def dump_memory_hashes(addr_space, config, syshive, samhive): if syshive != None and samhive != None: sysaddr = hive.HiveAddressSpace(addr_space, config, syshive) samaddr = hive.HiveAddressSpace(addr_space, config, samhive) return dump_hashes(sysaddr, samaddr) return obj.NoneObject( "SYSTEM or SAM address is None: Did you use the correct profile?")
def dump_memory_hashes(addr_space, config, syshive, sechive): sysaddr = hive.HiveAddressSpace(addr_space, config, syshive) secaddr = hive.HiveAddressSpace(addr_space, config, sechive) for (u, d, dn, hashh) in dump_hashes(sysaddr, secaddr): print("{0}:{1}:{2}:{3}".format(u.lower(), hashh.encode('hex'), d.lower(), dn.lower()))
def get_memory_secrets(addr_space, config, syshive, sechive): if syshive != None and sechive != None: sysaddr = hive.HiveAddressSpace(addr_space, config, syshive) secaddr = hive.HiveAddressSpace(addr_space, config, sechive) return get_secrets(addr_space, sysaddr, secaddr) return None
def calculate(self): addr_space = utils.load_as(self._config) win7 = addr_space.profile.metadata.get('major', 0) == 6 and addr_space.profile.metadata.get('minor', 0) == 1 if not self._config.HIVE_OFFSET: hive_offsets = [(self.hive_name(h), h.obj_offset) for h in hivelist.HiveList.calculate(self)] else: hive_offsets = [("User Specified", self._config.HIVE_OFFSET)] for name, hoff in set(hive_offsets): h = hivemod.HiveAddressSpace(addr_space, self._config, hoff) root = rawreg.get_root(h) if not root: if self._config.HIVE_OFFSET: debug.error("Unable to find root key. Is the hive offset correct?") else: skey = "software\\microsoft\\windows\\currentversion\\explorer\\userassist\\" if win7: uakey = skey + "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count" yield win7, name, rawreg.open_key(root, uakey.split('\\')) uakey = skey + "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count" yield win7, name, rawreg.open_key(root, uakey.split('\\')) else: uakey = skey + "{75048700-EF1F-11D0-9888-006097DEACF9}\\Count" yield win7, name, rawreg.open_key(root, uakey.split('\\')) uakey = skey + "{5E6AB780-7743-11CF-A12B-00AA004AE837}\\Count" yield win7, name, rawreg.open_key(root, uakey.split('\\'))
def reg_get_all_keys(self, hive_name, user = None, start = None, end = None, reg = False, rawtime = False): ''' This function enumerates all keys in specified hives and collects lastwrite times. ''' keys = [] if self.all_offsets == {}: self.populate_offsets() if self.current_offsets == {}: self.set_current(hive_name, user) # Collect the root keys for offset in self.current_offsets: reg_name = self.current_offsets[offset] h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset) root = rawreg.get_root(h) if not root: pass else: time = "{0}".format(root.LastWriteTime) if not rawtime else root.LastWriteTime if reg: if start and end and str(time) >= start and str(time) <= end: yield (time, reg_name, root.Name) elif start == None and end == None: yield (time, reg_name, root.Name) else: if start and end and str(time) >= start and str(time) <= end: yield (time, root.Name) elif start == None and end == None: yield (time, root.Name) for s in rawreg.subkeys(root): if reg: keys.append([s, reg_name, root.Name + "\\" + s.Name]) else: keys.append([s, root.Name + "\\" + s.Name]) # Get subkeys if reg: for k, reg_name, name in keys: time = "{0}".format(k.LastWriteTime) if not rawtime else k.LastWriteTime if start and end and str(time) >= start and str(time) <= end: yield (time, reg_name, name) elif start == None and end == None: yield (time, reg_name, name) for s in rawreg.subkeys(k): if name and s.Name: item = name + '\\' + s.Name keys.append([s, reg_name, item]) else: for k, name in keys: time = "{0}".format(k.LastWriteTime) if not rawtime else k.LastWriteTime if start and end and str(time) >= start and str(time) <= end: yield (time, name) elif start == None and end == None: yield (time, name) for s in rawreg.subkeys(k): if name and s.Name: item = name + '\\' + s.Name keys.append([s, item])
def calculate(self): addr_space = utils.load_as(self._config) if self._config.BRUTE_FORCE: hiveroot = hl.HiveList.calculate(self) elif not self._config.hive_offset: debug.error("No hive offset provided!") else: hiveroot = [obj.Object("_CMHIVE", self._config.hive_offset, addr_space)] hive_offsets = [] for hive in hiveroot: if hive.obj_offset not in hive_offsets: try: name = hive.FileFullPath.v() or hive.FileUserName.v() or hive.HiveRootPath.v() or "[no name]" except: name = "[no name]" hive_offsets.append(hive.obj_offset) h = hivemod.HiveAddressSpace(addr_space, self._config, hive.obj_offset) root = rawreg.get_root(h) if not root: if not self._config.BRUTE_FORCE: debug.error("Unable to find root key. Is the hive offset correct?") else: if self._config.KEY: yield name, rawreg.open_key(root, self._config.KEY.split('\\')) else: yield name, root
def calculate(self): addr_space = utils.load_as(self._config) if not self._config.HIVE_OFFSET: hive_offsets = { h.obj_offset for h in hivelist.HiveList.calculate(self) } else: hive_offsets = {self._config.HIVE_OFFSET} for hoff in sorted(list(hive_offsets)): h = hivemod.HiveAddressSpace(addr_space, self._config, hoff) name = obj.Object("_CMHIVE", vm=addr_space, offset=hoff).get_name() root = rawreg.get_root(h) if not root: if self._config.HIVE_OFFSET: debug.error( "Unable to find root key. Is the hive offset correct?") else: if self._config.KEY: opened_key = rawreg.open_key(root, self._config.KEY.split('\\')) yield name, opened_key else: yield name, root
def calculate(self): addr_space = utils.load_as(self._config) regapi = registryapi.RegistryApi(self._config) software_hive = "SOFTWARE" uninstall = "Microsoft\\Windows\\CurrentVersion\\Uninstall" hive_offsets = [] if not self._config.HIVE_OFFSET: for h in hivelist.HiveList.calculate(self): hive_name = self.hive_name(h) if software_hive in hive_name: hive_offsets = [(hive_name, h.obj_offset)] else: hive_offsets = [("User Specified", self._config.HIVE_OFFSET)] for name, hoff in set(hive_offsets): h = hivemod.HiveAddressSpace(addr_space, self._config, hoff) root = rawreg.get_root(h) if not root: if self._config.HIVE_OFFSET: debug.error( "Unable to find root key. Is the hive offset correct?") else: uninstall_key = rawreg.open_key(root, uninstall.split('\\')) if uninstall_key: yield name, uninstall_key else: outfd.write( "The requested key could not be found in the hive(s) searched\n" )
def calculate(self): addr_space = utils.load_as(self._config) #scan for registries and populate them: print "Scanning for registries...." self.populate_offsets() #set our current registry of interest and get its path #and get current control set print "Getting Current Control Set...." currentcs = "ControlSet001" self.set_current('system') for o in self.current_offsets: sysaddr = hivemod.HiveAddressSpace(addr_space, self._config, o) cs = find_control_set(sysaddr) currentcs = "ControlSet{0:03}".format(cs) #set the services root. print "Getting Services and calculating SIDs...." services = self.reg_get_key('system', currentcs + '\\' + 'Services') if services: for s in rawreg.subkeys(services): if s.Name not in servicesids.values(): sid = createservicesid(str(s.Name)) yield sid, str(s.Name) for sid in servicesids: yield sid, servicesids[sid]
def calculate(self): addr_space = utils.load_as(self._config) if not self._config.hive_offset: debug.error("A Hive offset must be provided (--hive-offset)") h = hivemod.HiveAddressSpace(addr_space, self._config, self._config.hive_offset) return rawreg.get_root(h)
def dump_memory_hashes(addr_space, config, syshive, sechive): hashes = [] if syshive != None and sechive != None: sysaddr = hive.HiveAddressSpace(addr_space, config, syshive) secaddr = hive.HiveAddressSpace(addr_space, config, sechive) hashes = dump_hashes(addr_space, sysaddr, secaddr) if hashes == []: return obj.NoneObject("Unable to find hashes") else: result = [] for (u, d, dn, hashh) in hashes: result.append("{0}:{1}:{2}:{3}".format( u.encode('utf-8', 'ignore').lower(), hashh.encode('hex'), d.encode('utf-8', 'ignore').lower(), dn.encode('utf-8', 'ignore').lower())) return result
def calculate(self): if self._config.DUMP_DIR == None: debug.error("Please specify a dump directory (--dump-dir)") addr_space = utils.load_as(self._config) if self._config.HIVE_OFFSET: name = obj.Object("_CMHIVE", vm=addr_space, offset=self._config.HIVE_OFFSET).get_name() yield self.fixname( name, self._config.HIVE_OFFSET), hivemod.HiveAddressSpace( addr_space, self._config, self._config.HIVE_OFFSET) else: regapi = registryapi.RegistryApi(self._config) for offset in regapi.all_offsets: name = self.fixname(regapi.all_offsets[offset], offset) yield name, hivemod.HiveAddressSpace(addr_space, self._config, offset)
def get_autoruns(self): debug.debug("Getting offsets") addr_space = utils.load_as(self._config) hive_offsets = [ h.obj_offset for h in hivelist.HiveList.calculate(self) ] debug.debug("Found %s hives" % len(hive_offsets)) hives = {} ntuser_hive_roots = [] software_hive_root = None system_hive_root = None # Cycle through all hives until we find NTUSER.DAT or SOFTWARE # This enables us to search all memory-resident NTUSER.DAT hives for hoff in set(hive_offsets): h = hivemod.HiveAddressSpace(addr_space, self._config, hoff) name = self.hive_name( obj.Object("_CMHIVE", vm=addr_space, offset=hoff)) root = rawreg.get_root(h) if 'ntuser.dat' in name.split('\\')[-1].lower(): keys = NTUSER_RUN_KEYS ntuser_hive_roots.append(root) elif 'software' in name.split('\\')[-1].lower(): keys = SOFTWARE_RUN_KEYS software_hive_root = root elif 'system' in name.split('\\')[-1].lower(): system_hive_root = root continue else: continue debug.debug("Searching for keys in %s" % name) for full_key in keys: results = [] debug.debug(" Opening %s" % (full_key)) key = rawreg.open_key(root, full_key.split('\\')) results = self.parse_autoruns_key(key) if len(results) > 0: h = hives.get(name, {}) h[(full_key, key.LastWriteTime)] = results hives[name] = h return hives
def reg_get_currentcontrolset(self, fullname = True): ''' get the CurrentControlSet If fullname is not specified, we only get the number like "1" or "2" etc The default is ControlSet00{#} so we can append it to the desired key path We return None if it fails, so you need to verify before using. ''' for offset in self.all_offsets: name = self.all_offsets[offset] + " " if name.lower().find("\\system ") != -1: sysaddr = hivemod.HiveAddressSpace(self.addr_space, self._config, offset) if fullname: return "ControlSet00{0}".format(hashdump.find_control_set(sysaddr)) else: return hashdump.find_control_set(sysaddr) return None
def reg_yield_key(self, hive_name, key, user = None, given_root = None): ''' Use this function if you are collecting keys from more than one hive ''' if self.all_offsets == {}: self.populate_offsets() if self.current_offsets == {}: self.set_current(hive_name, user) if key: for offset in self.current_offsets: name = self.current_offsets[offset] if given_root == None: h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset) root = rawreg.get_root(h) else: root = given_root if root != None: k = rawreg.open_key(root, key.split('\\')) if k: yield k, name
def reg_get_key(self, hive_name, key, user = None, given_root = None): ''' Returns a key from a requested hive; assumes this is from a single hive if more than one hive is specified, the hive/key found is returned ''' if self.all_offsets == {}: self.populate_offsets() if self.current_offsets == {}: self.set_current(hive_name, user) if key: for offset in self.current_offsets: if given_root == None: h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset) root = rawreg.get_root(h) else: root = given_root if root != None: k = rawreg.open_key(root, key.split('\\')) if k: return k return None
def calculate(self): addr_space = utils.load_as(self._config) regapi = registryapi.RegistryApi(self._config) user_hive = "ntuser.dat" trustrecords = { "Software\\Microsoft\\Office\\14.0\\Word\\Security\\Trusted Documents\\TrustRecords", "Software\\Microsoft\\Office\\14.0\\Excel\\Security\\Trusted Documents\\TrustRecords", "Software\\Microsoft\\Office\\14.0\\PowerPoint\\Security\\Trusted Documents\\TrustRecords", "Software\\Microsoft\\Office\\14.0\\Access\\Security\\Trusted Documents\\TrustRecords", } hive_offsets = {} if not self._config.HIVE_OFFSET: for h in hivelist.HiveList.calculate(self): hive_name = self.hive_name(h) if user_hive in hive_name.lower(): hive_offsets[h.obj_offset] = hive_name else: hive_offsets = [("User Specified", self._config.HIVE_OFFSET)] found = False for hoff, name in hive_offsets.iteritems(): h = hivemod.HiveAddressSpace(addr_space, self._config, hoff) root = rawreg.get_root(h) if not root: if self._config.HIVE_OFFSET: debug.error( "Unable to find root key. Is the hive offset correct?") else: for r in trustrecords: trustrecord_key = rawreg.open_key(root, r.split('\\')) if trustrecord_key: yield name, r, trustrecord_key found = True if not found: debug.error( "The requested key could not be found in the hive(s) searched\n" )
def calculate(self): addr_space = utils.load_as(self._config) if not self._config.HIVE_OFFSET: hive_offsets = [(self.hive_name(h), h.obj_offset) for h in hivelist.HiveList.calculate(self)] else: hive_offsets = [("User Specified", self._config.HIVE_OFFSET)] for name, hoff in set(hive_offsets): h = hivemod.HiveAddressSpace(addr_space, self._config, hoff) root = rawreg.get_root(h) if not root: if self._config.HIVE_OFFSET: debug.error( "Unable to find root key. Is the hive offset correct?") else: if self._config.KEY: yield name, rawreg.open_key(root, self._config.KEY.split('\\')) else: yield name, root
def get_registry_keys(self): addr_space = utils.load_as(self._config) hl = hivelist.HiveList(self._config) if not self._config.HIVE_OFFSET: hive_offsets = [h.obj_offset for h in hl.calculate()] else: hive_offsets = [self._config.HIVE_OFFSET] for hoff in set(hive_offsets): h = hivemod.HiveAddressSpace(addr_space, self._config, hoff) name = obj.Object("_CMHIVE", vm = addr_space, offset = hoff).get_name() root = rawreg.get_root(h) if not root: if self._config.HIVE_OFFSET: self.console_print("Unable to find root key. Is the hive offset correct?") else: if self._config.KEY: yield name, rawreg.open_key(root, self._config.KEY.split('\\')) else: yield name, root
def calculate(self): addr_space = utils.load_as(self._config) regapi = registryapi.RegistryApi(self._config) hiveset = set() if not self._config.HIVE_OFFSET: hive_offsets = [ h.obj_offset for h in hivelist.HiveList.calculate(self) ] else: hive_offsets = [self._config.HIVE_OFFSET] for hoff in set(hive_offsets): h = hivemod.HiveAddressSpace(addr_space, self._config, hoff) name = obj.Object("_CMHIVE", vm=addr_space, offset=hoff).get_name() print "[debug]", name root = rawreg.get_root(h) hive = name.split("\\")[-1] hiveset.add(hive) print hiveset for hive in hiveset: print "\n========================", hive for regtime, keyname in regapi.reg_get_last_modified(hive, count=5): print "\n", regtime, keyname regapi.set_current(hive_name=hive) k = keyname.split('\\')[1:] k = '\\'.join(k) print k + "\n" for value, tp, data in self.reg_yield_values_type( regapi, hive_name=hive, key=k): yield value, tp, data regapi.reset_current()
def dump_memory_hashes(addr_space, config, syshive, samhive): sysaddr = hive.HiveAddressSpace(addr_space, config, syshive) samaddr = hive.HiveAddressSpace(addr_space, config, samhive) return dump_hashes(sysaddr, samaddr)
def get_memory_secrets(addr_space, config, syshive, sechive): sysaddr = hive.HiveAddressSpace(addr_space, config, syshive) secaddr = hive.HiveAddressSpace(addr_space, config, sechive) return get_secrets(sysaddr, secaddr)
def address_space(self): return hivemod.HiveAddressSpace(self.obj_vm, self.obj_vm.get_config(), self.obj_offset)