mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix Undefined Value in Autopsy Regripper Plugins

Browse Source 
Check for undefined values in Autopsy regripper plugins, this is for Autopsy version of regripper not full version of regripper.
This commit is contained in:
Mark McKinnon 2020-06-19 14:34:32 -04:00
parent fbcb565b3a
commit 01494b3fb2
7 changed files with 485 additions and 471 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
thirdparty/rr/plugins/arunmru.pl vendored
View File

@ -36,43 +36,44 @@ sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
#::logMsg("autospyrunmru"); #::logMsg("autospyrunmru");
my $reg = Parse::Win32Registry->new($ntuser); if (defined(Parse::Win32Registry->new($ntuser))) {
my $root_key = $reg->get_root_key; my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'; my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU';
my $key; my $key;
if ($key = $root_key->get_subkey($key_path)) { if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("RunMru"); #::rptMsg("RunMru");
#::rptMsg($key_path); #::rptMsg($key_path);
my @vals = $key->get_list_of_values();
::rptMsg("<runMRU>");
::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");
::rptMsg("<artifacts>");
my %runvals;
my $mru;
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
$runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i);
$mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i);
}
::rptMsg("<MRUList>".$mru."</MRUList>");
foreach my $r (sort keys %runvals) {
::rptMsg("<MRU>".$r." ".$runvals{$r}."</MRU>");
}
}
else {
#::rptMsg($key_path." has no values.");
#::logMsg($key_path." has no values.");
}
::rptMsg("</artifacts>");
::rptMsg("</runMRU>");
}
else {
#::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
my @vals = $key->get_list_of_values();
::rptMsg("<runMRU>");
::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");
::rptMsg("<artifacts>");
my %runvals;
my $mru;
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
$runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i);
$mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i);
}
::rptMsg("<MRUList>".$mru."</MRUList>");
foreach my $r (sort keys %runvals) {
::rptMsg("<MRU>".$r." ".$runvals{$r}."</MRU>");
}
}
else {
#::rptMsg($key_path." has no values.");
#::logMsg($key_path." has no values.");
}
::rptMsg("</artifacts>");
::rptMsg("</runMRU>");
}
else {
#::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
}
} }
1; 1;

58
thirdparty/rr/plugins/autopsylogin.pl vendored
View File

@ -35,36 +35,38 @@ sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
#::logMsg("||logonusername||"); #::logMsg("||logonusername||");
my $reg = Parse::Win32Registry->new($ntuser); if (defined(Parse::Win32Registry->new($ntuser))) {
my $root_key = $reg->get_root_key; my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $logon_name = "Username"; my $logon_name = "Username";
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer'; my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer';
my $key; my $key;
if ($key = $root_key->get_subkey($key_path)) { if ($key = $root_key->get_subkey($key_path)) {
my @vals = $key->get_list_of_values(); my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
#::rptMsg("Logon User Name"); #::rptMsg("Logon User Name");
#::rptMsg($key_path); #::rptMsg($key_path);
::rptMsg("<logon>"); ::rptMsg("<logon>");
::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime><artifacts>"); ::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime><artifacts>");
foreach my $v (@vals) { foreach my $v (@vals) {
if ($v->get_name() eq $logon_name) { if ($v->get_name() eq $logon_name) {
::rptMsg("<user name=\"".$logon_name."\"> ".$v->get_data() ."</user>"); ::rptMsg("<user name=\"".$logon_name."\"> ".$v->get_data() ."</user>");
} }
} }
::rptMsg("</artifacts></logon>"); ::rptMsg("</artifacts></logon>");
} }
else { else {
#::rptMsg($key_path." has no values."); #::rptMsg($key_path." has no values.");
#::logMsg($key_path." has no values."); #::logMsg($key_path." has no values.");
} }
} }
else { else {
#::rptMsg($key_path." not found."); #::rptMsg($key_path." not found.");
#::logMsg($key_path." not found."); #::logMsg($key_path." not found.");
} }
}
} }
1; 1;

101
thirdparty/rr/plugins/autopsyntusernetwork.pl vendored
View File

@ -31,63 +31,66 @@ sub pluginmain {
#::logMsg("Launching ntusernetwork v.".$VERSION); #::logMsg("Launching ntusernetwork v.".$VERSION);
#::rptMsg("ntusernetwork v.".$VERSION); # banner #::rptMsg("ntusernetwork v.".$VERSION); # banner
#::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner #::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser); if (defined(Parse::Win32Registry->new($ntuser))) {
my $root_key = $reg->get_root_key;
::rptMsg("<NtuserNetwork>"); my $reg = Parse::Win32Registry->new($ntuser);
::rptMsg("<mtime></mtime>"); my $root_key = $reg->get_root_key;
::rptMsg("<artifacts>");
my $key_path = 'Network'; ::rptMsg("<NtuserNetwork>");
my $key; ::rptMsg("<mtime></mtime>");
if ($key = $root_key->get_subkey($key_path)) { ::rptMsg("<artifacts>");
my $key_path = 'Network';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys(); my @subkeys = $key->get_list_of_subkeys();
if (scalar @subkeys > 0) { if (scalar @subkeys > 0) {
foreach my $s (@subkeys) { foreach my $s (@subkeys) {
#::rptMsg($key_path."\\".$s->get_name()); #::rptMsg($key_path."\\".$s->get_name());
my $localPath = $key_path."\\".$s->get_name(); my $localPath = $key_path."\\".$s->get_name();
my $remotePath; my $remotePath;
eval { eval {
$remotePath = $s->get_value("RemotePath")->get_data(); $remotePath = $s->get_value("RemotePath")->get_data();
}; };
if ($@) { if ($@) {
# ::rptMsg("OS value not found."); # ::rptMsg("OS value not found.");
} }
else { else {
::rptMsg("<network localPath=\"" . $localPath . "\">". $remotePath . "</network>"); ::rptMsg("<network localPath=\"" . $localPath . "\">". $remotePath . "</network>");
} }
} }
} }
# ::rptMsg($key_path); # ::rptMsg($key_path);
# ::rptMsg(""); # ::rptMsg("");
# my @subkeys = $key->get_list_of_subkeys(); # my @subkeys = $key->get_list_of_subkeys();
# if (scalar @subkeys > 0) { # if (scalar @subkeys > 0) {
# foreach my $s (@subkeys) { # foreach my $s (@subkeys) {
# ::rptMsg($key_path."\\".$s->get_name()); # ::rptMsg($key_path."\\".$s->get_name());
# ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())); # ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp()));
# my @vals = $s->get_list_of_values(); # my @vals = $s->get_list_of_values();
# if (scalar @vals > 0) { # if (scalar @vals > 0) {
# foreach my $v (@vals) { # foreach my $v (@vals) {
# ::rptMsg(sprintf " %-15s %-25s",$v->get_name(),$v->get_data()); # ::rptMsg(sprintf " %-15s %-25s",$v->get_name(),$v->get_data());
# } # }
# ::rptMsg(""); # ::rptMsg("");
# } # }
# } # }
# } # }
# else { # else {
# ::rptMsg($key_path." key has no subkeys."); # ::rptMsg($key_path." key has no subkeys.");
# } # }
} }
else { else {
#::rptMsg($key_path." key not found."); #::rptMsg($key_path." key not found.");
} }
::rptMsg("</artifacts></NtuserNetwork>"); ::rptMsg("</artifacts></NtuserNetwork>");
}
} }
1; 1;

136
thirdparty/rr/plugins/autopsyrecentdocs.pl vendored
View File

@ -41,80 +41,82 @@ sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
#::logMsg("||recentdocs||"); #::logMsg("||recentdocs||");
my $reg = Parse::Win32Registry->new($ntuser); if (defined(Parse::Win32Registry->new($ntuser))) {
my $root_key = $reg->get_root_key; my $reg = Parse::Win32Registry->new($ntuser);
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"; my $root_key = $reg->get_root_key;
my $key; my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs";
if ($key = $root_key->get_subkey($key_path)) { my $key;
#::rptMsg("RecentDocs"); if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("**All values printed in MRUList\\MRUListEx order."); #::rptMsg("RecentDocs");
#::rptMsg($key_path); #::rptMsg("**All values printed in MRUList\\MRUListEx order.");
::rptMsg("<recentdocs><mtime>".gmtime($key->get_timestamp())."</mtime><artifacts>"); #::rptMsg($key_path);
# Get RecentDocs values ::rptMsg("<recentdocs><mtime>".gmtime($key->get_timestamp())."</mtime><artifacts>");
my %rdvals = getRDValues($key); # Get RecentDocs values
if (%rdvals) { my %rdvals = getRDValues($key);
my $tag; if (%rdvals) {
if (exists $rdvals{"MRUListEx"}) { my $tag;
$tag = "MRUListEx"; if (exists $rdvals{"MRUListEx"}) {
} $tag = "MRUListEx";
elsif (exists $rdvals{"MRUList"}) { }
$tag = "MRUList"; elsif (exists $rdvals{"MRUList"}) {
} $tag = "MRUList";
else { }
else {
} }
my @list = split(/,/,$rdvals{$tag}); my @list = split(/,/,$rdvals{$tag});
foreach my $i (@list) { foreach my $i (@list) {
::rptMsg("<doc name=\"Windows\">".$rdvals{$i} . "</doc>"); ::rptMsg("<doc name=\"Windows\">".$rdvals{$i} . "</doc>");
} }
} }
else { else {
#::rptMsg($key_path." has no values."); #::rptMsg($key_path." has no values.");
#::logMsg("Error: ".$key_path." has no values."); #::logMsg("Error: ".$key_path." has no values.");
} }
::rptMsg("</artifacts></recentdocs>"); ::rptMsg("</artifacts></recentdocs>");
# Get RecentDocs subkeys' values # Get RecentDocs subkeys' values
my @subkeys = $key->get_list_of_subkeys(); my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) { if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) { foreach my $s (@subkeys) {
#::rptMsg($key_path."\\".$s->get_name()); #::rptMsg($key_path."\\".$s->get_name());
#::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); #::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
my %rdvals = getRDValues($s); my %rdvals = getRDValues($s);
if (%rdvals) { if (%rdvals) {
my $tag; my $tag;
if (exists $rdvals{"MRUListEx"}) { if (exists $rdvals{"MRUListEx"}) {
$tag = "MRUListEx"; $tag = "MRUListEx";
} }
elsif (exists $rdvals{"MRUList"}) { elsif (exists $rdvals{"MRUList"}) {
$tag = "MRUList"; $tag = "MRUList";
} }
else { else {
} }
my @list = split(/,/,$rdvals{$tag}); my @list = split(/,/,$rdvals{$tag});
#::rptMsg($tag." = ".$rdvals{$tag}); #::rptMsg($tag." = ".$rdvals{$tag});
foreach my $i (@list) { foreach my $i (@list) {
#::rptMsg("".$rdvals{$i}); #::rptMsg("".$rdvals{$i});
} }
#::rptMsg(""); #::rptMsg("");
} }
else { else {
#::rptMsg($key_path." has no values."); #::rptMsg($key_path." has no values.");
} }
} }
} }
else { else {
#::rptMsg($key_path." has no subkeys."); #::rptMsg($key_path." has no subkeys.");
} }
} }
else { else {
#::rptMsg($key_path." not found."); #::rptMsg($key_path." not found.");
} }
}
} }

53
thirdparty/rr/plugins/autopsyshellfolders.pl vendored
View File

@ -41,32 +41,35 @@ sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
#::logMsg("Launching shellfolders v.".$VERSION); #::logMsg("Launching shellfolders v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); if (defined(Parse::Win32Registry->new($hive))) {
my $root_key = $reg->get_root_key; my $reg = Parse::Win32Registry->new($hive);
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("<shellfolders>");
::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");
my @vals = $key->get_list_of_values(); my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
::rptMsg("<artifacts>"); my $key;
if (scalar(@vals) > 0) { if ($key = $root_key->get_subkey($key_path)) {
foreach my $v (@vals) { ::rptMsg("<shellfolders>");
my $str = sprintf "%-20s %-40s","<shell name=\"".$v->get_name()."\">",$v->get_data()."</shell>"; ::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");
::rptMsg($str);
} my @vals = $key->get_list_of_values();
::rptMsg(""); ::rptMsg("<artifacts>");
} if (scalar(@vals) > 0) {
else { foreach my $v (@vals) {
#::rptMsg($key_path." has no values."); my $str = sprintf "%-20s %-40s","<shell name=\"".$v->get_name()."\">",$v->get_data()."</shell>";
} ::rptMsg($str);
::rptMsg("</artifacts></shellfolders>"); }
} ::rptMsg("");
else { }
#::rptMsg($key_path." not found."); else {
#::logMsg($key_path." not found."); #::rptMsg($key_path." has no values.");
} }
::rptMsg("</artifacts></shellfolders>");
}
else {
#::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
}
} }
1; 1;

216
thirdparty/rr/plugins/officedocs.pl vendored
View File

@ -37,115 +37,117 @@ sub pluginmain {
# ::rptMsg("officedocs v.".$VERSION); # 20110830 [fpi] + banner # ::rptMsg("officedocs v.".$VERSION); # 20110830 [fpi] + banner
# ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner # ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
::rptMsg("<office>"); ::rptMsg("<office>");
my $reg = Parse::Win32Registry->new($ntuser); if (defined(Parse::Win32Registry->new($ntuser))) {
my $root_key = $reg->get_root_key; my $reg = Parse::Win32Registry->new($ntuser);
#::rptMsg("officedocs v.".$VERSION); my $root_key = $reg->get_root_key;
# First, let's find out which version of Office is installed #::rptMsg("officedocs v.".$VERSION);
my $version; # First, let's find out which version of Office is installed
my $tag = 0; my $version;
my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0"); my $tag = 0;
foreach my $ver (@versions) { my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0");
my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Open Find"; foreach my $ver (@versions) {
if (defined($root_key->get_subkey($key_path))) { my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Open Find";
$version = $ver; if (defined($root_key->get_subkey($key_path))) {
$tag = 1; $version = $ver;
} $tag = 1;
} }
}
if ($tag) { if ($tag) {
#::rptMsg("MSOffice version ".$version." located."); #::rptMsg("MSOffice version ".$version." located.");
my $key_path = "Software\\Microsoft\\Office\\".$version; my $key_path = "Software\\Microsoft\\Office\\".$version;
my $of_key = $root_key->get_subkey($key_path); my $of_key = $root_key->get_subkey($key_path);
::rptMsg("<mtime> ".gmtime($of_key->get_timestamp())."</mtime>"); ::rptMsg("<mtime> ".gmtime($of_key->get_timestamp())."</mtime>");
::rptMsg("<artifacts>"); ::rptMsg("<artifacts>");
if ($of_key) { if ($of_key) {
# Attempt to retrieve Word docs # Attempt to retrieve Word docs
my @funcs = ("Open","Save As","File Save"); my @funcs = ("Open","Save As","File Save");
foreach my $func (@funcs) { foreach my $func (@funcs) {
my $word = "Common\\Open Find\\Microsoft Office Word\\Settings\\".$func."\\File Name MRU"; my $word = "Common\\Open Find\\Microsoft Office Word\\Settings\\".$func."\\File Name MRU";
my $word_key = $of_key->get_subkey($word); my $word_key = $of_key->get_subkey($word);
if ($word_key) { if ($word_key) {
#::rptMsg($word); #::rptMsg($word);
#::rptMsg(""); #::rptMsg("");
my $value = $word_key->get_value("Value")->get_data(); my $value = $word_key->get_value("Value")->get_data();
my @data = split(/\00/,$value); my @data = split(/\00/,$value);
::rptMsg("<Word name=\"".$value."\">". @data . "</Word>"); ::rptMsg("<Word name=\"".$value."\">". @data . "</Word>");
#map{::rptMsg("$_");}@data; #map{::rptMsg("$_");}@data;
} }
else { else {
# ::rptMsg("Could not access ".$word); # ::rptMsg("Could not access ".$word);
} }
#::rptMsg(""); #::rptMsg("");
} }
# Attempt to retrieve Excel docs # Attempt to retrieve Excel docs
my $excel = 'Excel\\Recent Files'; my $excel = 'Excel\\Recent Files';
if (my $excel_key = $of_key->get_subkey($excel)) { if (my $excel_key = $of_key->get_subkey($excel)) {
#::rptMsg($key_path."\\".$excel); #::rptMsg($key_path."\\".$excel);
#::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)"); #::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)");
my @vals = $excel_key->get_list_of_values(); my @vals = $excel_key->get_list_of_values();
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
my %files; my %files;
# Retrieve values and load into a hash for sorting # Retrieve values and load into a hash for sorting
foreach my $v (@vals) { foreach my $v (@vals) {
my $val = $v->get_name(); my $val = $v->get_name();
my $data = $v->get_data(); my $data = $v->get_data();
my $tag = (split(/File/,$val))[1]; my $tag = (split(/File/,$val))[1];
$files{$tag} = $val.":".$data; $files{$tag} = $val.":".$data;
} }
# Print sorted content to report file # Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) { foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2); my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg("<Excel name=\"".$val."\">".$data . "</Excel>"); ::rptMsg("<Excel name=\"".$val."\">".$data . "</Excel>");
} }
} }
else { else {
#::rptMsg($key_path.$excel." has no values."); #::rptMsg($key_path.$excel." has no values.");
} }
} }
else { else {
#::rptMsg($key_path.$excel." not found."); #::rptMsg($key_path.$excel." not found.");
} }
#::rptMsg(""); #::rptMsg("");
# Attempt to retrieve PowerPoint docs # Attempt to retrieve PowerPoint docs
my $ppt = 'PowerPoint\\Recent File List'; my $ppt = 'PowerPoint\\Recent File List';
if (my $ppt_key = $of_key->get_subkey($ppt)) { if (my $ppt_key = $of_key->get_subkey($ppt)) {
#::rptMsg($key_path."\\".$ppt); #::rptMsg($key_path."\\".$ppt);
#::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)"); #::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)");
my @vals = $ppt_key->get_list_of_values(); my @vals = $ppt_key->get_list_of_values();
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
my %files; my %files;
# Retrieve values and load into a hash for sorting # Retrieve values and load into a hash for sorting
foreach my $v (@vals) { foreach my $v (@vals) {
my $val = $v->get_name(); my $val = $v->get_name();
my $data = $v->get_data(); my $data = $v->get_data();
my $tag = (split(/File/,$val))[1]; my $tag = (split(/File/,$val))[1];
$files{$tag} = $val.":".$data; $files{$tag} = $val.":".$data;
} }
# Print sorted content to report file # Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) { foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2); my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg("<PowerPoint name=\"".$val."\">".$data . "</PowerPoint>"); ::rptMsg("<PowerPoint name=\"".$val."\">".$data . "</PowerPoint>");
} }
} }
else { else {
#::rptMsg($key_path."\\".$ppt." has no values."); #::rptMsg($key_path."\\".$ppt." has no values.");
} }
} }
else { else {
#::rptMsg($key_path."\\".$ppt." not found."); #::rptMsg($key_path."\\".$ppt." not found.");
} }
} }
else { else {
#::rptMsg("Could not access ".$key_path); #::rptMsg("Could not access ".$key_path);
#::logMsg("Could not access ".$key_path); #::logMsg("Could not access ".$key_path);
} }
::rptMsg("</artifacts>"); ::rptMsg("</artifacts>");
} }
else { else {
#::logMsg("MSOffice version not found."); #::logMsg("MSOffice version not found.");
#::rptMsg("MSOffice version not found."); #::rptMsg("MSOffice version not found.");
} }
}
::rptMsg("</office>"); ::rptMsg("</office>");
} }

287
thirdparty/rr/plugins/officedocs2010.pl vendored
View File

@ -72,150 +72,151 @@ sub pluginmain {
#::logMsg("Launching officedocs2010 v.".$VERSION); #::logMsg("Launching officedocs2010 v.".$VERSION);
#::rptMsg("officedocs2010 v.".$VERSION); # 20110830 [fpi] + banner #::rptMsg("officedocs2010 v.".$VERSION); # 20110830 [fpi] + banner
#::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner #::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
if (defined(Parse::Win32Registry->new($ntuser))) {
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
# ::rptMsg("officedocs v.".$VERSION); # 20110830 [fpi] - redundant
my $tag = 0;
my $key_path = "Software\\Microsoft\\Office\\14.0";
if (defined($root_key->get_subkey($key_path))) {
$tag = 1;
}
my $reg = Parse::Win32Registry->new($ntuser); if ($tag) {
my $root_key = $reg->get_root_key; #::rptMsg("MSOffice version 2010 located.");
# ::rptMsg("officedocs v.".$VERSION); # 20110830 [fpi] - redundant my $key_path = "Software\\Microsoft\\Office\\14.0";
my $tag = 0; my $of_key = $root_key->get_subkey($key_path);
my $key_path = "Software\\Microsoft\\Office\\14.0"; if ($of_key) {
if (defined($root_key->get_subkey($key_path))) { # Attempt to retrieve Word docs
$tag = 1; my $word = 'Word\\File MRU';
} if (my $word_key = $of_key->get_subkey($word)) {
#::rptMsg($key_path."\\".$word);
if ($tag) { #::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." (UTC)");
#::rptMsg("MSOffice version 2010 located."); my @vals = $word_key->get_list_of_values();
my $key_path = "Software\\Microsoft\\Office\\14.0"; if (scalar(@vals) > 0) {
my $of_key = $root_key->get_subkey($key_path); my %files;
if ($of_key) { # Retrieve values and load into a hash for sorting
# Attempt to retrieve Word docs foreach my $v (@vals) {
my $word = 'Word\\File MRU'; my $val = $v->get_name();
if (my $word_key = $of_key->get_subkey($word)) { if ($val eq "Max Display") { next; }
#::rptMsg($key_path."\\".$word); my $data = getWinTS($v->get_data());
#::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." (UTC)"); my $tag = (split(/Item/,$val))[1];
my @vals = $word_key->get_list_of_values(); $files{$tag} = $val.":".$data;
if (scalar(@vals) > 0) { }
my %files; # Print sorted content to report file
# Retrieve values and load into a hash for sorting foreach my $u (sort {$a <=> $b} keys %files) {
foreach my $v (@vals) { my ($val,$data) = split(/:/,$files{$u},2);
my $val = $v->get_name(); ::rptMsg("<Word name=\"".$val."\">".$data . "</Word>");
if ($val eq "Max Display") { next; } }
my $data = getWinTS($v->get_data()); }
my $tag = (split(/Item/,$val))[1]; else {
$files{$tag} = $val.":".$data; #::rptMsg($key_path.$word." has no values.");
} }
# Print sorted content to report file }
foreach my $u (sort {$a <=> $b} keys %files) { else {
my ($val,$data) = split(/:/,$files{$u},2); #::rptMsg($key_path.$word." not found.");
::rptMsg("<Word name=\"".$val."\">".$data . "</Word>"); }
} #::rptMsg("");
} # Attempt to retrieve Excel docs
else { my $excel = 'Excel\\File MRU';
#::rptMsg($key_path.$word." has no values."); if (my $excel_key = $of_key->get_subkey($excel)) {
} #::rptMsg($key_path."\\".$excel);
} #::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)");
else { my @vals = $excel_key->get_list_of_values();
#::rptMsg($key_path.$word." not found."); if (scalar(@vals) > 0) {
} my %files;
#::rptMsg(""); # Retrieve values and load into a hash for sorting
# Attempt to retrieve Excel docs foreach my $v (@vals) {
my $excel = 'Excel\\File MRU'; my $val = $v->get_name();
if (my $excel_key = $of_key->get_subkey($excel)) { if ($val eq "Max Display") { next; }
#::rptMsg($key_path."\\".$excel); my $data = getWinTS($v->get_data());
#::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)"); my $tag = (split(/Item/,$val))[1];
my @vals = $excel_key->get_list_of_values(); $files{$tag} = $val.":".$data;
if (scalar(@vals) > 0) { }
my %files; # Print sorted content to report file
# Retrieve values and load into a hash for sorting foreach my $u (sort {$a <=> $b} keys %files) {
foreach my $v (@vals) { my ($val,$data) = split(/:/,$files{$u},2);
my $val = $v->get_name(); ::rptMsg("<Excel name=\"".$val."\">".$data . "</Excel>");
if ($val eq "Max Display") { next; } }
my $data = getWinTS($v->get_data()); }
my $tag = (split(/Item/,$val))[1]; else {
$files{$tag} = $val.":".$data; #::rptMsg($key_path.$excel." has no values.");
} }
# Print sorted content to report file }
foreach my $u (sort {$a <=> $b} keys %files) { else {
my ($val,$data) = split(/:/,$files{$u},2); #::rptMsg($key_path.$excel." not found.");
::rptMsg("<Excel name=\"".$val."\">".$data . "</Excel>"); }
} #::rptMsg("");
} # Attempt to retrieve Access docs
else { my $access = 'Access\\File MRU';
#::rptMsg($key_path.$excel." has no values."); if (my $access_key = $of_key->get_subkey($access)) {
} #::rptMsg($key_path."\\".$access);
} #::rptMsg("LastWrite Time ".gmtime($access_key->get_timestamp())." (UTC)");
else { my @vals = $access_key->get_list_of_values();
#::rptMsg($key_path.$excel." not found."); if (scalar(@vals) > 0) {
} my %files;
#::rptMsg(""); # Retrieve values and load into a hash for sorting
# Attempt to retrieve Access docs foreach my $v (@vals) {
my $access = 'Access\\File MRU'; my $val = $v->get_name();
if (my $access_key = $of_key->get_subkey($access)) { if ($val eq "Max Display") { next; }
#::rptMsg($key_path."\\".$access); my $data = getWinTS($v->get_data());
#::rptMsg("LastWrite Time ".gmtime($access_key->get_timestamp())." (UTC)"); my $tag = (split(/Item/,$val))[1];
my @vals = $access_key->get_list_of_values(); $files{$tag} = $val.":".$data;
if (scalar(@vals) > 0) { }
my %files; # Print sorted content to report file
# Retrieve values and load into a hash for sorting foreach my $u (sort {$a <=> $b} keys %files) {
foreach my $v (@vals) { my ($val,$data) = split(/:/,$files{$u},2);
my $val = $v->get_name(); ::rptMsg("<Access name=\"".$val."\">".$data . "</Access>");
if ($val eq "Max Display") { next; } }
my $data = getWinTS($v->get_data()); }
my $tag = (split(/Item/,$val))[1]; else {
$files{$tag} = $val.":".$data; # ::rptMsg($key_path.$access." has no values.");
} }
# Print sorted content to report file }
foreach my $u (sort {$a <=> $b} keys %files) { else {
my ($val,$data) = split(/:/,$files{$u},2); # ::rptMsg($key_path.$access." not found.");
::rptMsg("<Access name=\"".$val."\">".$data . "</Access>"); }
} #::rptMsg("");
} # Attempt to retrieve PowerPoint docs
else { my $ppt = 'PowerPoint\\File MRU';
# ::rptMsg($key_path.$access." has no values."); if (my $ppt_key = $of_key->get_subkey($ppt)) {
} #::rptMsg($key_path."\\".$ppt);
} #::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)");
else { my @vals = $ppt_key->get_list_of_values();
# ::rptMsg($key_path.$access." not found."); if (scalar(@vals) > 0) {
} my %files;
#::rptMsg(""); # Retrieve values and load into a hash for sorting
# Attempt to retrieve PowerPoint docs foreach my $v (@vals) {
my $ppt = 'PowerPoint\\File MRU'; my $val = $v->get_name();
if (my $ppt_key = $of_key->get_subkey($ppt)) { if ($val eq "Max Display") { next; }
#::rptMsg($key_path."\\".$ppt); my $data = getWinTS($v->get_data());
#::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)"); my $tag = (split(/Item/,$val))[1];
my @vals = $ppt_key->get_list_of_values(); $files{$tag} = $val.":".$data;
if (scalar(@vals) > 0) { }
my %files; # Print sorted content to report file
# Retrieve values and load into a hash for sorting foreach my $u (sort {$a <=> $b} keys %files) {
foreach my $v (@vals) { my ($val,$data) = split(/:/,$files{$u},2);
my $val = $v->get_name(); ::rptMsg("<PowerPoint name=\"".$val."\">".$data . "</PowerPoint>");
if ($val eq "Max Display") { next; } }
my $data = getWinTS($v->get_data()); }
my $tag = (split(/Item/,$val))[1]; else {
$files{$tag} = $val.":".$data; # ::rptMsg($key_path."\\".$ppt." has no values.");
} }
# Print sorted content to report file }
foreach my $u (sort {$a <=> $b} keys %files) { else {
my ($val,$data) = split(/:/,$files{$u},2); # ::rptMsg($key_path."\\".$ppt." not found.");
::rptMsg("<PowerPoint name=\"".$val."\">".$data . "</PowerPoint>"); }
} }
} else {
else { # ::rptMsg("Could not access ".$key_path);
# ::rptMsg($key_path."\\".$ppt." has no values."); # ::logMsg("Could not access ".$key_path);
} }
} }
else { else {
# ::rptMsg($key_path."\\".$ppt." not found."); # ::logMsg("MSOffice version not found.");
} # ::rptMsg("MSOffice version not found.");
} }
else { }
# ::rptMsg("Could not access ".$key_path);
# ::logMsg("Could not access ".$key_path);
}
}
else {
# ::logMsg("MSOffice version not found.");
# ::rptMsg("MSOffice version not found.");
}
} }
1; 1;