Create file disables_safeboot.py #82
Conversation
A signature to detect the various modifications to safeboot
|
I noticed it is similar to the signature prevents_safeboot aside from that signature is a delete of the key where as this one is a modify. I have been testing with tools to disable safemode use in which it is effectively a modification to the values and things to break it but this signature is potentially redundant or could be applied to the existing signature. |
|
Could you show me some logs or screenshots (or maybe a hash) of a sample that plays with safeboot via registry writes? |
|
Hi, I can't find a malware sample again I am sure I have seen and noted in the past but you can trigger this functionality with MD5 d21a98b6f55d6e6bf6d4d6357e5028f4 which is a safeboot disabling tool https://www.raymond.cc/blog/disable-f8-key-to-block-access-to-safe-mode-during-windows-startup/ As such because it is effectively disable safemode without deleting the keys it may be worth covering this in case. |
A signature to detect the various modifications to safeboot