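def test(filename):
    """Hex-dump the file at *filename* and list the shell items it holds.

    The file is expected to contain a raw SHITEMLIST blob. It is opened in
    binary mode so the bytes reach the parser unchanged: the original text-mode
    open would translate line endings on Windows and corrupt the structure.

    Arguments:
      `filename`: path of the file to parse.
    Returns:
      None; everything is printed to stdout.
    """
    with open(filename, "rb") as f:
        buf = f.read()

    print hex_dump(buf)

    for index, item in enumerate(SHITEMLIST(buf, 0, False).items()):
        print "item:", index
        print "type:", item.__class__.__name__
        print "name:", item.name()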
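def test(filename):
    """Hex-dump the file at *filename* and list the shell items it holds.

    The file is expected to contain a raw SHITEMLIST blob. It is opened in
    binary mode so the bytes reach the parser unchanged: the original text-mode
    open would translate line endings on Windows and corrupt the structure.

    Arguments:
      `filename`: path of the file to parse.
    Returns:
      None; index, class name, name and modification date of every item are
      printed to stdout.
    """
    with open(filename, "rb") as f:
        buf = f.read()

    print hex_dump(buf)

    for index, item in enumerate(SHITEMLIST(buf, 0, False).items()):
        print "item:", index
        print "type:", item.__class__.__name__
        print "name:", item.name()
        print "mtime:", item.m_date()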
def test(filename):
    """Debug helper: dump the shell items stored under one fixed BagMRU key.

    Opens the hive at *filename*, reads value "0" of the hard-coded
    'BagMRU\\1\\0\\0' subkey, hex-dumps it and prints the fields of every
    item the SHITEMLIST parser yields. The short/long-name accessors (and the
    private `_off_long_name*` attributes) assume each item is a
    SHITEM_FILEENTRY; other item types will raise AttributeError.

    Arguments:
      `filename`: path of the registry hive to open.
    Returns:
      None; output goes to stdout.
    """
    hive = Registry.Registry(filename)
    bagmru = hive.open("Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\1\\0\\0")
    raw = bagmru.value("0").value()

    print hex_dump(raw)

    for index, item in enumerate(SHITEMLIST(raw, 0, False).items()):
        # Getters are evaluated lazily, one per printed line, so a failing
        # accessor still leaves the preceding fields on the console.
        fields = (
            ("item:", lambda: index),
            ("type:", lambda: item.__class__.__name__),
            ("name:", item.name),
            # its a SHITEM_FILEENTRY
            ("short name:", item.short_name),
            ("off long name:", lambda: item._off_long_name),
            ("off long name size:", lambda: item._off_long_name_size),
            ("long name size:", lambda: hex(item.long_name_size())),
        )
        for label, getter in fields:
            print label, getter()
def test(filename):
    """Debug helper: dump the shell items stored under one fixed BagMRU key.

    Opens the hive at *filename*, reads value "0" of the hard-coded
    'BagMRU\\1\\0\\0' subkey, hex-dumps it and prints the fields of every
    item the SHITEMLIST parser yields, including its modification date. The
    short/long-name accessors (and the private `_off_long_name*` attributes)
    assume each item is a SHITEM_FILEENTRY; other item types will raise
    AttributeError.

    Arguments:
      `filename`: path of the registry hive to open.
    Returns:
      None; output goes to stdout.
    """
    hive = Registry.Registry(filename)
    bagmru = hive.open("Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\1\\0\\0")
    raw = bagmru.value("0").value()

    print hex_dump(raw)

    for index, item in enumerate(SHITEMLIST(raw, 0, False).items()):
        # Getters are evaluated lazily, one per printed line, so a failing
        # accessor still leaves the preceding fields on the console.
        fields = (
            ("item:", lambda: index),
            ("type:", lambda: item.__class__.__name__),
            ("name:", item.name),
            # its a SHITEM_FILEENTRY
            ("short name:", item.short_name),
            ("off long name:", lambda: item._off_long_name),
            ("off long name size:", lambda: item._off_long_name_size),
            ("long name size:", lambda: hex(item.long_name_size())),
            ("mtime:", item.m_date),
        )
        for label, getter in fields:
            print label, getter()
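def shellbag_rec(key, bag_prefix, path_prefix):
    """
    Function to recursively parse the BagMRU Registry key structure.

    Arguments:
    `key`: The current 'BagsMRU' key to recurse into.
    `bag_prefix`: A string containing the current subkey path of the
      relevant 'Bags' key. It will look something like '1\\2\\3\\4'.
    `path_prefix` A string containing the current human-readable,
      file system path so far constructed.
    Throws:
      OverrunBufferException when a numbered BagMRU value cannot be parsed
      as a SHITEMLIST; the offending key and value name are printed first.

    Side effects: appends one dict per recovered entry to the module-level
    `shellbags` list and reads the module-level `bags_key`. The debug indent
    is always restored, even when an exception propagates out of the walk.
    """
    debug("Considering BagMRU key %s" % (key.path()))
    debug_increase_indent()
    try:
        # First, consider the current key, and extract shellbag items
        try:
            slot = key.value("NodeSlot").value()
            for bag in bags_key.subkey(str(slot)).subkeys():
                for value in bag.values():
                    if "ItemPos" not in value.name():
                        continue
                    buf = value.value()
                    debug("Slot %s ITEMPOS @ %s" % (str(slot), value.name()))
                    block = Block(buf, 0x0, False)
                    # Walk the ItemPos blob: starting at 0x10, each step reads a
                    # size word 8 bytes further on; a zero size ends the list.
                    offset = 0x10
                    while True:
                        offset += 0x8
                        size = block.unpack_word(offset)
                        if size == 0:
                            break
                        # Entries shorter than 0x15 bytes are skipped but still
                        # stepped over (presumably too small for a file entry).
                        if size >= 0x15:
                            item = ITEMPOS_FILEENTRY(buf, offset, False)
                            debug("Name: " + item.name())
                            shellbags.append({
                                "path": path_prefix + "\\" + item.name(),
                                "mtime": item.m_date(),
                                "atime": item.a_date(),
                                "crtime": item.cr_date(),
                                "source": bag.path() + " @ " + hex(item.offset()),
                                "regsource": bag.path() + "\\" + value.name(),
                                "klwt": key.timestamp()
                            })
                        offset += size
        except Registry.RegistryValueNotFoundException:
            debug("Registry.RegistryValueNotFoundException")
        except Registry.RegistryKeyNotFoundException:
            debug("Registry.RegistryKeyNotFoundException")
        except Exception:
            # Best effort: a malformed ItemPos blob must not abort the whole
            # walk, but (unlike the former bare `except:`) KeyboardInterrupt
            # and SystemExit are allowed through.
            debug("Unexpected error %s" % sys.exc_info()[0])

        # Next, recurse into each BagMRU key
        for value in key.values():
            if not re.match(r"\d+", value.name()):
                continue
            debug("BagMRU value %s (%s)" % (value.name(), key.path()))
            # `path` is handed to the recursive call below; initialise it so a
            # value with no parsable items no longer raises UnboundLocalError
            # (or silently reuses the previous value's path).
            path = ""
            try:
                # TODO(wb): removeme
                l = SHITEMLIST(value.value(), 0, False)
                for item in l.items():
                    # assume there is only one entry in the value, or take the last
                    # as the path component
                    debug("Name: " + item.name())
                    path = path_prefix + "\\" + item.name()
                    shellbags.append({
                        "path": path,
                        "mtime": item.m_date(),
                        "atime": item.a_date(),
                        "crtime": item.cr_date(),
                        "source": key.path() + " @ " + hex(item.offset()),
                        "regsource": key.path() + "\\" + value.name(),
                        "klwt": key.timestamp()
                    })
            except OverrunBufferException:
                print key.path()
                print value.name()
                raise
            shellbag_rec(key.subkey(value.name()), bag_prefix + "\\" + value.name(), path)
    finally:
        debug_decrease_indent()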
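def shellbag_rec(key, bag_prefix, path_prefix):
    """
    Function to recursively parse the BagMRU Registry key structure.

    Arguments:
    `key`: The current 'BagsMRU' key to recurse into.
    `bag_prefix`: A string containing the current subkey path of the
      relevant 'Bags' key. It will look something like '1\\2\\3\\4'.
    `path_prefix` A string containing the current human-readable,
      file system path so far constructed.
    Throws:
      OverrunBufferException when a numbered BagMRU value cannot be parsed
      as a SHITEMLIST; the offending key and value name are printed first.

    Side effects: appends one dict per recovered entry to the module-level
    `shellbags` list (paths and key paths ASCII-encoded with replacement,
    timestamps stringified), reads the module-level `bags_key` and logs
    through `g_logger`.
    """
    try:
        # First, consider the current key, and extract shellbag items
        slot = key.value("NodeSlot").value()
        for bag in bags_key.subkey(str(slot)).subkeys():
            for value in bag.values():
                if "ItemPos" not in value.name():
                    continue
                buf = value.value()
                block = SHITEMLIST(buf, 0x0, False)
                # Walk the ItemPos blob: starting at 0x10, each step reads a
                # size word 8 bytes further on; a zero size ends the list.
                offset = 0x10
                while True:
                    offset += 0x8
                    size = block.unpack_word(offset)
                    if size == 0:
                        break
                    # Entries shorter than 0x15 bytes are skipped but still
                    # stepped over (presumably too small for a file entry).
                    if size >= 0x15:
                        item = block.get_item(offset)
                        # Build the path here. The previous code read `path`,
                        # which is only assigned in the BagMRU loop below, so
                        # every ItemPos entry raised UnboundLocalError that the
                        # catch-all swallowed and no ItemPos entry was recorded.
                        path = path_prefix + "\\" + item.name()
                        shellbags.append({
                            "path": path.encode("ascii", "replace"),
                            "mtime": str(item.m_date()),
                            "atime": str(item.a_date()),
                            "crtime": str(item.cr_date()),
                            # `value` belongs to `bag`, not to `key`, so the
                            # key path must be built from the bag.
                            "key_path": (bag.path() + "\\" + value.name()).encode(
                                "ascii", "replace"),
                            "@timestamp": str(key.timestamp())
                        })
                    offset += size
    except Registry.RegistryValueNotFoundException:
        g_logger.warning("Registry.RegistryValueNotFoundException")
    except Registry.RegistryKeyNotFoundException:
        g_logger.warning("Registry.RegistryKeyNotFoundException")
    except Exception:
        # Best effort: a malformed ItemPos blob must not abort the whole walk,
        # but (unlike the former bare `except:`) KeyboardInterrupt and
        # SystemExit are allowed through.
        g_logger.warning("Unexpected error %s" % sys.exc_info()[0])

    # Next, recurse into each BagMRU key
    for value in key.values():
        if not re.match(r"\d+", value.name()):
            continue
        # Stays "" when the value yields no items; handed to the recursion.
        path = ""
        try:
            # TODO(wb): removeme
            l = SHITEMLIST(value.value(), 0, False)
            for item in l.items():
                # assume there is only one entry in the value, or take the last
                # as the path component
                path = path_prefix + "\\" + item.name()
                shellbags.append({
                    "path": path.encode("ascii", "replace"),
                    "mtime": str(item.m_date()),
                    "atime": str(item.a_date()),
                    "crtime": str(item.cr_date()),
                    "key_path": (key.path() + "\\" + value.name()).encode(
                        "ascii", "replace"),
                    "@timestamp": str(key.timestamp())
                })
        except OverrunBufferException:
            print key.path()
            print value.name()
            raise
        shellbag_rec(key.subkey(value.name()), bag_prefix + "\\" + value.name(), path)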
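def shellbag_rec(hive, key, bag_prefix, path_prefix):
    """Recursively parse the BagMRU key structure through `objRegistry`.

    This variant reads the live registry via the module-level `objRegistry`
    (StdRegProv-style API: every call returns a result code first, 0 meaning
    success) rather than an offline hive.

    Arguments:
      `hive`: hive handle passed as `hDefKey` to every registry call.
      `key`: subkey path of the BagMRU key currently being processed.
      `bag_prefix`: subkey path so far under the 'Bags' key, e.g. '1\\2\\3'.
      `path_prefix`: human-readable file system path constructed so far.
    Throws:
      OverrunBufferException when a numbered BagMRU value cannot be parsed
      as a SHITEMLIST.

    Side effects: appends one dict per recovered entry to the module-level
    `shellbags` list; reads the module-level `bags_key`.
    """

    def reg_bytes(data):
        # Binary values arrive as a sequence of byte-sized ints; join once
        # instead of growing a str one character at a time.
        return "".join(chr(b) for b in data)

    def named_values(subkey):
        # (name, type) pairs of `subkey`'s values; [] when the call fails or
        # the key has no values (EnumValues then hands back empty/None lists).
        result, names, types = objRegistry.EnumValues(hDefKey=hive, sSubKeyName=subkey)
        if result != 0 or not types:
            return []
        return zip(names, types)

    try:
        # First, consider the current key, and extract shellbag items
        for name, vtype in named_values(key):
            if name != "NodeSlot" or vtype != _winreg.REG_DWORD:
                continue
            result, slot = objRegistry.GetDWORDValue(
                hDefKey=hive, sSubKeyName=key, sValueName=name)
            if result != 0:
                continue
            slot_key = bags_key + "\\" + str(slot)
            result, subkeys = objRegistry.EnumKey(hDefKey=hive, sSubKeyName=slot_key)
            if result != 0:
                continue
            for bag in subkeys or ():
                bag_key = slot_key + "\\" + bag
                for bag_name, bag_type in named_values(bag_key):
                    if "ItemPos" not in bag_name or bag_type != _winreg.REG_BINARY:
                        continue
                    result, item_pos = objRegistry.GetBinaryValue(
                        hDefKey=hive, sSubKeyName=bag_key, sValueName=bag_name)
                    if result != 0:
                        continue
                    buf = reg_bytes(item_pos)
                    block = Block(buf, 0x0, False)
                    # Walk the ItemPos blob: starting at 0x10, each step reads
                    # a size word 8 bytes further on; a zero size ends the list.
                    offset = 0x10
                    while True:
                        offset += 0x8
                        size = block.unpack_word(offset)
                        if size == 0:
                            break
                        # Entries shorter than 0x15 bytes are skipped but still
                        # stepped over (presumably too small for a file entry).
                        if size >= 0x15:
                            item = ITEMPOS_FILEENTRY(buf, offset, False)
                            shellbags.append({
                                "path": path_prefix + "\\" + item.name(),
                                "mtime": item.m_date(),
                                "atime": item.a_date(),
                                "crtime": item.cr_date()
                            })
                        offset += size
    except Exception as ex:
        # Best effort: a malformed ItemPos blob must not abort the whole walk.
        print ex

    # Next, recurse into each BagMRU key
    for name, vtype in named_values(key):
        if not re.match(r"\d+", name) or vtype != _winreg.REG_BINARY:
            continue
        result, reg_value = objRegistry.GetBinaryValue(
            hDefKey=hive, sSubKeyName=key, sValueName=name)
        if result != 0:
            continue
        # Handed to the recursive call; initialised so a value with no items
        # no longer raises UnboundLocalError. An OverrunBufferException from
        # the parser propagates (the former except-and-reraise was a no-op).
        path = ""
        for item in SHITEMLIST(reg_bytes(reg_value), 0, False).items():
            # assume there is only one entry in the value, or take the last
            # as the path component
            path = path_prefix + "\\" + item.name()
            shellbags.append({
                "path": path,
                "mtime": item.m_date(),
                "atime": item.a_date(),
                "crtime": item.cr_date()
            })
        shellbag_rec(hive, key + "\\" + name, bag_prefix + "\\" + name, path)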
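def shellbag_rec(hive, key, bag_prefix, path_prefix):
    """Recursively parse the BagMRU key structure through `objRegistry`.

    This variant reads the live registry via the module-level `objRegistry`
    (StdRegProv-style API: every call returns a result code first, 0 meaning
    success) rather than an offline hive.

    Arguments:
      `hive`: hive handle passed as `hDefKey` to every registry call.
      `key`: subkey path of the BagMRU key currently being processed.
      `bag_prefix`: subkey path so far under the 'Bags' key, e.g. '1\\2\\3'.
      `path_prefix`: human-readable file system path constructed so far.
    Throws:
      OverrunBufferException when a numbered BagMRU value cannot be parsed
      as a SHITEMLIST.

    Side effects: appends one dict per recovered entry to the module-level
    `shellbags` list; reads the module-level `bags_key`.
    """

    def reg_bytes(data):
        # Binary values arrive as a sequence of byte-sized ints; join once
        # instead of growing a str one character at a time.
        return "".join(chr(b) for b in data)

    def named_values(subkey):
        # (name, type) pairs of `subkey`'s values; [] when the call fails or
        # the key has no values (EnumValues then hands back empty/None lists).
        result, names, types = objRegistry.EnumValues(hDefKey=hive, sSubKeyName=subkey)
        if result != 0 or not types:
            return []
        return zip(names, types)

    try:
        # First, consider the current key, and extract shellbag items
        for name, vtype in named_values(key):
            if name != "NodeSlot" or vtype != _winreg.REG_DWORD:
                continue
            result, slot = objRegistry.GetDWORDValue(
                hDefKey=hive, sSubKeyName=key, sValueName=name)
            if result != 0:
                continue
            slot_key = bags_key + "\\" + str(slot)
            result, subkeys = objRegistry.EnumKey(hDefKey=hive, sSubKeyName=slot_key)
            if result != 0:
                continue
            for bag in subkeys or ():
                bag_key = slot_key + "\\" + bag
                for bag_name, bag_type in named_values(bag_key):
                    if "ItemPos" not in bag_name or bag_type != _winreg.REG_BINARY:
                        continue
                    result, item_pos = objRegistry.GetBinaryValue(
                        hDefKey=hive, sSubKeyName=bag_key, sValueName=bag_name)
                    if result != 0:
                        continue
                    buf = reg_bytes(item_pos)
                    block = Block(buf, 0x0, False)
                    # Walk the ItemPos blob: starting at 0x10, each step reads
                    # a size word 8 bytes further on; a zero size ends the list.
                    offset = 0x10
                    while True:
                        offset += 0x8
                        size = block.unpack_word(offset)
                        if size == 0:
                            break
                        # Entries shorter than 0x15 bytes are skipped but still
                        # stepped over (presumably too small for a file entry).
                        if size >= 0x15:
                            item = ITEMPOS_FILEENTRY(buf, offset, False)
                            shellbags.append({
                                "path": path_prefix + "\\" + item.name(),
                                "mtime": item.m_date(),
                                "atime": item.a_date(),
                                "crtime": item.cr_date()
                            })
                        offset += size
    except Exception as ex:
        # Best effort: a malformed ItemPos blob must not abort the whole walk.
        print ex

    # Next, recurse into each BagMRU key
    for name, vtype in named_values(key):
        if not re.match(r"\d+", name) or vtype != _winreg.REG_BINARY:
            continue
        result, reg_value = objRegistry.GetBinaryValue(
            hDefKey=hive, sSubKeyName=key, sValueName=name)
        if result != 0:
            continue
        # Handed to the recursive call; initialised so a value with no items
        # no longer raises UnboundLocalError. An OverrunBufferException from
        # the parser propagates (the former except-and-reraise was a no-op).
        path = ""
        for item in SHITEMLIST(reg_bytes(reg_value), 0, False).items():
            # assume there is only one entry in the value, or take the last
            # as the path component
            path = path_prefix + "\\" + item.name()
            shellbags.append({
                "path": path,
                "mtime": item.m_date(),
                "atime": item.a_date(),
                "crtime": item.cr_date()
            })
        shellbag_rec(hive, key + "\\" + name, bag_prefix + "\\" + name, path)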
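def parse_shellbags(bagmru_key, bags_key, key, bag_pre, path_pre):
    """Recursively parse the BagMRU key structure from an offline hive.

    Arguments:
      `bagmru_key`: root BagMRU key; carried through the recursion unchanged.
      `bags_key`: the 'Bags' key whose numbered subkeys NodeSlot values index.
      `key`: the BagMRU key currently being processed.
      `bag_pre`: subkey path so far under `bags_key`, e.g. '1\\2\\3'.
      `path_pre`: human-readable file system path constructed so far.
    Throws:
      OverrunBufferException when a numbered BagMRU value cannot be parsed
      as a SHITEMLIST; the offending key and value name are printed first.

    Side effects: appends one dict per recovered entry to the module-level
    `shellbag_list`, with timestamps passed through `cvtDate`.
    """
    try:
        slot = key.value("NodeSlot").value()
        for bag in bags_key.subkey(str(slot)).subkeys():
            for val in bag.values():
                if "ItemPos" not in val.name():
                    continue
                buf = val.value()
                blk = SHITEMLIST(buf, 0, False)
                # Walk the ItemPos blob: starting at 0x10, each step reads a
                # size word 8 bytes further on; a zero size ends the list.
                offset = 0x10
                while True:
                    offset += 0x8
                    # Must use `blk`: the previous code referenced an undefined
                    # `block`, so every ItemPos value raised NameError, which
                    # the catch-all below reported only as "[-] error".
                    size = blk.unpack_word(offset)
                    if size == 0:
                        break
                    # Entries shorter than 0x15 bytes are skipped but still
                    # stepped over (presumably too small for a file entry).
                    if size >= 0x15:
                        item = blk.get_item(offset)
                        shellbag_list.append({
                            "path": path_pre + "\\" + item.name(),
                            "mtime": cvtDate(item.m_date()),
                            "atime": cvtDate(item.a_date()),
                            "crtime": cvtDate(item.cr_date()),
                            "source": bag.path() + " @ " + hex(item.offset()),
                            "regsource": bag.path() + "\\" + val.name(),
                            "klwt": cvtDate(key.timestamp())
                        })
                    offset += size
    except Registry.RegistryValueNotFoundException:
        pass
    except Registry.RegistryKeyNotFoundException:
        print "[-] no key"
    except Exception:
        # Best effort: a malformed ItemPos blob must not abort the whole walk,
        # but (unlike the former bare `except:`) KeyboardInterrupt and
        # SystemExit are allowed through.
        print "[-] error"

    for val in key.values():
        if not re.match(r"\d+", val.name()):
            continue
        # Stays "" when the value yields no items; handed to the recursion.
        path = ""
        try:
            lst = SHITEMLIST(val.value(), 0, False)
            for item in lst.items():
                # Take the last item as the path component for this value.
                path = path_pre + "\\" + item.name()
                shellbag_list.append({
                    "path": path,
                    "mtime": cvtDate(item.m_date()),
                    "atime": cvtDate(item.a_date()),
                    "crtime": cvtDate(item.cr_date()),
                    "source": key.path() + " @ " + hex(item.offset()),
                    "klwt": cvtDate(key.timestamp())
                })
        except OverrunBufferException:
            print key.path()
            print val.name()
            raise
        parse_shellbags(bagmru_key, bags_key, key.subkey(val.name()),
                        bag_pre + "\\" + val.name(), path)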