| |
| |
| Hidden Registry Detection |
| |
| |
| |
|
|
|
| |
| |
| |
|
|
| |
| |
|
Registry is the large database where Windows stores all the
system, security and software specific settings. It is a tree like
structure, which can be viewed or modified using the standard
windows utilities such as Regedit.exe (start->run->
regedit) .
|
|
|
In addition to all system settings, Registry also contains
various startup entries for processes and services that are
automatically started
when Windows starts. For example, all Windows services are stored
under the following Registry key,
|
| |
| 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'. |
| |
| Similarly some of the startup process entries can be found in the following
Registry locations, |
| |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run |
| |
| |
| |
|
| Rootkits generally modifies these entry points to start their own
processes, services or drivers. So it's important for the Rootkit to
hide these registry entries to prevent its detection from various
system-monitoring tools such as Autoruns, HijackThis, etc. |
| |
Rootkits use various methods to hide their registry infiltration.
One of the most commonly used techniques is hooking the registry API
functions such as RegOpenKey, RegEnumKey, RegEnumValue etc. All of these
top level API functions in turn will call low level NT functions such as
NTOpenKey, NtEnumerateKey and NtEnumerateValueKey etc. So in order
to be more effective, Rootkits typically hook NT version of these
functions.
As a result whenever any application calls
these registry functions, Hooked Rootkit function will return the filtered
results there by hiding its presence. |
| |
| |
| |
|
Most common detection mechanism used in these cases is the cross-view
comparison method. In this method initially, high level registry API
functions (such as RegEnumKey, RegEnumValue) are used to enumerate the
keys and values. Next some of the advanced techniques are used to enumerate
the same
registry keys. Then the both results are compared to find out the
hidden Rootkit entries.
Many such lower level techniques are present to detect hidden registry
keys. Here we will discuss about two such prominent methods in detail.
|
| |
| |
| |
|
As mentioned previously, Rootkits hide their registry entries by
hooking the lower level NT functions. In order to effectively detect
these entries, one can directly invoke those NT functions rather than
using API functions. Every NT function in Windows is uniquely identified
through its service number (For NtEnumerateKey its 0x47). So instead of
calling these NT functions, one can directly call these functions by
using INT 2E (for Windows 2K) or Sysenter (Windows XP onwards)
instruction by passing the respective service number.
Here is the direct implementation of NtEnumerateKey and
NtEnumerateValueKey function, which can be directly called to bypass any
API level hooks put by the Rootkits.
|
|
|
|
//For Windows XP, for other platforms only service number will differ
_declspec(naked)
NTSTATUS __stdcall DirectNtEnumerateKey(
IN HANDLE KeyHandle,
IN ULONG Index,
IN KEY_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation,
IN ULONG KeyInformationLength,
OUT PULONG ResultLength )
{
__asm
{
mov eax, 0x47
call DirectCall_XP
ret 0x18
DirectCall_XP:
mov edx, esp
sysenter
}
}
//For Windows XP, for other platforms only service number will differ
_declspec(naked)
NTSTATUS __stdcall DirectNtEnumerateValueKey(
IN HANDLE KeyHandle,
IN ULONG Index,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
OUT PVOID KeyValueInformation,
IN ULONG KeyValueInformationLength,
OUT PULONG ResultLength )
{
__asm
{
mov eax, 0x49
call DirectCall_XP
ret 0x18
DirectCall_XP:
mov edx, esp
sysenter
}
}
|
| |
| |
|
Rootkits may also hook the NtOpenKey function to prevent any hidden
key from being opened. So it will become useless even if one is able to
discover the key name. In such case, one can use direct NtOpenKey
function as shown below...
|
| |
|
//Note that this code is written for Windows XP. For other platforms
only service number will differ
_declspec(naked)
NTSTATUS __stdcall DirectNtOpenKey(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes )
{
__asm
{
mov eax, 0x77
call DirectCall_XP
ret 0x0C
DirectCall_XP:
mov edx, esp
sysenter
}
}
|
| |
| Though Rootkits can bypass this technique by hooking the
above-mentioned NT functions in the kernel, it presents simple but very
effective mechanism to detect any hidden Rootkit registry entries in
user land. |
| |
| |
| |
| |
|
Windows stores the entire registry contents into the different files called Hives
in a standard format. A different portion of registry is stored in
respective hive files such as SYSTEM, SOFTWARE,
SECURITY, SAM, etc. in
the 'C:\Windows\System32\Config' folder.
Here is the table showing the mapping between the registry section and
corresponding registry hive file.
|
| |
| HKEY_CURRENT_USER |
NTuser.dat |
| HKEY_LOCAL_MACHINE\SAM |
SAM |
| HKEY_LOCAL_MACHINE\SECURITY |
SECURITY |
| HKEY_LOCAL_MACHINE\SOFTWARE |
SOFTWARE |
| HKEY_LOCAL_MACHINE\SYSTEM |
SYSTEM |
| HKEY_USERS\DEFAULT |
DEFAULT |
| |
|
|
|
|
|
Though the internal format of
these registry hive file is undocumented, lot of code samples and good
amount of documentation can be found on the net. These hive files are
generally locked while Windows is running and hence remains
inaccessible. However if you like to understand internal storage
structure of these hive files, you can use the API function such as
RegSaveKey (or equivalent
NT function NtSaveKey) to save any registry section to
the chosen file. Then you can manually traverse through this hive file
to decipher the low level of registry entries.
Detailed code sample to traverse the hive file can
be found in the article [1] 'How to avoid the detection of hidden
regkey by hooking RegSaveKeyA' written by EiNSTeiN_. Also the whitepaper
[2] 'Detection of Rootkits in Windows registry'
by miel-labs
explains in detail the complete structure of registry hive file.
In this detection method, all registry entries are retrieved by
traversing through these hive files. Then this list is compared against the high level
list obtained through normal registry
API functions such as RegEnumKey, RegEnumValue etc. At the end any
additional entries discovered will be marked as Hidden Rootkit registry
entries.
Though this method involves using undocumented registry hive
traversal method, it is very effective method in detecting the registry
entries hidden through even the Kernel level hooks (such as SSDT hooks).
|
| |
| |
| |
|
| This article shows why Rootkits hide their registry entries
and some of the methods which can be used to detect such hidden entries
to reveal the traces of Rootkits. Though some of these techniques can be
bypassed by
Rootkits operating in Kernel land, these methods present very simple and powerful methods to
detect any registry entries hidden by userland Rootkits. |
| |
| |
| |
|
1.
How to avoid the detection of hidden regkey by hooking RegSaveKeyA
2.
Detection of Rootkits in Windows registry
3.
How to become unseen on Windows NT by HxDef |
| |
| |
| |
|
|
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
