25.1 The Basic concept of a Registry
Figure 25-1 The Basic concept of a Registry
The registry is a hierarchical database that stores configuration information for the hardware, installed software, user accounts, operating system and applications. Earlier versions of Windows kept such settings in “.ini” files, but a separate file per program is hard to manage consistently, so the registry was introduced as a single integrated database. The registry changes in two ways. First, Windows and installed programs update it automatically, for example during installation or when a setting is changed in the Control Panel. Second, it can be edited by hand with a tool such as “regedit”, or programmatically through the registry API. A wrong manual change can leave the system unstable or unbootable, so such changes must be considered carefully and the affected key should be exported first so it can be restored.
Figure 25-2 Registry settings
If “regedit” is executed from the command prompt, the Registry Editor screen appears. The left pane shows the key hierarchy: the top-level keys are called “Root keys”, and everything beneath them is a “subkey”. When a key is selected, its values are shown on the right; each value consists of a name, a data type (REG_SZ, REG_DWORD, REG_BINARY and so on) and the data itself. On disk the registry is kept in a set of files called hives. Each root key, or a part of it, maps onto a hive file (for example “HKEY_LOCAL_MACHINE\SYSTEM” is the SYSTEM hive under %SystemRoot%\System32\config, and “HKEY_CURRENT_USER” is the NTUSER.DAT file in the user's profile), so every change made through regedit or the API ends up in one of those files.
Table 25-1 Root Key
Querying and changing registry values that hold information important for system operation is a common step in an attack. From the account information found in the registry an attacker can identify the local users and change their passwords, and the saved Remote Desktop connection entries and mapped network drive entries reveal which other machines the user reaches, so they can be analyzed for further weaknesses. It is also possible to infer a user's Internet usage patterns by looking up the installed applications and the data they store. All of this basic information is the starting point for a secondary attack.
25.2 Query Registry Information
Figure 25-3 Query Registry information
Python provides the “_winreg” module (renamed “winreg” in Python 3) to query the registry. It is a thin wrapper around the Windows registry API that exposes the API calls as simple functions. “ConnectRegistry” takes a computer name (None for the local machine) and a “Root Key” constant and returns a handle to that root. “OpenKey” takes a handle and a subkey path given as a string and returns a handle to that subkey. “EnumKey” and “EnumValue” enumerate the subkeys and the values of an open key by index and raise an error once the index runs past the last entry, and “QueryValueEx” reads a single value by name. When all of the work has been completed, every handle obtained this way must be closed with the “CloseKey” function (in Python 3 the handle objects can also be used in a “with” statement, which closes them automatically).
25.2.1 Query the list of the user accounts
The regedit program can be used to access the following screen. Each account that has logged on to the machine has a profile entry stored as a subkey, named after the account's SID, under “SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList” in “HKEY_LOCAL_MACHINE”. Each of these subkeys has a “ProfileImagePath” value that holds the path of the profile directory assigned to the account (for example C:\Users\<name>), and the last part of that path is normally the account name.
Figure 25-4 ProfileList registry information
Using Python, let's write a program that retrieves the list of user accounts automatically. Specify the registry subkey mentioned above and add a bit of code to extract the information of interest, and the list of user accounts used by the system can be obtained easily.
try:
    import winreg                  # Python 3 name of the module
except ImportError:
    import _winreg as winreg       # Python 2 name of the same module
import sys

# Use a raw string so the backslashes in the key path are taken literally
varSubKey = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"   #(1)

varReg = winreg.ConnectRegistry(None, winreg.HKEY_LOCAL_MACHINE)          #(2)
varKey = winreg.OpenKey(varReg, varSubKey)                                  #(3)

for i in range(1024):
    try:
        keyname = winreg.EnumKey(varKey, i)                                 #(4)
        varSubKey2 = "%s\\%s" % (varSubKey, keyname)                        #(5)
        varKey2 = winreg.OpenKey(varReg, varSubKey2)                        #(6)
        try:
            for j in range(1024):
                n, v, t = winreg.EnumValue(varKey2, j)                      #(7)
                if "ProfileImagePath" in n and "Users" in v:                #(8)
                    print(v)
        except OSError:
            # EnumValue raises once there are no more values under this subkey
            errorMsg = "Exception Inner:", sys.exc_info()[0]
            # print(errorMsg)
        winreg.CloseKey(varKey2)
    except OSError:
        # EnumKey raises once there are no more subkeys: stop the loop here
        errorMsg = "Exception Outer:", sys.exc_info()[0]
        break

winreg.CloseKey(varKey)                                                     #(9)
winreg.CloseKey(varReg)
The program uses the “_winreg” module to obtain registry handles and walk the entries beneath them. The steps marked in the code are as follows.
(1) Specifying the subkey path: the path of the subkey under which the user account (profile) information is found.
(2) Getting the root registry handle: the constant “HKEY_LOCAL_MACHINE” provided by the “_winreg” module names the root key, and the “ConnectRegistry” function returns a handle to it.
(3) Getting the subkey handle: the “OpenKey” function returns a handle to the ProfileList subkey under the root so that its contents can be read.
(4) Enumerating the subkeys: “EnumKey” returns the name of the i-th subkey, one per SID; it raises an error once the index passes the last subkey, which ends the loop.
(5) Building the subkey path: the parent path and the subkey name are joined into the full path of the profile entry.
(6) Getting the handle to the profile entry: “OpenKey” on the path built in the previous step.
(7) Reading the values: “EnumValue” returns the name, data and data type of the j-th value under the profile entry.
(8) Extracting the profile path: only the “ProfileImagePath” value whose data contains “Users” is printed. This is a heuristic that skips the SYSTEM, LocalService and NetworkService profiles (S-1-5-18, S-1-5-19 and S-1-5-20), which live under the Windows directory, but it also misses a profile that has been relocated to another drive.
(9) Returning the handles: “CloseKey” releases each handle back to the system.
The user account information extracted from the registry is useful for system hacking. A user's password can be recovered with a dictionary attack against the account name, and the ADSI interface exposed through the “win32com” module can be used to change the password directly once sufficient privileges have been obtained.
Figure 25-5 registryUserList.py Execution result
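The program above identifies user accounts by looking for “Users” in the profile path. The following added example (not code from the page) does the same job more robustly: it separates collection (Windows only, through winreg) from analysis, selects accounts by SID pattern rather than by path, expands %SystemRoot%-style references from a supplied mapping, and labels the well-known RIDs 500 and 501. The SAMPLE_ENTRIES list is constructed for illustration and is not data from a real host.

```python
"""Added example: list local user profiles from the ProfileList key.

Collection (Windows only) is separated from analysis, so the analysis
functions can be exercised anywhere with constructed entries.
"""
import os
import re

try:
    import winreg                  # Python 3; Python 2 calls it _winreg
except ImportError:                # not on Windows: collection unavailable
    winreg = None

PROFILE_LIST = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

# SIDs of real accounts have the form S-1-5-21-<machine/domain id>-<RID>.
# S-1-5-18/19/20 are the SYSTEM, LocalService and NetworkService profiles.
ACCOUNT_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
WELL_KNOWN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)"}


def expand_env(path, env):
    """Expand %NAME% references (REG_EXPAND_SZ style) from a mapping whose
    keys are upper-case. A mapping is used instead of os.environ so the
    target machine's variables can be supplied when analysing an exported hive."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def user_profiles(entries, env=None):
    """Select user accounts from (sid, profile_image_path) pairs.

    Service profiles are dropped by SID pattern, not by looking for "Users"
    in the path, so relocated profiles and localised folder names are kept."""
    env = {k.upper(): v for k, v in (env or {}).items()}
    found = []
    for sid, image_path in entries:
        m = ACCOUNT_SID.match(sid)
        if not m:
            continue
        rid = int(m.group(1))
        path = expand_env(image_path, env)
        found.append({
            "sid": sid,
            "rid": rid,
            "path": path,
            "name": path.rstrip("\\").rsplit("\\", 1)[-1],
            "note": WELL_KNOWN_RIDS.get(rid, "local or domain user"),
        })
    return found


def collect_profile_entries():
    """Windows only: read every ProfileList subkey's ProfileImagePath."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROFILE_LIST) as plist:
        n_subkeys = winreg.QueryInfoKey(plist)[0]   # (subkeys, values, mtime)
        for i in range(n_subkeys):
            sid = winreg.EnumKey(plist, i)
            with winreg.OpenKey(plist, sid) as sub:
                try:
                    path, _type = winreg.QueryValueEx(sub, "ProfileImagePath")
                except OSError:                     # subkey without a profile path
                    continue
            entries.append((sid, path))
    return entries


# Constructed sample shaped like the ProfileList of a Windows 10 host (not real data).
SAMPLE_ENTRIES = [
    ("S-1-5-18", r"%systemroot%\system32\config\systemprofile"),
    ("S-1-5-19", r"%systemroot%\ServiceProfiles\LocalService"),
    ("S-1-5-20", r"%systemroot%\ServiceProfiles\NetworkService"),
    ("S-1-5-21-1111111111-2222222222-3333333333-500", r"C:\Users\Administrator"),
    ("S-1-5-21-1111111111-2222222222-3333333333-1001", r"C:\Users\alice"),
    ("S-1-5-21-1111111111-2222222222-3333333333-1002", r"D:\Profiles\bob"),
]
SAMPLE_ENV = {"SystemRoot": r"C:\Windows"}

if __name__ == "__main__":
    if winreg:
        entries, env = collect_profile_entries(), os.environ
    else:
        entries, env = SAMPLE_ENTRIES, SAMPLE_ENV
    for p in user_profiles(entries, env):
        print("%-48s RID %-5d %-16s %s" % (p["sid"], p["rid"], p["name"], p["note"]))
```

On a Windows host the script reads the live key; elsewhere it falls back to the constructed sample, which is also how the relocated profile “bob” on D: shows up even though its path does not contain “Users”.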
25.2.2 Browsing History
A URL typed by the user into the Internet Explorer address bar is recorded at a specific location in the registry. A hacker who reads that history can infer the user's habits: if the user frequently visits banking or e-commerce sites, for example, the hacker knows that a keylogger installed on the machine will capture credentials of value. The typed-URL log is stored under “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs” as values named url1, url2, ..., with url1 the most recently typed entry. Only addresses typed into the address bar are recorded there, not every page visited, and the key is specific to Internet Explorer: Edge, Chrome and Firefox keep their history in files under the user's profile rather than in the registry.
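The following added example (not code from the page) reads the TypedURLs key the way a practitioner would: “EnumValue” returns values in registry order, which is lexical (url1, url10, url11, url2, ...), so the numeric index in the value name is parsed and sorted. It also decodes the companion “TypedURLsTime” key, which Internet Explorer 10 and later write with one REG_BINARY FILETIME per url entry; that key is assumed to be absent on older systems and is simply skipped. The SAMPLE_URLS and SAMPLE_TIMES lists are constructed for illustration, not captured from a real host.

```python
"""Added example: recover Internet Explorer typed-URL history in order.

The registry returns url1, url10, url11, url2, ... so the index is parsed
from the value name and sorted. TypedURLsTime (IE 10 and later) holds a
64-bit FILETIME per entry, decoded here to an ISO-8601 UTC timestamp.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

try:
    import winreg
except ImportError:                # not on Windows: live reading unavailable
    winreg = None

IE_KEY = r"Software\Microsoft\Internet Explorer"
URL_NAME = re.compile(r"^url(\d+)$", re.IGNORECASE)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(raw):
    """Convert a FILETIME (an int, or the 8 little-endian bytes of a REG_BINARY
    value) to an ISO-8601 UTC string. FILETIME counts 100 ns ticks since
    1601-01-01; a zero value means "no timestamp"."""
    if isinstance(raw, (bytes, bytearray)):
        raw = struct.unpack("<Q", bytes(raw)[:8])[0]
    if raw == 0:
        return None
    return (FILETIME_EPOCH + timedelta(microseconds=raw // 10)).isoformat()


def ordered_typed_urls(url_values, time_values=()):
    """url_values / time_values: iterables of (name, data, type) triples as
    EnumValue returns them. Returns [(index, url, iso_time_or_None)] sorted by
    index; url1 is the most recently typed entry. Other values are ignored."""
    times = {}
    for name, data, _t in time_values:
        m = URL_NAME.match(name)
        if m:
            times[int(m.group(1))] = filetime_to_iso(data)
    rows = []
    for name, data, _t in url_values:
        m = URL_NAME.match(name)
        if m:
            idx = int(m.group(1))
            rows.append((idx, data, times.get(idx)))
    return sorted(rows)


def read_values(hkey, path):
    """Windows only: every (name, data, type) triple under hkey\\path, or an
    empty list when the key does not exist (IE never used, or no TypedURLsTime)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    out = []
    try:
        with winreg.OpenKey(hkey, path) as k:
            for i in range(winreg.QueryInfoKey(k)[1]):   # [1] = number of values
                out.append(winreg.EnumValue(k, i))
    except OSError:
        pass
    return out


# Constructed sample (not real data) in the order EnumValue would return it.
SAMPLE_URLS = [
    ("url1", "https://bank.example/login", 1),
    ("url10", "http://intranet.example/", 1),
    ("url2", "https://shop.example/cart", 1),
    ("Unrelated", b"\x00", 3),      # a non-url value: must be ignored
]
SAMPLE_TIMES = [
    ("url1", struct.pack("<Q", 132539328000000000), 3),   # 2021-01-01T00:00:00Z
    ("url2", struct.pack("<Q", 0), 3),                     # zero: no timestamp
]

if __name__ == "__main__":
    if winreg:
        urls = read_values(winreg.HKEY_CURRENT_USER, IE_KEY + r"\TypedURLs")
        times = read_values(winreg.HKEY_CURRENT_USER, IE_KEY + r"\TypedURLsTime")
    else:
        urls, times = SAMPLE_URLS, SAMPLE_TIMES
    for idx, url, when in ordered_typed_urls(urls, times):
        print("url%-3d %-26s %s" % (idx, when or "-", url))
```

The timestamp decoding uses the 1601 epoch of FILETIME directly, so it does not depend on the local time zone; the same helper applies to any REG_BINARY value that stores a FILETIME.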
25.3 Updating Registry Information
Figure 25-6 Updating Registry Information
In addition to querying the information contained in the registry, registry information can also be modified with the “_winreg” module. The “CreateKey” function creates the named key, or simply opens it if it already exists, and returns a handle to it. The “SetValueEx” function writes a value (name, data type and data) under that handle, overwriting the value if it already exists, and “DeleteValue” and “DeleteKey” remove entries. After using all handles, you must return the resources to the system with the “CloseKey” function.
25.3.1 Changing the Windows Firewall settings
Windows stores the firewall configuration in the registry under “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy”. For each network profile (“DomainProfile”, “StandardProfile” for home or office networks, and “PublicProfile”) it records whether the firewall is enabled, whether status notifications are shown, the applications and ports that are allowed through, and the firewall rules themselves, among other settings. Let's create a simple example that disables the firewall by changing the corresponding registry value.
try:
    import winreg                  # Python 3 name of the module
except ImportError:
    import _winreg as winreg       # Python 2 name of the same module
import sys

varSubKey = r"SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy"
varStd = r"\StandardProfile"       #(1)
varPub = r"\PublicProfile"         #(2)
varEnbKey = "EnableFirewall"       #(3)
varOff = 0

varReg = None
varKey = None
try:
    varReg = winreg.ConnectRegistry(None, winreg.HKEY_LOCAL_MACHINE)
    varKey = winreg.CreateKey(varReg, varSubKey + varStd)
    # third argument is the reserved parameter and must be 0; the data comes last
    winreg.SetValueEx(varKey, varEnbKey, 0, winreg.REG_DWORD, varOff)       #(4)
    winreg.CloseKey(varKey)
    varKey = winreg.CreateKey(varReg, varSubKey + varPub)
    winreg.SetValueEx(varKey, varEnbKey, 0, winreg.REG_DWORD, varOff)
except OSError:
    # writing under HKEY_LOCAL_MACHINE fails unless the process is elevated
    errorMsg = "Exception Outer:", sys.exc_info()[0]
    print(errorMsg)
finally:
    if varKey is not None:
        winreg.CloseKey(varKey)
    if varReg is not None:
        winreg.CloseKey(varReg)
The Windows Firewall service reads this registry information when it starts and configures the firewall from it; changing the settings in the Control Panel stores the new values in the same keys. When the sample program writes the registry directly, the running firewall does not notice the change immediately: the service must be made to re-read its configuration, and the simplest way is to restart Windows. Two practical caveats apply. The program must be run from an elevated (administrator) prompt, because writing under HKEY_LOCAL_MACHINE is otherwise denied. And the supported way to change the firewall state, “netsh advfirewall set allprofiles state off” (or the “Set-NetFirewallProfile” PowerShell cmdlet), applies the change at once and updates the same registry values. The detailed operations are as follows.
(1) Home or office network registry key: Windows keeps separate firewall settings per network profile. The settings for a “home or office network” live under the “StandardProfile” subkey, and this variable names it.
(2) Public network registry key: the “PublicProfile” subkey holds the settings for a “public network”. (A third subkey, “DomainProfile”, applies when the machine is joined to a domain and is not touched by this program.)
(3) Variable that names the firewall switch: the “EnableFirewall” value of each profile records whether the firewall is in use for that profile.
(4) Writing the value: “EnableFirewall” is of type REG_DWORD. Entering zero disables the firewall for that profile, and entering one enables it. The third argument of “SetValueEx” is a reserved parameter that must be 0; the data is passed last.
Other values under the same keys have an equally large effect on the system configuration. The list of applications and ports allowed through the firewall (the “AuthorizedApplications” and “GloballyOpenPorts” lists, and on Windows Vista and later the “FirewallRules” list) can be extended with arbitrary entries in the same way. The technique applies to any program that keeps its configuration in the registry, including Internet Explorer or a word processor.
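An attacker disables the firewall; a defender checks that nobody has. The following added example (not code from the page) turns the registry values described in this section into an audit: it reads the per-profile EnableFirewall and DisableNotifications DWORDs, lets the Group Policy copy under “SOFTWARE\Policies\Microsoft\WindowsFirewall” override the local one, cross-checks against the live state reported by “netsh advfirewall show allprofiles”, and uses “netsh” rather than a registry write to change the state, since that applies immediately. The SAMPLE_POLICY, SAMPLE_GPO and SAMPLE_NETSH inputs are constructed for illustration, not captured from a real host.

```python
"""Added example: audit Windows Firewall state from registry data and change it
the supported way (netsh), which takes effect without a reboot."""
import re
import subprocess

try:
    import winreg
except ImportError:                # not on Windows: live reading unavailable
    winreg = None

FW_POLICY = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
FW_GPO = r"SOFTWARE\Policies\Microsoft\WindowsFirewall"   # Group Policy copy, overrides
PROFILES = ("DomainProfile", "StandardProfile", "PublicProfile")   # Standard = private


def firewall_state(policy_values, gpo_values=None):
    """policy_values / gpo_values: {profile: {value_name: dword}} read from the
    two keys above. Returns {profile: {"enabled", "source", "notifications"}}.
    A missing EnableFirewall counts as enabled, the default for every profile."""
    gpo_values = gpo_values or {}
    state = {}
    for prof in PROFILES:
        local, gpo = policy_values.get(prof, {}), gpo_values.get(prof, {})
        if "EnableFirewall" in gpo:
            enabled, source = bool(gpo["EnableFirewall"]), "group policy"
        else:
            enabled, source = bool(local.get("EnableFirewall", 1)), "local"
        state[prof] = {"enabled": enabled, "source": source,
                       "notifications": not local.get("DisableNotifications", 0)}
    return state


def disabled_profiles(state):
    """Profiles an auditor should flag: firewall off, whatever the source."""
    return sorted(p for p, s in state.items() if not s["enabled"])


def parse_netsh_profiles(text):
    """Parse `netsh advfirewall show allprofiles` output into
    {"Domain": bool, "Private": bool, "Public": bool}."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+) Profile Settings:", line)
        if m:
            current = m.group(1)
        elif current and re.match(r"^State\s+(ON|OFF)\s*$", line, re.I):
            result[current] = line.split()[-1].upper() == "ON"
    return result


def read_profile_dwords(root_subkey):
    """Windows only: {profile: {name: data}} for the DWORD values under each
    profile subkey of root_subkey; profiles without a subkey are omitted."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    out = {}
    for prof in PROFILES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root_subkey + "\\" + prof) as k:
                vals = {}
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, data, typ = winreg.EnumValue(k, i)
                    if typ == winreg.REG_DWORD:
                        vals[name] = data
                out[prof] = vals
        except OSError:
            continue
    return out


def set_all_profiles(enabled):
    """Windows only, elevated prompt required: toggle every profile through the
    firewall service itself, so the change is live at once."""
    return subprocess.call(["netsh", "advfirewall", "set", "allprofiles",
                            "state", "on" if enabled else "off"])


# Constructed data (not real): public profile switched off locally, domain
# profile forced on by Group Policy, private profile with notifications off.
SAMPLE_POLICY = {
    "DomainProfile": {"EnableFirewall": 0, "DisableNotifications": 0},
    "StandardProfile": {"EnableFirewall": 1, "DisableNotifications": 1},
    "PublicProfile": {"EnableFirewall": 0},
}
SAMPLE_GPO = {"DomainProfile": {"EnableFirewall": 1}}
SAMPLE_NETSH = """Domain Profile Settings:
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
State                                 ON

Public Profile Settings:
State                                 OFF
"""

if __name__ == "__main__":
    if winreg:
        state = firewall_state(read_profile_dwords(FW_POLICY), read_profile_dwords(FW_GPO))
    else:
        state = firewall_state(SAMPLE_POLICY, SAMPLE_GPO)
    for prof, s in state.items():
        print("%-16s enabled=%-5s (%s) notifications=%s"
              % (prof, s["enabled"], s["source"], s["notifications"]))
    print("flag:", disabled_profiles(state), "netsh:", parse_netsh_profiles(SAMPLE_NETSH))
```

Comparing the registry-derived state with the netsh output is the useful check: after the program in this section has written EnableFirewall=0 but before a reboot, the registry says “off” while netsh still reports “ON”, which is exactly the gap between stored configuration and live state described above.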