NativeReg


41 replies to this topic

#1 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 15 January 2017 - 05:30 PM


Hi,

Following a discussion initiated here, I decided to give a go to a native windows application that would modify the registry in the early stage of the booting process.

A native app is an app that will be launched as soon as the kernel initialization is completed.

 

It will be launched (in user mode) by the session manager (smss.exe) through the registry key HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\BootExecute (run at every boot) or HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\setupexecute (run once only).

 

A native app can only use NT API functions (ntdll.dll) and not the Windows API functions.

The challenges for a developer:
-Compile the binary with subsystem = native
-Retrieve the command line
-Parse the command line in unicode/pointer world
-Code without the "nice and easy" windows API's

While doing some mad googling to address the above challenges, I ended up on a post on reboot.pro (all roads lead to reboot.pro) where I realised Joakim had already done a great job.

Anyway, I'll post my work here (binary and source code in delphi).
Joakim's tool relies on a file when mine takes parameters on the command line but apart from that they do pretty much the same.
Mine is still early alpha but I might add more command line switches in the future to bring more features (handle files, etc ...).

I also was greatly inspired by this (italian) article here.

Possible usages :

nativereg createkey \Registry\Machine\SYSTEM\Setup key1
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test1 toto REG_SZ
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test2 112233AABBCC REG_BINARY
nativereg createvalue \Registry\Machine\SYSTEM\Setup\key1 test3 666 REG_DWORD
nativereg deletevalue \Registry\Machine\SYSTEM\Setup\key1 test1
nativereg deletekey \Registry\Machine\SYSTEM\Setup\key1

The tool is 32 bits (a 64 bits may come later).
It should be working on XP and up.

Regards,
Erwan

Attached Files


  • Brito, pscEx, joakim and 2 others like this
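The first post lists the command lines the tool accepts but not what each argument becomes once it reaches the hive. The following Python is an added example written for this thread, not erwan.l's Delphi source: it parses those command lines and encodes the value data the way the registry stores it (REG_SZ as NUL-terminated UTF-16LE, REG_DWORD as four little-endian bytes, REG_BINARY from the hex string). Two assumptions are mine: the REG_DWORD argument `666` is read as decimal unless prefixed `0x`, and a Win32 hive prefix such as `HKLM\` is accepted and translated to the `\Registry\Machine\` object-manager path (the tool itself takes the NT form only). The 512-byte cap on binary data comes from post #24 in this thread.

```python
"""Encode nativereg-style commands the way the registry stores the data.
Constructed example for this thread; it is not erwan.l's Delphi code."""
import struct
from dataclasses import dataclass
from typing import Optional

# Win32 hive names -> NT object-manager registry paths (the syntax the NT API expects).
# The mapping is an addition for convenience; the tool itself takes NT paths only.
HIVE_TO_NT = {
    "HKLM": "\\Registry\\Machine",
    "HKEY_LOCAL_MACHINE": "\\Registry\\Machine",
    "HKU": "\\Registry\\User",
    "HKEY_USERS": "\\Registry\\User",
}

MAX_BINARY = 512  # post #24 states v0.3 caps REG_BINARY data at 512 bytes; enforced here too


@dataclass
class RegOp:
    verb: str                      # createkey / createvalue / deletevalue / deletekey
    key: str                       # NT-style path, e.g. \Registry\Machine\SYSTEM\Setup\key1
    value: Optional[str] = None    # value name, for the *value verbs
    vtype: Optional[str] = None    # REG_SZ / REG_BINARY / REG_DWORD
    data: Optional[bytes] = None   # bytes exactly as they would be written to the hive


def to_nt_path(path: str) -> str:
    """Return an NT registry path; accept either the NT form or a Win32 hive prefix."""
    if path.startswith("\\Registry\\"):
        return path
    hive, _, rest = path.partition("\\")
    nt = HIVE_TO_NT.get(hive.upper())
    if nt is None:
        raise ValueError(f"unsupported registry root in {path!r}")
    return nt + ("\\" + rest if rest else "")


def encode_data(vtype: str, text: str) -> bytes:
    """Turn the textual argument into the on-disk representation of that value type."""
    if vtype == "REG_SZ":
        return (text + "\0").encode("utf-16-le")             # NUL-terminated UTF-16LE
    if vtype == "REG_DWORD":
        number = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
        return struct.pack("<I", number)                      # 4 bytes, little-endian
    if vtype == "REG_BINARY":
        data = bytes.fromhex(text)                            # "112233AABBCC" -> 6 bytes
        if len(data) > MAX_BINARY:
            raise ValueError(f"REG_BINARY data is {len(data)} bytes, limit is {MAX_BINARY}")
        return data
    raise ValueError(f"unsupported value type {vtype!r}")


def parse_nativereg(argv: list[str]) -> RegOp:
    """Parse one command line as listed in the first post (without the program name)."""
    verb = argv[0].lower()
    if verb == "createkey" and len(argv) == 3:     # createkey <parent> <name>
        return RegOp(verb, to_nt_path(argv[1]) + "\\" + argv[2])
    if verb == "deletekey" and len(argv) == 2:     # deletekey <key>
        return RegOp(verb, to_nt_path(argv[1]))
    if verb == "deletevalue" and len(argv) == 3:   # deletevalue <key> <name>
        return RegOp(verb, to_nt_path(argv[1]), value=argv[2])
    if verb == "createvalue" and len(argv) == 5:   # createvalue <key> <name> <data> <type>
        _, key, name, text, vtype = argv
        return RegOp(verb, to_nt_path(key), name, vtype, encode_data(vtype, text))
    raise ValueError(f"bad command line: {' '.join(argv)!r}")


if __name__ == "__main__":
    for line in (
        r"createvalue \Registry\Machine\SYSTEM\Setup\key1 test3 666 REG_DWORD",
        r"createvalue HKLM\SYSTEM\Setup\key1 test2 112233AABBCC REG_BINARY",
    ):
        op = parse_nativereg(line.split())
        print(op.verb, op.key, op.value, op.vtype, op.data.hex() if op.data else "")
```

The split into `to_nt_path` and `encode_data` mirrors the two things a native app cannot get from the Win32 layer: the object-manager naming (`\Registry\Machine` rather than `HKLM`) and the raw data layout that `NtSetValueKey` takes as a buffer plus length.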

#2 agni

agni

    Frequent Member

  • Tutorial Writer
  • 270 posts
  • Location:Bengaluru (Bangalore)
  •  
    India

Posted 16 January 2017 - 06:22 PM

Thanks. Looks very promising. What are the differences between your tool and Joakim's tool?

 

I am a bit busy. I'll try the tool next week and give you my feedback.



#3 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 16 January 2017 - 06:30 PM

Hi Agni,

 

Not much difference between Joakim's and my version.

 

My version takes parameters (which key/value to add/remove) from the command line.

Joakim's version uses a flat file to read parameters.

 

Mine is written in delphi, Joakim's in CPP (not sure the average user will care although source code is provided).

 

I will probably update my version, not sure what are Joakim's plans.

 

Regards,

Erwan



#4 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 17 January 2017 - 11:35 PM

Cool to see someone else messing with those things too, as well as finding something real to use it for. My tool will likely not be updated, unless I find a really good reason to. I remember that I tested with parameters, but I had some issues with that back then. Anyways, good job Erwan!



#5 dencorso

dencorso

    Frequent Member

  • Advanced user
  • 142 posts
  •  
    Brazil

Posted 18 January 2017 - 02:32 AM

"\Registry\Machine\SYSTEM\Setup\key2" is a general form. If I'm intending to change the registry of the current machine can I omit them and use just "\SYSTEM\Setup\key2" or, if not, which value should "Registry" and "Machine" assume exactly? I presume "Machine" can be taken from My Computer ==> Properties ==> System Properties ==> Computer Name, but whence do I get the value for "Registry"? :dubbio:



#6 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 18 January 2017 - 06:34 PM

"\Registry\Machine\SYSTEM\Setup\key2" is a general form. If I'm intending to change the registry of the current machine can I omit them and use just "\SYSTEM\Setup\key2" or, if not, which value should "Registry" and "Machine" assume exactly? I presume "Machine" can be taken from My Computer ==> Properties ==> System Properties ==> Computer Name, but whence do I get the value for "Registry"? :dubbio:

 

When using native registry API's, you have to use this syntax.

 

Also beware that only the system hive is loaded at this point although it may be possible to load other hives (did not explore that yet).

 

\Registry\Machine\SYSTEM = HKLM\SYSTEM.

 

Regards,

Erwan


  • dencorso likes this

#7 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 18 January 2017 - 06:37 PM

Cool to see someone else messing with those things too, as well as finding something real to use it for. My tool will likely not be updated, unless I find a really good reason to. I remember that I tested with parameters, but I had some issues with that back then. Anyways, good job Erwan!

 

Thx for your feedback Joakim, appreciated :)

 

"Messing" is definitely the right word : coding in native world is a PITA !

 

About command line arguments, the trick was to change the ntprocessstartup signature.

From: procedure NtProcessStartup( Argument: PSTARTUP_ARGUMENT ); stdcall;
To: procedure NtProcessStartup( Peb: PPeb32 ); stdcall;
Took me some mad googling to find this one.


#8 dencorso

dencorso

    Frequent Member

  • Advanced user
  • 142 posts
  •  
    Brazil

Posted 18 January 2017 - 07:33 PM

When using native registry API's, you have to use this syntax.


\Registry\Machine\SYSTEM = HKLM\SYSTEM.

Thanks for your swift reply and for the nice tool! You rock!
Your tool provides another, easier, way to revert the XP POSReady trick, if it ever turns out to be required.
Your tool is also the ideal companion for MS Srdelayed.exe (a little known native tool to manipulate files and directories), which is included in Win 7 and its server counterpart, as well as later Windows releases (so it's easily available, but rarely mentioned).
Just for the record srdelayed.exe x86 v. 6.1.7600.16385 (win7_rtm.090713-1255) is 14,848 bytes long, and has CRC32: 7DCBA10D and  MD5: 89370EEE7ADD53E05DF47F9F9D2B4EE8.
BTW, it seems the people at MS did not solve the problem of the command line arguments as well as you did! Congrats!

 



#9 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 18 January 2017 - 07:52 PM

Just for the record srdelayed.exe x86 v. 6.1.7600.16385 (win7_rtm.090713-1255) is 14,848 bytes long, and has CRC32: 7DCBA10D and  MD5: 89370EEE7ADD53E05DF47F9F9D2B4EE8.
BTW, it seems the people at MS did not solve the problem of the command line arguments as well as you did! Congrats!

And a good question :unsure: could be :
Does that tool work (possibly with some small modification such as Major/Minor version in the PE header) on XP also?

:dubbio:

Provided that it is very small, operates at a very low level early stage ;) and all, maybe it could open a number of possibilities (together with erwan.l's new Registry tool).

:duff:
Wonko



#10 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 18 January 2017 - 07:53 PM

Thanks for your swift reply and for the nice tool! You rock!
Your tool provides another, easier, way to revert the XP POSReady trick, if it ever turns out to be required.
Your tool is also the ideal companion for MS Srdelayed.exe (a little known native tool to manipulate files and directories), which is included in Win 7 and its server counterpart, as well as later Windows releases (so it's easily available, but rarely mentioned).
Just for the record srdelayed.exe x86 v. 6.1.7600.16385 (win7_rtm.090713-1255) is 14,848 bytes long, and has CRC32: 7DCBA10D and  MD5: 89370EEE7ADD53E05DF47F9F9D2B4EE8.
BTW, it seems the people at MS did not solve the problem of the command line arguments as well as you did! Congrats!

 

 

Interesting MS tool, thx for that !

The setupexecute is also an interesting key : a sort of runonce (at next reboot) in native mode whereas bootexecute will be run at each reboot.

 

I am also looking for examples where nativereg could come handy.
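Both execute lists mentioned above are REG_MULTI_SZ values under the Session Manager key (on a live system the key name carries a space: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`), and whatever they name is launched by smss.exe before any service or security agent is up. That makes them worth auditing. The Python below is an added example written for this thread, not code from the tool: it decodes the raw REG_MULTI_SZ bytes and reports any entry that is not the stock `autocheck autochk *` line (BootExecute) or not empty (SetupExecute). The sample bytes are constructed here and include a nativereg command line from the first post to show what a non-stock entry looks like.

```python
"""Audit the Session Manager BootExecute / SetupExecute lists from raw
REG_MULTI_SZ bytes. Constructed example for this thread, not the tool's code."""

# Stock content on a clean install: BootExecute holds the autochk entry only,
# SetupExecute is normally absent or empty.
EXPECTED = {
    "BootExecute": {"autocheck autochk *"},
    "SetupExecute": set(),
}


def decode_multi_sz(raw: bytes) -> list[str]:
    """REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, the list closed by an extra NUL."""
    entries = raw.decode("utf-16-le").split("\0")
    while entries and entries[-1] == "":   # drop the empties produced by the terminating NULs
        entries.pop()
    return entries


def audit(value_name: str, raw: bytes) -> list[str]:
    """Return every entry that is not stock for that value. Each one is a native
    image smss.exe runs before services, and therefore before any security agent."""
    if value_name not in EXPECTED:
        raise ValueError(f"not a Session Manager execute list: {value_name!r}")
    return [e for e in decode_multi_sz(raw) if e.strip() not in EXPECTED[value_name]]


# Constructed sample: the stock entry followed by a nativereg line as in the first post.
SAMPLE_BOOTEXECUTE = (
    "autocheck autochk *\0"
    "nativereg createvalue \\Registry\\Machine\\SYSTEM\\Setup\\key1 test3 666 REG_DWORD\0"
    "\0"
).encode("utf-16-le")
SAMPLE_SETUPEXECUTE = b""   # value absent: nothing is scheduled to run once at next boot


if __name__ == "__main__":
    for name, raw in (("BootExecute", SAMPLE_BOOTEXECUTE), ("SetupExecute", SAMPLE_SETUPEXECUTE)):
        extra = audit(name, raw)
        print(f"{name}: {len(extra)} non-stock entr{'y' if len(extra) == 1 else 'ies'}")
        for entry in extra:
            print("   ", entry)
```

To use this against a real machine, export the two values as raw bytes (reg.exe or PowerShell can read them) and feed them to `audit`; check every ControlSet00x, not only CurrentControlSet, because an entry placed in a non-current set becomes live on the next boot that selects it. A SetupExecute entry is the easier of the two to miss since it removes itself after running once.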



#11 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 18 January 2017 - 07:55 PM

And a good question :unsure: could be :
Does that tool work (possibly with some small modification such as Major/Minor version in the PE header) on XP also?

:dubbio:

Provided that it is very small, operates at a very low level early stage ;) and all, maybe it could open a number of possibilities (together with erwan.l's new Registry tool).

:duff:
Wonko

 

The main function in native world, i.e. NtProcessStartup, has a different signature between XP and Vista (and up), so one would probably need to compile 2 different versions.

 

I was planning (mid term future) on building a native tool to deal with files as well, all on the command line with commands such as move/delete/copy/rename, etc ...



#12 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 18 January 2017 - 08:12 PM

The main function in native world i.e NtProcessStartup has a different signature between xp and vista (and up) so one would probably need to compile 2 different versions.
 
I was planning (mid term future) on building a native tool to deal with files as well, all on the command line with commands such as move/delete/copy/rename, etc ...

I assumed that your nativereg tool worked on *any* NT (at least XP, and possibly also 2K), isn't this the case? :dubbio:
If it isn't, yes, then "custom" versions for each major OS version are needed. And/or AT THE VERY LEAST which version(s) your current tool works on should be made explicit in the first post.
You know *like*:

Target OS
Should really run on any modern Windows version and architecture. Has been tested on:

  • XP SP2 32-bit
  • Windows 7 SP1 32-bit
  • Windows 7 SP1 64-bit
Even though there exist compiled versions for both 32 and 64-bit, the 32-bit also works on 64-bit as long as WoW64 is present (default except for standard WinPE).

 
Or are you saying that your tool will work but the Srdelayed.exe won't? :unsure:
 
:duff:
Wonko

#13 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 18 January 2017 - 08:17 PM

If I remember correctly, I solved that by manually modifying the PE header after compile and setting major/minor versions to 5/1. But I could have been doing stupid things and incorrectly. Or I had other issues with my tool.



#14 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 18 January 2017 - 08:18 PM

I assumed that your nativereg tool worked on *any* NT (at least XP, and possibly also 2K), isn't this the case? :dubbio:
If it isn't, yes, then "custom" version for each major OS versions are needed. And/or AT THE VERY LEAST which version(s) your current tool works on should be explicited in the first post.
You know *like*:
 
Or are you saying that your tool will work but the Srdelayed.exe won't? :unsure:
 
:duff:
Wonko

 

Good point : I have updated the first post.

 

Reading the MS article, since they mention W2K8, I would be tempted to say that it runs on Vista and up.

But I could be wrong and it could be that the good MS guys are smarter than me :)



#15 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 18 January 2017 - 08:24 PM

Will test it in a XP VM.

I believe it will run but will not take command line parameters.



#16 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 18 January 2017 - 09:46 PM

Tested under windows xp 32 bits.

Exe runs, displays the usual text, and accepts command line parameters.

 

Value was not created in registry thus : some debugging needed.



#17 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 19 January 2017 - 11:11 AM

Should be good news :), if the thingy overall runs, only a minor change might be needed.
Go erwan, go! :cheerleader:

:duff:
Wonko

#18 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 20 January 2017 - 08:42 PM

xp looks promising so far.

 

Obviously I cannot delete non-existing keys or values, but creating keys and values works.

 

[screenshot: 87K9J9z.png]



#19 agni

agni

    Frequent Member

  • Tutorial Writer
  • 270 posts
  • Location:Bengaluru (Bangalore)
  •  
    India

Posted 21 January 2017 - 07:49 AM

Thanks for your swift reply and for the nice tool! You rock!
Your tool provides another, easier, way to revert the XP POSReady trick, if it ever turns out to be required.
Your tool is also the ideal companion for MS Srdelayed.exe (a little known native tool to manipulate files and directories), which is included in Win 7 and its server counterpart, as well as later Windows releases (so it's easily available, but rarely mentioned).
Just for the record srdelayed.exe x86 v. 6.1.7600.16385 (win7_rtm.090713-1255) is 14,848 bytes long, and has CRC32: 7DCBA10D and  MD5: 89370EEE7ADD53E05DF47F9F9D2B4EE8.
BTW, it seems the people at MS did not solve the problem of the command line arguments as well as you did! Congrats!

 

 Why is this tool useful for POSReady Trick ? Does the regtweak not work once the kernel is loaded ?

 

Erwan

There is a utility called nrun, which can be used test Native Apps without restarting

http://hex.pp.ua/shedel-utils.php

http://ashedel.chat.ru/source/

 

Also lot of useful info in Russian - http://hex.pp.ua/native-api.php



#20 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 21 January 2017 - 11:26 AM

 Why is this tool useful for POSReady Trick ? Does the regtweak not work once the kernel is loaded ?

It may be useful if - for whatever reason - you need to "disable" it, as the Registry key involved is "protected" on a running system and booting a PE (or *something*) is needed to remove it.

 

:duff:

Wonko



#21 agni

agni

    Frequent Member

  • Tutorial Writer
  • 270 posts
  • Location:Bengaluru (Bangalore)
  •  
    India

Posted 21 January 2017 - 11:58 AM

Interesting. So enabling it was not a problem, it's only the disabling which is protected??

 

I wonder what other protected registry keys could potentially be modified using NativeReg (or NativeRegMod).



#22 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 21 January 2017 - 12:51 PM

Interesting. So enabling it was not a problem, its the only disabling which is protected ??

Yes, see:

http://www.msfn.org/...gistry-subkeys/

 

:duff:

Wonko



#23 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 21 January 2017 - 02:51 PM

I have added a version 0.2 in the first post.

A few bugs have been fixed and it was tested on XP and Windows 7 32 bits editions.

 

Next step : handle binary values.


  • dencorso likes this

#24 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 21 January 2017 - 05:36 PM

I have added version 0.3 to the first post.

 

Binary values are now handled (512 bytes max for now).

Syntax updated in first post as well.

 

Next possible step: a search and replace feature, as some registry values are rather big and passing them as command line parameters is not realistic.


  • dencorso likes this

#25 ndog37

ndog37

    Member

  • Members
  • 88 posts
  •  
    New Zealand

Posted 22 January 2017 - 03:54 AM

Thanks for this, so to use it I drop nativereg.exe and nativereg.fpr in system32 and add registry keys as such?

I would like to use this for injecting dosdiskdevice entries. An issue I have had for a long time is injecting dosdiskdevices in sysprep mode for Windows XP after injecting winvblock from a wim file etc.

[screenshot: 11lrgu9.png]





