Topic
  • 29 replies
  • Latest Post - 2013-05-29T18:23:20Z by SecurityMG
SecurityMG
SecurityMG
32 Posts

Pinned topic CurrentControlSet\Services

2013-05-03T19:13:37Z

I'm looking to create a compound registry query to read the value "Type" of an unknown Services key and then display several values of that key. I cannot use the (DisplayName of it, Imagepath of it) of it, as this is blocked by the services I am looking for. Malware also blocks SC Query and WMI requests.

So it must be done using Registry keys.

This part works:

Q: if exists ((values "Type" of keys of keys "HKLM\System\CurrentControlSet\Services" of x64 registry) as string) whose (it = "272")

This part does not work: I want the DisplayName key data value of "Beep" to display.

then ((values "DisplayName" of keys of keys "HKLM\System\CurrentControlSet\Services" of x64 registry) as string) whose ("Type" of "Beep" = "1") else "No Key"

I used "Beep" as an example; it has to be the Service Key that the "if exists" finds. I would like to read the following values of each key with "Type value = 272", or any other value I am looking for. They can be four separate properties in the analysis; that would be fine.

1.  Services\unknown - Actual Key name whose Type value = 272 or 120 HEX

2.  Services\unknown\DisplayName

3.  Services\unknown\Imagepath

4.  services\unknown\Parameters\ServiceDll

Seems simple enough, but can't get it.

Thoughts?

Thanks,

MG

  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T13:30:31Z

    unique values of (it as string) of values "type" of keys of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T13:31:33Z

    names of keys whose(value "type" of it as string = "272") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T13:33:10Z

    (name of it, value "displayname" of it, value "imagepath" of it) of keys whose(value "type" of it as string = "272") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T13:35:51Z

    values "ServiceDLL" of keys "Parameters" of keys whose(exists key "Parameters" of it AND exists value "ServiceDLL" of key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

  • SecurityMG
    SecurityMG
    32 Posts

    Re: CurrentControlSet\Services

    2013-05-06T15:02:32Z
    • jgstew
    • 2013-05-06T13:35:51Z

    values "ServiceDLL" of keys "Parameters" of keys whose(exists key "Parameters" of it AND exists value "ServiceDLL" of key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

    Wow, thanks! On #2 & #3 I was close; not sure why I didn't get those.

    Now on #4 - any idea how to get the Parameters key on ONLY the service keys whose value is "272"?

    This is not working:

    values "ServiceDLL" of keys "Parameters" of keys whose(exists key "Parameters" of it AND exists value "ServiceDLL" of key "Parameters" of it) AND whose (value "type" of it as string = "272") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
     

     

  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T15:06:02Z

    Wow, thanks! On #2 & #3 I was close; not sure why I didn't get those.

    Now on #4 - any idea how to get the Parameters key on ONLY the service keys whose value is "272"?

    This is not working:

    values "ServiceDLL" of keys "Parameters" of keys whose(exists key "Parameters" of it AND exists value "ServiceDLL" of key "Parameters" of it) AND whose (value "type" of it as string = "272") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
     

     

    That last one does not work for me either because I did not have any services on my machine that had such entries, so that was purely a guess.

  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T15:08:00Z

    keys "Parameters" of keys whose(value "type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

  • SecurityMG
    SecurityMG
    32 Posts

    Re: CurrentControlSet\Services

    2013-05-06T15:09:35Z
    • jgstew
    • 2013-05-06T15:06:02Z

    That last one does not work for me either because I did not have any services on my machine that had such entries, so that was purely a guess.

    How about changing the TYPE value to 32, or any of the ones that worked under #1 that you do have?

    The "Parameter\Services" value is the malware file; the TYPE value indicates something funky, so the real trick is to link these two.

  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T15:13:15Z

    Side note, this same method is how I query the "Uninstall" key of the registry:

     

    not exists keys whose (value "DisplayName" of it as string as lowercase contains "Pidgin" as lowercase AND value "DisplayVersion" of it as string as version >= "2.9.0" as version) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry

     

    I use the above to install Pidgin on only machines that do not already have Pidgin installed. I do not worry about what the name of the registry key entry is; I just query the values of the key to find out if the key I am looking for exists or not. The main reason to do this is because these keys are often GUIDs or arbitrary names, both of which can be changed over time by the developer. I also much prefer seeing the query for the contents of the "DisplayName" value rather than some long GUID which is not human readable.

     

    This is also related: https://www.ibm.com/developerworks/community/forums/html/topic?id=0e3c105c-fc7b-467c-9adf-b8e1d780a542&ps=25

     

    You can use the same method to query and/or aggregate the contents of the "C:\Users" folder:

    ((sum of sizes of descendants of folders "AppData\Local\Temp" of folders whose(exists folder "AppData\Local\Temp" of it) of folder "C:\users") / (1024*1024)) as string & " MB of user temp files"

  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T15:14:32Z
    • jgstew
    • 2013-05-06T15:08:00Z

    keys "Parameters" of keys whose(value "type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

    (name of it, value "displayname" of it, value "imagepath" of it) of keys whose(value "type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T15:15:18Z
    • jgstew
    • 2013-05-06T15:08:00Z

    keys "Parameters" of keys whose(value "type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

    number of keys "Parameters" of keys whose(value "type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

  • dmoore21
    dmoore21
    56 Posts

    Re: CurrentControlSet\Services

    2013-05-06T15:23:28Z
    • jgstew
    • 2013-05-06T15:08:00Z

    keys "Parameters" of keys whose(value "type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

    When I try your query, I get the following:

     

    Q: keys "Parameters" of keys whose (value "Type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
    E: This expression evaluates to an unrepresentable object of type "registry key"
     
  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T15:30:59Z
    • dmoore21
    • 2013-05-06T15:23:28Z

    When I try your query, I get the following:

     

    Q: keys "Parameters" of keys whose (value "Type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
    E: This expression evaluates to an unrepresentable object of type "registry key"
     

    That is what you should get; it means you are getting a result.

    Try this: 

    names of keys "Parameters" of keys whose (value "Type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T15:32:58Z

    How about changing the TYPE value to 32, or any of the ones that worked under #1 that you do have?

    The "Parameter\Services" value is the malware file; the TYPE value indicates something funky, so the real trick is to link these two.

    (name of it, value "displayname" of it, value "imagepath" of it) of keys whose(value "type" of it as string = "32" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

  • SecurityMG
    SecurityMG
    32 Posts

    Re: CurrentControlSet\Services

    2013-05-06T16:06:35Z
    • jgstew
    • 2013-05-06T15:30:59Z

    That is what you should get; it means you are getting a result.

    Try this: 

    names of keys "Parameters" of keys whose (value "Type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

    This one just returns "Parameters" as the answer for all. Tried to play with it... it just returns True.

    value "ServiceDll" of keys whose (value "Type" of it as string = "288" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

    Works to find the ServiceDll value for any key.

    It would be nice to combine the one above with below... ;-)

    (name of it, value "displayname" of it, value "imagepath" of it) of keys whose(value "type" of it as string = "288" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

    Thanks for your assistance... for some reason this was eluding me.

     

     

  • SecurityMG
    SecurityMG
    32 Posts

    Re: CurrentControlSet\Services

    2013-05-06T16:08:05Z
    • jgstew
    • 2013-05-06T15:13:15Z

    Side note, this same method is how I query the "Uninstall" key of the registry:

     

    not exists keys whose (value "DisplayName" of it as string as lowercase contains "Pidgin" as lowercase AND value "DisplayVersion" of it as string as version >= "2.9.0" as version) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry

     

    I use the above to install Pidgin on only machines that do not already have Pidgin installed. I do not worry about what the name of the registry key entry is; I just query the values of the key to find out if the key I am looking for exists or not. The main reason to do this is because these keys are often GUIDs or arbitrary names, both of which can be changed over time by the developer. I also much prefer seeing the query for the contents of the "DisplayName" value rather than some long GUID which is not human readable.

     

    This is also related: https://www.ibm.com/developerworks/community/forums/html/topic?id=0e3c105c-fc7b-467c-9adf-b8e1d780a542&ps=25

     

    You can use the same method to query and/or aggregate the contents of the "C:\Users" folder:

    ((sum of sizes of descendants of folders "AppData\Local\Temp" of folders whose(exists folder "AppData\Local\Temp" of it) of folder "C:\users") / (1024*1024)) as string & " MB of user temp files"

    I use a slightly different approach on user keys.

    if exists (pathnames whose (it ends with ".exe") of files of folders of folders of folders of folder "c:\users") whose (it as lowercase contains "\appdata\") then (pathnames whose (it ends with ".exe") of files of folders of folders of folders of folder "c:\users") whose (it as lowercase contains "\appdata\") else "No MALWARE"

    Then I can adjust up or down folders as needed. We look for new folders to appear and then what is in them, or just the extensions of the type we care about.

    if exists (pathnames whose (it ends with ".exe") of files of folders of folders of folders of folders of folder "c:\users") whose (it as lowercase contains "\appdata\") then (pathnames whose (it ends with ".exe") of files of folders of folders of folders of folders of folder "c:\users") whose (it as lowercase contains "\appdata\") else "No_Files"

     

     

  • SecurityMG
    SecurityMG
    32 Posts

    Re: CurrentControlSet\Services

    2013-05-06T16:11:00Z
    • dmoore21
    • 2013-05-06T15:23:28Z

    When I try your query, I get the following:

     

    Q: keys "Parameters" of keys whose (value "Type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
    E: This expression evaluates to an unrepresentable object of type "registry key"
     

    This is the query I was after.

    value "ServiceDll" of keys whose (value "Type" of it as string = "288" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

    The TYPE value 288 is VERY odd and does not show up where you would expect. I look at the type to see if I need to know more, and the above tells me the actual ServiceDll that is being injected by the Imagepath, which in the case of the malware is svchost netsvcs, and that tells me nothing... but the subkey of the service, Parameters, has a ServiceDll value that lists the BAD JuJu dll I am trying to find.

     

     

  • SecurityMG
    SecurityMG
    32 Posts

    Re: CurrentControlSet\Services

    2013-05-06T16:30:02Z
    • dmoore21
    • 2013-05-06T15:23:28Z

    When I try your query, I get the following:

     

    Q: keys "Parameters" of keys whose (value "Type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
    E: This expression evaluates to an unrepresentable object of type "registry key"
     

    Scratch that...

    Use 'values' in case there are multiple keys.

    values "ServiceDll" of keys whose (value "Type" of it as string = "32" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of x64 registry

     

  • SecurityMG
    SecurityMG
    32 Posts

    Re: CurrentControlSet\Services

    2013-05-06T18:46:14Z
    • jgstew
    • 2013-05-06T15:13:15Z

    Side note, this same method is how I query the "Uninstall" key of the registry:

     

    not exists keys whose (value "DisplayName" of it as string as lowercase contains "Pidgin" as lowercase AND value "DisplayVersion" of it as string as version >= "2.9.0" as version) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry

     

    I use the above to install Pidgin on only machines that do not already have Pidgin installed. I do not worry about what the name of the registry key entry is; I just query the values of the key to find out if the key I am looking for exists or not. The main reason to do this is because these keys are often GUIDs or arbitrary names, both of which can be changed over time by the developer. I also much prefer seeing the query for the contents of the "DisplayName" value rather than some long GUID which is not human readable.

     

    This is also related: https://www.ibm.com/developerworks/community/forums/html/topic?id=0e3c105c-fc7b-467c-9adf-b8e1d780a542&ps=25

     

    You can use the same method to query and/or aggregate the contents of the "C:\Users" folder:

    ((sum of sizes of descendants of folders "AppData\Local\Temp" of folders whose(exists folder "AppData\Local\Temp" of it) of folder "C:\users") / (1024*1024)) as string & " MB of user temp files"

    OK... explain this one...

    Q: values "ServiceDll" of keys whose (value "Type" of it as string as lowercase = "32" AND exists key "Parameters" of it) of key "HKLM\SYSTEM\CurrentControlSet\Services" of x64 registry
    A: %25SystemRoot%25\system32\dhcpcore.dll%00
    A: %25SystemRoot%25\System32\trkwks.dll%00
    T: 11.674 ms
     

    Looks like it works, but change one of the TYPE values to 288 hex (120 dec) and look for "288".

    No worky?? WTF

    Well, these two have ServiceDll under the Service Key... this is NOT picking up the subkey Parameters.

    This works:

    values "ServiceDll" of keys of keys whose (value "Type" of it as string = "288" AND exists key "Parameters" of it) of key "HKLM\SYSTEM\CurrentControlSet\Services" of x64 registry

    Notice "keys of keys".

  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T21:26:36Z

    This one just returns "Parameters" as the answer for all. Tried to play with it... it just returns True.

    value "ServiceDll" of keys whose (value "Type" of it as string = "288" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

    Works to find the ServiceDll value for any key.

    It would be nice to combine the one above with below... ;-)

    (name of it, value "displayname" of it, value "imagepath" of it) of keys whose(value "type" of it as string = "288" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

    Thanks for your assistance... for some reason this was eluding me.

     

     

    It was only supposed to return "Parameters"... I do not have this situation on any of my systems, so I cannot come up with examples to extract the info that you desire without just guessing.

    This is kind of what I'm trying to point you towards:

    (value "whatever" of it, value "whatever2" of it) of keys "Parameters" of keys whose (value "Type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry

  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T21:28:30Z

    Scratch that...

    Use 'values' in case there are multiple keys.

    values "ServiceDll" of keys whose (value "Type" of it as string = "32" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of x64 registry

     

    You don't need "x64 registry"; use "native registry", since it will work on 32-bit or 64-bit machines.

     

    (In all truth, you don't actually need "native registry", since it only makes a difference when looking at the software key, but I like to use it everywhere.)

  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T21:31:01Z

    OK... explain this one...

    Q: values "ServiceDll" of keys whose (value "Type" of it as string as lowercase = "32" AND exists key "Parameters" of it) of key "HKLM\SYSTEM\CurrentControlSet\Services" of x64 registry
    A: %25SystemRoot%25\system32\dhcpcore.dll%00
    A: %25SystemRoot%25\System32\trkwks.dll%00
    T: 11.674 ms
     

    Looks like it works, but change one of the TYPE values to 288 hex (120 dec) and look for "288".

    No worky?? WTF

    Well, these two have ServiceDll under the Service Key... this is NOT picking up the subkey Parameters.

    This works:

    values "ServiceDll" of keys of keys whose (value "Type" of it as string = "288" AND exists key "Parameters" of it) of key "HKLM\SYSTEM\CurrentControlSet\Services" of x64 registry

    Notice "keys of keys".

    Those queries do not pick up subkey stuff, only the exact location that it is pointing to. If something is only in a subkey, then you have to do "keys of keys" to search the subkeys.

  • jgstew
    jgstew
    410 Posts

    Re: CurrentControlSet\Services

    2013-05-06T21:33:54Z

    I use a slightly different approach on user keys.

    if exists (pathnames whose (it ends with ".exe") of files of folders of folders of folders of folder "c:\users") whose (it as lowercase contains "\appdata\") then (pathnames whose (it ends with ".exe") of files of folders of folders of folders of folder "c:\users") whose (it as lowercase contains "\appdata\") else "No MALWARE"

    Then I can adjust up or down folders as needed. We look for new folders to appear and then what is in them, or just the extensions of the type we care about.

    if exists (pathnames whose (it ends with ".exe") of files of folders of folders of folders of folders of folder "c:\users") whose (it as lowercase contains "\appdata\") then (pathnames whose (it ends with ".exe") of files of folders of folders of folders of folders of folder "c:\users") whose (it as lowercase contains "\appdata\") else "No_Files"

     

     

    This seems like an oddly written query to me, and I don't entirely get the point of it. It seems a bit too unspecific to me, and you could probably be using the "descendants" option to effectively "search" inside particular folders.

  • SecurityMG
    SecurityMG
    32 Posts

    Re: CurrentControlSet\Services

    2013-05-07T20:15:47Z
    • jgstew
    • 2013-05-06T21:31:01Z

    Those queries do not pick up subkey stuff, only the exact location that it is pointing to. If something is only in a subkey, then you have to do "keys of keys" to search the subkeys.

    That is all you need: that key and the ServiceDll value. You want to locate the file being launched by the ImagePath value if it is netsvcs, for example.

    It is working well to find odd services of Type 288 and a ServiceDll name.
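As an added example that is not part of the thread and is not BigFix relevance, the same registry-only enumeration done in PowerShell: it filters service keys on the Type value, reports DisplayName and ImagePath, and reads ServiceDll from both locations the thread ran into (directly under the service key and under the Parameters subkey), so the "keys of keys" trap does not apply. The default Type list (288 and 272), the svchost check and the function names are assumptions taken from the thread's discussion.

```powershell
# Added example, not from the thread: enumerate CurrentControlSet\Services
# from PowerShell and report the values the thread was after, without using
# sc.exe or WMI. Assumption: the Type values of interest are the decimal
# values used in the thread (288 = 0x120, 272 = 0x110); override with -WantedTypes.
param(
    [int[]]$WantedTypes = @(288, 272),
    [switch]$AllTypes   # report every service regardless of Type
)

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Read a REG_SZ/REG_EXPAND_SZ value without expanding %SystemRoot% etc.,
# so the report shows what the registry actually contains.
function Get-RawValue {
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Name)
    $Key.GetValue($Name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

# ServiceDll can sit directly under the service key or under Parameters;
# the thread needed "keys of keys" for the second case. Check both.
function Get-ServiceDll {
    param([Microsoft.Win32.RegistryKey]$Key)
    $dll = Get-RawValue $Key 'ServiceDll'
    if ($dll) { return @{ Path = $dll; Location = 'service key' } }
    $params = $Key.OpenSubKey('Parameters')
    if ($null -eq $params) { return $null }
    try {
        $dll = Get-RawValue $params 'ServiceDll'
        if ($dll) { return @{ Path = $dll; Location = 'Parameters' } }
    } finally { $params.Close() }
    return $null
}

function Get-ServiceRegistryReport {
    param([int[]]$Types, [switch]$All)
    Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $type = $_.GetValue('Type')
        if ($null -eq $type) { return }   # keys without a Type value are skipped
        if (-not $All -and $Types -notcontains [int]$type) { return }
        $imagePath = Get-RawValue $_ 'ImagePath'
        $dll = Get-ServiceDll $_
        $dllPath = if ($dll) { $dll.Path } else { $null }
        $dllWhere = if ($dll) { $dll.Location } else { $null }
        [pscustomobject]@{
            Service     = $_.PSChildName
            TypeHex     = ('0x{0:X}' -f [int]$type)
            DisplayName = Get-RawValue $_ 'DisplayName'
            ImagePath   = $imagePath
            # An svchost ImagePath says nothing about the real code; ServiceDll does.
            Hosted      = [bool]($imagePath -and $imagePath -match 'svchost')
            ServiceDll  = $dllPath
            DllLocation = $dllWhere
        }
    }
}

Get-ServiceRegistryReport -Types $WantedTypes -All:$AllTypes |
    Sort-Object Service | Format-Table -AutoSize
```

Run it from an elevated prompt so every service key is readable; pass -AllTypes to see the whole table and confirm which Type values actually occur on the machine before narrowing the filter.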