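def shellbag_rec(key, bag_prefix, path_prefix):
    """
    Recursively parse the BagMRU Registry key structure into `shellbags`.

    For each key two sources of entries are read: the 'ItemPos*' values of
    the 'Bags' subkey named by the key's 'NodeSlot' value, and the numbered
    values of the key itself, each of which is parsed as a SHITEMLIST and
    then recursed into via the subkey of the same name.

    Arguments:
      `key`: The current 'BagMRU' key to recurse into.
      `bag_prefix`: A string containing the current subkey path of the
          relevant 'Bags' key. It will look something like '1\\2\\3\\4'.
          It is only carried along into the recursive calls.
      `path_prefix`: A string containing the current human-readable, file
          system path so far constructed.

    Side effects:
      Appends one dict per item to the module-level `shellbags` list and
      reads the module-level `bags_key`; diagnostics go to `g_logger`.

    Throws:
      `OverrunBufferException`: re-raised when a numbered BagMRU value
          cannot be parsed, after logging the key and value name.
    """
    try:
        # First, consider the current key, and extract shellbag items from
        # the 'Bags' subkey selected by its NodeSlot value.
        slot = key.value("NodeSlot").value()
        for bag in bags_key.subkey(str(slot)).subkeys():
            for value in bag.values():
                if "ItemPos" not in value.name():
                    continue
                block = SHITEMLIST(value.value(), 0x0, False)
                # Walk the records in the value: 8 bytes are skipped before
                # each record's size word is read, and a zero size ends the
                # list.
                offset = 0x10
                while True:
                    offset += 0x8
                    size = block.unpack_word(offset)
                    if size == 0:
                        break
                    # Records shorter than 0x15 bytes are stepped over
                    # without being parsed as an item.
                    if size >= 0x15:
                        item = block.get_item(offset)
                        shellbags.append({
                            "path": path_prefix + "\\" + item.name(),
                            "mtime": item.m_date(),
                            "atime": item.a_date(),
                            "crtime": item.cr_date(),
                            "source": bag.path() + " @ " + hex(item.offset()),
                            "regsource": bag.path() + "\\" + value.name(),
                            "klwt": key.timestamp(),
                        })
                    offset += size
    except Registry.RegistryValueNotFoundException:
        # Raised by key.value("NodeSlot") when the key carries no NodeSlot.
        g_logger.warning("Registry.RegistryValueNotFoundException")
    except Registry.RegistryKeyNotFoundException:
        # Presumably raised by bags_key.subkey() when no 'Bags' entry exists
        # for this slot.
        g_logger.warning("Registry.RegistryKeyNotFoundException")
    except Exception:
        # Narrowed from a bare `except:` so KeyboardInterrupt and SystemExit
        # still propagate; the traceback is kept so malformed hive data can
        # be triaged instead of being silently skipped.
        g_logger.exception("Unexpected error %s", sys.exc_info()[0])

    # Next, recurse into each numbered BagMRU value. The list is built up
    # front so the recursion below never iterates a live values() view.
    numbered = [v for v in key.values() if re.match(r"\d+", v.name())]
    for value in numbered:
        path = ""
        try:
            # TODO(wb): removeme
            items = SHITEMLIST(value.value(), 0, False)
            for item in items.items():
                # assume there is only one entry in the value, or take the
                # last as the path component
                path = path_prefix + "\\" + item.name()
                shellbags.append({
                    "path": path,
                    "mtime": item.m_date(),
                    "atime": item.a_date(),
                    "crtime": item.cr_date(),
                    "source": key.path() + " @ " + hex(item.offset()),
                    "regsource": key.path() + "\\" + value.name(),
                    "klwt": key.timestamp(),
                })
        except OverrunBufferException:
            # Log where parsing stopped (replaces the Python 2 print
            # statements), then propagate so the caller sees the failure.
            g_logger.error("OverrunBufferException parsing %s\\%s",
                           key.path(), value.name())
            raise
        shellbag_rec(key.subkey(value.name()),
                     bag_prefix + "\\" + value.name(), path)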
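def _shellbag_entry(path, item, key_path, key):
    """
    Build one output record for `item`.

    `path` and `key_path` are ASCII-encoded with non-ASCII characters
    replaced by '?'; the dates and the key timestamp are stringified.
    """
    return {
        "path": path.encode("ascii", "replace"),
        "mtime": str(item.m_date()),
        "atime": str(item.a_date()),
        "crtime": str(item.cr_date()),
        "key_path": key_path.encode("ascii", "replace"),
        "@timestamp": str(key.timestamp()),
    }


def shellbag_rec(key, bag_prefix, path_prefix):
    """
    Recursively parse the BagMRU Registry key structure into `shellbags`.

    For each key two sources of entries are read: the 'ItemPos*' values of
    the 'Bags' subkey named by the key's 'NodeSlot' value, and the numbered
    values of the key itself, each of which is parsed as a SHITEMLIST and
    then recursed into via the subkey of the same name.

    Arguments:
      `key`: The current 'BagMRU' key to recurse into.
      `bag_prefix`: A string containing the current subkey path of the
          relevant 'Bags' key. It will look something like '1\\2\\3\\4'.
          It is only carried along into the recursive calls.
      `path_prefix`: A string containing the current human-readable, file
          system path so far constructed.

    Side effects:
      Appends one dict per item to the module-level `shellbags` list and
      reads the module-level `bags_key`; diagnostics go to `g_logger`.

    Throws:
      `OverrunBufferException`: re-raised when a numbered BagMRU value
          cannot be parsed, after logging the key and value name.
    """
    try:
        # First, consider the current key, and extract shellbag items from
        # the 'Bags' subkey selected by its NodeSlot value.
        slot = key.value("NodeSlot").value()
        for bag in bags_key.subkey(str(slot)).subkeys():
            for value in bag.values():
                if "ItemPos" not in value.name():
                    continue
                block = SHITEMLIST(value.value(), 0x0, False)
                # Walk the records in the value: 8 bytes are skipped before
                # each record's size word is read, and a zero size ends the
                # list.
                offset = 0x10
                while True:
                    offset += 0x8
                    size = block.unpack_word(offset)
                    if size == 0:
                        break
                    # Records shorter than 0x15 bytes are stepped over
                    # without being parsed as an item.
                    if size >= 0x15:
                        item = block.get_item(offset)
                        # Fix: the original referenced `path`, which is not
                        # bound in this branch (NameError swallowed by the
                        # catch-all below), and built key_path from `key`
                        # although `value` belongs to `bag`.
                        shellbags.append(_shellbag_entry(
                            path_prefix + "\\" + item.name(),
                            item,
                            bag.path() + "\\" + value.name(),
                            key))
                    offset += size
    except Registry.RegistryValueNotFoundException:
        # Raised by key.value("NodeSlot") when the key carries no NodeSlot.
        g_logger.warning("Registry.RegistryValueNotFoundException")
    except Registry.RegistryKeyNotFoundException:
        # Presumably raised by bags_key.subkey() when no 'Bags' entry exists
        # for this slot.
        g_logger.warning("Registry.RegistryKeyNotFoundException")
    except Exception:
        # Narrowed from a bare `except:` so KeyboardInterrupt and SystemExit
        # still propagate; the traceback is kept so malformed hive data can
        # be triaged instead of being silently skipped.
        g_logger.exception("Unexpected error %s", sys.exc_info()[0])

    # Next, recurse into each numbered BagMRU value. The list is built up
    # front so the recursion below never iterates a live values() view.
    numbered = [v for v in key.values() if re.match(r"\d+", v.name())]
    for value in numbered:
        path = ""
        try:
            # TODO(wb): removeme
            items = SHITEMLIST(value.value(), 0, False)
            for item in items.items():
                # assume there is only one entry in the value, or take the
                # last as the path component
                path = path_prefix + "\\" + item.name()
                shellbags.append(_shellbag_entry(
                    path, item, key.path() + "\\" + value.name(), key))
        except OverrunBufferException:
            # Log where parsing stopped (replaces the Python 2 print
            # statements), then propagate so the caller sees the failure.
            g_logger.error("OverrunBufferException parsing %s\\%s",
                           key.path(), value.name())
            raise
        shellbag_rec(key.subkey(value.name()),
                     bag_prefix + "\\" + value.name(), path)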
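def parse_shellbags(bagmru_key, bags_key, key, bag_pre, path_pre):
    """
    Recursively parse a BagMRU key into the module-level `shellbag_list`.

    Arguments:
      `bagmru_key`: The root BagMRU key; not read here, only passed down
          unchanged into the recursive calls.
      `bags_key`: The 'Bags' key whose subkey named by `key`'s 'NodeSlot'
          value holds the 'ItemPos*' values for this folder.
      `key`: The current BagMRU key to parse.
      `bag_pre`: The 'Bags' subkey path built so far (e.g. '1\\2\\3').
      `path_pre`: The human-readable file system path built so far.

    Side effects:
      Appends one dict per item to `shellbag_list`; dates pass through
      `cvtDate`. Diagnostics are printed to stdout.

    Throws:
      `OverrunBufferException`: re-raised when a numbered BagMRU value
          cannot be parsed, after printing the key and value name.
    """
    try:
        slot = key.value("NodeSlot").value()
        for bag in bags_key.subkey(str(slot)).subkeys():
            for val in bag.values():
                if "ItemPos" not in val.name():
                    continue
                blk = SHITEMLIST(val.value(), 0, False)
                # Walk the records in the value: 8 bytes are skipped before
                # each record's size word is read, and a zero size ends the
                # list.
                offset = 0x10
                while True:
                    offset += 0x8
                    # Fix: the original read `block.unpack_word(...)`, an
                    # unbound name, so every ItemPos value died with a
                    # NameError that the catch-all below hid as "[-] error".
                    size = blk.unpack_word(offset)
                    if size == 0:
                        break
                    # Records shorter than 0x15 bytes are stepped over
                    # without being parsed as an item.
                    if size >= 0x15:
                        item = blk.get_item(offset)
                        shellbag_list.append({
                            "path": path_pre + "\\" + item.name(),
                            "mtime": cvtDate(item.m_date()),
                            "atime": cvtDate(item.a_date()),
                            "crtime": cvtDate(item.cr_date()),
                            "source": bag.path() + " @ " + hex(item.offset()),
                            "regsource": bag.path() + "\\" + val.name(),
                            "klwt": cvtDate(key.timestamp()),
                        })
                    offset += size
    except Registry.RegistryValueNotFoundException:
        # A key without a NodeSlot value has no 'Bags' entries; best effort.
        pass
    except Registry.RegistryKeyNotFoundException:
        print("[-] no key")
    except Exception as exc:
        # Narrowed from a bare `except:` so KeyboardInterrupt and SystemExit
        # still propagate, and the reason is reported instead of discarded.
        print("[-] error: %s" % exc)

    # Recurse into each numbered BagMRU value; the list is built up front so
    # the recursion never iterates a live values() view.
    numbered = [v for v in key.values() if re.match(r"\d+", v.name())]
    for val in numbered:
        path = ""
        try:
            lst = SHITEMLIST(val.value(), 0, False)
            for item in lst.items():
                # The last item in the value becomes the path component.
                path = path_pre + "\\" + item.name()
                shellbag_list.append({
                    "path": path,
                    "mtime": cvtDate(item.m_date()),
                    "atime": cvtDate(item.a_date()),
                    "crtime": cvtDate(item.cr_date()),
                    "source": key.path() + " @ " + hex(item.offset()),
                    # Mirrors the ItemPos record above so every entry names
                    # the registry value it came from.
                    "regsource": key.path() + "\\" + val.name(),
                    "klwt": cvtDate(key.timestamp()),
                })
        except OverrunBufferException:
            # Report where parsing stopped, then propagate.
            print(key.path())
            print(val.name())
            raise
        parse_shellbags(bagmru_key, bags_key, key.subkey(val.name()),
                        bag_pre + "\\" + val.name(), path)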