def dump(self, key): res = PluginResult(key=key) res.path = self.cleanup_path(res.path) yield res for subkey in key.subkeys(): yield from self.dump(subkey)
def run(self): path = r"Microsoft\Windows NT\CurrentVersion\ProfileList" key = self.open_key(path) if not key: return sid_list = list() for v in key.subkeys(): sid_list.append(v.name()) for sid in sid_list: sid_path = path + "\\" + sid key2 = self.open_key(sid_path) if not key2: continue for entry in key2.values(): if entry.name() == "ProfileImagePath": res = PluginResult(key=key, value=entry) user_name = entry.value().split("\\")[-1] res.custom["value"] = "{}:\t{}".format( user_name, key2.name()) yield res
def handle_user_env(self): k = self.open_key("Environment") if not k: return for v in k.values(): r = PluginResult(key=k, value=v) r.custom["Name"] = f"%{v.name()}%" yield r
def handle_env_key(self): ccs = self.get_currentcontrolset_path() k = self.open_key(ccs + "\\Control\\Session Manager\\Environment") if not k: return for v in k.values(): r = PluginResult(key=k, value=v) r.custom["Name"] = f"%{v.name()}%" yield r
def yield_groups(self): """Yields a dictionary representation of groups and their members, from the SAM hive""" key_groups = self.open_key("SAM\\Domains\\Builtin\\Aliases") if not key_groups: return # Yield a custom structure with information from the SAM hive for subkey in key_groups.subkeys(): if subkey.name().startswith("00000"): c_raw = subkey.value("C").value() # Header is 13 little-endian unsigned long values and holds among others: # - Group's name offset and length # - Group's description offset and length # - Group members' offset and size (as binary SIDs) c_header = struct.unpack("<13L", c_raw[:0x34]) c_data = c_raw[0x34:] c_gname_off = c_header[4] c_gname_len = c_header[5] c_gdesc_off = c_header[7] c_gdesc_len = c_header[8] c_gmembers_off = c_header[10] c_gmembers_size = c_header[12] member_sid_list = [] off = c_gmembers_off for _ in range(c_gmembers_size): # 1 member == 1 binary SID # SID structure: # + 1 byte (revision, little endian) # + 1 byte (count of sub auths, little endian) # + 6 bytes (authority value, big endian) # + n * 4 bytes where n is the count of sub auths # Look ahead to check the count of sub authorities to compute SID size sub_auth_count = struct.unpack("<B", c_data[off + 1:off + 2])[0] sid_size = 8 + sub_auth_count * 4 member_sid_list.append( self.sid2asc(c_data[off:off + sid_size])) off += sid_size res = PluginResult(key=subkey, value=None) res.custom = { "name": c_data[c_gname_off:c_gname_off + c_gname_len].decode("utf-16-le"), "desc": c_data[c_gdesc_off:c_gdesc_off + c_gdesc_len].decode("utf-16-le"), "size": c_gmembers_size, "member_sids": member_sid_list, } yield res
def handle_windows_nt_currentversion(self): k = self.open_key("Microsoft\\Windows NT\\CurrentVersion") if not k: return try: v = k.value("SystemRoot") r = PluginResult(key=k, value=v) r.custom["Name"] = "%SystemRoot%" yield r except RegistryValueNotFoundException: pass
def run(self): key = self.open_key(r"Software\Microsoft\Terminal Server Client\Servers") if not key: return for subkey in key.subkeys(): try: username = subkey.value("UsernameHint").value() except Registry.RegistryValueNotFoundException: username = "" res = PluginResult(key=subkey, value=None) res.custom["username"] = username yield res
def run(self): key = self.open_key(self.get_currentcontrolset_path() + "\\Services") if not key: return for service in key.subkeys(): try: image_path = service.value("ImagePath").value() except Registry.RegistryValueNotFoundException: image_path = "N/A" res = PluginResult(key=service, value=None) res.custom["image_path"] = image_path yield res
def run(self): k = self.open_key(r"Microsoft\Security Center\Provider\Av") if not k: return for subkey in k.subkeys(): r = PluginResult(key=subkey) r.custom = { "DisplayName": subkey.value("DISPLAYNAME").value(), "ProductExe": subkey.value("PRODUCTEXE").value(), "ReportingExe": subkey.value("REPORTINGEXE").value(), "State": " | ".join(self.parse_state(subkey.value("STATE").value())), } yield r
def run(self): key = self.open_key(self.get_currentcontrolset_path() + r"\Control\Session Manager\AppCompatCache") or \ self.open_key(self.get_currentcontrolset_path() + r"\Control\Session Manager\AppCompatibility") if not key: return for entry in read_cache(key.value("AppCompatCache").value()): res = PluginResult(key=key, value=None) res.custom["date"] = entry[0] if type(entry[2]) == bytes: res.custom["path"] = entry[2].decode("utf8") else: res.custom["path"] = entry[2] yield res
def run(self): ccs = self.get_currentcontrolset_path() if not ccs: return for proto in ["tcp", "udp"]: key = self.open_key(ccs + "\\Services\\PortProxy\\v4tov4\\" + proto) if not key: continue for value in key.values(): res = PluginResult(key=key, value=value) res.custom["proto"] = proto yield res
def run(self): key = self.open_key(self.get_currentcontrolset_path() + r"\Control\Windows") if not key: return for v in key.values(): if v.name() == "ShutdownTime": binary = struct.unpack("<Q", v.value())[0] dt = parse_windows_timestamp(binary) value = dt.isoformat("T") + "Z" res = PluginResult(key=key, value=v) res.custom["LastShutdownTime"] = value yield res
def run(self): key = self.open_key("Microsoft\\Windows NT\\CurrentVersion") if not key: return value = key.value("ProductName") yield PluginResult(key=key, value=value)
def run(self): key = self.open_key( "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist" ) if not key: return for subkey in key.subkeys(): if subkey.name() not in GUIDS: continue count_key = subkey.subkey("Count") for entry in count_key.values(): res = PluginResult(key=count_key, value=entry) res.custom["userassist"] = UAObject(entry.name(), entry.value()) yield res
def run(self): key = self.open_key(r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs") if not key: return for v in key.values(): if v.name() == "MRUListEx": continue binary = v.value() offset_str_end = binary.find(b"\x00\x00") docname = binary[:offset_str_end+1].decode("utf16") res = PluginResult(key=key, value=v) res.custom['docname'] = docname yield res
def process_key(self, k): r = PluginResult(key=k) values = [x.name() for x in k.values()] r.custom = { "AlwaysOnline": k.value("Always_Online").value() == 1, "ClientID": k.value("ClientID").value(), "LastStartupTime": k.value("LastStartupTime") if "LastStartupTime" in values else -1, "Version": k.value("Version").value(), } yield r
def run(self): k = self.open_key(r"Printers\ConvertUserDevModesCount") if not k: return for v in k.values(): r = PluginResult(key=k, value=v) yield r
def run(self): k = self.open_key(r"Microsoft\Windows NT\CurrentVersion\Ports") if not k: return for v in k.values(): r = PluginResult(key=k, value=v) yield r
def run(self): key = self.open_key(r"Software\Microsoft\Terminal Server Client\Default") if not key or not key.values(): return for value in key.values(): res = PluginResult(key=key, value=value) yield res
def run(self): k = self.open_key("SAM\\Domains\\Account\\Users\\Names") if not k: return for user in k.subkeys(): res = PluginResult(key=user, value=None) yield res
def run(self): preload = self.open_key("Keyboard Layout\\Preload") substitutes = self.open_key("Keyboard Layout\\Substitutes") if not preload or not substitutes: return for preload_value in preload.values(): preload_txt = preload_value.value() try: subs = substitutes.value(preload_txt) except RegistryValueNotFoundException: subs = None r = PluginResult(key=preload, value=preload_value) r.custom["substitute"] = subs yield r
def run(self): key = self.open_key(r"Software\Microsoft\Internet Explorer\TypedURLs") if not key: return self.info(self.guess_username()) for v in key.values(): res = PluginResult(key=key, value=v) yield res
def run(self): key = self.open_key(self.get_currentcontrolset_path() + "\\Control\\ComputerName\\ComputerName") if not key: return compname = key.value("ComputerName") res = PluginResult(key=key, value=compname) yield res
def run(self): key = self.open_key( "Microsoft\\Windows\\CurrentVersion\\SRUM\\Extensions\\") if not key: return for extension_key in key.subkeys(): v = extension_key.value("(default)") res = PluginResult(key=extension_key, value=v) yield res
def run(self): k = self.open_key( r"Software\Microsoft\Windows\CurrentVersion\Internet Settings") if not k: return r = PluginResult(key=k) r.custom["type"] = "proxy" r.custom["enabled"] = self.safe_value(k, "ProxyEnabled", 0) == 1 r.custom["proxy"] = self.safe_value(k, "ProxyServer", "N/A") r.custom["exceptions"] = self.safe_value(k, "ProxyOverride", "") yield r r = PluginResult(key=k) r.custom["type"] = "autoconfig" r.custom["proxypac"] = self.safe_value(k, "AutoConfigURL", "N/A") yield r
def run(self): key = self.open_key( "Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI") if not key: return for v in key.values(): if v.name().startswith( "LastLoggedOn") and v.name() != "LastLoggedOnProvider": res = PluginResult(key=key, value=v) yield res
def run(self): ccs = self.get_currentcontrolset_path() if not ccs: return key = self.open_key(ccs + r"\Control\TimeZoneInformation") if not key: return value = key.value("TimeZoneKeyName") yield PluginResult(key=key, value=value)
def run(self): key = self.open_key("Microsoft\\Windows\\CurrentVersion\\Uninstall") if not key: return for program in key.subkeys(): try: display_name = program.value("DisplayName").value() except Registry.RegistryValueNotFoundException: display_name = "[N/A]" try: uninstall_string = program.value("UninstallString").value() except Registry.RegistryValueNotFoundException: uninstall_string = "[N/A]" res = PluginResult(key=program) res.custom["display_name"] = display_name res.custom["uninstall_string"] = uninstall_string yield res
def run(self): k = self.open_key(r"Software\SimonTatham\PuTTY") if not k: return # SSH host keys try: ssh_host_keys = k.subkey("SshHostKeys") for v in ssh_host_keys.values(): name = v.name() crypto, host = name.split("@") r = PluginResult(key=ssh_host_keys, value=v) r.custom["type"] = "sshkey" r.custom["crypto"] = crypto r.custom["host"] = host yield r except RegistryKeyNotFoundException: self.warning("Could not find SshHostKeys subkey") # Saved sessions try: sessions = k.subkey("Sessions") for sess in sessions.subkeys(): try: name = sess.name() host = sess.value("HostName").value() proto = sess.value("Protocol").value() r = PluginResult(key=sess) r.custom["type"] = "session" r.custom["host"] = host r.custom["protocol"] = proto yield r except RegistryValueNotFoundException: self.warning(f"Malformed entry: {sess.name()}") except RegistryKeyNotFoundException: self.warning("Could not find Sessions subkey")
def run(self): key = self.open_key(self.get_currentcontrolset_path() + "\\Services") if not key: return for service in key.subkeys(): values = [x.name() for x in service.values()] res = PluginResult(key=service, value=None) res.custom = { "image_path": service.value("ImagePath").value() if "ImagePath" in values else "N/A", "start_mode": ServiceStartMode( service.value("Start").value() if "Start" in values else -1), "description": service.value("Description").value() if "Description" in values else "N/A", } yield res