I'm looking to create a compound registry query to read the value "Type" of an unknown Services key and then display several values of that key. I cannot use (DisplayName of it, ImagePath of it) of the service, as this is blocked by the services I am looking for. The malware also blocks SC Query and WMI requests.
So it must be done using registry keys.
This part works:
Q: if exists ((values "Type" of keys of keys "HKLM\System\CurrentControlSet\Services" of x64 registry) as string) whose (it = "272")
This part does not work: I want the DisplayName value of "Beep" to display:
then ((values "DisplayName" of keys of keys "HKLM\System\CurrentControlSet\Services" of x64 registry) as string) whose ("Type" of "Beep" = "1") else "No Key"
I used "Beep" as an example; it has to be the service key the "if exists" finds. I would like to read the following values of each key with Type value = 272, or any other value I am looking for. They can be four separate properties in the analysis; that would be fine.
Services\unknown - Actual Key name whose Type value = 272 or 120 HEX
(name of it, value "displayname" of it, value "imagepath" of it) of keys whose (value "type" of it as string = "272") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
values "ServiceDLL" of keys "Parameters" of keys whose (exists key "Parameters" of it AND exists value "ServiceDLL" of key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
Wow, thanks! On #2 and #3 I was close; not sure why I didn't get those.
Now on #4: any idea how to get the Parameters key on ONLY the service keys whose Type value is "272"?
This is not working:
values "ServiceDLL" of keys "Parameters" of keys whose (exists key "Parameters" of it AND exists value "ServiceDLL" of key "Parameters" of it) AND whose (value "type" of it as string = "272") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
(name of it, value "displayname" of it, value "imagepath" of it) of keys whose (value "type" of it as string = "32" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
keys "Parameters" of keys whose (value "type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
(name of it, value "displayname" of it, value "imagepath" of it) of keys whose (value "type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
number of keys "Parameters" of keys whose (value "type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
Q: keys "Parameters" of keys whose (value "Type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
E: This expression evaluates to an unrepresentable object of type “registry key”
That is what you should get; it means you are getting a result.
Try this:
names of keys "Parameters" of keys whose (value "Type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
This one just returns "Parameters" as the answer for all. I tried to play with it… it just returns True.
value "ServiceDll" of keys whose (value "Type" of it as string = "288" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
This works to find the ServiceDll value for any key.
It would be nice to combine the one above with below…
(name of it, value "displayname" of it, value "imagepath" of it) of keys whose (value "type" of it as string = "288" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
Thanks for your assistance… for some reason this was eluding me.
It was only supposed to return "Parameters"… I do not have this situation on any of my systems, so I cannot come up with examples to extract the info that you desire without just guessing.
This is kind of what I’m trying to point you towards:
(value "whatever" of it, value "whatever2" of it) of keys "Parameters" of keys whose (value "Type" of it as string = "272" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
value "ServiceDll" of keys whose (value "Type" of it as string = "288" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registry
The Type value 288 is VERY odd and does not show up where you would expect. I look at the Type to see if I need to know more, and the above tells me the actual ServiceDll that is being injected by the ImagePath, which in the case of the malware is svchost netsvcs, and that tells me nothing… but the Parameters subkey of the service has a ServiceDll value that lists the bad juju DLL I am trying to find.
values "ServiceDll" of keys whose (value "Type" of it as string = "32" AND exists key "Parameters" of it) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of x64 registry
You don’t need “x64 registry”, use “native registry” since it will work on 32bit or 64bit machines.
(in all truth, you don’t actually need “native registry” since it only makes a difference when looking at the software key, but I like to use it everywhere)
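As an added example that is not part of this thread, here is the same hunt written in PowerShell rather than BigFix relevance, for running interactively on a suspect machine. It reads HKLM\SYSTEM\CurrentControlSet\Services through the .NET registry API, so it does not depend on sc.exe or WMI, and it reports the key name, DisplayName, ImagePath and Parameters\ServiceDll for every service whose Type value matches. The Type bit values quoted in the comments come from winnt.h; 272 is 0x110 (own process + interactive) and 288 is 0x120 (shared process + interactive), which is why 288 looks odd for an svchost-hosted service. The parameter name and the elevated-prompt assumption are mine, not the thread's. The Services hive is not subject to WOW64 redirection, so a 32-bit or 64-bit PowerShell host sees the same keys, matching the "native registry" remark above.

```powershell
# Added example, not code from the forum thread.
# Lists services whose Type matches the requested values, reading only the registry.
# Run from an elevated prompt on Windows (assumption); some service keys deny read
# access to non-administrators and are skipped rather than aborting the scan.
#
# Type is a bitmask (winnt.h):
#   0x001 SERVICE_KERNEL_DRIVER        0x010 SERVICE_WIN32_OWN_PROCESS
#   0x002 SERVICE_FILE_SYSTEM_DRIVER   0x020 SERVICE_WIN32_SHARE_PROCESS
#   0x100 SERVICE_INTERACTIVE_PROCESS
# 272 = 0x110 (own process + interactive), 288 = 0x120 (shared process + interactive),
# 32  = 0x020 (shared process, the normal svchost-hosted case).

param(
    # Decimal Type values to report; 272 and 288 are the values discussed in the thread.
    # Parameter name is this example's own choice.
    [int[]]$TypeValues = @(272, 288)
)

$services = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Services')
if ($null -eq $services) { throw 'Cannot open HKLM\SYSTEM\CurrentControlSet\Services' }

# Keep REG_EXPAND_SZ values unexpanded so the output shows what is actually stored
# (e.g. %SystemRoot%\System32\svchost.exe -k netsvcs), not the expanded path.
$raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

$results = foreach ($name in $services.GetSubKeyNames()) {
    $svc = $services.OpenSubKey($name)
    if ($null -eq $svc) { continue }              # no read access to this key; skip it

    $type = $svc.GetValue('Type')
    if ($null -eq $type -or ($TypeValues -notcontains [int]$type)) { $svc.Close(); continue }

    # ServiceDll lives under the Parameters subkey, which only some services have.
    $serviceDll = $null
    $params = $svc.OpenSubKey('Parameters')
    if ($null -ne $params) {
        $serviceDll = $params.GetValue('ServiceDll', $null, $raw)
        $params.Close()
    }

    [pscustomobject]@{
        Name        = $name
        Type        = ('0x{0:X} ({1})' -f [int]$type, [int]$type)
        DisplayName = $svc.GetValue('DisplayName')
        ImagePath   = $svc.GetValue('ImagePath', $null, $raw)
        ServiceDll  = $serviceDll
    }
    $svc.Close()
}
$services.Close()

$results | Sort-Object Name | Format-Table -AutoSize
```

One caveat a practitioner should keep in mind: this still goes through the live registry API, so a rootkit that hooks key enumeration can hide a service from this script just as it hides it from SC and WMI. If the results look too clean, compare them against an offline copy of the SYSTEM hive from the same machine, or against what the BigFix client reports with the relevance queries above.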