Applications that write to the registry, are they portable?
- Andrew Lee
- Posts: 3105
- Joined: Sat Feb 04, 2006 9:19 am
Re: Applications that write to the registry, are they portable?
Holy cow.. that's complicated!
Re: Applications that write to the registry, are they portable?
Andrew Lee wrote: That's complicated!
Apparently, it's also poorly implemented... (or at least was, since what follows is a rather old reference):
I've just spent a couple of weeks reverse engineering the binary format completely for our hivex library and shell which now supports both reading and writing to the registry. So now I can tell you why the Registry sucks from a technical point of view too...
- Andrew Lee
Re: Applications that write to the registry, are they portable?
Midas wrote: Fri Jul 29, 2022 8:53 am Apparently, it's also poorly implemented... (or at least was, since what follows is a rather old reference):
I've just spent a couple of weeks reverse engineering the binary format completely for our hivex library and shell which now supports both reading and writing to the registry. So now I can tell you why the Registry sucks from a technical point of view too...
Wow, that was brutal, but an engaging read!
Re: Applications that write to the registry, are they portable?
With Shellbags, LastRun etc. all over the registry in often obfuscated binary formats, isn't it essentially impossible to create a 100% stealth project that does anything non-trivial? You'd need a wrapper that was aware of every aspect of registry forensics that could clean up on exit, and even then you'd need to rely on the software closing elegantly every time. Stealth on Windows after XP is a myth for all but the most OCD developers working on privacy-centric apps. Linux is arguably even less friendly due to the sheer number of variables involved though -- yes, there's no ugly monolithic binary database like the registry but your desktop environment, file explorer, package manager, package format (esp. the portable ones like AppImage), distro directory structure etc. all contribute to hundreds of permutations of potential non-stealth remnants. At least with Windows, it fails stealth in a highly predictable way that uses the same dozen or so diffuse locations for remnants.
Speaking of which, anyone aware of any wrapper frameworks (for developers) or apps (for end users) that will do all that stuff? My ideal would be one that even cleans up Shellbags if explorer dialogs were used. Though that seems like a wholly unrealistic moving target. Can Sandboxie be used to avoid all of those remnants without much of a performance hit? I've always meant to try it, especially since it went open source, but just never got around to it. What about Docker? I've been looking for native solutions but I think emulation/virtualisation/containerisation is the future for truly portable apps with stealth.
I know that I talk a good game and that I should've already tried these things a long time ago but most of what I know comes from when I was a CS academic working on security engineering and networking over a decade ago, before Docker became this huge deal; I had to give up because I developed an extremely rare blood disorder that has left me (hopefully temporarily) disabled.
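The post above lists Shellbags, RunMRU-style keys and similar Explorer artefacts as the places a "portable" app leaves remnants. A practical way to see what a given app actually leaves is to snapshot those keys before and after a run and diff them, which is also what a forensic examiner would look at. The script below is an added example written for this thread, not code from the forum or from any project mentioned here. The key paths are the documented Explorer artefact locations (Shellbags under BagMRU/Bags, RunMRU, RecentDocs, UserAssist, the ComDlg32 Open/Save MRUs); the app path is a placeholder you supply.

```powershell
# Added example (not from the thread): audit which Explorer/registry artefacts a
# portable app leaves behind by snapshotting the well-known artefact keys before
# and after a run and reporting added, removed and modified values.

$ArtefactKeys = @(
    'HKCU:\Software\Microsoft\Windows\Shell\BagMRU',                                    # Shellbags (Explorer windows)
    'HKCU:\Software\Microsoft\Windows\Shell\Bags',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU',  # Shellbags (dialogs/desktop)
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',                 # Run dialog history
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs',             # recently opened documents
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist',             # program execution counts (ROT13 names)
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32'                # Open/Save dialog MRUs
)

function Get-RegistrySnapshot {
    param([string[]]$Roots)
    $snap = @{}
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The root key itself plus every subkey beneath it
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                # Shellbag and MRU data are binary blobs; flatten to hex so they compare as strings
                if ($value -is [byte[]]) { $value = [BitConverter]::ToString($value) }
                $snap["$($key.Name)\$name"] = "$value"
            }
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $allNames = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($k in $allNames) {
        if (-not $Before.ContainsKey($k))     { [pscustomobject]@{ Change = 'Added';    Value = $k } }
        elseif (-not $After.ContainsKey($k))  { [pscustomobject]@{ Change = 'Removed';  Value = $k } }
        elseif ($Before[$k] -ne $After[$k])   { [pscustomobject]@{ Change = 'Modified'; Value = $k } }
    }
}

$before = Get-RegistrySnapshot -Roots $ArtefactKeys
# Placeholder: path to the portable app under test
Start-Process -FilePath 'C:\Path\To\PortableApp.exe' -Wait
$after = Get-RegistrySnapshot -Roots $ArtefactKeys

Compare-RegistrySnapshot -Before $before -After $after | Format-Table -AutoSize
```

Take the "after" snapshot only once the app has fully exited and any Explorer windows or file dialogs it opened are closed, since Explorer commits Shellbag data when a window closes rather than while it is open; that timing is exactly the "closing elegantly" problem raised above, and the diff will show it as Shellbag entries that appear only after the windows are gone.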
Re: Applications that write to the registry, are they portable?
Another big aspect that I forgot about was all the shit in the latest Windows versions (10 + 11) that take forensic artefacts out of your control entirely by broadcasting them over the net. Once Recall is a quasi-mandatory part of the OS (it may take many years to convince people to accept it, but it'll happen), "stealth" will be an essentially meaningless term. Arguably we've been trending that way for a long time, esp as MS hasn't given up on replacing .exe downloads with Store apps.
Re: Applications that write to the registry, are they portable?
Sandboxie comes to mind even if I dunno if it'll fit the bill...