![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiARJB9z7j2JIkDcM1cmrOVru_0m95bAPeFY_GCbEDxO5AMXzOdxchuQx9BEiq6z5mgqhsw3FV68V82ASPLoIQ-8cfHzHAXklDheosqoXBRDCjUvrWJbWZp7RTncuyO7mmEAJRn6mhwg_o/s288/iphone_photo.jpg)
I just LOVE when a Twitter conversation turns into a new tool! It is a perfect example of collaboration and how the community can band together to solve a need.
That happened last week when Austin's own @dnlongen read a blog post from @codereversing about hiding malware in Windows registry keys and mentioned that he first heard it from me ;-)
In the following tweets I pointed out that the large majority of registry values (the data stored under a key) are smaller than 20 KB, so filtering on size alone strips out most of the normal noise and leaves a hidden payload standing out. I was involved in an incident where a 250 KB payload was hidden under the HKLM\Software\Classes key, and the size of the value was a dead giveaway. It led us to a couple of other hidden payloads in other parts of the registry on various systems, letting us harvest them and detect additional infections.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaw3Z2Q9qKcGVWCUFVt2dJ-Fq1aGRbP0ep-hcTHUplenRtYNECMhojfd4fIZV7PAkHg5xmYtRyqepthXIhr_E0Rjk1boKRwlReqE9kI-U8BFZwT7jK7aYx-dfIaHv0peOgWXI27iTX1hc/s288/iphone_photo.jpg)
Nirsoft makes a GUI tool called RegScanner that can scan the registry for values by data size. Unfortunately, being a GUI tool, it cannot easily be scripted. What we need is a command line tool that can be scripted to look for large registry values and whitelist the known-good ones that are legitimately large.
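To make the size heuristic concrete, here is an added example of the kind of scriptable scanner described above. It is not RegLister and not code from the original post; it walks a hive with Python's winreg module, records the byte size of every value's data, and reports values above a threshold whose key is not on a whitelist. The 20 KB default threshold comes from the post; the whitelist patterns, the hive/subkey defaults and the sample values in SAMPLE_VALUES are assumptions constructed for illustration, and the walk itself only runs on Windows.

```python
"""Hunt for oversized registry values (hidden-payload heuristic).

The registry walk needs Windows (winreg); the size and whitelist
filtering is kept separate so it can be tested on any platform.
"""
import fnmatch
import sys
from dataclasses import dataclass

DEFAULT_THRESHOLD = 20 * 1024  # post: most registry data is under 20 KB

# Assumed whitelist (fnmatch patterns, case-insensitive): key paths that
# legitimately hold large blobs and would otherwise be noise in the report.
DEFAULT_WHITELIST = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\*",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache",
)

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS"}
REG_QWORD = 11  # winreg.REG_QWORD; kept as a literal so data_size needs no winreg


@dataclass(frozen=True)
class RegValue:
    key_path: str  # full path, e.g. HKLM\SOFTWARE\Classes\SomeApp
    name: str      # value name; "" is the (Default) value
    size: int      # size of the stored data in bytes


def data_size(data, vtype):
    """Approximate on-disk size of the data object winreg.EnumValue returns."""
    if data is None:
        return 0
    if isinstance(data, (bytes, bytearray)):          # REG_BINARY and friends
        return len(data)
    if isinstance(data, str):                         # REG_SZ / REG_EXPAND_SZ
        return len(data.encode("utf-16-le")) + 2      # UTF-16 plus terminator
    if isinstance(data, list):                        # REG_MULTI_SZ
        return sum(len(s.encode("utf-16-le")) + 2 for s in data) + 2
    if isinstance(data, int):
        return 8 if vtype == REG_QWORD else 4         # REG_QWORD / REG_DWORD
    return 0


def is_whitelisted(key_path, whitelist):
    path = key_path.lower()
    return any(fnmatch.fnmatchcase(path, pat.lower()) for pat in whitelist)


def find_large_values(values, threshold=DEFAULT_THRESHOLD, whitelist=DEFAULT_WHITELIST):
    """Values strictly above threshold whose key is not whitelisted, largest first."""
    hits = [v for v in values
            if v.size > threshold and not is_whitelisted(v.key_path, whitelist)]
    return sorted(hits, key=lambda v: v.size, reverse=True)


def walk_registry(hive="HKLM", subkey=""):
    """Yield a RegValue for every value below hive\\subkey (Windows only)."""
    import winreg
    root = getattr(winreg, HIVES[hive])
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    stack = [subkey]
    while stack:
        path = stack.pop()
        try:
            key = winreg.OpenKey(root, path, 0, access)
        except OSError:
            continue  # access denied or key vanished mid-walk: skip it
        with key:
            full = f"{hive}\\{path}" if path else hive
            i = 0
            while True:
                try:
                    name, data, vtype = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values
                yield RegValue(full, name, data_size(data, vtype))
                i += 1
            i = 0
            while True:
                try:
                    child = winreg.EnumKey(key, i)
                except OSError:
                    break  # no more subkeys
                stack.append(f"{path}\\{child}" if path else child)
                i += 1


# Constructed sample of scan output (not from a real system) to exercise the filter.
SAMPLE_VALUES = (
    RegValue(r"HKLM\SOFTWARE\Classes\SomeApp\shell\open\command", "", 312),
    RegValue(r"HKLM\SOFTWARE\Classes\SomeApp", "Blob", 250 * 1024),      # the payload
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
             "Cache", 90 * 1024),                                        # large but whitelisted
    RegValue(r"HKLM\SOFTWARE\Classes\OtherApp", "Settings", 20 * 1024),  # exactly at threshold
)


def main(argv):
    hive = argv[1] if len(argv) > 1 else "HKLM"
    subkey = argv[2] if len(argv) > 2 else r"SOFTWARE\Classes"
    threshold = int(argv[3]) if len(argv) > 3 else DEFAULT_THRESHOLD
    for v in find_large_values(walk_registry(hive, subkey), threshold):
        print(f"{v.size:>10}  {v.key_path}\\{v.name or '(Default)'}")


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("walk_registry needs Windows; the filter can be tried on SAMPLE_VALUES")
    main(sys.argv)
```

Run it as `python hunt_big_values.py HKLM SOFTWARE\Classes 20480` from an elevated prompt so that HKLM keys readable only by administrators are included; keys the account cannot open are skipped rather than aborting the scan, so a run as a low-privileged user silently covers less of the hive. Against SAMPLE_VALUES only the 250 KB `Blob` value is reported: the Explorer entry is larger than the threshold but whitelisted, and a value sitting exactly at 20 KB is not above it.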
In the following tweets @dnlongen announced a Python script named "RegLister", which can be found here:
RegLister - Registry key scanner by size
@dnlongen added a whitelist and size tweaks after I inquired, and now there is a new tool to help you Hunt the Malwarez.
GREAT JOB @dnlongen!!!
#InfoSec #MalwareArchaeology