PerlMonks  
Yesterday's SANS Internet Storm Center Diary mentioned a Secunia advisory about a vulnerability in regedit and regedt32. Entries longer than 256 characters are not displayed by either of these tools. Malicious code could insert registry entries which could not be found with either of these tools. The diary entry points out the problems if one of these added keys, say, autoran some malware at startup.

The following code messes with your Windows Registry. USE AT YOUR OWN RISK

The first program demonstrates this bug:

    use strict;
    use warnings;
    use Win32::TieRegistry ( Delimiter => '/' );
    $| = 1;

    # Print every subkey and value name under a key, then pause so the
    # listing can be compared with what regedit shows for the same key.
    sub list_content {
        my $key = shift;
        print join( "\n", "$key----------------", keys %{ $Registry->{$key} }, "" );
        print "\n\nCheck your registry (HKEY_CURRENT_USER\\TEST)...\n"
            . "Press <Enter> to continue ...";
        $_ = <STDIN>;
    }

    my $maxname = 'x' x 255;        # 255 characters: still displayed by regedit
    my $testkey = 'CUser/TEST/';    # key path; the doubled delimiter in
                                    # "$testkey/Name" addresses a value, not a subkey
    $Registry->{"$testkey/NonEmpty"} = 1;

    # List all values in the test key
    list_content($testkey);

    # Add a visible value (255 chars) and an invisible one (264 chars)
    $Registry->{"$testkey/$maxname"}          = 1;
    $Registry->{"$testkey/INVISIBLE$maxname"} = 1;
    list_content($testkey);

    # Remove them again
    delete $Registry->{"$testkey/$maxname"};
    delete $Registry->{"$testkey/INVISIBLE$maxname"};
    list_content($testkey);

    print "You may want to delete HKEY_CURRENT_USER\\TEST now\n";

The next one recursively searches a provided registry tree for overlong keys and asks how to deal with them:

    use strict;
    use warnings;
    use Win32::TieRegistry ( Delimiter => '/' );
    $| = 1;

    # Report an overlong entry and offer to delete it (default: delete).
    # Read from STDIN explicitly: <> would try to open @ARGV as a file.
    sub process_hidden {
        my $overlong = shift;
        print "OVERLONG REGISTRY KEY FOUND:\n$overlong\n\n";
        print "Delete or Keep? [D/k] ";
        $_ = <STDIN>;
        chomp;
        delete $Registry->{$overlong} unless /k/i;
    }

    # keys() returns subkey names with the delimiter appended ("Sub/") and
    # value names with it prepended ("/Name"), so the delimiter is stripped
    # before measuring and the parent path is joined without doubling it.
    sub check_content {
        my $root = shift;
        ( my $base = $root ) =~ s{/$}{};
        for ( keys %{ $Registry->{$root} } ) {
            my $is_key = m{/$};
            ( my $name = $_ ) =~ s{^/|/$}{}g;
            check_content("$base/$_") if $is_key;
            process_hidden("$base/$_") if length($name) > 256;
        }
    }

    die "usage: $0 Hive/Path  (e.g. CUser/TEST)\n" unless @ARGV;
    check_content( $ARGV[0] );

Both tested in ActiveState Perl 5.8.6


The intelligent reader will judge for himself. Without examining the facts fully and fairly, there is no way of knowing whether vox populi is really vox dei, or merely vox asinorum. -- Cyrus H. Gordon

In reply to Finding Hidden Keys in Your Windows Registry by idsfa
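The same recursive scan as an added example in Python (this is not idsfa's Perl above, nor any Microsoft or Secunia tool). The registry access is separated from the length check so the check can be exercised offline against a constructed in-memory tree; the winreg backend, the HKCU/HKLM/HKU/HKCR command-line abbreviations, the sample tree and the 256-character threshold quoted from the post are all assumptions of this example. A live walk relies on the same point the second Perl program does: RegEnumKey/RegEnumValue return the full names whatever regedit displays.

```python
"""Recursive scan for registry key/value names too long for regedit to show.

Added example, not code from the PerlMonks post. Assumed: the 256-character
display limit quoted in the post, the hive abbreviations in HIVES, and the
constructed SAMPLE_TREE used when no live hive is available.
"""
import sys

try:
    import winreg            # standard library, Windows only
except ImportError:          # elsewhere only the constructed tree can be scanned
    winreg = None

MAX_DISPLAY = 256            # threshold taken from the post (assumption)


def scan(subkeys, values, path="", limit=MAX_DISPLAY):
    """Depth-first walk from `path` using two callbacks:
    subkeys(path) -> subkey names, values(path) -> value names.
    Returns [(kind, parent_path, name)] for every name longer than `limit`;
    the caller decides what to do (the Perl version prompts to delete)."""
    found = []
    try:
        value_names = values(path)
        subkey_names = subkeys(path)
    except OSError:          # e.g. access denied: nothing to report for this key
        return found
    for name in value_names:
        if len(name) > limit:
            found.append(("value", path, name))
    for name in subkey_names:
        if len(name) > limit:
            found.append(("key", path, name))
        child = f"{path}\\{name}" if path else name
        found.extend(scan(subkeys, values, child, limit))
    return found


def dict_backend(tree):
    """Callbacks over a nested dict (constructed data): dict = key, other = value."""
    def node(path):
        n = tree
        for part in (path.split("\\") if path else []):
            n = n[part]
        return n

    def subkeys(path):
        return [k for k, v in node(path).items() if isinstance(v, dict)]

    def values(path):
        return [k for k, v in node(path).items() if not isinstance(v, dict)]

    return subkeys, values


def winreg_backend(hive):
    """Callbacks over a live hive; EnumKey/EnumValue return the complete names."""
    def subkeys(path):
        with winreg.OpenKey(hive, path, 0, winreg.KEY_READ) as k:
            n_keys, _, _ = winreg.QueryInfoKey(k)
            return [winreg.EnumKey(k, i) for i in range(n_keys)]

    def values(path):
        with winreg.OpenKey(hive, path, 0, winreg.KEY_READ) as k:
            _, n_vals, _ = winreg.QueryInfoKey(k)
            return [winreg.EnumValue(k, i)[0] for i in range(n_vals)]

    return subkeys, values


# Constructed sample mirroring the post's test: a 255-char value name (visible),
# a 264-char one (hidden), and an overlong subkey name one level down.
SAMPLE_TREE = {
    "TEST": {
        "NonEmpty": 1,
        "x" * 255: 1,
        "INVISIBLE" + "x" * 255: 1,
        "Sub": {"y" * 300: {}},
    }
}

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}


def main(argv):
    if len(argv) > 1 and winreg is not None:
        hive_abbr, _, start = argv[1].partition("\\")      # e.g. HKCU\TEST
        subkeys, values = winreg_backend(getattr(winreg, HIVES[hive_abbr.upper()]))
    else:
        subkeys, values = dict_backend(SAMPLE_TREE)        # offline demo on constructed data
        start = ""
    for kind, parent, name in scan(subkeys, values, start):
        print(f"OVERLONG {kind} under {parent or '<root>'}: "
              f"{len(name)} chars, begins {name[:16]!r}")


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments to see the scan over the constructed tree; on Windows, `python scan_overlong.py HKCU\TEST` walks the key the first Perl program creates. The scanner only reports; a delete step is deliberately left to the caller, since an overlong name under a Run key is evidence worth preserving before it is removed.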
