mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-14 08:56:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Exported xml report as well

Browse Source 
Signed-off-by: Alex Ebadirad <aebadirad@42six.com>
This commit is contained in:
Alex Ebadirad 2012-03-16 14:23:57 -07:00
parent af5086d53b
commit c80496fb36
202 changed files with 18433 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
RecentActivity/release/rr/p2x588.dll Normal file
View File

Binary file not shown.

72
RecentActivity/release/rr/plugins/acmru.pl Normal file
View File

@ -0,0 +1,72 @@
#-----------------------------------------------------------
# acmru.pl
# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
# ACMru values
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package acmru;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's ACMru key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching acmru v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Search Assistant\\ACMru';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("ACMru - Search Assistant");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
my @vals = $s->get_list_of_values();
my %ac_vals;
foreach my $v (@vals) {
$ac_vals{$v->get_name()} = $v->get_data();
}
foreach my $a (sort {$a <=> $b} keys %ac_vals) {
::rptMsg("\t".$a." -> ".$ac_vals{$a});
}
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

93
RecentActivity/release/rr/plugins/adoberdr.pl Normal file
View File

@ -0,0 +1,93 @@
#-----------------------------------------------------------
# adoberdr.pl
# Plugin for Registry Ripper
# Parse Adobe Reader MRU keys
#
# Change history
# 20100218 - added checks for versions 4.0, 5.0, 9.0
# 20091125 - modified output to make a bit more clear
#
# References
#
# Note: LastWrite times on c subkeys will all be the same,
# as each subkey is modified as when a new entry is added
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package adoberdr;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100218);
sub getConfig{return %config}
sub getShortDescr {
return "Gets user's Adobe Reader cRecentFiles values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching adoberdr v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
::rptMsg("Adoberdr v.".$VERSION);
# First, let's find out which version of Adobe Acrobat Reader is installed
my $version;
my $tag = 0;
my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0");
foreach my $ver (@versions) {
my $key_path = "Software\\Adobe\\Acrobat Reader\\".$ver."\\AVGeneral\\cRecentFiles";
if (defined($root_key->get_subkey($key_path))) {
$version = $ver;
$tag = 1;
}
}
if ($tag) {
::rptMsg("Adobe Acrobat Reader version ".$version." located.");
my $key_path = "Software\\Adobe\\Acrobat Reader\\".$version."\\AVGeneral\\cRecentFiles";
my $key = $root_key->get_subkey($key_path);
if ($key) {
::rptMsg($key_path);
::rptMsg("");
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my %arkeys;
my @subkeys = $key->get_list_of_subkeys();
if (scalar @subkeys > 0) {
foreach my $s (@subkeys) {
my $num = $s->get_name();
my $data = $s->get_value('sDI')->get_data();
$num =~ s/^c//;
$arkeys{$num}{lastwrite} = $s->get_timestamp();
$arkeys{$num}{data} = $data;
}
::rptMsg("Most recent PDF opened: ".gmtime($arkeys{1}{lastwrite})." (UTC)");
foreach my $k (sort keys %arkeys) {
::rptMsg(" c".$k." ".$arkeys{$k}{data});
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg("Could not access ".$key_path);
}
}
else {
::rptMsg("Adobe Acrobat Reader version not found.");
}
}
1;

95
RecentActivity/release/rr/plugins/aim.pl Normal file
View File

@ -0,0 +1,95 @@
#-----------------------------------------------------------
# aim
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package aim;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080325);
sub getConfig{return %config}
sub getShortDescr {
return "Gets info from the AOL Instant Messenger (not AIM) install";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching aim plugin v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("AIM");
::rptMsg($key_path);
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $user = $s->get_name();
::rptMsg("User: $user [".gmtime($s->get_timestamp())."]");
my $login = "Login";
my $recent = "recent IM ScreenNames";
my $recent2 = "recent ScreenNames";
my @userkeys = $s->get_list_of_subkeys();
foreach my $u (@userkeys) {
my $us = $u->get_name();
# See if we can get the encrypted password
if ($us =~ m/^$login/) {
my $pwd = "";
eval {
$pwd = $u->get_value("Password1")->get_data();
};
::rptMsg("Pwd: ".$pwd) if ($pwd ne "");
}
# See if we can get recent folks they've chatted with...
if ($us eq $recent || $us eq $recent2) {
my @vals = $u->get_list_of_values();
if (scalar(@vals) > 0) {
::rptMsg($user."\\".$us);
my %sns;
foreach my $v (@vals) {
$sns{$v->get_name()} = $v->get_data();
}
foreach my $i (sort {$a <=> $b} keys %sns) {
::rptMsg("\t\t".$i." -> ".$sns{$i});
}
}
else {
# No values
}
}
}
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

3
RecentActivity/release/rr/plugins/all Normal file
View File

@ -0,0 +1,3 @@
#-------------------------------------
# All
regtime

61
RecentActivity/release/rr/plugins/appinitdlls.pl Normal file
View File

@ -0,0 +1,61 @@
#-----------------------------------------------------------
# appinitdlls
#
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appinitdlls;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of AppInit_DLLs value";
}
sub getDescr{}
sub getRefs {
my %refs = ("Working with the AppInit_DLLs Reg Value" =>
"http://support.microsoft.com/kb/q197571");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching appinitdlls v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\Windows';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("AppInit_DLLs");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @vals = $key->get_list_of_values();
foreach my $v (@vals) {
my $name = $v->get_name();
if ($name eq "AppInit_DLLs") {
my $data = $v->get_data();
$data = "{blank}" if ($data eq "");
::rptMsg($name." -> ".$data);
}
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

96
RecentActivity/release/rr/plugins/applets.pl Normal file
View File

@ -0,0 +1,96 @@
#-----------------------------------------------------------
# applets.pl
# Plugin for Registry Ripper
# Windows\CurrentVersion\Applets Recent File List values
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package applets;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's Applets key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching applets v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Applets';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Applets");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# Locate files opened in MS Paint
my $paint_key = 'Paint\\Recent File List';
my $paint = $key->get_subkey($paint_key);
if (defined $paint) {
::rptMsg($key_path."\\".$paint_key);
::rptMsg("LastWrite Time ".gmtime($paint->get_timestamp())." (UTC)");
my @vals = $paint->get_list_of_values();
if (scalar(@vals) > 0) {
my %files;
# Retrieve values and load into a hash for sorting
foreach my $v (@vals) {
my $val = $v->get_name();
my $data = $v->get_data();
my $tag = (split(/File/,$val))[1];
$files{$tag} = $val.":".$data;
}
# Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg(" ".$val." -> ".$data);
}
}
else {
::rptMsg($key_path."\\".$paint_key." has no values.");
}
}
else {
::rptMsg($key_path."\\".$paint_key." not found.");
}
# Get Last Registry key opened in RegEdit
my $reg_key = "Regedit";
my $reg = $key->get_subkey($reg_key);
if (defined $reg) {
::rptMsg("");
::rptMsg($key_path."\\".$reg_key);
::rptMsg("LastWrite Time ".gmtime($reg->get_timestamp())." (UTC)");
my $lastkey = $reg->get_value("LastKey")->get_data();
::rptMsg("RegEdit LastKey value -> ".$lastkey);
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

83
RecentActivity/release/rr/plugins/apppaths.pl Normal file
View File

@ -0,0 +1,83 @@
#-----------------------------------------------------------
# apppaths
# Gets contents of App Paths subkeys from the Software hive,
# diplaying the EXE name and path; all entries are sorted by
# LastWrite time
#
# References
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package apppaths;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20080404);
sub getConfig{return %config}
sub getShortDescr {
return "Gets content of App Paths key";
}
sub getDescr{}
sub getRefs {
my %refs = ("You cannot open Help and Support Center in Windows XP" =>
"http://support.microsoft.com/kb/888018",
"Another installation program starts..." =>
"http://support.microsoft.com/kb/888470");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching apppaths v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows\\CurrentVersion\\App Paths";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("App Paths");
::rptMsg($key_path);
::rptMsg("");
my %apps;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
my $lastwrite = $s->get_timestamp();
my $path;
eval {
$path = $s->get_value("")->get_data();
};
push(@{$apps{$lastwrite}},$name." [".$path."]");
}
foreach my $t (reverse sort {$a <=> $b} keys %apps) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$apps{$t}}) {
::rptMsg(" $item");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

133
RecentActivity/release/rr/plugins/arpcache.pl Normal file
View File

@ -0,0 +1,133 @@
#-----------------------------------------------------------
# arpcache.pl
# Retrieves CurrentVersion\App Management\ARPCache entries; subkeys appear
# to maintain information about paths to installed applications in the
# SlowInfoCache value(0x10 - FILETIME object, null term. string with path
# starts at 0x1c)
#
# Change history
# 20090413 - Created
#
# References
# No references, but the subkeys appear to hold information about
# installed applications; some SlowInfoCache values appear to contain
# timestamp data (FILETIME object) and/or path information. Posts on
# the Internet indicate the existence of Kazaa beneath the APRCache key,
# as well as possibly an "Outerinfo" subkey indicating that spyware is
# installed.
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package arpcache;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20090413);
sub getConfig{return %config}
sub getShortDescr {
return "Retrieves CurrentVersion\\App Management\\ARPCache entries";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %arpcache;
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching arpcache v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $lw = $s->get_timestamp();
my $name = $s->get_name();
my $path;
eval {
my $i = $s->get_value("SlowInfoCache")->get_data();
$path = parsePath($i);
};
($@) ? ($name .= "|") : ($name .= "|".$path);
my $date;
eval {
my $i = $s->get_value("SlowInfoCache")->get_data();
$date = parseDate($i);
};
($@) ? ($name .= "|") : ($name .= "|".$date);
push(@{$arpcache{$lw}},$name);
}
foreach my $t (reverse sort {$a <=> $b} keys %arpcache) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$arpcache{$t}}) {
my ($name,$path,$date) = split(/\|/,$item,3);
::rptMsg(" ".$name);
my $str = $path unless ($path eq "");
$str .= " [".gmtime($date)."]" unless ($date == 0);
::rptMsg(" -> ".$str) unless ($str eq "");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;
sub parseDate {
my $data = shift;
my ($t1,$t2) = unpack("VV",substr($data,0x10,8));
return ::getTime($t1,$t2);
}
sub parsePath {
my $data = shift;
my $ofs = 0x1c;
my $tag = 1;
my $str = substr($data,$ofs,2);
if (unpack("v",$str) == 0) {
return "";
}
else {
while($tag) {
$ofs += 2;
my $i = substr($data,$ofs,2);
if (unpack("v",$i) == 0) {
$tag = 0;
}
else {
$str .= $i;
}
}
}
$str =~ s/\00//g;
return $str;
}

77
RecentActivity/release/rr/plugins/arunmru.pl Normal file
View File

@ -0,0 +1,77 @@
#-----------------------------------------------------------
# runmru.pl
# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
# RunMru values
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package arunmru;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's RunMRU key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
#::logMsg("autospyrunmru");
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("RunMru");
#::rptMsg($key_path);
my @vals = $key->get_list_of_values();
::rptMsg("<runMRU>");
::rptMsg("<time>".gmtime($key->get_timestamp())."</time>");
::rptMsg("<artifacts>");
my %runvals;
my $mru;
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
$runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i);
$mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i);
}
::rptMsg("<MRUList>".$mru."</MRUList>");
foreach my $r (sort keys %runvals) {
::rptMsg("<MRU>".$r." ".$runvals{$r}."</MRU>");
}
}
else {
#::rptMsg($key_path." has no values.");
#::logMsg($key_path." has no values.");
}
::rptMsg("</artifacts>");
}
else {
#::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
::rptMsg("</runMRU>");
}
1;

87
RecentActivity/release/rr/plugins/assoc.pl Normal file
View File

@ -0,0 +1,87 @@
#-----------------------------------------------------------
# assoc.pl
# Plugin to extract file association data from the Software hive file
# Can take considerable time to run; recommend running it via rip.exe
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package assoc;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080815);
sub getConfig{return %config}
sub getShortDescr {
return "Get list of file ext associations";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching assoc v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Classes";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("assoc");
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# First step will be to get a list of all of the file extensions
my %ext;
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
my $name = $s->get_name();
next unless ($name =~ m/^\.\w+$/);
my $data;
eval {
$data = $s->get_value("")->get_data();
};
if ($@) {
# Error generated, as "(Default)" value was not found
}
else {
$ext{$name} = $data if ($data ne "");
}
}
# Once a list of all file ext subkeys has been compiled, access the file type
# to determine the command line used to launch files with that extension
foreach my $e (keys %ext) {
my $cmd;
eval {
$cmd = $key->get_subkey($ext{$e}."\\shell\\open\\command")->get_value("")->get_data();
};
if ($@) {
# error generated attempting to locate <file type>.\shell\open\command\(Default) value
}
else {
::rptMsg($e." : ".$cmd);
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

66
RecentActivity/release/rr/plugins/auditfail.pl Normal file
View File

@ -0,0 +1,66 @@
#-----------------------------------------------------------
# auditfail.pl
#
# Ref:
# http://support.microsoft.com/kb/140058
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package auditfail;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081212);
sub getConfig{return %config}
sub getShortDescr {
return "Get CrashOnAuditFail value";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %val = (0 => "Feature is off; the system will not halt",
1 => "Feature is on; the system will halt when events cannot be written to the ".
"Security Event Log",
2 => "Feature is on and has been triggered; only Administrators can log in");
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching auditfail v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $lsa_path = "ControlSet00".$current."\\Control\\Lsa";
my $lsa;
if ($lsa = $root_key->get_subkey($lsa_path)) {
eval {
my $crash = $lsa->get_value("crashonauditfail")->get_data();
::rptMsg("CrashOnAuditFail = ".$crash);
::rptMsg($val{$crash});
};
::rptMsg($@) if ($@);
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

88
RecentActivity/release/rr/plugins/auditpol.pl Normal file
View File

@ -0,0 +1,88 @@
#-----------------------------------------------------------
# auditpol
# Get the audit policy from the Security hive file
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package auditpol;
use strict;
my %config = (hive => "Security",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20080327);
sub getConfig{return %config}
sub getShortDescr {
return "Get audit policy from the Security hive file";
}
sub getDescr{}
sub getRefs {
my %refs = ("How To Determine Audit Policies from the Registry" =>
"http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246120");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %audit = (0 => "N",
1 => "S",
2 => "F",
3 => "S/F");
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching auditpol v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Policy\\PolAdtEv";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("auditpol");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $data;
eval {
$data = $key->get_value("")->get_data();
};
if ($@) {
::rptMsg("Error occurred getting data from ".$key_path);
::rptMsg(" - ".$@);
}
else {
# Check to see if auditing is enabled
my $enabled = unpack("C",substr($data,0,1));
if ($enabled) {
::rptMsg("Auditing is enabled.");
# Get audit configuration settings
my @vals = unpack("V*",$data);
::rptMsg("\tAudit System Events = ".$audit{$vals[1]});
::rptMsg("\tAudit Logon Events = ".$audit{$vals[2]});
::rptMsg("\tAudit Object Access = ".$audit{$vals[3]});
::rptMsg("\tAudit Privilege Use = ".$audit{$vals[4]});
::rptMsg("\tAudit Process Tracking = ".$audit{$vals[5]});
::rptMsg("\tAudit Policy Change = ".$audit{$vals[6]});
::rptMsg("\tAudit Account Management = ".$audit{$vals[7]});
::rptMsg("\tAudit Dir Service Access = ".$audit{$vals[8]});
::rptMsg("\tAudit Account Logon Events = ".$audit{$vals[9]});
}
else {
::rptMsg("**Auditing is NOT enabled.");
}
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

66
RecentActivity/release/rr/plugins/autoendtasks.pl Normal file
View File

@ -0,0 +1,66 @@
#-----------------------------------------------------------
# autoendtasks.pl
#
# History
# 20081128 - created
#
# Ref:
# http://support.microsoft.com/kb/555619
# This Registry setting tells XP (and Vista) to automatically
# end non-responsive tasks; value may not exist on Vista.
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package autoendtasks;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081128);
sub getConfig{return %config}
sub getShortDescr {
return "Automatically end a non-responsive task";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching autoendtasks v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'Control Panel\\Desktop';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg("autoendtasks");
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $autoend;
eval {
$autoend = $key->get_value("AutoEndTasks")->get_data();
};
if ($@) {
::rptMsg("AutoEndTasks value not found.");
}
else {
::rptMsg("AutoEndTasks = ".$autoend);
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

8
RecentActivity/release/rr/plugins/autopsy Normal file
View File

@ -0,0 +1,8 @@
# List of plugins for the Registry Ripper
#-------------------------------------
# NTUSER.DAT
autopsylogin
autopsyrecentdocs
arunmru
autopsyshellfolders

70
RecentActivity/release/rr/plugins/autopsylogin.pl Normal file
View File

@ -0,0 +1,70 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# logonusername.pl
# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
# "Logon User Name" value
#
# Change history
#
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package autopsylogin;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Get user's Logon User Name value";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
#::logMsg("||logonusername||");
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $logon_name = "Username";
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
#::rptMsg("Logon User Name");
#::rptMsg($key_path);
::rptMsg("<logon>");
::rptMsg("<time>".gmtime($key->get_timestamp())."</time><artifacts>");
foreach my $v (@vals) {
if ($v->get_name() eq $logon_name) {
::rptMsg("<user name=\"".$logon_name."\"> ".$v->get_data() ."</user>");
}
}
::rptMsg("</artifacts></logon>");
}
else {
#::rptMsg($key_path." has no values.");
#::logMsg($key_path." has no values.");
}
}
else {
#::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
}
1;

161
RecentActivity/release/rr/plugins/autopsyrecentdocs.pl Normal file
View File

@ -0,0 +1,161 @@
#-----------------------------------------------------------
# recentdocs.pl
# Plugin for Registry Ripper
# Parses RecentDocs keys/values in NTUSER.DAT
#
# Change history
# 20100405 - Updated to use Encode::decode to translate strings
# 20090115 - Minor update to keep plugin from printing terminating
# MRUListEx value of 0xFFFFFFFF
# 20080418 - Minor update to address NTUSER.DAT files that have
# MRUList values in this key, rather than MRUListEx
# values
#
# References
#
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package autopsyrecentdocs;
use strict;
use Encode;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100405);
sub getShortDescr {
return "Gets contents of user's RecentDocs key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
#::logMsg("||recentdocs||");
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("RecentDocs");
#::rptMsg("**All values printed in MRUList\\MRUListEx order.");
#::rptMsg($key_path);
::rptMsg("<recentdocs><time>".gmtime($key->get_timestamp())."</time><artifacts>");
# Get RecentDocs values
my %rdvals = getRDValues($key);
if (%rdvals) {
my $tag;
if (exists $rdvals{"MRUListEx"}) {
$tag = "MRUListEx";
}
elsif (exists $rdvals{"MRUList"}) {
$tag = "MRUList";
}
else {
}
my @list = split(/,/,$rdvals{$tag});
foreach my $i (@list) {
::rptMsg("<doc>".$i." = ".$rdvals{$i} . "</doc>");
}
}
else {
#::rptMsg($key_path." has no values.");
#::logMsg("Error: ".$key_path." has no values.");
}
::rptMsg("</artifacts></recentdocs>");
# Get RecentDocs subkeys' values
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg($key_path."\\".$s->get_name());
::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
my %rdvals = getRDValues($s);
if (%rdvals) {
my $tag;
if (exists $rdvals{"MRUListEx"}) {
$tag = "MRUListEx";
}
elsif (exists $rdvals{"MRUList"}) {
$tag = "MRUList";
}
else {
}
my @list = split(/,/,$rdvals{$tag});
::rptMsg($tag." = ".$rdvals{$tag});
foreach my $i (@list) {
::rptMsg(" ".$i." = ".$rdvals{$i});
}
::rptMsg("");
}
else {
#::rptMsg($key_path." has no values.");
}
}
}
else {
#::rptMsg($key_path." has no subkeys.");
}
}
else {
#::rptMsg($key_path." not found.");
}
}
sub getRDValues {
my $key = shift;
my $mru = "MRUList";
my %rdvals;
my @vals = $key->get_list_of_values();
if (scalar @vals > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
my $data = $v->get_data();
if ($name =~ m/^$mru/) {
my @mru;
if ($name eq "MRUList") {
@mru = split(//,$data);
}
elsif ($name eq "MRUListEx") {
@mru = unpack("V*",$data);
}
# Horrible, ugly cludge; the last, terminating value in MRUListEx
# is 0xFFFFFFFF, so we remove it.
pop(@mru);
$rdvals{$name} = join(',',@mru);
}
else {
# New code
$data = decode("ucs-2le", $data);
my $file = (split(/\00/,$data))[0];
# my $file = (split(/\00\00/,$data))[0];
# $file =~ s/\00//g;
$rdvals{$name} = $file;
}
}
return %rdvals;
}
else {
return undef;
}
}
1;

72
RecentActivity/release/rr/plugins/autopsyshellfolders.pl Normal file
View File

@ -0,0 +1,72 @@
#-----------------------------------------------------------
# shellfolders.pl
#
# Retrieve the Shell Folders values from user's hive; while
# this may not be important in every instance, it may give the
# examiner indications as to where to look for certain items;
# for example, if the user's "My Documents" folder has been redirected
# as part of configuration changes (corporate policies, etc.). Also,
# this may be important as part of data leakage exams, as XP and Vista
# allow users to drop and drag files to the CD Burner.
#
# References:
# http://support.microsoft.com/kb/279157
# http://support.microsoft.com/kb/326982
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package autopsyshellfolders;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090115);
sub getConfig{return %config}
sub getShortDescr {
return "Retrieve user Shell Folders values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
#::logMsg("Launching shellfolders v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("<shellfolders>");
::rptMsg("<time>".gmtime($key->get_timestamp())."</time>");
my @vals = $key->get_list_of_values();
::rptMsg("<artifacts>");
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $str = sprintf "%-20s %-40s","<shell name=\"".$v->get_name()."\">",$v->get_data()."</shell>";
::rptMsg($str);
}
::rptMsg("");
}
else {
#::rptMsg($key_path." has no values.");
}
::rptMsg("</artifacts></shellfolders>");
}
else {
#::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
}
1;

6
RecentActivity/release/rr/plugins/autopsysoftware Normal file
View File

@ -0,0 +1,6 @@
List of plugins for the Registry Ripper
#-------------------------------------
# SOFTWARE
autopsywinver
autopsyuninstall

92
RecentActivity/release/rr/plugins/autopsyuninstall.pl Normal file
View File

@ -0,0 +1,92 @@
#-----------------------------------------------------------
# uninstall.pl
# Gets contents of Uninstall key from Software hive; sorts
# display names based on key LastWrite time
#
# References:
# http://support.microsoft.com/kb/247501
# http://support.microsoft.com/kb/314481
# http://msdn.microsoft.com/en-us/library/ms954376.aspx
#
# Change History:
# 20100116 - Minor updates
# 20090413 - Extract DisplayVersion info
# 20090128 - Added references
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package autopsyuninstall;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100116);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of Uninstall key from Software hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
#::logMsg("Launching uninstall v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Uninstall';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("Uninstall");
#::rptMsg($key_path);
#::rptMsg("");
::rptMsg("<uninstall>");
::rptMsg("<time>".gmtime($key->get_timestamp())."</time>");
::rptMsg("<artifacts>");
my %uninst;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $lastwrite = $s->get_timestamp();
my $display;
eval {
$display = $s->get_value("DisplayName")->get_data();
};
$display = $s->get_name() if ($display eq "");
my $ver;
eval {
$ver = $s->get_value("DisplayVersion")->get_data();
};
$display .= " v\.".$ver unless ($@);
push(@{$uninst{$lastwrite}},$display);
}
foreach my $t (reverse sort {$a <=> $b} keys %uninst) {
::rptMsg("<item name=\"". gmtime($t).">");
foreach my $item (@{$uninst{$t}}) {
::rptMsg($item."</item>");
}
#::rptMsg("");
}
}
else {
#::rptMsg($key_path." has no subkeys.");
}
}
else {
#::rptMsg($key_path." not found.");
}
::rptMsg("</artifacts></uninstall>");
}
1;

109
RecentActivity/release/rr/plugins/autopsywinver.pl Normal file
View File

@ -0,0 +1,109 @@
#-----------------------------------------------------------
# winver.pl
#
# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package autopsywinver;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081210);
sub getConfig{return %config}
sub getShortDescr {
return "Get Windows version";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
#::logMsg("Launching winver v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
::rptMsg("<WinVersion>");
::rptMsg("<time>Not Available</time>");
::rptMsg("<artifacts>");
my $key_path = "Microsoft\\Windows NT\\CurrentVersion";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg("{name}");
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $prod;
eval {
$prod = $key->get_value("ProductName")->get_data();
};
if ($@) {
# ::rptMsg("ProductName value not found.");
}
else {
::rptMsg("<winver name=\"ProductName\">".$prod ."</winver>");
}
my $csd;
eval {
$csd = $key->get_value("CSDVersion")->get_data();
};
if ($@) {
# ::rptMsg("CSDVersion value not found.");
}
else {
::rptMsg("<winver name=\"CSDVersion\">".$csd."</winver>");
}
my $build;
eval {
$build = $key->get_value("BuildName")->get_data();
};
if ($@) {
# ::rptMsg("BuildName value not found.");
}
else {
::rptMsg("<winver name=\"BuildName\">".$build."</winver>");
}
my $buildex;
eval {
$buildex = $key->get_value("BuildNameEx")->get_data();
};
if ($@) {
# ::rptMsg("BuildName value not found.");
}
else {
::rptMsg("<winver name=\"BuildNameEx\">".$buildex."</winver>");
}
my $install;
eval {
$install = $key->get_value("InstallDate")->get_data();
};
if ($@) {
# ::rptMsg("InstallDate value not found.");
}
else {
::rptMsg("<winver name=\"InstallDate\">".gmtime($install)."</winver>");
}
}
else {
#::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
::rptMsg("</artifacts></shellfolders>");
}
1;

74
RecentActivity/release/rr/plugins/autorun.pl Normal file
View File

@ -0,0 +1,74 @@
#-----------------------------------------------------------
# autorun.pl
# Get autorun settings
#
# Change history
#
#
# References
# http://support.microsoft.com/kb/953252
# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit
# /regentry/91525.mspx?mfr=true
#
# copyright 2008-2009 H. Carvey
#-----------------------------------------------------------
package autorun;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20081212);
sub getConfig{return %config}
sub getShortDescr {
return "Gets autorun settings";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching autorun v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
eval {
my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data();
my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive;
::rptMsg($str);
};
::rptMsg("Error: ".$@) if ($@);
# http://support.microsoft.com/kb/953252
eval {
my $honor = $key->get_value("HonorAutorunSetting")->get_data();
my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor;
::rptMsg($str);
};
::rptMsg("HonorAutorunSetting not found.") if ($@);
::rptMsg("");
::rptMsg("Autorun settings in the HKLM hive take precedence over those in");
::rptMsg("the HKCU hive.");
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

170
RecentActivity/release/rr/plugins/bagtest.pl Normal file
View File

@ -0,0 +1,170 @@
#-----------------------------------------------------------
# bagtest.pl
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package bagtest;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090828);
sub getConfig{return %config}
sub getShortDescr {
return "Test -- BagMRU";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching bagtest v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\Shell\\BagMRU";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $subtree_iter = $key->get_subtree_iterator;
while (my ($k, $val) = $subtree_iter->get_next) {
if (defined $val) {
next unless ($val->get_name() =~ m/^\d+/);
my $path;
my $data = $val->get_data();
my $size = unpack("v",substr($data,0,20));
my $type = unpack("C",substr($data,2,1));
my $name = (split(/BagMRU/,$k->get_path()))[1];
if ($type == 0x47 || $type == 0x46 || $type == 0x42 || $type == 0x41 ||
$type == 0xc3) {
my $str1 = getStrings1($data);
$path = $str1;
}
elsif ($type == 0x31 || $type == 0x32) {
my($ascii,$uni) = getStrings2($data);
$path = $uni;
}
elsif ($type == 0x2f) {
# bytes 3-5 of $data contain a drive letter
$path = substr($data,0x03,3);
}
else {
# Nothing
}
# my $str = sprintf "%-30s %-3s %-4s 0x%x",$name."\\".$val->get_name(),$size,length($data),$type;
my $str = sprintf "%-25s ".$path,$name."\\".$val->get_name();
::rptMsg($str);
}
else {
}
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
#sub getStrings1 {
# my $data = shift;
# my $str;
# my $cursor = 0x05;
# my $tag = 1;
#
# while($tag) {
# my $byte = substr($data,$cursor,1);
# if (unpack("C",$byte) == 0x00) {
# $tag = 0;
# }
# else {
# $str .= $byte;
# $cursor += 1;
# }
# }
# return $str;
#}
sub getStrings1 {
my $data = shift;
my $d = substr($data,0x05,length($data) - 1);
$d =~ s/\00/-/g;
$d =~ s/[[:cntrl:]]//g;
my @t = split(/-/,$d);
my @s;
for my $i (1..scalar(@t) - 1) {
push(@s,$t[$i]) if (length($t[$i]) > 2);
}
return $t[0]." (".join(',',@s).")";
}
sub getStrings2 {
# ASCII short name starts at 0x0E, and is \00 terminated; 0x14 bytes
# after that is the null-term Unicode name
my $data = shift;
my ($ascii,$uni);
my $cursor = 0x0e;
my $tag = 1;
while($tag) {
my $byte = substr($data,$cursor,1);
if (unpack("C",$byte) == 0x00) {
$tag = 0;
}
else {
$ascii .= $byte;
$cursor += 1;
}
}
$cursor += 0x14;
$uni = substr($data,$cursor,length($data) - 1);
$uni =~ s/\00//g;
$uni =~ s/[[:cntrl:]]//g;
return ($ascii,$uni);
}
1;
# Original code to traverse through values and subkeys
# Retain for legacy code purposes
#sub traverse {
# my $key = shift;
#
# foreach my $val ($key->get_list_of_values()) {
# next unless ($val->get_name() =~ m/\d+/);
#
# ::rptMsg($val->get_name());
#
# }
#
# foreach my $subkey ($key->get_list_of_subkeys()) {
# traverse($subkey);
# }
#}

161
RecentActivity/release/rr/plugins/bagtest2.pl Normal file
View File

@ -0,0 +1,161 @@
#-----------------------------------------------------------
# bagtest2.pl
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package bagtest2;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090828);
sub getConfig{return %config}
sub getShortDescr {
return "Test -- BagMRU";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %bagmru;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching bagtest v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\Shell\\BagMRU";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
traverse($key);
foreach my $i (sort keys %bagmru) {
my $str = sprintf "%-30s ".$bagmru{$i},$i;
::rptMsg($str);
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
sub traverse {
my $key = shift;
my $name = (split(/BagMRU/,$key->get_path()))[1];
my @bags;
foreach my $val ($key->get_list_of_values()) {
next unless ($val->get_name() =~ m/\d+/);
my $path;
my $data = $val->get_data();
my $size = unpack("v",substr($data,0,20));
my $type = unpack("C",substr($data,2,1));
if ($type == 0x47 || $type == 0x46 || $type == 0x42 || $type == 0x41 ||
$type == 0xc3) {
my $str1 = getStrings1($data);
$path = $str1;
}
elsif ($type == 0x31 || $type == 0x32 || $type == 0xb1) {
my($ascii,$uni) = getStrings2($data);
$path = $uni;
}
elsif ($type == 0x2f) {
# bytes 3-5 of $data contain a drive letter
$path = substr($data,0x03,3);
}
else {
# Nothing
}
$bagmru{$name."\\".$val->get_name()} = $path;
}
foreach my $subkey ($key->get_list_of_subkeys()) {
traverse($subkey);
}
}
sub getStrings1 {
my $data = shift;
my $d = substr($data,0x05,length($data) - 1);
$d =~ s/\00/-/g;
$d =~ s/[[:cntrl:]]//g;
my @t = split(/-/,$d);
my @s;
for my $i (1..scalar(@t) - 1) {
push(@s,$t[$i]) if (length($t[$i]) > 2);
}
return $t[0]." (".join(',',@s).")";
}
sub getStrings2 {
# ASCII short name starts at 0x0E, and is \00 terminated; 0x14 bytes
# after that is the null-term Unicode name
my $data = shift;
my ($ascii,$uni);
my $cursor = 0x0e;
my $tag = 1;
while($tag) {
my $byte = substr($data,$cursor,1);
if (unpack("C",$byte) == 0x00) {
$tag = 0;
}
else {
$ascii .= $byte;
$cursor += 1;
}
}
$cursor += 0x14;
if ($ascii eq "RECENT") {
$uni = substr($data,$cursor,length($data) - 1);
$uni =~ s/\00//g;
$uni =~ s/[[:cntrl:]]//g;
}
else {
my $tag = 1;
my $count = 0;
while($tag) {
my $byte = substr($data,$cursor,2);
if ($count > 2 && unpack("v",$byte) == 0x00) {
$tag = 0;
}
else {
$uni .= $byte;
$count++;
$cursor += 2;
}
}
$uni =~ s/\00//g;
$uni =~ s/[[:cntrl:]]//g;
}
return ($ascii,$uni);
}
1;

127
RecentActivity/release/rr/plugins/banner.pl Normal file
View File

@ -0,0 +1,127 @@
#-----------------------------------------------------------
# banner
# Get banner information from the SOFTWARE hive file (if any)
#
# Written By:
# Special Agent Brook William Minnick
# Brook_Minnick@doioig.gov
# U.S. Department of the Interior - Office of Inspector General
# Computer Crimes Unit
# 12030 Sunrise Valley Drive Suite 250
# Reston, VA 20191
#-----------------------------------------------------------
package banner;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081119);
sub getConfig{return %config}
sub getShortDescr {
return "Get HKLM\\SOFTWARE.. Logon Banner Values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching banner v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows\\CurrentVersion\\policies\\system";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Logon Banner Information");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# GET LEGALNOTICECAPTION --
my $caption;
eval {
$caption = $key->get_value("Legalnoticecaption")->get_data();
};
if ($@) {
::rptMsg("Legalnoticecaption value not found.");
}
else {
::rptMsg("Legalnoticecaption value = ".$caption);
}
::rptMsg("");
# GET LEGALNOTICETEXT --
my $banner;
eval {
$banner = $key->get_value("Legalnoticetext")->get_data();
};
if ($@) {
::rptMsg("Legalnoticetext value not found.");
}
else {
::rptMsg("Legalnoticetext value = ".$banner);
}
::rptMsg("");
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# GET LEGALNOTICECAPTION --
my $caption2;
eval {
$caption2 = $key->get_value("Legalnoticecaption")->get_data();
};
if ($@) {
::rptMsg("Legalnoticecaption value not found.");
}
else {
::rptMsg("Legalnoticecaption value = ".$caption2);
}
::rptMsg("");
# GET LEGALNOTICETEXT --
my $banner2;
eval {
$banner2 = $key->get_value("Legalnoticetext")->get_data();
};
if ($@) {
::rptMsg("Legalnoticetext value not found.");
}
else {
::rptMsg("Legalnoticetext value = ".$banner2);
}
::rptMsg("");
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

107
RecentActivity/release/rr/plugins/bho.pl Normal file
View File

@ -0,0 +1,107 @@
#-----------------------------------------------------------
# bho
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package bho;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20080418);
sub getConfig{return %config}
sub getShortDescr {
return "Gets Browser Helper Objects from Software hive";
}
sub getDescr{}
sub getRefs {
my %refs = ("Browser Helper Objects" =>
"http://msdn2.microsoft.com/en-us/library/bb250436.aspx");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my %bhos;
::logMsg("Launching bho v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects";;
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Browser Helper Objects");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar (@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
next if ($name =~ m/^-/);
my $clsid_path = "Classes\\CLSID\\".$name;
my $clsid;
if ($clsid = $root_key->get_subkey($clsid_path)) {
my $class;
my $mod;
my $lastwrite;
eval {
$class = $clsid->get_value("")->get_data();
$bhos{$name}{class} = $class;
};
if ($@) {
::logMsg("\tError getting Class name for CLSID\\".$name);
::logMsg("\t".$@);
}
eval {
$mod = $clsid->get_subkey("InProcServer32")->get_value("")->get_data();
$bhos{$name}{module} = $mod;
};
if ($@) {
::logMsg("\tError getting Module name for CLSID\\".$name);
::logMsg("\t".$@);
}
eval{
$lastwrite = $clsid->get_subkey("InProcServer32")->get_timestamp();
$bhos{$name}{lastwrite} = $lastwrite;
};
if ($@) {
::logMsg("\tError getting LastWrite time for CLSID\\".$name);
::logMsg("\t".$@);
}
foreach my $b (keys %bhos) {
::rptMsg($b);
::rptMsg("\tClass => ".$bhos{$b}{class});
::rptMsg("\tModule => ".$bhos{$b}{module});
::rptMsg("\tLastWrite => ".gmtime($bhos{$b}{lastwrite}));
::rptMsg("");
}
}
else {
::rptMsg($clsid_path." not found.");
::rptMsg("");
::logMsg($clsid_path." not found.");
}
}
}
else {
::rptMsg($key_path." has no subkeys. No BHOs installed.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

81
RecentActivity/release/rr/plugins/bitbucket.pl Normal file
View File

@ -0,0 +1,81 @@
#-----------------------------------------------------------
# bitbucket
# Get HKLM\..\BitBucket keys\values (if any)
#
# Change history
# 20091020 - Updated; collected additional values
#
# References
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package bitbucket;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080418);
sub getConfig{return %config}
sub getShortDescr {
return "Get HKLM\\..\\BitBucket keys\\values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching bitbucket v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
eval {
my $global = $key->get_value("UseGlobalSettings")->get_data();
::rptMsg("UseGlobalSettings = ".$global);
};
eval {
my $nuke = $key->get_value("NukeOnDelete")->get_data();
::rptMsg("NukeOnDelete = ".$nuke);
};
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg($key_path."\\".$s->get_name());
::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)");
eval {
my $vol = $s->get_value("VolumeSerialNumber")->get_data();
::rptMsg("VolumeSerialNumber = 0x".uc(sprintf "%1x",$vol));
};
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

71
RecentActivity/release/rr/plugins/bitbucket_user.pl Normal file
View File

@ -0,0 +1,71 @@
#-----------------------------------------------------------
# bitbucket_user
# Get HKLM\..\BitBucket keys\values (if any)
#
# Change history
#
# References
#
# NOTE: In limited testing, the volume letter subkeys beneath the
# BitBucket key appear to be volatile.
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package bitbucket_user;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20091020);
sub getConfig{return %config}
sub getShortDescr {
return "TEST - Get user BitBucket values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching bitbucket_user v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg($key_path."\\".$s->get_name());
::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)");
eval {
my $purge = $s->get_value("NeedToPurge")->get_data();
::rptMsg(" NeedToPurge = ".$purge);
};
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

63
RecentActivity/release/rr/plugins/brisv.pl Normal file
View File

@ -0,0 +1,63 @@
#-----------------------------------------------------------
# brisv.pl
# Plugin to detect the presence of Trojan.Brisv.A
# Symantec write-up: http://www.symantec.com/security_response/writeup.jsp
# ?docid=2008-071823-1655-99
#
# Change History:
# 20090210: Created
#
# Info on URLAndExitCommandsEnabled value:
# http://support.microsoft.com/kb/828026
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package brisv;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090210);
sub getConfig{return %config}
sub getShortDescr {
return "Detect artifacts of a Troj\.Brisv\.A infection";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching brisv v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\PIMSRV";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $mp_path = "Software\\Microsoft\\MediaPlayer\\Preferences";
my $url;
eval {
$url = $key->get_subkey($mp_path)->get_value("URLAndExitCommandsEnabled")->get_data();
::rptMsg($mp_path."\\URLAndExitCommandsEnabled value set to ".$url);
};
# if an error occurs within the eval{} statement, do nothing
}
else {
::rptMsg($key_path." not found.");
}
}
1;

120
RecentActivity/release/rr/plugins/clampi.pl Normal file
View File

@ -0,0 +1,120 @@
#-----------------------------------------------------------
# clampi.pl
# Checks keys/values set by new version of Trojan.Clampi
#
# Change history
# 20091019 - created
#
# NOTE: This is purely a test plugin, and based solely on the below
# reference. It has not been tested on any systems that were
# known to be infected.
#
# References
# http://www.symantec.com/connect/blogs/inside-trojanclampi-stealing-your-information
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package clampi;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20091019);
sub getConfig{return %config}
sub getShortDescr {
return "TEST - Checks for keys set by Trojan\.Clampi PROT module";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching clampi v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $count = 0;
my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my ($form1, $form2, $form3);
eval {
$form1 = $key->get_value("Use FormSuggest")->get_data();
::rptMsg("\tUse FormSuggest = ".$form1);
$count++ if ($form1 eq "true");
};
eval {
$form2 = $key->get_value("FormSuggest_Passwords")->get_data();
::rptMsg("\tFormSuggest_Passwords = ".$form2);
$count++ if ($form2 eq "true");
};
eval {
$form3 = $key->get_value("FormSuggest_PW_Ask")->get_data();
::rptMsg("\tUse FormSuggest = ".$form3);
$count++ if ($form3 eq "no");
};
}
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $auto;
eval {
$auto = $key->get_value("AutoSuggest")->get_data();
::rptMsg("\tAutoSuggest = ".$auto);
$count++ if ($auto eq "true");
};
}
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
my $key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $prompt;
eval {
$prompt = $key->get_value("POP3 Prompt for Password")->get_data();
::rptMsg("\tPOP3 Prompt for Password = ".$prompt);
$count++ if ($prompt eq "true");
};
}
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
if ($count == 5) {
::rptMsg("The system may have been infected with the Trojan.Clampi PROT module.");
}
else {
::rptMsg("The system does not appear to have been infected with the Trojan.Clampi");
::rptMsg("PROT module.");
}
}
1;

78
RecentActivity/release/rr/plugins/clampitm.pl Normal file
View File

@ -0,0 +1,78 @@
#-----------------------------------------------------------
# clampitm.pl
# Checks keys/values set by new version of Trojan.Clampi
#
# Change history
# 20100624 - created
#
# NOTE: This is purely a test plugin, and based solely on the below
# reference. It has not been tested on any systems that were
# known to be infected.
#
# References
# http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/ilomo_external.pdf
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package clampitm;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100624);
sub getConfig{return %config}
sub getShortDescr {
return "Checks for IOCs for Clampi (per Trend Micro)";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching clampitm v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $count = 0;
my $key_path = 'Software\\Microsoft\\Internet Explorer\\Settings';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("ClampiTM plugin");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $tag = 1;
my @list = qw/GatesList GID KeyE KeyM PID/;
my @vals = $key->get_list_of_values();
if (scalar (@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
if (grep(/$name/,@list)) {
::rptMsg(sprintf "%-10s %-30s",$name,$v->get_data());
$tag = 0;
}
}
if ($tag) {
::rptMsg("No Clampi values found.");
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

80
RecentActivity/release/rr/plugins/clsid.pl Normal file
View File

@ -0,0 +1,80 @@
#-----------------------------------------------------------
# clsid.pl
# Plugin to extract file association data from the Software hive file
# Can take considerable time to run; recommend running it via rip.exe
#
# History
# 20100227 - created
#
# References
# http://msdn.microsoft.com/en-us/library/ms724475%28VS.85%29.aspx
#
# copyright 2010, Quantum Analytics Research, LLC
#-----------------------------------------------------------
package clsid;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100227);
sub getConfig{return %config}
sub getShortDescr {
return "Get list of CLSID/registered classes";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my %clsid;
::logMsg("Launching clsid v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Classes\\CLSID";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# First step will be to get a list of all of the file extensions
my %ext;
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
my $name = $s->get_name();
eval {
my $n = $s->get_value("")->get_data();
$name .= " ".$n unless ($n eq "");
};
push(@{$clsid{$s->get_timestamp()}},$name);
}
foreach my $t (reverse sort {$a <=> $b} keys %clsid) {
::rptMsg(gmtime($t)." Z");
foreach my $item (@{$clsid{$t}}) {
::rptMsg(" ".$item);
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

75
RecentActivity/release/rr/plugins/cmd_shell.pl Normal file
View File

@ -0,0 +1,75 @@
#-----------------------------------------------------------
# cmd_shell
#
#
# Change History
# 20100830 - added "cs" shell command to the path
# 20080328 - created
#
# References
# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?
# Name=TrojanClicker%3AWin32%2FVB.GE
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package cmd_shell;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20100830);
sub getConfig{return %config}
sub getShortDescr {
return "Gets shell open cmds for various file types";
}
sub getDescr{}
sub getRefs {
my %refs = ("You Are Unable to Start a Program with an .exe File Extension" =>
"http://support.microsoft.com/kb/310585");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching cmd_shell v.".$VERSION);
my @shells = ("exe","cmd","bat","cs","hta","pif");
foreach my $sh (@shells) {
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Classes\\".$sh."file\\shell\\open\\command";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("cmd_shell");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $val;
eval {
$val = $key->get_value("")->get_data();
::rptMsg("\tCmd: ".$val);
};
::rptMsg("Error: ".$@) if ($@);
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
::rptMsg("");
}
1;

75
RecentActivity/release/rr/plugins/codeid.pl Normal file
View File

@ -0,0 +1,75 @@
#-----------------------------------------------------------
# codeid
# Get DefaultLevel value from CodeIdentifiers key
#
#
# Change History
# 20100608 - created
#
# References
# SANS ISC blog - http://isc.sans.edu/diary.html?storyid=8917
# CodeIdentifiers key
# - http://technet.microsoft.com/en-us/library/bb457006.aspx
# SAFER_LEVELID_FULLYTRUSTED value
# - http://msdn.microsoft.com/en-us/library/ms722424%28VS.85%29.aspx
# (262144 == Unrestricted)
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package codeid;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100608);
sub getConfig{return %config}
sub getShortDescr {
return "Gets CodeIdentifier DefaultLevel value";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching codeid v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("CodeID");
::rptMsg($key_path);
my $lastwrite = $key->get_timestamp();
::rptMsg(" LastWrite time: ".gmtime($lastwrite)." Z");
::rptMsg("");
my $level;
eval {
$level = $key->get_value("DefaultLevel")->get_data();
::rptMsg(sprintf "DefaultLevel = 0x%08x",$level);
};
my $exe;
eval {
$exe = $key->get_value("ExecutableTypes")->get_data();
$exe =~ s/\s/,/g;
::rptMsg("ExecutableTypes = ".$exe);
};
}
else {
::rptMsg($key_path." not found.");
}
}
1;

145
RecentActivity/release/rr/plugins/comdlg32.pl Normal file
View File

@ -0,0 +1,145 @@
#-----------------------------------------------------------
# comdlg32.pl
# Plugin for Registry Ripper
#
# Change history
# 20100402 - updated IAW Chad Tilbury's post to SANS
# Forensic Blog
# 20080324 - created
#
# References
# Win2000 - http://support.microsoft.com/kb/319958
# XP - http://support.microsoft.com/kb/322948/EN-US/
#
# copyright 20100402 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package comdlg32;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100402);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's ComDlg32 key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching comdlg32 v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
::rptMsg("comdlg32 v.".$VERSION);
# LastVistedMRU
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU";
my $key;
my @vals;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("ComDlg32\\LastVisitedMRU");
::rptMsg("**All values printed in MRUList order.");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my %lvmru;
my @mrulist;
@vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
if (exists $lvmru{MRUList}) {
::rptMsg(" MRUList = ".$lvmru{MRUList});
@mrulist = split(//,$lvmru{MRUList});
delete($lvmru{MRUList});
foreach my $m (@mrulist) {
my ($file,$dir) = split(/\00\00/,$lvmru{$m},2);
$file =~ s/\00//g;
$dir =~ s/\00//g;
::rptMsg(" ".$m." -> EXE: ".$file);
::rptMsg(" -> Last Dir: ".$dir);
}
}
else {
::rptMsg($key_path." does not have an MRUList value.");
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
# OpenSaveMRU
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU";
my $key;
my @vals;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("ComDlg32\\OpenSaveMRU");
::rptMsg("**All values printed in MRUList order.");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# First, process OpenSaveMRU key values
parseOpenSaveValues($key);
::rptMsg("");
# Now, let's get the subkeys
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
parseOpenSaveValues($s);
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
sub parseOpenSaveValues {
my $key = shift;
::rptMsg("OpenSaveMRU\\".$key->get_name());
::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." Z");
my %osmru;
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
map{$osmru{$_->get_name()} = $_->get_data()}(@vals);
if (exists $osmru{MRUList}) {
::rptMsg(" MRUList = ".$osmru{MRUList});
my @mrulist = split(//,$osmru{MRUList});
delete($osmru{MRUList});
foreach my $m (@mrulist) {
::rptMsg(" ".$m." -> ".$osmru{$m});
}
}
else {
::rptMsg($key->get_name()." does not have an MRUList value.");
}
}
else {
::rptMsg($key->get_name()." has no values.");
}
}
1;

225
RecentActivity/release/rr/plugins/comdlg32a.pl Normal file
View File

@ -0,0 +1,225 @@
#-----------------------------------------------------------
# comdlg32a.pl
# Plugin for Registry Ripper
#
# Change history
# 20100409 - updated to include Vista and above
# 20100402 - updated IAW Chad Tilbury's post to SANS
# Forensic Blog
# 20080324 - created
#
# References
# Win2000 - http://support.microsoft.com/kb/319958
# XP - http://support.microsoft.com/kb/322948/EN-US/
#
# copyright 20100402 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package comdlg32a;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100409);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's ComDlg32 key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching comdlg32a v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
::rptMsg("comdlg32 v.".$VERSION);
# LastVistedMRU
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32";
my $key;
my @vals;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @subkeys = $key->get_list_of_subkeys();
if (scalar @subkeys > 0) {
foreach my $s (@subkeys) {
parseLastVisitedMRU($s) if ($s->get_name() eq "LastVisitedMRU");
parseOpenSaveMRU($s) if ($s->get_name() eq "OpenSaveMRU");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
}
sub parseLastVisitedMRU {
my $key = shift;
my %lvmru;
my @mrulist;
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
if (exists $lvmru{MRUList}) {
::rptMsg(" MRUList = ".$lvmru{MRUList});
@mrulist = split(//,$lvmru{MRUList});
delete($lvmru{MRUList});
foreach my $m (@mrulist) {
my ($file,$dir) = split(/\00\00/,$lvmru{$m},2);
$file =~ s/\00//g;
$dir =~ s/\00//g;
::rptMsg(" ".$m." -> EXE: ".$file);
::rptMsg(" -> Last Dir: ".$dir);
}
}
else {
::rptMsg("LastVisitedMRU key does not have an MRUList value.");
}
}
else {
::rptMsg("LastVisitedMRU key has no values.");
}
::rptMsg("");
}
sub parseOpenSaveMRU {
my $key = shift;
parseOpenSaveValues($key);
::rptMsg("");
# Now, let's get the subkeys
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
parseOpenSaveValues($s);
::rptMsg("");
}
}
else {
::rptMsg("OpenSaveMRU key has no subkeys.");
}
::rptMsg("");
}
sub parseOpenSaveValues {
my $key = shift;
::rptMsg("OpenSaveMRU\\".$key->get_name());
::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." Z");
my %osmru;
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
map{$osmru{$_->get_name()} = $_->get_data()}(@vals);
if (exists $osmru{MRUList}) {
::rptMsg(" MRUList = ".$osmru{MRUList});
my @mrulist = split(//,$osmru{MRUList});
delete($osmru{MRUList});
foreach my $m (@mrulist) {
::rptMsg(" ".$m." -> ".$osmru{$m});
}
}
else {
::rptMsg($key->get_name()." does not have an MRUList value.");
}
}
else {
::rptMsg($key->get_name()." has no values.");
}
}
sub parseCIDSizeMRU {
my $key = shift;
my %lvmru;
my @mrulist;
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
if (exists $lvmru{MRUListEx}) {
delete($lvmru{MRUListEx});
foreach my $m (keys %lvmru) {
my $file = parseStr($lvmru{$m});
my $str = sprintf "%-4s ".$file,$m;
::rptMsg(" ".$str);
}
}
else {
::rptMsg($key_path." does not have an MRUList value.");
}
}
else {
::rptMsg($key_path." has no values.");
}
}
sub parseLastVisitedPidlMRU {
my $key = shift;
my %lvmru;
my @mrulist;
@vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
if (exists $lvmru{MRUListEx}) {
delete($lvmru{MRUListEx});
foreach my $m (keys %lvmru) {
my $file = parseStr($lvmru{$m});
my $str = sprintf "%-4s ".$file,$m;
::rptMsg(" ".$str);
}
}
else {
::rptMsg("LastVisitedPidlMRU key does not have an MRUList value.");
}
}
else {
::rptMsg("LastVisitedPidlMRU key has no values.");
}
}
sub parseStr {
my $data = $_[0];
my $temp;
my $tag = 1;
my $ofs = 0;
while ($tag) {
my $t = substr($data,$ofs,2);
if (unpack("v",$t) == 0x00) {
$tag = 0;
}
else {
$temp .= $t;
$ofs += 2;
}
}
$temp =~ s/\00//g;
return $temp;
}
1;

65
RecentActivity/release/rr/plugins/compdesc.pl Normal file
View File

@ -0,0 +1,65 @@
#-----------------------------------------------------------
# compdesc.pl
# Plugin for Registry Ripper,
# ComputerDescriptions key parser
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package compdesc;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's ComputerDescriptions key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching compdesc v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("ComputerDescriptions");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
::rptMsg(" ".$v->get_name()." ".$v->get_data());
}
}
else {
::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

75
RecentActivity/release/rr/plugins/compname.pl Normal file
View File

@ -0,0 +1,75 @@
#-----------------------------------------------------------
# compname.pl
# Plugin for Registry Ripper; Access System hive file to get the
# computername
#
# Change history
# 20090727 - added Hostname
#
# References
# http://support.microsoft.com/kb/314053/
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package compname;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20090727);
sub getConfig{return %config}
sub getShortDescr {
return "Gets ComputerName and Hostname values from System hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching compname v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my ($current,$ccs);
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $cn_path = $ccs."\\Control\\ComputerName\\ComputerName";
my $cn;
if ($cn = $root_key->get_subkey($cn_path)) {
my $name = $cn->get_value("ComputerName")->get_data();
::rptMsg("ComputerName = ".$name);
}
else {
::rptMsg($cn_path." not found.");
::logMsg($cn_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
my $hostname;
eval {
my $host_path = $ccs."\\Services\\Tcpip\\Parameters";
$hostname = $root_key->get_subkey($host_path)->get_value("Hostname")->get_data();
::rptMsg("TCP/IP Hostname = ".$hostname);
};
}
1;

64
RecentActivity/release/rr/plugins/controlpanel.pl Normal file
View File

@ -0,0 +1,64 @@
#-----------------------------------------------------------
# controlpanel.pl
# Vista ControlPanel key seems to contain some interesting info about the
# user's activities...
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package controlpanel;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 64,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080428);
sub getConfig{return %config}
sub getShortDescr {
return "Look for RecentTask* values in ControlPanel key (Vista)";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching controlpanel v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
::rptMsg("Analysis Tip: The RecentTask* entries appear to only be populated through the");
::rptMsg("choices in the Control Panel Home view (in Vista). As each new choice is");
::rptMsg("selected, the most recent choice is added as RecentTask1, and each ");
::rptMsg("RecentTask* entry is incremented and pushed down in the stack.");
::rptMsg("");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $str = sprintf "%-15s %-45s",$v->get_name(),$v->get_data();
::rptMsg($str);
}
::rptMsg("");
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

72
RecentActivity/release/rr/plugins/cpldontload.pl Normal file
View File

@ -0,0 +1,72 @@
#-----------------------------------------------------------
# cpldontload.pl
# Check contents of user's Control Panel\don't load key
#
# Change history
# 20100116 - created
#
# References
# W32.Nekat - http://www.symantec.com/security_response/
# writeup.jsp?docid=2008-011419-0705-99&tabid=2
# http://www.2-viruses.com/remove-antispywarexp2009
#
# Notes: Some malware appears to hide various Control Panel applets
# using this means. If some sort of malware/spyware is thought
# to be on the system, check the settings and note the key
# LastWrite time.
#
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package cpldontload;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100116);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's Control Panel don't load key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching cpldontload v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = "Control Panel\\don\'t load";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @vals = $key->get_list_of_values();
if (scalar @vals > 0) {
foreach my $v (@vals) {
my $str = sprintf "%-20s %-5s",$v->get_name(),$v->get_data();
::rptMsg($str);
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

93
RecentActivity/release/rr/plugins/crashcontrol.pl Normal file
View File

@ -0,0 +1,93 @@
#-----------------------------------------------------------
# crashcontrol.pl
#
# Ref:
# http://support.microsoft.com/kb/254649
# http://support.microsoft.com/kb/274598
#
# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package crashcontrol;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081212);
sub getConfig{return %config}
sub getShortDescr {
return "Get crash control information";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %dumpenabled = (0 => "None",
1 => "Complete memory dump",
2 => "Kernel memory dump",
3 => "Small (64kb) memory dump");
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching crashcontrol v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $cc_path = "ControlSet00".$current."\\Control\\CrashControl";
my $cc;
if ($cc = $root_key->get_subkey($cc_path)) {
eval {
my $cde = $cc->get_value("CrashDumpEnabled")->get_data();
::rptMsg("CrashDumpEnabled = ".$cde." [".$dumpenabled{$cde}."]");
};
eval {
my $df = $cc->get_value("DumpFile")->get_data();
::rptMsg("DumpFile = ".$df);
};
eval {
my $mini = $cc->get_value("MinidumpDir")->get_data();
::rptMsg("MinidumpDir = ".$mini);
};
eval {
my $logevt = $cc->get_value("LogEvent")->get_data();
::rptMsg("LogEvent = ".$logevt);
::rptMsg(" Logs an event to the System Event Log (event ID = 1001, source = Save Dump)") if ($logevt == 1);
};
eval {
my $sendalert = $cc->get_value("SendAlert")->get_data();
::rptMsg("SendAlert = ".$sendalert);
::rptMsg(" Sends a \'net send\' pop-up if a crash occurs") if ($sendalert == 1);
};
}
else {
::rptMsg($cc_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

115
RecentActivity/release/rr/plugins/crashdump.pl Normal file
View File

@ -0,0 +1,115 @@
#-----------------------------------------------------------
# crashdump.pl
# Author: Don C. Weber
# Plugin for Registry Ripper; Access System hive file to get the
# crashdump settings from System hive
#
# Change history
#
#
# References
# Overview of memory dump file options for Windows Server 2003, Windows XP, and Windows 2000: http://support.microsoft.com/kb/254649/
#
# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
#-----------------------------------------------------------
package crashdump;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20081219);
sub getConfig{return %config}
sub getShortDescr {
return "Gets crashdump settings from System hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching crashdump v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $ccs = "ControlSet00".$current;
my $win_path = $ccs."\\Control\\CrashControl";
my $win;
if ($win = $root_key->get_subkey($win_path)) {
::rptMsg("CrashControl Configuration");
::rptMsg($win_path);
::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)");
}
else {
::rptMsg($win_path." not found.");
}
my %vals = getKeyValues($win);
if (scalar(keys %vals) > 0) {
foreach my $v (keys %vals) {
if ($v eq "CrashDumpEnabled"){
if ($vals{$v} == 0x00){
::rptMsg("\t".$v." -> None");
} elsif ($vals{$v} == 0x01){
::rptMsg("\t".$v." -> Complete memory dump");
} elsif ($vals{$v} == 0x02){
::rptMsg("\t".$v." -> Kernel memory dump");
} elsif ($vals{$v} == 0x03){
::rptMsg("\t".$v." -> Small memory dump (64KB)");
} else{
::rptMsg($v." has no value.");
}
}else{
if (($v eq "MinidumpDir") || ($v eq "DumpFile")){
::rptMsg("\t".$v." location ".$vals{$v});
} else{
($vals{$v}) ? ::rptMsg("\t".$v." is Enabled") : ::rptMsg("\t".$v." is Disabled");
}
}
}
}
else {
# ::rptMsg($key_path." has no values.");
}
::rptMsg("");
::rptMsg("Analysis Tips: For crash dump information and tools check http://support.microsoft.com/kb/254649/");
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
sub getKeyValues {
my $key = shift;
my %vals;
my @vk = $key->get_list_of_values();
if (scalar(@vk) > 0) {
foreach my $v (@vk) {
next if ($v->get_name() eq "" && $v->get_data() eq "");
$vals{$v->get_name()} = $v->get_data();
}
}
else {
}
return %vals;
}
1;

143
RecentActivity/release/rr/plugins/ctrlpnl.pl Normal file
View File

@ -0,0 +1,143 @@
#-----------------------------------------------------------
# ctrlpnl.pl
# Get Control Panel info from the Software hive
#
# Change history:
# 20100116 - created
#
# References:
# http://support.microsoft.com/kb/292463
# http://learning.infocollections.com/ebook%202/Computer/
# Operating%20Systems/Windows/Windows.XP.Hacks/
# 0596005113_winxphks-chp-2-sect-3.html
# http://msdn.microsoft.com/en-us/library/cc144195%28VS.85%29.aspx
#
# Notes:
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package ctrlpnl;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100116);
sub getConfig{return %config}
sub getShortDescr {
return "Get Control Panel info from Software hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %comp;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching ctrlpnl v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows\\CurrentVersion\\Control Panel";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("");
::rptMsg($key_path);
::rptMsg("");
# Cpls section
if (my $cpl = $key->get_subkey("Cpls")) {
my @vals = $cpl->get_list_of_values();
if (scalar @vals > 0) {
::rptMsg("Cpls key");
foreach my $v (@vals) {
my $str = sprintf "%-10s %-50s",$v->get_name(),$v->get_data();
::rptMsg($str);
}
::rptMsg("");
}
else {
::rptMsg("Cpls key has no values.");
}
}
else {
::rptMsg("Cpls key not found.");
}
# don't load section
# The 'don't load' key prevents applets from being loaded
# Be sure to check the user's don't load key, as well
if (my $cpl = $key->get_subkey("don't load")) {
my @vals = $cpl->get_list_of_values();
if (scalar @vals > 0) {
::rptMsg("don't load key");
foreach my $v (@vals) {
::rptMsg($v->get_name());
}
::rptMsg("");
}
else {
::rptMsg("don't load key has no values.");
}
}
else {
::rptMsg("don't load key not found.");
}
# Extended Properties section
if (my $ext = $key->get_subkey("Extended Properties")) {
my @sk = $ext->get_list_of_subkeys();
if (scalar @sk > 0) {
foreach my $s (@sk) {
my @vals = $s->get_list_of_values();
if (scalar @vals > 0) {
::rptMsg($s->get_name()." [".gmtime($s->get_timestamp)." UTC]");
# Ref: http://support.microsoft.com/kb/292463
my %cat = (0x00000000 => "Other Control Panel Options",
0x00000001 => "Appearance and Themes",
0x00000002 => "Printers and Other Hardware",
0x00000003 => "Network and Internet Connections",
0x00000004 => "Sounds, Speech, and Audio Devices",
0x00000005 => "Performance and Maintenance",
0x00000006 => "Date, Time, Language, and Regional Options",
0x00000007 => "Accessibility Options",
0xFFFFFFFF => "No Category");
my %prop;
foreach my $v (@vals) {
push(@{$prop{$v->get_data()}},$v->get_name());
}
foreach my $t (sort {$a <=> $b} keys %prop) {
(exists $cat{$t}) ? (::rptMsg($cat{$t})) : (::rptMsg("Category ".$t));
foreach my $i (@{$prop{$t}}) {
::rptMsg(" ".$i);
}
::rptMsg("");
}
}
}
::rptMsg("");
}
else {
::rptMsg("Extended Properties key has no subkeys.");
}
}
else {
::rptMsg("Extended Properties key not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

82
RecentActivity/release/rr/plugins/ddm.pl Normal file
View File

@ -0,0 +1,82 @@
#-----------------------------------------------------------
# ddm.pl
#
# History:
# 20081129 - created
#
# Note - Not really sure what this is for or could be used for, other
# than to show devices that had been connected to the system
#
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package ddm;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081129);
sub getConfig{return %config}
sub getShortDescr {
return "Get DDM data from Control Subkey";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching ddm v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $ccs = "ControlSet00".$current;
my $key_path = $ccs."\\Control\\DDM";
my $key;
my %dev;
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys();
if (scalar (@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
my $tag = (split(/\./,$name,2))[1];
$dev{$tag}{timestamp} = $s->get_timestamp();
eval {
$dev{$tag}{make} = $s->get_value("MakeName")->get_data();
$dev{$tag}{model} = $s->get_value("ModelName")->get_data();
};
}
foreach my $d (sort keys %dev) {
::rptMsg(gmtime($dev{$d}{timestamp})."Z Device\.".$d." ".$dev{$d}{make}." ".$dev{$d}{model});
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
# ::logMsg($key_path." not found.");
}
}
else {
::logMsg("Current value not found.");
}
}
1;

78
RecentActivity/release/rr/plugins/defbrowser.pl Normal file
View File

@ -0,0 +1,78 @@
#-----------------------------------------------------------
# defbrowser.pl
# Get default browser information - check #1 can apply to HKLM
# as well as to HKCU
#
# Change History:
# 20091116 - Added Check #1
# 20081105 - created
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package defbrowser;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20091116);
sub getConfig{return %config}
sub getShortDescr {
return "Gets default browser setting from HKLM";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching defbrowser v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Clients\\StartMenuInternet";
if (my $key = $root_key->get_subkey($key_path)) {
::rptMsg("Default Browser Check #1");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $browser = $key->get_value("")->get_data();
::rptMsg("Default Browser : ".$browser);
}
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
my $key_path = "Classes\\HTTP\\shell\\open\\command";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Default Browser Check #2");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $browser;
eval {
$browser = $key->get_value("")->get_data();
};
if ($@) {
::rptMsg("Error locating default browser setting.");
}
else {
::rptMsg("Default Browser = ".$browser);
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

125
RecentActivity/release/rr/plugins/devclass.pl Normal file
View File

@ -0,0 +1,125 @@
#-----------------------------------------------------------
# devclass
# Get USB device info from the DeviceClasses keys in the System
# hive (Disks and Volumes GUIDs)
#
# Change History:
# 20100901 - spelling error in output corrected
# 20080331 - created
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package devclass;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100901);
sub getConfig{return %config}
sub getShortDescr {
return "Get USB device info from the DeviceClasses keys in the System hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching devclass v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $ccs;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
}
else {
::logMsg("Could not find ".$key_path);
return
}
# Get devices from the Disk GUID
my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("DevClasses - Disks");
::rptMsg($key_path);
::rptMsg("");
my %disks;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
next unless (grep(/USBSTOR/,$name));
my $lastwrite = $s->get_timestamp();
my ($dev, $serial) = (split(/#/,$name))[4,5];
push(@{$disks{$lastwrite}},$dev.",".$serial);
}
foreach my $t (reverse sort {$a <=> $b} keys %disks) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$disks{$t}}) {
::rptMsg("\t$item");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
::rptMsg("");
# Get devices from the Volume GUID
my $key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("DevClasses - Volumes");
::rptMsg($key_path);
::rptMsg("");
my %vols;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
next unless (grep(/RemovableMedia/,$name));
my $lastwrite = $s->get_timestamp();
my $ppi = (split(/#/,$name))[5];
push(@{$vols{$lastwrite}},$ppi);
}
foreach my $t (reverse sort {$a <=> $b} keys %vols) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$vols{$t}}) {
::rptMsg("\tParentIdPrefix: ".$item);
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

63
RecentActivity/release/rr/plugins/dfrg.pl Normal file
View File

@ -0,0 +1,63 @@
#-----------------------------------------------------------
# dfrg.pl
# Gets contents of Dfrg\BootOptimizeFunction key
#
# Change history:
# 20110321 - created
#
# References
# http://technet.microsoft.com/en-us/library/cc784391%28WS.10%29.aspx
#
# copyright 2011 Quantum Analytics Research, LLC (keydet89@yahoo.com)
#-----------------------------------------------------------
package dfrg;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20110321);
sub getConfig{return %config}
sub getShortDescr {
return "Gets content of Dfrg BootOptim. key";
}
sub getDescr{}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching dfrg v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Dfrg\\BootOptimizeFunction";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Dfrg");
::rptMsg($key_path);
::rptMsg("");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
::rptMsg(sprintf "%-20s %-20s",$v->get_name(),$v->get_data());
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

73
RecentActivity/release/rr/plugins/disablelastaccess.pl Normal file
View File

@ -0,0 +1,73 @@
#-----------------------------------------------------------
# disablelastaccess.pl
#
# References:
# http://support.microsoft.com/kb/555041
# http://support.microsoft.com/kb/894372
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package disablelastaccess;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090118);
sub getConfig{return %config}
sub getShortDescr {
return "Get NTFSDisableLastAccessUpdate value";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching disablelastaccess v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
my $ccs;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
}
my $key_path = $ccs."\\Control\\FileSystem";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("NtfsDisableLastAccessUpdate");
::rptMsg($key_path);
my @vals = $key->get_list_of_values();
my $found = 0;
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
if ($v->get_name() eq "NtfsDisableLastAccessUpdate") {
::rptMsg("NtfsDisableLastAccessUpdate = ".$v->get_data());
$found = 1;
}
}
::rptMsg("NtfsDisableLastAccessUpdate value not found.") if ($found == 0);
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

69
RecentActivity/release/rr/plugins/dllsearch.pl Normal file
View File

@ -0,0 +1,69 @@
#-----------------------------------------------------------
# dllsearch.pl
#
# References:
# http://support.microsoft.com/kb/2264107
#
# Change History:
# 20100824: created
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package dllsearch;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100824);
sub getConfig{return %config}
sub getShortDescr {
return "Get crash control information";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching dllsearch v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $cc_path = "ControlSet00".$current."\\Control\\Session Manager";
my $cc;
if ($cc = $root_key->get_subkey($cc_path)) {
::rptMsg("dllsearch v.".$VERSION);
::rptMsg("");
my $found = 1;
eval {
my $cde = $cc->get_value("CWDIllegalInDllSearch")->get_data();
$found = 0;
::rptMsg(sprintf "CWDIllegalInDllSearch = 0x%x",$cde);
};
::rptMsg("CWDIllegalInDllSearch value not found.") if ($found);
}
else {
::rptMsg($cc_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

74
RecentActivity/release/rr/plugins/domains.pl Normal file
View File

@ -0,0 +1,74 @@
#-----------------------------------------------------------
# domains.pl
#
#
# Change history
# 20100116 - Created
#
# References
# http://support.microsoft.com/kb/919748
# http://support.microsoft.com/kb/922704
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package domains;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100116);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents Internet Settings\\ZoneMap\\Domains key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching domains v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap";
my $key;
if ($key = $root_key->get_subkey($key_path."\\Domains")) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
my @vals = $s->get_list_of_values();
if (scalar @vals > 0) {
foreach my $v (@vals) {
::rptMsg(" ".$v->get_name()." -> ".$v->get_data);
}
}
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

77
RecentActivity/release/rr/plugins/drwatson.pl Normal file
View File

@ -0,0 +1,77 @@
#-----------------------------------------------------------
# drwatson.pl
# Author: Don C. Weber
# Plugin for Registry Ripper; Access Software hive file to get the
# Dr. Watson settings from Software hive
#
# Change history
#
#
# References
# Dr Watson: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html
#
# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
#-----------------------------------------------------------
package drwatson;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20081219);
sub getConfig{return %config}
sub getShortDescr {
return "Gets Dr. Watson settings from Software hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching drwatson v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AeDebug";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
($key->get_value('Auto') == 0x0) ? ::rptMsg("Debugging is Disabled") : ::rptMsg("Debugging is Enabled");
eval {
::rptMsg("Debugger: ".$key->get_value('Debugger')->get_data());
};
} else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
::rptMsg("");
my $key_path = "Microsoft\\DrWatson";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
($key->get_value('LogFilePath')) ? ::rptMsg("DrWatson LogFile Path location: ".$key->get_value('LogFilePath')->get_data()) : ::rptMsg("DrWatson LogFile Path location: %SystemRoot%\\Documents and Settings\\All Users\\Documents\\DrWatson");
($key->get_value('CreateCrashDump') == 0x0) ? ::rptMsg("CreateCrashDump is Disabled") : ::rptMsg("CreateCrashDump is Enabled");
($key->get_value('CrashDumpFile')) ? ::rptMsg("Crash Dump Path and Name: ".$key->get_value('CrashDumpFile')->get_data()) : ::rptMsg("CrashDumpFile is not set");
($key->get_value('AppendToLogFile') == 0x0) ? ::rptMsg("AppendToLogFile is set to create a new file each time") : ::rptMsg("AppendToLogFile is set to append");
} else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
::rptMsg("");
::rptMsg("Analysis Tips: For Dr. Watson settings information check: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html");
}
1;

78
RecentActivity/release/rr/plugins/esent.pl Normal file
View File

@ -0,0 +1,78 @@
#-----------------------------------------------------------
# esent
# Get contents of Esent\Process key from Software hive
#
# Note: Not sure why I wrote this one; just thought it might come
# in handy as info about this key is developed.
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package esent;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20101202);
sub getConfig{return %config}
sub getShortDescr {
return "Get ESENT\\Process key contents";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching esent v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\ESENT\\Process";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
my %esent;
foreach my $s (@sk) {
my $sk = $s->get_subkey("DEBUG");
# my $lw = $s->get_timestamp();
my $lw = $sk->get_timestamp();
my $name = $s->get_name();
push(@{$esent{$lw}},$name);
}
foreach my $t (reverse sort {$a <=> $b} keys %esent) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$esent{$t}}) {
::rptMsg(" $item");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

156
RecentActivity/release/rr/plugins/eventlog.pl Normal file
View File

@ -0,0 +1,156 @@
#-----------------------------------------------------------
# eventlog.pl
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package eventlog;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090112);
sub getConfig{return %config}
sub getShortDescr {
return "Get EventLog configuration info";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching eventlog v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $evt_path = "ControlSet00".$current."\\Services\\Eventlog";
my $evt;
if ($evt = $root_key->get_subkey($evt_path)) {
::rptMsg("");
my @subkeys = $evt->get_list_of_subkeys();
if (scalar (@subkeys) > 0) {
foreach my $s (@subkeys) {
my $logname = $s->get_name();
::rptMsg($logname." \\ ".scalar gmtime($s->get_timestamp())."Z");
eval {
my $file = $s->get_value("File")->get_data();
::rptMsg(" File = ".$file);
};
eval {
my $display = $s->get_value("DisplayNameFile")->get_data();
::rptMsg(" DisplayNameFile = ".$display);
};
eval {
my $max = $s->get_value("MaxSize")->get_data();
::rptMsg(" MaxSize = ".processSize($max));
};
eval {
my $ret = $s->get_value("Retention")->get_data();
::rptMsg(" Retention = ".processRetention($ret));
};
# AutoBackupLogFiles; http://support.microsoft.com/kb/312571/
eval {
my $auto = $s->get_value("AutoBackupLogFiles")->get_data();
::rptMsg(" AutoBackupLogFiles = ".$auto);
};
# Check WarningLevel value on Security EventLog; http://support.microsoft.com/kb/945463
eval {
if ($logname eq "Security") {
my $wl = $s->get_value("WarningLevel")->get_data();
::rptMsg(" WarningLevel = ".$wl);
}
};
::rptMsg("");
}
}
else {
::rptMsg($evt_path." has no subkeys.");
}
}
else {
::rptMsg($evt_path." not found.");
::logMsg($evt_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;
sub processSize {
my $sz = shift;
my $kb = 1024;
my $mb = $kb * 1024;
my $gb = $mb * 1024;
if ($sz > $gb) {
my $d = $sz/$gb;
my $l = length((split(/\./,$d,2))[0]) + 2;
return sprintf "%$l.2fGB",$d;
}
elsif ($sz > $mb) {
my $d = $sz/$mb;
my $l = length((split(/\./,$d,2))[0]) + 2;
return sprintf "%$l.2fMB",$d;
}
elsif ($sz > $kb) {
my $d = $sz/$kb;
my $l = length((split(/\./,$d,2))[0]) + 2;
return sprintf "%$l.2fKB",$d;
}
else {return $sz."B"};
}
sub processRetention {
# Retention maintained in seconds
# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/
# regentry/30709.mspx?mfr=true
my $ret = shift;
my $min = 60;
my $hr = $min * 60;
my $day = $hr * 24;
if ($ret > $day) {
my $d = $ret/$day;
my $l = length((split(/\./,$d,2))[0]) + 2;
return sprintf "%$l.2f days",$d;
}
elsif ($ret > $hr) {
my $d = $ret/$hr;
my $l = length((split(/\./,$d,2))[0]) + 2;
return sprintf "%$l.2f hr",$d;
}
elsif ($ret > $min) {
my $d = $ret/$min;
my $l = length((split(/\./,$d,2))[0]) + 2;
return sprintf "%$l.2f min",$d;
}
else {return $ret." sec"};
}

98
RecentActivity/release/rr/plugins/eventlogs.pl Normal file
View File

@ -0,0 +1,98 @@
#-----------------------------------------------------------
# eventlogs.pl
# Author: Don C. Weber
# Plugin for Registry Ripper; Access System hive file to get the
# Event Log settings from System hive
#
# Change history
#
#
# References
# Eventlog Key: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx
#
# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
#-----------------------------------------------------------
package eventlogs;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20081219);
sub getConfig{return %config}
sub getShortDescr {
return "Gets Event Log settings from System hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching eventlogs v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $ccs = "ControlSet00".$current;
my $win_path = $ccs."\\Services\\Eventlog";
my $win;
if ($win = $root_key->get_subkey($win_path)) {
::rptMsg("EventLog Configuration");
::rptMsg($win_path);
::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)");
my $cn;
if ($cn = $win->get_value("ComputerName")->get_data()) {
::rptMsg("ComputerName = ".$cn);
}
else {
::rptMsg("ComputerName value not found.");
}
}
else {
::rptMsg($win_path." not found.");
}
# Cycle through each type of log
my $logname;
my $evpath;
my $evlog;
my @list_logs = $win->get_list_of_subkeys();
foreach $logname (@list_logs){
::rptMsg("");
$evpath = $win_path."\\".$logname->get_name();
if ($evlog = $root_key->get_subkey($evpath)) {
::rptMsg(" ".$logname->get_name()." EventLog");
::rptMsg(" ".$evpath);
::rptMsg(" LastWrite Time ".gmtime($evlog->get_timestamp())." (UTC)");
::rptMsg(" Configuration Settings");
::rptMsg(" Log location: ".$evlog->get_value('File')->get_data());
::rptMsg(" Log Size: ".$evlog->get_value('MaxSize')->get_data()." Bytes");
($evlog->get_value('AutoBackupLogFiles') == 0x0) ? ::rptMsg(" AutoBackupLogFiles is Disabled") : ::rptMsg(" AutoBackupLogFiles is Enabled")
}
else {
::rptMsg($logname->get_name()." Event Log not found.");
}
}
::rptMsg("");
::rptMsg("Analysis Tips: For Event Log settings information check: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx");
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

73
RecentActivity/release/rr/plugins/fileexts.pl Normal file
View File

@ -0,0 +1,73 @@
#-----------------------------------------------------------
# fileexts.pl
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package fileexts;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080818);
sub getConfig{return %config}
sub getShortDescr {
return "Get user FileExts values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching fileexts v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("fileexts");
::rptMsg($key_path);
::rptMsg("");
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
my $name = $s->get_name();
next unless ($name =~ m/^\.\w+/);
eval {
my $data = $s->get_subkey("OpenWithList")->get_value("MRUList")->get_data();
if ($data =~ m/^\w/) {
::rptMsg("File Extension: ".$name);
::rptMsg("LastWrite: ".gmtime($s->get_subkey("OpenWithList")->get_timestamp()));
::rptMsg("MRUList: ".$data);
my @list = split(//,$data);
foreach my $l (@list) {
my $valdata = $s->get_subkey("OpenWithList")->get_value($l)->get_data();
::rptMsg(" ".$l." => ".$valdata);
}
::rptMsg("");
}
};
}
}
else {
::rptMsg($key_path." does not have subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

95
RecentActivity/release/rr/plugins/findexes.pl Normal file
View File

@ -0,0 +1,95 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# findexes.pl
# Plugin for RegRipper; traverses through a Registry hive,
# looking for values with binary data types, and checks to see
# if they start with "MZ"; if so, records the value path, key
# LastWrite time, and length of the data
#
# Change history
# 20090728 - Created
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package findexes;
use strict;
my %config = (hive => "All",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20090728);
sub getConfig{return %config}
sub getShortDescr {
return "Scans a hive file looking for binary value data that contains MZ";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %vals;
my $bin_count = 0;
my $exe_count = 0;
sub pluginmain {
my $class = shift;
my $file = shift;
my $reg = Parse::Win32Registry->new($file);
my $root_key = $reg->get_root_key;
::logMsg("Launching findexes v.".$VERSION);
traverse($root_key);
# Data structure containing findings is a hash of hashes
foreach my $k (keys %vals) {
::rptMsg("Key: ".$k." LastWrite time: ".gmtime($vals{$k}{lastwrite}));
foreach my $i (keys %{$vals{$k}}) {
next if ($i eq "lastwrite");
::rptMsg(" Value: ".$i." Length: ".$vals{$k}{$i}." bytes");
}
::rptMsg("");
}
::rptMsg("Number of values w/ binary data types: ".$bin_count);
::rptMsg("Number of values w/ MZ in binary data: ".$exe_count);
}
sub traverse {
my $key = shift;
# my $ts = $key->get_timestamp();
foreach my $val ($key->get_list_of_values()) {
my $type = $val->get_type();
if ($type == 0 || $type == 3) {
$bin_count++;
my $data = $val->get_data();
# This code looks for data that starts with MZ
# my $i = unpack("v",substr($data,0,2));
# if ($i == 0x5a4d) {
if (grep(/MZ/,$data)) {
$exe_count++;
my $path;
my @p = split(/\\/,$key->get_path());
if (scalar(@p) == 1) {
$path = "root";
}
else {
shift(@p);
$path = join('\\',@p);
}
$vals{$path}{lastwrite} = $key->get_timestamp();
$vals{$path}{$val->get_name()} = length($data);
}
}
}
foreach my $subkey ($key->get_list_of_subkeys()) {
traverse($subkey);
}
}
1;

116
RecentActivity/release/rr/plugins/fw_config.pl Normal file
View File

@ -0,0 +1,116 @@
#-----------------------------------------------------------
# fw_config
#
# References
# http://technet2.microsoft.com/WindowsServer/en/library/47f25d7d-
# 882b-4f87-b05f-31e5664fc15e1033.mspx?mfr=true
#
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package fw_config;
use strict;
my %config = (hive => "System",
osmask => 20,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080328);
sub getConfig{return %config}
sub getShortDescr {
return "Gets the Windows Firewall config from the System hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching fw_config v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $ccs;
my $select_path = 'Select';
my $sel;
if ($sel = $root_key->get_subkey($select_path)) {
$current = $sel->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
}
else {
::rptMsg($select_path." could not be found.");
::logMsg($select_path." could not be found.");
return;
}
my @profiles = ("DomainProfile","StandardProfile");
foreach my $profile (@profiles) {
my $key_path = $ccs."\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\".$profile;
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Windows Firewall Configuration");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my %vals = getKeyValues($key);
if (scalar(keys %vals) > 0) {
foreach my $v (keys %vals) {
::rptMsg("\t".$v." -> ".$vals{$v});
}
}
else {
# ::rptMsg($key_path." has no values.");
}
my @configs = ("RemoteAdminSettings",
"IcmpSettings",
"GloballyOpenPorts\\List",
"AuthorizedApplications\\List");
foreach my $config (@configs) {
eval {
my %vals = getKeyValues($key->get_subkey($config));
if (scalar(keys %vals) > 0) {
::rptMsg("");
::rptMsg($key_path."\\".$config);
::rptMsg("LastWrite Time ".gmtime($key->get_subkey($config)->get_timestamp())." (UTC)");
foreach my $v (keys %vals) {
::rptMsg("\t".$v." -> ".$vals{$v});
}
}
};
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
::rptMsg("");
} # end foreach
}
sub getKeyValues {
my $key = shift;
my %vals;
my @vk = $key->get_list_of_values();
if (scalar(@vk) > 0) {
foreach my $v (@vk) {
next if ($v->get_name() eq "" && $v->get_data() eq "");
$vals{$v->get_name()} = $v->get_data();
}
}
else {
}
return %vals;
}
1;

71
RecentActivity/release/rr/plugins/gthist.pl Normal file
View File

@ -0,0 +1,71 @@
#-----------------------------------------------------------
# gthist.pl
# Google Toolbar Search History plugin
#
#
# Change history
# 20100218 - created
#
# References
#
#
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package gthist;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100218);
sub getConfig{return %config}
sub getShortDescr {
return "Gets Google Toolbar Search History";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
my %hist;
::logMsg("Launching gthist v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Google\\NavClient\\1.1\\History';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values();
if (scalar @vals > 0) {
::rptMsg("");
foreach my $v (@vals) {
my $tv = unpack("V",$v->get_data());
$hist{$tv} = $v->get_name();
}
foreach my $t (reverse sort {$a <=> $b} keys %hist) {
my $str = gmtime($t)." ".$hist{$t};
::rptMsg($str);
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

74
RecentActivity/release/rr/plugins/gtwhitelist.pl Normal file
View File

@ -0,0 +1,74 @@
#-----------------------------------------------------------
# gtwhitelist.pl
# Google Toolbar Search History plugin
#
#
# Change history
# 20100218 - created
#
# References
#
#
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package gtwhitelist;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100218);
sub getConfig{return %config}
sub getShortDescr {
return "Gets Google Toolbar whitelist values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
my %hist;
::logMsg("Launching gtwhitelist v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Google\\Google Toolbar\\4.0\\whitelist';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $allow2;
eval {
$allow2 = $key->get_value("allow2")->get_data();
my @vals = split(/\|/,$allow2);
::rptMsg("");
::rptMsg("whitelist");
foreach my $v (@vals) {
next if ($v eq "");
::rptMsg(" ".$v);
}
::rptMsg("");
};
my $lastmod;
eval {
$lastmod = $key->get_value("lastmod")->get_data();
::rptMsg("lastmod ".gmtime($lastmod)." (UTC)");
};
}
else {
::rptMsg($key_path." not found.");
}
}
1;

78
RecentActivity/release/rr/plugins/hibernate.pl Normal file
View File

@ -0,0 +1,78 @@
#-----------------------------------------------------------
# hibernate.pl
#
# Ref:
# http://support.microsoft.com/kb/293399 & testing
#
# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package hibernate;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081216);
sub getConfig{return %config}
sub getShortDescr {
return "Check hibernation status";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching hibernate v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $ccs = "ControlSet00".$current;
my $power_path = $ccs."\\Control\\Session Manager\\Power";
my $power;
if ($power = $root_key->get_subkey($power_path)) {
my $heur;
eval {
my $bin_val = $power->get_value("Heuristics")->get_data();
$heur = (unpack("v*",$bin_val))[3];
if ($heur == 0) {
::rptMsg("Hibernation disabled.");
}
elsif ($heur == 1) {
::rptMsg("Hibernation enabled.");
}
else {
::rptMsg("Unknown hibernation value: ".$heur);
}
};
::rptMsg("Error reading Heuristics value.") if ($@);
}
else {
::rptMsg($power_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
# ::logMsg($key_path." not found.");
}
}
1;

123
RecentActivity/release/rr/plugins/ide.pl Normal file
View File

@ -0,0 +1,123 @@
#-----------------------------------------------------------
# ide.pl
# Get IDE device info from the System hive file
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package ide;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080418);
sub getConfig{return %config}
sub getShortDescr {
return "Get IDE device info from the System hive file";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching ide v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
::rptMsg("IDE");
# Code for System file, getting CurrentControlSet
my $current;
my $ccs;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
}
else {
::logMsg("Could not find ".$key_path);
return
}
my $key_path = $ccs."\\Enum\\IDE";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg("");
::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]");
my @sk = $s->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s2 (@sk) {
::rptMsg($s2->get_name()." [".gmtime($s2->get_timestamp())." (UTC)]");
eval {
::rptMsg("FriendlyName : ".$s2->get_value("FriendlyName")->get_data());
};
::rptMsg("");
}
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("DevClasses - Disks");
::rptMsg($key_path);
my %disks;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
next unless (grep(/IDE/,$name));
my $lastwrite = $s->get_timestamp();
my ($dev, $serial) = (split(/#/,$name))[4,5];
push(@{$disks{$lastwrite}},$dev.",".$serial);
}
if (scalar(keys %disks) == 0) {
::rptMsg("No IDE subkeys were found.");
return;
}
::rptMsg("");
foreach my $t (reverse sort {$a <=> $b} keys %disks) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$disks{$t}}) {
::rptMsg("\t$item");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

82
RecentActivity/release/rr/plugins/ie_main.pl Normal file
View File

@ -0,0 +1,82 @@
#-----------------------------------------------------------
# ie_main.pl
# Checks keys/values set by new version of Trojan.Clampi
#
# Change history
# 20091019 - created
#
#
# References
# http://support.microsoft.com/kb/895339
# http://support.microsoft.com/kb/176497
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package ie_main;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20091019);
sub getConfig{return %config}
sub getShortDescr {
return "Gets values beneath user's Internet Explorer\\Main key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching ie_main v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my %main;
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
my $data = $v->get_data();
next if ($name eq "Window_Placement");
$data = unpack("V",$data) if ($name eq "Do404Search");
if ($name eq "IE8RunOnceLastShown_TIMESTAMP" || $name eq "IE8TourShownTime") {
my ($t0,$t1) = unpack("VV",$data);
$data = gmtime(::getTime($t0,$t1))." UTC";
}
$main{$name} = $data;
}
foreach my $n (keys %main) {
my $str = sprintf "%-35s %-20s",$n,$main{$n};
::rptMsg($str);
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

72
RecentActivity/release/rr/plugins/ie_settings.pl Normal file
View File

@ -0,0 +1,72 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# ie_settings.pl
# Gets IE settings
#
# Change history
#
#
# References
#
#
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package ie_settings;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20091016);
sub getConfig{return %config}
sub getShortDescr {
return "Gets IE settings";
}
sub getDescr{}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching ie_settings v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $ua;
eval {
$ua = $key->get_value("User Agent")->get_data();
::rptMsg("User Agent = ".$ua);
};
my $zonessecupgrade;
eval {
$zonessecupgrade = $key->get_value("ZonesSecurityUpgrade")->get_data();
my ($z0,$z1) = unpack("VV",$zonessecupgrade);
::rptMsg("ZonesSecurityUpgrade = ".gmtime(::getTime($z0,$z1))." (UTC)");
};
my $daystokeep;
eval {
$daystokeep = $key->get_subkey("Url History")->get_value("DaysToKeep")->get_data();
::rptMsg("DaysToKeep = ".$daystokeep);
};
}
else {
::rptMsg($key_path." not found.");
}
}
1;

60
RecentActivity/release/rr/plugins/ie_version.pl Normal file
View File

@ -0,0 +1,60 @@
#-----------------------------------------------------------
# ie_version
# Get IE version and build
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package ie_version;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20091016);
sub getConfig{return %config}
sub getShortDescr {
return "Get IE version and build";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching ie_version v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Internet Explorer";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $version;
my $build;
eval {
$build = $key->get_value("Build")->get_data();
::rptMsg("IE Build = ".$build);
};
eval {
$version= $key->get_value("Version")->get_data();
::rptMsg("IE Version = ".$version);
};
}
else {
::rptMsg($key_path." not found.");
}
}
1;

85
RecentActivity/release/rr/plugins/imagedev.pl Normal file
View File

@ -0,0 +1,85 @@
#-----------------------------------------------------------
# imagedev.pl
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package imagedev;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080730);
sub getConfig{return %config}
sub getShortDescr {
return " -- ";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching imagedev v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $ccs;
eval {
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
}
};
if ($@) {
::rptMsg("Problem locating proper controlset: $@");
return;
}
my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("imagedev");
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
::rptMsg("Still Image Capture Devices");
foreach my $s (@sk) {
my $name = $s->get_name();
next unless ($name =~ m/^\d{4}$/);
my $friendly;
eval {
$friendly = $s->get_value("FriendlyName")->get_data();
::rptMsg(" ".$friendly);
};
if ($@) {
::logMsg("Error getting device FriendlyName in imagedev: ".$@);
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

99
RecentActivity/release/rr/plugins/imagefile.pl Normal file
View File

@ -0,0 +1,99 @@
#-----------------------------------------------------------
# imagefile
#
# References:
# http://msdn2.microsoft.com/en-us/library/a329t4ed(VS\.80)\.aspx
# http://support.microsoft.com/kb/2264107
#
# Change history:
# 20100824 - added check for "CWDIllegalInDllSearch" value
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package imagefile;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100824);
sub getConfig{return %config}
sub getShortDescr {
return "Checks IFEO subkeys for Debugger/CWDIllegalInDllSearch values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching imagefile v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Image File Execution Options");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
my %debug;
my $i = "Your Image File Name here without a path";
foreach my $s (@subkeys) {
my $name = $s->get_name();
next if ($name =~ m/^$i/i);
my $debugger = "";
eval {
$debugger = $s->get_value("Debugger")->get_data();
};
# If the eval{} throws an error, it's b/c the Debugger value isn't
# found within the key, so we don't need to do anything w/ the error
if ($debugger ne "") {
$debug{$name}{debug} = $debugger;
$debug{$name}{lastwrite} = $s->get_timestamp();
}
my $dllsearch = "";
eval {
$dllsearch = $s->get_value("CWDIllegalInDllSearch")->get_data();
};
# If the eval{} throws an error, it's b/c the Debugger value isn't
# found within the key, so we don't need to do anything w/ the error
if ($dllsearch ne "") {
$debug{$name}{dllsearch} = $debugger;
$debug{$name}{lastwrite} = $s->get_timestamp();
}
}
if (scalar (keys %debug) > 0) {
foreach my $d (keys %debug) {
::rptMsg($d." LastWrite: ".gmtime($debug{$d}{lastwrite}));
::rptMsg(" Debugger : ".$debug{$d}{debug}) if (exists $debug{$d}{debug});
::rptMsg(" CWDIllegalInDllSearch: ".$debug{$d}{dllsearch}) if (exists $debug{$d}{dllsearch});
}
}
else {
::rptMsg("No Debugger/CWDIllegalInDllSearch values found.");
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

77
RecentActivity/release/rr/plugins/init_dlls.pl Normal file
View File

@ -0,0 +1,77 @@
#-----------------------------------------------------------
# init_dlls.pl
# Plugin to assist in the detection of malware per Mark Russinovich's
# blog post (References, below)
#
# Change History:
# 20110309 - created
#
# References
# http://blogs.technet.com/b/markrussinovich/archive/2011/02/27/3390475.aspx
#
# copyright 2011 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package init_dlls;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20110309);
sub getConfig{return %config}
sub getShortDescr {
return "Check for odd **pInit_Dlls keys";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my @init;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching init_dlls v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Windows";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("init_dlls");
::rptMsg($key_path);
::rptMsg("LastWrite: ".gmtime($key->get_timestamp()));
::rptMsg("");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
next if ($name eq "AppInit_DLLs");
push(@init,$name) if ($name =~ m/Init_DLLs$/);
}
if (scalar @init > 0) {
foreach my $n (@init) {
::rptMsg($n);
}
}
else {
::rptMsg("No additional values named *Init_DLLs located.");
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

120
RecentActivity/release/rr/plugins/installedcomp.pl Normal file
View File

@ -0,0 +1,120 @@
#-----------------------------------------------------------
# installedcomp.pl
# Get info about Installed Components
#
# Change history:
# 20100116 - updated for slightly better coverage
# 20100115 - created
#
# References:
#
# Notes: Look for out of place entries, particularly those
# that point to the Recycle Bin or a temp directory
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package installedcomp;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100116);
sub getConfig{return %config}
sub getShortDescr {
return "Get info about Installed Components/StubPath";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %comp;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching installedcomp v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Active Setup\\Installed Components";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $lastwrite = $s->get_timestamp();
my $str;
eval {
$str = $s->get_value("ComponentID")->get_data();
};
eval {
my $ver = $s->get_value("Version")->get_data();
$str .= " v.".$ver if ($ver && $s->get_value("Version")->get_type() == 1);
};
eval {
my $stub = $s->get_value("StubPath")->get_data();
$str .= "; ".$stub if ($stub ne "");
};
# If the $str scalar is empty at this point, that means that for
# some reason, we haven't been able to populate the information
# we're looking for; in this case, we'll go looking for some info
# in a different area of the hive; the BHO.pl plugin does this, as
# well. I'd rather that the plugin look for the Classes info than
# leave a blank entry in the output.
if ($str eq "") {
my $name = $s->get_name();
my $class_path = "Classes\\CLSID\\".$name;
my $proc;
if ($proc = $root_key->get_subkey($class_path)) {
# Try these two eval{} statements because I've seen the different
# spellings for InProcServer32/InprocServer32 in sequential keys
eval {
$str = $proc->get_subkey("InprocServer32")->get_value("")->get_data();
};
eval {
$str = $proc->get_subkey("InProcServer32")->get_value("")->get_data();
};
}
else {
$str = $name." class not found.";
}
}
push(@{$comp{$lastwrite}},$str);
}
foreach my $t (reverse sort {$a <=> $b} keys %comp) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$comp{$t}}) {
::rptMsg(" ".$item);
}
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

67
RecentActivity/release/rr/plugins/javafx.pl Normal file
View File

@ -0,0 +1,67 @@
#-----------------------------------------------------------
# javafx.pl
# Plugin written based on Cory Harrell's Exploit Artifacts posts at
# http://journeyintoir.blogspot.com/
#
# Change history
# 20110322 - created
#
# References
# http://java.sun.com/j2se/1.4.2/runtime_win32.html
#
# copyright 2011 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package javafx;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20110322);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's JavaFX key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching javafx v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\JavaSoft\\Java Update\\Policy\\JavaFX";
my $key;
my @vals;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("javafx v.".$VERSION);
::rptMsg($key_path);
::rptMsg("LastWrite time: ".gmtime($key->get_timestamp()));
::rptMsg("");
@vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
::rptMsg(sprintf "%-25s %-20s",$v->get_name(), $v->get_data());
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

90
RecentActivity/release/rr/plugins/kb950582.pl Normal file
View File

@ -0,0 +1,90 @@
#-----------------------------------------------------------
# kb950582.pl
# Get autorun settings WRT KB950582
#
# Change history
# 18 Dec 2008 - Updated to new name; added checks for Registry
# keys
#
# References
# http://support.microsoft.com/kb/953252
# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit
# /regentry/91525.mspx?mfr=true
#
# copyright 2008-2009 H. Carvey
#-----------------------------------------------------------
package kb950582;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20081212);
sub getConfig{return %config}
sub getShortDescr {
return "KB950582 - Gets autorun settings from HKLM hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching kb950582 v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
eval {
my $path = "Microsoft\\Windows\\CurrentVersion\\Uninstall\\KB950582";
if (my $kbkey = $root_key->get_subkey($path)) {
my $install = $kbkey->get_value("InstallDate")->get_data();
::rptMsg("KB950528 Uninstall Key ".gmtime($kbkey->get_timestamp()));
::rptMsg(" InstallDate = ".$install."\n");
}
};
::rptMsg("Uninstall\\KB950528 does not appear to be installed.\n") if ($@);
eval {
my $path = "Microsoft\\Updates\\Windows XP\\SP4\\KB950582";
if (my $kbkey = $root_key->get_subkey($path)) {
my $install = $kbkey->get_value("InstalledDate")->get_data();
::rptMsg("KB950528 Update Key ".gmtime($kbkey->get_timestamp()));
::rptMsg(" InstalledDate = ".$install."\n");
}
};
::rptMsg("KB950528 does not appear to be installed.\n") if ($@);
my $key_path = "Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
eval {
my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data();
my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive;
::rptMsg($str);
};
::rptMsg("Error: ".$@) if ($@);
# http://support.microsoft.com/kb/953252
eval {
my $honor = $key->get_value("HonorAutorunSetting")->get_data();
my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor;
::rptMsg($str);
};
::rptMsg("HonorAutorunSetting not found.") if ($@);
::rptMsg("");
::rptMsg("Autorun settings in the HKLM hive take precedence over those in");
::rptMsg("the HKCU hive.");
}
else {
::rptMsg($key_path." not found.");
}
}
1;

65
RecentActivity/release/rr/plugins/kbdcrash.pl Normal file
View File

@ -0,0 +1,65 @@
#-----------------------------------------------------------
# kbdcrash.pl
#
# Ref:
# http://support.microsoft.com/kb/244139
#
# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package kbdcrash;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081212);
sub getConfig{return %config}
sub getShortDescr {
return "Checks to see if system is config to crash via keyboard";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my $enabled = 0;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching kbdcrash v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $svc = "ControlSet00".$current."\\Services";
eval {
my $ps2 = $svc->get_subkey("i8042prt\\Parameters")->get_value("CrashOnCtrlScroll")->get_data();
::rptMsg("CrashOnCtrlScroll set for PS2 keyboard") if ($ps2 == 1);
$enabled = 1 if ($ps2 == 1);
};
eval {
my $usb = $svc->get_subkey("kbdhid\\Parameters")->get_value("CrashOnCtrlScroll")->get_data();
::rptMsg("CrashOnCtrlScroll set for USB keyboard") if ($usb == 1);
$enabled = 1 if ($usb == 1);
};
::rptMsg("CrashOnCtrlScroll not set");
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

71
RecentActivity/release/rr/plugins/landesk.pl Normal file
View File

@ -0,0 +1,71 @@
#-----------------------------------------------------------
# LANDESK Monitor Logs
#
#
# Change history
# 20090729 - updates, H. Carvey
#
# copyright 2009 Don C. Weber
#-----------------------------------------------------------
package landesk;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090729);
sub getConfig{return %config}
sub getShortDescr {
return "Get list of programs monitored by LANDESK from Software hive file";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %ls;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching LANDESK v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "LANDesk\\ManagementSuite\\WinClient\\SoftwareMonitoring\\MonitorLog";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
eval {
my ($val1,$val2) = unpack("VV",$s->get_value("Last Started")->get_data());
# Push the data into a hash of arrays
push(@{$ls{::getTime($val1,$val2)}},$s->get_name());
};
}
foreach my $t (reverse sort {$a <=> $b} keys %ls) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$ls{$t}}) {
::rptMsg("\t$item");
}
}
}
else {
::rptMsg($key_path." does not appear to have any subkeys.")
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

96
RecentActivity/release/rr/plugins/legacy.pl Normal file
View File

@ -0,0 +1,96 @@
#-----------------------------------------------------------
# legacy.pl
#
#
# Change history
# 20090429 - created
#
# Reference: http://support.microsoft.com/kb/310592
#
#
# Analysis Tip:
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package legacy;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20090429);
sub getConfig{return %config}
sub getShortDescr {
return "Lists LEGACY_ entries in Enum\\Root key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key();
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $ccs = "ControlSet00".$current;
my $root_path = $ccs."\\Enum\\Root";
my %legacy;
if (my $root = $root_key->get_subkey($root_path)) {
my @sk = $root->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
my $name = $s->get_name();
next unless ($name =~ m/^LEGACY_/);
push(@{$legacy{$s->get_timestamp()}},$name);
eval {
my @s_sk = $s->get_list_of_subkeys();
if (scalar(@s_sk) > 0) {
foreach my $s_s (@s_sk) {
my $desc;
eval {
$desc = $s_s->get_value("DeviceDesc")->get_data();
push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()." - ".$desc);
};
push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()) if ($@);
}
}
};
}
}
else {
::rptMsg($root_path." has no subkeys.");
}
foreach my $t (reverse sort {$a <=> $b} keys %legacy) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$legacy{$t}}) {
::rptMsg("\t$item");
}
}
}
else {
::rptMsg($root_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

69
RecentActivity/release/rr/plugins/listsoft.pl Normal file
View File

@ -0,0 +1,69 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# listsoft.pl
# Plugin for Registry Ripper; traverses thru the Software
# key of an NTUSER.DAT file, extracting all of the subkeys
# and listing them in order by LastWrite time.
#
# Change history
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package listsoft;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Lists contents of user's Software key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $file = shift;
my $reg = Parse::Win32Registry->new($file);
my $root_key = $reg->get_root_key;
::logMsg("Launching listsoft v.".$VERSION);
my %soft;
my $key_path = 'Software';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("listsoft v.".$VERSION);
::rptMsg("List the contents of the Software key in the NTUSER\.DAT hive");
::rptMsg("file, in order by LastWrite time.");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
push(@{$soft{$s->get_timestamp()}},$s->get_name());
}
foreach my $t (reverse sort {$a <=> $b} keys %soft) {
foreach my $item (@{$soft{$t}}) {
::rptMsg(gmtime($t)."Z \t".$item);
}
}
}
else {
::logMsg($key_path." has no subkeys.");
}
}
else {
::logMsg("Could not access ".$key_path);
}
}
1;

81
RecentActivity/release/rr/plugins/load.pl Normal file
View File

@ -0,0 +1,81 @@
#-----------------------------------------------------------
# load.pl
# The load and run values in the Windows NT\CurrentVersion\Windows
# key are throw-backs to the old win.ini file, and can be/are used
# by malware.
#
# Change history
# 20100811 - created
#
# References
# http://support.microsoft.com/kb/103865
# http://security.fnal.gov/cookbook/WinStartup.html
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package load;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100811);
sub getConfig{return %config}
sub getShortDescr {
return "Gets load and run values from user hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching load v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("load");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
::rptMsg("");
my %win;
foreach my $v (@vals) {
$win{$v->get_name()} = $v->get_data();
}
if (exists $win{"load"}) {
::rptMsg("load = ".$win{"load"});
}
else {
::rptMsg("load value not found.");
}
if (exists $win{"run"}) {
::rptMsg("run = ".$win{"run"});
}
else {
::rptMsg("run value not found.");
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

98
RecentActivity/release/rr/plugins/logon_xp_run.pl Normal file
View File

@ -0,0 +1,98 @@
#-----------------------------------------------------------
# logon_xp_run
# Get contents of Run key from Software hive
#
# References:
# http://support.microsoft.com/kb/314488
#
# Note: Needs testing to see if it applies beyond XP/XP-64
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package logon_xp_run;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 12,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080328);
sub getConfig{return %config}
sub getShortDescr {
return "Autostart - Get XP user logon Run key contents from NTUSER\.DAT hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching user_xp_run v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my %vals = getKeyValues($key);
if (scalar(keys %vals) > 0) {
foreach my $v (keys %vals) {
::rptMsg("\t".$v." -> ".$vals{$v});
}
}
else {
::rptMsg($key_path." has no values.");
}
# my @sk = $key->get_list_of_subkeys();
# if (scalar(@sk) > 0) {
# foreach my $s (@sk) {
# ::rptMsg("");
# ::rptMsg($key_path."\\".$s->get_name());
# ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
# my %vals = getKeyValues($s);
# foreach my $v (keys %vals) {
# ::rptMsg("\t".$v." -> ".$vals{$v});
# }
# }
# }
# else {
# ::rptMsg("");
# ::rptMsg($key_path." has no subkeys.");
# }
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
sub getKeyValues {
my $key = shift;
my %vals;
my @vk = $key->get_list_of_values();
if (scalar(@vk) > 0) {
foreach my $v (@vk) {
next if ($v->get_name() eq "" && $v->get_data() eq "");
$vals{$v->get_name()} = $v->get_data();
}
}
else {
# do nothing
}
return %vals;
}
1;

68
RecentActivity/release/rr/plugins/logonusername.pl Normal file
View File

@ -0,0 +1,68 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# logonusername.pl
# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
# "Logon User Name" value
#
# Change history
#
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package logonusername;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Get user's Logon User Name value";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching logonusername v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $logon_name = "Logon User Name";
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
::rptMsg("Logon User Name");
::rptMsg($key_path);
::rptMsg("LastWrite Time [".gmtime($key->get_timestamp())." (UTC)]");
foreach my $v (@vals) {
if ($v->get_name() eq $logon_name) {
::rptMsg($logon_name." = ".$v->get_data());
}
}
}
else {
::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

71
RecentActivity/release/rr/plugins/lsasecrets.pl Normal file
View File

@ -0,0 +1,71 @@
#-----------------------------------------------------------
# lsasecrets.pl
# Get update times for LSA Secrets from the Security hive file
#
# History
# 20100219 - created
#
# References
# http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package lsasecrets;
use strict;
my %config = (hive => "Security",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100219);
sub getConfig{return %config}
sub getShortDescr {
return "TEST - Get update times for LSA Secrets";
}
sub getDescr{}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching lsasecrets v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Policy\\Secrets";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
#
# http://support.microsoft.com/kb/175468
eval {
::rptMsg("");
::rptMsg("Domain secret - \$MACHINE\.ACC");
my $c = $key->get_subkey("\$MACHINE\.ACC\\CupdTime")->get_value("")->get_data();
my @v = unpack("VV",$c);
my $cupd = gmtime(::getTime($v[0],$v[1]));
::rptMsg("CupdTime = ".$cupd);
my $o = $key->get_subkey("\$MACHINE\.ACC\\OupdTime")->get_value("")->get_data();
my @v = unpack("VV",$c);
my $oupd = gmtime(::getTime($v[0],$v[1]));
::rptMsg("OupdTime = ".$oupd);
};
::rptMsg("Error: ".$@) if ($@);
}
else {
::rptMsg($key_path." not found.");
}
}
1;

156
RecentActivity/release/rr/plugins/macaddr.pl Normal file
View File

@ -0,0 +1,156 @@
#-----------------------------------------------------------
# macaddr.pl
# Attempt to locate MAC address in either Software or System hive files;
# The plugin will determine which one its in and use the appropriate
# code
#
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package macaddr;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090118);
sub getConfig{return %config}
sub getShortDescr {
return " -- ";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching macaddr v.".$VERSION);
my $guess = guessHive($hive);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
if ($guess eq "System") {
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $ccs = "ControlSet00".$current;
my $key_path = $ccs."\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002bE10318}";
my $key;
my $found = 0;
::rptMsg($key_path);
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys();
if (scalar (@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
my $na;
eval {
$na = $key->get_subkey($name)->get_value("NetworkAddress")->get_data();
::rptMsg(" ".$name.": NetworkAddress = ".$na);
$found = 1;
};
}
::rptMsg("No NetworkAddress value found.") if ($found == 0);
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
elsif ($guess eq "Software") {
my $key_path = "Microsoft\\Windows Genuine Advantage";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
my $mac;
my $found = 0;
eval {
$mac = $key->get_value("MAC")->get_data();
::rptMsg("Mac Address(es) = ".$mac);
$found = 1;
};
::rptMsg("No MAC address(es) found.") if ($found == 0);
}
else {
::rptMsg($key_path." not found.");
}
}
else {
::rptMsg("Hive file ".$hive." appeared to be neither a Software nor a");
::rptMsg("System hive file.");
}
}
#-------------------------------------------------------------
# guessHive() - attempts to determine the hive type; if NTUSER.DAT,
# attempt to retrieve the SID for the user; this function populates
# global variables (%config, @sids)
#-------------------------------------------------------------
sub guessHive {
my $hive = shift;
my $hive_guess;
my $reg;
my $root_key;
eval {
$reg = Parse::Win32Registry->new($hive);
$root_key = $reg->get_root_key;
};
::rptMsg($hive." may not be a valid hive.") if ($@);
# Check for SAM
eval {
if (my $key = $root_key->get_subkey("SAM\\Domains\\Account\\Users")) {
$hive_guess = "SAM";
}
};
# Check for Software
eval {
if ($root_key->get_subkey("Microsoft\\Windows\\CurrentVersion") &&
$root_key->get_subkey("Microsoft\\Windows NT\\CurrentVersion")) {
$hive_guess = "Software";
}
};
# Check for System
eval {
if ($root_key->get_subkey("MountedDevices") && $root_key->get_subkey("Select")) {
$hive_guess = "System";
}
};
# Check for Security
eval {
if ($root_key->get_subkey("Policy\\Accounts") && $root_key->get_subkey("Policy\\PolAdtEv")) {
$hive_guess = "Security";
}
};
# Check for NTUSER.DAT
eval {
if ($root_key->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion")) {
$hive_guess = "NTUSER\.DAT";
}
};
return $hive_guess;
}
1;

75
RecentActivity/release/rr/plugins/mmc.pl Normal file
View File

@ -0,0 +1,75 @@
#-----------------------------------------------------------
# mmc.pl
# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
# Microsoft Management Console Recent File List values
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package mmc;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Get contents of user's MMC\\Recent File List key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching mmc v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Microsoft Management Console\\Recent File List';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("MMC - Recent File List");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
my %files;
# Retrieve values and load into a hash for sorting
foreach my $v (@vals) {
my $val = $v->get_name();
my $data = $v->get_data();
my $tag = (split(/File/,$val))[1];
$files{$tag} = $val.":".$data;
}
# Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg(" ".$val." -> ".$data);
}
}
else {
::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

77
RecentActivity/release/rr/plugins/mndmru.pl Normal file
View File

@ -0,0 +1,77 @@
#-----------------------------------------------------------
# mndmru.pl
# Plugin for Registry Ripper,
# Map Network Drive MRU parser
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package mndmru;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Get contents of user's Map Network Drive MRU";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching mndmru v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Map Network Drive MRU");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
my %mnd;
# Retrieve values and load into a hash for sorting
foreach my $v (@vals) {
my $val = $v->get_name();
my $data = $v->get_data();
$mnd{$val} = $data;
}
# Print sorted content to report file
if (exists $mnd{"MRUList"}) {
::rptMsg(" MRUList = ".$mnd{"MRUList"});
delete $mnd{"MRUList"};
}
foreach my $m (sort {$a <=> $b} keys %mnd) {
::rptMsg(" ".$m." ".$mnd{$m});
}
}
else {
::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

101
RecentActivity/release/rr/plugins/mountdev.pl Normal file
View File

@ -0,0 +1,101 @@
#-----------------------------------------------------------
# mountdev.pl
# Plugin for Registry Ripper; Access System hive file to get the
# MountedDevices
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package mountdev;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Return contents of System hive MountedDevices key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching mountdev v.".$VERSION);
::rptMsg("mountdev v.".$VERSION);
::rptMsg("Get MountedDevices key information from the System hive file.");
::rptMsg("");
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'MountedDevices';
my $key;
my %md;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z");
::rptMsg("");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $data = $v->get_data();
my $len = length($data);
if ($len == 12) {
my $sig = _translateBinary(substr($data,0,4));
::rptMsg($v->get_name());
::rptMsg("\tDrive Signature = ".$sig);
}
elsif ($len > 12) {
$data =~ s/\00//g;
push(@{$md{$data}},$v->get_name());
}
else {
::logMsg("mountdev v.".$VERSION."\tData length = $len");
}
}
::rptMsg("");
foreach my $m (keys %md) {
::rptMsg("Device: ".$m);
foreach my $item (@{$md{$m}}) {
::rptMsg("\t".$item);
}
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
sub _translateBinary {
my $str = unpack("H*",$_[0]);
my $len = length($str);
my @nstr = split(//,$str,$len);
my @list = ();
foreach (0..($len/2)) {
push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
}
return join(' ',@list);
}
1;

106
RecentActivity/release/rr/plugins/mountdev2.pl Normal file
View File

@ -0,0 +1,106 @@
#-----------------------------------------------------------
# mountdev2.pl
# Plugin for Registry Ripper; Access System hive file to get the
# MountedDevices
#
# Change history
# 20091116 - changed output
#
# References
#
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package mountdev2;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20091116);
sub getConfig{return %config}
sub getShortDescr {
return "Return contents of System hive MountedDevices key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching mountdev2 v.".$VERSION);
::rptMsg("");
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'MountedDevices';
my $key;
my (%md,%dos,%vol);
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z");
::rptMsg("");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $data = $v->get_data();
my $len = length($data);
if ($len == 12) {
my $sig = _translateBinary(substr($data,0,4));
# my $sig = _translateBinary($data);
$vol{$v->get_name()} = $sig;
}
elsif ($len > 12) {
$data =~ s/\00//g;
push(@{$md{$data}},$v->get_name());
}
else {
::logMsg("mountdev2 v.".$VERSION."\tData length = $len");
}
}
::rptMsg(sprintf "%-50s %-20s","Volume","Disk Sig");
::rptMsg(sprintf "%-50s %-20s","-------","--------");
foreach my $v (sort keys %vol) {
my $str = sprintf "%-50s %-20s",$v,$vol{$v};
::rptMsg($str);
}
::rptMsg("");
foreach my $m (sort keys %md) {
::rptMsg("Device: ".$m);
foreach my $item (@{$md{$m}}) {
::rptMsg("\t".$item);
}
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
sub _translateBinary {
my $str = unpack("H*",$_[0]);
my $len = length($str);
my @nstr = split(//,$str,$len);
my @list = ();
foreach (0..($len/2)) {
push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
}
return join(' ',@list);
}
1;

110
RecentActivity/release/rr/plugins/mountdev3.pl Normal file
View File

@ -0,0 +1,110 @@
#-----------------------------------------------------------
# mountdev3.pl
# Plugin for Registry Ripper; Access System hive file to get the
# MountedDevices
#
# Change history
#
#
# References
#
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package mountdev3;
use Math::BigInt;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20090909);
sub getConfig{return %config}
sub getShortDescr {
return "Return contents of System hive MountedDevices key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
# ::logMsg("Launching mountdev3 v.".$VERSION);
::rptMsg("mountdev3 v.".$VERSION);
::rptMsg("Get MountedDevices key information from the System hive file.");
::rptMsg("");
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'MountedDevices';
my $key;
my %md;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z");
::rptMsg("");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $data = $v->get_data();
my $len = length($data);
if ($len == 12) {
my $sig = _translateBinary(substr($data,0,4));
my ($low,$high) = unpack("VV",substr($data,4,8));
my $val64 = Math::BigInt->new($high)->blsft(32)->bxor($low);
my $driveoffset = ($val64/512);
::rptMsg($v->get_name());
::rptMsg("\tDrive Signature = ".$sig);
::rptMsg("\tPartition offset = ".$driveoffset);
}
elsif ($len == 16) {
::rptMsg($v->get_name());
::rptMsg("\t".$data);
}
elsif ($len > 16) {
$data =~ s/\00//g;
push(@{$md{$data}},$v->get_name());
}
else {
::logMsg("mountdev v.".$VERSION."\tData length = $len");
}
}
::rptMsg("");
foreach my $m (keys %md) {
::rptMsg("Device: ".$m);
foreach my $item (@{$md{$m}}) {
::rptMsg("\t".$item);
}
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
sub _translateBinary {
my $str = unpack("H*",$_[0]);
my $len = length($str);
my @nstr = split(//,$str,$len);
my @list = ();
foreach (0..($len/2)) {
push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
}
return join(' ',@list);
}
1;

114
RecentActivity/release/rr/plugins/mp2.pl Normal file
View File

@ -0,0 +1,114 @@
#-----------------------------------------------------------
# mp2.pl
# Plugin for Registry Ripper,
# MountPoints2 key parser
#
# Change history
# 20091116 - updated output/sorting; added getting
# _LabelFromReg value
# 20090115 - Removed printing of "volumes"
#
# References
# http://support.microsoft.com/kb/932463
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package mp2;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20090115);
sub getConfig{return %config}
sub getShortDescr {
return "Gets user's MountPoints2 key contents";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching mp2 v.".$VERSION);
my %drives;
my %volumes;
my %remote;
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("MountPoints2");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @subkeys = $key->get_list_of_subkeys();
if (scalar @subkeys > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
if ($name =~ m/^{/) {
my $label;
eval {
$label = $s->get_value("_LabelFromReg")->get_data();
};
$name = $name." (".$label.")" unless ($@);
push(@{$volumes{$s->get_timestamp()}},$name);
}
elsif ($name =~ m/^[A-Z]/) {
push(@{$drives{$s->get_timestamp()}},$name);
}
elsif ($name =~ m/^#/) {
push(@{$remote{$s->get_timestamp()}},$name);
}
else {
::rptMsg(" Key name = ".$name);
}
}
::rptMsg("");
::rptMsg("Remote Drives:");
foreach my $t (reverse sort {$a <=> $b} keys %remote) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$remote{$t}}) {
::rptMsg(" $item");
}
}
::rptMsg("");
::rptMsg("Volumes:");
foreach my $t (reverse sort {$a <=> $b} keys %volumes) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$volumes{$t}}) {
::rptMsg(" $item");
}
}
::rptMsg("");
::rptMsg("Drives:");
foreach my $t (reverse sort {$a <=> $b} keys %drives) {
my $d = join(',',(@{$drives{$t}}));
::rptMsg(gmtime($t)." (UTC) - ".$d);
}
::rptMsg("");
::rptMsg("Analysis Tip: Correlate the Volume entries to those found in the MountedDevices");
::rptMsg("entries that begin with \"\\??\\Volume\"\.");
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

75
RecentActivity/release/rr/plugins/mpmru.pl Normal file
View File

@ -0,0 +1,75 @@
#-----------------------------------------------------------
# mpmru.pl
# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
# Media Player RecentFileList values
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package mpmru;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets user's Media Player RecentFileList values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching mpmru v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Media Player - RecentFileList");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
my %files;
# Retrieve values and load into a hash for sorting
foreach my $v (@vals) {
my $val = $v->get_name();
my $data = $v->get_data();
my $tag = (split(/File/,$val))[1];
$files{$tag} = $val.":".$data;
}
# Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg(" ".$val." -> ".$data);
}
}
else {
::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

72
RecentActivity/release/rr/plugins/mrt.pl Normal file
View File

@ -0,0 +1,72 @@
#-----------------------------------------------------------
# mrt.pl
#
# Per http://support.microsoft.com/kb/891716/, whenever MRT is run, a new
# GUID is written to the Version value. Check the KB article to compare
# GUIDs against the last time the tool was run. Also be sure to check the
# MRT logs in %WinDir%\Debug (mrt.log)
#
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package mrt;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20080804);
sub getConfig{return %config}
sub getShortDescr {
return "Check to see if Malicious Software Removal Tool has been run";
}
sub getDescr{}
sub getRefs {"Deployment of the Microsoft Windows Malicious Software Removal Tool" =>
"http://support.microsoft.com/kb/891716/",
"The Microsoft Windows Malicious Software Removal Tool" => "http://support.microsoft.com/?kbid=890830"}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching MRT v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\RemovalTools\\MRT";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Key Path: ".$key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $version;
eval {
$version = $key->get_value("Version")->get_data();
};
if ($@) {
::rptMsg("Error getting Version information: ".$@);
}
else {
::rptMsg("Version: ".$version);
::rptMsg("");
::rptMsg("Analysis Tip: Go to http://support.microsoft.com/kb/891716/ to see when MRT");
::rptMsg("was last run. According to the KB article, each time MRT is run, a new GUID");
::rptMsg("is written to the Version value.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

96
RecentActivity/release/rr/plugins/msis.pl Normal file
View File

@ -0,0 +1,96 @@
#-----------------------------------------------------------
# msis.pl
# Plugin to determine the MSI packages installed on the system
#
# Change history:
# 20090911 - created
#
# References:
# http://support.microsoft.com/kb/290134
# http://support.microsoft.com/kb/931401
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package msis;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090911);
sub getConfig{return %config}
sub getShortDescr {
return "Determine MSI packages installed on the system";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %msi;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching msis v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Classes\\Installer\\Products";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $lastwrite = $s->get_timestamp();
my $product;
eval {
$product = $s->get_value("ProductName")->get_data();
};
my $path;
my $pkg;
eval {
my $p = $s->get_subkey("SourceList")->get_value("LastUsedSource")->get_data();
$path = (split(/;/,$p,3))[2];
};
eval {
$pkg = $s->get_subkey("SourceList")->get_value("PackageName")->get_data();
};
push(@{$msi{$lastwrite}},$product.";".$path.$pkg);
}
foreach my $t (reverse sort {$a <=> $b} keys %msi) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$msi{$t}}) {
::rptMsg(" ".$item);
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

100
RecentActivity/release/rr/plugins/mspaper.pl Normal file
View File

@ -0,0 +1,100 @@
#-----------------------------------------------------------
# mspaper.pl
# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
# MSPaper Recent File List values
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package mspaper;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets images listed in user's MSPaper key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching mspaper v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $tick = 0;
my $key_path = 'Software\\Microsoft';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys();
if (scalar @subkeys > 0) {
foreach my $sk (@subkeys) {
if ($sk->get_name() =~ m/^mspaper/i) {
$tick = 1;
my $nkey = $sk->get_name()."\\Recent File List";
my $msp;
if ($msp = $key->get_subkey($nkey)) {
::rptMsg("MSPaper - Recent File List");
::rptMsg($key_path."\\".$nkey);
::rptMsg("LastWrite Time ".gmtime($msp->get_timestamp())." (UTC)");
my @vals = $msp->get_list_of_values();
if (scalar(@vals) > 0) {
my %files;
# Retrieve values and load into a hash for sorting
foreach my $v (@vals) {
my $val = $v->get_name();
my $data = $v->get_data();
my $tag = (split(/File/,$val))[1];
$files{$tag} = $val.":".$data;
}
# Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg(" ".$val." -> ".$data);
}
}
else {
::rptMsg($key_path."\\".$nkey." has no values.");
}
}
else {
::rptMsg($key_path."\\".$nkey." not found.");
::logMsg("Error: ".$key_path."\\".$nkey." not found.");
}
}
}
if ($tick == 0) {
::rptMsg("SOFTWARE\\Microsoft\\MSPaper* not found.");
::logMsg("SOFTWARE\\Microsoft\\MSPaper* not found.");
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

66
RecentActivity/release/rr/plugins/muicache.pl Normal file
View File

@ -0,0 +1,66 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# muicache.pl
# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
# MUICache values
#
# Change history
#
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package muicache;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets EXEs from user's MUICache key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching muicache v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("MUICache");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
next if ($name =~ m/^@/ || $name eq "LangID");
my $data = $v->get_data();
::rptMsg("\t".$name." (".$data.")");
}
}
else {
::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

75
RecentActivity/release/rr/plugins/nero.pl Normal file
View File

@ -0,0 +1,75 @@
#-----------------------------------------------------------
# nero.pl
# **Very Beta! Based on one sample hive file only!
#
# Change history
# 20100218 - created
#
# References
#
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package nero;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100218);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of Ahead\\Nero Recent File List subkeys";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my @nerosubkeys = ("Cover Designer","FlmgPlg","Nero PhotoSnap",
"NSPluginMgr","PhotoEffects","XlmgPlg");
sub pluginmain {
my $class = shift;
my $ntuser = shift;
my %hist;
::logMsg("Launching nero v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Ahead';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("");
foreach my $nsk (@nerosubkeys) {
eval {
my $nk;
if ($nk = $key->get_subkey($nsk."\\Recent File List")) {
my @vals = $nk->get_list_of_values();
if (scalar @vals > 0) {
::rptMsg($nsk."\\Recent File List");
::rptMsg("LastWrite Time ".gmtime($nk->get_timestamp())." (UTC)");
foreach my $v (@vals) {
::rptMsg(" ".$v->get_name()." -> ".$v->get_data());
}
::rptMsg("");
}
else {
::rptMsg($nsk."\\Recent File List has no values.");
}
}
};
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

95
RecentActivity/release/rr/plugins/network.pl Normal file
View File

@ -0,0 +1,95 @@
#-----------------------------------------------------------
# network.pl
# Plugin for Registry Ripper; Get information on network
# interfaces from the System hive file - from the
# Control\Network GUID subkeys...
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package network;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets info from System\\Control\\Network GUIDs";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my %nics;
my $ccs;
::logMsg("Launching network v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}";
my $nw;
if ($nw = $root_key->get_subkey($nw_path)) {
::rptMsg("Network key");
::rptMsg($nw_path);
# Get all of the subkey names
my @sk = $nw->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
my $name = $s->get_name();
next if ($name eq "Descriptions");
if (my $conn = $nw->get_subkey($name."\\Connection")) {
::rptMsg("Interface ".$name);
::rptMsg("LastWrite time ".gmtime($conn->get_timestamp())." (UTC)");
my %conn_vals;
my @vals = $conn->get_list_of_values();
map{$conn_vals{$_->get_name()} = $_->get_data()}@vals;
::rptMsg("\tName = ".$conn_vals{Name});
::rptMsg("\tPnpInstanceID = ".$conn_vals{PnpInstanceID});
::rptMsg("\tMediaSubType = ".$conn_vals{MediaSubType});
::rptMsg("\tIpCheckingEnabled = ".$conn_vals{IpCheckingEnabled})
if (exists $conn_vals{IpCheckingEnabled});
}
::rptMsg("");
}
}
else {
::rptMsg($nw_path." has no subkeys.");
}
}
else {
::rptMsg($nw_path." could not be found.");
::logMsg($nw_path." could not be found.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

62
RecentActivity/release/rr/plugins/networkcards.pl Normal file
View File

@ -0,0 +1,62 @@
#-----------------------------------------------------------
# networkcards
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package networkcards;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080325);
sub getConfig{return %config}
sub getShortDescr {
return "Get NetworkCards";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching networkcards v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("NetworkCards");
::rptMsg($key_path);
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
my %nc;
foreach my $s (@subkeys) {
my $service = $s->get_value("ServiceName")->get_data();
$nc{$service}{descr} = $s->get_value("Description")->get_data();
$nc{$service}{lastwrite} = $s->get_timestamp();
}
foreach my $n (keys %nc) {
::rptMsg($nc{$n}{descr}." [".gmtime($nc{$n}{lastwrite})."]");
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

142
RecentActivity/release/rr/plugins/networklist.pl Normal file
View File

@ -0,0 +1,142 @@
#-----------------------------------------------------------
# networklist.pl - Plugin to extract information from the
# NetworkList key, including the MAC address of the default
# gateway
#
#
# Change History:
# 20090812 - updated code to parse DateCreated and DateLastConnected
# values; modified output, as well
# 20090811 - created
#
# References
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package networklist;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090811);
sub getConfig{return %config}
sub getShortDescr {
return "Collects network info from Vista NetworkList key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching networklist v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $base_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList";
# First, get profile info
my $key_path = $base_path."\\Profiles";
my $key;
my %nl; # hash of hashes to hold data
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
my $name = $s->get_name();
$nl{$name}{LastWrite} = $s->get_timestamp();
eval {
$nl{$name}{ProfileName} = $s->get_value("ProfileName")->get_data();
$nl{$name}{Description} = $s->get_value("Description")->get_data();
$nl{$name}{Managed} = $s->get_value("Managed")->get_data();
my $create = $s->get_value("DateCreated")->get_data();
$nl{$name}{DateCreated} = parseDate128($create) if (length($create) == 16);
my $conn = $s->get_value("DateLastConnected")->get_data();
$nl{$name}{DateLastConnected} = parseDate128($conn) if (length($conn) == 16);
# $nl{$name}{NameType} = $s->get_value("ProfileName")->get_data();
};
}
# Get additional information from the Signatures subkey
$key_path = $base_path."\\Signatures\\Managed";
if ($key = $root_key->get_subkey($key_path)) {
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
eval {
my $prof = $s->get_value("ProfileGuid")->get_data();
my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6);
my $mac = uc(unpack("H*",$tmp));
my @t = split(//,$mac);
$nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3].
"-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11];
};
}
}
}
$key_path = $base_path."\\Signatures\\Unmanaged";
if ($key = $root_key->get_subkey($key_path)) {
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
eval {
my $prof = $s->get_value("ProfileGuid")->get_data();
my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6);
my $mac = uc(unpack("H*",$tmp));
my @t = split(//,$mac);
$nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3].
"-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11];
};
}
}
}
# Now, display the information
foreach my $n (keys %nl) {
my $str = sprintf "%-15s Gateway Mac: ".$nl{$n}{DefaultGatewayMac},$nl{$n}{ProfileName};
::rptMsg($nl{$n}{ProfileName});
::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." UTC");
::rptMsg(" DateLastConnected: ".$nl{$n}{DateLastConnected});
::rptMsg(" DateCreated : ".$nl{$n}{DateCreated});
::rptMsg(" DefaultGatewayMac: ".$nl{$n}{DefaultGatewayMac});
::rptMsg("");
}
}
else {
::rptMsg($key_path." has not subkeys");
}
}
else {
::rptMsg($key_path." not found.");
}
}
sub parseDate128 {
my $date = $_[0];
my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul",
"Aug","Sep","Oct","Nov","Dec");
my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat");
my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date);
$hr = "0".$hr if ($hr < 10);
$min = "0".$min if ($min < 10);
$sec = "0".$sec if ($sec < 10);
my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr;
return $str;
}
1;

57
RecentActivity/release/rr/plugins/networkuid.pl Normal file
View File

@ -0,0 +1,57 @@
#-----------------------------------------------------------
# networkuid.pl
# Gets UID value from Network key
#
# References
# http://blogs.technet.com/mmpc/archive/2010/03/11/got-zbot.aspx
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package networkuid;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100312);
sub getConfig{return %config}
sub getShortDescr {
return "Gets Network key UID value";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching networkuid v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Network";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite time = ".gmtime($key->get_timestamp()));
::rptMsg("");
eval {
my $uid = $key->get_value("UID")->get_data();
::rptMsg("UID value = ".$uid);
};
::rptMsg("UID value not found.") if ($@);
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

80
RecentActivity/release/rr/plugins/nic.pl Normal file
View File

@ -0,0 +1,80 @@
#-----------------------------------------------------------
# nic.pl
#
#
# Change history
# 20100401 - created
#
# References
# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx
# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package nic;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100401);
sub getConfig{return %config}
sub getShortDescr {
return "Gets NIC info from System hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my %nics;
my $ccs;
::logMsg("Launching nic v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my $current;
eval {
$current = $root_key->get_subkey("Select")->get_value("Current")->get_data();
};
my @nics;
my $key_path = "ControlSet00".$current."\\Services";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
my @svcs = $key->get_list_of_subkeys();
foreach my $s (@svcs) {
push(@nics,$s) if ($s->get_name() =~ m/^{/);
}
foreach my $n (@nics) {
eval {
my @vals = $n->get_subkey("Parameters\\Tcpip")->get_list_of_values();
::rptMsg("Adapter: ".$n->get_name());
::rptMsg("LastWrite Time: ".gmtime($n->get_timestamp())." Z");
foreach my $v (@vals) {
my $name = $v->get_name();
my $data = $v->get_data();
$data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2");
$data = gmtime($data)." Z" if ($name =~ m/Time$/);
::rptMsg(sprintf " %-20s %-20s",$name,$data);
}
::rptMsg("");
};
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

80
RecentActivity/release/rr/plugins/nic2.pl Normal file
View File

@ -0,0 +1,80 @@
#-----------------------------------------------------------
# nic2.pl
#
#
# Change history
# 20100401 - created
#
# References
# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx
# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package nic2;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100401);
sub getConfig{return %config}
sub getShortDescr {
return "Gets NIC info from System hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my %nics;
my $ccs;
::logMsg("Launching nic v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my $current;
eval {
$current = $root_key->get_subkey("Select")->get_value("Current")->get_data();
};
my @nics;
my $key_path = "ControlSet00".$current."\\Services\\Tcpip\\Parameters\\Interfaces";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
my @guids = $key->get_list_of_subkeys();
if (scalar @guids > 0) {
foreach my $g (@guids) {
::rptMsg("Adapter: ".$g->get_name());
::rptMsg("LastWrite Time: ".gmtime($g->get_timestamp())." Z");
eval {
my @vals = $g->get_list_of_values();
foreach my $v (@vals) {
my $name = $v->get_name();
my $data = $v->get_data();
$data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2");
$data = gmtime($data)." Z" if ($name =~ m/Time$/);
::rptMsg(sprintf " %-28s %-20s",$name,$data);
}
::rptMsg("");
};
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

148
RecentActivity/release/rr/plugins/nic_mst2.pl Normal file
View File

@ -0,0 +1,148 @@
#-----------------------------------------------------------
# nic_mst2.pl
# Plugin for Registry Ripper; Get information on network
# interfaces from the System hive file - start with the
# Control\Network GUID subkeys...within the Connection key,
# look for MediaSubType == 2, and maintain a list of GUIDs.
# Then go over to the Services\Tcpip\Parameters\Interfaces
# key and get the IP configurations for each of the interface
# GUIDs
#
# Change history
#
#
# References
# http://support.microsoft.com/kb/555382
# http://support.microsoft.com/kb/894564
# http://support.microsoft.com/kb/899868
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package nic_mst2;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets NICs from System hive; looks for MediaType = 2";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my %nics;
my $ccs;
::logMsg("Launching nic_mst2 v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}";
my $nw;
if ($nw = $root_key->get_subkey($nw_path)) {
::rptMsg("Network key");
::rptMsg($nw_path);
# Get all of the subkey names
my @sk = $nw->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
my $name = $s->get_name();
next if ($name eq "Descriptions");
if (my $conn = $nw->get_subkey($name."\\Connection")) {
my %conn_vals;
my @vals = $conn->get_list_of_values();
map{$conn_vals{$_->get_name()} = $_->get_data()}@vals;
# See what the active NICs were on the system; "active" based on PnpInstanceID having
# a string value
# Get the GUID of the interface, the name, and the LastWrite time of the Connection
# key
if (exists $conn_vals{PnpInstanceID} && $conn_vals{PnpInstanceID} ne "") {
$nics{$name}{Name} = $conn_vals{Name};
$nics{$name}{LastWrite} = $conn->get_timestamp();
}
}
}
}
else {
::rptMsg($nw_path." has no subkeys.");
}
}
else {
::rptMsg($nw_path." could not be found.");
}
}
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
# access the Tcpip Services key to get the IP address information
if (scalar(keys %nics) > 0) {
my $key_path = $ccs."\\Services\\Tcpip\\Parameters\\Interfaces";
if ($key = $root_key->get_subkey($key_path)) {
my %guids;
::rptMsg($key_path);
::rptMsg("LastWrite time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# Dump the names of the subkeys under Parameters\Interfaces into a hash
my @sk = $key->get_list_of_subkeys();
map{$guids{$_->get_name()} = 1}(@sk);
foreach my $n (keys %nics) {
if (exists $guids{$n}) {
my $if = $key->get_subkey($n);
::rptMsg("Interface ".$n);
::rptMsg("Name: ".$nics{$n}{Name});
::rptMsg("Control\\Network key LastWrite time ".gmtime($nics{$n}{LastWrite})." (UTC)");
::rptMsg("Services\\Tcpip key LastWrite time ".gmtime($if->get_timestamp())." (UTC)");
my @vals = $if->get_list_of_values;
my %ip;
map{$ip{$_->get_name()} = $_->get_data()}@vals;
if (exists $ip{EnableDHCP} && $ip{EnableDHCP} == 1) {
::rptMsg("\tDhcpDomain = ".$ip{DhcpDomain});
::rptMsg("\tDhcpIPAddress = ".$ip{DhcpIPAddress});
::rptMsg("\tDhcpSubnetMask = ".$ip{DhcpSubnetMask});
::rptMsg("\tDhcpNameServer = ".$ip{DhcpNameServer});
::rptMsg("\tDhcpServer = ".$ip{DhcpServer});
}
else {
::rptMsg("\tIPAddress = ".$ip{IPAddress});
::rptMsg("\tSubnetMask = ".$ip{SubnetMask});
::rptMsg("\tDefaultGateway = ".$ip{DefaultGateway});
}
}
else {
::rptMsg("Interface ".$n." not found in the ".$key_path." key.");
}
::rptMsg("");
}
}
}
else {
::rptMsg("No active network interface cards were found.");
::logMsg("No active network interface cards were found.");
}
}
1;

74
RecentActivity/release/rr/plugins/nolmhash.pl Normal file
View File

@ -0,0 +1,74 @@
#-----------------------------------------------------------
# nolmhash.pl
# Gets NoLMHash value
#
# Change history
# 20100712 - created
#
# References
# http://support.microsoft.com/kb/299656
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package nolmhash;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100712);
sub getConfig{return %config}
sub getShortDescr {
return "Gets NoLMHash value";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching lsa v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my ($current,$ccs);
my $sel_path = 'Select';
my $sel;
if ($sel = $root_key->get_subkey($sel_path)) {
$current = $sel->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $key_path = $ccs."\\Control\\Lsa";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("nolmhash v.".$VERSION);
::rptMsg($key_path);
::rptMsg("LastWrite: ".gmtime($key->get_timestamp()));
::rptMsg("");
my $nolmhash;
eval {
$nolmhash = $key->get_value("NoLMHash")->get_data();
::rptMsg("NoLMHash value = ".$nolmhash);
::rptMsg("");
::rptMsg("A value of 1 indicates that LMHashes are not stored in the SAM.");
};
::rptMsg("Error occurred getting NoLMHash value: $@") if ($@);
}
else {
::rptMsg($key_path." not found.");
}
}
else {
::rptMsg($sel_path." not found.");
::logMsg($sel_path." not found.");
}
}
1;

79
RecentActivity/release/rr/plugins/notify.pl Normal file
View File

@ -0,0 +1,79 @@
#-----------------------------------------------------------
# notify.pl
#
#
# Change History:
# 20110309 - updated output format to sort entries based on
# LastWrite time
# 20110308 - created
#
# References
# http://blogs.technet.com/b/markrussinovich/archive/2011/03/08/3392087.aspx
#
# copyright 2011 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package notify;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20110309);
sub getConfig{return %config}
sub getShortDescr {
return "Get Notify subkey entries";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %notify;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching notify v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("notify");
::rptMsg($key_path);
::rptMsg("");
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
my $name = $s->get_name();
my $lw = $s->get_timestamp();
my $dll;
eval {
$dll = $s->get_value("DLLName")->get_data();
push(@{$notify{$lw}},sprintf "%-15s %-25s",$name,$dll);
};
}
foreach my $t (reverse sort {$a <=> $b} keys %notify) {
::rptMsg(gmtime($t)." UTC");
foreach my $i (@{$notify{$t}}) {
::rptMsg(" ".$i);
}
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

Some files were not shown because too many files have changed in this diff Show More