
Updated 3R (RegRipper Ripper)

November 4, 2018 in 3R, Forensic Analysis, Software Releases

It’s been 2 years since I last updated the 3R, so I decided to download the latest regripper repo (https://github.com/keydet89/RegRipper2.8) and re-run my tool on it.

I had to do a quick fix to handle the slack.pl script, but other than that, it’s the same old 3r.pl script generating the very same content as before, except it now covers all the new plugins Harlan added over the last 2 years – if I am not wrong, there are over 40 new scripts. Kudos to Harlan for maintaining the repo for so many years.

So, there you have it, the Regripper is still here and kicking; if you ever need to write a new plug-in feel free to leverage the free online tool 3RPG, or, just learn perl 🙂

Additional IFEO keys for Metro Apps

October 8, 2018 in Forensic Analysis

In my previous post I described how Metro Apps are hosted by the wwahost.exe process, which in turn leverages its IFEO (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wwahost.exe) key to store its additional execution configuration.

Looking closer at Procmon logs I noticed that the actual Metro App itself also leverages IFEO keys. I am not sure what the purpose of all of them is, but in some cases we can try to guess by looking at the names, and 2 of them were already described in my older posts.

  • IFEO\wwahost.exe
    • AllowTopLevelNavigation
    • BreakOnInitializeProcessFailure
    • CFGOptions
    • CustomUAActive
    • CWDIllegalInDLLSearch
    • DebugProcessHeapOnly
    • DelegatedNtdll
    • DeveloperAuthList
    • DisableByteCodeCache
    • disableCSP
    • DisableExceptionChainValidation
    • DisableHeapLookaside
    • DpiAwareness
    • EnabledTestHook
    • ExecuteOptions
    • FrontEndHeapDebugOptions
    • GdiScaling
    • GlobalFlag
    • KeepActivationContextsAlive
    • LogConsoleToDebugPort
    • MaxDeadActivationContexts
    • MaxLoaderThreads
    • MinimumStackCommitInBytes
    • PerProcessSystemDpi
    • RpcRuntimeConfigFlags
    • SearchPathMode
    • ShutdownFlags
    • TestEffectiveWebPlatformVersion
    • TracingFlags
    • TrackActivationContextReleases
    • UnloadEventTraceDepth
    • UseFilter
    • UseImpersonatedDeviceMap
    • WebInstanceUseAdapter
    • WindowsComponentEnabled
    • WWAInject
  • IFEO\wwahost.exe\4DF9E0F8.Netflix_6.81.325.0_x86__mcm4njqhnhss8!Netflix.App
    • DebugProcessHeapOnly
    • DisableHeapLookaside
    • FrontEndHeapDebugOptions
    • GlobalFlag
    • MaxLoaderThreads
    • ShutdownFlags
    • TracingFlags
    • UnloadEventTraceDepth
    • UseImpersonatedDeviceMap
  • IFEO\4df9e0f8.netflix
    • CustomUAActive
    • EnabledTestHook
    • LogConsoleToDebugPort
  • IFEO\WebView
    • AnyScriptNotify
  • IFEO\WebView\4df9e0f8.netflix
    • ExecutionMode
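As an added example (not code from this post, RegRipper or 3R), here is a PowerShell audit of the IFEO tree that recurses into nested per-application subkeys like the wwahost.exe\<package>!App entries listed above, which a flat listing of IFEO\* would miss. The "expected" list is an assumption built from the value names this post observed; the Debugger check is a standard IFEO audit item that the post itself does not discuss.

```powershell
# Added example, not from the original post. Walk the IFEO tree recursively so that
# per-application subkeys (e.g. IFEO\wwahost.exe\<PackageFamilyName>!App) are included,
# and report every value set under each key with a rough severity.

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: value names this post saw wwahost.exe and its hosted app read; treated as
# expected noise here. Anything outside this list is worth a second look.
$expected = @('GlobalFlag', 'MaxLoaderThreads', 'ShutdownFlags', 'TracingFlags',
              'UnloadEventTraceDepth', 'UseImpersonatedDeviceMap', 'DebugProcessHeapOnly',
              'DisableHeapLookaside', 'FrontEndHeapDebugOptions')

function Get-IfeoFindings {
    param([string]$Path, [string[]]$Expected)
    $findings = [System.Collections.Generic.List[object]]::new()
    # Include the root key itself, then every nested key; -Recurse follows
    # wwahost.exe\<app id> style children that a single-level listing would skip.
    $keys = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # 'Debugger' redirects process start to another image, so it is always high.
            $severity = if ($name -eq 'Debugger') { 'high' }
                        elseif ($Expected -notcontains $name) { 'review' }
                        else { 'info' }
            $findings.Add([pscustomobject]@{
                Key      = $key.Name.Substring($key.Name.IndexOf('Image File Execution Options'))
                Name     = if ($name -eq '') { '(Default)' } else { $name }
                Value    = $key.GetValue($name)
                Severity = $severity
            })
        }
    }
    return $findings
}

Get-IfeoFindings -Path $ifeoRoot -Expected $expected |
    Sort-Object @{Expression = { @{'high' = 0; 'review' = 1; 'info' = 2}[$_.Severity] }}, Key |
    Format-Table -AutoSize
```

Run it as a user that can read HKLM\SOFTWARE; it only reads the registry and changes nothing, so it is safe to include in a baseline collection before comparing against a known-good host.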