
RegReveal - a small rootkit registry revealer

Reveal hidden registry entries.

RegReveal supports Windows 2000 and Windows XP

RegReveal is a command line program.

Change Log

v1.0 beta3 - Sep. 10, 2008
* can set/delete a registry value belonging to some malware families (Cutwail, Pandex, Bulknet, Boaxxe, Agent.cid) on Windows XP.
v1.0 beta2c - May 13, 2007
* added /a switch.
* some small changes.

Usage:

C:\>regreveal
RegReveal v1.0 beta3 - a small rootkit registry revealer
Copyright (C) 2006-2008 kazuo
Usage1: RegReveal scan <registry-key> [/r] [/a]
  Scan hidden registry entries in the key
  /r   scan recursively
  /a   output non-hidden entries too
Usage2: RegReveal scan /d <file-name> [/a]
  Read registry keys from the file and scan
Usage3: RegReveal set <registry-key> "<value-name>"=[<value-data>]
  Set the value. If no <value-data> specified, delete the value
  <value-data>:= "<string>" | expand_sz:"<string>"
                | dword:<hexadecimal-number>
    e.g. "shell"="explore.exe", "dir"=expand_sz:"\%windir\%",
         "start"=dword:4, "flag"=dword:ffff80ab
NOTES:
 1. RegReveal requires Administrator privileges.
 2. You can stop RegReveal by pressing Ctrl+C or Ctrl+Break.
 3. If <registry-key> includes spaces, it must be quoted.
 4. Escape sequence in <string>: \\ \" \% (means \ " %)

C:\>regreveal scan HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /r

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
# found hidden value!
"RunAppBk"="C:\WINDOWS\system32\ctfmun.exe"

---- Total 0 hidden keys and 1 hidden values found

C:\>type startup.txt
#
# sample input file for RegReveal
#
# Supports following keys:
#    HKEY_CLASSES_ROOT (HKCR)
#    HKEY_CURRENT_CONFIG (HKCC)
#    HKEY_CURRENT_USER (HKCU)
#    HKEY_LOCAL_MACHINE (HKLM)
#    HKEY_USERS (HKU)
#
# If key name includes spaces, it must be quoted.
#
# Options:
#    /r   scan recursively
#

# Known startups:
"HKCR\Folder\shellex\ColumnHandlers"
"HKCU\Software\Microsoft\Command Processor"
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /r
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /r
"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /r
"HKLM\Software\Microsoft\Active Setup\Installed Components" /r
"HKLM\Software\Microsoft\Command Processor"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /r
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /r
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /r
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /r
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
"HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
"HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute"
"HKLM\System\CurrentControlSet\Services"

# Others:
"HKCU\Software"
"HKLM\Software"

C:\>regreveal scan /d startup.txt

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
# found hidden value!
"RunAppBk"="C:\WINDOWS\system32\ctfmun.exe"

# found hidden key!
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CTFDrv2]
Enum                 <SubKey>
"ErrorControl"=dword:00000000
"ImagePath"=expand_sz:"\??\C:\WINDOWS\system32\ctfmsvc.sys"
"Start"=dword:00000003
"Type"=dword:00000001

# found hidden key!
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CTFMN]
Security             <SubKey>
Enum                 <SubKey>
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=expand_sz:"C:\WINDOWS\system32\ctfmsvc.exe"
"DisplayName"="CTF Monitor Service"
"ObjectName"="LocalSystem"

# found hidden key!
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kprof]
Security             <SubKey>
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=expand_sz:"\??\C:\WINDOWS\System32\kprof"
"Group"="Base"

# found hidden key!
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pe386]
Security             <SubKey>
Enum                 <SubKey>
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=expand_sz:"\??\C:\WINDOWS\System32:lzx32.sys"
"DisplayName"="Win23 lzx files loader"
"Group"="Base"
"ExtParam"=REG_BINARY:
 0000 4A 0F 45 BC B4 B5 E6 DD  C0 70 79 85 C4 64 A8 82  J.E......py..d..
"Checked"=dword:00000001

# found hidden key!
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\poof]
Security             <SubKey>
Enum                 <SubKey>
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=expand_sz:"\??\C:\WINDOWS\System32\poof"
"Group"="Base"

---- Total 5 hidden keys and 1 hidden values found

C:\>regreveal set HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "RunAppBk"=
Value was deleted.

C:\>REM Set service start type to 4 (DISABLED)

C:\>regreveal set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CTFMN "Start"=dword:4
Value was set.

C:\>regreveal set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pe386 "Start"=dword:4
Value was set.

C:\>regreveal set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\poof "Start"=dword:4
Value was set.

C:\>
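The session above does the triage by eye: read the scan report, decide which hidden entries are the rootkit's, then type the matching "regreveal set" commands. The script below is an added example written for this page (it is not part of RegReveal) that automates that step. It parses the report format shown above, flags hidden service keys whose ImagePath has the two traits visible in the sample (an NTFS alternate data stream such as System32:lzx32.sys, or a file with no extension such as System32\poof), and prints the delete / Start=dword:4 commands. The ImagePath heuristics are this example's own, not something RegReveal does; SAMPLE_REPORT is constructed from the output on this page.

```python
"""Triage a RegReveal scan report and build the follow-up 'regreveal set' commands.

Added example for this page, not part of RegReveal: parses the report format shown
above (hidden-entry markers, '[KEY]' headers, '"name"=data' lines), flags hidden
service keys whose ImagePath looks like a rootkit loader, and builds the remediation
commands the page applies by hand. SAMPLE_REPORT is constructed from that output.
"""
import re

SAMPLE_REPORT = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
# found hidden value!
"RunAppBk"="C:\WINDOWS\system32\ctfmun.exe"

# found hidden key!
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pe386]
"Start"=dword:00000001
"ImagePath"=expand_sz:"\??\C:\WINDOWS\System32:lzx32.sys"

# found hidden key!
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\poof]
"Start"=dword:00000002
"ImagePath"=expand_sz:"\??\C:\WINDOWS\System32\poof"

---- Total 2 hidden keys and 1 hidden values found
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
SERVICE_KEY_RE = re.compile(r"\\Services\\[^\\]+$", re.IGNORECASE)

def parse_data(raw):
    """Decode the data half of a '"name"=data' line into (type, value)."""
    if raw.startswith("dword:"):
        return "dword", int(raw[6:], 16)
    if raw.startswith('expand_sz:"'):
        return "expand_sz", raw[len('expand_sz:"'):-1]
    if raw.startswith('"'):
        return "sz", raw[1:-1]      # the report prints strings unescaped
    return "other", raw             # e.g. the REG_BINARY: header, kept as raw text

def parse_report(text):
    """Return one dict per key: {'key', 'hidden', 'values', 'hidden_values'}."""
    entries, current, pending_hidden = [], None, False
    for line in (l.rstrip() for l in text.splitlines()):
        if line in ("# found hidden key!", "# found hidden value!"):
            pending_hidden = True   # marker precedes the key header or the value
            continue
        m = KEY_RE.match(line)
        if m:
            current = {"key": m.group(1), "hidden": pending_hidden,
                       "values": {}, "hidden_values": set()}
            entries.append(current)
            pending_hidden = False
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current["values"][m.group(1)] = parse_data(m.group(2))
            if pending_hidden:
                current["hidden_values"].add(m.group(1))
                pending_hidden = False
    return entries

def image_path_findings(image_path):
    """Heuristics (this example's own) on a service ImagePath that point at a rootkit loader."""
    path = image_path.strip('"')
    if path.startswith("\\??\\"):   # NT object-manager prefix
        path = path[4:]
    leaf = path.rsplit("\\", 1)[-1]
    if ":" in leaf:                 # 'file:stream' = NTFS alternate data stream
        return ["alternate data stream: " + leaf]
    if "." not in leaf:             # e.g. System32\poof: no extension at all
        return ["no file extension: " + leaf]
    return []

def triage(entries):
    """Map each hidden service name to its ImagePath findings."""
    out = {}
    for e in entries:
        if e["hidden"] and SERVICE_KEY_RE.search(e["key"]):
            image = e["values"].get("ImagePath", ("sz", ""))[1]
            out[e["key"].rsplit("\\", 1)[-1]] = image_path_findings(image)
    return out

def remediation_commands(entries):
    """Delete hidden autostart values; disable (Start=4) hidden services."""
    cmds = []
    for e in entries:
        key = '"%s"' % e["key"] if " " in e["key"] else e["key"]  # note 3 above
        if e["hidden"] and SERVICE_KEY_RE.search(e["key"]):
            if e["values"].get("Start", ("dword", None))[1] != 4:
                cmds.append('regreveal set %s "Start"=dword:4' % key)
        for name in sorted(e["hidden_values"]):
            cmds.append('regreveal set %s "%s"=' % (key, name))  # empty data = delete
    return cmds

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(triage(parsed))
    print("\n".join(remediation_commands(parsed)))
```

Two details of the page's own format drive the design. The scan output prints string data with backslashes unescaped ("C:\WINDOWS\system32\ctfmun.exe"), so the parser takes strings literally; the "set" command, by contrast, needs the escapes from note 4, which is why the generated commands only write dword data or delete values and never echo a string back. Disabling a hidden service with Start=4 rather than deleting its key follows the session above and keeps the ImagePath around for forensics. The ADS and no-extension checks are indicators, not proof: a hidden key is suspicious on its own, and a service with a normal-looking ImagePath (CTFMN above) still deserves the same treatment.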

Note

RegReveal loads its own kernel mode driver and directly manipulates some system data.
Please use RegReveal AT YOUR OWN RISK!

Download

RegReveal v1.0 beta3