def parse_default_hive(default_hive: RegistryHive) -> dict:
"""
Parse default hive and return needed information.
Parameters
----------
default_hive : RegistryHive
The default hive to parse
Returns
-------
dict
Dictionary with the information for systeminfo
"""
default_hive_dict = {
"system_locale":
";".join([
default_hive.get_key(".DEFAULT\\Control Panel\\International"
).get_value("LocaleName"),
default_hive.get_key(".DEFAULT\\Control Panel\\International").
get_value("sCountry"),
])
}
# Return results
return default_hive_dict
def test_get_key(software_hive):
"""
# Refers to https://github.com/mkorman90/regipy/issues/144
"""
registry_hive = RegistryHive(software_hive)
# We verify the registry headers are similar, because this is the same subkey.
assert registry_hive.get_key(
'ODBC').header == registry_hive.root.get_subkey('ODBC').header
assert registry_hive.root.get_subkey(
'ODBC').header == registry_hive.get_key('SOFTWARE\\ODBC').header
def test_ntuser_emojis(transaction_ntuser):
# There are some cases where the Registry stores utf-16 emojis as subkey names :)
registry_hive = RegistryHive(transaction_ntuser)
international = registry_hive.get_key(r'\Control Panel\International')
subkeys = [x.name for x in international.iter_subkeys()]
assert subkeys == [
'Geo', 'User Profile', 'User Profile System Backup', '🌎🌏🌍'
]
def test_find_keys_partial_ntuser_hive(ntuser_software_partial):
registry_hive = RegistryHive(ntuser_software_partial, hive_type=NTUSER_HIVE_TYPE, partial_hive_path=r'\Software')
run_key = registry_hive.get_key(r'\Software\Microsoft\Windows\CurrentVersion\Run')
assert run_key.name == 'Run'
assert run_key.header.last_modified == 132024690510209250
values = [x for x in run_key.iter_values(as_json=True)]
assert values[0].name == 'OneDrive'
assert values[0].value_type == 'REG_SZ'
def _get_last_logon(self, reg: RegistryHive):
try:
key = reg.get_key(
r'\Microsoft\Windows\CurrentVersion\Authentication\LogonUI')
return {
"LastLoggedOnUser": key.get_value("LastLoggedOnUser"),
"LastLoggedOnSAMUser": key.get_value("LastLoggedOnSAMUser")
}
except:
pass
def _get_so_version(self, reg: RegistryHive):
try:
subkey = reg.get_key(r'\Microsoft\Windows NT\CurrentVersion')
return {
'ProductName': subkey.get_value('ProductName'),
'ReleaseId': subkey.get_value('ReleaseId')
}
except:
return None
def test_find_keys_ntuser(ntuser_hive):
registry_hive = RegistryHive(ntuser_hive)
run_key = registry_hive.get_key(r'\Software\Microsoft\Windows\CurrentVersion\Run')
assert run_key.name == 'Run'
assert run_key.header.last_modified == 129779615948377168
values = [x for x in run_key.iter_values(as_json=True)]
assert values[0].name == 'Sidebar'
assert values[0].value_type == 'REG_EXPAND_SZ'
def _get_wifis(self, reg: RegistryHive):
try:
"ESto solo vale para XP"
"TODO pendiente de que tenga un ejemplo con datos"
subkey = reg.get_key(r'\Microsoft\WZCSVC\Parameters\Interfaces')
list = []
for a in subkey.iter_subkeys():
list.append(a.name)
return list
except:
return None
def _userassist(self, reg: RegistryHive):
try:
"TODO pendiente de que tenga un ejemplo con datos"
subkey = reg.get_key(
r'\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
)
list = []
for a in subkey.iter_subkeys():
list.append(a.name)
return list
except:
return None
def hive_to_json(hive_path, output_path, registry_path, timeline, hive_type,
partial_hive_path, verbose):
_setup_logging(verbose=verbose)
registry_hive = RegistryHive(hive_path,
hive_type=hive_type,
partial_hive_path=partial_hive_path)
if registry_path:
try:
name_key_entry = registry_hive.get_key(registry_path)
except RegistryKeyNotFoundException as ex:
logger.debug('Did not find the key: {}'.format(ex))
return
else:
name_key_entry = registry_hive.root
if timeline and not output_path:
click.secho(
'You must provide an output path if choosing timeline output!',
fg='red')
return
if output_path:
if timeline:
with open(output_path, 'w') as csvfile:
csvwriter = csv.DictWriter(
csvfile,
delimiter=',',
quotechar='"',
quoting=csv.QUOTE_MINIMAL,
fieldnames=['timestamp', 'subkey_name', 'values_count'])
csvwriter.writeheader()
with progressbar(
registry_hive.recurse_subkeys(
name_key_entry, as_json=True)) as reg_subkeys:
for entry in reg_subkeys:
entry_dict = entry.__dict__
path = entry.path
csvwriter.writerow({
'subkey_name':
r'{}\{}'.format(entry.path, path),
'timestamp':
entry_dict['timestamp'],
'values_count':
entry_dict['values_count']
})
else:
dump_hive_to_json(registry_hive, output_path, name_key_entry,
verbose)
else:
for entry in registry_hive.recurse_subkeys(name_key_entry,
as_json=True):
click.secho(json.dumps(attr.asdict(entry), indent=4))
def hive_to_json(hive_path, output_path, registry_path, timeline, hive_type,
partial_hive_path, verbose):
with logbook.NestedSetup(
_get_log_handlers(verbose=verbose)).applicationbound():
registry_hive = RegistryHive(hive_path,
hive_type=hive_type,
partial_hive_path=partial_hive_path)
if registry_path:
try:
name_key_entry = registry_hive.get_key(registry_path)
except RegistryKeyNotFoundException as ex:
logger.debug('Did not find the key: {}'.format(ex))
return
else:
name_key_entry = registry_hive.root
if timeline and not output_path:
click.secho(
'You must provide an output path if choosing timeline output!',
fg='red')
return
if output_path:
if timeline:
with open(output_path, 'w') as csvfile:
csvwriter = csv.DictWriter(csvfile,
delimiter=',',
quotechar='"',
quoting=csv.QUOTE_MINIMAL,
fieldnames=[
'timestamp', 'subkey_name',
'values_count'
])
csvwriter.writeheader()
for entry in tqdm(
registry_hive.recurse_subkeys(name_key_entry,
as_json=True)):
subkey_name = entry.pop('subkey_name')
path = entry.pop('path')
entry['subkey_name'] = r'{}\{}'.format(
path, subkey_name)
entry.pop('values')
csvwriter.writerow(entry)
else:
dump_hive_to_json(registry_hive, output_path, name_key_entry,
verbose)
else:
for entry in registry_hive.recurse_subkeys(name_key_entry,
as_json=True):
click.secho(json.dumps(attr.asdict(entry), indent=4))
def parse_timezone_information(system_hive: RegistryHive,
software_hive: RegistryHive) -> dict:
"""
Parse system and software hives and return needed information.
Parameters
----------
system_hive : RegistryHive
The system hive to parse
software_hive : RegistryHive
The software hive to parse
Returns
-------
dict
Dictionary with the information for systeminfo
"""
# Determine current control set
current_control_set = determine_current_control_set(system_hive)
# Timezone information
timezone_key_name = (system_hive.get_key(
f"{current_control_set}\\Control\\TimeZoneInformation").get_value(
"TimeZoneKeyName").replace(str(b"\x00"), ""))
timezone_key_name = timezone_key_name[:timezone_key_name.find("Time") +
len("Time")]
timezone_information = {
"timezone_desc":
software_hive.get_key(
f"Software\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\{timezone_key_name}"
).get_value("Display")
}
timezone_information["timezone_offset"] = (
timezone_information["timezone_desc"].replace(
"-", "+").split("+")[1].split(")")[0])
# Return results
return timezone_information
def _get_computer_name(self, reg: RegistryHive):
names = []
for subkey_path in reg.get_control_sets(
r'Control\ComputerName\ComputerName'):
subkey = reg.get_key(subkey_path)
try:
names.append({
'name':
subkey.get_value('ComputerName'),
'timestamp':
Time.change_output_date_format_from_epoch(
subkey.header.last_modified)
})
except RegistryValueNotFoundException as ex:
continue
return names
def _get_usbstorage(self, reg: RegistryHive):
usbs = []
try:
for subkey_path in reg.get_control_sets(r'Enum\USBSTOR'):
subkey = reg.get_key(subkey_path)
for usb in subkey.iter_subkeys():
usbs.append({
'device':
usb.name,
'timestamp':
Time.change_output_date_format_from_epoch(
usb.header.last_modified)
})
except:
return None
return usbs
def _get_get_runmru(self, reg: RegistryHive):
"TODO pendiente de que tenga un ejemplo con datos"
try:
subkey = reg.get_key(
r'\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU')
order = subkey.get_value('MRUList')
list = []
if order:
for char in order:
try:
value = subkey.get_value(char)
if value:
list.append(value)
except:
pass
return list
except:
return None
def _get_profilelist(self, reg: RegistryHive):
profiles = []
subkey = reg.get_key(
r'\Microsoft\Windows NT\CurrentVersion\ProfileList')
for profile in subkey.iter_subkeys():
try:
profiles.append({
'Sid':
profile.name,
'Guid':
profile.get_value(r'Guid')
if profile.get_value(r'Guid') is not None else "",
'ProfileImagePath':
profile.get_value(r'ProfileImagePath')
})
except RegistryValueNotFoundException as ex:
continue
return profiles
def determine_current_control_set(system_hive: RegistryHive) -> str:
"""
Determine the current control set.
Parameters
----------
system_hive : RegistryHive
The system hive to parse
Returns
-------
str
The path to the current control set
"""
current_control_set = system_hive.get_key("\\Select").get_value("Current")
for control_set in system_hive.CONTROL_SETS:
if int(control_set[-3:]) == current_control_set:
current_control_set = control_set
break
else:
raise ValueError("Error determining current control set.")
return current_control_set
def test_parse_security_info(ntuser_hive):
registry_hive = RegistryHive(ntuser_hive)
run_key = registry_hive.get_key(
r'\Software\Microsoft\Windows\CurrentVersion\Run')
security_key_info = run_key.get_security_key_info()
assert security_key_info['owner'] == 'S-1-5-18'
assert security_key_info['group'] == 'S-1-5-18'
assert len(security_key_info['dacl']) == 4
assert security_key_info['dacl'][0] == {
'access_mask': {
'ACCESS_SYSTEM_SECURITY': False,
'DELETE': True,
'GENERIC_ALL': False,
'GENERIC_EXECUTE': False,
'GENERIC_READ': False,
'GENERIC_WRITE': False,
'MAXIMUM_ALLOWED': False,
'READ_CONTROL': True,
'SYNCHRONIZE': False,
'WRITE_DAC': True,
'WRITE_OWNER': True
},
'ace_type': 'ACCESS_ALLOWED',
'flags': {
'CONTAINER_INHERIT_ACE': True,
'INHERIT_ONLY_ACE': False,
'NO_PROPAGATE_INHERIT_ACE': False,
'OBJECT_INHERIT_ACE': True
},
'sid': 'S-1-5-21-2036804247-3058324640-2116585241-1673'
}
dacl_sids = [x["sid"] for x in security_key_info['dacl']]
assert dacl_sids == [
'S-1-5-21-2036804247-3058324640-2116585241-1673', 'S-1-5-18',
'S-1-5-32-544', 'S-1-5-12'
]
from regipy.registry import RegistryHive
import sys
counter = 1
reg = RegistryHive(sys.argv[1])
regvalues = reg.get_key('System\MountedDevices').iter_values(as_json=True)
for value in regvalues:
print(value)
"""
def run(self):
self.entries = {}
mountdev_subkeys = self.registry_hive.get_control_sets(TZ_DATA_PATH)
for mountdev_subkey in mountdev_subkeys:
mountdev = self.registry_hive.get_key(mountdev_subkey)
self.entries[mountdev_subkey] = [x for x in mountdev.iter_values(as_json=self.as_json)]
if self.as_json:
for k, v in self.entries.items():
self.entries[k] = [attr.asdict(x) for x in v]
"""
def compare_hives(first_hive_path, second_hive_path, verbose=False):
# The list will contain tuples, in the following format: (Difference type, first value, second value, description)
found_differences = []
# Compare hash, verify they are indeed different
first_hive_sha1 = calculate_sha1(first_hive_path)
second_hive_sha1 = calculate_sha1(second_hive_path)
if first_hive_sha1 == second_hive_sha1:
logger.info('Hives have the same hash!')
return found_differences
# Compare header parameters
first_registry_hive = RegistryHive(first_hive_path)
second_registry_hive = RegistryHive(second_hive_path)
if first_registry_hive.header.hive_bins_data_size != second_registry_hive.header.hive_bins_data_size:
found_differences.append(('different_hive_bin_data_size', first_registry_hive.header.hive_bins_data_size,
second_registry_hive.header.hive_bins_data_size, ''))
# Enumerate subkeys for each hive and start comparing
logger.info('Enumerating subkeys in {}'.format(os.path.basename(first_hive_path)))
first_hive_subkeys = get_subkeys_and_timestamps(first_registry_hive)
logger.info('Enumerating subkeys in {}'.format(os.path.basename(second_hive_path)))
second_hive_subkeys = get_subkeys_and_timestamps(second_registry_hive)
# Get a set of keys present in one hive and not the other and vice versa
first_hive_subkey_names = {x[0] for x in first_hive_subkeys if x[0] is not None}
second_hive_subkey_names = {x[0] for x in second_hive_subkeys if x[0] is not None}
found_differences.extend(('new_subkey', ts, None, subkey_path) for subkey_path, ts in
get_timestamp_for_subkeys(first_registry_hive,
first_hive_subkey_names - second_hive_subkey_names))
found_differences.extend(('new_subkey', None, ts, subkey_path) for subkey_path, ts in
get_timestamp_for_subkeys(second_registry_hive,
second_hive_subkey_names - first_hive_subkey_names))
# Remove duplicate keys from each of the sets
first_hive_diff_subkeys = first_hive_subkeys - second_hive_subkeys
second_hive_diff_subkeys = second_hive_subkeys - first_hive_subkeys
# Find subkeys that exist in both hives, but were modified. Look for new values and subkeys
for path_1, ts_1 in tqdm(first_hive_diff_subkeys) if verbose else first_hive_diff_subkeys:
for path_2, ts_2 in tqdm(second_hive_diff_subkeys, leave=False) if verbose else second_hive_diff_subkeys:
if path_1 and path_1 == path_2 and ts_1 != ts_2:
first_subkey_nk_record = first_registry_hive.get_key(path_1)
second_subkey_nk_record = second_registry_hive.get_key(path_2)
# Compare values between the subkeys
first_subkey_values = set()
second_subkey_values = set()
if first_subkey_nk_record.values_count:
first_subkey_values = _get_name_value_tuples(first_subkey_nk_record)
if second_subkey_nk_record.values_count:
second_subkey_values = _get_name_value_tuples(second_subkey_nk_record)
# If one hive or the other contain values, and they are different, compare values
if (first_subkey_values or second_subkey_values) and (first_subkey_values != second_subkey_values):
first_hive_value_names = set(x[0] for x in first_subkey_values)
second_hive_value_names = set(x[0] for x in second_subkey_values)
values_in_first_but_not_in_second = first_hive_value_names - second_hive_value_names
values_in_second_but_not_in_first = second_hive_value_names - first_hive_value_names
# If there are value names that are present in the first subkey but not the second
# Iterate over all values in the first subkey
# If the value name is one of those that is not on the second subkey, add it to the set
if values_in_first_but_not_in_second:
found_differences.extend(('new_value', f'{n}: {d} @ {ts_1}', None, path_1) for n, d in
get_values_from_tuples(first_subkey_values,
values_in_first_but_not_in_second))
if values_in_second_but_not_in_first:
found_differences.extend(('new_value', None, f'{n}: {d} @ {ts_2}', path_1) for n, d in
get_values_from_tuples(second_subkey_values,
values_in_second_but_not_in_first))
# We do not compare subkeys for each subkey, because we would have detected those.
return found_differences
def parse_software_hive(software_hive: RegistryHive) -> dict:
"""
Parse software hive and return needed information.
Parameters
----------
software_hive : RegistryHive
The software hive to parse
Returns
-------
dict
Dictionary with the information for systeminfo
"""
# Registered owner
software_hive_dict = {
"registered_owner":
software_hive.get_key("Software\\Microsoft\\Windows NT\\CurrentVersion"
).get_value("RegisteredOwner")
}
# OS name
software_hive_dict["os_name"] = " ".join([
"Microsoft",
software_hive.get_key("Software\\Microsoft\\Windows NT\\CurrentVersion"
).get_value("ProductName"),
])
# OS build type
software_hive_dict["os_build_type"] = software_hive.get_key(
"Software\\Microsoft\\Windows NT\\CurrentVersion").get_value(
"CurrentType")
# Product ID
software_hive_dict["product_id"] = software_hive.get_key(
"Software\\Microsoft\\Windows NT\\CurrentVersion").get_value(
"ProductId")
# Install date
software_hive_dict["install_date"] = software_hive.get_key(
"Software\\Microsoft\\Windows NT\\CurrentVersion").get_value(
"InstallDate") # UTC, Needs timezone offset
# Hotfixes
software_hive_dict["hotfix"] = set(
hotfix.get_value("InstallName").split("_for_")[1].split("~")[0]
for hotfix in software_hive.get_key(
"Software\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages"
).iter_subkeys()
if "_for_KB" in hotfix.get_value("InstallName") and hotfix.get_value(
"CurrentState") == 112) # 112 is successfully installed
software_hive_dict["hotfix"].update(
set(
hotfix.get_value("InstallLocation").split("-")[1]
for hotfix in software_hive.get_key(
"Software\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages"
).iter_subkeys()
if "RollupFix" in hotfix.get_value("InstallName") and hotfix.
get_value("CurrentState") == 112)) # 112 is successfully installed
# OS Version
software_hive_dict["os_version"] = " ".join([
software_hive.get_key("Software\\Microsoft\\Windows NT\\CurrentVersion"
).get_value("ProductName"),
"N/A Build",
software_hive.get_key("Software\\Microsoft\\Windows NT\\CurrentVersion"
).get_value("CurrentBuild"),
])
# Registered organization
software_hive_dict["registered_organization"] = software_hive.get_key(
"Software\\Microsoft\\Windows NT\\CurrentVersion").get_value(
"RegisteredOrganization")
# Return results
return software_hive_dict
def parse_system_hive(system_hive: RegistryHive) -> dict:
"""
Parse system hive and return needed information.
Parameters
----------
system_hive : RegistryHive
The system hive to parse
Returns
-------
dict
Dictionary with the information for systeminfo
"""
# Determine current control set
current_control_set = determine_current_control_set(system_hive)
# Determine current hardware config
try:
current_hardware_config = system_hive.get_key(
"SYSTEM\\HardwareConfig").get_value("LastConfig")
except RegistryKeyNotFoundException:
current_hardware_config = None
# Hostname
system_hive_dict = {
"hostname":
system_hive.get_key(
f"{current_control_set}\\Services\\Tcpip\\Parameters").get_value(
"Hostname")
}
# BIOS Version
if current_hardware_config:
bios_version = system_hive.get_key(
f"SYSTEM\\HardwareConfig\\{current_hardware_config}").get_value(
"BIOSVersion")
bios_vendor = system_hive.get_key(
f"SYSTEM\\HardwareConfig\\{current_hardware_config}").get_value(
"BIOSVendor")
bios_release_date = system_hive.get_key(
f"SYSTEM\\HardwareConfig\\{current_hardware_config}").get_value(
"BIOSReleaseDate")
system_hive_dict[
"bios_version"] = f"{bios_vendor} {bios_version}, {bios_release_date}"
else:
system_hive_dict["bios_version"] = "UNKNOWN UNKNOWN, UNKNOWN"
# Domain
system_hive_dict["domain"] = system_hive.get_key(
f"{current_control_set}\\Services\\Tcpip\\Parameters").get_value(
"Domain")
system_hive_dict["domain"] = (system_hive_dict["domain"]
if system_hive_dict["domain"] != 0 else
"WORKGROUP")
# Page file locations
system_hive_dict["page_file_locations"] = system_hive.get_key(
f"{current_control_set}\\Control\\Session Manager\\Memory Management"
).get_value("PagingFiles")[::3]
# TODO This could probably be improved if I could find the system drive letter in the registry
for idx, page_file_location in enumerate(
system_hive_dict["page_file_locations"]):
if page_file_location[0] == "?":
system_hive_dict["page_file_locations"][
idx] = page_file_location.replace(
"?",
system_hive.get_key(
f"{current_control_set}\\Control\\Session Manager\\Memory Management"
).get_value("ExistingPageFiles")[0][4],
)
# Page file max size
system_hive_dict["page_file_max_sizes"] = system_hive.get_key(
f"{current_control_set}\\Control\\Session Manager\\Memory Management"
).get_value("PagingFiles")[2::3]
# Boot device
system_hive_dict["boot_device"] = system_hive.get_key(
"SYSTEM\\Setup").get_value("SystemPartition")
if current_hardware_config:
# System manufacturer
system_hive_dict["manufacturer"] = system_hive.get_key(
f"SYSTEM\\HardwareConfig\\{current_hardware_config}").get_value(
"SystemManufacturer")
# System model
system_hive_dict["model"] = system_hive.get_key(
f"SYSTEM\\HardwareConfig\\{current_hardware_config}").get_value(
"SystemProductName")
else:
system_hive_dict["manufacturer"] = "UNKNOWN"
system_hive_dict["model"] = "UNKNOWN"
# System type
system_hive_dict["type"] = (system_hive.get_key(
f"{current_control_set}\\Enum\\ROOT\\ACPI_HAL\\0000").get_value(
"DeviceDesc").split(";")[1].replace("ACPI ", ""))
# Network adapters
# MAC address can optionally be changed with NetworkAddress entry
network_adapters = dict()
for network_adapter in system_hive.get_key("".join([
current_control_set,
"\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
])).iter_subkeys():
if network_adapter.get_value("NetCfgInstanceId"):
network_adapters[network_adapter.get_value("NetCfgInstanceId")] = (
network_adapter.get_value("DriverDesc"),
network_adapter.get_value("NetworkAddress"),
)
interfaces = dict()
for interface in system_hive.get_key("".join(
[current_control_set,
"\\Services\\Tcpip\\Parameters\\Interfaces"])).iter_subkeys():
if not network_adapters.get(interface.name.upper()):
continue
interfaces[interface.name] = {
"desc":
network_adapters[interface.name.upper()][0],
"mac":
network_adapters[interface.name.upper()][1],
"dhcp_activated":
interface.get_value("EnableDHCP") == 1,
"dhcp_server":
interface.get_value("DhcpServer"),
"ip_addresses": [interface.get_value("DhcpIPAddress")]
if interface.get_value("DhcpIPAddress") else
interface.get_value("IPAddress"),
"connection_name":
system_hive.get_key("".join([
current_control_set,
"\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\",
interface.name.upper(),
"\\Connection",
])).get_value("Name"),
}
if not interfaces[interface.name]["ip_addresses"]:
del interfaces[interface.name]
system_hive_dict["network_cards"] = interfaces
# Processor(s)
system_hive_dict["processors"] = system_hive.get_key(
f"{current_control_set}\\Control\\Session Manager\\Environment"
).get_value(
"PROCESSOR_IDENTIFIER"
) # This is technically not correct, because the real value is in the volatile HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor subkeys
# Windows/System directory
lsa_library = system_hive.get_key(
f"{current_control_set}\\Services\\Lsa\\Performance").get_value(
"Library"
) # It’s a bit of a hack, but I can’t find the real key to read
system_hive_dict["windows_directory"] = "\\".join(
lsa_library.split("\\")[:2])
system_hive_dict["system_directory"] = "\\".join(
lsa_library.split("\\")[:3])
# Return results
return system_hive_dict
def _get_users(self, reg: RegistryHive):
key = reg.get_key(r'\SAM\Domains\Account\Users\Names')
users = []
for user in key.iter_subkeys():
users.append(user.name)
return users
def _get_mounted_devices(self, reg: RegistryHive):
devices = []
subkey = reg.get_key(r'\MountedDevices')
for device in subkey.iter_values():
devices.append(device.name)
return devices
"""
--------------------RESULTAT ATTENDU-------------------------
Disk&Ven_JetFlash&Prod_Transcend_16GB&Rev_1100 [Wed Jun 26 19:34:59 2019]
S/N: 17GIWK3QFAF50DSD&0 [Wed Jun 26 19:34:59 2019]
Device Parameters LastWrite: [Wed Jun 26 19:34:59 2019]
LogConf LastWrite : [Wed Jun 26 19:34:59 2019]
Properties LastWrite : [Wed Jun 26 19:34:59 2019]
FriendlyName : JetFlash Transcend 16GB USB Device
InstallDate : Mon Oct 9 08:42:44 2017 UTC
FirstInstallDate: Mon Oct 9 08:42:44 2017 UTC
"""
from regipy.registry import RegistryHive
print("-------------USBSTOR-----------")
print("FORENSIC de l'historique des peripheriques USB")
print("Version 1.0, ATK \n\n")
reg = RegistryHive('system')
#for entry in reg.recurse_subkeys(as_json=True):
# print(entry)
#for sk in reg.get_key('CurrentControlSet').iter_subkeys():
# print(sk.name, convert_wintime(sk.header.last_modified).isoformat())
for entry in reg.get_key('\\Enum\\USBStor').get_values(as_json=True):
print(entry)
import sys
from regipy.registry import RegistryHive
if __name__ == "__main__":
try:
# todo: use argparse for better usability
if len(sys.argv) == 4:
try:
reg_file = RegistryHive(sys.argv[1])
# e.g. "SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\full\\Release"
key = sys.argv[2]
val = sys.argv[3]
print(reg_file.get_key(key).get_value(val, as_json=True, raise_on_missing=True))
except:
print("Registry key not found or you have provided an incorrect key")
else:
print("incomplete argument list")
print("Usage: regireader.exe <registry_file> <key> <value>")
except Exception as ex:
print("Regi-reader gets the registry key from an offline registry hive")
print("Usage: regireader.exe <registry_file> <key> <value>")
def get_persistence(hivespath="."):
for i in os.listdir(hivespath):
if "NTUSER" in i:
reg = RegistryHive(hivespath + "\\" + i)
print(i)
try:
sk = reg.get_key(
"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run")
for v in sk.get_values():
print("HKUSRRUN : %s : %s" % (v.name, v.value))
except:
continue
pass
sk = reg.get_key(
"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce")
for v in sk.get_values():
print("HKUSRRUNONCE : %s : %s" % (v.name, v.value))
sk = reg.get_key(
"\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
)
for v in sk.get_values():
print("HKUSRRUNW64 : %s : %s" % (v.name, v.value))
sk = reg.get_key(
"\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
)
for v in sk.get_values():
print("HKUSRRUNONCEW64 : %s : %s" % (v.name, v.value))
reg = RegistryHive(hivespath + "\\SOFTWARE")
sk = reg.get_key("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run")
for v in sk.get_values():
print("HKLMRUN : %s : %s" % (v.name, v.value))
sk = reg.get_key(
"SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run")
for v in sk.get_values():
print("HKLMRUNX64 : %s : %s" % (v.name, v.value))
sk = reg.get_key("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce")
for v in sk.get_values():
print("HKLMRUNONCE : %s : %s" % (v.name, v.value))
sk = reg.get_key(
"SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce")
for v in sk.get_values():
print("HKLMRUNONCEW64 : %s : %s" % (v.name, v.value))
for sk in reg.get_key(
'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'
).iter_subkeys():
sk2 = reg.get_key(
'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s'
% (sk.name))
for v in sk2.get_values():
if v.name.lower() == "debugger":
print("REGIFEO : %s : %s" % (v.name, v.value))
sk = reg.get_key(
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon")
for v in sk.get_values():
if v.name == "Shell":
if v.value.lower().rstrip(",") not in (
"explorer.exe", "c:\\windows\\system32\\explorer.exe"):
print("HIJACK : %s : %s" % (v.name, v.value))
elif v.name == "ShellInfrastructure":
if v.value.lower().rstrip(",") not in (
"sihost.exe", "c:\\windows\\system32\\sihost.exe"):
print("HIJACK : %s : %s" % (v.name, v.value))
elif v.name == "Userinit":
if v.value.lower().rstrip(",") not in (
"userinit.exe", "c:\\windows\\system32\\userinit.exe"):
print("HIJACK : %s : %s" % (v.name, v.value))
sk = reg.get_key(
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon")
for v in sk.get_values():
if v.name == "AppInit_DLLs":
print("APPINITDLLS : %s : %s" % (v.name, v.value))
break
reg = RegistryHive(hivespath + "\\SYSTEM")
try:
sk = reg.get_key("SYSTEM\\ControlSet001\\Control\\Lsa\\OSConfig")
for v in sk.get_values():
if v.name == "Security Packages":
print("SECPACKAGESO : %s : %s" % (v.name, v.value))
break
except:
pass
sk = reg.get_key("SYSTEM\\ControlSet001\\Control\\Lsa")
for v in sk.get_values():
if v.name == "Security Packages":
print("SECPACKAGES : %s : %s" % (v.name, v.value))
break
for sk in reg.get_key('SYSTEM\\ControlSet001\\Services').iter_subkeys():
sk2 = reg.get_key('SYSTEM\\ControlSet001\\Services\\%s' % (sk.name))
for v in sk2.get_values():
if v.name.lower() == "imagepath":
print("SERVICE : %s : %s" % (v.name, v.value))
elif v.name.lower() == "servicedll":
print("SERVICEDLL : %s : %s" % (v.name, v.value))
try:
sk2 = reg.get_key(
'SYSTEM\\ControlSet0001\\Services\\%s\\Parameters' % (sk.name))
for v in sk2.get_values():
if v.name.lower() == "servicedll":
print("SERVICEDLLP : %s : %s" % (v.name, v.value))
except:
pass
