Exetools  

Exetools > General > General Discussion

  #1  
Old 09-18-2009, 16:44
-=bb=-
Family
 
Join Date: Sep 2009
Location: slowly learning
Posts: 72
Rept. Given: 23
Rept. Rcvd 37 Times in 10 Posts
Thanks Given: 18
Thanks Rcvd at 23 Times in 9 Posts
-=bb=- Reputation: 37
How to access an invalid registry key?

Hi,

Looking at a software protection that stores some data in an invalid registry key. Trying to open/delete/rename the key results in "Cannot open <keyname>: Error while opening key."

How do I see what is in there, rename it or delete it?

Thanks in advance!

bb
  #2  
Old 09-18-2009, 17:19
STRELiTZIA
 
Posts: n/a
Quote:
software protection
Like Antivirus / Firewalls ? or Exe Protectors ?

For Antivirus / Firewalls:
They are not invalid keys; the Anti/Fire software uses an SSDT hook to prevent changes to them...

To clean the SSDT hook, try SSDT Unhooker tools before manipulating these keys.
  #3  
Old 09-18-2009, 17:22
-=bb=-
Hi STRELiTZIA,

It is a simple time trial that I suspect is hiding the 'start date/run times' etc. in this key, but since I can't look at it, delete it or rename it, I can't confirm that is the case just yet.

I will try the SSDT Unhooker you mention - thanks!

bb
  #4  
Old 09-18-2009, 17:27
-=bb=-
Managed to find the contents, and delete it using Registry Trash Keys Finder using the 'Search Null-embedded Keys' option.

Reset the trial perfectly. Now just to reverse RTKF to find out how it deletes the key and I can make my own automated trial reset for the software.

Simples!

Thanks all.
bb
  #5  
Old 09-18-2009, 17:51
LouCypher
Friend
 
Join Date: Aug 2004
Posts: 41
Rept. Given: 5
Rept. Rcvd 9 Times in 9 Posts
Thanks Given: 0
Thanks Rcvd at 9 Times in 9 Posts
LouCypher Reputation: 9
Quote:
Originally Posted by -=bb=- View Post
Now just to reverse RTKF to find out how it deletes the key and I can make my own automated trial reset for the software.
You'd probably be interested in the source code for Mark Russinovich's old RegHide program. It provides a demonstration of how to create, verify, and remove a key containing embedded NULL characters. When he sold out to Microsoft they removed all of his source code from the current site, but there are mirrors available.

You can download the original RegHide with source here:
Code:
http://court.shrock.org/sysinternals-bt/RegHide.zip
  #6  
Old 09-18-2009, 18:09
-=bb=-
Wow - great find LouCypher!

Thanks a lot - I'll read into that this evening (or today if my boss stays in his office)

Thanks mate!
  #7  
Old 09-20-2009, 14:54
piccolo
Friend
 
Join Date: Jul 2006
Posts: 28
Rept. Given: 4
Rept. Rcvd 3 Times in 1 Post
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
piccolo Reputation: 3
That error also occurs when you do not have the rights to change that key, e.g. with some services. Simply right click the registry entry and check the Permissions. They are probably set to not allow that much.
  #8  
Old 09-22-2009, 07:11
-=bb=-
Hi piccolo,

In this instance it wasn't a rights issue - it was the NULL-terminated key name.

I was hoping to modify the source code from Sysinternals' RegHide but my C skillz are so weak that I can't even get the original source to compile without a bunch of errors such as:

41 C:\RegHide\REGHIDE.C invalid conversion from `int (*)()' to `NTSTATUS (*)(void*, DWORD, OBJECT_ATTRIBUTES*, DWORD, UNICODE_STRING*, DWORD, long unsigned int*)'

So I guess I'll have to knock up a little MASM framework to do it in this coming weekend when I get some free time (hopefully!).

I'm aiming to base it on NtCreateKey and NtDeleteKey as per that source - since it appears the NtDeleteKey (according to the brief look I've had) relies on a handle being passed to it created by a successful call to NtCreateKey or NtOpenKey.

Damn my feeble C skills - it's times like this that being entirely self taught shows that I had a poor teacher!

bb
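Added illustration (not code from this thread or from RegHide) of the string handling behind what bb and LouCypher describe: the native API takes a counted UNICODE_STRING, so a name with an embedded NUL is a valid key name, while the Win32 layer and Regedit stop at the first NUL and so ask for a key that does not exist, which is the "Error while opening key" in the first post. The UNICODE_STRING type is redefined minimally here (assumption) so the logic compiles outside Windows; on Windows the same counted name is what NtOpenKey and NtDeleteKey consume via winternl.h. The key names are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for the native API types (assumption: on Windows they come
 * from <winternl.h>). WCHAR is 16-bit as on Windows; Length counts bytes. */
typedef uint16_t WCHAR;
typedef struct {
    uint16_t Length;        /* bytes in use; no terminator is implied */
    uint16_t MaximumLength; /* bytes allocated */
    WCHAR   *Buffer;
} UNICODE_STRING;

/* Build the counted name NtCreateKey/NtOpenKey take. Because the length is
 * explicit, an embedded 0 is part of the name, not the end of it. */
static UNICODE_STRING make_name(WCHAR *buf, size_t nchars) {
    UNICODE_STRING s;
    s.Length = (uint16_t)(nchars * sizeof(WCHAR));
    s.MaximumLength = s.Length;
    s.Buffer = buf;
    return s;
}

/* What a NUL-terminated Win32 caller (Regedit, RegOpenKeyEx) sees: the name
 * is cut at the first 0, so it asks for a key that does not exist. */
static size_t win32_visible_chars(const UNICODE_STRING *s) {
    size_t n = s->Length / sizeof(WCHAR), i;
    for (i = 0; i < n && s->Buffer[i] != 0; i++) ;
    return i;
}

/* RTKF-style "Search Null-embedded Keys" test on a name as returned by
 * NtEnumerateKey: hidden if the counted length runs past an embedded 0. */
static int is_null_embedded(const UNICODE_STRING *s) {
    return win32_visible_chars(s) < s->Length / sizeof(WCHAR);
}

/* Constructed sample names: "Trial" and "Trial" + NUL + "Data" (10 chars). */
static WCHAR g_plain[]  = { 'T','r','i','a','l' };
static WCHAR g_hidden[] = { 'T','r','i','a','l', 0, 'D','a','t','a' };

static int    sample_plain_is_flagged(void)     { UNICODE_STRING s = make_name(g_plain, 5);   return is_null_embedded(&s); }
static int    sample_hidden_is_flagged(void)    { UNICODE_STRING s = make_name(g_hidden, 10); return is_null_embedded(&s); }
static size_t sample_hidden_visible_chars(void) { UNICODE_STRING s = make_name(g_hidden, 10); return win32_visible_chars(&s); }

int main(void) {
    printf("plain flagged=%d, hidden flagged=%d, Regedit sees %zu of 10 chars\n",
           sample_plain_is_flagged(), sample_hidden_is_flagged(),
           sample_hidden_visible_chars());
    return 0;
}
```

Run over the names NtEnumerateKey returns, is_null_embedded is the check a cleanup tool uses to list keys Regedit cannot show; deleting one then needs a handle from NtOpenKey on the full counted name, as bb notes.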