コード例 #1
0
def UserAssist_F4E():
    try:
        registry = Registry.Registry(NTUSER)
        path = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\" \
               "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count"
        key = registry.open(path)

        result = []
        for v in key.values():
            program_name = decode.ROT13(v.name())
            program_name = decode.GUID_to_display_name(program_name)
            run_count = int.from_bytes(v.value()[4:8],
                                       byteorder="little",
                                       signed=False)
            if v.value(
            )[60:
              68] == b'\x00\x00\x00\x00\x00\x00\x00\x00' or program_name == "UEME_CTLSESSION":
                last_executed_time = None
            else:
                last_executed_time = decode.convert_time(v.value()[60:68])

            result.append([program_name, run_count, last_executed_time])
        return result
    except:
        print(
            "Error while parsing UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"
        )
        return None
コード例 #2
0
def others():
    computer_name = None
    default_user_name = None
    last_used_user_name = None
    shutdown_time = None

    registry = Registry.Registry(SYSTEM)
    path = ControlSet00n + "\\Control\\ComputerName\\ComputerName"
    key = registry.open(path)
    for v in key.values():
        if v.name() == "ComputerName":
            computer_name = v.value()

    registry = Registry.Registry(SOFTWARE)
    path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
    key = registry.open(path)
    for v in key.values():
        if v.name() == "DefaultUserName":
            default_user_name = v.value()
        if v.name() == "LastUsedUsername":
            last_used_user_name = v.value()

    registry = Registry.Registry(SYSTEM)
    path = ControlSet00n + "\\Control\\Windows"
    key = registry.open(path)
    for v in key.values():
        if v.name() == "ShutdownTime":
            shutdown_time = decode.convert_time(v.value())

    result = [
        computer_name, default_user_name, last_used_user_name, shutdown_time
    ]
    return result
コード例 #3
0
ファイル: REGParse.py プロジェクト: minhyeung-eca19b/BMS
def BAM():
    registry = Registry.Registry(sys_reg)
    path = ControlSet00n + "\\Services\\bam\\State\\UserSettings"
    key = registry.open(path)
    sid = []
    for v in key.subkeys():
        sid.append(v.name())

    result = []
    for s in sid:
        sub_path = path + "\\" + s
        sub_key = registry.open(sub_path)
        for v in sub_key.values():
            if v.name() != "Version" and v.name() != "SequenceNumber":
                last_executed = decode.convert_time(v.value()[0:8])
                result.append([s, v.name(), last_executed])

    return result
コード例 #4
0
def UserAssist_CEB():
    registry = Registry.Registry(NTUSER)
    path = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count"
    key = registry.open(path)

    result = []
    for v in key.values():
        program_name = decode.ROT13(v.name())
        program_name = decode.GUID_to_display_name(program_name)
        run_count = int.from_bytes(v.value()[4:8],
                                   byteorder="little",
                                   signed=False)
        if v.value(
        )[60:
          68] == b'\x00\x00\x00\x00\x00\x00\x00\x00' or program_name == "UEME_CTLSESSION":
            last_executed_time = None
        else:
            last_executed_time = decode.convert_time(v.value()[60:68])

        result.append([program_name, run_count, last_executed_time])

    return result
コード例 #5
0
def user_account():
    try:
        registry = Registry.Registry(SAM)

        # Users 경로의 하위 키들을 구합니다.
        path = "SAM\\Domains\\Account\\Users"
        key = registry.open(path)
        RID = []  # Relative ID :Users의 하위 키
        for v in key.subkeys():
            if v.name() != "Names":
                RID.append(v.name())

        # 각 하위 키에 대해 F와 V 값을 구해 계정 정보를 얻습니다.
        accounts = []
        for r in RID:
            sub_path = path + "\\" + r
            sub_key = registry.open(sub_path)

            rid = None
            last_login_t = None
            last_password_change_t = None
            expires_on_t = None
            last_incorrect_password_t = None
            logon_failure_count = None
            logon_success_count = None
            account_name = None
            complete_account_name = None
            comment = None
            homedir = None

            for v in sub_key.values():
                if v.name() == "F":
                    F = v.value()
                    last_login_t = decode.convert_time(F[8:16])
                    last_password_change_t = decode.convert_time(F[24:32])
                    expires_on_t = decode.convert_time(F[32:40])
                    last_incorrect_password_t = decode.convert_time(F[40:48])
                    rid = int.from_bytes(F[48:52], byteorder="little")
                    logon_failure_count = int.from_bytes(F[64:66],
                                                         byteorder="little",
                                                         signed=False)
                    logon_success_count = int.from_bytes(F[66:68],
                                                         byteorder="little",
                                                         signed=False)
                if v.name() == "V":
                    V = v.value()
                    account_name_offset = int.from_bytes(
                        V[12:16], byteorder="little") + 204
                    account_name_len = int.from_bytes(V[16:20],
                                                      byteorder="little")
                    account_name = V[account_name_offset:account_name_offset +
                                     account_name_len].decode("utf-16")

                    complete_account_offset = int.from_bytes(
                        V[24:28], byteorder="little") + 204
                    complete_account_name_len = int.from_bytes(
                        V[28:32], byteorder="little")
                    complete_account_name = V[
                        complete_account_offset:complete_account_offset +
                        complete_account_name_len].decode("utf-16")

                    comment_offset = int.from_bytes(V[36:40],
                                                    byteorder="little") + 204
                    comment_len = int.from_bytes(V[40:44], byteorder="little")
                    comment = V[comment_offset:comment_offset +
                                comment_len].decode("utf-16")

                    homedir_offset = int.from_bytes(V[72:76],
                                                    byteorder="little") + 204
                    homedir_len = int.from_bytes(V[76:80], byteorder="little")
                    homedir = V[homedir_offset:homedir_offset +
                                homedir_len].decode("utf-16")

            accounts.append([
                r, rid, last_login_t, last_password_change_t, expires_on_t,
                last_incorrect_password_t, logon_failure_count,
                logon_success_count, account_name, complete_account_name,
                comment, homedir
            ])

        # Names 키의 timestamp에서 계정 생성 시간을 얻습니다
        key = registry.open("SAM\\Domains\\Account\\Users\\Names")
        timestamp = []
        for v in key.subkeys():
            timestamp.append(
                [v.name(),
                 v.timestamp().strftime("%Y-%m-%d %H:%M:%S")])
        for a in accounts:
            for t in timestamp:
                if a[8] == t[0]:
                    a.append(t[1])
        return accounts
    except:
        print("Error while parsing user accounts")
        return None