Sunday, 30 October 2011

Storing Binary Files in the Registry

As part of a group work at university, my colleagues and I are in the process of preparing a computer image for the first year students to investigate it as a part of their assignment. The main task for us is to pretend to be a “bad guy” and hide numerous files on that image using as many techniques as possible.

The technical level of these methods should vary and if some of them happen to be too challenging then to leave some clues behind (e.g. browser’s history or source code), so that with basic investigation knowledge and help of omniscient Google they shouldn’t have a problem to find them.

So far we had about 20 different ideas –ranging from hiding data in NTFS bad sectors, file slack, and Ms Word documents to pseudo-encryption algorithms and file merging. It’s been very interesting so far and I’m glad with the way our team works: we all have learnt a lot just by researching different ideas and developing various tools, and then by sharing the findings with each other. Hence, by the way, my last post about recovering the passphrase to a TrueCrypt volume from a memory dump.

One of the remaining things on my list for this group work is to investigate whether it is possible to store binary files, such as images, in the Windows registry.

I did some Googling, as always, but exceptionally I couldn’t find much, besides a couple of articles about storing data in a REG_BINARY value type. Thus, I decided to develop one myself and after a few hours I had a ready “framework” for reading a file to memory, transforming it and then saving to the registry, and the other way around of course.

The tool is called bin2reg and at the moment supports two basic encoding mechanisms: XOR against a password, and Windows Data Protection API (DPAPI). If anyone wanted to treat it seriously though, then the latter is obviously a better solution.

There’s a small limitation at the moment: the application can only store files smaller than 1MB as this is the maximum size for any single Registry value. It can be easily solved by splitting a file into smaller parts and then saving them separately to the registry.

Here’s the code written in C#, so you need to have .NET Framework to run it, and a compiled binary for those who don’t have Visual Studio.

No comments:

Post a Comment