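def parseSC(query_type, raw_info, whitelist):
  """Parse the text output of the Windows ``sc`` command into report lines.

  ``raw_info`` is expected to contain, per service, a line starting with
  ``SERVICE`` (the service name follows the first space) and later a line
  starting with ``STATE``. For every service not in ``whitelist`` the display
  name and image path are read from the service's registry key and the
  company name is resolved with ``getCompanyName``; if either registry value
  is missing all three fields fall back to ``"unknown"``.

  Args:
    query_type: label prepended to every produced line.
    raw_info: raw ``sc`` output.
    whitelist: container of service names to leave out of the result.

  Returns:
    A list of ``"query_type - display_name (service_name) - company - path"``
    strings, one per non-whitelisted service whose STATE line was seen.
  """
  parsed_sc = []
  # Raw string: the original relied on "\C", "\S" and "\%" being unrecognised
  # escapes that survive verbatim, which newer Pythons warn about.
  services_key = r"SYSTEM\CurrentControlSet\Services\%s"
  # Normalized once instead of on every STATE line (assumes normalize() is
  # idempotent, which the original's repeated calls already required).
  query_type = smartStr.normalize(query_type)
  # A STATE line is only meaningful after its SERVICE line; give every
  # per-service field a defined value so an unexpected ordering (or a STATE
  # line before any SERVICE line) cannot raise UnboundLocalError.
  service_name = None
  display_name = image_path = company_name = "unknown"
  for line in raw_info.split("\n"):
    if line.startswith("SERVICE"):
      service_name = " ".join(line.strip().split(" ")[1:])
      if service_name in whitelist:
        continue
      display_name = regOps.getRegistryValue("HKEY_LOCAL_MACHINE", services_key % service_name, "DisplayName")
      image_path = regOps.getRegistryValue("HKEY_LOCAL_MACHINE", services_key % service_name, "ImagePath")
      if display_name and image_path:
        company_name = getCompanyName(image_path)
      else:
        display_name, image_path, company_name = ("unknown", "unknown", "unknown")
    elif line.strip().startswith("STATE"):
      # Skip STATE lines of whitelisted services and orphan STATE lines.
      if service_name is None or service_name in whitelist:
        continue
      parsed_sc.append("%s - %s (%s) - %s - %s" % (
          query_type,
          smartStr.normalize(display_name),
          smartStr.normalize(service_name),
          smartStr.normalize(company_name),
          smartStr.normalize(image_path)))
  return parsed_sc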
def getRegs(reg_list):
    """Collect registry contents for the entries described in ``reg_list``.

    Each entry is a mapping with ``"key"``, ``"subkey"``, ``"values"`` and
    ``"tag"``. The pseudo-keys ``"Startups"`` and ``"winlogon"`` are passed
    through as plain marker strings. An empty ``"values"`` list means "read
    every value under the subkey" (expanded with ``discoverValues``); entries
    whose expansion is empty are skipped. Values that are empty/missing or
    raise ``WindowsError`` are silently ignored.

    Returns:
        A list of ``"<tag><value>: <content>"`` strings, in input order.
    """
    collected = []
    for entry in reg_list:
        key = entry["key"]
        if key in ("Startups", "winlogon"):
            collected.append(key)
            continue

        names = entry["values"]
        if names == []:
            names = discoverValues(key, entry["subkey"])
            if not names:
                continue

        for name in names:
            try:
                content = getRegistryValue(key, entry["subkey"], smartStr.normalize(name))
                if content:
                    collected.append("%s%s: %s" % (
                        smartStr.normalize(entry["tag"]),
                        smartStr.normalize(name),
                        smartStr.normalize(content)))
            except WindowsError:
                pass
    return collected
def getComponents(source_reg, target_reg, as_subkeys=True):
    """Enumerate IE components registered under ``source_reg``.

    ``source_reg`` and ``target_reg`` are mappings with ``"key"`` and
    ``"subkey"``. With ``as_subkeys`` true the component ids are the subkeys
    of the source key, otherwise its value names. For every id the object
    name is the default value of ``source_reg["subkey"]\\<id>`` and the
    executable path the default value of ``target_reg["subkey"] % id``.

    Returns:
        A list of dicts with normalized ``"subkey"``, ``"objname"`` and
        ``"exepath"``; ``"no name"`` / ``"file missing"`` stand in for
        unreadable values. Empty when the source key yields nothing.
    """
    discover = regOps.discoverSubkeys if as_subkeys else regOps.discoverValues
    found = discover(source_reg["key"], source_reg["subkey"])
    if not found:
        return []

    components = []
    for component_id in found:
        objname = regOps.getRegistryValue(
            source_reg["key"], source_reg["subkey"] + "\\" + component_id, "")
        exepath = regOps.getRegistryValue(
            target_reg["key"], target_reg["subkey"] % component_id, "")
        components.append({
            "subkey": smartStr.normalize(component_id),
            "objname": smartStr.normalize(objname or "no name"),
            "exepath": smartStr.normalize(exepath or "file missing"),
        })
    return components
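def getStartups():
    """Return the global and per-user Startup folder entries.

    The two folder locations are read from the ``Shell Folders`` registry
    keys and listed with ``dir /a/b``; blank lines and ``.ini`` entries are
    dropped and every remaining name is normalized.

    Returns:
        A ``(global_startups, user_startups)`` tuple of lists. Either list may
        be empty if the folder could not be located or listed.
    """
    # Backslashes are escaped explicitly: the original literals relied on
    # unrecognised escapes such as "\M" surviving verbatim, which newer
    # Pythons warn about. The trailing single backslash is preserved.
    user_startup_path = regOps.getRegistryValue(
        "HKEY_CURRENT_USER",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\",
        "Startup")
    global_startup_path = regOps.getRegistryValue(
        "HKEY_LOCAL_MACHINE",
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\",
        "common startup")
    user_startups = _listStartupFolder(user_startup_path)
    global_startups = _listStartupFolder(global_startup_path)
    return global_startups, user_startups


def _listStartupFolder(folder_path):
    """List one Startup folder with ``dir /a/b`` and return its normalized entries.

    Blank lines and names ending in ``.ini`` are filtered out. The path is
    handed over as a separate list element; whether ``commandHandler.getOutput``
    joins its arguments into a shell string is not visible from here, and the
    user path comes from HKCU, so that is worth confirming in commandHandler.
    """
    listing = commandHandler.getOutput(["dir", "/a/b", smartStr.normalize(folder_path)])
    return [
        smartStr.normalize(entry)
        for entry in listing.split("\n")
        if entry != "" and not entry.strip().lower().endswith(".ini")
    ]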
def getRegs(reg_list):
  """Read the registry entries described in ``reg_list``.

  Every item is a mapping carrying ``"key"``, ``"subkey"``, ``"values"`` and
  ``"tag"``. Two pseudo entries are special-cased: a ``"key"`` of
  ``"Startups"`` or ``"winlogon"`` contributes that literal string and
  nothing else. An empty ``"values"`` list is expanded with
  ``discoverValues``; entries whose expansion is empty are skipped. A value
  that is empty/missing or raises ``WindowsError`` is ignored.

  Returns:
    List of ``"<tag><value>: <content>"`` strings in input order.
  """
  markers = ("Startups", "winlogon")
  results = []
  for entry in reg_list:
    hive = entry["key"]
    if hive in markers:
      results.append(hive)
      continue

    value_names = entry["values"]
    if value_names == []:
      value_names = discoverValues(hive, entry["subkey"])
      if not value_names:
        continue

    for name in value_names:
      try:
        content = getRegistryValue(hive, entry["subkey"], smartStr.normalize(name))
        if content:
          tag = smartStr.normalize(entry["tag"])
          results.append("%s%s: %s" % (tag, smartStr.normalize(name), smartStr.normalize(content)))
      except WindowsError:
        pass
  return results
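 def startups(self, global_startups, user_startups):
   """Write the user and global startup entries to ``self.output``.

   Each non-empty list is written on its own line, prefixed with
   ``"Startups: "`` (user) or ``"Global: "`` (global), with the entries
   separated by a single space. Empty or falsy lists produce no output.
   """
   # The original user branch wrote str(user_startups) -- the whole list --
   # once per entry; both branches now write the individual entry.
   for label, entries in (("Startups: ", user_startups), ("Global: ", global_startups)):
     if not entries:
       continue
     self.output.write(label)
     for entry in entries:
       self.output.write("%s " % smartStr.normalize(str(entry)).strip())
     self.output.write("\n")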
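def running_processes():
    """Yield one entry per running process, or a single error message.

    Runs ``wmic process get description,executablepath`` and, for every
    output line after the first three (presumably the column header --
    confirm against real wmic output), yields the remainder of the line
    after its first space-separated token, normalized. Blank lines, which
    the original turned into empty-string entries, are skipped. If wmic
    produced no output at all, one explanatory message is yielded instead.
    """
    raw_output = commandHandler.getOutput("wmic process get description,executablepath")
    if raw_output == "":
        yield "This computer can't execute wmic"
        return

    for line in raw_output.split("\n")[3:]:
        stripped = line.strip()
        if not stripped:
            # Trailing/separator lines carry no process; do not yield "".
            continue
        tokens = smartStr.normalize(stripped).split(" ")
        yield smartStr.normalize(" ".join(tokens[1:]).strip())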
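def running_processes():
    """Yield one entry per running process, or a single error message.

    Runs ``wmic process get description,executablepath`` and, for every
    output line after the first three (presumably the column header --
    confirm against real wmic output), yields the remainder of the line
    after its first space-separated token, normalized. Blank lines, which
    the original turned into empty-string entries, are skipped. If wmic
    produced no output at all, one explanatory message is yielded instead.
    """
    raw_output = commandHandler.getOutput(
        "wmic process get description,executablepath")
    if raw_output == "":
        yield "This computer can't execute wmic"
        return

    for line in raw_output.split("\n")[3:]:
        stripped = line.strip()
        if not stripped:
            # Trailing/separator lines carry no process; do not yield "".
            continue
        tokens = smartStr.normalize(stripped).split(" ")
        yield smartStr.normalize(" ".join(tokens[1:]).strip())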
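def getMountpoints():
  """Search MountPoints2 for drives that carry a shell command.

  For every subkey of the current user's ``MountPoints2`` key the default
  value of its ``AutoRun``, ``explore`` and ``open`` shell commands is read
  in that order and the first non-empty one is kept.

  Returns:
    A list of ``[mountpoint, command]`` pairs (both normalized), or ``None``
    when no mountpoint carries a command or the key has no subkeys.
  """
  main_key = "HKEY_CURRENT_USER"
  # Raw strings: the originals relied on "\M", "\%" etc. being unrecognised
  # escapes that survive verbatim, which newer Pythons warn about.
  mountpoints_subkey = r"Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
  command_subkey = mountpoints_subkey + r"\%s\shell\%s\command"
  suspects = []
  # discoverSubkeys may return a falsy result (getComponents guards for it);
  # treat that as "no mountpoints" instead of failing on iteration.
  for mountpoint in regOps.discoverSubkeys(main_key, mountpoints_subkey) or []:
    value = None
    for verb in ("AutoRun", "explore", "open"):
      value = regOps.getRegistryValue(main_key, command_subkey % (mountpoint, verb), "")
      if value:
        break
    if value:
      suspects.append([smartStr.normalize(mountpoint), smartStr.normalize(value)])
  return suspects or None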
def getComponents(source_reg, target_reg, as_subkeys=True):
    """Collect Internet Explorer components described by two registry specs.

    Args:
        source_reg: mapping with ``"key"`` and ``"subkey"`` of the key whose
            subkeys (or, with ``as_subkeys=False``, value names) identify the
            components; each component's default value is its object name.
        target_reg: mapping with ``"key"`` and a ``"subkey"`` template that
            takes the component id via ``%``; its default value is the
            executable path.
        as_subkeys: use subkeys (True) or value names (False) as ids.

    Returns:
        List of dicts with normalized ``"subkey"``, ``"objname"`` and
        ``"exepath"``; ``"no name"`` / ``"file missing"`` mark unreadable
        values. An empty list when the source key yields nothing.
    """
    if as_subkeys:
        ids = regOps.discoverSubkeys(source_reg["key"], source_reg["subkey"])
    else:
        ids = regOps.discoverValues(source_reg["key"], source_reg["subkey"])

    components = []
    for ident in ids or ():
        objname_key = source_reg["subkey"] + "\\" + ident
        objname = regOps.getRegistryValue(source_reg["key"], objname_key, "") or "no name"
        exepath = regOps.getRegistryValue(target_reg["key"], target_reg["subkey"] % ident, "") or "file missing"
        entry = {}
        entry["subkey"] = smartStr.normalize(ident)
        entry["objname"] = smartStr.normalize(objname)
        entry["exepath"] = smartStr.normalize(exepath)
        components.append(entry)
    return components
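def getStartups():
    """Return the global and per-user Startup folder entries.

    The two folder locations are read from the ``Shell Folders`` registry
    keys and listed with ``dir /a/b``; blank lines and ``.ini`` entries are
    dropped and every remaining name is normalized.

    Returns:
        A ``(global_startups, user_startups)`` tuple of lists. Either list may
        be empty if the folder could not be located or listed.
    """
    # Backslashes are escaped explicitly: the original literals relied on
    # unrecognised escapes such as "\M" surviving verbatim, which newer
    # Pythons warn about. The trailing single backslash is preserved.
    user_startup_path = regOps.getRegistryValue(
        "HKEY_CURRENT_USER", "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\", "Startup"
    )
    global_startup_path = regOps.getRegistryValue(
        "HKEY_LOCAL_MACHINE", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\", "common startup"
    )
    user_startups = _listStartupFolder(user_startup_path)
    global_startups = _listStartupFolder(global_startup_path)
    return global_startups, user_startups


def _listStartupFolder(folder_path):
    """List one Startup folder with ``dir /a/b`` and return its normalized entries.

    Blank lines and names ending in ``.ini`` are filtered out. The path is
    handed over as a separate list element; whether ``commandHandler.getOutput``
    joins its arguments into a shell string is not visible from here, and the
    user path comes from HKCU, so that is worth confirming in commandHandler.
    """
    listing = commandHandler.getOutput(["dir", "/a/b", smartStr.normalize(folder_path)])
    return [
        smartStr.normalize(entry)
        for entry in listing.split("\n")
        if entry != "" and not entry.strip().lower().endswith(".ini")
    ]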
 def LSP(self, LSPs):
   """Write one ``"LSP - <name>: <value>"`` line per entry of ``LSPs``.

   Each entry must be indexable with at least two elements; both are
   normalized before being written to ``self.output``.
   """
   line_template = "LSP - %s: %s\n"
   for entry in LSPs:
     name, value = smartStr.normalize(entry[0]), smartStr.normalize(entry[1])
     self.output.write(line_template % (name, value))
 def IEToolbars(self, toolbars):
   """Write one ``"Toolbar - <objname> - <subkey> - <exepath>"`` line per toolbar.

   ``toolbars`` is an iterable of mappings with ``"objname"``, ``"subkey"``
   and ``"exepath"`` keys, or a falsy value, in which case nothing is written.
   """
   if not toolbars:
     return
   for toolbar in toolbars:
     fields = [smartStr.normalize(toolbar[field]) for field in ("objname", "subkey", "exepath")]
     self.output.write("Toolbar - %s - %s - %s\n" % tuple(fields))
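 def BHO(self, components_list):
   """Write one ``"BHO - <objname> - <subkey> - <exepath>"`` line per component.

   ``components_list`` holds mappings with ``"objname"``, ``"subkey"`` and
   ``"exepath"`` keys. A falsy value (``None`` or an empty list) writes
   nothing, matching the guard ``IEToolbars`` already applies; the original
   raised on ``None``.
   """
   if not components_list:
     return
   for component in components_list:
     self.output.write("BHO - %s - " % smartStr.normalize(component["objname"]))
     self.output.write("%s - " % smartStr.normalize(component["subkey"]))
     self.output.write("%s\n" % smartStr.normalize(component["exepath"]))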