RegDefend VS Hidden Keys

Discussion in 'Ghost Security Suite (GSS)' started by kareldjag, Mar 15, 2005.

Thread Status:
Not open for further replies.
  1. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    On my first post about RegDefend, i've mentioned protection against hidden keys.
    So i've tested RegDefend against this kind of methods used by rootkits for instance.

    The test tool is RegHide by Sysinternals:

    http://www.sysinternals.com/ntw2k/info/tips.shtml#registryhidden

    RegHide creates a hidden key in the HKLM_Software group.

    During the test, i've monitored all changes with InstallSpy (a monotoring free soft).

    I've added the HKLM_Software group to the rules with different configurations:

    *block,
    *ask user .

    Conclusion: RegDefend has a real and efficiency protection against hidden keys:

    *RegHide was able to create the key (Systems Internals\Can't touch me):

    -With the "ask user" rule, and "allow" answer to the RegDefend's pop up box .

    *RegHide was not able to create the keys in all the others case:

    -"block" rule,
    -"ask user" rule and "block" answer to the pop up box.

    To be objective, there's many monitoring softs (free or paid) which have not a real and efficiency prevetion protection of the registry (prevent=block, not only monitor and detect).

    In this case, RegDefend, as RegRun, is an efficiency program which protects against advanced attacks .

    But just some little remarks (or whishes) :

    *Why RegDefend is not already pre-rules configured?

    If Wilders members are well informed about computer's security, it's not the case of John Doe, Monsieur Dupont, our friends or family's members.
    Three rules with different level (low, medium, high security) could be interesting for newbies and classicals users.

    *For more security, hashes values to authenticate the registry could also be interesting.
    MD5 is enough, SHA-1 can be more secure but also too slow and too long.




    Regards
     
  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    RegDefend pop up box:
     

    Attached Files:

  3. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    About the RegHide pop up box:
     

    Attached Files:

  4. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    And here the second RegHide Pop up:
     

    Attached Files:

  5. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Here the html report of InstallSpy with the "allow" answer to the RegDefend's pop up box:
     

    Attached Files:

  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Thanx Kareldjag for this indepth testing against hidden regkeys!!!

    it seems :) that regdefend is doing what it is supposed to do, protect the registry.
     
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Good tests, french mate ;)

    These tests should be added to RegTest IMHO, it shows the strength of RegDefend.
     
  8. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Great detailed testing Kareldjag :)....nice one.

    Regards,
    Jade.
     
  9. docfleetwood

    docfleetwood Registered Member

    Joined:
    Apr 6, 2004
    Posts:
    36
    Nice job on the testing but I don't quite understand. You added the registry key to regdefend that you already knew the software was trying to 'infect' and then it detected it. I would certainly hope so. The problem is that typically a program trying to add a hidden registry item won't be kind enough to tell you where it is going to put it so perhaps regdefend could warn against any hidden keys being installed anywhere? Or are there good reasons for hidden registry keys?
     
  10. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    The key being added contains a NULL character and the Win32 API's that most programs use treat the NULL as the "end of string"

    Seeing as the key name actually contains the NULL then all programs that use the Win32 API's won't be able to touch it because they are truncating the name

    Probably the most interesting part of the "demo" pictures is that it highlights the lack of information being shown in the popup boxes...
     
  11. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Yes kareldjag, thank you for that interesting test. Also, I think docfleetwood has an interesting point. Perhaps RD should have a global option to ask approval for (block??) the insertion of any key or value whose name contains a NULL (or any non-printable character?). I suspect such keys are frequently used for time-limited software trials, but it would be nice to know what untouchable remnants will be left behind. More importantly, I wouldn't want such a key/value to be inserted anywhere in the registry without some sense of a good reason for it.
     
  12. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Jason,
    I'll second that request - it fits the bill of being generic and easy to monitor for the creation of such keys (and values)...

    I'm still hoping that we will be able to represent NULL's when we are constructing patterns containing wildcards.... that way we can detect the existing ones if we are really keen
     
  13. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Thanks for the Belgian/French/Aussie/American feedbacks. ;)

    *Docfleetwood

    I think that many members on this forum have already add the HKLM\Software Group to their rules!
    The problem is that RegDefend has only 2 specific rules by default (statup in particular).

    If i run the test with default's rules, RegDefend will surely fail.

    As i said in my post, it's not a problem for the ones who are well informed about malwares methods.
    But the newbie or the classical user may not add this rule to his configuration.

    That's why i've suggested diiferent level of rules by default available in RegDefend's options.

    In all case, how could you see if RegDefend has or not the ability to block this key (Systems Internals\Can't touch me) if you don't add the HKLM\Software registry group to your rules?

    *As it 's said on the Sysinternals link this kind of value name includes "0" character as a part of the name.
    I've also monitored the API calls used by RegHide (see the images).

    And as said Gottadoit, the RegDefend's pop up box doesn't show exactly the name of the key (the installSpy report too).
    If we allow the installation of the hidden key, we will not be able to see it (or to touch it) with RegEdit or RegDatXP: the value name is really hidden!

    Regards
     

    Attached Files:

  14. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    API calls of RegHide.exe:
     

    Attached Files:

  15. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Other API details:
     

    Attached Files:

  16. docfleetwood

    docfleetwood Registered Member

    Joined:
    Apr 6, 2004
    Posts:
    36
    Does anyone know of a free registry editor that does allow you to see hidden keys?
     
Thread Status:
Not open for further replies.