From 572bc9144089eea057a737d348aab8ff6b4f69da Mon Sep 17 00:00:00 2001 
From: "Samuel H. Kenyon" Date: Wed, 8 Jan 2014 17:33:46 -0500 Subject: [PATCH 1/8] line endings --- .../release/rr-full/plugins/drwatson.pl | 156 +-- .../release/rr-full/plugins/esent.pl | 158 +-- .../release/rr-full/plugins/eventlog.pl | 314 +++--- .../release/rr-full/plugins/eventlogs.pl | 198 ++-- .../release/rr-full/plugins/fileexts.pl | 148 +-- .../release/rr-full/plugins/findexes.pl | 190 ++-- .../release/rr-full/plugins/fw_config.pl | 234 ++--- .../release/rr-full/plugins/gthist.pl | 142 +-- .../release/rr-full/plugins/gtwhitelist.pl | 148 +-- .../release/rr-full/plugins/hibernate.pl | 158 +-- RecentActivity/release/rr-full/plugins/ide.pl | 248 ++--- .../release/rr-full/plugins/ie_main.pl | 166 ++-- .../release/rr-full/plugins/ie_version.pl | 122 +-- .../release/rr-full/plugins/imagedev.pl | 172 ++-- .../release/rr-full/plugins/init_dlls.pl | 156 +-- .../release/rr-full/plugins/javafx.pl | 136 +-- .../release/rr-full/plugins/kb950582.pl | 182 ++-- .../release/rr-full/plugins/kbdcrash.pl | 134 +-- .../release/rr-full/plugins/legacy.pl | 212 ++-- .../release/rr-full/plugins/listsoft.pl | 140 +-- .../release/rr-full/plugins/load.pl | 164 ++-- .../release/rr-full/plugins/logonusername.pl | 138 +-- .../release/rr-full/plugins/lsasecrets.pl | 146 +-- .../release/rr-full/plugins/macaddr.pl | 312 +++--- RecentActivity/release/rr-full/plugins/mmc.pl | 152 +-- .../release/rr-full/plugins/mmc_tln.pl | 136 +-- .../release/rr-full/plugins/mndmru.pl | 156 +-- .../release/rr-full/plugins/mndmru_tln.pl | 136 +-- .../release/rr-full/plugins/mountdev.pl | 200 ++-- .../release/rr-full/plugins/mountdev2.pl | 298 +++--- RecentActivity/release/rr-full/plugins/mp2.pl | 262 ++--- .../release/rr-full/plugins/mpmru.pl | 152 +-- RecentActivity/release/rr-full/plugins/mrt.pl | 146 +-- .../release/rr-full/plugins/msis.pl | 194 ++-- .../release/rr-full/plugins/mspaper.pl | 202 ++-- .../release/rr-full/plugins/muicache.pl | 184 ++-- .../release/rr-full/plugins/nero.pl | 150 +-- 
.../release/rr-full/plugins/network.pl | 192 ++-- .../release/rr-full/plugins/networkcards.pl | 126 +-- .../release/rr-full/plugins/networklist.pl | 314 +++--- .../release/rr-full/plugins/networkuid.pl | 116 +-- RecentActivity/release/rr-full/plugins/nic.pl | 162 ++-- .../release/rr-full/plugins/nic2.pl | 162 ++-- .../release/rr-full/plugins/nic_mst2.pl | 298 +++--- .../release/rr-full/plugins/nolmhash.pl | 150 +-- .../release/rr-full/plugins/officedocs.pl | 292 +++--- .../release/rr-full/plugins/oisc.pl | 248 ++--- .../release/rr-full/plugins/outlook.pl | 372 +++---- .../release/rr-full/plugins/pagefile.pl | 146 +-- .../release/rr-full/plugins/polacdms.pl | 188 ++-- .../release/rr-full/plugins/policies_u.pl | 148 +-- .../release/rr-full/plugins/port_dev.pl | 180 ++-- .../release/rr-full/plugins/printermru.pl | 150 +-- .../release/rr-full/plugins/printers.pl | 168 ++-- .../release/rr-full/plugins/product.pl | 238 ++--- .../release/rr-full/plugins/productpolicy.pl | 292 +++--- .../release/rr-full/plugins/producttype.pl | 178 ++-- .../release/rr-full/plugins/profilelist.pl | 276 +++--- .../release/rr-full/plugins/proxysettings.pl | 142 +-- .../release/rr-full/plugins/rdphint.pl | 124 +-- .../release/rr-full/plugins/rdpport.pl | 120 +-- .../release/rr-full/plugins/realplayer6.pl | 158 +-- .../release/rr-full/plugins/realvnc.pl | 152 +-- .../release/rr-full/plugins/recentdocs.pl | 324 +++---- .../release/rr-full/plugins/regtime.pl | 130 +-- .../release/rr-full/plugins/renocide.pl | 136 +-- .../release/rr-full/plugins/routes.pl | 164 ++-- .../release/rr-full/plugins/runmru.pl | 146 +-- .../release/rr-full/plugins/runmru_tln.pl | 142 +-- .../release/rr-full/plugins/safeboot.pl | 210 ++-- .../release/rr-full/plugins/samparse.pl | 658 ++++++------- .../release/rr-full/plugins/schedagent.pl | 176 ++-- .../release/rr-full/plugins/secctr.pl | 136 +-- .../release/rr-full/plugins/services.pl | 302 +++--- RecentActivity/release/rr-full/plugins/sfc.pl | 216 ++--- 
.../release/rr-full/plugins/shares.pl | 258 ++--- .../release/rr-full/plugins/shellext.pl | 194 ++-- .../release/rr-full/plugins/shellfolders.pl | 144 +-- .../release/rr-full/plugins/shelloverlay.pl | 174 ++-- .../release/rr-full/plugins/shutdown.pl | 154 +-- .../release/rr-full/plugins/shutdowncount.pl | 164 ++-- .../release/rr-full/plugins/skype.pl | 118 +-- .../release/rr-full/plugins/snapshot.pl | 194 ++-- .../rr-full/plugins/sql_lastconnect.pl | 134 +-- .../release/rr-full/plugins/ssid.pl | 368 +++---- .../release/rr-full/plugins/startpage.pl | 156 +-- .../release/rr-full/plugins/stillimage.pl | 226 ++--- .../release/rr-full/plugins/streammru.pl | 130 +-- .../release/rr-full/plugins/streams.pl | 128 +-- RecentActivity/release/rr-full/plugins/svc.pl | 300 +++--- .../release/rr-full/plugins/svc2.pl | 294 +++--- .../release/rr-full/plugins/svcdll.pl | 264 ++--- .../release/rr-full/plugins/svchost.pl | 150 +-- .../release/rr-full/plugins/termcert.pl | 194 ++-- .../release/rr-full/plugins/termserv.pl | 320 +++---- .../release/rr-full/plugins/timezone.pl | 178 ++-- .../release/rr-full/plugins/tsclient.pl | 204 ++-- .../release/rr-full/plugins/typedpaths.pl | 140 +-- .../release/rr-full/plugins/typedurls.pl | 178 ++-- .../release/rr-full/plugins/unreadmail.pl | 178 ++-- .../release/rr-full/plugins/urlzone.pl | 194 ++-- .../release/rr-full/plugins/usbdevices.pl | 228 ++--- .../release/rr-full/plugins/usbstor.pl | 184 ++-- .../release/rr-full/plugins/usbstor2.pl | 266 ++--- .../release/rr-full/plugins/usbstor3.pl | 204 ++-- .../release/rr-full/plugins/user_win.pl | 122 +-- .../release/rr-full/plugins/userassist.pl | 248 ++--- .../release/rr-full/plugins/userassist_tln.pl | 226 ++--- .../release/rr-full/plugins/userlocsvc.pl | 126 +-- .../release/rr-full/plugins/virut.pl | 142 +-- .../rr-full/plugins/vista_bitbucket.pl | 190 ++-- .../release/rr-full/plugins/vncviewer.pl | 210 ++-- .../release/rr-full/plugins/wallpaper.pl | 182 ++-- .../release/rr-full/plugins/win_cv.pl 
| 172 ++-- .../release/rr-full/plugins/winnt_cv.pl | 176 ++-- .../release/rr-full/plugins/winrar.pl | 142 +-- .../release/rr-full/plugins/winver.pl | 216 ++--- .../release/rr-full/plugins/winzip.pl | 180 ++-- .../release/rr-full/plugins/wordwheelquery.pl | 160 ++-- .../release/rr-full/plugins/xpedition.pl | 132 +-- RecentActivity/release/rr-full/rip.pl | 668 ++++++------- RecentActivity/release/rr-full/rr.pl | 906 +++++++++--------- docs/QuickStartGuide/index.html | 442 ++++----- docs/doxygen/needs_a_home.dox | 60 +- docs/doxygen/workflow.dox | 106 +- 125 files changed, 12649 insertions(+), 12649 deletions(-) diff --git a/RecentActivity/release/rr-full/plugins/drwatson.pl b/RecentActivity/release/rr-full/plugins/drwatson.pl index 22af6e5813..4d63bc0d53 100755 --- a/RecentActivity/release/rr-full/plugins/drwatson.pl +++ b/RecentActivity/release/rr-full/plugins/drwatson.pl 
@@ -1,79 +1,79 @@
-#-----------------------------------------------------------
-# drwatson.pl
-# Author: Don C. Weber
-# Plugin for Registry Ripper; Access Software hive file to get the
-# Dr. Watson settings from Software hive
-#
-# Change history
-#
-#
-# References
-# Dr Watson: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html
-#
-# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
-#-----------------------------------------------------------
-package drwatson;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20081219);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets Dr. Watson settings from Software hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching drwatson v.".$VERSION);
- ::rptMsg("drwatson v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AeDebug";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ($key->get_value('Auto') == 0x0) ? ::rptMsg("Debugging is Disabled") : ::rptMsg("Debugging is Enabled");
- eval {
- ::rptMsg("Debugger: ".$key->get_value('Debugger')->get_data());
- };
-
- } else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
- ::rptMsg("");
- my $key_path = "Microsoft\\DrWatson";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ($key->get_value('LogFilePath')) ? ::rptMsg("DrWatson LogFile Path location: ".$key->get_value('LogFilePath')->get_data()) : ::rptMsg("DrWatson LogFile Path location: %SystemRoot%\\Documents and Settings\\All Users\\Documents\\DrWatson");
- ($key->get_value('CreateCrashDump') == 0x0) ? ::rptMsg("CreateCrashDump is Disabled") : ::rptMsg("CreateCrashDump is Enabled");
- ($key->get_value('CrashDumpFile')) ? ::rptMsg("Crash Dump Path and Name: ".$key->get_value('CrashDumpFile')->get_data()) : ::rptMsg("CrashDumpFile is not set");
- ($key->get_value('AppendToLogFile') == 0x0) ? ::rptMsg("AppendToLogFile is set to create a new file each time") : ::rptMsg("AppendToLogFile is set to append");
-
- } else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
- ::rptMsg("");
- ::rptMsg("Analysis Tips: For Dr. Watson settings information check: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html");
-}
-
+#-----------------------------------------------------------
+# drwatson.pl
+# Author: Don C. Weber
+# Plugin for Registry Ripper; Access Software hive file to get the
+# Dr. Watson settings from Software hive
+#
+# Change history
+#
+#
+# References
+# Dr Watson: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html
+#
+# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
+#-----------------------------------------------------------
+package drwatson;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20081219);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets Dr. Watson settings from Software hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching drwatson v.".$VERSION);
+ ::rptMsg("drwatson v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AeDebug";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ($key->get_value('Auto') == 0x0) ? ::rptMsg("Debugging is Disabled") : ::rptMsg("Debugging is Enabled");
+ eval {
+ ::rptMsg("Debugger: ".$key->get_value('Debugger')->get_data());
+ };
+
+ } else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+ ::rptMsg("");
+ my $key_path = "Microsoft\\DrWatson";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ($key->get_value('LogFilePath')) ? ::rptMsg("DrWatson LogFile Path location: ".$key->get_value('LogFilePath')->get_data()) : ::rptMsg("DrWatson LogFile Path location: %SystemRoot%\\Documents and Settings\\All Users\\Documents\\DrWatson");
+ ($key->get_value('CreateCrashDump') == 0x0) ? ::rptMsg("CreateCrashDump is Disabled") : ::rptMsg("CreateCrashDump is Enabled");
+ ($key->get_value('CrashDumpFile')) ? ::rptMsg("Crash Dump Path and Name: ".$key->get_value('CrashDumpFile')->get_data()) : ::rptMsg("CrashDumpFile is not set");
+ ($key->get_value('AppendToLogFile') == 0x0) ? ::rptMsg("AppendToLogFile is set to create a new file each time") : ::rptMsg("AppendToLogFile is set to append");
+
+ } else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+ ::rptMsg("");
+ ::rptMsg("Analysis Tips: For Dr. Watson settings information check: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html");
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/esent.pl b/RecentActivity/release/rr-full/plugins/esent.pl
index 0d333ec3dd..cea3dfad46 100755
--- a/RecentActivity/release/rr-full/plugins/esent.pl
+++ b/RecentActivity/release/rr-full/plugins/esent.pl
@@ -1,80 +1,80 @@
-#-----------------------------------------------------------
-# esent
-# Get contents of Esent\Process key from Software hive
-#
-# Note: Not sure why I wrote this one; just thought it might come
-# in handy as info about this key is developed.
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package esent;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 1,
- version => 20101202);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get ESENT\\Process key contents";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching esent v.".$VERSION);
- ::rptMsg("esent v.".$VERSION); # banner
- ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\ESENT\\Process";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
-# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my @sk = $key->get_list_of_subkeys();
-
- if (scalar(@sk) > 0) {
- my %esent;
-
- foreach my $s (@sk) {
- my $sk = $s->get_subkey("DEBUG");
-# my $lw = $s->get_timestamp();
- my $lw = $sk->get_timestamp();
-
- my $name = $s->get_name();
-
- push(@{$esent{$lw}},$name);
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %esent) {
- ::rptMsg(gmtime($t)." (UTC)");
- foreach my $item (@{$esent{$t}}) {
- ::rptMsg(" $item");
- }
- }
-
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
+#-----------------------------------------------------------
+# esent
+# Get contents of Esent\Process key from Software hive
+#
+# Note: Not sure why I wrote this one; just thought it might come
+# in handy as info about this key is developed.
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package esent;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20101202);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get ESENT\\Process key contents";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching esent v.".$VERSION);
+ ::rptMsg("esent v.".$VERSION); # banner
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\ESENT\\Process";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @sk = $key->get_list_of_subkeys();
+
+ if (scalar(@sk) > 0) {
+ my %esent;
+
+ foreach my $s (@sk) {
+ my $sk = $s->get_subkey("DEBUG");
+# my $lw = $s->get_timestamp();
+ my $lw = $sk->get_timestamp();
+
+ my $name = $s->get_name();
+
+ push(@{$esent{$lw}},$name);
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %esent) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$esent{$t}}) {
+ ::rptMsg(" $item");
+ }
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/eventlog.pl b/RecentActivity/release/rr-full/plugins/eventlog.pl
index f44672a46d..13524d47e8 100755
--- a/RecentActivity/release/rr-full/plugins/eventlog.pl
+++ b/RecentActivity/release/rr-full/plugins/eventlog.pl
@@ -1,158 +1,158 @@
-#-----------------------------------------------------------
-# eventlog.pl
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package eventlog;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090112);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get EventLog configuration info";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching eventlog v.".$VERSION);
- ::rptMsg("eventlog v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
-# Code for System file, getting CurrentControlSet
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
-
- my $evt_path = "ControlSet00".$current."\\Services\\Eventlog";
- my $evt;
- if ($evt = $root_key->get_subkey($evt_path)) {
- ::rptMsg("");
- my @subkeys = $evt->get_list_of_subkeys();
- if (scalar (@subkeys) > 0) {
- foreach my $s (@subkeys) {
- my $logname = $s->get_name();
- ::rptMsg($logname." \\ ".scalar gmtime($s->get_timestamp())."Z");
- eval {
- my $file = $s->get_value("File")->get_data();
- ::rptMsg(" File = ".$file);
- };
-
- eval {
- my $display = $s->get_value("DisplayNameFile")->get_data();
- ::rptMsg(" DisplayNameFile = ".$display);
- };
-
- eval {
- my $max = $s->get_value("MaxSize")->get_data();
- ::rptMsg(" MaxSize = ".processSize($max));
- };
-
- eval {
- my $ret = $s->get_value("Retention")->get_data();
- ::rptMsg(" Retention = ".processRetention($ret));
- };
-
-# AutoBackupLogFiles; http://support.microsoft.com/kb/312571/
- eval {
- my $auto = $s->get_value("AutoBackupLogFiles")->get_data();
- ::rptMsg(" AutoBackupLogFiles = ".$auto);
- };
-
-# Check WarningLevel value on Security EventLog; http://support.microsoft.com/kb/945463
- eval {
- if ($logname eq "Security") {
- my $wl = $s->get_value("WarningLevel")->get_data();
- ::rptMsg(" WarningLevel = ".$wl);
- }
- };
-
- ::rptMsg("");
- }
-
- }
- else {
- ::rptMsg($evt_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($evt_path." not found.");
- ::logMsg($evt_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
-
-sub processSize {
- my $sz = shift;
-
- my $kb = 1024;
- my $mb = $kb * 1024;
- my $gb = $mb * 1024;
-
- if ($sz > $gb) {
- my $d = $sz/$gb;
- my $l = length((split(/\./,$d,2))[0]) + 2;
- return sprintf "%$l.2fGB",$d;
- }
- elsif ($sz > $mb) {
- my $d = $sz/$mb;
- my $l = length((split(/\./,$d,2))[0]) + 2;
- return sprintf "%$l.2fMB",$d;
- }
- elsif ($sz > $kb) {
- my $d = $sz/$kb;
- my $l = length((split(/\./,$d,2))[0]) + 2;
- return sprintf "%$l.2fKB",$d;
- }
- else {return $sz."B"};
-}
-
-sub processRetention {
-# Retention maintained in seconds
-# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/
-# regentry/30709.mspx?mfr=true
- my $ret = shift;
-
- my $min = 60;
- my $hr = $min * 60;
- my $day = $hr * 24;
-
- if ($ret > $day) {
- my $d = $ret/$day;
- my $l = length((split(/\./,$d,2))[0]) + 2;
- return sprintf "%$l.2f days",$d;
- }
- elsif ($ret > $hr) {
- my $d = $ret/$hr;
- my $l = length((split(/\./,$d,2))[0]) + 2;
- return sprintf "%$l.2f hr",$d;
- }
- elsif ($ret > $min) {
- my $d = $ret/$min;
- my $l = length((split(/\./,$d,2))[0]) + 2;
- return sprintf "%$l.2f min",$d;
- }
- else {return $ret." sec"};
+#-----------------------------------------------------------
+# eventlog.pl
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package eventlog;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090112);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get EventLog configuration info";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching eventlog v.".$VERSION);
+ ::rptMsg("eventlog v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+
+ my $evt_path = "ControlSet00".$current."\\Services\\Eventlog";
+ my $evt;
+ if ($evt = $root_key->get_subkey($evt_path)) {
+ ::rptMsg("");
+ my @subkeys = $evt->get_list_of_subkeys();
+ if (scalar (@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $logname = $s->get_name();
+ ::rptMsg($logname." \\ ".scalar gmtime($s->get_timestamp())."Z");
+ eval {
+ my $file = $s->get_value("File")->get_data();
+ ::rptMsg(" File = ".$file);
+ };
+
+ eval {
+ my $display = $s->get_value("DisplayNameFile")->get_data();
+ ::rptMsg(" DisplayNameFile = ".$display);
+ };
+
+ eval {
+ my $max = $s->get_value("MaxSize")->get_data();
+ ::rptMsg(" MaxSize = ".processSize($max));
+ };
+
+ eval {
+ my $ret = $s->get_value("Retention")->get_data();
+ ::rptMsg(" Retention = ".processRetention($ret));
+ };
+
+# AutoBackupLogFiles; http://support.microsoft.com/kb/312571/
+ eval {
+ my $auto = $s->get_value("AutoBackupLogFiles")->get_data();
+ ::rptMsg(" AutoBackupLogFiles = ".$auto);
+ };
+
+# Check WarningLevel value on Security EventLog; http://support.microsoft.com/kb/945463
+ eval {
+ if ($logname eq "Security") {
+ my $wl = $s->get_value("WarningLevel")->get_data();
+ ::rptMsg(" WarningLevel = ".$wl);
+ }
+ };
+
+ ::rptMsg("");
+ }
+
+ }
+ else {
+ ::rptMsg($evt_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($evt_path." not found.");
+ ::logMsg($evt_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
+
+sub processSize {
+ my $sz = shift;
+
+ my $kb = 1024;
+ my $mb = $kb * 1024;
+ my $gb = $mb * 1024;
+
+ if ($sz > $gb) {
+ my $d = $sz/$gb;
+ my $l = length((split(/\./,$d,2))[0]) + 2;
+ return sprintf "%$l.2fGB",$d;
+ }
+ elsif ($sz > $mb) {
+ my $d = $sz/$mb;
+ my $l = length((split(/\./,$d,2))[0]) + 2;
+ return sprintf "%$l.2fMB",$d;
+ }
+ elsif ($sz > $kb) {
+ my $d = $sz/$kb;
+ my $l = length((split(/\./,$d,2))[0]) + 2;
+ return sprintf "%$l.2fKB",$d;
+ }
+ else {return $sz."B"};
+}
+
+sub processRetention {
+# Retention maintained in seconds
+# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/
+# regentry/30709.mspx?mfr=true
+ my $ret = shift;
+
+ my $min = 60;
+ my $hr = $min * 60;
+ my $day = $hr * 24;
+
+ if ($ret > $day) {
+ my $d = $ret/$day;
+ my $l = length((split(/\./,$d,2))[0]) + 2;
+ return sprintf "%$l.2f days",$d;
+ }
+ elsif ($ret > $hr) {
+ my $d = $ret/$hr;
+ my $l = length((split(/\./,$d,2))[0]) + 2;
+ return sprintf "%$l.2f hr",$d;
+ }
+ elsif ($ret > $min) {
+ my $d = $ret/$min;
+ my $l = length((split(/\./,$d,2))[0]) + 2;
+ return sprintf "%$l.2f min",$d;
+ }
+ else {return $ret." sec"};
 }
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/eventlogs.pl b/RecentActivity/release/rr-full/plugins/eventlogs.pl
index 856adcfce7..200bb07d7f 100755
--- a/RecentActivity/release/rr-full/plugins/eventlogs.pl
+++ b/RecentActivity/release/rr-full/plugins/eventlogs.pl
@@ -1,100 +1,100 @@
-#-----------------------------------------------------------
-# eventlogs.pl
-# Author: Don C. Weber
-# Plugin for Registry Ripper; Access System hive file to get the
-# Event Log settings from System hive
-#
-# Change history
-#
-#
-# References
-# Eventlog Key: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx
-#
-# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
-#-----------------------------------------------------------
-package eventlogs;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20081219);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets Event Log settings from System hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching eventlogs v.".$VERSION);
- ::rptMsg("eventlogs v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
- my $win_path = $ccs."\\Services\\Eventlog";
- my $win;
- if ($win = $root_key->get_subkey($win_path)) {
- ::rptMsg("EventLog Configuration");
- ::rptMsg($win_path);
- ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)");
- my $cn;
- if ($cn = $win->get_value("ComputerName")->get_data()) {
- ::rptMsg("ComputerName = ".$cn);
- }
- else {
- ::rptMsg("ComputerName value not found.");
- }
- }
- else {
- ::rptMsg($win_path." not found.");
- }
-
-# Cycle through each type of log
- my $logname;
- my $evpath;
- my $evlog;
- my @list_logs = $win->get_list_of_subkeys();
- foreach $logname (@list_logs){
- ::rptMsg("");
- $evpath = $win_path."\\".$logname->get_name();
- if ($evlog = $root_key->get_subkey($evpath)) {
- ::rptMsg(" ".$logname->get_name()." EventLog");
- ::rptMsg(" ".$evpath);
- ::rptMsg(" LastWrite Time ".gmtime($evlog->get_timestamp())." (UTC)");
- ::rptMsg(" Configuration Settings");
- ::rptMsg(" Log location: ".$evlog->get_value('File')->get_data());
- ::rptMsg(" Log Size: ".$evlog->get_value('MaxSize')->get_data()." Bytes");
- ($evlog->get_value('AutoBackupLogFiles') == 0x0) ? ::rptMsg(" AutoBackupLogFiles is Disabled") : ::rptMsg(" AutoBackupLogFiles is Enabled")
- }
- else {
- ::rptMsg($logname->get_name()." Event Log not found.");
- }
- }
- ::rptMsg("");
- ::rptMsg("Analysis Tips: For Event Log settings information check: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx");
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# eventlogs.pl
+# Author: Don C. Weber
+# Plugin for Registry Ripper; Access System hive file to get the
+# Event Log settings from System hive
+#
+# Change history
+#
+#
+# References
+# Eventlog Key: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx
+#
+# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
+#-----------------------------------------------------------
+package eventlogs;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20081219);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets Event Log settings from System hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching eventlogs v.".$VERSION);
+ ::rptMsg("eventlogs v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+ my $win_path = $ccs."\\Services\\Eventlog";
+ my $win;
+ if ($win = $root_key->get_subkey($win_path)) {
+ ::rptMsg("EventLog Configuration");
+ ::rptMsg($win_path);
+ ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)");
+ my $cn;
+ if ($cn = $win->get_value("ComputerName")->get_data()) {
+ ::rptMsg("ComputerName = ".$cn);
+ }
+ else {
+ ::rptMsg("ComputerName value not found.");
+ }
+ }
+ else {
+ ::rptMsg($win_path." not found.");
+ }
+
+# Cycle through each type of log
+ my $logname;
+ my $evpath;
+ my $evlog;
+ my @list_logs = $win->get_list_of_subkeys();
+ foreach $logname (@list_logs){
+ ::rptMsg("");
+ $evpath = $win_path."\\".$logname->get_name();
+ if ($evlog = $root_key->get_subkey($evpath)) {
+ ::rptMsg(" ".$logname->get_name()." EventLog");
+ ::rptMsg(" ".$evpath);
+ ::rptMsg(" LastWrite Time ".gmtime($evlog->get_timestamp())." (UTC)");
+ ::rptMsg(" Configuration Settings");
+ ::rptMsg(" Log location: ".$evlog->get_value('File')->get_data());
+ ::rptMsg(" Log Size: ".$evlog->get_value('MaxSize')->get_data()." Bytes");
+ ($evlog->get_value('AutoBackupLogFiles') == 0x0) ? ::rptMsg(" AutoBackupLogFiles is Disabled") : ::rptMsg(" AutoBackupLogFiles is Enabled")
+ }
+ else {
+ ::rptMsg($logname->get_name()." Event Log not found.");
+ }
+ }
+ ::rptMsg("");
+ ::rptMsg("Analysis Tips: For Event Log settings information check: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx");
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/fileexts.pl b/RecentActivity/release/rr-full/plugins/fileexts.pl
index 6fde48fdab..732b43a08b 100755
--- a/RecentActivity/release/rr-full/plugins/fileexts.pl
+++ b/RecentActivity/release/rr-full/plugins/fileexts.pl
@@ -1,75 +1,75 @@
-#-----------------------------------------------------------
-# fileexts.pl
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package fileexts;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20080818);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get user FileExts values";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching fileexts v.".$VERSION);
- ::rptMsg("fileexts v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("fileexts");
- ::rptMsg($key_path);
- ::rptMsg("");
-
- my @sk = $key->get_list_of_subkeys();
- if (scalar(@sk) > 0) {
- foreach my $s (@sk) {
- my $name = $s->get_name();
- next unless ($name =~ m/^\.\w+/);
-
- eval {
- my $data = $s->get_subkey("OpenWithList")->get_value("MRUList")->get_data();
- if ($data =~ m/^\w/) {
- ::rptMsg("File Extension: ".$name);
- ::rptMsg("LastWrite: ".gmtime($s->get_subkey("OpenWithList")->get_timestamp()));
- ::rptMsg("MRUList: ".$data);
- my @list = split(//,$data);
- foreach my $l (@list) {
- my $valdata = $s->get_subkey("OpenWithList")->get_value($l)->get_data();
- ::rptMsg(" ".$l." => ".$valdata);
- }
- ::rptMsg("");
- }
- };
- }
- }
- else {
- ::rptMsg($key_path." does not have subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# fileexts.pl
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package fileexts;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080818);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get user FileExts values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching fileexts v.".$VERSION);
+ ::rptMsg("fileexts v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("fileexts");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+
+ my @sk = $key->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ my $name = $s->get_name();
+ next unless ($name =~ m/^\.\w+/);
+
+ eval {
+ my $data = $s->get_subkey("OpenWithList")->get_value("MRUList")->get_data();
+ if ($data =~ m/^\w/) {
+ ::rptMsg("File Extension: ".$name);
+ ::rptMsg("LastWrite: ".gmtime($s->get_subkey("OpenWithList")->get_timestamp()));
+ ::rptMsg("MRUList: ".$data);
+ my @list = split(//,$data);
+ foreach my $l (@list) {
+ my $valdata = $s->get_subkey("OpenWithList")->get_value($l)->get_data();
+ ::rptMsg(" ".$l." => ".$valdata);
+ }
+ ::rptMsg("");
+ }
+ };
+ }
+ }
+ else {
+ ::rptMsg($key_path." does not have subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/findexes.pl b/RecentActivity/release/rr-full/plugins/findexes.pl
index c8934fe3dd..0d10ae22f4 100755
--- a/RecentActivity/release/rr-full/plugins/findexes.pl
+++ b/RecentActivity/release/rr-full/plugins/findexes.pl
@@ -1,96 +1,96 @@
-#! c:\perl\bin\perl.exe
-#-----------------------------------------------------------
-# findexes.pl
-# Plugin for RegRipper; traverses through a Registry hive,
-# looking for values with binary data types, and checks to see
-# if they start with "MZ"; if so, records the value path, key
-# LastWrite time, and length of the data
-#
-# Change history
-# 20090728 - Created
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package findexes;
-use strict;
-
-my %config = (hive => "All",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20090728);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Scans a hive file looking for binary value data that contains MZ";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-my %vals;
-my $bin_count = 0;
-my $exe_count = 0;
-
-sub pluginmain {
- my $class = shift;
- my $file = shift;
- my $reg = Parse::Win32Registry->new($file);
- my $root_key = $reg->get_root_key;
- ::logMsg("Launching findexes v.".$VERSION);
- ::rptMsg("findexes v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- traverse($root_key);
-# Data structure containing findings is a hash of hashes
- foreach my $k (keys %vals) {
- ::rptMsg("Key: ".$k." LastWrite time: ".gmtime($vals{$k}{lastwrite}));
- foreach my $i (keys %{$vals{$k}}) {
- next if ($i eq "lastwrite");
- ::rptMsg(" Value: ".$i." Length: ".$vals{$k}{$i}." bytes");
- }
- ::rptMsg("");
- }
- ::rptMsg("Number of values w/ binary data types: ".$bin_count);
- ::rptMsg("Number of values w/ MZ in binary data: ".$exe_count);
-}
-
-sub traverse {
- my $key = shift;
-# my $ts = $key->get_timestamp();
-
- foreach my $val ($key->get_list_of_values()) {
- my $type = $val->get_type();
- if ($type == 0 || $type == 3) {
- $bin_count++;
- my $data = $val->get_data();
-# This code looks for data that starts with MZ
-# my $i = unpack("v",substr($data,0,2));
-# if ($i == 0x5a4d) {
- if (grep(/MZ/,$data)) {
- $exe_count++;
- my $path;
- my @p = split(/\\/,$key->get_path());
- if (scalar(@p) == 1) {
- $path = "root";
- }
- else {
- shift(@p);
- $path = join('\\',@p);
- }
-
- $vals{$path}{lastwrite} = $key->get_timestamp();
- $vals{$path}{$val->get_name()} = length($data);
- }
- }
- }
-
- foreach my $subkey ($key->get_list_of_subkeys()) {
- traverse($subkey);
- }
-}
-
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# findexes.pl
+# Plugin for RegRipper; traverses through a Registry hive,
+# looking for values with binary data types, and checks to see
+# if they start with "MZ"; if so, records the value path, key
+# LastWrite time, and length of the data
+#
+# Change history
+# 20090728 - Created
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package findexes;
+use strict;
+
+my %config = (hive => "All",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20090728);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Scans a hive file looking for binary value data that contains MZ";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %vals;
+my $bin_count = 0;
+my $exe_count = 0;
+
+sub pluginmain {
+ my $class = shift;
+ my $file = shift;
+ my $reg = Parse::Win32Registry->new($file);
+ my $root_key = $reg->get_root_key;
+ ::logMsg("Launching findexes v.".$VERSION);
+ ::rptMsg("findexes v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ traverse($root_key);
+# Data structure containing findings is a hash of hashes
+ foreach my $k (keys %vals) {
+ ::rptMsg("Key: ".$k." LastWrite time: ".gmtime($vals{$k}{lastwrite}));
+ foreach my $i (keys %{$vals{$k}}) {
+ next if ($i eq "lastwrite");
+ ::rptMsg(" Value: ".$i." Length: ".$vals{$k}{$i}." bytes");
+ }
+ ::rptMsg("");
+ }
+ ::rptMsg("Number of values w/ binary data types: ".$bin_count);
+ ::rptMsg("Number of values w/ MZ in binary data: ".$exe_count);
+}
+
+sub traverse {
+ my $key = shift;
+# my $ts = $key->get_timestamp();
+
+ foreach my $val ($key->get_list_of_values()) {
+ my $type = $val->get_type();
+ if ($type == 0 || $type == 3) {
+ $bin_count++;
+ my $data = $val->get_data();
+# This code looks for data that starts with MZ
+# my $i = unpack("v",substr($data,0,2));
+# if ($i == 0x5a4d) {
+ if (grep(/MZ/,$data)) {
+ $exe_count++;
+ my $path;
+ my @p = split(/\\/,$key->get_path());
+ if (scalar(@p) == 1) {
+ $path = "root";
+ }
+ else {
+ shift(@p);
+ $path = join('\\',@p);
+ }
+
+ $vals{$path}{lastwrite} = $key->get_timestamp();
+ $vals{$path}{$val->get_name()} = length($data);
+ }
+ }
+ }
+
+ foreach my $subkey ($key->get_list_of_subkeys()) {
+ traverse($subkey);
+ }
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/fw_config.pl b/RecentActivity/release/rr-full/plugins/fw_config.pl
index ae9bb43aca..4b90dacfd9 100755
--- a/RecentActivity/release/rr-full/plugins/fw_config.pl
+++ b/RecentActivity/release/rr-full/plugins/fw_config.pl
@@ -1,118 +1,118 @@
-#-----------------------------------------------------------
-# fw_config
-#
-# References
-# http://technet2.microsoft.com/WindowsServer/en/library/47f25d7d-
-# 882b-4f87-b05f-31e5664fc15e1033.mspx?mfr=true
-#
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package fw_config;
-use strict;
-
-my %config = (hive => "System",
- osmask => 20,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20080328);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Gets the Windows Firewall config from the System hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching fw_config v.".$VERSION);
- ::rptMsg("fw_config v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# Code for System file, getting CurrentControlSet
- my $current;
- my $ccs;
- my $select_path = 'Select';
- my $sel;
- if ($sel = $root_key->get_subkey($select_path)) {
- $current = $sel->get_value("Current")->get_data();
- $ccs = "ControlSet00".$current;
- }
- else {
- ::rptMsg($select_path." could not be found.");
- ::logMsg($select_path." could not be found.");
- return;
- }
-
- my @profiles = ("DomainProfile","StandardProfile");
- foreach my $profile (@profiles) {
- my $key_path = $ccs."\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\".$profile;
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("Windows Firewall Configuration");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my %vals = getKeyValues($key);
- if (scalar(keys %vals) > 0) {
- foreach my $v (keys %vals) {
- ::rptMsg("\t".$v." -> ".$vals{$v});
- }
- }
- else {
-# ::rptMsg($key_path." has no values.");
- }
-
- my @configs = ("RemoteAdminSettings",
- "IcmpSettings",
- "GloballyOpenPorts\\List",
- "AuthorizedApplications\\List");
-
- foreach my $config (@configs) {
- eval {
- my %vals = getKeyValues($key->get_subkey($config));
- if (scalar(keys %vals) > 0) {
- ::rptMsg("");
- ::rptMsg($key_path."\\".$config);
- ::rptMsg("LastWrite Time ".gmtime($key->get_subkey($config)->get_timestamp())." (UTC)");
- foreach my $v (keys %vals) {
- ::rptMsg("\t".$v." -> ".$vals{$v});
- }
- }
- };
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
- ::rptMsg("");
- } # end foreach
-}
-
-sub getKeyValues {
- my $key = shift;
- my %vals;
-
- my @vk = $key->get_list_of_values();
- if (scalar(@vk) > 0) {
- foreach my $v (@vk) {
- next if ($v->get_name() eq "" && $v->get_data() eq "");
- $vals{$v->get_name()} = $v->get_data();
- }
- }
- else {
-
- }
- return %vals;
-}
+#-----------------------------------------------------------
+# fw_config
+#
+# References
+# http://technet2.microsoft.com/WindowsServer/en/library/47f25d7d-
+# 882b-4f87-b05f-31e5664fc15e1033.mspx?mfr=true
+#
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package fw_config;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 20,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080328);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets the Windows Firewall config from the System hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching fw_config v.".$VERSION);
+ ::rptMsg("fw_config v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $select_path = 'Select';
+ my $sel;
+ if ($sel = $root_key->get_subkey($select_path)) {
+ $current = $sel->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::rptMsg($select_path." could not be found.");
+ ::logMsg($select_path." could not be found.");
+ return;
+ }
+
+ my @profiles = ("DomainProfile","StandardProfile");
+ foreach my $profile (@profiles) {
+ my $key_path = $ccs."\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\".$profile;
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Windows Firewall Configuration");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my %vals = getKeyValues($key);
+ if (scalar(keys %vals) > 0) {
+ foreach my $v (keys %vals) {
+ ::rptMsg("\t".$v." -> ".$vals{$v});
+ }
+ }
+ else {
+# ::rptMsg($key_path." has no values.");
+ }
+
+ my @configs = ("RemoteAdminSettings",
+ "IcmpSettings",
+ "GloballyOpenPorts\\List",
+ "AuthorizedApplications\\List");
+
+ foreach my $config (@configs) {
+ eval {
+ my %vals = getKeyValues($key->get_subkey($config));
+ if (scalar(keys %vals) > 0) {
+ ::rptMsg("");
+ ::rptMsg($key_path."\\".$config);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_subkey($config)->get_timestamp())." (UTC)");
+ foreach my $v (keys %vals) {
+ ::rptMsg("\t".$v." -> ".$vals{$v});
+ }
+ }
+ };
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+ } # end foreach
+}
+
+sub getKeyValues {
+ my $key = shift;
+ my %vals;
+
+ my @vk = $key->get_list_of_values();
+ if (scalar(@vk) > 0) {
+ foreach my $v (@vk) {
+ next if ($v->get_name() eq "" && $v->get_data() eq "");
+ $vals{$v->get_name()} = $v->get_data();
+ }
+ }
+ else {
+
+ }
+ return %vals;
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/gthist.pl b/RecentActivity/release/rr-full/plugins/gthist.pl
index b206c6912f..c52f2ebd3b 100755
--- a/RecentActivity/release/rr-full/plugins/gthist.pl
+++ b/RecentActivity/release/rr-full/plugins/gthist.pl
@@ -1,72 +1,72 @@
-#-----------------------------------------------------------
-# gthist.pl
-# Google Toolbar Search History plugin
-#
-#
-# Change history
-# 20100218 - created
-#
-# References
-#
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package gthist;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100218);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets Google Toolbar Search History";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- my %hist;
- ::logMsg("Launching gthist v.".$VERSION);
- ::rptMsg("gthist v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Google\\NavClient\\1.1\\History';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar @vals > 0) {
- ::rptMsg("");
- foreach my $v (@vals) {
- my $tv = unpack("V",$v->get_data());
- $hist{$tv} = $v->get_name();
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %hist) {
- my $str = gmtime($t)." ".$hist{$t};
- ::rptMsg($str);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
+#-----------------------------------------------------------
+# gthist.pl
+# Google Toolbar Search History plugin
+#
+#
+# Change history
+# 20100218 - created
+#
+# References
+#
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package gthist;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100218);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets Google Toolbar Search History";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ my %hist;
+ ::logMsg("Launching gthist v.".$VERSION);
+ ::rptMsg("gthist v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Google\\NavClient\\1.1\\History';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar @vals > 0) {
+ ::rptMsg("");
+ foreach my $v (@vals) {
+ my $tv = unpack("V",$v->get_data());
+ $hist{$tv} = $v->get_name();
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %hist) {
+ my $str = gmtime($t)." ".$hist{$t};
+ ::rptMsg($str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/gtwhitelist.pl b/RecentActivity/release/rr-full/plugins/gtwhitelist.pl
index 17e2fbfc45..03cc268743 100755
--- a/RecentActivity/release/rr-full/plugins/gtwhitelist.pl
+++ b/RecentActivity/release/rr-full/plugins/gtwhitelist.pl
@@ -1,75 +1,75 @@
-#-----------------------------------------------------------
-# gtwhitelist.pl
-# Google Toolbar Search History plugin
-#
-#
-# Change history
-# 20100218 - created
-#
-# References
-#
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package gtwhitelist;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100218);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets Google Toolbar whitelist values";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- my %hist;
- ::logMsg("Launching gtwhitelist v.".$VERSION);
- ::rptMsg("gtwhitelist v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Google\\Google Toolbar\\4.0\\whitelist';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my $allow2;
- eval {
- $allow2 = $key->get_value("allow2")->get_data();
- my @vals = split(/\|/,$allow2);
- ::rptMsg("");
- ::rptMsg("whitelist");
- foreach my $v (@vals) {
- next if ($v eq "");
- ::rptMsg(" ".$v);
- }
- ::rptMsg("");
- };
-
- my $lastmod;
- eval {
- $lastmod = $key->get_value("lastmod")->get_data();
- ::rptMsg("lastmod ".gmtime($lastmod)." (UTC)");
- };
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
+#-----------------------------------------------------------
+# gtwhitelist.pl
+# Google Toolbar Search History plugin
+#
+#
+# Change history
+# 20100218 - created
+#
+# References
+#
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package gtwhitelist;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100218);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets Google Toolbar whitelist values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ my %hist;
+ ::logMsg("Launching gtwhitelist v.".$VERSION);
+ ::rptMsg("gtwhitelist v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Google\\Google Toolbar\\4.0\\whitelist';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my $allow2;
+ eval {
+ $allow2 = $key->get_value("allow2")->get_data();
+ my @vals = split(/\|/,$allow2);
+ ::rptMsg("");
+ ::rptMsg("whitelist");
+ foreach my $v (@vals) {
+ next if ($v eq "");
+ ::rptMsg(" ".$v);
+ }
+ ::rptMsg("");
+ };
+
+ my $lastmod;
+ eval {
+ $lastmod = $key->get_value("lastmod")->get_data();
+ ::rptMsg("lastmod ".gmtime($lastmod)." (UTC)");
+ };
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/hibernate.pl b/RecentActivity/release/rr-full/plugins/hibernate.pl
index a3ad5a3bbe..e81acb8c73 100755
--- a/RecentActivity/release/rr-full/plugins/hibernate.pl
+++ b/RecentActivity/release/rr-full/plugins/hibernate.pl 
@@ -1,80 +1,80 @@
-#-----------------------------------------------------------
-# hibernate.pl
-#
-# Ref:
-# http://support.microsoft.com/kb/293399 & testing
-#
-# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package hibernate;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20081216);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Check hibernation status";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching hibernate v.".$VERSION);
- ::rptMsg("hibernate v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
-# Code for System file, getting CurrentControlSet
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
-
- my $power_path = $ccs."\\Control\\Session Manager\\Power";
- my $power;
- if ($power = $root_key->get_subkey($power_path)) {
-
- my $heur;
- eval {
- my $bin_val = $power->get_value("Heuristics")->get_data();
- $heur = (unpack("v*",$bin_val))[3];
- if ($heur == 0) {
- ::rptMsg("Hibernation disabled.");
- }
- elsif ($heur == 1) {
- ::rptMsg("Hibernation enabled.");
- }
- else {
- ::rptMsg("Unknown hibernation value: ".$heur);
- }
-
- };
- ::rptMsg("Error reading Heuristics value.") if ($@);
-
- }
- else {
- ::rptMsg($power_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
-# ::logMsg($key_path." not found.");
- }
-
-}
+#-----------------------------------------------------------
+# hibernate.pl
+#
+# Ref:
+# http://support.microsoft.com/kb/293399 & testing
+#
+# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package hibernate;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081216);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Check hibernation status";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching hibernate v.".$VERSION);
+ ::rptMsg("hibernate v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+
+ my $power_path = $ccs."\\Control\\Session Manager\\Power";
+ my $power;
+ if ($power = $root_key->get_subkey($power_path)) {
+
+ my $heur;
+ eval {
+ my $bin_val = $power->get_value("Heuristics")->get_data();
+ $heur = (unpack("v*",$bin_val))[3];
+ if ($heur == 0) {
+ ::rptMsg("Hibernation disabled.");
+ }
+ elsif ($heur == 1) {
+ ::rptMsg("Hibernation enabled.");
+ }
+ else {
+ ::rptMsg("Unknown hibernation value: ".$heur);
+ }
+
+ };
+ ::rptMsg("Error reading Heuristics value.") if ($@);
+
+ }
+ else {
+ ::rptMsg($power_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+# ::logMsg($key_path." not found.");
+ }
+
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/ide.pl b/RecentActivity/release/rr-full/plugins/ide.pl
index e9cc3825ae..3319969036 100755
--- a/RecentActivity/release/rr-full/plugins/ide.pl
+++ b/RecentActivity/release/rr-full/plugins/ide.pl
@@ -1,125 +1,125 @@
-#-----------------------------------------------------------
-# ide.pl
-# Get IDE device info from the System hive file
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package ide;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20080418);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get IDE device info from the System hive file";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching ide v.".$VERSION);
- ::rptMsg("ide v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- ::rptMsg("IDE");
-
-# Code for System file, getting CurrentControlSet
- my $current;
- my $ccs;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- $ccs = "ControlSet00".$current;
- }
- else {
- ::logMsg("Could not find ".$key_path);
- return
- }
-
- my $key_path = $ccs."\\Enum\\IDE";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
- ::rptMsg("");
- ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]");
- my @sk = $s->get_list_of_subkeys();
- if (scalar(@sk) > 0) {
- foreach my $s2 (@sk) {
- ::rptMsg($s2->get_name()." [".gmtime($s2->get_timestamp())." (UTC)]");
- eval {
- ::rptMsg("FriendlyName : ".$s2->get_value("FriendlyName")->get_data());
- };
- ::rptMsg("");
- }
- }
-
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- ::logMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
- my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("DevClasses - Disks");
- ::rptMsg($key_path);
- my %disks;
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
- next unless (grep(/IDE/,$name));
- my $lastwrite = $s->get_timestamp();
- my ($dev, $serial) = (split(/#/,$name))[4,5];
- push(@{$disks{$lastwrite}},$dev.",".$serial);
- }
-
- if (scalar(keys %disks) == 0) {
- ::rptMsg("No IDE subkeys were found.");
- return;
- }
- ::rptMsg("");
- foreach my $t (reverse sort {$a <=> $b} keys %disks) {
- ::rptMsg(gmtime($t)." (UTC)");
- foreach my $item (@{$disks{$t}}) {
- ::rptMsg("\t$item");
- }
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- ::logMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# ide.pl
+# Get IDE device info from the System hive file
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package ide;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080418);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get IDE device info from the System hive file";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching ide v.".$VERSION);
+ ::rptMsg("ide v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("IDE");
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::logMsg("Could not find ".$key_path);
+ return
+ }
+
+ my $key_path = $ccs."\\Enum\\IDE";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg("");
+ ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]");
+ my @sk = $s->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s2 (@sk) {
+ ::rptMsg($s2->get_name()." [".gmtime($s2->get_timestamp())." (UTC)]");
+ eval {
+ ::rptMsg("FriendlyName : ".$s2->get_value("FriendlyName")->get_data());
+ };
+ ::rptMsg("");
+ }
+ }
+
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+ my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("DevClasses - Disks");
+ ::rptMsg($key_path);
+ my %disks;
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ next unless (grep(/IDE/,$name));
+ my $lastwrite = $s->get_timestamp();
+ my ($dev, $serial) = (split(/#/,$name))[4,5];
+ push(@{$disks{$lastwrite}},$dev.",".$serial);
+ }
+
+ if (scalar(keys %disks) == 0) {
+ ::rptMsg("No IDE subkeys were found.");
+ return;
+ }
+ ::rptMsg("");
+ foreach my $t (reverse sort {$a <=> $b} keys %disks) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$disks{$t}}) {
+ ::rptMsg("\t$item");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/ie_main.pl b/RecentActivity/release/rr-full/plugins/ie_main.pl
index e7c5dfd3a7..f471484cf3 100755
--- a/RecentActivity/release/rr-full/plugins/ie_main.pl
+++ b/RecentActivity/release/rr-full/plugins/ie_main.pl
@@ -1,84 +1,84 @@
-#-----------------------------------------------------------
-# ie_main.pl
-# Checks keys/values set by new version of Trojan.Clampi
-#
-# Change history
-# 20091019 - created
-#
-#
-# References
-# http://support.microsoft.com/kb/895339
-# http://support.microsoft.com/kb/176497
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package ie_main;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20091019);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets values beneath user's Internet Explorer\\Main key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching ie_main v.".$VERSION);
- ::rptMsg("ie_main v.".$VERSION); # banner
- ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my %main;
-
- my @vals = $key->get_list_of_values();
-
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $name = $v->get_name();
- my $data = $v->get_data();
- next if ($name eq "Window_Placement");
-
- $data = unpack("V",$data) if ($name eq "Do404Search");
-
- if ($name eq "IE8RunOnceLastShown_TIMESTAMP" || $name eq "IE8TourShownTime") {
- my ($t0,$t1) = unpack("VV",$data);
- $data = gmtime(::getTime($t0,$t1))." UTC";
- }
- $main{$name} = $data;
- }
-
- foreach my $n (keys %main) {
- my $str = sprintf "%-35s %-20s",$n,$main{$n};
- ::rptMsg($str);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# ie_main.pl
+# Checks keys/values set by new version of Trojan.Clampi
+#
+# Change history
+# 20091019 - created
+#
+#
+# References
+# http://support.microsoft.com/kb/895339
+# http://support.microsoft.com/kb/176497
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package ie_main;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20091019);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets values beneath user's Internet Explorer\\Main key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching ie_main v.".$VERSION);
+ ::rptMsg("ie_main v.".$VERSION); # banner
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my %main;
+
+ my @vals = $key->get_list_of_values();
+
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ next if ($name eq "Window_Placement");
+
+ $data = unpack("V",$data) if ($name eq "Do404Search");
+
+ if ($name eq "IE8RunOnceLastShown_TIMESTAMP" || $name eq "IE8TourShownTime") {
+ my ($t0,$t1) = unpack("VV",$data);
+ $data = gmtime(::getTime($t0,$t1))." UTC";
+ }
+ $main{$name} = $data;
+ }
+
+ foreach my $n (keys %main) {
+ my $str = sprintf "%-35s %-20s",$n,$main{$n};
+ ::rptMsg($str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/ie_version.pl b/RecentActivity/release/rr-full/plugins/ie_version.pl
index ca35830b8b..e5f975ee64 100755
--- a/RecentActivity/release/rr-full/plugins/ie_version.pl
+++ b/RecentActivity/release/rr-full/plugins/ie_version.pl
@@ -1,62 +1,62 @@
-#-----------------------------------------------------------
-# ie_version
-# Get IE version and build
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package ie_version;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20091016);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get IE version and build";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching ie_version v.".$VERSION);
- ::rptMsg("ie_version v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Internet Explorer";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my $version;
- my $build;
- eval {
- $build = $key->get_value("Build")->get_data();
- ::rptMsg("IE Build = ".$build);
- };
-
- eval {
- $version= $key->get_value("Version")->get_data();
- ::rptMsg("IE Version = ".$version);
- };
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
+#-----------------------------------------------------------
+# ie_version
+# Get IE version and build
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package ie_version;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20091016);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get IE version and build";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching ie_version v.".$VERSION);
+ ::rptMsg("ie_version v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Internet Explorer";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $version;
+ my $build;
+ eval {
+ $build = $key->get_value("Build")->get_data();
+ ::rptMsg("IE Build = ".$build);
+ };
+
+ eval {
+ $version= $key->get_value("Version")->get_data();
+ ::rptMsg("IE Version = ".$version);
+ };
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/imagedev.pl b/RecentActivity/release/rr-full/plugins/imagedev.pl
index 4a486a9874..573098a246 100755
--- a/RecentActivity/release/rr-full/plugins/imagedev.pl
+++ b/RecentActivity/release/rr-full/plugins/imagedev.pl
@@ -1,87 +1,87 @@
-#-----------------------------------------------------------
-# imagedev.pl
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package imagedev;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20080730);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return " -- ";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching imagedev v.".$VERSION);
- ::rptMsg("imagedev v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
-# Code for System file, getting CurrentControlSet
- my $current;
- my $ccs;
- eval {
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- $ccs = "ControlSet00".$current;
- }
- };
- if ($@) {
- ::rptMsg("Problem locating proper controlset: $@");
- return;
- }
-
- my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("imagedev");
- ::rptMsg($key_path);
-# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my @sk = $key->get_list_of_subkeys();
-
- if (scalar(@sk) > 0) {
- ::rptMsg("Still Image Capture Devices");
- foreach my $s (@sk) {
- my $name = $s->get_name();
- next unless ($name =~ m/^\d{4}$/);
- my $friendly;
- eval {
- $friendly = $s->get_value("FriendlyName")->get_data();
- ::rptMsg(" ".$friendly);
- };
- if ($@) {
- ::logMsg("Error getting device FriendlyName in imagedev: ".$@);
- }
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# imagedev.pl
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package imagedev;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080730);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return " -- ";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching imagedev v.".$VERSION);
+ ::rptMsg("imagedev v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ eval {
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ };
+ if ($@) {
+ ::rptMsg("Problem locating proper controlset: $@");
+ return;
+ }
+
+ my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("imagedev");
+ ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @sk = $key->get_list_of_subkeys();
+
+ if (scalar(@sk) > 0) {
+ ::rptMsg("Still Image Capture Devices");
+ foreach my $s (@sk) {
+ my $name = $s->get_name();
+ next unless ($name =~ m/^\d{4}$/);
+ my $friendly;
+ eval {
+ $friendly = $s->get_value("FriendlyName")->get_data();
+ ::rptMsg(" ".$friendly);
+ };
+ if ($@) {
+ ::logMsg("Error getting device FriendlyName in imagedev: ".$@);
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/init_dlls.pl b/RecentActivity/release/rr-full/plugins/init_dlls.pl
index 58fcbc3766..cf6ef64207 100755
--- a/RecentActivity/release/rr-full/plugins/init_dlls.pl
+++ b/RecentActivity/release/rr-full/plugins/init_dlls.pl
@@ -1,79 +1,79 @@
-#-----------------------------------------------------------
-# init_dlls.pl
-# Plugin to assist in the detection of malware per Mark Russinovich's
-# blog post (References, below)
-#
-# Change History:
-# 20110309 - created
-#
-# References
-# http://blogs.technet.com/b/markrussinovich/archive/2011/02/27/3390475.aspx
-#
-# copyright 2011 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package init_dlls;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20110309);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Check for odd **pInit_Dlls keys";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-my @init;
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching init_dlls v.".$VERSION);
- ::rptMsg("init_dlls v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Windows";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("init_dlls");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite: ".gmtime($key->get_timestamp()));
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $name = $v->get_name();
- next if ($name eq "AppInit_DLLs");
- push(@init,$name) if ($name =~ m/Init_DLLs$/);
- }
-
- if (scalar @init > 0) {
- foreach my $n (@init) {
- ::rptMsg($n);
- }
- }
- else {
- ::rptMsg("No additional values named *Init_DLLs located.");
- }
-
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# init_dlls.pl
+# Plugin to assist in the detection of malware per Mark Russinovich's
+# blog post (References, below)
+#
+# Change History:
+# 20110309 - created
+#
+# References
+# http://blogs.technet.com/b/markrussinovich/archive/2011/02/27/3390475.aspx
+#
+# copyright 2011 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package init_dlls;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20110309);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Check for odd **pInit_Dlls keys";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my @init;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching init_dlls v.".$VERSION);
+ ::rptMsg("init_dlls v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Windows";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("init_dlls");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite: ".gmtime($key->get_timestamp()));
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ next if ($name eq "AppInit_DLLs");
+ push(@init,$name) if ($name =~ m/Init_DLLs$/);
+ }
+
+ if (scalar @init > 0) {
+ foreach my $n (@init) {
+ ::rptMsg($n);
+ }
+ }
+ else {
+ ::rptMsg("No additional values named *Init_DLLs located.");
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/javafx.pl b/RecentActivity/release/rr-full/plugins/javafx.pl
index 369a365b7b..b7dae6f3c1 100755
--- a/RecentActivity/release/rr-full/plugins/javafx.pl
+++ b/RecentActivity/release/rr-full/plugins/javafx.pl
@@ -1,69 +1,69 @@
-#-----------------------------------------------------------
-# javafx.pl
-# Plugin written based on Cory Harrell's Exploit Artifacts posts at
-# http://journeyintoir.blogspot.com/
-#
-# Change history
-# 20110322 - created
-#
-# References
-# http://java.sun.com/j2se/1.4.2/runtime_win32.html
-#
-# copyright 2011 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package javafx;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20110322);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets contents of user's JavaFX key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching javafx v.".$VERSION);
- ::rptMsg("javafx v.".$VERSION); # banner
- ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\JavaSoft\\Java Update\\Policy\\JavaFX";
- my $key;
- my @vals;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("javafx v.".$VERSION);
- ::rptMsg($key_path);
- ::rptMsg("LastWrite time: ".gmtime($key->get_timestamp()));
- ::rptMsg("");
- @vals = $key->get_list_of_values();
-
- if (scalar(@vals) > 0) {
-# First, read in all of the values and the data
- foreach my $v (@vals) {
- ::rptMsg(sprintf "%-25s %-20s",$v->get_name(), $v->get_data());
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
+#-----------------------------------------------------------
+# javafx.pl
+# Plugin written based on Cory Harrell's Exploit Artifacts posts at
+# http://journeyintoir.blogspot.com/
+#
+# Change history
+# 20110322 - created
+#
+# References
+# http://java.sun.com/j2se/1.4.2/runtime_win32.html
+#
+# copyright 2011 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package javafx;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20110322);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's JavaFX key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching javafx v.".$VERSION);
+ ::rptMsg("javafx v.".$VERSION); # banner
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\JavaSoft\\Java Update\\Policy\\JavaFX";
+ my $key;
+ my @vals;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("javafx v.".$VERSION);
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite time: ".gmtime($key->get_timestamp()));
+ ::rptMsg("");
+ @vals = $key->get_list_of_values();
+
+ if (scalar(@vals) > 0) {
+# First, read in all of the values and the data
+ foreach my $v (@vals) {
+ ::rptMsg(sprintf "%-25s %-20s",$v->get_name(), $v->get_data());
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/kb950582.pl b/RecentActivity/release/rr-full/plugins/kb950582.pl
index 6e3f409c87..50f7d4f391 100755
--- a/RecentActivity/release/rr-full/plugins/kb950582.pl
+++ b/RecentActivity/release/rr-full/plugins/kb950582.pl 
@@ -1,92 +1,92 @@
-#-----------------------------------------------------------
-# kb950582.pl
-# Get autorun settings WRT KB950582
-#
-# Change history
-# 18 Dec 2008 - Updated to new name; added checks for Registry
-# keys
-#
-# References
-# http://support.microsoft.com/kb/953252
-# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit
-# /regentry/91525.mspx?mfr=true
-#
-# copyright 2008-2009 H. Carvey
-#-----------------------------------------------------------
-package kb950582;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20081212);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "KB950582 - Gets autorun settings from HKLM hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching kb950582 v.".$VERSION);
- ::rptMsg("kb950582 v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- eval {
- my $path = "Microsoft\\Windows\\CurrentVersion\\Uninstall\\KB950582";
- if (my $kbkey = $root_key->get_subkey($path)) {
- my $install = $kbkey->get_value("InstallDate")->get_data();
- ::rptMsg("KB950528 Uninstall Key ".gmtime($kbkey->get_timestamp()));
- ::rptMsg(" InstallDate = ".$install."\n");
- }
- };
- ::rptMsg("Uninstall\\KB950528 does not appear to be installed.\n") if ($@);
-
- eval {
- my $path = "Microsoft\\Updates\\Windows XP\\SP4\\KB950582";
- if (my $kbkey = $root_key->get_subkey($path)) {
- my $install = $kbkey->get_value("InstalledDate")->get_data();
- ::rptMsg("KB950528 Update Key ".gmtime($kbkey->get_timestamp()));
- ::rptMsg(" InstalledDate = ".$install."\n");
- }
- };
- ::rptMsg("KB950528 does not appear to be installed.\n") if ($@);
-
- my $key_path = "Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
-
- eval {
- my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data();
- my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive;
- ::rptMsg($str);
- };
- ::rptMsg("Error: ".$@) if ($@);
-
-# http://support.microsoft.com/kb/953252
- eval {
- my $honor = $key->get_value("HonorAutorunSetting")->get_data();
- my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor;
- ::rptMsg($str);
- };
- ::rptMsg("HonorAutorunSetting not found.") if ($@);
- ::rptMsg("");
- ::rptMsg("Autorun settings in the HKLM hive take precedence over those in");
- ::rptMsg("the HKCU hive.");
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# kb950582.pl
+# Get autorun settings WRT KB950582
+#
+# Change history
+# 18 Dec 2008 - Updated to new name; added checks for Registry
+# keys
+#
+# References
+# http://support.microsoft.com/kb/953252
+# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit
+# /regentry/91525.mspx?mfr=true
+#
+# copyright 2008-2009 H. Carvey
+#-----------------------------------------------------------
+package kb950582;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20081212);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "KB950582 - Gets autorun settings from HKLM hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching kb950582 v.".$VERSION);
+ ::rptMsg("kb950582 v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ eval {
+ my $path = "Microsoft\\Windows\\CurrentVersion\\Uninstall\\KB950582";
+ if (my $kbkey = $root_key->get_subkey($path)) {
+ my $install = $kbkey->get_value("InstallDate")->get_data();
+ ::rptMsg("KB950528 Uninstall Key ".gmtime($kbkey->get_timestamp()));
+ ::rptMsg(" InstallDate = ".$install."\n");
+ }
+ };
+ ::rptMsg("Uninstall\\KB950528 does not appear to be installed.\n") if ($@);
+
+ eval {
+ my $path = "Microsoft\\Updates\\Windows XP\\SP4\\KB950582";
+ if (my $kbkey = $root_key->get_subkey($path)) {
+ my $install = $kbkey->get_value("InstalledDate")->get_data();
+ ::rptMsg("KB950528 Update Key ".gmtime($kbkey->get_timestamp()));
+ ::rptMsg(" InstalledDate = ".$install."\n");
+ }
+ };
+ ::rptMsg("KB950528 does not appear to be installed.\n") if ($@);
+
+ my $key_path = "Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+
+ eval {
+ my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data();
+ my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive;
+ ::rptMsg($str);
+ };
+ ::rptMsg("Error: ".$@) if ($@);
+
+# http://support.microsoft.com/kb/953252
+ eval {
+ my $honor = $key->get_value("HonorAutorunSetting")->get_data();
+ my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor;
+ ::rptMsg($str);
+ };
+ ::rptMsg("HonorAutorunSetting not found.") if ($@);
+ ::rptMsg("");
+ ::rptMsg("Autorun settings in the HKLM hive take precedence over those in");
+ ::rptMsg("the HKCU hive.");
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/kbdcrash.pl b/RecentActivity/release/rr-full/plugins/kbdcrash.pl
index c1e68e8011..ef5b221f72 100755
--- a/RecentActivity/release/rr-full/plugins/kbdcrash.pl
+++ b/RecentActivity/release/rr-full/plugins/kbdcrash.pl
@@ -1,67 +1,67 @@
-#-----------------------------------------------------------
-# kbdcrash.pl
-#
-# Ref:
-# http://support.microsoft.com/kb/244139
-#
-# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package kbdcrash;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20081212);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Checks to see if system is config to crash via keyboard";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-my $enabled = 0;
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching kbdcrash v.".$VERSION);
- ::rptMsg("kbdcrash v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
-# Code for System file, getting CurrentControlSet
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $svc = "ControlSet00".$current."\\Services";
-
- eval {
- my $ps2 = $svc->get_subkey("i8042prt\\Parameters")->get_value("CrashOnCtrlScroll")->get_data();
- ::rptMsg("CrashOnCtrlScroll set for PS2 keyboard") if ($ps2 == 1);
- $enabled = 1 if ($ps2 == 1);
- };
-
- eval {
- my $usb = $svc->get_subkey("kbdhid\\Parameters")->get_value("CrashOnCtrlScroll")->get_data();
- ::rptMsg("CrashOnCtrlScroll set for USB keyboard") if ($usb == 1);
- $enabled = 1 if ($usb == 1);
- };
- ::rptMsg("CrashOnCtrlScroll not set");
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
+#-----------------------------------------------------------
+# kbdcrash.pl
+#
+# Ref:
+# http://support.microsoft.com/kb/244139
+#
+# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package kbdcrash;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081212);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Checks to see if system is config to crash via keyboard";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my $enabled = 0;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching kbdcrash v.".$VERSION);
+ ::rptMsg("kbdcrash v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $svc = "ControlSet00".$current."\\Services";
+
+ eval {
+ my $ps2 = $svc->get_subkey("i8042prt\\Parameters")->get_value("CrashOnCtrlScroll")->get_data();
+ ::rptMsg("CrashOnCtrlScroll set for PS2 keyboard") if ($ps2 == 1);
+ $enabled = 1 if ($ps2 == 1);
+ };
+
+ eval {
+ my $usb = $svc->get_subkey("kbdhid\\Parameters")->get_value("CrashOnCtrlScroll")->get_data();
+ ::rptMsg("CrashOnCtrlScroll set for USB keyboard") if ($usb == 1);
+ $enabled = 1 if ($usb == 1);
+ };
+ ::rptMsg("CrashOnCtrlScroll not set");
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
diff --git a/RecentActivity/release/rr-full/plugins/legacy.pl b/RecentActivity/release/rr-full/plugins/legacy.pl
index bfeac48f9c..86a3b8b656 100755
--- a/RecentActivity/release/rr-full/plugins/legacy.pl
+++ b/RecentActivity/release/rr-full/plugins/legacy.pl
@@ -1,107 +1,107 @@ -#----------------------------------------------------------- -# legacy.pl -# -# -# Change history -# 20120524 -# 20090429 - created -# -# Reference: http://support.microsoft.com/kb/310592 -# -# -# Analysis Tip: -# The keys of interested begin with LEGACY_, for example, -# "LEGACY_EVENTSYSTEM". The LastWrite time on this key seems to indicate -# the first time that the serivce was launched. The LastWrite time on -# keys named, for example, "LEGACY_EVENTSYSTEM\0000", appear to indicate -# the most recent time that the service was launched. One example to look -# for is services related to malware/lateral movement, such as PSExec. -# -# copyright 2012 Quantum Analytics Research, LLC -# Author: H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package legacy; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20120524); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists LEGACY_* entries in Enum\\Root key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching legacy v.".$VERSION); # message - ::rptMsg("legacy v.".$VERSION); # banner - ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key(); -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $root_path = $ccs."\\Enum\\Root"; - - my %legacy; - if (my $root = $root_key->get_subkey($root_path)) { - my @sk = 
$root->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - next unless ($name =~ m/^LEGACY_/); - push(@{$legacy{$s->get_timestamp()}},$name); - - eval { - my @s_sk = $s->get_list_of_subkeys(); - if (scalar(@s_sk) > 0) { - foreach my $s_s (@s_sk) { - - my $desc; - eval { - $desc = $s_s->get_value("DeviceDesc")->get_data(); - push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()." - ".$desc); - }; - push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()) if ($@); - } - } - }; - } - } - else { - ::rptMsg($root_path." has no subkeys."); - } - - foreach my $t (reverse sort {$a <=> $b} keys %legacy) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$legacy{$t}}) { - ::rptMsg(" ".$item); - } - } - } - else { - ::rptMsg($root_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# legacy.pl +# +# +# Change history +# 20120524 +# 20090429 - created +# +# Reference: http://support.microsoft.com/kb/310592 +# +# +# Analysis Tip: +# The keys of interested begin with LEGACY_, for example, +# "LEGACY_EVENTSYSTEM". The LastWrite time on this key seems to indicate +# the first time that the serivce was launched. The LastWrite time on +# keys named, for example, "LEGACY_EVENTSYSTEM\0000", appear to indicate +# the most recent time that the service was launched. One example to look +# for is services related to malware/lateral movement, such as PSExec. +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package legacy; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120524); + +sub getConfig{return %config} +sub getShortDescr { + return "Lists LEGACY_* entries in Enum\\Root key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching legacy v.".$VERSION); # message + ::rptMsg("legacy v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key(); +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $root_path = $ccs."\\Enum\\Root"; + + my %legacy; + if (my $root = $root_key->get_subkey($root_path)) { + my @sk = $root->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); + next unless ($name =~ m/^LEGACY_/); + push(@{$legacy{$s->get_timestamp()}},$name); + + eval { + my @s_sk = $s->get_list_of_subkeys(); + if (scalar(@s_sk) > 0) { + foreach my $s_s (@s_sk) { + + my $desc; + eval { + $desc = $s_s->get_value("DeviceDesc")->get_data(); + push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()." - ".$desc); + }; + push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()) if ($@); + } + } + }; + } + } + else { + ::rptMsg($root_path." has no subkeys."); + } + + foreach my $t (reverse sort {$a <=> $b} keys %legacy) { + ::rptMsg(gmtime($t)." 
(UTC)"); + foreach my $item (@{$legacy{$t}}) { + ::rptMsg(" ".$item); + } + } + } + else { + ::rptMsg($root_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/listsoft.pl b/RecentActivity/release/rr-full/plugins/listsoft.pl index 4d27eeda96..9cecce0e7a 100755 --- a/RecentActivity/release/rr-full/plugins/listsoft.pl +++ b/RecentActivity/release/rr-full/plugins/listsoft.pl 
@@ -1,71 +1,71 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# listsoft.pl -# Plugin for Registry Ripper; traverses thru the Software -# key of an NTUSER.DAT file, extracting all of the subkeys -# and listing them in order by LastWrite time. -# -# Change history -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package listsoft; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists contents of user's Software key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $file = shift; - my $reg = Parse::Win32Registry->new($file); - my $root_key = $reg->get_root_key; - ::logMsg("Launching listsoft v.".$VERSION); - ::rptMsg("listsoft v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my %soft; - my $key_path = 'Software'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("listsoft v.".$VERSION); - ::rptMsg("List the contents of the Software key in the NTUSER\.DAT hive"); - ::rptMsg("file, in order by LastWrite time."); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - push(@{$soft{$s->get_timestamp()}},$s->get_name()); - } - - foreach my $t (reverse sort {$a <=> $b} keys %soft) { - foreach my $item (@{$soft{$t}}) { - ::rptMsg(gmtime($t)."Z \t".$item); - } - } - } - else { - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::logMsg("Could not access ".$key_path); - } -} - +#! 
c:\perl\bin\perl.exe +#----------------------------------------------------------- +# listsoft.pl +# Plugin for Registry Ripper; traverses thru the Software +# key of an NTUSER.DAT file, extracting all of the subkeys +# and listing them in order by LastWrite time. +# +# Change history +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package listsoft; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Lists contents of user's Software key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $file = shift; + my $reg = Parse::Win32Registry->new($file); + my $root_key = $reg->get_root_key; + ::logMsg("Launching listsoft v.".$VERSION); + ::rptMsg("listsoft v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my %soft; + my $key_path = 'Software'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("listsoft v.".$VERSION); + ::rptMsg("List the contents of the Software key in the NTUSER\.DAT hive"); + ::rptMsg("file, in order by LastWrite time."); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + push(@{$soft{$s->get_timestamp()}},$s->get_name()); + } + + foreach my $t (reverse sort {$a <=> $b} keys %soft) { + foreach my $item (@{$soft{$t}}) { + ::rptMsg(gmtime($t)."Z \t".$item); + } + } + } + else { + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::logMsg("Could not access ".$key_path); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/load.pl b/RecentActivity/release/rr-full/plugins/load.pl index 430ec5528a..dbfce70557 100755 
--- a/RecentActivity/release/rr-full/plugins/load.pl +++ b/RecentActivity/release/rr-full/plugins/load.pl 
@@ -1,83 +1,83 @@ -#----------------------------------------------------------- -# load.pl -# The load and run values in the Windows NT\CurrentVersion\Windows -# key are throw-backs to the old win.ini file, and can be/are used -# by malware. -# -# Change history -# 20100811 - created -# -# References -# http://support.microsoft.com/kb/103865 -# http://security.fnal.gov/cookbook/WinStartup.html -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package load; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100811); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets load and run values from user hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching load v.".$VERSION); - ::rptMsg("load v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("load"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - ::rptMsg(""); - my %win; - foreach my $v (@vals) { - $win{$v->get_name()} = $v->get_data(); - } - - if (exists $win{"load"}) { - ::rptMsg("load = ".$win{"load"}); - } - else { - ::rptMsg("load value not found."); - } - - if (exists $win{"run"}) { - ::rptMsg("run = ".$win{"run"}); - } - else { - ::rptMsg("run value not found."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# load.pl +# The load and run values in the Windows NT\CurrentVersion\Windows +# key are throw-backs to the old win.ini file, and can be/are used +# by malware. +# +# Change history +# 20100811 - created +# +# References +# http://support.microsoft.com/kb/103865 +# http://security.fnal.gov/cookbook/WinStartup.html +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package load; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100811); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets load and run values from user hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching load v.".$VERSION); + ::rptMsg("load v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("load"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + ::rptMsg(""); + my %win; + foreach my $v (@vals) { + $win{$v->get_name()} = $v->get_data(); + } + + if (exists $win{"load"}) { + ::rptMsg("load = ".$win{"load"}); + } + else { + ::rptMsg("load value not found."); + } + + if (exists $win{"run"}) { + ::rptMsg("run = ".$win{"run"}); + } + else { + ::rptMsg("run value not found."); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/logonusername.pl b/RecentActivity/release/rr-full/plugins/logonusername.pl index 422b60fb91..4e255c2023 100755 --- a/RecentActivity/release/rr-full/plugins/logonusername.pl +++ b/RecentActivity/release/rr-full/plugins/logonusername.pl 
@@ -1,70 +1,70 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# logonusername.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# "Logon User Name" value -# -# Change history -# -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package logonusername; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Get user's Logon User Name value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching logonusername v.".$VERSION); - ::rptMsg("logonusername v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $logon_name = "Logon User Name"; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - ::rptMsg("Logon User Name"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time [".gmtime($key->get_timestamp())." (UTC)]"); - foreach my $v (@vals) { - if ($v->get_name() eq $logon_name) { - ::rptMsg($logon_name." = ".$v->get_data()); - } - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# logonusername.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# "Logon User Name" value +# +# Change history +# +# +# +# copyright 2008 H. 
Carvey +#----------------------------------------------------------- +package logonusername; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Get user's Logon User Name value"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching logonusername v.".$VERSION); + ::rptMsg("logonusername v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $logon_name = "Logon User Name"; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + ::rptMsg("Logon User Name"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time [".gmtime($key->get_timestamp())." (UTC)]"); + foreach my $v (@vals) { + if ($v->get_name() eq $logon_name) { + ::rptMsg($logon_name." = ".$v->get_data()); + } + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/lsasecrets.pl b/RecentActivity/release/rr-full/plugins/lsasecrets.pl index ad067c38fc..399ba6519e 100755 --- a/RecentActivity/release/rr-full/plugins/lsasecrets.pl +++ b/RecentActivity/release/rr-full/plugins/lsasecrets.pl 
@@ -1,74 +1,74 @@ -#----------------------------------------------------------- -# lsasecrets.pl -# Get update times for LSA Secrets from the Security hive file -# -# History -# 20100219 - created -# -# References -# http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package lsasecrets; -use strict; - -my %config = (hive => "Security", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100219); - -sub getConfig{return %config} -sub getShortDescr { - return "TEST - Get update times for LSA Secrets"; -} -sub getDescr{} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching lsasecrets v.".$VERSION); - ::logMsg("Launching lsasecrets v.".$VERSION); - ::rptMsg("lsasecrets v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Policy\\Secrets"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - -# -# http://support.microsoft.com/kb/175468 - eval { - ::rptMsg(""); - ::rptMsg("Domain secret - \$MACHINE\.ACC"); - my $c = $key->get_subkey("\$MACHINE\.ACC\\CupdTime")->get_value("")->get_data(); - my @v = unpack("VV",$c); - my $cupd = gmtime(::getTime($v[0],$v[1])); - ::rptMsg("CupdTime = ".$cupd); - - my $o = $key->get_subkey("\$MACHINE\.ACC\\OupdTime")->get_value("")->get_data(); - my @v = unpack("VV",$c); - my $oupd = gmtime(::getTime($v[0],$v[1])); - ::rptMsg("OupdTime = ".$oupd); - }; - ::rptMsg("Error: ".$@) if ($@); - - - - - - - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# lsasecrets.pl +# Get update times for LSA Secrets from the Security hive file +# +# History +# 20100219 - created +# +# References +# http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package lsasecrets; +use strict; + +my %config = (hive => "Security", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100219); + +sub getConfig{return %config} +sub getShortDescr { + return "TEST - Get update times for LSA Secrets"; +} +sub getDescr{} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching lsasecrets v.".$VERSION); + ::logMsg("Launching lsasecrets v.".$VERSION); + ::rptMsg("lsasecrets v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Policy\\Secrets"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + +# +# http://support.microsoft.com/kb/175468 + eval { + ::rptMsg(""); + ::rptMsg("Domain secret - \$MACHINE\.ACC"); + my $c = $key->get_subkey("\$MACHINE\.ACC\\CupdTime")->get_value("")->get_data(); + my @v = unpack("VV",$c); + my $cupd = gmtime(::getTime($v[0],$v[1])); + ::rptMsg("CupdTime = ".$cupd); + + my $o = $key->get_subkey("\$MACHINE\.ACC\\OupdTime")->get_value("")->get_data(); + my @v = unpack("VV",$c); + my $oupd = gmtime(::getTime($v[0],$v[1])); + ::rptMsg("OupdTime = ".$oupd); + }; + ::rptMsg("Error: ".$@) if ($@); + + + + + + + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file 
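Review bot: In the OupdTime branch the second `my @v = unpack("VV",$c);` unpacks `$c` (the CupdTime blob) instead of `$o`, so the reported OupdTime is always a copy of CupdTime and the `$o` read is dead code; it should be `@v = unpack("VV",$o);` (which also removes the `my @v` redeclaration in the same scope that `use strict` tolerates only with a warning). Because this plugin's whole purpose is to give the analyst the change times of the `$MACHINE.ACC` secret, the duplicated value silently misreports when the machine-account secret was last rotated. Separately, `::logMsg("Launching lsasecrets v.".$VERSION)` is emitted twice and `hasRefs => 0` is declared while no `getRefs` sub is defined, unlike the sibling plugins in this patch. This hunk only converts line endings, so the defect predates the commit.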
diff --git a/RecentActivity/release/rr-full/plugins/macaddr.pl b/RecentActivity/release/rr-full/plugins/macaddr.pl index a43ffa6d13..be5d690a1e 100755 --- a/RecentActivity/release/rr-full/plugins/macaddr.pl +++ b/RecentActivity/release/rr-full/plugins/macaddr.pl 
@@ -1,157 +1,157 @@ -#----------------------------------------------------------- -# macaddr.pl -# Attempt to locate MAC address in either Software or System hive files; -# The plugin will determine which one its in and use the appropriate -# code -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package macaddr; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090118); - -sub getConfig{return %config} - -sub getShortDescr { - return " -- "; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching macaddr v.".$VERSION); - ::rptMsg("macaddr v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $guess = guessHive($hive); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - if ($guess eq "System") { -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - - my $key_path = $ccs."\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002bE10318}"; - my $key; - my $found = 0; - ::rptMsg($key_path); - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $na; - eval { - $na = $key->get_subkey($name)->get_value("NetworkAddress")->get_data(); - ::rptMsg(" ".$name.": NetworkAddress = ".$na); - $found = 1; - }; - } - ::rptMsg("No NetworkAddress value found.") if ($found == 0); - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } - } - else { - ::rptMsg($key_path." not found."); - } - } - elsif ($guess eq "Software") { - my $key_path = "Microsoft\\Windows Genuine Advantage"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my $mac; - my $found = 0; - eval { - $mac = $key->get_value("MAC")->get_data(); - ::rptMsg("Mac Address(es) = ".$mac); - $found = 1; - }; - ::rptMsg("No MAC address(es) found.") if ($found == 0); - } - else { - ::rptMsg($key_path." not found."); - } - } - else { - ::rptMsg("Hive file ".$hive." appeared to be neither a Software nor a"); - ::rptMsg("System hive file."); - } -} - -#------------------------------------------------------------- -# guessHive() - attempts to determine the hive type; if NTUSER.DAT, -# attempt to retrieve the SID for the user; this function populates -# global variables (%config, @sids) -#------------------------------------------------------------- -sub guessHive { - my $hive = shift; - my $hive_guess; - my $reg; - my $root_key; - eval { - $reg = Parse::Win32Registry->new($hive); - $root_key = $reg->get_root_key; - }; - ::rptMsg($hive." 
may not be a valid hive.") if ($@); - -# Check for SAM - eval { - if (my $key = $root_key->get_subkey("SAM\\Domains\\Account\\Users")) { - $hive_guess = "SAM"; - } - }; -# Check for Software - eval { - if ($root_key->get_subkey("Microsoft\\Windows\\CurrentVersion") && - $root_key->get_subkey("Microsoft\\Windows NT\\CurrentVersion")) { - $hive_guess = "Software"; - } - }; - -# Check for System - eval { - if ($root_key->get_subkey("MountedDevices") && $root_key->get_subkey("Select")) { - $hive_guess = "System"; - } - }; - -# Check for Security - eval { - if ($root_key->get_subkey("Policy\\Accounts") && $root_key->get_subkey("Policy\\PolAdtEv")) { - $hive_guess = "Security"; - } - }; -# Check for NTUSER.DAT - eval { - if ($root_key->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion")) { - $hive_guess = "NTUSER\.DAT"; - } - }; - return $hive_guess; -} - - +#----------------------------------------------------------- +# macaddr.pl +# Attempt to locate MAC address in either Software or System hive files; +# The plugin will determine which one its in and use the appropriate +# code +# +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package macaddr; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090118); + +sub getConfig{return %config} + +sub getShortDescr { + return " -- "; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching macaddr v.".$VERSION); + ::rptMsg("macaddr v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $guess = guessHive($hive); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + if ($guess eq "System") { +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + + my $key_path = $ccs."\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002bE10318}"; + my $key; + my $found = 0; + ::rptMsg($key_path); + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar (@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + my $na; + eval { + $na = $key->get_subkey($name)->get_value("NetworkAddress")->get_data(); + ::rptMsg(" ".$name.": NetworkAddress = ".$na); + $found = 1; + }; + } + ::rptMsg("No NetworkAddress value found.") if ($found == 0); + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } + } + elsif ($guess eq "Software") { + my $key_path = "Microsoft\\Windows Genuine Advantage"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my $mac; + my $found = 0; + eval { + $mac = $key->get_value("MAC")->get_data(); + ::rptMsg("Mac Address(es) = ".$mac); + $found = 1; + }; + ::rptMsg("No MAC address(es) found.") if ($found == 0); + } + else { + ::rptMsg($key_path." not found."); + } + } + else { + ::rptMsg("Hive file ".$hive." appeared to be neither a Software nor a"); + ::rptMsg("System hive file."); + } +} + +#------------------------------------------------------------- +# guessHive() - attempts to determine the hive type; if NTUSER.DAT, +# attempt to retrieve the SID for the user; this function populates +# global variables (%config, @sids) +#------------------------------------------------------------- +sub guessHive { + my $hive = shift; + my $hive_guess; + my $reg; + my $root_key; + eval { + $reg = Parse::Win32Registry->new($hive); + $root_key = $reg->get_root_key; + }; + ::rptMsg($hive." may not be a valid hive.") if ($@); + +# Check for SAM + eval { + if (my $key = $root_key->get_subkey("SAM\\Domains\\Account\\Users")) { + $hive_guess = "SAM"; + } + }; +# Check for Software + eval { + if ($root_key->get_subkey("Microsoft\\Windows\\CurrentVersion") && + $root_key->get_subkey("Microsoft\\Windows NT\\CurrentVersion")) { + $hive_guess = "Software"; + } + }; + +# Check for System + eval { + if ($root_key->get_subkey("MountedDevices") && $root_key->get_subkey("Select")) { + $hive_guess = "System"; + } + }; + +# Check for Security + eval { + if ($root_key->get_subkey("Policy\\Accounts") && $root_key->get_subkey("Policy\\PolAdtEv")) { + $hive_guess = "Security"; + } + }; +# Check for NTUSER.DAT + eval { + if ($root_key->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion")) { + $hive_guess = "NTUSER\.DAT"; + } + }; + return $hive_guess; +} + + 1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr-full/plugins/mmc.pl b/RecentActivity/release/rr-full/plugins/mmc.pl index d10ed82c2d..5de0cd1c3b 100755 --- a/RecentActivity/release/rr-full/plugins/mmc.pl +++ b/RecentActivity/release/rr-full/plugins/mmc.pl 
@@ -1,77 +1,77 @@ -#----------------------------------------------------------- -# mmc.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# Microsoft Management Console Recent File List values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package mmc; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Get contents of user's MMC\\Recent File List key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching mmc v.".$VERSION); - ::rptMsg("mmc v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Microsoft Management Console\\Recent File List'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("MMC - Recent File List"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# mmc.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# Microsoft Management Console Recent File List values +# +# Change history +# +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package mmc; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Get contents of user's MMC\\Recent File List key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching mmc v.".$VERSION); + ::rptMsg("mmc v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Microsoft Management Console\\Recent File List'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("MMC - Recent File List"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %files; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + my $tag = (split(/File/,$val))[1]; + $files{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %files) { + my ($val,$data) = split(/:/,$files{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." 
not found.");
+ }
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/mmc_tln.pl b/RecentActivity/release/rr-full/plugins/mmc_tln.pl
index 3287f795ab..0ea4337ada 100755
--- a/RecentActivity/release/rr-full/plugins/mmc_tln.pl
+++ b/RecentActivity/release/rr-full/plugins/mmc_tln.pl
@@ -1,69 +1,69 @@ -#----------------------------------------------------------- -# mmc_tln.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# Microsoft Management Console Recent File List values -# -# Change history -# 20120828 - updated, transitioned to TLN format output -# 20080324 - created -# -# References -# -# -# copyright 2012 -# Author: H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package mmc_tln; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20120828); - -sub getConfig{return %config} -sub getShortDescr { - return "Get contents of user's MMC\\Recent File List key (TLN)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching mmc v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Microsoft Management Console\\Recent File List'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("MMC - Recent File List"); -# ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my $lw = $key->get_timestamp(); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my $file1; - eval { - $file1 = $key->get_value("File1")->get_data(); - ::rptMsg($lw."|REG|||[Program Execution] MMC - Recent File List - ".$file1); - }; - - } - else { -# ::rptMsg($key_path." has no values."); - } - } - else { -# ::rptMsg($key_path." 
not found.");
- }
-}
-
+#-----------------------------------------------------------
+# mmc_tln.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# Microsoft Management Console Recent File List values
+#
+# Change history
+# 20120828 - updated, transitioned to TLN format output
+# 20080324 - created
+#
+# References
+#
+#
+# copyright 2012
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package mmc_tln;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20120828);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get contents of user's MMC\\Recent File List key (TLN)";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching mmc v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Microsoft Management Console\\Recent File List';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg("MMC - Recent File List");
+# ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my $lw = $key->get_timestamp();
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my $file1;
+ eval {
+ $file1 = $key->get_value("File1")->get_data();
+ ::rptMsg($lw."|REG|||[Program Execution] MMC - Recent File List - ".$file1);
+ };
+
+ }
+ else {
+# ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+# ::rptMsg($key_path." not found.");
+ }
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/mndmru.pl b/RecentActivity/release/rr-full/plugins/mndmru.pl
index 852309bec5..4fbbf45a8a 100755
--- a/RecentActivity/release/rr-full/plugins/mndmru.pl
+++ b/RecentActivity/release/rr-full/plugins/mndmru.pl 
@@ -1,79 +1,79 @@ -#----------------------------------------------------------- -# mndmru.pl -# Plugin for Registry Ripper, -# Map Network Drive MRU parser -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package mndmru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Get contents of user's Map Network Drive MRU"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching mndmru v.".$VERSION); - ::rptMsg("mndmru v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Map Network Drive MRU"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %mnd; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - $mnd{$val} = $data; - } -# Print sorted content to report file - if (exists $mnd{"MRUList"}) { - ::rptMsg(" MRUList = ".$mnd{"MRUList"}); - delete $mnd{"MRUList"}; - } - foreach my $m (sort {$a <=> $b} keys %mnd) { - ::rptMsg(" ".$m." ".$mnd{$m}); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# mndmru.pl +# Plugin for Registry Ripper, +# Map Network Drive MRU parser +# +# Change history +# +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package mndmru; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Get contents of user's Map Network Drive MRU"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching mndmru v.".$VERSION); + ::rptMsg("mndmru v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Map Network Drive MRU"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %mnd; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + $mnd{$val} = $data; + } +# Print sorted content to report file + if (exists $mnd{"MRUList"}) { + ::rptMsg(" MRUList = ".$mnd{"MRUList"}); + delete $mnd{"MRUList"}; + } + foreach my $m (sort {$a <=> $b} keys %mnd) { + ::rptMsg(" ".$m." ".$mnd{$m}); + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." 
not found.");
+ }
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/mndmru_tln.pl b/RecentActivity/release/rr-full/plugins/mndmru_tln.pl
index 406af0d286..08ef7b707e 100755
--- a/RecentActivity/release/rr-full/plugins/mndmru_tln.pl
+++ b/RecentActivity/release/rr-full/plugins/mndmru_tln.pl
@@ -1,69 +1,69 @@ -#----------------------------------------------------------- -# mndmru_tln.pl -# Plugin for Registry Ripper, -# Map Network Drive MRU parser -# -# Change history -# 20120829 - updated to TLN -# 20080324 - mndmru.pl created -# -# References -# -# -# copyright 2012 -# Author: H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package mndmru_tln; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20120829); - -sub getConfig{return %config} -sub getShortDescr { - return "Get user's Map Network Drive MRU (TLN)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching mndmru v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("Map Network Drive MRU"); -# ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my $lw = $key->get_timestamp(); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - eval { - my $list = $key->get_value("MRUList")->get_data(); - my $l = (split(//,$list))[0]; - my $mru = $key->get_value($l)->get_data(); - ::rptMsg($lw."|REG|||Map Network Drive MRU - ".$mru); - }; - } - else { -# ::rptMsg($key_path." has no values."); - } - } - else { -# ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# mndmru_tln.pl +# Plugin for Registry Ripper, +# Map Network Drive MRU parser +# +# Change history +# 20120829 - updated to TLN +# 20080324 - mndmru.pl created +# +# References +# +# +# copyright 2012 +# Author: H. 
Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package mndmru_tln;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20120829);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get user's Map Network Drive MRU (TLN)";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching mndmru v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg("Map Network Drive MRU");
+# ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my $lw = $key->get_timestamp();
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ eval {
+ my $list = $key->get_value("MRUList")->get_data();
+ my $l = (split(//,$list))[0];
+ my $mru = $key->get_value($l)->get_data();
+ ::rptMsg($lw."|REG|||Map Network Drive MRU - ".$mru);
+ };
+ }
+ else {
+# ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+# ::rptMsg($key_path." not found.");
+ }
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/mountdev.pl b/RecentActivity/release/rr-full/plugins/mountdev.pl
index 0407331bf8..d8dc73bce3 100755
--- a/RecentActivity/release/rr-full/plugins/mountdev.pl
+++ b/RecentActivity/release/rr-full/plugins/mountdev.pl
@@ -1,101 +1,101 @@ -#----------------------------------------------------------- -# mountdev.pl -# Plugin for Registry Ripper; Access System hive file to get the -# MountedDevices -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package mountdev; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Return contents of System hive MountedDevices key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching mountdev v.".$VERSION); - ::rptMsg("mountdev v.".$VERSION); - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); #banner - ::rptMsg(""); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = 'MountedDevices'; - my $key; - my %md; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $data = $v->get_data(); - my $len = length($data); - if ($len == 12) { - my $sig = _translateBinary(substr($data,0,4)); - ::rptMsg($v->get_name()); - ::rptMsg("\tDrive Signature = ".$sig); - } - elsif ($len > 12) { - $data =~ s/\00//g; - push(@{$md{$data}},$v->get_name()); - } - else { - ::logMsg("mountdev v.".$VERSION."\tData length = $len"); - } - } - - ::rptMsg(""); - foreach my $m (keys %md) { - ::rptMsg("Device: ".$m); - foreach my $item (@{$md{$m}}) { - ::rptMsg("\t".$item); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::logMsg($key_path." not found."); - } -} - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} - +#----------------------------------------------------------- +# mountdev.pl +# Plugin for Registry Ripper; Access System hive file to get the +# MountedDevices +# +# Change history +# +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package mountdev; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Return contents of System hive MountedDevices key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching mountdev v.".$VERSION); + ::rptMsg("mountdev v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); #banner + ::rptMsg(""); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = 'MountedDevices'; + my $key; + my %md; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $data = $v->get_data(); + my $len = length($data); + if ($len == 12) { + my $sig = _translateBinary(substr($data,0,4)); + ::rptMsg($v->get_name()); + ::rptMsg("\tDrive Signature = ".$sig); + } + elsif ($len > 12) { + $data =~ s/\00//g; + push(@{$md{$data}},$v->get_name()); + } + else { + ::logMsg("mountdev v.".$VERSION."\tData length = $len"); + } + } + + 
::rptMsg("");
+ foreach my $m (keys %md) {
+ ::rptMsg("Device: ".$m);
+ foreach my $item (@{$md{$m}}) {
+ ::rptMsg("\t".$item);
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+sub _translateBinary {
+ my $str = unpack("H*",$_[0]);
+ my $len = length($str);
+ my @nstr = split(//,$str,$len);
+ my @list = ();
+ foreach (0..($len/2)) {
+ push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
+ }
+ return join(' ',@list);
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/mountdev2.pl b/RecentActivity/release/rr-full/plugins/mountdev2.pl
index 5c7770a142..f79ccfff9f 100755
--- a/RecentActivity/release/rr-full/plugins/mountdev2.pl
+++ b/RecentActivity/release/rr-full/plugins/mountdev2.pl
@@ -1,150 +1,150 @@ -#----------------------------------------------------------- -# mountdev2.pl -# Plugin for Registry Ripper; Access System hive file to get the -# MountedDevices -# -# Change history -# 20120403 - commented out time stamp info from volume GUIDs, added -# listing of unique MAC addresses -# 20120330 - updated to parse the Volume GUIDs to get the time stamps -# 20091116 - changed output -# -# References -# -# -# copyright 2012 Quantum Analytics Research, LLC -# Author: H. Carvey -#----------------------------------------------------------- -package mountdev2; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20120403); - -sub getConfig{return %config} -sub getShortDescr { - return "Return contents of System hive MountedDevices key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching mountdev2 v.".$VERSION); - ::rptMsg(""); - ::rptMsg("mountdev2 v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = 'MountedDevices'; - my $key; - my (%md,%dos,%vol,%macs); - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $data = $v->get_data(); - my $len = length($data); - if ($len == 12) { - my $sig = _translateBinary(substr($data,0,4)); -# my $sig = _translateBinary($data); - $vol{$v->get_name()} = $sig; - } - elsif ($len > 12) { - $data =~ s/\00//g; - push(@{$md{$data}},$v->get_name()); - } - else { - ::logMsg("mountdev2 v.".$VERSION."\tData length = $len"); - } - } - - 
::rptMsg(sprintf "%-50s %-20s","Volume","Disk Sig"); - ::rptMsg(sprintf "%-50s %-20s","-------","--------"); - foreach my $v (sort keys %vol) { - my $str = sprintf "%-50s %-20s",$v,$vol{$v}; - ::rptMsg($str); - } - ::rptMsg(""); - foreach my $v (sort keys %vol) { - next unless ($v =~ m/^\\\?\?\\Volume{/); - my $id = $v; - $id =~ s/^\\\?\?\\Volume{//; - $id =~ s/}$//; - $id =~ s/-//g; - my $l = hex(substr($id,0,8)); - my $m = hex(substr($id,8,4)); - my $h = hex(substr($id,12,4)) & 0x0fff; - my $h = $m | $h << 16; - my $t = (::getTime($l,$h) - 574819200); - ::rptMsg($v); - ::rptMsg(" ".gmtime($t)); - } - - ::rptMsg(""); - foreach my $m (sort keys %md) { - ::rptMsg("Device: ".$m); - foreach my $item (@{$md{$m}}) { - - if ($item =~ m/^\\\?\?\\Volume/) { - my $id = $item; - $id =~ s/^\\\?\?\\Volume{//; - $id =~ s/}$//; -# $id =~ s/-//g; -# my $l = hex(substr($id,0,8)); -# my $m = hex(substr($id,8,4)); -# my $h = hex(substr($id,12,4)) & 0x0fff; -# my $h = $m | $h << 16; -# my $t = (::getTime($l,$h) - 574819200); -# $item .= " ".gmtime($t); - my $m = (split(/-/,$id,5))[4]; - $m = uc($m); - $m = join(':',unpack("(A2)*",$m)); - $macs{$m} = 1; - } - - ::rptMsg(" ".$item); - } - ::rptMsg(""); - } - ::rptMsg(""); - ::rptMsg("Unique MAC Addresses:"); - foreach (keys %macs) { - ::rptMsg($_); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} - +#----------------------------------------------------------- +# mountdev2.pl +# Plugin for Registry Ripper; Access System hive file to get the +# MountedDevices +# +# Change history +# 20120403 - commented out time stamp info from volume GUIDs, added +# listing of unique MAC addresses +# 20120330 - updated to parse the Volume GUIDs to get the time stamps +# 20091116 - changed output +# +# References +# +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey +#----------------------------------------------------------- +package mountdev2; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120403); + +sub getConfig{return %config} +sub getShortDescr { + return "Return contents of System hive MountedDevices key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching mountdev2 v.".$VERSION); + ::rptMsg(""); + ::rptMsg("mountdev2 v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = 'MountedDevices'; + my $key; + my (%md,%dos,%vol,%macs); + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $data = $v->get_data(); + my $len = length($data); + if ($len == 12) { + my $sig = _translateBinary(substr($data,0,4)); +# my 
$sig = _translateBinary($data); + $vol{$v->get_name()} = $sig; + } + elsif ($len > 12) { + $data =~ s/\00//g; + push(@{$md{$data}},$v->get_name()); + } + else { + ::logMsg("mountdev2 v.".$VERSION."\tData length = $len"); + } + } + + ::rptMsg(sprintf "%-50s %-20s","Volume","Disk Sig"); + ::rptMsg(sprintf "%-50s %-20s","-------","--------"); + foreach my $v (sort keys %vol) { + my $str = sprintf "%-50s %-20s",$v,$vol{$v}; + ::rptMsg($str); + } + ::rptMsg(""); + foreach my $v (sort keys %vol) { + next unless ($v =~ m/^\\\?\?\\Volume{/); + my $id = $v; + $id =~ s/^\\\?\?\\Volume{//; + $id =~ s/}$//; + $id =~ s/-//g; + my $l = hex(substr($id,0,8)); + my $m = hex(substr($id,8,4)); + my $h = hex(substr($id,12,4)) & 0x0fff; + my $h = $m | $h << 16; + my $t = (::getTime($l,$h) - 574819200); + ::rptMsg($v); + ::rptMsg(" ".gmtime($t)); + } + + ::rptMsg(""); + foreach my $m (sort keys %md) { + ::rptMsg("Device: ".$m); + foreach my $item (@{$md{$m}}) { + + if ($item =~ m/^\\\?\?\\Volume/) { + my $id = $item; + $id =~ s/^\\\?\?\\Volume{//; + $id =~ s/}$//; +# $id =~ s/-//g; +# my $l = hex(substr($id,0,8)); +# my $m = hex(substr($id,8,4)); +# my $h = hex(substr($id,12,4)) & 0x0fff; +# my $h = $m | $h << 16; +# my $t = (::getTime($l,$h) - 574819200); +# $item .= " ".gmtime($t); + my $m = (split(/-/,$id,5))[4]; + $m = uc($m); + $m = join(':',unpack("(A2)*",$m)); + $macs{$m} = 1; + } + + ::rptMsg(" ".$item); + } + ::rptMsg(""); + } + ::rptMsg(""); + ::rptMsg("Unique MAC Addresses:"); + foreach (keys %macs) { + ::rptMsg($_); + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + +sub _translateBinary { + my $str = unpack("H*",$_[0]); + my $len = length($str); + my @nstr = split(//,$str,$len); + my @list = (); + foreach (0..($len/2)) { + push(@list,$nstr[$_*2].$nstr[($_*2)+1]); + } + return join(' ',@list); +} + 1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr-full/plugins/mp2.pl b/RecentActivity/release/rr-full/plugins/mp2.pl
index b3ae838692..5922ed160b 100755
--- a/RecentActivity/release/rr-full/plugins/mp2.pl
+++ b/RecentActivity/release/rr-full/plugins/mp2.pl
@@ -1,132 +1,132 @@ -#----------------------------------------------------------- -# mp2.pl -# Plugin for Registry Ripper, -# MountPoints2 key parser -# -# Change history -# 20120330 - updated to include parsing of UUID v1 GUIDs to get unique -# MAC addresses -# 20091116 - updated output/sorting; added getting -# _LabelFromReg value -# 20090115 - Removed printing of "volumes" -# -# References -# http://support.microsoft.com/kb/932463 -# -# copyright 2012 Quantum Analytics Research, LLC -# Author: H. Carvey -#----------------------------------------------------------- -package mp2; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20120330); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's MountPoints2 key contents"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching mp2 v.".$VERSION); - ::rptMsg("mp2 v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my %drives; - my %volumes; - my %remote; - my %macs; - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("MountPoints2"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - if ($name =~ m/^{/) { - my $label; - eval { - $label = $s->get_value("_LabelFromReg")->get_data(); - }; - - my $m = (split(/-/,$name,5))[4]; - $m =~ s/}$//; - $m = uc($m); - $m = join(':',unpack("(A2)*",$m)); - $macs{$m} = 1; - - $name = $name." 
(".$label.")" unless ($@); - - push(@{$volumes{$s->get_timestamp()}},$name); - } - elsif ($name =~ m/^[A-Z]/) { - push(@{$drives{$s->get_timestamp()}},$name); - } - elsif ($name =~ m/^#/) { - push(@{$remote{$s->get_timestamp()}},$name); - } - else { - ::rptMsg(" Key name = ".$name); - } - } - ::rptMsg(""); - ::rptMsg("Remote Drives:"); - foreach my $t (reverse sort {$a <=> $b} keys %remote) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$remote{$t}}) { - ::rptMsg(" $item"); - } - } - - ::rptMsg(""); - ::rptMsg("Volumes:"); - foreach my $t (reverse sort {$a <=> $b} keys %volumes) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$volumes{$t}}) { - ::rptMsg(" $item"); - } - } - ::rptMsg(""); - ::rptMsg("Drives:"); - foreach my $t (reverse sort {$a <=> $b} keys %drives) { - my $d = join(',',(@{$drives{$t}})); - ::rptMsg(gmtime($t)." (UTC) - ".$d); - } - ::rptMsg(""); - ::rptMsg("Unique MAC Addresses:"); - foreach (keys %macs) { - ::rptMsg($_); - } - - ::rptMsg(""); - ::rptMsg("Analysis Tip: Correlate the Volume entries to those found in the MountedDevices"); - ::rptMsg("entries that begin with \"\\??\\Volume\"\."); - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# mp2.pl +# Plugin for Registry Ripper, +# MountPoints2 key parser +# +# Change history +# 20120330 - updated to include parsing of UUID v1 GUIDs to get unique +# MAC addresses +# 20091116 - updated output/sorting; added getting +# _LabelFromReg value +# 20090115 - Removed printing of "volumes" +# +# References +# http://support.microsoft.com/kb/932463 +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. 
Carvey +#----------------------------------------------------------- +package mp2; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120330); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's MountPoints2 key contents"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching mp2 v.".$VERSION); + ::rptMsg("mp2 v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my %drives; + my %volumes; + my %remote; + my %macs; + + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("MountPoints2"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + if ($name =~ m/^{/) { + my $label; + eval { + $label = $s->get_value("_LabelFromReg")->get_data(); + }; + + my $m = (split(/-/,$name,5))[4]; + $m =~ s/}$//; + $m = uc($m); + $m = join(':',unpack("(A2)*",$m)); + $macs{$m} = 1; + + $name = $name." (".$label.")" unless ($@); + + push(@{$volumes{$s->get_timestamp()}},$name); + } + elsif ($name =~ m/^[A-Z]/) { + push(@{$drives{$s->get_timestamp()}},$name); + } + elsif ($name =~ m/^#/) { + push(@{$remote{$s->get_timestamp()}},$name); + } + else { + ::rptMsg(" Key name = ".$name); + } + } + ::rptMsg(""); + ::rptMsg("Remote Drives:"); + foreach my $t (reverse sort {$a <=> $b} keys %remote) { + ::rptMsg(gmtime($t)." 
(UTC)"); + foreach my $item (@{$remote{$t}}) { + ::rptMsg(" $item"); + } + } + + ::rptMsg(""); + ::rptMsg("Volumes:"); + foreach my $t (reverse sort {$a <=> $b} keys %volumes) { + ::rptMsg(gmtime($t)." (UTC)"); + foreach my $item (@{$volumes{$t}}) { + ::rptMsg(" $item"); + } + } + ::rptMsg(""); + ::rptMsg("Drives:"); + foreach my $t (reverse sort {$a <=> $b} keys %drives) { + my $d = join(',',(@{$drives{$t}})); + ::rptMsg(gmtime($t)." (UTC) - ".$d); + } + ::rptMsg(""); + ::rptMsg("Unique MAC Addresses:"); + foreach (keys %macs) { + ::rptMsg($_); + } + + ::rptMsg(""); + ::rptMsg("Analysis Tip: Correlate the Volume entries to those found in the MountedDevices"); + ::rptMsg("entries that begin with \"\\??\\Volume\"\."); + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/mpmru.pl b/RecentActivity/release/rr-full/plugins/mpmru.pl index 87e449a936..2244e27ed9 100755 --- a/RecentActivity/release/rr-full/plugins/mpmru.pl +++ b/RecentActivity/release/rr-full/plugins/mpmru.pl 
@@ -1,77 +1,77 @@
-#-----------------------------------------------------------
-# mpmru.pl
-# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
-# Media Player RecentFileList values
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package mpmru;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets user's Media Player RecentFileList values";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching mpmru v.".$VERSION);
- ::rptMsg("mpmru v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("Media Player - RecentFileList");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %files;
-# Retrieve values and load into a hash for sorting
- foreach my $v (@vals) {
- my $val = $v->get_name();
- my $data = $v->get_data();
- my $tag = (split(/File/,$val))[1];
- $files{$tag} = $val.":".$data;
- }
-# Print sorted content to report file
- foreach my $u (sort {$a <=> $b} keys %files) {
- my ($val,$data) = split(/:/,$files{$u},2);
- ::rptMsg(" ".$val." -> ".$data);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." 
not found.");
- }
-}
-
+#-----------------------------------------------------------
+# mpmru.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# Media Player RecentFileList values
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package mpmru;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets user's Media Player RecentFileList values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching mpmru v.".$VERSION);
+ ::rptMsg("mpmru v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Media Player - RecentFileList");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %files;
+# Retrieve values and load into a hash for sorting
+ foreach my $v (@vals) {
+ my $val = $v->get_name();
+ my $data = $v->get_data();
+ my $tag = (split(/File/,$val))[1];
+ $files{$tag} = $val.":".$data;
+ }
+# Print sorted content to report file
+ foreach my $u (sort {$a <=> $b} keys %files) {
+ my ($val,$data) = split(/:/,$files{$u},2);
+ ::rptMsg(" ".$val." -> ".$data);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." 
not found.");
+ }
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/mrt.pl b/RecentActivity/release/rr-full/plugins/mrt.pl
index aee2c361dc..a5f8e22791 100755
--- a/RecentActivity/release/rr-full/plugins/mrt.pl
+++ b/RecentActivity/release/rr-full/plugins/mrt.pl
@@ -1,74 +1,74 @@
-#-----------------------------------------------------------
-# mrt.pl
-#
-# Per http://support.microsoft.com/kb/891716/, whenever MRT is run, a new
-# GUID is written to the Version value. Check the KB article to compare
-# GUIDs against the last time the tool was run. Also be sure to check the
-# MRT logs in %WinDir%\Debug (mrt.log)
-#
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package mrt;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 1,
- version => 20080804);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Check to see if Malicious Software Removal Tool has been run";
-}
-sub getDescr{}
-sub getRefs {"Deployment of the Microsoft Windows Malicious Software Removal Tool" =>
- "http://support.microsoft.com/kb/891716/",
- "The Microsoft Windows Malicious Software Removal Tool" => "http://support.microsoft.com/?kbid=890830"}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching mrt v.".$VERSION);
- ::rptMsg("mrt v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
-
- my $key_path = "Microsoft\\RemovalTools\\MRT";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("Key Path: ".$key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my $version;
- eval {
- $version = $key->get_value("Version")->get_data();
- };
- if ($@) {
- ::rptMsg("Error getting Version information: ".$@);
-
- }
- else {
- ::rptMsg("Version: ".$version);
- ::rptMsg("");
- ::rptMsg("Analysis Tip: Go to http://support.microsoft.com/kb/891716/ to see when MRT");
- ::rptMsg("was last run. 
According to the KB article, each time MRT is run, a new GUID");
- ::rptMsg("is written to the Version value.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# mrt.pl
+#
+# Per http://support.microsoft.com/kb/891716/, whenever MRT is run, a new
+# GUID is written to the Version value. Check the KB article to compare
+# GUIDs against the last time the tool was run. Also be sure to check the
+# MRT logs in %WinDir%\Debug (mrt.log)
+#
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package mrt;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20080804);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Check to see if Malicious Software Removal Tool has been run";
+}
+sub getDescr{}
+sub getRefs {"Deployment of the Microsoft Windows Malicious Software Removal Tool" =>
+ "http://support.microsoft.com/kb/891716/",
+ "The Microsoft Windows Malicious Software Removal Tool" => "http://support.microsoft.com/?kbid=890830"}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching mrt v.".$VERSION);
+ ::rptMsg("mrt v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+
+ my $key_path = "Microsoft\\RemovalTools\\MRT";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Key Path: ".$key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)");
+ ::rptMsg("");
+
+ my $version;
+ eval {
+ $version = $key->get_value("Version")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("Error getting Version information: ".$@);
+
+ }
+ else {
+ ::rptMsg("Version: ".$version);
+ ::rptMsg("");
+ ::rptMsg("Analysis Tip: Go to http://support.microsoft.com/kb/891716/ to see when MRT");
+ ::rptMsg("was last run. According to the KB article, each time MRT is run, a new GUID");
+ ::rptMsg("is written to the Version value.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/msis.pl b/RecentActivity/release/rr-full/plugins/msis.pl
index 0075eec172..1be5db7617 100755
--- a/RecentActivity/release/rr-full/plugins/msis.pl
+++ b/RecentActivity/release/rr-full/plugins/msis.pl
@@ -1,98 +1,98 @@ -#----------------------------------------------------------- -# msis.pl -# Plugin to determine the MSI packages installed on the system -# -# Change history: -# 20090911 - created -# -# References: -# http://support.microsoft.com/kb/290134 -# http://support.microsoft.com/kb/931401 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package msis; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090911); - -sub getConfig{return %config} - -sub getShortDescr { - return "Determine MSI packages installed on the system"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %msi; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching msis v.".$VERSION); - ::rptMsg("msis v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Classes\\Installer\\Products"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $lastwrite = $s->get_timestamp(); - - my $product; - eval { - $product = $s->get_value("ProductName")->get_data(); - }; - - my $path; - my $pkg; - - eval { - my $p = $s->get_subkey("SourceList")->get_value("LastUsedSource")->get_data(); - $path = (split(/;/,$p,3))[2]; - }; - - eval { - $pkg = $s->get_subkey("SourceList")->get_value("PackageName")->get_data(); - }; - - push(@{$msi{$lastwrite}},$product.";".$path.$pkg); - } - - - foreach my $t (reverse sort {$a <=> $b} keys %msi) { - ::rptMsg(gmtime($t)." 
(UTC)"); - foreach my $item (@{$msi{$t}}) { - ::rptMsg(" ".$item); - } - } - - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# msis.pl +# Plugin to determine the MSI packages installed on the system +# +# Change history: +# 20090911 - created +# +# References: +# http://support.microsoft.com/kb/290134 +# http://support.microsoft.com/kb/931401 +# +# copyright 2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package msis; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090911); + +sub getConfig{return %config} + +sub getShortDescr { + return "Determine MSI packages installed on the system"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %msi; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching msis v.".$VERSION); + ::rptMsg("msis v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Classes\\Installer\\Products"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $lastwrite = $s->get_timestamp(); + + my $product; + eval { + $product = $s->get_value("ProductName")->get_data(); + }; + + my $path; + my $pkg; + + eval { + my $p = $s->get_subkey("SourceList")->get_value("LastUsedSource")->get_data(); + $path = (split(/;/,$p,3))[2]; + }; + + eval { + $pkg = $s->get_subkey("SourceList")->get_value("PackageName")->get_data(); + }; + + push(@{$msi{$lastwrite}},$product.";".$path.$pkg); + } + + + foreach my $t (reverse sort {$a <=> $b} keys %msi) { + ::rptMsg(gmtime($t)." (UTC)"); + foreach my $item (@{$msi{$t}}) { + ::rptMsg(" ".$item); + } + } + + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/mspaper.pl b/RecentActivity/release/rr-full/plugins/mspaper.pl index f4038b321d..325fc6474c 100755 --- a/RecentActivity/release/rr-full/plugins/mspaper.pl +++ b/RecentActivity/release/rr-full/plugins/mspaper.pl 
@@ -1,102 +1,102 @@ -#----------------------------------------------------------- -# mspaper.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# MSPaper Recent File List values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package mspaper; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets images listed in user's MSPaper key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching mspaper v.".$VERSION); - ::rptMsg("mspaper v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $tick = 0; - my $key_path = 'Software\\Microsoft'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - - if (scalar @subkeys > 0) { - foreach my $sk (@subkeys) { - if ($sk->get_name() =~ m/^mspaper/i) { - $tick = 1; - my $nkey = $sk->get_name()."\\Recent File List"; - my $msp; - if ($msp = $key->get_subkey($nkey)) { - ::rptMsg("MSPaper - Recent File List"); - ::rptMsg($key_path."\\".$nkey); - ::rptMsg("LastWrite Time ".gmtime($msp->get_timestamp())." 
(UTC)"); - my @vals = $msp->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path."\\".$nkey." has no values."); - } - } - else { - ::rptMsg($key_path."\\".$nkey." not found."); - ::logMsg("Error: ".$key_path."\\".$nkey." not found."); - } - } - } - if ($tick == 0) { - ::rptMsg("SOFTWARE\\Microsoft\\MSPaper* not found."); - ::logMsg("SOFTWARE\\Microsoft\\MSPaper* not found."); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# mspaper.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# MSPaper Recent File List values +# +# Change history +# +# +# References +# +# +# copyright 2008 H. 
Carvey +#----------------------------------------------------------- +package mspaper; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets images listed in user's MSPaper key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching mspaper v.".$VERSION); + ::rptMsg("mspaper v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $tick = 0; + my $key_path = 'Software\\Microsoft'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + + if (scalar @subkeys > 0) { + foreach my $sk (@subkeys) { + if ($sk->get_name() =~ m/^mspaper/i) { + $tick = 1; + my $nkey = $sk->get_name()."\\Recent File List"; + my $msp; + if ($msp = $key->get_subkey($nkey)) { + ::rptMsg("MSPaper - Recent File List"); + ::rptMsg($key_path."\\".$nkey); + ::rptMsg("LastWrite Time ".gmtime($msp->get_timestamp())." (UTC)"); + my @vals = $msp->get_list_of_values(); + if (scalar(@vals) > 0) { + my %files; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + my $tag = (split(/File/,$val))[1]; + $files{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %files) { + my ($val,$data) = split(/:/,$files{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path."\\".$nkey." has no values."); + } + } + else { + ::rptMsg($key_path."\\".$nkey." not found."); + ::logMsg("Error: ".$key_path."\\".$nkey." 
not found."); + } + } + } + if ($tick == 0) { + ::rptMsg("SOFTWARE\\Microsoft\\MSPaper* not found."); + ::logMsg("SOFTWARE\\Microsoft\\MSPaper* not found."); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/muicache.pl b/RecentActivity/release/rr-full/plugins/muicache.pl index 96f564b834..68de4dfa7d 100755 --- a/RecentActivity/release/rr-full/plugins/muicache.pl +++ b/RecentActivity/release/rr-full/plugins/muicache.pl 
@@ -1,93 +1,93 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# muicache.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# MUICache values -# -# Change history -# 20130425 - added alertMsg() functionality -# 20120522 - updated to collect info from Win7 USRCLASS.DAT -# -# -# copyright 2012 Quantum Research Analytics, LLC -# Author: H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package muicache; -use strict; - -my %config = (hive => "NTUSER\.DAT,USRCLASS\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20130425); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets EXEs from user's MUICache key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching muicache v.".$VERSION); - ::rptMsg("muicache v.".$VERSION); - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - my $key_path = 'Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - ::alertMsg("ALERT: muicache: ".$key_path." ".$name." has \"Temp\" in path\.") if (grep(/[Tt]emp/,$name)); - next if ($name =~ m/^@/ || $name eq "LangID"); - my $data = $v->get_data(); - ::rptMsg(" ".$name." (".$data.")"); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::rptMsg(""); - } -# Added for access to USRCLASS.DAT - my $key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - ::alertMsg("ALERT: muicache: ".$key_path." ".$name." has \"Temp\" in path\.") if (grep(/[Tt]emp/,$name)); - next if ($name =~ m/^@/ || $name eq "LangID"); - my $data = $v->get_data(); - ::rptMsg($name." (".$data.")"); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } - -} +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# muicache.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# MUICache values +# +# Change history +# 20130425 - added alertMsg() functionality +# 20120522 - updated to collect info from Win7 USRCLASS.DAT +# +# +# copyright 2012 Quantum Research Analytics, LLC +# Author: H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package muicache; +use strict; + +my %config = (hive => "NTUSER\.DAT,USRCLASS\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130425); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets EXEs from user's MUICache key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching muicache v.".$VERSION); + ::rptMsg("muicache v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + my $key_path = 'Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + ::alertMsg("ALERT: muicache: ".$key_path." ".$name." has \"Temp\" in path\.") if (grep(/[Tt]emp/,$name)); + next if ($name =~ m/^@/ || $name eq "LangID"); + my $data = $v->get_data(); + ::rptMsg(" ".$name." (".$data.")"); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::rptMsg(""); + } +# Added for access to USRCLASS.DAT + my $key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + ::alertMsg("ALERT: muicache: ".$key_path." ".$name." 
has \"Temp\" in path\.") if (grep(/[Tt]emp/,$name)); + next if ($name =~ m/^@/ || $name eq "LangID"); + my $data = $v->get_data(); + ::rptMsg($name." (".$data.")"); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } + +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/nero.pl b/RecentActivity/release/rr-full/plugins/nero.pl index 5ec0065264..4e0930d46d 100755 --- a/RecentActivity/release/rr-full/plugins/nero.pl +++ b/RecentActivity/release/rr-full/plugins/nero.pl 
@@ -1,76 +1,76 @@ -#----------------------------------------------------------- -# nero.pl -# **Very Beta! Based on one sample hive file only! -# -# Change history -# 20100218 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package nero; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of Ahead\\Nero Recent File List subkeys"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my @nerosubkeys = ("Cover Designer","FlmgPlg","Nero PhotoSnap", - "NSPluginMgr","PhotoEffects","XlmgPlg"); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching nero v.".$VERSION); - ::rptMsg("nero v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Ahead'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - foreach my $nsk (@nerosubkeys) { - eval { - my $nk; - if ($nk = $key->get_subkey($nsk."\\Recent File List")) { - my @vals = $nk->get_list_of_values(); - if (scalar @vals > 0) { - ::rptMsg($nsk."\\Recent File List"); - ::rptMsg("LastWrite Time ".gmtime($nk->get_timestamp())." (UTC)"); - foreach my $v (@vals) { - ::rptMsg(" ".$v->get_name()." -> ".$v->get_data()); - } - ::rptMsg(""); - } - else { - ::rptMsg($nsk."\\Recent File List has no values."); - } - } - }; - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# nero.pl +# **Very Beta! Based on one sample hive file only! 
+# +# Change history +# 20100218 - created +# +# References +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package nero; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100218); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of Ahead\\Nero Recent File List subkeys"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my @nerosubkeys = ("Cover Designer","FlmgPlg","Nero PhotoSnap", + "NSPluginMgr","PhotoEffects","XlmgPlg"); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + my %hist; + ::logMsg("Launching nero v.".$VERSION); + ::rptMsg("nero v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Ahead'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + foreach my $nsk (@nerosubkeys) { + eval { + my $nk; + if ($nk = $key->get_subkey($nsk."\\Recent File List")) { + my @vals = $nk->get_list_of_values(); + if (scalar @vals > 0) { + ::rptMsg($nsk."\\Recent File List"); + ::rptMsg("LastWrite Time ".gmtime($nk->get_timestamp())." (UTC)"); + foreach my $v (@vals) { + ::rptMsg(" ".$v->get_name()." -> ".$v->get_data()); + } + ::rptMsg(""); + } + else { + ::rptMsg($nsk."\\Recent File List has no values."); + } + } + }; + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/network.pl b/RecentActivity/release/rr-full/plugins/network.pl index c8be89b91d..79562a2751 100755 --- a/RecentActivity/release/rr-full/plugins/network.pl +++ b/RecentActivity/release/rr-full/plugins/network.pl 
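Review bot: The `eval { ... }` around each `Recent File List` lookup in `pluginmain` never inspects `$@`, so an exception from Parse::Win32Registry on a damaged or deliberately malformed subkey is silently discarded and the report shows nothing for that application, which is indistinguishable from "no recent files". Add `::logMsg("nero: ".$nsk."\\Recent File List: ".$@) if ($@);` directly after the `};` so the failure is at least visible in the log. The `my %hist;` declared at the top of `pluginmain` is never used and should be dropped. This hunk is the line-ending rewrite of the whole file, so the points concern the re-added code rather than the change itself.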
@@ -1,97 +1,97 @@ -#----------------------------------------------------------- -# network.pl -# Plugin for Registry Ripper; Get information on network -# interfaces from the System hive file - from the -# Control\Network GUID subkeys... -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package network; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets info from System\\Control\\Network GUIDs"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %nics; - my $ccs; - ::logMsg("Launching network v.".$VERSION); - ::rptMsg("network v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"; - my $nw; - if ($nw = $root_key->get_subkey($nw_path)) { - ::rptMsg("Network key"); - ::rptMsg($nw_path); -# Get all of the subkey names - my @sk = $nw->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - next if ($name eq "Descriptions"); - if (my $conn = $nw->get_subkey($name."\\Connection")) { - ::rptMsg("Interface ".$name); - ::rptMsg("LastWrite time ".gmtime($conn->get_timestamp())." 
(UTC)"); - my %conn_vals; - my @vals = $conn->get_list_of_values(); - map{$conn_vals{$_->get_name()} = $_->get_data()}@vals; - ::rptMsg("\tName = ".$conn_vals{Name}); - ::rptMsg("\tPnpInstanceID = ".$conn_vals{PnpInstanceID}); - ::rptMsg("\tMediaSubType = ".$conn_vals{MediaSubType}); - ::rptMsg("\tIpCheckingEnabled = ".$conn_vals{IpCheckingEnabled}) - if (exists $conn_vals{IpCheckingEnabled}); - - } - ::rptMsg(""); - } - - } - else { - ::rptMsg($nw_path." has no subkeys."); - } - } - else { - ::rptMsg($nw_path." could not be found."); - ::logMsg($nw_path." could not be found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# network.pl +# Plugin for Registry Ripper; Get information on network +# interfaces from the System hive file - from the +# Control\Network GUID subkeys... +# +# Change history +# +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package network; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets info from System\\Control\\Network GUIDs"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %nics; + my $ccs; + ::logMsg("Launching network v.".$VERSION); + ::rptMsg("network v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = 
$root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"; + my $nw; + if ($nw = $root_key->get_subkey($nw_path)) { + ::rptMsg("Network key"); + ::rptMsg($nw_path); +# Get all of the subkey names + my @sk = $nw->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); + next if ($name eq "Descriptions"); + if (my $conn = $nw->get_subkey($name."\\Connection")) { + ::rptMsg("Interface ".$name); + ::rptMsg("LastWrite time ".gmtime($conn->get_timestamp())." (UTC)"); + my %conn_vals; + my @vals = $conn->get_list_of_values(); + map{$conn_vals{$_->get_name()} = $_->get_data()}@vals; + ::rptMsg("\tName = ".$conn_vals{Name}); + ::rptMsg("\tPnpInstanceID = ".$conn_vals{PnpInstanceID}); + ::rptMsg("\tMediaSubType = ".$conn_vals{MediaSubType}); + ::rptMsg("\tIpCheckingEnabled = ".$conn_vals{IpCheckingEnabled}) + if (exists $conn_vals{IpCheckingEnabled}); + + } + ::rptMsg(""); + } + + } + else { + ::rptMsg($nw_path." has no subkeys."); + } + } + else { + ::rptMsg($nw_path." could not be found."); + ::logMsg($nw_path." could not be found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/networkcards.pl b/RecentActivity/release/rr-full/plugins/networkcards.pl index e2d9508c0f..23cf82d74b 100755 --- a/RecentActivity/release/rr-full/plugins/networkcards.pl +++ b/RecentActivity/release/rr-full/plugins/networkcards.pl 
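Review bot: In `pluginmain`, `$key->get_value("Current")->get_data()` is called with no check that the `Select\Current` value exists, so a System hive whose Select key lacks it makes the plugin die mid-report, and the `"ControlSet00".$current` concatenation only yields a valid key name for a single-digit Current value. Replace those two lines with `my $cur = $key->get_value("Current");` / `unless (defined $cur) { ::rptMsg($key_path."\\Current not found."); return; }` / `$ccs = sprintf("ControlSet%03d", $cur->get_data());`. Printing `$conn_vals{Name}`, `PnpInstanceID` and `MediaSubType` would still warn when a Connection subkey lacks them; a `defined $conn_vals{Name} ? $conn_vals{Name} : "(not set)"` guard would make the gap explicit in the report instead. This hunk re-adds the whole file for the line-ending change, so the points concern the existing code rather than the diff itself.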
@@ -1,64 +1,64 @@ -#----------------------------------------------------------- -# networkcards -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package networkcards; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080325); - -sub getConfig{return %config} -sub getShortDescr { - return "Get NetworkCards"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching networkcards v.".$VERSION); - ::rptMsg("networkcards v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("NetworkCards"); - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - my %nc; - foreach my $s (@subkeys) { - my $service = $s->get_value("ServiceName")->get_data(); - $nc{$service}{descr} = $s->get_value("Description")->get_data(); - $nc{$service}{lastwrite} = $s->get_timestamp(); - } - - foreach my $n (keys %nc) { - ::rptMsg($nc{$n}{descr}." [".gmtime($nc{$n}{lastwrite})."]"); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# networkcards +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package networkcards; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080325); + +sub getConfig{return %config} +sub getShortDescr { + return "Get NetworkCards"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching networkcards v.".$VERSION); + ::rptMsg("networkcards v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("NetworkCards"); + ::rptMsg($key_path); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + my %nc; + foreach my $s (@subkeys) { + my $service = $s->get_value("ServiceName")->get_data(); + $nc{$service}{descr} = $s->get_value("Description")->get_data(); + $nc{$service}{lastwrite} = $s->get_timestamp(); + } + + foreach my $n (keys %nc) { + ::rptMsg($nc{$n}{descr}." [".gmtime($nc{$n}{lastwrite})."]"); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/networklist.pl b/RecentActivity/release/rr-full/plugins/networklist.pl index ccdd4ad86c..4e1fb05126 100755 --- a/RecentActivity/release/rr-full/plugins/networklist.pl +++ b/RecentActivity/release/rr-full/plugins/networklist.pl 
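Review bot: The per-subkey loop in `pluginmain` calls `get_value("ServiceName")->get_data()` and `get_value("Description")->get_data()` unguarded, so a single NetworkCards subkey missing either value aborts the plugin before any adapter is reported; such entries should be skipped and logged instead. Keying `%nc` by ServiceName also silently collapses two subkeys with the same ServiceName, and the ServiceName (the adapter GUID) is never printed, although it is what lets the Description be matched against the `Tcpip\Parameters\Interfaces\{GUID}` keys that nic2.pl in this same series reports. The rewrite below keys on the subkey name, keeps the GUID in the output and logs skipped entries. This hunk re-adds the whole file for the line-ending change, so the point concerns the existing code.
```perl
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
    my %nc;
    foreach my $s (@subkeys) {
        my $svc  = $s->get_value("ServiceName");
        my $desc = $s->get_value("Description");
        unless (defined $svc && defined $desc) {
            ::logMsg("networkcards: ".$key_path."\\".$s->get_name()." lacks ServiceName or Description; skipped.");
            next;
        }
        # key on the subkey name so two cards sharing a ServiceName are both kept
        $nc{$s->get_name()} = { service   => $svc->get_data(),
                                descr     => $desc->get_data(),
                                lastwrite => $s->get_timestamp() };
    }
    foreach my $n (sort keys %nc) {
        ::rptMsg($nc{$n}{descr}." [".gmtime($nc{$n}{lastwrite})." (UTC)]");
        ::rptMsg("  ServiceName: ".$nc{$n}{service});
    }
}
# ... unchanged: "has no subkeys" / "not found" branches ...
```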
@@ -1,158 +1,158 @@ -#----------------------------------------------------------- -# networklist.pl - Plugin to extract information from the -# NetworkList key, including the MAC address of the default -# gateway -# -# -# Change History: -# 20120917 - updated to include NameType value -# 20090812 - updated code to parse DateCreated and DateLastConnected -# values; modified output, as well -# 20090811 - created -# -# References -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package networklist; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20120917); - -sub getConfig{return %config} - -sub getShortDescr { - return "Collects network info from Vista+ NetworkList key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %types = (0x47 => "wireless", - 0x06 => "wired", - 0x17 => "broadband (3g)"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching networklist v.".$VERSION); - ::rptMsg("Launching networklist v.".$VERSION); - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $base_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList"; - -# First, get profile info - my $key_path = $base_path."\\Profiles"; - my $key; - my %nl; # hash of hashes to hold data - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - $nl{$name}{LastWrite} = $s->get_timestamp(); - eval { - $nl{$name}{ProfileName} = $s->get_value("ProfileName")->get_data(); - $nl{$name}{Description} = $s->get_value("Description")->get_data(); - $nl{$name}{Managed} = $s->get_value("Managed")->get_data(); - 
- my $create = $s->get_value("DateCreated")->get_data(); - $nl{$name}{DateCreated} = parseDate128($create) if (length($create) == 16); - my $conn = $s->get_value("DateLastConnected")->get_data(); - $nl{$name}{DateLastConnected} = parseDate128($conn) if (length($conn) == 16); - - $nl{$name}{NameType} = $s->get_value("NameType")->get_data(); - - if (exists $types{$nl{$name}{NameType}}) { - $nl{$name}{Type} = $types{$nl{$name}{NameType}}; - } - else { - $nl{$name}{Type} = $nl{$name}{NameType}; - } - - }; - } - -# Get additional information from the Signatures subkey - $key_path = $base_path."\\Signatures\\Managed"; - if ($key = $root_key->get_subkey($key_path)) { - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - eval { - my $prof = $s->get_value("ProfileGuid")->get_data(); - my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6); - my $mac = uc(unpack("H*",$tmp)); - my @t = split(//,$mac); - $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3]. - "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; - }; - } - } - } - - $key_path = $base_path."\\Signatures\\Unmanaged"; - if ($key = $root_key->get_subkey($key_path)) { - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - eval { - my $prof = $s->get_value("ProfileGuid")->get_data(); - my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6); - my $mac = uc(unpack("H*",$tmp)); - my @t = split(//,$mac); - $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3]. - "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; - }; - } - } - } - -# Now, display the information - foreach my $n (keys %nl) { - my $str = sprintf "%-15s Gateway Mac: ".$nl{$n}{DefaultGatewayMac},$nl{$n}{ProfileName}; - ::rptMsg($nl{$n}{ProfileName}); - ::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." 
UTC"); - ::rptMsg(" DateLastConnected: ".$nl{$n}{DateLastConnected}); - ::rptMsg(" DateCreated : ".$nl{$n}{DateCreated}); - ::rptMsg(" DefaultGatewayMac: ".$nl{$n}{DefaultGatewayMac}); - ::rptMsg(" Type : ".$nl{$n}{Type}); - ::rptMsg(""); - } - - } - else { - ::rptMsg($key_path." has not subkeys"); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - - - -sub parseDate128 { - my $date = $_[0]; - my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul", - "Aug","Sep","Oct","Nov","Dec"); - my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat"); - my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date); - $hr = "0".$hr if ($hr < 10); - $min = "0".$min if ($min < 10); - $sec = "0".$sec if ($sec < 10); - my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr; - return $str; -} +#----------------------------------------------------------- +# networklist.pl - Plugin to extract information from the +# NetworkList key, including the MAC address of the default +# gateway +# +# +# Change History: +# 20120917 - updated to include NameType value +# 20090812 - updated code to parse DateCreated and DateLastConnected +# values; modified output, as well +# 20090811 - created +# +# References +# +# copyright 2009 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package networklist; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120917); + +sub getConfig{return %config} + +sub getShortDescr { + return "Collects network info from Vista+ NetworkList key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %types = (0x47 => "wireless", + 0x06 => "wired", + 0x17 => "broadband (3g)"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching networklist v.".$VERSION); + ::rptMsg("Launching networklist v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $base_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList"; + +# First, get profile info + my $key_path = $base_path."\\Profiles"; + my $key; + my %nl; # hash of hashes to hold data + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); + $nl{$name}{LastWrite} = $s->get_timestamp(); + eval { + $nl{$name}{ProfileName} = $s->get_value("ProfileName")->get_data(); + $nl{$name}{Description} = $s->get_value("Description")->get_data(); + $nl{$name}{Managed} = $s->get_value("Managed")->get_data(); + + my $create = $s->get_value("DateCreated")->get_data(); + $nl{$name}{DateCreated} = parseDate128($create) if (length($create) == 16); + my $conn = $s->get_value("DateLastConnected")->get_data(); + $nl{$name}{DateLastConnected} = parseDate128($conn) if (length($conn) == 16); + + $nl{$name}{NameType} = $s->get_value("NameType")->get_data(); + + if (exists $types{$nl{$name}{NameType}}) { + $nl{$name}{Type} = $types{$nl{$name}{NameType}}; + } + else { + 
$nl{$name}{Type} = $nl{$name}{NameType}; + } + + }; + } + +# Get additional information from the Signatures subkey + $key_path = $base_path."\\Signatures\\Managed"; + if ($key = $root_key->get_subkey($key_path)) { + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + eval { + my $prof = $s->get_value("ProfileGuid")->get_data(); + my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6); + my $mac = uc(unpack("H*",$tmp)); + my @t = split(//,$mac); + $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3]. + "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; + }; + } + } + } + + $key_path = $base_path."\\Signatures\\Unmanaged"; + if ($key = $root_key->get_subkey($key_path)) { + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + eval { + my $prof = $s->get_value("ProfileGuid")->get_data(); + my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6); + my $mac = uc(unpack("H*",$tmp)); + my @t = split(//,$mac); + $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3]. + "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; + }; + } + } + } + +# Now, display the information + foreach my $n (keys %nl) { + my $str = sprintf "%-15s Gateway Mac: ".$nl{$n}{DefaultGatewayMac},$nl{$n}{ProfileName}; + ::rptMsg($nl{$n}{ProfileName}); + ::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." UTC"); + ::rptMsg(" DateLastConnected: ".$nl{$n}{DateLastConnected}); + ::rptMsg(" DateCreated : ".$nl{$n}{DateCreated}); + ::rptMsg(" DefaultGatewayMac: ".$nl{$n}{DefaultGatewayMac}); + ::rptMsg(" Type : ".$nl{$n}{Type}); + ::rptMsg(""); + } + + } + else { + ::rptMsg($key_path." has not subkeys"); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} + + + +sub parseDate128 { + my $date = $_[0]; + my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul", + "Aug","Sep","Oct","Nov","Dec"); + my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat"); + my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date); + $hr = "0".$hr if ($hr < 10); + $min = "0".$min if ($min < 10); + $sec = "0".$sec if ($sec < 10); + my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr; + return $str; +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/networkuid.pl b/RecentActivity/release/rr-full/plugins/networkuid.pl index a8ceea9dc0..d23c55cd49 100755 --- a/RecentActivity/release/rr-full/plugins/networkuid.pl +++ b/RecentActivity/release/rr-full/plugins/networkuid.pl 
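Review bot: Both Signatures loops in `pluginmain` autovivify `$nl{$prof}` for any ProfileGuid that has no matching Profiles subkey, so the display loop then emits a record with an empty ProfileName and undefined dates, which is indistinguishable from a parsing failure even though an orphaned signature is itself worth flagging; and `substr(...,0,6)` on a DefaultGatewayMac shorter than six bytes yields a truncated MAC with `$t[10]`/`$t[11]` undefined rather than an error. The two loops are identical apart from the `Managed`/`Unmanaged` path and the caught `$@` is never logged. The rewrite below folds them into one loop, rejects short MAC values and logs failures, and the display loop can mark orphans with `::rptMsg("  (no matching Profiles subkey)") unless (defined $nl{$n}{ProfileName});`. `parseDate128` should likewise bounds-check `$mon` and `$dow` before indexing `@months`/`@days`, since a `$mon` of 0 silently yields "Dec" through negative indexing. This hunk re-adds the whole file for the line-ending change, so the points concern the existing code.
```perl
# ... unchanged: Profiles enumeration ...
# Signatures: one loop for both subtrees; a short or missing DefaultGatewayMac
# is logged instead of producing a partial MAC.
foreach my $sig ("Managed", "Unmanaged") {
    $key_path = $base_path."\\Signatures\\".$sig;
    next unless ($key = $root_key->get_subkey($key_path));
    foreach my $s ($key->get_list_of_subkeys()) {
        eval {
            my $prof = $s->get_value("ProfileGuid")->get_data();
            my $raw  = $s->get_value("DefaultGatewayMac")->get_data();
            die "DefaultGatewayMac is only ".length($raw)." bytes\n" if (length($raw) < 6);
            $nl{$prof}{DefaultGatewayMac} = join("-", unpack("(A2)*", uc(unpack("H*", substr($raw, 0, 6)))));
        };
        ::logMsg("networklist: ".$key_path."\\".$s->get_name().": ".$@) if ($@);
    }
}
# ... unchanged: display loop ...
```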
@@ -1,59 +1,59 @@ -#----------------------------------------------------------- -# networkuid.pl -# Gets UID value from Network key -# -# References -# http://blogs.technet.com/mmpc/archive/2010/03/11/got-zbot.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package networkuid; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100312); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets Network key UID value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching networkuid v.".$VERSION); - ::rptMsg("networkuid v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Network"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())); - ::rptMsg(""); - - eval { - my $uid = $key->get_value("UID")->get_data(); - ::rptMsg("UID value = ".$uid); - }; - ::rptMsg("UID value not found.") if ($@); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# networkuid.pl +# Gets UID value from Network key +# +# References +# http://blogs.technet.com/mmpc/archive/2010/03/11/got-zbot.aspx +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package networkuid; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100312); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets Network key UID value"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching networkuid v.".$VERSION); + ::rptMsg("networkuid v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Network"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())); + ::rptMsg(""); + + eval { + my $uid = $key->get_value("UID")->get_data(); + ::rptMsg("UID value = ".$uid); + }; + ::rptMsg("UID value not found.") if ($@); + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/nic.pl b/RecentActivity/release/rr-full/plugins/nic.pl index a8d095d448..adbaa8143c 100755 --- a/RecentActivity/release/rr-full/plugins/nic.pl +++ b/RecentActivity/release/rr-full/plugins/nic.pl 
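Review bot: The `UID` value is only echoed via `::rptMsg` in `pluginmain`, although the header's sole reference is the MMPC "got-zbot" post, which suggests the value is collected as a malware indicator; if so it should also go through `::alertMsg`, as muicache.pl in this same patch series does for suspicious paths, so it surfaces in the alert output rather than only in the full report. Something like `::alertMsg("ALERT: networkuid: ".$key_path." UID value present = ".$uid);` beside the existing `::rptMsg` would do. The LastWrite line also omits the `(UTC)` suffix that the sibling plugins append to `gmtime()` output; `::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())." (UTC)");` keeps the reports consistent. This hunk re-adds the whole file for the line-ending change, so the points concern the existing code.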
@@ -1,82 +1,82 @@ -#----------------------------------------------------------- -# nic.pl -# -# -# Change history -# 20100401 - created -# -# References -# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx -# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package nic; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100401); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets NIC info from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %nics; - my $ccs; - ::logMsg("Launching nic v.".$VERSION); - ::rptMsg("nic v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - eval { - $current = $root_key->get_subkey("Select")->get_value("Current")->get_data(); - }; - my @nics; - my $key_path = "ControlSet00".$current."\\Services"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @svcs = $key->get_list_of_subkeys(); - foreach my $s (@svcs) { - push(@nics,$s) if ($s->get_name() =~ m/^{/); - } - foreach my $n (@nics) { - eval { - my @vals = $n->get_subkey("Parameters\\Tcpip")->get_list_of_values(); - ::rptMsg("Adapter: ".$n->get_name()); - ::rptMsg("LastWrite Time: ".gmtime($n->get_timestamp())." Z"); - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - $data = gmtime($data)." 
Z" if ($name eq "T1" || $name eq "T2"); - $data = gmtime($data)." Z" if ($name =~ m/Time$/); - - ::rptMsg(sprintf " %-20s %-20s",$name,$data); - - } - ::rptMsg(""); - }; - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# nic.pl +# +# +# Change history +# 20100401 - created +# +# References +# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx +# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package nic; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100401); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets NIC info from System hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %nics; + my $ccs; + ::logMsg("Launching nic v.".$VERSION); + ::rptMsg("nic v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + eval { + $current = $root_key->get_subkey("Select")->get_value("Current")->get_data(); + }; + my @nics; + my $key_path = "ControlSet00".$current."\\Services"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @svcs = $key->get_list_of_subkeys(); + foreach my $s (@svcs) { + push(@nics,$s) if ($s->get_name() =~ m/^{/); + } + foreach my $n (@nics) { + eval { + my @vals = $n->get_subkey("Parameters\\Tcpip")->get_list_of_values(); + ::rptMsg("Adapter: ".$n->get_name()); + 
::rptMsg("LastWrite Time: ".gmtime($n->get_timestamp())." Z"); + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); + $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2"); + $data = gmtime($data)." Z" if ($name =~ m/Time$/); + + ::rptMsg(sprintf " %-20s %-20s",$name,$data); + + } + ::rptMsg(""); + }; + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/nic2.pl b/RecentActivity/release/rr-full/plugins/nic2.pl index 0585e9f39e..7a833f1c5c 100755 --- a/RecentActivity/release/rr-full/plugins/nic2.pl +++ b/RecentActivity/release/rr-full/plugins/nic2.pl 
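Review bot: In `pluginmain`, the `eval` that reads `Select\Current` leaves `$current` undefined on failure and nothing checks `$@`, so the code goes on to build `"ControlSet00"` followed by an empty string and reports `ControlSet00\Services not found.`, misattributing a missing Select value to a missing Services key; the same concatenation also only works for a single-digit Current value. Insert `unless (defined $current) { ::rptMsg("Select\\Current not found; cannot determine current ControlSet."); return; }` after the eval and build the path as `my $key_path = sprintf("ControlSet%03d", $current)."\\Services";`. The per-adapter `eval` is also what skips adapters with no `Parameters\Tcpip` subkey, which hides genuine read errors behind the same silence; test `my $tcp = $n->get_subkey("Parameters\\Tcpip") or next;` before the eval so a non-empty `$@` can then be logged with `::logMsg("nic: ".$n->get_name().": ".$@) if ($@);`. This hunk re-adds the whole file for the line-ending change, so the points concern the existing code.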
@@ -1,82 +1,82 @@
-#-----------------------------------------------------------
-# nic2.pl
-#
-#
-# Change history
-# 20100401 - created
-#
-# References
-# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx
-# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package nic2;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100401);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets NIC info from System hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- my %nics;
- my $ccs;
- ::logMsg("Launching nic2 v.".$VERSION);
- ::rptMsg("nic2 v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my $current;
- eval {
- $current = $root_key->get_subkey("Select")->get_value("Current")->get_data();
- };
- my @nics;
- my $key_path = "ControlSet00".$current."\\Services\\Tcpip\\Parameters\\Interfaces";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- my @guids = $key->get_list_of_subkeys();
- if (scalar @guids > 0) {
- foreach my $g (@guids) {
- ::rptMsg("Adapter: ".$g->get_name());
- ::rptMsg("LastWrite Time: ".gmtime($g->get_timestamp())." Z");
- eval {
- my @vals = $g->get_list_of_values();
- foreach my $v (@vals) {
- my $name = $v->get_name();
- my $data = $v->get_data();
- $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2");
- $data = gmtime($data)." Z" if ($name =~ m/Time$/);
- ::rptMsg(sprintf " %-28s %-20s",$name,$data);
- }
- ::rptMsg("");
- };
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# nic2.pl
+#
+#
+# Change history
+# 20100401 - created
+#
+# References
+# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx
+# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package nic2;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100401);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets NIC info from System hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my %nics;
+ my $ccs;
+ ::logMsg("Launching nic2 v.".$VERSION);
+ ::rptMsg("nic2 v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ eval {
+ $current = $root_key->get_subkey("Select")->get_value("Current")->get_data();
+ };
+ my @nics;
+ my $key_path = "ControlSet00".$current."\\Services\\Tcpip\\Parameters\\Interfaces";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @guids = $key->get_list_of_subkeys();
+ if (scalar @guids > 0) {
+ foreach my $g (@guids) {
+ ::rptMsg("Adapter: ".$g->get_name());
+ ::rptMsg("LastWrite Time: ".gmtime($g->get_timestamp())." Z");
+ eval {
+ my @vals = $g->get_list_of_values();
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2");
+ $data = gmtime($data)." Z" if ($name =~ m/Time$/);
+ ::rptMsg(sprintf " %-28s %-20s",$name,$data);
+ }
+ ::rptMsg("");
+ };
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/nic_mst2.pl b/RecentActivity/release/rr-full/plugins/nic_mst2.pl
index 25f8fbecb3..2fbb9c1bb6 100755
--- a/RecentActivity/release/rr-full/plugins/nic_mst2.pl
+++ b/RecentActivity/release/rr-full/plugins/nic_mst2.pl
@@ -1,150 +1,150 @@
-#-----------------------------------------------------------
-# nic_mst2.pl
-# Plugin for Registry Ripper; Get information on network
-# interfaces from the System hive file - start with the
-# Control\Network GUID subkeys...within the Connection key,
-# look for MediaSubType == 2, and maintain a list of GUIDs.
-# Then go over to the Services\Tcpip\Parameters\Interfaces
-# key and get the IP configurations for each of the interface
-# GUIDs
-#
-# Change history
-#
-#
-# References
-# http://support.microsoft.com/kb/555382
-# http://support.microsoft.com/kb/894564
-# http://support.microsoft.com/kb/899868
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package nic_mst2;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets NICs from System hive; looks for MediaType = 2";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- my %nics;
- my $ccs;
- ::logMsg("Launching nic_mst2 v.".$VERSION);
- ::rptMsg("nic_mst2 v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- $ccs = "ControlSet00".$current;
- my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}";
- my $nw;
- if ($nw = $root_key->get_subkey($nw_path)) {
- ::rptMsg("Network key");
- ::rptMsg($nw_path);
-# Get all of the subkey names
- my @sk = $nw->get_list_of_subkeys();
- if (scalar(@sk) > 0) {
- foreach my $s (@sk) {
- my $name = $s->get_name();
- next if ($name eq "Descriptions");
- if (my $conn = $nw->get_subkey($name."\\Connection")) {
- my %conn_vals;
- my @vals = $conn->get_list_of_values();
- map{$conn_vals{$_->get_name()} = $_->get_data()}@vals;
-# See what the active NICs were on the system; "active" based on PnpInstanceID having
-# a string value
-# Get the GUID of the interface, the name, and the LastWrite time of the Connection
-# key
- if (exists $conn_vals{PnpInstanceID} && $conn_vals{PnpInstanceID} ne "") {
- $nics{$name}{Name} = $conn_vals{Name};
- $nics{$name}{LastWrite} = $conn->get_timestamp();
- }
- }
- }
-
- }
- else {
- ::rptMsg($nw_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($nw_path." could not be found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
- ::rptMsg("");
-# access the Tcpip Services key to get the IP address information
- if (scalar(keys %nics) > 0) {
- my $key_path = $ccs."\\Services\\Tcpip\\Parameters\\Interfaces";
- if ($key = $root_key->get_subkey($key_path)) {
- my %guids;
- ::rptMsg($key_path);
- ::rptMsg("LastWrite time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-# Dump the names of the subkeys under Parameters\Interfaces into a hash
- my @sk = $key->get_list_of_subkeys();
- map{$guids{$_->get_name()} = 1}(@sk);
-
- foreach my $n (keys %nics) {
- if (exists $guids{$n}) {
- my $if = $key->get_subkey($n);
- ::rptMsg("Interface ".$n);
- ::rptMsg("Name: ".$nics{$n}{Name});
- ::rptMsg("Control\\Network key LastWrite time ".gmtime($nics{$n}{LastWrite})." (UTC)");
- ::rptMsg("Services\\Tcpip key LastWrite time ".gmtime($if->get_timestamp())." (UTC)");
-
- my @vals = $if->get_list_of_values;
- my %ip;
- map{$ip{$_->get_name()} = $_->get_data()}@vals;
-
- if (exists $ip{EnableDHCP} && $ip{EnableDHCP} == 1) {
- ::rptMsg("\tDhcpDomain = ".$ip{DhcpDomain});
- ::rptMsg("\tDhcpIPAddress = ".$ip{DhcpIPAddress});
- ::rptMsg("\tDhcpSubnetMask = ".$ip{DhcpSubnetMask});
- ::rptMsg("\tDhcpNameServer = ".$ip{DhcpNameServer});
- ::rptMsg("\tDhcpServer = ".$ip{DhcpServer});
- }
- else {
- ::rptMsg("\tIPAddress = ".$ip{IPAddress});
- ::rptMsg("\tSubnetMask = ".$ip{SubnetMask});
- ::rptMsg("\tDefaultGateway = ".$ip{DefaultGateway});
- }
-
- }
- else {
- ::rptMsg("Interface ".$n." not found in the ".$key_path." key.");
- }
- ::rptMsg("");
- }
- }
- }
- else {
- ::rptMsg("No active network interface cards were found.");
- ::logMsg("No active network interface cards were found.");
- }
-}
+#-----------------------------------------------------------
+# nic_mst2.pl
+# Plugin for Registry Ripper; Get information on network
+# interfaces from the System hive file - start with the
+# Control\Network GUID subkeys...within the Connection key,
+# look for MediaSubType == 2, and maintain a list of GUIDs.
+# Then go over to the Services\Tcpip\Parameters\Interfaces
+# key and get the IP configurations for each of the interface
+# GUIDs
+#
+# Change history
+#
+#
+# References
+# http://support.microsoft.com/kb/555382
+# http://support.microsoft.com/kb/894564
+# http://support.microsoft.com/kb/899868
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package nic_mst2;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets NICs from System hive; looks for MediaType = 2";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my %nics;
+ my $ccs;
+ ::logMsg("Launching nic_mst2 v.".$VERSION);
+ ::rptMsg("nic_mst2 v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}";
+ my $nw;
+ if ($nw = $root_key->get_subkey($nw_path)) {
+ ::rptMsg("Network key");
+ ::rptMsg($nw_path);
+# Get all of the subkey names
+ my @sk = $nw->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ my $name = $s->get_name();
+ next if ($name eq "Descriptions");
+ if (my $conn = $nw->get_subkey($name."\\Connection")) {
+ my %conn_vals;
+ my @vals = $conn->get_list_of_values();
+ map{$conn_vals{$_->get_name()} = $_->get_data()}@vals;
+# See what the active NICs were on the system; "active" based on PnpInstanceID having
+# a string value
+# Get the GUID of the interface, the name, and the LastWrite time of the Connection
+# key
+ if (exists $conn_vals{PnpInstanceID} && $conn_vals{PnpInstanceID} ne "") {
+ $nics{$name}{Name} = $conn_vals{Name};
+ $nics{$name}{LastWrite} = $conn->get_timestamp();
+ }
+ }
+ }
+
+ }
+ else {
+ ::rptMsg($nw_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($nw_path." could not be found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+# access the Tcpip Services key to get the IP address information
+ if (scalar(keys %nics) > 0) {
+ my $key_path = $ccs."\\Services\\Tcpip\\Parameters\\Interfaces";
+ if ($key = $root_key->get_subkey($key_path)) {
+ my %guids;
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+# Dump the names of the subkeys under Parameters\Interfaces into a hash
+ my @sk = $key->get_list_of_subkeys();
+ map{$guids{$_->get_name()} = 1}(@sk);
+
+ foreach my $n (keys %nics) {
+ if (exists $guids{$n}) {
+ my $if = $key->get_subkey($n);
+ ::rptMsg("Interface ".$n);
+ ::rptMsg("Name: ".$nics{$n}{Name});
+ ::rptMsg("Control\\Network key LastWrite time ".gmtime($nics{$n}{LastWrite})." (UTC)");
+ ::rptMsg("Services\\Tcpip key LastWrite time ".gmtime($if->get_timestamp())." (UTC)");
+
+ my @vals = $if->get_list_of_values;
+ my %ip;
+ map{$ip{$_->get_name()} = $_->get_data()}@vals;
+
+ if (exists $ip{EnableDHCP} && $ip{EnableDHCP} == 1) {
+ ::rptMsg("\tDhcpDomain = ".$ip{DhcpDomain});
+ ::rptMsg("\tDhcpIPAddress = ".$ip{DhcpIPAddress});
+ ::rptMsg("\tDhcpSubnetMask = ".$ip{DhcpSubnetMask});
+ ::rptMsg("\tDhcpNameServer = ".$ip{DhcpNameServer});
+ ::rptMsg("\tDhcpServer = ".$ip{DhcpServer});
+ }
+ else {
+ ::rptMsg("\tIPAddress = ".$ip{IPAddress});
+ ::rptMsg("\tSubnetMask = ".$ip{SubnetMask});
+ ::rptMsg("\tDefaultGateway = ".$ip{DefaultGateway});
+ }
+
+ }
+ else {
+ ::rptMsg("Interface ".$n." not found in the ".$key_path." key.");
+ }
+ ::rptMsg("");
+ }
+ }
+ }
+ else {
+ ::rptMsg("No active network interface cards were found.");
+ ::logMsg("No active network interface cards were found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/nolmhash.pl b/RecentActivity/release/rr-full/plugins/nolmhash.pl
index f5b25569c8..e47e0bc67d 100755
--- a/RecentActivity/release/rr-full/plugins/nolmhash.pl
+++ b/RecentActivity/release/rr-full/plugins/nolmhash.pl
@@ -1,76 +1,76 @@
-#-----------------------------------------------------------
-# nolmhash.pl
-# Gets NoLMHash value
-#
-# Change history
-# 20100712 - created
-#
-# References
-# http://support.microsoft.com/kb/299656
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package nolmhash;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100712);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets NoLMHash value";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching nolmhash v.".$VERSION);
- ::rptMsg("nolmhash v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my ($current,$ccs);
- my $sel_path = 'Select';
- my $sel;
- if ($sel = $root_key->get_subkey($sel_path)) {
- $current = $sel->get_value("Current")->get_data();
- $ccs = "ControlSet00".$current;
- my $key_path = $ccs."\\Control\\Lsa";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("nolmhash v.".$VERSION);
- ::rptMsg($key_path);
- ::rptMsg("LastWrite: ".gmtime($key->get_timestamp()));
- ::rptMsg("");
- my $nolmhash;
- eval {
- $nolmhash = $key->get_value("NoLMHash")->get_data();
- ::rptMsg("NoLMHash value = ".$nolmhash);
- ::rptMsg("");
- ::rptMsg("A value of 1 indicates that LMHashes are not stored in the SAM.");
- };
- ::rptMsg("Error occurred getting NoLMHash value: $@") if ($@);
- }
- else {
- ::rptMsg($key_path." not found.");
- }
- }
- else {
- ::rptMsg($sel_path." not found.");
- ::logMsg($sel_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# nolmhash.pl
+# Gets NoLMHash value
+#
+# Change history
+# 20100712 - created
+#
+# References
+# http://support.microsoft.com/kb/299656
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package nolmhash;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100712);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets NoLMHash value";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching nolmhash v.".$VERSION);
+ ::rptMsg("nolmhash v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my ($current,$ccs);
+ my $sel_path = 'Select';
+ my $sel;
+ if ($sel = $root_key->get_subkey($sel_path)) {
+ $current = $sel->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ my $key_path = $ccs."\\Control\\Lsa";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("nolmhash v.".$VERSION);
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite: ".gmtime($key->get_timestamp()));
+ ::rptMsg("");
+ my $nolmhash;
+ eval {
+ $nolmhash = $key->get_value("NoLMHash")->get_data();
+ ::rptMsg("NoLMHash value = ".$nolmhash);
+ ::rptMsg("");
+ ::rptMsg("A value of 1 indicates that LMHashes are not stored in the SAM.");
+ };
+ ::rptMsg("Error occurred getting NoLMHash value: $@") if ($@);
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($sel_path." not found.");
+ ::logMsg($sel_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/officedocs.pl b/RecentActivity/release/rr-full/plugins/officedocs.pl
index 523252cf05..d5c10c5c0b 100755
--- a/RecentActivity/release/rr-full/plugins/officedocs.pl
+++ b/RecentActivity/release/rr-full/plugins/officedocs.pl
@@ -1,147 +1,147 @@
-#-----------------------------------------------------------
-# officedocs.pl
-# Plugin for Registry Ripper
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package officedocs;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets contents of user's Office doc MRU keys";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching officedocs v.".$VERSION);
- ::rptMsg("officedocs v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
- ::rptMsg("officedocs v.".$VERSION);
-# First, let's find out which version of Office is installed
- my $version;
- my $tag = 0;
- my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0");
- foreach my $ver (@versions) {
- my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Open Find";
- if (defined($root_key->get_subkey($key_path))) {
- $version = $ver;
- $tag = 1;
- }
- }
-
- if ($tag) {
- ::rptMsg("MSOffice version ".$version." located.");
- my $key_path = "Software\\Microsoft\\Office\\".$version;
- my $of_key = $root_key->get_subkey($key_path);
- if ($of_key) {
-# Attempt to retrieve Word docs
- my @funcs = ("Open","Save As","File Save");
- foreach my $func (@funcs) {
- my $word = "Common\\Open Find\\Microsoft Office Word\\Settings\\".$func."\\File Name MRU";
- my $word_key = $of_key->get_subkey($word);
- if ($word_key) {
- ::rptMsg($word);
- ::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my $value = $word_key->get_value("Value")->get_data();
- my @data = split(/\00/,$value);
- map{::rptMsg("$_");}@data;
- }
- else {
-# ::rptMsg("Could not access ".$word);
- }
- ::rptMsg("");
- }
-# Attempt to retrieve Excel docs
- my $excel = 'Excel\\Recent Files';
- if (my $excel_key = $of_key->get_subkey($excel)) {
- ::rptMsg($key_path."\\".$excel);
- ::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)");
- my @vals = $excel_key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %files;
-# Retrieve values and load into a hash for sorting
- foreach my $v (@vals) {
- my $val = $v->get_name();
- my $data = $v->get_data();
- my $tag = (split(/File/,$val))[1];
- $files{$tag} = $val.":".$data;
- }
-# Print sorted content to report file
- foreach my $u (sort {$a <=> $b} keys %files) {
- my ($val,$data) = split(/:/,$files{$u},2);
- ::rptMsg(" ".$val." -> ".$data);
- }
- }
- else {
- ::rptMsg($key_path.$excel." has no values.");
- }
- }
- else {
- ::rptMsg($key_path.$excel." not found.");
- }
- ::rptMsg("");
-# Attempt to retrieve PowerPoint docs
- my $ppt = 'PowerPoint\\Recent File List';
- if (my $ppt_key = $of_key->get_subkey($ppt)) {
- ::rptMsg($key_path."\\".$ppt);
- ::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)");
- my @vals = $ppt_key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %files;
-# Retrieve values and load into a hash for sorting
- foreach my $v (@vals) {
- my $val = $v->get_name();
- my $data = $v->get_data();
- my $tag = (split(/File/,$val))[1];
- $files{$tag} = $val.":".$data;
- }
-# Print sorted content to report file
- foreach my $u (sort {$a <=> $b} keys %files) {
- my ($val,$data) = split(/:/,$files{$u},2);
- ::rptMsg(" ".$val." -> ".$data);
- }
- }
- else {
- ::rptMsg($key_path."\\".$ppt." has no values.");
- }
- }
- else {
- ::rptMsg($key_path."\\".$ppt." not found.");
- }
- }
- else {
- ::rptMsg("Could not access ".$key_path);
- ::logMsg("Could not access ".$key_path);
- }
- }
- else {
- ::logMsg("MSOffice version not found.");
- ::rptMsg("MSOffice version not found.");
- }
-}
-
+#-----------------------------------------------------------
+# officedocs.pl
+# Plugin for Registry Ripper
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package officedocs;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's Office doc MRU keys";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching officedocs v.".$VERSION);
+ ::rptMsg("officedocs v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("officedocs v.".$VERSION);
+# First, let's find out which version of Office is installed
+ my $version;
+ my $tag = 0;
+ my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0");
+ foreach my $ver (@versions) {
+ my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Open Find";
+ if (defined($root_key->get_subkey($key_path))) {
+ $version = $ver;
+ $tag = 1;
+ }
+ }
+
+ if ($tag) {
+ ::rptMsg("MSOffice version ".$version." located.");
+ my $key_path = "Software\\Microsoft\\Office\\".$version;
+ my $of_key = $root_key->get_subkey($key_path);
+ if ($of_key) {
+# Attempt to retrieve Word docs
+ my @funcs = ("Open","Save As","File Save");
+ foreach my $func (@funcs) {
+ my $word = "Common\\Open Find\\Microsoft Office Word\\Settings\\".$func."\\File Name MRU";
+ my $word_key = $of_key->get_subkey($word);
+ if ($word_key) {
+ ::rptMsg($word);
+ ::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my $value = $word_key->get_value("Value")->get_data();
+ my @data = split(/\00/,$value);
+ map{::rptMsg("$_");}@data;
+ }
+ else {
+# ::rptMsg("Could not access ".$word);
+ }
+ ::rptMsg("");
+ }
+# Attempt to retrieve Excel docs
+ my $excel = 'Excel\\Recent Files';
+ if (my $excel_key = $of_key->get_subkey($excel)) {
+ ::rptMsg($key_path."\\".$excel);
+ ::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)");
+ my @vals = $excel_key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %files;
+# Retrieve values and load into a hash for sorting
+ foreach my $v (@vals) {
+ my $val = $v->get_name();
+ my $data = $v->get_data();
+ my $tag = (split(/File/,$val))[1];
+ $files{$tag} = $val.":".$data;
+ }
+# Print sorted content to report file
+ foreach my $u (sort {$a <=> $b} keys %files) {
+ my ($val,$data) = split(/:/,$files{$u},2);
+ ::rptMsg(" ".$val." -> ".$data);
+ }
+ }
+ else {
+ ::rptMsg($key_path.$excel." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path.$excel." not found.");
+ }
+ ::rptMsg("");
+# Attempt to retrieve PowerPoint docs
+ my $ppt = 'PowerPoint\\Recent File List';
+ if (my $ppt_key = $of_key->get_subkey($ppt)) {
+ ::rptMsg($key_path."\\".$ppt);
+ ::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)");
+ my @vals = $ppt_key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %files;
+# Retrieve values and load into a hash for sorting
+ foreach my $v (@vals) {
+ my $val = $v->get_name();
+ my $data = $v->get_data();
+ my $tag = (split(/File/,$val))[1];
+ $files{$tag} = $val.":".$data;
+ }
+# Print sorted content to report file
+ foreach my $u (sort {$a <=> $b} keys %files) {
+ my ($val,$data) = split(/:/,$files{$u},2);
+ ::rptMsg(" ".$val." -> ".$data);
+ }
+ }
+ else {
+ ::rptMsg($key_path."\\".$ppt." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path."\\".$ppt." not found.");
+ }
+ }
+ else {
+ ::rptMsg("Could not access ".$key_path);
+ ::logMsg("Could not access ".$key_path);
+ }
+ }
+ else {
+ ::logMsg("MSOffice version not found.");
+ ::rptMsg("MSOffice version not found.");
+ }
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/oisc.pl b/RecentActivity/release/rr-full/plugins/oisc.pl
index af938d8d9b..c24bae4951 100755
--- a/RecentActivity/release/rr-full/plugins/oisc.pl
+++ b/RecentActivity/release/rr-full/plugins/oisc.pl
@@ -1,125 +1,125 @@
-#-----------------------------------------------------------
-# oisc.pl
-# Plugin for Registry Ripper
-#
-# Change history
-# 20091125 - modified by H. Carvey
-# 20091110 - created
-#
-# References
-# http://support.microsoft.com/kb/838028
-# http://support.microsoft.com/kb/916658
-#
-# Derived from the officeDocs plugin
-# copyright 2008-2009 H. Carvey, mangled 2009 M. Tarnawsky
-#
-# Michael Tarnawsky
-# forensics@mialta.com
-#-----------------------------------------------------------
-package oisc;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20091125);
-
-my %prot = (0 => "Read-only HTTP",
- 1 => "WEC to FPSE-enabled web folder",
- 2 => "DAV to DAV-ext. web folder");
-
-my %types = (0 => "no collaboration",
- 1 => "SharePoint Team Server",
- 2 => "Exchange 2000 Server",
- 3 => "SharePoint Portal 2001 Server",
- 4 => "SharePoint 2001 enhanced folder",
- 5 => "Windows SharePoint Server/SharePoint Portal 2003 Server");
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets contents of user's Office Internet Server Cache";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching oisc v.".$VERSION);
- ::rptMsg("oisc v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-# First, let's find out which version of Office is installed
- my $version;
- my $tag = 0;
- my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0");
- foreach my $ver (@versions) {
- my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Internet\\Server Cache";
- if (defined($root_key->get_subkey($key_path))) {
- $version = $ver;
- $tag = 1;
- }
- }
-
- if ($tag) {
-
- my %isc;
-
- ::rptMsg("MSOffice version ".$version." located.");
- my $key_path = "Software\\Microsoft\\Office\\".$version."\\Common\\Internet\\Server Cache";
- my $sc_key;
- if ($sc_key = $root_key->get_subkey($key_path)) {
-# Attempt to retrieve Servers Cache subkeys
- my @sc = ($sc_key->get_list_of_subkeys());
- if (scalar(@sc) > 0) {
- foreach my $s (@sc) {
- my $name = $s->get_name();
- $isc{$name}{lastwrite} = $s->get_timestamp();
-
- eval {
- my $t = $s->get_value("Type")->get_data();
- (exists $types{$t}) ? ($isc{$name}{type} = $types{$t})
- : ($isc{$name}{type} = $t);
- };
-
- eval {
- my $p = $s->get_value("Protocol")->get_data();
- (exists $prot{$p}) ? ($isc{$name}{protocol} = $prot{$p})
- : ($isc{$name}{protocol} = $p);
- };
-
- eval {
- my @e = unpack("VV",$s->get_value("Expiration")->get_data());
- $isc{$name}{expiry} = ::getTime($e[0],$e[1]);
- };
- }
- ::rptMsg("");
- foreach my $i (keys %isc) {
- ::rptMsg($i);
- ::rptMsg(" LastWrite : ".gmtime($isc{$i}{lastwrite})." UTC");
- ::rptMsg(" Expiry : ".gmtime($isc{$i}{expiry})." UTC");
- ::rptMsg(" Protocol : ".$isc{$i}{protocol});
- ::rptMsg(" Type : ".$isc{$i}{type});
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
- }
- else {
- ::rptMsg("MSOffice version not found.");
- }
-}
+#-----------------------------------------------------------
+# oisc.pl
+# Plugin for Registry Ripper
+#
+# Change history
+# 20091125 - modified by H. Carvey
+# 20091110 - created
+#
+# References
+# http://support.microsoft.com/kb/838028
+# http://support.microsoft.com/kb/916658
+#
+# Derived from the officeDocs plugin
+# copyright 2008-2009 H. Carvey, mangled 2009 M. Tarnawsky
+#
+# Michael Tarnawsky
+# forensics@mialta.com
+#-----------------------------------------------------------
+package oisc;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20091125);
+
+my %prot = (0 => "Read-only HTTP",
+ 1 => "WEC to FPSE-enabled web folder",
+ 2 => "DAV to DAV-ext. web folder");
+
+my %types = (0 => "no collaboration",
+ 1 => "SharePoint Team Server",
+ 2 => "Exchange 2000 Server",
+ 3 => "SharePoint Portal 2001 Server",
+ 4 => "SharePoint 2001 enhanced folder",
+ 5 => "Windows SharePoint Server/SharePoint Portal 2003 Server");
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's Office Internet Server Cache";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching oisc v.".$VERSION);
+ ::rptMsg("oisc v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+# First, let's find out which version of Office is installed
+ my $version;
+ my $tag = 0;
+ my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0");
+ foreach my $ver (@versions) {
+ my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Internet\\Server Cache";
+ if (defined($root_key->get_subkey($key_path))) {
+ $version = $ver;
+ $tag = 1;
+ }
+ }
+
+ if ($tag) {
+
+ my %isc;
+
+ ::rptMsg("MSOffice version ".$version." located.");
+ my $key_path = "Software\\Microsoft\\Office\\".$version."\\Common\\Internet\\Server Cache";
+ my $sc_key;
+ if ($sc_key = $root_key->get_subkey($key_path)) {
+# Attempt to retrieve Servers Cache subkeys
+ my @sc = ($sc_key->get_list_of_subkeys());
+ if (scalar(@sc) > 0) {
+ foreach my $s (@sc) {
+ my $name = $s->get_name();
+ $isc{$name}{lastwrite} = $s->get_timestamp();
+
+ eval {
+ my $t = $s->get_value("Type")->get_data();
+ (exists $types{$t}) ? ($isc{$name}{type} = $types{$t})
+ : ($isc{$name}{type} = $t);
+ };
+
+ eval {
+ my $p = $s->get_value("Protocol")->get_data();
+ (exists $prot{$p}) ? ($isc{$name}{protocol} = $prot{$p})
+ : ($isc{$name}{protocol} = $p);
+ };
+
+ eval {
+ my @e = unpack("VV",$s->get_value("Expiration")->get_data());
+ $isc{$name}{expiry} = ::getTime($e[0],$e[1]);
+ };
+ }
+ ::rptMsg("");
+ foreach my $i (keys %isc) {
+ ::rptMsg($i);
+ ::rptMsg(" LastWrite : ".gmtime($isc{$i}{lastwrite})." UTC");
+ ::rptMsg(" Expiry : ".gmtime($isc{$i}{expiry})." UTC");
+ ::rptMsg(" Protocol : ".$isc{$i}{protocol});
+ ::rptMsg(" Type : ".$isc{$i}{type});
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg("MSOffice version not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/outlook.pl b/RecentActivity/release/rr-full/plugins/outlook.pl
index c2fb6d1075..a566e0a36a 100755
--- a/RecentActivity/release/rr-full/plugins/outlook.pl
+++ b/RecentActivity/release/rr-full/plugins/outlook.pl
@@ -1,187 +1,187 @@ -#----------------------------------------------------------- -# outlook.pl -# **Very Beta! Based on one sample hive file only! -# -# Change history -# 20100218 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package outlook; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's Outlook settings"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching outlook v.".$VERSION); - ::rptMsg("outlook v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - ::rptMsg(""); - foreach my $s (@subkeys) { - - my $profile = $s->get_name(); - ::rptMsg($profile." 
Profile"); - -# AutoArchive settings -# http://support.microsoft.com/kb/198479 - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0324")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2007 AutoArchive path -> ".$data); - }; - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e0324")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2003 AutoArchive path -> ".$data); - }; - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data); - }; - -# http://support.microsoft.com/kb/288570 - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101e0384")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Open Other Users MRU (Outlook 97) -> ".$data); - }; - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101f0390")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Open Other Users MRU (Outlook 2003) -> ".$data); - }; - - - - eval { - my $data = unpack("V",$s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("00036601")->get_data()); - my $str; - if ($data == 4) { - $str = " Cached Exchange Mode disabled."; - } - elsif ($data == 4484) { - $str = " Cached Exchange Mode enabled."; - } - else { - $str = sprintf " Cached Exchange Mode: 0x%x",$data; - } - ::rptMsg($str); - }; - - eval { - my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6610")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Path to OST file: ".$data); - }; - - eval { - my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6607")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Email: ".$data); - }; - - eval { - my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6620")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Email: ".$data); - }; - -# 
http://support.microsoft.com/kb/959956 -# eval { -# my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("01026687")->get_data(); -# $data =~ s/\00/\./g; -# $data =~ s/\W//g; -# ::rptMsg(" Non-SMTP Email: ".$data); -# }; - - - - - - - - - - - - - - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data); - }; - - - - - - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0418")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" 001f0418 -> ".$data); - }; -# ::rptMsg("Error : ".$@) if ($@); - - -# Account Names and signatures -# http://support.microsoft.com/kb/938360 - my @subkeys = $s->get_subkey("9375CFF0413111d3B88A00104B2A6676")->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - - foreach my $s2 (@subkeys) { - eval { - - - }; - } - } - - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# outlook.pl +# **Very Beta! Based on one sample hive file only! 
+# +# Change history +# 20100218 - created +# +# References +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package outlook; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100218); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's Outlook settings"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + my %hist; + ::logMsg("Launching outlook v.".$VERSION); + ::rptMsg("outlook v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + ::rptMsg(""); + foreach my $s (@subkeys) { + + my $profile = $s->get_name(); + ::rptMsg($profile." 
Profile"); + +# AutoArchive settings +# http://support.microsoft.com/kb/198479 + eval { + my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0324")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Outlook 2007 AutoArchive path -> ".$data); + }; + + eval { + my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e0324")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Outlook 2003 AutoArchive path -> ".$data); + }; + + eval { + my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data); + }; + +# http://support.microsoft.com/kb/288570 + eval { + my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101e0384")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Open Other Users MRU (Outlook 97) -> ".$data); + }; + + eval { + my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101f0390")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Open Other Users MRU (Outlook 2003) -> ".$data); + }; + + + + eval { + my $data = unpack("V",$s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("00036601")->get_data()); + my $str; + if ($data == 4) { + $str = " Cached Exchange Mode disabled."; + } + elsif ($data == 4484) { + $str = " Cached Exchange Mode enabled."; + } + else { + $str = sprintf " Cached Exchange Mode: 0x%x",$data; + } + ::rptMsg($str); + }; + + eval { + my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6610")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Path to OST file: ".$data); + }; + + eval { + my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6607")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Email: ".$data); + }; + + eval { + my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6620")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Email: ".$data); + }; + +# 
http://support.microsoft.com/kb/959956 +# eval { +# my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("01026687")->get_data(); +# $data =~ s/\00/\./g; +# $data =~ s/\W//g; +# ::rptMsg(" Non-SMTP Email: ".$data); +# }; + + + + + + + + + + + + + + + eval { + my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data); + }; + + + + + + + eval { + my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0418")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" 001f0418 -> ".$data); + }; +# ::rptMsg("Error : ".$@) if ($@); + + +# Account Names and signatures +# http://support.microsoft.com/kb/938360 + my @subkeys = $s->get_subkey("9375CFF0413111d3B88A00104B2A6676")->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + + foreach my $s2 (@subkeys) { + eval { + + + }; + } + } + + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/pagefile.pl b/RecentActivity/release/rr-full/plugins/pagefile.pl index 147f352c9f..3af614bca7 100755 --- a/RecentActivity/release/rr-full/plugins/pagefile.pl +++ b/RecentActivity/release/rr-full/plugins/pagefile.pl 
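Review bot: The account-names lookup `my @subkeys = $s->get_subkey("9375CFF0413111d3B88A00104B2A6676")->get_list_of_subkeys();` on the new side is the only registry access in the profile loop that is not wrapped in an eval, so a profile without that subkey calls a method on undef and aborts pluginmain before the remaining profiles are reported; guard it with `my $acct = $s->get_subkey("9375CFF0413111d3B88A00104B2A6676");` and `my @subkeys = defined $acct ? $acct->get_list_of_subkeys() : ();`. The inner `foreach my $s2 (@subkeys) { eval { }; }` is an empty body, so the "Account Names and signatures" section announced by the comment never emits anything. The `001e032c` eval appears twice in the loop, printing "Outlook 2003 AutoArchive path (alt)" twice per profile, and values `001f6607` and `001f6620` are both labelled "Email:" so they cannot be told apart in the report. These defects predate the commit and are carried over unchanged by the line-ending rewrite.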
@@ -1,73 +1,73 @@ -#----------------------------------------------------------- -# pagefile.pl -# -# Ref: -# -# http://support.microsoft.com/kb/314834 - ClearPagefileAtShutdown -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package pagefile; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081212); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get info on pagefile(s)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching pagefile v.".$VERSION); - ::rptMsg("pagefile v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - - my $mm_path = "ControlSet00".$current."\\Control\\Session Manager\\Memory Management"; - my $mm; - if ($mm = $root_key->get_subkey($mm_path)) { - - eval { - my $files = $mm->get_value("PagingFiles")->get_data(); - ::rptMsg("PagingFiles = ".$files); - }; - ::rptMsg($@) if ($@); - - eval { - my $cpf = $mm->get_value("ClearPageFileAtShutdown")->get_data(); - ::rptMsg("ClearPageFileAtShutdown = ".$cpf); - }; - - } - else { - ::rptMsg($mm_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; +#----------------------------------------------------------- +# pagefile.pl +# +# Ref: +# +# http://support.microsoft.com/kb/314834 - ClearPagefileAtShutdown +# +# copyright 2008-2009 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package pagefile; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20081212); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get info on pagefile(s)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching pagefile v.".$VERSION); + ::rptMsg("pagefile v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + + my $mm_path = "ControlSet00".$current."\\Control\\Session Manager\\Memory Management"; + my $mm; + if ($mm = $root_key->get_subkey($mm_path)) { + + eval { + my $files = $mm->get_value("PagingFiles")->get_data(); + ::rptMsg("PagingFiles = ".$files); + }; + ::rptMsg($@) if ($@); + + eval { + my $cpf = $mm->get_value("ClearPageFileAtShutdown")->get_data(); + ::rptMsg("ClearPageFileAtShutdown = ".$cpf); + }; + + } + else { + ::rptMsg($mm_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} +1; diff --git a/RecentActivity/release/rr-full/plugins/polacdms.pl b/RecentActivity/release/rr-full/plugins/polacdms.pl index ba74600fcf..9117eec462 100755 --- a/RecentActivity/release/rr-full/plugins/polacdms.pl +++ b/RecentActivity/release/rr-full/plugins/polacdms.pl 
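Review bot: The `$current = $key->get_value("Current")->get_data();` line under the `Select` key is not inside an eval, unlike the two value reads that follow, so a hive whose Select key lacks a Current value aborts the plugin with an undef-method error instead of reporting "not found"; wrapping it as `eval { $current = $key->get_value("Current")->get_data(); };` with `::rptMsg("Select\\Current value not found."), return if ($@);` keeps the report going. The `"ControlSet00".$current` concatenation presumably assumes a single-digit value; if that assumption is meant to hold it is worth a comment, otherwise a zero-padded `sprintf "ControlSet%03d", $current` is the safer form. The hunk itself is a line-ending rewrite and carries this behaviour over unchanged.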
@@ -1,95 +1,95 @@ -#----------------------------------------------------------- -# polacdms -# Get the audit policy from the Security hive file; also, gets -# -# -# Change History: -# 20100531 - Created -# -# References: -# http://en.wikipedia.org/wiki/Security_Identifier -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package polacdms; -use strict; - -my %config = (hive => "Security", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100531); - -sub getConfig{return %config} -sub getShortDescr { - return "Get local machine SID from Security hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching polacdms v.".$VERSION); - ::rptMsg("polacdms v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Policy\\PolAcDmS"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("PolAcDmS"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $data; - eval { - $data = $key->get_value("")->get_data(); - }; - if ($@) { - ::rptMsg("Error occurred getting data from ".$key_path); - ::rptMsg(" - ".$@); - } - else { - my @d = unpack("V4",substr($data,8,16)); - ::rptMsg("Machine SID: S-1-5-".(join('-',@d))); - } - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - my $key_path = "Policy\\PolPrDmS"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("PolPrDmS"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - - my $data; - eval { - $data = $key->get_value("")->get_data(); - }; - if ($@) { - ::rptMsg("Error occurred getting data from ".$key_path); - ::rptMsg(" - ".$@); - } - else { - my @d = unpack("V4",substr($data,8,16)); - ::rptMsg("Primary Domain SID: S-1-5-".(join('-',@d))); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# polacdms +# Get the audit policy from the Security hive file; also, gets +# +# +# Change History: +# 20100531 - Created +# +# References: +# http://en.wikipedia.org/wiki/Security_Identifier +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package polacdms; +use strict; + +my %config = (hive => "Security", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100531); + +sub getConfig{return %config} +sub getShortDescr { + return "Get local machine SID from Security hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching polacdms v.".$VERSION); + ::rptMsg("polacdms v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Policy\\PolAcDmS"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("PolAcDmS"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my $data; + eval { + $data = $key->get_value("")->get_data(); + }; + if ($@) { + ::rptMsg("Error occurred getting data from ".$key_path); + ::rptMsg(" - ".$@); + } + else { + my @d = unpack("V4",substr($data,8,16)); + ::rptMsg("Machine SID: S-1-5-".(join('-',@d))); + } + } + else { + ::rptMsg($key_path." 
not found."); + } + ::rptMsg(""); + my $key_path = "Policy\\PolPrDmS"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("PolPrDmS"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my $data; + eval { + $data = $key->get_value("")->get_data(); + }; + if ($@) { + ::rptMsg("Error occurred getting data from ".$key_path); + ::rptMsg(" - ".$@); + } + else { + my @d = unpack("V4",substr($data,8,16)); + ::rptMsg("Primary Domain SID: S-1-5-".(join('-',@d))); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/policies_u.pl b/RecentActivity/release/rr-full/plugins/policies_u.pl index ce9430a641..57fcb5c873 100755 --- a/RecentActivity/release/rr-full/plugins/policies_u.pl +++ b/RecentActivity/release/rr-full/plugins/policies_u.pl 
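Review bot: The header comment `# Get the audit policy from the Security hive file; also, gets` is truncated and does not describe what the new side does, which is to read the machine SID from `Policy\PolAcDmS` and the primary domain SID from `Policy\PolPrDmS`; replace it with `# Get the local machine SID (PolAcDmS) and primary domain SID (PolPrDmS) from the Security hive`. The second `my $key_path`/`my $key` declarations reuse names already declared in the same scope of pluginmain, which Perl reports as masking an earlier declaration; renaming them (for example `$pd_path`/`$pd_key`) removes the warning without changing output. The `substr($data,8,16)` unpack assumes the value is at least 24 bytes; a shorter value yields fewer fields and a malformed SID string, so a length check before the unpack would make the report explicit about truncated data.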
@@ -1,75 +1,75 @@ -#----------------------------------------------------------- -# policies_u -# Get values from user's WinLogon key -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package policies_u; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091021); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get values from the user's Policies key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching policies_u v.".$VERSION); - ::rptMsg("policies_u v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion"; - my $key; - if ($key = $root_key->get_subkey($key_path."\\policies")) { -# ::rptMsg("policies key found."); - - } - elsif ($key = $root_key->get_subkey($key_path."\\Policies")) { -# ::rptMsg("Policies key found."); - - } - else { - ::rptMsg("Neither policies nor Policies key found."); - return; - } - - eval { - my @vals = $key->get_subkey("Explorer")->get_list_of_values(); - if (scalar(@vals) > 0) { - ::rptMsg(""); - ::rptMsg("Explorer subkey values:"); - foreach my $v (@vals) { - my $str = sprintf "%-20s %-20s",$v->get_name(),$v->get_data(); - ::rptMsg(" ".$str); - } - } - }; - ::rptMsg(""); - eval { - my $quota = $key->get_subkey("System")->get_value("EnableProfileQuota")->get_data(); - ::rptMsg("EnableProfileQuota = ".$quota); - ::rptMsg(""); - ::rptMsg("The EnableProfileQuota = 1 setting causes the proquota\.exe to be run"); - ::rptMsg("automatically in order to limit the size of roaming profiles\. 
This"); - ::rptMsg("corresponds to the Limit Profile Size GPO setting\."); - }; - ::rptMsg("System\\EnableProfileQuota value not found\.") if ($@); -} - +#----------------------------------------------------------- +# policies_u +# Get values from user's WinLogon key +# +# copyright 2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package policies_u; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20091021); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get values from the user's Policies key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching policies_u v.".$VERSION); + ::rptMsg("policies_u v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion"; + my $key; + if ($key = $root_key->get_subkey($key_path."\\policies")) { +# ::rptMsg("policies key found."); + + } + elsif ($key = $root_key->get_subkey($key_path."\\Policies")) { +# ::rptMsg("Policies key found."); + + } + else { + ::rptMsg("Neither policies nor Policies key found."); + return; + } + + eval { + my @vals = $key->get_subkey("Explorer")->get_list_of_values(); + if (scalar(@vals) > 0) { + ::rptMsg(""); + ::rptMsg("Explorer subkey values:"); + foreach my $v (@vals) { + my $str = sprintf "%-20s %-20s",$v->get_name(),$v->get_data(); + ::rptMsg(" ".$str); + } + } + }; + ::rptMsg(""); + eval { + my $quota = $key->get_subkey("System")->get_value("EnableProfileQuota")->get_data(); + ::rptMsg("EnableProfileQuota = ".$quota); + ::rptMsg(""); + ::rptMsg("The EnableProfileQuota = 1 setting causes the proquota\.exe 
to be run"); + ::rptMsg("automatically in order to limit the size of roaming profiles\. This"); + ::rptMsg("corresponds to the Limit Profile Size GPO setting\."); + }; + ::rptMsg("System\\EnableProfileQuota value not found\.") if ($@); +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/port_dev.pl b/RecentActivity/release/rr-full/plugins/port_dev.pl index 23fdcd8e8c..3b8a16a5f9 100755 --- a/RecentActivity/release/rr-full/plugins/port_dev.pl +++ b/RecentActivity/release/rr-full/plugins/port_dev.pl 
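Review bot: The eval around the `Explorer` subkey values on the new side reports nothing when the subkey or its values are absent, whereas the `System` block that follows prints a "not found" message on `$@`; adding `::rptMsg("Explorer subkey not found\.") if ($@);` after the first eval makes the two branches consistent and tells the analyst that the absence is a lookup failure rather than an empty policy set. The `sprintf "%-20s %-20s",$v->get_name(),$v->get_data()` line prints binary (REG_BINARY/REG_DWORD) data raw into the report, which presumably is intended for string values only. This hunk is a line-ending rewrite; both points predate the commit.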
@@ -1,91 +1,91 @@ -#----------------------------------------------------------- -# port_dev -# Parse Microsoft\Windows Portable Devices\Devices key on Vista -# Get historical information about drive letter assigned to devices -# -# NOTE: Credit for "discovery" goes to Rob Lee -# -# Change History: -# 20090118 - changed the name of the plugin from "removdev" -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package port_dev; -use strict; - -my %config = (hive => "Software", - osmask => 192, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090118); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parses Windows Portable Devices key (Vista)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching port_dev v.".$VERSION); - ::rptMsg("port_dev v.".$VERSION); # banner - :rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows Portable Devices\\Devices"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("RemovDev"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $lastwrite = $s->get_timestamp(); - - my $letter; - eval { - $letter = $s->get_value("FriendlyName")->get_data(); - }; - ::rptMsg($name." 
key error: $@") if ($@); - - my $half; - if (grep(/##/,$name)) { - $half = (split(/##/,$name))[1]; - } - - if (grep(/\?\?/,$name)) { - $half = (split(/\?\?/,$name))[1]; - } - - my ($dev,$sn) = (split(/#/,$half))[1,2]; - - ::rptMsg("Device : ".$dev); - ::rptMsg("LastWrite : ".gmtime($lastwrite)." (UTC)"); - ::rptMsg("SN : ".$sn); - ::rptMsg("Drive : ".$letter); - ::rptMsg(""); - - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# port_dev +# Parse Microsoft\Windows Portable Devices\Devices key on Vista +# Get historical information about drive letter assigned to devices +# +# NOTE: Credit for "discovery" goes to Rob Lee +# +# Change History: +# 20090118 - changed the name of the plugin from "removdev" +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package port_dev; +use strict; + +my %config = (hive => "Software", + osmask => 192, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090118); + +sub getConfig{return %config} + +sub getShortDescr { + return "Parses Windows Portable Devices key (Vista)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching port_dev v.".$VERSION); + ::rptMsg("port_dev v.".$VERSION); # banner + :rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows Portable Devices\\Devices"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("RemovDev"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + + foreach my $s (@subkeys) { + my $name = $s->get_name(); + my $lastwrite = $s->get_timestamp(); + + my $letter; + eval { + $letter = $s->get_value("FriendlyName")->get_data(); + }; + ::rptMsg($name." key error: $@") if ($@); + + my $half; + if (grep(/##/,$name)) { + $half = (split(/##/,$name))[1]; + } + + if (grep(/\?\?/,$name)) { + $half = (split(/\?\?/,$name))[1]; + } + + my ($dev,$sn) = (split(/#/,$half))[1,2]; + + ::rptMsg("Device : ".$dev); + ::rptMsg("LastWrite : ".gmtime($lastwrite)." (UTC)"); + ::rptMsg("SN : ".$sn); + ::rptMsg("Drive : ".$letter); + ::rptMsg(""); + + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/printermru.pl b/RecentActivity/release/rr-full/plugins/printermru.pl index 6a75763524..82074a8221 100755 --- a/RecentActivity/release/rr-full/plugins/printermru.pl +++ b/RecentActivity/release/rr-full/plugins/printermru.pl 
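Review bot: The banner line in pluginmain on the new side still reads `:rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner` with a single colon, which is a Perl syntax error, so the plugin fails to compile and the Portable Devices section is silently missing from every report; it should be `::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner`, matching the other plugins in this patch. Since this commit only rewrites line endings, the typo is carried over unchanged, but it is worth fixing while the file is being touched. Further down, `$half` stays undefined when the key name contains neither `##` nor `??`, and `split(/#/,$half)` then runs on undef, producing empty Device and SN fields without any indication that the name format was unrecognised; printing the raw `$name` in that case would preserve the evidence.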
@@ -1,76 +1,76 @@ -#----------------------------------------------------------- -# printermru.pl -# Plugin to get RealVNC MRU listings from NTUSER.DAT -# -# Change history -# 20091125 - created -# -# References -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package printermru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091125); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's Printer Wizard MRU listing"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching printermru v.".$VERSION); - ::rptMsg("printermru v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Printers\\Settings\\Wizard\\ConnectMRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %mru; - my @list; - foreach my $v (@vals) { - $mru{$v->get_name()} = $v->get_data(); - } - - if (exists $mru{MRUList}) { - @list = split(//,$mru{MRUList}); - } - - ::rptMsg("Printers listed in MRUList order."); - foreach my $i (0..scalar(@list) - 1) { - ::rptMsg(" ".$list[$i]." -> ".$mru{$list[$i]}); - } - - - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# printermru.pl +# Plugin to get RealVNC MRU listings from NTUSER.DAT +# +# Change history +# 20091125 - created +# +# References +# +# copyright 2009 H. 
Carvey +#----------------------------------------------------------- +package printermru; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20091125); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's Printer Wizard MRU listing"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching printermru v.".$VERSION); + ::rptMsg("printermru v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Printers\\Settings\\Wizard\\ConnectMRU'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %mru; + my @list; + foreach my $v (@vals) { + $mru{$v->get_name()} = $v->get_data(); + } + + if (exists $mru{MRUList}) { + @list = split(//,$mru{MRUList}); + } + + ::rptMsg("Printers listed in MRUList order."); + foreach my $i (0..scalar(@list) - 1) { + ::rptMsg(" ".$list[$i]." -> ".$mru{$list[$i]}); + } + + + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/printers.pl b/RecentActivity/release/rr-full/plugins/printers.pl index 0c6da4338a..8c9a349bec 100755 --- a/RecentActivity/release/rr-full/plugins/printers.pl +++ b/RecentActivity/release/rr-full/plugins/printers.pl 
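Review bot: The header comment `# Plugin to get RealVNC MRU listings from NTUSER.DAT` describes a different plugin; the code reads `Printers\\Settings\\Wizard\\ConnectMRU` and getShortDescr says "Gets user's Printer Wizard MRU listing", so the comment should read `# Plugin to get the user's Printer Wizard ConnectMRU listing from NTUSER.DAT`. The loop `foreach my $i (0..scalar(@list) - 1)` prints `$mru{$list[$i]}` for every character in MRUList even when no value of that name exists, which yields an undef concatenation; `next unless exists $mru{$list[$i]};` ahead of the rptMsg call would skip such entries explicitly. The hunk is a line-ending rewrite and carries both over unchanged.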
@@ -1,85 +1,85 @@ -#----------------------------------------------------------- -# printers.pl -# Get information about printers used by a user; System hive -# info is volatile -# -# Ref: -# http://support.microsoft.com/kb/102966 -# http://support.microsoft.com/kb/252388 -# http://support.microsoft.com/kb/102116 -# -# The following references contain information from the System -# hive that is volatile. -# http://www.undocprint.org/winspool/registry -# http://msdn.microsoft.com/en-us/library/aa394363(VS.85).aspx -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package printers; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090223); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get user's printers"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching printers v.".$VERSION); - ::rptMsg("printers v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(" ".$v->get_name()." (".$v->get_data().")"); - } - } - else { - ::rptMsg($key_path." 
has no values."); - } - ::rptMsg(""); -# Get default printer - my $def_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"; - my $def; - eval { - $def = $root_key->get_subkey($def_path)->get_value("Device")->get_data(); - ::rptMsg("Default Printer (via CurrentVersion\\Windows): ".$def); - }; -# another attempt to get the default printer - my $def_path = "Printers"; - my $def; - eval { - $def = $root_key->get_subkey($def_path)->get_value("DeviceOld")->get_data(); - ::rptMsg("Default Printer (via Printers->DeviceOld): ".$def); - }; - - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# printers.pl +# Get information about printers used by a user; System hive +# info is volatile +# +# Ref: +# http://support.microsoft.com/kb/102966 +# http://support.microsoft.com/kb/252388 +# http://support.microsoft.com/kb/102116 +# +# The following references contain information from the System +# hive that is volatile. +# http://www.undocprint.org/winspool/registry +# http://msdn.microsoft.com/en-us/library/aa394363(VS.85).aspx +# +# copyright 2008-2009 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package printers; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090223); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get user's printers"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching printers v.".$VERSION); + ::rptMsg("printers v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + ::rptMsg(" ".$v->get_name()." (".$v->get_data().")"); + } + } + else { + ::rptMsg($key_path." has no values."); + } + ::rptMsg(""); +# Get default printer + my $def_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"; + my $def; + eval { + $def = $root_key->get_subkey($def_path)->get_value("Device")->get_data(); + ::rptMsg("Default Printer (via CurrentVersion\\Windows): ".$def); + }; +# another attempt to get the default printer + my $def_path = "Printers"; + my $def; + eval { + $def = $root_key->get_subkey($def_path)->get_value("DeviceOld")->get_data(); + ::rptMsg("Default Printer (via Printers->DeviceOld): ".$def); + }; + + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr-full/plugins/product.pl b/RecentActivity/release/rr-full/plugins/product.pl
index 9beacc2aad..056db05048 100755
--- a/RecentActivity/release/rr-full/plugins/product.pl
+++ b/RecentActivity/release/rr-full/plugins/product.pl
@@ -1,120 +1,120 @@ -#----------------------------------------------------------- -# product.pl -# Plugin to determine the MSI packages installed on the system -# -# Change history: -# 20100325 - created -# -# References: -# http://support.microsoft.com/kb/236590 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package product; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100325); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get installed product info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %msi; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching product v.".$VERSION); - ::rptMsg("product v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Installer\\UserData"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { -# Each of these subkeys should be SIDs - foreach my $s (@subkeys) { - next unless ($s->get_name() =~ m/^S/); - ::rptMsg($s->get_name()); - if ($s->get_subkey("Products")) { - processSIDKey($s->get_subkey("Products")); - ::rptMsg(""); - } - else { - ::rptMsg($s->get_name()."\\Products subkey not found."); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub processSIDKey { - my $key = shift; - my %prod; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { -# ::rptMsg($key->get_name()); - foreach my $s (@subkeys) { - my ($displayname,$lastwrite); - eval { - $displayname = $s->get_subkey("InstallProperties")->get_value("DisplayName")->get_data(); - $lastwrite = $s->get_subkey("InstallProperties")->get_timestamp(); - }; - - my $displayversion; - eval { - $displayversion = $s->get_subkey("InstallProperties")->get_value("DisplayVersion")->get_data(); - }; - - my $installdate; - eval { - $installdate = $s->get_subkey("InstallProperties")->get_value("InstallDate")->get_data(); - }; - - my $str = $displayname." v.".$displayversion.", ".$installdate; - push(@{$prod{$lastwrite}},$str); - } - - foreach my $t (reverse sort {$a <=> $b} keys %prod) { - ::rptMsg(gmtime($t)." Z"); - foreach my $i (@{$prod{$t}}) { - ::rptMsg(" ".$i); - } - } - - - } - else { - ::rptMsg($key->get_name()." has no subkeys."); - return; - } -} - +#----------------------------------------------------------- +# product.pl +# Plugin to determine the MSI packages installed on the system +# +# Change history: +# 20100325 - created +# +# References: +# http://support.microsoft.com/kb/236590 +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package product; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100325); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get installed product info"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %msi; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching product v.".$VERSION); + ::rptMsg("product v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 
banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows\\CurrentVersion\\Installer\\UserData"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { +# Each of these subkeys should be SIDs + foreach my $s (@subkeys) { + next unless ($s->get_name() =~ m/^S/); + ::rptMsg($s->get_name()); + if ($s->get_subkey("Products")) { + processSIDKey($s->get_subkey("Products")); + ::rptMsg(""); + } + else { + ::rptMsg($s->get_name()."\\Products subkey not found."); + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub processSIDKey { + my $key = shift; + my %prod; + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { +# ::rptMsg($key->get_name()); + foreach my $s (@subkeys) { + my ($displayname,$lastwrite); + eval { + $displayname = $s->get_subkey("InstallProperties")->get_value("DisplayName")->get_data(); + $lastwrite = $s->get_subkey("InstallProperties")->get_timestamp(); + }; + + my $displayversion; + eval { + $displayversion = $s->get_subkey("InstallProperties")->get_value("DisplayVersion")->get_data(); + }; + + my $installdate; + eval { + $installdate = $s->get_subkey("InstallProperties")->get_value("InstallDate")->get_data(); + }; + + my $str = $displayname." v.".$displayversion.", ".$installdate; + push(@{$prod{$lastwrite}},$str); + } + + foreach my $t (reverse sort {$a <=> $b} keys %prod) { + ::rptMsg(gmtime($t)." Z"); + foreach my $i (@{$prod{$t}}) { + ::rptMsg(" ".$i); + } + } + + + } + else { + ::rptMsg($key->get_name()." has no subkeys."); + return; + } +} + 1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr-full/plugins/productpolicy.pl b/RecentActivity/release/rr-full/plugins/productpolicy.pl
index 0d99e5a469..80948e1ff2 100755
--- a/RecentActivity/release/rr-full/plugins/productpolicy.pl
+++ b/RecentActivity/release/rr-full/plugins/productpolicy.pl
@@ -1,147 +1,147 @@ -#----------------------------------------------------------- -# productpolicy.pl -# Extract/parse the ControlSet00x\Control\ProductOptions\ProductPolicy value -# -# NOTE: For Vista and 2008 ONLY; the value structure changed with Windows 7 -# -# Change History: -# 20091116 - created -# -# Ref: -# http://www.geoffchappell.com/viewer.htm?doc=studies/windows/km/ntoskrnl/ -# api/ex/slmem/productpolicy.htm&tx=19 -# http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/ -# install.htm&tx=3,5,6;4 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package productpolicy; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parse ProductPolicy value (Vista & Win2008 ONLY)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my %prodinfo = (1 => "Ultimate", - 2 => "Home Basic", - 3 => "Home Premium", - 5 => "Home Basic N", - 6 => "Business", - 7 => "Standard", - 8 => "Data Center", - 10 => "Enterprise", - 11 => "Starter", - 12 => "Data Center Core", - 13 => "Standard Core", - 14 => "Enterprise Core", - 15 => "Business N"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - - ::logMsg("Launching productpolicy v.".$VERSION); - ::rptMsg("productpolicy v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $curr; - eval { - $curr = $root_key->get_subkey("Select")->get_value("Current")->get_data(); - }; - $curr = 1 if ($@); - - my $key; - my $key_path = "ControlSet00".$curr."\\Control\\ProductOptions"; - if ($key = $root_key->get_subkey($key_path)) { - my $prod; - eval { - $prod = 
$key->get_value("ProductPolicy")->get_data(); - }; - if ($@) { - ::rptMsg("Error getting ProductPolicy value: $@"); - } - else { - my %pol = parseData($prod); - ::rptMsg(""); - ::rptMsg("Note: This plugin applies to Vista and Windows 2008 ONLY."); - ::rptMsg("For a listing of names and values, see:"); - ::rptMsg("http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/install.htm&tx=3,5,6;4"); - ::rptMsg(""); - foreach my $p (sort keys %pol) { - ::rptMsg($p." - ".$pol{$p}); - } - - if (exists $prodinfo{$pol{"Kernel\-ProductInfo"}}) { - ::rptMsg(""); - ::rptMsg("Kernel\-ProductInfo = ".$prodinfo{$pol{"Kernel\-ProductInfo"}}); - } - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -sub parseHeader { -# Ref: http://www.geoffchappell.com/viewer.htm?doc=studies/windows/km/ntoskrnl/ -# api/ex/slmem/productpolicy.htm&tx=19,21 - my %h; - my @v = unpack("V*",shift); - $h{size} = $v[0]; - $h{array} = $v[1]; - $h{marker} = $v[2]; - $h{version} = $v[4]; - return %h; -} - -sub parseData { - my $pd = shift; - my %policy; - my $h = substr($pd,0,0x14); - my %hdr = parseHeader($h); - my $total_size = $hdr{size}; - my $cursor = 0x14; - - while ($cursor <= $total_size) { - my @vals = unpack("v4V2", substr($pd,$cursor,0x10)); - my $value = substr($pd,$cursor,$vals[0]); - my $name = substr($value,0x10,$vals[1]); - $name =~ s/\00//g; - - my $data = substr($value,0x10 + $vals[1],$vals[3]); - if ($vals[2] == 4) { -# $data = sprintf "0x%x",unpack("V",$data); - $data = unpack("V",$data); - } - elsif ($vals[2] == 1) { - $data =~ s/\00//g; - } - elsif ($vals[2] == 3) { - $data = unpack("H*",$data); - } - else { - - } - $policy{$name} = $data; - $cursor += $vals[0]; - } - delete $policy{""}; - return %policy; -} +#----------------------------------------------------------- +# productpolicy.pl +# Extract/parse the ControlSet00x\Control\ProductOptions\ProductPolicy value +# +# NOTE: For Vista and 2008 ONLY; the value structure changed with Windows 7 +# +# Change History: +# 
20091116 - created +# +# Ref: +# http://www.geoffchappell.com/viewer.htm?doc=studies/windows/km/ntoskrnl/ +# api/ex/slmem/productpolicy.htm&tx=19 +# http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/ +# install.htm&tx=3,5,6;4 +# +# copyright 2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package productpolicy; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20091116); + +sub getConfig{return %config} + +sub getShortDescr { + return "Parse ProductPolicy value (Vista & Win2008 ONLY)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my %prodinfo = (1 => "Ultimate", + 2 => "Home Basic", + 3 => "Home Premium", + 5 => "Home Basic N", + 6 => "Business", + 7 => "Standard", + 8 => "Data Center", + 10 => "Enterprise", + 11 => "Starter", + 12 => "Data Center Core", + 13 => "Standard Core", + 14 => "Enterprise Core", + 15 => "Business N"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + + ::logMsg("Launching productpolicy v.".$VERSION); + ::rptMsg("productpolicy v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $curr; + eval { + $curr = $root_key->get_subkey("Select")->get_value("Current")->get_data(); + }; + $curr = 1 if ($@); + + my $key; + my $key_path = "ControlSet00".$curr."\\Control\\ProductOptions"; + if ($key = $root_key->get_subkey($key_path)) { + my $prod; + eval { + $prod = $key->get_value("ProductPolicy")->get_data(); + }; + if ($@) { + ::rptMsg("Error getting ProductPolicy value: $@"); + } + else { + my %pol = parseData($prod); + ::rptMsg(""); + ::rptMsg("Note: This plugin applies to Vista and Windows 2008 ONLY."); + ::rptMsg("For a listing of names and values, see:"); + 
::rptMsg("http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/install.htm&tx=3,5,6;4"); + ::rptMsg(""); + foreach my $p (sort keys %pol) { + ::rptMsg($p." - ".$pol{$p}); + } + + if (exists $prodinfo{$pol{"Kernel\-ProductInfo"}}) { + ::rptMsg(""); + ::rptMsg("Kernel\-ProductInfo = ".$prodinfo{$pol{"Kernel\-ProductInfo"}}); + } + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub parseHeader { +# Ref: http://www.geoffchappell.com/viewer.htm?doc=studies/windows/km/ntoskrnl/ +# api/ex/slmem/productpolicy.htm&tx=19,21 + my %h; + my @v = unpack("V*",shift); + $h{size} = $v[0]; + $h{array} = $v[1]; + $h{marker} = $v[2]; + $h{version} = $v[4]; + return %h; +} + +sub parseData { + my $pd = shift; + my %policy; + my $h = substr($pd,0,0x14); + my %hdr = parseHeader($h); + my $total_size = $hdr{size}; + my $cursor = 0x14; + + while ($cursor <= $total_size) { + my @vals = unpack("v4V2", substr($pd,$cursor,0x10)); + my $value = substr($pd,$cursor,$vals[0]); + my $name = substr($value,0x10,$vals[1]); + $name =~ s/\00//g; + + my $data = substr($value,0x10 + $vals[1],$vals[3]); + if ($vals[2] == 4) { +# $data = sprintf "0x%x",unpack("V",$data); + $data = unpack("V",$data); + } + elsif ($vals[2] == 1) { + $data =~ s/\00//g; + } + elsif ($vals[2] == 3) { + $data = unpack("H*",$data); + } + else { + + } + $policy{$name} = $data; + $cursor += $vals[0]; + } + delete $policy{""}; + return %policy; +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/producttype.pl b/RecentActivity/release/rr-full/plugins/producttype.pl index 17885ddd2b..bd56ee6956 100755 --- a/RecentActivity/release/rr-full/plugins/producttype.pl +++ b/RecentActivity/release/rr-full/plugins/producttype.pl 
@@ -1,90 +1,90 @@ -#----------------------------------------------------------- -# producttype.pl -# Determine Windows product information -# -# History -# 20100713 - updated reference info, formatting -# 20100325 - renamed to producttype.pl -# -# References -# http://support.microsoft.com/kb/181412 -# http://support.microsoft.com/kb/152078 -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package producttype; -use strict; -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100325); - -sub getConfig{return %config} -sub getShortDescr { - return "Queries System hive for Windows Product info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching producttype v.".$VERSION); - ::rptMsg("producttype v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $prod_key_path = $ccs."\\Control\\ProductOptions"; - if (my $prod_key = $root_key->get_subkey($prod_key_path)) { - ::rptMsg($prod_key_path); - ::rptMsg("LastWrite = ".gmtime($prod_key->get_timestamp())); - ::rptMsg(""); - ::rptMsg("Ref: http://support.microsoft.com/kb/152078"); - ::rptMsg(" http://support.microsoft.com/kb/181412"); - ::rptMsg(""); - my $type; - eval { - $type = $prod_key->get_value("ProductType")->get_data(); - ::rptMsg("ProductType = ".$type); - ::rptMsg("Ref: http://technet.microsoft.com/en-us/library/cc782360%28WS.10%29.aspx"); - ::rptMsg("WinNT indicates a workstation."); - 
::rptMsg("ServerNT indicates a standalone server."); - ::rptMsg("LanmanNT indicates a domain controller (pri/backup)."); - }; - ::rptMsg(""); -#----------------------------------------------------------- -# http://technet.microsoft.com/en-us/library/cc784364(WS.10).aspx -# -# http://www.geoffchappell.com/viewer.htm?doc=studies/windows/ -# km/ntoskrnl/api/ex/exinit/productsuite.htm -# -#----------------------------------------------------------- - my $suite; - eval { - $suite = $prod_key->get_value("ProductSuite")->get_data(); - ::rptMsg("ProductSuite = ".$suite); - ::rptMsg("Ref: http://technet.microsoft.com/en-us/library/cc784364%28WS.10%29.aspx"); - }; - } - else { - ::rptMsg($prod_key_path." not found."); - } - } - else { - ::rptMsg("Select key not found."); - } -} +#----------------------------------------------------------- +# producttype.pl +# Determine Windows product information +# +# History +# 20100713 - updated reference info, formatting +# 20100325 - renamed to producttype.pl +# +# References +# http://support.microsoft.com/kb/181412 +# http://support.microsoft.com/kb/152078 +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package producttype; +use strict; +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100325); + +sub getConfig{return %config} +sub getShortDescr { + return "Queries System hive for Windows Product info"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching producttype v.".$VERSION); + ::rptMsg("producttype v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $current; + my $key_path = 'Select'; + my $key; + 
if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $prod_key_path = $ccs."\\Control\\ProductOptions"; + if (my $prod_key = $root_key->get_subkey($prod_key_path)) { + ::rptMsg($prod_key_path); + ::rptMsg("LastWrite = ".gmtime($prod_key->get_timestamp())); + ::rptMsg(""); + ::rptMsg("Ref: http://support.microsoft.com/kb/152078"); + ::rptMsg(" http://support.microsoft.com/kb/181412"); + ::rptMsg(""); + my $type; + eval { + $type = $prod_key->get_value("ProductType")->get_data(); + ::rptMsg("ProductType = ".$type); + ::rptMsg("Ref: http://technet.microsoft.com/en-us/library/cc782360%28WS.10%29.aspx"); + ::rptMsg("WinNT indicates a workstation."); + ::rptMsg("ServerNT indicates a standalone server."); + ::rptMsg("LanmanNT indicates a domain controller (pri/backup)."); + }; + ::rptMsg(""); +#----------------------------------------------------------- +# http://technet.microsoft.com/en-us/library/cc784364(WS.10).aspx +# +# http://www.geoffchappell.com/viewer.htm?doc=studies/windows/ +# km/ntoskrnl/api/ex/exinit/productsuite.htm +# +#----------------------------------------------------------- + my $suite; + eval { + $suite = $prod_key->get_value("ProductSuite")->get_data(); + ::rptMsg("ProductSuite = ".$suite); + ::rptMsg("Ref: http://technet.microsoft.com/en-us/library/cc784364%28WS.10%29.aspx"); + }; + } + else { + ::rptMsg($prod_key_path." not found."); + } + } + else { + ::rptMsg("Select key not found."); + } +} 1 \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/profilelist.pl b/RecentActivity/release/rr-full/plugins/profilelist.pl index 89d5e42e0c..6a5a7293f1 100755 --- a/RecentActivity/release/rr-full/plugins/profilelist.pl +++ b/RecentActivity/release/rr-full/plugins/profilelist.pl 
@@ -1,139 +1,139 @@ -#----------------------------------------------------------- -# profilelist.pl -# Gets ProfileList subkeys and ProfileImagePath value; also -# gets the ProfileLoadTimeHigh and Low values, and translates them -# into a readable time -# -# History: -# 20100219 - updated to gather SpecialAccounts and domain -# user info -# 20080415 - created -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package profilelist; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100219); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get content of ProfileList key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - - my %profiles; - - ::logMsg("Launching profilelist v.".$VERSION); - ::rptMsg("profilelist v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\ProfileList"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $path; - eval { - $path = $s->get_value("ProfileImagePath")->get_data(); - }; - - ::rptMsg("Path : ".$path); - ::rptMsg("SID : ".$s->get_name()); - ::rptMsg("LastWrite : ".gmtime($s->get_timestamp())." 
(UTC)"); - - my $user; - if ($path) { - my @a = split(/\\/,$path); - my $end = scalar @a - 1; - $user = $a[$end]; - $profiles{$s->get_name()} = $user; - } - - my @load; - eval { - $load[0] = $s->get_value("ProfileLoadTimeLow")->get_data(); - $load[1] = $s->get_value("ProfileLoadTimeHigh")->get_data(); - }; - if (@load) { - my $loadtime = ::getTime($load[0],$load[1]); - ::rptMsg("LoadTime : ".gmtime($loadtime)." (UTC)"); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -# The following was added 20100219 - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - ::rptMsg("Domain Accounts"); - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next unless ($name =~ m/^S\-1/); - - (exists $profiles{$name}) ? (::rptMsg($name." [".$profiles{$name}."]")) - : (::rptMsg($name)); -# ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())); -# ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - -# Domain Cache? - eval { - my @cache = $key->get_subkey("DomainCache")->get_list_of_values(); - if (scalar @cache > 0) { - ::rptMsg(""); - ::rptMsg("DomainCache"); - foreach my $d (@cache) { - my $str = sprintf "%-15s %-20s",$d->get_name(),$d->get_data(); - ::rptMsg($str); - } - } - }; - - - } - else { - ::rptMsg($key_path." 
not found."); - } - - - -} +#----------------------------------------------------------- +# profilelist.pl +# Gets ProfileList subkeys and ProfileImagePath value; also +# gets the ProfileLoadTimeHigh and Low values, and translates them +# into a readable time +# +# History: +# 20100219 - updated to gather SpecialAccounts and domain +# user info +# 20080415 - created +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package profilelist; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100219); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get content of ProfileList key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + + my %profiles; + + ::logMsg("Launching profilelist v.".$VERSION); + ::rptMsg("profilelist v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\ProfileList"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $path; + eval { + $path = $s->get_value("ProfileImagePath")->get_data(); + }; + + ::rptMsg("Path : ".$path); + ::rptMsg("SID : ".$s->get_name()); + ::rptMsg("LastWrite : ".gmtime($s->get_timestamp())." 
(UTC)"); + + my $user; + if ($path) { + my @a = split(/\\/,$path); + my $end = scalar @a - 1; + $user = $a[$end]; + $profiles{$s->get_name()} = $user; + } + + my @load; + eval { + $load[0] = $s->get_value("ProfileLoadTimeLow")->get_data(); + $load[1] = $s->get_value("ProfileLoadTimeHigh")->get_data(); + }; + if (@load) { + my $loadtime = ::getTime($load[0],$load[1]); + ::rptMsg("LoadTime : ".gmtime($loadtime)." (UTC)"); + } + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + +# The following was added 20100219 + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + ::rptMsg("Domain Accounts"); + foreach my $s (@subkeys) { + my $name = $s->get_name(); + next unless ($name =~ m/^S\-1/); + + (exists $profiles{$name}) ? (::rptMsg($name." [".$profiles{$name}."]")) + : (::rptMsg($name)); +# ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())); +# ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + +# Domain Cache? + eval { + my @cache = $key->get_subkey("DomainCache")->get_list_of_values(); + if (scalar @cache > 0) { + ::rptMsg(""); + ::rptMsg("DomainCache"); + foreach my $d (@cache) { + my $str = sprintf "%-15s %-20s",$d->get_name(),$d->get_data(); + ::rptMsg($str); + } + } + }; + + + } + else { + ::rptMsg($key_path." not found."); + } + + + +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/proxysettings.pl b/RecentActivity/release/rr-full/plugins/proxysettings.pl index aeb47aa370..7864174ac5 100755 --- a/RecentActivity/release/rr-full/plugins/proxysettings.pl +++ b/RecentActivity/release/rr-full/plugins/proxysettings.pl 
@@ -1,72 +1,72 @@ -#----------------------------------------------------------- -# proxysettings.pl -# Plugin for Registry Ripper, -# Internet Explorer ProxySettings key parser -# -# Change history -# 20081224 - H. Carvey, updated sorting and printing routine -# -# -# copyright 2008 C. Bentley -#----------------------------------------------------------- -package proxysettings; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081224); - -sub getConfig{return %config} -sub getShortDescr {return "Gets contents of user's Proxy Settings";} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching proxysettings v.".$VERSION); - ::rptMsg("proxysettings v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ProxySettings"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %proxy; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - my $type = $v->get_type(); - $data = unpack("V",$data) if ($type == 3); - $proxy{$name} = $data; - } - foreach my $n (sort keys %proxy) { - my $str = sprintf " %-30s %-30s",$n,$proxy{$n}; - ::rptMsg($str); -# ::rptMsg(" ".$v->get_name()." ".$v->get_data()); - } - } - else { - ::rptMsg($key_path." key has no values."); - ::logMsg($key_path." key has no values."); - } - } - else { - ::rptMsg($key_path." hat key not found."); - ::logMsg($key_path." 
hat key not found."); - } -} +#----------------------------------------------------------- +# proxysettings.pl +# Plugin for Registry Ripper, +# Internet Explorer ProxySettings key parser +# +# Change history +# 20081224 - H. Carvey, updated sorting and printing routine +# +# +# copyright 2008 C. Bentley +#----------------------------------------------------------- +package proxysettings; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20081224); + +sub getConfig{return %config} +sub getShortDescr {return "Gets contents of user's Proxy Settings";} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching proxysettings v.".$VERSION); + ::rptMsg("proxysettings v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("ProxySettings"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %proxy; + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); + my $type = $v->get_type(); + $data = unpack("V",$data) if ($type == 3); + $proxy{$name} = $data; + } + foreach my $n (sort keys %proxy) { + my $str = sprintf " %-30s %-30s",$n,$proxy{$n}; + ::rptMsg($str); +# ::rptMsg(" ".$v->get_name()." ".$v->get_data()); + } + } + else { + ::rptMsg($key_path." key has no values."); + ::logMsg($key_path." key has no values."); + } + } + else { + ::rptMsg($key_path." hat key not found."); + ::logMsg($key_path." 
hat key not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/rdphint.pl b/RecentActivity/release/rr-full/plugins/rdphint.pl index 66cbc86351..dc43c11ab4 100755 --- a/RecentActivity/release/rr-full/plugins/rdphint.pl +++ b/RecentActivity/release/rr-full/plugins/rdphint.pl 
@@ -1,63 +1,63 @@ -#----------------------------------------------------------- -# rdphint.pl - http://www.regripper.net/ -# Gathers servers logged onto via RDP and last successful username -# -# by Brandon Nesbit, Trustwave -#----------------------------------------------------------- -package rdphint; -use strict; - -my %config = (hive => "NTUSER", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090715); - -sub getConfig{return %config} -sub getShortDescr { return "Gets hosts logged onto via RDP and the Domain\\Username";} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching rdphint v.".$VERSION); - ::rptMsg("rdphint v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Terminal Server Client\\Servers"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $path; - eval { - $path = $s->get_value("UsernameHint")->get_data(); - }; - ::rptMsg(""); - ::rptMsg("Hostname: ".$s->get_name()); - ::rptMsg("Domain/Username: ".$path); - ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())." (UTC)"); - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# rdphint.pl - http://www.regripper.net/ +# Gathers servers logged onto via RDP and last successful username +# +# by Brandon Nesbit, Trustwave +#----------------------------------------------------------- +package rdphint; +use strict; + +my %config = (hive => "NTUSER", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090715); + +sub getConfig{return %config} +sub getShortDescr { return "Gets hosts logged onto via RDP and the Domain\\Username";} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching rdphint v.".$VERSION); + ::rptMsg("rdphint v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Terminal Server Client\\Servers"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $path; + eval { + $path = $s->get_value("UsernameHint")->get_data(); + }; + ::rptMsg(""); + ::rptMsg("Hostname: ".$s->get_name()); + ::rptMsg("Domain/Username: ".$path); + ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())." (UTC)"); + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/rdpport.pl b/RecentActivity/release/rr-full/plugins/rdpport.pl index 49425060ba..9213abd731 100755 
--- a/RecentActivity/release/rr-full/plugins/rdpport.pl +++ b/RecentActivity/release/rr-full/plugins/rdpport.pl 
@@ -1,61 +1,61 @@ -#----------------------------------------------------------- -# rdpport.pl -# Determine the RDP Port used -# -# History -# 20100713 - created -# -# References -# http://support.microsoft.com/kb/306759 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package rdpport; -use strict; -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100713); - -sub getConfig{return %config} -sub getShortDescr { - return "Queries System hive for RDP Port"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my $key; - - ::logMsg("Launching rdpport v.".$VERSION); - ::rptMsg("rdpport v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $ccs = $root_key->get_subkey("Select")->get_value("Current")->get_data(); - my $key_path = "ControlSet00".$ccs."\\Control\\Terminal Server\\WinStations\\RDP-Tcp"; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("rdpport v.".$VERSION); - ::rptMsg(""); - my $port; - eval { - $port = $key->get_value("PortNumber")->get_data(); - ::rptMsg("Remote Desktop Listening Port Number = ".$port); - }; - ::rptMsg("Error getting PortNumber: ".$@) if ($@); - - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# rdpport.pl +# Determine the RDP Port used +# +# History +# 20100713 - created +# +# References +# http://support.microsoft.com/kb/306759 +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package rdpport; +use strict; +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100713); + +sub getConfig{return %config} +sub getShortDescr { + return "Queries System hive for RDP Port"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my $key; + + ::logMsg("Launching rdpport v.".$VERSION); + ::rptMsg("rdpport v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $ccs = $root_key->get_subkey("Select")->get_value("Current")->get_data(); + my $key_path = "ControlSet00".$ccs."\\Control\\Terminal Server\\WinStations\\RDP-Tcp"; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("rdpport v.".$VERSION); + ::rptMsg(""); + my $port; + eval { + $port = $key->get_value("PortNumber")->get_data(); + ::rptMsg("Remote Desktop Listening Port Number = ".$port); + }; + ::rptMsg("Error getting PortNumber: ".$@) if ($@); + + } + else { + ::rptMsg($key_path." not found."); + } +} 1 \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/realplayer6.pl b/RecentActivity/release/rr-full/plugins/realplayer6.pl index bdf0db0605..f56a58d132 100755 --- a/RecentActivity/release/rr-full/plugins/realplayer6.pl +++ b/RecentActivity/release/rr-full/plugins/realplayer6.pl 
@@ -1,80 +1,80 @@ -#----------------------------------------------------------- -# realplayer6.pl -# Plugin for Registry Ripper -# Get Real Player 6 MostRecentClipsx values -# -# Change history -# -# -# References -# -# Note: LastWrite times on c subkeys will all be the same, -# as each subkey is modified as when a new entry is added -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package realplayer6; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's RealPlayer v6 MostRecentClips\(Default) values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching realplayer6 v.".$VERSION); - ::rptMsg("realplayer6 v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\RealNetworks\\RealPlayer\\6.0\\Preferences"; - my $key = $root_key->get_subkey($key_path); - if ($key) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my %rpkeys; - my $tag = "MostRecentClips"; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - if ($name =~ m/^$tag/) { - my $num = $name; - $num =~ s/$tag//; - $rpkeys{$num}{name} = $name; - $rpkeys{$num}{data} = $s->get_value('')->get_data(); - $rpkeys{$num}{lastwrite} = $s->get_timestamp(); - } - } - foreach my $k (sort keys %rpkeys) { - ::rptMsg("\t".$rpkeys{$k}{name}." -> ".$rpkeys{$k}{data}); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." 
has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# realplayer6.pl +# Plugin for Registry Ripper +# Get Real Player 6 MostRecentClipsx values +# +# Change history +# +# +# References +# +# Note: LastWrite times on c subkeys will all be the same, +# as each subkey is modified as when a new entry is added +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package realplayer6; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's RealPlayer v6 MostRecentClips\(Default) values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching realplayer6 v.".$VERSION); + ::rptMsg("realplayer6 v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\RealNetworks\\RealPlayer\\6.0\\Preferences"; + my $key = $root_key->get_subkey($key_path); + if ($key) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my %rpkeys; + my $tag = "MostRecentClips"; + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + if ($name =~ m/^$tag/) { + my $num = $name; + $num =~ s/$tag//; + $rpkeys{$num}{name} = $name; + $rpkeys{$num}{data} = $s->get_value('')->get_data(); + $rpkeys{$num}{lastwrite} = $s->get_timestamp(); + } + } + foreach my $k (sort keys %rpkeys) { + ::rptMsg("\t".$rpkeys{$k}{name}." 
-> ".$rpkeys{$k}{data}); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/realvnc.pl b/RecentActivity/release/rr-full/plugins/realvnc.pl index 18a1d2a6ab..77a35aa36a 100755 --- a/RecentActivity/release/rr-full/plugins/realvnc.pl +++ b/RecentActivity/release/rr-full/plugins/realvnc.pl 
@@ -1,77 +1,77 @@ -#----------------------------------------------------------- -# realvnc.pl -# Plugin to get RealVNC MRU listings from NTUSER.DAT -# -# Change history -# 20091125 - created -# -# References -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package realvnc; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091125); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's RealVNC MRU listing"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching realvnc v.".$VERSION); - ::rptMsg("realvnc v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\RealVNC\\VNCViewer4\\MRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %mru; - my @order; - foreach my $v (@vals) { - $mru{$v->get_name()} = $v->get_data(); - } - - if (exists($mru{Order})) { - @order = unpack("C*",$mru{Order}); -# List systems connected to based on Order MRU value - ::rptMsg("*Systems output in \"Order\" sequence"); - foreach my $i (0..scalar(@order) - 1) { - $order[$i] = "0".$order[$i] if ($order[$i] < 10); - ::rptMsg(" ".$order[$i]." -> ".$mru{$order[$i]}); - } - } - else { - ::rptMsg("Could not find Order value."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# realvnc.pl +# Plugin to get RealVNC MRU listings from NTUSER.DAT +# +# Change history +# 20091125 - created +# +# References +# +# copyright 2009 H. Carvey +#----------------------------------------------------------- +package realvnc; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20091125); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's RealVNC MRU listing"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching realvnc v.".$VERSION); + ::rptMsg("realvnc v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\RealVNC\\VNCViewer4\\MRU'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %mru; + my @order; + foreach my $v (@vals) { + $mru{$v->get_name()} = $v->get_data(); + } + + if (exists($mru{Order})) { + @order = unpack("C*",$mru{Order}); +# List systems connected to based on Order MRU value + ::rptMsg("*Systems output in \"Order\" sequence"); + foreach my $i (0..scalar(@order) - 1) { + $order[$i] = "0".$order[$i] if ($order[$i] < 10); + ::rptMsg(" ".$order[$i]." -> ".$mru{$order[$i]}); + } + } + else { + ::rptMsg("Could not find Order value."); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr-full/plugins/recentdocs.pl b/RecentActivity/release/rr-full/plugins/recentdocs.pl index ef44a1766b..b8f95b7f4f 100755 --- a/RecentActivity/release/rr-full/plugins/recentdocs.pl +++ b/RecentActivity/release/rr-full/plugins/recentdocs.pl 
@@ -1,163 +1,163 @@ -#----------------------------------------------------------- -# recentdocs.pl -# Plugin for Registry Ripper -# Parses RecentDocs keys/values in NTUSER.DAT -# -# Change history -# 20100405 - Updated to use Encode::decode to translate strings -# 20090115 - Minor update to keep plugin from printing terminating -# MRUListEx value of 0xFFFFFFFF -# 20080418 - Minor update to address NTUSER.DAT files that have -# MRUList values in this key, rather than MRUListEx -# values -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package recentdocs; -use strict; -use Encode; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100405); - -sub getShortDescr { - return "Gets contents of user's RecentDocs key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching recentdocs v.".$VERSION); - ::rptMsg("recentdocs v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("RecentDocs"); - ::rptMsg("**All values printed in MRUList\\MRUListEx order."); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); -# Get RecentDocs values - my %rdvals = getRDValues($key); - if (%rdvals) { - my $tag; - if (exists $rdvals{"MRUListEx"}) { - $tag = "MRUListEx"; - } - elsif (exists $rdvals{"MRUList"}) { - $tag = "MRUList"; - } - else { - - } - - my @list = split(/,/,$rdvals{$tag}); - foreach my $i (@list) { - ::rptMsg(" ".$i." 
= ".$rdvals{$i}); - } - ::rptMsg(""); - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg("Error: ".$key_path." has no values."); - } -# Get RecentDocs subkeys' values - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); - - my %rdvals = getRDValues($s); - if (%rdvals) { - my $tag; - if (exists $rdvals{"MRUListEx"}) { - $tag = "MRUListEx"; - } - elsif (exists $rdvals{"MRUList"}) { - $tag = "MRUList"; - } - else { - - } - - my @list = split(/,/,$rdvals{$tag}); - ::rptMsg($tag." = ".$rdvals{$tag}); - foreach my $i (@list) { - ::rptMsg(" ".$i." = ".$rdvals{$i}); - } - - ::rptMsg(""); - } - else { - ::rptMsg($key_path." has no values."); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - - -sub getRDValues { - my $key = shift; - - my $mru = "MRUList"; - my %rdvals; - - my @vals = $key->get_list_of_values(); - if (scalar @vals > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - if ($name =~ m/^$mru/) { - my @mru; - if ($name eq "MRUList") { - @mru = split(//,$data); - } - elsif ($name eq "MRUListEx") { - @mru = unpack("V*",$data); - } -# Horrible, ugly cludge; the last, terminating value in MRUListEx -# is 0xFFFFFFFF, so we remove it. 
- pop(@mru); - $rdvals{$name} = join(',',@mru); - } - else { -# New code - $data = decode("ucs-2le", $data); - my $file = (split(/\00/,$data))[0]; -# my $file = (split(/\00\00/,$data))[0]; -# $file =~ s/\00//g; - $rdvals{$name} = $file; - } - } - return %rdvals; - } - else { - return undef; - } -} - +#----------------------------------------------------------- +# recentdocs.pl +# Plugin for Registry Ripper +# Parses RecentDocs keys/values in NTUSER.DAT +# +# Change history +# 20100405 - Updated to use Encode::decode to translate strings +# 20090115 - Minor update to keep plugin from printing terminating +# MRUListEx value of 0xFFFFFFFF +# 20080418 - Minor update to address NTUSER.DAT files that have +# MRUList values in this key, rather than MRUListEx +# values +# +# References +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package recentdocs; +use strict; +use Encode; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100405); + +sub getShortDescr { + return "Gets contents of user's RecentDocs key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching recentdocs v.".$VERSION); + ::rptMsg("recentdocs v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("RecentDocs"); + ::rptMsg("**All values printed in MRUList\\MRUListEx order."); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); +# Get RecentDocs values + my %rdvals = getRDValues($key); + if (%rdvals) { + my $tag; + if (exists $rdvals{"MRUListEx"}) { + $tag = "MRUListEx"; + } + elsif (exists $rdvals{"MRUList"}) { + $tag = "MRUList"; + } + else { + + } + + my @list = split(/,/,$rdvals{$tag}); + foreach my $i (@list) { + ::rptMsg(" ".$i." = ".$rdvals{$i}); + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg("Error: ".$key_path." has no values."); + } +# Get RecentDocs subkeys' values + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($key_path."\\".$s->get_name()); + ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); + + my %rdvals = getRDValues($s); + if (%rdvals) { + my $tag; + if (exists $rdvals{"MRUListEx"}) { + $tag = "MRUListEx"; + } + elsif (exists $rdvals{"MRUList"}) { + $tag = "MRUList"; + } + else { + + } + + my @list = split(/,/,$rdvals{$tag}); + ::rptMsg($tag." = ".$rdvals{$tag}); + foreach my $i (@list) { + ::rptMsg(" ".$i." = ".$rdvals{$i}); + } + + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no values."); + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + + +sub getRDValues { + my $key = shift; + + my $mru = "MRUList"; + my %rdvals; + + my @vals = $key->get_list_of_values(); + if (scalar @vals > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); + if ($name =~ m/^$mru/) { + my @mru; + if ($name eq "MRUList") { + @mru = split(//,$data); + } + elsif ($name eq "MRUListEx") { + @mru = unpack("V*",$data); + } +# Horrible, ugly cludge; the last, terminating value in MRUListEx +# is 0xFFFFFFFF, so we remove it. 
+ pop(@mru); + $rdvals{$name} = join(',',@mru); + } + else { +# New code + $data = decode("ucs-2le", $data); + my $file = (split(/\00/,$data))[0]; +# my $file = (split(/\00\00/,$data))[0]; +# $file =~ s/\00//g; + $rdvals{$name} = $file; + } + } + return %rdvals; + } + else { + return undef; + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/regtime.pl b/RecentActivity/release/rr-full/plugins/regtime.pl index eb2e0d1e05..9e60779534 100755 --- a/RecentActivity/release/rr-full/plugins/regtime.pl +++ b/RecentActivity/release/rr-full/plugins/regtime.pl 
@@ -1,66 +1,66 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# regtime.pl -# Plugin for Registry Ripper; traverses through a Registry -# hive file, pulling out keys and their LastWrite times, and -# then listing them in order, sorted by the most recent time -# first - works with any Registry hive file. -# -# Change history -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package regtime; -use strict; - -my %config = (hive => "All", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Dumps entire hive - all keys sorted by LastWrite time"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %regkeys; - -sub pluginmain { - my $class = shift; - my $file = shift; - my $reg = Parse::Win32Registry->new($file); - my $root_key = $reg->get_root_key; - ::logMsg("Launching regtime v.".$VERSION); - ::rptMsg("regtime v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - traverse($root_key); - - foreach my $t (reverse sort {$a <=> $b} keys %regkeys) { - foreach my $item (@{$regkeys{$t}}) { - ::rptMsg(gmtime($t)."Z \t".$item); - } - } -} - -sub traverse { - my $key = shift; - my $ts = $key->get_timestamp(); - my $name = $key->as_string(); - $name =~ s/\$\$\$PROTO\.HIV//; - $name = (split(/\[/,$name))[0]; - push(@{$regkeys{$ts}},$name); - foreach my $subkey ($key->get_list_of_subkeys()) { - traverse($subkey); - } -} - +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# regtime.pl +# Plugin for Registry Ripper; traverses through a Registry +# hive file, pulling out keys and their LastWrite times, and +# then listing them in order, sorted by the most recent time +# first - works with any Registry hive file. 
+# +# Change history +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package regtime; +use strict; + +my %config = (hive => "All", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Dumps entire hive - all keys sorted by LastWrite time"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %regkeys; + +sub pluginmain { + my $class = shift; + my $file = shift; + my $reg = Parse::Win32Registry->new($file); + my $root_key = $reg->get_root_key; + ::logMsg("Launching regtime v.".$VERSION); + ::rptMsg("regtime v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + traverse($root_key); + + foreach my $t (reverse sort {$a <=> $b} keys %regkeys) { + foreach my $item (@{$regkeys{$t}}) { + ::rptMsg(gmtime($t)."Z \t".$item); + } + } +} + +sub traverse { + my $key = shift; + my $ts = $key->get_timestamp(); + my $name = $key->as_string(); + $name =~ s/\$\$\$PROTO\.HIV//; + $name = (split(/\[/,$name))[0]; + push(@{$regkeys{$ts}},$name); + foreach my $subkey ($key->get_list_of_subkeys()) { + traverse($subkey); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/renocide.pl b/RecentActivity/release/rr-full/plugins/renocide.pl index bda30e7307..eb9b2ff458 100755 --- a/RecentActivity/release/rr-full/plugins/renocide.pl +++ b/RecentActivity/release/rr-full/plugins/renocide.pl 
@@ -1,69 +1,69 @@ -#----------------------------------------------------------- -# renocide.pl -# Plugin to assist in the detection of malware per MMPC -# blog post (References, below) -# -# Change History: -# 20130425 - added alertMsg() functionality -# 20110309 - created -# -# References -# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Renocide -# -# copyright 2013 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package renocide; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20130425); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check for Renocide malware"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching renocide v.".$VERSION); - ::rptMsg("renocide v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\DRM\\amty"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("renocide"); - ::rptMsg($key_path); - ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - ::rptMst($key_path." found; possible Win32\\Renocide infection\."); - ::alertMsg($key_path." found; possible Win32\\Renocide infection\."); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(sprintf "%-12s %-20s",$v->get_name(),$v->get_data()); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# renocide.pl +# Plugin to assist in the detection of malware per MMPC +# blog post (References, below) +# +# Change History: +# 20130425 - added alertMsg() functionality +# 20110309 - created +# +# References +# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Renocide +# +# copyright 2013 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package renocide; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130425); + +sub getConfig{return %config} + +sub getShortDescr { + return "Check for Renocide malware"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching renocide v.".$VERSION); + ::rptMsg("renocide v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\DRM\\amty"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("renocide"); + ::rptMsg($key_path); + ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); + ::rptMsg(""); + ::rptMst($key_path." found; possible Win32\\Renocide infection\."); + ::alertMsg($key_path." found; possible Win32\\Renocide infection\."); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + ::rptMsg(sprintf "%-12s %-20s",$v->get_name(),$v->get_data()); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file 
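Review bot: `::rptMst($key_path." found; possible Win32\\Renocide infection\.")` in the found branch is a typo for `::rptMsg`; calling the undefined `main::rptMst` is a runtime error, so the plugin dies exactly in the case it exists to detect (the `Microsoft\DRM\amty` key is present) and never reaches the following `::alertMsg` or the value dump. Fix: `::rptMsg($key_path." found; possible Win32\\Renocide infection\.");`. The `\.` escape inside a double-quoted string is also unnecessary (it yields a plain `.`) and can be dropped from both lines. The defect is carried over unchanged by this line-ending rewrite.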
diff --git a/RecentActivity/release/rr-full/plugins/routes.pl b/RecentActivity/release/rr-full/plugins/routes.pl index b557740a64..c3a6ffa8f5 100755 --- a/RecentActivity/release/rr-full/plugins/routes.pl +++ b/RecentActivity/release/rr-full/plugins/routes.pl 
@@ -1,83 +1,83 @@ -#----------------------------------------------------------- -# routes.pl -# -# Some malware is known to create persistent routes -# -# Change History: -# 20100817 - created -# -# Ref: -# http://support.microsoft.com/kb/141383 -# http://www.symantec.com/security_response/writeup.jsp?docid= -# 2010-041308-3301-99&tabid=2 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package routes; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100817); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get persistent routes"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching routes v.".$VERSION); - ::rptMsg("routes v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - - my $sb_path = $ccs."\\Services\\Tcpip\\Parameters\\PersistentRoutes"; - - my $sb; - if ($sb = $root_key->get_subkey($sb_path)) { - ::rptMsg($sb_path); - ::rptMsg("LastWrite: ".gmtime($sb->get_timestamp())); - ::rptMsg(""); - my @vals = $sb->get_list_of_values(); - - if (scalar(@vals) > 0) { - ::rptMsg(sprintf "%-15s %-15s %-15s %-5s","Address","Netmask","Gateway","Metric"); - foreach my $v (@vals) { - my ($addr,$netmask,$gateway,$metric) = split(/,/,$v->get_name(),4); - ::rptMsg(sprintf "%-15s %-15s %-15s %-5s",$addr,$netmask,$gateway,$metric); - } - } - else { - ::rptMsg($sb_path." 
has no values."); - } - } - else { - ::rptMsg($sb_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# routes.pl +# +# Some malware is known to create persistent routes +# +# Change History: +# 20100817 - created +# +# Ref: +# http://support.microsoft.com/kb/141383 +# http://www.symantec.com/security_response/writeup.jsp?docid= +# 2010-041308-3301-99&tabid=2 +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package routes; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100817); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get persistent routes"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching routes v.".$VERSION); + ::rptMsg("routes v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + + my $sb_path = $ccs."\\Services\\Tcpip\\Parameters\\PersistentRoutes"; + + my $sb; + if ($sb = $root_key->get_subkey($sb_path)) { + ::rptMsg($sb_path); + ::rptMsg("LastWrite: ".gmtime($sb->get_timestamp())); + ::rptMsg(""); + my @vals = $sb->get_list_of_values(); + + if (scalar(@vals) > 0) { + ::rptMsg(sprintf "%-15s %-15s %-15s %-5s","Address","Netmask","Gateway","Metric"); + foreach my $v (@vals) { + my ($addr,$netmask,$gateway,$metric) = split(/,/,$v->get_name(),4); + ::rptMsg(sprintf 
"%-15s %-15s %-15s %-5s",$addr,$netmask,$gateway,$metric); + } + } + else { + ::rptMsg($sb_path." has no values."); + } + } + else { + ::rptMsg($sb_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/runmru.pl b/RecentActivity/release/rr-full/plugins/runmru.pl index f321cd91c8..2042f63d62 100755 --- a/RecentActivity/release/rr-full/plugins/runmru.pl +++ b/RecentActivity/release/rr-full/plugins/runmru.pl 
@@ -1,74 +1,74 @@ -#----------------------------------------------------------- -# runmru.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# RunMru values -# -# Change history -# 20080324 - created -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package runmru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's RunMRU key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching runmru v.".$VERSION); - ::rptMsg("runmru v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("RunMru"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - my %runvals; - my $mru; - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - $runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i); - $mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i); - } - ::rptMsg("MRUList = ".$mru); - foreach my $r (sort keys %runvals) { - ::rptMsg($r." ".$runvals{$r}); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# runmru.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# RunMru values +# +# Change history +# 20080324 - created +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package runmru; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's RunMRU key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching runmru v.".$VERSION); + ::rptMsg("runmru v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("RunMru"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + my %runvals; + my $mru; + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + $runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i); + $mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i); + } + ::rptMsg("MRUList = ".$mru); + foreach my $r (sort keys %runvals) { + ::rptMsg($r." ".$runvals{$r}); + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr-full/plugins/runmru_tln.pl b/RecentActivity/release/rr-full/plugins/runmru_tln.pl index f4f1024376..b36f1ebecc 100755 --- a/RecentActivity/release/rr-full/plugins/runmru_tln.pl +++ b/RecentActivity/release/rr-full/plugins/runmru_tln.pl 
@@ -1,72 +1,72 @@ -#----------------------------------------------------------- -# runmru_tln.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# RunMru values -# -# Change history -# 20120828 - updated to TLN format -# 20080324 - created -# -# References -# -# -# copyright 2012 Quantum Analytics Research, LLC -# Author: H. Carvey -#----------------------------------------------------------- -package runmru_tln; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20120828); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's RunMRU key (TLN)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching runmru v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("RunMru"); -# ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my $lw = $key->get_timestamp(); - my @vals = $key->get_list_of_values(); - my %runvals; - my $mru; - if (scalar(@vals) > 0) { - my $mru; - eval { - my $m = $key->get_value("MRUList")->get_data(); - my $r = (split(//,$m))[0]; - $mru = $key->get_value($r)->get_data(); - ::rptMsg($lw."|REG|||RunMRU: ".$mru); - }; - } - else { -# ::rptMsg($key_path." has no values."); - } - } - else { -# ::rptMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# runmru_tln.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# RunMru values +# +# Change history +# 20120828 - updated to TLN format +# 20080324 - created +# +# References +# +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey +#----------------------------------------------------------- +package runmru_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120828); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's RunMRU key (TLN)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching runmru v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("RunMru"); +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my $lw = $key->get_timestamp(); + my @vals = $key->get_list_of_values(); + my %runvals; + my $mru; + if (scalar(@vals) > 0) { + my $mru; + eval { + my $m = $key->get_value("MRUList")->get_data(); + my $r = (split(//,$m))[0]; + $mru = $key->get_value($r)->get_data(); + ::rptMsg($lw."|REG|||RunMRU: ".$mru); + }; + } + else { +# ::rptMsg($key_path." has no values."); + } + } + else { +# ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/safeboot.pl b/RecentActivity/release/rr-full/plugins/safeboot.pl index 7a56f548d1..2ec36fd3cc 100755 --- a/RecentActivity/release/rr-full/plugins/safeboot.pl 
+++ b/RecentActivity/release/rr-full/plugins/safeboot.pl 
@@ -1,106 +1,106 @@ -#----------------------------------------------------------- -# safeboot.pl -# -# Some malware is known to maintain persistence, even when the system -# is booted to SafeMode by writing entries to the SafeBoot subkeys -# ex: http://www.symantec.com/security_response/writeup.jsp? -# docid=2008-011507-0108-99&tabid=2 -# -# Ref: -# http://support.microsoft.com/kb/315222 -# http://support.microsoft.com/kb/202485/ -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package safeboot; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081216); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check SafeBoot entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching safeboot v.".$VERSION); - ::rptMsg("safeboot v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - - my $sb_path = $ccs."\\Control\\SafeBoot"; - my $sb; - if ($sb = $root_key->get_subkey($sb_path)) { - - my @sks = $sb->get_list_of_subkeys(); - - if (scalar(@sks) > 0) { - - foreach my $s (@sks) { - my $name = $s->get_name(); - my $ts = $s->get_timestamp(); - ::rptMsg($name." [".gmtime($ts)." 
Z]"); - my %sk; - my @subkeys = $s->get_list_of_subkeys(); - - if (scalar(@subkeys) > 0) { - foreach my $s2 (@subkeys) { - my $str; - my $default; - eval { - $default = $s2->get_value("")->get_data(); - }; - ($@)?($str = $s2->get_name()):($str = $s2->get_name()." (".$default.")"); - push(@{$sk{$s2->get_timestamp()}},$str); - } - - foreach my $t (sort keys %sk) { - ::rptMsg(gmtime($t)." Z"); - foreach my $i (@{$sk{$t}}) { - ::rptMsg(" ".$i); - } - } - ::rptMsg(""); - } - else { - ::rptMsg($name." has no subkeys."); - } - } - } - else { - ::rptMsg($sb_path." has no subkeys."); - } - } - else { - ::rptMsg($sb_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); -# ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# safeboot.pl +# +# Some malware is known to maintain persistence, even when the system +# is booted to SafeMode by writing entries to the SafeBoot subkeys +# ex: http://www.symantec.com/security_response/writeup.jsp? +# docid=2008-011507-0108-99&tabid=2 +# +# Ref: +# http://support.microsoft.com/kb/315222 +# http://support.microsoft.com/kb/202485/ +# +# copyright 2008-2009 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package safeboot; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20081216); + +sub getConfig{return %config} + +sub getShortDescr { + return "Check SafeBoot entries"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching safeboot v.".$VERSION); + ::rptMsg("safeboot v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + + my $sb_path = $ccs."\\Control\\SafeBoot"; + my $sb; + if ($sb = $root_key->get_subkey($sb_path)) { + + my @sks = $sb->get_list_of_subkeys(); + + if (scalar(@sks) > 0) { + + foreach my $s (@sks) { + my $name = $s->get_name(); + my $ts = $s->get_timestamp(); + ::rptMsg($name." [".gmtime($ts)." Z]"); + my %sk; + my @subkeys = $s->get_list_of_subkeys(); + + if (scalar(@subkeys) > 0) { + foreach my $s2 (@subkeys) { + my $str; + my $default; + eval { + $default = $s2->get_value("")->get_data(); + }; + ($@)?($str = $s2->get_name()):($str = $s2->get_name()." (".$default.")"); + push(@{$sk{$s2->get_timestamp()}},$str); + } + + foreach my $t (sort keys %sk) { + ::rptMsg(gmtime($t)." Z"); + foreach my $i (@{$sk{$t}}) { + ::rptMsg(" ".$i); + } + } + ::rptMsg(""); + } + else { + ::rptMsg($name." has no subkeys."); + } + } + } + else { + ::rptMsg($sb_path." has no subkeys."); + } + } + else { + ::rptMsg($sb_path." 
not found."); + } + } + else { + ::rptMsg($key_path." not found."); +# ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/samparse.pl b/RecentActivity/release/rr-full/plugins/samparse.pl index a47766e822..60ec4f1dfe 100755 --- a/RecentActivity/release/rr-full/plugins/samparse.pl +++ b/RecentActivity/release/rr-full/plugins/samparse.pl 
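Review bot: `foreach my $t (sort keys %sk)` sorts the SafeBoot subkey timestamps as strings, so epoch values with different digit counts (anything before Sep 2001 versus later) come out in the wrong order; use `foreach my $t (sort {$a <=> $b} keys %sk)` so entries are listed chronologically. The same `"ControlSet00".$current` construction as in the other System-hive plugins only resolves `Current` values 1–9, and `$key->get_value("Current")->get_data()` dies rather than reporting when `Select\Current` is missing; `sprintf("ControlSet%03d",$current)` plus a check that `get_value("Current")` returned a value fixes both. This line-ending rewrite carries the code over unchanged.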
@@ -1,330 +1,330 @@ -#----------------------------------------------------------- -# samparse.pl -# Parse the SAM hive file for user/group membership info -# -# Change history: -# 20120722 - updated %config hash -# 20110303 - Fixed parsing of SID, added check for account type -# Acct type determined based on Dustin Hulburt's "Forensic -# Determination of a User's Logon Status in Windows" -# from 10 Aug 2009 (link below) -# 20100712 - Added References entry -# 20091020 - Added extracting UserPasswordHint value -# 20090413 - Added account creation date -# 20080415 - created -# -# References -# Source available here: http://pogostick.net/~pnh/ntpasswd/ -# http://accessdata.com/downloads/media/Forensic_Determination_Users_Logon_Status.pdf -# -# copyright 2012 Quantum Analytics Research, LLC -# Author: H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package samparse; -use strict; - -my %config = (hive => "SAM", - hivemask => 2, - output => "report", - category => "", - osmask => 63, #XP - Win8 - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20120722); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parse SAM file for user & group mbrshp info"; -} -sub getDescr{} -sub getRefs { - my %refs = ("Well-known SIDs" => "http://support.microsoft.com/kb/243330"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %acb_flags = (0x0001 => "Account Disabled", - 0x0002 => "Home directory required", - 0x0004 => "Password not required", - 0x0008 => "Temporary duplicate account", - 0x0010 => "Normal user account", - 0x0020 => "MNS logon user account", - 0x0040 => "Interdomain trust account", - 0x0080 => "Workstation trust account", - 0x0100 => "Server trust account", - 0x0200 => "Password does not expire", - 0x0400 => "Account auto locked"); - -my %types = (0xbc => "Default Admin User", - 0xd4 => "Custom Limited Acct", - 
0xb0 => "Default Guest Acct"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching samparse v.".$VERSION); - ::rptMsg("samparse v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - ::rptMsg(""); -# Get user information - ::rptMsg("User Information"); - ::rptMsg("-" x 25); - my $key_path = 'SAM\\Domains\\Account\\Users'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @user_list = $key->get_list_of_subkeys(); - if (scalar(@user_list) > 0) { - foreach my $u (@user_list) { - my $rid = $u->get_name(); - my $ts = $u->get_timestamp(); - my $tag = "0000"; - if ($rid =~ m/^$tag/) { - my $v_value = $u->get_value("V"); - my $v = $v_value->get_data(); - my %v_val = parseV($v); - $rid =~ s/^0000//; - $rid = hex($rid); - - my $c_date; - eval { - my $create_path = $key_path."\\Names\\".$v_val{name}; - if (my $create = $root_key->get_subkey($create_path)) { - $c_date = $create->get_timestamp(); - } - }; - - ::rptMsg("Username : ".$v_val{name}." [".$rid."]"); - ::rptMsg("Full Name : ".$v_val{fullname}); - ::rptMsg("User Comment : ".$v_val{comment}); - ::rptMsg("Account Type : ".$v_val{type}); - ::rptMsg("Account Created : ".gmtime($c_date)." Z") if ($c_date > 0); - - my $f_value = $u->get_value("F"); - my $f = $f_value->get_data(); - my %f_val = parseF($f); - - my $lastlogin; - my $pwdreset; - my $pwdfail; - ($f_val{last_login_date} == 0) ? ($lastlogin = "Never") : ($lastlogin = gmtime($f_val{last_login_date})." Z"); - ($f_val{pwd_reset_date} == 0) ? ($pwdreset = "Never") : ($pwdreset = gmtime($f_val{pwd_reset_date})." Z"); - ($f_val{pwd_fail_date} == 0) ? ($pwdfail = "Never") : ($pwdfail = gmtime($f_val{pwd_fail_date})." 
Z"); - - my $pw_hint; - eval { - $pw_hint = $u->get_value("UserPasswordHint")->get_data(); - $pw_hint =~ s/\00//g; - }; - ::rptMsg("Password Hint : ".$pw_hint) unless ($@); - ::rptMsg("Last Login Date : ".$lastlogin); - ::rptMsg("Pwd Reset Date : ".$pwdreset); - ::rptMsg("Pwd Fail Date : ".$pwdfail); - ::rptMsg("Login Count : ".$f_val{login_count}); - foreach my $flag (keys %acb_flags) { - ::rptMsg(" --> ".$acb_flags{$flag}) if ($f_val{acb_flags} & $flag); - } - ::rptMsg(""); - } - } - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - ::rptMsg("-" x 25); - ::rptMsg("Group Membership Information"); - ::rptMsg("-" x 25); -# Get Group membership information - my $key_path = 'SAM\\Domains\\Builtin\\Aliases'; - if ($key = $root_key->get_subkey($key_path)) { - my %grps; - my @groups = $key->get_list_of_subkeys(); - if (scalar(@groups) > 0) { - foreach my $k (@groups) { - my $name = $k->get_name(); - if ($name =~ m/^0000/) { - $grps{$name}{LastWrite} = $k->get_timestamp(); - $grps{$name}{C_value} = $k->get_value("C")->get_data(); - } - } - - foreach my $k (keys %grps) { - my $name = $k; - $name =~ s/^0000//; - my %c_val = parseC($grps{$k}{C_value}); - ::rptMsg("Group Name : ".$c_val{group_name}." [".$c_val{num_users}."]"); - ::rptMsg("LastWrite : ".gmtime($grps{$k}{LastWrite})." 
Z"); - ::rptMsg("Group Comment : ".$c_val{comment}); - if ($c_val{num_users} == 0) { - ::rptMsg("Users : None"); - }else { - my %users = parseCUsers($grps{$k}{C_value}); - if (scalar(keys %users) != $c_val{num_users}) { - ::logMsg("parseC function reports ".$c_val{num_users}."; parseCUsers function returned ".(scalar(keys %users))); - } - ::rptMsg("Users :"); - foreach my $u (keys %users) { - ::rptMsg(" ".$u); - } - - } - ::rptMsg(""); - } - ::rptMsg("Analysis Tips:"); - ::rptMsg(" - For well-known SIDs, see http://support.microsoft.com/kb/243330"); - ::rptMsg(" - S-1-5-4 = Interactive"); - ::rptMsg(" - S-1-5-11 = Authenticated Users"); - ::rptMsg(" - Correlate the user SIDs to the output of the ProfileList plugin"); - ::rptMsg(""); - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -sub parseF { - my $f = shift; - my %f_value = (); - my @tv; -# last login date - @tv = unpack("VV",substr($f,8,8)); - $f_value{last_login_date} = ::getTime($tv[0],$tv[1]); -# password reset/acct creation - @tv = unpack("VV",substr($f,24,8)); - $f_value{pwd_reset_date} = ::getTime($tv[0],$tv[1]); -# Account expires - @tv = unpack("VV",substr($f,32,8)); - $f_value{acct_exp_date} = ::getTime($tv[0],$tv[1]); -# Incorrect password - @tv = unpack("VV",substr($f,40,8)); - $f_value{pwd_fail_date} = ::getTime($tv[0],$tv[1]); - $f_value{rid} = unpack("V",substr($f,48,4)); - $f_value{acb_flags} = unpack("v",substr($f,56,2)); - $f_value{failed_count} = unpack("v",substr($f,64,2)); - $f_value{login_count} = unpack("v",substr($f,66,2)); - return %f_value; -} - -sub parseV { - my $v = shift; - my %v_val = (); - my $header = substr($v,0,44); - my @vals = unpack("V*",$header); - $v_val{type} = $types{$vals[1]}; - $v_val{name} = _uniToAscii(substr($v,($vals[3] + 0xCC),$vals[4])); - $v_val{fullname} = _uniToAscii(substr($v,($vals[6] + 0xCC),$vals[7])) if 
($vals[7] > 0);
- $v_val{comment} = _uniToAscii(substr($v,($vals[9] + 0xCC),$vals[10])) if ($vals[10] > 0);
- return %v_val;
-}
-
-sub parseC {
- my $cv = $_[0];
- my %c_val = ();
- my $header = substr($cv,0,0x34);
- my @vals = unpack("V*",$header);
-
- $c_val{group_name} = _uniToAscii(substr($cv,(0x34 + $vals[4]),$vals[5]));
- $c_val{comment} = _uniToAscii(substr($cv,(0x34 + $vals[7]),$vals[8]));
- $c_val{num_users} = $vals[12];
-
- return %c_val;
-}
-
-sub parseCUsers {
- my $cv = $_[0];
- my %members = ();
- my $header = substr($cv,0,0x34);
- my @vals = unpack("V*",$header);
-
- my $num = $vals[12];
-
- my @users = ();
- my $ofs;
- if ($num > 0) {
- my $count = 0;
- foreach my $c (1..$num) {
- my $ofs = $vals[10] + 52 + $count;
- my $tmp = unpack("V",substr($cv,$ofs,4));
-
- if ($tmp == 0x101) {
- $ofs++ if (unpack("C",substr($cv,$ofs,1)) == 0);
- $members{_translateSID(substr($cv,$ofs,12))} = 1;
- $count += 12;
- }
- elsif ($tmp == 0x501) {
- $members{_translateSID(substr($cv,$ofs,28))} = 1;
- $count += 28;
- }
- else {
-
- }
- }
- }
- return %members;
-}
-
-#---------------------------------------------------------------------
-# _translateSID()
-# Translate binary data into a SID
-# References:
-# http://blogs.msdn.com/oldnewthing/archive/2004/03/15/89753.aspx
-# http://support.microsoft.com/kb/286182/
-# http://support.microsoft.com/kb/243330
-#---------------------------------------------------------------------
-sub _translateSID {
- my $sid = $_[0];
- my $len = length($sid);
- my $revision;
- my $dashes;
- my $idauth;
- if ($len < 12) {
-# Is a SID ever less than 12 bytes?
- return "SID less than 12 bytes";
- }
- elsif ($len == 12) {
- $revision = unpack("C",substr($sid,0,1));
- $dashes = unpack("C",substr($sid,1,1));
- $idauth = unpack("H*",substr($sid,2,6));
- $idauth =~ s/^0+//g;
- my $sub = unpack("V",substr($sid,8,4));
- return "S-".$revision."-".$idauth."-".$sub;
- }
- elsif ($len > 12) {
- $revision = unpack("C",substr($sid,0,1));
- $dashes = unpack("C",substr($sid,1,1));
- $idauth = unpack("H*",substr($sid,2,6));
- $idauth =~ s/^0+//g;
- my @sub = unpack("V4",substr($sid,8,16));
- my $rid = unpack("V",substr($sid,24,4));
- my $s = join('-',@sub);
- return "S-".$revision."-".$idauth."-".$s."-".$rid;
- }
- else {
-# Nothing to do
- }
-}
-
-#---------------------------------------------------------------------
-# _uniToAscii()
-#---------------------------------------------------------------------
-sub _uniToAscii {
- my $str = $_[0];
- $str =~ s/\00//g;
- return $str;
-}
-
+#-----------------------------------------------------------
+# samparse.pl
+# Parse the SAM hive file for user/group membership info
+#
+# Change history:
+# 20120722 - updated %config hash
+# 20110303 - Fixed parsing of SID, added check for account type
+# Acct type determined based on Dustin Hulburt's "Forensic
+# Determination of a User's Logon Status in Windows"
+# from 10 Aug 2009 (link below)
+# 20100712 - Added References entry
+# 20091020 - Added extracting UserPasswordHint value
+# 20090413 - Added account creation date
+# 20080415 - created
+#
+# References
+# Source available here: http://pogostick.net/~pnh/ntpasswd/
+# http://accessdata.com/downloads/media/Forensic_Determination_Users_Logon_Status.pdf
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package samparse;
+use strict;
+
+my %config = (hive => "SAM",
+ hivemask => 2,
+ output => "report",
+ category => "",
+ osmask => 63, #XP - Win8
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20120722);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Parse SAM file for user & group mbrshp info";
+}
+sub getDescr{}
+sub getRefs {
+ my %refs = ("Well-known SIDs" => "http://support.microsoft.com/kb/243330");
+ return %refs;
+}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %acb_flags = (0x0001 => "Account Disabled",
+ 0x0002 => "Home directory required",
+ 0x0004 => "Password not required",
+ 0x0008 => "Temporary duplicate account",
+ 0x0010 => "Normal user account",
+ 0x0020 => "MNS logon user account",
+ 0x0040 => "Interdomain trust account",
+ 0x0080 => "Workstation trust account",
+ 0x0100 => "Server trust account",
+ 0x0200 => "Password does not expire",
+ 0x0400 => "Account auto locked");
+
+my %types = (0xbc => "Default Admin User",
+ 0xd4 => "Custom Limited Acct",
+ 0xb0 => "Default Guest Acct");
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching samparse v.".$VERSION);
+ ::rptMsg("samparse v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("");
+# Get user information
+ ::rptMsg("User Information");
+ ::rptMsg("-" x 25);
+ my $key_path = 'SAM\\Domains\\Account\\Users';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @user_list = $key->get_list_of_subkeys();
+ if (scalar(@user_list) > 0) {
+ foreach my $u (@user_list) {
+ my $rid = $u->get_name();
+ my $ts = $u->get_timestamp();
+ my $tag = "0000";
+ if ($rid =~ m/^$tag/) {
+ my $v_value = $u->get_value("V");
+ my $v = $v_value->get_data();
+ my %v_val = parseV($v);
+ $rid =~ s/^0000//;
+ $rid = hex($rid);
+
+ my $c_date;
+ eval {
+ my $create_path = $key_path."\\Names\\".$v_val{name};
+ if (my $create = $root_key->get_subkey($create_path)) {
+ $c_date = $create->get_timestamp();
+ }
+ };
+
+ ::rptMsg("Username : ".$v_val{name}." [".$rid."]");
+ ::rptMsg("Full Name : ".$v_val{fullname});
+ ::rptMsg("User Comment : ".$v_val{comment});
+ ::rptMsg("Account Type : ".$v_val{type});
+ ::rptMsg("Account Created : ".gmtime($c_date)." Z") if ($c_date > 0);
+
+ my $f_value = $u->get_value("F");
+ my $f = $f_value->get_data();
+ my %f_val = parseF($f);
+
+ my $lastlogin;
+ my $pwdreset;
+ my $pwdfail;
+ ($f_val{last_login_date} == 0) ? ($lastlogin = "Never") : ($lastlogin = gmtime($f_val{last_login_date})." Z");
+ ($f_val{pwd_reset_date} == 0) ? ($pwdreset = "Never") : ($pwdreset = gmtime($f_val{pwd_reset_date})." Z");
+ ($f_val{pwd_fail_date} == 0) ? ($pwdfail = "Never") : ($pwdfail = gmtime($f_val{pwd_fail_date})." Z");
+
+ my $pw_hint;
+ eval {
+ $pw_hint = $u->get_value("UserPasswordHint")->get_data();
+ $pw_hint =~ s/\00//g;
+ };
+ ::rptMsg("Password Hint : ".$pw_hint) unless ($@);
+ ::rptMsg("Last Login Date : ".$lastlogin);
+ ::rptMsg("Pwd Reset Date : ".$pwdreset);
+ ::rptMsg("Pwd Fail Date : ".$pwdfail);
+ ::rptMsg("Login Count : ".$f_val{login_count});
+ foreach my $flag (keys %acb_flags) {
+ ::rptMsg(" --> ".$acb_flags{$flag}) if ($f_val{acb_flags} & $flag);
+ }
+ ::rptMsg("");
+ }
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+ ::rptMsg("-" x 25);
+ ::rptMsg("Group Membership Information");
+ ::rptMsg("-" x 25);
+# Get Group membership information
+ my $key_path = 'SAM\\Domains\\Builtin\\Aliases';
+ if ($key = $root_key->get_subkey($key_path)) {
+ my %grps;
+ my @groups = $key->get_list_of_subkeys();
+ if (scalar(@groups) > 0) {
+ foreach my $k (@groups) {
+ my $name = $k->get_name();
+ if ($name =~ m/^0000/) {
+ $grps{$name}{LastWrite} = $k->get_timestamp();
+ $grps{$name}{C_value} = $k->get_value("C")->get_data();
+ }
+ }
+
+ foreach my $k (keys %grps) {
+ my $name = $k;
+ $name =~ s/^0000//;
+ my %c_val = parseC($grps{$k}{C_value});
+ ::rptMsg("Group Name : ".$c_val{group_name}." [".$c_val{num_users}."]");
+ ::rptMsg("LastWrite : ".gmtime($grps{$k}{LastWrite})." Z");
+ ::rptMsg("Group Comment : ".$c_val{comment});
+ if ($c_val{num_users} == 0) {
+ ::rptMsg("Users : None");
+ }else {
+ my %users = parseCUsers($grps{$k}{C_value});
+ if (scalar(keys %users) != $c_val{num_users}) {
+ ::logMsg("parseC function reports ".$c_val{num_users}."; parseCUsers function returned ".(scalar(keys %users)));
+ }
+ ::rptMsg("Users :");
+ foreach my $u (keys %users) {
+ ::rptMsg(" ".$u);
+ }
+
+ }
+ ::rptMsg("");
+ }
+ ::rptMsg("Analysis Tips:");
+ ::rptMsg(" - For well-known SIDs, see http://support.microsoft.com/kb/243330");
+ ::rptMsg(" - S-1-5-4 = Interactive");
+ ::rptMsg(" - S-1-5-11 = Authenticated Users");
+ ::rptMsg(" - Correlate the user SIDs to the output of the ProfileList plugin");
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+sub parseF {
+ my $f = shift;
+ my %f_value = ();
+ my @tv;
+# last login date
+ @tv = unpack("VV",substr($f,8,8));
+ $f_value{last_login_date} = ::getTime($tv[0],$tv[1]);
+# password reset/acct creation
+ @tv = unpack("VV",substr($f,24,8));
+ $f_value{pwd_reset_date} = ::getTime($tv[0],$tv[1]);
+# Account expires
+ @tv = unpack("VV",substr($f,32,8));
+ $f_value{acct_exp_date} = ::getTime($tv[0],$tv[1]);
+# Incorrect password
+ @tv = unpack("VV",substr($f,40,8));
+ $f_value{pwd_fail_date} = ::getTime($tv[0],$tv[1]);
+ $f_value{rid} = unpack("V",substr($f,48,4));
+ $f_value{acb_flags} = unpack("v",substr($f,56,2));
+ $f_value{failed_count} = unpack("v",substr($f,64,2));
+ $f_value{login_count} = unpack("v",substr($f,66,2));
+ return %f_value;
+}
+
+sub parseV {
+ my $v = shift;
+ my %v_val = ();
+ my $header = substr($v,0,44);
+ my @vals = unpack("V*",$header);
+ $v_val{type} = $types{$vals[1]};
+ $v_val{name} = _uniToAscii(substr($v,($vals[3] + 0xCC),$vals[4]));
+ $v_val{fullname} = _uniToAscii(substr($v,($vals[6] + 0xCC),$vals[7])) if ($vals[7] > 0);
+ $v_val{comment} = _uniToAscii(substr($v,($vals[9] + 0xCC),$vals[10])) if ($vals[10] > 0);
+ return %v_val;
+}
+
+sub parseC {
+ my $cv = $_[0];
+ my %c_val = ();
+ my $header = substr($cv,0,0x34);
+ my @vals = unpack("V*",$header);
+
+ $c_val{group_name} = _uniToAscii(substr($cv,(0x34 + $vals[4]),$vals[5]));
+ $c_val{comment} = _uniToAscii(substr($cv,(0x34 + $vals[7]),$vals[8]));
+ $c_val{num_users} = $vals[12];
+
+ return %c_val;
+}
+
+sub parseCUsers {
+ my $cv = $_[0];
+ my %members = ();
+ my $header = substr($cv,0,0x34);
+ my @vals = unpack("V*",$header);
+
+ my $num = $vals[12];
+
+ my @users = ();
+ my $ofs;
+ if ($num > 0) {
+ my $count = 0;
+ foreach my $c (1..$num) {
+ my $ofs = $vals[10] + 52 + $count;
+ my $tmp = unpack("V",substr($cv,$ofs,4));
+
+ if ($tmp == 0x101) {
+ $ofs++ if (unpack("C",substr($cv,$ofs,1)) == 0);
+ $members{_translateSID(substr($cv,$ofs,12))} = 1;
+ $count += 12;
+ }
+ elsif ($tmp == 0x501) {
+ $members{_translateSID(substr($cv,$ofs,28))} = 1;
+ $count += 28;
+ }
+ else {
+
+ }
+ }
+ }
+ return %members;
+}
+
+#---------------------------------------------------------------------
+# _translateSID()
+# Translate binary data into a SID
+# References:
+# http://blogs.msdn.com/oldnewthing/archive/2004/03/15/89753.aspx
+# http://support.microsoft.com/kb/286182/
+# http://support.microsoft.com/kb/243330
+#---------------------------------------------------------------------
+sub _translateSID {
+ my $sid = $_[0];
+ my $len = length($sid);
+ my $revision;
+ my $dashes;
+ my $idauth;
+ if ($len < 12) {
+# Is a SID ever less than 12 bytes?
+ return "SID less than 12 bytes";
+ }
+ elsif ($len == 12) {
+ $revision = unpack("C",substr($sid,0,1));
+ $dashes = unpack("C",substr($sid,1,1));
+ $idauth = unpack("H*",substr($sid,2,6));
+ $idauth =~ s/^0+//g;
+ my $sub = unpack("V",substr($sid,8,4));
+ return "S-".$revision."-".$idauth."-".$sub;
+ }
+ elsif ($len > 12) {
+ $revision = unpack("C",substr($sid,0,1));
+ $dashes = unpack("C",substr($sid,1,1));
+ $idauth = unpack("H*",substr($sid,2,6));
+ $idauth =~ s/^0+//g;
+ my @sub = unpack("V4",substr($sid,8,16));
+ my $rid = unpack("V",substr($sid,24,4));
+ my $s = join('-',@sub);
+ return "S-".$revision."-".$idauth."-".$s."-".$rid;
+ }
+ else {
+# Nothing to do
+ }
+}
+
+#---------------------------------------------------------------------
+# _uniToAscii()
+#---------------------------------------------------------------------
+sub _uniToAscii {
+ my $str = $_[0];
+ $str =~ s/\00//g;
+ return $str;
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/schedagent.pl b/RecentActivity/release/rr-full/plugins/schedagent.pl
index 7c560b7f63..6b574e20cd 100755
--- a/RecentActivity/release/rr-full/plugins/schedagent.pl
+++ b/RecentActivity/release/rr-full/plugins/schedagent.pl
@@ -1,89 +1,89 @@
-#-----------------------------------------------------------
-# schedagent
-# Get contents of SchedulingAgent key from Software hive
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package schedagent;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 1,
- version => 20100817);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get SchedulingAgent key contents";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching schedagent v.".$VERSION);
- ::rptMsg("schedagent v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\SchedulingAgent";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my ($oldname,$logpath,$folder,$lastrun,$size);
- eval {
- $oldname = $key->get_value("OldName")->get_data();
- ::rptMsg("OldName = ".$oldname);
- };
-
- eval {
- $logpath = $key->get_value("LogPath")->get_data();
- ::rptMsg("LogPath = ".$logpath);
- };
-
- eval {
- $size = $key->get_value("MaxLogSizeKB")->get_data();
- ::rptMsg("MaxLogSizeKB = ".$size);
- };
-
- eval {
- $folder = $key->get_value("TasksFolder")->get_data();
- ::rptMsg("TasksFolder = ".$folder);
- };
-#
- eval {
- $lastrun = $key->get_value("LastTaskRun")->get_data();
- ::rptMsg("LastTaskRun = ".parseSystemTime($lastrun));
- ::rptMsg("");
- ::rptMsg("Note: LastTaskRun time is written in local system time, not GMT");
- };
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-sub parseSystemTime {
- my ($yr,$mon,$dow,$day,$hr,$min,$sec,$mil) = unpack("v8",$_[0]);
- $mon = "0".$mon unless ($mon =~ /^\d\d$/);
- $day = "0".$day unless ($day =~ /^\d\d$/);
- $hr = "0".$hr unless ($hr =~ /^\d\d$/);
- $min = "0".$min unless ($min =~ /^\d\d$/);
- $sec = "0".$sec unless ($sec =~ /^\d\d$/);
- return "$yr-$mon-$day $hr:$min:$sec";
-}
-
+#-----------------------------------------------------------
+# schedagent
+# Get contents of SchedulingAgent key from Software hive
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package schedagent;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20100817);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get SchedulingAgent key contents";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching schedagent v.".$VERSION);
+ ::rptMsg("schedagent v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\SchedulingAgent";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my ($oldname,$logpath,$folder,$lastrun,$size);
+ eval {
+ $oldname = $key->get_value("OldName")->get_data();
+ ::rptMsg("OldName = ".$oldname);
+ };
+
+ eval {
+ $logpath = $key->get_value("LogPath")->get_data();
+ ::rptMsg("LogPath = ".$logpath);
+ };
+
+ eval {
+ $size = $key->get_value("MaxLogSizeKB")->get_data();
+ ::rptMsg("MaxLogSizeKB = ".$size);
+ };
+
+ eval {
+ $folder = $key->get_value("TasksFolder")->get_data();
+ ::rptMsg("TasksFolder = ".$folder);
+ };
+#
+ eval {
+ $lastrun = $key->get_value("LastTaskRun")->get_data();
+ ::rptMsg("LastTaskRun = ".parseSystemTime($lastrun));
+ ::rptMsg("");
+ ::rptMsg("Note: LastTaskRun time is written in local system time, not GMT");
+ };
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+sub parseSystemTime {
+ my ($yr,$mon,$dow,$day,$hr,$min,$sec,$mil) = unpack("v8",$_[0]);
+ $mon = "0".$mon unless ($mon =~ /^\d\d$/);
+ $day = "0".$day unless ($day =~ /^\d\d$/);
+ $hr = "0".$hr unless ($hr =~ /^\d\d$/);
+ $min = "0".$min unless ($min =~ /^\d\d$/);
+ $sec = "0".$sec unless ($sec =~ /^\d\d$/);
+ return "$yr-$mon-$day $hr:$min:$sec";
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/secctr.pl b/RecentActivity/release/rr-full/plugins/secctr.pl
index f321e7318b..d4f0c8cb9a 100755
--- a/RecentActivity/release/rr-full/plugins/secctr.pl
+++ b/RecentActivity/release/rr-full/plugins/secctr.pl
@@ -1,69 +1,69 @@
-#-----------------------------------------------------------
-# secctr
-# Plugin to get data from Security Center keys
-#
-# Change History:
-# 20100310 - created
-#
-# References:
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package secctr;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100310);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get data from Security Center key";
-}
-sub getDescr{}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- my $infected = 0;
- ::logMsg("Launching secctr v.".$VERSION);
- ::rptMsg("secctr v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = 'Microsoft\Security Center';
- my $key;
- ::rptMsg("secctr");
- ::rptMsg("");
-
- if ($key = $root_key->get_subkey($key_path)) {
- $infected++;
- ::rptMsg("");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $str = sprintf "%-25s 0x%02x",$v->get_name(),$v->get_data();
- ::rptMsg($str);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::rptMsg("");
- }
-}
+#-----------------------------------------------------------
+# secctr
+# Plugin to get data from Security Center keys
+#
+# Change History:
+# 20100310 - created
+#
+# References:
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package secctr;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100310);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get data from Security Center key";
+}
+sub getDescr{}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my $infected = 0;
+ ::logMsg("Launching secctr v.".$VERSION);
+ ::rptMsg("secctr v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = 'Microsoft\Security Center';
+ my $key;
+ ::rptMsg("secctr");
+ ::rptMsg("");
+
+ if ($key = $root_key->get_subkey($key_path)) {
+ $infected++;
+ ::rptMsg("");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $str = sprintf "%-25s 0x%02x",$v->get_name(),$v->get_data();
+ ::rptMsg($str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::rptMsg("");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/services.pl b/RecentActivity/release/rr-full/plugins/services.pl
index 90c2b323c6..b14fa16623 100755
--- a/RecentActivity/release/rr-full/plugins/services.pl
+++ b/RecentActivity/release/rr-full/plugins/services.pl
@@ -1,152 +1,152 @@
-#-----------------------------------------------------------
-# services.pl
-# Plugin for Registry Ripper; Access System hive file to get the
-# services
-#
-# Change history
-# 20080507 - Added collection of Type and Start values; separated
-# data by Services vs. Drivers; created separate plugin
-# for Drivers
-# 20080505 - Added collection of ImagePath and DisplayName, if avail.
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package services;
-#use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080507);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Lists services/drivers in Services key by LastWrite times";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-# Reference for types and start types:
-# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx
-my %types = (0x001 => "Kernel driver",
- 0x002 => "File system driver",
- 0x010 => "Own_Process",
- 0x020 => "Share_Process",
- 0x100 => "Interactive");
-
-my %starts = (0x00 => "Boot Start",
- 0x01 => "System Start",
- 0x02 => "Auto Start",
- 0x03 => "Manual",
- 0x04 => "Disabled");
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching services v.".$VERSION);
- ::rptMsg("services v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
- my $s_path = $ccs."\\Services";
- my $svc;
- my %svcs;
- if ($svc = $root_key->get_subkey($s_path)) {
- ::rptMsg($s_path);
- ::rptMsg(getShortDescr());
- ::rptMsg("");
-# Get all subkeys and sort based on LastWrite times
- my @subkeys = $svc->get_list_of_subkeys();
- if (scalar (@subkeys) > 0) {
- foreach my $s (@subkeys) {
-
- my $type;
- eval {
- $type = $s->get_value("Type")->get_data();
-# Only look for services; drivers handled in another plugin
- if (exists $types{$type}) {
- $type = $types{$type};
- }
- else {
- $type = sprintf "0x%x",$t;
- }
- };
-
- $name = $s->get_name();
- my $display;
- eval {
- $display = $s->get_value("DisplayName")->get_data();
- };
-
- my $image;
- eval {
- $image = $s->get_value("ImagePath")->get_data();
- };
-
- my $start;
- eval {
- $start = $s->get_value("Start")->get_data();
- if (exists $starts{$start}) {
- $start = $starts{$start};
- }
- };
-
- my $group;
- eval {
- $group = $s->get_value("Group")->get_data();
- };
-
- my $str = $name.";".$display.";".$image.";".$type.";".$start.";".$group;
- push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq "");
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %svcs) {
- ::rptMsg(gmtime($t)."Z");
- foreach my $item (@{$svcs{$t}}) {
- my ($n,$d,$i,$t,$s,$g) = split(/;/,$item,6);
- ::rptMsg(" Name = ".$n);
- ::rptMsg(" Display = ".$d);
- ::rptMsg(" ImagePath = ".$i);
- ::rptMsg(" Type = ".$t);
- ::rptMsg(" Start = ".$s);
- ::rptMsg(" Group = ".$g);
- ::rptMsg("");
- }
- }
-
- }
- else {
- ::rptMsg($s_path." has no subkeys.");
- ::logMsg("Error: ".$s_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($s_path." not found.");
- ::logMsg($s_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
+#-----------------------------------------------------------
+# services.pl
+# Plugin for Registry Ripper; Access System hive file to get the
+# services
+#
+# Change history
+# 20080507 - Added collection of Type and Start values; separated
+# data by Services vs. Drivers; created separate plugin
+# for Drivers
+# 20080505 - Added collection of ImagePath and DisplayName, if avail.
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package services;
+#use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080507);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Lists services/drivers in Services key by LastWrite times";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+# Reference for types and start types:
+# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx
+my %types = (0x001 => "Kernel driver",
+ 0x002 => "File system driver",
+ 0x010 => "Own_Process",
+ 0x020 => "Share_Process",
+ 0x100 => "Interactive");
+
+my %starts = (0x00 => "Boot Start",
+ 0x01 => "System Start",
+ 0x02 => "Auto Start",
+ 0x03 => "Manual",
+ 0x04 => "Disabled");
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching services v.".$VERSION);
+ ::rptMsg("services v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+ my $s_path = $ccs."\\Services";
+ my $svc;
+ my %svcs;
+ if ($svc = $root_key->get_subkey($s_path)) {
+ ::rptMsg($s_path);
+ ::rptMsg(getShortDescr());
+ ::rptMsg("");
+# Get all subkeys and sort based on LastWrite times
+ my @subkeys = $svc->get_list_of_subkeys();
+ if (scalar (@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+
+ my $type;
+ eval {
+ $type = $s->get_value("Type")->get_data();
+# Only look for services; drivers handled in another plugin
+ if (exists $types{$type}) {
+ $type = $types{$type};
+ }
+ else {
+ $type = sprintf "0x%x",$t;
+ }
+ };
+
+ $name = $s->get_name();
+ my $display;
+ eval {
+ $display = $s->get_value("DisplayName")->get_data();
+ };
+
+ my $image;
+ eval {
+ $image = $s->get_value("ImagePath")->get_data();
+ };
+
+ my $start;
+ eval {
+ $start = $s->get_value("Start")->get_data();
+ if (exists $starts{$start}) {
+ $start = $starts{$start};
+ }
+ };
+
+ my $group;
+ eval {
+ $group = $s->get_value("Group")->get_data();
+ };
+
+ my $str = $name.";".$display.";".$image.";".$type.";".$start.";".$group;
+ push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq "");
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %svcs) {
+ ::rptMsg(gmtime($t)."Z");
+ foreach my $item (@{$svcs{$t}}) {
+ my ($n,$d,$i,$t,$s,$g) = split(/;/,$item,6);
+ ::rptMsg(" Name = ".$n);
+ ::rptMsg(" Display = ".$d);
+ ::rptMsg(" ImagePath = ".$i);
+ ::rptMsg(" Type = ".$t);
+ ::rptMsg(" Start = ".$s);
+ ::rptMsg(" Group = ".$g);
+ ::rptMsg("");
+ }
+ }
+
+ }
+ else {
+ ::rptMsg($s_path." has no subkeys.");
+ ::logMsg("Error: ".$s_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($s_path." not found.");
+ ::logMsg($s_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/sfc.pl b/RecentActivity/release/rr-full/plugins/sfc.pl
index 4f223fb763..f70e00daa0 100755
--- a/RecentActivity/release/rr-full/plugins/sfc.pl
+++ b/RecentActivity/release/rr-full/plugins/sfc.pl 
@@ -1,109 +1,109 @@
-#-----------------------------------------------------------
-# sfc.pl
-# Check SFC settings in the Registry
-#
-# History
-# 20100305 - updated
-#
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package sfc;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20100305);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get SFC values";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching sfc v.".$VERSION);
- ::rptMsg("sfc v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("sfc v.".$VERSION);
- ::rptMsg("");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $name = $v->get_name();
- next unless ($name =~ m/^sfc/i);
- my $str;
- if ($name =~ m/^sfcquota$/i || $name =~ m/^sfcdisable$/i) {
- $str = sprintf " %-20s 0x%08x",$name,$v->get_data();
- }
- else {
- $str = sprintf " %-20s %-20s",$name,$v->get_data();
- }
- ::rptMsg($str);
- }
-
- }
- else {
- ::rptMsg($key_path." key has no values.");
- }
- }
- else {
- ::rptMsg($key_path." key not found.");
- ::logMsg($key_path." key not found.");
- }
- ::rptMsg("");
-# According to http://support.microsoft.com/kb/222193, sfc* values in this key, if
-# it exists, take precedence over and are copied into the values within the Winlogon
-# key; see also http://support.microsoft.com/kb/222473/
- my $key_path = "Policies\\Microsoft\\Windows NT\\Windows File Protection";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $name = $v->get_name();
- next unless ($name =~ m/^sfc/i);
- my $str;
- if ($name =~ m/^sfcquota$/i || $name =~ m/^sfcdisable$/i) {
- $str = sprintf " %-20s 0x%08x",$name,$v->get_data();
- }
- else {
- $str = sprintf " %-20s %-20s",$name,$v->get_data();
- }
- ::rptMsg($str);
- }
-
- }
- else {
- ::rptMsg($key_path." key has no values.");
- }
- }
- else {
- ::rptMsg($key_path." key not found.");
-# ::logMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# sfc.pl
+# Check SFC settings in the Registry
+#
+# History
+# 20100305 - updated
+#
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package sfc;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100305);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get SFC values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching sfc v.".$VERSION);
+ ::rptMsg("sfc v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("sfc v.".$VERSION);
+ ::rptMsg("");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ next unless ($name =~ m/^sfc/i);
+ my $str;
+ if ($name =~ m/^sfcquota$/i || $name =~ m/^sfcdisable$/i) {
+ $str = sprintf " %-20s 0x%08x",$name,$v->get_data();
+ }
+ else {
+ $str = sprintf " %-20s %-20s",$name,$v->get_data();
+ }
+ ::rptMsg($str);
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." key has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." key not found.");
+ ::logMsg($key_path." key not found.");
+ }
+ ::rptMsg("");
+# According to http://support.microsoft.com/kb/222193, sfc* values in this key, if
+# it exists, take precedence over and are copied into the values within the Winlogon
+# key; see also http://support.microsoft.com/kb/222473/
+ my $key_path = "Policies\\Microsoft\\Windows NT\\Windows File Protection";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ next unless ($name =~ m/^sfc/i);
+ my $str;
+ if ($name =~ m/^sfcquota$/i || $name =~ m/^sfcdisable$/i) {
+ $str = sprintf " %-20s 0x%08x",$name,$v->get_data();
+ }
+ else {
+ $str = sprintf " %-20s %-20s",$name,$v->get_data();
+ }
+ ::rptMsg($str);
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." key has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." key not found.");
+# ::logMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/shares.pl b/RecentActivity/release/rr-full/plugins/shares.pl
index 4739032688..477cfecc8d 100755
--- a/RecentActivity/release/rr-full/plugins/shares.pl
+++ b/RecentActivity/release/rr-full/plugins/shares.pl
@@ -1,130 +1,130 @@ -#----------------------------------------------------------- -# shares.pl -# -# Retrieve information about shares from a System hive file -# -# References: -# http://support.microsoft.com/kb/556023 -# For info about share types, see the Win32_Share WMI class: -# http://msdn.microsoft.com/en-us/library/aa394435(VS.85).aspx -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package shares; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090112); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get list of shares from System hive file"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $root_key; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching shares v.".$VERSION); - ::rptMsg("shares v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - eval { - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - }; - if ($@) { - ::rptMsg("Problem locating proper controlset: $@"); - return; - } -# First, connect to the Services key; some versions of Windows appear to -# spell the lanmanserver key as "lanmanserver" and others as "LanmanServer" - my $key_path = $ccs."\\Services"; - my $key; - my $tag = "lanmanserver"; - my $lanman = getKeyPath($key_path,$tag); - if ($lanman ne "") { - my $share_path = $key_path."\\".$lanman."\\Shares"; - my $share; - if ($share = $root_key->get_subkey($share_path)) { - my @vals = $share->get_list_of_values(); - if 
(scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(" ".$v->get_name()); - my @data = $v->get_data(); - ::rptMsg(" ".$data[2]); - ::rptMsg(" ".$data[4]); - ::rptMsg(" ".$data[5]); - ::rptMsg(""); - } - } - else { - ::rptMsg($share_path." has no values."); - } - } - else { - ::rptMsg($share_path." not found."); - } - } - else { - ::rptMsg($lanman." subkey not found."); - } - -# Determine of the AutoShareServer/Wks values have been set - my $path = $key_path."\\".$lanman; - my $tag = "parameters"; - my $para = getKeyPath($path,$tag); - eval { - if ($key = $root_key->get_subkey($path."\\".$para)) { - my $auto_svr = $key->get_value("AutoShareServer")->get_data(); - ::rptMsg(" AutoShareServer = ".$auto_svr); - } - }; - - eval { - if ($key = $root_key->get_subkey($path."\\".$para)) { - my $auto_wks = $key->get_value("AutoShareWks")->get_data(); - ::rptMsg(" AutoShareWks = ".$auto_wks); - } - }; -} - -# On different versions of Windows, subkeys such as lanmanserver -# and parameters are spelled differently; use this subroutine to get -# the correct spelling of the name of the subkey -# http://support.microsoft.com/kb/288164 -sub getKeyPath { - my $path = $_[0]; - my $tag = $_[1]; - my $subkey; - if (my $key = $root_key->get_subkey($path)) { - my @sk = $key->get_list_of_subkeys(); - foreach my $s (@sk) { - my $name = $s->get_name(); - $subkey = $name if ($name =~ m/^$tag/i); - } - } - return $subkey; -} - +#----------------------------------------------------------- +# shares.pl +# +# Retrieve information about shares from a System hive file +# +# References: +# http://support.microsoft.com/kb/556023 +# For info about share types, see the Win32_Share WMI class: +# http://msdn.microsoft.com/en-us/library/aa394435(VS.85).aspx +# +# copyright 2009 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package shares; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090112); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get list of shares from System hive file"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my $root_key; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching shares v.".$VERSION); + ::rptMsg("shares v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + eval { + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + }; + if ($@) { + ::rptMsg("Problem locating proper controlset: $@"); + return; + } +# First, connect to the Services key; some versions of Windows appear to +# spell the lanmanserver key as "lanmanserver" and others as "LanmanServer" + my $key_path = $ccs."\\Services"; + my $key; + my $tag = "lanmanserver"; + my $lanman = getKeyPath($key_path,$tag); + if ($lanman ne "") { + my $share_path = $key_path."\\".$lanman."\\Shares"; + my $share; + if ($share = $root_key->get_subkey($share_path)) { + my @vals = $share->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + ::rptMsg(" ".$v->get_name()); + my @data = $v->get_data(); + ::rptMsg(" ".$data[2]); + ::rptMsg(" ".$data[4]); + ::rptMsg(" ".$data[5]); + ::rptMsg(""); + } + } + else { + ::rptMsg($share_path." has no values."); + } + } + else { + ::rptMsg($share_path." not found."); + } + } + else { + ::rptMsg($lanman." 
subkey not found."); + } + +# Determine of the AutoShareServer/Wks values have been set + my $path = $key_path."\\".$lanman; + my $tag = "parameters"; + my $para = getKeyPath($path,$tag); + eval { + if ($key = $root_key->get_subkey($path."\\".$para)) { + my $auto_svr = $key->get_value("AutoShareServer")->get_data(); + ::rptMsg(" AutoShareServer = ".$auto_svr); + } + }; + + eval { + if ($key = $root_key->get_subkey($path."\\".$para)) { + my $auto_wks = $key->get_value("AutoShareWks")->get_data(); + ::rptMsg(" AutoShareWks = ".$auto_wks); + } + }; +} + +# On different versions of Windows, subkeys such as lanmanserver +# and parameters are spelled differently; use this subroutine to get +# the correct spelling of the name of the subkey +# http://support.microsoft.com/kb/288164 +sub getKeyPath { + my $path = $_[0]; + my $tag = $_[1]; + my $subkey; + if (my $key = $root_key->get_subkey($path)) { + my @sk = $key->get_list_of_subkeys(); + foreach my $s (@sk) { + my $name = $s->get_name(); + $subkey = $name if ($name =~ m/^$tag/i); + } + } + return $subkey; +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/shellext.pl b/RecentActivity/release/rr-full/plugins/shellext.pl index 620abc5dff..7a6b4c456f 100755 --- a/RecentActivity/release/rr-full/plugins/shellext.pl +++ b/RecentActivity/release/rr-full/plugins/shellext.pl 
@@ -1,98 +1,98 @@ -#----------------------------------------------------------- -# shellext -# Plugin to get approved shell extensions list from the -# Software hive -# -# This plugin retrieves the list of approved shell extensions from -# the Software hive; specifically, the "Shell Extensions\Approved" -# key. Once it has the names (GUID) and data (string) of each value, -# it then goes to the Classes\CLSID\{GUID} key to get the name of/path to -# the associated DLL, if available. It also gets the LastWrite time of the -# Classes\CLSID\{GUID} key. -# -# Analysis of an incident showed that the intruder placed their malware in -# the C:\Windows dir, using the same name as a known valid shell extension. -# When Explorer.exe launches, it reads the list of approved shell extensions, -# then goes to the Classes\CLSID key to get the path to the associated DLL. The -# intruder chose a shell extension that did not have an explicit path, so when -# explorer.exe looked for it, it started in the C:\Windows dir, and never got to -# the legit DLL in the C:\Windows\system32 dir. 
-# -# References: -# http://msdn.microsoft.com/en-us/library/ms682586%28VS.85%29.aspx -# -# -# Note: This plugin can take several minutes to run -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package shellext; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100515); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Shell Extensions from Software hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %bhos; - ::logMsg("Launching shellext v.".$VERSION); - ::rptMsg("shellext v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved";; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my %exts; - - my @vals = $key->get_list_of_values(); - if (scalar (@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - $exts{$name}{name} = $v->get_data(); - - my $clsid_path = "Classes\\CLSID\\".$name; - my $clsid; - if ($clsid = $root_key->get_subkey($clsid_path)) { - eval { - $exts{$v->get_name()}{lastwrite} = $clsid->get_timestamp(); - $exts{$v->get_name()}{dll} = $clsid->get_subkey("InProcServer32")->get_value("")->get_data(); - }; - } - } - foreach my $e (keys %exts) { - ::rptMsg($e." ".$exts{$e}{name}); - ::rptMsg(" DLL: ".$exts{$e}{dll}); - ::rptMsg(" Timestamp: ".gmtime($exts{$e}{lastwrite})." Z"); - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# shellext +# Plugin to get approved shell extensions list from the +# Software hive +# +# This plugin retrieves the list of approved shell extensions from +# the Software hive; specifically, the "Shell Extensions\Approved" +# key. Once it has the names (GUID) and data (string) of each value, +# it then goes to the Classes\CLSID\{GUID} key to get the name of/path to +# the associated DLL, if available. It also gets the LastWrite time of the +# Classes\CLSID\{GUID} key. +# +# Analysis of an incident showed that the intruder placed their malware in +# the C:\Windows dir, using the same name as a known valid shell extension. +# When Explorer.exe launches, it reads the list of approved shell extensions, +# then goes to the Classes\CLSID key to get the path to the associated DLL. The +# intruder chose a shell extension that did not have an explicit path, so when +# explorer.exe looked for it, it started in the C:\Windows dir, and never got to +# the legit DLL in the C:\Windows\system32 dir. 
+# +# References: +# http://msdn.microsoft.com/en-us/library/ms682586%28VS.85%29.aspx +# +# +# Note: This plugin can take several minutes to run +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package shellext; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100515); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets Shell Extensions from Software hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %bhos; + ::logMsg("Launching shellext v.".$VERSION); + ::rptMsg("shellext v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved";; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my %exts; + + my @vals = $key->get_list_of_values(); + if (scalar (@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + $exts{$name}{name} = $v->get_data(); + + my $clsid_path = "Classes\\CLSID\\".$name; + my $clsid; + if ($clsid = $root_key->get_subkey($clsid_path)) { + eval { + $exts{$v->get_name()}{lastwrite} = $clsid->get_timestamp(); + $exts{$v->get_name()}{dll} = $clsid->get_subkey("InProcServer32")->get_value("")->get_data(); + }; + } + } + foreach my $e (keys %exts) { + ::rptMsg($e." ".$exts{$e}{name}); + ::rptMsg(" DLL: ".$exts{$e}{dll}); + ::rptMsg(" Timestamp: ".gmtime($exts{$e}{lastwrite})." Z"); + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/shellfolders.pl b/RecentActivity/release/rr-full/plugins/shellfolders.pl index dce73911f0..4ec1889d4c 100755 --- a/RecentActivity/release/rr-full/plugins/shellfolders.pl +++ b/RecentActivity/release/rr-full/plugins/shellfolders.pl 
@@ -1,73 +1,73 @@ -#----------------------------------------------------------- -# shellfolders.pl -# -# Retrieve the Shell Folders values from user's hive; while -# this may not be important in every instance, it may give the -# examiner indications as to where to look for certain items; -# for example, if the user's "My Documents" folder has been redirected -# as part of configuration changes (corporate policies, etc.). Also, -# this may be important as part of data leakage exams, as XP and Vista -# allow users to drop and drag files to the CD Burner. -# -# References: -# http://support.microsoft.com/kb/279157 -# http://support.microsoft.com/kb/326982 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package shellfolders; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090115); - -sub getConfig{return %config} - -sub getShortDescr { - return "Retrieve user Shell Folders values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching shellfolders v.".$VERSION); - ::rptMsg("shellfolders v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $str = sprintf "%-20s %-40s",$v->get_name(),$v->get_data(); - ::rptMsg($str); - } - ::rptMsg(""); - } - else { - ::rptMsg($key_path." 
has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# shellfolders.pl +# +# Retrieve the Shell Folders values from user's hive; while +# this may not be important in every instance, it may give the +# examiner indications as to where to look for certain items; +# for example, if the user's "My Documents" folder has been redirected +# as part of configuration changes (corporate policies, etc.). Also, +# this may be important as part of data leakage exams, as XP and Vista +# allow users to drop and drag files to the CD Burner. +# +# References: +# http://support.microsoft.com/kb/279157 +# http://support.microsoft.com/kb/326982 +# +# copyright 2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package shellfolders; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090115); + +sub getConfig{return %config} + +sub getShortDescr { + return "Retrieve user Shell Folders values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching shellfolders v.".$VERSION); + ::rptMsg("shellfolders v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + + my @vals = $key->get_list_of_values(); + + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $str = sprintf "%-20s %-40s",$v->get_name(),$v->get_data(); + ::rptMsg($str); + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/shelloverlay.pl b/RecentActivity/release/rr-full/plugins/shelloverlay.pl index 8bf496cbed..91088d63cd 100755 --- a/RecentActivity/release/rr-full/plugins/shelloverlay.pl +++ b/RecentActivity/release/rr-full/plugins/shelloverlay.pl 
@@ -1,88 +1,88 @@ -#----------------------------------------------------------- -# shelloverlay -# Get contents of ShellIconOverlayIdentifiers subkeys; sorts data -# based on LastWrite times of subkeys -# -# History -# 20100308 - created -# -# References -# http://msdn.microsoft.com/en-us/library/cc144123%28VS.85%29.aspx -# Coreflood - http://vil.nai.com/vil/content/v_102053.htm -# http://www.secureworks.com/research/threats/coreflood/?threat=coreflood -# -# Analysis Tip: Malware such as Coreflood uses a random subkey name and a -# random CLSID GUID value -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package shelloverlay; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100308); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets ShellIconOverlayIdentifiers values"; -} -sub getDescr{} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching shelloverlay v.".$VERSION); - ::rptMsg("shelloverlay v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my %id; - - my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("shelloverlay"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $def; - eval { - $def = $s->get_value("")->get_data(); - $name .= " ".$def; - }; - push(@{$id{$s->get_timestamp()}},$name); - } - - foreach my $t (reverse sort {$a <=> $b} keys %id) { - ::rptMsg(gmtime($t)." Z"); - foreach my $item (@{$id{$t}}) { - ::rptMsg(" ".$item); - } - ::rptMsg(""); - } - - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# shelloverlay +# Get contents of ShellIconOverlayIdentifiers subkeys; sorts data +# based on LastWrite times of subkeys +# +# History +# 20100308 - created +# +# References +# http://msdn.microsoft.com/en-us/library/cc144123%28VS.85%29.aspx +# Coreflood - http://vil.nai.com/vil/content/v_102053.htm +# http://www.secureworks.com/research/threats/coreflood/?threat=coreflood +# +# Analysis Tip: Malware such as Coreflood uses a random subkey name and a +# random CLSID GUID value +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package shelloverlay; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100308); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets ShellIconOverlayIdentifiers values"; +} +sub getDescr{} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching shelloverlay v.".$VERSION); + ::rptMsg("shelloverlay v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my %id; + + my $key_path = 
'Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("shelloverlay"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + my $def; + eval { + $def = $s->get_value("")->get_data(); + $name .= " ".$def; + }; + push(@{$id{$s->get_timestamp()}},$name); + } + + foreach my $t (reverse sort {$a <=> $b} keys %id) { + ::rptMsg(gmtime($t)." Z"); + foreach my $item (@{$id{$t}}) { + ::rptMsg(" ".$item); + } + ::rptMsg(""); + } + + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/shutdown.pl b/RecentActivity/release/rr-full/plugins/shutdown.pl index 727b74a1db..f2ff4634ea 100755 --- a/RecentActivity/release/rr-full/plugins/shutdown.pl +++ b/RecentActivity/release/rr-full/plugins/shutdown.pl 
@@ -1,78 +1,78 @@ -#----------------------------------------------------------- -# shutdown.pl -# Plugin for Registry Ripper; Access System hive file to get the -# contents of the ShutdownTime value -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package shutdown; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets ShutdownTime value from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching shutdown v.".$VERSION); - ::rptMsg("shutdown v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $win_path = $ccs."\\Control\\Windows"; - my $win; - if ($win = $root_key->get_subkey($win_path)) { - ::rptMsg($win_path." key, ShutdownTime value"); - ::rptMsg($win_path); - ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)"); - my $sd; - if ($sd = $win->get_value("ShutdownTime")->get_data()) { - my @vals = unpack("VV",$sd); - my $shutdown = ::getTime($vals[0],$vals[1]); - ::rptMsg(" ShutdownTime = ".gmtime($shutdown)." (UTC)"); - - } - else { - ::rptMsg("ShutdownTime value not found."); - } - } - else { - ::rptMsg($win_path." not found."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# shutdown.pl +# Plugin for Registry Ripper; Access System hive file to get the +# contents of the ShutdownTime value +# +# Change history +# +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package shutdown; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets ShutdownTime value from System hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching shutdown v.".$VERSION); + ::rptMsg("shutdown v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $win_path = $ccs."\\Control\\Windows"; + my $win; + if ($win = $root_key->get_subkey($win_path)) { + ::rptMsg($win_path." key, ShutdownTime value"); + ::rptMsg($win_path); + ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)"); + my $sd; + if ($sd = $win->get_value("ShutdownTime")->get_data()) { + my @vals = unpack("VV",$sd); + my $shutdown = ::getTime($vals[0],$vals[1]); + ::rptMsg(" ShutdownTime = ".gmtime($shutdown)." (UTC)"); + + } + else { + ::rptMsg("ShutdownTime value not found."); + } + } + else { + ::rptMsg($win_path." 
not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/shutdowncount.pl b/RecentActivity/release/rr-full/plugins/shutdowncount.pl index 65efe79f4f..c82f8cc414 100755 --- a/RecentActivity/release/rr-full/plugins/shutdowncount.pl +++ b/RecentActivity/release/rr-full/plugins/shutdowncount.pl 
@@ -1,83 +1,83 @@ -#----------------------------------------------------------- -# shutdowncount.pl -# -# *Value info first seen at: -# http://forensicsfromthesausagefactory.blogspot.com/2008/06/install-dates-and-shutdown-times-found.html -# thanks to DC1743@gmail.com -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package shutdowncount; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080709); - -sub getConfig{return %config} - -sub getShortDescr { - return "Retrieves ShutDownCount value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching shutdowncount v.".$VERSION); - ::rptMsg("shutdowncount v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::logMsg("Could not find ".$key_path); - return - } - - my $key_path = $ccs."\\Control\\Watchdog\\Display"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ShutdownCount"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $count = 0; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - if ($v->get_name() eq "ShutdownCount") { - $count = 1; - ::rptMsg("ShutdownCount = ".$v->get_data()); - } - } - ::rptMsg("ShutdownCount value not found.") if ($count == 0); - } - else { - ::rptMsg($key_path." 
has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# shutdowncount.pl +# +# *Value info first seen at: +# http://forensicsfromthesausagefactory.blogspot.com/2008/06/install-dates-and-shutdown-times-found.html +# thanks to DC1743@gmail.com +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package shutdowncount; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080709); + +sub getConfig{return %config} + +sub getShortDescr { + return "Retrieves ShutDownCount value"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching shutdowncount v.".$VERSION); + ::rptMsg("shutdowncount v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::logMsg("Could not find ".$key_path); + return + } + + my $key_path = $ccs."\\Control\\Watchdog\\Display"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("ShutdownCount"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + my $count = 0; + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + if ($v->get_name() eq "ShutdownCount") { + $count = 1; + ::rptMsg("ShutdownCount = ".$v->get_data()); + } + } + ::rptMsg("ShutdownCount value not found.") if ($count == 0); + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/skype.pl b/RecentActivity/release/rr-full/plugins/skype.pl index 94e199da35..3c83bc65f1 100755 --- a/RecentActivity/release/rr-full/plugins/skype.pl +++ b/RecentActivity/release/rr-full/plugins/skype.pl 
@@ -1,60 +1,60 @@
-#-----------------------------------------------------------
-# skype.pl
-#
-#
-# History
-# 20100713 - created
-#
-# References
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package skype;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100713);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets data user's Skype key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching acmru v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Skype';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my $install;
- eval {
- $install = $key->get_subkey("Installer")->get_value("DonwloadLastModified")->get_data();
- ::rptMsg("DonwloadLastModified = ".$install);
- };
- ::rptMsg("DonwloadLastModified value not found: ".$@) if ($@);
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# skype.pl
+#
+#
+# History
+# 20100713 - created
+#
+# References
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package skype;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100713);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets data user's Skype key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching acmru v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Skype';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $install;
+ eval {
+ $install = $key->get_subkey("Installer")->get_value("DonwloadLastModified")->get_data();
+ ::rptMsg("DonwloadLastModified = ".$install);
+ };
+ ::rptMsg("DonwloadLastModified value not found: ".$@) if ($@);
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/snapshot.pl b/RecentActivity/release/rr-full/plugins/snapshot.pl
index 5d175f09b5..95fc9b131d 100755
--- a/RecentActivity/release/rr-full/plugins/snapshot.pl
+++ b/RecentActivity/release/rr-full/plugins/snapshot.pl
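Review bot: The launch message on the new side names a different plugin — `::logMsg("Launching acmru v.".$VERSION);` — so every run of this plugin is logged as acmru; it should read `::logMsg("Launching skype v.".$VERSION);`. The other plugins in this patch also emit the two report banner lines (`::rptMsg("skype v.".$VERSION); # banner` and the `getHive()`/`getShortDescr()` line) right after the log call, which this one omits. The value name `DonwloadLastModified` looks like a transposition of "Download", but if it is the literal registry value name it has to stay as written; worth confirming against a known hive before touching it.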
@@ -1,98 +1,98 @@
-#-----------------------------------------------------------
-# snapshot.pl
-# Plugin to check the ActiveX component for the MS Access Snapshot
-# Viewer kill bit
-#
-# Ref: US-CERT Vuln Note #837785, http://www.kb.cert.org/vuls/id/837785
-#
-# Note: Look for each GUID key, and check for the Compatibility Flags value;
-# if the value is 0x400, the kill bit is set; a vulnerable system is
-# indicated by having IE version 6.x, and the kill bits NOT set (IE 7
-# requires user interaction to download the ActiveX component
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package snapshot;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 1,
- version => 20080725);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Check ActiveX comp kill bit; Access Snapshot";
-}
-sub getDescr{}
-sub getRefs {"US-CERT Vuln Note 837785" => "http://www.kb.cert.org/vuls/id/837785"}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-my @guids = ("{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}",
- "{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}",
- "{F2175210-368C-11D0-AD81-00A0C90DC8D9}");
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching snapshot v.".$VERSION);
- ::rptMsg("snapshot v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Internet Explorer";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("ActiveX Snapshot Vuln");
- ::rptMsg($key_path);
- ::rptMsg("");
- my $ver;
- eval {
- $ver = $key->get_value("Version")->get_data();
- };
- if ($@) {
- ::rptMsg("IE Version not found.");
- }
- else {
- ::rptMsg("IE Version = ".$ver)
- }
-
- ::rptMsg("");
- foreach my $guid (@guids) {
- my $g;
- eval {
- $g = $key->get_subkey("ActiveX Compatibility\\".$guid);
- };
- if ($@) {
- ::rptMsg("$guid not found.");
- }
- else {
- ::rptMsg("GUID: $guid");
- my $flag;
- eval {
- $flag = $g->get_value("Compatibility Flags")->get_data();
- };
- if ($@) {
- ::rptMsg("Compatibility Flags value not found.");
- }
- else {
- my $str = sprintf "Compatibility Flags 0x%x",$flag;
- ::rptMsg($str);
- }
- }
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# snapshot.pl
+# Plugin to check the ActiveX component for the MS Access Snapshot
+# Viewer kill bit
+#
+# Ref: US-CERT Vuln Note #837785, http://www.kb.cert.org/vuls/id/837785
+#
+# Note: Look for each GUID key, and check for the Compatibility Flags value;
+# if the value is 0x400, the kill bit is set; a vulnerable system is
+# indicated by having IE version 6.x, and the kill bits NOT set (IE 7
+# requires user interaction to download the ActiveX component
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package snapshot;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20080725);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Check ActiveX comp kill bit; Access Snapshot";
+}
+sub getDescr{}
+sub getRefs {"US-CERT Vuln Note 837785" => "http://www.kb.cert.org/vuls/id/837785"}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my @guids = ("{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}",
+ "{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}",
+ "{F2175210-368C-11D0-AD81-00A0C90DC8D9}");
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching snapshot v.".$VERSION);
+ ::rptMsg("snapshot v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Internet Explorer";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("ActiveX Snapshot Vuln");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my $ver;
+ eval {
+ $ver = $key->get_value("Version")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("IE Version not found.");
+ }
+ else {
+ ::rptMsg("IE Version = ".$ver)
+ }
+
+ ::rptMsg("");
+ foreach my $guid (@guids) {
+ my $g;
+ eval {
+ $g = $key->get_subkey("ActiveX Compatibility\\".$guid);
+ };
+ if ($@) {
+ ::rptMsg("$guid not found.");
+ }
+ else {
+ ::rptMsg("GUID: $guid");
+ my $flag;
+ eval {
+ $flag = $g->get_value("Compatibility Flags")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("Compatibility Flags value not found.");
+ }
+ else {
+ my $str = sprintf "Compatibility Flags 0x%x",$flag;
+ ::rptMsg($str);
+ }
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
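Review bot: The `"$guid not found."` branch in the GUID loop is effectively unreachable: `get_subkey` returns a false value rather than dying when the key is absent (the plugin's own `if ($key = $root_key->get_subkey($key_path))` tests rely on exactly that), so `$@` stays empty, `$g` is undef, and the miss only surfaces from the inner eval as `Compatibility Flags value not found.`. Change the test to `if ($@ || !defined $g) {` so a missing ActiveX Compatibility key is reported as such. Since an analyst reads this report to decide whether the kill bit is set, mislabelling "key absent" as "value absent" is a real accuracy problem, not cosmetic.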
diff --git a/RecentActivity/release/rr-full/plugins/sql_lastconnect.pl b/RecentActivity/release/rr-full/plugins/sql_lastconnect.pl
index fb1a216894..511ec4a7de 100755
--- a/RecentActivity/release/rr-full/plugins/sql_lastconnect.pl
+++ b/RecentActivity/release/rr-full/plugins/sql_lastconnect.pl
@@ -1,68 +1,68 @@
-#-----------------------------------------------------------
-# sql_lastconnect.pl
-#
-# Per MS, Microsoft Data Access Components (MDAC) clients can attempt
-# to use multiple protocols based on a protocol ordering, which is
-# listed in the SuperSocketNetLib\ProtocolOrder value. Successful
-# connection attempts (for SQL Server 2000) are cached in the LastConnect
-# key.
-#
-# References:
-# http://support.microsoft.com/kb/273673/
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package sql_lastconnect;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090112);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "MDAC cache of successful connections";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching sql_lastconnect v.".$VERSION);
- ::rptMsg("sql_lastconnect v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\MSSQLServer\\Client\\SuperSocketNetLib\\LastConnect";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("MDAC Cache of successful connections");
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $str = sprintf "%-15s %-25s",$v->get_name(),$v->get_data();
- ::rptMsg($str);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# sql_lastconnect.pl
+#
+# Per MS, Microsoft Data Access Components (MDAC) clients can attempt
+# to use multiple protocols based on a protocol ordering, which is
+# listed in the SuperSocketNetLib\ProtocolOrder value. Successful
+# connection attempts (for SQL Server 2000) are cached in the LastConnect
+# key.
+#
+# References:
+# http://support.microsoft.com/kb/273673/
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package sql_lastconnect;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090112);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "MDAC cache of successful connections";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching sql_lastconnect v.".$VERSION);
+ ::rptMsg("sql_lastconnect v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\MSSQLServer\\Client\\SuperSocketNetLib\\LastConnect";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("MDAC Cache of successful connections");
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $str = sprintf "%-15s %-25s",$v->get_name(),$v->get_data();
+ ::rptMsg($str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/ssid.pl b/RecentActivity/release/rr-full/plugins/ssid.pl
index b8ac575414..082944088a 100755
--- a/RecentActivity/release/rr-full/plugins/ssid.pl
+++ b/RecentActivity/release/rr-full/plugins/ssid.pl
@@ -1,185 +1,185 @@
-#-----------------------------------------------------------
-# ssid
-# Gets SSID and other info from WZCSVC key
-#
-#
-# Change History:
-# 20100301 - Updated References; removed dwCtlFlags being
-# printed; minor adjustments to formatting
-# 20091102 - added code to parse EAPOL values for SSIDs
-# 20090807 - updated code in accordance with WZC_WLAN_CONFIG
-# structure
-#
-# References
-# http://msdn.microsoft.com/en-us/library/aa448338.aspx
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package ssid;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100301);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get WZCSVC SSID Info";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-my $error;
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching ssid v.".$VERSION);
- ::rptMsg("ssid v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
-# Get the NetworkCards values
- my %nc;
- if (%nc = getNetworkCards($hive)) {
-
- }
- else {
- ::logMsg("Problem w/ SSIDs, getting NetworkCards: ".$error);
- return;
- }
-
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\WZCSVC\\Parameters\\Interfaces";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("SSID");
- ::rptMsg($key_path);
- ::rptMsg("");
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
- if (exists($nc{$name})) {
- ::rptMsg("NIC: ".$nc{$name}{descr});
- ::rptMsg("Key LastWrite: ".gmtime($s->get_timestamp())." UTC");
- ::rptMsg("");
- my @vals = $s->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $n = $v->get_name();
- if ($n =~ m/^Static#/) {
- my $data = $v->get_data();
-# my $w = unpack("V",substr($data,0x04,0x04));
-# printf "dwCtlFlags = 0x%x\n",$w;
-
- my $l = unpack("V",substr($data, 0x10, 0x04));
- my $ssid = substr($data,0x14,$l);
-
- my $tm = uc(unpack("H*",substr($data,0x08,0x06)));
- my @t = split(//,$tm);
- my $mac = $t[0].$t[1]."-".$t[2].$t[3]."-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11];
-
- my ($t1,$t2) = unpack("VV",substr($data,0x2B8,8));
- my $t = ::getTime($t1,$t2);
- my $str = sprintf gmtime($t)." MAC: %-18s %-8s",$mac,$ssid;
- ::rptMsg($str);
- }
- }
- }
- else {
- ::rptMsg($name." has no values.");
- }
- }
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-
-# Now, go to the EAPOL key, locate the appropriate subkeys and parse out
-# any available SSIDs
-# EAPOL is Extensible Authentication Protocol over LAN
- my $key_path = "Microsoft\\EAPOL\\Parameters\\Interfaces";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("");
- ::rptMsg($key_path);
- ::rptMsg("");
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
- if (exists $nc{$name}) {
- ::rptMsg("NIC: ".$nc{$name}{descr});
- }
- else {
- ::rptMsg("NIC: ".$name);
- }
- ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())." UTC");
-
- my @vals = $s->get_list_of_values();
- my %eapol;
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- $eapol{$v->get_name()} = parseEAPOLData($v->get_data());
- }
- foreach my $i (sort {$a <=> $b} keys %eapol) {
- my $str = sprintf "%-3d %s",$i,$eapol{$i};
- ::rptMsg($str);
- }
- }
- ::rptMsg("");
- }
- }
- else {
- ::rtpMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-sub getNetworkCards {
- my $hive = shift;
- my %nc;
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
- my $service = $s->get_value("ServiceName")->get_data();
- $nc{$service}{descr} = $s->get_value("Description")->get_data();
- $nc{$service}{lastwrite} = $s->get_timestamp();
- }
- }
- else {
- $error = $key_path." has no subkeys.";
- }
- }
- else {
- $error = $key_path." not found.";
- }
- return %nc;
-}
-
-sub parseEAPOLData {
- my $data = shift;
- my $size = unpack("V",substr($data,0x10,4));
- return substr($data,0x14,$size);
-}
-
+#-----------------------------------------------------------
+# ssid
+# Gets SSID and other info from WZCSVC key
+#
+#
+# Change History:
+# 20100301 - Updated References; removed dwCtlFlags being
+# printed; minor adjustments to formatting
+# 20091102 - added code to parse EAPOL values for SSIDs
+# 20090807 - updated code in accordance with WZC_WLAN_CONFIG
+# structure
+#
+# References
+# http://msdn.microsoft.com/en-us/library/aa448338.aspx
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package ssid;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100301);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get WZCSVC SSID Info";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my $error;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching ssid v.".$VERSION);
+ ::rptMsg("ssid v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+# Get the NetworkCards values
+ my %nc;
+ if (%nc = getNetworkCards($hive)) {
+
+ }
+ else {
+ ::logMsg("Problem w/ SSIDs, getting NetworkCards: ".$error);
+ return;
+ }
+
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\WZCSVC\\Parameters\\Interfaces";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("SSID");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ if (exists($nc{$name})) {
+ ::rptMsg("NIC: ".$nc{$name}{descr});
+ ::rptMsg("Key LastWrite: ".gmtime($s->get_timestamp())." UTC");
+ ::rptMsg("");
+ my @vals = $s->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $n = $v->get_name();
+ if ($n =~ m/^Static#/) {
+ my $data = $v->get_data();
+# my $w = unpack("V",substr($data,0x04,0x04));
+# printf "dwCtlFlags = 0x%x\n",$w;
+
+ my $l = unpack("V",substr($data, 0x10, 0x04));
+ my $ssid = substr($data,0x14,$l);
+
+ my $tm = uc(unpack("H*",substr($data,0x08,0x06)));
+ my @t = split(//,$tm);
+ my $mac = $t[0].$t[1]."-".$t[2].$t[3]."-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11];
+
+ my ($t1,$t2) = unpack("VV",substr($data,0x2B8,8));
+ my $t = ::getTime($t1,$t2);
+ my $str = sprintf gmtime($t)." MAC: %-18s %-8s",$mac,$ssid;
+ ::rptMsg($str);
+ }
+ }
+ }
+ else {
+ ::rptMsg($name." has no values.");
+ }
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+
+# Now, go to the EAPOL key, locate the appropriate subkeys and parse out
+# any available SSIDs
+# EAPOL is Extensible Authentication Protocol over LAN
+ my $key_path = "Microsoft\\EAPOL\\Parameters\\Interfaces";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ if (exists $nc{$name}) {
+ ::rptMsg("NIC: ".$nc{$name}{descr});
+ }
+ else {
+ ::rptMsg("NIC: ".$name);
+ }
+ ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())." UTC");
+
+ my @vals = $s->get_list_of_values();
+ my %eapol;
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ $eapol{$v->get_name()} = parseEAPOLData($v->get_data());
+ }
+ foreach my $i (sort {$a <=> $b} keys %eapol) {
+ my $str = sprintf "%-3d %s",$i,$eapol{$i};
+ ::rptMsg($str);
+ }
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rtpMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+sub getNetworkCards {
+ my $hive = shift;
+ my %nc;
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $service = $s->get_value("ServiceName")->get_data();
+ $nc{$service}{descr} = $s->get_value("Description")->get_data();
+ $nc{$service}{lastwrite} = $s->get_timestamp();
+ }
+ }
+ else {
+ $error = $key_path." has no subkeys.";
+ }
+ }
+ else {
+ $error = $key_path." not found.";
+ }
+ return %nc;
+}
+
+sub parseEAPOLData {
+ my $data = shift;
+ my $size = unpack("V",substr($data,0x10,4));
+ return substr($data,0x14,$size);
+}
+
 1;
\ No newline at end of file
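Review bot: `::rtpMsg($key_path." has no subkeys.");` in the EAPOL "no subkeys" branch is a typo for `::rptMsg`; under `use strict` it is a call to an undefined subroutine, so the plugin dies at runtime precisely on hives where the EAPOL Interfaces key exists but is empty. Change it to `::rptMsg($key_path." has no subkeys.");`. Separately, `getNetworkCards` calls `get_value("ServiceName")->get_data()` and `get_value("Description")->get_data()` with no `eval`, so a NetworkCards subkey lacking either value aborts the whole plugin instead of being skipped, whereas the other plugins in this patch wrap such lookups in `eval` and report the miss.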
diff --git a/RecentActivity/release/rr-full/plugins/startpage.pl b/RecentActivity/release/rr-full/plugins/startpage.pl
index 6cc8d5743d..70592a87cb 100755
--- a/RecentActivity/release/rr-full/plugins/startpage.pl
+++ b/RecentActivity/release/rr-full/plugins/startpage.pl
@@ -1,79 +1,79 @@
-#-----------------------------------------------------------
-# startpage.pl
-# For Windows 7
-#
-# Change history
-# 20100330 - created
-#
-# References
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package startpage;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100330);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets contents of user's StartPage key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching startpage v.".$VERSION);
- ::rptMsg("startpage v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my $menu;
- my $balloon;
-
- eval {
- my $val = $key->get_value("StartMenu_Start_Time")->get_data();
- my ($t0,$t1) = unpack("VV",$val);
- $menu = ::getTime($t0,$t1);
- ::rptMsg("StartMenu_Start_Time = ".gmtime($menu)." Z");
- };
- ::rptMsg("Error: ".@$) if (@$);
-
- eval {
- my $val = $key->get_value("StartMenu_Balloon_Time")->get_data();
- my ($t0,$t1) = unpack("VV",$val);
- $balloon = ::getTime($t0,$t1);
- ::rptMsg("StartMenu_Balloon_Time = ".gmtime($balloon)." Z");
- };
- ::rptMsg("Error: ".@$) if (@$);
-
-
-
-
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
+#-----------------------------------------------------------
+# startpage.pl
+# For Windows 7
+#
+# Change history
+# 20100330 - created
+#
+# References
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package startpage;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100330);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's StartPage key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching startpage v.".$VERSION);
+ ::rptMsg("startpage v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $menu;
+ my $balloon;
+
+ eval {
+ my $val = $key->get_value("StartMenu_Start_Time")->get_data();
+ my ($t0,$t1) = unpack("VV",$val);
+ $menu = ::getTime($t0,$t1);
+ ::rptMsg("StartMenu_Start_Time = ".gmtime($menu)." Z");
+ };
+ ::rptMsg("Error: ".@$) if (@$);
+
+ eval {
+ my $val = $key->get_value("StartMenu_Balloon_Time")->get_data();
+ my ($t0,$t1) = unpack("VV",$val);
+ $balloon = ::getTime($t0,$t1);
+ ::rptMsg("StartMenu_Balloon_Time = ".gmtime($balloon)." Z");
+ };
+ ::rptMsg("Error: ".@$) if (@$);
+
+
+
+
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
 1;
\ No newline at end of file
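Review bot: Both error checks after the `eval` blocks read `::rptMsg("Error: ".@$) if (@$);`, but the eval error variable is `$@`, not `@$`; as written the check never reports why a lookup failed, so a missing or malformed `StartMenu_Start_Time` / `StartMenu_Balloon_Time` value is silently dropped from the report (what `@$)` actually parses to here is not obvious either, which is a second reason not to leave it). Change both lines to `::rptMsg("Error: ".$@) if ($@);`, matching the `if ($@)` form the other plugins in this patch use. The five empty lines before the closing `}` of the `if` block could also go.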
diff --git a/RecentActivity/release/rr-full/plugins/stillimage.pl b/RecentActivity/release/rr-full/plugins/stillimage.pl
index 8c447e88e8..2a935db1b4 100755
--- a/RecentActivity/release/rr-full/plugins/stillimage.pl
+++ b/RecentActivity/release/rr-full/plugins/stillimage.pl
@@ -1,114 +1,114 @@
-#-----------------------------------------------------------
-# stillimage.pl
-# Parses contents of Enum\USB key for web cam
-#
-# History
-# 20100222 - created
-#
-# References
-# http://msdn.microsoft.com/en-us/library/ms791870.aspx
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package stillimage;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20100222);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get info on StillImage devices";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-my $reg;
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- ::logMsg("Launching stillimage v.".$VERSION);
- ::rptMsg("stillimage v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
-# Code for System file, getting CurrentControlSet
- my $current;
- my $ccs;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- $ccs = "ControlSet00".$current;
- }
- else {
- ::rptMsg($key_path." not found.");
- return;
- }
-
- my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
-
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar @subkeys > 0) {
- ::rptMsg("");
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
- next unless ($name =~ m/\d\d/);
- ::rptMsg($name);
-
- eval {
- my $desc = $s->get_value("DriverDesc")->get_data();
- ::rptMsg(" ".$desc);
- };
-
- eval {
- my $desc = $s->get_value("MatchingDeviceID")->get_data();
- ::rptMsg(" ".$desc);
- };
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-
-# http://msdn.microsoft.com/en-us/library/ms791870.aspx
-# StillImage logging levels
- my $key_path = $ccs."\\Control\\StillImage\\Logging";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("");
- ::rptMsg("StillImage Logging Level");
- eval {
- my $level = $key->get_subkey("STICLI")->get_value("Level")->get_data();
- my $str = sprintf " STICLI Logging Level = 0x%x",$level;
- ::rptMsg($str);
- };
- ::rptMsg("STICLI Error: ".$@) if ($@);
-
- eval {
- my $level = $key->get_subkey("STIMON")->get_value("Level")->get_data();
- my $str = sprintf " STIMON Logging Level = 0x%x",$level;
- ::rptMsg($str);
- };
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# stillimage.pl
+# Parses contents of Enum\USB key for web cam
+#
+# History
+# 20100222 - created
+#
+# References
+# http://msdn.microsoft.com/en-us/library/ms791870.aspx
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package stillimage;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100222);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get info on StillImage devices";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my $reg;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ ::logMsg("Launching stillimage v.".$VERSION);
+ ::rptMsg("stillimage v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ return;
+ }
+
+ my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar @subkeys > 0) {
+ ::rptMsg("");
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ next unless ($name =~ m/\d\d/);
+ ::rptMsg($name);
+
+ eval {
+ my $desc = $s->get_value("DriverDesc")->get_data();
+ ::rptMsg(" ".$desc);
+ };
+
+ eval {
+ my $desc = $s->get_value("MatchingDeviceID")->get_data();
+ ::rptMsg(" ".$desc);
+ };
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+
+# http://msdn.microsoft.com/en-us/library/ms791870.aspx
+# StillImage logging levels
+ my $key_path = $ccs."\\Control\\StillImage\\Logging";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg("StillImage Logging Level");
+ eval {
+ my $level = $key->get_subkey("STICLI")->get_value("Level")->get_data();
+ my $str = sprintf " STICLI Logging Level = 0x%x",$level;
+ ::rptMsg($str);
+ };
+ ::rptMsg("STICLI Error: ".$@) if ($@);
+
+ eval {
+ my $level = $key->get_subkey("STIMON")->get_value("Level")->get_data();
+ my $str = sprintf " STIMON Logging Level = 0x%x",$level;
+ ::rptMsg($str);
+ };
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/streammru.pl b/RecentActivity/release/rr-full/plugins/streammru.pl
index 82242cb8da..686b4e3c97 100755
--- a/RecentActivity/release/rr-full/plugins/streammru.pl
+++ b/RecentActivity/release/rr-full/plugins/streammru.pl
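Review bot: The STIMON logging-level lookup is wrapped in an `eval` whose error is never reported, unlike the STICLI block directly above it which ends with `::rptMsg("STICLI Error: ".$@) if ($@);`, so a missing STIMON subkey or Level value drops out of the report without a trace. Add `::rptMsg("STIMON Error: ".$@) if ($@);` after that eval. The header comment `# Parses contents of Enum\USB key for web cam` also no longer matches the code, which reads `Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}` and `Control\StillImage\Logging`; it should name those keys instead.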
@@ -1,66 +1,66 @@
-#-----------------------------------------------------------
-# streammru.pl
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package streammru;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090205);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "streammru";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching streammru v.".$VERSION);
- ::rptMsg("streammru v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("");
- ::rptMsg($key_path);
- ::rptMsg("");
-
- my $data = $key->get_value("5")->get_data();
-
- my $drive = substr($data, 0x16,4);
- ::rptMsg("Drive = ".$drive);
- ::rptMsg("");
-
- my $size = substr($data, 0x2d, 1);
- ::rptMsg("Size of first object: ".unpack("c",$size)." bytes");
- ::rptMsg("");
-
-
-
-
-
-
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
-}
+#-----------------------------------------------------------
+# streammru.pl
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package streammru;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090205);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "streammru";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching streammru v.".$VERSION);
+ ::rptMsg("streammru v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+
+ my $data = $key->get_value("5")->get_data();
+
+ my $drive = substr($data, 0x16,4);
+ ::rptMsg("Drive = ".$drive);
+ ::rptMsg("");
+
+ my $size = substr($data, 0x2d, 1);
+ ::rptMsg("Size of first object: ".unpack("c",$size)." bytes");
+ ::rptMsg("");
+
+
+
+
+
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/streams.pl b/RecentActivity/release/rr-full/plugins/streams.pl
index 82242cb8da..686b4e3c97 100755
--- a/RecentActivity/release/rr-full/plugins/streams.pl
+++ b/RecentActivity/release/rr-full/plugins/streams.pl
@@ -1,65 +1,65 @@
-#-----------------------------------------------------------
-# streams.pl
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package streams;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20081124);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Parse Streams and StreamsMRU entries";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching streams v.".$VERSION);
- ::rptMsg("streams v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("streamMRU");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $i (0..10) {
- my $data = $key->get_value($i)->get_data();
- open(FH,">",$i);
- binmode(FH);
- print FH $data;
- close(FH);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
-
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
-}
+#-----------------------------------------------------------
+# streams.pl
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package streams;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081124);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Parse Streams and StreamsMRU entries";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching streams v.".$VERSION);
+ ::rptMsg("streams v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("streamMRU");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $i (0..10) {
+ my $data = $key->get_value($i)->get_data();
+ open(FH,">",$i);
+ binmode(FH);
+ print FH $data;
+ close(FH);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/svc.pl b/RecentActivity/release/rr-full/plugins/svc.pl
index cdb52f4fa9..4fdd38b4e0 100755
--- a/RecentActivity/release/rr-full/plugins/svc.pl
+++ b/RecentActivity/release/rr-full/plugins/svc.pl
@@ -1,151 +1,151 @@ -#----------------------------------------------------------- -# svc.pl -# Plugin for Registry Ripper; Access System hive file to get the -# services, display short format (hence "svc", shortened version -# of service.pl plugin) -# -# Change history -# 20080610 - created -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package svc; -#use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080610); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists services/drivers in Services key by LastWrite times (short format)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -# Reference for types and start types: -# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx -my %types = (0x001 => "Kernel driver", - 0x002 => "File system driver", - 0x010 => "Own_Process", - 0x020 => "Share_Process", - 0x100 => "Interactive"); - -my %starts = (0x00 => "Boot Start", - 0x01 => "System Start", - 0x02 => "Auto Start", - 0x03 => "Manual", - 0x04 => "Disabled"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching svc v.".$VERSION); - ::rptMsg("svc v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $s_path = $ccs."\\Services"; - my $svc; - my %svcs; - if ($svc = $root_key->get_subkey($s_path)) { - ::rptMsg($s_path); - 
::rptMsg(getShortDescr()); - ::rptMsg(""); -# Get all subkeys and sort based on LastWrite times - my @subkeys = $svc->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - - my $type; - eval { - $type = $s->get_value("Type")->get_data(); - }; - - $name = $s->get_name(); - my $display; - eval { - $display = $s->get_value("DisplayName")->get_data(); - }; - - my $image; - eval { - $image = $s->get_value("ImagePath")->get_data(); - }; - - my $start; - eval { - $start = $s->get_value("Start")->get_data(); - if (exists $starts{$start}) { - $start = $starts{$start}; - } - }; - - my $object; - eval { - $object = $s->get_value("ObjectName")->get_data(); - }; - next if ($type == 0x001 || $type == 0x002); - my $str = $name.";".$display.";".$image.";".$type.";".$start.";".$object; - push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); - } - - foreach my $t (reverse sort {$a <=> $b} keys %svcs) { - ::rptMsg(gmtime($t)."Z"); - foreach my $item (@{$svcs{$t}}) { - my ($n,$d,$i,$t,$s,$o) = split(/;/,$item,6); - my $str = " ".$n; - - if ($i eq "") { - if ($d eq "") { - - } - else { - $str = $str." (".$d.")"; - } - } - else { - $str = $str." (".$i.")"; - } - - $str = $str." [".$o."]" unless ($o eq ""); - - ::rptMsg($str); - } - ::rptMsg(""); - } - - } - else { - ::rptMsg($s_path." has no subkeys."); - ::logMsg("Error: ".$s_path." has no subkeys."); - } - } - else { - ::rptMsg($s_path." not found."); - ::logMsg($s_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# svc.pl +# Plugin for Registry Ripper; Access System hive file to get the +# services, display short format (hence "svc", shortened version +# of service.pl plugin) +# +# Change history +# 20080610 - created +# +# copyright 2008 H. 
Carvey +#----------------------------------------------------------- +package svc; +#use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080610); + +sub getConfig{return %config} +sub getShortDescr { + return "Lists services/drivers in Services key by LastWrite times (short format)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +# Reference for types and start types: +# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx +my %types = (0x001 => "Kernel driver", + 0x002 => "File system driver", + 0x010 => "Own_Process", + 0x020 => "Share_Process", + 0x100 => "Interactive"); + +my %starts = (0x00 => "Boot Start", + 0x01 => "System Start", + 0x02 => "Auto Start", + 0x03 => "Manual", + 0x04 => "Disabled"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching svc v.".$VERSION); + ::rptMsg("svc v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $s_path = $ccs."\\Services"; + my $svc; + my %svcs; + if ($svc = $root_key->get_subkey($s_path)) { + ::rptMsg($s_path); + ::rptMsg(getShortDescr()); + ::rptMsg(""); +# Get all subkeys and sort based on LastWrite times + my @subkeys = $svc->get_list_of_subkeys(); + if (scalar (@subkeys) > 0) { + foreach my $s (@subkeys) { + + my $type; + eval { + $type = $s->get_value("Type")->get_data(); + }; + + $name = $s->get_name(); + my $display; + eval { + $display 
= $s->get_value("DisplayName")->get_data(); + }; + + my $image; + eval { + $image = $s->get_value("ImagePath")->get_data(); + }; + + my $start; + eval { + $start = $s->get_value("Start")->get_data(); + if (exists $starts{$start}) { + $start = $starts{$start}; + } + }; + + my $object; + eval { + $object = $s->get_value("ObjectName")->get_data(); + }; + next if ($type == 0x001 || $type == 0x002); + my $str = $name.";".$display.";".$image.";".$type.";".$start.";".$object; + push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); + } + + foreach my $t (reverse sort {$a <=> $b} keys %svcs) { + ::rptMsg(gmtime($t)."Z"); + foreach my $item (@{$svcs{$t}}) { + my ($n,$d,$i,$t,$s,$o) = split(/;/,$item,6); + my $str = " ".$n; + + if ($i eq "") { + if ($d eq "") { + + } + else { + $str = $str." (".$d.")"; + } + } + else { + $str = $str." (".$i.")"; + } + + $str = $str." [".$o."]" unless ($o eq ""); + + ::rptMsg($str); + } + ::rptMsg(""); + } + + } + else { + ::rptMsg($s_path." has no subkeys."); + ::logMsg("Error: ".$s_path." has no subkeys."); + } + } + else { + ::rptMsg($s_path." not found."); + ::logMsg($s_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/svc2.pl b/RecentActivity/release/rr-full/plugins/svc2.pl index 33718a6a7c..0a12370371 100755 --- a/RecentActivity/release/rr-full/plugins/svc2.pl +++ b/RecentActivity/release/rr-full/plugins/svc2.pl 
@@ -1,148 +1,148 @@ -#----------------------------------------------------------- -# svc2.pl -# Plugin for Registry Ripper; Access System hive file to get the -# services, display short format (hence "svc", shortened version -# of service.pl plugin); outputs info in .csv format -# -# Change history -# 20081129 - created -# -# Ref: -# http://msdn.microsoft.com/en-us/library/aa394073(VS.85).aspx -# -# Analysis Tip: Several services keys have Parameters subkeys that point to -# the ServiceDll value; During intrusions, a service key may be added to -# the system's Registry; using this module, send the output to .csv format -# and sort on column B to get the names to line up -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package svc2; -#use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081129); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists Services key contents by LastWrite times (CSV)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %types = (0x001 => "Kernel driver", - 0x002 => "File system driver", - 0x004 => "Adapter", - 0x010 => "Own_Process", - 0x020 => "Share_Process", - 0x100 => "Interactive"); - -my %starts = (0x00 => "Boot Start", - 0x01 => "System Start", - 0x02 => "Auto Start", - 0x03 => "Manual", - 0x04 => "Disabled"); - -sub pluginmain { - my $class = shift; - my $hive = shift; -# ::logMsg("Launching svc2 v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = 
$key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $s_path = $ccs."\\Services"; - my $svc; - my %svcs; - if ($svc = $root_key->get_subkey($s_path)) { -# ::rptMsg($s_path); -# ::rptMsg(getShortDescr()); -# ::rptMsg(""); -# Get all subkeys and sort based on LastWrite times - my @subkeys = $svc->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - $name = $s->get_name(); - my $display; - eval { - $display = $s->get_value("DisplayName")->get_data(); -# take commas out of the display name, replace w/ semi-colons - $display =~ s/,/;/g; - }; - - my $type; - eval { - $type = $s->get_value("Type")->get_data(); - $type = $types{$type} if (exists $types{$type}); - - }; - - my $image; - eval { - $image = $s->get_value("ImagePath")->get_data(); - }; - - my $start; - eval { - $start = $s->get_value("Start")->get_data(); - $start = $starts{$start} if (exists $starts{$start}); - }; - - my $object; - eval { - $object = $s->get_value("ObjectName")->get_data(); - }; - - my $str = $name."\|".$display."\|".$image."\|".$type."\|".$start."\|".$object; - push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); -# Get ServiceDll value if there is one - eval { - my $para = $s->get_subkey("Parameters"); - my $dll = $para->get_value("ServiceDll")->get_data(); - my $str = $name."\\Parameters\|\|".$dll."\|\|\|"; - push(@{$svcs{$para->get_timestamp()}},$str); - }; - - } - - foreach my $t (reverse sort {$a <=> $b} keys %svcs) { -# ::rptMsg(gmtime($t)."Z"); - foreach my $item (@{$svcs{$t}}) { - my ($n,$d,$i,$t2,$s,$o) = split(/\|/,$item,6); -# ::rptMsg($t.",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o); - ::rptMsg(gmtime($t)."Z".",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o); - } - } - } - else { - ::rptMsg($s_path." has no subkeys."); - ::logMsg("Error: ".$s_path." has no subkeys."); - } - } - else { - ::rptMsg($s_path." not found."); - ::logMsg($s_path." not found."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::logMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# svc2.pl +# Plugin for Registry Ripper; Access System hive file to get the +# services, display short format (hence "svc", shortened version +# of service.pl plugin); outputs info in .csv format +# +# Change history +# 20081129 - created +# +# Ref: +# http://msdn.microsoft.com/en-us/library/aa394073(VS.85).aspx +# +# Analysis Tip: Several services keys have Parameters subkeys that point to +# the ServiceDll value; During intrusions, a service key may be added to +# the system's Registry; using this module, send the output to .csv format +# and sort on column B to get the names to line up +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package svc2; +#use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20081129); + +sub getConfig{return %config} +sub getShortDescr { + return "Lists Services key contents by LastWrite times (CSV)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %types = (0x001 => "Kernel driver", + 0x002 => "File system driver", + 0x004 => "Adapter", + 0x010 => "Own_Process", + 0x020 => "Share_Process", + 0x100 => "Interactive"); + +my %starts = (0x00 => "Boot Start", + 0x01 => "System Start", + 0x02 => "Auto Start", + 0x03 => "Manual", + 0x04 => "Disabled"); + +sub pluginmain { + my $class = shift; + my $hive = shift; +# ::logMsg("Launching svc2 v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current 
= $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $s_path = $ccs."\\Services"; + my $svc; + my %svcs; + if ($svc = $root_key->get_subkey($s_path)) { +# ::rptMsg($s_path); +# ::rptMsg(getShortDescr()); +# ::rptMsg(""); +# Get all subkeys and sort based on LastWrite times + my @subkeys = $svc->get_list_of_subkeys(); + if (scalar (@subkeys) > 0) { + foreach my $s (@subkeys) { + $name = $s->get_name(); + my $display; + eval { + $display = $s->get_value("DisplayName")->get_data(); +# take commas out of the display name, replace w/ semi-colons + $display =~ s/,/;/g; + }; + + my $type; + eval { + $type = $s->get_value("Type")->get_data(); + $type = $types{$type} if (exists $types{$type}); + + }; + + my $image; + eval { + $image = $s->get_value("ImagePath")->get_data(); + }; + + my $start; + eval { + $start = $s->get_value("Start")->get_data(); + $start = $starts{$start} if (exists $starts{$start}); + }; + + my $object; + eval { + $object = $s->get_value("ObjectName")->get_data(); + }; + + my $str = $name."\|".$display."\|".$image."\|".$type."\|".$start."\|".$object; + push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); +# Get ServiceDll value if there is one + eval { + my $para = $s->get_subkey("Parameters"); + my $dll = $para->get_value("ServiceDll")->get_data(); + my $str = $name."\\Parameters\|\|".$dll."\|\|\|"; + push(@{$svcs{$para->get_timestamp()}},$str); + }; + + } + + foreach my $t (reverse sort {$a <=> $b} keys %svcs) { +# ::rptMsg(gmtime($t)."Z"); + foreach my $item (@{$svcs{$t}}) { + my ($n,$d,$i,$t2,$s,$o) = split(/\|/,$item,6); +# ::rptMsg($t.",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o); + ::rptMsg(gmtime($t)."Z".",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o); + } + } + } + else { + ::rptMsg($s_path." has no subkeys."); + ::logMsg("Error: ".$s_path." has no subkeys."); + } + } + else { + ::rptMsg($s_path." not found."); + ::logMsg($s_path." not found."); + } + } + else { + ::rptMsg($key_path." 
not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/svcdll.pl b/RecentActivity/release/rr-full/plugins/svcdll.pl index ec5b9b1edf..38aa4748c6 100755 --- a/RecentActivity/release/rr-full/plugins/svcdll.pl +++ b/RecentActivity/release/rr-full/plugins/svcdll.pl 
@@ -1,133 +1,133 @@ -#----------------------------------------------------------- -# svcdll.pl -# -# Change history -# 20091104 - created -# -# Ref: -# http://msdn.microsoft.com/en-us/library/aa394073(VS.85).aspx -# -# Analysis Tip: Several services keys have Parameters subkeys that point to -# the ServiceDll value; During intrusions, a service key may be added to -# the system's Registry; this module provides a quick look, displaying the -# Service names (in malware, sometimes random) and the ServiceDll value, -# sorted based on the LastWrite time of the \Parameters subkey. -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package svcdll; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091104); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists Services keys with ServiceDll values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -#my %types = (0x001 => "Kernel driver", -# 0x002 => "File system driver", -# 0x004 => "Adapter", -# 0x010 => "Own_Process", -# 0x020 => "Share_Process", -# 0x100 => "Interactive"); - -#my %starts = (0x00 => "Boot Start", -# 0x01 => "System Start", -# 0x02 => "Auto Start", -# 0x03 => "Manual", -# 0x04 => "Disabled"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching svcdll v.".$VERSION); - ::rptMsg("svcdll v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = 
$key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $s_path = $ccs."\\Services"; - my $svc; - my %svcs; - if ($svc = $root_key->get_subkey($s_path)) { - -# Get all subkeys and sort based on LastWrite times - my @subkeys = $svc->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); -# my $display; -# eval { -# $display = $s->get_value("DisplayName")->get_data(); -# }; - -# my $type; -# eval { -# $type = $s->get_value("Type")->get_data(); -# $type = $types{$type} if (exists $types{$type}); -# }; - -# my $image; -# eval { -# $image = $s->get_value("ImagePath")->get_data(); -# }; - -# my $start; -# eval { -# $start = $s->get_value("Start")->get_data(); -# $start = $starts{$start} if (exists $starts{$start}); -# }; - - my $dll; - eval { - $dll = $s->get_subkey("Parameters")->get_value("ServiceDll")->get_data(); - my $str = $name." -> ".$dll; - push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); - }; - } - - foreach my $t (reverse sort {$a <=> $b} keys %svcs) { - ::rptMsg(gmtime($t)."Z"); - foreach my $item (@{$svcs{$t}}) { - ::rptMsg(" ".$item); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($s_path." has no subkeys."); - ::logMsg("Error: ".$s_path." has no subkeys."); - } - } - else { - ::rptMsg($s_path." not found."); - ::logMsg($s_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# svcdll.pl +# +# Change history +# 20091104 - created +# +# Ref: +# http://msdn.microsoft.com/en-us/library/aa394073(VS.85).aspx +# +# Analysis Tip: Several services keys have Parameters subkeys that point to +# the ServiceDll value; During intrusions, a service key may be added to +# the system's Registry; this module provides a quick look, displaying the +# Service names (in malware, sometimes random) and the ServiceDll value, +# sorted based on the LastWrite time of the \Parameters subkey. +# +# copyright 2009 H. Carvey +#----------------------------------------------------------- +package svcdll; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20091104); + +sub getConfig{return %config} +sub getShortDescr { + return "Lists Services keys with ServiceDll values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +#my %types = (0x001 => "Kernel driver", +# 0x002 => "File system driver", +# 0x004 => "Adapter", +# 0x010 => "Own_Process", +# 0x020 => "Share_Process", +# 0x100 => "Interactive"); + +#my %starts = (0x00 => "Boot Start", +# 0x01 => "System Start", +# 0x02 => "Auto Start", +# 0x03 => "Manual", +# 0x04 => "Disabled"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching svcdll v.".$VERSION); + ::rptMsg("svcdll v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = 
$key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $s_path = $ccs."\\Services"; + my $svc; + my %svcs; + if ($svc = $root_key->get_subkey($s_path)) { + +# Get all subkeys and sort based on LastWrite times + my @subkeys = $svc->get_list_of_subkeys(); + if (scalar (@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); +# my $display; +# eval { +# $display = $s->get_value("DisplayName")->get_data(); +# }; + +# my $type; +# eval { +# $type = $s->get_value("Type")->get_data(); +# $type = $types{$type} if (exists $types{$type}); +# }; + +# my $image; +# eval { +# $image = $s->get_value("ImagePath")->get_data(); +# }; + +# my $start; +# eval { +# $start = $s->get_value("Start")->get_data(); +# $start = $starts{$start} if (exists $starts{$start}); +# }; + + my $dll; + eval { + $dll = $s->get_subkey("Parameters")->get_value("ServiceDll")->get_data(); + my $str = $name." -> ".$dll; + push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); + }; + } + + foreach my $t (reverse sort {$a <=> $b} keys %svcs) { + ::rptMsg(gmtime($t)."Z"); + foreach my $item (@{$svcs{$t}}) { + ::rptMsg(" ".$item); + } + ::rptMsg(""); + } + } + else { + ::rptMsg($s_path." has no subkeys."); + ::logMsg("Error: ".$s_path." has no subkeys."); + } + } + else { + ::rptMsg($s_path." not found."); + ::logMsg($s_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/svchost.pl b/RecentActivity/release/rr-full/plugins/svchost.pl index ce097da173..694205b36e 100755 --- a/RecentActivity/release/rr-full/plugins/svchost.pl +++ b/RecentActivity/release/rr-full/plugins/svchost.pl 
@@ -1,76 +1,76 @@
-#-----------------------------------------------------------
-# svchost
-# Plugin to get data from Security Center keys
-#
-# Change History:
-# 20100322 - created
-#
-# References:
-# http://support.microsoft.com/kb/314056
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package svchost;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100322);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get entries from SvcHost key";
-}
-sub getDescr{}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- my $infected = 0;
- ::logMsg("Launching svchost v.".$VERSION);
- ::rptMsg("svchost v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = 'Microsoft\Windows NT\CurrentVersion\SvcHost';
- my $key;
- ::rptMsg("svchost");
- ::rptMsg("");
-
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my @data = $v->get_data();
- my $d;
- if (scalar(@data) > 1) {
- $d = join(',',@data);
- }
- else {
- $d = $data[0];
- }
- my $str = sprintf "%-15s %-55s",$v->get_name(),$d;
- ::rptMsg($str);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::rptMsg("");
- }
-}
+#-----------------------------------------------------------
+# svchost
+# Plugin to get data from Security Center keys
+#
+# Change History:
+# 20100322 - created
+#
+# References:
+# http://support.microsoft.com/kb/314056
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package svchost;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100322);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get entries from SvcHost key";
+}
+sub getDescr{}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my $infected = 0;
+ ::logMsg("Launching svchost v.".$VERSION);
+ ::rptMsg("svchost v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = 'Microsoft\Windows NT\CurrentVersion\SvcHost';
+ my $key;
+ ::rptMsg("svchost");
+ ::rptMsg("");
+
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my @data = $v->get_data();
+ my $d;
+ if (scalar(@data) > 1) {
+ $d = join(',',@data);
+ }
+ else {
+ $d = $data[0];
+ }
+ my $str = sprintf "%-15s %-55s",$v->get_name(),$d;
+ ::rptMsg($str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::rptMsg("");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/termcert.pl b/RecentActivity/release/rr-full/plugins/termcert.pl
index 1871dc5035..2b97a18811 100755
--- a/RecentActivity/release/rr-full/plugins/termcert.pl
+++ b/RecentActivity/release/rr-full/plugins/termcert.pl
@@ -1,98 +1,98 @@ -#----------------------------------------------------------- -# termcert.pl -# Plugin for Registry Ripper; -# -# Change history -# 20110316 - created -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package termcert; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20110316); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Terminal Server certificate"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching termcert v.".$VERSION); - ::rptMsg("termcert v.".$VERSION); # banner - ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $ts_path = $ccs."\\Services\\TermService\\Parameters"; - my $ts; - if ($ts = $root_key->get_subkey($ts_path)) { - ::rptMsg($ts_path); - ::rptMsg("LastWrite Time ".gmtime($ts->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $cert; - eval { - $cert = $ts->get_value("Certificate")->get_raw_data(); - - printSector($cert); - }; - ::rptMsg("Certificate value not found.") if ($@); - } - else { - ::rptMsg($ts_path." not found."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub printSector { - my $data = shift; - my $len = length($data); - my $remaining = $len; - my $i = 0; - - while ($remaining > 0) { - my $seg1 = substr($data,$i * 16,16); - my @str1 = split(//,unpack("H*",$seg1)); - - my @s3; - foreach my $i (0..15) { - $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; - } - - my $h = join(' ',@s3); - my @s1 = unpack("A*",$seg1); - my $s2 = join('',@s1); - $s2 =~ s/\W/\./g; - - ::rptMsg(sprintf "%-50s %-20s",$h,$s2); - $i++; - $remaining -= 16; - } -} - +#----------------------------------------------------------- +# termcert.pl +# Plugin for Registry Ripper; +# +# Change history +# 20110316 - created +# +# copyright 2011 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package termcert; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20110316); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets Terminal Server certificate"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching termcert v.".$VERSION); + ::rptMsg("termcert v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $ts_path = $ccs."\\Services\\TermService\\Parameters"; + my $ts; + if ($ts = $root_key->get_subkey($ts_path)) { + ::rptMsg($ts_path); + ::rptMsg("LastWrite Time 
".gmtime($ts->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my $cert; + eval { + $cert = $ts->get_value("Certificate")->get_raw_data(); + + printSector($cert); + }; + ::rptMsg("Certificate value not found.") if ($@); + } + else { + ::rptMsg($ts_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub printSector { + my $data = shift; + my $len = length($data); + my $remaining = $len; + my $i = 0; + + while ($remaining > 0) { + my $seg1 = substr($data,$i * 16,16); + my @str1 = split(//,unpack("H*",$seg1)); + + my @s3; + foreach my $i (0..15) { + $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; + } + + my $h = join(' ',@s3); + my @s1 = unpack("A*",$seg1); + my $s2 = join('',@s1); + $s2 =~ s/\W/\./g; + + ::rptMsg(sprintf "%-50s %-20s",$h,$s2); + $i++; + $remaining -= 16; + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/termserv.pl b/RecentActivity/release/rr-full/plugins/termserv.pl index 9eac550290..6721018a50 100755 --- a/RecentActivity/release/rr-full/plugins/termserv.pl +++ b/RecentActivity/release/rr-full/plugins/termserv.pl 
@@ -1,161 +1,161 @@ -#----------------------------------------------------------- -# termserv.pl -# Plugin for Registry Ripper; -# -# Change history -# 20130307 - updated with autostart locations -# 20100713 - Updated to include additional values, based on references -# 20100119 - updated -# 20090727 - created -# -# Category: Autostart -# -# References -# Change TS listening port number - http://support.microsoft.com/kb/187623 -# Examining TS key - http://support.microsoft.com/kb/243215 -# Win2K8 TS stops listening - http://support.microsoft.com/kb/954398 -# XP/Win2K3 TSAdvertise value - http://support.microsoft.com/kb/281307 -# AllowTSConnections value - http://support.microsoft.com/kb/305608 -# TSEnabled value - http://support.microsoft.com/kb/222992 -# TSUserEnabled value - http://support.microsoft.com/kb/238965 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package termserv; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20130307); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Terminal Server values from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching termserv v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $ts_path = $ccs."\\Control\\Terminal Server"; - my $ts; - if ($ts = 
$root_key->get_subkey($ts_path)) { - ::rptMsg($ts_path); - ::rptMsg("LastWrite Time ".gmtime($ts->get_timestamp())." (UTC)"); - ::rptMsg(""); - ::rptMsg("Reference: http://support.microsoft.com/kb/243215"); - ::rptMsg(""); - - my $ver; - eval { - $ver = $ts->get_value("ProductVersion")->get_data(); - ::rptMsg(" ProductVersion = ".$ver); - }; - ::rptMsg(""); - - my $fdeny; - eval { - $fdeny = $ts->get_value("fDenyTSConnections")->get_data(); - ::rptMsg(" fDenyTSConnections = ".$fdeny); - ::rptMsg(" 1 = connections denied"); - }; - ::rptMsg("fDenyTSConnections value not found.") if ($@); - ::rptMsg(""); - - my $allow; - eval { - $allow = $ts->get_value("AllowTSConnections")->get_data(); - ::rptMsg(" AllowTSConnections = ".$allow); - ::rptMsg(" Ref: http://support.microsoft.com/kb/305608"); - }; - ::rptMsg(""); - - my $ad; - eval { - $ad = $ts->get_value("TSAdvertise")->get_data(); - ::rptMsg(" TSAdvertise = ".$ad); - ::rptMsg(" 0 = disabled, 1 = enabled (advertise Terminal Services)"); - ::rptMsg(" Ref: http://support.microsoft.com/kb/281307"); - }; - ::rptMsg(""); - - my $enabled; - eval { - $enabled = $ts->get_value("TSEnabled")->get_data(); - ::rptMsg(" TSEnabled = ".$enabled); - ::rptMsg(" 0 = disabled, 1 = enabled (Terminal Services enabled)"); - ::rptMsg(" Ref: http://support.microsoft.com/kb/222992"); - }; - ::rptMsg(""); - - my $user; - eval { - $user = $ts->get_value("TSUserEnabled")->get_data(); - ::rptMsg(" TSUserEnabled = ".$user); - ::rptMsg(" 1 = All users logging in are automatically part of the"); - ::rptMsg(" built-in Terminal Server User group. 
0 = No one is a"); - ::rptMsg(" member of the built-in group."); - ::rptMsg(" Ref: http://support.microsoft.com/kb/238965"); - }; - ::rptMsg(""); - - my $help; - eval { - $help = $ts->get_value("fAllowToGetHelp")->get_data(); - ::rptMsg(" fAllowToGetHelp = ".$user); - ::rptMsg(" 1 = Users can request assistance from friend or a "); - ::rptMsg(" support professional."); - ::rptMsg(" Ref: http://www.pctools.com/guides/registry/detail/1213/"); - }; - - ::rptMsg("AutoStart Locations"); - eval { - my $start = $ts->get_subkey("Wds\\rdpwd")->get_value("StartupPrograms")->get_data(); - ::rptMsg("Wds\\rdpwd key"); - ::rptMsg(" StartupPrograms: ".$start); - ::rptMsg("Analysis Tip: This value usually contains 'rdpclip'; any additional entries "); - ::rptMsg("should be investigated\."); - ::rptMsg(""); - }; - ::rptMsg(" StartupPrograms value not found\.") if ($@); - - eval { - my $init = $ts->get_subkey("WinStations\\RDP-Tcp")->get_value("InitialProgram")->get_data(); - ::rptMsg("WinStations\\RDP-Tcp key"); - $init = "{blank}" if ($init eq ""); - ::rptMsg(" InitialProgram: ".$init); - ::rptMsg("Analysis Tip: Maybe be empty; appears as '{blank}'"); - }; - ::rptMsg(" InitialProgram value not found\.") if ($@); - - - } - else { - ::rptMsg($ts_path." not found."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# termserv.pl +# Plugin for Registry Ripper; +# +# Change history +# 20130307 - updated with autostart locations +# 20100713 - Updated to include additional values, based on references +# 20100119 - updated +# 20090727 - created +# +# Category: Autostart +# +# References +# Change TS listening port number - http://support.microsoft.com/kb/187623 +# Examining TS key - http://support.microsoft.com/kb/243215 +# Win2K8 TS stops listening - http://support.microsoft.com/kb/954398 +# XP/Win2K3 TSAdvertise value - http://support.microsoft.com/kb/281307 +# AllowTSConnections value - http://support.microsoft.com/kb/305608 +# TSEnabled value - http://support.microsoft.com/kb/222992 +# TSUserEnabled value - http://support.microsoft.com/kb/238965 +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package termserv; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130307); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets Terminal Server values from System hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching termserv v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $ts_path = $ccs."\\Control\\Terminal Server"; + my $ts; + if ($ts = 
$root_key->get_subkey($ts_path)) { + ::rptMsg($ts_path); + ::rptMsg("LastWrite Time ".gmtime($ts->get_timestamp())." (UTC)"); + ::rptMsg(""); + ::rptMsg("Reference: http://support.microsoft.com/kb/243215"); + ::rptMsg(""); + + my $ver; + eval { + $ver = $ts->get_value("ProductVersion")->get_data(); + ::rptMsg(" ProductVersion = ".$ver); + }; + ::rptMsg(""); + + my $fdeny; + eval { + $fdeny = $ts->get_value("fDenyTSConnections")->get_data(); + ::rptMsg(" fDenyTSConnections = ".$fdeny); + ::rptMsg(" 1 = connections denied"); + }; + ::rptMsg("fDenyTSConnections value not found.") if ($@); + ::rptMsg(""); + + my $allow; + eval { + $allow = $ts->get_value("AllowTSConnections")->get_data(); + ::rptMsg(" AllowTSConnections = ".$allow); + ::rptMsg(" Ref: http://support.microsoft.com/kb/305608"); + }; + ::rptMsg(""); + + my $ad; + eval { + $ad = $ts->get_value("TSAdvertise")->get_data(); + ::rptMsg(" TSAdvertise = ".$ad); + ::rptMsg(" 0 = disabled, 1 = enabled (advertise Terminal Services)"); + ::rptMsg(" Ref: http://support.microsoft.com/kb/281307"); + }; + ::rptMsg(""); + + my $enabled; + eval { + $enabled = $ts->get_value("TSEnabled")->get_data(); + ::rptMsg(" TSEnabled = ".$enabled); + ::rptMsg(" 0 = disabled, 1 = enabled (Terminal Services enabled)"); + ::rptMsg(" Ref: http://support.microsoft.com/kb/222992"); + }; + ::rptMsg(""); + + my $user; + eval { + $user = $ts->get_value("TSUserEnabled")->get_data(); + ::rptMsg(" TSUserEnabled = ".$user); + ::rptMsg(" 1 = All users logging in are automatically part of the"); + ::rptMsg(" built-in Terminal Server User group. 
0 = No one is a"); + ::rptMsg(" member of the built-in group."); + ::rptMsg(" Ref: http://support.microsoft.com/kb/238965"); + }; + ::rptMsg(""); + + my $help; + eval { + $help = $ts->get_value("fAllowToGetHelp")->get_data(); + ::rptMsg(" fAllowToGetHelp = ".$user); + ::rptMsg(" 1 = Users can request assistance from friend or a "); + ::rptMsg(" support professional."); + ::rptMsg(" Ref: http://www.pctools.com/guides/registry/detail/1213/"); + }; + + ::rptMsg("AutoStart Locations"); + eval { + my $start = $ts->get_subkey("Wds\\rdpwd")->get_value("StartupPrograms")->get_data(); + ::rptMsg("Wds\\rdpwd key"); + ::rptMsg(" StartupPrograms: ".$start); + ::rptMsg("Analysis Tip: This value usually contains 'rdpclip'; any additional entries "); + ::rptMsg("should be investigated\."); + ::rptMsg(""); + }; + ::rptMsg(" StartupPrograms value not found\.") if ($@); + + eval { + my $init = $ts->get_subkey("WinStations\\RDP-Tcp")->get_value("InitialProgram")->get_data(); + ::rptMsg("WinStations\\RDP-Tcp key"); + $init = "{blank}" if ($init eq ""); + ::rptMsg(" InitialProgram: ".$init); + ::rptMsg("Analysis Tip: Maybe be empty; appears as '{blank}'"); + }; + ::rptMsg(" InitialProgram value not found\.") if ($@); + + + } + else { + ::rptMsg($ts_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/timezone.pl b/RecentActivity/release/rr-full/plugins/timezone.pl index 81655c82f0..8969fb197c 100755 --- a/RecentActivity/release/rr-full/plugins/timezone.pl +++ b/RecentActivity/release/rr-full/plugins/timezone.pl 
@@ -1,90 +1,90 @@ -#----------------------------------------------------------- -# timezone.pl -# Plugin for Registry Ripper; Access System hive file to get the -# contents of the TimeZoneInformation key -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/102986 -# http://support.microsoft.com/kb/207563 -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package timezone; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Get TimeZoneInformation key contents"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching timezone v.".$VERSION); - ::rptMsg("timezone v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $tz_path = $ccs."\\Control\\TimeZoneInformation"; - my $tz; - if ($tz = $root_key->get_subkey($tz_path)) { - ::rptMsg("TimeZoneInformation key"); - ::rptMsg($tz_path); - ::rptMsg("LastWrite Time ".gmtime($tz->get_timestamp())." 
(UTC)"); - my %tz_vals; - my @vals = $tz->get_list_of_values(); - if (scalar(@vals) > 0) { - map{$tz_vals{$_->get_name()} = $_->get_data()}(@vals); - - ::rptMsg(" DaylightName -> ".$tz_vals{"DaylightName"}); - ::rptMsg(" StandardName -> ".$tz_vals{"StandardName"}); - - my $bias = $tz_vals{"Bias"}/60; - my $atbias = $tz_vals{"ActiveTimeBias"}/60; - - ::rptMsg(" Bias -> ".$tz_vals{"Bias"}." (".$bias." hours)"); - ::rptMsg(" ActiveTimeBias -> ".$tz_vals{"ActiveTimeBias"}." (".$atbias." hours)"); - - } - else { - ::rptMsg($tz_path." has no values."); - ::logMsg($tz_path." has no values."); - } - } - else { - ::rptMsg($tz_path." could not be found."); - ::logMsg($tz_path." could not be found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# timezone.pl +# Plugin for Registry Ripper; Access System hive file to get the +# contents of the TimeZoneInformation key +# +# Change history +# +# +# References +# http://support.microsoft.com/kb/102986 +# http://support.microsoft.com/kb/207563 +# +# +# copyright 2008 H. 
Carvey +#----------------------------------------------------------- +package timezone; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Get TimeZoneInformation key contents"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching timezone v.".$VERSION); + ::rptMsg("timezone v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $tz_path = $ccs."\\Control\\TimeZoneInformation"; + my $tz; + if ($tz = $root_key->get_subkey($tz_path)) { + ::rptMsg("TimeZoneInformation key"); + ::rptMsg($tz_path); + ::rptMsg("LastWrite Time ".gmtime($tz->get_timestamp())." (UTC)"); + my %tz_vals; + my @vals = $tz->get_list_of_values(); + if (scalar(@vals) > 0) { + map{$tz_vals{$_->get_name()} = $_->get_data()}(@vals); + + ::rptMsg(" DaylightName -> ".$tz_vals{"DaylightName"}); + ::rptMsg(" StandardName -> ".$tz_vals{"StandardName"}); + + my $bias = $tz_vals{"Bias"}/60; + my $atbias = $tz_vals{"ActiveTimeBias"}/60; + + ::rptMsg(" Bias -> ".$tz_vals{"Bias"}." (".$bias." hours)"); + ::rptMsg(" ActiveTimeBias -> ".$tz_vals{"ActiveTimeBias"}." (".$atbias." hours)"); + + } + else { + ::rptMsg($tz_path." has no values."); + ::logMsg($tz_path." has no values."); + } + } + else { + ::rptMsg($tz_path." 
could not be found."); + ::logMsg($tz_path." could not be found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/tsclient.pl b/RecentActivity/release/rr-full/plugins/tsclient.pl index 2b338f6a2c..14ef8fe260 100755 --- a/RecentActivity/release/rr-full/plugins/tsclient.pl +++ b/RecentActivity/release/rr-full/plugins/tsclient.pl 
@@ -1,103 +1,103 @@ -#----------------------------------------------------------- -# tsclient.pl -# Plugin for Registry Ripper -# -# Change history -# 20120827 - updated -# 20080324 - created -# -# References -# http://support.microsoft.com/kb/312169 -# -# copyright 2012 -# Author: H. Carvey -#----------------------------------------------------------- -package tsclient; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 0, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20120827); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of user's Terminal Server Client\\Default key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching tsclient v.".$VERSION); - ::rptMsg("Launching tsclient v.".$VERSION); - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Default'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("TSClient"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %mrus; - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/MRU/,$val))[1]; - $mrus{$tag} = $val.":".$data; - } - foreach my $u (sort {$a <=> $b} keys %mrus) { - my ($val,$data) = split(/:/,$mrus{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } - ::rptMsg(""); - - my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $lw = $s->get_timestamp(); - ::rptMsg($name." LastWrite: ".gmtime($lw)); - my $hint; - eval { - $hint = $s->get_value("UsernameHint")->get_data(); - ::rptMsg(" UsernameHint: ".$hint); - }; - } - ::rptMsg(""); - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# tsclient.pl +# Plugin for Registry Ripper +# +# Change history +# 20120827 - updated +# 20080324 - created +# +# References +# http://support.microsoft.com/kb/312169 +# +# copyright 2012 +# Author: H. 
Carvey +#----------------------------------------------------------- +package tsclient; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 0, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120827); + +sub getConfig{return %config} +sub getShortDescr { + return "Displays contents of user's Terminal Server Client\\Default key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching tsclient v.".$VERSION); + ::rptMsg("Launching tsclient v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Default'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("TSClient"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %mrus; + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + my $tag = (split(/MRU/,$val))[1]; + $mrus{$tag} = $val.":".$data; + } + foreach my $u (sort {$a <=> $b} keys %mrus) { + my ($val,$data) = split(/:/,$mrus{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } + ::rptMsg(""); + + my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + my $lw = $s->get_timestamp(); + ::rptMsg($name." 
LastWrite: ".gmtime($lw)); + my $hint; + eval { + $hint = $s->get_value("UsernameHint")->get_data(); + ::rptMsg(" UsernameHint: ".$hint); + }; + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/typedpaths.pl b/RecentActivity/release/rr-full/plugins/typedpaths.pl index 927dbe4dd8..828eeff399 100755 --- a/RecentActivity/release/rr-full/plugins/typedpaths.pl +++ b/RecentActivity/release/rr-full/plugins/typedpaths.pl 
@@ -1,71 +1,71 @@ -#----------------------------------------------------------- -# typedpaths.pl -# For Windows 7, Desktop Address Bar History -# -# Change history -# 20100330 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package typedpaths; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100330); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's typedpaths key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching typedpaths v.".$VERSION); - ::rptMsg("typedpaths v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %paths; - foreach my $v (@vals) { - my $name = $v->get_name(); - $name =~ s/^url//; - my $data = $v->get_data(); - $paths{$name} = $data; - } - foreach my $p (sort {$a <=> $b} keys %paths) { - ::rptMsg(sprintf "%-8s %-30s","url".$p,$paths{$p}); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# typedpaths.pl +# For Windows 7, Desktop Address Bar History +# +# Change history +# 20100330 - created +# +# References +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package typedpaths; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100330); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's typedpaths key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching typedpaths v.".$VERSION); + ::rptMsg("typedpaths v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %paths; + foreach my $v (@vals) { + my $name = $v->get_name(); + $name =~ s/^url//; + my $data = $v->get_data(); + $paths{$name} = $data; + } + foreach my $p (sort {$a <=> $b} keys %paths) { + ::rptMsg(sprintf "%-8s %-30s","url".$p,$paths{$p}); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/typedurls.pl b/RecentActivity/release/rr-full/plugins/typedurls.pl index 0a665ead1a..fff1693ff8 100755 --- a/RecentActivity/release/rr-full/plugins/typedurls.pl 
+++ b/RecentActivity/release/rr-full/plugins/typedurls.pl 
@@ -1,90 +1,90 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# typedurls.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# TypedURLs values -# -# Change history -# 20120827 - TLN version created -# 20080324 - created -# -# References -# http://support.microsoft.com/kb/157729 -# http://msdn2.microsoft.com/en-us/library/aa908115.aspx -# -# Notes: Reportedly, only the last 20 entries are maintained; -# Also, new entries aren't added to the key until the current -# instance of IE is terminated. -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package typedurls; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Returns contents of user's TypedURLs key."; -} -sub getDescr{} -sub getRefs { - my %refs = ("IESample Registry Settings" => - "http://msdn2.microsoft.com/en-us/library/aa908115.aspx", - "How to clear History entries in IE" => - "http://support.microsoft.com/kb/157729"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching typedurls v.".$VERSION); - ::rptMsg("typedurls v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Internet Explorer\\TypedURLs'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("TypedURLs"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %urls; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/url/,$val))[1]; - $urls{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %urls) { - my ($val,$data) = split(/:/,$urls{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# typedurls.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# TypedURLs values +# +# Change history +# 20120827 - TLN version created +# 20080324 - created +# +# References +# http://support.microsoft.com/kb/157729 +# http://msdn2.microsoft.com/en-us/library/aa908115.aspx +# +# Notes: Reportedly, only the last 20 entries are maintained; +# Also, new entries aren't added to the key until the current +# instance of IE is terminated. +# +# copyright 2008 H. 
Carvey +#----------------------------------------------------------- +package typedurls; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Returns contents of user's TypedURLs key."; +} +sub getDescr{} +sub getRefs { + my %refs = ("IESample Registry Settings" => + "http://msdn2.microsoft.com/en-us/library/aa908115.aspx", + "How to clear History entries in IE" => + "http://support.microsoft.com/kb/157729"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching typedurls v.".$VERSION); + ::rptMsg("typedurls v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Internet Explorer\\TypedURLs'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("TypedURLs"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %urls; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + my $tag = (split(/url/,$val))[1]; + $urls{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %urls) { + my ($val,$data) = split(/:/,$urls{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr-full/plugins/unreadmail.pl b/RecentActivity/release/rr-full/plugins/unreadmail.pl
index 75bd88e562..479b5b63d7 100755
--- a/RecentActivity/release/rr-full/plugins/unreadmail.pl
+++ b/RecentActivity/release/rr-full/plugins/unreadmail.pl
@@ -1,90 +1,90 @@ -#----------------------------------------------------------- -# unreadmail.pl -# -# -# Change history -# 20100218 - created -# -# References -# http://support.microsoft.com/kb/304148 -# http://support.microsoft.com/kb/831403 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package unreadmail; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of Unreadmail key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching unreadmail v.".$VERSION); - ::rptMsg("unreadmail v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - eval { - my $e = $key->get_value("MessageExpiryDays")->get_data(); - ::rptMsg("MessageExpiryDays : ".$e); - ::rptMsg(""); - }; - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - ::rptMsg(""); - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()); - ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); - eval { - my $m = $s->get_value("MessageCount")->get_data(); - ::rptMsg(" MessageCount: ".$m); - }; - - eval { - my $a = $s->get_value("Application")->get_data(); - ::rptMsg(" Application : ".$a); - }; - - eval { - my @t = unpack("VV",$s->get_value("TimeStamp")->get_data()); - my $ts = ::getTime($t[0],$t[1]); - ::rptMsg(" TimeStamp : ".gmtime($ts)." 
(UTC)"); - }; - - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# unreadmail.pl +# +# +# Change history +# 20100218 - created +# +# References +# http://support.microsoft.com/kb/304148 +# http://support.microsoft.com/kb/831403 +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package unreadmail; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100218); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of Unreadmail key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + my %hist; + ::logMsg("Launching unreadmail v.".$VERSION); + ::rptMsg("unreadmail v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + eval { + my $e = $key->get_value("MessageExpiryDays")->get_data(); + ::rptMsg("MessageExpiryDays : ".$e); + ::rptMsg(""); + }; + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + ::rptMsg(""); + foreach my $s (@subkeys) { + ::rptMsg($s->get_name()); + ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." 
(UTC)"); + eval { + my $m = $s->get_value("MessageCount")->get_data(); + ::rptMsg(" MessageCount: ".$m); + }; + + eval { + my $a = $s->get_value("Application")->get_data(); + ::rptMsg(" Application : ".$a); + }; + + eval { + my @t = unpack("VV",$s->get_value("TimeStamp")->get_data()); + my $ts = ::getTime($t[0],$t[1]); + ::rptMsg(" TimeStamp : ".gmtime($ts)." (UTC)"); + }; + + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/urlzone.pl b/RecentActivity/release/rr-full/plugins/urlzone.pl index 899779a463..e51d774342 100755 --- a/RecentActivity/release/rr-full/plugins/urlzone.pl +++ b/RecentActivity/release/rr-full/plugins/urlzone.pl 
@@ -1,98 +1,98 @@ -#----------------------------------------------------------- -# /root/bin/plugins/urlzone.pl -# Plugin to detect URLZONE infection -# -# copyright 2009 Stefan Kelm (skelm@bfk.de) -#----------------------------------------------------------- -package urlzone; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090526); - -sub getConfig{return %config} - -sub getShortDescr {return "URLZONE detection";} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { -my $class = shift; -my $hive = shift; -::logMsg("Launching urlzone v.".$VERSION); -::rptMsg("urlzone v.".$VERSION); # banner -::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner -my $reg = Parse::Win32Registry->new($hive); -my $root_key = $reg->get_root_key; - -my $key_path = "Microsoft\\Windows\\CurrentVersion\\Internet Settings\\urlzone"; -my $key; -if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); - eval { - my @vals = $s->get_list_of_values(); - if (scalar(@vals) > 0) { - my %sns; - foreach my $v (@vals) { - $sns{$v->get_name()} = $v->get_data(); - } - foreach my $i (keys %sns) { - ::rptMsg("\t\t".$i." = ".$sns{$i}); - } - } - else { -# No values - } - }; - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); -# ::logMsg($key_path." 
not found."); - } - - my $key_path2 = "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\userinit.exe"; - my $key2; - if ($key2 = $root_key->get_subkey($key_path2)) { - ::rptMsg($key_path2); - ::rptMsg("LastWrite Time ".gmtime($key2->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $dbg; - eval { - $dbg = $key2->get_value("Debugger")->get_data(); - }; - if ($@) { - ::rptMsg("Debugger value not found."); - } - else { - ::rptMsg("Debugger = ".$dbg); - } - ::rptMsg(""); - } - else { - ::rptMsg($key_path2." not found."); -# ::logMsg($key_path2." not found."); - } -} +#----------------------------------------------------------- +# /root/bin/plugins/urlzone.pl +# Plugin to detect URLZONE infection +# +# copyright 2009 Stefan Kelm (skelm@bfk.de) +#----------------------------------------------------------- +package urlzone; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090526); + +sub getConfig{return %config} + +sub getShortDescr {return "URLZONE detection";} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { +my $class = shift; +my $hive = shift; +::logMsg("Launching urlzone v.".$VERSION); +::rptMsg("urlzone v.".$VERSION); # banner +::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner +my $reg = Parse::Win32Registry->new($hive); +my $root_key = $reg->get_root_key; + +my $key_path = "Microsoft\\Windows\\CurrentVersion\\Internet Settings\\urlzone"; +my $key; +if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($key_path."\\".$s->get_name()); + ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." 
(UTC)"); + eval { + my @vals = $s->get_list_of_values(); + if (scalar(@vals) > 0) { + my %sns; + foreach my $v (@vals) { + $sns{$v->get_name()} = $v->get_data(); + } + foreach my $i (keys %sns) { + ::rptMsg("\t\t".$i." = ".$sns{$i}); + } + } + else { +# No values + } + }; + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); +# ::logMsg($key_path." not found."); + } + + my $key_path2 = "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\userinit.exe"; + my $key2; + if ($key2 = $root_key->get_subkey($key_path2)) { + ::rptMsg($key_path2); + ::rptMsg("LastWrite Time ".gmtime($key2->get_timestamp())." (UTC)"); + ::rptMsg(""); + my $dbg; + eval { + $dbg = $key2->get_value("Debugger")->get_data(); + }; + if ($@) { + ::rptMsg("Debugger value not found."); + } + else { + ::rptMsg("Debugger = ".$dbg); + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path2." not found."); +# ::logMsg($key_path2." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/usbdevices.pl b/RecentActivity/release/rr-full/plugins/usbdevices.pl index 75b1ae5009..a9e09fe0a0 100755 --- a/RecentActivity/release/rr-full/plugins/usbdevices.pl +++ b/RecentActivity/release/rr-full/plugins/usbdevices.pl 
@@ -1,115 +1,115 @@ -#----------------------------------------------------------- -# usbdevices.pl -# Parses contents of Enum\USB key for USB storage devices -# -# History -# 20120522 - updated to report only USBStor devices -# 20100219 - created -# -# copyright 2012 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package usbdevices; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20120522); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parses Enum\\USB key for devices"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $reg; - -sub pluginmain { - my $class = shift; - my $hive = shift; - $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - ::logMsg("Launching usbdevices v.".$VERSION); - ::rptMsg("usbdevices v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." not found."); - return; - } - - my $key_path = $ccs."\\Enum\\USB"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - my @sk = $s->get_list_of_subkeys(); - if (scalar @sk > 0) { - foreach my $s2 (@sk) { - - my ($desc,$class,$serv,$loc,$mfg); - - eval { - $desc = $s2->get_value("DeviceDesc")->get_data(); -# ::rptMsg($desc." 
[".$s->get_name()."\\".$s2->get_name()."]"); - }; - - eval { - $class = $s2->get_value("Class")->get_data(); - }; - - eval { - $serv = $s2->get_value("Service")->get_data(); - }; - - eval { - $loc = $s2->get_value("LocationInformation")->get_data(); - }; - - eval { - $mfg = $s2->get_value("Mfg")->get_data(); - }; - - if ($serv eq "USBSTOR") { - ::rptMsg($s->get_name()); - ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())); - ::rptMsg(" SN : ".$s2->get_name()); - ::rptMsg(" LastWrite: ".gmtime($s2->get_timestamp())); -# ::rptMsg("DeviceDesc: ".$desc); -# ::rptMsg("Class : ".$class); -# ::rptMsg("Location : ".$loc); -# ::rptMsg("MFG : ".$mfg); - ::rptMsg(""); - - } - - } - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# usbdevices.pl +# Parses contents of Enum\USB key for USB storage devices +# +# History +# 20120522 - updated to report only USBStor devices +# 20100219 - created +# +# copyright 2012 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package usbdevices; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120522); + +sub getConfig{return %config} + +sub getShortDescr { + return "Parses Enum\\USB key for devices"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my $reg; + +sub pluginmain { + my $class = shift; + my $hive = shift; + $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + ::logMsg("Launching usbdevices v.".$VERSION); + ::rptMsg("usbdevices v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = 
$root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::rptMsg($key_path." not found."); + return; + } + + my $key_path = $ccs."\\Enum\\USB"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $s (@subkeys) { + my @sk = $s->get_list_of_subkeys(); + if (scalar @sk > 0) { + foreach my $s2 (@sk) { + + my ($desc,$class,$serv,$loc,$mfg); + + eval { + $desc = $s2->get_value("DeviceDesc")->get_data(); +# ::rptMsg($desc." [".$s->get_name()."\\".$s2->get_name()."]"); + }; + + eval { + $class = $s2->get_value("Class")->get_data(); + }; + + eval { + $serv = $s2->get_value("Service")->get_data(); + }; + + eval { + $loc = $s2->get_value("LocationInformation")->get_data(); + }; + + eval { + $mfg = $s2->get_value("Mfg")->get_data(); + }; + + if ($serv eq "USBSTOR") { + ::rptMsg($s->get_name()); + ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())); + ::rptMsg(" SN : ".$s2->get_name()); + ::rptMsg(" LastWrite: ".gmtime($s2->get_timestamp())); +# ::rptMsg("DeviceDesc: ".$desc); +# ::rptMsg("Class : ".$class); +# ::rptMsg("Location : ".$loc); +# ::rptMsg("MFG : ".$mfg); + ::rptMsg(""); + + } + + } + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/usbstor.pl b/RecentActivity/release/rr-full/plugins/usbstor.pl index ba5ad1f1c5..40af2f615f 100755 --- a/RecentActivity/release/rr-full/plugins/usbstor.pl +++ b/RecentActivity/release/rr-full/plugins/usbstor.pl 
@@ -1,93 +1,93 @@ -#----------------------------------------------------------- -# usbstor -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package usbstor; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080418); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USBStor key info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching usbstor v.".$VERSION); - ::rptMsg("usbstor v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." not found."); - return; - } - - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("USBStor"); - ::rptMsg($key_path); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); - - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $k (@sk) { - my $serial = $k->get_name(); - ::rptMsg(" S/N: ".$serial." 
[".gmtime($k->get_timestamp())."]"); - my $friendly; - eval { - $friendly = $k->get_value("FriendlyName")->get_data(); - }; - ::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne ""); - my $parent; - eval { - $parent = $k->get_value("ParentIdPrefix")->get_data(); - }; - ::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne ""); - } - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# usbstor +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package usbstor; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080418); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get USBStor key info"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching usbstor v.".$VERSION); + ::rptMsg("usbstor v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::rptMsg($key_path." 
not found."); + return; + } + + my $key_path = $ccs."\\Enum\\USBStor"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("USBStor"); + ::rptMsg($key_path); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); + + my @sk = $s->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $k (@sk) { + my $serial = $k->get_name(); + ::rptMsg(" S/N: ".$serial." [".gmtime($k->get_timestamp())."]"); + my $friendly; + eval { + $friendly = $k->get_value("FriendlyName")->get_data(); + }; + ::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne ""); + my $parent; + eval { + $parent = $k->get_value("ParentIdPrefix")->get_data(); + }; + ::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne ""); + } + } + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/usbstor2.pl b/RecentActivity/release/rr-full/plugins/usbstor2.pl index b0beedc7b2..b62283bb1c 100755 --- a/RecentActivity/release/rr-full/plugins/usbstor2.pl +++ b/RecentActivity/release/rr-full/plugins/usbstor2.pl 
@@ -1,134 +1,134 @@ -#----------------------------------------------------------- -# usbstor2 -# Similar to usbstor plugin, but prints output in .csv format; -# also checks MountedDevices keys -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package usbstor2; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080825); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USBStor key info; csv output"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $reg; - -sub pluginmain { - my $class = shift; - my $hive = shift; - $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." 
not found."); - return; - } - - my $name_path = $ccs."\\Control\\ComputerName\\ComputerName"; - my $comp_name; - eval { - $comp_name = $root_key->get_subkey($name_path)->get_value("ComputerName")->get_data(); - }; - $comp_name = "Test" if ($@); - - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $dev_class = $s->get_name(); - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $k (@sk) { - my $serial = $k->get_name(); - my $sn_lw = $k->get_timestamp(); - my $str = $comp_name.",".$dev_class.",".$serial.",".$sn_lw; - - my $friendly; - eval { - $friendly = $k->get_value("FriendlyName")->get_data(); - $str .= ",".$friendly; - }; - $str .= ", " if ($@); - - my $parent; - eval { - $parent = $k->get_value("ParentIdPrefix")->get_data(); - $str .= ",".$parent; - - my $dev = checkMountedDevices($parent); - $str .= ",".$dev if ($dev); - - }; - - - ::rptMsg($str); - } - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -sub checkMountedDevices { - my $pip = shift; - my $root_key = $reg->get_root_key; - my $key_path = 'MountedDevices'; - my $key; - my %md; - if ($key = $root_key->get_subkey($key_path)) { - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - next unless ($name =~ m/^\\DosDevices/); - my $data = $v->get_data(); - if (length($data) > 12) { - $data =~ s/\00//g; - return $name if (grep(/$pip/,$data)); - } - } - } - } - else { - return undef; - } - return undef; -} - +#----------------------------------------------------------- +# usbstor2 +# Similar to usbstor plugin, but prints output in .csv format; +# also checks MountedDevices keys +# +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package usbstor2; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080825); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get USBStor key info; csv output"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my $reg; + +sub pluginmain { + my $class = shift; + my $hive = shift; + $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::rptMsg($key_path." not found."); + return; + } + + my $name_path = $ccs."\\Control\\ComputerName\\ComputerName"; + my $comp_name; + eval { + $comp_name = $root_key->get_subkey($name_path)->get_value("ComputerName")->get_data(); + }; + $comp_name = "Test" if ($@); + + my $key_path = $ccs."\\Enum\\USBStor"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $dev_class = $s->get_name(); + my @sk = $s->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $k (@sk) { + my $serial = $k->get_name(); + my $sn_lw = $k->get_timestamp(); + my $str = $comp_name.",".$dev_class.",".$serial.",".$sn_lw; + + my $friendly; + eval { + $friendly = $k->get_value("FriendlyName")->get_data(); + $str .= ",".$friendly; + }; + $str .= ", " if ($@); + + my $parent; + eval { + $parent = $k->get_value("ParentIdPrefix")->get_data(); + $str .= ",".$parent; + + my $dev = checkMountedDevices($parent); + $str .= ",".$dev if ($dev); + + }; + + + ::rptMsg($str); + } + } + } 
+ } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + +sub checkMountedDevices { + my $pip = shift; + my $root_key = $reg->get_root_key; + my $key_path = 'MountedDevices'; + my $key; + my %md; + if ($key = $root_key->get_subkey($key_path)) { + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + next unless ($name =~ m/^\\DosDevices/); + my $data = $v->get_data(); + if (length($data) > 12) { + $data =~ s/\00//g; + return $name if (grep(/$pip/,$data)); + } + } + } + } + else { + return undef; + } + return undef; +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/usbstor3.pl b/RecentActivity/release/rr-full/plugins/usbstor3.pl index 9bcdeb5980..5215454818 100755 --- a/RecentActivity/release/rr-full/plugins/usbstor3.pl +++ b/RecentActivity/release/rr-full/plugins/usbstor3.pl 
@@ -1,103 +1,103 @@ -#----------------------------------------------------------- -# usbstor3 -# Collects USBStor information, output in .csv -# -# History -# 20100312 - created -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package usbstor3; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100312); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USBStor key info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching usbstor3 v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." not found."); - return; - } - - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("USBStor"); -# ::rptMsg($key_path); -# ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { -# ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); - my $name1 = $s->get_name(); - my $time1 = gmtime($s->get_timestamp()); - - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $k (@sk) { - my $serial = $k->get_name(); -# ::rptMsg(" S/N: ".$serial." 
[".gmtime($k->get_timestamp())."]"); - my $str = $name1.",".$time1.",".$serial.",".gmtime($k->get_timestamp()); - - my $friendly; - eval { - $friendly = $k->get_value("FriendlyName")->get_data(); - $str .= ",".$friendly; - }; - $str .= "," if ($@); -# ::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne ""); - my $parent; - eval { - $parent = $k->get_value("ParentIdPrefix")->get_data(); - $str .= ",".$parent; - }; - $str .= "," if ($@); -# ::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne ""); - ::rptMsg($str); - } - } -# ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# usbstor3 +# Collects USBStor information, output in .csv +# +# History +# 20100312 - created +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package usbstor3; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100312); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get USBStor key info"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching usbstor3 v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::rptMsg($key_path." 
not found."); + return; + } + + my $key_path = $ccs."\\Enum\\USBStor"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("USBStor"); +# ::rptMsg($key_path); +# ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { +# ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); + my $name1 = $s->get_name(); + my $time1 = gmtime($s->get_timestamp()); + + my @sk = $s->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $k (@sk) { + my $serial = $k->get_name(); +# ::rptMsg(" S/N: ".$serial." [".gmtime($k->get_timestamp())."]"); + my $str = $name1.",".$time1.",".$serial.",".gmtime($k->get_timestamp()); + + my $friendly; + eval { + $friendly = $k->get_value("FriendlyName")->get_data(); + $str .= ",".$friendly; + }; + $str .= "," if ($@); +# ::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne ""); + my $parent; + eval { + $parent = $k->get_value("ParentIdPrefix")->get_data(); + $str .= ",".$parent; + }; + $str .= "," if ($@); +# ::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne ""); + ::rptMsg($str); + } + } +# ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/user_win.pl b/RecentActivity/release/rr-full/plugins/user_win.pl index 27f69912a1..ee746e2b0e 100755 --- a/RecentActivity/release/rr-full/plugins/user_win.pl +++ b/RecentActivity/release/rr-full/plugins/user_win.pl 
@@ -1,62 +1,62 @@
-#-----------------------------------------------------------
-# user_win.pl
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package user_win;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20080415);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return " -- ";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching user_win v.".$VERSION);
- ::rptMsg("user_win v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- eval {
- my $load = $key->get_value("load")->get_data();
- ::rptMsg("load value = ".$load);
- ::rptMsg("*Should be blank; anything listed gets run when the user logs in.");
- };
-
- eval {
- my $run = $key->get_value("run")->get_data();
- ::rptMsg("run value = ".$run);
- ::rptMsg("*Should be blank; anything listed gets run when the user logs in.");
- };
-
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
-}
+#-----------------------------------------------------------
+# user_win.pl
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package user_win;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080415);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return " -- ";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching user_win v.".$VERSION);
+ ::rptMsg("user_win v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ eval {
+ my $load = $key->get_value("load")->get_data();
+ ::rptMsg("load value = ".$load);
+ ::rptMsg("*Should be blank; anything listed gets run when the user logs in.");
+ };
+
+ eval {
+ my $run = $key->get_value("run")->get_data();
+ ::rptMsg("run value = ".$run);
+ ::rptMsg("*Should be blank; anything listed gets run when the user logs in.");
+ };
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/userassist.pl b/RecentActivity/release/rr-full/plugins/userassist.pl
index ab055f7b19..4342069663 100755
--- a/RecentActivity/release/rr-full/plugins/userassist.pl
+++ b/RecentActivity/release/rr-full/plugins/userassist.pl
@@ -1,125 +1,125 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# userassist.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# UserAssist values -# -# Change history -# 20100322 - Added CLSID list reference -# 20100308 - created, based on original userassist.pl plugin -# -# References -# Control Panel Applets - http://support.microsoft.com/kb/313808 -# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package userassist; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100308); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of UserAssist subkeys"; -} -sub getDescr{} -sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching userassist2 v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; - my $key; - - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("UserAssist"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()); - processKey($s); - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub processKey { - my $ua = shift; - - my $key = $ua->get_subkey("Count"); - - my %ua; - my $hrzr = "HRZR"; - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $value_name = $v->get_name(); - my $data = $v->get_data(); - -# Windows XP/2003/Vista/2008 - if (length($data) == 16) { - my ($session,$count,$val1,$val2) = unpack("V*",$data); - if ($val2 != 0) { - my $time_value = ::getTime($val1,$val2); - if ($value_name =~ m/^$hrzr/) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - } - $count -= 5 if ($count > 5); - push(@{$ua{$time_value}},$value_name." (".$count.")"); - } - } -# Windows 7 - elsif (length($data) == 72) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; -# if (unpack("V",substr($data,0,4)) == 0) { -# my $count = unpack("V",substr($data,4,4)); -# my @t = unpack("VV",substr($data,60,8)); -# next if ($t[0] == 0 && $t[1] == 0); -# my $time_val = ::getTime($t[0],$t[1]); -# print " .-> ".$time_val."\n"; -# push(@{$ua{$time_val}},$value_name." (".$count.")"); -# } - my $count = unpack("V",substr($data,4,4)); - my @t = unpack("VV",substr($data,60,8)); - next if ($t[0] == 0 && $t[1] == 0); - my $time_val = ::getTime($t[0],$t[1]); - push(@{$ua{$time_val}},$value_name." (".$count.")"); - } - else { -# Nothing else to do - } - } - foreach my $t (reverse sort {$a <=> $b} keys %ua) { - ::rptMsg(gmtime($t)." Z"); - foreach my $i (@{$ua{$t}}) { - ::rptMsg(" ".$i); - } - } - } -} +#! 
c:\perl\bin\perl.exe +#----------------------------------------------------------- +# userassist.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# UserAssist values +# +# Change history +# 20100322 - Added CLSID list reference +# 20100308 - created, based on original userassist.pl plugin +# +# References +# Control Panel Applets - http://support.microsoft.com/kb/313808 +# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package userassist; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100308); + +sub getConfig{return %config} +sub getShortDescr { + return "Displays contents of UserAssist subkeys"; +} +sub getDescr{} +sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching userassist2 v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; + my $key; + + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("UserAssist"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($s->get_name()); + processKey($s); + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} + +sub processKey { + my $ua = shift; + + my $key = $ua->get_subkey("Count"); + + my %ua; + my $hrzr = "HRZR"; + + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $value_name = $v->get_name(); + my $data = $v->get_data(); + +# Windows XP/2003/Vista/2008 + if (length($data) == 16) { + my ($session,$count,$val1,$val2) = unpack("V*",$data); + if ($val2 != 0) { + my $time_value = ::getTime($val1,$val2); + if ($value_name =~ m/^$hrzr/) { + $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; + } + $count -= 5 if ($count > 5); + push(@{$ua{$time_value}},$value_name." (".$count.")"); + } + } +# Windows 7 + elsif (length($data) == 72) { + $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; +# if (unpack("V",substr($data,0,4)) == 0) { +# my $count = unpack("V",substr($data,4,4)); +# my @t = unpack("VV",substr($data,60,8)); +# next if ($t[0] == 0 && $t[1] == 0); +# my $time_val = ::getTime($t[0],$t[1]); +# print " .-> ".$time_val."\n"; +# push(@{$ua{$time_val}},$value_name." (".$count.")"); +# } + my $count = unpack("V",substr($data,4,4)); + my @t = unpack("VV",substr($data,60,8)); + next if ($t[0] == 0 && $t[1] == 0); + my $time_val = ::getTime($t[0],$t[1]); + push(@{$ua{$time_val}},$value_name." (".$count.")"); + } + else { +# Nothing else to do + } + } + foreach my $t (reverse sort {$a <=> $b} keys %ua) { + ::rptMsg(gmtime($t)." Z"); + foreach my $i (@{$ua{$t}}) { + ::rptMsg(" ".$i); + } + } + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/userassist_tln.pl b/RecentActivity/release/rr-full/plugins/userassist_tln.pl index 1d10585b97..2922dc6b23 100755 --- a/RecentActivity/release/rr-full/plugins/userassist_tln.pl +++ b/RecentActivity/release/rr-full/plugins/userassist_tln.pl 
@@ -1,114 +1,114 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# userassist_tln.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# UserAssist values -# -# Change history -# 20110516 - created, modified from userassist2.pl -# 20100322 - Added CLSID list reference -# 20100308 - created, based on original userassist.pl plugin -# -# References -# Control Panel Applets - http://support.microsoft.com/kb/313808 -# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package userassist_tln; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20110516); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of UserAssist subkeys in TLN format"; -} -sub getDescr{} -sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching userassist_tln v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; - my $key; - - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("UserAssist"); -# ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); -# ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()); - processKey($s); - ::rptMsg(""); - } - } - else { - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::logMsg($key_path." 
not found."); - } -} - -sub processKey { - my $ua = shift; - my $key = $ua->get_subkey("Count"); - my %ua; - my $hrzr = "HRZR"; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $value_name = $v->get_name(); - my $data = $v->get_data(); - -# Windows XP/2003/Vista/2008 - if (length($data) == 16) { - my ($session,$count,$val1,$val2) = unpack("V*",$data); - if ($val2 != 0) { - my $time_value = ::getTime($val1,$val2); - if ($value_name =~ m/^$hrzr/) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - } - $count -= 5 if ($count > 5); - push(@{$ua{$time_value}},$value_name." (".$count.")"); - } - } -# Windows 7 - elsif (length($data) == 72) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - my $count = unpack("V",substr($data,4,4)); - my @t = unpack("VV",substr($data,60,8)); - next if ($t[0] == 0 && $t[1] == 0); - my $time_val = ::getTime($t[0],$t[1]); - push(@{$ua{$time_val}},$value_name." (".$count.")"); - } - else { -# Nothing else to do - } - } - foreach my $t (reverse sort {$a <=> $b} keys %ua) { - foreach my $i (@{$ua{$t}}) { - ::rptMsg($t."|REG|||[Program Execution] UserAssist - ".$i); - } - } - } -} +#! 
c:\perl\bin\perl.exe +#----------------------------------------------------------- +# userassist_tln.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# UserAssist values +# +# Change history +# 20110516 - created, modified from userassist2.pl +# 20100322 - Added CLSID list reference +# 20100308 - created, based on original userassist.pl plugin +# +# References +# Control Panel Applets - http://support.microsoft.com/kb/313808 +# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm +# +# copyright 2011 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package userassist_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20110516); + +sub getConfig{return %config} +sub getShortDescr { + return "Displays contents of UserAssist subkeys in TLN format"; +} +sub getDescr{} +sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching userassist_tln v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; + my $key; + + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("UserAssist"); +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); +# ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($s->get_name()); + processKey($s); + ::rptMsg(""); + } + } + else { + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::logMsg($key_path." 
not found."); + } +} + +sub processKey { + my $ua = shift; + my $key = $ua->get_subkey("Count"); + my %ua; + my $hrzr = "HRZR"; + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $value_name = $v->get_name(); + my $data = $v->get_data(); + +# Windows XP/2003/Vista/2008 + if (length($data) == 16) { + my ($session,$count,$val1,$val2) = unpack("V*",$data); + if ($val2 != 0) { + my $time_value = ::getTime($val1,$val2); + if ($value_name =~ m/^$hrzr/) { + $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; + } + $count -= 5 if ($count > 5); + push(@{$ua{$time_value}},$value_name." (".$count.")"); + } + } +# Windows 7 + elsif (length($data) == 72) { + $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; + my $count = unpack("V",substr($data,4,4)); + my @t = unpack("VV",substr($data,60,8)); + next if ($t[0] == 0 && $t[1] == 0); + my $time_val = ::getTime($t[0],$t[1]); + push(@{$ua{$time_val}},$value_name." (".$count.")"); + } + else { +# Nothing else to do + } + } + foreach my $t (reverse sort {$a <=> $b} keys %ua) { + foreach my $i (@{$ua{$t}}) { + ::rptMsg($t."|REG|||[Program Execution] UserAssist - ".$i); + } + } + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/userlocsvc.pl b/RecentActivity/release/rr-full/plugins/userlocsvc.pl index 2b21e1758c..0cd4737c44 100755 --- a/RecentActivity/release/rr-full/plugins/userlocsvc.pl +++ b/RecentActivity/release/rr-full/plugins/userlocsvc.pl 
@@ -1,64 +1,64 @@
-#! c:\perl\bin\perl.exe
-#-----------------------------------------------------------
-# userlocsvc.pl
-# Get the contents of the Microsoft\User Location Service\Clients key
-# from the user's hive
-#
-# Ref:
-# http://support.microsoft.com/kb/196301
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package userlocsvc;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20090411);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Displays contents of User Location Service\\Client key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching userlocsvc v.".$VERSION);
- ::rptMsg("userlocsvc v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
- my $key_path = 'Software\\Microsoft\\User Location Service\\Client';
- my $key;
- my %ua;
- my $hrzr = "HRZR";
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $str = sprintf "%-15s %-30s",$v->get_name(),$v->get_data();
- ::rptMsg($str) if ($v->get_type() == 1);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# userlocsvc.pl
+# Get the contents of the Microsoft\User Location Service\Clients key
+# from the user's hive
+#
+# Ref:
+# http://support.microsoft.com/kb/196301
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package userlocsvc;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20090411);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Displays contents of User Location Service\\Client key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching userlocsvc v.".$VERSION);
+ ::rptMsg("userlocsvc v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+ my $key_path = 'Software\\Microsoft\\User Location Service\\Client';
+ my $key;
+ my %ua;
+ my $hrzr = "HRZR";
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $str = sprintf "%-15s %-30s",$v->get_name(),$v->get_data();
+ ::rptMsg($str) if ($v->get_type() == 1);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/virut.pl b/RecentActivity/release/rr-full/plugins/virut.pl
index 9d51fdb2c4..3188b3c514 100755
--- a/RecentActivity/release/rr-full/plugins/virut.pl
+++ b/RecentActivity/release/rr-full/plugins/virut.pl
@@ -1,72 +1,72 @@
-#-----------------------------------------------------------
-# virut.pl
-# Plugin to detect artifacts of a Virut infection
-#
-# References:
-# Symantec: http://www.symantec.com/security_response/
-# writeup.jsp?docid=2009-020411-2802-99&tabid=2
-#
-# Change History:
-# 20130425 - added alertMsg() functionality
-# 20090218 - created
-#
-#
-# copyright 2013 QAR, LLC
-# Author: H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package virut;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20130425);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Detect Virut artifacts";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching virut v.".$VERSION);
- ::rptMsg("virut v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my $update;
- eval {
- $update = $key->get_value("UpdateHost")->get_data();
- ::rptMsg("UpdateHost value detected! Possible Virut infection!");
- ::alertMsg("ALERT: virut: UpdateHost value detected! Possible Virut infection!");
- };
- ::rptMsg("UpdateHost value not found.") if ($@);
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
- ::rptMsg("");
- ::rptMsg("Also be sure to check the SYSTEM\\ControlSet00n\\Services\\SharedAccess\\");
- ::rptMsg("Parameters\\FirewallPolicy\\DomainProfile\\AuthorizedApplications\\List key");
- ::rptMsg("for exceptions added to the firewall; use the fw_config\.pl plugin.");
-}
+#-----------------------------------------------------------
+# virut.pl
+# Plugin to detect artifacts of a Virut infection
+#
+# References:
+# Symantec: http://www.symantec.com/security_response/
+# writeup.jsp?docid=2009-020411-2802-99&tabid=2
+#
+# Change History:
+# 20130425 - added alertMsg() functionality
+# 20090218 - created
+#
+#
+# copyright 2013 QAR, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package virut;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20130425);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Detect Virut artifacts";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching virut v.".$VERSION);
+ ::rptMsg("virut v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $update;
+ eval {
+ $update = $key->get_value("UpdateHost")->get_data();
+ ::rptMsg("UpdateHost value detected! Possible Virut infection!");
+ ::alertMsg("ALERT: virut: UpdateHost value detected! Possible Virut infection!");
+ };
+ ::rptMsg("UpdateHost value not found.") if ($@);
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+ ::rptMsg("Also be sure to check the SYSTEM\\ControlSet00n\\Services\\SharedAccess\\");
+ ::rptMsg("Parameters\\FirewallPolicy\\DomainProfile\\AuthorizedApplications\\List key");
+ ::rptMsg("for exceptions added to the firewall; use the fw_config\.pl plugin.");
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/vista_bitbucket.pl b/RecentActivity/release/rr-full/plugins/vista_bitbucket.pl
index f1b32757ee..9f883362d1 100755
--- a/RecentActivity/release/rr-full/plugins/vista_bitbucket.pl
+++ b/RecentActivity/release/rr-full/plugins/vista_bitbucket.pl
@@ -1,96 +1,96 @@
-#-----------------------------------------------------------
-# vista_bitbucket.pl
-# BitBucket settings for Vista $Recylce.bin are maintained on a
-# per-user, per-volume basis
-#
-# Change history
-# 20110830 [fpi] + banner, no change to the version number
-#
-# References
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package vista_bitbucket;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 192,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20080420);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get BitBucket settings from Vista via NTUSER\.DAT";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching vista_bitbucket v.".$VERSION);
- ::rptMsg("vista_bitbucket v.".$VERSION); # 20110830 [fpi] + banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
-
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- ::rptMsg($v->get_name()." : ".$v->get_data());
- }
-
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- ::rptMsg("");
-
- my @vols;
- eval {
- @vols = $key->get_subkey("Volume")->get_list_of_subkeys();
- };
- if ($@) {
- ::rptMsg("Could not access ".$key_path."\\Volume subkey.");
- return;
- }
-
- if (scalar(@vols) > 0) {
- foreach my $v (@vols) {
- ::rptMsg($v->get_name()." [".gmtime($v->get_timestamp())."] (UTC)");
- eval {
- ::rptMsg(sprintf " %-15s %-3s","NukeOnDelete",$v->get_value("NukeOnDelete")->get_data());
- };
-
-
- }
-
- }
- else {
- ::rptMsg($key_path."\\Volume key has no subkeys.");
- }
-
-
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
-}
+#-----------------------------------------------------------
+# vista_bitbucket.pl
+# BitBucket settings for Vista $Recylce.bin are maintained on a
+# per-user, per-volume basis
+#
+# Change history
+# 20110830 [fpi] + banner, no change to the version number
+#
+# References
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package vista_bitbucket;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 192,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080420);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get BitBucket settings from Vista via NTUSER\.DAT";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching vista_bitbucket v.".$VERSION);
+ ::rptMsg("vista_bitbucket v.".$VERSION); # 20110830 [fpi] + banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
+
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ ::rptMsg($v->get_name()." : ".$v->get_data());
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ ::rptMsg("");
+
+ my @vols;
+ eval {
+ @vols = $key->get_subkey("Volume")->get_list_of_subkeys();
+ };
+ if ($@) {
+ ::rptMsg("Could not access ".$key_path."\\Volume subkey.");
+ return;
+ }
+
+ if (scalar(@vols) > 0) {
+ foreach my $v (@vols) {
+ ::rptMsg($v->get_name()." [".gmtime($v->get_timestamp())."] (UTC)");
+ eval {
+ ::rptMsg(sprintf " %-15s %-3s","NukeOnDelete",$v->get_value("NukeOnDelete")->get_data());
+ };
+
+
+ }
+
+ }
+ else {
+ ::rptMsg($key_path."\\Volume key has no subkeys.");
+ }
+
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/vncviewer.pl b/RecentActivity/release/rr-full/plugins/vncviewer.pl
index be9fb8e34e..3660050adb 100755
--- a/RecentActivity/release/rr-full/plugins/vncviewer.pl
+++ b/RecentActivity/release/rr-full/plugins/vncviewer.pl
@@ -1,106 +1,106 @@
-#-----------------------------------------------------------
-# vncviewer
-#
-#
-# History:
-# 20121231 - Updated to include VNCViewer4
-# 20080325 - created
-#
-#
-#
-#-----------------------------------------------------------
-package vncviewer;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20121231);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get VNCViewer system list";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching vncviewer v.".$VERSION);
- ::rptMsg("vncviewer v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Software\\ORL\\VNCviewer\\MRU";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("VNCViewer\\MRU");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %vnc;
- foreach my $v (@vals) {
- $vnc{$v->get_name()} = $v->get_data();
- }
- my $ind;
- if (exists $vnc{'index'}) {
- $ind = $vnc{'index'};
- delete $vnc{'index'};
- }
-
- ::rptMsg("Index = ".$ind);
- my @i = split(//,$ind);
- foreach my $i (@i) {
- ::rptMsg(" ".$i." -> ".$vnc{$i});
- }
- ::rptMsg("");
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-
- my $key_path = "Software\\RealVNC\\VNCViewer4\\MRU";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $name = $v->get_name();
- my $type = $v->get_type();
- my $data;
- if ($type == 3) {
- $data = $v->get_data_as_string();
- }
- else {
- $data = $v->get_data();
- }
-
- ::rptMsg(sprintf "%-8s %-25s",$name,$data);
- }
-
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# vncviewer
+#
+#
+# History:
+# 20121231 - Updated to include VNCViewer4
+# 20080325 - created
+#
+#
+#
+#-----------------------------------------------------------
+package vncviewer;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20121231);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get VNCViewer system list";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching vncviewer v.".$VERSION);
+ ::rptMsg("vncviewer v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Software\\ORL\\VNCviewer\\MRU";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("VNCViewer\\MRU");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %vnc;
+ foreach my $v (@vals) {
+ $vnc{$v->get_name()} = $v->get_data();
+ }
+ my $ind;
+ if (exists $vnc{'index'}) {
+ $ind = $vnc{'index'};
+ delete $vnc{'index'};
+ }
+
+ ::rptMsg("Index = ".$ind);
+ my @i = split(//,$ind);
+ foreach my $i (@i) {
+ ::rptMsg(" ".$i." -> ".$vnc{$i});
+ }
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+
+ my $key_path = "Software\\RealVNC\\VNCViewer4\\MRU";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $type = $v->get_type();
+ my $data;
+ if ($type == 3) {
+ $data = $v->get_data_as_string();
+ }
+ else {
+ $data = $v->get_data();
+ }
+
+ ::rptMsg(sprintf "%-8s %-25s",$name,$data);
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/wallpaper.pl b/RecentActivity/release/rr-full/plugins/wallpaper.pl
index 8fec33eef1..d4e1a3b160 100755
--- a/RecentActivity/release/rr-full/plugins/wallpaper.pl
+++ b/RecentActivity/release/rr-full/plugins/wallpaper.pl
@@ -1,92 +1,92 @@
-#-----------------------------------------------------------
-# wallpaper.pl
-#
-# Wallpaper MRU
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package wallpaper;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 200800810);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Parses Wallpaper MRU Entries";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching wallpaper v.".$VERSION);
- ::rptMsg("wallpaper v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("wallpaper");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my %wp;
- my @mrulist;
-
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (sort @vals) {
- my $name = $v->get_name();
- if ($name =~ m/^\d/) {
- my $data = $v->get_data();
- my $str = getStringValue($data);
- $wp{$name} = $str;
- }
- elsif ($name =~ m/^MRUList/) {
- @mrulist = unpack("V*",$v->get_data());
- }
- else {
-# nothing to do
- }
- }
- foreach my $m (@mrulist) {
- next if ($m == 0xffffffff);
- ::rptMsg($m." -> ".$wp{$m});
- }
- }
- else {
- ::rptMsg($key_path." has no values");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-#-----------------------------------------------------------
-# getStringValue() - given a binary data type w/ a Unicode
-# string at the beginning, delimited by \x00\x00, return an ASCII
-# string
-#-----------------------------------------------------------
-sub getStringValue {
- my $bin = shift;
- my $str = (split(/\00\00/,$bin,2))[0];
- $str =~ s/\00//g;
- return $str;
-}
+#-----------------------------------------------------------
+# wallpaper.pl
+#
+# Wallpaper MRU
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package wallpaper;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 200800810);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Parses Wallpaper MRU Entries";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching wallpaper v.".$VERSION);
+ ::rptMsg("wallpaper v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("wallpaper");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my %wp;
+ my @mrulist;
+
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (sort @vals) {
+ my $name = $v->get_name();
+ if ($name =~ m/^\d/) {
+ my $data = $v->get_data();
+ my $str = getStringValue($data);
+ $wp{$name} = $str;
+ }
+ elsif ($name =~ m/^MRUList/) {
+ @mrulist = unpack("V*",$v->get_data());
+ }
+ else {
+# nothing to do
+ }
+ }
+ foreach my $m (@mrulist) {
+ next if ($m == 0xffffffff);
+ ::rptMsg($m." -> ".$wp{$m});
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+#-----------------------------------------------------------
+# getStringValue() - given a binary data type w/ a Unicode
+# string at the beginning, delimited by \x00\x00, return an ASCII
+# string
+#-----------------------------------------------------------
+sub getStringValue {
+ my $bin = shift;
+ my $str = (split(/\00\00/,$bin,2))[0];
+ $str =~ s/\00//g;
+ return $str;
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/win_cv.pl b/RecentActivity/release/rr-full/plugins/win_cv.pl
index ecea0c0502..6669347c75 100755
--- a/RecentActivity/release/rr-full/plugins/win_cv.pl
+++ b/RecentActivity/release/rr-full/plugins/win_cv.pl
@@ -1,87 +1,87 @@
-#-----------------------------------------------------------
-# win_cv.pl
-# Get and display the contents of the Windows\CurrentVersion key
-# Output sorted based on length of data
-#
-# Change History:
-# 20080609: added translation of InstallDate time
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package win_cv;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20090312);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get & display the contents of the Windows\\CurrentVersion key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching win_cv v.".$VERSION);
- ::rptMsg("win_cv v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows\\CurrentVersion";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my %cv;
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $name = $v->get_name();
- my $data = $v->get_data();
- my $len = length($data);
- next if ($name eq "");
- if ($v->get_type() == 3) {
- $data = _translateBinary($data);
- }
- push(@{$cv{$len}},$name." : ".$data);
- }
- foreach my $t (sort {$a <=> $b} keys %cv) {
- foreach my $item (@{$cv{$t}}) {
- ::rptMsg(" $item");
- }
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-
-sub _translateBinary {
- my $str = unpack("H*",$_[0]);
- my $len = length($str);
- my @nstr = split(//,$str,$len);
- my @list = ();
- foreach (0..($len/2)) {
- push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
- }
- return join(' ',@list);
-}
+#-----------------------------------------------------------
+# win_cv.pl
+# Get and display the contents of the Windows\CurrentVersion key
+# Output sorted based on length of data
+#
+# Change History:
+# 20080609: added translation of InstallDate time
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package win_cv;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20090312);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get & display the contents of the Windows\\CurrentVersion key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching win_cv v.".$VERSION);
+ ::rptMsg("win_cv v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows\\CurrentVersion";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my %cv;
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ my $len = length($data);
+ next if ($name eq "");
+ if ($v->get_type() == 3) {
+ $data = _translateBinary($data);
+ }
+ push(@{$cv{$len}},$name." : ".$data);
+ }
+ foreach my $t (sort {$a <=> $b} keys %cv) {
+ foreach my $item (@{$cv{$t}}) {
+ ::rptMsg(" $item");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+
+sub _translateBinary {
+ my $str = unpack("H*",$_[0]);
+ my $len = length($str);
+ my @nstr = split(//,$str,$len);
+ my @list = ();
+ foreach (0..($len/2)) {
+ push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
+ }
+ return join(' ',@list);
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/winnt_cv.pl b/RecentActivity/release/rr-full/plugins/winnt_cv.pl
index 3c8e1016d5..55e84710fd 100755
--- a/RecentActivity/release/rr-full/plugins/winnt_cv.pl
+++ b/RecentActivity/release/rr-full/plugins/winnt_cv.pl
@@ -1,89 +1,89 @@
-#-----------------------------------------------------------
-# winnt_cv.pl
-# Get and display the contents of the Windows\CurrentVersion key
-# Output sorted based on length of data
-#
-# Change History:
-# 20080609: added translation of InstallDate time
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package winnt_cv;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080609);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get & display the contents of the Windows NT\\CurrentVersion key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching winnt_cv v.".$VERSION);
- ::rptMsg("winnt_cv v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("WinNT_CV");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my %cv;
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $name = $v->get_name();
- my $data = $v->get_data();
- $data = gmtime($data)." (UTC)" if ($name eq "InstallDate");
- my $len = length($data);
- next if ($name eq "");
- if ($v->get_type() == 3) {
- $data = _translateBinary($data);
- }
- push(@{$cv{$len}},$name." : ".$data);
- }
- foreach my $t (sort {$a <=> $b} keys %cv) {
- foreach my $item (@{$cv{$t}}) {
- ::rptMsg(" $item");
- }
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-
-sub _translateBinary {
- my $str = unpack("H*",$_[0]);
- my $len = length($str);
- my @nstr = split(//,$str,$len);
- my @list = ();
- foreach (0..($len/2)) {
- push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
- }
- return join(' ',@list);
-}
+#-----------------------------------------------------------
+# winnt_cv.pl
+# Get and display the contents of the Windows\CurrentVersion key
+# Output sorted based on length of data
+#
+# Change History:
+# 20080609: added translation of InstallDate time
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package winnt_cv;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080609);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get & display the contents of the Windows NT\\CurrentVersion key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching winnt_cv v.".$VERSION);
+ ::rptMsg("winnt_cv v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("WinNT_CV");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my %cv;
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ $data = gmtime($data)." (UTC)" if ($name eq "InstallDate");
+ my $len = length($data);
+ next if ($name eq "");
+ if ($v->get_type() == 3) {
+ $data = _translateBinary($data);
+ }
+ push(@{$cv{$len}},$name." : ".$data);
+ }
+ foreach my $t (sort {$a <=> $b} keys %cv) {
+ foreach my $item (@{$cv{$t}}) {
+ ::rptMsg(" $item");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+
+sub _translateBinary {
+ my $str = unpack("H*",$_[0]);
+ my $len = length($str);
+ my @nstr = split(//,$str,$len);
+ my @list = ();
+ foreach (0..($len/2)) {
+ push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
+ }
+ return join(' ',@list);
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/winrar.pl b/RecentActivity/release/rr-full/plugins/winrar.pl
index e44be05b45..0d62e6d944 100755
--- a/RecentActivity/release/rr-full/plugins/winrar.pl
+++ b/RecentActivity/release/rr-full/plugins/winrar.pl
@@ -1,72 +1,72 @@
-#-----------------------------------------------------------
-# winrar.pl
-# Get WinRAR\ArcHistory entries
-#
-# History
-# 20080819 - created
-#
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package winrar;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20080819);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get WinRAR\\ArcHistory entries";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching winrar v.".$VERSION);
- ::rptMsg("winrar v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\WinRAR\\ArcHistory";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("WinRAR");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my %arc;
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- $arc{$v->get_name()} = $v->get_data();
- }
-
- foreach (sort keys %arc) {
- ::rptMsg($_." -> ".$arc{$_});
- }
-
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
-}
+#-----------------------------------------------------------
+# winrar.pl
+# Get WinRAR\ArcHistory entries
+#
+# History
+# 20080819 - created
+#
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package winrar;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080819);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get WinRAR\\ArcHistory entries";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching winrar v.".$VERSION);
+ ::rptMsg("winrar v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\WinRAR\\ArcHistory";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("WinRAR");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my %arc;
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ $arc{$v->get_name()} = $v->get_data();
+ }
+
+ foreach (sort keys %arc) {
+ ::rptMsg($_." -> ".$arc{$_});
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/winver.pl b/RecentActivity/release/rr-full/plugins/winver.pl
index 2f042253be..1dd3720ba9 100755
--- a/RecentActivity/release/rr-full/plugins/winver.pl
+++ b/RecentActivity/release/rr-full/plugins/winver.pl
@@ -1,109 +1,109 @@
-#-----------------------------------------------------------
-# winver.pl
-#
-# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package winver;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20081210);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get Windows version";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching winver v.".$VERSION);
- ::rptMsg("winver v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
-# ::rptMsg("{name}");
-# ::rptMsg($key_path);
-# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my $prod;
- eval {
- $prod = $key->get_value("ProductName")->get_data();
- };
- if ($@) {
-# ::rptMsg("ProductName value not found.");
- }
- else {
- ::rptMsg("ProductName = ".$prod);
- }
-
- my $csd;
- eval {
- $csd = $key->get_value("CSDVersion")->get_data();
- };
- if ($@) {
-# ::rptMsg("CSDVersion value not found.");
- }
- else {
- ::rptMsg("CSDVersion = ".$csd);
- }
-
-
- my $build;
- eval {
- $build = $key->get_value("BuildName")->get_data();
- };
- if ($@) {
-# ::rptMsg("BuildName value not found.");
- }
- else {
- ::rptMsg("BuildName = ".$build);
- }
-
- my $buildex;
- eval {
- $buildex = $key->get_value("BuildNameEx")->get_data();
- };
- if ($@) {
-# ::rptMsg("BuildName value not found.");
- }
- else {
- ::rptMsg("BuildNameEx = ".$buildex);
- }
-
-
- my $install;
- eval {
- $install = $key->get_value("InstallDate")->get_data();
- };
- if ($@) {
-# ::rptMsg("InstallDate value not found.");
- }
- else {
- ::rptMsg("InstallDate = ".gmtime($install));
- }
-
-
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
-}
+#-----------------------------------------------------------
+# winver.pl
+#
+# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package winver;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081210);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get Windows version";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching winver v.".$VERSION);
+ ::rptMsg("winver v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg("{name}");
+# ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my $prod;
+ eval {
+ $prod = $key->get_value("ProductName")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("ProductName value not found.");
+ }
+ else {
+ ::rptMsg("ProductName = ".$prod);
+ }
+
+ my $csd;
+ eval {
+ $csd = $key->get_value("CSDVersion")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("CSDVersion value not found.");
+ }
+ else {
+ ::rptMsg("CSDVersion = ".$csd);
+ }
+
+
+ my $build;
+ eval {
+ $build = $key->get_value("BuildName")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("BuildName value not found.");
+ }
+ else {
+ ::rptMsg("BuildName = ".$build);
+ }
+
+ my $buildex;
+ eval {
+ $buildex = $key->get_value("BuildNameEx")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("BuildName value not found.");
+ }
+ else {
+ ::rptMsg("BuildNameEx = ".$buildex);
+ }
+
+
+ my $install;
+ eval {
+ $install = $key->get_value("InstallDate")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("InstallDate value not found.");
+ }
+ else {
+ ::rptMsg("InstallDate = ".gmtime($install));
+ }
+
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/winzip.pl b/RecentActivity/release/rr-full/plugins/winzip.pl
index d0d00c5452..bc691fd562 100755
--- a/RecentActivity/release/rr-full/plugins/winzip.pl
+++ b/RecentActivity/release/rr-full/plugins/winzip.pl
@@ -1,91 +1,91 @@ -#----------------------------------------------------------- -# WinZip -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winzip; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080325); - -sub getConfig{return %config} -sub getShortDescr { - return "Get WinZip extract and filemenu values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching WinZip v.".$VERSION); - ::rptMsg("winzip v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Nico Mak Computing\\WinZip"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("WinZip"); - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - my %sk; - foreach my $s (@subkeys) { - $sk{$s->get_name()} = $s; - } - - if (exists $sk{'extract'}) { - my $tag = "extract"; - ::rptMsg($key_path."\\extract [".gmtime($sk{'extract'}->get_timestamp)."]"); - my @vals = $sk{'extract'}->get_list_of_values(); - my %ext; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $num = $name; - $num =~ s/^$tag//; - $ext{$num} = $v->get_data(); - } - foreach my $e (sort {$a <=> $b} keys %ext) { - ::rptMsg(" extract".$e." 
-> ".$ext{$e}); - } - ::rptMsg(""); - } - else { - ::rptMsg("extract key not found."); - } - - if (exists $sk{'filemenu'}) { - my $tag = "filemenu"; - ::rptMsg($key_path."\\filemenu [".gmtime($sk{'extract'}->get_timestamp)."]"); - my @vals = $sk{'filemenu'}->get_list_of_values(); - my %ext; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $num = $name; - $num =~ s/^$tag//; - $ext{$num} = $v->get_data(); - } - foreach my $e (sort {$a <=> $b} keys %ext) { - ::rptMsg(" filemenu".$e." -> ".$ext{$e}); - } - } - else { - ::rptMsg("filemenu key not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# WinZip +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package winzip; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080325); + +sub getConfig{return %config} +sub getShortDescr { + return "Get WinZip extract and filemenu values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching WinZip v.".$VERSION); + ::rptMsg("winzip v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Software\\Nico Mak Computing\\WinZip"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("WinZip"); + ::rptMsg($key_path); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + my %sk; + foreach my $s (@subkeys) { + $sk{$s->get_name()} = $s; + } + + if (exists $sk{'extract'}) { + my $tag = "extract"; + ::rptMsg($key_path."\\extract [".gmtime($sk{'extract'}->get_timestamp)."]"); + my 
@vals = $sk{'extract'}->get_list_of_values(); + my %ext; + foreach my $v (@vals) { + my $name = $v->get_name(); + my $num = $name; + $num =~ s/^$tag//; + $ext{$num} = $v->get_data(); + } + foreach my $e (sort {$a <=> $b} keys %ext) { + ::rptMsg(" extract".$e." -> ".$ext{$e}); + } + ::rptMsg(""); + } + else { + ::rptMsg("extract key not found."); + } + + if (exists $sk{'filemenu'}) { + my $tag = "filemenu"; + ::rptMsg($key_path."\\filemenu [".gmtime($sk{'extract'}->get_timestamp)."]"); + my @vals = $sk{'filemenu'}->get_list_of_values(); + my %ext; + foreach my $v (@vals) { + my $name = $v->get_name(); + my $num = $name; + $num =~ s/^$tag//; + $ext{$num} = $v->get_data(); + } + foreach my $e (sort {$a <=> $b} keys %ext) { + ::rptMsg(" filemenu".$e." -> ".$ext{$e}); + } + } + else { + ::rptMsg("filemenu key not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/wordwheelquery.pl b/RecentActivity/release/rr-full/plugins/wordwheelquery.pl index f307100d86..aa25a7fba5 100755 --- a/RecentActivity/release/rr-full/plugins/wordwheelquery.pl +++ b/RecentActivity/release/rr-full/plugins/wordwheelquery.pl 
@@ -1,81 +1,81 @@ -#----------------------------------------------------------- -# wordwheelquery.pl -# For Windows 7 -# -# Change history -# 20100330 - created -# -# References -# http://www.winhelponline.com/blog/clear-file-search-mru-history-windows-7/ -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package wordwheelquery; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100330); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's WordWheelQuery key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching wordwheelquery v.".$VERSION); - ::rptMsg("wordwheelquery v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my @list; - my %wwq; - foreach my $v (@vals) { - my $name = $v->get_name(); - if ($name eq "MRUListEx") { - @list = unpack("V*",$v->get_data()); - pop(@list) if ($list[scalar(@list) - 1] == 0xffffffff); - } - else { - my $data = $v->get_data(); - $data =~ s/\00//g; - $wwq{$name} = $data; - } - } -# list searches in MRUListEx order - ::rptMsg(""); - ::rptMsg("Searches listed in MRUListEx order"); - ::rptMsg(""); - foreach my $l (@list) { - ::rptMsg(sprintf "%-4d %-30s",$l,$wwq{$l}); - } - } - else { - ::rptMsg($key_path." 
has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# wordwheelquery.pl +# For Windows 7 +# +# Change history +# 20100330 - created +# +# References +# http://www.winhelponline.com/blog/clear-file-search-mru-history-windows-7/ +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package wordwheelquery; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100330); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's WordWheelQuery key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching wordwheelquery v.".$VERSION); + ::rptMsg("wordwheelquery v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my @list; + my %wwq; + foreach my $v (@vals) { + my $name = $v->get_name(); + if ($name eq "MRUListEx") { + @list = unpack("V*",$v->get_data()); + pop(@list) if ($list[scalar(@list) - 1] == 0xffffffff); + } + else { + my $data = $v->get_data(); + $data =~ s/\00//g; + $wwq{$name} = $data; + } + } +# list searches in MRUListEx order + ::rptMsg(""); + ::rptMsg("Searches listed in MRUListEx order"); + ::rptMsg(""); + foreach my $l (@list) { + ::rptMsg(sprintf "%-4d %-30s",$l,$wwq{$l}); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/xpedition.pl b/RecentActivity/release/rr-full/plugins/xpedition.pl index 3f89d07fdf..df9d574477 100755 --- a/RecentActivity/release/rr-full/plugins/xpedition.pl +++ b/RecentActivity/release/rr-full/plugins/xpedition.pl 
@@ -1,67 +1,67 @@
-#-----------------------------------------------------------
-# xpedition.pl
-# Determine the edition of XP (MediaCenter, TabletPC)
-#
-# History
-# 20120722 - updated the %config hash
-# 20090727 - created
-#
-# References
-# http://windowsitpro.com/article/articleid/94531/
-# how-can-a-script-determine-if-windows-xp-tablet-pc-edition-is-installed.html
-# http://unasked.com/question/view/id/119610
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package xpedition;
-use strict;
-my %config = (hive => "System",
- hivemask => 4,
- output => "report",
- category => "",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 1,
- version => 20120722);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Queries System hive for XP Edition info";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- my $key;
- my $edition = 0;
-
- ::logMsg("Launching xpedition v.".$VERSION);
- ::rptMsg("xpedition v.".$VERSION); # banner
- ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- ::rptMsg("xpedition v.".$VERSION);
- eval {
- $key = $root_key->get_subkey("WPA\\MediaCenter")->get_value("Installed")->get_data();
- if ($key == 1) {
- ::rptMsg("MediaCenter Edition");
- $edition = 1;
- }
- };
-
- eval {
- $key = $root_key->get_subkey("WPA\\TabletPC")->get_value("Installed")->get_data();
- if ($key == 1) {
- ::rptMsg("TabletPC Edition");
- $edition = 1;
- }
- };
-}
+#-----------------------------------------------------------
+# xpedition.pl
+# Determine the edition of XP (MediaCenter, TabletPC)
+#
+# History
+# 20120722 - updated the %config hash
+# 20090727 - created
+#
+# References
+# http://windowsitpro.com/article/articleid/94531/
+# how-can-a-script-determine-if-windows-xp-tablet-pc-edition-is-installed.html
+# http://unasked.com/question/view/id/119610
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package xpedition;
+use strict;
+my %config = (hive => "System",
+ hivemask => 4,
+ output => "report",
+ category => "",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 1,
+ version => 20120722);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Queries System hive for XP Edition info";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my $key;
+ my $edition = 0;
+
+ ::logMsg("Launching xpedition v.".$VERSION);
+ ::rptMsg("xpedition v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("xpedition v.".$VERSION);
+ eval {
+ $key = $root_key->get_subkey("WPA\\MediaCenter")->get_value("Installed")->get_data();
+ if ($key == 1) {
+ ::rptMsg("MediaCenter Edition");
+ $edition = 1;
+ }
+ };
+
+ eval {
+ $key = $root_key->get_subkey("WPA\\TabletPC")->get_value("Installed")->get_data();
+ if ($key == 1) {
+ ::rptMsg("TabletPC Edition");
+ $edition = 1;
+ }
+ };
+}
 1
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/rip.pl b/RecentActivity/release/rr-full/rip.pl
index b16786608a..e31ed32b82 100755
--- a/RecentActivity/release/rr-full/rip.pl
+++ b/RecentActivity/release/rr-full/rip.pl
@@ -1,335 +1,335 @@ -#! c:\perl\bin\perl.exe -#------------------------------------------------------------------------- -# Rip - RegRipper, CLI version -# Use this utility to run a plugins file or a single plugin against a Reg -# hive file. -# -# Output goes to STDOUT -# Usage: see "_syntax()" function -# -# Change History -# 20130425 - added alertMsg() functionality, updated to v2.8 -# 20120506 - updated to v2.5 release -# 20110516 - added -s & -u options for TLN support -# 20090102 - updated code for relative path to plugins dir -# 20080419 - added '-g' switch (experimental) -# 20080412 - added '-c' switch -# -# copyright 2013 Quantum Analytics Research, LLC -# Author: H. Carvey, keydet89@yahoo.com -# -# This software is released via the GPL v3.0 license: -# http://www.gnu.org/licenses/gpl.html -#------------------------------------------------------------------------- -use strict; -use Parse::Win32Registry qw(:REG_); -use Getopt::Long; - -# Included to permit compiling via Perl2Exe -#perl2exe_include "Parse/Win32Registry.pm"; -#perl2exe_include "Parse/Win32Registry/Key.pm"; -#perl2exe_include "Parse/Win32Registry/Entry.pm"; -#perl2exe_include "Parse/Win32Registry/Value.pm"; -#perl2exe_include "Parse/Win32Registry/File.pm"; -#perl2exe_include "Parse/Win32Registry/Win95/File.pm"; -#perl2exe_include "Parse/Win32Registry/Win95/Key.pm"; -#perl2exe_include "Encode.pm"; -#perl2exe_include "Encode/Byte.pm"; -#perl2exe_include "Encode/Unicode.pm"; -#perl2exe_include "utf8.pm"; -#perl2exe_include "unicore/Heavy.pl"; -#perl2exe_include "unicore/To/Upper.pl"; - -my %config; -Getopt::Long::Configure("prefix_pattern=(-|\/)"); -GetOptions(\%config,qw(reg|r=s file|f=s csv|c guess|g user|u=s sys|s=s plugin|p=s list|l help|?|h)); - -# Code updated 20090102 -my @path; -my $str = $0; -($^O eq "MSWin32") ? 
(@path = split(/\\/,$0)) - : (@path = split(/\//,$0)); -$str =~ s/($path[scalar(@path) - 1])//; -my $plugindir = $str."plugins/"; -#print "Plugins Dir = ".$plugindir."\n"; -# End code update -my $VERSION = "2\.8"; -my @alerts = (); - -if ($config{help} || !%config) { - _syntax(); - exit; -} - -#------------------------------------------------------------- -# -#------------------------------------------------------------- -if ($config{list}) { - my @plugins; - opendir(DIR,$plugindir) || die "Could not open $plugindir: $!\n"; - @plugins = readdir(DIR); - closedir(DIR); - - my $count = 1; - print "Plugin,Version,Hive,Description\n" if ($config{csv}); - foreach my $p (@plugins) { - next unless ($p =~ m/\.pl$/); - my $pkg = (split(/\./,$p,2))[0]; - $p = $plugindir.$p; - eval { - require $p; - my $hive = $pkg->getHive(); - my $version = $pkg->getVersion(); - my $descr = $pkg->getShortDescr(); - if ($config{csv}) { - print $pkg.",".$version.",".$hive.",".$descr."\n"; - } - else { - print $count.". ".$pkg." v.".$version." [".$hive."]\n"; -# printf "%-20s %-10s %-10s\n",$pkg,$version,$hive; - print " - ".$descr."\n\n"; - $count++; - } - }; - print "Error: $@\n" if ($@); - } - exit; -} - -#------------------------------------------------------------- -# -#------------------------------------------------------------- -if ($config{file}) { -# First, check that a hive file was identified, and that the path is -# correct - my $hive = $config{reg}; - die "You must enter a hive file path/name.\n" if ($hive eq ""); -# die $hive." not found.\n" unless (-e $hive); - - my %plugins = parsePluginsFile($config{file}); - if (%plugins) { - logMsg("Parsed Plugins file."); - } - else { - logMsg("Plugins file not parsed."); - exit; - } - foreach my $i (sort {$a <=> $b} keys %plugins) { - eval { - require "plugins/".$plugins{$i}."\.pl"; - $plugins{$i}->pluginmain($hive); - }; - if ($@) { - logMsg("Error in ".$plugins{$i}.": ".$@); - } - logMsg($plugins{$i}." 
complete."); - rptMsg("-" x 40); - } - printAlerts(); -} - -#------------------------------------------------------------- -# -#------------------------------------------------------------- -if ($config{reg} && $config{guess}) { -# Attempt to guess which kind of hive we have - my $hive = $config{reg}; - die "You must enter a hive file path/name.\n" if ($hive eq ""); -# die $hive." not found.\n" unless (-e $hive); - - my $reg; - my $root_key; - my %guess = guessHive($hive); - - foreach my $g (keys %guess) { - ::rptMsg(sprintf "%-8s = %-2s",$g,$guess{$g}); - } -} - -#------------------------------------------------------------- -# -#------------------------------------------------------------- -if ($config{plugin}) { -# First, check that a hive file was identified, and that the path is -# correct - my $hive = $config{reg}; - die "You must enter a hive file path/name.\n" if ($hive eq ""); -# die $hive." not found.\n" unless (-e $hive); - -# check to see if the plugin exists - my $plugin = $config{plugin}; - my $pluginfile = $plugindir.$config{plugin}."\.pl"; - die $pluginfile." not found.\n" unless (-e $pluginfile); - - eval { - require $pluginfile; - $plugin->pluginmain($hive); - }; - if ($@) { - logMsg("Error in ".$pluginfile.": ".$@); - } - printAlerts(); -} - -sub _syntax { - print<< "EOT"; -Rip v.$VERSION - CLI RegRipper tool -Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h] -Parse Windows Registry files, using either a single module, or a plugins file. 
- - -r Reg hive file...Registry hive file to parse - -g ................Guess the hive file (experimental) - -f [profile].......use the plugin file (default: plugins\\plugins) - -p plugin module...use only this module - -l ................list all plugins - -c ................Output list in CSV format (use with -l) - -s system name.....Server name (TLN support) - -u username........User name (TLN support) - -h.................Help (print this information) - -Ex: C:\\>rip -r c:\\case\\system -f system - C:\\>rip -r c:\\case\\ntuser.dat -p userassist - C:\\>rip -l -c - -All output goes to STDOUT; use redirection (ie, > or >>) to output to a file\. - -copyright 2013 Quantum Analytics Research, LLC -EOT -} - -#------------------------------------------------------------- -# -#------------------------------------------------------------- -sub logMsg { - print STDERR $_[0]."\n"; -} - -#------------------------------------------------------------- -# -#------------------------------------------------------------- -sub rptMsg { - binmode STDOUT,":utf8"; - if ($config{sys} || $config{user}) { - my @vals = split(/\|/,$_[0],5); - my $str = $vals[0]."|".$vals[1]."|".$config{sys}."|".$config{user}."|".$vals[4]; - print $str."\n"; - } - else { - print $_[0]."\n"; - } -} - -#------------------------------------------------------------- -# -#------------------------------------------------------------- -sub alertMsg { - push(@alerts,$_[0]); -} - -sub printAlerts { - if (scalar(@alerts) > 0) { -# print "\n"; -# print "Alerts\n"; -# print "-" x 40,"\n"; - foreach (@alerts) { - print $_."\n"; - } - } -} - -#------------------------------------------------------------- -# parsePluginsFile() -# Parse the plugins file and get a list of plugins -#------------------------------------------------------------- -sub parsePluginsFile { - my $file = $_[0]; - my %plugins; -# Parse a file containing a list of plugins -# Future versions of this tool may allow for the analyst to -# choose 
different plugins files - my $pluginfile = $plugindir.$file; - if (-e $pluginfile) { - open(FH,"<",$pluginfile); - my $count = 1; - while() { - chomp; - next if ($_ =~ m/^#/ || $_ =~ m/^\s+$/); -# next unless ($_ =~ m/\.pl$/); - next if ($_ eq ""); - $_ =~ s/^\s+//; - $_ =~ s/\s+$//; - $plugins{$count++} = $_; - } - close(FH); - return %plugins; - } - else { - return undef; - } -} - -#------------------------------------------------------------- -# guessHive() -# -#------------------------------------------------------------- -sub guessHive { - my $hive = shift; - my $reg; - my $root_key; - my %guess; - eval { - $reg = Parse::Win32Registry->new($hive); - $root_key = $reg->get_root_key; - }; - $guess{unknown} = 1 if ($@); - -# Check for SAM - eval { - $guess{sam} = 1 if (my $key = $root_key->get_subkey("SAM\\Domains\\Account\\Users")); - }; -# Check for Software - eval { - $guess{software} = 1 if ($root_key->get_subkey("Microsoft\\Windows\\CurrentVersion") && - $root_key->get_subkey("Microsoft\\Windows NT\\CurrentVersion")); - }; - -# Check for System - eval { - $guess{system} = 1 if ($root_key->get_subkey("MountedDevices") && - $root_key->get_subkey("Select")); - }; - -# Check for Security - eval { - $guess{security} = 1 if ($root_key->get_subkey("Policy\\Accounts") && - $root_key->get_subkey("Policy\\PolAdtEv")); - }; -# Check for NTUSER.DAT - eval { - $guess{ntuser} = 1 if ($root_key->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion")); - - }; - - return %guess; -} - -#------------------------------------------------------------- -# getTime() -# Translate FILETIME object (2 DWORDS) to Unix time, to be passed -# to gmtime() or localtime() -#------------------------------------------------------------- -sub getTime($$) { - my $lo = shift; - my $hi = shift; - my $t; - - if ($lo == 0 && $hi == 0) { - $t = 0; - } else { - $lo -= 0xd53e8000; - $hi -= 0x019db1de; - $t = int($hi*429.4967296 + $lo/1e7); - }; - $t = 0 if ($t < 0); - return $t; +#! 
c:\perl\bin\perl.exe +#------------------------------------------------------------------------- +# Rip - RegRipper, CLI version +# Use this utility to run a plugins file or a single plugin against a Reg +# hive file. +# +# Output goes to STDOUT +# Usage: see "_syntax()" function +# +# Change History +# 20130425 - added alertMsg() functionality, updated to v2.8 +# 20120506 - updated to v2.5 release +# 20110516 - added -s & -u options for TLN support +# 20090102 - updated code for relative path to plugins dir +# 20080419 - added '-g' switch (experimental) +# 20080412 - added '-c' switch +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +# +# This software is released via the GPL v3.0 license: +# http://www.gnu.org/licenses/gpl.html +#------------------------------------------------------------------------- +use strict; +use Parse::Win32Registry qw(:REG_); +use Getopt::Long; + +# Included to permit compiling via Perl2Exe +#perl2exe_include "Parse/Win32Registry.pm"; +#perl2exe_include "Parse/Win32Registry/Key.pm"; +#perl2exe_include "Parse/Win32Registry/Entry.pm"; +#perl2exe_include "Parse/Win32Registry/Value.pm"; +#perl2exe_include "Parse/Win32Registry/File.pm"; +#perl2exe_include "Parse/Win32Registry/Win95/File.pm"; +#perl2exe_include "Parse/Win32Registry/Win95/Key.pm"; +#perl2exe_include "Encode.pm"; +#perl2exe_include "Encode/Byte.pm"; +#perl2exe_include "Encode/Unicode.pm"; +#perl2exe_include "utf8.pm"; +#perl2exe_include "unicore/Heavy.pl"; +#perl2exe_include "unicore/To/Upper.pl"; + +my %config; +Getopt::Long::Configure("prefix_pattern=(-|\/)"); +GetOptions(\%config,qw(reg|r=s file|f=s csv|c guess|g user|u=s sys|s=s plugin|p=s list|l help|?|h)); + +# Code updated 20090102 +my @path; +my $str = $0; +($^O eq "MSWin32") ? 
(@path = split(/\\/,$0)) + : (@path = split(/\//,$0)); +$str =~ s/($path[scalar(@path) - 1])//; +my $plugindir = $str."plugins/"; +#print "Plugins Dir = ".$plugindir."\n"; +# End code update +my $VERSION = "2\.8"; +my @alerts = (); + +if ($config{help} || !%config) { + _syntax(); + exit; +} + +#------------------------------------------------------------- +# +#------------------------------------------------------------- +if ($config{list}) { + my @plugins; + opendir(DIR,$plugindir) || die "Could not open $plugindir: $!\n"; + @plugins = readdir(DIR); + closedir(DIR); + + my $count = 1; + print "Plugin,Version,Hive,Description\n" if ($config{csv}); + foreach my $p (@plugins) { + next unless ($p =~ m/\.pl$/); + my $pkg = (split(/\./,$p,2))[0]; + $p = $plugindir.$p; + eval { + require $p; + my $hive = $pkg->getHive(); + my $version = $pkg->getVersion(); + my $descr = $pkg->getShortDescr(); + if ($config{csv}) { + print $pkg.",".$version.",".$hive.",".$descr."\n"; + } + else { + print $count.". ".$pkg." v.".$version." [".$hive."]\n"; +# printf "%-20s %-10s %-10s\n",$pkg,$version,$hive; + print " - ".$descr."\n\n"; + $count++; + } + }; + print "Error: $@\n" if ($@); + } + exit; +} + +#------------------------------------------------------------- +# +#------------------------------------------------------------- +if ($config{file}) { +# First, check that a hive file was identified, and that the path is +# correct + my $hive = $config{reg}; + die "You must enter a hive file path/name.\n" if ($hive eq ""); +# die $hive." not found.\n" unless (-e $hive); + + my %plugins = parsePluginsFile($config{file}); + if (%plugins) { + logMsg("Parsed Plugins file."); + } + else { + logMsg("Plugins file not parsed."); + exit; + } + foreach my $i (sort {$a <=> $b} keys %plugins) { + eval { + require "plugins/".$plugins{$i}."\.pl"; + $plugins{$i}->pluginmain($hive); + }; + if ($@) { + logMsg("Error in ".$plugins{$i}.": ".$@); + } + logMsg($plugins{$i}." 
complete."); + rptMsg("-" x 40); + } + printAlerts(); +} + +#------------------------------------------------------------- +# +#------------------------------------------------------------- +if ($config{reg} && $config{guess}) { +# Attempt to guess which kind of hive we have + my $hive = $config{reg}; + die "You must enter a hive file path/name.\n" if ($hive eq ""); +# die $hive." not found.\n" unless (-e $hive); + + my $reg; + my $root_key; + my %guess = guessHive($hive); + + foreach my $g (keys %guess) { + ::rptMsg(sprintf "%-8s = %-2s",$g,$guess{$g}); + } +} + +#------------------------------------------------------------- +# +#------------------------------------------------------------- +if ($config{plugin}) { +# First, check that a hive file was identified, and that the path is +# correct + my $hive = $config{reg}; + die "You must enter a hive file path/name.\n" if ($hive eq ""); +# die $hive." not found.\n" unless (-e $hive); + +# check to see if the plugin exists + my $plugin = $config{plugin}; + my $pluginfile = $plugindir.$config{plugin}."\.pl"; + die $pluginfile." not found.\n" unless (-e $pluginfile); + + eval { + require $pluginfile; + $plugin->pluginmain($hive); + }; + if ($@) { + logMsg("Error in ".$pluginfile.": ".$@); + } + printAlerts(); +} + +sub _syntax { + print<< "EOT"; +Rip v.$VERSION - CLI RegRipper tool +Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h] +Parse Windows Registry files, using either a single module, or a plugins file. 
+ + -r Reg hive file...Registry hive file to parse + -g ................Guess the hive file (experimental) + -f [profile].......use the plugin file (default: plugins\\plugins) + -p plugin module...use only this module + -l ................list all plugins + -c ................Output list in CSV format (use with -l) + -s system name.....Server name (TLN support) + -u username........User name (TLN support) + -h.................Help (print this information) + +Ex: C:\\>rip -r c:\\case\\system -f system + C:\\>rip -r c:\\case\\ntuser.dat -p userassist + C:\\>rip -l -c + +All output goes to STDOUT; use redirection (ie, > or >>) to output to a file\. + +copyright 2013 Quantum Analytics Research, LLC +EOT +} + +#------------------------------------------------------------- +# +#------------------------------------------------------------- +sub logMsg { + print STDERR $_[0]."\n"; +} + +#------------------------------------------------------------- +# +#------------------------------------------------------------- +sub rptMsg { + binmode STDOUT,":utf8"; + if ($config{sys} || $config{user}) { + my @vals = split(/\|/,$_[0],5); + my $str = $vals[0]."|".$vals[1]."|".$config{sys}."|".$config{user}."|".$vals[4]; + print $str."\n"; + } + else { + print $_[0]."\n"; + } +} + +#------------------------------------------------------------- +# +#------------------------------------------------------------- +sub alertMsg { + push(@alerts,$_[0]); +} + +sub printAlerts { + if (scalar(@alerts) > 0) { +# print "\n"; +# print "Alerts\n"; +# print "-" x 40,"\n"; + foreach (@alerts) { + print $_."\n"; + } + } +} + +#------------------------------------------------------------- +# parsePluginsFile() +# Parse the plugins file and get a list of plugins +#------------------------------------------------------------- +sub parsePluginsFile { + my $file = $_[0]; + my %plugins; +# Parse a file containing a list of plugins +# Future versions of this tool may allow for the analyst to +# choose 
different plugins files + my $pluginfile = $plugindir.$file; + if (-e $pluginfile) { + open(FH,"<",$pluginfile); + my $count = 1; + while() { + chomp; + next if ($_ =~ m/^#/ || $_ =~ m/^\s+$/); +# next unless ($_ =~ m/\.pl$/); + next if ($_ eq ""); + $_ =~ s/^\s+//; + $_ =~ s/\s+$//; + $plugins{$count++} = $_; + } + close(FH); + return %plugins; + } + else { + return undef; + } +} + +#------------------------------------------------------------- +# guessHive() +# +#------------------------------------------------------------- +sub guessHive { + my $hive = shift; + my $reg; + my $root_key; + my %guess; + eval { + $reg = Parse::Win32Registry->new($hive); + $root_key = $reg->get_root_key; + }; + $guess{unknown} = 1 if ($@); + +# Check for SAM + eval { + $guess{sam} = 1 if (my $key = $root_key->get_subkey("SAM\\Domains\\Account\\Users")); + }; +# Check for Software + eval { + $guess{software} = 1 if ($root_key->get_subkey("Microsoft\\Windows\\CurrentVersion") && + $root_key->get_subkey("Microsoft\\Windows NT\\CurrentVersion")); + }; + +# Check for System + eval { + $guess{system} = 1 if ($root_key->get_subkey("MountedDevices") && + $root_key->get_subkey("Select")); + }; + +# Check for Security + eval { + $guess{security} = 1 if ($root_key->get_subkey("Policy\\Accounts") && + $root_key->get_subkey("Policy\\PolAdtEv")); + }; +# Check for NTUSER.DAT + eval { + $guess{ntuser} = 1 if ($root_key->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion")); + + }; + + return %guess; +} + +#------------------------------------------------------------- +# getTime() +# Translate FILETIME object (2 DWORDS) to Unix time, to be passed +# to gmtime() or localtime() +#------------------------------------------------------------- +sub getTime($$) { + my $lo = shift; + my $hi = shift; + my $t; + + if ($lo == 0 && $hi == 0) { + $t = 0; + } else { + $lo -= 0xd53e8000; + $hi -= 0x019db1de; + $t = int($hi*429.4967296 + $lo/1e7); + }; + $t = 0 if ($t < 0); + return $t; } \ No newline at end 
of file diff --git a/RecentActivity/release/rr-full/rr.pl b/RecentActivity/release/rr-full/rr.pl index 8cd9aee011..f4e06fe824 100755 --- a/RecentActivity/release/rr-full/rr.pl +++ b/RecentActivity/release/rr-full/rr.pl 
@@ -1,454 +1,454 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# Registry Ripper -# Parse a Registry hive file for data pertinent to an investigation -# -# Adv version...provides the basic functionality. All plugins -# can be used with both the basic version and the full-featured -# version -# -# Change History: -# 20130429 - minor updates, including not adding .txt files to Profile list -# 20130425 - added alertMsg() functionality, updated to v2.8 -# 20120505 - Updated to v2.5 -# 20081111 - Updated code in setUpEnv() to parse the file paths for -# output files (log, etc) so that they paths were handled -# properly; updated Perl2Exe include statements to support -# Parse::Win32Registry 0.40 -# 20080512 - Consolidated Basic and Advanced versions into a single -# track -# 20080429 - Fixed issue with output report and log files having the -# same (.log) file extension -# 20080422 - Added ComboBox to choose plugins file -# 20080414 - updated code to check for a selected hive file; set -# default plugin file to "ntuser" if none selected; check -# for plugins file with no plugins or all plugins commented -# out; keep track of plugins w/ hard errors generated via -# this GUI. -# 20080412 - added listbox; populate with list of plugin files -# from plugin dir -# - Log file now based on report file name and location -# 20080226 - added eval{} to wrap require pragma in go_Click() -# -# -# Functionality: -# - plugins file is selectable -# -# copyright 2013 Quantum Research Analytics, LLC -# Author: H. 
Carvey, keydet89@yahoo.com -# -# This software is released via the GPL v3.0 license: -# http://www.gnu.org/licenses/gpl.html -#----------------------------------------------------------- -#use strict; -use Win32::GUI(); -use Parse::Win32Registry qw(:REG_); - -# Included to permit compiling via Perl2Exe -#perl2exe_include "Parse/Win32Registry.pm"; -#perl2exe_include "Parse/Win32Registry/Key.pm"; -#perl2exe_include "Parse/Win32Registry/Entry.pm"; -#perl2exe_include "Parse/Win32Registry/Value.pm"; -#perl2exe_include "Parse/Win32Registry/File.pm"; -#perl2exe_include "Parse/Win32Registry/Win95/File.pm"; -#perl2exe_include "Parse/Win32Registry/Win95/Key.pm"; -#perl2exe_include "Encode.pm"; -#perl2exe_include "Encode/Byte.pm"; -#perl2exe_include "Encode/Unicode.pm"; -#perl2exe_include "utf8.pm"; -#perl2exe_include "unicore/Heavy.pl"; -#perl2exe_include "unicore/To/Upper.pl"; -#----------------------------------------------------------- -# Global variables -#----------------------------------------------------------- -my $VERSION = "2\.8"; -my %env; -my @alerts = (); - -#----------------------------------------------------------- -# GUI -#----------------------------------------------------------- -# create our menu -my $menu = Win32::GUI::MakeMenu( - "&File" => "File", - " > O&pen..." 
=> { -name => "Open"}, - " > -" => 0, - " > E&xit" => { -name => "Exit", -onClick => sub {exit 1;}}, - "&Help" => "Help", - " > &About" => { -name => "About", -onClick => \&RR_OnAbout}, -); - -# Create Main Window -my $main = new Win32::GUI::Window ( - -name => "Main", - -title => "RegRipper, v.".$VERSION, - -pos => [200, 200], -# Format: [width, height] - -maxsize => [500, 420], - -size => [500, 420], - -menu => $menu, - -dialogui => 1, -) or die "Could not create a new Window: $!\n"; - -my $icon_file = "q\.ico"; -my $icon = new Win32::GUI::Icon($icon_file); -$main->SetIcon($icon); - -$main->AddLabel( - -text => "Hive File:", - -left => 20, - -top => 10); - -my $ntuserfile = $main->AddTextfield( - -name => "ntuserdat", - -tabstop => 1, - -left => 100, - -top => 10, - -width => 250, - -height => 22, - -tabstop => 1, - -foreground => "#000000", - -background => "#FFFFFF"); - -my $browse1 = $main->AddButton( - -name => 'browse1', - -left => 375, - -top => 10, - -width => 50, - -height => 22, - -tabstop => 1, - -text => "Browse"); - -$main->AddLabel( - -text => "Report File:", - -left => 20, - -top => 50); - -my $rptfile = $main->AddTextfield( - -name => "rptfile", - -tabstop => 1, - -left => 100, - -top => 50, - -width => 250, - -height => 22, - -tabstop => 1, - -foreground => "#000000", - -background => "#FFFFFF"); - -my $browse2 = $main->AddButton( - -name => 'browse2', - -left => 375, - -top => 50, - -width => 50, - -height => 22, - -tabstop => 1, - -text => "Browse"); - -$main->AddLabel( - -text => "Profile:", - -left => 20, - -top => 90); - -# http://perl-win32-gui.sourceforge.net/cgi-bin/docs.cgi?doc=combobox -my $combo = $main->AddCombobox( - -name => "Combobox", -# -dropdown => 1, - -dropdownlist => 1, - -top => 90, - -left => 100, - -width => 120, - -height => 110, - -tabstop=> 1, - ); - -my $testlabel = $main->AddLabel( - -text => "", - -name => "TestLabel", - -pos => [10,140], - -size => [445,160], - -frame => etched, - -sunken => 1 -); - -my $report = 
$main->AddTextfield( - -name => "Report", - -pos => [20,150], - -size => [425,140], - -multiline => 1, - -vscroll => 1, - -autohscroll => 1, - -autovscroll => 1, - -keepselection => 1 , - -tabstop => 1, -); - -my $go = $main->AddButton( - -name => 'go', - -left => 320, - -top => 310, - -width => 50, - -height => 25, - -tabstop => 1, - -text => "Rip It"); - -$main->AddButton( - -name => 'close', - -left => 390, - -top => 310, - -width => 50, - -height => 25, - -tabstop => 1, - -text => "Close"); - -my $status = new Win32::GUI::StatusBar($main, - -text => "RegRipper v.".$VERSION." opened\.", -); - -populatePluginsList(); -$combo->Text(""); +$status->Text("Profile List Populated."); + +$main->Show(); +Win32::GUI::Dialog(); +#----------------------------------------------------------- +sub Open_Click { + \&browse1_Click(); +} + +sub browse1_Click { + # Open a file + my $file = Win32::GUI::GetOpenFileName( + -owner => $main, + -title => "Open a hive file", + -filter => ['All files' => '*.*',], + ); + + $ntuserfile->Text($file); + 0; +} + +sub browse2_Click { + # Open a file + my $file = Win32::GUI::GetSaveFileName( + -owner => $main, + -title => "Save a report file", + -filter => [ + 'Report file (*.txt)' => '*.txt', + 'All files' => '*.*', + ], + ); + + $file = $file."\.txt" unless ($file =~ m/\.\w+$/i); + $rptfile->Text($file); + 0; +} + +sub go_Click { +# Set up the environment + setUpEnv(); + if ($env{ntuser} eq "") { + Win32::GUI::MessageBox($main,$ENV{USERNAME}.", you did not select a hive file.\r\n", + "Doh!!",16); + return; + } +# Get the selected item from the Plugins file listbox +# only allows for single selections at this time; defaults to ntuser +# if none selected + my $pluginfile = $combo->GetLBText($combo->GetCurSel()); + $pluginfile = "ntuser" if ($pluginfile eq ""); + $report->Append("Logging to ".$env{logfile}."\r\n"); + $report->Append("Using plugins file ".$pluginfile."\r\n"); + logMsg("Log opened."); + logMsg("File: ".$env{ntuser}); + 
logMsg("Environment set up."); + my %plugins = parsePluginsFile($pluginfile); + logMsg("Parsed Plugins file ".$pluginfile); + if (scalar(keys %plugins) == 0) { + Win32::GUI::MessageBox($main,$ENV{USERNAME}.", the plugins file has no plugins!!.\r\n", + "Doh!!",16); + return; + } + my $err_cnt = 0; + foreach my $i (sort {$a <=> $b} keys %plugins) { + eval { + require "plugins\\".$plugins{$i}."\.pl"; + $plugins{$i}->pluginmain($env{ntuser}); + }; + if ($@) { + $err_cnt++; + logMsg("Error in ".$plugins{$i}.": ".$@); + } + + $report->Append($plugins{$i}."...Done.\r\n"); + $status->Text($plugins{$i}." completed."); + + Win32::GUI::DoEvents(); + logMsg($err_cnt." plugins completed with errors."); + logMsg($plugins{$i}." complete."); + rptMsg("-" x 40); + } +# add output of alerts to the report file here + if (scalar(@alerts) > 0) { +# rptMsg(""); +# rptMsg("Alerts"); +# rptMsg("-" x 40); + foreach my $a (@alerts) { + rptMsg($a); + } + } + + $report->Append($err_cnt." plugins completed with errors.\r\n"); + $status->Text("Done."); +} + +sub close_Click { + $main->Hide(); + exit -1; +} + +sub Combobox_CloseUp { + $status->Text("Profile = ".$combo->GetLBText($combo->GetCurSel())); +} + +# About box +sub RR_OnAbout { + my $self = shift; + $self->MessageBox( + "Registry Ripper, v.".$VERSION."\r\n". + "Parses Registry hive (NTUSER\.DAT, System, etc.) files, placing pertinent info in a report ". + "file in a readable manner.\r\n". + "\r\n". + "Copyright 2013 Quantum Analytics Research, LLC.\r\n". + "H\. 
Carvey, keydet89\@yahoo\.com", + "About...", + MB_ICONINFORMATION | MB_OK, + ); + 0; +} +#----------------------------------------------------------- + +#----------------------------------------------------------- +sub setUpEnv { + $env{ntuser} = $ntuserfile->Text(); + $env{rptfile} = $rptfile->Text(); +# Ensure that the report file has a .txt extension if none was given + $env{rptfile} = $env{rptfile}."\.txt" unless ($env{rptfile} =~ m/\.\w+$/i); + $rptfile->Text($env{rptfile}); + + my @path = split(/\\/,$env{rptfile}); + my $last = scalar(@path) - 1; + my @f = split(/\./,$path[$last]); + my $ext = $f[scalar(@f) - 1]; + +# Assemble path to log file + $f[scalar(@f) - 1] = "log"; + $path[$last] = join('.',@f); + print join('\\',@path)."\n"; + $env{logfile} = join('\\',@path); + +# Use the above code to set up the path to the Timeline +# (.tln) file +# Assemble path to log file +# $f[scalar(@f) - 1] = "tln"; +# $path[$last] = join('.',@f); +# print join('\\',@path)."\n"; +# $env{tlnfile} = join('\\',@path); + +} + +#----------------------------------------------------------- +# get a list of plugins files from the plugins dir +#----------------------------------------------------------- +sub getProfiles { + my @pluginfiles; + opendir(DIR,"plugins"); + my @files = readdir(DIR); + close(DIR); + + foreach my $f (@files) { + next if ($f =~ m/^\.$/ || $f =~ m/^\.\.$/); + next if ($f =~ m/\.pl$/ || $f =~ m/\.txt$/); + push(@pluginfiles,$f); + } + return @pluginfiles; +} + +#----------------------------------------------------------- +# populate the list of plugins files +#----------------------------------------------------------- +sub populatePluginsList { + my @files = getProfiles(); + foreach my $f (@files) { + $combo->InsertItem($f); + } +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parsePluginsFile { + my $file = $_[0]; + my %plugins; +# Parse a file containing a list of plugins 
+# Future versions of this tool may allow for the analyst to +# choose different plugins files + my $pluginfile = "plugins\\".$file; + if (-e $pluginfile) { + open(FH,"<",$pluginfile); + my $count = 1; + while() { + chomp; + next if ($_ =~ m/^#/ || $_ =~ m/^\s+$/); +# next unless ($_ =~ m/\.pl$/); + next if ($_ eq ""); + $_ =~ s/^\s+//; + $_ =~ s/\s+$//; + $plugins{$count++} = $_; + } + close(FH); + $status->Text("Plugin file parsed and loaded."); + return %plugins; + } + else { + $report->Append($pluginfile." not found.\r\n"); + return undef; + } +} + +sub logMsg { + open(FH,">>",$env{logfile}); + print FH localtime(time).": ".$_[0]."\n"; + close(FH); +} + +sub rptMsg { + open(FH,">>",$env{rptfile}); + binmode FH,":utf8"; + print FH $_[0]."\n"; + close(FH); +} + +sub alertMsg { + push(@alerts,$_[0]); +} + +#------------------------------------------------------------- +# getTime() +# Translate FILETIME object (2 DWORDS) to Unix time, to be passed +# to gmtime() or localtime() +#------------------------------------------------------------- +sub getTime($$) { + my $lo = shift; + my $hi = shift; + my $t; + + if ($lo == 0 && $hi == 0) { + $t = 0; + } else { + $lo -= 0xd53e8000; + $hi -= 0x019db1de; + $t = int($hi*429.4967296 + $lo/1e7); + }; + $t = 0 if ($t < 0); + return $t; } \ No newline at end of file diff --git a/docs/QuickStartGuide/index.html b/docs/QuickStartGuide/index.html index 7fe6d0867b..7bafa3b452 100644 --- a/docs/QuickStartGuide/index.html +++ b/docs/QuickStartGuide/index.html @@ -1,221 +1,221 @@ - - - - - - Autopsy 3 Quick Start Guide - - - -

Autopsy 3 Quick Start Guide

-

June 2013

-

www.sleuthkit.org/autopsy/

- - -

Installation

-

- The current version of Autopsy 3 runs only on Microsoft Windows. - We have gotten it to run on other platforms, such as Linux and OS X, but we do not have it in a state that makes it easy to distribute and find the needed libraries. -

-

- The Windows installer will make a directory for Autopsy and place all of the needed files inside of it. - The installer includes all dependencies, including Sleuth Kit and Java. -

-

Note that Autopsy 3 is a complete rewrite from Autopsy 2 and none of this document is relevant to Autopsy 2.

- -

Adding a Data Source (image, local disk, logical files)

-

- Data sources are added to a case. A case can have a single data source or it can have multiple data source if they are related. - Currently, a single report is generated for an entire case, so if you need to report on individual data sources, then you should use one data source per case. -

- -

Creating a Case

-

- To create a case, use either the "Create New Case" option on the Welcome screen or from the "File" menu. - This will start the New Case Wizard. You will need to supply it with the name of the case and a directory to store the case results into. - You can optionally provide case numbers and other details. -

- - -

Adding a Data Source

-

- The next step is to add input data source to the case. - The Add Data Source Wizard will start automatically after the case is created or you can manually start it from the "File" menu or toolbar. - You will need to choose the type of input data source to add (image, local disk or logical files and folders). - Next, supply it with the location of the source to add. -

-
    -
  • For a disk image, browse to the first file in the set (Autopsy will find the rest of the files). Autopsy currently supports E01 and raw (dd) files. -
  • -
  • - For local disk, select one of the detected disks. - Autopsy will add the current view of the disk to the case (i.e. snapshot of the meta-data). - However, the individual file content (not meta-data) does get updated with the changes made to the disk. - Note, you may need run Autopsy as an Administrator to detect all disks. -
  • -
  • For logical files (a single file or folder of files), use the "Add" button to add one or more files or folders on your system to the case. Folders will be recursively added to the case.
  • -
- - -

- There are a couple of options in the wizard that will allow you to make the ingest process faster. - These typically deal with deleted files. - It will take longer if unallocated space is analyzed and the entire drive is searched for deleted files. - In some scenarios, these recovery steps must be performed and in other scenarios these steps are not needed and instead fast results on the allocated files are needed. - Use these options to control how long the analysis will take. -

- -

- Autopsy will start to analyze these data sources and add them to the case and internal database. While it is doing that, it will prompt you to configure the Ingest Modules.

- - -

Ingest Modules

-

- You will next be prompted to configure the Ingest Modules. - Ingest modules will run in the background and perform specific tasks. - The Ingest Modules analyze files in a prioritized order so that files in a user's directory are analyzed before files in other folders. - Ingest modules can be developed by third-parties and here are some of the standard ingest modules that come with Autopsy: -

-
    -
  • Recent Activity - extracts user activity as saved by web browsers and the OS. Also runs regripper on the registry hive. -
  • -
  • Hash Lookup - uses hash databases to ignore known files from the NIST NSRL and flag known bad files. - Use the "Advanced" button to add and configure the hash databases to use during this process. - You will get updates on known bad file hits as the ingest occurs. You can later add hash databases - via the Tools -> Options menu in the main UI. You can download an index of the NIST NSRL from - here. -
  • -
  • Keyword Search - uses keyword lists to identify files with specific words in them. - You can select the keyword lists to search for automatically and you can create new lists using the "Advanced" button. - Note that with keyword search, you can always conduct searches after ingest has finished. - The keyword lists that you select during ingest will be searched for at periodic intervals and you will get the results in real-time. - You do not need to wait for all files to be indexed. -
  • -
  • Archive Extractor opens ZIP, RAR, and other archive formats and sends the files from those archive files back - through the pipelines for analysis.
  • -
  • Exif Image Parser extracts EXIF information from JPEG files and posts the results into the tree in the main UI.
  • -
  • Thunderbird Parser Identifies Thunderbird MBOX files and extracts the e-mails from them.
  • -
-

- When you select a module, you will have the option to change its settings. - For example, you can configure which keyword search lists to use during ingest and which hash databases to use. - Refer to the help system inside of Autopsy for details on configuring each module. -

-

- While ingest modules are running in the background, you will see a progress bar in the lower right. - You can use the GUI to review incoming results and perform other tasks while ingest at that time. -

- - -

Analysis Basics

- Autopsy Screenshot -

You will start all of your analysis techniques from the tree on the left.

-
    -
  • The Data Sources root node shows all data in the case.
  • -
      -
    • The individual image nodes show the file system structure of the disk images or local disks in the case.
    • -
    • The LogicalFileSet nodes show the logical files in the case.
    • -
    -
  • The Views node shows the same data from a file type or timeline perspective.
  • -
  • The Results node shows the output from the ingest modules.
  • -
- -

- When you select a node from the tree on the left, a list of files will be shown in the upper right. - You can use the Thumbnail view in the upper right to view the pictures. - When you select a file from the upper right, its contents will be shown in the lower right. - You can use the tabs in the lower right to view the text of the file, an image, or the hex data. -

- -

- If you are viewing files from the Views and Results nodes, you can right-click on a file to go to its file system location. - This feature is useful to see what else the user stored in the same folder as the file that you are currently looking at. - You can also right click on a file to extract it to the local system. -

-

- If you want to search for single keywords, then you can use the search box in the upper right of the program. - The results will be shown in a table in the upper right. -

- -

You can tag (or bookmark) arbitrary files so that you can more quickly find them later or so that you can include them specifically in a report.

- -

Ingest Inbox

-

- As you are going through the results in the tree, the ingest modules are running in the background. - The results are shown in the tree as soon as the ingest modules find them and report them. -

-

- The Ingest Inbox receives messages from the ingest modules as they find results. - You can open the inbox to see what has been recently found. - It keeps track of what messages you have read. -

-

- The intended use of this inbox is that you can focus on some data for a while and then check back on the inbox at a time that is convenient for them. - You can then see what else was found while you were focused on the previous task. - You may learn that a known bad file was found or that a file was found with a relevant keyword and then decide to focus on that for a while. -

-

When you select a message, you can then jump to the Results tree where more details can be found or jump to the file's location in the filesystem.

- -

Timeline (Beta)

-

There is a basic timeline view that you can access via the Tools -> Make Timeline feature. This will take a few minutes to create the timeline for analysis. Its features are still in development.

- - -

Example Use Cases

-

In this section, we will provide examples of how to do common analysis tasks.

- -

Web Artifacts

-

- If you want to view the user's recent web activity, make sure that the Recent Activity ingest module was enabled. - You can then go to the "Results " node in the tree on the left and then into the "Extracted Data" node. - There, you can find bookmarks, cookies, downloads, and history. -

- -

Known Bad Hash Files

-

- If you want to see if the data source had known bad files, make sure that the Hash Lookup ingest module was enabled. - You can then view the "Hashset Hits" section in the "Results" area of the tree on the left. - Note that hash lookup can take a long time, so this section will be updated as long as the ingest process is occurring. - Use the Ingest Inbox to keep track of what known bad files were recently found. -

-

- When you find a known bad file in this interface, you may want to right click on the file to also view the file's original location. - You may find additional files that are relevant and stored in the same folder as this file. -

- -

Media: Images and Videos

-

- If you want to see all images and video on the disk image, then go to the "Views" section in the tree on the left and then "File Types". - Select either "Images" or "Videos". - You can use the thumbnail option in the upper right to view thumbnails of all images. -

-
    -
  • Note: - We are working on making this more efficient when there are lots of images and we are working on the feature to display video thumbnails. -
  • -
-

You can select an image or video from the upper right and view the video or image in the lower right. Video will be played with sound.

- - -

Reporting

-

- A final report can be generated that will include all analysis results. - Use the "Generate Report" button to create this. - It will create an HTML or XLS report in the Reports folder of the case folder. - If you forgot the location of your case folder, you can determine it using the "Case Properties" option in the "File" menu. - There is also an option to export report files to a separate folder outside of the case folder. -

- -
-

Copyright © 2012-2013 Basis Technology.

-

- This work is licensed under a - Creative Commons Attribution-Share Alike 3.0 United States License. -

- - + + + + + + Autopsy 3 Quick Start Guide + + + +

Autopsy 3 Quick Start Guide

+

June 2013

+

www.sleuthkit.org/autopsy/

+ + +

Installation

+

+ The current version of Autopsy 3 runs only on Microsoft Windows. + We have gotten it to run on other platforms, such as Linux and OS X, but we do not have it in a state that makes it easy to distribute and find the needed libraries. +

+

+ The Windows installer will make a directory for Autopsy and place all of the needed files inside of it. + The installer includes all dependencies, including Sleuth Kit and Java. +

+

Note that Autopsy 3 is a complete rewrite from Autopsy 2 and none of this document is relevant to Autopsy 2.

+ +

Adding a Data Source (image, local disk, logical files)

+

+ Data sources are added to a case. A case can have a single data source or it can have multiple data source if they are related. + Currently, a single report is generated for an entire case, so if you need to report on individual data sources, then you should use one data source per case. +

+ +

Creating a Case

+

+ To create a case, use either the "Create New Case" option on the Welcome screen or from the "File" menu. + This will start the New Case Wizard. You will need to supply it with the name of the case and a directory to store the case results into. + You can optionally provide case numbers and other details. +

+ + +

Adding a Data Source

+

+ The next step is to add input data source to the case. + The Add Data Source Wizard will start automatically after the case is created or you can manually start it from the "File" menu or toolbar. + You will need to choose the type of input data source to add (image, local disk or logical files and folders). + Next, supply it with the location of the source to add. +

+
    +
  • For a disk image, browse to the first file in the set (Autopsy will find the rest of the files). Autopsy currently supports E01 and raw (dd) files. +
  • +
  • + For local disk, select one of the detected disks. + Autopsy will add the current view of the disk to the case (i.e. snapshot of the meta-data). + However, the individual file content (not meta-data) does get updated with the changes made to the disk. + Note, you may need run Autopsy as an Administrator to detect all disks. +
  • +
  • For logical files (a single file or folder of files), use the "Add" button to add one or more files or folders on your system to the case. Folders will be recursively added to the case.
  • +
+ + +

+ There are a couple of options in the wizard that will allow you to make the ingest process faster. + These typically deal with deleted files. + It will take longer if unallocated space is analyzed and the entire drive is searched for deleted files. + In some scenarios, these recovery steps must be performed and in other scenarios these steps are not needed and instead fast results on the allocated files are needed. + Use these options to control how long the analysis will take. +

+ +

+ Autopsy will start to analyze these data sources and add them to the case and internal database. While it is doing that, it will prompt you to configure the Ingest Modules.

+ + +

Ingest Modules

+

+ You will next be prompted to configure the Ingest Modules. + Ingest modules will run in the background and perform specific tasks. + The Ingest Modules analyze files in a prioritized order so that files in a user's directory are analyzed before files in other folders. + Ingest modules can be developed by third-parties and here are some of the standard ingest modules that come with Autopsy: +

+
    +
  • Recent Activity + extracts user activity as saved by web browsers and the OS. Also runs regripper on the registry hive. +
  • +
  • Hash Lookup + uses hash databases to ignore known files from the NIST NSRL and flag known bad files. + Use the "Advanced" button to add and configure the hash databases to use during this process. + You will get updates on known bad file hits as the ingest occurs. You can later add hash databases + via the Tools -> Options menu in the main UI. You can download an index of the NIST NSRL from + here. +
  • +
  • Keyword Search + uses keyword lists to identify files with specific words in them. + You can select the keyword lists to search for automatically and you can create new lists using the "Advanced" button. + Note that with keyword search, you can always conduct searches after ingest has finished. + The keyword lists that you select during ingest will be searched for at periodic intervals and you will get the results in real-time. + You do not need to wait for all files to be indexed. +
  • +
  • Archive Extractor opens ZIP, RAR, and other archive formats and sends the files from those archive files back + through the pipelines for analysis.
  • +
  • Exif Image Parser extracts EXIF information from JPEG files and posts the results into the tree in the main UI.
  • +
  • Thunderbird Parser Identifies Thunderbird MBOX files and extracts the e-mails from them.
  • +
+

+ When you select a module, you will have the option to change its settings. + For example, you can configure which keyword search lists to use during ingest and which hash databases to use. + Refer to the help system inside of Autopsy for details on configuring each module. +

+

+ While ingest modules are running in the background, you will see a progress bar in the lower right. + You can use the GUI to review incoming results and perform other tasks while ingest at that time. +

+ + +

Analysis Basics

+ Autopsy Screenshot +

You will start all of your analysis techniques from the tree on the left.

+
    +
  • The Data Sources root node shows all data in the case.
  • +
      +
    • The individual image nodes show the file system structure of the disk images or local disks in the case.
    • +
    • The LogicalFileSet nodes show the logical files in the case.
    • +
    +
  • The Views node shows the same data from a file type or timeline perspective.
  • +
  • The Results node shows the output from the ingest modules.
  • +
+ +

+ When you select a node from the tree on the left, a list of files will be shown in the upper right. + You can use the Thumbnail view in the upper right to view the pictures. + When you select a file from the upper right, its contents will be shown in the lower right. + You can use the tabs in the lower right to view the text of the file, an image, or the hex data. +

+ +

+ If you are viewing files from the Views and Results nodes, you can right-click on a file to go to its file system location. + This feature is useful to see what else the user stored in the same folder as the file that you are currently looking at. + You can also right click on a file to extract it to the local system. +

+

+ If you want to search for single keywords, then you can use the search box in the upper right of the program. + The results will be shown in a table in the upper right. +

+ +

You can tag (or bookmark) arbitrary files so that you can more quickly find them later or so that you can include them specifically in a report.

+ +

Ingest Inbox

+

+ As you are going through the results in the tree, the ingest modules are running in the background. + The results are shown in the tree as soon as the ingest modules find them and report them. +

+

+ The Ingest Inbox receives messages from the ingest modules as they find results. + You can open the inbox to see what has been recently found. + It keeps track of what messages you have read. +

+

+ The intended use of this inbox is that you can focus on some data for a while and then check back on the inbox at a time that is convenient for them. + You can then see what else was found while you were focused on the previous task. + You may learn that a known bad file was found or that a file was found with a relevant keyword and then decide to focus on that for a while. +

+

When you select a message, you can then jump to the Results tree where more details can be found or jump to the file's location in the filesystem.

+ +

Timeline (Beta)

+

There is a basic timeline view that you can access via the Tools -> Make Timeline feature. This will take a few minutes to create the timeline for analysis. Its features are still in development.

+ + +

Example Use Cases

+

In this section, we will provide examples of how to do common analysis tasks.

+ +

Web Artifacts

+

+ If you want to view the user's recent web activity, make sure that the Recent Activity ingest module was enabled. + You can then go to the "Results " node in the tree on the left and then into the "Extracted Data" node. + There, you can find bookmarks, cookies, downloads, and history. +

+ +

Known Bad Hash Files

+

+ If you want to see if the data source had known bad files, make sure that the Hash Lookup ingest module was enabled. + You can then view the "Hashset Hits" section in the "Results" area of the tree on the left. + Note that hash lookup can take a long time, so this section will be updated as long as the ingest process is occurring. + Use the Ingest Inbox to keep track of what known bad files were recently found. +

+

+ When you find a known bad file in this interface, you may want to right click on the file to also view the file's original location. + You may find additional files that are relevant and stored in the same folder as this file. +

+ +

Media: Images and Videos

+

+ If you want to see all images and video on the disk image, then go to the "Views" section in the tree on the left and then "File Types". + Select either "Images" or "Videos". + You can use the thumbnail option in the upper right to view thumbnails of all images. +

+
    +
  • Note: + We are working on making this more efficient when there are lots of images and we are working on the feature to display video thumbnails. +
  • +
+

You can select an image or video from the upper right and view the video or image in the lower right. Video will be played with sound.

+ + +

Reporting

+

+ A final report can be generated that will include all analysis results. + Use the "Generate Report" button to create this. + It will create an HTML or XLS report in the Reports folder of the case folder. + If you forgot the location of your case folder, you can determine it using the "Case Properties" option in the "File" menu. + There is also an option to export report files to a separate folder outside of the case folder. +

+ +
+

Copyright © 2012-2013 Basis Technology.

+

+ This work is licensed under a + Creative Commons Attribution-Share Alike 3.0 United States License. +

+ + diff --git a/docs/doxygen/needs_a_home.dox b/docs/doxygen/needs_a_home.dox index c6badf6b36..b0a2b42d4f 100755 --- a/docs/doxygen/needs_a_home.dox +++ b/docs/doxygen/needs_a_home.dox 
@@ -1,30 +1,30 @@ - - - -The component is by default registered with the ingest manager as an ingest event listener. -The viewer first loads all the viewer-supported data currently in the blackboard when Autopsy starts. -During the ingest process the viewer receives events from ingest modules -(relayed by ingest manager) and it selectively refreshes parts of the tree providing real-time updates to the user. -When ingest is completed, the viewer responds to the final ingest data event generated by the ingest manager, -and performs a final refresh of all viewer-supported data in the blackboard. - - -Node content support capabilities are registered in the node's Lookup. - - - - -\section design_data_flow Data Flow - -\subsection design_data_flow_create Creating Nodes in DataExplorer - -Data flows between the UI zones using a NetBeans node. The DataExplorer modules create the NetBeans nodes. They query the SQLite database or do whatever they want to identify the set of files that are of interest. They create the NetBeans nodes based on Sleuthkit data model objects. See the org.sleuthkit.autopsy.datamodel package for more details on this. - -\subsection design_data_flow_toResult Getting Nodes to DataResult - -Each DataExplorer TopComponent is responsible for creating its own DataResult TopComponent to display its results. It can choose to re-use the same TopComponent for multiple searches (as DirectoryTree does) or it can choose to make a new one each time (as FileSearch does). The setNode() method on the DataResult object is used to set the root node to display. A dummy root node must be created as the parent if a parent does not already exist. - -The DataExplorer is responsible for setting the double-click and right-click actions associated with the node. The default single click action is to pass data to DataContent. To override this, you must create a new DataResultViewer instance that overrides the propertyChange() method. 
The DataExplorer adds actions to wrapping the node in a FilterNode variant. The FilterNode then defines the actions for the node by overriding the getPreferredAction() and getActions() methods. As an example, org.sleuthkit.autopsy.directorytree.DataResultFilterNode and org.sleuthkit.autopsy.directorytree.DataResultFilterChildren wraps the nodes that are passed over by the DirectoryTree DataExplorer. - -DataResult can send data back to its DataExplorer by making a custom action that looks up it's instance (DataExplorer.getInstance()). + + + +The component is by default registered with the ingest manager as an ingest event listener. +The viewer first loads all the viewer-supported data currently in the blackboard when Autopsy starts. +During the ingest process the viewer receives events from ingest modules +(relayed by ingest manager) and it selectively refreshes parts of the tree providing real-time updates to the user. +When ingest is completed, the viewer responds to the final ingest data event generated by the ingest manager, +and performs a final refresh of all viewer-supported data in the blackboard. + + +Node content support capabilities are registered in the node's Lookup. + + + + +\section design_data_flow Data Flow + +\subsection design_data_flow_create Creating Nodes in DataExplorer + +Data flows between the UI zones using a NetBeans node. The DataExplorer modules create the NetBeans nodes. They query the SQLite database or do whatever they want to identify the set of files that are of interest. They create the NetBeans nodes based on Sleuthkit data model objects. See the org.sleuthkit.autopsy.datamodel package for more details on this. + +\subsection design_data_flow_toResult Getting Nodes to DataResult + +Each DataExplorer TopComponent is responsible for creating its own DataResult TopComponent to display its results. 
It can choose to re-use the same TopComponent for multiple searches (as DirectoryTree does) or it can choose to make a new one each time (as FileSearch does). The setNode() method on the DataResult object is used to set the root node to display. A dummy root node must be created as the parent if a parent does not already exist. + +The DataExplorer is responsible for setting the double-click and right-click actions associated with the node. The default single click action is to pass data to DataContent. To override this, you must create a new DataResultViewer instance that overrides the propertyChange() method. The DataExplorer adds actions to wrapping the node in a FilterNode variant. The FilterNode then defines the actions for the node by overriding the getPreferredAction() and getActions() methods. As an example, org.sleuthkit.autopsy.directorytree.DataResultFilterNode and org.sleuthkit.autopsy.directorytree.DataResultFilterChildren wraps the nodes that are passed over by the DirectoryTree DataExplorer. + +DataResult can send data back to its DataExplorer by making a custom action that looks up it's instance (DataExplorer.getInstance()). diff --git a/docs/doxygen/workflow.dox b/docs/doxygen/workflow.dox index e7e3b9c882..c9bdf78486 100644 --- a/docs/doxygen/workflow.dox +++ b/docs/doxygen/workflow.dox 
@@ -1,53 +1,53 @@ -/*! \page workflow_page General Workflow and Design - -\section design_overview Overview -This section outlines the internal Autopsy design from the typical analysis work flow perspective. -This page is organized based on these phases: -- A Case is created. -- Images are added to the case and ingest modules are run. -- Results are manually reviewed and searched. -- Reports are generated. - -\section design_case Creating a Case -The first step in Autopsy work flow is creating a case. This is done in the org.sleuthkit.autopsy.casemodule package (see \ref casemodule_overview for details). This module contains the wizards needed and deals with how to store the information. You should not need to do much modifications in this package. But, you will want to use the org.sleuthkit.autopsy.casemodule.Case object to access all data related to this case. - - -\section design_image Adding an Image and Running Ingest Modules - -After case is created, one or more disk images can be added to the case. There is a wizard to guide that process and it is located in the org.sleuthkit.autopsy.casemodule package. Refer to the package section \ref casemodule_add_image for more details on the wizard. Most developers will not need to touch this code though. An important concept though is that adding an image to a case means that Autopsy uses The Sleuth Kit to enumerate all of the files in the file system and make a database entry for them in the embedded SQLite database that was created for the case. The database will be used for all further analysis. - -After image has been added to the case, the user can select one or more ingest modules to be executed on the image. Ingest modules focus on a specific type of analysis task and run in the background. They either analyze the entire disk image or individual files. The user will see the results from the modules in the result tree and in the ingest inbox. 
- -The org.sleuthkit.autopsy.ingest package provides the basic infrastructure for the ingest module management. - -If you want to develop a module that analyzes drive data, then this is probably the type of module that you want to build. See \ref mod_ingest_page for more details on making an ingest module. - - -\section design_view Viewing Results - -The UI has three main areas. The tree on the left-hand side, the result viewers in the upper right, and the content viewers in the lower right. Data passes between these areas by encapsulating them in Netbeans Node objects (see org.openide.nodes.Node). These allow Autopsy to generically handle all types of data. The org.sleuthkit.autopsy.datamodel package wraps the generic org.sleuthkit.datamodel Sleuth Kit objects as Netbeans Nodes. - -Nodes are modeled in a parent-child hierarchy with other nodes. All data within a Case is represented in a hierarchy with the disk images being one level below the case and volumes and such below the image. - -The tree on the left hand-side shows the analysis results. -Its contents are populated from the central database. -This is where you can browse the file system contents and see the results from the blackboard. - -The tree is implemented in the org.sleuthkit.autopsy.directorytree package. - -The area in the upper right is the result viewer area. When a node is selected from the tree, the node and its children are sent to this area. This area is used to view a set of nodes. The viewer is itself a framework with modules that display the data in different layouts. For example, the standard version comes with a table viewer and a thumbnail viewer. Refer to \ref mod_result_page for details on building a data result module. - -When an item is selected from the result viewer area, it is passed to the bottom right content viewers. It too is a framework with many modules that know how to show information about a specific file in different ways. 
For example, there are viewers that show the data in a hex dump format, extract the strings, and display pictures and movies. -See \ref mod_content_page for details on building new content viewers. - -\section design_report Report generation - -When ingest is complete, the user can generate reports. -There is a reporting framework to enable many different formats. Autopsy currently comes with generic html, xml and Excel reports. See the org.sleuthkit.autopsy.report package for details on the framework and -\ref mod_report_page for details on building a new report module. - - - - - -*/ +/*! \page workflow_page General Workflow and Design + +\section design_overview Overview +This section outlines the internal Autopsy design from the typical analysis work flow perspective. +This page is organized based on these phases: +- A Case is created. +- Images are added to the case and ingest modules are run. +- Results are manually reviewed and searched. +- Reports are generated. + +\section design_case Creating a Case +The first step in Autopsy work flow is creating a case. This is done in the org.sleuthkit.autopsy.casemodule package (see \ref casemodule_overview for details). This module contains the wizards needed and deals with how to store the information. You should not need to do much modifications in this package. But, you will want to use the org.sleuthkit.autopsy.casemodule.Case object to access all data related to this case. + + +\section design_image Adding an Image and Running Ingest Modules + +After case is created, one or more disk images can be added to the case. There is a wizard to guide that process and it is located in the org.sleuthkit.autopsy.casemodule package. Refer to the package section \ref casemodule_add_image for more details on the wizard. Most developers will not need to touch this code though. 
An important concept though is that adding an image to a case means that Autopsy uses The Sleuth Kit to enumerate all of the files in the file system and make a database entry for them in the embedded SQLite database that was created for the case. The database will be used for all further analysis. + +After image has been added to the case, the user can select one or more ingest modules to be executed on the image. Ingest modules focus on a specific type of analysis task and run in the background. They either analyze the entire disk image or individual files. The user will see the results from the modules in the result tree and in the ingest inbox. + +The org.sleuthkit.autopsy.ingest package provides the basic infrastructure for the ingest module management. + +If you want to develop a module that analyzes drive data, then this is probably the type of module that you want to build. See \ref mod_ingest_page for more details on making an ingest module. + + +\section design_view Viewing Results + +The UI has three main areas. The tree on the left-hand side, the result viewers in the upper right, and the content viewers in the lower right. Data passes between these areas by encapsulating them in Netbeans Node objects (see org.openide.nodes.Node). These allow Autopsy to generically handle all types of data. The org.sleuthkit.autopsy.datamodel package wraps the generic org.sleuthkit.datamodel Sleuth Kit objects as Netbeans Nodes. + +Nodes are modeled in a parent-child hierarchy with other nodes. All data within a Case is represented in a hierarchy with the disk images being one level below the case and volumes and such below the image. + +The tree on the left hand-side shows the analysis results. +Its contents are populated from the central database. +This is where you can browse the file system contents and see the results from the blackboard. + +The tree is implemented in the org.sleuthkit.autopsy.directorytree package. 
+ +The area in the upper right is the result viewer area. When a node is selected from the tree, the node and its children are sent to this area. This area is used to view a set of nodes. The viewer is itself a framework with modules that display the data in different layouts. For example, the standard version comes with a table viewer and a thumbnail viewer. Refer to \ref mod_result_page for details on building a data result module. + +When an item is selected from the result viewer area, it is passed to the bottom right content viewers. It too is a framework with many modules that know how to show information about a specific file in different ways. For example, there are viewers that show the data in a hex dump format, extract the strings, and display pictures and movies. +See \ref mod_content_page for details on building new content viewers. + +\section design_report Report generation + +When ingest is complete, the user can generate reports. +There is a reporting framework to enable many different formats. Autopsy currently comes with generic html, xml and Excel reports. See the org.sleuthkit.autopsy.report package for details on the framework and +\ref mod_report_page for details on building a new report module. + + + + + +*/ From 6930328197c81eeba1cbaefe0fb44158989d2357 Mon Sep 17 00:00:00 2001 From: "Samuel H. Kenyon" Date: Wed, 29 Jan 2014 13:49:24 -0500 Subject: [PATCH 2/8] Added createInstanceUninitialized() method. --- .../autopsy/corecomponents/DataResultPanel.java | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java b/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java index d243bab86b..54320b707b 100644 --- a/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java +++ b/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java 
@@ -134,6 +134,23 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C return newDataResult; } + /** + * Factory method to create, customize and open a new custom data result panel. + * Does NOT call open(). Client must manually initialize by calling open(). + * + * @param title Title of the result panel + * @param pathText Descriptive text about the source of the nodes displayed + * @param givenNode The new root node + * @param totalMatches Cardinality of root node's children + * @return a new DataResultPanel instance representing a custom data result viewer + */ + public static DataResultPanel createInstanceUninitialized(String title, String pathText, Node givenNode, int totalMatches) { + DataResultPanel newDataResult = new DataResultPanel(false, title); + + createInstanceCommon(pathText, givenNode, totalMatches, newDataResult); + return newDataResult; + } + /** * Factory method to create, customize and open a new custom data result panel. * From e3e8d72c7a941c7e89998e025094430a2834443b Mon Sep 17 00:00:00 2001 From: "Samuel H. Kenyon" Date: Wed, 29 Jan 2014 13:50:23 -0500 Subject: [PATCH 3/8] whitespace? --- .../docs/text-content-viewer.html | 60 +++++++++---------- .../docs/thumbnail-results-viewer.html | 42 ++++++------- 2 files changed, 51 insertions(+), 51 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/corecomponents/docs/text-content-viewer.html b/Core/src/org/sleuthkit/autopsy/corecomponents/docs/text-content-viewer.html index 31260ae9cb..966fbd0753 100644 --- a/Core/src/org/sleuthkit/autopsy/corecomponents/docs/text-content-viewer.html +++ b/Core/src/org/sleuthkit/autopsy/corecomponents/docs/text-content-viewer.html @@ -1,30 +1,30 @@ - - - - Text View - - - - -
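Review bot: The Javadoc summary on the new `createInstanceUninitialized` contradicts the sentence right after it: it says the factory will "create, customize and open" the panel, then says it does NOT call open(). Since the summary line is what IDE tooltips show, it should match the behaviour, e.g. `* Factory method to create and customize a new custom data result panel without opening it.` followed by `* Unlike the opening variant below, this does not call open(); the caller must call open() before the panel is usable.` The body itself mirrors the opening factory minus the open() call, which looks correct.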

Text View

-

- Text Content Viewer uses the keyword search index that may have been populated during - Image Ingest. - If a file has text stored in the index, then this tab will be enabled and it will be displayed to the user if a file or a result associated with a file is selected. -

-

- This tab may have more text on it than the "String View", which relies on searching the file for text-looking data. - Some files, like PDF, will not have text-looking data at the byte-level, but the keyword indexing process knows how to interpret a PDF file and produce text. - For the files the indexer knows about, there may be the METADATA section at the end of the displayed extracted text. - If an indexed document contains any metadata (such as creation date, author, etc), it will be displayed there. - Note that, unlike the "String View", the Text View does not have its built-in settings for the script/language to use for extracted strings. - This is because the script/language is used at indexing time, and that setting is associated with the Keyword Search indexer, not the viewer. -

-

- If this tab is not enabled, then either the file has no text or you did not enable Keyword Search as an ingest module. - Note that this viewer is also used to display highlighted keyword hits when operated in the "Search Matches" mode, - selected on the right-hand side of the viewer's toolbar. -

- Text View - - + + + + Text View + + + + +

Text View

+

+ Text Content Viewer uses the keyword search index that may have been populated during + Image Ingest. + If a file has text stored in the index, then this tab will be enabled and it will be displayed to the user if a file or a result associated with a file is selected. +

+

+ This tab may have more text on it than the "String View", which relies on searching the file for text-looking data. + Some files, like PDF, will not have text-looking data at the byte-level, but the keyword indexing process knows how to interpret a PDF file and produce text. + For the files the indexer knows about, there may be the METADATA section at the end of the displayed extracted text. + If an indexed document contains any metadata (such as creation date, author, etc), it will be displayed there. + Note that, unlike the "String View", the Text View does not have its built-in settings for the script/language to use for extracted strings. + This is because the script/language is used at indexing time, and that setting is associated with the Keyword Search indexer, not the viewer. +

+

+ If this tab is not enabled, then either the file has no text or you did not enable Keyword Search as an ingest module. + Note that this viewer is also used to display highlighted keyword hits when operated in the "Search Matches" mode, + selected on the right-hand side of the viewer's toolbar. +

+ Text View + + diff --git a/Core/src/org/sleuthkit/autopsy/corecomponents/docs/thumbnail-results-viewer.html b/Core/src/org/sleuthkit/autopsy/corecomponents/docs/thumbnail-results-viewer.html index 87cdcd9440..986b786d29 100644 --- a/Core/src/org/sleuthkit/autopsy/corecomponents/docs/thumbnail-results-viewer.html +++ b/Core/src/org/sleuthkit/autopsy/corecomponents/docs/thumbnail-results-viewer.html @@ -1,22 +1,22 @@ - - - - Thumbnail Results Viewer - - - - -

Thumbnail Results Viewer

-

- Thumbnail Results Viewer displays the data catalog as a table of thumbnail images in adjustable sizes. - This viewer only supports picture file(s) (Currently, only supports JPG, GIF, and PNG formats). - Click the Thumbnail tab to select this view. - Note that for a large number of images in a directory selected in the Data Explorer, or for a View selected that contains - a large number of images, it might take a while to populate this view for the first time before the images are cached. -

- -

Example

-

Below is an example of "Thumbnail Results Viewer" window:

- Example of Thumbnail Results Viewer Tab - + + + + Thumbnail Results Viewer + + + + +

Thumbnail Results Viewer

+

+ Thumbnail Results Viewer displays the data catalog as a table of thumbnail images in adjustable sizes. + This viewer only supports picture file(s) (Currently, only supports JPG, GIF, and PNG formats). + Click the Thumbnail tab to select this view. + Note that for a large number of images in a directory selected in the Data Explorer, or for a View selected that contains + a large number of images, it might take a while to populate this view for the first time before the images are cached. +

+ +

Example

+

Below is an example of "Thumbnail Results Viewer" window:

+ Example of Thumbnail Results Viewer Tab + \ No newline at end of file From 53c088a00258c1cb5bd77a2fc6f1931903af0e18 Mon Sep 17 00:00:00 2001 From: "Samuel H. Kenyon" Date: Thu, 30 Jan 2014 13:58:03 -0500 Subject: [PATCH 4/8] Added overload for new createInstanceUninitialized() method. --- .../corecomponents/DataResultPanel.java | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java b/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java index 54320b707b..bfe00c8038 100644 --- a/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java +++ b/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java @@ -169,6 +169,26 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C return newDataResult; } + + /** + * Factory method to create, customize and open a new custom data result panel. + * Does NOT call open(). Client must manually initialize by calling open(). + * + * @param title Title of the component window + * @param pathText Descriptive text about the source of the nodes displayed + * @param givenNode The new root node + * @param totalMatches Cardinality of root node's children + * @param dataContent a handle to data content to send selection events to + * @return a new DataResultPanel instance representing a custom data result viewer + */ + public static DataResultPanel createInstanceUninitialized(String title, String pathText, Node givenNode, int totalMatches, DataContent dataContent) { + DataResultPanel newDataResult = new DataResultPanel(title, dataContent); + + createInstanceCommon(pathText, givenNode, totalMatches, newDataResult); + return newDataResult; + } + + /** * Common code for factory helper methods * @param pathText From bb85548e67e71f1a2eb25e9f4fbb396ab8e928bf Mon Sep 17 00:00:00 2001 
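Review bot: The Javadoc on the new five-argument `createInstanceUninitialized` repeats the contradiction of "create, customize and open" followed by "Does NOT call open()"; the summary line should read `* Factory method to create and customize a new custom data result panel without opening it.` The `@param dataContent` tag should also state what a null argument means: the overload delegates to the `DataResultPanel(String, DataContent)` constructor, and the selection handler elsewhere in this file appears to fall back to the default DataContent from Lookup when the custom viewer is null, so either document that fallback in the tag or add `Objects.requireNonNull(dataContent, "dataContent");` if it is not intended. The HTML hunks preceding this one on the same line are whitespace-only.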
From: "Samuel H. Kenyon" Date: Thu, 30 Jan 2014 17:10:04 -0500 Subject: [PATCH 5/8] Allow using DataResultPanel without a content viewer. --- .../corecomponents/DataResultPanel.java | 68 +++++++++++++------ 1 file changed, 47 insertions(+), 21 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java b/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java index bfe00c8038..249f73264d 100644 --- a/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java +++ b/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java @@ -68,7 +68,8 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C private static final Logger logger = Logger.getLogger(DataResultPanel.class.getName() ); private boolean listeningToTabbedPane = false; - + private boolean defaultContent = true; + /** * Creates new DataResultPanel * Default constructor, needed mostly for the palette/UI builder @@ -99,7 +100,28 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C this.isMain = isMain; this.title = title; } + + + /** + * Creates data result panel + * + * @param isMain whether it is the main panel associated with the main window, + * clients will almost always use false + * @param title title string to be displayed + * @param defaultContent Flag to indicate if the default content viewer should + * be used (if a custom one is not provided) + */ + DataResultPanel(boolean isMain, String title, boolean defaultContent) { + this(); + + setName(title); + this.isMain = isMain; + this.title = title; + this.defaultContent = defaultContent; + } + + /** * Create a new, custom data result panel, in addition to the application * main one and links with a custom data content panel. 
@@ -110,7 +132,7 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C */ DataResultPanel(String title, DataContent customContentViewer) { this(false, title); - + setName(title); //custom content viewer tc to setup for every result viewer @@ -142,10 +164,12 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C * @param pathText Descriptive text about the source of the nodes displayed * @param givenNode The new root node * @param totalMatches Cardinality of root node's children + * @param defaultContent Flag to indicate if the default content viewer should + * be used (if a custom one is not provided) * @return a new DataResultPanel instance representing a custom data result viewer */ - public static DataResultPanel createInstanceUninitialized(String title, String pathText, Node givenNode, int totalMatches) { - DataResultPanel newDataResult = new DataResultPanel(false, title); + public static DataResultPanel createInstanceUninitialized(String title, String pathText, Node givenNode, int totalMatches, boolean defaultContent) { + DataResultPanel newDataResult = new DataResultPanel(false, title, defaultContent); createInstanceCommon(pathText, givenNode, totalMatches, newDataResult); return newDataResult; 
@@ -287,30 +311,32 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C if (evt.getPropertyName().equals(ExplorerManager.PROP_SELECTED_NODES)) { setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR)); - - // If a custom DataContent object has not been specified, get the default instance. + + // If a custom DataContent object has not been specified, + // AND the defaultContent flag is set, get the default instance. DataContent contentViewer = customContentViewer; - if (null == contentViewer) { + if ((contentViewer == null) && defaultContent) { contentViewer = Lookup.getDefault().lookup(DataContent.class); } try { - Node[] selectedNodes = explorerManager.getSelectedNodes(); - for (UpdateWrapper drv : viewers) { - drv.setSelectedNodes(selectedNodes); - } + if (contentViewer != null) { + Node[] selectedNodes = explorerManager.getSelectedNodes(); + for (UpdateWrapper drv : viewers) { + drv.setSelectedNodes(selectedNodes); + } - // Passing null signals that either multiple nodes are selected, or no nodes are selected. - // This is important to the DataContent object, since the content mode (area) of the app is designed - // to show only the content underlying a single Node. - if (selectedNodes.length == 1) { - contentViewer.setNode(selectedNodes[0]); - } - else { - contentViewer.setNode(null); + // Passing null signals that either multiple nodes are selected, or no nodes are selected. + // This is important to the DataContent object, since the content mode (area) of the app is designed + // to show only the content underlying a single Node. + if (selectedNodes.length == 1) { + contentViewer.setNode(selectedNodes[0]); + } + else { + contentViewer.setNode(null); + } } - } - finally { + } finally { setCursor(null); } } From d366a634ce80d5a8be7d3a7fa87dc29bc904586d Mon Sep 17 00:00:00 2001 
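Review bot: Moving the `drv.setSelectedNodes(selectedNodes)` loop inside the new `if (contentViewer != null)` block means the result viewers in `viewers` stop receiving selection updates whenever no content viewer is resolved, although only the two `contentViewer.setNode(...)` calls actually need one. The loop should stay unconditional and only the setNode calls should be guarded, as below. Patch 7 later in this series removes the `defaultContent` flag but keeps this guard, so the regression would still trigger if `Lookup.getDefault().lookup(DataContent.class)` returns null. The enclosing listener method begins and ends outside this hunk.
```java
try {
    Node[] selectedNodes = explorerManager.getSelectedNodes();
    // The result viewers must always see the new selection, whether or not
    // a content viewer is available.
    for (UpdateWrapper drv : viewers) {
        drv.setSelectedNodes(selectedNodes);
    }

    // Passing null signals that either multiple nodes are selected, or no nodes are selected.
    // Only the content viewer is optional here.
    if (contentViewer != null) {
        contentViewer.setNode(selectedNodes.length == 1 ? selectedNodes[0] : null);
    }
} finally {
    setCursor(null);
}
```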
From: "Samuel H. Kenyon" Date: Thu, 6 Feb 2014 17:11:16 -0500 Subject: [PATCH 6/8] Make DataResultViewerTable class public. --- .../sleuthkit/autopsy/corecomponents/DataResultViewerTable.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultViewerTable.java b/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultViewerTable.java index 5723151e53..6cde1ad2a2 100644 --- a/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultViewerTable.java +++ b/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultViewerTable.java @@ -55,7 +55,7 @@ import org.sleuthkit.autopsy.corecomponentinterfaces.DataResultViewer; // service provider when DataResultViewers can be made compatible with node // multiple selection actions. //@ServiceProvider(service = DataResultViewer.class) - class DataResultViewerTable extends AbstractDataResultViewer { + public class DataResultViewerTable extends AbstractDataResultViewer { private String firstColumnLabel = "Name"; private Set propertiesAcc = new LinkedHashSet<>(); From c3ce0d73117017bdf8682090a2fa9a1443182ba1 Mon Sep 17 00:00:00 2001 From: "Samuel H. Kenyon" Date: Thu, 6 Feb 2014 17:55:08 -0500 Subject: [PATCH 7/8] Revert some recent additions that are not actually useful. --- .../corecomponents/DataResultPanel.java | 45 +------------------ 1 file changed, 2 insertions(+), 43 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java b/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java index 249f73264d..25030b6362 100644 --- a/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java +++ b/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java 
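Review bot: Making `DataResultViewerTable` public turns it into API for other modules, but the hunk adds no class-level Javadoc, and the comment immediately above it still only discusses a commented-out @ServiceProvider registration, so a reader cannot tell whether the class is meant to be instantiated directly or only wired through DataResultPanel. Add a summary before the declaration such as `/** Table-based DataResultViewer; made public so that it can be referenced from outside this package. */`, adjusted to the actual intent. If the goal is instantiation from another package, the constructor visibility (not shown in this hunk) needs checking as well. The class body continues past the hunk.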
@@ -68,7 +68,6 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C private static final Logger logger = Logger.getLogger(DataResultPanel.class.getName() ); private boolean listeningToTabbedPane = false; - private boolean defaultContent = true; /** * Creates new DataResultPanel @@ -101,27 +100,6 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C this.title = title; } - - /** - * Creates data result panel - * - * @param isMain whether it is the main panel associated with the main window, - * clients will almost always use false - * @param title title string to be displayed - * @param defaultContent Flag to indicate if the default content viewer should - * be used (if a custom one is not provided) - */ - DataResultPanel(boolean isMain, String title, boolean defaultContent) { - this(); - - setName(title); - - this.isMain = isMain; - this.title = title; - this.defaultContent = defaultContent; - } - - /** * Create a new, custom data result panel, in addition to the application * main one and links with a custom data content panel. 
@@ -155,26 +133,7 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C
 newDataResult.open();
 return newDataResult;
 }
-
- /**
- * Factory method to create, customize and open a new custom data result panel.
- * Does NOT call open(). Client must manually initialize by calling open().
- *
- * @param title Title of the result panel
- * @param pathText Descriptive text about the source of the nodes displayed
- * @param givenNode The new root node
- * @param totalMatches Cardinality of root node's children
- * @param defaultContent Flag to indicate if the default content viewer should
- * be used (if a custom one is not provided)
- * @return a new DataResultPanel instance representing a custom data result viewer
- */
- public static DataResultPanel createInstanceUninitialized(String title, String pathText, Node givenNode, int totalMatches, boolean defaultContent) {
- DataResultPanel newDataResult = new DataResultPanel(false, title, defaultContent);
-
- createInstanceCommon(pathText, givenNode, totalMatches, newDataResult);
- return newDataResult;
- }
-
+
 /**
 * Factory method to create, customize and open a new custom data result panel.
 *
@@ -315,7 +274,7 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C
 // If a custom DataContent object has not been specified,
 // AND the defaultContent flag is set, get the default instance.
 DataContent contentViewer = customContentViewer;
- if ((contentViewer == null) && defaultContent) {
+ if (contentViewer == null) {
 contentViewer = Lookup.getDefault().lookup(DataContent.class);
 }
From 75961e729426357cbedd0712abfc4ba70e441846 Mon Sep 17 00:00:00 2001
From: "Samuel H. Kenyon"
Date: Thu, 6 Feb 2014 17:59:56 -0500
Subject: [PATCH 8/8] Cleanup some comments and whitespace.
---
 .../autopsy/corecomponents/DataResultPanel.java | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
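Review bot: The simplified guard `if (contentViewer == null)` in the second hunk still leaves `contentViewer` null when `Lookup.getDefault().lookup(DataContent.class)` finds no registered `DataContent`, and nothing in the hunk reports or handles that case before the viewer is used; the method body continues past the hunk, so whether a later null check exists is not visible here. With the `defaultContent` escape hatch removed this lookup is the only fallback, so a missing provider should at least be surfaced through the class's existing `logger`, e.g. after the lookup: `if (contentViewer == null) { logger.log(Level.WARNING, "No DataContent viewer registered; selection will not be displayed"); }` (adding `import java.util.logging.Level;` if it is not already present). Whatever follows the hunk must then tolerate the null, and presumably also restore the cursor that this listener sets to WAIT earlier in the method — confirm against the full method.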
diff --git a/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java b/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java index 25030b6362..eb5ecf409b 100644 --- a/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java +++ b/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultPanel.java @@ -68,7 +68,7 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C private static final Logger logger = Logger.getLogger(DataResultPanel.class.getName() ); private boolean listeningToTabbedPane = false; - + /** * Creates new DataResultPanel * Default constructor, needed mostly for the palette/UI builder @@ -99,7 +99,7 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C this.isMain = isMain; this.title = title; } - + /** * Create a new, custom data result panel, in addition to the application * main one and links with a custom data content panel. @@ -110,7 +110,6 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C */ DataResultPanel(String title, DataContent customContentViewer) { this(false, title); - setName(title); //custom content viewer tc to setup for every result viewer @@ -133,7 +132,7 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C newDataResult.open(); return newDataResult; } - + /** * Factory method to create, customize and open a new custom data result panel. * 
@@ -271,8 +270,7 @@ public class DataResultPanel extends javax.swing.JPanel implements DataResult, C
 if (evt.getPropertyName().equals(ExplorerManager.PROP_SELECTED_NODES)) {
 setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR));
- // If a custom DataContent object has not been specified,
- // AND the defaultContent flag is set, get the default instance.
+ // If a custom DataContent object has not been specified, get the default instance.
 DataContent contentViewer = customContentViewer;
 if (contentViewer == null) {
 contentViewer = Lookup.getDefault().lookup(DataContent.class);