The Avenger

An In-Depth Example

  • To put it all together, I will walk through an example of how to construct an Avenger script.

  • I assume a user of The Avenger will already have sufficient familiarity with the Windows registry. If you are not familiar with the registry or reading data exports from it, you might want to read one or more of the following tutorials before going any further with The Avenger:

    Demystifying the Windows Registry [bleepingcomputer.com]
    Description of the Windows Registry [microsoft.com]
    Windows Registry Tutorial [pctools.com]

  • Even if you are familiar with the basic structure of the registry, if you are not experienced at identifying registry loading points, drivers, or specific signs of malware infection, it is strongly recommended to use The Avenger under expert supervision.
    The Avenger is a very powerful tool and can easily be misused! See "Why is it important to be careful with it?". Please feel free to contact me any time for help with The Avenger or scripts.

Step 1: Identifying the Problem

  • Suppose you have the following exports from the registry (in standard .REG file format) and you know them to be malicious:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ntbase"="c:\\windows\\ntbase.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"ntbase"="c:\\windows\\ntbase.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="C:\\WINDOWS\\System32\\expl0rer.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmcca]
"Asynchronous"=dword:00000001
"DLLName"="pmcca.dll"
"Impersonate"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServProv]
"DisplayName"="Windows NT Services provider"
"ErrorControl"=dword:00000000
"Group"="Base"
"ImagePath"="System32\\drivers\\provider.sys"
"Start"=dword:00000001
"Type"=dword:00000001

  • The same information could be obtained from a program like HijackThis or from many other similar tools. I will use the raw registry export here.

  • I made this example up, but it is fairly typical of simple infections using simple loading points to run on reboot, load a driver into kernel memory, etc.

  • I will now break down piece-by-piece how to convert this registry export into commands to give The Avenger to remove the infection.

Step 2: Analyzing the Pieces

Let's consider each piece of the registry export above in turn.

  1. Registry data

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "ntbase"="c:\\windows\\ntbase.exe"

    Here the HKEY_LOCAL_MACHINE\...\Run portion is the registry key name and the "ntbase" line is a value under the \...\Run key. The value name is the part between the quotation marks to the left of the equals sign, ntbase here.

    The Run value above is designed to execute the malware on each reboot. We don't want to delete the whole Run key since legitimate applications will execute from there as well. We just want to remove the bad value named "ntbase". Assuming we also wanted to delete the associated file, we would feed to The Avenger:

    Avenger script

    Registry values to delete:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | ntbase

    Files to delete:
    c:\windows\ntbase.exe

    where we have constructed the "Registry values to delete:" syntax from the key name, a pipe (|), and the value name.

    Note that we have discarded the double backslashes \\ in favor of single backslashes \ in the file path. Double backslashes are required (as escape characters) inside quotation marks in .REG file expressions, but The Avenger does not use them.

    For more information see the command references for "Registry values to delete:" and "Files to delete:".

  2. The next part is similar, using a different autorun location in the registry:

    Registry data

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    "ntbase"="c:\\windows\\ntbase.exe"

    The Policies\Explorer\Run key does not exist in Windows by default, and if no legitimate applications are running from it (it is likely that none are), we can delete the key outright, which will delete the bad value underneath the key automatically:

    Avenger script

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

    Files to delete:
    c:\windows\ntbase.exe

    Of course, if we have already issued the "Files to delete:" command for c:\windows\ntbase.exe above, there is no need to do it again.

    For more information see the command reference for "Registry keys to delete:".

  3. Next we have another loading point:

    Registry data

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"="C:\\WINDOWS\\System32\\expl0rer.exe"

    The "System" value under the Winlogon key does exist by default, but it is normally empty (null string value). So we don't want to delete the value; instead, we want Avenger to replace it with a dummy, which for a string value is the null string. So we use:

    Avenger script

    Registry values to replace with dummy:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | System

    Files to delete:
    c:\windows\system32\expl0rer.exe

    Note that the legitimate explorer.exe has a letter 'O' instead of a number 'zero' in the filename, and is located in the Windows directory, not the Windows\System32 directory.

    For more information see the command reference for "Registry values to replace with dummy:".

  4. The next two parts are again autorun keys we want to delete:

    Registry data

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmcca]
    "Asynchronous"=dword:00000001
    "DLLName"="pmcca.dll"
    "Impersonate"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF}]

    So we can do:

    Avenger script

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmcca
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF}

    Note that the key name should be put entirely on one line, even if it is very long like this one. (The key name above is in fact on a single line, even though your browser will probably word-wrap it. Be careful of this!)

  5. Lastly, we have the driver:

    Registry data

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServProv]
    "DisplayName"="Windows NT Services provider"
    "ErrorControl"=dword:00000000
    "Group"="Base"
    "ImagePath"="System32\\drivers\\provider.sys"
    "Start"=dword:00000001
    "Type"=dword:00000001

    Let's examine the various parts of this key. The subkey name under Services, ServProv here, is the "driver name". In the Windows services.msc console it is called the "Service name" (for user-mode services/drivers). This is what we need for The Avenger. The other parts, including the "DisplayName" value and the "ImagePath" or file name, are not important to us.

    We know this is a driver (in fact, we know from the "Start"=dword:00000001 value above that it is a kernel driver), and so we must use a driver-specific Avenger command. If we want to delete this driver outright, we can use "Drivers to delete:", or if we just want to disable it, we can use "Drivers to disable:".

    Suppose we want to delete it. The syntax would be:

    Avenger script

    Drivers to delete:
    ServProv

    This will delete the entire HKLM\...\Services\ServProv key, so there is nothing more to do, unless we also want to delete the associated driver file:

    Avenger script

    Files to delete:
    C:\WINDOWS\System32\drivers\provider.sys
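The note in step 3 about expl0rer.exe is the kind of check worth automating when reading an export: a file name that differs from a system binary only by a confusable character (digit zero for the letter o, digit one for the letter l), or a system binary sitting in the wrong directory, is a flag worth raising before anything goes into a script. As an added example (my code, not part of The Avenger or its documentation), this Python function does that comparison against a small constructed table; the table, its assumption of a default install under C:\WINDOWS, and the function name are my choices, not anything the page defines.

```python
import ntpath

# Constructed table (assumption: a default install under C:\WINDOWS) of a few binaries
# that malware likes to imitate, each with the only directory it legitimately lives in.
LEGIT_LOCATIONS = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
}
# Characters commonly swapped for look-alikes: zero for 'o', one for 'l', five for 's'.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s"})


def check_lookalike(path):
    """Return None if the path is not imitating a tracked binary, otherwise the reason(s)."""
    directory, name = ntpath.split(path.lower())   # ntpath handles Windows paths anywhere
    canonical = name.translate(CONFUSABLES)
    if canonical not in LEGIT_LOCATIONS:
        return None                                 # not a name we track
    reasons = []
    if canonical != name:
        reasons.append(f"name {name} imitates {canonical}")
    if directory != LEGIT_LOCATIONS[canonical]:
        reasons.append(f"located in {directory or '(no directory)'}, "
                       f"expected {LEGIT_LOCATIONS[canonical]}")
    return "; ".join(reasons) or None
```

For the walkthrough's C:\WINDOWS\System32\expl0rer.exe the function reports both problems at once: the name imitates explorer.exe and the directory is System32 rather than the Windows directory. A genuine C:\WINDOWS\explorer.exe returns None, as does a file whose name does not resemble anything in the table.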

Step 3: Putting it All Together

That's it! Let's put all of this together and see the complete Avenger script:

Drivers to delete:
ServProv

Registry values to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | ntbase

Files to delete:
c:\windows\ntbase.exe
c:\windows\system32\expl0rer.exe
C:\WINDOWS\System32\drivers\provider.sys

Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | System

Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmcca
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF}

  • I have consolidated the commands that we use more than once, for ease of reading the script.

  • Note that The Avenger does NOT guarantee that the commands in a script are executed in order. In fact the "Drivers to delete:" command would be executed first, even if I did not list it first, because it needs to be! Otherwise we could not safely delete the associated driver file provider.sys using "Files to delete:" since the driver would still be active, and this could cause system deadlock. I listed the driver first in the script anyway, just so that it would be easier to understand, and this is probably good practice.
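As an added example (my code, not part of The Avenger or its documentation), the following Python script carries Steps 1 to 3 through mechanically: it parses the .REG export from Step 1, applies the decisions made in Step 2 (name only the bad value under a shared key such as Run, blank the default-present Winlogon "System" value with a dummy, delete malware-only keys outright, take the Services subkey name as the driver name, and drop the .REG double backslashes), consolidates file entries listed more than once, and emits the sections in the order used in Step 3 with the driver first. The Windows directory (C:\WINDOWS) used to resolve a relative ImagePath, the small tables of shared and default-present keys, and all function names are my assumptions for this example; the script also resolves the \SystemRoot\ and \??\ ImagePath forms, which the walkthrough's export happens not to use.

```python
import re

# Constructed sample: the Step 1 export verbatim, so the result can be compared with Step 3.
REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ntbase"="c:\\windows\\ntbase.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"ntbase"="c:\\windows\\ntbase.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="C:\\WINDOWS\\System32\\expl0rer.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmcca]
"Asynchronous"=dword:00000001
"DLLName"="pmcca.dll"
"Impersonate"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServProv]
"DisplayName"="Windows NT Services provider"
"ErrorControl"=dword:00000000
"Group"="Base"
"ImagePath"="System32\\drivers\\provider.sys"
"Start"=dword:00000001
"Type"=dword:00000001
'''

SYSTEM_ROOT = r"C:\WINDOWS"   # assumption: Windows directory of the infected machine
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"
SHARED_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run"}  # act on the value, never the key
DUMMY_VALUES = {(r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon", "system")}  # exists by default: blank it
PROTECTED_KEYS = SHARED_KEYS | {k for k, _ in DUMMY_VALUES}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data

def unescape(s):
    """.REG escapes backslashes and quotes with a backslash; Avenger wants them plain."""
    return re.sub(r'\\(.)', r'\1', s)

def decode_data(data):
    """Decode REG_SZ ("...") and REG_DWORD (dword:hex); other types stay as written."""
    if data.startswith('"') and data.endswith('"'):
        return unescape(data[1:-1])
    return int(data[6:], 16) if data.lower().startswith("dword:") else data

def parse_reg(text):
    """Parse a .REG export into an ordered {key name: {value name: data}} mapping."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}            # a key with no values (the BHO CLSID) still counts
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][unescape(m.group(1))] = decode_data(m.group(2))
    return keys

def is_file_path(data):
    """Absolute paths only; a bare name such as pmcca.dll has no known location."""
    return isinstance(data, str) and re.match(r'^[a-z]:\\', data, re.I) is not None

def resolve_image_path(img):
    """Resolve the relative, SystemRoot-prefixed and NT-object-prefixed ImagePath forms."""
    if img.lower().startswith("\\??\\"):
        return img[4:]
    if img.lower().startswith("\\systemroot\\"):
        return SYSTEM_ROOT + img[len("\\systemroot"):]
    return img if is_file_path(img) else SYSTEM_ROOT + "\\" + img

def build_script(keys):
    """Return (header, entries) sections in the Step 3 order, drivers first."""
    drivers, values, files, dummies, delkeys = [], [], [], [], []

    def add_file(path):                   # consolidate files listed more than once
        if path.lower() not in {f.lower() for f in files}:
            files.append(path)

    for key, vals in keys.items():
        k = key.lower()
        if k.startswith(SERVICES_KEY + "\\"):
            # The subkey directly under Services is the driver name Avenger wants.
            name = key[len(SERVICES_KEY) + 1:].split("\\")[0]
            if name not in drivers:
                drivers.append(name)
            if vals.get("ImagePath"):
                add_file(resolve_image_path(vals["ImagePath"]))
        elif k in PROTECTED_KEYS:         # shared key: act on the value, never the key
            for name, data in vals.items():
                target = dummies if (k, name.lower()) in DUMMY_VALUES else values
                target.append(f"{key} | {name}")
                if is_file_path(data):
                    add_file(data)
        else:                             # malware-only key: delete it outright
            delkeys.append(key)
            for data in vals.values():
                if is_file_path(data):
                    add_file(data)
    return [("Drivers to delete:", drivers), ("Registry values to delete:", values),
            ("Files to delete:", files), ("Registry values to replace with dummy:", dummies),
            ("Registry keys to delete:", delkeys)]

def render(sections):
    """Avenger script text: a header, its entries one per line, empty sections omitted."""
    return "\n\n".join(h + "\n" + "\n".join(e) for h, e in sections if e) + "\n"
```

Calling `render(build_script(parse_reg(REG_EXPORT)))` produces the same five sections, in the same order, as the complete script above; file paths keep whatever case they had in the export, which Windows treats identically. The bare file name pmcca.dll from the Notify entry is deliberately not turned into a "Files to delete:" line, because the export does not say where that DLL lives, and every key name is emitted on a single line however long it is.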
