Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling
 
PerlMonks  

Finding Hidden Keys in Your Windows Registry

by idsfa (Vicar)
on Aug 25, 2005 at 16:12 UTC ( #486613=CUFP: print w/ replies, xml ) Need Help??

Yesterday's SANS Internet Storm Center Diary mentioned a Secunia advisory about a vulnerability in regedit and regedt32. Entries longer than 256 characters are not displayed by either of these tools. Malicious code could insert registry entries which could not be found with either of these tools. The diary entry points out the problems if one of these added keys, say, autoran some malware at startup.

The following code messes with your Windows Registry. USE AT YOUR OWN RISK

The first program demonstrates this bug:

use Win32::TieRegistry(Delimiter=>'/'); $| = 1; sub list_content { print join("\n","@_----------------",keys %{$Registry->{"@_"}},""); print "\n\nCheck your registry (HKEY_CURRENT_USER\TEST)...\n" . "Press <Enter> to continue ..."; $_=<>; } my $maxname = 'x'x255; my $testkey = 'CUser/TEST/'; $Registry->{"$testkey/NonEmpty"} = 1; # List All Values in the Test Key &list_content($testkey); # Add a visible key and an invisible key $Registry->{"$testkey/$maxname"} = 1; $Registry->{"$testkey/INVISIBLE$maxname"} = 1; &list_content($testkey); # Remove them again delete $Registry->{"$testkey/$maxname"}; delete $Registry->{"$testkey/INVISIBLE$maxname"}; &list_content($testkey); print "You may want to delete HKEY_CURRENT_USER\\TEST now\n";

The next one recursively searches a provided registry tree for overlong keys and asks how to deal with them:

use Win32::TieRegistry(Delimiter=>'/'); $| = 1; sub process_hidden { my $overlong = shift; print "OVERLONG REGISTRY KEY FOUND:\n$overlong\n\n"; print "Delete or Keep? [D/k] "; $_=<>; chomp; if ( ! /k/i ) { delete $Registry->{$overlong}; } } sub check_content { my $root = shift; for ( keys %{$Registry->{$root}} ) { &check_content("$root/$_") if exists $Registry->{"$root/$_/"}; &process_hidden("$root/$_") if length($_) > 256; } } &check_content(@ARGV);

Both tested in Activestate Perl 5.8.6


The intelligent reader will judge for himself. Without examining the facts fully and fairly, there is no way of knowing whether vox populi is really vox dei, or merely vox asinorum. -- Cyrus H. Gordon

Comment on Finding Hidden Keys in Your Windows Registry
Select or Download Code
Re: Finding Hidden Keys in Your Windows Registry
by davidrw (Prior) on Aug 25, 2005 at 17:27 UTC

      Well, I was able to find those keys with the second script, but the delete part needs some work to catch them. Good thing that isn't the issue I'm trying to solve. ;-)

      Here's the fixed version:

      use Win32::TieRegistry(Delimiter=>'/'); $| = 1; sub process_hidden { my ($root, $tgt) = @_; print "HIDDEN REGISTRY KEY FOUND:\n$root/$tgt\n\n"; print "Delete or Keep? [D/k] "; $_=<>; chomp; if ( ! /k/i ) { delete $Registry->{$root}->{$tgt}; } } sub check_content { for ( keys %{$Registry->{$root}} ) { &check_content("$root/$_") if exists $Registry->{"$root/$_/"}; &process_hidden($root,$_) if (length($_) > 256 || index($_,"\0") >= 0); } } &check_content("CUser/TEST/");

      Also, my regedit had no problem deleting that key ... perhaps that is an old bug? The page you reference is from 1999 ...


      The intelligent reader will judge for himself. Without examining the facts fully and fairly, there is no way of knowing whether vox populi is really vox dei, or merely vox asinorum. -- Cyrus H. Gordon
        hmm.. my regedit32 on windowsXP threw an error trying to delete it.. That site tends to stay up to date; and if you haven't poked around there, has some really great windows utilities including RegMon and FileMon -- well worth the time to browse their utilities section.
        One nit...
        if ( ! /k/i )
        The "anything but /k/i deletes" mentality is not friendly to big fat fingers. Since this *is* the registry, I'd be extra cautious about BFFS (Big Fat Finger Syndrome).

        -QM
        --
        Quantum Mechanics: The dreams stuff is made of

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: CUFP [id://486613]
Approved by herveus
Front-paged by ww
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others musing on the Monastery: (17)
As of 2014-07-24 18:52 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (165 votes), past polls