コード例 #1
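    def get_services(self, services_loaded):
        """Enumerate SCM-registered services and record their permissions.

        Every service reported by the Service Control Manager is opened with
        SERVICE_QUERY_CONFIG to read its binary path. A service that
        ``check_if_service_already_loaded`` finds in ``services_loaded`` only
        gets its ``permissions`` refreshed; an unknown one is appended as a
        new ``Service``. A service that cannot be opened or queried (access
        denied, removed mid-enumeration) is skipped rather than aborting the
        whole listing.

        Args:
            services_loaded: list of ``Service`` objects collected so far;
                mutated in place (new entries are appended).

        Returns:
            The same ``services_loaded`` list.
        """
        scm = win32service.OpenSCManager(
            None, None, win32service.SC_MANAGER_ENUMERATE_SERVICE)
        try:
            svcs = win32service.EnumServicesStatus(scm)

            for svc in svcs:
                short_name = svc[0]
                try:
                    sh_query_config = win32service.OpenService(
                        scm, short_name, win32service.SERVICE_QUERY_CONFIG)
                except win32service.error:
                    # best-effort: no rights on this service, move on
                    continue

                try:
                    service_info = win32service.QueryServiceConfig(sh_query_config)
                    # QueryServiceConfig tuple: index 3 is the binary path name.
                    full_path = service_info[3]
                    sv = self.check_if_service_already_loaded(
                        short_name, full_path, services_loaded)

                    if sv:
                        sv.permissions = self.get_service_permissions(sv)
                    else:
                        sk = Service()
                        sk.name = short_name
                        sk.display_name = svc[1]
                        sk.full_path = full_path
                        sk.paths = get_path_info(full_path)
                        # The new object (not the empty ``sv``) must be passed
                        # here, otherwise new services never get permissions.
                        sk.permissions = self.get_service_permissions(sk)
                        services_loaded.append(sk)
                except win32service.error:
                    # best-effort: skip services whose config cannot be read
                    continue
                finally:
                    # Always release the service handle, even on error.
                    win32service.CloseServiceHandle(sh_query_config)
        finally:
            win32service.CloseServiceHandle(scm)

        return services_loaded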
コード例 #2
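	def get_services(self, services_loaded):
		"""Enumerate SCM-registered services and record their permissions.

		Every service reported by the Service Control Manager is opened with
		SERVICE_QUERY_CONFIG to read its binary path. A service that
		``check_if_service_already_loaded`` finds in ``services_loaded`` only
		gets its ``permissions`` refreshed; an unknown one is appended as a new
		``Service``. A service that cannot be opened or queried (access denied,
		removed mid-enumeration) is skipped rather than aborting the listing.

		Args:
			services_loaded: list of ``Service`` objects collected so far;
				mutated in place (new entries are appended).

		Returns:
			The same ``services_loaded`` list.
		"""
		scm = win32service.OpenSCManager(None,None,win32service.SC_MANAGER_ENUMERATE_SERVICE)
		try:
			svcs = win32service.EnumServicesStatus(scm)

			for svc in svcs:
				short_name = svc[0]
				try:
					sh_query_config = win32service.OpenService(scm, short_name, win32service.SERVICE_QUERY_CONFIG)
				except win32service.error:
					# best-effort: no rights on this service, move on
					continue

				try:
					service_info = win32service.QueryServiceConfig(sh_query_config)
					# QueryServiceConfig tuple: index 3 is the binary path name.
					full_path = service_info[3]
					sv = self.check_if_service_already_loaded(short_name, full_path, services_loaded)

					if sv:
						sv.permissions = self.get_service_permissions(sv)
					else:
						sk = Service()
						sk.name = short_name
						sk.display_name = svc[1]
						sk.full_path = full_path
						sk.paths = get_path_info(full_path)
						# The new object (not the empty ``sv``) must be passed
						# here, otherwise new services never get permissions.
						sk.permissions = self.get_service_permissions(sk)
						services_loaded.append(sk)
				except win32service.error:
					# best-effort: skip services whose config cannot be read
					continue
				finally:
					# Always release the service handle, even on error.
					win32service.CloseServiceHandle(sh_query_config)
		finally:
			win32service.CloseServiceHandle(scm)

		return services_loaded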
コード例 #3
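    def get_services_from_registry(self):
        """Enumerate services from HKLM\\SYSTEM\\CurrentControlSet\\Services.

        For every subkey a ``Service`` is built with: ``name`` (subkey name),
        ``key`` (full registry path), ``is_key_writable`` (set to the key
        path when the current user can open the key with KEY_WRITE, i.e. could
        alter the service definition), ``display_name`` (the ``DisplayName``
        value) and ``full_path``/``paths`` from the expanded ``ImagePath``
        value. Image paths containing ``drivers`` are left out (presumably to
        skip kernel drivers). A subkey that cannot be read is still reported,
        just without values, so one unreadable service does not abort the
        whole enumeration.

        Returns:
            list of ``Service`` objects, one per subkey.
        """
        service_keys = []

        # Open the base key read-only; write access is probed per subkey.
        accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
        accessWrite = win32con.KEY_WRITE | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE

        hkey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE,
                                   'SYSTEM\\CurrentControlSet\\Services', 0,
                                   accessRead)
        try:
            num = win32api.RegQueryInfoKey(hkey)[0]

            # loop through all subkeys
            for x in range(num):
                sk = Service()

                # Name of the service
                svc = win32api.RegEnumKey(hkey, x)
                sk.name = svc
                sk.key = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s" % svc

                # ------ Check write access of the key ------
                # Succeeding here means the caller could rewrite ImagePath etc.
                try:
                    wkey = win32api.RegOpenKey(hkey, svc, 0, accessWrite)
                except win32api.error:
                    pass
                else:
                    sk.is_key_writable = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s" % svc
                    win32api.RegCloseKey(wkey)

                # ------ Read the values through a single read-only handle ------
                try:
                    skey = win32api.RegOpenKey(hkey, svc, 0, accessRead)
                except win32api.error:
                    # not even readable: keep the bare entry
                    service_keys.append(sk)
                    continue

                try:
                    # DisplayName is optional; missing value is not an error
                    try:
                        display_name = str(
                            win32api.RegQueryValueEx(skey, 'DisplayName')[0])
                    except win32api.error:
                        display_name = ''
                    if display_name:
                        sk.display_name = display_name

                    # ImagePath is the service binary (may contain %vars%)
                    try:
                        image_path = str(
                            win32api.RegQueryValueEx(skey, 'ImagePath')[0])
                    except win32api.error:
                        image_path = ''
                    if image_path:
                        image_path = os.path.expandvars(image_path)

                        if 'drivers' not in image_path.lower():
                            sk.full_path = image_path
                            sk.paths = get_path_info(image_path)
                finally:
                    win32api.RegCloseKey(skey)

                service_keys.append(sk)
        finally:
            win32api.RegCloseKey(hkey)
        return service_keys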
コード例 #4
ファイル: from_registry.py プロジェクト: m00zh33/BeRoot
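	def get_services_from_registry(self):
		"""Enumerate services from HKLM\\SYSTEM\\CurrentControlSet\\Services.

		For every subkey a ``Service`` is built with: ``name`` (subkey name),
		``key`` (full registry path), ``is_key_writable`` (set to the key path
		when the current user can open the key with KEY_WRITE, i.e. could alter
		the service definition), ``display_name`` (the ``DisplayName`` value)
		and ``full_path``/``paths`` from the expanded ``ImagePath`` value.
		Image paths containing ``drivers`` are left out (presumably to skip
		kernel drivers). A subkey that cannot be read is still reported, just
		without values, so one unreadable service does not abort the listing.

		Returns:
			list of ``Service`` objects, one per subkey.
		"""
		service_keys = []

		# Open the base key read-only; write access is probed per subkey.
		accessRead = KEY_READ | KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE
		accessWrite = KEY_WRITE | KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE

		hkey = OpenKey(HKEY_LOCAL_MACHINE, 'SYSTEM\\CurrentControlSet\\Services', 0, accessRead)
		try:
			num = _winreg.QueryInfoKey(hkey)[0]

			# loop through all subkeys
			for x in range(num):
				sk = Service()

				# Name of the service
				svc = _winreg.EnumKey(hkey, x)
				sk.name = svc
				sk.key = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s" % svc

				# ------ Check write access of the key ------
				# Succeeding here means the caller could rewrite ImagePath etc.
				try:
					wkey = OpenKey(hkey, svc, 0, accessWrite)
				except WindowsError:
					pass
				else:
					sk.is_key_writable = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s" % svc
					_winreg.CloseKey(wkey)

				# ------ Read the values through a single read-only handle ------
				try:
					skey = OpenKey(hkey, svc, 0, accessRead)
				except WindowsError:
					# not even readable: keep the bare entry
					service_keys.append(sk)
					continue

				try:
					# DisplayName is optional; missing value is not an error
					try:
						display_name = str(_winreg.QueryValueEx(skey, 'DisplayName')[0])
					except WindowsError:
						display_name = ''
					if display_name:
						sk.display_name = display_name

					# ImagePath is the service binary (may contain %vars%)
					try:
						image_path = str(_winreg.QueryValueEx(skey, 'ImagePath')[0])
					except WindowsError:
						image_path = ''
					if image_path:
						image_path = os.path.expandvars(image_path)

						if 'drivers' not in image_path.lower():
							sk.full_path = image_path
							sk.paths = get_path_info(image_path)
				finally:
					_winreg.CloseKey(skey)

				service_keys.append(sk)
		finally:
			_winreg.CloseKey(hkey)
		return service_keys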
コード例 #5
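    def get_sensitive_registry_key(self):
        """Collect the values of the HKLM keys returned by ``definePath``.

        Each key is first opened with KEY_WRITE; on success the key path is
        stored in ``is_key_writable`` (a writable auto-start key lets a
        low-privileged user plant something that another account will run).
        If that fails the key is opened read-only; a key that cannot be opened
        at all is skipped. Every value of the key becomes one ``Registry_key``
        carrying the key path, value name, value data (``full_path``) and the
        path analysis from ``get_path_info``.

        Returns:
            list of ``Registry_key`` objects, one per value found.
        """
        keys = []
        runkeys_hklm = self.definePath()

        # access either in read only mode, or in write mode
        accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
        accessWrite = win32con.KEY_WRITE | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE

        # Loop through all keys to check
        for keyPath in runkeys_hklm:
            is_key_writable = False

            # check if the registry key has writable access
            try:
                hkey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE,
                                           keyPath, 0, accessWrite)
                is_key_writable = keyPath
            except win32api.error:
                try:
                    hkey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE,
                                               keyPath, 0, accessRead)
                except win32api.error:
                    continue

            # retrieve all values of the registry key
            try:
                # index 1 of RegQueryInfoKey is the number of values
                num = win32api.RegQueryInfoKey(hkey)[1]

                for x in range(num):
                    k = win32api.RegEnumValue(hkey, x)

                    stk = Registry_key()
                    if is_key_writable:
                        stk.is_key_writable = is_key_writable

                    stk.key = keyPath
                    stk.name = k[0]
                    # NOTE(review): k[1] is the raw value data; assumed to be a
                    # string path for these keys — confirm get_path_info copes
                    # with non-string data.
                    stk.full_path = k[1]
                    stk.paths = get_path_info(k[1])

                    keys.append(stk)
            except win32api.error:
                # best-effort: an unreadable value list just yields no entries
                pass
            finally:
                # close even when enumeration failed (the original leaked here)
                win32api.RegCloseKey(hkey)

        return keys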
コード例 #6
ファイル: from_registry.py プロジェクト: m00zh33/BeRoot
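	def get_sensitive_registry_key(self):
		"""Collect the values of the HKLM keys returned by ``definePath``.

		Each key is first opened with KEY_WRITE; on success the key path is
		stored in ``is_key_writable`` (a writable auto-start key lets a
		low-privileged user plant something that another account will run).
		If that fails the key is opened read-only; a key that cannot be opened
		at all is skipped. Every value of the key becomes one ``Registry_key``
		carrying the key path, value name, value data (``full_path``) and the
		path analysis from ``get_path_info``.

		Returns:
			list of ``Registry_key`` objects, one per value found.
		"""
		keys = []
		runkeys_hklm = self.definePath()

		# access either in read only mode, or in write mode
		accessRead = KEY_READ | KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE
		accessWrite = KEY_WRITE | KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE

		# Loop through all keys to check
		for keyPath in runkeys_hklm:
			is_key_writable = False

			# check if the registry key has writable access
			try:
				hkey = OpenKey(HKEY_LOCAL_MACHINE, keyPath, 0, accessWrite)
				is_key_writable = keyPath
			except WindowsError:
				try:
					hkey = OpenKey(HKEY_LOCAL_MACHINE, keyPath, 0, accessRead)
				except WindowsError:
					continue

			# retrieve all values of the registry key
			try:
				# index 1 of QueryInfoKey is the number of values
				num = _winreg.QueryInfoKey(hkey)[1]

				for x in range(num):
					k = _winreg.EnumValue(hkey, x)

					stk = Registry_key()
					if is_key_writable:
						stk.is_key_writable = is_key_writable

					stk.key = keyPath
					stk.name = k[0]
					# NOTE(review): k[1] is the raw value data; assumed to be a
					# string path for these keys — confirm get_path_info copes
					# with non-string data.
					stk.full_path = k[1]
					stk.paths = get_path_info(k[1])

					keys.append(stk)
			except WindowsError:
				# best-effort: an unreadable value list just yields no entries
				pass
			finally:
				# close even when enumeration failed (the original leaked here)
				_winreg.CloseKey(hkey)

		return keys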
コード例 #7
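    def tasksList(self):
        """List scheduled tasks by parsing the XML files under ``task_directory``.

        Only the Vista+ layout (one XML file per task) is handled; on XP/2003
        (``platform.release()``) the method returns an empty list — the
        earlier COM-based attempt was never finished. For each parsable file
        the ``Command`` and ``Arguments`` of the ``Actions/Exec`` section are
        expanded and joined into ``full_path``; files with no command are
        ignored. ``UserId``/``GroupId``/``RunLevel`` from ``Principals`` are
        copied onto the ``Taskscheduler`` object, with the well-known
        LocalSystem SID (S-1-5-18) reported as ``LocalSystem``.

        When ``disable_redirection`` is set, WOW64 file-system redirection is
        turned off while walking the directory (so a 32-bit process sees the
        real ``System32\\Tasks``) and restored afterwards even on error.

        Returns:
            list of ``Taskscheduler`` objects.
        """
        tasks_list = []

        # XP / 2003 store .job files, not XML: not implemented (the old
        # win32com.taskscheduler approach was left unfinished).
        if platform.release() in ('XP', '2003'):
            return tasks_list

        wow64 = None
        if self.disable_redirection:
            wow64 = ctypes.c_long(0)
            ctypes.windll.kernel32.Wow64DisableWow64FsRedirection(
                ctypes.byref(wow64))

        try:
            if os.path.exists(self.task_directory):
                for root, dirs, files in os.walk(self.task_directory):
                    for f in files:
                        xml_file = os.path.join(root, f)
                        try:
                            tree = ET.ElementTree(file=xml_file)
                        except (ET.ParseError, EnvironmentError):
                            # not a task definition, or unreadable: skip it
                            continue

                        command = ''
                        arguments = ''
                        userid = ''
                        groupid = ''
                        runlevel = ''

                        # Tags are namespaced, hence the substring matching.
                        for xml in tree.getroot():
                            tag = xml.tag.lower()

                            # Principals: the account the task runs under
                            if 'principals' in tag:
                                for child in xml:
                                    if 'principal' in child.tag.lower():
                                        for principal in child:
                                            ptag = principal.tag.lower()
                                            if 'userid' in ptag:
                                                userid = principal.text
                                            elif 'groupid' in ptag:
                                                groupid = principal.text
                                            elif 'runlevel' in ptag:
                                                runlevel = principal.text

                            # Actions/Exec: executable and its arguments
                            if 'actions' in tag:
                                for child in xml:
                                    if 'exec' in child.tag.lower():
                                        for execution in child:
                                            etag = execution.tag.lower()
                                            # an empty element has text None;
                                            # expandvars(None) would raise
                                            if 'command' in etag:
                                                command = os.path.expandvars(
                                                    execution.text or '')
                                            elif 'arguments' in etag:
                                                arguments = os.path.expandvars(
                                                    execution.text or '')

                        full_path = '%s %s' % (str(command), str(arguments))
                        full_path = full_path.strip()
                        if not full_path:
                            continue

                        t = Taskscheduler()
                        t.name = f
                        t.full_path = full_path
                        t.paths = get_path_info(t.full_path)

                        # S-1-5-18 is the well-known SID of LocalSystem
                        if userid == 'S-1-5-18':
                            t.userid = 'LocalSystem'
                        else:
                            t.userid = userid

                        t.groupid = groupid
                        t.runlevel = runlevel

                        # append the task to the main tasklist
                        tasks_list.append(t)
        finally:
            # Re-enable redirection whatever happened above, otherwise the
            # rest of the process keeps seeing the 64-bit view.
            if wow64 is not None:
                ctypes.windll.kernel32.Wow64EnableWow64FsRedirection(wow64)

        return tasks_list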
コード例 #8
ファイル: from_taskscheduler.py プロジェクト: m00zh33/BeRoot
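	def tasksList(self):
		"""List scheduled tasks by parsing the XML files under ``task_directory``.

		Only the Vista+ layout (one XML file per task) is handled; on XP/2003
		(``platform.release()``) the method returns an empty list — the
		earlier COM-based attempt was never finished. For each parsable file
		the ``Command`` and ``Arguments`` of the ``Actions/Exec`` section are
		expanded and joined into ``full_path``; files with no command are
		ignored. ``UserId``/``GroupId``/``RunLevel`` from ``Principals`` are
		copied onto the ``Taskscheduler`` object, with the well-known
		LocalSystem SID (S-1-5-18) reported as ``LocalSystem``.

		When ``disable_redirection`` is set, WOW64 file-system redirection is
		turned off while walking the directory (so a 32-bit process sees the
		real ``System32\\Tasks``) and restored afterwards even on error.

		Returns:
			list of ``Taskscheduler`` objects.
		"""
		tasks_list = []

		# XP / 2003 store .job files, not XML: not implemented (the old
		# win32com.taskscheduler approach was left unfinished).
		if platform.release() in ('XP', '2003'):
			return tasks_list

		wow64 = None
		if self.disable_redirection:
			wow64 = ctypes.c_long(0)
			ctypes.windll.kernel32.Wow64DisableWow64FsRedirection(ctypes.byref(wow64))

		try:
			if os.path.exists(self.task_directory):
				for root, dirs, files in os.walk(self.task_directory):
					for f in files:
						xml_file = os.path.join(root, f)
						try:
							tree = ET.ElementTree(file=xml_file)
						except (ET.ParseError, EnvironmentError):
							# not a task definition, or unreadable: skip it
							continue

						command = ''
						arguments = ''
						userid = ''
						groupid = ''
						runlevel = ''

						# Tags are namespaced, hence the substring matching.
						for xml in tree.getroot():
							tag = xml.tag.lower()

							# Principals: the account the task runs under
							if 'principals' in tag:
								for child in xml:
									if 'principal' in child.tag.lower():
										for principal in child:
											ptag = principal.tag.lower()
											if 'userid' in ptag:
												userid = principal.text
											elif 'groupid' in ptag:
												groupid = principal.text
											elif 'runlevel' in ptag:
												runlevel = principal.text

							# Actions/Exec: executable and its arguments
							if 'actions' in tag:
								for child in xml:
									if 'exec' in child.tag.lower():
										for execution in child:
											etag = execution.tag.lower()
											# an empty element has text None;
											# expandvars(None) would raise
											if 'command' in etag:
												command = os.path.expandvars(execution.text or '')
											elif 'arguments' in etag:
												arguments = os.path.expandvars(execution.text or '')

						full_path = '%s %s' % (str(command), str(arguments))
						full_path = full_path.strip()
						if not full_path:
							continue

						t = Taskscheduler()
						t.name = f
						t.full_path = full_path
						t.paths = get_path_info(t.full_path)

						# S-1-5-18 is the well-known SID of LocalSystem
						if userid == 'S-1-5-18':
							t.userid = 'LocalSystem'
						else:
							t.userid = userid

						t.groupid = groupid
						t.runlevel = runlevel

						# append the task to the main tasklist
						tasks_list.append(t)
		finally:
			# Re-enable redirection whatever happened above, otherwise the
			# rest of the process keeps seeing the 64-bit view.
			if wow64 is not None:
				ctypes.windll.kernel32.Wow64EnableWow64FsRedirection(wow64)

		return tasks_list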