Jump to content

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Find out more here. X
X


Photo

Dealing with invalid registry keys

registry; ntdll.dll;

  • Please log in to reply
4 replies to this topic

#1 joakim

joakim

    Adventurer

  • Active Members
  • PipPip
  • 112 posts

Posted 19 August 2012 - 08:46 PM

The issue is that win32 api can't handle names with embedded null characters. That's certainly an issue when it comes to registry keys, because such keys are not deletable by OS shipped registry tools.

Here's the more complete description; http://reboot.pro/files/file/232-regkeyfixer/

Code for PoC to create invalid keys are attached as CreateInvalidKey.au3

Code for the tool to fix these keys are attached as RegKeyFixer.au3

Option for recursive search is on the todo list.

Attached Files









#2 joakim

joakim

    Adventurer

  • Active Members
  • PipPip
  • 112 posts

Posted 07 September 2012 - 10:45 PM

Made some changes to it, like recursive search and modification, as well as including another PoC that will create a different set of registry keys proving to be somewhat impossible to handle: http://www.mediafire.com/download.php?65gcjxvtln291yx

Let me know if you figure out how to deal with those tricky long named keys. :) I certainly did not..

#3 Factfinder

Factfinder

    Wayfarer

  • Active Members
  • Pip
  • 56 posts

Posted 11 February 2014 - 11:24 PM

Great job.


Edited by Factfinder, 27 June 2014 - 12:50 PM.


#4 step887

step887

    Wayfarer

  • Active Members
  • Pip
  • 90 posts

Posted 02 October 2014 - 02:21 AM

joakim,

 

First off, you do great work, with this and rawcopy.  But I ran into an issue

attached is empty registry .dat with one key that I can not access.

It looks like a key with null char was created and then strip of permissions

 

I ran your tool and it is getting this

Startkey: \registry\machine\a\key1\key2\key3
Invalid keyname in hex: 010000000100
Number of invalid charaters in keyname: 3
Location: \registry\machine\a\key1\key2\key3\***
Error in NtOpenKey 3 : 0xC0000022 -> Access is denied.
 
So reviewing what you wrote, you are trying to open a handle to the invalid keyname, but since there is no permissions on the key, it is failing, 
 
I look at adjusting the permissions using Fred (FredAI)'s permission UDF, but he needs stringname or handle to adjust the permissions. so the keyname is invalid and cannot get a handle on the key..
 
So any ideas?

Attached Files

  • Attached File  reg.zip   639.17KB   30 downloads


#5 joakim

joakim

    Adventurer

  • Active Members
  • PipPip
  • 112 posts

Posted 02 October 2014 - 07:23 PM

I doubt that I'll do more with that tool, so what I would suggest is to try running tool from the local system account, or as trustedinstaller. It's a quick workaround that usually gives you access to any registry key.







Also tagged with one or more of these keywords: registry;, ntdll.dll;

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users