diff --git a/RecentActivity/nbproject/genfiles.properties b/RecentActivity/nbproject/genfiles.properties index edf146affb..9e5bb239dc 100644 --- a/RecentActivity/nbproject/genfiles.properties +++ b/RecentActivity/nbproject/genfiles.properties @@ -1,8 +1,8 @@ -build.xml.data.CRC32=9b8a08d3 +build.xml.data.CRC32=dacaa05a build.xml.script.CRC32=d323407a build.xml.stylesheet.CRC32=a56c6a5b@1.46.1 # This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml. # Do not edit this file. You may delete it but then the IDE will never regenerate such files for you. -nbproject/build-impl.xml.data.CRC32=9b8a08d3 +nbproject/build-impl.xml.data.CRC32=dacaa05a nbproject/build-impl.xml.script.CRC32=aef16a21 nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.1 diff --git a/RecentActivity/nbproject/project.properties b/RecentActivity/nbproject/project.properties index b9c82fbb81..c2587f0f66 100644 --- a/RecentActivity/nbproject/project.properties +++ b/RecentActivity/nbproject/project.properties @@ -1,4 +1,4 @@ -file.reference.jcalendarbutton-1.4.5.jar=release/modules/ext/jcalendarbutton-1.4.5.jar +file.reference.gson-2.1.jar=release/modules/ext/gson-2.1.jar file.reference.jdom-1.1.2.jar=release/modules/ext/jdom-1.1.2.jar file.reference.sqlite-jdbc-3.7.6.3-20110609.081603-3.jar=release/modules/ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar javac.source=1.6 diff --git a/RecentActivity/nbproject/project.xml b/RecentActivity/nbproject/project.xml index 1184a96e43..c6387afb84 100644 --- a/RecentActivity/nbproject/project.xml +++ b/RecentActivity/nbproject/project.xml @@ -195,12 +195,12 @@ release/modules/ext/gson-2.1.jar - ext/jdom-1.1.2.jar - release/modules/ext/jdom-1.1.2.jar + ext/commons-lang3-3.1.jar + release/modules/ext/commons-lang3-3.1.jar - ext/jcalendarbutton-1.4.5.jar - release/modules/ext/jcalendarbutton-1.4.5.jar + ext/jdom-1.1.2.jar + release/modules/ext/jdom-1.1.2.jar 
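Review bot: The project.xml hunk adds a class-path entry for `release/modules/ext/commons-lang3-3.1.jar`, but the project.properties hunk in the same commit adds only `file.reference.gson-2.1.jar` and no matching `file.reference.commons-lang3-3.1.jar=release/modules/ext/commons-lang3-3.1.jar` line, which may be an oversight the IDE will silently paper over on the next regeneration. More importantly from a supply-chain standpoint, both gson-2.1 and commons-lang3-3.1 enter the build as opaque jars checked into `release/modules/ext` with nothing in the commit recording where they were obtained or their checksum; a short note next to the entry (e.g. `commons-lang3-3.1.jar: Maven Central, SHA-1 <hash>`) or a verified-hash step in the build would let a later reviewer confirm the binary is the upstream artifact. The element names of this hunk are not visible in this rendering, so the exact XML wrapper is inferred.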
diff --git a/RecentActivity/release/modules/ext/commons-lang3-3.1.jar b/RecentActivity/release/modules/ext/commons-lang3-3.1.jar new file mode 100644 index 0000000000..a85e539b17 Binary files /dev/null and b/RecentActivity/release/modules/ext/commons-lang3-3.1.jar differ diff --git a/RecentActivity/release/rr/plugins/acmru.pl b/RecentActivity/release/rr/plugins/acmru.pl deleted file mode 100644 index 55efea5f5d..0000000000 --- a/RecentActivity/release/rr/plugins/acmru.pl +++ /dev/null 
@@ -1,72 +0,0 @@ -#----------------------------------------------------------- -# acmru.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# ACMru values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package acmru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's ACMru key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching acmru v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Search Assistant\\ACMru'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ACMru - Search Assistant"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]"); - my @vals = $s->get_list_of_values(); - my %ac_vals; - foreach my $v (@vals) { - $ac_vals{$v->get_name()} = $v->get_data(); - } - foreach my $a (sort {$a <=> $b} keys %ac_vals) { - ::rptMsg("\t".$a." -> ".$ac_vals{$a}); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/adoberdr.pl b/RecentActivity/release/rr/plugins/adoberdr.pl deleted file mode 100644 index f46e5ebd67..0000000000 --- a/RecentActivity/release/rr/plugins/adoberdr.pl +++ /dev/null 
@@ -1,93 +0,0 @@ -#----------------------------------------------------------- -# adoberdr.pl -# Plugin for Registry Ripper -# Parse Adobe Reader MRU keys -# -# Change history -# 20100218 - added checks for versions 4.0, 5.0, 9.0 -# 20091125 - modified output to make a bit more clear -# -# References -# -# Note: LastWrite times on c subkeys will all be the same, -# as each subkey is modified as when a new entry is added -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package adoberdr; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's Adobe Reader cRecentFiles values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching adoberdr v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("Adoberdr v.".$VERSION); -# First, let's find out which version of Adobe Acrobat Reader is installed - my $version; - my $tag = 0; - my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0"); - foreach my $ver (@versions) { - my $key_path = "Software\\Adobe\\Acrobat Reader\\".$ver."\\AVGeneral\\cRecentFiles"; - if (defined($root_key->get_subkey($key_path))) { - $version = $ver; - $tag = 1; - } - } - - if ($tag) { - ::rptMsg("Adobe Acrobat Reader version ".$version." located."); - my $key_path = "Software\\Adobe\\Acrobat Reader\\".$version."\\AVGeneral\\cRecentFiles"; - my $key = $root_key->get_subkey($key_path); - if ($key) { - ::rptMsg($key_path); - ::rptMsg(""); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - my %arkeys; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - my $num = $s->get_name(); - my $data = $s->get_value('sDI')->get_data(); - $num =~ s/^c//; - $arkeys{$num}{lastwrite} = $s->get_timestamp(); - $arkeys{$num}{data} = $data; - } - ::rptMsg("Most recent PDF opened: ".gmtime($arkeys{1}{lastwrite})." (UTC)"); - foreach my $k (sort keys %arkeys) { - ::rptMsg(" c".$k." ".$arkeys{$k}{data}); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg("Could not access ".$key_path); - } - } - else { - ::rptMsg("Adobe Acrobat Reader version not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/aim.pl b/RecentActivity/release/rr/plugins/aim.pl deleted file mode 100644 index 32eeeae713..0000000000 --- a/RecentActivity/release/rr/plugins/aim.pl +++ /dev/null 
@@ -1,95 +0,0 @@ -#----------------------------------------------------------- -# aim -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package aim; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080325); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets info from the AOL Instant Messenger (not AIM) install"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching aim plugin v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = 'Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("AIM"); - ::rptMsg($key_path); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $user = $s->get_name(); - ::rptMsg("User: $user [".gmtime($s->get_timestamp())."]"); - - my $login = "Login"; - my $recent = "recent IM ScreenNames"; - my $recent2 = "recent ScreenNames"; - - my @userkeys = $s->get_list_of_subkeys(); - foreach my $u (@userkeys) { - my $us = $u->get_name(); -# See if we can get the encrypted password - if ($us =~ m/^$login/) { - my $pwd = ""; - eval { - $pwd = $u->get_value("Password1")->get_data(); - }; - ::rptMsg("Pwd: ".$pwd) if ($pwd ne ""); - } -# See if we can get recent folks they've chatted with... - if ($us eq $recent || $us eq $recent2) { - - my @vals = $u->get_list_of_values(); - if (scalar(@vals) > 0) { - ::rptMsg($user."\\".$us); - my %sns; - foreach my $v (@vals) { - $sns{$v->get_name()} = $v->get_data(); - } - - foreach my $i (sort {$a <=> $b} keys %sns) { - ::rptMsg("\t\t".$i." 
-> ".$sns{$i}); - } - } - else { -# No values - } - } - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/all b/RecentActivity/release/rr/plugins/all deleted file mode 100644 index 5f28a06eb6..0000000000 --- a/RecentActivity/release/rr/plugins/all +++ /dev/null @@ -1,3 +0,0 @@ -#------------------------------------- -# All -regtime \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/appinitdlls.pl b/RecentActivity/release/rr/plugins/appinitdlls.pl deleted file mode 100644 index 29c75915b1..0000000000 --- a/RecentActivity/release/rr/plugins/appinitdlls.pl +++ /dev/null 
@@ -1,61 +0,0 @@ -#----------------------------------------------------------- -# appinitdlls -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package appinitdlls; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of AppInit_DLLs value"; -} -sub getDescr{} -sub getRefs { - my %refs = ("Working with the AppInit_DLLs Reg Value" => - "http://support.microsoft.com/kb/q197571"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching appinitdlls v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\Windows'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("AppInit_DLLs"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - foreach my $v (@vals) { - my $name = $v->get_name(); - if ($name eq "AppInit_DLLs") { - my $data = $v->get_data(); - $data = "{blank}" if ($data eq ""); - ::rptMsg($name." -> ".$data); - } - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/applets.pl b/RecentActivity/release/rr/plugins/applets.pl deleted file mode 100644 index e29fffa083..0000000000 --- a/RecentActivity/release/rr/plugins/applets.pl +++ /dev/null 
@@ -1,96 +0,0 @@ -#----------------------------------------------------------- -# applets.pl -# Plugin for Registry Ripper -# Windows\CurrentVersion\Applets Recent File List values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package applets; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's Applets key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching applets v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Applets'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Applets"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); -# Locate files opened in MS Paint - my $paint_key = 'Paint\\Recent File List'; - my $paint = $key->get_subkey($paint_key); - if (defined $paint) { - ::rptMsg($key_path."\\".$paint_key); - ::rptMsg("LastWrite Time ".gmtime($paint->get_timestamp())." (UTC)"); - - my @vals = $paint->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path."\\".$paint_key." 
has no values."); - } - } - else { - ::rptMsg($key_path."\\".$paint_key." not found."); - } -# Get Last Registry key opened in RegEdit - my $reg_key = "Regedit"; - my $reg = $key->get_subkey($reg_key); - if (defined $reg) { - ::rptMsg(""); - ::rptMsg($key_path."\\".$reg_key); - ::rptMsg("LastWrite Time ".gmtime($reg->get_timestamp())." (UTC)"); - my $lastkey = $reg->get_value("LastKey")->get_data(); - ::rptMsg("RegEdit LastKey value -> ".$lastkey); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/apppaths.pl b/RecentActivity/release/rr/plugins/apppaths.pl deleted file mode 100644 index 85e00aab25..0000000000 --- a/RecentActivity/release/rr/plugins/apppaths.pl +++ /dev/null 
@@ -1,83 +0,0 @@ -#----------------------------------------------------------- -# apppaths -# Gets contents of App Paths subkeys from the Software hive, -# diplaying the EXE name and path; all entries are sorted by -# LastWrite time -# -# References -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package apppaths; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20080404); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets content of App Paths key"; -} -sub getDescr{} -sub getRefs { - my %refs = ("You cannot open Help and Support Center in Windows XP" => - "http://support.microsoft.com/kb/888018", - "Another installation program starts..." => - "http://support.microsoft.com/kb/888470"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching apppaths v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\App Paths"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("App Paths"); - ::rptMsg($key_path); - ::rptMsg(""); - my %apps; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - - my $name = $s->get_name(); - my $lastwrite = $s->get_timestamp(); - my $path; - eval { - $path = $s->get_value("")->get_data(); - }; - push(@{$apps{$lastwrite}},$name." [".$path."]"); - } - - foreach my $t (reverse sort {$a <=> $b} keys %apps) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$apps{$t}}) { - ::rptMsg(" $item"); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/arpcache.pl b/RecentActivity/release/rr/plugins/arpcache.pl deleted file mode 100644 index b8ed74f88f..0000000000 --- a/RecentActivity/release/rr/plugins/arpcache.pl +++ /dev/null 
@@ -1,133 +0,0 @@ -#----------------------------------------------------------- -# arpcache.pl -# Retrieves CurrentVersion\App Management\ARPCache entries; subkeys appear -# to maintain information about paths to installed applications in the -# SlowInfoCache value(0x10 - FILETIME object, null term. string with path -# starts at 0x1c) -# -# Change history -# 20090413 - Created -# -# References -# No references, but the subkeys appear to hold information about -# installed applications; some SlowInfoCache values appear to contain -# timestamp data (FILETIME object) and/or path information. Posts on -# the Internet indicate the existence of Kazaa beneath the APRCache key, -# as well as possibly an "Outerinfo" subkey indicating that spyware is -# installed. -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package arpcache; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090413); - -sub getConfig{return %config} -sub getShortDescr { - return "Retrieves CurrentVersion\\App Management\\ARPCache entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %arpcache; - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching arpcache v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $lw = $s->get_timestamp(); - my $name = $s->get_name(); - - my $path; - eval { - my $i = $s->get_value("SlowInfoCache")->get_data(); - $path = parsePath($i); - }; - ($@) ? ($name .= "|") : ($name .= "|".$path); - - my $date; - eval { - my $i = $s->get_value("SlowInfoCache")->get_data(); - $date = parseDate($i); - }; - ($@) ? ($name .= "|") : ($name .= "|".$date); - push(@{$arpcache{$lw}},$name); - } - - - foreach my $t (reverse sort {$a <=> $b} keys %arpcache) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$arpcache{$t}}) { - my ($name,$path,$date) = split(/\|/,$item,3); - ::rptMsg(" ".$name); - my $str = $path unless ($path eq ""); - $str .= " [".gmtime($date)."]" unless ($date == 0); - ::rptMsg(" -> ".$str) unless ($str eq ""); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; - -sub parseDate { - my $data = shift; - my ($t1,$t2) = unpack("VV",substr($data,0x10,8)); - return ::getTime($t1,$t2); -} - -sub parsePath { - my $data = shift; - my $ofs = 0x1c; - my $tag = 1; - - my $str = substr($data,$ofs,2); - if (unpack("v",$str) == 0) { - return ""; - } - else { - while($tag) { - $ofs += 2; - my $i = substr($data,$ofs,2); - if (unpack("v",$i) == 0) { - $tag = 0; - } - else { - $str .= $i; - } - } - } - $str =~ s/\00//g; - return $str; -} \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/assoc.pl b/RecentActivity/release/rr/plugins/assoc.pl deleted file mode 100644 index a2587da110..0000000000 --- a/RecentActivity/release/rr/plugins/assoc.pl +++ /dev/null 
@@ -1,87 +0,0 @@ -#----------------------------------------------------------- -# assoc.pl -# Plugin to extract file association data from the Software hive file -# Can take considerable time to run; recommend running it via rip.exe -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package assoc; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080815); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get list of file ext associations"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching assoc v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Classes"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("assoc"); - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); -# First step will be to get a list of all of the file extensions - my %ext; - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - next unless ($name =~ m/^\.\w+$/); - my $data; - eval { - $data = $s->get_value("")->get_data(); - }; - if ($@) { -# Error generated, as "(Default)" value was not found - } - else { - $ext{$name} = $data if ($data ne ""); - } - } -# Once a list of all file ext subkeys has been compiled, access the file type -# to determine the command line used to launch files with that extension - foreach my $e (keys %ext) { - my $cmd; - eval { - $cmd = $key->get_subkey($ext{$e}."\\shell\\open\\command")->get_value("")->get_data(); - }; - if ($@) { -# error generated attempting to locate .\shell\open\command\(Default) value - } - else { - ::rptMsg($e." : ".$cmd); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/auditfail.pl b/RecentActivity/release/rr/plugins/auditfail.pl deleted file mode 100644 index 019ec15eda..0000000000 --- a/RecentActivity/release/rr/plugins/auditfail.pl +++ /dev/null 
@@ -1,66 +0,0 @@ -#----------------------------------------------------------- -# auditfail.pl -# -# Ref: -# http://support.microsoft.com/kb/140058 -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package auditfail; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081212); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get CrashOnAuditFail value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my %val = (0 => "Feature is off; the system will not halt", - 1 => "Feature is on; the system will halt when events cannot be written to the ". - "Security Event Log", - 2 => "Feature is on and has been triggered; only Administrators can log in"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching auditfail v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - - my $lsa_path = "ControlSet00".$current."\\Control\\Lsa"; - my $lsa; - if ($lsa = $root_key->get_subkey($lsa_path)) { - - eval { - my $crash = $lsa->get_value("crashonauditfail")->get_data(); - ::rptMsg("CrashOnAuditFail = ".$crash); - ::rptMsg($val{$crash}); - }; - ::rptMsg($@) if ($@); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; diff --git a/RecentActivity/release/rr/plugins/auditpol.pl b/RecentActivity/release/rr/plugins/auditpol.pl deleted file mode 100644 index 11ea9a1096..0000000000 --- a/RecentActivity/release/rr/plugins/auditpol.pl +++ /dev/null 
@@ -1,88 +0,0 @@ -#----------------------------------------------------------- -# auditpol -# Get the audit policy from the Security hive file -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package auditpol; -use strict; - -my %config = (hive => "Security", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080327); - -sub getConfig{return %config} -sub getShortDescr { - return "Get audit policy from the Security hive file"; -} -sub getDescr{} -sub getRefs { - my %refs = ("How To Determine Audit Policies from the Registry" => - "http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246120"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %audit = (0 => "N", - 1 => "S", - 2 => "F", - 3 => "S/F"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching auditpol v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Policy\\PolAdtEv"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("auditpol"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - - my $data; - eval { - $data = $key->get_value("")->get_data(); - }; - if ($@) { - ::rptMsg("Error occurred getting data from ".$key_path); - ::rptMsg(" - ".$@); - } - else { -# Check to see if auditing is enabled - my $enabled = unpack("C",substr($data,0,1)); - if ($enabled) { - ::rptMsg("Auditing is enabled."); -# Get audit configuration settings - my @vals = unpack("V*",$data); - ::rptMsg("\tAudit System Events = ".$audit{$vals[1]}); - ::rptMsg("\tAudit Logon Events = ".$audit{$vals[2]}); - ::rptMsg("\tAudit Object Access = ".$audit{$vals[3]}); - ::rptMsg("\tAudit Privilege Use = ".$audit{$vals[4]}); - ::rptMsg("\tAudit Process Tracking = ".$audit{$vals[5]}); - ::rptMsg("\tAudit Policy Change = ".$audit{$vals[6]}); - ::rptMsg("\tAudit Account Management = ".$audit{$vals[7]}); - ::rptMsg("\tAudit Dir Service Access = ".$audit{$vals[8]}); - ::rptMsg("\tAudit Account Logon Events = ".$audit{$vals[9]}); - } - else { - ::rptMsg("**Auditing is NOT enabled."); - } - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/autoendtasks.pl b/RecentActivity/release/rr/plugins/autoendtasks.pl deleted file mode 100644 index 29b89d20ae..0000000000 --- a/RecentActivity/release/rr/plugins/autoendtasks.pl +++ /dev/null 
@@ -1,66 +0,0 @@ -#----------------------------------------------------------- -# autoendtasks.pl -# -# History -# 20081128 - created -# -# Ref: -# http://support.microsoft.com/kb/555619 -# This Registry setting tells XP (and Vista) to automatically -# end non-responsive tasks; value may not exist on Vista. -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package autoendtasks; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081128); - -sub getConfig{return %config} - -sub getShortDescr { - return "Automatically end a non-responsive task"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching autoendtasks v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = 'Control Panel\\Desktop'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("autoendtasks"); - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $autoend; - eval { - $autoend = $key->get_value("AutoEndTasks")->get_data(); - }; - if ($@) { - ::rptMsg("AutoEndTasks value not found."); - } - else { - ::rptMsg("AutoEndTasks = ".$autoend); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/autopsysystem b/RecentActivity/release/rr/plugins/autopsysystem new file mode 100644 index 0000000000..eebd89d7e9 --- /dev/null +++ b/RecentActivity/release/rr/plugins/autopsysystem 
@@ -0,0 +1,6 @@ +# List of plugins for the Registry Ripper + +#------------------------------------- +# system +autopsyusb +#autopsyusbdevices \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/usb.pl b/RecentActivity/release/rr/plugins/autopsyusb.pl similarity index 86% rename from RecentActivity/release/rr/plugins/usb.pl rename to RecentActivity/release/rr/plugins/autopsyusb.pl index 2a4c438c7c..9f5b97fdbd 100644 --- a/RecentActivity/release/rr/plugins/usb.pl +++ b/RecentActivity/release/rr/plugins/autopsyusb.pl @@ -6,7 +6,7 @@ # # copyright 2008 H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- -package usb; +package autopsyusb; use strict; my %config = (hive => "System", @@ -45,7 +45,7 @@ sub pluginmain { $ccs = "ControlSet00".$current; } else { - ::rptMsg($key_path." not found."); + #::rptMsg($key_path." not found."); return; } @@ -58,7 +58,8 @@ sub pluginmain { my $key_path = $ccs."\\Enum\\USB"; my $key; - if ($key = $root_key->get_subkey($key_path)) { + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); my @subkeys = $key->get_list_of_subkeys(); if (scalar(@subkeys) > 0) { @@ -93,19 +94,20 @@ sub pluginmain { }; - ::rptMsg($str); + ::rptMsg("" . $serial . ""); } } } } else { ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); + #::logMsg($key_path." has no subkeys."); } + ::rptMsg(""); } else { ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); + #::logMsg($key_path." not found."); } } 1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/usbdevices.pl b/RecentActivity/release/rr/plugins/autopsyusbdevices.pl similarity index 95% rename from RecentActivity/release/rr/plugins/usbdevices.pl rename to RecentActivity/release/rr/plugins/autopsyusbdevices.pl index 27f7ef8a29..b853d80c66 100644 --- a/RecentActivity/release/rr/plugins/usbdevices.pl +++ b/RecentActivity/release/rr/plugins/autopsyusbdevices.pl 
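Review bot: Commenting out `::rptMsg($key_path." not found.")` ahead of the early `return` in the `Select` lookup makes a hive that lacks the key indistinguishable from a system with no USB devices — the plugin now exits with no report output and no log entry, so whatever consumes this output on the Java side cannot tell a failed lookup from an empty result. Given that the report stream now appears to be consumed as structured output (the surrounding `::rptMsg("")` wrappers and the gson/JDOM dependencies added elsewhere in this commit), the diagnostic belongs in the log rather than the report: replace the commented-out line with `::logMsg("autopsyusb: ".$key_path." not found; cannot resolve CurrentControlSet");`. `pluginmain` begins outside this hunk.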
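Review bot: The new `::rptMsg("" . $serial . "")` emits the device serial straight into the report between two literals that, judging by the adjacent bare `::rptMsg("")` calls and the JSON/XML libraries added in project.xml, look like markup tags lost in this rendering. If the consumer parses that output as XML, `$serial` — read from `Enum\USB` subkeys of the hive under examination, i.e. data the subject of the investigation could have shaped — must be escaped before it is written or a crafted serial containing `&`, `<` or `>` will break or inject into the parse; e.g. `(my $esc = $serial) =~ s/&/&amp;/g; $esc =~ s/</&lt;/g; $esc =~ s/>/&gt;/g;` before the call, emitting `$esc` instead. The escaping rules differ if the format is JSON, so confirm what the Java side expects. `$serial` is assigned outside this hunk and `pluginmain` starts before it.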
@@ -7,7 +7,7 @@ # # copyright 2010 Quantum Analytics Research, LLC #----------------------------------------------------------- -package usbdevices; +package autopsyusbdevices; use strict; my %config = (hive => "System", @@ -98,11 +98,11 @@ sub pluginmain { } } else { - ::rptMsg($key_path." has no subkeys."); + #::rptMsg($key_path." has no subkeys."); } } else { - ::rptMsg($key_path." not found."); + #::rptMsg($key_path." not found."); } } 1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/autorun.pl b/RecentActivity/release/rr/plugins/autorun.pl deleted file mode 100644 index 50604cf4dd..0000000000 --- a/RecentActivity/release/rr/plugins/autorun.pl +++ /dev/null 
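Review bot: With both `::rptMsg($key_path." has no subkeys.")` and `::rptMsg($key_path." not found.")` commented out, and no `::logMsg` in either branch to take over, the plugin is silent when the key is absent or empty, so a caller cannot distinguish "no USB devices recorded" from "this hive does not contain the expected key" or a mis-resolved ControlSet path. Route the diagnostics to the log instead of dropping them: `::logMsg($key_path." has no subkeys.");` and `::logMsg($key_path." not found.");` in place of the two commented-out lines. `pluginmain` begins before this hunk.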
@@ -1,74 +0,0 @@ -#----------------------------------------------------------- -# autorun.pl -# Get autorun settings -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/953252 -# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit -# /regentry/91525.mspx?mfr=true -# -# copyright 2008-2009 H. Carvey -#----------------------------------------------------------- -package autorun; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081212); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets autorun settings"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching autorun v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - eval { - my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data(); - my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive; - ::rptMsg($str); - }; - ::rptMsg("Error: ".$@) if ($@); - -# http://support.microsoft.com/kb/953252 - eval { - my $honor = $key->get_value("HonorAutorunSetting")->get_data(); - my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor; - ::rptMsg($str); - }; - ::rptMsg("HonorAutorunSetting not found.") if ($@); - ::rptMsg(""); - ::rptMsg("Autorun settings in the HKLM hive take precedence over those in"); - ::rptMsg("the HKCU hive."); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} - -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/bagtest.pl b/RecentActivity/release/rr/plugins/bagtest.pl
deleted file mode 100644
index cdc5600d5c..0000000000
--- a/RecentActivity/release/rr/plugins/bagtest.pl
+++ /dev/null
@@ -1,170 +0,0 @@ -#----------------------------------------------------------- -# bagtest.pl -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bagtest; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090828); - -sub getConfig{return %config} - -sub getShortDescr { - return "Test -- BagMRU"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching bagtest v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\Shell\\BagMRU"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $subtree_iter = $key->get_subtree_iterator; - while (my ($k, $val) = $subtree_iter->get_next) { - if (defined $val) { - next unless ($val->get_name() =~ m/^\d+/); - - my $path; - my $data = $val->get_data(); - my $size = unpack("v",substr($data,0,20)); - my $type = unpack("C",substr($data,2,1)); - my $name = (split(/BagMRU/,$k->get_path()))[1]; - - if ($type == 0x47 || $type == 0x46 || $type == 0x42 || $type == 0x41 || - $type == 0xc3) { - - my $str1 = getStrings1($data); - $path = $str1; - - } - elsif ($type == 0x31 || $type == 0x32) { - my($ascii,$uni) = getStrings2($data); - $path = $uni; - } - elsif ($type == 0x2f) { -# bytes 3-5 of $data contain a drive letter - $path = substr($data,0x03,3); - } - else { -# Nothing - } -# my $str = sprintf "%-30s %-3s %-4s 0x%x",$name."\\".$val->get_name(),$size,length($data),$type; - my $str = sprintf "%-25s ".$path,$name."\\".$val->get_name(); - ::rptMsg($str); - - } - else { - - } - } - } - else { - 
::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -#sub getStrings1 { -# my $data = shift; -# my $str; -# my $cursor = 0x05; -# my $tag = 1; -# -# while($tag) { -# my $byte = substr($data,$cursor,1); -# if (unpack("C",$byte) == 0x00) { -# $tag = 0; -# } -# else { -# $str .= $byte; -# $cursor += 1; -# } -# } -# return $str; -#} - -sub getStrings1 { - my $data = shift; - my $d = substr($data,0x05,length($data) - 1); - $d =~ s/\00/-/g; - $d =~ s/[[:cntrl:]]//g; - - my @t = split(/-/,$d); - - my @s; - for my $i (1..scalar(@t) - 1) { - push(@s,$t[$i]) if (length($t[$i]) > 2); - } - - return $t[0]." (".join(',',@s).")"; -} - -sub getStrings2 { -# ASCII short name starts at 0x0E, and is \00 terminated; 0x14 bytes -# after that is the null-term Unicode name - my $data = shift; - my ($ascii,$uni); - my $cursor = 0x0e; - my $tag = 1; - - while($tag) { - my $byte = substr($data,$cursor,1); - if (unpack("C",$byte) == 0x00) { - $tag = 0; - } - else { - $ascii .= $byte; - $cursor += 1; - } - } - - $cursor += 0x14; - - $uni = substr($data,$cursor,length($data) - 1); - $uni =~ s/\00//g; - $uni =~ s/[[:cntrl:]]//g; - return ($ascii,$uni); -} - -1; - - - - - -# Original code to traverse through values and subkeys -# Retain for legacy code purposes -#sub traverse { -# my $key = shift; -# -# foreach my $val ($key->get_list_of_values()) { -# next unless ($val->get_name() =~ m/\d+/); -# -# ::rptMsg($val->get_name()); -# -# } -# -# foreach my $subkey ($key->get_list_of_subkeys()) { -# traverse($subkey); -# } -#} \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/bagtest2.pl b/RecentActivity/release/rr/plugins/bagtest2.pl deleted file mode 100644 index 59716d2fd8..0000000000 --- a/RecentActivity/release/rr/plugins/bagtest2.pl +++ /dev/null 
@@ -1,161 +0,0 @@ -#----------------------------------------------------------- -# bagtest2.pl -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bagtest2; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090828); - -sub getConfig{return %config} - -sub getShortDescr { - return "Test -- BagMRU"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %bagmru; -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching bagtest v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\Shell\\BagMRU"; - my $key; - - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - traverse($key); - - foreach my $i (sort keys %bagmru) { - my $str = sprintf "%-30s ".$bagmru{$i},$i; - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - -sub traverse { - my $key = shift; - my $name = (split(/BagMRU/,$key->get_path()))[1]; - - my @bags; - - foreach my $val ($key->get_list_of_values()) { - next unless ($val->get_name() =~ m/\d+/); - - my $path; - my $data = $val->get_data(); - my $size = unpack("v",substr($data,0,20)); - my $type = unpack("C",substr($data,2,1)); - - - if ($type == 0x47 || $type == 0x46 || $type == 0x42 || $type == 0x41 || - $type == 0xc3) { - - my $str1 = getStrings1($data); - $path = $str1; - - } - elsif ($type == 0x31 || $type == 0x32 || $type == 0xb1) { - my($ascii,$uni) = getStrings2($data); - $path = $uni; - } - elsif ($type == 0x2f) { -# bytes 3-5 of $data contain a drive letter - $path = substr($data,0x03,3); - } - else { -# Nothing - } - $bagmru{$name."\\".$val->get_name()} = $path; - } - - foreach my $subkey ($key->get_list_of_subkeys()) { - traverse($subkey); - } -} - - -sub getStrings1 { - my $data = shift; - my $d = substr($data,0x05,length($data) - 1); - $d =~ s/\00/-/g; - $d =~ s/[[:cntrl:]]//g; - - my @t = split(/-/,$d); - - my @s; - for my $i (1..scalar(@t) - 1) { - push(@s,$t[$i]) if (length($t[$i]) > 2); - } - - return $t[0]." 
(".join(',',@s).")"; -} - -sub getStrings2 { -# ASCII short name starts at 0x0E, and is \00 terminated; 0x14 bytes -# after that is the null-term Unicode name - my $data = shift; - my ($ascii,$uni); - my $cursor = 0x0e; - my $tag = 1; - - while($tag) { - my $byte = substr($data,$cursor,1); - if (unpack("C",$byte) == 0x00) { - $tag = 0; - } - else { - $ascii .= $byte; - $cursor += 1; - } - } - - $cursor += 0x14; - - if ($ascii eq "RECENT") { - $uni = substr($data,$cursor,length($data) - 1); - $uni =~ s/\00//g; - $uni =~ s/[[:cntrl:]]//g; - } - else { - my $tag = 1; - my $count = 0; - while($tag) { - my $byte = substr($data,$cursor,2); - if ($count > 2 && unpack("v",$byte) == 0x00) { - $tag = 0; - } - else { - $uni .= $byte; - $count++; - $cursor += 2; - } - } - $uni =~ s/\00//g; - $uni =~ s/[[:cntrl:]]//g; - } - return ($ascii,$uni); -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/banner.pl b/RecentActivity/release/rr/plugins/banner.pl deleted file mode 100644 index 44ae62a274..0000000000 --- a/RecentActivity/release/rr/plugins/banner.pl +++ /dev/null 
@@ -1,127 +0,0 @@ -#----------------------------------------------------------- -# banner -# Get banner information from the SOFTWARE hive file (if any) -# -# Written By: -# Special Agent Brook William Minnick -# Brook_Minnick@doioig.gov -# U.S. Department of the Interior - Office of Inspector General -# Computer Crimes Unit -# 12030 Sunrise Valley Drive Suite 250 -# Reston, VA 20191 -#----------------------------------------------------------- -package banner; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081119); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get HKLM\\SOFTWARE.. Logon Banner Values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching banner v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\policies\\system"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Logon Banner Information"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - -# GET LEGALNOTICECAPTION -- - - my $caption; - eval { - $caption = $key->get_value("Legalnoticecaption")->get_data(); - }; - if ($@) { - ::rptMsg("Legalnoticecaption value not found."); - } - else { - ::rptMsg("Legalnoticecaption value = ".$caption); - } - ::rptMsg(""); - -# GET LEGALNOTICETEXT -- - - my $banner; - eval { - $banner = $key->get_value("Legalnoticetext")->get_data(); - }; - if ($@) { - ::rptMsg("Legalnoticetext value not found."); - } - else { - ::rptMsg("Legalnoticetext value = ".$banner); - } - ::rptMsg(""); - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } - -my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - -# GET LEGALNOTICECAPTION -- - - my $caption2; - eval { - $caption2 = $key->get_value("Legalnoticecaption")->get_data(); - }; - if ($@) { - ::rptMsg("Legalnoticecaption value not found."); - } - else { - ::rptMsg("Legalnoticecaption value = ".$caption2); - } - ::rptMsg(""); - -# GET LEGALNOTICETEXT -- - - my $banner2; - eval { - $banner2 = $key->get_value("Legalnoticetext")->get_data(); - }; - if ($@) { - ::rptMsg("Legalnoticetext value not found."); - } - else { - ::rptMsg("Legalnoticetext value = ".$banner2); - } - ::rptMsg(""); - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/bho.pl b/RecentActivity/release/rr/plugins/bho.pl deleted file mode 100644 index be3b8f6c85..0000000000 --- a/RecentActivity/release/rr/plugins/bho.pl +++ /dev/null 
@@ -1,107 +0,0 @@ -#----------------------------------------------------------- -# bho -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bho; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080418); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Browser Helper Objects from Software hive"; -} -sub getDescr{} -sub getRefs { - my %refs = ("Browser Helper Objects" => - "http://msdn2.microsoft.com/en-us/library/bb250436.aspx"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %bhos; - ::logMsg("Launching bho v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects";; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Browser Helper Objects"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next if ($name =~ m/^-/); - my $clsid_path = "Classes\\CLSID\\".$name; - my $clsid; - if ($clsid = $root_key->get_subkey($clsid_path)) { - my $class; - my $mod; - my $lastwrite; - - eval { - $class = $clsid->get_value("")->get_data(); - $bhos{$name}{class} = $class; - }; - if ($@) { - ::logMsg("\tError getting Class name for CLSID\\".$name); - ::logMsg("\t".$@); - } - eval { - $mod = $clsid->get_subkey("InProcServer32")->get_value("")->get_data(); - $bhos{$name}{module} = $mod; - }; - if ($@) { - ::logMsg("\tError getting Module name for CLSID\\".$name); - ::logMsg("\t".$@); - } - eval{ - $lastwrite = $clsid->get_subkey("InProcServer32")->get_timestamp(); - $bhos{$name}{lastwrite} = $lastwrite; - }; - if ($@) { - ::logMsg("\tError getting LastWrite time for CLSID\\".$name); - ::logMsg("\t".$@); - } - - foreach my $b (keys %bhos) { - ::rptMsg($b); - ::rptMsg("\tClass => ".$bhos{$b}{class}); - ::rptMsg("\tModule => ".$bhos{$b}{module}); - ::rptMsg("\tLastWrite => ".gmtime($bhos{$b}{lastwrite})); - ::rptMsg(""); - } - } - else { - ::rptMsg($clsid_path." not found."); - ::rptMsg(""); - ::logMsg($clsid_path." not found."); - } - } - } - else { - ::rptMsg($key_path." has no subkeys. No BHOs installed."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/bitbucket.pl b/RecentActivity/release/rr/plugins/bitbucket.pl deleted file mode 100644 index 16e61480e9..0000000000 --- a/RecentActivity/release/rr/plugins/bitbucket.pl +++ /dev/null 
@@ -1,81 +0,0 @@ -#----------------------------------------------------------- -# bitbucket -# Get HKLM\..\BitBucket keys\values (if any) -# -# Change history -# 20091020 - Updated; collected additional values -# -# References -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bitbucket; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080418); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get HKLM\\..\\BitBucket keys\\values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching bitbucket v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - eval { - my $global = $key->get_value("UseGlobalSettings")->get_data(); - ::rptMsg("UseGlobalSettings = ".$global); - }; - - eval { - my $nuke = $key->get_value("NukeOnDelete")->get_data(); - ::rptMsg("NukeOnDelete = ".$nuke); - }; - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); - eval { - my $vol = $s->get_value("VolumeSerialNumber")->get_data(); - ::rptMsg("VolumeSerialNumber = 0x".uc(sprintf "%1x",$vol)); - }; - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/bitbucket_user.pl b/RecentActivity/release/rr/plugins/bitbucket_user.pl deleted file mode 100644 index e3374fd193..0000000000 --- a/RecentActivity/release/rr/plugins/bitbucket_user.pl +++ /dev/null 
@@ -1,71 +0,0 @@ -#----------------------------------------------------------- -# bitbucket_user -# Get HKLM\..\BitBucket keys\values (if any) -# -# Change history -# -# References -# -# NOTE: In limited testing, the volume letter subkeys beneath the -# BitBucket key appear to be volatile. -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bitbucket_user; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091020); - -sub getConfig{return %config} - -sub getShortDescr { - return "TEST - Get user BitBucket values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching bitbucket_user v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); - eval { - my $purge = $s->get_value("NeedToPurge")->get_data(); - ::rptMsg(" NeedToPurge = ".$purge); - }; - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/brisv.pl b/RecentActivity/release/rr/plugins/brisv.pl deleted file mode 100644 index c79aa3e651..0000000000 --- a/RecentActivity/release/rr/plugins/brisv.pl +++ /dev/null 
@@ -1,63 +0,0 @@ -#----------------------------------------------------------- -# brisv.pl -# Plugin to detect the presence of Trojan.Brisv.A -# Symantec write-up: http://www.symantec.com/security_response/writeup.jsp -# ?docid=2008-071823-1655-99 -# -# Change History: -# 20090210: Created -# -# Info on URLAndExitCommandsEnabled value: -# http://support.microsoft.com/kb/828026 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package brisv; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090210); - -sub getConfig{return %config} - -sub getShortDescr { - return "Detect artifacts of a Troj\.Brisv\.A infection"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching brisv v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\PIMSRV"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $mp_path = "Software\\Microsoft\\MediaPlayer\\Preferences"; - my $url; - eval { - $url = $key->get_subkey($mp_path)->get_value("URLAndExitCommandsEnabled")->get_data(); - ::rptMsg($mp_path."\\URLAndExitCommandsEnabled value set to ".$url); - }; -# if an error occurs within the eval{} statement, do nothing - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/clampi.pl b/RecentActivity/release/rr/plugins/clampi.pl deleted file mode 100644 index abf0ae537a..0000000000 --- a/RecentActivity/release/rr/plugins/clampi.pl +++ /dev/null 
@@ -1,120 +0,0 @@ -#----------------------------------------------------------- -# clampi.pl -# Checks keys/values set by new version of Trojan.Clampi -# -# Change history -# 20091019 - created -# -# NOTE: This is purely a test plugin, and based solely on the below -# reference. It has not been tested on any systems that were -# known to be infected. -# -# References -# http://www.symantec.com/connect/blogs/inside-trojanclampi-stealing-your-information -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package clampi; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091019); - -sub getConfig{return %config} -sub getShortDescr { - return "TEST - Checks for keys set by Trojan\.Clampi PROT module"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching clampi v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $count = 0; - - my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my ($form1, $form2, $form3); - - eval { - $form1 = $key->get_value("Use FormSuggest")->get_data(); - ::rptMsg("\tUse FormSuggest = ".$form1); - $count++ if ($form1 eq "true"); - }; - - eval { - $form2 = $key->get_value("FormSuggest_Passwords")->get_data(); - ::rptMsg("\tFormSuggest_Passwords = ".$form2); - $count++ if ($form2 eq "true"); - }; - - eval { - $form3 = $key->get_value("FormSuggest_PW_Ask")->get_data(); - ::rptMsg("\tUse FormSuggest = ".$form3); - $count++ if ($form3 eq "no"); - }; - } - else { - ::rptMsg($key_path." 
not found."); - } - ::rptMsg(""); - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $auto; - eval { - $auto = $key->get_value("AutoSuggest")->get_data(); - ::rptMsg("\tAutoSuggest = ".$auto); - $count++ if ($auto eq "true"); - }; - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - my $key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $prompt; - eval { - $prompt = $key->get_value("POP3 Prompt for Password")->get_data(); - ::rptMsg("\tPOP3 Prompt for Password = ".$prompt); - $count++ if ($prompt eq "true"); - }; - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - if ($count == 5) { - ::rptMsg("The system may have been infected with the Trojan.Clampi PROT module."); - } - else { - ::rptMsg("The system does not appear to have been infected with the Trojan.Clampi"); - ::rptMsg("PROT module."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/clampitm.pl b/RecentActivity/release/rr/plugins/clampitm.pl deleted file mode 100644 index 60f21738c6..0000000000 --- a/RecentActivity/release/rr/plugins/clampitm.pl +++ /dev/null 
@@ -1,78 +0,0 @@ -#----------------------------------------------------------- -# clampitm.pl -# Checks keys/values set by new version of Trojan.Clampi -# -# Change history -# 20100624 - created -# -# NOTE: This is purely a test plugin, and based solely on the below -# reference. It has not been tested on any systems that were -# known to be infected. -# -# References -# http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/ilomo_external.pdf -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package clampitm; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100624); - -sub getConfig{return %config} -sub getShortDescr { - return "Checks for IOCs for Clampi (per Trend Micro)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching clampitm v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $count = 0; - - my $key_path = 'Software\\Microsoft\\Internet Explorer\\Settings'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ClampiTM plugin"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $tag = 1; - my @list = qw/GatesList GID KeyE KeyM PID/; - my @vals = $key->get_list_of_values(); - if (scalar (@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - if (grep(/$name/,@list)) { - ::rptMsg(sprintf "%-10s %-30s",$name,$v->get_data()); - $tag = 0; - } - } - if ($tag) { - ::rptMsg("No Clampi values found."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/clsid.pl b/RecentActivity/release/rr/plugins/clsid.pl
deleted file mode 100644
index 1823600295..0000000000
--- a/RecentActivity/release/rr/plugins/clsid.pl
+++ /dev/null
@@ -1,80 +0,0 @@ -#----------------------------------------------------------- -# clsid.pl -# Plugin to extract file association data from the Software hive file -# Can take considerable time to run; recommend running it via rip.exe -# -# History -# 20100227 - created -# -# References -# http://msdn.microsoft.com/en-us/library/ms724475%28VS.85%29.aspx -# -# copyright 2010, Quantum Analytics Research, LLC -#----------------------------------------------------------- -package clsid; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100227); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get list of CLSID/registered classes"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %clsid; - ::logMsg("Launching clsid v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Classes\\CLSID"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); -# First step will be to get a list of all of the file extensions - my %ext; - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - - my $name = $s->get_name(); - eval { - my $n = $s->get_value("")->get_data(); - $name .= " ".$n unless ($n eq ""); - }; - - push(@{$clsid{$s->get_timestamp()}},$name); - } - - foreach my $t (reverse sort {$a <=> $b} keys %clsid) { - ::rptMsg(gmtime($t)." Z"); - foreach my $item (@{$clsid{$t}}) { - ::rptMsg(" ".$item); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/cmd_shell.pl b/RecentActivity/release/rr/plugins/cmd_shell.pl
deleted file mode 100644
index 84e40a7735..0000000000
--- a/RecentActivity/release/rr/plugins/cmd_shell.pl
+++ /dev/null
@@ -1,75 +0,0 @@ -#----------------------------------------------------------- -# cmd_shell -# -# -# Change History -# 20100830 - added "cs" shell command to the path -# 20080328 - created -# -# References -# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx? -# Name=TrojanClicker%3AWin32%2FVB.GE -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package cmd_shell; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20100830); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets shell open cmds for various file types"; -} -sub getDescr{} -sub getRefs { - my %refs = ("You Are Unable to Start a Program with an .exe File Extension" => - "http://support.microsoft.com/kb/310585"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching cmd_shell v.".$VERSION); - - my @shells = ("exe","cmd","bat","cs","hta","pif"); - - foreach my $sh (@shells) { - - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Classes\\".$sh."file\\shell\\open\\command"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("cmd_shell"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $val; - eval { - $val = $key->get_value("")->get_data(); - ::rptMsg("\tCmd: ".$val); - }; - ::rptMsg("Error: ".$@) if ($@); - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - } - ::rptMsg(""); -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/codeid.pl b/RecentActivity/release/rr/plugins/codeid.pl deleted file mode 100644 index f3eec03151..0000000000 
--- a/RecentActivity/release/rr/plugins/codeid.pl +++ /dev/null @@ -1,75 +0,0 @@ -#----------------------------------------------------------- -# codeid -# Get DefaultLevel value from CodeIdentifiers key -# -# -# Change History -# 20100608 - created -# -# References -# SANS ISC blog - http://isc.sans.edu/diary.html?storyid=8917 -# CodeIdentifiers key -# - http://technet.microsoft.com/en-us/library/bb457006.aspx -# SAFER_LEVELID_FULLYTRUSTED value -# - http://msdn.microsoft.com/en-us/library/ms722424%28VS.85%29.aspx -# (262144 == Unrestricted) -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package codeid; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100608); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets CodeIdentifier DefaultLevel value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching codeid v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("CodeID"); - ::rptMsg($key_path); - my $lastwrite = $key->get_timestamp(); - ::rptMsg(" LastWrite time: ".gmtime($lastwrite)." Z"); - ::rptMsg(""); - - my $level; - eval { - $level = $key->get_value("DefaultLevel")->get_data(); - ::rptMsg(sprintf "DefaultLevel = 0x%08x",$level); - }; - - my $exe; - eval { - $exe = $key->get_value("ExecutableTypes")->get_data(); - $exe =~ s/\s/,/g; - ::rptMsg("ExecutableTypes = ".$exe); - - }; - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/comdlg32.pl b/RecentActivity/release/rr/plugins/comdlg32.pl
deleted file mode 100644
index 61cda3c1e6..0000000000
--- a/RecentActivity/release/rr/plugins/comdlg32.pl
+++ /dev/null
@@ -1,145 +0,0 @@ -#----------------------------------------------------------- -# comdlg32.pl -# Plugin for Registry Ripper -# -# Change history -# 20100402 - updated IAW Chad Tilbury's post to SANS -# Forensic Blog -# 20080324 - created -# -# References -# Win2000 - http://support.microsoft.com/kb/319958 -# XP - http://support.microsoft.com/kb/322948/EN-US/ -# -# copyright 20100402 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package comdlg32; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100402); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's ComDlg32 key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching comdlg32 v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("comdlg32 v.".$VERSION); - -# LastVistedMRU - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ComDlg32\\LastVisitedMRU"); - ::rptMsg("**All values printed in MRUList order."); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - - my %lvmru; - my @mrulist; - @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUList}) { - ::rptMsg(" MRUList = ".$lvmru{MRUList}); - @mrulist = split(//,$lvmru{MRUList}); - delete($lvmru{MRUList}); - foreach my $m (@mrulist) { - my ($file,$dir) = split(/\00\00/,$lvmru{$m},2); - $file =~ s/\00//g; - $dir =~ s/\00//g; - ::rptMsg(" ".$m." -> EXE: ".$file); - ::rptMsg(" -> Last Dir: ".$dir); - } - } - else { - ::rptMsg($key_path." does not have an MRUList value."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - -# OpenSaveMRU - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ComDlg32\\OpenSaveMRU"); - ::rptMsg("**All values printed in MRUList order."); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); -# First, process OpenSaveMRU key values - parseOpenSaveValues($key); - ::rptMsg(""); -# Now, let's get the subkeys - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - parseOpenSaveValues($s); - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -sub parseOpenSaveValues { - my $key = shift; - ::rptMsg("OpenSaveMRU\\".$key->get_name()); - ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." 
Z"); - my %osmru; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - map{$osmru{$_->get_name()} = $_->get_data()}(@vals); - if (exists $osmru{MRUList}) { - ::rptMsg(" MRUList = ".$osmru{MRUList}); - my @mrulist = split(//,$osmru{MRUList}); - delete($osmru{MRUList}); - foreach my $m (@mrulist) { - ::rptMsg(" ".$m." -> ".$osmru{$m}); - } - } - else { - ::rptMsg($key->get_name()." does not have an MRUList value."); - } - } - else { - ::rptMsg($key->get_name()." has no values."); - } -} - - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/comdlg32a.pl b/RecentActivity/release/rr/plugins/comdlg32a.pl deleted file mode 100644 index 0187b945d5..0000000000 --- a/RecentActivity/release/rr/plugins/comdlg32a.pl +++ /dev/null 
@@ -1,225 +0,0 @@ -#----------------------------------------------------------- -# comdlg32a.pl -# Plugin for Registry Ripper -# -# Change history -# 20100409 - updated to include Vista and above -# 20100402 - updated IAW Chad Tilbury's post to SANS -# Forensic Blog -# 20080324 - created -# -# References -# Win2000 - http://support.microsoft.com/kb/319958 -# XP - http://support.microsoft.com/kb/322948/EN-US/ -# -# copyright 20100402 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package comdlg32a; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100409); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's ComDlg32 key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching comdlg32a v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("comdlg32 v.".$VERSION); - -# LastVistedMRU - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @subkeys = $key->get_list_of_subkeys(); - - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - parseLastVisitedMRU($s) if ($s->get_name() eq "LastVisitedMRU"); - parseOpenSaveMRU($s) if ($s->get_name() eq "OpenSaveMRU"); - } - } - else { - ::rptMsg($key_path." 
has no subkeys."); - } - } -} - -sub parseLastVisitedMRU { - my $key = shift; - my %lvmru; - my @mrulist; - my @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUList}) { - ::rptMsg(" MRUList = ".$lvmru{MRUList}); - @mrulist = split(//,$lvmru{MRUList}); - delete($lvmru{MRUList}); - foreach my $m (@mrulist) { - my ($file,$dir) = split(/\00\00/,$lvmru{$m},2); - $file =~ s/\00//g; - $dir =~ s/\00//g; - ::rptMsg(" ".$m." -> EXE: ".$file); - ::rptMsg(" -> Last Dir: ".$dir); - } - } - else { - ::rptMsg("LastVisitedMRU key does not have an MRUList value."); - } - } - else { - ::rptMsg("LastVisitedMRU key has no values."); - } - ::rptMsg(""); -} - -sub parseOpenSaveMRU { - my $key = shift; - - parseOpenSaveValues($key); - ::rptMsg(""); -# Now, let's get the subkeys - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - parseOpenSaveValues($s); - ::rptMsg(""); - } - } - else { - ::rptMsg("OpenSaveMRU key has no subkeys."); - } - ::rptMsg(""); -} - -sub parseOpenSaveValues { - my $key = shift; - ::rptMsg("OpenSaveMRU\\".$key->get_name()); - ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." Z"); - my %osmru; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - map{$osmru{$_->get_name()} = $_->get_data()}(@vals); - if (exists $osmru{MRUList}) { - ::rptMsg(" MRUList = ".$osmru{MRUList}); - my @mrulist = split(//,$osmru{MRUList}); - delete($osmru{MRUList}); - foreach my $m (@mrulist) { - ::rptMsg(" ".$m." -> ".$osmru{$m}); - } - } - else { - ::rptMsg($key->get_name()." does not have an MRUList value."); - } - } - else { - ::rptMsg($key->get_name()." 
has no values."); - } -} - -sub parseCIDSizeMRU { - my $key = shift; - my %lvmru; - my @mrulist; - my @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUListEx}) { - delete($lvmru{MRUListEx}); - foreach my $m (keys %lvmru) { - my $file = parseStr($lvmru{$m}); - my $str = sprintf "%-4s ".$file,$m; - ::rptMsg(" ".$str); - } - } - else { - ::rptMsg($key_path." does not have an MRUList value."); - } - } - else { - ::rptMsg($key_path." has no values."); - } -} - - -sub parseLastVisitedPidlMRU { - my $key = shift; - my %lvmru; - my @mrulist; - @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUListEx}) { - delete($lvmru{MRUListEx}); - foreach my $m (keys %lvmru) { - my $file = parseStr($lvmru{$m}); - my $str = sprintf "%-4s ".$file,$m; - ::rptMsg(" ".$str); - } - } - else { - ::rptMsg("LastVisitedPidlMRU key does not have an MRUList value."); - } - } - else { - ::rptMsg("LastVisitedPidlMRU key has no values."); - } -} - -sub parseStr { - my $data = $_[0]; - my $temp; - my $tag = 1; - my $ofs = 0; - - while ($tag) { - my $t = substr($data,$ofs,2); - if (unpack("v",$t) == 0x00) { - $tag = 0; - } - else { - $temp .= $t; - $ofs += 2; - } - } - $temp =~ s/\00//g; - return $temp; -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/compdesc.pl b/RecentActivity/release/rr/plugins/compdesc.pl deleted file mode 100644 index fc1f292089..0000000000 --- a/RecentActivity/release/rr/plugins/compdesc.pl +++ /dev/null 
@@ -1,65 +0,0 @@ -#----------------------------------------------------------- -# compdesc.pl -# Plugin for Registry Ripper, -# ComputerDescriptions key parser -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package compdesc; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's ComputerDescriptions key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching compdesc v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ComputerDescriptions"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(" ".$v->get_name()." ".$v->get_data()); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/compname.pl b/RecentActivity/release/rr/plugins/compname.pl deleted file mode 100644 index b07c44183c..0000000000 --- a/RecentActivity/release/rr/plugins/compname.pl +++ /dev/null 
@@ -1,75 +0,0 @@ -#----------------------------------------------------------- -# compname.pl -# Plugin for Registry Ripper; Access System hive file to get the -# computername -# -# Change history -# 20090727 - added Hostname -# -# References -# http://support.microsoft.com/kb/314053/ -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package compname; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090727); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets ComputerName and Hostname values from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching compname v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my ($current,$ccs); - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - my $cn_path = $ccs."\\Control\\ComputerName\\ComputerName"; - my $cn; - if ($cn = $root_key->get_subkey($cn_path)) { - my $name = $cn->get_value("ComputerName")->get_data(); - ::rptMsg("ComputerName = ".$name); - } - else { - ::rptMsg($cn_path." not found."); - ::logMsg($cn_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - - my $hostname; - eval { - my $host_path = $ccs."\\Services\\Tcpip\\Parameters"; - $hostname = $root_key->get_subkey($host_path)->get_value("Hostname")->get_data(); - ::rptMsg("TCP/IP Hostname = ".$hostname); - }; - -} - -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/controlpanel.pl b/RecentActivity/release/rr/plugins/controlpanel.pl
deleted file mode 100644
index 67e06a906a..0000000000
--- a/RecentActivity/release/rr/plugins/controlpanel.pl
+++ /dev/null
@@ -1,64 +0,0 @@ -#----------------------------------------------------------- -# controlpanel.pl -# Vista ControlPanel key seems to contain some interesting info about the -# user's activities... -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package controlpanel; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 64, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080428); - -sub getConfig{return %config} - -sub getShortDescr { - return "Look for RecentTask* values in ControlPanel key (Vista)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching controlpanel v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - ::rptMsg("Analysis Tip: The RecentTask* entries appear to only be populated through the"); - ::rptMsg("choices in the Control Panel Home view (in Vista). As each new choice is"); - ::rptMsg("selected, the most recent choice is added as RecentTask1, and each "); - ::rptMsg("RecentTask* entry is incremented and pushed down in the stack."); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $str = sprintf "%-15s %-45s",$v->get_name(),$v->get_data(); - ::rptMsg($str); - } - ::rptMsg(""); - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/cpldontload.pl b/RecentActivity/release/rr/plugins/cpldontload.pl
deleted file mode 100644
index 620419ef9b..0000000000
--- a/RecentActivity/release/rr/plugins/cpldontload.pl
+++ /dev/null
@@ -1,72 +0,0 @@ -#----------------------------------------------------------- -# cpldontload.pl -# Check contents of user's Control Panel\don't load key -# -# Change history -# 20100116 - created -# -# References -# W32.Nekat - http://www.symantec.com/security_response/ -# writeup.jsp?docid=2008-011419-0705-99&tabid=2 -# http://www.2-viruses.com/remove-antispywarexp2009 -# -# Notes: Some malware appears to hide various Control Panel applets -# using this means. If some sort of malware/spyware is thought -# to be on the system, check the settings and note the key -# LastWrite time. -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package cpldontload; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100116); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's Control Panel don't load key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching cpldontload v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Control Panel\\don\'t load"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @vals = $key->get_list_of_values(); - if (scalar @vals > 0) { - foreach my $v (@vals) { - my $str = sprintf "%-20s %-5s",$v->get_name(),$v->get_data(); - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/crashcontrol.pl b/RecentActivity/release/rr/plugins/crashcontrol.pl
deleted file mode 100644
index 61cc30b815..0000000000
--- a/RecentActivity/release/rr/plugins/crashcontrol.pl
+++ /dev/null
@@ -1,93 +0,0 @@ -#----------------------------------------------------------- -# crashcontrol.pl -# -# Ref: -# http://support.microsoft.com/kb/254649 -# http://support.microsoft.com/kb/274598 -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package crashcontrol; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081212); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get crash control information"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my %dumpenabled = (0 => "None", - 1 => "Complete memory dump", - 2 => "Kernel memory dump", - 3 => "Small (64kb) memory dump"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching crashcontrol v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - - my $cc_path = "ControlSet00".$current."\\Control\\CrashControl"; - my $cc; - - if ($cc = $root_key->get_subkey($cc_path)) { - - eval { - my $cde = $cc->get_value("CrashDumpEnabled")->get_data(); - ::rptMsg("CrashDumpEnabled = ".$cde." 
[".$dumpenabled{$cde}."]"); - }; - - eval { - my $df = $cc->get_value("DumpFile")->get_data(); - ::rptMsg("DumpFile = ".$df); - }; - - eval { - my $mini = $cc->get_value("MinidumpDir")->get_data(); - ::rptMsg("MinidumpDir = ".$mini); - }; - - eval { - my $logevt = $cc->get_value("LogEvent")->get_data(); - ::rptMsg("LogEvent = ".$logevt); - ::rptMsg(" Logs an event to the System Event Log (event ID = 1001, source = Save Dump)") if ($logevt == 1); - }; - - eval { - my $sendalert = $cc->get_value("SendAlert")->get_data(); - ::rptMsg("SendAlert = ".$sendalert); - ::rptMsg(" Sends a \'net send\' pop-up if a crash occurs") if ($sendalert == 1); - }; - - - } - else { - ::rptMsg($cc_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; diff --git a/RecentActivity/release/rr/plugins/crashdump.pl b/RecentActivity/release/rr/plugins/crashdump.pl deleted file mode 100644 index eea639e827..0000000000 --- a/RecentActivity/release/rr/plugins/crashdump.pl +++ /dev/null 
@@ -1,115 +0,0 @@ -#----------------------------------------------------------- -# crashdump.pl -# Author: Don C. Weber -# Plugin for Registry Ripper; Access System hive file to get the -# crashdump settings from System hive -# -# Change history -# -# -# References -# Overview of memory dump file options for Windows Server 2003, Windows XP, and Windows 2000: http://support.microsoft.com/kb/254649/ -# -# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security -#----------------------------------------------------------- -package crashdump; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081219); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets crashdump settings from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching crashdump v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $win_path = $ccs."\\Control\\CrashControl"; - my $win; - if ($win = $root_key->get_subkey($win_path)) { - ::rptMsg("CrashControl Configuration"); - ::rptMsg($win_path); - ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)"); - } - else { - ::rptMsg($win_path." not found."); - } - - my %vals = getKeyValues($win); - if (scalar(keys %vals) > 0) { - foreach my $v (keys %vals) { - if ($v eq "CrashDumpEnabled"){ - if ($vals{$v} == 0x00){ - ::rptMsg("\t".$v." 
-> None"); - } elsif ($vals{$v} == 0x01){ - ::rptMsg("\t".$v." -> Complete memory dump"); - } elsif ($vals{$v} == 0x02){ - ::rptMsg("\t".$v." -> Kernel memory dump"); - } elsif ($vals{$v} == 0x03){ - ::rptMsg("\t".$v." -> Small memory dump (64KB)"); - } else{ - ::rptMsg($v." has no value."); - } - }else{ - if (($v eq "MinidumpDir") || ($v eq "DumpFile")){ - ::rptMsg("\t".$v." location ".$vals{$v}); - } else{ - ($vals{$v}) ? ::rptMsg("\t".$v." is Enabled") : ::rptMsg("\t".$v." is Disabled"); - } - } - } - } - else { -# ::rptMsg($key_path." has no values."); - } - ::rptMsg(""); - ::rptMsg("Analysis Tips: For crash dump information and tools check http://support.microsoft.com/kb/254649/"); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -sub getKeyValues { - my $key = shift; - my %vals; - - my @vk = $key->get_list_of_values(); - if (scalar(@vk) > 0) { - foreach my $v (@vk) { - next if ($v->get_name() eq "" && $v->get_data() eq ""); - $vals{$v->get_name()} = $v->get_data(); - } - } - else { - - } - return %vals; -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/ctrlpnl.pl b/RecentActivity/release/rr/plugins/ctrlpnl.pl deleted file mode 100644 index 13ce7bf906..0000000000 --- a/RecentActivity/release/rr/plugins/ctrlpnl.pl +++ /dev/null 
@@ -1,143 +0,0 @@ -#----------------------------------------------------------- -# ctrlpnl.pl -# Get Control Panel info from the Software hive -# -# Change history: -# 20100116 - created -# -# References: -# http://support.microsoft.com/kb/292463 -# http://learning.infocollections.com/ebook%202/Computer/ -# Operating%20Systems/Windows/Windows.XP.Hacks/ -# 0596005113_winxphks-chp-2-sect-3.html -# http://msdn.microsoft.com/en-us/library/cc144195%28VS.85%29.aspx -# -# Notes: -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package ctrlpnl; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get Control Panel info from Software hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %comp; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ctrlpnl v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Control Panel"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg(""); - -# Cpls section - if (my $cpl = $key->get_subkey("Cpls")) { - my @vals = $cpl->get_list_of_values(); - if (scalar @vals > 0) { - ::rptMsg("Cpls key"); - foreach my $v (@vals) { - my $str = sprintf "%-10s %-50s",$v->get_name(),$v->get_data(); - ::rptMsg($str); - } - ::rptMsg(""); - } - else { - ::rptMsg("Cpls key has no values."); - } - } - else { - ::rptMsg("Cpls key not found."); - } - -# don't load section -# The 'don't load' key prevents applets from being loaded -# Be sure to check the user's don't load key, as well - if (my $cpl = $key->get_subkey("don't load")) { - my @vals = 
$cpl->get_list_of_values(); - if (scalar @vals > 0) { - ::rptMsg("don't load key"); - foreach my $v (@vals) { - ::rptMsg($v->get_name()); - } - ::rptMsg(""); - } - else { - ::rptMsg("don't load key has no values."); - } - } - else { - ::rptMsg("don't load key not found."); - } - -# Extended Properties section - if (my $ext = $key->get_subkey("Extended Properties")) { - my @sk = $ext->get_list_of_subkeys(); - if (scalar @sk > 0) { - foreach my $s (@sk) { - my @vals = $s->get_list_of_values(); - if (scalar @vals > 0) { - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp)." UTC]"); - -# Ref: http://support.microsoft.com/kb/292463 - my %cat = (0x00000000 => "Other Control Panel Options", - 0x00000001 => "Appearance and Themes", - 0x00000002 => "Printers and Other Hardware", - 0x00000003 => "Network and Internet Connections", - 0x00000004 => "Sounds, Speech, and Audio Devices", - 0x00000005 => "Performance and Maintenance", - 0x00000006 => "Date, Time, Language, and Regional Options", - 0x00000007 => "Accessibility Options", - 0xFFFFFFFF => "No Category"); - my %prop; - foreach my $v (@vals) { - push(@{$prop{$v->get_data()}},$v->get_name()); - } - - foreach my $t (sort {$a <=> $b} keys %prop) { - (exists $cat{$t}) ? (::rptMsg($cat{$t})) : (::rptMsg("Category ".$t)); - foreach my $i (@{$prop{$t}}) { - ::rptMsg(" ".$i); - } - ::rptMsg(""); - } - } - } - ::rptMsg(""); - } - else { - ::rptMsg("Extended Properties key has no subkeys."); - } - } - else { - ::rptMsg("Extended Properties key not found."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/ddm.pl b/RecentActivity/release/rr/plugins/ddm.pl deleted file mode 100644 index e66fb2697f..0000000000 --- a/RecentActivity/release/rr/plugins/ddm.pl +++ /dev/null 
@@ -1,82 +0,0 @@ -#----------------------------------------------------------- -# ddm.pl -# -# History: -# 20081129 - created -# -# Note - Not really sure what this is for or could be used for, other -# than to show devices that had been connected to the system -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package ddm; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081129); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get DDM data from Control Subkey"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ddm v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - - my $key_path = $ccs."\\Control\\DDM"; - my $key; - my %dev; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $tag = (split(/\./,$name,2))[1]; - $dev{$tag}{timestamp} = $s->get_timestamp(); - eval { - $dev{$tag}{make} = $s->get_value("MakeName")->get_data(); - $dev{$tag}{model} = $s->get_value("ModelName")->get_data(); - }; - } - foreach my $d (sort keys %dev) { - ::rptMsg(gmtime($dev{$d}{timestamp})."Z Device\.".$d." ".$dev{$d}{make}." ".$dev{$d}{model}); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); -# ::logMsg($key_path." 
not found."); - } - } - else { - ::logMsg("Current value not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/defbrowser.pl b/RecentActivity/release/rr/plugins/defbrowser.pl deleted file mode 100644 index ae7055aba1..0000000000 --- a/RecentActivity/release/rr/plugins/defbrowser.pl +++ /dev/null 
@@ -1,78 +0,0 @@ -#----------------------------------------------------------- -# defbrowser.pl -# Get default browser information - check #1 can apply to HKLM -# as well as to HKCU -# -# Change History: -# 20091116 - Added Check #1 -# 20081105 - created -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package defbrowser; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets default browser setting from HKLM"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching defbrowser v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Clients\\StartMenuInternet"; - if (my $key = $root_key->get_subkey($key_path)) { - ::rptMsg("Default Browser Check #1"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $browser = $key->get_value("")->get_data(); - ::rptMsg("Default Browser : ".$browser); - } - else { - ::rptMsg($key_path." not found."); - } - - ::rptMsg(""); - - my $key_path = "Classes\\HTTP\\shell\\open\\command"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Default Browser Check #2"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $browser; - eval { - $browser = $key->get_value("")->get_data(); - }; - if ($@) { - ::rptMsg("Error locating default browser setting."); - } - else { - ::rptMsg("Default Browser = ".$browser); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/devclass.pl b/RecentActivity/release/rr/plugins/devclass.pl
deleted file mode 100644
index b6a57fff2f..0000000000
--- a/RecentActivity/release/rr/plugins/devclass.pl
+++ /dev/null
@@ -1,125 +0,0 @@ -#----------------------------------------------------------- -# devclass -# Get USB device info from the DeviceClasses keys in the System -# hive (Disks and Volumes GUIDs) -# -# Change History: -# 20100901 - spelling error in output corrected -# 20080331 - created -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package devclass; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100901); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USB device info from the DeviceClasses keys in the System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching devclass v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::logMsg("Could not find ".$key_path); - return - } -# Get devices from the Disk GUID - my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("DevClasses - Disks"); - ::rptMsg($key_path); - ::rptMsg(""); - my %disks; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next unless (grep(/USBSTOR/,$name)); - my $lastwrite = $s->get_timestamp(); - my ($dev, $serial) = (split(/#/,$name))[4,5]; - push(@{$disks{$lastwrite}},$dev.",".$serial); - } - - foreach my $t (reverse sort {$a <=> $b} keys %disks) { - 
::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$disks{$t}}) { - ::rptMsg("\t$item"); - } - } - - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - ::rptMsg(""); -# Get devices from the Volume GUID - my $key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("DevClasses - Volumes"); - ::rptMsg($key_path); - ::rptMsg(""); - my %vols; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next unless (grep(/RemovableMedia/,$name)); - my $lastwrite = $s->get_timestamp(); - my $ppi = (split(/#/,$name))[5]; - push(@{$vols{$lastwrite}},$ppi); - } - - foreach my $t (reverse sort {$a <=> $b} keys %vols) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$vols{$t}}) { - ::rptMsg("\tParentIdPrefix: ".$item); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/dfrg.pl b/RecentActivity/release/rr/plugins/dfrg.pl deleted file mode 100644 index 29ac3b80ec..0000000000 --- a/RecentActivity/release/rr/plugins/dfrg.pl +++ /dev/null 
@@ -1,63 +0,0 @@ -#----------------------------------------------------------- -# dfrg.pl -# Gets contents of Dfrg\BootOptimizeFunction key -# -# Change history: -# 20110321 - created -# -# References -# http://technet.microsoft.com/en-us/library/cc784391%28WS.10%29.aspx -# -# copyright 2011 Quantum Analytics Research, LLC (keydet89@yahoo.com) -#----------------------------------------------------------- -package dfrg; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20110321); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets content of Dfrg BootOptim. key"; -} -sub getDescr{} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching dfrg v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Dfrg\\BootOptimizeFunction"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Dfrg"); - ::rptMsg($key_path); - ::rptMsg(""); - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(sprintf "%-20s %-20s",$v->get_name(),$v->get_data()); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/disablelastaccess.pl b/RecentActivity/release/rr/plugins/disablelastaccess.pl deleted file mode 100644 index e064521726..0000000000 --- a/RecentActivity/release/rr/plugins/disablelastaccess.pl +++ /dev/null 
@@ -1,73 +0,0 @@ -#----------------------------------------------------------- -# disablelastaccess.pl -# -# References: -# http://support.microsoft.com/kb/555041 -# http://support.microsoft.com/kb/894372 -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package disablelastaccess; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090118); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get NTFSDisableLastAccessUpdate value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching disablelastaccess v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - my $ccs; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - - my $key_path = $ccs."\\Control\\FileSystem"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("NtfsDisableLastAccessUpdate"); - ::rptMsg($key_path); - my @vals = $key->get_list_of_values(); - my $found = 0; - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - if ($v->get_name() eq "NtfsDisableLastAccessUpdate") { - ::rptMsg("NtfsDisableLastAccessUpdate = ".$v->get_data()); - $found = 1; - } - } - ::rptMsg("NtfsDisableLastAccessUpdate value not found.") if ($found == 0); - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/dllsearch.pl b/RecentActivity/release/rr/plugins/dllsearch.pl deleted file mode 100644 index 767042a8ec..0000000000 --- a/RecentActivity/release/rr/plugins/dllsearch.pl +++ /dev/null @@ -1,69 +0,0 @@ -#----------------------------------------------------------- -# dllsearch.pl -# -# References: -# http://support.microsoft.com/kb/2264107 -# -# Change History: -# 20100824: created -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package dllsearch; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100824); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get crash control information"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching dllsearch v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - - my $cc_path = "ControlSet00".$current."\\Control\\Session Manager"; - my $cc; - if ($cc = $root_key->get_subkey($cc_path)) { - ::rptMsg("dllsearch v.".$VERSION); - ::rptMsg(""); - my $found = 1; - eval { - my $cde = $cc->get_value("CWDIllegalInDllSearch")->get_data(); - $found = 0; - ::rptMsg(sprintf "CWDIllegalInDllSearch = 0x%x",$cde); - }; - ::rptMsg("CWDIllegalInDllSearch value not found.") if ($found); - } - else { - ::rptMsg($cc_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; 
diff --git a/RecentActivity/release/rr/plugins/domains.pl b/RecentActivity/release/rr/plugins/domains.pl
deleted file mode 100644
index 633ad87cfd..0000000000
--- a/RecentActivity/release/rr/plugins/domains.pl
+++ /dev/null
@@ -1,74 +0,0 @@ -#----------------------------------------------------------- -# domains.pl -# -# -# Change history -# 20100116 - Created -# -# References -# http://support.microsoft.com/kb/919748 -# http://support.microsoft.com/kb/922704 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package domains; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100116); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents Internet Settings\\ZoneMap\\Domains key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching domains v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"; - my $key; - if ($key = $root_key->get_subkey($key_path."\\Domains")) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]"); - - my @vals = $s->get_list_of_values(); - if (scalar @vals > 0) { - foreach my $v (@vals) { - ::rptMsg(" ".$v->get_name()." -> ".$v->get_data); - } - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/drwatson.pl b/RecentActivity/release/rr/plugins/drwatson.pl deleted file mode 100644 index 0360c33fb3..0000000000 
--- a/RecentActivity/release/rr/plugins/drwatson.pl
+++ /dev/null
@@ -1,77 +0,0 @@ -#----------------------------------------------------------- -# drwatson.pl -# Author: Don C. Weber -# Plugin for Registry Ripper; Access Software hive file to get the -# Dr. Watson settings from Software hive -# -# Change history -# -# -# References -# Dr Watson: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html -# -# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security -#----------------------------------------------------------- -package drwatson; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081219); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Dr. Watson settings from Software hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching drwatson v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AeDebug"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ($key->get_value('Auto') == 0x0) ? ::rptMsg("Debugging is Disabled") : ::rptMsg("Debugging is Enabled"); - eval { - ::rptMsg("Debugger: ".$key->get_value('Debugger')->get_data()); - }; - - } else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - - ::rptMsg(""); - my $key_path = "Microsoft\\DrWatson"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ($key->get_value('LogFilePath')) ? 
::rptMsg("DrWatson LogFile Path location: ".$key->get_value('LogFilePath')->get_data()) : ::rptMsg("DrWatson LogFile Path location: %SystemRoot%\\Documents and Settings\\All Users\\Documents\\DrWatson"); - ($key->get_value('CreateCrashDump') == 0x0) ? ::rptMsg("CreateCrashDump is Disabled") : ::rptMsg("CreateCrashDump is Enabled"); - ($key->get_value('CrashDumpFile')) ? ::rptMsg("Crash Dump Path and Name: ".$key->get_value('CrashDumpFile')->get_data()) : ::rptMsg("CrashDumpFile is not set"); - ($key->get_value('AppendToLogFile') == 0x0) ? ::rptMsg("AppendToLogFile is set to create a new file each time") : ::rptMsg("AppendToLogFile is set to append"); - - } else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - - ::rptMsg(""); - ::rptMsg("Analysis Tips: For Dr. Watson settings information check: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html"); -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/esent.pl b/RecentActivity/release/rr/plugins/esent.pl deleted file mode 100644 index 4ae7cd21b5..0000000000 --- a/RecentActivity/release/rr/plugins/esent.pl +++ /dev/null 
@@ -1,78 +0,0 @@ -#----------------------------------------------------------- -# esent -# Get contents of Esent\Process key from Software hive -# -# Note: Not sure why I wrote this one; just thought it might come -# in handy as info about this key is developed. -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package esent; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20101202); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get ESENT\\Process key contents"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching esent v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\ESENT\\Process"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @sk = $key->get_list_of_subkeys(); - - if (scalar(@sk) > 0) { - my %esent; - - foreach my $s (@sk) { - my $sk = $s->get_subkey("DEBUG"); -# my $lw = $s->get_timestamp(); - my $lw = $sk->get_timestamp(); - - my $name = $s->get_name(); - - push(@{$esent{$lw}},$name); - } - - foreach my $t (reverse sort {$a <=> $b} keys %esent) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$esent{$t}}) { - ::rptMsg(" $item"); - } - } - - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/eventlog.pl b/RecentActivity/release/rr/plugins/eventlog.pl deleted file mode 100644 index a51ca91282..0000000000 
--- a/RecentActivity/release/rr/plugins/eventlog.pl
+++ /dev/null
@@ -1,156 +0,0 @@ -#----------------------------------------------------------- -# eventlog.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package eventlog; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090112); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get EventLog configuration info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching eventlog v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - - my $evt_path = "ControlSet00".$current."\\Services\\Eventlog"; - my $evt; - if ($evt = $root_key->get_subkey($evt_path)) { - ::rptMsg(""); - my @subkeys = $evt->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - my $logname = $s->get_name(); - ::rptMsg($logname." 
\\ ".scalar gmtime($s->get_timestamp())."Z"); - eval { - my $file = $s->get_value("File")->get_data(); - ::rptMsg(" File = ".$file); - }; - - eval { - my $display = $s->get_value("DisplayNameFile")->get_data(); - ::rptMsg(" DisplayNameFile = ".$display); - }; - - eval { - my $max = $s->get_value("MaxSize")->get_data(); - ::rptMsg(" MaxSize = ".processSize($max)); - }; - - eval { - my $ret = $s->get_value("Retention")->get_data(); - ::rptMsg(" Retention = ".processRetention($ret)); - }; - -# AutoBackupLogFiles; http://support.microsoft.com/kb/312571/ - eval { - my $auto = $s->get_value("AutoBackupLogFiles")->get_data(); - ::rptMsg(" AutoBackupLogFiles = ".$auto); - }; - -# Check WarningLevel value on Security EventLog; http://support.microsoft.com/kb/945463 - eval { - if ($logname eq "Security") { - my $wl = $s->get_value("WarningLevel")->get_data(); - ::rptMsg(" WarningLevel = ".$wl); - } - }; - - ::rptMsg(""); - } - - } - else { - ::rptMsg($evt_path." has no subkeys."); - } - } - else { - ::rptMsg($evt_path." not found."); - ::logMsg($evt_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} -1; - -sub processSize { - my $sz = shift; - - my $kb = 1024; - my $mb = $kb * 1024; - my $gb = $mb * 1024; - - if ($sz > $gb) { - my $d = $sz/$gb; - my $l = length((split(/\./,$d,2))[0]) + 2; - return sprintf "%$l.2fGB",$d; - } - elsif ($sz > $mb) { - my $d = $sz/$mb; - my $l = length((split(/\./,$d,2))[0]) + 2; - return sprintf "%$l.2fMB",$d; - } - elsif ($sz > $kb) { - my $d = $sz/$kb; - my $l = length((split(/\./,$d,2))[0]) + 2; - return sprintf "%$l.2fKB",$d; - } - else {return $sz."B"}; -} - -sub processRetention { -# Retention maintained in seconds -# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/ -# regentry/30709.mspx?mfr=true - my $ret = shift; - - my $min = 60; - my $hr = $min * 60; - my $day = $hr * 24; - - if ($ret > $day) { - my $d = $ret/$day; - my $l = length((split(/\./,$d,2))[0]) + 2; - return sprintf "%$l.2f days",$d; - } - elsif ($ret > $hr) { - my $d = $ret/$hr; - my $l = length((split(/\./,$d,2))[0]) + 2; - return sprintf "%$l.2f hr",$d; - } - elsif ($ret > $min) { - my $d = $ret/$min; - my $l = length((split(/\./,$d,2))[0]) + 2; - return sprintf "%$l.2f min",$d; - } - else {return $ret." sec"}; -} \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/eventlogs.pl b/RecentActivity/release/rr/plugins/eventlogs.pl deleted file mode 100644 index d7557218c2..0000000000 --- a/RecentActivity/release/rr/plugins/eventlogs.pl +++ /dev/null 
@@ -1,98 +0,0 @@ -#----------------------------------------------------------- -# eventlogs.pl -# Author: Don C. Weber -# Plugin for Registry Ripper; Access System hive file to get the -# Event Log settings from System hive -# -# Change history -# -# -# References -# Eventlog Key: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx -# -# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security -#----------------------------------------------------------- -package eventlogs; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081219); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Event Log settings from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching eventlogs v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $win_path = $ccs."\\Services\\Eventlog"; - my $win; - if ($win = $root_key->get_subkey($win_path)) { - ::rptMsg("EventLog Configuration"); - ::rptMsg($win_path); - ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)"); - my $cn; - if ($cn = $win->get_value("ComputerName")->get_data()) { - ::rptMsg("ComputerName = ".$cn); - } - else { - ::rptMsg("ComputerName value not found."); - } - } - else { - ::rptMsg($win_path." 
not found."); - } - -# Cycle through each type of log - my $logname; - my $evpath; - my $evlog; - my @list_logs = $win->get_list_of_subkeys(); - foreach $logname (@list_logs){ - ::rptMsg(""); - $evpath = $win_path."\\".$logname->get_name(); - if ($evlog = $root_key->get_subkey($evpath)) { - ::rptMsg(" ".$logname->get_name()." EventLog"); - ::rptMsg(" ".$evpath); - ::rptMsg(" LastWrite Time ".gmtime($evlog->get_timestamp())." (UTC)"); - ::rptMsg(" Configuration Settings"); - ::rptMsg(" Log location: ".$evlog->get_value('File')->get_data()); - ::rptMsg(" Log Size: ".$evlog->get_value('MaxSize')->get_data()." Bytes"); - ($evlog->get_value('AutoBackupLogFiles') == 0x0) ? ::rptMsg(" AutoBackupLogFiles is Disabled") : ::rptMsg(" AutoBackupLogFiles is Enabled") - } - else { - ::rptMsg($logname->get_name()." Event Log not found."); - } - } - ::rptMsg(""); - ::rptMsg("Analysis Tips: For Event Log settings information check: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx"); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/fileexts.pl b/RecentActivity/release/rr/plugins/fileexts.pl deleted file mode 100644 index 5bd04db825..0000000000 --- a/RecentActivity/release/rr/plugins/fileexts.pl +++ /dev/null 
@@ -1,73 +0,0 @@ -#----------------------------------------------------------- -# fileexts.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package fileexts; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080818); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get user FileExts values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching fileexts v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("fileexts"); - ::rptMsg($key_path); - ::rptMsg(""); - - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - next unless ($name =~ m/^\.\w+/); - - eval { - my $data = $s->get_subkey("OpenWithList")->get_value("MRUList")->get_data(); - if ($data =~ m/^\w/) { - ::rptMsg("File Extension: ".$name); - ::rptMsg("LastWrite: ".gmtime($s->get_subkey("OpenWithList")->get_timestamp())); - ::rptMsg("MRUList: ".$data); - my @list = split(//,$data); - foreach my $l (@list) { - my $valdata = $s->get_subkey("OpenWithList")->get_value($l)->get_data(); - ::rptMsg(" ".$l." => ".$valdata); - } - ::rptMsg(""); - } - }; - } - } - else { - ::rptMsg($key_path." does not have subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/findexes.pl b/RecentActivity/release/rr/plugins/findexes.pl deleted file mode 100644 index ee2f027b35..0000000000 
--- a/RecentActivity/release/rr/plugins/findexes.pl
+++ /dev/null
@@ -1,95 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# findexes.pl -# Plugin for RegRipper; traverses through a Registry hive, -# looking for values with binary data types, and checks to see -# if they start with "MZ"; if so, records the value path, key -# LastWrite time, and length of the data -# -# Change history -# 20090728 - Created -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package findexes; -use strict; - -my %config = (hive => "All", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090728); - -sub getConfig{return %config} -sub getShortDescr { - return "Scans a hive file looking for binary value data that contains MZ"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %vals; -my $bin_count = 0; -my $exe_count = 0; - -sub pluginmain { - my $class = shift; - my $file = shift; - my $reg = Parse::Win32Registry->new($file); - my $root_key = $reg->get_root_key; - ::logMsg("Launching findexes v.".$VERSION); - - traverse($root_key); -# Data structure containing findings is a hash of hashes - foreach my $k (keys %vals) { - ::rptMsg("Key: ".$k." LastWrite time: ".gmtime($vals{$k}{lastwrite})); - foreach my $i (keys %{$vals{$k}}) { - next if ($i eq "lastwrite"); - ::rptMsg(" Value: ".$i." Length: ".$vals{$k}{$i}." 
bytes"); - } - ::rptMsg(""); - } - ::rptMsg("Number of values w/ binary data types: ".$bin_count); - ::rptMsg("Number of values w/ MZ in binary data: ".$exe_count); -} - -sub traverse { - my $key = shift; -# my $ts = $key->get_timestamp(); - - foreach my $val ($key->get_list_of_values()) { - my $type = $val->get_type(); - if ($type == 0 || $type == 3) { - $bin_count++; - my $data = $val->get_data(); -# This code looks for data that starts with MZ -# my $i = unpack("v",substr($data,0,2)); -# if ($i == 0x5a4d) { - if (grep(/MZ/,$data)) { - $exe_count++; - my $path; - my @p = split(/\\/,$key->get_path()); - if (scalar(@p) == 1) { - $path = "root"; - } - else { - shift(@p); - $path = join('\\',@p); - } - - $vals{$path}{lastwrite} = $key->get_timestamp(); - $vals{$path}{$val->get_name()} = length($data); - } - } - } - - foreach my $subkey ($key->get_list_of_subkeys()) { - traverse($subkey); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/fw_config.pl b/RecentActivity/release/rr/plugins/fw_config.pl deleted file mode 100644 index e43e245837..0000000000 --- a/RecentActivity/release/rr/plugins/fw_config.pl +++ /dev/null 
@@ -1,116 +0,0 @@ -#----------------------------------------------------------- -# fw_config -# -# References -# http://technet2.microsoft.com/WindowsServer/en/library/47f25d7d- -# 882b-4f87-b05f-31e5664fc15e1033.mspx?mfr=true -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package fw_config; -use strict; - -my %config = (hive => "System", - osmask => 20, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080328); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets the Windows Firewall config from the System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching fw_config v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $select_path = 'Select'; - my $sel; - if ($sel = $root_key->get_subkey($select_path)) { - $current = $sel->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($select_path." could not be found."); - ::logMsg($select_path." could not be found."); - return; - } - - my @profiles = ("DomainProfile","StandardProfile"); - foreach my $profile (@profiles) { - my $key_path = $ccs."\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\".$profile; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Windows Firewall Configuration"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my %vals = getKeyValues($key); - if (scalar(keys %vals) > 0) { - foreach my $v (keys %vals) { - ::rptMsg("\t".$v." -> ".$vals{$v}); - } - } - else { -# ::rptMsg($key_path." 
has no values."); - } - - my @configs = ("RemoteAdminSettings", - "IcmpSettings", - "GloballyOpenPorts\\List", - "AuthorizedApplications\\List"); - - foreach my $config (@configs) { - eval { - my %vals = getKeyValues($key->get_subkey($config)); - if (scalar(keys %vals) > 0) { - ::rptMsg(""); - ::rptMsg($key_path."\\".$config); - ::rptMsg("LastWrite Time ".gmtime($key->get_subkey($config)->get_timestamp())." (UTC)"); - foreach my $v (keys %vals) { - ::rptMsg("\t".$v." -> ".$vals{$v}); - } - } - }; - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - ::rptMsg(""); - } # end foreach -} - -sub getKeyValues { - my $key = shift; - my %vals; - - my @vk = $key->get_list_of_values(); - if (scalar(@vk) > 0) { - foreach my $v (@vk) { - next if ($v->get_name() eq "" && $v->get_data() eq ""); - $vals{$v->get_name()} = $v->get_data(); - } - } - else { - - } - return %vals; -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/gthist.pl b/RecentActivity/release/rr/plugins/gthist.pl deleted file mode 100644 index bc52f909a9..0000000000 --- a/RecentActivity/release/rr/plugins/gthist.pl +++ /dev/null 
@@ -1,71 +0,0 @@ -#----------------------------------------------------------- -# gthist.pl -# Google Toolbar Search History plugin -# -# -# Change history -# 20100218 - created -# -# References -# -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package gthist; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Google Toolbar Search History"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching gthist v.".$VERSION); - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Google\\NavClient\\1.1\\History'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar @vals > 0) { - ::rptMsg(""); - foreach my $v (@vals) { - my $tv = unpack("V",$v->get_data()); - $hist{$tv} = $v->get_name(); - } - - foreach my $t (reverse sort {$a <=> $b} keys %hist) { - my $str = gmtime($t)." ".$hist{$t}; - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/gtwhitelist.pl b/RecentActivity/release/rr/plugins/gtwhitelist.pl deleted file mode 100644 index e8d0695eea..0000000000 --- a/RecentActivity/release/rr/plugins/gtwhitelist.pl +++ /dev/null 
@@ -1,74 +0,0 @@ -#----------------------------------------------------------- -# gtwhitelist.pl -# Google Toolbar Search History plugin -# -# -# Change history -# 20100218 - created -# -# References -# -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package gtwhitelist; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Google Toolbar whitelist values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching gtwhitelist v.".$VERSION); - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Google\\Google Toolbar\\4.0\\whitelist'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my $allow2; - eval { - $allow2 = $key->get_value("allow2")->get_data(); - my @vals = split(/\|/,$allow2); - ::rptMsg(""); - ::rptMsg("whitelist"); - foreach my $v (@vals) { - next if ($v eq ""); - ::rptMsg(" ".$v); - } - ::rptMsg(""); - }; - - my $lastmod; - eval { - $lastmod = $key->get_value("lastmod")->get_data(); - ::rptMsg("lastmod ".gmtime($lastmod)." (UTC)"); - }; - - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/hibernate.pl b/RecentActivity/release/rr/plugins/hibernate.pl deleted file mode 100644 index 64c5b3e359..0000000000 --- a/RecentActivity/release/rr/plugins/hibernate.pl +++ /dev/null 
@@ -1,78 +0,0 @@ -#----------------------------------------------------------- -# hibernate.pl -# -# Ref: -# http://support.microsoft.com/kb/293399 & testing -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package hibernate; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081216); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check hibernation status"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching hibernate v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - - my $power_path = $ccs."\\Control\\Session Manager\\Power"; - my $power; - if ($power = $root_key->get_subkey($power_path)) { - - my $heur; - eval { - my $bin_val = $power->get_value("Heuristics")->get_data(); - $heur = (unpack("v*",$bin_val))[3]; - if ($heur == 0) { - ::rptMsg("Hibernation disabled."); - } - elsif ($heur == 1) { - ::rptMsg("Hibernation enabled."); - } - else { - ::rptMsg("Unknown hibernation value: ".$heur); - } - - }; - ::rptMsg("Error reading Heuristics value.") if ($@); - - } - else { - ::rptMsg($power_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); -# ::logMsg($key_path." not found."); - } - -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/ide.pl b/RecentActivity/release/rr/plugins/ide.pl deleted file mode 100644 index 789cbd1495..0000000000 
--- a/RecentActivity/release/rr/plugins/ide.pl +++ /dev/null 
@@ -1,123 +0,0 @@ -#----------------------------------------------------------- -# ide.pl -# Get IDE device info from the System hive file -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package ide; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080418); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get IDE device info from the System hive file"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ide v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - ::rptMsg("IDE"); - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::logMsg("Could not find ".$key_path); - return - } - - my $key_path = $ccs."\\Enum\\IDE"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg(""); - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s2 (@sk) { - ::rptMsg($s2->get_name()." [".gmtime($s2->get_timestamp())." (UTC)]"); - eval { - ::rptMsg("FriendlyName : ".$s2->get_value("FriendlyName")->get_data()); - }; - ::rptMsg(""); - } - } - - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::logMsg($key_path." not found."); - } - - my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("DevClasses - Disks"); - ::rptMsg($key_path); - my %disks; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next unless (grep(/IDE/,$name)); - my $lastwrite = $s->get_timestamp(); - my ($dev, $serial) = (split(/#/,$name))[4,5]; - push(@{$disks{$lastwrite}},$dev.",".$serial); - } - - if (scalar(keys %disks) == 0) { - ::rptMsg("No IDE subkeys were found."); - return; - } - ::rptMsg(""); - foreach my $t (reverse sort {$a <=> $b} keys %disks) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$disks{$t}}) { - ::rptMsg("\t$item"); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/ie_main.pl b/RecentActivity/release/rr/plugins/ie_main.pl deleted file mode 100644 index aa48c4d4a3..0000000000 --- a/RecentActivity/release/rr/plugins/ie_main.pl +++ /dev/null 
@@ -1,82 +0,0 @@ -#----------------------------------------------------------- -# ie_main.pl -# Checks keys/values set by new version of Trojan.Clampi -# -# Change history -# 20091019 - created -# -# -# References -# http://support.microsoft.com/kb/895339 -# http://support.microsoft.com/kb/176497 -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package ie_main; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091019); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets values beneath user's Internet Explorer\\Main key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching ie_main v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my %main; - - my @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - next if ($name eq "Window_Placement"); - - $data = unpack("V",$data) if ($name eq "Do404Search"); - - if ($name eq "IE8RunOnceLastShown_TIMESTAMP" || $name eq "IE8TourShownTime") { - my ($t0,$t1) = unpack("VV",$data); - $data = gmtime(::getTime($t0,$t1))." UTC"; - } - $main{$name} = $data; - } - - foreach my $n (keys %main) { - my $str = sprintf "%-35s %-20s",$n,$main{$n}; - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/ie_settings.pl b/RecentActivity/release/rr/plugins/ie_settings.pl deleted file mode 100644 index fd3ee3857e..0000000000 --- a/RecentActivity/release/rr/plugins/ie_settings.pl +++ /dev/null @@ -1,72 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# ie_settings.pl -# Gets IE settings -# -# Change history -# -# -# References -# -# -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package ie_settings; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20091016); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets IE settings"; -} -sub getDescr{} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching ie_settings v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my $ua; - eval { - $ua = $key->get_value("User Agent")->get_data(); - ::rptMsg("User Agent = ".$ua); - }; - - my $zonessecupgrade; - eval { - $zonessecupgrade = $key->get_value("ZonesSecurityUpgrade")->get_data(); - my ($z0,$z1) = unpack("VV",$zonessecupgrade); - ::rptMsg("ZonesSecurityUpgrade = ".gmtime(::getTime($z0,$z1))." (UTC)"); - }; - - my $daystokeep; - eval { - $daystokeep = $key->get_subkey("Url History")->get_value("DaysToKeep")->get_data(); - ::rptMsg("DaysToKeep = ".$daystokeep); - }; - - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/ie_version.pl b/RecentActivity/release/rr/plugins/ie_version.pl deleted file mode 100644 index 64ce73b046..0000000000 --- a/RecentActivity/release/rr/plugins/ie_version.pl +++ /dev/null @@ -1,60 +0,0 @@ -#----------------------------------------------------------- -# ie_version -# Get IE version and build -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package ie_version; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091016); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get IE version and build"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ie_version v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Internet Explorer"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $version; - my $build; - eval { - $build = $key->get_value("Build")->get_data(); - ::rptMsg("IE Build = ".$build); - }; - - eval { - $version= $key->get_value("Version")->get_data(); - ::rptMsg("IE Version = ".$version); - }; - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/imagedev.pl b/RecentActivity/release/rr/plugins/imagedev.pl deleted file mode 100644 index 5822ae7a15..0000000000 --- a/RecentActivity/release/rr/plugins/imagedev.pl +++ /dev/null 
@@ -1,85 +0,0 @@ -#----------------------------------------------------------- -# imagedev.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package imagedev; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080730); - -sub getConfig{return %config} - -sub getShortDescr { - return " -- "; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching imagedev v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - eval { - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - }; - if ($@) { - ::rptMsg("Problem locating proper controlset: $@"); - return; - } - - my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("imagedev"); - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @sk = $key->get_list_of_subkeys(); - - if (scalar(@sk) > 0) { - ::rptMsg("Still Image Capture Devices"); - foreach my $s (@sk) { - my $name = $s->get_name(); - next unless ($name =~ m/^\d{4}$/); - my $friendly; - eval { - $friendly = $s->get_value("FriendlyName")->get_data(); - ::rptMsg(" ".$friendly); - }; - if ($@) { - ::logMsg("Error getting device FriendlyName in imagedev: ".$@); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/imagefile.pl b/RecentActivity/release/rr/plugins/imagefile.pl deleted file mode 100644 index 1f31f674b7..0000000000 --- a/RecentActivity/release/rr/plugins/imagefile.pl +++ /dev/null 
@@ -1,99 +0,0 @@ -#----------------------------------------------------------- -# imagefile -# -# References: -# http://msdn2.microsoft.com/en-us/library/a329t4ed(VS\.80)\.aspx -# http://support.microsoft.com/kb/2264107 -# -# Change history: -# 20100824 - added check for "CWDIllegalInDllSearch" value -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package imagefile; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100824); - -sub getConfig{return %config} -sub getShortDescr { - return "Checks IFEO subkeys for Debugger/CWDIllegalInDllSearch values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching imagefile v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Image File Execution Options"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - my %debug; - my $i = "Your Image File Name here without a path"; - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next if ($name =~ m/^$i/i); - my $debugger = ""; - eval { - $debugger = $s->get_value("Debugger")->get_data(); - }; -# If the eval{} throws an error, it's b/c the Debugger value isn't -# found within the key, so we don't need to do anything w/ the error - if ($debugger ne "") { - $debug{$name}{debug} = $debugger; - $debug{$name}{lastwrite} = $s->get_timestamp(); - } - - my $dllsearch = ""; - eval { - $dllsearch = $s->get_value("CWDIllegalInDllSearch")->get_data(); - }; -# If the eval{} throws an error, it's b/c the Debugger value isn't -# found within the key, so we don't need to do anything w/ the error - if ($dllsearch ne "") { - $debug{$name}{dllsearch} = $debugger; - $debug{$name}{lastwrite} = $s->get_timestamp(); - } - } - - if (scalar (keys %debug) > 0) { - foreach my $d (keys %debug) { - ::rptMsg($d." LastWrite: ".gmtime($debug{$d}{lastwrite})); - ::rptMsg(" Debugger : ".$debug{$d}{debug}) if (exists $debug{$d}{debug}); - ::rptMsg(" CWDIllegalInDllSearch: ".$debug{$d}{dllsearch}) if (exists $debug{$d}{dllsearch}); - } - } - else { - ::rptMsg("No Debugger/CWDIllegalInDllSearch values found."); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys"); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/init_dlls.pl b/RecentActivity/release/rr/plugins/init_dlls.pl deleted file mode 100644 index d729a6b716..0000000000 --- a/RecentActivity/release/rr/plugins/init_dlls.pl +++ /dev/null 
@@ -1,77 +0,0 @@ -#----------------------------------------------------------- -# init_dlls.pl -# Plugin to assist in the detection of malware per Mark Russinovich's -# blog post (References, below) -# -# Change History: -# 20110309 - created -# -# References -# http://blogs.technet.com/b/markrussinovich/archive/2011/02/27/3390475.aspx -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package init_dlls; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20110309); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check for odd **pInit_Dlls keys"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my @init; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching init_dlls v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Windows"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("init_dlls"); - ::rptMsg($key_path); - ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - next if ($name eq "AppInit_DLLs"); - push(@init,$name) if ($name =~ m/Init_DLLs$/); - } - - if (scalar @init > 0) { - foreach my $n (@init) { - ::rptMsg($n); - } - } - else { - ::rptMsg("No additional values named *Init_DLLs located."); - } - - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/installedcomp.pl b/RecentActivity/release/rr/plugins/installedcomp.pl deleted file mode 100644 index 9fd730301f..0000000000 --- a/RecentActivity/release/rr/plugins/installedcomp.pl +++ /dev/null 
@@ -1,120 +0,0 @@ -#----------------------------------------------------------- -# installedcomp.pl -# Get info about Installed Components -# -# Change history: -# 20100116 - updated for slightly better coverage -# 20100115 - created -# -# References: -# -# Notes: Look for out of place entries, particularly those -# that point to the Recycle Bin or a temp directory -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package installedcomp; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get info about Installed Components/StubPath"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %comp; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching installedcomp v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Active Setup\\Installed Components"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $lastwrite = $s->get_timestamp(); - - my $str; - eval { - $str = $s->get_value("ComponentID")->get_data(); - }; - - eval { - my $ver = $s->get_value("Version")->get_data(); - $str .= " v.".$ver if ($ver && $s->get_value("Version")->get_type() == 1); - }; - - eval { - my $stub = $s->get_value("StubPath")->get_data(); - $str .= "; ".$stub if ($stub ne ""); - }; - -# If the $str scalar is empty at this point, that means that for -# some reason, we haven't been able to populate the information -# we're looking for; in this case, we'll go looking for some info -# in a different area of the hive; the BHO.pl plugin does this, as -# well. I'd rather that the plugin look for the Classes info than -# leave a blank entry in the output. - if ($str eq "") { - my $name = $s->get_name(); - my $class_path = "Classes\\CLSID\\".$name; - my $proc; - if ($proc = $root_key->get_subkey($class_path)) { -# Try these two eval{} statements because I've seen the different -# spellings for InProcServer32/InprocServer32 in sequential keys - eval { - $str = $proc->get_subkey("InprocServer32")->get_value("")->get_data(); - }; - - eval { - $str = $proc->get_subkey("InProcServer32")->get_value("")->get_data(); - }; - } - else { - $str = $name." class not found."; - } - } - - push(@{$comp{$lastwrite}},$str); - } - - foreach my $t (reverse sort {$a <=> $b} keys %comp) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$comp{$t}}) { - ::rptMsg(" ".$item); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/javafx.pl b/RecentActivity/release/rr/plugins/javafx.pl deleted file mode 100644 index 118e82cb58..0000000000 --- a/RecentActivity/release/rr/plugins/javafx.pl +++ /dev/null 
@@ -1,67 +0,0 @@ -#----------------------------------------------------------- -# javafx.pl -# Plugin written based on Cory Harrell's Exploit Artifacts posts at -# http://journeyintoir.blogspot.com/ -# -# Change history -# 20110322 - created -# -# References -# http://java.sun.com/j2se/1.4.2/runtime_win32.html -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package javafx; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20110322); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's JavaFX key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching javafx v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\JavaSoft\\Java Update\\Policy\\JavaFX"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("javafx v.".$VERSION); - ::rptMsg($key_path); - ::rptMsg("LastWrite time: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - ::rptMsg(sprintf "%-25s %-20s",$v->get_name(), $v->get_data()); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/kb950582.pl b/RecentActivity/release/rr/plugins/kb950582.pl deleted file mode 100644 index 4e24fe3dd2..0000000000 --- a/RecentActivity/release/rr/plugins/kb950582.pl +++ /dev/null 
@@ -1,90 +0,0 @@ -#----------------------------------------------------------- -# kb950582.pl -# Get autorun settings WRT KB950582 -# -# Change history -# 18 Dec 2008 - Updated to new name; added checks for Registry -# keys -# -# References -# http://support.microsoft.com/kb/953252 -# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit -# /regentry/91525.mspx?mfr=true -# -# copyright 2008-2009 H. Carvey -#----------------------------------------------------------- -package kb950582; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081212); - -sub getConfig{return %config} -sub getShortDescr { - return "KB950582 - Gets autorun settings from HKLM hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching kb950582 v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - eval { - my $path = "Microsoft\\Windows\\CurrentVersion\\Uninstall\\KB950582"; - if (my $kbkey = $root_key->get_subkey($path)) { - my $install = $kbkey->get_value("InstallDate")->get_data(); - ::rptMsg("KB950528 Uninstall Key ".gmtime($kbkey->get_timestamp())); - ::rptMsg(" InstallDate = ".$install."\n"); - } - }; - ::rptMsg("Uninstall\\KB950528 does not appear to be installed.\n") if ($@); - - eval { - my $path = "Microsoft\\Updates\\Windows XP\\SP4\\KB950582"; - if (my $kbkey = $root_key->get_subkey($path)) { - my $install = $kbkey->get_value("InstalledDate")->get_data(); - ::rptMsg("KB950528 Update Key ".gmtime($kbkey->get_timestamp())); - ::rptMsg(" InstalledDate = ".$install."\n"); - } - }; - ::rptMsg("KB950528 does not appear to be installed.\n") if ($@); - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"; - my $key; - if ($key = 
$root_key->get_subkey($key_path)) { - - eval { - my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data(); - my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive; - ::rptMsg($str); - }; - ::rptMsg("Error: ".$@) if ($@); - -# http://support.microsoft.com/kb/953252 - eval { - my $honor = $key->get_value("HonorAutorunSetting")->get_data(); - my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor; - ::rptMsg($str); - }; - ::rptMsg("HonorAutorunSetting not found.") if ($@); - ::rptMsg(""); - ::rptMsg("Autorun settings in the HKLM hive take precedence over those in"); - ::rptMsg("the HKCU hive."); - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/kbdcrash.pl b/RecentActivity/release/rr/plugins/kbdcrash.pl deleted file mode 100644 index 560aef9785..0000000000 --- a/RecentActivity/release/rr/plugins/kbdcrash.pl +++ /dev/null 
@@ -1,65 +0,0 @@ -#----------------------------------------------------------- -# kbdcrash.pl -# -# Ref: -# http://support.microsoft.com/kb/244139 -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package kbdcrash; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081212); - -sub getConfig{return %config} - -sub getShortDescr { - return "Checks to see if system is config to crash via keyboard"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $enabled = 0; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching kbdcrash v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $svc = "ControlSet00".$current."\\Services"; - - eval { - my $ps2 = $svc->get_subkey("i8042prt\\Parameters")->get_value("CrashOnCtrlScroll")->get_data(); - ::rptMsg("CrashOnCtrlScroll set for PS2 keyboard") if ($ps2 == 1); - $enabled = 1 if ($ps2 == 1); - }; - - eval { - my $usb = $svc->get_subkey("kbdhid\\Parameters")->get_value("CrashOnCtrlScroll")->get_data(); - ::rptMsg("CrashOnCtrlScroll set for USB keyboard") if ($usb == 1); - $enabled = 1 if ($usb == 1); - }; - ::rptMsg("CrashOnCtrlScroll not set"); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; diff --git a/RecentActivity/release/rr/plugins/landesk.pl b/RecentActivity/release/rr/plugins/landesk.pl deleted file mode 100644 index d3dd8c5320..0000000000 --- a/RecentActivity/release/rr/plugins/landesk.pl +++ /dev/null 
@@ -1,71 +0,0 @@ -#----------------------------------------------------------- -# LANDESK Monitor Logs -# -# -# Change history -# 20090729 - updates, H. Carvey -# -# copyright 2009 Don C. Weber -#----------------------------------------------------------- -package landesk; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090729); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get list of programs monitored by LANDESK from Software hive file"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my %ls; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching LANDESK v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "LANDesk\\ManagementSuite\\WinClient\\SoftwareMonitoring\\MonitorLog"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - eval { - my ($val1,$val2) = unpack("VV",$s->get_value("Last Started")->get_data()); -# Push the data into a hash of arrays - push(@{$ls{::getTime($val1,$val2)}},$s->get_name()); - }; - } - - foreach my $t (reverse sort {$a <=> $b} keys %ls) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$ls{$t}}) { - ::rptMsg("\t$item"); - } - } - } - else { - ::rptMsg($key_path." does not appear to have any subkeys.") - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/legacy.pl b/RecentActivity/release/rr/plugins/legacy.pl deleted file mode 100644 index 3c34a1a26a..0000000000 --- a/RecentActivity/release/rr/plugins/legacy.pl +++ /dev/null 
@@ -1,96 +0,0 @@
-#-----------------------------------------------------------
-# legacy.pl
-#
-#
-# Change history
-# 20090429 - created
-#
-# Reference: http://support.microsoft.com/kb/310592
-#
-#
-# Analysis Tip:
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package legacy;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20090429);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Lists LEGACY_ entries in Enum\\Root key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key();
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
- my $root_path = $ccs."\\Enum\\Root";
-
- my %legacy;
- if (my $root = $root_key->get_subkey($root_path)) {
- my @sk = $root->get_list_of_subkeys();
- if (scalar(@sk) > 0) {
- foreach my $s (@sk) {
- my $name = $s->get_name();
- next unless ($name =~ m/^LEGACY_/);
- push(@{$legacy{$s->get_timestamp()}},$name);
-
- eval {
- my @s_sk = $s->get_list_of_subkeys();
- if (scalar(@s_sk) > 0) {
- foreach my $s_s (@s_sk) {
-
- my $desc;
- eval {
- $desc = $s_s->get_value("DeviceDesc")->get_data();
- push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()." - ".$desc);
- };
- push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()) if ($@);
- }
- }
- };
- }
- }
- else {
- ::rptMsg($root_path." has no subkeys.");
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %legacy) {
- ::rptMsg(gmtime($t)." (UTC)");
- foreach my $item (@{$legacy{$t}}) {
- ::rptMsg("\t$item");
- }
- }
- }
- else {
- ::rptMsg($root_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/listsoft.pl b/RecentActivity/release/rr/plugins/listsoft.pl
deleted file mode 100644
index ae1c50a540..0000000000
--- a/RecentActivity/release/rr/plugins/listsoft.pl
+++ /dev/null
@@ -1,69 +0,0 @@
-#! c:\perl\bin\perl.exe
-#-----------------------------------------------------------
-# listsoft.pl
-# Plugin for Registry Ripper; traverses thru the Software
-# key of an NTUSER.DAT file, extracting all of the subkeys
-# and listing them in order by LastWrite time.
-#
-# Change history
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package listsoft;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Lists contents of user's Software key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $file = shift;
- my $reg = Parse::Win32Registry->new($file);
- my $root_key = $reg->get_root_key;
- ::logMsg("Launching listsoft v.".$VERSION);
- my %soft;
- my $key_path = 'Software';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("listsoft v.".$VERSION);
- ::rptMsg("List the contents of the Software key in the NTUSER\.DAT hive");
- ::rptMsg("file, in order by LastWrite time.");
- ::rptMsg("");
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
- push(@{$soft{$s->get_timestamp()}},$s->get_name());
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %soft) {
- foreach my $item (@{$soft{$t}}) {
- ::rptMsg(gmtime($t)."Z \t".$item);
- }
- }
- }
- else {
- ::logMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::logMsg("Could not access ".$key_path);
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/load.pl b/RecentActivity/release/rr/plugins/load.pl
deleted file mode 100644
index 3ce6ca655e..0000000000
--- a/RecentActivity/release/rr/plugins/load.pl
+++ /dev/null
@@ -1,81 +0,0 @@
-#-----------------------------------------------------------
-# load.pl
-# The load and run values in the Windows NT\CurrentVersion\Windows
-# key are throw-backs to the old win.ini file, and can be/are used
-# by malware.
-#
-# Change history
-# 20100811 - created
-#
-# References
-# http://support.microsoft.com/kb/103865
-# http://security.fnal.gov/cookbook/WinStartup.html
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package load;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100811);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets load and run values from user hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching load v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("load");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- ::rptMsg("");
- my %win;
- foreach my $v (@vals) {
- $win{$v->get_name()} = $v->get_data();
- }
-
- if (exists $win{"load"}) {
- ::rptMsg("load = ".$win{"load"});
- }
- else {
- ::rptMsg("load value not found.");
- }
-
- if (exists $win{"run"}) {
- ::rptMsg("run = ".$win{"run"});
- }
- else {
- ::rptMsg("run value not found.");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/logon_xp_run.pl b/RecentActivity/release/rr/plugins/logon_xp_run.pl
deleted file mode 100644
index 831a5cd910..0000000000
--- a/RecentActivity/release/rr/plugins/logon_xp_run.pl
+++ /dev/null
@@ -1,98 +0,0 @@
-#-----------------------------------------------------------
-# logon_xp_run
-# Get contents of Run key from Software hive
-#
-# References:
-# http://support.microsoft.com/kb/314488
-#
-# Note: Needs testing to see if it applies beyond XP/XP-64
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package logon_xp_run;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 12,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20080328);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Autostart - Get XP user logon Run key contents from NTUSER\.DAT hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching user_xp_run v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my %vals = getKeyValues($key);
- if (scalar(keys %vals) > 0) {
- foreach my $v (keys %vals) {
- ::rptMsg("\t".$v." -> ".$vals{$v});
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
-
-# my @sk = $key->get_list_of_subkeys();
-# if (scalar(@sk) > 0) {
-# foreach my $s (@sk) {
-# ::rptMsg("");
-# ::rptMsg($key_path."\\".$s->get_name());
-# ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
-# my %vals = getKeyValues($s);
-# foreach my $v (keys %vals) {
-# ::rptMsg("\t".$v." -> ".$vals{$v});
-# }
-# }
-# }
-# else {
-# ::rptMsg("");
-# ::rptMsg($key_path." has no subkeys.");
-# }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
-}
-
-sub getKeyValues {
- my $key = shift;
- my %vals;
-
- my @vk = $key->get_list_of_values();
- if (scalar(@vk) > 0) {
- foreach my $v (@vk) {
- next if ($v->get_name() eq "" && $v->get_data() eq "");
- $vals{$v->get_name()} = $v->get_data();
- }
- }
- else {
-# do nothing
- }
- return %vals;
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/logonusername.pl b/RecentActivity/release/rr/plugins/logonusername.pl
deleted file mode 100644
index 098d89f5e6..0000000000
--- a/RecentActivity/release/rr/plugins/logonusername.pl
+++ /dev/null
@@ -1,68 +0,0 @@
-#! c:\perl\bin\perl.exe
-#-----------------------------------------------------------
-# logonusername.pl
-# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
-# "Logon User Name" value
-#
-# Change history
-#
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package logonusername;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get user's Logon User Name value";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching logonusername v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $logon_name = "Logon User Name";
-
- my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- ::rptMsg("Logon User Name");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time [".gmtime($key->get_timestamp())." (UTC)]");
- foreach my $v (@vals) {
- if ($v->get_name() eq $logon_name) {
- ::rptMsg($logon_name." = ".$v->get_data());
- }
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/lsasecrets.pl b/RecentActivity/release/rr/plugins/lsasecrets.pl
deleted file mode 100644
index 1e0048e973..0000000000
--- a/RecentActivity/release/rr/plugins/lsasecrets.pl
+++ /dev/null
@@ -1,71 +0,0 @@
-#-----------------------------------------------------------
-# lsasecrets.pl
-# Get update times for LSA Secrets from the Security hive file
-#
-# History
-# 20100219 - created
-#
-# References
-# http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package lsasecrets;
-use strict;
-
-my %config = (hive => "Security",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100219);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "TEST - Get update times for LSA Secrets";
-}
-sub getDescr{}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching lsasecrets v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Policy\\Secrets";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
-
-#
-# http://support.microsoft.com/kb/175468
- eval {
- ::rptMsg("");
- ::rptMsg("Domain secret - \$MACHINE\.ACC");
- my $c = $key->get_subkey("\$MACHINE\.ACC\\CupdTime")->get_value("")->get_data();
- my @v = unpack("VV",$c);
- my $cupd = gmtime(::getTime($v[0],$v[1]));
- ::rptMsg("CupdTime = ".$cupd);
-
- my $o = $key->get_subkey("\$MACHINE\.ACC\\OupdTime")->get_value("")->get_data();
- my @v = unpack("VV",$c);
- my $oupd = gmtime(::getTime($v[0],$v[1]));
- ::rptMsg("OupdTime = ".$oupd);
- };
- ::rptMsg("Error: ".$@) if ($@);
-
-
-
-
-
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/macaddr.pl b/RecentActivity/release/rr/plugins/macaddr.pl
deleted file mode 100644
index 50a034981a..0000000000
--- a/RecentActivity/release/rr/plugins/macaddr.pl
+++ /dev/null
@@ -1,156 +0,0 @@
-#-----------------------------------------------------------
-# macaddr.pl
-# Attempt to locate MAC address in either Software or System hive files;
-# The plugin will determine which one its in and use the appropriate
-# code
-#
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package macaddr;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090118);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return " -- ";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching macaddr v.".$VERSION);
-
- my $guess = guessHive($hive);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- if ($guess eq "System") {
-# Code for System file, getting CurrentControlSet
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
-
- my $key_path = $ccs."\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002bE10318}";
- my $key;
- my $found = 0;
- ::rptMsg($key_path);
- if ($key = $root_key->get_subkey($key_path)) {
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar (@subkeys) > 0) {
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
- my $na;
- eval {
- $na = $key->get_subkey($name)->get_value("NetworkAddress")->get_data();
- ::rptMsg(" ".$name.": NetworkAddress = ".$na);
- $found = 1;
- };
- }
- ::rptMsg("No NetworkAddress value found.") if ($found == 0);
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
- }
- elsif ($guess eq "Software") {
- my $key_path = "Microsoft\\Windows Genuine Advantage";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- my $mac;
- my $found = 0;
- eval {
- $mac = $key->get_value("MAC")->get_data();
- ::rptMsg("Mac Address(es) = ".$mac);
- $found = 1;
- };
- ::rptMsg("No MAC address(es) found.") if ($found == 0);
- }
- else {
- ::rptMsg($key_path." not found.");
- }
- }
- else {
- ::rptMsg("Hive file ".$hive." appeared to be neither a Software nor a");
- ::rptMsg("System hive file.");
- }
-}
-
-#-------------------------------------------------------------
-# guessHive() - attempts to determine the hive type; if NTUSER.DAT,
-# attempt to retrieve the SID for the user; this function populates
-# global variables (%config, @sids)
-#-------------------------------------------------------------
-sub guessHive {
- my $hive = shift;
- my $hive_guess;
- my $reg;
- my $root_key;
- eval {
- $reg = Parse::Win32Registry->new($hive);
- $root_key = $reg->get_root_key;
- };
- ::rptMsg($hive." may not be a valid hive.") if ($@);
-
-# Check for SAM
- eval {
- if (my $key = $root_key->get_subkey("SAM\\Domains\\Account\\Users")) {
- $hive_guess = "SAM";
- }
- };
-# Check for Software
- eval {
- if ($root_key->get_subkey("Microsoft\\Windows\\CurrentVersion") &&
- $root_key->get_subkey("Microsoft\\Windows NT\\CurrentVersion")) {
- $hive_guess = "Software";
- }
- };
-
-# Check for System
- eval {
- if ($root_key->get_subkey("MountedDevices") && $root_key->get_subkey("Select")) {
- $hive_guess = "System";
- }
- };
-
-# Check for Security
- eval {
- if ($root_key->get_subkey("Policy\\Accounts") && $root_key->get_subkey("Policy\\PolAdtEv")) {
- $hive_guess = "Security";
- }
- };
-# Check for NTUSER.DAT
- eval {
- if ($root_key->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion")) {
- $hive_guess = "NTUSER\.DAT";
- }
- };
- return $hive_guess;
-}
-
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mmc.pl b/RecentActivity/release/rr/plugins/mmc.pl
deleted file mode 100644
index d66557c5da..0000000000
--- a/RecentActivity/release/rr/plugins/mmc.pl
+++ /dev/null
@@ -1,75 +0,0 @@
-#-----------------------------------------------------------
-# mmc.pl
-# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
-# Microsoft Management Console Recent File List values
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package mmc;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get contents of user's MMC\\Recent File List key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching mmc v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Microsoft Management Console\\Recent File List';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("MMC - Recent File List");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %files;
-# Retrieve values and load into a hash for sorting
- foreach my $v (@vals) {
- my $val = $v->get_name();
- my $data = $v->get_data();
- my $tag = (split(/File/,$val))[1];
- $files{$tag} = $val.":".$data;
- }
-# Print sorted content to report file
- foreach my $u (sort {$a <=> $b} keys %files) {
- my ($val,$data) = split(/:/,$files{$u},2);
- ::rptMsg(" ".$val." -> ".$data);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mndmru.pl b/RecentActivity/release/rr/plugins/mndmru.pl
deleted file mode 100644
index d223d7f49c..0000000000
--- a/RecentActivity/release/rr/plugins/mndmru.pl
+++ /dev/null
@@ -1,77 +0,0 @@
-#-----------------------------------------------------------
-# mndmru.pl
-# Plugin for Registry Ripper,
-# Map Network Drive MRU parser
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package mndmru;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get contents of user's Map Network Drive MRU";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching mndmru v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("Map Network Drive MRU");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %mnd;
-# Retrieve values and load into a hash for sorting
- foreach my $v (@vals) {
- my $val = $v->get_name();
- my $data = $v->get_data();
- $mnd{$val} = $data;
- }
-# Print sorted content to report file
- if (exists $mnd{"MRUList"}) {
- ::rptMsg(" MRUList = ".$mnd{"MRUList"});
- delete $mnd{"MRUList"};
- }
- foreach my $m (sort {$a <=> $b} keys %mnd) {
- ::rptMsg(" ".$m." ".$mnd{$m});
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mountdev.pl b/RecentActivity/release/rr/plugins/mountdev.pl
deleted file mode 100644
index ae0d58b26b..0000000000
--- a/RecentActivity/release/rr/plugins/mountdev.pl
+++ /dev/null
@@ -1,101 +0,0 @@
-#-----------------------------------------------------------
-# mountdev.pl
-# Plugin for Registry Ripper; Access System hive file to get the
-# MountedDevices
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package mountdev;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Return contents of System hive MountedDevices key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching mountdev v.".$VERSION);
- ::rptMsg("mountdev v.".$VERSION);
- ::rptMsg("Get MountedDevices key information from the System hive file.");
- ::rptMsg("");
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = 'MountedDevices';
- my $key;
- my %md;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $data = $v->get_data();
- my $len = length($data);
- if ($len == 12) {
- my $sig = _translateBinary(substr($data,0,4));
- ::rptMsg($v->get_name());
- ::rptMsg("\tDrive Signature = ".$sig);
- }
- elsif ($len > 12) {
- $data =~ s/\00//g;
- push(@{$md{$data}},$v->get_name());
- }
- else {
- ::logMsg("mountdev v.".$VERSION."\tData length = $len");
- }
- }
-
- ::rptMsg("");
- foreach my $m (keys %md) {
- ::rptMsg("Device: ".$m);
- foreach my $item (@{$md{$m}}) {
- ::rptMsg("\t".$item);
- }
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-sub _translateBinary {
- my $str = unpack("H*",$_[0]);
- my $len = length($str);
- my @nstr = split(//,$str,$len);
- my @list = ();
- foreach (0..($len/2)) {
- push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
- }
- return join(' ',@list);
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mountdev2.pl b/RecentActivity/release/rr/plugins/mountdev2.pl
deleted file mode 100644
index d5b1c3e324..0000000000
--- a/RecentActivity/release/rr/plugins/mountdev2.pl
+++ /dev/null
@@ -1,106 +0,0 @@
-#-----------------------------------------------------------
-# mountdev2.pl
-# Plugin for Registry Ripper; Access System hive file to get the
-# MountedDevices
-#
-# Change history
-# 20091116 - changed output
-#
-# References
-#
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package mountdev2;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20091116);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Return contents of System hive MountedDevices key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching mountdev2 v.".$VERSION);
- ::rptMsg("");
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = 'MountedDevices';
- my $key;
- my (%md,%dos,%vol);
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $data = $v->get_data();
- my $len = length($data);
- if ($len == 12) {
- my $sig = _translateBinary(substr($data,0,4));
-# my $sig = _translateBinary($data);
- $vol{$v->get_name()} = $sig;
- }
- elsif ($len > 12) {
- $data =~ s/\00//g;
- push(@{$md{$data}},$v->get_name());
- }
- else {
- ::logMsg("mountdev2 v.".$VERSION."\tData length = $len");
- }
- }
-
- ::rptMsg(sprintf "%-50s %-20s","Volume","Disk Sig");
- ::rptMsg(sprintf "%-50s %-20s","-------","--------");
- foreach my $v (sort keys %vol) {
- my $str = sprintf "%-50s %-20s",$v,$vol{$v};
- ::rptMsg($str);
- }
-
- ::rptMsg("");
- foreach my $m (sort keys %md) {
- ::rptMsg("Device: ".$m);
- foreach my $item (@{$md{$m}}) {
- ::rptMsg("\t".$item);
- }
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-sub _translateBinary {
- my $str = unpack("H*",$_[0]);
- my $len = length($str);
- my @nstr = split(//,$str,$len);
- my @list = ();
- foreach (0..($len/2)) {
- push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
- }
- return join(' ',@list);
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mountdev3.pl b/RecentActivity/release/rr/plugins/mountdev3.pl
deleted file mode 100644
index ff4d4cfbf0..0000000000
--- a/RecentActivity/release/rr/plugins/mountdev3.pl
+++ /dev/null
@@ -1,110 +0,0 @@
-#-----------------------------------------------------------
-# mountdev3.pl
-# Plugin for Registry Ripper; Access System hive file to get the
-# MountedDevices
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package mountdev3;
-use Math::BigInt;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20090909);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Return contents of System hive MountedDevices key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
-# ::logMsg("Launching mountdev3 v.".$VERSION);
- ::rptMsg("mountdev3 v.".$VERSION);
- ::rptMsg("Get MountedDevices key information from the System hive file.");
- ::rptMsg("");
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = 'MountedDevices';
- my $key;
- my %md;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $data = $v->get_data();
- my $len = length($data);
- if ($len == 12) {
- my $sig = _translateBinary(substr($data,0,4));
- my ($low,$high) = unpack("VV",substr($data,4,8));
- my $val64 = Math::BigInt->new($high)->blsft(32)->bxor($low);
- my $driveoffset = ($val64/512);
- ::rptMsg($v->get_name());
- ::rptMsg("\tDrive Signature = ".$sig);
- ::rptMsg("\tPartition offset = ".$driveoffset);
- }
- elsif ($len == 16) {
- ::rptMsg($v->get_name());
- ::rptMsg("\t".$data);
- }
- elsif ($len > 16) {
- $data =~ s/\00//g;
- push(@{$md{$data}},$v->get_name());
- }
- else {
- ::logMsg("mountdev v.".$VERSION."\tData length = $len");
- }
- }
-
- ::rptMsg("");
- foreach my $m (keys %md) {
- ::rptMsg("Device: ".$m);
- foreach my $item (@{$md{$m}}) {
- ::rptMsg("\t".$item);
- }
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-sub _translateBinary {
- my $str = unpack("H*",$_[0]);
- my $len = length($str);
- my @nstr = split(//,$str,$len);
- my @list = ();
- foreach (0..($len/2)) {
- push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
- }
- return join(' ',@list);
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mp2.pl b/RecentActivity/release/rr/plugins/mp2.pl
deleted file mode 100644
index b7ef8f76d6..0000000000
--- a/RecentActivity/release/rr/plugins/mp2.pl
+++ /dev/null
@@ -1,114 +0,0 @@
-#-----------------------------------------------------------
-# mp2.pl
-# Plugin for Registry Ripper,
-# MountPoints2 key parser
-#
-# Change history
-# 20091116 - updated output/sorting; added getting
-# _LabelFromReg value
-# 20090115 - Removed printing of "volumes"
-#
-# References
-# http://support.microsoft.com/kb/932463
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package mp2;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20090115);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets user's MountPoints2 key contents";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching mp2 v.".$VERSION);
-
- my %drives;
- my %volumes;
- my %remote;
-
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("MountPoints2");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar @subkeys > 0) {
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
- if ($name =~ m/^{/) {
- my $label;
- eval {
- $label = $s->get_value("_LabelFromReg")->get_data();
- };
- $name = $name." (".$label.")" unless ($@);
- push(@{$volumes{$s->get_timestamp()}},$name);
- }
- elsif ($name =~ m/^[A-Z]/) {
- push(@{$drives{$s->get_timestamp()}},$name);
- }
- elsif ($name =~ m/^#/) {
- push(@{$remote{$s->get_timestamp()}},$name);
- }
- else {
- ::rptMsg(" Key name = ".$name);
- }
- }
- ::rptMsg("");
- ::rptMsg("Remote Drives:");
- foreach my $t (reverse sort {$a <=> $b} keys %remote) {
- ::rptMsg(gmtime($t)." (UTC)");
- foreach my $item (@{$remote{$t}}) {
- ::rptMsg(" $item");
- }
- }
-
- ::rptMsg("");
- ::rptMsg("Volumes:");
- foreach my $t (reverse sort {$a <=> $b} keys %volumes) {
- ::rptMsg(gmtime($t)." (UTC)");
- foreach my $item (@{$volumes{$t}}) {
- ::rptMsg(" $item");
- }
- }
- ::rptMsg("");
- ::rptMsg("Drives:");
- foreach my $t (reverse sort {$a <=> $b} keys %drives) {
- my $d = join(',',(@{$drives{$t}}));
- ::rptMsg(gmtime($t)." (UTC) - ".$d);
- }
-
- ::rptMsg("");
- ::rptMsg("Analysis Tip: Correlate the Volume entries to those found in the MountedDevices");
- ::rptMsg("entries that begin with \"\\??\\Volume\"\.");
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mpmru.pl b/RecentActivity/release/rr/plugins/mpmru.pl
deleted file mode 100644
index 701f0a802d..0000000000
--- a/RecentActivity/release/rr/plugins/mpmru.pl
+++ /dev/null
@@ -1,75 +0,0 @@
-#-----------------------------------------------------------
-# mpmru.pl
-# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
-# Media Player RecentFileList values
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package mpmru;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets user's Media Player RecentFileList values";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching mpmru v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("Media Player - RecentFileList");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %files;
-# Retrieve values and load into a hash for sorting
- foreach my $v (@vals) {
- my $val = $v->get_name();
- my $data = $v->get_data();
- my $tag = (split(/File/,$val))[1];
- $files{$tag} = $val.":".$data;
- }
-# Print sorted content to report file
- foreach my $u (sort {$a <=> $b} keys %files) {
- my ($val,$data) = split(/:/,$files{$u},2);
- ::rptMsg(" ".$val." -> ".$data);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mrt.pl b/RecentActivity/release/rr/plugins/mrt.pl
deleted file mode 100644
index 89e9ebddaf..0000000000
--- a/RecentActivity/release/rr/plugins/mrt.pl
+++ /dev/null
@@ -1,72 +0,0 @@ -#----------------------------------------------------------- -# mrt.pl -# -# Per http://support.microsoft.com/kb/891716/, whenever MRT is run, a new -# GUID is written to the Version value. Check the KB article to compare -# GUIDs against the last time the tool was run. Also be sure to check the -# MRT logs in %WinDir%\Debug (mrt.log) -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package mrt; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20080804); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check to see if Malicious Software Removal Tool has been run"; -} -sub getDescr{} -sub getRefs {"Deployment of the Microsoft Windows Malicious Software Removal Tool" => - "http://support.microsoft.com/kb/891716/", - "The Microsoft Windows Malicious Software Removal Tool" => "http://support.microsoft.com/?kbid=890830"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching MRT v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - - my $key_path = "Microsoft\\RemovalTools\\MRT"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Key Path: ".$key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $version; - eval { - $version = $key->get_value("Version")->get_data(); - }; - if ($@) { - ::rptMsg("Error getting Version information: ".$@); - - } - else { - ::rptMsg("Version: ".$version); - ::rptMsg(""); - ::rptMsg("Analysis Tip: Go to http://support.microsoft.com/kb/891716/ to see when MRT"); - ::rptMsg("was last run. 
According to the KB article, each time MRT is run, a new GUID"); - ::rptMsg("is written to the Version value."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/msis.pl b/RecentActivity/release/rr/plugins/msis.pl deleted file mode 100644 index cda7bc4cdd..0000000000 --- a/RecentActivity/release/rr/plugins/msis.pl +++ /dev/null 
@@ -1,96 +0,0 @@ -#----------------------------------------------------------- -# msis.pl -# Plugin to determine the MSI packages installed on the system -# -# Change history: -# 20090911 - created -# -# References: -# http://support.microsoft.com/kb/290134 -# http://support.microsoft.com/kb/931401 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package msis; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090911); - -sub getConfig{return %config} - -sub getShortDescr { - return "Determine MSI packages installed on the system"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %msi; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching msis v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Classes\\Installer\\Products"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $lastwrite = $s->get_timestamp(); - - my $product; - eval { - $product = $s->get_value("ProductName")->get_data(); - }; - - my $path; - my $pkg; - - eval { - my $p = $s->get_subkey("SourceList")->get_value("LastUsedSource")->get_data(); - $path = (split(/;/,$p,3))[2]; - }; - - eval { - $pkg = $s->get_subkey("SourceList")->get_value("PackageName")->get_data(); - }; - - push(@{$msi{$lastwrite}},$product.";".$path.$pkg); - } - - - foreach my $t (reverse sort {$a <=> $b} keys %msi) { - ::rptMsg(gmtime($t)." 
(UTC)"); - foreach my $item (@{$msi{$t}}) { - ::rptMsg(" ".$item); - } - } - - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/mspaper.pl b/RecentActivity/release/rr/plugins/mspaper.pl deleted file mode 100644 index da25ba65a0..0000000000 --- a/RecentActivity/release/rr/plugins/mspaper.pl +++ /dev/null 
@@ -1,100 +0,0 @@ -#----------------------------------------------------------- -# mspaper.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# MSPaper Recent File List values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package mspaper; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets images listed in user's MSPaper key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching mspaper v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $tick = 0; - my $key_path = 'Software\\Microsoft'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - - if (scalar @subkeys > 0) { - foreach my $sk (@subkeys) { - if ($sk->get_name() =~ m/^mspaper/i) { - $tick = 1; - my $nkey = $sk->get_name()."\\Recent File List"; - my $msp; - if ($msp = $key->get_subkey($nkey)) { - ::rptMsg("MSPaper - Recent File List"); - ::rptMsg($key_path."\\".$nkey); - ::rptMsg("LastWrite Time ".gmtime($msp->get_timestamp())." (UTC)"); - my @vals = $msp->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path."\\".$nkey." 
has no values."); - } - } - else { - ::rptMsg($key_path."\\".$nkey." not found."); - ::logMsg("Error: ".$key_path."\\".$nkey." not found."); - } - } - } - if ($tick == 0) { - ::rptMsg("SOFTWARE\\Microsoft\\MSPaper* not found."); - ::logMsg("SOFTWARE\\Microsoft\\MSPaper* not found."); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/muicache.pl b/RecentActivity/release/rr/plugins/muicache.pl deleted file mode 100644 index 8a980e3531..0000000000 --- a/RecentActivity/release/rr/plugins/muicache.pl +++ /dev/null 
@@ -1,66 +0,0 @@
-#! c:\perl\bin\perl.exe
-#-----------------------------------------------------------
-# muicache.pl
-# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
-# MUICache values
-#
-# Change history
-#
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package muicache;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets EXEs from user's MUICache key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching muicache v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
- my $key_path = 'Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("MUICache");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $name = $v->get_name();
- next if ($name =~ m/^@/ || $name eq "LangID");
- my $data = $v->get_data();
- ::rptMsg("\t".$name." (".$data.")");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/nero.pl b/RecentActivity/release/rr/plugins/nero.pl
deleted file mode 100644
index 30b861326a..0000000000
--- a/RecentActivity/release/rr/plugins/nero.pl
+++ /dev/null
@@ -1,75 +0,0 @@
-#-----------------------------------------------------------
-# nero.pl
-# **Very Beta! Based on one sample hive file only!
-#
-# Change history
-# 20100218 - created
-#
-# References
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package nero;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100218);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets contents of Ahead\\Nero Recent File List subkeys";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-my @nerosubkeys = ("Cover Designer","FlmgPlg","Nero PhotoSnap",
- "NSPluginMgr","PhotoEffects","XlmgPlg");
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- my %hist;
- ::logMsg("Launching nero v.".$VERSION);
-
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Ahead';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("");
- foreach my $nsk (@nerosubkeys) {
- eval {
- my $nk;
- if ($nk = $key->get_subkey($nsk."\\Recent File List")) {
- my @vals = $nk->get_list_of_values();
- if (scalar @vals > 0) {
- ::rptMsg($nsk."\\Recent File List");
- ::rptMsg("LastWrite Time ".gmtime($nk->get_timestamp())." (UTC)");
- foreach my $v (@vals) {
- ::rptMsg(" ".$v->get_name()." -> ".$v->get_data());
- }
- ::rptMsg("");
- }
- else {
- ::rptMsg($nsk."\\Recent File List has no values.");
- }
- }
- };
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/network.pl b/RecentActivity/release/rr/plugins/network.pl
deleted file mode 100644
index 32853b3110..0000000000
--- a/RecentActivity/release/rr/plugins/network.pl
+++ /dev/null
@@ -1,95 +0,0 @@ -#----------------------------------------------------------- -# network.pl -# Plugin for Registry Ripper; Get information on network -# interfaces from the System hive file - from the -# Control\Network GUID subkeys... -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package network; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets info from System\\Control\\Network GUIDs"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %nics; - my $ccs; - ::logMsg("Launching network v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"; - my $nw; - if ($nw = $root_key->get_subkey($nw_path)) { - ::rptMsg("Network key"); - ::rptMsg($nw_path); -# Get all of the subkey names - my @sk = $nw->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - next if ($name eq "Descriptions"); - if (my $conn = $nw->get_subkey($name."\\Connection")) { - ::rptMsg("Interface ".$name); - ::rptMsg("LastWrite time ".gmtime($conn->get_timestamp())." 
(UTC)"); - my %conn_vals; - my @vals = $conn->get_list_of_values(); - map{$conn_vals{$_->get_name()} = $_->get_data()}@vals; - ::rptMsg("\tName = ".$conn_vals{Name}); - ::rptMsg("\tPnpInstanceID = ".$conn_vals{PnpInstanceID}); - ::rptMsg("\tMediaSubType = ".$conn_vals{MediaSubType}); - ::rptMsg("\tIpCheckingEnabled = ".$conn_vals{IpCheckingEnabled}) - if (exists $conn_vals{IpCheckingEnabled}); - - } - ::rptMsg(""); - } - - } - else { - ::rptMsg($nw_path." has no subkeys."); - } - } - else { - ::rptMsg($nw_path." could not be found."); - ::logMsg($nw_path." could not be found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/networkcards.pl b/RecentActivity/release/rr/plugins/networkcards.pl deleted file mode 100644 index c0ce64f41d..0000000000 --- a/RecentActivity/release/rr/plugins/networkcards.pl +++ /dev/null 
@@ -1,62 +0,0 @@
-#-----------------------------------------------------------
-# networkcards
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package networkcards;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080325);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get NetworkCards";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching networkcards v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("NetworkCards");
- ::rptMsg($key_path);
- ::rptMsg("");
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- my %nc;
- foreach my $s (@subkeys) {
- my $service = $s->get_value("ServiceName")->get_data();
- $nc{$service}{descr} = $s->get_value("Description")->get_data();
- $nc{$service}{lastwrite} = $s->get_timestamp();
- }
-
- foreach my $n (keys %nc) {
- ::rptMsg($nc{$n}{descr}." [".gmtime($nc{$n}{lastwrite})."]");
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- ::logMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/networklist.pl b/RecentActivity/release/rr/plugins/networklist.pl
deleted file mode 100644
index babf87d7d6..0000000000
--- a/RecentActivity/release/rr/plugins/networklist.pl
+++ /dev/null
@@ -1,142 +0,0 @@ -#----------------------------------------------------------- -# networklist.pl - Plugin to extract information from the -# NetworkList key, including the MAC address of the default -# gateway -# -# -# Change History: -# 20090812 - updated code to parse DateCreated and DateLastConnected -# values; modified output, as well -# 20090811 - created -# -# References -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package networklist; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090811); - -sub getConfig{return %config} - -sub getShortDescr { - return "Collects network info from Vista NetworkList key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching networklist v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $base_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList"; - -# First, get profile info - my $key_path = $base_path."\\Profiles"; - my $key; - my %nl; # hash of hashes to hold data - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - $nl{$name}{LastWrite} = $s->get_timestamp(); - eval { - $nl{$name}{ProfileName} = $s->get_value("ProfileName")->get_data(); - $nl{$name}{Description} = $s->get_value("Description")->get_data(); - $nl{$name}{Managed} = $s->get_value("Managed")->get_data(); - - my $create = $s->get_value("DateCreated")->get_data(); - $nl{$name}{DateCreated} = parseDate128($create) if (length($create) == 16); - my $conn = $s->get_value("DateLastConnected")->get_data(); - $nl{$name}{DateLastConnected} = 
parseDate128($conn) if (length($conn) == 16); - -# $nl{$name}{NameType} = $s->get_value("ProfileName")->get_data(); - }; - } - -# Get additional information from the Signatures subkey - $key_path = $base_path."\\Signatures\\Managed"; - if ($key = $root_key->get_subkey($key_path)) { - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - eval { - my $prof = $s->get_value("ProfileGuid")->get_data(); - my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6); - my $mac = uc(unpack("H*",$tmp)); - my @t = split(//,$mac); - $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3]. - "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; - }; - } - } - } - - $key_path = $base_path."\\Signatures\\Unmanaged"; - if ($key = $root_key->get_subkey($key_path)) { - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - eval { - my $prof = $s->get_value("ProfileGuid")->get_data(); - my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6); - my $mac = uc(unpack("H*",$tmp)); - my @t = split(//,$mac); - $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3]. - "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; - }; - } - } - } - -# Now, display the information - foreach my $n (keys %nl) { - my $str = sprintf "%-15s Gateway Mac: ".$nl{$n}{DefaultGatewayMac},$nl{$n}{ProfileName}; - ::rptMsg($nl{$n}{ProfileName}); - ::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." UTC"); - ::rptMsg(" DateLastConnected: ".$nl{$n}{DateLastConnected}); - ::rptMsg(" DateCreated : ".$nl{$n}{DateCreated}); - ::rptMsg(" DefaultGatewayMac: ".$nl{$n}{DefaultGatewayMac}); - ::rptMsg(""); - } - - } - else { - ::rptMsg($key_path." has not subkeys"); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - - - -sub parseDate128 { - my $date = $_[0]; - my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul", - "Aug","Sep","Oct","Nov","Dec"); - my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat"); - my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date); - $hr = "0".$hr if ($hr < 10); - $min = "0".$min if ($min < 10); - $sec = "0".$sec if ($sec < 10); - my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr; - return $str; -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/networkuid.pl b/RecentActivity/release/rr/plugins/networkuid.pl deleted file mode 100644 index 7a457e111f..0000000000 --- a/RecentActivity/release/rr/plugins/networkuid.pl +++ /dev/null 
@@ -1,57 +0,0 @@
-#-----------------------------------------------------------
-# networkuid.pl
-# Gets UID value from Network key
-#
-# References
-# http://blogs.technet.com/mmpc/archive/2010/03/11/got-zbot.aspx
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package networkuid;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20100312);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Gets Network key UID value";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching networkuid v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Network";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp()));
- ::rptMsg("");
-
- eval {
- my $uid = $key->get_value("UID")->get_data();
- ::rptMsg("UID value = ".$uid);
- };
- ::rptMsg("UID value not found.") if ($@);
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/nic.pl b/RecentActivity/release/rr/plugins/nic.pl
deleted file mode 100644
index 7a457e111f..0000000000
--- a/RecentActivity/release/rr/plugins/nic.pl
+++ /dev/null
@@ -1,80 +0,0 @@ -#----------------------------------------------------------- -# nic.pl -# -# -# Change history -# 20100401 - created -# -# References -# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx -# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package nic; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100401); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets NIC info from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %nics; - my $ccs; - ::logMsg("Launching nic v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - eval { - $current = $root_key->get_subkey("Select")->get_value("Current")->get_data(); - }; - my @nics; - my $key_path = "ControlSet00".$current."\\Services"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @svcs = $key->get_list_of_subkeys(); - foreach my $s (@svcs) { - push(@nics,$s) if ($s->get_name() =~ m/^{/); - } - foreach my $n (@nics) { - eval { - my @vals = $n->get_subkey("Parameters\\Tcpip")->get_list_of_values(); - ::rptMsg("Adapter: ".$n->get_name()); - ::rptMsg("LastWrite Time: ".gmtime($n->get_timestamp())." Z"); - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2"); - $data = gmtime($data)." 
Z" if ($name =~ m/Time$/); - - ::rptMsg(sprintf " %-20s %-20s",$name,$data); - - } - ::rptMsg(""); - }; - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/nic2.pl b/RecentActivity/release/rr/plugins/nic2.pl deleted file mode 100644 index 44d4d8099a..0000000000 --- a/RecentActivity/release/rr/plugins/nic2.pl +++ /dev/null 
@@ -1,80 +0,0 @@ -#----------------------------------------------------------- -# nic2.pl -# -# -# Change history -# 20100401 - created -# -# References -# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx -# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package nic2; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100401); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets NIC info from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %nics; - my $ccs; - ::logMsg("Launching nic v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - eval { - $current = $root_key->get_subkey("Select")->get_value("Current")->get_data(); - }; - my @nics; - my $key_path = "ControlSet00".$current."\\Services\\Tcpip\\Parameters\\Interfaces"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @guids = $key->get_list_of_subkeys(); - if (scalar @guids > 0) { - foreach my $g (@guids) { - ::rptMsg("Adapter: ".$g->get_name()); - ::rptMsg("LastWrite Time: ".gmtime($g->get_timestamp())." Z"); - eval { - my @vals = $g->get_list_of_values(); - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2"); - $data = gmtime($data)." 
Z" if ($name =~ m/Time$/); - ::rptMsg(sprintf " %-28s %-20s",$name,$data); - } - ::rptMsg(""); - }; - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/nic_mst2.pl b/RecentActivity/release/rr/plugins/nic_mst2.pl deleted file mode 100644 index 36c98b4270..0000000000 --- a/RecentActivity/release/rr/plugins/nic_mst2.pl +++ /dev/null 
@@ -1,148 +0,0 @@ -#----------------------------------------------------------- -# nic_mst2.pl -# Plugin for Registry Ripper; Get information on network -# interfaces from the System hive file - start with the -# Control\Network GUID subkeys...within the Connection key, -# look for MediaSubType == 2, and maintain a list of GUIDs. -# Then go over to the Services\Tcpip\Parameters\Interfaces -# key and get the IP configurations for each of the interface -# GUIDs -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/555382 -# http://support.microsoft.com/kb/894564 -# http://support.microsoft.com/kb/899868 -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package nic_mst2; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets NICs from System hive; looks for MediaType = 2"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %nics; - my $ccs; - ::logMsg("Launching nic_mst2 v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"; - my $nw; - if ($nw = $root_key->get_subkey($nw_path)) { - ::rptMsg("Network key"); - ::rptMsg($nw_path); -# Get all of the subkey names - my @sk = $nw->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach 
my $s (@sk) { - my $name = $s->get_name(); - next if ($name eq "Descriptions"); - if (my $conn = $nw->get_subkey($name."\\Connection")) { - my %conn_vals; - my @vals = $conn->get_list_of_values(); - map{$conn_vals{$_->get_name()} = $_->get_data()}@vals; -# See what the active NICs were on the system; "active" based on PnpInstanceID having -# a string value -# Get the GUID of the interface, the name, and the LastWrite time of the Connection -# key - if (exists $conn_vals{PnpInstanceID} && $conn_vals{PnpInstanceID} ne "") { - $nics{$name}{Name} = $conn_vals{Name}; - $nics{$name}{LastWrite} = $conn->get_timestamp(); - } - } - } - - } - else { - ::rptMsg($nw_path." has no subkeys."); - } - } - else { - ::rptMsg($nw_path." could not be found."); - } - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); -# access the Tcpip Services key to get the IP address information - if (scalar(keys %nics) > 0) { - my $key_path = $ccs."\\Services\\Tcpip\\Parameters\\Interfaces"; - if ($key = $root_key->get_subkey($key_path)) { - my %guids; - ::rptMsg($key_path); - ::rptMsg("LastWrite time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); -# Dump the names of the subkeys under Parameters\Interfaces into a hash - my @sk = $key->get_list_of_subkeys(); - map{$guids{$_->get_name()} = 1}(@sk); - - foreach my $n (keys %nics) { - if (exists $guids{$n}) { - my $if = $key->get_subkey($n); - ::rptMsg("Interface ".$n); - ::rptMsg("Name: ".$nics{$n}{Name}); - ::rptMsg("Control\\Network key LastWrite time ".gmtime($nics{$n}{LastWrite})." (UTC)"); - ::rptMsg("Services\\Tcpip key LastWrite time ".gmtime($if->get_timestamp())." 
(UTC)"); - - my @vals = $if->get_list_of_values; - my %ip; - map{$ip{$_->get_name()} = $_->get_data()}@vals; - - if (exists $ip{EnableDHCP} && $ip{EnableDHCP} == 1) { - ::rptMsg("\tDhcpDomain = ".$ip{DhcpDomain}); - ::rptMsg("\tDhcpIPAddress = ".$ip{DhcpIPAddress}); - ::rptMsg("\tDhcpSubnetMask = ".$ip{DhcpSubnetMask}); - ::rptMsg("\tDhcpNameServer = ".$ip{DhcpNameServer}); - ::rptMsg("\tDhcpServer = ".$ip{DhcpServer}); - } - else { - ::rptMsg("\tIPAddress = ".$ip{IPAddress}); - ::rptMsg("\tSubnetMask = ".$ip{SubnetMask}); - ::rptMsg("\tDefaultGateway = ".$ip{DefaultGateway}); - } - - } - else { - ::rptMsg("Interface ".$n." not found in the ".$key_path." key."); - } - ::rptMsg(""); - } - } - } - else { - ::rptMsg("No active network interface cards were found."); - ::logMsg("No active network interface cards were found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/nolmhash.pl b/RecentActivity/release/rr/plugins/nolmhash.pl deleted file mode 100644 index 94f253e63d..0000000000 --- a/RecentActivity/release/rr/plugins/nolmhash.pl +++ /dev/null 
@@ -1,74 +0,0 @@ -#----------------------------------------------------------- -# nolmhash.pl -# Gets NoLMHash value -# -# Change history -# 20100712 - created -# -# References -# http://support.microsoft.com/kb/299656 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package nolmhash; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100712); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets NoLMHash value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching lsa v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my ($current,$ccs); - my $sel_path = 'Select'; - my $sel; - if ($sel = $root_key->get_subkey($sel_path)) { - $current = $sel->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - my $key_path = $ccs."\\Control\\Lsa"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("nolmhash v.".$VERSION); - ::rptMsg($key_path); - ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - my $nolmhash; - eval { - $nolmhash = $key->get_value("NoLMHash")->get_data(); - ::rptMsg("NoLMHash value = ".$nolmhash); - ::rptMsg(""); - ::rptMsg("A value of 1 indicates that LMHashes are not stored in the SAM."); - }; - ::rptMsg("Error occurred getting NoLMHash value: $@") if ($@); - } - else { - ::rptMsg($key_path." not found."); - } - } - else { - ::rptMsg($sel_path." not found."); - ::logMsg($sel_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/notify.pl b/RecentActivity/release/rr/plugins/notify.pl deleted file mode 100644 index 8919b6dbd9..0000000000 --- a/RecentActivity/release/rr/plugins/notify.pl +++ /dev/null 
@@ -1,79 +0,0 @@ -#----------------------------------------------------------- -# notify.pl -# -# -# Change History: -# 20110309 - updated output format to sort entries based on -# LastWrite time -# 20110308 - created -# -# References -# http://blogs.technet.com/b/markrussinovich/archive/2011/03/08/3392087.aspx -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package notify; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20110309); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get Notify subkey entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my %notify; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching notify v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("notify"); - ::rptMsg($key_path); - ::rptMsg(""); - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - my $lw = $s->get_timestamp(); - my $dll; - eval { - $dll = $s->get_value("DLLName")->get_data(); - push(@{$notify{$lw}},sprintf "%-15s %-25s",$name,$dll); - }; - } - - foreach my $t (reverse sort {$a <=> $b} keys %notify) { - ::rptMsg(gmtime($t)." UTC"); - foreach my $i (@{$notify{$t}}) { - ::rptMsg(" ".$i); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/ntuser b/RecentActivity/release/rr/plugins/ntuser deleted file mode 100644 index f2d6b0a366..0000000000 
--- a/RecentActivity/release/rr/plugins/ntuser +++ /dev/null @@ -1,50 +0,0 @@ -# List of plugins for the Registry Ripper - -#------------------------------------- -# NTUSER.DAT -logonusername -autoendtasks -autorun -acmru -adoberdr -aim -applets -comdlg32 -compdesc -# The controlpanel plugin is intended for Vista systems only -# User hives from systems prior to Vista will show 'not found' -controlpanel -listsoft -logon_xp_run -load -mmc -mndmru -mp2 -mpmru -mspaper -officedocs -oisc -recentdocs -realplayer6 -runmru -tsclient -ie_main -ie_settings -typedurls -muicache -#userassist -userassist2 -user_run -userlocsvc -vncviewer -winzip -user_win -winrar -winlogon_u -policies_u -wallpaper -vista_bitbucket -shellfolders -arpcache -clampitm -unreadmail \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/officedocs.pl b/RecentActivity/release/rr/plugins/officedocs.pl deleted file mode 100644 index 8182a3d177..0000000000 --- a/RecentActivity/release/rr/plugins/officedocs.pl +++ /dev/null 
@@ -1,145 +0,0 @@ -#----------------------------------------------------------- -# officedocs.pl -# Plugin for Registry Ripper -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package officedocs; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's Office doc MRU keys"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching officedocs v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("officedocs v.".$VERSION); -# First, let's find out which version of Office is installed - my $version; - my $tag = 0; - my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0"); - foreach my $ver (@versions) { - my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Open Find"; - if (defined($root_key->get_subkey($key_path))) { - $version = $ver; - $tag = 1; - } - } - - if ($tag) { - ::rptMsg("MSOffice version ".$version." located."); - my $key_path = "Software\\Microsoft\\Office\\".$version; - my $of_key = $root_key->get_subkey($key_path); - if ($of_key) { -# Attempt to retrieve Word docs - my @funcs = ("Open","Save As","File Save"); - foreach my $func (@funcs) { - my $word = "Common\\Open Find\\Microsoft Office Word\\Settings\\".$func."\\File Name MRU"; - my $word_key = $of_key->get_subkey($word); - if ($word_key) { - ::rptMsg($word); - ::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - my $value = $word_key->get_value("Value")->get_data(); - my @data = split(/\00/,$value); - map{::rptMsg("$_");}@data; - } - else { -# ::rptMsg("Could not access ".$word); - } - ::rptMsg(""); - } -# Attempt to retrieve Excel docs - my $excel = 'Excel\\Recent Files'; - if (my $excel_key = $of_key->get_subkey($excel)) { - ::rptMsg($key_path."\\".$excel); - ::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)"); - my @vals = $excel_key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path.$excel." has no values."); - } - } - else { - ::rptMsg($key_path.$excel." not found."); - } - ::rptMsg(""); -# Attempt to retrieve PowerPoint docs - my $ppt = 'PowerPoint\\Recent File List'; - if (my $ppt_key = $of_key->get_subkey($ppt)) { - ::rptMsg($key_path."\\".$ppt); - ::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)"); - my @vals = $ppt_key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path."\\".$ppt." has no values."); - } - } - else { - ::rptMsg($key_path."\\".$ppt." 
not found."); - } - } - else { - ::rptMsg("Could not access ".$key_path); - ::logMsg("Could not access ".$key_path); - } - } - else { - ::logMsg("MSOffice version not found."); - ::rptMsg("MSOffice version not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/oisc.pl b/RecentActivity/release/rr/plugins/oisc.pl deleted file mode 100644 index 2ddad06973..0000000000 --- a/RecentActivity/release/rr/plugins/oisc.pl +++ /dev/null 
@@ -1,123 +0,0 @@ -#----------------------------------------------------------- -# oisc.pl -# Plugin for Registry Ripper -# -# Change history -# 20091125 - modified by H. Carvey -# 20091110 - created -# -# References -# http://support.microsoft.com/kb/838028 -# http://support.microsoft.com/kb/916658 -# -# Derived from the officeDocs plugin -# copyright 2008-2009 H. Carvey, mangled 2009 M. Tarnawsky -# -# Michael Tarnawsky -# forensics@mialta.com -#----------------------------------------------------------- -package oisc; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091125); - -my %prot = (0 => "Read-only HTTP", - 1 => "WEC to FPSE-enabled web folder", - 2 => "DAV to DAV-ext. web folder"); - -my %types = (0 => "no collaboration", - 1 => "SharePoint Team Server", - 2 => "Exchange 2000 Server", - 3 => "SharePoint Portal 2001 Server", - 4 => "SharePoint 2001 enhanced folder", - 5 => "Windows SharePoint Server/SharePoint Portal 2003 Server"); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's Office Internet Server Cache"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching oisc v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; -# First, let's find out which version of Office is installed - my $version; - my $tag = 0; - my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0"); - foreach my $ver (@versions) { - my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Internet\\Server Cache"; - if (defined($root_key->get_subkey($key_path))) { - $version = $ver; - $tag = 1; - } - } - - if ($tag) { - - my %isc; - - ::rptMsg("MSOffice version ".$version." 
located."); - my $key_path = "Software\\Microsoft\\Office\\".$version."\\Common\\Internet\\Server Cache"; - my $sc_key; - if ($sc_key = $root_key->get_subkey($key_path)) { -# Attempt to retrieve Servers Cache subkeys - my @sc = ($sc_key->get_list_of_subkeys()); - if (scalar(@sc) > 0) { - foreach my $s (@sc) { - my $name = $s->get_name(); - $isc{$name}{lastwrite} = $s->get_timestamp(); - - eval { - my $t = $s->get_value("Type")->get_data(); - (exists $types{$t}) ? ($isc{$name}{type} = $types{$t}) - : ($isc{$name}{type} = $t); - }; - - eval { - my $p = $s->get_value("Protocol")->get_data(); - (exists $prot{$p}) ? ($isc{$name}{protocol} = $prot{$p}) - : ($isc{$name}{protocol} = $p); - }; - - eval { - my @e = unpack("VV",$s->get_value("Expiration")->get_data()); - $isc{$name}{expiry} = ::getTime($e[0],$e[1]); - }; - } - ::rptMsg(""); - foreach my $i (keys %isc) { - ::rptMsg($i); - ::rptMsg(" LastWrite : ".gmtime($isc{$i}{lastwrite})." UTC"); - ::rptMsg(" Expiry : ".gmtime($isc{$i}{expiry})." UTC"); - ::rptMsg(" Protocol : ".$isc{$i}{protocol}); - ::rptMsg(" Type : ".$isc{$i}{type}); - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } - } - else { - ::rptMsg("MSOffice version not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/outlook.pl b/RecentActivity/release/rr/plugins/outlook.pl deleted file mode 100644 index eafc9b3ade..0000000000 --- a/RecentActivity/release/rr/plugins/outlook.pl +++ /dev/null 
@@ -1,186 +0,0 @@ -#----------------------------------------------------------- -# outlook.pl -# **Very Beta! Based on one sample hive file only! -# -# Change history -# 20100218 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package outlook; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's Outlook settings"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching outlook v.".$VERSION); - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - ::rptMsg(""); - foreach my $s (@subkeys) { - - my $profile = $s->get_name(); - ::rptMsg($profile." 
Profile"); - -# AutoArchive settings -# http://support.microsoft.com/kb/198479 - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0324")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2007 AutoArchive path -> ".$data); - }; - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e0324")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2003 AutoArchive path -> ".$data); - }; - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data); - }; - -# http://support.microsoft.com/kb/288570 - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101e0384")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Open Other Users MRU (Outlook 97) -> ".$data); - }; - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101f0390")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Open Other Users MRU (Outlook 2003) -> ".$data); - }; - - - - eval { - my $data = unpack("V",$s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("00036601")->get_data()); - my $str; - if ($data == 4) { - $str = " Cached Exchange Mode disabled."; - } - elsif ($data == 4484) { - $str = " Cached Exchange Mode enabled."; - } - else { - $str = sprintf " Cached Exchange Mode: 0x%x",$data; - } - ::rptMsg($str); - }; - - eval { - my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6610")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Path to OST file: ".$data); - }; - - eval { - my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6607")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Email: ".$data); - }; - - eval { - my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6620")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Email: ".$data); - }; - -# 
http://support.microsoft.com/kb/959956 -# eval { -# my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("01026687")->get_data(); -# $data =~ s/\00/\./g; -# $data =~ s/\W//g; -# ::rptMsg(" Non-SMTP Email: ".$data); -# }; - - - - - - - - - - - - - - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data); - }; - - - - - - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0418")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" 001f0418 -> ".$data); - }; -# ::rptMsg("Error : ".$@) if ($@); - - -# Account Names and signatures -# http://support.microsoft.com/kb/938360 - my @subkeys = $s->get_subkey("9375CFF0413111d3B88A00104B2A6676")->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - - foreach my $s2 (@subkeys) { - eval { - - - }; - } - } - - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/pagefile.pl b/RecentActivity/release/rr/plugins/pagefile.pl deleted file mode 100644 index f0484de431..0000000000 --- a/RecentActivity/release/rr/plugins/pagefile.pl +++ /dev/null 
@@ -1,71 +0,0 @@ -#----------------------------------------------------------- -# pagefile.pl -# -# Ref: -# -# http://support.microsoft.com/kb/314834 - ClearPagefileAtShutdown -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package pagefile; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081212); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get info on pagefile(s)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching pagefile v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - - my $mm_path = "ControlSet00".$current."\\Control\\Session Manager\\Memory Management"; - my $mm; - if ($mm = $root_key->get_subkey($mm_path)) { - - eval { - my $files = $mm->get_value("PagingFiles")->get_data(); - ::rptMsg("PagingFiles = ".$files); - }; - ::rptMsg($@) if ($@); - - eval { - my $cpf = $mm->get_value("ClearPageFileAtShutdown")->get_data(); - ::rptMsg("ClearPageFileAtShutdown = ".$cpf); - }; - - } - else { - ::rptMsg($mm_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; diff --git a/RecentActivity/release/rr/plugins/polacdms.pl b/RecentActivity/release/rr/plugins/polacdms.pl deleted file mode 100644 index 83efc86670..0000000000 --- a/RecentActivity/release/rr/plugins/polacdms.pl +++ /dev/null 
@@ -1,93 +0,0 @@ -#----------------------------------------------------------- -# polacdms -# Get the audit policy from the Security hive file; also, gets -# -# -# Change History: -# 20100531 - Created -# -# References: -# http://en.wikipedia.org/wiki/Security_Identifier -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package polacdms; -use strict; - -my %config = (hive => "Security", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100531); - -sub getConfig{return %config} -sub getShortDescr { - return "Get local machine SID from Security hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching polacdms v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Policy\\PolAcDmS"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("PolAcDmS"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $data; - eval { - $data = $key->get_value("")->get_data(); - }; - if ($@) { - ::rptMsg("Error occurred getting data from ".$key_path); - ::rptMsg(" - ".$@); - } - else { - my @d = unpack("V4",substr($data,8,16)); - ::rptMsg("Machine SID: S-1-5-".(join('-',@d))); - } - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - my $key_path = "Policy\\PolPrDmS"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("PolPrDmS"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - - my $data; - eval { - $data = $key->get_value("")->get_data(); - }; - if ($@) { - ::rptMsg("Error occurred getting data from ".$key_path); - ::rptMsg(" - ".$@); - } - else { - my @d = unpack("V4",substr($data,8,16)); - ::rptMsg("Primary Domain SID: S-1-5-".(join('-',@d))); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/policies_u.pl b/RecentActivity/release/rr/plugins/policies_u.pl deleted file mode 100644 index 9a15c13112..0000000000 --- a/RecentActivity/release/rr/plugins/policies_u.pl +++ /dev/null 
@@ -1,73 +0,0 @@ -#----------------------------------------------------------- -# policies_u -# Get values from user's WinLogon key -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package policies_u; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091021); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get values from the user's Policies key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching policies_u v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion"; - my $key; - if ($key = $root_key->get_subkey($key_path."\\policies")) { -# ::rptMsg("policies key found."); - - } - elsif ($key = $root_key->get_subkey($key_path."\\Policies")) { -# ::rptMsg("Policies key found."); - - } - else { - ::rptMsg("Neither policies nor Policies key found."); - return; - } - - eval { - my @vals = $key->get_subkey("Explorer")->get_list_of_values(); - if (scalar(@vals) > 0) { - ::rptMsg(""); - ::rptMsg("Explorer subkey values:"); - foreach my $v (@vals) { - my $str = sprintf "%-20s %-20s",$v->get_name(),$v->get_data(); - ::rptMsg(" ".$str); - } - } - }; - ::rptMsg(""); - eval { - my $quota = $key->get_subkey("System")->get_value("EnableProfileQuota")->get_data(); - ::rptMsg("EnableProfileQuota = ".$quota); - ::rptMsg(""); - ::rptMsg("The EnableProfileQuota = 1 setting causes the proquota\.exe to be run"); - ::rptMsg("automatically in order to limit the size of roaming profiles\. 
This"); - ::rptMsg("corresponds to the Limit Profile Size GPO setting\."); - }; - ::rptMsg("System\\EnableProfileQuota value not found\.") if ($@); -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/port_dev.pl b/RecentActivity/release/rr/plugins/port_dev.pl deleted file mode 100644 index 3ceaf1ae73..0000000000 --- a/RecentActivity/release/rr/plugins/port_dev.pl +++ /dev/null 
@@ -1,89 +0,0 @@ -#----------------------------------------------------------- -# port_dev -# Parse Microsoft\Windows Portable Devices\Devices key on Vista -# Get historical information about drive letter assigned to devices -# -# NOTE: Credit for "discovery" goes to Rob Lee -# -# Change History: -# 20090118 - changed the name of the plugin from "removdev" -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package port_dev; -use strict; - -my %config = (hive => "Software", - osmask => 192, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090118); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parses Windows Portable Devices key (Vista)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching port_dev v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows Portable Devices\\Devices"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("RemovDev"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $lastwrite = $s->get_timestamp(); - - my $letter; - eval { - $letter = $s->get_value("FriendlyName")->get_data(); - }; - ::rptMsg($name." key error: $@") if ($@); - - my $half; - if (grep(/##/,$name)) { - $half = (split(/##/,$name))[1]; - } - - if (grep(/\?\?/,$name)) { - $half = (split(/\?\?/,$name))[1]; - } - - my ($dev,$sn) = (split(/#/,$half))[1,2]; - - ::rptMsg("Device : ".$dev); - ::rptMsg("LastWrite : ".gmtime($lastwrite)." 
(UTC)"); - ::rptMsg("SN : ".$sn); - ::rptMsg("Drive : ".$letter); - ::rptMsg(""); - - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/printermru.pl b/RecentActivity/release/rr/plugins/printermru.pl deleted file mode 100644 index 531f1f19ad..0000000000 --- a/RecentActivity/release/rr/plugins/printermru.pl +++ /dev/null 
@@ -1,74 +0,0 @@ -#----------------------------------------------------------- -# printermru.pl -# Plugin to get RealVNC MRU listings from NTUSER.DAT -# -# Change history -# 20091125 - created -# -# References -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package printermru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091125); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's Printer Wizard MRU listing"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching printermru v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Printers\\Settings\\Wizard\\ConnectMRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %mru; - my @list; - foreach my $v (@vals) { - $mru{$v->get_name()} = $v->get_data(); - } - - if (exists $mru{MRUList}) { - @list = split(//,$mru{MRUList}); - } - - ::rptMsg("Printers listed in MRUList order."); - foreach my $i (0..scalar(@list) - 1) { - ::rptMsg(" ".$list[$i]." -> ".$mru{$list[$i]}); - } - - - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/printers.pl b/RecentActivity/release/rr/plugins/printers.pl deleted file mode 100644 index b01c920078..0000000000 --- a/RecentActivity/release/rr/plugins/printers.pl +++ /dev/null 
@@ -1,83 +0,0 @@ -#----------------------------------------------------------- -# printers.pl -# Get information about printers used by a user; System hive -# info is volatile -# -# Ref: -# http://support.microsoft.com/kb/102966 -# http://support.microsoft.com/kb/252388 -# http://support.microsoft.com/kb/102116 -# -# The following references contain information from the System -# hive that is volatile. -# http://www.undocprint.org/winspool/registry -# http://msdn.microsoft.com/en-us/library/aa394363(VS.85).aspx -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package printers; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090223); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get user's printers"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching printers v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(" ".$v->get_name()." (".$v->get_data().")"); - } - } - else { - ::rptMsg($key_path." 
has no values."); - } - ::rptMsg(""); -# Get default printer - my $def_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"; - my $def; - eval { - $def = $root_key->get_subkey($def_path)->get_value("Device")->get_data(); - ::rptMsg("Default Printer (via CurrentVersion\\Windows): ".$def); - }; -# another attempt to get the default printer - my $def_path = "Printers"; - my $def; - eval { - $def = $root_key->get_subkey($def_path)->get_value("DeviceOld")->get_data(); - ::rptMsg("Default Printer (via Printers->DeviceOld): ".$def); - }; - - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/product.pl b/RecentActivity/release/rr/plugins/product.pl deleted file mode 100644 index 6a70d719f4..0000000000 --- a/RecentActivity/release/rr/plugins/product.pl +++ /dev/null 
@@ -1,118 +0,0 @@
-#-----------------------------------------------------------
-# product.pl
-# Plugin to determine the MSI packages installed on the system
-#
-# Change history:
-# 20100325 - created
-#
-# References:
-# http://support.microsoft.com/kb/236590
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package product;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20100325);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get installed product info";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-my %msi;
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching product v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Windows\\CurrentVersion\\Installer\\UserData";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("");
- ::rptMsg($key_path);
-# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
-# Each of these subkeys should be SIDs
- foreach my $s (@subkeys) {
- next unless ($s->get_name() =~ m/^S/);
- ::rptMsg($s->get_name());
- if ($s->get_subkey("Products")) {
- processSIDKey($s->get_subkey("Products"));
- ::rptMsg("");
- }
- else {
- ::rptMsg($s->get_name()."\\Products subkey not found.");
- }
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-sub processSIDKey {
- my $key = shift;
- my %prod;
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
-# ::rptMsg($key->get_name());
- foreach my $s (@subkeys) {
- my ($displayname,$lastwrite);
- eval {
- $displayname = $s->get_subkey("InstallProperties")->get_value("DisplayName")->get_data();
- $lastwrite = $s->get_subkey("InstallProperties")->get_timestamp();
- };
-
- my $displayversion;
- eval {
- $displayversion = $s->get_subkey("InstallProperties")->get_value("DisplayVersion")->get_data();
- };
-
- my $installdate;
- eval {
- $installdate = $s->get_subkey("InstallProperties")->get_value("InstallDate")->get_data();
- };
-
- my $str = $displayname." v.".$displayversion.", ".$installdate;
- push(@{$prod{$lastwrite}},$str);
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %prod) {
- ::rptMsg(gmtime($t)." Z");
- foreach my $i (@{$prod{$t}}) {
- ::rptMsg(" ".$i);
- }
- }
-
-
- }
- else {
- ::rptMsg($key->get_name()." has no subkeys.");
- return;
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/productpolicy.pl b/RecentActivity/release/rr/plugins/productpolicy.pl
deleted file mode 100644
index 9437b84fbe..0000000000
--- a/RecentActivity/release/rr/plugins/productpolicy.pl
+++ /dev/null
@@ -1,145 +0,0 @@
-#-----------------------------------------------------------
-# productpolicy.pl
-# Extract/parse the ControlSet00x\Control\ProductOptions\ProductPolicy value
-#
-# NOTE: For Vista and 2008 ONLY; the value structure changed with Windows 7
-#
-# Change History:
-# 20091116 - created
-#
-# Ref:
-# http://www.geoffchappell.com/viewer.htm?doc=studies/windows/km/ntoskrnl/
-# api/ex/slmem/productpolicy.htm&tx=19
-# http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/
-# install.htm&tx=3,5,6;4
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package productpolicy;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20091116);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Parse ProductPolicy value (Vista & Win2008 ONLY)";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-my %prodinfo = (1 => "Ultimate",
- 2 => "Home Basic",
- 3 => "Home Premium",
- 5 => "Home Basic N",
- 6 => "Business",
- 7 => "Standard",
- 8 => "Data Center",
- 10 => "Enterprise",
- 11 => "Starter",
- 12 => "Data Center Core",
- 13 => "Standard Core",
- 14 => "Enterprise Core",
- 15 => "Business N");
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
-
- ::logMsg("Launching productpolicy v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $curr;
- eval {
- $curr = $root_key->get_subkey("Select")->get_value("Current")->get_data();
- };
- $curr = 1 if ($@);
-
- my $key;
- my $key_path = "ControlSet00".$curr."\\Control\\ProductOptions";
- if ($key = $root_key->get_subkey($key_path)) {
- my $prod;
- eval {
- $prod = $key->get_value("ProductPolicy")->get_data();
- };
- if ($@) {
- ::rptMsg("Error getting ProductPolicy value: $@");
- }
- else {
- my %pol = parseData($prod);
- ::rptMsg("");
- ::rptMsg("Note: This plugin applies to Vista and Windows 2008 ONLY.");
- ::rptMsg("For a listing of names and values, see:");
- ::rptMsg("http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/install.htm&tx=3,5,6;4");
- ::rptMsg("");
- foreach my $p (sort keys %pol) {
- ::rptMsg($p." - ".$pol{$p});
- }
-
- if (exists $prodinfo{$pol{"Kernel\-ProductInfo"}}) {
- ::rptMsg("");
- ::rptMsg("Kernel\-ProductInfo = ".$prodinfo{$pol{"Kernel\-ProductInfo"}});
- }
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-sub parseHeader {
-# Ref: http://www.geoffchappell.com/viewer.htm?doc=studies/windows/km/ntoskrnl/
-# api/ex/slmem/productpolicy.htm&tx=19,21
- my %h;
- my @v = unpack("V*",shift);
- $h{size} = $v[0];
- $h{array} = $v[1];
- $h{marker} = $v[2];
- $h{version} = $v[4];
- return %h;
-}
-
-sub parseData {
- my $pd = shift;
- my %policy;
- my $h = substr($pd,0,0x14);
- my %hdr = parseHeader($h);
- my $total_size = $hdr{size};
- my $cursor = 0x14;
-
- while ($cursor <= $total_size) {
- my @vals = unpack("v4V2", substr($pd,$cursor,0x10));
- my $value = substr($pd,$cursor,$vals[0]);
- my $name = substr($value,0x10,$vals[1]);
- $name =~ s/\00//g;
-
- my $data = substr($value,0x10 + $vals[1],$vals[3]);
- if ($vals[2] == 4) {
-# $data = sprintf "0x%x",unpack("V",$data);
- $data = unpack("V",$data);
- }
- elsif ($vals[2] == 1) {
- $data =~ s/\00//g;
- }
- elsif ($vals[2] == 3) {
- $data = unpack("H*",$data);
- }
- else {
-
- }
- $policy{$name} = $data;
- $cursor += $vals[0];
- }
- delete $policy{""};
- return %policy;
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/producttype.pl b/RecentActivity/release/rr/plugins/producttype.pl
deleted file mode 100644
index 41b39677b6..0000000000
--- a/RecentActivity/release/rr/plugins/producttype.pl
+++ /dev/null
@@ -1,88 +0,0 @@
-#-----------------------------------------------------------
-# producttype.pl
-# Determine Windows product information
-#
-# History
-# 20100713 - updated reference info, formatting
-# 20100325 - renamed to producttype.pl
-#
-# References
-# http://support.microsoft.com/kb/181412
-# http://support.microsoft.com/kb/152078
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package producttype;
-use strict;
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100325);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Queries System hive for Windows Product info";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching producttype v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
- my $prod_key_path = $ccs."\\Control\\ProductOptions";
- if (my $prod_key = $root_key->get_subkey($prod_key_path)) {
- ::rptMsg($prod_key_path);
- ::rptMsg("LastWrite = ".gmtime($prod_key->get_timestamp()));
- ::rptMsg("");
- ::rptMsg("Ref: http://support.microsoft.com/kb/152078");
- ::rptMsg(" http://support.microsoft.com/kb/181412");
- ::rptMsg("");
- my $type;
- eval {
- $type = $prod_key->get_value("ProductType")->get_data();
- ::rptMsg("ProductType = ".$type);
- ::rptMsg("Ref: http://technet.microsoft.com/en-us/library/cc782360%28WS.10%29.aspx");
- ::rptMsg("WinNT indicates a workstation.");
- ::rptMsg("ServerNT indicates a standalone server.");
- ::rptMsg("LanmanNT indicates a domain controller (pri/backup).");
- };
- ::rptMsg("");
-#-----------------------------------------------------------
-# http://technet.microsoft.com/en-us/library/cc784364(WS.10).aspx
-#
-# http://www.geoffchappell.com/viewer.htm?doc=studies/windows/
-# km/ntoskrnl/api/ex/exinit/productsuite.htm
-#
-#-----------------------------------------------------------
- my $suite;
- eval {
- $suite = $prod_key->get_value("ProductSuite")->get_data();
- ::rptMsg("ProductSuite = ".$suite);
- ::rptMsg("Ref: http://technet.microsoft.com/en-us/library/cc784364%28WS.10%29.aspx");
- };
- }
- else {
- ::rptMsg($prod_key_path." not found.");
- }
- }
- else {
- ::rptMsg("Select key not found.");
- }
-}
-1
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/profilelist.pl b/RecentActivity/release/rr/plugins/profilelist.pl
deleted file mode 100644
index bfeae8a6e7..0000000000
--- a/RecentActivity/release/rr/plugins/profilelist.pl
+++ /dev/null
@@ -1,137 +0,0 @@
-#-----------------------------------------------------------
-# profilelist.pl
-# Gets ProfileList subkeys and ProfileImagePath value; also
-# gets the ProfileLoadTimeHigh and Low values, and translates them
-# into a readable time
-#
-# History:
-# 20100219 - updated to gather SpecialAccounts and domain
-# user info
-# 20080415 - created
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package profilelist;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20100219);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get content of ProfileList key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
-
- my %profiles;
-
- ::logMsg("Launching profilelist v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\ProfileList";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
- my $path;
- eval {
- $path = $s->get_value("ProfileImagePath")->get_data();
- };
-
- ::rptMsg("Path : ".$path);
- ::rptMsg("SID : ".$s->get_name());
- ::rptMsg("LastWrite : ".gmtime($s->get_timestamp())." (UTC)");
-
- my $user;
- if ($path) {
- my @a = split(/\\/,$path);
- my $end = scalar @a - 1;
- $user = $a[$end];
- $profiles{$s->get_name()} = $user;
- }
-
- my @load;
- eval {
- $load[0] = $s->get_value("ProfileLoadTimeLow")->get_data();
- $load[1] = $s->get_value("ProfileLoadTimeHigh")->get_data();
- };
- if (@load) {
- my $loadtime = ::getTime($load[0],$load[1]);
- ::rptMsg("LoadTime : ".gmtime($loadtime)." (UTC)");
- }
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- ::logMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
-# The following was added 20100219
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
- if ($key = $root_key->get_subkey($key_path)) {
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar @subkeys > 0) {
- ::rptMsg("Domain Accounts");
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
- next unless ($name =~ m/^S\-1/);
-
- (exists $profiles{$name}) ? (::rptMsg($name." [".$profiles{$name}."]"))
- : (::rptMsg($name));
-# ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp()));
-# ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
-
-# Domain Cache?
- eval {
- my @cache = $key->get_subkey("DomainCache")->get_list_of_values();
- if (scalar @cache > 0) {
- ::rptMsg("");
- ::rptMsg("DomainCache");
- foreach my $d (@cache) {
- my $str = sprintf "%-15s %-20s",$d->get_name(),$d->get_data();
- ::rptMsg($str);
- }
- }
- };
-
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-
-
-
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/proxysettings.pl b/RecentActivity/release/rr/plugins/proxysettings.pl
deleted file mode 100644
index d403c487d3..0000000000
--- a/RecentActivity/release/rr/plugins/proxysettings.pl
+++ /dev/null
@@ -1,70 +0,0 @@
-#-----------------------------------------------------------
-# proxysettings.pl
-# Plugin for Registry Ripper,
-# Internet Explorer ProxySettings key parser
-#
-# Change history
-# 20081224 - H. Carvey, updated sorting and printing routine
-#
-#
-# copyright 2008 C. Bentley
-#-----------------------------------------------------------
-package proxysettings;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20081224);
-
-sub getConfig{return %config}
-sub getShortDescr {return "Gets contents of user's Proxy Settings";}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching proxysettings v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("ProxySettings");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %proxy;
- foreach my $v (@vals) {
- my $name = $v->get_name();
- my $data = $v->get_data();
- my $type = $v->get_type();
- $data = unpack("V",$data) if ($type == 3);
- $proxy{$name} = $data;
- }
- foreach my $n (sort keys %proxy) {
- my $str = sprintf " %-30s %-30s",$n,$proxy{$n};
- ::rptMsg($str);
-# ::rptMsg(" ".$v->get_name()." ".$v->get_data());
- }
- }
- else {
- ::rptMsg($key_path." key has no values.");
- ::logMsg($key_path." key has no values.");
- }
- }
- else {
- ::rptMsg($key_path." hat key not found.");
- ::logMsg($key_path." hat key not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/rdphint.pl b/RecentActivity/release/rr/plugins/rdphint.pl
deleted file mode 100644
index 680165812a..0000000000
--- a/RecentActivity/release/rr/plugins/rdphint.pl
+++ /dev/null
@@ -1,61 +0,0 @@
-#-----------------------------------------------------------
-# rdphint.pl - http://www.regripper.net/
-# Gathers servers logged onto via RDP and last successful username
-#
-# by Brandon Nesbit, Trustwave
-#-----------------------------------------------------------
-package rdphint;
-use strict;
-
-my %config = (hive => "NTUSER",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090715);
-
-sub getConfig{return %config}
-sub getShortDescr { return "Gets hosts logged onto via RDP and the Domain\\Username";}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching RDPHint v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("Terminal Server Client\\Servers");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
- my $path;
- eval {
- $path = $s->get_value("UsernameHint")->get_data();
- };
- ::rptMsg("");
- ::rptMsg("Hostname: ".$s->get_name());
- ::rptMsg("Domain/Username: ".$path);
- ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())." (UTC)");
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/rdpport.pl b/RecentActivity/release/rr/plugins/rdpport.pl
deleted file mode 100644
index 44110d33cb..0000000000
--- a/RecentActivity/release/rr/plugins/rdpport.pl
+++ /dev/null
@@ -1,59 +0,0 @@
-#-----------------------------------------------------------
-# rdpport.pl
-# Determine the RDP Port used
-#
-# History
-# 20100713 - created
-#
-# References
-# http://support.microsoft.com/kb/306759
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package rdpport;
-use strict;
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100713);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Queries System hive for RDP Port";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- my $key;
-
- ::logMsg("Launching rdpport v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $ccs = $root_key->get_subkey("Select")->get_value("Current")->get_data();
- my $key_path = "ControlSet00".$ccs."\\Control\\Terminal Server\\WinStations\\RDP-Tcp";
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("rdpport v.".$VERSION);
- ::rptMsg("");
- my $port;
- eval {
- $port = $key->get_value("PortNumber")->get_data();
- ::rptMsg("Remote Desktop Listening Port Number = ".$port);
- };
- ::rptMsg("Error getting PortNumber: ".$@) if ($@);
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/realplayer6.pl b/RecentActivity/release/rr/plugins/realplayer6.pl
deleted file mode 100644
index 7ea5913a5f..0000000000
--- a/RecentActivity/release/rr/plugins/realplayer6.pl
+++ /dev/null
@@ -1,79 +0,0 @@
-#-----------------------------------------------------------
-# realplayer6.pl
-# Plugin for Registry Ripper
-# Get Real Player 6 MostRecentClipsx values
-#
-# Change history
-#
-#
-# References
-#
-# Note: LastWrite times on c subkeys will all be the same,
-# as each subkey is modified as when a new entry is added
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package realplayer6;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets user's RealPlayer v6 MostRecentClips\(Default) values";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching realplayer6 v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
- ::rptMsg("Realplayer6 v.".$VERSION);
-
- my $key_path = "Software\\RealNetworks\\RealPlayer\\6.0\\Preferences";
- my $key = $root_key->get_subkey($key_path);
- if ($key) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my %rpkeys;
- my $tag = "MostRecentClips";
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar @subkeys > 0) {
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
- if ($name =~ m/^$tag/) {
- my $num = $name;
- $num =~ s/$tag//;
- $rpkeys{$num}{name} = $name;
- $rpkeys{$num}{data} = $s->get_value('')->get_data();
- $rpkeys{$num}{lastwrite} = $s->get_timestamp();
- }
- }
- foreach my $k (sort keys %rpkeys) {
- ::rptMsg("\t".$rpkeys{$k}{name}." -> ".$rpkeys{$k}{data});
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- ::logMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/realvnc.pl b/RecentActivity/release/rr/plugins/realvnc.pl
deleted file mode 100644
index 667766aca4..0000000000
--- a/RecentActivity/release/rr/plugins/realvnc.pl
+++ /dev/null
@@ -1,75 +0,0 @@
-#-----------------------------------------------------------
-# realvnc.pl
-# Plugin to get RealVNC MRU listings from NTUSER.DAT
-#
-# Change history
-# 20091125 - created
-#
-# References
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package realvnc;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20091125);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets user's RealVNC MRU listing";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching realvnc v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\RealVNC\\VNCViewer4\\MRU';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %mru;
- my @order;
- foreach my $v (@vals) {
- $mru{$v->get_name()} = $v->get_data();
- }
-
- if (exists($mru{Order})) {
- @order = unpack("C*",$mru{Order});
-# List systems connected to based on Order MRU value
- ::rptMsg("*Systems output in \"Order\" sequence");
- foreach my $i (0..scalar(@order) - 1) {
- $order[$i] = "0".$order[$i] if ($order[$i] < 10);
- ::rptMsg(" ".$order[$i]." -> ".$mru{$order[$i]});
- }
- }
- else {
- ::rptMsg("Could not find Order value.");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/recentdocs.pl b/RecentActivity/release/rr/plugins/recentdocs.pl
deleted file mode 100644
index 7850665376..0000000000
--- a/RecentActivity/release/rr/plugins/recentdocs.pl
+++ /dev/null
@@ -1,161 +0,0 @@
-#-----------------------------------------------------------
-# recentdocs.pl
-# Plugin for Registry Ripper
-# Parses RecentDocs keys/values in NTUSER.DAT
-#
-# Change history
-# 20100405 - Updated to use Encode::decode to translate strings
-# 20090115 - Minor update to keep plugin from printing terminating
-# MRUListEx value of 0xFFFFFFFF
-# 20080418 - Minor update to address NTUSER.DAT files that have
-# MRUList values in this key, rather than MRUListEx
-# values
-#
-# References
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package recentdocs;
-use strict;
-use Encode;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100405);
-
-sub getShortDescr {
- return "Gets contents of user's RecentDocs key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching recentdocs v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("RecentDocs");
- ::rptMsg("**All values printed in MRUList\\MRUListEx order.");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-# Get RecentDocs values
- my %rdvals = getRDValues($key);
- if (%rdvals) {
- my $tag;
- if (exists $rdvals{"MRUListEx"}) {
- $tag = "MRUListEx";
- }
- elsif (exists $rdvals{"MRUList"}) {
- $tag = "MRUList";
- }
- else {
-
- }
-
- my @list = split(/,/,$rdvals{$tag});
- foreach my $i (@list) {
- ::rptMsg(" ".$i." = ".$rdvals{$i});
- }
- ::rptMsg("");
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg("Error: ".$key_path." has no values.");
- }
-# Get RecentDocs subkeys' values
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
- ::rptMsg($key_path."\\".$s->get_name());
- ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
-
- my %rdvals = getRDValues($s);
- if (%rdvals) {
- my $tag;
- if (exists $rdvals{"MRUListEx"}) {
- $tag = "MRUListEx";
- }
- elsif (exists $rdvals{"MRUList"}) {
- $tag = "MRUList";
- }
- else {
-
- }
-
- my @list = split(/,/,$rdvals{$tag});
- ::rptMsg($tag." = ".$rdvals{$tag});
- foreach my $i (@list) {
- ::rptMsg(" ".$i." = ".$rdvals{$i});
- }
-
- ::rptMsg("");
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-
-sub getRDValues {
- my $key = shift;
-
- my $mru = "MRUList";
- my %rdvals;
-
- my @vals = $key->get_list_of_values();
- if (scalar @vals > 0) {
- foreach my $v (@vals) {
- my $name = $v->get_name();
- my $data = $v->get_data();
- if ($name =~ m/^$mru/) {
- my @mru;
- if ($name eq "MRUList") {
- @mru = split(//,$data);
- }
- elsif ($name eq "MRUListEx") {
- @mru = unpack("V*",$data);
- }
-# Horrible, ugly cludge; the last, terminating value in MRUListEx
-# is 0xFFFFFFFF, so we remove it.
- pop(@mru);
- $rdvals{$name} = join(',',@mru);
- }
- else {
-# New code
- $data = decode("ucs-2le", $data);
- my $file = (split(/\00/,$data))[0];
-# my $file = (split(/\00\00/,$data))[0];
-# $file =~ s/\00//g;
- $rdvals{$name} = $file;
- }
- }
- return %rdvals;
- }
- else {
- return undef;
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/regtime.pl b/RecentActivity/release/rr/plugins/regtime.pl
deleted file mode 100644
index 03510c46d9..0000000000
--- a/RecentActivity/release/rr/plugins/regtime.pl
+++ /dev/null
@@ -1,65 +0,0 @@
-#! c:\perl\bin\perl.exe
-#-----------------------------------------------------------
-# regtime.pl
-# Plugin for Registry Ripper; traverses through a Registry
-# hive file, pulling out keys and their LastWrite times, and
-# then listing them in order, sorted by the most recent time
-# first - works with any Registry hive file.
-#
-# Change history
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package regtime;
-use strict;
-
-my %config = (hive => "All",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Dumps entire hive - all keys sorted by LastWrite time";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-my %regkeys;
-
-sub pluginmain {
- my $class = shift;
- my $file = shift;
- my $reg = Parse::Win32Registry->new($file);
- my $root_key = $reg->get_root_key;
- ::logMsg("Launching regtime v.".$VERSION);
-
- traverse($root_key);
-
- foreach my $t (reverse sort {$a <=> $b} keys %regkeys) {
- foreach my $item (@{$regkeys{$t}}) {
- ::rptMsg(gmtime($t)."Z \t".$item);
- }
- }
-}
-
-sub traverse {
- my $key = shift;
- my $ts = $key->get_timestamp();
- my $name = $key->as_string();
- $name =~ s/\$\$\$PROTO\.HIV//;
- $name = (split(/\[/,$name))[0];
- push(@{$regkeys{$ts}},$name);
- foreach my $subkey ($key->get_list_of_subkeys()) {
- traverse($subkey);
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/regtime_tln.pl b/RecentActivity/release/rr/plugins/regtime_tln.pl
deleted file mode 100644
index 558d7f0eeb..0000000000
--- a/RecentActivity/release/rr/plugins/regtime_tln.pl
+++ /dev/null
@@ -1,66 +0,0 @@
-#! c:\perl\bin\perl.exe
-#-----------------------------------------------------------
-# regtime.pl
-# Plugin for Registry Ripper; traverses through a Registry
-# hive file, pulling out keys and their LastWrite times, and
-# then listing them in order, sorted by the most recent time
-# first - works with any Registry hive file.
-#
-# Change history
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package regtime_tln;
-use strict;
-
-my %config = (hive => "All",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Dumps entire hive - all keys sorted by LastWrite time";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-my %regkeys;
-
-sub pluginmain {
- my $class = shift;
- my $file = shift;
- my $reg = Parse::Win32Registry->new($file);
- my $root_key = $reg->get_root_key;
- ::logMsg("Launching regtime_tln v.".$VERSION);
-
- traverse($root_key);
-
- foreach my $t (reverse sort {$a <=> $b} keys %regkeys) {
- foreach my $item (@{$regkeys{$t}}) {
- #::rptMsg(gmtime($t)."Z \t".$item);
- ::rptMsg($t."|REG|M... ".$item);
- }
- }
-}
-
-sub traverse {
- my $key = shift;
- my $ts = $key->get_timestamp();
- my $name = $key->as_string();
- $name =~ s/\$\$\$PROTO\.HIV//;
- $name = (split(/\[/,$name))[0];
- push(@{$regkeys{$ts}},$name);
- foreach my $subkey ($key->get_list_of_subkeys()) {
- traverse($subkey);
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/renocide.pl b/RecentActivity/release/rr/plugins/renocide.pl
deleted file mode 100644
index 5f71f922f9..0000000000
--- a/RecentActivity/release/rr/plugins/renocide.pl
+++ /dev/null
@@ -1,65 +0,0 @@
-#-----------------------------------------------------------
-# renocide.pl
-# Plugin to assist in the detection of malware per MMPC
-# blog post (References, below)
-#
-# Change History:
-# 20110309 - created
-#
-# References
-# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Renocide
-#
-# copyright 2011 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package renocide;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20110309);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Check for Renocide malware";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching renocide v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\DRM\\amty";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("renocide");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite: ".gmtime($key->get_timestamp()));
- ::rptMsg("");
- ::rptMst($key_path." found; possible Win32\\Renocide infection.");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- ::rptMsg(sprintf "%-12s %-20s",$v->get_name(),$v->get_data());
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/routes.pl b/RecentActivity/release/rr/plugins/routes.pl
deleted file mode 100644
index 823f097b3e..0000000000
--- a/RecentActivity/release/rr/plugins/routes.pl
+++ /dev/null
@@ -1,81 +0,0 @@ -#----------------------------------------------------------- -# routes.pl -# -# Some malware is known to create persistent routes -# -# Change History: -# 20100817 - created -# -# Ref: -# http://support.microsoft.com/kb/141383 -# http://www.symantec.com/security_response/writeup.jsp?docid= -# 2010-041308-3301-99&tabid=2 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package routes; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100817); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get persistent routes"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching routes v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - - my $sb_path = $ccs."\\Services\\Tcpip\\Parameters\\PersistentRoutes"; - - my $sb; - if ($sb = $root_key->get_subkey($sb_path)) { - ::rptMsg($sb_path); - ::rptMsg("LastWrite: ".gmtime($sb->get_timestamp())); - ::rptMsg(""); - my @vals = $sb->get_list_of_values(); - - if (scalar(@vals) > 0) { - ::rptMsg(sprintf "%-15s %-15s %-15s %-5s","Address","Netmask","Gateway","Metric"); - foreach my $v (@vals) { - my ($addr,$netmask,$gateway,$metric) = split(/,/,$v->get_name(),4); - ::rptMsg(sprintf "%-15s %-15s %-15s %-5s",$addr,$netmask,$gateway,$metric); - } - } - else { - ::rptMsg($sb_path." has no values."); - } - } - else { - ::rptMsg($sb_path." not found."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/runmru.pl b/RecentActivity/release/rr/plugins/runmru.pl deleted file mode 100644 index f18a9ec434..0000000000 --- a/RecentActivity/release/rr/plugins/runmru.pl +++ /dev/null 
@@ -1,72 +0,0 @@ -#----------------------------------------------------------- -# runmru.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# RunMru values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package runmru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's RunMRU key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching runmru v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("RunMru"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - my %runvals; - my $mru; - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - $runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i); - $mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i); - } - ::rptMsg("MRUList = ".$mru); - foreach my $r (sort keys %runvals) { - ::rptMsg($r." ".$runvals{$r}); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/safeboot.pl b/RecentActivity/release/rr/plugins/safeboot.pl deleted file mode 100644 index 66ee850137..0000000000 
--- a/RecentActivity/release/rr/plugins/safeboot.pl +++ /dev/null 
@@ -1,104 +0,0 @@ -#----------------------------------------------------------- -# safeboot.pl -# -# Some malware is known to maintain persistence, even when the system -# is booted to SafeMode by writing entries to the SafeBoot subkeys -# ex: http://www.symantec.com/security_response/writeup.jsp? -# docid=2008-011507-0108-99&tabid=2 -# -# Ref: -# http://support.microsoft.com/kb/315222 -# http://support.microsoft.com/kb/202485/ -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package safeboot; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081216); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check SafeBoot entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching safeboot v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - - my $sb_path = $ccs."\\Control\\SafeBoot"; - my $sb; - if ($sb = $root_key->get_subkey($sb_path)) { - - my @sks = $sb->get_list_of_subkeys(); - - if (scalar(@sks) > 0) { - - foreach my $s (@sks) { - my $name = $s->get_name(); - my $ts = $s->get_timestamp(); - ::rptMsg($name." [".gmtime($ts)." Z]"); - my %sk; - my @subkeys = $s->get_list_of_subkeys(); - - if (scalar(@subkeys) > 0) { - foreach my $s2 (@subkeys) { - my $str; - my $default; - eval { - $default = $s2->get_value("")->get_data(); - }; - ($@)?($str = $s2->get_name()):($str = $s2->get_name()." 
(".$default.")"); - push(@{$sk{$s2->get_timestamp()}},$str); - } - - foreach my $t (sort keys %sk) { - ::rptMsg(gmtime($t)." Z"); - foreach my $i (@{$sk{$t}}) { - ::rptMsg(" ".$i); - } - } - ::rptMsg(""); - } - else { - ::rptMsg($name." has no subkeys."); - } - } - } - else { - ::rptMsg($sb_path." has no subkeys."); - } - } - else { - ::rptMsg($sb_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); -# ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/sam b/RecentActivity/release/rr/plugins/sam deleted file mode 100644 index 84568779ff..0000000000 --- a/RecentActivity/release/rr/plugins/sam +++ /dev/null @@ -1,3 +0,0 @@ -#------------------------------------- -# SAM -samparse \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/samparse.pl b/RecentActivity/release/rr/plugins/samparse.pl deleted file mode 100644 index 001857728e..0000000000 --- a/RecentActivity/release/rr/plugins/samparse.pl +++ /dev/null 
@@ -1,323 +0,0 @@ -#----------------------------------------------------------- -# samparse.pl -# Parse the SAM hive file for user/group membership info -# -# Change history: -# 20110303 - Fixed parsing of SID, added check for account type -# Acct type determined based on Dustin Hulburt's "Forensic -# Determination of a User's Logon Status in Windows" -# from 10 Aug 2009 (link below) -# 20100712 - Added References entry -# 20091020 - Added extracting UserPasswordHint value -# 20090413 - Added account creation date -# 20080415 - created -# -# References -# Source available here: http://pogostick.net/~pnh/ntpasswd/ -# http://accessdata.com/downloads/media/Forensic_Determination_Users_Logon_Status.pdf -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package samparse; -use strict; - -my %config = (hive => "SAM", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20110303); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parse SAM file for user/group mbrshp info"; -} -sub getDescr{} -sub getRefs { - my %refs = ("Well-known SIDs" => "http://support.microsoft.com/kb/243330"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %acb_flags = (0x0001 => "Account Disabled", - 0x0002 => "Home directory required", - 0x0004 => "Password not required", - 0x0008 => "Temporary duplicate account", - 0x0010 => "Normal user account", - 0x0020 => "MNS logon user account", - 0x0040 => "Interdomain trust account", - 0x0080 => "Workstation trust account", - 0x0100 => "Server trust account", - 0x0200 => "Password does not expire", - 0x0400 => "Account auto locked"); - -my %types = (0xbc => "Default Admin User", - 0xd4 => "Custom Limited Acct", - 0xb0 => "Default Guest Acct"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching samparse v.".$VERSION); - my $reg 
= Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - ::rptMsg(""); -# Get user information - ::rptMsg("User Information"); - ::rptMsg("-" x 25); - my $key_path = 'SAM\\Domains\\Account\\Users'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @user_list = $key->get_list_of_subkeys(); - if (scalar(@user_list) > 0) { - foreach my $u (@user_list) { - my $rid = $u->get_name(); - my $ts = $u->get_timestamp(); - my $tag = "0000"; - if ($rid =~ m/^$tag/) { - my $v_value = $u->get_value("V"); - my $v = $v_value->get_data(); - my %v_val = parseV($v); - $rid =~ s/^0000//; - $rid = hex($rid); - - my $c_date; - eval { - my $create_path = $key_path."\\Names\\".$v_val{name}; - if (my $create = $root_key->get_subkey($create_path)) { - $c_date = $create->get_timestamp(); - } - }; - - ::rptMsg("Username : ".$v_val{name}." [".$rid."]"); - ::rptMsg("Full Name : ".$v_val{fullname}); - ::rptMsg("User Comment : ".$v_val{comment}); - ::rptMsg("Account Type : ".$v_val{type}); - ::rptMsg("Account Created : ".gmtime($c_date)." Z") if ($c_date > 0); - - my $f_value = $u->get_value("F"); - my $f = $f_value->get_data(); - my %f_val = parseF($f); - - my $lastlogin; - my $pwdreset; - my $pwdfail; - ($f_val{last_login_date} == 0) ? ($lastlogin = "Never") : ($lastlogin = gmtime($f_val{last_login_date})." Z"); - ($f_val{pwd_reset_date} == 0) ? ($pwdreset = "Never") : ($pwdreset = gmtime($f_val{pwd_reset_date})." Z"); - ($f_val{pwd_fail_date} == 0) ? ($pwdfail = "Never") : ($pwdfail = gmtime($f_val{pwd_fail_date})." 
Z"); - - my $pw_hint; - eval { - $pw_hint = $u->get_value("UserPasswordHint")->get_data(); - $pw_hint =~ s/\00//g; - }; - ::rptMsg("Password Hint : ".$pw_hint) unless ($@); - ::rptMsg("Last Login Date : ".$lastlogin); - ::rptMsg("Pwd Reset Date : ".$pwdreset); - ::rptMsg("Pwd Fail Date : ".$pwdfail); - ::rptMsg("Login Count : ".$f_val{login_count}); - foreach my $flag (keys %acb_flags) { - ::rptMsg(" --> ".$acb_flags{$flag}) if ($f_val{acb_flags} & $flag); - } - ::rptMsg(""); - } - } - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - ::rptMsg("-" x 25); - ::rptMsg("Group Membership Information"); - ::rptMsg("-" x 25); -# Get Group membership information - my $key_path = 'SAM\\Domains\\Builtin\\Aliases'; - if ($key = $root_key->get_subkey($key_path)) { - my %grps; - my @groups = $key->get_list_of_subkeys(); - if (scalar(@groups) > 0) { - foreach my $k (@groups) { - my $name = $k->get_name(); - if ($name =~ m/^0000/) { - $grps{$name}{LastWrite} = $k->get_timestamp(); - $grps{$name}{C_value} = $k->get_value("C")->get_data(); - } - } - - foreach my $k (keys %grps) { - my $name = $k; - $name =~ s/^0000//; - my %c_val = parseC($grps{$k}{C_value}); - ::rptMsg("Group Name : ".$c_val{group_name}." [".$c_val{num_users}."]"); - ::rptMsg("LastWrite : ".gmtime($grps{$k}{LastWrite})." 
Z"); - ::rptMsg("Group Comment : ".$c_val{comment}); - if ($c_val{num_users} == 0) { - ::rptMsg("Users : None"); - }else { - my %users = parseCUsers($grps{$k}{C_value}); - if (scalar(keys %users) != $c_val{num_users}) { - ::logMsg("parseC function reports ".$c_val{num_users}."; parseCUsers function returned ".(scalar(keys %users))); - } - ::rptMsg("Users :"); - foreach my $u (keys %users) { - ::rptMsg(" ".$u); - } - - } - ::rptMsg(""); - } - ::rptMsg("Analysis Tips:"); - ::rptMsg(" - For well-known SIDs, see http://support.microsoft.com/kb/243330"); - ::rptMsg(" - S-1-5-4 = Interactive"); - ::rptMsg(" - S-1-5-11 = Authenticated Users"); - ::rptMsg(" - Correlate the user SIDs to the output of the ProfileList plugin"); - ::rptMsg(""); - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -sub parseF { - my $f = shift; - my %f_value = (); - my @tv; -# last login date - @tv = unpack("VV",substr($f,8,8)); - $f_value{last_login_date} = ::getTime($tv[0],$tv[1]); -# password reset/acct creation - @tv = unpack("VV",substr($f,24,8)); - $f_value{pwd_reset_date} = ::getTime($tv[0],$tv[1]); -# Account expires - @tv = unpack("VV",substr($f,32,8)); - $f_value{acct_exp_date} = ::getTime($tv[0],$tv[1]); -# Incorrect password - @tv = unpack("VV",substr($f,40,8)); - $f_value{pwd_fail_date} = ::getTime($tv[0],$tv[1]); - $f_value{rid} = unpack("V",substr($f,48,4)); - $f_value{acb_flags} = unpack("v",substr($f,56,2)); - $f_value{failed_count} = unpack("v",substr($f,64,2)); - $f_value{login_count} = unpack("v",substr($f,66,2)); - return %f_value; -} - -sub parseV { - my $v = shift; - my %v_val = (); - my $header = substr($v,0,44); - my @vals = unpack("V*",$header); - $v_val{type} = $types{$vals[1]}; - $v_val{name} = _uniToAscii(substr($v,($vals[3] + 0xCC),$vals[4])); - $v_val{fullname} = _uniToAscii(substr($v,($vals[6] + 0xCC),$vals[7])) if 
($vals[7] > 0); - $v_val{comment} = _uniToAscii(substr($v,($vals[9] + 0xCC),$vals[10])) if ($vals[10] > 0); - return %v_val; -} - -sub parseC { - my $cv = $_[0]; - my %c_val = (); - my $header = substr($cv,0,0x34); - my @vals = unpack("V*",$header); - - $c_val{group_name} = _uniToAscii(substr($cv,(0x34 + $vals[4]),$vals[5])); - $c_val{comment} = _uniToAscii(substr($cv,(0x34 + $vals[7]),$vals[8])); - $c_val{num_users} = $vals[12]; - - return %c_val; -} - -sub parseCUsers { - my $cv = $_[0]; - my %members = (); - my $header = substr($cv,0,0x34); - my @vals = unpack("V*",$header); - - my $num = $vals[12]; - - my @users = (); - my $ofs; - if ($num > 0) { - my $count = 0; - foreach my $c (1..$num) { - my $ofs = $vals[10] + 52 + $count; - my $tmp = unpack("V",substr($cv,$ofs,4)); - - if ($tmp == 0x101) { - $ofs++ if (unpack("C",substr($cv,$ofs,1)) == 0); - $members{_translateSID(substr($cv,$ofs,12))} = 1; - $count += 12; - } - elsif ($tmp == 0x501) { - $members{_translateSID(substr($cv,$ofs,28))} = 1; - $count += 28; - } - else { - - } - } - } - return %members; -} - -#--------------------------------------------------------------------- -# _translateSID() -# Translate binary data into a SID -# References: -# http://blogs.msdn.com/oldnewthing/archive/2004/03/15/89753.aspx -# http://support.microsoft.com/kb/286182/ -# http://support.microsoft.com/kb/243330 -#--------------------------------------------------------------------- -sub _translateSID { - my $sid = $_[0]; - my $len = length($sid); - my $revision; - my $dashes; - my $idauth; - if ($len < 12) { -# Is a SID ever less than 12 bytes? 
- return "SID less than 12 bytes"; - } - elsif ($len == 12) { - $revision = unpack("C",substr($sid,0,1)); - $dashes = unpack("C",substr($sid,1,1)); - $idauth = unpack("H*",substr($sid,2,6)); - $idauth =~ s/^0+//g; - my $sub = unpack("V",substr($sid,8,4)); - return "S-".$revision."-".$idauth."-".$sub; - } - elsif ($len > 12) { - $revision = unpack("C",substr($sid,0,1)); - $dashes = unpack("C",substr($sid,1,1)); - $idauth = unpack("H*",substr($sid,2,6)); - $idauth =~ s/^0+//g; - my @sub = unpack("V4",substr($sid,8,16)); - my $rid = unpack("V",substr($sid,24,4)); - my $s = join('-',@sub); - return "S-".$revision."-".$idauth."-".$s."-".$rid; - } - else { -# Nothing to do - } -} - -#--------------------------------------------------------------------- -# _uniToAscii() -#--------------------------------------------------------------------- -sub _uniToAscii { - my $str = $_[0]; - $str =~ s/\00//g; - return $str; -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/schedagent.pl b/RecentActivity/release/rr/plugins/schedagent.pl deleted file mode 100644 index a3f0d4012f..0000000000 --- a/RecentActivity/release/rr/plugins/schedagent.pl +++ /dev/null 
@@ -1,87 +0,0 @@ -#----------------------------------------------------------- -# schedagent -# Get contents of SchedulingAgent key from Software hive -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package schedagent; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20100817); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get SchedulingAgent key contents"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching schedagent v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\SchedulingAgent"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my ($oldname,$logpath,$folder,$lastrun,$size); - eval { - $oldname = $key->get_value("OldName")->get_data(); - ::rptMsg("OldName = ".$oldname); - }; - - eval { - $logpath = $key->get_value("LogPath")->get_data(); - ::rptMsg("LogPath = ".$logpath); - }; - - eval { - $size = $key->get_value("MaxLogSizeKB")->get_data(); - ::rptMsg("MaxLogSizeKB = ".$size); - }; - - eval { - $folder = $key->get_value("TasksFolder")->get_data(); - ::rptMsg("TasksFolder = ".$folder); - }; -# - eval { - $lastrun = $key->get_value("LastTaskRun")->get_data(); - ::rptMsg("LastTaskRun = ".parseSystemTime($lastrun)); - ::rptMsg(""); - ::rptMsg("Note: LastTaskRun time is written in local system time, not GMT"); - }; - - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub parseSystemTime { - my ($yr,$mon,$dow,$day,$hr,$min,$sec,$mil) = unpack("v8",$_[0]); - $mon = "0".$mon unless ($mon =~ /^\d\d$/); - $day = "0".$day unless ($day =~ /^\d\d$/); - $hr = "0".$hr unless ($hr =~ /^\d\d$/); - $min = "0".$min unless ($min =~ /^\d\d$/); - $sec = "0".$sec unless ($sec =~ /^\d\d$/); - return "$yr-$mon-$day $hr:$min:$sec"; -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/secctr.pl b/RecentActivity/release/rr/plugins/secctr.pl deleted file mode 100644 index 19e53f71bb..0000000000 --- a/RecentActivity/release/rr/plugins/secctr.pl +++ /dev/null 
@@ -1,67 +0,0 @@ -#----------------------------------------------------------- -# secctr -# Plugin to get data from Security Center keys -# -# Change History: -# 20100310 - created -# -# References: -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package secctr; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100310); - -sub getConfig{return %config} -sub getShortDescr { - return "Get data from Security Center key"; -} -sub getDescr{} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my $infected = 0; - ::logMsg("Launching secctr v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = 'Microsoft\Security Center'; - my $key; - ::rptMsg("secctr"); - ::rptMsg(""); - - if ($key = $root_key->get_subkey($key_path)) { - $infected++; - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $str = sprintf "%-25s 0x%02x",$v->get_name(),$v->get_data(); - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::rptMsg(""); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/security b/RecentActivity/release/rr/plugins/security deleted file mode 100644 index 233d63ca80..0000000000 --- a/RecentActivity/release/rr/plugins/security +++ /dev/null @@ -1,4 +0,0 @@ -#------------------------------------- -# Security -polacdms -auditpol \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/services.pl b/RecentActivity/release/rr/plugins/services.pl deleted file mode 100644 index a22e24f8fa..0000000000 --- a/RecentActivity/release/rr/plugins/services.pl +++ /dev/null 
@@ -1,150 +0,0 @@ -#----------------------------------------------------------- -# services.pl -# Plugin for Registry Ripper; Access System hive file to get the -# services -# -# Change history -# 20080507 - Added collection of Type and Start values; separated -# data by Services vs. Drivers; created separate plugin -# for Drivers -# 20080505 - Added collection of ImagePath and DisplayName, if avail. -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package services; -#use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080507); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists services/drivers in Services key by LastWrite times"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -# Reference for types and start types: -# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx -my %types = (0x001 => "Kernel driver", - 0x002 => "File system driver", - 0x010 => "Own_Process", - 0x020 => "Share_Process", - 0x100 => "Interactive"); - -my %starts = (0x00 => "Boot Start", - 0x01 => "System Start", - 0x02 => "Auto Start", - 0x03 => "Manual", - 0x04 => "Disabled"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching services v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $s_path = $ccs."\\Services"; - my $svc; - my %svcs; - if ($svc = $root_key->get_subkey($s_path)) { - 
::rptMsg($s_path); - ::rptMsg(getShortDescr()); - ::rptMsg(""); -# Get all subkeys and sort based on LastWrite times - my @subkeys = $svc->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - - my $type; - eval { - $type = $s->get_value("Type")->get_data(); -# Only look for services; drivers handled in another plugin - if (exists $types{$type}) { - $type = $types{$type}; - } - else { - $type = sprintf "0x%x",$t; - } - }; - - $name = $s->get_name(); - my $display; - eval { - $display = $s->get_value("DisplayName")->get_data(); - }; - - my $image; - eval { - $image = $s->get_value("ImagePath")->get_data(); - }; - - my $start; - eval { - $start = $s->get_value("Start")->get_data(); - if (exists $starts{$start}) { - $start = $starts{$start}; - } - }; - - my $group; - eval { - $group = $s->get_value("Group")->get_data(); - }; - - my $str = $name.";".$display.";".$image.";".$type.";".$start.";".$group; - push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); - } - - foreach my $t (reverse sort {$a <=> $b} keys %svcs) { - ::rptMsg(gmtime($t)."Z"); - foreach my $item (@{$svcs{$t}}) { - my ($n,$d,$i,$t,$s,$g) = split(/;/,$item,6); - ::rptMsg(" Name = ".$n); - ::rptMsg(" Display = ".$d); - ::rptMsg(" ImagePath = ".$i); - ::rptMsg(" Type = ".$t); - ::rptMsg(" Start = ".$s); - ::rptMsg(" Group = ".$g); - ::rptMsg(""); - } - } - - } - else { - ::rptMsg($s_path." has no subkeys."); - ::logMsg("Error: ".$s_path." has no subkeys."); - } - } - else { - ::rptMsg($s_path." not found."); - ::logMsg($s_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/sevenzip.pl b/RecentActivity/release/rr/plugins/sevenzip.pl deleted file mode 100644 index cc90d31a16..0000000000 --- a/RecentActivity/release/rr/plugins/sevenzip.pl +++ /dev/null 
@@ -1,83 +0,0 @@ -#----------------------------------------------------------- -# sevenzip.pl -# Google Toolbar Search History plugin -# -# -# Change history -# 20100218 - created -# -# References -# -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package sevenzip; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets records of histories from 7-Zip keys"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching 7-zip v.".$VERSION); - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\7-Zip'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - - eval { - ::rptMsg(""); - my @arc = $key->get_subkey("Compression")->get_subkey("ArcHistory")->get_list_of_values(); - if (scalar @arc > 0) { - ::rptMsg("Compression\\ArcHistory"); - foreach my $a (@arc) { - ::rptMsg(" ".$a->get_name()." -> ".$a->get_data()); - } - } - }; - ::rptMsg("Error: ".$@) if ($@); - - eval { - ::rptMsg(""); - my @arc = $key->get_subkey("Extraction")->get_subkey("PathHistory")->get_list_of_values(); - if (scalar @arc > 0) { - ::rptMsg("Extraction\\PathHistory"); - foreach my $a (@arc) { - ::rptMsg(" ".$a->get_name()." -> ".$a->get_data()); - } - } - }; - ::rptMsg("Error: ".$@) if ($@); - - - - - - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/sfc.pl b/RecentActivity/release/rr/plugins/sfc.pl deleted file mode 100644 index 16e829670f..0000000000 --- a/RecentActivity/release/rr/plugins/sfc.pl +++ /dev/null 
@@ -1,107 +0,0 @@ -#----------------------------------------------------------- -# sfc.pl -# Check SFC settings in the Registry -# -# History -# 20100305 - updated -# -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package sfc; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100305); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get SFC values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching sfc v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("sfc v.".$VERSION); - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - next unless ($name =~ m/^sfc/i); - my $str; - if ($name =~ m/^sfcquota$/i || $name =~ m/^sfcdisable$/i) { - $str = sprintf " %-20s 0x%08x",$name,$v->get_data(); - } - else { - $str = sprintf " %-20s %-20s",$name,$v->get_data(); - } - ::rptMsg($str); - } - - } - else { - ::rptMsg($key_path." key has no values."); - } - } - else { - ::rptMsg($key_path." key not found."); - ::logMsg($key_path." 
key not found."); - } - ::rptMsg(""); -# According to http://support.microsoft.com/kb/222193, sfc* values in this key, if -# it exists, take precedence over and are copied into the values within the Winlogon -# key; see also http://support.microsoft.com/kb/222473/ - my $key_path = "Policies\\Microsoft\\Windows NT\\Windows File Protection"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - next unless ($name =~ m/^sfc/i); - my $str; - if ($name =~ m/^sfcquota$/i || $name =~ m/^sfcdisable$/i) { - $str = sprintf " %-20s 0x%08x",$name,$v->get_data(); - } - else { - $str = sprintf " %-20s %-20s",$name,$v->get_data(); - } - ::rptMsg($str); - } - - } - else { - ::rptMsg($key_path." key has no values."); - } - } - else { - ::rptMsg($key_path." key not found."); -# ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/shares.pl b/RecentActivity/release/rr/plugins/shares.pl deleted file mode 100644 index e36f4737cb..0000000000 --- a/RecentActivity/release/rr/plugins/shares.pl +++ /dev/null 
@@ -1,128 +0,0 @@
-#-----------------------------------------------------------
-# shares.pl
-#
-# Retrieve information about shares from a System hive file
-#
-# References:
-# http://support.microsoft.com/kb/556023
-# For info about share types, see the Win32_Share WMI class:
-# http://msdn.microsoft.com/en-us/library/aa394435(VS.85).aspx
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package shares;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090112);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get list of shares from System hive file";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-my $root_key;
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching shares v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- $root_key = $reg->get_root_key;
-
-# Code for System file, getting CurrentControlSet
- my $current;
- my $ccs;
- eval {
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- $ccs = "ControlSet00".$current;
- }
- };
- if ($@) {
- ::rptMsg("Problem locating proper controlset: $@");
- return;
- }
-# First, connect to the Services key; some versions of Windows appear to
-# spell the lanmanserver key as "lanmanserver" and others as "LanmanServer"
- my $key_path = $ccs."\\Services";
- my $key;
- my $tag = "lanmanserver";
- my $lanman = getKeyPath($key_path,$tag);
- if ($lanman ne "") {
- my $share_path = $key_path."\\".$lanman."\\Shares";
- my $share;
- if ($share = $root_key->get_subkey($share_path)) {
- my @vals = $share->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- ::rptMsg(" ".$v->get_name());
- my @data = $v->get_data();
-
::rptMsg(" ".$data[2]);
- ::rptMsg(" ".$data[4]);
- ::rptMsg(" ".$data[5]);
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($share_path." has no values.");
- }
- }
- else {
- ::rptMsg($share_path." not found.");
- }
- }
- else {
- ::rptMsg($lanman." subkey not found.");
- }
-
-# Determine of the AutoShareServer/Wks values have been set
- my $path = $key_path."\\".$lanman;
- my $tag = "parameters";
- my $para = getKeyPath($path,$tag);
- eval {
- if ($key = $root_key->get_subkey($path."\\".$para)) {
- my $auto_svr = $key->get_value("AutoShareServer")->get_data();
- ::rptMsg(" AutoShareServer = ".$auto_svr);
- }
- };
-
- eval {
- if ($key = $root_key->get_subkey($path."\\".$para)) {
- my $auto_wks = $key->get_value("AutoShareWks")->get_data();
- ::rptMsg(" AutoShareWks = ".$auto_wks);
- }
- };
-}
-
-# On different versions of Windows, subkeys such as lanmanserver
-# and parameters are spelled differently; use this subroutine to get
-# the correct spelling of the name of the subkey
-# http://support.microsoft.com/kb/288164
-sub getKeyPath {
- my $path = $_[0];
- my $tag = $_[1];
- my $subkey;
- if (my $key = $root_key->get_subkey($path)) {
- my @sk = $key->get_list_of_subkeys();
- foreach my $s (@sk) {
- my $name = $s->get_name();
- $subkey = $name if ($name =~ m/^$tag/i);
- }
- }
- return $subkey;
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/shellexec.pl b/RecentActivity/release/rr/plugins/shellexec.pl
deleted file mode 100644
index 608bacac02..0000000000
--- a/RecentActivity/release/rr/plugins/shellexec.pl
+++ /dev/null
@@ -1,118 +0,0 @@
-#-----------------------------------------------------------
-# shellexec
-# Get ShellExecuteHooks values from Software hive (based on BHO
-# code)
-#
-# ShellExecuteHooks are DLLs that load as part of the Explorer.exe process,
-# and can intercept commands. There are some legitimate applications that
-# run as ShellExecuteHooks, but many times, malware (spy-, ad-ware) will
-# install here. ShellExecuteHooks allow you to type a URL into the Start->Run
-# box and have that URL opened in your browser. For example, in 2001, Michael
-# Dunn wrote KBLaunch, a ShellExecuteHook that looked for "?q" in the Run box
-# and would open the appropriate MS KB article.
-#
-# Refs:
-# http://support.microsoft.com/kb/914922
-# http://support.microsoft.com/kb/170918
-# http://support.microsoft.com/kb/943460
-#
-# History:
-# 20081229 - initial creation
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package shellexec;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20081229);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets ShellExecuteHooks from Software hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- my %bhos;
- ::logMsg("Launching shellexec v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks";;
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())."
(UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar (@vals) > 0) {
- foreach my $s (@vals) {
- my $name = $s->get_name();
- next if ($name =~ m/^-/ || $name eq "");
- my $clsid_path = "Classes\\CLSID\\".$name;
- my $clsid;
- if ($clsid = $root_key->get_subkey($clsid_path)) {
- my $class;
- my $mod;
- my $lastwrite;
-
- eval {
- $class = $clsid->get_value("")->get_data();
- $bhos{$name}{class} = $class;
- };
- if ($@) {
- ::logMsg("\tError getting Class name for CLSID\\".$name);
- ::logMsg("\t".$@);
- }
- eval {
- $mod = $clsid->get_subkey("InProcServer32")->get_value("")->get_data();
- $bhos{$name}{module} = $mod;
- };
- if ($@) {
- ::logMsg("\tError getting Module name for CLSID\\".$name);
- ::logMsg("\t".$@);
- }
- eval{
- $lastwrite = $clsid->get_subkey("InProcServer32")->get_timestamp();
- $bhos{$name}{lastwrite} = $lastwrite;
- };
- if ($@) {
- ::logMsg("\tError getting LastWrite time for CLSID\\".$name);
- ::logMsg("\t".$@);
- }
-
- foreach my $b (keys %bhos) {
- ::rptMsg($b);
- ::rptMsg("\tClass => ".$bhos{$b}{class});
- ::rptMsg("\tModule => ".$bhos{$b}{module});
- ::rptMsg("\tLastWrite => ".gmtime($bhos{$b}{lastwrite}));
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($clsid_path." not found.");
- ::rptMsg("");
- ::logMsg($clsid_path." not found.");
- }
- }
- }
- else {
- ::rptMsg($key_path." has no values. No ShellExecuteHooks installed.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/shellext.pl b/RecentActivity/release/rr/plugins/shellext.pl
deleted file mode 100644
index 8f9994d9d4..0000000000
--- a/RecentActivity/release/rr/plugins/shellext.pl
+++ /dev/null
@@ -1,96 +0,0 @@
-#-----------------------------------------------------------
-# shellext
-# Plugin to get approved shell extensions list from the
-# Software hive
-#
-# This plugin retrieves the list of approved shell extensions from
-# the Software hive; specifically, the "Shell Extensions\Approved"
-# key. Once it has the names (GUID) and data (string) of each value,
-# it then goes to the Classes\CLSID\{GUID} key to get the name of/path to
-# the associated DLL, if available. It also gets the LastWrite time of the
-# Classes\CLSID\{GUID} key.
-#
-# Analysis of an incident showed that the intruder placed their malware in
-# the C:\Windows dir, using the same name as a known valid shell extension.
-# When Explorer.exe launches, it reads the list of approved shell extensions,
-# then goes to the Classes\CLSID key to get the path to the associated DLL. The
-# intruder chose a shell extension that did not have an explicit path, so when
-# explorer.exe looked for it, it started in the C:\Windows dir, and never got to
-# the legit DLL in the C:\Windows\system32 dir.
-#
-# References:
-# http://msdn.microsoft.com/en-us/library/ms682586%28VS.85%29.aspx
-#
-#
-# Note: This plugin can take several minutes to run
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package shellext;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100515);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets Shell Extensions from Software hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- my %bhos;
- ::logMsg("Launching shellext v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved";;
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my %exts;
-
- my @vals = $key->get_list_of_values();
- if (scalar (@vals) > 0) {
- foreach my $v (@vals) {
- my $name = $v->get_name();
- $exts{$name}{name} = $v->get_data();
-
- my $clsid_path = "Classes\\CLSID\\".$name;
- my $clsid;
- if ($clsid = $root_key->get_subkey($clsid_path)) {
- eval {
- $exts{$v->get_name()}{lastwrite} = $clsid->get_timestamp();
- $exts{$v->get_name()}{dll} = $clsid->get_subkey("InProcServer32")->get_value("")->get_data();
- };
- }
- }
- foreach my $e (keys %exts) {
- ::rptMsg($e." ".$exts{$e}{name});
- ::rptMsg(" DLL: ".$exts{$e}{dll});
- ::rptMsg(" Timestamp: ".gmtime($exts{$e}{lastwrite})." Z");
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/shellfolders.pl b/RecentActivity/release/rr/plugins/shellfolders.pl
deleted file mode 100644
index 42eb461f40..0000000000
--- a/RecentActivity/release/rr/plugins/shellfolders.pl
+++ /dev/null
@@ -1,71 +0,0 @@
-#-----------------------------------------------------------
-# shellfolders.pl
-#
-# Retrieve the Shell Folders values from user's hive; while
-# this may not be important in every instance, it may give the
-# examiner indications as to where to look for certain items;
-# for example, if the user's "My Documents" folder has been redirected
-# as part of configuration changes (corporate policies, etc.). Also,
-# this may be important as part of data leakage exams, as XP and Vista
-# allow users to drop and drag files to the CD Burner.
-#
-# References:
-# http://support.microsoft.com/kb/279157
-# http://support.microsoft.com/kb/326982
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package shellfolders;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090115);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Retrieve user Shell Folders values";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching shellfolders v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my @vals = $key->get_list_of_values();
-
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $str = sprintf "%-20s %-40s",$v->get_name(),$v->get_data();
- ::rptMsg($str);
- }
- ::rptMsg("");
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path."
not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/shelloverlay.pl b/RecentActivity/release/rr/plugins/shelloverlay.pl
deleted file mode 100644
index 67c46b858f..0000000000
--- a/RecentActivity/release/rr/plugins/shelloverlay.pl
+++ /dev/null
@@ -1,86 +0,0 @@
-#-----------------------------------------------------------
-# shelloverlay
-# Get contents of ShellIconOverlayIdentifiers subkeys; sorts data
-# based on LastWrite times of subkeys
-#
-# History
-# 20100308 - created
-#
-# References
-# http://msdn.microsoft.com/en-us/library/cc144123%28VS.85%29.aspx
-# Coreflood - http://vil.nai.com/vil/content/v_102053.htm
-# http://www.secureworks.com/research/threats/coreflood/?threat=coreflood
-#
-# Analysis Tip: Malware such as Coreflood uses a random subkey name and a
-# random CLSID GUID value
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package shelloverlay;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100308);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets ShellIconOverlayIdentifiers values";
-}
-sub getDescr{}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching shelloverlay v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my %id;
-
- my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("shelloverlay");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar @subkeys > 0) {
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
- my $def;
- eval {
- $def = $s->get_value("")->get_data();
- $name .= " ".$def;
- };
- push(@{$id{$s->get_timestamp()}},$name);
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %id) {
- ::rptMsg(gmtime($t)."
Z");
- foreach my $item (@{$id{$t}}) {
- ::rptMsg(" ".$item);
- }
- ::rptMsg("");
- }
-
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/shutdown.pl b/RecentActivity/release/rr/plugins/shutdown.pl
deleted file mode 100644
index a63914d5c0..0000000000
--- a/RecentActivity/release/rr/plugins/shutdown.pl
+++ /dev/null
@@ -1,76 +0,0 @@
-#-----------------------------------------------------------
-# shutdown.pl
-# Plugin for Registry Ripper; Access System hive file to get the
-# contents of the ShutdownTime value
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package shutdown;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets ShutdownTime value from System hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching shutdown v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
- my $win_path = $ccs."\\Control\\Windows";
- my $win;
- if ($win = $root_key->get_subkey($win_path)) {
- ::rptMsg($win_path." key, ShutdownTime value");
- ::rptMsg($win_path);
- ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)");
- my $sd;
- if ($sd = $win->get_value("ShutdownTime")->get_data()) {
- my @vals = unpack("VV",$sd);
- my $shutdown = ::getTime($vals[0],$vals[1]);
- ::rptMsg(" ShutdownTime = ".gmtime($shutdown)." (UTC)");
-
- }
- else {
- ::rptMsg("ShutdownTime value not found.");
- }
- }
- else {
- ::rptMsg($win_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/shutdowncount.pl b/RecentActivity/release/rr/plugins/shutdowncount.pl
deleted file mode 100644
index 73d649117d..0000000000
--- a/RecentActivity/release/rr/plugins/shutdowncount.pl
+++ /dev/null
@@ -1,81 +0,0 @@
-#-----------------------------------------------------------
-# shutdowncount.pl
-#
-# *Value info first seen at:
-# http://forensicsfromthesausagefactory.blogspot.com/2008/06/install-dates-and-shutdown-times-found.html
-# thanks to DC1743@gmail.com
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package shutdowncount;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20080709);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Retrieves ShutDownCount value";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching shutdowncount v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
-# Code for System file, getting CurrentControlSet
- my $current;
- my $ccs;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- $ccs = "ControlSet00".$current;
- }
- else {
- ::logMsg("Could not find ".$key_path);
- return
- }
-
- my $key_path = $ccs."\\Control\\Watchdog\\Display";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("ShutdownCount");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my $count = 0;
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- if ($v->get_name() eq "ShutdownCount") {
- $count = 1;
- ::rptMsg("ShutdownCount = ".$v->get_data());
- }
- }
- ::rptMsg("ShutdownCount value not found.") if ($count == 0);
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path."
not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/skype.pl b/RecentActivity/release/rr/plugins/skype.pl
deleted file mode 100644
index 3c83bc65f1..0000000000
--- a/RecentActivity/release/rr/plugins/skype.pl
+++ /dev/null
@@ -1,60 +0,0 @@
-#-----------------------------------------------------------
-# skype.pl
-#
-#
-# History
-# 20100713 - created
-#
-# References
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package skype;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100713);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets data user's Skype key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching acmru v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Skype';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my $install;
- eval {
- $install = $key->get_subkey("Installer")->get_value("DonwloadLastModified")->get_data();
- ::rptMsg("DonwloadLastModified = ".$install);
- };
- ::rptMsg("DonwloadLastModified value not found: ".$@) if ($@);
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/snapshot.pl b/RecentActivity/release/rr/plugins/snapshot.pl
deleted file mode 100644
index 29bf42b93b..0000000000
--- a/RecentActivity/release/rr/plugins/snapshot.pl
+++ /dev/null
@@ -1,96 +0,0 @@
-#-----------------------------------------------------------
-# snapshot.pl
-# Plugin to check the ActiveX component for the MS Access Snapshot
-# Viewer kill bit
-#
-# Ref: US-CERT Vuln Note #837785, http://www.kb.cert.org/vuls/id/837785
-#
-# Note: Look for each GUID key, and check for the Compatibility Flags value;
-# if the value is 0x400, the kill bit is set; a vulnerable system is
-# indicated by having IE version 6.x, and the kill bits NOT set (IE 7
-# requires user interaction to download the ActiveX component
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package snapshot;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 1,
- version => 20080725);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Check ActiveX comp kill bit; Access Snapshot";
-}
-sub getDescr{}
-sub getRefs {"US-CERT Vuln Note 837785" => "http://www.kb.cert.org/vuls/id/837785"}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-my @guids = ("{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}",
- "{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}",
- "{F2175210-368C-11D0-AD81-00A0C90DC8D9}");
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching snapshot v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Internet Explorer";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("ActiveX Snapshot Vuln");
- ::rptMsg($key_path);
- ::rptMsg("");
- my $ver;
- eval {
- $ver = $key->get_value("Version")->get_data();
- };
- if ($@) {
- ::rptMsg("IE Version not found.");
- }
- else {
- ::rptMsg("IE Version = ".$ver)
- }
-
- ::rptMsg("");
- foreach my $guid (@guids) {
- my $g;
- eval {
- $g = $key->get_subkey("ActiveX Compatibility\\".$guid);
- };
- if ($@) {
-
::rptMsg("$guid not found.");
- }
- else {
- ::rptMsg("GUID: $guid");
- my $flag;
- eval {
- $flag = $g->get_value("Compatibility Flags")->get_data();
- };
- if ($@) {
- ::rptMsg("Compatibility Flags value not found.");
- }
- else {
- my $str = sprintf "Compatibility Flags 0x%x",$flag;
- ::rptMsg($str);
- }
- }
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/soft_run.pl b/RecentActivity/release/rr/plugins/soft_run.pl
deleted file mode 100644
index 1c5e7a6d52..0000000000
--- a/RecentActivity/release/rr/plugins/soft_run.pl
+++ /dev/null
@@ -1,97 +0,0 @@
-#-----------------------------------------------------------
-# soft_run
-# Get contents of Run key from Software hive
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package soft_run;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 1,
- version => 20080328);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Autostart - get Run key contents from Software hive";
-}
-sub getDescr{}
-sub getRefs {
- my %refs = ("Definition of the Run keys in the WinXP Registry" =>
- "http://support.microsoft.com/kb/314866");
- return %refs;
-}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching soft_run v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Windows\\CurrentVersion\\Run";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my %vals = getKeyValues($key);
- if (scalar(keys %vals) > 0) {
- foreach my $v (keys %vals) {
- ::rptMsg("\t".$v." -> ".$vals{$v});
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
-
- my @sk = $key->get_list_of_subkeys();
- if (scalar(@sk) > 0) {
- foreach my $s (@sk) {
- ::rptMsg("");
- ::rptMsg($key_path."\\".$s->get_name());
- ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
- my %vals = getKeyValues($s);
- foreach my $v (keys %vals) {
- ::rptMsg("\t".$v." -> ".$vals{$v});
- }
- }
- }
- else {
- ::rptMsg("");
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path."
not found.");
- }
-
-}
-
-sub getKeyValues {
- my $key = shift;
- my %vals;
-
- my @vk = $key->get_list_of_values();
- if (scalar(@vk) > 0) {
- foreach my $v (@vk) {
- next if ($v->get_name() eq "" && $v->get_data() eq "");
- $vals{$v->get_name()} = $v->get_data();
- }
- }
- else {
-
- }
- return %vals;
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/software b/RecentActivity/release/rr/plugins/software
deleted file mode 100644
index 144bfaf466..0000000000
--- a/RecentActivity/release/rr/plugins/software
+++ /dev/null
@@ -1,36 +0,0 @@
-#-------------------------------------
-# Software
-winver
-win_cv
-winnt_cv
-defbrowser
-ie_version
-banner
-bitbucket
-macaddr
-cmd_shell
-soft_run
-networkcards
-ssid
-appinitdlls
-bho
-shellexec
-imagefile
-port_dev
-userinit
-winlogon
-profilelist
-specaccts
-mrt
-svchost
-snapshot
-sfc
-uninstall
-installedcomp
-shelloverlay
-msis
-shellexec
-apppaths
-drwatson
-schedagent
-kb950582
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/specaccts.pl b/RecentActivity/release/rr/plugins/specaccts.pl
deleted file mode 100644
index 4933d865fa..0000000000
--- a/RecentActivity/release/rr/plugins/specaccts.pl
+++ /dev/null
@@ -1,68 +0,0 @@
-#-----------------------------------------------------------
-# specaccts.pl
-# Gets contents of SpecialAccounts\UserList key
-#
-# History
-# 20100223 - created
-#
-# References
-# http://www.microsoft.com/security/portal/Threat/Encyclopedia/
-# Entry.aspx?Name=Trojan%3AWin32%2FStarter
-#
-# http://www.microsoft.com/Security/portal/Threat/Encyclopedia/
-# Entry.aspx?Name=TrojanSpy%3AWin32%2FUrsnif.gen!H&ThreatID=-2147343835
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package specaccts;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20100223);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Gets contents of SpecialAccounts\\UserList key";
-}
-sub getDescr{}
-
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching specaccts v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my %apps;
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- ::rptMsg(sprintf "%-20s 0x%x",$v->get_name(),$v->get_data());
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/sql_lastconnect.pl b/RecentActivity/release/rr/plugins/sql_lastconnect.pl
deleted file mode 100644
index fb21951a75..0000000000
--- a/RecentActivity/release/rr/plugins/sql_lastconnect.pl
+++ /dev/null
@@ -1,66 +0,0 @@
-#-----------------------------------------------------------
-# sql_lastconnect.pl
-#
-# Per MS, Microsoft Data Access Components (MDAC) clients can attempt
-# to use multiple protocols based on a protocol ordering, which is
-# listed in the SuperSocketNetLib\ProtocolOrder value. Successful
-# connection attempts (for SQL Server 2000) are cached in the LastConnect
-# key.
-#
-# References:
-# http://support.microsoft.com/kb/273673/
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package sql_lastconnect;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090112);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "MDAC cache of successful connections";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching sql_lastconnect v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\MSSQLServer\\Client\\SuperSocketNetLib\\LastConnect";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("MDAC Cache of successful connections");
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $str = sprintf "%-15s %-25s",$v->get_name(),$v->get_data();
- ::rptMsg($str);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/ssid.pl b/RecentActivity/release/rr/plugins/ssid.pl
deleted file mode 100644
index 1e7714ae56..0000000000
--- a/RecentActivity/release/rr/plugins/ssid.pl
+++ /dev/null
@@ -1,183 +0,0 @@ -#----------------------------------------------------------- -# ssid -# Gets SSID and other info from WZCSVC key -# -# -# Change History: -# 20100301 - Updated References; removed dwCtlFlags being -# printed; minor adjustments to formatting -# 20091102 - added code to parse EAPOL values for SSIDs -# 20090807 - updated code in accordance with WZC_WLAN_CONFIG -# structure -# -# References -# http://msdn.microsoft.com/en-us/library/aa448338.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package ssid; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100301); - -sub getConfig{return %config} -sub getShortDescr { - return "Get WZCSVC SSID Info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $error; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ssid v.".$VERSION); -# Get the NetworkCards values - my %nc; - if (%nc = getNetworkCards($hive)) { - - } - else { - ::logMsg("Problem w/ SSIDs, getting NetworkCards: ".$error); - return; - } - - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\WZCSVC\\Parameters\\Interfaces"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("SSID"); - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - if (exists($nc{$name})) { - ::rptMsg("NIC: ".$nc{$name}{descr}); - ::rptMsg("Key LastWrite: ".gmtime($s->get_timestamp())." 
UTC"); - ::rptMsg(""); - my @vals = $s->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $n = $v->get_name(); - if ($n =~ m/^Static#/) { - my $data = $v->get_data(); -# my $w = unpack("V",substr($data,0x04,0x04)); -# printf "dwCtlFlags = 0x%x\n",$w; - - my $l = unpack("V",substr($data, 0x10, 0x04)); - my $ssid = substr($data,0x14,$l); - - my $tm = uc(unpack("H*",substr($data,0x08,0x06))); - my @t = split(//,$tm); - my $mac = $t[0].$t[1]."-".$t[2].$t[3]."-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; - - my ($t1,$t2) = unpack("VV",substr($data,0x2B8,8)); - my $t = ::getTime($t1,$t2); - my $str = sprintf gmtime($t)." MAC: %-18s %-8s",$mac,$ssid; - ::rptMsg($str); - } - } - } - else { - ::rptMsg($name." has no values."); - } - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } - -# Now, go to the EAPOL key, locate the appropriate subkeys and parse out -# any available SSIDs -# EAPOL is Extensible Authentication Protocol over LAN - my $key_path = "Microsoft\\EAPOL\\Parameters\\Interfaces"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - if (exists $nc{$name}) { - ::rptMsg("NIC: ".$nc{$name}{descr}); - } - else { - ::rptMsg("NIC: ".$name); - } - ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())." UTC"); - - my @vals = $s->get_list_of_values(); - my %eapol; - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - $eapol{$v->get_name()} = parseEAPOLData($v->get_data()); - } - foreach my $i (sort {$a <=> $b} keys %eapol) { - my $str = sprintf "%-3d %s",$i,$eapol{$i}; - ::rptMsg($str); - } - } - ::rptMsg(""); - } - } - else { - ::rtpMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub getNetworkCards { - my $hive = shift; - my %nc; - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $service = $s->get_value("ServiceName")->get_data(); - $nc{$service}{descr} = $s->get_value("Description")->get_data(); - $nc{$service}{lastwrite} = $s->get_timestamp(); - } - } - else { - $error = $key_path." has no subkeys."; - } - } - else { - $error = $key_path." not found."; - } - return %nc; -} - -sub parseEAPOLData { - my $data = shift; - my $size = unpack("V",substr($data,0x10,4)); - return substr($data,0x14,$size); -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/startpage.pl b/RecentActivity/release/rr/plugins/startpage.pl deleted file mode 100644 index 78dcc9e426..0000000000 --- a/RecentActivity/release/rr/plugins/startpage.pl +++ /dev/null 
@@ -1,77 +0,0 @@
-#-----------------------------------------------------------
-# startpage.pl
-# For Windows 7
-#
-# Change history
-# 20100330 - created
-#
-# References
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package startpage;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100330);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets contents of user's StartPage key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching startpage v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my $menu;
- my $balloon;
-
- eval {
- my $val = $key->get_value("StartMenu_Start_Time")->get_data();
- my ($t0,$t1) = unpack("VV",$val);
- $menu = ::getTime($t0,$t1);
- ::rptMsg("StartMenu_Start_Time = ".gmtime($menu)." Z");
- };
- ::rptMsg("Error: ".@$) if (@$);
-
- eval {
- my $val = $key->get_value("StartMenu_Balloon_Time")->get_data();
- my ($t0,$t1) = unpack("VV",$val);
- $balloon = ::getTime($t0,$t1);
- ::rptMsg("StartMenu_Balloon_Time = ".gmtime($balloon)." Z");
- };
- ::rptMsg("Error: ".@$) if (@$);
-
-
-
-
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/stillimage.pl b/RecentActivity/release/rr/plugins/stillimage.pl
deleted file mode 100644
index aaf23600e4..0000000000
--- a/RecentActivity/release/rr/plugins/stillimage.pl
+++ /dev/null
@@ -1,112 +0,0 @@
-#-----------------------------------------------------------
-# stillimage.pl
-# Parses contents of Enum\USB key for web cam
-#
-# History
-# 20100222 - created
-#
-# References
-# http://msdn.microsoft.com/en-us/library/ms791870.aspx
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package stillimage;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20100222);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get info on StillImage devices";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-my $reg;
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-::logMsg("Launching stillimage v.".$VERSION);
-# Code for System file, getting CurrentControlSet
- my $current;
- my $ccs;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- $ccs = "ControlSet00".$current;
- }
- else {
- ::rptMsg($key_path." not found.");
- return;
- }
-
- my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
-
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar @subkeys > 0) {
- ::rptMsg("");
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
- next unless ($name =~ m/\d\d/);
- ::rptMsg($name);
-
- eval {
- my $desc = $s->get_value("DriverDesc")->get_data();
- ::rptMsg(" ".$desc);
- };
-
- eval {
- my $desc = $s->get_value("MatchingDeviceID")->get_data();
- ::rptMsg(" ".$desc);
- };
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-
-# http://msdn.microsoft.com/en-us/library/ms791870.aspx
-# StillImage logging levels
- my $key_path = $ccs."\\Control\\StillImage\\Logging";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("");
- ::rptMsg("StillImage Logging Level");
- eval {
- my $level = $key->get_subkey("STICLI")->get_value("Level")->get_data();
- my $str = sprintf " STICLI Logging Level = 0x%x",$level;
- ::rptMsg($str);
- };
- ::rptMsg("STICLI Error: ".$@) if ($@);
-
- eval {
- my $level = $key->get_subkey("STIMON")->get_value("Level")->get_data();
- my $str = sprintf " STIMON Logging Level = 0x%x",$level;
- ::rptMsg($str);
- };
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/streammru.pl b/RecentActivity/release/rr/plugins/streammru.pl
deleted file mode 100644
index 0276cad084..0000000000
--- a/RecentActivity/release/rr/plugins/streammru.pl
+++ /dev/null
@@ -1,64 +0,0 @@
-#-----------------------------------------------------------
-# streammru.pl
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package streammru;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090205);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "streammru";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching streammru v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("");
- ::rptMsg($key_path);
- ::rptMsg("");
-
- my $data = $key->get_value("5")->get_data();
-
- my $drive = substr($data, 0x16,4);
- ::rptMsg("Drive = ".$drive);
- ::rptMsg("");
-
- my $size = substr($data, 0x2d, 1);
- ::rptMsg("Size of first object: ".unpack("c",$size)." bytes");
- ::rptMsg("");
-
-
-
-
-
-
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/streams.pl b/RecentActivity/release/rr/plugins/streams.pl
deleted file mode 100644
index e620c033df..0000000000
--- a/RecentActivity/release/rr/plugins/streams.pl
+++ /dev/null
@@ -1,63 +0,0 @@
-#-----------------------------------------------------------
-# streams.pl
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package streams;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20081124);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Parse Streams and StreamsMRU entries";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching streams v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("streamMRU");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $i (0..10) {
- my $data = $key->get_value($i)->get_data();
- open(FH,">",$i);
- binmode(FH);
- print FH $data;
- close(FH);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
-
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/svc.pl b/RecentActivity/release/rr/plugins/svc.pl
deleted file mode 100644
index 32332bf723..0000000000
--- a/RecentActivity/release/rr/plugins/svc.pl
+++ /dev/null
@@ -1,149 +0,0 @@
-#-----------------------------------------------------------
-# svc.pl
-# Plugin for Registry Ripper; Access System hive file to get the
-# services, display short format (hence "svc", shortened version
-# of service.pl plugin)
-#
-# Change history
-# 20080610 - created
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package svc;
-#use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080610);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Lists services/drivers in Services key by LastWrite times (short format)";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-# Reference for types and start types:
-# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx
-my %types = (0x001 => "Kernel driver",
- 0x002 => "File system driver",
- 0x010 => "Own_Process",
- 0x020 => "Share_Process",
- 0x100 => "Interactive");
-
-my %starts = (0x00 => "Boot Start",
- 0x01 => "System Start",
- 0x02 => "Auto Start",
- 0x03 => "Manual",
- 0x04 => "Disabled");
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching svc v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
- my $s_path = $ccs."\\Services";
- my $svc;
- my %svcs;
- if ($svc = $root_key->get_subkey($s_path)) {
- ::rptMsg($s_path);
- ::rptMsg(getShortDescr());
- ::rptMsg("");
-# Get all subkeys and sort based on LastWrite times
- my @subkeys = $svc->get_list_of_subkeys();
- if (scalar (@subkeys) > 0) {
- foreach my $s (@subkeys) {
-
- my $type;
- eval {
- $type = $s->get_value("Type")->get_data();
- };
-
- $name = $s->get_name();
- my $display;
- eval {
- $display = $s->get_value("DisplayName")->get_data();
- };
-
- my $image;
- eval {
- $image = $s->get_value("ImagePath")->get_data();
- };
-
- my $start;
- eval {
- $start = $s->get_value("Start")->get_data();
- if (exists $starts{$start}) {
- $start = $starts{$start};
- }
- };
-
- my $object;
- eval {
- $object = $s->get_value("ObjectName")->get_data();
- };
- next if ($type == 0x001 || $type == 0x002);
- my $str = $name.";".$display.";".$image.";".$type.";".$start.";".$object;
- push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq "");
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %svcs) {
- ::rptMsg(gmtime($t)."Z");
- foreach my $item (@{$svcs{$t}}) {
- my ($n,$d,$i,$t,$s,$o) = split(/;/,$item,6);
- my $str = " ".$n;
-
- if ($i eq "") {
- if ($d eq "") {
-
- }
- else {
- $str = $str." (".$d.")";
- }
- }
- else {
- $str = $str." (".$i.")";
- }
-
- $str = $str." [".$o."]" unless ($o eq "");
-
- ::rptMsg($str);
- }
- ::rptMsg("");
- }
-
- }
- else {
- ::rptMsg($s_path." has no subkeys.");
- ::logMsg("Error: ".$s_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($s_path." not found.");
- ::logMsg($s_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/svc2.pl b/RecentActivity/release/rr/plugins/svc2.pl
deleted file mode 100644
index 0a12370371..0000000000
--- a/RecentActivity/release/rr/plugins/svc2.pl
+++ /dev/null
@@ -1,148 +0,0 @@
-#-----------------------------------------------------------
-# svc2.pl
-# Plugin for Registry Ripper; Access System hive file to get the
-# services, display short format (hence "svc", shortened version
-# of service.pl plugin); outputs info in .csv format
-#
-# Change history
-# 20081129 - created
-#
-# Ref:
-# http://msdn.microsoft.com/en-us/library/aa394073(VS.85).aspx
-#
-# Analysis Tip: Several services keys have Parameters subkeys that point to
-# the ServiceDll value; During intrusions, a service key may be added to
-# the system's Registry; using this module, send the output to .csv format
-# and sort on column B to get the names to line up
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package svc2;
-#use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20081129);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Lists Services key contents by LastWrite times (CSV)";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-my %types = (0x001 => "Kernel driver",
- 0x002 => "File system driver",
- 0x004 => "Adapter",
- 0x010 => "Own_Process",
- 0x020 => "Share_Process",
- 0x100 => "Interactive");
-
-my %starts = (0x00 => "Boot Start",
- 0x01 => "System Start",
- 0x02 => "Auto Start",
- 0x03 => "Manual",
- 0x04 => "Disabled");
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
-# ::logMsg("Launching svc2 v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
- my $s_path = $ccs."\\Services";
- my $svc;
- my %svcs;
- if ($svc = $root_key->get_subkey($s_path)) {
-# ::rptMsg($s_path);
-# ::rptMsg(getShortDescr());
-# ::rptMsg("");
-# Get all subkeys and sort based on LastWrite times
- my @subkeys = $svc->get_list_of_subkeys();
- if (scalar (@subkeys) > 0) {
- foreach my $s (@subkeys) {
- $name = $s->get_name();
- my $display;
- eval {
- $display = $s->get_value("DisplayName")->get_data();
-# take commas out of the display name, replace w/ semi-colons
- $display =~ s/,/;/g;
- };
-
- my $type;
- eval {
- $type = $s->get_value("Type")->get_data();
- $type = $types{$type} if (exists $types{$type});
-
- };
-
- my $image;
- eval {
- $image = $s->get_value("ImagePath")->get_data();
- };
-
- my $start;
- eval {
- $start = $s->get_value("Start")->get_data();
- $start = $starts{$start} if (exists $starts{$start});
- };
-
- my $object;
- eval {
- $object = $s->get_value("ObjectName")->get_data();
- };
-
- my $str = $name."\|".$display."\|".$image."\|".$type."\|".$start."\|".$object;
- push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq "");
-# Get ServiceDll value if there is one
- eval {
- my $para = $s->get_subkey("Parameters");
- my $dll = $para->get_value("ServiceDll")->get_data();
- my $str = $name."\\Parameters\|\|".$dll."\|\|\|";
- push(@{$svcs{$para->get_timestamp()}},$str);
- };
-
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %svcs) {
-# ::rptMsg(gmtime($t)."Z");
- foreach my $item (@{$svcs{$t}}) {
- my ($n,$d,$i,$t2,$s,$o) = split(/\|/,$item,6);
-# ::rptMsg($t.",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o);
- ::rptMsg(gmtime($t)."Z".",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o);
- }
- }
- }
- else {
- ::rptMsg($s_path." has no subkeys.");
- ::logMsg("Error: ".$s_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($s_path." not found.");
- ::logMsg($s_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/svcdll.pl b/RecentActivity/release/rr/plugins/svcdll.pl
deleted file mode 100644
index 3cfbcd2f24..0000000000
--- a/RecentActivity/release/rr/plugins/svcdll.pl
+++ /dev/null
@@ -1,131 +0,0 @@
-#-----------------------------------------------------------
-# svcdll.pl
-#
-# Change history
-# 20091104 - created
-#
-# Ref:
-# http://msdn.microsoft.com/en-us/library/aa394073(VS.85).aspx
-#
-# Analysis Tip: Several services keys have Parameters subkeys that point to
-# the ServiceDll value; During intrusions, a service key may be added to
-# the system's Registry; this module provides a quick look, displaying the
-# Service names (in malware, sometimes random) and the ServiceDll value,
-# sorted based on the LastWrite time of the \Parameters subkey.
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package svcdll;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20091104);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Lists Services keys with ServiceDll values";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-#my %types = (0x001 => "Kernel driver",
-# 0x002 => "File system driver",
-# 0x004 => "Adapter",
-# 0x010 => "Own_Process",
-# 0x020 => "Share_Process",
-# 0x100 => "Interactive");
-
-#my %starts = (0x00 => "Boot Start",
-# 0x01 => "System Start",
-# 0x02 => "Auto Start",
-# 0x03 => "Manual",
-# 0x04 => "Disabled");
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching svcdll v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
- my $s_path = $ccs."\\Services";
- my $svc;
- my %svcs;
- if ($svc = $root_key->get_subkey($s_path)) {
-
-# Get all subkeys and sort based on LastWrite times
- my @subkeys = $svc->get_list_of_subkeys();
- if (scalar (@subkeys) > 0) {
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
-# my $display;
-# eval {
-# $display = $s->get_value("DisplayName")->get_data();
-# };
-
-# my $type;
-# eval {
-# $type = $s->get_value("Type")->get_data();
-# $type = $types{$type} if (exists $types{$type});
-# };
-
-# my $image;
-# eval {
-# $image = $s->get_value("ImagePath")->get_data();
-# };
-
-# my $start;
-# eval {
-# $start = $s->get_value("Start")->get_data();
-# $start = $starts{$start} if (exists $starts{$start});
-# };
-
- my $dll;
- eval {
- $dll = $s->get_subkey("Parameters")->get_value("ServiceDll")->get_data();
- my $str = $name." -> ".$dll;
- push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq "");
- };
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %svcs) {
- ::rptMsg(gmtime($t)."Z");
- foreach my $item (@{$svcs{$t}}) {
- ::rptMsg(" ".$item);
- }
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($s_path." has no subkeys.");
- ::logMsg("Error: ".$s_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($s_path." not found.");
- ::logMsg($s_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/svchost.pl b/RecentActivity/release/rr/plugins/svchost.pl
deleted file mode 100644
index 481d08ca46..0000000000
--- a/RecentActivity/release/rr/plugins/svchost.pl
+++ /dev/null
@@ -1,74 +0,0 @@
-#-----------------------------------------------------------
-# svchost
-# Plugin to get data from Security Center keys
-#
-# Change History:
-# 20100322 - created
-#
-# References:
-# http://support.microsoft.com/kb/314056
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package svchost;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100322);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get entries from SvcHost key";
-}
-sub getDescr{}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- my $infected = 0;
- ::logMsg("Launching secctr v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = 'Microsoft\Windows NT\CurrentVersion\SvcHost';
- my $key;
- ::rptMsg("svchost");
- ::rptMsg("");
-
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my @data = $v->get_data();
- my $d;
- if (scalar(@data) > 1) {
- $d = join(',',@data);
- }
- else {
- $d = $data[0];
- }
- my $str = sprintf "%-15s %-55s",$v->get_name(),$d;
- ::rptMsg($str);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::rptMsg("");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/system b/RecentActivity/release/rr/plugins/system
deleted file mode 100644
index 366c10fc62..0000000000
--- a/RecentActivity/release/rr/plugins/system
+++ /dev/null
@@ -1,36 +0,0 @@
-#-------------------------------------
-# System
-compname
-xpedition
-producttype
-dllsearch
-termserv
-rdpport
-shutdown
-shutdowncount
-nolmhash
-timezone
-disablelastaccess
-eventlog
-auditfail
-crashcontrol
-kbdcrash
-pagefile
-hibernate
-mountdev
-routes
-network
-nic_mst2
-nic
-nic2
-fw_config
-ide
-shares
-svc2
-svcdll
-imagedev
-legacy
-stillimage
-usbdevices
-usbstor
-devclass
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/taskman.pl b/RecentActivity/release/rr/plugins/taskman.pl
deleted file mode 100644
index 3a6b212a59..0000000000
--- a/RecentActivity/release/rr/plugins/taskman.pl
+++ /dev/null
@@ -1,61 +0,0 @@
-#-----------------------------------------------------------
-# taskman.pl
-# Get Taskman value from Winlogon
-#
-# References
-# http://www.geoffchappell.com/viewer.htm?doc=notes/windows/shell/explorer/
-# taskman.htm&tx=3,5-7,12;4&ts=0,19
-# http://technet.microsoft.com/en-us/library/cc957402.aspx
-#
-# Change History:
-# 20091116 - created
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package taskman;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20091116);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Gets Taskman from HKLM\\..\\Winlogon";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching taskman v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
- if (my $key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
-
- eval {
- ::rptMsg("");
- my $task = $key->get_value("Taskman")->get_data();
- ::rptMsg("Taskman value = ".$task);
- };
- if ($@) {
- ::rptMsg("Taskman value not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/termcert.pl b/RecentActivity/release/rr/plugins/termcert.pl
deleted file mode 100644
index 81e4b37505..0000000000
--- a/RecentActivity/release/rr/plugins/termcert.pl
+++ /dev/null
@@ -1,96 +0,0 @@
-#-----------------------------------------------------------
-# termcert.pl
-# Plugin for Registry Ripper;
-#
-# Change history
-# 20110316 - created
-#
-# copyright 2011 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package termcert;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20110316);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets Terminal Server certificate";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching termcert v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
- my $ts_path = $ccs."\\Services\\TermService\\Parameters";
- my $ts;
- if ($ts = $root_key->get_subkey($ts_path)) {
- ::rptMsg($ts_path);
- ::rptMsg("LastWrite Time ".gmtime($ts->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my $cert;
- eval {
- $cert = $ts->get_value("Certificate")->get_raw_data();
-
- printSector($cert);
- };
- ::rptMsg("Certificate value not found.") if ($@);
- }
- else {
- ::rptMsg($ts_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-sub printSector {
- my $data = shift;
- my $len = length($data);
- my $remaining = $len;
- my $i = 0;
-
- while ($remaining > 0) {
- my $seg1 = substr($data,$i * 16,16);
- my @str1 = split(//,unpack("H*",$seg1));
-
- my @s3;
- foreach my $i (0..15) {
- $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
- }
-
- my $h = join(' ',@s3);
- my @s1 = unpack("A*",$seg1);
- my $s2 = join('',@s1);
- $s2 =~ s/\W/\./g;
-
- ::rptMsg(sprintf "%-50s %-20s",$h,$s2);
- $i++;
- $remaining -= 16;
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/termserv.pl b/RecentActivity/release/rr/plugins/termserv.pl
deleted file mode 100644
index 010e3aed5e..0000000000
--- a/RecentActivity/release/rr/plugins/termserv.pl
+++ /dev/null
@@ -1,137 +0,0 @@ -#----------------------------------------------------------- -# termserv.pl -# Plugin for Registry Ripper; -# -# Change history -# 20100713 - Updated to include additional values, based on references -# 20100119 - updated -# 20090727 - created -# -# References -# Change TS listening port number - http://support.microsoft.com/kb/187623 -# Examining TS key - http://support.microsoft.com/kb/243215 -# Win2K8 TS stops listening - http://support.microsoft.com/kb/954398 -# XP/Win2K3 TSAdvertise value - http://support.microsoft.com/kb/281307 -# AllowTSConnections value - http://support.microsoft.com/kb/305608 -# TSEnabled value - http://support.microsoft.com/kb/222992 -# TSUserEnabled value - http://support.microsoft.com/kb/238965 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package termserv; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100713); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Terminal Server values from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching termserv v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $ts_path = $ccs."\\Control\\Terminal Server"; - my $ts; - if ($ts = $root_key->get_subkey($ts_path)) { - ::rptMsg($ts_path); - ::rptMsg("LastWrite Time 
".gmtime($ts->get_timestamp())." (UTC)"); - ::rptMsg(""); - ::rptMsg("Reference: http://support.microsoft.com/kb/243215"); - ::rptMsg(""); - - my $ver; - eval { - $ver = $ts->get_value("ProductVersion")->get_data(); - ::rptMsg(" ProductVersion = ".$ver); - }; - ::rptMsg(""); - - my $fdeny; - eval { - $fdeny = $ts->get_value("fDenyTSConnections")->get_data(); - ::rptMsg(" fDenyTSConnections = ".$fdeny); - ::rptMsg(" 1 = connections denied"); - }; - ::rptMsg("fDenyTSConnections value not found.") if ($@); - ::rptMsg(""); - - my $allow; - eval { - $allow = $ts->get_value("AllowTSConnections")->get_data(); - ::rptMsg(" AllowTSConnections = ".$allow); - ::rptMsg(" Ref: http://support.microsoft.com/kb/305608"); - }; - ::rptMsg(""); - - my $ad; - eval { - $ad = $ts->get_value("TSAdvertise")->get_data(); - ::rptMsg(" TSAdvertise = ".$ad); - ::rptMsg(" 0 = disabled, 1 = enabled (advertise Terminal Services)"); - ::rptMsg(" Ref: http://support.microsoft.com/kb/281307"); - }; - ::rptMsg(""); - - my $enabled; - eval { - $enabled = $ts->get_value("TSEnabled")->get_data(); - ::rptMsg(" TSEnabled = ".$enabled); - ::rptMsg(" 0 = disabled, 1 = enabled (Terminal Services enabled)"); - ::rptMsg(" Ref: http://support.microsoft.com/kb/222992"); - }; - ::rptMsg(""); - - my $user; - eval { - $user = $ts->get_value("TSUserEnabled")->get_data(); - ::rptMsg(" TSUserEnabled = ".$user); - ::rptMsg(" 1 = All users logging in are automatically part of the"); - ::rptMsg(" built-in Terminal Server User group. 0 = No one is a"); - ::rptMsg(" member of the built-in group."); - ::rptMsg(" Ref: http://support.microsoft.com/kb/238965"); - }; - ::rptMsg(""); - - my $help; - eval { - $help = $ts->get_value("fAllowToGetHelp")->get_data(); - ::rptMsg(" fAllowToGetHelp = ".$user); - ::rptMsg(" 1 = Users can request assistance from friend or a "); - ::rptMsg(" support professional."); - ::rptMsg(" Ref: http://www.pctools.com/guides/registry/detail/1213/"); - }; - - } - else { - ::rptMsg($ts_path." 
not found."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/timezone.pl b/RecentActivity/release/rr/plugins/timezone.pl deleted file mode 100644 index fa3f38729d..0000000000 --- a/RecentActivity/release/rr/plugins/timezone.pl +++ /dev/null 
@@ -1,88 +0,0 @@ -#----------------------------------------------------------- -# timezone.pl -# Plugin for Registry Ripper; Access System hive file to get the -# contents of the TimeZoneInformation key -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/102986 -# http://support.microsoft.com/kb/207563 -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package timezone; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Get TimeZoneInformation key contents"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching timezone v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $tz_path = $ccs."\\Control\\TimeZoneInformation"; - my $tz; - if ($tz = $root_key->get_subkey($tz_path)) { - ::rptMsg("TimeZoneInformation key"); - ::rptMsg($tz_path); - ::rptMsg("LastWrite Time ".gmtime($tz->get_timestamp())." (UTC)"); - my %tz_vals; - my @vals = $tz->get_list_of_values(); - if (scalar(@vals) > 0) { - map{$tz_vals{$_->get_name()} = $_->get_data()}(@vals); - - ::rptMsg(" DaylightName -> ".$tz_vals{"DaylightName"}); - ::rptMsg(" StandardName -> ".$tz_vals{"StandardName"}); - - my $bias = $tz_vals{"Bias"}/60; - my $atbias = $tz_vals{"ActiveTimeBias"}/60; - - ::rptMsg(" Bias -> ".$tz_vals{"Bias"}." 
(".$bias." hours)"); - ::rptMsg(" ActiveTimeBias -> ".$tz_vals{"ActiveTimeBias"}." (".$atbias." hours)"); - - } - else { - ::rptMsg($tz_path." has no values."); - ::logMsg($tz_path." has no values."); - } - } - else { - ::rptMsg($tz_path." could not be found."); - ::logMsg($tz_path." could not be found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/tsclient.pl b/RecentActivity/release/rr/plugins/tsclient.pl deleted file mode 100644 index 364c17bff0..0000000000 --- a/RecentActivity/release/rr/plugins/tsclient.pl +++ /dev/null 
@@ -1,72 +0,0 @@ -#----------------------------------------------------------- -# tsclient.pl -# Plugin for Registry Ripper -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/312169 -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package tsclient; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 0, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of user's Terminal Server Client\\Default key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching tsclient v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Default'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("TSClient"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %mrus; - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/MRU/,$val))[1]; - $mrus{$tag} = $val.":".$data; - } - foreach my $u (sort {$a <=> $b} keys %mrus) { - my ($val,$data) = split(/:/,$mrus{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/typedpaths.pl b/RecentActivity/release/rr/plugins/typedpaths.pl deleted file mode 100644 index 292f0370b0..0000000000 
--- a/RecentActivity/release/rr/plugins/typedpaths.pl +++ /dev/null @@ -1,69 +0,0 @@ -#----------------------------------------------------------- -# typedpaths.pl -# For Windows 7, Desktop Address Bar History -# -# Change history -# 20100330 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package typedpaths; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100330); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's typedpaths key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching typedpaths v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %paths; - foreach my $v (@vals) { - my $name = $v->get_name(); - $name =~ s/^url//; - my $data = $v->get_data(); - $paths{$name} = $data; - } - foreach my $p (sort {$a <=> $b} keys %paths) { - ::rptMsg(sprintf "%-8s %-30s","url".$p,$paths{$p}); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/typedurls.pl b/RecentActivity/release/rr/plugins/typedurls.pl deleted file mode 100644 index fbd6c194e9..0000000000 --- a/RecentActivity/release/rr/plugins/typedurls.pl +++ /dev/null 
@@ -1,87 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# typedurls.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# TypedURLs values -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/157729 -# http://msdn2.microsoft.com/en-us/library/aa908115.aspx -# -# Notes: Reportedly, only the last 20 entries are maintained; -# Also, new entries aren't added to the key until the current -# instance of IE is terminated. -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package typedurls; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Returns contents of user's TypedURLs key."; -} -sub getDescr{} -sub getRefs { - my %refs = ("IESample Registry Settings" => - "http://msdn2.microsoft.com/en-us/library/aa908115.aspx", - "How to clear History entries in IE" => - "http://support.microsoft.com/kb/157729"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching typedurls v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Internet Explorer\\TypedURLs'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("TypedURLs"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %urls; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/url/,$val))[1]; - $urls{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %urls) { - my ($val,$data) = split(/:/,$urls{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/uninstall.pl b/RecentActivity/release/rr/plugins/uninstall.pl deleted file mode 100644 index 71975fd388..0000000000 --- a/RecentActivity/release/rr/plugins/uninstall.pl +++ /dev/null 
@@ -1,89 +0,0 @@ -#----------------------------------------------------------- -# uninstall.pl -# Gets contents of Uninstall key from Software hive; sorts -# display names based on key LastWrite time -# -# References: -# http://support.microsoft.com/kb/247501 -# http://support.microsoft.com/kb/314481 -# http://msdn.microsoft.com/en-us/library/ms954376.aspx -# -# Change History: -# 20100116 - Minor updates -# 20090413 - Extract DisplayVersion info -# 20090128 - Added references -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package uninstall; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets contents of Uninstall key from Software hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching uninstall v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Uninstall'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Uninstall"); - ::rptMsg($key_path); - ::rptMsg(""); - - my %uninst; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $lastwrite = $s->get_timestamp(); - my $display; - eval { - $display = $s->get_value("DisplayName")->get_data(); - }; - $display = $s->get_name() if ($display eq ""); - - my $ver; - eval { - $ver = $s->get_value("DisplayVersion")->get_data(); - }; - $display .= " v\.".$ver unless ($@); - - push(@{$uninst{$lastwrite}},$display); - } - foreach my $t (reverse sort {$a <=> $b} keys %uninst) { - ::rptMsg(gmtime($t)." 
(UTC)"); - foreach my $item (@{$uninst{$t}}) { - ::rptMsg("\t$item"); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/unreadmail.pl b/RecentActivity/release/rr/plugins/unreadmail.pl deleted file mode 100644 index 5f6aadcf6d..0000000000 --- a/RecentActivity/release/rr/plugins/unreadmail.pl +++ /dev/null 
@@ -1,89 +0,0 @@ -#----------------------------------------------------------- -# unreadmail.pl -# -# -# Change history -# 20100218 - created -# -# References -# http://support.microsoft.com/kb/304148 -# http://support.microsoft.com/kb/831403 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package unreadmail; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of Unreadmail key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching unreadmail v.".$VERSION); - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - eval { - my $e = $key->get_value("MessageExpiryDays")->get_data(); - ::rptMsg("MessageExpiryDays : ".$e); - ::rptMsg(""); - }; - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - ::rptMsg(""); - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()); - ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); - eval { - my $m = $s->get_value("MessageCount")->get_data(); - ::rptMsg(" MessageCount: ".$m); - }; - - eval { - my $a = $s->get_value("Application")->get_data(); - ::rptMsg(" Application : ".$a); - }; - - eval { - my @t = unpack("VV",$s->get_value("TimeStamp")->get_data()); - my $ts = ::getTime($t[0],$t[1]); - ::rptMsg(" TimeStamp : ".gmtime($ts)." (UTC)"); - }; - - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." 
has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/urlzone.pl b/RecentActivity/release/rr/plugins/urlzone.pl deleted file mode 100644 index f48e82411f..0000000000 --- a/RecentActivity/release/rr/plugins/urlzone.pl +++ /dev/null 
@@ -1,96 +0,0 @@ -#----------------------------------------------------------- -# /root/bin/plugins/urlzone.pl -# Plugin to detect URLZONE infection -# -# copyright 2009 Stefan Kelm (skelm@bfk.de) -#----------------------------------------------------------- -package urlzone; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090526); - -sub getConfig{return %config} - -sub getShortDescr {return "URLZONE detection";} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { -my $class = shift; -my $hive = shift; -::logMsg("Launching urlzone v.".$VERSION); -my $reg = Parse::Win32Registry->new($hive); -my $root_key = $reg->get_root_key; - -my $key_path = "Microsoft\\Windows\\CurrentVersion\\Internet Settings\\urlzone"; -my $key; -if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); - eval { - my @vals = $s->get_list_of_values(); - if (scalar(@vals) > 0) { - my %sns; - foreach my $v (@vals) { - $sns{$v->get_name()} = $v->get_data(); - } - foreach my $i (keys %sns) { - ::rptMsg("\t\t".$i." = ".$sns{$i}); - } - } - else { -# No values - } - }; - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); -# ::logMsg($key_path." not found."); - } - - my $key_path2 = "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\userinit.exe"; - my $key2; - if ($key2 = $root_key->get_subkey($key_path2)) { - ::rptMsg($key_path2); - ::rptMsg("LastWrite Time ".gmtime($key2->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - my $dbg; - eval { - $dbg = $key2->get_value("Debugger")->get_data(); - }; - if ($@) { - ::rptMsg("Debugger value not found."); - } - else { - ::rptMsg("Debugger = ".$dbg); - } - ::rptMsg(""); - } - else { - ::rptMsg($key_path2." not found."); -# ::logMsg($key_path2." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/usbstor.pl b/RecentActivity/release/rr/plugins/usbstor.pl deleted file mode 100644 index e0223805a4..0000000000 --- a/RecentActivity/release/rr/plugins/usbstor.pl +++ /dev/null 
@@ -1,91 +0,0 @@ -#----------------------------------------------------------- -# usbstor -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package usbstor; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080418); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USBStor key info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching usbstor v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." not found."); - return; - } - - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("USBStor"); - ::rptMsg($key_path); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); - - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $k (@sk) { - my $serial = $k->get_name(); - ::rptMsg(" S/N: ".$serial." [".gmtime($k->get_timestamp())."]"); - my $friendly; - eval { - $friendly = $k->get_value("FriendlyName")->get_data(); - }; - ::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne ""); - my $parent; - eval { - $parent = $k->get_value("ParentIdPrefix")->get_data(); - }; - ::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne ""); - } - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." 
has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/usbstor2.pl b/RecentActivity/release/rr/plugins/usbstor2.pl deleted file mode 100644 index b62283bb1c..0000000000 --- a/RecentActivity/release/rr/plugins/usbstor2.pl +++ /dev/null 
@@ -1,134 +0,0 @@ -#----------------------------------------------------------- -# usbstor2 -# Similar to usbstor plugin, but prints output in .csv format; -# also checks MountedDevices keys -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package usbstor2; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080825); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USBStor key info; csv output"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $reg; - -sub pluginmain { - my $class = shift; - my $hive = shift; - $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." 
not found."); - return; - } - - my $name_path = $ccs."\\Control\\ComputerName\\ComputerName"; - my $comp_name; - eval { - $comp_name = $root_key->get_subkey($name_path)->get_value("ComputerName")->get_data(); - }; - $comp_name = "Test" if ($@); - - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $dev_class = $s->get_name(); - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $k (@sk) { - my $serial = $k->get_name(); - my $sn_lw = $k->get_timestamp(); - my $str = $comp_name.",".$dev_class.",".$serial.",".$sn_lw; - - my $friendly; - eval { - $friendly = $k->get_value("FriendlyName")->get_data(); - $str .= ",".$friendly; - }; - $str .= ", " if ($@); - - my $parent; - eval { - $parent = $k->get_value("ParentIdPrefix")->get_data(); - $str .= ",".$parent; - - my $dev = checkMountedDevices($parent); - $str .= ",".$dev if ($dev); - - }; - - - ::rptMsg($str); - } - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -sub checkMountedDevices { - my $pip = shift; - my $root_key = $reg->get_root_key; - my $key_path = 'MountedDevices'; - my $key; - my %md; - if ($key = $root_key->get_subkey($key_path)) { - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - next unless ($name =~ m/^\\DosDevices/); - my $data = $v->get_data(); - if (length($data) > 12) { - $data =~ s/\00//g; - return $name if (grep(/$pip/,$data)); - } - } - } - } - else { - return undef; - } - return undef; -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/usbstor3.pl b/RecentActivity/release/rr/plugins/usbstor3.pl deleted file mode 100644 index 5215454818..0000000000 
--- a/RecentActivity/release/rr/plugins/usbstor3.pl
+++ /dev/null
@@ -1,103 +0,0 @@ -#----------------------------------------------------------- -# usbstor3 -# Collects USBStor information, output in .csv -# -# History -# 20100312 - created -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package usbstor3; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100312); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USBStor key info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching usbstor3 v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." not found."); - return; - } - - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("USBStor"); -# ::rptMsg($key_path); -# ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { -# ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); - my $name1 = $s->get_name(); - my $time1 = gmtime($s->get_timestamp()); - - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $k (@sk) { - my $serial = $k->get_name(); -# ::rptMsg(" S/N: ".$serial." 
[".gmtime($k->get_timestamp())."]"); - my $str = $name1.",".$time1.",".$serial.",".gmtime($k->get_timestamp()); - - my $friendly; - eval { - $friendly = $k->get_value("FriendlyName")->get_data(); - $str .= ",".$friendly; - }; - $str .= "," if ($@); -# ::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne ""); - my $parent; - eval { - $parent = $k->get_value("ParentIdPrefix")->get_data(); - $str .= ",".$parent; - }; - $str .= "," if ($@); -# ::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne ""); - ::rptMsg($str); - } - } -# ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/user_run.pl b/RecentActivity/release/rr/plugins/user_run.pl deleted file mode 100644 index f982cfde9a..0000000000 --- a/RecentActivity/release/rr/plugins/user_run.pl +++ /dev/null 
@@ -1,102 +0,0 @@ -#----------------------------------------------------------- -# user_run -# Get contents of Run key from Software hive -# -# References: -# http://msdn2.microsoft.com/en-us/library/aa376977.aspx -# http://support.microsoft.com/kb/170086 -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package user_run; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20080328); - -sub getConfig{return %config} - -sub getShortDescr { - return "Autostart - get Run key contents from NTUSER\.DAT hive"; -} -sub getDescr{} -sub getRefs { - my %refs = ("Definition of the Run keys in the WinXP Registry" => - "http://support.microsoft.com/kb/314866"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching user_run v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my %vals = getKeyValues($key); - if (scalar(keys %vals) > 0) { - foreach my $v (keys %vals) { - ::rptMsg("\t".$v." -> ".$vals{$v}); - } - } - else { - ::rptMsg($key_path." has no values."); - } - - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - ::rptMsg(""); - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); - my %vals = getKeyValues($s); - foreach my $v (keys %vals) { - ::rptMsg("\t".$v." -> ".$vals{$v}); - } - } - } - else { - ::rptMsg(""); - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::logMsg($key_path." not found."); - } - -} - -sub getKeyValues { - my $key = shift; - my %vals; - - my @vk = $key->get_list_of_values(); - if (scalar(@vk) > 0) { - foreach my $v (@vk) { - next if ($v->get_name() eq "" && $v->get_data() eq ""); - $vals{$v->get_name()} = $v->get_data(); - } - } - else { - - } - return %vals; -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/user_win.pl b/RecentActivity/release/rr/plugins/user_win.pl deleted file mode 100644 index 107c71d4be..0000000000 --- a/RecentActivity/release/rr/plugins/user_win.pl +++ /dev/null 
@@ -1,60 +0,0 @@ -#----------------------------------------------------------- -# user_win.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package user_win; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080415); - -sub getConfig{return %config} - -sub getShortDescr { - return " -- "; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching user_win v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - eval { - my $load = $key->get_value("load")->get_data(); - ::rptMsg("load value = ".$load); - ::rptMsg("*Should be blank; anything listed gets run when the user logs in."); - }; - - eval { - my $run = $key->get_value("run")->get_data(); - ::rptMsg("run value = ".$run); - ::rptMsg("*Should be blank; anything listed gets run when the user logs in."); - }; - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/userassist.pl b/RecentActivity/release/rr/plugins/userassist.pl deleted file mode 100644 index d523444e85..0000000000 --- a/RecentActivity/release/rr/plugins/userassist.pl +++ /dev/null 
@@ -1,86 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# userassist.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# UserAssist values -# -# Change history -# 20080726 - added reference to help examiner understand Control -# Panel entries found in output -# 20080301 - updated to include run count along with date -# -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package userassist; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080726); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of UserAssist Active Desktop key"; -} -sub getDescr{} -sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching UserAssist (Active Desktop) v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\'. - '{75048700-EF1F-11D0-9888-006097DEACF9}\\Count'; - my $key; - my %ua; - my $hrzr = "HRZR"; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("UserAssist (Active Desktop)"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $value_name = $v->get_name(); - my $data = $v->get_data(); - if (length($data) == 16) { - my ($session,$count,$val1,$val2) = unpack("V*",$data); - if ($val2 != 0) { - my $time_value = ::getTime($val1,$val2); - if ($value_name =~ m/^$hrzr/) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - } - $count -= 5 if ($count > 5); - push(@{$ua{$time_value}},$value_name." (".$count.")"); - } - } - } - foreach my $t (reverse sort {$a <=> $b} keys %ua) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$ua{$t}}) { - ::rptMsg("\t$item"); - } - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/userassist2.pl b/RecentActivity/release/rr/plugins/userassist2.pl deleted file mode 100644 index 010b9899db..0000000000 --- a/RecentActivity/release/rr/plugins/userassist2.pl +++ /dev/null 
@@ -1,125 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# userassist2.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# UserAssist values -# -# Change history -# 20100322 - Added CLSID list reference -# 20100308 - created, based on original userassist.pl plugin -# -# References -# Control Panel Applets - http://support.microsoft.com/kb/313808 -# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package userassist2; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100308); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of UserAssist subkeys"; -} -sub getDescr{} -sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching userassist2 v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; - my $key; - - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("UserAssist"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()); - processKey($s); - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub processKey { - my $ua = shift; - - my $key = $ua->get_subkey("Count"); - - my %ua; - my $hrzr = "HRZR"; - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $value_name = $v->get_name(); - my $data = $v->get_data(); - -# Windows XP/2003/Vista/2008 - if (length($data) == 16) { - my ($session,$count,$val1,$val2) = unpack("V*",$data); - if ($val2 != 0) { - my $time_value = ::getTime($val1,$val2); - if ($value_name =~ m/^$hrzr/) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - } - $count -= 5 if ($count > 5); - push(@{$ua{$time_value}},$value_name." (".$count.")"); - } - } -# Windows 7 - elsif (length($data) == 72) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; -# if (unpack("V",substr($data,0,4)) == 0) { -# my $count = unpack("V",substr($data,4,4)); -# my @t = unpack("VV",substr($data,60,8)); -# next if ($t[0] == 0 && $t[1] == 0); -# my $time_val = ::getTime($t[0],$t[1]); -# print " .-> ".$time_val."\n"; -# push(@{$ua{$time_val}},$value_name." (".$count.")"); -# } - my $count = unpack("V",substr($data,4,4)); - my @t = unpack("VV",substr($data,60,8)); - next if ($t[0] == 0 && $t[1] == 0); - my $time_val = ::getTime($t[0],$t[1]); - push(@{$ua{$time_val}},$value_name." (".$count.")"); - } - else { -# Nothing else to do - } - } - foreach my $t (reverse sort {$a <=> $b} keys %ua) { - ::rptMsg(gmtime($t)." Z"); - foreach my $i (@{$ua{$t}}) { - ::rptMsg(" ".$i); - } - } - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/userassist_tln.pl b/RecentActivity/release/rr/plugins/userassist_tln.pl deleted file mode 100644 index ea87cb3787..0000000000 --- a/RecentActivity/release/rr/plugins/userassist_tln.pl +++ /dev/null 
@@ -1,114 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# userassist_tln.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# UserAssist values -# -# Change history -# 20110516 - created, modified from userassist2.pl -# 20100322 - Added CLSID list reference -# 20100308 - created, based on original userassist.pl plugin -# -# References -# Control Panel Applets - http://support.microsoft.com/kb/313808 -# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package userassist_tln; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20110516); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of UserAssist subkeys in TLN format"; -} -sub getDescr{} -sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching userassist_tln v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; - my $key; - - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("UserAssist"); -# ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); -# ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()); - processKey($s); - ::rptMsg(""); - } - } - else { - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::logMsg($key_path." 
not found."); - } -} - -sub processKey { - my $ua = shift; - my $key = $ua->get_subkey("Count"); - my %ua; - my $hrzr = "HRZR"; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $value_name = $v->get_name(); - my $data = $v->get_data(); - -# Windows XP/2003/Vista/2008 - if (length($data) == 16) { - my ($session,$count,$val1,$val2) = unpack("V*",$data); - if ($val2 != 0) { - my $time_value = ::getTime($val1,$val2); - if ($value_name =~ m/^$hrzr/) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - } - $count -= 5 if ($count > 5); - push(@{$ua{$time_value}},$value_name." (".$count.")"); - } - } -# Windows 7 - elsif (length($data) == 72) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - my $count = unpack("V",substr($data,4,4)); - my @t = unpack("VV",substr($data,60,8)); - next if ($t[0] == 0 && $t[1] == 0); - my $time_val = ::getTime($t[0],$t[1]); - push(@{$ua{$time_val}},$value_name." (".$count.")"); - } - else { -# Nothing else to do - } - } - foreach my $t (reverse sort {$a <=> $b} keys %ua) { - foreach my $i (@{$ua{$t}}) { - ::rptMsg($t."|REG|||UserAssist - ".$i); - } - } - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/userinit.pl b/RecentActivity/release/rr/plugins/userinit.pl deleted file mode 100644 index b6664b8626..0000000000 --- a/RecentActivity/release/rr/plugins/userinit.pl +++ /dev/null 
@@ -1,63 +0,0 @@
-#-----------------------------------------------------------
-# userinit
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package userinit;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 1,
- version => 20080328);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Gets UserInit value";
-}
-sub getDescr{}
-sub getRefs {
- my %refs = ("My Documents open at startup" =>
- "http://support.microsoft.com/kb/555294",
- "Userinit" =>
- "http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/12330.mspx?mfr=true");
- return %refs;
-}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching userinit v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my $ui;
- eval {
- $ui = $key->get_value("Userinit")->get_data();
- ::rptMsg("\tUserinit -> ".$ui);
- };
- ::rptMsg("Error: ".$@) if ($@);
- ::rptMsg("");
- ::rptMsg("Per references, content should be %SystemDrive%\\system32\\userinit.exe,");
- ::rptMsg("");
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/userlocsvc.pl b/RecentActivity/release/rr/plugins/userlocsvc.pl
deleted file mode 100644
index 3974a036e1..0000000000
--- a/RecentActivity/release/rr/plugins/userlocsvc.pl
+++ /dev/null
@@ -1,62 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# userlocsvc.pl -# Get the contents of the Microsoft\User Location Service\Clients key -# from the user's hive -# -# Ref: -# http://support.microsoft.com/kb/196301 -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package userlocsvc; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090411); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of User Location Service\\Client key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching UserLocSvc v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - my $key_path = 'Software\\Microsoft\\User Location Service\\Client'; - my $key; - my %ua; - my $hrzr = "HRZR"; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $str = sprintf "%-15s %-30s",$v->get_name(),$v->get_data(); - ::rptMsg($str) if ($v->get_type() == 1); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/virut.pl b/RecentActivity/release/rr/plugins/virut.pl deleted file mode 100644 index eed5fc2a60..0000000000 --- a/RecentActivity/release/rr/plugins/virut.pl +++ /dev/null 
@@ -1,66 +0,0 @@
-#-----------------------------------------------------------
-# virut.pl
-# Plugin to detect artifacts of a Virut infection
-#
-# References:
-# Symantec: http://www.symantec.com/security_response/
-# writeup.jsp?docid=2009-020411-2802-99&tabid=2
-#
-#
-#
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package virut;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090218);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Detect Virut artifacts";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching virut v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my $update;
- eval {
- $update = $key->get_value("UpdateHost")->get_data();
- ::rptMsg("UpdateHost value detected! Possible Virut infection!");
- };
- ::rptMsg("UpdateHost value not found.") if ($@);
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
- ::rptMsg("");
- ::rptMsg("Also be sure to check the SYSTEM\\ControlSet00n\\Services\\SharedAccess\\");
- ::rptMsg("Parameters\\FirewallPolicy\\DomainProfile\\AuthorizedApplications\\List key");
- ::rptMsg("for exceptions added to the firewall; use the fw_config\.pl plugin.");
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/vista_bitbucket.pl b/RecentActivity/release/rr/plugins/vista_bitbucket.pl
deleted file mode 100644
index 6fa27c55a5..0000000000
--- a/RecentActivity/release/rr/plugins/vista_bitbucket.pl
+++ /dev/null
@@ -1,88 +0,0 @@ -#----------------------------------------------------------- -# vista_bitbucket -# BitBucket settings for Vista $Recylce.bin are maintained on a -# per-user, per-volume basis -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package vista_bitbucket; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 192, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080420); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get BitBucket settings from Vista via NTUSER\.DAT"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching vista_bitbucket v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg($v->get_name()." : ".$v->get_data()); - } - - } - else { - ::rptMsg($key_path." has no values."); - } - ::rptMsg(""); - - my @vols; - eval { - @vols = $key->get_subkey("Volume")->get_list_of_subkeys(); - }; - if ($@) { - ::rptMsg("Could not access ".$key_path."\\Volume subkey."); - return; - } - - if (scalar(@vols) > 0) { - foreach my $v (@vols) { - ::rptMsg($v->get_name()." [".gmtime($v->get_timestamp())."] (UTC)"); - eval { - ::rptMsg(sprintf " %-15s %-3s","NukeOnDelete",$v->get_value("NukeOnDelete")->get_data()); - }; - - - } - - } - else { - ::rptMsg($key_path."\\Volume key has no subkeys."); - } - - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found.");
- }
-
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/vista_comdlg32.pl b/RecentActivity/release/rr/plugins/vista_comdlg32.pl
deleted file mode 100644
index d20b8fb89d..0000000000
--- a/RecentActivity/release/rr/plugins/vista_comdlg32.pl
+++ /dev/null
@@ -1,145 +0,0 @@ -#----------------------------------------------------------- -# vista_comdlg32.pl -# Plugin for Registry Ripper -# -# Change history -# 20090821 - created -# -# References -# -# -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package vista_comdlg32; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090821); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of Vista user's ComDlg32 key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching vista_comdlg32 v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("vista_comdlg32 v.".$VERSION); - ::rptMsg("**All values listed in MRU order."); - -# CIDSizeMRU - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\CIDSizeMRU"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my %lvmru; - my @mrulist; - @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUListEx}) { - delete($lvmru{MRUListEx}); - foreach my $m (keys %lvmru) { - my $file = parseStr($lvmru{$m}); - my $str = sprintf "%-4s ".$file,$m; - ::rptMsg(" ".$str); - } - } - else { - ::rptMsg($key_path." does not have an MRUList value."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } - ::rptMsg(""); - -# LastVistedPidlMRU - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRU"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my %lvmru; - my @mrulist; - @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUListEx}) { - delete($lvmru{MRUListEx}); - foreach my $m (keys %lvmru) { - my $file = parseStr($lvmru{$m}); - my $str = sprintf "%-4s ".$file,$m; - ::rptMsg(" ".$str); - } - } - else { - ::rptMsg($key_path." does not have an MRUList value."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - - -} - -sub parseStr { - my $data = $_[0]; - my $temp; - my $tag = 1; - my $ofs = 0; - - while ($tag) { - my $t = substr($data,$ofs,2); - if (unpack("v",$t) == 0x00) { - $tag = 0; - } - else { - $temp .= $t; - $ofs += 2; - } - } - $temp =~ s/\00//g; - return $temp; -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/vista_wireless.pl b/RecentActivity/release/rr/plugins/vista_wireless.pl deleted file mode 100644 index f6b74bcf7a..0000000000 --- a/RecentActivity/release/rr/plugins/vista_wireless.pl +++ /dev/null 
@@ -1,80 +0,0 @@ -#----------------------------------------------------------- -# vista_wireless -# -# Get Wireless info from Vista systems -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package vista_wireless; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090514); - -sub getConfig{return %config} -sub getShortDescr { - return "Get Vista Wireless Info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $error; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching vista_wireless v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $lastwrite = $s->get_timestamp(); - - my $nametype; - eval { - $nametype = $s->get_value("NameType")->get_data(); - }; - if ($@) { - - } - else { - if ($nametype == 0x47) { - my $profilename; - my $descr; - eval { - ::rptMsg("LastWrite = ".gmtime($lastwrite)." Z"); - $profilename = $s->get_value("ProfileName")->get_data(); - $descr = $s->get_value("Description")->get_data(); - ::rptMsg(" ".$profilename." [".$descr."]"); - - }; - } - } - - - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/vncviewer.pl b/RecentActivity/release/rr/plugins/vncviewer.pl deleted file mode 100644 index 82049c93bd..0000000000 
--- a/RecentActivity/release/rr/plugins/vncviewer.pl
+++ /dev/null
@@ -1,68 +0,0 @@
-#-----------------------------------------------------------
-# vncviewer
-#
-#
-#-----------------------------------------------------------
-package vncviewer;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080325);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get VNCViewer system list";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching vncviewer v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Software\\ORL\\VNCviewer\\MRU";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("VNCViewer\\MRU");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %vnc;
- foreach my $v (@vals) {
- $vnc{$v->get_name()} = $v->get_data();
- }
- my $ind;
- if (exists $vnc{'index'}) {
- $ind = $vnc{'index'};
- delete $vnc{'index'};
- }
-
- ::rptMsg("Index = ".$ind);
- my @i = split(//,$ind);
- foreach my $i (@i) {
- ::rptMsg(" ".$i." -> ".$vnc{$i});
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/wallpaper.pl b/RecentActivity/release/rr/plugins/wallpaper.pl
deleted file mode 100644
index 2d930cb0b1..0000000000
--- a/RecentActivity/release/rr/plugins/wallpaper.pl
+++ /dev/null
@@ -1,90 +0,0 @@ -#----------------------------------------------------------- -# wallpaper.pl -# -# Wallpaper MRU -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package wallpaper; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 200800810); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parses Wallpaper MRU Entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching wallpaper v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("wallpaper"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my %wp; - my @mrulist; - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (sort @vals) { - my $name = $v->get_name(); - if ($name =~ m/^\d/) { - my $data = $v->get_data(); - my $str = getStringValue($data); - $wp{$name} = $str; - } - elsif ($name =~ m/^MRUList/) { - @mrulist = unpack("V*",$v->get_data()); - } - else { -# nothing to do - } - } - foreach my $m (@mrulist) { - next if ($m == 0xffffffff); - ::rptMsg($m." -> ".$wp{$m}); - } - } - else { - ::rptMsg($key_path." has no values"); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found.");
- }
-}
-
-#-----------------------------------------------------------
-# getStringValue() - given a binary data type w/ a Unicode
-# string at the beginning, delimited by \x00\x00, return an ASCII
-# string
-#-----------------------------------------------------------
-sub getStringValue {
- my $bin = shift;
- my $str = (split(/\00\00/,$bin,2))[0];
- $str =~ s/\00//g;
- return $str;
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/win7_ua.pl b/RecentActivity/release/rr/plugins/win7_ua.pl
deleted file mode 100644
index be2ea1afa8..0000000000
--- a/RecentActivity/release/rr/plugins/win7_ua.pl
+++ /dev/null
@@ -1,140 +0,0 @@ -#----------------------------------------------------------- -# win7_ua.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package win7_ua; -use strict; -my $vignerekey = "BWHQNKTEZYFSLMRGXADUJOPIVC"; -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090121); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get Win7 UserAssist data"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching win7_ua v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @subkeys = $key->get_list_of_subkeys(); - - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - print $s->get_name()."\n"; - - my @vals = $s->get_subkey("Count")->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = decrypt_string($v->get_name(),$vignerekey); - my $data = $v->get_data(); - ::rptMsg(" ".$name); - if (length($data) == 72) { - my %vals = parseData($data); - ::rptMsg(" Counter 1 = ".$vals{counter1}); - ::rptMsg(" Counter 2 = ".$vals{counter2}); - ::rptMsg(" Runtime = ".$vals{runtime}." ms"); - ::rptMsg(" Last Run = ".$vals{lastrun}); - ::rptMsg(" MRU = ".$vals{mru}); - } - } - - } - else { - ::rptMsg($key_path."\\".$s->get_name()." has no values."); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} -1; - -sub decrypt_string{ -# decrypts a full string of ciphertext, given the ciphertext and the key. -# returns the plaintext string. - my ($ciphertext, $key) = @_; - my $plaintext; - my @plain; - - $key = $key x (length($ciphertext) / length($key) + 1); - - my @cipherletters = split(//,$ciphertext); - foreach my $i (0..(scalar(@cipherletters) - 1)) { -# print "Cipher letter => ".$cipherletters[$i]."\n"; - if ($cipherletters[$i] =~ m/\w/ && !($cipherletters[$i] =~ m/\d/)) { -# print "Decrypting ".$cipherletters[$i]." with ".(substr($key,$i,1))."\n"; - $plain[$i] = decrypt_letter($cipherletters[$i], (substr($key,$i,1))); - } - else { - $plain[$i] = $cipherletters[$i]; - } - } - -# for( my $i=0; $i= 65 && ord($cipher) <= 90); - -# in row n, plaintext is ciphertext - n, mod 26. - $row = ord(lc($row)) - ord('a'); # enable mod 26 - $cipher = ord(lc($cipher)) - ord('a'); # enable mod 26 - $plain = ($cipher - $row) % 26; - $plain = chr($plain + ord('a')); - - $plain = uc($plain) if ($upper == 1); - return $plain; -} - -sub parseData { - my $data = shift; - my %vals; - - $vals{counter1} = unpack("V",substr($data,4,4)); - $vals{counter2} = unpack("V",substr($data,8,4)); - $vals{runtime} = unpack("V",substr($data,12,4)); - my @a = unpack("VV",substr($data,60,8)); - my $t = ::getTime($a[0],$a[1]); - ($t == 0) ? ($vals{lastrun} = 0) : ($vals{lastrun} = gmtime($t)); - - $vals{mru} = unpack("V",substr($data,68,4)); - return %vals; - -} \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/win_cv.pl b/RecentActivity/release/rr/plugins/win_cv.pl deleted file mode 100644 index 977eeb7920..0000000000 --- a/RecentActivity/release/rr/plugins/win_cv.pl +++ /dev/null 
@@ -1,85 +0,0 @@ -#----------------------------------------------------------- -# win_cv.pl -# Get and display the contents of the Windows\CurrentVersion key -# Output sorted based on length of data -# -# Change History: -# 20080609: added translation of InstallDate time -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package win_cv; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090312); - -sub getConfig{return %config} -sub getShortDescr { - return "Get & display the contents of the Windows\\CurrentVersion key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching win_cv v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows\\CurrentVersion"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my %cv; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - my $len = length($data); - next if ($name eq ""); - if ($v->get_type() == 3) { - $data = _translateBinary($data); - } - push(@{$cv{$len}},$name." : ".$data); - } - foreach my $t (sort {$a <=> $b} keys %cv) { - foreach my $item (@{$cv{$t}}) { - ::rptMsg(" $item"); - } - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values"); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/winlogon.pl b/RecentActivity/release/rr/plugins/winlogon.pl deleted file mode 100644 index 6808f3e278..0000000000 --- a/RecentActivity/release/rr/plugins/winlogon.pl +++ /dev/null 
@@ -1,98 +0,0 @@ -#----------------------------------------------------------- -# WinLogon -# Get values from WinLogon key -# -# History -# 20100219 - Updated output to better present some data -# 20080415 - created -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package winlogon; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100219); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get values from the WinLogon key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winlogon v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %wl; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - my $len = length($data); - next if ($name eq ""); - if ($v->get_type() == 3 && $name ne "DCacheUpdate") { - $data = _translateBinary($data); - } - - $data = sprintf "0x%x",$data if ($name eq "SfcQuota"); - if ($name eq "DCacheUpdate") { - my @v = unpack("VV",$data); - $data = gmtime(::getTime($v[0],$v[1])); - } - - push(@{$wl{$len}},$name." = ".$data); - } - - foreach my $t (sort {$a <=> $b} keys %wl) { - foreach my $item (@{$wl{$t}}) { - ::rptMsg(" $item"); - } - } - - ::rptMsg(""); - ::rptMsg("Analysis Tips: The UserInit and Shell values are executed when a user logs on."); - - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." 
has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/winlogon_u.pl b/RecentActivity/release/rr/plugins/winlogon_u.pl deleted file mode 100644 index f2355efe83..0000000000 --- a/RecentActivity/release/rr/plugins/winlogon_u.pl +++ /dev/null 
@@ -1,90 +0,0 @@ -#----------------------------------------------------------- -# winlogon_u -# Get values from user's WinLogon key -# -# Change History: -# 20091021 - created -# -# References: -# http://support.microsoft.com/kb/119941 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winlogon_u; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091021); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get values from the user's WinLogon key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winlogon_u v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %wl; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - my $len = length($data); - next if ($name eq ""); - if ($v->get_type() == 3) { - $data = _translateBinary($data); - } - push(@{$wl{$len}},$name." = ".$data); - } - - foreach my $t (sort {$a <=> $b} keys %wl) { - foreach my $item (@{$wl{$t}}) { - ::rptMsg(" $item"); - } - } - - ::rptMsg(""); - ::rptMsg("Analysis Tip: Existence of RunGrpConv = 1 value may indicate that the"); - ::rptMsg(" system had been infected with Bredolab (Symantec)."); - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/winnt_cv.pl b/RecentActivity/release/rr/plugins/winnt_cv.pl deleted file mode 100644 index 537ced5ca8..0000000000 --- a/RecentActivity/release/rr/plugins/winnt_cv.pl +++ /dev/null 
@@ -1,87 +0,0 @@ -#----------------------------------------------------------- -# winnt_cv.pl -# Get and display the contents of the Windows\CurrentVersion key -# Output sorted based on length of data -# -# Change History: -# 20080609: added translation of InstallDate time -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winnt_cv; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080609); - -sub getConfig{return %config} -sub getShortDescr { - return "Get & display the contents of the Windows NT\\CurrentVersion key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winnt_cv v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("WinNT_CV"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my %cv; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - $data = gmtime($data)." (UTC)" if ($name eq "InstallDate"); - my $len = length($data); - next if ($name eq ""); - if ($v->get_type() == 3) { - $data = _translateBinary($data); - } - push(@{$cv{$len}},$name." : ".$data); - } - foreach my $t (sort {$a <=> $b} keys %cv) { - foreach my $item (@{$cv{$t}}) { - ::rptMsg(" $item"); - } - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values"); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/winrar.pl b/RecentActivity/release/rr/plugins/winrar.pl deleted file mode 100644 index f66f06ff65..0000000000 --- a/RecentActivity/release/rr/plugins/winrar.pl +++ /dev/null @@ -1,66 +0,0 @@ -#----------------------------------------------------------- -# winrar.pl -# Get WinRAR\ArcHistory entries -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winrar; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080819); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get WinRAR\\ArcHistory entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winrar v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\WinRAR\\ArcHistory"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("WinRAR"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my %arc; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - $arc{$v->get_name()} = $v->get_data(); - } - - foreach (sort keys %arc) { - ::rptMsg($_." -> ".$arc{$_}); - } - - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/winver.pl b/RecentActivity/release/rr/plugins/winver.pl deleted file mode 100644 index d59262e596..0000000000 --- a/RecentActivity/release/rr/plugins/winver.pl +++ /dev/null 
@@ -1,107 +0,0 @@ -#----------------------------------------------------------- -# winver.pl -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winver; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081210); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get Windows version"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winver v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("{name}"); -# ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - - my $prod; - eval { - $prod = $key->get_value("ProductName")->get_data(); - }; - if ($@) { -# ::rptMsg("ProductName value not found."); - } - else { - ::rptMsg("ProductName = ".$prod); - } - - my $csd; - eval { - $csd = $key->get_value("CSDVersion")->get_data(); - }; - if ($@) { -# ::rptMsg("CSDVersion value not found."); - } - else { - ::rptMsg("CSDVersion = ".$csd); - } - - - my $build; - eval { - $build = $key->get_value("BuildName")->get_data(); - }; - if ($@) { -# ::rptMsg("BuildName value not found."); - } - else { - ::rptMsg("BuildName = ".$build); - } - - my $buildex; - eval { - $buildex = $key->get_value("BuildNameEx")->get_data(); - }; - if ($@) { -# ::rptMsg("BuildName value not found."); - } - else { - ::rptMsg("BuildNameEx = ".$buildex); - } - - - my $install; - eval { - $install = $key->get_value("InstallDate")->get_data(); - }; - if ($@) { -# ::rptMsg("InstallDate value not found."); - } - else { - ::rptMsg("InstallDate = ".gmtime($install)); - } - - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/winzip.pl b/RecentActivity/release/rr/plugins/winzip.pl deleted file mode 100644 index 7fa815250b..0000000000 --- a/RecentActivity/release/rr/plugins/winzip.pl +++ /dev/null 
@@ -1,89 +0,0 @@ -#----------------------------------------------------------- -# WinZip -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winzip; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080325); - -sub getConfig{return %config} -sub getShortDescr { - return "Get WinZip extract and filemenu values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching WinZip v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Nico Mak Computing\\WinZip"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("WinZip"); - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - my %sk; - foreach my $s (@subkeys) { - $sk{$s->get_name()} = $s; - } - - if (exists $sk{'extract'}) { - my $tag = "extract"; - ::rptMsg($key_path."\\extract [".gmtime($sk{'extract'}->get_timestamp)."]"); - my @vals = $sk{'extract'}->get_list_of_values(); - my %ext; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $num = $name; - $num =~ s/^$tag//; - $ext{$num} = $v->get_data(); - } - foreach my $e (sort {$a <=> $b} keys %ext) { - ::rptMsg(" extract".$e." -> ".$ext{$e}); - } - ::rptMsg(""); - } - else { - ::rptMsg("extract key not found."); - } - - if (exists $sk{'filemenu'}) { - my $tag = "filemenu"; - ::rptMsg($key_path."\\filemenu [".gmtime($sk{'extract'}->get_timestamp)."]"); - my @vals = $sk{'filemenu'}->get_list_of_values(); - my %ext; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $num = $name; - $num =~ s/^$tag//; - $ext{$num} = $v->get_data(); - } - foreach my $e (sort {$a <=> $b} keys %ext) { - ::rptMsg(" filemenu".$e." 
-> ".$ext{$e}); - } - } - else { - ::rptMsg("filemenu key not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/wordwheelquery.pl b/RecentActivity/release/rr/plugins/wordwheelquery.pl deleted file mode 100644 index 10a2eba1cf..0000000000 --- a/RecentActivity/release/rr/plugins/wordwheelquery.pl +++ /dev/null 
@@ -1,79 +0,0 @@ -#----------------------------------------------------------- -# wordwheelquery.pl -# For Windows 7 -# -# Change history -# 20100330 - created -# -# References -# http://www.winhelponline.com/blog/clear-file-search-mru-history-windows-7/ -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package wordwheelquery; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100330); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's WordWheelQuery key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching wordwheelquery v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my @list; - my %wwq; - foreach my $v (@vals) { - my $name = $v->get_name(); - if ($name eq "MRUListEx") { - @list = unpack("V*",$v->get_data()); - pop(@list) if ($list[scalar(@list) - 1] == 0xffffffff); - } - else { - my $data = $v->get_data(); - $data =~ s/\00//g; - $wwq{$name} = $data; - } - } -# list searches in MRUListEx order - ::rptMsg(""); - ::rptMsg("Searches listed in MRUListEx order"); - ::rptMsg(""); - foreach my $l (@list) { - ::rptMsg(sprintf "%-4d %-30s",$l,$wwq{$l}); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/xpedition.pl b/RecentActivity/release/rr/plugins/xpedition.pl deleted file mode 100644 index f3a5d35914..0000000000 --- a/RecentActivity/release/rr/plugins/xpedition.pl +++ /dev/null @@ -1,60 +0,0 @@ -#----------------------------------------------------------- -# xpedition.pl -# Determine the edition of XP (MediaCenter, TabletPC) -# -# History -# -# References -# http://windowsitpro.com/article/articleid/94531/ -# how-can-a-script-determine-if-windows-xp-tablet-pc-edition-is-installed.html -# http://unasked.com/question/view/id/119610 -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package xpedition; -use strict; -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090727); - -sub getConfig{return %config} -sub getShortDescr { - return "Queries System hive for XP Edition info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my $key; - my $edition = 0; - - ::logMsg("Launching xpedition v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - ::rptMsg("xpedition v.".$VERSION); - eval { - $key = $root_key->get_subkey("WPA\\MediaCenter")->get_value("Installed")->get_data(); - if ($key == 1) { - ::rptMsg("MediaCenter Edition"); - $edition = 1; - } - }; - - eval { - $key = $root_key->get_subkey("WPA\\TabletPC")->get_value("Installed")->get_data(); - if ($key == 1) { - ::rptMsg("TabletPC Edition"); - $edition = 1; - } - }; -} -1 \ No newline at end of file diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index ce51b19478..1c7727b63b 100755 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java 
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java @@ -35,9 +35,9 @@ public class Chrome { public static final String chquery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " - + "datetime(urls.last_visit_time/1000000-11644473600,'unixepoch','localtime') as last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; - public static final String chcookiequery = "select name, value, host_key, expires_utc, datetime(last_access_utc/1000000-11644473600,'unixepoch','localtime') as last_access_utc, creation_utc from cookies"; - public static final String chbookmarkquery = "SELECT starred.title, urls.url, starred.date_added, starred.date_modified, urls.typed_count, datetime(urls.last_visit_time/1000000-11644473600,'unixepoch','localtime') as urls._last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id"; + + "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; + public static final String chcookiequery = "select name, value, host_key, expires_utc,last_access_utc, creation_utc from cookies"; + public static final String chbookmarkquery = "SELECT starred.title, urls.url, starred.date_added, starred.date_modified, urls.typed_count,urls._last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id"; public static final String chdownloadquery = "select full_path, url, start_time, received_bytes from downloads"; public static final String chloginquery = "select origin_url, username_value, signon_realm from logins"; private final Logger logger = Logger.getLogger(this.getClass().getName()); 
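Review bot: The new `chbookmarkquery` selects `urls._last_visit_time`, which is not a column the rest of this file uses — `chquery` reads `urls.last_visit_time` — so the leading underscore looks like a leftover from the old `as urls._last_visit_time` alias and the query will fail at execution time; it should read `urls.typed_count, urls.last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id`. Dropping the `datetime(.../1000000-11644473600,'unixepoch','localtime')` wrapper also changes what callers get back: `last_visit_time` and `last_access_utc` are now raw Chrome-epoch microsecond values, yet the cookie hunk at L331 still stores `temprs.getString("last_access_utc")` as a TSK_DATETIME "Last Visited" attribute, so unless a Java-side conversion exists outside these hunks that attribute now holds an unconverted number. If the conversion is being moved into Java, that is also the place to emit UTC rather than the `'localtime'` the old SQL produced.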
@@ -85,7 +85,7 @@ public class Chrome { while(temprs.next()) { - + String domain = Util.extractDomain(temprs.getString("url")); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); Collection bbattributes = new ArrayList(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",temprs.getString("url"))); @@ -93,6 +93,7 @@ public class Chrome { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),"RecentActivity","",temprs.getString("from_visit"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),"RecentActivity","",((temprs.getString("title") != null) ? temprs.getString("title") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes); } 
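Review bot: `String domain = Util.extractDomain(temprs.getString("url"));` passes the raw column value straight into the helper, and whether `Util.extractDomain` tolerates a null argument is not visible here; the download hunk at L333 makes the inconsistency explicit, because it null-guards `temprs.getString("url")` for TSK_URL on the very next lines but not for the domain call. Read the column once and guard it in both the history hunk here and the download hunk: `String rawUrl = temprs.getString("url");` followed by `String domain = Util.extractDomain(rawUrl != null ? rawUrl : "");`, and reuse `rawUrl` for the TSK_URL attribute. The bookmark hunk at L332 reads `url` from JSON via `getAsString()` and is not affected by the SQL null case.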
@@ -156,11 +157,13 @@ public class Chrome {
 {
 BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
 Collection bbattributes = new ArrayList();
+ String domain = temprs.getString("host_key");
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host_key")));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity", "Last Visited",temprs.getString("last_access_utc")));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",temprs.getString("value")));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : "")));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
 bbart.addAttributes(bbattributes);
 }
 tempdbconnect.closeConnection();
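Review bot: `String domain = temprs.getString("host_key");` stores the cookie's host_key verbatim as TSK_DOMAIN, whereas every other artifact in this change derives the domain through `Util.extractDomain`; Chrome typically records domain-scoped cookies with a leading dot in host_key (e.g. `.example.com`), so the cookie domain will not line up with the history, bookmark and download domains when results are grouped. Normalise before storing, for instance `String host = temprs.getString("host_key");` and `String domain = (host != null && host.startsWith(".")) ? host.substring(1) : host;`, or route it through the same helper if it accepts bare hosts. The same `host` local can then replace the second `temprs.getString("host_key")` call used for TSK_URL.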
@@ -231,13 +234,14 @@ public class Chrome { String url = address.get("url").getAsString(); String name = address.get("name").getAsString(); String date = address.get("date_added").getAsString(); - + String domain = Util.extractDomain(url); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); Collection bbattributes = new ArrayList(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",date)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes); } 
@@ -298,11 +302,12 @@ public class Chrome { { BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD); Collection bbattributes = new ArrayList(); + String domain = Util.extractDomain(temprs.getString("url")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("start_time"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : ""))); //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", temprs.getString("full_path"))); - + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); bbart.addAttributes(bbattributes); 
@@ -370,7 +375,7 @@ public class Chrome { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity","", ((temprs.getString("username_value") != null) ? temprs.getString("username_value").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", "", temprs.getString("signon_realm"))); - + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : "")))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); bbart.addAttributes(bbattributes); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java index 97399ef3c3..7c7035d79e 100755 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java @@ -28,6 +28,8 @@ import java.sql.ResultSet; //Util Imports import java.sql.SQLException; +import java.text.ParseException; +import java.text.SimpleDateFormat; import java.util.ArrayList; import java.util.HashMap; import java.util.List; @@ -44,6 +46,7 @@ import org.openide.modules.InstalledFileLocator; import org.openide.util.Exceptions; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.datamodel.ContentUtils; +import org.sleuthkit.autopsy.datamodel.DataConversion; import org.sleuthkit.autopsy.datamodel.KeyValue; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; import org.sleuthkit.autopsy.ingest.IngestManager; 
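Review bot: The added line creates a second TSK_DOMAIN attribute on the same login artifact, directly after the existing one that stores `signon_realm` under the module name "Recent Activity"; the two carry different values and different module-name spellings ("Recent Activity" vs "RecentActivity"), so a consumer expecting one domain per artifact will pick one of them arbitrarily. Decide which value TSK_DOMAIN should hold — the realm or the domain extracted from `origin_url` — and keep only that one, or at least unify the module-name string so the pair can be told apart deliberately. The triple `temprs.getString("origin_url")` evaluation on the new line should be hoisted into a local, `String originUrl = temprs.getString("origin_url") != null ? temprs.getString("origin_url") : "";`, and reused by the TSK_URL line above it.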
@@ -125,13 +128,14 @@ public class ExtractIE { // implements BrowserActivity { } String name = Favorite.getName(); String datetime = Favorite.getCrtimeAsDate(); - + String domain = Util.extractDomain(url); BlackboardArtifact bbart = Favorite.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); Collection bbattributes = new ArrayList(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",datetime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK)); @@ -182,7 +186,7 @@ public class ExtractIE { // implements BrowserActivity { String value = values.length > 1 ? values[1] : ""; String name = values.length > 0 ? values[0] : ""; String datetime = Cookie.getCrtimeAsDate(); - + String domain = Util.extractDomain(url); BlackboardArtifact bbart = Cookie.newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE); Collection bbattributes = new ArrayList(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url)); 
@@ -190,6 +194,7 @@ public class ExtractIE { // implements BrowserActivity { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",(name != null) ? name : "")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes); } 
@@ -205,6 +210,79 @@ public class ExtractIE { // implements BrowserActivity { logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex); } + + //Recent Documents section + // This gets the recent object info + try + { + Case currentCase = Case.getCurrentCase(); // get the most updated case + SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + String allFS = new String(); + for(String img : image) + { + allFS += " AND fs_obj_id = '" + img + "'"; + } + List RecentList; + + ResultSet rs = tempDb.runQuery(recentQuery + allFS); + RecentList = tempDb.resultSetToFsContents(rs); + rs.close(); + rs.getStatement().close(); + + for(FsContent Recent : RecentList) + { + if (controller.isCancelled() ) { + break; + } + Content fav = Recent; + + byte[] t = new byte[(int) fav.getSize()]; + + int bytesRead = 0; + if (fav.getSize() > 0) { + bytesRead = fav.read(t, 0, fav.getSize()); // read the data + } + + + // set the data on the bottom and show it + + String recentString = new String(); + + + if (bytesRead > 0) { + recentString = DataConversion.getString(t, bytesRead, 4); + } + + + String path = Util.getPath(recentString); + String name = Util.getFileName(path); + String datetime = Recent.getCrtimeAsDate(); + BlackboardArtifact bbart = Recent.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); + Collection bbattributes = new ArrayList(); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(),"RecentActivity","Last Visited",path)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(),"RecentActivity","",Util.findID(path))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity","Date Created",datetime)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Windows Explorer")); + 
bbart.addAttributes(bbattributes); + IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT)); + + } + } + catch(IOException E) + { + + } + catch(TskException ex) + { + logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex); + } + catch(SQLException ioex) + { + logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex); + } + + } //@Override @@ -305,18 +383,17 @@ public class ExtractIE { // implements BrowserActivity { boolean success = true; try { - List command = new ArrayList(); + StringBuilder command = new StringBuilder(); - command.add("-cp"); - command.add("\"" + PASCO_LIB_PATH + "\""); - command.add(" isi.pasco2.Main"); - command.add(" -T history"); - command.add("\"" + indexFilePath + "\""); - command.add(" > \"" + PASCO_RESULTS_PATH + "\\pasco2Result." + Integer.toString(fileIndex) + ".txt\""); + command.append(" -cp"); + command.append(" \"" + PASCO_LIB_PATH + "\""); + command.append(" isi.pasco2.Main"); + command.append(" -T history"); + command.append(" \"" + indexFilePath + "\""); + command.append(" > \"" + PASCO_RESULTS_PATH + "\\pasco2Result." + Integer.toString(fileIndex) + ".txt\""); // command.add(" > " + "\"" + PASCO_RESULTS_PATH + File.separator + Long.toString(bbId) + "\""); - String[] cmd = command.toArray(new String[0]); - - JavaSystemCaller.Exec.execute("java", cmd); + String cmd = command.toString(); + JavaSystemCaller.Exec.execute("\"java "+cmd+ "\""); } catch (Exception e) { success = false; @@ -377,6 +454,7 @@ public class ExtractIE { // implements BrowserActivity { String actime = lineBuff[3]; String user = ""; String realurl = ""; + String domain = ""; if(url.length > 1) { user = url[0]; 
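Review bot: The new `catch(IOException E) { }` swallows the error silently, and because the try block wraps the whole `for(FsContent Recent : RecentList)` loop, one unreadable file ends recent-document extraction for every remaining file with no log entry; the sibling catches log at WARNING, so at minimum `catch(IOException E) { logger.log(Level.WARNING, "Error while trying to read recent document content.", E); }`, and better to move the read into a per-file try so the loop continues. `byte[] t = new byte[(int) fav.getSize()]` allocates the full size of an evidence file after an `int` truncation, so an oversized or crafted file can exhaust the heap or raise `NegativeArraySizeException`, a runtime exception none of the catch clauses handle; recent-document entries are small, so cap the read size and log-and-skip anything above it. `allFS` is assembled by string concatenation from `image` and handed to `tempDb.runQuery` as raw SQL; the values look like numeric ids, but confirm they cannot carry anything else. The enclosing method begins before this hunk.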
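Review bot: Replacing the argument list with a single quoted string `"\"java "+cmd+ "\""` that carries a `>` redirection means `indexFilePath` and `PASCO_RESULTS_PATH` are now interpreted by a shell (cmd.exe, judging from the quoting), so a path containing a double quote or a metacharacter breaks the command or changes what runs, and the call is no longer portable. The earlier list form `execute("java", cmd)` avoided the shell; the likely reason it misbehaved is visible in the removed lines, where entries such as `" isi.pasco2.Main"` and `"\"" + PASCO_LIB_PATH + "\""` embedded leading spaces and quote characters into the arguments themselves. Keep the list form with clean arguments and write the process's stdout to the result file from Java — with `javac.source=1.6` in this project that means copying the `InputStream` rather than using `ProcessBuilder.redirectOutput`. The enclosing method begins before this hunk.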
@@ -389,14 +467,20 @@ public class ExtractIE { // implements BrowserActivity { realurl = realurl.replaceAll(":(.*?):", ""); realurl = realurl.replace(":Host:", ""); realurl = realurl.trim(); + domain = Util.extractDomain(realurl); } if(!ddtime.isEmpty()){ ddtime = ddtime.replace("T"," "); ddtime = ddtime.substring(ddtime.length()-5); } if(!actime.isEmpty()){ - actime = actime.replace("T"," "); - actime = actime.substring(0,actime.length()-5); + try{ + Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(actime).getTime(); + actime = epochtime.toString(); + } + catch(ParseException e){ + logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage()); + } } // TODO: Need to fix this so we have the right obj_id @@ -411,7 +495,7 @@ public class ExtractIE { // implements BrowserActivity { // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "", ddtime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer")); - + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(),"RecentActivity","",user)); bbart.addAttributes(bbattributes); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 54ae347a38..7b0c29082a 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java 
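Review bot: The new `SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'")` treats the trailing `Z` as a literal and parses in the JVM's default time zone, so a UTC timestamp is shifted by the examiner machine's offset; call `setTimeZone(TimeZone.getTimeZone("UTC"))` on the formatter before `parse`. `getTime()` yields milliseconds, while the report code in this diff (reportHTML, hunk at `-230`) multiplies datetime values by 1000 and therefore expects seconds — one side has to change, presumably a `/ 1000` here. The SEVERE log call passes `e.getMessage()` as a format parameter to a message with no `{0}`, so the detail is dropped; pass the exception itself: `logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e);`. The enclosing method continues outside the hunk.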
@@ -8,10 +8,8 @@ import java.io.BufferedReader; import java.io.File; import java.io.FileInputStream; import java.io.IOException; -import java.io.InputStream; import java.io.InputStreamReader; import java.io.StringReader; -import java.nio.charset.Charset; import java.sql.ResultSet; import java.sql.SQLException; import java.util.ArrayList; @@ -21,6 +19,7 @@ import java.util.List; import java.util.Scanner; import java.util.logging.Level; import java.util.logging.Logger; +import org.apache.commons.lang3.StringEscapeUtils; import org.jdom.Document; import org.jdom.Element; import org.jdom.input.SAXBuilder; @@ -149,7 +148,7 @@ public void getregistryfiles(List image, IngestImageWorkerController con if(regFilePath.toLowerCase().contains("system")) { - type = "1system"; + type = "autopsysystem"; } if(regFilePath.toLowerCase().contains("software")) { @@ -172,8 +171,8 @@ public void getregistryfiles(List image, IngestImageWorkerController con type = "1security"; } - String command = RR_PATH + " -r " + regFilePath +" -f " + type + "> " + txtPath; - JavaSystemCaller.Exec.execute(command); + String command = "\"" + RR_PATH + "\" -r \"" + regFilePath +"\" -f " + type + " > \"" + txtPath + "\" 2> NUL"; + JavaSystemCaller.Exec.execute("\""+command + "\""); } 
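Review bot: In the `-172` hunk `command` becomes a cmd.exe-style string with nested quotes and a `2> NUL` redirect, wrapped once more in `"\""+command + "\""`, so `regFilePath` and `txtPath` are interpreted by the shell; a path containing a double quote breaks out of the quoting, and the construct is Windows-only where the removed line was shell-agnostic. Prefer passing `RR_PATH`, `"-r"`, `regFilePath`, `"-f"`, `type` as separate arguments and writing the process output to `txtPath` from Java. `2> NUL` discards RegRipper's stderr, so plugin failures during ingest leave no trace; capture it into the logger instead. The same hunk still sets `type = "1security"` while the previous hunk renames the system profile to `autopsysystem` — confirm the profile files shipped under `rr/plugins` match both names. The enclosing method begins before these hunks.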
@@ -196,13 +195,17 @@ public void getregistryfiles(List image, IngestImageWorkerController con File regfile = new File(regRecord); FileInputStream fstream = new FileInputStream(regfile); - InputStreamReader fstreamReader = new InputStreamReader(fstream, "UTF-8"); + InputStreamReader fstreamReader = new InputStreamReader(fstream, "UTF-16"); BufferedReader input = new BufferedReader(fstreamReader); //logger.log(Level.INFO, "using encoding " + fstreamReader.getEncoding()); String regString = new Scanner(input).useDelimiter("\\Z").next(); regfile.delete(); - String startdoc = ""; + String startdoc = ""; String result = regString.replaceAll("----------------------------------------",""); + result = result.replaceAll("\\n", ""); + result = result.replaceAll("\\r",""); + result = result.replaceAll("'","'"); + result = result.replaceAll("&", "&"); String enddoc = ""; String stringdoc = startdoc + result + enddoc; SAXBuilder sb = new SAXBuilder(); 
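Review bot: The entity escaping added after the `----` strip is hand-rolled and order-sensitive: as rendered here the arguments of the last two `replaceAll` calls look identical (the entities were presumably lost in rendering), but if the apostrophe is rewritten to an entity before `&` is, the `&` inside that entity is escaped a second time — do the `&` replacement first. `StringEscapeUtils` is imported by this commit yet not used in any visible hunk; if it is meant to replace these calls, apply it to text segments only, since the RegRipper output also carries the XML tags `SAXBuilder` relies on. Switching the reader to a hard-coded `"UTF-16"` assumes every plugin writes UTF-16; a mismatched file will decode to mojibake rather than fail, so a comment such as `// RegRipper (rip.exe) output is UTF-16; see getregistryfiles` would help the next maintainer confirm the assumption. The enclosing method begins before this hunk.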
@@ -237,18 +240,19 @@ public void getregistryfiles(List image, IngestImageWorkerController con Collection bbattributes = new ArrayList(); if("recentdocs".equals(context)){ - BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value)); - bbart.addAttributes(bbattributes); +// BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); +// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time)); +// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name)); +// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value)); +// bbart.addAttributes(bbattributes); } - else if("runMRU".equals(context)){ - BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name)); + else if("usb".equals(context)){ + BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name)); + String dev = artnode.getAttributeValue("dev"); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", context, dev)); - 
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", context, value)); bbart.addAttributes(bbattributes); } else if("uninstall".equals(context)){ @@ -294,7 +298,8 @@ public void getregistryfiles(List image, IngestImageWorkerController con catch (Exception ex) { - logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex); + logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex); + String sadafd = ""; } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java index 4ae3be6e29..3da83643bf 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java 
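Review bot: In the new `usb` branch `artnode.getAttributeValue("dev")` goes straight into `BlackboardAttribute` with no null check, while neighbouring code guards string values with `(name != null) ? name : ""`; a plugin record without a `dev` attribute yields a null-valued attribute, so use `(dev != null) ? dev : ""`. `TSK_DATETIME` receives the string `name`, whereas the report code in this diff reads datetime attributes with `getValueLong()` (reportHTML, hunk at `-230`) — confirm which value type that attribute is stored with, otherwise device timestamps render as epoch zero. The old `recentdocs` branch is commented out rather than deleted; if it is superseded by the recent-documents code added to ExtractIE in this diff, remove it. The enclosing method begins before this hunk.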
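Review bot: `String sadafd = "";` in the catch block is an unused leftover (presumably a breakpoint holder) and should be removed. While here, the log call concatenates `ex` into the message instead of passing it as the Throwable, which loses the stack trace: `logger.log(Level.WARNING, "Error while trying to read into a registry file.", ex);`.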
@@ -31,10 +31,10 @@ import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; */ public class Firefox { - private static final String ffquery = "SELECT moz_historyvisits.id,url,title,visit_count,datetime(moz_historyvisits.visit_date/1000000,'unixepoch','localtime') as visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0"; - private static final String ffcookiequery = "SELECT name,value,host,expiry,datetime(moz_cookies.lastAccessed/1000000,'unixepoch','localtime') as lastAccessed,creationTime FROM moz_cookies"; + private static final String ffquery = "SELECT moz_historyvisits.id,url,title,visit_count,visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0"; + private static final String ffcookiequery = "SELECT name,value,host,expiry,lastAccessed,creationTime FROM moz_cookies"; private static final String ffbookmarkquery = "SELECT fk, moz_bookmarks.title, url FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id"; - private static final String ffdownloadquery = "select target, source, datetime(startTime/1000000,'unixepoch','localtime') as startTime, maxBytes from moz_downloads"; + private static final String ffdownloadquery = "select target, source,startTime, maxBytes from moz_downloads"; public Logger logger = Logger.getLogger(this.getClass().getName()); 
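Review bot: Dropping the `datetime(.../1000000,'unixepoch','localtime')` conversions means `visit_date`, `lastAccessed` and `startTime` now come back as raw Firefox values, which the removed query itself shows are microseconds since the epoch; the code consuming these columns is outside this diff, so confirm it divides by 1,000,000 before storing, otherwise every timestamp lands far in the future (the report code in this diff multiplies stored values by 1000, treating them as seconds). Leaving SQLite's `'localtime'` behind is the right direction for a forensic tool; record the contract on the constants, e.g. `// timestamps are selected raw (microseconds since epoch, UTC); the caller converts`.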
@@ -95,6 +95,7 @@ public class Firefox { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),"RecentActivity","",((temprs.getString("ref") != null) ? temprs.getString("ref") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),"RecentActivity","",((temprs.getString("title") != null) ? temprs.getString("title") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",(Util.extractDomain((temprs.getString("url") != null) ? temprs.getString("url") : "")))); bbart.addAttributes(bbattributes); } @@ -120,6 +121,7 @@ public class Firefox { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",((tempbm.getString("url") != null) ? tempbm.getString("url") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((tempbm.getString("title") != null) ? tempbm.getString("title").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(tempbm.getString("url")))); bbart.addAttributes(bbattributes); } tempbm.close(); 
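Review bot: In the `-120` hunk `Util.extractDomain(tempbm.getString("url"))` is called without the null guard the preceding line applies to the same column, and `extractDomain` (added in this diff) throws `NullPointerException` on null, so one bookmark row with a NULL url aborts the whole bookmark loop; reuse the guarded form, `Util.extractDomain((tempbm.getString("url") != null) ? tempbm.getString("url") : "")`, as the history hunk above already does. The downloads hunk on the next line (`-257`, `Util.extractDomain(temprs.getString("source"))`) has the same gap. The enclosing method begins before these hunks.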
@@ -189,6 +191,7 @@ public class Firefox { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",temprs.getString("host"))); bbart.addAttributes(bbattributes); } @@ -257,7 +260,8 @@ public class Firefox { //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : ""))); String urldecodedtarget = URLDecoder.decode(temprs.getString("target").replaceAll("file:///", ""), "UTF-8"); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", urldecodedtarget)); - + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(temprs.getString("source")))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); bbart.addAttributes(bbattributes); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java index 90a75f165f..6dbe20bee1 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java 
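Review bot: `temprs.getString("host")` is stored directly as `TSK_DOMAIN` without the null guard applied to `name` two lines up; guard it as `((temprs.getString("host") != null) ? temprs.getString("host") : "")`. The cookie `host` column is a cookie domain rather than a URL host, so domain cookies may carry a leading dot and will not line up with the values `Util.extractDomain` produces for history and bookmarks — confirm against a sample `cookies.sqlite` and strip the dot if the report groups by domain. The enclosing method begins before this hunk.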
@@ -6,6 +6,7 @@ package org.sleuthkit.autopsy.recentactivity; import java.io.File; import java.io.FileInputStream; import java.io.IOException; +import java.net.URL; import java.nio.MappedByteBuffer; import java.nio.channels.FileChannel; import java.nio.charset.Charset; @@ -15,7 +16,11 @@ import java.sql.Statement; import java.text.SimpleDateFormat; import java.util.Date; import java.util.List; +import java.util.logging.Level; import java.util.logging.Logger; +//import org.apache.commons.lang.NullArgumentException; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.SleuthkitCase; @@ -24,7 +29,7 @@ import org.sleuthkit.datamodel.SleuthkitCase; * @author Alex */ public class Util { -public Logger logger = Logger.getLogger(this.getClass().getName()); +private Logger logger = Logger.getLogger(this.getClass().getName()); private Util(){ 
@@ -87,4 +92,90 @@ public static boolean imgpathexists(String path){ } } + +public static String extractDomain(String value){ + if (value == null) throw new java.lang.NullPointerException("domains to extract"); + String result = ""; + // String domainPattern = "(\\w+)\\.(AC|AD|AE|AERO|AF|AG|AI|AL|AM|AN|AO|AQ|AR|ARPA|AS|ASIA|AT|AU|AW|AX|AZ|BA|BB|BD|BE|BF|BG|BH|BI|BIZ|BJ|BM|BN|BO|BR|BS|BT|BV|BW|BY|BZ|CA|CAT|CC|CD|CF|CG|CH|CI|CK|CL|CM|CN|CO|COM|COOP|CR|CU|CV|CW|CX|CY|CZ|DE|DJ|DK|DM|DO|DZ|EC|EDU|EE|EG|ER|ES|ET|EU|FI|FJ|FK|FM|FO|FR|GA|GB|GD|GE|GF|GG|GH|GI|GL|GM|GN|GOV|GP|GQ|GR|GS|GT|GU|GW|GY|HK|HM|HN|HR|HT|HU|ID|IE|IL|IM|IN|INFO|INT|IO|IQ|IR|IS|IT|JE|JM|JO|JOBS|JP|KE|KG|KH|KI|KM|KN|KP|KR|KW|KY|KZ|LA|LB|LC|LI|LK|LR|LS|LT|LU|LV|LY|MA|MC|MD|ME|MG|MH|MIL|MK|ML|MM|MN|MO|MOBI|MP|MQ|MR|MS|MT|MU|MUSEUM|MV|MW|MX|MY|MZ|NA|NAME|NC|NE|NET|NF|NG|NI|NL|NO|NP|NR|NU|NZ|OM|ORG|PA|PE|PF|PG|PH|PK|PL|PM|PN|PR|PRO|PS|PT|PW|PY|QA|RE|RO|RS|RU|RW|SA|SB|SC|SD|SE|SG|SH|SI|SJ|SK|SL|SM|SN|SO|SR|ST|SU|SV|SX|SY|SZ|TC|TD|TEL|TF|TG|TH|TJ|TK|TL|TM|TN|TO|TP|TR|TRAVEL|TT|TV|TW|TZ|UA|UG|UK|US|UY|UZ|VA|VC|VE|VG|VI|VN|VU|WF|WS|XXX|YE|YT|ZA|ZM|ZW(co\\.[a-z].))"; + // Pattern p = Pattern.compile(domainPattern,Pattern.CASE_INSENSITIVE); + // Matcher m = p.matcher(value); + // while (m.find()) { + // result = value.substring(m.start(0),m.end(0)); + // } + try{ + URL url = new URL(value); + result = url.getHost(); + } + catch(Exception e){ + + } + + return result; + } + +public static String getFileName(String value){ + String filename = ""; + String filematch = "^([a-zA-Z]\\:)(\\\\[^\\\\/:*?<>\"|]*(?|]+)+)"; // Windows network + + Pattern p2 = Pattern.compile(network,Pattern.CASE_INSENSITIVE | Pattern.DOTALL); + Matcher m2 = p2.matcher(txt); + if (m2.find()) + { + path = m2.group(1); + } + } + return path; + } + +public static long findID(String path) { + String parent_path = path.replace('\\', '/'); // fix Chrome paths + parent_path = parent_path.substring(2); // remove drive letter (e.g., 'C:') + int index = 
parent_path.lastIndexOf('/'); + String name = parent_path.substring(++index); + parent_path = parent_path.substring(0, index); + String query = "select * from tsk_files where parent_path like \"" + parent_path + "\" AND name like \"" + name + "\""; + Case currentCase = Case.getCurrentCase(); + SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + try { + ResultSet rs = tempDb.runQuery(query); + List results = tempDb.resultSetToFsContents(rs); + Statement s = rs.getStatement(); + rs.close(); + if (s != null) + s.close(); + if(results.size() > 0) { + return results.get(0).getId(); + } + } catch (Exception ex) { + // logger.log(Level.WARNING, "Error retrieving content from DB", ex); + } + return -1; + } } \ No newline at end of file diff --git a/Report/nbproject/genfiles.properties b/Report/nbproject/genfiles.properties index 945c2734f9..03f0e6b880 100644 --- a/Report/nbproject/genfiles.properties +++ b/Report/nbproject/genfiles.properties @@ -1,8 +1,8 @@ -build.xml.data.CRC32=9224614a +build.xml.data.CRC32=38c0b1aa build.xml.script.CRC32=bbb1c310 build.xml.stylesheet.CRC32=a56c6a5b@1.46.1 # This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml. # Do not edit this file. You may delete it but then the IDE will never regenerate such files for you. -nbproject/build-impl.xml.data.CRC32=9224614a +nbproject/build-impl.xml.data.CRC32=38c0b1aa nbproject/build-impl.xml.script.CRC32=1562aec2 nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.1 diff --git a/Report/nbproject/project.properties b/Report/nbproject/project.properties index 17255bac6b..256c008f13 100644 --- a/Report/nbproject/project.properties +++ b/Report/nbproject/project.properties 
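Review bot: `findID` interpolates `parent_path` and `name` directly into the SQL string handed to `tempDb.runQuery`; in ExtractIE these values come from `Util.getPath(recentString)`, i.e. from bytes decoded out of an evidence file, so a file crafted with quote characters can alter the query run against the case database, and `%`/`_` in an ordinary file name silently widen the `like` match. `runQuery(String)` is the only database API visible here, so at minimum quote the values as SQL string literals with embedded quotes doubled, and move to a parameterized query if `SleuthkitCase` offers one. `parent_path.substring(2)` throws `StringIndexOutOfBoundsException` on an empty or drive-letter-only path (which `getPath` appears to return when nothing matches), and that runtime exception falls outside the `catch (Exception ex)` around the query, so it propagates into the caller's loop. `extractDomain` throws on null yet returns `""` from an empty catch on a malformed URL; either log at FINE or comment that the swallow is intentional, and the now-`private` instance `logger` is unreachable from these static methods (the commented-out call in `findID` shows the mismatch).
```java
public static long findID(String path) {
    // Anything shorter than "X:/" has no parent path or name to look up.
    if (path == null || path.length() < 3) {
        return -1;
    }
    String parent_path = path.replace('\\', '/'); // fix Chrome paths
    parent_path = parent_path.substring(2); // remove drive letter (e.g., 'C:')
    int index = parent_path.lastIndexOf('/');
    String name = parent_path.substring(++index);
    parent_path = parent_path.substring(0, index);
    // Both values originate from evidence content: quote them as SQL literals.
    String query = "select * from tsk_files where parent_path like '" + sqlLiteral(parent_path)
            + "' AND name like '" + sqlLiteral(name) + "'";
    // … unchanged: run query, close statement, return first id or -1 …
}

/** Doubles embedded single quotes so the value can sit inside a '...' SQL literal. */
private static String sqlLiteral(String value) {
    return value.replace("'", "''");
}
```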
@@ -1,2 +1,14 @@ +file.reference.commons-logging-1.1.jar=release/modules/ext/commons-logging-1.1.jar +file.reference.dom4j-1.6.1.jar=release/modules/ext/dom4j-1.6.1.jar +file.reference.jdom-1.1.2.jar=release/modules/ext/jdom-1.1.2.jar +file.reference.junit-3.8.1.jar=release/modules/ext/junit-3.8.1.jar +file.reference.log4j-1.2.13.jar=release/modules/ext/log4j-1.2.13.jar +file.reference.poi-3.8-20120326.jar=release/modules/ext/poi-3.8-20120326.jar +file.reference.poi-excelant-3.8-20120326.jar=release/modules/ext/poi-excelant-3.8-20120326.jar +file.reference.poi-ooxml-3.8-20120326.jar=release/modules/ext/poi-ooxml-3.8-20120326.jar +file.reference.poi-ooxml-schemas-3.8-20120326.jar=release/modules/ext/poi-ooxml-schemas-3.8-20120326.jar +file.reference.poi-scratchpad-3.8-20120326.jar=release/modules/ext/poi-scratchpad-3.8-20120326.jar +file.reference.stax-api-1.0.1.jar=release/modules/ext/stax-api-1.0.1.jar +file.reference.xmlbeans-2.3.0.jar=release/modules/ext/xmlbeans-2.3.0.jar javac.source=1.6 javac.compilerargs=-Xlint -Xlint:-serial diff --git a/Report/nbproject/project.xml b/Report/nbproject/project.xml index 959460f967..b7a7ee39b9 100644 --- a/Report/nbproject/project.xml +++ b/Report/nbproject/project.xml @@ -6,12 +6,6 @@ org.sleuthkit.autopsy.report - - org.netbeans.libs.felix - - 1.5.1 - - org.netbeans.swing.plaf 
@@ -143,10 +137,58 @@ + + ext/poi-excelant-3.8-20120326.jar + release/modules/ext/poi-excelant-3.8-20120326.jar + + + ext/junit-3.8.1.jar + release/modules/ext/junit-3.8.1.jar + + + ext/poi-ooxml-schemas-3.8-20120326.jar + release/modules/ext/poi-ooxml-schemas-3.8-20120326.jar + ext/jdom-1.1.2.jar release/modules/ext/jdom-1.1.2.jar + + ext/poi-3.8-20120326.jar + release/modules/ext/poi-3.8-20120326.jar + + + ext/poi-ooxml-3.8-20120326.jar + release/modules/ext/poi-ooxml-3.8-20120326.jar + + + ext/poi-scratchpad-3.8-20120326.jar + release/modules/ext/poi-scratchpad-3.8-20120326.jar + + + ext/dom4j-1.6.1.jar + release/modules/ext/dom4j-1.6.1.jar + + + ext/stax-api-1.0.1.jar + release/modules/ext/stax-api-1.0.1.jar + + + ext/commons-logging-1.1.jar + release/modules/ext/commons-logging-1.1.jar + + + ext/log4j-1.2.13.jar + release/modules/ext/log4j-1.2.13.jar + + + ext/xmlbeans-2.3.0.jar + release/modules/ext/xmlbeans-2.3.0.jar + + + ext/commons-lang3-3.1.jar + release/modules/ext/commons-lang3-3.1.jar + diff --git a/Report/release/modules/ext/cobra-0.98.4.zip b/Report/release/modules/ext/cobra-0.98.4.zip deleted file mode 100644 index 705d3772e8..0000000000 Binary files a/Report/release/modules/ext/cobra-0.98.4.zip and /dev/null differ diff --git a/Report/release/modules/ext/commons-lang3-3.1.jar b/Report/release/modules/ext/commons-lang3-3.1.jar new file mode 100644 index 0000000000..a85e539b17 Binary files /dev/null and b/Report/release/modules/ext/commons-lang3-3.1.jar differ diff --git a/Report/release/modules/ext/commons-logging-1.1.jar b/Report/release/modules/ext/commons-logging-1.1.jar new file mode 100644 index 0000000000..2ff9bbd90d Binary files /dev/null and b/Report/release/modules/ext/commons-logging-1.1.jar differ diff --git a/Report/release/modules/ext/dom4j-1.6.1.jar b/Report/release/modules/ext/dom4j-1.6.1.jar new file mode 100644 index 0000000000..c8c4dbb92d Binary files /dev/null and b/Report/release/modules/ext/dom4j-1.6.1.jar differ 
diff --git a/Report/release/modules/ext/install-lobo-0.98.4.jar b/Report/release/modules/ext/install-lobo-0.98.4.jar deleted file mode 100644 index d5e85d11d1..0000000000 Binary files a/Report/release/modules/ext/install-lobo-0.98.4.jar and /dev/null differ diff --git a/Report/release/modules/ext/junit-3.8.1.jar b/Report/release/modules/ext/junit-3.8.1.jar new file mode 100644 index 0000000000..674d71e89e Binary files /dev/null and b/Report/release/modules/ext/junit-3.8.1.jar differ diff --git a/Report/release/modules/ext/log4j-1.2.13.jar b/Report/release/modules/ext/log4j-1.2.13.jar new file mode 100644 index 0000000000..dde9972109 Binary files /dev/null and b/Report/release/modules/ext/log4j-1.2.13.jar differ diff --git a/Report/release/modules/ext/poi-3.8-20120326.jar b/Report/release/modules/ext/poi-3.8-20120326.jar new file mode 100644 index 0000000000..edc0ee59b8 Binary files /dev/null and b/Report/release/modules/ext/poi-3.8-20120326.jar differ diff --git a/Report/release/modules/ext/poi-excelant-3.8-20120326.jar b/Report/release/modules/ext/poi-excelant-3.8-20120326.jar new file mode 100644 index 0000000000..ad39033cfe Binary files /dev/null and b/Report/release/modules/ext/poi-excelant-3.8-20120326.jar differ diff --git a/Report/release/modules/ext/poi-ooxml-3.8-20120326.jar b/Report/release/modules/ext/poi-ooxml-3.8-20120326.jar new file mode 100644 index 0000000000..9175c16d95 Binary files /dev/null and b/Report/release/modules/ext/poi-ooxml-3.8-20120326.jar differ diff --git a/Report/release/modules/ext/poi-ooxml-schemas-3.8-20120326.jar b/Report/release/modules/ext/poi-ooxml-schemas-3.8-20120326.jar new file mode 100644 index 0000000000..2372d1edfb Binary files /dev/null and b/Report/release/modules/ext/poi-ooxml-schemas-3.8-20120326.jar differ 
diff --git a/Report/release/modules/ext/poi-scratchpad-3.8-20120326.jar b/Report/release/modules/ext/poi-scratchpad-3.8-20120326.jar new file mode 100644 index 0000000000..02e52e848d Binary files /dev/null and b/Report/release/modules/ext/poi-scratchpad-3.8-20120326.jar differ diff --git a/Report/release/modules/ext/stax-api-1.0.1.jar b/Report/release/modules/ext/stax-api-1.0.1.jar new file mode 100644 index 0000000000..d9a1665151 Binary files /dev/null and b/Report/release/modules/ext/stax-api-1.0.1.jar differ diff --git a/Report/release/modules/ext/xmlbeans-2.3.0.jar b/Report/release/modules/ext/xmlbeans-2.3.0.jar new file mode 100644 index 0000000000..ccd8163421 Binary files /dev/null and b/Report/release/modules/ext/xmlbeans-2.3.0.jar differ diff --git a/Report/src/org/sleuthkit/autopsy/report/report.java b/Report/src/org/sleuthkit/autopsy/report/report.java index e87d4e60ee..5365eae6ae 100644 --- a/Report/src/org/sleuthkit/autopsy/report/report.java +++ b/Report/src/org/sleuthkit/autopsy/report/report.java @@ -218,6 +218,28 @@ public HashMap> getInstalledPr return reportMap; } +@Override +public HashMap> getDevices() { + HashMap> reportMap = new HashMap(); + Case currentCase = Case.getCurrentCase(); // get the most updated case + SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + try + { + ArrayList bbart = tempDb.getBlackboardArtifacts(11); + for (BlackboardArtifact artifact : bbart) + { + ArrayList attributes = artifact.getAttributes(); + reportMap.put(artifact, attributes); + } + } + catch (Exception e) + { + Logger.getLogger(report.class.getName()).log(Level.INFO, "Exception occurred", e); + } + + return reportMap; +} + @Override public String getGroupedKeywordHit() { StringBuilder table = new StringBuilder(); diff --git a/Report/src/org/sleuthkit/autopsy/report/reportFilter.form b/Report/src/org/sleuthkit/autopsy/report/reportFilter.form index 381679b708..7b3e65968b 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportFilter.form 
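Review bot: `tempDb.getBlackboardArtifacts(11)` in the new `getDevices` hard-codes the artifact type id, while the producer in this same diff (ExtractRegistry) uses `ARTIFACT_TYPE.TSK_DEVICE_ATTACHED`; use `ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()` here and in the `filters.add(11)` / `== 11` checks added to reportFilter and reportHTML so all three stay in step if the enum is renumbered. The catch logs a failed database read at `Level.INFO` with the generic text `"Exception occurred"`; log at WARNING with a message naming the method, as the extractors in this diff do.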
+++ b/Report/src/org/sleuthkit/autopsy/report/reportFilter.form @@ -41,37 +41,30 @@ + - - - - - - - - - - - - + + + + + + + - - - - - - - - + - - + + + + + + @@ -96,7 +89,7 @@ - + diff --git a/Report/src/org/sleuthkit/autopsy/report/reportFilter.java b/Report/src/org/sleuthkit/autopsy/report/reportFilter.java index 6bab8b7846..aadf1692fa 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportFilter.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportFilter.java @@ -196,11 +196,13 @@ private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRS if(jCheckBox4.isSelected()) { filters.add(10); + } if(jCheckBox5.isSelected()) { filters.add(6); - filters.add(8); + filters.add(8); + filters.add(11); } getReports(); }//GEN-LAST:event_jButton1ActionPerformed diff --git a/Report/src/org/sleuthkit/autopsy/report/reportHTML.java b/Report/src/org/sleuthkit/autopsy/report/reportHTML.java index b7bfc91923..558fbab172 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportHTML.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportHTML.java @@ -55,6 +55,7 @@ public reportHTML (HashMap> re int countInstalled = 0; int countKeyword = 0; int countHash = 0; + int countDevice = 0; for (Entry> entry : report.entrySet()) { if(entry.getKey().getArtifactTypeID() == 1){ countGen++; @@ -88,6 +89,9 @@ public reportHTML (HashMap> re if(entry.getKey().getArtifactTypeID() == 10){ countHash++; } + if(entry.getKey().getArtifactTypeID() == 11){ + countDevice++; + } } try{ @@ -157,6 +161,9 @@ public reportHTML (HashMap> re formatted_Report.append("
"); if(countWebBookmark > 0){ formatted_Report.append(""); + } + if(countWebCookie > 0){ + formatted_Report.append(""); } if(countWebHistory > 0){ formatted_Report.append(""); @@ -175,6 +182,9 @@ public reportHTML (HashMap> re } if(countHash > 0){ formatted_Report.append(""); + } + if(countDevice > 0){ + formatted_Report.append(""); } formatted_Report.append("
SectionCount
Web Bookmarks").append(countWebBookmark).append("
Web Cookies").append(countWebCookie).append("
Web History").append(countWebHistory).append("
Hash Hits").append(countHash).append("
Attached Devices").append(countDevice).append("

"); String tableHeader = ""; @@ -183,11 +193,13 @@ public reportHTML (HashMap> re StringBuilder nodeWebCookie = new StringBuilder("

Web Cookies (").append(countWebCookie).append(")

").append(tableHeader).append("
"); StringBuilder nodeWebHistory = new StringBuilder("

Web History (").append(countWebHistory).append(")

").append(tableHeader).append(""); StringBuilder nodeWebDownload = new StringBuilder("

Web Downloads (").append(countWebDownload).append(")

").append(tableHeader).append(""); - StringBuilder nodeRecentObjects = new StringBuilder("

Recent Documents (").append(countRecentObjects).append(")

").append(tableHeader).append(""); + StringBuilder nodeRecentObjects = new StringBuilder("

Recent Documents (").append(countRecentObjects).append(")

").append(tableHeader).append(""); StringBuilder nodeTrackPoint = new StringBuilder("

Track Points (").append(countTrackPoint).append(")

").append(tableHeader).append(""); StringBuilder nodeInstalled = new StringBuilder("

Installed Programs (").append(countInstalled).append(")

").append(tableHeader).append(""); StringBuilder nodeKeyword = new StringBuilder("

Keyword Search Hits (").append(countKeyword).append(")

"); StringBuilder nodeHash = new StringBuilder("

Hashset Hit (").append(countHash).append(")

").append(tableHeader).append(""); + StringBuilder nodeDevice = new StringBuilder("

Attached Devices (").append(countHash).append(")

").append(tableHeader).append(""); + int alt = 0; String altRow = ""; for (Entry> entry : report.entrySet()) { @@ -230,6 +242,9 @@ public reportHTML (HashMap> re int type = tempatt.getAttributeTypeID(); if(tempatt.getValueString() == null || tempatt.getValueString() == "null"){ + } + else if(type == 2){ + value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date ((tempatt.getValueLong())*1000)); } else { @@ -281,9 +296,9 @@ public reportHTML (HashMap> re } if(entry.getKey().getArtifactTypeID() == 6){ //artifact.append(""); - artifact.append(""); - artifact.append(""); + artifact.append(""); + artifact.append(""); + artifact.append(""); artifact.append(""); nodeRecentObjects.append(artifact); } @@ -316,6 +331,13 @@ public reportHTML (HashMap> re artifact.append(""); nodeHash.append(artifact); } + if(entry.getKey().getArtifactTypeID() == 11){ + artifact.append(""); + artifact.append(""); + artifact.append(""); + artifact.append(""); + nodeDevice.append(artifact); + } cc++; rr.progBarSet(cc); } @@ -359,6 +381,10 @@ public reportHTML (HashMap> re formatted_Report.append(nodeHash); formatted_Report.append("
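Review bot: The new `nodeDevice` header appends `countHash` instead of `countDevice` (`Attached Devices (").append(countHash)`), so the section title shows the hash-hit count; change it to `.append(countDevice)`. In the `-230` hunk, `else if(type == 2)` formats `getValueLong()*1000` with a `SimpleDateFormat` that uses the JVM default time zone and prints no zone designator, so the same case renders different times on different examiner machines — set the formatter's zone to UTC and add a zone field to the pattern; also note that ExtractIE in this diff now stores `getTime()` milliseconds, which this `*1000` would scale again. The `attributes.get(18)` / `get(20)` / `get(2)` indices in the `-316` hunk look like attribute type ids; if they are, the `ATTRIBUTE_TYPE` constants would make the intent checkable. The enclosing constructor begins before these hunks.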
URLDateNameValueProgram
URLDateReferrerTitleProgram
FileSourceTimeProgram
NamePathSize
NamePathRelated Shortcut
Artifact IDNameSizeAttributeValue
Program NameInstall Date/Time
NameSizeHashset Name
NameSerial #Time
").append(objId.toString()); - artifact.append("").append(attributes.get(6)).append("").append(attributes.get(5)).append("").append(filesize.toString()).append("").append(attributes.get(3)).append("").append(attributes.get(8)).append("").append(file.getName()).append("
").append(attributes.get(18)).append("").append(attributes.get(20)).append("").append(attributes.get(2)).append("
"); } + if(countDevice > 0){ + formatted_Report.append(nodeDevice); + formatted_Report.append(""); + } //end of master loop formatted_Report.append(""); diff --git a/Report/src/org/sleuthkit/autopsy/report/reportInterface.java b/Report/src/org/sleuthkit/autopsy/report/reportInterface.java index 61ab8b8dfe..3775b92fd3 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportInterface.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportInterface.java @@ -24,4 +24,5 @@ public interface reportInterface{ public HashMap> getKeywordHit(); public HashMap> getInstalledProg(); public String getGroupedKeywordHit(); + public HashMap> getDevices(); } diff --git a/Report/src/org/sleuthkit/autopsy/report/reportPanel.java b/Report/src/org/sleuthkit/autopsy/report/reportPanel.java index bd431208db..e5e5be057e 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportPanel.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportPanel.java @@ -146,6 +146,7 @@ private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI String htmlpath = reportUtils.changeExtension(path, ".html"); String xmlpath = reportUtils.changeExtension(path, ".xml"); + String xlspath = reportUtils.changeExtension(path, ".xlsx"); try { Writer out = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(htmlpath), "UTF-8")); @@ -154,6 +155,11 @@ private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI out.flush(); out.close(); + //xls report + FileOutputStream fos = new FileOutputStream(xlspath); + reportXLS.wb.write(fos); + fos.close(); + FileOutputStream xmlout = new FileOutputStream(xmlpath); XMLOutputter serializer = new XMLOutputter(); serializer.output(reportXML.xmldoc, xmlout); diff --git a/Report/src/org/sleuthkit/autopsy/report/reportPanelAction.java b/Report/src/org/sleuthkit/autopsy/report/reportPanelAction.java index 99e1f9fd46..863edd59d8 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportPanelAction.java 
+++ b/Report/src/org/sleuthkit/autopsy/report/reportPanelAction.java @@ -58,6 +58,7 @@ public class reportPanelAction { if(reportlist.contains(8)){Results.putAll(bbreport.getInstalledProg());} if(reportlist.contains(9)){Results.putAll(bbreport.getKeywordHit());} if(reportlist.contains(10)){Results.putAll(bbreport.getHashHit());} + if(reportlist.contains(11)){Results.putAll(bbreport.getDevices());} SwingUtilities.invokeLater(new Runnable() { @Override public void run() { @@ -83,11 +84,20 @@ public class reportPanelAction { // viewReport.append(reportHTML.unformatted_header.toString()); } }); + Thread xlsthread = new Thread(new Runnable() + { + @Override + public void run() + { + reportXLS xlsReport = new reportXLS(Results,rr); + // BrowserControl.openUrl(xlsReport.xlsPath); + } + }); // start our threads xmlthread.start(); htmlthread.start(); - + xlsthread.start(); // display the window // create the popUp window for it @@ -138,6 +148,7 @@ public class reportPanelAction { panel.setFinishedReportText(); popUpWindow.setVisible(true); xmlthread.join(); + xlsthread.join(); } diff --git a/Report/src/org/sleuthkit/autopsy/report/reportXLS.java b/Report/src/org/sleuthkit/autopsy/report/reportXLS.java new file mode 100644 index 0000000000..162baa03bf --- /dev/null +++ b/Report/src/org/sleuthkit/autopsy/report/reportXLS.java 
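Review bot: In the new `xlsthread` runnable the `reportXLS` instance is constructed only for its side effect of replacing the static `reportXLS.wb`; the local `xlsReport` is otherwise unused and the commented-out `BrowserControl.openUrl(xlsReport.xlsPath)` names a field the new class does not declare, so the dead line should go and the workbook should be returned from a method (or kept on the instance) instead of published through a static. The three report threads now share the same `Results` map and `rr` filter; as far as the hunk shows the map is only read, but `rr.progBarSet` is driven from each thread, so the bar shows whichever thread wrote last. `xlsthread.join()` in the `-138` hunk sits after `popUpWindow.setVisible(true)`, mirroring `xmlthread.join()`, so the window is shown before the workbook exists; if Save is reachable from that window it should stay disabled until the joins return. The enclosing method starts and ends outside the hunk.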
@@ -0,0 +1,312 @@ +/* + * To change this template, choose Tools | Templates + * and open the template in the editor. + */ +package org.sleuthkit.autopsy.report; + +import java.io.FileOutputStream; + +import java.io.IOException; +import java.text.DateFormat; +import java.text.SimpleDateFormat; +import java.util.ArrayList; +import java.util.Date; +import java.util.HashMap; +import java.util.Iterator; +import java.util.Map.Entry; +import java.util.TreeMap; +import org.apache.poi.ss.usermodel.Cell; +import org.apache.poi.ss.usermodel.CellStyle; +import org.apache.poi.ss.usermodel.Font; +import org.apache.poi.ss.usermodel.Row; +import org.apache.poi.ss.usermodel.Sheet; +import org.apache.poi.ss.usermodel.Workbook; +import org.apache.poi.xssf.usermodel.XSSFWorkbook; +import org.sleuthkit.autopsy.casemodule.Case; +import org.sleuthkit.datamodel.BlackboardArtifact; +import org.sleuthkit.datamodel.BlackboardAttribute; +import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.TskData; + +/** + * + * @author Alex + */ +public class reportXLS { + public static Workbook wb = new XSSFWorkbook(); + public reportXLS(HashMap> report, reportFilter rr){ + //Empty the workbook first + Workbook wbtemp = new XSSFWorkbook(); + + int countGen = 0; + int countBookmark = 0; + int countCookie = 0; + int countHistory = 0; + int countDownload = 0; + int countRecentObjects = 0; + int countTrackPoint = 0; + int countInstalled = 0; + int countKeyword = 0; + int countHash = 0; + int countDevice = 0; + for (Entry> entry : report.entrySet()) { + if(entry.getKey().getArtifactTypeID() == 1){ + countGen++; + } + if(entry.getKey().getArtifactTypeID() == 2){ + countBookmark++; + } + if(entry.getKey().getArtifactTypeID() == 3){ + + countCookie++; + } + if(entry.getKey().getArtifactTypeID() == 4){ + + countHistory++; + } + if(entry.getKey().getArtifactTypeID() == 5){ + countDownload++; + } + if(entry.getKey().getArtifactTypeID() == 6){ + countRecentObjects++; + } + 
if(entry.getKey().getArtifactTypeID() == 7){ + countTrackPoint++; + } + if(entry.getKey().getArtifactTypeID() == 8){ + countInstalled++; + } + if(entry.getKey().getArtifactTypeID() == 9){ + countKeyword++; + } + if(entry.getKey().getArtifactTypeID() == 10){ + countHash++; + } + if(entry.getKey().getArtifactTypeID() == 11){ + countDevice++; + } + } + + try{ + Case currentCase = Case.getCurrentCase(); // get the most updated case + SleuthkitCase skCase = currentCase.getSleuthkitCase(); + String caseName = currentCase.getName(); + Integer imagecount = currentCase.getImageIDs().length; + Integer filesystemcount = currentCase.getRootObjectsCount(); + Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG); + Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR); + DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss"); + DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy-HH-mm-ss"); + Date date = new Date(); + String datetime = datetimeFormat.format(date); + String datenotime = dateFormat.format(date); + + //Generate a sheet per artifact type + Sheet sheetGen = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getDisplayName()); + Sheet sheetHash = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getDisplayName()); + Sheet sheetDevice = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getDisplayName()); + Sheet sheetInstalled = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getDisplayName()); + Sheet sheetKeyword = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getDisplayName()); + Sheet sheetTrackpoint = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getDisplayName()); + Sheet sheetRecent = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getDisplayName()); + Sheet sheetCookie = 
wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getDisplayName()); + Sheet sheetBookmark = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getDisplayName()); + Sheet sheetDownload = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getDisplayName()); + Sheet sheetHistory = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getDisplayName()); + + //Bold/underline cell style for the top header rows + CellStyle style = wbtemp.createCellStyle(); + style.setBorderBottom((short) 2); + Font font = wbtemp.createFont(); + font.setFontHeightInPoints((short)16); + font.setFontName("Courier New"); + font.setBoldweight((short)2); + style.setFont(font); + //create the rows in the worksheet for our records + //Create first row and header + sheetGen.createRow(0); + sheetGen.getRow(0).createCell(0).setCellValue("Name"); + sheetGen.getRow(0).createCell(1).setCellValue("Value"); + sheetGen.getRow(0).createCell(2).setCellValue("Date/Time"); + + sheetHash.createRow(0).setRowStyle(style); + sheetHash.getRow(0).createCell(0).setCellValue("Name"); + sheetHash.getRow(0).createCell(1).setCellValue("Size"); + sheetHash.getRow(0).createCell(2).setCellValue("Hashset Name"); + + sheetDevice.createRow(0).setRowStyle(style); + sheetDevice.getRow(0).createCell(0).setCellValue("Name"); + sheetDevice.getRow(0).createCell(1).setCellValue("Serial #"); + sheetDevice.getRow(0).createCell(2).setCellValue("Time"); + + sheetInstalled.createRow(0).setRowStyle(style); + sheetInstalled.getRow(0).createCell(0).setCellValue("Program Name"); + sheetInstalled.getRow(0).createCell(1).setCellValue("Install Date/Time"); + + sheetKeyword.createRow(0).setRowStyle(style); + sheetKeyword.getRow(0).createCell(0).setCellValue("Keyword"); + sheetKeyword.getRow(0).createCell(1).setCellValue("File Name"); + sheetKeyword.getRow(0).createCell(2).setCellValue("Preview"); + sheetKeyword.getRow(0).createCell(3).setCellValue("Keyword LIst"); + + 
sheetRecent.createRow(0).setRowStyle(style); + sheetRecent.getRow(0).createCell(0).setCellValue("Name"); + sheetRecent.getRow(0).createCell(1).setCellValue("Path"); + sheetRecent.getRow(0).createCell(2).setCellValue("Related Shortcut"); + + sheetCookie.createRow(0).setRowStyle(style); + sheetCookie.getRow(0).createCell(0).setCellValue("URL"); + sheetCookie.getRow(0).createCell(1).setCellValue("Date"); + sheetCookie.getRow(0).createCell(2).setCellValue("Name"); + sheetCookie.getRow(0).createCell(3).setCellValue("Value"); + sheetCookie.getRow(0).createCell(4).setCellValue("Program"); + + sheetBookmark.createRow(0).setRowStyle(style); + sheetBookmark.getRow(0).createCell(0).setCellValue("URL"); + sheetBookmark.getRow(0).createCell(1).setCellValue("Title"); + sheetBookmark.getRow(0).createCell(2).setCellValue("Program"); + + sheetDownload.createRow(0).setRowStyle(style); + sheetDownload.getRow(0).createCell(0).setCellValue("File"); + sheetDownload.getRow(0).createCell(1).setCellValue("Source"); + sheetDownload.getRow(0).createCell(2).setCellValue("Time"); + sheetDownload.getRow(0).createCell(3).setCellValue("Program"); + + sheetHistory.createRow(0).setRowStyle(style); + sheetHistory.getRow(0).createCell(0).setCellValue("URL"); + sheetHistory.getRow(0).createCell(1).setCellValue("Date"); + sheetHistory.getRow(0).createCell(2).setCellValue("Referrer"); + sheetHistory.getRow(0).createCell(3).setCellValue("Title"); + sheetHistory.getRow(0).createCell(4).setCellValue("Program"); + + for(int i = 0;i < wbtemp.getNumberOfSheets();i++){ + Sheet tempsheet = wbtemp.getSheetAt(i); + for (Row temprow : tempsheet){ + for (Cell cell : temprow) { + cell.setCellStyle(style); + } + } + } + + int countedGen = 0; + int countedBookmark = 0; + int countedCookie = 0; + int countedHistory = 0; + int countedDownload = 0; + int countedRecentObjects = 0; + int countedTrackPoint = 0; + int countedInstalled = 0; + int countedKeyword = 0; + int countedHash = 0; + int countedDevice = 0; + + //start 
populating the sheets in the workbook + for (Entry> entry : report.entrySet()) { + if(reportFilter.cancel == true){ + break; + } + int cc = 0; + TreeMap attributes = new TreeMap(); + // Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type + int n; + for(n=1;n<=36;n++) + { + attributes.put(n, ""); + + } + for (BlackboardAttribute tempatt : entry.getValue()) + { + if(reportFilter.cancel == true){ + break; + } + String value = ""; + int type = tempatt.getAttributeTypeID(); + if(tempatt.getValueString() == null || "null".equals(tempatt.getValueString())){ + + } + else if(type == 2){ + value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date ((tempatt.getValueLong())*1000)); + } + else + { + value = tempatt.getValueString(); + } + + attributes.put(type, value); + cc++; + } + + + if(entry.getKey().getArtifactTypeID() == 1){ + countedGen++; + Row temp = sheetGen.getRow(countedGen); + + } + if(entry.getKey().getArtifactTypeID() == 2){ + countedBookmark++; + Row temp = sheetBookmark.createRow(countedBookmark); + temp.createCell(0).setCellValue(attributes.get(1)); + temp.createCell(1).setCellValue(attributes.get(3)); + temp.createCell(2).setCellValue(attributes.get(4)); + + + // sheetBookmark.addContent(artifact); + } + if(entry.getKey().getArtifactTypeID() == 3){ + + // sheetCookie.addContent(artifact); + } + if(entry.getKey().getArtifactTypeID() == 4){ + + // sheetHistory.addContent(artifact); + } + if(entry.getKey().getArtifactTypeID() == 5){ + //sheetDownload.addContent(artifact); + } + if(entry.getKey().getArtifactTypeID() == 6){ + // sheetRecent.addContent(artifact); + } + if(entry.getKey().getArtifactTypeID() == 7){ + // sheetTrackpoint.addContent(artifact); + } + if(entry.getKey().getArtifactTypeID() == 8){ + // sheetInstalled.addContent(artifact); + } + if(entry.getKey().getArtifactTypeID() == 9){ + // sheetKeyword.addContent(artifact); + } + if(entry.getKey().getArtifactTypeID() == 
10){ + // sheetHash.addContent(artifact); + } + if(entry.getKey().getArtifactTypeID() == 11){ + // sheetDevice.addContent(artifact); + } + + + cc++; + rr.progBarSet(cc); + } + + + //write out the report to the reports folder + try { + FileOutputStream fos = new FileOutputStream(currentCase.getCaseDirectory()+"/Reports/" + caseName + "-" + datenotime + ".xlsx"); + wbtemp.write(fos); + fos.close(); + wb = wbtemp; + } + catch (IOException e) { + System.err.println(e); + } + + } + + catch(Exception E) + { + String test = E.toString(); + } + + } + + +} diff --git a/Report/src/org/sleuthkit/autopsy/report/reportXML.java b/Report/src/org/sleuthkit/autopsy/report/reportXML.java index 6a25b35ba8..b7cbfc5bdc 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportXML.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportXML.java @@ -13,6 +13,8 @@ import java.util.HashMap; import java.util.Map.Entry; import java.util.logging.Level; import java.util.logging.Logger; +import java.util.regex.Pattern; +import org.apache.commons.lang3.StringEscapeUtils; import org.jdom.Comment; import org.jdom.Document; import org.jdom.Document.*; @@ -72,6 +74,9 @@ public class reportXML { Element nodeInstalled = new Element("Installed-Programfiles"); Element nodeKeyword = new Element("Keyword-Search-Hits"); Element nodeHash = new Element("Hashset-Hits"); + Element nodeDevice = new Element("Attached-Devices"); + //remove bytes + Pattern INVALID_XML_CHARS = Pattern.compile("[^\\u0009\\u000A\\u000D\\u0020-\\uD7FF\\uE000-\\uFFFD\uD800\uDC00-\uDBFF\uDFFF]"); for (Entry> entry : report.entrySet()) { if(reportFilter.cancel == true){ break; 
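Review bot: The outer `catch(Exception E) { String test = E.toString(); }` at the end of the constructor discards every failure (`Case.getCurrentCase()`, workbook construction, the file write), so a report that was never written leaves `wb` pointing at the initial empty `XSSFWorkbook` with nothing logged; log it at least the way the inner `catch (IOException e)` does, and close `fos` in a `finally` so a failed `write` does not leak the handle. `public static Workbook wb` is assigned from the worker thread that runs this constructor and read from the Swing side in `reportPanel` with no synchronization, so an instance field or a return value would avoid publishing a half-built workbook. As committed only the `TSK_WEB_BOOKMARK` branch (type 2) writes rows — every other `addContent` call is commented out and `sheetGen.getRow(countedGen)` returns null for rows that were never created — so the workbook is header-only for the other ten sheets; a `// TODO: populate` on each empty branch would make that visible. The header literal `"Keyword LIst"` is a typo.
```java
            // … unchanged: sheet population loop …
            //write out the report to the reports folder
            FileOutputStream fos = new FileOutputStream(currentCase.getCaseDirectory() + "/Reports/" + caseName + "-" + datenotime + ".xlsx");
            try {
                wbtemp.write(fos);
            } finally {
                fos.close();
            }
            wb = wbtemp;
        }
        catch (Exception e) {
            // Surface the failure instead of swallowing it; callers otherwise see only an empty wb.
            java.util.logging.Logger.getLogger(reportXLS.class.getName())
                    .log(java.util.logging.Level.SEVERE, "Could not write XLS report", e);
        }
        // … unchanged: constructor and class closing braces …
```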
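Review bot: `INVALID_XML_CHARS` is compiled inside the constructor on every report run but never used: its only reference, in the `-92` hunk, is commented out, and even uncommented `INVALID_XML_CHARS.matcher(tempvalue).replaceAll("")` discards the returned string. Attribute values presumably come from the evidence being examined, so a single stray control character in one of them makes the whole report unparseable, which is exactly what this pattern is meant to prevent. Make it `private static final Pattern INVALID_XML_CHARS = Pattern.compile(...)` on the class and assign the result, `tempvalue = INVALID_XML_CHARS.matcher(tempvalue).replaceAll("");`, guarded against a null `tempvalue` if `getValueString()` can return one (the HTML and XLS reports both check for it). The enclosing constructor starts outside the hunk.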
@@ -92,9 +97,11 @@ public class reportXML { break; } Element attribute = new Element("Attribute").setAttribute("Type",tempatt.getAttributeTypeDisplayName()); - Element value = new Element("Value").setText(tempatt.getValueString()); + String tempvalue = tempatt.getValueString(); + //INVALID_XML_CHARS.matcher(tempvalue).replaceAll(""); + Element value = new Element("Value").setText(tempvalue); attribute.addContent(value); - Element context = new Element("Context").setText(tempatt.getContext()); + Element context = new Element("Context").setText(StringEscapeUtils.escapeXml(tempatt.getContext())); attribute.addContent(context); artifact.addContent(attribute); cc++; @@ -136,6 +143,9 @@ public class reportXML { } if(entry.getKey().getArtifactTypeID() == 10){ nodeHash.addContent(artifact); + } + if(entry.getKey().getArtifactTypeID() == 11){ + nodeDevice.addContent(artifact); } cc++; rr.progBarSet(cc); @@ -153,6 +163,7 @@ public class reportXML { root.addContent(nodeInstalled); root.addContent(nodeKeyword); root.addContent(nodeHash); + root.addContent(nodeDevice); try { FileOutputStream out = new FileOutputStream(currentCase.getCaseDirectory()+"/Reports/" + caseName + "-" + datenotime + ".xml");
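Review bot: `StringEscapeUtils.escapeXml(tempatt.getContext())` pre-escapes text that JDOM's `XMLOutputter` will most likely escape again on output, so a context containing `<` or `&` ends up as `&amp;lt;` / `&amp;amp;` in the file; `setText` should receive the raw string, as `Value` does on the line above. `Value` and `Context` are now handled differently for no stated reason, and neither gets the invalid-character stripping the commented-out `INVALID_XML_CHARS` line intended, which is the check that actually keeps control characters from producing an unparseable report. Dropping the `escapeXml` call and applying the pattern to both strings, with a null guard, would make the two elements consistent. The enclosing loop starts and ends outside the hunk.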