home >> userland >> Hidden Registry Detection

Uncovering Userland Rootkits through Detection of Hidden Registry Entries

TOP

Registry is the large database where Windows stores all the system, security and software specific settings. It is a tree like structure, which can be viewed or modified using the standard windows utilities such as Regedit.

Reason for Hiding the Registry Entries

TOP

In addition to all system settings, Registry also contains various startup entries for processes and services that are started when Windows starts. For example, all Windows services are stored under the following Registry key,
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'.

Similarly the startup process entries can be found in the following Registry keys,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run

Rootkits generally modifies these entry points to start their own processes, services or drivers. So it's important for the Rootkit to hide these registry entries to prevent its detection from various system-monitoring tools such as Autoruns, HijackThis, etc.

Rootkit Techniques to Hide the Registry Entries

TOP

Rootkits can employ various methods to hide their registry infiltration. One of the most commonly used techniques is hooking the registry API functions such as RegOpenKey, RegEnumKey, RegEnumValue etc. To be more effective, Rootkits typically hook NT version of these functions namely NtOpenKey, NtEnumerateKey and NtEnumerateValueKey. So when any one calls these registry functions, hooked function will return the filtered results there by hiding its presence.

Detection of Hidden Registry Entries

TOP

Most common detection mechanism used in these cases is the cross-view comparison method. In this method initially, high level registry API functions (such as RegEnumKey, RegEnumValue) are used to enumerate the keys and values. Next the lower level methods are used to enumerate same registry keys. Then the both results are compared to determine the hidden Rootkit entries.

Many such lower level techniques exist to enumerate keys. Here we will be discussing about two such prominent methods in detail.

Detecting Hidden Registry Entries Using Direct NT System Call Method

TOP

As mentioned previously, Rootkits hide their registry entries by hooking the lower level NT functions. In order to effectively detect these entries, one can directly invoke those NT functions rather than using API functions. Every NT function in Windows is uniquely identified through its service number (For NtEnumerateKey its 0x47). So instead of calling these NT functions, one can directly call these functions by using INT 2E (for Windows 2K) or Sysenter (Windows XP onwards) instruction by passing the respective service number.

Here is the direct implementation of NtEnumerateKey and NtEnumerateValueKey function, which can be directly called to bypass any API level hooks put by the Rootkits.

//For Windows XP, for other platforms only service number will differ


 _declspec(naked)
 NTSTATUS __stdcall DirectNtEnumerateKey(
		IN HANDLE KeyHandle,
		IN ULONG Index,
		IN KEY_INFORMATION_CLASS KeyInformationClass,
		OUT PVOID KeyInformation,
		IN ULONG KeyInformationLength,
		OUT PULONG ResultLength )
 {

	__asm
	{
			mov eax, 0x47     
			call DirectCall_XP
			ret 0x18
			
		DirectCall_XP:
		
			mov edx, esp
			sysenter
	}	
			
 }

//For Windows XP, for other platforms only service number will differ


 _declspec(naked)
 NTSTATUS __stdcall DirectNtEnumerateValueKey(
	IN HANDLE KeyHandle,
	IN ULONG Index,
	IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
	OUT PVOID KeyValueInformation,
	IN ULONG KeyValueInformationLength,
	OUT PULONG ResultLength )
 { 

		__asm
		{
				mov eax, 0x49     
				call DirectCall_XP
				ret 0x18
				
			DirectCall_XP:
			
				mov edx, esp
				sysenter
		}	
				
 }

Rootkits may also hook the NtOpenKey function to prevent any hidden key from being opened. So it will become useless even if one is able to discover the key name. In such case, one can use direct NtOpenKey function as shown below...

//For Windows XP, for other platforms only service number will differ


  _declspec(naked)
  NTSTATUS __stdcall DirectNtOpenKey(
          		 OUT PHANDLE KeyHandle,
       			 IN ACCESS_MASK DesiredAccess,
                         IN POBJECT_ATTRIBUTES ObjectAttributes )
  {

		__asm
		{
				mov eax, 0x77     
				call DirectCall_XP
				ret 0x0C
				
			DirectCall_XP:
			
				mov edx, esp
				sysenter
		}	
				
  }

Though Rootkits can bypass this technique by hooking the above-mentioned NT functions in the kernel, it presents simple but very effective mechanism to detect any hidden Rootkit registry entries in user land.

Detection of Hidden Registry by Directly Reading Hives

TOP

Entire Windows registry is stored in the different files called Hives in a standard format. A different portion of registry is stored in respective hive files such as SYSTEM, SOFTWARE, SECURITY, SAM, etc. in the 'C:\Windows\System32\Config' folder. Though the internal format of these registry hive file is undocumented, lot of code samples and good amount of documentation can be found on the net.

While these hive files cannot be accessed while Windows is running as they are locked, one can use the API function RegSaveKey or equivalent NT function NtSaveKey to save the registry data to the chosen file. Then this saved file can be manually traversed to get the low level view of the registry entries. Detailed code sample to traverse the hive file can be found in the article [1] 'How to avoid the detection of hidden regkey by hooking RegSaveKeyA' written by EiNSTeiN_. Also the whitepaper [2] 'Detection of Rootkits in Windows registry' by miel-labs explains in detail the complete structure of registry hive file.

Once the registry entries are obtained by traversing the hive file, it is compared against the high level view got through normal registry API functions such as RegEnumKey, RegEnumValue etc. During this process, any additional entries discovered will be marked as hidden rootkit registry entries.

Though this method involves using undocumented registry hive traversal method, it can even uncover the registry entries hidden through kernel land SSDT hooks.

Conclusion

TOP

The techniques described here are from the userland perspective and Rootkits operating in Kernel land can bypass these techniques. Nevertheless these methods present very simple and powerful methods to detect any registry entries hidden by userland Rootkits.

EvilFingers Arsenal




Socialize with RootkitAnalytics

Twitter Feed Blogspot

Links

Rootkits & Enterprise: Enterprise is a major victim to rootkits. What could rootkits do to them?[read more]

Rootkits & Home-users: Do home-users know the seriousness of rootkits? What should a home-user know about rootkits?[read more]

Rootkits & Information Warfare: What does the silent war of intelligence and national security, got to do with rootkit analysis?[read more]

Userland Rootkits: What should one know about userland rootkits?[read more]

Kernelland Rootkits: What should one know about kernelland rootkits?[read more]

ElfStat: ElfStat is a tool designed for detecting any kernel malware that modifies the text segment of the kernel in memory...[read more]

Syscall/Kernel function interception: This is a more stealth method of syscall hijacking without having to directly modify the syscall table; instead the first several bytes of the syscall are overwritten with a jump to the new code...[read more]

Syscall Interception: What should you know about Syscall interception by directly modifying the Syscall table?[read more]

KsiD [Kernel Symbol Interception Detection]: This tool is designed to detect kernel rootkits and kernel malware which hijack syscalls and kernel functions ...[read more]

IDT /dev/kmem rootkit method: This can be done using several methods including overwriting the first several bytes of the syscall with a jump to other code, or modifying the function pointers.[read more]

Hidden Process Detection: Hidden Process Detection [HPD] using Direct NT System Call Implemenation, PIDB (Process ID Bruteforce) method, CSRSS Process Handle Enumeration and other methods...[read more]

Hidden Registry Detection: Reason for Hiding the Registry Entries, Rootkit techniques to hide, and Detecting Hidden Registry Entries Using Direct NT System Call Method and Directly Reading Hives Method...[read more]

Hidden Service Detection: Hidden Rootkit Services Detection Methods...Enumerating Processes with 'NtControlPipe', Hook Bypass Method through Mapped Image, Services Enumerating Child Processes of Services.exe, Enumerating Services Registry Key...[read more]

Syscall Handler Checker [SHC]: This tool simply verifies whether or not the system call handler system_call() has been patched to call a phony sys_call_table. If a phony sys_call_table appears to be in use, a tool like elfstat can be used for further analysis...[read more]

Firmware Rootkits: Firmware is a small static code that runs on devices ranging from consumer electronics to anything that controls heavy machinery...[read more]

Hypervisor Rootkits: This comes under both firmware and hardware rootkits. The reason being, hypervisor is a virtual environment that runs on the hardware, but basically it is a firmware. Hence, we have drawn the line and dropped this rootkit in the firmware category of rootkits...[read more]

Publications: In this section, we are planning to list all the papers that we have published so far that are rootkit related.

Backdoor Ultimate Defender: In this paper (Backdoor.Win32.UltimateDefender.gtz - Reversing) we analyze install.exe that presents the typical structure of an Medium Evoluted Malware, with basical Obfuscated-Dummy Code...[read more]

Socialize: You could socialize with us by many ways...[read more]

About: Learn about rootkit analytics here...[read more]

Contact us: How can you reach us...[read more]

Our Team: Read more about the rootkit analytics team...[read more]

dwtf v1.0: dwtf is a DLL copying engine ... [read more]

Exploring ADS: Alternate Data Stream (ADS) is the lesser known feature of Windows NTFS file system which...[read more]

Installations [from RootkitAnalytics.com]

ToolsCount
~~~~~~~~~~~~~~~~~~~
Elfstat4480
dwtf3593
KsiD3141
SHC2336

NOTE: Our tools are listed in many sites and torrents, which makes it hard for us to track all downloads. Hence, we are listing only the total installations from our website.

Socialize with EvilFingers

Twitter Feed Blogspot LinkedIn Delicious Google

Tweets