RegView – Exploring hidden windows registry data

A long time ago I came across Trojan.Poweliks. Its low detection rate, fileless nature and interesting persistence mechanism made me wonder: "is there a freely available tool that can display hidden registry values?"

Tremendous research has been performed by Symantec Security Response; if you want to get familiar with this threat, you absolutely must read it:

The evolution of the fileless click-fraud malware Poweliks
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf


At the time the question remained open, so I decided to get my hands dirty and tried the following free tools:

    • Windows RegEdit -> Failed to display hidden data (key export failed as well)
    • ntRegedit -> Failed to display hidden data
    • SpyBot's RegAnalyzer -> Failed to display hidden data
    • Autoruns -> Displayed the data partially

Script code (python-registry, reading an offline NTUSER.DAT hive):

import sys
from Registry import Registry   # python-registry

HiveFile = "NTUSER.DAT"
# Backslashes must be doubled: a single "\R" is not a valid Python escape
RegKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
RegistryHiveHandle = open(HiveFile, "rb")
reg = Registry.Registry(RegistryHiveHandle)

print("Hive:        ", HiveFile)
print("Key:         ", RegKey)
try:
    key = reg.open(RegKey)
except Registry.RegistryKeyNotFoundException:
    print("Couldn't open key. Exiting...")
    sys.exit(-1)
print("Modified:    ", key.timestamp())
# Print every value of the key; hidden (NUL-prefixed) names are part of the hive data
for value in key.values():
    print(" - Value: [", value.name(), "]", " ---> [", value.value(), "]", sep="")


Finally I got an even crazier idea: since I didn't have much C++ knowledge, I realized it was a very good moment to gain some by developing the tool I needed.

That was the birth of RegView (a registry viewer by Witold ;-)). The details are below:

RegView is a command-line tool written in C/C++ that calls the native registry functions exported by ntdll.dll (the Nt* API) instead of the Win32 advapi32 wrappers. The native API returns key and value names as counted UNICODE_STRING buffers rather than NUL-terminated strings, which is why a name containing an embedded NUL character, like the one Poweliks uses, can be read and displayed in full. RegView retrieves information from the live (online) Windows registry, including hidden values and keys with non-printable names.

It can be useful when troubleshooting a malware infection or during live forensics.

It supports:

- The following registry types: REG_SZ, REG_MULTI_SZ, REG_EXPAND_SZ, REG_DWORD, REG_QWORD, REG_BINARY
- Hidden registry values (not visible in Windows RegEdit)
- Hidden registry keys (incorrectly displayed and not accessible in Windows RegEdit)
- Sub-key enumeration
- Removal of a registry key (including sub-keys and hidden keys/values)
- Export of registry keys containing hidden values or non-printable key names

Usage (IMPORTANT)
- Run RegView from the command line with the appropriate parameters.

Parameters:

/h Print help
-k <HKEY> Registry key to enumerate
/d Remove the specified key (with sub-keys); /s gets enabled automatically and "ACTION: DeleteKey!" appears in the output
/u Print value data as Unicode hex (REG_SZ only)
/s Print sub-keys recursively
/v Print sub-keys' values
/t Print execution time (start time, end time)

Example (taken from a machine infected with Trojan.Poweliks):

RegView /s /v -k "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" > ConsoleOutput.txt

Output Format:

SubKeys:
 [LastWriteTime], [NT KeyPath], [KeyName: size in bytes], [KeyName], [KeyName in hex], [SubKeys Num], [Values Num]
Values:
 [ValueType], [ValueName: size in bytes], [ValueName], [ValueName in hex], [ValueData size in bytes], [DataValue], [ValueData in hex]
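As an added example (not RegView's own code, which this page does not publish), the following Python script reproduces the approach described above and prints in the same layout as the output format: it opens a key with NtOpenKey using an NT-native path, enumerates sub-keys and values with NtEnumerateKey / NtEnumerateValueKey from ntdll.dll, and keeps the counted name length so that a name with an embedded NUL is shown in full and in hex, where a Win32-based tool would stop at the NUL. The structure layouts and constants are those of the documented native API; the default path, the \uXXXX escaping of non-printable characters and the exact column layout are my assumptions. The ntdll part runs only on Windows; the formatting helpers run anywhere.

```python
import ctypes
import datetime
import struct
import sys

# NTSTATUS codes, access rights and information classes from the Windows native API documentation
STATUS_NO_MORE_ENTRIES, STATUS_BUFFER_OVERFLOW, STATUS_BUFFER_TOO_SMALL = 0x8000001A, 0x80000005, 0xC0000023
OBJ_CASE_INSENSITIVE, KEY_READ = 0x40, 0x20019
KEY_BASIC_INFORMATION = 0        # LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG NameLength; WCHAR Name[]
KEY_VALUE_FULL_INFORMATION = 1   # ULONG TitleIndex, Type, DataOffset, DataLength, NameLength; WCHAR Name[]
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 3, 4, 7, 11
TYPE_NAMES = {REG_SZ: "REG_SZ", REG_EXPAND_SZ: "REG_EXPAND_SZ", REG_BINARY: "REG_BINARY",
              REG_DWORD: "REG_DWORD", REG_MULTI_SZ: "REG_MULTI_SZ", REG_QWORD: "REG_QWORD"}

class UNICODE_STRING(ctypes.Structure):   # counted: Length is in bytes, an embedded NUL does not end it
    _fields_ = [("Length", ctypes.c_ushort), ("MaximumLength", ctypes.c_ushort), ("Buffer", ctypes.c_wchar_p)]

class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ulong), ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)), ("Attributes", ctypes.c_ulong),
                ("SecurityDescriptor", ctypes.c_void_p), ("SecurityQualityOfService", ctypes.c_void_p)]

def printable(text):
    """Escape non-printable characters (e.g. the NUL in a hidden key name) as \\uXXXX (assumed notation)."""
    return "".join(ch if ch.isprintable() else "\\u%04x" % ord(ch) for ch in text)

def filetime_to_str(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> 'YYYY-MM-DD HH:MM:SS'."""
    return (datetime.datetime(1601, 1, 1) + datetime.timedelta(microseconds=filetime // 10)).strftime("%Y-%m-%d %H:%M:%S")

def decode_data(vtype, raw):
    """Render value data by registry type; REG_BINARY and unknown types fall back to hex."""
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return printable(raw.decode("utf-16-le", errors="replace").rstrip("\x00"))
    if vtype == REG_MULTI_SZ:
        return printable(" | ".join(raw.decode("utf-16-le", errors="replace").rstrip("\x00").split("\x00")))
    if vtype == REG_DWORD and len(raw) == 4:
        return "0x%08x" % struct.unpack("<I", raw)[0]
    if vtype == REG_QWORD and len(raw) == 8:
        return "0x%016x" % struct.unpack("<Q", raw)[0]
    return raw.hex()

def format_subkey(last_write, raw_name):
    """[LastWriteTime], [KeyName size], [KeyName], [KeyName in hex]"""
    name = printable(raw_name.decode("utf-16-le", errors="replace"))
    return "[%s], [%d], [%s], [%s]" % (filetime_to_str(last_write), len(raw_name), name, raw_name.hex())

def format_value(vtype, raw_name, raw_data):
    """[ValueType], [ValueName size], [ValueName], [ValueName in hex], [Data size], [Data], [Data in hex]"""
    name = printable(raw_name.decode("utf-16-le", errors="replace"))
    return "[%s], [%d], [%s], [%s], [%d], [%s], [%s]" % (TYPE_NAMES.get(vtype, "type %d" % vtype), len(raw_name),
                                                         name, raw_name.hex(), len(raw_data), decode_data(vtype, raw_data), raw_data.hex())

def _query(fn, *args):
    """Call an Nt*Enumerate* function with a growing output buffer; returns None once the index is exhausted."""
    size = 4096
    while True:
        buf, needed = ctypes.create_string_buffer(size), ctypes.c_ulong(0)
        status = fn(*args, buf, size, ctypes.byref(needed)) & 0xFFFFFFFF
        if status == STATUS_NO_MORE_ENTRIES:
            return None
        if status in (STATUS_BUFFER_OVERFLOW, STATUS_BUFFER_TOO_SMALL):
            size = needed.value        # a large value (e.g. a Poweliks payload) is re-read, not truncated
            continue
        if status >= 0x80000000:
            raise OSError("NTSTATUS 0x%08X" % status)
        return buf.raw[:needed.value]

def enumerate_key(nt_path):
    """Open an NT-native key path (Windows only) and return ([(FILETIME, raw_name)], [(type, raw_name, raw_data)])."""
    ntdll = ctypes.WinDLL("ntdll")
    for fn in ("NtOpenKey", "NtEnumerateKey", "NtEnumerateValueKey", "NtClose"):
        getattr(ntdll, fn).restype = ctypes.c_long       # NTSTATUS is a signed 32-bit value
    ustr = UNICODE_STRING(len(nt_path) * 2, (len(nt_path) + 1) * 2, nt_path)
    attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None, ctypes.pointer(ustr), OBJ_CASE_INSENSITIVE, None, None)
    handle = ctypes.c_void_p()
    status = ntdll.NtOpenKey(ctypes.byref(handle), KEY_READ, ctypes.byref(attrs)) & 0xFFFFFFFF
    if status >= 0x80000000:
        raise OSError("NtOpenKey(%s) failed: NTSTATUS 0x%08X" % (nt_path, status))
    subkeys, values, index = [], [], 0
    try:
        while (info := _query(ntdll.NtEnumerateKey, handle, index, KEY_BASIC_INFORMATION)) is not None:
            last_write, _title, name_len = struct.unpack_from("<qII", info, 0)
            subkeys.append((last_write, info[16:16 + name_len]))   # raw name keeps any embedded NUL
            index += 1
        index = 0
        while (info := _query(ntdll.NtEnumerateValueKey, handle, index, KEY_VALUE_FULL_INFORMATION)) is not None:
            _title, vtype, data_off, data_len, name_len = struct.unpack_from("<5I", info, 0)
            values.append((vtype, info[20:20 + name_len], info[data_off:data_off + data_len]))
            index += 1
    finally:
        ntdll.NtClose(handle)
    return subkeys, values

if __name__ == "__main__":   # assumed default: the HKLM Run key; HKCU is \Registry\User\<SID>\...
    path = sys.argv[1] if len(sys.argv) > 1 else r"\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Run"
    subkeys, values = enumerate_key(path)
    print("SubKeys:\n" + "\n".join(" " + format_subkey(t, n) for t, n in subkeys))
    print("Values:\n" + "\n".join(" " + format_value(t, n, d) for t, n, d in values))
```

HKEY_LOCAL_MACHINE maps to \Registry\Machine and HKEY_CURRENT_USER to \Registry\User\<SID of the current user>, so for the Poweliks example above you would pass \Registry\User\<SID>\Software\Microsoft\Windows\CurrentVersion\Run. Because the name is taken from the NameLength field rather than from a NUL-terminated string, a key or value whose name starts with a NUL shows up as \u0000 followed by the rest of the name, and the hex column reproduces the exact bytes.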


Changelog 1.6.0.0:

– Change: added support for the following registry types: REG_MULTI_SZ, REG_EXPAND_SZ, REG_DWORD, REG_QWORD, REG_BINARY
– Some old code clean-up
– New parameter "/t": print execution time

Planned enhancement requests:

– "/d" should support the hex form of the key name (for non-printable key names),
  like "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\/u0001/u0000/u0001"
– A parameter that controls the number of items displayed
– Create RegView.dll 😉
– Option to enumerate registry keys within other user profiles
– Handle offline registry hives

Regards,
Witold Lawacz