def reg_get_all_keys(self, hive_name, user = None, start = None, end = None, reg = False, rawtime = False): ''' This function enumerates all keys in specified hives and collects lastwrite times. ''' keys = [] if self.all_offsets == {}: self.populate_offsets() if self.current_offsets == {}: self.set_current(hive_name, user) # Collect the root keys for offset in self.current_offsets: reg_name = self.current_offsets[offset] h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset) root = rawreg.get_root(h) if not root: pass else: time = "{0}".format(root.LastWriteTime) if not rawtime else root.LastWriteTime if reg: if start and end and str(time) >= start and str(time) <= end: yield (time, reg_name, root.Name) elif start == None and end == None: yield (time, reg_name, root.Name) else: if start and end and str(time) >= start and str(time) <= end: yield (time, root.Name) elif start == None and end == None: yield (time, root.Name) for s in rawreg.subkeys(root): if reg: keys.append([s, reg_name, root.Name + "\\" + s.Name]) else: keys.append([s, root.Name + "\\" + s.Name]) # Get subkeys if reg: for k, reg_name, name in keys: time = "{0}".format(k.LastWriteTime) if not rawtime else k.LastWriteTime if start and end and str(time) >= start and str(time) <= end: yield (time, reg_name, name) elif start == None and end == None: yield (time, reg_name, name) for s in rawreg.subkeys(k): if name and s.Name: item = name + '\\' + s.Name keys.append([s, reg_name, item]) else: for k, name in keys: time = "{0}".format(k.LastWriteTime) if not rawtime else k.LastWriteTime if start and end and str(time) >= start and str(time) <= end: yield (time, name) elif start == None and end == None: yield (time, name) for s in rawreg.subkeys(k): if name and s.Name: item = name + '\\' + s.Name keys.append([s, item])
def reg_get_all_keys(self, hive_name, user = None, start = None, end = None, reg = False, rawtime = False): ''' This function enumerates all keys in specified hives and collects lastwrite times. ''' keys = [] if self.all_offsets == {}: self.populate_offsets() if self.current_offsets == {}: self.set_current(hive_name, user) # Collect the root keys for offset in self.current_offsets: reg_name = self.current_offsets[offset] h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset) root = rawreg.get_root(h) if not root: pass else: time = "{0}".format(root.LastWriteTime) if not rawtime else root.LastWriteTime if reg: if start and end and str(time) >= start and str(time) <= end: yield (time, reg_name, root.Name) elif start == None and end == None: yield (time, reg_name, root.Name) else: if start and end and str(time) >= start and str(time) <= end: yield (time, root.Name) elif start == None and end == None: yield (time, root.Name) for s in rawreg.subkeys(root): if reg: keys.append([s, reg_name, root.Name + "\\" + s.Name]) else: keys.append([s, root.Name + "\\" + s.Name]) # Get subkeys if reg: for k, reg_name, name in keys: time = "{0}".format(k.LastWriteTime) if not rawtime else root.LastWriteTime if start and end and str(time) >= start and str(time) <= end: yield (time, reg_name, name) elif start == None and end == None: yield (time, reg_name, name) for s in rawreg.subkeys(k): if name and s.Name: item = name + '\\' + s.Name keys.append([s, reg_name, item]) else: for k, name in keys: time = "{0}".format(k.LastWriteTime) if not rawtime else root.LastWriteTime if start and end and str(time) >= start and str(time) <= end: yield (time, name) elif start == None and end == None: yield (time, name) for s in rawreg.subkeys(k): if name and s.Name: item = name + '\\' + s.Name keys.append([s, item])
def render_text(self, outfd, data): for reg, key in data: if not key: if not self._config.BRUTE_FORCE: outfd.write("Unable to find requested key\n") continue outfd.write("Legend: (S) = Stable (V) = Volatile\n\n") outfd.write("Registry: {0}\n".format(reg)) outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key))) outfd.write("Last updated: {0}\n".format(key.LastWriteTime)) outfd.write("\n") outfd.write("Subkeys:\n") for s in rawreg.subkeys(key): if s.Name == None: outfd.write(" Unknown subkey: " + s.Name.reason + "\n") else: outfd.write(" {1:3s} {0}\n".format(s.Name, self.voltext(s))) outfd.write("\n") outfd.write("Values:\n") for v in rawreg.values(key): tp, dat = rawreg.value_data(v) if tp == 'REG_BINARY': dat = "\n" + hd(dat, length = 16) if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']: dat = dat.encode("ascii", 'backslashreplace') if tp == 'REG_MULTI_SZ': for i in range(len(dat)): dat[i] = dat[i].encode("ascii", 'backslashreplace') outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(tp, v.Name, dat, self.voltext(v)))
def services_from_registry(addr_space): """Enumerate services from the cached registry hive""" services = {} plugin = hivelist.HiveList(addr_space.get_config()) for hive in plugin.calculate(): ## find the SYSTEM hive name = hive.get_name() if not name.lower().endswith("system"): continue ## get the root key hive_space = hive.address_space() root = rawreg.get_root(hive_space) if not root: break ## open the services key key = rawreg.open_key(root, ["ControlSet001", "Services"]) if not key: break ## build a dictionary of the key names for subkey in rawreg.subkeys(key): services[(str(subkey.Name).lower())] = subkey ## we don't need to keep trying break return services
def render_text(self, outfd, data): outfd.write("Legend: (S) = Stable (V) = Volatile\n\n") keyfound = False for reg, key in data: if key: keyfound = True outfd.write("----------------------------\n") outfd.write("Registry: {0}\n".format(reg)) outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key))) outfd.write("Last updated: {0}\n".format(key.LastWriteTime)) outfd.write("\n") outfd.write("Subkeys:\n") for s in rawreg.subkeys(key): if s.Name == None: outfd.write(" Unknown subkey: " + s.Name.reason + "\n") else: outfd.write(" {1:3s} {0}\n".format(s.Name, self.voltext(s))) outfd.write("\n") outfd.write("Values:\n") for v in rawreg.values(key): tp, dat = rawreg.value_data(v) if tp == 'REG_BINARY' or tp == 'REG_NONE': dat = "\n" + "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)]) if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']: dat = dat.encode("ascii", 'backslashreplace') if tp == 'REG_MULTI_SZ': for i in range(len(dat)): dat[i] = dat[i].encode("ascii", 'backslashreplace') outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(tp, v.Name, dat, self.voltext(v))) if not keyfound: outfd.write("The requested key could not be found in the hive(s) searched\n")
def calculate(self): addr_space = utils.load_as(self._config) if not self._config.HIVE_OFFSET: hive_offsets = [ h.obj_offset for h in hivelist.HiveList.calculate(self) ] else: hive_offsets = [self._config.HIVE_OFFSET] for hoff in set(hive_offsets): h = hivemod.HiveAddressSpace(addr_space, self._config, hoff) name = obj.Object("_CMHIVE", vm=addr_space, offset=hoff).get_name() root = rawreg.get_root(h) if not root: if self._config.HIVE_OFFSET: debug.error( "Unable to find root key. Is the hive offset correct?") else: if self._config.KEY: yield name, rawreg.open_key(root, self._config.KEY.split('\\')) else: for s in rawreg.subkeys(root): yield name, s
def calculate(self): addr_space = utils.load_as(self._config) #scan for registries and populate them: print "Scanning for registries...." self.populate_offsets() #set our current registry of interest and get its path #and get current control set print "Getting Current Control Set...." currentcs = "ControlSet001" self.set_current('system') for o in self.current_offsets: sysaddr = hivemod.HiveAddressSpace(addr_space, self._config, o) cs = find_control_set(sysaddr) currentcs = "ControlSet{0:03}".format(cs) #set the services root. print "Getting Services and calculating SIDs...." services = self.reg_get_key('system', currentcs + '\\' + 'Services') if services: for s in rawreg.subkeys(services): if s.Name not in servicesids.values(): sid = createservicesid(str(s.Name)) yield sid, str(s.Name) for sid in servicesids: yield sid, servicesids[sid]
def get_secrets(sysaddr, secaddr): root = rawreg.get_root(secaddr) if not root: return None bootkey = hashdump.get_bootkey(sysaddr) lsakey = get_lsa_key(secaddr, bootkey) if not bootkey or not lsakey: return None secrets_key = rawreg.open_key(root, ["Policy", "Secrets"]) if not secrets_key: return None secrets = {} for key in rawreg.subkeys(secrets_key): sec_val_key = rawreg.open_key(key, ["CurrVal"]) if not sec_val_key: continue enc_secret_value = sec_val_key.ValueList.List.dereference()[0] if not enc_secret_value: continue enc_secret = secaddr.read(enc_secret_value.Data, enc_secret_value.DataLength) if not enc_secret: continue secret = decrypt_secret(enc_secret[0xC:], lsakey) secrets[key.Name] = secret return secrets
def search_key(self, key, prefix): prefix += '\t' for subkey in rawreg.subkeys(key): if not rawreg.values(subkey): if not rawreg.subkeys(subkey): print "[-]", subkey.Name continue else: pass if subkey.Name == None: pass else: print prefix, subkey.Name self.search_key(subkey, prefix) """
def generator(self, data): path = str(data.Name) keys = [(data, path)] for key, path in keys: if key: yield (0, [f"{key.LastWriteTime}", str(path)]) for s in rawreg.subkeys(key): item = f"{path}\\{s.Name}" keys.append((s, item))
def reg_get_all_subkeys(self, hive_name, key, user = None, given_root = None): ''' This function enumerates the subkeys of the requested key ''' k = given_root if given_root != None else self.reg_get_key(hive_name, key) if k: for s in rawreg.subkeys(k): if s.Name: yield s
def generator(self, data): path = str(data.Name) keys = [(data, path)] for key, path in keys: if key: yield (0, [str("{0}".format(key.LastWriteTime)), str(path)]) for s in rawreg.subkeys(key): item = "{0}\\{1}".format(path, s.Name) keys.append((s, item))
def generator(self, data): for reg, key in data: if key: subkeys = list(rawreg.subkeys(key)) values = list(rawreg.values(key)) yield (0, [ str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), "-", "-", "-", "-", "-", "-" ]) if subkeys: for s in subkeys: if s.Name == None: yield (0, [ str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), str("Unknown subkey: {0}".format( s.Name.reason)), "-", "-", "-", "-", "-" ]) else: yield (0, [ str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), str("{0}".format(s.Name)), str("{0:3s}".format(self.voltext(s))), "-", "-", "-", "-" ]) if values: for v in values: tp, dat = rawreg.value_data(v) if tp == 'REG_BINARY' or tp == 'REG_NONE': dat = Bytes(dat) if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']: dat = dat.encode("ascii", 'backslashreplace') if tp == 'REG_MULTI_SZ': for i in range(len(dat)): dat[i] = dat[i].encode("ascii", 'backslashreplace') yield (0, [ str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), "-", "-", str(tp), str("{0}".format(v.Name)), str("{0:3s}".format(self.voltext(v))), str(dat) ])
def reg_enum_key(self, hive_name, key, user = None): ''' This function enumerates the requested key ''' k = self.reg_get_key(hive_name, key, user) if k: for s in rawreg.subkeys(k): if s.Name: item = key + '\\' + s.Name yield item
def reg_enum_key(self, hive_name, key, user=None): ''' This function enumerates the requested key ''' k = self.reg_get_key(hive_name, key, user) if k: for s in rawreg.subkeys(k): if s.Name: item = key + '\\' + s.Name yield item
def reg_enum_key(self, hive_name, key, user=None): """ This function enumerates the requested key """ k = self.reg_get_key(hive_name, key, user) if k: for s in rawreg.subkeys(k): if s.Name: item = f'{key}\\{s.Name}' yield item
def render_text(self, outfd, data): print_values = { 5: 'InstallSource', 6: 'InstallLocation', 3: 'Publisher', 1: 'DisplayName', 2: 'DisplayVersion', 4: 'InstallDate' } outfd.write("Legend: (S) = Stable (V) = Volatile\n\n") keyfound = False for reg, key in data: if key: keyfound = True outfd.write("----------------------------\n") outfd.write("Registry: {0}\n".format(reg)) outfd.write("Key name: {0} {1:3s}\n".format( key.Name, self.voltext(key))) outfd.write("Last updated: {0}\n".format(key.LastWriteTime)) outfd.write("\n") outfd.write("Subkeys:\n") for s in rawreg.subkeys(key): key_info = {} if s.Name == None: outfd.write(" Unknown subkey: " + s.Name.reason + "\n") else: key_info['Name'] = s.Name key_info['LastUpdated'] = s.LastWriteTime for v in rawreg.values(s): if v.Name not in print_values.values(): continue tp, dat = rawreg.value_data(v) if tp == 'REG_BINARY' or tp == 'REG_NONE': dat = "\n" + "\n".join([ "{0:#010x} {1:<48} {2}".format( o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat) ]) if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']: dat = dat.encode("ascii", 'backslashreplace') if tp == 'REG_MULTI_SZ': for i in range(len(dat)): dat[i] = dat[i].encode( "ascii", 'backslashreplace') key_info[str(v.Name)] = dat outfd.write("Subkey: {0}\n".format(key_info.get( 'Name', ''))) outfd.write(" LastUpdated : {0}\n".format( key_info.get('LastUpdated', ''))) for k, v in sorted(print_values.items()): val = key_info.get(v, '') if val != '': outfd.write(" {0:16}: {1}\n".format(v, val)) outfd.write("\n")
def reg_enum_key(self, hive_name, key, user = None): ''' This function enumerates the requested key ''' addr_space = utils.load_as(self._config) k = self.reg_get_key(hive_name, key, user) if k: for s in rawreg.subkeys(k): if s.Name: item = key + '\\' + s.Name yield item
def get_user_keys(samaddr): user_key_path = ["SAM", "Domains", "Account", "Users"] root = rawreg.get_root(samaddr) if not root: return [] user_key = rawreg.open_key(root, user_key_path) if not user_key: return [] return [k for k in rawreg.subkeys(user_key) if k.Name != "Names"]
def reg_get_all_subkeys(self, hive_name, key, user = None, given_root = None): ''' This function enumerates the subkeys of the requested key ''' addr_space = utils.load_as(self._config) if given_root == None: k = self.reg_get_key(hive_name, key, user) else: k = given_root if k: for s in rawreg.subkeys(k): if s.Name: yield s
def render_text(self, outfd, data): keyfound = False for win7, reg, key in data: if key: keyfound = True outfd.write("----------------------------\n") outfd.write("Registry: {0}\n".format(reg)) outfd.write("Key name: {0}\n".format(key.Name)) outfd.write("Last updated: {0}\n".format(key.LastWriteTime)) outfd.write("\n") outfd.write("Subkeys:\n") for s in rawreg.subkeys(key): if s.Name == None: outfd.write(" Unknown subkey: " + s.Name.reason + "\n") else: outfd.write(" {0}\n".format(s.Name)) outfd.write("\n") outfd.write("Values:\n") for v in rawreg.values(key): tp, dat = rawreg.value_data(v) subname = v.Name if tp == 'REG_BINARY': dat_raw = dat dat = "\n" + printkey.hd(dat, length=16) try: subname = subname.encode('rot_13') except: pass if win7: guid = subname.split("\\")[0] if guid in folder_guids: subname = subname.replace( guid, folder_guids[guid]) d = self.parse_data(dat_raw) if d != None: dat = d + dat #these types shouldn't be encountered, but are just left here in case: if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']: dat = dat.encode("ascii", 'backslashreplace') if tp == 'REG_MULTI_SZ': for i in range(len(dat)): dat[i] = dat[i].encode("ascii", 'backslashreplace') outfd.write("{0:13} {1:15} : {2:3s}\n".format( tp, subname, dat)) if not keyfound: outfd.write( "The requested key could not be found in the hive(s) searched\n" )
def render_text(self, outfd, data): keyfound = False for win7, reg, key in data: if key: keyfound = True outfd.write("----------------------------\n") outfd.write("Registry: {0}\n".format(reg)) outfd.write("Key name: {0}\n".format(key.Name)) outfd.write("Last updated: {0}\n".format(key.LastWriteTime)) outfd.write("\n") outfd.write("Subkeys:\n") for s in rawreg.subkeys(key): if s.Name == None: outfd.write(" Unknown subkey: " + s.Name.reason + "\n") else: outfd.write(" {0}\n".format(s.Name)) outfd.write("\n") outfd.write("Values:\n") for v in rawreg.values(key): tp, dat = rawreg.value_data(v) subname = v.Name if tp == 'REG_BINARY': dat_raw = dat dat = "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)]) try: subname = subname.encode('rot_13') except UnicodeDecodeError: pass if win7: guid = subname.split("\\")[0] if guid in folder_guids: subname = subname.replace(guid, folder_guids[guid]) d = self.parse_data(dat_raw) if d != None: dat = d + dat else: dat = "\n" + dat #these types shouldn't be encountered, but are just left here in case: if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']: dat = dat.encode("ascii", 'backslashreplace') if tp == 'REG_MULTI_SZ': for i in range(len(dat)): dat[i] = dat[i].encode("ascii", 'backslashreplace') outfd.write("\n{0:13} {1:15} : {2}\n".format(tp, subname, dat)) if not keyfound: outfd.write("The requested key could not be found in the hive(s) searched\n")
def parse_service_key(self, service_key): service_dict = self.dict_for_key(service_key) name = str(service_key.Name) display_name = service_dict.get('DisplayName', "Unknown").replace('\x00', '') startup = int(service_dict.get("Start", -1)) type = int(service_dict.get("Type", -1)) image_path = service_dict.get("ImagePath", "Unknown").replace('\x00', '') timestamp = service_key.LastWriteTime # The service is run through svchost - try to resolve the parameter name entry = None if "svchost.exe -k" in image_path: parameters = None for sub in rawreg.subkeys(service_key): if sub.Name == "Parameters": parameters = self.dict_for_key(sub) timestamp = sub.LastWriteTime break if parameters: if 'ServiceDll' in parameters: entry = parameters.get("ServiceDll") main = parameters.get('ServiceMain') if main: entry += " ({})".format(main) entry = entry.replace('\x00', '') # Check if the service is set to automatically start # More details here: http://technet.microsoft.com/en-us/library/cc759637(v=ws.10).aspx if startup in [0, 1, 2]: if entry: pids = self.find_pids_for_imagepath( parameters.get("ServiceDll")) else: pids = self.find_pids_for_imagepath(image_path) return (name, timestamp, display_name, service_startup[startup], service_types[type], image_path, entry, pids)
def render_text(self, outfd, data): print_values = {5:'InstallSource', 6:'InstallLocation', 3:'Publisher', 1:'DisplayName', 2:'DisplayVersion', 4:'InstallDate'} outfd.write("Legend: (S) = Stable (V) = Volatile\n\n") keyfound = False for reg, key in data: if key: keyfound = True outfd.write("----------------------------\n") outfd.write("Registry: {0}\n".format(reg)) outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key))) outfd.write("Last updated: {0}\n".format(key.LastWriteTime)) outfd.write("\n") outfd.write("Subkeys:\n") for s in rawreg.subkeys(key): key_info = {} if s.Name == None: outfd.write(" Unknown subkey: " + s.Name.reason + "\n") else: key_info['Name'] = s.Name key_info['LastUpdated'] = s.LastWriteTime for v in rawreg.values(s): if v.Name not in print_values.values(): continue tp, dat = rawreg.value_data(v) if tp == 'REG_BINARY' or tp == 'REG_NONE': dat = "\n" + "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)]) if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']: dat = dat.encode("ascii", 'backslashreplace') if tp == 'REG_MULTI_SZ': for i in range(len(dat)): dat[i] = dat[i].encode("ascii", 'backslashreplace') key_info[str(v.Name)] = dat outfd.write("Subkey: {0}\n".format(key_info.get('Name',''))) outfd.write(" LastUpdated : {0}\n".format(key_info.get('LastUpdated',''))) for k, v in sorted(print_values.items()): val = key_info.get(v, '') if val != '': outfd.write(" {0:16}: {1}\n".format(v, val)) outfd.write("\n")
def calculate(self): # scan for registries and populate them: debug.debug("Scanning for registries....") # set our current registry of interest and get its path # and get current control set debug.debug("Getting Current Control Set....") regapi = registryapi.RegistryApi(self._config) currentcs = regapi.reg_get_currentcontrolset() if currentcs == None: currentcs = "ControlSet001" # set the services root. regapi.set_current("system") debug.debug("Getting Services and calculating SIDs....") services = regapi.reg_get_key("system", currentcs + "\\" + "Services") if services: for s in rawreg.subkeys(services): if s.Name not in servicesids.values(): sid = createservicesid(str(s.Name)) yield sid, str(s.Name) for sid in servicesids: yield sid, servicesids[sid]
def calculate(self): #scan for registries and populate them: debug.debug("Scanning for registries....") #set our current registry of interest and get its path #and get current control set debug.debug("Getting Current Control Set....") regapi = registryapi.RegistryApi(self._config) currentcs = regapi.reg_get_currentcontrolset() if currentcs == None: currentcs = "ControlSet001" #set the services root. regapi.set_current('system') debug.debug("Getting Services and calculating SIDs....") services = regapi.reg_get_key('system', currentcs + '\\' + 'Services') if services: for s in rawreg.subkeys(services): if s.Name not in servicesids.values(): sid = createservicesid(str(s.Name)) yield sid, str(s.Name) for sid in servicesids: yield sid, servicesids[sid]
def render_text(self, outfd, data): outfd.write("Legend: (S) = Stable (V) = Volatile\n\n") keyfound = False for reg, key in data: if key: keyfound = True outfd.write("----------------------------\n") outfd.write(f"Registry: {reg}\n") outfd.write(f"Key name: {key.Name} {self.voltext(key):3s}\n") outfd.write(f"Last updated: {key.LastWriteTime}\n") outfd.write("\n") outfd.write("Subkeys:\n") for s in rawreg.subkeys(key): if s.Name == None: outfd.write(f" Unknown subkey at {s.obj_offset:#x}\n") else: outfd.write(f" {self.voltext(s):3s} {s.Name}\n") outfd.write("\n") outfd.write("Values:\n") for v in rawreg.values(key): tp, dat = rawreg.value_data(v) if tp == 'REG_BINARY' or tp == 'REG_NONE': dat = "\n" + "\n".join([ f"{o:#010x} {h:<48} {''.join(c)}" for o, h, c in utils.Hexdump(dat) ]) if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']: dat = dat.encode("ascii", 'backslashreplace') if tp == 'REG_MULTI_SZ': for i in range(len(dat)): dat[i] = dat[i].encode("ascii", 'backslashreplace') outfd.write( f"{tp:13} {v.Name:15} : {self.voltext(v):3s} {dat}\n") if not keyfound: outfd.write( "The requested key could not be found in the hive(s) searched\n" )
def parse_service_key(self, service_key): service_dict = self.dict_for_key(service_key) name = str(service_key.Name) display_name = service_dict.get('DisplayName', "Unknown").replace('\x00', '') startup = int(service_dict.get("Start", -1)) type = int(service_dict.get("Type", -1)) image_path = service_dict.get("ImagePath", "Unknown").replace('\x00', '') timestamp = service_key.LastWriteTime # The service is run through svchost - try to resolve the parameter name entry = None if "svchost.exe -k" in image_path: parameters = None for sub in rawreg.subkeys(service_key): if sub.Name == "Parameters": parameters = self.dict_for_key(sub) timestamp = sub.LastWriteTime break if parameters: if 'ServiceDll' in parameters: entry = parameters.get("ServiceDll") main = parameters.get('ServiceMain') if main: entry += " ({})".format(main) entry = entry.replace('\x00', '') # Check if the service is set to automatically start # More details here: http://technet.microsoft.com/en-us/library/cc759637(v=ws.10).aspx if startup in [0, 1, 2]: if entry: pids = self.find_pids_for_imagepath(parameters.get("ServiceDll")) else: pids = self.find_pids_for_imagepath(image_path) return (name, timestamp, display_name, service_startup[startup], service_types[type], image_path, entry, pids)
def get_secrets(addr_space, sysaddr, secaddr): root = rawreg.get_root(secaddr) if not root: return None bootkey = hashdump.get_bootkey(sysaddr) lsakey = get_lsa_key(addr_space, secaddr, bootkey) if not bootkey or not lsakey: return None secrets_key = rawreg.open_key(root, ["Policy", "Secrets"]) if not secrets_key: return None secrets = {} for key in rawreg.subkeys(secrets_key): sec_val_key = rawreg.open_key(key, ["CurrVal"]) if not sec_val_key: continue enc_secret_value = sec_val_key.ValueList.List.dereference()[0] if not enc_secret_value: continue enc_secret = secaddr.read(enc_secret_value.Data, enc_secret_value.DataLength) if not enc_secret: continue if addr_space.profile.metadata.get('major', 0) == 5: secret = enc_secret[0xC:] else: secret = enc_secret secrets[key.Name] = secret return secrets
def print_key(self, outfd, keypath, key): if key.Name != None: kp = f"{keypath}\\{key.Name}" outfd.write(f"{key.LastWriteTime:20s} {kp}\n") for k in rawreg.subkeys(key): self.print_key(outfd, f"{keypath}\\{key.Name}", k)
def calculate(self): addr_space = utils.load_as(self._config) config = self._config # Determine OS # myos = config.PROFILE[:5] profile = addr_space.profile if profile.metadata.get('os', 0) == 'windows': if profile.metadata.get('major', 0) == 5 and \ profile.metadata.get('minor', 0) == 1: myos = "WinXP" elif profile.metadata.get('major', 0) == 6 and \ profile.metadata.get('minor', 0) == 1: myos = "Win7" else: debug.error("OS not supported") assert myos in regchk_by_os # Determine which checks to do if not config.CHK: checklist = [] # Default action: Do everything if not config.HIVE_NAME: myhives = regchk_by_os[myos].keys() else: # User has specified a specific hive to process htmp = ''.join(config.HIVE_NAME).lower() if not htmp in regchk_by_os[ myos ]: debug.error("Invalid Hive Name specified.") else: myhives = [ htmp ] # Specific check asked for else: check = ''.join(config.CHK).lower() if not check in chk_defn: debug.error("Invalid check specified.") # Only 1 check to do checklist = [ check ] # determine which hive this check refers to (to avoid wasting time on the other hives) for htmp1, chktmp in regchk_by_os[ myos ].iteritems(): if check in chktmp: htmp = htmp1 myhives = [ htmp ] config.remove_option("HIVE-NAME") # If user hasn't given a specific hive offset, then default is to try to process all the hives if not config.HIVE_OFFSET: hive_offsets = [(self.hive_name(h), h.obj_offset) for h in hivelist.HiveList.calculate(self)] else: hive_offsets = [("User Specified", config.HIVE_OFFSET)] # Try to process each hive in turn for hname, hoff in set(hive_offsets): h = hivemod.HiveAddressSpace(addr_space, config, hoff) root = rawreg.get_root(h) if not root: if config.HIVE_OFFSET: debug.error("Unable to find root key. Is the hive offset correct?") # Find out which hive this is hive_last_name = hname.lower().split("\\")[-1] # see if the current hive is on the list of hives the user wants to process for myhive in myhives: if not hive_last_name in (myhive, "[no name]", "user specified"): continue # Determine current controlset (if the key actually exists in this hive) ccs_key = rawreg.open_key(root, [ "CurrentControlSet" ] ) if ccs_key: ccs_v = rawreg.values(ccs_key)[ 0 ] ccs_tp, ccs_dat = rawreg.value_data(ccs_v) ccs = ccs_dat.encode("ascii", 'backslashreplace').split("\\")[-1] + "\\" # Sanity check if not ccs.lower().startswith("controlset00"): debug.error("CurrentControlSet key found but has invalid value.") else: ccs = "" # Set checklist to run the checks for this hive # If the user just wants to do 1 check then checklist has already been # set. if not config.CHK: checklist = regchk_by_os[ myos ][ myhive ] for check in checklist: chk_ccsflag, chk_key_lst, chk_msg, chk_action_list = chk_defn[check] for chk_key in chk_key_lst: if chk_ccsflag: chk_key = ccs + chk_key if check == "bho": # Do specific processing for Browser Helper Objects key = rawreg.open_key(root, chk_key.split('\\')) if key: # Pull out the class reg key for each GUID for s in rawreg.subkeys(key): # pull out the clsid for the BHO clsid = str(s.Name) if clsid == None: pass # Next read the classid reg key clsid = "Classes\\CLSID\\" + clsid yield hname, \ rawreg.open_key(root, clsid.split('\\')), \ check, \ clsid elif check == "assoc": # Do specific processing for file associations key = rawreg.open_key(root, chk_key.split('\\')) if key: # Pull out the file association values assoc_cache = {} for s in rawreg.subkeys(key): s_name = str(s.Name) # First look for an association key if s_name.startswith(r"."): # Next find the filename value for this association for v in rawreg.values(s): # force conversion to string from String object v_name = str(v.Name) if not v_name == "": continue # Have found the default value key. Now read the datafile value tp, dat = rawreg.value_data( v ) assert tp == "REG_SZ" fname = dat.encode("ascii", 'backslashreplace').rstrip("\0") # Check for cache hit if not fname in assoc_cache: # Find the filename key (which has the actual cmd shell value) cmd_shell_key = "Classes\\" + fname + "\\shell\\open\\command" assoc_cache[fname] = [ rawreg.open_key(root, cmd_shell_key.split('\\')), "{0}, File extension: {1}".format(cmd_shell_key, s_name) ] yield hname, assoc_cache[fname][0], check, assoc_cache[fname][1] break else: yield hname, \ rawreg.open_key(root, chk_key.split('\\')), \ check, \ chk_key
def generator(self, data): for reg, key in data: if key: subkeys = list(rawreg.subkeys(key)) values = list(rawreg.values(key)) yield ( 0, [ f"{reg}", f"{key.Name}", f"{self.voltext(key):3s}", f"{key.LastWriteTime}", "-", "-", "-", "-", "-", "-", ], ) if subkeys: for s in subkeys: if s.Name == None: yield ( 0, [ f"{reg}", f"{key.Name}", f"{self.voltext(key):3s}", f"{key.LastWriteTime}", f"Unknown subkey: {s.Name.reason}", "-", "-", "-", "-", "-", ], ) else: yield ( 0, [ f"{reg}", f"{key.Name}", f"{self.voltext(key):3s}", f"{key.LastWriteTime}", f"{s.Name}", f"{self.voltext(s):3s}", "-", "-", "-", "-", ], ) if values: for v in values: tp, dat = rawreg.value_data(v) if tp == 'REG_BINARY' or tp == 'REG_NONE': dat = Bytes(dat) if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']: dat = dat.encode("ascii", 'backslashreplace') if tp == 'REG_MULTI_SZ': for i in range(len(dat)): dat[i] = dat[i].encode("ascii", 'backslashreplace') yield ( 0, [ f"{reg}", f"{key.Name}", f"{self.voltext(key):3s}", f"{key.LastWriteTime}", "-", "-", f"{tp}", f"{v.Name}", f"{self.voltext(v):3s}", f"{dat}", ], )
def render_key(self, outfd, key, actions): if len(actions) > 0: action = actions[0] else: return if action == PRT_VALUE: valname = actions[1] for v in rawreg.values(key): # force conversion to string from String object v_name = str(v.Name) # Determine whether to print this value if valname[0] == "all": pass # include specified values elif valname[0] == "+": if not v_name in valname: continue # exclude specified values elif valname[0] == "-": if v_name in valname: continue else: debug.error("Pgm Error - Invalid valname render_key PRT_VALUE") self.prt_val(outfd, v) actions = actions[2:] elif action == LIST_SUBKEYS: subkey_1st = True valname = actions[1] for s in rawreg.subkeys(key): s_name = str(s.Name) # Determine whether to list this subkey if valname[0] == "all": pass # include specified keys elif valname[0] == "+": if not s_name in valname: continue # exclude specified keys elif valname[0] == "-": if s_name in valname: continue # include subkey if starts with specified value elif valname[0] == "s": if not s_name.startswith( valname[1] ): continue else: debug.error("Pgm Error - Invalid valname render_key LIST_SUBKEYS") if subkey_1st: outfd.write(" Subkeys:\n") subkey_1st = False if s_name == None: outfd.write(" Unknown subkey: " + s_name.reason + "\n") else: outfd.write(" {1:3s} {0}\n".format(s_name, self.voltext(s))) # If there is a recursive action specified for each subkey, then do it if actions[2]: self.render_key(outfd, s, actions[2]) outfd.write("\n") actions = actions[3:] # Print Windows Services elif action == PRT_SRVC: for s in rawreg.subkeys(key): v_type, v_start, v_display, v_path = ('','','','') for v in rawreg.values(s): v_name = str(v.Name) if v_name in ["Type", "DisplayName", "ImagePath", "Start" ]: tp, dat = rawreg.value_data(v) if v_name == "Type": if dat in serv_types: v_type = serv_types[dat] elif v_name == "Start": if dat in serv_starts: v_start = serv_starts[dat] elif v_name == "ImagePath": v_path = dat else: v_display = dat outfd.write("\n {0:s} {1} {2:10s} {3}".format(s.Name, v_display, self.voltext(s), s.LastWriteTime)) outfd.write("\n {0} Start= {1}, Type= {2}\n".format( v_path, v_start, v_type)) actions = actions[1:] # Data field is a Windows TimeStamp elif action == PRT_WINTIME: valname = actions[1] for v in rawreg.values(key): v_name = v.Name if v_name in valname: v_ts = obj.Object("WinTimeStamp", v.Data.v(), v.obj_vm) outfd.write(" {0} {1} \n".format(v_name, v_ts)) actions = actions[2:] # Data field is MountedDevices key value elif action == PRT_DEV: for v in rawreg.values(key): tp, dat = rawreg.value_data(v) assert tp == 'REG_BINARY' if v.DataLength == 12: hexa = ' '.join(["{0:02X}".format(ord(k)) for k in dat[:4]]) outfd.write("\n {0:15} : {1:3s}\n Drive Signature: {2}\n".format(v.Name, self.voltext(v), hexa)) elif v.DataLength > 12: dat = dat.encode("ascii", 'backslashreplace') outfd.write("\n {0:15} : {1:3s}\n {2}\n".format(v.Name, self.voltext(v), dat)) actions = actions[1:] # Access and print "shell\\open\\command" subkey value # Print value which is null-terminated Unicode string elif action == PRT_UNI: for v in rawreg.values(key): v_name = str(v.Name) if v_name.startswith("MRUList"): continue tp, dat = rawreg.value_data( v ) assert( tp == "REG_BINARY") # grab up to (but not including) the first null byte xx = dat.decode('utf-16-le', "ignore").split("\0")[0] # convert unicode to ascii yy = xx.encode("ascii", 'backslashreplace') outfd.write(" {0} {1}\n".format(v_name, yy)) actions = actions[1:] # Print Explorer UserAssist Active Desktop key elif action == PRT_USRAS: for v in rawreg.values(key): v_name = str(v.Name) if v_name.startswith("HRZR"): # Python decodes rot13 to unicode so need to convert to ascii ad_ent = v_name.decode('rot13', "ignore").encode("ascii", 'backslashreplace') outfd.write(" {0}\n".format(ad_ent)) actions = actions[1:] # Print a binary timestamp stored as low value / high value # Assumes that low value key field is specified first, followed by high value elif action == PRT_BINTIME: valname = actions[1] v_ts_lo = 0 v_ts_hi = 0 for v in rawreg.values(key): v_name = v.Name if v_name == valname[0]: tp, v_ts_lo = rawreg.value_data( v ) assert tp == "REG_DWORD" elif v_name == valname[1]: tp, v_ts_hi = rawreg.value_data( v ) assert tp == "REG_DWORD" if not v_ts_lo == 0: # Format the time for display windows_ts = (v_ts_hi << 32) | v_ts_lo if(windows_ts == 0): unix_time =0 else: unix_time = windows_ts / 10000000 # nano-sec since 16 unix_time = unix_time - 11644473600 if unix_time < 0: unix_time = 0 try: utc_display = strftime("%a %b %d %H:%M:%S %Y UTC", gmtime( unix_time )) except ValueError, e: utc_display = "Datetime conversion failure: " + str(e) outfd.write(" {0} : {1} \n".format(valname, utc_display)) actions = actions[2:]
def print_key(self, outfd, keypath, key): if key.Name != None: outfd.write("{0:20s} {1}\n".format(key.LastWriteTime, keypath + "\\" + key.Name)) for k in rawreg.subkeys(key): self.print_key(outfd, keypath + "\\" + key.Name, k)
def LoadSubKeys(self,reg,key,regObjectList): for k in rawreg.subkeys(key): r = reg + '\\' + utils._utf8_encode(k.Name) self.getregistrykeyobject(r,k,regObjectList) self.LoadSubKeys(r,k,regObjectList)
def LoadSubKeys(self, reg, key, regObjectList): for k in rawreg.subkeys(key): r = reg + '\\' + utils._utf8_encode(k.Name) self.getregistrykeyobject(r, k, regObjectList) self.LoadSubKeys(r, k, regObjectList)
def generator(self, data): for reg, key in data: if key: subkeys = list(rawreg.subkeys(key)) values = list(rawreg.values(key)) yield (0, [str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), "-", "-", "-", "-", "-", "-"]) if subkeys: for s in subkeys: if s.Name == None: yield (0, [str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), str("Unknown subkey: {0}".format(s.Name.reason)), "-", "-", "-", "-", "-"]) else: yield (0, [str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), str("{0}".format(s.Name)), str("{0:3s}".format(self.voltext(s))), "-", "-", "-", "-"]) if values: for v in values: tp, dat = rawreg.value_data(v) if tp == 'REG_BINARY' or tp == 'REG_NONE': dat = Bytes(dat) if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']: dat = dat.encode("ascii", 'backslashreplace') if tp == 'REG_MULTI_SZ': for i in range(len(dat)): dat[i] = dat[i].encode("ascii", 'backslashreplace') yield (0, [str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), "-", "-", str(tp), str("{0}".format(v.Name)), str("{0:3s}".format(self.voltext(v))), str(dat)])