RegHide still finds a problem

Discussion in 'Ghost Security Suite (GSS)' started by earth1, Apr 14, 2005.

Thread Status:
Not open for further replies.
  1. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Congratulations Jason, RegDefend v1.200 feels much improved! Unfortunately, though, the bug fix that you thought would address my issue with RegHide (originally attributed as A Problem with Hidden Keys) did not seem to help. Since my original thread started from a wrong premise (not related to hidden keys), I'm hoping a new thread will help simplify and highlight the issue.

    Again, I started by creating a group of rules (attached as RegHide.ghst.txt) to intercept every action taken by RegHide. The RegHide executable (and 'C' source code) are available from sysInternals.

    Activate the new rules, and the problem is most easily observed by running RegHide from two slightly different starting points. In "Scenario A" (below) every appropriate alert is reported correctly, but in "Scenario B" one of the alerts reported in 'A' does not get reported (although it should).

    .. Scenario A: The key "HKLM\SOFTWARE\Systems Internals" already exists.
    .. Scenario B: The key "HKLM\SOFTWARE\Systems Internals" needs to be created.

    The actual sequence of alerts for 'A' is correct as follows:
    A_1) CREATE Key..: HKLM\SOFTWARE\Systems Internals\Can't Touch Me!
    A_2) MODIFY Value: HKLM\SOFTWARE\Systems Internals\Can't Touch Me!\\hidden value
    A_3) DELETE Key..: HKLM\SOFTWARE\Systems Internals\Can't Touch Me!

    The sequence of alerts for 'B' should be:
    B_1) CREATE Key..: HKLM\SOFTWARE\Systems Internals
    B_2) CREATE Key..: HKLM\SOFTWARE\Systems Internals\Can't Touch Me!
    B_3) MODIFY Value: HKLM\SOFTWARE\Systems Internals\Can't Touch Me!\\hidden value
    B_4) DELETE Key..: HKLM\SOFTWARE\Systems Internals\Can't Touch Me!

    Under Scenario B, we should see an extra key creation alert (B_1) because we ensured that the key does not exist at startup. RegDefend did perform the B_1 alert, but the B_2 alert (same as A_1) is now, mysteriously, _not_ triggered. Obviously, though, B_2 still had to occur after the B_1 alert or else B_3 would be impossible.

    I'm hoping you'll look at this because it seems, to me, a very clear cut problem.

    Thanks

    Attached Files:
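The two scenarios above amount to an expected-alert oracle: given which keys exist before RegHide runs, a monitor should raise one alert per key that actually comes into being, and the only difference between A and B is the extra parent creation. The following added example (not code from the original post, from RegHide, or from GSS/RegDefend) models that in Python and diffs the expected sequence against an observed alert log. The key names mirror the post; the log lines in `OBSERVED_B` are constructed to reproduce the reported symptom, and the model assumes each key is created by its own call, so the parent must already exist.

```python
# Added example, not part of the original thread or of GSS/RegDefend: a small
# reference model of which alerts a registry monitor should raise for the
# RegHide test sequence, plus a comparison against an observed alert log.
# Key names follow the post; the log lines below are constructed.

from typing import List, Tuple

Alert = Tuple[str, str]  # (action, path), e.g. ("CREATE Key", r"HKLM\SOFTWARE\X")

PARENT = r"HKLM\SOFTWARE\Systems Internals"
CHILD = PARENT + r"\Can't Touch Me!"
VALUE = "hidden value"


class RegistryModel:
    """Tracks which keys exist and records one alert per state change."""

    def __init__(self, existing_keys: List[str]) -> None:
        # Registry key names are case-insensitive, so compare lower-cased.
        self.keys = {k.lower() for k in existing_keys}
        self.alerts: List[Alert] = []

    def create_key(self, path: str) -> bool:
        """Create `path` if absent; return True if a new key was created.

        Assumption of this model: each key is created by its own call, so
        the parent must already exist. A monitor should alert once per key
        that actually comes into being and stay silent when an existing key
        is merely opened.
        """
        parent = path.rsplit("\\", 1)[0]
        if parent.lower() not in self.keys:
            raise FileNotFoundError(f"parent key missing: {parent}")
        if path.lower() in self.keys:
            return False  # opening an existing key: no alert
        self.keys.add(path.lower())
        self.alerts.append(("CREATE Key", path))
        return True

    def set_value(self, key: str, name: str) -> None:
        if key.lower() not in self.keys:
            raise FileNotFoundError(key)
        # The post's log shows values as key\\name; mirror that form.
        self.alerts.append(("MODIFY Value", f"{key}\\\\{name}"))

    def delete_key(self, path: str) -> None:
        if path.lower() not in self.keys:
            raise FileNotFoundError(path)
        self.keys.discard(path.lower())
        self.alerts.append(("DELETE Key", path))


def expected_alerts(parent_exists: bool) -> List[Alert]:
    """Alerts the RegHide sequence should produce in scenario A or B."""
    base = [r"HKLM\SOFTWARE"] + ([PARENT] if parent_exists else [])
    model = RegistryModel(base)
    model.create_key(PARENT)        # no-op in scenario A, alert B_1 in scenario B
    model.create_key(CHILD)         # A_1 / B_2
    model.set_value(CHILD, VALUE)   # A_2 / B_3
    model.delete_key(CHILD)         # A_3 / B_4
    return model.alerts


def parse_log(lines: List[str]) -> List[Alert]:
    """Parse alert lines of the form 'ACTION Name..: path' into tuples."""
    out: List[Alert] = []
    for line in lines:
        action, _, path = line.partition(":")
        out.append((action.rstrip(". ").strip(), path.strip()))
    return out


def missing_alerts(expected: List[Alert], observed: List[Alert]) -> List[Alert]:
    """Return the expected alerts absent from the observed sequence, in order."""
    remaining = list(observed)
    missing: List[Alert] = []
    for alert in expected:
        if alert in remaining:
            remaining.remove(alert)
        else:
            missing.append(alert)
    return missing


# Constructed sample of what a monitor reported in scenario B, reproducing the
# symptom from the post: parent creation is logged, child creation is not.
OBSERVED_B = parse_log([
    r"CREATE Key..: HKLM\SOFTWARE\Systems Internals",
    r"MODIFY Value: HKLM\SOFTWARE\Systems Internals\Can't Touch Me!\\hidden value",
    r"DELETE Key..: HKLM\SOFTWARE\Systems Internals\Can't Touch Me!",
])

if __name__ == "__main__":
    for alert in missing_alerts(expected_alerts(parent_exists=False), OBSERVED_B):
        print("missing:", *alert)
```

Running the script against the constructed scenario B log reports exactly one missing alert, the creation of the "Can't Touch Me!" key (B_2). Feeding a real monitor's log through `parse_log` and `missing_alerts` gives the same check without hand-matching lines, and the `expected_alerts(True)` sequence is what scenario A should produce.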

  2. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Could you post your logfile of these events? After you have done both tests, shut down the GUI and it should be saved to the current month, which you can then upload here.
  3. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    I just reread your results. Do you think maybe the reason you don't see the second KEY creation is because it realized it failed to make the first one, and hence doesn't bother with it? Is the key actually created?
  4. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    I was just writing an explanation of why I had no log to send, because the test would get invalidated if I block the first key creation. In order to run the test I had to allow everything. Unless there's an option to log what I allow, the best I could do is generate one log entry per run and let you piece them together. It will probably work better if you see it for yourself, but I'll do whatever seems helpful.

    EDIT: Yes, the "Can't Touch Me!" key is actually created, as is the "hidden value" beneath it.
    Last edited: Apr 14, 2005
  5. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    earth1,
    Just in case you didn't notice, I added the "log for allow" request into the wishlist thread (as well as a little bit more).