Before testing registry key hiding, you should be aware of the risk involved in registry modifications. Here’s the warning from Microsoft:
Tip: For information about how to edit the registry, view the Changing Keys and Values online Help topic in Registry Editor (Regedit.exe). Note that you should make a backup copy of the registry files (System.dat and User.dat) before you edit the registry.
Warning: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
Always make a backup of the Windows Registry before you modify any settings. You can back up the entire Registry by copying System.dat and User.dat or by exporting a single portion of the Registry using REGEDIT.
To back up by exporting a portion of the registry:
1. Click the Start button, click Run, and type REGEDIT. Click OK.
2. In the registry editor, select the key you want to back up.
3. From the Registry menu, choose Export Registry File.
4. In the Save In list, select the folder in which you want to save the backup.
5. In the File Name box, type a name for your backup file, such as “Options” or “Backup.”
6. In the Export Range box, be sure that Selected Branch is selected.
7. Click Save. The file is saved with a .reg extension.
To test registry key and file hiding, add the following to your environment:
Directory: c:\RootkitDirectory
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSSDriver1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSSDriver2
Now use SCMLoader to load the rootkit presented in this chapter. This will not only load the rootkit into kernel memory, it will also create a MyDeviceDriver key under the Services key in the registry. You should be able to verify this key using the registry editor (regedt32):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MyDeviceDriver
Now start the rootkit (net start MyDeviceDriver).
Now either restart the registry editor or refresh the current view (View > Refresh). You should no longer be able to see the three registry keys mentioned above.
Now perform a directory listing of C:\. You should no longer be able to see the directory created above.
To test process hiding, run the test program, HideMe.exe, with and without the rootkit running.
Without the rootkit running, the HideMe program should report “Could not find MyDeviceDriver” and the Windows Task Manager Processes tab will show the HideMe.exe process. After verifying the process, press any key while the Command Prompt window running HideMe has focus. This will terminate the HideMe process.
With the rootkit running, the HideMe program should report “MyDeviceDriver hiding this process” and the Windows Task Manager Processes tab will not show the HideMe.exe process.
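As an added example (not code from the book or its rootkit), the following PowerShell script automates the checks above: it creates the test directory and the two SSSDriver keys, then reports each artifact from two user-mode views, enumeration of its parent and a direct open by full name. The function names are mine; SCMLoader, MyDeviceDriver and HideMe.exe are the book's, and the script assumes only that it is run from an elevated prompt, once before loading the driver and once after "net start MyDeviceDriver".

```powershell
# Added example, not from the book. Builds the test artifacts listed above and reports,
# for each one, whether it is (a) listed when its parent is enumerated and (b) reachable
# by a direct open of its full name. Compare the report taken before loading the driver
# with the one taken after "net start". A name that no longer appears in enumeration but
# still opens directly is itself a strong indicator that enumeration results are filtered.
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Artifacts = @(
    @{ Kind = 'Directory'; Parent = 'C:\';     Name = 'RootkitDirectory' },
    @{ Kind = 'Registry';  Parent = $Services; Name = 'SSSDriver1' },
    @{ Kind = 'Registry';  Parent = $Services; Name = 'SSSDriver2' },
    @{ Kind = 'Registry';  Parent = $Services; Name = 'MyDeviceDriver' }  # created by SCMLoader
)

function New-TestArtifacts {
    # Creates only the directory and the two SSSDriver keys; MyDeviceDriver comes from SCMLoader.
    New-Item -ItemType Directory -Path 'C:\RootkitDirectory' -Force | Out-Null
    foreach ($n in 'SSSDriver1', 'SSSDriver2') {
        New-Item -Path (Join-Path $Services $n) -Force | Out-Null
    }
}

function Test-ArtifactVisibility {
    $rows = foreach ($a in $Artifacts) {
        $full = Join-Path $a.Parent $a.Name
        # View 1: does the name show up when the parent directory/key is enumerated?
        $listed = @(Get-ChildItem -LiteralPath $a.Parent -Force -ErrorAction SilentlyContinue |
                    Where-Object { $_.PSChildName -eq $a.Name }).Count -gt 0
        # View 2: can the object still be opened directly by its full name?
        $opens = Test-Path -LiteralPath $full
        [pscustomobject]@{ Kind = $a.Kind; Name = $a.Name; Enumerated = $listed; DirectOpen = $opens
                           Discrepancy = ($opens -and -not $listed) }
    }
    # HideMe.exe has no path to open by name; only the process-list view applies.
    $rows += [pscustomobject]@{
        Kind = 'Process'; Name = 'HideMe.exe'
        Enumerated = [bool](Get-Process -Name 'HideMe' -ErrorAction SilentlyContinue)
        DirectOpen = $null; Discrepancy = $false
    }
    return $rows
}

New-TestArtifacts
Test-ArtifactVisibility | Format-Table -AutoSize
```

Start HideMe.exe in a separate Command Prompt before taking each report so that the process row is meaningful.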