Messing around with register

In these days I’m discovering winappdbg, it’s a python module that wrap many win32 API. Why am I using this “tool”? I could take a look at Paimei and its PyDbg or Immunity Debugger with its immlib. To this choice I must thank ratsoul and swirl that, during a boring afternoon on a irc channel, when I asked to a library to hook some functions on Windows using Python, suggested me to use winappdbg. I was using pydbg but it wasn’t satisfing me due to lack of documentation.

To learn fast I’ve decided to script something. My target is the register, I want to monitor its activity to the point of view of a single process. This idea, using winappdbg, is easy. The proof:

from optparse import OptionParser
from winappdbg import Debug, EventHandler
import sys

To perform our task we need from winappdbg the classes Debug and EventHandler in particular this last class is important to hook functions.

apiHooks = {

 # Hooks for the advapi32 library
 'advapi32.dll' : [
 #  Function            Parameters
 ( 'RegCreateKeyExA'  ,   9  ),
 ( 'RegSetValueExA'   ,   6  ),
 ( 'RegOpenKeyExA'    ,   5  ),
 ( 'RegQueryValueExA' ,   6  ),
 ( 'RegDeleteKeyExA'  ,   4  )
 ]
 }

To make our hooks possible we have to specify to EventHandler what to hook and the numbers of parameters of each function. Next step is to create the functions to monitor the input and the output of our target, so:

# functions to monitor the guys above
 def pre_RegCreateKeyExA( self, event, ra, hKey, lpSubKey, Reserved,
 lpClass, dwOptions, samDesired,
 lpSecurityAttributes, phkResult,
 lpdwDisposition ):
 key = event.get_process( ).peek_string( lpSubKey )
 tid = event.get_tid( )
 print ":: Thread: " + str(tid) + " Advapi32!RegCreateKeyExA -> try to create key " + str( key )

 def post_RegCreateKeyExA( self, event, ret ):
 tid = event.get_tid( )
 if ret:
 print ":: Thread: " + str(tid) + " Advapi32!RegCreateKeyExA -> key created successfully"
 else:
 print ":: Thread: " + str(tid) + " Advapi32!RegCreateKeyExA -> key not created successfully"

and so on to all the target functions.

Once the coding part is over we have to test out our script. To this task I’ve coded two simple programs that use the functions target.

In particular these two programs block and unblock the regedit. Here I’ll post only the locker:

#define STRICT
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <stdio.h>

#define KEY "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
#define NAME "DisableRegistryTools"
#define MAX_VALUE_NAME 2000

int main( int argc, LPTSTR argv[] )
{
 HKEY key, newK;
 int flag = 0;
 LPDWORD tipo;
 DWORD mode, svalue, value, sdata, data;
 TCHAR Value[MAX_VALUE_NAME];
 DWORD size = sizeof(DWORD);

 if( RegOpenKeyEx( HKEY_CURRENT_USER, KEY, 0, KEY_ALL_ACCESS, &key ) != ERROR_SUCCESS )
 {
 printf( "- dir not open\n" );
 }
 else
 {
 printf( "- dir open\n" );
 }

 if( RegQueryValueEx( key,
 NAME,
 NULL,
 NULL,
 (BYTE*)&data,
 &sdata ) != ERROR_SUCCESS )
 {
 printf( "- key not found \n" );
 flag = 0;
 }
 else
 {
 printf( "- key found \n" );
 flag = 1;
 }

 ...

Now it’s time to see if our code run properly:

C:\Documents and Settings\mw\Desktop>SRS.py -n regLocker.exe

** Spy Register Script **
- 5A4D LAB -

:: Process regLocker.exe starts with PID: 316

:: Thread: 568 Advapi32!RegOpenKeyExA -> try to open key Software\Microsoft\Windows\CurrentVersion\Policies\System
:: Thread: 568 Advapi32!RegQueryValueExA -> try to query value DisableRegistryTools
:: Thread: 568 Advapi32!RegQueryValueExA -> try to query value DisableRegistryTools
:: Thread: 568 Advapi32!RegSetValueExA -> try to set value DisableRegistryTools
C:\Documents and Settings\mw\Desktop>

And now let’s try the unlocker

C:\Documents and Settings\mw\Desktop>SRS.py -n unlocker.exe

 ** Spy Register Script **
 - 5A4D LAB -

:: Process unlocker.exe starts with PID: 1600

:: Thread: 1988 Advapi32!RegOpenKeyExA -> try to open key Software\Microsoft\Windows\CurrentVersion\Policies\System
:: Thread: 1988 Advapi32!RegQueryValueExA -> try to query value DisableRegistryTools
:: Thread: 1988 Advapi32!RegQueryValueExA -> try to query value DisableRegistryTools
:: Thread: 1988 Advapi32!RegSetValueExA -> try to set value DisableRegistryTools
C:\Documents and Settings\mw\Desktop>

As you can see everytime a function is inovoked we log its activity and this was our goal. This post is only a brief and quick presentation of the power of winappdbg.

Try it! To download: srs.rar

Regards,

emdel

Advertisements

One thought on “Messing around with register

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s