Ejemplo n.º 1
0
    def reg_get_all_keys(self, hive_name, user = None, start = None, end = None, reg = False, rawtime = False):
        '''
        This function enumerates all keys in specified hives and 
        collects lastwrite times.
        '''
        keys = []
        if self.all_offsets == {}:
            self.populate_offsets()
        if self.current_offsets == {}:
            self.set_current(hive_name, user)

        # Collect the root keys 
        for offset in self.current_offsets:
            reg_name = self.current_offsets[offset]
            h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
            root = rawreg.get_root(h)
            if not root:
                pass
            else:
                time = "{0}".format(root.LastWriteTime) if not rawtime else root.LastWriteTime
                if reg:
                    if start and end and str(time) >= start and str(time) <= end:
                        yield (time, reg_name, root.Name)
                    elif start == None and end == None:
                        yield (time, reg_name, root.Name)
                else:
                    if start and end and str(time) >= start and str(time) <= end:
                        yield (time, root.Name)
                    elif start == None and end == None:
                        yield (time, root.Name)
                for s in rawreg.subkeys(root):
                    if reg:
                        keys.append([s, reg_name, root.Name + "\\" + s.Name])
                    else:
                        keys.append([s, root.Name + "\\" + s.Name])

        # Get subkeys
        if reg:
            for k, reg_name, name in keys:
                time = "{0}".format(k.LastWriteTime) if not rawtime else k.LastWriteTime
                if start and end and str(time) >= start and str(time) <= end:
                    yield (time, reg_name, name)
                elif start == None and end == None:
                    yield (time, reg_name, name)
                for s in rawreg.subkeys(k):
                    if name and s.Name:
                        item = name + '\\' + s.Name
                        keys.append([s, reg_name, item])
        else:
            for k, name in keys:
                time = "{0}".format(k.LastWriteTime) if not rawtime else k.LastWriteTime
                if start and end and str(time) >= start and str(time) <= end:
                    yield (time, name)
                elif start == None and end == None:
                    yield (time, name)

                for s in rawreg.subkeys(k):
                    if name and s.Name:
                        item = name + '\\' + s.Name
                        keys.append([s, item])
Ejemplo n.º 2
0
    def reg_get_all_keys(self, hive_name, user = None, start = None, end = None, reg = False, rawtime = False):
        '''
        This function enumerates all keys in specified hives and 
        collects lastwrite times.
        '''
        keys = []
        if self.all_offsets == {}:
            self.populate_offsets()
        if self.current_offsets == {}:
            self.set_current(hive_name, user)

        # Collect the root keys 
        for offset in self.current_offsets:
            reg_name = self.current_offsets[offset]
            h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
            root = rawreg.get_root(h)
            if not root:
                pass
            else:
                time = "{0}".format(root.LastWriteTime) if not rawtime else root.LastWriteTime
                if reg:
                    if start and end and str(time) >= start and str(time) <= end:
                        yield (time, reg_name, root.Name)
                    elif start == None and end == None:
                        yield (time, reg_name, root.Name)
                else:
                    if start and end and str(time) >= start and str(time) <= end:
                        yield (time, root.Name)
                    elif start == None and end == None:
                        yield (time, root.Name)
                for s in rawreg.subkeys(root):
                    if reg:
                        keys.append([s, reg_name, root.Name + "\\" + s.Name])
                    else:
                        keys.append([s, root.Name + "\\" + s.Name])

        # Get subkeys
        if reg:
            for k, reg_name, name in keys:
                time = "{0}".format(k.LastWriteTime) if not rawtime else root.LastWriteTime
                if start and end and str(time) >= start and str(time) <= end:
                    yield (time, reg_name, name)
                elif start == None and end == None:
                    yield (time, reg_name, name)
                for s in rawreg.subkeys(k):
                    if name and s.Name:
                        item = name + '\\' + s.Name
                        keys.append([s, reg_name, item])
        else:
            for k, name in keys:
                time = "{0}".format(k.LastWriteTime) if not rawtime else root.LastWriteTime
                if start and end and str(time) >= start and str(time) <= end:
                    yield (time, name)
                elif start == None and end == None:
                    yield (time, name)

                for s in rawreg.subkeys(k):
                    if name and s.Name:
                        item = name + '\\' + s.Name
                        keys.append([s, item])
Ejemplo n.º 3
0
 def render_text(self, outfd, data):
     for reg, key in data:
         if not key:
             if not self._config.BRUTE_FORCE:
                 outfd.write("Unable to find requested key\n")
             continue
         outfd.write("Legend: (S) = Stable   (V) = Volatile\n\n")
         outfd.write("Registry: {0}\n".format(reg))
         outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
         outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
         outfd.write("\n")
         outfd.write("Subkeys:\n")
         for s in rawreg.subkeys(key):
             if s.Name == None:
                 outfd.write("  Unknown subkey: " + s.Name.reason + "\n")
             else:
                 outfd.write("  {1:3s} {0}\n".format(s.Name, self.voltext(s)))
         outfd.write("\n")
         outfd.write("Values:\n")
         for v in rawreg.values(key):
             tp, dat = rawreg.value_data(v)
             if tp == 'REG_BINARY':
                 dat = "\n" + hd(dat, length = 16)
             if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                 dat = dat.encode("ascii", 'backslashreplace')
             if tp == 'REG_MULTI_SZ':
                 for i in range(len(dat)):
                     dat[i] = dat[i].encode("ascii", 'backslashreplace')
             outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(tp, v.Name, dat, self.voltext(v)))
Ejemplo n.º 4
0
    def services_from_registry(addr_space):
        """Enumerate services from the cached registry hive"""

        services = {}
        plugin = hivelist.HiveList(addr_space.get_config())
        for hive in plugin.calculate():

            ## find the SYSTEM hive 
            name = hive.get_name()
            if not name.lower().endswith("system"):
                continue 
        
            ## get the root key 
            hive_space = hive.address_space() 
            root = rawreg.get_root(hive_space)

            if not root:
                break 

            ## open the services key 
            key = rawreg.open_key(root, ["ControlSet001", "Services"])
            if not key:
                break 

            ## build a dictionary of the key names 
            for subkey in rawreg.subkeys(key):
                services[(str(subkey.Name).lower())] = subkey

            ## we don't need to keep trying 
            break

        return services
Ejemplo n.º 5
0
 def render_text(self, outfd, data):
     outfd.write("Legend: (S) = Stable   (V) = Volatile\n\n")
     keyfound = False
     for reg, key in data:
         if key:
             keyfound = True
             outfd.write("----------------------------\n")
             outfd.write("Registry: {0}\n".format(reg))
             outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
             outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
             outfd.write("\n")
             outfd.write("Subkeys:\n")
             for s in rawreg.subkeys(key):
                 if s.Name == None:
                     outfd.write("  Unknown subkey: " + s.Name.reason + "\n")
                 else:
                     outfd.write("  {1:3s} {0}\n".format(s.Name, self.voltext(s)))
             outfd.write("\n")
             outfd.write("Values:\n")
             for v in rawreg.values(key):
                 tp, dat = rawreg.value_data(v)
                 if tp == 'REG_BINARY' or tp == 'REG_NONE':
                     dat = "\n" + "\n".join(["{0:#010x}  {1:<48}  {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                 if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                     dat = dat.encode("ascii", 'backslashreplace')
                 if tp == 'REG_MULTI_SZ':
                     for i in range(len(dat)):
                         dat[i] = dat[i].encode("ascii", 'backslashreplace')
                 outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(tp, v.Name, dat, self.voltext(v)))
     if not keyfound:
         outfd.write("The requested key could not be found in the hive(s) searched\n")
Ejemplo n.º 6
0
    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self._config.HIVE_OFFSET:
            hive_offsets = [
                h.obj_offset for h in hivelist.HiveList.calculate(self)
            ]
        else:
            hive_offsets = [self._config.HIVE_OFFSET]

        for hoff in set(hive_offsets):
            h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
            name = obj.Object("_CMHIVE", vm=addr_space, offset=hoff).get_name()
            root = rawreg.get_root(h)
            if not root:
                if self._config.HIVE_OFFSET:
                    debug.error(
                        "Unable to find root key. Is the hive offset correct?")
            else:
                if self._config.KEY:
                    yield name, rawreg.open_key(root,
                                                self._config.KEY.split('\\'))
                else:
                    for s in rawreg.subkeys(root):
                        yield name, s
Ejemplo n.º 7
0
    def calculate(self):
        addr_space = utils.load_as(self._config)
        
        #scan for registries and populate them:
        print "Scanning for registries...."
        self.populate_offsets()

        #set our current registry of interest and get its path
        #and get current control set
        print "Getting Current Control Set...."
        currentcs = "ControlSet001"
        self.set_current('system')
        for o in self.current_offsets:
            sysaddr = hivemod.HiveAddressSpace(addr_space, self._config, o)
            cs = find_control_set(sysaddr)
            currentcs = "ControlSet{0:03}".format(cs)

        #set the services root. 
        print "Getting Services and calculating SIDs...."
        services = self.reg_get_key('system', currentcs + '\\' + 'Services')
        if services:
            for s in rawreg.subkeys(services):
                if s.Name not in servicesids.values():
                    sid = createservicesid(str(s.Name))
                    yield sid, str(s.Name)
        for sid in servicesids:
            yield sid, servicesids[sid]
Ejemplo n.º 8
0
def get_secrets(sysaddr, secaddr):
    root = rawreg.get_root(secaddr)
    if not root:
        return None

    bootkey = hashdump.get_bootkey(sysaddr)
    lsakey = get_lsa_key(secaddr, bootkey)
    if not bootkey or not lsakey:
        return None

    secrets_key = rawreg.open_key(root, ["Policy", "Secrets"])
    if not secrets_key:
        return None

    secrets = {}
    for key in rawreg.subkeys(secrets_key):
        sec_val_key = rawreg.open_key(key, ["CurrVal"])
        if not sec_val_key:
            continue

        enc_secret_value = sec_val_key.ValueList.List.dereference()[0]
        if not enc_secret_value:
            continue

        enc_secret = secaddr.read(enc_secret_value.Data,
                                  enc_secret_value.DataLength)
        if not enc_secret:
            continue

        secret = decrypt_secret(enc_secret[0xC:], lsakey)
        secrets[key.Name] = secret

    return secrets
Ejemplo n.º 9
0
def get_secrets(sysaddr, secaddr):
    root = rawreg.get_root(secaddr)
    if not root:
        return None

    bootkey = hashdump.get_bootkey(sysaddr)
    lsakey = get_lsa_key(secaddr, bootkey)
    if not bootkey or not lsakey:
        return None

    secrets_key = rawreg.open_key(root, ["Policy", "Secrets"])
    if not secrets_key:
        return None

    secrets = {}
    for key in rawreg.subkeys(secrets_key):
        sec_val_key = rawreg.open_key(key, ["CurrVal"])
        if not sec_val_key:
            continue

        enc_secret_value = sec_val_key.ValueList.List.dereference()[0]
        if not enc_secret_value:
            continue

        enc_secret = secaddr.read(enc_secret_value.Data,
                enc_secret_value.DataLength)
        if not enc_secret:
            continue

        secret = decrypt_secret(enc_secret[0xC:], lsakey)
        secrets[key.Name] = secret

    return secrets
Ejemplo n.º 10
0
    def services_from_registry(addr_space):
        """Enumerate services from the cached registry hive"""

        services = {}
        plugin = hivelist.HiveList(addr_space.get_config())
        for hive in plugin.calculate():

            ## find the SYSTEM hive
            name = hive.get_name()
            if not name.lower().endswith("system"):
                continue

            ## get the root key
            hive_space = hive.address_space()
            root = rawreg.get_root(hive_space)

            if not root:
                break

            ## open the services key
            key = rawreg.open_key(root, ["ControlSet001", "Services"])
            if not key:
                break

            ## build a dictionary of the key names
            for subkey in rawreg.subkeys(key):
                services[(str(subkey.Name).lower())] = subkey

            ## we don't need to keep trying
            break

        return services
Ejemplo n.º 11
0
    def search_key(self, key, prefix):
        prefix += '\t'
        for subkey in rawreg.subkeys(key):

            if not rawreg.values(subkey):
                if not rawreg.subkeys(subkey):
                    print "[-]", subkey.Name
                    continue
                else:
                    pass

            if subkey.Name == None:
                pass
            else:
                print prefix, subkey.Name
                self.search_key(subkey, prefix)
            """
Ejemplo n.º 12
0
 def generator(self, data):
     path = str(data.Name)
     keys = [(data, path)]
     for key, path in keys:
         if key:
             yield (0, [f"{key.LastWriteTime}", str(path)])
             for s in rawreg.subkeys(key):
                 item = f"{path}\\{s.Name}"
                 keys.append((s, item))
Ejemplo n.º 13
0
 def reg_get_all_subkeys(self, hive_name, key, user = None, given_root = None):
     '''
     This function enumerates the subkeys of the requested key
     '''
     k = given_root if given_root != None else self.reg_get_key(hive_name, key)
     if k:
         for s in rawreg.subkeys(k):
             if s.Name:
                 yield s
Ejemplo n.º 14
0
 def reg_get_all_subkeys(self, hive_name, key, user = None, given_root = None):
     '''
     This function enumerates the subkeys of the requested key
     '''
     k = given_root if given_root != None else self.reg_get_key(hive_name, key)
     if k:
         for s in rawreg.subkeys(k):
             if s.Name:
                 yield s
Ejemplo n.º 15
0
 def generator(self, data):
     path = str(data.Name)
     keys = [(data, path)]
     for key, path in keys:
         if key:
             yield (0, [str("{0}".format(key.LastWriteTime)), str(path)])
             for s in rawreg.subkeys(key):
                 item = "{0}\\{1}".format(path, s.Name)
                 keys.append((s, item))
Ejemplo n.º 16
0
    def generator(self, data):
        for reg, key in data:
            if key:
                subkeys = list(rawreg.subkeys(key))
                values = list(rawreg.values(key))
                yield (0, [
                    str("{0}".format(reg)),
                    str("{0}".format(key.Name)),
                    str("{0:3s}".format(self.voltext(key))),
                    str("{0}".format(key.LastWriteTime)), "-", "-", "-", "-",
                    "-", "-"
                ])

                if subkeys:
                    for s in subkeys:
                        if s.Name == None:
                            yield (0, [
                                str("{0}".format(reg)),
                                str("{0}".format(key.Name)),
                                str("{0:3s}".format(self.voltext(key))),
                                str("{0}".format(key.LastWriteTime)),
                                str("Unknown subkey: {0}".format(
                                    s.Name.reason)), "-", "-", "-", "-", "-"
                            ])
                        else:
                            yield (0, [
                                str("{0}".format(reg)),
                                str("{0}".format(key.Name)),
                                str("{0:3s}".format(self.voltext(key))),
                                str("{0}".format(key.LastWriteTime)),
                                str("{0}".format(s.Name)),
                                str("{0:3s}".format(self.voltext(s))), "-",
                                "-", "-", "-"
                            ])

                if values:
                    for v in values:
                        tp, dat = rawreg.value_data(v)
                        if tp == 'REG_BINARY' or tp == 'REG_NONE':
                            dat = Bytes(dat)
                        if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                            dat = dat.encode("ascii", 'backslashreplace')
                        if tp == 'REG_MULTI_SZ':
                            for i in range(len(dat)):
                                dat[i] = dat[i].encode("ascii",
                                                       'backslashreplace')
                        yield (0, [
                            str("{0}".format(reg)),
                            str("{0}".format(key.Name)),
                            str("{0:3s}".format(self.voltext(key))),
                            str("{0}".format(key.LastWriteTime)), "-", "-",
                            str(tp),
                            str("{0}".format(v.Name)),
                            str("{0:3s}".format(self.voltext(v))),
                            str(dat)
                        ])
Ejemplo n.º 17
0
 def reg_enum_key(self, hive_name, key, user = None):
     '''
     This function enumerates the requested key
     '''
     k = self.reg_get_key(hive_name, key, user)
     if k:
         for s in rawreg.subkeys(k):
             if s.Name:
                 item = key + '\\' + s.Name
                 yield item
Ejemplo n.º 18
0
 def reg_enum_key(self, hive_name, key, user=None):
     '''
     This function enumerates the requested key
     '''
     k = self.reg_get_key(hive_name, key, user)
     if k:
         for s in rawreg.subkeys(k):
             if s.Name:
                 item = key + '\\' + s.Name
                 yield item
Ejemplo n.º 19
0
 def reg_enum_key(self, hive_name, key, user=None):
     """
     This function enumerates the requested key
     """
     k = self.reg_get_key(hive_name, key, user)
     if k:
         for s in rawreg.subkeys(k):
             if s.Name:
                 item = f'{key}\\{s.Name}'
                 yield item
Ejemplo n.º 20
0
 def generator(self, data):
     path = str(data.Name)
     keys = [(data, path)]
     for key, path in keys:
         if key:
             yield (0, [str("{0}".format(key.LastWriteTime)),
                        str(path)])
             for s in rawreg.subkeys(key):
                 item = "{0}\\{1}".format(path, s.Name)
                 keys.append((s, item))
Ejemplo n.º 21
0
 def render_text(self, outfd, data):
     print_values = {
         5: 'InstallSource',
         6: 'InstallLocation',
         3: 'Publisher',
         1: 'DisplayName',
         2: 'DisplayVersion',
         4: 'InstallDate'
     }
     outfd.write("Legend: (S) = Stable   (V) = Volatile\n\n")
     keyfound = False
     for reg, key in data:
         if key:
             keyfound = True
             outfd.write("----------------------------\n")
             outfd.write("Registry: {0}\n".format(reg))
             outfd.write("Key name: {0} {1:3s}\n".format(
                 key.Name, self.voltext(key)))
             outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
             outfd.write("\n")
             outfd.write("Subkeys:\n")
             for s in rawreg.subkeys(key):
                 key_info = {}
                 if s.Name == None:
                     outfd.write("  Unknown subkey: " + s.Name.reason +
                                 "\n")
                 else:
                     key_info['Name'] = s.Name
                     key_info['LastUpdated'] = s.LastWriteTime
                     for v in rawreg.values(s):
                         if v.Name not in print_values.values():
                             continue
                         tp, dat = rawreg.value_data(v)
                         if tp == 'REG_BINARY' or tp == 'REG_NONE':
                             dat = "\n" + "\n".join([
                                 "{0:#010x}  {1:<48}  {2}".format(
                                     o, h, ''.join(c))
                                 for o, h, c in utils.Hexdump(dat)
                             ])
                         if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                             dat = dat.encode("ascii", 'backslashreplace')
                         if tp == 'REG_MULTI_SZ':
                             for i in range(len(dat)):
                                 dat[i] = dat[i].encode(
                                     "ascii", 'backslashreplace')
                         key_info[str(v.Name)] = dat
                 outfd.write("Subkey: {0}\n".format(key_info.get(
                     'Name', '')))
                 outfd.write("  LastUpdated     : {0}\n".format(
                     key_info.get('LastUpdated', '')))
                 for k, v in sorted(print_values.items()):
                     val = key_info.get(v, '')
                     if val != '':
                         outfd.write("  {0:16}: {1}\n".format(v, val))
                 outfd.write("\n")
Ejemplo n.º 22
0
 def reg_enum_key(self, hive_name, key, user = None):
     '''
     This function enumerates the requested key
     '''
     addr_space = utils.load_as(self._config)
     k = self.reg_get_key(hive_name, key, user)
     if k:
         for s in rawreg.subkeys(k):
             if s.Name:
                 item = key +  '\\' + s.Name
                 yield item
Ejemplo n.º 23
0
def get_user_keys(samaddr):
    user_key_path = ["SAM", "Domains", "Account", "Users"]

    root = rawreg.get_root(samaddr)
    if not root:
        return []

    user_key = rawreg.open_key(root, user_key_path)
    if not user_key:
        return []

    return [k for k in rawreg.subkeys(user_key) if k.Name != "Names"]
Ejemplo n.º 24
0
 def reg_get_all_subkeys(self, hive_name, key, user = None, given_root = None):
     '''
     This function enumerates the subkeys of the requested key
     '''
     addr_space = utils.load_as(self._config)
     if given_root == None:
         k = self.reg_get_key(hive_name, key, user)
     else:
         k = given_root
     if k:
         for s in rawreg.subkeys(k):
             if s.Name:
                 yield s
Ejemplo n.º 25
0
 def render_text(self, outfd, data):
     keyfound = False
     for win7, reg, key in data:
         if key:
             keyfound = True
             outfd.write("----------------------------\n")
             outfd.write("Registry: {0}\n".format(reg))
             outfd.write("Key name: {0}\n".format(key.Name))
             outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
             outfd.write("\n")
             outfd.write("Subkeys:\n")
             for s in rawreg.subkeys(key):
                 if s.Name == None:
                     outfd.write("  Unknown subkey: " + s.Name.reason +
                                 "\n")
                 else:
                     outfd.write("  {0}\n".format(s.Name))
             outfd.write("\n")
             outfd.write("Values:\n")
             for v in rawreg.values(key):
                 tp, dat = rawreg.value_data(v)
                 subname = v.Name
                 if tp == 'REG_BINARY':
                     dat_raw = dat
                     dat = "\n" + printkey.hd(dat, length=16)
                     try:
                         subname = subname.encode('rot_13')
                     except:
                         pass
                     if win7:
                         guid = subname.split("\\")[0]
                         if guid in folder_guids:
                             subname = subname.replace(
                                 guid, folder_guids[guid])
                     d = self.parse_data(dat_raw)
                     if d != None:
                         dat = d + dat
                 #these types shouldn't be encountered, but are just left here in case:
                 if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                     dat = dat.encode("ascii", 'backslashreplace')
                 if tp == 'REG_MULTI_SZ':
                     for i in range(len(dat)):
                         dat[i] = dat[i].encode("ascii", 'backslashreplace')
                 outfd.write("{0:13} {1:15} : {2:3s}\n".format(
                     tp, subname, dat))
     if not keyfound:
         outfd.write(
             "The requested key could not be found in the hive(s) searched\n"
         )
Ejemplo n.º 26
0
 def render_text(self, outfd, data):
     keyfound = False
     for win7, reg, key in data:
         if key:
             keyfound = True
             outfd.write("----------------------------\n")
             outfd.write("Registry: {0}\n".format(reg))
             outfd.write("Key name: {0}\n".format(key.Name))
             outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
             outfd.write("\n")
             outfd.write("Subkeys:\n")
             for s in rawreg.subkeys(key):
                 if s.Name == None:
                     outfd.write("  Unknown subkey: " + s.Name.reason + "\n")
                 else:
                     outfd.write("  {0}\n".format(s.Name))
             outfd.write("\n")
             outfd.write("Values:\n")
             for v in rawreg.values(key):
                 tp, dat = rawreg.value_data(v)
                 subname = v.Name
                 if tp == 'REG_BINARY':
                     dat_raw = dat
                     dat = "\n".join(["{0:#010x}  {1:<48}  {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                     try:
                         subname = subname.encode('rot_13')
                     except UnicodeDecodeError:
                         pass
                     if win7:
                         guid = subname.split("\\")[0]
                         if guid in folder_guids:
                             subname = subname.replace(guid, folder_guids[guid])
                     d = self.parse_data(dat_raw)
                     if d != None:
                         dat = d + dat
                     else:
                         dat = "\n" + dat
                 #these types shouldn't be encountered, but are just left here in case:
                 if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                     dat = dat.encode("ascii", 'backslashreplace')
                 if tp == 'REG_MULTI_SZ':
                     for i in range(len(dat)):
                         dat[i] = dat[i].encode("ascii", 'backslashreplace')
                 outfd.write("\n{0:13} {1:15} : {2}\n".format(tp, subname, dat))
     if not keyfound:
         outfd.write("The requested key could not be found in the hive(s) searched\n")
Ejemplo n.º 27
0
    def parse_service_key(self, service_key):

        service_dict = self.dict_for_key(service_key)
        name = str(service_key.Name)
        display_name = service_dict.get('DisplayName',
                                        "Unknown").replace('\x00', '')
        startup = int(service_dict.get("Start", -1))
        type = int(service_dict.get("Type", -1))
        image_path = service_dict.get("ImagePath",
                                      "Unknown").replace('\x00', '')
        timestamp = service_key.LastWriteTime

        # The service is run through svchost - try to resolve the parameter name
        entry = None
        if "svchost.exe -k" in image_path:
            parameters = None
            for sub in rawreg.subkeys(service_key):
                if sub.Name == "Parameters":
                    parameters = self.dict_for_key(sub)
                    timestamp = sub.LastWriteTime
                    break
            if parameters:
                if 'ServiceDll' in parameters:
                    entry = parameters.get("ServiceDll")
                    main = parameters.get('ServiceMain')
                    if main:
                        entry += " ({})".format(main)
                    entry = entry.replace('\x00', '')

        # Check if the service is set to automatically start
        # More details here: http://technet.microsoft.com/en-us/library/cc759637(v=ws.10).aspx
        if startup in [0, 1, 2]:
            if entry:
                pids = self.find_pids_for_imagepath(
                    parameters.get("ServiceDll"))
            else:
                pids = self.find_pids_for_imagepath(image_path)

            return (name, timestamp, display_name, service_startup[startup],
                    service_types[type], image_path, entry, pids)
Ejemplo n.º 28
0
 def render_text(self, outfd, data):
     print_values = {5:'InstallSource', 6:'InstallLocation', 3:'Publisher',
                     1:'DisplayName', 2:'DisplayVersion', 4:'InstallDate'}
     outfd.write("Legend: (S) = Stable   (V) = Volatile\n\n")
     keyfound = False
     for reg, key in data:
         if key:
             keyfound = True
             outfd.write("----------------------------\n")
             outfd.write("Registry: {0}\n".format(reg))
             outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
             outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
             outfd.write("\n")
             outfd.write("Subkeys:\n")
             for s in rawreg.subkeys(key):
                 key_info = {}
                 if s.Name == None:
                     outfd.write("  Unknown subkey: " + s.Name.reason + "\n")
                 else:
                     key_info['Name'] = s.Name
                     key_info['LastUpdated'] = s.LastWriteTime
                     for v in rawreg.values(s):
                         if v.Name not in print_values.values():
                             continue
                         tp, dat = rawreg.value_data(v)
                         if tp == 'REG_BINARY' or tp == 'REG_NONE':
                             dat = "\n" + "\n".join(["{0:#010x}  {1:<48}  {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                         if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                             dat = dat.encode("ascii", 'backslashreplace')
                         if tp == 'REG_MULTI_SZ':
                             for i in range(len(dat)):
                                 dat[i] = dat[i].encode("ascii", 'backslashreplace')
                         key_info[str(v.Name)] = dat
                 outfd.write("Subkey: {0}\n".format(key_info.get('Name','')))
                 outfd.write("  LastUpdated     : {0}\n".format(key_info.get('LastUpdated','')))
                 for k, v in sorted(print_values.items()):
                     val = key_info.get(v, '')
                     if val != '':
                         outfd.write("  {0:16}: {1}\n".format(v, val))
                 outfd.write("\n")
Ejemplo n.º 29
0
    def calculate(self):
        # scan for registries and populate them:
        debug.debug("Scanning for registries....")

        # set our current registry of interest and get its path
        # and get current control set
        debug.debug("Getting Current Control Set....")
        regapi = registryapi.RegistryApi(self._config)
        currentcs = regapi.reg_get_currentcontrolset()
        if currentcs == None:
            currentcs = "ControlSet001"

        # set the services root.
        regapi.set_current("system")
        debug.debug("Getting Services and calculating SIDs....")
        services = regapi.reg_get_key("system", currentcs + "\\" + "Services")
        if services:
            for s in rawreg.subkeys(services):
                if s.Name not in servicesids.values():
                    sid = createservicesid(str(s.Name))
                    yield sid, str(s.Name)
        for sid in servicesids:
            yield sid, servicesids[sid]
Ejemplo n.º 30
0
    def calculate(self):
        #scan for registries and populate them:
        debug.debug("Scanning for registries....")

        #set our current registry of interest and get its path
        #and get current control set
        debug.debug("Getting Current Control Set....")
        regapi = registryapi.RegistryApi(self._config)
        currentcs = regapi.reg_get_currentcontrolset()
        if currentcs == None:
            currentcs = "ControlSet001"

        #set the services root.
        regapi.set_current('system')
        debug.debug("Getting Services and calculating SIDs....")
        services = regapi.reg_get_key('system', currentcs + '\\' + 'Services')
        if services:
            for s in rawreg.subkeys(services):
                if s.Name not in servicesids.values():
                    sid = createservicesid(str(s.Name))
                    yield sid, str(s.Name)
        for sid in servicesids:
            yield sid, servicesids[sid]
Ejemplo n.º 31
0
 def render_text(self, outfd, data):
     outfd.write("Legend: (S) = Stable   (V) = Volatile\n\n")
     keyfound = False
     for reg, key in data:
         if key:
             keyfound = True
             outfd.write("----------------------------\n")
             outfd.write(f"Registry: {reg}\n")
             outfd.write(f"Key name: {key.Name} {self.voltext(key):3s}\n")
             outfd.write(f"Last updated: {key.LastWriteTime}\n")
             outfd.write("\n")
             outfd.write("Subkeys:\n")
             for s in rawreg.subkeys(key):
                 if s.Name == None:
                     outfd.write(f"  Unknown subkey at {s.obj_offset:#x}\n")
                 else:
                     outfd.write(f"  {self.voltext(s):3s} {s.Name}\n")
             outfd.write("\n")
             outfd.write("Values:\n")
             for v in rawreg.values(key):
                 tp, dat = rawreg.value_data(v)
                 if tp == 'REG_BINARY' or tp == 'REG_NONE':
                     dat = "\n" + "\n".join([
                         f"{o:#010x}  {h:<48}  {''.join(c)}"
                         for o, h, c in utils.Hexdump(dat)
                     ])
                 if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                     dat = dat.encode("ascii", 'backslashreplace')
                 if tp == 'REG_MULTI_SZ':
                     for i in range(len(dat)):
                         dat[i] = dat[i].encode("ascii", 'backslashreplace')
                 outfd.write(
                     f"{tp:13} {v.Name:15} : {self.voltext(v):3s} {dat}\n")
     if not keyfound:
         outfd.write(
             "The requested key could not be found in the hive(s) searched\n"
         )
Ejemplo n.º 32
0
    def parse_service_key(self, service_key):

        service_dict = self.dict_for_key(service_key)
        name = str(service_key.Name)
        display_name = service_dict.get('DisplayName', "Unknown").replace('\x00', '')
        startup = int(service_dict.get("Start", -1))
        type = int(service_dict.get("Type", -1))
        image_path = service_dict.get("ImagePath", "Unknown").replace('\x00', '')
        timestamp = service_key.LastWriteTime
        
        # The service is run through svchost - try to resolve the parameter name
        entry = None
        if "svchost.exe -k" in image_path:
            parameters = None
            for sub in rawreg.subkeys(service_key):
                if sub.Name == "Parameters":
                    parameters = self.dict_for_key(sub)
                    timestamp = sub.LastWriteTime
                    break
            if parameters:
                if 'ServiceDll' in parameters:
                    entry = parameters.get("ServiceDll")
                    main = parameters.get('ServiceMain')
                    if main:
                        entry += " ({})".format(main)
                    entry = entry.replace('\x00', '')            
        
        # Check if the service is set to automatically start
        # More details here: http://technet.microsoft.com/en-us/library/cc759637(v=ws.10).aspx
        if startup in [0, 1, 2]:
            if entry:
                pids = self.find_pids_for_imagepath(parameters.get("ServiceDll"))
            else:
                pids = self.find_pids_for_imagepath(image_path)

            return (name, timestamp, display_name, service_startup[startup], service_types[type], image_path, entry, pids)
Ejemplo n.º 33
0
def get_secrets(addr_space, sysaddr, secaddr):
    root = rawreg.get_root(secaddr)
    if not root:
        return None

    bootkey = hashdump.get_bootkey(sysaddr)
    lsakey = get_lsa_key(addr_space, secaddr, bootkey)
    if not bootkey or not lsakey:
        return None

    secrets_key = rawreg.open_key(root, ["Policy", "Secrets"])
    if not secrets_key:
        return None

    secrets = {}
    for key in rawreg.subkeys(secrets_key):
        sec_val_key = rawreg.open_key(key, ["CurrVal"])
        if not sec_val_key:
            continue

        enc_secret_value = sec_val_key.ValueList.List.dereference()[0]
        if not enc_secret_value:
            continue

        enc_secret = secaddr.read(enc_secret_value.Data,
                                  enc_secret_value.DataLength)
        if not enc_secret:
            continue

        if addr_space.profile.metadata.get('major', 0) == 5:
            secret = enc_secret[0xC:]
        else:
            secret = enc_secret
        secrets[key.Name] = secret

    return secrets
Ejemplo n.º 34
0
def get_secrets(addr_space, sysaddr, secaddr):
    root = rawreg.get_root(secaddr)
    if not root:
        return None

    bootkey = hashdump.get_bootkey(sysaddr)
    lsakey = get_lsa_key(addr_space, secaddr, bootkey)
    if not bootkey or not lsakey:
        return None

    secrets_key = rawreg.open_key(root, ["Policy", "Secrets"])
    if not secrets_key:
        return None

    secrets = {}
    for key in rawreg.subkeys(secrets_key):
        sec_val_key = rawreg.open_key(key, ["CurrVal"])
        if not sec_val_key:
            continue

        enc_secret_value = sec_val_key.ValueList.List.dereference()[0]
        if not enc_secret_value:
            continue

        enc_secret = secaddr.read(enc_secret_value.Data,
                enc_secret_value.DataLength)
        if not enc_secret:
            continue

        if addr_space.profile.metadata.get('major', 0) == 5:
            secret = enc_secret[0xC:]
        else:
            secret = enc_secret
        secrets[key.Name] = secret

    return secrets
Ejemplo n.º 35
0
 def print_key(self, outfd, keypath, key):
     if key.Name != None:
         kp = f"{keypath}\\{key.Name}"
         outfd.write(f"{key.LastWriteTime:20s} {kp}\n")
     for k in rawreg.subkeys(key):
         self.print_key(outfd, f"{keypath}\\{key.Name}", k)
Ejemplo n.º 36
0
    def calculate(self):
        addr_space = utils.load_as(self._config)
        config = self._config

        # Determine OS

#        myos = config.PROFILE[:5]

        profile = addr_space.profile

        if profile.metadata.get('os', 0) == 'windows':
            if profile.metadata.get('major', 0) == 5 and \
                profile.metadata.get('minor', 0) == 1:
                myos = "WinXP"
            elif profile.metadata.get('major', 0) == 6 and \
                profile.metadata.get('minor', 0) == 1:
                myos = "Win7"
        else:
            debug.error("OS not supported")

        assert myos in regchk_by_os

        
        # Determine which checks to do

        if not config.CHK:         

            checklist = []
            # Default action: Do everything
            if not config.HIVE_NAME:
                myhives = regchk_by_os[myos].keys()
            else:
                # User has specified a specific hive to process
                htmp = ''.join(config.HIVE_NAME).lower()
                if not htmp in regchk_by_os[ myos ]:
                    debug.error("Invalid Hive Name specified.")
                else:
                    myhives = [ htmp ]

        # Specific check asked for            
        else:
            check = ''.join(config.CHK).lower()
            if not check in chk_defn:
                debug.error("Invalid check specified.")
            
            # Only 1 check to do
            checklist = [ check ]

            # determine which hive this check refers to (to avoid wasting time on the other hives)
            
            for htmp1, chktmp in regchk_by_os[ myos ].iteritems():
                if check in chktmp:
                    htmp = htmp1

            myhives = [ htmp ]
            config.remove_option("HIVE-NAME")
            
                
        # If user hasn't given a specific hive offset, then default is to try to process all the hives

        if not config.HIVE_OFFSET:
            hive_offsets = [(self.hive_name(h), h.obj_offset) for h in hivelist.HiveList.calculate(self)]
        else:
            hive_offsets = [("User Specified", config.HIVE_OFFSET)]


        # Try to process each hive in turn

        for hname, hoff in set(hive_offsets):
            h = hivemod.HiveAddressSpace(addr_space, config, hoff)
            root = rawreg.get_root(h)

            if not root:
                if config.HIVE_OFFSET:
                    debug.error("Unable to find root key. Is the hive offset correct?")
            
            # Find out which hive this is        
            hive_last_name = hname.lower().split("\\")[-1]


            # see if the current hive is on the list of hives the user wants to process
            for myhive in myhives:

                if not hive_last_name in (myhive, "[no name]", "user specified"):
                    continue

                # Determine current controlset (if the key actually exists in this hive)

                ccs_key = rawreg.open_key(root, [ "CurrentControlSet" ] )
                if ccs_key:
                    ccs_v = rawreg.values(ccs_key)[ 0 ]


                    ccs_tp, ccs_dat = rawreg.value_data(ccs_v)
                    ccs = ccs_dat.encode("ascii", 'backslashreplace').split("\\")[-1] + "\\"
                    # Sanity check
                    if not ccs.lower().startswith("controlset00"):
                        debug.error("CurrentControlSet key found but has invalid value.")
                else:
                    ccs = ""

               # Set checklist to run the checks for this hive
               # If the user just wants to do 1 check then checklist has already been
               # set.

                if not config.CHK:
                    checklist = regchk_by_os[ myos ][ myhive ]

                for check in checklist:
                    chk_ccsflag, chk_key_lst, chk_msg, chk_action_list = chk_defn[check]
                    for chk_key in chk_key_lst:
                        if chk_ccsflag:
                            chk_key = ccs + chk_key
                                    

                        if check == "bho":
                            # Do specific processing for Browser Helper Objects
                            key = rawreg.open_key(root, chk_key.split('\\'))
                            if key:
                                # Pull out the class reg key for each GUID
                                for s in rawreg.subkeys(key):
                                    # pull out the clsid for the BHO
                                    clsid = str(s.Name)
                                    if clsid == None:
                                        pass
                                   # Next read the classid reg key
                                    clsid = "Classes\\CLSID\\" + clsid
                                    yield hname, \
                                        rawreg.open_key(root, clsid.split('\\')), \
                                        check, \
                                        clsid

                        elif check == "assoc":
                            # Do specific processing for file associations
                            key = rawreg.open_key(root, chk_key.split('\\'))
                            if key:
                                # Pull out the file association values
                                assoc_cache = {}
                                for s in rawreg.subkeys(key):
                                    s_name = str(s.Name)

                                    # First look for an association key
                                    if s_name.startswith(r"."):

                                        # Next find the filename value for this association

                                        for v in rawreg.values(s):
                                            # force conversion to string from String object
                                            v_name = str(v.Name)
                                            if not v_name == "":
                                                continue

                                            # Have found the default value key. Now read the datafile value
                                            tp, dat = rawreg.value_data( v )
                                            assert tp == "REG_SZ"
                                            fname = dat.encode("ascii", 'backslashreplace').rstrip("\0")

                                            # Check for cache hit
                                            if not fname in assoc_cache:

                                                # Find the filename key (which has the actual cmd shell value)
                                                cmd_shell_key = "Classes\\" + fname + "\\shell\\open\\command"              
                                                assoc_cache[fname] = [
                                                rawreg.open_key(root, cmd_shell_key.split('\\')),
                                                "{0}, File extension: {1}".format(cmd_shell_key, s_name)
                                                ]
                                                   
                                            yield hname, assoc_cache[fname][0], check, assoc_cache[fname][1]
                                            break
                        else:
                            yield hname, \
                               rawreg.open_key(root, chk_key.split('\\')), \
                               check, \
                               chk_key
Ejemplo n.º 37
0
    def generator(self, data):
        for reg, key in data:
            if key:
                subkeys = list(rawreg.subkeys(key))
                values = list(rawreg.values(key))
                yield (
                    0,
                    [
                        f"{reg}",
                        f"{key.Name}",
                        f"{self.voltext(key):3s}",
                        f"{key.LastWriteTime}",
                        "-",
                        "-",
                        "-",
                        "-",
                        "-",
                        "-",
                    ],
                )

                if subkeys:
                    for s in subkeys:
                        if s.Name == None:
                            yield (
                                0,
                                [
                                    f"{reg}",
                                    f"{key.Name}",
                                    f"{self.voltext(key):3s}",
                                    f"{key.LastWriteTime}",
                                    f"Unknown subkey: {s.Name.reason}",
                                    "-",
                                    "-",
                                    "-",
                                    "-",
                                    "-",
                                ],
                            )
                        else:
                            yield (
                                0,
                                [
                                    f"{reg}",
                                    f"{key.Name}",
                                    f"{self.voltext(key):3s}",
                                    f"{key.LastWriteTime}",
                                    f"{s.Name}",
                                    f"{self.voltext(s):3s}",
                                    "-",
                                    "-",
                                    "-",
                                    "-",
                                ],
                            )

                if values:
                    for v in values:
                        tp, dat = rawreg.value_data(v)
                        if tp == 'REG_BINARY' or tp == 'REG_NONE':
                            dat = Bytes(dat)
                        if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                            dat = dat.encode("ascii", 'backslashreplace')
                        if tp == 'REG_MULTI_SZ':
                            for i in range(len(dat)):
                                dat[i] = dat[i].encode("ascii",
                                                       'backslashreplace')
                        yield (
                            0,
                            [
                                f"{reg}",
                                f"{key.Name}",
                                f"{self.voltext(key):3s}",
                                f"{key.LastWriteTime}",
                                "-",
                                "-",
                                f"{tp}",
                                f"{v.Name}",
                                f"{self.voltext(v):3s}",
                                f"{dat}",
                            ],
                        )
Ejemplo n.º 38
0
    def render_key(self, outfd, key, actions):


        if len(actions) > 0:
            action = actions[0]
        else:
            return
    
        if action == PRT_VALUE:
            valname = actions[1]
            for v in rawreg.values(key):
                # force conversion to string from String object
                v_name = str(v.Name) 

                # Determine whether to print this value
                if valname[0] == "all":
                    pass

                # include specified values
                elif valname[0] == "+":
                    if not v_name in valname:
                        continue
                # exclude specified values
                elif valname[0] == "-":
                    if v_name in valname:
                        continue
                else:
                    debug.error("Pgm Error - Invalid valname render_key PRT_VALUE")

                self.prt_val(outfd, v)
                
            actions = actions[2:]
                           
        elif action == LIST_SUBKEYS:
            subkey_1st = True
            valname = actions[1]
            for s in rawreg.subkeys(key):
                s_name = str(s.Name)

                # Determine whether to list this subkey
                if valname[0] == "all":
                    pass

                # include specified keys
                elif valname[0] == "+":
                    if not s_name in valname:
                        continue

                # exclude specified keys
                elif valname[0] == "-":
                    if s_name in valname:
                        continue
 
                # include subkey if starts with specified value
                elif valname[0] == "s":
                    if not s_name.startswith( valname[1] ):
                        continue

                else:
                    debug.error("Pgm Error - Invalid valname render_key LIST_SUBKEYS")

                if subkey_1st:
                    outfd.write("   Subkeys:\n")
                    subkey_1st = False
                if s_name == None:
                    outfd.write("  Unknown subkey: " + s_name.reason + "\n")
                else:
                    outfd.write("  {1:3s} {0}\n".format(s_name, self.voltext(s)))

                # If there is a recursive action specified for each subkey, then do it
                if actions[2]:
                    self.render_key(outfd, s, actions[2])
                    outfd.write("\n")

            actions = actions[3:]

        # Print Windows Services
        elif action == PRT_SRVC:
            for s in rawreg.subkeys(key):
                v_type, v_start, v_display, v_path = ('','','','')
                for v in rawreg.values(s):
                    v_name = str(v.Name)
                    if v_name in ["Type", 
                                  "DisplayName",
                                  "ImagePath",
                                  "Start"
                                  ]:
                        tp, dat = rawreg.value_data(v)
                        if v_name == "Type":
                            if dat in serv_types:
                                v_type = serv_types[dat]
                        elif v_name == "Start":
                            if dat in serv_starts:
                                v_start = serv_starts[dat]
                        elif v_name == "ImagePath":
                            v_path = dat
                        else:
                            v_display = dat

                outfd.write("\n   {0:s} {1} {2:10s} {3}".format(s.Name,
                                                         v_display,
                                                         self.voltext(s),
                                                         s.LastWriteTime))
                outfd.write("\n           {0} Start= {1}, Type= {2}\n".format( v_path, v_start, v_type))            
            actions = actions[1:]
            
        # Data field is a Windows TimeStamp
        elif action == PRT_WINTIME:
            valname = actions[1]
            for v in rawreg.values(key):
                v_name = v.Name    
                if v_name in valname:
                    v_ts = obj.Object("WinTimeStamp", v.Data.v(), v.obj_vm)
                    outfd.write("   {0} {1} \n".format(v_name, v_ts))

            actions = actions[2:]

        # Data field is MountedDevices key value
        elif action == PRT_DEV:
            for v in rawreg.values(key):
                tp, dat = rawreg.value_data(v)
                assert tp == 'REG_BINARY'
                if v.DataLength == 12:
                    hexa = ' '.join(["{0:02X}".format(ord(k)) for k in dat[:4]])
                    outfd.write("\n   {0:15} : {1:3s}\n      Drive Signature: {2}\n".format(v.Name,
                                                                       self.voltext(v),
                                                                       hexa))                    
                elif v.DataLength > 12:
                    dat = dat.encode("ascii", 'backslashreplace')
                    outfd.write("\n   {0:15} : {1:3s}\n      {2}\n".format(v.Name,
                                                                       self.voltext(v),
                                                                       dat))
            actions = actions[1:]
                        
        # Access and print "shell\\open\\command" subkey value


        # Print value which is null-terminated Unicode string
        elif action == PRT_UNI:
            for v in rawreg.values(key):
                v_name = str(v.Name)
                if v_name.startswith("MRUList"):
                    continue
                tp, dat = rawreg.value_data( v )
                assert( tp == "REG_BINARY")

                # grab up to (but not including) the first null byte
                xx = dat.decode('utf-16-le', "ignore").split("\0")[0]
                # convert unicode to ascii
                yy = xx.encode("ascii", 'backslashreplace')
                outfd.write("   {0} {1}\n".format(v_name, yy))

            actions = actions[1:]

        # Print Explorer UserAssist Active Desktop key
        elif action == PRT_USRAS:
            for v in rawreg.values(key):
                v_name = str(v.Name)
                if v_name.startswith("HRZR"):
                    # Python decodes rot13 to unicode so need to convert to ascii
                    ad_ent = v_name.decode('rot13', "ignore").encode("ascii", 'backslashreplace')
                    outfd.write("   {0}\n".format(ad_ent)) 
            actions = actions[1:]

        # Print a binary timestamp stored as low value / high value
        # Assumes that low value key field is specified first, followed by high value
        elif action == PRT_BINTIME:
            valname = actions[1]
            v_ts_lo = 0
            v_ts_hi = 0
            for v in rawreg.values(key):
                v_name = v.Name    
                if v_name == valname[0]: 
                    tp, v_ts_lo = rawreg.value_data( v )
                    assert tp == "REG_DWORD"
                elif v_name == valname[1]:
                    tp, v_ts_hi = rawreg.value_data( v )
                    assert tp == "REG_DWORD"                    
            if not v_ts_lo == 0:

                # Format the time for display

                windows_ts = (v_ts_hi << 32) | v_ts_lo
                if(windows_ts == 0):
                    unix_time =0
                else:
                    unix_time = windows_ts / 10000000 # nano-sec since 16
                    unix_time = unix_time - 11644473600

                if unix_time < 0:
                    unix_time = 0

                try:     
                    utc_display = strftime("%a %b %d %H:%M:%S %Y UTC", gmtime( unix_time ))
                except ValueError, e:
                    utc_display = "Datetime conversion failure: " + str(e)

                outfd.write("  {0} : {1} \n".format(valname, utc_display))

            actions = actions[2:]
Ejemplo n.º 39
0
 def print_key(self, outfd, keypath, key):
     if key.Name != None:
         outfd.write("{0:20s} {1}\n".format(key.LastWriteTime, keypath + "\\" + key.Name))
     for k in rawreg.subkeys(key):
         self.print_key(outfd, keypath + "\\" + key.Name, k)
Ejemplo n.º 40
0
 def LoadSubKeys(self,reg,key,regObjectList):
     for k in rawreg.subkeys(key):
         r = reg + '\\' + utils._utf8_encode(k.Name)
         self.getregistrykeyobject(r,k,regObjectList)
         self.LoadSubKeys(r,k,regObjectList)
Ejemplo n.º 41
0
 def LoadSubKeys(self, reg, key, regObjectList):
     for k in rawreg.subkeys(key):
         r = reg + '\\' + utils._utf8_encode(k.Name)
         self.getregistrykeyobject(r, k, regObjectList)
         self.LoadSubKeys(r, k, regObjectList)
Ejemplo n.º 42
0
    def generator(self, data):
        for reg, key in data:
            if key:
                subkeys = list(rawreg.subkeys(key))
                values = list(rawreg.values(key))
                yield (0, [str("{0}".format(reg)), 
                        str("{0}".format(key.Name)),
                        str("{0:3s}".format(self.voltext(key))),
                        str("{0}".format(key.LastWriteTime)),
                        "-",
                        "-",
                        "-",
                        "-",
                        "-",
                        "-"])

                if subkeys:
                    for s in subkeys:
                        if s.Name == None:
                            yield (0, [str("{0}".format(reg)),
                                str("{0}".format(key.Name)),
                                str("{0:3s}".format(self.voltext(key))),
                                str("{0}".format(key.LastWriteTime)),
                                str("Unknown subkey: {0}".format(s.Name.reason)),
                                "-",
                                "-",
                                "-",
                                "-",
                                "-"])
                        else:
                            yield (0, [str("{0}".format(reg)),
                                str("{0}".format(key.Name)),
                                str("{0:3s}".format(self.voltext(key))),
                                str("{0}".format(key.LastWriteTime)),
                                str("{0}".format(s.Name)), 
                                str("{0:3s}".format(self.voltext(s))),
                                "-",
                                "-",
                                "-",
                                "-"])

                if values:
                    for v in values:
                        tp, dat = rawreg.value_data(v)
                        if tp == 'REG_BINARY' or tp == 'REG_NONE':
                            dat = Bytes(dat)
                        if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                            dat = dat.encode("ascii", 'backslashreplace')
                        if tp == 'REG_MULTI_SZ':
                            for i in range(len(dat)):
                                dat[i] = dat[i].encode("ascii", 'backslashreplace')
                        yield (0, [str("{0}".format(reg)),
                            str("{0}".format(key.Name)),
                            str("{0:3s}".format(self.voltext(key))),
                            str("{0}".format(key.LastWriteTime)),
                            "-",
                            "-",
                            str(tp),
                            str("{0}".format(v.Name)),
                            str("{0:3s}".format(self.voltext(v))),
                            str(dat)])