def calculate(self):
sys_hive = registry.RegistryHive(
profile=self.profile, hive_offset=self.sys_offset,
kernel_address_space=self.kernel_address_space)
security_hive = registry.RegistryHive(
profile=self.profile, hive_offset=self.security_offset,
kernel_address_space=self.kernel_address_space)
return lsasecrets.get_secrets(sys_hive, security_hive)
def calculate(self):
sys_registry = registry.RegistryHive(
profile=self.profile, hive_offset=self.sys_offset,
kernel_address_space=self.kernel_address_space)
sam_registry = registry.RegistryHive(
profile=self.profile, hive_offset=self.sam_offset,
kernel_address_space=self.kernel_address_space)
return hashdump.dump_hashes(sys_registry, sam_registry)
def GenerateUsers(self):
"""Generates User RID keys, V and F structs for all users."""
sam_profile = SAMProfile(session=self.session)
for hive_offset in self.hive_offsets:
reg = registry.RegistryHive(
hive_offset=hive_offset,
session=self.session,
kernel_address_space=self.kernel_address_space,
profile=self.profile)
users = reg.open_key("SAM/Domains/Account/Users")
for user_rid in users.subkeys():
# The V value holds the information we are after.
v_data = user_rid.open_value("V")
if not v_data:
continue
v = sam_profile.V(vm=addrspace.BufferAddressSpace(
data=v_data.DecodedData, session=self.session))
f_data = user_rid.open_value("F")
f = sam_profile.F(vm=addrspace.BufferAddressSpace(
data=f_data.DecodedData, session=self.session))
yield user_rid, v, f
def GenerateServices(self):
for hive_offset in self.hive_offsets:
reg = registry.RegistryHive(
profile=self.profile, session=self.session,
kernel_address_space=self.kernel_address_space,
hive_offset=hive_offset)
for service in reg.CurrentControlSet().open_subkey(
"Services").subkeys():
yield service
def get_service_sids(self):
# Search for the current_control_set in all hives.
for hive_offset in self.hive_offsets:
reg = registry.RegistryHive(
hive_offset=hive_offset, session=self.session)
current_control_set = reg.CurrentControlSet()
# There is no CurrentControlSet in this hive.
if not current_control_set: continue
# Enumerate the services.
for subkey in current_control_set.open_subkey("services").subkeys():
sid = self.createservicesid(subkey.Name)
yield sid, subkey.Name
def list_keys(self):
"""Return the keys that match."""
seen = set()
for hive_offset in self.hive_offsets:
reg = registry.RegistryHive(
profile=self.profile, session=self.session,
kernel_address_space=self.kernel_address_space,
hive_offset=hive_offset)
key = reg.open_key(self.key)
for subkey in self._list_keys(key):
if subkey in seen:
break
seen.add(subkey)
yield reg, subkey
def render(self, renderer):
seen = set()
for hive_offset in self.hive_offsets:
reg = registry.RegistryHive(
hive_offset=hive_offset, session=self.session,
kernel_address_space=self.kernel_address_space,
profile=self.profile)
renderer.section()
renderer.format("Hive {0}\n\n", reg.Name)
renderer.table_header([("Last Written", "timestamp", "<24"),
("Key", "key", "")])
for key in self._key_iterator(reg.root, seen):
renderer.table_row(key.LastWriteTime, key.Path)
def get_buildnumber(self):
hive_list = self.session.profile.get_constant_object(
"CmpHiveListHead", "_LIST_ENTRY")
hives = list(hive_list.list_of_type("_CMHIVE", "HiveList"))
reg = None
for hive in hives:
reg = registry.RegistryHive(profile=self.session.profile,
session=self.session,
hive_offset=hive)
if reg.Name.find('System32\\Config\\SOFTWARE') != -1:
break
if not reg:
raise Exception('Could not find registry key!')
key = reg.open_key("Microsoft\\Windows NT\\CurrentVersion\\") #
v = key.open_value("CurrentBuildNumber")
return int(str(v.DecodedData).replace('\x00', ''))
def dump_hive(self, hive_offset=None, reg=None, fd=None):
"""Write the hive into the fd.
Args:
hive_offset: The virtual offset where the hive is located.
reg: Optionally an instance of registry.Registry helper. If provided
hive_offset is ignored.
fd: The file like object we write to.
"""
if reg is None:
reg = registry.RegistryHive(
profile=self.profile,
kernel_address_space=self.kernel_address_space,
hive_offset=hive_offset)
count = 0
for data in reg.address_space.save():
fd.write(data)
count += len(data)
self.session.report_progress("Dumping {0}Mb".format(count / 1024 /
1024))
def render(self, renderer):
# Get all the offsets if needed.
for hive_offset in self.hive_offsets:
reg = registry.RegistryHive(
profile=self.profile, session=self.session,
kernel_address_space=self.kernel_address_space,
hive_offset=hive_offset)
# Make up a filename for it, should be similar to the hive name.
filename = reg.Name.rsplit("\\", 1).pop()
# Sanitize it.
filename = re.sub(r"[^a-zA-Z0-9_\-@ ]", "_", filename)
# Make up the path.
renderer.section()
renderer.format("Dumping {0} into \"{1}\"\n", reg.Name, filename)
with renderer.open(directory=self.dump_dir,
filename=filename,
mode="wb") as fd:
self.dump_hive(reg=reg, fd=fd)
renderer.format("Dumped {0} bytes\n", fd.tell())
