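    def getBootKey(self):
        """Derive the 16-byte boot key (a.k.a. SYSKEY) from the SYSTEM hive.

        The key material is not stored as a registry *value*: it is hidden in
        the *class names* of four Lsa subkeys (JD, Skew1, GBG, Data) under the
        current control set. Each class name is read as 16 bytes of UTF-16LE,
        i.e. 8 ASCII hex digits; the 32 concatenated digits are unhexlified
        and the resulting 16 bytes are un-scrambled with a fixed permutation.

        Returns:
            The 16-byte boot key (``str`` on Python 2, ``bytes`` on Python 3).

        Raises:
            ValueError: if ``\\Select\\Current`` or one of the four Lsa class
                names is missing, or if the recovered key material is not
                exactly 16 bytes (malformed or non-SYSTEM hive). Previously
                these cases surfaced as an unhelpful TypeError/IndexError.
        """
        winreg = winregistry.Registry(self.__systemHive, self.__isRemote)

        # The Lsa keys live under the *current* control set; \Select says which.
        select = winreg.getValue('\\Select\\Current')
        if select is None:
            raise ValueError('\\Select\\Current not found; is this a SYSTEM hive?')
        currentControlSet = "ControlSet%03d" % select[1]

        hexDigits = ''
        for key in ['JD', 'Skew1', 'GBG', 'Data']:
            logging.debug('Retrieving class info for %s' % key)
            ans = winreg.getClass('\\%s\\Control\\Lsa\\%s' %
                                  (currentControlSet, key))
            if ans is None:
                raise ValueError('Class name for Lsa\\%s not found in hive' % key)
            # First 16 bytes = 8 UTF-16LE code units = 8 hex digits.
            hexDigits += ans[:16].decode('utf-16le')

        tmpKey = unhexlify(hexDigits)
        if len(tmpKey) != 16:
            raise ValueError('Boot key material is %d bytes, expected 16' % len(tmpKey))

        # Windows stores the bytes scrambled; this fixed permutation undoes it.
        transforms = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]

        # Slice rather than index: indexing bytes yields an int on Python 3,
        # which broke the original ``bootKey += tmpKey[i]`` accumulation.
        bootKey = b''.join(tmpKey[t:t + 1] for t in transforms)

        logging.info('Target system bootKey: 0x%s' % hexlify(bootKey))

        return bootKey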
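def main():
    """Command-line entry point: open a registry hive and run one action on it.

    Usage: ``<hive> {enum_key,enum_values,get_value,get_class,walk} -name NAME``
    (``enum_key`` also accepts ``-recursive``).

    Prints help and exits with status 1 when called with no arguments or with
    a hive but no sub-command. The hive is closed in a ``finally`` block so it
    is released even when the selected action raises.
    """
    # Init the example's logger theme
    logger.init()
    print(version.BANNER)

    parser = argparse.ArgumentParser(add_help=True, description="Reads data from registry hives.")

    parser.add_argument('hive', action='store', help='registry hive to open')
    subparsers = parser.add_subparsers(help='actions', dest='action')

    # enum_key: list the subkeys of a key, optionally recursing.
    enumkey_parser = subparsers.add_parser('enum_key', help='enumerates the subkeys of the specified open registry key')
    enumkey_parser.add_argument('-name', action='store', required=True, help='registry key')
    enumkey_parser.add_argument('-recursive', dest='recursive', action='store_true', required=False, help='recursive search (default False)')

    # enum_values: list the values stored under a key.
    enumvalues_parser = subparsers.add_parser('enum_values', help='enumerates the values for the specified open registry key')
    enumvalues_parser.add_argument('-name', action='store', required=True, help='registry key')

    # get_value: fetch the data of a single value.
    getvalue_parser = subparsers.add_parser('get_value', help='retrieves the data for the specified registry value')
    getvalue_parser.add_argument('-name', action='store', required=True, help='registry value')

    # get_class: fetch a key's class name (where e.g. the boot key material lives).
    getclass_parser = subparsers.add_parser('get_class', help='retrieves the data for the specified registry class')
    getclass_parser.add_argument('-name', action='store', required=True, help='registry class name')

    # walk: dump the tree below a key.
    walk_parser = subparsers.add_parser('walk', help='walks the registry from the name node down')
    walk_parser.add_argument('-name', action='store', required=True, help='registry class name to start walking down from')

    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    # Sub-parsers are optional by default on Python 3, so a hive with no
    # sub-command parses fine and leaves ``action`` as None; the original
    # ``options.action.upper()`` then crashed with AttributeError.
    if options.action is None:
        parser.print_help()
        sys.exit(1)

    action = options.action.upper()
    reg = winregistry.Registry(options.hive)
    try:
        if action == 'ENUM_KEY':
            print("[%s]" % options.name)
            enumKey(reg, options.name, options.recursive)
        elif action == 'ENUM_VALUES':
            enumValues(reg, options.name)
        elif action == 'GET_VALUE':
            getValue(reg, options.name)
        elif action == 'GET_CLASS':
            getClass(reg, options.name)
        elif action == 'WALK':
            walk(reg, options.name)
    finally:
        # Always release the hive, even if the action above raised.
        reg.close()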
ファイル: secretsdump.py プロジェクト: quentinhardy/LaZagne
	def checkNoLMHashPolicy(self):
		"""Return True when the SYSTEM hive's NoLmHash policy is set to 1.

		Reads ``\\<CurrentControlSet>\\Control\\Lsa\\NoLmHash``. A missing value
		is treated as 0 (LM hashes are being stored); only an exact value of 1
		counts as the policy being enabled.

		NOTE(review): this reports the policy flag only -- it does not by
		itself prove that no LM hash is present in the SAM; confirm against
		the dumped hashes.
		"""
		winreg = winregistry.Registry(self.__systemHive, self.__isRemote)
		# \Select\Current tells us which control set holds the live policy.
		controlSet = "ControlSet%03d" % winreg.getValue('\\Select\\Current')[1]

		policy = winreg.getValue('\\%s\\Control\\Lsa\\NoLmHash' % controlSet)
		flag = 0 if policy is None else policy[1]
		return flag == 1
ファイル: samparse.py プロジェクト: iiiusky/DoumoizC2
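def getBootKey(system):
    """Derive the 16-byte boot key (a.k.a. SYSKEY) from a SYSTEM hive.

    The key material is hidden in the *class names* of four Lsa subkeys
    (JD, Skew1, GBG, Data) under the current control set. Each class name is
    read as 16 bytes of UTF-16LE, i.e. 8 ASCII hex digits; the 32 concatenated
    digits are unhexlified and the resulting 16 bytes are un-scrambled with a
    fixed permutation.

    Args:
        system: the SYSTEM hive handed to ``winregistry.Registry`` with
            ``isRemote=False`` (the original comment describes this as the
            "given the files directly" case; presumably a local path).

    Returns:
        The 16-byte boot key as ``bytes``.

    Raises:
        ValueError: if ``\\Select\\Current`` or one of the four Lsa class
            names is missing, or if the recovered key material is not exactly
            16 bytes (malformed or non-SYSTEM hive). Previously these cases
            surfaced as an unhelpful TypeError/IndexError.
    """
    winreg = winregistry.Registry(system, False)

    # The Lsa keys live under the *current* control set; \Select says which.
    select = winreg.getValue('\\Select\\Current')
    if select is None:
        raise ValueError('\\Select\\Current not found; is this a SYSTEM hive?')
    currentControlSet = "ControlSet%03d" % select[1]

    hexDigits = ''
    for key in ['JD', 'Skew1', 'GBG', 'Data']:
        ans = winreg.getClass('\\%s\\Control\\Lsa\\%s' %
                              (currentControlSet, key))
        if ans is None:
            raise ValueError('Class name for Lsa\\%s not found in hive' % key)
        # First 16 bytes = 8 UTF-16LE code units = 8 hex digits.
        hexDigits += ans[:16].decode('utf-16le')

    # unhexlify accepts an ASCII str directly, so no bytes conversion is needed.
    tmpKey = unhexlify(hexDigits)
    if len(tmpKey) != 16:
        raise ValueError('Boot key material is %d bytes, expected 16' % len(tmpKey))

    # Windows stores the bytes scrambled; this fixed permutation undoes it.
    transforms = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]

    # Slice rather than index so each piece stays a 1-byte bytes object.
    return b''.join(tmpKey[t:t + 1] for t in transforms)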
ファイル: secretsdump.py プロジェクト: NEXUS2345/keimpx
    def __init__(self, hiveFile=None):
        """Bind this object to an optional registry hive.

        Args:
            hiveFile: the hive to wrap, or None to create an unbound instance
                (no registry is opened in that case). When given, a
                ``winregistry.Registry`` is opened over it with
                ``isRemote=True``.

        NOTE(review): ``isRemote=True`` on a parameter named *hiveFile*
        suggests the constructor expects a remote/file-like hive object rather
        than a local path -- confirm against the callers.
        """
        self.__hiveFile = hiveFile
        if self.__hiveFile is None:
            return
        self.__registry_hive = winregistry.Registry(self.__hiveFile,
                                                    isRemote=True)