def getComponents(source_reg, target_reg, as_subkeys=True):
    """Looks for IE components, returning them on a list of dictionaries.

    source_reg and target_reg are dicts with "key" and "subkey" entries; the
    target subkey is a %-format template that receives each discovered name.
    With as_subkeys the names come from the subkeys of the source key,
    otherwise from its values.  Every result dict carries the normalized
    "subkey", "objname" and "exepath", using "no name" / "file missing" when
    the corresponding default registry value is absent.  Returns an empty
    list when nothing is discovered.
    """
    discover = regOps.discoverSubkeys if as_subkeys else regOps.discoverValues
    found = discover(source_reg["key"], source_reg["subkey"])
    components = []
    for name in found or []:
        # Default value ("") of the source subkey names the object.
        objname = regOps.getRegistryValue(
            source_reg["key"], source_reg["subkey"] + "\\" + name, ""
        ) or "no name"
        # Default value of the matching target key points at the executable.
        exepath = regOps.getRegistryValue(
            target_reg["key"], target_reg["subkey"] % name, ""
        ) or "file missing"
        components.append({
            "subkey": smartStr.normalize(name),
            "objname": smartStr.normalize(objname),
            "exepath": smartStr.normalize(exepath),
        })
    return components
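def parseSC(query_type, raw_info, whitelist):
    """It parses the result of the SC command, using the information in the raw
    output to get the display name, service name, company name and path of a
    driver or service.

    The service name is taken from each line starting with "SERVICE"; the
    following "STATE" line triggers the output of one summary string.  Display
    name and image path are read from the service's registry key and the
    company name comes from getCompanyName(); when the registry lookup fails
    all three are reported as "unknown".  Services listed in whitelist are
    skipped.  Returns a list of strings formatted as
    "query_type - display_name (service_name) - company_name - image_path".
    """
    # Raw string: the backslash sequences in the path are not escapes.
    services_key = r"SYSTEM\CurrentControlSet\Services\%s"
    parsed_sc = []
    # A STATE line is only meaningful after a SERVICE line has named the
    # service; start unset so a malformed listing is skipped instead of
    # raising on an unbound name.
    service_name = None
    display_name = image_path = company_name = None
    for line in raw_info.split("\n"):
        if line.startswith("SERVICE"):
            service_name = " ".join(line.strip().split(" ")[1:])
            if service_name in whitelist:
                continue
            service_key = services_key % service_name
            display_name = regOps.getRegistryValue("HKEY_LOCAL_MACHINE", service_key, "DisplayName")
            image_path = regOps.getRegistryValue("HKEY_LOCAL_MACHINE", service_key, "ImagePath")
            if display_name and image_path:
                company_name = getCompanyName(image_path)
            else:
                # Registry lookup failed: keep the entry with placeholders
                # rather than dropping it silently.
                display_name, image_path, company_name = ("unknown", "unknown", "unknown")
        elif line.strip().startswith("STATE"):
            if service_name is None or service_name in whitelist:
                continue
            parsed_sc.append("%s - %s (%s) - %s - %s" % (
                smartStr.normalize(query_type),
                smartStr.normalize(display_name),
                smartStr.normalize(service_name),
                smartStr.normalize(company_name),
                smartStr.normalize(image_path)))
    return parsed_sc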
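def getStartups():
    """Returns two lists, with global startups and user startups. The lists may
    be empty if something goes wrong.

    The Startup folder locations are read from the per-user and machine-wide
    "Shell Folders" registry keys and each folder is listed with "dir /a/b".
    Blank lines and entries ending in ".ini" are dropped and every remaining
    entry is passed through smartStr.normalize.
    Returns (global_startups, user_startups).
    """
    # Raw strings: the backslash sequences in these paths are not escapes.
    # The trailing backslash is appended separately (a raw literal cannot end
    # with a single backslash).
    user_shell_folders = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" + "\\"
    global_shell_folders = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" + "\\"

    def _list_folder(path):
        # "dir /a/b" lists all entries (including hidden) as bare names.
        # The path comes straight from the registry and is passed as its own
        # argv element; that only stays injection-safe if
        # commandHandler.getOutput does not route it through a shell --
        # TODO(review): confirm.
        output = commandHandler.getOutput(["dir", "/a/b", smartStr.normalize(path)])
        return [
            smartStr.normalize(entry)
            for entry in output.split("\n")
            if entry != "" and not entry.strip().lower().endswith(".ini")
        ]

    user_startup_path = regOps.getRegistryValue(
        "HKEY_CURRENT_USER", user_shell_folders, "Startup")
    global_startup_path = regOps.getRegistryValue(
        "HKEY_LOCAL_MACHINE", global_shell_folders, "common startup")
    user_startups = _list_folder(user_startup_path)
    global_startups = _list_folder(global_startup_path)
    return global_startups, user_startups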
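def browser_version(browser_dict):
    """Given a browser's registry location, tries to find out its version.

    browser_dict carries "name", "key" and "subkey".  The "Version" value is
    read first and "CurrentVersion" is used as a fallback.  Returns a
    (name, version) tuple -- not a bare None: the version slot is whatever the
    registry returned (None or empty when neither value is set) or None when
    the key cannot be opened, which means the browser is not installed.
    """
    try:
        version = regOps.getRegistryValue(
            browser_dict["key"], browser_dict["subkey"], "Version"
        ) or regOps.getRegistryValue(
            browser_dict["key"], browser_dict["subkey"], "CurrentVersion"
        )
    except OSError:
        # WindowsError is a subclass of OSError on Python 2 and an alias of
        # it on Python 3, so OSError covers the original case and keeps the
        # name resolvable on non-Windows interpreters.
        version = None
    return browser_dict["name"], version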
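def browser_version(browser_dict):
    """Given a browser's registry location, tries to find out its version.

    browser_dict carries "name", "key" and "subkey".  The "Version" value is
    read first and "CurrentVersion" is used as a fallback.  Returns a
    (name, version) tuple -- not a bare None: the version slot is whatever the
    registry returned (None or empty when neither value is set) or None when
    the key cannot be opened, which means the browser is not installed.
    """
    key, subkey = browser_dict["key"], browser_dict["subkey"]
    try:
        version = regOps.getRegistryValue(key, subkey, "Version")
        if not version:
            version = regOps.getRegistryValue(key, subkey, "CurrentVersion")
    except OSError:
        # WindowsError is a subclass of OSError on Python 2 and an alias of
        # it on Python 3, so OSError covers the original case and keeps the
        # name resolvable on non-Windows interpreters.
        version = None
    return browser_dict["name"], version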
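def getSvchostAnomalies(whitelist):
    """Based on a whitelist, tries to detect weird entries on SVCHost.
    If something is detected, it searches for the injected DLL.

    Reads the "netsvcs" group list from the SvcHost key and, for every
    service name not in whitelist, the ServiceDll value under that service's
    Parameters key.  Returns a list of (service_name, dll) tuples; when the
    DLL cannot be read the second item is an explanatory placeholder.  An
    empty list is returned when the netsvcs value is missing.
    """
    # Raw strings: the backslash sequences in these paths are not escapes.
    svchost_key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
    services_key = r"SYSTEM\CurrentControlSet\Services"
    anomalies = []
    values = regOps.getRegistryValue("HKEY_LOCAL_MACHINE", svchost_key, "netsvcs")
    # NOTE(review): a missing netsvcs list is itself unusual; it is reported
    # here as "no anomalies" instead of raising -- confirm that is what the
    # caller wants.
    for value in values or []:
        if value in whitelist:
            continue
        params_key = services_key + "\\" + value + "\\Parameters"
        DLL = regOps.getRegistryValue("HKEY_LOCAL_MACHINE", params_key, "ServiceDll")
        if not DLL:
            DLL = "Unknown. You may need to restart the system."
        anomalies.append((value, DLL))
    return anomalies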
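def getMountpoints():
    """Search for mountpoints. Returns None if none is found.

    Enumerates the subkeys of the current user's Explorer MountPoints2 key
    and, for each one, reads the default value of its "shell" command key,
    trying the AutoRun, explore and open verbs in that order (first non-empty
    value wins).  Returns a list of [mountpoint, command] pairs (both
    normalized), or None when no mountpoint carries a command.
    """
    main_key = "HKEY_CURRENT_USER"
    # Raw strings: the backslash sequences in these paths are not escapes.
    mountpoints_key = r"Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    command_key = mountpoints_key + r"\%s\shell\%s\command"
    suspects = []
    mountpoints = regOps.discoverSubkeys(main_key, mountpoints_key)
    for mountpoint in mountpoints or []:
        value = None
        # Same precedence as the original or-chain: AutoRun, explore, open;
        # when none is set the value of the last lookup is kept.
        for verb in ("AutoRun", "explore", "open"):
            value = regOps.getRegistryValue(main_key, command_key % (mountpoint, verb), "")
            if value:
                break
        if value:
            suspects.append([smartStr.normalize(mountpoint), smartStr.normalize(value)])
    return suspects or None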
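def getDNS():
    """Returns the Network Adapter, primary and secondary DNS servers. Returns
    None if no network adapter is found.

    The adapter ID is the first subkey under the network adapter class key
    ({4D36E972-...}) whose name starts with "{"; its Tcpip interface key
    supplies the DhcpNameServer value.  Returns the tuple
    (primary_dns, secondary_dns, adapterID), or (None, None, None) when no
    adapter subkey exists.  DhcpNameServer is treated as a space-separated
    list: the first entry is the primary and the remaining entries form the
    secondary ("" when there is only one).  primary_dns is passed through
    unchanged (None or "") when the value is missing.
    """
    key = "HKEY_LOCAL_MACHINE"
    # Raw strings: "\N" in a normal literal is a hard syntax error on
    # Python 3 and the other backslash sequences are not escapes either.
    path_to_adapter = r"SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}"
    interfaces = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%s"

    adapterID = None
    for subkey in regOps.discoverSubkeys(key, path_to_adapter) or []:
        if subkey.startswith("{"):
            adapterID = subkey
            break
    if adapterID is None:
        return None, None, None

    DNS = regOps.getRegistryValue(key, interfaces % adapterID, "DhcpNameServer")
    if not DNS:
        return DNS, "", adapterID
    servers = DNS.split(" ")
    primary_dns = servers[0]
    # Previously only an exact pair was split and three or more entries were
    # returned whole as the primary; extra entries now go to the secondary.
    secondary_dns = " ".join(servers[1:])
    return primary_dns, secondary_dns, adapterID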
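def getSvchostAnomalies(whitelist):
    """Based on a whitelist, tries to detect weird entries on SVCHost.
    If something is detected, it searches for the injected DLL.

    Reads the "netsvcs" group list from the SvcHost key and, for every
    service name not in whitelist, the ServiceDll value under that service's
    Parameters key.  Returns a list of (service_name, dll) tuples; when the
    DLL cannot be read the second item is an explanatory placeholder.  An
    empty list is returned when the netsvcs value is missing.
    """
    # Raw strings: the backslash sequences in these paths are not escapes.
    svchost_key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
    params_key = r"SYSTEM\CurrentControlSet\Services" + "\\%s\\Parameters"
    values = regOps.getRegistryValue("HKEY_LOCAL_MACHINE", svchost_key, "netsvcs")
    # NOTE(review): a missing netsvcs list is itself unusual; it is reported
    # here as "no anomalies" instead of raising -- confirm that is what the
    # caller wants.
    if not values:
        return []

    def _service_dll(service):
        dll = regOps.getRegistryValue("HKEY_LOCAL_MACHINE", params_key % service, "ServiceDll")
        return dll or "Unknown. You may need to restart the system."

    return [(value, _service_dll(value)) for value in values if value not in whitelist]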
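def getLSP():
    """Returns a list with the LSP's.

    Reads Num_Catalog_Entries from the WinSock2 Protocol_Catalog9 key and,
    for every subkey of Catalog_Entries, its PackedCatalogItem value cut just
    after the first ".dll".  Returns
    (num_entries, [("Catalog_Entry <n>", dll_path), ...]); the list is empty
    when there are no subkeys.
    """
    # Raw strings: the backslash sequences in these paths are not escapes.
    catalog = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9"
    entries = catalog + r"\Catalog_Entries"
    num_entries = regOps.getRegistryValue("HKEY_LOCAL_MACHINE", catalog, "Num_Catalog_Entries")
    folders = regOps.discoverSubkeys("HKEY_LOCAL_MACHINE", entries)
    lsp_list = []
    for folder in folders or []:
        # Subkey names are expected to be numeric; int() normalizes them
        # (e.g. drops leading zeros) for the label.
        folder_num = int(folder)
        folder_path = regOps.getRegistryValue(
            "HKEY_LOCAL_MACHINE", entries + "\\" + folder, "PackedCatalogItem")
        # Keep everything up to and including the first ".dll".
        # TODO(review): a value without ".dll" gets ".dll" appended anyway,
        # and a missing value raises here -- confirm that is acceptable.
        folder_path = folder_path.split(".dll")[0] + ".dll"
        lsp_list.append(("Catalog_Entry %s" % folder_num, folder_path))
    return num_entries, lsp_list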
def getComponents(source_reg, target_reg, as_subkeys=True):
    """Looks for IE components, returning them on a list of dictionaries.

    source_reg and target_reg are dicts with "key" and "subkey" entries; the
    target subkey is a %-format template that receives each discovered name.
    With as_subkeys the names come from the subkeys of the source key,
    otherwise from its values.  Every result dict carries the normalized
    "subkey", "objname" and "exepath", using "no name" / "file missing" when
    the corresponding default registry value is absent.  Returns an empty
    list when nothing is discovered.
    """
    src_key, src_subkey = source_reg["key"], source_reg["subkey"]
    if as_subkeys:
        entries = regOps.discoverSubkeys(src_key, src_subkey)
    else:
        entries = regOps.discoverValues(src_key, src_subkey)
    if not entries:
        return []

    tgt_key, tgt_subkey = target_reg["key"], target_reg["subkey"]

    def describe(entry):
        # Default values of the source subkey and of the matching target key,
        # with readable fallbacks when either is absent.
        objname = regOps.getRegistryValue(src_key, src_subkey + "\\" + entry, "") or "no name"
        exepath = regOps.getRegistryValue(tgt_key, tgt_subkey % entry, "") or "file missing"
        return {
            "subkey": smartStr.normalize(entry),
            "objname": smartStr.normalize(objname),
            "exepath": smartStr.normalize(exepath),
        }

    return [describe(entry) for entry in entries]
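def getImageFilesOptions():
    """Returns a list with suspect IFEO's, or None if nothing is found.

    Enumerates the Image File Execution Options subkeys and reports every one
    that carries a "Debugger" value, except the placeholder entry
    "Your Image File Name Here without a path".  Returns a list of
    [image_name, debugger] pairs, or None when that list is empty.
    """
    key = "HKEY_LOCAL_MACHINE"
    # Raw string: the backslash sequences in the path are not escapes.
    IFEO = r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    placeholder = "Your Image File Name Here without a path"
    suspects = []
    for subkey in regOps.discoverSubkeys(key, IFEO) or []:
        debugger = regOps.getRegistryValue(key, IFEO + "\\" + subkey, "Debugger")
        if debugger and subkey.strip() != placeholder:
            suspects.append([subkey, debugger])
    return suspects or None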
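def getLSP():
    """Returns a list with the LSP's.

    Reads Num_Catalog_Entries from the WinSock2 Protocol_Catalog9 key and,
    for every subkey of Catalog_Entries, its PackedCatalogItem value cut just
    after the first ".dll".  Returns
    (num_entries, [("Catalog_Entry <n>", dll_path), ...]); the list is empty
    when there are no subkeys.
    """
    # Raw strings: the backslash sequences in these paths are not escapes.
    catalog = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9"
    entries = catalog + r"\Catalog_Entries"
    num_entries = regOps.getRegistryValue("HKEY_LOCAL_MACHINE", catalog, "Num_Catalog_Entries")

    def _entry(folder):
        # Subkey names are expected to be numeric; int() normalizes them
        # (e.g. drops leading zeros) for the label.
        packed = regOps.getRegistryValue(
            "HKEY_LOCAL_MACHINE", entries + "\\" + folder, "PackedCatalogItem")
        # Keep everything up to and including the first ".dll".
        # TODO(review): a value without ".dll" gets ".dll" appended anyway,
        # and a missing value raises here -- confirm that is acceptable.
        dll_path = packed.split(".dll")[0] + ".dll"
        return "Catalog_Entry %s" % int(folder), dll_path

    folders = regOps.discoverSubkeys("HKEY_LOCAL_MACHINE", entries) or []
    return num_entries, [_entry(folder) for folder in folders]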
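def getImageFilesOptions():
    """Returns a list with suspect IFEO's, or None if nothing is found.

    Enumerates the Image File Execution Options subkeys and reports every one
    that carries a "Debugger" value, except the placeholder entry
    "Your Image File Name Here without a path".  Returns a list of
    [image_name, debugger] pairs, or None when that list is empty.
    """
    key = "HKEY_LOCAL_MACHINE"
    # Raw string: the backslash sequences in the path are not escapes.
    IFEO = r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    placeholder = "Your Image File Name Here without a path"

    def _debugger(subkey):
        return regOps.getRegistryValue(key, IFEO + "\\" + subkey, "Debugger")

    suspects = []
    for subkey in regOps.discoverSubkeys(key, IFEO) or []:
        debugger = _debugger(subkey)
        if not debugger or subkey.strip() == placeholder:
            continue
        suspects.append([subkey, debugger])
    return suspects or None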
def checkAssociations(associations):
    """Check which file associations differ from the expected values and
    return them as a list.

    associations maps a full registry path (hive, then subkey, separated by
    backslashes) to the expected default value.  For every entry whose
    current default value differs, a (class_name, actual_value) tuple is
    appended, where class_name is the path component that follows the
    "Classes" component.
    """
    anomalies = []
    for full_key, expected_value in associations.items():
        hive, _, subkey = full_key.partition("\\")
        value = regOps.getRegistryValue(hive, subkey, "")
        if value == expected_value:
            continue
        class_name = subkey.split("Classes\\")[-1].split("\\")[0]
        anomalies.append((class_name, value))
    return anomalies
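def getStartups():
    """Returns two lists, with global startups and user startups. The lists may
    be empty if something goes wrong.

    The Startup folder locations are read from the per-user and machine-wide
    "Shell Folders" registry keys and each folder is listed with "dir /a/b".
    Blank lines and entries ending in ".ini" are dropped and every remaining
    entry is passed through smartStr.normalize.
    Returns (global_startups, user_startups).
    """
    # Raw strings: the backslash sequences in these paths are not escapes.
    # The trailing backslash is appended separately (a raw literal cannot end
    # with a single backslash).
    user_shell_folders = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" + "\\"
    global_shell_folders = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" + "\\"

    def _keep(entry):
        return entry != "" and not entry.strip().lower().endswith(".ini")

    def _list_folder(path):
        # "dir /a/b" lists all entries (including hidden) as bare names.
        # The path comes straight from the registry and is passed as its own
        # argv element; that only stays injection-safe if
        # commandHandler.getOutput does not route it through a shell --
        # TODO(review): confirm.
        output = commandHandler.getOutput(["dir", "/a/b", smartStr.normalize(path)])
        return [smartStr.normalize(entry) for entry in output.split("\n") if _keep(entry)]

    user_startup_path = regOps.getRegistryValue(
        "HKEY_CURRENT_USER", user_shell_folders, "Startup")
    global_startup_path = regOps.getRegistryValue(
        "HKEY_LOCAL_MACHINE", global_shell_folders, "common startup")
    user_startups = _list_folder(user_startup_path)
    global_startups = _list_folder(global_startup_path)
    return global_startups, user_startups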
def checkAssociations(associations):
    """Check which file associations differ from the expected values and
    return them as a list.

    associations maps a full registry path (hive, then subkey, separated by
    backslashes) to the expected default value.  For every entry whose
    current default value differs, a (class_name, actual_value) tuple is
    appended, where class_name is the path component that follows the
    "Classes" component.
    """
    def _split_path(full_key):
        parts = full_key.split("\\")
        return parts[0], "\\".join(parts[1:])

    def _class_name(subkey):
        return subkey.split("Classes\\")[-1].split("\\")[0]

    anomalies = []
    for full_key in associations:
        hive, subkey = _split_path(full_key)
        value = regOps.getRegistryValue(hive, subkey, "")
        if value != associations[full_key]:
            anomalies.append((_class_name(subkey), value))
    return anomalies
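def getWinlogonEntries(whitelist):
    """Searches for winlogon entries which are not part of the whitelist and
    returns a list.

    getOutcastKeys() selects the Winlogon Notify subkeys that are not in
    whitelist; for each of them the DLLName value is read.  Returns a list
    of (subkey, dll_path) tuples; subkeys without a readable DLLName are
    left out.
    """
    key = "HKEY_LOCAL_MACHINE"
    # Raw string: "\N" in a normal literal is a hard syntax error on
    # Python 3 and the other backslash sequences are not escapes either.
    subkey = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
    outcasts = getOutcastKeys(key, subkey, whitelist)
    suspect_entries = []
    for outcast in outcasts or []:
        # The value name used to be "  DLLName" (two leading spaces), which
        # does not match the DLLName value of a Notify package and so made
        # every lookup come back empty.
        entry_path = regOps.getRegistryValue(key, subkey + "\\" + outcast, "DLLName")
        if outcast and entry_path:
            suspect_entries.append((outcast, entry_path))
    return suspect_entries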
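def getWinlogonEntries(whitelist):
    """Searches for winlogon entries which are not part of the whitelist and
    returns a list.

    getOutcastKeys() selects the Winlogon Notify subkeys that are not in
    whitelist; for each of them the DLLName value is read.  Returns a list
    of (subkey, dll_path) tuples; subkeys without a readable DLLName are
    left out.
    """
    key = "HKEY_LOCAL_MACHINE"
    # Raw string: "\N" in a normal literal is a hard syntax error on
    # Python 3 and the other backslash sequences are not escapes either.
    subkey = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

    def _dll_name(outcast):
        # The value name used to be "  DLLName" (two leading spaces), which
        # does not match the DLLName value of a Notify package and so made
        # every lookup come back empty.
        return regOps.getRegistryValue(key, subkey + "\\" + outcast, "DLLName")

    suspect_entries = []
    for outcast in getOutcastKeys(key, subkey, whitelist) or []:
        entry_path = _dll_name(outcast)
        if outcast and entry_path:
            suspect_entries.append((outcast, entry_path))
    return suspect_entries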
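def getDNS():
    """Returns the Network Adapter, primary and secondary DNS servers. Returns
    None if no network adapter is found.

    The adapter ID is the first subkey under the network adapter class key
    ({4D36E972-...}) whose name starts with "{"; its Tcpip interface key
    supplies the DhcpNameServer value.  Returns the tuple
    (primary_dns, secondary_dns, adapterID), or (None, None, None) when no
    adapter subkey exists.  DhcpNameServer is treated as a space-separated
    list: the first entry is the primary and the remaining entries form the
    secondary ("" when there is only one).  primary_dns is passed through
    unchanged (None or "") when the value is missing.
    """
    key = "HKEY_LOCAL_MACHINE"
    # Raw strings: "\N" in a normal literal is a hard syntax error on
    # Python 3 and the other backslash sequences are not escapes either.
    path_to_adapter = r"SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}"
    interfaces = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%s"

    candidates = [
        subkey for subkey in (regOps.discoverSubkeys(key, path_to_adapter) or [])
        if subkey.startswith("{")
    ]
    if not candidates:
        return None, None, None
    adapterID = candidates[0]

    DNS = regOps.getRegistryValue(key, interfaces % adapterID, "DhcpNameServer")
    if not DNS:
        return DNS, "", adapterID
    # Previously only an exact pair was split and three or more entries were
    # returned whole as the primary; extra entries now go to the secondary.
    primary_dns, _, secondary_dns = DNS.partition(" ")
    return primary_dns, secondary_dns, adapterID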