Thursday, March 07, 2013

Wow6432Node: Registry Redirection

What is Registry redirection? 
MS has a nice little explanation of Registry redirection and reflection here. Note that this MS page indicates that Registry reflection was removed as of Windows 7 and Windows 2008 R2.

In short, when a 32-bit application makes a call to write to the Registry on a 64-bit Windows system, by default, it doesn't go where we expect.  A number of years ago, I was performing analysis of a 64-bit Windows 2003 server that we thought had been compromised via SQL injection...only I couldn't find the MS SQL Server instance listed in the Software hive.  It turns out that I had to look beneath the Wow6432Node key.

This page at MS provides information regarding Registry keys affected by Wow64.

What does it mean to us?
Well, for one...this is huge.  No, I mean, it's HUGE.  H. U. G. E. Why is that? Well, most of the malware I've seen over the years has been compiled for 32-bit platforms.  While I haven't seen many 64-bit XP and 2003 systems (I have seen a few), I have seen a number of 64-bit Windows 7 systems, and all of the Windows 2008 R2 systems I've analyzed have been 64-bit.

So, if you're looking in the usual locations for malware...say, the Software\Microsoft\Windows\CurrentVersion\Run key, in either the HKLM or HKCU hives...then you're only going halfway and potentially missing a great deal of critical data in the Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run key.  And unfortunately, most of us seem to be only going halfway.

This should be nothing new to the DFIR community.  Redirection and virtualization of the Registry were discussed on pp. 246 and 247, respectively, in Windows Forensic Analysis 2/e (published in 2009), as well as on p. 132 of WFAT 3/e.  This topic is also discussed in this blog post.

Elizabeth S., from Google, discussed the Run keys extensively in her presentation at the 2012 SANS Forensic Summit.  You'll notice that if you read through the presentation, she culled a lot of data about Registry keys from an AV vendor site.  It appears that most of the testing platforms used by the vendor may be 32-bit, which may be why the Wow6432Node key isn't mentioned.

A good number of the RegRipper plugins that are affected by Registry redirection have been (or are being) updated to support Wow6432Node (where applicable, of course), and Corey Harrell has identified several others that need to be updated, as well.  We're working on getting updated plugins into a new public distribution, so please bear with us.

Note that similar differences apply to the file system, as well, due to redirection.  For example, on 64-bit systems, 32-bit applications can be found in the C:\Program Files (x86) and C:\Windows\SysWOW64 folders.
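The following PowerShell is an added example, not code from the post or from RegRipper. It shows the live-response side of the point made above about the Run keys and the file system: it lists Run/RunOnce values from both the 64-bit and the 32-bit registry views (the 32-bit view of HKLM\Software is what you see on disk as Wow6432Node), and flags commands whose image path sits in a redirected 32-bit folder. It relies on the .NET RegistryView API, which is a real API; the path regex used for the 32-bit flag is my own heuristic, not something the post specifies.

```powershell
# Added example (not from the original post): enumerate Run/RunOnce autostart
# values from BOTH registry views on a 64-bit host, so that entries a 32-bit
# program wrote under Wow6432Node are not missed. Uses the .NET RegistryView
# API instead of hard-coding the "Wow6432Node" path. Run from an elevated
# PowerShell session on the live system under examination.

$hives = [ordered]@{
    HKLM = [Microsoft.Win32.RegistryHive]::LocalMachine
    HKCU = [Microsoft.Win32.RegistryHive]::CurrentUser
}
$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# A 32-bit OS has only one view; asking for both there would just duplicate rows.
$views = [ordered]@{ Native = [Microsoft.Win32.RegistryView]::Registry64 }
if ([Environment]::Is64BitOperatingSystem) {
    $views['Wow64'] = [Microsoft.Win32.RegistryView]::Registry32   # HKLM\Software\Wow6432Node\...
}

# Heuristic (my assumption, not from the post): image paths in these folders
# are 32-bit binaries placed there by file-system redirection.
$wow64PathPattern = 'SysWOW64|Program Files \(x86\)'

function Get-RunKeyEntries {
    $rows = foreach ($hiveName in $hives.Keys) {
        foreach ($viewName in $views.Keys) {
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hives[$hiveName], $views[$viewName])
            try {
                foreach ($sub in $runKeys) {
                    $key = $base.OpenSubKey($sub)
                    if ($null -eq $key) { continue }
                    try {
                        foreach ($name in $key.GetValueNames()) {
                            $cmd = [string]$key.GetValue($name)
                            [PSCustomObject]@{
                                Hive        = $hiveName
                                View        = $viewName
                                Key         = $sub
                                Name        = $name
                                Command     = $cmd
                                Is32BitPath = ($cmd -match $wow64PathPattern)
                            }
                        }
                    } finally { $key.Close() }
                }
            } finally { $base.Close() }
        }
    }

    # A shared (non-redirected) key shows the same value in both views; collapse
    # those so only values that genuinely differ per view stand out.
    $rows | Group-Object Hive, Key, Name, Command | ForEach-Object {
        $first = $_.Group[0]
        [PSCustomObject]@{
            Hive        = $first.Hive
            Key         = $first.Key
            Name        = $first.Name
            Command     = $first.Command
            Views       = (($_.Group | ForEach-Object { $_.View } | Sort-Object -Unique) -join ',')
            Is32BitPath = $first.Is32BitPath
        }
    }
}

Get-RunKeyEntries | Sort-Object Hive, Key, Name | Format-Table -AutoSize
```

A value that appears with Views = "Wow64" only is one you would never see by opening the usual Run key path in the 64-bit Registry Editor; it is the on-disk Wow6432Node entry the post is talking about. This applies to a live system, where Windows performs the redirection for you; when parsing an offline Software hive (as RegRipper does), there is no redirection layer, so the Wow6432Node\...\Run key simply has to be read as a second, separate key.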

Resources
article
Windows Confidential article


Tom said...

Good reminder post Harlan. There are times when we have to remember those minor (but important) changes in our examinations.

Is there a list anywhere of the plugins that take into account the redirection versus those that don't?


H. Carvey said...

Is there a list anywhere of which plugins take into account redirection versus those that don't?


DMS Forensics said...

I honestly don't think you overstated the importance of this finding. As you stated, without understanding this concept we're only going halfway and that leaves significant gaps in research.

H. Carvey said...

I hope not...I've seen a number of presentations on the topic of malware persistence over the past year that have completely missed even mentioning this...