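def parseSC(query_type, raw_info, whitelist):
    """Parse the output of the ``sc`` query command into report lines.

    Walks ``raw_info`` line by line. A line starting with ``SERVICE``
    opens a record and names the service; its display name and image
    path are then read from
    ``HKLM\\SYSTEM\\CurrentControlSet\\Services\\<service>`` and the image
    path is resolved to a company name with ``getCompanyName``. The next
    line starting with ``STATE`` closes the record and appends one entry.

    Args:
        query_type: Label prepended to every entry.
        raw_info: Raw text output of the ``sc`` command.
        whitelist: Container of service names to leave out of the report.

    Returns:
        A list of strings, one per non-whitelisted service, formatted as
        ``"<query_type> - <display> (<service>) - <company> - <path>"``.
    """
    parsed_sc = []
    # Raw string: same bytes as the original literal, but no reliance on
    # "\C" / "\S" being left alone by the escape processor.
    services_key = r"SYSTEM\CurrentControlSet\Services\%s"
    # A STATE line that arrives before any SERVICE line used to reference
    # an unbound name (UnboundLocalError); track whether a record is open.
    service_name = None
    display_name = image_path = company_name = "unknown"
    for line in raw_info.split("\n"):
        stripped = line.strip()
        if line.startswith("SERVICE"):
            service_name = " ".join(stripped.split(" ")[1:])
            if service_name in whitelist:
                continue
            display_name = regOps.getRegistryValue(
                "HKEY_LOCAL_MACHINE", services_key % service_name, "DisplayName")
            image_path = regOps.getRegistryValue(
                "HKEY_LOCAL_MACHINE", services_key % service_name, "ImagePath")
            if display_name and image_path:
                company_name = getCompanyName(image_path)
            else:
                # Registry lookup failed: keep the service in the report
                # with placeholder fields rather than dropping it.
                display_name = image_path = company_name = "unknown"
        elif stripped.startswith("STATE"):
            # Skip STATE lines with no open record or for a whitelisted
            # service (the SERVICE branch leaves service_name set).
            if service_name is None or service_name in whitelist:
                continue
            parsed_sc.append("%s - %s (%s) - %s - %s" % (
                smartStr.normalize(query_type),
                smartStr.normalize(display_name),
                smartStr.normalize(service_name),
                smartStr.normalize(company_name),
                smartStr.normalize(image_path)))
    return parsed_sc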
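def getRegs(reg_list):
    """Read the registry values described by ``reg_list``.

    Each element is a dict with ``"key"``, ``"subkey"``, ``"tag"`` and
    ``"values"``. An empty ``"values"`` means "every value under the
    subkey", discovered with ``discoverValues``. The pseudo-keys
    ``"Startups"`` and ``"winlogon"`` are not registry keys; they are
    echoed unchanged as section markers for the caller.

    Args:
        reg_list: Iterable of registry descriptors as described above.

    Returns:
        A list of strings formatted as ``"<tag><value>: <content>"``,
        plus the bare ``"Startups"`` / ``"winlogon"`` markers. Values
        that are missing, empty or unreadable are skipped.
    """
    regs = []
    for reg_key in reg_list:
        key = reg_key["key"]
        # Section markers, not real registry keys.
        if key in ("Startups", "winlogon"):
            regs.append(key)
            continue
        # Empty (or absent) value list: enumerate the subkey instead.
        values = reg_key["values"] or discoverValues(key, reg_key["subkey"])
        if not values:
            continue
        tag = smartStr.normalize(reg_key["tag"])
        for value in values:
            name = smartStr.normalize(value)
            try:
                content = getRegistryValue(key, reg_key["subkey"], name)
            except OSError:
                # WindowsError is an OSError subclass on Windows and does
                # not exist on other platforms, where the old except clause
                # itself raised NameError; OSError keeps the documented
                # "ignore errors" contract everywhere.
                continue
            if content:
                regs.append("%s%s: %s" % (tag, name, smartStr.normalize(content)))
    return regs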
def getComponents(source_reg, target_reg, as_subkeys=True):
    """Enumerate Internet Explorer components registered under ``source_reg``.

    Args:
        source_reg: Dict with ``"key"`` and ``"subkey"`` naming the registry
            location whose subkeys (or value names, see ``as_subkeys``)
            identify the components.
        target_reg: Dict with ``"key"`` and a ``"subkey"`` template holding
            one ``%s``; it is filled with each identifier to find the key
            whose default value is the component's executable path.
        as_subkeys: When true the identifiers are the subkeys of
            ``source_reg``; otherwise they are its value names.

    Returns:
        A list of dicts with ``"subkey"``, ``"objname"`` and ``"exepath"``
        (normalized strings). A missing name is reported as ``"no name"``
        and a missing path as ``"file missing"``. Empty when nothing is found.
    """
    discover = regOps.discoverSubkeys if as_subkeys else regOps.discoverValues
    identifiers = discover(source_reg["key"], source_reg["subkey"])
    if not identifiers:
        return []
    components = []
    for identifier in identifiers:
        objname = regOps.getRegistryValue(
            source_reg["key"], source_reg["subkey"] + "\\" + identifier, "")
        exepath = regOps.getRegistryValue(
            target_reg["key"], target_reg["subkey"] % identifier, "")
        components.append({
            "subkey": smartStr.normalize(identifier),
            "objname": smartStr.normalize(objname or "no name"),
            "exepath": smartStr.normalize(exepath or "file missing"),
        })
    return components
def getStartups():
    """Return ``(global_startups, user_startups)`` from the two Startup folders.

    The folder locations are read from the per-user and per-machine
    ``Shell Folders`` registry keys, then each folder is listed with
    ``dir /a/b``. Blank lines and ``.ini`` entries are dropped and the
    remaining names are normalized. Either list may be empty if a lookup
    or the listing fails.
    """
    def _list_startup_dir(folder):
        # One folder listing: run dir, drop blanks and .ini files, normalize.
        listing = commandHandler.getOutput(
            ["dir", "/a/b", smartStr.normalize(folder)])
        return [
            smartStr.normalize(entry)
            for entry in listing.split("\n")
            if entry != "" and not entry.strip().lower().endswith(".ini")
        ]

    user_startup_path = regOps.getRegistryValue(
        "HKEY_CURRENT_USER",
        "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\",
        "Startup")
    global_startup_path = regOps.getRegistryValue(
        "HKEY_LOCAL_MACHINE",
        "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\",
        "common startup")
    user_startups = _list_startup_dir(user_startup_path)
    global_startups = _list_startup_dir(global_startup_path)
    return global_startups, user_startups
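def getRegs(reg_list):
    """Read the registry values described by ``reg_list``.

    Each element is a dict with ``"key"``, ``"subkey"``, ``"tag"`` and
    ``"values"``. An empty ``"values"`` means "every value under the
    subkey", discovered with ``discoverValues``. The pseudo-keys
    ``"Startups"`` and ``"winlogon"`` are not registry keys; they are
    echoed unchanged as section markers for the caller.

    Args:
        reg_list: Iterable of registry descriptors as described above.

    Returns:
        A list of strings formatted as ``"<tag><value>: <content>"``,
        plus the bare ``"Startups"`` / ``"winlogon"`` markers. Values
        that are missing, empty or unreadable are skipped.
    """
    regs = []
    for reg_key in reg_list:
        key = reg_key["key"]
        # Section markers, not real registry keys.
        if key in ("Startups", "winlogon"):
            regs.append(key)
            continue
        # Empty (or absent) value list: enumerate the subkey instead.
        values = reg_key["values"] or discoverValues(key, reg_key["subkey"])
        if not values:
            continue
        tag = smartStr.normalize(reg_key["tag"])
        for value in values:
            name = smartStr.normalize(value)
            try:
                content = getRegistryValue(key, reg_key["subkey"], name)
            except OSError:
                # WindowsError is an OSError subclass on Windows and does
                # not exist on other platforms, where the old except clause
                # itself raised NameError; OSError keeps the documented
                # "ignore errors" contract everywhere.
                continue
            if content:
                regs.append("%s%s: %s" % (tag, name, smartStr.normalize(content)))
    return regs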
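def startups(self, global_startups, user_startups):
    """Write the user and global Startup folder entries to ``self.output``.

    Args:
        global_startups: Entries of the all-users Startup folder.
        user_startups: Entries of the current user's Startup folder.

    Each non-empty list produces one line: a ``"Startups: "`` or
    ``"Global: "`` label followed by the space-separated, normalized
    entries.
    """
    if user_startups:
        self.output.write("Startups: ")
        for startup in user_startups:
            # Previously formatted str(user_startups) -- the whole list --
            # on every iteration; write the current entry instead.
            self.output.write("%s " % smartStr.normalize(str(startup)).strip())
        self.output.write("\n")
    if global_startups:
        self.output.write("Global: ")
        for startup in global_startups:
            self.output.write("%s " % smartStr.normalize(str(startup)).strip())
        self.output.write("\n")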
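def running_processes():
    """Yield one entry per running process, or a single error message.

    Runs ``wmic process get description,executablepath``. If the command
    produces no output at all, yields only
    ``"This computer can't execute wmic"``. Otherwise the first three rows
    are skipped (kept from the original parser; presumably wmic's header
    and padding) and, for each remaining non-blank row, everything after
    the first space-separated token is yielded, trimmed and normalized.
    """
    processes_list = commandHandler.getOutput(
        "wmic process get description,executablepath")
    if processes_list == "":
        yield "This computer can't execute wmic"
        return
    for line in processes_list.split("\n")[3:]:
        stripped = line.strip()
        # str.split(" ") never returns an empty list, so the old
        # ``if parsed_line:`` guard let blank rows through as "" entries.
        if not stripped:
            continue
        parsed_line = smartStr.normalize(stripped).split(" ")
        yield smartStr.normalize(" ".join(parsed_line[1:]).strip())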
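def running_processes():
    """Yield one entry per running process, or a single error message.

    Runs ``wmic process get description,executablepath``. If the command
    produces no output at all, yields only
    ``"This computer can't execute wmic"``. Otherwise the first three rows
    are skipped (kept from the original parser; presumably wmic's header
    and padding) and, for each remaining non-blank row, everything after
    the first space-separated token is yielded, trimmed and normalized.
    """
    processes_list = commandHandler.getOutput(
        "wmic process get description,executablepath")
    if processes_list == "":
        yield "This computer can't execute wmic"
        return
    for line in processes_list.split("\n")[3:]:
        stripped = line.strip()
        # str.split(" ") never returns an empty list, so the old
        # ``if parsed_line:`` guard let blank rows through as "" entries.
        if not stripped:
            continue
        parsed_line = smartStr.normalize(stripped).split(" ")
        yield smartStr.normalize(" ".join(parsed_line[1:]).strip())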
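def getMountpoints():
    """Collect MountPoints2 shell commands for the current user.

    For each subkey of
    ``HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2``
    the default value of ``shell\\AutoRun\\command``, ``shell\\explore\\command``
    and ``shell\\open\\command`` is tried in that order and the first
    non-empty one is kept.

    Returns:
        A list of ``[mountpoint, command]`` pairs (normalized strings), or
        ``None`` when there are no mountpoints or none carries a command.
    """
    main_key = "HKEY_CURRENT_USER"
    # Raw strings: identical bytes to the original literals.
    base_subkey = r"Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    command_subkey = base_subkey + r"\%s\shell\%s\command"
    suspects = []
    # discoverSubkeys is treated as possibly falsy elsewhere in this file
    # (``if subkeys:``); iterating None here raised TypeError.
    for mountpoint in regOps.discoverSubkeys(main_key, base_subkey) or []:
        value = None
        for verb in ("AutoRun", "explore", "open"):
            value = regOps.getRegistryValue(
                main_key, command_subkey % (mountpoint, verb), "")
            if value:
                break
        if value:
            suspects.append([smartStr.normalize(mountpoint), smartStr.normalize(value)])
    return suspects or None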
def getComponents(source_reg, target_reg, as_subkeys=True):
    """Enumerate Internet Explorer components registered under ``source_reg``.

    Args:
        source_reg: Dict with ``"key"`` and ``"subkey"`` naming the registry
            location whose subkeys (or value names, see ``as_subkeys``)
            identify the components.
        target_reg: Dict with ``"key"`` and a ``"subkey"`` template holding
            one ``%s``; it is filled with each identifier to find the key
            whose default value is the component's executable path.
        as_subkeys: When true the identifiers are the subkeys of
            ``source_reg``; otherwise they are its value names.

    Returns:
        A list of dicts with ``"subkey"``, ``"objname"`` and ``"exepath"``
        (normalized strings). A missing name is reported as ``"no name"``
        and a missing path as ``"file missing"``. Empty when nothing is found.
    """
    discover = regOps.discoverSubkeys if as_subkeys else regOps.discoverValues
    identifiers = discover(source_reg["key"], source_reg["subkey"])
    if not identifiers:
        return []
    components = []
    for identifier in identifiers:
        objname = regOps.getRegistryValue(
            source_reg["key"], source_reg["subkey"] + "\\" + identifier, "")
        exepath = regOps.getRegistryValue(
            target_reg["key"], target_reg["subkey"] % identifier, "")
        components.append({
            "subkey": smartStr.normalize(identifier),
            "objname": smartStr.normalize(objname or "no name"),
            "exepath": smartStr.normalize(exepath or "file missing"),
        })
    return components
def getStartups():
    """Return ``(global_startups, user_startups)`` from the two Startup folders.

    The folder locations are read from the per-user and per-machine
    ``Shell Folders`` registry keys, then each folder is listed with
    ``dir /a/b``. Blank lines and ``.ini`` entries are dropped and the
    remaining names are normalized. Either list may be empty if a lookup
    or the listing fails.
    """
    def _list_startup_dir(folder):
        # One folder listing: run dir, drop blanks and .ini files, normalize.
        listing = commandHandler.getOutput(
            ["dir", "/a/b", smartStr.normalize(folder)])
        return [
            smartStr.normalize(entry)
            for entry in listing.split("\n")
            if entry != "" and not entry.strip().lower().endswith(".ini")
        ]

    user_startup_path = regOps.getRegistryValue(
        "HKEY_CURRENT_USER",
        "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\",
        "Startup")
    global_startup_path = regOps.getRegistryValue(
        "HKEY_LOCAL_MACHINE",
        "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\",
        "common startup")
    user_startups = _list_startup_dir(user_startup_path)
    global_startups = _list_startup_dir(global_startup_path)
    return global_startups, user_startups
def LSP(self, LSPs):
    """Write one ``"LSP - <field0>: <field1>"`` line per entry to ``self.output``.

    Args:
        LSPs: Iterable of two-element sequences; both elements are
            normalized before being written.
    """
    template = "LSP - %s: %s\n"
    for entry in LSPs:
        first, second = entry[0], entry[1]
        self.output.write(
            template % (smartStr.normalize(first), smartStr.normalize(second)))
def IEToolbars(self, toolbars):
    """Write one ``"Toolbar - <objname> - <subkey> - <exepath>"`` line per toolbar.

    Args:
        toolbars: Iterable of dicts with ``"objname"``, ``"subkey"`` and
            ``"exepath"`` (as produced by ``getComponents``); a falsy value
            writes nothing.
    """
    if not toolbars:
        return
    write = self.output.write
    for toolbar in toolbars:
        write("Toolbar - %s - " % smartStr.normalize(toolbar["objname"]))
        write("%s - " % smartStr.normalize(toolbar["subkey"]))
        write("%s\n" % smartStr.normalize(toolbar["exepath"]))
def BHO(self, components_list):
    """Write one ``"BHO - <objname> - <subkey> - <exepath>"`` line per component.

    Args:
        components_list: Iterable of dicts with ``"objname"``, ``"subkey"``
            and ``"exepath"`` (as produced by ``getComponents``).
    """
    write = self.output.write
    for component in components_list:
        write("BHO - %s - " % smartStr.normalize(component["objname"]))
        write("%s - " % smartStr.normalize(component["subkey"]))
        write("%s\n" % smartStr.normalize(component["exepath"]))