When does Microsoft use ROT13 on files in RAM and why?

4 Posts
4 Users
0 Reactions
2,253 Views
(@tall1)
Active Member
Joined: 14 years ago
Posts: 11
Topic starter  

Hello,

I would assume that UserAssist entries are stored in ROT13 in memory, but does anyone know if all files and their paths, when registered in memory, are stored in ROT13? I have run a memory dump through strings and searched for .rkr (the ROT13 conversion of exe) and .exe, and found both.

Does anyone know on what occasions Microsoft uses ROT13 on some entries (maybe just UserAssist entries) and normal, non-ROT13 on others?

Thanks,


   
 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

This doesn't answer your question but has some good info

http://forensiczone.blogspot.com/2007/12/user-assist-data-in-ram-dump.html


   
(@muirner)
Trusted Member
Joined: 17 years ago
Posts: 65
 

> This doesn't answer your question but has some good info
>
> http://forensiczone.blogspot.com/2007/12/user-assist-data-in-ram-dump.html

+1, there are some very good links there. Check out the main page of ForensicZone as well, there is more on the ROT13 discussion.


   
traknerud
(@traknerud)
Active Member
Joined: 18 years ago
Posts: 12
 

User assist values are stored as ROT13 in the registry, which is why you find them encoded this way in RAM dumps etc. Off the top of my head I can't remember any other registry values stored in ROT13 that I've worked with in forensic examinations, but that doesn't mean they don't exist.

As far as I know ROT13 is used on user assist values to discourage users from "messing around". As far as cryptography is concerned it's pretty weak, so it can hardly be considered a real security measure.


   
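Added example, not part of the thread: a Python sketch of the strings search described in the first post, extended to tell ROT13-encoded entries apart from clear-text paths in a memory buffer, in both ASCII and UTF-16LE. The `UEME_` prefix (XP-era UserAssist value naming), the marker list and the sample buffer are assumptions made for this illustration.

```python
import codecs
import re

# Printable runs of 6+ characters, as 8-bit ASCII and as UTF-16LE
# (Windows commonly holds strings in memory in either form).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Assumed heuristics: text expected only after ROT13 decoding
# (UEME_ is the XP-era UserAssist value-name prefix).
DECODED_MARKERS = ("UEME_", ".exe", ".lnk")

# Constructed sample buffer standing in for a slice of a RAM dump.
SAMPLE = (
    b"\x00\x01\x02"
    + "HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\abgrcnq.rkr".encode("utf-16le")
    + b"\x00\x00\xff\xfe"
    + b"C:\\WINDOWS\\system32\\notepad.exe"   # ordinary clear-text path
    + b"\x00\x01"
    + b"HRZR_EHACNGU:P:\\Cebtenz Svyrf\\gbby.rkr"
    + b"\x00"
)


def extract_strings(buf):
    """Yield (offset, encoding, text) for ASCII and UTF-16LE strings."""
    for m in ASCII_RUN.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_rot13_entries(buf):
    """Return strings that only look like UserAssist names once decoded."""
    hits = []
    for offset, enc, text in extract_strings(buf):
        decoded = codecs.decode(text, "rot_13")
        # A marker already visible in clear text means an ordinary
        # path, not a ROT13-encoded entry, so skip it.
        if any(k.lower() in text.lower() for k in DECODED_MARKERS):
            continue
        if any(k.lower() in decoded.lower() for k in DECODED_MARKERS):
            hits.append((offset, enc, text, decoded))
    return sorted(hits)


if __name__ == "__main__":
    for offset, enc, raw, decoded in find_rot13_entries(SAMPLE):
        print(f"0x{offset:08x} {enc:9} {raw!r} -> {decoded!r}")
```

On a real dump, read the file in chunks and add the chunk's base offset to each hit so the locations can be checked against the registry hive or process they belong to.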