def hive_to_json(hive_path, output_path, registry_path, timeline, hive_type, partial_hive_path, verbose): _setup_logging(verbose=verbose) registry_hive = RegistryHive(hive_path, hive_type=hive_type, partial_hive_path=partial_hive_path) if registry_path: try: name_key_entry = registry_hive.get_key(registry_path) except RegistryKeyNotFoundException as ex: logger.debug('Did not find the key: {}'.format(ex)) return else: name_key_entry = registry_hive.root if timeline and not output_path: click.secho( 'You must provide an output path if choosing timeline output!', fg='red') return if output_path: if timeline: with open(output_path, 'w') as csvfile: csvwriter = csv.DictWriter( csvfile, delimiter=',', quotechar='"', quoting=csv.QUOTE_MINIMAL, fieldnames=['timestamp', 'subkey_name', 'values_count']) csvwriter.writeheader() with progressbar( registry_hive.recurse_subkeys( name_key_entry, as_json=True)) as reg_subkeys: for entry in reg_subkeys: entry_dict = entry.__dict__ path = entry.path csvwriter.writerow({ 'subkey_name': r'{}\{}'.format(entry.path, path), 'timestamp': entry_dict['timestamp'], 'values_count': entry_dict['values_count'] }) else: dump_hive_to_json(registry_hive, output_path, name_key_entry, verbose) else: for entry in registry_hive.recurse_subkeys(name_key_entry, as_json=True): click.secho(json.dumps(attr.asdict(entry), indent=4))
def hive_to_json(hive_path, output_path, registry_path, timeline, hive_type, partial_hive_path, verbose): with logbook.NestedSetup( _get_log_handlers(verbose=verbose)).applicationbound(): registry_hive = RegistryHive(hive_path, hive_type=hive_type, partial_hive_path=partial_hive_path) if registry_path: try: name_key_entry = registry_hive.get_key(registry_path) except RegistryKeyNotFoundException as ex: logger.debug('Did not find the key: {}'.format(ex)) return else: name_key_entry = registry_hive.root if timeline and not output_path: click.secho( 'You must provide an output path if choosing timeline output!', fg='red') return if output_path: if timeline: with open(output_path, 'w') as csvfile: csvwriter = csv.DictWriter(csvfile, delimiter=',', quotechar='"', quoting=csv.QUOTE_MINIMAL, fieldnames=[ 'timestamp', 'subkey_name', 'values_count' ]) csvwriter.writeheader() for entry in tqdm( registry_hive.recurse_subkeys(name_key_entry, as_json=True)): subkey_name = entry.pop('subkey_name') path = entry.pop('path') entry['subkey_name'] = r'{}\{}'.format( path, subkey_name) entry.pop('values') csvwriter.writerow(entry) else: dump_hive_to_json(registry_hive, output_path, name_key_entry, verbose) else: for entry in registry_hive.recurse_subkeys(name_key_entry, as_json=True): click.secho(json.dumps(attr.asdict(entry), indent=4))
def test_recurse_amcache(amcache_hive): registry_hive = RegistryHive(amcache_hive) value_types = { 'REG_BINARY': 0, 'REG_DWORD': 0, 'REG_EXPAND_SZ': 0, 'REG_MULTI_SZ': 0, 'REG_NONE': 0, 'REG_QWORD': 0, 'REG_SZ': 0 } subkey_count = 0 values_count = 0 for subkey in registry_hive.recurse_subkeys(): subkey_count += 1 subkey_values = subkey.values values_count += len(subkey_values or []) if subkey_values: for x in subkey_values: value_types[x.value_type] += 1 assert subkey_count == 2105 assert values_count == 17539 assert value_types == { 'REG_BINARY': 56, 'REG_DWORD': 1656, 'REG_EXPAND_SZ': 0, 'REG_MULTI_SZ': 140, 'REG_NONE': 0, 'REG_QWORD': 1254, 'REG_SZ': 14433 }
def test_recurse_ntuser(ntuser_hive): registry_hive = RegistryHive(ntuser_hive) value_types = { 'REG_BINARY': 0, 'REG_DWORD': 0, 'REG_EXPAND_SZ': 0, 'REG_MULTI_SZ': 0, 'REG_NONE': 0, 'REG_QWORD': 0, 'REG_SZ': 0 } subkey_count = 0 values_count = 0 for subkey in registry_hive.recurse_subkeys(as_json=True): subkey_values = subkey.values subkey_count += 1 values_count += len(subkey_values or []) if subkey_values: for x in subkey_values: value_types[x['value_type']] += 1 assert subkey_count == 1812 assert values_count == 4094 assert value_types == { 'REG_BINARY': 531, 'REG_DWORD': 1336, 'REG_EXPAND_SZ': 93, 'REG_MULTI_SZ': 303, 'REG_NONE': 141, 'REG_QWORD': 54, 'REG_SZ': 1636 }
def test_recurse_ntuser(ntuser_hive): registry_hive = RegistryHive(ntuser_hive) EXPECTED_KEYS = ['path', 'subkey_name', 'timestamp', 'values', 'values_count'] value_types = { 'REG_BINARY': 0, 'REG_DWORD': 0, 'REG_EXPAND_SZ': 0, 'REG_MULTI_SZ': 0, 'REG_NONE': 0, 'REG_QWORD': 0, 'REG_SZ': 0 } subkey_count = 0 values_count = 0 for subkey in registry_hive.recurse_subkeys(as_json=True): subkey_values = subkey.values subkey_count += 1 values_count += len(subkey_values or []) if subkey_values: for x in subkey_values: value_types[x['value_type']] += 1 assert subkey_count == 2318 assert values_count == 4613 assert value_types == { 'REG_BINARY': 620, 'REG_DWORD': 1516, 'REG_EXPAND_SZ': 100, 'REG_MULTI_SZ': 309, 'REG_NONE': 141, 'REG_QWORD': 57, 'REG_SZ': 1870 }
def parse_hive(self, hive_file, hive_name, user=''): reg = RegistryHive(hive_file) for d in reg.recurse_subkeys(as_json=True): data = {} data.update({ 'timestamp': d.timestamp, 'hive_name': hive_name, 'path': d.path, 'subkey': d.subkey_name, }) if user: data['user'] = user if not d.values: yield data continue data['values_count'] = d.values_count # Store a list of dictionaries as values data['values'] = [] for v in d.values: name = v['name'].lstrip('(').rstrip(')') value_type = 'bytes' if v[ 'value_type'] == 'REG_BINARY' else 'strings' data['values'].append({ 'value': name, 'data.{}'.format(value_type): v['value'] }) yield data
def test_recurse_partial_ntuser(ntuser_software_partial): registry_hive = RegistryHive(ntuser_software_partial, hive_type=NTUSER_HIVE_TYPE, partial_hive_path=r'\Software') for subkey_count, subkey in enumerate( registry_hive.recurse_subkeys(as_json=True)): assert subkey.actual_path.startswith(registry_hive.partial_hive_path) assert subkey_count == 6395
def get_registry_tree(registry_location, registry_path): """ Return a list of dictionaries of Window registry entries found under a given registry path """ registry_hive = RegistryHive(registry_location) name_key_entry = get_registry_name_key_entry(registry_hive=registry_hive, registry_path=registry_path) if not name_key_entry: return [] return [ attr.asdict(entry) for entry in registry_hive.recurse_subkeys(name_key_entry, as_json=True) ]
def run_regipy(result_pk, filepath): """ Runs regipy on filepath """ try: registry_hive = RegistryHive(filepath) reg_json = registry_hive.recurse_subkeys(registry_hive.root, as_json=True) root = {"values": [attr.asdict(entry) for entry in reg_json]} root = json.loads(json.dumps(root).replace(r"\u0000", "")) except Exception as e: logging.error(e) root = {} ed = ExtractedDump.objects.get(result__pk=result_pk, path=filepath) ed.reg_array = root ed.save()
def get_reg_timeline(date_min, duration_hours, hivespath="."): for i in os.listdir(hivespath): #pastis if i.startswith("51") or "NTUSER" in i: print("") print("--------------------------") print(" HIVE %s" % (i)) print("--------------------------") print("") reg = RegistryHive(i) for entry in reg.recurse_subkeys(): mtime = entry.timestamp.replace(tzinfo=None) delta = date_min - mtime x = delta.total_seconds() if x > 0: continue if abs(divmod(delta.total_seconds(), 3600)[0]) > duration_hours: continue print("%s\\%s" % (entry.path, entry.subkey_name)) print("\t%s" % (entry.timestamp))
pr = cProfile.Profile() pr.enable() yield pr.disable() s = io.StringIO() sortby = SortKey.CUMULATIVE ps = pstats.Stats(pr, stream=s).sort_stats(sortby) ps.print_stats() print(s.getvalue()) @contextmanager def get_file_from_tests(file_name): path = str(Path(__file__).parent.joinpath('data').joinpath(file_name)) tempfile_path = mktemp() with open(tempfile_path, 'wb') as tmp: with lzma.open(path) as f: tmp.write(f.read()) yield tempfile_path os.remove(tempfile_path) registry_path = 'SAM.xz' logger.info(f'Iterating over all subkeys in {registry_path}') with profiling(): with get_file_from_tests(registry_path) as reg: registry_hive = RegistryHive(reg) keys = [x for x in registry_hive.recurse_subkeys()]