If you want to open your hives and browse the structure you can of course use any hex editor. There are several hex editors out there that let you define templates to parse data. One of these hex editors is 010 Editor.
010 has a C/C++ like syntax for defining templates. I wrote a template for Registry hives that you can get on theTemplate Archive (at some point), but it will also always be available here.
The template currently supports all the major structures found in hives including NK, VK. SK. and lists (LH, LF, and LI).
How to use it
After saving the template to your computer, add it to 010 editor via the Templates | Edit Templates List option.
Click New, change the name to "Registry hive", then browse to the template you saved above. Once that is done click OK.
Open a hive in 010 and then select Templates | Registry hive from the list.
Here is an example of what you would see before applying the template:
And after applying the template.
As you browse the data at the bottom the relevant bytes are selected in the hex view. In the image below I selected the Descriptor struct and all the bytes that make up that struct are selected. If I select a member of a struct, the bytes belonging to that member are selected.
From here you can explore at will and verify hives by hand (just be sure to add 0x1000 to any offsets to get to the proper position in the file).
Enjoy!
'malware ' 카테고리의 다른 글
| CTB-Locker dropper (0) | 2015.02.13 |
|---|---|
| Reverse Engineering Resources (0) | 2015.02.13 |
| One-Bit To Rule Them All: Bypassing Windows’ 10 Protections using a Single Bit (0) | 2015.02.11 |
| Dridex이 가진 새로운 UAC 해결 방법 (0) | 2015.02.11 |
| Analyzing CVE-2015-0016, Revisited (0) | 2015.02.11 |