
Pavel's Blog

Pavel is a software guy that is interested in almost everything
software related... way too much for too little time

Malware and Hidden Registry Keys


One of the ways malware activates itself after it infiltrates a system is by adding itself to the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run, with a value that runs Rundll32.Exe with the malware DLL (usually a random character combination) and an entry point.

However, if you open RegEdit.Exe and try to find those keys - you usually won't. That's because they're hidden, or to be more precise - hidden from RegEdit.Exe.

RegEdit.Exe uses the Win32 API to query and manipulate the registry. In that API, key and value names are NULL terminated (with the '\0' character). But the Native API (the undocumented API exposed through NtDll.Dll) allows embedded '\0' characters, because a length is provided along with the string and that is all it needs. So if malware creates a value whose name contains an extra NULL, RegEdit will fail to see it (or delete it).
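To make the mechanism concrete, here is a small C model added to this post (not code from the original, and not the Native API itself): a counted string in the shape of NtDll's UNICODE_STRING, a function that shows how far a NULL-terminated consumer such as RegEdit would read it, and a scan that flags the names a Win32 tool could not see or delete. The struct is defined locally as an assumption so the code builds off Windows, and the sample names are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the Native API's UNICODE_STRING (assumption: defined locally so
 * this builds off Windows). Length/MaximumLength are in BYTES and Buffer is
 * UTF-16 with no terminator, exactly as NtDll's definition has it. */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } counted_string_t;

/* Characters a NULL-terminated (Win32 / RegEdit) consumer would see: it stops at
 * the first L'\0' and never consults the counted length. */
size_t win32_visible_chars(const counted_string_t *s) {
    size_t n = s->Length / sizeof(uint16_t);
    for (size_t i = 0; i < n; i++)
        if (s->Buffer[i] == 0) return i;
    return n;
}

/* The value is hidden from Win32 tools when the counted length runs past an
 * embedded NULL: the truncated name no longer identifies this value. */
bool hidden_from_win32(const counted_string_t *s) {
    return win32_visible_chars(s) < s->Length / sizeof(uint16_t);
}

/* Report every name RegEdit could not see or delete; returns how many there are. */
size_t report_hidden(const counted_string_t *names, size_t count) {
    size_t hidden = 0;
    for (size_t i = 0; i < count; i++) {
        size_t total = names[i].Length / sizeof(uint16_t);
        size_t seen = win32_visible_chars(&names[i]);
        if (hidden_from_win32(&names[i])) {
            hidden++;
            printf("HIDDEN value #%zu: %zu chars, Win32 sees only %zu\n", i, total, seen);
        } else {
            printf("ok     value #%zu: %zu chars\n", i, total);
        }
    }
    return hidden;
}

/* Constructed sample names, as a native enumerator might return them. The second
 * mimics the trick in the post: a random-looking name, an embedded NULL, then more. */
static uint16_t sample_plain[]  = { 'U','p','d','a','t','e','r' };
static uint16_t sample_tricky[] = { 'x','k','q','z',0,'h','i','d','d','e','n' };
static const counted_string_t sample_names[] = {
    { 7 * 2, 7 * 2, sample_plain },
    { 11 * 2, 11 * 2, sample_tricky },
};

size_t demo_hidden_count(void) { return report_hidden(sample_names, 2); }
```

A real viewer would fill the same counted strings from NtEnumerateValueKey and compare against what RegOpenKeyEx/RegEnumValue report; any name the two disagree on is worth a closer look.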

The Native API function signatures are "known", but before you attempt to create such a registry editor (or at least viewer), you can try the Reg.Exe tool that is part of Windows.

For example, the command

Reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

will show all the values in that key (including the hidden ones).

Reg Delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v SomeValue

will delete the value SomeValue even if it has a NULL after the name.

Happy malware hunting!


Comments List

# re: Malware and Hidden Registry Keys

Published at Monday, February 16, 2009 3:51 AM by Ralph  

I have tried this fix and it might work except when I do the command -

Reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run  I get an on/off flash. There is information there but it disappears so quickly it is impossible to read anything. Any idea how to slow that down?

My email:  ardee2@yahoo.com

# re: Malware and Hidden Registry Keys

Published at Monday, February 16, 2009 8:58 AM by pavely  

I'm not sure what you mean. Did you open a command prompt before running the query?

# re: Malware and Hidden Registry Keys

Published at Tuesday, February 17, 2009 6:34 PM by Ralph  

Many thanks!!!  Worked well from COMMAND PROMPT.  Three bad values removed and problem fixed. I had been trying to run the query from RUN.

# re: Malware and Hidden Registry Keys

Published at Monday, February 23, 2009 10:51 PM by Mikehell  

This info is very helpful in aiding me in getting rid of a rootkit, but I have a problem.

Using the delete method on a key I know is malware, I get the prompt "are you sure you wish to permanently delete blah blah", I answer yes and then receive: ERROR Access is denied.

How do I delete this key or get bloody permission to???

BTW I only found this key by using RootkitRevealer, as the key is hidden to the API.

# re: Malware and Hidden Registry Keys

Published at Monday, February 23, 2009 10:57 PM by Mikehell  

PS. I forgot to add: if anyone has any info that can help me get permission to delete a key under those circumstances, can they please email me at mikehell5@gmail.com

You can give me the info in the message or just send me a link back here if the info is here.

Many, many thanks in advance :-)

