Checking for "Operation Aurora"

(imported topic written by SystemAdmin)

What would be the best way to check for the registry keys below?

I'm assuming regex would be needed and I would just need to check for the first key.

This is for “Operation Aurora” from the NAI site http://vil.nai.com/vil/content/v_253415.htm

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS%random 4 chars%
    o “ImagePath” = %SystemRoot%\svchost.exe -k netsvcs

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS%random 4 chars%
    o “Start” = 02, 00, 00, 00

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS%random 4 chars%\Parameters
    o “ServiceDll” = %SystemRoot%\rasmon.dll

(imported comment written by SystemAdmin)

Wishing there was an MD5 inspector…

http://www.mcafee.com/us/local_content/reports/how_can_u_tell.pdf

(imported comment written by jessewk)

How about:

exists key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services” whose (exists key whose (name of it starts with “RaS” and length of name of it = 7) of it) of native registry
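The same "RaS" plus four characters test, as an added example that is not from the thread and is not BigFix relevance: a small Python triage script that reads a `reg export` dump of the Services key (the sample dump below is constructed) and reports which of the three indicators from the NAI description each matching service carries.

```python
import re

# Constructed sample in the format "reg export" writes. RaSabcd carries all three
# indicators from the NAI write-up; RasMan is a genuine Windows service that must not be flagged.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaSabcd]
"ImagePath"="%SystemRoot%\\svchost.exe -k netsvcs"
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaSabcd\Parameters]
"ServiceDll"="%SystemRoot%\\rasmon.dll"
'''
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# "RaS" + 4 random characters: as in jessewk's relevance, only prefix and total length 7 are known.
NAME_RE = re.compile(r"^RaS.{4}$")

def _parse_value(raw):
    # Decode the two encodings the sample uses: quoted strings and dwords.
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw

def parse_reg_export(text):
    # Map each [key path] to a dict of its value names and decoded values.
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = _parse_value(raw)
    return keys

def find_aurora_services(reg_export):
    # Return each RaS???? key directly under Services with the indicators it matches.
    keys, hits = parse_reg_export(reg_export), []
    for path, values in keys.items():
        parent, _, name = path.rpartition("\\")
        if parent.lower() != SERVICES.lower() or not NAME_RE.match(name):
            continue
        params = keys.get(path + r"\Parameters", {})
        checks = {
            "ImagePath": str(values.get("ImagePath", "")).lower() == r"%systemroot%\svchost.exe -k netsvcs",
            "Start": values.get("Start") == 2,
            "ServiceDll": str(params.get("ServiceDll", "")).lower().endswith(r"\rasmon.dll"),
        }
        hits.append({"service": name, "indicators": [k for k, ok in checks.items() if ok]})
    return hits
```

A key that matches the name pattern but none of the three indicators is still reported, with an empty indicator list, so it can be reviewed rather than silently dropped.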

(imported comment written by SystemAdmin)

What am I missing here? All I wanted to do is, if the result exists then display it?

If RaS%???% exists, display it.

Q: if exists (key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services” whose (exists key whose (name of it as lowercase starts with “ras%25” and name of it ends with “%25” and length of name of it = 9) of it) of native registry) then ((key whose (name of it as lowercase starts with “ras%25” and name of it ends with “%25” and length of name of it = 9) of it) of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services” of native registry) else “”

E: Incompatible types.

(imported comment written by NoahSalzman)

Then and Else need to return the same type. In this case Else is returning a string and Then is returning a registry key.

For example:

Q: if true then key “HKLM” of registry else “na”

A: Incompatible types.

Q: if true then name of key “HKLM” of registry else “na”

A: HKEY_LOCAL_MACHINE

(imported comment written by SystemAdmin)

Noah,

Then and Else need to return the same type. In this case Else is returning a string and Then is returning a registry key.

For example:
Q: if true then key “HKLM” of registry else "na"
A: Incompatible types.

Q: if true then name of key “HKLM” of registry else "na"
A: HKEY_LOCAL_MACHINE

Thank you :slight_smile:

of native registry) then (( name of key whose (name of it as lowercase starts with

(imported comment written by JackCoates91)

There are a few freebie md5sum programs out there; just search for md5sum.exe… I’d want to see source code and compile from it given the nature of the sites, but it’s another route to checking hash values.