Kernel Extracting the Poweliks DLL from the Registry by Sketchymoose

Storm Shadow

  • RegDecoder by Digital Forensics Solutions: Wonderful registry tool for analysis
  • Scrdec by Mr.Brownstone: JScript decoder
  • PDFStreamDumper by David Zimmer for prettifying the code
  • CygWin to add some *nix functionality to Windows; these additional packages were added:
    • xxd -> hex editor
    • binutils -> strings
  • MAP by iDefense for the Shell Extensions of strings and submitting to VirusTotal
  • Foremost for carving
For those who just want to cut to the chase (you know who you are, you TLDR people), here are the steps:

  1. Copy the data from the registry key holding the JScript encoded data (it's somewhere in HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
  2. Decrypt with scrdec
  3. Extract & decode the base64
  4. Extract & decode the 2nd base64
  5. Carve the DLL
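Steps 3 to 5 of the list above, as an added Python example that is not part of the original post or of Sketchymoose's video. It starts from the script text as scrdec would hand it back (step 2 is not re-implemented here; a constructed sample is built inline, with a minimal hand-made PE standing in for the real Poweliks DLL), finds and decodes the nested base64 layers, and then carves the DLL by its MZ/PE headers, bounding the image at the end of the last section's raw data the way a signature carver such as foremost does. All names, the sample script layout and the fake PE are assumptions made for the example.

```python
import base64
import binascii
import re
import struct

# A "blob" is a long run of the base64 alphabet with optional '=' padding.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def extract_base64_blobs(data: bytes) -> list:
    """Decode every long base64 run found in data (step 3 / step 4 of the post)."""
    blobs = []
    for m in _B64_RUN.finditer(data):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except binascii.Error:
            continue  # not valid base64 (bad length or padding): skip the run
    return blobs


def unwrap_layers(data: bytes, max_depth: int = 4) -> list:
    """Peel nested base64 layers breadth-first; returns every decoded blob in order."""
    layers, frontier = [], [data]
    for _ in range(max_depth):
        nxt = []
        for buf in frontier:
            for blob in extract_base64_blobs(buf):
                layers.append(blob)
                nxt.append(blob)
        if not nxt:
            break  # no further base64 inside the last layer
        frontier = nxt
    return layers


def carve_pe(blob: bytes) -> list:
    """Carve PE images by MZ signature (step 5): validate e_lfanew -> 'PE\\0\\0',
    then bound the image at the end of the last section's raw data.
    Returns (offset, image_bytes, is_dll) tuples."""
    found = []
    for m in re.finditer(b"MZ", blob):
        off = m.start()
        try:
            e_lfanew, = struct.unpack_from("<I", blob, off + 0x3C)
            pe = off + e_lfanew
            if blob[pe:pe + 4] != b"PE\0\0":
                continue  # 'MZ' was just two bytes of text or data
            nsec, = struct.unpack_from("<H", blob, pe + 6)
            opt_size, characteristics = struct.unpack_from("<HH", blob, pe + 20)
            sec_tbl = pe + 24 + opt_size
            end = sec_tbl + nsec * 40
            for i in range(nsec):  # SizeOfRawData, PointerToRawData at +16 of each header
                raw_size, raw_ptr = struct.unpack_from("<II", blob, sec_tbl + i * 40 + 16)
                end = max(end, off + raw_ptr + raw_size)
        except struct.error:
            continue  # header runs past the buffer: not a complete image
        is_dll = bool(characteristics & 0x2000)  # IMAGE_FILE_DLL
        found.append((off, blob[off:min(end, len(blob))], is_dll))
    return found


def recover_dll(decoded_script: bytes) -> bytes:
    """Run the whole pipeline: nested base64 -> carved image flagged as a DLL."""
    for layer in unwrap_layers(decoded_script):
        for _off, image, is_dll in carve_pe(layer):
            if is_dll:
                return image
    return b""


def build_fake_dll() -> bytes:
    """Constructed: minimal PE32 with the DLL flag and one 16-byte section (368 bytes)."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                       # optional header
    raw_ptr = 0x40 + 4 + 20 + len(opt) + 40                              # after section table
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)  # i386, 1 section, DLL
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 16, 0x1000, 16, raw_ptr, 0, 0, 0, 0, 0x60000020)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + opt + section + b"\x90" * 16


def build_sample_decoded_script() -> bytes:
    """Constructed stand-in for scrdec's output: JScript carrying base64 of a second
    stage, which itself carries base64 of the DLL (the two layers of steps 3 and 4)."""
    stage2 = b"$p=[Convert]::FromBase64String('" + base64.b64encode(build_fake_dll()) + b"');"
    return b'var x = "' + base64.b64encode(stage2) + b'"; eval(x);'


if __name__ == "__main__":
    image = recover_dll(build_sample_decoded_script())
    print("carved DLL of %d bytes, matches sample: %s" % (len(image), image == build_fake_dll()))
```

On a real sample the input to `recover_dll` is the scrdec output of the registry value; the carved image can then be written to disk and submitted or analysed with the tools listed above.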
The next video I will show extracting the DLL from a memory dump. Hope everyone enjoys!