Government Security
Network Security Resources


How To Exploit Windows Registry To Find Hidden Registry Key?


10 replies to this topic

#1 draggy

draggy

    Private First Class

  • Members
  • 39 posts

Posted 18 April 2008 - 07:16 AM

Hello professionals,

:D

Well, I got a question, which is:

How to exploit the Windows registry to uncover or find a hidden registry key?

For example, a video graphics card has a special feature which can be activated by using a Windows registry key. Since nobody knows about it, the question is: how can we uncover or find this "special" Windows registry key?

Thank you

#2 Guest_DiabloHorn_*

Guest_DiabloHorn_*
  • Guests

Posted 18 April 2008 - 09:01 AM

a) monitor the installation of the video card software with regmon.
b) reverse engineer the installation software

#3 draggy

draggy

    Private First Class

  • Members
  • 39 posts

Posted 20 April 2008 - 09:46 PM

> a) monitor the installation of the video card software with regmon.
> b) reverse engineer the installation software

> a) monitor the installation of the video card software with regmon.

What if that particular registry key is not specified during the installation?

> b) reverse engineer the installation software or graphic card driver :D

Most probably, this is the best idea :D , however is there any simpler way? Something like
"debug /all", where it prints out all the hidden registry keys?

Thank you

#4 SickO

SickO

    Private First Class

  • Members
  • 25 posts

Posted 20 April 2008 - 10:10 PM

> > a) monitor the installation of the video card software with regmon.
> > b) reverse engineer the installation software
>
> > a) monitor the installation of the video card software with regmon.
>
> What if that particular registry key is not specified during the installation?
>
> > b) reverse engineer the installation software or graphic card driver :D
>
> Most probably, this is the best idea :D , however is there any simpler way? Something like
> "debug /all", where it prints out all the hidden registry keys?
>
> Thank you


There are two programs I've come across which maybe could help you.

This: hxxp://www.snapfiles.com/get/erunt.html
and for the second I would suggest reading this thread, which was discussed here some days ago.
(The second one was mentioned above by DiabloHorn.)

#5 sarkar112

sarkar112

    Staff Sergeant

  • Sergeant Major
  • 340 posts

Posted 20 April 2008 - 10:51 PM

> b) reverse engineer the installation software or graphic card driver :D
>
> Most probably, this is the best idea :D , however is there any simpler way? Something like
> "debug /all", where it prints out all the hidden registry keys?

Reverse engineering the software should be fairly easy; attach a debugger and place a breakpoint on all API calls pertaining to the registry. Explore the application a bit and you should find what you need.
"The quieter you become, the more you can hear." -Baba Ram Dass
PGP: 0x6C767D75

#6 enodr

enodr

    Private First Class

  • Members
  • 62 posts

Posted 21 April 2008 - 12:15 AM

Using a debugger would be overkill. A typical program will try to read and write hundreds of registry keys (ok, maybe I am exaggerating a bit).

Simply use regmon.exe. It will tell you which keys the program tries to open / read / write, and if the key was found. If your program tries to use a "non documented" registry key, you will spot it easily. But then knowing what the registry keys are used for is another story (especially if they don't come with a fancy name like "SuperHiddenFeatureEnabled").

#7 Edu

Edu

    First Sergeant

  • Members
  • 2,269 posts

Posted 21 April 2008 - 12:40 PM

There's no such thing as creating hidden registry keys or values, unless you find a vulnerability in the registry editor so you can create a key which the registry editor is somehow not able to display, but which is there. Also, you would need to come up with a vuln that affected regedit.exe, regedt32.exe, regini.exe and reg.exe (am I missing any other native registry tool??).
What may happen is a program creating a key or value under an uncommon registry path. Also, depending on the software, it may not store all its settings in the registry; it may store them in an ini file (a configuration file; it could have any other extension, not just ini), for example.
By the way, there was a vuln like this in regedit some time ago. Do a Google search and you will find it; I guess it was posted here too.
http://www.secumania.net - Secumania security blog.


#8 enodr

enodr

    Private First Class

  • Members
  • 62 posts

Posted 24 April 2008 - 01:15 AM

I think the question was not formulated clearly. From what I understand, "hidden registry keys" here means keys that may not be "installed" by default by the program, but that would be used by it if added.

For example, my software could look for a registry key named "SpecialFeatureEnabled" and if not present do nothing, else enable the "Special feature".

The challenge is: how to discover the names of those registry keys that may not be present in the registry, but that would be used if they were added.

Is this what you meant Draggy?

#9 rave23

rave23

    Private First Class

  • Members
  • 37 posts

Posted 24 April 2008 - 03:37 PM

I would use RegMon and monitor the given program.
It shows you exactly what is being accessed, and what sort of reply the program got (i.e. a value, an error because it doesn't exist, etc.)!
In theory, that way you can find out if the program is trying to access a reg. key in order to enable features.
Most programs don't roll that way though :( It's just too damn easy to get around.

I believe that dude is talking about the pipelines on his graphics card though. I heard there are some low-end versions of graphics cards that are equal to their high-end version, and the only thing that's different is the amount of enabled pipelines on the card. This however is a hardware thing, and has nothing to do with the Windows registry. It has to be hard-coded into the card, or made accessible in some other way, like a jumper, or a bridge on the card, that when being closed or opened returns a value of 0 or 1. Say 32 pipelines are available, but the card actually just uses 16 of them, IF a certain value at a certain address is either true or false (open-closed, 0-1, yes-no, whatever).

Or it is simply a thing of the chipset, meaning if you're able to flash the chip and get the image of the "unlocked" card somewhere, you are able to enable these features that way. On a software level you won't get far, and you probably need a solid knowledge of what the heck you're doing.

But like I said, I might be totally mistaken, and he really just wonders about a software thing. In that case, regmon is the way to go. Filter out the specific process and see what it's doing. I know about some programs that use a way to get around this kind of attack though. They simply use another process to query the reg value, for example explorer.exe. This way it's more likely that you won't get what's going on, since explorer naturally makes A LOT of queries. It's just easier to hide something in a huge stream of data, rather than having a simple process calling for something, that stands out like a hooker in prison.
If the program uses reg. values to enable features, this is really the only way to find out for sure. But most programs just don't do that. They use the registry to store common settings and values, and have the stuff that actually leads to profit in something way less accessible. Like, they might store the serial you entered, but they won't store if it's valid or not. That is checked by the program over and over again every time it starts. That is actually the case with a lot of programs. They store the serial in the registry, and access it at every start. Then that serial is validated internally. That is why you see so many keygens using .reg files, AND a patch for the .exe! The patch just makes sure that whatever serial is fed into the program, the outcome is true. That way you can have the program registered to your own name/company, and it still works fine.

cheers,
Rave23
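The regmon approach that enodr (#6, #8) and rave23 (#9) describe comes down to one filter: which registry paths did the process ask for that came back NAME NOT FOUND? The Python below is an added example, not code posted by anyone in this thread. It applies that filter to a CSV export in the column layout I'm assuming Process Monitor (regmon's successor) produces by default; the process name, PID, key paths and log lines are constructed sample data, not a real capture.

```python
"""Find registry keys a program looks for that are absent from the registry.

Added example, not code from this thread. It reads a Process Monitor-style
CSV export (assumed default column layout: Time of Day, Process Name, PID,
Operation, Path, Result, Detail), keeps the registry operations of one
process, and reports the paths that returned NAME NOT FOUND. A program that
probes an optional "SpecialFeatureEnabled"-style setting shows up exactly
there: it asks for a value that nobody ever wrote.
"""
import csv
import io
from collections import Counter

# Constructed sample capture (process names, PIDs and paths are made up).
SAMPLE_LOG = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1","gfxpanel.exe","1234","RegOpenKey","HKLM\SOFTWARE\ExampleGfx","SUCCESS","Desired Access: Read"
"9:01:02.2","gfxpanel.exe","1234","RegQueryValue","HKLM\SOFTWARE\ExampleGfx\SpecialFeatureEnabled","NAME NOT FOUND","Length: 4"
"9:01:02.3","gfxpanel.exe","1234","RegQueryValue","HKLM\SOFTWARE\ExampleGfx\SpecialFeatureEnabled","NAME NOT FOUND","Length: 4"
"9:01:02.4","gfxpanel.exe","1234","RegQueryValue","HKLM\SOFTWARE\ExampleGfx\Version","SUCCESS","Type: REG_SZ, Length: 12, Data: 1.0"
"9:01:02.5","gfxpanel.exe","1234","RegOpenKey","HKCU\Software\ExampleGfx\Debug","NAME NOT FOUND","Desired Access: Read"
"9:01:02.6","gfxpanel.exe","1234","RegCloseKey","HKLM\SOFTWARE\ExampleGfx","SUCCESS",""
"9:01:03.0","explorer.exe","888","RegQueryValue","HKCU\Software\ExampleShell\Setting","NAME NOT FOUND","Length: 16"
"9:01:03.1","explorer.exe","888","RegOpenKey","HKCU\Software\ExampleShell","SUCCESS","Desired Access: Read"
'''

# Operations that look a key or value up. RegCloseKey and friends say
# nothing about whether a setting exists, so they are left out.
LOOKUP_OPS = {"RegOpenKey", "RegQueryValue", "RegQueryKey", "RegEnumValue", "RegEnumKey"}


def parse_procmon_csv(text):
    """Return the rows of a Procmon CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def result_counts(rows, process_name):
    """Count the outcome of every registry operation made by one process.

    This is the unfiltered view enodr warns about: the raw stream is busy
    even for a small program, and the interesting rows hide inside it.
    """
    counts = Counter()
    for row in rows:
        if row["Process Name"].lower() == process_name.lower() and row["Operation"].startswith("Reg"):
            counts[row["Result"]] += 1
    return dict(counts)


def missing_registry_probes(rows, process_name):
    """Map each registry path the process probed without success to how often it did so.

    Only lookup operations count, and only NAME NOT FOUND results: a value
    the program keeps asking for but never finds is the candidate for an
    optional switch it would honour if someone created it.
    """
    probes = Counter()
    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] in LOOKUP_OPS and row["Result"] == "NAME NOT FOUND":
            probes[row["Path"]] += 1
    return dict(probes)


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_LOG)
    print("all registry results:", result_counts(rows, "gfxpanel.exe"))
    # Most frequently probed missing paths first.
    for path, n in sorted(missing_registry_probes(rows, "gfxpanel.exe").items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}x  {path}")
```

Filtering on the process name is what rave23's remark about explorer.exe is about: if the setting is read through another process, the filter has to follow that process instead, and the NAME NOT FOUND rows are buried in its much larger stream. Rerunning `missing_registry_probes` with the other process name is the same query, just against more noise.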

#10 riotz

riotz

    Specialist

  • Members
  • 118 posts

Posted 24 April 2008 - 03:40 PM

just hack the gibson and find the garbage file! :ph34r:

#11 Opawesome

Opawesome

    Private First Class

  • Members
  • 31 posts

Posted 01 June 2008 - 03:57 PM

> just hack the gibson and find the garbage file! :ph34r:

WTH is that supposed to mean?

Also, maybe we could help more if you give us the name of the card you're talking about.
