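    def shellbag_rec(key, bag_prefix, path_prefix):
        """
        Function to recursively parse the BagMRU Registry key structure.

        Each BagMRU key is mined twice: the `ItemPos*` values of the
        `Bags\\<NodeSlot>` subkey it points at, and its own numerically
        named values, each of which names the child key to descend into.
        Every item found is appended to the enclosing `shellbags` list as a
        dict with the keys path/mtime/atime/crtime/source/regsource/klwt.

        Arguments:
        `key`: The current 'BagsMRU' key to recurse into.
        `bag_prefix`: A string containing the current subkey path of
            the relevant 'Bags' key. It will look something like '1\\2\\3\\4'.
            It is only threaded through to the recursive calls here.
        `path_prefix` A string containing the current human-readable,
            file system path so far constructed.
        Throws:
        `OverrunBufferException` when a numerically named BagMRU value holds
            a truncated SHITEMLIST; the offending key and value name are
            printed before re-raising.  Problems on the 'Bags' side are
            logged and skipped so one bad entry does not end the walk.
        Whatever `key.subkey()` raises for a numerically named value with no
            matching child key propagates unchanged (presumably
            Registry.RegistryKeyNotFoundException; verify against the
            Registry module).
        """

        def parse_itempos(bag, value):
            """Append every item in one `ItemPos*` value of `bag` to `shellbags`."""
            block = SHITEMLIST(value.value(), 0x0, False)
            offset = 0x10  # skip the fixed header of the ItemPos blob
            while True:
                offset += 0x8  # per-entry layout data precedes the sized item
                size = block.unpack_word(offset)
                if size == 0:
                    break  # a zero-length entry terminates the list
                if size >= 0x15:  # shorter entries carry no usable item
                    item = block.get_item(offset)
                    shellbags.append({
                        "path": path_prefix + "\\" + item.name(),
                        "mtime": item.m_date(),
                        "atime": item.a_date(),
                        "crtime": item.cr_date(),
                        "source": bag.path() + " @ " + hex(item.offset()),
                        "regsource": bag.path() + "\\" + value.name(),
                        "klwt": key.timestamp()
                    })
                offset += size

        try:
            # First, consider the current key: NodeSlot names the Bags subkey
            # whose ItemPos* values are parsed for items.
            slot = key.value("NodeSlot").value()
            for bag in bags_key.subkey(str(slot)).subkeys():
                for value in bag.values():
                    if "ItemPos" not in value.name():
                        continue
                    try:
                        parse_itempos(bag, value)
                    except OverrunBufferException:
                        # The size field comes straight from the hive, so a
                        # truncated or corrupt blob is expected input; losing
                        # only this value (and logging which one) keeps the
                        # gap visible instead of silently dropping the whole
                        # Bags subtree as the former bare `except:` did.
                        g_logger.warning(
                            "Truncated ItemPos data in %s\\%s"
                            % (bag.path(), value.name()))
        except Registry.RegistryValueNotFoundException:
            # No NodeSlot value: this key has no Bags entry of its own.
            g_logger.warning("Registry.RegistryValueNotFoundException")
        except Registry.RegistryKeyNotFoundException:
            # NodeSlot points at a Bags subkey that does not exist.
            g_logger.warning("Registry.RegistryKeyNotFoundException")
        except Exception as e:
            # Narrowed from a bare `except:` so KeyboardInterrupt/SystemExit
            # still propagate; the message is logged as well as the type.
            g_logger.warning("Unexpected error %s: %s" % (sys.exc_info()[0], e))

        # Next, recurse into each BagMRU key.  Numerically named values hold
        # the child's own item list; the child key carries the same name.
        for value in key.values():
            if not re.match(r"\d+", value.name()):
                continue
            path = ""
            try:  # TODO(wb): removeme
                for item in SHITEMLIST(value.value(), 0, False).items():
                    # assume there is only one entry in the value, or take the
                    # last as the path component
                    path = path_prefix + "\\" + item.name()
                    shellbags.append({
                        "path": path,
                        "mtime": item.m_date(),
                        "atime": item.a_date(),
                        "crtime": item.cr_date(),
                        "source": key.path() + " @ " + hex(item.offset()),
                        "regsource": key.path() + "\\" + value.name(),
                        "klwt": key.timestamp()
                    })
            except OverrunBufferException:
                print(key.path())
                print(value.name())
                raise

            shellbag_rec(key.subkey(value.name()),
                         bag_prefix + "\\" + value.name(),
                         path)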
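    def shellbag_rec(key, bag_prefix, path_prefix):
        """
        Function to recursively parse the BagMRU Registry key structure.

        Each BagMRU key is mined twice: the `ItemPos*` values of the
        `Bags\\<NodeSlot>` subkey it points at, and its own numerically
        named values, each of which names the child key to descend into.
        Every item found is appended to the enclosing `shellbags` list as a
        dict with the keys path/mtime/atime/crtime/key_path/@timestamp;
        the string fields are ASCII-encoded with replacement and the dates
        are stringified.

        Arguments:
        `key`: The current 'BagsMRU' key to recurse into.
        `bag_prefix`: A string containing the current subkey path of
            the relevant 'Bags' key. It will look something like '1\\2\\3\\4'.
            It is only threaded through to the recursive calls here.
        `path_prefix` A string containing the current human-readable,
            file system path so far constructed.
        Throws:
        `OverrunBufferException` when a numerically named BagMRU value holds
            a truncated SHITEMLIST; the offending key and value name are
            printed before re-raising.  Problems on the 'Bags' side are
            logged and skipped so one bad entry does not end the walk.
        Whatever `key.subkey()` raises for a numerically named value with no
            matching child key propagates unchanged (presumably
            Registry.RegistryKeyNotFoundException; verify against the
            Registry module).
        """

        def parse_itempos(bag, value):
            """Append every item in one `ItemPos*` value of `bag` to `shellbags`."""
            block = SHITEMLIST(value.value(), 0x0, False)
            offset = 0x10  # skip the fixed header of the ItemPos blob
            while True:
                offset += 0x8  # per-entry layout data precedes the sized item
                size = block.unpack_word(offset)
                if size == 0:
                    break  # a zero-length entry terminates the list
                if size >= 0x15:  # shorter entries carry no usable item
                    item = block.get_item(offset)
                    shellbags.append({
                        # Previously this read `path`, which is only assigned
                        # in the BagMRU loop below, so every Bags item raised
                        # UnboundLocalError and was swallowed by the bare
                        # `except:`.  Build the item's own path instead.
                        "path":
                        (path_prefix + "\\" + item.name()).encode(
                            "ascii", "replace"),
                        "mtime": str(item.m_date()),
                        "atime": str(item.a_date()),
                        "crtime": str(item.cr_date()),
                        # The ItemPos value lives under `bag`, not `key`, so
                        # record the location it can actually be found at
                        # (the BagMRU loop below really does use `key`).
                        "key_path":
                        (bag.path() + "\\" + value.name()).encode(
                            "ascii", "replace"),
                        "@timestamp": str(key.timestamp())
                    })
                offset += size

        try:
            # First, consider the current key: NodeSlot names the Bags subkey
            # whose ItemPos* values are parsed for items.
            slot = key.value("NodeSlot").value()
            for bag in bags_key.subkey(str(slot)).subkeys():
                for value in bag.values():
                    if "ItemPos" not in value.name():
                        continue
                    try:
                        parse_itempos(bag, value)
                    except OverrunBufferException:
                        # The size field comes straight from the hive, so a
                        # truncated or corrupt blob is expected input; losing
                        # only this value (and logging which one) keeps the
                        # gap visible instead of silently dropping the whole
                        # Bags subtree as the former bare `except:` did.
                        g_logger.warning(
                            "Truncated ItemPos data in %s\\%s"
                            % (bag.path(), value.name()))
        except Registry.RegistryValueNotFoundException:
            # No NodeSlot value: this key has no Bags entry of its own.
            g_logger.warning("Registry.RegistryValueNotFoundException")
        except Registry.RegistryKeyNotFoundException:
            # NodeSlot points at a Bags subkey that does not exist.
            g_logger.warning("Registry.RegistryKeyNotFoundException")
        except Exception as e:
            # Narrowed from a bare `except:` so KeyboardInterrupt/SystemExit
            # still propagate; the message is logged as well as the type.
            g_logger.warning("Unexpected error %s: %s" % (sys.exc_info()[0], e))

        # Next, recurse into each BagMRU key.  Numerically named values hold
        # the child's own item list; the child key carries the same name.
        for value in key.values():
            if not re.match(r"\d+", value.name()):
                continue
            path = ""
            try:  # TODO(wb): removeme
                for item in SHITEMLIST(value.value(), 0, False).items():
                    # assume there is only one entry in the value, or take the
                    # last as the path component
                    path = path_prefix + "\\" + item.name()
                    shellbags.append({
                        "path": path.encode("ascii", "replace"),
                        "mtime": str(item.m_date()),
                        "atime": str(item.a_date()),
                        "crtime": str(item.cr_date()),
                        "key_path":
                        (key.path() + "\\" + value.name()).encode(
                            "ascii", "replace"),
                        "@timestamp": str(key.timestamp())
                    })
            except OverrunBufferException:
                print(key.path())
                print(value.name())
                raise

            shellbag_rec(key.subkey(value.name()),
                         bag_prefix + "\\" + value.name(), path)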
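def _parse_itempos(bag, val, key, path_pre):
    """
    Append every item in one `ItemPos*` value of `bag` to `shellbag_list`.

    `key` is the BagMRU key whose NodeSlot led to `bag`; its timestamp is
    recorded as `klwt`.  `path_pre` is the folder path built so far.
    Raises whatever `SHITEMLIST` raises on a short buffer (the caller
    handles `OverrunBufferException`).
    """
    blk = SHITEMLIST(val.value(), 0, False)
    offset = 0x10  # skip the fixed header of the ItemPos blob
    while True:
        offset += 0x8  # per-entry layout data precedes the sized item
        # Was `block.unpack_word(...)`, a name never bound here: every
        # walk raised NameError and was swallowed by the bare `except:`.
        size = blk.unpack_word(offset)
        if size == 0:
            break  # a zero-length entry terminates the list
        if size >= 0x15:  # shorter entries carry no usable item
            item = blk.get_item(offset)
            shellbag_list.append({
                "path": path_pre + "\\" + item.name(),
                "mtime": cvtDate(item.m_date()),
                "atime": cvtDate(item.a_date()),
                "crtime": cvtDate(item.cr_date()),
                "source": bag.path() + " @ " + hex(item.offset()),
                "regsource": bag.path() + "\\" + val.name(),
                "klwt": cvtDate(key.timestamp())
            })
        offset += size


def parse_shellbags(bagmru_key, bags_key, key, bag_pre, path_pre):
    """
    Recursively parse the BagMRU Registry key structure into `shellbag_list`.

    Each BagMRU key is mined twice: the `ItemPos*` values of the
    `Bags\\<NodeSlot>` subkey it points at, and its own numerically named
    values, each of which names the child key to descend into.  Records
    are dicts with the keys path/mtime/atime/crtime/source/regsource/klwt,
    dates passed through the module-level `cvtDate`.

    Arguments:
    `bagmru_key`: The root BagMRU key; only threaded through recursion.
    `bags_key`: The 'Bags' key whose numbered subkeys NodeSlot refers to.
    `key`: The current BagMRU key to recurse into.
    `bag_pre`: Subkey path of the relevant 'Bags' key so far ('1\\2\\3');
        only threaded through recursion.
    `path_pre`: The human-readable file system path constructed so far.
    Throws:
    `OverrunBufferException` when a numerically named BagMRU value holds a
        truncated SHITEMLIST; the key and value name are printed first.
        Errors on the 'Bags' side are printed and skipped.
    Whatever `key.subkey()` raises for a numerically named value with no
        matching child key propagates unchanged (presumably
        Registry.RegistryKeyNotFoundException; verify against the
        Registry module).
    """
    try:
        # NodeSlot names the Bags subkey whose ItemPos* values hold items.
        slot = key.value("NodeSlot").value()
        for bag in bags_key.subkey(str(slot)).subkeys():
            for val in bag.values():
                if "ItemPos" not in val.name():
                    continue
                try:
                    _parse_itempos(bag, val, key, path_pre)
                except OverrunBufferException:
                    # The size field comes straight from the hive; a
                    # truncated blob costs only this value, and the message
                    # names it so the gap is visible in the output.
                    print("[-] truncated ItemPos data in %s\\%s"
                          % (bag.path(), val.name()))
    except Registry.RegistryValueNotFoundException:
        pass  # no NodeSlot: this key has no Bags entry of its own
    except Registry.RegistryKeyNotFoundException:
        print("[-] no key")
    except Exception as e:
        # Narrowed from a bare `except:` so KeyboardInterrupt/SystemExit
        # still propagate; the exception is reported, not just "error".
        print("[-] error %s: %s" % (type(e).__name__, e))

    # Recurse into each BagMRU child.  Numerically named values hold the
    # child's own item list; the child key carries the same name.
    for val in key.values():
        if not re.match(r"\d+", val.name()):
            continue
        path = ""
        try:
            for item in SHITEMLIST(val.value(), 0, False).items():
                # The last item in the value becomes the path component.
                path = path_pre + "\\" + item.name()
                shellbag_list.append({
                    "path": path,
                    "mtime": cvtDate(item.m_date()),
                    "atime": cvtDate(item.a_date()),
                    "crtime": cvtDate(item.cr_date()),
                    "source": key.path() + " @ " + hex(item.offset()),
                    # Added so both record kinds carry the same keys.
                    "regsource": key.path() + "\\" + val.name(),
                    "klwt": cvtDate(key.timestamp())
                })
        except OverrunBufferException:
            print(key.path())
            print(val.name())
            raise

        parse_shellbags(bagmru_key, bags_key, key.subkey(val.name()),
                        bag_pre + "\\" + val.name(), path)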