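def get_services(self, services_loaded):
    """Enumerate installed services through the Service Control Manager.

    For every service returned by ``EnumServicesStatus`` the binary path is
    read from ``QueryServiceConfig`` (index 3 of the returned tuple).  A
    service already present in *services_loaded* — matched by name and path
    through ``check_if_service_already_loaded`` — only gets its permissions
    refreshed; a new one is appended as a ``Service`` object.  Services that
    cannot be opened or queried (typically access denied) are skipped so one
    protected service does not abort the inventory.

    Args:
        services_loaded: list of ``Service`` objects collected so far
            (for instance from the registry).  It is mutated in place.

    Returns:
        The same *services_loaded* list, extended with the newly found
        services.
    """
    scm = win32service.OpenSCManager(
        None, None, win32service.SC_MANAGER_ENUMERATE_SERVICE)
    try:
        for svc in win32service.EnumServicesStatus(scm):
            short_name, display_name = svc[0], svc[1]
            try:
                handle = win32service.OpenService(
                    scm, short_name, win32service.SERVICE_QUERY_CONFIG)
                try:
                    # lpBinaryPathName is the fourth field of the config tuple.
                    full_path = win32service.QueryServiceConfig(handle)[3]
                finally:
                    win32service.CloseServiceHandle(handle)

                sv = self.check_if_service_already_loaded(
                    short_name, full_path, services_loaded)
                if sv:
                    sv.permissions = self.get_service_permissions(sv)
                    continue

                sk = Service()
                sk.name = short_name
                sk.display_name = display_name
                sk.full_path = full_path
                sk.paths = get_path_info(full_path)
                # The permissions belong to the object just built; the
                # earlier code queried ``sv`` (always None on this branch).
                sk.permissions = self.get_service_permissions(sk)
                services_loaded.append(sk)
            except Exception:
                # Best effort per service: an unreadable or malformed entry
                # is skipped rather than ending the whole enumeration.
                continue
    finally:
        win32service.CloseServiceHandle(scm)
    return services_loaded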
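def get_services(self, services_loaded):
    """Enumerate installed services through the Service Control Manager.

    Each service reported by ``EnumServicesStatus`` is opened with
    ``SERVICE_QUERY_CONFIG`` and its binary path taken from
    ``QueryServiceConfig`` (index 3).  Entries already known in
    *services_loaded* (``check_if_service_already_loaded``) only have their
    permissions refreshed; unknown ones become new ``Service`` objects.
    Services that cannot be opened or queried are skipped.

    Args:
        services_loaded: list of ``Service`` objects gathered so far; it is
            extended in place.

    Returns:
        *services_loaded*, with the newly discovered services appended.
    """
    scm = win32service.OpenSCManager(None, None, win32service.SC_MANAGER_ENUMERATE_SERVICE)

    def binary_path(name):
        """Return the binary path of service *name*, closing the handle afterwards."""
        handle = win32service.OpenService(scm, name, win32service.SERVICE_QUERY_CONFIG)
        try:
            return win32service.QueryServiceConfig(handle)[3]
        finally:
            win32service.CloseServiceHandle(handle)

    try:
        for svc in win32service.EnumServicesStatus(scm):
            try:
                short_name = svc[0]
                full_path = binary_path(short_name)
                known = self.check_if_service_already_loaded(short_name, full_path, services_loaded)
                if known:
                    known.permissions = self.get_service_permissions(known)
                else:
                    entry = Service()
                    entry.name = short_name
                    entry.display_name = svc[1]
                    entry.full_path = full_path
                    entry.paths = get_path_info(full_path)
                    # Query the permissions of the new entry itself (the previous
                    # code passed the None result of the lookup instead).
                    entry.permissions = self.get_service_permissions(entry)
                    services_loaded.append(entry)
            except Exception:
                # One service we may not inspect must not stop the inventory.
                continue
    finally:
        win32service.CloseServiceHandle(scm)
    return services_loaded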
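def get_services_from_registry(self):
    """Build the service list from HKLM\\SYSTEM\\CurrentControlSet\\Services.

    One ``Service`` is created per subkey.  For each of them the method
    records the full registry key path, whether the current user can open
    the key with write access (``is_key_writable`` then holds that key
    path), the ``DisplayName`` value, and the environment-expanded
    ``ImagePath``.  Entries whose expanded image path contains ``drivers``
    are treated as kernel drivers and get no ``full_path``.  Keys that can
    be neither written nor read are still listed by name so the inventory
    stays complete.

    Returns:
        list of ``Service`` objects, one per subkey.
    """
    access_read = (win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS
                   | win32con.KEY_QUERY_VALUE)
    access_write = (win32con.KEY_WRITE | win32con.KEY_ENUMERATE_SUB_KEYS
                    | win32con.KEY_QUERY_VALUE)
    key_format = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s"

    def query_string(skey, value_name):
        """Return the value as ``str``, or '' when it is missing or undecodable."""
        try:
            return str(win32api.RegQueryValueEx(skey, value_name)[0])
        except (win32api.error, UnicodeError):
            return ''

    service_keys = []
    hkey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE,
                               'SYSTEM\\CurrentControlSet\\Services', 0, access_read)
    try:
        for index in range(win32api.RegQueryInfoKey(hkey)[0]):
            svc = win32api.RegEnumKey(hkey, index)
            sk = Service()
            sk.name = svc
            sk.key = key_format % svc
            # A key the current user can write is the finding this inventory
            # is meant to surface (ImagePath could be redirected).
            try:
                skey = win32api.RegOpenKey(hkey, svc, 0, access_write)
                sk.is_key_writable = sk.key
            except win32api.error:
                try:
                    skey = win32api.RegOpenKey(hkey, svc, 0, access_read)
                except win32api.error:
                    # Not even readable: keep the bare entry and carry on
                    # instead of aborting the whole enumeration.
                    service_keys.append(sk)
                    continue
            try:
                display_name = query_string(skey, 'DisplayName')
                image_path = query_string(skey, 'ImagePath')
            finally:
                win32api.RegCloseKey(skey)
            if display_name:
                sk.display_name = display_name
            if image_path:
                image_path = os.path.expandvars(image_path)
                if 'drivers' not in image_path.lower():
                    sk.full_path = image_path
                    sk.paths = get_path_info(image_path)
            service_keys.append(sk)
    finally:
        win32api.RegCloseKey(hkey)
    return service_keys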
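def get_services_from_registry(self):
    """Build the service list from HKLM\\SYSTEM\\CurrentControlSet\\Services.

    Every subkey becomes a ``Service`` carrying its name, its registry key
    path, ``is_key_writable`` (the key path when the current user can open
    the key with write access, otherwise untouched), the ``DisplayName``
    value and the environment-expanded ``ImagePath``.  Expanded paths that
    contain ``drivers`` are considered kernel drivers and keep no
    ``full_path``.  Subkeys that cannot be opened at all are listed by name
    only.

    Returns:
        list of ``Service`` objects, one per subkey.
    """
    access_read = KEY_READ | KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE
    access_write = KEY_WRITE | KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE
    key_format = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s"

    def read_value(skey, value_name):
        """Return the value as ``str``; '' when absent or not representable."""
        try:
            return str(_winreg.QueryValueEx(skey, value_name)[0])
        except (OSError, UnicodeError):
            # WindowsError (missing value / access denied) is an OSError.
            return ''

    def open_subkey(svc):
        """Open *svc* for write if allowed, else for read; (handle, writable)."""
        try:
            return OpenKey(hkey, svc, 0, access_write), True
        except OSError:
            pass
        try:
            return OpenKey(hkey, svc, 0, access_read), False
        except OSError:
            return None, False

    service_keys = []
    hkey = OpenKey(HKEY_LOCAL_MACHINE, 'SYSTEM\\CurrentControlSet\\Services', 0, access_read)
    try:
        subkey_count = _winreg.QueryInfoKey(hkey)[0]
        for index in range(subkey_count):
            svc = _winreg.EnumKey(hkey, index)
            sk = Service()
            sk.name = svc
            sk.key = key_format % svc
            skey, writable = open_subkey(svc)
            if writable:
                # A writable service key is what this inventory is meant to
                # report: its ImagePath could be changed by the current user.
                sk.is_key_writable = sk.key
            if skey is None:
                # Unreadable key: keep the name so the listing stays complete.
                service_keys.append(sk)
                continue
            try:
                display_name = read_value(skey, 'DisplayName')
                image_path = read_value(skey, 'ImagePath')
            finally:
                _winreg.CloseKey(skey)
            if display_name:
                sk.display_name = display_name
            if image_path:
                image_path = os.path.expandvars(image_path)
                if 'drivers' not in image_path.lower():
                    sk.full_path = image_path
                    sk.paths = get_path_info(image_path)
            service_keys.append(sk)
    finally:
        _winreg.CloseKey(hkey)
    return service_keys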
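def get_sensitive_registry_key(self):
    """Inventory the values of the HKLM keys returned by ``definePath``.

    Each key path is first opened with write access; if that succeeds the
    key is recorded as writable by the current user (``is_key_writable``
    holds the key path), otherwise it is reopened read-only.  Keys that
    cannot be opened at all are skipped.  Every value of an opened key
    becomes a ``Registry_key`` with the key path, the value name and the
    value data (also passed to ``get_path_info`` as a path).

    Returns:
        list of ``Registry_key`` objects.
    """
    access_read = (win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS
                   | win32con.KEY_QUERY_VALUE)
    access_write = (win32con.KEY_WRITE | win32con.KEY_ENUMERATE_SUB_KEYS
                    | win32con.KEY_QUERY_VALUE)
    keys = []
    for key_path in self.definePath():
        writable = False
        try:
            hkey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE, key_path, 0, access_write)
            writable = key_path
        except win32api.error:
            try:
                hkey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE, key_path, 0, access_read)
            except win32api.error:
                # Key absent or not readable: nothing to report for it.
                continue
        try:
            # RegQueryInfoKey -> (subkeys, values, last_write); we want values.
            value_count = win32api.RegQueryInfoKey(hkey)[1]
            for index in range(value_count):
                entry = win32api.RegEnumValue(hkey, index)
                stk = Registry_key()
                if writable:
                    stk.is_key_writable = writable
                stk.key = key_path
                stk.name = entry[0]
                stk.full_path = entry[1]
                stk.paths = get_path_info(entry[1])
                keys.append(stk)
        except win32api.error:
            # Enumeration failed part-way: keep what was collected.
            pass
        finally:
            # Closed on every path; the previous code leaked the handle
            # whenever enumeration raised.
            win32api.RegCloseKey(hkey)
    return keys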
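def get_sensitive_registry_key(self):
    """Inventory the values of the HKLM keys returned by ``definePath``.

    A key that opens with write access is flagged writable by the current
    user (``is_key_writable`` is set to the key path); otherwise it is
    opened read-only, and keys that cannot be opened either way are
    skipped.  Each value of an opened key yields one ``Registry_key`` with
    the key path, the value name, the value data and ``get_path_info`` of
    that data.

    Returns:
        list of ``Registry_key`` objects.
    """
    access_read = KEY_READ | KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE
    access_write = KEY_WRITE | KEY_ENUMERATE_SUB_KEYS | KEY_QUERY_VALUE

    def open_key(key_path):
        """Return (handle, writable_flag) or (None, False) if inaccessible."""
        try:
            return OpenKey(HKEY_LOCAL_MACHINE, key_path, 0, access_write), key_path
        except OSError:
            pass
        try:
            return OpenKey(HKEY_LOCAL_MACHINE, key_path, 0, access_read), False
        except OSError:
            return None, False

    keys = []
    for key_path in self.definePath():
        hkey, writable = open_key(key_path)
        if hkey is None:
            continue
        try:
            # QueryInfoKey -> (subkeys, values, last_write); index 1 = values.
            for index in range(_winreg.QueryInfoKey(hkey)[1]):
                value = _winreg.EnumValue(hkey, index)
                stk = Registry_key()
                if writable:
                    stk.is_key_writable = writable
                stk.key = key_path
                stk.name = value[0]
                stk.full_path = value[1]
                stk.paths = get_path_info(value[1])
                keys.append(stk)
        except OSError:
            # WindowsError while enumerating: keep what was collected so far.
            pass
        finally:
            # Always release the handle, including when enumeration raised.
            _winreg.CloseKey(hkey)
    return keys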
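def tasksList(self):
    """Collect scheduled tasks from the XML files under ``task_directory``.

    On Windows XP / 2003 tasks are ``.job`` files that need the COM task
    scheduler interface; that path is not implemented and an empty list is
    returned.  On later versions every file below ``self.task_directory``
    is parsed as a task XML document: the ``Principals`` section provides
    the account the task runs as (``UserId``, ``GroupId``, ``RunLevel``),
    the ``Actions/Exec`` section provides the command and its arguments.
    Files that are not readable or not well-formed XML are skipped, and so
    are tasks whose command line is empty.  ``runlevel`` is recorded but
    not filtered on.

    When ``self.disable_redirection`` is true, WOW64 file-system redirection
    is switched off for the directory walk so a 32-bit process sees the
    real ``System32`` task tree; it is restored afterwards even if the walk
    raises.

    Returns:
        list of ``Taskscheduler`` objects.
    """
    tasks_list = []
    if platform.release() == 'XP' or platform.release() == '2003':
        # .job files (ITaskScheduler COM interface) are not handled.
        return tasks_list

    def parse_task(xml_file):
        """Return (command, arguments, userid, groupid, runlevel) or None."""
        try:
            xmlroot = ET.parse(xml_file).getroot()
        except (ET.ParseError, IOError, OSError):
            return None
        command = arguments = userid = groupid = runlevel = ''
        for section in xmlroot:
            # Tags are namespaced ("{ns}Principals"), hence substring matching.
            tag = section.tag.lower()
            if 'principals' in tag:
                for child in section:
                    if 'principal' not in child.tag.lower():
                        continue
                    for principal in child:
                        ptag = principal.tag.lower()
                        if 'userid' in ptag:
                            userid = principal.text
                        elif 'groupid' in ptag:
                            groupid = principal.text
                        elif 'runlevel' in ptag:
                            runlevel = principal.text
            if 'actions' in tag:
                for child in section:
                    if 'exec' not in child.tag.lower():
                        continue
                    for execution in child:
                        etag = execution.tag.lower()
                        # ``or ''``: an empty element has text None, which
                        # expandvars rejects.
                        if 'command' in etag:
                            command = os.path.expandvars(execution.text or '')
                        elif 'arguments' in etag:
                            arguments = os.path.expandvars(execution.text or '')
        return command, arguments, userid, groupid, runlevel

    wow64 = None
    if self.disable_redirection:
        wow64 = ctypes.c_long(0)
        ctypes.windll.kernel32.Wow64DisableWow64FsRedirection(ctypes.byref(wow64))
    try:
        if os.path.exists(self.task_directory):
            for root, _dirs, files in os.walk(self.task_directory):
                for f in files:
                    parsed = parse_task(os.path.join(root, f))
                    if parsed is None:
                        continue
                    command, arguments, userid, groupid, runlevel = parsed
                    full_path = ('%s %s' % (str(command), str(arguments))).strip()
                    if not full_path:
                        continue
                    t = Taskscheduler()
                    t.name = f
                    t.full_path = full_path
                    t.paths = get_path_info(t.full_path)
                    # S-1-5-18 is the well-known SID of the LocalSystem account.
                    if userid == 'S-1-5-18':
                        t.userid = 'LocalSystem'
                    else:
                        t.userid = userid
                    t.groupid = groupid
                    t.runlevel = runlevel
                    tasks_list.append(t)
    finally:
        if wow64 is not None:
            ctypes.windll.kernel32.Wow64EnableWow64FsRedirection(wow64)
    return tasks_list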
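def tasksList(self):
    """Collect scheduled tasks from the XML files under ``task_directory``.

    Windows XP / 2003 (``.job`` files, COM ``ITaskScheduler``) is not
    implemented: an empty list is returned there.  Otherwise each file
    below ``self.task_directory`` is parsed as a task XML document.  The
    ``Principals`` section yields ``UserId`` / ``GroupId`` / ``RunLevel``;
    the ``Actions/Exec`` section yields the command and its arguments,
    which are joined into ``full_path``.  Unreadable or malformed files and
    tasks with an empty command line are skipped; ``runlevel`` is stored
    but not used as a filter.

    With ``self.disable_redirection`` set, WOW64 file-system redirection is
    disabled around the walk (so a 32-bit process reads the real task tree)
    and re-enabled in a ``finally`` block.

    Returns:
        list of ``Taskscheduler`` objects.
    """
    tasks_list = []
    if platform.release() in ('XP', '2003'):
        # Legacy .job tasks need the COM API; not handled here.
        return tasks_list

    def principal_info(section):
        """Return (userid, groupid, runlevel) from a Principals element."""
        userid = groupid = runlevel = ''
        for child in section:
            if 'principal' not in child.tag.lower():
                continue
            for principal in child:
                name = principal.tag.lower()
                if 'userid' in name:
                    userid = principal.text
                elif 'groupid' in name:
                    groupid = principal.text
                elif 'runlevel' in name:
                    runlevel = principal.text
        return userid, groupid, runlevel

    def exec_info(section):
        """Return (command, arguments), environment-expanded, from an Actions element."""
        command = arguments = ''
        for child in section:
            if 'exec' not in child.tag.lower():
                continue
            for execution in child:
                name = execution.tag.lower()
                # Empty elements have text None; expandvars needs a string.
                if 'command' in name:
                    command = os.path.expandvars(execution.text or '')
                elif 'arguments' in name:
                    arguments = os.path.expandvars(execution.text or '')
        return command, arguments

    def build_task(xml_file, file_name):
        """Parse one task file into a Taskscheduler, or None if skipped."""
        try:
            xmlroot = ET.parse(xml_file).getroot()
        except (ET.ParseError, IOError, OSError):
            return None
        userid = groupid = runlevel = command = arguments = ''
        for section in xmlroot:
            # Element tags carry the task-schema namespace, so match by substring.
            tag = section.tag.lower()
            if 'principals' in tag:
                userid, groupid, runlevel = principal_info(section)
            if 'actions' in tag:
                command, arguments = exec_info(section)
        full_path = ('%s %s' % (str(command), str(arguments))).strip()
        if not full_path:
            return None
        t = Taskscheduler()
        t.name = file_name
        t.full_path = full_path
        t.paths = get_path_info(t.full_path)
        # S-1-5-18 is the well-known SID of LocalSystem.
        t.userid = 'LocalSystem' if userid == 'S-1-5-18' else userid
        t.groupid = groupid
        t.runlevel = runlevel
        return t

    wow64 = None
    if self.disable_redirection:
        wow64 = ctypes.c_long(0)
        ctypes.windll.kernel32.Wow64DisableWow64FsRedirection(ctypes.byref(wow64))
    try:
        if os.path.exists(self.task_directory):
            for root, _dirs, files in os.walk(self.task_directory):
                for f in files:
                    task = build_task(os.path.join(root, f), f)
                    if task is not None:
                        tasks_list.append(task)
    finally:
        if wow64 is not None:
            ctypes.windll.kernel32.Wow64EnableWow64FsRedirection(wow64)
    return tasks_list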