Commit

Update README.md
katlogic committed Aug 13, 2016
1 parent 9351cb6 commit 17c0656
Showing 1 changed file with 13 additions and 3 deletions.
16 changes: 13 additions & 3 deletions README.md
Expand Up @@ -95,7 +95,7 @@ found at Alex's blog:

### Registry

Windows contains 2 mechanisms to make dealing with registry especially painful:
Windows contains 3 mechanisms to make dealing with registry especially painful:

1. "Hard R/O lock", an undocumented, but publicly exported system call, `NtLockRegistryKey()`. This will
make given key read-only, until next reboot. Worse still, there does not need to be even a process or driver
Expand All @@ -104,6 +104,8 @@ Windows contains 2 mechanisms to make dealing with registry especially painful:
listening to notifications about changes to key value. The listener is either a thread, or kernel-resident
driver. They'll usually silently replace the key back to value they want. No errors are reported, but the key
cannot be edited.
3. Global hooks. These can be installed only by kernel drivers, and hook directly to registry operation calls.
These are not per-key. Originally designed for AV software, but malware has use for it too.

Note that both methods work at run time, they are not permanent permission within the registry.
"Protection" like this, unlike permissions, works only within the currently running session.
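Review bot: the closing sentence `Note that both methods work at run time, they are not permanent permission within the registry.` is now stale: with item 3 added above it, "both" should become "all three methods", and the sentence should say explicitly that the global hooks are also run-time only and vanish on reboot, if that is the case. The new item 3 would also read better if it named the kernel registration API these hooks go through (the text only says "installed only by kernel drivers") so readers can cross-reference it, and if it stated up front that, unlike items 1 and 2, this mechanism is not per-key but applies to every registry operation.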
Expand All @@ -115,15 +117,19 @@ Method 1 example. Parameters `/RD` and `/RE`:
```
> wind64 /RE \Registry\Machine\SYSTEM\CurrentControlSet\Control\Services
```
Will very sternly disallow writing to this subtree - no new services can be installed. There does not exist permission to disable this setting (except via `/RD` command), and almost nothing can override it - not even internal kernel APIs.
Will very sternly disallow writing to this subtree - no new services can be installed. There does
not exist permission to disable this setting (except via `/RD` command), and almost nothing can
override it - not even internal kernel APIs.

`/RD` and `/RE` can be issued on any key.

Method 2 example. Parameters `/ND` and `/NE`
```
> wind64 /ND \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows
```
Will disable notifications on this subtree (which contains frequently hijacked autorun, `AppInit_DLLs`). Now you can edit it back to value you want, without something mysterious forcing it back. Finally, you can even protect it with `/RE`.
Will disable notifications on this subtree (which contains frequently hijacked autorun, `AppInit_DLLs`).
Now you can edit it back to value you want, without something mysterious forcing it back. Finally, you
can even protect it with `/RE`.

Note that `/NE` can be issued only on key with notifications previously disabled via `/ND`

Expand All @@ -132,6 +138,10 @@ All registry paths are NT, not the usualy Win32 ones:
`\HKLM\` becomes `\Registry\Machine\`
`\HKCU\` becomes `\Registry\User\`

Method 3 uses parameters `/CD` and `/CE`. There is no registry path to specify (that is specific
to the driver which registered the callback), so we can simply disable and re-enable again all
hooks present.

### Bugs

The tool depends on many undocumented windows internals, as such, may break
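Review bot: the new paragraph on `/CD` should state the consequence of "disable … all hooks present": since the hunk above says these hooks were "Originally designed for AV software", `/CD` also switches off any legitimate security product's registry monitoring system-wide, not just the malware's, until `/CE` is run, and readers should expect that. It should also say whether `/CE` can only follow a prior `/CD` (the way `/NE` is documented to require `/ND` above), and whether it restores every hook that was present. Minor: "disable and re-enable again" is redundant; "disable and later re-enable" reads cleaner.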
