Xanthros
11-07-2007, 09:32 PM
Without further ado:
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\
The initial 4 queries to this key are successful, but are also returning UNKNOWN TYPE: 11 errors.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
When this key is queried, there's a potential for a buffer overflow, which I saw firsthand when watching it in memory. That said, it appears that there's a code loop coupled with it as it worked on the second attempt a fraction of a second later.
HKCR\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32\InprocServer32
When this key is queried, there's also potential for overflow - I saw it in memory and the first time it was queried there wasn't a retry when it failed...in a later attempt, it overflowed then was successful with what appeared to be a hash string following.
Those are the immediates that I saw upon a quick glance; there's also registry calls referencing keys that simply don't exist and don't appear to play any role at this moment other than registry integrity check at best.
There are more, but they're not anywhere near as critical as these few could be. If any admins want the full report or have questions, feel free to PM.
Bug huntin' ftw,
X-
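Type 11 in the Windows registry type enumeration is REG_QWORD (a 64-bit value), which the SRP hash-rule subkeys under that path use for values such as ItemSize and LastModified; a tool printing "UNKNOWN TYPE: 11" is therefore most likely one that does not handle that type, not a failed query. The PowerShell below is an added example, not the poster's tool or report, that lists each hash rule under the key quoted above together with every value's type id; it assumes it is run on a machine where SRP hash rules exist.

```powershell
# Added example (not the poster's tool): enumerate the Software Restriction
# Policy hash rules under the key discussed above and print each value with
# its registry type, so that type id 11 can be seen for what it is: QWord.
# Assumes SRP hash rules exist on this machine; otherwise the key is absent
# and the script says so.
$HashRulesPath = 'HKLM:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes'

if (-not (Test-Path -Path $HashRulesPath)) {
    Write-Output "No SRP hash rules present at $HashRulesPath"
    return
}

# The registry provider hands back Microsoft.Win32.RegistryKey objects,
# which expose the value names and their RegistryValueKind directly.
Get-ChildItem -Path $HashRulesPath | ForEach-Object {
    $rule = $_                                  # one GUID-named subkey per hash rule
    Write-Output "Rule: $($rule.PSChildName)"
    foreach ($name in $rule.GetValueNames()) {
        $kind   = $rule.GetValueKind($name)     # RegistryValueKind enum member
        $kindId = [int]$kind                    # numeric REG_* id; QWord is 11
        $value  = $rule.GetValue($name)
        if ($value -is [byte[]]) {
            # REG_BINARY (e.g. ItemData, the file hash): render as hex
            $value = ($value | ForEach-Object { $_.ToString('x2') }) -join ''
        }
        Write-Output ("  {0,-14} {1,-10} (type {2,2})  {3}" -f $name, $kind, $kindId, $value)
    }
}
```

Values whose type prints as QWord (11) are the ones a tool limited to the older REG_* types would report as unknown.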