Author Topic: Read Registry RAW (like a Rootkit revealer)  (Read 4991 times)


Offline Theo Gottwald
Read Registry RAW (like a Rootkit revealer)
« on: July 04, 2012, 08:52:35 AM »
Viruses do sometimes hide from being seen. For this they hook the APIs, for example those well-known RegistryRead APIs.

Then how do "Rootkit Revealers" like those from Sysinternals still reveal the Rootkit?
They use a technique that reads the "registry RAW".

It does not use the API; it directly reads from the large registry file, which is organized like a very simple filesystem.

I have just seen this interesting code:

Read Registry RAW

Let me add that using this system, larger parts of the registry can be accessed much faster than using the API, because no rights management is used.

Which we do not yet have in PB currently. Is anybody interested in making a translation?

Registry-Inside Format
« Last Edit: July 04, 2012, 01:27:16 PM by Theo Gottwald »
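As an added example (not code from the post or from the linked project), here is a small Python parser that reads a hive the way the post describes: straight from the bytes of the file, with no registry API in between. The hive bytes are constructed inline so it runs offline; the layout used (regf base block, hbin, nk cell) is the documented on-disk format, and the checks it performs (signatures, sequence numbers, base-block checksum) are the ones a forensic reader does before trusting a hive.

```python
import struct

HIVE_BINS_START = 0x1000  # the base block is one 4 KiB page; hive bins follow it
KEY_COMP_NAME = 0x0020    # nk flag: key name stored as 8-bit chars rather than UTF-16LE

def base_block_checksum(block: bytes) -> int:
    """XOR of the first 508 bytes as little-endian DWORDs; stored at offset 0x1FC."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        x ^= dword
    return 1 if x == 0 else 0xFFFFFFFE if x == 0xFFFFFFFF else x  # Windows avoids 0 / all-ones

def build_hive(root_name: str) -> bytes:
    """Constructed sample hive (not a real file): base block + one hbin with a root nk cell."""
    name = root_name.encode("latin-1")
    # nk body: 'nk', flags, 0x44 bytes of fields left zeroed (timestamp, subkey/value lists, ...),
    # then name length, class-name length and the name itself at 0x4C.
    nk = b"nk" + struct.pack("<H", KEY_COMP_NAME) + b"\0" * 0x44 + struct.pack("<HH", len(name), 0) + name
    cell_size = -(-(4 + len(nk)) // 8) * 8                 # cells are 8-byte aligned
    cell = struct.pack("<i", -cell_size) + nk.ljust(cell_size - 4, b"\0")  # negative size = allocated
    hbin = (b"hbin" + struct.pack("<II", 0, 0x1000) + b"\0" * 0x14 + cell).ljust(0x1000, b"\0")
    base = bytearray(0x1000)
    base[0:4] = b"regf"
    struct.pack_into("<II", base, 0x04, 7, 7)             # primary == secondary: no unflushed write
    struct.pack_into("<IIII", base, 0x14, 1, 5, 0, 1)     # major 1, minor 5, type 0 (primary), format 1
    struct.pack_into("<II", base, 0x24, 0x20, len(hbin))  # root cell offset (within bins), bins size
    struct.pack_into("<I", base, 0x1FC, base_block_checksum(bytes(base)))
    return bytes(base) + hbin

def parse_hive(data: bytes) -> dict:
    """Walk the hive structures directly from the bytes; no registry API is involved."""
    if data[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    seq1, seq2 = struct.unpack_from("<II", data, 0x04)
    major, minor = struct.unpack_from("<II", data, 0x14)
    root_off, bins_size = struct.unpack_from("<II", data, 0x24)
    stored = struct.unpack_from("<I", data, 0x1FC)[0]
    if data[HIVE_BINS_START:HIVE_BINS_START + 4] != b"hbin":
        raise ValueError("first hive bin has no 'hbin' signature")
    cell = HIVE_BINS_START + root_off                      # cell offsets are relative to the bins start
    size = struct.unpack_from("<i", data, cell)[0]
    nk = cell + 4
    if size >= 0 or data[nk:nk + 2] != b"nk":
        raise ValueError("root cell is not an allocated 'nk' cell")
    flags, = struct.unpack_from("<H", data, nk + 2)
    name_len, = struct.unpack_from("<H", data, nk + 0x48)
    name = data[nk + 0x4C:nk + 0x4C + name_len].decode("latin-1" if flags & KEY_COMP_NAME else "utf-16-le")
    return {"version": f"{major}.{minor}", "clean": seq1 == seq2, "hive_bins_size": bins_size,
            "checksum_ok": stored == base_block_checksum(data[:HIVE_BINS_START]),
            "root_key": name, "root_cell_size": -size}
```

A real hive read this way also has to follow the subkey and value lists out of the nk cell; this block stops at the root key to show the mechanics of bypassing the API, which is exactly what an API-hooking rootkit cannot intercept.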