flat assembler
Message board for the users of flat assembler.

Index > Windows > detect registry virtualization

randomdude
Joined: 01 Jun 2012
Posts: 83
Hey,

does anyone know the proper way to detect if a registry key is going to be virtualized?

I need to write a key in HKEY_LOCAL_MACHINE from a DLL (therefore I can't use a manifest), so first I need to know if the key is going to be virtualized and, if so, run an exe which asks the user for elevated privileges.

Thanks in advance! :)
Post 25 Feb 2014, 15:17
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17284
Location: In your JS exploiting you and your system
It is complicated and no simple method will work in all cases. Perhaps detecting combinations of the various associated flags will reveal the virtualised status? I think you will have to experiment a bit to see if it is possible.
Post 26 Feb 2014, 01:59
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
For registry I/O, a simple flag will do.

First read this :

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724072(v=vs.85).aspx

Then this:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa965884(v=vs.85).aspx

You can also detect the OS version and operating bits. That will help you divide and conquer your problem. But the flag has always worked for me.
Post 26 Feb 2014, 02:43
randomdude
Joined: 01 Jun 2012
Posts: 83
Thanks for answering, but I had already read those pages and none of them is of help :(

edit:

Never mind guys, there doesn't seem to be any way to detect it. I'll just let my key get redirected to VirtualStore.

edit2:

Found this!
http://stackoverflow.com/questions/14005081/how-to-detect-file-redirection-to-the-windows-virtualstore

Code:
proc CheckVirtualization
; Returns EAX = 1 if UAC virtualization is enabled on the current process
; token (writes to HKLM\Software will be redirected to VirtualStore),
; EAX = 0 otherwise or if the token could not be queried.

        locals
                TokenHandle dd ?
                TokenInformation dd ?
                ReturnLength dd ?
        endl

        push    ebx
        lea     ebx,dword[TokenInformation]
        and     dword[ebx],0                    ; default result: not virtualized
        lea     eax,dword[TokenHandle]
        push    eax                             ; 3rd argument of OpenProcessToken, pushed early
        invoke  GetCurrentProcess
        invoke  OpenProcessToken,eax,TOKEN_QUERY
        test    eax,eax
        jz      .done                           ; no token was opened, so nothing to close
        lea     eax,dword[ReturnLength]
        invoke  GetTokenInformation,dword[TokenHandle],TokenVirtualizationEnabled,ebx,4,eax
        invoke  CloseHandle,dword[TokenHandle]  ; only close a handle we actually obtained
  .done:
        xor     eax,eax
        mov     ebx,dword[ebx]                  ; DWORD filled in by GetTokenInformation
        test    ebx,ebx
        setnz   al
        pop     ebx
        ret
endp
Post 26 Feb 2014, 11:20
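An added example, not code from the thread or from the flat assembler project: a PowerShell version of the same token check (TokenVirtualizationEnabled queried through P/Invoke, alongside TokenVirtualizationAllowed and TokenElevationType), combined with the per-key REG_KEY_DONT_VIRTUALIZE flag that Windows uses to exempt individual HKLM\Software keys, read through `reg.exe flags ... query`. The wrapper class TokenQuery, the two functions and the sample key path are names chosen here; the regular expressions assume reg.exe reports flags as "REG_KEY_DONT_VIRTUALIZE: SET" or "CLEAR", and the walk up to the nearest existing ancestor (honouring REG_KEY_RECURSE_FLAG) is this example's reading of the documented flag semantics, not something the thread states.

```powershell
# Added example: predict whether a registry write from this process will be
# redirected to VirtualStore. Assumed names: TokenQuery, Get-TokenVirtualizationState,
# Test-RegistryWriteVirtualized; assumed reg.exe output format, see lead-in.

$tokenQuerySource = @'
using System;
using System.Runtime.InteropServices;
using System.ComponentModel;

public static class TokenQuery
{
    // TOKEN_INFORMATION_CLASS values; 24 is the same TokenVirtualizationEnabled
    // the assembler proc in the thread passes to GetTokenInformation.
    public const int TokenElevationType         = 18;
    public const int TokenVirtualizationAllowed = 23;
    public const int TokenVirtualizationEnabled = 24;
    const uint TOKEN_QUERY = 0x0008;

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out uint info, uint infoLength, out uint returnLength);

    // Returns a DWORD-sized token attribute for the given information class.
    public static uint Query(int infoClass)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new Win32Exception();
        try
        {
            uint value, returned;
            if (!GetTokenInformation(token, infoClass, out value, sizeof(uint), out returned))
                throw new Win32Exception();
            return value;
        }
        finally { CloseHandle(token); }
    }
}
'@
Add-Type -TypeDefinition $tokenQuerySource

function Get-TokenVirtualizationState {
    # ElevationType: 1 = no split token, 2 = elevated (full) token, 3 = limited (filtered) token.
    [pscustomobject]@{
        ElevationType         = [TokenQuery]::Query([TokenQuery]::TokenElevationType)
        VirtualizationAllowed = [TokenQuery]::Query([TokenQuery]::TokenVirtualizationAllowed) -ne 0
        VirtualizationEnabled = [TokenQuery]::Query([TokenQuery]::TokenVirtualizationEnabled) -ne 0
    }
}

function Test-RegistryWriteVirtualized {
    # $true when a write to $KeyPath from this process would land in
    # HKCU\Software\Classes\VirtualStore instead of HKLM.
    param([Parameter(Mandatory)][string]$KeyPath)   # e.g. 'HKLM\Software\MyApp'

    # Only HKLM\Software is subject to virtualization; anything else succeeds or fails for real.
    if ($KeyPath -notmatch '^(HKLM|HKEY_LOCAL_MACHINE)\\Software(\\|$)') { return $false }

    # Elevated, 64-bit, manifested and non-interactive processes have it disabled on the token.
    if (-not (Get-TokenVirtualizationState).VirtualizationEnabled) { return $false }

    # reg.exe only reports flags for keys that exist, so walk up to the nearest existing
    # ancestor. DONT_VIRTUALIZE on the key itself, or on an ancestor that also has
    # RECURSE_FLAG, opts the key out (assumed reading of the flag semantics).
    $probe = $KeyPath
    $isTargetKey = $true
    while ($probe -match '\\') {
        $out = & reg.exe flags $probe query 2>$null
        if ($LASTEXITCODE -eq 0) {
            $text = $out -join "`n"
            $dontVirtualize = $text -match 'REG_KEY_DONT_VIRTUALIZE:\s*SET'
            $recurse        = $text -match 'REG_KEY_RECURSE_FLAG:\s*SET'
            if ($dontVirtualize -and ($isTargetKey -or $recurse)) { return $false }
            return $true
        }
        $isTargetKey = $false
        $probe = $probe.Substring(0, $probe.LastIndexOf('\'))
    }
    return $true
}

Get-TokenVirtualizationState
Test-RegistryWriteVirtualized -KeyPath 'HKLM\Software\ExampleVendor\ExampleApp'
```

Run it from a 32-bit, non-elevated PowerShell to see VirtualizationEnabled come back True and the prediction True; from a 64-bit or elevated shell both are False, which matches what the assembler proc above returns in EAX. The key-flag walk is what the token check alone cannot tell you: a process can have virtualization enabled and still write a DONT_VIRTUALIZE key straight to HKLM (failing with access denied as a standard user).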
Copyright © 1999-2020, Tomasz Grysztar.