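 def __print_regkey_csv(self, bKey, key_path, csv_writer, is_recursive,
                        subkey_type_to_query, additional_info_function):
     ''' Recursively walk the subkeys of bKey and write one CSV row per key.

     bKey: open registry key handle (as returned by OpenKey / ConnectRegistry).
     key_path: path of bKey relative to the hive; must end with a backslash,
         because subkey paths are built by plain string concatenation.
     csv_writer: writer handed to write_to_csv.
     is_recursive: when true, the values of every matching subkey are written
         (via __print_regkey_values_csv) and the walk descends into it.
     subkey_type_to_query: if not None, only subkeys whose name contains this
         string are processed (the filter is applied at every level).
     additional_info_function: optional callable(subkey_name) whose result is
         written in the last CSV column ('' when the callable is None).

     Each row is [computer_name, key last-write time, 'HKEY_LOCAL_MACHINE',
     subkey path, 'Key', key_info]. NOTE(review): the hive label is hard-coded,
     so walking another hive through this method writes a misleading column.
     '''
     for i in range(QueryInfoKey(bKey)[0]):
         try:
             subkey_name = EnumKey(bKey, i)
         except EnvironmentError:
             # The key changed underneath us (or the index is past the end):
             # nothing more to enumerate here.
             break
         if subkey_type_to_query is not None and subkey_type_to_query not in subkey_name:
             continue
         key_info = ''
         if additional_info_function:
             # optional per-key enrichment supplied by the caller
             key_info = additional_info_function(subkey_name)
         try:
             subkey = OpenKey(bKey, subkey_name)
         except EnvironmentError:
             # Typically access denied on a protected key: skip it and carry on
             # with its siblings rather than losing the rest of the listing.
             self.logger.debug('Cannot open registry key %s%s', key_path, subkey_name)
             continue
         try:
             subkey_path = key_path + subkey_name + '\\'
             node_type = 'Key'
             date_last_mod = convert_windate(QueryInfoKey(subkey)[2])
             write_to_csv([
                 self.computer_name, date_last_mod,
                 'HKEY_LOCAL_MACHINE', subkey_path, node_type, key_info
             ], csv_writer)
             if is_recursive:
                 # values of this key first, then its subkeys
                 self.__print_regkey_values_csv(
                     subkey, date_last_mod, 'HKEY_LOCAL_MACHINE',
                     subkey_path, csv_writer, is_recursive,
                     subkey_type_to_query)
                 # Bug fix: the recursive call used to pass only three of the
                 # six required arguments and raised TypeError on the first
                 # subkey; the filter and the enrichment callback now propagate.
                 self.__print_regkey_csv(
                     subkey, subkey_path, csv_writer, is_recursive,
                     subkey_type_to_query, additional_info_function)
         except EnvironmentError:
             # Original best-effort behaviour: stop walking this key on error.
             break
         finally:
             # Bug fix: every opened subkey handle used to be leaked.
             CloseKey(subkey)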
    def _csv_user_assist(self, count_offset, is_win7_or_further):
        ''' Extracts information from UserAssist registry key which contains information about executed programs '''
        ''' The count offset is for Windows versions before 7, where it would start at 6... '''
        self.logger.info('Getting user_assist from registry')
        aReg = ConnectRegistry(None, HKEY_USERS)

        str_user_assist = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\'
        with open(
                self.output_dir + '\\' + self.computer_name +
                '_userassist.csv', 'wb') as output:
            csv_writer = get_csv_writer(output)
            for index_sid in range(
                    QueryInfoKey(aReg)[0]):  # the number of subkeys
                # in HKEY_USERS, we have a list of subkeys which are SIDs
                str_sid = EnumKey(aReg, index_sid)
                try:
                    path = str_sid + '\\' + str_user_assist
                    username = str_sid2username(str_sid)
                    reg_user_assist = OpenKey(aReg, path)
                    for index_clsid in range(QueryInfoKey(reg_user_assist)
                                             [0]):  # the number of subkeys
                        # in UserAssist, we have a list of IDs which may vary between different Windows versions
                        str_clsid = EnumKey(reg_user_assist, index_clsid)
                        result = [username, str_sid, str_clsid]
                        reg_count = OpenKey(aReg, path + str_clsid + '\\Count')
                        date_last_mod = convert_windate(
                            QueryInfoKey(reg_count)[2])
                        for index_value in range(QueryInfoKey(reg_count)
                                                 [1]):  # the number of values
                            # the name of the value is encoded with ROT13
                            str_value_name = EnumValue(reg_count,
                                                       index_value)[0]
                            str_value_name = codecs.decode(
                                str_value_name, 'rot_13')
                            str_value_datatmp = EnumValue(
                                reg_count, index_value)[1]
                            # some data are less than 16 bytes for some reason...
                            if len(str_value_datatmp) < 16:
                                write_to_csv(
                                    result + [str_value_name, date_last_mod],
                                    csv_writer)
                            else:
                                if is_win7_or_further:
                                    arr_output = result + [
                                        str_value_name, date_last_mod
                                    ] + self.__csv_user_assist_value_decode_win7_and_after(
                                        str_value_datatmp, count_offset)
                                    write_to_csv(arr_output, csv_writer)
                                else:
                                    write_to_csv(
                                        result +
                                        [str_value_name, date_last_mod] + self.
                                        __csv_user_assist_value_decode_before_win7(
                                            str_value_datatmp, count_offset),
                                        csv_writer)
                        CloseKey(reg_count)
                    CloseKey(reg_user_assist)
                except WindowsError:
                    pass
            CloseKey(aReg)
    def __csv_user_assist_value_decode_before_win7(self, str_value_datatmp,
                                                   count_offset):
        ''' Decode a pre-Windows-7 UserAssist\...\Count value (16-byte layout).

        Fields read: bytes 0-3 session id, 4-7 run counter, 8-15 timestamp of
        the last execution; each slice goes through get_int_from_reversed_string
        (the original note describes this as a byte-order reversal).
        count_offset + 1 is added to the raw run counter because the counter
        does not start at zero on these Windows versions.
        Returns [session, count] as unicode strings, plus the formatted
        last-execution date when convert_windate accepts the timestamp.
        '''
        def field(start, stop):
            return get_int_from_reversed_string(str_value_datatmp[start:stop])

        session = unicode(field(0, 4))
        count = unicode(field(4, 8) + count_offset + 1)
        decoded = [session, count]
        try:
            last_exec = convert_windate(field(8, 16))
        except ValueError:
            # unparseable timestamp: the row is written without a date
            last_exec = None
        if last_exec:
            decoded.append(last_exec)
        return decoded
 def __csv_user_assist_value_decode_win7_and_after(self, str_value_datatmp,
                                                   count_offset):
     ''' Decode a Windows 7+ UserAssist\...\Count value.

     The layout changed with Windows 7; the fields read here are bytes 0-3
     (session), 4-7 (run counter), 12-15 (focus) and 60-67 (last-execution
     timestamp), each passed through get_int_from_reversed_string.
     count_offset + 1 is added to the raw run counter.
     Returns [session, count, focus] as unicode strings, plus the formatted
     last-execution date when convert_windate accepts the timestamp.
     NOTE(review): the caller only checks for at least 16 bytes of data, so on
     a shorter record the 60:68 slice is empty — confirm the helper copes.
     '''
     def field(start, stop):
         return get_int_from_reversed_string(str_value_datatmp[start:stop])

     decoded = [
         unicode(field(0, 4)),
         unicode(field(4, 8) + count_offset + 1),
         unicode(field(12, 16)),
     ]
     try:
         last_exec = convert_windate(field(60, 68))
     except ValueError:
         # unparseable timestamp: the row is written without a date
         last_exec = None
     if last_exec:
         decoded.append(last_exec)
     return decoded
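    def _dump_csv_registry_to_output(self,
                                     hive_name,
                                     path,
                                     hive,
                                     csv_writer,
                                     username=None,
                                     optional_function=None,
                                     is_recursive=True):
        ''' Dump the values of hive\path (and of every subkey when is_recursive)
        to the CSV writer.

        hive_name: label written in the CSV rows (e.g. 'HKEY_LOCAL_MACHINE').
        path: key path relative to hive; must end with '\' because subkey
            paths are built by plain concatenation.
        hive: open handle from ConnectRegistry.
        username / optional_function: passed through to __print_regkey_values_csv.
        is_recursive: descend into subkeys (default True); now also forwarded
            to the recursive calls.

        A WindowsError with winerror 5 (access denied) anywhere in the subtree
        silently skips that key; any other WindowsError propagates.
        '''
        try:
            reg_key = OpenKey(hive, path)
        except WindowsError as e:
            if e.winerror == 5:  # Access denied: nothing to read under this key
                return
            raise  # bare raise keeps the traceback (Python 2 `raise e` drops it)
        try:
            # print values from key
            date_last_mod = convert_windate(QueryInfoKey(reg_key)[2])
            self.__print_regkey_values_csv(reg_key, date_last_mod, hive_name,
                                           path, csv_writer, username,
                                           optional_function)
            if is_recursive:
                for index_subkey in range(
                        QueryInfoKey(reg_key)[0]):  # the number of subkeys
                    # then go further in the tree
                    str_subkey = EnumKey(reg_key, index_subkey)
                    self._dump_csv_registry_to_output(hive_name,
                                                      path + str_subkey + '\\',
                                                      hive, csv_writer,
                                                      username,
                                                      optional_function,
                                                      is_recursive)
        except WindowsError as e:
            if e.winerror != 5:  # Access denied is skipped, everything else propagates
                raise
        finally:
            # Bug fix: the handle was only closed on the recursive path, and
            # never when an exception escaped the loop.
            CloseKey(reg_key)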
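    def _csv_open_save_MRU(self, str_opensaveMRU):
        ''' Extract the OpenSaveMRU / OpenSavePidlMRU entries (files recently
        opened or saved through the common dialogs) of every SID under
        HKEY_USERS into <output_dir>\<computer>_opensaveMRU.csv.

        str_opensaveMRU: path of the MRU key relative to a SID subkey.
            NOTE(review): a '\' is inserted between it and the file-type
            subkey name, so it is assumed not to end with one — confirm with
            the caller.

        SIDs without the key, and any registry error while reading one SID,
        skip that SID (logged at debug). Every handle is closed even on error.
        '''
        # TODO : Win XP
        self.logger.info('Getting open_save_MRU from registry')
        aReg = ConnectRegistry(None, HKEY_USERS)

        output_name = self.output_dir + '\\' + self.computer_name + '_opensaveMRU.csv'
        try:
            with open(output_name, 'wb') as output:
                csv_writer = get_csv_writer(output)
                for index_sid in range(QueryInfoKey(aReg)[0]):  # the number of subkeys
                    # in HKEY_USERS the subkeys are the SIDs of the loaded user hives
                    str_sid = EnumKey(aReg, index_sid)
                    path = str_sid + '\\' + str_opensaveMRU
                    try:
                        username = str_sid2username(str_sid)
                        reg_opensaveMRU = OpenKey(aReg, path)
                    except WindowsError:
                        # No MRU key for this hive: expected, skip it but keep a trace.
                        self.logger.debug('No OpenSaveMRU key for SID %s', str_sid)
                        continue
                    try:
                        for index_clsid in range(QueryInfoKey(reg_opensaveMRU)[0]):
                            # one subkey per file type (extension) plus '*'
                            str_filetype = EnumKey(reg_opensaveMRU, index_clsid)
                            reg_filetype = OpenKey(aReg, path + '\\' + str_filetype)
                            try:
                                self._csv_open_save_MRU_filetype(
                                    reg_filetype, username, str_sid,
                                    str_filetype, csv_writer)
                            finally:
                                CloseKey(reg_filetype)
                    except WindowsError:
                        # Original behaviour: a registry error aborts this SID only.
                        self.logger.debug('Error while reading OpenSaveMRU of SID %s', str_sid)
                    finally:
                        # Bug fix: the handle leaked whenever an error was raised.
                        CloseKey(reg_opensaveMRU)
        finally:
            CloseKey(aReg)

    def _csv_open_save_MRU_filetype(self, reg_filetype, username, str_sid,
                                    str_filetype, csv_writer):
        ''' Write one CSV row per MRU entry of an open OpenSaveMRU\<filetype> key.

        Every value except the 'MRUListEx' ordering list is a binary PIDL-based
        entry; the last printable string extracted from it is written as the
        file name. Rows are [username, sid, filetype, key last-write time]
        plus that name when one could be extracted.
        '''
        date_last_mod = convert_windate(QueryInfoKey(reg_filetype)[2])
        for index_value in range(QueryInfoKey(reg_filetype)[1]):  # the number of values
            value_name, value_data = EnumValue(reg_filetype, index_value)[:2]
            if value_name == 'MRUListEx':
                continue  # ordering list, not an entry
            l_printable = self.__extract_filename_from_PIDLMRU(value_data)
            if not l_printable:
                # The original note says an empty result usually means the
                # string starts one byte off (alignment modulo 2): retry shifted.
                l_printable = self.__extract_filename_from_PIDLMRU(value_data[1:])
            row = [username, str_sid, str_filetype, date_last_mod]
            if l_printable:
                row.append(l_printable[-1])
            write_to_csv(row, csv_writer)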
	def __csv_user_assist_value_decode_win7_and_after(self, str_value_datatmp, count_offset):
		''' Decode a Windows 7+ UserAssist\...\Count value.

		The layout changed with Windows 7; the fields read here are bytes 0-3
		(session), 4-7 (run counter), 12-15 (focus) and 60-67 (last-execution
		timestamp), each passed through get_int_from_reversed_string.
		count_offset + 1 is added to the raw run counter.
		Returns [session, count, focus] as unicode strings, plus the formatted
		last-execution date when convert_windate accepts the timestamp.
		NOTE(review): the caller only checks for at least 16 bytes of data, so on
		a shorter record the 60:68 slice is empty — confirm the helper copes.
		'''
		def field(start, stop):
			return get_int_from_reversed_string(str_value_datatmp[start:stop])

		decoded = [
			unicode(field(0, 4)),
			unicode(field(4, 8) + count_offset + 1),
			unicode(field(12, 16)),
		]
		try:
			last_exec = convert_windate(field(60, 68))
		except ValueError:
			# unparseable timestamp: the row is written without a date
			last_exec = None
		if last_exec:
			decoded.append(last_exec)
		return decoded
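	def _dump_csv_registry_to_output(self, hive_name, path, hive, csv_writer, username=None, optional_function=None, is_recursive=True):
		''' Dump the values of hive\path (and of every subkey when is_recursive)
		to the CSV writer.

		hive_name: label written in the CSV rows (e.g. 'HKEY_LOCAL_MACHINE').
		path: key path relative to hive; must end with '\' because subkey
			paths are built by plain concatenation.
		hive: open handle from ConnectRegistry.
		username / optional_function: passed through to __print_regkey_values_csv.
		is_recursive: descend into subkeys (default True); now also forwarded
			to the recursive calls.

		A WindowsError with winerror 5 (access denied) anywhere in the subtree
		silently skips that key; any other WindowsError propagates.
		'''
		try:
			reg_key = OpenKey(hive, path)
		except WindowsError as e:
			if e.winerror == 5: # Access denied: nothing to read under this key
				return
			raise # bare raise keeps the traceback (Python 2 `raise e` drops it)
		try:
			# print values from key
			date_last_mod = convert_windate(QueryInfoKey(reg_key)[2])
			self.__print_regkey_values_csv(reg_key, date_last_mod, hive_name, path, csv_writer, username, optional_function)
			if is_recursive:
				for index_subkey in range(QueryInfoKey(reg_key)[0]): # the number of subkeys
					# then go further in the tree
					str_subkey = EnumKey(reg_key, index_subkey)
					self._dump_csv_registry_to_output(hive_name, path + str_subkey + '\\', hive, csv_writer, username, optional_function, is_recursive)
		except WindowsError as e:
			if e.winerror != 5: # Access denied is skipped, everything else propagates
				raise
		finally:
			# Bug fix: the handle was only closed on the recursive path, and
			# never when an exception escaped the loop.
			CloseKey(reg_key)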
	def _csv_user_assist(self, count_offset, is_win7_or_further):
		''' Extracts information from UserAssist registry key which contains information about executed programs '''
		''' The count offset is for Windows versions before 7, where it would start at 6... '''
		self.logger.info('Getting user_assist from registry')
		aReg = ConnectRegistry(None,HKEY_USERS)
		
		str_user_assist = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\'
		with open(self.output_dir + '\\' + self.computer_name + '_userassist.csv', 'wb') as output:
			csv_writer = get_csv_writer(output)
			for index_sid in range(QueryInfoKey(aReg)[0]): # the number of subkeys
				# in HKEY_USERS, we have a list of subkeys which are SIDs
				str_sid = EnumKey(aReg, index_sid)
				try:
					path = str_sid + '\\' + str_user_assist
					username = str_sid2username(str_sid)
					reg_user_assist = OpenKey(aReg, path)
					for index_clsid in range(QueryInfoKey(reg_user_assist)[0]): # the number of subkeys
						# in UserAssist, we have a list of IDs which may vary between different Windows versions
						str_clsid = EnumKey(reg_user_assist, index_clsid)
						result = [username, str_sid, str_clsid]
						reg_count = OpenKey(aReg, path + str_clsid + '\\Count')
						date_last_mod = convert_windate(QueryInfoKey(reg_count)[2])
						for index_value in range(QueryInfoKey(reg_count)[1]): # the number of values
							# the name of the value is encoded with ROT13
							str_value_name = EnumValue(reg_count, index_value)[0]
							str_value_name = codecs.decode(str_value_name, 'rot_13')
							str_value_datatmp = EnumValue(reg_count, index_value)[1]
							# some data are less than 16 bytes for some reason...
							if len(str_value_datatmp) < 16:
								write_to_csv(result + [str_value_name, date_last_mod], csv_writer)
							else:
								if is_win7_or_further:
									arr_output = result + [str_value_name, date_last_mod] + self.__csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset)
									write_to_csv(arr_output, csv_writer)
								else:
									write_to_csv(result + [str_value_name, date_last_mod] + self.__csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset), csv_writer) 
						CloseKey(reg_count)
					CloseKey(reg_user_assist)
				except WindowsError:
					pass
			CloseKey(aReg)
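	def _csv_open_save_MRU(self, str_opensaveMRU):
		''' Extract the OpenSaveMRU / OpenSavePidlMRU entries (files recently
		opened or saved through the common dialogs) of every SID under
		HKEY_USERS into <output_dir>\<computer>_opensaveMRU.csv.

		str_opensaveMRU: path of the MRU key relative to a SID subkey.
			NOTE(review): a '\' is inserted between it and the file-type
			subkey name, so it is assumed not to end with one — confirm with
			the caller.

		SIDs without the key, and any registry error while reading one SID,
		skip that SID (logged at debug). Every handle is closed even on error.
		'''
		# TODO : Win XP
		self.logger.info('Getting open_save_MRU from registry')
		aReg = ConnectRegistry(None,HKEY_USERS)

		output_name = self.output_dir + '\\' + self.computer_name + '_opensaveMRU.csv'
		try:
			with open(output_name, 'wb') as output:
				csv_writer = get_csv_writer(output)
				for index_sid in range(QueryInfoKey(aReg)[0]): # the number of subkeys
					# in HKEY_USERS the subkeys are the SIDs of the loaded user hives
					str_sid = EnumKey(aReg, index_sid)
					path = str_sid + '\\' + str_opensaveMRU
					try:
						username = str_sid2username(str_sid)
						reg_opensaveMRU = OpenKey(aReg, path)
					except WindowsError:
						# No MRU key for this hive: expected, skip it but keep a trace.
						self.logger.debug('No OpenSaveMRU key for SID %s', str_sid)
						continue
					try:
						for index_clsid in range(QueryInfoKey(reg_opensaveMRU)[0]): # the number of subkeys
							# one subkey per file type (extension) plus '*'
							str_filetype = EnumKey(reg_opensaveMRU, index_clsid)
							reg_filetype = OpenKey(aReg, path + '\\' + str_filetype)
							try:
								self._csv_open_save_MRU_filetype(reg_filetype, username, str_sid, str_filetype, csv_writer)
							finally:
								CloseKey(reg_filetype)
					except WindowsError:
						# Original behaviour: a registry error aborts this SID only.
						self.logger.debug('Error while reading OpenSaveMRU of SID %s', str_sid)
					finally:
						# Bug fix: the handle leaked whenever an error was raised.
						CloseKey(reg_opensaveMRU)
		finally:
			CloseKey(aReg)

	def _csv_open_save_MRU_filetype(self, reg_filetype, username, str_sid, str_filetype, csv_writer):
		''' Write one CSV row per MRU entry of an open OpenSaveMRU\<filetype> key.

		Every value except the 'MRUListEx' ordering list is a binary PIDL-based
		entry; the last printable string extracted from it is written as the
		file name. Rows are [username, sid, filetype, key last-write time]
		plus that name when one could be extracted.
		'''
		date_last_mod = convert_windate(QueryInfoKey(reg_filetype)[2])
		for index_value in range(QueryInfoKey(reg_filetype)[1]): # the number of values
			value_name, value_data = EnumValue(reg_filetype, index_value)[:2]
			if value_name == 'MRUListEx':
				continue # ordering list, not an entry
			l_printable = self.__extract_filename_from_PIDLMRU(value_data)
			if not l_printable:
				# The original note says an empty result usually means the
				# string starts one byte off (alignment modulo 2): retry shifted.
				l_printable = self.__extract_filename_from_PIDLMRU(value_data[1:])
			row = [username, str_sid, str_filetype, date_last_mod]
			if l_printable:
				row.append(l_printable[-1])
			write_to_csv(row, csv_writer)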
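	def __print_regkey_csv(self, bKey, key_path, csv_writer, is_recursive, subkey_type_to_query, additional_info_function):
		''' Recursively walk the subkeys of bKey and write one CSV row per key.

		bKey: open registry key handle (as returned by OpenKey / ConnectRegistry).
		key_path: path of bKey relative to the hive; must end with a backslash,
			because subkey paths are built by plain string concatenation.
		csv_writer: writer handed to write_to_csv.
		is_recursive: when true, the values of every matching subkey are written
			(via __print_regkey_values_csv) and the walk descends into it.
		subkey_type_to_query: if not None, only subkeys whose name contains this
			string are processed (the filter is applied at every level).
		additional_info_function: optional callable(subkey_name) whose result is
			written in the last CSV column ('' when the callable is None).

		Each row is [computer_name, key last-write time, 'HKEY_LOCAL_MACHINE',
		subkey path, 'Key', key_info]. NOTE(review): the hive label is hard-coded,
		so walking another hive through this method writes a misleading column.
		'''
		for i in range(QueryInfoKey(bKey)[0]):
			try:
				subkey_name = EnumKey(bKey, i)
			except EnvironmentError:
				# The key changed underneath us (or the index is past the end):
				# nothing more to enumerate here.
				break
			if subkey_type_to_query is not None and subkey_type_to_query not in subkey_name:
				continue
			key_info = ''
			if additional_info_function:
				# optional per-key enrichment supplied by the caller
				key_info = additional_info_function(subkey_name)
			try:
				subkey = OpenKey(bKey, subkey_name)
			except EnvironmentError:
				# Typically access denied on a protected key: skip it and carry on
				# with its siblings rather than losing the rest of the listing.
				self.logger.debug('Cannot open registry key %s%s', key_path, subkey_name)
				continue
			try:
				subkey_path = key_path + subkey_name + '\\'
				node_type = 'Key'
				date_last_mod = convert_windate(QueryInfoKey(subkey)[2])
				write_to_csv([self.computer_name, date_last_mod, 'HKEY_LOCAL_MACHINE', subkey_path, node_type, key_info], csv_writer)
				if is_recursive:
					# values of this key first, then its subkeys
					self.__print_regkey_values_csv(subkey, date_last_mod, 'HKEY_LOCAL_MACHINE', subkey_path, csv_writer, is_recursive, subkey_type_to_query)
					# Bug fix: the recursive call used to pass only three of the
					# six required arguments and raised TypeError on the first
					# subkey; the filter and the enrichment callback now propagate.
					self.__print_regkey_csv(subkey, subkey_path, csv_writer, is_recursive, subkey_type_to_query, additional_info_function)
			except EnvironmentError:
				# Original best-effort behaviour: stop walking this key on error.
				break
			finally:
				# Bug fix: every opened subkey handle used to be leaked.
				CloseKey(subkey)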
	def __csv_user_assist_value_decode_before_win7(self, str_value_datatmp, count_offset):
		''' Decode a pre-Windows-7 UserAssist\...\Count value (16-byte layout).

		Fields read: bytes 0-3 session id, 4-7 run counter, 8-15 timestamp of
		the last execution; each slice goes through get_int_from_reversed_string
		(the original note describes this as a byte-order reversal).
		count_offset + 1 is added to the raw run counter because the counter
		does not start at zero on these Windows versions.
		Returns [session, count] as unicode strings, plus the formatted
		last-execution date when convert_windate accepts the timestamp.
		'''
		def field(start, stop):
			return get_int_from_reversed_string(str_value_datatmp[start:stop])

		session = unicode(field(0, 4))
		count = unicode(field(4, 8) + count_offset + 1)
		decoded = [session, count]
		try:
			last_exec = convert_windate(field(8, 16))
		except ValueError:
			# unparseable timestamp: the row is written without a date
			last_exec = None
		if last_exec:
			decoded.append(last_exec)
		return decoded
 def get_last_written_time(self):
     ''' Return the last-write time of self.key, formatted by utils.convert_windate. '''
     # QueryInfoKey yields (subkey count, value count, last-write time)
     _subkeys, _values, last_write = QueryInfoKey(self.key)
     return utils.convert_windate(last_write)
 def get_last_written_time(self):
     ''' Return the last-write time of self.key, formatted by utils.convert_windate. '''
     # QueryInfoKey yields (subkey count, value count, last-write time)
     _subkeys, _values, last_write = QueryInfoKey(self.key)
     return utils.convert_windate(last_write)