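def getDNS():
    """Return (primary_dns, secondary_dns, adapterID) for the first adapter found.

    The adapter is the first subkey of the Network class key whose name starts
    with "{"; the DNS servers are then read from that interface's Tcpip
    parameters.  A statically configured ``NameServer`` value (the value a DNS
    hijack normally sets) is consulted first and ``DhcpNameServer`` only as a
    fallback, which is the precedence Windows itself applies.

    Returns (None, None, None) when no adapter subkey exists.  When the value
    is empty/None it is returned as primary with "" as secondary, as before.
    Any number of space- or comma-separated servers is accepted; the first
    two are returned and a single server yields "" as secondary (the original
    only handled exactly two and otherwise returned the raw string).
    """
    key = "HKEY_LOCAL_MACHINE"
    # Raw strings: "\N" inside a normal Python 3 literal is a unicode-escape
    # SyntaxError, so "...\Network\..." must not be a plain string.
    path_to_adapter = r"SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}"
    interface_path = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%s"

    # discoverSubkeys may return None for a missing/unreadable key.
    adapter_subkeys = regOps.discoverSubkeys(key, path_to_adapter) or []
    adapterID = next((s for s in adapter_subkeys if s.startswith("{")), None)
    if adapterID is None:
        return None, None, None

    # NOTE(review): the first "{...}" subkey is not necessarily the adapter in
    # use; a caller that needs the active interface must inspect all of them.
    DNS = None
    for value_name in ("NameServer", "DhcpNameServer"):
        DNS = regOps.getRegistryValue(key, interface_path % adapterID, value_name)
        if DNS:
            break

    if not DNS:
        # Keep the original contract for "no value": raw value, "" secondary.
        return DNS, "", adapterID

    # Windows stores the list space-separated (NameServer may use commas).
    servers = DNS.replace(",", " ").split()
    primary_dns = servers[0] if servers else DNS
    secondary_dns = servers[1] if len(servers) > 1 else ""
    return primary_dns, secondary_dns, adapterID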
def getComponents(source_reg, target_reg, as_subkeys=True):
    """Enumerate IE components and return them as a list of dicts.

    Each dict has ``subkey`` (the name found under ``source_reg``), ``objname``
    (that subkey's default value, or "no name") and ``exepath`` (the default
    value of ``target_reg["subkey"] % name``, or "file missing" when the value
    is absent -- this reflects the registry only, not whether a file exists on
    disk).  ``as_subkeys`` chooses between enumerating subkeys or values of
    the source key.  Returns [] when nothing is enumerated.
    """
    discover = regOps.discoverSubkeys if as_subkeys else regOps.discoverValues
    names = discover(source_reg["key"], source_reg["subkey"])
    if not names:
        return []

    def describe(name):
        # Default value of the source entry first, then the target lookup,
        # in the same order the original performed them.
        objname = regOps.getRegistryValue(
            source_reg["key"], source_reg["subkey"] + "\\" + name, "") or "no name"
        exepath = regOps.getRegistryValue(
            target_reg["key"], target_reg["subkey"] % name, "") or "file missing"
        return {
            "subkey": smartStr.normalize(name),
            "objname": smartStr.normalize(objname),
            "exepath": smartStr.normalize(exepath),
        }

    return [describe(name) for name in names]
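def safeBootExists():
    """Return True when HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot has subkeys.

    The SafeBoot subkeys are what a Safe Mode boot relies on, so an empty or
    missing key is worth reporting.  A None result from discoverSubkeys (key
    missing or unreadable) now counts as "not present" instead of raising
    TypeError on len().
    """
    safe_boot_regs = regOps.discoverSubkeys(
        "HKEY_LOCAL_MACHINE", r"SYSTEM\CurrentControlSet\Control\SafeBoot")
    return bool(safe_boot_regs)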
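def getOutcastKeys(key, subkey, whitelist):
    """Return the subkeys of ``key\\subkey`` that are not listed in ``whitelist``.

    Registry key names are case-insensitive on Windows, so membership is
    tested on lower-cased names (a whitelisted "Explorer" no longer flags an
    "explorer" subkey as an outcast); returned entries keep their original
    spelling.  A None result from discoverSubkeys yields [].
    """
    allowed = {name.lower() for name in whitelist}
    entries = regOps.discoverSubkeys(key, subkey) or []
    return [entry for entry in entries if entry.lower() not in allowed]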
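def safeBootExists():
    """Return True when HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot has subkeys.

    The SafeBoot subkeys are what a Safe Mode boot relies on, so an empty or
    missing key is worth reporting.  A None result from discoverSubkeys (key
    missing or unreadable) now counts as "not present" instead of raising
    TypeError on len().
    """
    safe_boot_regs = regOps.discoverSubkeys(
        "HKEY_LOCAL_MACHINE", r"SYSTEM\CurrentControlSet\Control\SafeBoot")
    return bool(safe_boot_regs)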
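def getImageFilesOptions():
    """Return [[image_name, debugger], ...] for IFEO entries with a Debugger value, or None.

    A ``Debugger`` value under an Image File Execution Options subkey makes
    Windows start that program in place of the named image, so every
    non-empty value is reported except Microsoft's sample placeholder key.
    A None from discoverSubkeys (key missing/unreadable) yields None instead
    of raising.
    """
    key = "HKEY_LOCAL_MACHINE"
    IFEO = r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    # Microsoft ships this example subkey; it is not a finding.
    PLACEHOLDER = "Your Image File Name Here without a path"
    # NOTE(review): a 32-bit process on 64-bit Windows may be redirected to
    # the WOW6432Node view; whether regOps handles that is not visible here.
    subkeys = regOps.discoverSubkeys(key, IFEO) or []
    suspects = []
    for subkey in subkeys:
        debugger = regOps.getRegistryValue(key, IFEO + "\\" + subkey, "Debugger")
        if debugger and subkey.strip() != PLACEHOLDER:
            suspects.append([subkey, debugger])
    return suspects or None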
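def getImageFilesOptions():
    """Return [[image_name, debugger], ...] for IFEO entries with a Debugger value, or None.

    A ``Debugger`` value under an Image File Execution Options subkey makes
    Windows start that program in place of the named image, so every
    non-empty value is reported except Microsoft's sample placeholder key.
    A None from discoverSubkeys (key missing/unreadable) yields None instead
    of raising.
    """
    key = "HKEY_LOCAL_MACHINE"
    IFEO = r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    # Microsoft ships this example subkey; it is not a finding.
    PLACEHOLDER = "Your Image File Name Here without a path"
    # NOTE(review): a 32-bit process on 64-bit Windows may be redirected to
    # the WOW6432Node view; whether regOps handles that is not visible here.
    subkeys = regOps.discoverSubkeys(key, IFEO) or []
    suspects = []
    for subkey in subkeys:
        debugger = regOps.getRegistryValue(key, IFEO + "\\" + subkey, "Debugger")
        if debugger and subkey.strip() != PLACEHOLDER:
            suspects.append([subkey, debugger])
    return suspects or None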
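def getMountpoints():
    """Return [[mountpoint, command], ...] for MountPoints2 entries with a shell command, or None.

    For each mountpoint under HKCU the default value of the ``AutoRun``,
    ``explore`` and ``open`` shell\\command keys is tried in that order and
    the first non-empty one is reported (later verbs are not listed when an
    earlier one matched).  A None from discoverSubkeys yields None instead
    of raising.
    """
    main_key = "HKEY_CURRENT_USER"
    base = r"Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    # Raw string so the backslashes are literal; "%s" still formats as usual.
    subkey = base + r"\%s\shell\%s\command"
    mountpoints = regOps.discoverSubkeys(main_key, base) or []
    suspects = []
    for mountpoint in mountpoints:
        value = None
        for verb in ("AutoRun", "explore", "open"):
            value = regOps.getRegistryValue(main_key, subkey % (mountpoint, verb), "")
            if value:
                break
        if value:
            suspects.append([smartStr.normalize(mountpoint), smartStr.normalize(value)])
    return suspects or None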
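def getLSP():
    """Return (Num_Catalog_Entries, [(label, dll_path), ...]) for the Winsock protocol catalog.

    ``num_entries`` is the raw ``Num_Catalog_Entries`` value.  For each
    ``Catalog_Entries`` subkey the DLL path is cut out of the
    ``PackedCatalogItem`` blob: everything up to and including the first
    case-insensitive ".dll" (the original only matched lower-case and would
    return the whole blob plus ".dll" for ".DLL"), otherwise up to the first
    NUL.  A missing blob is reported as "file missing" and a non-numeric
    entry name keeps its raw name in the label; neither raises any more.
    NOTE(review): PackedCatalogItem is REG_BINARY; this assumes
    regOps.getRegistryValue hands it back as text -- confirm before running
    under Python 3, where a bytes blob would need decoding first.
    """
    key = "HKEY_LOCAL_MACHINE"
    catalog = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9"
    entries_key = catalog + r"\Catalog_Entries"

    num_entries = regOps.getRegistryValue(key, catalog, "Num_Catalog_Entries")
    folders = regOps.discoverSubkeys(key, entries_key) or []
    lsp_list = []
    for folder in folders:
        try:
            folder_num = int(folder)
        except ValueError:
            folder_num = folder
        packed = regOps.getRegistryValue(key, entries_key + "\\" + folder, "PackedCatalogItem")
        if not packed:
            dll_path = "file missing"
        else:
            idx = packed.lower().find(".dll")
            # The path is NUL-terminated inside the blob; fall back to that
            # when the extension is not ".dll".
            dll_path = packed[:idx + 4] if idx >= 0 else packed.split("\0")[0]
        lsp_list.append(("Catalog_Entry %s" % folder_num, dll_path))
    return num_entries, lsp_list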
def getComponents(source_reg, target_reg, as_subkeys=True):
    """Enumerate IE components and return them as a list of dicts.

    Each dict has ``subkey`` (the name found under ``source_reg``), ``objname``
    (that subkey's default value, or "no name") and ``exepath`` (the default
    value of ``target_reg["subkey"] % name``, or "file missing" when the value
    is absent -- this reflects the registry only, not whether a file exists on
    disk).  ``as_subkeys`` chooses between enumerating subkeys or values of
    the source key.  Returns [] when nothing is enumerated.
    """
    discover = regOps.discoverSubkeys if as_subkeys else regOps.discoverValues
    names = discover(source_reg["key"], source_reg["subkey"])
    if not names:
        return []

    def describe(name):
        # Default value of the source entry first, then the target lookup,
        # in the same order the original performed them.
        objname = regOps.getRegistryValue(
            source_reg["key"], source_reg["subkey"] + "\\" + name, "") or "no name"
        exepath = regOps.getRegistryValue(
            target_reg["key"], target_reg["subkey"] % name, "") or "file missing"
        return {
            "subkey": smartStr.normalize(name),
            "objname": smartStr.normalize(objname),
            "exepath": smartStr.normalize(exepath),
        }

    return [describe(name) for name in names]
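def getLSP():
    """Return (Num_Catalog_Entries, [(label, dll_path), ...]) for the Winsock protocol catalog.

    ``num_entries`` is the raw ``Num_Catalog_Entries`` value.  For each
    ``Catalog_Entries`` subkey the DLL path is cut out of the
    ``PackedCatalogItem`` blob: everything up to and including the first
    case-insensitive ".dll" (the original only matched lower-case and would
    return the whole blob plus ".dll" for ".DLL"), otherwise up to the first
    NUL.  A missing blob is reported as "file missing" and a non-numeric
    entry name keeps its raw name in the label; neither raises any more.
    NOTE(review): PackedCatalogItem is REG_BINARY; this assumes
    regOps.getRegistryValue hands it back as text -- confirm before running
    under Python 3, where a bytes blob would need decoding first.
    """
    key = "HKEY_LOCAL_MACHINE"
    catalog = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9"
    entries_key = catalog + r"\Catalog_Entries"

    num_entries = regOps.getRegistryValue(key, catalog, "Num_Catalog_Entries")
    folders = regOps.discoverSubkeys(key, entries_key) or []
    lsp_list = []
    for folder in folders:
        try:
            folder_num = int(folder)
        except ValueError:
            folder_num = folder
        packed = regOps.getRegistryValue(key, entries_key + "\\" + folder, "PackedCatalogItem")
        if not packed:
            dll_path = "file missing"
        else:
            idx = packed.lower().find(".dll")
            # The path is NUL-terminated inside the blob; fall back to that
            # when the extension is not ".dll".
            dll_path = packed[:idx + 4] if idx >= 0 else packed.split("\0")[0]
        lsp_list.append(("Catalog_Entry %s" % folder_num, dll_path))
    return num_entries, lsp_list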
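def getDNS():
    """Return (primary_dns, secondary_dns, adapterID) for the first adapter found.

    The adapter is the first subkey of the Network class key whose name starts
    with "{"; the DNS servers are then read from that interface's Tcpip
    parameters.  A statically configured ``NameServer`` value (the value a DNS
    hijack normally sets) is consulted first and ``DhcpNameServer`` only as a
    fallback, which is the precedence Windows itself applies.

    Returns (None, None, None) when no adapter subkey exists.  When the value
    is empty/None it is returned as primary with "" as secondary, as before.
    Any number of space- or comma-separated servers is accepted; the first
    two are returned and a single server yields "" as secondary (the original
    only handled exactly two and otherwise returned the raw string).
    """
    key = "HKEY_LOCAL_MACHINE"
    # Raw strings: "\N" inside a normal Python 3 literal is a unicode-escape
    # SyntaxError, so "...\Network\..." must not be a plain string.
    path_to_adapter = r"SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}"
    interface_path = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%s"

    # discoverSubkeys may return None for a missing/unreadable key.
    adapter_subkeys = regOps.discoverSubkeys(key, path_to_adapter) or []
    adapterID = next((s for s in adapter_subkeys if s.startswith("{")), None)
    if adapterID is None:
        return None, None, None

    # NOTE(review): the first "{...}" subkey is not necessarily the adapter in
    # use; a caller that needs the active interface must inspect all of them.
    DNS = None
    for value_name in ("NameServer", "DhcpNameServer"):
        DNS = regOps.getRegistryValue(key, interface_path % adapterID, value_name)
        if DNS:
            break

    if not DNS:
        # Keep the original contract for "no value": raw value, "" secondary.
        return DNS, "", adapterID

    # Windows stores the list space-separated (NameServer may use commas).
    servers = DNS.replace(",", " ").split()
    primary_dns = servers[0] if servers else DNS
    secondary_dns = servers[1] if len(servers) > 1 else ""
    return primary_dns, secondary_dns, adapterID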