Tuesday, March 11, 2014

Anti-Forensics Part 1 (Hiding Files in the Registry)

This semester, I’ve been teaching a class on Anti-Forensics, a collection of techniques designed to make life difficult for a forensic investigator. As it turns out, the Windows registry is a great place to hide data. While it’s stored in plain sight, the registry is such an enormous, convoluted mess that finding a value stored in an arbitrary place would be just like looking for a needle in a haystack. You could store notes to other people, account numbers, passwords or any number of other pieces of data. You can see the registry editor below, with the New menu: a key is like a folder in which you collect a number of values. Those values can be strings, numbers stored as double words or quad words, collections of strings, or simply binary data.

[Screenshot: Registry Editor with the New menu open, showing the key and value types that can be created]


We started down the road of talking about different things you could store in the registry one class period. Once you start thinking about binary data, it’s nearly irresistible to think about stuffing files, particularly executable program files, into a registry key somewhere. There are challenges with using the registry editor to do this, however. You can’t just open an executable file in a hexadecimal editor, copy the contents of the file and paste the data into a binary value. When you create a binary value and go to enter data into it, you get a dialog box where you can type hexadecimal, but you can’t paste: none of the usual pasting techniques (Ctrl-V, right-click and select Paste, and so forth) work. However, there are application programming interfaces (APIs) that give us access to the registry. The challenge is then to write a program that will take any file as input and stuff it into the registry. I took up the challenge in two programming languages. The first was C#; why not use Microsoft’s own language to get at a Microsoft feature? I ran into creeping featurism, however, and though I currently have a working version, I don’t consider it complete at this point. The second language was Python. You can see the proof of concept script below. It can be used to store any file into a registry key.

 

#  File: reghide.py
#  Author: Ric Messier
#  Description: This program could be used to hide files inside a registry key.
#  While we assume that the key created will be in HKEY_CURRENT_USER\Software,
#  it could be anywhere and this script could be edited to reflect that or I
#  could also extend it to make that flexible as well
#  Copyright:  2014, WasHere Consulting, Inc.

import _winreg
import sys, os
import argparse

# get arguments
argParser = argparse.ArgumentParser()
argParser.add_argument('-f', type=str, help='the file you want to store', required=True)
argParser.add_argument('-v', type=str, help='the name of the value to use', required=True)
argParser.add_argument('-k', type=str, help='the name of the key to use', required=True)

passedArgs = vars(argParser.parse_args())

keyName = passedArgs['k']
baseName = passedArgs['v']
fileName = passedArgs['f']

key = _winreg.CreateKey(_winreg.HKEY_CURRENT_USER, "Software\\" + keyName)

#  set the extension to the base value name to 1. This will increase based on the number
#  of chunks read in
currValue = 1

#  open the file specified with a bunch of exception handling. The file is opened in
#  binary mode ('rb') so that Windows does not translate line endings inside executables.
try:
    with open(fileName, 'rb') as fileHandle:
        #  going to read in 1024 byte chunks
        dataChunk = fileHandle.read(1024)
        while dataChunk:
            #  create a value name from the base name and then a zero filled number
            #  appended to it to create unique value names
            valName = baseName + str(currValue).zfill(6)
            #  set the value in the registry
            _winreg.SetValueEx(key, valName, 0, _winreg.REG_BINARY, dataChunk)
            #  read another chunk in
            dataChunk = fileHandle.read(1024)
            currValue = currValue + 1
except IOError as err:
    print("I/O error: {0}".format(err))
except:
    print("Unexpected error: {0}".format(sys.exc_info()[0]))
finally:
    #  release the key handle whether or not the copy succeeded
    _winreg.CloseKey(key)

Fair warning: stuffing very large files into your registry may have unexpected consequences. The Python script splits the data into 1024-byte chunks, so you end up with a series of values, one per chunk, each holding a piece of the file. You can see some of what that looks like below.

[Screenshot: the registry values created by reghide.py, one REG_BINARY value per 1024-byte chunk]


The one thing missing from this scenario, of course, is a way to extract the file once it’s been stuffed into the registry. That is a project for another day, and it will probably add some overhead to the hiding program. It may be useful to store the filename as well, so that when you extract the data you don’t have to prompt for a new filename: the filename would already be in the registry alongside all of the bytes from the file, and extraction would just read the name back and associate it with the data.
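The extraction step the paragraph above leaves open is also exactly what an examiner needs in order to find and recover a file hidden this way. The following is an added example, not part of the original post and not the author's code. It assumes the naming scheme of reghide.py (base name plus a six-digit, zero-padded counter starting at 1, in REG_BINARY values of 1024 bytes), groups such values by base name, checks that the counter sequence is contiguous and that only the last chunk is short, reassembles the payload, and reports its size, SHA-256 and whether it starts with the "MZ" signature of a Windows executable. The analysis functions are platform-independent and run against a constructed in-memory sample; the helper names and the `collect_key_values` live collector (which assumes the standard-library `winreg` module on Windows) are this example's own.

```python
import hashlib
import re
from collections import defaultdict

# winreg.REG_BINARY is 3; defined here so the analysis runs off-box (e.g. against
# values exported from a hive) without importing winreg.
REG_BINARY = 3

# Naming scheme used by reghide.py: <base name> followed by a six-digit,
# zero-padded counter that starts at 1.
CHUNK_NAME = re.compile(r"^(?P<base>.+?)(?P<idx>\d{6})$")


def find_chunk_runs(values):
    """Group one key's REG_BINARY values by base name.

    values: iterable of (value_name, value_type, data) tuples.
    Returns {base_name: {counter: bytes}} for values that fit the scheme.
    """
    runs = defaultdict(dict)
    for name, vtype, data in values:
        if vtype != REG_BINARY:
            continue  # strings, DWORDs etc. cannot be chunks of a hidden file
        match = CHUNK_NAME.match(name)
        if match:
            runs[match.group("base")][int(match.group("idx"))] = bytes(data)
    return dict(runs)


def reassemble(chunks, chunk_size=1024):
    """Rebuild the payload from {counter: bytes}. Returns (payload, problems).

    problems lists what should make an examiner distrust the result: a counter
    sequence that does not run 1..n without gaps, or a non-final chunk that is
    not exactly chunk_size bytes (only the last chunk may be short).
    """
    problems = []
    indices = sorted(chunks)
    if indices != list(range(1, len(indices) + 1)):
        problems.append("non-contiguous counter sequence: %s" % indices)
    for i in indices[:-1]:
        if len(chunks[i]) != chunk_size:
            problems.append("chunk %d is %d bytes, expected %d" % (i, len(chunks[i]), chunk_size))
    return b"".join(chunks[i] for i in indices), problems


def describe(payload):
    """Size, a hash for cross-referencing, and a cheap check for a PE header."""
    return {
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "looks_like_pe": payload[:2] == b"MZ",
    }


def scan_key_values(values, chunk_size=1024):
    """Run the whole pipeline over one key's values; returns a list of findings."""
    findings = []
    for base, chunks in find_chunk_runs(values).items():
        payload, problems = reassemble(chunks, chunk_size)
        finding = describe(payload)
        finding.update({"base": base, "chunks": len(chunks), "problems": problems})
        findings.append(finding)
    return findings


def collect_key_values(subkey):
    """Live collector for a Windows machine (assumes the standard-library winreg).

    Enumerates every value under HKEY_CURRENT_USER\\<subkey> into the tuple shape
    the functions above expect, so the analysis itself never needs a registry.
    """
    import winreg  # only available on Windows
    collected = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        index = 0
        while True:
            try:
                name, data, vtype = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under this key
            collected.append((name, vtype, data))
            index += 1
    return collected


def constructed_sample():
    """Constructed stand-in for a key written by reghide.py: a 2309-byte fake
    "executable" (starts with MZ) split into 1024-byte chunks, plus a decoy REG_SZ."""
    fake_file = b"MZ" + bytes(range(256)) * 9 + b"END"
    values = [("InstallPath", 1, "C:\\Example")]  # REG_SZ, must be ignored
    for offset in range(0, len(fake_file), 1024):
        counter = offset // 1024 + 1
        values.append(("notes" + str(counter).zfill(6), REG_BINARY, fake_file[offset:offset + 1024]))
    return fake_file, values


if __name__ == "__main__":
    original, sample_values = constructed_sample()
    for finding in scan_key_values(sample_values):
        print(finding)
```

On a live system you would feed `collect_key_values("Software\\SomeKey")` into `scan_key_values` and compare the reported SHA-256 against known-file databases; the `problems` list is what tells you whether the recovered bytes can be trusted as a faithful copy or whether chunks were removed or altered after the file was hidden.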
