4 replies to this topic

[friendlycow]

I think we have all read about some malware using hidden registry keys by either

• Having non ASCII character in key name
• Null byte at beginning of key name

 

So decided to finally test this out and got some (non)interesting results. First threw threw some non-ASCII stuff in an unsigned byte array, and then casted to PWSTR at time of calling RegCreateKeyW. For example:

Please Login or Register to see this Hidden Content

From my reading I expected regedit to not properly display, but instead worked fine lawl... Then tried putting null in beginning 

Please Login or Register to see this Hidden Content

This instead gives me runtime failure of call to RegKeyCreate, basically it says the reg key name is invalid. So how is it possible to create a key with null byte in beginning? Or perhaps researchers I read were just being ambiguous with language and meant that key value was hidden using this method... but

Please Login or Register to see this Hidden Content

makes me think otherwise.

 

Could someone clear this up for me, maybe I am missing something stupid and simple lol? Also should be noted tried this on win8.1 + 7, just to make sure it wasn't just my win8.1 that was able to display the key.

Edited by friendlycow, 01 March 2016 - 04:15 AM.

[ng-Coder]

You can create hidden registry keys with Nt native functions because of the way Unicode string works, not with high level functions like in Kernel32 which will check your string before converting it to Unicode.

[friendlycow]

ng-Coder, on 01 Mar 2016 - 2:45 PM, said:

You can create hidden registry keys with Nt native functions because of the way Unicode string works, not with high level functions like in Kernel32 which will check your string before converting it to Unicode.

 

Ahhh ok I will give this a try, makes sense. Thanks

[optyczny]

By the way, isnt this detected by AV ?

[Tigerass]

I'll leave this here.

Please Login or Register to see this Hidden Content