Read Registry RAW (like a Rootkit revealer)

Started by Theo Gottwald, July 04, 2012, 08:52:35 AM

Theo Gottwald

Viruses do sometimes hide from being seen. For this they hook the APIs, for example those well-known registry read APIs.

Then how do "Rootkit Revealers" like those from Sysinternals still reveal the Rootkit?
They use a technique that reads the "registry RAW".

It does not use the API; it directly reads from the large registry file, which is organized like a very simple filesystem.

I have just seen this interesting code:

Read Registry RAW

Let me add that using this system, larger parts of the registry can be accessed much faster than using the API, because no rights management is used.

Which we do not yet have in PB currently. Is anybody interested in making a translation?

Registry-Inside Format
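As an added illustration of the "read the registry RAW" idea (not the code linked in the post, and in Python rather than PB): a minimal reader for the on-disk hive format that checks the base block the way a forensic tool does before trusting it (the `regf` signature, the header checksum, and whether the two sequence numbers agree, since a mismatch means a write was in flight and the transaction log is newer than the file), then walks to the root `nk` cell and returns its name. The field offsets follow the publicly documented REGF layout; the sample hive is constructed inline so the code runs offline, and `build_sample_hive` is a helper assumed here for that purpose.

```python
import struct

HBIN_BASE = 0x1000  # hive bins start right after the 4 KiB base block


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 DWORDs at 0x000-0x1FB; the two reserved results are remapped."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:0x1FC]):
        x ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)


def parse_base_block(hive: bytes) -> dict:
    """Header fields a raw reader checks before trusting the file."""
    if hive[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    seq1, seq2 = struct.unpack_from("<II", hive, 0x04)
    major, minor = struct.unpack_from("<II", hive, 0x14)
    root_cell, bins_size = struct.unpack_from("<II", hive, 0x24)
    stored, = struct.unpack_from("<I", hive, 0x1FC)
    return {
        "dirty": seq1 != seq2,  # unequal sequence numbers: consult the .LOG before trusting cells
        "version": (major, minor),
        "root_cell": root_cell,  # relative to HBIN_BASE
        "bins_size": bins_size,
        "checksum_ok": stored == regf_checksum(hive[:0x1000]),
    }


def read_nk_name(hive: bytes, cell_offset: int) -> str:
    """Key name from an 'nk' (key node) cell; the offset is relative to the hive bins."""
    pos = HBIN_BASE + cell_offset
    size, = struct.unpack_from("<i", hive, pos)
    if size >= 0 or hive[pos + 4:pos + 6] != b"nk":  # negative size = allocated cell
        raise ValueError("not an allocated key node cell")
    flags, = struct.unpack_from("<H", hive, pos + 6)
    name_len, = struct.unpack_from("<H", hive, pos + 4 + 0x48)
    raw = hive[pos + 4 + 0x4C:pos + 4 + 0x4C + name_len]
    return raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")  # 0x20 = compressed (8-bit) name


def build_sample_hive() -> bytes:
    """Constructed minimal hive for offline testing: base block + one hbin holding one root 'nk'."""
    name = b"ROOT"
    nk = b"nk" + struct.pack("<H", 0x2C) + bytes(0x44) + struct.pack("<HH", len(name), 0) + name
    nk += bytes(-(4 + len(nk)) % 8)  # cells are 8-byte aligned
    cell = struct.pack("<i", -(4 + len(nk))) + nk
    hbin = b"hbin" + struct.pack("<II", 0, 0x1000) + bytes(0x14) + cell
    hbin += bytes(0x1000 - len(hbin))
    base = bytearray(0x1000)
    base[:4] = b"regf"
    struct.pack_into("<II", base, 0x04, 1, 1)  # sequence numbers match: clean hive
    struct.pack_into("<II", base, 0x14, 1, 5)  # format version 1.5
    struct.pack_into("<II", base, 0x24, 0x20, 0x1000)  # root cell offset, hive bins size
    struct.pack_into("<I", base, 0x1FC, regf_checksum(bytes(base)))
    return bytes(base) + hbin
```

Because nothing here goes through the registry API, a hook on the read functions cannot filter what this code sees; on a live system the hive files are locked, so tools read them from a volume snapshot or an offline image.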