accessing system32\config\system file...

Hi,

I need read access to \System32\Config\System file, which seems to be
exclusively locked by the System process…

So, the easiest way which comes to mind is to steal the handle for that
file from the System process…

…however, on Windows 2000, when investigating file handles (.handle
command in KD), there seems to be no open handle for that file name.
Surprisingly 90% of the File handles I get (from System process) are
with NULL FileName field. And this seems to be Windows 2000 specific,
since on Windows XP, most of the file objects opened by System process
seem to have a valid name and I can easily find the open handle for that
hive file.

On Windows XP it’s also possible to find the file object for the
corresponding hive file by looking at the _CMHIVE.FileObject field,
which unfortunately is not present on older systems :(

So, my question is: can you propose an elegant method for reading the
\System32\Config\System file (from a driver of course)?

Of course I’m aware of the possibility of reading it by accessing raw
disk sectors through \Device\HardDisk… but it seems too much work ;)

thanks,
joanna.

> So, my question is: can you propose an elegant method for reading the
> \System32\Config\System file (from a driver of course)?

Yes. By the registry APIs :)

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Maxim S. Shatskih wrote:

> So, my question is: can you propose an elegant method for reading the
> \System32\Config\System file (from a driver of course)?
>
> Yes. By the registry APIs :)

hahaha :)

ok, just to provide at least one reason for not doing it with the API…

The registry API is often hooked/cheated in a more or less smart way to
hide some registry keys (vide malicious code/rootkits). So, one way of
detecting such hidden keys is to compare what you get from the API with
information you got on the deepest possible level (which seems to be
reading the hive file *from disk*). Why shouldn’t the rootkit also change
the hive file contents, you may ask? Well, the rootkit is interested in
surviving the reboot… (ok, it may also cheat the NTFS driver too, but
let’s ignore it at the moment ;)

And I’m also aware of using the ‘reg save’ command, but it still is not
good enough, since it provides us with information from the
Configuration Manager cache, rather than from the hive file on disk
(verified by an experiment).

So, how to access that interesting hive file?

joanna.
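The cross-view check described in the post above (what the on-disk hive holds versus what the registry API reports), as an added example that is not part of the thread: a minimal regf parser that walks the key tree of a hive file and lists keys the API enumeration lacks. The hive bytes are constructed inside the script by build_hive() so it runs offline; build_hive, parse_hive, hidden_keys, checksum_ok and the sample tree are this example’s own names, not anything from the thread, and obtaining the bytes of the live SYSTEM hive (raw sectors, a system-start driver, or whatever the thread settles on) is left outside it. It goes slightly beyond the post in handling lh/li/ri subkey lists and checking the base-block checksum first.

```python
"""Cross-view registry check: parse an on-disk regf hive directly and diff its key
tree against the keys the live registry API reported.  Added example, not code
from the thread.  The hive bytes are CONSTRUCTED by build_hive() so this runs
offline; feed parse_hive() the bytes of a real hive file to use it for real."""
import struct

HBINS = 0x1000      # hive bins start at file offset 4096, after the base block
NONE = 0xFFFFFFFF   # "no cell" marker in nk records

class _HiveBuilder:   # emits one hbin of nk/lf cells for a nested {name: {child: {...}}} tree
    def __init__(self):
        self.data = bytearray(b"hbin" + b"\0" * 28)   # 0x20-byte hbin header, sized later
    def alloc(self, size):   # reserve an allocated cell (negative size word), return its offset
        size = (4 + size + 7) & ~7                     # cells are 8-byte aligned
        self.data += struct.pack("<i", -size) + b"\0" * (size - 4)
        return len(self.data) - size
    def put(self, off, payload):
        self.data[off + 4:off + 4 + len(payload)] = payload
    def key(self, name, parent, children, root=False):
        nm = name.encode("latin-1")
        off = self.alloc(0x4C + len(nm))               # nk header is 0x4C bytes, name follows
        kids = [(n, self.key(n, off, c)) for n, c in children.items()]
        lst = NONE
        if kids:   # "lf" list: count, then (cell offset, 4-char name hint) pairs
            lst = self.alloc(4 + 8 * len(kids))
            self.put(lst, b"lf" + struct.pack("<H", len(kids)) + b"".join(
                struct.pack("<I", o) + n.encode("latin-1")[:4].ljust(4, b"\0") for n, o in kids))
        flags = 0x2C if root else 0x20                 # KEY_COMP_NAME; root adds HIVE_ENTRY|NO_DELETE
        self.put(off, b"nk" + struct.pack("<HQ15IHH", flags, 0, 0, parent, len(kids), 0, lst,
                                          NONE, 0, NONE, NONE, NONE, 0, 0, 0, 0, 0, len(nm), 0) + nm)
        return off

def _checksum(base):   # XOR of the first 508 bytes as dwords; 0 -> 1, ~0 -> ~0 - 1
    cs = 0
    for (w,) in struct.iter_unpack("<I", base[:0x1FC]):
        cs ^= w
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(cs, cs)

def build_hive(tree):
    """Return a complete regf file (base block + one hbin) for the constructed tree."""
    b = _HiveBuilder()
    root = b.key("ROOT", NONE, tree, root=True)
    size = (len(b.data) + 0xFFF) & ~0xFFF
    struct.pack_into("<II", b.data, 4, 0, size)        # hbin header: bin offset 0, bin size
    base = bytearray(b"regf").ljust(4096, b"\0")
    # seq numbers, timestamp, major/minor version, type, format, root cell, hbins size
    struct.pack_into("<IIQIIIIII", base, 4, 1, 1, 0, 1, 3, 0, 1, root, size)
    struct.pack_into("<I", base, 0x1FC, _checksum(base))
    return bytes(base) + bytes(b.data).ljust(size, b"\0")

def checksum_ok(hive):   # first integrity check to make before trusting a real hive
    return struct.unpack_from("<I", hive, 0x1FC)[0] == _checksum(hive[:4096])

def _cell(hive, off):   # payload of the allocated cell at a hive-bins-relative offset
    size, = struct.unpack_from("<i", hive, HBINS + off)
    if size >= 0:
        raise ValueError(f"cell at {off:#x} is free (size {size})")
    return hive[HBINS + off + 4:HBINS + off - size]

def _subkey_offsets(hive, off):   # expand an lf/lh/li list, or an ri list of lists
    lst = _cell(hive, off)
    sig, n = lst[:2], struct.unpack_from("<H", lst, 2)[0]
    if sig not in (b"lf", b"lh", b"li", b"ri"):
        raise ValueError(f"unknown subkey list signature {sig!r}")
    step = 8 if sig in (b"lf", b"lh") else 4           # lf/lh add a 4-byte hint/hash per entry
    offs = [struct.unpack_from("<I", lst, 4 + step * i)[0] for i in range(n)]
    if sig == b"ri":                                   # indirect: entries point at further lists
        return [o for sub in offs for o in _subkey_offsets(hive, sub)]
    return offs

def parse_hive(hive):
    """Walk the nk tree from the root offset in the base block; return the set of
    key paths (relative to the hive root, exactly as stored on disk)."""
    if hive[:4] != b"regf":
        raise ValueError("not a regf hive")
    if not checksum_ok(hive):
        raise ValueError("base block checksum mismatch (torn or tampered hive)")
    keys, stack = set(), [(struct.unpack_from("<I", hive, 0x24)[0], None)]
    while stack:
        off, parent = stack.pop()
        nk = _cell(hive, off)
        if nk[:2] != b"nk":
            raise ValueError(f"expected nk at {off:#x}, got {nk[:2]!r}")
        # flags at 0x02; subkey count at 0x14, volatile count (skipped) at 0x18, list at 0x1C
        flags, nsub, sublist = struct.unpack_from("<H", nk, 2)[0], *struct.unpack_from("<I4xI", nk, 0x14)
        raw = nk[0x4C:0x4C + struct.unpack_from("<H", nk, 0x48)[0]]
        name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")
        path = "" if parent is None else (parent + "\\" + name).lstrip("\\")   # root -> ""
        keys.add(path)
        stack.extend((c, path) for c in (_subkey_offsets(hive, sublist) if nsub else []))
    keys.discard("")   # the root key itself only anchors the tree
    return keys

def hidden_keys(on_disk, api_view):
    """Keys the hive holds that the API enumeration did not report (case-insensitive).
    Only this direction is evidence: a key in the API view but absent on disk may
    just be volatile or not yet flushed (the Configuration Manager cache problem)."""
    seen = {k.lower() for k in api_view}
    return sorted(k for k in on_disk if k.lower() not in seen)

# Constructed sample: what the disk holds vs. what a (hooked) enumeration returned.
SAMPLE_HIVE = build_hive({"Select": {}, "Services": {"Beep": {}, "HiddenSvc": {}}})
API_VIEW = {"Select", "Services", "Services\\Beep"}   # HiddenSvc filtered out by the hook
print(hidden_keys(parse_hive(SAMPLE_HIVE), API_VIEW))  # ['Services\\HiddenSvc']
```

Two caveats when running this against a real hive: the on-disk file lags the in-memory hive until the Configuration Manager flushes, so a key missing from disk but present in the API is not evidence of anything, and a rootkit that also filters the file system or disk reads (the point Peter raises further down) defeats the comparison unless the hive bytes come from a path the rootkit does not control.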

Open it just as a file from DriverEntry from a system-start driver.

When the registry is fully booted, you cannot do this. This file is opened
monopolistically by CM.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Joanna Rutkowska”
To: “Windows System Software Devs Interest List”
Sent: Sunday, January 23, 2005 2:44 PM
Subject: Re: [ntdev] accessing system32\config\system file…

> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

If you want to access those files you can try direct disk access; it
might work (WinHex, for example). But in your case the registry cache
will be your nightmare.

Regards,
Maxim

----- Original Message -----
From: “Joanna Rutkowska”
To: “Windows System Software Devs Interest List”
Sent: Sunday, January 23, 2005 1:44 PM
Subject: Re: [ntdev] accessing system32\config\system file…

Why do you believe that your ability to access the file directly won’t
also be compromised by the rootkit? Are you merely trying to detect
lazy rootkit developers who choose to hook the kernel registry APIs but
not the I/O system paths?

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Joanna
Rutkowska
Sent: Sunday, January 23, 2005 3:45 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] accessing system32\config\system file…

Would using IoCreateFileSpecifyDeviceObjectHint and specifying the
IO_IGNORE_SHARE_ACCESS_CHECK option help you? It should allow you to open
the file in spite of the sharing state.

Kevin Stearns

Joanna Rutkowska
Sent by: xxxxx@lists.osr.com
01/22/2005 10:34 AM
Please respond to “Windows System Software Devs Interest List”

To: “Windows System Software Devs Interest List”

cc:
Subject: [ntdev] accessing system32\config\system file…

Kevin Stearns wrote:

> Would using IoCreateFileSpecifyDeviceObjectHint and specifying the
> IO_IGNORE_SHARE_ACCESS_CHECK option help you? It should allow you to open
> the file in spite of the sharing state.

do you have any links to the documentation (at least prototype) about
this function? In my old DDK I cannot find this…

thanks,
joanna.