How to read/dump/compare registry hives

• Download regdmp.zip - 40.91 KB

Motivation

Well recently I had nasty worm/rootkit problem and naturally I wanted to know what he changed in my system. So i started seeking for some tool to detect registry changes. some simple tool to dump complete registry content to text file before infection and after and by simple text diff i would be able to see the changes fast. I was not very lucky thou. Since all reg tools i found were using win32 api to get data which that clever rootkit redirected to himself and thus stayed hidden. Also as i later found out malware don't even need to be that clever to hide things in registry from standard api.

So now I had physical clean registry files from system restore point and dirty ones from my infected system. And I didn't stop poking in the hives until I did come up with simple tool to dump and compare their real contents in simple text format. I also needed full reg path at each entry so in case I use text diff on those dumps I see where the change happened.

Hive format

NT/XP registry files (binary hives not textual reg files) are actually very simple. tey are just bunch of 4k blocks where each block contain variable sized blocks . Each of those starts with

usual 4b size and 2b type.

And thats about it . thats ms registry hive format. Oh and I nearly forgot. First 1k of first block is hive header with no usefull info as far as i know

Now whats inside of those variable sized blocks

The simplest way to describe registry is to think of it as a file system where keys are directories and values are files. And as we allready know both directories and files have names except that each file can also contain data.

So there are 2 basic blocks one for keys and one for values. what's nice is that MS decided to use human readable 2 char strings in the block type field i mentioned earlier. so if you open hive in hex viewer jou can clearly see "nk" for key block and "vk" for value block.

Using the code

And here is actual code to dump registry hives. I used portable c code so it should be compilable on unix too without much change.

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

struct offsets { 
    long  block_size;
    char  block_type[2]; // "lf" "il" "ri"
    short count;   
    long  first; 
    long  hash; 
};

struct key_block  { 
    long  block_size;
    char  block_type[2]; // "nk"
    char  dummya[18];
    int   subkey_count;
    char  dummyb[4];
    int   subkeys;
    char  dummyc[4];
    int   value_count;
    int   offsets;
    char  dummyd[28];
    short len;
    short du;
    char  name; 
};

struct value_block {
    long  block_size;
    char  block_type[2]; // "vk"
    short name_len;
    long  size;
    long  offset;
    long  value_type;
    short flags;
    short dummy;
    char  name; 
};

void walk ( char* path,   key_block* key ) {
    static  char* root=(char*)key-0x20, *full=path;
    
    // add current key name to printed path
    memcpy(path++,"/",2); memcpy(path,&key->name,key->len); path+=key->len;

    // print all contained values
    for(int o=0;o<key->value_count;o++){
        value_block* val = (value_block*)(((int*)(key->offsets+root+4))[o]+root); 
        
        // we skip nodes without values
        if(!val->offset)  continue;
        
        // data are usually in separate blocks without types
        char* data = root+val->offset+4;
        // but for small values MS added optimization where 
        // if bit 31 is set data are contained wihin the key itself to save space
        if(val->size&1<<31) {
              data = (char*)&val->offset;
        }
        // notice that we use memcopy for key/value names everywhere instead of strcat
        // reason is that malware/wiruses often write non nulterminated strings to
        // hide from win32 api
        *path='/'; if(!val->name_len) *path=' '; 
        memcpy(path+1,&val->name,val->name_len); path[val->name_len+1]=0;

        printf("%s [%d] = ",full,val->value_type);
        for(int i=0;i<(val->size&0xffff);i++) {
            // print types 1 and 7 as unicode strings  
            if(val->value_type==1||val->value_type==7) {
                if(data[i]) putchar(data[i]);
            // and rest dump as binary data         
            } else {
                printf("%02X",data[i]);
            }
        }
        printf("\n");
    }
    
    // for simplicity we can imagine keys as directories in filesystem and values
    // as files.
    // and since we already dumped values for this dir we will now iterate 
    // thru subdirectories in the same way

    offsets* item = (offsets*)(root+key->subkeys);
    for(int i=0;i<item->count;i++){
        // in case of too many subkeys this list contain just other lists
        offsets* subitem = (offsets*)((&item->first)[i]+root);

        // usual directory traversal  
        if(item->block_type[1]=='f'||item->block_type[1]=='h') {
            // for now we skip hash codes (used by regedit for faster search)
            walk(path,(key_block*)((&item->first)[i*2]+root));
        } else for(int j=0;j<subitem->count;j++) {
            // also ms had chosen to skip hashes altogether in this case 
            walk(path,(key_block*)((&subitem->first)[item->block_type[1]=='i'?j*2:j]+root));
        }
    }
}

int main(int argc, char** argv) {
    char path[0x1000]={0}, *data; FILE* f; int size;  
    
    if(argc<2||!(f=fopen(argv[1],"rb"))) return printf("hive path err");
    
    fseek(f,0,SEEK_END); 
    if(!(size=ftell(f))) return printf("empty file");
    
    rewind(f); data=(char*)malloc(size); 
    fread(data,size,1,f); 
    fclose(f);

    // we just skip 1k header and start walking root key tree
    walk(path,(key_block*)(data+0x1020));
    free(data);
    return 0;
}

Points of Interest

Remember it will dump values that you normally don't even have access to so be careful.

It's prerfect to just dump the hives before and after software installation and just compare changes with text diff (for example commandline version from UnixUtils is great) .