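    def _get_key_info(self, key_name):
        ''' Extract information from the registry concerning the USB key

        key_name is a DeviceClasses subkey name of the form
        ##?#USBSTOR#Disk&Ven_&Prod_USB_DISK_2.0&Rev_PMAP#07BC13025A3B03A1&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
        Its 6th '#'-separated field (left of any '&') is the device serial.
        That serial is searched for among the subkeys of the USB
        device-interface class under self.aReg (presumably a handle on
        HKEY_LOCAL_MACHINE, see the path comment below -- TODO confirm),
        and the VID&PID field (index 4) of the first matching subkey is
        returned.

        Returns "" when key_name does not have enough fields, when the
        serial is empty, or when no subkey contains the serial.
        Errors from OpenKey propagate unchanged.
        '''
        # HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}
        # Backslashes are doubled: the previous literal relied on '\C', '\D'
        # and '\{' being *invalid* escapes (SyntaxWarning from Python 3.12).
        # The resulting value is identical.
        str_reg_key_usbinfo = "SYSTEM\\ControlSet001\\Control\\DeviceClasses\\{a5dcbf10-6530-11d2-901f-00c04fb951ed}\\"

        # The sample key_name above has 6 '#' fields; the USB id is index 5.
        fields = key_name.split('#')
        if len(fields) <= 5:
            # Not a device-interface name we understand; nothing to look up.
            return ""
        # Keep only the part left of the '&' separator: 07BC13025A3B03A1&0 -> 07BC13025A3B03A1
        usb_id = fields[5].split('&')[0]
        if not usb_id:
            # An empty id would substring-match every subkey below.
            return ""

        # Next we look in the registry for such an id.
        key_ids = ""
        reg_key_info = OpenKey(self.aReg, str_reg_key_usbinfo)
        try:
            for i in range(QueryInfoKey(reg_key_info)[0]):  # the number of subkeys
                try:
                    subkey_name = EnumKey(reg_key_info, i)
                except EnvironmentError:
                    # Enumeration ended early; return whatever was found.
                    break
                if usb_id in subkey_name:
                    # Example of a matching subkey name:
                    # ##?#USB#VID_26BD&PID_9917#0702313E309E0863#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
                    # Same '#'-separated layout: index 4 holds VID&PID.
                    segments = subkey_name.split('#')
                    if len(segments) > 4:
                        key_ids = segments[4]
                    break
        finally:
            # Close the handle even if QueryInfoKey or the loop raises.
            CloseKey(reg_key_info)
        return key_ids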
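def GetTypelibVersions(IID):
    """
    Returns the list of installed versions of a
    given typelib. Versions are returned as a list
    of two element tuples of the form (major, minor)
    where major, minor are integers.

    IID is used verbatim as the subkey name under
    HKEY_CLASSES_ROOT\\Typelib. Subkeys that are not of the form
    MAJOR.MINOR with hexadecimal components are skipped instead of
    aborting the whole enumeration. The error raised by OpenKey when
    the typelib key does not exist propagates to the caller.

    NOTE(review): IID is interpolated into the registry path without
    validation; a value containing backslashes selects a different
    (read-only) subkey. Validate it at the caller if it can come from
    untrusted input.
    """
    versions = []
    with OpenKey(HKEY_CLASSES_ROOT, 'Typelib\\' + IID) as key:
        subkeycount, _, _ = QueryInfoKey(key)

        for i in range(subkeycount):
            rawversion = EnumKey(key, i)

            # We're only interested in subkeys of the form
            # MAJORVERSION.MINORVERSION (exactly one dot).
            rawmajor, dot, rawminor = rawversion.partition('.')
            if not dot or '.' in rawminor:
                continue

            # Versions are expressed in hex.
            try:
                major, minor = int(rawmajor, 16), int(rawminor, 16)
            except ValueError:
                # Stray non-version subkey (e.g. "1.x"); ignore it.
                continue
            versions.append((major, minor))

    return versions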
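	def _get_key_info(self, key_name):
		''' Extract information from the registry concerning the USB key

		key_name is a DeviceClasses subkey name of the form
		##?#USBSTOR#Disk&Ven_&Prod_USB_DISK_2.0&Rev_PMAP#07BC13025A3B03A1&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
		Its 6th '#'-separated field (left of any '&') is the device serial.
		That serial is searched for among the subkeys of the USB
		device-interface class under self.aReg (presumably a handle on
		HKEY_LOCAL_MACHINE, see the path comment below -- TODO confirm),
		and the VID&PID field (index 4) of the first matching subkey is
		returned.

		Returns "" when key_name does not have enough fields, when the
		serial is empty, or when no subkey contains the serial.
		Errors from OpenKey propagate unchanged.
		'''
		# HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}
		# Backslashes are doubled: the previous literal relied on '\C', '\D'
		# and '\{' being *invalid* escapes (SyntaxWarning from Python 3.12).
		# The resulting value is identical.
		str_reg_key_usbinfo = "SYSTEM\\ControlSet001\\Control\\DeviceClasses\\{a5dcbf10-6530-11d2-901f-00c04fb951ed}\\"

		# The sample key_name above has 6 '#' fields; the USB id is index 5.
		fields = key_name.split('#')
		if len(fields) <= 5:
			# Not a device-interface name we understand; nothing to look up.
			return ""
		# Keep only the part left of the '&' separator: 07BC13025A3B03A1&0 -> 07BC13025A3B03A1
		usb_id = fields[5].split('&')[0]
		if not usb_id:
			# An empty id would substring-match every subkey below.
			return ""

		# Next we look in the registry for such an id.
		key_ids = ""
		reg_key_info = OpenKey(self.aReg, str_reg_key_usbinfo)
		try:
			for i in range(QueryInfoKey(reg_key_info)[0]):  # the number of subkeys
				try:
					subkey_name = EnumKey(reg_key_info, i)
				except EnvironmentError:
					# Enumeration ended early; return whatever was found.
					break
				if usb_id in subkey_name:
					# Example of a matching subkey name:
					# ##?#USB#VID_26BD&PID_9917#0702313E309E0863#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
					# Same '#'-separated layout: index 4 holds VID&PID.
					segments = subkey_name.split('#')
					if len(segments) > 4:
						key_ids = segments[4]
					break
		finally:
			# Close the handle even if QueryInfoKey or the loop raises.
			CloseKey(reg_key_info)
		return key_ids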
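def GetTypelibVersions(IID):
    """
    Returns the list of installed versions of a
    given typelib. Versions are returned as a list
    of two element tuples of the form (major, minor)
    where major, minor are integers.

    IID is used verbatim as the subkey name under
    HKEY_CLASSES_ROOT\\Typelib. Subkeys that are not of the form
    MAJOR.MINOR with hexadecimal components are skipped instead of
    aborting the whole enumeration. The error raised by OpenKey when
    the typelib key does not exist propagates to the caller.

    NOTE(review): IID is interpolated into the registry path without
    validation; a value containing backslashes selects a different
    (read-only) subkey. Validate it at the caller if it can come from
    untrusted input.
    """
    versions = []
    with OpenKey(HKEY_CLASSES_ROOT, 'Typelib\\' + IID) as key:
        subkeycount, _, _ = QueryInfoKey(key)

        for i in range(subkeycount):
            rawversion = EnumKey(key, i)

            # We're only interested in subkeys of the form
            # MAJORVERSION.MINORVERSION (exactly one dot).
            rawmajor, dot, rawminor = rawversion.partition('.')
            if not dot or '.' in rawminor:
                continue

            # Versions are expressed in hex.
            try:
                major, minor = int(rawmajor, 16), int(rawminor, 16)
            except ValueError:
                # Stray non-version subkey (e.g. "1.x"); ignore it.
                continue
            versions.append((major, minor))

    return versions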
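    def set_keys(self):
        """Relax the Office macro security settings for every installed version.

        Enumerates HKCU\\Software\\Microsoft\\Office for dotted, all-numeric
        subkeys (e.g. "15.0") and, for each, writes under
        ``<version>\\Publisher\\Security``: ``VBAWarnings=1`` (run macros
        without prompting), ``AccessVBOM=1`` (trust access to the VBA
        project object model) and ``ExtensionHardening=0`` (disable the
        extension/content mismatch check). Returns silently when Office
        is not installed or the version enumeration fails.

        NOTE(review): with these values the machine runs untrusted macros
        on open, which is only appropriate for a disposable analysis
        guest. The values are written under the Publisher application's
        Security key only -- confirm that is the intended application,
        since Word/Excel keep their own Security keys.
        """
        baseOfficeKeyPath = r"Software\Microsoft\Office"
        try:
            officeKey = OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0,
                                KEY_READ)
        except WindowsError:
            # Office isn't installed at all
            return

        installedVersions = []
        try:
            for currentKey in range(QueryInfoKey(officeKey)[0]):
                officeVersion = EnumKey(officeKey, currentKey)
                # Only dotted, all-numeric names are version keys; the other
                # subkeys (e.g. "Common") are skipped.
                parts = officeVersion.split(".")
                if len(parts) > 1 and all(p.isdigit() for p in parts):
                    installedVersions.append(officeVersion)
        except WindowsError:
            # Enumeration failed midway; give up as if Office were absent.
            return
        finally:
            # Close the handle on every path, including the early returns.
            CloseKey(officeKey)

        for oVersion in installedVersions:
            securityKeyPath = r"{0}\{1}\Publisher\Security".format(
                baseOfficeKeyPath, oVersion)
            key = CreateKeyEx(HKEY_CURRENT_USER, securityKeyPath, 0,
                              KEY_SET_VALUE)
            try:
                SetValueEx(key, "VBAWarnings", 0, REG_DWORD, 1)
                SetValueEx(key, "AccessVBOM", 0, REG_DWORD, 1)
                SetValueEx(key, "ExtensionHardening", 0, REG_DWORD, 0)
            finally:
                # Do not leak the handle if one of the writes fails.
                CloseKey(key)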
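    def set_keys(self):
        """Relax the Office macro security settings for every installed version.

        Enumerates HKCU\\Software\\Microsoft\\Office for dotted, all-numeric
        subkeys (e.g. "15.0") and, for each, writes under
        ``<version>\\Publisher\\Security``: ``VBAWarnings=1`` (run macros
        without prompting), ``AccessVBOM=1`` (trust access to the VBA
        project object model) and ``ExtensionHardening=0`` (disable the
        extension/content mismatch check). Returns silently when Office
        is not installed or the version enumeration fails.

        NOTE(review): with these values the machine runs untrusted macros
        on open, which is only appropriate for a disposable analysis
        guest. The values are written under the Publisher application's
        Security key only -- confirm that is the intended application,
        since Word/Excel keep their own Security keys.
        """
        baseOfficeKeyPath = r"Software\Microsoft\Office"
        try:
            officeKey = OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0, KEY_READ)
        except WindowsError:
            # Office isn't installed at all
            return

        installedVersions = []
        try:
            for currentKey in range(QueryInfoKey(officeKey)[0]):
                officeVersion = EnumKey(officeKey, currentKey)
                # Only dotted, all-numeric names are version keys; the other
                # subkeys (e.g. "Common") are skipped.
                parts = officeVersion.split(".")
                if len(parts) > 1 and all(p.isdigit() for p in parts):
                    installedVersions.append(officeVersion)
        except WindowsError:
            # Enumeration failed midway; give up as if Office were absent.
            return
        finally:
            # Close the handle on every path, including the early returns.
            CloseKey(officeKey)

        for oVersion in installedVersions:
            securityKeyPath = r"{0}\{1}\Publisher\Security".format(baseOfficeKeyPath, oVersion)
            key = CreateKeyEx(HKEY_CURRENT_USER, securityKeyPath, 0, KEY_SET_VALUE)
            try:
                SetValueEx(key, "VBAWarnings", 0, REG_DWORD, 1)
                SetValueEx(key, "AccessVBOM", 0, REG_DWORD, 1)
                SetValueEx(key, "ExtensionHardening", 0, REG_DWORD, 0)
            finally:
                # Do not leak the handle if one of the writes fails.
                CloseKey(key)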
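    def set_office_mrus(self):
        """Adds randomized MRU's to Office software(s).
        Occasionally used by macros to detect sandbox environments.

        For each installed Office version (dotted, all-numeric subkey of
        HKCU\\Software\\Microsoft\\Office) and each of Word, Excel and
        PowerPoint whose product key exists, the ``File MRU`` key is opened
        (and created with read access when missing). A key that already
        holds 5 or more values is left alone; otherwise ``Max Display`` is
        set to 25 if absent and between 9 and 29 ``Item N`` values with
        random file paths are written. Every registry handle is closed on
        both success and failure paths. Returns silently when Office is
        not installed or the version enumeration fails.
        """
        baseOfficeKeyPath = r"Software\Microsoft\Office"
        basePaths = [
            "C:\\",
            "C:\\Windows\\Logs\\",
            "C:\\Windows\\Temp\\",
            "C:\\Program Files\\",
        ]
        extensions = {
            "Word": ["doc", "docx", "docm", "rtf"],
            "Excel": ["xls", "xlsx", "csv"],
            "PowerPoint": ["ppt", "pptx"],
        }

        try:
            officeKey = OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0, KEY_READ)
        except WindowsError:
            # Office isn't installed at all
            return

        installedVersions = []
        try:
            for currentKey in range(QueryInfoKey(officeKey)[0]):
                officeVersion = EnumKey(officeKey, currentKey)
                # Only dotted, all-numeric names are version keys; the other
                # subkeys (e.g. "Common") are skipped.
                parts = officeVersion.split(".")
                if len(parts) > 1 and all(p.isdigit() for p in parts):
                    installedVersions.append(officeVersion)
        except WindowsError:
            # Enumeration failed midway; give up as if Office were absent.
            return
        finally:
            CloseKey(officeKey)

        for oVersion in installedVersions:
            for software, exts in extensions.items():
                productPath = r"{0}\{1}\{2}".format(baseOfficeKeyPath, oVersion, software)
                mruKeyPath = r"{0}\File MRU".format(productPath)
                try:
                    # Probing the product key tells whether this application
                    # (Word/Excel/PowerPoint) is installed for this version.
                    CloseKey(OpenKey(HKEY_CURRENT_USER, productPath, 0, KEY_READ))
                    try:
                        mruKey = OpenKey(HKEY_CURRENT_USER, mruKeyPath, 0, KEY_READ)
                    except WindowsError:
                        mruKey = CreateKeyEx(HKEY_CURRENT_USER, mruKeyPath, 0, KEY_READ)
                    try:
                        # QueryInfoKey()[1] is the number of values in the key.
                        valueCount = QueryInfoKey(mruKey)[1]
                        values = [EnumValue(mruKey, idx) for idx in range(valueCount)]
                    finally:
                        CloseKey(mruKey)
                except WindowsError:
                    # An Office version was found in the registry but the
                    # software (Word/Excel/PowerPoint) was not installed.
                    continue

                if len(values) >= 5:
                    # The MRU already looks populated; leave it untouched.
                    continue
                # EnumValue returns (name, data, type); look for an existing Max Display.
                displayValue = any(value[0] == "Max Display" for value in values)

                mruKey = OpenKey(HKEY_CURRENT_USER, mruKeyPath, 0, KEY_SET_VALUE)
                try:
                    if not displayValue:
                        SetValueEx(mruKey, "Max Display", 0, REG_DWORD, 25)

                    for i in range(1, randint(10, 30)):
                        rString = random_string(minimum=11, charset="0123456789ABCDEF")
                        # Odd and even items alternate between the two id prefixes.
                        baseId = ("T01D1C" if i % 2 else "T01D1D") + rString
                        setVal = "[F00000000][{0}][O00000000]*{1}{2}.{3}".format(
                            baseId, basePaths[randint(0, len(basePaths) - 1)],
                            random_string(minimum=3, maximum=15,
                                charset="abcdefghijkLMNOPQURSTUVwxyz_0369"),
                            exts[randint(0, len(exts) - 1)])
                        SetValueEx(mruKey, "Item {0}".format(i), 0, REG_SZ, setVal)
                finally:
                    # Do not leak the handle if one of the writes fails.
                    CloseKey(mruKey)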
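    def set_office_mrus(self):
        """Adds randomized MRU's to Office software(s).
        Occasionally used by macros to detect sandbox environments.

        For each installed Office version (dotted, all-numeric subkey of
        HKCU\\Software\\Microsoft\\Office) and each of Word, Excel and
        PowerPoint whose ``File MRU`` key exists, that key is read. A key
        that already holds 5 or more values is left alone; otherwise
        ``Max Display`` is set to 25 if absent and between 9 and 29
        ``Item N`` values with random file paths are written. A missing
        ``File MRU`` key is treated as "application not installed" and is
        not created. Every registry handle is closed on both success and
        failure paths. Returns silently when Office is not installed or
        the version enumeration fails.
        """
        baseOfficeKeyPath = r"Software\Microsoft\Office"
        basePaths = [
            "C:\\",
            "C:\\Windows\\Logs\\",
            "C:\\Windows\\Temp\\",
            "C:\\Program Files\\",
        ]
        extensions = {
            "Word": ["doc", "docx", "docm", "rtf"],
            "Excel": ["xls", "xlsx", "csv"],
            "PowerPoint": ["ppt", "pptx"],
        }

        try:
            officeKey = OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0,
                                KEY_READ)
        except WindowsError:
            # Office isn't installed at all
            return

        installedVersions = []
        try:
            for currentKey in range(QueryInfoKey(officeKey)[0]):
                officeVersion = EnumKey(officeKey, currentKey)
                # Only dotted, all-numeric names are version keys; the other
                # subkeys (e.g. "Common") are skipped.
                parts = officeVersion.split(".")
                if len(parts) > 1 and all(p.isdigit() for p in parts):
                    installedVersions.append(officeVersion)
        except WindowsError:
            # Enumeration failed midway; give up as if Office were absent.
            return
        finally:
            CloseKey(officeKey)

        for oVersion in installedVersions:
            for software, exts in extensions.items():
                mruKeyPath = r"{0}\{1}\{2}\File MRU".format(
                    baseOfficeKeyPath, oVersion, software)
                try:
                    mruKey = OpenKey(HKEY_CURRENT_USER, mruKeyPath, 0,
                                     KEY_READ)
                    try:
                        # QueryInfoKey()[1] is the number of values in the key.
                        valueCount = QueryInfoKey(mruKey)[1]
                        values = [EnumValue(mruKey, idx) for idx in range(valueCount)]
                    finally:
                        CloseKey(mruKey)
                except WindowsError:
                    # An Office version was found in the registry but the
                    # software (Word/Excel/PowerPoint) was not installed.
                    continue

                if len(values) >= 5:
                    # The MRU already looks populated; leave it untouched.
                    continue
                # EnumValue returns (name, data, type); look for an existing Max Display.
                displayValue = any(value[0] == "Max Display" for value in values)

                mruKey = OpenKey(HKEY_CURRENT_USER, mruKeyPath, 0,
                                 KEY_SET_VALUE)
                try:
                    if not displayValue:
                        SetValueEx(mruKey, "Max Display", 0, REG_DWORD, 25)

                    for i in range(1, randint(10, 30)):
                        rString = random_string(minimum=11,
                                                charset="0123456789ABCDEF")
                        # Odd and even items alternate between the two id prefixes.
                        baseId = ("T01D1C" if i % 2 else "T01D1D") + rString
                        setVal = "[F00000000][{0}][O00000000]*{1}{2}.{3}".format(
                            baseId,
                            basePaths[randint(0, len(basePaths) - 1)],
                            random_string(
                                minimum=3,
                                maximum=15,
                                charset="abcdefghijkLMNOPQURSTUVwxyz_0369"),
                            exts[randint(0, len(exts) - 1)])
                        SetValueEx(mruKey, "Item {0}".format(i), 0, REG_SZ, setVal)
                finally:
                    # Do not leak the handle if one of the writes fails.
                    CloseKey(mruKey)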