def parseSC(query_type, raw_info, whitelist):
"""It parses the result of the SC command, using the information in the raw
output to get the display name, service name, company name and path of a
driver or service."""
parsed_sc = []
for line in raw_info.split("\n"):
if line.startswith("SERVICE"):
service_name = " ".join(line.strip().split(" ")[1:])
if service_name in whitelist:
continue
display_name = regOps.getRegistryValue("HKEY_LOCAL_MACHINE", "SYSTEM\CurrentControlSet\Services\%s" % service_name, "DisplayName")
image_path = regOps.getRegistryValue("HKEY_LOCAL_MACHINE", "SYSTEM\CurrentControlSet\Services\%s" % service_name, "ImagePath")
if display_name and image_path:
company_name = getCompanyName(image_path)
else:
display_name, image_path, company_name = ("unknown", "unknown", "unknown")
elif line.strip().startswith("STATE"):
if service_name in whitelist:
continue
state = line.strip().split(" ")[-1]
query_type = smartStr.normalize(query_type)
display_name = smartStr.normalize(display_name)
service_name = smartStr.normalize(service_name)
company_name = smartStr.normalize(company_name)
image_path = smartStr.normalize(image_path)
parsed_sc.append("%s - %s (%s) - %s - %s" % (query_type, display_name, service_name, company_name, image_path))
return parsed_sc
def getRegs(reg_list):
"""
Given a list with keys, subkeys and values, it returns the content of those
registers in a list. Any error on key, subkey or value will be ignored
"""
regs = []
for reg_key in reg_list:
if reg_key["key"] == "Startups":
regs.append("Startups")
continue
elif reg_key["key"] == "winlogon":
regs.append("winlogon")
continue
values = reg_key["values"]
if values == []:
values = discoverValues(reg_key["key"], reg_key["subkey"])
if not values:
continue
for value in values:
try:
content = getRegistryValue(reg_key["key"], reg_key["subkey"],
smartStr.normalize(value))
if not content:
continue
regs.append(
"%s%s: %s" %
(smartStr.normalize(reg_key["tag"]),
smartStr.normalize(value), smartStr.normalize(content)))
except WindowsError:
continue
return regs
def getComponents(source_reg, target_reg, as_subkeys=True):
"""Looks for IE components, returning them on a dictionary"""
components = []
if as_subkeys:
subkeys = regOps.discoverSubkeys(source_reg["key"],
source_reg["subkey"])
else:
subkeys = regOps.discoverValues(source_reg["key"],
source_reg["subkey"])
if subkeys:
for subkey in subkeys:
subkey_name = subkey
objname = regOps.getRegistryValue(
source_reg["key"], source_reg["subkey"] + "\\" + subkey,
"") or "no name"
exepath = regOps.getRegistryValue(target_reg["key"],
target_reg["subkey"] % subkey,
"") or "file missing"
components.append({
"subkey": smartStr.normalize(subkey_name),
"objname": smartStr.normalize(objname),
"exepath": smartStr.normalize(exepath)
})
return components
def getStartups():
"""Returns two lists, with global startups ans user startups. The lists may
be empty if something goes wrong"""
user_startup_path = regOps.getRegistryValue(
"HKEY_CURRENT_USER",
"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\",
"Startup")
global_startup_path = regOps.getRegistryValue(
"HKEY_LOCAL_MACHINE",
"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\",
"common startup")
user_startups = commandHandler.getOutput(
["dir", "/a/b", smartStr.normalize(user_startup_path)])
user_startups = user_startups.split("\n")
global_startups = commandHandler.getOutput(
["dir", "/a/b", smartStr.normalize(global_startup_path)])
global_startups = global_startups.split("\n")
for startup in list(user_startups):
if startup == "" or startup.strip().lower().endswith(".ini"):
user_startups.remove(startup)
for startup in list(global_startups):
if startup == "" or startup.strip().lower().endswith(".ini"):
global_startups.remove(startup)
global_startups = [
smartStr.normalize(global_startup)
for global_startup in global_startups
]
user_startups = [
smartStr.normalize(user_startup) for user_startup in user_startups
]
return global_startups, user_startups
def getRegs(reg_list):
"""
Given a list with keys, subkeys and values, it returns the content of those
registers in a list. Any error on key, subkey or value will be ignored
"""
regs = []
for reg_key in reg_list:
if reg_key["key"] == "Startups":
regs.append("Startups")
continue
elif reg_key["key"] == "winlogon":
regs.append("winlogon")
continue
values = reg_key["values"]
if values == []:
values = discoverValues(reg_key["key"], reg_key["subkey"])
if not values:
continue
for value in values:
try:
content = getRegistryValue(reg_key["key"], reg_key["subkey"], smartStr.normalize(value))
if not content:
continue
regs.append("%s%s: %s" % (smartStr.normalize(reg_key["tag"]),
smartStr.normalize(value),
smartStr.normalize(content)))
except WindowsError:
continue
return regs
def startups(self, global_startups, user_startups):
if user_startups:
self.output.write("Startups: ")
for startup in user_startups:
self.output.write("%s " % smartStr.normalize(str(user_startups)).strip())
self.output.write("\n")
if global_startups:
self.output.write("Global: ")
for startup in global_startups:
self.output.write("%s " % smartStr.normalize(str(startup)).strip())
self.output.write("\n")
def running_processes():
"""Returns the running processes or an error message if that's not possible"""
processes_list = commandHandler.getOutput("wmic process get description,executablepath")
if processes_list == "":
yield "This computer can't execute wmic"
else:
processes_list = processes_list.split("\n")[3:]
for line in processes_list:
parsed_line = smartStr.normalize(line.strip()).split(" ")
if parsed_line:
yield smartStr.normalize(" ".join(parsed_line[1:]).strip())
def running_processes():
"""Returns the running processes or an error message if that's not possible"""
processes_list = commandHandler.getOutput(
"wmic process get description,executablepath")
if processes_list == "":
yield "This computer can't execute wmic"
else:
processes_list = processes_list.split("\n")[3:]
for line in processes_list:
parsed_line = smartStr.normalize(line.strip()).split(" ")
if parsed_line:
yield smartStr.normalize(" ".join(parsed_line[1:]).strip())
def getMountpoints():
"""Search for mountpoints. Returns None if none is found."""
suspects = []
main_key = "HKEY_CURRENT_USER"
subkey = "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\%s\shell\%s\command"
mountpoints = regOps.discoverSubkeys("HKEY_CURRENT_USER", "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2")
for mountpoint in mountpoints:
value = regOps.getRegistryValue(main_key, subkey % (mountpoint, "AutoRun"), "") or\
regOps.getRegistryValue(main_key, subkey % (mountpoint, "explore"), "") or\
regOps.getRegistryValue(main_key, subkey % (mountpoint, "open"), "")
if value:
suspects.append([smartStr.normalize(mountpoint), smartStr.normalize(value)])
return suspects or None
def getComponents(source_reg, target_reg, as_subkeys=True):
"""Looks for IE components, returning them on a dictionary"""
components = []
if as_subkeys:
subkeys = regOps.discoverSubkeys(source_reg["key"], source_reg["subkey"])
else:
subkeys = regOps.discoverValues(source_reg["key"], source_reg["subkey"])
if subkeys:
for subkey in subkeys:
subkey_name = subkey
objname = regOps.getRegistryValue(source_reg["key"], source_reg["subkey"] + "\\" + subkey, "") or "no name"
exepath = regOps.getRegistryValue(target_reg["key"], target_reg["subkey"] % subkey, "") or "file missing"
components.append(
{
"subkey": smartStr.normalize(subkey_name),
"objname": smartStr.normalize(objname),
"exepath": smartStr.normalize(exepath),
}
)
return components
def getStartups():
"""Returns two lists, with global startups ans user startups. The lists may
be empty if something goes wrong"""
user_startup_path = regOps.getRegistryValue(
"HKEY_CURRENT_USER", "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\", "Startup"
)
global_startup_path = regOps.getRegistryValue(
"HKEY_LOCAL_MACHINE", "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\", "common startup"
)
user_startups = commandHandler.getOutput(["dir", "/a/b", smartStr.normalize(user_startup_path)])
user_startups = user_startups.split("\n")
global_startups = commandHandler.getOutput(["dir", "/a/b", smartStr.normalize(global_startup_path)])
global_startups = global_startups.split("\n")
for startup in list(user_startups):
if startup == "" or startup.strip().lower().endswith(".ini"):
user_startups.remove(startup)
for startup in list(global_startups):
if startup == "" or startup.strip().lower().endswith(".ini"):
global_startups.remove(startup)
global_startups = [smartStr.normalize(global_startup) for global_startup in global_startups]
user_startups = [smartStr.normalize(user_startup) for user_startup in user_startups]
return global_startups, user_startups
def LSP(self, LSPs):
for LSP in LSPs:
self.output.write("LSP - %s: %s\n" % (smartStr.normalize(LSP[0]), smartStr.normalize(LSP[1])))
def IEToolbars(self, toolbars):
if toolbars:
for toolbar in toolbars:
self.output.write("Toolbar - %s - " % smartStr.normalize(toolbar["objname"]))
self.output.write("%s - " % smartStr.normalize(toolbar["subkey"]))
self.output.write("%s\n" % smartStr.normalize(toolbar["exepath"]))
def BHO(self, components_list):
for IEComponent in components_list:
self.output.write("BHO - %s - " % smartStr.normalize(IEComponent["objname"]))
self.output.write("%s - " % smartStr.normalize(IEComponent["subkey"]))
self.output.write("%s\n" % smartStr.normalize(IEComponent["exepath"]))