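def _get_key_info(self, key_name):
    """Return the ``VID_xxxx&PID_yyyy`` segment for the USB device named by *key_name*.

    *key_name* is a DeviceClasses subkey name such as
    ``##?#USBSTOR#Disk&Ven_&Prod_USB_DISK_2.0&Rev_PMAP#07BC13025A3B03A1&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}``.
    Split on ``#``, field index 5 holds ``<serial>&0``; the part before
    ``&`` is the device serial. That serial is then searched for in the
    subkey names of the USB device-interface class
    ``{a5dcbf10-6530-11d2-901f-00c04fb951ed}`` under ``self.aReg``, which
    look like ``##?#USB#VID_26BD&PID_9917#0702313E309E0863#{a5dcbf10-...}``;
    field index 4 of the first match (``VID_26BD&PID_9917``) is returned.

    Returns an empty string when *key_name* has too few fields, the serial
    is empty, or no subkey contains the serial. Enumeration stops at the
    first ``EnvironmentError`` from ``EnumKey`` (end of list / access
    problem), as before. The registry handle is always closed.
    """
    # Backslashes are doubled explicitly: the original relied on "\C", "\D"
    # and "\{" not being recognised escape sequences (Python 3.12+ warns on
    # them). The runtime value is unchanged.
    str_reg_key_usbinfo = (
        "SYSTEM\\ControlSet001\\Control\\DeviceClasses\\"
        "{a5dcbf10-6530-11d2-901f-00c04fb951ed}\\"
    )
    serial_index = 5  # "<serial>&0" field in a USBSTOR key name
    vidpid_index = 4  # "VID_xxxx&PID_yyyy" field in a USB key name

    fields = key_name.split('#')
    if len(fields) <= serial_index:
        # Malformed name; the original would raise IndexError here.
        return ""
    # Keep only the part left of '&': "07BC13025A3B03A1&0" -> "07BC13025A3B03A1".
    usb_id = fields[serial_index].split('&')[0]
    if not usb_id:
        # An empty serial is a substring of every name and would blindly
        # match the first subkey enumerated.
        return ""

    key_ids = ""
    reg_key_info = OpenKey(self.aReg, str_reg_key_usbinfo)
    try:
        subkey_count = QueryInfoKey(reg_key_info)[0]
        for i in range(subkey_count):
            try:
                subkey_name = EnumKey(reg_key_info, i)
            except EnvironmentError:
                break
            if usb_id not in subkey_name:
                continue
            info_fields = subkey_name.split('#')
            if len(info_fields) > vidpid_index:
                key_ids = info_fields[vidpid_index]
            break
    finally:
        # Release the handle even when QueryInfoKey/EnumKey raise.
        CloseKey(reg_key_info)
    return key_ids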
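def GetTypelibVersions(IID):
    """Return the installed versions of the type library *IID*.

    Enumerates the subkeys of ``HKEY_CLASSES_ROOT\\Typelib\\<IID>``. Only
    subkeys named ``MAJOR.MINOR`` are considered; both parts are parsed as
    hexadecimal (``"1.a"`` -> ``(1, 10)``). Subkeys with more or fewer than
    one dot, or whose parts are not valid hex, are skipped rather than
    raising ``ValueError``.

    Returns a list of ``(major, minor)`` int tuples in registry enumeration
    order. Errors from ``OpenKey`` (missing typelib key) propagate.
    """
    versions = []
    with OpenKey(HKEY_CLASSES_ROOT, 'Typelib\\' + IID) as key:
        subkeycount = QueryInfoKey(key)[0]
        for i in range(subkeycount):
            rawversion = EnumKey(key, i)
            rawmajor, dot, rawminor = rawversion.partition('.')
            # Exactly one dot: partition found one and the remainder has none.
            if not dot or '.' in rawminor:
                continue
            try:
                # Versions are expressed in hex.
                version = (int(rawmajor, 16), int(rawminor, 16))
            except ValueError:
                # Not a MAJOR.MINOR hex name; ignore the stray subkey.
                continue
            versions.append(version)
    return versions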
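def _get_key_info(self, key_name):
    """Return the ``VID_xxxx&PID_yyyy`` segment for the USB device named by *key_name*.

    *key_name* is a DeviceClasses subkey name such as
    ``##?#USBSTOR#Disk&Ven_&Prod_USB_DISK_2.0&Rev_PMAP#07BC13025A3B03A1&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}``.
    Split on ``#``, field index 5 holds ``<serial>&0``; the part before
    ``&`` is the device serial. That serial is then searched for in the
    subkey names of the USB device-interface class
    ``{a5dcbf10-6530-11d2-901f-00c04fb951ed}`` under ``self.aReg``, which
    look like ``##?#USB#VID_26BD&PID_9917#0702313E309E0863#{a5dcbf10-...}``;
    field index 4 of the first match (``VID_26BD&PID_9917``) is returned.

    Returns an empty string when *key_name* has too few fields, the serial
    is empty, or no subkey contains the serial. Enumeration stops at the
    first ``EnvironmentError`` from ``EnumKey`` (end of list / access
    problem), as before. The registry handle is always closed.
    """
    # Backslashes are doubled explicitly: the original relied on "\C", "\D"
    # and "\{" not being recognised escape sequences (Python 3.12+ warns on
    # them). The runtime value is unchanged.
    str_reg_key_usbinfo = (
        "SYSTEM\\ControlSet001\\Control\\DeviceClasses\\"
        "{a5dcbf10-6530-11d2-901f-00c04fb951ed}\\"
    )
    serial_index = 5  # "<serial>&0" field in a USBSTOR key name
    vidpid_index = 4  # "VID_xxxx&PID_yyyy" field in a USB key name

    fields = key_name.split('#')
    if len(fields) <= serial_index:
        # Malformed name; the original would raise IndexError here.
        return ""
    # Keep only the part left of '&': "07BC13025A3B03A1&0" -> "07BC13025A3B03A1".
    usb_id = fields[serial_index].split('&')[0]
    if not usb_id:
        # An empty serial is a substring of every name and would blindly
        # match the first subkey enumerated.
        return ""

    key_ids = ""
    reg_key_info = OpenKey(self.aReg, str_reg_key_usbinfo)
    try:
        subkey_count = QueryInfoKey(reg_key_info)[0]
        for i in range(subkey_count):
            try:
                subkey_name = EnumKey(reg_key_info, i)
            except EnvironmentError:
                break
            if usb_id not in subkey_name:
                continue
            info_fields = subkey_name.split('#')
            if len(info_fields) > vidpid_index:
                key_ids = info_fields[vidpid_index]
            break
    finally:
        # Release the handle even when QueryInfoKey/EnumKey raise.
        CloseKey(reg_key_info)
    return key_ids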
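def GetTypelibVersions(IID):
    """Return the installed versions of the type library *IID*.

    Enumerates the subkeys of ``HKEY_CLASSES_ROOT\\Typelib\\<IID>``. Only
    subkeys named ``MAJOR.MINOR`` are considered; both parts are parsed as
    hexadecimal (``"1.a"`` -> ``(1, 10)``). Subkeys with more or fewer than
    one dot, or whose parts are not valid hex, are skipped rather than
    raising ``ValueError``.

    Returns a list of ``(major, minor)`` int tuples in registry enumeration
    order. Errors from ``OpenKey`` (missing typelib key) propagate.
    """
    versions = []
    with OpenKey(HKEY_CLASSES_ROOT, 'Typelib\\' + IID) as key:
        subkeycount = QueryInfoKey(key)[0]
        for i in range(subkeycount):
            rawversion = EnumKey(key, i)
            rawmajor, dot, rawminor = rawversion.partition('.')
            # Exactly one dot: partition found one and the remainder has none.
            if not dot or '.' in rawminor:
                continue
            try:
                # Versions are expressed in hex.
                version = (int(rawmajor, 16), int(rawminor, 16))
            except ValueError:
                # Not a MAJOR.MINOR hex name; ignore the stray subkey.
                continue
            versions.append(version)
    return versions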
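def set_keys(self):
    """Lower the Office macro security settings for every installed version.

    Enumerates ``HKCU\\Software\\Microsoft\\Office`` for subkeys that look
    like a version number (contain a dot, all parts numeric) and, for each,
    writes under ``<version>\\Publisher\\Security``:

    * ``VBAWarnings = 1``
    * ``AccessVBOM = 1``
    * ``ExtensionHardening = 0``

    These are Office's Trust Center macro/VBA settings; the values written
    switch the protections off so that macro-bearing samples run and can be
    observed, which only makes sense on a disposable analysis VM.
    Returns silently when the Office hive is absent or cannot be enumerated.
    NOTE(review): only the ``Publisher\\Security`` key is written — confirm
    this is intended, since Word/Excel/PowerPoint have their own
    ``Security`` keys under the version subkey.
    """
    baseOfficeKeyPath = r"Software\Microsoft\Office"
    installedVersions = []
    try:
        officeKey = OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0, KEY_READ)
    except WindowsError:
        # Office isn't installed at all
        return
    try:
        for currentKey in range(QueryInfoKey(officeKey)[0]):
            officeVersion = EnumKey(officeKey, currentKey)
            # Only "N.N"-style names are versions; names without a dot
            # ("Common", "Outlook", ...) sit next to them and are skipped.
            parts = officeVersion.split(".")
            if len(parts) > 1 and all(p.isdigit() for p in parts):
                installedVersions.append(officeVersion)
    except WindowsError:
        # Enumeration failed part-way: do the same as "not installed".
        return
    finally:
        # Close the handle on every path (the original leaked it on error).
        CloseKey(officeKey)

    for oVersion in installedVersions:
        securityPath = r"{0}\{1}\Publisher\Security".format(
            baseOfficeKeyPath, oVersion)
        key = CreateKeyEx(HKEY_CURRENT_USER, securityPath, 0, KEY_SET_VALUE)
        try:
            SetValueEx(key, "VBAWarnings", 0, REG_DWORD, 1)
            SetValueEx(key, "AccessVBOM", 0, REG_DWORD, 1)
            SetValueEx(key, "ExtensionHardening", 0, REG_DWORD, 0)
        finally:
            CloseKey(key)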
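def set_keys(self):
    """Lower the Office macro security settings for every installed version.

    Enumerates ``HKCU\\Software\\Microsoft\\Office`` for subkeys that look
    like a version number (contain a dot, all parts numeric) and, for each,
    writes under ``<version>\\Publisher\\Security``:

    * ``VBAWarnings = 1``
    * ``AccessVBOM = 1``
    * ``ExtensionHardening = 0``

    These are Office's Trust Center macro/VBA settings; the values written
    switch the protections off so that macro-bearing samples run and can be
    observed, which only makes sense on a disposable analysis VM.
    Returns silently when the Office hive is absent or cannot be enumerated.
    NOTE(review): only the ``Publisher\\Security`` key is written — confirm
    this is intended, since Word/Excel/PowerPoint have their own
    ``Security`` keys under the version subkey.
    """
    baseOfficeKeyPath = r"Software\Microsoft\Office"
    installedVersions = []
    try:
        officeKey = OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0, KEY_READ)
    except WindowsError:
        # Office isn't installed at all
        return
    try:
        for currentKey in range(QueryInfoKey(officeKey)[0]):
            officeVersion = EnumKey(officeKey, currentKey)
            # Only "N.N"-style names are versions; names without a dot
            # ("Common", "Outlook", ...) sit next to them and are skipped.
            parts = officeVersion.split(".")
            if len(parts) > 1 and all(p.isdigit() for p in parts):
                installedVersions.append(officeVersion)
    except WindowsError:
        # Enumeration failed part-way: do the same as "not installed".
        return
    finally:
        # Close the handle on every path (the original leaked it on error).
        CloseKey(officeKey)

    for oVersion in installedVersions:
        securityPath = r"{0}\{1}\Publisher\Security".format(
            baseOfficeKeyPath, oVersion)
        key = CreateKeyEx(HKEY_CURRENT_USER, securityPath, 0, KEY_SET_VALUE)
        try:
            SetValueEx(key, "VBAWarnings", 0, REG_DWORD, 1)
            SetValueEx(key, "AccessVBOM", 0, REG_DWORD, 1)
            SetValueEx(key, "ExtensionHardening", 0, REG_DWORD, 0)
        finally:
            CloseKey(key)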
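def set_office_mrus(self):
    """Seed randomized "File MRU" entries for every installed Office product.

    Macros occasionally read the recently-used-files list as a sandbox
    heuristic (a fresh VM has none); populating it makes the analysis VM
    look like a used workstation.

    For each version subkey of ``HKCU\\Software\\Microsoft\\Office`` and
    each of Word/Excel/PowerPoint whose product key exists, the
    ``File MRU`` key is opened (created if missing). When it holds fewer
    than five values, ``Max Display = 25`` is written unless already
    present and 9–29 ``Item N`` REG_SZ values are added, each a fake path
    built from one of ``basePaths``, a random file name and an extension
    matching the product. Products whose key is missing are skipped.
    Returns silently when the Office hive is absent or cannot be enumerated.
    """
    baseOfficeKeyPath = r"Software\Microsoft\Office"
    basePaths = [
        "C:\\",
        "C:\\Windows\\Logs\\",
        "C:\\Windows\\Temp\\",
        "C:\\Program Files\\",
    ]
    extensions = {
        "Word": ["doc", "docx", "docm", "rtf"],
        "Excel": ["xls", "xlsx", "csv"],
        "PowerPoint": ["ppt", "pptx"],
    }

    # 1. Collect the version subkeys ("15.0", "16.0", ...) of the Office hive.
    installedVersions = []
    try:
        officeKey = OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0, KEY_READ)
    except WindowsError:
        # Office isn't installed at all
        return
    try:
        for currentKey in range(QueryInfoKey(officeKey)[0]):
            officeVersion = EnumKey(officeKey, currentKey)
            # Only "N.N"-style names are versions; names without a dot
            # ("Common", "Outlook", ...) sit next to them and are skipped.
            parts = officeVersion.split(".")
            if len(parts) > 1 and all(p.isdigit() for p in parts):
                installedVersions.append(officeVersion)
    except WindowsError:
        # Enumeration failed part-way: do the same as "not installed".
        return
    finally:
        # Close the handle on every path (the original leaked it on error).
        CloseKey(officeKey)

    # 2. Per version and product, read the current MRU and top it up.
    for oVersion in installedVersions:
        for software in extensions:
            productPath = r"{0}\{1}\{2}".format(
                baseOfficeKeyPath, oVersion, software)
            mruKeyPath = r"{0}\File MRU".format(productPath)
            try:
                # Probe the product key: the version may exist while this
                # particular application does not.
                CloseKey(OpenKey(HKEY_CURRENT_USER, productPath, 0, KEY_READ))
                try:
                    mruKey = OpenKey(HKEY_CURRENT_USER, mruKeyPath, 0, KEY_READ)
                except WindowsError:
                    mruKey = CreateKeyEx(HKEY_CURRENT_USER, mruKeyPath, 0, KEY_READ)
                try:
                    valueCount = QueryInfoKey(mruKey)[1]
                    existingNames = [EnumValue(mruKey, idx)[0]
                                     for idx in range(valueCount)]
                finally:
                    CloseKey(mruKey)
            except WindowsError:
                # An Office version was found in the registry but the
                # software (Word/Excel/PowerPoint) was not installed.
                continue

            if len(existingNames) >= 5:
                # Already holds a plausible history; leave it alone.
                continue
            hasMaxDisplay = "Max Display" in existingNames

            mruKey = OpenKey(HKEY_CURRENT_USER, mruKeyPath, 0, KEY_SET_VALUE)
            try:
                if not hasMaxDisplay:
                    SetValueEx(mruKey, "Max Display", 0, REG_DWORD, 25)
                choices = extensions[software]
                for i in range(1, randint(10, 30)):
                    rString = random_string(minimum=11, charset="0123456789ABCDEF")
                    # Odd items get the T01D1C prefix, even items T01D1D.
                    baseId = ("T01D1C" if i % 2 else "T01D1D") + rString
                    setVal = "[F00000000][{0}][O00000000]*{1}{2}.{3}".format(
                        baseId,
                        basePaths[randint(0, len(basePaths) - 1)],
                        random_string(minimum=3, maximum=15,
                                      charset="abcdefghijkLMNOPQURSTUVwxyz_0369"),
                        choices[randint(0, len(choices) - 1)])
                    SetValueEx(mruKey, "Item {0}".format(i), 0, REG_SZ, setVal)
            finally:
                CloseKey(mruKey)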
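def set_office_mrus(self):
    """Seed randomized "File MRU" entries for every installed Office product.

    Macros occasionally read the recently-used-files list as a sandbox
    heuristic (a fresh VM has none); populating it makes the analysis VM
    look like a used workstation.

    For each version subkey of ``HKCU\\Software\\Microsoft\\Office`` and
    each of Word/Excel/PowerPoint, the product's ``File MRU`` key is
    opened; a missing key means the product is not installed and it is
    skipped. When the key holds fewer than five values, ``Max Display = 25``
    is written unless already present and 9–29 ``Item N`` REG_SZ values are
    added, each a fake path built from one of ``basePaths``, a random file
    name and an extension matching the product.
    Returns silently when the Office hive is absent or cannot be enumerated.
    """
    baseOfficeKeyPath = r"Software\Microsoft\Office"
    basePaths = [
        "C:\\",
        "C:\\Windows\\Logs\\",
        "C:\\Windows\\Temp\\",
        "C:\\Program Files\\",
    ]
    extensions = {
        "Word": ["doc", "docx", "docm", "rtf"],
        "Excel": ["xls", "xlsx", "csv"],
        "PowerPoint": ["ppt", "pptx"],
    }

    # 1. Collect the version subkeys ("15.0", "16.0", ...) of the Office hive.
    installedVersions = []
    try:
        officeKey = OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0, KEY_READ)
    except WindowsError:
        # Office isn't installed at all
        return
    try:
        for currentKey in range(QueryInfoKey(officeKey)[0]):
            officeVersion = EnumKey(officeKey, currentKey)
            # Only "N.N"-style names are versions; names without a dot
            # ("Common", "Outlook", ...) sit next to them and are skipped.
            parts = officeVersion.split(".")
            if len(parts) > 1 and all(p.isdigit() for p in parts):
                installedVersions.append(officeVersion)
    except WindowsError:
        # Enumeration failed part-way: do the same as "not installed".
        return
    finally:
        # Close the handle on every path (the original leaked it on error).
        CloseKey(officeKey)

    # 2. Per version and product, read the current MRU and top it up.
    for oVersion in installedVersions:
        for software in extensions:
            mruKeyPath = r"{0}\{1}\{2}\File MRU".format(
                baseOfficeKeyPath, oVersion, software)
            try:
                mruKey = OpenKey(HKEY_CURRENT_USER, mruKeyPath, 0, KEY_READ)
                try:
                    valueCount = QueryInfoKey(mruKey)[1]
                    existingNames = [EnumValue(mruKey, idx)[0]
                                     for idx in range(valueCount)]
                finally:
                    CloseKey(mruKey)
            except WindowsError:
                # An Office version was found in the registry but the
                # software (Word/Excel/PowerPoint) was not installed.
                continue

            if len(existingNames) >= 5:
                # Already holds a plausible history; leave it alone.
                continue
            hasMaxDisplay = "Max Display" in existingNames

            mruKey = OpenKey(HKEY_CURRENT_USER, mruKeyPath, 0, KEY_SET_VALUE)
            try:
                if not hasMaxDisplay:
                    SetValueEx(mruKey, "Max Display", 0, REG_DWORD, 25)
                choices = extensions[software]
                for i in range(1, randint(10, 30)):
                    rString = random_string(minimum=11, charset="0123456789ABCDEF")
                    # Odd items get the T01D1C prefix, even items T01D1D.
                    baseId = ("T01D1C" if i % 2 else "T01D1D") + rString
                    setVal = "[F00000000][{0}][O00000000]*{1}{2}.{3}".format(
                        baseId,
                        basePaths[randint(0, len(basePaths) - 1)],
                        random_string(minimum=3, maximum=15,
                                      charset="abcdefghijkLMNOPQURSTUVwxyz_0369"),
                        choices[randint(0, len(choices) - 1)])
                    SetValueEx(mruKey, "Item {0}".format(i), 0, REG_SZ, setVal)
            finally:
                CloseKey(mruKey)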