def calculate(self): sys_hive = registry.RegistryHive( profile=self.profile, hive_offset=self.sys_offset, kernel_address_space=self.kernel_address_space) security_hive = registry.RegistryHive( profile=self.profile, hive_offset=self.security_offset, kernel_address_space=self.kernel_address_space) return lsasecrets.get_secrets(sys_hive, security_hive)
def calculate(self): sys_registry = registry.RegistryHive( profile=self.profile, hive_offset=self.sys_offset, kernel_address_space=self.kernel_address_space) sam_registry = registry.RegistryHive( profile=self.profile, hive_offset=self.sam_offset, kernel_address_space=self.kernel_address_space) return hashdump.dump_hashes(sys_registry, sam_registry)
def GenerateUsers(self): """Generates User RID keys, V and F structs for all users.""" sam_profile = SAMProfile(session=self.session) for hive_offset in self.hive_offsets: reg = registry.RegistryHive( hive_offset=hive_offset, session=self.session, kernel_address_space=self.kernel_address_space, profile=self.profile) users = reg.open_key("SAM/Domains/Account/Users") for user_rid in users.subkeys(): # The V value holds the information we are after. v_data = user_rid.open_value("V") if not v_data: continue v = sam_profile.V(vm=addrspace.BufferAddressSpace( data=v_data.DecodedData, session=self.session)) f_data = user_rid.open_value("F") f = sam_profile.F(vm=addrspace.BufferAddressSpace( data=f_data.DecodedData, session=self.session)) yield user_rid, v, f
def GenerateServices(self): for hive_offset in self.hive_offsets: reg = registry.RegistryHive( profile=self.profile, session=self.session, kernel_address_space=self.kernel_address_space, hive_offset=hive_offset) for service in reg.CurrentControlSet().open_subkey( "Services").subkeys(): yield service
def get_service_sids(self): # Search for the current_control_set in all hives. for hive_offset in self.hive_offsets: reg = registry.RegistryHive( hive_offset=hive_offset, session=self.session) current_control_set = reg.CurrentControlSet() # There is no CurrentControlSet in this hive. if not current_control_set: continue # Enumerate the services. for subkey in current_control_set.open_subkey("services").subkeys(): sid = self.createservicesid(subkey.Name) yield sid, subkey.Name
def list_keys(self): """Return the keys that match.""" seen = set() for hive_offset in self.hive_offsets: reg = registry.RegistryHive( profile=self.profile, session=self.session, kernel_address_space=self.kernel_address_space, hive_offset=hive_offset) key = reg.open_key(self.key) for subkey in self._list_keys(key): if subkey in seen: break seen.add(subkey) yield reg, subkey
def render(self, renderer): seen = set() for hive_offset in self.hive_offsets: reg = registry.RegistryHive( hive_offset=hive_offset, session=self.session, kernel_address_space=self.kernel_address_space, profile=self.profile) renderer.section() renderer.format("Hive {0}\n\n", reg.Name) renderer.table_header([("Last Written", "timestamp", "<24"), ("Key", "key", "")]) for key in self._key_iterator(reg.root, seen): renderer.table_row(key.LastWriteTime, key.Path)
def get_buildnumber(self): hive_list = self.session.profile.get_constant_object( "CmpHiveListHead", "_LIST_ENTRY") hives = list(hive_list.list_of_type("_CMHIVE", "HiveList")) reg = None for hive in hives: reg = registry.RegistryHive(profile=self.session.profile, session=self.session, hive_offset=hive) if reg.Name.find('System32\\Config\\SOFTWARE') != -1: break if not reg: raise Exception('Could not find registry key!') key = reg.open_key("Microsoft\\Windows NT\\CurrentVersion\\") # v = key.open_value("CurrentBuildNumber") return int(str(v.DecodedData).replace('\x00', ''))
def dump_hive(self, hive_offset=None, reg=None, fd=None): """Write the hive into the fd. Args: hive_offset: The virtual offset where the hive is located. reg: Optionally an instance of registry.Registry helper. If provided hive_offset is ignored. fd: The file like object we write to. """ if reg is None: reg = registry.RegistryHive( profile=self.profile, kernel_address_space=self.kernel_address_space, hive_offset=hive_offset) count = 0 for data in reg.address_space.save(): fd.write(data) count += len(data) self.session.report_progress("Dumping {0}Mb".format(count / 1024 / 1024))
def render(self, renderer): # Get all the offsets if needed. for hive_offset in self.hive_offsets: reg = registry.RegistryHive( profile=self.profile, session=self.session, kernel_address_space=self.kernel_address_space, hive_offset=hive_offset) # Make up a filename for it, should be similar to the hive name. filename = reg.Name.rsplit("\\", 1).pop() # Sanitize it. filename = re.sub(r"[^a-zA-Z0-9_\-@ ]", "_", filename) # Make up the path. renderer.section() renderer.format("Dumping {0} into \"{1}\"\n", reg.Name, filename) with renderer.open(directory=self.dump_dir, filename=filename, mode="wb") as fd: self.dump_hive(reg=reg, fd=fd) renderer.format("Dumped {0} bytes\n", fd.tell())