def getComponents(source_reg, target_reg, as_subkeys=True):
    """Looks for IE components and returns them as a list of dictionaries.

    source_reg and target_reg are dicts with "key" and "subkey" entries; the
    target subkey is a %-format pattern that receives each discovered name.
    With as_subkeys the names are the subkeys below source_reg, otherwise its
    value names.  Each result is {"subkey", "objname", "exepath"} with all
    three strings normalized; a missing object name is reported as
    "no name" and a missing path as "file missing".  Returns [] when the
    source key yields nothing.
    """
    discover = regOps.discoverSubkeys if as_subkeys else regOps.discoverValues
    names = discover(source_reg["key"], source_reg["subkey"])
    if not names:
        return []
    components = []
    for name in names:
        # The default texts end up verbatim in reports, so they stay fixed.
        objname = regOps.getRegistryValue(
            source_reg["key"], source_reg["subkey"] + "\\" + name, "") or "no name"
        exepath = regOps.getRegistryValue(
            target_reg["key"], target_reg["subkey"] % name, "") or "file missing"
        components.append({
            "subkey": smartStr.normalize(name),
            "objname": smartStr.normalize(objname),
            "exepath": smartStr.normalize(exepath),
        })
    return components
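def parseSC(query_type, raw_info, whitelist):
    """Parse the text output of the ``sc`` command into report lines.

    The service name is taken from each ``SERVICE`` line, the display name
    and image path from the service's registry key and the company name
    from the image.  One line per service, formatted as
    ``"<query_type> - <display> (<service>) - <company> - <path>"``, is
    emitted when that service's ``STATE`` line is reached.  Services listed
    in *whitelist* are skipped.  Returns the list of lines (empty for empty
    input).
    """
    parsed_sc = []
    # "No service seen yet" defaults: a STATE line that precedes any SERVICE
    # line (truncated or unexpected output) is skipped instead of raising
    # NameError on the unbound names.
    service_name = None
    display_name = image_path = company_name = "unknown"
    for line in raw_info.split("\n"):
        if line.startswith("SERVICE"):
            service_name = " ".join(line.strip().split(" ")[1:])
            if service_name in whitelist:
                continue
            services_key = r"SYSTEM\CurrentControlSet\Services\%s" % service_name
            display_name = regOps.getRegistryValue(
                "HKEY_LOCAL_MACHINE", services_key, "DisplayName")
            image_path = regOps.getRegistryValue(
                "HKEY_LOCAL_MACHINE", services_key, "ImagePath")
            if display_name and image_path:
                # image_path is registry data under the control of whoever
                # registered the service; presumably getCompanyName only
                # reads the file's metadata - confirm it never executes it.
                company_name = getCompanyName(image_path)
            else:
                display_name = image_path = company_name = "unknown"
        elif line.strip().startswith("STATE"):
            if service_name is None or service_name in whitelist:
                continue
            query_type = smartStr.normalize(query_type)
            parsed_sc.append("%s - %s (%s) - %s - %s" % (
                query_type,
                smartStr.normalize(display_name),
                smartStr.normalize(service_name),
                smartStr.normalize(company_name),
                smartStr.normalize(image_path)))
    return parsed_sc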
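def _listStartupFolder(folder_path):
    """Return the normalized entries of one startup folder.

    Runs ``dir /a/b`` on *folder_path* and drops empty lines and ``.ini``
    entries (desktop.ini).  The result may be empty when the folder is
    missing or the listing fails.
    """
    # folder_path is registry data; it is handed over as its own argv
    # element - presumably commandHandler.getOutput does not re-join the
    # list through a shell, confirm before trusting this with user-writable
    # registry values.
    listing = commandHandler.getOutput(["dir", "/a/b", smartStr.normalize(folder_path)])
    return [
        smartStr.normalize(entry)
        for entry in listing.split("\n")
        if entry != "" and not entry.strip().lower().endswith(".ini")
    ]


def getStartups():
    """Returns two lists, with global startups and user startups.

    The folder paths come from the Explorer "Shell Folders" registry keys
    of the current user and of the machine.  Returns
    ``(global_startups, user_startups)``; either list may be empty if
    something goes wrong.
    """
    user_startup_path = regOps.getRegistryValue(
        "HKEY_CURRENT_USER",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\",
        "Startup")
    global_startup_path = regOps.getRegistryValue(
        "HKEY_LOCAL_MACHINE",
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\",
        "common startup")
    # Filtering in one pass replaces the remove-while-iterating loops,
    # which rescanned the list for every dropped entry.
    user_startups = _listStartupFolder(user_startup_path)
    global_startups = _listStartupFolder(global_startup_path)
    return global_startups, user_startups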
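def browser_version(browser_dict):
    """Look up a browser's version in the registry.

    browser_dict holds "name", "key" and "subkey".  The "Version" value is
    tried first, then "CurrentVersion".  Returns ``(name, version)``; the
    version is None when neither value exists or the key cannot be read,
    which is taken to mean the browser is not installed.  (The old docstring
    promised a bare None, which was never returned.)
    """
    try:
        version = (regOps.getRegistryValue(browser_dict["key"], browser_dict["subkey"], "Version")
                   or regOps.getRegistryValue(browser_dict["key"], browser_dict["subkey"], "CurrentVersion"))
    except OSError:
        # WindowsError is OSError on Windows (a subclass on Python 2) and is
        # not defined on other hosts, where naming it in the except clause
        # turned a failed lookup into a NameError.
        version = None
    return (browser_dict["name"], version)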
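def browser_version(browser_dict):
    """Return ``(name, version)`` for the browser described by browser_dict.

    browser_dict holds "name", "key" and "subkey".  The registry value
    "Version" is read first and "CurrentVersion" as a fallback.  version is
    None when neither exists or the key cannot be opened, meaning the
    browser is not installed; the function never returns a bare None.
    """
    key = browser_dict["key"]
    subkey = browser_dict["subkey"]
    try:
        version = regOps.getRegistryValue(key, subkey, "Version")
        if not version:
            version = regOps.getRegistryValue(key, subkey, "CurrentVersion")
    except OSError:
        # Catch OSError rather than WindowsError: identical on Windows under
        # Python 3, a superclass on Python 2, and defined on every platform.
        version = None
    return (browser_dict["name"], version)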
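def getSvchostAnomalies(whitelist):
    """Based on a whitelist, tries to detect weird entries on SVCHost.

    Reads the ``netsvcs`` group of the SvcHost key and reports every
    service name not in *whitelist* together with the DLL named by its
    ``Parameters\\ServiceDll`` value.  Returns a list of
    ``(service_name, dll)`` tuples; empty when nothing is suspicious or the
    ``netsvcs`` value cannot be read.
    """
    anomalies = []
    values = regOps.getRegistryValue(
        "HKEY_LOCAL_MACHINE",
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost",
        "netsvcs")
    # The other lookups in this file treat a falsy return as "missing";
    # iterating None here used to raise TypeError.
    for value in values or []:
        if value in whitelist:
            continue
        dll = regOps.getRegistryValue(
            "HKEY_LOCAL_MACHINE",
            r"SYSTEM\CurrentControlSet\Services\%s\Parameters" % value,
            "ServiceDll")
        if not dll:
            # Still report the group member: a missing ServiceDll is itself
            # noteworthy and the value may only appear after a reboot.
            dll = "Unknown. You may need to restart the system."
        anomalies.append((value, dll))
    return anomalies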
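def getMountpoints():
    """Search for mountpoints that carry a shell command.

    Walks the MountPoints2 subkeys of the current user and, for each one,
    reads the command of the AutoRun, explore and open verbs (the first
    non-empty one wins).  Returns a list of ``[mountpoint, command]`` pairs
    with both strings normalized, or None when no subkey defines a command
    or MountPoints2 cannot be enumerated.
    """
    main_key = "HKEY_CURRENT_USER"
    mountpoints_key = r"Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    command_key = mountpoints_key + r"\%s\shell\%s\command"
    suspects = []
    # Other callers in this file treat a falsy discoverSubkeys result as
    # "missing"; iterating None here used to raise TypeError.
    for mountpoint in regOps.discoverSubkeys(main_key, mountpoints_key) or []:
        value = None
        for verb in ("AutoRun", "explore", "open"):
            value = regOps.getRegistryValue(main_key, command_key % (mountpoint, verb), "")
            if value:
                break
        if value:
            suspects.append([smartStr.normalize(mountpoint), smartStr.normalize(value)])
    return suspects or None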
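def getDNS():
    """Returns the primary and secondary DNS servers and the network adapter.

    The first GUID-named subkey under the Network class key is taken as the
    adapter and its ``DhcpNameServer`` value is read.  Returns
    ``(primary_dns, secondary_dns, adapterID)``, or ``(None, None, None)``
    when no adapter subkey is found.  A value holding exactly two
    space-separated servers is split; any other value is returned whole as
    the primary with "" as the secondary.
    """
    key = "HKEY_LOCAL_MACHINE"
    path_to_adapter = r"SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}"
    # None (key unreadable) used to raise TypeError in the loop below.
    adapter_subkeys = regOps.discoverSubkeys(key, path_to_adapter) or []
    adapterID = next((subkey for subkey in adapter_subkeys if subkey.startswith("{")), None)
    if adapterID is None:
        return None, None, None
    # NOTE(review): only the DHCP-assigned servers are read; a statically
    # configured "NameServer" value on the same interface key is not
    # consulted - confirm that is intended for DNS-hijack detection.
    DNS = regOps.getRegistryValue(
        key,
        r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%s" % adapterID,
        "DhcpNameServer")
    servers = DNS.split(" ") if DNS else []
    if len(servers) == 2:
        primary_dns, secondary_dns = servers
    else:
        primary_dns, secondary_dns = DNS, ""
    return primary_dns, secondary_dns, adapterID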
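def getSvchostAnomalies(whitelist):
    """Report ``netsvcs`` group members that are not in *whitelist*.

    For each unexpected service the DLL named by its
    ``Parameters\\ServiceDll`` value is looked up.  Returns a list of
    ``(service_name, dll)`` tuples, empty when nothing is suspicious or the
    ``netsvcs`` value cannot be read.
    """
    hklm = "HKEY_LOCAL_MACHINE"
    members = regOps.getRegistryValue(
        hklm, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost", "netsvcs")
    anomalies = []
    # A falsy return is how the other lookups in this file signal "missing";
    # the loop previously raised TypeError on None.
    for service in members or []:
        if service in whitelist:
            continue
        dll = regOps.getRegistryValue(
            hklm, r"SYSTEM\CurrentControlSet\Services\%s\Parameters" % service, "ServiceDll")
        # A member without a ServiceDll is still reported; the value may only
        # be populated after a reboot.
        anomalies.append((service, dll or "Unknown. You may need to restart the system."))
    return anomalies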
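def getLSP():
    """Returns the LSP catalog as ``(Num_Catalog_Entries, entries)``.

    Each entry is ``("Catalog_Entry <n>", dll_path)`` where the path is the
    PackedCatalogItem value cut after the first ".dll".  The list is empty
    when Catalog_Entries cannot be enumerated; an entry whose
    PackedCatalogItem is missing is reported with the path "unknown" rather
    than aborting the scan (it previously raised AttributeError).
    """
    key = "HKEY_LOCAL_MACHINE"
    catalog_key = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9"
    entries_key = catalog_key + r"\Catalog_Entries"
    num_entries = regOps.getRegistryValue(key, catalog_key, "Num_Catalog_Entries")
    lsp_list = []
    for folder in regOps.discoverSubkeys(key, entries_key) or []:
        # Subkeys are normally zero-padded numbers; int() strips the padding
        # for the label.  A non-numeric name is kept verbatim instead of
        # raising ValueError.
        try:
            label = int(folder)
        except ValueError:
            label = folder
        packed = regOps.getRegistryValue(key, entries_key + "\\" + folder, "PackedCatalogItem")
        if packed:
            # NOTE(review): assumes getRegistryValue returns the REG_BINARY
            # item as str; a bytes object would not split on ".dll" - verify.
            folder_path = packed.split(".dll")[0] + ".dll"
        else:
            folder_path = "unknown"
        lsp_list.append(("Catalog_Entry %s" % label, folder_path))
    return num_entries, lsp_list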
def getComponents(source_reg, target_reg, as_subkeys=True):
    """Collect IE components described by a source/target registry pair.

    Names are discovered below source_reg (subkeys when as_subkeys is true,
    value names otherwise).  For each name the default value of the source
    subkey gives the object name ("no name" if absent) and the default
    value of target_reg's subkey pattern, filled with the name, gives the
    executable path ("file missing" if absent).  Returns a list of
    normalized {"subkey", "objname", "exepath"} dicts, [] when nothing is
    discovered.
    """
    src_key, src_subkey = source_reg["key"], source_reg["subkey"]

    def _component(name):
        objname = regOps.getRegistryValue(src_key, src_subkey + "\\" + name, "") or "no name"
        exepath = regOps.getRegistryValue(
            target_reg["key"], target_reg["subkey"] % name, "") or "file missing"
        return {
            "subkey": smartStr.normalize(name),
            "objname": smartStr.normalize(objname),
            "exepath": smartStr.normalize(exepath),
        }

    if as_subkeys:
        names = regOps.discoverSubkeys(src_key, src_subkey)
    else:
        names = regOps.discoverValues(src_key, src_subkey)
    if not names:
        return []
    return [_component(name) for name in names]
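def getImageFilesOptions():
    """Returns a list with suspect IFEO's, or None if nothing is found.

    Every Image File Execution Options subkey carrying a ``Debugger`` value
    is reported as ``[image_name, debugger_command]``, except the
    placeholder entry Windows ships by default.  Returns None when no
    subkey qualifies or the IFEO key cannot be enumerated.
    """
    key = "HKEY_LOCAL_MACHINE"
    IFEO = r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    PLACEHOLDER = "Your Image File Name Here without a path"
    suspects = []
    # A None result (key unreadable) used to raise TypeError here.
    for subkey in regOps.discoverSubkeys(key, IFEO) or []:
        debugger = regOps.getRegistryValue(key, IFEO + "\\" + subkey, "Debugger")
        # A Debugger value makes Windows start the named program in place of
        # the image, so any non-placeholder entry is worth a look.
        if debugger and subkey.strip() != PLACEHOLDER:
            suspects.append([subkey, debugger])
    return suspects or None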
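def getLSP():
    """Return ``(Num_Catalog_Entries, lsp_list)`` from the WinSock2 catalog.

    lsp_list holds one ``("Catalog_Entry <n>", dll_path)`` tuple per
    Catalog_Entries subkey, the path being the PackedCatalogItem value cut
    after the first ".dll".  An unreadable Catalog_Entries key yields an
    empty list and a missing PackedCatalogItem is reported as "unknown"
    instead of raising AttributeError.
    """
    hklm = "HKEY_LOCAL_MACHINE"
    catalog = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9"
    entries = catalog + r"\Catalog_Entries"
    num_entries = regOps.getRegistryValue(hklm, catalog, "Num_Catalog_Entries")
    lsp_list = []
    for folder in regOps.discoverSubkeys(hklm, entries) or []:
        try:
            # Zero-padded numeric names are shown without the padding.
            label = int(folder)
        except ValueError:
            label = folder
        packed = regOps.getRegistryValue(hklm, entries + "\\" + folder, "PackedCatalogItem")
        # NOTE(review): presumes the REG_BINARY item arrives as str - a
        # bytes object would not split on ".dll"; verify against regOps.
        dll_path = packed.split(".dll")[0] + ".dll" if packed else "unknown"
        lsp_list.append(("Catalog_Entry %s" % label, dll_path))
    return num_entries, lsp_list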
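def getImageFilesOptions():
    """Return ``[image_name, debugger]`` pairs for suspect IFEO entries.

    Scans the Image File Execution Options subkeys for a ``Debugger``
    value, ignoring the placeholder entry Windows ships by default.
    Returns None when nothing qualifies or the key cannot be enumerated.
    """
    hklm = "HKEY_LOCAL_MACHINE"
    ifeo = r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    placeholder = "Your Image File Name Here without a path"
    # Guard the None case (key unreadable), which used to raise TypeError.
    subkeys = regOps.discoverSubkeys(hklm, ifeo) or []
    suspects = []
    for image in subkeys:
        if image.strip() == placeholder:
            continue
        debugger = regOps.getRegistryValue(hklm, ifeo + "\\" + image, "Debugger")
        # Windows launches the Debugger program instead of the image itself,
        # which is why every remaining entry is reported.
        if debugger:
            suspects.append([image, debugger])
    return suspects or None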
def checkAssociations(associations):
    """Check which file associations differ from their expected values.

    associations maps "<ROOT>\\<subkey>" registry paths to the expected
    default value.  Returns a list of ``(class_name, actual_value)`` tuples
    for every path whose default value is not the expected one; the class
    name is the first path element after "Classes\\".
    """
    anomalies = []
    for full_key, expected_value in associations.items():
        root, _, subkey = full_key.partition("\\")
        actual = regOps.getRegistryValue(root, subkey, "")
        if actual == expected_value:
            continue
        class_name = subkey.split("Classes\\")[-1].split("\\")[0]
        anomalies.append((class_name, actual))
    return anomalies
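def _startupEntries(folder_path):
    """List one startup folder with ``dir /a/b`` and normalize its entries.

    Empty lines and ``.ini`` entries (desktop.ini) are dropped; the result
    may be empty when the folder is missing or the listing fails.
    """
    # folder_path is registry data passed as its own argv element;
    # presumably commandHandler.getOutput does not re-join the list through
    # a shell - confirm before relying on it for user-writable keys.
    output = commandHandler.getOutput(["dir", "/a/b", smartStr.normalize(folder_path)])
    kept = []
    for entry in output.split("\n"):
        if entry == "" or entry.strip().lower().endswith(".ini"):
            continue
        kept.append(smartStr.normalize(entry))
    return kept


def getStartups():
    """Returns two lists, with global startups and user startups.

    The folder paths are read from the per-user and per-machine Explorer
    "Shell Folders" keys.  Returns ``(global_startups, user_startups)``;
    the lists may be empty if something goes wrong.
    """
    shell_folders = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\"
    user_startup_path = regOps.getRegistryValue("HKEY_CURRENT_USER", shell_folders, "Startup")
    global_startup_path = regOps.getRegistryValue(
        "HKEY_LOCAL_MACHINE", shell_folders.replace("Software", "SOFTWARE", 1), "common startup")
    # Single-pass filtering replaces the remove-while-iterating loops that
    # rescanned the list for each dropped entry.
    global_startups = _startupEntries(global_startup_path)
    user_startups = _startupEntries(user_startup_path)
    return global_startups, user_startups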
def checkAssociations(associations):
    """Compare registry default values with the expected file associations.

    Keys of *associations* are "<ROOT>\\<subkey>" paths, values the
    expected default value.  Returns ``[(class_name, actual_value), ...]``
    for each mismatch, class_name being the first path element after
    "Classes\\"; an empty list means everything matched.
    """
    def _class_name(subkey):
        return subkey.split("Classes\\")[-1].split("\\")[0]

    mismatches = []
    for full_key in associations:
        root, _, subkey = full_key.partition("\\")
        actual = regOps.getRegistryValue(root, subkey, "")
        if actual != associations[full_key]:
            mismatches.append((_class_name(subkey), actual))
    return mismatches
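def getWinlogonEntries(whitelist):
    """Searches for winlogon entries which are not part of the whitelist and returns a list.

    Enumerates the Winlogon\\Notify subkeys that getOutcastKeys does not
    whitelist and reads each one's ``DLLName`` value.  Returns a list of
    ``(subkey_name, dll_path)`` tuples; entries without a DLLName are left
    out and the list is empty when there are no outcasts.
    """
    key = "HKEY_LOCAL_MACHINE"
    subkey = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
    suspect_entries = []
    for outcast in getOutcastKeys(key, subkey, whitelist) or []:
        # The notification package's DLL is recorded in "DLLName".  The
        # previous lookup used " DLLName" (leading space), which never
        # matched and so silently hid every entry.
        entry_path = regOps.getRegistryValue(key, subkey + "\\" + outcast, "DLLName")
        if outcast and entry_path:
            suspect_entries.append((outcast, entry_path))
    return suspect_entries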
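def getWinlogonEntries(whitelist):
    """Return ``(name, dll_path)`` for Winlogon\\Notify subkeys not whitelisted.

    getOutcastKeys supplies the non-whitelisted subkey names; for each one
    the ``DLLName`` value is read and the pair reported when both the name
    and the value are non-empty.  Returns an empty list when there are no
    outcasts or none of them names a DLL.
    """
    hklm = "HKEY_LOCAL_MACHINE"
    notify = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
    suspect_entries = []
    for outcast in getOutcastKeys(hklm, notify, whitelist) or []:
        if not outcast:
            continue
        # Value name fixed from " DLLName" (leading space), which could
        # never match and so suppressed every result.
        dll_path = regOps.getRegistryValue(hklm, notify + "\\" + outcast, "DLLName")
        if dll_path:
            suspect_entries.append((outcast, dll_path))
    return suspect_entries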
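def getDNS():
    """Return ``(primary_dns, secondary_dns, adapterID)`` for the first adapter.

    The adapter is the first GUID-named subkey under the Network class key;
    its ``DhcpNameServer`` value supplies the servers.  Exactly two
    space-separated servers are split into primary and secondary, any other
    value is returned whole as the primary with "" as the secondary.
    ``(None, None, None)`` is returned when no adapter subkey exists or the
    class key cannot be enumerated (previously a TypeError).
    """
    hklm = "HKEY_LOCAL_MACHINE"
    network_class = r"SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}"
    adapterID = None
    for subkey in regOps.discoverSubkeys(hklm, network_class) or []:
        if subkey.startswith("{"):
            adapterID = subkey
            break
    if adapterID is None:
        return None, None, None
    # NOTE(review): a statically configured "NameServer" value on the same
    # interface key is not read; confirm DHCP-only is intended here.
    DNS = regOps.getRegistryValue(
        hklm,
        r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%s" % adapterID,
        "DhcpNameServer")
    parts = DNS.split(" ") if DNS else []
    if len(parts) == 2:
        return parts[0], parts[1], adapterID
    return DNS, "", adapterID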