    def services_from_registry(addr_space):
        """Enumerate services from the cached registry hive.

        Walks the hives returned by the HiveList plugin, takes the first one
        whose name ends in "system", and returns a dict mapping each
        lower-cased subkey name under ``ControlSet001\\Services`` to its key
        object. The dict is empty when no such hive is found, or when that
        hive's root key or Services key cannot be opened.
        """
        # NOTE(review): only ControlSet001 is consulted; the control set the
        # system actually booted (Select\Current) is not resolved here.
        found = {}
        hives = hivelist.HiveList(addr_space.get_config()).calculate()
        for hive in hives:
            if not hive.get_name().lower().endswith("system"):
                continue

            # The first SYSTEM hive decides the outcome, readable or not.
            root = rawreg.get_root(hive.address_space())
            services_key = rawreg.open_key(root, ["ControlSet001", "Services"]) if root else None
            if services_key:
                for entry in rawreg.subkeys(services_key):
                    found[str(entry.Name).lower()] = entry
            break

        return found
    def populate_offsets(self):
        """
        Collect every valid hive offset once so later lookups need no rescan.

        Runs the HiveList plugin and records, in ``self.all_offsets``, each
        valid hive's offset mapped to its name. An offset already seen during
        this call is skipped; an entry already present in ``self.all_offsets``
        is overwritten.
        """
        seen = set()
        for hive in hl.HiveList(self._config).calculate():
            if not hive.is_valid():
                continue
            offset = hive.obj_offset
            if offset in seen:
                continue
            seen.add(offset)
            self.all_offsets[offset] = hive.get_name()
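    def populate_offsets(self):
        '''
        Collect every hive offset once so later lookups need no rescan.

        Runs the HiveList plugin and records, in ``self.all_offsets``, each
        hive's offset mapped to a display name. The name is the first
        non-empty of FileFullPath, FileUserName and HiveRootPath; when none
        is available, or reading them raises, "[no name]" is used. An offset
        already seen during this call is skipped.
        '''
        seen = set()
        for hive in hl.HiveList(self._config).calculate():
            offset = hive.obj_offset
            if offset in seen:
                continue
            seen.add(offset)
            try:
                name = (hive.FileFullPath.v() or hive.FileUserName.v()
                        or hive.HiveRootPath.v() or "[no name]")
            except Exception:
                # Best-effort: a hive whose name members cannot be read is
                # still recorded under a placeholder. The previous bare
                # ``except:`` also swallowed KeyboardInterrupt/SystemExit.
                name = "[no name]"
            self.all_offsets[offset] = name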
    def get_registry_keys(self):
        """Yield ``(hive name, key)`` pairs for the hives selected by the config.

        When ``HIVE_OFFSET`` is unset, every hive reported by HiveList is
        used; otherwise only that one offset. For each hive the root key is
        located; if ``KEY`` is set, the key at that backslash-separated path
        is yielded in place of the root (``rawreg.open_key`` may return a
        falsy value for a missing path, and that value is yielded as-is).
        Hives whose root cannot be read yield nothing, with a console message
        when a specific ``HIVE_OFFSET`` was requested.
        """
        config = self._config
        addr_space = utils.load_as(config)
        hive_list = hivelist.HiveList(config)
        requested = config.HIVE_OFFSET

        if requested:
            offsets = [requested]
        else:
            offsets = [h.obj_offset for h in hive_list.calculate()]

        for offset in set(offsets):
            hive_space = hivemod.HiveAddressSpace(addr_space, config, offset)
            hive_name = obj.Object("_CMHIVE", vm = addr_space, offset = offset).get_name()
            root = rawreg.get_root(hive_space)
            if not root:
                # Only worth reporting when the user pointed us at one hive.
                if requested:
                    self.console_print("Unable to find root key. Is the hive offset correct?")
                continue
            if config.KEY:
                yield hive_name, rawreg.open_key(root, config.KEY.split('\\'))
            else:
                yield hive_name, root