Thursday, January 22, 2009

Windows 7 Beta

It's probably kind of early to go posting about Windows 7...yes, the beta is out, but it will likely be a while before we start seeing widespread use of it. As an incident responder who deals primarily with corporations, I see a lot of XP and Windows 2003, but so far, no Vista.

So, like many, when the Windows 7 Ultimate Beta hit the streets, I started taking a look at it. As many would expect, and as Matthieu found out, things have changed in memory. Didier also found out that things changed with respect to how the UserAssist key entries are "encrypted"...rather than being ROT-13 encrypted, the value names are now Vigenere encrypted. Didier was able to determine the cipher key for his system; apparently, the same key is used across all installations!

Okay, let's hold up for just a second...why are these value names even encrypted? I mean, honestly, what's the point? Look at most of the value names, and no one knows what they mean when they aren't encrypted!

All right then...what were we talking about? Oh, yeah...so Didier did a fantastic job of figuring out what was going on with the new encryption scheme. He also figured out some of the new elements stored in the binary data. So using this information, I located some code on PerlMonks to decrypt strings using the Vigenere cipher; I then tweaked it to include handling special characters, numbers and letters that were capitalized. I added parsing of the data in the way that Didier described, and then logged into my Windows 7 Ultimate Beta VM and did some stuff (updated Defender, launched Solitaire, and opened a command prompt and ran ftp.exe). I then shut off the VM, pulled out the NTUSER.DAT and ran it through the new RegRipper plugin I'd just written, and got some really interesting stuff, a portion of which is shown below:

C:\Program Files\Windows Defender\MSASCui.exe
Last Run = 0
C:\Program Files\Internet Explorer\iexplore.exe
Last Run = Wed Jan 21 18:53:28 2009
C:\Program Files\Microsoft Games\solitaire\solitaire.exe
Last Run = Wed Jan 21 19:03:09 2009
C:\Windows\system32\cmd.exe
Last Run = Wed Jan 21 19:04:14 2009

This is just a partially-redacted (redaction much more effective than what either MS or Adobe has used in the past...) excerpt of the output, and I'll get with Didier to see about further testing and verification, but so far, so good, it seems.
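Vigenère with the single-letter key N is ROT-13, so one shift routine covers both the XP/Vista value names and the Windows 7 ones. The sketch below is an added example, not the RegRipper plugin from this post: it decrypts a value name with a placeholder key (the real key Didier recovered is not reproduced here), passes digits and path separators through untouched, and reads the run count and last-run FILETIME from the 72-byte value data at offsets that are assumed from Didier's write-up.

```python
# Added example (not the post's RegRipper plugin). Key, struct offsets and
# sample data are assumptions/constructed values, marked below.
import struct
from datetime import datetime, timedelta, timezone

PLACEHOLDER_KEY = "FORENSICS"   # constructed; substitute the real Win7 key
W7_DATA_LEN = 72                # Win7 value size; offsets below are assumed
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def vigenere(text, key, decrypt=True):
    """Shift ASCII letters only, keeping case; digits, backslashes and other
    punctuation pass through and do not advance the key position."""
    out, k = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            step = ord(key[k % len(key)].upper()) - ord("A")
            out.append(chr((ord(ch) - base + (-step if decrypt else step)) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)

def filetime_to_str(ft):
    """Render a FILETIME like the post's output; 0 means no run recorded."""
    if ft == 0:
        return "0"
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).strftime("%a %b %d %H:%M:%S %Y")

def parse_userassist(enc_name, data, key=PLACEHOLDER_KEY):
    """Return (decrypted name, run count, last-run text) for one Win7 value."""
    if len(data) != W7_DATA_LEN:
        raise ValueError(f"expected {W7_DATA_LEN} bytes, got {len(data)}")
    run_count = struct.unpack_from("<I", data, 4)[0]    # assumed offset
    last_run = struct.unpack_from("<Q", data, 60)[0]    # assumed offset
    return vigenere(enc_name, key), run_count, filetime_to_str(last_run)

def make_sample_value(plain_name, run_count, when, key=PLACEHOLDER_KEY):
    """Construct an (encrypted name, data) pair; `when` is a UTC datetime or None."""
    ft = 0 if when is None else ((when - EPOCH_1601) // timedelta(microseconds=1)) * 10
    data = bytearray(W7_DATA_LEN)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<Q", data, 60, ft)
    return vigenere(plain_name, key, decrypt=False), bytes(data)

def demo():
    # Round-trip a constructed cmd.exe entry like the one in the post's output.
    name, data = make_sample_value(r"C:\Windows\system32\cmd.exe", 1,
                                   datetime(2009, 1, 21, 19, 4, 14, tzinfo=timezone.utc))
    return parse_userassist(name, data)   # -> (..., 1, "Wed Jan 21 19:04:14 2009")
```

Running `demo()` against the constructed entry prints the same two-line shape as the excerpt above; a real hive would need the actual key and the value data read out of NTUSER.DAT.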

One thing that hasn't changed is that F-Response works like a champ with Windows 7, as Matt found out and blogged about. Even access to physical memory works! Don't be the last on your block to get your copy of F-Response!
