One Article Review

Home - The article:
Source ProjectZero
Identifier 8627647
Publication date 2024-12-19 11:03:53 (viewed: 2024-12-19 19:08:21)
Title The Windows Registry Adventure #5: The regf file format
Text Posted by Mateusz Jurczyk, Google Project Zero

As previously mentioned in the second installment of the blog post series ("A brief history of the feature"), the binary format used to encode registry hives from Windows NT 3.1 up to the modern Windows 11 is called regf. In a way, it is quite special, because it represents a registry subtree simultaneously on disk and in memory, as opposed to most other common file formats. Documents, images, videos, etc. are generally designed to store data efficiently on disk, and they are subsequently parsed to and from different in-memory representations whenever they are read or written. This seems only natural, as offline storage and RAM come with different constraints and requirements. On disk, it is important that the data is packed as tightly as possible, while in memory, easy and efficient random access is typically prioritized. The regf format aims to bypass the reparsing step – likely to optimize the memory/disk synchronization process – and reconcile the two types of data encodings into a single one that is both relatively compact and easy to operate on at the same time. This explains, for instance, why hives don't natively support compression (but the clients are of course free to store compressed data in the registry). This unique approach comes with its own set of challenges, and has been a contributing factor in a number of historical vulnerabilities.

Throughout the 30 years of the format's existence, Microsoft has never released its official specification. However, the data layout of all of the building blocks making up a hive (file header, bin headers, cell structures) is effectively public through the PDB symbols for the Windows kernel image (ntoskrnl.exe) available on the Microsoft Symbol Server. Furthermore, the Windows Internals book series also includes a section that delves into the specifics of the regf format (named Hive structure).
Lastly, forensics experts have long expressed interest in the format for analysis purposes, resulting in the creation of several unofficial specifications based on reverse engineering, experimentation and deduction. These sources have been listed in my earlier Learning resources blog post; the two most extensive specifications of this kind can be found here and here. The intent of this post is not to repeat the information compiled in the existing resources, but rather to highlight specific parts of the format that have major relevance to security, or provide some extra context where I found it missing. A deep understanding of the low-level regf format will prove invaluable in grasping many of the higher-level concepts in the registry, as well as the technical details of software bugs discussed in f
Rating ★★★★
Sent Yes
Tags Hack Tool Vulnerability Threat General Information Studies Legislation Technical


The article does not appear to have been picked up after its publication.


The article does not appear to have been reused from a previous one.