Advanced Windows Hacking
In this manual we will be discussing the advanced Windows hacking techniques.I will be taking you through all the system internals with which you can really change the way Windows works.I will teach you to change every tiny detail of Windows, even to change the error messages that Windows shows.
So get ready for some real kewl stuff.This is the stuff that really sets my adrenalin going. If you master the topics that I discuss in this Manual you manual to editing the core of Windows.
HEX Editing Explorer.exe
Hit Ctrl + Alt + Del and you will see a Window popup titled End Program.
Whenever you hit these keys while Windows is running you will always see Explorer as a part of it’s list. It is, what controls how Windows functions. Everything from error messages to the menu that pops up when you right click a file is controlled by explorer.exe.
To edit it would be something that gives you the power to change everything in Windows. You may be thinking, big deal how difficult can it be to edit a file.Well it is not that simple.You need to know some basic things before you would actually be able to edit it.
*************
WARNING: First of all before even thinking about editing explorer.exe you must back it up on floppy disk or on a separate folder on your hard disk.It is real easy to mess with this file and destroy your computer.
*************
NOTE: READ THE WHOLE SECTION BEFORE EVEN OPENING THE FILE.
OK you have backed up explorer.exe and want to know what to do next.So here goes. First restart your computer in MSDOS, to do this click on Start > Shut Down and select Restart in MSDOS.
************
Note: Do not try to edit explorer.exe in DOS while running Windows.It is a read only file and Windows will not allow you to edit.Changing it’s attributes and editing it while running Windows is not advisable.
***********
Once you get the DOS Prompt goto the Windows directory by typing:
C:\>cd windows
Once you are in the Windows directory open the file explorer.exe in the MSDOS Editor with the /70 parameter.To do this type:
C:\windows>edit /70 explorer.exe
You must be knowing that Edit opens the Microsoft editor, and explorer.exe is the name of the file you want to edit. But many people do not know what the /70 stands for.Well actually /70 just stands for the number of columns across. It sets the number of columns to 70 and makes the file easy to read else you have to scroll like hell. Anyway this will bring a blue screen that is the MSDOS editor screen with the file explorer.exe opened. The screen would look like full of weird characters or something in machine language. Well almost.
Let me start by describing what you would be seeing if you followed the above steps. Now the screen is full of weird characters like a heart , a smiley face and other unrecognizable pieces of junk. Well actually each symbol you see has a numerical value that you can see at the right bottom of the screen at VALUE:###.
To see what each symbol stands for move your cursor over the symbol and look at the right bottom screen at VALUE:###.
At the bottom you also see LINE: #### which gives you the line number.
You are not going to edit these symbols but edit the part of the files which consists of these unrecognizable characters and text that you actually can understand.The Understandable part begins at line:1336.
*************
NOTE: The line numbers I am going are on a Win98 machine.I am not sure if they are same in Win95 or not.Anyway to go to the recognizable part in Win95 just scroll down and look for recognizable English.
************
When you right click on the Taskbar and select properties then a pop up Window comes up from where you can customise the taskbar.There are options like Always on Top, Auto Hide etc.
Now lines 1336 to 1354 allow us to change text of this TaskBar Properties, you can change text that appears on anwhere in the Window even the text on the various buttons.Now before changing the text just read the following very very carefully.
Now you must have noticed by now that in explorer.exe the text has a space in between them.Now this space is not the space of the spacebar.Let me put it this way, in the file explorer.exe the value of a space from the spacebar i.e. the value of the space that appers on the screen if if click the spacebar once is 32 and the value of the spaces that are there in between characters in explorer.exe is 0.If there was no space in between letters, it would look untidy.
Another thing that you must have noticed is that there are many &’s in between the characters,well this & signifies that the next charcter i.e. the character that suceeds the & is underlined in Windows .
**************
The underlined letter is used as a keyboard shortcut in Windows to run that particular operation.Say if the letter s is underlined that the user can press theletter s in the keyboard as the shortcut.
**************
Lets take an example to make the above more understandable. Say you want to edit the text on clear button which is the TaskBar Properties window under the Start Menu Programs. Now originally the text is Clear and you do not like it and want it to be osmething like Klear, then what do you do?
Goto LINE 1354 and locate &C l e a r
Now the spaces between each letter is not the space of the space bar(Value=32) but spaces whose value is 0.
So instead of &C l e a r I type &K l e a r keeping in mind that the spaces have a value of 0.
If by chance you press the spacebar and want to replace it by value of 0, you can click on any blank space in explorer.exe whose value is 0, and copy paste it to the space where you want to paste it.
After making the necessary changes save the file and restart Windows. Now right click on the TaskBar and select properties.In the TaskBar Properties Window Select the Start Menu Programs tab and voila you see Klear on the button.If you press the K key on the keyboard the button will be clicked, so even the keyboard shortcuts can be changed by editing explorer.exe - The only problem is that I am not able to devise a method to change the length of the word. Whenever I tried to do so, Explorer.exe crashed.
If we go a bit further down, then the unrecognizable characters start again.The recognizable editable part starts again only at LINE:2323.Here we come to the TaskBar properties again.This part of the file can be used to edit the text that appears when we right click on the small clock on the taskbar and also the text that appears when we right click on the TaskBar itself.
LINE:2334 to Line:2348 deal with what appears when you click the Start Button, you can change the name of Shut Down to any wacky name having the same number of characters,you can change anything on the Start Menu,even the Programs to Hackings as they have the same number of characters.Then further down come the Windows Error messages that we can change to make the boring error messages that Microsoft sets to some wacky kewl error messages of our own.
Then at line:2390 comes a very interesting part.This lines lets us change the text on the START button that is START to anything we want, that too of any length.Yes you can have your name on the START button even if your name is 132 letters long!!!
If you see carefully on LINE:2390, you will find that a clubs symbol preceeds S t a r t .If you move cursur over the club you will find that it’s value is 5. So the text after the clubs symbol, in this case S t a r t has to be of 5 letters.Now if you want to replace Start and in it’s place put something like Stop which is 4 letter long; then you will have to search for a symbol whose numeric value is 4 and paste it over the clubs symbol.Now the text suceeding this new symbol should be of 4 letters. Now that you know how to change how the desktop looks and what the Start Menu shows, lets move on to changing deeper and more complex appearances in Windows.The Control Panel is the place where you can change various options and set various properties or install things, bascially it is the controlling place of a lot of things of the system both Hardware and Software.Click on Start>Settings>Control Panel to access the control panel.You will find various options like Passwords, Add New Hardware and Modems etc.Well in this section we will learn how to change the look of these various options.
Now,each option or Menu(like Modem, Add New Hardware etc) in the Control Panel points to .cpl file located in the c:\windows\system directory.For Example, for the Modem Option there is a corresponding Modem.cpl file in the System folder in the Windows directory.The entire list would be:
APPWIZ.CPL (Add Remove Programs)
DESK.CPL (Display Properties, same as right clicking Desktop)
INTL.CPL (Regional Settings)
INETCPL.CPL(Internet Properties)
JOY.CPL (Game Controllers)
MAIN.CPL (Mouse Properties)
MMSYS.CPL (Multimedia Properties)
MODEM.CPL (Modem Settings)
NETCPL.CPL (Network Settings)
PASSWORD.CPL (Passwords)
POWERCFG.CPL (Power Configuration)
SYSDM.CPL (System Properties, same as right clicking My Computer and selecting Properties)
TELEPHON.CPL (Dialing Properties)
STICPL.CPL (Scanners and Cameras Properties, Not on all systems)
TIMEDATE.CPL (Date/Time Settings)
ACCESS ACCESS.CPL (Accessibility Properties)
THEMES THEMES.CPL (Desktop Themes)
FINDFAST.CPL (What the name says, only on systems with Microsoft Office running)
Now if any of the above files are opened in the DOS Editor then we can very much change the text that appears on each button or tect field in that particular menu or option.Just remember to launch the editor by giving the /70 parameter and keep in mind the set of rules without which the particular software will not work.
Well wasn’t that kewl? I think this is even cooler than the reigstry.
The Registry
The registry is a hierarchical database that contains virtually all information about your computer's configuration. Under previous version of Windows, those setting where contained in files like config.sys, autoexec.bat, win.ini, system.ini, control.ini and so on. From this you can understand how important the registry is. The structure of the registry is similar to the ini files structure, but it goes beyond the concept of ini files because it offers a hierarchical structure, similar to the folders and files on hard disk. In fact the procedure to get to the elements of the registry is similar to the way to get to folders and files.
In this section I would be examing the Win95\98 registry only although NT is quite similar.
The Registry Editor
The Registry Editor is a utility by the filename regedit.exe that allows you to see, search, modify and save the registry database of Windows. The Registry Editor doesn't validate the values you are writing: it allows any operation. So you have to pay close attention, because no error message will be shown if you make a wrong operation.
To launch the Registry Editor simply run RegEdit.exe ( under WinNT run RegEdt32.exe with administer privileges).
The registry editor is divided into two sectios in the left one there is a hierarchical structure of the database (the screen looks like Windows Explorer) in the right one there are the values.
The registry is organized into keys and subkeys. Each key contains a value entry , each one has a name, a type or a class and the value itself. The name is a string that identifies the value to the key. The length and the format of the value is dependent on the data type.
As you can see with the Registry Editor, the registry is divided into five principal keys: there is no way to add or delete keys at this level. Only two of these keys are effectively saved on hard disk: HKEY_LOCAL_MACHINE and HKEY_USERS. The others are jusr branches of the main keys or are dynamically created by Windows.
HKEY_LOCAL_MACHINE
This key contains any hardware, applications and services information. Several hardware information is updated automatically while the computer is booting. The data stored in this key is shared with any user. This handle has many subkeys:
Config
Contains configuration data for different hardware configurations.
Enum
This is the device data. For each device in your computer, you can find information such as the device type, the hardware manufacturer, device drivers and the configuration.
Hardware
This key contains a list of serial ports, processors and floating point processors.
Network
Contains network information.
Security
Shows you network security information.
Software
This key contains data about installed software.
System
It contains data that checks which device drivers are used by Windows and how they are configured.
HKEY_CLASSES_ROOT
This key is an alias of the branch HKEY_LOCAL_MACHINE\Software\Classes and contains OLE, drag'n'drop, shortcut and file association information.
HKEY_CURRENT_CONFIG
This key is also an alias. It contains a copy of the branch HKEY_LOCAL_MACHINE\Config, with the current computer configuration.
HKEY_DYN_DATA
Some information stored in the registry changes frequently, so Windows maintains part of the registry in memory instead of on the hard disk. For example it stores PnP information and computer performance. This key has two sub keys.
Config Manager
This key contains all hardware information problem codes, with their status. There is also the sub key HKEY_LOCAL_MACHINE\Enum, but written in a different way.
PerfStats
It contains performance data about system and network
HKEY_USERS
This important key contains the sub key .Default and another key for each user that has access to the computer. If there is just one user, only .Default key exists. . Each sub key maintains the preferences of each user, like the desktop colors, the fonts used, and also the settings of many programs. If you open a user subkey you will find five important subkeys:
AppEvent
It contains the path of audio files that Windows plays when some events happen.
Control Panel
Here are the settings defined in the Control Panel. They used to be stored in win.ini and control.ini.
Keyboard Layouts
It contains a voice that identify the actual keyboard disposition how it is set into the Control Panel.
Network
This key stores subkeys that describe current and recent network shortcuts.
RemoteAccess
The settings of Remote Access are stored here.
Software
Contains all software settings. This data was stored in win.ini and private .ini files.
HKEY_CURRENT_USER
It is an alias to current user of HKEY_USERS. If your computer is not configured for multi-users usage, it points to the subkey .Default of HKEY_USERS.
Description of .reg file
Here I am assuming that you already have a .reg file on your hard disk and want to know more about how it is structured.Now do not double click the .reg file or it’s content will be added to the registry, of course there will be warning message that pops up. Now to view the properties of the .reg file open it in notepad.
To do so first launch notepad by going to Start>Programs>Accessories>Notepad.
Then through the open menu open the .reg file.
Now the thing that differentiates .reg files from other files is the word REGEDIT4. It is found to be the first word in all .reg files. If this word is not there then the registry editor cannot recognize the file to be a .reg file.
Then follows the key declaration which has to be done within square brackets and with the full path.If the key does not exist then it will be created. After the key declaration you will see a list of values that have to be set in the particular key in the registry.The values look like this:
"value name"=type:value
Value name is in double commas. Type can be absent for string values, dword: for dword values and hex: for binary values and for all other values you have to use the code hex(#): , where # indicate the API code of the type.
So that wraps up the Windows registry. You may be wondering from where I found out such an extensive detailed description of the registry. Well this kind of information is usually not found in books and searching at the Microsoft will not help either.I actually had attented a Microsoft conference on Windows Technologies and had learnt a lot about the working of the registry there.
As you can see, strings are in double quotes, dword is hexadecimal and binary is a sequence of hexadecimal byte pairs, with a comma between each. If you want to add a back slash into a string remember to repeat it two times, so the value "c:\Windows" will be "c:\\Windows".
Before write a new .reg file, make sure you do this else you will get an error message.
Command Line Registry Arguments
FILENAME.REG to merge a .reg file with the registry
/L:SYSTEM to specify the position of SYSTEM.DAT
/R:USER to specify the position of USER.DAT
/e FILENAME.REG [KEY] to export the registry to a file. If the key is specified, the whole branch will be exported.
/c FILENAME.REG to substitute the entire registry with a .reg file
/s to work silently, without prompt information or Warnings.
Other System Files
Config.sys is used to configure Hardware of your computer
Autoexec.bat is used to load parameters and system variables which are needed by Windows.It can also be used to start Baby Sitting programs or programs that need to be started automatically when Windows is started. Win.ini and System.ini constitute the Windows registry.
Now in Win 9x there is cool program called sysedit that allows you to edit many system files simultaneously. To run it type sysedit.exe in the Run Dialog Box.
Some Windoze & DOS Tricks:
Say you have a clueless newbie as your friend and want to give him a nasty scare, what do you do? Well you can configure his pc such as soon as the Windows desktop becomes visible, Windows shuts down and restarts in MS DOS mode.
This is actually a very lame trick but a good one to really scare newbies.To do this follow the following steps:
Right click on the desktop and select new and then ShortCut. This will bring a new window and in the blank line beside Command Line: type c:\windows\command.com
This creates a shortcut to the command.com which is actually MSDOS. Now click Next and type any name of your choice in the Input box.
Then click Finish.
There should now be a new icon in the desktop.
Now right click on this new icon so that it brings up the menu. Click "Properties" then click on the Program Tab and again click on the Advanced. Now Check the button that says "MS-DOS mode", uncheck the button that says "Warn before entering MS-DOS mode. Click OK.
Command.com is basically the program that launches MSDOS. By chnaging the properties we have made the program to restart the computer in MS DOS mode without giving any warning message.Now if we copy and paste this file into the Start Up folder i.e. paste it into the "c:\windows\Start Menu\programs\startup" folder, then this file will be executed automatically every time Windows boots and voila your friend is getting ready to call the computer mechanic.
Customize DOS
Once my friend asked me how he could learn the different DOS commands which computer institute should he join? Which book is the best for learning DOS? I am sure many of you too ask the same questions. Well the answer lies in DOS itself.
DOS or Disk Operating System has one of the most comprehensive help systems, after Linux of course. The best way to find out what a particular command does is to type the command followed by a front slash ( i.e /) followed by the question mark sign.
Eg to learn about the dir command type the following:
C:\windows> dir/?
This will give you unfriendly but comprehensive info on the dir command.
One day I was experimenting and discovered a kewl command that allows you to change the boring DOS prompt to a more interesting one.I will take you through the whole process of discovering this command.
C:\windows> prompt /?
The following appeared on the screen:
PROMPT [text]
text Specifies a new command prompt.
Prompt can be made up of normal characters and the following special codes
$Q = (equal sign)
$$ $ (dollar sign)
$T Current time
$D Current date
$P Current drive and path
$V Windows version number
$N Current drive
$G > (greater-than sign)
$L < (less-than sign)
$B | (pipe)
$H Backspace (erases previous character)
$E Escape code (ASCII code 27)
$_ Carriage return and linefeed
Type PROMPT without parameters to reset the prompt to the default setting.
I was able to change the prompt to a funky new one but I discovered that as soon as I exited DOS the prompt was revered back to the original one. So I decided to edit the file autoexec.bat. When I opened it I found the following line in it:
prompt $p$g
I changed this line to suit according to my needs and I could now change the prompt according to my needs.
**************
TIP: To revert back to the original prompt type prompt in DOS.
**************
Hacking Truth: If the above does not work then, look at the properties of command.com There is a way to invoke a batch file upon entering a DOS shell.
**************
Clearing The CMOS without opening your PC.
Say at school the floppy drive has been disabled and you want to do your project at home and copy it to the floppy drive and use this floppy to transfer it to the school computer.What do you do. In most cases the BIOS is configured to disable the Floppy Drive. Now if you are able to bring the DOS prompt in school the you will be able to change the BIOS setting to the default and enable the floppy drive which is the default setting. In DOS there is the debug command which allows us to do.To clear the CMOS do the following:
Got DOS and type:
DEBUG hit enter
-o 70 2e hit enter
-o 71 ff hit enter
-q hit enter
exit hit enter
Restart the computer
It works on most versions of the AWARD BIOS.If it doesn’t work then search at http:\\astalavista.box.sk for the debug command for your BIOS version.
Well now you do know how to customize almost everything in Windows and in DOS. If you really want to learn more then play around with the Windows system files and try out new things.There is no way anything can happen to Windows if you keep your back up file sand your start up disk ready and I am sure if you try new things out yourself, you stand a better chance of learning new things.