Many times, some problems just don't seem to have an obvious or easy solution. Take for instance some of the more recent malware to be seen, like Conficker (...and a rose by any other name would smell as sweet...)...it gets on your network, but initially isn't detected. That's because your AV product protects you from variants A through D, and what you've got on your network is a variant somewhere between F and P. Or let's just say you want to see if you do have something unusual on one of your systems. How would you do this?
Well, there are a number of ways you can do this, but if you look at the descriptions available for the Conficker malware, one of the commonalities you see is that it creates a Windows Service with a random name, which means that you can't just search for "Conficker" and hope to find it. Then the malware creates an ImagePath value that points to "svchost.exe -k netsvcs", which runs it when the system starts, but runs it as System level privileges. Also, note that a LOT of Services start this way, too. Then the malware creates a Parameters\ServiceDll value name that points to a randomly named DLL.
Interestingly, there's a number of bits of malware that use this same or a similar persistence mechanism. Okay, great. So, besides going to each machine individually, opening RegEdit, and clicking through the GUI, what do you do?
That's where Perl comes in! I ducked inside a telephone booth, pulled out my laptop and found some previously written code that accesses the live Registry in read-only mode. I then opened up one of my RegRipper plugins, grabbed a bit of already-written and -tested code, added it, shook it (one does NOT stir!), and presto! RegScan was born!
So here's what regscan does...you run it on your local system and it accesses the HKLM\System\CurrentControlSet\Services key, gets a list of subkeys, and then goes to each one and gets the LastWrite time, the ImagePath value (if there is one), the Parameters\ServiceDll value (if there is one), sorts everything by LastWrite time, and prints each Service entry on a single line with each element pipe ('|') separated. Okay, take a breath.
You run regscan like so:
C:\>regscan.pl
And you get a bunch of stuff like this:
Sat Jan 3 00:34:43 2009Z|WebClient|%SystemRoot%\system3\svchost.exe -k LocalService|%SystemRoot%\System32\webclnt.dll
Sat Jan 3 00:34:43 2009Z|winachsf|system32\DRIVERS\HSX_CNXT.sys||
Sat Jan 3 00:34:43 2009Z|Windows Workflow Foundation 3.0.0.0|||
Sat Jan 3 00:34:43 2009Z|winmgmt|%systemroot%\system32\svchost.exe -k netsvcs|%SystemRoot%\system32\wbem\WMIsvc.dll
Sat Jan 3 00:34:43 2009Z|Winsock||
Uh...okay. Well, this is command line, so to weed out some of the stuff you aren't interested in, you could type:
C:\>regscan.pl | find "svchost.exe -k netsvcs"
But wait...there's more! If you want to access remote systems (that you have admin access to, such as in your lab or in your corporate infrastructure), just type:
C:\>regscan.pl IP_address
...or...
C:\>regscan.pl System_name
Pretty cool, eh? And no, you don't need to have Perl running on the remote system. And yes, I've 'compiled' it into an EXE w/ Perl2Exe. And yes, it'll be included on the media that accompanies WFA 2/e. Oh, and it's also available for download at the RegRipper site, in the Downloads section. Enjoy!
Now that is cool. I really need to learn Perl (add learning Perl to ever-growing list of items to get to). Thanks Harlan!
ReplyDeleteKP
There are very few personal problems that can't be solved by the proper application of high expl...oh, sorry. I mean, Perl. ;-)
ReplyDeleteSo, there was an issue, a problem that needed to be addressed. None of the tools I have native to a Windows system provided me with the information I needed. So it came down to two choices...use Perl to access the Win32_Service WMI class, or use Perl to access the Registry directly. Both would've given me information from other systems, but accessing the Registry directly gave me the Registry Key LastWrite times.
I found a long time ago that learning Perl took care of a good number of things on my list...
This comment has been removed by the author.
ReplyDeleteAs I delve deeper into the world of digital forensics, I'm discovering just how much Perl is used to solve various problems. Reading WFA really enforces to me how important Perl is.
ReplyDeleteI've heard it's not a terribly easy language to learn, but I've not looked at any learning materials yet to see for myself. I really need to convince my wife that I need to retire so I can devote all my time to learning cool stuff ;)
KP
Perl is the best scripting language for Text processing and handle regex. I have posted few articles related to those at my blog
ReplyDeletehttp://icfun.blogspot.com/search/label/perl
Also Perl's Cpan has lots of support that I don't even need to think extra while developing project. I didn't find such help on other programming language except Java and .NET
Good stuff, can never have enough Perl...
ReplyDelete