def main():
"""The entry function to be executed.
Returns:
None
"""
clsid_all_keys_list = get_all_keys(HKEY_CURRENT_USER, CLSID_PATH)
premium_all_keys_list = get_all_keys(HKEY_CURRENT_USER, PREMIUM_PATH)
premium_sub_keys_list = [
os.path.join(PREMIUM_PATH, item)
for item in get_sub_keys(HKEY_CURRENT_USER, PREMIUM_PATH)
]
print(f"premium_sub_keys_list: {premium_sub_keys_list}")
for clsid_item in clsid_all_keys_list:
if "Info" in clsid_item:
clsid_item_prefix = os.path.dirname(clsid_item)
print(f"# Info item: {clsid_item}")
winreg.DeleteKeyEx(HKEY_CURRENT_USER, clsid_item)
winreg.DeleteKeyEx(HKEY_CURRENT_USER, clsid_item_prefix)
# The outermost folder is not deleted.
for premium_item in reversed(premium_all_keys_list):
if "Servers" in premium_item:
print(f"Tips: Servers => {premium_item} will not be deleted.")
pass
elif premium_item in premium_sub_keys_list:
print(f"Tips: Servers => {premium_item} will not be deleted.")
pass
else:
winreg.DeleteKeyEx(HKEY_CURRENT_USER, premium_item)
def delete_registry(self,
root: str,
key_relative_to_root: str,
key: str,
architecture: int = None) -> bool:
"""
Delete a key in the registry. Is not recursive
:param root: e.g., winreg.HKEY_CURRENT_USER
:param key_relative_to_root: you can use "SOFTWARE\\Microsoft\\Internet Explorer\\Main" to set it to internet explorer
:param key: key to generate within root + key_relative_to_root
:param architecture: architecture to user in the regedit
:return: true if the oepration suceeds, false otheriwse
"""
key_name = f"{key_relative_to_root}\\{key}"
open_key = None
try:
try:
print(f"open_key = {key_name}")
open_key = winreg.OpenKey(root, key_name, 0,
winreg.KEY_ALL_ACCESS)
try:
sub_key = winreg.EnumKey(open_key, 0)
print(f"subkey considered is {sub_key}")
winreg.DeleteKeyEx(open_key, sub_key)
return True
except OSError:
pass
finally:
if open_key is not None:
winreg.CloseKey(open_key)
except FileNotFoundError:
architecture = architecture or self.core.get_architecture()
if architecture == 32:
other_architecture = winreg.KEY_WOW64_64KEY
elif architecture == 64:
other_architecture = winreg.KEY_WOW64_32KEY
else:
raise ValueError(f"Invalid architecture {architecture}!")
try:
print(f"open_key = {key_name}")
open_key = winreg.OpenKey(root, key_name, 0,
winreg.KEY_ALL_ACCESS)
try:
sub_key = winreg.EnumKey(open_key, 0)
print(f"subkey considered is {sub_key}")
winreg.DeleteKeyEx(open_key, sub_key)
return True
except OSError:
pass
except FileNotFoundError as e:
raise FileNotFoundError(
f"Cannot find the registry key {root}\\{key_relative_to_root}\\{key}"
)
finally:
if open_key is not None:
winreg.CloseKey(open_key)
def uninstall():
for key in reg_classes:
root = winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
sub_key=rf'{key}\shell')
winreg.DeleteKeyEx(root, r'EZNO Convert to PDF\command')
winreg.DeleteKeyEx(root, r'EZNO Convert to...\command')
winreg.DeleteKeyEx(root, r'EZNO Convert to PDF')
winreg.DeleteKeyEx(root, r'EZNO Convert to...')
def add_to_registry(remove_key=False):
# in python __file__ is the instant of
# file path where it was executed
# so if it was executed from desktop,
# then __file__ will be
# c:\users\current_user\desktop
pth = os.path.dirname(os.path.realpath(__file__))
# name of the python file with extension
s_name = "TA_Monitor.py"
# joins the file name to end of path address
address = os.path.join(pth, s_name)
# key we want to change is HKEY_CURRENT_USER
# key value is Software\Microsoft\Windows\CurrentVersion\Run
key = reg.HKEY_CURRENT_USER
key_value = r"Software\Microsoft\Windows\CurrentVersion\Run"
# open the key to make changes to
reg_key = reg.OpenKey(key, key_value, 0, reg.KEY_ALL_ACCESS)
if remove_key:
reg.DeleteKeyEx(reg_key, "start_up", 0, reg.REG_SZ, address)
else:
reg.SetValueEx(reg_key, "start_up", 0, reg.REG_SZ, address)
# now close the opened key
reg.CloseKey(reg_key)
def remove_vc9_reg():
try:
winreg.DeleteKeyEx(HCU,
r"Software\Microsoft\VisualStudio\9.0\Setup\VC")
print("Removed")
except WindowsError:
print("key not exist")
def unregisterInstallation(keepDesktopShortcut=False):
try:
winreg.DeleteKeyEx(winreg.HKEY_LOCAL_MACHINE, easeOfAccess.APP_KEY_PATH,
winreg.KEY_WOW64_64KEY)
easeOfAccess.setAutoStart(winreg.HKEY_LOCAL_MACHINE, False)
except WindowsError:
pass
wsh=_getWSH()
desktopPath=os.path.join(wsh.SpecialFolders("AllUsersDesktop"),"NVDA.lnk")
if not keepDesktopShortcut and os.path.isfile(desktopPath):
try:
os.remove(desktopPath)
except WindowsError:
pass
startMenuFolder=getStartMenuFolder()
if startMenuFolder:
programsPath=wsh.SpecialFolders("AllUsersPrograms")
startMenuPath=os.path.join(programsPath,startMenuFolder)
if os.path.isdir(startMenuPath):
shutil.rmtree(startMenuPath,ignore_errors=True)
try:
winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\nvda")
except WindowsError:
pass
try:
winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\nvda.exe")
except WindowsError:
pass
try:
winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE,config.NVDA_REGKEY)
except WindowsError:
pass
unregisterAddonFileAssociation()
def delete_key(self, keyName):
try:
winreg.DeleteKeyEx(self.HKEY,
self.__format_after_path() + keyName,
winreg.KEY_ALL_ACCESS, 0)
except:
pass
def delete(self, key, bitness=None):
"""
Deletes key registry
:param key: registry key
:param bitness:
"""
logging.debug('{0}'.format(key))
hive, path = self._get_registry_hive(key)
bitness_flag = Registry._get_bitness_flag(bitness)
winreg.DeleteKeyEx(hive, path, bitness_flag, 0)
def delete(self):
for k in self:
k.delete()
try:
key = winreg.OpenKeyEx(self._root, None, 0,
winreg.KEY_READ | self._flags)
except OSError:
return
with key:
winreg.DeleteKeyEx(key, self.subkey)
def del_user_env(name=None):
try:
if name is None:
winreg.DeleteKeyEx(winreg.HKEY_CURRENT_USER, r"xGIS",
winreg.KEY_ALL_ACCESS, 0)
else:
key = winreg.OpenKeyEx(winreg.HKEY_CURRENT_USER, r"xGIS", 0,
winreg.KEY_SET_VALUE)
winreg.DeleteValue(key, name)
except WindowsError:
pass
def delete_registry(key, subkey, arch):
"""
Delete a registry
Parameters
----------
key : str
The key of the registry (HKEY_* constants).
subkey : str
The subkey (name) of the registry.
"""
sys.platform == 'win32' and winreg.DeleteKeyEx(key, subkey, access=arch)
def deleteKey(data):
try:
data = data.split('\\', 1)
data1 = str(data[0])
data2 = str(data[1])
data2 = format(data2)
registry_key = winreg.DeleteKeyEx(getattr(winreg, data1), data2,
winreg.KEY_WOW64_64KEY, 0)
winreg.CloseKey(registry_key)
return 'Xoá key thành công'
except WindowsError:
return 'Lỗi'
def delete_registry_entries(self):
'''
@summary: Deletes the timer registry key
'''
# Open and delete the key
try:
reg = winreg.OpenKeyEx(winreg.HKEY_CURRENT_USER, self.REGISTRY_LOCATION)
winreg.DeleteKeyEx(reg, "")
winreg.CloseKey(reg)
except WindowsError:
# Ignore any Windows errors
pass
def remove_start_at_boot():
# Creating a handle (key) in the HKEY Current user tree of the windows registry
key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, run_key, 0, winreg.KEY_ALL_ACCESS)
# We execute the function defined below to check whether the key we're about
# to make exists.
if registry_key_exists(key, program_name):
print("Key exists attempting to remove")
try:
winreg.DeleteKeyEx(key, program_name)
except WindowsError:
# If this fails try executing as administrator
print("Couldn't remove key")
else:
print("Key doesn't exists")
def deleteRegKeyRecursively(HKey, subKey, view=winreg.KEY_WOW64_64KEY):
# Delete all the sub keys first
keyExist = False
with winreg.OpenKeyEx(HKey, subKey, 0,
access=winreg.KEY_ALL_ACCESS | view) as keyHandle:
keyExist = True
index = 0
while True:
try:
subKeyName = winreg.EnumKey(keyHandle, index)
deleteRegKeyRecursively(HKey, subKey + '\\' + subKeyName)
except OSError:
break
index += 1
# Then delete this key
if keyExist:
if view == winreg.KEY_WOW64_64KEY:
winreg.DeleteKeyEx(HKey, subKey, access=view, reserved=0)
else:
winreg.DeleteKey(HKey, subKey)
def delete_key(key_hive, key_path, access_type=Wow64RegistryEntry.KEY_WOW64):
"""
Delete registry key
:param key_hive: Windows registry hive to edit, e.g. HKEY_CURRENT_USER
:param key_path: Path Windows registry key inside the hive, for example "SOFTWARE\Microsoft\Windows"
:param access_type: Access type for 32/64 bit registry sub-entries in HKLM/SOFTWARE key.
:return: True if success, False otherwise
"""
if access_type == Wow64RegistryEntry.KEY_WOW32_64:
raise RuntimeError("Use either KEY_WOW64 or KEY_WOW32 with delete_key()")
try:
key_hive_value = HIVES_MAP[key_hive]
wow64_flags = WOW64_MAP[access_type]
winreg.DeleteKeyEx(key_hive_value, key_path, (wow64_flags | winreg.KEY_WRITE), 0)
return True
except WindowsError as e:
logger.error("Unable to delete registry key %s\\%s with LastError=%d [%s]",
key_hive, key_path, e.winerror, e.strerror)
return None
def folder_set():
dic = {
'{0ddd015d-b06c-45d5-8c4c-f59713854639}': 'Local Pictures',
'{35286a68-3c57-41a1-bbb1-0eae73d76c95}': 'Local Videos',
'{a0c69a99-21c8-4671-8703-7934162fcf1d}': 'Local Music',
'{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}': 'Desktop'
}
for entry in dic:
try:
key = winreg.OpenKeyEx(
winreg.HKEY_LOCAL_MACHINE,
r'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\%s\PropertyBag'
% (entry),
access=winreg.KEY_SET_VALUE)
winreg.SetValueEx(key, 'ThisPCPolicy', 0, winreg.REG_SZ, 'Hide')
winreg.CloseKey(key)
except Exception as e:
print("hide %s error, %s" % (dic[entry], e))
namespace_dict = {
# '{088e3905-0323-4b02-9826-5d99428e115f}': 'Download',
'{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}': '3D objects',
'{24ad3ad4-a569-4530-98e1-ab02f9417aa8}': "Pictures",
'{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}': 'Music',
'{d3162b92-9365-467a-956b-92703aca08af}': "documents",
'{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}': "Videos"
# '{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}': 'Desktop',
}
for entry in dic:
try:
winreg.DeleteKeyEx(
winreg.HKEY_LOCAL_MACHINE,
r'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\%s'
% (entry),
)
except Exception as e:
print("hide %s error, %s" % (dic[entry], e))
def DeleteKey(self, aKey):
bResult = False
if self.KeyExists(aKey):
bResult = winreg.DeleteKeyEx(self.__Root_Key, aKey, self.__default_Architecture_Key)
return bResult
def tearDownClass(cls):
super(InstallerTest, cls).tearDownClass()
winreg.DeleteKeyEx(winreg.HKEY_LOCAL_MACHINE, _TEST_KEY_PATH,
winreg.KEY_ALL_ACCESS, 0)
def delete(self, recursive: bool = True) -> None:
if recursive:
for subkey in self.subkeys():
subkey.delete()
winreg.DeleteKeyEx(self.hkey.id_, str(self.path))
import os
import shutil
import winreg
path = 'C:{0}RAT_DELETE_ME'.format(os.path.sep)
try:
shutil.rmtree(path)
except FileNotFoundError:
pass
try:
run = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
0, winreg.KEY_WRITE)
winreg.DeleteKeyEx(run, "JRAT")
except FileNotFoundError:
pass
os.system('shutdown /l')
def deleteKeyEx():
# This method can not delete keys with subkeys.
winreg.DeleteKeyEx(winreg.HKEY_CURRENT_USER, path, 0,
winreg.KEY_ALL_ACCESS)
def delete_entry(self):
key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, self.path, 0, winreg.KEY_WRITE)
winreg.DeleteKeyEx(key, self.name, access=KEY_WOW64_64KEY ,reserved =0)
winreg.CloseKey(key)
def main():
common.log("Suspicious Registry Persistence")
for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
write_reg_string(
hive, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\",
"RunOnceTest", TARGET_APP)
write_reg_string(
hive, "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
"RunTest", TARGET_APP)
# create Services subkey for "ServiceTest"
common.log("Creating ServiceTest registry key")
hkey = winreg.CreateKey(
winreg.HKEY_LOCAL_MACHINE,
"System\\CurrentControlSet\\Services\\ServiceTest\\")
# create "ServiceTest" data values
common.log("Updating ServiceTest metadata")
winreg.SetValueEx(hkey, "Description", 0, winreg.REG_SZ, "A fake service")
winreg.SetValueEx(hkey, "DisplayName", 0, winreg.REG_SZ,
"ServiceTest Service")
winreg.SetValueEx(hkey, "ImagePath", 0, winreg.REG_SZ,
"c:\\ServiceTest.exe")
winreg.SetValueEx(hkey, "ServiceDLL", 0, winreg.REG_SZ,
"C:\\ServiceTest.dll")
# modify contents of ServiceDLL and ImagePath
common.log("Modifying ServiceTest binary")
winreg.SetValueEx(hkey, "ImagePath", 0, winreg.REG_SZ,
"c:\\ServiceTestMod.exe")
winreg.SetValueEx(hkey, "ServiceDLL", 0, winreg.REG_SZ,
"c:\\ServiceTestMod.dll")
hkey.Close()
pause()
# delete Service subkey for "ServiceTest"
common.log("Removing ServiceTest", log_type="-")
hkey = winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE,
"System\\CurrentControlSet\\Services\\")
winreg.DeleteKeyEx(hkey, "ServiceTest")
hkey.Close()
pause()
# Additional persistence
hklm = winreg.HKEY_LOCAL_MACHINE
common.log("Adding AppInit DLL")
windows_base = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\"
write_reg_string(hklm,
windows_base,
"AppInit_Dlls",
"evil.dll",
delete=False)
write_reg_string(hklm, windows_base, "AppInit_Dlls", "", delete=False)
hkey.Close()
pause()
debugger_targets = [
"normalprogram.exe", "sethc.exe", "utilman.exe", "magnify.exe",
"narrator.exe", "osk.exe", "displayswitch.exe", "atbroker.exe"
]
for victim in debugger_targets:
common.log(
"Registering Image File Execution Options debugger for %s -> %s" %
(victim, TARGET_APP))
base_key = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s" % victim
write_reg_string(winreg.HKEY_LOCAL_MACHINE,
base_key,
"Debugger",
TARGET_APP,
delete=True)
