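Wuyou Boot Forum (无忧启动论坛)
Title: Notes from adding 64-bit WordPad (wordpad.exe) to a bare-bones PE built on RE, in the hope that they help those who come after
Author: sairen139 Time: 2021-12-17 20:29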
This post was last edited by sairen139 on 2021-12-20 14:18
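My original intent: in the 88 MB bare-bones network-edition PE I did not want to go to the trouble of adding something as bulky as the Office suite, and on reflection WordPad, the program that ships with Windows and has always been overshadowed by Word, is quite good.
That is because wordpad.exe is only a little over 2 MB. WordPad can also create, open and modify Word documents in docx format, which is quite useful in a PE for occasionally viewing or editing documents in that format and for creating new ones!
Notes on the process of adding the 64-bit wordpad.exe: First I used a dependency lookup to find the PE dependency files of wordpad.exe and added those files to the bare-bones build, but WordPad still would not run. Later I found that @我是小青蛙's PE could run WordPad with just a few WordPad files added, and opening docx files worked normally. Delighted, I trimmed 小青蛙's PE down to a bare-bones build of a little over 100 MB, just enough to still open WordPad, and the 64-bit wordpad.exe still opened. Then I added files to my own bare-bones build until it was exactly the same as the trimmed 小青蛙 PE, yet the bare-bones PE trimmed from RE still could not open the 64-bit WordPad.exe. After asking @我是小青蛙 I learned that the only registry file of his that did not come from RE was software: he used the 63 MB software registry file from install.wim. After I copied the 63 MB software file over the 9 MB software file in my own bare-bones build, wordpad.exe did indeed open. So the only difference was in the software registry file. Later, according to @slore, the classes in software need supplementary registry fragments; I will test that when I have time.
In the end, adding the following 48 dependency files of the 64-bit WordPad component wordpad.exe to the bare-bones PE is enough: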
\Program Files\Windows NT\Accessories\wordpad.exe
\Program Files\Windows NT\Accessories\WordpadFilter.dll
\Program Files\Windows NT\Accessories\zh-CN\wordpad.exe.mui
\Windows\SYSTEM32\shellstyle.dll
\Windows\SYSTEM32\UIRibbon.dll
\Windows\SYSTEM32\UIRibbonRes.dll
\Windows\SYSTEM32\OpcServices.dll
\Windows\SYSTEM32\ADVAPI32.dll
\Windows\SYSTEM32\bcrypt.dll
\Windows\SYSTEM32\bcryptPrimitives.dll
\Windows\SYSTEM32\combase.dll
\Windows\SYSTEM32\COMDLG32.dll
\Windows\SYSTEM32\dwmapi.dll
\Windows\SYSTEM32\GDI32.dll
\Windows\SYSTEM32\gdi32full.dll
\Windows\SYSTEM32\iertutil.dll
\Windows\SYSTEM32\IMM32.DLL
\Windows\SYSTEM32\kernel.appcore.dll
\Windows\SYSTEM32\KERNEL32.DLL
\Windows\SYSTEM32\KERNELBASE.dll
\Windows\SYSTEM32\MFC42u.dll
\Windows\SYSTEM32\MSCTF.dll
\Windows\SYSTEM32\MSFTEDIT.DLL
\Windows\SYSTEM32\msvcp_win.dll
\Windows\SYSTEM32\msvcrt.dll
\Windows\SYSTEM32\msxml3.dll
\Windows\SYSTEM32\ntdll.dll
\Windows\SYSTEM32\ntmarta.dll
\Windows\SYSTEM32\OLE32.dll
\Windows\SYSTEM32\oleacc.dll
\Windows\SYSTEM32\OLEAUT32.dll
\Windows\SYSTEM32\PROPSYS.dll
\Windows\SYSTEM32\RPCRT4.dll
\Windows\SYSTEM32\sechost.dll
\Windows\SYSTEM32\shcore.dll
\Windows\SYSTEM32\SHELL32.dll
\Windows\SYSTEM32\SHLWAPI.dll
\Windows\SYSTEM32\TextShaping.dll
\Windows\SYSTEM32\ucrtbase.dll
\Windows\SYSTEM32\urlmon.dll
\Windows\SYSTEM32\USER32.dll
\Windows\SYSTEM32\uxtheme.dll
\Windows\SYSTEM32\win32u.dll
\Windows\SYSTEM32\windows.storage.dll
\Windows\SYSTEM32\windowscodecs.dll
\Windows\SYSTEM32\WINMM.dll
\Windows\SYSTEM32\WINSPOOL.DRV
\Windows\SYSTEM32\wintypes.dll
\Windows\SYSTEM32\Wldp.dll
\Windows\SYSTEM32\WS2_32.dll
\Windows\SYSTEM32\XmlLite.dll
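PS: As for the language files in the \Windows\System32\zh-CN folder that correspond to these dependency DLLs, add the language files with the .mui suffix yourself by matching them against the DLLs!
There is also an optional \Windows\write.exe, which is used to launch wordpad.exe; leaving it out does not affect the use of WordPad!
The specific registry entries that finally took effect when injected offline into WinRE.wim are only three:
Windows Registry Editor Version 5.00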
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{0F7434B6-59B6-4250-999E-D168D6AE4293}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{32665929-D77E-4ab5-8C08-FBF409B8A233}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{926749fa-2615-4987-8845-c33e65f2b957}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}]
@="rtf persistent handler"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
@="{e2403e98-663b-4df6-b234-687789db8560}"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{3037B4CD-A40B-401B-B676-2017EE8FAFF4}]
@="Wordpad DOCX Filter"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{3037B4CD-A40B-401B-B676-2017EE8FAFF4}\InprocServer32]
@="X:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll"
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{6047F837-D527-467E-9DC1-6D51F92D9E45}]
@="Wordpad ODT Filter"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{6047F837-D527-467E-9DC1-6D51F92D9E45}\InprocServer32]
@="X:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll"
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}]
@="Wordpad OOXML Document Filter"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
@="{3037B4CD-A40B-401B-B676-2017EE8FAFF4}"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}]
@="Wordpad ODT Document Filter"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
@="{6047F837-D527-467E-9DC1-6D51F92D9E45}"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.docx]
@="docxfile"
"PerceivedType"="document"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.docx\OpenWithList\WordPad.exe]
@=""
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.docx\PersistentHandler]
@="{698A4FFC-63A3-4E70-8F00-376AD29363FB}"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile]
@="OOXML Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
2e,00,45,00,58,00,45,00,2c,00,2d,00,33,00,30,00,30,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,2c,00,32,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell]
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell\print\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,2f,00,70,00,20,00,22,00,25,00,31,00,22,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell\printto\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,2f,00,70,00,74,00,20,00,22,00,25,00,31,00,22,00,20,00,22,\
00,25,00,32,00,22,00,20,00,22,00,25,00,33,00,22,00,20,00,22,00,25,00,34,00,\
22,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt]
@="odtfile"
"PerceivedType"="document"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt\OpenWithList\WordPad.exe]
@=""
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt\PersistentHandler]
@="{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile]
@="ODF Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
2e,00,45,00,58,00,45,00,2c,00,2d,00,33,00,30,00,31,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,2c,00,33,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\shell\open]
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\shell\print\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,2f,00,70,00,20,00,22,00,25,00,31,00,22,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\shell\printto\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,2f,00,70,00,74,00,20,00,22,00,25,00,31,00,22,00,20,00,22,\
00,25,00,32,00,22,00,20,00,22,00,25,00,33,00,22,00,20,00,22,00,25,00,34,00,\
22,00,00,00
[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf]
@="rtffile"
"PerceivedType"="document"
[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf\OpenWithList\WordPad.exe]
@=""
[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf\PersistentHandler]
@="{2e2294a9-50d7-4fe7-a09f-e6492e185884}"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile]
@="Rich Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
2e,00,45,00,58,00,45,00,2c,00,2d,00,31,00,39,00,30,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\CLSID]
@="{73FDDC80-AEA9-101A-98A7-00AA00374959}"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,2c,00,31,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\shell]
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\shell\print\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,2f,00,70,00,20,00,22,00,25,00,31,00,22,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\shell\printto\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,2f,00,70,00,74,00,20,00,22,00,25,00,31,00,22,00,20,00,22,\
00,25,00,32,00,22,00,20,00,22,00,25,00,33,00,22,00,20,00,22,00,25,00,34,00,\
22,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\rtffile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]
@="{a42c2ccb-67d3-46fa-abe6-7d2f3488c7a3}"
[Image: 80FA80AA-ED6E-484D-9EF4-A0EAA8C6CF6A.jpeg] WordPad in the PE opens and edits docx files normally and can also create docx files directly!
[Image: C72C5660-290C-4088-AA0A-79097F73D8B9.jpeg] In a pure 64-bit PE, I found that opening the 64-bit WordPad is tied to registry entries under Classes in the software registry! Directly export the Classes key ...
[Attachment: 64位wordpad写字板运行的离线注入RE的关键注册表和格式关联.reg.TXT (key registry entries and file-type associations for offline injection into RE so that 64-bit WordPad runs)]
[Attachment: 64位wordpad写字板程序的pe依赖文件SYSTEM32下zh-CN目录里的配套语言文件请自己添加.txt (PE dependency files of 64-bit WordPad; add the matching language files in the zh-CN directory under SYSTEM32 yourself)]
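An added example, not part of the original post: a small Python parser for the .reg fragment above that decodes the hex(2) (REG_EXPAND_SZ, UTF-16LE) values and lists which DLL each InProcServer32 entry registers, so the fragment can be read before it is imported into the offline software hive. The function names and the two review notes are assumptions of this example; the sample text is two entries copied from the post.

```python
import re

# Two entries copied verbatim from the .reg fragment in the post above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{0F7434B6-59B6-4250-999E-D168D6AE4293}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\pe-software\Classes\CLSID\{3037B4CD-A40B-401B-B676-2017EE8FAFF4}\InprocServer32]
@="X:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll"
"ThreadingModel"="Both"
"""

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def decode_value(raw):
    """Turn the right-hand side of a .reg line into (type_name, value)."""
    if raw.startswith("hex(2):"):                  # REG_EXPAND_SZ as UTF-16LE bytes
        data = bytes.fromhex(raw[len("hex(2):"):].replace(",", ""))
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):  # REG_SZ with \\ and \" escapes
        return "REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1])
    return "RAW", raw                               # other hex(n) types left undecoded


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (type_name, value)}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)      # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            if name != "@":                         # "@" is the key's default value
                name = re.sub(r"\\(.)", r"\1", name[1:-1])
            current[name] = decode_value(m.group(2))
    return keys


def inproc_servers(keys):
    """List (hive_mount, clsid, dll_path, notes) for each InProcServer32 default value."""
    rows = []
    for path, values in keys.items():
        parts = path.split("\\")
        if parts[-1].lower() != "inprocserver32" or "@" not in values:
            continue
        dll = str(values["@"][1])
        notes = []                                  # review notes (assumed checks)
        if re.match(r"^[A-Za-z]:\\", dll):
            notes.append("absolute drive letter")
        if not dll.lower().startswith("%systemroot%\\system32\\"):
            notes.append("outside %SystemRoot%\\system32")
        rows.append((parts[1], parts[-2], dll, notes))
    return rows


if __name__ == "__main__":
    for mount, clsid, dll, notes in inproc_servers(parse_reg(SAMPLE_REG)):
        print(f"{mount}  {clsid}  {dll}  {'; '.join(notes) or 'ok'}")
```

The second column of the first field is the name under which the offline hive is loaded (pe-SOFTWARE in the post), which is worth confirming before an import so the entries land in the mounted PE hive and not in the host's own SOFTWARE hive.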
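Author: sairen139 Time: 2021-12-17 20:32
This post was last edited by sairen139 on 2021-12-19 22:08
1. Earlier I roughly worked out the range of entries in the software registry file, importable offline, that let the 64-bit wordpad.exe run in the 88 MB bare-bones network-edition PE, as follows:
2. The specific registry entries that finally took effect when injected offline into WinRE.wim are only three: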
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{0F7434B6-59B6-4250-999E-D168D6AE4293}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{32665929-D77E-4ab5-8C08-FBF409B8A233}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{926749fa-2615-4987-8845-c33e65f2b957}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
[Attachment: 全部和缩小到5mb的software里的Classes子项可导入使用.7z (the full Classes subkey of software and one reduced to 5 MB, importable, for 64-bit wordpad.exe)]
[Attachment: 64位wordpad写字板运行的离线注入RE的关键注册表.reg.TXT (key registry entries for offline injection into RE so that 64-bit WordPad runs)]
[Attachment: 64位wordpad写字板运行的离线注入RE的关键注册表和格式关联.reg.TXT (key registry entries and file-type associations for offline injection into RE so that 64-bit WordPad runs)]
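Author: lily9718 Time: 2021-12-18 06:19
Thanks, OP.
Author: sairen139 Time: 2021-12-18 10:32
This post was last edited by sairen139 on 2021-12-18 10:47
Just export the Classes subkey as a reg file, delete everything from WOW6432 onward that supports 32-bit programs, and then replace the software file in the PE offline; this cuts the size of the software registry file in half!
Author: 2011网中一条鱼 Time: 2021-12-18 14:03
Can it write or not...
Author: 旁观者清 Time: 2021-12-18 19:43
To be honest, I have never used it; plain text documents, on the other hand, I use all the time.
Author: 某些人 Time: 2021-12-20 10:21
May I ask, what tool did you use for the "dependency lookup" you mentioned?
Author: sairen139 Time: 2021-12-20 10:26
http://bbs.wuyou.net/forum.php?mod=viewthread&tid=416500 has this kind of tool.
Please download it from the opening post of the thread I linked above!!!! 提取程序的依赖文件.zip (extract a program's dependency files)
Author: sairen139 Time: 2021-12-20 14:20
The WordPad component and its dependencies that are missing from WinRE.wim and need to be extracted from install.wim, 7 files in total, plus the offline registry reg fragment: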
\Program Files\Windows NT\Accessories\wordpad.exe
\Program Files\Windows NT\Accessories\WordpadFilter.dll
\Program Files\Windows NT\Accessories\zh-CN\wordpad.exe.mui
\Windows\SYSTEM32\shellstyle.dll
\Windows\SYSTEM32\UIRibbon.dll
\Windows\SYSTEM32\UIRibbonRes.dll
\Windows\SYSTEM32\UIRibbon.dll\zh-CN\UIRibbon.dll.mui
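[Attachment: wordpad写字板组件install里提取的7个文件和离线导入注册表片段.zip (the 7 WordPad component files extracted from install plus the registry fragment for offline import)]
Author: fkltd-123 Time: 2021-12-21 10:56
This post was last edited by fkltd-123 on 2021-12-21 11:03
123456789
[Image: 2021.12.12-.png]
Author: sairen139 Time: 2021-12-21 12:10
May I ask how this right-click "New RTF document" entry was produced by modifying the registry?
Author: fkltd-123 Time: 2021-12-21 13:18
Go copy it over from Win10: the .txt and similar entries under classes.
Author: sairen139 Time: 2021-12-22 22:00
Adding the following 5 dependency files of the 64-bit WordPad component wordpad.exe to the 88 MB bare-bones PE is enough: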
\Program Files\Windows NT\Accessories\wordpad.exe
\Program Files\Windows NT\Accessories\zh-CN\wordpad.exe.mui
\Windows\SYSTEM32\UIRibbon.dll
\Windows\SYSTEM32\UIRibbonRes.dll
\Windows\SYSTEM32\OpcServices.dll
\Windows\SYSTEM32\MFC42u.dll
\Windows\SYSTEM32\MSFTEDIT.DLL
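The registry entries needed when adding the WordPad component so that the right-click New menu can directly create docx and RTF documents are as follows: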
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{0F7434B6-59B6-4250-999E-D168D6AE4293}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{32665929-D77E-4ab5-8C08-FBF409B8A233}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\CLSID\{926749fa-2615-4987-8845-c33e65f2b957}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,55,00,49,00,\
52,00,69,00,62,00,62,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\pe-software\Classes\.docx\ShellNew]
"NullFile"=""
[HKEY_LOCAL_MACHINE\pe-software\Classes\.docx]
"PerceivedType"="document"
@="docxfile"
[HKEY_LOCAL_MACHINE\pe-software\Classes\.docx\OpenWithList\WordPad.exe]
@=""
[HKEY_LOCAL_MACHINE\pe-software\Classes\.docx\PersistentHandler]
@="{698A4FFC-63A3-4E70-8F00-376AD29363FB}"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile]
@="OOXML Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
2e,00,45,00,58,00,45,00,2c,00,2d,00,33,00,30,00,30,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,2c,00,32,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\docxfile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00
[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf\ShellNew]
"Data"="{\\rtf1}"
"ItemName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,\
69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,\
00,58,00,45,00,2c,00,2d,00,32,00,31,00,33,00,00,00
[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf]
"PerceivedType"="document"
@="rtffile"
[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf\OpenWithList\WordPad.exe]
@=""
[HKEY_LOCAL_MACHINE\pe-software\Classes\.rtf\PersistentHandler]
@="{2e2294a9-50d7-4fe7-a09f-e6492e185884}"
[HKEY_LOCAL_MACHINE\pe-software\Classes\rtffile]
@="Rich Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
2e,00,45,00,58,00,45,00,2c,00,2d,00,31,00,39,00,30,00,00,00
[HKEY_LOCAL_MACHINE\pe-software\Classes\rtffile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,2c,00,31,00,00,00
[HKEY_LOCAL_MACHINE\pe-software\Classes\rtffile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt]
@="odtfile"
"PerceivedType"="document"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt\OpenWithList\WordPad.exe]
@=""
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\.odt\PersistentHandler]
@="{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}"
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile]
@="ODF Text Document"
"AllowSilentDefaultTakeOver"=""
"EditFlags"=dword:00200000
"FriendlyTypeName"=hex(2):40,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,\
77,00,73,00,20,00,4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,\
00,72,00,69,00,65,00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,\
2e,00,45,00,58,00,45,00,2c,00,2d,00,33,00,30,00,31,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\DefaultIcon]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,2c,00,33,00,00,00
[HKEY_LOCAL_MACHINE\pe-SOFTWARE\Classes\odtfile\shell\open\command]
@=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,\
00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,\
4e,00,54,00,5c,00,41,00,63,00,63,00,65,00,73,00,73,00,6f,00,72,00,69,00,65,\
00,73,00,5c,00,57,00,4f,00,52,00,44,00,50,00,41,00,44,00,2e,00,45,00,58,00,\
45,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00
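[Attachment: WordPad写字板依赖文件注册表生效三条和配置.7z (WordPad dependency files, the three effective registry entries, and configuration)]
Author: martin313 Time: 2024-10-19 19:59
In my deluxe bare-bones PE, associating files with wordpad.exe only needs the following 3 files and their corresponding mui files, plus adding the registry entries online inside the PE: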
wordpad.exe
UIRibbon.dll
UIRibbonRes.dll
[HKEY_CLASSES_ROOT\.doc\shell\open\command]
@="\"X:\\Windows\\System32\\wordpad.exe\" \"%1\""
[HKEY_CLASSES_ROOT\.docx\shell\open\command]
@="\"X:\\Windows\\System32\\wordpad.exe\" \"%1\""
[HKEY_CLASSES_ROOT\.rtf\shell\open\command]
@="\"X:\\Windows\\System32\\wordpad.exe\" \"%1\""
[HKEY_CLASSES_ROOT\.odt\shell\open\command]
@="\"X:\\Windows\\System32\\wordpad.exe\" \"%1\""
Author: liuweidrea Time: 2024-11-5 22:10
Thanks for sharing.