Fix Undefined Value in Autopsy Regripper Plugins

Check for undefined values in the Autopsy regripper plugins. This applies to the Autopsy version of regripper, not the full version of regripper.
Mark McKinnon 2020-06-19 14:34:32 -04:00
parent fbcb565b3a
commit 01494b3fb2
7 changed files with 485 additions and 471 deletions


@ -36,43 +36,44 @@ sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
#::logMsg("autospyrunmru"); #::logMsg("autospyrunmru");
my $reg = Parse::Win32Registry->new($ntuser); if (defined(Parse::Win32Registry->new($ntuser))) {
my $root_key = $reg->get_root_key; my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'; my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU';
my $key; my $key;
if ($key = $root_key->get_subkey($key_path)) { if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("RunMru"); #::rptMsg("RunMru");
#::rptMsg($key_path); #::rptMsg($key_path);
my @vals = $key->get_list_of_values(); my @vals = $key->get_list_of_values();
::rptMsg("<runMRU>"); ::rptMsg("<runMRU>");
::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>"); ::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");
::rptMsg("<artifacts>"); ::rptMsg("<artifacts>");
my %runvals; my %runvals;
my $mru; my $mru;
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
foreach my $v (@vals) { foreach my $v (@vals) {
$runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i); $runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i);
$mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i); $mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i);
} }
::rptMsg("<MRUList>".$mru."</MRUList>"); ::rptMsg("<MRUList>".$mru."</MRUList>");
foreach my $r (sort keys %runvals) { foreach my $r (sort keys %runvals) {
::rptMsg("<MRU>".$r." ".$runvals{$r}."</MRU>"); ::rptMsg("<MRU>".$r." ".$runvals{$r}."</MRU>");
} }
} }
else { else {
#::rptMsg($key_path." has no values."); #::rptMsg($key_path." has no values.");
#::logMsg($key_path." has no values."); #::logMsg($key_path." has no values.");
} }
::rptMsg("</artifacts>"); ::rptMsg("</artifacts>");
::rptMsg("</runMRU>"); ::rptMsg("</runMRU>");
} }
else { else {
#::rptMsg($key_path." not found."); #::rptMsg($key_path." not found.");
#::logMsg($key_path." not found."); #::logMsg($key_path." not found.");
} }
}
} }
1; 1;
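Review bot: The new guard `if (defined(Parse::Win32Registry->new($ntuser)))` at the top of pluginmain parses the hive twice and, when the parse fails, returns without logging anything, so a corrupt or unreadable hive produces the same empty output as a hive with no RunMRU data. Parsing once and returning early keeps the body at its original indentation and leaves a trace for the examiner: `my $reg = Parse::Win32Registry->new($ntuser);` followed by `unless (defined $reg) { ::logMsg("RunMRU: hive could not be parsed"); return; }`. The same guard is repeated in the logonusername, ntusernetwork, recentdocs, shellfolders, officedocs and officedocs2010 sections of this commit. pluginmain starts above the hunk.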


@ -35,36 +35,38 @@ sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
#::logMsg("||logonusername||"); #::logMsg("||logonusername||");
my $reg = Parse::Win32Registry->new($ntuser); if (defined(Parse::Win32Registry->new($ntuser))) {
my $root_key = $reg->get_root_key; my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $logon_name = "Username";
my $logon_name = "Username";
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer';
my $key; my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer';
if ($key = $root_key->get_subkey($key_path)) { my $key;
my @vals = $key->get_list_of_values(); if ($key = $root_key->get_subkey($key_path)) {
if (scalar(@vals) > 0) { my @vals = $key->get_list_of_values();
#::rptMsg("Logon User Name"); if (scalar(@vals) > 0) {
#::rptMsg($key_path); #::rptMsg("Logon User Name");
::rptMsg("<logon>"); #::rptMsg($key_path);
::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime><artifacts>"); ::rptMsg("<logon>");
foreach my $v (@vals) { ::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime><artifacts>");
if ($v->get_name() eq $logon_name) { foreach my $v (@vals) {
::rptMsg("<user name=\"".$logon_name."\"> ".$v->get_data() ."</user>"); if ($v->get_name() eq $logon_name) {
} ::rptMsg("<user name=\"".$logon_name."\"> ".$v->get_data() ."</user>");
} }
::rptMsg("</artifacts></logon>"); }
} ::rptMsg("</artifacts></logon>");
else { }
#::rptMsg($key_path." has no values."); else {
#::logMsg($key_path." has no values."); #::rptMsg($key_path." has no values.");
} #::logMsg($key_path." has no values.");
} }
else { }
#::rptMsg($key_path." not found."); else {
#::logMsg($key_path." not found."); #::rptMsg($key_path." not found.");
} #::logMsg($key_path." not found.");
}
}
} }
1; 1;
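Review bot: Value data read from the hive is concatenated into the XML report unescaped at `::rptMsg("<user name=\"".$logon_name."\"> ".$v->get_data() ."</user>");`, so data containing `<`, `&` or a quote can break or reshape the document the consumer parses. Registry contents come from the image under examination and should be treated as untrusted; escaping before output, e.g. `$data =~ s/&/&amp;/g; $data =~ s/</&lt;/g; $data =~ s/>/&gt;/g;` (plus `"` for attribute values), would keep the report well-formed. The same pattern appears wherever the other sections of this commit place get_name()/get_data() results inside tags or attributes. How the consumer parses these messages is not visible here, so the impact is inferred.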


@ -30,64 +30,67 @@ sub pluginmain {
my $ntuser = shift; my $ntuser = shift;
#::logMsg("Launching ntusernetwork v.".$VERSION); #::logMsg("Launching ntusernetwork v.".$VERSION);
#::rptMsg("ntusernetwork v.".$VERSION); # banner #::rptMsg("ntusernetwork v.".$VERSION); # banner
#::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner #::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser); if (defined(Parse::Win32Registry->new($ntuser))) {
my $root_key = $reg->get_root_key;
my $reg = Parse::Win32Registry->new($ntuser);
::rptMsg("<NtuserNetwork>"); my $root_key = $reg->get_root_key;
::rptMsg("<mtime></mtime>");
::rptMsg("<artifacts>"); ::rptMsg("<NtuserNetwork>");
::rptMsg("<mtime></mtime>");
::rptMsg("<artifacts>");
my $key_path = 'Network'; my $key_path = 'Network';
my $key; my $key;
if ($key = $root_key->get_subkey($key_path)) { if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys(); my @subkeys = $key->get_list_of_subkeys();
if (scalar @subkeys > 0) { if (scalar @subkeys > 0) {
foreach my $s (@subkeys) { foreach my $s (@subkeys) {
#::rptMsg($key_path."\\".$s->get_name()); #::rptMsg($key_path."\\".$s->get_name());
my $localPath = $key_path."\\".$s->get_name(); my $localPath = $key_path."\\".$s->get_name();
my $remotePath; my $remotePath;
eval { eval {
$remotePath = $s->get_value("RemotePath")->get_data(); $remotePath = $s->get_value("RemotePath")->get_data();
}; };
if ($@) { if ($@) {
# ::rptMsg("OS value not found."); # ::rptMsg("OS value not found.");
} }
else { else {
::rptMsg("<network localPath=\"" . $localPath . "\">". $remotePath . "</network>"); ::rptMsg("<network localPath=\"" . $localPath . "\">". $remotePath . "</network>");
} }
} }
} }
# ::rptMsg($key_path); # ::rptMsg($key_path);
# ::rptMsg(""); # ::rptMsg("");
# my @subkeys = $key->get_list_of_subkeys(); # my @subkeys = $key->get_list_of_subkeys();
# if (scalar @subkeys > 0) { # if (scalar @subkeys > 0) {
# foreach my $s (@subkeys) { # foreach my $s (@subkeys) {
# ::rptMsg($key_path."\\".$s->get_name()); # ::rptMsg($key_path."\\".$s->get_name());
# ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())); # ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp()));
# my @vals = $s->get_list_of_values(); # my @vals = $s->get_list_of_values();
# if (scalar @vals > 0) { # if (scalar @vals > 0) {
# foreach my $v (@vals) { # foreach my $v (@vals) {
# ::rptMsg(sprintf " %-15s %-25s",$v->get_name(),$v->get_data()); # ::rptMsg(sprintf " %-15s %-25s",$v->get_name(),$v->get_data());
# } # }
# ::rptMsg(""); # ::rptMsg("");
# } # }
# } # }
# } # }
# else { # else {
# ::rptMsg($key_path." key has no subkeys."); # ::rptMsg($key_path." key has no subkeys.");
# } # }
} }
else { else {
#::rptMsg($key_path." key not found."); #::rptMsg($key_path." key not found.");
} }
::rptMsg("</artifacts></NtuserNetwork>"); ::rptMsg("</artifacts></NtuserNetwork>");
}
} }
1; 1;


@ -41,80 +41,82 @@ sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
#::logMsg("||recentdocs||"); #::logMsg("||recentdocs||");
my $reg = Parse::Win32Registry->new($ntuser); if (defined(Parse::Win32Registry->new($ntuser))) {
my $root_key = $reg->get_root_key; my $reg = Parse::Win32Registry->new($ntuser);
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"; my $root_key = $reg->get_root_key;
my $key; my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs";
if ($key = $root_key->get_subkey($key_path)) { my $key;
#::rptMsg("RecentDocs"); if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("**All values printed in MRUList\\MRUListEx order."); #::rptMsg("RecentDocs");
#::rptMsg($key_path); #::rptMsg("**All values printed in MRUList\\MRUListEx order.");
::rptMsg("<recentdocs><mtime>".gmtime($key->get_timestamp())."</mtime><artifacts>"); #::rptMsg($key_path);
# Get RecentDocs values ::rptMsg("<recentdocs><mtime>".gmtime($key->get_timestamp())."</mtime><artifacts>");
my %rdvals = getRDValues($key); # Get RecentDocs values
if (%rdvals) { my %rdvals = getRDValues($key);
my $tag; if (%rdvals) {
if (exists $rdvals{"MRUListEx"}) { my $tag;
$tag = "MRUListEx"; if (exists $rdvals{"MRUListEx"}) {
} $tag = "MRUListEx";
elsif (exists $rdvals{"MRUList"}) { }
$tag = "MRUList"; elsif (exists $rdvals{"MRUList"}) {
} $tag = "MRUList";
else { }
else {
}
}
my @list = split(/,/,$rdvals{$tag});
foreach my $i (@list) { my @list = split(/,/,$rdvals{$tag});
::rptMsg("<doc name=\"Windows\">".$rdvals{$i} . "</doc>"); foreach my $i (@list) {
} ::rptMsg("<doc name=\"Windows\">".$rdvals{$i} . "</doc>");
}
}
else { }
#::rptMsg($key_path." has no values."); else {
#::logMsg("Error: ".$key_path." has no values."); #::rptMsg($key_path." has no values.");
} #::logMsg("Error: ".$key_path." has no values.");
::rptMsg("</artifacts></recentdocs>"); }
# Get RecentDocs subkeys' values ::rptMsg("</artifacts></recentdocs>");
my @subkeys = $key->get_list_of_subkeys(); # Get RecentDocs subkeys' values
if (scalar(@subkeys) > 0) { my @subkeys = $key->get_list_of_subkeys();
foreach my $s (@subkeys) { if (scalar(@subkeys) > 0) {
#::rptMsg($key_path."\\".$s->get_name()); foreach my $s (@subkeys) {
#::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); #::rptMsg($key_path."\\".$s->get_name());
#::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
my %rdvals = getRDValues($s);
if (%rdvals) { my %rdvals = getRDValues($s);
my $tag; if (%rdvals) {
if (exists $rdvals{"MRUListEx"}) { my $tag;
$tag = "MRUListEx"; if (exists $rdvals{"MRUListEx"}) {
} $tag = "MRUListEx";
elsif (exists $rdvals{"MRUList"}) { }
$tag = "MRUList"; elsif (exists $rdvals{"MRUList"}) {
} $tag = "MRUList";
else { }
else {
}
}
my @list = split(/,/,$rdvals{$tag});
#::rptMsg($tag." = ".$rdvals{$tag}); my @list = split(/,/,$rdvals{$tag});
foreach my $i (@list) { #::rptMsg($tag." = ".$rdvals{$tag});
#::rptMsg("".$rdvals{$i}); foreach my $i (@list) {
} #::rptMsg("".$rdvals{$i});
}
#::rptMsg("");
} #::rptMsg("");
else { }
#::rptMsg($key_path." has no values."); else {
} #::rptMsg($key_path." has no values.");
} }
} }
else { }
#::rptMsg($key_path." has no subkeys."); else {
} #::rptMsg($key_path." has no subkeys.");
} }
else { }
#::rptMsg($key_path." not found."); else {
} #::rptMsg($key_path." not found.");
}
}
} }
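Review bot: `$tag` is still undefined when `%rdvals` has neither an `MRUListEx` nor an `MRUList` entry, because the `else` branch is empty, and the following `split(/,/,$rdvals{$tag})` then indexes the hash with an undefined key. This is the kind of undefined value the commit sets out to handle, yet both copies of the block (the RecentDocs key itself and the per-subkey loop) keep it. I would make the list conditional: `my @list = defined $tag ? split(/,/, $rdvals{$tag}) : ();`. Whether getRDValues can return such a hash is not visible in this hunk, and pluginmain starts above it.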


@ -41,32 +41,35 @@ sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
#::logMsg("Launching shellfolders v.".$VERSION); #::logMsg("Launching shellfolders v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); if (defined(Parse::Win32Registry->new($hive))) {
my $root_key = $reg->get_root_key; my $reg = Parse::Win32Registry->new($hive);
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
::rptMsg("<shellfolders>"); my $key;
::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>"); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("<shellfolders>");
my @vals = $key->get_list_of_values(); ::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");
::rptMsg("<artifacts>");
if (scalar(@vals) > 0) { my @vals = $key->get_list_of_values();
foreach my $v (@vals) { ::rptMsg("<artifacts>");
my $str = sprintf "%-20s %-40s","<shell name=\"".$v->get_name()."\">",$v->get_data()."</shell>"; if (scalar(@vals) > 0) {
::rptMsg($str); foreach my $v (@vals) {
} my $str = sprintf "%-20s %-40s","<shell name=\"".$v->get_name()."\">",$v->get_data()."</shell>";
::rptMsg(""); ::rptMsg($str);
} }
else { ::rptMsg("");
#::rptMsg($key_path." has no values."); }
} else {
::rptMsg("</artifacts></shellfolders>"); #::rptMsg($key_path." has no values.");
} }
else { ::rptMsg("</artifacts></shellfolders>");
#::rptMsg($key_path." not found."); }
#::logMsg($key_path." not found."); else {
} #::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
}
} }
1; 1;


@ -37,115 +37,117 @@ sub pluginmain {
# ::rptMsg("officedocs v.".$VERSION); # 20110830 [fpi] + banner # ::rptMsg("officedocs v.".$VERSION); # 20110830 [fpi] + banner
# ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner # ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
::rptMsg("<office>"); ::rptMsg("<office>");
my $reg = Parse::Win32Registry->new($ntuser); if (defined(Parse::Win32Registry->new($ntuser))) {
my $root_key = $reg->get_root_key; my $reg = Parse::Win32Registry->new($ntuser);
#::rptMsg("officedocs v.".$VERSION); my $root_key = $reg->get_root_key;
# First, let's find out which version of Office is installed #::rptMsg("officedocs v.".$VERSION);
my $version; # First, let's find out which version of Office is installed
my $tag = 0; my $version;
my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0"); my $tag = 0;
foreach my $ver (@versions) { my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0");
my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Open Find"; foreach my $ver (@versions) {
if (defined($root_key->get_subkey($key_path))) { my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Open Find";
$version = $ver; if (defined($root_key->get_subkey($key_path))) {
$tag = 1; $version = $ver;
} $tag = 1;
} }
}
if ($tag) {
#::rptMsg("MSOffice version ".$version." located."); if ($tag) {
my $key_path = "Software\\Microsoft\\Office\\".$version; #::rptMsg("MSOffice version ".$version." located.");
my $of_key = $root_key->get_subkey($key_path); my $key_path = "Software\\Microsoft\\Office\\".$version;
::rptMsg("<mtime> ".gmtime($of_key->get_timestamp())."</mtime>"); my $of_key = $root_key->get_subkey($key_path);
::rptMsg("<artifacts>"); ::rptMsg("<mtime> ".gmtime($of_key->get_timestamp())."</mtime>");
if ($of_key) { ::rptMsg("<artifacts>");
# Attempt to retrieve Word docs if ($of_key) {
my @funcs = ("Open","Save As","File Save"); # Attempt to retrieve Word docs
foreach my $func (@funcs) { my @funcs = ("Open","Save As","File Save");
my $word = "Common\\Open Find\\Microsoft Office Word\\Settings\\".$func."\\File Name MRU"; foreach my $func (@funcs) {
my $word_key = $of_key->get_subkey($word); my $word = "Common\\Open Find\\Microsoft Office Word\\Settings\\".$func."\\File Name MRU";
if ($word_key) { my $word_key = $of_key->get_subkey($word);
#::rptMsg($word); if ($word_key) {
#::rptMsg($word);
#::rptMsg("");
my $value = $word_key->get_value("Value")->get_data(); #::rptMsg("");
my @data = split(/\00/,$value); my $value = $word_key->get_value("Value")->get_data();
::rptMsg("<Word name=\"".$value."\">". @data . "</Word>"); my @data = split(/\00/,$value);
#map{::rptMsg("$_");}@data; ::rptMsg("<Word name=\"".$value."\">". @data . "</Word>");
} #map{::rptMsg("$_");}@data;
else { }
# ::rptMsg("Could not access ".$word); else {
} # ::rptMsg("Could not access ".$word);
#::rptMsg(""); }
} #::rptMsg("");
# Attempt to retrieve Excel docs }
my $excel = 'Excel\\Recent Files'; # Attempt to retrieve Excel docs
if (my $excel_key = $of_key->get_subkey($excel)) { my $excel = 'Excel\\Recent Files';
#::rptMsg($key_path."\\".$excel); if (my $excel_key = $of_key->get_subkey($excel)) {
#::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)"); #::rptMsg($key_path."\\".$excel);
my @vals = $excel_key->get_list_of_values(); #::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)");
if (scalar(@vals) > 0) { my @vals = $excel_key->get_list_of_values();
my %files; if (scalar(@vals) > 0) {
# Retrieve values and load into a hash for sorting my %files;
foreach my $v (@vals) { # Retrieve values and load into a hash for sorting
my $val = $v->get_name(); foreach my $v (@vals) {
my $data = $v->get_data(); my $val = $v->get_name();
my $tag = (split(/File/,$val))[1]; my $data = $v->get_data();
$files{$tag} = $val.":".$data; my $tag = (split(/File/,$val))[1];
} $files{$tag} = $val.":".$data;
# Print sorted content to report file }
foreach my $u (sort {$a <=> $b} keys %files) { # Print sorted content to report file
my ($val,$data) = split(/:/,$files{$u},2); foreach my $u (sort {$a <=> $b} keys %files) {
::rptMsg("<Excel name=\"".$val."\">".$data . "</Excel>"); my ($val,$data) = split(/:/,$files{$u},2);
} ::rptMsg("<Excel name=\"".$val."\">".$data . "</Excel>");
} }
else { }
#::rptMsg($key_path.$excel." has no values."); else {
} #::rptMsg($key_path.$excel." has no values.");
} }
else { }
#::rptMsg($key_path.$excel." not found."); else {
} #::rptMsg($key_path.$excel." not found.");
#::rptMsg(""); }
# Attempt to retrieve PowerPoint docs #::rptMsg("");
my $ppt = 'PowerPoint\\Recent File List'; # Attempt to retrieve PowerPoint docs
if (my $ppt_key = $of_key->get_subkey($ppt)) { my $ppt = 'PowerPoint\\Recent File List';
#::rptMsg($key_path."\\".$ppt); if (my $ppt_key = $of_key->get_subkey($ppt)) {
#::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)"); #::rptMsg($key_path."\\".$ppt);
my @vals = $ppt_key->get_list_of_values(); #::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)");
if (scalar(@vals) > 0) { my @vals = $ppt_key->get_list_of_values();
my %files; if (scalar(@vals) > 0) {
# Retrieve values and load into a hash for sorting my %files;
foreach my $v (@vals) { # Retrieve values and load into a hash for sorting
my $val = $v->get_name(); foreach my $v (@vals) {
my $data = $v->get_data(); my $val = $v->get_name();
my $tag = (split(/File/,$val))[1]; my $data = $v->get_data();
$files{$tag} = $val.":".$data; my $tag = (split(/File/,$val))[1];
} $files{$tag} = $val.":".$data;
# Print sorted content to report file }
foreach my $u (sort {$a <=> $b} keys %files) { # Print sorted content to report file
my ($val,$data) = split(/:/,$files{$u},2); foreach my $u (sort {$a <=> $b} keys %files) {
::rptMsg("<PowerPoint name=\"".$val."\">".$data . "</PowerPoint>"); my ($val,$data) = split(/:/,$files{$u},2);
} ::rptMsg("<PowerPoint name=\"".$val."\">".$data . "</PowerPoint>");
} }
else { }
#::rptMsg($key_path."\\".$ppt." has no values."); else {
} #::rptMsg($key_path."\\".$ppt." has no values.");
} }
else { }
#::rptMsg($key_path."\\".$ppt." not found."); else {
} #::rptMsg($key_path."\\".$ppt." not found.");
} }
else { }
#::rptMsg("Could not access ".$key_path); else {
#::logMsg("Could not access ".$key_path); #::rptMsg("Could not access ".$key_path);
} #::logMsg("Could not access ".$key_path);
::rptMsg("</artifacts>"); }
} ::rptMsg("</artifacts>");
else { }
#::logMsg("MSOffice version not found."); else {
#::rptMsg("MSOffice version not found."); #::logMsg("MSOffice version not found.");
} #::rptMsg("MSOffice version not found.");
}
}
::rptMsg("</office>"); ::rptMsg("</office>");
} }
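Review bot: `$word_key->get_value("Value")->get_data()` calls get_data() on whatever get_value returns, so a `File Name MRU` key without a `Value` entry would abort the plugin with a method call on an undefined value; the hive guard added at the top does not cover this. The ntusernetwork section of this commit wraps the equivalent chain in eval; here `my $v = $word_key->get_value("Value"); next unless defined $v; my $value = $v->get_data();` would do. On the next output line, `"<Word name=\"".$value."\">". @data . "</Word>"` concatenates the array in scalar context, so the report receives the element count rather than the file names, which looks unintended. Also, `$of_key->get_timestamp()` is called before the `if ($of_key)` test that is meant to protect it.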


@ -72,150 +72,151 @@ sub pluginmain {
#::logMsg("Launching officedocs2010 v.".$VERSION); #::logMsg("Launching officedocs2010 v.".$VERSION);
#::rptMsg("officedocs2010 v.".$VERSION); # 20110830 [fpi] + banner #::rptMsg("officedocs2010 v.".$VERSION); # 20110830 [fpi] + banner
#::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner #::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
if (defined(Parse::Win32Registry->new($ntuser))) {
my $reg = Parse::Win32Registry->new($ntuser); my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key; my $root_key = $reg->get_root_key;
# ::rptMsg("officedocs v.".$VERSION); # 20110830 [fpi] - redundant # ::rptMsg("officedocs v.".$VERSION); # 20110830 [fpi] - redundant
my $tag = 0; my $tag = 0;
my $key_path = "Software\\Microsoft\\Office\\14.0"; my $key_path = "Software\\Microsoft\\Office\\14.0";
if (defined($root_key->get_subkey($key_path))) { if (defined($root_key->get_subkey($key_path))) {
$tag = 1; $tag = 1;
} }
if ($tag) { if ($tag) {
#::rptMsg("MSOffice version 2010 located."); #::rptMsg("MSOffice version 2010 located.");
my $key_path = "Software\\Microsoft\\Office\\14.0"; my $key_path = "Software\\Microsoft\\Office\\14.0";
my $of_key = $root_key->get_subkey($key_path); my $of_key = $root_key->get_subkey($key_path);
if ($of_key) { if ($of_key) {
# Attempt to retrieve Word docs # Attempt to retrieve Word docs
my $word = 'Word\\File MRU'; my $word = 'Word\\File MRU';
if (my $word_key = $of_key->get_subkey($word)) { if (my $word_key = $of_key->get_subkey($word)) {
#::rptMsg($key_path."\\".$word); #::rptMsg($key_path."\\".$word);
#::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." (UTC)"); #::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." (UTC)");
my @vals = $word_key->get_list_of_values(); my @vals = $word_key->get_list_of_values();
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
my %files; my %files;
# Retrieve values and load into a hash for sorting # Retrieve values and load into a hash for sorting
foreach my $v (@vals) { foreach my $v (@vals) {
my $val = $v->get_name(); my $val = $v->get_name();
if ($val eq "Max Display") { next; } if ($val eq "Max Display") { next; }
my $data = getWinTS($v->get_data()); my $data = getWinTS($v->get_data());
my $tag = (split(/Item/,$val))[1]; my $tag = (split(/Item/,$val))[1];
$files{$tag} = $val.":".$data; $files{$tag} = $val.":".$data;
} }
# Print sorted content to report file # Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) { foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2); my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg("<Word name=\"".$val."\">".$data . "</Word>"); ::rptMsg("<Word name=\"".$val."\">".$data . "</Word>");
} }
} }
else { else {
#::rptMsg($key_path.$word." has no values."); #::rptMsg($key_path.$word." has no values.");
} }
} }
else { else {
#::rptMsg($key_path.$word." not found."); #::rptMsg($key_path.$word." not found.");
} }
#::rptMsg(""); #::rptMsg("");
# Attempt to retrieve Excel docs # Attempt to retrieve Excel docs
my $excel = 'Excel\\File MRU'; my $excel = 'Excel\\File MRU';
if (my $excel_key = $of_key->get_subkey($excel)) { if (my $excel_key = $of_key->get_subkey($excel)) {
#::rptMsg($key_path."\\".$excel); #::rptMsg($key_path."\\".$excel);
#::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)"); #::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)");
my @vals = $excel_key->get_list_of_values(); my @vals = $excel_key->get_list_of_values();
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
my %files; my %files;
# Retrieve values and load into a hash for sorting # Retrieve values and load into a hash for sorting
foreach my $v (@vals) { foreach my $v (@vals) {
my $val = $v->get_name(); my $val = $v->get_name();
if ($val eq "Max Display") { next; } if ($val eq "Max Display") { next; }
my $data = getWinTS($v->get_data()); my $data = getWinTS($v->get_data());
my $tag = (split(/Item/,$val))[1]; my $tag = (split(/Item/,$val))[1];
$files{$tag} = $val.":".$data; $files{$tag} = $val.":".$data;
} }
# Print sorted content to report file # Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) { foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2); my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg("<Excel name=\"".$val."\">".$data . "</Excel>"); ::rptMsg("<Excel name=\"".$val."\">".$data . "</Excel>");
} }
} }
else { else {
#::rptMsg($key_path.$excel." has no values."); #::rptMsg($key_path.$excel." has no values.");
} }
} }
else { else {
#::rptMsg($key_path.$excel." not found."); #::rptMsg($key_path.$excel." not found.");
} }
#::rptMsg(""); #::rptMsg("");
# Attempt to retrieve Access docs # Attempt to retrieve Access docs
my $access = 'Access\\File MRU'; my $access = 'Access\\File MRU';
if (my $access_key = $of_key->get_subkey($access)) { if (my $access_key = $of_key->get_subkey($access)) {
#::rptMsg($key_path."\\".$access); #::rptMsg($key_path."\\".$access);
#::rptMsg("LastWrite Time ".gmtime($access_key->get_timestamp())." (UTC)"); #::rptMsg("LastWrite Time ".gmtime($access_key->get_timestamp())." (UTC)");
my @vals = $access_key->get_list_of_values(); my @vals = $access_key->get_list_of_values();
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
my %files; my %files;
# Retrieve values and load into a hash for sorting # Retrieve values and load into a hash for sorting
foreach my $v (@vals) { foreach my $v (@vals) {
my $val = $v->get_name(); my $val = $v->get_name();
if ($val eq "Max Display") { next; } if ($val eq "Max Display") { next; }
my $data = getWinTS($v->get_data()); my $data = getWinTS($v->get_data());
my $tag = (split(/Item/,$val))[1]; my $tag = (split(/Item/,$val))[1];
$files{$tag} = $val.":".$data; $files{$tag} = $val.":".$data;
} }
# Print sorted content to report file # Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) { foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2); my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg("<Access name=\"".$val."\">".$data . "</Access>"); ::rptMsg("<Access name=\"".$val."\">".$data . "</Access>");
} }
} }
else { else {
# ::rptMsg($key_path.$access." has no values."); # ::rptMsg($key_path.$access." has no values.");
} }
} }
else { else {
# ::rptMsg($key_path.$access." not found."); # ::rptMsg($key_path.$access." not found.");
} }
#::rptMsg(""); #::rptMsg("");
# Attempt to retrieve PowerPoint docs # Attempt to retrieve PowerPoint docs
my $ppt = 'PowerPoint\\File MRU'; my $ppt = 'PowerPoint\\File MRU';
if (my $ppt_key = $of_key->get_subkey($ppt)) { if (my $ppt_key = $of_key->get_subkey($ppt)) {
#::rptMsg($key_path."\\".$ppt); #::rptMsg($key_path."\\".$ppt);
#::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)"); #::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)");
my @vals = $ppt_key->get_list_of_values(); my @vals = $ppt_key->get_list_of_values();
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
my %files; my %files;
# Retrieve values and load into a hash for sorting # Retrieve values and load into a hash for sorting
foreach my $v (@vals) { foreach my $v (@vals) {
my $val = $v->get_name(); my $val = $v->get_name();
if ($val eq "Max Display") { next; } if ($val eq "Max Display") { next; }
my $data = getWinTS($v->get_data()); my $data = getWinTS($v->get_data());
my $tag = (split(/Item/,$val))[1]; my $tag = (split(/Item/,$val))[1];
$files{$tag} = $val.":".$data; $files{$tag} = $val.":".$data;
} }
# Print sorted content to report file # Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) { foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2); my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg("<PowerPoint name=\"".$val."\">".$data . "</PowerPoint>"); ::rptMsg("<PowerPoint name=\"".$val."\">".$data . "</PowerPoint>");
} }
} }
else { else {
# ::rptMsg($key_path."\\".$ppt." has no values."); # ::rptMsg($key_path."\\".$ppt." has no values.");
} }
} }
else { else {
# ::rptMsg($key_path."\\".$ppt." not found."); # ::rptMsg($key_path."\\".$ppt." not found.");
} }
} }
else { else {
# ::rptMsg("Could not access ".$key_path); # ::rptMsg("Could not access ".$key_path);
# ::logMsg("Could not access ".$key_path); # ::logMsg("Could not access ".$key_path);
} }
} }
else { else {
# ::logMsg("MSOffice version not found."); # ::logMsg("MSOffice version not found.");
# ::rptMsg("MSOffice version not found."); # ::rptMsg("MSOffice version not found.");
} }
}
} }
1; 1;
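Review bot: `my $tag = (split(/Item/,$val))[1];` leaves `$tag` undefined for any value name that does not contain `Item`, and `$files{$tag}` then stores every such entry under the same empty key, which `sort {$a <=> $b}` later compares numerically. Only `Max Display` is skipped by name, so any other value under `File MRU` would hit this in the Word, Excel, Access and PowerPoint loops alike; the officedocs section has the same shape with `File`. Adding `next unless defined $tag;` after the split in each loop would keep entries from silently overwriting one another in the report. pluginmain starts above the hunk.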