Windows Registry Forensics


This blog post will cover how registry keys are stored in memory.

There are many good tools available to extract windows registry information from memory or dump but it's always good to learn how the information is stored in memory and how these tools are extracting it.

Windows Registry (Configuration Manager) in memory is represented using CMHIVE structure.You can view CMHIVE structure here https://www.nirsoft.net/kernel_struct/vista/CMHIVE.html. More about Registry structure can be found here https://binaryforay.blogspot.in/2015/01/registry-hive-basics.html.

We can locate CMHIVE structure in memory by scanning pool tag value CM10. The pool tag is part of POOL_HEADER (https://www.nirsoft.net/kernel_struct/vista/POOL_HEADER.html).The size of POOL_HEADER structure is 8 bytes in 32-bit OS and lies above CMHIVE structure in memory.Below is the result of command !poolfind <tag> <pooltype> in windbg where tag is CM10 and pooltype =1 (paged pool).

Below is the POOL_HEADER structure at virtual address 0x89bae2a0.

As we discussed above structure CMHIVE representing Registry hive lies below POOL_HEADER.
Adding 8 (size of POOL_HEADER struct for 32-bit) byte to POOL_HEADER address structure we get CMHIVE structure as shown below.

But we can use windbg !reg hivelist command to locate registry hives in memory.The command to execute is show below.

As highlighted above is USER hive and is stored in file ntuser.dat on disk.We will see how values of node key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run stored in memory.

First Member of CMHIVE structure is HHIVE structure. HHIVE structure contains information how registry entries are stored in memory.

The DUAL structure which is member of HHIVE structure as highlighted in above image contains mapping of Registry hive cells to virtual address's in memory.

The HMAP_DIRECTORY structure contains Directory member which consist of 1024 elements and size of each elements is 4 bytes and each element points to HMAP_TABLE structure as shown below.
HMAP_TABLE structure contains 512 HMAP_ENTRY structures and size of  a HMAP_ENTRY structure is 0x10 bytes as shown below.


BlockAddress member of HMAP_ENTRY table points to Registry hive which starts with header hbin as shown in below image.

Node key information in Registry hive starts with header nk as shown in below image.

The node key (nk)  is represented using CM_KEY_NODE structure as shown in below image node key CurrentVersion.

SubKeyCounts member of CM_KEY_NODE structure as shown in above image contains number of Sub Keys CurrentVersion node key has under it. SubKeyCounts member is an array of two elements where 0th element contains count (0x15) of non volatile sub keys where as 1st element contains count (0x0) of volatile sub keys. 

SubKeyLists member of CM_KEY_NODE contains two elements where 0th element contains cell index (0x67388) of non volatile sub keys and 1st element contains cell index (0xFFFFFFFF) of volatile sub keys.

As discussed above DUAL structure member of HHIVE structure contains information to map cell index to virtual memory.We can convert a cell index to virtual memory as shown below.
cell index bits representation - 
Bit 0 - Indicates whether the key is stable or volatile. Stable keys can also be found in the registry file on disk, whereas volatile keys are found only in memory.
Bits 1–10 - An index into the Directory member.
Bits 11–19 - An index into the Table member.
Bits 20–31 - The offset within the BlockAddress of where the key data resides. This is the cell within the registry. The cell contains the length of the data. Therefore, after you find the offset within the BlockAddress, you must add 4 to get to the actual data.

windg command !reg cellindex <HiveAddress> <cellindex>  performs above steps to convert cell index to virtual memory. HiveAddress is virtual address of CMHIVE structure.
In above image cell index 0x67388 is converted to virtual address 0x91eb638c.

As highlighted in above image header at address 0x91eb638c is lf.


As per LF Node template Run sub key offset(cell index) is 0x019730. Again converting cell index of Run sub key to virtual address.
In above image cell index 0x019730 is converted to virtual address 0x89be6734 which contains Run node key information as shown in below image.
As discussed above node key is represented using CM_NODE_KEY structure.

ValueList which is a CHILD_LIST structure contains the information about number of value keys under Run node key
Count - number of value keys. 
List - contains cell indexes for value keys. 
Address of List is also in form of cell index.Converting cell index to get virtual address of List.
In above image cell index 0x7de78 is converted to virtual address 0x91ecce7c. List is represented by below structure.
Highlighted below is Offset (cell index) of 2 elements of List which is member of CHILD_LIST structure of CM_NODE_KEY structure.
Offset(cell index) 0x70828 is converted to virtual address 0x91ebf82c.

As shown in above image, header value at address 0x91ebf82c is vk and used for Value Key and is represented by structure CM_KEY_VALUE. Name of the Value Key is malware.

Data member of CM_KEY_VALUE points to cell index which contains data of malware Value Key.cell index 0x7b320 is converted to virtual address 0x91eca324.
Data of Value Key malware is stored at virtual address 0x91eca324 as shown below.
Now converting 2nd Offset (cell index) 0x07f810 from List to virtual memory address.

As shown in above image, header at virtual address 0x91ece814 is nk and used for Value Key and is represented by structure CM_KEY_VALUE. Name of the Value Key is IyFxHT.exe.

Data member of CM_KEY_VALUE points to cell index which contains data of IyFxHT.exe Value Key.cell index 0x7f838 is converted to virtual address 0x91ece83c.
Data of  Value Key IyFxHT.exe is stored at virtual address 0x91eca324 as shown below.

Comments

  1. franklinj17 October 2019 at 21:32

    I was facing issues while using 'regedit' figured out it to be a registry issue on my windows, however a Factory reset windows resolved the issue for me and has restored the registry to it's default.

    ReplyDelete
  2. Shron Prysock7 May 2020 at 15:27


    BEST WAY TO HAVE GOOD AMOUNT TO START A GOOD BUSINESS or TO START LIVING A GOOD LIFE….. Hack and take money directly from any ATM Machine Vault with the use of ATM Programmed Card which runs in automatic mode. email (williamshackers@hotmail.com) for how to get it and its cost . ………. EXPLANATION OF HOW THESE CARD WORKS………. You just slot in these card into any ATM Machine and it will automatically bring up a MENU of 1st VAULT $1,000, 2nd VAULT $2,000, RE-PROGRAMMED, EXIT, CANCEL. Just click on either of the VAULTS, and it will take you to another SUB-MENU of ALL, OTHERS, EXIT, CANCEL. Just click on others and type in the amount you wish to withdraw from the ATM and you have it cashed instantly… Done. ***NOTE: DON’T EVER MAKE THE MISTAKE OF CLICKING THE “ALL” OPTION. BECAUSE IT WILL TAKE OUT ALL THE AMOUNT OF THE SELECTED VAULT. email (williamshackers@hotmail.com) We are located in USA.

    ReplyDelete
  3. Caro Williams27 January 2021 at 02:27

    PLEASE READ!!Hello Guys!!!I am Caro I live in Ohio USA I’m 32 Years old, am so happy I got my blank ATM card from Adriano. My blank ATM card can withdraw $4,000 daily. I got it from Him last week and now I have withdrawn about $10,000 for free. The blank ATM withdraws money from any ATM machines and there is no name on it because it is blank just your PIN will be on it, it is not traceable and now I have money for business, shopping and enough money for me and my family to live on.I am really glad and happy i met Adriano because I met Five persons before him and they could not help me. But am happy now Adriano sent the card through DHL and I got it in two days. Get your own card from him right now, he is giving it out for small fee to help people even if it is illegal but it helps a lot and no one ever gets caught or traced. I’m happy and grateful to Adriano because he changed my story all of a sudden. The card works in all countries that is the good news Adriano’s email address is adrianohackers01@gmail.com.

    ReplyDelete
  4. No Name19 March 2021 at 17:26

    **SELLING SSN+DOB FULLZ**

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    >>1$ each without DL/ID number
    >>2$ each with DL
    >>5$ each for premium (also included relative info)

    *Will reduce price if buying in bulk
    *Hope for a long term business

    FORMAT OF LEADS/FULLZ/PROS

    ->FULL NAME
    ->SSN
    ->DATE OF BIRTH
    ->DRIVING LICENSE NUMBER WITH EXPIRY DATE
    ->COMPLETE ADDRESS
    ->PHONE NUMBER, EMAIL, I.P ADDRESS
    ->EMPLOYMENT DETAILS
    ->REALTIONSHIP DETAILS
    ->MORTGAGE INFO
    ->BANK ACCOUNT DETAILS

    >Fresh Leads for tax returns & w-2 form filling
    >Payment mode BTC, ETH, LTC, PayPal, USDT & PERFECT MONEY

    ''OTHER GADGETS PROVIDING''

    >SSN+DOB Fullz
    >CC with CVV
    >Photo ID's
    >Dead Fullz
    >Carding Tutorials
    >Hacking Tutorials
    >SMTP Linux Root
    >DUMPS with pins track 1 and 2
    >Sock Tools
    >Server I.P's
    >HQ Emails with passwords

    Email > leads.sellers1212@gmail.com
    Telegram > @leadsupplier
    ICQ > 752822040

    THANK YOU

    ReplyDelete
  5. doron24 April 2021 at 03:26

    i was lost with no hope for my wife was cheating and had always got away with it because i did not know how or

    always too scared to pin anything on her. with the help a friend who recommended me to who help hack her phone,

    email, chat, sms and expose her for a cheater she is. I just want to say a big thank you to

    SUPERIOR.HACK@GMAIL.COM . am sure someone out there is looking for how to solve his relationship problems, you can also contact him for all sorts of hacking job..he is fast and reliable. you could also text +1 213-295-1376(whatsapp) contact and thank me later

    ReplyDelete
  6. No Name18 May 2021 at 21:09

    Hi Guy's

    Fresh & valid spammed USA SSN+Dob Leads with DL available in bulk.

    >>1$ each SSN+DOB
    >>2$ each with SSN+DOB+DL
    >>5$ each for premium (also included relative info)

    Prices are negotiable in bulk order
    Serious buyer contact me no time wasters please
    Bulk order will be preferable

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    OTHER STUFF YOU CAN GET

    SSN+DOB Fullz
    CC's with CVV's (vbv & non-vbv)
    USA Photo ID'S (Front & back)

    All type of tutorials available
    (Carding, spamming, hacking, scam page, Cash outs, dumps cash outs)

    SMTP Linux Root
    DUMPS with pins track 1 and 2
    Socks, rdp's, vpn's
    Server I.P's
    HQ Emails with passwords

    Looking for long term business
    For trust full vendor, feel free to contact

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    ReplyDelete
  7. mike26 July 2021 at 19:35

    I just have to introduce this hacker that I have been working with him on getting my credit score been boosted across the Equifax, TransUnion and Experian report. He made a lot of good changes on my credit report by erasing all the past eviction, bad collections and DUI off my credit report history and also increased my FICO score above 876 across my three credit bureaus report you can contatc him for all kind of hacks . Email him here via Email him here via hackintechnology@cyberservices.com or whatsapp Number: +1 213 295 1376.

    ReplyDelete
  8. No Name25 October 2021 at 18:26

    FULLZ AVAILABLE

    Fresh & valid spammed USA SSN+Dob Leads with DL available in bulk.

    >>1$ each SSN+DOB
    >>3$ each with SSN+DOB+DL
    >>5$ each for premium fullz (700+ credit score with replacement guarantee)

    Prices are negotiable in bulk order
    Serious buyer contact me no time wasters please
    Bulk order will be preferable

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    OTHER STUFF YOU CAN GET

    SSN+DOB Fullz
    CC's with CVV's (vbv & non-vbv)
    USA Photo ID'S (Front & back)

    All type of tutorials available
    (Carding, spamming, hacking, scam page, Cash outs, dumps cash outs)

    SMTP Linux Root
    DUMPS with pins track 1 and 2
    WU & Bank transfers
    Socks, rdp's, vpn
    Php mailer
    Sql injector
    Bitcoin cracker
    Server I.P's
    HQ Emails with passwords
    All types of tools & tutorials.. & much more

    Looking for long term business
    For trust full vendor, feel free to contact

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    ReplyDelete
  9. vstcomplex28 October 2021 at 11:39

    Excellent post. I've been browsing this blog constantly thanks for sharing

    vstcomplex
    Goodhertz Vulf Crack
    4Front TruePianos Crack
    Arturia Pigments Crack
    XSplit VCam Crack
    AMEK EQ Crack
    MusicLab RealEight Crack
    WiFi Explorer Pro Crack

    ReplyDelete
  10. Anonymous24 March 2022 at 03:25

    Hello there, as a newbie to crypto currency trading, I lost a lot of money trying to navigate the market on my own. In my search for a genuine and trusted trader, i came across Anderson Carl who guided and helped me make so much profit up to the tune of $40,000. I made my first investment with $1,000 and got a ROI of $9,400 in less than 8 days. You can contact this expert trader via email: andersoncarlassettrade@gmail.com or on WhatsApp +1(252)285-2093 and be ready to share your own testimony

    ReplyDelete
  11. QuickBooks Support12 April 2022 at 03:13

    Your blog is great. I read a lot of interesting things from it. Thank you very much for sharing. Hope you will update more news in the future. If you want to Fix Common QuickBooks Pro Errors easily please contact QuickBooks team for instant help.

    ReplyDelete
  12. Jacob2 December 2022 at 18:19

    Here We Go..

    If you are in search of legit Tools, Fullz & Tutorials for
    Hac-king, Car-ding, Sp-amming, Spying, Cyber Attacking
    We will provide you.

    @killhacks / TG/Icq
    peeterhacks / Wickr/Skype

    All tools will be genuine, verified, guaranteed
    Fullz available in bulk order
    Dumps with pins Track 101-202

    You just asked what you need
    We'll provide you stuff
    We don't do any job, just selling the stuff
    Replacement available only/N0 Refund

    C.C FULLZ
    S.S.N DOB D.L FULLZ
    HIGH.CREDIT.SCORES FULLZ
    Business EIN Fullz
    Office365 Logins/Emails Leads
    C-panels/Shells/SMTP's/Rdp's/Brute's
    Mailers/Senders/SMS Sender/Bulk Email Senders
    Key-Logger's/VPN's/RAT's/Viruses
    BTC Cracker/Flasher
    Kali.Linux Master Class With Complete Guide
    FB/WA H-ack-ing Tutorials/Tips/Tricks
    Sever Pene-tra-tion/SQLi Injector
    I.p's/Combos/Proxies
    PayPal/Coinbase/Amazon/Netflix/E-bay/Spotify Logins
    C-rackers/Extractors
    Fr**d B***e 2021/2022
    E.T.C

    @killhacks / TG/Icq
    peeterhacks / Wickr/Skype

    You can asked whatever you want
    We will fulfil your demands
    Just Try Our services

    ReplyDelete

Post a Comment

Popular posts from this blog

VIrtual Machine Detection Techniques

This post will cover techniques that can be used to detect virtualized environment. Sample Analyzed - hxxps://virustotal.com/en/file/46686679e58fe4767e6796ddb27f31f3a46e4310abb6cf51b031a0181ba08ddf/analysis/ 1.VMWare Backdoor This techniques uses special I/O port to send command and get output. VMware Command Execution code In above image VMWare I/O port is 'VX' (5658h) . Command number 0x0A (get vmware version). VMware version is return in register EAX as shown below. More About VM Backdoor Port  https://sites.google.com/site/chitchatvmback/backdoor 2.VPCEXT VPCEXT instruction is used to detect presence of Virtual PC. If opcode 0F 3F b1 b2 is run outside Virtual PC, illegal instruction exception is thrown otherwise return value in ebx register is checked.If value in ebx register is 0 which means Virtual PC detected. 3.DMIDECODE Utility dmidecode is a tool for dumping a computer's DMI (some say SMBIOS ) table contents in a
Read more

Analyzing ATM Malwares

This post will explain how to analyze ATM malwares developed using middle ware CEN/XFS (extension for financial services). ATM (Automated Teller machine). The three leading ATM vendors are - 1.NCR 2.Diebold 3.Wincor The main services (peripherals) of an ATM are - 1.Card Reader 2.PinPad 3.Cash Dispenser Applications developed to interact with ATM services (peripherals) uses CEN/XFS (extension for financial services). XFS provides the API to access and manipulate the ATM peripherals from different vendors as shown in below image. CEN/XFS Application Programming interface and SDK can be downloaded from below website under Published CWA's. https://www.cen.eu/work/areas/ICT/eBusiness/Pages/WS-XFS.aspx Apart from CEN/XFS Application Programming interface and SDK other important guides as mentioned below and can be download from above mentioned website. 1.Service Class Definition - Programmer's Reference 2.Identification Card Device Class Interface - Programmer&
Read more

Debugging MBR : IDA Pro and Bochs Emulator

This post will explain how to setup Bochs Emulator to debug MBR. I will be taking NotPetya\Petya ransomware MBR as an example. Take dump of Physical Drive whose MBR is overwritten by NotPetya\Petya ransomware by its malicious MBR. dd utility for windows can be used for this purpose.Command to dump the disk is as shown below. dd.exe if=\\?\Device\Harddisk0\DR0 of=<output file path> bs=512k --size --progress if = input file of = output file bs = read and write bytes at a time Configuring Bochs Emulator. Go to installation directory of Bochs Emulator and open file bochsrc and provide below information. 1.Disk Geometry 2.Boot Drive Disk Geometry setting contain Cylinder,Head and Sector (CHS) value of disk. # ATA controller for hard disks and cdroms ata0-master: type=disk, path="winxp0.img", mode=flat, cylinders=124830, heads=16, spt=63 where path is dump of disk taken using dd utility. Boot Drive setting contain bootable drive type. # BOOT: # This de
Read more

FireEye FLARE CTF 2017 : APK Challenge 8

The challenge required decrypting passwords in order to form AES key to decrypt the flag bytes. On decompiling flair.apk file we can see four classes for which we need to decrypt passwords. 1.Michael Class  It was pretty simple password comparison.The password is  MYPRSHE__FTW . 2. Brian Class Password is formed as shown below. String.format("%s_%s%x_%s!", new Object[]{t, y, Integer.valueOf(p), c}); t = (ImageView) findViewById(R.id.pfdu).getTag().toString() y = getApplicationContext().getPackageManager().getApplicationInfo(getApplicationContext().getPackageName(), 128).metaData.getString("vdf") p = (TextView) findViewById(R.id.vcxv).getCurrentTextColor() & SupportMenu.USER_MASK; c = (TextView) findViewById(R.id.vcxv).getText().toString().split(" ")[4]; The Password is  hashtag_covfefe_Fajitas! . 3.Milton Class The password is formed by decrypting a string and taking SHA1 of the decrypted string. Decryption algorithm
Read more

Samsung CTF : Chicken or Egg Reversing Challenge

 The CTF is over but i really enjoyed solving the challenge (https://sctf.codeground.org/ctf/prob).The challenge is to decrypt flag.enc. This is another APK + JNI (Java Native Interface) kind of challenge similar to the one in Google CTF 2017 (http://shasaurabh.blogspot.com/2017/07/google-ctf-2017-android-re-challenge.html). Challenge can be divided into three parts. 1.Android application (application) loading Native Library 2.Native Library decrypts DEX file in memory. 3.Using Reflection to call methods of decrypted DEX file in step 2. 1. Android application loading Native Library OnClick() method of MainActivity class calls constructor of Crypt class. Calling constructor of Crypt class results in loading of Native library ( libegg.so ) which is ELF for ARM. Constructor of Crypt class calls crackEgg method implemented in native library. 2.Native Library decrypts DEX file in memory. The native library reads the encrypted DEX file stored in asset fo
Read more

FireEye FLARE CTF 2017 : PEWPEWBOAT Challenge 5

The challenge is about selecting correct coordinates on to the map and advancing to the next stage to get flag. As we advance to next stage, the game print some metadata. After debugging the binary, the logic to calculate co-ordinate can be rewritten. Below is the python implementation of calculating co-ordinate and decrypting metadata for each stage. import binascii key = 0x3B1EE5F6B3D99FF7                #initial key to decrypt metadata. offset = 0x50E0                         #offset of metadata in binary f = open('pewpewboat.exe','rb') for i in range(0,11):     stage = i     v = ((i << 3) + i) << 6     f.seek(offset + v)     mask = '0x'     temp = '0x'     res = []     metadata = []     for i in range(0,0x240):         key = ((key * 0x41c64e6d) + 0x3039) & 0xFFFFFFFFFFFFFFFF         c = binascii.hexlify(f.read(1))         c = int(c,16)         c = c ^ (key & 0xFF)         metadata.append(chr(c))      
Read more

Memory Forensics : Tracking Process Injection

This post describe about process memory internals which allow us to track process injections. Example used below is recent Brazil Malspam (hxxp://malware-traffic-analysis.net/2017/07/07/index.html) which inject DLL  fltLib.dll into process notepad.exe. Attach kernel debugger to infected machine and get information about notepad.exe  Process   object. Process object is represented by EPROCESS structure. VAD (Virtual Address Descriptors) is member of EPROCESS  structure and describes the layout of process memory segments. VADs contain the names of memory-mapped files, the total number of pages in the region, the initial protection (read, write, execute), and several other flags that can tell you a lot about what type of data the regions contain. VAD is a self balancing tree and each node in tree represent one range in process virtual memory.Each node has child in the form of left and right node.A node is represented using MMADDRESS_NODE structure. Listing all V
Read more

DoublePulsar Backdoor

This post explains DoublePulsar Backdoor and how WannaCry Ransomware uses it to spread Itself. EternalBlue Installing DoublePulasr Backdoor EternalBlue exploits vulnerability in SMB protocol and execute shell code.Offset of shell code in EternalBlue binary that is present in shadow broker dump. Shellcode finds address of srv.sys (SMB Driver) and replace address of srv!SrvTransactionNotImplemented function in srv!SrvTransaction2DispatchTable with its own function address as shown below. Offset of function code in EternalBlue binary which replaces srv!SrvTransactionNotImplemented function address in srv!SrvTransaction2DispatchTable . Before overwriting srv!SrvTransactionNotImplemented function in srv!SrvTransaction2DispatchTable with  its own function address shell code allocates memory using ExAllocatePool API and write function bytes. Function code is stored at 0x48 offset from memory address re
Read more

Google CTF 2017 : Android RE Challenge

The challenge was consist of three parts. 1.Android application loading native library (ARM or x86) depending on platform. 2.Native library drops a dex file and dynamically loads it. 3.Native library modify bytes (in memory) of loaded dex file in step2. 1.Android application loading native library Decompiling food.apk file using JADX (Dex to Java decompiler) and looking at AndroidManifiest.xml we see activity is implemented in FoodActivity class. Looking at FoodActivity class it only loads the native library cook .The argument to System.loadLibrary is a library name chosen arbitrarily by the programmer. The system follows a standard, but platform-specific, approach to convert the library name to a native library name. For example, a Solaris system converts the name cook to libcook.so , while a Win32 system converts the same cook name to cook.dll . 2.Attaching to libcook.so . We will be using IDA Pro.Refer to http://www.hexblog.com/?p=809 for how to attach to nati
Read more