
Add ms_regcheck command
Andrey Bazhan committed Mar 30, 2018
1 parent 60e55ea commit cbd62ff
Showing 4 changed files with 144 additions and 10 deletions.
42 changes: 34 additions & 8 deletions SwishDbgExt/Registry.cpp
Expand Up @@ -42,6 +42,29 @@ Revision History:
vector<HIVE_OBJECT> g_Hives;


PWSTR
GetRegistryValueTypeName(
_In_ ULONG ValueType
)
{
switch (ValueType) {

case REG_NONE: return L"REG_NONE";
case REG_SZ: return L"REG_SZ";
case REG_EXPAND_SZ: return L"REG_EXPAND_SZ";
case REG_BINARY: return L"REG_BINARY";
case REG_DWORD: return L"REG_DWORD";
case REG_DWORD_BIG_ENDIAN: return L"REG_DWORD_BIG_ENDIAN";
case REG_LINK: return L"REG_LINK";
case REG_MULTI_SZ: return L"REG_MULTI_SZ";
case REG_RESOURCE_LIST: return L"REG_RESOURCE_LIST";
case REG_FULL_RESOURCE_DESCRIPTOR: return L"REG_FULL_RESOURCE_DESCRIPTOR";
case REG_RESOURCE_REQUIREMENTS_LIST: return L"REG_RESOURCE_REQUIREMENTS_LIST";
case REG_QWORD: return L"REG_QWORD";
default: return L"Unknown";
}
}

vector<KEY_NAME>
GetKeysNames(
_In_ PWSTR FullKeyPath
Expand Down Expand Up @@ -322,13 +345,16 @@ BOOL
RegGetKeyValue(
_In_ PWSTR FullKeyPath,
_In_ PWSTR ValueName,
_Out_ PVOID Data,
_In_ ULONG DataLength
_Out_writes_bytes_to_(Length, *DataLength) PVOID Buffer,
_In_ ULONG Length,
_Out_ PULONG DataLength
)
{
BOOL Status = FALSE;

ZeroMemory(Data, DataLength);
ZeroMemory(Buffer, Length);

*DataLength = 0;

try {

Expand Down Expand Up @@ -373,9 +399,9 @@ RegGetKeyValue(

if (KeyValue.Field("Signature").GetUshort() == CM_KEY_VALUE_SIGNATURE) {

ULONG ValueLength = (KeyValue.Field("DataLength").GetUlong()) & 0x7FFFFFFF;
*DataLength = (KeyValue.Field("DataLength").GetUlong()) & 0x7FFFFFFF;

if (ValueLength <= DataLength) {
if (*DataLength <= Length) {

switch (KeyValue.Field("Type").GetUlong()) {

Expand All @@ -387,7 +413,7 @@ RegGetKeyValue(
{
ULONG64 ValueAddress = RegGetCellPaged(CmHive, KeyValue.Field("Data").GetUlong());

if (ExtRemoteTypedEx::ReadVirtual(ValueAddress, Data, ValueLength, NULL) == S_OK) {
if (ExtRemoteTypedEx::ReadVirtual(ValueAddress, Buffer, *DataLength, NULL) == S_OK) {

Status = TRUE;
}
Expand All @@ -397,15 +423,15 @@ RegGetKeyValue(
case REG_DWORD:
case REG_DWORD_BIG_ENDIAN:
{
*(PDWORD)Data = KeyValue.Field("Data").GetUlong();
*(PDWORD)Buffer = KeyValue.Field("Data").GetUlong();

Status = TRUE;

break;
}
case REG_QWORD:
{
*(PDWORD64)Data = KeyValue.Field("Data").GetLong64();
*(PDWORD64)Buffer = KeyValue.Field("Data").GetLong64();

Status = TRUE;

Expand Down
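Review bot: The new `*DataLength <= Length` guard only protects the cell-read path; the REG_DWORD and REG_QWORD branches still store 4 and 8 bytes through `Buffer` regardless of `Length`, so the new signature does not yet make the function safe for a caller that passes a short buffer. Add `if (Length < sizeof(DWORD)) break;` ahead of `*(PDWORD)Buffer = ...` and `if (Length < sizeof(DWORD64)) break;` ahead of the QWORD store, which leaves `Status` FALSE as for the oversized-cell case. The function now also has a contract worth stating in its header comment: on a FALSE return `*DataLength` still holds the hive's declared size (masked to 31 bits), so a caller can distinguish "value not found" from "buffer too small" and retry. The `& 0x7FFFFFFF` mask appears to strip the high bit of the on-disk DataLength; if that bit marks data stored inline in the `Data` field rather than in a separate cell (as it does in the hive format I am aware of), short REG_SZ/REG_BINARY values would be routed through `RegGetCellPaged` with a non-cell-index argument, which is worth confirming with a small value. RegGetKeyValue starts above and ends below this hunk.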
16 changes: 14 additions & 2 deletions SwishDbgExt/Registry.h
Expand Up @@ -109,6 +109,17 @@ typedef struct _KEY_NODE {
ExtRemoteTyped KeyNode;
} KEY_NODE, *PKEY_NODE;

typedef struct _REG_CHECK {
PWSTR KeyName;
PWSTR ValueName;
ULONG ValueType;
} REG_CHECK, *PREG_CHECK;


PWSTR
GetRegistryValueTypeName(
_In_ ULONG ValueType
);

ULONG64
RegGetCellPaged(
Expand Down Expand Up @@ -137,8 +148,9 @@ BOOL
RegGetKeyValue(
_In_ PWSTR FullKeyPath,
_In_ PWSTR ValueName,
_In_ PVOID Data,
_In_ ULONG DataLength
_Out_writes_bytes_to_(Length, *DataLength) PVOID Buffer,
_In_ ULONG Length,
_Out_ PULONG DataLength
);

vector<KEY_NAME>
Expand Down
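Review bot: `GetRegistryValueTypeName` only ever returns string literals (including `L"Unknown"`), so its declared return type should be `PCWSTR` rather than `PWSTR`; as written a caller can legally write through the pointer into read-only memory. The new `REG_CHECK` struct should also say what `ValueType` means, since ms_regcheck formats the data by it rather than by the type found in the hive: `ULONG ValueType; // expected REG_* type; output is formatted as this type, not as the hive's actual Type`. The `_Out_writes_bytes_to_(Length, *DataLength)` annotation is correct for the success path; a one-line comment that `*DataLength` is set to the declared hive length even when FALSE is returned would complete the contract.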
95 changes: 95 additions & 0 deletions SwishDbgExt/SwishDbgExt.cpp
Expand Up @@ -125,6 +125,7 @@ class EXT_CLASS : public ExtExtension
EXT_COMMAND_METHOD(ms_lxss);

EXT_COMMAND_METHOD(ms_yarascan);
EXT_COMMAND_METHOD(ms_regcheck);

HRESULT
Initialize(void)
Expand Down Expand Up @@ -2246,3 +2247,97 @@ EXT_COMMAND(ms_yarascan,
YaraScan(&ProcObj, FileName);
}
}

EXT_COMMAND(ms_regcheck,
"Scan for suspicious registry entries",
"{;e,o;;}"
)
{
BYTE KeyValue[MAX_PATH * 8];
ULONG DataLength;
static REG_CHECK RegChecks[] = {
L"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\GloballyOpenPorts\\List", L"3389:TCP", REG_SZ,
L"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile\\GloballyOpenPorts\\List", L"3389:TCP", REG_SZ,
L"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server", L"fDenyTSConnections", REG_DWORD,
L"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server", L"fSingleSessionPerUser", REG_DWORD,
L"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core", L"EnableConcurrentSessions", REG_DWORD,
L"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", L"EnableConcurrentSessions", REG_DWORD,
L"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", L"AllowMultipleTSSessions", REG_DWORD,
L"\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services", L"MaxInstanceCount", REG_DWORD,
L"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList", L"MS_BACKUP", REG_DWORD,
L"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system", L"dontdisplaylastusername", REG_DWORD,
L"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system", L"LocalAccountTokenFilterPolicy", REG_DWORD,
L"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest", L"UseLogonCredential", REG_DWORD
};

if (RegInitialize()) {

for (size_t i = 0; i < _countof(RegChecks); i++) {

Dml("\n%S\n", RegChecks[i].KeyName);
Dml("%S %S ", RegChecks[i].ValueName, GetRegistryValueTypeName(RegChecks[i].ValueType));

if (RegGetKeyValue(RegChecks[i].KeyName, RegChecks[i].ValueName, KeyValue, sizeof(KeyValue), &DataLength)) {

switch (RegChecks[i].ValueType) {

case REG_BINARY:
{
size_t k;

g_Ext->Dml("\n ");

for (size_t j = 0; j < DataLength; j++) {

for (k = 0; ((j + k) < DataLength) && (k < 0x10); k++) {

g_Ext->Dml("0x%02x ", KeyValue[j + k]);
}

for ( ; k < 0x10; k++) {

g_Ext->Dml(" ");
}

g_Ext->Dml(" | ");

for (k = 0; ((j + k) < DataLength) && (k < 0x10); k++) {

g_Ext->Dml("%c ", ((KeyValue[j + k] >= ' ') && (KeyValue[j + k] <= 'Z')) ? KeyValue[j + k] : '.');
}

g_Ext->Dml("\n ");

j += k;
}

break;
}
case REG_SZ:
case REG_EXPAND_SZ:
case REG_LINK:
case REG_MULTI_SZ:
{
g_Ext->Dml("%S", (PWSTR)KeyValue);

break;
}
case REG_DWORD:
{
g_Ext->Dml("0x%08x", *(PULONG)KeyValue);

break;
}
case REG_QWORD:
{
g_Ext->Dml("0x%I64x", *(PULONG64)KeyValue);

break;
}
}
}

Dml("\n");
}
}
}
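Review bot: The REG_BINARY dump skips one byte per row: the inner loops leave `k == 0x10` for a full row, `j += k` advances to the next row, and the outer `for` then applies its own `j++`, so bytes 16, 33, 50, … are never printed; change the loop header to `for (size_t j = 0; j < DataLength; j += 0x10)` and delete the `j += k;` line. The printable-character test `(KeyValue[j + k] <= 'Z')` also replaces every lowercase letter with `.`; `<= '~'` is the usual bound for an ASCII column. Separately, the switch dispatches on `RegChecks[i].ValueType` (the type the table expects) while RegGetKeyValue fetches the data according to the hive's own Type field and never reports it, so a value that exists under a different type is reinterpreted as the expected one, and a string value whose DataLength equals `sizeof(KeyValue)` has no NUL terminator, so the `%S` on `(PWSTR)KeyValue` reads past the stack buffer; passing `sizeof(KeyValue) - sizeof(WCHAR)` as Length preserves the zeroed terminator. Since the hive is parsed out of a memory image, its contents should be treated as untrusted input; note too that `REG_MULTI_SZ` prints only the first string of the list.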
1 change: 1 addition & 0 deletions SwishDbgExt/SwishDbgExt.def
Expand Up @@ -55,5 +55,6 @@ EXPORTS
ms_lxss

ms_yarascan
ms_regcheck

help
