Update to RegRipper 2.8 plugins

Richard Cordovano 2017-05-08 11:50:20 -04:00
parent 3e84286444
commit 2cb4d22e12
97 changed files with 1496 additions and 750 deletions


@ -4,16 +4,20 @@
# Parse Adobe Reader MRU keys
#
# Change history
# 20150717 - updated IAW Jason Hale's blog post (see ref), added
# .csv output format
# 20120716 - added version 10.0 to @versions
# 20100218 - added checks for versions 4.0, 5.0, 9.0
# 20091125 - modified output to make a bit more clear
#
# References
# http://dfstream.blogspot.com/2015/07/adobe-readers-not-so-crecentfiles.html
#
# Note: LastWrite times on c subkeys will all be the same,
# as each subkey is modified as when a new entry is added
#
# copyright 2010 Quantum Analytics Research, LLC
# copyright 2015 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package adoberdr;
use strict;
@ -23,7 +27,7 @@ my %config = (hive => "NTUSER\.DAT",
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20120716);
version => 20150717);
sub getConfig{return %config}
sub getShortDescr {
@ -41,14 +45,14 @@ sub pluginmain {
my $ntuser = shift;
::logMsg("Launching adoberdr v.".$VERSION);
::rptMsg("adoberdr v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
::rptMsg("Adoberdr v.".$VERSION);
# First, let's find out which version of Adobe Acrobat Reader is installed
my $version;
my $tag = 0;
my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0","10\.0","11\.0","12\.0");
my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0","10\.0","11\.0","12\.0","13\.0","14\.0", "DC");
foreach my $ver (@versions) {
my $key_path = "Software\\Adobe\\Acrobat Reader\\".$ver."\\AVGeneral\\cRecentFiles";
if (defined($root_key->get_subkey($key_path))) {
@ -74,10 +78,30 @@ sub pluginmain {
$num =~ s/^c//;
$arkeys{$num}{lastwrite} = $s->get_timestamp();
$arkeys{$num}{data} = $data;
eval {
$arkeys{$num}{tDIText} = $s->get_value('tDIText')->get_data();
};
eval {
$arkeys{$num}{sDate} = $s->get_value('sDate')->get_data();
$arkeys{$num}{sDate} =~ s/^D://;
};
eval {
$arkeys{$num}{uFileSize} = $s->get_value('uFileSize')->get_data();
};
eval {
$arkeys{$num}{uPageCount} = $s->get_value('uPageCount')->get_data();
};
}
::rptMsg("Most recent PDF opened: ".gmtime($arkeys{1}{lastwrite})." (UTC)");
foreach my $k (sort keys %arkeys) {
::rptMsg(" c".$k." ".$arkeys{$k}{data});
::rptMsg("Key name,file name,sDate,uFileSize,uPageCount");
foreach my $k (sort {$a <=> $b} keys %arkeys) {
::rptMsg("c".$k.",".$arkeys{$k}{data}.",".$arkeys{$k}{sDate}.",".$arkeys{$k}{uFileSize}.",".$arkeys{$k}{uPageCount});
}
}
else {
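Review bot: The new .csv row `::rptMsg("c".$k.",".$arkeys{$k}{data}.",".$arkeys{$k}{sDate}.",".$arkeys{$k}{uFileSize}.",".$arkeys{$k}{uPageCount});` writes the registry-sourced file name and the three optional values unquoted and unchecked, so a path containing a comma shifts every later column, and an entry whose sDate/uFileSize/uPageCount value is absent (the surrounding eval silently leaves the slot undef) produces an empty cell, or an uninitialized-value warning if warnings are enabled. Defaulting missing fields and quoting each cell keeps the output parseable: `my @row = map { my $v = defined $_ ? $_ : ""; $v =~ s/"/""/g; '"'.$v.'"' } ($arkeys{$k}{data}, $arkeys{$k}{sDate}, $arkeys{$k}{uFileSize}, $arkeys{$k}{uPageCount});` followed by `::rptMsg(join(",", "c".$k, @row));`. tDIText is read into `%arkeys` in the same hunk but not emitted by this row; if that is intentional a one-line comment saying so would help. pluginmain starts and ends outside this hunk.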


@ -1,6 +1,17 @@
# 20120528 *ALL* Plugins that apply on any HIVES, alphabetical order
# 20161213 *ALL* Plugins that apply on any HIVES, alphabetical order
baseline
findexes
regtime
rlo
del
del_tln
fileless
findexes
installedcomp
installer
malware
null
regtime
regtime_tln
rlo
sizes
uninstall
uninstall_tln
wallpaper


@ -2,6 +2,8 @@
# amcache.pl
#
# Change history
# 20170315 - added output for Product Name and File Description values
# 20160818 - added check for value 17
# 20131218 - fixed bug computing compile time
# 20131213 - updated
# 20131204 - created
@ -9,7 +11,7 @@
# References
# http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html
#
# Copyright (c) 2013 QAR, LLC
# Copyright (c) 2017 QAR, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package amcache;
@ -21,7 +23,7 @@ my %config = (hive => "amcache",
hasRefs => 1,
osmask => 22,
category => "program execution",
version => 20131218);
version => 20170315);
my $VERSION = getVersion();
# Functions #
@ -62,6 +64,7 @@ sub pluginmain {
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
::rptMsg("File Reference: ".$s->get_name());
::rptMsg("LastWrite : ".gmtime($s->get_timestamp())." Z");
# update 20131213: based on trial and error, it appears that not all file
# references will have all of the values, such as Path, or SHA-1
eval {
@ -72,6 +75,18 @@ sub pluginmain {
::rptMsg("Company Name : ".$s->get_value("1")->get_data());
};
eval {
::rptMsg("Product Name : ".$s->get_value("0")->get_data());
};
eval {
::rptMsg("File Descr : ".$s->get_value("c")->get_data());
};
eval {
::rptMsg("Lang Code : ".$s->get_value("3")->get_data());
};
eval {
::rptMsg("SHA-1 : ".$s->get_value("101")->get_data());
};
@ -79,21 +94,26 @@ sub pluginmain {
eval {
@t = unpack("VV",$s->get_value("11")->get_data());
$gt = gmtime(::getTime($t[0],$t[1]));
::rptMsg("Last Mod Time : ".$gt);
::rptMsg("Last Mod Time : ".$gt." Z");
};
eval {
@t = unpack("VV",$s->get_value("17")->get_data());
$gt = gmtime(::getTime($t[0],$t[1]));
::rptMsg("Last Mod Time2: ".$gt." Z");
};
eval {
@t = unpack("VV",$s->get_value("12")->get_data());
$gt = gmtime(::getTime($t[0],$t[1]));
::rptMsg("Create Time : ".$gt);
::rptMsg("Create Time : ".$gt." Z");
};
eval {
$gt = gmtime($s->get_value("f")->get_data());
# $gt = gmtime(unpack("V",$s->get_value("f")->get_data()));
::rptMsg("Compile Time : ".$gt);
::rptMsg("Compile Time : ".$gt." Z");
};
::rptMsg("");
}
}
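Review bot: The new `Last Mod Time2:` eval reads value `17` with no comment on what that value holds, and the history line `20160818 - added check for value 17` does not say either, so a reader cannot tell why two "Last Mod" lines can appear for one file reference or how they differ. A short comment above that eval, such as `# value 17: reported as "Last Mod Time2"; how it differs from value 11 is not yet confirmed`, would record the current state of knowledge without overstating it. As with the other evals here, a value shorter than eight bytes makes `unpack("VV", ...)` return undef and the line is silently skipped, which is consistent with the file's best-effort style. pluginmain starts outside this hunk.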


@ -2,6 +2,10 @@
# appcompatcache.pl
#
# History:
# 20160528 - updated code to not de-dup entries based on filename
# 20160217 - updated to correctly support Win10
# 20150611 - mod'd for Kevin Pagano
# 20150429 - updated to support Win10
# 20140724 - update based on data provided by Shafik Punja
# 20130801 - added initial Win8 support; very alpha at the moment
# 20130603 - updated alerts
@ -15,14 +19,16 @@
# 20120418 - created
#
# References:
# https://binaryforay.blogspot.com/2016/05/appcompatcacheparser-v0900-released-and.html
# Blog post: https://blog.mandiant.com/archives/2459
# Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf
# Tool: https://github.com/mandiant/ShimCacheParser
# Win10: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
#
# This plugin is based solely on the work and examples provided by Mandiant;
# thanks to them for sharing this information, and making the plugin possible.
#
# copyright 2013 Quantum Analytics Research, LLC
# copyright 2016 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appcompatcache;
@ -36,11 +42,11 @@ my %config = (hive => "System",
hasDescr => 0,
hasRefs => 0,
osmask => 31, #XP - Win7
version => 20140724);
version => 20160528);
sub getConfig{return %config}
sub getShortDescr {
return "Parse files from System hive Shim Cache";
return "Parse files from System hive AppCompatCache";
}
sub getDescr{}
sub getRefs {}
@ -49,6 +55,7 @@ sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %files;
my $str = "";
sub pluginmain {
my $class = shift;
@ -75,13 +82,18 @@ sub pluginmain {
eval {
$app_data = $appcompat->get_subkey("AppCompatibility")->get_value("AppCompatCache")->get_data();
::rptMsg($appcompat_path."\\AppCompatibility");
::rptMsg("LastWrite Time: ".gmtime($appcompat->get_subkey("AppCompatibility")->get_timestamp())." Z");
};
eval {
$app_data = $appcompat->get_subkey("AppCompatCache")->get_value("AppCompatCache")->get_data();
::rptMsg($appcompat_path."\\AppCompatCache");
::rptMsg("LastWrite Time: ".gmtime($appcompat->get_subkey("AppCompatCache")->get_timestamp())." Z");
};
# ::rptMsg("Length of data: ".length($app_data));
# probe($app_data);
my $sig = unpack("V",substr($app_data,0,4));
::rptMsg(sprintf "Signature: 0x%x",$sig);
@ -102,31 +114,37 @@ sub pluginmain {
}
elsif ($sig == 0x80) {
::rptMsg("Possible Win8 system\.");
::rptMsg(sprintf "Data Length: 0x%08x",length($app_data));
# ::rptMsg("Possible Win8 system\.");
# ::rptMsg(sprintf "Data Length: 0x%08x",length($app_data));
appWin8($app_data);
# probe($app_data);
}
elsif ($sig == 0x30) {
# Windows 10 system
appWin10($app_data);
}
else {
::rptMsg(sprintf "Unknown signature: 0x%x",$sig);
}
# this is where we print out the files
foreach my $f (keys %files) {
::rptMsg($f);
# ::rptMsg($f);
# Warnings and alerts, updated 20130603
# alertCheckPath($f);
# alertCheckADS($f);
# ::alertMsg("WARN: appcompatcache: use of cacls\.exe found: ".$f) if ($f =~ m/cacls\.exe$/);
my $modtime = $files{$f}{modtime};
if ($modtime == 0) {
$modtime = "";
}
else {
$modtime = gmtime($modtime)." Z";
}
::rptMsg("ModTime: ".gmtime($files{$f}{modtime})." Z");
::rptMsg("UpdTime: ".gmtime($files{$f}{updtime})." Z") if (exists $files{$f}{updtime});
::rptMsg("Size : ".$files{$f}{size}." bytes") if (exists $files{$f}{size});
::rptMsg("Executed") if (exists $files{$f}{executed});
::rptMsg("");
$str = $files{$f}(unknown)." ".$modtime;
$str .= " ".gmtime($files{$f}{updtime})." Z" if (exists $files{$f}{updtime});
$str .= " ".$files{$f}{size}." bytes" if (exists $files{$f}{size});
$str .= " Executed" if (exists $files{$f}{executed});
::rptMsg($str);
}
}
else {
::rptMsg($appcompat_path." not found.");
@ -160,9 +178,10 @@ sub appXP32Bit {
my ($up1,$up2) = unpack("VV",substr($x,544,8));
my $updtime = ::getTime($up1,$up2);
$files{$file}{size} = $sz;
$files{$file}{modtime} = $modtime;
$files{$file}{updtime} = $updtime;
$files{$i}(unknown) = $file;
$files{$i}{size} = $sz;
$files{$i}{modtime} = $modtime;
$files{$i}{updtime} = $updtime;
}
}
#-----------------------------------------------------------
@ -196,13 +215,10 @@ sub appWin2k3 {
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastMod: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2));
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$i}(unknown) = $file;
$files{$i}{modtime} = $t;
# $files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
$files{$i}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
}
elsif ($struct_sz == 32) {
my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvVVVVVVV",$struct);
@ -210,18 +226,13 @@ sub appWin2k3 {
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastMod: ".gmtime($t)." Z");
# ::rptMsg(" Size : ".$f0) if (($f1 == 0) && ($f0 > 3));
# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2));
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
$files{$i}(unknown) = $file;
$files{$i}{modtime} = $t;
$files{$i}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
$files{$i}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
}
else {
#
}
}
}
@ -256,12 +267,9 @@ sub appWin7 {
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastModTime: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if ($f0 & 0x2);
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if ($f0 & 0x2);
$files{$i}(unknown) = $file;
$files{$i}{modtime} = $t;
$files{$i}{executed} = 1 if ($f0 & 0x2);
}
else {
my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvV7x16",$struct);
@ -269,12 +277,9 @@ sub appWin7 {
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastModTime: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if ($f0 & 0x2);
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if ($f0 & 0x2);
$files{$i}(unknown) = $file;
$files{$i}{modtime} = $t;
$files{$i}{executed} = 1 if ($f0 & 0x2);
}
}
}
@ -286,7 +291,7 @@ sub appWin8 {
my $data = shift;
my $len = length($data);
my ($jmp, $t0, $t1, $sz, $name);
my $ct = 0;
my $ofs = unpack("V",substr($data,0,4));
while($ofs < $len) {
@ -298,9 +303,9 @@ sub appWin8 {
$sz = unpack("v",substr($data,$ofs + 20,2));
$name = substr($data,$ofs + 22,$sz);
$name =~ s/\00//g;
$files{$name}{modtime} = ::getTime($t0,$t1);
$files{$ct}(unknown) = $name;
$files{$ct}{modtime} = ::getTime($t0,$t1);
$ct++;
$ofs += ($jmp + 12);
}
# 64-bit
@ -309,10 +314,10 @@ sub appWin8 {
$sz = unpack("v",substr($data,$ofs + 0x0C,2));
$name = substr($data,$ofs + 0x0E,$sz + 2);
$name =~ s/\00//g;
($t0,$t1) = unpack("VV",substr($data,($ofs + 0x0E + $sz +2 + 8),8));
$files{$name}{modtime} = ::getTime($t0,$t1);
$files{$ct}(unknown) = $name;
$files{$ct}{modtime} = ::getTime($t0,$t1);
$ct++;
$ofs += ($jmp + 12);
}
else {
@ -320,7 +325,35 @@ sub appWin8 {
}
}
}
#-----------------------------------------------------------
# appWin10()
# Ref: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
#-----------------------------------------------------------
sub appWin10 {
my $data = shift;
my $len = length($data);
my ($tag, $sz, $t0, $t1, $name, $name_len);
my $ct = 0;
my $ofs = 0x30;
while ($ofs < $len) {
$tag = substr($data,$ofs,4);
if ($tag eq "10ts") {
$sz = unpack("V",substr($data,$ofs + 0x08,4));
$name_len = unpack("v",substr($data,$ofs + 0x0c,2));
my $name = substr($data,$ofs + 0x0e,$name_len);
$name =~ s/\00//g;
# ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x03 + $name_len,8));
($t0,$t1) = unpack("VV",substr($data,$ofs + 0x0e + $name_len,8));
$files{$ct}(unknown) = $name;
$files{$ct}{modtime} = ::getTime($t0,$t1);
$ct++;
$ofs += ($sz + 0x0c);
}
}
}
#-----------------------------------------------------------
@ -405,21 +438,6 @@ sub printData {
}
$display[$cnt] = sprintf("0x%08X %-50s %s",$cnt,$lhs,$rhs);
# my @str1 = split(//,unpack("H*",$seg));
# my @s3;
# my $str = "";
# foreach my $i (0..($n - 1)) {
# $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
#
# if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) {
# $str .= chr(hex($s3[$i]));
# }
# else {
# $str .= "\.";
# }
# }
# my $h = join(' ',@s3);
# $display[$cnt] = sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h;
}
return @display;
}
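Review bot: In the new `appWin10`, `$ofs` is only advanced inside the `if ($tag eq "10ts")` branch, so a cache blob in which any entry does not start with that tag (corrupt or truncated data, a future format change, a stray trailing block) leaves `$ofs` unchanged and `while ($ofs < $len)` never terminates; the `else { # Unknown tag }` arm in `appWin8` has the same shape. An `else { ::rptMsg(sprintf "appWin10: unexpected tag at offset 0x%x, stopping", $ofs); last; }` arm bounds the loop. Separately, now that `%files` is keyed by the insertion counter, `foreach my $f (keys %files)` in pluginmain prints entries in hash order; `foreach my $f (sort { $a <=> $b } keys %files)` preserves the cache's own order, which is the whole point of dropping the filename-keyed de-duplication. The identical `appWin10` loop is added to appcompatcache_tln.pl in this commit and needs the same guard.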


@ -2,25 +2,33 @@
# appcompatcache_tln.pl
#
# History:
# 20130509 - added additional alert/warn checks
# 20160528 - updated code to not de-dup entries based on filename
# 20160217 - updated to correctly support Win10
# 20150611 - mod'd for Kevin Pagano
# 20150429 - updated to support Win10
# 20140724 - update based on data provided by Shafik Punja
# 20130801 - added initial Win8 support; very alpha at the moment
# 20130603 - updated alerts
# 20130509 - added additional alerts/warnings
# 20130425 - added alertMsg() functionality
# 20120817 - updated to address extra data in XP data blocks
# 20120722 - updated %config hash
# 20120523 - created; updated from appcompatcache.pl
# 20120817 - updated to address issue with residual data in XP data blocks
# 20120722 - updated the %config hash
# 20120523 - updated to send all files to a single hash, and check for temp paths
# 20120515 - Updated to support 64-bit Win2003 and Vista/Win2008
# 20120424 - Modified/updated
# 20120418 - created
#
# References:
# https://binaryforay.blogspot.com/2016/05/appcompatcacheparser-v0900-released-and.html
# Blog post: https://blog.mandiant.com/archives/2459
# Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf
# Tool: https://github.com/mandiant/ShimCacheParser
# Win10: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
#
# This plugin is based solely on the work and examples provided by Mandiant;
# thanks to them for sharing this information, and making the plugin possible.
#
# copyright 2012 Quantum Analytics Research, LLC
# copyright 2016 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appcompatcache_tln;
@ -34,11 +42,11 @@ my %config = (hive => "System",
hasDescr => 0,
hasRefs => 0,
osmask => 31, #XP - Win7
version => 20130509);
version => 20160528);
sub getConfig{return %config}
sub getShortDescr {
return "Parse files from System hive Shim Cache";
return "Parse files from System hive AppCompatCache";
}
sub getDescr{}
sub getRefs {}
@ -47,11 +55,14 @@ sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %files;
my $str = "";
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching appcompatcache_tln v.".$VERSION);
::rptMsg("appcompatcache_tln v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
@ -71,15 +82,20 @@ sub pluginmain {
eval {
$app_data = $appcompat->get_subkey("AppCompatibility")->get_value("AppCompatCache")->get_data();
::rptMsg($appcompat_path."\\AppCompatibility");
::rptMsg("LastWrite Time: ".gmtime($appcompat->get_subkey("AppCompatibility")->get_timestamp())." Z");
};
eval {
$app_data = $appcompat->get_subkey("AppCompatCache")->get_value("AppCompatCache")->get_data();
::rptMsg($appcompat_path."\\AppCompatCache");
::rptMsg("LastWrite Time: ".gmtime($appcompat->get_subkey("AppCompatCache")->get_timestamp())." Z");
};
# ::rptMsg("Length of data: ".length($app_data));
# probe($app_data);
my $sig = unpack("V",substr($app_data,0,4));
# ::rptMsg(sprintf "Signature: 0x%x",$sig);
::rptMsg(sprintf "Signature: 0x%x",$sig);
if ($sig == 0xdeadbeef) {
eval {
@ -97,26 +113,32 @@ sub pluginmain {
};
}
elsif ($sig == 0x80) {
# ::rptMsg("Possible Win8 system\.");
# ::rptMsg(sprintf "Data Length: 0x%08x",length($app_data));
appWin8($app_data);
# probe($app_data);
}
elsif ($sig == 0x30) {
# Windows 10 system
appWin10($app_data);
}
else {
::rptMsg("Unknown signature");
::rptMsg(sprintf "Unknown signature: 0x%x",$sig);
}
# this is where we print out the files
foreach my $f (keys %files) {
my $str;
if (exists $files{$f}{executed}) {
$str = "M... [Program Execution] AppCompatCache - ".$f;
$str = "M... [Program Execution] AppCompatCache - ".$files{$f}(unknown);
}
else {
$str = "M... AppCompatCache - ".$f;
$str = "M... AppCompatCache - ".$files{$f}(unknown);
}
$str .= " [Size = ".$files{$f}{size}." bytes]" if (exists $files{$f}{size});
# $str .= " [Executed]" if (exists $files{$f}{executed});
$str .= " [Executed]" if (exists $files{$f}{executed});
::rptMsg($files{$f}{modtime}."|REG|||".$str);
# added 20130603
alertCheckPathTLN($f,$files{$f}{modtime});
alertCheckADSTLN($f,$files{$f}{modtime});
::alertMsg($files{$f}{modtime}."|WARN|||Use of calcs\.exe. appcompatcache_tln: ".$f) if ($f =~ m/cacls\.exe$/);
}
}
else {
@ -151,14 +173,10 @@ sub appXP32Bit {
my ($up1,$up2) = unpack("VV",substr($x,544,8));
my $updtime = ::getTime($up1,$up2);
# ::rptMsg($file);
# ::rptMsg("Size : ".$sz." bytes");
# ::rptMsg("ModTime: ".gmtime($modtime)." Z");
# ::rptMsg("UpdTime: ".gmtime($updtime)." Z");
# ::rptMsg("");
$files{$file}{size} = $sz;
$files{$file}{modtime} = $modtime;
$files{$file}{updtime} = $updtime;
$files{$i}(unknown) = $file;
$files{$i}{size} = $sz;
$files{$i}{modtime} = $modtime;
$files{$i}{updtime} = $updtime;
}
}
#-----------------------------------------------------------
@ -192,12 +210,10 @@ sub appWin2k3 {
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastMod: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2));
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
$files{$i}(unknown) = $file;
$files{$i}{modtime} = $t;
# $files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
$files{$i}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
}
elsif ($struct_sz == 32) {
my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvVVVVVVV",$struct);
@ -205,18 +221,13 @@ sub appWin2k3 {
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastMod: ".gmtime($t)." Z");
# ::rptMsg(" Size : ".$f0) if (($f1 == 0) && ($f0 > 3));
# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2));
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
$files{$i}(unknown) = $file;
$files{$i}{modtime} = $t;
$files{$i}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
$files{$i}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
}
else {
#
}
}
}
@ -251,12 +262,9 @@ sub appWin7 {
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastModTime: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if ($f0 & 0x2);
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if ($f0 & 0x2);
$files{$i}(unknown) = $file;
$files{$i}{modtime} = $t;
$files{$i}{executed} = 1 if ($f0 & 0x2);
}
else {
my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvV7x16",$struct);
@ -264,12 +272,81 @@ sub appWin7 {
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastModTime: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if ($f0 & 0x2);
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if ($f0 & 0x2);
$files{$i}(unknown) = $file;
$files{$i}{modtime} = $t;
$files{$i}{executed} = 1 if ($f0 & 0x2);
}
}
}
#-----------------------------------------------------------
# appWin8()
#-----------------------------------------------------------
sub appWin8 {
my $data = shift;
my $len = length($data);
my ($jmp, $t0, $t1, $sz, $name);
my $ct = 0;
my $ofs = unpack("V",substr($data,0,4));
while($ofs < $len) {
my $tag = unpack("V",substr($data,$ofs,4));
# 32-bit
if ($tag == 0x73746f72) {
$jmp = unpack("V",substr($data,$ofs + 8,4));
($t0,$t1) = unpack("VV",substr($data,$ofs + 12,8));
$sz = unpack("v",substr($data,$ofs + 20,2));
$name = substr($data,$ofs + 22,$sz);
$name =~ s/\00//g;
$files{$ct}(unknown) = $name;
$files{$ct}{modtime} = ::getTime($t0,$t1);
$ct++;
$ofs += ($jmp + 12);
}
# 64-bit
elsif ($tag == 0x73743030 || $tag == 0x73743031) {
$jmp = unpack("V",substr($data,$ofs + 8,4));
$sz = unpack("v",substr($data,$ofs + 0x0C,2));
$name = substr($data,$ofs + 0x0E,$sz + 2);
$name =~ s/\00//g;
($t0,$t1) = unpack("VV",substr($data,($ofs + 0x0E + $sz +2 + 8),8));
$files{$ct}(unknown) = $name;
$files{$ct}{modtime} = ::getTime($t0,$t1);
$ct++;
$ofs += ($jmp + 12);
}
else {
# Unknown tag
}
}
}
#-----------------------------------------------------------
# appWin10()
# Ref: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
#-----------------------------------------------------------
sub appWin10 {
my $data = shift;
my $len = length($data);
my ($tag, $sz, $t0, $t1, $name, $name_len);
my $ct = 0;
my $ofs = 0x30;
while ($ofs < $len) {
$tag = substr($data,$ofs,4);
if ($tag eq "10ts") {
$sz = unpack("V",substr($data,$ofs + 0x08,4));
$name_len = unpack("v",substr($data,$ofs + 0x0c,2));
my $name = substr($data,$ofs + 0x0e,$name_len);
$name =~ s/\00//g;
# ($t0,$t1) = unpack("VV",substr($data,$ofs + 0x03 + $name_len,8));
($t0,$t1) = unpack("VV",substr($data,$ofs + 0x0e + $name_len,8));
$files{$ct}(unknown) = $name;
$files{$ct}{modtime} = ::getTime($t0,$t1);
$ct++;
$ofs += ($sz + 0x0c);
}
}
}
@ -277,16 +354,15 @@ sub appWin7 {
#-----------------------------------------------------------
# alertCheckPath()
#-----------------------------------------------------------
sub alertCheckPathTLN {
sub alertCheckPath {
my $path = shift;
my $tln = shift;
$path = lc($path);
my @alerts = ("recycle","globalroot","temp","system volume information","appdata",
"application data");
foreach my $a (@alerts) {
if (grep(/$a/,$path)) {
::alertMsg($tln."|ALERT|||appcompatcache_tln: ".$a." found in path: ".$path);
::alertMsg("ALERT: appcompatcache: ".$a." found in path: ".$path);
}
}
}
@ -294,11 +370,70 @@ sub alertCheckPathTLN {
#-----------------------------------------------------------
# alertCheckADS()
#-----------------------------------------------------------
sub alertCheckADSTLN {
sub alertCheckADS {
my $path = shift;
my $tln = shift;
my @list = split(/\\/,$path);
my $last = $list[scalar(@list) - 1];
::alertMsg($tln."|ALERT|||appcompatcache_tln: Poss. ADS found in path: ".$path) if grep(/:/,$last);
::alertMsg("ALERT: appcompatcache: Poss. ADS found in path: ".$path) if grep(/:/,$last);
}
#-----------------------------------------------------------
# probe()
#
# Code the uses printData() to insert a 'probe' into a specific
# location and display the data
#
# Input: binary data of arbitrary length
# Output: Nothing, no return value. Displays data to the console
#-----------------------------------------------------------
sub probe {
my $data = shift;
my @d = printData($data);
foreach (0..(scalar(@d) - 1)) {
print $d[$_]."\n";
}
}
#-----------------------------------------------------------
# printData()
# subroutine used primarily for debugging; takes an arbitrary
# length of binary data, prints it out in hex editor-style
# format for easy debugging
#-----------------------------------------------------------
sub printData {
my $data = shift;
my $len = length($data);
my @display = ();
my $loop = $len/16;
$loop++ if ($len%16);
foreach my $cnt (0..($loop - 1)) {
# How much is left?
my $left = $len - ($cnt * 16);
my $n;
($left < 16) ? ($n = $left) : ($n = 16);
my $seg = substr($data,$cnt * 16,$n);
my $lhs = "";
my $rhs = "";
foreach my $i ($seg =~ m/./gs) {
# This loop is to process each character at a time.
$lhs .= sprintf(" %02X",ord($i));
if ($i =~ m/[ -~]/) {
$rhs .= $i;
}
else {
$rhs .= ".";
}
}
$display[$cnt] = sprintf("0x%08X %-50s %s",$cnt,$lhs,$rhs);
}
return @display;
}
1;
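Review bot: `alertCheckPathTLN($f,$files{$f}{modtime});`, `alertCheckADSTLN($f,$files{$f}{modtime});` and the `$f =~ m/cacls\.exe$/` check in pluginmain still receive `$f`, but after this change `$f` is the numeric insertion index rather than the path (the path now lives in the per-entry name field used on the `$str = "M... ..."` lines), so the path, ADS and cacls alerts can never match. In the same commit the helpers are renamed to `alertCheckPath`/`alertCheckADS` and now emit plain `ALERT: appcompatcache:` strings without the `$tln."|ALERT|||"` prefix, so if those three call lines survive on the new side the first non-empty cache dies with an undefined-subroutine error, and if they are repointed the alerts no longer follow this plugin's TLN output format. The fix is to pass the entry's name field (rendered as `(unknown)` on this page) in place of `$f` on those three lines and to keep the `...TLN` helper bodies that take the timestamp. The added `appWin10` has the non-terminating `while` loop described in the appcompatcache.pl review, and `foreach my $f (keys %files)` would need `sort { $a <=> $b }` to keep cache order. pluginmain starts outside its hunk.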


@ -76,8 +76,6 @@ sub pluginmain {
"Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers",
"Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers");
foreach my $key_path (@paths) {
# If AppCompatFlags path exists #
if ($key = $root_key->get_subkey($key_path)) {
@ -169,6 +167,60 @@ sub pluginmain {
# ::rptMsg($key_path." not found\.");
}
}
# Added check for use of AppCompat DB for persistence
# 21051021, H. Carvey
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom";
if ($key = $root_key->get_subkey($key_path)){
my @subkeys = $key->get_list_of_subkeys($key);
if (scalar @subkeys > 0) {
foreach my $sk (@subkeys) {
::rptMsg("Key name: ".$sk->get_name());
::rptMsg("LastWrite time: ".gmtime($sk->get_timestamp()));
my @vals = $sk->get_list_of_values();
if (scalar @vals > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
my ($t0,$t1) = unpack("VV",$v->get_data());
my $l = ::getTime($t0,$t1);
my $ts = gmtime($l);
::rptMsg(" ".$name." ".$ts);
}
}
::rptMsg("");
}
}
}
$key_path = "Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB";
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys($key);
if (scalar @subkeys > 0) {
foreach my $sk (@subkeys) {
my($path, $descr, $ts);
eval {
$descr = $sk->get_value("DatabaseDescription")->get_data();
::rptMsg("Description: ".$descr);
};
eval {
$path = $sk->get_value("DatabasePath")->get_data();
::rptMsg(" Path: ".$path);
};
eval {
my ($t0,$t1) = unpack("VV",$sk->get_value("DatabaseInstallTimeStamp")->get_data());
my $l = ::getTime($t0,$t1);
$ts = gmtime($l);
::rptMsg(" Install TimeStamp: ".$ts);
};
::rptMsg("");
}
}
}
}
1;
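Review bot: `my ($t0,$t1) = unpack("VV",$v->get_data());` in the new Custom block runs outside an eval, unlike every other value read in this hunk, so a value whose data is shorter than eight bytes (or a non-binary value under that key) feeds undef into `::getTime` and the plugin prints warnings or an epoch-zero timestamp instead of skipping the value. Guard it: `my $d = $v->get_data(); next unless defined $d && length($d) >= 8; my ($t0,$t1) = unpack("VV",$d);`. The comment date `21051021` is not a valid date and is presumably a mistyped 2015 date, and `$l` is a hard-to-read local name (`$epoch` would do). pluginmain's opening is outside this hunk.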


@ -130,6 +130,6 @@ sub parsePath {
}
}
}
$str =~ s/\00//g;
$str =~ s/\x00//g;
return $str;
}


@ -1,14 +1,19 @@
#-----------------------------------------------------------
# auditpol
# Get the audit policy from the Security hive file
#
# Get the audit policy from the Security hive file (Win7+)
# *Works for Win7 and Win10 at the moment
#
# History
# 20121128 - updated for later versions of Windows
# 20080327 - created
# 20151202 - created
#
# Ref:
# http://www.kazamiya.net/structure/poladtev
# http://www.kazamiya.net/en/poladtev
# http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
#
# copyright 2012 Quantum Analytics Research, LLC
# Equiv: auditpol /get /category:*
#
# copyright 2015 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package auditpol;
@ -17,20 +22,16 @@ use strict;
my %config = (hive => "Security",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
hasRefs => 0,
osmask => 22,
version => 20121128);
version => 20151202);
sub getConfig{return %config}
sub getShortDescr {
return "Get audit policy from the Security hive file";
}
sub getDescr{}
sub getRefs {
my %refs = ("How To Determine Audit Policies from the Registry" =>
"http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246120");
return %refs;
}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
@ -46,7 +47,7 @@ sub pluginmain {
my $hive = shift;
::logMsg("Launching auditpol v.".$VERSION);
::rptMsg("auditpol v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
@ -59,53 +60,169 @@ sub pluginmain {
::rptMsg("");
my $data;
my @policy;
eval {
$data = $key->get_value("")->get_data();
::rptMsg("Length of data: ".length($data)." bytes.");
# ::rptMsg("Length of data: ".length($data)." bytes.");
my $id = unpack("v",substr($data,8,2));
# ::rptMsg(sprintf "Offset value is: 0x%x",$id);
my @d = printData($data);
foreach (0..(scalar(@d) - 1)) {
::rptMsg($d[$_]);
if (length($data) == 148 && $id == 0x82) {
@policy = processWin10($data)
}
};
if ($@) {
::rptMsg("Error occurred getting data from ".$key_path);
::rptMsg(" - ".$@);
}
else {
# Check to see if auditing is enabled
my $enabled = unpack("C",substr($data,0,1));
if ($enabled) {
::rptMsg("Auditing is enabled.");
# Get audit configuration settings
my @vals = unpack("V*",$data);
::rptMsg("\tAudit System Events = ".$audit{$vals[1]});
::rptMsg("\tAudit Logon Events = ".$audit{$vals[2]});
::rptMsg("\tAudit Object Access = ".$audit{$vals[3]});
::rptMsg("\tAudit Privilege Use = ".$audit{$vals[4]});
::rptMsg("\tAudit Process Tracking = ".$audit{$vals[5]});
::rptMsg("\tAudit Policy Change = ".$audit{$vals[6]});
::rptMsg("\tAudit Account Management = ".$audit{$vals[7]});
::rptMsg("\tAudit Dir Service Access = ".$audit{$vals[8]});
::rptMsg("\tAudit Account Logon Events = ".$audit{$vals[9]});
elsif (length($data) == 138 && $id == 0x78) {
@policy = processWin7($data);
}
else {
::rptMsg("**Auditing is NOT enabled.");
my @d = printData($data);
foreach (0..(scalar(@d) - 1)) {
::rptMsg($d[$_]);
}
}
}
foreach (0..((scalar @policy) - 1)) {
my ($aud,$pol) = split(/;/,$policy[$_],2);
::rptMsg(sprintf "%-50s %-5s",$aud,$audit{$pol});
}
};
}
else {
::rptMsg($key_path." not found.");
}
}
sub processWin10 {
my $data = shift;
my @win = ("System:Security State Change;".unpack("v",substr($data,0x0c,2)),
"System:Security System Extension;".unpack("v",substr($data,0x0e,2)),
"System:System Integrity;".unpack("v",substr($data,0x10,2)),
"System:IPsec Driver;".unpack("v",substr($data,0x12,2)),
"System:Other System Events;".unpack("v",substr($data,0x14,2)),
"Logon/Logoff:Logon;".unpack("v",substr($data,0x16,2)),
"Logon/Logoff:Logoff;".unpack("v",substr($data,0x18,2)),
"Logon/Logoff:Account Lockout;".unpack("v",substr($data,0x1a,2)),
"Logon/Logoff:IPsec Main Mode;".unpack("v",substr($data,0x1c,2)),
"Logon/Logoff:IPsec Quick Mode;".unpack("v",substr($data,0x1e,2)),
"Logon/Logoff:IPsec Extended Mode;".unpack("v",substr($data,0x20,2)),
"Logon/Logoff:Special Logon;".unpack("v",substr($data,0x22,2)),
"Logon/Logoff:Other Logon/Logoff Events;".unpack("v",substr($data,0x24,2)),
"Logon/Logoff:Network Policy Server;".unpack("v",substr($data,0x26,2)),
"Logon/Logoff:User Device Claims;".unpack("v",substr($data,0x28,2)),
"Logon/Logoff:Group Membership;".unpack("v",substr($data,0x2a,2)),
"Object Access:File System;".unpack("v",substr($data,0x2c,2)),
"Object Access:Registry;".unpack("v",substr($data,0x2e,2)),
"Object Access:Kernel Object;".unpack("v",substr($data,0x30,2)),
"Object Access:SAM;".unpack("v",substr($data,0x32,2)),
"Object Access:Certification Services;".unpack("v",substr($data,0x34,2)),
"Object Access:Application Generated;".unpack("v",substr($data,0x36,2)),
"Object Access:Handle Manipulation;".unpack("v",substr($data,0x38,2)),
"Object Access:File Share;".unpack("v",substr($data,0x3a,2)),
"Object Access:Filtering Platform Packet Drop;".unpack("v",substr($data,0x3c,2)),
"Object Access:Filtering Platform Connection;".unpack("v",substr($data,0x3e,2)),
"Object Access:Other Object Access Events;".unpack("v",substr($data,0x40,2)),
"Object Access:Detailed File Share;".unpack("v",substr($data,0x42,2)),
"Object Access:Removable Storage;".unpack("v",substr($data,0x44,2)),
"Object Access:Central Policy Staging;".unpack("v",substr($data,0x46,2)),
"Privilege Use:Sensitive Privilege Use;".unpack("v",substr($data,0x48,2)),
"Privilege Use:Non Sensitive Privilege Use;".unpack("v",substr($data,0x4a,2)),
"Privilege Use:Other Privilege Use Events;".unpack("v",substr($data,0x4c,2)),
"Detailed Tracking:Process Creation;".unpack("v",substr($data,0x4e,2)),
"Detailed Tracking:Process Termination;".unpack("v",substr($data,0x50,2)),
"Detailed Tracking:DPAPI Activity;".unpack("v",substr($data,0x52,2)),
"Detailed Tracking:RPC Events;".unpack("v",substr($data,0x54,2)),
"Detailed Tracking:Plug and Play Events;".unpack("v",substr($data,0x56,2)),
"Policy Change:Audit Policy Change;".unpack("v",substr($data,0x58,2)),
"Policy Change:Authentication Policy Change;".unpack("v",substr($data,0x5a,2)),
"Policy Change:Authorization Policy Change;".unpack("v",substr($data,0x5c,2)),
"Policy Change:MPSSVC Rule-Level Policy Change;".unpack("v",substr($data,0x5e,2)),
"Policy Change:Filtering Platform Policy Change;".unpack("v",substr($data,0x60,2)),
"Policy Change:Other Policy Change Events;".unpack("v",substr($data,0x62,2)),
"Account Management:User Account Management;".unpack("v",substr($data,0x64,2)),
"Account Management:Computer Account Management;".unpack("v",substr($data,0x66,2)),
"Account Management:Security Group Management;".unpack("v",substr($data,0x68,2)),
"Account Management:Distribution Group Management;".unpack("v",substr($data,0x6a,2)),
"Account Management:Application Group Management;".unpack("v",substr($data,0x6c,2)),
"Account Management:Other Account Management Events;".unpack("v",substr($data,0x6e,2)),
"DS Access:Directory Service Access;".unpack("v",substr($data,0x70,2)),
"DS Access:Directory Service Changes;".unpack("v",substr($data,0x72,2)),
"DS Access:Directory Service Replication;".unpack("v",substr($data,0x74,2)),
"DS Access:Detailed Directory Service Replication;".unpack("v",substr($data,0x76,2)),
"Account Logon:Credential Validation;".unpack("v",substr($data,0x78,2)),
"Account Logon:Kerberos Service Ticket Operations;".unpack("v",substr($data,0x7a,2)),
"Account Logon:Other Account Logon Events;".unpack("v",substr($data,0x7c,2)),
"Account Logon:Kerberos Authentication Service;".unpack("v",substr($data,0x7e,2)));
return @win;
}
sub processWin7 {
my $data = shift;
my @win = ("System:Security State Change;".unpack("v",substr($data,0x0c,2)),
"System:Security System Extension;".unpack("v",substr($data,0x0e,2)),
"System:System Integrity;".unpack("v",substr($data,0x10,2)),
"System:IPsec Driver;".unpack("v",substr($data,0x12,2)),
"System:Other System Events;".unpack("v",substr($data,0x14,2)),
"Logon/Logoff:Logon;".unpack("v",substr($data,0x16,2)),
"Logon/Logoff:Logoff;".unpack("v",substr($data,0x18,2)),
"Logon/Logoff:Account Lockout;".unpack("v",substr($data,0x1a,2)),
"Logon/Logoff:IPsec Main Mode;".unpack("v",substr($data,0x1c,2)),
"Logon/Logoff:IPsec Quick Mode;".unpack("v",substr($data,0x1e,2)),
"Logon/Logoff:IPsec Extended Mode;".unpack("v",substr($data,0x20,2)),
"Logon/Logoff:Special Logon;".unpack("v",substr($data,0x22,2)),
"Logon/Logoff:Other Logon/Logoff Events;".unpack("v",substr($data,0x24,2)),
"Logon/Logoff:Network Policy Server;".unpack("v",substr($data,0x26,2)),
"Object Access:File System;".unpack("v",substr($data,0x28,2)),
"Object Access:Registry;".unpack("v",substr($data,0x2a,2)),
"Object Access:Kernel Object;".unpack("v",substr($data,0x2c,2)),
"Object Access:SAM;".unpack("v",substr($data,0x2e,2)),
"Object Access:Other Object Access Events;".unpack("v",substr($data,0x30,2)),
"Object Access:Certification Services;".unpack("v",substr($data,0x32,2)),
"Object Access:Application Generated;".unpack("v",substr($data,0x34,2)),
"Object Access:Handle Manipulation;".unpack("v",substr($data,0x36,2)),
"Object Access:File Share;".unpack("v",substr($data,0x38,2)),
"Object Access:Filtering Platform Packet Drop;".unpack("v",substr($data,0x3a,2)),
"Object Access:Filtering Platform Connection;".unpack("v",substr($data,0x3c,2)),
"Object Access:Detailed File Share;".unpack("v",substr($data,0x3e,2)),
"Privilege Use:Sensitive Privilege Use;".unpack("v",substr($data,0x40,2)),
"Privilege Use:Non Sensitive Privilege Use;".unpack("v",substr($data,0x42,2)),
"Privilege Use:Other Privilege Use Events;".unpack("v",substr($data,0x44,2)),
"Detailed Tracking:Process Creation;".unpack("v",substr($data,0x46,2)),
"Detailed Tracking:Process Termination;".unpack("v",substr($data,0x48,2)),
"Detailed Tracking:DPAPI Activity;".unpack("v",substr($data,0x4a,2)),
"Detailed Tracking:RPC Events;".unpack("v",substr($data,0x4c,2)),
"Policy Change:Audit Policy Change;".unpack("v",substr($data,0x4e,2)),
"Policy Change:Authentication Policy Change;".unpack("v",substr($data,0x50,2)),
"Policy Change:Authorization Policy Change;".unpack("v",substr($data,0x52,2)),
"Policy Change:MPSSVC Rule-Level Policy Change;".unpack("v",substr($data,0x54,2)),
"Policy Change:Filtering Platform Policy Change;".unpack("v",substr($data,0x56,2)),
"Policy Change:Other Policy Change Events;".unpack("v",substr($data,0x58,2)),
"Account Management:User Account Management;".unpack("v",substr($data,0x5a,2)),
"Account Management:Computer Account Management;".unpack("v",substr($data,0x5c,2)),
"Account Management:Security Group Management;".unpack("v",substr($data,0x5e,2)),
"Account Management:Distribution Group Management;".unpack("v",substr($data,0x60,2)),
"Account Management:Application Group Management;".unpack("v",substr($data,0x62,2)),
"Account Management:Other Account Management Events;".unpack("v",substr($data,0x64,2)),
"DS Access:Directory Service Access;".unpack("v",substr($data,0x66,2)),
"DS Access:Directory Service Changes;".unpack("v",substr($data,0x68,2)),
"DS Access:Directory Service Replication;".unpack("v",substr($data,0x6a,2)),
"DS Access:Detailed Directory Service Replication;".unpack("v",substr($data,0x6c,2)),
"Account Logon:Credential Validation;".unpack("v",substr($data,0x6e,2)),
"Account Logon:Kerberos Service Ticket Operations;".unpack("v",substr($data,0x70,2)),
"Account Logon:Other Account Logon Events;".unpack("v",substr($data,0x72,2)),
"Account Logon:Kerberos Authentication Service;".unpack("v",substr($data,0x74,2)));
return @win;
}
#-----------------------------------------------------------
# printData()
# subroutine used primarily for debugging; takes an arbitrary
# length of binary data, prints it out in hex editor-style
# format for easy debugging
#
# my @d = printData($data);
# foreach (0..(scalar(@d) - 1)) {
# ::rptMsg($d[$_]);
# }
#-----------------------------------------------------------
sub printData {
my $data = shift;


@ -83,8 +83,7 @@ sub pluginmain {
::logMsg($key_path." not found.");
}
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
my $key;
$key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");


@ -29,7 +29,7 @@ my %config = (hive => "NTUSER\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "Detect artifacts of a Troj\.Brisv\.A infection";
return "Detect artifacts of a Troj.Brisv.A infection";
}
sub getDescr{}
sub getRefs {}


@ -6,10 +6,11 @@
#
# Change history
# 20130115 - created
# 20170129 - added support for http://www.hexacorn.com/blog/2017/01/29/beyond-good-ol-run-key-part-59/
#
# Category:
#
# copyright 2013 Quantum Analytics Research, LLC
# copyright 2017 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package bthport;
@ -20,7 +21,7 @@ my %config = (hive => "System",
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20130115);
version => 20170129);
sub getConfig{return %config}
sub getShortDescr {
@ -38,7 +39,7 @@ sub pluginmain {
my $hive = shift;
::logMsg("Launching bthport v.".$VERSION);
::rptMsg("bthport v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
@ -91,11 +92,25 @@ sub pluginmain {
else {
::rptMsg($cn_path." not found.");
}
my $rs_path = $ccs."\\services\\BTHPORT\\Parameters\\Radio Support";
my $rs;
if ($rs = $root_key->get_subkey($rs_path)) {
::rptMsg($rs_path);
::rptMsg("LastWrite: ".gmtime($rs->get_timestamp())." UTC");
eval {
my $spt = $rs->get_value("SupportDLL")->get_data();
::rptMsg("SupportDLL = ".$spt);
};
}
else {
::rptMsg($rs_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;
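Review bot: The new `eval` that reads `SupportDLL` under the `Radio Support` key produces no output at all when the value is absent or unreadable, so the report cannot distinguish "value not present" from "value present but empty", and `$@` is never inspected. Add a fallback after the eval, `::rptMsg("SupportDLL value not found.") if ($@);`, in the same style as the `not found` lines the plugin already emits for keys. A one-line why-comment above the block, `# SupportDLL reported per the 20170129 Hexacorn reference in the header`, would tell the next reader why this value is singled out. pluginmain starts outside the hunk.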


@ -26,7 +26,7 @@ my %config = (hive => "NTUSER\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "TEST - Checks for keys set by Trojan\.Clampi PROT module";
return "TEST - Checks for keys set by Trojan.Clampi PROT module";
}
sub getDescr{}
sub getRefs {}
@ -77,8 +77,7 @@ sub pluginmain {
::rptMsg($key_path." not found.");
}
::rptMsg("");
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete";
my $key;
$key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -94,8 +93,7 @@ sub pluginmain {
::rptMsg($key_path." not found.");
}
::rptMsg("");
my $key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts";
my $key;
$key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");


@ -23,7 +23,7 @@ my %config = (hive => "USRCLASS\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "Gets shell open cmds for various file types from USRCLASS\.DAT";
return "Gets shell open cmds for various file types from USRCLASS.DAT";
}
sub getDescr{}
sub getRefs {}


@ -26,7 +26,7 @@ my %config = (hive => "NTUSER\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "Autostart - get Command Processor\\AutoRun value from NTUSER\.DAT hive";
return "Autostart - get Command Processor\\AutoRun value from NTUSER.DAT hive";
}
sub getDescr{}
sub getRefs {}


@ -25,7 +25,7 @@ my %config = (hive => "NTUSER\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "Autostart - get Command Processor\\AutoRun value from NTUSER\.DAT hive (TLN)";
return "Autostart - get Command Processor\\AutoRun value from NTUSER.DAT hive (TLN)";
}
sub getDescr{}
sub getRefs {}


@ -128,9 +128,9 @@ sub parseLastVisitedMRU {
@mrulist = split(//,$lvmru{MRUList});
delete($lvmru{MRUList});
foreach my $m (@mrulist) {
my ($file,$dir) = split(/\00\00/,$lvmru{$m},2);
$file =~ s/\00//g;
$dir =~ s/\00//g;
my ($file,$dir) = split(/\x00\x00/,$lvmru{$m},2);
$file =~ s/\x00//g;
$dir =~ s/\x00//g;
::rptMsg(" ".$m." -> EXE: ".$file);
::rptMsg(" -> Last Dir: ".$dir);
}
@ -213,8 +213,8 @@ sub parseCIDSizeMRU {
delete $mru{0xffffffff};
foreach my $m (sort {$a <=> $b} keys %mru) {
# my $file = parseStr($mru{$m});
my $file = (split(/\00\00/,$mru{$m},2))[0];
$file =~ s/\00//g;
my $file = (split(/\x00\x00/,$mru{$m},2))[0];
$file =~ s/\x00//g;
::rptMsg(" ".$file);
}
}
@ -251,18 +251,18 @@ sub parseFirstFolder {
delete $mru{0xffffffff};
foreach my $m (sort {$a <=> $b} keys %mru) {
# my $file = parseStr($mru{$m});
my @files = split(/\00\00/,$mru{$m});
my @files = split(/\x00\x00/,$mru{$m});
if (scalar(@files) == 0) {
::rptMsg(" No files listed.");
}
elsif (scalar(@files) == 1) {
$files[0] =~ s/\00//g;
$files[0] =~ s/\x00//g;
::rptMsg(" ".$files[0]);
}
elsif (scalar(@files) > 1) {
my @files2;
foreach my $file (@files) {
$file =~ s/\00//g;
$file =~ s/\x00//g;
push(@files2,$file);
}
::rptMsg(" ".join(' ',@files2));
@ -305,9 +305,9 @@ sub parseLastVisitedPidlMRU {
delete $mru{0xffffffff};
foreach my $m (sort {$a <=> $b} keys %mru) {
my ($file,$shell) = split(/\00\00/,$mru{$m},2);
$file =~ s/\00//g;
$shell =~ s/^\00//;
my ($file,$shell) = split(/\x00\x00/,$mru{$m},2);
$file =~ s/\x00//g;
$shell =~ s/^\x00//;
my $str = parseShellItem($shell);
::rptMsg(" ".$file." - ".$str);
}
@ -497,7 +497,7 @@ sub parseNetworkEntry {
my %item = ();
$item{type} = unpack("C",substr($data,2,1));
my @n = split(/\00/,substr($data,4,length($data) - 4));
my @n = split(/\x00/,substr($data,4,length($data) - 4));
$item{name} = $n[0];
$item{name} =~ s/^\W//;
return %item;
@ -537,14 +537,14 @@ sub parseFolderEntry {
($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]);
# Need to read in short name; nul-term ASCII
# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0];
# $item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0];
$ofs_shortname = $ofs_mdate + 6;
my $tag = 1;
my $cnt = 0;
my $str = "";
while($tag) {
my $s = substr($data,$ofs_shortname + $cnt,1);
if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
$tag = 0;
}
else {
@ -552,12 +552,12 @@ sub parseFolderEntry {
$cnt++;
}
}
# $str =~ s/\00//g;
# $str =~ s/\x00//g;
my $shortname = $str;
my $ofs = $ofs_shortname + $cnt + 1;
# Read progressively, 1 byte at a time, looking for 0xbeef
my $tag = 1;
my $cnt = 0;
$tag = 1;
$cnt = 0;
while ($tag) {
if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
$tag = 0;
@ -573,10 +573,10 @@ sub parseFolderEntry {
$ofs = $ofs + $cnt + 2;
my @m = unpack("vv",substr($data,$ofs,4));
@m = unpack("vv",substr($data,$ofs,4));
($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]);
$ofs += 4;
my @m = unpack("vv",substr($data,$ofs,4));
@m = unpack("vv",substr($data,$ofs,4));
($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]);
$ofs += 4;
@ -595,10 +595,10 @@ sub parseFolderEntry {
$ofs += $jmp;
# ::rptMsg(sprintf " Offset: 0x%x",$ofs);
my $str = substr($data,$ofs,length($data) - $ofs);
$str = substr($data,$ofs,length($data) - $ofs);
my $longname = (split(/\00\00/,$str,2))[0];
$longname =~ s/\00//g;
my $longname = (split(/\x00\x00/,$str,2))[0];
$longname =~ s/\x00//g;
if ($longname ne "") {
$item{name} = $longname;
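Review bot: In parseLastVisitedMRU the new line `my ($file,$dir) = split(/\x00\x00/,$lvmru{$m},2);` leaves `$dir` undefined when the value holds no double-NUL separator, so the following `$dir =~ s/\x00//g;` and the "Last Dir" report line emit uninitialized-value warnings; this is on the new side but the hunk only changes the escape spelling (`\00` and `\x00` are the same NUL byte). A guard such as `$dir = "" unless defined $dir;` before the substitution keeps the output clean. The same applies to `$shell` in parseLastVisitedPidlMRU, which is passed to parseShellItem after `$shell =~ s/^\x00//;`. The enclosing subs start and end outside these hunks.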


@ -58,7 +58,6 @@ sub pluginmain {
foreach my $s (@svcs) {
$cf_path = $ccs."\\Services\\".$s;
$cf;
if ($cf = $root_key->get_subkey($cf_path)) {
::rptMsg($cf_path);
::rptMsg("LastWrite Time ".gmtime($cf->get_subkey("Parameters")->get_timestamp())." (UTC)");


@ -41,7 +41,8 @@ sub pluginmain {
my $root_key = $reg->get_root_key;
my $key_path = "Clients\\StartMenuInternet";
if (my $key = $root_key->get_subkey($key_path)) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Default Browser Check #1");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -55,9 +56,8 @@ sub pluginmain {
::rptMsg("");
my $key_path = "Classes\\HTTP\\shell\\open\\command";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$key_path = "Classes\\HTTP\\shell\\open\\command";
if (my $key = $root_key->get_subkey($key_path)) {
::rptMsg("Default Browser Check #2");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
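Review bot: The two `$key` declarations in this file now disagree in style: the first hunk introduces a sub-scoped `my $key;` followed by `if ($key = ...)`, while the second hunk switches to an if-scoped `if (my $key = $root_key->get_subkey($key_path)) {`, which shadows the `$key` declared in the first hunk. Both forms work, but pick one; the smaller change is `if ($key = $root_key->get_subkey($key_path)) {` in the second hunk, reusing the variable already declared, which also matches how `$key_path` is now reassigned rather than redeclared. pluginmain begins and ends outside these hunks.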


@ -56,8 +56,7 @@ sub pluginmain {
return
}
# Get devices from the Disk GUID
my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
my $key;
$key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("DevClasses - Disks");
::rptMsg($key_path);
@ -90,8 +89,7 @@ sub pluginmain {
}
::rptMsg("");
# Get devices from the Volume GUID
my $key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}";
my $key;
$key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("DevClasses - Volumes");
::rptMsg($key_path);


@ -48,8 +48,7 @@ sub pluginmain {
$ccs = "ControlSet00".$current;
}
my $key_path = $ccs."\\Control\\FileSystem";
my $key;
$key_path = $ccs."\\Control\\FileSystem";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("NtfsDisableLastAccessUpdate");
::rptMsg($key_path);


@ -57,8 +57,7 @@ sub pluginmain {
}
::rptMsg("");
my $key_path = "Microsoft\\DrWatson";
my $key;
$key_path = "Microsoft\\DrWatson";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");


@ -3,23 +3,23 @@
# Extracts user's Environment paths from NTUSER.DAT
#
# Change history
# 20150910 - added check for specific value, per Hexacorn blog
# 20110830 [fpi] + banner, no change to the version number
#
# References
# http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
#
# Copyright (c) 2011-02-04 Brendan Coles <bcoles@gmail.com>
#-----------------------------------------------------------
# Require #
package environment;
use strict;
# Declarations #
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20110204);
version => 20150910);
my $VERSION = getVersion();
# Functions #
@ -32,9 +32,6 @@ sub getShortDescr {
return "Extracts user's Environment paths from NTUSER.DAT";
}
############################################################
# pluginmain #
############################################################
sub pluginmain {
# Declarations #
@ -43,8 +40,8 @@ sub pluginmain {
# Initialize #
::logMsg("Launching environment v.".$VERSION);
::rptMsg("environment v.".$VERSION); # 20110830 [fpi] + banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
::rptMsg("environment v.".$VERSION);
::rptMsg("(".getHive().") ".getShortDescr()."\n");
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key;
@ -67,23 +64,27 @@ sub pluginmain {
# Extract # all key names+values for Environment registry path #
foreach my $v (@vals) {
::rptMsg($v->get_name()." -> ".$v->get_data());
my $name = $v->get_name();
::rptMsg($name." -> ".$v->get_data());
if ($name eq "UserInitMprLogonScript") {
::rptMsg("**ALERT: UserInitMprLogonScript value found: ".$v->get_data());
}
}
# Error # key value is null #
} else {
}
else {
::rptMsg($key_path." has no values.");
}
# Error # Environment isn't here, try another castle #
} else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
# Return # obligatory new-line #
::rptMsg("");
}
# Error # oh snap! #
1;
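Review bot: The new alert check `if ($name eq "UserInitMprLogonScript")` is case-sensitive, but Windows matches registry value names case-insensitively, so a value written as `userinitmprlogonscript` or `USERINITMPRLOGONSCRIPT` is listed in the loop without the alert line; compare on a normalised name, `if (lc($name) eq "userinitmprlogonscript") {`. A short why-comment above the check, `# autostart location per the Hexacorn reference in the header`, would explain to the next reader why this one value is flagged. pluginmain starts outside the hunk.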


@ -50,8 +50,7 @@ sub pluginmain {
return
}
my $key_path = $ccs."\\Enum\\IDE";
my $key;
$key_path = $ccs."\\Enum\\IDE";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -84,8 +83,7 @@ sub pluginmain {
::logMsg($key_path." not found.");
}
my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
my $key;
$key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("DevClasses - Disks");
::rptMsg($key_path);


@ -102,8 +102,7 @@ sub pluginmain {
#
#
#-----------------------------------------------------------
my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main\\WindowsSearch';
my $key;
$key_path = 'Software\\Microsoft\\Internet Explorer\\Main\\WindowsSearch';
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("");
::rptMsg($key_path);


@ -3,6 +3,7 @@
#
#
# History
# 20141126 - minor updates
# 20141112 - added support for Wow6432Node
# 20141103 - updated to include detection for PowerLiks
# 20141030 - added GDataSoftware reference
@ -36,7 +37,7 @@ my %config = (hive => "Software","NTUSER\.DAT","USRCLASS\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20141103);
version => 20141126);
sub getConfig{return %config}
@ -61,7 +62,7 @@ sub pluginmain {
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my @paths = ("Classes\\CLSID","Wow6432Node\\Classes\\CLSID","CLSID","Wow6432Node\\CLSID");
my @paths = ("Classes\\CLSID","Classes\\Wow6432Node\\CLSID","CLSID","Wow6432Node\\CLSID");
foreach my $key_path (@paths) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
@ -80,8 +81,10 @@ sub pluginmain {
my $l = $s->get_subkey("InprocServer32")->get_value("")->get_data();
$l =~ tr/[A-Z]/[a-z]/;
::rptMsg("Possible Lurk infection found!") unless ($l eq "c:\\windows\\system32\\pngfilt\.dll");
if ($l eq "c:\\windows\\system32\\pngfilt\.dll" || $l eq "c:\\windows\\syswow64\\pngfilt\.dll") {
::rptMsg("Possible Lurk infection found!");
::rptMsg(" ".$l);
}
}
eval {
@ -95,9 +98,9 @@ sub pluginmain {
eval {
my $local = $s->get_subkey("localserver32");
my $powerliks = $local->get_value("")->get_data();
::rptMsg($s->get_name()."\\LocalServer32 key found\.");
::rptMsg(" LastWrite: ".gmtime($local->get_timestamp()));
if ($powerliks =~ m/^rundll32/) {
# ::rptMsg($s->get_name()."\\LocalServer32 key found\.");
# ::rptMsg(" LastWrite: ".gmtime($local->get_timestamp()));
if ($powerliks =~ m/^rundll32 javascript/) {
::rptMsg("**Possible PowerLiks found\.");
::rptMsg(" ".$powerliks);
}
@ -123,7 +126,7 @@ sub alertCheckPath {
$path =~ tr/[A-Z]/[a-z]/;
my @alerts = ("recycle","globalroot","temp","system volume information","appdata",
"application data","c:\\users");
"application data","programdata","c:\\users");
foreach my $a (@alerts) {
if (grep(/$a/,$path)) {
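Review bot: The Poweliks check `if ($powerliks =~ m/^rundll32 javascript/)` is case-sensitive and requires exactly one space between the two tokens, so variants such as `RunDll32  javascript` or `rundll32.exe javascript` in a LocalServer32 default value are not reported; for a detection it should match loosely, e.g. `if ($powerliks =~ m/^rundll32(?:\.exe)?\s+javascript/i) {`. The Lurk comparison above it still uses `\.` inside double-quoted strings (`"c:\\windows\\system32\\pngfilt\.dll"`), the very construct this commit removes from other plugins' getShortDescr strings, and it draws an "Unrecognized escape" warning if `use warnings` is enabled; write the paths with a plain `.`. The Lurk condition was also inverted from `unless` to `if`; if that is intended, a comment stating what a match on the stock pngfilt path signifies would help, since the hunk alone does not show which CLSID subkey is being examined. pluginmain starts and ends outside these hunks.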


@ -43,7 +43,7 @@ my %config = (hive => "NTUSER\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "Shell/Bags/1/Desktop ItemPos* value parsing; Win7 NTUSER\.DAT hives";
return "Shell/Bags/1/Desktop ItemPos* value parsing; Win7 NTUSER.DAT hives";
}
sub getDescr{}
sub getRefs {}
@ -98,8 +98,7 @@ sub pluginmain {
}
# ::rptMsg("");
# The following was added on 20130514 to address Windows XP systems
my $key_path = "Software\\Microsoft\\Windows\\ShellNoRoam\\Bags";
my $key;
$key_path = "Software\\Microsoft\\Windows\\ShellNoRoam\\Bags";
if ($key = $root_key->get_subkey($key_path)) {
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
@ -229,7 +228,7 @@ sub parseFolderItem {
my $str = "";
while($tag) {
my $s = substr($data,$ofs_shortname + $cnt,1);
if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
$tag = 0;
}
else {
@ -237,12 +236,12 @@ sub parseFolderItem {
$cnt++;
}
}
# $str =~ s/\00//g;
# $str =~ s/\x00//g;
my $shortname = $str;
my $ofs = $ofs_shortname + $cnt + 1;
# Read progressively, 1 byte at a time, looking for 0xbeef
my $tag = 1;
my $cnt = 0;
$tag = 1;
$cnt = 0;
while ($tag) {
if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
$tag = 0;
@ -254,10 +253,10 @@ sub parseFolderItem {
$item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2));
$ofs = $ofs + $cnt + 2;
my @m = unpack("vv",substr($data,$ofs,4));
@m = unpack("vv",substr($data,$ofs,4));
($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]);
$ofs += 4;
my @m = unpack("vv",substr($data,$ofs,4));
@m = unpack("vv",substr($data,$ofs,4));
($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]);
my $jmp;
@ -274,9 +273,9 @@ sub parseFolderItem {
$ofs += $jmp;
my $str = substr($data,$ofs,length($data) - 30);
my $longname = (split(/\00\00/,$str,2))[0];
$longname =~ s/\00//g;
$str = substr($data,$ofs,length($data) - 30);
my $longname = (split(/\x00\x00/,$str,2))[0];
$longname =~ s/\x00//g;
if ($longname ne "") {
$item{name} = $longname;


@ -3,7 +3,11 @@
# parses LANDESK Monitor Logs
#
#
# https://community.landesk.com/docs/DOC-3249
#
# Change history
# 20160823 - added "Current Duration" parsing
# 20160822 - updated based on client engagement
# 20130326 - added Wow6432Node path
# 20130214 - updated w/ Logon info
# 20090729 - updates, H. Carvey
@ -19,7 +23,7 @@ my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20130326);
version => 20160823);
sub getConfig{return %config}
@ -32,7 +36,7 @@ sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %ls;
my (@ts,$d);
sub pluginmain {
my $class = shift;
@ -53,18 +57,49 @@ sub pluginmain {
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
eval {
my $lw = $s->get_timestamp();
# Push the data into a hash of arrays
push(@{$ls{$lw}},$s->get_name());
};
}
::rptMsg($s->get_name());
::rptMsg(" LastWrite: ".gmtime($s->get_timestamp())." Z");
foreach my $t (reverse sort {$a <=> $b} keys %ls) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$ls{$t}}) {
::rptMsg(" $item");
}
eval {
@ts = unpack("VV",$s->get_value("Last Started")->get_data());
::rptMsg(" Last Started: ".gmtime(::getTime($ts[0],$ts[1]))." Z");
};
eval {
@ts = unpack("VV",$s->get_value("Last Duration")->get_data());
my $i = c64($ts[0],$ts[1]);
$i = $i/10000000;
::rptMsg(" Last Duration: ".$i." sec");
};
eval {
@ts = unpack("VV",$s->get_value("Current Duration")->get_data());
my $i = c64($ts[0],$ts[1]);
$i = $i/10000000;
::rptMsg(" Current Duration: ".$i." sec");
};
eval {
@ts = unpack("VV",$s->get_value("Total Duration")->get_data());
my $i = c64($ts[0],$ts[1]);
$i = $i/10000000;
::rptMsg(" Total Duration: ".$i." sec");
};
eval {
@ts = unpack("VV",$s->get_value("First Started")->get_data());
::rptMsg(" First Started: ".gmtime(::getTime($ts[0],$ts[1]))." Z");
};
eval {
::rptMsg(" Total Runs: ".$s->get_value("Total Runs")->get_data());
};
eval {
::rptMsg(" Current User: ".$s->get_value("Current User")->get_data());
};
::rptMsg("");
}
}
else {
@ -76,6 +111,7 @@ sub pluginmain {
}
}
::rptMsg("");
# update added 20130327
my @paths = ("LANDesk\\Inventory\\LogonHistory\\Logons",
"Wow6432Node\\LANDesk\\Inventory\\LogonHistory\\Logons");
@ -107,4 +143,19 @@ sub pluginmain {
}
}
# Thanks to David Cowen for sharing this code
sub c64 {
my $n1 = shift;
my $n2 = shift;
if ($n2 != 0) {
$n2 = ($n2 * 4294967296);
my $n = $n1 + $n2;
return $n;
}
else {
return $n1;
}
}
1;
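Review bot: `sub c64` is added here verbatim and again in the next file (landesk_tln, the hunk ending at `1;` after `sub c64`); the plugins already reach shared helpers through `::getTime`, so one shared helper would stop the two copies drifting, and failing that the two must be kept in sync. The sub also deserves a one-line comment, e.g. `# Combine the low/high 32-bit halves of a little-endian 64-bit value (as returned by unpack "VV") into one number`, and the callers dividing by 10000000 presumably treat the value as 100 ns ticks, which is worth stating at the first division. Separately, `my %ls;` stays at file scope but the rewritten subkey loop no longer pushes into it (the LastWrite-ordered output was dropped), so it is now dead state, and `$d` in `my (@ts,$d);` is not used in the visible hunks. pluginmain starts and ends outside these hunks.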


@ -4,6 +4,7 @@
#
#
# Change history
# 20160822 - minor updates based on client engagement
# 20130214 - updated with Logon info
# 20090729 - updates, H. Carvey
#
@ -31,7 +32,7 @@ sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %ls;
my (@f,$first);
sub pluginmain {
my $class = shift;
@ -62,17 +63,23 @@ sub pluginmain {
$user = "" if ($@);
# ::rptMsg($lw."|REG||".$user."|M... LanDesk - ".$name." key last modified");
# "Current User" value not included in "First Started" data, as the user value applies only to the
# "Last Started" value
eval {
my @f = unpack("VV",$s->get_value("First Started")->get_data());
my $first = ::getTime($f[0],$f[1]);
::rptMsg($first."|REG||".$user."|LanDesk - ".$name." First Started");
@f = unpack("VV",$s->get_value("First Started")->get_data());
$first = ::getTime($f[0],$f[1]);
::rptMsg($first."|REG|||LanDesk - ".$name." First Started");
};
eval {
my @f = unpack("VV",$s->get_value("Last Started")->get_data());
my $first = ::getTime($f[0],$f[1]);
::rptMsg($first."|REG||".$user."|LanDesk - ".$name." Last Started");
@f = unpack("VV",$s->get_value("Last Started")->get_data());
$first = ::getTime($f[0],$f[1]);
@f = unpack("VV",$s->get_value("Last Duration")->get_data());
my $i = c64($f[0],$f[1]);
$i = $i/10000000;
::rptMsg($first."|REG||".$user."|LanDesk - ".$name." Last Started, Last Duration : ".$i." sec. - Total Runs: ".$s->get_value("Total Runs")->get_data());
};
}
}
@ -115,4 +122,19 @@ sub pluginmain {
}
}
# Thanks to David Cowen for sharing this code
sub c64 {
my $n1 = shift;
my $n2 = shift;
if ($n2 != 0) {
$n2 = ($n2 * 4294967296);
my $n = $n1 + $n2;
return $n;
}
else {
return $n1;
}
}
1;
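Review bot: In the rewritten "Last Started" block, the `Last Duration` unpack and the `Total Runs` read now sit inside the same `eval` as the `Last Started` timestamp and before its `::rptMsg`, so a subkey that lacks either of those values (which the separate evals in the landesk plugin treat as optional) silently loses its Last Started timeline entry. Emit the timestamp line unconditionally once `Last Started` has been read and append the optional fields from their own evals, keeping the output format identical when all values are present. The `$user` lookup and the enclosing loop start outside the hunk.
```perl
eval {
@f = unpack("VV",$s->get_value("Last Started")->get_data());
$first = ::getTime($f[0],$f[1]);
my $extra = "";
# Duration and run count are optional; their absence must not drop the Last Started entry
eval {
my @dur = unpack("VV",$s->get_value("Last Duration")->get_data());
$extra .= ", Last Duration : ".(c64($dur[0],$dur[1])/10000000)." sec.";
};
eval {
$extra .= " - Total Runs: ".$s->get_value("Total Runs")->get_data();
};
::rptMsg($first."|REG||".$user."|LanDesk - ".$name." Last Started".$extra);
};
```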


@ -54,7 +54,7 @@ sub pluginmain {
::rptMsg("CupdTime = ".$cupd);
my $o = $key->get_subkey("\$MACHINE\.ACC\\OupdTime")->get_value("")->get_data();
my @v = unpack("VV",$c);
@v = unpack("VV",$c);
my $oupd = gmtime(::getTime($v[0],$v[1]));
::rptMsg("OupdTime = ".$oupd);
};
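Review bot: `@v = unpack("VV",$c);` unpacks the CupdTime data a second time, although the line above just read `$o` from `$MACHINE.ACC\OupdTime`, so the "OupdTime =" line reports the CupdTime timestamp; the commit only drops the redundant `my` on this line and keeps the wrong variable. Change it to `@v = unpack("VV",$o);`. The enclosing eval and pluginmain start outside the hunk.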


@ -167,7 +167,7 @@ sub parseAugM {
my $str = "";
while($tag) {
my $s = substr($data,0x16 + $cnt,1);
if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
$tag = 0;
}
else {
@ -183,18 +183,18 @@ sub parseAugM {
$item{version} = unpack("v",substr($data2,2,2));
my $ext = unpack("v",substr($data2,4,2));
my $ofs = 0x08;
$ofs = 0x08;
# Get creation time values;
# my @m = unpack("vv",substr($data,$ofs,4));
$ofs += 4;
# Get last access time values
# my @m = unpack("vv",substr($data,$ofs,4));
# @m = unpack("vv",substr($data,$ofs,4));
$ofs += 4;
$ofs += 4;
my $tag = 1;
my $cnt = 0;
my $str = "";
$tag = 1;
$cnt = 0;
$str = "";
while ($tag) {
my $s = substr($data2,$ofs + $cnt,2);
if (unpack("v",$s) == 0) {
@ -205,15 +205,15 @@ sub parseAugM {
$cnt += 2;
}
}
$str =~ s/\00//g;
$str =~ s/\x00//g;
$item{name} = $str;
$ofs += $cnt;
# ::rptMsg(sprintf " - Ofs: 0x%x Remaining Data: 0x%x",$ofs,$sz - $ofs);
if (($sz - $ofs) > 0x10) {
my $str = substr($data2,$ofs,$sz - $ofs);
$str =~ s/^\00+//;
my $s = (split(/\00/,$str,2))[0];
$str =~ s/^\x00+//;
my $s = (split(/\x00/,$str,2))[0];
$item{name} .= " (".$s.")";
}
@ -241,7 +241,7 @@ sub parseItem {
my $str = "";
while($tag) {
my $s = substr($data,$ofs + $cnt,1);
if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
$tag = 0;
}
else {
@ -258,7 +258,7 @@ sub parseItem {
my $ext = unpack("v",substr($data2,4,2));
my $ofs = 0x08;
$ofs = 0x08;
# Get creation time values;
# my @m = unpack("vv",substr($data,$ofs,4));
$ofs += 4;
@ -280,9 +280,9 @@ sub parseItem {
$ofs += $jmp;
my $tag = 1;
my $cnt = 0;
my $str = "";
$tag = 1;
$cnt = 0;
$str = "";
while ($tag) {
my $s = substr($data2,$ofs + $cnt,2);
if (unpack("v",$s) == 0) {
@ -293,7 +293,7 @@ sub parseItem {
$cnt += 2;
}
}
$str =~ s/\00//g;
$str =~ s/\x00//g;
$item{name} = $str;
$ofs += $cnt;
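Review bot: The short-name scans in parseAugM and parseItem (`while($tag)` over `my $s = substr($data,0x16 + $cnt,1);` and `substr($data,$ofs + $cnt,1)`) have no upper bound on `$cnt`; when the data holds no even-aligned NUL, `substr` past the end of the string returns undef, which never matches `m/\x00/`, so `$tag` is never cleared and the loop runs forever on a truncated or malformed value. Rewriting `\00` as `\x00` does not change that. I would add a length guard as the first statement of each loop body, e.g. `last if ($ofs + $cnt >= length($data));` (with `0x16` in place of `$ofs` in parseAugM). Both subs start outside these hunks.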


@ -72,8 +72,7 @@ sub pluginmain {
}
# Section added 17 Feb 2013, to address Trojan.Swaylib
#
my $key_path = "Software\\Microsoft\\CTF\\LangBarAddIn";
my $key;
$key_path = "Software\\Microsoft\\CTF\\LangBarAddIn";
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {


@ -63,7 +63,7 @@ sub pluginmain {
}
elsif ($len > 12) {
$data =~ s/\00//g;
$data =~ s/\x00//g;
push(@{$md{$data}},$v->get_name());
}
else {


@ -104,7 +104,7 @@ sub pluginmain {
$offset{$v->get_name()} = $o;
}
elsif ($len > 12) {
$data =~ s/\00//g;
$data =~ s/\x00//g;
push(@{$md{$data}},$v->get_name());
}
else {
@ -120,15 +120,15 @@ sub pluginmain {
}
::rptMsg("");
foreach my $v (sort keys %vol) {
next unless ($v =~ m/^\\\?\?\\Volume{/);
next unless ($v =~ m/^\\\?\?\\Volume\{/);
my $id = $v;
$id =~ s/^\\\?\?\\Volume{//;
$id =~ s/^\\\?\?\\Volume\{//;
$id =~ s/}$//;
$id =~ s/-//g;
my $l = hex(substr($id,0,8));
my $m = hex(substr($id,8,4));
my $h = hex(substr($id,12,4)) & 0x0fff;
my $h = $m | $h << 16;
$h = $m | $h << 16;
my $t = (::getTime($l,$h) - 574819200);
::rptMsg($v);
::rptMsg(" ".gmtime($t));
@ -141,7 +141,7 @@ sub pluginmain {
if ($item =~ m/^\\\?\?\\Volume/) {
my $id = $item;
$id =~ s/^\\\?\?\\Volume{//;
$id =~ s/^\\\?\?\\Volume\{//;
$id =~ s/}$//;
# $id =~ s/-//g;
# my $l = hex(substr($id,0,8));


@ -92,7 +92,7 @@ sub pluginmain {
my $l = hex(substr($id,0,8));
my $m = hex(substr($id,8,4));
my $h = hex(substr($id,12,4)) & 0x0fff;
my $h = $m | $h << 16;
$h = $m | $h << 16;
my $t2 = (::getTime($l,$h) - 574819200);
::rptMsg($t2."|REG|Server|User|".$id2." Vol GUID date");


@ -65,8 +65,7 @@ sub pluginmain {
::rptMsg("");
}
# Added for access to USRCLASS.DAT
my $key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache';
my $key;
$key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache';
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");


@ -64,8 +64,7 @@ sub pluginmain {
# ::rptMsg("");
}
# Added for access to USRCLASS.DAT
my $key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache';
my $key;
$key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache';
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");


@ -5,6 +5,7 @@
#
#
# Change History:
# 20150812 - updated to include Nla\Cache data
# 20120917 - updated to include NameType value
# 20090812 - updated code to parse DateCreated and DateLastConnected
# values; modified output, as well
@ -12,7 +13,8 @@
#
# References
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
# copyright 2015 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package networklist;
use strict;
@ -22,7 +24,7 @@ my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20120917);
version => 20150812);
sub getConfig{return %config}
@ -123,7 +125,7 @@ sub pluginmain {
foreach my $n (keys %nl) {
my $str = sprintf "%-15s Gateway Mac: ".$nl{$n}{DefaultGatewayMac},$nl{$n}{ProfileName};
::rptMsg($nl{$n}{ProfileName});
::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." UTC");
::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." Z");
::rptMsg(" DateLastConnected: ".$nl{$n}{DateLastConnected});
::rptMsg(" DateCreated : ".$nl{$n}{DateCreated});
::rptMsg(" DefaultGatewayMac: ".$nl{$n}{DefaultGatewayMac});
@ -139,6 +141,18 @@ sub pluginmain {
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
# Get NLA info
$key_path = $base_path."\\Nla\\Cache\\Intranet";
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
::rptMsg(sprintf "%-26s %-30s","Date","Domain/IP");
foreach my $s (@subkeys) {
::rptMsg(sprintf "%-26s %-30s",gmtime($s->get_timestamp())." Z",$s->get_name());
}
}
}
}
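Review bot: The new `Nla\Cache\Intranet` block has no `else` branch, while the key lookup just above it in the same sub reports `::rptMsg($key_path." not found.");` when the subkey is missing, so a hive without that key produces no output at all for this section and the reader cannot tell "absent" from "empty". Adding `else { ::rptMsg($key_path." not found."); }` after the `if` keeps the report consistent with the rest of the plugin. The same block is duplicated in networklist_tln.pl in this commit. The enclosing `pluginmain` starts outside this hunk.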


@ -5,6 +5,7 @@
#
#
# Change History:
# 20150812 - updated to include Nla\Cache data
# 20120608 - updated from networklist.pl to add TLN output
# 20090812 - updated code to parse DateCreated and DateLastConnected
# values; modified output, as well
@ -12,7 +13,7 @@
#
# References
#
# copyright 2012 Quantum Analytics Research, LLC
# copyright 2015 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package networklist_tln;
@ -23,7 +24,7 @@ my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20120608);
version => 20150812);
sub getConfig{return %config}
@ -130,6 +131,18 @@ sub pluginmain {
::rptMsg($nl{$n}{LastWrite}."|REG|||[".$nl{$n}{Type}." Connect] - Last Connected to ".$nl{$n}{ProfileName}." (".$nl{$n}{DefaultGatewayMac}.")");
}
# Get NLA info
$key_path = $base_path."\\Nla\\Cache\\Intranet";
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg($s->get_timestamp()."|REG|||First connected to: ".$s->get_name());
}
}
}
}
else {
# ::rptMsg($key_path." has not subkeys");
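Review bot: The TLN line `::rptMsg($s->get_timestamp()."|REG|||First connected to: ".$s->get_name());` labels a subkey LastWrite time as "First connected", whereas networklist.pl in this commit reports the same subkeys under the neutral heading "Date"; a key's LastWrite time is updated whenever the key is modified, so "first" asserts more than the timestamp guarantees and the two plugins now disagree on what the value means. A neutral description such as `"|REG|||Nla\\Cache\\Intranet entry: "` would keep the timeline accurate and consistent with the non-TLN output. The enclosing `pluginmain` starts and ends outside this hunk.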


@ -1,15 +1,15 @@
#-----------------------------------------------------------
# nic2.pl
#
#
# Change history
# 20150812 - included updates from Yogesh Khatri
# 20100401 - created
#
# References
# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx
# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx
#
# copyright 2010 Quantum Analytics Research, LLC
# copyright 2015 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package nic2;
use strict;
@ -19,7 +19,7 @@ my %config = (hive => "System",
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100401);
version => 20150812);
sub getConfig{return %config}
sub getShortDescr {
@ -39,7 +39,7 @@ sub pluginmain {
my $ccs;
::logMsg("Launching nic2 v.".$VERSION);
::rptMsg("nic2 v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
@ -65,10 +65,36 @@ sub pluginmain {
my $data = $v->get_data();
$data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2");
$data = gmtime($data)." Z" if ($name =~ m/Time$/);
$data = pack("h*",reverse $data) if (uc($name) eq uc("DhcpNetworkHint")); # SSID nibbles reversed //YK
::rptMsg(sprintf " %-28s %-20s",$name,$data);
}
::rptMsg("");
};
# Parse subfolders having similar data for different wifi access points , key name is SSID (nibbles reversed) //YK
my @ssids = $g->get_list_of_subkeys();
if (scalar @ssids > 0) {
foreach my $ssid (@ssids) {
::rptMsg("Adapter: ".$g->get_name()."/".$ssid->get_name());
my $ssid_realname = pack("h*",reverse $ssid->get_name());
::rptMsg("SSID Decoded: ".$ssid_realname);
::rptMsg("LastWrite Time: ".gmtime($ssid->get_timestamp())." Z");
eval {
my @vals = $ssid->get_list_of_values();
foreach my $v (@vals) {
my $name = $v->get_name();
my $data = $v->get_data();
$data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2");
$data = gmtime($data)." Z" if ($name =~ m/Time$/);
$data = pack("h*",reverse $data) if (uc($name) eq uc("DhcpNetworkHint"));
::rptMsg(sprintf " %-28s %-20s",$name,$data);
}
::rptMsg("");
};
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
}
else {
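Review bot: `pack("h*",reverse $data)` on the new DhcpNetworkHint lines and `my $ssid_realname = pack("h*",reverse $ssid->get_name());` only decode correctly by accident: `reverse` sits in pack's argument list and is therefore evaluated in list context, where a one-element list comes back unchanged, so the nibble swap is performed entirely by the `h*` (low-nibble-first) template; anyone later "fixing" it to `scalar reverse` would scramble the SSID. Drop `reverse`, e.g. `$data = pack("h*",$data) if (uc($name) eq uc("DhcpNetworkHint"));` and `my $ssid_realname = pack("h*",$ssid->get_name());`. The per-value `eval` loop is also copied verbatim for the adapter key and again for each SSID subkey; a small helper taking the key object would remove the duplicate. `pluginmain` starts and ends outside this hunk.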


@ -1,26 +1,35 @@
# 20120528 *ALL* Plugins that apply on NTUSER hive, alphabetical order
# 20161213 *ALL* Plugins that apply on NTUSER hive, alphabetical order
acmru
adoberdr
aim
aports
appcompatflags
applets
applets_tln
appspecific
ares
arpcache
attachmgr
attachmgr_tln
autoendtasks
autorun
bitbucket_user
brisv
cached
cached_tln
cain
ccleaner
cdstaginginfo
clampi
clampitm
cmdproc
cmdproc_tln
comdlg32
compatassist
compdesc
controlpanel
cortana
cpldontload
ddo
decaf
dependency_walker
domains
@ -30,62 +39,98 @@ filehistory
gthist
gtwhitelist
haven_and_hearth
identities
iejava
ie_main
ie_settings
ie_zones
internet_explorer_cu
internet_settings_cu
itempos
javafx
kankan
knowndev
latentbot
listsoft
liveContactsGUID
load
logonusername
menuorder
mixer
mixer_tln
mmc
mmc_tln
mmo
mndmru
mndmru_tln
mp2
mp3
mpmru
mspaper
muicache
muicache_tln
nero
netassist
ntusernetwork
odysseus
officedocs
officedocs2010
officedocs2010_tln
oisc
olsearch
osversion
osversion_tln
outlook
outlook2
policies_u
printermru
printers
privoxy
profiler
proxysettings
publishingwizard
putty
rdphint
reading_locations
realplayer6
realvnc
recentdocs
recentdocs_tln
reveton
rootkit_revealer
runmru
runmru_tln
sevenzip
shc
shellbags_xp
shellfolders
skype
snapshot_viewer
ssh_host_keys
startmenuinternetapps_cu
startpage
streammru
streams
startup
sysinternals
sysinternals_tln
trustrecords
trustrecords_tln
tsclient
tsclient_tln
typedpaths
typedpaths_tln
typedurls
typedurlstime
typedurlstime_tln
typedurls_tln
unreadmail
user_run
user_win
urun_tln
userassist
userassist_tln
userinfo
userlocsvc
user_run
user_win
vawtrak
vista_bitbucket
vmplayer
vmware_vsphere_client
@ -93,9 +138,11 @@ vnchooksapplicationprefs
vncviewer
wallpaper
warcraft3
winlivemail
winlogon_u
winrar
winrar2
winrar_tln
winscp
winscp_sessions
winvnc
winzip


@ -67,7 +67,7 @@ sub pluginmain {
::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." (UTC)");
::rptMsg("");
my $value = $word_key->get_value("Value")->get_data();
my @data = split(/\00/,$value);
my @data = split(/\x00/,$value);
map{::rptMsg("$_");}@data;
}
else {


@ -87,7 +87,7 @@ sub parseSearchMRU {
foreach my $i (0..($num - 1)) {
$item{$i} = substr($data,$ofs[$i], $ofs[$i + 1] - $ofs[$i]);
$item{$i} =~ s/\00//g;
$item{$i} =~ s/\x00//g;
}
return %item;
}


@ -56,32 +56,32 @@ sub pluginmain {
# http://support.microsoft.com/kb/198479
eval {
my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0324")->get_data();
$data =~ s/\00//g;
$data =~ s/\x00//g;
::rptMsg(" Outlook 2007 AutoArchive path -> ".$data);
};
eval {
my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e0324")->get_data();
$data =~ s/\00//g;
$data =~ s/\x00//g;
::rptMsg(" Outlook 2003 AutoArchive path -> ".$data);
};
eval {
my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data();
$data =~ s/\00//g;
$data =~ s/\x00//g;
::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data);
};
# http://support.microsoft.com/kb/288570
eval {
my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101e0384")->get_data();
$data =~ s/\00//g;
$data =~ s/\x00//g;
::rptMsg(" Open Other Users MRU (Outlook 97) -> ".$data);
};
eval {
my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101f0390")->get_data();
$data =~ s/\00//g;
$data =~ s/\x00//g;
::rptMsg(" Open Other Users MRU (Outlook 2003) -> ".$data);
};
@ -104,26 +104,26 @@ sub pluginmain {
eval {
my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6610")->get_data();
$data =~ s/\00//g;
$data =~ s/\x00//g;
::rptMsg(" Path to OST file: ".$data);
};
eval {
my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6607")->get_data();
$data =~ s/\00//g;
$data =~ s/\x00//g;
::rptMsg(" Email: ".$data);
};
eval {
my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6620")->get_data();
$data =~ s/\00//g;
$data =~ s/\x00//g;
::rptMsg(" Email: ".$data);
};
# http://support.microsoft.com/kb/959956
# eval {
# my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("01026687")->get_data();
# $data =~ s/\00/\./g;
# $data =~ s/\x00/\./g;
# $data =~ s/\W//g;
# ::rptMsg(" Non-SMTP Email: ".$data);
# };
@ -143,7 +143,7 @@ sub pluginmain {
eval {
my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data();
$data =~ s/\00//g;
$data =~ s/\x00//g;
::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data);
};
@ -154,7 +154,7 @@ sub pluginmain {
eval {
my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0418")->get_data();
$data =~ s/\00//g;
$data =~ s/\x00//g;
::rptMsg(" 001f0418 -> ".$data);
};
# ::rptMsg("Error : ".$@) if ($@);


@ -26,7 +26,7 @@ my %config = (hive => "USRCLASS\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives";
return "Shell/BagMRU traversal in Win7 USRCLASS.DAT hives";
}
sub getDescr{}
sub getRefs {}


@ -67,8 +67,7 @@ sub pluginmain {
::rptMsg($key_path." not found.");
}
::rptMsg("");
my $key_path = "Policy\\PolPrDmS";
my $key;
$key_path = "Policy\\PolPrDmS";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("PolPrDmS");
::rptMsg($key_path);


@ -3,7 +3,7 @@
# Access System hive file to get the Prefetch Parameters
#
# Change history
#
# 2016-05-06 Added check for SysMain service start method. James Habben
#
# References
# http://msdn.microsoft.com/en-us/library/bb499146(v=winembedded.5).aspx
@ -18,7 +18,13 @@ my %config = (hive => "SYSTEM",
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20120914);
version => 20160506);
my %starts = (0x00 => "Boot Start",
0x01 => "System Start",
0x02 => "Auto Start",
0x03 => "Manual",
0x04 => "Disabled");
sub getConfig{return %config}
sub getShortDescr {
@ -65,6 +71,24 @@ sub pluginmain {
::rptMsg($pp_path." not found.");
::logMsg($pp_path." not found.");
}
my $pfsvc_path = $ccs."\\services\\SysMain";
my $pfsvc;
if ($pfsvc = $root_key->get_subkey($pfsvc_path)) {
my $svc_start = $pfsvc->get_value("Start")->get_data();
if (exists $starts{$svc_start}) {
$svc_start = $starts{$svc_start};
}
::rptMsg("");
::rptMsg("Superfetch service runs both Superfetch and Prefetch functions. Shortname is SysMain.");
::rptMsg("SysMain Service = ".$svc_start);
}
else {
::rptMsg($pfsvc_path." not found.");
::logMsg($pfsvc_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
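Review bot: `my $svc_start = $pfsvc->get_value("Start")->get_data();` runs outside any `eval`, so a SysMain key that lacks a `Start` value makes `get_value` return undef and the method call on it dies, aborting the whole plugin instead of just this new section; the other value lookups added or touched in this commit wrap such chains in `eval`. Check the value first, e.g. `my $start_val = $pfsvc->get_value("Start");` then `my $svc_start = defined $start_val ? $start_val->get_data() : "Start value not found";`. The enclosing `pluginmain` starts and ends outside this hunk.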


@ -70,8 +70,7 @@ sub pluginmain {
::rptMsg("Default Printer (via CurrentVersion\\Windows): ".$def);
};
# another attempt to get the default printer
my $def_path = "Printers";
my $def;
$def_path = "Printers";
eval {
$def = $root_key->get_subkey($def_path)->get_value("DeviceOld")->get_data();
::rptMsg("Default Printer (via Printers->DeviceOld): ".$def);


@ -69,32 +69,29 @@ sub pluginmain {
my $key;
my $key_path = "ControlSet00".$curr."\\Control\\ProductOptions";
if ($key = $root_key->get_subkey($key_path)) {
my $prod;
eval {
my $v1 = $key->get_value("ProductPolicy");
if (defined $v1) {
my $prod = $v1->get_data();
my %pol = parseData($prod);
::rptMsg("");
::rptMsg("Note: This plugin applies to Vista and Windows 2008 ONLY.");
::rptMsg("For a listing of names and values, see:");
::rptMsg("http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/install.htm&tx=3,5,6;4");
::rptMsg("");
foreach my $p (sort keys %pol) {
::rptMsg($p." - ".$pol{$p});
}
if (exists $prodinfo{$pol{"Kernel\-ProductInfo"}}) {
::rptMsg("");
::rptMsg("Kernel\-ProductInfo = ".$prodinfo{$pol{"Kernel\-ProductInfo"}});
}
}
else {
::rptMsg("Error getting ProductPolicy value");
}
$prod = $key->get_value("ProductPolicy")->get_data();
};
if ($@) {
::rptMsg("Error getting ProductPolicy value: $@");
}
else {
my %pol = parseData($prod);
::rptMsg("");
::rptMsg("Note: This plugin applies to Vista and Windows 2008 ONLY.");
::rptMsg("For a listing of names and values, see:");
::rptMsg("http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/install.htm&tx=3,5,6;4");
::rptMsg("");
foreach my $p (sort keys %pol) {
::rptMsg($p." - ".$pol{$p});
}
if (exists $prodinfo{$pol{"Kernel\-ProductInfo"}}) {
::rptMsg("");
::rptMsg("Kernel\-ProductInfo = ".$prodinfo{$pol{"Kernel\-ProductInfo"}});
}
}
}
else {
::rptMsg($key_path." not found.");
@ -125,7 +122,7 @@ sub parseData {
my @vals = unpack("v4V2", substr($pd,$cursor,0x10));
my $value = substr($pd,$cursor,$vals[0]);
my $name = substr($value,0x10,$vals[1]);
$name =~ s/\00//g;
$name =~ s/\x00//g;
my $data = substr($value,0x10 + $vals[1],$vals[3]);
if ($vals[2] == 4) {
@ -133,7 +130,7 @@ sub parseData {
$data = unpack("V",$data);
}
elsif ($vals[2] == 1) {
$data =~ s/\00//g;
$data =~ s/\x00//g;
}
elsif ($vals[2] == 3) {
$data = unpack("H*",$data);


@ -40,7 +40,7 @@ sub pluginmain {
my %profiles;
#::logMsg("Launching profilelist v.".$VERSION);
::logMsg("Launching profilelist v.".$VERSION);
::rptMsg("profilelist v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
@ -95,7 +95,7 @@ sub pluginmain {
}
# The following was added 20100219
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
$key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys();
if (scalar @subkeys > 0) {


@ -25,7 +25,7 @@ my %config = (hive => "NTUSER\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "Gets user's RealPlayer v6 MostRecentClips\(Default) values";
return "Gets user's RealPlayer v6 MostRecentClips(Default) values";
}
sub getDescr{}
sub getRefs {}


@ -147,9 +147,9 @@ sub getRDValues {
else {
# New code
$data = decode("ucs-2le", $data);
my $file = (split(/\00/,$data))[0];
# my $file = (split(/\00\00/,$data))[0];
# $file =~ s/\00//g;
my $file = (split(/\x00/,$data))[0];
# my $file = (split(/\x00\x00/,$data))[0];
# $file =~ s/\x00//g;
$rdvals{$name} = $file;
}
}


@ -118,9 +118,9 @@ sub getRDValues {
else {
# New code
$data = decode("ucs-2le", $data);
my $file = (split(/\00/,$data))[0];
# my $file = (split(/\00\00/,$data))[0];
# $file =~ s/\00//g;
my $file = (split(/\x00/,$data))[0];
# my $file = (split(/\x00\x00/,$data))[0];
# $file =~ s/\x00//g;
$rdvals{$name} = $file;
}
}


@ -30,8 +30,9 @@ my %config = (hive => "Software",
sub getConfig{return %config}
sub getShortDescr {
return "Get logfile name of registry backup tasks";
return "List all backup tasks along with logfile name and last written date/time";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
@ -42,8 +43,8 @@ my $VERSION = getVersion();
sub pluginmain {
::logMsg("Launching regback v.".$VERSION);
::rptMsg("regback v.".$VERSION); # 20110830 [fpi] + banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
::rptMsg("regback v.".$VERSION); # 20110830 [fpi] + banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
my $class = shift;
my $hive = shift;
@ -71,18 +72,13 @@ sub pluginmain {
::rptMsg($key_path." not found.");
}
my $class = shift;
my $hive = shift;
$class = shift;
$hive = shift;
my %tasks;
sub getShortDescr {
return "List all tasks along with logfile name and last written date/time";
}
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks";
my $key;
$root_key = $reg->get_root_key;
$key_path = "Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
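Review bot: `$class = shift;` and `$hive = shift;` in the second hunk re-shift `@_` after the same two arguments were already consumed by `my $class = shift; my $hive = shift;` at the top of `pluginmain`, so from this point both variables hold undef; the old duplicate `my` declarations merely shadowed them, the new assignments clobber them. These two lines look like a leftover from merging two plugin bodies and should simply be deleted, leaving `$root_key` and `$key_path` to be reassigned as the hunk already does. If `$hive` is referenced after this point (the sub continues outside the hunk) it would now be undefined.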


@ -1,2 +1,3 @@
# 20120528 *ALL* Plugins that apply on SAM hive, alphabetical order
# 20161213 *ALL* Plugins that apply on SAM hive, alphabetical order
samparse
samparse_ltn
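Review bot: The added profile entry `samparse_ltn` does not follow the `_tln` suffix used by every other timeline plugin listed in this commit (`applets_tln`, `cached_tln`, `networklist_tln`), so it reads as a transposition; if the plugin file is actually `samparse_tln.pl`, a run with this profile will fail to load it. Please confirm the filename and change the entry to `samparse_tln` if that is the case.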


@ -3,6 +3,7 @@
# Parse the SAM hive file for user/group membership info
#
# Change history:
# 20160203 - updated to include add'l values (randomaccess/Phill Moore contribution)
# 20120722 - updated %config hash
# 20110303 - Fixed parsing of SID, added check for account type
# Acct type determined based on Dustin Hulburt's "Forensic
@ -17,7 +18,7 @@
# Source available here: http://pogostick.net/~pnh/ntpasswd/
# http://accessdata.com/downloads/media/Forensic_Determination_Users_Logon_Status.pdf
#
# copyright 2012 Quantum Analytics Research, LLC
# copyright 2016 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package samparse;
@ -31,7 +32,7 @@ my %config = (hive => "SAM",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20120722);
version => 20160203);
sub getConfig{return %config}
@ -117,10 +118,33 @@ sub pluginmain {
($f_val{pwd_reset_date} == 0) ? ($pwdreset = "Never") : ($pwdreset = gmtime($f_val{pwd_reset_date})." Z");
($f_val{pwd_fail_date} == 0) ? ($pwdfail = "Never") : ($pwdfail = gmtime($f_val{pwd_fail_date})." Z");
my $given;
my $surname;
eval {
$given = $u->get_value("GivenName")->get_data();
$given =~ s/\x00//g;
};
eval {
$surname = $u->get_value("SurName")->get_data();
$surname =~ s/\x00//g;
};
::rptMsg("Name : ".$given." ".$surname);
my $internet;
eval {
$internet = $u->get_value("InternetUserName")->get_data();
$internet =~ s/\x00//g;
::rptMsg("InternetName : ".$internet);
};
my $pw_hint;
eval {
$pw_hint = $u->get_value("UserPasswordHint")->get_data();
$pw_hint =~ s/\00//g;
$pw_hint =~ s/\x00//g;
};
::rptMsg("Password Hint : ".$pw_hint) unless ($@);
::rptMsg("Last Login Date : ".$lastlogin);
@ -143,7 +167,7 @@ sub pluginmain {
::rptMsg("Group Membership Information");
::rptMsg("-" x 25);
# Get Group membership information
my $key_path = 'SAM\\Domains\\Builtin\\Aliases';
$key_path = 'SAM\\Domains\\Builtin\\Aliases';
if ($key = $root_key->get_subkey($key_path)) {
my %grps;
my @groups = $key->get_list_of_subkeys();
@ -187,12 +211,10 @@ sub pluginmain {
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
@ -323,7 +345,7 @@ sub _translateSID {
#---------------------------------------------------------------------
sub _uniToAscii {
my $str = $_[0];
$str =~ s/\00//g;
$str =~ s/\x00//g;
return $str;
}
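Review bot: `::rptMsg("Name : ".$given." ".$surname);` is executed unconditionally, but `$given` and `$surname` remain undef whenever the `GivenName`/`SurName` values are absent (their `eval` blocks die before assigning), so every account without those values prints an empty `Name :` line and, with warnings enabled, an uninitialized-value warning per missing value. Guard it the same way `Password Hint` is guarded a few lines below, e.g. `::rptMsg("Name : ".$given." ".$surname) if (defined $given || defined $surname);`. The enclosing `pluginmain` starts and ends outside this hunk.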


@ -121,7 +121,7 @@ sub pluginmain {
my $c_descr = "Acct Created (".$v_val{type}.")";
eval {
$pw_hint = $u->get_value("UserPasswordHint")->get_data();
$pw_hint =~ s/\00//g;
$pw_hint =~ s/\x00//g;
$c_descr .= " (Pwd Hint: ".$pw_hint.")";
};
@ -278,7 +278,7 @@ sub _translateSID {
#---------------------------------------------------------------------
sub _uniToAscii {
my $str = $_[0];
$str =~ s/\00//g;
$str =~ s/\x00//g;
return $str;
}


@ -1,4 +1,8 @@
# 20120528 *ALL* Plugins that apply on SECURITY hive, alphabetical order
# 20161213 *ALL* Plugins that apply on SECURITY hive, alphabetical order
auditpol
auditpol_xp
lsasecrets
polacdms
secrets
secrets_tln
securityproviders


@ -59,9 +59,9 @@ sub pluginmain {
eval {
::rptMsg("ArcHistory:");
my $copy = $key->get_subkey("Compression")->get_value("ArcHistory")->get_data();
my @c = split(/\00\00/,$copy);
my @c = split(/\x00\x00/,$copy);
foreach my $hist (@c) {
$hist =~ s/\00//g;
$hist =~ s/\x00//g;
::rptMsg(" ".$hist);
}
};
@ -69,9 +69,9 @@ sub pluginmain {
eval {
::rptMsg("PathHistory:");
my $copy = $key->get_subkey("Extraction")->get_value("PathHistory")->get_data();
my @c = split(/\00\00/,$copy);
my @c = split(/\x00\x00/,$copy);
foreach my $hist (@c) {
$hist =~ s/\00//g;
$hist =~ s/\x00//g;
::rptMsg(" ".$hist);
}
::rptMsg("");
@ -80,9 +80,9 @@ sub pluginmain {
eval {
::rptMsg("CopyHistory:");
my $copy = $key->get_subkey("FM")->get_value("CopyHistory")->get_data();
my @c = split(/\00\00/,$copy);
my @c = split(/\x00\x00/,$copy);
foreach my $hist (@c) {
$hist =~ s/\00//g;
$hist =~ s/\x00//g;
::rptMsg(" ".$hist);
}
::rptMsg("");
@ -91,9 +91,9 @@ sub pluginmain {
eval {
::rptMsg("FolderHistory:");
my $copy = $key->get_subkey("FM")->get_value("FolderHistory")->get_data();
my @c = split(/\00\00/,$copy);
my @c = split(/\x00\x00/,$copy);
foreach my $hist (@c) {
$hist =~ s/\00//g;
$hist =~ s/\x00//g;
::rptMsg(" ".$hist);
}
};
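Review bot: `my @c = split(/\x00\x00/,$copy);` splits what appears to be UTF-16LE data on a raw byte pair with no regard to code-unit alignment, so an ASCII character (high byte 0x00) immediately followed by a character whose low byte is 0x00, such as U+0100, produces a spurious `00 00` across the boundary and the path is cut in the wrong place; only non-ASCII paths are affected, which is exactly when the output is hardest to sanity-check. The recentdocs plugins in this commit decode first (`$data = decode("ucs-2le", $data);`) and then split on a single `\x00`, which avoids the problem once Encode is imported here. The same pattern repeats for PathHistory, CopyHistory and FolderHistory in this file. `pluginmain` starts outside these hunks.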


@ -75,8 +75,7 @@ sub pluginmain {
# According to http://support.microsoft.com/kb/222193, sfc* values in this key, if
# it exists, take precedence over and are copied into the values within the Winlogon
# key; see also http://support.microsoft.com/kb/222473/
my $key_path = "Policies\\Microsoft\\Windows NT\\Windows File Protection";
my $key;
$key_path = "Policies\\Microsoft\\Windows NT\\Windows File Protection";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");


@ -97,7 +97,7 @@ sub pluginmain {
# Determine of the AutoShareServer/Wks values have been set
my $path = $key_path."\\".$lanman;
my $tag = "parameters";
$tag = "parameters";
my $para = getKeyPath($path,$tag);
eval {
if ($key = $root_key->get_subkey($path."\\".$para)) {


@ -3,6 +3,7 @@
# RR plugin to parse (Vista, Win7/Win2008R2) shell bags
#
# History:
# 20150325 - updated parsing based on input from Eric Zimmerman
# 20140728 - updated shell item 0x01 parsing
# 20131216 - updated to support shell item type 0x52
# 20130102 - updated to include type 0x35
@ -31,7 +32,7 @@
# assistance with some parsing.
#
# License: GPL v3
# copyright 2012 Quantum Analytics Research, LLC
# copyright 2015 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package shellbags;
@ -46,12 +47,12 @@ my %config = (hive => "USRCLASS\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20130102);
version => 20150325);
sub getConfig{return %config}
sub getShortDescr {
return "Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives";
return "Shell/BagMRU traversal in Win7 USRCLASS.DAT hives";
}
sub getDescr{}
sub getRefs {}
@ -72,6 +73,7 @@ my %cp_guids = ("{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}" => "Action Center",
"{e2e7934b-dce5-43c4-9576-7fe4f75e7480}" => "Date and Time",
"{00c6d95f-329c-409a-81d7-c46c66ea7f33}" => "Default Location",
"{17cd9488-1228-4b2f-88ce-4298e93e0966}" => "Default Programs",
"{b4bfcc3a-db2c-424c-b029-7fe99a87c641}" => "Desktop",
"{37efd44d-ef8d-41b1-940d-96973a50e9e0}" => "Desktop Gadgets",
"{74246bfc-4c96-11d0-abef-0020af6b0b7a}" => "Device Manager",
"{a8a91a66-3a7d-4424-8d24-04e180695c7a}" => "Devices and Printers",
@ -136,18 +138,22 @@ my %folder_types = ("{724ef170-a42d-4fef-9f26-b60e846fba4f}" => "Administrative
"{1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}" => "CSIDL_SYSTEM",
"{b4bfcc3a-db2c-424c-b029-7fe99a87c641}" => "Desktop",
"{7b0db17d-9cd2-4a93-9733-46cc89022e7c}" => "Documents Library",
"{a8cdff1c-4878-43be-b5fd-f8091c1c60d0}" => "Documents",
"{fdd39ad0-238f-46af-adb4-6c85480369c7}" => "Documents",
"{374de290-123f-4565-9164-39c4925e467b}" => "Downloads",
"{de61d971-5ebc-4f02-a3a9-6c82895e5c04}" => "Get Programs",
"{a305ce99-f527-492b-8b1a-7e76fa98d6e4}" => "Installed Updates",
"{871c5380-42a0-1069-a2ea-08002b30309d}" => "Internet Explorer (Homepage)",
"{031e4825-7b94-4dc3-b131-e946b44c8dd5}" => "Libraries",
"{2112ab0a-c86a-4ffe-a368-0de96e47012e}" => "Music",
"{1cf1260c-4dd0-4ebb-811f-33c572699fde}" => "Music",
"{4bd8d571-6d19-48d3-be97-422220080e43}" => "Music",
"{20d04fe0-3aea-1069-a2d8-08002b30309d}" => "My Computer",
"{450d8fba-ad25-11d0-98a8-0800361b1103}" => "My Documents",
"{ed228fdf-9ea8-4870-83b1-96b02cfe0d52}" => "My Games",
"{208d2c60-3aea-1069-a2d7-08002b30309d}" => "My Network Places",
"{f02c1a0d-be21-4350-88b0-7367fc96ef3c}" => "Network",
"{3add1653-eb32-4cb0-bbd7-dfa0abb5acca}" => "Pictures",
"{33e28130-4e1e-4676-835a-98395c3bc3bb}" => "Pictures",
"{a990ae9f-a03b-4e80-94bc-9912d7504104}" => "Pictures",
"{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}" => "Program Files (x86)",
@ -164,6 +170,7 @@ my %folder_types = ("{724ef170-a42d-4fef-9f26-b60e846fba4f}" => "Administrative
"{9e52ab10-f80d-49df-acb8-4330f5687855}" => "Temporary Burn Folder",
"{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}" => "Users Files",
"{59031a47-3f72-44a7-89c5-5595fe6b30ee}" => "Users",
"{a0953c92-50dc-43bf-be83-3742fed03c9c}" => "Videos",
"{b5947d7f-b489-4fde-9e77-23780cc610d1}" => "Virtual Machines",
"{f38bf404-1d43-42f2-9305-67de0b28fc23}" => "Windows");
@ -260,10 +267,10 @@ sub traverse {
elsif ($type == 0x31 || $type == 0x32 || $type == 0xb1 || $type == 0x74) {
# Folder or Zip File
%item = parseFolderEntry($values{$v});
# probe($values{$v});
}
elsif ($type == 0x35) {
%item = parseFolderEntry2($values{$v});
probe($values{$v});
}
elsif ($type == 0x71) {
# Control Panel
@ -387,35 +394,13 @@ sub parseVariableEntry {
my $num = unpack("V",substr($stuff,$cnt + 13,4));
my $str = substr($stuff,$cnt + 13 + 4,($num * 2));
$str =~ s/\00//g;
$str =~ s/\x00//g;
$item{name} = $str;
}
$cnt += $sz;
}
}
# if (exists $segs{"{5cbf2787-48cf-4208-b90e-ee5e5d420294}"}) {
# my $stuff = $segs{"{5cbf2787-48cf-4208-b90e-ee5e5d420294}"};
# my $tag = 1;
# my $cnt = 0x10;
# while($tag) {
# my $sz = unpack("V",substr($stuff,$cnt,4));
# my $id = unpack("V",substr($stuff,$cnt + 4,4));
#
# if ($sz == 0x00) {
# $tag = 0;
# next;
# }
# elsif ($id == 0x19) {
#
# my $num = unpack("V",substr($stuff,$cnt + 13,4));
# my $str = substr($stuff,$cnt + 13 + 4,($num * 2));
# $str =~ s/\00//g;
# $item{name} = $str;
# }
# $cnt += $sz;
# }
# }
}
elsif (substr($data,4,4) eq "AugM") {
%item = parseFolderEntry($data);
@ -424,12 +409,26 @@ sub parseVariableEntry {
elsif ($tag == 0x7b || $tag == 0xbb || $tag == 0xfb) {
my ($sz1,$sz2,$sz3) = unpack("VVV",substr($data,0x3e,12));
$item{name} = substr($data,0x4a,$sz1 * 2);
$item{name} =~ s/\00//g;
$item{name} =~ s/\x00//g;
}
elsif ($tag == 0x02 || $tag == 0x03) {
my ($sz1,$sz2,$sz3,$sz4) = unpack("VVVV",substr($data,0x26,16));
$item{name} = substr($data,0x36,$sz1 * 2);
$item{name} =~ s/\00//g;
$item{name} =~ s/\x00//g;
}
elsif (unpack("v",substr($data,6,2)) == 0x05) {
my $o = 0x26;
my $t = 1;
while ($t) {
my $i = substr($data,$o,1);
if ($i =~ m/\x00/) {
$t = 0;
}
else {
$item{name} .= $i;
$o++;
}
}
}
else {
$item{name} = "Unknown Type";
@ -446,7 +445,7 @@ sub parseNetworkEntry {
my %item = ();
$item{type} = unpack("C",substr($data,2,1));
my @n = split(/\00/,substr($data,4,length($data) - 4));
my @n = split(/\x00/,substr($data,4,length($data) - 4));
$item{name} = $n[0];
return %item;
}
@ -463,13 +462,13 @@ sub parseZipSubFolderItem {
# Get the opened/accessed date/time
$item{datetime} = substr($data,0x24,6);
$item{datetime} =~ s/\00//g;
$item{datetime} =~ s/\x00//g;
if ($item{datetime} eq "N/A") {
}
else {
$item{datetime} = substr($data,0x24,40);
$item{datetime} =~ s/\00//g;
$item{datetime} =~ s/\x00//g;
my ($date,$time) = split(/\s+/,$item{datetime},2);
my ($mon,$day,$yr) = split(/\//,$date,3);
my ($hr,$min,$sec) = split(/:/,$time,3);
@ -482,9 +481,9 @@ sub parseZipSubFolderItem {
my $sz2 = unpack("V",substr($data,0x58,4));
my $str1 = substr($data,0x5C,$sz *2) if ($sz > 0);
$str1 =~ s/\00//g;
$str1 =~ s/\x00//g;
my $str2 = substr($data,0x5C + ($sz * 2),$sz2 *2) if ($sz2 > 0);
$str2 =~ s/\00//g;
$str2 =~ s/\x00//g;
if ($sz2 > 0) {
$item{name} = $str1."\\".$str2;
@ -547,10 +546,10 @@ sub parseURIEntry {
my $sz = unpack("V",substr($data,0x2a,4));
my $uri = substr($data,0x2e,$sz);
$uri =~ s/\00//g;
$uri =~ s/\x00//g;
my $proto = substr($data,length($data) - 6, 6);
$proto =~ s/\00//g;
$proto =~ s/\x00//g;
$item{name} = $proto."://".$uri." [".gmtime($item{uritime})."]";
@ -600,7 +599,18 @@ sub parseGUID {
my $d3 = unpack("v",substr($data,6,2));
my $d4 = unpack("H*",substr($data,8,2));
my $d5 = unpack("H*",substr($data,10,6));
return sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3;
my $guid = sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3;
if (exists $cp_guids{$guid}) {
return "CLSID_".$cp_guids{$guid};
}
elsif (exists $folder_types{$guid}) {
return "CLSID_".$folder_types{$guid};
}
else {
return $guid;
}
}
#-----------------------------------------------------------
@ -610,16 +620,46 @@ sub parseDeviceEntry {
my $data = shift;
my %item = ();
my $userlen = unpack("V",substr($data,30,4));
my $devlen = unpack("V",substr($data,34,4));
my $ofs = unpack("v",substr($data,4,2));
my $tag = unpack("V",substr($data,6,4));
my $user = substr($data,0x28,$userlen * 2);
$user =~ s/\00//g;
if ($tag == 0) {
my $guid1 = parseGUID(substr($data,$ofs + 6,16));
my $guid2 = parseGUID(substr($data,$ofs + 6 + 16,16));
$item{name} = $guid1."\\".$guid2
}
elsif ($tag == 2) {
$item{name} = substr($data,0x0a,($ofs + 6) - 0x0a);
$item{name} =~ s/\x00//g;
}
else {
my $ver = unpack("C",substr($data,9,1));
my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2);
$dev =~ s/\00//g;
# Version 3 = XP
if ($ver == 3) {
my $guid1 = parseGUID(substr($data,$ofs + 6,16));
my $guid2 = parseGUID(substr($data,$ofs + 6 + 16,16));
$item{name} = $guid1."\\".$guid2
$item{name} = $user;
}
# Version 8 = Win7
elsif ($ver == 8) {
my $userlen = unpack("V",substr($data,30,4));
my $devlen = unpack("V",substr($data,34,4));
my $user = substr($data,0x28,$userlen * 2);
$user =~ s/\x00//g;
my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2);
$dev =~ s/\x00//g;
$item{name} = $user;
}
elsif (unpack("C",substr($data,3,1)) == 0x80) {
$item{name} = parseGUID(substr($data,4,16));
}
# Version unknown
else {
$item{name} = "Device Entry - Unknown Version";
}
}
return %item;
}
@ -685,14 +725,14 @@ sub parseFolderEntry {
($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]);
# Need to read in short name; nul-term ASCII
# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0];
# $item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0];
$ofs_shortname = $ofs_mdate + 6;
my $tag = 1;
my $cnt = 0;
my $str = "";
while($tag) {
my $s = substr($data,$ofs_shortname + $cnt,1);
if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
$tag = 0;
}
else {
@ -700,12 +740,12 @@ sub parseFolderEntry {
$cnt++;
}
}
# $str =~ s/\00//g;
# $str =~ s/\x00//g;
my $shortname = $str;
my $ofs = $ofs_shortname + $cnt + 1;
# Read progressively, 1 byte at a time, looking for 0xbeef
my $tag = 1;
my $cnt = 0;
$tag = 1;
$cnt = 0;
while ($tag) {
if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
$tag = 0;
@ -715,12 +755,13 @@ sub parseFolderEntry {
}
}
$item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2));
# printf "Version: 0x%x\n",$item{extver};
$ofs = $ofs + $cnt + 2;
my @m = unpack("vv",substr($data,$ofs,4));
@m = unpack("vv",substr($data,$ofs,4));
($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]);
$ofs += 4;
my @m = unpack("vv",substr($data,$ofs,4));
@m = unpack("vv",substr($data,$ofs,4));
($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]);
my $jmp;
@ -733,6 +774,9 @@ sub parseFolderEntry {
elsif ($item{extver} == 0x08) {
$jmp = 30;
}
elsif ($item{extver} == 0x09) {
$jmp = 34;
}
else {}
if ($item{type} == 0x31 && $item{extver} >= 0x07) {
@ -747,9 +791,9 @@ sub parseFolderEntry {
$ofs += $jmp;
my $str = substr($data,$ofs,length($data) - 30);
my $longname = (split(/\00\00/,$str,2))[0];
$longname =~ s/\00//g;
$str = substr($data,$ofs,length($data) - 30);
my $longname = (split(/\x00\x00/,$str,2))[0];
$longname =~ s/\x00//g;
if ($longname ne "") {
$item{name} = $longname;
@ -821,6 +865,9 @@ sub parseFolderEntry2 {
if ($item{extver} == 0x03) {
$jmp = 8;
}
elsif ($item{extver} == 0x04) {
$jmp = 34;
}
elsif ($item{extver} == 0x07) {
$jmp = 26;
}
@ -840,9 +887,9 @@ sub parseFolderEntry2 {
# }
# ::rptMsg("");
$item{name} = (split(/\00\00/,$str,2))[0];
$item{name} =~ s/\13\20/\2D\00/;
$item{name} =~ s/\00//g;
$item{name} = (split(/\x00\x00/,$str,2))[0];
$item{name} =~ s/\x13\x20/\x2D\x00/;
$item{name} =~ s/\x00//g;
return %item;
}
@ -853,7 +900,7 @@ sub parseNetworkEntry {
my $data = shift;
my %item = ();
$item{type} = unpack("C",substr($data,2,1));
my @names = split(/\00/,substr($data,5,length($data) - 5));
my @names = split(/\x00/,substr($data,5,length($data) - 5));
$item{name} = $names[0];
return %item;
}
@ -865,9 +912,9 @@ sub parseDatePathItem {
my $data = shift;
my %item = ();
$item{datestr} = substr($data,0x18,30);
my ($file,$dir) = split(/\00\00/,substr($data,0x44,length($data) - 0x44));
$file =~ s/\00//g;
$dir =~ s/\00//g;
my ($file,$dir) = split(/\x00\x00/,substr($data,0x44,length($data) - 0x44));
$file =~ s/\x00//g;
$dir =~ s/\x00//g;
$item{name} = $dir.$file;
return %item;
}
@ -912,7 +959,7 @@ sub shellItem0x52 {
$cnt += 2;
}
}
$item{name} =~ s/\00//g;
$item{name} =~ s/\x00//g;
if ($item{subtype} < 3) {
$ofs = 0x32 + $cnt + 2;
@ -922,7 +969,7 @@ sub shellItem0x52 {
}
$sz = unpack("V",substr($data,$ofs,4));
$item{str} = substr($data,$ofs + 4,$sz * 2);
$item{str} =~ s/\00//g;
$item{str} =~ s/\x00//g;
return %item;
}


@ -358,7 +358,7 @@ sub parseFolderItem {
my $str = "";
while($tag) {
my $s = substr($data,$ofs_shortname + $cnt,1);
if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
$tag = 0;
}
else {
@ -366,12 +366,12 @@ sub parseFolderItem {
$cnt++;
}
}
# $str =~ s/\00//g;
# $str =~ s/\x00//g;
my $shortname = $str;
my $ofs = $ofs_shortname + $cnt + 1;
# Read progressively, 1 byte at a time, looking for 0xbeef
my $tag = 1;
my $cnt = 0;
$tag = 1;
$cnt = 0;
while ($tag) {
if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
$tag = 0;
@ -383,10 +383,10 @@ sub parseFolderItem {
$item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2));
$ofs = $ofs + $cnt + 2;
my @m = unpack("vv",substr($data,$ofs,4));
@m = unpack("vv",substr($data,$ofs,4));
($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]);
$ofs += 4;
my @m = unpack("vv",substr($data,$ofs,4));
@m = unpack("vv",substr($data,$ofs,4));
($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]);
my $jmp;
@ -403,9 +403,9 @@ sub parseFolderItem {
$ofs += $jmp;
my $str = substr($data,$ofs,length($data) - $ofs);
my $longname = (split(/\00\00/,$str,2))[0];
$longname =~ s/\00//g;
$str = substr($data,$ofs,length($data) - $ofs);
my $longname = (split(/\x00\x00/,$str,2))[0];
$longname =~ s/\x00//g;
if ($longname ne "") {
$item{name} = $longname;
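Review bot: Both scan loops in this section still have no bound on `$cnt`: the shortname loop exits only when a NUL is found at an even offset, and the 0xbeef scan exits only when the marker is found, so on a truncated or malformed entry `substr` returns undef past the end of `$data` and the loop never terminates. A guard such as `last if ($ofs_shortname + $cnt >= length($data));` in the first loop and `last if ($ofs + $cnt + 2 > length($data));` in the second would make the parser fail closed on bad shellbag data instead of hanging the whole run. parseFolderItem starts and ends outside these hunks, and the same two loops appear in the parseFolderEntry hunks of the later shellbags sections.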


@ -47,7 +47,7 @@ my %config = (hive => "USRCLASS\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives";
return "Shell/BagMRU traversal in Win7 USRCLASS.DAT hives";
}
sub getDescr{}
sub getRefs {}
@ -371,7 +371,7 @@ sub parseVariableEntry {
my $num = unpack("V",substr($stuff,$cnt + 13,4));
my $str = substr($stuff,$cnt + 13 + 4,($num * 2));
$str =~ s/\00//g;
$str =~ s/\x00//g;
$item{name} = $str;
}
$cnt += $sz;
@ -394,7 +394,7 @@ sub parseVariableEntry {
#
# my $num = unpack("V",substr($stuff,$cnt + 13,4));
# my $str = substr($stuff,$cnt + 13 + 4,($num * 2));
# $str =~ s/\00//g;
# $str =~ s/\x00//g;
# $item{name} = $str;
# }
# $cnt += $sz;
@ -408,12 +408,12 @@ sub parseVariableEntry {
elsif ($tag == 0x7b || $tag == 0xbb || $tag == 0xfb) {
my ($sz1,$sz2,$sz3) = unpack("VVV",substr($data,0x3e,12));
$item{name} = substr($data,0x4a,$sz1 * 2);
$item{name} =~ s/\00//g;
$item{name} =~ s/\x00//g;
}
elsif ($tag == 0x02 || $tag == 0x03) {
my ($sz1,$sz2,$sz3,$sz4) = unpack("VVVV",substr($data,0x26,16));
$item{name} = substr($data,0x36,$sz1 * 2);
$item{name} =~ s/\00//g;
$item{name} =~ s/\x00//g;
}
else {
$item{name} = "Unknown Type";
@ -430,7 +430,7 @@ sub parseNetworkEntry {
my %item = ();
$item{type} = unpack("C",substr($data,2,1));
my @n = split(/\00/,substr($data,4,length($data) - 4));
my @n = split(/\x00/,substr($data,4,length($data) - 4));
$item{name} = $n[0];
return %item;
}
@ -447,13 +447,13 @@ sub parseZipSubFolderItem {
# Get the opened/accessed date/time
$item{datetime} = substr($data,0x24,6);
$item{datetime} =~ s/\00//g;
$item{datetime} =~ s/\x00//g;
if ($item{datetime} eq "N/A") {
}
else {
$item{datetime} = substr($data,0x24,40);
$item{datetime} =~ s/\00//g;
$item{datetime} =~ s/\x00//g;
my ($date,$time) = split(/\s+/,$item{datetime},2);
my ($mon,$day,$yr) = split(/\//,$date,3);
my ($hr,$min,$sec) = split(/:/,$time,3);
@ -466,9 +466,9 @@ sub parseZipSubFolderItem {
my $sz2 = unpack("V",substr($data,0x58,4));
my $str1 = substr($data,0x5C,$sz *2) if ($sz > 0);
$str1 =~ s/\00//g;
$str1 =~ s/\x00//g;
my $str2 = substr($data,0x5C + ($sz * 2),$sz2 *2) if ($sz2 > 0);
$str2 =~ s/\00//g;
$str2 =~ s/\x00//g;
if ($sz2 > 0) {
$item{name} = $str1."\\".$str2;
@ -507,10 +507,10 @@ sub parseURIEntry {
my $sz = unpack("V",substr($data,0x2a,4));
my $uri = substr($data,0x2e,$sz);
$uri =~ s/\00//g;
$uri =~ s/\x00//g;
my $proto = substr($data,length($data) - 6, 6);
$proto =~ s/\00//g;
$proto =~ s/\x00//g;
$item{name} = $proto."://".$uri;
@ -574,10 +574,10 @@ sub parseDeviceEntry {
my $devlen = unpack("V",substr($data,34,4));
my $user = substr($data,0x28,$userlen * 2);
$user =~ s/\00//g;
$user =~ s/\x00//g;
my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2);
$dev =~ s/\00//g;
$dev =~ s/\x00//g;
$item{name} = $user;
return %item;
@ -645,14 +645,14 @@ sub parseFolderEntry {
($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]);
# Need to read in short name; nul-term ASCII
# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0];
# $item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0];
$ofs_shortname = $ofs_mdate + 6;
my $tag = 1;
my $cnt = 0;
my $str = "";
while($tag) {
my $s = substr($data,$ofs_shortname + $cnt,1);
if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
$tag = 0;
}
else {
@ -660,12 +660,12 @@ sub parseFolderEntry {
$cnt++;
}
}
# $str =~ s/\00//g;
# $str =~ s/\x00//g;
my $shortname = $str;
my $ofs = $ofs_shortname + $cnt + 1;
# Read progressively, 1 byte at a time, looking for 0xbeef
my $tag = 1;
my $cnt = 0;
$tag = 1;
$cnt = 0;
while ($tag) {
if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
$tag = 0;
@ -677,10 +677,10 @@ sub parseFolderEntry {
$item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2));
$ofs = $ofs + $cnt + 2;
my @m = unpack("vv",substr($data,$ofs,4));
@m = unpack("vv",substr($data,$ofs,4));
($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]);
$ofs += 4;
my @m = unpack("vv",substr($data,$ofs,4));
@m = unpack("vv",substr($data,$ofs,4));
($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]);
my $jmp;
@ -693,9 +693,9 @@ sub parseFolderEntry {
$ofs += $jmp;
my $str = substr($data,$ofs,length($data) - 30);
my $longname = (split(/\00\00/,$str,2))[0];
$longname =~ s/\00//g;
$str = substr($data,$ofs,length($data) - 30);
my $longname = (split(/\x00\x00/,$str,2))[0];
$longname =~ s/\x00//g;
if ($longname ne "") {
$item{name} = $longname;
@ -745,7 +745,7 @@ sub parseNetworkEntry {
my $data = shift;
my %item = ();
$item{type} = unpack("C",substr($data,2,1));
my @names = split(/\00/,substr($data,5,length($data) - 5));
my @names = split(/\x00/,substr($data,5,length($data) - 5));
$item{name} = $names[0];
return %item;
}
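Review bot: In the parseZipSubFolderItem hunk, `my $str1 = substr($data,0x5C,$sz *2) if ($sz > 0);` and the matching `$str2` line combine a `my` declaration with a statement modifier, which perlsyn documents as undefined behaviour — when the condition is false the variable may keep the value from the previous call — and the unconditional `$str1 =~ s/\x00//g;` that follows then runs on undef or stale data. Declaring unconditionally and keeping the guard on the value is safer: `my $str1 = ($sz > 0) ? substr($data,0x5C,$sz * 2) : "";` and likewise for `$str2`; if a caller distinguishes undef from an empty name that would need checking, since the else branch is outside the hunk. The same two lines appear in the parseZipSubFolderItem hunks of the previous and next file sections.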


@ -50,7 +50,7 @@ my %config = (hive => "NTUSER\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "Shell/BagMRU traversal in XP NTUSER\.DAT hives";
return "Shell/BagMRU traversal in XP NTUSER.DAT hives";
}
sub getDescr{}
sub getRefs {}
@ -405,7 +405,7 @@ sub parseVariableEntry {
my $num = unpack("V",substr($stuff,$cnt + 13,4));
my $str = substr($stuff,$cnt + 13 + 4,($num * 2));
$str =~ s/\00//g;
$str =~ s/\x00//g;
$item{name} = $str;
}
$cnt += $sz;
@ -428,7 +428,7 @@ sub parseVariableEntry {
#
# my $num = unpack("V",substr($stuff,$cnt + 13,4));
# my $str = substr($stuff,$cnt + 13 + 4,($num * 2));
# $str =~ s/\00//g;
# $str =~ s/\x00//g;
# $item{name} = $str;
# }
# $cnt += $sz;
@ -442,12 +442,12 @@ sub parseVariableEntry {
elsif ($tag == 0x7b || $tag == 0xbb || $tag == 0xfb) {
my ($sz1,$sz2,$sz3) = unpack("VVV",substr($data,0x3e,12));
$item{name} = substr($data,0x4a,$sz1 * 2);
$item{name} =~ s/\00//g;
$item{name} =~ s/\x00//g;
}
elsif ($tag == 0x02 || $tag == 0x03) {
my ($sz1,$sz2,$sz3,$sz4) = unpack("VVVV",substr($data,0x26,16));
$item{name} = substr($data,0x36,$sz1 * 2);
$item{name} =~ s/\00//g;
$item{name} =~ s/\x00//g;
}
else {
$item{name} = "Unknown Type";
@ -464,7 +464,7 @@ sub parseNetworkEntry {
my %item = ();
$item{type} = unpack("C",substr($data,2,1));
my @n = split(/\00/,substr($data,4,length($data) - 4));
my @n = split(/\x00/,substr($data,4,length($data) - 4));
$item{name} = $n[0];
return %item;
}
@ -481,13 +481,13 @@ sub parseZipSubFolderItem {
# Get the opened/accessed date/time
$item{datetime} = substr($data,0x24,6);
$item{datetime} =~ s/\00//g;
$item{datetime} =~ s/\x00//g;
if ($item{datetime} eq "N/A") {
}
else {
$item{datetime} = substr($data,0x24,40);
$item{datetime} =~ s/\00//g;
$item{datetime} =~ s/\x00//g;
my ($date,$time) = split(/\s+/,$item{datetime},2);
my ($mon,$day,$yr) = split(/\//,$date,3);
my ($hr,$min,$sec) = split(/:/,$time,3);
@ -501,9 +501,9 @@ sub parseZipSubFolderItem {
my $sz2 = unpack("V",substr($data,0x58,4));
my $str1 = substr($data,0x5C,$sz *2) if ($sz > 0);
$str1 =~ s/\00//g;
$str1 =~ s/\x00//g;
my $str2 = substr($data,0x5C + ($sz * 2),$sz2 *2) if ($sz2 > 0);
$str2 =~ s/\00//g;
$str2 =~ s/\x00//g;
if ($sz2 > 0) {
$item{name} = $str1."\\".$str2;
@ -540,7 +540,7 @@ sub parseXPShellDeviceItem {
$item{timestamp} = ::getTime($t0,$t1);
# starting at offset 0x18, read the null-term. string as the name value
my $str = substr($data,0x18,length($data) - 0x18);
$item{name} = (split(/\00/,$str))[0];
$item{name} = (split(/\x00/,$str))[0];
return %item;
}
@ -558,10 +558,10 @@ sub parseURIEntry {
my $sz = unpack("V",substr($data,0x2a,4));
my $uri = substr($data,0x2e,$sz);
$uri =~ s/\00//g;
$uri =~ s/\x00//g;
my $proto = substr($data,length($data) - 6, 6);
$proto =~ s/\00//g;
$proto =~ s/\x00//g;
$item{name} = $proto."://".$uri." [".gmtime($item{uritime})."]";
@ -635,10 +635,10 @@ sub parseDeviceEntry {
# my $devlen = unpack("V",substr($data,34,4));
#
# my $user = substr($data,0x28,$userlen * 2);
# $user =~ s/\00//g;
# $user =~ s/\x00//g;
#
# my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2);
# $dev =~ s/\00//g;
# $dev =~ s/\x00//g;
#
# $item{name} = $user;
my $len = unpack("v",substr($data,0,2));
@ -718,14 +718,14 @@ sub parseFolderEntry {
($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]);
# Need to read in short name; nul-term ASCII
# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0];
# $item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0];
$ofs_shortname = $ofs_mdate + 6;
my $tag = 1;
my $cnt = 0;
my $str = "";
while($tag) {
my $s = substr($data,$ofs_shortname + $cnt,1);
if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
$tag = 0;
}
else {
@ -733,12 +733,12 @@ sub parseFolderEntry {
$cnt++;
}
}
# $str =~ s/\00//g;
# $str =~ s/\x00//g;
my $shortname = $str;
my $ofs = $ofs_shortname + $cnt + 1;
# Read progressively, 1 byte at a time, looking for 0xbeef
my $tag = 1;
my $cnt = 0;
$tag = 1;
$cnt = 0;
while ($tag) {
if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
$tag = 0;
@ -750,10 +750,10 @@ sub parseFolderEntry {
$item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2));
$ofs = $ofs + $cnt + 2;
my @m = unpack("vv",substr($data,$ofs,4));
@m = unpack("vv",substr($data,$ofs,4));
($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]);
$ofs += 4;
my @m = unpack("vv",substr($data,$ofs,4));
@m = unpack("vv",substr($data,$ofs,4));
($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]);
my $jmp;
@ -770,9 +770,9 @@ sub parseFolderEntry {
$ofs += $jmp;
my $str = substr($data,$ofs,length($data) - 30);
my $longname = (split(/\00\00/,$str,2))[0];
$longname =~ s/\00//g;
$str = substr($data,$ofs,length($data) - 30);
my $longname = (split(/\x00\x00/,$str,2))[0];
$longname =~ s/\x00//g;
if ($longname ne "") {
$item{name} = $longname;
@ -863,9 +863,9 @@ sub parseFolderEntry2 {
}
::rptMsg("");
$item{name} = (split(/\00\00/,$str,2))[0];
$item{name} =~ s/\13\20/\2D\00/;
$item{name} =~ s/\00//g;
$item{name} = (split(/\x00\x00/,$str,2))[0];
$item{name} =~ s/\x13\x20/\x2D\x00/;
$item{name} =~ s/\x00//g;
return %item;
}
@ -876,7 +876,7 @@ sub parseNetworkEntry {
my $data = shift;
my %item = ();
$item{type} = unpack("C",substr($data,2,1));
my @names = split(/\00/,substr($data,5,length($data) - 5));
my @names = split(/\x00/,substr($data,5,length($data) - 5));
$item{name} = $names[0];
return %item;
}
@ -890,7 +890,6 @@ sub printData {
my $data = shift;
my $len = length($data);
my $tag = 1;
my $cnt = 0;
my @display = ();
my $loop = $len/16;
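Review bot: The substitution `$item{name} =~ s/\x13\x20/\x2D\x00/;` in the parseFolderEntry2 hunk changes meaning relative to the old octal form (`\13\20` matched bytes 0x0B 0x10, the new pattern matches 0x13 0x20), and nothing explains the byte values, so a later reader cannot tell which was intended. If the intent is to normalise a UTF-16LE EN DASH (U+2013) to an ASCII hyphen before the NULs are stripped, say so: `# replace UTF-16LE EN DASH (U+2013, bytes 13 20) with ASCII '-' before stripping NULs`. The pattern also lacks /g, so only the first dash is replaced; whether that is deliberate deserves a word in the same comment. The same line appears in the parseFolderEntry2 hunk of the first file section.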


@ -52,8 +52,7 @@ sub pluginmain {
return
}
my $key_path = $ccs."\\Control\\Watchdog\\Display";
my $key;
$key_path = $ccs."\\Control\\Watchdog\\Display";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("ShutdownCount");
::rptMsg($key_path);
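Review bot: The new `$key_path = $ccs."\\Control\\Watchdog\\Display";` drops both `my` declarations, so the following `if ($key = $root_key->get_subkey($key_path))` now depends on `$key` and `$key_path` having been declared earlier in pluginmain, which starts outside this hunk. Under `use strict` a missing earlier `my $key;` fails at compile time, so this is worth confirming in each plugin rather than assuming. The same edit is made in the later EAPOL, StillImage, Terminal Server Client, Enum\USB and Enum\USBStor sections.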


@ -45,17 +45,13 @@ sub pluginmain {
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $install;
eval {
my $v1 = $install = $key->get_subkey("Installer")->get_value("DonwloadLastModified");
if (defined $v1) {
my $install = $v1->get_data()
::rptMsg("DonwloadLastModified = ".$install);
}
else {
::rptMsg("DonwloadLastModified value not found");
}
$install = $key->get_subkey("Installer")->get_value("DonwloadLastModified")->get_data();
::rptMsg("DonwloadLastModified = ".$install);
};
::rptMsg("DonwloadLastModified value not found: ".$@) if ($@);
}
else {
::rptMsg($key_path." not found.");
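Review bot: The value name is spelled `DonwloadLastModified` in the lookup and in both messages; if that is a typo for the registry value rather than its literal name, `get_value` returns undef, the chained `->get_data()` dies inside the eval, and the plugin will always report "value not found", so please verify the spelling against a hive that has the Installer subkey. If the misspelling really is what the registry contains, a one-line comment above the eval, `# value name is misspelled in the registry itself`, would stop the next maintainer from "fixing" it. The new `$@` message also carries Perl's " at FILE line N" suffix, which is noise in report output; `chomp` or a fixed string would be cleaner. pluginmain continues outside this hunk.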


@ -1,33 +1,61 @@
# 20120528 *ALL* Plugins that apply on SOFTWARE hive, alphabetical order
# 20161213 *ALL* Plugins that apply on SOFTWARE hive, alphabetical order
ahaha
appinitdlls
apppaths
apppaths_tln
assoc
at
at_tln
audiodev
banner
bho
bitbucket
btconfig
clsid
cmd_shell
cmd_shell_tln
codeid
ctrlpnl
defbrowser
dcom
dfrg
direct
direct_tln
disablesr
drivers32
drwatson
emdmgmt
esent
etos
gauss
gpohist
gpohist_tln
handler
ie_version
ie_zones
imagefile
init_dlls
inprocserver
installedcomp
installer
javasoft
kb950582
landesk
landesk_tln
lastloggedon
lazyshell
licenses
logmein
logmein_tln
macaddr
mrt
msis
netsh
networkcards
networklist
networklist_tln
networkuid
opencandy
port_dev
product
profilelist
regback
@ -43,17 +71,28 @@ snapshot
soft_run
spp_clients
sql_lastconnect
srun_tln
ssid
startmenuinternetapps_lm
susclient
svchost
systemindex
teamviewer
tracing
uninstall
urlzone
tracing_tln
trappoll
uac
uninstall
uninstall_tln
urlzone
virut
win_cv
volinfocache
wbem
winbackup
win_cv
winevt
winlogon
winlogon_tln
winnt_cv
winver
yahoo_lm


@ -109,8 +109,7 @@ sub pluginmain {
# Now, go to the EAPOL key, locate the appropriate subkeys and parse out
# any available SSIDs
# EAPOL is Extensible Authentication Protocol over LAN
my $key_path = "Microsoft\\EAPOL\\Parameters\\Interfaces";
my $key;
$key_path = "Microsoft\\EAPOL\\Parameters\\Interfaces";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("");
::rptMsg($key_path);


@ -55,8 +55,7 @@ sub pluginmain {
return;
}
my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}";
my $key;
$key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}";
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys();
@ -89,8 +88,7 @@ sub pluginmain {
# http://msdn.microsoft.com/en-us/library/ms791870.aspx
# StillImage logging levels
my $key_path = $ccs."\\Control\\StillImage\\Logging";
my $key;
$key_path = $ccs."\\Control\\StillImage\\Logging";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("");
::rptMsg("StillImage Logging Level");


@ -90,8 +90,8 @@ sub parseSN {
my $sz = unpack("C",substr($data,2,1));
$sn = substr($data,$offset,$sz);
$sn =~ s/\00//g;
$sn =~ s/\20//g;
$sn =~ s/\x00//g;
$sn =~ s/\x20//g;
return $sn;
}
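Review bot: `$sn =~ s/\x20//g;` is a behaviour change, not just a notation change: the old octal `\20` matched byte 0x10, the new form strips every ASCII space, including any inside the serial number. If the goal is to drop NUL and space padding, a comment such as `# strip NUL and space padding from the serial number` makes the intent explicit; if internal spaces could be significant for matching against other artefacts, trimming only the ends with `$sn =~ s/\A\s+|\s+\z//g;` is the safer form. parseSN starts outside this hunk.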


@ -1,14 +1,19 @@
# 20120528 *ALL* Plugins that apply on SYSTEM hive, alphabetical order
# 20161213 *ALL* Plugins that apply on SYSTEM hive, alphabetical order
appcertdlls
appcompatcache
appcompatcache_tln
auditfail
backuprestore
bthport
comfoo
compname
crashcontrol
ddm
devclass
diag_sr
disablelastaccess
dllsearch
dnschanger
eventlog
eventlogs
fw_config
@ -17,29 +22,43 @@ ide
imagedev
kbdcrash
legacy
legacy_tln
lsa_packages
mountdev
mountdev2
netsvcs
network
nic
nic_mst2
nic2
nic_mst2
nolmhash
pagefile
pending
phdet
prefetch
#This currently gets stuck in an infinite loop
#productpolicy
processor_architecture
productpolicy
producttype
rdpnla
rdpport
regin
remoteaccess
routes
safeboot
securityproviders
services
shares
shimcache
shimcache_tln
shutdown
shutdowncount
stillimage
svc
svc2
svc_plus
svcdll
svc_plus
svc_tln
systemindex
termcert
termserv
timezone
usb
@ -47,5 +66,5 @@ usbdevices
usbstor
usbstor2
usbstor3
xpedition
wpdbusenum
xpedition


@ -3,6 +3,7 @@
# Plugin for Registry Ripper;
#
# Change history
# 20160224 - added SysProcs info
# 20131007 - updated with Sticky Keys info
# 20130307 - updated with autostart locations
# 20100713 - Updated to include additional values, based on references
@ -12,6 +13,7 @@
# Category: Autostart
#
# References
# SysProcs - https://support.microsoft.com/en-us/kb/899867
# Change TS listening port number - http://support.microsoft.com/kb/187623
# Examining TS key - http://support.microsoft.com/kb/243215
# Win2K8 TS stops listening - http://support.microsoft.com/kb/954398
@ -30,7 +32,7 @@ my %config = (hive => "System",
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20130307);
version => 20160224);
sub getConfig{return %config}
sub getShortDescr {
@ -149,6 +151,19 @@ sub pluginmain {
};
::rptMsg(" InitialProgram value not found\.") if ($@);
# Added 20160224
eval {
my $sys = $ts->get_subkey("SysProcs");
my @vals = $sys->get_list_of_values();
if ((scalar @vals) > 0) {
::rptMsg("SysProcs key values");
::rptMsg("LastWrite: ".gmtime($sys->get_timestamp())." Z");
foreach my $v (@vals) {
::rptMsg(" ".$v->get_name()." - ".$v->get_data());
}
}
};
# Sticky Keys info, added 20131007
# ref: http://www.room362.com/blog/2012/5/25/sticky-keys-and-utilman-against-nla.html
eval {
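Review bot: The new SysProcs `eval { ... };` block discards `$@`, so a missing SysProcs subkey (method call on undef) and a genuine parse failure both produce no output at all, whereas the InitialProgram block just above reports `if ($@)`. For an autostart location an analyst needs to distinguish "key absent" from "plugin failed", so add `::rptMsg(" SysProcs key not found\.") if ($@);` after the closing `};` to match the surrounding style. pluginmain continues outside this hunk.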


@ -4,6 +4,7 @@
# contents of the TimeZoneInformation key
#
# Change history
# 20160318 - added display of TimeZoneKeyName value
# 20130830 - updated
# 20080324 - created
#
@ -24,7 +25,7 @@ my %config = (hive => "System",
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20130830);
version => 20160318);
sub getConfig{return %config}
sub getShortDescr {
@ -73,6 +74,7 @@ sub pluginmain {
::rptMsg(" Bias -> ".$b." (".($b/60)." hours)");
::rptMsg(" ActiveTimeBias -> ".$a." (".($a/60)." hours)");
::rptMsg(" TimeZoneKeyName-> ".$tz_vals{"TimeZoneKeyName"}) if exists ($tz_vals{"TimeZoneKeyName"});
}
else {


@ -4,9 +4,11 @@
# the default security settings for the application
#
# Change history
# 20160224 - modified per Mari's blog post
# 20120716 - created
#
# References
# http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
# ForensicArtifacts.com posting by Andrew Case:
# http://forensicartifacts.com/2012/07/ntuser-trust-records/
# http://archive.hack.lu/2010/Filiol-Office-Documents-New-Weapons-of-Cyberwarfare-slides.pdf
@ -18,15 +20,16 @@ package trustrecords;
use strict;
my %config = (hive => "NTUSER\.DAT",
category => "User Activity",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20120716);
version => 20160224);
sub getConfig{return %config}
sub getShortDescr {
return "Gets user's Office 2010 TrustRecords values";
return "Get user's MSOffice TrustRecords values";
}
sub getDescr{}
sub getRefs {}
@ -34,6 +37,11 @@ sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my $office_version;
my %vba = (1 => "Enable all macros",
2 => "Disable all macros w/ notification",
3 => "Disalbe all macros except dig. signed macros",
4 => "Disalbe all macros w/o notification");
sub pluginmain {
my $class = shift;
@ -43,43 +51,63 @@ sub pluginmain {
my $root_key = $reg->get_root_key;
::rptMsg("trustrecords v.".$VERSION);
::rptMsg("");
# First, let's find out which version of Office is installed
my @version;
my $key;
my $key_path = "Software\\Microsoft\\Office";
if (my $key = $root_key->get_subkey($key_path)) {
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys();
foreach my $s (@subkeys) {
my $name = $s->get_name();
push(@version,$name) if ($name =~ m/^\d/);
}
}
# Determine MSOffice version in use
my @v = reverse sort {$a<=>$b} @version;
# ::rptMsg("Office version = ".$v[0]);
foreach my $i (@v) {
eval {
if (my $o = $key->get_subkey($i."\\User Settings")) {
$office_version = $i;
}
};
}
# Now that we have the most recent version of Office installed, let's
# start looking at the various subkeys
my @apps = ("Word","PowerPoint","Excel","Access");
my $key_path = "Software\\Microsoft\\Office\\".$v[0];
$key_path = "Software\\Microsoft\\Office\\".$office_version;
foreach my $app (@apps) {
my $app_path = $key_path."\\".$app."\\Security\\Trusted Documents";
::rptMsg($app);
::rptMsg("**".$app."**");
::rptMsg("-" x 10);
my $app_path = $key_path."\\".$app."\\Security";
eval {
if (my $sec = $root_key->get_subkey($app_path)) {
::rptMsg("Security key LastWrite: ".gmtime($sec->get_timestamp())." Z");
my $w = $sec->get_value("VBAWarnings")->get_data();
::rptMsg("VBAWarnings = ".$vba{$w});
::rptMsg("");
}
};
# Trusted Documents/Trust Records
$app_path = $key_path."\\".$app."\\Security\\Trusted Documents";
if (my $app_key = $root_key->get_subkey($app_path)) {
my $lastpurge = $app_key->get_value("LastPurgeTime")->get_data();
::rptMsg("LastPurgeTime = ".gmtime($lastpurge));
if (my $trust = $app_key->get_subkey("TrustRecords")) {
my @vals = $trust->get_list_of_values();
foreach my $v (@vals) {
my ($t0,$t1) = (unpack("VV",substr($v->get_data(),0,8)));
my $data = $v->get_data();
my ($t0,$t1) = (unpack("VV",substr($data,0,8)));
my $t = ::getTime($t0,$t1);
::rptMsg(gmtime($t)." -> ".$v->get_name());
::rptMsg(gmtime($t)." Z : ".$v->get_name());
my $e = unpack("V",substr($data, length($data) - 4, 4));
::rptMsg("**Enable Content button clicked.") if ($e == 2147483647);
}
}
}
::rptMsg("");
}
}
1;
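Review bot: The version-detection loop `foreach my $i (@v)` never stops at the first hit: `@v` is sorted descending and every version with a `User Settings` subkey overwrites `$office_version`, so the plugin ends up examining the oldest matching Office version even though the comment below says the most recent one is used; `last if (defined $office_version);` as the first statement of the loop body fixes that. If no version has that subkey, `$office_version` stays undef and `$key_path` silently becomes `Software\Microsoft\Office\`, so an explicit `::rptMsg("Office version not found."); return;` before the `@apps` loop would be clearer than a warning. The `%vba` strings for 3 and 4 read `Disalbe` and are printed to the report. The same loop is added in trustrecords_tln in the next file section.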


@ -4,9 +4,11 @@
# the default security settings for the application
#
# Change history
# 20160224 - modified per Mari's blog post
# 20120717 - created; modified from trustrecords.pl plugin
#
# References
# http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
# ForensicArtifacts.com posting by Andrew Case:
# http://forensicartifacts.com/2012/07/ntuser-trust-records/
# http://archive.hack.lu/2010/Filiol-Office-Documents-New-Weapons-of-Cyberwarfare-slides.pdf
@ -18,15 +20,16 @@ package trustrecords_tln;
use strict;
my %config = (hive => "NTUSER\.DAT",
category => "User Activity",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20120717);
version => 20160224);
sub getConfig{return %config}
sub getShortDescr {
return "Gets user's Office 2010 TrustRecords values; TLN output";
return "Get user's MSOffice TrustRecords values";
}
sub getDescr{}
sub getRefs {}
@ -34,6 +37,7 @@ sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my $office_version;
sub pluginmain {
my $class = shift;
@ -45,8 +49,9 @@ sub pluginmain {
# ::rptMsg("trustrecords v.".$VERSION);
# First, let's find out which version of Office is installed
my @version;
my $key;
my $key_path = "Software\\Microsoft\\Office";
if (my $key = $root_key->get_subkey($key_path)) {
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys();
foreach my $s (@subkeys) {
my $name = $s->get_name();
@ -54,29 +59,37 @@ sub pluginmain {
}
}
# Determine MSOffice version in use
my @v = reverse sort {$a<=>$b} @version;
# ::rptMsg("Office version = ".$v[0]);
foreach my $i (@v) {
eval {
if (my $o = $key->get_subkey($i."\\User Settings")) {
$office_version = $i;
}
};
}
::rptMsg("Version: ".$office_version);
# Now that we have the most recent version of Office installed, let's
# start looking at the various subkeys
my @apps = ("Word","PowerPoint","Excel","Access");
my $key_path = "Software\\Microsoft\\Office\\".$v[0];
$key_path = "Software\\Microsoft\\Office\\".$office_version;
foreach my $app (@apps) {
my $app_path = $key_path."\\".$app."\\Security\\Trusted Documents";
# ::rptMsg($app);
if (my $app_key = $root_key->get_subkey($app_path)) {
# my $lastpurge = $app_key->get_value("LastPurgeTime")->get_data();
# ::rptMsg("LastPurgeTime = ".gmtime($lastpurge));
if (my $trust = $app_key->get_subkey("TrustRecords")) {
my @vals = $trust->get_list_of_values();
foreach my $v (@vals) {
my ($t0,$t1) = (unpack("VV",substr($v->get_data(),0,8)));
my $data = $v->get_data();
my ($t0,$t1) = (unpack("VV",substr($data,0,8)));
my $t = ::getTime($t0,$t1);
# ::rptMsg(gmtime($t)." -> ".$v->get_name());
::rptMsg($t."|REG|||TrustRecords - ".$v->get_name());
my $descr = "TrustRecords - ".$v->get_name();
my $e = unpack("V",substr($data, length($data) - 4, 4));
$descr = $descr." [Enable Content button clicked]" if ($e == 2147483647);
::rptMsg($t."|REG|||".$descr);
}
}
}
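Review bot: `::rptMsg("Version: ".$office_version);` is the only live non-TLN line in this plugin: the banner and the per-app `::rptMsg($app)` stay commented out because the _tln output is consumed as pipe-delimited `time|REG|||descr` records, so this line injects a row that a timeline parser cannot interpret. Either comment it out like the others or route it through `::logMsg("trustrecords_tln: Office version ".$office_version);` so it lands in the log rather than the timeline. pluginmain continues outside this hunk.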


@ -71,8 +71,7 @@ sub pluginmain {
}
::rptMsg("");
my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers';
my $key;
$key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers';
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");


@ -64,8 +64,7 @@ sub pluginmain {
}
::rptMsg("");
my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers';
my $key;
$key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers';
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");


@ -28,7 +28,7 @@ my %config = (hive => "Software",
sub getConfig{return %config}
sub getShortDescr {
return "Get Select User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System";
return "Get Select User Account Control (UAC) Values from HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System";
}
sub getDescr{}
sub getRefs {}


@ -32,7 +32,7 @@ my %config = (hive => "Software, NTUSER\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of Uninstall keys from Software, NTUSER\.DAT hives";
return "Gets contents of Uninstall keys from Software, NTUSER.DAT hives";
}
sub getDescr{}
sub getRefs {}


@ -30,7 +30,7 @@ my %config = (hive => "Software, NTUSER\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of Uninstall keys from Software, NTUSER\.DAT hives(TLN format)";
return "Gets contents of Uninstall keys from Software, NTUSER.DAT hives(TLN format)";
}
sub getDescr{}
sub getRefs {}


@ -26,7 +26,7 @@ my %config = (hive => "NTUSER\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "[Autostart] Get autostart key contents from NTUSER\.DAT hive";
return "[Autostart] Get autostart key contents from NTUSER.DAT hive";
}
sub getDescr{}
sub getRefs {


@ -56,8 +56,7 @@ sub pluginmain {
return;
}
my $key_path = $ccs."\\Enum\\USB";
my $key;
$key_path = $ccs."\\Enum\\USB";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("USBStor");
::rptMsg($key_path);


@ -54,8 +54,7 @@ sub pluginmain {
return;
}
my $key_path = $ccs."\\Enum\\USB";
my $key;
$key_path = $ccs."\\Enum\\USB";
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys();


@ -58,8 +58,7 @@ sub pluginmain {
return;
}
my $key_path = $ccs."\\Enum\\USBStor";
my $key;
$key_path = $ccs."\\Enum\\USBStor";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("USBStor");
::rptMsg($key_path);


@ -30,6 +30,8 @@ my $VERSION = getVersion();
my $reg;
sub pluginmain {
::logMsg("Launching usbstor2 v.".$VERSION);
::rptMsg("usbstor2 v.".$VERSION); # banner
my $class = shift;
my $hive = shift;
$reg = Parse::Win32Registry->new($hive);
@ -56,8 +58,7 @@ sub pluginmain {
};
$comp_name = "Test" if ($@);
my $key_path = $ccs."\\Enum\\USBStor";
my $key;
$key_path = $ccs."\\Enum\\USBStor";
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys();
@ -119,7 +120,7 @@ sub checkMountedDevices {
next unless ($name =~ m/^\\DosDevices/);
my $data = $v->get_data();
if (length($data) > 12) {
$data =~ s/\00//g;
$data =~ s/\x00//g;
return $name if (grep(/$pip/,$data));
}
}
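Review bot: `$pip` is interpolated unescaped into the pattern in `grep(/$pip/,$data)` on the line right after the edited substitution, so a ParentIdPrefix read from the hive that contains regex metacharacters (`(`, `+`, `.`) is treated as a pattern rather than literal text, and an unbalanced `(` makes the regex fail to compile and aborts the plugin — relevant when the hive under examination may have been tampered with. Quote the value and match directly: `return $name if ($data =~ /\Q$pip\E/);` (this also replaces the odd `grep` over a single scalar). The `s/\x00//g` change itself is cosmetic, since `\00` and `\x00` both denote NUL. checkMountedDevices begins outside the hunk, and that `$pip` originates from registry data is inferred from its name — confirm at the call site.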


@ -51,8 +51,7 @@ sub pluginmain {
return;
}
my $key_path = $ccs."\\Enum\\USBStor";
my $key;
$key_path = $ccs."\\Enum\\USBStor";
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg("USBStor");
# ::rptMsg($key_path);


@ -33,7 +33,7 @@ my %config = (hive => "NTUSER\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "[Autostart] Get autostart key contents from NTUSER\.DAT hive";
return "[Autostart] Get autostart key contents from NTUSER.DAT hive";
}
sub getDescr{}
sub getRefs {


@ -5,6 +5,7 @@
# UserAssist values
#
# Change history
# 20170304 - removed alerts, added printing of values with no timestamps in the data
# 20130603 - added alert functionality
# 20100322 - Added CLSID list reference
# 20100308 - created, based on original userassist.pl plugin
@ -13,7 +14,7 @@
# Control Panel Applets - http://support.microsoft.com/kb/313808
# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm
#
# copyright 2010 Quantum Analytics Research, LLC
# copyright 2017 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package userassist;
use strict;
@ -23,12 +24,7 @@ my %config = (hive => "NTUSER\.DAT",
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20130603);
my @paths = ("recycle","globalroot","temp","system volume information","appdata",
"application data");
my @alerts = ();
version => 20170204);
sub getConfig{return %config}
sub getShortDescr {
@ -44,7 +40,7 @@ my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching userassist2 v.".$VERSION);
::logMsg("Launching userassist v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
@ -78,7 +74,8 @@ sub processKey {
my $key = $ua->get_subkey("Count");
my %ua;
my %ua = ();
my @no_time = ();
my $hrzr = "HRZR";
my @vals = $key->get_list_of_values();
@ -98,6 +95,9 @@ sub processKey {
$count -= 5 if ($count > 5);
push(@{$ua{$time_value}},$value_name." (".$count.")");
}
else {
push(@no_time,$value_name);
}
}
# Windows 7
elsif (length($data) == 72) {
@ -112,9 +112,16 @@ sub processKey {
# }
my $count = unpack("V",substr($data,4,4));
my @t = unpack("VV",substr($data,60,8));
next if ($t[0] == 0 && $t[1] == 0);
my $time_val = ::getTime($t[0],$t[1]);
push(@{$ua{$time_val}},$value_name." (".$count.")");
if ($t[0] == 0 && $t[1] == 0) {
push(@no_time,$value_name);
}
else {
#
# print "Value name: ".$value_name."\n";
#
my $time_val = ::getTime($t[0],$t[1]);
push(@{$ua{$time_val}},$value_name." (".$count.")");
}
}
else {
# Nothing else to do
@ -124,22 +131,14 @@ sub processKey {
::rptMsg(gmtime($t)." Z");
foreach my $i (@{$ua{$t}}) {
::rptMsg(" ".$i);
my $lci = lc($i);
foreach my $a (@paths) {
push(@alerts,"ALERT: userassist: ".$a." found in path: ".$i) if (grep(/$a/,$lci));
}
}
}
}
if (scalar(@alerts) > 0) {
print "\n";
print "Alerts:\n";
foreach (@alerts) {
::alertMsg($_);
::rptMsg("");
::rptMsg("Value names with no time stamps:");
foreach my $n (@no_time) {
::rptMsg(" ".$n);
}
}
}
1;
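Review bot: The `%config` entry `version => 20170204` does not match the change-history line `20170304` added to the header, so the version the plugin logs and prints will disagree with its own changelog; use the same date in both places. The `Value names with no time stamps:` header is also emitted unconditionally, which prints an empty section on hives where every entry carried a timestamp — wrap the block in `if (scalar(@no_time) > 0) { ... }`. processKey starts outside the hunk, so the variable declarations it relies on are not visible here.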


@ -1,3 +1,5 @@
# 20120918 *ALL* Plugins that apply on USRCLASS hive, alphabetical order
muicache
# 20161213 *ALL* Plugins that apply on USRCLASS hive, alphabetical order
cmd_shell_u
photos
shellbags
shellbags_tln


@ -23,7 +23,7 @@ my %config = (hive => "NTUSER\.DAT",
sub getConfig{return %config}
sub getShortDescr {
return "Get BitBucket settings from Vista via NTUSER\.DAT";
return "Get BitBucket settings from Vista via NTUSER.DAT";
}
sub getDescr{}
sub getRefs {}


@ -72,8 +72,7 @@ sub pluginmain {
::rptMsg($key_path." not found.");
}
my $key_path = "Software\\RealVNC\\VNCViewer4\\MRU";
my $key;
$key_path = "Software\\RealVNC\\VNCViewer4\\MRU";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");


@ -85,8 +85,8 @@ sub pluginmain {
#-----------------------------------------------------------
sub getStringValue {
my $bin = shift;
my $str = (split(/\00\00/,$bin,2))[0];
$str =~ s/\00//g;
my $str = (split(/\x00\x00/,$bin,2))[0];
$str =~ s/\x00//g;
return $str;
}
1;
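Review bot: getStringValue splits `$bin` at the first `\x00\x00` byte pair without regard to 2-byte alignment, so if the data is UTF-16LE (as the double-NUL terminator suggests) an ASCII character followed by a code unit whose low byte is 0x00 (e.g. U+0100, bytes `00 01`) yields a false terminator at an odd offset and truncates the string; the following `s/\x00//g` likewise mangles any non-ASCII code unit rather than decoding it. Locate the terminator at an even offset and decode instead of stripping NULs: `my $end = 0; $end++ while (($end = index($bin, "\x00\x00", $end)) >= 0 && $end % 2);` followed by `return Encode::decode('UTF-16LE', $end < 0 ? $bin : substr($bin, 0, $end));` (Encode is core, but `use Encode;` would have to be added at the top of the file, outside this hunk). The `\00` to `\x00` edit itself is cosmetic — both are NUL — though it does make the intent clearer.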


@ -136,8 +136,7 @@ sub pluginmain {
#status
::rptMsg("");
my $key_path = "Microsoft\\Windows\\CurrentVersion\\WindowsBackup\\Status";
my $key;
$key_path = "Microsoft\\Windows\\CurrentVersion\\WindowsBackup\\Status";
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg("{name}");
::rptMsg($key_path);


@ -25,8 +25,9 @@ my %config = (hive => "Software",
sub getConfig{return %config}
sub getShortDescr {
return "Get the Windows event log policy from the Winevt'\'Channels key";
return "Get the Windows event log policy from the Winevt\\Channels key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
@ -44,14 +45,10 @@ sub pluginmain {
my $hive = shift;
my $reg = Parse::Win32Registry->new($hive);
sub getShortDescr {
return "Get the Windows event log policy from the Winevt\Channels key";
}
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");


@ -4,6 +4,8 @@
# Output sorted based on length of data
#
# Change History:
# 20161123: added translation of InstallTime time (found in Win10) - Phill Moore, randomaccess3@gmail.com
# InstallTime should match InstallDate
# 20080609: added translation of InstallDate time
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
@ -16,7 +18,7 @@ my %config = (hive => "Software",
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080609);
version => 20161123);
sub getConfig{return %config}
sub getShortDescr {
@ -51,6 +53,12 @@ sub pluginmain {
my $name = $v->get_name();
my $data = $v->get_data();
$data = gmtime($data)." (UTC)" if ($name eq "InstallDate");
if ($name eq "InstallTime"){
my @t = unpack("VV",$data);
$data = gmtime(::getTime($t[0],$t[1]))." (UTC)";
}
my $len = length($data);
next if ($name eq "");
if ($v->get_type() == 3) {


@ -57,7 +57,7 @@ sub pluginmain {
}
else {
my $data = $v->get_data();
$data =~ s/\00//g;
$data =~ s/\x00//g;
$wwq{$name} = $data;
}
}


@ -59,8 +59,7 @@ sub pluginmain {
return;
}
my $key_path = $ccs."\\Enum\\WpdBusEnumRoot";
my $key;
$key_path = $ccs."\\Enum\\WpdBusEnumRoot";
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys();
@ -129,8 +128,7 @@ sub pluginmain {
# number of references to USBOblivion, a tool described as being able to wipe
# out (all) indications of USB removable storage devices being connected to
# the system.
my $key_path = $ccs."\\Control\\DeviceClasses\\{10497b1b-ba51-44e5-8318-a65c837b6661}";
my $key;
$key_path = $ccs."\\Control\\DeviceClasses\\{10497b1b-ba51-44e5-8318-a65c837b6661}";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
my @subkeys = $key->get_list_of_subkeys();