MrChris

Could AutoIt be used to redirect Registry Writes


Could AutoIt be used to redirect Registry Writes to a single registry hive that is housed offline? If that makes sense?

In other words, when an app tries to write to or read from the Windows registry, could I use AutoIt to redirect its reads/writes to a single file?

MrChris


#2 (edited)

I'm not sure about that, but you could always change the default action of a .reg file to open in notepad. But that would only protect against .reg files not if the program explicitly wrote to the registry.

Edited by B3TA_SCR1PT3R

...Run these streets all day, I can sleep when I die.


Could AutoIt be used to redirect Registry Writes to a single registry hive that is housed offline? If that makes sense?

In other words, when an app tries to write to or read from the Windows registry, could I use AutoIt to redirect its reads/writes to a single file?

MrChris

Hmm... maybe use Sysinternals "RegMon" to monitor registry activity and have AutoIt reverse registry changes and store them in a file? Just throwing an idea out there.



Hmmmm. Well, I'm trying to make a few applications portable, and if I walk up to a machine that does not allow writing to the registry then I might run into a problem. I found a program called Sandboxie which does just what I need, but it requires installing a service, which on a box with no permissions creates an issue.


Hmmmm. Well, I'm trying to make a few applications portable, and if I walk up to a machine that does not allow writing to the registry then I might run into a problem. I found a program called Sandboxie which does just what I need, but it requires installing a service, which on a box with no permissions creates an issue.

You can't do it with AutoIt, and you can't do it without special user rights.

Cheers

Kurt


__________________________________________________________
(l)user: Hey admin slave, how can I recover my deleted files?
admin: No problem, there is a nice tool. It's called rm, like recovery method. Make sure to call it with the "recover fast" option like this: rm -rf *


If Sandboxie can do it, then I am sure that AutoIt may be able to do it. It would take some Windows API skills to make a script to handle it. The problem would be whether an AutoIt script could monitor and process the data needed in the required time frame as it is running.


If Sandboxie can do it, then I am sure that AutoIt may be able to do it. It would take some Windows API skills to make a script to handle it. The problem would be whether an AutoIt script could monitor and process the data needed in the required time frame as it is running.

No way, you need a Windows API hook to intercept registry reads and writes. You can't do that with AutoIt!

Cheers

Kurt



Well, ParaGlider over at the BartPE/PEBuilder forum has written some type of exe/dll (RunScanner) that kinda sorta does this. I don't think it so much hooks the registry as it just mounts a remote hive or something. Although it works great under the PE environment, I have not yet really had much success with it under the normal XP/2000 environment.

Sandboxie is great for what I am looking for, BUT Sandboxie itself requires writing to the registry and requires drivers to be installed. And on a machine where one does not have proper permissions to write to the registry or install a kernel-level driver, that does no good.

MrChris


Found this. Just an FYI:

APIGuard

MrChris


Sandboxie is great for what I am looking for, BUT Sandboxie itself requires writing to the registry and requires drivers to be installed.

Hm... why might Sandboxie need a "driver"?? Because it's installing an API hook...

And on a machine where one does not have proper permissions to write to the registry or install a kernel-level driver, that does no good.

How do you want to perform privileged operations in Windows when you have no privileges at all?? There is simply no way to do what you want without proper rights. And there is no way at all to do it with AutoIt.

Take a look at the source code of API Guard. It will help you to understand how it works.

RunScanner sounds interesting; however, there is not enough information available about its internals. Anyway, it also won't work without proper system privileges.

Cheers

Kurt


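To make the "mount a remote hive" approach and the privilege wall discussed above concrete, here is an added example; it is not code from the thread, from RunScanner or from Sandboxie, and it is built only on the stock reg.exe and the PowerShell registry provider. The hive file path, the mount key name and the value name are assumptions. It must be run from an elevated prompt, because reg load needs SeRestorePrivilege, which is exactly the right a locked-down account lacks.

```powershell
# Added example (not from the thread): mount an offline registry hive file under a
# temporary key, write a value into it, read it back, and unload the hive again.
# Assumptions (hypothetical): the hive file path, the mount key and the value name.

$HiveFile = 'C:\portable\app.hive'   # assumed path of the offline hive file
$MountKey = 'HKLM\PortableApp'       # assumed temporary mount point under HKLM

# Step 1: check that the token actually carries the privilege reg load relies on.
# On a box where you "do not have proper permissions" this is where it stops.
$privs = whoami /priv
if (-not ($privs -match 'SeRestorePrivilege')) {
    throw 'SeRestorePrivilege is missing from this token; reg load would fail. Run elevated.'
}

# Step 2: create an empty hive file on first use by saving a throwaway key.
$dir = Split-Path $HiveFile
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
if (-not (Test-Path $HiveFile)) {
    $seed = 'HKCU\Software\PortableAppSeed'   # assumed throwaway key name
    reg add $seed /f | Out-Null
    reg save $seed $HiveFile /y | Out-Null
    reg delete $seed /f | Out-Null
}

# Step 3: attach the hive file to the live registry under the mount key.
reg load $MountKey $HiveFile
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # Step 4: the write lands in the mounted hive file, not in the machine's own keys.
    New-ItemProperty -Path 'HKLM:\PortableApp' -Name 'LastRun' `
        -Value (Get-Date).ToString('o') -PropertyType String -Force | Out-Null

    # Step 5: read it back to prove the round trip through the hive file.
    $v = (Get-ItemProperty -Path 'HKLM:\PortableApp' -Name 'LastRun').LastRun
    Write-Host "LastRun stored in offline hive: $v"
}
finally {
    # Step 6: drop any lingering handles, then unload; the value now lives in $HiveFile.
    [GC]::Collect()
    reg unload $MountKey
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed with exit code $LASTEXITCODE" }
}
```

Run it from an elevated PowerShell window. The whoami /priv check is deliberate: it fails early on a restricted account instead of half-way through with a hive partially mounted. Note the limit of this technique, which is the same limit Kurt points out: it only redirects writes that your own script aims at the mounted key. It does not intercept another process's registry calls, and doing that needs an API hook in that process or a kernel driver.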
