To detect the memory resident stuff, follow the procedure outlined in "How to detect malware infection in 9 easy steps." If you review the registry keys that Autoruns inspects, you’ll have one of the most complete lists of the registry keys that malware likes to manipulate.

The following code snippet illustrates how this can be achieved. Repeat that permissions routine for every registry key you want to monitor.

Modify Values & Data In A
Registry Key

This vulnerability allows malware to hide malicious code in “autorun” entries such as the infamous HKLM\Software\Microsoft \Windows\CurrentVersion\Run. Any program or components specified in this key will be automatically run during system startup. Windows will still execute these hidden entries successfully at startup (Wesemann, 2005). Suspect may store text-based information using value type REG_BINARY. This technique however does not hide data, as tool like hex editors automatically interpret binary data into readable format (usually ASCII).

However, forensic examiner could still analyse the suspicious text at different intervals (e.g. even or odd characters position) and derive possible meaningful information from the incident context. HKCC is a symbolic link to current hardware profile configurations subkey, HKLM\SYSTEM \CurrentControlSet\Hardware Profiles\Current.

The Autoruns/ linkage will help you, but I don’t know of an easy way to automate or script the process. Simply collecting and aggregating registry key modifications is a start, at least. Then you can analyze what you’re collecting and determine how hard or easy it’s going to be to detect a malicious agent.

Using different encoding technique to store data, such as using Unicode instead of ASCII does not improve stealthiness, if suspect only uses common English characters. For instance ASNI ASCII for “pass” is 0x70 0x61 0x73 0x73. While Unicode (16-bit) encoding translate into 0x70 0x00 0x61 0x00 0x73 0x00 0x73 0x00 (Windows stores 16-bit characters in little-endian format). Examiner could easily find the word “pass” using tools that features text finding using different encoding format. Suspect may substitute the 0x00 with random binary numbers to improve stealthiness.

  • I’ve spend more time cleaning up people’s registries and file systems, many attempts of which fail entirely multiple times because of windows’ horrible task scheduling.
  • Windows has been the most patience-wearing operating system since at least since 3.x series.
  • Even a windows virtual machine I have had caused me enough grief as to trash it at least once.
  • I’m not saying you should use it, but the real hardcore Linux geeks won’t even acknowledge it’s numerous good points and the fact that there really are use cases where it’s technically superior.

If you’ve read this far, you’re already further along than most admins. Note, however, that perhaps one percent of today’s malware is memory-resident only — that is, it doesn’t write itself to permanent storage. As such, it does not modify one of the analyzed registry keys.

Windows Registry

Covering 19 different registry key sections, Autoruns is pretty thorough. Some people prefer a similar script calledSilent Runners.vbs, but I prefer Autoruns. Not only is it hosted by Microsoft, but it was created by the legendaryMark Russinovichand frequently updated by him and his team. Which registry keys among tens of thousands are useful to audit? I don’t have a complete list that would be 100 percent accurate, but the best source isMicrosoft’s Sysinternals Autorunsprogram.

If you change a key to an invalid value or you delete the wrong key, applications will not behave correctly or will not start. In the worst case, Windows itself will not be able to start. Stay up to date with InfoWorld’s newsletters for software developers, analysts, database programmers, and data scientists. You can also retrieve all the sub keys of a particular key using the GetSubKeyNames method of the RegistryKey class.

Auditing your registry can turn up telltale signs on malware infection. Here’s how to monitor the registry keys that matter using Microsoft’s Sysinternals Autoruns.

Leave a Reply

Your email address will not be published. Required fields are marked *