May 17, 2026

Recovering post Malware / Hack attack

Gosh, it has been a long time since I wrote something, despite doing a lot of cool stuff.


This will be a post around recovering my elderly friend's computer after he called "Microsoft" following a random full-screen popup.

Bottom line first: the lesson here is to immediately take the computer away from your loved ones - they can't stay still and will do stuff to cause further damage to themselves.

The gist:

* some random guy on the other end got him to install remote-control software and ran a bunch of scripts


The Plan:

* recover the files

* scan for remnants of whatever could have gotten on the box

* rebuild the computer from absolute scratch


Recovery:

* call all banks to lock all accounts

* change (luckily) a handful of passwords

* coach him on the fact that every file he had is now in the possession of someone else.

* coach him to expect phone calls, and any time anyone important calls, just hang up and call the bank directly. Don't even ask any questions - when someone identifies as an entity that matters, hang up, call them directly.

* get into his Microsoft account to get the BitLocker recovery key

* attempt local recovery: get into safe boot, unlock BitLocker and pull down whatever useful files he had


Clean up:

* attempt cloud recovery - broken

* attempt local recovery to reinstall windows - success with a big fat *

** Ran Defender in offline mode; it didn't complain.

** Running sfc and DISM flagged a number of files on the recovery partition as corrupt, and they were not able to repair them.

* get a big fat USB stick, and download recovery image from HP

* flatten the box, and rebuild from the USB.


Extra recovery:

* note: After reading the chipsec readme, I realized that I'll have to re-flatten it again. Oh well

* Test firmware - https://github.com/chipsec/chipsec/blob/2.0.3/chipsec-manual.pdf

** clone the repo to USB with HP recovery stuff

* Spent a bunch of time trying to build the project because the readme is oversimplified.

** install python 3.8: ``winget install python.python.3.8`` (or something like that)

** install Windows build tools: ``winget install microsoft.visualstudio.2022.buildtools``

** install more build tools. There isn't an exact winget command in the readme, so I used the above command with ``--force -i`` to modify via GUI (easy way out) and select all of the bundles

** install windows driver kit build tools, spectre-mitigated for c++ v14.44-17.14 (as of this writing)

** Open new shell - VS shell "x86_x64 shell"

** Kick off the build command as per the readme. Various linker errors, and platform toolset == windowskernelmodedriver10.0 - read the errors very carefully, modify the VS installation, and add whatever's missing. For example: pcifilter.vcxproj build target failed with "toolset == windowskernelmodedriver10.0.xxx can not be found" for all proj files.

** apparently build numbers have to match... VS2022-supported SDK + WDK 26100.6584. Microsoft's current WDK page says VS2022 should use WDK 26100.6584, and Microsoft also says SDK and WDK build numbers must match for driver builds.

*** Somehow they were not available in the UI, so ``winget search microsoft.windowswdk.10.0``, select the one that matches your SDK and install it. For me it was ``261000``.

*** Finally the build is done (I typed it, now let's see if it's true). Mostly successful, but a few errors remain around unknown file encoding for pcifilter.inf in pcifilter.vcxproj.

*** ChatGPT to the rescue: it stated that the WDK is rejecting validation because pcifilter.inf starts with EF BB BF (the UTF-8 byte-order mark)... yes, I also don't speak Chinese. Error: ``pcifilter.inf : error 1003: INF has invalid or unknown file encoding, must be ANSI or UTF-16 LE``

Fix: ``python -c "from pathlib import Path; p=Path(r'D:\av_tools\chipsec\drivers\windows\pcifilter\pcifilter.inf'); s=p.read_text(encoding='utf-8-sig'); p.write_bytes(b'\xff\xfe' + s.encode('utf-16-le'))"``

Rerunning the build: success! Next bullet point. Actually running the thing...
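The one-liner above works for exactly one file that is known to carry a UTF-8 BOM. Here is an added, slightly more general version of the same fix (my own example, not chipsec's code): it inspects the BOM, only rewrites files the WDK would reject, leaves an already-correct UTF-16 LE or plain ANSI INF untouched, and is safe to run twice. The sample INF bytes are constructed.

```python
"""Normalise an INF file's encoding for the WDK's INF validator.

The WDK rejects an INF that starts with the UTF-8 BOM (EF BB BF) with
"error 1003: INF has invalid or unknown file encoding, must be ANSI or
UTF-16 LE". This helper converts BOM-prefixed UTF-8 (and UTF-16 BE)
files to UTF-16 LE with a BOM and returns everything else unchanged.
"""
import sys
from pathlib import Path

UTF8_BOM = b"\xef\xbb\xbf"
UTF16LE_BOM = b"\xff\xfe"
UTF16BE_BOM = b"\xfe\xff"


def to_utf16le(data: bytes) -> bytes:
    """Return INF bytes in a form the WDK accepts; unchanged if already OK."""
    if data.startswith(UTF16LE_BOM):
        return data                         # already UTF-16 LE with BOM
    if data.startswith(UTF8_BOM):
        text = data.decode("utf-8-sig")     # codec strips the UTF-8 BOM
    elif data.startswith(UTF16BE_BOM):
        text = data.decode("utf-16")        # BOM-aware codec handles BE
    else:
        return data                         # no BOM: treated as ANSI, accepted
    return UTF16LE_BOM + text.encode("utf-16-le")


def fix_inf(path: Path) -> bool:
    """Rewrite *path* in place if needed; True when the file was changed."""
    original = path.read_bytes()
    fixed = to_utf16le(original)
    if fixed == original:
        return False
    path.write_bytes(fixed)
    return True


if __name__ == "__main__":
    # Usage: python fix_inf.py <path-to-inf> [more .inf files ...]
    for arg in sys.argv[1:]:
        changed = fix_inf(Path(arg))
        print(f"{arg}: {'converted to UTF-16 LE' if changed else 'unchanged'}")
```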


Hm. Additional TODO:

* turns out the manage-bde command straight up exposes the BitLocker recovery key. So now we have to rotate it as well, and make sure that the MSFT /account thing has the new key. Rotation does seem pretty easy.



The funnies:

* He called me about the same day this happened because the guy on the other end said enough scary stuff to keep him on the phone that he finally hung up. Stuff like: "we found child pornography on your computer, if you don't let me clean it up I'll have to report you - do this and that", "you need to stay on the phone with me and skip your doctor appointment", "do not shut off your computer or disconnect", etc.

* I told him to shutdown his computer immediately, unplug the router (so there is no wifi connection if they changed power settings to always on), and absolutely do not touch it. 

* Instead, he called his internet provider (why?) and they immediately told him to turn the computer on, and started fixing his WiFi. Then they changed the password to something ridiculous, so even he couldn't get back in.

* Lesson here is to immediately take the computer away from your loved ones - they can't stay still and will do stuff to cause further damage.