Hidden Registry Key Name Not Accurately Reported in Logs #444

@andrew-petrus

Description

Describe the bug

I am using SharpHide to create a hidden registry key, and the "hidden registry key creation" rule in Fibratus correctly detects this event. However, the key_name field in the logs incorrectly reports the path of the key. Running SharpHide multiple times produces different results for the key_name field, none of which is the correct registry path of the hidden key.

How to reproduce it

  1. Run SharpHide to create a hidden registry key.
  2. Check the logs and note that the key_name field does not reflect the actual registry key correctly.

Expected behavior

The key_name field should accurately report the full registry path of the hidden key that was created.

Screenshots

(screenshot attached to the issue)

Environment

Fresh install of Windows 11 Pro.

  • Fibratus version:
    ┌─────────────┬─────────────────────┐
    │ Version     │ 2.3.0               │
    │ Commit      │ e7573a4             │
    │ Build date  │ 09-12-2024.12:22:55 │
    ├─────────────┼─────────────────────┤
    │ Go compiler │ go1.23.3            │
    └─────────────┴─────────────────────┘
  • OS:
    Windows 11 Pro

Additional context

Kparams: key_handle➜ ffff9603df5177d0, key_name➜ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\ SOFTWARE, status➜ Success

Fibratus.log file:

fibratus.log
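Background for the report above, as an added example that is not code from the issue author or from the Fibratus project. SharpHide hides a key by giving it a name whose first character is U+0000; the native registry API accepts that, but any consumer that treats the name as a NUL-terminated string sees the path cut off at the parent key. The snippet below decodes a key name from a length-prefixed UTF-16LE buffer (the layout is an assumption made for this example, not Fibratus' actual kernel-event parser), shows what a C-string view of the same name loses, flags names with an embedded NUL, and renders the NUL visibly so the full path survives in a log line. The sample key path is constructed for the example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
	"unicode/utf16"
)

// decodeKeyName decodes a registry key name from a UTF-16LE buffer whose
// length is given explicitly in bytes. Assumed layout for this example:
// kernel registry events carry the name with a length, not a terminator,
// so an embedded U+0000 must not end the decode.
func decodeKeyName(buf []byte, byteLen int) string {
	if byteLen > len(buf) {
		byteLen = len(buf)
	}
	byteLen &^= 1 // ignore a dangling odd byte; UTF-16 units are 2 bytes
	units := make([]uint16, 0, byteLen/2)
	for i := 0; i+1 < byteLen; i += 2 {
		units = append(units, binary.LittleEndian.Uint16(buf[i:i+2]))
	}
	return string(utf16.Decode(units))
}

// cstringView truncates at the first NUL, which is what a NUL-terminated
// string conversion does. It reproduces how a hidden key's own name
// disappears and only the parent path is reported.
func cstringView(name string) string {
	if i := strings.IndexByte(name, 0); i >= 0 {
		return name[:i]
	}
	return name
}

// isHiddenKeyName reports whether the decoded name contains an embedded
// U+0000 anywhere, the marker of a SharpHide-style hidden key.
func isHiddenKeyName(name string) bool {
	return strings.ContainsRune(name, 0)
}

// displayName makes the NUL visible as the two characters `\0` so a log
// line carries the complete path instead of silently dropping the tail.
func displayName(name string) string {
	return strings.ReplaceAll(name, "\x00", `\0`)
}

// encodeUTF16LE builds the buffer shape decodeKeyName expects; used here
// only to construct sample input.
func encodeUTF16LE(s string) []byte {
	units := utf16.Encode([]rune(s))
	b := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(b[2*i:], u)
	}
	return b
}

func main() {
	// Constructed sample: a hidden subkey whose name starts with U+0000.
	full := `HKEY_LOCAL_MACHINE\SOFTWARE\Example\` + "\x00hidden"
	buf := encodeUTF16LE(full)

	name := decodeKeyName(buf, len(buf))
	fmt.Printf("c-string view : %q\n", cstringView(name))
	fmt.Printf("hidden        : %v\n", isHiddenKeyName(name))
	fmt.Printf("full path     : %s\n", displayName(name))
}
```

When the decoder honours the explicit length, the hidden component is preserved and the rule can match on the embedded NUL; when the name is first passed through a NUL-terminated conversion, the key_name field degrades to the parent path and the hidden key cannot be told apart from an ordinary write to its parent.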
