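def getDNS():
    """Return the DHCP-assigned DNS servers of the first adapter found.

    Returns a ``(primary_dns, secondary_dns, adapterID)`` tuple. When no
    GUID-named adapter subkey exists the result is ``(None, None, None)``.
    If ``DhcpNameServer`` does not hold exactly two space-separated
    servers, the whole value is returned as ``primary_dns`` and
    ``secondary_dns`` is an empty string.
    """

    key = "HKEY_LOCAL_MACHINE"
    # Raw strings: these paths contain "\N" and "\C", which a plain literal
    # treats as escape sequences ("\N" is a SyntaxError on Python 3).
    path_to_adapter = r"SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}"
    interface_path = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%s"

    # The first GUID-named subkey is taken as "the" adapter; enumeration
    # order is not guaranteed, so on multi-adapter hosts this may not be
    # the interface actually in use.
    adapterID = None
    for subkey in regOps.discoverSubkeys(key, path_to_adapter) or []:
        if subkey.startswith("{"):
            adapterID = subkey
            break
    if adapterID is None:
        return None, None, None

    # NOTE(review): only the DHCP-assigned value is read; a statically
    # configured "NameServer" value under the same key is not consulted.
    DNS = regOps.getRegistryValue(key, interface_path % adapterID, "DhcpNameServer")
    servers = DNS.split(" ") if DNS else []
    if len(servers) == 2:
        primary_dns, secondary_dns = servers
    else:
        primary_dns, secondary_dns = DNS, ""

    return primary_dns, secondary_dns, adapterID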
def getComponents(source_reg, target_reg, as_subkeys=True):
    """Enumerate IE components and describe each one as a dict.

    ``source_reg`` and ``target_reg`` are ``{"key": ..., "subkey": ...}``
    mappings; ``target_reg["subkey"]`` is a ``%s`` template filled with
    each entry name. With ``as_subkeys`` the entries are the subkeys of
    the source location, otherwise its value names. Every result dict has
    ``subkey``, ``objname`` (``"no name"`` when the entry's default value
    is unset) and ``exepath`` (``"file missing"`` when the target lookup is
    empty), all passed through ``smartStr.normalize``. Returns an empty
    list when nothing is found.
    """

    src_key, src_path = source_reg["key"], source_reg["subkey"]
    discover = regOps.discoverSubkeys if as_subkeys else regOps.discoverValues
    entries = discover(src_key, src_path)

    def describe(entry):
        # Default ("") value of the entry, then the executable it maps to.
        name = regOps.getRegistryValue(src_key, src_path + "\\" + entry, "") or "no name"
        path = regOps.getRegistryValue(target_reg["key"], target_reg["subkey"] % entry, "") or "file missing"
        return {
            "subkey": smartStr.normalize(entry),
            "objname": smartStr.normalize(name),
            "exepath": smartStr.normalize(path),
        }

    return [describe(entry) for entry in entries] if entries else []
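def safeBootExists():
  """Return True if the SafeBoot control key has any subkeys.

  A lookup that yields nothing (including ``None``) is reported as
  ``False`` instead of raising ``TypeError`` on ``len()``.
  """

  # Raw string: a plain literal would try to interpret "\C" and "\S" as
  # escape sequences.
  safe_boot_regs = regOps.discoverSubkeys(
    "HKEY_LOCAL_MACHINE", r"SYSTEM\CurrentControlSet\Control\SafeBoot") or []
  return len(safe_boot_regs) > 0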
def getOutcastKeys(key, subkey, whitelist):
    """List the subkeys under ``subkey`` of ``key`` that are not in ``whitelist``.

    A lookup that yields nothing is treated as an empty list, so the result
    is always a list (possibly empty), in registry enumeration order.
    """

    found = regOps.discoverSubkeys(key, subkey) or []
    return [name for name in found if name not in whitelist]
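def safeBootExists():
    """Return True if the SafeBoot control key has any subkeys.

    A lookup that yields nothing (including ``None``) is reported as
    ``False`` instead of raising ``TypeError`` on ``len()``.
    """

    # Raw string: a plain literal would try to interpret "\C" and "\S" as
    # escape sequences.
    safe_boot_regs = regOps.discoverSubkeys(
        "HKEY_LOCAL_MACHINE", r"SYSTEM\CurrentControlSet\Control\SafeBoot") or []
    return bool(safe_boot_regs)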
def getOutcastKeys(key, subkey, whitelist):
  """List the subkeys under ``subkey`` of ``key`` that are not in ``whitelist``.

  A lookup that yields nothing is treated as an empty list, so the result
  is always a list (possibly empty), in registry enumeration order.
  """

  discovered = regOps.discoverSubkeys(key, subkey) or []
  return [entry for entry in discovered if entry not in whitelist]
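def getImageFilesOptions():
  """Return ``[image_name, debugger]`` pairs for IFEO entries carrying a Debugger.

  Every subkey of Image File Execution Options that has a ``Debugger``
  value is reported, except the placeholder example entry
  ("Your Image File Name Here without a path"). Returns ``None`` when no
  entry qualifies or the key cannot be enumerated.
  """

  key = "HKEY_LOCAL_MACHINE"
  # Raw string: a plain literal would treat "\M", "\W", "\C", "\I" as escapes.
  IFEO = r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
  placeholder = "Your Image File Name Here without a path"

  suspects = []
  for subkey in regOps.discoverSubkeys(key, IFEO) or []:
    # A Debugger value redirects launches of that image to the named
    # program, so every such entry is reported for review.
    debugger = regOps.getRegistryValue(key, IFEO + "\\" + subkey, "Debugger")
    if debugger and subkey.strip() != placeholder:
      suspects.append([subkey, debugger])
  return suspects or None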
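def getImageFilesOptions():
    """Return ``[image_name, debugger]`` pairs for IFEO entries carrying a Debugger.

    Every subkey of Image File Execution Options that has a ``Debugger``
    value is reported, except the placeholder example entry
    ("Your Image File Name Here without a path"). Returns ``None`` when no
    entry qualifies or the key cannot be enumerated.
    """

    key = "HKEY_LOCAL_MACHINE"
    # Raw string: a plain literal would treat "\M", "\W", "\C", "\I" as escapes.
    IFEO = r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    placeholder = "Your Image File Name Here without a path"

    suspects = []
    for subkey in regOps.discoverSubkeys(key, IFEO) or []:
        # A Debugger value redirects launches of that image to the named
        # program, so every such entry is reported for review.
        debugger = regOps.getRegistryValue(key, IFEO + "\\" + subkey, "Debugger")
        if debugger and subkey.strip() != placeholder:
            suspects.append([subkey, debugger])
    return suspects or None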
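def getMountpoints():
  """Return ``[mountpoint, command]`` pairs for MountPoints2 entries with a shell command.

  For each entry under MountPoints2 the ``AutoRun``, ``explore`` and
  ``open`` shell commands are looked up in that order and the first
  non-empty one is reported; both fields pass through
  ``smartStr.normalize``. Returns ``None`` when nothing is found or the
  key cannot be enumerated.
  """

  main_key = "HKEY_CURRENT_USER"
  # Raw strings: a plain literal would treat "\M", "\W", "\C", "\E" as escapes.
  mountpoints_path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
  subkey = mountpoints_path + r"\%s\shell\%s\command"
  verbs = ("AutoRun", "explore", "open")

  suspects = []
  for mountpoint in regOps.discoverSubkeys(main_key, mountpoints_path) or []:
    value = None
    for verb in verbs:
      # Stop at the first verb that has a command, mirroring an "or" chain.
      value = regOps.getRegistryValue(main_key, subkey % (mountpoint, verb), "")
      if value:
        break
    if value:
      suspects.append([smartStr.normalize(mountpoint), smartStr.normalize(value)])
  return suspects or None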
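def getLSP():
  """Return ``(num_entries, lsp_list)`` for the WinSock2 protocol catalog.

  ``num_entries`` is the raw ``Num_Catalog_Entries`` value of
  Protocol_Catalog9. ``lsp_list`` holds one ``("Catalog_Entry <n>", dll_path)``
  tuple per Catalog_Entries subkey, where ``dll_path`` is the
  ``PackedCatalogItem`` value cut after the first ``.dll`` (matched
  case-insensitively; ``.dll`` is appended when none is found). Entries
  with no ``PackedCatalogItem`` value are skipped.

  Raises ``ValueError`` if a Catalog_Entries subkey name is not numeric.
  """

  key = "HKEY_LOCAL_MACHINE"
  # Raw strings: a plain literal would treat "\C", "\S", "\W", "\P" as escapes.
  catalog = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9"
  entries_path = catalog + r"\Catalog_Entries"

  num_entries = regOps.getRegistryValue(key, catalog, "Num_Catalog_Entries")

  lsp_list = []
  for folder in regOps.discoverSubkeys(key, entries_path) or []:
    folder_num = int(folder)
    packed = regOps.getRegistryValue(key, entries_path + "\\" + folder, "PackedCatalogItem")
    if not packed:
      # Nothing to extract a DLL path from.
      continue
    # The value is expected to start with the provider DLL path followed by
    # other data; keep only up to and including the first ".dll".
    cut = packed.lower().find(".dll")
    folder_path = packed[:cut + 4] if cut >= 0 else packed + ".dll"
    lsp_list.append(("Catalog_Entry %s" % folder_num, folder_path))
  return num_entries, lsp_list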
def getComponents(source_reg, target_reg, as_subkeys=True):
    """Enumerate IE components and describe each one as a dict.

    ``source_reg`` and ``target_reg`` are ``{"key": ..., "subkey": ...}``
    mappings; ``target_reg["subkey"]`` is a ``%s`` template filled with
    each entry name. With ``as_subkeys`` the entries are the subkeys of
    the source location, otherwise its value names. Every result dict has
    ``subkey``, ``objname`` (``"no name"`` when the entry's default value
    is unset) and ``exepath`` (``"file missing"`` when the target lookup is
    empty), all passed through ``smartStr.normalize``. Returns an empty
    list when nothing is found.
    """

    src_key = source_reg["key"]
    src_path = source_reg["subkey"]
    if as_subkeys:
        found = regOps.discoverSubkeys(src_key, src_path)
    else:
        found = regOps.discoverValues(src_key, src_path)
    if not found:
        return []

    components = []
    for entry in found:
        # Default ("") value of the entry, then the executable it maps to.
        objname = regOps.getRegistryValue(src_key, src_path + "\\" + entry, "")
        exepath = regOps.getRegistryValue(target_reg["key"], target_reg["subkey"] % entry, "")
        components.append({
            "subkey": smartStr.normalize(entry),
            "objname": smartStr.normalize(objname if objname else "no name"),
            "exepath": smartStr.normalize(exepath if exepath else "file missing"),
        })
    return components
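def getLSP():
    """Return ``(num_entries, lsp_list)`` for the WinSock2 protocol catalog.

    ``num_entries`` is the raw ``Num_Catalog_Entries`` value of
    Protocol_Catalog9. ``lsp_list`` holds one ``("Catalog_Entry <n>", dll_path)``
    tuple per Catalog_Entries subkey, where ``dll_path`` is the
    ``PackedCatalogItem`` value cut after the first ``.dll`` (matched
    case-insensitively; ``.dll`` is appended when none is found). Entries
    with no ``PackedCatalogItem`` value are skipped.

    Raises ``ValueError`` if a Catalog_Entries subkey name is not numeric.
    """

    key = "HKEY_LOCAL_MACHINE"
    # Raw strings: a plain literal would treat "\C", "\S", "\W", "\P" as escapes.
    catalog = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9"
    entries_path = catalog + r"\Catalog_Entries"

    num_entries = regOps.getRegistryValue(key, catalog, "Num_Catalog_Entries")

    lsp_list = []
    for folder in regOps.discoverSubkeys(key, entries_path) or []:
        folder_num = int(folder)
        packed = regOps.getRegistryValue(key, entries_path + "\\" + folder, "PackedCatalogItem")
        if not packed:
            # Nothing to extract a DLL path from.
            continue
        # The value is expected to start with the provider DLL path followed
        # by other data; keep only up to and including the first ".dll".
        cut = packed.lower().find(".dll")
        folder_path = packed[:cut + 4] if cut >= 0 else packed + ".dll"
        lsp_list.append(("Catalog_Entry %s" % folder_num, folder_path))
    return num_entries, lsp_list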
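def getDNS():
  """Return the DHCP-assigned DNS servers of the first adapter found.

  Returns a ``(primary_dns, secondary_dns, adapterID)`` tuple. When no
  GUID-named adapter subkey exists the result is ``(None, None, None)``.
  If ``DhcpNameServer`` does not hold exactly two space-separated
  servers, the whole value is returned as ``primary_dns`` and
  ``secondary_dns`` is an empty string.
  """

  key = "HKEY_LOCAL_MACHINE"
  # Raw strings: these paths contain "\N" and "\C", which a plain literal
  # treats as escape sequences ("\N" is a SyntaxError on Python 3).
  path_to_adapter = r"SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}"
  interface_path = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%s"

  # The first GUID-named subkey is taken as "the" adapter; enumeration
  # order is not guaranteed, so on multi-adapter hosts this may not be
  # the interface actually in use.
  adapterID = None
  for subkey in regOps.discoverSubkeys(key, path_to_adapter) or []:
    if subkey.startswith("{"):
      adapterID = subkey
      break
  if adapterID is None:
    return None, None, None

  # NOTE(review): only the DHCP-assigned value is read; a statically
  # configured "NameServer" value under the same key is not consulted.
  DNS = regOps.getRegistryValue(key, interface_path % adapterID, "DhcpNameServer")
  servers = DNS.split(" ") if DNS else []
  if len(servers) == 2:
    primary_dns, secondary_dns = servers
  else:
    primary_dns, secondary_dns = DNS, ""

  return primary_dns, secondary_dns, adapterID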