Metasploit mailing list archives

KEY_WOW64 registry flag option


From: Danilo Nascimento <danilonc () bugnotfound com>
Date: Mon, 26 Apr 2010 16:40:38 -0300

Some registry keys are displayed differently depending on whether the
process image is 32 or 64 bits.
I've just created a reg command option to set the KEY_WOW64 flag, which
allows you to change this behavior.

This can be useful to enumerate or create keys in x64 environments.
For example, an entry in the autorun can go unnoticed by a distracted
sysadmin if he only checks the
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" key
and forgets to check the
"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
key.

------------------------------------------------------------------------------------------------------------------
"The registry redirector isolates 32-bit and 64-bit applications by providing
separate logical views of certain portions of the registry on WOW64.
The registry redirector intercepts 32-bit and 64-bit registry calls to their
respective logical registry views and maps them to the corresponding physical
registry location. The redirection process is transparent to the application.
Therefore, a 32-bit application can access registry data as if it were running
on 32-bit Windows even if the data is stored in a different location on 64-bit
Windows."

1 - Accessing an Alternate Registry View
- http://msdn.microsoft.com/en-us/library/aa384129(v=VS.85).aspx
2 - Registry Redirector
- http://msdn.microsoft.com/en-us/library/aa384232(v=VS.85).aspx
3 - Registry Keys Affected by WOW64
- http://msdn.microsoft.com/en-us/library/aa384253(v=VS.85).aspx
--------------------------------------------------------------------------------------------------------------------

meterpreter > reg enumkey -k 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -w 64
Enumerating: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  Values (4):

        MSSE
        IgfxTray
        HotKeysCmds
        Persistence

meterpreter > reg enumkey -k 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -w 32
Enumerating: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  Keys (2):

        AutorunsDisabled
        OptionalComponents

  Values (4):

        Adobe Reader Speed Launcher
        Adobe ARM
        QuickTime Task
        iTunesHelper

Regards,
DaniloNC

Attachment: wow64flag.patch