Embedded Nulls in the Windows Registry

Explanation

Sysinternals published a technical article last year which detailed how kernel-level processes and drivers were able to create registry key and value names that are inaccessible to the user-mode API. The technique relies on the fact that user-mode strings define their length by an embedded NULL terminator, whereas strings in kernel mode are usually explicitly sized by a separate length field. It is therefore possible in kernel mode to embed a NULL character into a string and have it form part of the complete key name. Keys and values are opened in user mode by providing a NULL-terminated string for the name, so the name is cut short at the first NULL and a name that contains an embedded NULL as part of its full length can never be opened or matched from user mode.
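The following is an added example, not code from the original page or from Registry Manager, that models the two views of a name described above and shows the check a registry tool can use to detect this form of concealment. The COUNTED_STRING type is a portable stand-in with the same layout as the kernel's UNICODE_STRING (a byte Length plus a buffer), so the example builds on any platform; the sample name "Hidden" NUL "Key" is constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the kernel's counted string (same layout as UNICODE_STRING).
 * Length is in BYTES and is independent of any NUL terminator, which is
 * exactly what lets a NUL be part of the name. Portable stand-in, not the
 * Windows type itself. */
typedef uint16_t WCHAR;
typedef struct {
    uint16_t Length;        /* bytes in use, excluding any terminator */
    uint16_t MaximumLength; /* bytes allocated */
    WCHAR   *Buffer;
} COUNTED_STRING;

/* User-mode view: a NUL-terminated API stops at the first 0x0000 unit, so
 * this is the only portion of the name it can ever see or match. */
size_t apparent_chars(const WCHAR *buf, size_t max_chars) {
    size_t n = 0;
    while (n < max_chars && buf[n] != 0) n++;
    return n;
}

/* Kernel view: the name is every WCHAR covered by Length. */
size_t true_chars(const COUNTED_STRING *s) {
    return s->Length / sizeof(WCHAR);
}

/* Detection: the name is concealed from user mode exactly when the
 * NUL-terminated walk ends before the counted length does. */
int has_embedded_nul(const COUNTED_STRING *s) {
    size_t total = true_chars(s);
    return apparent_chars(s->Buffer, total) < total;
}

/* Render the full name for display, showing each embedded NUL as "\0", so a
 * tool can present the real name instead of the truncated one.
 * Returns the number of characters written (excluding the terminator). */
size_t render_visible(const COUNTED_STRING *s, char *out, size_t out_len) {
    size_t total = true_chars(s), w = 0;
    for (size_t i = 0; i < total && w + 2 < out_len; i++) {
        WCHAR c = s->Buffer[i];
        if (c == 0)          { out[w++] = '\\'; out[w++] = '0'; }
        else if (c < 0x80)   out[w++] = (char)c;
        else                 out[w++] = '?';  /* non-ASCII kept simple here */
    }
    out[w] = '\0';
    return w;
}

/* Constructed samples. The hidden name is 10 WCHARs (20 bytes) with a NUL
 * at index 6; user mode sees only "Hidden". */
static WCHAR g_hidden_buf[] = {'H','i','d','d','e','n',0,'K','e','y'};
const COUNTED_STRING g_hidden_name = { 20, 20, g_hidden_buf };

static WCHAR g_plain_buf[] = {'R','u','n'};
const COUNTED_STRING g_plain_name = { 6, 6, g_plain_buf };

char g_shown[64];  /* scratch buffer for rendered names */

int main(void) {
    const COUNTED_STRING *names[] = { &g_plain_name, &g_hidden_name };
    for (size_t i = 0; i < 2; i++) {
        const COUNTED_STRING *s = names[i];
        render_visible(s, g_shown, sizeof g_shown);
        printf("%-14s true=%zu apparent=%zu %s\n", g_shown, true_chars(s),
               apparent_chars(s->Buffer, true_chars(s)),
               has_embedded_nul(s) ? "CONCEALED from user mode" : "ok");
    }
    return 0;
}
```

On a real system the counted view comes from the native API rather than the Win32 one: NtEnumerateKey and NtEnumerateValueKey return the name together with a NameLength in bytes, so a scanner enumerates with those calls and applies the same comparison to every name it receives, flagging any whose NUL-terminated length is shorter than the reported length.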

Background

Registry Manager was written from the ground up to allow the maximum access to the registry that the chosen account's security will allow. When KVK Consultancy discovered there was a virus (a.k.a. WWWCool) that prevented user-level applications from being able to access or see the true data stored in the registry, KVK Consultancy took this as a challenge and Registry Manager received an update (adding anti-virus methods to Registry Manager to help prevent and counter this type of data concealment). This done, I felt confident that Registry Manager lived up to its aim.

However, when I read earlier this year the above Sysinternals article about user-mode inaccessible registry keys, I felt that Registry Manager would meet this challenge. I was disappointed to find that although it was able to access keys via kernel mode like every other registry application (including Microsoft's own Regedit), it was completely unable to access any keys created using embedded NULL characters.

The gauntlet was down and Registry Manager had to respond. In this latest release of Registry Manager this new registry concealment methodology has been countered; further, Registry Manager will warn you if this type of concealment has taken place, and it will now also show the correct values (not the "reported" values).

Aims and Goals

Registry Manager aims to be the best registry tool available under every reasonable condition for maintenance of the Microsoft Windows Registry. All the techniques discovered to be used for data hiding have worked without overly subverting the operating system. That is to say, no core DLLs were replaced and the system was not fundamentally compromised. Registry Manager seeks to work correctly, and as expected, in ALL conditions where the core operating system is intact (that is to say, has not been subverted outside of its intended operation, or to put it another way, all the calls as documented by Microsoft still perform as documented).

Most registry software programs cannot offer this level of accessibility. Registry Manager was designed to give complete and accurate control of the registry and to operate under the widest range of system conditions! The program works with all versions of Windows from Windows 95 upward and scales to the features of the operating system on which it is launched. It requires no installation to offer these features, and will work with any known service pack or update level.

Outcomes

Having been twice caught out by malware and virus attempts to hide and deny access to registry data I decided to completely overhaul Registry Manager and then to run it through some stress tests to try to predict and circumvent any future technique.
