def calculate(self):
addr_space = utils.load_as(self._config)
self.regapi = registryapi.RegistryApi(self._config)
result = {}
if not self._config.HIVE_OFFSET:
self.regapi.set_current("SYSTEM")
else:
name = obj.Object("_CMHIVE", vm = addr_space, offset = self._config.HIVE_OFFSET).get_name()
self.regapi.all_offsets[self._config.HIVE_OFFSET] = name
self.regapi.current_offsets[self._config.HIVE_OFFSET] = name
self.regapi.reset_current()
currentcs = self.regapi.reg_get_currentcontrolset()
if currentcs == None:
currentcs = "ControlSet001"
shutdownkey = currentcs + "\\Control\\Windows"
key = self.regapi.reg_get_key("system", shutdownkey)
value = self.regapi.reg_get_value("system", shutdownkey, "ShutdownTime", given_root = key)
result["key"] = key
result["hive"] = "SYSTEM"
result["valuename"] = "ShutdownTime"
result["value"] = value
result["timestamp"] = ""
if value != None:
try:
bufferas = addrspace.BufferAddressSpace(self._config, data = value)
result["timestamp"] = obj.Object("WinTimeStamp", vm = bufferas, offset = 0, is_utc = True)
except (struct.error, TypeError):
pass
yield result
def calculate(self):
addr_space = utils.load_as(self._config)
regapi = registryapi.RegistryApi(self._config)
regapi.reset_current()
version = (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
for value, data_raw in regapi.reg_yield_values('security', 'Policy\\PolAdtEv', thetype = 'REG_NONE'):
bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw)
if version <= (5, 1):
ap = obj.Object("AuditPolDataXP", offset = 0, vm = bufferas)
elif version <= (6, 0):
ap = obj.Object("AuditPolDataVista", offset = 0, vm = bufferas)
elif version == (6, 1):
ap = obj.Object("AuditPolData7", offset = 0, vm = bufferas)
elif version == (6, 2) or version == (6, 3):
ap = obj.Object("AuditPolData8", offset = 0, vm = bufferas)
else:
ap = obj.Object("AuditPolData10", offset = 0, vm = bufferas)
if ap == None:
debug.error("No AuditPol data found")
yield data_raw, ap
def calculate(self):
addr_space = utils.load_as(self._config)
regapi = registryapi.RegistryApi(self._config)
regapi.reset_current()
currentcs = regapi.reg_get_currentcontrolset()
if currentcs == None:
currentcs = "ControlSet001"
version = (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
xp = False
if version <= (5, 1):
key = currentcs + '\\' + "Control\\Session Manager\\AppCompatibility"
xp = True
else:
key = currentcs + '\\' + "Control\\Session Manager\\AppCompatCache"
data_raw = regapi.reg_get_value('system', key, "AppCompatCache")
if data_raw == None or len(data_raw) < 0x1c:
debug.error("No ShimCache data found")
bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw)
shimdata = obj.Object("ShimRecords", offset = 0, vm = bufferas)
if shimdata == None:
debug.error("No ShimCache data found")
for e in shimdata.Entries:
if xp:
path = str(''.join([str(c) for c in e.Path]))
yield self.remove_unprintable(path), e.LastModified, e.LastUpdate
else:
yield self.remove_unprintable(bufferas.read(int(e.PathOffset), int(e.Length))), e.LastModified, None
def __init__(self, config, *args, **kwargs):
common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
config.add_option('HIVE-OFFSET',
short_option='o',
help='Hive offset (virtual)',
type='int')
self.regapi = registryapi.RegistryApi(self._config)
def calculate(self):
addr_space = utils.load_as(self._config)
regapi = registryapi.RegistryApi(self._config)
software_hive = "SOFTWARE"
uninstall = "Microsoft\\Windows\\CurrentVersion\\Uninstall"
hive_offsets = []
if not self._config.HIVE_OFFSET:
for h in hivelist.HiveList.calculate(self):
hive_name = self.hive_name(h)
if software_hive in hive_name:
hive_offsets = [(hive_name, h.obj_offset)]
else:
hive_offsets = [("User Specified", self._config.HIVE_OFFSET)]
for name, hoff in set(hive_offsets):
h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
root = rawreg.get_root(h)
if not root:
if self._config.HIVE_OFFSET:
debug.error(
"Unable to find root key. Is the hive offset correct?")
else:
uninstall_key = rawreg.open_key(root, uninstall.split('\\'))
if uninstall_key:
yield name, uninstall_key
else:
outfd.write(
"The requested key could not be found in the hive(s) searched\n"
)
def calculate(self):
"""
Use the volatility registry API to enumerate the
Services registry key based on the last modified time stamp
:return:
"""
# Set up our registry api instance
reg_api = registryapi.RegistryApi(self._config)
key = "ControlSet001\\Services"
# Pull the ControlSet001\Services registry sub-keys
sub_keys = reg_api.reg_get_all_subkeys("system", key)
services = dict((s.Name, int(s.LastWriteTime)) for s in sub_keys)
# Sort them by their last modified timestamp, in descending order
times = sorted(set(services.values()), reverse=True)
# Pull the service info from the registry using SvcScanner
svc_scanner = svcscan.SvcScan(self._config)
service_info = svc_scanner.get_service_info(reg_api)
# only return a subset of the Service last write times
top_five = times[0:5]
return [top_five, services, service_info]
def generator(self, data):
if self._config.VERBOSE:
regapi = registryapi.RegistryApi(self._config)
dlls = self.get_service_dlls(regapi)
for rec in data:
if self._config.VERBOSE:
val = dlls.get("{0}".format(rec.ServiceName.dereference()),
None)
if val == None:
val = ""
yield (0, [
Address(rec.obj_offset),
int(rec.Order),
str(rec.Start),
int(rec.Pid),
str(rec.ServiceName.dereference() or ""),
str(rec.DisplayName.dereference() or ""),
str(rec.Type),
str(rec.State),
str(rec.Binary or ""),
str(val)
])
else:
yield (0, [
Address(rec.obj_offset),
int(rec.Order),
str(rec.Start),
int(rec.Pid),
str(rec.ServiceName.dereference() or ""),
str(rec.DisplayName.dereference() or ""),
str(rec.Type),
str(rec.State),
str(rec.Binary or "")
])
def render_text(self, outfd, data):
if self._config.VERBOSE:
regapi = registryapi.RegistryApi(self._config)
for rec in data:
# This can't possibly look neat in a table with columns...
outfd.write("Offset: {0:#x}\n".format(rec.obj_offset))
outfd.write("Order: {0}\n".format(rec.Order))
outfd.write("Process ID: {0}\n".format(rec.Pid))
outfd.write("Service Name: {0}\n".format(
rec.ServiceName.dereference()))
outfd.write("Display Name: {0}\n".format(
rec.DisplayName.dereference()))
outfd.write("Service Type: {0}\n".format(rec.Type))
outfd.write("Service State: {0}\n".format(rec.State))
outfd.write("Binary Path: {0}\n".format(rec.Binary))
if self._config.VERBOSE:
ccs = regapi.reg_get_currentcontrolset()
val = regapi.reg_get_value(
hive_name="system",
key="{0}\\services\\{1}\\Parameters".format(
ccs, rec.ServiceName.dereference()),
value="ServiceDll")
if val is not None:
outfd.write("ServiceDll: {0}\n".format(val))
outfd.write("\n")
def calculate(self):
addr_space = utils.load_as(self._config)
self.regapi = registryapi.RegistryApi(self._config)
win7 = addr_space.profile.metadata.get(
'major',
0) == 6 and addr_space.profile.metadata.get('minor', 0) >= 1
skey = "software\\microsoft\\windows\\currentversion\\explorer\\userassist"
if not self._config.HIVE_OFFSET:
self.regapi.set_current("ntuser.dat")
else:
name = obj.Object("_CMHIVE",
vm=addr_space,
offset=self._config.HIVE_OFFSET).get_name()
self.regapi.all_offsets[self._config.HIVE_OFFSET] = name
self.regapi.current_offsets[self._config.HIVE_OFFSET] = name
for key, name in self.regapi.reg_yield_key(None, skey):
for guidkey in self.regapi.reg_get_all_subkeys(None,
None,
given_root=key):
for count in self.regapi.reg_get_all_subkeys(
None, None, given_root=guidkey):
if count.Name == "Count":
yield win7, name, count
def render_text(self, outfd, data):
if self._config.VERBOSE:
regapi = registryapi.RegistryApi(self._config)
dlls = self.get_service_dlls(regapi)
for rec in data:
# This can't possibly look neat in a table with columns...
outfd.write("Offset: {0:#x}\n".format(rec.obj_offset))
outfd.write("Order: {0}\n".format(rec.Order))
outfd.write("Start: {0}\n".format(rec.Start))
outfd.write("Process ID: {0}\n".format(rec.Pid))
outfd.write("Service Name: {0}\n".format(
rec.ServiceName.dereference()))
outfd.write("Display Name: {0}\n".format(
rec.DisplayName.dereference()))
outfd.write("Service Type: {0}\n".format(rec.Type))
outfd.write("Service State: {0}\n".format(rec.State))
outfd.write("Binary Path: {0}\n".format(rec.Binary))
if self._config.VERBOSE:
val = dlls.get("{0}".format(rec.ServiceName.dereference()),
None)
if val is not None:
outfd.write("ServiceDll: {0}\n".format(val))
outfd.write("\n")
def __init__(self, config, *args, **kwargs):
AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
self._config.add_option('MATCH',
help='Only shows suspicious entries',
action='store_true')
self.addr_space = utils.load_as(self._config)
self.regapi = registryapi.RegistryApi(self._config)
def calculate(self):
"""
Use the volatility registry API to enumerate the
Services registry key based on the last modified time stamp
:return [top_five, services, service_info]:
"""
# Set up our registry api instance
reg_api = registryapi.RegistryApi(self._config)
key = "ControlSet001\\Services"
# Pull the ControlSet001\Services registry sub-keys
sub_keys = reg_api.reg_get_all_subkeys("system", key)
# collect the name and the last write timestamp of the service
services = dict((s.Name, int(s.LastWriteTime)) for s in sub_keys)
# De-duped list of times from the Service registry sub keys
times = sorted(set([ts for ts in services.values()]))
# confirm that the start timestamp is within the timeline
start = 0
# Did the user provide a time window?
if self._config.START_TIME:
try:
start = int(
time.mktime(
datetime.datetime.strptime(self._config.START_TIME,
"%m/%d/%Y").timetuple()))
except ValueError:
print("Please enter date in correct format: mm/dd/YYYY")
sys.exit(1)
# Start time outside of the provided range?
if start <= times[0]:
start = times[0]
elif start >= times[len(times) - 1]:
start = times[len(times) - 1]
# Get timestamps only on the provided day
times = [
t for t in times if time.gmtime(t)[7] == time.gmtime(start)[7]
]
# Pull the service info from the registry using SvcScanner
svc_scanner = svcscan.SvcScan(self._config)
service_info = svc_scanner.get_service_info(reg_api)
# grab only the top five (or top n) timestamps from the services dict
if self._config.N_TIMES:
n = self._config.N_TIMES
if n > len(times):
n = len(times)
top_five = sorted(times, reverse=True)[0:n]
else:
top_five = sorted(times, reverse=True)[0:5]
return [top_five, services, service_info, start]
def load_user_sids(self):
"""Load the user SIDs from the registry"""
regapi = registryapi.RegistryApi(self._config)
regapi.set_current("SOFTWARE")
for k1 in regapi.reg_enum_key('SOFTWARE', 'Microsoft\\Windows NT\\CurrentVersion\\ProfileList'):
val = regapi.reg_get_value('SOFTWARE', k1, 'ProfileImagePath')
sid = k1.split("\\")[-1]
if val != None:
## Strip NULLs in the value
self.extrasids[sid] = " (User: "******"\\")[-1].replace("\x00", "") + ")"
def get_rcm_secrets(self):
"""Retrieves the secrets held in the service Terminal Server. They are
RC4 keys that were DPAPI encrypted using a system's masterkey for "S-1-5-20".
Returns a dictionary of secrets.
"""
regapi = registryapi.RegistryApi(self._config)
current_cs = regapi.reg_get_currentcontrolset()
regapi.set_current('SYSTEM')
rcm_key = r'%s\Control\Terminal Server\RCM\Secrets' % current_cs
item = regapi.reg_get_key(None, rcm_key)
return regapi.reg_yield_values(None, rcm_key, given_root = item)
def calculate(self):
addr_space = utils.load_as(self._config)
version = (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
if self._config.MACHINE != "":
self._config.update("MACHINE", "{0} ".format(self._config.MACHINE))
#set our current registry of interest and get its path
regapi = registryapi.RegistryApi(self._config)
regapi.reset_current()
#scan for registries and populate them:
print "Scanning for registries...."
regapi.set_current('ntuser.dat')
shellbag_data = []
print "Gathering shellbag items and building path tree..."
seen = {}
for bk in BAG_KEYS:
for cat, current_path in regapi.reg_yield_key("ntuser.dat", bk):
keys = [(k, bk + "\\" + k.Name) for k in regapi.reg_get_all_subkeys("ntuser.dat", key = None, given_root = cat)]
for key, start in keys:
if key.Name:
if seen.get(start + "\\" + k.Name, None) != None:
continue
seen[start + "\\" + k.Name] = key.obj_offset
subkeys = [k for k in regapi.reg_get_all_subkeys("ntuser.dat", key = None, given_root = key)]
for k in subkeys:
keys.append((k, start + "\\" + k.Name))
items = self.parse_key(regapi, current_path, start, given_root = key)
if len(items) > 0:
shellbag_data.append((start, current_path, key, items))
if version >= (6, 0):
regapi.reset_current()
regapi.set_current("UsrClass.dat")
seen = {}
for bk in USERDAT_KEYS:
for cat, current_path in regapi.reg_yield_key("UsrClass.dat", bk):
keys = [(k, bk + "\\" + k.Name) for k in regapi.reg_get_all_subkeys("UsrClass.dat", key = None, given_root = cat)]
for key, start in keys:
if key.Name:
if seen.get(start + "\\" + k.Name, None) != None:
continue
seen[start + "\\" + k.Name] = key.obj_offset
subkeys = [k for k in regapi.reg_get_all_subkeys("UsrClass.dat", key = None, given_root = key)]
for k in subkeys:
keys.append((k, start + "\\" + k.Name))
items = self.parse_key(regapi, current_path, start, given_root = key)
if len(items) > 0:
shellbag_data.append((start, current_path, key, items))
return shellbag_data
def calculate(self):
addr_space = utils.load_as(self._config)
if not self._config.sys_offset or not self._config.sec_offset:
regapi = registryapi.RegistryApi(self._config)
for offset in regapi.all_offsets:
name = regapi.all_offsets[offset].lower().split("\\")[-1]
if "system" == name:
self._config.update("SYS_OFFSET", offset)
elif "security" == name:
self._config.update("SEC_OFFSET", offset)
hashes = domcachedumpmod.dump_memory_hashes(addr_space, self._config, self._config.sys_offset, self._config.sec_offset)
if hashes == None:
debug.error("Unable to read hashes from registry")
return hashes
def calculate(self):
if self._config.DUMP_DIR == None:
debug.error("Please specify a dump directory (--dump-dir)")
addr_space = utils.load_as(self._config)
if self._config.HIVE_OFFSET:
name = obj.Object("_CMHIVE",
vm=addr_space,
offset=self._config.HIVE_OFFSET).get_name()
yield self.fixname(
name, self._config.HIVE_OFFSET), hivemod.HiveAddressSpace(
addr_space, self._config, self._config.HIVE_OFFSET)
else:
regapi = registryapi.RegistryApi(self._config)
for offset in regapi.all_offsets:
name = self.fixname(regapi.all_offsets[offset], offset)
yield name, hivemod.HiveAddressSpace(addr_space, self._config,
offset)
def calculate(self):
addr_space = utils.load_as(self._config)
if not self._config.sys_offset or not self._config.sec_offset:
regapi = registryapi.RegistryApi(self._config)
for offset in regapi.all_offsets:
name = regapi.all_offsets[offset].lower().split("\\")[-1]
if "system" == name:
self._config.update("SYS_OFFSET", offset)
elif "security" == name:
self._config.update("SEC_OFFSET", offset)
secrets = lsasecrets.get_memory_secrets(addr_space, self._config, self._config.sys_offset, self._config.sec_offset)
if not secrets:
debug.error("Unable to read LSA secrets from registry")
return secrets
def get_scan(self):
'''
Mimics volatiltiy's svcscan - scans the memory image carving out objects
which look like Windows processes.
'''
import volatility.plugins.malware.svcscan as svcscan
import volatility.plugins.registry.registryapi as registryapi
regapi = registryapi.RegistryApi(self.vol.config)
ccs = regapi.reg_get_currentcontrolset()
for rec in svcscan.SvcScan(self.vol.config).calculate():
svcdll = regapi.reg_get_value(
hive_name = "system",
key = "{0}\\services\\{1}\\Parameters".format(ccs, rec.ServiceName.dereference()),
value = "ServiceDll")
yield Service(rec, svcdll, str(hex(rec.obj_offset)))
def lookup_user_sids(self):
regapi = registryapi.RegistryApi(self._config)
regapi.set_current("hklm")
key = "Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
val = "ProfileImagePath"
sids = {}
for subkey in regapi.reg_get_all_subkeys(None, key = key):
sid = str(subkey.Name)
path = regapi.reg_get_value(None, key = "", value = val, given_root = subkey)
if path:
path = str(path).replace("\x00", "")
user = ntpath.basename(path)
sids[sid] = user
return sids
def __init__(self, config, *args, **kwargs):
hivelist.HiveList.__init__(self, config, *args, **kwargs)
config.add_option(
"ASEP-TYPE",
short_option='t',
default=None,
help=
'Show these ASEP types: autoruns, services, appinit, winlogon, tasks, sdb (comma-separated)',
action='store',
type='str')
config.add_option("VERBOSE",
short_option='v',
default=False,
help='Verbose output: display less relevant results',
action='store_true')
self.regapi = registryapi.RegistryApi(self._config)
def calculate(self):
self.regapi = registryapi.RegistryApi(self._config)
builds_with_old_location = ['16299', '17134']
# Get Windows build version
addr_space = utils.load_as(self._config)
build = addr_space.profile.metadata.get('build', 0)
# Choose which location of bam to use in the registry. Builds 16299 and 17134
# use another path.
bam_path = ""
controlset = self.regapi.reg_get_currentcontrolset() or "ControlSet001"
if build in builds_with_old_location:
bam_path = controlset + "\\Services\\bam\\UserSettings"
else:
bam_path = controlset + "\\Services\\bam\\State\\UserSettings"
bam_key = self.regapi.reg_get_key('system', bam_path)
# Get all subkeys in UserSettings
bam_sub_keys = self.regapi.reg_get_all_subkeys('system',
bam_path,
given_root=bam_key)
# Get all key values, processing the binary content of the values
self.data = {}
for sidkey in bam_sub_keys:
sidkey_values = []
for key, value in self.regapi.reg_yield_values(
'system', sidkey, thetype='REG_BINARY', given_root=sidkey):
dat = "\n".join(
["{0:<48}".format(h) for o, h, c in utils.Hexdump(value)])
sidkey_values.append({
'key': key,
'time': self.reg_bin_to_file_time(dat)
})
#print sidkey.Name, key, self.reg_bin_to_file_time(dat)
self.data[sidkey.Name] = sidkey_values
return self.data
def calculate(self):
addr_space = utils.load_as(self._config)
regapi = registryapi.RegistryApi(self._config)
user_hive = "ntuser.dat"
trustrecords = {
"Software\\Microsoft\\Office\\14.0\\Word\\Security\\Trusted Documents\\TrustRecords",
"Software\\Microsoft\\Office\\14.0\\Excel\\Security\\Trusted Documents\\TrustRecords",
"Software\\Microsoft\\Office\\14.0\\PowerPoint\\Security\\Trusted Documents\\TrustRecords",
"Software\\Microsoft\\Office\\14.0\\Access\\Security\\Trusted Documents\\TrustRecords",
}
hive_offsets = {}
if not self._config.HIVE_OFFSET:
for h in hivelist.HiveList.calculate(self):
hive_name = self.hive_name(h)
if user_hive in hive_name.lower():
hive_offsets[h.obj_offset] = hive_name
else:
hive_offsets = [("User Specified", self._config.HIVE_OFFSET)]
found = False
for hoff, name in hive_offsets.iteritems():
h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
root = rawreg.get_root(h)
if not root:
if self._config.HIVE_OFFSET:
debug.error(
"Unable to find root key. Is the hive offset correct?")
else:
for r in trustrecords:
trustrecord_key = rawreg.open_key(root, r.split('\\'))
if trustrecord_key:
yield name, r, trustrecord_key
found = True
if not found:
debug.error(
"The requested key could not be found in the hive(s) searched\n"
)
def render_text(self, outfd, data):
serviceDict = defaultdict(list)
#this is for the ServiceDLL data
regapi = registryapi.RegistryApi(self._config)
info = self.get_service_info(regapi)
outfd.write("\n")
outfd.write("------- service check -------- \n\n")
numberOfServices = 0
for rec in data:
serviceInfo = []
vals = info.get("{0}".format(rec.ServiceName.dereference()), None)
serviceDict[str(rec.ServiceName.dereference())].append(
str(rec.DisplayName.dereference()))
serviceDict[str(rec.ServiceName.dereference())].append(
str(rec.Type))
serviceDict[str(rec.ServiceName.dereference())].append(
str(rec.State))
if vals:
serviceDict[str(rec.ServiceName.dereference())].append(
str(vals[0]))
else:
serviceDict[str(rec.ServiceName.dereference())].append("")
numberOfServices += 1
outfd.write("# of services: " + str(numberOfServices) + "\n\n")
locationString = str(conf.ConfObject.opts["location"]).rsplit(
'/', 1)[1] + "_ServiceList"
outfd.write("Storing ServiceList as \"" + locationString + "\"\n")
with open(locationString + '.p', 'wb') as fp:
pickle.dump(serviceDict, fp)
def calculate(self):
regapi = registryapi.RegistryApi(self._config)
addr_space = utils.load_as(self._config)
tasks = win32.tasks.pslist(addr_space)
registerKeys = open('/Users/Lunde/volatility_plugins/registerRunKeys.txt').read().splitlines()
for locations in registerKeys:
base =locations.split('\\')[0]
search_location = locations.split('\\',2)[2]
if base == 'HKLM':
hive = 'software'
if base == 'HKCU':
hive = 'NTUSER.DAT'
#regapi.set_current(hive_name= "software", user = "******")
regapi.set_current(hive_name= hive)
key_ = search_location
for value, data in regapi.reg_yield_values(hive_name = str(hive), key = str(key_)):
yield value, data, locations
def calculate(self):
#scan for registries and populate them:
debug.debug("Scanning for registries....")
#set our current registry of interest and get its path
#and get current control set
debug.debug("Getting Current Control Set....")
regapi = registryapi.RegistryApi(self._config)
currentcs = regapi.reg_get_currentcontrolset()
if currentcs == None:
currentcs = "ControlSet001"
#set the services root.
regapi.set_current('system')
debug.debug("Getting Services and calculating SIDs....")
services = regapi.reg_get_key('system', currentcs + '\\' + 'Services')
if services:
for s in rawreg.subkeys(services):
if s.Name not in servicesids.values():
sid = createservicesid(str(s.Name))
yield sid, str(s.Name)
for sid in servicesids:
yield sid, servicesids[sid]
def calculate(self):
regapi = registryapi.RegistryApi(self._config)
regapi.set_current(hive_name="NTUSER.DAT")
## Select the keys based on user input,
keys = []
if self._config.EHISTRY:
key = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery"
title = "Explorer History"
keys.append((key, title))
if self._config.RDOCS:
key = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"
title = "Recent Documents"
keys.append((key, title))
if self._config.SFOLDER:
key = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"
title = "Shell Folders"
keys.append((key, title))
if self._config.USFOLDER:
key = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
title = "User Shell Folders"
keys.append((key, title))
if not len(keys):
key = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery"
title = "Explorer History"
keys.append((key, title))
for key, title in keys:
yield title
for record in regapi.reg_yield_values(None, key=key):
## yield the selected registry values
yield record[1].strip()
def calculate(self):
addr_space = utils.load_as(self._config)
regapi = registryapi.RegistryApi(self._config)
hiveset = set()
if not self._config.HIVE_OFFSET:
hive_offsets = [
h.obj_offset for h in hivelist.HiveList.calculate(self)
]
else:
hive_offsets = [self._config.HIVE_OFFSET]
for hoff in set(hive_offsets):
h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
name = obj.Object("_CMHIVE", vm=addr_space, offset=hoff).get_name()
print "[debug]", name
root = rawreg.get_root(h)
hive = name.split("\\")[-1]
hiveset.add(hive)
print hiveset
for hive in hiveset:
print "\n========================", hive
for regtime, keyname in regapi.reg_get_last_modified(hive,
count=5):
print "\n", regtime, keyname
regapi.set_current(hive_name=hive)
k = keyname.split('\\')[1:]
k = '\\'.join(k)
print k + "\n"
for value, tp, data in self.reg_yield_values_type(
regapi, hive_name=hive, key=k):
yield value, tp, data
regapi.reset_current()
def calculate(self):
self.get_dll_list()
self.regapi = registryapi.RegistryApi(self._config)
self.currentcs = self.regapi.reg_get_currentcontrolset() or "ControlSet001"
asep_list = ['autoruns', 'services', 'appinit', 'winlogon', 'tasks', 'activesetup', 'sdb']
os_major = utils.load_as(self._config).profile.metadata.get('major', 0)
# If all_offsets is empty then regapi was unable to find
# hive offsets and we exit with an error message
if not self.regapi.all_offsets:
debug.error('Unable to find registry hives.')
if self._config.ASEP_TYPE:
debug.debug('Config: {}'.format(self._config.ASEP_TYPE))
asep_list = [s for s in self._config.ASEP_TYPE.replace(' ', '').split(',')]
# Scan for ASEPs and populate the lists
if 'autoruns' in asep_list:
self.autoruns = self.get_autoruns()
if 'services' in asep_list:
self.services = self.get_services()
if 'appinit' in asep_list:
self.appinit_dlls = self.get_appinit_dlls()
if 'winlogon' in asep_list:
self.winlogon = self.get_winlogon()
if os_major == 5:
self.winlogon_registrations = self.get_winlogon_registrations()
if 'tasks' in asep_list:
self.tasks = self.get_tasks()
if 'activesetup' in asep_list:
self.activesetup = self.get_activesetup()
if 'sdb' in asep_list:
self.sdb = self.get_sdb()
#Returns a generator to generator() that generates the unified output data
return self.get_unified_output_data()
yield self.getoutput(line, uadata.LastUpdated, body=body)
shimdata = []
if "Shimcache" in self._config.TYPE:
shimdata = shimcache.ShimCache(self._config).calculate()
for path, lm, lu in shimdata:
line = "[{2}SHIMCACHE]{0} {1}{0} ".format("" if body else "|",
path,
self._config.MACHINE)
if lu:
yield self.getoutput(line, lm, end=lu, body=body)
else:
yield self.getoutput(line, lm, body=body)
if "_HBASE_BLOCK" in self._config.TYPE or "_CMHIVE" in self._config.TYPE or "Registry" in self._config.TYPE:
regapi = registryapi.RegistryApi(self._config)
for o in regapi.all_offsets:
if "_HBASE_BLOCK" in self._config.TYPE:
line = "[{2}_HBASE_BLOCK TimeStamp]{0} {1}{0} ".format(
"" if body else "|", regapi.all_offsets[o],
self._config.MACHINE)
h = obj.Object("_HHIVE", o, addr_space)
yield self.getoutput(line,
h.BaseBlock.TimeStamp,
body=body)
if "_CMHIVE" in self._config.TYPE and version[
0] == 6 and addr_space.profile.metadata.get(
'build', 0) >= 7601:
line = line = "[{2}_CMHIVE LastWriteTime]{0} {1}{0} ".format(
"" if body else "|", regapi.all_offsets[o],
