def hive_to_json(hive_path, output_path, registry_path, timeline, hive_type,
partial_hive_path, verbose):
_setup_logging(verbose=verbose)
registry_hive = RegistryHive(hive_path,
hive_type=hive_type,
partial_hive_path=partial_hive_path)
if registry_path:
try:
name_key_entry = registry_hive.get_key(registry_path)
except RegistryKeyNotFoundException as ex:
logger.debug('Did not find the key: {}'.format(ex))
return
else:
name_key_entry = registry_hive.root
if timeline and not output_path:
click.secho(
'You must provide an output path if choosing timeline output!',
fg='red')
return
if output_path:
if timeline:
with open(output_path, 'w') as csvfile:
csvwriter = csv.DictWriter(
csvfile,
delimiter=',',
quotechar='"',
quoting=csv.QUOTE_MINIMAL,
fieldnames=['timestamp', 'subkey_name', 'values_count'])
csvwriter.writeheader()
with progressbar(
registry_hive.recurse_subkeys(
name_key_entry, as_json=True)) as reg_subkeys:
for entry in reg_subkeys:
entry_dict = entry.__dict__
path = entry.path
csvwriter.writerow({
'subkey_name':
r'{}\{}'.format(entry.path, path),
'timestamp':
entry_dict['timestamp'],
'values_count':
entry_dict['values_count']
})
else:
dump_hive_to_json(registry_hive, output_path, name_key_entry,
verbose)
else:
for entry in registry_hive.recurse_subkeys(name_key_entry,
as_json=True):
click.secho(json.dumps(attr.asdict(entry), indent=4))
def hive_to_json(hive_path, output_path, registry_path, timeline, hive_type,
partial_hive_path, verbose):
with logbook.NestedSetup(
_get_log_handlers(verbose=verbose)).applicationbound():
registry_hive = RegistryHive(hive_path,
hive_type=hive_type,
partial_hive_path=partial_hive_path)
if registry_path:
try:
name_key_entry = registry_hive.get_key(registry_path)
except RegistryKeyNotFoundException as ex:
logger.debug('Did not find the key: {}'.format(ex))
return
else:
name_key_entry = registry_hive.root
if timeline and not output_path:
click.secho(
'You must provide an output path if choosing timeline output!',
fg='red')
return
if output_path:
if timeline:
with open(output_path, 'w') as csvfile:
csvwriter = csv.DictWriter(csvfile,
delimiter=',',
quotechar='"',
quoting=csv.QUOTE_MINIMAL,
fieldnames=[
'timestamp', 'subkey_name',
'values_count'
])
csvwriter.writeheader()
for entry in tqdm(
registry_hive.recurse_subkeys(name_key_entry,
as_json=True)):
subkey_name = entry.pop('subkey_name')
path = entry.pop('path')
entry['subkey_name'] = r'{}\{}'.format(
path, subkey_name)
entry.pop('values')
csvwriter.writerow(entry)
else:
dump_hive_to_json(registry_hive, output_path, name_key_entry,
verbose)
else:
for entry in registry_hive.recurse_subkeys(name_key_entry,
as_json=True):
click.secho(json.dumps(attr.asdict(entry), indent=4))
def test_recurse_amcache(amcache_hive):
registry_hive = RegistryHive(amcache_hive)
value_types = {
'REG_BINARY': 0,
'REG_DWORD': 0,
'REG_EXPAND_SZ': 0,
'REG_MULTI_SZ': 0,
'REG_NONE': 0,
'REG_QWORD': 0,
'REG_SZ': 0
}
subkey_count = 0
values_count = 0
for subkey in registry_hive.recurse_subkeys():
subkey_count += 1
subkey_values = subkey.values
values_count += len(subkey_values or [])
if subkey_values:
for x in subkey_values:
value_types[x.value_type] += 1
assert subkey_count == 2105
assert values_count == 17539
assert value_types == {
'REG_BINARY': 56,
'REG_DWORD': 1656,
'REG_EXPAND_SZ': 0,
'REG_MULTI_SZ': 140,
'REG_NONE': 0,
'REG_QWORD': 1254,
'REG_SZ': 14433
}
def test_recurse_ntuser(ntuser_hive):
registry_hive = RegistryHive(ntuser_hive)
value_types = {
'REG_BINARY': 0,
'REG_DWORD': 0,
'REG_EXPAND_SZ': 0,
'REG_MULTI_SZ': 0,
'REG_NONE': 0,
'REG_QWORD': 0,
'REG_SZ': 0
}
subkey_count = 0
values_count = 0
for subkey in registry_hive.recurse_subkeys(as_json=True):
subkey_values = subkey.values
subkey_count += 1
values_count += len(subkey_values or [])
if subkey_values:
for x in subkey_values:
value_types[x['value_type']] += 1
assert subkey_count == 1812
assert values_count == 4094
assert value_types == {
'REG_BINARY': 531,
'REG_DWORD': 1336,
'REG_EXPAND_SZ': 93,
'REG_MULTI_SZ': 303,
'REG_NONE': 141,
'REG_QWORD': 54,
'REG_SZ': 1636
}
def test_recurse_ntuser(ntuser_hive):
registry_hive = RegistryHive(ntuser_hive)
EXPECTED_KEYS = ['path', 'subkey_name', 'timestamp', 'values', 'values_count']
value_types = {
'REG_BINARY': 0,
'REG_DWORD': 0,
'REG_EXPAND_SZ': 0,
'REG_MULTI_SZ': 0,
'REG_NONE': 0,
'REG_QWORD': 0,
'REG_SZ': 0
}
subkey_count = 0
values_count = 0
for subkey in registry_hive.recurse_subkeys(as_json=True):
subkey_values = subkey.values
subkey_count += 1
values_count += len(subkey_values or [])
if subkey_values:
for x in subkey_values:
value_types[x['value_type']] += 1
assert subkey_count == 2318
assert values_count == 4613
assert value_types == {
'REG_BINARY': 620,
'REG_DWORD': 1516,
'REG_EXPAND_SZ': 100,
'REG_MULTI_SZ': 309,
'REG_NONE': 141,
'REG_QWORD': 57,
'REG_SZ': 1870
}
def parse_hive(self, hive_file, hive_name, user=''):
reg = RegistryHive(hive_file)
for d in reg.recurse_subkeys(as_json=True):
data = {}
data.update({
'timestamp': d.timestamp,
'hive_name': hive_name,
'path': d.path,
'subkey': d.subkey_name,
})
if user:
data['user'] = user
if not d.values:
yield data
continue
data['values_count'] = d.values_count
# Store a list of dictionaries as values
data['values'] = []
for v in d.values:
name = v['name'].lstrip('(').rstrip(')')
value_type = 'bytes' if v[
'value_type'] == 'REG_BINARY' else 'strings'
data['values'].append({
'value': name,
'data.{}'.format(value_type): v['value']
})
yield data
def test_recurse_partial_ntuser(ntuser_software_partial):
registry_hive = RegistryHive(ntuser_software_partial,
hive_type=NTUSER_HIVE_TYPE,
partial_hive_path=r'\Software')
for subkey_count, subkey in enumerate(
registry_hive.recurse_subkeys(as_json=True)):
assert subkey.actual_path.startswith(registry_hive.partial_hive_path)
assert subkey_count == 6395
def get_registry_tree(registry_location, registry_path):
"""
Return a list of dictionaries of Window registry entries found under a given
registry path
"""
registry_hive = RegistryHive(registry_location)
name_key_entry = get_registry_name_key_entry(registry_hive=registry_hive,
registry_path=registry_path)
if not name_key_entry:
return []
return [
attr.asdict(entry)
for entry in registry_hive.recurse_subkeys(name_key_entry,
as_json=True)
]
def run_regipy(result_pk, filepath):
"""
Runs regipy on filepath
"""
try:
registry_hive = RegistryHive(filepath)
reg_json = registry_hive.recurse_subkeys(registry_hive.root, as_json=True)
root = {"values": [attr.asdict(entry) for entry in reg_json]}
root = json.loads(json.dumps(root).replace(r"\u0000", ""))
except Exception as e:
logging.error(e)
root = {}
ed = ExtractedDump.objects.get(result__pk=result_pk, path=filepath)
ed.reg_array = root
ed.save()
def get_reg_timeline(date_min, duration_hours, hivespath="."):
for i in os.listdir(hivespath):
#pastis
if i.startswith("51") or "NTUSER" in i:
print("")
print("--------------------------")
print(" HIVE %s" % (i))
print("--------------------------")
print("")
reg = RegistryHive(i)
for entry in reg.recurse_subkeys():
mtime = entry.timestamp.replace(tzinfo=None)
delta = date_min - mtime
x = delta.total_seconds()
if x > 0:
continue
if abs(divmod(delta.total_seconds(),
3600)[0]) > duration_hours:
continue
print("%s\\%s" % (entry.path, entry.subkey_name))
print("\t%s" % (entry.timestamp))
pr = cProfile.Profile()
pr.enable()
yield
pr.disable()
s = io.StringIO()
sortby = SortKey.CUMULATIVE
ps = pstats.Stats(pr, stream=s).sort_stats(sortby)
ps.print_stats()
print(s.getvalue())
@contextmanager
def get_file_from_tests(file_name):
path = str(Path(__file__).parent.joinpath('data').joinpath(file_name))
tempfile_path = mktemp()
with open(tempfile_path, 'wb') as tmp:
with lzma.open(path) as f:
tmp.write(f.read())
yield tempfile_path
os.remove(tempfile_path)
registry_path = 'SAM.xz'
logger.info(f'Iterating over all subkeys in {registry_path}')
with profiling():
with get_file_from_tests(registry_path) as reg:
registry_hive = RegistryHive(reg)
keys = [x for x in registry_hive.recurse_subkeys()]
