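def getPlugin(reg_soft, reg_nt='', reg_sys=''):
    """Collect the Winlogon ``Shell``/``Userinit``/``Taskman`` values from the SOFTWARE hive.

    Each key path in the module-level ``winlogon_list`` is opened in ``reg_soft`` and
    one record per key is appended to ``objects_list`` via ``jsonOutput``; finally
    ``outputRender`` is called.  ``reg_nt`` and ``reg_sys`` are accepted only to keep
    the plugin signature uniform and are not read here.

    A value that is absent from a key is reported as "???" instead of leaving the
    record field unset, and a key that is missing from the hive is skipped without
    aborting the remaining entries of ``winlogon_list``.
    """
    for k in winlogon_list:
        try:
            key = reg_soft.open(k)
        except Registry.RegistryKeyNotFoundException:
            # Not every Windows build carries every key: skip only this entry.
            continue
        last_write = key.timestamp()
        # Defaults so a missing value cannot raise NameError below, and so a value
        # found early in the key is not clobbered by a later, unrelated value.
        shell, shell_path = "???", "???"
        userinit, userinit_path = "???", "???"
        taskman, taskman_path = "???", "???"
        for v in key.values():
            name = v.name()
            lname = name.lower()
            if lname == "shell":
                shell, shell_path = name, v.value()
            elif lname == "userinit":
                userinit, userinit_path = name, v.value()
            elif lname == "taskman":
                taskman, taskman_path = name, v.value()
        # NOTE(review): only five value slots exist, so the Taskman data
        # (taskman_path) is not emitted -- confirm whether value_item5 should
        # carry the path rather than the value name.
        objects_list.append(jsonOutput(header,
                                       key_item=k,
                                       value_item1=shell,
                                       value_item2=shell_path,
                                       value_item3=userinit,
                                       value_item4=userinit_path,
                                       value_item5=taskman,
                                       lastwrite_time=last_write,
                                       sys_name="???"))
    outputRender(objects_list)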
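def getPlugin(reg_soft, reg_nt, reg_sys):
    """Enumerate the Run/RunOnce style autostart keys in the SYSTEM, SOFTWARE and NTUSER hives.

    Every path in ``run_entries`` is tried against each of ``reg_sys``, ``reg_soft``
    and ``reg_nt``; for each value under a key that exists, one record (value name,
    value data, key path) is appended to ``objects_list`` via ``jsonOutput``, and
    ``outputRender`` is called at the end.  Fields that cannot be read are reported
    as "???"; keys absent from a hive are skipped.
    """
    computer_name = getComputerName(reg_sys)
    reg_hives = [reg_sys, reg_soft, reg_nt]
    run_entries = [
        "Microsoft\\Windows\\CurrentVersion\\Run",
        "Microsoft\\Windows\\CurrentVersion\\RunOnce",
        "Microsoft\\Windows\\CurrentVersion\\RunOnceEx",
        "Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
        # The trailing comma here matters: without it this literal was implicitly
        # concatenated with the next one, so neither RunServicesOnce nor the
        # Wow6432Node Run key was ever opened.
        "Microsoft\\Windows\\CurrentVersion\\RunServicesOnce",
        "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
        "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
        "Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
    ]
    for k in run_entries:
        for hive in reg_hives:
            try:
                key = hive.open(k)
            except Registry.RegistryKeyNotFoundException:
                # This path does not exist in this hive; try the next hive.
                continue
            # The key's last-write time is the same for every value under it.
            try:
                last_write = str(key.timestamp())
            except Exception:
                last_write = "???"
            for v in key.values():
                try:
                    key_name = v.name()
                except Exception:
                    key_name = "???"
                try:
                    key_value = v.value()
                except Exception:
                    key_value = "???"
                objects_list.append(
                    jsonOutput(
                        header,
                        key_item=key_name,
                        value_item1=key_value,
                        value_item2=k,
                        value_item3="???",
                        value_item4="???",
                        value_item5="???",
                        lastwrite_time=last_write,
                        sys_name=computer_name,
                    )
                )
    outputRender(objects_list)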
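def getPlugin(reg_sys, reg_nt='', reg_soft=''):
    """List every service registered under the current ControlSet's ``Services`` key.

    Subkey names of ``<ControlSet>\\Services`` are collected (lower-cased) into the
    module-level ``service_list``; each service key is then reopened and its
    ``Start``, ``ImagePath``, ``DisplayName`` and ``Type`` values plus
    ``Parameters\\ServiceDll`` are emitted as one record in ``objects_list`` via
    ``jsonOutput``, after which ``outputRender`` is called.  ``reg_nt`` and
    ``reg_soft`` are accepted only for a uniform plugin signature.

    Any value that is absent or unreadable is reported as "???"; a service key that
    cannot be reopened is skipped rather than aborting the whole listing.
    """
    computer_name = getComputerName(reg_sys)
    current = getControlSet(reg_sys)

    def _value_or_unknown(key, name):
        # Read a named value's data, reporting "???" when it is absent/unreadable.
        try:
            return key.value(name).value()
        except Exception:
            return "???"

    services_root = reg_sys.open('%s\\Services' % (current))
    for service in services_root.subkeys():
        service_list.append(service.name().lower())

    for service_name in service_list:
        try:
            k = reg_sys.open('%s\\Services\\%s' % (current, service_name))
        except Registry.RegistryKeyNotFoundException:
            continue
        key_name = k.name()
        last_write = str(k.timestamp())
        type_name = _value_or_unknown(k, "Type")
        image_path = _value_or_unknown(k, "ImagePath")
        display_name = _value_or_unknown(k, "DisplayName")
        start_type = _value_or_unknown(k, "Start")
        # ServiceDll lives one level down; the Parameters subkey itself may be absent.
        try:
            service_dll = k.subkey("Parameters").value("ServiceDll").value()
        except Exception:
            service_dll = "???"
        objects_list.append(jsonOutput(header,
                                       key_item=key_name,
                                       value_item1=start_type,
                                       value_item2=image_path,
                                       value_item3=display_name,
                                       value_item4=type_name,
                                       value_item5=service_dll,
                                       lastwrite_time=last_write,
                                       sys_name=computer_name))
    outputRender(objects_list)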
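def getPlugin(reg_soft, reg_sys, reg_nt=''):
    """Summarise OS version, install date and time zone of the examined system.

    Reads ``StandardName`` from ``<ControlSet>\\Control\\TimeZoneInformation`` in
    ``reg_sys`` and ``ProductName``, ``CurrentVersion``, ``CurrentBuildNumber``,
    ``CSDVersion`` and ``InstallDate`` from ``Microsoft\\Windows NT\\CurrentVersion``
    in ``reg_soft``, appends a single record to ``objects_list`` via ``jsonOutput``
    and calls ``outputRender``.  ``reg_nt`` is accepted only for a uniform plugin
    signature.

    Every field defaults to "???" so that a value or key missing from the hive
    (different Windows build, partial image) still yields a complete record
    instead of a NameError.
    """
    computer_name = getComputerName(reg_sys)
    current = getControlSet(reg_sys)
    timezone_key = current + "\\Control\\TimeZoneInformation"
    sysinfo_key = "Microsoft\\Windows NT\\CurrentVersion"

    time_zone = "???"
    product_name = "???"
    current_version = "???"
    current_build = "???"
    csd_version = "???"
    install_date = "???"

    try:
        for v in reg_sys.open(timezone_key).values():
            # Registry value names are case-insensitive; compare lower-cased.
            if v.name().lower() == "standardname":
                time_zone = v.value()
    except Registry.RegistryKeyNotFoundException:
        pass  # no time-zone key in this SYSTEM hive; field stays "???"

    try:
        for v in reg_soft.open(sysinfo_key).values():
            name = v.name().lower()
            if name == "productname":
                product_name = v.value()
            elif name == "currentversion":
                current_version = v.value()
            elif name == "currentbuildnumber":
                current_build = v.value()
            elif name == "csdversion":
                csd_version = v.value()
            elif name == "installdate":
                # InstallDate is treated as seconds since the Unix epoch and
                # rendered in UTC; a non-numeric or out-of-range value is "???".
                try:
                    install_date = time.strftime('%a %b %d %H:%M:%S %Y (UTC)',
                                                 time.gmtime(v.value()))
                except (TypeError, ValueError, OverflowError):
                    install_date = "???"
    except Registry.RegistryKeyNotFoundException:
        pass  # no version key in this SOFTWARE hive; fields stay "???"

    objects_list.append(jsonOutput(header,
                                   key_item=product_name,
                                   value_item1=current_version,
                                   value_item2=current_build,
                                   value_item3=csd_version,
                                   value_item4=install_date,
                                   value_item5=time_zone,
                                   lastwrite_time="???",
                                   sys_name=computer_name))
    outputRender(objects_list)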
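def getPlugin(reg_sys, reg_nt='', reg_soft=''):
    """Report USB mass-storage devices recorded under ``<ControlSet>\\Enum\\USBSTOR``.

    For every device-class subkey (named like ``Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>``)
    and every serial-number subkey beneath it, one record is appended to
    ``objects_list`` via ``jsonOutput`` carrying vendor+product, the serial number
    (the part before the first ``&``) and the ``ParentIdPrefix`` value when present;
    ``outputRender`` is called at the end.  ``reg_nt`` and ``reg_soft`` are accepted
    only for a uniform plugin signature.

    The last-write time reported is that of the device-class key, not of the
    individual serial-number key.
    """
    computer_name = getComputerName(reg_sys)
    current = getControlSet(reg_sys)

    def _strip_prefix(text, prefix):
        # str.lstrip(prefix) strips *characters*, not a prefix ("Verbatim".lstrip("Ven_")
        # gives "rbatim"), so remove the prefix explicitly and only when present.
        if text.startswith(prefix):
            return text[len(prefix):]
        return text

    def _ascii(text):
        # Output is built from 8-bit strings; replace rather than crash on a
        # non-ASCII descriptor.
        return text.encode('ascii', 'replace')

    try:
        # Double backslash: a bare "\U" in this literal is an escape sequence on
        # newer interpreters.
        usbstor = reg_sys.open('%s\\Enum\\USBSTOR' % (current))
    except Registry.RegistryKeyNotFoundException:
        print("There is no USBSTOR Key.")
        usbstor = None

    if usbstor is not None:
        for k in usbstor.subkeys():
            last_write = k.timestamp()
            # Expected "Disk&Ven_..&Prod_..&Rev_.."; pad so an unusual key name
            # yields "???" fields instead of an IndexError.
            fields = k.name().split("&")
            fields += ["???"] * (4 - len(fields))
            vendor = _ascii(_strip_prefix(fields[1], "Ven_"))
            make = _ascii(_strip_prefix(fields[2], "Prod_"))
            ver = _ascii(_strip_prefix(fields[3], "Rev_"))
            for usbstorsk in k.subkeys():
                # Serial-number key; the "&0" style suffix is dropped by taking [0].
                serial_number = _ascii(usbstorsk.name()).split("&")[0]
                # ParentIdPrefix is not present on every device; default it.
                pip = "???"
                for usbstorv in usbstorsk.values():
                    if "ParentIdPrefix" in usbstorv.name():
                        pip = usbstorv.value()
                objects_list.append(jsonOutput(header,
                                               key_item=usbstor.name(),
                                               value_item1=vendor + " " + make,
                                               value_item2=serial_number,
                                               value_item3=pip,
                                               value_item4="",
                                               value_item5="",
                                               lastwrite_time=last_write,
                                               sys_name=computer_name))
    outputRender(objects_list)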
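def getPlugin(reg_soft, reg_sys='', reg_nt=''):
    """Resolve registered Browser Helper Object CLSIDs to their in-process DLLs.

    The subkey names (CLSIDs) of every key in the module-level ``bho_keys`` are
    collected into ``BHO_list``; each CLSID is then looked up under
    ``Classes\\CLSID\\<clsid>`` in ``reg_soft`` and one record with the key name and
    the ``InProcServer32`` default value is appended to ``objects_list`` via
    ``jsonOutput``, after which ``outputRender`` is called.  ``reg_sys`` and
    ``reg_nt`` are accepted only for a uniform plugin signature.

    A CLSID whose class key is absent is skipped; a class key without an
    ``InProcServer32`` subkey or default value is reported with "???" for the DLL
    path instead of being dropped.
    """
    for b in bho_keys:
        try:
            k = reg_soft.open(b)
        except Registry.RegistryKeyNotFoundException:
            continue
        for v in k.subkeys():
            BHO_list.append(v.name())

    for clsid in BHO_list:
        try:
            k = reg_soft.open("Classes\\CLSID\\%s" % (clsid))
        except Registry.RegistryKeyNotFoundException:
            # Registered as a BHO but no class entry in this hive: nothing to resolve.
            continue
        try:
            key_name = k.name()
        except Exception:
            key_name = "???"
        # Use the guarded lookup below in the record; re-reading InProcServer32
        # directly in the append raised on a missing subkey and silently dropped
        # the entry.
        try:
            key_value = k.subkey("InProcServer32").value('').value()
        except Exception:
            key_value = "???"
        try:
            last_write = str(k.timestamp())
        except Exception:
            last_write = "???"
        objects_list.append(jsonOutput(header,
                                       key_item=key_name,
                                       value_item1=key_value,
                                       value_item2="???",
                                       value_item3="???",
                                       value_item4="???",
                                       value_item5="???",
                                       lastwrite_time=last_write,
                                       sys_name="???"))
    outputRender(objects_list)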