def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
dce, rpctransport, phKey = self.connect()
resp = rrp.hOpenClassesRoot(dce)
resp.dump()
regHandle = resp['phKey']
resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
resp.dump()
phKey = resp['phkResult']
try:
resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ,
'HOLA COMO TE VA\x00')
resp.dump()
except Exception as e:
print(e)
type, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00')
#print data
resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00')
resp.dump()
resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00')
resp.dump()
self.assertTrue('HOLA COMO TE VA\x00' == data)
def __retrieve_hive(self, hive_name):
temp_filename = '%s' % ''.join(
[random.choice(string.letters) for i in range(8)])
ans = rrp.hOpenLocalMachine(self.__rrp)
regHandle = ans['phKey']
try:
ans = rrp.hBaseRegCreateKey(self.__rrp, regHandle, hive_name)
except:
raise registryKey('Cannot open %s hive' % hive_name)
logger.debug('Saving %s hive to %s' % (hive_name, temp_filename))
keyHandle = ans['phkResult']
resp = rrp.hBaseRegSaveKey(self.__rrp, keyHandle, temp_filename)
rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
rrp.hBaseRegCloseKey(self.__rrp, regHandle)
# Open the temporary remote file, so it can be read later
# remote_fp = RemoteFile(self.smb, ntpath.join('\\', temp_filename), share=DataStore.writable_share)
remote_fp = RemoteFile(self.smb,
ntpath.join('System32', temp_filename),
share='ADMIN$')
return remote_fp
def disableTamper(self, dce):
#
try:
ans = rrp.hOpenLocalMachine(
dce) # gets handle for HKEY_LOCAL_MACHINE
regHandle = ans['phKey']
except Exception as e:
logging.debug('Exception thrown when hOpenLocalMachine: %s',
str(e))
return
try:
resp = rrp.hBaseRegCreateKey(
dce, regHandle,
'SOFTWARE\\Microsoft\\Windows Defender\\Features')
keyHandle = resp['phkResult']
except Exception as e:
logging.debug('Exception thrown when hBaseRegCreateKey: %s',
str(e))
return
# TamperProtection
try:
resp = rrp.hBaseRegSetValue(dce, keyHandle, 'TamperProtection\x00',
rrp.REG_DWORD, 0)
self.logger.highlight(
'TamperProtection Key Set! TamperProtection is now off!')
except Exception as e:
logging.debug(
'Exception thrown when hBaseRegSetValue EnableLUA: %s', str(e))
self.logger.error('Could not set TamperProtection Key')
pass
def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
dce, rpctransport, phKey = self.connect()
resp = rrp.hOpenClassesRoot(dce)
resp.dump()
regHandle = resp['phKey']
resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
resp.dump()
phKey = resp['phkResult']
try:
resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ, 'HOLA COMO TE VA\x00')
resp.dump()
except Exception as e:
print e
type, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00')
#print data
resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00')
resp.dump()
resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00')
resp.dump()
self.assertTrue( 'HOLA COMO TE VA\x00' == data )
def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
dce, rpctransport = self.connect()
resp = rrp.hOpenClassesRoot(dce)
resp.dump()
regHandle = resp['phKey']
resp = rrp.hBaseRegCreateKey(dce, regHandle, self.test_key)
resp.dump()
phKey = resp['phkResult']
try:
resp = rrp.hBaseRegSetValue(dce, phKey, self.test_value_name,
rrp.REG_SZ, self.test_value_data)
resp.dump()
except Exception as e:
print(e)
type, data = rrp.hBaseRegQueryValue(dce, phKey, self.test_value_name)
resp = rrp.hBaseRegDeleteValue(dce, phKey, self.test_value_name)
resp.dump()
resp = rrp.hBaseRegDeleteKey(dce, regHandle, self.test_key)
resp.dump()
self.assertEqual(self.test_value_data, data)
def add(self, dce, keyName):
hRootKey, subKey = self.__strip_root_key(dce, keyName)
# READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY should be equal to KEY_WRITE (0x20006)
if self.__options.v is None: # Try to create subkey
subKeyCreate = subKey
subKey = '\\'.join(subKey.split('\\')[:-1])
ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey,
samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY)
# Should I use ans2?
ans3 = rrp.hBaseRegCreateKey(
dce, hRootKey, subKeyCreate,
samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY
)
if ans3['ErrorCode'] == 0:
print('Successfully set subkey %s' % (
keyName
))
else:
print('Error 0x%08x while creating subkey %s' % (
ans3['ErrorCode'], keyName
))
else: # Try to set value of key
ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey,
samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY)
dwType = getattr(rrp, self.__options.vt, None)
if dwType is None or not self.__options.vt.startswith('REG_'):
raise Exception('Error parsing value type %s' % self.__options.vt)
#Fix (?) for packValue function
if dwType in (
rrp.REG_DWORD, rrp.REG_DWORD_BIG_ENDIAN, rrp.REG_DWORD_LITTLE_ENDIAN,
rrp.REG_QWORD, rrp.REG_QWORD_LITTLE_ENDIAN
):
valueData = int(self.__options.vd)
else:
valueData = self.__options.vd
ans3 = rrp.hBaseRegSetValue(
dce, ans2['phkResult'], self.__options.v, dwType, valueData
)
if ans3['ErrorCode'] == 0:
print('Successfully set key %s\\%s of type %s to value %s' % (
keyName, self.__options.v, self.__options.vt, valueData
))
else:
print('Error 0x%08x while setting key %s\\%s of type %s to value %s' % (
ans3['ErrorCode'], keyName, self.__options.v, self.__options.vt, valueData
))
def __retrieveHive(self, hiveName):
tmpFileName = ''.join([random.choice(string.letters) for _ in range(8)]) + '.tmp'
ans = rrp.hOpenLocalMachine(self.__rrp)
regHandle = ans['phKey']
try:
ans = rrp.hBaseRegCreateKey(self.__rrp, regHandle, hiveName)
except:
raise Exception("Can't open %s hive" % hiveName)
keyHandle = ans['phkResult']
rrp.hBaseRegSaveKey(self.__rrp, keyHandle, tmpFileName)
rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
rrp.hBaseRegCloseKey(self.__rrp, regHandle)
# Now let's open the remote file, so it can be read later
remoteFileName = RemoteFile(self.__smbConnection, 'SYSTEM32\\'+tmpFileName)
return remoteFileName
def __retrieveHive(self, hiveName):
tmpFileName = ''.join([random.choice(string.letters) for _ in range(8)]) + '.tmp'
ans = rrp.hOpenLocalMachine(self.__rrp)
regHandle = ans['phKey']
try:
ans = rrp.hBaseRegCreateKey(self.__rrp, regHandle, hiveName)
except:
raise Exception("Can't open %s hive" % hiveName)
keyHandle = ans['phkResult']
rrp.hBaseRegSaveKey(self.__rrp, keyHandle, tmpFileName)
rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
rrp.hBaseRegCloseKey(self.__rrp, regHandle)
# Now let's open the remote file, so it can be read later
remoteFileName = RemoteFile(self.__smbConnection, 'SYSTEM32\\'+tmpFileName)
return remoteFileName
def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
dce, rpctransport, phKey = self.connect()
resp = rrp.hOpenClassesRoot(dce)
#resp.dump()
regHandle = resp['phKey']
resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
#resp.dump()
phKey = resp['phkResult']
try:
resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ,
'HOLA COMO TE VA\x00')
#resp.dump()
except Exception, e:
print e
def enableUAC(self, dce):
# this actually disables UAC but the key is enable....
try:
ans = rrp.hOpenLocalMachine(dce)
regHandle = ans['phKey']
except Exception as e:
logging.debug('Exception thrown when hOpenLocalMachine: %s',
str(e))
return
try:
resp = rrp.hBaseRegCreateKey(
dce, regHandle,
'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
)
keyHandle = resp['phkResult']
except Exception as e:
logging.debug('Exception thrown when hBaseRegCreateKey: %s',
str(e))
return
# EnableLUA
try:
resp = rrp.hBaseRegSetValue(dce, keyHandle, 'EnableLUA\x00',
rrp.REG_DWORD, 0)
self.logger.highlight('EnableLUA Key Set!')
except Exception as e:
logging.debug(
'Exception thrown when hBaseRegSetValue EnableLUA: %s', str(e))
self.logger.error('Could not set EnableLUA Key')
pass
# LocalAccountTokenFilterPolicy
try:
resp = rrp.hBaseRegSetValue(dce, keyHandle,
'LocalAccountTokenFilterPolicy\x00',
rrp.REG_DWORD, 1)
self.logger.highlight('LocalAccountTokenFilterPolicy Key Set!')
except Exception as e:
logging.debug(
'Exception thrown when hBaseRegSetValue LocalAccountTokenFilterPolicy: %s',
str(e))
self.logger.error(
'Could not set LocalAccountTokenFilterPolicy Key')
return
def checkTamper(self, dce):
#
try:
ans = rrp.hOpenLocalMachine(
dce) # gets handle for HKEY_LOCAL_MACHINE
regHandle = ans['phKey']
except Exception as e:
logging.debug('Exception thrown when hOpenLocalMachine: %s',
str(e))
return
try:
resp = rrp.hBaseRegCreateKey(
dce, regHandle,
'SOFTWARE\\Microsoft\\Windows Defender\\Features')
keyHandle = resp['phkResult']
except Exception as e:
logging.debug('Exception thrown when hBaseRegCreateKey: %s',
str(e))
return
# TamperProtection
try:
dataType, tp_value = rrp.hBaseRegQueryValue(
dce, keyHandle, 'TamperProtection')
except Exception as e:
logging.debug('Exception thrown when hBaseRegQueryValue: %s',
str(e))
tp_value = 5
pass
if tp_value == 5:
self.logger.highlight('TamperProtection = 5 (its on) ')
else:
self.logger.highlight(
'TamperProtection = {} (less than 5 is good)'.format(
tp_value))
