Monday, August 17, 2015

Size DOES matter when it comes to Registry Keys

I just LOVE when a Twitter conversation turns into a new tool! It is a perfect example of collaboration and how the community can band together to solve a need.

That happened last week when Austin's own @dnlongen read a blog post from @codereversing about hiding malware in Windows registry keys and mentioned that he first heard it from me ;-)

In the following tweets I pointed out that the majority of registry keys are below 20k, so it is easy to filter out the normal noise and find a hidden payload. I was involved in an event that had a 250k payload hidden in the HKLM\Software\Classes key, and the size of the key was a dead giveaway. It led us to finding a couple of other hidden payloads in other parts of the registry on various systems, allowing us to harvest and detect additional infections.

Nirsoft makes a GUI tool called RegScanner that allows you to scan the registry for keys based on size. Unfortunately, being a GUI tool, it cannot be easily scripted. What we need is a command line based tool that can be scripted to look for large registry keys while whitelisting known normal keys.
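As an added example (not the RegLister script and not code from the original post), here is what such a scripted scan looks like in PowerShell: it walks the given hive roots, measures the data stored in every value, skips whitelisted key paths, and reports anything at or above the 20k threshold. The default root and the whitelist entry are assumptions to tune per environment.

```powershell
param(
    [string[]] $Roots     = @('HKLM:\SOFTWARE\Classes'),
    [int]      $MinBytes  = 20KB,
    # Assumed whitelist of known-large keys (wildcards allowed); tune to your environment.
    [string[]] $Whitelist = @('HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\*')
)

# Approximate stored size of one value's data, based on the .NET type GetValue() returns.
function Get-RegDataSize {
    param([object] $Data)
    if ($null -eq $Data)      { return 0 }
    if ($Data -is [byte[]])   { return $Data.Length }                                    # REG_BINARY
    if ($Data -is [string])   { return [Text.Encoding]::Unicode.GetByteCount($Data) }    # REG_SZ / REG_EXPAND_SZ
    if ($Data -is [string[]]) {                                                           # REG_MULTI_SZ
        return ($Data | ForEach-Object { [Text.Encoding]::Unicode.GetByteCount($_) + 2 } |
                Measure-Object -Sum).Sum
    }
    if ($Data -is [int])      { return 4 }                                               # REG_DWORD
    if ($Data -is [long])     { return 8 }                                               # REG_QWORD
    return 0
}

function Find-LargeRegValue {
    param([string[]] $Roots, [int] $MinBytes, [string[]] $Whitelist)
    foreach ($root in $Roots) {
        # Include the root key itself; access-denied subkeys are skipped silently.
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            # $key.Name is the full path, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\...
            if ($Whitelist | Where-Object { $key.Name -like $_ }) { continue }
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $size = Get-RegDataSize $data
                if ($size -ge $MinBytes) {
                    [pscustomobject]@{
                        Key   = $key.Name
                        Value = $(if ($name) { $name } else { '(Default)' })
                        Type  = $key.GetValueKind($name)
                        Bytes = $size
                    }
                }
            }
        }
    }
}

Find-LargeRegValue -Roots $Roots -MinBytes $MinBytes -Whitelist $Whitelist |
    Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM is fully readable; a full walk of HKLM\SOFTWARE\Classes takes a while, so on a fleet you would feed the output into a baseline and alert only on values that are new or have grown.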

In the following tweets @dnlongen announced a python script named "RegLister" which can be found here:

RegLister - Registry key scanner by size

@dnlongen added a whitelist and size tweaks after I inquired, and now there is a new tool to help you Hunt the Malwarez.

GREAT JOB @dnlongen!!!

#InfoSec #MalwareArchaeology