Plumbing the depths: Registry Internals

Eric R. Zimmerman

Senior director, Kroll Cyber Security

eric.zimmerman@kroll.com

501-313-3778

@EricRZimmerman

https://binaryforay.blogspot.com/

Topics of discussion

• Building blocks• Header• hbin

• Records• Cells

• Keys• Values• Security

• Lists• Data

• Recovering deleted records

Registry hive overview

Building blocks: Header

• 4096 bytes long

• Several important bits of information• Signature (Offset 0x0)

• Last write timestamp (Offset 0xC)

• Major and minor version (Offset 0x14 and offset 0x18)

• Root cell offset (Offset 0x24)

• Length* (Offset 0x28)

• Internal file name (Offset 0x30)

* Length does not always match with how much data is actually present

Building blocks: Header example

Signature Last write timestamp Major/minor versionRoot cell offset Length Internal file name

Parsing a hive

• The general rules for parsing a hive can be summarized as follows:1. Open file2. Read header

1. Get RootCellOffset

3. Locate hbin1. Determine length of hbin

4. Find records in hbin1. Cells2. Lists3. Data

5. "Do stuff" with records6. GOTO 3 until EOF or invalid hbin header is reached7. Close file

• Root cell index had a value of 0x20, which means the root cell for this hive is located at absolute offset 0x1000 + 0x20 == 0x1020

Building blocks: hbin

• hbins are containers that hold cells, lists, and data records

• Most often are 4096 bytes in size, but can be a multiple of 4096 bytes

• Several important bits of information in header (32 bytes long)• Signature (Relative offset 0x0)• FileOffset (Relative offset 0x4)• Size (Relative offset 0x8)

• Records start at relative offset 0x20

• As we saw on the last slide, add 0x1000 bytes (to account for header) to get the absolute offset

Building blocks: hbin example

Signature Relative offset Size

Beginning of record data

Records: Cells

• Cells• Named key (NK signature)

• Value key (VK signature)

• Security key (SK signature)

• General concepts• In use records have a negative size

• Free records have a positive size

• Never trust the size of free records• Free records can exist in record slack

Records: NK

• Commonly referred to as keys

• Contain several items of interest• Last write timestamp• Name• Subkey and value counts• Flags

• Contain several pointers to other data structures• Parent cell index: Points to another NK record (except for root node)• Value list cell index: Points to a list of VK record offsets• Subkey list index: Points to a list of NK record offsets• Security cell index: Points to an SK record

• As we saw before, the indexes to things like value list and subkeylist are relative offsets

• Add 0x1000 to find the data structure in a hex editor

Records: VK

• Commonly referred to as values

• Contain several items of interest• Name

• What if Name length is zero?

• Data type• Data length• Flags

• Contain several pointers to other data structures• Pointer to data record

• Exception: If data length <=4, the data is resident within the VK record

• Notice there is no pointer to the NK record where a VK record “lives”

• Since data length is 0x4, the data is stored directly in the VK record at offset 0xC.

• A maximum of four bytes of data can be stored since the Data pointer is a 32-bit number

VK data resident

• Data length is 0x72 or 114 bytes

• Data record lives at relative offset 0xABF8

• Anything left over in the data record after reading 114 bytes is value slack

VK data non-resident

Records: SK

• Very dense data format

• Several sections• Descriptor data

• SACL: system access control list (logging of successful/failed access by someone)• DACL: discretionary access control list (who has access to a resource)

• SACL and DACL records contain ACE (access control entry) records• Owner and group SIDs• More ACE detail at https://msdn.microsoft.com/en-

us/library/windows/desktop/aa374872(v=vs.85).aspx

• For a full breakdown of the SK record, see• https://binaryforay.blogspot.com/2015/02/registry-hive-basics-part-4-sk-

records.html

• Flags determine what other structures are present• DaclPresent

• SaclPresent

• Each contain information like:• Size

• ACE count

SK descriptor data

• Contains• Flags

• SID

• This is a DACL, so it controls who has access to the keys this SK record points to

SK ACE records

Records: Lists

• List signatures• lf

• lh

• li

• ri: point to either li or lx lists depending on version of hive (from header)

• db: contains an offset to another list of offsets. These offsets point to data records

• All work roughly the same in that they hold a list of offsets to other things

• For a much more in depth treatment of lists, see• https://binaryforay.blogspot.com/2015/08/registry-hive-basics-part-5-lists.html

Records: Data

• Data• Data records are made up of

• Size (4 bytes)• Remaining bytes are the data itself

• Normal• This is the non-resident case which means data length > 4• VK record ‘Data’ points to a data record

• Big data• Made up of normal data records contained in a db list• Used when value data exceeds 16,344 bytes• Only found in hives with version > 1.3 (version is contained in the header)• Once the db list is resolved to data offsets, concatenate the bytes together, then take

‘Data length’ bytes and treat them according to ‘Data type.’ Anything left is slack.

Putting it all together

NK

Subkey list cell index

List record

NK

NK

Value list cell index

VK

(resident data)

VK

(Big data)Db record List of offsets

Data record

Data recordVK

(Normal data)Data record

Security cell index

SK

Recovering deleted records

• Overview• Find free records

• Look for signatures

• Extract recoverable records (NK and VK primarily)

• Reassociate to existing records when possible

Locating free records• This is the beginning of a free data block

since its size is > 0.• It starts at offset 0x4020 and is 4064 bytes

long• Once a free block is found, scan it for

signatures• nk• Vk

• For each signature found, remember the offset

Extracting records

• The start of the free record is 0x4020

• The second offset with a signature is at 0x418

• Adding the two, we get offset 0x4438

• Here we have a recovered VK record

• Data length = 412 bytes

• OffsetToDatapoints to where the data lives

• Cursor is at the start of the data record

• Notice the data record is marked free as well since it has a positive size

Associating deleted records

• Recall from earlier that NK records point to a list of values• Once all available VK and NK records have been recovered:

• For each recovered NK, follow the list to look for VK records and if found, associate with NK

• Look at recovered NK record’s parent cell index to see if it points to a recovered NK record

• Finally, look at top-level recovered NK record’s parent cell index to see if it points to an available NK record

• Once this is done we now have two lists of NK records:• Associated with an in-use record (Parent index pointed to an in-use NK)• Un-associated (Parent index pointed to non-existent NK)

• My implementation is at:• https://github.com/EricZimmerman/Registry/blob/master/Registry/RegistryHive.cs#

L719

Caveats

• When recovering records, you cannot stop processing after the first signature.• If you find an NK record with size 480 and treat it as a single record you will

most likely miss everything after the name of the NK record.

• Must look for signatures and attempt to recover over entire free record

• It is important to check whether the data pointed to in recovered records is also marked as free• If it has a negative size, another active record is using it and it should be

ignored

• Exception: Associating a recovered NK record to its parent

Other resources

• https://binaryforay.blogspot.com/2015/01/designing-registry-parser.html

• https://binaryforay.blogspot.com/2015/08/registry-hive-basics-part-5-lists.html

• https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md

• https://github.com/libyal/libregf/blob/master/documentation/Windows%20NT%20Registry%20File%20(REGF)%20format.asciidoc

Questions?