Exemple #1
0
def dump_memory_hashes(addr_space, config, syshive, samhive):
    if syshive != None and samhive != None:
        sysaddr = hive.HiveAddressSpace(addr_space, config, syshive)
        samaddr = hive.HiveAddressSpace(addr_space, config, samhive)
        return dump_hashes(sysaddr, samaddr)
    return obj.NoneObject(
        "SYSTEM or SAM address is None: Did you use the correct profile?")
Exemple #2
0
def dump_memory_hashes(addr_space, config, syshive, sechive):
    sysaddr = hive.HiveAddressSpace(addr_space, config, syshive)
    secaddr = hive.HiveAddressSpace(addr_space, config, sechive)

    for (u, d, dn, hashh) in dump_hashes(sysaddr, secaddr):
        print("{0}:{1}:{2}:{3}".format(u.lower(), hashh.encode('hex'),
                                       d.lower(), dn.lower()))
Exemple #3
0
def get_memory_secrets(addr_space, config, syshive, sechive):
    if syshive != None and sechive != None:
        sysaddr = hive.HiveAddressSpace(addr_space, config, syshive)
        secaddr = hive.HiveAddressSpace(addr_space, config, sechive)

        return get_secrets(addr_space, sysaddr, secaddr)
    return None
Exemple #4
0
    def calculate(self):
        addr_space = utils.load_as(self._config)
        win7 = addr_space.profile.metadata.get('major', 0) == 6 and addr_space.profile.metadata.get('minor', 0) == 1

        if not self._config.HIVE_OFFSET:
            hive_offsets = [(self.hive_name(h), h.obj_offset) for h in hivelist.HiveList.calculate(self)]
        else:
            hive_offsets = [("User Specified", self._config.HIVE_OFFSET)]

        for name, hoff in set(hive_offsets):
            h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
            root = rawreg.get_root(h)
            if not root:
                if self._config.HIVE_OFFSET:
                    debug.error("Unable to find root key. Is the hive offset correct?")
            else:
                skey = "software\\microsoft\\windows\\currentversion\\explorer\\userassist\\"
                if win7:
                    uakey = skey + "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count"
                    yield win7, name, rawreg.open_key(root, uakey.split('\\'))
                    uakey = skey + "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count"
                    yield win7, name, rawreg.open_key(root, uakey.split('\\'))
                else:
                    uakey = skey + "{75048700-EF1F-11D0-9888-006097DEACF9}\\Count"
                    yield win7, name, rawreg.open_key(root, uakey.split('\\'))
                    uakey = skey + "{5E6AB780-7743-11CF-A12B-00AA004AE837}\\Count"
                    yield win7, name, rawreg.open_key(root, uakey.split('\\'))
Exemple #5
0
    def reg_get_all_keys(self, hive_name, user = None, start = None, end = None, reg = False, rawtime = False):
        '''
        This function enumerates all keys in specified hives and 
        collects lastwrite times.
        '''
        keys = []
        if self.all_offsets == {}:
            self.populate_offsets()
        if self.current_offsets == {}:
            self.set_current(hive_name, user)

        # Collect the root keys 
        for offset in self.current_offsets:
            reg_name = self.current_offsets[offset]
            h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
            root = rawreg.get_root(h)
            if not root:
                pass
            else:
                time = "{0}".format(root.LastWriteTime) if not rawtime else root.LastWriteTime
                if reg:
                    if start and end and str(time) >= start and str(time) <= end:
                        yield (time, reg_name, root.Name)
                    elif start == None and end == None:
                        yield (time, reg_name, root.Name)
                else:
                    if start and end and str(time) >= start and str(time) <= end:
                        yield (time, root.Name)
                    elif start == None and end == None:
                        yield (time, root.Name)
                for s in rawreg.subkeys(root):
                    if reg:
                        keys.append([s, reg_name, root.Name + "\\" + s.Name])
                    else:
                        keys.append([s, root.Name + "\\" + s.Name])

        # Get subkeys
        if reg:
            for k, reg_name, name in keys:
                time = "{0}".format(k.LastWriteTime) if not rawtime else k.LastWriteTime
                if start and end and str(time) >= start and str(time) <= end:
                    yield (time, reg_name, name)
                elif start == None and end == None:
                    yield (time, reg_name, name)
                for s in rawreg.subkeys(k):
                    if name and s.Name:
                        item = name + '\\' + s.Name
                        keys.append([s, reg_name, item])
        else:
            for k, name in keys:
                time = "{0}".format(k.LastWriteTime) if not rawtime else k.LastWriteTime
                if start and end and str(time) >= start and str(time) <= end:
                    yield (time, name)
                elif start == None and end == None:
                    yield (time, name)

                for s in rawreg.subkeys(k):
                    if name and s.Name:
                        item = name + '\\' + s.Name
                        keys.append([s, item])
Exemple #6
0
    def calculate(self):
        addr_space = utils.load_as(self._config)

        if self._config.BRUTE_FORCE:
            hiveroot = hl.HiveList.calculate(self)
        elif not self._config.hive_offset:
            debug.error("No hive offset provided!")
        else:
            hiveroot = [obj.Object("_CMHIVE", self._config.hive_offset, addr_space)]

        hive_offsets = []
        for hive in hiveroot:
            if hive.obj_offset not in hive_offsets:
                try:
                    name = hive.FileFullPath.v() or hive.FileUserName.v() or hive.HiveRootPath.v() or "[no name]"
                except:
                    name = "[no name]"
                hive_offsets.append(hive.obj_offset)
                h = hivemod.HiveAddressSpace(addr_space, self._config, hive.obj_offset)
                root = rawreg.get_root(h)
                if not root:
                    if not self._config.BRUTE_FORCE:
                        debug.error("Unable to find root key. Is the hive offset correct?")
                else:
                    if self._config.KEY:
                        yield name, rawreg.open_key(root, self._config.KEY.split('\\'))
                    else:
                        yield name, root
Exemple #7
0
    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self._config.HIVE_OFFSET:
            hive_offsets = {
                h.obj_offset
                for h in hivelist.HiveList.calculate(self)
            }
        else:
            hive_offsets = {self._config.HIVE_OFFSET}

        for hoff in sorted(list(hive_offsets)):
            h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
            name = obj.Object("_CMHIVE", vm=addr_space, offset=hoff).get_name()
            root = rawreg.get_root(h)
            if not root:
                if self._config.HIVE_OFFSET:
                    debug.error(
                        "Unable to find root key. Is the hive offset correct?")
            else:
                if self._config.KEY:
                    opened_key = rawreg.open_key(root,
                                                 self._config.KEY.split('\\'))
                    yield name, opened_key
                else:
                    yield name, root
Exemple #8
0
    def calculate(self):
        addr_space = utils.load_as(self._config)
        regapi = registryapi.RegistryApi(self._config)

        software_hive = "SOFTWARE"
        uninstall = "Microsoft\\Windows\\CurrentVersion\\Uninstall"

        hive_offsets = []
        if not self._config.HIVE_OFFSET:
            for h in hivelist.HiveList.calculate(self):
                hive_name = self.hive_name(h)
                if software_hive in hive_name:
                    hive_offsets = [(hive_name, h.obj_offset)]
        else:
            hive_offsets = [("User Specified", self._config.HIVE_OFFSET)]

        for name, hoff in set(hive_offsets):
            h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
            root = rawreg.get_root(h)
            if not root:
                if self._config.HIVE_OFFSET:
                    debug.error(
                        "Unable to find root key. Is the hive offset correct?")
            else:
                uninstall_key = rawreg.open_key(root, uninstall.split('\\'))
                if uninstall_key:
                    yield name, uninstall_key
                else:
                    outfd.write(
                        "The requested key could not be found in the hive(s) searched\n"
                    )
Exemple #9
0
    def calculate(self):
        addr_space = utils.load_as(self._config)
        
        #scan for registries and populate them:
        print "Scanning for registries...."
        self.populate_offsets()

        #set our current registry of interest and get its path
        #and get current control set
        print "Getting Current Control Set...."
        currentcs = "ControlSet001"
        self.set_current('system')
        for o in self.current_offsets:
            sysaddr = hivemod.HiveAddressSpace(addr_space, self._config, o)
            cs = find_control_set(sysaddr)
            currentcs = "ControlSet{0:03}".format(cs)

        #set the services root. 
        print "Getting Services and calculating SIDs...."
        services = self.reg_get_key('system', currentcs + '\\' + 'Services')
        if services:
            for s in rawreg.subkeys(services):
                if s.Name not in servicesids.values():
                    sid = createservicesid(str(s.Name))
                    yield sid, str(s.Name)
        for sid in servicesids:
            yield sid, servicesids[sid]
Exemple #10
0
    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self._config.hive_offset:
            debug.error("A Hive offset must be provided (--hive-offset)")

        h = hivemod.HiveAddressSpace(addr_space, self._config, self._config.hive_offset)
        return rawreg.get_root(h)
Exemple #11
0
def dump_memory_hashes(addr_space, config, syshive, sechive):
    hashes = []
    if syshive != None and sechive != None:
        sysaddr = hive.HiveAddressSpace(addr_space, config, syshive)
        secaddr = hive.HiveAddressSpace(addr_space, config, sechive)
        hashes = dump_hashes(addr_space, sysaddr, secaddr)

    if hashes == []:
        return obj.NoneObject("Unable to find hashes")
    else:
        result = []
        for (u, d, dn, hashh) in hashes:
            result.append("{0}:{1}:{2}:{3}".format(
                u.encode('utf-8', 'ignore').lower(), hashh.encode('hex'),
                d.encode('utf-8', 'ignore').lower(),
                dn.encode('utf-8', 'ignore').lower()))
        return result
Exemple #12
0
 def calculate(self):
     if self._config.DUMP_DIR == None:
         debug.error("Please specify a dump directory (--dump-dir)")
     addr_space = utils.load_as(self._config)
     if self._config.HIVE_OFFSET:
         name = obj.Object("_CMHIVE",
                           vm=addr_space,
                           offset=self._config.HIVE_OFFSET).get_name()
         yield self.fixname(
             name, self._config.HIVE_OFFSET), hivemod.HiveAddressSpace(
                 addr_space, self._config, self._config.HIVE_OFFSET)
     else:
         regapi = registryapi.RegistryApi(self._config)
         for offset in regapi.all_offsets:
             name = self.fixname(regapi.all_offsets[offset], offset)
             yield name, hivemod.HiveAddressSpace(addr_space, self._config,
                                                  offset)
Exemple #13
0
    def get_autoruns(self):
        debug.debug("Getting offsets")
        addr_space = utils.load_as(self._config)
        hive_offsets = [
            h.obj_offset for h in hivelist.HiveList.calculate(self)
        ]
        debug.debug("Found %s hives" % len(hive_offsets))
        hives = {}
        ntuser_hive_roots = []
        software_hive_root = None
        system_hive_root = None

        # Cycle through all hives until we find NTUSER.DAT or SOFTWARE
        # This enables us to search all memory-resident NTUSER.DAT hives

        for hoff in set(hive_offsets):
            h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)

            name = self.hive_name(
                obj.Object("_CMHIVE", vm=addr_space, offset=hoff))
            root = rawreg.get_root(h)

            if 'ntuser.dat' in name.split('\\')[-1].lower():
                keys = NTUSER_RUN_KEYS
                ntuser_hive_roots.append(root)
            elif 'software' in name.split('\\')[-1].lower():
                keys = SOFTWARE_RUN_KEYS
                software_hive_root = root
            elif 'system' in name.split('\\')[-1].lower():
                system_hive_root = root
                continue
            else:
                continue

            debug.debug("Searching for keys in %s" % name)

            for full_key in keys:
                results = []
                debug.debug("  Opening %s" % (full_key))
                key = rawreg.open_key(root, full_key.split('\\'))
                results = self.parse_autoruns_key(key)

                if len(results) > 0:
                    h = hives.get(name, {})
                    h[(full_key, key.LastWriteTime)] = results
                    hives[name] = h

        return hives
Exemple #14
0
 def reg_get_currentcontrolset(self, fullname = True):
     '''
     get the CurrentControlSet
         If fullname is not specified, we only get the number like "1" or "2" etc
         The default is ControlSet00{#} so we can append it to the desired key path
         We return None if it fails, so you need to verify before using.
     '''
     for offset in self.all_offsets:
         name = self.all_offsets[offset] + " "
         if name.lower().find("\\system ") != -1:
             sysaddr = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
             if fullname:
                 return "ControlSet00{0}".format(hashdump.find_control_set(sysaddr))
             else:
                 return hashdump.find_control_set(sysaddr)
     return None
Exemple #15
0
 def reg_yield_key(self, hive_name, key, user = None, given_root = None):
     ''' 
     Use this function if you are collecting keys from more than one hive
     '''
     if self.all_offsets == {}:
         self.populate_offsets()
     if self.current_offsets == {}:
         self.set_current(hive_name, user)
     if key:
         for offset in self.current_offsets:
             name = self.current_offsets[offset]
             if given_root == None:
                 h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
                 root = rawreg.get_root(h)
             else:
                 root = given_root
             if root != None:
                 k = rawreg.open_key(root, key.split('\\'))
                 if k:
                     yield k, name
Exemple #16
0
 def reg_get_key(self, hive_name, key, user = None, given_root = None):
     '''
     Returns a key from a requested hive; assumes this is from a single hive
     if more than one hive is specified, the hive/key found is returned
     '''
     if self.all_offsets == {}:
         self.populate_offsets()
     if self.current_offsets == {}:
         self.set_current(hive_name, user)
     if key:
         for offset in self.current_offsets:
             if given_root == None:
                 h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
                 root = rawreg.get_root(h)
             else:
                 root = given_root
             if root != None:
                 k = rawreg.open_key(root, key.split('\\'))
                 if k:
                     return k
     return None
Exemple #17
0
    def calculate(self):
        addr_space = utils.load_as(self._config)
        regapi = registryapi.RegistryApi(self._config)

        user_hive = "ntuser.dat"
        trustrecords = {
            "Software\\Microsoft\\Office\\14.0\\Word\\Security\\Trusted Documents\\TrustRecords",
            "Software\\Microsoft\\Office\\14.0\\Excel\\Security\\Trusted Documents\\TrustRecords",
            "Software\\Microsoft\\Office\\14.0\\PowerPoint\\Security\\Trusted Documents\\TrustRecords",
            "Software\\Microsoft\\Office\\14.0\\Access\\Security\\Trusted Documents\\TrustRecords",
        }

        hive_offsets = {}
        if not self._config.HIVE_OFFSET:
            for h in hivelist.HiveList.calculate(self):
                hive_name = self.hive_name(h)
                if user_hive in hive_name.lower():
                    hive_offsets[h.obj_offset] = hive_name
        else:
            hive_offsets = [("User Specified", self._config.HIVE_OFFSET)]

        found = False
        for hoff, name in hive_offsets.iteritems():
            h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
            root = rawreg.get_root(h)
            if not root:
                if self._config.HIVE_OFFSET:
                    debug.error(
                        "Unable to find root key. Is the hive offset correct?")
            else:
                for r in trustrecords:
                    trustrecord_key = rawreg.open_key(root, r.split('\\'))
                    if trustrecord_key:
                        yield name, r, trustrecord_key
                        found = True

        if not found:
            debug.error(
                "The requested key could not be found in the hive(s) searched\n"
            )
Exemple #18
0
    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self._config.HIVE_OFFSET:
            hive_offsets = [(self.hive_name(h), h.obj_offset)
                            for h in hivelist.HiveList.calculate(self)]
        else:
            hive_offsets = [("User Specified", self._config.HIVE_OFFSET)]

        for name, hoff in set(hive_offsets):
            h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
            root = rawreg.get_root(h)
            if not root:
                if self._config.HIVE_OFFSET:
                    debug.error(
                        "Unable to find root key. Is the hive offset correct?")
            else:
                if self._config.KEY:
                    yield name, rawreg.open_key(root,
                                                self._config.KEY.split('\\'))
                else:
                    yield name, root
Exemple #19
0
    def get_registry_keys(self):

        addr_space = utils.load_as(self._config)

        hl = hivelist.HiveList(self._config)

        if not self._config.HIVE_OFFSET:
            hive_offsets = [h.obj_offset for h in hl.calculate()]
        else:
            hive_offsets = [self._config.HIVE_OFFSET]

        for hoff in set(hive_offsets):
            h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
            name = obj.Object("_CMHIVE", vm = addr_space, offset = hoff).get_name()
            root = rawreg.get_root(h)
            if not root:
                if self._config.HIVE_OFFSET:
                    self.console_print("Unable to find root key. Is the hive offset correct?")
            else:
                if self._config.KEY:
                    yield name, rawreg.open_key(root, self._config.KEY.split('\\'))
                else:
                    yield name, root
Exemple #20
0
    def calculate(self):
        addr_space = utils.load_as(self._config)
        regapi = registryapi.RegistryApi(self._config)
        hiveset = set()

        if not self._config.HIVE_OFFSET:
            hive_offsets = [
                h.obj_offset for h in hivelist.HiveList.calculate(self)
            ]
        else:
            hive_offsets = [self._config.HIVE_OFFSET]

        for hoff in set(hive_offsets):
            h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
            name = obj.Object("_CMHIVE", vm=addr_space, offset=hoff).get_name()
            print "[debug]", name
            root = rawreg.get_root(h)
            hive = name.split("\\")[-1]
            hiveset.add(hive)

        print hiveset
        for hive in hiveset:
            print "\n========================", hive

            for regtime, keyname in regapi.reg_get_last_modified(hive,
                                                                 count=5):
                print "\n", regtime, keyname
                regapi.set_current(hive_name=hive)
                k = keyname.split('\\')[1:]
                k = '\\'.join(k)
                print k + "\n"
                for value, tp, data in self.reg_yield_values_type(
                        regapi, hive_name=hive, key=k):
                    yield value, tp, data

            regapi.reset_current()
Exemple #21
0
def dump_memory_hashes(addr_space, config, syshive, samhive):
    sysaddr = hive.HiveAddressSpace(addr_space, config, syshive)
    samaddr = hive.HiveAddressSpace(addr_space, config, samhive)
    return dump_hashes(sysaddr, samaddr)
Exemple #22
0
def get_memory_secrets(addr_space, config, syshive, sechive):
    sysaddr = hive.HiveAddressSpace(addr_space, config, syshive)
    secaddr = hive.HiveAddressSpace(addr_space, config, sechive)

    return get_secrets(sysaddr, secaddr)
Exemple #23
0
 def address_space(self):
     return hivemod.HiveAddressSpace(self.obj_vm, self.obj_vm.get_config(), self.obj_offset)