Jump to content











Photo
- - - - -

NativeRegMod


  • Please log in to reply
17 replies to this topic

#1 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 12 September 2013 - 09:57 PM

Posted Image

File Name: NativeRegMod
File Submitter: joakim
File Submitted: 12 Sep 2013
File Updated: 13 Sep 2013
File Category: Miscellaneous

This is basically a native application that can modify the registry during the early boot stage.

So what's a native application?
An excellent description can be found by Mark at Sysinternals; http://technet.micro...s/bb897447.aspx
In short it is an application you can configure to run before the Win32 subsystem is loaded, similar to autochk,exe. What this means is that we can halt the Windows boot while in native mode (NT) and do whatever we programmed our native app to do. To give an idea of roughly when this occurs during boot, it is right after the system thread has finished phase 1 (executive and kernel initialization considered complete), and the session manager (smss.exe) has been started. In fact, it is smss.exe that starts configured native applications. It does so by reading the registry key: HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\BootExecute. However at this stage, no other registry hives than then SYSTEM have been loaded (and obviously that is what this application can modify), and only 2 processes are running (system and smss). Csrss comes into play later when the subsystem is loaded. For this reason, a native application can not use the Windows API (kernel32.dll etc), but must use the NT API (ntdll.dll). So it has some similarity to kernel mode coding, though the native apps are actually running in user mode, almost right after user mode has been created. But since it is compiled with subsystem=native, it will not be possible to run it like other exe's (when win32 subsystem is loaded). To speed up the testing of such an application it is therefore an advantage to compile a win32 equivalent to execute directly within Windows.

What operations are supported?
  • Modify existing Value's data or type
  • Create new value
  • Create new key
  • Delete value
  • Delete key
How to configure OS
The application file must be located within the \Windows\System32 folder. And the relevant registry key are:
Posted Image

The included reg file will import the correct setting, as shown in the above image.

Configuration of application
It will search in the root of all volumes for a file name NativeRegMod.config. The config file must have 1 configuration/modification per line (new line), and all settings must be comma separated. Currently 3 reg types are supported: REG_SZ, REG_DWORD and REG_BINARY. Due to the comma as separator, any key/value name must not have comma in it. The structure of this file is:
NativeRegKeyPath,ValueName,RegType,Data,
NativeRegKeyPath2,ValueName2,RegType2,Data2,
Some important rules to follow regarding the config:
Assumptions:
  • New line feed for each registry key.
  • Strings separated by comma. Therefore every setting must end with a comma, even the last one on each line.
  • No setting must have comma in its value.
  • The configuration file is expected to found at the root of a volume, and must be named NativeRegMod.config.
  • Registry type must be either REG_SZ, REG_DWORD or REG_BINARY.
  • Value of REG_DWORD must be specified in decimal.
  • Value of REG_BINARY must be a sequence of hexvalues without "0x" or "\x" prefix and without spaces. Hexvalues (A-F) must be in capitals (for instance A not a).
  • When deleting a key or value put "DELETE" as reg type.
Sample configuration:
\Registry\Machine\SYSTEM\Setup\NewKey1,,,,
\Registry\Machine\SYSTEM\Setup\NewKey1\NewKey2,test_sz,REG_SZ,something,
\Registry\Machine\SYSTEM\Setup,test_dword,REG_DWORD,10,
\Registry\Machine\SYSTEM\Setup,test_binary,REG_BINARY,00112233445566778899AABBCCDDEEFF,
\Registry\Machine\SYSTEM\Setup\OldKey,,DELETE,,
\Registry\Machine\SYSTEM\Setup\OldKey2,OldValueName,DELETE,,
Explanation per line:
  • Creating the key "NewKey1" at \Registry\Machine\SYSTEM\Setup
  • Create the key "NewKey2" under the key created in first line. Then create a value "test_sz" of type REG_SZ with the data "something".
  • Update the data of an existing REG_DWORD value with name "test_dword" with the new data of decimal 10.
  • Update the data of an existing REG_BINARY value with name "test_binary" with the new data of "00112233445566778899AABBCCDDEEFF".
  • Delete the key \Registry\Machine\SYSTEM\Setup\OldKey
  • Delete the value named "OldValueName" under the key \Registry\Machine\SYSTEM\Setup\OldKey2
If the reg value does not exist, it will be created. However if a key does not exist, the function fails.

Warning
The error checking is far from perfect, and the input evaluation is limited. It is expected to be correct. It should not be regarded as a safe C implementation. However from all my tests, the worst thing that have happened, is that the application crash and Windows continue booting fine. Of course if you are modifying system critical registry parts, then chances are good that you may mess up the system. And actually, that is the kind of use the application was made for. So, ideally you would be testing with it in a virtual machine where you have snapshots to revert.

What can it be used for?
That's up to you to figure out. However if you are still reading and find it interesting, you likely will come up with something.

Target OS
Should really run on any modern Windows version and architecture. Has been tested on:
  • XP SP2 32-bit
  • Windows 7 SP1 32-bit
  • Windows 7 SP1 64-bit
Even though there exist compiled versions for both 32 and 64-bit, the 32-bit also works on 64-bit as long as WoW64 is present (default except for standard WinPE).
ToDo
  • Add support for more registry types.
  • Figure out how to pass on parameter from registry.

Click here to download this file
  • dencorso and erwan.l like this

#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 13 September 2013 - 08:09 AM

Nice! :)

 

:cheers:

Wonko



#3 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 13 September 2013 - 08:41 PM

Updated it and added support for deleting keys and values, as well as creating new keys/values. Also fixed a bug with memory cleanup (caused subsequent REG_SZ of varying length to corrupt next value.

 

Works on 32 and 64-bit, but the 64-bit version is strictly only required when WoW64 is not available (as with standard WinPE). Think it also works on Windows 8, but have not been tested there.

 

The source will be released too, when cleaned up. Besides that, compiling this in VS2012, likely deserves a tutorial on its own. And actually I also had to manually modify the final exe in a PE-editor to make it work.



#4 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 13 September 2013 - 09:34 PM

Hi Joakim,

 

Excellent.

I sure can see applications for this !

 

Side question : under which account does it run? System I guess?

Does it mean it bypasses ACL in the registry?

Regards,

Erwan



#5 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 13 September 2013 - 09:55 PM

Thinking out loud : on the same idea (native api), a "ntfilemod" could be interesting using the NtxxxFile api's ?

Could be handy to manipulate some file with sensitive ACL's ?

 

Also, a "ntdrivermod" to load driver/services at early stage using NtSetSystemInformation or NtLoadDriver ?

/Erwan



#6 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 13 September 2013 - 10:44 PM

Hi Erwan

 

Definetely running as system. The OS has barely any knowledge of sessions and useraccounts at this stage. So yes, I guess unlimited access to registry.

 

Sure, file and process hacks would be cool to implement in a separate app. Here's the sources I have been studying;

http://www.codeproje...n32-User-Land-t

http://www.codeproje...ssion-Manager-S

 

Any particular hack you had in mind?



#7 dencorso

dencorso

    Frequent Member

  • Advanced user
  • 142 posts
  •  
    Brazil

Posted 14 September 2013 - 07:10 AM

Wonderful work, joakim!  :thumbup:

 

I imagine you may also be aware of the Native Shell, an evolution, created by amdf, of the famous TinyKRNL Project's shell, but I'm mentioning it here just in case, since that's related material, too, after all.



#8 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 14 September 2013 - 09:01 AM

Wonderful work, joakim!  :thumbup:

 

I imagine you may also be aware of the Native Shell, an evolution, created by amdf, of the famous TinyKRNL Project's shell, but I'm mentioning it here just in case, since that's related material, too, after all.

If you are into this, then probably the Alex Ionescu's native nt toolkit:

http://reboot.pro/to...ive-nt-toolkit/

http://code.google.c...ive-nt-toolkit/

may be of use for *something*.

The actual original idea by Alex:

 


....
2) Provide a *single* and *correct* set of headers for *all* community members who need access to Native API. Too many people get it wrong, or get it right but had to spend 2 months duplicating effort that someone may already have been made.
.....

I strongly urge and recommend anyone writing native applications to use the NDK instead of their own header files and please let me know any issues you encounter. As far as naming and structure format goes, the ones in the NDK are the official Microsoft-internal names (which were obtained either from symbols or strings inside binaries) --not guesses. So they supercede information found on other websites, if contradictory (of course, if you have a really good argument against a field name, feel free to drop me a note -- everyone makes mistakes).

.....

seems to me like "sound", as I have seen a lot of "guesses" when it comes to native apps.

 

:cheers:

Wonko



#9 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 14 September 2013 - 12:03 PM

The Native Shell and NDK is also nice resources for the topic of native application. However I did not use it for this tool. In that sense, it's a bit of a shame since I've likely re-invented some of the native wheels, in a not so elegant way as Alex have. :)

 

Anyways, trying to solve the "detect commandline passed from registry" challenge. Will take a new look at those projects to see if it is already solved there. If not, I still have a good clue, just need to solve it in C..



#10 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 14 September 2013 - 12:04 PM

Native Shell does not implement registry native apis.

NativeRegMod comes in handy then.

I believe NativeRegMod can be executed from NativeShell (being a native app).

 

/erwan



#11 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 14 September 2013 - 12:13 PM

Native Shell does not implement registry native apis.

NativeRegMod comes in handy then.

If I believe NativeRegMod can be executed from NativeShell (being a native app).

 

/erwan

Yes it fills in some missing stuff in the Native Shell. I think it can be started directly from within Native Shell too, since both are native apps. If not you can still configure them run after each other by adding entries in the registry at BootExecute. I am not aware of any restriction there.



#12 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 14 September 2013 - 01:09 PM

As I see it, and *ideally* someone could (maybe) see if there is something in the mentioned tools/libraries/docs/whatever, as well as in the NCLI/Winroot thingy here:
http://www.betaarchi...php?f=39&t=2772
http://www.boot-land...wtopic=3537&hl=

and in the Native Regedit:
http://reboot.pro/to...egistry-editor/

And *somehow* build something a little beyond the "POC" level, particularly as a "building environment" as - as Joakim just reported - it seems to be particularly difficult to actually compile anything working in "native" mode.

Still (nth attempt to draw attention of good programmers to this :ph34r:) a minlogon replacement would allow to have a real NTCLI (or XPCLI, 7CLI, etc.) i.e. what I see as a good replacement for the Recovery Console and for most PE's when it comes to small mods/repairs):

http://reboot.pro/to...screen-of-life/

 

:cheers:

Wonko



#13 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 14 September 2013 - 01:40 PM

Thinking about possible applications.

 

Usb Boot : you need to patch the registry for windows xp and 7 sp0 so that the usb drivers are set to start on boot.

You can do it once but then takes the risk that these keys get modified back to original settings or you can install a service that will constantly watch these keys and fix it (usbbootwatcher).

 

What if I use NativeRegMod to patch my registry keys at boot time?

If this is too late in the booting stages or would this work?

 

/Erwan



#14 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 14 September 2013 - 01:47 PM

Today, I have a native app offering me to defrag some system files before windows actually gets into the user mode.

I have 5 secs to choose whether I want to perform this action or continue with the booting process.

 

Would be nice to have such a choice with a shell as well : boot to a native cli or not, and once done with my native cli, either get back into windows (not sure this is possible) or simply reboot.

 

From the cli, I could then edit my registry hives (system but also others like sam, software, ...), delete/copy/move files, patch files, ...

 

All this under the system context :)

 

/Erwan



#15 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 14 September 2013 - 02:09 PM

It needs to be explored a bit more I think. Regarding usb boot, I think it may be too late in the boot process, but testing may be required to conclude.

 

Regarding native cli, you sure can access it and then continue booting into the win32 subsystem of Windows. Having an option to reboot I think already is there, or else could probably be added with little effort.

 

About registry modification, we have certain restrictions, to what hives actually are loaded and available at the time of NT mode. It is only SYSTEM and HARDWARE, which means SAM, SOFTWARE and the rest are not yet loaded. Though I guess we can load them, modify and then unload them..



#16 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 14 September 2013 - 10:33 PM

So it took a little bit of work to retrieve the parameter passed. And certainly not as easy as in autoit (a couple of lines of code).

 

First NtQuerySystemInformation to scan processen and retrieve PID.

Then NtOpenProcess to get handle.

Then NtQueryInformationProcess to get PebBaseAddress.

Then NtReadVirtualMemory to get PEB.

Then NtReadVirtualMemory to get process parameters.

Then NtReadVirtualMemory to get CommandLine

Then NtReadVirtualMemory to get ImagePathName

And finally a few memory operations later retrieved the actual parameter passed.

 

Uhh, this is life in native mode.



#17 agni

agni

    Frequent Member

  • Tutorial Writer
  • 270 posts
  • Location:Bengaluru (Bangalore)
  •  
    India

Posted 25 January 2017 - 07:30 PM

After a bit of tinkering around, I managed to get NativeRegMod to build and compile.

 

I have forked joakim's github project and updated the Build Instructions with the necessary code changes. Also fixed a few bugs.

 

https://github.com/b...re/NativeRegMod

 

The code can be built using WDK 7 - https://www.microsof....aspx?id=11800 


  • Brito likes this

#18 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 26 January 2017 - 07:03 PM

@agni

Thanks for taking the time to document build instructions :)






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users