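#!/usr/bin/env python
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Author: Alberto Solino (@agsolino)
#
# Description: A Windows Registry Reader Example
#
# Reference for:
#   winregistry.py
#
from __future__ import division
from __future__ import print_function
import sys
import argparse
import ntpath
from binascii import unhexlify, hexlify

from impacket.examples import logger
from impacket import version
from impacket import winregistry


def bootKey(reg):
    """Print, as hex, the 16-byte key assembled from the LSA class names.

    The four subkeys JD, Skew1, GBG and Data under
    ``ControlSet001\\Control\\Lsa`` each carry a UTF-16LE class name whose
    first 8 characters are hex digits (4 bytes).  The 16 bytes are then
    reordered with a fixed permutation table and hex-dumped to stdout.

    Not reachable from ``main``; kept as a reference helper.

    :param reg: an open ``winregistry.Registry``
    :raises ValueError: if one of the four keys has no class name, or if
        the assembled key is not 16 bytes long
    """
    baseClass = 'ControlSet001\\Control\\Lsa\\'
    keys = ['JD', 'Skew1', 'GBG', 'Data']
    # bytes, not str: on Python 3 the original '' + unhexlify(...) raised TypeError
    tmpKey = b''

    for key in keys:
        className = reg.getClass(baseClass + key)
        if className is None:
            raise ValueError("no class name found for %s%s" % (baseClass, key))
        tmpKey = tmpKey + unhexlify(className.decode('utf-16le')[:8])

    transforms = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]

    if len(tmpKey) != len(transforms):
        raise ValueError("expected %d key bytes, got %d" % (len(transforms), len(tmpKey)))

    # bytearray indexing yields ints on both Python 2 and 3, so the permuted
    # key can be rebuilt the same way on either interpreter.
    raw = bytearray(tmpKey)
    syskey = bytes(bytearray(raw[transforms[i]] for i in range(len(raw))))

    print(hexlify(syskey).decode('ascii'))


def getClass(reg, className):
    """Hexdump the class name stored on registry key ``className``.

    :param reg: an open ``winregistry.Registry``
    :param className: full key path; the last path component is used as
        the label in the output
    :returns: None; prints nothing when the key carries no class name
    """
    regKey = ntpath.dirname(className)
    regClass = ntpath.basename(className)

    value = reg.getClass(className)
    if value is None:
        return

    print("[%s]" % regKey)
    print("Value for Class %s: \n" % regClass, end=' ')
    winregistry.hexdump(value, ' ')


def getValue(reg, keyValue):
    """Print the (type, data) of registry value ``keyValue``.

    :param reg: an open ``winregistry.Registry``
    :param keyValue: full path ``<key>\\<value name>``
    :returns: None; the key header is printed even when the value is
        missing, in which case nothing else is printed
    """
    regKey = ntpath.dirname(keyValue)
    regValue = ntpath.basename(keyValue)

    value = reg.getValue(keyValue)

    print("[%s]\n" % regKey)

    if value is None:
        return

    print("Value for %s:\n " % regValue, end=' ')
    reg.printValue(value[0], value[1])


def enumValues(reg, searchKey):
    """Print name, type and data for every value under key ``searchKey``.

    :param reg: an open ``winregistry.Registry``
    :param searchKey: full key path; prints nothing if the key is absent
    """
    key = reg.findKey(searchKey)
    if key is None:
        return

    print("[%s]\n" % searchKey)

    # The raw ``print(values)`` debug line of the original is dropped: it
    # echoed the unformatted list (bytes reprs on Python 3) before the table.
    values = reg.enumValues(key)

    for value in values:
        # winregistry hands back value names as bytes; decode once and reuse
        # the text for both the label and the lookup path.
        name = value.decode('utf-8') if isinstance(value, bytes) else value
        print(" %-30s: " % name, end=' ')
        data = reg.getValue('%s\\%s' % (searchKey, name))
        if data is None:
            # Name was enumerated but no (type, data) pair could be read back
            print('')
            continue
        # Special case for binary string.. so it looks better formatted
        if data[0] == winregistry.REG_BINARY:
            print('')
            reg.printValue(data[0], data[1])
            print('')
        else:
            reg.printValue(data[0], data[1])


def enumKey(reg, searchKey, isRecursive, indent=' '):
    """Print the subkeys of ``searchKey``, one per line, prefixed by ``indent``.

    :param reg: an open ``winregistry.Registry``
    :param searchKey: full key path; ``'\\'`` denotes the hive root
    :param isRecursive: when truthy, recurse into each subkey with the
        indent widened by one space per level
    :param indent: prefix printed before every key name
    :returns: None; prints nothing if the key is absent
    """
    parentKey = reg.findKey(searchKey)
    if parentKey is None:
        return

    for key in reg.enumKey(parentKey):
        print("%s%s" % (indent, key))
        if isRecursive:
            # The root is spelled '\\', so joining it with '%s\\%s' would
            # yield a doubled separator; build the child path accordingly.
            if searchKey == '\\':
                child = '\\%s' % key
            else:
                child = '%s\\%s' % (searchKey, key)
            enumKey(reg, child, isRecursive, indent + ' ')


def walk(reg, keyName):
    """Delegate to ``reg.walk`` starting at ``keyName``; returns its result."""
    return reg.walk(keyName)


def main():
    """Parse the command line, open the hive and run the selected action.

    The hive file is parsed entirely by ``winregistry.Registry``; this
    example adds no validation of its own on the file or on the key names
    it is given.  The hive is closed in a ``finally`` so it is released
    even if an action raises.
    """
    # Init the example's logger theme
    logger.init()
    print(version.BANNER)

    parser = argparse.ArgumentParser(add_help=True, description="Reads data from registry hives.")

    parser.add_argument('hive', action='store', help='registry hive to open')
    subparsers = parser.add_subparsers(help='actions', dest='action')
    # A enum_key command
    enumkey_parser = subparsers.add_parser('enum_key', help='enumerates the subkeys of the specified open registry key')
    enumkey_parser.add_argument('-name', action='store', required=True, help='registry key')
    enumkey_parser.add_argument('-recursive', dest='recursive', action='store_true', required=False, help='recursive search (default False)')

    # A enum_values command
    enumvalues_parser = subparsers.add_parser('enum_values', help='enumerates the values for the specified open registry key')
    enumvalues_parser.add_argument('-name', action='store', required=True, help='registry key')

    # A get_value command
    getvalue_parser = subparsers.add_parser('get_value', help='retrieves the data for the specified registry value')
    getvalue_parser.add_argument('-name', action='store', required=True, help='registry value')

    # A get_class command
    getclass_parser = subparsers.add_parser('get_class', help='retrieves the data for the specified registry class')
    getclass_parser.add_argument('-name', action='store', required=True, help='registry class name')

    # A walk command
    walk_parser = subparsers.add_parser('walk', help='walks the registry from the name node down')
    walk_parser.add_argument('-name', action='store', required=True, help='registry class name to start walking down from')

    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    # argparse does not require a subcommand by default: with only the hive
    # given, options.action is None and ``.upper()`` below would raise
    # AttributeError instead of showing usage.
    if options.action is None:
        parser.print_help()
        sys.exit(1)

    reg = winregistry.Registry(options.hive)
    try:
        action = options.action.upper()
        if action == 'ENUM_KEY':
            print("[%s]" % options.name)
            enumKey(reg, options.name, options.recursive)
        elif action == 'ENUM_VALUES':
            enumValues(reg, options.name)
        elif action == 'GET_VALUE':
            getValue(reg, options.name)
        elif action == 'GET_CLASS':
            getClass(reg, options.name)
        elif action == 'WALK':
            walk(reg, options.name)
    finally:
        reg.close()


if __name__ == "__main__":
    main()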