def services_from_registry(addr_space):
    """Enumerate services from the cached registry hive.

    Walks the hives found by ``hivelist.HiveList``, stops at the first whose
    name ends with ``system`` (case-insensitive), and returns the subkeys of
    its ``ControlSet001\\Services`` key.

    Args:
        addr_space: Address space whose ``get_config()`` supplies the
            hivelist plugin configuration.

    Returns:
        dict mapping each service subkey name (lower-cased) to its key
        object. Empty when no SYSTEM hive is found, or when that hive's root
        key or its ``Services`` key cannot be opened.
    """
    found = {}
    hive_plugin = hivelist.HiveList(addr_space.get_config())
    for hive in hive_plugin.calculate():
        # Only the SYSTEM hive carries the Services key.
        if not hive.get_name().lower().endswith("system"):
            continue
        hive_space = hive.address_space()
        root = rawreg.get_root(hive_space)
        # Whatever the outcome, only the first SYSTEM hive is consulted.
        if root:
            # NOTE(review): ControlSet001 is assumed to be the active control
            # set; the live one is recorded under Select\Current - confirm
            # before relying on these entries for anything decision-making.
            services_key = rawreg.open_key(root, ["ControlSet001", "Services"])
            if services_key:
                for subkey in rawreg.subkeys(services_key):
                    found[str(subkey.Name).lower()] = subkey
        break
    return found
def populate_offsets(self):
    """Record every valid hive's offset and name in ``self.all_offsets``.

    Runs the hivelist plugin once and caches the result keyed by hive object
    offset so later lookups need not rescan memory. Hives that fail
    ``is_valid()`` are skipped, and when the same offset is reported more
    than once only the first occurrence is recorded.
    """
    seen = set()
    for hive in hl.HiveList(self._config).calculate():
        if not hive.is_valid():
            continue
        offset = hive.obj_offset
        if offset in seen:
            continue
        seen.add(offset)
        self.all_offsets[offset] = hive.get_name()
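def populate_offsets(self):
    """Record every hive's offset and best-available name in ``self.all_offsets``.

    Runs the hivelist plugin once and caches the result keyed by hive object
    offset so later lookups need not rescan memory. When the same offset is
    reported more than once only the first occurrence is recorded.

    The name is the first non-empty of ``FileFullPath``, ``FileUserName`` and
    ``HiveRootPath``; if none is set, or reading them raises, the placeholder
    ``"[no name]"`` is stored instead.
    """
    seen = set()
    for hive in hl.HiveList(self._config).calculate():
        offset = hive.obj_offset
        if offset in seen:
            continue
        seen.add(offset)
        try:
            name = (hive.FileFullPath.v()
                    or hive.FileUserName.v()
                    or hive.HiveRootPath.v()
                    or "[no name]")
        except Exception:
            # Best-effort naming: any failure reading the path fields falls
            # back to the placeholder. The previous bare ``except`` also
            # swallowed KeyboardInterrupt/SystemExit, so only Exception is
            # caught here.
            name = "[no name]"
        self.all_offsets[offset] = name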
def get_registry_keys(self):
    """Yield ``(hive_name, key)`` pairs for the configured hives.

    With ``HIVE_OFFSET`` set, only that hive is examined; otherwise every
    hive reported by ``hivelist.HiveList`` is. For each hive the key yielded
    is ``KEY`` (a backslash-separated path opened from the root) when
    configured, else the root key itself. A hive whose root cannot be found
    yields nothing; a message is printed in that case only when the user
    supplied ``HIVE_OFFSET`` explicitly.
    """
    config = self._config
    addr_space = utils.load_as(config)
    # Renamed from ``hl`` so it cannot be confused with a module alias.
    hive_lister = hivelist.HiveList(config)
    if config.HIVE_OFFSET:
        offsets = {config.HIVE_OFFSET}
    else:
        offsets = {h.obj_offset for h in hive_lister.calculate()}
    for hoff in offsets:
        hive_space = hivemod.HiveAddressSpace(addr_space, config, hoff)
        hive_name = obj.Object("_CMHIVE", vm = addr_space, offset = hoff).get_name()
        root = rawreg.get_root(hive_space)
        if not root:
            # Silent when offsets came from the scan; only a user-supplied
            # offset gets the hint.
            if config.HIVE_OFFSET:
                self.console_print("Unable to find root key. Is the hive offset correct?")
            continue
        if config.KEY:
            yield hive_name, rawreg.open_key(root, config.KEY.split('\\'))
        else:
            yield hive_name, root