First, what is the registry?

The registry is basically where programs (including the operating system) store information and settings rather than using files for everything. QVR itself makes some registry entries when it runs.

How the registry is laid out

The registry is organized in a fairly simple way. First, there are five "hives":

HKEY_CLASSES_ROOT (HKCR)
HKEY_CURRENT_USER (HKCU)
HKEY_LOCAL_MACHINE (HKLM)
HKEY_USERS (HKU)
HKEY_CURRENT_CONFIG (HKCC)
Those short abbreviations are listed here because either form can be used in definitions. Most of the time you will use the longer versions, but either way works. You'll see them in both forms in other places too, so don't be too shocked.

Each hive contains a number of registry "keys". The most important hives are HKCU and HKLM: this is where the majority of system information is kept, and where the majority of malware changes are made. A registry key can contain other registry keys as well. Think of keys as folders or directories, and registry "values" as files. A value stores one tidbit of information on the system. It is usually used to hold a single setting, and it can be a string, a number, or binary data. Every registry key must contain a default value, which can be totally empty or which might hold information. We'll look at these a little later.

So how do registry definitions work?

Registry definitions are stored in one big ".reg" file called reg-list.reg. This file is automatically merged with the Windows registry whenever QVR runs a scan. There are a few things registry definitions can do:

1. Adding or changing registry value(s)

Registry definitions can add or change registry values like this:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"WallpaperDir"="%SystemRoot%\Web\Wallpaper"

The first line names the key that is going to be used, and the second one sets the value "WallpaperDir" to the desired contents. If you want to change more than one value in a single key, you only need to write the key line once and then list each value change after it:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"WallpaperDir"="%SystemRoot%\Web\Wallpaper"
"ProgramFilesPath"="%ProgramFiles%"

If the key(s) don't already exist, they are created for you.
If you need to set a numeric value, you have to do it like this (dword: means a 32-bit number, written as eight hexadecimal digits):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"TaskbarSizeMove"=dword:00000000

To change a key's default value, use the "@" character in place of the value name:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
@=""

2. Deleting registry value(s)

To delete a specific registry value, the definition looks like this:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"BADBADMALWARE"=-

I know, "=-" looks weird, but that's how it works. If the value doesn't exist, nothing happens.

3. Deleting registry key(s)

To delete an entire registry key, including all keys and values within it, use a definition like this:

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\BADBADMALWARE]

See that little minus sign in front of the key name? That's what you have to remember. If the registry key doesn't exist, nothing happens.

Alright, where do I find this stuff?

As always, ThreatExpert has the answer. Near the bottom of the report for any malware that creates registry entries, there is a section that looks like this:
What you are going to do is copy these entries into the reg-list.reg file, formatting them properly as you go. They are mostly already in the format they need to be in: you just need to reverse the changes. So, for example, if you saw this:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\BADBADMALWARE]
@="{23D44BCF-AA7A-41D6-8905-E808F16322EF}"
"Dnld"="127.0.0.2"

you need to put this in the definitions:

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\BADBADMALWARE]

Or if you see this:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"WallpaperDir"="C:\BADBADMALWARE\EVILWALLPAPER"

Since this is a legitimate registry value that has just been changed, we need to change it back to what it was. You would put this in the definitions:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"WallpaperDir"="%SystemRoot%\Web\Wallpaper"

How do I know what it was initially?

You'll have to use the Registry Editor to find out. Click Start > Run or press Windows+R, type "regedit" and hit Enter. This program shows you the contents of every key and value on the system, and even lets you modify, delete, or add keys and values. Open it, navigate to the correct key and value, and see what the original contents of the value are on your (uninfected) system. For the example above, it will look something like this:

(screenshot of the Registry Editor showing this key and value)

Finally, a note on comments. A definition can look like this:

;Trojan.Agobot.sd5!gen
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"WallpaperDir"="C:\BADBADMALWARE\EVILWALLPAPER"

Anything with a ";" at the front of the line is ignored by QVR, so feel free to use comment lines any time something in the registry definitions needs explaining.
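As an added example (not code from the page or from the QVR project), here is a small Python parser for the definitions syntax described above, together with a helper that turns the entries copied from a malware report into the cleanup definitions the steps above call for: a key the malware created becomes a [-key] line, a changed legitimate value is restored from what regedit shows on a clean machine, and a value the malware added to a legitimate key is removed with =-. The sample report, the clean-system baseline and the "Loader" value are constructed for the example; the hive abbreviation table is standard Windows.

```python
"""Parse the .reg-style syntax of reg-list.reg definitions and build the cleanup
entries that reverse a malware report's registry changes. Added example for this
tutorial, not QVR's own code; the report and baseline below are constructed."""
import re

HIVE_ALIASES = {"HKCR": "HKEY_CLASSES_ROOT", "HKCU": "HKEY_CURRENT_USER",
                "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS",
                "HKCC": "HKEY_CURRENT_CONFIG"}   # short forms definitions accept
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")       # [key] or [-key]
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')     # "name"=data or @=data

def parse_definitions(text):
    """Return (action, key, name, data) tuples; action is 'set', 'delete_value'
    or 'delete_key', name '' is the default value (@), data is str or int."""
    ops, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank lines and comments
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            minus, key = key_match.groups()
            hive, sep, rest = key.partition("\\")  # spell the hive out in full
            current_key = HIVE_ALIASES.get(hive.upper(), hive) + sep + rest
            if minus:                              # [-key] removes the whole key
                ops.append(("delete_key", current_key, "", None))
                current_key = None                 # no values may follow it
            continue
        value_match = VALUE_RE.match(line)
        if not value_match or current_key is None:
            raise ValueError(f"cannot parse line: {raw!r}")
        name, data = value_match.group(1), value_match.group(2).strip()
        name = "" if name == "@" else name[1:-1]
        if data == "-":                            # "name"=- deletes the value
            ops.append(("delete_value", current_key, name, None))
        elif data.lower().startswith("dword:"):    # 32-bit number in hex
            ops.append(("set", current_key, name, int(data[6:], 16)))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            ops.append(("set", current_key, name, data[1:-1]))  # kept verbatim
        else:
            raise ValueError(f"unsupported data on line: {raw!r}")
    return ops

def render(ops, comment=""):
    """Write operations back out in the definitions syntax, grouped by key."""
    lines, last_key = ([";" + comment] if comment else []), None
    for action, key, name, data in ops:
        if action == "delete_key":
            lines.append(f"[-{key}]")
            last_key = None
            continue
        if key != last_key:
            lines.append(f"[{key}]")
            last_key = key
        label = "@" if name == "" else f'"{name}"'
        if action == "delete_value":
            lines.append(f"{label}=-")
        elif isinstance(data, int):
            lines.append(f"{label}=dword:{data:08x}")
        else:
            lines.append(f'{label}="{data}"')
    return "\n".join(lines)

def build_cleanup(report_ops, baseline):
    """Invert a report's 'set' entries; baseline = {legit key: {name: good data}}
    from regedit on a clean machine: unknown keys go whole, values are restored."""
    cleanup = []
    for action, key, name, data in report_ops:
        if action != "set":
            continue
        if key not in baseline:
            if ("delete_key", key, "", None) not in cleanup:  # one [-key] per key
                cleanup.append(("delete_key", key, "", None))
        elif name in baseline[key]:
            if baseline[key][name] != data:
                cleanup.append(("set", key, name, baseline[key][name]))
        else:
            cleanup.append(("delete_value", key, name, None))
    return cleanup

# Constructed report in the page's form; "Loader" is hypothetical, HKLM shows the short form
SAMPLE_REPORT = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\BADBADMALWARE]
@="{23D44BCF-AA7A-41D6-8905-E808F16322EF}"
"Dnld"="127.0.0.2"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"WallpaperDir"="C:\BADBADMALWARE\EVILWALLPAPER"
"Loader"="C:\BADBADMALWARE\l.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"TaskbarSizeMove"=dword:00000001
"""
CLEAN_BASELINE = {   # constructed: what regedit shows for these keys when clean
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion":
        {"WallpaperDir": r"%SystemRoot%\Web\Wallpaper"},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced":
        {"TaskbarSizeMove": 0}}

def cleanup_text():
    ops = parse_definitions(SAMPLE_REPORT)
    return render(build_cleanup(ops, CLEAN_BASELINE), comment="Example.Cleanup")
```

Calling cleanup_text() returns a seven-line definition that deletes the malware's key, restores WallpaperDir, removes the added Loader value and sets TaskbarSizeMove back to 0; that output parses again with parse_definitions, which is a cheap way to check a hand-written reg-list.reg entry for a missing bracket or quote before QVR merges it. Note that regedit's own exported .reg files start with a "Windows Registry Editor Version 5.00" header and double the backslashes inside string data; this parser keeps string data verbatim, as the page's examples write it, so it suits QVR-style definitions rather than arbitrary regedit exports.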
