Jump to content











Photo
- - - - -

SetRegTime

forensic timestamp registry

  • Please log in to reply
4 replies to this topic

#1 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 08 August 2012 - 11:03 PM

Posted Image

File Name: SetRegTime
File Submitter: joakim
File Submitted: 08 Aug 2012
File Updated: 30 Aug 2012
File Category: Security

This is a small utility providing only 1 feature. And that is to manipulate registry key's timestamp (LastWriteTime). I could not find much information about this, and some places it is clamed to not be possible. So I decided to make a Proof of Concept.

The LastWriteTime timstamps that every registry key has, is similar to NTFS timestamps. They are 64-bit in UTC and counted in 100 nanosec since 01 January 1601. There does not exist such timestamp for registry values, only for keys. The tool will let you set any timestamp within the whole 64-bit range. It takes immediate effect, as the key is flushed to disk instantly. Since it uses native NT apis in ntdll.dll, it does not work with user friendly registry names like HKEY_LOCAL_MACHINE, HKCU etc. It uwill only take the Windows internal registry names, those starting with \Registry\...

Below is a listing of the most important translations:

HKEY_LOCAL_MACHINE			 \registry\machine

HKEY_USERS					 \registry\user

HKEY_CURRENT_USER			 \registry\user\user_sid

HKEY_CLASSES_ROOT			 \registry\machine\software\classes

HKEY_CURRENT_CONFIG			\Registry\Machine\System\CurrentControlSet\Hardware Profiles\Current


The user sid is the one similar to this: S-1-5-21-2895024241-3518395705-1366494917-288

Syntax is:
SetRegTime.exe RegPath timestamp switch

-RegPath is a path similar to the ones listed above.
-Timestamp is in the format YYYY:MM:DD:HH:MM:SS:MSMSMS:NSNSNSNS
-Switch can be "-s" for recursive mode, or "-n" for singel key

Some real world command examples:

Reading timestamp:

SetRegTime_x64.exe "\Registry\Machine\Software\test"



Writing timestamp recursively:

SetRegTime_x64.exe "\Registry\Machine\Software" "1743:04:01:00:00:00:000:0000" -s



Writing timestamps on singel keys:

SetRegTime_x64.exe "\Registry\Machine\System\mounteddevices" "1976:04:01:00:00:00:000:0000" -n

SetRegTime_x64.exe "\Registry\Machine\Security\policy\polacdms" "1944:12:24:00:00:00:000:0000" -n


Some images to lighten up this dry material:
Posted Image
Posted Image

Posted Image

Posted Image

Posted Image


Posted Image

Notice how the modifications look like in the output from RegRipper.


Now usually you will not get access to the security hive just like that, so instead we launch a process from the local system account, and then we have full access. A sample program for launching cmd from the system account can be found in the download for this app. Not very surprising that we can do almost anything when we are SYSTEM. And while at it, since many keys are protected by the TrustedInstaller, which requires a little workaround. For instance you can run the process with the privileges/token of the TrustedInstaller. Have a look at my RunFromToken utility..

Setting the timestamps way off, like for instance outside the range for unix time, may prevent certain tools from decoding the true timestamp. Other tools may only decode timestamps correctly when they are within a certain range, because they where coded so. In these cases, extreme timestamps like 1766 or 2387, may not be decoded/displayed.

What important winapi are utilized?
  • NtCreateKey
  • NtOpenKey
  • NtSetInformationKey
  • NtFlushKey
  • NtQueryKey
  • NtEnumerateKey
This was tested on Windows 7 SP1 x64, but I really don't see any reason why it should not work on previous Windows versions.

Note:
When querying the current timestamp, you may in certain cases get confused by the name of the key returned. But don't worry, it is just the system internal name of the key, as given by the configuration manager. That means for \Registry\Machine\software you may get a name called something like this: CMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}

Click here to download this file

#2 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12701 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 09 August 2012 - 10:16 AM

A great explorer and developer work!

Did you do that only academically to confirm that this is possible?
Or can you give an example for a practical use?

Seen the subforum title, used in AV themes?

Peter

#3 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 09 August 2012 - 05:14 PM

As stated, it is a PoC. There is no other practical use than what the above images may reveal. It can only do 1 thing and that is to set the LastWriteTime timstamp of any registry key. Most people probably did not even know those timestamps existed, now it's also proven how to modify them.

But maybe more interesting and related to practical use as you request, is the fact that these native functions in ntdll.dll is much more powerfull than the ones normally used (for instance advapi32.dll for registry functions). For instance the issue with illegal key names can be dealt with if using this set of Nt* registry functions in ntdll.dll.

#4 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12701 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 09 August 2012 - 05:22 PM

Thanks, Joakim, for the explanation!

I'll try to remember this, when I found new development questions which touches this theme!.

Peter :cheers:

#5 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 28 August 2012 - 09:12 PM

Added recursive option which will make it possible to modify almost the complete registry.

Quite a few keys are protected by TrustedInstaller. To overcome this you can use RunasSystem and RunFromToken in the same download section for this tool. And seriously, those may actually be worth its own topic. To sysadmins and hardcore users, it may be extremely handy to have a command prompt available that can run with all the power that TrustedInstaller has (duplicated token). They work on Vista and later :)

Regarding the registry, when performing timestamp manipulation recursively, it takes about half a minute to process the SOFTWARE hive on my Windows 7 x64.

The tool has also been given some attention in the forensic community lately; http://windowsir.blo...setregtime.html





Also tagged with one or more of these keywords: forensic, timestamp, registry

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users