def parse_default_hive(default_hive: RegistryHive) -> dict: """ Parse default hive and return needed information. Parameters ---------- default_hive : RegistryHive The default hive to parse Returns ------- dict Dictionary with the information for systeminfo """ default_hive_dict = { "system_locale": ";".join([ default_hive.get_key(".DEFAULT\\Control Panel\\International" ).get_value("LocaleName"), default_hive.get_key(".DEFAULT\\Control Panel\\International"). get_value("sCountry"), ]) } # Return results return default_hive_dict
def test_get_key(software_hive): """ # Refers to https://github.com/mkorman90/regipy/issues/144 """ registry_hive = RegistryHive(software_hive) # We verify the registry headers are similar, because this is the same subkey. assert registry_hive.get_key( 'ODBC').header == registry_hive.root.get_subkey('ODBC').header assert registry_hive.root.get_subkey( 'ODBC').header == registry_hive.get_key('SOFTWARE\\ODBC').header
def test_ntuser_emojis(transaction_ntuser): # There are some cases where the Registry stores utf-16 emojis as subkey names :) registry_hive = RegistryHive(transaction_ntuser) international = registry_hive.get_key(r'\Control Panel\International') subkeys = [x.name for x in international.iter_subkeys()] assert subkeys == [ 'Geo', 'User Profile', 'User Profile System Backup', '🌎🌏🌍' ]
def test_find_keys_partial_ntuser_hive(ntuser_software_partial): registry_hive = RegistryHive(ntuser_software_partial, hive_type=NTUSER_HIVE_TYPE, partial_hive_path=r'\Software') run_key = registry_hive.get_key(r'\Software\Microsoft\Windows\CurrentVersion\Run') assert run_key.name == 'Run' assert run_key.header.last_modified == 132024690510209250 values = [x for x in run_key.iter_values(as_json=True)] assert values[0].name == 'OneDrive' assert values[0].value_type == 'REG_SZ'
def _get_last_logon(self, reg: RegistryHive): try: key = reg.get_key( r'\Microsoft\Windows\CurrentVersion\Authentication\LogonUI') return { "LastLoggedOnUser": key.get_value("LastLoggedOnUser"), "LastLoggedOnSAMUser": key.get_value("LastLoggedOnSAMUser") } except: pass
def _get_so_version(self, reg: RegistryHive): try: subkey = reg.get_key(r'\Microsoft\Windows NT\CurrentVersion') return { 'ProductName': subkey.get_value('ProductName'), 'ReleaseId': subkey.get_value('ReleaseId') } except: return None
def test_find_keys_ntuser(ntuser_hive): registry_hive = RegistryHive(ntuser_hive) run_key = registry_hive.get_key(r'\Software\Microsoft\Windows\CurrentVersion\Run') assert run_key.name == 'Run' assert run_key.header.last_modified == 129779615948377168 values = [x for x in run_key.iter_values(as_json=True)] assert values[0].name == 'Sidebar' assert values[0].value_type == 'REG_EXPAND_SZ'
def _get_wifis(self, reg: RegistryHive): try: "ESto solo vale para XP" "TODO pendiente de que tenga un ejemplo con datos" subkey = reg.get_key(r'\Microsoft\WZCSVC\Parameters\Interfaces') list = [] for a in subkey.iter_subkeys(): list.append(a.name) return list except: return None
def _userassist(self, reg: RegistryHive): try: "TODO pendiente de que tenga un ejemplo con datos" subkey = reg.get_key( r'\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist' ) list = [] for a in subkey.iter_subkeys(): list.append(a.name) return list except: return None
def hive_to_json(hive_path, output_path, registry_path, timeline, hive_type, partial_hive_path, verbose): _setup_logging(verbose=verbose) registry_hive = RegistryHive(hive_path, hive_type=hive_type, partial_hive_path=partial_hive_path) if registry_path: try: name_key_entry = registry_hive.get_key(registry_path) except RegistryKeyNotFoundException as ex: logger.debug('Did not find the key: {}'.format(ex)) return else: name_key_entry = registry_hive.root if timeline and not output_path: click.secho( 'You must provide an output path if choosing timeline output!', fg='red') return if output_path: if timeline: with open(output_path, 'w') as csvfile: csvwriter = csv.DictWriter( csvfile, delimiter=',', quotechar='"', quoting=csv.QUOTE_MINIMAL, fieldnames=['timestamp', 'subkey_name', 'values_count']) csvwriter.writeheader() with progressbar( registry_hive.recurse_subkeys( name_key_entry, as_json=True)) as reg_subkeys: for entry in reg_subkeys: entry_dict = entry.__dict__ path = entry.path csvwriter.writerow({ 'subkey_name': r'{}\{}'.format(entry.path, path), 'timestamp': entry_dict['timestamp'], 'values_count': entry_dict['values_count'] }) else: dump_hive_to_json(registry_hive, output_path, name_key_entry, verbose) else: for entry in registry_hive.recurse_subkeys(name_key_entry, as_json=True): click.secho(json.dumps(attr.asdict(entry), indent=4))
def hive_to_json(hive_path, output_path, registry_path, timeline, hive_type, partial_hive_path, verbose): with logbook.NestedSetup( _get_log_handlers(verbose=verbose)).applicationbound(): registry_hive = RegistryHive(hive_path, hive_type=hive_type, partial_hive_path=partial_hive_path) if registry_path: try: name_key_entry = registry_hive.get_key(registry_path) except RegistryKeyNotFoundException as ex: logger.debug('Did not find the key: {}'.format(ex)) return else: name_key_entry = registry_hive.root if timeline and not output_path: click.secho( 'You must provide an output path if choosing timeline output!', fg='red') return if output_path: if timeline: with open(output_path, 'w') as csvfile: csvwriter = csv.DictWriter(csvfile, delimiter=',', quotechar='"', quoting=csv.QUOTE_MINIMAL, fieldnames=[ 'timestamp', 'subkey_name', 'values_count' ]) csvwriter.writeheader() for entry in tqdm( registry_hive.recurse_subkeys(name_key_entry, as_json=True)): subkey_name = entry.pop('subkey_name') path = entry.pop('path') entry['subkey_name'] = r'{}\{}'.format( path, subkey_name) entry.pop('values') csvwriter.writerow(entry) else: dump_hive_to_json(registry_hive, output_path, name_key_entry, verbose) else: for entry in registry_hive.recurse_subkeys(name_key_entry, as_json=True): click.secho(json.dumps(attr.asdict(entry), indent=4))
def parse_timezone_information(system_hive: RegistryHive, software_hive: RegistryHive) -> dict: """ Parse system and software hives and return needed information. Parameters ---------- system_hive : RegistryHive The system hive to parse software_hive : RegistryHive The software hive to parse Returns ------- dict Dictionary with the information for systeminfo """ # Determine current control set current_control_set = determine_current_control_set(system_hive) # Timezone information timezone_key_name = (system_hive.get_key( f"{current_control_set}\\Control\\TimeZoneInformation").get_value( "TimeZoneKeyName").replace(str(b"\x00"), "")) timezone_key_name = timezone_key_name[:timezone_key_name.find("Time") + len("Time")] timezone_information = { "timezone_desc": software_hive.get_key( f"Software\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\{timezone_key_name}" ).get_value("Display") } timezone_information["timezone_offset"] = ( timezone_information["timezone_desc"].replace( "-", "+").split("+")[1].split(")")[0]) # Return results return timezone_information
def _get_computer_name(self, reg: RegistryHive): names = [] for subkey_path in reg.get_control_sets( r'Control\ComputerName\ComputerName'): subkey = reg.get_key(subkey_path) try: names.append({ 'name': subkey.get_value('ComputerName'), 'timestamp': Time.change_output_date_format_from_epoch( subkey.header.last_modified) }) except RegistryValueNotFoundException as ex: continue return names
def _get_usbstorage(self, reg: RegistryHive): usbs = [] try: for subkey_path in reg.get_control_sets(r'Enum\USBSTOR'): subkey = reg.get_key(subkey_path) for usb in subkey.iter_subkeys(): usbs.append({ 'device': usb.name, 'timestamp': Time.change_output_date_format_from_epoch( usb.header.last_modified) }) except: return None return usbs
def _get_get_runmru(self, reg: RegistryHive): "TODO pendiente de que tenga un ejemplo con datos" try: subkey = reg.get_key( r'\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU') order = subkey.get_value('MRUList') list = [] if order: for char in order: try: value = subkey.get_value(char) if value: list.append(value) except: pass return list except: return None
def _get_profilelist(self, reg: RegistryHive): profiles = [] subkey = reg.get_key( r'\Microsoft\Windows NT\CurrentVersion\ProfileList') for profile in subkey.iter_subkeys(): try: profiles.append({ 'Sid': profile.name, 'Guid': profile.get_value(r'Guid') if profile.get_value(r'Guid') is not None else "", 'ProfileImagePath': profile.get_value(r'ProfileImagePath') }) except RegistryValueNotFoundException as ex: continue return profiles
def determine_current_control_set(system_hive: RegistryHive) -> str: """ Determine the current control set. Parameters ---------- system_hive : RegistryHive The system hive to parse Returns ------- str The path to the current control set """ current_control_set = system_hive.get_key("\\Select").get_value("Current") for control_set in system_hive.CONTROL_SETS: if int(control_set[-3:]) == current_control_set: current_control_set = control_set break else: raise ValueError("Error determining current control set.") return current_control_set
def test_parse_security_info(ntuser_hive): registry_hive = RegistryHive(ntuser_hive) run_key = registry_hive.get_key( r'\Software\Microsoft\Windows\CurrentVersion\Run') security_key_info = run_key.get_security_key_info() assert security_key_info['owner'] == 'S-1-5-18' assert security_key_info['group'] == 'S-1-5-18' assert len(security_key_info['dacl']) == 4 assert security_key_info['dacl'][0] == { 'access_mask': { 'ACCESS_SYSTEM_SECURITY': False, 'DELETE': True, 'GENERIC_ALL': False, 'GENERIC_EXECUTE': False, 'GENERIC_READ': False, 'GENERIC_WRITE': False, 'MAXIMUM_ALLOWED': False, 'READ_CONTROL': True, 'SYNCHRONIZE': False, 'WRITE_DAC': True, 'WRITE_OWNER': True }, 'ace_type': 'ACCESS_ALLOWED', 'flags': { 'CONTAINER_INHERIT_ACE': True, 'INHERIT_ONLY_ACE': False, 'NO_PROPAGATE_INHERIT_ACE': False, 'OBJECT_INHERIT_ACE': True }, 'sid': 'S-1-5-21-2036804247-3058324640-2116585241-1673' } dacl_sids = [x["sid"] for x in security_key_info['dacl']] assert dacl_sids == [ 'S-1-5-21-2036804247-3058324640-2116585241-1673', 'S-1-5-18', 'S-1-5-32-544', 'S-1-5-12' ]
from regipy.registry import RegistryHive import sys counter = 1 reg = RegistryHive(sys.argv[1]) regvalues = reg.get_key('System\MountedDevices').iter_values(as_json=True) for value in regvalues: print(value) """ def run(self): self.entries = {} mountdev_subkeys = self.registry_hive.get_control_sets(TZ_DATA_PATH) for mountdev_subkey in mountdev_subkeys: mountdev = self.registry_hive.get_key(mountdev_subkey) self.entries[mountdev_subkey] = [x for x in mountdev.iter_values(as_json=self.as_json)] if self.as_json: for k, v in self.entries.items(): self.entries[k] = [attr.asdict(x) for x in v] """
def compare_hives(first_hive_path, second_hive_path, verbose=False): # The list will contain tuples, in the following format: (Difference type, first value, second value, description) found_differences = [] # Compare hash, verify they are indeed different first_hive_sha1 = calculate_sha1(first_hive_path) second_hive_sha1 = calculate_sha1(second_hive_path) if first_hive_sha1 == second_hive_sha1: logger.info('Hives have the same hash!') return found_differences # Compare header parameters first_registry_hive = RegistryHive(first_hive_path) second_registry_hive = RegistryHive(second_hive_path) if first_registry_hive.header.hive_bins_data_size != second_registry_hive.header.hive_bins_data_size: found_differences.append(('different_hive_bin_data_size', first_registry_hive.header.hive_bins_data_size, second_registry_hive.header.hive_bins_data_size, '')) # Enumerate subkeys for each hive and start comparing logger.info('Enumerating subkeys in {}'.format(os.path.basename(first_hive_path))) first_hive_subkeys = get_subkeys_and_timestamps(first_registry_hive) logger.info('Enumerating subkeys in {}'.format(os.path.basename(second_hive_path))) second_hive_subkeys = get_subkeys_and_timestamps(second_registry_hive) # Get a set of keys present in one hive and not the other and vice versa first_hive_subkey_names = {x[0] for x in first_hive_subkeys if x[0] is not None} second_hive_subkey_names = {x[0] for x in second_hive_subkeys if x[0] is not None} found_differences.extend(('new_subkey', ts, None, subkey_path) for subkey_path, ts in get_timestamp_for_subkeys(first_registry_hive, first_hive_subkey_names - second_hive_subkey_names)) found_differences.extend(('new_subkey', None, ts, subkey_path) for subkey_path, ts in get_timestamp_for_subkeys(second_registry_hive, second_hive_subkey_names - first_hive_subkey_names)) # Remove duplicate keys from each of the sets first_hive_diff_subkeys = first_hive_subkeys - second_hive_subkeys second_hive_diff_subkeys = second_hive_subkeys - first_hive_subkeys # Find subkeys that exist in both hives, but were modified. Look for new values and subkeys for path_1, ts_1 in tqdm(first_hive_diff_subkeys) if verbose else first_hive_diff_subkeys: for path_2, ts_2 in tqdm(second_hive_diff_subkeys, leave=False) if verbose else second_hive_diff_subkeys: if path_1 and path_1 == path_2 and ts_1 != ts_2: first_subkey_nk_record = first_registry_hive.get_key(path_1) second_subkey_nk_record = second_registry_hive.get_key(path_2) # Compare values between the subkeys first_subkey_values = set() second_subkey_values = set() if first_subkey_nk_record.values_count: first_subkey_values = _get_name_value_tuples(first_subkey_nk_record) if second_subkey_nk_record.values_count: second_subkey_values = _get_name_value_tuples(second_subkey_nk_record) # If one hive or the other contain values, and they are different, compare values if (first_subkey_values or second_subkey_values) and (first_subkey_values != second_subkey_values): first_hive_value_names = set(x[0] for x in first_subkey_values) second_hive_value_names = set(x[0] for x in second_subkey_values) values_in_first_but_not_in_second = first_hive_value_names - second_hive_value_names values_in_second_but_not_in_first = second_hive_value_names - first_hive_value_names # If there are value names that are present in the first subkey but not the second # Iterate over all values in the first subkey # If the value name is one of those that is not on the second subkey, add it to the set if values_in_first_but_not_in_second: found_differences.extend(('new_value', f'{n}: {d} @ {ts_1}', None, path_1) for n, d in get_values_from_tuples(first_subkey_values, values_in_first_but_not_in_second)) if values_in_second_but_not_in_first: found_differences.extend(('new_value', None, f'{n}: {d} @ {ts_2}', path_1) for n, d in get_values_from_tuples(second_subkey_values, values_in_second_but_not_in_first)) # We do not compare subkeys for each subkey, because we would have detected those. return found_differences
def parse_software_hive(software_hive: RegistryHive) -> dict: """ Parse software hive and return needed information. Parameters ---------- software_hive : RegistryHive The software hive to parse Returns ------- dict Dictionary with the information for systeminfo """ # Registered owner software_hive_dict = { "registered_owner": software_hive.get_key("Software\\Microsoft\\Windows NT\\CurrentVersion" ).get_value("RegisteredOwner") } # OS name software_hive_dict["os_name"] = " ".join([ "Microsoft", software_hive.get_key("Software\\Microsoft\\Windows NT\\CurrentVersion" ).get_value("ProductName"), ]) # OS build type software_hive_dict["os_build_type"] = software_hive.get_key( "Software\\Microsoft\\Windows NT\\CurrentVersion").get_value( "CurrentType") # Product ID software_hive_dict["product_id"] = software_hive.get_key( "Software\\Microsoft\\Windows NT\\CurrentVersion").get_value( "ProductId") # Install date software_hive_dict["install_date"] = software_hive.get_key( "Software\\Microsoft\\Windows NT\\CurrentVersion").get_value( "InstallDate") # UTC, Needs timezone offset # Hotfixes software_hive_dict["hotfix"] = set( hotfix.get_value("InstallName").split("_for_")[1].split("~")[0] for hotfix in software_hive.get_key( "Software\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages" ).iter_subkeys() if "_for_KB" in hotfix.get_value("InstallName") and hotfix.get_value( "CurrentState") == 112) # 112 is successfully installed software_hive_dict["hotfix"].update( set( hotfix.get_value("InstallLocation").split("-")[1] for hotfix in software_hive.get_key( "Software\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing\\Packages" ).iter_subkeys() if "RollupFix" in hotfix.get_value("InstallName") and hotfix. get_value("CurrentState") == 112)) # 112 is successfully installed # OS Version software_hive_dict["os_version"] = " ".join([ software_hive.get_key("Software\\Microsoft\\Windows NT\\CurrentVersion" ).get_value("ProductName"), "N/A Build", software_hive.get_key("Software\\Microsoft\\Windows NT\\CurrentVersion" ).get_value("CurrentBuild"), ]) # Registered organization software_hive_dict["registered_organization"] = software_hive.get_key( "Software\\Microsoft\\Windows NT\\CurrentVersion").get_value( "RegisteredOrganization") # Return results return software_hive_dict
def parse_system_hive(system_hive: RegistryHive) -> dict: """ Parse system hive and return needed information. Parameters ---------- system_hive : RegistryHive The system hive to parse Returns ------- dict Dictionary with the information for systeminfo """ # Determine current control set current_control_set = determine_current_control_set(system_hive) # Determine current hardware config try: current_hardware_config = system_hive.get_key( "SYSTEM\\HardwareConfig").get_value("LastConfig") except RegistryKeyNotFoundException: current_hardware_config = None # Hostname system_hive_dict = { "hostname": system_hive.get_key( f"{current_control_set}\\Services\\Tcpip\\Parameters").get_value( "Hostname") } # BIOS Version if current_hardware_config: bios_version = system_hive.get_key( f"SYSTEM\\HardwareConfig\\{current_hardware_config}").get_value( "BIOSVersion") bios_vendor = system_hive.get_key( f"SYSTEM\\HardwareConfig\\{current_hardware_config}").get_value( "BIOSVendor") bios_release_date = system_hive.get_key( f"SYSTEM\\HardwareConfig\\{current_hardware_config}").get_value( "BIOSReleaseDate") system_hive_dict[ "bios_version"] = f"{bios_vendor} {bios_version}, {bios_release_date}" else: system_hive_dict["bios_version"] = "UNKNOWN UNKNOWN, UNKNOWN" # Domain system_hive_dict["domain"] = system_hive.get_key( f"{current_control_set}\\Services\\Tcpip\\Parameters").get_value( "Domain") system_hive_dict["domain"] = (system_hive_dict["domain"] if system_hive_dict["domain"] != 0 else "WORKGROUP") # Page file locations system_hive_dict["page_file_locations"] = system_hive.get_key( f"{current_control_set}\\Control\\Session Manager\\Memory Management" ).get_value("PagingFiles")[::3] # TODO This could probably be improved if I could find the system drive letter in the registry for idx, page_file_location in enumerate( system_hive_dict["page_file_locations"]): if page_file_location[0] == "?": system_hive_dict["page_file_locations"][ idx] = page_file_location.replace( "?", system_hive.get_key( f"{current_control_set}\\Control\\Session Manager\\Memory Management" ).get_value("ExistingPageFiles")[0][4], ) # Page file max size system_hive_dict["page_file_max_sizes"] = system_hive.get_key( f"{current_control_set}\\Control\\Session Manager\\Memory Management" ).get_value("PagingFiles")[2::3] # Boot device system_hive_dict["boot_device"] = system_hive.get_key( "SYSTEM\\Setup").get_value("SystemPartition") if current_hardware_config: # System manufacturer system_hive_dict["manufacturer"] = system_hive.get_key( f"SYSTEM\\HardwareConfig\\{current_hardware_config}").get_value( "SystemManufacturer") # System model system_hive_dict["model"] = system_hive.get_key( f"SYSTEM\\HardwareConfig\\{current_hardware_config}").get_value( "SystemProductName") else: system_hive_dict["manufacturer"] = "UNKNOWN" system_hive_dict["model"] = "UNKNOWN" # System type system_hive_dict["type"] = (system_hive.get_key( f"{current_control_set}\\Enum\\ROOT\\ACPI_HAL\\0000").get_value( "DeviceDesc").split(";")[1].replace("ACPI ", "")) # Network adapters # MAC address can optionally be changed with NetworkAddress entry network_adapters = dict() for network_adapter in system_hive.get_key("".join([ current_control_set, "\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", ])).iter_subkeys(): if network_adapter.get_value("NetCfgInstanceId"): network_adapters[network_adapter.get_value("NetCfgInstanceId")] = ( network_adapter.get_value("DriverDesc"), network_adapter.get_value("NetworkAddress"), ) interfaces = dict() for interface in system_hive.get_key("".join( [current_control_set, "\\Services\\Tcpip\\Parameters\\Interfaces"])).iter_subkeys(): if not network_adapters.get(interface.name.upper()): continue interfaces[interface.name] = { "desc": network_adapters[interface.name.upper()][0], "mac": network_adapters[interface.name.upper()][1], "dhcp_activated": interface.get_value("EnableDHCP") == 1, "dhcp_server": interface.get_value("DhcpServer"), "ip_addresses": [interface.get_value("DhcpIPAddress")] if interface.get_value("DhcpIPAddress") else interface.get_value("IPAddress"), "connection_name": system_hive.get_key("".join([ current_control_set, "\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\", interface.name.upper(), "\\Connection", ])).get_value("Name"), } if not interfaces[interface.name]["ip_addresses"]: del interfaces[interface.name] system_hive_dict["network_cards"] = interfaces # Processor(s) system_hive_dict["processors"] = system_hive.get_key( f"{current_control_set}\\Control\\Session Manager\\Environment" ).get_value( "PROCESSOR_IDENTIFIER" ) # This is technically not correct, because the real value is in the volatile HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor subkeys # Windows/System directory lsa_library = system_hive.get_key( f"{current_control_set}\\Services\\Lsa\\Performance").get_value( "Library" ) # It’s a bit of a hack, but I can’t find the real key to read system_hive_dict["windows_directory"] = "\\".join( lsa_library.split("\\")[:2]) system_hive_dict["system_directory"] = "\\".join( lsa_library.split("\\")[:3]) # Return results return system_hive_dict
def _get_users(self, reg: RegistryHive): key = reg.get_key(r'\SAM\Domains\Account\Users\Names') users = [] for user in key.iter_subkeys(): users.append(user.name) return users
def _get_mounted_devices(self, reg: RegistryHive): devices = [] subkey = reg.get_key(r'\MountedDevices') for device in subkey.iter_values(): devices.append(device.name) return devices
""" --------------------RESULTAT ATTENDU------------------------- Disk&Ven_JetFlash&Prod_Transcend_16GB&Rev_1100 [Wed Jun 26 19:34:59 2019] S/N: 17GIWK3QFAF50DSD&0 [Wed Jun 26 19:34:59 2019] Device Parameters LastWrite: [Wed Jun 26 19:34:59 2019] LogConf LastWrite : [Wed Jun 26 19:34:59 2019] Properties LastWrite : [Wed Jun 26 19:34:59 2019] FriendlyName : JetFlash Transcend 16GB USB Device InstallDate : Mon Oct 9 08:42:44 2017 UTC FirstInstallDate: Mon Oct 9 08:42:44 2017 UTC """ from regipy.registry import RegistryHive print("-------------USBSTOR-----------") print("FORENSIC de l'historique des peripheriques USB") print("Version 1.0, ATK \n\n") reg = RegistryHive('system') #for entry in reg.recurse_subkeys(as_json=True): # print(entry) #for sk in reg.get_key('CurrentControlSet').iter_subkeys(): # print(sk.name, convert_wintime(sk.header.last_modified).isoformat()) for entry in reg.get_key('\\Enum\\USBStor').get_values(as_json=True): print(entry)
import sys from regipy.registry import RegistryHive if __name__ == "__main__": try: # todo: use argparse for better usability if len(sys.argv) == 4: try: reg_file = RegistryHive(sys.argv[1]) # e.g. "SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\full\\Release" key = sys.argv[2] val = sys.argv[3] print(reg_file.get_key(key).get_value(val, as_json=True, raise_on_missing=True)) except: print("Registry key not found or you have provided an incorrect key") else: print("incomplete argument list") print("Usage: regireader.exe <registry_file> <key> <value>") except Exception as ex: print("Regi-reader gets the registry key from an offline registry hive") print("Usage: regireader.exe <registry_file> <key> <value>")
def get_persistence(hivespath="."): for i in os.listdir(hivespath): if "NTUSER" in i: reg = RegistryHive(hivespath + "\\" + i) print(i) try: sk = reg.get_key( "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") for v in sk.get_values(): print("HKUSRRUN : %s : %s" % (v.name, v.value)) except: continue pass sk = reg.get_key( "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce") for v in sk.get_values(): print("HKUSRRUNONCE : %s : %s" % (v.name, v.value)) sk = reg.get_key( "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" ) for v in sk.get_values(): print("HKUSRRUNW64 : %s : %s" % (v.name, v.value)) sk = reg.get_key( "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ) for v in sk.get_values(): print("HKUSRRUNONCEW64 : %s : %s" % (v.name, v.value)) reg = RegistryHive(hivespath + "\\SOFTWARE") sk = reg.get_key("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") for v in sk.get_values(): print("HKLMRUN : %s : %s" % (v.name, v.value)) sk = reg.get_key( "SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run") for v in sk.get_values(): print("HKLMRUNX64 : %s : %s" % (v.name, v.value)) sk = reg.get_key("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce") for v in sk.get_values(): print("HKLMRUNONCE : %s : %s" % (v.name, v.value)) sk = reg.get_key( "SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce") for v in sk.get_values(): print("HKLMRUNONCEW64 : %s : %s" % (v.name, v.value)) for sk in reg.get_key( 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options' ).iter_subkeys(): sk2 = reg.get_key( 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s' % (sk.name)) for v in sk2.get_values(): if v.name.lower() == "debugger": print("REGIFEO : %s : %s" % (v.name, v.value)) sk = reg.get_key( "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon") for v in sk.get_values(): if v.name == "Shell": if v.value.lower().rstrip(",") not in ( "explorer.exe", "c:\\windows\\system32\\explorer.exe"): print("HIJACK : %s : %s" % (v.name, v.value)) elif v.name == "ShellInfrastructure": if v.value.lower().rstrip(",") not in ( "sihost.exe", "c:\\windows\\system32\\sihost.exe"): print("HIJACK : %s : %s" % (v.name, v.value)) elif v.name == "Userinit": if v.value.lower().rstrip(",") not in ( "userinit.exe", "c:\\windows\\system32\\userinit.exe"): print("HIJACK : %s : %s" % (v.name, v.value)) sk = reg.get_key( "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon") for v in sk.get_values(): if v.name == "AppInit_DLLs": print("APPINITDLLS : %s : %s" % (v.name, v.value)) break reg = RegistryHive(hivespath + "\\SYSTEM") try: sk = reg.get_key("SYSTEM\\ControlSet001\\Control\\Lsa\\OSConfig") for v in sk.get_values(): if v.name == "Security Packages": print("SECPACKAGESO : %s : %s" % (v.name, v.value)) break except: pass sk = reg.get_key("SYSTEM\\ControlSet001\\Control\\Lsa") for v in sk.get_values(): if v.name == "Security Packages": print("SECPACKAGES : %s : %s" % (v.name, v.value)) break for sk in reg.get_key('SYSTEM\\ControlSet001\\Services').iter_subkeys(): sk2 = reg.get_key('SYSTEM\\ControlSet001\\Services\\%s' % (sk.name)) for v in sk2.get_values(): if v.name.lower() == "imagepath": print("SERVICE : %s : %s" % (v.name, v.value)) elif v.name.lower() == "servicedll": print("SERVICEDLL : %s : %s" % (v.name, v.value)) try: sk2 = reg.get_key( 'SYSTEM\\ControlSet0001\\Services\\%s\\Parameters' % (sk.name)) for v in sk2.get_values(): if v.name.lower() == "servicedll": print("SERVICEDLLP : %s : %s" % (v.name, v.value)) except: pass