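def get_usb_key_info(key_name):
    """
    Looks up, in the USB device-class registry key, the VID&PID of the USB device behind a USBSTOR key name.
    :param key_name: a USBSTOR DeviceClasses key name, e.g.
                     ##?#USBSTOR#Disk&Ven_&Prod_USB_DISK_2.0&Rev_PMAP#07BC13025A3B03A1&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    :return: the "VID_xxxx&PID_yyyy" segment of the first matching USB key name, or "" when key_name is
             malformed or no matching key exists (a single string, not a list)
    """
    # HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}
    str_reg_key_usbinfo = r"SYSTEM\ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}"

    # key_name is a "#" separated string with 6 separators; the USB id sits at index 5
    index_usb_id = 5
    parts = key_name.split("#")
    if len(parts) <= index_usb_id:
        # unexpected / truncated key name: nothing to look up (the original raised IndexError here)
        return ""
    # keep only the left part of the id, which may carry an "&" suffix -> 07BC13025A3B03A1&0
    usb_id = parts[index_usb_id].split("&")[0]
    if not usb_id:
        # an empty id would substring-match every key below, so treat it as "not found"
        return ""

    # next we look in the registry for such an id
    key_ids = ""
    reg_key_info = registry_obj.get_registry_key(registry_obj.HKEY_LOCAL_MACHINE, str_reg_key_usbinfo)
    if reg_key_info:
        # the USB key names follow the same "#" separated pattern, with VID&PID at index 4 and the id at 5, e.g.
        # ##?#USB#VID_26BD&PID_9917#0702313E309E0863#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
        index_vid_pid = 4
        for i in xrange(reg_key_info.get_number_of_sub_keys()):
            subkey_name = reg_key_info.get_sub_key(i).get_name()
            # NOTE(review): substring match kept from the original; a short serial could match a longer
            # one, so an exact compare on the id field (index 5) might be preferable — confirm against data
            if usb_id in subkey_name:
                subkey_parts = subkey_name.split("#")
                # a matching name that does not have the expected layout is skipped rather than crashing
                if len(subkey_parts) > index_vid_pid:
                    key_ids = subkey_parts[index_vid_pid]
                    break
    return key_ids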
 def _get_list_from_users_registry_key(self, key_path, is_recursive=True, is_usrclass=False):
     """
     Lists a key from every user hive: the HKEY_USERS hives Windows has mounted (logged on users) and the
     NTUSER.DAT / UsrClass.dat files opened beforehand for the other users (self.user_hives).
     On Windows Vista and later, HKEY_USERS\ID\Software\Classes lives in UsrClass.dat, and shadow copies
     are used to get around the lock on HKCU.
     :param key_path: the registry key to list
     :param is_recursive: whether subkeys should be listed as well
     :param is_usrclass: for the file-backed hives, look the key up in UsrClass.dat instead of NTUSER.DAT
     :return: a list of all extracted keys/values
     """
     collected = []
     # mounted hives first: one subkey of HKEY_USERS per logged on user
     hku = registry_obj.get_registry_key(registry_obj.HKEY_USERS)
     if hku:
         for idx in xrange(hku.get_number_of_sub_keys()):
             found = hku.get_sub_key(idx).get_sub_key_by_path(key_path)
             if found:
                 construct_list_from_key(collected, found, is_recursive)
     # then the hive files of logged off users (NTUSER.DAT or UsrClass.dat)
     for sid, ntuser_root, usrclass_root in self.user_hives:
         hive_root = usrclass_root if is_usrclass else ntuser_root
         found = hive_root.get_sub_key_by_path(key_path)
         if found:
             # prefix the path with the owner's SID (presumably to mirror the HKEY_USERS\<SID> layout)
             found.prepend_path_with_sid(sid)
             construct_list_from_key(collected, found, is_recursive)
     return collected
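 def init_win_vista_and_above(self):
     """
     Opens the NTUSER.DAT and UsrClass.dat hives of every profile listed under ProfileList, reading them
     through a volume shadow copy of the system drive so that hives locked by logged on users can be read.
     Each profile whose two hive files open is appended to self.user_hives as
     (profile key name, NTUSER root key, UsrClass root key); other ProfileList entries are skipped.
     Side effect: sets self.vss to the _VSS instance created for the system drive.
     """
     users = registry_obj.get_registry_key(
         registry_obj.HKEY_LOCAL_MACHINE,
         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList")
     drive, _ = os.path.splitdrive(self.systemroot)
     params = {"logger": self.logger}
     self.vss = _VSS._get_instance(params, drive)
     if not users:
         return
     vss_root = self.vss._return_root()
     for i in xrange(users.get_number_of_sub_keys()):
         user = users.get_sub_key(i)
         profile_value = user.get_value_by_name("ProfileImagePath")
         if profile_value is None:
             # NOTE(review): assumes get_value_by_name returns None for a missing value — confirm;
             # an entry without ProfileImagePath is skipped instead of aborting the whole scan
             continue
         profile_path = profile_value.get_data()
         # swap only the leading drive letter for the shadow copy root (count=1: never touch the rest)
         shadow_profile = profile_path.replace(drive, vss_root, 1)
         path = shadow_profile + r"\NTUSER.DAT"
         # single separator before UsrClass.dat (the original had a doubled backslash, which a
         # \\?\-prefixed shadow copy path would presumably not normalise away)
         path_usrclass = shadow_profile + r"\AppData\Local\Microsoft\Windows\UsrClass.dat"
         try:
             regf_file = registry_obj.RegfFile()
             regf_file.open(path)
             # NOTE(review): if this second open fails, regf_file is left open — check whether
             # RegfFile needs explicit closing
             regf_file_usrclass = registry_obj.RegfFile()
             regf_file_usrclass.open(path_usrclass)
             self.user_hives.append(
                 (user.get_name(), regf_file.get_root_key(),
                  regf_file_usrclass.get_root_key()))
         except IOError:
             # not a user profile (its hive files do not exist at that path): skip it
             pass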
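 def init_win_xp(self):
     """
     Opens the NTUSER.DAT hive of every profile listed under ProfileList (Windows XP: no shadow copy, so
     the hive of a logged on user, which Windows keeps locked, cannot be opened and is skipped).
     Each opened profile is appended to self.user_hives as (profile key name, NTUSER root key).
     """
     users = registry_obj.get_registry_key(registry_obj.HKEY_LOCAL_MACHINE,
                                           r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList")
     if not users:
         return
     for i in xrange(users.get_number_of_sub_keys()):
         user = users.get_sub_key(i)
         profile_value = user.get_value_by_name("ProfileImagePath")
         if profile_value is None:
             # NOTE(review): assumes get_value_by_name returns None for a missing value — confirm;
             # an entry without ProfileImagePath is skipped instead of aborting the whole scan
             continue
         path = profile_value.get_data() + r"\NTUSER.DAT"
         try:
             regf_file = registry_obj.RegfFile()
             regf_file.open(path)
             self.user_hives.append((user.get_name(), regf_file.get_root_key()))
         except IOError:
             # user is logged on (hive locked) or not a user profile: skip it
             pass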
 def _get_list_from_registry_key(self, hive, key_path, is_recursive=True):
     """Creates a list of all nodes and values from a registry key path.
     Keyword arguments:
     hive -- (String) the hive name; HKEY_USERS is delegated to _get_list_from_users_registry_key so that
             the hives of logged off users are covered as well
     key_path -- (String) the path of the key from which the list should be created
     is_recursive -- (Boolean) whether subkeys are listed as well
     Returns a list of the extracted keys/values (empty when the key does not exist).
     """
     if hive == registry_obj.HKEY_USERS:
         return self._get_list_from_users_registry_key(key_path, is_recursive)
     collected = []
     root_key = registry_obj.get_registry_key(hive, key_path)
     if not root_key:
         return collected
     # the values of the key itself first, then each of its subkeys (recursively when asked to)
     append_reg_values(collected, root_key)
     for idx in xrange(root_key.get_number_of_sub_keys()):
         construct_list_from_key(collected, root_key.get_sub_key(idx), is_recursive)
     return collected
 def _get_list_from_users_registry_key(self, key_path, is_recursive=True):
     """
     Lists a key from every user hive: the HKEY_USERS hives Windows has mounted (logged on users) and the
     NTUSER.DAT files opened beforehand for the other users (self.user_hives).
     :param key_path: the registry key to list
     :param is_recursive: whether subkeys should be listed as well
     :return: a list of all extracted keys/values
     """
     collected = []
     # mounted hives first: one subkey of HKEY_USERS per logged on user
     hku = registry_obj.get_registry_key(registry_obj.HKEY_USERS)
     if hku:
         for idx in xrange(hku.get_number_of_sub_keys()):
             found = hku.get_sub_key(idx).get_sub_key_by_path(key_path)
             if found:
                 construct_list_from_key(collected, found, is_recursive)
     # then the NTUSER.DAT files of logged off users
     for sid, ntuser_root in self.user_hives:
         found = ntuser_root.get_sub_key_by_path(key_path)
         if found:
             # prefix the path with the owner's SID (presumably to mirror the HKEY_USERS\<SID> layout)
             found.prepend_path_with_sid(sid)
             construct_list_from_key(collected, found, is_recursive)
     return collected
 def _get_list_from_users_registry_key(self, key_path, is_recursive=True):
     """
     Lists a key from every user hive: the HKEY_USERS hives Windows has mounted (logged on users) and the
     NTUSER.DAT files opened beforehand for the other users (self.user_hives).
     :param key_path: the registry key to list
     :param is_recursive: whether subkeys should be listed as well
     :return: a list of all extracted keys/values
     """
     collected = []
     # mounted hives first: one subkey of HKEY_USERS per logged on user
     hku = registry_obj.get_registry_key(registry_obj.HKEY_USERS)
     if hku:
         for idx in xrange(hku.get_number_of_sub_keys()):
             found = hku.get_sub_key(idx).get_sub_key_by_path(key_path)
             if found:
                 construct_list_from_key(collected, found, is_recursive)
     # then the NTUSER.DAT files of logged off users
     for sid, ntuser_root in self.user_hives:
         found = ntuser_root.get_sub_key_by_path(key_path)
         if found:
             # prefix the path with the owner's SID (presumably to mirror the HKEY_USERS\<SID> layout)
             found.prepend_path_with_sid(sid)
             construct_list_from_key(collected, found, is_recursive)
     return collected
 def _get_list_from_registry_key(self, hive, key_path, is_recursive=True):
     """Creates a list of all nodes and values from a registry key path.
     Keyword arguments:
     hive -- (String) the hive name; HKEY_USERS is delegated to _get_list_from_users_registry_key so that
             the hives of logged off users are covered as well
     key_path -- (String) the path of the key from which the list should be created
     is_recursive -- (Boolean) whether subkeys are listed as well
     Returns a list of the extracted keys/values (empty when the key does not exist).
     """
     if hive == registry_obj.HKEY_USERS:
         return self._get_list_from_users_registry_key(key_path, is_recursive)
     collected = []
     root_key = registry_obj.get_registry_key(hive, key_path)
     if not root_key:
         return collected
     # the values of the key itself first, then each of its subkeys (recursively when asked to)
     append_reg_values(collected, root_key)
     for idx in xrange(root_key.get_number_of_sub_keys()):
         construct_list_from_key(collected, root_key.get_sub_key(idx), is_recursive)
     return collected
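 def __init__(self, params):
     """
     Stores the run parameters and opens the NTUSER.DAT hive of every profile listed under ProfileList.
     :param params: dict with "logger" (required), "output_dir" and "computer_name"; the last two are only
                    stored as attributes when both are truthy (kept as in the original: callers reading
                    self.output_dir / self.computer_name otherwise get an AttributeError)
     self.user_hives receives one (profile key name, NTUSER root key) tuple per hive that could be opened;
     hives of logged on users are locked by Windows and are therefore skipped.
     """
     if params["output_dir"] and params["computer_name"]:
         self.computer_name = params["computer_name"]
         self.output_dir = params["output_dir"]
     self.logger = params["logger"]
     # get logged off users hives
     self.user_hives = []
     users = registry_obj.get_registry_key(registry_obj.HKEY_LOCAL_MACHINE,
                                           r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList")
     if not users:
         return
     for i in xrange(users.get_number_of_sub_keys()):
         user = users.get_sub_key(i)
         profile_value = user.get_value_by_name("ProfileImagePath")
         if profile_value is None:
             # NOTE(review): assumes get_value_by_name returns None for a missing value — confirm;
             # an entry without ProfileImagePath is skipped instead of aborting the constructor
             continue
         path = profile_value.get_data() + r"\NTUSER.DAT"
         try:
             regf_file = registry_obj.RegfFile()
             regf_file.open(path)
             self.user_hives.append((user.get_name(), regf_file.get_root_key()))
         except IOError:
             # user is logged on (hive locked) or not a user profile: skip it
             pass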
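 def init_win_vista_and_above(self):
     """
     Opens the NTUSER.DAT and UsrClass.dat hives of every profile listed under ProfileList, reading them
     through a volume shadow copy of the system drive so that hives locked by logged on users can be read.
     Each profile whose two hive files open is appended to self.user_hives as
     (profile key name, NTUSER root key, UsrClass root key); other ProfileList entries are skipped.
     Side effect: sets self.vss to the _VSS instance created for the system drive.
     """
     users = registry_obj.get_registry_key(registry_obj.HKEY_LOCAL_MACHINE,
                                           r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList")
     drive, _ = os.path.splitdrive(self.systemroot)
     params = {"logger": self.logger}
     self.vss = _VSS._get_instance(params, drive)
     if not users:
         return
     vss_root = self.vss._return_root()
     for i in xrange(users.get_number_of_sub_keys()):
         user = users.get_sub_key(i)
         profile_value = user.get_value_by_name("ProfileImagePath")
         if profile_value is None:
             # NOTE(review): assumes get_value_by_name returns None for a missing value — confirm;
             # an entry without ProfileImagePath is skipped instead of aborting the whole scan
             continue
         profile_path = profile_value.get_data()
         # swap only the leading drive letter for the shadow copy root (count=1: never touch the rest)
         shadow_profile = profile_path.replace(drive, vss_root, 1)
         path = shadow_profile + r"\NTUSER.DAT"
         # single separator before UsrClass.dat (the original had a doubled backslash, which a
         # \\?\-prefixed shadow copy path would presumably not normalise away)
         path_usrclass = shadow_profile + r"\AppData\Local\Microsoft\Windows\UsrClass.dat"
         try:
             regf_file = registry_obj.RegfFile()
             regf_file.open(path)
             # NOTE(review): if this second open fails, regf_file is left open — check whether
             # RegfFile needs explicit closing
             regf_file_usrclass = registry_obj.RegfFile()
             regf_file_usrclass.open(path_usrclass)
             self.user_hives.append(
                 (user.get_name(), regf_file.get_root_key(), regf_file_usrclass.get_root_key()))
         except IOError:
             # not a user profile (its hive files do not exist at that path): skip it
             pass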
 def _get_list_from_users_registry_key(self, key_path, is_recursive=True):
     """
     Lists a key from every user hive: the HKEY_USERS hives Windows has mounted (logged on users) and the
     NTUSER.DAT files opened beforehand for the other users (self.user_hives), since Windows does not
     mount the hives of logged off users.
     :param key_path: the registry key to list
     :param is_recursive: whether subkeys should be listed as well
     :return: a list of all extracted keys/values
     """
     collected = []
     # mounted hives first: one subkey of HKEY_USERS per logged on user
     hku = registry_obj.get_registry_key(registry_obj.HKEY_USERS)
     if hku:
         for idx in xrange(hku.get_number_of_sub_keys()):
             found = hku.get_sub_key(idx).get_sub_key_by_path(key_path)
             if found:
                 construct_list_from_key(collected, found, is_recursive)
     # then the NTUSER.DAT files of logged off users
     for sid, ntuser_root in self.user_hives:
         found = ntuser_root.get_sub_key_by_path(key_path)
         if found:
             # prefix the path with the owner's SID (presumably to mirror the HKEY_USERS\<SID> layout)
             found.prepend_path_with_sid(sid)
             construct_list_from_key(collected, found, is_recursive)
     return collected