I think we have all read about some malware using hidden registry keys by either
- Having non ASCII character in key name
- Null byte at beginning of key name
So decided to finally test this out and got some (non)interesting results. First threw threw some non-ASCII stuff in an unsigned byte array, and then casted to PWSTR at time of calling RegCreateKeyW. For example:
From my reading I expected regedit to not properly display, but instead worked fine lawl... Then tried putting null in beginning
This instead gives me runtime failure of call to RegKeyCreate, basically it says the reg key name is invalid. So how is it possible to create a key with null byte in beginning? Or perhaps researchers I read were just being ambiguous with language and meant that key value was hidden using this method... butmakes me think otherwise.
Could someone clear this up for me, maybe I am missing something stupid and simple lol? Also should be noted tried this on win8.1 + 7, just to make sure it wasn't just my win8.1 that was able to display the key.
Edited by friendlycow, 01 March 2016 - 04:15 AM.