Yesterday's SANS Internet Storm Center Diary mentioned a Secunia advisory about a vulnerability in regedit and regedt32. Entries longer than 256 characters are not displayed by either of these tools. Malicious code could insert registry entries which could not be found with either of these tools. The diary entry points out the problems if one of these added keys, say, autoran some malware at startup.
The following code messes with your Windows Registry. USE AT YOUR OWN RISK
The first program demonstrates this bug:
use Win32::TieRegistry(Delimiter=>'/'); $| = 1; sub list_content { print join("\n","@_----------------",keys %{$Registry->{"@_"}},""); print "\n\nCheck your registry (HKEY_CURRENT_USER\TEST)...\n" . "Press <Enter> to continue ..."; $_=<>; } my $maxname = 'x'x255; my $testkey = 'CUser/TEST/'; $Registry->{"$testkey/NonEmpty"} = 1; # List All Values in the Test Key &list_content($testkey); # Add a visible key and an invisible key $Registry->{"$testkey/$maxname"} = 1; $Registry->{"$testkey/INVISIBLE$maxname"} = 1; &list_content($testkey); # Remove them again delete $Registry->{"$testkey/$maxname"}; delete $Registry->{"$testkey/INVISIBLE$maxname"}; &list_content($testkey); print "You may want to delete HKEY_CURRENT_USER\\TEST now\n";
The next one recursively searches a provided registry tree for overlong keys and asks how to deal with them:
use Win32::TieRegistry(Delimiter=>'/'); $| = 1; sub process_hidden { my $overlong = shift; print "OVERLONG REGISTRY KEY FOUND:\n$overlong\n\n"; print "Delete or Keep? [D/k] "; $_=<>; chomp; if ( ! /k/i ) { delete $Registry->{$overlong}; } } sub check_content { my $root = shift; for ( keys %{$Registry->{$root}} ) { &check_content("$root/$_") if exists $Registry->{"$root/$_/"}; &process_hidden("$root/$_") if length($_) > 256; } } &check_content(@ARGV);
Both tested in Activestate Perl 5.8.6
In reply to Finding Hidden Keys in Your Windows Registry by idsfa
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |