http://qs1969.pair.com?node_id=486613

Yesterday's SANS Internet Storm Center Diary mentioned a Secunia advisory about a vulnerability in regedit and regedt32. Entries longer than 256 characters are not displayed by either of these tools. Malicious code could insert registry entries which could not be found with either of these tools. The diary entry points out the problems if one of these added keys, say, autoran some malware at startup.

The following code messes with your Windows Registry. USE AT YOUR OWN RISK

The first program demonstrates this bug:

    use Win32::TieRegistry(Delimiter=>'/');
    $| = 1;

    # Print everything TieRegistry sees under the given key, then pause
    sub list_content {
        print join("\n","@_----------------",keys %{$Registry->{"@_"}},"");
        print "\n\nCheck your registry (HKEY_CURRENT_USER\\TEST)...\n"
            . "Press <Enter> to continue ...";
        $_=<>;
    }

    my $maxname = 'x'x255;
    my $testkey = 'CUser/TEST/';
    $Registry->{"$testkey/NonEmpty"} = 1;

    # List All Values in the Test Key
    &list_content($testkey);

    # Add a visible key and an invisible key
    $Registry->{"$testkey/$maxname"} = 1;
    $Registry->{"$testkey/INVISIBLE$maxname"} = 1;
    &list_content($testkey);

    # Remove them again
    delete $Registry->{"$testkey/$maxname"};
    delete $Registry->{"$testkey/INVISIBLE$maxname"};
    &list_content($testkey);

    print "You may want to delete HKEY_CURRENT_USER\\TEST now\n";

The next one recursively searches a provided registry tree for overlong keys and asks how to deal with them:

    use Win32::TieRegistry(Delimiter=>'/');
    $| = 1;

    sub process_hidden {
        my $overlong = shift;
        print "OVERLONG REGISTRY KEY FOUND:\n$overlong\n\n";
        print "Delete or Keep? [D/k] ";
        $_=<>;
        chomp;
        if ( ! /k/i ) {
            delete $Registry->{$overlong};
        }
    }

    sub check_content {
        my $root = shift;
        for ( keys %{$Registry->{$root}} ) {
            &check_content("$root/$_") if exists $Registry->{"$root/$_/"};
            &process_hidden("$root/$_") if length($_) > 256;
        }
    }

    &check_content(@ARGV);

Both tested in ActiveState Perl 5.8.6.


The intelligent reader will judge for himself. Without examining the facts fully and fairly, there is no way of knowing whether vox populi is really vox dei, or merely vox asinorum. -- Cyrus H. Gordon

Re: Finding Hidden Keys in Your Windows Registry
by davidrw (Prior) on Aug 25, 2005 at 17:27 UTC

      Well, I was able to find those keys with the second script, but the delete part needs some work to catch them. Good thing that isn't the issue I'm trying to solve. ;-)

      Here's the fixed version:

          use Win32::TieRegistry(Delimiter=>'/');
          $| = 1;

          sub process_hidden {
              my ($root, $tgt) = @_;
              print "HIDDEN REGISTRY KEY FOUND:\n$root/$tgt\n\n";
              print "Delete or Keep? [D/k] ";
              $_=<>;
              chomp;
              if ( ! /k/i ) {
                  delete $Registry->{$root}->{$tgt};
              }
          }

          sub check_content {
              my $root = shift;
              for ( keys %{$Registry->{$root}} ) {
                  &check_content("$root/$_") if exists $Registry->{"$root/$_/"};
                  &process_hidden($root,$_) if (length($_) > 256 || index($_,"\0") >= 0);
              }
          }

          &check_content("CUser/TEST/");

      Also, my regedit had no problem deleting that key ... perhaps that is an old bug? The page you reference is from 1999 ...


      The intelligent reader will judge for himself. Without examining the facts fully and fairly, there is no way of knowing whether vox populi is really vox dei, or merely vox asinorum. -- Cyrus H. Gordon
        Hmm... my regedit32 on Windows XP threw an error trying to delete it. That site tends to stay up to date, and if you haven't poked around there, it has some really great Windows utilities including RegMon and FileMon -- well worth the time to browse their utilities section.
        One nit...
        if ( ! /k/i )
        The "anything but /k/i deletes" mentality is not friendly to big fat fingers. Since this *is* the registry, I'd be extra cautious about BFFS (Big Fat Finger Syndrome).

        -QM
        --
        Quantum Mechanics: The dreams stuff is made of
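
A report-only variant of the scan discussed in this thread, added here as an example (not code from any of the posters): it opens keys read-only, flags value and subkey names that are longer than 256 characters or contain a NUL, and never deletes, so a mistyped answer cannot change the registry. The sub names and the default Run-key roots are assumptions for illustration; other roots such as CUser/TEST/ can be passed on the command line.

```perl
use strict;
use warnings;
use Win32::TieRegistry ( Delimiter => '/' );
use Win32API::Registry qw( KEY_READ );

$| = 1;
my $LIMIT = 256;    # threshold used by the scripts in this thread

# Why a name would be flagged; empty list if it looks normal.
sub reasons {
    my ($name) = @_;
    my @why;
    push @why, 'length ' . length($name) . " > $LIMIT" if length($name) > $LIMIT;
    push @why, 'embedded NUL' if index( $name, "\0" ) >= 0;
    return @why;
}

# Print one finding; returns 1 if the name was flagged, else 0.
sub report {
    my ( $kind, $path, $name ) = @_;
    my @why = reasons($name) or return 0;
    ( my $shown = substr( $name, 0, 40 ) ) =~ s/\0/\\0/g;    # printable prefix
    print "$kind in $path\n  starts: $shown\n  reason: @why\n";
    return 1;
}

# Walk one key read-only (hypothetical helper); returns the finding count.
# Note: with '/' as delimiter, subkeys whose names contain '/' are not followed.
sub audit {
    my ($path) = @_;
    $path .= '/' unless $path =~ m{/\z};
    my $key = $Registry->Open( $path, { Access => KEY_READ(), Delimiter => '/' } );
    unless ($key) { warn "skipped $path: $^E\n"; return 0; }
    my $found = 0;
    $found += report( 'VALUE', $path, $_ ) for $key->ValueNames;
    for my $sub ( $key->SubKeyNames ) {
        $found += report( 'KEY', $path, $sub );
        $found += audit("$path$sub/");
    }
    return $found;
}

# Assumed default roots: the per-user and machine-wide Run (autostart) keys.
my @roots = @ARGV ? @ARGV : (
    'CUser/Software/Microsoft/Windows/CurrentVersion/Run/',
    'LMachine/Software/Microsoft/Windows/CurrentVersion/Run/',
);
my $total = 0;
$total += audit($_) for @roots;
print "$total flagged name(s); nothing was modified.\n";
```

Keys that cannot be opened with read access are reported on STDERR and skipped, so a partial scan is visible rather than silent.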