Exemple #1
0
    def dump(self, key):
        res = PluginResult(key=key)
        res.path = self.cleanup_path(res.path)
        yield res

        for subkey in key.subkeys():
            yield from self.dump(subkey)
Exemple #2
0
    def run(self):
        path = r"Microsoft\Windows NT\CurrentVersion\ProfileList"
        key = self.open_key(path)
        if not key:
            return

        sid_list = list()

        for v in key.subkeys():
            sid_list.append(v.name())

        for sid in sid_list:
            sid_path = path + "\\" + sid
            key2 = self.open_key(sid_path)

            if not key2:
                continue

            for entry in key2.values():
                if entry.name() == "ProfileImagePath":
                    res = PluginResult(key=key, value=entry)
                    user_name = entry.value().split("\\")[-1]
                    res.custom["value"] = "{}:\t{}".format(
                        user_name, key2.name())
                    yield res
Exemple #3
0
    def handle_user_env(self):
        k = self.open_key("Environment")
        if not k:
            return

        for v in k.values():
            r = PluginResult(key=k, value=v)
            r.custom["Name"] = f"%{v.name()}%"
            yield r
Exemple #4
0
    def handle_env_key(self):
        ccs = self.get_currentcontrolset_path()
        k = self.open_key(ccs + "\\Control\\Session Manager\\Environment")
        if not k:
            return

        for v in k.values():
            r = PluginResult(key=k, value=v)

            r.custom["Name"] = f"%{v.name()}%"
            yield r
Exemple #5
0
    def yield_groups(self):
        """Yields a dictionary representation of groups and their members, from the SAM hive"""
        key_groups = self.open_key("SAM\\Domains\\Builtin\\Aliases")
        if not key_groups:
            return

        # Yield a custom structure with information from the SAM hive
        for subkey in key_groups.subkeys():
            if subkey.name().startswith("00000"):
                c_raw = subkey.value("C").value()
                # Header is 13 little-endian unsigned long values and holds among others:
                # - Group's name offset and length
                # - Group's description offset and length
                # - Group members' offset and size (as binary SIDs)
                c_header = struct.unpack("<13L", c_raw[:0x34])
                c_data = c_raw[0x34:]
                c_gname_off = c_header[4]
                c_gname_len = c_header[5]
                c_gdesc_off = c_header[7]
                c_gdesc_len = c_header[8]
                c_gmembers_off = c_header[10]
                c_gmembers_size = c_header[12]

                member_sid_list = []
                off = c_gmembers_off
                for _ in range(c_gmembers_size):
                    # 1 member == 1 binary SID
                    # SID structure:
                    #   + 1 byte (revision, little endian)
                    #   + 1 byte (count of sub auths, little endian)
                    #   + 6 bytes (authority value, big endian)
                    #   + n * 4 bytes where n is the count of sub auths
                    # Look ahead to check the count of sub authorities to compute SID size
                    sub_auth_count = struct.unpack("<B",
                                                   c_data[off + 1:off + 2])[0]
                    sid_size = 8 + sub_auth_count * 4
                    member_sid_list.append(
                        self.sid2asc(c_data[off:off + sid_size]))
                    off += sid_size

                res = PluginResult(key=subkey, value=None)
                res.custom = {
                    "name":
                    c_data[c_gname_off:c_gname_off +
                           c_gname_len].decode("utf-16-le"),
                    "desc":
                    c_data[c_gdesc_off:c_gdesc_off +
                           c_gdesc_len].decode("utf-16-le"),
                    "size":
                    c_gmembers_size,
                    "member_sids":
                    member_sid_list,
                }
                yield res
Exemple #6
0
    def handle_windows_nt_currentversion(self):
        k = self.open_key("Microsoft\\Windows NT\\CurrentVersion")
        if not k:
            return

        try:
            v = k.value("SystemRoot")
            r = PluginResult(key=k, value=v)
            r.custom["Name"] = "%SystemRoot%"
            yield r
        except RegistryValueNotFoundException:
            pass
Exemple #7
0
    def run(self):
        key = self.open_key(r"Software\Microsoft\Terminal Server Client\Servers")
        if not key:
            return

        for subkey in key.subkeys():
            try:
                username = subkey.value("UsernameHint").value()
            except Registry.RegistryValueNotFoundException:
                username = ""

            res = PluginResult(key=subkey, value=None)
            res.custom["username"] = username
            yield res
Exemple #8
0
    def run(self):
        key = self.open_key(self.get_currentcontrolset_path() + "\\Services")
        if not key:
            return

        for service in key.subkeys():
            try:
                image_path = service.value("ImagePath").value()
            except Registry.RegistryValueNotFoundException:
                image_path = "N/A"

            res = PluginResult(key=service, value=None)
            res.custom["image_path"] = image_path
            yield res
Exemple #9
0
    def run(self):
        k = self.open_key(r"Microsoft\Security Center\Provider\Av")
        if not k:
            return

        for subkey in k.subkeys():
            r = PluginResult(key=subkey)
            r.custom = {
                "DisplayName": subkey.value("DISPLAYNAME").value(),
                "ProductExe": subkey.value("PRODUCTEXE").value(),
                "ReportingExe": subkey.value("REPORTINGEXE").value(),
                "State": " | ".join(self.parse_state(subkey.value("STATE").value())),
            }
            yield r
Exemple #10
0
    def run(self):
        key = self.open_key(self.get_currentcontrolset_path() + r"\Control\Session Manager\AppCompatCache") or \
              self.open_key(self.get_currentcontrolset_path() + r"\Control\Session Manager\AppCompatibility")

        if not key:
            return

        for entry in read_cache(key.value("AppCompatCache").value()):
            res = PluginResult(key=key, value=None)
            res.custom["date"] = entry[0]
            if type(entry[2]) == bytes:
                res.custom["path"] = entry[2].decode("utf8")
            else:
                res.custom["path"] = entry[2]
            yield res
Exemple #11
0
    def run(self):
        ccs = self.get_currentcontrolset_path()
        if not ccs:
            return

        for proto in ["tcp", "udp"]:
            key = self.open_key(ccs + "\\Services\\PortProxy\\v4tov4\\" +
                                proto)
            if not key:
                continue

            for value in key.values():
                res = PluginResult(key=key, value=value)
                res.custom["proto"] = proto
                yield res
Exemple #12
0
    def run(self):

        key = self.open_key(self.get_currentcontrolset_path() +
                            r"\Control\Windows")
        if not key:
            return

        for v in key.values():
            if v.name() == "ShutdownTime":
                binary = struct.unpack("<Q", v.value())[0]
                dt = parse_windows_timestamp(binary)
                value = dt.isoformat("T") + "Z"
                res = PluginResult(key=key, value=v)
                res.custom["LastShutdownTime"] = value
                yield res
Exemple #13
0
    def run(self):
        key = self.open_key("Microsoft\\Windows NT\\CurrentVersion")
        if not key:
            return

        value = key.value("ProductName")
        yield PluginResult(key=key, value=value)
Exemple #14
0
    def run(self):
        key = self.open_key(
            "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"
        )
        if not key:
            return

        for subkey in key.subkeys():
            if subkey.name() not in GUIDS:
                continue

            count_key = subkey.subkey("Count")
            for entry in count_key.values():
                res = PluginResult(key=count_key, value=entry)
                res.custom["userassist"] = UAObject(entry.name(), entry.value())
                yield res
Exemple #15
0
    def run(self):
        key = self.open_key(r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs")
        if not key:
            return

        for v in key.values():
            if v.name() == "MRUListEx":
                continue
    
            binary = v.value()
            offset_str_end = binary.find(b"\x00\x00")
            docname = binary[:offset_str_end+1].decode("utf16")

            res = PluginResult(key=key, value=v)
            res.custom['docname'] = docname
            yield res
Exemple #16
0
    def process_key(self, k):
        r = PluginResult(key=k)

        values = [x.name() for x in k.values()]

        r.custom = {
            "AlwaysOnline":
            k.value("Always_Online").value() == 1,
            "ClientID":
            k.value("ClientID").value(),
            "LastStartupTime":
            k.value("LastStartupTime") if "LastStartupTime" in values else -1,
            "Version":
            k.value("Version").value(),
        }
        yield r
Exemple #17
0
    def run(self):
        k = self.open_key(r"Printers\ConvertUserDevModesCount")
        if not k:
            return

        for v in k.values():
            r = PluginResult(key=k, value=v)
            yield r
Exemple #18
0
    def run(self):
        k = self.open_key(r"Microsoft\Windows NT\CurrentVersion\Ports")
        if not k:
            return

        for v in k.values():
            r = PluginResult(key=k, value=v)
            yield r
Exemple #19
0
    def run(self):
        key = self.open_key(r"Software\Microsoft\Terminal Server Client\Default")
        if not key or not key.values():
            return

        for value in key.values():
            res = PluginResult(key=key, value=value)
            yield res
Exemple #20
0
    def run(self):
        k = self.open_key("SAM\\Domains\\Account\\Users\\Names")
        if not k:
            return

        for user in k.subkeys():
            res = PluginResult(key=user, value=None)
            yield res
Exemple #21
0
    def run(self):
        preload = self.open_key("Keyboard Layout\\Preload")
        substitutes = self.open_key("Keyboard Layout\\Substitutes")

        if not preload or not substitutes:
            return

        for preload_value in preload.values():
            preload_txt = preload_value.value()

            try:
                subs = substitutes.value(preload_txt)
            except RegistryValueNotFoundException:
                subs = None

            r = PluginResult(key=preload, value=preload_value)
            r.custom["substitute"] = subs
            yield r
Exemple #22
0
    def run(self):
        key = self.open_key(r"Software\Microsoft\Internet Explorer\TypedURLs")
        if not key:
            return

        self.info(self.guess_username())
        for v in key.values():
            res = PluginResult(key=key, value=v)
            yield res
Exemple #23
0
    def run(self):
        key = self.open_key(self.get_currentcontrolset_path() + "\\Control\\ComputerName\\ComputerName")
        if not key:
            return

        compname = key.value("ComputerName")
        
        res = PluginResult(key=key, value=compname)
        yield res
Exemple #24
0
    def run(self):
        key = self.open_key(
            "Microsoft\\Windows\\CurrentVersion\\SRUM\\Extensions\\")
        if not key:
            return

        for extension_key in key.subkeys():
            v = extension_key.value("(default)")
            res = PluginResult(key=extension_key, value=v)
            yield res
Exemple #25
0
    def run(self):
        k = self.open_key(
            r"Software\Microsoft\Windows\CurrentVersion\Internet Settings")
        if not k:
            return

        r = PluginResult(key=k)

        r.custom["type"] = "proxy"
        r.custom["enabled"] = self.safe_value(k, "ProxyEnabled", 0) == 1
        r.custom["proxy"] = self.safe_value(k, "ProxyServer", "N/A")
        r.custom["exceptions"] = self.safe_value(k, "ProxyOverride", "")

        yield r

        r = PluginResult(key=k)
        r.custom["type"] = "autoconfig"
        r.custom["proxypac"] = self.safe_value(k, "AutoConfigURL", "N/A")

        yield r
Exemple #26
0
    def run(self):
        key = self.open_key(
            "Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI")
        if not key:
            return

        for v in key.values():
            if v.name().startswith(
                    "LastLoggedOn") and v.name() != "LastLoggedOnProvider":
                res = PluginResult(key=key, value=v)
                yield res
Exemple #27
0
    def run(self):
        ccs = self.get_currentcontrolset_path()
        if not ccs:
            return

        key = self.open_key(ccs + r"\Control\TimeZoneInformation")
        if not key:
            return

        value = key.value("TimeZoneKeyName")
        yield PluginResult(key=key, value=value)
Exemple #28
0
    def run(self):
        key = self.open_key("Microsoft\\Windows\\CurrentVersion\\Uninstall")
        if not key:
            return

        for program in key.subkeys():
            try:
                display_name = program.value("DisplayName").value()
            except Registry.RegistryValueNotFoundException:
                display_name = "[N/A]"

            try:
                uninstall_string = program.value("UninstallString").value()
            except Registry.RegistryValueNotFoundException:
                uninstall_string = "[N/A]"

            res = PluginResult(key=program)
            res.custom["display_name"] = display_name
            res.custom["uninstall_string"] = uninstall_string
            yield res
Exemple #29
0
    def run(self):
        k = self.open_key(r"Software\SimonTatham\PuTTY")
        if not k:
            return

        # SSH host keys
        try:
            ssh_host_keys = k.subkey("SshHostKeys")
            for v in ssh_host_keys.values():
                name = v.name()
                crypto, host = name.split("@")

                r = PluginResult(key=ssh_host_keys, value=v)
                r.custom["type"] = "sshkey"
                r.custom["crypto"] = crypto
                r.custom["host"] = host

                yield r
        except RegistryKeyNotFoundException:
            self.warning("Could not find SshHostKeys subkey")

        # Saved sessions
        try:
            sessions = k.subkey("Sessions")
            for sess in sessions.subkeys():
                try:
                    name = sess.name()
                    host = sess.value("HostName").value()
                    proto = sess.value("Protocol").value()

                    r = PluginResult(key=sess)
                    r.custom["type"] = "session"
                    r.custom["host"] = host
                    r.custom["protocol"] = proto

                    yield r
                except RegistryValueNotFoundException:
                    self.warning(f"Malformed entry: {sess.name()}")
        except RegistryKeyNotFoundException:
            self.warning("Could not find Sessions subkey")
Exemple #30
0
    def run(self):
        key = self.open_key(self.get_currentcontrolset_path() + "\\Services")
        if not key:
            return

        for service in key.subkeys():
            values = [x.name() for x in service.values()]

            res = PluginResult(key=service, value=None)
            res.custom = {
                "image_path":
                service.value("ImagePath").value()
                if "ImagePath" in values else "N/A",
                "start_mode":
                ServiceStartMode(
                    service.value("Start").value() if "Start" in
                    values else -1),
                "description":
                service.value("Description").value()
                if "Description" in values else "N/A",
            }
            yield res