diff --git a/thirdparty/rr-full/plugins/adoberdr.pl b/thirdparty/rr-full/plugins/adoberdr.pl index 2cca397981..35e5a8f412 100644 --- a/thirdparty/rr-full/plugins/adoberdr.pl +++ b/thirdparty/rr-full/plugins/adoberdr.pl @@ -4,16 +4,20 @@ # Parse Adobe Reader MRU keys # # Change history +# 20150717 - updated IAW Jason Hale's blog post (see ref), added +# .csv output format # 20120716 - added version 10.0 to @versions # 20100218 - added checks for versions 4.0, 5.0, 9.0 # 20091125 - modified output to make a bit more clear # # References +# http://dfstream.blogspot.com/2015/07/adobe-readers-not-so-crecentfiles.html # # Note: LastWrite times on c subkeys will all be the same, # as each subkey is modified as when a new entry is added # -# copyright 2010 Quantum Analytics Research, LLC +# copyright 2015 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package adoberdr; use strict; @@ -23,7 +27,7 @@ my %config = (hive => "NTUSER\.DAT", hasDescr => 0, hasRefs => 0, osmask => 22, - version => 20120716); + version => 20150717); sub getConfig{return %config} sub getShortDescr { 
@@ -41,14 +45,14 @@ sub pluginmain { my $ntuser = shift; ::logMsg("Launching adoberdr v.".$VERSION); ::rptMsg("adoberdr v.".$VERSION); # banner - ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner my $reg = Parse::Win32Registry->new($ntuser); my $root_key = $reg->get_root_key; ::rptMsg("Adoberdr v.".$VERSION); # First, let's find out which version of Adobe Acrobat Reader is installed my $version; my $tag = 0; - my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0","10\.0","11\.0","12\.0"); + my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0","10\.0","11\.0","12\.0","13\.0","14\.0", "DC"); foreach my $ver (@versions) { my $key_path = "Software\\Adobe\\Acrobat Reader\\".$ver."\\AVGeneral\\cRecentFiles"; if (defined($root_key->get_subkey($key_path))) { @@ -74,10 +78,30 @@ sub pluginmain { $num =~ s/^c//; $arkeys{$num}{lastwrite} = $s->get_timestamp(); $arkeys{$num}{data} = $data; + + eval { + $arkeys{$num}{tDIText} = $s->get_value('tDIText')->get_data(); + }; + + eval { + $arkeys{$num}{sDate} = $s->get_value('sDate')->get_data(); + $arkeys{$num}{sDate} =~ s/^D://; + }; + + eval { + $arkeys{$num}{uFileSize} = $s->get_value('uFileSize')->get_data(); + }; + + eval { + $arkeys{$num}{uPageCount} = $s->get_value('uPageCount')->get_data(); + }; + + } ::rptMsg("Most recent PDF opened: ".gmtime($arkeys{1}{lastwrite})." (UTC)"); - foreach my $k (sort keys %arkeys) { - ::rptMsg(" c".$k." ".$arkeys{$k}{data}); + ::rptMsg("Key name,file name,sDate,uFileSize,uPageCount"); + foreach my $k (sort {$a <=> $b} keys %arkeys) { + ::rptMsg("c".$k.",".$arkeys{$k}{data}.",".$arkeys{$k}{sDate}.",".$arkeys{$k}{uFileSize}.",".$arkeys{$k}{uPageCount}); } } else { diff --git a/thirdparty/rr-full/plugins/all b/thirdparty/rr-full/plugins/all index c9312edbf7..57843dc607 100644 --- a/thirdparty/rr-full/plugins/all +++ b/thirdparty/rr-full/plugins/all 
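Review bot: The new CSV line reads `$arkeys{$k}{sDate}`, `{uFileSize}` and `{uPageCount}` unconditionally, but each is only set when its own eval succeeds, so a cN subkey that lacks one of those values yields "uninitialized value" warnings and a silently empty column. The file name from `{data}` is also written unquoted, so a path containing a comma shifts every later column. Defaulting each optional field, e.g. `my $sdate = defined $arkeys{$k}{sDate} ? $arkeys{$k}{sDate} : "";`, and double-quoting the name field (doubling embedded quotes) keeps the row parseable. pluginmain's body continues outside the hunk.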
@@ -1,6 +1,17 @@ -# 20120528 *ALL* Plugins that apply on any HIVES, alphabetical order +# 20161213 *ALL* Plugins that apply on any HIVES, alphabetical order baseline +del +del_tln +fileless findexes +installedcomp +installer +malware +null regtime +regtime_tln rlo -del \ No newline at end of file +sizes +uninstall +uninstall_tln +wallpaper diff --git a/thirdparty/rr-full/plugins/amcache.pl b/thirdparty/rr-full/plugins/amcache.pl index 9e13227507..8e77b2e6e2 100644 --- a/thirdparty/rr-full/plugins/amcache.pl +++ b/thirdparty/rr-full/plugins/amcache.pl @@ -2,6 +2,8 @@ # amcache.pl # # Change history +# 20170315 - added output for Product Name and File Description values +# 20160818 - added check for value 17 # 20131218 - fixed bug computing compile time # 20131213 - updated # 20131204 - created @@ -9,7 +11,7 @@ # References # http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html # -# Copyright (c) 2013 QAR, LLC +# Copyright (c) 2017 QAR, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package amcache; @@ -21,7 +23,7 @@ my %config = (hive => "amcache", hasRefs => 1, osmask => 22, category => "program execution", - version => 20131218); + version => 20170315); my $VERSION = getVersion(); # Functions # @@ -62,8 +64,9 @@ sub pluginmain { if (scalar(@sk) > 0) { foreach my $s (@sk) { ::rptMsg("File Reference: ".$s->get_name()); + ::rptMsg("LastWrite : ".gmtime($s->get_timestamp())." Z"); # update 20131213: based on trial and error, it appears that not all file -# references will have all of the values, such as Path, or SHA-1 +# references will have all of the values, such as Path, or SHA-1 eval { ::rptMsg("Path : ".$s->get_value("15")->get_data()); }; 
@@ -72,6 +75,18 @@ sub pluginmain { ::rptMsg("Company Name : ".$s->get_value("1")->get_data()); }; + eval { + ::rptMsg("Product Name : ".$s->get_value("0")->get_data()); + }; + + eval { + ::rptMsg("File Descr : ".$s->get_value("c")->get_data()); + }; + + eval { + ::rptMsg("Lang Code : ".$s->get_value("3")->get_data()); + }; + eval { ::rptMsg("SHA-1 : ".$s->get_value("101")->get_data()); }; @@ -79,21 +94,26 @@ sub pluginmain { eval { @t = unpack("VV",$s->get_value("11")->get_data()); $gt = gmtime(::getTime($t[0],$t[1])); - ::rptMsg("Last Mod Time : ".$gt); + ::rptMsg("Last Mod Time : ".$gt." Z"); + }; + + eval { + @t = unpack("VV",$s->get_value("17")->get_data()); + $gt = gmtime(::getTime($t[0],$t[1])); + ::rptMsg("Last Mod Time2: ".$gt." Z"); }; eval { @t = unpack("VV",$s->get_value("12")->get_data()); $gt = gmtime(::getTime($t[0],$t[1])); - ::rptMsg("Create Time : ".$gt); + ::rptMsg("Create Time : ".$gt." Z"); }; eval { $gt = gmtime($s->get_value("f")->get_data()); # $gt = gmtime(unpack("V",$s->get_value("f")->get_data())); - ::rptMsg("Compile Time : ".$gt); + ::rptMsg("Compile Time : ".$gt." Z"); }; - ::rptMsg(""); } } diff --git a/thirdparty/rr-full/plugins/appcompatcache.pl b/thirdparty/rr-full/plugins/appcompatcache.pl index ae978efa53..332a31838a 100644 --- a/thirdparty/rr-full/plugins/appcompatcache.pl +++ b/thirdparty/rr-full/plugins/appcompatcache.pl @@ -2,6 +2,10 @@ # appcompatcache.pl # # History: +# 20160528 - updated code to not de-dup entries based on filename +# 20160217 - updated to correctly support Win10 +# 20150611 - mod'd for Kevin Pagano +# 20150429 - updated to support Win10 # 20140724 - update based on data provided by Shafik Punja # 20130801 - added initial Win8 support; very alpha at the moment # 20130603 - updated alerts 
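Review bot: The new value-17 block labels its timestamp `Last Mod Time2`, which does not tell the analyst how it differs from the value-11 `Last Mod Time` printed just above it; a short comment such as `# value 17: second modification timestamp - interpretation per <REFERENCE-PLACEHOLDER>, confirm` or a more descriptive label would prevent the two being conflated in a report. The value-11, 17 and 12 blocks repeat the same unpack/::getTime/gmtime sequence and could share a small helper taking the value name and label. Dropping the trailing `::rptMsg("")` also removes the blank separator between file references; if that is intended it is worth a line in the change history. pluginmain continues outside the hunk.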
@@ -15,14 +19,16 @@ # 20120418 - created # # References: +# https://binaryforay.blogspot.com/2016/05/appcompatcacheparser-v0900-released-and.html # Blog post: https://blog.mandiant.com/archives/2459 # Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf # Tool: https://github.com/mandiant/ShimCacheParser +# Win10: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html # # This plugin is based solely on the work and examples provided by Mandiant; # thanks to them for sharing this information, and making the plugin possible. # -# copyright 2013 Quantum Analytics Research, LLC +# copyright 2016 Quantum Analytics Research, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package appcompatcache; @@ -36,11 +42,11 @@ my %config = (hive => "System", hasDescr => 0, hasRefs => 0, osmask => 31, #XP - Win7 - version => 20140724); + version => 20160528); sub getConfig{return %config} sub getShortDescr { - return "Parse files from System hive Shim Cache"; + return "Parse files from System hive AppCompatCache"; } sub getDescr{} sub getRefs {} @@ -49,6 +55,7 @@ sub getVersion {return $config{version};} my $VERSION = getVersion(); my %files; +my $str = ""; sub pluginmain { my $class = shift; 
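Review bot: The `osmask => 31, #XP - Win7` line keeps its stale comment even though the plugin now dispatches on the Win8 (0x80) and Win10 (0x30) signatures; updating it, e.g. `osmask => 31, #XP - Win10`, keeps the config block honest. `my $str = "";` is introduced at file scope but, from what is visible, it is only assigned and printed inside pluginmain's output loop, so a `my` local to that loop would do.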
@@ -75,13 +82,18 @@ sub pluginmain { eval { $app_data = $appcompat->get_subkey("AppCompatibility")->get_value("AppCompatCache")->get_data(); + ::rptMsg($appcompat_path."\\AppCompatibility"); + ::rptMsg("LastWrite Time: ".gmtime($appcompat->get_subkey("AppCompatibility")->get_timestamp())." Z"); }; eval { $app_data = $appcompat->get_subkey("AppCompatCache")->get_value("AppCompatCache")->get_data(); + ::rptMsg($appcompat_path."\\AppCompatCache"); + ::rptMsg("LastWrite Time: ".gmtime($appcompat->get_subkey("AppCompatCache")->get_timestamp())." Z"); }; # ::rptMsg("Length of data: ".length($app_data)); +# probe($app_data); my $sig = unpack("V",substr($app_data,0,4)); ::rptMsg(sprintf "Signature: 0x%x",$sig); 
@@ -102,31 +114,37 @@ sub pluginmain { } elsif ($sig == 0x80) { - ::rptMsg("Possible Win8 system\."); - ::rptMsg(sprintf "Data Length: 0x%08x",length($app_data)); +# ::rptMsg("Possible Win8 system\."); +# ::rptMsg(sprintf "Data Length: 0x%08x",length($app_data)); appWin8($app_data); # probe($app_data); } + elsif ($sig == 0x30) { +# Windows 10 system + appWin10($app_data); + } else { ::rptMsg(sprintf "Unknown signature: 0x%x",$sig); } # this is where we print out the files foreach my $f (keys %files) { - ::rptMsg($f); +# ::rptMsg($f); -# Warnings and alerts, updated 20130603 -# alertCheckPath($f); -# alertCheckADS($f); -# ::alertMsg("WARN: appcompatcache: use of cacls\.exe found: ".$f) if ($f =~ m/cacls\.exe$/); + my $modtime = $files{$f}{modtime}; + if ($modtime == 0) { + $modtime = ""; + } + else { + $modtime = gmtime($modtime)." Z"; + } - ::rptMsg("ModTime: ".gmtime($files{$f}{modtime})." Z"); - ::rptMsg("UpdTime: ".gmtime($files{$f}{updtime})." Z") if (exists $files{$f}{updtime}); - ::rptMsg("Size : ".$files{$f}{size}." bytes") if (exists $files{$f}{size}); - ::rptMsg("Executed") if (exists $files{$f}{executed}); - ::rptMsg(""); + $str = $files{$f}(unknown)." ".$modtime; + $str .= " ".gmtime($files{$f}{updtime})." Z" if (exists $files{$f}{updtime}); + $str .= " ".$files{$f}{size}." bytes" if (exists $files{$f}{size}); + $str .= " Executed" if (exists $files{$f}{executed}); + ::rptMsg($str); } - } else { ::rptMsg($appcompat_path." not found."); @@ -160,9 +178,10 @@ sub appXP32Bit { my ($up1,$up2) = unpack("VV",substr($x,544,8)); my $updtime = ::getTime($up1,$up2); - $files{$file}{size} = $sz; - $files{$file}{modtime} = $modtime; - $files{$file}{updtime} = $updtime; + $files{$i}(unknown) = $file; + $files{$i}{size} = $sz; + $files{$i}{modtime} = $modtime; + $files{$i}{updtime} = $updtime; } } #----------------------------------------------------------- 
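Review bot: Now that `%files` is keyed by entry index rather than file name, `foreach my $f (keys %files)` prints the cache entries in Perl's hash order, so the position ordering that the index was introduced to preserve is lost in the report; `foreach my $f (sort {$a <=> $b} keys %files) {` restores it, and the same loop in appcompatcache_tln.pl's pluginmain needs the same change. As rendered here the name field is written as `$files{$f}(unknown)` in this and the following hunks, which is not valid Perl hash-subscript syntax; this looks like a rendering artefact for a subscript such as `{filename}` and should be confirmed against the repository file. pluginmain's body continues outside the hunk.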
@@ -196,13 +215,10 @@ sub appWin2k3 { $file =~ s/\00//g; $file =~ s/^\\\?\?\\//; my $t = ::getTime($t0,$t1); -# ::rptMsg($file); -# ::rptMsg(" LastMod: ".gmtime($t)." Z"); -# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2)); -# ::rptMsg(""); - $files{$file}{modtime} = $t; + $files{$i}(unknown) = $file; + $files{$i}{modtime} = $t; # $files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3)); - $files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2)); + $files{$i}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2)); } elsif ($struct_sz == 32) { my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvVVVVVVV",$struct); @@ -210,18 +226,13 @@ sub appWin2k3 { $file =~ s/\00//g; $file =~ s/^\\\?\?\\//; my $t = ::getTime($t0,$t1); -# ::rptMsg($file); -# ::rptMsg(" LastMod: ".gmtime($t)." Z"); -# ::rptMsg(" Size : ".$f0) if (($f1 == 0) && ($f0 > 3)); -# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2)); -# ::rptMsg(""); - $files{$file}{modtime} = $t; - $files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3)); - $files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2)); + $files{$i}(unknown) = $file; + $files{$i}{modtime} = $t; + $files{$i}{size} = $f0 if (($f1 == 0) && ($f0 > 3)); + $files{$i}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2)); } else { - - +# } } } @@ -256,12 +267,9 @@ sub appWin7 { $file =~ s/\00//g; $file =~ s/^\\\?\?\\//; my $t = ::getTime($t0,$t1); -# ::rptMsg($file); -# ::rptMsg(" LastModTime: ".gmtime($t)." Z"); -# ::rptMsg(" [Executed]") if ($f0 & 0x2); -# ::rptMsg(""); - $files{$file}{modtime} = $t; - $files{$file}{executed} = 1 if ($f0 & 0x2); + $files{$i}(unknown) = $file; + $files{$i}{modtime} = $t; + $files{$i}{executed} = 1 if ($f0 & 0x2); } else { my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvV7x16",$struct); 
@@ -269,12 +277,9 @@ sub appWin7 { $file =~ s/\00//g; $file =~ s/^\\\?\?\\//; my $t = ::getTime($t0,$t1); -# ::rptMsg($file); -# ::rptMsg(" LastModTime: ".gmtime($t)." Z"); -# ::rptMsg(" [Executed]") if ($f0 & 0x2); -# ::rptMsg(""); - $files{$file}{modtime} = $t; - $files{$file}{executed} = 1 if ($f0 & 0x2); + $files{$i}(unknown) = $file; + $files{$i}{modtime} = $t; + $files{$i}{executed} = 1 if ($f0 & 0x2); } } } @@ -286,7 +291,7 @@ sub appWin8 { my $data = shift; my $len = length($data); my ($jmp, $t0, $t1, $sz, $name); - + my $ct = 0; my $ofs = unpack("V",substr($data,0,4)); while($ofs < $len) { @@ -298,9 +303,9 @@ sub appWin8 { $sz = unpack("v",substr($data,$ofs + 20,2)); $name = substr($data,$ofs + 22,$sz); $name =~ s/\00//g; - - $files{$name}{modtime} = ::getTime($t0,$t1); - + $files{$ct}(unknown) = $name; + $files{$ct}{modtime} = ::getTime($t0,$t1); + $ct++; $ofs += ($jmp + 12); } # 64-bit @@ -309,10 +314,10 @@ sub appWin8 { $sz = unpack("v",substr($data,$ofs + 0x0C,2)); $name = substr($data,$ofs + 0x0E,$sz + 2); $name =~ s/\00//g; - ($t0,$t1) = unpack("VV",substr($data,($ofs + 0x0E + $sz +2 + 8),8)); - $files{$name}{modtime} = ::getTime($t0,$t1); - + $files{$ct}(unknown) = $name; + $files{$ct}{modtime} = ::getTime($t0,$t1); + $ct++; $ofs += ($jmp + 12); } else { 
@@ -320,7 +325,35 @@ sub appWin8 { } } +} +#----------------------------------------------------------- +# appWin10() +# Ref: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html +#----------------------------------------------------------- +sub appWin10 { + my $data = shift; + my $len = length($data); + my ($tag, $sz, $t0, $t1, $name, $name_len); + my $ct = 0; + my $ofs = 0x30; + + while ($ofs < $len) { + $tag = substr($data,$ofs,4); + if ($tag eq "10ts") { + + $sz = unpack("V",substr($data,$ofs + 0x08,4)); + $name_len = unpack("v",substr($data,$ofs + 0x0c,2)); + my $name = substr($data,$ofs + 0x0e,$name_len); + $name =~ s/\00//g; +# ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x03 + $name_len,8)); + ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x0e + $name_len,8)); + $files{$ct}(unknown) = $name; + $files{$ct}{modtime} = ::getTime($t0,$t1); + $ct++; + $ofs += ($sz + 0x0c); + } + } } #----------------------------------------------------------- @@ -405,21 +438,6 @@ sub printData { } $display[$cnt] = sprintf("0x%08X %-50s %s",$cnt,$lhs,$rhs); -# my @str1 = split(//,unpack("H*",$seg)); -# my @s3; -# my $str = ""; -# foreach my $i (0..($n - 1)) { -# $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; -# -# if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) { -# $str .= chr(hex($s3[$i])); -# } -# else { -# $str .= "\."; -# } -# } -# my $h = join(' ',@s3); -# $display[$cnt] = sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h; } return @display; } diff --git a/thirdparty/rr-full/plugins/appcompatcache_tln.pl b/thirdparty/rr-full/plugins/appcompatcache_tln.pl index 16ef5aab59..e349d09320 100644 --- a/thirdparty/rr-full/plugins/appcompatcache_tln.pl +++ b/thirdparty/rr-full/plugins/appcompatcache_tln.pl 
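Review bot: In the new appWin10, `$ofs` only advances inside the `if ($tag eq "10ts")` branch, so any 4-byte tag that is not `10ts` (truncated data, padding, a future format change) leaves `$ofs` unchanged and `while ($ofs < $len)` never terminates; the loop should stop or report on an unexpected tag, e.g. `else { ::rptMsg(sprintf "appWin10: unexpected tag at offset 0x%x",$ofs); last; }`. `$sz` and `$name_len` are also used in substr without checking that `$ofs + 0x0e + $name_len + 8` stays within `$len`, so a corrupt entry reads past the data and produces undefined timestamps. The commented-out `0x03 + $name_len` line is a leftover and can go. The same appWin10 loop is added to appcompatcache_tln.pl in the hunk ending at `sub alertCheckPath`, and the appWin8 copy added there has the same non-advancing `else` branch for an unknown tag.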
@@ -2,25 +2,33 @@ # appcompatcache_tln.pl # # History: -# 20130509 - added additional alert/warn checks +# 20160528 - updated code to not de-dup entries based on filename +# 20160217 - updated to correctly support Win10 +# 20150611 - mod'd for Kevin Pagano +# 20150429 - updated to support Win10 +# 20140724 - update based on data provided by Shafik Punja +# 20130801 - added initial Win8 support; very alpha at the moment +# 20130603 - updated alerts +# 20130509 - added additional alerts/warnings # 20130425 - added alertMsg() functionality -# 20120817 - updated to address extra data in XP data blocks -# 20120722 - updated %config hash -# 20120523 - created; updated from appcompatcache.pl +# 20120817 - updated to address issue with residual data in XP data blocks +# 20120722 - updated the %config hash # 20120523 - updated to send all files to a single hash, and check for temp paths # 20120515 - Updated to support 64-bit Win2003 and Vista/Win2008 # 20120424 - Modified/updated # 20120418 - created # # References: +# https://binaryforay.blogspot.com/2016/05/appcompatcacheparser-v0900-released-and.html # Blog post: https://blog.mandiant.com/archives/2459 # Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf # Tool: https://github.com/mandiant/ShimCacheParser +# Win10: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html # # This plugin is based solely on the work and examples provided by Mandiant; # thanks to them for sharing this information, and making the plugin possible. # -# copyright 2012 Quantum Analytics Research, LLC +# copyright 2016 Quantum Analytics Research, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package appcompatcache_tln; 
@@ -34,11 +42,11 @@ my %config = (hive => "System", hasDescr => 0, hasRefs => 0, osmask => 31, #XP - Win7 - version => 20130509); + version => 20160528); sub getConfig{return %config} sub getShortDescr { - return "Parse files from System hive Shim Cache"; + return "Parse files from System hive AppCompatCache"; } sub getDescr{} sub getRefs {} @@ -47,11 +55,14 @@ sub getVersion {return $config{version};} my $VERSION = getVersion(); my %files; +my $str = ""; sub pluginmain { my $class = shift; my $hive = shift; ::logMsg("Launching appcompatcache_tln v.".$VERSION); + ::rptMsg("appcompatcache_tln v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner my $reg = Parse::Win32Registry->new($hive); my $root_key = $reg->get_root_key; # First thing to do is get the ControlSet00x marked current...this is @@ -71,15 +82,20 @@ sub pluginmain { eval { $app_data = $appcompat->get_subkey("AppCompatibility")->get_value("AppCompatCache")->get_data(); + ::rptMsg($appcompat_path."\\AppCompatibility"); + ::rptMsg("LastWrite Time: ".gmtime($appcompat->get_subkey("AppCompatibility")->get_timestamp())." Z"); }; eval { $app_data = $appcompat->get_subkey("AppCompatCache")->get_value("AppCompatCache")->get_data(); + ::rptMsg($appcompat_path."\\AppCompatCache"); + ::rptMsg("LastWrite Time: ".gmtime($appcompat->get_subkey("AppCompatCache")->get_timestamp())." Z"); }; # ::rptMsg("Length of data: ".length($app_data)); +# probe($app_data); my $sig = unpack("V",substr($app_data,0,4)); -# ::rptMsg(sprintf "Signature: 0x%x",$sig); + ::rptMsg(sprintf "Signature: 0x%x",$sig); if ($sig == 0xdeadbeef) { eval { 
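Review bot: The banner, key path, `LastWrite Time` and now-uncommented `Signature` lines go through `::rptMsg` in a `_tln` plugin whose remaining output is `time|REG|||desc` records; if this output is consumed by a timeline parser those lines are not in that format, so they should probably stay commented out or go through `::logMsg` as the original did. `my $str = "";` is also added at file scope, but pluginmain's output loop in the next hunk declares its own `my $str;`, so the file-scoped one is never used here. pluginmain continues in the next hunk.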
@@ -97,26 +113,32 @@ sub pluginmain { }; } + elsif ($sig == 0x80) { +# ::rptMsg("Possible Win8 system\."); +# ::rptMsg(sprintf "Data Length: 0x%08x",length($app_data)); + appWin8($app_data); +# probe($app_data); + + } + elsif ($sig == 0x30) { +# Windows 10 system + appWin10($app_data); + } else { - ::rptMsg("Unknown signature"); + ::rptMsg(sprintf "Unknown signature: 0x%x",$sig); } # this is where we print out the files foreach my $f (keys %files) { my $str; if (exists $files{$f}{executed}) { - $str = "M... [Program Execution] AppCompatCache - ".$f; + $str = "M... [Program Execution] AppCompatCache - ".$files{$f}(unknown); } else { - $str = "M... AppCompatCache - ".$f; + $str = "M... AppCompatCache - ".$files{$f}(unknown); } $str .= " [Size = ".$files{$f}{size}." bytes]" if (exists $files{$f}{size}); -# $str .= " [Executed]" if (exists $files{$f}{executed}); + $str .= " [Executed]" if (exists $files{$f}{executed}); ::rptMsg($files{$f}{modtime}."|REG|||".$str); - -# added 20130603 - alertCheckPathTLN($f,$files{$f}{modtime}); - alertCheckADSTLN($f,$files{$f}{modtime}); - ::alertMsg($files{$f}{modtime}."|WARN|||Use of calcs\.exe. appcompatcache_tln: ".$f) if ($f =~ m/cacls\.exe$/); } } else { @@ -151,14 +173,10 @@ sub appXP32Bit { my ($up1,$up2) = unpack("VV",substr($x,544,8)); my $updtime = ::getTime($up1,$up2); -# ::rptMsg($file); -# ::rptMsg("Size : ".$sz." bytes"); -# ::rptMsg("ModTime: ".gmtime($modtime)." Z"); -# ::rptMsg("UpdTime: ".gmtime($updtime)." Z"); -# ::rptMsg(""); - $files{$file}{size} = $sz; - $files{$file}{modtime} = $modtime; - $files{$file}{updtime} = $updtime; + $files{$i}(unknown) = $file; + $files{$i}{size} = $sz; + $files{$i}{modtime} = $modtime; + $files{$i}{updtime} = $updtime; } } #----------------------------------------------------------- 
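Review bot: The timeline record still uses `$files{$f}{modtime}` directly, so an entry whose timestamp is zero (which appcompatcache.pl now special-cases) is emitted as a `0|REG|||...` event dated 1970; `next if ($files{$f}{modtime} == 0);` or an empty time field would avoid a misleading event. Removing the `alertCheckPathTLN`/`alertCheckADSTLN` calls also drops the ALERT records for temp, recycle and ADS paths; if that is intended it belongs in the change history, since analysts relying on those alerts will no longer see them. pluginmain's body continues outside the hunk.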
@@ -192,12 +210,10 @@ sub appWin2k3 { $file =~ s/\00//g; $file =~ s/^\\\?\?\\//; my $t = ::getTime($t0,$t1); -# ::rptMsg($file); -# ::rptMsg(" LastMod: ".gmtime($t)." Z"); -# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2)); -# ::rptMsg(""); - $files{$file}{modtime} = $t; - $files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2)); + $files{$i}(unknown) = $file; + $files{$i}{modtime} = $t; +# $files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3)); + $files{$i}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2)); } elsif ($struct_sz == 32) { my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvVVVVVVV",$struct); @@ -205,18 +221,13 @@ sub appWin2k3 { $file =~ s/\00//g; $file =~ s/^\\\?\?\\//; my $t = ::getTime($t0,$t1); -# ::rptMsg($file); -# ::rptMsg(" LastMod: ".gmtime($t)." Z"); -# ::rptMsg(" Size : ".$f0) if (($f1 == 0) && ($f0 > 3)); -# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2)); -# ::rptMsg(""); - $files{$file}{modtime} = $t; - $files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3)); - $files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2)); + $files{$i}(unknown) = $file; + $files{$i}{modtime} = $t; + $files{$i}{size} = $f0 if (($f1 == 0) && ($f0 > 3)); + $files{$i}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2)); } else { - - +# } } } @@ -251,12 +262,9 @@ sub appWin7 { $file =~ s/\00//g; $file =~ s/^\\\?\?\\//; my $t = ::getTime($t0,$t1); -# ::rptMsg($file); -# ::rptMsg(" LastModTime: ".gmtime($t)." Z"); -# ::rptMsg(" [Executed]") if ($f0 & 0x2); -# ::rptMsg(""); - $files{$file}{modtime} = $t; - $files{$file}{executed} = 1 if ($f0 & 0x2); + $files{$i}(unknown) = $file; + $files{$i}{modtime} = $t; + $files{$i}{executed} = 1 if ($f0 & 0x2); } else { my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvV7x16",$struct); 
@@ -264,12 +272,81 @@ sub appWin7 { $file =~ s/\00//g; $file =~ s/^\\\?\?\\//; my $t = ::getTime($t0,$t1); -# ::rptMsg($file); -# ::rptMsg(" LastModTime: ".gmtime($t)." Z"); -# ::rptMsg(" [Executed]") if ($f0 & 0x2); -# ::rptMsg(""); - $files{$file}{modtime} = $t; - $files{$file}{executed} = 1 if ($f0 & 0x2); + $files{$i}(unknown) = $file; + $files{$i}{modtime} = $t; + $files{$i}{executed} = 1 if ($f0 & 0x2); + } + } +} + +#----------------------------------------------------------- +# appWin8() +#----------------------------------------------------------- +sub appWin8 { + my $data = shift; + my $len = length($data); + my ($jmp, $t0, $t1, $sz, $name); + my $ct = 0; + my $ofs = unpack("V",substr($data,0,4)); + + while($ofs < $len) { + my $tag = unpack("V",substr($data,$ofs,4)); +# 32-bit + if ($tag == 0x73746f72) { + $jmp = unpack("V",substr($data,$ofs + 8,4)); + ($t0,$t1) = unpack("VV",substr($data,$ofs + 12,8)); + $sz = unpack("v",substr($data,$ofs + 20,2)); + $name = substr($data,$ofs + 22,$sz); + $name =~ s/\00//g; + $files{$ct}(unknown) = $name; + $files{$ct}{modtime} = ::getTime($t0,$t1); + $ct++; + $ofs += ($jmp + 12); + } +# 64-bit + elsif ($tag == 0x73743030 || $tag == 0x73743031) { + $jmp = unpack("V",substr($data,$ofs + 8,4)); + $sz = unpack("v",substr($data,$ofs + 0x0C,2)); + $name = substr($data,$ofs + 0x0E,$sz + 2); + $name =~ s/\00//g; + ($t0,$t1) = unpack("VV",substr($data,($ofs + 0x0E + $sz +2 + 8),8)); + $files{$ct}(unknown) = $name; + $files{$ct}{modtime} = ::getTime($t0,$t1); + $ct++; + $ofs += ($jmp + 12); + } + else { +# Unknown tag + } + + } +} + +#----------------------------------------------------------- +# appWin10() +# Ref: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html +#----------------------------------------------------------- +sub appWin10 { + my $data = shift; + my $len = length($data); + my ($tag, $sz, $t0, $t1, $name, $name_len); + my $ct = 0; + my $ofs = 0x30; + + while ($ofs < $len) { + $tag 
= substr($data,$ofs,4); + if ($tag eq "10ts") { + + $sz = unpack("V",substr($data,$ofs + 0x08,4)); + $name_len = unpack("v",substr($data,$ofs + 0x0c,2)); + my $name = substr($data,$ofs + 0x0e,$name_len); + $name =~ s/\00//g; +# ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x03 + $name_len,8)); + ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x0e + $name_len,8)); + $files{$ct}(unknown) = $name; + $files{$ct}{modtime} = ::getTime($t0,$t1); + $ct++; + $ofs += ($sz + 0x0c); } } } @@ -277,16 +354,15 @@ sub appWin7 { #----------------------------------------------------------- # alertCheckPath() #----------------------------------------------------------- -sub alertCheckPathTLN { +sub alertCheckPath { my $path = shift; - my $tln = shift; $path = lc($path); my @alerts = ("recycle","globalroot","temp","system volume information","appdata", "application data"); foreach my $a (@alerts) { if (grep(/$a/,$path)) { - ::alertMsg($tln."|ALERT|||appcompatcache_tln: ".$a." found in path: ".$path); + ::alertMsg("ALERT: appcompatcache: ".$a." found in path: ".$path); } } } 
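Review bot: After the call removal in pluginmain, the renamed `alertCheckPath` (and `alertCheckADS` in the next hunk) is no longer called anywhere in this file, and its message now reads `ALERT: appcompatcache:` although this is the _tln plugin; either drop the two subs or keep the TLN-formatted messages and their call sites. If they are kept, `if ($path =~ m/\Q$a\E/)` states the intent more directly than `grep(/$a/,$path)` on a single scalar.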
@@ -294,11 +370,70 @@ sub alertCheckPathTLN { #----------------------------------------------------------- # alertCheckADS() #----------------------------------------------------------- -sub alertCheckADSTLN { +sub alertCheckADS { my $path = shift; - my $tln = shift; my @list = split(/\\/,$path); my $last = $list[scalar(@list) - 1]; - ::alertMsg($tln."|ALERT|||appcompatcache_tln: Poss. ADS found in path: ".$path) if grep(/:/,$last); + ::alertMsg("ALERT: appcompatcache: Poss. ADS found in path: ".$path) if grep(/:/,$last); } -1; + + +#----------------------------------------------------------- +# probe() +# +# Code the uses printData() to insert a 'probe' into a specific +# location and display the data +# +# Input: binary data of arbitrary length +# Output: Nothing, no return value. Displays data to the console +#----------------------------------------------------------- +sub probe { + my $data = shift; + my @d = printData($data); + + foreach (0..(scalar(@d) - 1)) { + print $d[$_]."\n"; + } +} + +#----------------------------------------------------------- +# printData() +# subroutine used primarily for debugging; takes an arbitrary +# length of binary data, prints it out in hex editor-style +# format for easy debugging +#----------------------------------------------------------- +sub printData { + my $data = shift; + my $len = length($data); + + my @display = (); + + my $loop = $len/16; + $loop++ if ($len%16); + + foreach my $cnt (0..($loop - 1)) { +# How much is left? + my $left = $len - ($cnt * 16); + + my $n; + ($left < 16) ? ($n = $left) : ($n = 16); + + my $seg = substr($data,$cnt * 16,$n); + my $lhs = ""; + my $rhs = ""; + foreach my $i ($seg =~ m/./gs) { +# This loop is to process each character at a time. + $lhs .= sprintf(" %02X",ord($i)); + if ($i =~ m/[ -~]/) { + $rhs .= $i; + } + else { + $rhs .= "."; + } + } + $display[$cnt] = sprintf("0x%08X %-50s %s",$cnt,$lhs,$rhs); + + } + return @display; +} +1; \ No newline at end of file 
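Review bot: In the added printData, the left column of each dump row is produced by `sprintf("0x%08X %-50s %s",$cnt,$lhs,$rhs)`, which prints the row index rather than the byte offset, so the third row is labelled 0x00000002 instead of 0x00000020; `$cnt * 16` is what a reader of a hex dump expects. `my $loop = $len/16; $loop++ if ($len%16);` also relies on the range operator truncating a fractional value; `int($len/16)` makes the intent explicit. probe writes with `print` rather than `::rptMsg`, so its output bypasses the report; that is reasonable for a debugging hook but deserves a comment saying so.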
diff --git a/thirdparty/rr-full/plugins/appcompatflags.pl b/thirdparty/rr-full/plugins/appcompatflags.pl index bcf5823cd7..c3ea9c49b0 100644 --- a/thirdparty/rr-full/plugins/appcompatflags.pl +++ b/thirdparty/rr-full/plugins/appcompatflags.pl @@ -76,8 +76,6 @@ sub pluginmain { "Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers", "Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers"); - - foreach my $key_path (@paths) { # If AppCompatFlags path exists # if ($key = $root_key->get_subkey($key_path)) { 
@@ -169,6 +167,60 @@ sub pluginmain { # ::rptMsg($key_path." not found\."); } } + +# Added check for use of AppCompat DB for persistence +# 21051021, H. Carvey + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom"; + if ($key = $root_key->get_subkey($key_path)){ + my @subkeys = $key->get_list_of_subkeys($key); + if (scalar @subkeys > 0) { + foreach my $sk (@subkeys) { + ::rptMsg("Key name: ".$sk->get_name()); + ::rptMsg("LastWrite time: ".gmtime($sk->get_timestamp())); + + my @vals = $sk->get_list_of_values(); + if (scalar @vals > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + my ($t0,$t1) = unpack("VV",$v->get_data()); + my $l = ::getTime($t0,$t1); + my $ts = gmtime($l); + ::rptMsg(" ".$name." ".$ts); + } + } + ::rptMsg(""); + } + } + } + + $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB"; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys($key); + if (scalar @subkeys > 0) { + foreach my $sk (@subkeys) { + my($path, $descr, $ts); + eval { + $descr = $sk->get_value("DatabaseDescription")->get_data(); + ::rptMsg("Description: ".$descr); + }; + + eval { + $path = $sk->get_value("DatabasePath")->get_data(); + ::rptMsg(" Path: ".$path); + }; + + eval { + my ($t0,$t1) = unpack("VV",$sk->get_value("DatabaseInstallTimeStamp")->get_data()); + my $l = ::getTime($t0,$t1); + $ts = gmtime($l); + ::rptMsg(" Install TimeStamp: ".$ts); + }; + + ::rptMsg(""); + + } + } + } } 1; diff --git a/thirdparty/rr-full/plugins/arpcache.pl b/thirdparty/rr-full/plugins/arpcache.pl index 7e129cb33c..b4b8a2a1f2 100644 --- a/thirdparty/rr-full/plugins/arpcache.pl +++ b/thirdparty/rr-full/plugins/arpcache.pl @@ -130,6 +130,6 @@ sub parsePath { } } } - $str =~ s/\00//g; + $str =~ s/\x00//g; return $str; } \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/auditpol.pl b/thirdparty/rr-full/plugins/auditpol.pl index acd7d46849..7f915860cc 100644 
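Review bot: In the new Custom block, `unpack("VV",$v->get_data())` and `::getTime` run outside an eval, whereas the InstalledSDB block below wraps the same parsing in eval, so a Custom value shorter than 8 bytes gives undefined `$t0`/`$t1` and uninitialized-value warnings instead of a skipped entry; `next unless (length($v->get_data()) >= 8);` before the unpack would guard it. The timestamps here are printed without the `Z` suffix the other plugins append to gmtime output, which makes the timezone ambiguous in a combined report. `$key->get_list_of_subkeys($key)` passes the key to its own method, which looks unnecessary, and the comment date `# 21051021, H. Carvey` appears to be a typo for 20151021. pluginmain's body starts outside the hunk.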
--- a/thirdparty/rr-full/plugins/auditpol.pl +++ b/thirdparty/rr-full/plugins/auditpol.pl @@ -1,14 +1,19 @@ #----------------------------------------------------------- # auditpol -# Get the audit policy from the Security hive file -# +# Get the audit policy from the Security hive file (Win7+) +# *Works for Win7 and Win10 at the moment # # History -# 20121128 - updated for later versions of Windows -# 20080327 - created +# 20151202 - created # +# Ref: +# http://www.kazamiya.net/structure/poladtev +# http://www.kazamiya.net/en/poladtev +# http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx # -# copyright 2012 Quantum Analytics Research, LLC +# Equiv: auditpol /get /category:* +# +# copyright 2015 Quantum Analytics Research, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package auditpol; @@ -17,20 +22,16 @@ use strict; my %config = (hive => "Security", hasShortDescr => 1, hasDescr => 0, - hasRefs => 1, + hasRefs => 0, osmask => 22, - version => 20121128); + version => 20151202); sub getConfig{return %config} sub getShortDescr { return "Get audit policy from the Security hive file"; } sub getDescr{} -sub getRefs { - my %refs = ("How To Determine Audit Policies from the Registry" => - "http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246120"); - return %refs; -} +sub getRefs {} sub getHive {return $config{hive};} sub getVersion {return $config{version};} @@ -46,7 +47,7 @@ sub pluginmain { my $hive = shift; ::logMsg("Launching auditpol v.".$VERSION); ::rptMsg("auditpol v.".$VERSION); # banner - ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner my $reg = Parse::Win32Registry->new($hive); my $root_key = $reg->get_root_key; 
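Review bot: `getRefs` is reduced to an empty sub and `hasRefs` set to 0 while the header comment gains three references and the `auditpol /get /category:*` equivalent; keeping those URLs in `getRefs` with `hasRefs => 1` lets the framework surface them rather than only readers of the source. The header note `# *Works for Win7 and Win10 at the moment` would also be more useful as a comment beside the data-length and id checks in pluginmain that enforce it.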
@@ -59,53 +60,169 @@ sub pluginmain { ::rptMsg(""); my $data; + my @policy; eval { $data = $key->get_value("")->get_data(); - ::rptMsg("Length of data: ".length($data)." bytes."); +# ::rptMsg("Length of data: ".length($data)." bytes."); + my $id = unpack("v",substr($data,8,2)); +# ::rptMsg(sprintf "Offset value is: 0x%x",$id); - my @d = printData($data); - foreach (0..(scalar(@d) - 1)) { - ::rptMsg($d[$_]); + if (length($data) == 148 && $id == 0x82) { + @policy = processWin10($data) } - - }; - if ($@) { - ::rptMsg("Error occurred getting data from ".$key_path); - ::rptMsg(" - ".$@); - } - else { -# Check to see if auditing is enabled - my $enabled = unpack("C",substr($data,0,1)); - if ($enabled) { - ::rptMsg("Auditing is enabled."); -# Get audit configuration settings - my @vals = unpack("V*",$data); - ::rptMsg("\tAudit System Events = ".$audit{$vals[1]}); - ::rptMsg("\tAudit Logon Events = ".$audit{$vals[2]}); - ::rptMsg("\tAudit Object Access = ".$audit{$vals[3]}); - ::rptMsg("\tAudit Privilege Use = ".$audit{$vals[4]}); - ::rptMsg("\tAudit Process Tracking = ".$audit{$vals[5]}); - ::rptMsg("\tAudit Policy Change = ".$audit{$vals[6]}); - ::rptMsg("\tAudit Account Management = ".$audit{$vals[7]}); - ::rptMsg("\tAudit Dir Service Access = ".$audit{$vals[8]}); - ::rptMsg("\tAudit Account Logon Events = ".$audit{$vals[9]}); + elsif (length($data) == 138 && $id == 0x78) { + @policy = processWin7($data); } else { - ::rptMsg("**Auditing is NOT enabled."); + my @d = printData($data); + foreach (0..(scalar(@d) - 1)) { + ::rptMsg($d[$_]); + } } - } + + foreach (0..((scalar @policy) - 1)) { + my ($aud,$pol) = split(/;/,$policy[$_],2); + ::rptMsg(sprintf "%-50s %-5s",$aud,$audit{$pol}); + } + }; } else { ::rptMsg($key_path." 
not found."); } } +sub processWin10 { + my $data = shift; + my @win = ("System:Security State Change;".unpack("v",substr($data,0x0c,2)), + "System:Security System Extension;".unpack("v",substr($data,0x0e,2)), + "System:System Integrity;".unpack("v",substr($data,0x10,2)), + "System:IPsec Driver;".unpack("v",substr($data,0x12,2)), + "System:Other System Events;".unpack("v",substr($data,0x14,2)), + "Logon/Logoff:Logon;".unpack("v",substr($data,0x16,2)), + "Logon/Logoff:Logoff;".unpack("v",substr($data,0x18,2)), + "Logon/Logoff:Account Lockout;".unpack("v",substr($data,0x1a,2)), + "Logon/Logoff:IPsec Main Mode;".unpack("v",substr($data,0x1c,2)), + "Logon/Logoff:IPsec Quick Mode;".unpack("v",substr($data,0x1e,2)), + "Logon/Logoff:IPsec Extended Mode;".unpack("v",substr($data,0x20,2)), + "Logon/Logoff:Special Logon;".unpack("v",substr($data,0x22,2)), + "Logon/Logoff:Other Logon/Logoff Events;".unpack("v",substr($data,0x24,2)), + "Logon/Logoff:Network Policy Server;".unpack("v",substr($data,0x26,2)), + "Logon/Logoff:User Device Claims;".unpack("v",substr($data,0x28,2)), + "Logon/Logoff:Group Membership;".unpack("v",substr($data,0x2a,2)), + "Object Access:File System;".unpack("v",substr($data,0x2c,2)), + "Object Access:Registry;".unpack("v",substr($data,0x2e,2)), + "Object Access:Kernel Object;".unpack("v",substr($data,0x30,2)), + "Object Access:SAM;".unpack("v",substr($data,0x32,2)), + "Object Access:Certification Services;".unpack("v",substr($data,0x34,2)), + "Object Access:Application Generated;".unpack("v",substr($data,0x36,2)), + "Object Access:Handle Manipulation;".unpack("v",substr($data,0x38,2)), + "Object Access:File Share;".unpack("v",substr($data,0x3a,2)), + "Object Access:Filtering Platform Packet Drop;".unpack("v",substr($data,0x3c,2)), + "Object Access:Filtering Platform Connection;".unpack("v",substr($data,0x3e,2)), + "Object Access:Other Object Access Events;".unpack("v",substr($data,0x40,2)), + "Object Access:Detailed File 
Share;".unpack("v",substr($data,0x42,2)), + "Object Access:Removable Storage;".unpack("v",substr($data,0x44,2)), + "Object Access:Central Policy Staging;".unpack("v",substr($data,0x46,2)), + "Privilege Use:Sensitive Privilege Use;".unpack("v",substr($data,0x48,2)), + "Privilege Use:Non Sensitive Privilege Use;".unpack("v",substr($data,0x4a,2)), + "Privilege Use:Other Privilege Use Events;".unpack("v",substr($data,0x4c,2)), + "Detailed Tracking:Process Creation;".unpack("v",substr($data,0x4e,2)), + "Detailed Tracking:Process Termination;".unpack("v",substr($data,0x50,2)), + "Detailed Tracking:DPAPI Activity;".unpack("v",substr($data,0x52,2)), + "Detailed Tracking:RPC Events;".unpack("v",substr($data,0x54,2)), + "Detailed Tracking:Plug and Play Events;".unpack("v",substr($data,0x56,2)), + "Policy Change:Audit Policy Change;".unpack("v",substr($data,0x58,2)), + "Policy Change:Authentication Policy Change;".unpack("v",substr($data,0x5a,2)), + "Policy Change:Authorization Policy Change;".unpack("v",substr($data,0x5c,2)), + "Policy Change:MPSSVC Rule-Level Policy Change;".unpack("v",substr($data,0x5e,2)), + "Policy Change:Filtering Platform Policy Change;".unpack("v",substr($data,0x60,2)), + "Policy Change:Other Policy Change Events;".unpack("v",substr($data,0x62,2)), + "Account Management:User Account Management;".unpack("v",substr($data,0x64,2)), + "Account Management:Computer Account Management;".unpack("v",substr($data,0x66,2)), + "Account Management:Security Group Management;".unpack("v",substr($data,0x68,2)), + "Account Management:Distribution Group Management;".unpack("v",substr($data,0x6a,2)), + "Account Management:Application Group Management;".unpack("v",substr($data,0x6c,2)), + "Account Management:Other Account Management Events;".unpack("v",substr($data,0x6e,2)), + "DS Access:Directory Service Access;".unpack("v",substr($data,0x70,2)), + "DS Access:Directory Service Changes;".unpack("v",substr($data,0x72,2)), + "DS Access:Directory Service 
Replication;".unpack("v",substr($data,0x74,2)), + "DS Access:Detailed Directory Service Replication;".unpack("v",substr($data,0x76,2)), + "Account Logon:Credential Validation;".unpack("v",substr($data,0x78,2)), + "Account Logon:Kerberos Service Ticket Operations;".unpack("v",substr($data,0x7a,2)), + "Account Logon:Other Account Logon Events;".unpack("v",substr($data,0x7c,2)), + "Account Logon:Kerberos Authentication Service;".unpack("v",substr($data,0x7e,2))); + + return @win; +} + +sub processWin7 { + my $data = shift; + my @win = ("System:Security State Change;".unpack("v",substr($data,0x0c,2)), + "System:Security System Extension;".unpack("v",substr($data,0x0e,2)), + "System:System Integrity;".unpack("v",substr($data,0x10,2)), + "System:IPsec Driver;".unpack("v",substr($data,0x12,2)), + "System:Other System Events;".unpack("v",substr($data,0x14,2)), + "Logon/Logoff:Logon;".unpack("v",substr($data,0x16,2)), + "Logon/Logoff:Logoff;".unpack("v",substr($data,0x18,2)), + "Logon/Logoff:Account Lockout;".unpack("v",substr($data,0x1a,2)), + "Logon/Logoff:IPsec Main Mode;".unpack("v",substr($data,0x1c,2)), + "Logon/Logoff:IPsec Quick Mode;".unpack("v",substr($data,0x1e,2)), + "Logon/Logoff:IPsec Extended Mode;".unpack("v",substr($data,0x20,2)), + "Logon/Logoff:Special Logon;".unpack("v",substr($data,0x22,2)), + "Logon/Logoff:Other Logon/Logoff Events;".unpack("v",substr($data,0x24,2)), + "Logon/Logoff:Network Policy Server;".unpack("v",substr($data,0x26,2)), + "Object Access:File System;".unpack("v",substr($data,0x28,2)), + "Object Access:Registry;".unpack("v",substr($data,0x2a,2)), + "Object Access:Kernel Object;".unpack("v",substr($data,0x2c,2)), + "Object Access:SAM;".unpack("v",substr($data,0x2e,2)), + "Object Access:Other Object Access Events;".unpack("v",substr($data,0x30,2)), + "Object Access:Certification Services;".unpack("v",substr($data,0x32,2)), + "Object Access:Application Generated;".unpack("v",substr($data,0x34,2)), + "Object Access:Handle 
Manipulation;".unpack("v",substr($data,0x36,2)), + "Object Access:File Share;".unpack("v",substr($data,0x38,2)), + "Object Access:Filtering Platform Packet Drop;".unpack("v",substr($data,0x3a,2)), + "Object Access:Filtering Platform Connection;".unpack("v",substr($data,0x3c,2)), + "Object Access:Detailed File Share;".unpack("v",substr($data,0x3e,2)), + "Privilege Use:Sensitive Privilege Use;".unpack("v",substr($data,0x40,2)), + "Privilege Use:Non Sensitive Privilege Use;".unpack("v",substr($data,0x42,2)), + "Privilege Use:Other Privilege Use Events;".unpack("v",substr($data,0x44,2)), + "Detailed Tracking:Process Creation;".unpack("v",substr($data,0x46,2)), + "Detailed Tracking:Process Termination;".unpack("v",substr($data,0x48,2)), + "Detailed Tracking:DPAPI Activity;".unpack("v",substr($data,0x4a,2)), + "Detailed Tracking:RPC Events;".unpack("v",substr($data,0x4c,2)), + "Policy Change:Audit Policy Change;".unpack("v",substr($data,0x4e,2)), + "Policy Change:Authentication Policy Change;".unpack("v",substr($data,0x50,2)), + "Policy Change:Authorization Policy Change;".unpack("v",substr($data,0x52,2)), + "Policy Change:MPSSVC Rule-Level Policy Change;".unpack("v",substr($data,0x54,2)), + "Policy Change:Filtering Platform Policy Change;".unpack("v",substr($data,0x56,2)), + "Policy Change:Other Policy Change Events;".unpack("v",substr($data,0x58,2)), + "Account Management:User Account Management;".unpack("v",substr($data,0x5a,2)), + "Account Management:Computer Account Management;".unpack("v",substr($data,0x5c,2)), + "Account Management:Security Group Management;".unpack("v",substr($data,0x5e,2)), + "Account Management:Distribution Group Management;".unpack("v",substr($data,0x60,2)), + "Account Management:Application Group Management;".unpack("v",substr($data,0x62,2)), + "Account Management:Other Account Management Events;".unpack("v",substr($data,0x64,2)), + "DS Access:Directory Service Access;".unpack("v",substr($data,0x66,2)), + "DS Access:Directory Service 
Changes;".unpack("v",substr($data,0x68,2)), + "DS Access:Directory Service Replication;".unpack("v",substr($data,0x6a,2)), + "DS Access:Detailed Directory Service Replication;".unpack("v",substr($data,0x6c,2)), + "Account Logon:Credential Validation;".unpack("v",substr($data,0x6e,2)), + "Account Logon:Kerberos Service Ticket Operations;".unpack("v",substr($data,0x70,2)), + "Account Logon:Other Account Logon Events;".unpack("v",substr($data,0x72,2)), + "Account Logon:Kerberos Authentication Service;".unpack("v",substr($data,0x74,2))); + return @win; +} #----------------------------------------------------------- # printData() # subroutine used primarily for debugging; takes an arbitrary # length of binary data, prints it out in hex editor-style # format for easy debugging +# +# my @d = printData($data); +# foreach (0..(scalar(@d) - 1)) { +# ::rptMsg($d[$_]); +# } #----------------------------------------------------------- sub printData { my $data = shift; diff --git a/thirdparty/rr-full/plugins/banner.pl b/thirdparty/rr-full/plugins/banner.pl index 7225c09929..7ccab617c4 100644 --- a/thirdparty/rr-full/plugins/banner.pl +++ b/thirdparty/rr-full/plugins/banner.pl @@ -83,8 +83,7 @@ sub pluginmain { ::logMsg($key_path." not found."); } -my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - my $key; + $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg($key_path); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); @@ -126,4 +125,4 @@ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/brisv.pl b/thirdparty/rr-full/plugins/brisv.pl index 6b03ba8e6d..8039b0cd21 100644 --- a/thirdparty/rr-full/plugins/brisv.pl +++ b/thirdparty/rr-full/plugins/brisv.pl 
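Review bot: The `eval { ... }` around `$key->get_value("")->get_data()` no longer reports anything when it fails; the removed `if ($@)` block was the only place a missing or unreadable default value became visible in the report, so a Security hive without that value now prints nothing at all after the key path, and a one-line `::rptMsg("Error occurred getting data from ".$key_path.": ".$@) if ($@);` after the eval restores that. Second, `my $id = unpack("v",substr($data,8,2));` runs before the length checks, so data shorter than 10 bytes yields an undefined `$id`; test `length($data) >= 10` first or fold it into the existing `if`/`elsif`. Third, `$audit{$pol}` is printed without checking that `$pol` is a known key of `%audit` (declared outside the hunk), so an unexpected 16-bit value prints as an empty column; `defined $audit{$pol} ? $audit{$pol} : sprintf("0x%x",$pol)` keeps the raw value visible for the analyst. Finally, processWin10 and processWin7 differ only in their category lists and offsets, so a single list of category names walked with a per-version starting offset (or one `name => offset` table per version) would remove the two ~60-line duplicated blocks, though that is a style choice.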
@@ -29,7 +29,7 @@ my %config = (hive => "NTUSER\.DAT", sub getConfig{return %config} sub getShortDescr { - return "Detect artifacts of a Troj\.Brisv\.A infection"; + return "Detect artifacts of a Troj.Brisv.A infection"; } sub getDescr{} sub getRefs {} @@ -67,4 +67,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/bthport.pl b/thirdparty/rr-full/plugins/bthport.pl index c7e1b09ec5..96f2a3769e 100644 --- a/thirdparty/rr-full/plugins/bthport.pl +++ b/thirdparty/rr-full/plugins/bthport.pl @@ -6,10 +6,11 @@ # # Change history # 20130115 - created +# 20170129 - added support for http://www.hexacorn.com/blog/2017/01/29/beyond-good-ol-run-key-part-59/ # # Category: # -# copyright 2013 Quantum Analytics Research, LLC +# copyright 2017 Quantum Analytics Research, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package bthport; @@ -20,7 +21,7 @@ my %config = (hive => "System", hasDescr => 0, hasRefs => 0, osmask => 22, - version => 20130115); + version => 20170129); sub getConfig{return %config} sub getShortDescr { @@ -38,7 +39,7 @@ sub pluginmain { my $hive = shift; ::logMsg("Launching bthport v.".$VERSION); ::rptMsg("bthport v.".$VERSION); # banner -::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner my $reg = Parse::Win32Registry->new($hive); my $root_key = $reg->get_root_key; # First thing to do is get the ControlSet00x marked current...this is 
@@ -91,11 +92,25 @@ sub pluginmain { else { ::rptMsg($cn_path." not found."); } + + my $rs_path = $ccs."\\services\\BTHPORT\\Parameters\\Radio Support"; + my $rs; + if ($rs = $root_key->get_subkey($rs_path)) { + ::rptMsg($rs_path); + ::rptMsg("LastWrite: ".gmtime($rs->get_timestamp())." UTC"); + + eval { + my $spt = $rs->get_value("SupportDLL")->get_data(); + ::rptMsg("SupportDLL = ".$spt); + }; + } + else { + ::rptMsg($rs_path." not found."); + } } else { ::rptMsg($key_path." not found."); } - } 1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/clampi.pl b/thirdparty/rr-full/plugins/clampi.pl index 04fb61e4d3..464784b213 100644 --- a/thirdparty/rr-full/plugins/clampi.pl +++ b/thirdparty/rr-full/plugins/clampi.pl @@ -26,7 +26,7 @@ my %config = (hive => "NTUSER\.DAT", sub getConfig{return %config} sub getShortDescr { - return "TEST - Checks for keys set by Trojan\.Clampi PROT module"; + return "TEST - Checks for keys set by Trojan.Clampi PROT module"; } sub getDescr{} sub getRefs {} @@ -77,8 +77,7 @@ sub pluginmain { ::rptMsg($key_path." not found."); } ::rptMsg(""); - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete"; - my $key; + $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg($key_path); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); @@ -94,8 +93,7 @@ sub pluginmain { ::rptMsg($key_path." not found."); } ::rptMsg(""); - my $key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts"; - my $key; + $key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg($key_path); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); @@ -119,4 +117,4 @@ sub pluginmain { ::rptMsg("PROT module."); } } -1; \ No newline at end of file +1; 
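Review bot: The `eval { my $spt = $rs->get_value("SupportDLL")->get_data(); ... }` block is silent when the value is missing or unreadable, so the report cannot distinguish "no SupportDLL configured" from "lookup failed"; since the referenced post treats this value as a persistence location, print the outcome either way, e.g. `::rptMsg("SupportDLL value not found.") if ($@);` after the eval. The new LastWrite line uses `" UTC"` whereas the other plugins touched in this commit format timestamps as `" (UTC)"`; keep one format so output parsers and readers see a consistent field. pluginmain's body begins before this hunk.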
diff --git a/thirdparty/rr-full/plugins/cmd_shell_u.pl b/thirdparty/rr-full/plugins/cmd_shell_u.pl index 39f6dfd4ab..3c98f8afdf 100644 --- a/thirdparty/rr-full/plugins/cmd_shell_u.pl +++ b/thirdparty/rr-full/plugins/cmd_shell_u.pl @@ -23,7 +23,7 @@ my %config = (hive => "USRCLASS\.DAT", sub getConfig{return %config} sub getShortDescr { - return "Gets shell open cmds for various file types from USRCLASS\.DAT"; + return "Gets shell open cmds for various file types from USRCLASS.DAT"; } sub getDescr{} sub getRefs {} @@ -64,4 +64,4 @@ sub pluginmain { } ::rptMsg(""); } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/cmdproc.pl b/thirdparty/rr-full/plugins/cmdproc.pl index b74ad25438..4a341d108d 100644 --- a/thirdparty/rr-full/plugins/cmdproc.pl +++ b/thirdparty/rr-full/plugins/cmdproc.pl @@ -26,7 +26,7 @@ my %config = (hive => "NTUSER\.DAT", sub getConfig{return %config} sub getShortDescr { - return "Autostart - get Command Processor\\AutoRun value from NTUSER\.DAT hive"; + return "Autostart - get Command Processor\\AutoRun value from NTUSER.DAT hive"; } sub getDescr{} sub getRefs {} @@ -64,4 +64,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/cmdproc_tln.pl b/thirdparty/rr-full/plugins/cmdproc_tln.pl index f6c14bb087..e6dcf94fe0 100644 --- a/thirdparty/rr-full/plugins/cmdproc_tln.pl +++ b/thirdparty/rr-full/plugins/cmdproc_tln.pl @@ -25,7 +25,7 @@ my %config = (hive => "NTUSER\.DAT", sub getConfig{return %config} sub getShortDescr { - return "Autostart - get Command Processor\\AutoRun value from NTUSER\.DAT hive (TLN)"; + return "Autostart - get Command Processor\\AutoRun value from NTUSER.DAT hive (TLN)"; } sub getDescr{} sub getRefs {} @@ -64,4 +64,4 @@ sub pluginmain { # ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; 
diff --git a/thirdparty/rr-full/plugins/comdlg32.pl b/thirdparty/rr-full/plugins/comdlg32.pl index 45555bb766..7eecfaaabf 100644 --- a/thirdparty/rr-full/plugins/comdlg32.pl +++ b/thirdparty/rr-full/plugins/comdlg32.pl @@ -128,9 +128,9 @@ sub parseLastVisitedMRU { @mrulist = split(//,$lvmru{MRUList}); delete($lvmru{MRUList}); foreach my $m (@mrulist) { - my ($file,$dir) = split(/\00\00/,$lvmru{$m},2); - $file =~ s/\00//g; - $dir =~ s/\00//g; + my ($file,$dir) = split(/\x00\x00/,$lvmru{$m},2); + $file =~ s/\x00//g; + $dir =~ s/\x00//g; ::rptMsg(" ".$m." -> EXE: ".$file); ::rptMsg(" -> Last Dir: ".$dir); } @@ -213,8 +213,8 @@ sub parseCIDSizeMRU { delete $mru{0xffffffff}; foreach my $m (sort {$a <=> $b} keys %mru) { # my $file = parseStr($mru{$m}); - my $file = (split(/\00\00/,$mru{$m},2))[0]; - $file =~ s/\00//g; + my $file = (split(/\x00\x00/,$mru{$m},2))[0]; + $file =~ s/\x00//g; ::rptMsg(" ".$file); } } @@ -251,18 +251,18 @@ sub parseFirstFolder { delete $mru{0xffffffff}; foreach my $m (sort {$a <=> $b} keys %mru) { # my $file = parseStr($mru{$m}); - my @files = split(/\00\00/,$mru{$m}); + my @files = split(/\x00\x00/,$mru{$m}); if (scalar(@files) == 0) { ::rptMsg(" No files listed."); } elsif (scalar(@files) == 1) { - $files[0] =~ s/\00//g; + $files[0] =~ s/\x00//g; ::rptMsg(" ".$files[0]); } elsif (scalar(@files) > 1) { my @files2; foreach my $file (@files) { - $file =~ s/\00//g; + $file =~ s/\x00//g; push(@files2,$file); } ::rptMsg(" ".join(' ',@files2)); @@ -305,9 +305,9 @@ sub parseLastVisitedPidlMRU { delete $mru{0xffffffff}; foreach my $m (sort {$a <=> $b} keys %mru) { - my ($file,$shell) = split(/\00\00/,$mru{$m},2); - $file =~ s/\00//g; - $shell =~ s/^\00//; + my ($file,$shell) = split(/\x00\x00/,$mru{$m},2); + $file =~ s/\x00//g; + $shell =~ s/^\x00//; my $str = parseShellItem($shell); ::rptMsg(" ".$file." - ".$str); } 
@@ -497,7 +497,7 @@ sub parseNetworkEntry { my %item = (); $item{type} = unpack("C",substr($data,2,1)); - my @n = split(/\00/,substr($data,4,length($data) - 4)); + my @n = split(/\x00/,substr($data,4,length($data) - 4)); $item{name} = $n[0]; $item{name} =~ s/^\W//; return %item; @@ -537,14 +537,14 @@ sub parseFolderEntry { ($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]); # Need to read in short name; nul-term ASCII -# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0]; +# $item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0]; $ofs_shortname = $ofs_mdate + 6; my $tag = 1; my $cnt = 0; my $str = ""; while($tag) { my $s = substr($data,$ofs_shortname + $cnt,1); - if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { + if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) { $tag = 0; } else { @@ -552,12 +552,12 @@ sub parseFolderEntry { $cnt++; } } -# $str =~ s/\00//g; +# $str =~ s/\x00//g; my $shortname = $str; my $ofs = $ofs_shortname + $cnt + 1; # Read progressively, 1 byte at a time, looking for 0xbeef - my $tag = 1; - my $cnt = 0; + $tag = 1; + $cnt = 0; while ($tag) { if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) { $tag = 0; @@ -573,10 +573,10 @@ sub parseFolderEntry { $ofs = $ofs + $cnt + 2; - my @m = unpack("vv",substr($data,$ofs,4)); + @m = unpack("vv",substr($data,$ofs,4)); ($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]); $ofs += 4; - my @m = unpack("vv",substr($data,$ofs,4)); + @m = unpack("vv",substr($data,$ofs,4)); ($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]); $ofs += 4; @@ -595,10 +595,10 @@ sub parseFolderEntry { $ofs += $jmp; # ::rptMsg(sprintf " Offset: 0x%x",$ofs); - my $str = substr($data,$ofs,length($data) - $ofs); + $str = substr($data,$ofs,length($data) - $ofs); - my $longname = (split(/\00\00/,$str,2))[0]; - $longname =~ s/\00//g; + my $longname = (split(/\x00\x00/,$str,2))[0]; + $longname =~ s/\x00//g; if ($longname ne "") { $item{name} = $longname; 
@@ -697,4 +697,4 @@ sub printData { return @display; } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/comfoo.pl b/thirdparty/rr-full/plugins/comfoo.pl index 4b584b5768..8ea35588f5 100644 --- a/thirdparty/rr-full/plugins/comfoo.pl +++ b/thirdparty/rr-full/plugins/comfoo.pl @@ -58,7 +58,6 @@ sub pluginmain { foreach my $s (@svcs) { $cf_path = $ccs."\\Services\\".$s; - $cf; if ($cf = $root_key->get_subkey($cf_path)) { ::rptMsg($cf_path); ::rptMsg("LastWrite Time ".gmtime($cf->get_subkey("Parameters")->get_timestamp())." (UTC)"); @@ -88,4 +87,4 @@ sub pluginmain { } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/defbrowser.pl b/thirdparty/rr-full/plugins/defbrowser.pl index 2d02410a76..569a9fecc3 100644 --- a/thirdparty/rr-full/plugins/defbrowser.pl +++ b/thirdparty/rr-full/plugins/defbrowser.pl @@ -41,7 +41,8 @@ sub pluginmain { my $root_key = $reg->get_root_key; my $key_path = "Clients\\StartMenuInternet"; - if (my $key = $root_key->get_subkey($key_path)) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { ::rptMsg("Default Browser Check #1"); ::rptMsg($key_path); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); @@ -55,9 +56,8 @@ sub pluginmain { ::rptMsg(""); - my $key_path = "Classes\\HTTP\\shell\\open\\command"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { + $key_path = "Classes\\HTTP\\shell\\open\\command"; + if (my $key = $root_key->get_subkey($key_path)) { ::rptMsg("Default Browser Check #2"); ::rptMsg($key_path); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); @@ -77,4 +77,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/devclass.pl b/thirdparty/rr-full/plugins/devclass.pl index a245622e57..69a8533ad9 100644 --- a/thirdparty/rr-full/plugins/devclass.pl +++ b/thirdparty/rr-full/plugins/devclass.pl 
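Review bot: The two lookups in defbrowser.pl now use opposite conventions: check #1 assigns to the newly introduced `my $key;` while check #2 switches to `if (my $key = $root_key->get_subkey($key_path))`, which declares a second `$key` that shadows the first inside that if/else. Both compile, but the first hunk added the sub-level `my $key;` precisely to avoid redeclaration, so check #2 should use the same form, `if ($key = $root_key->get_subkey($key_path)) {`. pluginmain continues beyond both hunks.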
@@ -56,8 +56,7 @@ sub pluginmain { return } # Get devices from the Disk GUID - my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"; - my $key; + $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg("DevClasses - Disks"); ::rptMsg($key_path); @@ -90,8 +89,7 @@ sub pluginmain { } ::rptMsg(""); # Get devices from the Volume GUID - my $key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"; - my $key; + $key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg("DevClasses - Volumes"); ::rptMsg($key_path); @@ -150,4 +148,4 @@ sub pluginmain { } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/disablelastaccess.pl b/thirdparty/rr-full/plugins/disablelastaccess.pl index 4e233310c5..4048561e8b 100644 --- a/thirdparty/rr-full/plugins/disablelastaccess.pl +++ b/thirdparty/rr-full/plugins/disablelastaccess.pl @@ -48,8 +48,7 @@ sub pluginmain { $ccs = "ControlSet00".$current; } - my $key_path = $ccs."\\Control\\FileSystem"; - my $key; + $key_path = $ccs."\\Control\\FileSystem"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg("NtfsDisableLastAccessUpdate"); ::rptMsg($key_path); @@ -72,4 +71,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/drwatson.pl b/thirdparty/rr-full/plugins/drwatson.pl index 4d63bc0d53..7b95ccf389 100644 --- a/thirdparty/rr-full/plugins/drwatson.pl +++ b/thirdparty/rr-full/plugins/drwatson.pl @@ -57,8 +57,7 @@ sub pluginmain { } ::rptMsg(""); - my $key_path = "Microsoft\\DrWatson"; - my $key; + $key_path = "Microsoft\\DrWatson"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg($key_path); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); 
@@ -76,4 +75,4 @@ sub pluginmain { ::rptMsg("Analysis Tips: For Dr. Watson settings information check: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html"); } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/environment.pl b/thirdparty/rr-full/plugins/environment.pl index 60f97f7a2d..5bfb84f671 100644 --- a/thirdparty/rr-full/plugins/environment.pl +++ b/thirdparty/rr-full/plugins/environment.pl @@ -3,23 +3,23 @@ # Extracts user's Environment paths from NTUSER.DAT # # Change history +# 20150910 - added check for specific value, per Hexacorn blog # 20110830 [fpi] + banner, no change to the version number # # References -# +# http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/ +# # Copyright (c) 2011-02-04 Brendan Coles #----------------------------------------------------------- -# Require # package environment; use strict; -# Declarations # my %config = (hive => "NTUSER\.DAT", hasShortDescr => 1, hasDescr => 0, hasRefs => 0, osmask => 22, - version => 20110204); + version => 20150910); my $VERSION = getVersion(); # Functions # @@ -32,9 +32,6 @@ sub getShortDescr { return "Extracts user's Environment paths from NTUSER.DAT"; } -############################################################ -# pluginmain # -############################################################ sub pluginmain { # Declarations # @@ -43,8 +40,8 @@ sub pluginmain { # Initialize # ::logMsg("Launching environment v.".$VERSION); - ::rptMsg("environment v.".$VERSION); # 20110830 [fpi] + banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + ::rptMsg("environment v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); my $reg = Parse::Win32Registry->new($hive); my $root_key = $reg->get_root_key; my $key; 
@@ -67,23 +64,27 @@ sub pluginmain { # Extract # all key names+values for Environment registry path # foreach my $v (@vals) { - ::rptMsg($v->get_name()." -> ".$v->get_data()); + my $name = $v->get_name(); + ::rptMsg($name." -> ".$v->get_data()); + + if ($name eq "UserInitMprLogonScript") { + ::rptMsg("**ALERT: UserInitMprLogonScript value found: ".$v->get_data()); + } + } # Error # key value is null # - } else { + } + else { ::rptMsg($key_path." has no values."); } # Error # Environment isn't here, try another castle # } else { ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); } - # Return # obligatory new-line # ::rptMsg(""); } - # Error # oh snap! # 1; diff --git a/thirdparty/rr-full/plugins/ide.pl b/thirdparty/rr-full/plugins/ide.pl index 3319969036..43f47c3fee 100644 --- a/thirdparty/rr-full/plugins/ide.pl +++ b/thirdparty/rr-full/plugins/ide.pl @@ -50,8 +50,7 @@ sub pluginmain { return } - my $key_path = $ccs."\\Enum\\IDE"; - my $key; + $key_path = $ccs."\\Enum\\IDE"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg($key_path); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); @@ -84,8 +83,7 @@ sub pluginmain { ::logMsg($key_path." not found."); } - my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"; - my $key; + $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg("DevClasses - Disks"); ::rptMsg($key_path); @@ -122,4 +120,4 @@ sub pluginmain { ::logMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/ie_settings.pl b/thirdparty/rr-full/plugins/ie_settings.pl index 3a8d70aa73..c1063abc80 100644 --- a/thirdparty/rr-full/plugins/ie_settings.pl +++ b/thirdparty/rr-full/plugins/ie_settings.pl 
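Review bot: `if ($name eq "UserInitMprLogonScript")` is a case-sensitive comparison, but Windows matches registry value names case-insensitively, so a value written as `userinitmprlogonscript` or any other casing would still be honoured by the OS yet missed by this alert; compare with `if (lc($name) eq "userinitmprlogonscript") {` so the detection matches what the system actually acts on. pluginmain's body starts before and ends after this hunk.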
@@ -102,8 +102,7 @@ sub pluginmain { # # #----------------------------------------------------------- - my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main\\WindowsSearch'; - my $key; + $key_path = 'Software\\Microsoft\\Internet Explorer\\Main\\WindowsSearch'; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg(""); ::rptMsg($key_path); @@ -152,4 +151,4 @@ sub pluginmain { } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/inprocserver.pl b/thirdparty/rr-full/plugins/inprocserver.pl index 84a876edfa..36f5b9f9b7 100644 --- a/thirdparty/rr-full/plugins/inprocserver.pl +++ b/thirdparty/rr-full/plugins/inprocserver.pl @@ -3,6 +3,7 @@ # # # History +# 20141126 - minor updates # 20141112 - added support for Wow6432Node # 20141103 - updated to include detection for PowerLiks # 20141030 - added GDataSoftware reference @@ -36,7 +37,7 @@ my %config = (hive => "Software","NTUSER\.DAT","USRCLASS\.DAT", hasShortDescr => 1, hasDescr => 0, hasRefs => 0, - version => 20141103); + version => 20141126); sub getConfig{return %config} @@ -61,7 +62,7 @@ sub pluginmain { ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner my $reg = Parse::Win32Registry->new($hive); my $root_key = $reg->get_root_key; - my @paths = ("Classes\\CLSID","Wow6432Node\\Classes\\CLSID","CLSID","Wow6432Node\\CLSID"); + my @paths = ("Classes\\CLSID","Classes\\Wow6432Node\\CLSID","CLSID","Wow6432Node\\CLSID"); foreach my $key_path (@paths) { my $key; if ($key = $root_key->get_subkey($key_path)) { 
@@ -80,10 +81,12 @@ sub pluginmain { my $l = $s->get_subkey("InprocServer32")->get_value("")->get_data(); $l =~ tr/[A-Z]/[a-z]/; - ::rptMsg("Possible Lurk infection found!") unless ($l eq "c:\\windows\\system32\\pngfilt\.dll"); - + if ($l eq "c:\\windows\\system32\\pngfilt\.dll" || $l eq "c:\\windows\\syswow64\\pngfilt\.dll") { + ::rptMsg("Possible Lurk infection found!"); + ::rptMsg(" ".$l); + } } - + eval { my $n = $s->get_subkey("InprocServer32")->get_value("")->get_data(); alertCheckPath($n); @@ -95,9 +98,9 @@ sub pluginmain { eval { my $local = $s->get_subkey("localserver32"); my $powerliks = $local->get_value("")->get_data(); - ::rptMsg($s->get_name()."\\LocalServer32 key found\."); - ::rptMsg(" LastWrite: ".gmtime($local->get_timestamp())); - if ($powerliks =~ m/^rundll32/) { +# ::rptMsg($s->get_name()."\\LocalServer32 key found\."); +# ::rptMsg(" LastWrite: ".gmtime($local->get_timestamp())); + if ($powerliks =~ m/^rundll32 javascript/) { ::rptMsg("**Possible PowerLiks found\."); ::rptMsg(" ".$powerliks); } @@ -123,7 +126,7 @@ sub alertCheckPath { $path =~ tr/[A-Z]/[a-z]/; my @alerts = ("recycle","globalroot","temp","system volume information","appdata", - "application data","c:\\users"); + "application data","programdata","c:\\users"); foreach my $a (@alerts) { if (grep(/$a/,$path)) { diff --git a/thirdparty/rr-full/plugins/itempos.pl b/thirdparty/rr-full/plugins/itempos.pl index e8884fba3e..a1e309196a 100644 --- a/thirdparty/rr-full/plugins/itempos.pl +++ b/thirdparty/rr-full/plugins/itempos.pl @@ -43,7 +43,7 @@ my %config = (hive => "NTUSER\.DAT", sub getConfig{return %config} sub getShortDescr { - return "Shell/Bags/1/Desktop ItemPos* value parsing; Win7 NTUSER\.DAT hives"; + return "Shell/Bags/1/Desktop ItemPos* value parsing; Win7 NTUSER.DAT hives"; } sub getDescr{} sub getRefs {} 
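Review bot: The new condition reports `Possible Lurk infection found!` when the InprocServer32 default value equals the stock `pngfilt.dll` path (system32 or syswow64), which is the opposite sense of the removed line, which fired `unless` the path was pngfilt.dll; please confirm which direction is intended, because if the surrounding check (which starts outside this hunk) examines a CLSID whose legitimate handler is pngfilt.dll, the new condition flags the clean case and stays silent on a hijacked one. Separately, the literals use `\.` inside double quotes (`"c:\\windows\\system32\\pngfilt\.dll"`); Perl passes the unrecognised escape through but warns under `use warnings`, and this same commit removes `\.` from strings in brisv.pl, clampi.pl and others, so write `pngfilt.dll` here too. Since `$l` has been lower-cased with `tr/[A-Z]/[a-z]/` on the context line above, the `eq` comparison itself is already case-insensitive.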
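Review bot: Narrowing the match to `m/^rundll32 javascript/` is sensitive to exact spelling: a LocalServer32 value beginning `rundll32.exe javascript:`, or using different case or spacing, no longer matches, so the tighter pattern trades the old false positives for misses. A tolerant form such as `if ($powerliks =~ m/^rundll32(?:\.exe)?\s+javascript/i) {` keeps the intent without depending on token spacing. Commenting out the `LastWrite` line also removes the only timestamp for this hit; if it was noisy for every CLSID, print it inside the `if` block next to `$powerliks` instead. The eval and loop enclosing this hunk start outside it.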
@@ -98,8 +98,7 @@ sub pluginmain { } # ::rptMsg(""); # The following was added on 20130514 to address Windows XP systems - my $key_path = "Software\\Microsoft\\Windows\\ShellNoRoam\\Bags"; - my $key; + $key_path = "Software\\Microsoft\\Windows\\ShellNoRoam\\Bags"; if ($key = $root_key->get_subkey($key_path)) { my @sk = $key->get_list_of_subkeys(); if (scalar(@sk) > 0) { @@ -229,7 +228,7 @@ sub parseFolderItem { my $str = ""; while($tag) { my $s = substr($data,$ofs_shortname + $cnt,1); - if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { + if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) { $tag = 0; } else { @@ -237,12 +236,12 @@ sub parseFolderItem { $cnt++; } } -# $str =~ s/\00//g; +# $str =~ s/\x00//g; my $shortname = $str; my $ofs = $ofs_shortname + $cnt + 1; # Read progressively, 1 byte at a time, looking for 0xbeef - my $tag = 1; - my $cnt = 0; + $tag = 1; + $cnt = 0; while ($tag) { if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) { $tag = 0; @@ -254,10 +253,10 @@ sub parseFolderItem { $item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2)); $ofs = $ofs + $cnt + 2; - my @m = unpack("vv",substr($data,$ofs,4)); + @m = unpack("vv",substr($data,$ofs,4)); ($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]); $ofs += 4; - my @m = unpack("vv",substr($data,$ofs,4)); + @m = unpack("vv",substr($data,$ofs,4)); ($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]); my $jmp; @@ -274,9 +273,9 @@ sub parseFolderItem { $ofs += $jmp; - my $str = substr($data,$ofs,length($data) - 30); - my $longname = (split(/\00\00/,$str,2))[0]; - $longname =~ s/\00//g; + $str = substr($data,$ofs,length($data) - 30); + my $longname = (split(/\x00\x00/,$str,2))[0]; + $longname =~ s/\x00//g; if ($longname ne "") { $item{name} = $longname; @@ -378,4 +377,4 @@ sub printData { ::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h); } } -1; \ No newline at end of file +1; 
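Review bot: Both `my @m = unpack(...)` lines in the `@@ -254,10 +253,10 @@` hunk of parseFolderItem are demoted to plain assignments, so unless `@m` is declared earlier in the function (not visible in this diff) the file now fails under `use strict` with a "Global symbol requires explicit package name" error; `$str` is different because its `my $str = "";` declaration is visible in the `@@ -229` hunk's context. Keep `my @m = unpack("vv",substr($data,$ofs,4));` on the first of the two and drop `my` only on the second. The `$ofs = 0x08;` demotions in menuorder.pl's parseAugM and parseItem hunks deserve the same check. parseFolderItem starts outside the hunk.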
diff --git a/thirdparty/rr-full/plugins/landesk.pl b/thirdparty/rr-full/plugins/landesk.pl index 579ab18b11..242295cf07 100644 --- a/thirdparty/rr-full/plugins/landesk.pl +++ b/thirdparty/rr-full/plugins/landesk.pl @@ -3,7 +3,11 @@ # parses LANDESK Monitor Logs # # +# https://community.landesk.com/docs/DOC-3249 +# # Change history +# 20160823 - added "Current Duration" parsing +# 20160822 - updated based on client engagement # 20130326 - added Wow6432Node path # 20130214 - updated w/ Logon info # 20090729 - updates, H. Carvey @@ -19,7 +23,7 @@ my %config = (hive => "Software", hasShortDescr => 1, hasDescr => 0, hasRefs => 0, - version => 20130326); + version => 20160823); sub getConfig{return %config} @@ -32,7 +36,7 @@ sub getHive {return $config{hive};} sub getVersion {return $config{version};} my $VERSION = getVersion(); -my %ls; +my (@ts,$d); sub pluginmain { my $class = shift; 
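Review bot: `my (@ts,$d);` introduces two file-scope lexicals where loop-local ones would do: `@ts` is only a scratch buffer reassigned inside each eval of the subkey loop in the later hunk, and `$d` is not referenced anywhere in this commit, so unless it is used elsewhere in the file it is dead. Declaring `my @ts;` inside the `foreach my $s (@subkeys)` loop and dropping `$d` keeps the state next to its single use.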
@@ -53,18 +57,49 @@ sub pluginmain { my @subkeys = $key->get_list_of_subkeys(); if (scalar(@subkeys) > 0) { foreach my $s (@subkeys) { + ::rptMsg($s->get_name()); + ::rptMsg(" LastWrite: ".gmtime($s->get_timestamp())." Z"); + eval { - my $lw = $s->get_timestamp(); -# Push the data into a hash of arrays - push(@{$ls{$lw}},$s->get_name()); + @ts = unpack("VV",$s->get_value("Last Started")->get_data()); + ::rptMsg(" Last Started: ".gmtime(::getTime($ts[0],$ts[1]))." Z"); }; - } - - foreach my $t (reverse sort {$a <=> $b} keys %ls) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$ls{$t}}) { - ::rptMsg(" $item"); - } + + eval { + @ts = unpack("VV",$s->get_value("Last Duration")->get_data()); + my $i = c64($ts[0],$ts[1]); + $i = $i/10000000; + ::rptMsg(" Last Duration: ".$i." sec"); + }; + + eval { + @ts = unpack("VV",$s->get_value("Current Duration")->get_data()); + my $i = c64($ts[0],$ts[1]); + $i = $i/10000000; + ::rptMsg(" Current Duration: ".$i." sec"); + }; + + eval { + @ts = unpack("VV",$s->get_value("Total Duration")->get_data()); + my $i = c64($ts[0],$ts[1]); + $i = $i/10000000; + ::rptMsg(" Total Duration: ".$i." sec"); + }; + + eval { + @ts = unpack("VV",$s->get_value("First Started")->get_data()); + ::rptMsg(" First Started: ".gmtime(::getTime($ts[0],$ts[1]))." Z"); + }; + + eval { + ::rptMsg(" Total Runs: ".$s->get_value("Total Runs")->get_data()); + }; + + eval { + ::rptMsg(" Current User: ".$s->get_value("Current User")->get_data()); + }; + + ::rptMsg(""); } } else { @@ -76,6 +111,7 @@ sub pluginmain { } } + ::rptMsg(""); # update added 20130327 my @paths = ("LANDesk\\Inventory\\LogonHistory\\Logons", "Wow6432Node\\LANDesk\\Inventory\\LogonHistory\\Logons"); @@ -107,4 +143,19 @@ sub pluginmain { } } +# Thanks to David Cowen for sharing this code +sub c64 { + my $n1 = shift; + my $n2 = shift; + + if ($n2 != 0) { + $n2 = ($n2 * 4294967296); + my $n = $n1 + $n2; + return $n; + } + else { + return $n1; + } +} + 1; \ No newline at end of file 
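Review bot: The three Duration eval blocks in the `@@ -53,18 +57,49 @@` hunk repeat the same unpack/c64/divide/report sequence with only the value name and label differing, and the `Last Started`/`First Started` pair repeats likewise. Two small helpers taking the subkey and value name remove the copies, produce byte-identical output, and give the `10000000` divisor one documented home (the code treats the value as a count of 10^-7 s units; that assumption belongs in a comment). pluginmain continues outside the hunk.
```perl
			foreach my $s (@subkeys) {
				::rptMsg($s->get_name());
				::rptMsg("  LastWrite: ".gmtime($s->get_timestamp())." Z");
				_rpt_started($s, "Last Started");
				_rpt_duration($s, $_) for ("Last Duration", "Current Duration", "Total Duration");
				_rpt_started($s, "First Started");
				# … unchanged: Total Runs, Current User, blank line …
			}

# Report a 64-bit timestamp value (two LE 32-bit words handed to ::getTime) as UTC;
# a missing value is skipped silently, as the inline evals did.
sub _rpt_started {
	my ($s, $name) = @_;
	eval {
		my @ts = unpack("VV", $s->get_value($name)->get_data());
		::rptMsg("  ".$name.": ".gmtime(::getTime($ts[0],$ts[1]))." Z");
	};
}

# Report a 64-bit duration value, treated as a count of 10^-7 s units, in seconds.
sub _rpt_duration {
	my ($s, $name) = @_;
	eval {
		my @ts = unpack("VV", $s->get_value($name)->get_data());
		::rptMsg("  ".$name.": ".(c64($ts[0],$ts[1]) / 10000000)." sec");
	};
}
```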
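Review bot: In `sub c64` the `if ($n2 != 0)` branch is redundant, because `$n1 + $n2 * 4294967296` already yields `$n1` when the high word is zero; `return $n1 + $n2 * 4294967296;  # combine low/high 32-bit words` is the whole function. An identical copy is added to landesk_tln.pl in the next file; one shared definition would avoid maintaining two. On a perl built without 64-bit integers the product falls back to a double and loses precision above 2^53, which is worth a comment if such builds are a target.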
diff --git a/thirdparty/rr-full/plugins/landesk_tln.pl b/thirdparty/rr-full/plugins/landesk_tln.pl index 76a4be7dbb..8e627b9a1c 100644 --- a/thirdparty/rr-full/plugins/landesk_tln.pl +++ b/thirdparty/rr-full/plugins/landesk_tln.pl @@ -4,6 +4,7 @@ # # # Change history +# 20160822 - minor updates based on client engagement # 20130214 - updated with Logon info # 20090729 - updates, H. Carvey # @@ -31,7 +32,7 @@ sub getHive {return $config{hive};} sub getVersion {return $config{version};} my $VERSION = getVersion(); -my %ls; +my (@f,$first); sub pluginmain { my $class = shift; @@ -62,17 +63,23 @@ sub pluginmain { $user = "" if ($@); # ::rptMsg($lw."|REG||".$user."|M... LanDesk - ".$name." key last modified"); - +# "Current User" value not included in "First Started" data, as the user value applies only to the +# "Last Started" value eval { - my @f = unpack("VV",$s->get_value("First Started")->get_data()); - my $first = ::getTime($f[0],$f[1]); - ::rptMsg($first."|REG||".$user."|LanDesk - ".$name." First Started"); + @f = unpack("VV",$s->get_value("First Started")->get_data()); + $first = ::getTime($f[0],$f[1]); + ::rptMsg($first."|REG|||LanDesk - ".$name." First Started"); }; eval { - my @f = unpack("VV",$s->get_value("Last Started")->get_data()); - my $first = ::getTime($f[0],$f[1]); - ::rptMsg($first."|REG||".$user."|LanDesk - ".$name." Last Started"); + @f = unpack("VV",$s->get_value("Last Started")->get_data()); + $first = ::getTime($f[0],$f[1]); + + @f = unpack("VV",$s->get_value("Last Duration")->get_data()); + my $i = c64($f[0],$f[1]); + $i = $i/10000000; + + ::rptMsg($first."|REG||".$user."|LanDesk - ".$name." Last Started, Last Duration : ".$i." sec. - Total Runs: ".$s->get_value("Total Runs")->get_data()); }; } } 
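Review bot: In the `Last Started` eval of the `@@ -62,17 +63,23 @@` hunk the `Last Duration` and `Total Runs` lookups now sit in front of the single `::rptMsg`, so a subkey that lacks either value dies out of the eval before anything is printed and the `Last Started` event, which the old code emitted on its own, drops out of the timeline. Compute the optional parts best-effort and append them to the event instead; the output is unchanged when all three values are present. `@f` and `$first` could likewise be loop-local rather than file-scope. pluginmain's loop continues outside the hunk.
```perl
			eval {
				@f = unpack("VV",$s->get_value("Last Started")->get_data());
				$first = ::getTime($f[0],$f[1]);

				# Duration and run count are optional; a missing value must not suppress the Last Started event
				my $dur = "";
				eval {
					@f = unpack("VV",$s->get_value("Last Duration")->get_data());
					$dur = ", Last Duration : ".(c64($f[0],$f[1])/10000000)." sec.";
				};
				my $runs = "";
				eval { $runs = " - Total Runs: ".$s->get_value("Total Runs")->get_data(); };

				::rptMsg($first."|REG||".$user."|LanDesk - ".$name." Last Started".$dur.$runs);
			};
```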
@@ -115,4 +122,19 @@ sub pluginmain { } } +# Thanks to David Cowen for sharing this code +sub c64 { + my $n1 = shift; + my $n2 = shift; + + if ($n2 != 0) { + $n2 = ($n2 * 4294967296); + my $n = $n1 + $n2; + return $n; + } + else { + return $n1; + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/lsasecrets.pl b/thirdparty/rr-full/plugins/lsasecrets.pl index 433c8d389f..602621dc1c 100644 --- a/thirdparty/rr-full/plugins/lsasecrets.pl +++ b/thirdparty/rr-full/plugins/lsasecrets.pl @@ -54,7 +54,7 @@ sub pluginmain { ::rptMsg("CupdTime = ".$cupd); my $o = $key->get_subkey("\$MACHINE\.ACC\\OupdTime")->get_value("")->get_data(); - my @v = unpack("VV",$c); + @v = unpack("VV",$c); my $oupd = gmtime(::getTime($v[0],$v[1])); ::rptMsg("OupdTime = ".$oupd); }; @@ -64,4 +64,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/menuorder.pl b/thirdparty/rr-full/plugins/menuorder.pl index 7e12d6006a..467e9abe8b 100644 --- a/thirdparty/rr-full/plugins/menuorder.pl +++ b/thirdparty/rr-full/plugins/menuorder.pl @@ -167,7 +167,7 @@ sub parseAugM { my $str = ""; while($tag) { my $s = substr($data,0x16 + $cnt,1); - if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { + if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) { $tag = 0; } else { @@ -183,18 +183,18 @@ sub parseAugM { $item{version} = unpack("v",substr($data2,2,2)); my $ext = unpack("v",substr($data2,4,2)); - my $ofs = 0x08; + $ofs = 0x08; # Get creation time values; # my @m = unpack("vv",substr($data,$ofs,4)); $ofs += 4; # Get last access time values -# my @m = unpack("vv",substr($data,$ofs,4)); +# @m = unpack("vv",substr($data,$ofs,4)); $ofs += 4; $ofs += 4; - my $tag = 1; - my $cnt = 0; - my $str = ""; + $tag = 1; + $cnt = 0; + $str = ""; while ($tag) { my $s = substr($data2,$ofs + $cnt,2); if (unpack("v",$s) == 0) { 
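Review bot: The changed line `@v = unpack("VV",$c);` in lsasecrets.pl still unpacks `$c`, the CupdTime data, although the line above reads `$o` from `\$MACHINE.ACC\OupdTime` and `$o` is otherwise unused, so the `OupdTime = ` report presumably repeats the CupdTime timestamp. The commit only drops the `my`; the line should read `@v = unpack("VV",$o);`. The surrounding eval starts outside the hunk.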
@@ -205,15 +205,15 @@ sub parseAugM { $cnt += 2; } } - $str =~ s/\00//g; + $str =~ s/\x00//g; $item{name} = $str; $ofs += $cnt; # ::rptMsg(sprintf " - Ofs: 0x%x Remaining Data: 0x%x",$ofs,$sz - $ofs); if (($sz - $ofs) > 0x10) { my $str = substr($data2,$ofs,$sz - $ofs); - $str =~ s/^\00+//; - my $s = (split(/\00/,$str,2))[0]; + $str =~ s/^\x00+//; + my $s = (split(/\x00/,$str,2))[0]; $item{name} .= " (".$s.")"; } @@ -241,7 +241,7 @@ sub parseItem { my $str = ""; while($tag) { my $s = substr($data,$ofs + $cnt,1); - if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { + if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) { $tag = 0; } else { @@ -258,7 +258,7 @@ sub parseItem { my $ext = unpack("v",substr($data2,4,2)); - my $ofs = 0x08; + $ofs = 0x08; # Get creation time values; # my @m = unpack("vv",substr($data,$ofs,4)); $ofs += 4; @@ -280,9 +280,9 @@ sub parseItem { $ofs += $jmp; - my $tag = 1; - my $cnt = 0; - my $str = ""; + $tag = 1; + $cnt = 0; + $str = ""; while ($tag) { my $s = substr($data2,$ofs + $cnt,2); if (unpack("v",$s) == 0) { @@ -293,7 +293,7 @@ sub parseItem { $cnt += 2; } } - $str =~ s/\00//g; + $str =~ s/\x00//g; $item{name} = $str; $ofs += $cnt; @@ -377,4 +377,4 @@ sub convertDOSDate { -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/mmo.pl b/thirdparty/rr-full/plugins/mmo.pl index 8586b6a59d..06b94c32dc 100644 --- a/thirdparty/rr-full/plugins/mmo.pl +++ b/thirdparty/rr-full/plugins/mmo.pl @@ -72,8 +72,7 @@ sub pluginmain { } # Section added 17 Feb 2013, to address Trojan.Swaylib # - my $key_path = "Software\\Microsoft\\CTF\\LangBarAddIn"; - my $key; + $key_path = "Software\\Microsoft\\CTF\\LangBarAddIn"; if ($key = $root_key->get_subkey($key_path)) { my @subkeys = $key->get_list_of_subkeys(); if (scalar(@subkeys) > 0) { @@ -106,4 +105,4 @@ sub pluginmain { ::rptMsg($key_path." not found\."); } } -1; \ No newline at end of file +1; 
diff --git a/thirdparty/rr-full/plugins/mountdev.pl b/thirdparty/rr-full/plugins/mountdev.pl index dd69aceb92..319f1f2be0 100644 --- a/thirdparty/rr-full/plugins/mountdev.pl +++ b/thirdparty/rr-full/plugins/mountdev.pl @@ -63,7 +63,7 @@ sub pluginmain { } elsif ($len > 12) { - $data =~ s/\00//g; + $data =~ s/\x00//g; push(@{$md{$data}},$v->get_name()); } else { diff --git a/thirdparty/rr-full/plugins/mountdev2.pl b/thirdparty/rr-full/plugins/mountdev2.pl index e010d17e68..075136e774 100644 --- a/thirdparty/rr-full/plugins/mountdev2.pl +++ b/thirdparty/rr-full/plugins/mountdev2.pl @@ -104,7 +104,7 @@ sub pluginmain { $offset{$v->get_name()} = $o; } elsif ($len > 12) { - $data =~ s/\00//g; + $data =~ s/\x00//g; push(@{$md{$data}},$v->get_name()); } else { @@ -120,15 +120,15 @@ sub pluginmain { } ::rptMsg(""); foreach my $v (sort keys %vol) { - next unless ($v =~ m/^\\\?\?\\Volume{/); + next unless ($v =~ m/^\\\?\?\\Volume\{/); my $id = $v; - $id =~ s/^\\\?\?\\Volume{//; + $id =~ s/^\\\?\?\\Volume\{//; $id =~ s/}$//; $id =~ s/-//g; my $l = hex(substr($id,0,8)); my $m = hex(substr($id,8,4)); my $h = hex(substr($id,12,4)) & 0x0fff; - my $h = $m | $h << 16; + $h = $m | $h << 16; my $t = (::getTime($l,$h) - 574819200); ::rptMsg($v); ::rptMsg(" ".gmtime($t)); @@ -141,7 +141,7 @@ sub pluginmain { if ($item =~ m/^\\\?\?\\Volume/) { my $id = $item; - $id =~ s/^\\\?\?\\Volume{//; + $id =~ s/^\\\?\?\\Volume\{//; $id =~ s/}$//; # $id =~ s/-//g; # my $l = hex(substr($id,0,8)); @@ -188,4 +188,4 @@ sub _translateBinary { return join(' ',reverse @list); } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/mp3.pl b/thirdparty/rr-full/plugins/mp3.pl index 3e4ddf92d7..479ada6e5a 100644 --- a/thirdparty/rr-full/plugins/mp3.pl +++ b/thirdparty/rr-full/plugins/mp3.pl 
@@ -92,7 +92,7 @@ sub pluginmain { my $l = hex(substr($id,0,8)); my $m = hex(substr($id,8,4)); my $h = hex(substr($id,12,4)) & 0x0fff; - my $h = $m | $h << 16; + $h = $m | $h << 16; my $t2 = (::getTime($l,$h) - 574819200); ::rptMsg($t2."|REG|Server|User|".$id2." Vol GUID date"); @@ -110,4 +110,4 @@ sub pluginmain { } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/muicache.pl b/thirdparty/rr-full/plugins/muicache.pl index 68de4dfa7d..5dd21847bc 100644 --- a/thirdparty/rr-full/plugins/muicache.pl +++ b/thirdparty/rr-full/plugins/muicache.pl @@ -65,8 +65,7 @@ sub pluginmain { ::rptMsg(""); } # Added for access to USRCLASS.DAT - my $key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache'; - my $key; + $key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache'; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg($key_path); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); @@ -90,4 +89,4 @@ sub pluginmain { } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/muicache_tln.pl b/thirdparty/rr-full/plugins/muicache_tln.pl index 57c12f78cc..2c3c4b6034 100644 --- a/thirdparty/rr-full/plugins/muicache_tln.pl +++ b/thirdparty/rr-full/plugins/muicache_tln.pl @@ -64,8 +64,7 @@ sub pluginmain { # ::rptMsg(""); } # Added for access to USRCLASS.DAT - my $key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache'; - my $key; + $key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache'; if ($key = $root_key->get_subkey($key_path)) { # ::rptMsg($key_path); # ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); @@ -89,4 +88,4 @@ sub pluginmain { } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/networklist.pl b/thirdparty/rr-full/plugins/networklist.pl index 4e1fb05126..ac556d26cd 100644 --- a/thirdparty/rr-full/plugins/networklist.pl +++ b/thirdparty/rr-full/plugins/networklist.pl 
@@ -5,6 +5,7 @@ # # # Change History: +# 20150812 - updated to include Nla\Cache data # 20120917 - updated to include NameType value # 20090812 - updated code to parse DateCreated and DateLastConnected # values; modified output, as well @@ -12,7 +13,8 @@ # # References # -# copyright 2009 H. Carvey, keydet89@yahoo.com +# copyright 2015 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package networklist; use strict; @@ -22,7 +24,7 @@ my %config = (hive => "Software", hasShortDescr => 1, hasDescr => 0, hasRefs => 0, - version => 20120917); + version => 20150812); sub getConfig{return %config} @@ -123,7 +125,7 @@ sub pluginmain { foreach my $n (keys %nl) { my $str = sprintf "%-15s Gateway Mac: ".$nl{$n}{DefaultGatewayMac},$nl{$n}{ProfileName}; ::rptMsg($nl{$n}{ProfileName}); - ::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." UTC"); + ::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." Z"); ::rptMsg(" DateLastConnected: ".$nl{$n}{DateLastConnected}); ::rptMsg(" DateCreated : ".$nl{$n}{DateCreated}); ::rptMsg(" DefaultGatewayMac: ".$nl{$n}{DefaultGatewayMac}); @@ -139,6 +141,18 @@ sub pluginmain { else { ::rptMsg($key_path." not found."); } + ::rptMsg(""); +# Get NLA info + $key_path = $base_path."\\Nla\\Cache\\Intranet"; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + ::rptMsg(sprintf "%-26s %-30s","Date","Domain/IP"); + foreach my $s (@subkeys) { + ::rptMsg(sprintf "%-26s %-30s",gmtime($s->get_timestamp())." Z",$s->get_name()); + } + } + } } diff --git a/thirdparty/rr-full/plugins/networklist_tln.pl b/thirdparty/rr-full/plugins/networklist_tln.pl index dd32d6c549..79d42e8eb2 100644 --- a/thirdparty/rr-full/plugins/networklist_tln.pl +++ b/thirdparty/rr-full/plugins/networklist_tln.pl 
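Review bot: The new `Nla\Cache\Intranet` block in the `@@ -139,6 +141,18 @@` hunk has no `else` branch, unlike the `$key_path." not found."` report directly above it, so an analyst cannot tell a hive without the key from one whose key has no subkeys. Add `else { ::rptMsg($key_path." not found."); }` after the `if`, and consider reporting the empty-subkey case as well. The same omission appears in the networklist_tln.pl hunk in the next file. pluginmain continues outside the hunk.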
@@ -5,6 +5,7 @@ # # # Change History: +# 20150812 - updated to include Nla\Cache data # 20120608 - updated from networklist.pl to add TLN output # 20090812 - updated code to parse DateCreated and DateLastConnected # values; modified output, as well @@ -12,7 +13,7 @@ # # References # -# copyright 2012 Quantum Analytics Research, LLC +# copyright 2015 Quantum Analytics Research, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package networklist_tln; @@ -23,7 +24,7 @@ my %config = (hive => "Software", hasShortDescr => 1, hasDescr => 0, hasRefs => 0, - version => 20120608); + version => 20150812); sub getConfig{return %config} @@ -130,6 +131,18 @@ sub pluginmain { ::rptMsg($nl{$n}{LastWrite}."|REG|||[".$nl{$n}{Type}." Connect] - Last Connected to ".$nl{$n}{ProfileName}." (".$nl{$n}{DefaultGatewayMac}.")"); } + +# Get NLA info + $key_path = $base_path."\\Nla\\Cache\\Intranet"; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($s->get_timestamp()."|REG|||First connected to: ".$s->get_name()); + } + } + } + } else { # ::rptMsg($key_path." has not subkeys"); diff --git a/thirdparty/rr-full/plugins/nic2.pl b/thirdparty/rr-full/plugins/nic2.pl index 7a833f1c5c..946034b584 100644 --- a/thirdparty/rr-full/plugins/nic2.pl +++ b/thirdparty/rr-full/plugins/nic2.pl @@ -1,15 +1,15 @@ #----------------------------------------------------------- # nic2.pl # -# # Change history +# 20150812 - included updates from Yogesh Khatri # 20100401 - created # # References # LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx # T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx # -# copyright 2010 Quantum Analytics Research, LLC +# copyright 2015 Quantum Analytics Research, LLC #----------------------------------------------------------- package nic2; use strict; 
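Review bot: The TLN line `$s->get_timestamp()."|REG|||First connected to: ".$s->get_name()` presents a subkey LastWrite time as the first connection, whereas the non-TLN plugin in the previous file lists the same value neutrally under `Date`. Unless the LastWrite of these subkeys is established to record the first connection, a description that names the source, e.g. `"|REG|||Nla\\Cache\\Intranet - ".$s->get_name()." key LastWrite"`, keeps the timeline entry verifiable against the hive. pluginmain continues outside the hunk.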
@@ -19,7 +19,7 @@ my %config = (hive => "System", hasDescr => 0, hasRefs => 0, osmask => 22, - version => 20100401); + version => 20150812); sub getConfig{return %config} sub getShortDescr { @@ -39,7 +39,7 @@ sub pluginmain { my $ccs; ::logMsg("Launching nic2 v.".$VERSION); ::rptMsg("nic2 v.".$VERSION); # banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner my $reg = Parse::Win32Registry->new($hive); my $root_key = $reg->get_root_key; # First thing to do is get the ControlSet00x marked current...this is @@ -65,10 +65,36 @@ sub pluginmain { my $data = $v->get_data(); $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2"); $data = gmtime($data)." Z" if ($name =~ m/Time$/); + $data = pack("h*",reverse $data) if (uc($name) eq uc("DhcpNetworkHint")); # SSID nibbles reversed //YK ::rptMsg(sprintf " %-28s %-20s",$name,$data); } ::rptMsg(""); }; + # Parse subfolders having similar data for different wifi access points , key name is SSID (nibbles reversed) //YK + my @ssids = $g->get_list_of_subkeys(); + if (scalar @ssids > 0) { + foreach my $ssid (@ssids) { + ::rptMsg("Adapter: ".$g->get_name()."/".$ssid->get_name()); + my $ssid_realname = pack("h*",reverse $ssid->get_name()); + ::rptMsg("SSID Decoded: ".$ssid_realname); + ::rptMsg("LastWrite Time: ".gmtime($ssid->get_timestamp())." Z"); + eval { + my @vals = $ssid->get_list_of_values(); + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); + $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2"); + $data = gmtime($data)." Z" if ($name =~ m/Time$/); + $data = pack("h*",reverse $data) if (uc($name) eq uc("DhcpNetworkHint")); + ::rptMsg(sprintf " %-28s %-20s",$name,$data); + } + ::rptMsg(""); + }; + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } } } else { diff --git a/thirdparty/rr-full/plugins/ntuser b/thirdparty/rr-full/plugins/ntuser index 4d724f2cb3..189ee3c33b 100644 
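Review bot: In `pack("h*",reverse $data)` (and `pack("h*",reverse $ssid->get_name())`) `reverse` is evaluated in list context as one of pack's arguments, so it reverses a one-element list and returns the string unchanged; the `// SSID nibbles reversed` comment therefore describes something the code does not do. If the hint is per-byte nibble-swapped hex, `pack("h*", $data)` alone is the decode (the `h` template reads the low nibble first) and `reverse` should be dropped with the comment corrected; if the whole string is meant to be reversed, `scalar reverse $data` is required and the output would change. The `else` branch prints `$key_path." has no subkeys."` for every adapter without SSID subkeys, naming the parent key rather than `$g->get_name()`, which reads as an error for what is presumably the common case. pluginmain continues outside the hunk.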
--- a/thirdparty/rr-full/plugins/ntuser +++ b/thirdparty/rr-full/plugins/ntuser @@ -1,26 +1,35 @@ -# 20120528 *ALL* Plugins that apply on NTUSER hive, alphabetical order +# 20161213 *ALL* Plugins that apply on NTUSER hive, alphabetical order acmru adoberdr aim aports appcompatflags applets +applets_tln appspecific ares arpcache +attachmgr +attachmgr_tln autoendtasks autorun bitbucket_user brisv +cached +cached_tln cain ccleaner +cdstaginginfo clampi clampitm +cmdproc +cmdproc_tln comdlg32 -compatassist compdesc controlpanel +cortana cpldontload +ddo decaf dependency_walker domains @@ -30,62 +39,98 @@ filehistory gthist gtwhitelist haven_and_hearth +identities +iejava +ie_main ie_settings +ie_zones internet_explorer_cu internet_settings_cu +itempos javafx +kankan +knowndev +latentbot listsoft liveContactsGUID load logonusername +menuorder +mixer +mixer_tln mmc +mmc_tln +mmo mndmru +mndmru_tln mp2 +mp3 mpmru mspaper muicache +muicache_tln nero netassist +ntusernetwork odysseus officedocs officedocs2010 +officedocs2010_tln oisc +olsearch osversion +osversion_tln outlook +outlook2 policies_u printermru printers privoxy +profiler proxysettings publishingwizard putty rdphint +reading_locations realplayer6 realvnc recentdocs +recentdocs_tln +reveton rootkit_revealer runmru +runmru_tln sevenzip +shc +shellbags_xp shellfolders skype snapshot_viewer ssh_host_keys startmenuinternetapps_cu startpage -streammru -streams +startup sysinternals +sysinternals_tln trustrecords +trustrecords_tln tsclient +tsclient_tln typedpaths +typedpaths_tln typedurls typedurlstime +typedurlstime_tln +typedurls_tln unreadmail -user_run -user_win +urun_tln userassist +userassist_tln userinfo userlocsvc +user_run +user_win +vawtrak vista_bitbucket vmplayer vmware_vsphere_client 
@@ -93,11 +138,13 @@ vnchooksapplicationprefs vncviewer wallpaper warcraft3 -winlivemail winlogon_u winrar +winrar2 +winrar_tln +winscp winscp_sessions winvnc winzip wordwheelquery -yahoo_cu \ No newline at end of file +yahoo_cu diff --git a/thirdparty/rr-full/plugins/officedocs.pl b/thirdparty/rr-full/plugins/officedocs.pl index d5c10c5c0b..ba0d57b8fa 100644 --- a/thirdparty/rr-full/plugins/officedocs.pl +++ b/thirdparty/rr-full/plugins/officedocs.pl @@ -67,7 +67,7 @@ sub pluginmain { ::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." (UTC)"); ::rptMsg(""); my $value = $word_key->get_value("Value")->get_data(); - my @data = split(/\00/,$value); + my @data = split(/\x00/,$value); map{::rptMsg("$_");}@data; } else { diff --git a/thirdparty/rr-full/plugins/olsearch.pl b/thirdparty/rr-full/plugins/olsearch.pl index baaf17096e..93ff6b12ff 100644 --- a/thirdparty/rr-full/plugins/olsearch.pl +++ b/thirdparty/rr-full/plugins/olsearch.pl @@ -87,7 +87,7 @@ sub parseSearchMRU { foreach my $i (0..($num - 1)) { $item{$i} = substr($data,$ofs[$i], $ofs[$i + 1] - $ofs[$i]); - $item{$i} =~ s/\00//g; + $item{$i} =~ s/\x00//g; } return %item; } diff --git a/thirdparty/rr-full/plugins/outlook.pl b/thirdparty/rr-full/plugins/outlook.pl index a566e0a36a..fc613edd1f 100644 --- a/thirdparty/rr-full/plugins/outlook.pl +++ b/thirdparty/rr-full/plugins/outlook.pl 
@@ -56,32 +56,32 @@ sub pluginmain { # http://support.microsoft.com/kb/198479 eval { my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0324")->get_data(); - $data =~ s/\00//g; + $data =~ s/\x00//g; ::rptMsg(" Outlook 2007 AutoArchive path -> ".$data); }; eval { my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e0324")->get_data(); - $data =~ s/\00//g; + $data =~ s/\x00//g; ::rptMsg(" Outlook 2003 AutoArchive path -> ".$data); }; eval { my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data(); - $data =~ s/\00//g; + $data =~ s/\x00//g; ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data); }; # http://support.microsoft.com/kb/288570 eval { my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101e0384")->get_data(); - $data =~ s/\00//g; + $data =~ s/\x00//g; ::rptMsg(" Open Other Users MRU (Outlook 97) -> ".$data); }; eval { my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101f0390")->get_data(); - $data =~ s/\00//g; + $data =~ s/\x00//g; ::rptMsg(" Open Other Users MRU (Outlook 2003) -> ".$data); }; 
@@ -104,26 +104,26 @@ sub pluginmain { eval { my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6610")->get_data(); - $data =~ s/\00//g; + $data =~ s/\x00//g; ::rptMsg(" Path to OST file: ".$data); }; eval { my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6607")->get_data(); - $data =~ s/\00//g; + $data =~ s/\x00//g; ::rptMsg(" Email: ".$data); }; eval { my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6620")->get_data(); - $data =~ s/\00//g; + $data =~ s/\x00//g; ::rptMsg(" Email: ".$data); }; # http://support.microsoft.com/kb/959956 # eval { # my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("01026687")->get_data(); -# $data =~ s/\00/\./g; +# $data =~ s/\x00/\./g; # $data =~ s/\W//g; # ::rptMsg(" Non-SMTP Email: ".$data); # }; @@ -143,7 +143,7 @@ sub pluginmain { eval { my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data(); - $data =~ s/\00//g; + $data =~ s/\x00//g; ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data); }; @@ -154,7 +154,7 @@ sub pluginmain { eval { my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0418")->get_data(); - $data =~ s/\00//g; + $data =~ s/\x00//g; ::rptMsg(" 001f0418 -> ".$data); }; # ::rptMsg("Error : ".$@) if ($@); diff --git a/thirdparty/rr-full/plugins/photos.pl b/thirdparty/rr-full/plugins/photos.pl index a63ab79b65..9f833d3a70 100644 --- a/thirdparty/rr-full/plugins/photos.pl +++ b/thirdparty/rr-full/plugins/photos.pl @@ -26,7 +26,7 @@ my %config = (hive => "USRCLASS\.DAT", sub getConfig{return %config} sub getShortDescr { - return "Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives"; + return "Shell/BagMRU traversal in Win7 USRCLASS.DAT hives"; } sub getDescr{} sub getRefs {} diff --git a/thirdparty/rr-full/plugins/polacdms.pl b/thirdparty/rr-full/plugins/polacdms.pl index 9117eec462..8147c53f0f 100644 
--- a/thirdparty/rr-full/plugins/polacdms.pl +++ b/thirdparty/rr-full/plugins/polacdms.pl @@ -67,8 +67,7 @@ sub pluginmain { ::rptMsg($key_path." not found."); } ::rptMsg(""); - my $key_path = "Policy\\PolPrDmS"; - my $key; + $key_path = "Policy\\PolPrDmS"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg("PolPrDmS"); ::rptMsg($key_path); @@ -92,4 +91,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/prefetch.pl b/thirdparty/rr-full/plugins/prefetch.pl index 8bf6c1b59c..3fa5b08366 100644 --- a/thirdparty/rr-full/plugins/prefetch.pl +++ b/thirdparty/rr-full/plugins/prefetch.pl @@ -3,7 +3,7 @@ # Access System hive file to get the Prefetch Parameters # # Change history -# +# 2016-05-06 Added check for SysMain service start method. James Habben # # References # http://msdn.microsoft.com/en-us/library/bb499146(v=winembedded.5).aspx @@ -18,7 +18,13 @@ my %config = (hive => "SYSTEM", hasDescr => 0, hasRefs => 0, osmask => 22, - version => 20120914); + version => 20160506); + +my %starts = (0x00 => "Boot Start", + 0x01 => "System Start", + 0x02 => "Auto Start", + 0x03 => "Manual", + 0x04 => "Disabled"); sub getConfig{return %config} sub getShortDescr { @@ -65,6 +71,24 @@ sub pluginmain { ::rptMsg($pp_path." not found."); ::logMsg($pp_path." not found."); } + + my $pfsvc_path = $ccs."\\services\\SysMain"; + my $pfsvc; + if ($pfsvc = $root_key->get_subkey($pfsvc_path)) { + my $svc_start = $pfsvc->get_value("Start")->get_data(); + if (exists $starts{$svc_start}) { + $svc_start = $starts{$svc_start}; + } + ::rptMsg(""); + ::rptMsg("Superfetch service runs both Superfetch and Prefetch functions. Shortname is SysMain."); + ::rptMsg("SysMain Service = ".$svc_start); + + + } + else { + ::rptMsg($pfsvc_path." not found."); + ::logMsg($pfsvc_path." not found."); + } } else { ::rptMsg($key_path." not found."); @@ -73,4 +97,4 @@ sub pluginmain { } -1; \ No newline at end of file +1; 
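Review bot: `my $svc_start = $pfsvc->get_value("Start")->get_data();` in the new SysMain block calls `get_data` on whatever `get_value` returns, so a service key without a `Start` value (undef) dies outside any eval and aborts the whole plugin, where the other plugins in this diff wrap such lookups in `eval`. Guard it: `my $v = $pfsvc->get_value("Start"); my $svc_start = defined $v ? $v->get_data() : "(Start value not found)";`, and leave the `%starts` lookup as it is. The two blank lines before the closing brace can go. pluginmain continues outside the hunk.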
diff --git a/thirdparty/rr-full/plugins/printers.pl b/thirdparty/rr-full/plugins/printers.pl index 8c9a349bec..97a4a0f1aa 100644 --- a/thirdparty/rr-full/plugins/printers.pl +++ b/thirdparty/rr-full/plugins/printers.pl @@ -70,8 +70,7 @@ sub pluginmain { ::rptMsg("Default Printer (via CurrentVersion\\Windows): ".$def); }; # another attempt to get the default printer - my $def_path = "Printers"; - my $def; + $def_path = "Printers"; eval { $def = $root_key->get_subkey($def_path)->get_value("DeviceOld")->get_data(); ::rptMsg("Default Printer (via Printers->DeviceOld): ".$def); @@ -82,4 +81,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/productpolicy.pl b/thirdparty/rr-full/plugins/productpolicy.pl index daf4b96acf..0928db5fc6 100644 --- a/thirdparty/rr-full/plugins/productpolicy.pl +++ b/thirdparty/rr-full/plugins/productpolicy.pl 
@@ -69,32 +69,29 @@ sub pluginmain { my $key; my $key_path = "ControlSet00".$curr."\\Control\\ProductOptions"; if ($key = $root_key->get_subkey($key_path)) { + my $prod; eval { - my $v1 = $key->get_value("ProductPolicy"); - if (defined $v1) { - my $prod = $v1->get_data(); - my %pol = parseData($prod); - ::rptMsg(""); - ::rptMsg("Note: This plugin applies to Vista and Windows 2008 ONLY."); - ::rptMsg("For a listing of names and values, see:"); - ::rptMsg("http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/install.htm&tx=3,5,6;4"); - ::rptMsg(""); - foreach my $p (sort keys %pol) { - ::rptMsg($p." - ".$pol{$p}); - } - - if (exists $prodinfo{$pol{"Kernel\-ProductInfo"}}) { - ::rptMsg(""); - ::rptMsg("Kernel\-ProductInfo = ".$prodinfo{$pol{"Kernel\-ProductInfo"}}); - } - } - else { - ::rptMsg("Error getting ProductPolicy value"); - } + $prod = $key->get_value("ProductPolicy")->get_data(); }; if ($@) { ::rptMsg("Error getting ProductPolicy value: $@"); } + else { + my %pol = parseData($prod); + ::rptMsg(""); + ::rptMsg("Note: This plugin applies to Vista and Windows 2008 ONLY."); + ::rptMsg("For a listing of names and values, see:"); + ::rptMsg("http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/install.htm&tx=3,5,6;4"); + ::rptMsg(""); + foreach my $p (sort keys %pol) { + ::rptMsg($p." - ".$pol{$p}); + } + + if (exists $prodinfo{$pol{"Kernel\-ProductInfo"}}) { + ::rptMsg(""); + ::rptMsg("Kernel\-ProductInfo = ".$prodinfo{$pol{"Kernel\-ProductInfo"}}); + } + } } else { ::rptMsg($key_path." not found."); @@ -125,7 +122,7 @@ sub parseData { my @vals = unpack("v4V2", substr($pd,$cursor,0x10)); my $value = substr($pd,$cursor,$vals[0]); my $name = substr($value,0x10,$vals[1]); - $name =~ s/\00//g; + $name =~ s/\x00//g; my $data = substr($value,0x10 + $vals[1],$vals[3]); if ($vals[2] == 4) { 
@@ -133,7 +130,7 @@ sub parseData { $data = unpack("V",$data); } elsif ($vals[2] == 1) { - $data =~ s/\00//g; + $data =~ s/\x00//g; } elsif ($vals[2] == 3) { $data = unpack("H*",$data); diff --git a/thirdparty/rr-full/plugins/profilelist.pl b/thirdparty/rr-full/plugins/profilelist.pl index c928d32bc0..d06e9f4deb 100644 --- a/thirdparty/rr-full/plugins/profilelist.pl +++ b/thirdparty/rr-full/plugins/profilelist.pl @@ -40,7 +40,7 @@ sub pluginmain { my %profiles; - #::logMsg("Launching profilelist v.".$VERSION); + ::logMsg("Launching profilelist v.".$VERSION); ::rptMsg("profilelist v.".$VERSION); # banner ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner my $reg = Parse::Win32Registry->new($hive); @@ -95,7 +95,7 @@ sub pluginmain { } # The following was added 20100219 - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; + $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; if ($key = $root_key->get_subkey($key_path)) { my @subkeys = $key->get_list_of_subkeys(); if (scalar @subkeys > 0) { @@ -136,4 +136,4 @@ sub pluginmain { } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/realplayer6.pl b/thirdparty/rr-full/plugins/realplayer6.pl index 5193fef6bc..aaa70ef325 100644 --- a/thirdparty/rr-full/plugins/realplayer6.pl +++ b/thirdparty/rr-full/plugins/realplayer6.pl @@ -25,7 +25,7 @@ my %config = (hive => "NTUSER\.DAT", sub getConfig{return %config} sub getShortDescr { - return "Gets user's RealPlayer v6 MostRecentClips\(Default) values"; + return "Gets user's RealPlayer v6 MostRecentClips(Default) values"; } sub getDescr{} sub getRefs {} @@ -75,4 +75,4 @@ sub pluginmain { } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/recentdocs.pl b/thirdparty/rr-full/plugins/recentdocs.pl index b8f95b7f4f..4714db684a 100644 --- a/thirdparty/rr-full/plugins/recentdocs.pl +++ b/thirdparty/rr-full/plugins/recentdocs.pl 
@@ -147,9 +147,9 @@ sub getRDValues { else { # New code $data = decode("ucs-2le", $data); - my $file = (split(/\00/,$data))[0]; -# my $file = (split(/\00\00/,$data))[0]; -# $file =~ s/\00//g; + my $file = (split(/\x00/,$data))[0]; +# my $file = (split(/\x00\x00/,$data))[0]; +# $file =~ s/\x00//g; $rdvals{$name} = $file; } } diff --git a/thirdparty/rr-full/plugins/recentdocs_tln.pl b/thirdparty/rr-full/plugins/recentdocs_tln.pl index de02d71df2..1cdc7270ae 100644 --- a/thirdparty/rr-full/plugins/recentdocs_tln.pl +++ b/thirdparty/rr-full/plugins/recentdocs_tln.pl @@ -118,9 +118,9 @@ sub getRDValues { else { # New code $data = decode("ucs-2le", $data); - my $file = (split(/\00/,$data))[0]; -# my $file = (split(/\00\00/,$data))[0]; -# $file =~ s/\00//g; + my $file = (split(/\x00/,$data))[0]; +# my $file = (split(/\x00\x00/,$data))[0]; +# $file =~ s/\x00//g; $rdvals{$name} = $file; } } diff --git a/thirdparty/rr-full/plugins/regback.pl b/thirdparty/rr-full/plugins/regback.pl index 7c93b394cb..04423406fe 100644 --- a/thirdparty/rr-full/plugins/regback.pl +++ b/thirdparty/rr-full/plugins/regback.pl @@ -30,8 +30,9 @@ my %config = (hive => "Software", sub getConfig{return %config} sub getShortDescr { - return "Get logfile name of registry backup tasks"; + return "List all backup tasks along with logfile name and last written date/time"; } + sub getDescr{} sub getRefs {} sub getHive {return $config{hive};} @@ -42,8 +43,8 @@ my $VERSION = getVersion(); sub pluginmain { ::logMsg("Launching regback v.".$VERSION); - ::rptMsg("regback v.".$VERSION); # 20110830 [fpi] + banner - ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + ::rptMsg("regback v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner my $class = shift; my $hive = shift; 
@@ -71,18 +72,13 @@ sub pluginmain { ::rptMsg($key_path." not found."); } - my $class = shift; - my $hive = shift; + $class = shift; + $hive = shift; my %tasks; -sub getShortDescr { - return "List all tasks along with logfile name and last written date/time"; -} - - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks"; - my $key; + $root_key = $reg->get_root_key; + $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg($key_path); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); @@ -109,4 +105,4 @@ sub getShortDescr { } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/sam b/thirdparty/rr-full/plugins/sam index 31712a88c9..f91679f4b7 100644 --- a/thirdparty/rr-full/plugins/sam +++ b/thirdparty/rr-full/plugins/sam @@ -1,2 +1,3 @@ -# 20120528 *ALL* Plugins that apply on SAM hive, alphabetical order -samparse \ No newline at end of file +# 20161213 *ALL* Plugins that apply on SAM hive, alphabetical order +samparse +samparse_ltn diff --git a/thirdparty/rr-full/plugins/samparse.pl b/thirdparty/rr-full/plugins/samparse.pl index 60ec4f1dfe..bdcfedf571 100644 --- a/thirdparty/rr-full/plugins/samparse.pl +++ b/thirdparty/rr-full/plugins/samparse.pl @@ -3,6 +3,7 @@ # Parse the SAM hive file for user/group membership info # # Change history: +# 20160203 - updated to include add'l values (randomaccess/Phill Moore contribution) # 20120722 - updated %config hash # 20110303 - Fixed parsing of SID, added check for account type # Acct type determined based on Dustin Hulburt's "Forensic 
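Review bot: The reassignments `$class = shift;` and `$hive = shift;` in this hunk run after pluginmain has already consumed both arguments at its top (visible in the previous hunk), so they shift from an empty `@_` and reset `$class` and `$hive` to undef for the rest of the sub. They look like a leftover of the duplicated block the commit otherwise removes; delete both lines rather than converting them to plain assignments. The converted `$root_key = $reg->get_root_key;` likewise re-fetches a root key that was presumably obtained earlier in the sub, which is harmless but redundant. pluginmain starts and ends outside this hunk.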
@@ -17,7 +18,7 @@ # Source available here: http://pogostick.net/~pnh/ntpasswd/ # http://accessdata.com/downloads/media/Forensic_Determination_Users_Logon_Status.pdf # -# copyright 2012 Quantum Analytics Research, LLC +# copyright 2016 Quantum Analytics Research, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package samparse; @@ -31,7 +32,7 @@ my %config = (hive => "SAM", hasShortDescr => 1, hasDescr => 0, hasRefs => 1, - version => 20120722); + version => 20160203); sub getConfig{return %config} @@ -117,10 +118,33 @@ sub pluginmain { ($f_val{pwd_reset_date} == 0) ? ($pwdreset = "Never") : ($pwdreset = gmtime($f_val{pwd_reset_date})." Z"); ($f_val{pwd_fail_date} == 0) ? ($pwdfail = "Never") : ($pwdfail = gmtime($f_val{pwd_fail_date})." Z"); + my $given; + my $surname; + eval { + $given = $u->get_value("GivenName")->get_data(); + $given =~ s/\x00//g; + }; + + eval { + $surname = $u->get_value("SurName")->get_data(); + $surname =~ s/\x00//g; + }; + + ::rptMsg("Name : ".$given." ".$surname); + + my $internet; + eval { + $internet = $u->get_value("InternetUserName")->get_data(); + $internet =~ s/\x00//g; + ::rptMsg("InternetName : ".$internet); + }; + + + my $pw_hint; eval { $pw_hint = $u->get_value("UserPasswordHint")->get_data(); - $pw_hint =~ s/\00//g; + $pw_hint =~ s/\x00//g; }; ::rptMsg("Password Hint : ".$pw_hint) unless ($@); ::rptMsg("Last Login Date : ".$lastlogin); @@ -143,7 +167,7 @@ sub pluginmain { ::rptMsg("Group Membership Information"); ::rptMsg("-" x 25); # Get Group membership information - my $key_path = 'SAM\\Domains\\Builtin\\Aliases'; + $key_path = 'SAM\\Domains\\Builtin\\Aliases'; if ($key = $root_key->get_subkey($key_path)) { my %grps; my @groups = $key->get_list_of_subkeys(); 
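Review bot: `::rptMsg("Name : ".$given." ".$surname);` in the new GivenName/SurName block prints for every account even when neither value exists, and when warnings are enabled it emits "uninitialized value" warnings because the two evals leave the variables undef on failure. Print the line only when something was recovered, e.g. `::rptMsg("Name : ".($given // "")." ".($surname // "")) if (defined $given || defined $surname);` (`//` needs Perl 5.10). The three new values are cleaned with `s/\x00//g`, which only works for ASCII content of a UTF-16LE string and silently corrupts non-ASCII names in the report; recentdocs.pl in this same commit uses `decode("ucs-2le", ...)`, which would be the faithful approach here too if Encode is loaded in this file. pluginmain continues outside this hunk.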
@@ -187,12 +211,10 @@ sub pluginmain { } else { ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); } } else { ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); } } @@ -323,8 +345,8 @@ sub _translateSID { #--------------------------------------------------------------------- sub _uniToAscii { my $str = $_[0]; - $str =~ s/\00//g; + $str =~ s/\x00//g; return $str; } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/samparse_tln.pl b/thirdparty/rr-full/plugins/samparse_tln.pl index c3afb9d191..39df56ce4e 100644 --- a/thirdparty/rr-full/plugins/samparse_tln.pl +++ b/thirdparty/rr-full/plugins/samparse_tln.pl @@ -121,7 +121,7 @@ sub pluginmain { my $c_descr = "Acct Created (".$v_val{type}.")"; eval { $pw_hint = $u->get_value("UserPasswordHint")->get_data(); - $pw_hint =~ s/\00//g; + $pw_hint =~ s/\x00//g; $c_descr .= " (Pwd Hint: ".$pw_hint.")"; }; @@ -278,7 +278,7 @@ sub _translateSID { #--------------------------------------------------------------------- sub _uniToAscii { my $str = $_[0]; - $str =~ s/\00//g; + $str =~ s/\x00//g; return $str; } diff --git a/thirdparty/rr-full/plugins/security b/thirdparty/rr-full/plugins/security index 12841a87ca..628ca1c876 100644 --- a/thirdparty/rr-full/plugins/security +++ b/thirdparty/rr-full/plugins/security @@ -1,4 +1,8 @@ -# 20120528 *ALL* Plugins that apply on SECURITY hive, alphabetical order +# 20161213 *ALL* Plugins that apply on SECURITY hive, alphabetical order auditpol +auditpol_xp lsasecrets -polacdms \ No newline at end of file +polacdms +secrets +secrets_tln +securityproviders diff --git a/thirdparty/rr-full/plugins/sevenzip.pl b/thirdparty/rr-full/plugins/sevenzip.pl index 77309d7281..30abdaf299 100644 --- a/thirdparty/rr-full/plugins/sevenzip.pl +++ b/thirdparty/rr-full/plugins/sevenzip.pl 
@@ -59,9 +59,9 @@ sub pluginmain { eval { ::rptMsg("ArcHistory:"); my $copy = $key->get_subkey("Compression")->get_value("ArcHistory")->get_data(); - my @c = split(/\00\00/,$copy); + my @c = split(/\x00\x00/,$copy); foreach my $hist (@c) { - $hist =~ s/\00//g; + $hist =~ s/\x00//g; ::rptMsg(" ".$hist); } }; @@ -69,9 +69,9 @@ sub pluginmain { eval { ::rptMsg("PathHistory:"); my $copy = $key->get_subkey("Extraction")->get_value("PathHistory")->get_data(); - my @c = split(/\00\00/,$copy); + my @c = split(/\x00\x00/,$copy); foreach my $hist (@c) { - $hist =~ s/\00//g; + $hist =~ s/\x00//g; ::rptMsg(" ".$hist); } ::rptMsg(""); @@ -80,9 +80,9 @@ sub pluginmain { eval { ::rptMsg("CopyHistory:"); my $copy = $key->get_subkey("FM")->get_value("CopyHistory")->get_data(); - my @c = split(/\00\00/,$copy); + my @c = split(/\x00\x00/,$copy); foreach my $hist (@c) { - $hist =~ s/\00//g; + $hist =~ s/\x00//g; ::rptMsg(" ".$hist); } ::rptMsg(""); @@ -91,9 +91,9 @@ sub pluginmain { eval { ::rptMsg("FolderHistory:"); my $copy = $key->get_subkey("FM")->get_value("FolderHistory")->get_data(); - my @c = split(/\00\00/,$copy); + my @c = split(/\x00\x00/,$copy); foreach my $hist (@c) { - $hist =~ s/\00//g; + $hist =~ s/\x00//g; ::rptMsg(" ".$hist); } }; diff --git a/thirdparty/rr-full/plugins/sfc.pl b/thirdparty/rr-full/plugins/sfc.pl index f70e00daa0..4748240696 100644 --- a/thirdparty/rr-full/plugins/sfc.pl +++ b/thirdparty/rr-full/plugins/sfc.pl 
@@ -75,8 +75,7 @@ sub pluginmain { # According to http://support.microsoft.com/kb/222193, sfc* values in this key, if # it exists, take precedence over and are copied into the values within the Winlogon # key; see also http://support.microsoft.com/kb/222473/ - my $key_path = "Policies\\Microsoft\\Windows NT\\Windows File Protection"; - my $key; + $key_path = "Policies\\Microsoft\\Windows NT\\Windows File Protection"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg($key_path); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); @@ -106,4 +105,4 @@ sub pluginmain { # ::logMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/shares.pl b/thirdparty/rr-full/plugins/shares.pl index 3f3c2f2a23..143c282b1f 100644 --- a/thirdparty/rr-full/plugins/shares.pl +++ b/thirdparty/rr-full/plugins/shares.pl @@ -97,7 +97,7 @@ sub pluginmain { # Determine of the AutoShareServer/Wks values have been set my $path = $key_path."\\".$lanman; - my $tag = "parameters"; + $tag = "parameters"; my $para = getKeyPath($path,$tag); eval { if ($key = $root_key->get_subkey($path."\\".$para)) { @@ -139,4 +139,4 @@ sub getKeyPath { return $subkey; } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/shellbags.pl b/thirdparty/rr-full/plugins/shellbags.pl index fe7ed4c174..7625f0b83f 100644 --- a/thirdparty/rr-full/plugins/shellbags.pl +++ b/thirdparty/rr-full/plugins/shellbags.pl @@ -3,6 +3,7 @@ # RR plugin to parse (Vista, Win7/Win2008R2) shell bags # # History: +# 20150325 - updated parsing based on input from Eric Zimmerman # 20140728 - updated shell item 0x01 parsing # 20131216 - updated to support shell item type 0x52 # 20130102 - updated to include type 0x35 
@@ -31,7 +32,7 @@ # assistance with some parsing. # # License: GPL v3 -# copyright 2012 Quantum Analytics Research, LLC +# copyright 2015 Quantum Analytics Research, LLC # Author: H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- package shellbags; @@ -46,12 +47,12 @@ my %config = (hive => "USRCLASS\.DAT", hasShortDescr => 1, hasDescr => 0, hasRefs => 0, - version => 20130102); + version => 20150325); sub getConfig{return %config} sub getShortDescr { - return "Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives"; + return "Shell/BagMRU traversal in Win7 USRCLASS.DAT hives"; } sub getDescr{} sub getRefs {} @@ -72,6 +73,7 @@ my %cp_guids = ("{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}" => "Action Center", "{e2e7934b-dce5-43c4-9576-7fe4f75e7480}" => "Date and Time", "{00c6d95f-329c-409a-81d7-c46c66ea7f33}" => "Default Location", "{17cd9488-1228-4b2f-88ce-4298e93e0966}" => "Default Programs", + "{b4bfcc3a-db2c-424c-b029-7fe99a87c641}" => "Desktop", "{37efd44d-ef8d-41b1-940d-96973a50e9e0}" => "Desktop Gadgets", "{74246bfc-4c96-11d0-abef-0020af6b0b7a}" => "Device Manager", "{a8a91a66-3a7d-4424-8d24-04e180695c7a}" => "Devices and Printers", 
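Review bot: The GUID `{b4bfcc3a-db2c-424c-b029-7fe99a87c641}` added to %cp_guids as "Desktop" is already mapped to "Desktop" in %folder_types (the next hunk shows it as context), so the same identifier now lives in two tables. Because parseGUID consults %cp_guids before %folder_types the output is unchanged, but duplicated entries drift apart over time; keep it in one table, or add `# also listed in %folder_types` beside the new line so the duplication is visibly deliberate.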
@@ -136,18 +138,22 @@ my %folder_types = ("{724ef170-a42d-4fef-9f26-b60e846fba4f}" => "Administrative "{1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}" => "CSIDL_SYSTEM", "{b4bfcc3a-db2c-424c-b029-7fe99a87c641}" => "Desktop", "{7b0db17d-9cd2-4a93-9733-46cc89022e7c}" => "Documents Library", + "{a8cdff1c-4878-43be-b5fd-f8091c1c60d0}" => "Documents", "{fdd39ad0-238f-46af-adb4-6c85480369c7}" => "Documents", "{374de290-123f-4565-9164-39c4925e467b}" => "Downloads", "{de61d971-5ebc-4f02-a3a9-6c82895e5c04}" => "Get Programs", "{a305ce99-f527-492b-8b1a-7e76fa98d6e4}" => "Installed Updates", "{871c5380-42a0-1069-a2ea-08002b30309d}" => "Internet Explorer (Homepage)", "{031e4825-7b94-4dc3-b131-e946b44c8dd5}" => "Libraries", + "{2112ab0a-c86a-4ffe-a368-0de96e47012e}" => "Music", + "{1cf1260c-4dd0-4ebb-811f-33c572699fde}" => "Music", "{4bd8d571-6d19-48d3-be97-422220080e43}" => "Music", "{20d04fe0-3aea-1069-a2d8-08002b30309d}" => "My Computer", "{450d8fba-ad25-11d0-98a8-0800361b1103}" => "My Documents", "{ed228fdf-9ea8-4870-83b1-96b02cfe0d52}" => "My Games", "{208d2c60-3aea-1069-a2d7-08002b30309d}" => "My Network Places", "{f02c1a0d-be21-4350-88b0-7367fc96ef3c}" => "Network", + "{3add1653-eb32-4cb0-bbd7-dfa0abb5acca}" => "Pictures", "{33e28130-4e1e-4676-835a-98395c3bc3bb}" => "Pictures", "{a990ae9f-a03b-4e80-94bc-9912d7504104}" => "Pictures", "{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}" => "Program Files (x86)", @@ -164,6 +170,7 @@ my %folder_types = ("{724ef170-a42d-4fef-9f26-b60e846fba4f}" => "Administrative "{9e52ab10-f80d-49df-acb8-4330f5687855}" => "Temporary Burn Folder", "{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}" => "Users Files", "{59031a47-3f72-44a7-89c5-5595fe6b30ee}" => "Users", + "{a0953c92-50dc-43bf-be83-3742fed03c9c}" => "Videos", "{b5947d7f-b489-4fde-9e77-23780cc610d1}" => "Virtual Machines", "{f38bf404-1d43-42f2-9305-67de0b28fc23}" => "Windows"); 
@@ -240,7 +247,7 @@ sub traverse { } elsif ($type == 0x2e) { # Device - %item = parseDeviceEntry($values{$v}); + %item = parseDeviceEntry($values{$v}); } elsif ($type == 0x2F) { # Volume (Drive Letter) @@ -260,10 +267,10 @@ sub traverse { elsif ($type == 0x31 || $type == 0x32 || $type == 0xb1 || $type == 0x74) { # Folder or Zip File %item = parseFolderEntry($values{$v}); +# probe($values{$v}); } elsif ($type == 0x35) { %item = parseFolderEntry2($values{$v}); - probe($values{$v}); } elsif ($type == 0x71) { # Control Panel @@ -387,35 +394,13 @@ sub parseVariableEntry { my $num = unpack("V",substr($stuff,$cnt + 13,4)); my $str = substr($stuff,$cnt + 13 + 4,($num * 2)); - $str =~ s/\00//g; + $str =~ s/\x00//g; $item{name} = $str; } $cnt += $sz; } } - -# if (exists $segs{"{5cbf2787-48cf-4208-b90e-ee5e5d420294}"}) { -# my $stuff = $segs{"{5cbf2787-48cf-4208-b90e-ee5e5d420294}"}; -# my $tag = 1; -# my $cnt = 0x10; -# while($tag) { -# my $sz = unpack("V",substr($stuff,$cnt,4)); -# my $id = unpack("V",substr($stuff,$cnt + 4,4)); -# -# if ($sz == 0x00) { -# $tag = 0; -# next; -# } -# elsif ($id == 0x19) { -# -# my $num = unpack("V",substr($stuff,$cnt + 13,4)); -# my $str = substr($stuff,$cnt + 13 + 4,($num * 2)); -# $str =~ s/\00//g; -# $item{name} = $str; -# } -# $cnt += $sz; -# } -# } + } elsif (substr($data,4,4) eq "AugM") { %item = parseFolderEntry($data); 
@@ -424,12 +409,26 @@ sub parseVariableEntry { elsif ($tag == 0x7b || $tag == 0xbb || $tag == 0xfb) { my ($sz1,$sz2,$sz3) = unpack("VVV",substr($data,0x3e,12)); $item{name} = substr($data,0x4a,$sz1 * 2); - $item{name} =~ s/\00//g; + $item{name} =~ s/\x00//g; } elsif ($tag == 0x02 || $tag == 0x03) { my ($sz1,$sz2,$sz3,$sz4) = unpack("VVVV",substr($data,0x26,16)); $item{name} = substr($data,0x36,$sz1 * 2); - $item{name} =~ s/\00//g; + $item{name} =~ s/\x00//g; + } + elsif (unpack("v",substr($data,6,2)) == 0x05) { + my $o = 0x26; + my $t = 1; + while ($t) { + my $i = substr($data,$o,1); + if ($i =~ m/\x00/) { + $t = 0; + } + else { + $item{name} .= $i; + $o++; + } + } } else { $item{name} = "Unknown Type"; @@ -446,7 +445,7 @@ sub parseNetworkEntry { my %item = (); $item{type} = unpack("C",substr($data,2,1)); - my @n = split(/\00/,substr($data,4,length($data) - 4)); + my @n = split(/\x00/,substr($data,4,length($data) - 4)); $item{name} = $n[0]; return %item; } @@ -463,13 +462,13 @@ sub parseZipSubFolderItem { # Get the opened/accessed date/time $item{datetime} = substr($data,0x24,6); - $item{datetime} =~ s/\00//g; + $item{datetime} =~ s/\x00//g; if ($item{datetime} eq "N/A") { } else { $item{datetime} = substr($data,0x24,40); - $item{datetime} =~ s/\00//g; + $item{datetime} =~ s/\x00//g; my ($date,$time) = split(/\s+/,$item{datetime},2); my ($mon,$day,$yr) = split(/\//,$date,3); my ($hr,$min,$sec) = split(/:/,$time,3); @@ -482,9 +481,9 @@ sub parseZipSubFolderItem { my $sz2 = unpack("V",substr($data,0x58,4)); my $str1 = substr($data,0x5C,$sz *2) if ($sz > 0); - $str1 =~ s/\00//g; + $str1 =~ s/\x00//g; my $str2 = substr($data,0x5C + ($sz * 2),$sz2 *2) if ($sz2 > 0); - $str2 =~ s/\00//g; + $str2 =~ s/\x00//g; if ($sz2 > 0) { $item{name} = $str1."\\".$str2; 
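Review bot: The new `elsif (unpack("v",substr($data,6,2)) == 0x05)` branch in parseVariableEntry scans from offset 0x26 until it sees a NUL byte, but nothing stops the loop at the end of `$data`: once `$o` passes the end, `substr` returns an empty string or undef, `m/\x00/` never matches and `$o` grows forever. An item without the terminator, or a shorter item that takes this branch, therefore hangs the parser, which matters for a tool run against arbitrary evidence files. Bound the loop on the data length, `while ($t && $o < length($data)) {`, and consider initialising `$item{name} = ""` before the loop so an immediate terminator still yields a defined name. parseVariableEntry starts before this hunk.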
@@ -547,10 +546,10 @@ sub parseURIEntry { my $sz = unpack("V",substr($data,0x2a,4)); my $uri = substr($data,0x2e,$sz); - $uri =~ s/\00//g; + $uri =~ s/\x00//g; my $proto = substr($data,length($data) - 6, 6); - $proto =~ s/\00//g; + $proto =~ s/\x00//g; $item{name} = $proto."://".$uri." [".gmtime($item{uritime})."]"; @@ -600,7 +599,18 @@ sub parseGUID { my $d3 = unpack("v",substr($data,6,2)); my $d4 = unpack("H*",substr($data,8,2)); my $d5 = unpack("H*",substr($data,10,6)); - return sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3; + my $guid = sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3; + + if (exists $cp_guids{$guid}) { + return "CLSID_".$cp_guids{$guid}; + } + elsif (exists $folder_types{$guid}) { + return "CLSID_".$folder_types{$guid}; + } + else { + return $guid; + } + } #----------------------------------------------------------- 
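Review bot: parseGUID now returns `"CLSID_".$cp_guids{$guid}` or `"CLSID_".$folder_types{$guid}` for known identifiers instead of the bare GUID, which changes the function's contract rather than just its formatting. Any caller that looks the returned string up in %cp_guids/%folder_types, or compares it against a literal GUID, now misses for exactly the entries that are known; I cannot see the callers from this hunk (parseDeviceEntry in the next hunk only concatenates two results into a path, which works either way), so please confirm none of them key on the raw GUID. If the name is wanted for display, a separate lookup helper keeps parseGUID pure. Either way a header comment such as `# returns CLSID_<name> for a known GUID, else the {guid} string` should state the new behaviour.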
@@ -609,17 +619,47 @@ sub parseGUID { sub parseDeviceEntry { my $data = shift; my %item = (); + + my $ofs = unpack("v",substr($data,4,2)); + my $tag = unpack("V",substr($data,6,4)); - my $userlen = unpack("V",substr($data,30,4)); - my $devlen = unpack("V",substr($data,34,4)); - - my $user = substr($data,0x28,$userlen * 2); - $user =~ s/\00//g; - - my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2); - $dev =~ s/\00//g; - - $item{name} = $user; + if ($tag == 0) { + my $guid1 = parseGUID(substr($data,$ofs + 6,16)); + my $guid2 = parseGUID(substr($data,$ofs + 6 + 16,16)); + $item{name} = $guid1."\\".$guid2 + } + elsif ($tag == 2) { + $item{name} = substr($data,0x0a,($ofs + 6) - 0x0a); + $item{name} =~ s/\x00//g; + } + else { + my $ver = unpack("C",substr($data,9,1)); + +# Version 3 = XP + if ($ver == 3) { + my $guid1 = parseGUID(substr($data,$ofs + 6,16)); + my $guid2 = parseGUID(substr($data,$ofs + 6 + 16,16)); + $item{name} = $guid1."\\".$guid2 + + } +# Version 8 = Win7 + elsif ($ver == 8) { + my $userlen = unpack("V",substr($data,30,4)); + my $devlen = unpack("V",substr($data,34,4)); + my $user = substr($data,0x28,$userlen * 2); + $user =~ s/\x00//g; + my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2); + $dev =~ s/\x00//g; + $item{name} = $user; + } + elsif (unpack("C",substr($data,3,1)) == 0x80) { + $item{name} = parseGUID(substr($data,4,16)); + } +# Version unknown + else { + $item{name} = "Device Entry - Unknown Version"; + } + } return %item; } 
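Review bot: Two branches of the rewritten parseDeviceEntry end with `$item{name} = $guid1."\\".$guid2` and no semicolon; Perl accepts it only because the assignment is the last statement of its block, and the next line added to either block turns it into a syntax error. Add the semicolons. The rewrite also reads `$ofs` from the data and then slices at `$ofs + 6` and `$ofs + 22` without checking that `$data` is long enough, so a truncated item yields short or empty slices that parseGUID then unpacks with warnings; a guard such as `return %item if length($data) < $ofs + 6 + 32;` in the GUID branches would stop a malformed entry from producing a bogus name, and in the `$tag == 2` branch the length `($ofs + 6) - 0x0a` goes negative when `$ofs < 4`, which makes substr count from the end of the string instead. I am inferring the item layouts from the offsets used, so confirm against the format reference before tightening.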
@@ -685,14 +725,14 @@ sub parseFolderEntry { ($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]); # Need to read in short name; nul-term ASCII -# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0]; +# $item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0]; $ofs_shortname = $ofs_mdate + 6; my $tag = 1; my $cnt = 0; my $str = ""; while($tag) { my $s = substr($data,$ofs_shortname + $cnt,1); - if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { + if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) { $tag = 0; } else { @@ -700,12 +740,12 @@ sub parseFolderEntry { $cnt++; } } -# $str =~ s/\00//g; +# $str =~ s/\x00//g; my $shortname = $str; my $ofs = $ofs_shortname + $cnt + 1; # Read progressively, 1 byte at a time, looking for 0xbeef - my $tag = 1; - my $cnt = 0; + $tag = 1; + $cnt = 0; while ($tag) { if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) { $tag = 0; @@ -715,12 +755,13 @@ sub parseFolderEntry { } } $item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2)); +# printf "Version: 0x%x\n",$item{extver}; $ofs = $ofs + $cnt + 2; - my @m = unpack("vv",substr($data,$ofs,4)); + @m = unpack("vv",substr($data,$ofs,4)); ($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]); $ofs += 4; - my @m = unpack("vv",substr($data,$ofs,4)); + @m = unpack("vv",substr($data,$ofs,4)); ($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]); my $jmp; @@ -733,6 +774,9 @@ sub parseFolderEntry { elsif ($item{extver} == 0x08) { $jmp = 30; } + elsif ($item{extver} == 0x09) { + $jmp = 34; + } else {} if ($item{type} == 0x31 && $item{extver} >= 0x07) { @@ -747,9 +791,9 @@ sub parseFolderEntry { $ofs += $jmp; - my $str = substr($data,$ofs,length($data) - 30); - my $longname = (split(/\00\00/,$str,2))[0]; - $longname =~ s/\00//g; + $str = substr($data,$ofs,length($data) - 30); + my $longname = (split(/\x00\x00/,$str,2))[0]; + $longname =~ s/\x00//g; if ($longname ne "") { $item{name} = $longname; 
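Review bot: The new `elsif ($item{extver} == 0x09) { $jmp = 34; }` adds a magic offset with no indication of where it comes from, and the same applies to the `0x04` branch with `$jmp = 34` added to parseFolderEntry2 in the next hunk. A short comment on each, e.g. `# extver 0x09: 34 bytes precede the long name (see 20150325 changelog entry)`, lets the next maintainer check the value instead of trusting it. The surrounding `else {}` still leaves `$jmp` undefined for any other extension version, so the later `$ofs += $jmp` silently adds nothing; that is pre-existing, but the new branch is the natural place to at least note it. parseFolderEntry begins before this hunk.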
@@ -821,6 +865,9 @@ sub parseFolderEntry2 { if ($item{extver} == 0x03) { $jmp = 8; } + elsif ($item{extver} == 0x04) { + $jmp = 34; + } elsif ($item{extver} == 0x07) { $jmp = 26; } @@ -840,9 +887,9 @@ sub parseFolderEntry2 { # } # ::rptMsg(""); - $item{name} = (split(/\00\00/,$str,2))[0]; - $item{name} =~ s/\13\20/\2D\00/; - $item{name} =~ s/\00//g; + $item{name} = (split(/\x00\x00/,$str,2))[0]; + $item{name} =~ s/\x13\x20/\x2D\x00/; + $item{name} =~ s/\x00//g; return %item; } @@ -853,7 +900,7 @@ sub parseNetworkEntry { my $data = shift; my %item = (); $item{type} = unpack("C",substr($data,2,1)); - my @names = split(/\00/,substr($data,5,length($data) - 5)); + my @names = split(/\x00/,substr($data,5,length($data) - 5)); $item{name} = $names[0]; return %item; } @@ -865,9 +912,9 @@ sub parseDatePathItem { my $data = shift; my %item = (); $item{datestr} = substr($data,0x18,30); - my ($file,$dir) = split(/\00\00/,substr($data,0x44,length($data) - 0x44)); - $file =~ s/\00//g; - $dir =~ s/\00//g; + my ($file,$dir) = split(/\x00\x00/,substr($data,0x44,length($data) - 0x44)); + $file =~ s/\x00//g; + $dir =~ s/\x00//g; $item{name} = $dir.$file; return %item; } @@ -912,7 +959,7 @@ sub shellItem0x52 { $cnt += 2; } } - $item{name} =~ s/\00//g; + $item{name} =~ s/\x00//g; if ($item{subtype} < 3) { $ofs = 0x32 + $cnt + 2; @@ -922,7 +969,7 @@ sub shellItem0x52 { } $sz = unpack("V",substr($data,$ofs,4)); $item{str} = substr($data,$ofs + 4,$sz * 2); - $item{str} =~ s/\00//g; + $item{str} =~ s/\x00//g; return %item; } @@ -1003,4 +1050,4 @@ sub getNum48 { } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/shellbags_test.pl b/thirdparty/rr-full/plugins/shellbags_test.pl index 50a70d9c76..800592a8c2 100644 --- a/thirdparty/rr-full/plugins/shellbags_test.pl +++ b/thirdparty/rr-full/plugins/shellbags_test.pl 
@@ -358,7 +358,7 @@ sub parseFolderItem { my $str = ""; while($tag) { my $s = substr($data,$ofs_shortname + $cnt,1); - if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { + if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) { $tag = 0; } else { @@ -366,12 +366,12 @@ sub parseFolderItem { $cnt++; } } -# $str =~ s/\00//g; +# $str =~ s/\x00//g; my $shortname = $str; my $ofs = $ofs_shortname + $cnt + 1; # Read progressively, 1 byte at a time, looking for 0xbeef - my $tag = 1; - my $cnt = 0; + $tag = 1; + $cnt = 0; while ($tag) { if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) { $tag = 0; @@ -383,10 +383,10 @@ sub parseFolderItem { $item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2)); $ofs = $ofs + $cnt + 2; - my @m = unpack("vv",substr($data,$ofs,4)); + @m = unpack("vv",substr($data,$ofs,4)); ($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]); $ofs += 4; - my @m = unpack("vv",substr($data,$ofs,4)); + @m = unpack("vv",substr($data,$ofs,4)); ($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]); my $jmp; @@ -403,9 +403,9 @@ sub parseFolderItem { $ofs += $jmp; - my $str = substr($data,$ofs,length($data) - $ofs); - my $longname = (split(/\00\00/,$str,2))[0]; - $longname =~ s/\00//g; + $str = substr($data,$ofs,length($data) - $ofs); + my $longname = (split(/\x00\x00/,$str,2))[0]; + $longname =~ s/\x00//g; if ($longname ne "") { $item{name} = $longname; @@ -416,4 +416,4 @@ sub parseFolderItem { return %item; } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/shellbags_tln.pl b/thirdparty/rr-full/plugins/shellbags_tln.pl index dfc67e3017..c8f5bd0b22 100644 --- a/thirdparty/rr-full/plugins/shellbags_tln.pl +++ b/thirdparty/rr-full/plugins/shellbags_tln.pl @@ -47,7 +47,7 @@ my %config = (hive => "USRCLASS\.DAT", sub getConfig{return %config} sub getShortDescr { - return "Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives"; + return "Shell/BagMRU traversal in Win7 USRCLASS.DAT hives"; } sub getDescr{} sub getRefs {} 
@@ -371,7 +371,7 @@ sub parseVariableEntry { my $num = unpack("V",substr($stuff,$cnt + 13,4)); my $str = substr($stuff,$cnt + 13 + 4,($num * 2)); - $str =~ s/\00//g; + $str =~ s/\x00//g; $item{name} = $str; } $cnt += $sz; @@ -394,7 +394,7 @@ sub parseVariableEntry { # # my $num = unpack("V",substr($stuff,$cnt + 13,4)); # my $str = substr($stuff,$cnt + 13 + 4,($num * 2)); -# $str =~ s/\00//g; +# $str =~ s/\x00//g; # $item{name} = $str; # } # $cnt += $sz; @@ -408,12 +408,12 @@ sub parseVariableEntry { elsif ($tag == 0x7b || $tag == 0xbb || $tag == 0xfb) { my ($sz1,$sz2,$sz3) = unpack("VVV",substr($data,0x3e,12)); $item{name} = substr($data,0x4a,$sz1 * 2); - $item{name} =~ s/\00//g; + $item{name} =~ s/\x00//g; } elsif ($tag == 0x02 || $tag == 0x03) { my ($sz1,$sz2,$sz3,$sz4) = unpack("VVVV",substr($data,0x26,16)); $item{name} = substr($data,0x36,$sz1 * 2); - $item{name} =~ s/\00//g; + $item{name} =~ s/\x00//g; } else { $item{name} = "Unknown Type"; @@ -430,7 +430,7 @@ sub parseNetworkEntry { my %item = (); $item{type} = unpack("C",substr($data,2,1)); - my @n = split(/\00/,substr($data,4,length($data) - 4)); + my @n = split(/\x00/,substr($data,4,length($data) - 4)); $item{name} = $n[0]; return %item; } @@ -447,13 +447,13 @@ sub parseZipSubFolderItem { # Get the opened/accessed date/time $item{datetime} = substr($data,0x24,6); - $item{datetime} =~ s/\00//g; + $item{datetime} =~ s/\x00//g; if ($item{datetime} eq "N/A") { } else { $item{datetime} = substr($data,0x24,40); - $item{datetime} =~ s/\00//g; + $item{datetime} =~ s/\x00//g; my ($date,$time) = split(/\s+/,$item{datetime},2); my ($mon,$day,$yr) = split(/\//,$date,3); my ($hr,$min,$sec) = split(/:/,$time,3); 
@@ -466,9 +466,9 @@ sub parseZipSubFolderItem { my $sz2 = unpack("V",substr($data,0x58,4)); my $str1 = substr($data,0x5C,$sz *2) if ($sz > 0); - $str1 =~ s/\00//g; + $str1 =~ s/\x00//g; my $str2 = substr($data,0x5C + ($sz * 2),$sz2 *2) if ($sz2 > 0); - $str2 =~ s/\00//g; + $str2 =~ s/\x00//g; if ($sz2 > 0) { $item{name} = $str1."\\".$str2; @@ -507,10 +507,10 @@ sub parseURIEntry { my $sz = unpack("V",substr($data,0x2a,4)); my $uri = substr($data,0x2e,$sz); - $uri =~ s/\00//g; + $uri =~ s/\x00//g; my $proto = substr($data,length($data) - 6, 6); - $proto =~ s/\00//g; + $proto =~ s/\x00//g; $item{name} = $proto."://".$uri; @@ -574,10 +574,10 @@ sub parseDeviceEntry { my $devlen = unpack("V",substr($data,34,4)); my $user = substr($data,0x28,$userlen * 2); - $user =~ s/\00//g; + $user =~ s/\x00//g; my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2); - $dev =~ s/\00//g; + $dev =~ s/\x00//g; $item{name} = $user; return %item; @@ -645,14 +645,14 @@ sub parseFolderEntry { ($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]); # Need to read in short name; nul-term ASCII -# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0]; +# $item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0]; $ofs_shortname = $ofs_mdate + 6; my $tag = 1; my $cnt = 0; my $str = ""; while($tag) { my $s = substr($data,$ofs_shortname + $cnt,1); - if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { + if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) { $tag = 0; } else { @@ -660,12 +660,12 @@ sub parseFolderEntry { $cnt++; } } -# $str =~ s/\00//g; +# $str =~ s/\x00//g; my $shortname = $str; my $ofs = $ofs_shortname + $cnt + 1; # Read progressively, 1 byte at a time, looking for 0xbeef - my $tag = 1; - my $cnt = 0; + $tag = 1; + $cnt = 0; while ($tag) { if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) { $tag = 0; 
@@ -677,10 +677,10 @@ sub parseFolderEntry { $item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2)); $ofs = $ofs + $cnt + 2; - my @m = unpack("vv",substr($data,$ofs,4)); + @m = unpack("vv",substr($data,$ofs,4)); ($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]); $ofs += 4; - my @m = unpack("vv",substr($data,$ofs,4)); + @m = unpack("vv",substr($data,$ofs,4)); ($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]); my $jmp; @@ -693,9 +693,9 @@ sub parseFolderEntry { $ofs += $jmp; - my $str = substr($data,$ofs,length($data) - 30); - my $longname = (split(/\00\00/,$str,2))[0]; - $longname =~ s/\00//g; + $str = substr($data,$ofs,length($data) - 30); + my $longname = (split(/\x00\x00/,$str,2))[0]; + $longname =~ s/\x00//g; if ($longname ne "") { $item{name} = $longname; @@ -745,7 +745,7 @@ sub parseNetworkEntry { my $data = shift; my %item = (); $item{type} = unpack("C",substr($data,2,1)); - my @names = split(/\00/,substr($data,5,length($data) - 5)); + my @names = split(/\x00/,substr($data,5,length($data) - 5)); $item{name} = $names[0]; return %item; } @@ -792,4 +792,4 @@ sub printData { } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/shellbags_xp.pl b/thirdparty/rr-full/plugins/shellbags_xp.pl index 4bda17be60..2c427d6638 100644 --- a/thirdparty/rr-full/plugins/shellbags_xp.pl +++ b/thirdparty/rr-full/plugins/shellbags_xp.pl @@ -50,7 +50,7 @@ my %config = (hive => "NTUSER\.DAT", sub getConfig{return %config} sub getShortDescr { - return "Shell/BagMRU traversal in XP NTUSER\.DAT hives"; + return "Shell/BagMRU traversal in XP NTUSER.DAT hives"; } sub getDescr{} sub getRefs {} @@ -405,7 +405,7 @@ sub parseVariableEntry { my $num = unpack("V",substr($stuff,$cnt + 13,4)); my $str = substr($stuff,$cnt + 13 + 4,($num * 2)); - $str =~ s/\00//g; + $str =~ s/\x00//g; $item{name} = $str; } $cnt += $sz; 
@@ -428,7 +428,7 @@ sub parseVariableEntry { # # my $num = unpack("V",substr($stuff,$cnt + 13,4)); # my $str = substr($stuff,$cnt + 13 + 4,($num * 2)); -# $str =~ s/\00//g; +# $str =~ s/\x00//g; # $item{name} = $str; # } # $cnt += $sz; @@ -442,12 +442,12 @@ sub parseVariableEntry { elsif ($tag == 0x7b || $tag == 0xbb || $tag == 0xfb) { my ($sz1,$sz2,$sz3) = unpack("VVV",substr($data,0x3e,12)); $item{name} = substr($data,0x4a,$sz1 * 2); - $item{name} =~ s/\00//g; + $item{name} =~ s/\x00//g; } elsif ($tag == 0x02 || $tag == 0x03) { my ($sz1,$sz2,$sz3,$sz4) = unpack("VVVV",substr($data,0x26,16)); $item{name} = substr($data,0x36,$sz1 * 2); - $item{name} =~ s/\00//g; + $item{name} =~ s/\x00//g; } else { $item{name} = "Unknown Type"; @@ -464,7 +464,7 @@ sub parseNetworkEntry { my %item = (); $item{type} = unpack("C",substr($data,2,1)); - my @n = split(/\00/,substr($data,4,length($data) - 4)); + my @n = split(/\x00/,substr($data,4,length($data) - 4)); $item{name} = $n[0]; return %item; } @@ -481,13 +481,13 @@ sub parseZipSubFolderItem { # Get the opened/accessed date/time $item{datetime} = substr($data,0x24,6); - $item{datetime} =~ s/\00//g; + $item{datetime} =~ s/\x00//g; if ($item{datetime} eq "N/A") { } else { $item{datetime} = substr($data,0x24,40); - $item{datetime} =~ s/\00//g; + $item{datetime} =~ s/\x00//g; my ($date,$time) = split(/\s+/,$item{datetime},2); my ($mon,$day,$yr) = split(/\//,$date,3); my ($hr,$min,$sec) = split(/:/,$time,3); @@ -501,9 +501,9 @@ sub parseZipSubFolderItem { my $sz2 = unpack("V",substr($data,0x58,4)); my $str1 = substr($data,0x5C,$sz *2) if ($sz > 0); - $str1 =~ s/\00//g; + $str1 =~ s/\x00//g; my $str2 = substr($data,0x5C + ($sz * 2),$sz2 *2) if ($sz2 > 0); - $str2 =~ s/\00//g; + $str2 =~ s/\x00//g; if ($sz2 > 0) { $item{name} = $str1."\\".$str2; 
@@ -540,7 +540,7 @@ sub parseXPShellDeviceItem { $item{timestamp} = ::getTime($t0,$t1); # starting at offset 0x18, read the null-term. string as the name value my $str = substr($data,0x18,length($data) - 0x18); - $item{name} = (split(/\00/,$str))[0]; + $item{name} = (split(/\x00/,$str))[0]; return %item; } @@ -558,10 +558,10 @@ sub parseURIEntry { my $sz = unpack("V",substr($data,0x2a,4)); my $uri = substr($data,0x2e,$sz); - $uri =~ s/\00//g; + $uri =~ s/\x00//g; my $proto = substr($data,length($data) - 6, 6); - $proto =~ s/\00//g; + $proto =~ s/\x00//g; $item{name} = $proto."://".$uri." [".gmtime($item{uritime})."]"; @@ -635,10 +635,10 @@ sub parseDeviceEntry { # my $devlen = unpack("V",substr($data,34,4)); # # my $user = substr($data,0x28,$userlen * 2); -# $user =~ s/\00//g; +# $user =~ s/\x00//g; # # my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2); -# $dev =~ s/\00//g; +# $dev =~ s/\x00//g; # # $item{name} = $user; my $len = unpack("v",substr($data,0,2)); @@ -718,14 +718,14 @@ sub parseFolderEntry { ($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]); # Need to read in short name; nul-term ASCII -# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0]; +# $item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0]; $ofs_shortname = $ofs_mdate + 6; my $tag = 1; my $cnt = 0; my $str = ""; while($tag) { my $s = substr($data,$ofs_shortname + $cnt,1); - if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { + if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) { $tag = 0; } else { @@ -733,12 +733,12 @@ sub parseFolderEntry { $cnt++; } } -# $str =~ s/\00//g; +# $str =~ s/\x00//g; my $shortname = $str; my $ofs = $ofs_shortname + $cnt + 1; # Read progressively, 1 byte at a time, looking for 0xbeef - my $tag = 1; - my $cnt = 0; + $tag = 1; + $cnt = 0; while ($tag) { if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) { $tag = 0; 
@@ -750,10 +750,10 @@ sub parseFolderEntry { $item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2)); $ofs = $ofs + $cnt + 2; - my @m = unpack("vv",substr($data,$ofs,4)); + @m = unpack("vv",substr($data,$ofs,4)); ($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]); $ofs += 4; - my @m = unpack("vv",substr($data,$ofs,4)); + @m = unpack("vv",substr($data,$ofs,4)); ($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]); my $jmp; @@ -770,9 +770,9 @@ sub parseFolderEntry { $ofs += $jmp; - my $str = substr($data,$ofs,length($data) - 30); - my $longname = (split(/\00\00/,$str,2))[0]; - $longname =~ s/\00//g; + $str = substr($data,$ofs,length($data) - 30); + my $longname = (split(/\x00\x00/,$str,2))[0]; + $longname =~ s/\x00//g; if ($longname ne "") { $item{name} = $longname; @@ -863,9 +863,9 @@ sub parseFolderEntry2 { } ::rptMsg(""); - $item{name} = (split(/\00\00/,$str,2))[0]; - $item{name} =~ s/\13\20/\2D\00/; - $item{name} =~ s/\00//g; + $item{name} = (split(/\x00\x00/,$str,2))[0]; + $item{name} =~ s/\x13\x20/\x2D\x00/; + $item{name} =~ s/\x00//g; return %item; } @@ -876,7 +876,7 @@ sub parseNetworkEntry { my $data = shift; my %item = (); $item{type} = unpack("C",substr($data,2,1)); - my @names = split(/\00/,substr($data,5,length($data) - 5)); + my @names = split(/\x00/,substr($data,5,length($data) - 5)); $item{name} = $names[0]; return %item; } @@ -890,7 +890,6 @@ sub printData { my $data = shift; my $len = length($data); my $tag = 1; - my $cnt = 0; my @display = (); my $loop = $len/16; @@ -926,4 +925,4 @@ sub printData { return @display; } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/shutdowncount.pl b/thirdparty/rr-full/plugins/shutdowncount.pl index c82f8cc414..fed7a56538 100644 --- a/thirdparty/rr-full/plugins/shutdowncount.pl +++ b/thirdparty/rr-full/plugins/shutdowncount.pl 
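Review bot: `$item{name} =~ s/\x13\x20/\x2D\x00/;` in the parseFolderEntry2 hunk at `-863` is a behaviour change, not a spelling fix: the old `\13\20` were octal escapes for 0x0B and 0x10, so the previous substitution never matched the byte pair it was presumably written for, while the new one now rewrites the UTF-16LE pair 13 20 to 2D 00. A comment stating the intent (e.g. `# map U+2013 EN DASH to '-' before NULs are stripped`, if that is what is meant) would help, and without `/g` only the first occurrence is rewritten — use `s/\x13\x20/\x2D\x00/g;` if every one is meant. The change history should record that output for such names differs from earlier versions.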
@@ -52,8 +52,7 @@ sub pluginmain {
 return
 }
- my $key_path = $ccs."\\Control\\Watchdog\\Display";
- my $key;
+ $key_path = $ccs."\\Control\\Watchdog\\Display";
 if ($key = $root_key->get_subkey($key_path)) {
 ::rptMsg("ShutdownCount");
 ::rptMsg($key_path);
@@ -80,4 +79,4 @@ sub pluginmain {
 ::logMsg($key_path." not found.");
 }
 }
-1;
\ No newline at end of file
+1;
diff --git a/thirdparty/rr-full/plugins/skype.pl b/thirdparty/rr-full/plugins/skype.pl
index aac6de219c..3c83bc65f1 100644
--- a/thirdparty/rr-full/plugins/skype.pl
+++ b/thirdparty/rr-full/plugins/skype.pl
@@ -45,17 +45,13 @@ sub pluginmain {
 ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
 ::rptMsg("");
+ my $install;
 eval {
- my $v1 = $install = $key->get_subkey("Installer")->get_value("DonwloadLastModified");
- if (defined $v1) {
- my $install = $v1->get_data()
- ::rptMsg("DonwloadLastModified = ".$install);
- }
- else {
- ::rptMsg("DonwloadLastModified value not found");
- }
+ $install = $key->get_subkey("Installer")->get_value("DonwloadLastModified")->get_data();
+ ::rptMsg("DonwloadLastModified = ".$install);
 };
 ::rptMsg("DonwloadLastModified value not found: ".$@) if ($@);
+
 }
 else {
 ::rptMsg($key_path." not found.");
diff --git a/thirdparty/rr-full/plugins/software b/thirdparty/rr-full/plugins/software
index 24d62ad19e..68e724d448 100644
--- a/thirdparty/rr-full/plugins/software
+++ b/thirdparty/rr-full/plugins/software
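Review bot: The shutdowncount.pl hunk at `-52` replaces `my $key_path`/`my $key` with plain assignments, so the new code now depends on an earlier `my $key_path` and `my $key` in the same sub that lie outside the hunk; under `use strict` an undeclared variable here is a compile-time failure, not a runtime one. The same edit is made in ssid, stillimage, tsclient, tsclient_tln, usb, usbdevices, usbstor, usbstor2, usbstor3, vncviewer, winbackup and wpdbusenum, so a `perl -c` over each changed plugin is the cheapest way to confirm none of them lost its only declaration. pluginmain begins outside the hunk in every case.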
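Review bot: In the skype.pl hunk the `eval` chains `$key->get_subkey("Installer")->get_value("DonwloadLastModified")->get_data()`, so a missing Installer subkey and a missing value both die with a "Can't call method ... on an undefined value" error that is then reported as `DonwloadLastModified value not found: ...`, misreporting a missing key as a missing value. Test the subkey first inside the eval, e.g. `my $inst = $key->get_subkey("Installer") or die "Installer subkey not found\n";`, so the reported reason is accurate. The value name is spelled `DonwloadLastModified` in both old and new code; if that spelling does not match what the hive actually stores, the lookup silently reports not-found, so it is worth confirming against a known Skype NTUSER.DAT.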
@@ -1,33 +1,61 @@ -# 20120528 *ALL* Plugins that apply on SOFTWARE hive, alphabetical order +# 20161213 *ALL* Plugins that apply on SOFTWARE hive, alphabetical order +ahaha appinitdlls apppaths +apppaths_tln assoc +at +at_tln +audiodev banner bho bitbucket +btconfig clsid cmd_shell +cmd_shell_tln codeid ctrlpnl -defbrowser +dcom +dfrg direct +direct_tln disablesr drivers32 drwatson emdmgmt +esent +etos +gauss +gpohist +gpohist_tln +handler ie_version +ie_zones imagefile init_dlls +inprocserver installedcomp installer +javasoft kb950582 landesk +landesk_tln +lastloggedon +lazyshell +licenses +logmein +logmein_tln macaddr mrt msis +netsh networkcards networklist +networklist_tln networkuid +opencandy +port_dev product profilelist regback @@ -43,17 +71,28 @@ snapshot soft_run spp_clients sql_lastconnect +srun_tln ssid startmenuinternetapps_lm +susclient svchost +systemindex +teamviewer tracing -uninstall -urlzone +tracing_tln +trappoll uac +uninstall +uninstall_tln +urlzone virut -win_cv +volinfocache +wbem winbackup +win_cv +winevt winlogon +winlogon_tln winnt_cv winver -yahoo_lm \ No newline at end of file +yahoo_lm diff --git a/thirdparty/rr-full/plugins/ssid.pl b/thirdparty/rr-full/plugins/ssid.pl index 082944088a..5a17305672 100644 --- a/thirdparty/rr-full/plugins/ssid.pl +++ b/thirdparty/rr-full/plugins/ssid.pl @@ -109,8 +109,7 @@ sub pluginmain { # Now, go to the EAPOL key, locate the appropriate subkeys and parse out # any available SSIDs # EAPOL is Extensible Authentication Protocol over LAN - my $key_path = "Microsoft\\EAPOL\\Parameters\\Interfaces"; - my $key; + $key_path = "Microsoft\\EAPOL\\Parameters\\Interfaces"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg(""); ::rptMsg($key_path); @@ -182,4 +181,4 @@ sub parseEAPOLData { return substr($data,0x14,$size); } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/stillimage.pl b/thirdparty/rr-full/plugins/stillimage.pl index 2a935db1b4..e1ed06788d 100644 
--- a/thirdparty/rr-full/plugins/stillimage.pl +++ b/thirdparty/rr-full/plugins/stillimage.pl @@ -55,8 +55,7 @@ sub pluginmain { return; } - my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}"; - my $key; + $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}"; if ($key = $root_key->get_subkey($key_path)) { my @subkeys = $key->get_list_of_subkeys(); @@ -89,8 +88,7 @@ sub pluginmain { # http://msdn.microsoft.com/en-us/library/ms791870.aspx # StillImage logging levels - my $key_path = $ccs."\\Control\\StillImage\\Logging"; - my $key; + $key_path = $ccs."\\Control\\StillImage\\Logging"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg(""); ::rptMsg("StillImage Logging Level"); @@ -111,4 +109,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/susclient.pl b/thirdparty/rr-full/plugins/susclient.pl index 068e97a10e..f7b8a01d14 100644 --- a/thirdparty/rr-full/plugins/susclient.pl +++ b/thirdparty/rr-full/plugins/susclient.pl @@ -90,8 +90,8 @@ sub parseSN { my $sz = unpack("C",substr($data,2,1)); $sn = substr($data,$offset,$sz); - $sn =~ s/\00//g; - $sn =~ s/\20//g; + $sn =~ s/\x00//g; + $sn =~ s/\x20//g; return $sn; } diff --git a/thirdparty/rr-full/plugins/system b/thirdparty/rr-full/plugins/system index 2b0807cd78..e84ecb9f54 100644 --- a/thirdparty/rr-full/plugins/system +++ b/thirdparty/rr-full/plugins/system @@ -1,14 +1,19 @@ -# 20120528 *ALL* Plugins that apply on SYSTEM hive, alphabetical order +# 20161213 *ALL* Plugins that apply on SYSTEM hive, alphabetical order appcertdlls appcompatcache +appcompatcache_tln auditfail backuprestore +bthport +comfoo compname crashcontrol ddm devclass +diag_sr disablelastaccess dllsearch +dnschanger eventlog eventlogs fw_config 
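Review bot: `$sn =~ s/\x20//g;` in the susclient.pl parseSN hunk changes behaviour rather than spelling: the old `\20` was octal for 0x10, so the previous code never touched spaces, whereas the new code deletes every space inside the serial number, which alters a value analysts compare against other artifacts. If whitespace trimming is the intent, `$sn =~ s/^\s+|\s+$//g;` removes only leading and trailing blanks and keeps interior ones, and the change deserves a line in the file's change history. parseSN begins outside the hunk.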
@@ -17,29 +22,43 @@ ide imagedev kbdcrash legacy +legacy_tln +lsa_packages mountdev +mountdev2 +netsvcs network nic -nic_mst2 nic2 +nic_mst2 nolmhash pagefile +pending +phdet prefetch -#This currently gets stuck in an infinite loop -#productpolicy +processor_architecture +productpolicy producttype +rdpnla rdpport +regin +remoteaccess routes safeboot +securityproviders services shares +shimcache +shimcache_tln shutdown shutdowncount stillimage svc -svc2 -svc_plus svcdll +svc_plus +svc_tln +systemindex +termcert termserv timezone usb @@ -47,5 +66,5 @@ usbdevices usbstor usbstor2 usbstor3 -xpedition wpdbusenum +xpedition diff --git a/thirdparty/rr-full/plugins/termserv.pl b/thirdparty/rr-full/plugins/termserv.pl index 387bd7e92b..94b360b7f1 100644 --- a/thirdparty/rr-full/plugins/termserv.pl +++ b/thirdparty/rr-full/plugins/termserv.pl @@ -3,6 +3,7 @@ # Plugin for Registry Ripper; # # Change history +# 20160224 - added SysProcs info # 20131007 - updated with Sticky Keys info # 20130307 - updated with autostart locations # 20100713 - Updated to include additional values, based on references @@ -12,6 +13,7 @@ # Category: Autostart # # References +# SysProcs - https://support.microsoft.com/en-us/kb/899867 # Change TS listening port number - http://support.microsoft.com/kb/187623 # Examining TS key - http://support.microsoft.com/kb/243215 # Win2K8 TS stops listening - http://support.microsoft.com/kb/954398 @@ -30,7 +32,7 @@ my %config = (hive => "System", hasDescr => 0, hasRefs => 0, osmask => 22, - version => 20130307); + version => 20160224); sub getConfig{return %config} sub getShortDescr { 
@@ -149,6 +151,19 @@ sub pluginmain {
 };
 ::rptMsg(" InitialProgram value not found\.") if ($@);
+# Added 20160224
+ eval {
+ my $sys = $ts->get_subkey("SysProcs");
+ my @vals = $sys->get_list_of_values();
+ if ((scalar @vals) > 0) {
+ ::rptMsg("SysProcs key values");
+ ::rptMsg("LastWrite: ".gmtime($sys->get_timestamp())." Z");
+ foreach my $v (@vals) {
+ ::rptMsg(" ".$v->get_name()." - ".$v->get_data());
+ }
+ }
+ };
+
 # Sticky Keys info, added 20131007
 # ref: http://www.room362.com/blog/2012/5/25/sticky-keys-and-utilman-against-nla.html
 eval {
diff --git a/thirdparty/rr-full/plugins/timezone.pl b/thirdparty/rr-full/plugins/timezone.pl
index c4ddb31841..e45be3ec85 100644
--- a/thirdparty/rr-full/plugins/timezone.pl
+++ b/thirdparty/rr-full/plugins/timezone.pl
@@ -4,6 +4,7 @@
 # contents of the TimeZoneInformation key
 #
 # Change history
+# 20160318 - added display of TimeZoneKeyName value
 # 20130830 - updated
 # 20080324 - created
 #
@@ -24,7 +25,7 @@ my %config = (hive => "System",
 hasDescr => 0,
 hasRefs => 0,
 osmask => 22,
- version => 20130830);
+ version => 20160318);
 sub getConfig{return %config}
 sub getShortDescr {
@@ -73,6 +74,7 @@ sub pluginmain {
 ::rptMsg(" Bias -> ".$b." (".($b/60)." hours)");
 ::rptMsg(" ActiveTimeBias -> ".$a." (".($a/60)." hours)");
+ ::rptMsg(" TimeZoneKeyName-> ".$tz_vals{"TimeZoneKeyName"}) if exists ($tz_vals{"TimeZoneKeyName"});
 }
 else {
diff --git a/thirdparty/rr-full/plugins/trustrecords.pl b/thirdparty/rr-full/plugins/trustrecords.pl
index aa25fec500..a32501a29e 100644
--- a/thirdparty/rr-full/plugins/trustrecords.pl
+++ b/thirdparty/rr-full/plugins/trustrecords.pl
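Review bot: The new SysProcs block in termserv.pl is a bare `eval` with no `$@` check, so when the `SysProcs` subkey is absent `$sys->get_list_of_values()` dies on an undefined value and nothing at all is printed, unlike the `InitialProgram value not found` line directly above it. Add `::rptMsg(" SysProcs key not found\.") if ($@);` after the block, and consider an explicit `else { ::rptMsg("SysProcs key present, no values"); }` for the empty case, so an analyst can tell "not present" from "present but empty". This plugin is in the Autostart category and SysProcs is cited as such in the new header reference, so a silent skip is the wrong default here. pluginmain begins and ends outside the hunk.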
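Review bot: `" TimeZoneKeyName-> "` in the timezone.pl `-73` hunk is missing the space before `->` that the `Bias` and `ActiveTimeBias` lines above it use, so the new line breaks the column alignment of the report. Use `::rptMsg(" TimeZoneKeyName -> ".$tz_vals{"TimeZoneKeyName"}) if exists ($tz_vals{"TimeZoneKeyName"});`. The postfix `if exists (...)` is fine, but the surrounding lines use parenthesised conditions, so `if (exists $tz_vals{"TimeZoneKeyName"})` would match the file's style.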
@@ -4,9 +4,11 @@ # the default security settings for the application # # Change history +# 20160224 - modified per Mari's blog post # 20120716 - created # # References +# http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html # ForensicArtifacts.com posting by Andrew Case: # http://forensicartifacts.com/2012/07/ntuser-trust-records/ # http://archive.hack.lu/2010/Filiol-Office-Documents-New-Weapons-of-Cyberwarfare-slides.pdf @@ -18,15 +20,16 @@ package trustrecords; use strict; my %config = (hive => "NTUSER\.DAT", + category => "User Activity", hasShortDescr => 1, hasDescr => 0, hasRefs => 0, osmask => 22, - version => 20120716); + version => 20160224); sub getConfig{return %config} sub getShortDescr { - return "Gets user's Office 2010 TrustRecords values"; + return "Get user's MSOffice TrustRecords values"; } sub getDescr{} sub getRefs {} @@ -34,7 +37,12 @@ sub getHive {return $config{hive};} sub getVersion {return $config{version};} my $VERSION = getVersion(); - +my $office_version; +my %vba = (1 => "Enable all macros", + 2 => "Disable all macros w/ notification", + 3 => "Disalbe all macros except dig. signed macros", + 4 => "Disalbe all macros w/o notification"); + sub pluginmain { my $class = shift; my $ntuser = shift; 
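Review bot: The `%vba` table added in the trustrecords.pl `-34` hunk carries two typos into analyst-facing output: `3 => "Disalbe all macros except dig. signed macros"` and `4 => "Disalbe all macros w/o notification"` should read `Disable`. A short comment above the hash naming where the value-to-setting mapping comes from (the az4n6 reference added in the header, if that is the source) would let a reviewer verify it, e.g. `# VBAWarnings DWORD -> macro security setting; see reference above`. `my $office_version;` is declared at file scope and assigned in pluginmain; a file-scope comment saying it holds the most recent Office version with a `User Settings` subkey would explain why it is not lexical to the sub.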
@@ -43,43 +51,63 @@ sub pluginmain { my $root_key = $reg->get_root_key; ::rptMsg("trustrecords v.".$VERSION); + ::rptMsg(""); # First, let's find out which version of Office is installed my @version; + my $key; my $key_path = "Software\\Microsoft\\Office"; - if (my $key = $root_key->get_subkey($key_path)) { + if ($key = $root_key->get_subkey($key_path)) { my @subkeys = $key->get_list_of_subkeys(); foreach my $s (@subkeys) { my $name = $s->get_name(); push(@version,$name) if ($name =~ m/^\d/); } } - +# Determine MSOffice version in use my @v = reverse sort {$a<=>$b} @version; -# ::rptMsg("Office version = ".$v[0]); + foreach my $i (@v) { + eval { + if (my $o = $key->get_subkey($i."\\User Settings")) { + $office_version = $i; + } + }; + } # Now that we have the most recent version of Office installed, let's # start looking at the various subkeys my @apps = ("Word","PowerPoint","Excel","Access"); - my $key_path = "Software\\Microsoft\\Office\\".$v[0]; + $key_path = "Software\\Microsoft\\Office\\".$office_version; foreach my $app (@apps) { - my $app_path = $key_path."\\".$app."\\Security\\Trusted Documents"; - ::rptMsg($app); + ::rptMsg("**".$app."**"); + ::rptMsg("-" x 10); + my $app_path = $key_path."\\".$app."\\Security"; + eval { + if (my $sec = $root_key->get_subkey($app_path)) { + ::rptMsg("Security key LastWrite: ".gmtime($sec->get_timestamp())." 
Z"); + my $w = $sec->get_value("VBAWarnings")->get_data(); + ::rptMsg("VBAWarnings = ".$vba{$w}); + ::rptMsg(""); + } + }; +# Trusted Documents/Trust Records + $app_path = $key_path."\\".$app."\\Security\\Trusted Documents"; if (my $app_key = $root_key->get_subkey($app_path)) { - my $lastpurge = $app_key->get_value("LastPurgeTime")->get_data(); - ::rptMsg("LastPurgeTime = ".gmtime($lastpurge)); - if (my $trust = $app_key->get_subkey("TrustRecords")) { my @vals = $trust->get_list_of_values(); - foreach my $v (@vals) { - my ($t0,$t1) = (unpack("VV",substr($v->get_data(),0,8))); + my $data = $v->get_data(); + my ($t0,$t1) = (unpack("VV",substr($data,0,8))); my $t = ::getTime($t0,$t1); - ::rptMsg(gmtime($t)." -> ".$v->get_name()); + ::rptMsg(gmtime($t)." Z : ".$v->get_name()); + + my $e = unpack("V",substr($data, length($data) - 4, 4)); + ::rptMsg("**Enable Content button clicked.") if ($e == 2147483647); } } } ::rptMsg(""); + } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/trustrecords_tln.pl b/thirdparty/rr-full/plugins/trustrecords_tln.pl index e7d24aae27..747bc011ec 100644 --- a/thirdparty/rr-full/plugins/trustrecords_tln.pl +++ b/thirdparty/rr-full/plugins/trustrecords_tln.pl @@ -4,9 +4,11 @@ # the default security settings for the application # # Change history +# 20160224 - modified per Mari's blog post # 20120717 - created; modified from trustrecords.pl plugin # # References +# http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html # ForensicArtifacts.com posting by Andrew Case: # http://forensicartifacts.com/2012/07/ntuser-trust-records/ # http://archive.hack.lu/2010/Filiol-Office-Documents-New-Weapons-of-Cyberwarfare-slides.pdf 
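Review bot: In the trustrecords.pl pluginmain hunk, `::rptMsg("VBAWarnings = ".$vba{$w});` prints an empty string for any value not in `%vba`, and `$e == 2147483647` is an unexplained magic number; use `::rptMsg("VBAWarnings = ".(exists $vba{$w} ? $vba{$w} : "Unknown (".$w.")"));` so an unexpected setting stays visible, and name the constant, e.g. `my $ENABLE_CONTENT = 0x7FFFFFFF; # final DWORD of a TrustRecords value when Enable Content was clicked, per the az4n6 reference`. `$office_version` stays undefined when no `User Settings` subkey is found, after which `$key_path` ends in `Office\\` and every per-app lookup silently fails; an explicit `unless (defined $office_version) { ::rptMsg("No Office version with User Settings found."); return; }` before the `@apps` loop makes that case visible. `unpack("V",substr($data, length($data) - 4, 4))` also assumes at least 4 bytes of data; guard with `length($data) >= 4`. pluginmain's opening line is outside this hunk.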
@@ -18,15 +20,16 @@ package trustrecords_tln;
 use strict;
 my %config = (hive => "NTUSER\.DAT",
+ category => "User Activity",
 hasShortDescr => 1,
 hasDescr => 0,
 hasRefs => 0,
 osmask => 22,
- version => 20120717);
+ version => 20160224);
 sub getConfig{return %config}
 sub getShortDescr {
- return "Gets user's Office 2010 TrustRecords values; TLN output";
+ return "Get user's MSOffice TrustRecords values";
 }
 sub getDescr{}
 sub getRefs {}
@@ -34,6 +37,7 @@ sub getHive {return $config{hive};}
 sub getVersion {return $config{version};}
 my $VERSION = getVersion();
+my $office_version;
 sub pluginmain {
 my $class = shift;
@@ -45,8 +49,9 @@ sub pluginmain {
 # ::rptMsg("trustrecords v.".$VERSION);
 # First, let's find out which version of Office is installed
 my @version;
+ my $key;
 my $key_path = "Software\\Microsoft\\Office";
- if (my $key = $root_key->get_subkey($key_path)) {
+ if ($key = $root_key->get_subkey($key_path)) {
 my @subkeys = $key->get_list_of_subkeys();
 foreach my $s (@subkeys) {
 my $name = $s->get_name();
@@ -54,33 +59,41 @@ sub pluginmain { } } +# Determine MSOffice version in use my @v = reverse sort {$a<=>$b} @version; -# ::rptMsg("Office version = ".$v[0]); - + foreach my $i (@v) { + eval { + if (my $o = $key->get_subkey($i."\\User Settings")) { + $office_version = $i; + } + }; + } + ::rptMsg("Version: ".$office_version); # Now that we have the most recent version of Office installed, let's # start looking at the various subkeys my @apps = ("Word","PowerPoint","Excel","Access"); - my $key_path = "Software\\Microsoft\\Office\\".$v[0]; + $key_path = "Software\\Microsoft\\Office\\".$office_version; foreach my $app (@apps) { my $app_path = $key_path."\\".$app."\\Security\\Trusted Documents"; # ::rptMsg($app); if (my $app_key = $root_key->get_subkey($app_path)) { -# my $lastpurge = $app_key->get_value("LastPurgeTime")->get_data(); -# ::rptMsg("LastPurgeTime = ".gmtime($lastpurge)); if (my $trust = $app_key->get_subkey("TrustRecords")) { my @vals = $trust->get_list_of_values(); foreach my $v (@vals) { - my ($t0,$t1) = (unpack("VV",substr($v->get_data(),0,8))); + my $data = $v->get_data(); + my ($t0,$t1) = (unpack("VV",substr($data,0,8))); my $t = ::getTime($t0,$t1); -# ::rptMsg(gmtime($t)." -> ".$v->get_name()); - ::rptMsg($t."|REG|||TrustRecords - ".$v->get_name()); + my $descr = "TrustRecords - ".$v->get_name(); + my $e = unpack("V",substr($data, length($data) - 4, 4)); + $descr = $descr." [Enable Content button clicked]" if ($e == 2147483647); + ::rptMsg($t."|REG|||".$descr); } } } # ::rptMsg(""); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/tsclient.pl b/thirdparty/rr-full/plugins/tsclient.pl index 755d3a9626..923bf50fe4 100644 --- a/thirdparty/rr-full/plugins/tsclient.pl +++ b/thirdparty/rr-full/plugins/tsclient.pl 
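Review bot: `::rptMsg("Version: ".$office_version);` in the trustrecords_tln.pl `-54` hunk emits a line that is not in the `time|REG|||descr` form, so it corrupts the timeline output a `_tln` plugin exists to produce (every other non-TLN line in this file is commented out). Drop it or comment it out like the `# ::rptMsg($app);` line below it. The same undefined-`$office_version` fallthrough as in trustrecords.pl applies: when no `User Settings` subkey matches, `$key_path` ends in `Office\\` and nothing is reported, with no message. The `-18` hunk also changes the short description to drop "TLN output", so the two plugins now have identical descriptions in the plugin list; keeping "(TLN format)" as uninstall_tln.pl does would disambiguate them.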
@@ -71,8 +71,7 @@ sub pluginmain { } ::rptMsg(""); - my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers'; - my $key; + $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers'; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg($key_path); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); @@ -100,4 +99,4 @@ sub pluginmain { } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/tsclient_tln.pl b/thirdparty/rr-full/plugins/tsclient_tln.pl index dce835ef3d..4ce0880317 100644 --- a/thirdparty/rr-full/plugins/tsclient_tln.pl +++ b/thirdparty/rr-full/plugins/tsclient_tln.pl @@ -64,8 +64,7 @@ sub pluginmain { } ::rptMsg(""); - my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers'; - my $key; + $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers'; if ($key = $root_key->get_subkey($key_path)) { # ::rptMsg($key_path); # ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); @@ -94,4 +93,4 @@ sub pluginmain { } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/uac.pl b/thirdparty/rr-full/plugins/uac.pl index b0cbb1b460..372a594376 100644 --- a/thirdparty/rr-full/plugins/uac.pl +++ b/thirdparty/rr-full/plugins/uac.pl @@ -28,7 +28,7 @@ my %config = (hive => "Software", sub getConfig{return %config} sub getShortDescr { - return "Get Select User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"; + return "Get Select User Account Control (UAC) Values from HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"; } sub getDescr{} sub getRefs {} diff --git a/thirdparty/rr-full/plugins/uninstall.pl b/thirdparty/rr-full/plugins/uninstall.pl index 94f99e1a77..2457e77470 100644 --- a/thirdparty/rr-full/plugins/uninstall.pl +++ b/thirdparty/rr-full/plugins/uninstall.pl 
@@ -32,7 +32,7 @@ my %config = (hive => "Software, NTUSER\.DAT", sub getConfig{return %config} sub getShortDescr { - return "Gets contents of Uninstall keys from Software, NTUSER\.DAT hives"; + return "Gets contents of Uninstall keys from Software, NTUSER.DAT hives"; } sub getDescr{} sub getRefs {} @@ -98,4 +98,4 @@ sub pluginmain { } } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/uninstall_tln.pl b/thirdparty/rr-full/plugins/uninstall_tln.pl index 831d771e3d..2c349852f7 100644 --- a/thirdparty/rr-full/plugins/uninstall_tln.pl +++ b/thirdparty/rr-full/plugins/uninstall_tln.pl @@ -30,7 +30,7 @@ my %config = (hive => "Software, NTUSER\.DAT", sub getConfig{return %config} sub getShortDescr { - return "Gets contents of Uninstall keys from Software, NTUSER\.DAT hives(TLN format)"; + return "Gets contents of Uninstall keys from Software, NTUSER.DAT hives(TLN format)"; } sub getDescr{} sub getRefs {} @@ -93,4 +93,4 @@ sub pluginmain { } } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/urun_tln.pl b/thirdparty/rr-full/plugins/urun_tln.pl index 80270ebdeb..fbcc3b213a 100644 --- a/thirdparty/rr-full/plugins/urun_tln.pl +++ b/thirdparty/rr-full/plugins/urun_tln.pl @@ -26,7 +26,7 @@ my %config = (hive => "NTUSER\.DAT", sub getConfig{return %config} sub getShortDescr { - return "[Autostart] Get autostart key contents from NTUSER\.DAT hive"; + return "[Autostart] Get autostart key contents from NTUSER.DAT hive"; } sub getDescr{} sub getRefs { @@ -165,4 +165,4 @@ sub getKeyValues { return %vals; } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/usb.pl b/thirdparty/rr-full/plugins/usb.pl index 6c343e0f3f..33ba031b02 100644 --- a/thirdparty/rr-full/plugins/usb.pl +++ b/thirdparty/rr-full/plugins/usb.pl 
@@ -56,8 +56,7 @@ sub pluginmain { return; } - my $key_path = $ccs."\\Enum\\USB"; - my $key; + $key_path = $ccs."\\Enum\\USB"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg("USBStor"); ::rptMsg($key_path); @@ -119,4 +118,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/usbdevices.pl b/thirdparty/rr-full/plugins/usbdevices.pl index ee3c93436c..98f6573293 100644 --- a/thirdparty/rr-full/plugins/usbdevices.pl +++ b/thirdparty/rr-full/plugins/usbdevices.pl @@ -54,8 +54,7 @@ sub pluginmain { return; } - my $key_path = $ccs."\\Enum\\USB"; - my $key; + $key_path = $ccs."\\Enum\\USB"; if ($key = $root_key->get_subkey($key_path)) { my @subkeys = $key->get_list_of_subkeys(); @@ -124,4 +123,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/usbstor.pl b/thirdparty/rr-full/plugins/usbstor.pl index 90af4c823b..f33f0b2ca7 100644 --- a/thirdparty/rr-full/plugins/usbstor.pl +++ b/thirdparty/rr-full/plugins/usbstor.pl @@ -58,8 +58,7 @@ sub pluginmain { return; } - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; + $key_path = $ccs."\\Enum\\USBStor"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg("USBStor"); ::rptMsg($key_path); @@ -121,4 +120,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/usbstor2.pl b/thirdparty/rr-full/plugins/usbstor2.pl index b62283bb1c..7a1e0120db 100644 --- a/thirdparty/rr-full/plugins/usbstor2.pl +++ b/thirdparty/rr-full/plugins/usbstor2.pl @@ -30,6 +30,8 @@ my $VERSION = getVersion(); my $reg; sub pluginmain { + ::logMsg("Launching usbstor2 v.".$VERSION); + ::rptMsg("usbstor2 v.".$VERSION); # banner my $class = shift; my $hive = shift; $reg = Parse::Win32Registry->new($hive); 
@@ -56,8 +58,7 @@ sub pluginmain { }; $comp_name = "Test" if ($@); - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; + $key_path = $ccs."\\Enum\\USBStor"; if ($key = $root_key->get_subkey($key_path)) { my @subkeys = $key->get_list_of_subkeys(); @@ -119,7 +120,7 @@ sub checkMountedDevices { next unless ($name =~ m/^\\DosDevices/); my $data = $v->get_data(); if (length($data) > 12) { - $data =~ s/\00//g; + $data =~ s/\x00//g; return $name if (grep(/$pip/,$data)); } } @@ -131,4 +132,4 @@ sub checkMountedDevices { return undef; } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/usbstor3.pl b/thirdparty/rr-full/plugins/usbstor3.pl index 5215454818..d8c1479341 100644 --- a/thirdparty/rr-full/plugins/usbstor3.pl +++ b/thirdparty/rr-full/plugins/usbstor3.pl @@ -51,8 +51,7 @@ sub pluginmain { return; } - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; + $key_path = $ccs."\\Enum\\USBStor"; if ($key = $root_key->get_subkey($key_path)) { # ::rptMsg("USBStor"); # ::rptMsg($key_path); @@ -100,4 +99,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/user_run.pl b/thirdparty/rr-full/plugins/user_run.pl index 64479d08f6..f0e6e5fbcb 100644 --- a/thirdparty/rr-full/plugins/user_run.pl +++ b/thirdparty/rr-full/plugins/user_run.pl @@ -33,7 +33,7 @@ my %config = (hive => "NTUSER\.DAT", sub getConfig{return %config} sub getShortDescr { - return "[Autostart] Get autostart key contents from NTUSER\.DAT hive"; + return "[Autostart] Get autostart key contents from NTUSER.DAT hive"; } sub getDescr{} sub getRefs { @@ -203,4 +203,4 @@ sub alertCheckADS { my $last = $list[scalar(@list) - 1]; ::alertMsg("ALERT: user_run: Poss. ADS found in path: ".$path) if grep(/:/,$last); } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/userassist.pl b/thirdparty/rr-full/plugins/userassist.pl index cb85a15a40..7d4813781c 100644 
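Review bot: `return $name if (grep(/$pip/,$data));` in the usbstor2.pl checkMountedDevices hunk interpolates `$pip` into a regex unescaped, so a value containing `+`, `(`, `[` or `?` — hive contents are untrusted input — either mis-matches or fails to compile and dies; `grep` over a single scalar is also just a disguised match. Use `return $name if ($data =~ m/\Q$pip\E/);` or `return $name if (index($data,$pip) >= 0);`. checkMountedDevices begins outside the hunk, so where `$pip` originates (presumably a ParentIdPrefix read from the hive) cannot be confirmed here.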
--- a/thirdparty/rr-full/plugins/userassist.pl
+++ b/thirdparty/rr-full/plugins/userassist.pl
@@ -5,6 +5,7 @@
 # UserAssist values
 #
 # Change history
+# 20170304 - removed alerts, added printing of values with no timestamps in the data
 # 20130603 - added alert functionality
 # 20100322 - Added CLSID list reference
 # 20100308 - created, based on original userassist.pl plugin
@@ -13,7 +14,7 @@
 # Control Panel Applets - http://support.microsoft.com/kb/313808
 # CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm
 #
-# copyright 2010 Quantum Analytics Research, LLC
+# copyright 2017 Quantum Analytics Research, LLC
 #-----------------------------------------------------------
 package userassist;
 use strict;
@@ -23,12 +24,7 @@ my %config = (hive => "NTUSER\.DAT",
 hasDescr => 0,
 hasRefs => 0,
 osmask => 22,
- version => 20130603);
-
-my @paths = ("recycle","globalroot","temp","system volume information","appdata",
- "application data");
-
-my @alerts = ();
+ version => 20170204);
 sub getConfig{return %config}
 sub getShortDescr {
@@ -44,7 +40,7 @@ my $VERSION = getVersion();
 sub pluginmain {
 my $class = shift;
 my $ntuser = shift;
- ::logMsg("Launching userassist2 v.".$VERSION);
+ ::logMsg("Launching userassist v.".$VERSION);
 my $reg = Parse::Win32Registry->new($ntuser);
 my $root_key = $reg->get_root_key;
@@ -78,7 +74,8 @@ sub processKey {
 my $key = $ua->get_subkey("Count");
- my %ua;
+ my %ua = ();
+ my @no_time = ();
 my $hrzr = "HRZR";
 my @vals = $key->get_list_of_values();
@@ -98,6 +95,9 @@ sub processKey {
 $count -= 5 if ($count > 5);
 push(@{$ua{$time_value}},$value_name." (".$count.")");
 }
+ else {
+ push(@no_time,$value_name);
+ }
 }
 # Windows 7
 elsif (length($data) == 72) {
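Review bot: The userassist.pl `-23` hunk sets `version => 20170204` while the change-history entry added in the same commit reads `20170304`, so the plugin reports a version that does not match its own history; one of them is a typo and they should agree (`version => 20170204);` → `version => 20170304);` if the history date is the right one). Removing `@paths` and `@alerts` means the `ALERT: userassist:` lines disappear from reports, which the history entry states, but consumers that grep for those alerts should be told in the commit message as well. The `-78` hunk's `my @no_time = ();` would read better with a comment, e.g. `# value names whose data carries no timestamp; reported separately`.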
@@ -112,9 +112,16 @@ sub processKey { # } my $count = unpack("V",substr($data,4,4)); my @t = unpack("VV",substr($data,60,8)); - next if ($t[0] == 0 && $t[1] == 0); - my $time_val = ::getTime($t[0],$t[1]); - push(@{$ua{$time_val}},$value_name." (".$count.")"); + if ($t[0] == 0 && $t[1] == 0) { + push(@no_time,$value_name); + } + else { +# +# print "Value name: ".$value_name."\n"; +# + my $time_val = ::getTime($t[0],$t[1]); + push(@{$ua{$time_val}},$value_name." (".$count.")"); + } } else { # Nothing else to do @@ -124,22 +131,14 @@ sub processKey { ::rptMsg(gmtime($t)." Z"); foreach my $i (@{$ua{$t}}) { ::rptMsg(" ".$i); - - my $lci = lc($i); - foreach my $a (@paths) { - push(@alerts,"ALERT: userassist: ".$a." found in path: ".$i) if (grep(/$a/,$lci)); - } - } } - } - - if (scalar(@alerts) > 0) { - print "\n"; - print "Alerts:\n"; - foreach (@alerts) { - ::alertMsg($_); + ::rptMsg(""); + ::rptMsg("Value names with no time stamps:"); + foreach my $n (@no_time) { + ::rptMsg(" ".$n); } + } } 1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/usrclass b/thirdparty/rr-full/plugins/usrclass index 2f854cb1ee..fd2083b066 100644 --- a/thirdparty/rr-full/plugins/usrclass +++ b/thirdparty/rr-full/plugins/usrclass @@ -1,3 +1,5 @@ -# 20120918 *ALL* Plugins that apply on USRCLASS hive, alphabetical order -muicache -shellbags \ No newline at end of file +# 20161213 *ALL* Plugins that apply on USRCLASS hive, alphabetical order +cmd_shell_u +photos +shellbags +shellbags_tln diff --git a/thirdparty/rr-full/plugins/vista_bitbucket.pl b/thirdparty/rr-full/plugins/vista_bitbucket.pl index 9f883362d1..368c6c43c4 100644 --- a/thirdparty/rr-full/plugins/vista_bitbucket.pl +++ b/thirdparty/rr-full/plugins/vista_bitbucket.pl 
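Review bot: The `-124` hunk prints `Value names with no time stamps:` unconditionally, so every report now carries that heading even when `@no_time` is empty; wrap it as `if (scalar(@no_time) > 0) { ::rptMsg(""); ::rptMsg("Value names with no time stamps:"); ... }`. The `-112` hunk also commits a commented-out `print "Value name: ".$value_name."\n";` debug line in the Windows 7 branch that should be removed. The brace layout at the end of `-124` changed along with the removed alerts loop and processKey's closing brace is outside the hunk, so a `perl -c` of the file is worth running before merge.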
@@ -23,7 +23,7 @@ my %config = (hive => "NTUSER\.DAT", sub getConfig{return %config} sub getShortDescr { - return "Get BitBucket settings from Vista via NTUSER\.DAT"; + return "Get BitBucket settings from Vista via NTUSER.DAT"; } sub getDescr{} sub getRefs {} @@ -93,4 +93,4 @@ sub pluginmain { } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/vncviewer.pl b/thirdparty/rr-full/plugins/vncviewer.pl index 3660050adb..f6d57dad6b 100644 --- a/thirdparty/rr-full/plugins/vncviewer.pl +++ b/thirdparty/rr-full/plugins/vncviewer.pl @@ -72,8 +72,7 @@ sub pluginmain { ::rptMsg($key_path." not found."); } - my $key_path = "Software\\RealVNC\\VNCViewer4\\MRU"; - my $key; + $key_path = "Software\\RealVNC\\VNCViewer4\\MRU"; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg($key_path); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); @@ -103,4 +102,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/wallpaper.pl b/thirdparty/rr-full/plugins/wallpaper.pl index d4e1a3b160..94572b99dc 100644 --- a/thirdparty/rr-full/plugins/wallpaper.pl +++ b/thirdparty/rr-full/plugins/wallpaper.pl @@ -85,8 +85,8 @@ sub pluginmain { #----------------------------------------------------------- sub getStringValue { my $bin = shift; - my $str = (split(/\00\00/,$bin,2))[0]; - $str =~ s/\00//g; + my $str = (split(/\x00\x00/,$bin,2))[0]; + $str =~ s/\x00//g; return $str; } 1; \ No newline at end of file diff --git a/thirdparty/rr-full/plugins/winbackup.pl b/thirdparty/rr-full/plugins/winbackup.pl index 667ae68cfb..252c0abc18 100644 --- a/thirdparty/rr-full/plugins/winbackup.pl +++ b/thirdparty/rr-full/plugins/winbackup.pl 
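Review bot: `(split(/\x00\x00/,$bin,2))[0]` in the wallpaper.pl getStringValue hunk finds a NUL pair at any byte offset, not only on a UTF-16 code-unit boundary, so a path containing a character whose low byte is 0x00 (U+0100 is stored as 00 01; after an ASCII unit the bytes read xx 00 00 01) is truncated early, and the following `s/\x00//g` reduces any non-Latin character to its low byte. A boundary-safe decode is `my $str = decode("UTF-16LE", $bin); $str =~ s/\x{0}.*\z//s;`, which needs `use Encode qw(decode);` at the top of the file (Encode is core). The `-23` and `-72` hunks on this line are cosmetic.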
@@ -136,8 +136,7 @@ sub pluginmain { #status ::rptMsg(""); - my $key_path = "Microsoft\\Windows\\CurrentVersion\\WindowsBackup\\Status"; - my $key; + $key_path = "Microsoft\\Windows\\CurrentVersion\\WindowsBackup\\Status"; if ($key = $root_key->get_subkey($key_path)) { # ::rptMsg("{name}"); ::rptMsg($key_path); @@ -208,4 +207,4 @@ sub pluginmain { ::rptMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/winevt.pl b/thirdparty/rr-full/plugins/winevt.pl index 9b6b8475ff..1d59ba01f5 100644 --- a/thirdparty/rr-full/plugins/winevt.pl +++ b/thirdparty/rr-full/plugins/winevt.pl @@ -25,8 +25,9 @@ my %config = (hive => "Software", sub getConfig{return %config} sub getShortDescr { - return "Get the Windows event log policy from the Winevt'\'Channels key"; + return "Get the Windows event log policy from the Winevt\\Channels key"; } + sub getDescr{} sub getRefs {} sub getHive {return $config{hive};} @@ -44,14 +45,10 @@ sub pluginmain { my $hive = shift; my $reg = Parse::Win32Registry->new($hive); -sub getShortDescr { - return "Get the Windows event log policy from the Winevt\Channels key"; -} - -my $root_key = $reg->get_root_key; -my $key_path = "Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels"; -my $key; -if ($key = $root_key->get_subkey($key_path)) { + my $root_key = $reg->get_root_key; + my $key_path = "Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { ::rptMsg(""); ::rptMsg($key_path); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); @@ -82,4 +79,4 @@ if ($key = $root_key->get_subkey($key_path)) { } } -1; \ No newline at end of file +1; diff --git a/thirdparty/rr-full/plugins/winnt_cv.pl b/thirdparty/rr-full/plugins/winnt_cv.pl index 55e84710fd..da2f316b9a 100644 --- a/thirdparty/rr-full/plugins/winnt_cv.pl +++ b/thirdparty/rr-full/plugins/winnt_cv.pl 
@@ -4,6 +4,8 @@
 # Output sorted based on length of data
 #
 # Change History:
+# 20161123: added translation of InstallTime time (found in Win10) - Phill Moore, randomaccess3@gmail.com
+# InstallTime should match InstallDate
 # 20080609: added translation of InstallDate time
 #
 # copyright 2008 H. Carvey, keydet89@yahoo.com
@@ -16,7 +18,7 @@ my %config = (hive => "Software",
 hasDescr => 0,
 hasRefs => 0,
 osmask => 22,
- version => 20080609);
+ version => 20161123);
 sub getConfig{return %config}
 sub getShortDescr {
@@ -51,6 +53,12 @@ sub pluginmain {
 my $name = $v->get_name();
 my $data = $v->get_data();
 $data = gmtime($data)." (UTC)" if ($name eq "InstallDate");
+
+ if ($name eq "InstallTime"){
+ my @t = unpack("VV",$data);
+ $data = gmtime(::getTime($t[0],$t[1]))." (UTC)";
+ }
+
 my $len = length($data);
 next if ($name eq "");
 if ($v->get_type() == 3) {
diff --git a/thirdparty/rr-full/plugins/wordwheelquery.pl b/thirdparty/rr-full/plugins/wordwheelquery.pl
index aa25a7fba5..1a45369814 100644
--- a/thirdparty/rr-full/plugins/wordwheelquery.pl
+++ b/thirdparty/rr-full/plugins/wordwheelquery.pl
@@ -57,7 +57,7 @@ sub pluginmain {
 }
 else {
 my $data = $v->get_data();
- $data =~ s/\00//g;
+ $data =~ s/\x00//g;
 $wwq{$name} = $data;
 }
 }
diff --git a/thirdparty/rr-full/plugins/wpdbusenum.pl b/thirdparty/rr-full/plugins/wpdbusenum.pl
index da1cacd9ad..7d88ee546d 100644
--- a/thirdparty/rr-full/plugins/wpdbusenum.pl
+++ b/thirdparty/rr-full/plugins/wpdbusenum.pl
@@ -59,8 +59,7 @@ sub pluginmain {
 return;
 }
- my $key_path = $ccs."\\Enum\\WpdBusEnumRoot";
- my $key;
+ $key_path = $ccs."\\Enum\\WpdBusEnumRoot";
 if ($key = $root_key->get_subkey($key_path)) {
 my @subkeys = $key->get_list_of_subkeys();
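Review bot: The new InstallTime branch in winnt_cv.pl keys on the value name alone, so `unpack("VV",$data)` on a value shorter than 8 bytes (wrong type, or truncated) yields undef for one or both halves and `::getTime` would presumably still produce a plausible-looking but wrong timestamp instead of leaving the raw data visible. A length guard keeps the report honest, `if ($name eq "InstallTime" && length($data) >= 8) {`, with anything else falling through to the existing type-based output; I cannot tell from the hunk whether `get_data` returns the raw 8 bytes for this value's type, so confirm that against Parse::Win32Registry as well. The header comment states that InstallTime should match InstallDate; a disagreement between the two is itself something an examiner wants to see, so consider printing both on adjacent lines or noting the mismatch rather than leaving the comparison to the reader. pluginmain starts and ends outside the hunk.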
@@ -129,8 +128,7 @@ sub pluginmain {
 # number of references to USBOblivion, a tool described as being able to wipe
 # out (all) indications of USB removable storage devices being connected to
 # the system.
- my $key_path = $ccs."\\Control\\DeviceClasses\\{10497b1b-ba51-44e5-8318-a65c837b6661}";
- my $key;
+ $key_path = $ccs."\\Control\\DeviceClasses\\{10497b1b-ba51-44e5-8318-a65c837b6661}";
 if ($key = $root_key->get_subkey($key_path)) {
 ::rptMsg($key_path);
 my @subkeys = $key->get_list_of_subkeys();
@@ -156,4 +154,4 @@ sub pluginmain {
 ::rptMsg($key_path." not found.");
 }
 }
-1;
\ No newline at end of file
+1;
