def do_rpc_logic(self):
try:
resp = rrp.hOpenCurrentUser(self.dce)
except Exception:
return
rrp.hBaseRegSaveKey(self.dce, resp['phKey'],
f'\\\\{self.target}\\shmores\\file')
def __retrieveHive(self, hiveName):
tmpFileName = ''.join([random.choice(string.letters) for _ in range(8)]) + '.tmp'
ans = rrp.hOpenLocalMachine(self.__rrp)
regHandle = ans['phKey']
try:
ans = rrp.hBaseRegCreateKey(self.__rrp, regHandle, hiveName)
except:
raise Exception("Can't open %s hive" % hiveName)
keyHandle = ans['phkResult']
rrp.hBaseRegSaveKey(self.__rrp, keyHandle, tmpFileName)
rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
rrp.hBaseRegCloseKey(self.__rrp, regHandle)
# Now let's open the remote file, so it can be read later
remoteFileName = RemoteFile(self.__smbConnection, 'SYSTEM32\\'+tmpFileName)
return remoteFileName
def __retrieveHive(self, hiveName):
tmpFileName = ''.join([random.choice(string.letters) for _ in range(8)]) + '.tmp'
ans = rrp.hOpenLocalMachine(self.__rrp)
regHandle = ans['phKey']
try:
ans = rrp.hBaseRegCreateKey(self.__rrp, regHandle, hiveName)
except:
raise Exception("Can't open %s hive" % hiveName)
keyHandle = ans['phkResult']
rrp.hBaseRegSaveKey(self.__rrp, keyHandle, tmpFileName)
rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
rrp.hBaseRegCloseKey(self.__rrp, regHandle)
# Now let's open the remote file, so it can be read later
remoteFileName = RemoteFile(self.__smbConnection, 'SYSTEM32\\'+tmpFileName)
return remoteFileName
def __retrieve_hive(self, hive_name):
temp_filename = '%s' % ''.join(
[random.choice(string.letters) for i in range(8)])
ans = rrp.hOpenLocalMachine(self.__rrp)
regHandle = ans['phKey']
try:
ans = rrp.hBaseRegCreateKey(self.__rrp, regHandle, hive_name)
except:
raise registryKey('Cannot open %s hive' % hive_name)
logger.debug('Saving %s hive to %s' % (hive_name, temp_filename))
keyHandle = ans['phkResult']
resp = rrp.hBaseRegSaveKey(self.__rrp, keyHandle, temp_filename)
rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
rrp.hBaseRegCloseKey(self.__rrp, regHandle)
# Open the temporary remote file, so it can be read later
# remote_fp = RemoteFile(self.smb, ntpath.join('\\', temp_filename), share=DataStore.writable_share)
remote_fp = RemoteFile(self.smb,
ntpath.join('System32', temp_filename),
share='ADMIN$')
return remote_fp
def save(self, dce, keyName):
hRootKey, subKey = self.__strip_root_key(dce, keyName)
outputFileName = "%s\%s.save" % (self.__options.outputPath, subKey)
logging.debug(
"Dumping %s, be patient it can take a while for large hives (e.g. HKLM\SYSTEM)"
% keyName)
try:
ans2 = rrp.hBaseRegOpenKey(dce,
hRootKey,
subKey,
dwOptions=rrp.REG_OPTION_BACKUP_RESTORE
| rrp.REG_OPTION_OPEN_LINK,
samDesired=rrp.KEY_READ)
rrp.hBaseRegSaveKey(dce, ans2['phkResult'], outputFileName)
logging.info("Saved %s to %s" % (keyName, outputFileName))
except Exception as e:
logging.error("Couldn't save %s: %s" % (keyName, e))
def test_hBaseRegSaveKey(self):
dce, rpctransport, phKey = self.connect()
resp = rrp.hOpenCurrentUser(dce)
resp.dump()
resp = rrp.hBaseRegSaveKey(dce,resp['phKey'],'BETUSFILE2\x00')
resp.dump()
# I gotta remove the file now :s
smb = rpctransport.get_smb_connection()
smb.deleteFile('ADMIN$', 'System32\\BETUSFILE2')
def test_hBaseRegSaveKey(self):
dce, rpctransport, phKey = self.connect()
resp = rrp.hOpenCurrentUser(dce)
resp.dump()
resp = rrp.hBaseRegSaveKey(dce, resp['phKey'], 'BETUSFILE2\x00')
resp.dump()
# I gotta remove the file now :s
smb = rpctransport.get_smb_connection()
smb.deleteFile('ADMIN$', 'System32\\BETUSFILE2')
