This is a simple proof of concept tool, written in Rust, to demonstrate the use of RegRestoreKey and the Offline Registry Library for registry interactions.
For more information about how this tool was implemented and why it might be useful in a red team context, please refer to Rehabilitating Registry Tradecraft with RegRestoreKey.
WARNING: THIS PROOF OF CONCEPT IS LIKELY TO CAUSE SYSTEM INSTABILITY WHEN USED TO OVERWRITE THE ACTUAL ROOT SERVICES KEY (SOFTWARE\\CURRENTCONTROLSET\\SERVICES)
- Regstoration does not overwrite the main services key at `HKLM\SOFTWARE\CURRENTCONTROLSET\SERVICES` by default. The default target is `HKLM\Software\Test`, which you will need to create if you would like to run Regstoration without specifying an already existing key's path.
- If you would like to test overwriting the actual services key, do so using a virtual machine that can be restored from a stable snapshot. Any content written to a key or its values will be overwritten if supplied as an argument.
- I suggest creating a dummy key to collect telemetry or evaluate detection strategies for this approach. The telemetry will be the same aside from the targeted path in the restore operation.
- Open command prompt as Administrator
- For testing:
  - Create empty key at `HKLM\Software\Test`
  - Restore to test key at `HKLM\Software\Test` (key must already exist): `cargo run`
- For restoring to the primary Services key at `HKLM\SOFTWARE\CURRENTCONTROLSET\SERVICES` (WARNING: UNSAFE!)
  - Restore to arbitrary HKLM key (key must already exist): `cargo run -- SOFTWARE\CURRENTCONTROLSET\SERVICES`
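To follow the suggestion above of evaluating the approach against a dummy key, here is an added PowerShell script (not part of Regstoration) that snapshots a key's subtree before and after a restore and prints what was added, removed or changed. It assumes the README's default target `HKLM\Software\Test`; another path can be passed with `-KeyPath`.

```powershell
# Added example, not part of Regstoration: diff a registry subtree before and
# after a restore so the effect of the operation on the test key can be reviewed.
# Assumes the README's default target HKLM\Software\Test.
param(
    [string]$KeyPath = 'HKLM:\Software\Test'
)

function Get-RegistrySnapshot {
    param([string]$Path)
    $snap = @{}
    if (-not (Test-Path -LiteralPath $Path)) { return $snap }
    # the root key itself plus every subkey beneath it
    $keys = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse)
    foreach ($k in $keys) {
        # record the key so empty keys also show up in the diff
        $snap[$k.Name] = '<key>'
        foreach ($name in $k.GetValueNames()) {
            $label = if ($name -eq '') { '(Default)' } else { $name }
            # keep REG_EXPAND_SZ unexpanded so the stored data is compared as written
            $value = $k.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $kind  = $k.GetValueKind($name)
            $snap["$($k.Name)\$label"] = "[$kind] $value"
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        if (-not $Before.ContainsKey($n))     { "ADDED    $n = $($After[$n])" }
        elseif (-not $After.ContainsKey($n))  { "REMOVED  $n = $($Before[$n])" }
        elseif ($Before[$n] -ne $After[$n])   { "CHANGED  $n : $($Before[$n]) -> $($After[$n])" }
    }
}

$before = Get-RegistrySnapshot -Path $KeyPath
Write-Host "Snapshot of $KeyPath taken. Run the restore now, then press Enter."
Read-Host | Out-Null
$after = Get-RegistrySnapshot -Path $KeyPath
Compare-RegistrySnapshot -Before $before -After $after
```

Run it from an elevated PowerShell session so the subtree is readable in full; the printed diff can then be compared against whatever registry telemetry your sensors recorded for the same operation.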