0x00 Preface
I recently read the MWR Labs article "Persistence Architecture Matters". It happened to explain a problem I had run into earlier and clarified the details that need attention with file system and registry redirection.
Anyone learning this material will run into it sooner or later, so I am sharing it here.
Link to "Persistence Architecture Matters":
https://labs.mwrinfosecurity.com/blog/persistence-architecture-matters/
0x01 The registry value that disappears
OS: Windows 8 x64
Development environment: VS2008
1. Write a program that writes to the registry
The Code is as follows:
#include <windows.h>
#include <stdio.h>
#include <string.h>

/* Writes the path of this executable as the REG_SZ value "test" under
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
   The explicit ...A functions are used so the narrow string literals compile
   regardless of the project's character set. No KEY_WOW64_64KEY is passed,
   so a 32-bit build of this program is subject to registry redirection. */
int main(int argc, char *argv[])
{
    LPCSTR lpSubKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    HKEY hKey;
    DWORD dwDisposition = REG_OPENED_EXISTING_KEY;
    LONG lRet = ::RegCreateKeyExA(HKEY_LOCAL_MACHINE, lpSubKey, 0, NULL,
                                  REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS,
                                  NULL, &hKey, &dwDisposition);
    if (ERROR_SUCCESS != lRet) {
        printf("RegCreateKeyEx error! (%ld)\n", lRet);
        return 1;
    }

    char szModuleName[MAX_PATH] = { 0 };
    ::GetModuleFileNameA(NULL, szModuleName, MAX_PATH);

    lRet = ::RegSetValueExA(hKey, "test", 0, REG_SZ, (const BYTE *)szModuleName,
                            (DWORD)strlen(szModuleName) + 1);
    if (ERROR_SUCCESS != lRet)
        printf("RegSetValueEx error! (%ld)\n", lRet);
    else
        printf("[+] RegSetValueEx Success!\n");

    ::RegCloseKey(hKey);
    return 0;
}
The compilation platform is set to Win32 (a 32-bit build).
After running it as administrator, it reports that the value test was written under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
2. Read back the written value
Write a batch file to read the result. The batch file contains:
REG query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "test" >>result.txt
Right-click the batch file in Explorer and run it directly.
However, the value that was just written does not appear in result.txt: the query finds nothing.
0x02 The file that disappears
1. Write a program that writes a file
The Code is as follows:
#include <stdio.h>
#include <string.h>

/* Appends the string "test" to c:\windows\system32\test.txt, creating the
   file if it does not exist. A 32-bit build of this program is subject to
   file system redirection on 64-bit Windows. */
int main(void)
{
    const char *temp = "test";
    FILE *fp = fopen("c:\\windows\\system32\\test.txt", "a+");
    if (fp == NULL) {
        printf("fopen error!\n");
        return 1;
    }
    fwrite(temp, strlen(temp), 1, fp);
    printf("[+] Write Success!\n");
    fclose(fp);
    return 0;
}
The compilation platform is again set to Win32.
After running it as administrator, it reports that the file test.txt was written to c:\windows\system32\.
2. Look for the written file
The batch processing content is as follows:
dir c:\windows\system32\test.txt >>result.txt
Right-click the batch file in Explorer and run it directly.
Likewise, the batch output does not show the file that was just written.
0x03 Cause analysis
1. Redirection
Starting with Windows XP x64, 64-bit Windows introduced two mechanisms: file system redirection and registry redirection.
They are used to keep 32-bit programs and 64-bit programs apart on a 64-bit system.
The subsystem that runs 32-bit programs on a 64-bit platform is called WOW64,
short for "Windows 32-bit on Windows 64-bit".
2. Registry redirection
On x64 systems, certain registry keys exist in two separate copies, one for 64-bit and one for 32-bit applications.
(1) Some registry operations of a 32-bit program are redirected.
For example, access to HKLM\Software is redirected by WOW64 to HKLM\Software\Wow6432Node.
For the full list of keys that are redirected, see:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa384253(v=vs.85).aspx
(2) Registry operations of a 64-bit program are not redirected.
(3) Supplement
Registry data written by 32-bit programs therefore ends up under HKLM\Software\Wow6432Node.
If a startup entry under HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
uses rundll32.exe to load a DLL, the system executes the 32-bit rundll32.exe (C:\Windows\SysWOW64\rundll32.exe) to load it, so the DLL must be 32-bit; a 64-bit DLL fails to load.
Conversely, for an entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
the 64-bit rundll32.exe is used, and the DLL must be 64-bit.
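Before planting a DLL under either Run key it is worth checking the DLL's real architecture instead of guessing. The PowerShell below is an added example, not code from this article or from the MWR Labs post: it reads the Machine field of the PE header and reports which rundll32.exe and which Run key pair with that architecture on x64 Windows, following the rule stated above. The function and output field names are my own; the paths and key names are the ones the text gives.

```powershell
# Added example, not from the article: determine a PE file's architecture and
# the rundll32.exe / Run key that go with it on 64-bit Windows.
function Get-PeMachine {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # IMAGE_DOS_HEADER: "MZ" magic, e_lfanew (offset of the PE signature) at 0x3C
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (no MZ header)"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    # need the 4-byte "PE\0\0" signature plus the 2-byte Machine field after it
    if ($peOffset -lt 0 -or $peOffset + 6 -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has no PE signature at e_lfanew"
    }
    # IMAGE_FILE_HEADER.Machine is the first WORD after the signature
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014C  { 'x86' }      # IMAGE_FILE_MACHINE_I386
        0x8664  { 'x64' }      # IMAGE_FILE_MACHINE_AMD64
        0xAA64  { 'arm64' }    # IMAGE_FILE_MACHINE_ARM64
        default { 'unknown (0x{0:X4})' -f $machine }
    }
}

# Pair a DLL with the rundll32.exe and Run key of the same architecture.
function Get-RunDllTarget {
    param([Parameter(Mandatory)][string]$DllPath)

    $windir = $env:SystemRoot
    $arch   = Get-PeMachine -Path $DllPath
    switch ($arch) {
        'x86' {
            [pscustomobject]@{
                Architecture = $arch
                RunDll32     = "$windir\SysWOW64\rundll32.exe"
                RunKey       = 'HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
            }
        }
        'x64' {
            [pscustomobject]@{
                Architecture = $arch
                RunDll32     = "$windir\System32\rundll32.exe"
                RunKey       = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
            }
        }
        default { throw "no rundll32.exe matches architecture '$arch'" }
    }
}

# Usage: the two rundll32.exe copies shipped with Windows are a handy self-test.
Get-PeMachine "$env:SystemRoot\SysWOW64\rundll32.exe"   # x86
Get-PeMachine "$env:SystemRoot\System32\rundll32.exe"   # x64 from a 64-bit shell
Get-RunDllTarget -DllPath "$env:SystemRoot\SysWOW64\kernel32.dll"
```

Note that the second Get-PeMachine call reports x86 when run from a 32-bit PowerShell, because the System32 path itself is redirected to SysWOW64 for that process; that is the same effect the rest of this article is about.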
3. File redirection
Similarly, the file system has two separate system directories.
(1) Access by a 32-bit program to %SystemRoot%\System32
is redirected:
the 32-bit program actually reaches %SystemRoot%\SysWOW64.
(2) File operations of a 64-bit program are not redirected.
(3) Supplement
%SystemRoot%\SysWOW64 holds the 32-bit system binaries, including the 32-bit cmd.exe and calc.exe.
Based on the above analysis, the following methods for dealing with registry values and files can be worked out.
0x04 Retrieving the registry value
Cause:
The registry write of the 32-bit program is redirected to HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
A batch file run from Explorer is executed by the 64-bit cmd.exe by default, which is not redirected, so it queries HKLM\Software\Microsoft\Windows\CurrentVersion\Run, where nothing was written.
Solution:
1. Change the API parameters so the 32-bit program bypasses redirection and accesses the 64-bit registry view.
When calling RegCreateKeyEx to create the key, add KEY_WOW64_64KEY to the sixth parameter, REGSAM samDesired.
That is, change KEY_ALL_ACCESS
to KEY_ALL_ACCESS | KEY_WOW64_64KEY
Redirection is then skipped and the value is written to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
The modified code is as follows:
#include <windows.h>
#include <stdio.h>
#include <string.h>

/* Same program as before, but KEY_WOW64_64KEY is added to samDesired so that
   the 32-bit build opens the 64-bit view of the key instead of being
   redirected to Wow6432Node. */
int main(int argc, char *argv[])
{
    LPCSTR lpSubKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    HKEY hKey;
    DWORD dwDisposition = REG_OPENED_EXISTING_KEY;
    LONG lRet = ::RegCreateKeyExA(HKEY_LOCAL_MACHINE, lpSubKey, 0, NULL,
                                  REG_OPTION_NON_VOLATILE,
                                  KEY_ALL_ACCESS | KEY_WOW64_64KEY,
                                  NULL, &hKey, &dwDisposition);
    if (ERROR_SUCCESS != lRet) {
        printf("RegCreateKeyEx error! (%ld)\n", lRet);
        return 1;
    }

    char szModuleName[MAX_PATH] = { 0 };
    ::GetModuleFileNameA(NULL, szModuleName, MAX_PATH);

    lRet = ::RegSetValueExA(hKey, "test", 0, REG_SZ, (const BYTE *)szModuleName,
                            (DWORD)strlen(szModuleName) + 1);
    if (ERROR_SUCCESS != lRet)
        printf("RegSetValueEx error! (%ld)\n", lRet);
    else
        printf("[+] RegSetValueEx Success!\n");

    ::RegCloseKey(hKey);
    return 0;
}
Run the batch file again:
REG query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "test" >>result.txt
This time the value is found.
Note:
Wow64DisableWow64FsRedirection
and Wow64RevertWow64FsRedirection
are the equivalent switch for the file system case in 0x05: they turn file system redirection off and back on for the calling thread. They have no effect on registry redirection, so for the registry the KEY_WOW64_64KEY (or KEY_WOW64_32KEY) access flag is the way to pick a view.
2. Change the batch file to query the redirected location (to verify the conclusion)
If the original program is left unchanged, it writes by default to HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
Change the batch file to query the redirected location:
REG query "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "test"
Run from Explorer, this finds the value.
Note:
In a real engagement you rarely get to run a batch file by double-clicking it in Explorer, so this method is only useful for verification.
Usually the batch file is launched by the 32-bit program itself, and then the cmd.exe it spawns is the redirected 32-bit copy in SysWOW64, which has the same redirection problem.
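A way to see both views side by side, independent of the bitness of the shell doing the looking: the script below is an added example, not code from this article. It opens HKLM explicitly through the 64-bit and the 32-bit registry views via .NET, which is what KEY_WOW64_64KEY and KEY_WOW64_32KEY select in the Win32 API, so the answer is the same whether it runs in a 32-bit or a 64-bit PowerShell. The value name test comes from the article; the function names are my own.

```powershell
# Added example, not from the article: read the Run key through both registry
# views explicitly. RegistryView.Registry64 is the managed counterpart of
# KEY_WOW64_64KEY and Registry32 of KEY_WOW64_32KEY, so the result does not
# depend on whether PowerShell itself is a 32-bit or a 64-bit process.
$RunSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'

function Get-RunValueInBothViews {
    param([string]$ValueName = 'test')   # value name from the article

    $result = [ordered]@{
        ProcessIs64Bit = [Environment]::Is64BitProcess
        OSIs64Bit      = [Environment]::Is64BitOperatingSystem
    }
    foreach ($view in 'Registry64', 'Registry32') {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine,
                    [Microsoft.Win32.RegistryView]$view)
        try {
            # In the 32-bit view this subkey is physically
            # HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
            $key = $base.OpenSubKey($RunSubKey)
            $result[$view] = if ($key) { $key.GetValue($ValueName, $null) } else { $null }
            if ($key) { $key.Close() }
        } finally {
            $base.Close()
        }
    }
    [pscustomobject]$result
}

# Write a REG_SZ value into the chosen view (HKLM needs an elevated shell).
# Like the article's program, the data defaults to the current executable's path.
function Set-RunValueInView {
    param(
        [Parameter(Mandatory)][ValidateSet('Registry64', 'Registry32')][string]$View,
        [string]$ValueName = 'test',
        [string]$Data = (Get-Process -Id $PID).Path
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine,
                [Microsoft.Win32.RegistryView]$View)
    try {
        $key = $base.OpenSubKey($RunSubKey, $true)     # $true = writable
        if (-not $key) { throw "cannot open $RunSubKey for writing in view $View" }
        $key.SetValue($ValueName, $Data, [Microsoft.Win32.RegistryValueKind]::String)
        $key.Close()
    } finally {
        $base.Close()
    }
}

# Usage (elevated): plant the value in the 64-bit view, as the fixed program
# does, then show both views. Uncomment the Set- line to actually write.
# Set-RunValueInView -View Registry64
Get-RunValueInBothViews | Format-List
```

Run it once from the 64-bit PowerShell and once from the 32-bit one (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe): ProcessIs64Bit changes, the Registry64 and Registry32 columns do not, which is the property the unmodified 32-bit program and the Explorer-launched batch file lack.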
0x05 Retrieving the file
Cause:
Similarly, a write by a 32-bit program to c:\windows\system32\
is redirected to c:\windows\SysWOW64\.
To reach the real c:\windows\system32\ from a 32-bit program,
access it as c:\windows\Sysnative\ instead.
1. Change the batch file
The file the 32-bit program actually created is c:\windows\SysWOW64\test.txt.
So the batch file becomes:
dir C:\Windows\SysWOW64\test.txt >>result.txt
2. Supplement
(1) A problem I ran into earlier:
The problem showed up while testing a Security Support Provider:
http://drops.wooyun.org/tips/12518
A 32-bit program was used to upload mimikatz.dll to c:\windows\system32\ on the domain controller (Server 2008 x64).
Because of redirection, mimikatz.dll actually landed in c:\windows\SysWOW64\, so the test failed.
Solutions:
- Change the copy destination to c:\windows\Sysnative\.
- Have the copy performed by a batch file run under the 64-bit cmd.exe instead, which is not redirected (a 32-bit process must launch it as c:\windows\Sysnative\cmd.exe, since a plain cmd.exe resolves to the 32-bit copy in SysWOW64).
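The following PowerShell is an added example, not code from this article: it shows what "System32" resolves to for the current process and exercises both ways of reaching the real directory from a 32-bit process, the Sysnative alias (available on Vista and later) and Wow64DisableWow64FsRedirection / Wow64RevertWow64FsRedirection via P/Invoke. The function and field names are my own; test.txt is the file name from the article.

```powershell
# Added example, not from the article: where System32 really points for this
# process, and two ways for a 32-bit process to reach the real directory.
Add-Type -Namespace Wow64 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64DisableWow64FsRedirection(out IntPtr oldValue);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64RevertWow64FsRedirection(IntPtr oldValue);
'@

function Get-System32Paths {
    $windir = $env:SystemRoot
    $is64   = [Environment]::Is64BitProcess
    # what "System32" actually means for this process
    $effective = if ($is64) { "$windir\System32" } else { "$windir\SysWOW64" }
    # the real 64-bit directory; the Sysnative alias exists only for 32-bit processes
    $real      = if ($is64) { "$windir\System32" } else { "$windir\Sysnative" }
    [pscustomobject]@{
        ProcessIs64Bit    = $is64
        System32Effective = $effective
        System32Real      = $real
        SysWOW64          = "$windir\SysWOW64"
    }
}

# Run a script block with file system redirection disabled on this thread.
# Keep the block short: while redirection is off, anything a 32-bit PowerShell
# loads from System32 would come from the 64-bit directory and fail.
function Invoke-WithoutFsRedirection {
    param([Parameter(Mandatory)][scriptblock]$Script)

    if ([Environment]::Is64BitProcess) { return & $Script }   # nothing to disable
    $old = [IntPtr]::Zero
    if (-not [Wow64.Native]::Wow64DisableWow64FsRedirection([ref]$old)) {
        throw ('Wow64DisableWow64FsRedirection failed, error ' +
               [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    try     { & $Script }
    finally { [void][Wow64.Native]::Wow64RevertWow64FsRedirection($old) }
}

# Look for a file name in each location; the pattern of True/False tells you
# where a 32-bit writer really put it.
function Find-InSystem32 {
    param([Parameter(Mandatory)][string]$FileName)

    $p        = Get-System32Paths
    $realPath = "$env:SystemRoot\System32\$FileName"
    [pscustomobject]@{
        ProcessIs64Bit      = $p.ProcessIs64Bit
        EffectiveSystem32   = Test-Path (Join-Path $p.System32Effective $FileName)
        SysWOW64            = Test-Path (Join-Path $p.SysWOW64 $FileName)
        RealSystem32        = Test-Path (Join-Path $p.System32Real $FileName)
        RealViaDisableRedir = Invoke-WithoutFsRedirection { Test-Path $realPath }.GetNewClosure()
    }
}

# Usage: run after the article's 32-bit writer has created test.txt.
Find-InSystem32 -FileName 'test.txt' | Format-List
```

From the 64-bit PowerShell the expected pattern for the article's file is EffectiveSystem32 False, SysWOW64 True, RealSystem32 False; from the 32-bit PowerShell it is EffectiveSystem32 True (that path is SysWOW64 for it), SysWOW64 True, and both Real* fields False, confirming that test.txt never reached the real System32. The closure is used so the script block keeps the file name when it runs inside Invoke-WithoutFsRedirection.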
(2) A quick way to test the difference between 32-bit and 64-bit programs:
32-bit cmd:
C:\Windows\SysWOW64\cmd.exe
64-bit cmd:
C:\Windows\System32\cmd.exe
Write to the registry and to the file system from each of them; the redirection details then become obvious.
Write to the registry:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "test"
Query the registry:
REG query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "test"
REG query "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "test"
Write File:
copy test.txt c:\windows\system32\test.txt
Find Files:
dir c:\windows\system32\test.txt
dir C:\Windows\SysWOW64\test.txt
dir C:\Windows\Sysnative\test.txt
0x06 Summary
When a 32-bit program runs on a 64-bit system, every registry and file operation it performs must take redirection into account.
Registry operations:
Accessing HKLM\Software\
actually lands in HKLM\Software\Wow6432Node\
File operations:
Accessing c:\windows\Sysnative\
actually reaches c:\windows\system32\
Accessing c:\windows\system32\
actually lands in c:\windows\SysWOW64\
The two diagrams in the MWR Labs article are a good help for understanding the details.
Thanks to the author of the MWR Labs article for sharing; it solved my problems and gave me a clearer understanding.
More learning materials:
- https://msdn.microsoft.com/en-us/library/windows/desktop/aa384232(v=vs.85).aspx
- https://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx
This article is original and was first published on wooyun drops:
http://drops.wooyun.org/tips/14831
[Figure: redirection for 32-bit programs running on a 64-bit system]