
Create file disables_safeboot.py #82

Open
wants to merge 3 commits into base: master

Conversation

kevross33
Contributor

A signature to detect the various modifications to safeboot
@kevross33
Contributor Author

I noticed it is similar to the signature prevents_safeboot, aside from the fact that that signature is a delete of the key whereas this one is a modify. I have been testing with tools to disable safe mode use, in which it is effectively a modification of the values and things to break it, but this signature is potentially redundant or could be applied to the existing signature.

@brad-sp
Owner

brad-sp commented Aug 28, 2015

Could you show me some logs or screenshots (or maybe a hash) of a sample that plays with safeboot via registry writes?

@kevross33
Contributor Author

Hi,

I can't find the malware sample again, but I am sure I have seen and noted it in the past; you can trigger this functionality with MD5 d21a98b6f55d6e6bf6d4d6357e5028f4, which is a safeboot disabling tool: https://www.raymond.cc/blog/disable-f8-key-to-block-access-to-safe-mode-during-windows-startup/

As such, because it effectively disables safe mode without deleting the keys, it may be worth covering this case.
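The delete-versus-modify distinction discussed in this thread, as an added stand-alone example that is not the PR's signature file or any code from the cuckoo community repository. It mimics the logic of a SafeBoot signature over a constructed, simplified list of registry calls (each with an "api" name and a "key" path) rather than the real Cuckoo Signature API, so it runs without the framework; the API name sets and sample key paths are assumptions chosen for illustration.

```python
import re

# Windows keeps the Safe Mode (Minimal / Network) driver and service lists under
# ...\Control\SafeBoot. Matching both CurrentControlSet and the numbered
# ControlSetNNN aliases avoids an easy evasion; requiring the \SYSTEM\...\Control
# prefix avoids matching unrelated keys that merely contain the word SafeBoot.
SAFEBOOT_KEY_RE = re.compile(
    r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control\\SafeBoot(\\|$)",
    re.IGNORECASE,
)

# Registry APIs grouped by effect, as they are named in Cuckoo behaviour logs.
# Deleting a SafeBoot key is what the existing prevents_safeboot signature
# looks for; rewriting values under it without deleting anything is the
# "modify" case this PR targets. Read-only APIs (RegOpenKeyEx, RegQueryValueEx)
# are deliberately not listed, so inspection of the keys is not flagged.
DELETE_APIS = frozenset({
    "RegDeleteKeyA", "RegDeleteKeyW", "RegDeleteKeyExA", "RegDeleteKeyExW",
    "RegDeleteValueA", "RegDeleteValueW", "NtDeleteKey", "NtDeleteValueKey",
})
WRITE_APIS = frozenset({
    "RegSetValueExA", "RegSetValueExW", "RegSetKeyValueA", "RegSetKeyValueW",
    "NtSetValueKey",
})


def classify_safeboot_calls(calls):
    """Split registry calls that touch SafeBoot into deletes and modifications.

    `calls` is an iterable of dicts with an "api" name and a "key" path
    (constructed, simplified form of a behaviour-log call). Returns a dict with
    two sorted lists of (api, key) tuples, one per category.
    """
    hits = {"deleted": [], "modified": []}
    for call in calls:
        key = call.get("key", "")
        if not SAFEBOOT_KEY_RE.search(key):
            continue
        api = call.get("api", "")
        if api in DELETE_APIS:
            hits["deleted"].append((api, key))
        elif api in WRITE_APIS:
            hits["modified"].append((api, key))
    for bucket in hits.values():
        bucket.sort()
    return hits


def safeboot_verdict(calls):
    """Map the classified calls onto the two-signature split from the thread."""
    hits = classify_safeboot_calls(calls)
    return {
        "prevents_safeboot": bool(hits["deleted"]),   # keys removed
        "disables_safeboot": bool(hits["modified"]),  # keys rewritten in place
    }


# Constructed sample of registry calls (not taken from any real report).
SAMPLE_CALLS = [
    # Modify: a value under the Minimal driver class list is rewritten.
    {"api": "RegSetValueExW",
     "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"
            "\\Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}"},
    # Delete: the whole Network safe-mode list is removed via a ControlSet alias.
    {"api": "RegDeleteKeyW",
     "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\Network"},
    # Read-only access to a SafeBoot key: must not count as a hit.
    {"api": "RegOpenKeyExW",
     "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal"},
    # Unrelated key that happens to be named SafeBoot: must not count as a hit.
    {"api": "RegSetValueExW",
     "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Vendor\\SafeBoot"},
    # Unrelated write under Control: must not count as a hit.
    {"api": "NtSetValueKey",
     "key": "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"},
    # Modify via the native API, with the NT-style path format.
    {"api": "NtSetValueKey",
     "key": "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Option"},
]

if __name__ == "__main__":
    for name, calls in classify_safeboot_calls(SAMPLE_CALLS).items():
        for api, key in calls:
            print(f"{name:9s} {api:16s} {key}")
    print(safeboot_verdict(SAMPLE_CALLS))
```

Whether the two buckets should stay two signatures or be folded into one, as the PR author suggests, is a reporting choice; either way a signature that fires on any write to the SafeBoot tree should skip the read-only APIs and anchor the path match as above, or installers and driver packages that legitimately add entries under SafeBoot\Minimal will show up as well.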
