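def reg_diff(first_hive_path, second_hive_path, output_path, verbose):
    """Compare two registry hives and report the differences between them.

    Args:
        first_hive_path: Path of the baseline hive.
        second_hive_path: Path of the hive compared against the baseline.
        output_path: When set, the differences are written there as a
            ``|``-delimited CSV; otherwise they are printed as a table.
        verbose: Forwarded to ``_setup_logging`` and ``compare_hives``.
    """
    _setup_logging(verbose=verbose)
    regdiff_headers = ['difference', 'first_hive', 'second_hive', 'description']

    # Announce the comparison before doing the work, so the message precedes
    # anything compare_hives itself logs.
    click.secho('Comparing {} vs {}'.format(
        os.path.basename(first_hive_path), os.path.basename(second_hive_path)))
    found_differences = compare_hives(first_hive_path,
                                      second_hive_path,
                                      verbose=verbose)

    if output_path:
        # newline='' is required by the csv module (otherwise line endings are
        # doubled on Windows); an explicit encoding keeps non-ASCII registry
        # data from failing under a narrow locale codec.
        with open(output_path, 'w', newline='', encoding='utf-8') as csvfile:
            csvwriter = csv.writer(csvfile,
                                   delimiter='|',
                                   quoting=csv.QUOTE_MINIMAL)
            csvwriter.writerow(regdiff_headers)
            csvwriter.writerows(found_differences)
    else:
        click.secho(
            tabulate(found_differences,
                     headers=regdiff_headers,
                     tablefmt='fancy_grid'))
    click.secho(f'Detected {len(found_differences)} differences', fg='green')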
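def run_plugins(hive_path, output_path, plugins, hive_type, partial_hive_path,
                verbose):
    """Run registry plugins against a hive and emit their results as JSON.

    Args:
        hive_path: Path of the hive to analyze.
        output_path: When set, the JSON results are written there instead of
            being printed to stdout.
        plugins: Optional comma-separated plugin names. When falsy, every
            plugin relevant to the hive type is run.
        hive_type: Forwarded to ``RegistryHive``.
        partial_hive_path: Forwarded to ``RegistryHive``.
        verbose: Forwarded to ``_setup_logging``.
    """
    _setup_logging(verbose=verbose)
    registry_hive = RegistryHive(hive_path,
                                 hive_type=hive_type,
                                 partial_hive_path=partial_hive_path)
    click.secho('Loaded {} plugins'.format(len(PLUGINS)), fg='white')

    if plugins:
        plugin_names = {x.NAME for x in PLUGINS}
        plugins = set(plugins.split(','))
        # Reject unknown names up front rather than silently running a subset.
        unknown_plugins = plugins - plugin_names
        if unknown_plugins:
            click.secho('Invalid plugin names given: {}'.format(
                ','.join(sorted(unknown_plugins))),
                        fg='red')
            click.secho(
                'Use --help or -h to get list of plugins and their descriptions',
                fg='red')
            return

    # Run relevant plugins
    plugin_results = run_relevant_plugins(registry_hive,
                                          as_json=True,
                                          plugins=plugins)

    # If output path was set, dump results to disk
    if output_path:
        with open(output_path, 'w', encoding='utf-8') as f:
            json.dump(plugin_results, f, indent=4)
    else:
        print(json.dumps(plugin_results, indent=4))
    click.secho('Finished: {}/{} plugins matched the hive type'.format(
        len(plugin_results), len(PLUGINS)),
                fg='green')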
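def hive_to_json(hive_path, output_path, registry_path, timeline, hive_type,
                 partial_hive_path, verbose):
    """Dump a registry hive (or one of its subtrees) as JSON or a CSV timeline.

    Args:
        hive_path: Path of the hive to parse.
        output_path: Destination file. When unset, entries are printed to the
            terminal as JSON.
        registry_path: Optional key path to start from; defaults to the root.
        timeline: When true, write a CSV timeline (requires ``output_path``).
        hive_type: Forwarded to ``RegistryHive``.
        partial_hive_path: Forwarded to ``RegistryHive``.
        verbose: Forwarded to ``_setup_logging`` and ``dump_hive_to_json``.
    """
    _setup_logging(verbose=verbose)

    # Validate the argument combination before doing any hive I/O.
    if timeline and not output_path:
        click.secho(
            'You must provide an output path if choosing timeline output!',
            fg='red')
        return

    registry_hive = RegistryHive(hive_path,
                                 hive_type=hive_type,
                                 partial_hive_path=partial_hive_path)

    if registry_path:
        try:
            name_key_entry = registry_hive.get_key(registry_path)
        except RegistryKeyNotFoundException as ex:
            # Tell the user; a debug-only log would make the command look
            # successful while producing no output.
            logger.debug('Did not find the key: {}'.format(ex))
            click.secho('Did not find the key: {}'.format(registry_path),
                        fg='red')
            return
    else:
        name_key_entry = registry_hive.root

    if not output_path:
        for entry in registry_hive.recurse_subkeys(name_key_entry,
                                                   as_json=True):
            click.secho(json.dumps(attr.asdict(entry), indent=4))
        return

    if not timeline:
        dump_hive_to_json(registry_hive, output_path, name_key_entry, verbose)
        return

    # newline='' is required by the csv module (otherwise line endings are
    # doubled on Windows); explicit encoding for non-ASCII key names.
    with open(output_path, 'w', newline='', encoding='utf-8') as csvfile:
        csvwriter = csv.DictWriter(
            csvfile,
            delimiter=',',
            quotechar='"',
            quoting=csv.QUOTE_MINIMAL,
            fieldnames=['timestamp', 'subkey_name', 'values_count'])
        csvwriter.writeheader()
        with progressbar(
                registry_hive.recurse_subkeys(
                    name_key_entry, as_json=True)) as reg_subkeys:
            for entry in reg_subkeys:
                entry_dict = entry.__dict__
                csvwriter.writerow({
                    # entry.path is already the full subkey path; formatting
                    # it twice produced a 'path\path' column.
                    'subkey_name': entry.path,
                    'timestamp': entry_dict['timestamp'],
                    'values_count': entry_dict['values_count'],
                })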
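def parse_header(hive_path, verbose):
    """Print a hive's header and flag signs that the hive is not clean.

    Two integrity checks are reported: mismatched primary/secondary sequence
    numbers (transaction logs still need to be applied) and a header checksum
    that does not match the one computed over the header bytes.

    Args:
        hive_path: Path of the hive to inspect.
        verbose: Forwarded to ``_setup_logging``.
    """
    _setup_logging(verbose=verbose)
    registry_hive = RegistryHive(hive_path)
    header = registry_hive.header

    click.secho(tabulate(header.items(), tablefmt='fancy_grid'))

    if header.primary_sequence_num != header.secondary_sequence_num:
        click.secho('Hive is not clean! You should apply transaction logs',
                    fg='red')

    # The header is at the start of the file, so rewind before reading; the
    # stream position left by RegistryHive after parsing is not part of its
    # contract. NOTE(review): this relies on the private _stream attribute —
    # confirm against RegistryHive if it changes.
    registry_hive._stream.seek(0)
    calculated_checksum = calculate_xor32_checksum(
        registry_hive._stream.read(4096))
    if header.checksum != calculated_checksum:
        click.secho('Hive is not clean! Header checksum does not match',
                    fg='red')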
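def parse_transaction_log(hive_path, primary_log_path, secondary_log_path,
                          output_path, verbose):
    """Apply transaction log(s) to a hive and report the recovered dirty pages.

    Args:
        hive_path: Path of the (dirty) hive.
        primary_log_path: Path of the primary transaction log.
        secondary_log_path: Optional path of the secondary transaction log.
        output_path: Where the restored hive is written; forwarded as
            ``restored_hive_path`` to ``apply_transaction_logs``.
        verbose: Forwarded to ``_setup_logging`` and ``apply_transaction_logs``.
    """
    _setup_logging(verbose=verbose)
    logger.info(
        f'Processing hive {hive_path} with transaction log {primary_log_path}')
    if secondary_log_path:
        # Log the secondary path itself, not the primary one again.
        logger.info(
            f'Processing hive {hive_path} with secondary transaction log {secondary_log_path}'
        )

    restored_hive_path, recovered_dirty_pages_count = apply_transaction_logs(
        hive_path,
        primary_log_path,
        secondary_log_path=secondary_log_path,
        restored_hive_path=output_path,
        verbose=verbose)
    if recovered_dirty_pages_count:
        click.secho(
            f'Recovered {recovered_dirty_pages_count} dirty pages. Restored hive is at {restored_hive_path}',
            fg='green')
    else:
        # Make the no-op outcome visible instead of exiting silently.
        click.secho('No dirty pages were recovered from the transaction log(s)',
                    fg='yellow')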