Solving problems with Perl

Many times, some problems just don't seem to have an obvious or easy solution. Take for instance some of the more recent malware to be seen, like Conficker (...and a rose by any other name would smell as sweet...)...it gets on your network, but initially isn't detected. That's because your AV product protects you from variants A through D, and what you've got on your network is a variant somewhere between F and P. Or let's just say you want to see if you do have something unusual on one of your systems. How would you do this?

Well, there are a number of ways you can do this, but if you look at the descriptions available for the Conficker malware, one of the commonalities you see is that it creates a Windows Service with a random name, which means that you can't just search for "Conficker" and hope to find it. Then the malware creates an ImagePath value that points to "svchost.exe -k netsvcs", which runs it when the system starts, and runs it with System-level privileges. Note that a LOT of legitimate Services start this way, too. Then the malware creates a Parameters\ServiceDll value that points to a randomly named DLL.

Interestingly, there are a number of bits of malware that use this same or a similar persistence mechanism. Okay, great. So, besides going to each machine individually, opening RegEdit, and clicking through the GUI, what do you do?

That's where Perl comes in! I ducked inside a telephone booth, pulled out my laptop and found some previously written code that accesses the live Registry in read-only mode. I then opened up one of my RegRipper plugins, grabbed a bit of already-written and -tested code, added it, shook it (one does NOT stir!), and presto! RegScan was born!

So here's what regscan does...you run it on your local system and it accesses the HKLM\System\CurrentControlSet\Services key, gets a list of subkeys, and then goes to each one and gets the LastWrite time, the ImagePath value (if there is one), the Parameters\ServiceDll value (if there is one), sorts everything by LastWrite time, and prints each Service entry on a single line with each element pipe ('|') separated. Okay, take a breath.

You run regscan like so:

C:\>regscan.pl

And you get a bunch of stuff like this:

Sat Jan 3 00:34:43 2009Z|WebClient|%SystemRoot%\system3\svchost.exe -k LocalService|%SystemRoot%\System32\webclnt.dll
Sat Jan 3 00:34:43 2009Z|winachsf|system32\DRIVERS\HSX_CNXT.sys||
Sat Jan 3 00:34:43 2009Z|Windows Workflow Foundation 3.0.0.0|||
Sat Jan 3 00:34:43 2009Z|winmgmt|%systemroot%\system32\svchost.exe -k netsvcs|%SystemRoot%\system32\wbem\WMIsvc.dll
Sat Jan 3 00:34:43 2009Z|Winsock||


Uh...okay. Well, this is command line, so to weed out some of the stuff you aren't interested in, you could type:

C:\>regscan.pl | find "svchost.exe -k netsvcs"
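The `find` filter above matches one string anywhere on the line. Because regscan prints a fixed field order (LastWrite|ServiceName|ImagePath|ServiceDll, with a varying number of trailing separators, as the sample output shows), the output is easy to parse properly and then triage by the combination the post describes: an ImagePath of "svchost.exe -k netsvcs" together with a Parameters\ServiceDll value, optionally restricted to keys whose LastWrite time is after a cut-off. The following is an added Python example, not part of RegScan or the original post; the first five sample lines are the ones shown above, and the sixth (service name, DLL name and timestamp) is constructed for illustration.

```python
"""Triage helper for regscan-style output (added example, not RegScan code).

Each regscan line is: LastWrite|ServiceName|ImagePath|ServiceDll
Some lines carry extra or missing trailing '|' separators, so the parser
pads the field list rather than assuming exactly four fields.
"""
from datetime import datetime
from typing import List, NamedTuple, Optional

# Constructed sample: the first five lines are copied from the post's sample
# output; the sixth is made up (hypothetical service name, DLL and time).
SAMPLE_OUTPUT = r"""
Sat Jan 3 00:34:43 2009Z|WebClient|%SystemRoot%\system3\svchost.exe -k LocalService|%SystemRoot%\System32\webclnt.dll
Sat Jan 3 00:34:43 2009Z|winachsf|system32\DRIVERS\HSX_CNXT.sys||
Sat Jan 3 00:34:43 2009Z|Windows Workflow Foundation 3.0.0.0|||
Sat Jan 3 00:34:43 2009Z|winmgmt|%systemroot%\system32\svchost.exe -k netsvcs|%SystemRoot%\system32\wbem\WMIsvc.dll
Sat Jan 3 00:34:43 2009Z|Winsock||
Tue Feb 17 09:12:05 2009Z|xkqwzr|%SystemRoot%\System32\svchost.exe -k netsvcs|%SystemRoot%\System32\pfcqrvn.dll
""".strip("\n")


class ServiceEntry(NamedTuple):
    last_write: datetime   # LastWrite time of the Services subkey (UTC)
    name: str              # Services subkey name
    image_path: str        # ImagePath value, "" if absent
    service_dll: str       # Parameters\ServiceDll value, "" if absent


def parse_line(line: str) -> ServiceEntry:
    """Parse one regscan line, tolerating missing or extra trailing '|'."""
    fields = line.rstrip("\r\n").split("|")
    fields += [""] * (4 - len(fields))          # pad short lines (e.g. "Winsock||")
    ts, name, image_path, service_dll = fields[:4]  # ignore extra empties
    # regscan prints gmtime() with a trailing 'Z'; day-of-month may be 1 digit.
    last_write = datetime.strptime(ts.strip(), "%a %b %d %H:%M:%S %YZ")
    return ServiceEntry(last_write, name, image_path, service_dll)


def parse_output(text: str) -> List[ServiceEntry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def netsvcs_services(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Same filter as `find "svchost.exe -k netsvcs"`, but case-insensitive
    and applied only to the ImagePath field."""
    return [e for e in entries if "svchost.exe -k netsvcs" in e.image_path.lower()]


def svchost_with_servicedll(entries: List[ServiceEntry],
                            since: Optional[datetime] = None) -> List[ServiceEntry]:
    """netsvcs entries that also carry a Parameters\\ServiceDll value.

    Legitimate services (winmgmt above) match this too, so the result is a
    review list, not a verdict; `since` narrows it to keys whose LastWrite
    time is at or after a chosen cut-off.
    """
    hits = []
    for e in netsvcs_services(entries):
        if not e.service_dll:
            continue
        if since is not None and e.last_write < since:
            continue
        hits.append(e)
    return hits


if __name__ == "__main__":
    entries = parse_output(SAMPLE_OUTPUT)
    for e in svchost_with_servicedll(entries):
        print(f"{e.last_write:%Y-%m-%d %H:%M:%S}Z  {e.name:<12} {e.service_dll}")
```

To use it against a real run, pipe `regscan.pl` output into a file and pass the file's contents to `parse_output`; the LastWrite cut-off is the quickest way to narrow a long service list to keys modified around the time of the incident.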

But wait...there's more! If you want to access remote systems (that you have admin access to, such as in your lab or in your corporate infrastructure), just type:

C:\>regscan.pl IP_address

...or...

C:\>regscan.pl System_name

Pretty cool, eh? And no, you don't need to have Perl running on the remote system. And yes, I've 'compiled' it into an EXE with Perl2Exe. And yes, it'll be included on the media that accompanies WFA 2/e. Oh, and it's also available for download at the RegRipper site, in the Downloads section. Enjoy!