diff --git a/RecentActivity/release/rr/p2x588.dll b/RecentActivity/release/rr/p2x588.dll
new file mode 100644
index 0000000000..e250d47eed
Binary files /dev/null and b/RecentActivity/release/rr/p2x588.dll differ
diff --git a/RecentActivity/release/rr/plugins/acmru.pl b/RecentActivity/release/rr/plugins/acmru.pl
new file mode 100644
index 0000000000..55efea5f5d
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/acmru.pl
@@ -0,0 +1,72 @@
+#-----------------------------------------------------------
+# acmru.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# ACMru values
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package acmru;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's ACMru key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching acmru v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Search Assistant\\ACMru';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("ACMru - Search Assistant");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
+ my @vals = $s->get_list_of_values();
+ my %ac_vals;
+ foreach my $v (@vals) {
+ $ac_vals{$v->get_name()} = $v->get_data();
+ }
+ foreach my $a (sort {$a <=> $b} keys %ac_vals) {
+ ::rptMsg("\t".$a." -> ".$ac_vals{$a});
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
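Review bot: The object returned by `Parse::Win32Registry->new($ntuser)` (the `my $reg = ...` line in pluginmain) is never checked, so an unreadable or non-hive input makes the following `get_root_key` call die outside any eval and abort the plugin run; assuming `new` returns undef on failure as its documentation states, `my $reg = Parse::Win32Registry->new($ntuser) or do { ::logMsg("acmru: unable to open ".$ntuser); return; };` keeps the failure inside the plugin. The same unchecked constructor appears in every other plugin in this commit (adoberdr.pl, aim.pl, appinitdlls.pl, applets.pl, apppaths.pl, arpcache.pl, arunmru.pl, assoc.pl, auditfail.pl, auditpol.pl, autoendtasks.pl, autopsylogin.pl, autopsyrecentdocs.pl), so one shared fix in the plugin template would cover all of them. These files also enable `use strict` but not `use warnings`, which would among other things have flagged the `"NTUSER\.DAT"` hive string, whose `\.` is an unrecognized escape in a double-quoted string; `'NTUSER.DAT'` says the same thing without the escape.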
diff --git a/RecentActivity/release/rr/plugins/adoberdr.pl b/RecentActivity/release/rr/plugins/adoberdr.pl
new file mode 100644
index 0000000000..f46e5ebd67
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/adoberdr.pl
@@ -0,0 +1,93 @@
+#-----------------------------------------------------------
+# adoberdr.pl
+# Plugin for Registry Ripper
+# Parse Adobe Reader MRU keys
+#
+# Change history
+# 20100218 - added checks for versions 4.0, 5.0, 9.0
+# 20091125 - modified output to make a bit more clear
+#
+# References
+#
+# Note: LastWrite times on c subkeys will all be the same,
+# as each subkey is modified as when a new entry is added
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package adoberdr;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100218);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets user's Adobe Reader cRecentFiles values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching adoberdr v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("Adoberdr v.".$VERSION);
+# First, let's find out which version of Adobe Acrobat Reader is installed
+ my $version;
+ my $tag = 0;
+ my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0");
+ foreach my $ver (@versions) {
+ my $key_path = "Software\\Adobe\\Acrobat Reader\\".$ver."\\AVGeneral\\cRecentFiles";
+ if (defined($root_key->get_subkey($key_path))) {
+ $version = $ver;
+ $tag = 1;
+ }
+ }
+
+ if ($tag) {
+ ::rptMsg("Adobe Acrobat Reader version ".$version." located.");
+ my $key_path = "Software\\Adobe\\Acrobat Reader\\".$version."\\AVGeneral\\cRecentFiles";
+ my $key = $root_key->get_subkey($key_path);
+ if ($key) {
+ ::rptMsg($key_path);
+ ::rptMsg("");
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my %arkeys;
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar @subkeys > 0) {
+ foreach my $s (@subkeys) {
+ my $num = $s->get_name();
+ my $data = $s->get_value('sDI')->get_data();
+ $num =~ s/^c//;
+ $arkeys{$num}{lastwrite} = $s->get_timestamp();
+ $arkeys{$num}{data} = $data;
+ }
+ ::rptMsg("Most recent PDF opened: ".gmtime($arkeys{1}{lastwrite})." (UTC)");
+ foreach my $k (sort keys %arkeys) {
+ ::rptMsg(" c".$k." ".$arkeys{$k}{data});
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg("Could not access ".$key_path);
+ }
+ }
+ else {
+ ::rptMsg("Adobe Acrobat Reader version not found.");
+ }
+}
+
+1;
\ No newline at end of file
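Review bot: `my $data = $s->get_value('sDI')->get_data();` inside the subkey loop dereferences the result of `get_value` without checking it, so a cRecentFiles subkey lacking an sDI value kills the whole plugin with a method-on-undef error instead of skipping that entry; the other plugins in this commit wrap such lookups in `eval`, and here `my $sdi = $s->get_value('sDI'); next unless defined $sdi; my $data = $sdi->get_data();` would do. Two lines later `foreach my $k (sort keys %arkeys)` sorts the numeric suffixes as strings, so c10 is listed before c2 once there are ten or more entries; `sort { $a <=> $b }` matches the intent of stripping the leading c. The "Most recent PDF opened" line assumes a c1 subkey exists; if it does not, `gmtime(undef)` silently prints the epoch, so a `if (exists $arkeys{1})` guard would keep the report honest.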
diff --git a/RecentActivity/release/rr/plugins/aim.pl b/RecentActivity/release/rr/plugins/aim.pl
new file mode 100644
index 0000000000..32eeeae713
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/aim.pl
@@ -0,0 +1,95 @@
+#-----------------------------------------------------------
+# aim
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package aim;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080325);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets info from the AOL Instant Messenger (not AIM) install";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching aim plugin v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = 'Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("AIM");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+
+ my @subkeys = $key->get_list_of_subkeys();
+
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $user = $s->get_name();
+ ::rptMsg("User: $user [".gmtime($s->get_timestamp())."]");
+
+ my $login = "Login";
+ my $recent = "recent IM ScreenNames";
+ my $recent2 = "recent ScreenNames";
+
+ my @userkeys = $s->get_list_of_subkeys();
+ foreach my $u (@userkeys) {
+ my $us = $u->get_name();
+# See if we can get the encrypted password
+ if ($us =~ m/^$login/) {
+ my $pwd = "";
+ eval {
+ $pwd = $u->get_value("Password1")->get_data();
+ };
+ ::rptMsg("Pwd: ".$pwd) if ($pwd ne "");
+ }
+# See if we can get recent folks they've chatted with...
+ if ($us eq $recent || $us eq $recent2) {
+
+ my @vals = $u->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ ::rptMsg($user."\\".$us);
+ my %sns;
+ foreach my $v (@vals) {
+ $sns{$v->get_name()} = $v->get_data();
+ }
+
+ foreach my $i (sort {$a <=> $b} keys %sns) {
+ ::rptMsg("\t\t".$i." -> ".$sns{$i});
+ }
+ }
+ else {
+# No values
+ }
+ }
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
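Review bot: `::rptMsg("Pwd: ".$pwd)` writes the raw data of the Password1 value into the text report; the comment calls it an encrypted password, which suggests binary data (confirm against a sample hive), in which case arbitrary bytes land in the report and `::rptMsg("Pwd: ".unpack("H*", $pwd))` would render it as hex. The empty `else { # No values }` branch after the `scalar(@vals) > 0` test can be dropped, or replaced by `::rptMsg($user."\\".$us." has no values.");` so a reader can tell the key was examined. The per-user line `"User: $user [".gmtime($s->get_timestamp())."]"` omits the "(UTC)" suffix the other plugins attach to every timestamp.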
diff --git a/RecentActivity/release/rr/plugins/all b/RecentActivity/release/rr/plugins/all
new file mode 100644
index 0000000000..5f28a06eb6
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/all
@@ -0,0 +1,3 @@
+#-------------------------------------
+# All
+regtime
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/appinitdlls.pl b/RecentActivity/release/rr/plugins/appinitdlls.pl
new file mode 100644
index 0000000000..29c75915b1
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/appinitdlls.pl
@@ -0,0 +1,61 @@
+#-----------------------------------------------------------
+# appinitdlls
+#
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package appinitdlls;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of AppInit_DLLs value";
+}
+sub getDescr{}
+sub getRefs {
+ my %refs = ("Working with the AppInit_DLLs Reg Value" =>
+ "http://support.microsoft.com/kb/q197571");
+ return %refs;
+}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching appinitdlls v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\Windows';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("AppInit_DLLs");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ if ($name eq "AppInit_DLLs") {
+ my $data = $v->get_data();
+ $data = "{blank}" if ($data eq "");
+ ::rptMsg($name." -> ".$data);
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
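Review bot: When the Windows key exists but has no AppInit_DLLs value, the loop over `get_list_of_values` prints nothing, so the report cannot distinguish "value absent" from "value present and empty" (which is reported as {blank}); for an autostart location that distinction is exactly what an analyst needs. Looking the value up directly with `get_value` (which, judging by the eval-guarded lookups elsewhere in this commit, returns undef when the value is missing — confirm) also removes the scan over every value in the key.
```perl
        # … unchanged: key lookup, header and LastWrite lines …
        my $v = $key->get_value("AppInit_DLLs");
        if (defined $v) {
            my $data = $v->get_data();
            $data = "{blank}" if ($data eq "");
            ::rptMsg("AppInit_DLLs -> ".$data);
        }
        else {
            ::rptMsg("AppInit_DLLs value not found.");
        }
```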
diff --git a/RecentActivity/release/rr/plugins/applets.pl b/RecentActivity/release/rr/plugins/applets.pl
new file mode 100644
index 0000000000..e29fffa083
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/applets.pl
@@ -0,0 +1,96 @@
+#-----------------------------------------------------------
+# applets.pl
+# Plugin for Registry Ripper
+# Windows\CurrentVersion\Applets Recent File List values
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package applets;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's Applets key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching applets v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Applets';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Applets");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+# Locate files opened in MS Paint
+ my $paint_key = 'Paint\\Recent File List';
+ my $paint = $key->get_subkey($paint_key);
+ if (defined $paint) {
+ ::rptMsg($key_path."\\".$paint_key);
+ ::rptMsg("LastWrite Time ".gmtime($paint->get_timestamp())." (UTC)");
+
+ my @vals = $paint->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %files;
+# Retrieve values and load into a hash for sorting
+ foreach my $v (@vals) {
+ my $val = $v->get_name();
+ my $data = $v->get_data();
+ my $tag = (split(/File/,$val))[1];
+ $files{$tag} = $val.":".$data;
+ }
+# Print sorted content to report file
+ foreach my $u (sort {$a <=> $b} keys %files) {
+ my ($val,$data) = split(/:/,$files{$u},2);
+ ::rptMsg(" ".$val." -> ".$data);
+ }
+ }
+ else {
+ ::rptMsg($key_path."\\".$paint_key." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path."\\".$paint_key." not found.");
+ }
+# Get Last Registry key opened in RegEdit
+ my $reg_key = "Regedit";
+ my $reg = $key->get_subkey($reg_key);
+ if (defined $reg) {
+ ::rptMsg("");
+ ::rptMsg($key_path."\\".$reg_key);
+ ::rptMsg("LastWrite Time ".gmtime($reg->get_timestamp())." (UTC)");
+ my $lastkey = $reg->get_value("LastKey")->get_data();
+ ::rptMsg("RegEdit LastKey value -> ".$lastkey);
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
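Review bot: `my $lastkey = $reg->get_value("LastKey")->get_data();` in the Regedit branch calls `get_data` on whatever `get_value` returns, so a Regedit subkey without a LastKey value aborts the plugin after the Paint section has already been reported; `my $lk = $reg->get_value("LastKey"); ::rptMsg("RegEdit LastKey value -> ".$lk->get_data()) if defined $lk;` keeps it best-effort like the Paint section. The inner `my $reg = $key->get_subkey($reg_key)` also shadows the `$reg` that holds the Parse::Win32Registry object declared at the top of pluginmain; a name such as `$regedit` avoids the confusion.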
diff --git a/RecentActivity/release/rr/plugins/apppaths.pl b/RecentActivity/release/rr/plugins/apppaths.pl
new file mode 100644
index 0000000000..85e00aab25
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/apppaths.pl
@@ -0,0 +1,83 @@
+#-----------------------------------------------------------
+# apppaths
+# Gets contents of App Paths subkeys from the Software hive,
+# diplaying the EXE name and path; all entries are sorted by
+# LastWrite time
+#
+# References
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package apppaths;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20080404);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets content of App Paths key";
+}
+sub getDescr{}
+sub getRefs {
+ my %refs = ("You cannot open Help and Support Center in Windows XP" =>
+ "http://support.microsoft.com/kb/888018",
+ "Another installation program starts..." =>
+ "http://support.microsoft.com/kb/888470");
+ return %refs;
+}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching apppaths v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows\\CurrentVersion\\App Paths";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("App Paths");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my %apps;
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+
+ my $name = $s->get_name();
+ my $lastwrite = $s->get_timestamp();
+ my $path;
+ eval {
+ $path = $s->get_value("")->get_data();
+ };
+ push(@{$apps{$lastwrite}},$name." [".$path."]");
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %apps) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$apps{$t}}) {
+ ::rptMsg(" $item");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
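Review bot: `$path` is declared without a value and only assigned inside the `eval` that reads the subkey's default value, so a subkey with no default value pushes `$name." [".$path."]"` with an undef `$path`, which prints as `name []` (and would warn under `use warnings`); `my $path = "";` at the declaration, or `$path = "(no default value)" if $@;` after the eval, makes the output say what happened. Entries sharing a LastWrite time are listed in subkey order within that timestamp group; since the header promises sorting by LastWrite time, a short comment on the `reverse sort` loop noting that ties keep hive order would help.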
diff --git a/RecentActivity/release/rr/plugins/arpcache.pl b/RecentActivity/release/rr/plugins/arpcache.pl
new file mode 100644
index 0000000000..b8ed74f88f
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/arpcache.pl
@@ -0,0 +1,133 @@
+#-----------------------------------------------------------
+# arpcache.pl
+# Retrieves CurrentVersion\App Management\ARPCache entries; subkeys appear
+# to maintain information about paths to installed applications in the
+# SlowInfoCache value(0x10 - FILETIME object, null term. string with path
+# starts at 0x1c)
+#
+# Change history
+# 20090413 - Created
+#
+# References
+# No references, but the subkeys appear to hold information about
+# installed applications; some SlowInfoCache values appear to contain
+# timestamp data (FILETIME object) and/or path information. Posts on
+# the Internet indicate the existence of Kazaa beneath the APRCache key,
+# as well as possibly an "Outerinfo" subkey indicating that spyware is
+# installed.
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package arpcache;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20090413);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Retrieves CurrentVersion\\App Management\\ARPCache entries";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %arpcache;
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching arpcache v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $lw = $s->get_timestamp();
+ my $name = $s->get_name();
+
+ my $path;
+ eval {
+ my $i = $s->get_value("SlowInfoCache")->get_data();
+ $path = parsePath($i);
+ };
+ ($@) ? ($name .= "|") : ($name .= "|".$path);
+
+ my $date;
+ eval {
+ my $i = $s->get_value("SlowInfoCache")->get_data();
+ $date = parseDate($i);
+ };
+ ($@) ? ($name .= "|") : ($name .= "|".$date);
+ push(@{$arpcache{$lw}},$name);
+ }
+
+
+ foreach my $t (reverse sort {$a <=> $b} keys %arpcache) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$arpcache{$t}}) {
+ my ($name,$path,$date) = split(/\|/,$item,3);
+ ::rptMsg(" ".$name);
+ my $str = $path unless ($path eq "");
+ $str .= " [".gmtime($date)."]" unless ($date == 0);
+ ::rptMsg(" -> ".$str) unless ($str eq "");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
+
+sub parseDate {
+ my $data = shift;
+ my ($t1,$t2) = unpack("VV",substr($data,0x10,8));
+ return ::getTime($t1,$t2);
+}
+
+sub parsePath {
+ my $data = shift;
+ my $ofs = 0x1c;
+ my $tag = 1;
+
+ my $str = substr($data,$ofs,2);
+ if (unpack("v",$str) == 0) {
+ return "";
+ }
+ else {
+ while($tag) {
+ $ofs += 2;
+ my $i = substr($data,$ofs,2);
+ if (unpack("v",$i) == 0) {
+ $tag = 0;
+ }
+ else {
+ $str .= $i;
+ }
+ }
+ }
+ $str =~ s/\00//g;
+ return $str;
+}
\ No newline at end of file
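Review bot: `my $str = $path unless ($path eq "");` declares a lexical with a statement modifier, which perlsyn documents as undefined behaviour (in practice `$str` may keep its value from the previous loop iteration), and the following `$str .= ...` and `unless ($str eq "")` then operate on that stale value; `my $str = ($path eq "") ? "" : $path;` is well defined. `%arpcache` is a file-level hash that pluginmain never clears, so if the plugin runs twice in one process (two hives, or a harness that reuses loaded plugins) the second report also contains the first hive's entries — declare it inside pluginmain or add `%arpcache = ();` at the top of the sub. The SlowInfoCache value is fetched twice, once for parsePath and once for parseDate; reading it once and calling both parsers on it halves the lookups. parsePath's `while($tag)` loop has no upper bound on `$ofs` and relies on `substr` past the end of the data returning undef to terminate, which works but warns under `use warnings`; bounding the loop by `length($data)` is explicit.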
diff --git a/RecentActivity/release/rr/plugins/arunmru.pl b/RecentActivity/release/rr/plugins/arunmru.pl
new file mode 100644
index 0000000000..7370685b45
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/arunmru.pl
@@ -0,0 +1,77 @@
+#-----------------------------------------------------------
+# runmru.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# RunMru values
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package arunmru;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's RunMRU key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ #::logMsg("autospyrunmru");
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ #::rptMsg("RunMru");
+ #::rptMsg($key_path);
+
+ my @vals = $key->get_list_of_values();
+ ::rptMsg("");
+ ::rptMsg("");
+ ::rptMsg("");
+ my %runvals;
+ my $mru;
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ $runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i);
+ $mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i);
+ }
+ ::rptMsg("".$mru."");
+ foreach my $r (sort keys %runvals) {
+ ::rptMsg("".$r." ".$runvals{$r}."");
+ }
+ }
+ else {
+ #::rptMsg($key_path." has no values.");
+ #::logMsg($key_path." has no values.");
+ }
+ ::rptMsg("");
+ }
+ else {
+ #::rptMsg($key_path." not found.");
+ #::logMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+}
+
+1;
\ No newline at end of file
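Review bot: The values are printed with `foreach my $r (sort keys %runvals)`, which orders the entries alphabetically by their letter name and discards the order recorded in `$mru` (the MRUList value, most recent first), even though that string is printed on the line before; iterating `split(//, $mru)` and printing `$runvals{$r}` for each letter that exists reports them in actual recency order, which is the point of the key. If no MRUList value is present, `$mru` stays undef and `::rptMsg("".$mru."")` prints an empty line (and would warn under `use warnings`). The header comment still names the file `runmru.pl` and the RunMru plugin, and the `logMsg` launch line is commented out so the log will not show that arunmru ran; if the silent output is intentional for the Autopsy front end, a one-line header comment saying so would help the next reader.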
diff --git a/RecentActivity/release/rr/plugins/assoc.pl b/RecentActivity/release/rr/plugins/assoc.pl
new file mode 100644
index 0000000000..a2587da110
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/assoc.pl
@@ -0,0 +1,87 @@
+#-----------------------------------------------------------
+# assoc.pl
+# Plugin to extract file association data from the Software hive file
+# Can take considerable time to run; recommend running it via rip.exe
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package assoc;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080815);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get list of file ext associations";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching assoc v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Classes";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("assoc");
+ ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+# First step will be to get a list of all of the file extensions
+ my %ext;
+ my @sk = $key->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ my $name = $s->get_name();
+ next unless ($name =~ m/^\.\w+$/);
+ my $data;
+ eval {
+ $data = $s->get_value("")->get_data();
+ };
+ if ($@) {
+# Error generated, as "(Default)" value was not found
+ }
+ else {
+ $ext{$name} = $data if ($data ne "");
+ }
+ }
+# Once a list of all file ext subkeys has been compiled, access the file type
+# to determine the command line used to launch files with that extension
+ foreach my $e (keys %ext) {
+ my $cmd;
+ eval {
+ $cmd = $key->get_subkey($ext{$e}."\\shell\\open\\command")->get_value("")->get_data();
+ };
+ if ($@) {
+# error generated attempting to locate .\shell\open\command\(Default) value
+ }
+ else {
+ ::rptMsg($e." : ".$cmd);
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+1;
\ No newline at end of file
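Review bot: Both `if ($@) { # comment }` blocks carry only a comment while the real work sits in the `else`, which reads backwards; `next if $@;` in the first loop and `unless ($@) { ... }` in the second say the same thing without the empty branch. Only `shell\open\command` is consulted, so a ProgID whose handler is reached through a CurVer subkey, or whose only verb is something other than open, is silently left out — worth a header comment, since in an association audit a missing line could be read as "no handler". `next unless ($name =~ m/^\.\w+$/)` also drops extensions containing a hyphen or other non-word character; `next unless ($name =~ m/^\./);` is the looser form if those matter.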
diff --git a/RecentActivity/release/rr/plugins/auditfail.pl b/RecentActivity/release/rr/plugins/auditfail.pl
new file mode 100644
index 0000000000..019ec15eda
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/auditfail.pl
@@ -0,0 +1,66 @@
+#-----------------------------------------------------------
+# auditfail.pl
+#
+# Ref:
+# http://support.microsoft.com/kb/140058
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package auditfail;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081212);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get CrashOnAuditFail value";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my %val = (0 => "Feature is off; the system will not halt",
+ 1 => "Feature is on; the system will halt when events cannot be written to the ".
+ "Security Event Log",
+ 2 => "Feature is on and has been triggered; only Administrators can log in");
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching auditfail v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+
+ my $lsa_path = "ControlSet00".$current."\\Control\\Lsa";
+ my $lsa;
+ if ($lsa = $root_key->get_subkey($lsa_path)) {
+
+ eval {
+ my $crash = $lsa->get_value("crashonauditfail")->get_data();
+ ::rptMsg("CrashOnAuditFail = ".$crash);
+ ::rptMsg($val{$crash});
+ };
+ ::rptMsg($@) if ($@);
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
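Review bot: `my $lsa_path = "ControlSet00".$current."\\Control\\Lsa";` builds the control set name by string concatenation, which is only correct for a single-digit Current value; `my $lsa_path = sprintf("ControlSet%03d\\Control\\Lsa", $current);` produces the zero-padded name for any value. `$key->get_value("Current")->get_data()` on the line before is unguarded, so a Select key without a Current value aborts the plugin. When the Lsa key is not found the `if ($lsa = ...)` has no else branch and the report stays silent, and when the value is missing `::rptMsg($@)` puts the raw Perl error text into the report instead of a `"CrashOnAuditFail value not found."` line; both are findings an analyst would want stated explicitly. `$val{$crash}` is undef for any value outside 0..2, so a fallback such as `"Unknown value"` keeps that case visible too.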
diff --git a/RecentActivity/release/rr/plugins/auditpol.pl b/RecentActivity/release/rr/plugins/auditpol.pl
new file mode 100644
index 0000000000..11ea9a1096
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/auditpol.pl
@@ -0,0 +1,88 @@
+#-----------------------------------------------------------
+# auditpol
+# Get the audit policy from the Security hive file
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package auditpol;
+use strict;
+
+my %config = (hive => "Security",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ osmask => 22,
+ version => 20080327);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get audit policy from the Security hive file";
+}
+sub getDescr{}
+sub getRefs {
+ my %refs = ("How To Determine Audit Policies from the Registry" =>
+ "http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246120");
+ return %refs;
+}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %audit = (0 => "N",
+ 1 => "S",
+ 2 => "F",
+ 3 => "S/F");
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching auditpol v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Policy\\PolAdtEv";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("auditpol");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $data;
+ eval {
+ $data = $key->get_value("")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("Error occurred getting data from ".$key_path);
+ ::rptMsg(" - ".$@);
+ }
+ else {
+# Check to see if auditing is enabled
+ my $enabled = unpack("C",substr($data,0,1));
+ if ($enabled) {
+ ::rptMsg("Auditing is enabled.");
+# Get audit configuration settings
+ my @vals = unpack("V*",$data);
+ ::rptMsg("\tAudit System Events = ".$audit{$vals[1]});
+ ::rptMsg("\tAudit Logon Events = ".$audit{$vals[2]});
+ ::rptMsg("\tAudit Object Access = ".$audit{$vals[3]});
+ ::rptMsg("\tAudit Privilege Use = ".$audit{$vals[4]});
+ ::rptMsg("\tAudit Process Tracking = ".$audit{$vals[5]});
+ ::rptMsg("\tAudit Policy Change = ".$audit{$vals[6]});
+ ::rptMsg("\tAudit Account Management = ".$audit{$vals[7]});
+ ::rptMsg("\tAudit Dir Service Access = ".$audit{$vals[8]});
+ ::rptMsg("\tAudit Account Logon Events = ".$audit{$vals[9]});
+ }
+ else {
+ ::rptMsg("**Auditing is NOT enabled.");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+1;
\ No newline at end of file
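Review bot: `my @vals = unpack("V*",$data);` is indexed at 1 through 9 with no check on the length of the PolAdtEv data, so a short or truncated value yields undef entries, `$audit{undef}` lookups and blank category names in the report rather than an error; `if (length($data) < 40) { ::rptMsg("PolAdtEv data too short: ".length($data)." bytes"); }` before the unpack, with the existing branch in its else, makes truncation visible. Values outside 0..3 likewise map to undef in `%audit`; `defined $audit{$vals[$i]} ? $audit{$vals[$i]} : "Unknown (".$vals[$i].")"` would show the raw number instead. The nine near-identical `::rptMsg` lines could be a loop over a category-name list and an index, which also puts the index-to-category mapping from the referenced KB article in one reviewable place.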
diff --git a/RecentActivity/release/rr/plugins/autoendtasks.pl b/RecentActivity/release/rr/plugins/autoendtasks.pl
new file mode 100644
index 0000000000..29b89d20ae
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/autoendtasks.pl
@@ -0,0 +1,66 @@
+#-----------------------------------------------------------
+# autoendtasks.pl
+#
+# History
+# 20081128 - created
+#
+# Ref:
+# http://support.microsoft.com/kb/555619
+# This Registry setting tells XP (and Vista) to automatically
+# end non-responsive tasks; value may not exist on Vista.
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package autoendtasks;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081128);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Automatically end a non-responsive task";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching autoendtasks v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Control Panel\\Desktop';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg("autoendtasks");
+ ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my $autoend;
+ eval {
+ $autoend = $key->get_value("AutoEndTasks")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("AutoEndTasks value not found.");
+ }
+ else {
+ ::rptMsg("AutoEndTasks = ".$autoend);
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/autopsy b/RecentActivity/release/rr/plugins/autopsy
new file mode 100644
index 0000000000..49ef69b395
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/autopsy
@@ -0,0 +1,8 @@
+# List of plugins for the Registry Ripper
+
+#-------------------------------------
+# NTUSER.DAT
+autopsylogin
+autopsyrecentdocs
+arunmru
+autopsyshellfolders
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/autopsylogin.pl b/RecentActivity/release/rr/plugins/autopsylogin.pl
new file mode 100644
index 0000000000..5f83827176
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/autopsylogin.pl
@@ -0,0 +1,70 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# logonusername.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# "Logon User Name" value
+#
+# Change history
+#
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package autopsylogin;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get user's Logon User Name value";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ #::logMsg("||logonusername||");
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $logon_name = "Username";
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ #::rptMsg("Logon User Name");
+ #::rptMsg($key_path);
+ ::rptMsg("");
+ ::rptMsg("");
+ foreach my $v (@vals) {
+ if ($v->get_name() eq $logon_name) {
+ ::rptMsg(" ".$v->get_data() ."");
+ }
+ }
+ ::rptMsg("");
+ }
+ else {
+ #::rptMsg($key_path." has no values.");
+ #::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ #::rptMsg($key_path." not found.");
+ #::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
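Review bot: The header comment says the plugin reads the "Logon User Name" value, but `my $logon_name = "Username";` compares against a value called Username, so one of the two is wrong; if the different value name is intentional for this variant, the header (which also still names the file `logonusername.pl`) should say so, otherwise the comparison should be `"Logon User Name"`. As with the other silent variants in this commit, a missing value produces two blank report lines and nothing else, so the report cannot distinguish "not present" from "empty". The `#! c:\perl\bin\perl.exe` shebang on the first line of a `package` file loaded by the framework is inert and hard-codes a Windows path; the other plugins omit it.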
diff --git a/RecentActivity/release/rr/plugins/autopsyrecentdocs.pl b/RecentActivity/release/rr/plugins/autopsyrecentdocs.pl
new file mode 100644
index 0000000000..34e3bf1034
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/autopsyrecentdocs.pl
@@ -0,0 +1,161 @@
+#-----------------------------------------------------------
+# recentdocs.pl
+# Plugin for Registry Ripper
+# Parses RecentDocs keys/values in NTUSER.DAT
+#
+# Change history
+# 20100405 - Updated to use Encode::decode to translate strings
+# 20090115 - Minor update to keep plugin from printing terminating
+# MRUListEx value of 0xFFFFFFFF
+# 20080418 - Minor update to address NTUSER.DAT files that have
+# MRUList values in this key, rather than MRUListEx
+# values
+#
+# References
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package autopsyrecentdocs;
+use strict;
+use Encode;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100405);
+
+sub getShortDescr {
+ return "Gets contents of user's RecentDocs key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ #::logMsg("||recentdocs||");
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ #::rptMsg("RecentDocs");
+ #::rptMsg("**All values printed in MRUList\\MRUListEx order.");
+ #::rptMsg($key_path);
+ ::rptMsg("");
+# Get RecentDocs values
+ my %rdvals = getRDValues($key);
+ if (%rdvals) {
+ my $tag;
+ if (exists $rdvals{"MRUListEx"}) {
+ $tag = "MRUListEx";
+ }
+ elsif (exists $rdvals{"MRUList"}) {
+ $tag = "MRUList";
+ }
+ else {
+
+ }
+
+ my @list = split(/,/,$rdvals{$tag});
+ foreach my $i (@list) {
+ ::rptMsg("".$i." = ".$rdvals{$i} . "");
+ }
+
+ }
+ else {
+ #::rptMsg($key_path." has no values.");
+ #::logMsg("Error: ".$key_path." has no values.");
+ }
+ ::rptMsg("");
+# Get RecentDocs subkeys' values
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg($key_path."\\".$s->get_name());
+ ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
+
+ my %rdvals = getRDValues($s);
+ if (%rdvals) {
+ my $tag;
+ if (exists $rdvals{"MRUListEx"}) {
+ $tag = "MRUListEx";
+ }
+ elsif (exists $rdvals{"MRUList"}) {
+ $tag = "MRUList";
+ }
+ else {
+
+ }
+
+ my @list = split(/,/,$rdvals{$tag});
+ ::rptMsg($tag." = ".$rdvals{$tag});
+ foreach my $i (@list) {
+ ::rptMsg(" ".$i." = ".$rdvals{$i});
+ }
+
+ ::rptMsg("");
+ }
+ else {
+ #::rptMsg($key_path." has no values.");
+ }
+ }
+ }
+ else {
+ #::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ #::rptMsg($key_path." not found.");
+ }
+}
+
+
+sub getRDValues {
+ my $key = shift;
+
+ my $mru = "MRUList";
+ my %rdvals;
+
+ my @vals = $key->get_list_of_values();
+ if (scalar @vals > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ if ($name =~ m/^$mru/) {
+ my @mru;
+ if ($name eq "MRUList") {
+ @mru = split(//,$data);
+ }
+ elsif ($name eq "MRUListEx") {
+ @mru = unpack("V*",$data);
+ }
+# Horrible, ugly cludge; the last, terminating value in MRUListEx
+# is 0xFFFFFFFF, so we remove it.
+ pop(@mru);
+ $rdvals{$name} = join(',',@mru);
+ }
+ else {
+# New code
+ $data = decode("ucs-2le", $data);
+ my $file = (split(/\00/,$data))[0];
+# my $file = (split(/\00\00/,$data))[0];
+# $file =~ s/\00//g;
+ $rdvals{$name} = $file;
+ }
+ }
+ return %rdvals;
+ }
+ else {
+ return undef;
+ }
+}
+
+1;
\ No newline at end of file
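Review bot: `return undef;` at the end of `getRDValues` is evaluated in list context by `my %rdvals = getRDValues($key)`, so a key with no values yields a one-element hash (`"" => undef`) that passes the `if (%rdvals)` test, and the "has no values" branches can never be taken; use a bare `return;` there. In the same function `pop(@mru)` sits outside the `if`/`elsif`, so the 0xFFFFFFFF terminator cludge described in the comment is also applied to `MRUList`, dropping the last real letter of that list; move the `pop` into the `MRUListEx` branch. In `pluginmain`, when neither `MRUListEx` nor `MRUList` exists `$tag` stays undef and `$rdvals{$tag}` silently reads the empty-string key; the empty `else {}` at that point should `return` (or `next` in the subkey loop). This file also lacks the `getConfig` sub that every other plugin in the change defines, which will matter if the loader calls it.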
diff --git a/RecentActivity/release/rr/plugins/autopsyshellfolders.pl b/RecentActivity/release/rr/plugins/autopsyshellfolders.pl
new file mode 100644
index 0000000000..de3115f9dd
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/autopsyshellfolders.pl
@@ -0,0 +1,72 @@
+#-----------------------------------------------------------
+# shellfolders.pl
+#
+# Retrieve the Shell Folders values from user's hive; while
+# this may not be important in every instance, it may give the
+# examiner indications as to where to look for certain items;
+# for example, if the user's "My Documents" folder has been redirected
+# as part of configuration changes (corporate policies, etc.). Also,
+# this may be important as part of data leakage exams, as XP and Vista
+# allow users to drop and drag files to the CD Burner.
+#
+# References:
+# http://support.microsoft.com/kb/279157
+# http://support.microsoft.com/kb/326982
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package autopsyshellfolders;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090115);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Retrieve user Shell Folders values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ #::logMsg("Launching shellfolders v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg("");
+
+ my @vals = $key->get_list_of_values();
+ ::rptMsg("");
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $str = sprintf "%-20s %-40s","get_name()."\">",$v->get_data()."";
+ ::rptMsg($str);
+ }
+ ::rptMsg("");
+ }
+ else {
+ #::rptMsg($key_path." has no values.");
+ }
+ ::rptMsg("");
+ }
+ else {
+ #::rptMsg($key_path." not found.");
+ #::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
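Review bot: The `sprintf` line in the value loop does not parse as printed: `"get_name()."\">"` is the string literal `"get_name()."` immediately followed by `\">"` (a reference to the string `">`) with no operator between them. It looks as though `$v->` and some angle-bracket markup were lost (the bare `::rptMsg("")` calls around it look like stripped tags too), so please confirm what is actually in the file; if the intent is plain name/data columns, `my $str = sprintf "%-20s %-40s", $v->get_name(), $v->get_data();` is the readable form. If the original does wrap these values in HTML, the name and data copied from the hive should be escaped before being placed inside the markup, since they are arbitrary strings from the evidence file.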
diff --git a/RecentActivity/release/rr/plugins/autopsysoftware b/RecentActivity/release/rr/plugins/autopsysoftware
new file mode 100644
index 0000000000..5d94ff6883
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/autopsysoftware
@@ -0,0 +1,6 @@
+ List of plugins for the Registry Ripper
+
+#-------------------------------------
+# SOFTWARE
+autopsywinver
+autopsyuninstall
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/autopsyuninstall.pl b/RecentActivity/release/rr/plugins/autopsyuninstall.pl
new file mode 100644
index 0000000000..1cff08cf14
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/autopsyuninstall.pl
@@ -0,0 +1,92 @@
+#-----------------------------------------------------------
+# uninstall.pl
+# Gets contents of Uninstall key from Software hive; sorts
+# display names based on key LastWrite time
+#
+# References:
+# http://support.microsoft.com/kb/247501
+# http://support.microsoft.com/kb/314481
+# http://msdn.microsoft.com/en-us/library/ms954376.aspx
+#
+# Change History:
+# 20100116 - Minor updates
+# 20090413 - Extract DisplayVersion info
+# 20090128 - Added references
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package autopsyuninstall;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100116);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets contents of Uninstall key from Software hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ #::logMsg("Launching uninstall v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Uninstall';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ #::rptMsg("Uninstall");
+ #::rptMsg($key_path);
+ #::rptMsg("");
+ ::rptMsg("");
+ ::rptMsg("");
+ ::rptMsg("");
+ my %uninst;
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $lastwrite = $s->get_timestamp();
+ my $display;
+ eval {
+ $display = $s->get_value("DisplayName")->get_data();
+ };
+ $display = $s->get_name() if ($display eq "");
+
+ my $ver;
+ eval {
+ $ver = $s->get_value("DisplayVersion")->get_data();
+ };
+ $display .= " v\.".$ver unless ($@);
+
+ push(@{$uninst{$lastwrite}},$display);
+ }
+ foreach my $t (reverse sort {$a <=> $b} keys %uninst) {
+ ::rptMsg("- ");
+ foreach my $item (@{$uninst{$t}}) {
+ ::rptMsg($item."
");
+ }
+ #::rptMsg("");
+ }
+ }
+ else {
+ #::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ #::rptMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+}
+1;
\ No newline at end of file
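Review bot: `$display .= " v\.".$ver unless ($@);` appends the version suffix whenever `DisplayVersion` exists, including when its data is an empty string, producing entries like "Name v." (and `\.` in a double-quoted string is just `.`, so the escape does nothing); `$display .= " v." . $ver if defined $ver && length $ver;` handles both. The outcome of the first `eval` is never inspected either: `$display eq ""` relies on `$display` being undef after a failed `get_value("DisplayName")`, which only stays quiet because the file has no `use warnings`; testing `defined $display && length $display` makes the fallback to the key name explicit. The `::rptMsg($item."` call near the end of the loop is split across two physical lines, so the literal contains an embedded newline (or, as elsewhere in this change, markup that was lost in rendering) — worth confirming which.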
diff --git a/RecentActivity/release/rr/plugins/autopsywinver.pl b/RecentActivity/release/rr/plugins/autopsywinver.pl
new file mode 100644
index 0000000000..a13795b6b6
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/autopsywinver.pl
@@ -0,0 +1,109 @@
+#-----------------------------------------------------------
+# winver.pl
+#
+# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package autopsywinver;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081210);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get Windows version";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ #::logMsg("Launching winver v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("");
+ ::rptMsg("");
+ ::rptMsg("");
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg("{name}");
+# ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my $prod;
+ eval {
+ $prod = $key->get_value("ProductName")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("ProductName value not found.");
+ }
+ else {
+ ::rptMsg("".$prod ."");
+ }
+
+ my $csd;
+ eval {
+ $csd = $key->get_value("CSDVersion")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("CSDVersion value not found.");
+ }
+ else {
+ ::rptMsg("".$csd."");
+ }
+
+
+ my $build;
+ eval {
+ $build = $key->get_value("BuildName")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("BuildName value not found.");
+ }
+ else {
+ ::rptMsg("".$build."");
+ }
+
+ my $buildex;
+ eval {
+ $buildex = $key->get_value("BuildNameEx")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("BuildName value not found.");
+ }
+ else {
+ ::rptMsg("".$buildex."");
+ }
+
+
+ my $install;
+ eval {
+ $install = $key->get_value("InstallDate")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("InstallDate value not found.");
+ }
+ else {
+ ::rptMsg("".gmtime($install)."");
+ }
+
+
+ }
+ else {
+ #::rptMsg($key_path." not found.");
+ #::logMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+}
+1;
\ No newline at end of file
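Review bot: The five `eval { ... get_value(NAME)->get_data() }` / `if ($@)` stanzas in `pluginmain` are the same code with a different value name each time, and the copy-paste already shows in the `BuildNameEx` stanza whose commented message still says "BuildName value not found."; a small table of value names plus a per-value formatter (only `InstallDate` needs `gmtime`) removes the repetition and makes adding the next value a one-line change. The only behavioural difference to watch is that the original prints nothing for a missing value, which the loop keeps with `next if $@`.
```perl
# … unchanged: key lookup …
my @values = (
    [ 'ProductName', sub { $_[0] } ],
    [ 'CSDVersion',  sub { $_[0] } ],
    [ 'BuildName',   sub { $_[0] } ],
    [ 'BuildNameEx', sub { $_[0] } ],
    [ 'InstallDate', sub { scalar gmtime($_[0]) } ],
);
foreach my $entry (@values) {
    my ($name, $fmt) = @{ $entry };
    my $data = eval { $key->get_value($name)->get_data() };
    next if $@;
    ::rptMsg("".$fmt->($data)."");
}
# … unchanged: "not found" branch and trailing rptMsg …
```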
diff --git a/RecentActivity/release/rr/plugins/autorun.pl b/RecentActivity/release/rr/plugins/autorun.pl
new file mode 100644
index 0000000000..50604cf4dd
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/autorun.pl
@@ -0,0 +1,74 @@
+#-----------------------------------------------------------
+# autorun.pl
+# Get autorun settings
+#
+# Change history
+#
+#
+# References
+# http://support.microsoft.com/kb/953252
+# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit
+# /regentry/91525.mspx?mfr=true
+#
+# copyright 2008-2009 H. Carvey
+#-----------------------------------------------------------
+package autorun;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20081212);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets autorun settings";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching autorun v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ eval {
+ my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data();
+ my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive;
+ ::rptMsg($str);
+ };
+ ::rptMsg("Error: ".$@) if ($@);
+
+# http://support.microsoft.com/kb/953252
+ eval {
+ my $honor = $key->get_value("HonorAutorunSetting")->get_data();
+ my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor;
+ ::rptMsg($str);
+ };
+ ::rptMsg("HonorAutorunSetting not found.") if ($@);
+ ::rptMsg("");
+ ::rptMsg("Autorun settings in the HKLM hive take precedence over those in");
+ ::rptMsg("the HKCU hive.");
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+
+1;
\ No newline at end of file
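Review bot: The two value lookups report failure inconsistently: `::rptMsg("Error: ".$@) if ($@);` after the `NoDriveTypeAutoRun` eval writes the raw Perl exception (including the plugin's file path and line number) into the examiner's report, while the `HonorAutorunSetting` lookup two lines later writes a clean "not found." message. Make the first match the second, `::rptMsg("NoDriveTypeAutoRun not found.") if ($@);`, and send the raw `$@` to `::logMsg` if it is wanted for debugging. Since both values are formatted with `0x%x`, a value stored as something other than a DWORD would print as 0 without any indication; a hedged check on `$val->get_type()` before formatting would make that visible, if the value object exposes it.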
diff --git a/RecentActivity/release/rr/plugins/bagtest.pl b/RecentActivity/release/rr/plugins/bagtest.pl
new file mode 100644
index 0000000000..cdc5600d5c
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/bagtest.pl
@@ -0,0 +1,170 @@
+#-----------------------------------------------------------
+# bagtest.pl
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package bagtest;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090828);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Test -- BagMRU";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching bagtest v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\Shell\\BagMRU";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $subtree_iter = $key->get_subtree_iterator;
+ while (my ($k, $val) = $subtree_iter->get_next) {
+ if (defined $val) {
+ next unless ($val->get_name() =~ m/^\d+/);
+
+ my $path;
+ my $data = $val->get_data();
+ my $size = unpack("v",substr($data,0,20));
+ my $type = unpack("C",substr($data,2,1));
+ my $name = (split(/BagMRU/,$k->get_path()))[1];
+
+ if ($type == 0x47 || $type == 0x46 || $type == 0x42 || $type == 0x41 ||
+ $type == 0xc3) {
+
+ my $str1 = getStrings1($data);
+ $path = $str1;
+
+ }
+ elsif ($type == 0x31 || $type == 0x32) {
+ my($ascii,$uni) = getStrings2($data);
+ $path = $uni;
+ }
+ elsif ($type == 0x2f) {
+# bytes 3-5 of $data contain a drive letter
+ $path = substr($data,0x03,3);
+ }
+ else {
+# Nothing
+ }
+# my $str = sprintf "%-30s %-3s %-4s 0x%x",$name."\\".$val->get_name(),$size,length($data),$type;
+ my $str = sprintf "%-25s ".$path,$name."\\".$val->get_name();
+ ::rptMsg($str);
+
+ }
+ else {
+
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+#sub getStrings1 {
+# my $data = shift;
+# my $str;
+# my $cursor = 0x05;
+# my $tag = 1;
+#
+# while($tag) {
+# my $byte = substr($data,$cursor,1);
+# if (unpack("C",$byte) == 0x00) {
+# $tag = 0;
+# }
+# else {
+# $str .= $byte;
+# $cursor += 1;
+# }
+# }
+# return $str;
+#}
+
+sub getStrings1 {
+ my $data = shift;
+ my $d = substr($data,0x05,length($data) - 1);
+ $d =~ s/\00/-/g;
+ $d =~ s/[[:cntrl:]]//g;
+
+ my @t = split(/-/,$d);
+
+ my @s;
+ for my $i (1..scalar(@t) - 1) {
+ push(@s,$t[$i]) if (length($t[$i]) > 2);
+ }
+
+ return $t[0]." (".join(',',@s).")";
+}
+
+sub getStrings2 {
+# ASCII short name starts at 0x0E, and is \00 terminated; 0x14 bytes
+# after that is the null-term Unicode name
+ my $data = shift;
+ my ($ascii,$uni);
+ my $cursor = 0x0e;
+ my $tag = 1;
+
+ while($tag) {
+ my $byte = substr($data,$cursor,1);
+ if (unpack("C",$byte) == 0x00) {
+ $tag = 0;
+ }
+ else {
+ $ascii .= $byte;
+ $cursor += 1;
+ }
+ }
+
+ $cursor += 0x14;
+
+ $uni = substr($data,$cursor,length($data) - 1);
+ $uni =~ s/\00//g;
+ $uni =~ s/[[:cntrl:]]//g;
+ return ($ascii,$uni);
+}
+
+1;
+
+
+
+
+
+# Original code to traverse through values and subkeys
+# Retain for legacy code purposes
+#sub traverse {
+# my $key = shift;
+#
+# foreach my $val ($key->get_list_of_values()) {
+# next unless ($val->get_name() =~ m/\d+/);
+#
+# ::rptMsg($val->get_name());
+#
+# }
+#
+# foreach my $subkey ($key->get_list_of_subkeys()) {
+# traverse($subkey);
+# }
+#}
\ No newline at end of file
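Review bot: `sprintf "%-25s ".$path, $name."\\".$val->get_name()` uses `$path`, which is decoded from the BagMRU value data in the hive, as part of the format string, so any `%` in a folder name (e.g. names containing environment-variable style `%...%`) is interpreted as a conversion and the output is garbled or the missing-argument warning fires; pass it as an argument instead: `my $str = sprintf "%-25s %s", $name."\\".$val->get_name(), $path;`. bagtest2.pl has the same construction in `pluginmain` (`sprintf "%-30s ".$bagmru{$i},$i`) and needs the same fix. Two smaller things in the same loop: `unpack("v",substr($data,0,20))` reads only two bytes, so the `20` is misleading and `$size` is never used, and `$type` is undef for a value shorter than three bytes, which then compares equal to 0 and silently leaves `$path` undefined — a `next unless length($data) >= 3;` before the unpacks would make that explicit.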
diff --git a/RecentActivity/release/rr/plugins/bagtest2.pl b/RecentActivity/release/rr/plugins/bagtest2.pl
new file mode 100644
index 0000000000..59716d2fd8
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/bagtest2.pl
@@ -0,0 +1,161 @@
+#-----------------------------------------------------------
+# bagtest2.pl
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package bagtest2;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090828);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Test -- BagMRU";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %bagmru;
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching bagtest v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\Shell\\BagMRU";
+ my $key;
+
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ traverse($key);
+
+ foreach my $i (sort keys %bagmru) {
+ my $str = sprintf "%-30s ".$bagmru{$i},$i;
+ ::rptMsg($str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+sub traverse {
+ my $key = shift;
+ my $name = (split(/BagMRU/,$key->get_path()))[1];
+
+ my @bags;
+
+ foreach my $val ($key->get_list_of_values()) {
+ next unless ($val->get_name() =~ m/\d+/);
+
+ my $path;
+ my $data = $val->get_data();
+ my $size = unpack("v",substr($data,0,20));
+ my $type = unpack("C",substr($data,2,1));
+
+
+ if ($type == 0x47 || $type == 0x46 || $type == 0x42 || $type == 0x41 ||
+ $type == 0xc3) {
+
+ my $str1 = getStrings1($data);
+ $path = $str1;
+
+ }
+ elsif ($type == 0x31 || $type == 0x32 || $type == 0xb1) {
+ my($ascii,$uni) = getStrings2($data);
+ $path = $uni;
+ }
+ elsif ($type == 0x2f) {
+# bytes 3-5 of $data contain a drive letter
+ $path = substr($data,0x03,3);
+ }
+ else {
+# Nothing
+ }
+ $bagmru{$name."\\".$val->get_name()} = $path;
+ }
+
+ foreach my $subkey ($key->get_list_of_subkeys()) {
+ traverse($subkey);
+ }
+}
+
+
+sub getStrings1 {
+ my $data = shift;
+ my $d = substr($data,0x05,length($data) - 1);
+ $d =~ s/\00/-/g;
+ $d =~ s/[[:cntrl:]]//g;
+
+ my @t = split(/-/,$d);
+
+ my @s;
+ for my $i (1..scalar(@t) - 1) {
+ push(@s,$t[$i]) if (length($t[$i]) > 2);
+ }
+
+ return $t[0]." (".join(',',@s).")";
+}
+
+sub getStrings2 {
+# ASCII short name starts at 0x0E, and is \00 terminated; 0x14 bytes
+# after that is the null-term Unicode name
+ my $data = shift;
+ my ($ascii,$uni);
+ my $cursor = 0x0e;
+ my $tag = 1;
+
+ while($tag) {
+ my $byte = substr($data,$cursor,1);
+ if (unpack("C",$byte) == 0x00) {
+ $tag = 0;
+ }
+ else {
+ $ascii .= $byte;
+ $cursor += 1;
+ }
+ }
+
+ $cursor += 0x14;
+
+ if ($ascii eq "RECENT") {
+ $uni = substr($data,$cursor,length($data) - 1);
+ $uni =~ s/\00//g;
+ $uni =~ s/[[:cntrl:]]//g;
+ }
+ else {
+ my $tag = 1;
+ my $count = 0;
+ while($tag) {
+ my $byte = substr($data,$cursor,2);
+ if ($count > 2 && unpack("v",$byte) == 0x00) {
+ $tag = 0;
+ }
+ else {
+ $uni .= $byte;
+ $count++;
+ $cursor += 2;
+ }
+ }
+ $uni =~ s/\00//g;
+ $uni =~ s/[[:cntrl:]]//g;
+ }
+ return ($ascii,$uni);
+}
+
+1;
\ No newline at end of file
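Review bot: `%bagmru` is declared at file scope and only ever added to by `traverse`, so when `pluginmain` is invoked more than once in the same process (a second NTUSER.DAT hive) the report for the later hive also contains every entry collected from the earlier one; reset it at the top of `pluginmain` with `%bagmru = ();`, or make it a lexical in `pluginmain` and pass a reference into `traverse`. The format-string problem noted on bagtest.pl applies to `sprintf "%-30s ".$bagmru{$i},$i` here as well. Also `next unless ($val->get_name() =~ m/\d+/);` is unanchored, unlike bagtest.pl's `m/^\d+/`, so any value name containing a digit anywhere is treated as a slot entry; `m/^\d+$/` states the intent.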
diff --git a/RecentActivity/release/rr/plugins/banner.pl b/RecentActivity/release/rr/plugins/banner.pl
new file mode 100644
index 0000000000..44ae62a274
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/banner.pl
@@ -0,0 +1,127 @@
+#-----------------------------------------------------------
+# banner
+# Get banner information from the SOFTWARE hive file (if any)
+#
+# Written By:
+# Special Agent Brook William Minnick
+# Brook_Minnick@doioig.gov
+# U.S. Department of the Interior - Office of Inspector General
+# Computer Crimes Unit
+# 12030 Sunrise Valley Drive Suite 250
+# Reston, VA 20191
+#-----------------------------------------------------------
+package banner;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081119);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get HKLM\\SOFTWARE.. Logon Banner Values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching banner v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows\\CurrentVersion\\policies\\system";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Logon Banner Information");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+# GET LEGALNOTICECAPTION --
+
+ my $caption;
+ eval {
+ $caption = $key->get_value("Legalnoticecaption")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("Legalnoticecaption value not found.");
+ }
+ else {
+ ::rptMsg("Legalnoticecaption value = ".$caption);
+ }
+ ::rptMsg("");
+
+# GET LEGALNOTICETEXT --
+
+ my $banner;
+ eval {
+ $banner = $key->get_value("Legalnoticetext")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("Legalnoticetext value not found.");
+ }
+ else {
+ ::rptMsg("Legalnoticetext value = ".$banner);
+ }
+ ::rptMsg("");
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+# GET LEGALNOTICECAPTION --
+
+ my $caption2;
+ eval {
+ $caption2 = $key->get_value("Legalnoticecaption")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("Legalnoticecaption value not found.");
+ }
+ else {
+ ::rptMsg("Legalnoticecaption value = ".$caption2);
+ }
+ ::rptMsg("");
+
+# GET LEGALNOTICETEXT --
+
+ my $banner2;
+ eval {
+ $banner2 = $key->get_value("Legalnoticetext")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("Legalnoticetext value not found.");
+ }
+ else {
+ ::rptMsg("Legalnoticetext value = ".$banner2);
+ }
+ ::rptMsg("");
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+
+1;
\ No newline at end of file
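Review bot: `my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";` and the following `my $key;` redeclare variables that are already lexically declared earlier in the same `pluginmain` scope; Perl accepts this but it masks the earlier declarations and would warn under `use warnings` (which this file does not enable), and the unindented line hides that it is inside the sub. Drop the `my` on both: `$key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";` and remove the second `my $key;`. The two blocks are otherwise identical apart from the key path, so a `foreach my $key_path (@paths)` over the two paths with one body would halve the function; if that refactor is done, the `Legalnoticecaption`/`Legalnoticetext` stanzas can be the same table-driven loop suggested for autopsywinver.pl.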
diff --git a/RecentActivity/release/rr/plugins/bho.pl b/RecentActivity/release/rr/plugins/bho.pl
new file mode 100644
index 0000000000..be3b8f6c85
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/bho.pl
@@ -0,0 +1,107 @@
+#-----------------------------------------------------------
+# bho
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package bho;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ osmask => 22,
+ version => 20080418);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets Browser Helper Objects from Software hive";
+}
+sub getDescr{}
+sub getRefs {
+ my %refs = ("Browser Helper Objects" =>
+ "http://msdn2.microsoft.com/en-us/library/bb250436.aspx");
+ return %refs;
+}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my %bhos;
+ ::logMsg("Launching bho v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects";;
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Browser Helper Objects");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar (@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ next if ($name =~ m/^-/);
+ my $clsid_path = "Classes\\CLSID\\".$name;
+ my $clsid;
+ if ($clsid = $root_key->get_subkey($clsid_path)) {
+ my $class;
+ my $mod;
+ my $lastwrite;
+
+ eval {
+ $class = $clsid->get_value("")->get_data();
+ $bhos{$name}{class} = $class;
+ };
+ if ($@) {
+ ::logMsg("\tError getting Class name for CLSID\\".$name);
+ ::logMsg("\t".$@);
+ }
+ eval {
+ $mod = $clsid->get_subkey("InProcServer32")->get_value("")->get_data();
+ $bhos{$name}{module} = $mod;
+ };
+ if ($@) {
+ ::logMsg("\tError getting Module name for CLSID\\".$name);
+ ::logMsg("\t".$@);
+ }
+ eval{
+ $lastwrite = $clsid->get_subkey("InProcServer32")->get_timestamp();
+ $bhos{$name}{lastwrite} = $lastwrite;
+ };
+ if ($@) {
+ ::logMsg("\tError getting LastWrite time for CLSID\\".$name);
+ ::logMsg("\t".$@);
+ }
+
+ foreach my $b (keys %bhos) {
+ ::rptMsg($b);
+ ::rptMsg("\tClass => ".$bhos{$b}{class});
+ ::rptMsg("\tModule => ".$bhos{$b}{module});
+ ::rptMsg("\tLastWrite => ".gmtime($bhos{$b}{lastwrite}));
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($clsid_path." not found.");
+ ::rptMsg("");
+ ::logMsg($clsid_path." not found.");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys. No BHOs installed.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
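Review bot: The `foreach my $b (keys %bhos)` report loop sits inside the per-subkey `foreach my $s`, so after N BHOs have been collected the first one has been printed N times and the report grows quadratically; move that loop (and its `::rptMsg` lines) to just after the outer `foreach` closes, or print the current `$name` entry only. The loop variable also shadows `sort`'s `$b`, which breaks any `sort` added inside that scope later; rename it, e.g. `foreach my $bho (keys %bhos)`. When one of the three `eval`s fails the corresponding hash slot is undef, so `gmtime($bhos{$b}{lastwrite})` prints the epoch (1 Jan 1970) as a LastWrite time for a CLSID with no `InProcServer32` — guard with `defined` and print "not found" instead. The `;;` at the end of the `$key_path` assignment is harmless but should go.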
diff --git a/RecentActivity/release/rr/plugins/bitbucket.pl b/RecentActivity/release/rr/plugins/bitbucket.pl
new file mode 100644
index 0000000000..16e61480e9
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/bitbucket.pl
@@ -0,0 +1,81 @@
+#-----------------------------------------------------------
+# bitbucket
+# Get HKLM\..\BitBucket keys\values (if any)
+#
+# Change history
+# 20091020 - Updated; collected additional values
+#
+# References
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package bitbucket;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080418);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get HKLM\\..\\BitBucket keys\\values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching bitbucket v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ eval {
+ my $global = $key->get_value("UseGlobalSettings")->get_data();
+ ::rptMsg("UseGlobalSettings = ".$global);
+ };
+
+ eval {
+ my $nuke = $key->get_value("NukeOnDelete")->get_data();
+ ::rptMsg("NukeOnDelete = ".$nuke);
+ };
+ ::rptMsg("");
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg($key_path."\\".$s->get_name());
+ ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)");
+ eval {
+ my $vol = $s->get_value("VolumeSerialNumber")->get_data();
+ ::rptMsg("VolumeSerialNumber = 0x".uc(sprintf "%1x",$vol));
+ };
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
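Review bot: The `version => 20080418` entry in `%config` contradicts the change history, which records an update on 20091020; one of the two should be corrected so the loader reports the version the code actually corresponds to. The three bare `eval { ... }` blocks print nothing on failure, so the report cannot distinguish "UseGlobalSettings is absent" from the value being present with an empty data field; following the pattern used in autorun.pl, `::rptMsg("UseGlobalSettings value not found.") if ($@);` after each eval makes the absence explicit. `sprintf "%1x"` is also an unusual width for a volume serial number; if a fixed-width rendering is intended, say so in a comment, otherwise `%x` reads more clearly.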
diff --git a/RecentActivity/release/rr/plugins/bitbucket_user.pl b/RecentActivity/release/rr/plugins/bitbucket_user.pl
new file mode 100644
index 0000000000..e3374fd193
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/bitbucket_user.pl
@@ -0,0 +1,71 @@
+#-----------------------------------------------------------
+# bitbucket_user
+# Get HKLM\..\BitBucket keys\values (if any)
+#
+# Change history
+#
+# References
+#
+# NOTE: In limited testing, the volume letter subkeys beneath the
+# BitBucket key appear to be volatile.
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package bitbucket_user;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20091020);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "TEST - Get user BitBucket values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching bitbucket_user v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg($key_path."\\".$s->get_name());
+ ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)");
+ eval {
+ my $purge = $s->get_value("NeedToPurge")->get_data();
+ ::rptMsg(" NeedToPurge = ".$purge);
+ };
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
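Review bot: The header comment says `Get HKLM\..\BitBucket keys\values`, but `%config` sets `hive => "NTUSER\.DAT"` and the key path starts at `Software\`, so this plugin reads the per-user (HKCU) BitBucket key; change the header to `# Get HKCU\..\BitBucket keys\values from NTUSER.DAT (if any)` and drop the `TEST - ` prefix from `getShortDescr` if the plugin is being shipped. The `not found` branch at the end only calls `::rptMsg`, whereas the sibling bitbucket.pl also calls `::logMsg($key_path." not found.");`; keeping both consistent makes the log usable for spotting hives where the key was absent. As in bitbucket.pl, the silent `eval` around `NeedToPurge` could report "value not found." so the examiner knows the value was checked.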
diff --git a/RecentActivity/release/rr/plugins/brisv.pl b/RecentActivity/release/rr/plugins/brisv.pl
new file mode 100644
index 0000000000..c79aa3e651
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/brisv.pl
@@ -0,0 +1,63 @@
+#-----------------------------------------------------------
+# brisv.pl
+# Plugin to detect the presence of Trojan.Brisv.A
+# Symantec write-up: http://www.symantec.com/security_response/writeup.jsp
+# ?docid=2008-071823-1655-99
+#
+# Change History:
+# 20090210: Created
+#
+# Info on URLAndExitCommandsEnabled value:
+# http://support.microsoft.com/kb/828026
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package brisv;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090210);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Detect artifacts of a Troj\.Brisv\.A infection";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching brisv v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\PIMSRV";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $mp_path = "Software\\Microsoft\\MediaPlayer\\Preferences";
+ my $url;
+ eval {
+ $url = $key->get_subkey($mp_path)->get_value("URLAndExitCommandsEnabled")->get_data();
+ ::rptMsg($mp_path."\\URLAndExitCommandsEnabled value set to ".$url);
+ };
+# if an error occurs within the eval{} statement, do nothing
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
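Review bot: When `URLAndExitCommandsEnabled` is absent the `eval` near the end of the hunk fails silently, so the report only shows that `PIMSRV` exists and gives no sign that the second indicator was checked; add `::rptMsg($mp_path."\\URLAndExitCommandsEnabled not found.") if ($@);` after the block. Since presence of the `PIMSRV` key is the primary indicator here, a closing line stating the outcome (key present, value present or absent) would make the output self-explanatory to an analyst reading many reports. The string `"Detect artifacts of a Troj\.Brisv\.A infection"` is double-quoted, so the backslashes are dropped; plain `.` or single quotes is what was intended.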
diff --git a/RecentActivity/release/rr/plugins/clampi.pl b/RecentActivity/release/rr/plugins/clampi.pl
new file mode 100644
index 0000000000..abf0ae537a
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/clampi.pl
@@ -0,0 +1,120 @@
+#-----------------------------------------------------------
+# clampi.pl
+# Checks keys/values set by new version of Trojan.Clampi
+#
+# Change history
+# 20091019 - created
+#
+# NOTE: This is purely a test plugin, and based solely on the below
+# reference. It has not been tested on any systems that were
+# known to be infected.
+#
+# References
+# http://www.symantec.com/connect/blogs/inside-trojanclampi-stealing-your-information
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package clampi;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20091019);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "TEST - Checks for keys set by Trojan\.Clampi PROT module";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching clampi v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $count = 0;
+
+ my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my ($form1, $form2, $form3);
+
+ eval {
+ $form1 = $key->get_value("Use FormSuggest")->get_data();
+ ::rptMsg("\tUse FormSuggest = ".$form1);
+ $count++ if ($form1 eq "true");
+ };
+
+ eval {
+ $form2 = $key->get_value("FormSuggest_Passwords")->get_data();
+ ::rptMsg("\tFormSuggest_Passwords = ".$form2);
+ $count++ if ($form2 eq "true");
+ };
+
+ eval {
+ $form3 = $key->get_value("FormSuggest_PW_Ask")->get_data();
+ ::rptMsg("\tUse FormSuggest = ".$form3);
+ $count++ if ($form3 eq "no");
+ };
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my $auto;
+ eval {
+ $auto = $key->get_value("AutoSuggest")->get_data();
+ ::rptMsg("\tAutoSuggest = ".$auto);
+ $count++ if ($auto eq "true");
+ };
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+ my $key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my $prompt;
+ eval {
+ $prompt = $key->get_value("POP3 Prompt for Password")->get_data();
+ ::rptMsg("\tPOP3 Prompt for Password = ".$prompt);
+ $count++ if ($prompt eq "true");
+ };
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+ if ($count == 5) {
+ ::rptMsg("The system may have been infected with the Trojan.Clampi PROT module.");
+ }
+ else {
+ ::rptMsg("The system does not appear to have been infected with the Trojan.Clampi");
+ ::rptMsg("PROT module.");
+ }
+}
+1;
\ No newline at end of file
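Review bot: The label printed for the third indicator is wrong: `::rptMsg("\tUse FormSuggest = ".$form3);` reports the `FormSuggest_PW_Ask` value under the `Use FormSuggest` name, so the two lines cannot be told apart; it should read `::rptMsg("\tFormSuggest_PW_Ask = ".$form3);`. `$key_path` and `$key` are also redeclared with `my` in the same scope for the AutoComplete and Accounts sections, which only passes quietly because `use warnings` is off; reuse the variables or give each section its own block — the same pattern recurs in the OpenSaveMRU section of comdlg32.pl. The five `eq "true"`/`eq "no"` comparisons decide the `$count == 5` verdict, so the expected strings should be confirmed against the Symantec write-up the header cites; these IE REG_SZ values are commonly `yes`/`no` rather than `true`, and if that holds here the verdict can never trigger.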
diff --git a/RecentActivity/release/rr/plugins/clampitm.pl b/RecentActivity/release/rr/plugins/clampitm.pl
new file mode 100644
index 0000000000..60f21738c6
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/clampitm.pl
@@ -0,0 +1,78 @@
+#-----------------------------------------------------------
+# clampitm.pl
+# Checks keys/values set by new version of Trojan.Clampi
+#
+# Change history
+# 20100624 - created
+#
+# NOTE: This is purely a test plugin, and based solely on the below
+# reference. It has not been tested on any systems that were
+# known to be infected.
+#
+# References
+# http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/ilomo_external.pdf
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package clampitm;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100624);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Checks for IOCs for Clampi (per Trend Micro)";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching clampitm v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $count = 0;
+
+ my $key_path = 'Software\\Microsoft\\Internet Explorer\\Settings';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("ClampiTM plugin");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $tag = 1;
+ my @list = qw/GatesList GID KeyE KeyM PID/;
+ my @vals = $key->get_list_of_values();
+ if (scalar (@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ if (grep(/$name/,@list)) {
+ ::rptMsg(sprintf "%-10s %-30s",$name,$v->get_data());
+ $tag = 0;
+ }
+ }
+ if ($tag) {
+ ::rptMsg("No Clampi values found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
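Review bot: `grep(/$name/,@list)` interpolates a value name read from the hive into a regex and performs a substring match, so a name like `ID` matches both `GID` and `PID`, the key's default value (empty name) matches every entry, and any regex metacharacter in a name — data that comes from the hive, not from the analyst — alters or breaks the pattern; an exact literal comparison is what is meant: `if (grep { $_ eq $name } @list) {`. With that change `$tag` still drops to 0 on the first hit, so the "No Clampi values found." branch is unaffected. The `sprintf` line is fine as written because the data is passed as an argument rather than into the format.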
diff --git a/RecentActivity/release/rr/plugins/clsid.pl b/RecentActivity/release/rr/plugins/clsid.pl
new file mode 100644
index 0000000000..1823600295
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/clsid.pl
@@ -0,0 +1,80 @@
+#-----------------------------------------------------------
+# clsid.pl
+# Plugin to extract file association data from the Software hive file
+# Can take considerable time to run; recommend running it via rip.exe
+#
+# History
+# 20100227 - created
+#
+# References
+# http://msdn.microsoft.com/en-us/library/ms724475%28VS.85%29.aspx
+#
+# copyright 2010, Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package clsid;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100227);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get list of CLSID/registered classes";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my %clsid;
+ ::logMsg("Launching clsid v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Classes\\CLSID";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+# First step will be to get a list of all of the file extensions
+ my %ext;
+ my @sk = $key->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+
+ my $name = $s->get_name();
+ eval {
+ my $n = $s->get_value("")->get_data();
+ $name .= " ".$n unless ($n eq "");
+ };
+
+ push(@{$clsid{$s->get_timestamp()}},$name);
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %clsid) {
+ ::rptMsg(gmtime($t)." Z");
+ foreach my $item (@{$clsid{$t}}) {
+ ::rptMsg(" ".$item);
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
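Review bot: The comment `# First step will be to get a list of all of the file extensions` and the unused `my %ext;` beneath it describe a different plugin; the loop actually collects `Classes\CLSID` subkeys grouped by LastWrite time, so drop `%ext` and replace the comment with `# Collect each CLSID subkey (plus its default-value name, if any), grouped by LastWrite time`. The `eval` around `get_value("")` is appropriate for CLSIDs with no default value, but it also hides any other exception; printing `$@` when it is non-empty, as cmd_shell.pl does, keeps those visible. Given the header's warning that the plugin is slow, a count line such as `::rptMsg(scalar(@sk)." CLSID subkeys");` before the listing would let an analyst judge whether the output is complete.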
diff --git a/RecentActivity/release/rr/plugins/cmd_shell.pl b/RecentActivity/release/rr/plugins/cmd_shell.pl
new file mode 100644
index 0000000000..84e40a7735
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/cmd_shell.pl
@@ -0,0 +1,75 @@
+#-----------------------------------------------------------
+# cmd_shell
+#
+#
+# Change History
+# 20100830 - added "cs" shell command to the path
+# 20080328 - created
+#
+# References
+# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?
+# Name=TrojanClicker%3AWin32%2FVB.GE
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package cmd_shell;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20100830);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets shell open cmds for various file types";
+}
+sub getDescr{}
+sub getRefs {
+ my %refs = ("You Are Unable to Start a Program with an .exe File Extension" =>
+ "http://support.microsoft.com/kb/310585");
+ return %refs;
+}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching cmd_shell v.".$VERSION);
+
+ my @shells = ("exe","cmd","bat","cs","hta","pif");
+
+ foreach my $sh (@shells) {
+
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Classes\\".$sh."file\\shell\\open\\command";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("cmd_shell");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my $val;
+ eval {
+ $val = $key->get_value("")->get_data();
+ ::rptMsg("\tCmd: ".$val);
+ };
+ ::rptMsg("Error: ".$@) if ($@);
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+ }
+ ::rptMsg("");
+}
+1;
\ No newline at end of file
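Review bot: `Parse::Win32Registry->new($hive)` and `get_root_key` are called inside the `foreach my $sh (@shells)` loop, so the Software hive is re-opened and re-parsed once per file type; both lines are loop-invariant and belong before the loop, as in every other plugin in this commit. The `::rptMsg("Error: ".$@) if ($@);` after the `eval` is the right pattern — this is the one plugin here that surfaces a failed lookup instead of swallowing it. A one-line description is missing under `# cmd_shell` in the header; something like `# Reports the shell\open\command default value for exe/cmd/bat/cs/hta/pif so altered launch commands can be spotted` would match the KB article cited in getRefs.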
diff --git a/RecentActivity/release/rr/plugins/codeid.pl b/RecentActivity/release/rr/plugins/codeid.pl
new file mode 100644
index 0000000000..f3eec03151
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/codeid.pl
@@ -0,0 +1,75 @@
+#-----------------------------------------------------------
+# codeid
+# Get DefaultLevel value from CodeIdentifiers key
+#
+#
+# Change History
+# 20100608 - created
+#
+# References
+# SANS ISC blog - http://isc.sans.edu/diary.html?storyid=8917
+# CodeIdentifiers key
+# - http://technet.microsoft.com/en-us/library/bb457006.aspx
+# SAFER_LEVELID_FULLYTRUSTED value
+# - http://msdn.microsoft.com/en-us/library/ms722424%28VS.85%29.aspx
+# (262144 == Unrestricted)
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package codeid;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100608);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets CodeIdentifier DefaultLevel value";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching codeid v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("CodeID");
+ ::rptMsg($key_path);
+ my $lastwrite = $key->get_timestamp();
+ ::rptMsg(" LastWrite time: ".gmtime($lastwrite)." Z");
+ ::rptMsg("");
+
+ my $level;
+ eval {
+ $level = $key->get_value("DefaultLevel")->get_data();
+ ::rptMsg(sprintf "DefaultLevel = 0x%08x",$level);
+ };
+
+ my $exe;
+ eval {
+ $exe = $key->get_value("ExecutableTypes")->get_data();
+ $exe =~ s/\s/,/g;
+ ::rptMsg("ExecutableTypes = ".$exe);
+
+ };
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
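Review bot: When `DefaultLevel` is absent the first `eval` fails silently and nothing is printed, so the report cannot distinguish "value present" from "value missing" for a policy setting where absence is itself meaningful; add `::rptMsg("DefaultLevel value not found.") if ($@);` after that block, and the equivalent after the `ExecutableTypes` block. The header documents `262144 == Unrestricted`, but the output shows only the raw hex, so that mapping should be applied where the analyst sees it, e.g. `::rptMsg("  (Unrestricted)") if ($level == 262144);` right after the sprintf line. The LastWrite line uses `" Z"` while the other plugins in this commit print `" (UTC)"`; one form would be easier to grep across reports.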
diff --git a/RecentActivity/release/rr/plugins/comdlg32.pl b/RecentActivity/release/rr/plugins/comdlg32.pl
new file mode 100644
index 0000000000..61cda3c1e6
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/comdlg32.pl
@@ -0,0 +1,145 @@
+#-----------------------------------------------------------
+# comdlg32.pl
+# Plugin for Registry Ripper
+#
+# Change history
+# 20100402 - updated IAW Chad Tilbury's post to SANS
+# Forensic Blog
+# 20080324 - created
+#
+# References
+# Win2000 - http://support.microsoft.com/kb/319958
+# XP - http://support.microsoft.com/kb/322948/EN-US/
+#
+# copyright 20100402 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package comdlg32;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100402);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's ComDlg32 key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching comdlg32 v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("comdlg32 v.".$VERSION);
+
+# LastVistedMRU
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU";
+ my $key;
+ my @vals;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("ComDlg32\\LastVisitedMRU");
+ ::rptMsg("**All values printed in MRUList order.");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my %lvmru;
+ my @mrulist;
+ @vals = $key->get_list_of_values();
+
+ if (scalar(@vals) > 0) {
+# First, read in all of the values and the data
+ foreach my $v (@vals) {
+ $lvmru{$v->get_name()} = $v->get_data();
+ }
+# Then, remove the MRUList value
+ if (exists $lvmru{MRUList}) {
+ ::rptMsg(" MRUList = ".$lvmru{MRUList});
+ @mrulist = split(//,$lvmru{MRUList});
+ delete($lvmru{MRUList});
+ foreach my $m (@mrulist) {
+ my ($file,$dir) = split(/\00\00/,$lvmru{$m},2);
+ $file =~ s/\00//g;
+ $dir =~ s/\00//g;
+ ::rptMsg(" ".$m." -> EXE: ".$file);
+ ::rptMsg(" -> Last Dir: ".$dir);
+ }
+ }
+ else {
+ ::rptMsg($key_path." does not have an MRUList value.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+
+# OpenSaveMRU
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU";
+ my $key;
+ my @vals;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("ComDlg32\\OpenSaveMRU");
+ ::rptMsg("**All values printed in MRUList order.");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+# First, process OpenSaveMRU key values
+ parseOpenSaveValues($key);
+ ::rptMsg("");
+# Now, let's get the subkeys
+ my @sk = $key->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ parseOpenSaveValues($s);
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+sub parseOpenSaveValues {
+ my $key = shift;
+ ::rptMsg("OpenSaveMRU\\".$key->get_name());
+ ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." Z");
+ my %osmru;
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ map{$osmru{$_->get_name()} = $_->get_data()}(@vals);
+ if (exists $osmru{MRUList}) {
+ ::rptMsg(" MRUList = ".$osmru{MRUList});
+ my @mrulist = split(//,$osmru{MRUList});
+ delete($osmru{MRUList});
+ foreach my $m (@mrulist) {
+ ::rptMsg(" ".$m." -> ".$osmru{$m});
+ }
+ }
+ else {
+ ::rptMsg($key->get_name()." does not have an MRUList value.");
+ }
+ }
+ else {
+ ::rptMsg($key->get_name()." has no values.");
+ }
+}
+
+
+1;
\ No newline at end of file
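Review bot: In the LastVisitedMRU loop `$lvmru{$m}` is used without checking that the key exists, so an MRUList letter with no matching value makes `split` and the two `s/\00//g` substitutions operate on `undef`; add `next unless defined $lvmru{$m};` at the top of the `foreach my $m (@mrulist)` body, and the same guard belongs in `parseOpenSaveValues` before `$osmru{$m}` is printed. `my $key_path`, `my $key` and `my @vals` are declared a second time in the same scope for the OpenSaveMRU section; with `use warnings` enabled these would be "masks earlier declaration" warnings — reuse the existing variables or put each section in its own block. The comment `# LastVistedMRU` also has a typo (LastVisitedMRU).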
diff --git a/RecentActivity/release/rr/plugins/comdlg32a.pl b/RecentActivity/release/rr/plugins/comdlg32a.pl
new file mode 100644
index 0000000000..0187b945d5
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/comdlg32a.pl
@@ -0,0 +1,225 @@
+#-----------------------------------------------------------
+# comdlg32a.pl
+# Plugin for Registry Ripper
+#
+# Change history
+# 20100409 - updated to include Vista and above
+# 20100402 - updated IAW Chad Tilbury's post to SANS
+# Forensic Blog
+# 20080324 - created
+#
+# References
+# Win2000 - http://support.microsoft.com/kb/319958
+# XP - http://support.microsoft.com/kb/322948/EN-US/
+#
+# copyright 20100402 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package comdlg32a;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100409);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's ComDlg32 key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching comdlg32a v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("comdlg32 v.".$VERSION);
+
+# LastVistedMRU
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32";
+ my $key;
+ my @vals;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @subkeys = $key->get_list_of_subkeys();
+
+ if (scalar @subkeys > 0) {
+ foreach my $s (@subkeys) {
+ parseLastVisitedMRU($s) if ($s->get_name() eq "LastVisitedMRU");
+ parseOpenSaveMRU($s) if ($s->get_name() eq "OpenSaveMRU");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+}
+
+sub parseLastVisitedMRU {
+ my $key = shift;
+ my %lvmru;
+ my @mrulist;
+ my @vals = $key->get_list_of_values();
+
+ if (scalar(@vals) > 0) {
+# First, read in all of the values and the data
+ foreach my $v (@vals) {
+ $lvmru{$v->get_name()} = $v->get_data();
+ }
+# Then, remove the MRUList value
+ if (exists $lvmru{MRUList}) {
+ ::rptMsg(" MRUList = ".$lvmru{MRUList});
+ @mrulist = split(//,$lvmru{MRUList});
+ delete($lvmru{MRUList});
+ foreach my $m (@mrulist) {
+ my ($file,$dir) = split(/\00\00/,$lvmru{$m},2);
+ $file =~ s/\00//g;
+ $dir =~ s/\00//g;
+ ::rptMsg(" ".$m." -> EXE: ".$file);
+ ::rptMsg(" -> Last Dir: ".$dir);
+ }
+ }
+ else {
+ ::rptMsg("LastVisitedMRU key does not have an MRUList value.");
+ }
+ }
+ else {
+ ::rptMsg("LastVisitedMRU key has no values.");
+ }
+ ::rptMsg("");
+}
+
+sub parseOpenSaveMRU {
+ my $key = shift;
+
+ parseOpenSaveValues($key);
+ ::rptMsg("");
+# Now, let's get the subkeys
+ my @sk = $key->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ parseOpenSaveValues($s);
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg("OpenSaveMRU key has no subkeys.");
+ }
+ ::rptMsg("");
+}
+
+sub parseOpenSaveValues {
+ my $key = shift;
+ ::rptMsg("OpenSaveMRU\\".$key->get_name());
+ ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." Z");
+ my %osmru;
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ map{$osmru{$_->get_name()} = $_->get_data()}(@vals);
+ if (exists $osmru{MRUList}) {
+ ::rptMsg(" MRUList = ".$osmru{MRUList});
+ my @mrulist = split(//,$osmru{MRUList});
+ delete($osmru{MRUList});
+ foreach my $m (@mrulist) {
+ ::rptMsg(" ".$m." -> ".$osmru{$m});
+ }
+ }
+ else {
+ ::rptMsg($key->get_name()." does not have an MRUList value.");
+ }
+ }
+ else {
+ ::rptMsg($key->get_name()." has no values.");
+ }
+}
+
+sub parseCIDSizeMRU {
+ my $key = shift;
+ my %lvmru;
+ my @mrulist;
+ my @vals = $key->get_list_of_values();
+
+ if (scalar(@vals) > 0) {
+# First, read in all of the values and the data
+ foreach my $v (@vals) {
+ $lvmru{$v->get_name()} = $v->get_data();
+ }
+# Then, remove the MRUList value
+ if (exists $lvmru{MRUListEx}) {
+ delete($lvmru{MRUListEx});
+ foreach my $m (keys %lvmru) {
+ my $file = parseStr($lvmru{$m});
+ my $str = sprintf "%-4s ".$file,$m;
+ ::rptMsg(" ".$str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." does not have an MRUList value.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+}
+
+
+sub parseLastVisitedPidlMRU {
+ my $key = shift;
+ my %lvmru;
+ my @mrulist;
+ @vals = $key->get_list_of_values();
+
+ if (scalar(@vals) > 0) {
+# First, read in all of the values and the data
+ foreach my $v (@vals) {
+ $lvmru{$v->get_name()} = $v->get_data();
+ }
+# Then, remove the MRUList value
+ if (exists $lvmru{MRUListEx}) {
+ delete($lvmru{MRUListEx});
+ foreach my $m (keys %lvmru) {
+ my $file = parseStr($lvmru{$m});
+ my $str = sprintf "%-4s ".$file,$m;
+ ::rptMsg(" ".$str);
+ }
+ }
+ else {
+ ::rptMsg("LastVisitedPidlMRU key does not have an MRUList value.");
+ }
+ }
+ else {
+ ::rptMsg("LastVisitedPidlMRU key has no values.");
+ }
+}
+
+sub parseStr {
+ my $data = $_[0];
+ my $temp;
+ my $tag = 1;
+ my $ofs = 0;
+
+ while ($tag) {
+ my $t = substr($data,$ofs,2);
+ if (unpack("v",$t) == 0x00) {
+ $tag = 0;
+ }
+ else {
+ $temp .= $t;
+ $ofs += 2;
+ }
+ }
+ $temp =~ s/\00//g;
+ return $temp;
+}
+
+1;
\ No newline at end of file
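Review bot: `parseCIDSizeMRU` and `parseLastVisitedPidlMRU` do not compile under the file's `use strict`: `$key_path` is referenced in the two CIDSizeMRU error branches without being declared in that sub, and `@vals = $key->get_list_of_values();` in parseLastVisitedPidlMRU lacks `my`, so loading this plugin fails at compile time and none of the file is usable. The fixes are `my @vals = $key->get_list_of_values();` and replacing the two `$key_path` messages with literal text such as `::rptMsg("CIDSizeMRU key does not have an MRUListEx value.");`, matching the wording the sibling sub already uses. Neither sub is dispatched from `pluginmain` either, although the change history says Vista support was added — the `foreach my $s (@subkeys)` loop only checks for `LastVisitedMRU` and `OpenSaveMRU`. Separately, `sprintf "%-4s ".$file,$m` places hive-derived text into the format string, so a name containing `%` is misparsed; use `sprintf "%-4s %s",$m,$file` in both subs.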
diff --git a/RecentActivity/release/rr/plugins/compdesc.pl b/RecentActivity/release/rr/plugins/compdesc.pl
new file mode 100644
index 0000000000..fc1f292089
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/compdesc.pl
@@ -0,0 +1,65 @@
+#-----------------------------------------------------------
+# compdesc.pl
+# Plugin for Registry Ripper,
+# ComputerDescriptions key parser
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package compdesc;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's ComputerDescriptions key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching compdesc v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("ComputerDescriptions");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ ::rptMsg(" ".$v->get_name()." ".$v->get_data());
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/compname.pl b/RecentActivity/release/rr/plugins/compname.pl
new file mode 100644
index 0000000000..b07c44183c
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/compname.pl
@@ -0,0 +1,75 @@
+#-----------------------------------------------------------
+# compname.pl
+# Plugin for Registry Ripper; Access System hive file to get the
+# computername
+#
+# Change history
+# 20090727 - added Hostname
+#
+# References
+# http://support.microsoft.com/kb/314053/
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package compname;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20090727);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets ComputerName and Hostname values from System hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching compname v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my ($current,$ccs);
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ my $cn_path = $ccs."\\Control\\ComputerName\\ComputerName";
+ my $cn;
+ if ($cn = $root_key->get_subkey($cn_path)) {
+ my $name = $cn->get_value("ComputerName")->get_data();
+ ::rptMsg("ComputerName = ".$name);
+ }
+ else {
+ ::rptMsg($cn_path." not found.");
+ ::logMsg($cn_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+ my $hostname;
+ eval {
+ my $host_path = $ccs."\\Services\\Tcpip\\Parameters";
+ $hostname = $root_key->get_subkey($host_path)->get_value("Hostname")->get_data();
+ ::rptMsg("TCP/IP Hostname = ".$hostname);
+ };
+
+}
+
+1;
\ No newline at end of file
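Review bot: The current control set path is built as `"ControlSet00".$current`, which only yields the right name while `Current` is a single digit (ControlSet001); `sprintf("ControlSet%03d",$current)` is the correct form and also covers `Current` values of 10 or more — the same construction appears in crashcontrol.pl. The Hostname lookup at the end runs even when the `Select` key was not found, in which case `$ccs` is undef and the `eval` silently tries the path `\Services\Tcpip\Parameters`; guard it with `if (defined $ccs)` or move it inside the `Select` branch. `$key->get_value("Current")->get_data()` is also the one lookup here outside an `eval`, so a hive lacking that value aborts the plugin with an uncaught die rather than a report line.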
diff --git a/RecentActivity/release/rr/plugins/controlpanel.pl b/RecentActivity/release/rr/plugins/controlpanel.pl
new file mode 100644
index 0000000000..67e06a906a
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/controlpanel.pl
@@ -0,0 +1,64 @@
+#-----------------------------------------------------------
+# controlpanel.pl
+# Vista ControlPanel key seems to contain some interesting info about the
+# user's activities...
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package controlpanel;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 64,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080428);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Look for RecentTask* values in ControlPanel key (Vista)";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching controlpanel v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ ::rptMsg("Analysis Tip: The RecentTask* entries appear to only be populated through the");
+ ::rptMsg("choices in the Control Panel Home view (in Vista). As each new choice is");
+ ::rptMsg("selected, the most recent choice is added as RecentTask1, and each ");
+ ::rptMsg("RecentTask* entry is incremented and pushed down in the stack.");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $str = sprintf "%-15s %-45s",$v->get_name(),$v->get_data();
+ ::rptMsg($str);
+ }
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/cpldontload.pl b/RecentActivity/release/rr/plugins/cpldontload.pl
new file mode 100644
index 0000000000..620419ef9b
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/cpldontload.pl
@@ -0,0 +1,72 @@
+#-----------------------------------------------------------
+# cpldontload.pl
+# Check contents of user's Control Panel\don't load key
+#
+# Change history
+# 20100116 - created
+#
+# References
+# W32.Nekat - http://www.symantec.com/security_response/
+# writeup.jsp?docid=2008-011419-0705-99&tabid=2
+# http://www.2-viruses.com/remove-antispywarexp2009
+#
+# Notes: Some malware appears to hide various Control Panel applets
+# using this means. If some sort of malware/spyware is thought
+# to be on the system, check the settings and note the key
+# LastWrite time.
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package cpldontload;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100116);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's Control Panel don't load key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching cpldontload v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Control Panel\\don\'t load";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @vals = $key->get_list_of_values();
+ if (scalar @vals > 0) {
+ foreach my $v (@vals) {
+ my $str = sprintf "%-20s %-5s",$v->get_name(),$v->get_data();
+ ::rptMsg($str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/crashcontrol.pl b/RecentActivity/release/rr/plugins/crashcontrol.pl
new file mode 100644
index 0000000000..61cc30b815
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/crashcontrol.pl
@@ -0,0 +1,93 @@
+#-----------------------------------------------------------
+# crashcontrol.pl
+#
+# Ref:
+# http://support.microsoft.com/kb/254649
+# http://support.microsoft.com/kb/274598
+#
+# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package crashcontrol;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081212);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get crash control information";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my %dumpenabled = (0 => "None",
+ 1 => "Complete memory dump",
+ 2 => "Kernel memory dump",
+ 3 => "Small (64kb) memory dump");
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching crashcontrol v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+
+ my $cc_path = "ControlSet00".$current."\\Control\\CrashControl";
+ my $cc;
+
+ if ($cc = $root_key->get_subkey($cc_path)) {
+
+ eval {
+ my $cde = $cc->get_value("CrashDumpEnabled")->get_data();
+ ::rptMsg("CrashDumpEnabled = ".$cde." [".$dumpenabled{$cde}."]");
+ };
+
+ eval {
+ my $df = $cc->get_value("DumpFile")->get_data();
+ ::rptMsg("DumpFile = ".$df);
+ };
+
+ eval {
+ my $mini = $cc->get_value("MinidumpDir")->get_data();
+ ::rptMsg("MinidumpDir = ".$mini);
+ };
+
+ eval {
+ my $logevt = $cc->get_value("LogEvent")->get_data();
+ ::rptMsg("LogEvent = ".$logevt);
+ ::rptMsg(" Logs an event to the System Event Log (event ID = 1001, source = Save Dump)") if ($logevt == 1);
+ };
+
+ eval {
+ my $sendalert = $cc->get_value("SendAlert")->get_data();
+ ::rptMsg("SendAlert = ".$sendalert);
+ ::rptMsg(" Sends a \'net send\' pop-up if a crash occurs") if ($sendalert == 1);
+ };
+
+
+ }
+ else {
+ ::rptMsg($cc_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
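Review bot: `$current = $key->get_value("Current")->get_data();` at the Select lookup is the one value read in pluginmain that is not wrapped in eval; if the Current value is absent the method call on undef dies and aborts the plugin, whereas every CrashControl value read below it is guarded. Wrapping it the same way, `my $current = eval { $key->get_value("Current")->get_data() };` followed by a rptMsg and `return` when it is undefined, keeps the failure mode consistent. `"ControlSet00".$current` also assumes a single-digit Current; `sprintf("ControlSet%03d", $current)` matches the key naming for any value, and crashdump.pl, ddm.pl, devclass.pl, disablelastaccess.pl, dllsearch.pl and eventlog.pl build the path the same way. Separately, `$dumpenabled{$cde}` is interpolated without an `exists` check, so an unrecognised CrashDumpEnabled value prints an empty bracket instead of something like `[unknown]`.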
diff --git a/RecentActivity/release/rr/plugins/crashdump.pl b/RecentActivity/release/rr/plugins/crashdump.pl
new file mode 100644
index 0000000000..eea639e827
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/crashdump.pl
@@ -0,0 +1,115 @@
+#-----------------------------------------------------------
+# crashdump.pl
+# Author: Don C. Weber
+# Plugin for Registry Ripper; Access System hive file to get the
+# crashdump settings from System hive
+#
+# Change history
+#
+#
+# References
+# Overview of memory dump file options for Windows Server 2003, Windows XP, and Windows 2000: http://support.microsoft.com/kb/254649/
+#
+# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
+#-----------------------------------------------------------
+package crashdump;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20081219);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets crashdump settings from System hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching crashdump v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+ my $win_path = $ccs."\\Control\\CrashControl";
+ my $win;
+ if ($win = $root_key->get_subkey($win_path)) {
+ ::rptMsg("CrashControl Configuration");
+ ::rptMsg($win_path);
+ ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)");
+ }
+ else {
+ ::rptMsg($win_path." not found.");
+ }
+
+ my %vals = getKeyValues($win);
+ if (scalar(keys %vals) > 0) {
+ foreach my $v (keys %vals) {
+ if ($v eq "CrashDumpEnabled"){
+ if ($vals{$v} == 0x00){
+ ::rptMsg("\t".$v." -> None");
+ } elsif ($vals{$v} == 0x01){
+ ::rptMsg("\t".$v." -> Complete memory dump");
+ } elsif ($vals{$v} == 0x02){
+ ::rptMsg("\t".$v." -> Kernel memory dump");
+ } elsif ($vals{$v} == 0x03){
+ ::rptMsg("\t".$v." -> Small memory dump (64KB)");
+ } else{
+ ::rptMsg($v." has no value.");
+ }
+ }else{
+ if (($v eq "MinidumpDir") || ($v eq "DumpFile")){
+ ::rptMsg("\t".$v." location ".$vals{$v});
+ } else{
+ ($vals{$v}) ? ::rptMsg("\t".$v." is Enabled") : ::rptMsg("\t".$v." is Disabled");
+ }
+ }
+ }
+ }
+ else {
+# ::rptMsg($key_path." has no values.");
+ }
+ ::rptMsg("");
+ ::rptMsg("Analysis Tips: For crash dump information and tools check http://support.microsoft.com/kb/254649/");
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+sub getKeyValues {
+ my $key = shift;
+ my %vals;
+
+ my @vk = $key->get_list_of_values();
+ if (scalar(@vk) > 0) {
+ foreach my $v (@vk) {
+ next if ($v->get_name() eq "" && $v->get_data() eq "");
+ $vals{$v->get_name()} = $v->get_data();
+ }
+ }
+ else {
+
+ }
+ return %vals;
+}
+
+1;
\ No newline at end of file
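Review bot: When `$win_path` is not found, the else branch only reports it and execution falls through to `my %vals = getKeyValues($win);` with `$win` undefined, so `$key->get_list_of_values()` inside getKeyValues dies on an undef invocant and the plugin aborts instead of finishing its report. Guarding the call, `my %vals = $win ? getKeyValues($win) : ();`, or returning from that else branch, fixes this. The `foreach my $v (keys %vals)` loop also iterates in hash order, so the report's line order can change between runs; `sort keys %vals` makes the output stable for diffing reports. The empty `else { }` in getKeyValues can be dropped.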
diff --git a/RecentActivity/release/rr/plugins/ctrlpnl.pl b/RecentActivity/release/rr/plugins/ctrlpnl.pl
new file mode 100644
index 0000000000..13ce7bf906
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/ctrlpnl.pl
@@ -0,0 +1,143 @@
+#-----------------------------------------------------------
+# ctrlpnl.pl
+# Get Control Panel info from the Software hive
+#
+# Change history:
+# 20100116 - created
+#
+# References:
+# http://support.microsoft.com/kb/292463
+# http://learning.infocollections.com/ebook%202/Computer/
+# Operating%20Systems/Windows/Windows.XP.Hacks/
+# 0596005113_winxphks-chp-2-sect-3.html
+# http://msdn.microsoft.com/en-us/library/cc144195%28VS.85%29.aspx
+#
+# Notes:
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package ctrlpnl;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100116);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get Control Panel info from Software hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %comp;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching ctrlpnl v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows\\CurrentVersion\\Control Panel";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+
+# Cpls section
+ if (my $cpl = $key->get_subkey("Cpls")) {
+ my @vals = $cpl->get_list_of_values();
+ if (scalar @vals > 0) {
+ ::rptMsg("Cpls key");
+ foreach my $v (@vals) {
+ my $str = sprintf "%-10s %-50s",$v->get_name(),$v->get_data();
+ ::rptMsg($str);
+ }
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg("Cpls key has no values.");
+ }
+ }
+ else {
+ ::rptMsg("Cpls key not found.");
+ }
+
+# don't load section
+# The 'don't load' key prevents applets from being loaded
+# Be sure to check the user's don't load key, as well
+ if (my $cpl = $key->get_subkey("don't load")) {
+ my @vals = $cpl->get_list_of_values();
+ if (scalar @vals > 0) {
+ ::rptMsg("don't load key");
+ foreach my $v (@vals) {
+ ::rptMsg($v->get_name());
+ }
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg("don't load key has no values.");
+ }
+ }
+ else {
+ ::rptMsg("don't load key not found.");
+ }
+
+# Extended Properties section
+ if (my $ext = $key->get_subkey("Extended Properties")) {
+ my @sk = $ext->get_list_of_subkeys();
+ if (scalar @sk > 0) {
+ foreach my $s (@sk) {
+ my @vals = $s->get_list_of_values();
+ if (scalar @vals > 0) {
+ ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp)." UTC]");
+
+# Ref: http://support.microsoft.com/kb/292463
+ my %cat = (0x00000000 => "Other Control Panel Options",
+ 0x00000001 => "Appearance and Themes",
+ 0x00000002 => "Printers and Other Hardware",
+ 0x00000003 => "Network and Internet Connections",
+ 0x00000004 => "Sounds, Speech, and Audio Devices",
+ 0x00000005 => "Performance and Maintenance",
+ 0x00000006 => "Date, Time, Language, and Regional Options",
+ 0x00000007 => "Accessibility Options",
+ 0xFFFFFFFF => "No Category");
+ my %prop;
+ foreach my $v (@vals) {
+ push(@{$prop{$v->get_data()}},$v->get_name());
+ }
+
+ foreach my $t (sort {$a <=> $b} keys %prop) {
+ (exists $cat{$t}) ? (::rptMsg($cat{$t})) : (::rptMsg("Category ".$t));
+ foreach my $i (@{$prop{$t}}) {
+ ::rptMsg(" ".$i);
+ }
+ ::rptMsg("");
+ }
+ }
+ }
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg("Extended Properties key has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg("Extended Properties key not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
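Review bot: The `%cat` category table is rebuilt inside the per-subkey `foreach my $s (@sk)` loop of the Extended Properties section, and the file-scope `my %comp;` is never referenced; hoisting `%cat` next to `%config` and deleting `%comp` removes both. `sort {$a <=> $b} keys %prop` assumes every value's data is numeric, which holds for DWORD category values but would silently order any other data as 0; a `Scalar::Util::looks_like_number` guard or a plain `sort keys %prop` would be safer. A `# Ref:` comment already cites KB 292463 for the table, so moving it keeps that reference with the data.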
diff --git a/RecentActivity/release/rr/plugins/ddm.pl b/RecentActivity/release/rr/plugins/ddm.pl
new file mode 100644
index 0000000000..e66fb2697f
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/ddm.pl
@@ -0,0 +1,82 @@
+#-----------------------------------------------------------
+# ddm.pl
+#
+# History:
+# 20081129 - created
+#
+# Note - Not really sure what this is for or could be used for, other
+# than to show devices that had been connected to the system
+#
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package ddm;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081129);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get DDM data from Control Subkey";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching ddm v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+
+ my $key_path = $ccs."\\Control\\DDM";
+ my $key;
+ my %dev;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar (@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ my $tag = (split(/\./,$name,2))[1];
+ $dev{$tag}{timestamp} = $s->get_timestamp();
+ eval {
+ $dev{$tag}{make} = $s->get_value("MakeName")->get_data();
+ $dev{$tag}{model} = $s->get_value("ModelName")->get_data();
+ };
+ }
+ foreach my $d (sort keys %dev) {
+ ::rptMsg(gmtime($dev{$d}{timestamp})."Z Device\.".$d." ".$dev{$d}{make}." ".$dev{$d}{model});
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+# ::logMsg($key_path." not found.");
+ }
+ }
+ else {
+ ::logMsg("Current value not found.");
+ }
+}
+1;
\ No newline at end of file
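Review bot: The single `eval { ... }` around the MakeName and ModelName reads couples them: if `get_value("MakeName")` returns undef the die skips the ModelName read too, and the later report line then concatenates both undefined fields. Reading them independently, `$dev{$tag}{make} = eval { $s->get_value("MakeName")->get_data() };` and likewise for ModelName, keeps whatever is present. `(split(/\./,$name,2))[1]` yields undef for a subkey name without a dot, so such entries collapse into a single `$dev{""}` slot and overwrite one another; skipping them or keying on the full name avoids that. The else message `"Current value not found."` is misleading, since that branch is reached when the `Select` key itself is missing rather than its Current value.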
diff --git a/RecentActivity/release/rr/plugins/defbrowser.pl b/RecentActivity/release/rr/plugins/defbrowser.pl
new file mode 100644
index 0000000000..ae7055aba1
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/defbrowser.pl
@@ -0,0 +1,78 @@
+#-----------------------------------------------------------
+# defbrowser.pl
+# Get default browser information - check #1 can apply to HKLM
+# as well as to HKCU
+#
+# Change History:
+# 20091116 - Added Check #1
+# 20081105 - created
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package defbrowser;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20091116);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets default browser setting from HKLM";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching defbrowser v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Clients\\StartMenuInternet";
+ if (my $key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Default Browser Check #1");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my $browser = $key->get_value("")->get_data();
+ ::rptMsg("Default Browser : ".$browser);
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+
+ ::rptMsg("");
+
+ my $key_path = "Classes\\HTTP\\shell\\open\\command";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Default Browser Check #2");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my $browser;
+ eval {
+ $browser = $key->get_value("")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("Error locating default browser setting.");
+ }
+ else {
+ ::rptMsg("Default Browser = ".$browser);
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
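Review bot: In Check #1 `my $browser = $key->get_value("")->get_data();` is unguarded, so a StartMenuInternet key with no default value dies on the undef returned by get_value and aborts the plugin before Check #2 runs, while Check #2 wraps the identical read in eval and reports the error. Use the same eval-and-`$@` pattern in Check #1, e.g. `my $browser = eval { $key->get_value("")->get_data() };` followed by the existing error/report branches. `my $key_path` and `my $key` are declared a second time in the same scope at Check #2, which is legal but would warn under `use warnings`; assigning to the existing variables is cleaner.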
diff --git a/RecentActivity/release/rr/plugins/devclass.pl b/RecentActivity/release/rr/plugins/devclass.pl
new file mode 100644
index 0000000000..b6a57fff2f
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/devclass.pl
@@ -0,0 +1,125 @@
+#-----------------------------------------------------------
+# devclass
+# Get USB device info from the DeviceClasses keys in the System
+# hive (Disks and Volumes GUIDs)
+#
+# Change History:
+# 20100901 - spelling error in output corrected
+# 20080331 - created
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package devclass;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100901);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get USB device info from the DeviceClasses keys in the System hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching devclass v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::logMsg("Could not find ".$key_path);
+ return
+ }
+# Get devices from the Disk GUID
+ my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("DevClasses - Disks");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my %disks;
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ next unless (grep(/USBSTOR/,$name));
+ my $lastwrite = $s->get_timestamp();
+ my ($dev, $serial) = (split(/#/,$name))[4,5];
+ push(@{$disks{$lastwrite}},$dev.",".$serial);
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %disks) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$disks{$t}}) {
+ ::rptMsg("\t$item");
+ }
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+# Get devices from the Volume GUID
+ my $key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("DevClasses - Volumes");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my %vols;
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ next unless (grep(/RemovableMedia/,$name));
+ my $lastwrite = $s->get_timestamp();
+ my $ppi = (split(/#/,$name))[5];
+ push(@{$vols{$lastwrite}},$ppi);
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %vols) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$vols{$t}}) {
+ ::rptMsg("\tParentIdPrefix: ".$item);
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
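Review bot: `next unless (grep(/USBSTOR/,$name));` is a case-sensitive match on the DeviceClasses subkey name, so an entry stored with different casing (registry key names are case-insensitive to Windows) would be dropped from the Disks listing without notice; `next unless ($name =~ m/USBSTOR/i);` is the idiomatic scalar match and tolerates case, and the RemovableMedia filter in the Volumes section has the same issue. `my ($dev, $serial) = (split(/#/,$name))[4,5];` assumes the `##?#USBSTOR#...#serial#{guid}` layout; a name with fewer `#` fields leaves `$serial` undefined and the report line ends in a bare comma, so a `defined` check before the push is worth adding. The Select lookup here correctly returns when the key is missing, but `get_value("Current")->get_data()` still dies if the value itself is absent.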
diff --git a/RecentActivity/release/rr/plugins/dfrg.pl b/RecentActivity/release/rr/plugins/dfrg.pl
new file mode 100644
index 0000000000..29ac3b80ec
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/dfrg.pl
@@ -0,0 +1,63 @@
+#-----------------------------------------------------------
+# dfrg.pl
+# Gets contents of Dfrg\BootOptimizeFunction key
+#
+# Change history:
+# 20110321 - created
+#
+# References
+# http://technet.microsoft.com/en-us/library/cc784391%28WS.10%29.aspx
+#
+# copyright 2011 Quantum Analytics Research, LLC (keydet89@yahoo.com)
+#-----------------------------------------------------------
+package dfrg;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20110321);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets content of Dfrg BootOptim. key";
+}
+sub getDescr{}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching dfrg v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Dfrg\\BootOptimizeFunction";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Dfrg");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ ::rptMsg(sprintf "%-20s %-20s",$v->get_name(),$v->get_data());
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
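Review bot: `sub getRefs` is missing from this plugin while every sibling plugin in this commit defines it, at least as an empty stub, and `%config` carries `hasRefs => 0`; if the host calls getRefs unconditionally this package dies with an unknown-method error. Adding `sub getRefs {}` after `sub getDescr{}` keeps the plugin interface uniform. The `\ No newline at end of file` marker shows the file lacks a trailing newline, unlike dllsearch.pl and crashcontrol.pl in the same commit.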
diff --git a/RecentActivity/release/rr/plugins/disablelastaccess.pl b/RecentActivity/release/rr/plugins/disablelastaccess.pl
new file mode 100644
index 0000000000..e064521726
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/disablelastaccess.pl
@@ -0,0 +1,73 @@
+#-----------------------------------------------------------
+# disablelastaccess.pl
+#
+# References:
+# http://support.microsoft.com/kb/555041
+# http://support.microsoft.com/kb/894372
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package disablelastaccess;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090118);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get NTFSDisableLastAccessUpdate value";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching disablelastaccess v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ my $ccs;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+
+ my $key_path = $ccs."\\Control\\FileSystem";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("NtfsDisableLastAccessUpdate");
+ ::rptMsg($key_path);
+ my @vals = $key->get_list_of_values();
+ my $found = 0;
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ if ($v->get_name() eq "NtfsDisableLastAccessUpdate") {
+ ::rptMsg("NtfsDisableLastAccessUpdate = ".$v->get_data());
+ $found = 1;
+ }
+ }
+ ::rptMsg("NtfsDisableLastAccessUpdate value not found.") if ($found == 0);
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
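Review bot: When the `Select` key is not found, `$ccs` stays undefined and `my $key_path = $ccs."\\Control\\FileSystem";` silently becomes `\Control\FileSystem`, so the plugin reports a misleading `\Control\FileSystem not found.` rather than the real cause. Add an else branch on the Select lookup that logs and returns, as devclass.pl does: `else { ::logMsg("Could not find ".$key_path); return; }`. The value scan could also be a direct `$key->get_value("NtfsDisableLastAccessUpdate")` instead of iterating every value, which removes the `$found` flag entirely.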
diff --git a/RecentActivity/release/rr/plugins/dllsearch.pl b/RecentActivity/release/rr/plugins/dllsearch.pl
new file mode 100644
index 0000000000..767042a8ec
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/dllsearch.pl
@@ -0,0 +1,69 @@
+#-----------------------------------------------------------
+# dllsearch.pl
+#
+# References:
+# http://support.microsoft.com/kb/2264107
+#
+# Change History:
+# 20100824: created
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package dllsearch;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100824);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get crash control information";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching dllsearch v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+
+ my $cc_path = "ControlSet00".$current."\\Control\\Session Manager";
+ my $cc;
+ if ($cc = $root_key->get_subkey($cc_path)) {
+ ::rptMsg("dllsearch v.".$VERSION);
+ ::rptMsg("");
+ my $found = 1;
+ eval {
+ my $cde = $cc->get_value("CWDIllegalInDllSearch")->get_data();
+ $found = 0;
+ ::rptMsg(sprintf "CWDIllegalInDllSearch = 0x%x",$cde);
+ };
+ ::rptMsg("CWDIllegalInDllSearch value not found.") if ($found);
+ }
+ else {
+ ::rptMsg($cc_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
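Review bot: `getShortDescr` returns `"Get crash control information"`, a leftover from crashcontrol.pl; the plugin listing will describe this plugin incorrectly, so it should read something like `"Get CWDIllegalInDllSearch value from Session Manager"`. The `$found` flag is initialised to 1 and cleared when the value is read, so its name means the opposite of its value; `my $missing = 1;` / `$missing = 0;` / `if ($missing)` reads correctly. The raw hex value is printed without interpretation; since the referenced KB 2264107 defines what each setting blocks, a lookup table like `%dumpenabled` in crashcontrol.pl would make the DLL-preloading hardening state readable directly in the report.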
diff --git a/RecentActivity/release/rr/plugins/domains.pl b/RecentActivity/release/rr/plugins/domains.pl
new file mode 100644
index 0000000000..633ad87cfd
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/domains.pl
@@ -0,0 +1,74 @@
+#-----------------------------------------------------------
+# domains.pl
+#
+#
+# Change history
+# 20100116 - Created
+#
+# References
+# http://support.microsoft.com/kb/919748
+# http://support.microsoft.com/kb/922704
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package domains;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100116);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents Internet Settings\\ZoneMap\\Domains key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching domains v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path."\\Domains")) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
+
+ my @vals = $s->get_list_of_values();
+ if (scalar @vals > 0) {
+ foreach my $v (@vals) {
+ ::rptMsg(" ".$v->get_name()." -> ".$v->get_data);
+ }
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
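Review bot: The key actually opened is `$key_path."\\Domains"` but every report and log line, including the header and both failure messages, prints `$key_path`, i.e. the parent ZoneMap path, so an analyst reading `... ZoneMap not found.` is told the wrong key is missing. Folding the subkey into the variable, `my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains";` with `get_subkey($key_path)`, fixes all five messages at once. The value data printed for each host appears to be the numeric zone it was assigned; a one-line header comment saying these are Internet Explorer security-zone assignments, and that unexpected additions to the more permissive zones deserve a look, would help the reader of the report.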
diff --git a/RecentActivity/release/rr/plugins/drwatson.pl b/RecentActivity/release/rr/plugins/drwatson.pl
new file mode 100644
index 0000000000..0360c33fb3
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/drwatson.pl
@@ -0,0 +1,77 @@
+#-----------------------------------------------------------
+# drwatson.pl
+# Author: Don C. Weber
+# Plugin for Registry Ripper; Access Software hive file to get the
+# Dr. Watson settings from Software hive
+#
+# Change history
+#
+#
+# References
+# Dr Watson: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html
+#
+# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
+#-----------------------------------------------------------
+package drwatson;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20081219);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets Dr. Watson settings from Software hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching drwatson v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AeDebug";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ($key->get_value('Auto') == 0x0) ? ::rptMsg("Debugging is Disabled") : ::rptMsg("Debugging is Enabled");
+ eval {
+ ::rptMsg("Debugger: ".$key->get_value('Debugger')->get_data());
+ };
+
+ } else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+ ::rptMsg("");
+ my $key_path = "Microsoft\\DrWatson";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ($key->get_value('LogFilePath')) ? ::rptMsg("DrWatson LogFile Path location: ".$key->get_value('LogFilePath')->get_data()) : ::rptMsg("DrWatson LogFile Path location: %SystemRoot%\\Documents and Settings\\All Users\\Documents\\DrWatson");
+ ($key->get_value('CreateCrashDump') == 0x0) ? ::rptMsg("CreateCrashDump is Disabled") : ::rptMsg("CreateCrashDump is Enabled");
+ ($key->get_value('CrashDumpFile')) ? ::rptMsg("Crash Dump Path and Name: ".$key->get_value('CrashDumpFile')->get_data()) : ::rptMsg("CrashDumpFile is not set");
+ ($key->get_value('AppendToLogFile') == 0x0) ? ::rptMsg("AppendToLogFile is set to create a new file each time") : ::rptMsg("AppendToLogFile is set to append");
+
+ } else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+ ::rptMsg("");
+ ::rptMsg("Analysis Tips: For Dr. Watson settings information check: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html");
+}
+
+1;
\ No newline at end of file
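Review bot: `($key->get_value('Auto') == 0x0)` compares the value object returned by get_value, not its data: a reference numifies to its address and is never 0, so when Auto exists this always reports `Debugging is Enabled`, and when it is absent `undef == 0` is true and reports Disabled. The same pattern is on the CreateCrashDump and AppendToLogFile lines in the DrWatson section, so all three reported states are currently unrelated to the stored setting. Each should read the data, e.g. `my $auto = eval { $key->get_value('Auto')->get_data() };` then `(defined $auto && $auto == 0x0) ? ... : ...`, with the undefined case reported on its own rather than folded into one of the two states. The LogFilePath and CrashDumpFile lines call get_value twice each; storing the object once avoids the repeated lookup.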
diff --git a/RecentActivity/release/rr/plugins/esent.pl b/RecentActivity/release/rr/plugins/esent.pl
new file mode 100644
index 0000000000..4ae7cd21b5
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/esent.pl
@@ -0,0 +1,78 @@
+#-----------------------------------------------------------
+# esent
+# Get contents of Esent\Process key from Software hive
+#
+# Note: Not sure why I wrote this one; just thought it might come
+# in handy as info about this key is developed.
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package esent;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20101202);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get ESENT\\Process key contents";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching esent v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\ESENT\\Process";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @sk = $key->get_list_of_subkeys();
+
+ if (scalar(@sk) > 0) {
+ my %esent;
+
+ foreach my $s (@sk) {
+ my $sk = $s->get_subkey("DEBUG");
+# my $lw = $s->get_timestamp();
+ my $lw = $sk->get_timestamp();
+
+ my $name = $s->get_name();
+
+ push(@{$esent{$lw}},$name);
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %esent) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$esent{$t}}) {
+ ::rptMsg(" $item");
+ }
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
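Review bot: `my $sk = $s->get_subkey("DEBUG");` can return undef, and `$sk->get_timestamp()` on the next effective line then dies on an undef invocant, aborting the whole listing at the first process subkey without a DEBUG child. Falling back to the parent's timestamp, `my $lw = $sk ? $sk->get_timestamp() : $s->get_timestamp();`, keeps the report complete; the commented-out line shows that was the earlier choice. `%config` sets `hasRefs => 1` while `getRefs` returns nothing, which is inconsistent with the other plugins that pair `hasRefs => 0` with the empty stub.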
diff --git a/RecentActivity/release/rr/plugins/eventlog.pl b/RecentActivity/release/rr/plugins/eventlog.pl
new file mode 100644
index 0000000000..a51ca91282
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/eventlog.pl
@@ -0,0 +1,156 @@
+#-----------------------------------------------------------
+# eventlog.pl
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package eventlog;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090112);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get EventLog configuration info";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching eventlog v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+
+ my $evt_path = "ControlSet00".$current."\\Services\\Eventlog";
+ my $evt;
+ if ($evt = $root_key->get_subkey($evt_path)) {
+ ::rptMsg("");
+ my @subkeys = $evt->get_list_of_subkeys();
+ if (scalar (@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $logname = $s->get_name();
+ ::rptMsg($logname." \\ ".scalar gmtime($s->get_timestamp())."Z");
+ eval {
+ my $file = $s->get_value("File")->get_data();
+ ::rptMsg(" File = ".$file);
+ };
+
+ eval {
+ my $display = $s->get_value("DisplayNameFile")->get_data();
+ ::rptMsg(" DisplayNameFile = ".$display);
+ };
+
+ eval {
+ my $max = $s->get_value("MaxSize")->get_data();
+ ::rptMsg(" MaxSize = ".processSize($max));
+ };
+
+ eval {
+ my $ret = $s->get_value("Retention")->get_data();
+ ::rptMsg(" Retention = ".processRetention($ret));
+ };
+
+# AutoBackupLogFiles; http://support.microsoft.com/kb/312571/
+ eval {
+ my $auto = $s->get_value("AutoBackupLogFiles")->get_data();
+ ::rptMsg(" AutoBackupLogFiles = ".$auto);
+ };
+
+# Check WarningLevel value on Security EventLog; http://support.microsoft.com/kb/945463
+ eval {
+ if ($logname eq "Security") {
+ my $wl = $s->get_value("WarningLevel")->get_data();
+ ::rptMsg(" WarningLevel = ".$wl);
+ }
+ };
+
+ ::rptMsg("");
+ }
+
+ }
+ else {
+ ::rptMsg($evt_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($evt_path." not found.");
+ ::logMsg($evt_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
+
+sub processSize {
+ my $sz = shift;
+
+ my $kb = 1024;
+ my $mb = $kb * 1024;
+ my $gb = $mb * 1024;
+
+ if ($sz > $gb) {
+ my $d = $sz/$gb;
+ my $l = length((split(/\./,$d,2))[0]) + 2;
+ return sprintf "%$l.2fGB",$d;
+ }
+ elsif ($sz > $mb) {
+ my $d = $sz/$mb;
+ my $l = length((split(/\./,$d,2))[0]) + 2;
+ return sprintf "%$l.2fMB",$d;
+ }
+ elsif ($sz > $kb) {
+ my $d = $sz/$kb;
+ my $l = length((split(/\./,$d,2))[0]) + 2;
+ return sprintf "%$l.2fKB",$d;
+ }
+ else {return $sz."B"};
+}
+
+sub processRetention {
+# Retention maintained in seconds
+# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/
+# regentry/30709.mspx?mfr=true
+ my $ret = shift;
+
+ my $min = 60;
+ my $hr = $min * 60;
+ my $day = $hr * 24;
+
+ if ($ret > $day) {
+ my $d = $ret/$day;
+ my $l = length((split(/\./,$d,2))[0]) + 2;
+ return sprintf "%$l.2f days",$d;
+ }
+ elsif ($ret > $hr) {
+ my $d = $ret/$hr;
+ my $l = length((split(/\./,$d,2))[0]) + 2;
+ return sprintf "%$l.2f hr",$d;
+ }
+ elsif ($ret > $min) {
+ my $d = $ret/$min;
+ my $l = length((split(/\./,$d,2))[0]) + 2;
+ return sprintf "%$l.2f min",$d;
+ }
+ else {return $ret." sec"};
+}
\ No newline at end of file
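Review bot: `my $evt_path = "ControlSet00".$current."\\Services\\Eventlog";` only yields a valid key name while `Current` is a single digit; the registry's zero-padded names are produced for any value by `sprintf("ControlSet%03d", $current)`, and the same concatenation recurs in eventlogs.pl, fw_config.pl, hibernate.pl, ide.pl and imagedev.pl in this commit. The preceding `$key->get_value("Current")->get_data()` is chained outside any `eval`, so an absent `Current` value aborts the plugin instead of being reported (the `eval` wrappers around the other `get_value` calls in this file exist for exactly that failure). In `processRetention` the raw seconds are converted without special-casing the sentinel values the cited Microsoft reference describes (as I recall it, 0 for overwrite-as-needed and 0xFFFFFFFF for never overwrite); the latter would be printed as roughly 49710 days, so print those two literally before the arithmetic.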
diff --git a/RecentActivity/release/rr/plugins/eventlogs.pl b/RecentActivity/release/rr/plugins/eventlogs.pl
new file mode 100644
index 0000000000..d7557218c2
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/eventlogs.pl
@@ -0,0 +1,98 @@
+#-----------------------------------------------------------
+# eventlogs.pl
+# Author: Don C. Weber
+# Plugin for Registry Ripper; Access System hive file to get the
+# Event Log settings from System hive
+#
+# Change history
+#
+#
+# References
+# Eventlog Key: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx
+#
+# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
+#-----------------------------------------------------------
+package eventlogs;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20081219);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets Event Log settings from System hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching eventlogs v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+ my $win_path = $ccs."\\Services\\Eventlog";
+ my $win;
+ if ($win = $root_key->get_subkey($win_path)) {
+ ::rptMsg("EventLog Configuration");
+ ::rptMsg($win_path);
+ ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)");
+ my $cn;
+ if ($cn = $win->get_value("ComputerName")->get_data()) {
+ ::rptMsg("ComputerName = ".$cn);
+ }
+ else {
+ ::rptMsg("ComputerName value not found.");
+ }
+ }
+ else {
+ ::rptMsg($win_path." not found.");
+ }
+
+# Cycle through each type of log
+ my $logname;
+ my $evpath;
+ my $evlog;
+ my @list_logs = $win->get_list_of_subkeys();
+ foreach $logname (@list_logs){
+ ::rptMsg("");
+ $evpath = $win_path."\\".$logname->get_name();
+ if ($evlog = $root_key->get_subkey($evpath)) {
+ ::rptMsg(" ".$logname->get_name()." EventLog");
+ ::rptMsg(" ".$evpath);
+ ::rptMsg(" LastWrite Time ".gmtime($evlog->get_timestamp())." (UTC)");
+ ::rptMsg(" Configuration Settings");
+ ::rptMsg(" Log location: ".$evlog->get_value('File')->get_data());
+ ::rptMsg(" Log Size: ".$evlog->get_value('MaxSize')->get_data()." Bytes");
+ ($evlog->get_value('AutoBackupLogFiles') == 0x0) ? ::rptMsg(" AutoBackupLogFiles is Disabled") : ::rptMsg(" AutoBackupLogFiles is Enabled")
+ }
+ else {
+ ::rptMsg($logname->get_name()." Event Log not found.");
+ }
+ }
+ ::rptMsg("");
+ ::rptMsg("Analysis Tips: For Event Log settings information check: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx");
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
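Review bot: `my @list_logs = $win->get_list_of_subkeys();` sits outside the `if ($win = $root_key->get_subkey($win_path))` block, so when the Eventlog key is absent the else branch prints "not found" and the method call on undef `$win` then dies; add `return;` after that `::rptMsg($win_path." not found.");` or move the loop inside the block. The `AutoBackupLogFiles` ternary compares the value object itself to `0x0` rather than its data (`get_data()` is missing), so it reports "Enabled" whenever the value exists and dies when it does not; `my $abl = $evlog->get_value('AutoBackupLogFiles');` followed by `::rptMsg(defined $abl ? ($abl->get_data() == 0 ? " AutoBackupLogFiles is Disabled" : " AutoBackupLogFiles is Enabled") : " AutoBackupLogFiles not set");` handles both cases. The `ComputerName`, `File` and `MaxSize` lookups are likewise chained without a check, whereas eventlog.pl in this same commit wraps each of them in `eval`.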
diff --git a/RecentActivity/release/rr/plugins/fileexts.pl b/RecentActivity/release/rr/plugins/fileexts.pl
new file mode 100644
index 0000000000..5bd04db825
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/fileexts.pl
@@ -0,0 +1,73 @@
+#-----------------------------------------------------------
+# fileexts.pl
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package fileexts;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080818);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get user FileExts values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching fileexts v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("fileexts");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+
+ my @sk = $key->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ my $name = $s->get_name();
+ next unless ($name =~ m/^\.\w+/);
+
+ eval {
+ my $data = $s->get_subkey("OpenWithList")->get_value("MRUList")->get_data();
+ if ($data =~ m/^\w/) {
+ ::rptMsg("File Extension: ".$name);
+ ::rptMsg("LastWrite: ".gmtime($s->get_subkey("OpenWithList")->get_timestamp()));
+ ::rptMsg("MRUList: ".$data);
+ my @list = split(//,$data);
+ foreach my $l (@list) {
+ my $valdata = $s->get_subkey("OpenWithList")->get_value($l)->get_data();
+ ::rptMsg(" ".$l." => ".$valdata);
+ }
+ ::rptMsg("");
+ }
+ };
+ }
+ }
+ else {
+ ::rptMsg($key_path." does not have subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
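Review bot: The single `eval` around the whole MRUList walk means one missing per-letter value at `$s->get_subkey("OpenWithList")->get_value($l)->get_data()` silently aborts the rest of that extension's listing, including the entries after it and the trailing blank line, and `$@` is never logged. Resolve the subkey once with `my $owl = $s->get_subkey("OpenWithList") or next;`, then inside the loop use `my $val = $owl->get_value($l); next unless $val;` so one gap does not hide the others, and log `$@` if the `eval` is kept around the MRUList read. The same subkey is currently looked up three times per extension; the single variable removes that as well.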
diff --git a/RecentActivity/release/rr/plugins/findexes.pl b/RecentActivity/release/rr/plugins/findexes.pl
new file mode 100644
index 0000000000..ee2f027b35
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/findexes.pl
@@ -0,0 +1,95 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# findexes.pl
+# Plugin for RegRipper; traverses through a Registry hive,
+# looking for values with binary data types, and checks to see
+# if they start with "MZ"; if so, records the value path, key
+# LastWrite time, and length of the data
+#
+# Change history
+# 20090728 - Created
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package findexes;
+use strict;
+
+my %config = (hive => "All",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20090728);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Scans a hive file looking for binary value data that contains MZ";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %vals;
+my $bin_count = 0;
+my $exe_count = 0;
+
+sub pluginmain {
+ my $class = shift;
+ my $file = shift;
+ my $reg = Parse::Win32Registry->new($file);
+ my $root_key = $reg->get_root_key;
+ ::logMsg("Launching findexes v.".$VERSION);
+
+ traverse($root_key);
+# Data structure containing findings is a hash of hashes
+ foreach my $k (keys %vals) {
+ ::rptMsg("Key: ".$k." LastWrite time: ".gmtime($vals{$k}{lastwrite}));
+ foreach my $i (keys %{$vals{$k}}) {
+ next if ($i eq "lastwrite");
+ ::rptMsg(" Value: ".$i." Length: ".$vals{$k}{$i}." bytes");
+ }
+ ::rptMsg("");
+ }
+ ::rptMsg("Number of values w/ binary data types: ".$bin_count);
+ ::rptMsg("Number of values w/ MZ in binary data: ".$exe_count);
+}
+
+sub traverse {
+ my $key = shift;
+# my $ts = $key->get_timestamp();
+
+ foreach my $val ($key->get_list_of_values()) {
+ my $type = $val->get_type();
+ if ($type == 0 || $type == 3) {
+ $bin_count++;
+ my $data = $val->get_data();
+# This code looks for data that starts with MZ
+# my $i = unpack("v",substr($data,0,2));
+# if ($i == 0x5a4d) {
+ if (grep(/MZ/,$data)) {
+ $exe_count++;
+ my $path;
+ my @p = split(/\\/,$key->get_path());
+ if (scalar(@p) == 1) {
+ $path = "root";
+ }
+ else {
+ shift(@p);
+ $path = join('\\',@p);
+ }
+
+ $vals{$path}{lastwrite} = $key->get_timestamp();
+ $vals{$path}{$val->get_name()} = length($data);
+ }
+ }
+ }
+
+ foreach my $subkey ($key->get_list_of_subkeys()) {
+ traverse($subkey);
+ }
+}
+
+1;
\ No newline at end of file
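Review bot: `if (grep(/MZ/,$data))` matches "MZ" anywhere in the binary data, not at offset 0 as the header comment ("checks to see if they start with MZ") and the commented-out `unpack("v",substr($data,0,2))` check intend, so any binary value that happens to contain those two bytes is counted as an executable; `if (substr($data,0,2) eq "MZ")` restores the documented check. `%vals`, `$bin_count` and `$exe_count` are file-scoped and never reset, so if the framework invokes `pluginmain` more than once in the same process (plausible given `hive => "All"`) the second report carries keys and totals accumulated from the previous hive; reset all three at the top of `pluginmain`. The report loops iterate `keys %vals` and `keys %{$vals{$k}}` unsorted, so the order of the output is not stable from run to run; `sort keys` fixes that here and in the same pattern over `keys %vals` in fw_config.pl and `keys %main` in ie_main.pl in this commit.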
diff --git a/RecentActivity/release/rr/plugins/fw_config.pl b/RecentActivity/release/rr/plugins/fw_config.pl
new file mode 100644
index 0000000000..e43e245837
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/fw_config.pl
@@ -0,0 +1,116 @@
+#-----------------------------------------------------------
+# fw_config
+#
+# References
+# http://technet2.microsoft.com/WindowsServer/en/library/47f25d7d-
+# 882b-4f87-b05f-31e5664fc15e1033.mspx?mfr=true
+#
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package fw_config;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 20,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080328);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets the Windows Firewall config from the System hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching fw_config v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $select_path = 'Select';
+ my $sel;
+ if ($sel = $root_key->get_subkey($select_path)) {
+ $current = $sel->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::rptMsg($select_path." could not be found.");
+ ::logMsg($select_path." could not be found.");
+ return;
+ }
+
+ my @profiles = ("DomainProfile","StandardProfile");
+ foreach my $profile (@profiles) {
+ my $key_path = $ccs."\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\".$profile;
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Windows Firewall Configuration");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my %vals = getKeyValues($key);
+ if (scalar(keys %vals) > 0) {
+ foreach my $v (keys %vals) {
+ ::rptMsg("\t".$v." -> ".$vals{$v});
+ }
+ }
+ else {
+# ::rptMsg($key_path." has no values.");
+ }
+
+ my @configs = ("RemoteAdminSettings",
+ "IcmpSettings",
+ "GloballyOpenPorts\\List",
+ "AuthorizedApplications\\List");
+
+ foreach my $config (@configs) {
+ eval {
+ my %vals = getKeyValues($key->get_subkey($config));
+ if (scalar(keys %vals) > 0) {
+ ::rptMsg("");
+ ::rptMsg($key_path."\\".$config);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_subkey($config)->get_timestamp())." (UTC)");
+ foreach my $v (keys %vals) {
+ ::rptMsg("\t".$v." -> ".$vals{$v});
+ }
+ }
+ };
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+ } # end foreach
+}
+
+sub getKeyValues {
+ my $key = shift;
+ my %vals;
+
+ my @vk = $key->get_list_of_values();
+ if (scalar(@vk) > 0) {
+ foreach my $v (@vk) {
+ next if ($v->get_name() eq "" && $v->get_data() eq "");
+ $vals{$v->get_name()} = $v->get_data();
+ }
+ }
+ else {
+
+ }
+ return %vals;
+}
+1;
\ No newline at end of file
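Review bot: The `eval` around `getKeyValues($key->get_subkey($config))` turns a missing `IcmpSettings`, `GloballyOpenPorts\List` or `AuthorizedApplications\List` subkey into silence, indistinguishable in the report from a subkey that exists but is empty, and `$@` is never examined so a genuine parse error disappears the same way. Test the subkey first — `my $sub = $key->get_subkey($config); unless ($sub) { ::rptMsg($key_path."\\".$config." not found."); next; }` — and drop the `eval` so remaining errors surface. The empty `else` branch after the profile-values check (holding only a commented-out message) and the empty `else` at the end of `getKeyValues` are dead code and should either report or be removed.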
diff --git a/RecentActivity/release/rr/plugins/gthist.pl b/RecentActivity/release/rr/plugins/gthist.pl
new file mode 100644
index 0000000000..bc52f909a9
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/gthist.pl
@@ -0,0 +1,71 @@
+#-----------------------------------------------------------
+# gthist.pl
+# Google Toolbar Search History plugin
+#
+#
+# Change history
+# 20100218 - created
+#
+# References
+#
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package gthist;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100218);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets Google Toolbar Search History";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ my %hist;
+ ::logMsg("Launching gthist v.".$VERSION);
+
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Google\\NavClient\\1.1\\History';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar @vals > 0) {
+ ::rptMsg("");
+ foreach my $v (@vals) {
+ my $tv = unpack("V",$v->get_data());
+ $hist{$tv} = $v->get_name();
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %hist) {
+ my $str = gmtime($t)." ".$hist{$t};
+ ::rptMsg($str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
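Review bot: `$hist{$tv} = $v->get_name();` keys the history by timestamp alone, so two search entries that decode to the same second overwrite each other and only the last survives in the report. Collect them per timestamp as esent.pl in this commit does — `push(@{$hist{$tv}}, $v->get_name());` — and print each element of `@{$hist{$t}}` in the output loop. The `unpack("V", ...)` is also unguarded: a value shorter than four bytes gives an undef `$tv`, and the entry lands under an empty key instead of being reported, so skipping and logging values with `length($v->get_data()) < 4` is worth a line.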
diff --git a/RecentActivity/release/rr/plugins/gtwhitelist.pl b/RecentActivity/release/rr/plugins/gtwhitelist.pl
new file mode 100644
index 0000000000..e8d0695eea
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/gtwhitelist.pl
@@ -0,0 +1,74 @@
+#-----------------------------------------------------------
+# gtwhitelist.pl
+# Google Toolbar Search History plugin
+#
+#
+# Change history
+# 20100218 - created
+#
+# References
+#
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package gtwhitelist;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100218);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets Google Toolbar whitelist values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ my %hist;
+ ::logMsg("Launching gtwhitelist v.".$VERSION);
+
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Google\\Google Toolbar\\4.0\\whitelist';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my $allow2;
+ eval {
+ $allow2 = $key->get_value("allow2")->get_data();
+ my @vals = split(/\|/,$allow2);
+ ::rptMsg("");
+ ::rptMsg("whitelist");
+ foreach my $v (@vals) {
+ next if ($v eq "");
+ ::rptMsg(" ".$v);
+ }
+ ::rptMsg("");
+ };
+
+ my $lastmod;
+ eval {
+ $lastmod = $key->get_value("lastmod")->get_data();
+ ::rptMsg("lastmod ".gmtime($lastmod)." (UTC)");
+ };
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
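Review bot: Both `eval` blocks discard `$@`, so when `allow2` or `lastmod` is absent the report simply ends after the LastWrite line with no indication whether the values were missing or the read failed. hibernate.pl in this commit shows the pattern: `::rptMsg("allow2 value not found.") if ($@);` after the first `eval` and the equivalent for `lastmod` after the second. The header still reads "Google Toolbar Search History plugin", which is gthist.pl's description rather than this plugin's.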
diff --git a/RecentActivity/release/rr/plugins/hibernate.pl b/RecentActivity/release/rr/plugins/hibernate.pl
new file mode 100644
index 0000000000..64c5b3e359
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/hibernate.pl
@@ -0,0 +1,78 @@
+#-----------------------------------------------------------
+# hibernate.pl
+#
+# Ref:
+# http://support.microsoft.com/kb/293399 & testing
+#
+# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package hibernate;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081216);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Check hibernation status";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching hibernate v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+
+ my $power_path = $ccs."\\Control\\Session Manager\\Power";
+ my $power;
+ if ($power = $root_key->get_subkey($power_path)) {
+
+ my $heur;
+ eval {
+ my $bin_val = $power->get_value("Heuristics")->get_data();
+ $heur = (unpack("v*",$bin_val))[3];
+ if ($heur == 0) {
+ ::rptMsg("Hibernation disabled.");
+ }
+ elsif ($heur == 1) {
+ ::rptMsg("Hibernation enabled.");
+ }
+ else {
+ ::rptMsg("Unknown hibernation value: ".$heur);
+ }
+
+ };
+ ::rptMsg("Error reading Heuristics value.") if ($@);
+
+ }
+ else {
+ ::rptMsg($power_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+# ::logMsg($key_path." not found.");
+ }
+
+}
+1;
\ No newline at end of file
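Review bot: `$heur = (unpack("v*",$bin_val))[3];` yields undef when the `Heuristics` data is shorter than eight bytes, and the following `$heur == 0` then prints "Hibernation disabled." for a value that was never actually read. Guard on the length before deciding: `die "Heuristics data too short\n" if length($bin_val) < 8;` inside the `eval` routes that case to the existing "Error reading Heuristics value." branch. The `$key->get_value("Current")->get_data()` call above sits outside any `eval`, so a missing `Current` value aborts the plugin rather than producing a message.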
diff --git a/RecentActivity/release/rr/plugins/ide.pl b/RecentActivity/release/rr/plugins/ide.pl
new file mode 100644
index 0000000000..789cbd1495
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/ide.pl
@@ -0,0 +1,123 @@
+#-----------------------------------------------------------
+# ide.pl
+# Get IDE device info from the System hive file
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package ide;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080418);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get IDE device info from the System hive file";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching ide v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("IDE");
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::logMsg("Could not find ".$key_path);
+ return
+ }
+
+ my $key_path = $ccs."\\Enum\\IDE";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg("");
+ ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]");
+ my @sk = $s->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s2 (@sk) {
+ ::rptMsg($s2->get_name()." [".gmtime($s2->get_timestamp())." (UTC)]");
+ eval {
+ ::rptMsg("FriendlyName : ".$s2->get_value("FriendlyName")->get_data());
+ };
+ ::rptMsg("");
+ }
+ }
+
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+ my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("DevClasses - Disks");
+ ::rptMsg($key_path);
+ my %disks;
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ next unless (grep(/IDE/,$name));
+ my $lastwrite = $s->get_timestamp();
+ my ($dev, $serial) = (split(/#/,$name))[4,5];
+ push(@{$disks{$lastwrite}},$dev.",".$serial);
+ }
+
+ if (scalar(keys %disks) == 0) {
+ ::rptMsg("No IDE subkeys were found.");
+ return;
+ }
+ ::rptMsg("");
+ foreach my $t (reverse sort {$a <=> $b} keys %disks) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$disks{$t}}) {
+ ::rptMsg("\t$item");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
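Review bot: `my $key_path` and `my $key` are declared three times in the same scope of `pluginmain` (for `Select`, `Enum\IDE` and the DeviceClasses GUID); `use warnings` would flag each redeclaration as masking the earlier one, but the file enables only `use strict`, so it passes silently. Give each lookup its own name (`$ide_path`/`$ide_key`, `$dc_path`/`$dc_key`) and add `use warnings;` beside `use strict;`. The `(split(/#/,$name))[4,5]` slice assumes at least six `#`-separated fields in the DeviceClasses subkey name; with fewer, both `$dev` and `$serial` are undef and the report line is a bare comma, so skip and log names that do not split into enough parts.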
diff --git a/RecentActivity/release/rr/plugins/ie_main.pl b/RecentActivity/release/rr/plugins/ie_main.pl
new file mode 100644
index 0000000000..aa48c4d4a3
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/ie_main.pl
@@ -0,0 +1,82 @@
+#-----------------------------------------------------------
+# ie_main.pl
+# Checks keys/values set by new version of Trojan.Clampi
+#
+# Change history
+# 20091019 - created
+#
+#
+# References
+# http://support.microsoft.com/kb/895339
+# http://support.microsoft.com/kb/176497
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package ie_main;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20091019);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets values beneath user's Internet Explorer\\Main key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching ie_main v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my %main;
+
+ my @vals = $key->get_list_of_values();
+
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ next if ($name eq "Window_Placement");
+
+ $data = unpack("V",$data) if ($name eq "Do404Search");
+
+ if ($name eq "IE8RunOnceLastShown_TIMESTAMP" || $name eq "IE8TourShownTime") {
+ my ($t0,$t1) = unpack("VV",$data);
+ $data = gmtime(::getTime($t0,$t1))." UTC";
+ }
+ $main{$name} = $data;
+ }
+
+ foreach my $n (keys %main) {
+ my $str = sprintf "%-35s %-20s",$n,$main{$n};
+ ::rptMsg($str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
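Review bot: `my ($t0,$t1) = unpack("VV",$data);` in the `IE8RunOnceLastShown_TIMESTAMP` branch assumes eight bytes of binary data; with anything shorter `$t1` is undef and `::getTime` is handed garbage without any error, and the `unpack("V",$data)` for `Do404Search` has the same gap. Checking `length($data) == 8` (and `== 4`) before unpacking, and otherwise printing the raw data with a note, keeps the report honest. Whether `get_data()` already returns a decoded number for DWORD values is not visible here; if it does, the `Do404Search` unpack would be operating on a number's string form, so testing `$v->get_type()` as findexes.pl in this commit does would be the safer guard.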
diff --git a/RecentActivity/release/rr/plugins/ie_settings.pl b/RecentActivity/release/rr/plugins/ie_settings.pl
new file mode 100644
index 0000000000..fd3ee3857e
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/ie_settings.pl
@@ -0,0 +1,72 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# ie_settings.pl
+# Gets IE settings
+#
+# Change history
+#
+#
+# References
+#
+#
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package ie_settings;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ osmask => 22,
+ version => 20091016);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets IE settings";
+}
+sub getDescr{}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching ie_settings v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my $ua;
+ eval {
+ $ua = $key->get_value("User Agent")->get_data();
+ ::rptMsg("User Agent = ".$ua);
+ };
+
+ my $zonessecupgrade;
+ eval {
+ $zonessecupgrade = $key->get_value("ZonesSecurityUpgrade")->get_data();
+ my ($z0,$z1) = unpack("VV",$zonessecupgrade);
+ ::rptMsg("ZonesSecurityUpgrade = ".gmtime(::getTime($z0,$z1))." (UTC)");
+ };
+
+ my $daystokeep;
+ eval {
+ $daystokeep = $key->get_subkey("Url History")->get_value("DaysToKeep")->get_data();
+ ::rptMsg("DaysToKeep = ".$daystokeep);
+ };
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
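Review bot: `%config` sets `hasRefs => 1` but, unlike every other plugin in this commit, the file defines no `getRefs` sub, so a caller that honours the flag and invokes `ie_settings->getRefs` dies with an undefined-subroutine error. Either add `sub getRefs {}` next to `getDescr`, or set `hasRefs => 0` as the other plugins without references do. The three `eval` blocks also discard `$@`, so an absent `User Agent` or `DaysToKeep` is indistinguishable from a read error; `::rptMsg("User Agent value not found.") if ($@);` after each would match the pattern hibernate.pl uses.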
diff --git a/RecentActivity/release/rr/plugins/ie_version.pl b/RecentActivity/release/rr/plugins/ie_version.pl
new file mode 100644
index 0000000000..64ce73b046
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/ie_version.pl
@@ -0,0 +1,60 @@
+#-----------------------------------------------------------
+# ie_version
+# Get IE version and build
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package ie_version;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20091016);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get IE version and build";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching ie_version v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Internet Explorer";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $version;
+ my $build;
+ eval {
+ $build = $key->get_value("Build")->get_data();
+ ::rptMsg("IE Build = ".$build);
+ };
+
+ eval {
+ $version= $key->get_value("Version")->get_data();
+ ::rptMsg("IE Version = ".$version);
+ };
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
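Review bot: Both `eval` blocks in `pluginmain` swallow `$@`, so when neither `Build` nor `Version` can be read the report shows only the key path and LastWrite time with no statement that the values were missing. Add `::rptMsg("Build value not found.") if ($@);` after the first `eval` and the equivalent for `Version` after the second, as hibernate.pl in this commit does. `$version=` is also missing the space before `=` that the rest of the file uses.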
diff --git a/RecentActivity/release/rr/plugins/imagedev.pl b/RecentActivity/release/rr/plugins/imagedev.pl
new file mode 100644
index 0000000000..5822ae7a15
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/imagedev.pl
@@ -0,0 +1,85 @@
+#-----------------------------------------------------------
+# imagedev.pl
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package imagedev;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080730);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return " -- ";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching imagedev v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ eval {
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ };
+ if ($@) {
+ ::rptMsg("Problem locating proper controlset: $@");
+ return;
+ }
+
+ my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("imagedev");
+ ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @sk = $key->get_list_of_subkeys();
+
+ if (scalar(@sk) > 0) {
+ ::rptMsg("Still Image Capture Devices");
+ foreach my $s (@sk) {
+ my $name = $s->get_name();
+ next unless ($name =~ m/^\d{4}$/);
+ my $friendly;
+ eval {
+ $friendly = $s->get_value("FriendlyName")->get_data();
+ ::rptMsg(" ".$friendly);
+ };
+ if ($@) {
+ ::logMsg("Error getting device FriendlyName in imagedev: ".$@);
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
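Review bot: The `eval` that resolves `Select` only catches a thrown error; when the `Select` key is simply absent the inner `if` falls through, `$@` stays empty, `$ccs` stays undef, and the plugin goes on to look up `Control\Class\{6BDD1FC6-...}` with an undef prefix and reports that bogus path as not found. Add `unless (defined $ccs) { ::rptMsg("Could not determine current ControlSet."); return; }` after the `if ($@)` block. `getShortDescr` returning `" -- "` also leaves the plugin list without a description; the "Still Image Capture Devices" string already used in the report would serve.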
diff --git a/RecentActivity/release/rr/plugins/imagefile.pl b/RecentActivity/release/rr/plugins/imagefile.pl
new file mode 100644
index 0000000000..1f31f674b7
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/imagefile.pl
@@ -0,0 +1,99 @@
+#-----------------------------------------------------------
+# imagefile
+#
+# References:
+# http://msdn2.microsoft.com/en-us/library/a329t4ed(VS\.80)\.aspx
+# http://support.microsoft.com/kb/2264107
+#
+# Change history:
+# 20100824 - added check for "CWDIllegalInDllSearch" value
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package imagefile;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100824);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Checks IFEO subkeys for Debugger/CWDIllegalInDllSearch values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching imagefile v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Image File Execution Options");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ my %debug;
+ my $i = "Your Image File Name here without a path";
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ next if ($name =~ m/^$i/i);
+ my $debugger = "";
+ eval {
+ $debugger = $s->get_value("Debugger")->get_data();
+ };
+# If the eval{} throws an error, it's b/c the Debugger value isn't
+# found within the key, so we don't need to do anything w/ the error
+ if ($debugger ne "") {
+ $debug{$name}{debug} = $debugger;
+ $debug{$name}{lastwrite} = $s->get_timestamp();
+ }
+
+ my $dllsearch = "";
+ eval {
+ $dllsearch = $s->get_value("CWDIllegalInDllSearch")->get_data();
+ };
+# If the eval{} throws an error, it's b/c the Debugger value isn't
+# found within the key, so we don't need to do anything w/ the error
+ if ($dllsearch ne "") {
+ $debug{$name}{dllsearch} = $debugger;
+ $debug{$name}{lastwrite} = $s->get_timestamp();
+ }
+ }
+
+ if (scalar (keys %debug) > 0) {
+ foreach my $d (keys %debug) {
+ ::rptMsg($d." LastWrite: ".gmtime($debug{$d}{lastwrite}));
+ ::rptMsg(" Debugger : ".$debug{$d}{debug}) if (exists $debug{$d}{debug});
+ ::rptMsg(" CWDIllegalInDllSearch: ".$debug{$d}{dllsearch}) if (exists $debug{$d}{dllsearch});
+ }
+ }
+ else {
+ ::rptMsg("No Debugger/CWDIllegalInDllSearch values found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
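Review bot: The CWDIllegalInDllSearch branch stores the wrong variable: `$debug{$name}{dllsearch} = $debugger;` under the second eval should be `$debug{$name}{dllsearch} = $dllsearch;`, otherwise the report prints the Debugger string (or nothing) under the CWDIllegalInDllSearch label and the actual setting is never shown. The comment above that assignment is a copy of the Debugger one and should name the CWDIllegalInDllSearch value instead. Since the `ne ""` tests are the only way a missing value is told apart from a present one, a value whose data is legitimately empty is also dropped; if that matters, test `defined` on the result of `get_value` before calling `get_data`.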
diff --git a/RecentActivity/release/rr/plugins/init_dlls.pl b/RecentActivity/release/rr/plugins/init_dlls.pl
new file mode 100644
index 0000000000..d729a6b716
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/init_dlls.pl
@@ -0,0 +1,77 @@
+#-----------------------------------------------------------
+# init_dlls.pl
+# Plugin to assist in the detection of malware per Mark Russinovich's
+# blog post (References, below)
+#
+# Change History:
+# 20110309 - created
+#
+# References
+# http://blogs.technet.com/b/markrussinovich/archive/2011/02/27/3390475.aspx
+#
+# copyright 2011 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package init_dlls;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20110309);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Check for odd **pInit_Dlls keys";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my @init;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching init_dlls v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Windows";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("init_dlls");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite: ".gmtime($key->get_timestamp()));
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ next if ($name eq "AppInit_DLLs");
+ push(@init,$name) if ($name =~ m/Init_DLLs$/);
+ }
+
+ if (scalar @init > 0) {
+ foreach my $n (@init) {
+ ::rptMsg($n);
+ }
+ }
+ else {
+ ::rptMsg("No additional values named *Init_DLLs located.");
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
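Review bot: Both name checks in the value loop are case-sensitive (`next if ($name eq "AppInit_DLLs");` and `m/Init_DLLs$/`), but registry value names are case-insensitive, so a value spelled `AppInit_Dlls` is neither skipped as the legitimate entry nor listed, and a name ending in `Init_Dlls` is missed entirely. Compare with `lc($name) eq "appinit_dlls"` and match with `m/init_dlls\z/i` (`\z` rather than `$` so a trailing newline in the name is not ignored). Separately, `@init` is declared at file scope and never emptied, so if the host calls pluginmain more than once in a process the earlier results are reported again; declaring it inside pluginmain avoids that.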
diff --git a/RecentActivity/release/rr/plugins/installedcomp.pl b/RecentActivity/release/rr/plugins/installedcomp.pl
new file mode 100644
index 0000000000..9fd730301f
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/installedcomp.pl
@@ -0,0 +1,120 @@
+#-----------------------------------------------------------
+# installedcomp.pl
+# Get info about Installed Components
+#
+# Change history:
+# 20100116 - updated for slightly better coverage
+# 20100115 - created
+#
+# References:
+#
+# Notes: Look for out of place entries, particularly those
+# that point to the Recycle Bin or a temp directory
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package installedcomp;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100116);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get info about Installed Components/StubPath";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %comp;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching installedcomp v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Active Setup\\Installed Components";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $lastwrite = $s->get_timestamp();
+
+ my $str;
+ eval {
+ $str = $s->get_value("ComponentID")->get_data();
+ };
+
+ eval {
+ my $ver = $s->get_value("Version")->get_data();
+ $str .= " v.".$ver if ($ver && $s->get_value("Version")->get_type() == 1);
+ };
+
+ eval {
+ my $stub = $s->get_value("StubPath")->get_data();
+ $str .= "; ".$stub if ($stub ne "");
+ };
+
+# If the $str scalar is empty at this point, that means that for
+# some reason, we haven't been able to populate the information
+# we're looking for; in this case, we'll go looking for some info
+# in a different area of the hive; the BHO.pl plugin does this, as
+# well. I'd rather that the plugin look for the Classes info than
+# leave a blank entry in the output.
+ if ($str eq "") {
+ my $name = $s->get_name();
+ my $class_path = "Classes\\CLSID\\".$name;
+ my $proc;
+ if ($proc = $root_key->get_subkey($class_path)) {
+# Try these two eval{} statements because I've seen the different
+# spellings for InProcServer32/InprocServer32 in sequential keys
+ eval {
+ $str = $proc->get_subkey("InprocServer32")->get_value("")->get_data();
+ };
+
+ eval {
+ $str = $proc->get_subkey("InProcServer32")->get_value("")->get_data();
+ };
+ }
+ else {
+ $str = $name." class not found.";
+ }
+ }
+
+ push(@{$comp{$lastwrite}},$str);
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %comp) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$comp{$t}}) {
+ ::rptMsg(" ".$item);
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
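Review bot: `$str` is declared without a value, so when none of the three eval blocks succeed the `if ($str eq "")` comparison runs on undef; it works only because the file does not enable warnings, and `my $str = "";` makes the fallback path explicit. `%comp` is declared at file scope above pluginmain and never reset, so a second pluginmain call in the same process reports the earlier hive's entries again; declaring it inside pluginmain fixes that. The Version block also calls `$s->get_value("Version")` twice; holding the value object in a local once is cheaper and reads better.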
diff --git a/RecentActivity/release/rr/plugins/javafx.pl b/RecentActivity/release/rr/plugins/javafx.pl
new file mode 100644
index 0000000000..118e82cb58
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/javafx.pl
@@ -0,0 +1,67 @@
+#-----------------------------------------------------------
+# javafx.pl
+# Plugin written based on Cory Harrell's Exploit Artifacts posts at
+# http://journeyintoir.blogspot.com/
+#
+# Change history
+# 20110322 - created
+#
+# References
+# http://java.sun.com/j2se/1.4.2/runtime_win32.html
+#
+# copyright 2011 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package javafx;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20110322);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's JavaFX key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching javafx v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\JavaSoft\\Java Update\\Policy\\JavaFX";
+ my $key;
+ my @vals;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("javafx v.".$VERSION);
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite time: ".gmtime($key->get_timestamp()));
+ ::rptMsg("");
+ @vals = $key->get_list_of_values();
+
+ if (scalar(@vals) > 0) {
+# First, read in all of the values and the data
+ foreach my $v (@vals) {
+ ::rptMsg(sprintf "%-25s %-20s",$v->get_name(), $v->get_data());
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
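Review bot: `my @vals;` is declared before the `if` even though it is only assigned and read inside the found-key branch; moving the declaration to the assignment (`my @vals = $key->get_list_of_values();`) keeps its scope minimal and matches how the other plugins in this change handle the value list. The `sprintf "%-25s %-20s"` line prints `get_data()` raw, so a non-string value type would be written as its bytes; if the report sink is plain text, converting binary data before printing may be worth considering.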
diff --git a/RecentActivity/release/rr/plugins/kb950582.pl b/RecentActivity/release/rr/plugins/kb950582.pl
new file mode 100644
index 0000000000..4e24fe3dd2
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/kb950582.pl
@@ -0,0 +1,90 @@
+#-----------------------------------------------------------
+# kb950582.pl
+# Get autorun settings WRT KB950582
+#
+# Change history
+# 18 Dec 2008 - Updated to new name; added checks for Registry
+# keys
+#
+# References
+# http://support.microsoft.com/kb/953252
+# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit
+# /regentry/91525.mspx?mfr=true
+#
+# copyright 2008-2009 H. Carvey
+#-----------------------------------------------------------
+package kb950582;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20081212);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "KB950582 - Gets autorun settings from HKLM hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching kb950582 v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ eval {
+ my $path = "Microsoft\\Windows\\CurrentVersion\\Uninstall\\KB950582";
+ if (my $kbkey = $root_key->get_subkey($path)) {
+ my $install = $kbkey->get_value("InstallDate")->get_data();
+ ::rptMsg("KB950528 Uninstall Key ".gmtime($kbkey->get_timestamp()));
+ ::rptMsg(" InstallDate = ".$install."\n");
+ }
+ };
+ ::rptMsg("Uninstall\\KB950528 does not appear to be installed.\n") if ($@);
+
+ eval {
+ my $path = "Microsoft\\Updates\\Windows XP\\SP4\\KB950582";
+ if (my $kbkey = $root_key->get_subkey($path)) {
+ my $install = $kbkey->get_value("InstalledDate")->get_data();
+ ::rptMsg("KB950528 Update Key ".gmtime($kbkey->get_timestamp()));
+ ::rptMsg(" InstalledDate = ".$install."\n");
+ }
+ };
+ ::rptMsg("KB950528 does not appear to be installed.\n") if ($@);
+
+ my $key_path = "Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+
+ eval {
+ my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data();
+ my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive;
+ ::rptMsg($str);
+ };
+ ::rptMsg("Error: ".$@) if ($@);
+
+# http://support.microsoft.com/kb/953252
+ eval {
+ my $honor = $key->get_value("HonorAutorunSetting")->get_data();
+ my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor;
+ ::rptMsg($str);
+ };
+ ::rptMsg("HonorAutorunSetting not found.") if ($@);
+ ::rptMsg("");
+ ::rptMsg("Autorun settings in the HKLM hive take precedence over those in");
+ ::rptMsg("the HKCU hive.");
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
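Review bot: The report strings in both eval blocks say `KB950528` (`"KB950528 Uninstall Key "`, `"Uninstall\\KB950528 does not appear to be installed.\n"`, `"KB950528 Update Key "`, `"KB950528 does not appear to be installed.\n"`) while the key paths and the plugin name use KB950582; the digits are transposed and the output will not match the update an analyst searches for. Also, when the Uninstall or Updates key is absent, `get_subkey` returns false without dying, so `$@` stays empty and the "does not appear to be installed" line is never printed; it is only reached when the key exists but the InstallDate/InstalledDate value is missing. Adding an `else { die "$path not found\n"; }` inside each eval (or reporting from an explicit else branch) makes the absent case visible.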
diff --git a/RecentActivity/release/rr/plugins/kbdcrash.pl b/RecentActivity/release/rr/plugins/kbdcrash.pl
new file mode 100644
index 0000000000..560aef9785
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/kbdcrash.pl
@@ -0,0 +1,65 @@
+#-----------------------------------------------------------
+# kbdcrash.pl
+#
+# Ref:
+# http://support.microsoft.com/kb/244139
+#
+# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package kbdcrash;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081212);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Checks to see if system is config to crash via keyboard";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my $enabled = 0;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching kbdcrash v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $svc = "ControlSet00".$current."\\Services";
+
+ eval {
+ my $ps2 = $svc->get_subkey("i8042prt\\Parameters")->get_value("CrashOnCtrlScroll")->get_data();
+ ::rptMsg("CrashOnCtrlScroll set for PS2 keyboard") if ($ps2 == 1);
+ $enabled = 1 if ($ps2 == 1);
+ };
+
+ eval {
+ my $usb = $svc->get_subkey("kbdhid\\Parameters")->get_value("CrashOnCtrlScroll")->get_data();
+ ::rptMsg("CrashOnCtrlScroll set for USB keyboard") if ($usb == 1);
+ $enabled = 1 if ($usb == 1);
+ };
+ ::rptMsg("CrashOnCtrlScroll not set");
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
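Review bot: `$svc` is a plain string (`"ControlSet00".$current."\\Services"`), so `$svc->get_subkey(...)` in both eval blocks dies with a method-call-on-unblessed-value error that the eval swallows, and the plugin can never report CrashOnCtrlScroll as set; resolve the key first, `my $svc = $root_key->get_subkey("ControlSet00".$current."\\Services");`, and guard the evals with `if ($svc)`. The closing `::rptMsg("CrashOnCtrlScroll not set");` is also unconditional, so it prints even when a value was found; it should be `::rptMsg("CrashOnCtrlScroll not set") unless ($enabled);`. `$enabled` lives at file scope and is never reset, so it belongs inside pluginmain if the host may run a plugin more than once per process.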
diff --git a/RecentActivity/release/rr/plugins/landesk.pl b/RecentActivity/release/rr/plugins/landesk.pl
new file mode 100644
index 0000000000..d3dd8c5320
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/landesk.pl
@@ -0,0 +1,71 @@
+#-----------------------------------------------------------
+# LANDESK Monitor Logs
+#
+#
+# Change history
+# 20090729 - updates, H. Carvey
+#
+# copyright 2009 Don C. Weber
+#-----------------------------------------------------------
+package landesk;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090729);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get list of programs monitored by LANDESK from Software hive file";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my %ls;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching LANDESK v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "LANDesk\\ManagementSuite\\WinClient\\SoftwareMonitoring\\MonitorLog";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ eval {
+ my ($val1,$val2) = unpack("VV",$s->get_value("Last Started")->get_data());
+# Push the data into a hash of arrays
+ push(@{$ls{::getTime($val1,$val2)}},$s->get_name());
+ };
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %ls) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$ls{$t}}) {
+ ::rptMsg("\t$item");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." does not appear to have any subkeys.")
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
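Review bot: `%ls` is declared at file scope above pluginmain and never cleared, so a second pluginmain call in the same process (for example across several Software hives) reports the earlier hive's entries again; `my %ls;` belongs inside pluginmain. The `unpack("VV", ...)` inside the eval yields undef fields when the "Last Started" data is shorter than 8 bytes, and `::getTime` is presumably then called with undef; checking `length` of the data before unpacking, or logging `$@` after the eval, would make a malformed value visible instead of filing the entry under a bogus timestamp. The missing semicolon after `::rptMsg($key_path." does not appear to have any subkeys.")` is legal as the last statement in its block but differs from the rest of the file.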
diff --git a/RecentActivity/release/rr/plugins/legacy.pl b/RecentActivity/release/rr/plugins/legacy.pl
new file mode 100644
index 0000000000..3c34a1a26a
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/legacy.pl
@@ -0,0 +1,96 @@
+#-----------------------------------------------------------
+# legacy.pl
+#
+#
+# Change history
+# 20090429 - created
+#
+# Reference: http://support.microsoft.com/kb/310592
+#
+#
+# Analysis Tip:
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package legacy;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20090429);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Lists LEGACY_ entries in Enum\\Root key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key();
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+ my $root_path = $ccs."\\Enum\\Root";
+
+ my %legacy;
+ if (my $root = $root_key->get_subkey($root_path)) {
+ my @sk = $root->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ my $name = $s->get_name();
+ next unless ($name =~ m/^LEGACY_/);
+ push(@{$legacy{$s->get_timestamp()}},$name);
+
+ eval {
+ my @s_sk = $s->get_list_of_subkeys();
+ if (scalar(@s_sk) > 0) {
+ foreach my $s_s (@s_sk) {
+
+ my $desc;
+ eval {
+ $desc = $s_s->get_value("DeviceDesc")->get_data();
+ push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()." - ".$desc);
+ };
+ push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()) if ($@);
+ }
+ }
+ };
+ }
+ }
+ else {
+ ::rptMsg($root_path." has no subkeys.");
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %legacy) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$legacy{$t}}) {
+ ::rptMsg("\t$item");
+ }
+ }
+ }
+ else {
+ ::rptMsg($root_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
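Review bot: `use strict;` is missing after `package legacy;`, unlike every other plugin in this change; without it a typo in any of the lexicals here (`$root_path`, `%legacy`, `$s_s`) silently becomes a package global. Add `use strict;` directly after the package line. The `push(...) if ($@);` relies on `$@` from the DeviceDesc eval immediately above, which is fine as written, but the outer eval around the subkey loop hides any other failure without logging; emitting `::logMsg` with `$@` after that eval keeps such failures visible.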
diff --git a/RecentActivity/release/rr/plugins/listsoft.pl b/RecentActivity/release/rr/plugins/listsoft.pl
new file mode 100644
index 0000000000..ae1c50a540
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/listsoft.pl
@@ -0,0 +1,69 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# listsoft.pl
+# Plugin for Registry Ripper; traverses thru the Software
+# key of an NTUSER.DAT file, extracting all of the subkeys
+# and listing them in order by LastWrite time.
+#
+# Change history
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package listsoft;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Lists contents of user's Software key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $file = shift;
+ my $reg = Parse::Win32Registry->new($file);
+ my $root_key = $reg->get_root_key;
+ ::logMsg("Launching listsoft v.".$VERSION);
+ my %soft;
+ my $key_path = 'Software';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("listsoft v.".$VERSION);
+ ::rptMsg("List the contents of the Software key in the NTUSER\.DAT hive");
+ ::rptMsg("file, in order by LastWrite time.");
+ ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ push(@{$soft{$s->get_timestamp()}},$s->get_name());
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %soft) {
+ foreach my $item (@{$soft{$t}}) {
+ ::rptMsg(gmtime($t)."Z \t".$item);
+ }
+ }
+ }
+ else {
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::logMsg("Could not access ".$key_path);
+ }
+}
+
+1;
\ No newline at end of file
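Review bot: The two failure branches (`::logMsg($key_path." has no subkeys.");` and `::logMsg("Could not access ".$key_path);`) only write to the log, so the report contains no line at all when the Software key is missing or empty, unlike the other plugins in this change which call `::rptMsg` as well; adding the matching `::rptMsg` calls keeps the report self-explanatory. The "Launching listsoft" log line is emitted after `Parse::Win32Registry->new($file)`, so a hive that fails to parse leaves no launch record; moving that `::logMsg` above the constructor matches the ordering used elsewhere.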
diff --git a/RecentActivity/release/rr/plugins/load.pl b/RecentActivity/release/rr/plugins/load.pl
new file mode 100644
index 0000000000..3ce6ca655e
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/load.pl
@@ -0,0 +1,81 @@
+#-----------------------------------------------------------
+# load.pl
+# The load and run values in the Windows NT\CurrentVersion\Windows
+# key are throw-backs to the old win.ini file, and can be/are used
+# by malware.
+#
+# Change history
+# 20100811 - created
+#
+# References
+# http://support.microsoft.com/kb/103865
+# http://security.fnal.gov/cookbook/WinStartup.html
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package load;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100811);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets load and run values from user hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching load v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("load");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ ::rptMsg("");
+ my %win;
+ foreach my $v (@vals) {
+ $win{$v->get_name()} = $v->get_data();
+ }
+
+ if (exists $win{"load"}) {
+ ::rptMsg("load = ".$win{"load"});
+ }
+ else {
+ ::rptMsg("load value not found.");
+ }
+
+ if (exists $win{"run"}) {
+ ::rptMsg("run = ".$win{"run"});
+ }
+ else {
+ ::rptMsg("run value not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
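Review bot: The lookups `exists $win{"load"}` and `exists $win{"run"}` are case-sensitive, but registry value names are not, so a value stored as `Load` or `RUN` is reported as "not found" even though Windows honours it; populate the hash with a lowercased key, `$win{lc $v->get_name()} = $v->get_data();`, so both lookups match regardless of case. Printing the name as stored alongside the data would additionally let an analyst notice unusual casing.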
diff --git a/RecentActivity/release/rr/plugins/logon_xp_run.pl b/RecentActivity/release/rr/plugins/logon_xp_run.pl
new file mode 100644
index 0000000000..831a5cd910
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/logon_xp_run.pl
@@ -0,0 +1,98 @@
+#-----------------------------------------------------------
+# logon_xp_run
+# Get contents of Run key from Software hive
+#
+# References:
+# http://support.microsoft.com/kb/314488
+#
+# Note: Needs testing to see if it applies beyond XP/XP-64
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package logon_xp_run;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 12,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080328);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Autostart - Get XP user logon Run key contents from NTUSER\.DAT hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching user_xp_run v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my %vals = getKeyValues($key);
+ if (scalar(keys %vals) > 0) {
+ foreach my $v (keys %vals) {
+ ::rptMsg("\t".$v." -> ".$vals{$v});
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+
+# my @sk = $key->get_list_of_subkeys();
+# if (scalar(@sk) > 0) {
+# foreach my $s (@sk) {
+# ::rptMsg("");
+# ::rptMsg($key_path."\\".$s->get_name());
+# ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
+# my %vals = getKeyValues($s);
+# foreach my $v (keys %vals) {
+# ::rptMsg("\t".$v." -> ".$vals{$v});
+# }
+# }
+# }
+# else {
+# ::rptMsg("");
+# ::rptMsg($key_path." has no subkeys.");
+# }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+
+sub getKeyValues {
+ my $key = shift;
+ my %vals;
+
+ my @vk = $key->get_list_of_values();
+ if (scalar(@vk) > 0) {
+ foreach my $v (@vk) {
+ next if ($v->get_name() eq "" && $v->get_data() eq "");
+ $vals{$v->get_name()} = $v->get_data();
+ }
+ }
+ else {
+# do nothing
+ }
+ return %vals;
+}
+
+1;
\ No newline at end of file
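Review bot: The launch log message names a different plugin, `::logMsg("Launching user_xp_run v.".$VERSION);`, while the package and file are logon_xp_run, which will confuse anyone correlating the log with the report; change it to `::logMsg("Launching logon_xp_run v.".$VERSION);`. The commented-out subkey-walking block inside pluginmain is dead code and should either be removed or kept under a one-line note saying why it is disabled. In getKeyValues the empty `else { # do nothing }` branch can simply be dropped.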
diff --git a/RecentActivity/release/rr/plugins/logonusername.pl b/RecentActivity/release/rr/plugins/logonusername.pl
new file mode 100644
index 0000000000..098d89f5e6
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/logonusername.pl
@@ -0,0 +1,68 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# logonusername.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# "Logon User Name" value
+#
+# Change history
+#
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package logonusername;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get user's Logon User Name value";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching logonusername v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $logon_name = "Logon User Name";
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ ::rptMsg("Logon User Name");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time [".gmtime($key->get_timestamp())." (UTC)]");
+ foreach my $v (@vals) {
+ if ($v->get_name() eq $logon_name) {
+ ::rptMsg($logon_name." = ".$v->get_data());
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
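Review bot: When the Explorer key has values but none is named "Logon User Name", the loop prints nothing after the header, so the report gives no indication whether the value was absent or the plugin failed; track a hit and report the miss, e.g. `my $found = 0;` before the loop, `$found = 1;` inside the match, then `::rptMsg($logon_name." value not found.") unless ($found);` after it. The `eq $logon_name` comparison is also case-sensitive while registry value names are not; `lc($v->get_name()) eq lc($logon_name)` is more robust.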
diff --git a/RecentActivity/release/rr/plugins/lsasecrets.pl b/RecentActivity/release/rr/plugins/lsasecrets.pl
new file mode 100644
index 0000000000..1e0048e973
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/lsasecrets.pl
@@ -0,0 +1,71 @@
+#-----------------------------------------------------------
+# lsasecrets.pl
+# Get update times for LSA Secrets from the Security hive file
+#
+# History
+# 20100219 - created
+#
+# References
+# http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package lsasecrets;
+use strict;
+
+my %config = (hive => "Security",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100219);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "TEST - Get update times for LSA Secrets";
+}
+sub getDescr{}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching lsasecrets v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Policy\\Secrets";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+
+#
+# http://support.microsoft.com/kb/175468
+ eval {
+ ::rptMsg("");
+ ::rptMsg("Domain secret - \$MACHINE\.ACC");
+ my $c = $key->get_subkey("\$MACHINE\.ACC\\CupdTime")->get_value("")->get_data();
+ my @v = unpack("VV",$c);
+ my $cupd = gmtime(::getTime($v[0],$v[1]));
+ ::rptMsg("CupdTime = ".$cupd);
+
+ my $o = $key->get_subkey("\$MACHINE\.ACC\\OupdTime")->get_value("")->get_data();
+ my @v = unpack("VV",$c);
+ my $oupd = gmtime(::getTime($v[0],$v[1]));
+ ::rptMsg("OupdTime = ".$oupd);
+ };
+ ::rptMsg("Error: ".$@) if ($@);
+
+
+
+
+
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
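Review bot: The OupdTime branch unpacks the wrong buffer: `my @v = unpack("VV",$c);` after reading `$o` should be `my @v = unpack("VV",$o);`, so the reported OupdTime is currently a copy of CupdTime. The second `my @v` also redeclares a lexical in the same scope (a warning once `use warnings` is on); distinct names such as `@cv` and `@ov` avoid that. getRefs is not defined in this plugin although every other plugin in the change defines it; if the host calls it unconditionally this will die, so adding `sub getRefs {}` is safer.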
diff --git a/RecentActivity/release/rr/plugins/macaddr.pl b/RecentActivity/release/rr/plugins/macaddr.pl
new file mode 100644
index 0000000000..50a034981a
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/macaddr.pl
@@ -0,0 +1,156 @@
+#-----------------------------------------------------------
+# macaddr.pl
+# Attempt to locate MAC address in either Software or System hive files;
+# The plugin will determine which one its in and use the appropriate
+# code
+#
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package macaddr;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090118);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return " -- ";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching macaddr v.".$VERSION);
+
+ my $guess = guessHive($hive);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ if ($guess eq "System") {
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+
+ my $key_path = $ccs."\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002bE10318}";
+ my $key;
+ my $found = 0;
+ ::rptMsg($key_path);
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar (@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ my $na;
+ eval {
+ $na = $key->get_subkey($name)->get_value("NetworkAddress")->get_data();
+ ::rptMsg(" ".$name.": NetworkAddress = ".$na);
+ $found = 1;
+ };
+ }
+ ::rptMsg("No NetworkAddress value found.") if ($found == 0);
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ }
+ elsif ($guess eq "Software") {
+ my $key_path = "Microsoft\\Windows Genuine Advantage";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my $mac;
+ my $found = 0;
+ eval {
+ $mac = $key->get_value("MAC")->get_data();
+ ::rptMsg("Mac Address(es) = ".$mac);
+ $found = 1;
+ };
+ ::rptMsg("No MAC address(es) found.") if ($found == 0);
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg("Hive file ".$hive." appeared to be neither a Software nor a");
+ ::rptMsg("System hive file.");
+ }
+}
+
+#-------------------------------------------------------------
+# guessHive() - attempts to determine the hive type; if NTUSER.DAT,
+# attempt to retrieve the SID for the user; this function populates
+# global variables (%config, @sids)
+#-------------------------------------------------------------
+sub guessHive {
+ my $hive = shift;
+ my $hive_guess;
+ my $reg;
+ my $root_key;
+ eval {
+ $reg = Parse::Win32Registry->new($hive);
+ $root_key = $reg->get_root_key;
+ };
+ ::rptMsg($hive." may not be a valid hive.") if ($@);
+
+# Check for SAM
+ eval {
+ if (my $key = $root_key->get_subkey("SAM\\Domains\\Account\\Users")) {
+ $hive_guess = "SAM";
+ }
+ };
+# Check for Software
+ eval {
+ if ($root_key->get_subkey("Microsoft\\Windows\\CurrentVersion") &&
+ $root_key->get_subkey("Microsoft\\Windows NT\\CurrentVersion")) {
+ $hive_guess = "Software";
+ }
+ };
+
+# Check for System
+ eval {
+ if ($root_key->get_subkey("MountedDevices") && $root_key->get_subkey("Select")) {
+ $hive_guess = "System";
+ }
+ };
+
+# Check for Security
+ eval {
+ if ($root_key->get_subkey("Policy\\Accounts") && $root_key->get_subkey("Policy\\PolAdtEv")) {
+ $hive_guess = "Security";
+ }
+ };
+# Check for NTUSER.DAT
+ eval {
+ if ($root_key->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion")) {
+ $hive_guess = "NTUSER\.DAT";
+ }
+ };
+ return $hive_guess;
+}
+
+
+1;
\ No newline at end of file
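Review bot: `"ControlSet00".$current` in the System branch assumes a single-digit Current value; `my $ccs = sprintf("ControlSet%03d", $current);` matches the real key naming for any value. The preceding `$key->get_value("Current")->get_data()` runs outside any eval, so a Select key without a Current value aborts the plugin with a method call on undef instead of a report line — check the value object before calling `get_data`. In guessHive, the `may not be a valid hive.` message is followed by method calls on an undefined `$root_key` that only survive because every check is wrapped in eval; an explicit `return` after that message would make the intent clear. The class GUID here uses a lowercase `b` (`...08002bE10318`) while network.pl uses uppercase; if get_subkey compares names case-sensitively this lookup would miss — worth confirming.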
diff --git a/RecentActivity/release/rr/plugins/mmc.pl b/RecentActivity/release/rr/plugins/mmc.pl
new file mode 100644
index 0000000000..d66557c5da
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/mmc.pl
@@ -0,0 +1,75 @@
+#-----------------------------------------------------------
+# mmc.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# Microsoft Management Console Recent File List values
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package mmc;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get contents of user's MMC\\Recent File List key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching mmc v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Microsoft Management Console\\Recent File List';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("MMC - Recent File List");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %files;
+# Retrieve values and load into a hash for sorting
+ foreach my $v (@vals) {
+ my $val = $v->get_name();
+ my $data = $v->get_data();
+ my $tag = (split(/File/,$val))[1];
+ $files{$tag} = $val.":".$data;
+ }
+# Print sorted content to report file
+ foreach my $u (sort {$a <=> $b} keys %files) {
+ my ($val,$data) = split(/:/,$files{$u},2);
+ ::rptMsg(" ".$val." -> ".$data);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
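Review bot: Packing name and data into one string with `:` and splitting on the first `:` works only because the `FileN` value names contain no colon; storing a pair avoids the round-trip entirely: `$files{$tag} = [$val, $data];` and `my ($val,$data) = @{ $files{$u} };`. A value whose name does not contain `File` leaves `$tag` undefined, which becomes the empty-string key and compares as 0 under `<=>`; `next unless defined $tag;` keeps the sort meaningful. The same pattern is repeated in mpmru.pl and mspaper.pl below.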
diff --git a/RecentActivity/release/rr/plugins/mndmru.pl b/RecentActivity/release/rr/plugins/mndmru.pl
new file mode 100644
index 0000000000..d223d7f49c
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/mndmru.pl
@@ -0,0 +1,77 @@
+#-----------------------------------------------------------
+# mndmru.pl
+# Plugin for Registry Ripper,
+# Map Network Drive MRU parser
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package mndmru;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get contents of user's Map Network Drive MRU";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching mndmru v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Map Network Drive MRU");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %mnd;
+# Retrieve values and load into a hash for sorting
+ foreach my $v (@vals) {
+ my $val = $v->get_name();
+ my $data = $v->get_data();
+ $mnd{$val} = $data;
+ }
+# Print sorted content to report file
+ if (exists $mnd{"MRUList"}) {
+ ::rptMsg(" MRUList = ".$mnd{"MRUList"});
+ delete $mnd{"MRUList"};
+ }
+ foreach my $m (sort {$a <=> $b} keys %mnd) {
+ ::rptMsg(" ".$m." ".$mnd{$m});
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
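Review bot: `sort {$a <=> $b} keys %mnd` compares value names numerically, but in an MRUList-style key the names are letters (MRUList itself is an ordering of those letters), so every comparison yields 0 and the report order is arbitrary from run to run. Use `foreach my $m (sort keys %mnd)` for a deterministic lexical order, or walk the MRUList so the report reflects recency: save it as `my $order = $mnd{"MRUList"};` before the `delete`, then `foreach my $m (split //, $order)`. This assumes the single-letter naming that the MRUList handling here already relies on; a lexical sort is deterministic either way.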
diff --git a/RecentActivity/release/rr/plugins/mountdev.pl b/RecentActivity/release/rr/plugins/mountdev.pl
new file mode 100644
index 0000000000..ae0d58b26b
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/mountdev.pl
@@ -0,0 +1,101 @@
+#-----------------------------------------------------------
+# mountdev.pl
+# Plugin for Registry Ripper; Access System hive file to get the
+# MountedDevices
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package mountdev;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Return contents of System hive MountedDevices key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching mountdev v.".$VERSION);
+ ::rptMsg("mountdev v.".$VERSION);
+ ::rptMsg("Get MountedDevices key information from the System hive file.");
+ ::rptMsg("");
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = 'MountedDevices';
+ my $key;
+ my %md;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $data = $v->get_data();
+ my $len = length($data);
+ if ($len == 12) {
+ my $sig = _translateBinary(substr($data,0,4));
+ ::rptMsg($v->get_name());
+ ::rptMsg("\tDrive Signature = ".$sig);
+ }
+ elsif ($len > 12) {
+ $data =~ s/\00//g;
+ push(@{$md{$data}},$v->get_name());
+ }
+ else {
+ ::logMsg("mountdev v.".$VERSION."\tData length = $len");
+ }
+ }
+
+ ::rptMsg("");
+ foreach my $m (keys %md) {
+ ::rptMsg("Device: ".$m);
+ foreach my $item (@{$md{$m}}) {
+ ::rptMsg("\t".$item);
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+sub _translateBinary {
+ my $str = unpack("H*",$_[0]);
+ my $len = length($str);
+ my @nstr = split(//,$str,$len);
+ my @list = ();
+ foreach (0..($len/2)) {
+ push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
+ }
+ return join(' ',@list);
+}
+
+1;
\ No newline at end of file
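Review bot: `_translateBinary` iterates `0..($len/2)`, one past the last hex pair, so for a 4-byte signature it reads `$nstr[8]` and `$nstr[9]` (both undef) and appends an empty element, leaving a trailing space on every `Drive Signature` line. The whole helper reduces to `return join(' ', unpack("(H2)*", $_[0]));`, which also drops the intermediate split. `foreach my $m (keys %md)` emits devices in hash order, so two runs over the same hive can produce differently ordered reports; `sort keys %md` (as mountdev2.pl already does) keeps output diffable. The same `_translateBinary` off-by-one is copied verbatim into mountdev2.pl and mountdev3.pl.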
diff --git a/RecentActivity/release/rr/plugins/mountdev2.pl b/RecentActivity/release/rr/plugins/mountdev2.pl
new file mode 100644
index 0000000000..d5b1c3e324
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/mountdev2.pl
@@ -0,0 +1,106 @@
+#-----------------------------------------------------------
+# mountdev2.pl
+# Plugin for Registry Ripper; Access System hive file to get the
+# MountedDevices
+#
+# Change history
+# 20091116 - changed output
+#
+# References
+#
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package mountdev2;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20091116);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Return contents of System hive MountedDevices key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching mountdev2 v.".$VERSION);
+ ::rptMsg("");
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = 'MountedDevices';
+ my $key;
+ my (%md,%dos,%vol);
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $data = $v->get_data();
+ my $len = length($data);
+ if ($len == 12) {
+ my $sig = _translateBinary(substr($data,0,4));
+# my $sig = _translateBinary($data);
+ $vol{$v->get_name()} = $sig;
+ }
+ elsif ($len > 12) {
+ $data =~ s/\00//g;
+ push(@{$md{$data}},$v->get_name());
+ }
+ else {
+ ::logMsg("mountdev2 v.".$VERSION."\tData length = $len");
+ }
+ }
+
+ ::rptMsg(sprintf "%-50s %-20s","Volume","Disk Sig");
+ ::rptMsg(sprintf "%-50s %-20s","-------","--------");
+ foreach my $v (sort keys %vol) {
+ my $str = sprintf "%-50s %-20s",$v,$vol{$v};
+ ::rptMsg($str);
+ }
+
+ ::rptMsg("");
+ foreach my $m (sort keys %md) {
+ ::rptMsg("Device: ".$m);
+ foreach my $item (@{$md{$m}}) {
+ ::rptMsg("\t".$item);
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+sub _translateBinary {
+ my $str = unpack("H*",$_[0]);
+ my $len = length($str);
+ my @nstr = split(//,$str,$len);
+ my @list = ();
+ foreach (0..($len/2)) {
+ push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
+ }
+ return join(' ',@list);
+}
+
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mountdev3.pl b/RecentActivity/release/rr/plugins/mountdev3.pl
new file mode 100644
index 0000000000..ff4d4cfbf0
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/mountdev3.pl
@@ -0,0 +1,110 @@
+#-----------------------------------------------------------
+# mountdev3.pl
+# Plugin for Registry Ripper; Access System hive file to get the
+# MountedDevices
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package mountdev3;
+use Math::BigInt;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20090909);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Return contents of System hive MountedDevices key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+# ::logMsg("Launching mountdev3 v.".$VERSION);
+ ::rptMsg("mountdev3 v.".$VERSION);
+ ::rptMsg("Get MountedDevices key information from the System hive file.");
+ ::rptMsg("");
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = 'MountedDevices';
+ my $key;
+ my %md;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $data = $v->get_data();
+ my $len = length($data);
+ if ($len == 12) {
+ my $sig = _translateBinary(substr($data,0,4));
+ my ($low,$high) = unpack("VV",substr($data,4,8));
+ my $val64 = Math::BigInt->new($high)->blsft(32)->bxor($low);
+ my $driveoffset = ($val64/512);
+ ::rptMsg($v->get_name());
+ ::rptMsg("\tDrive Signature = ".$sig);
+ ::rptMsg("\tPartition offset = ".$driveoffset);
+ }
+ elsif ($len == 16) {
+ ::rptMsg($v->get_name());
+ ::rptMsg("\t".$data);
+ }
+ elsif ($len > 16) {
+ $data =~ s/\00//g;
+ push(@{$md{$data}},$v->get_name());
+ }
+ else {
+ ::logMsg("mountdev v.".$VERSION."\tData length = $len");
+ }
+ }
+
+ ::rptMsg("");
+ foreach my $m (keys %md) {
+ ::rptMsg("Device: ".$m);
+ foreach my $item (@{$md{$m}}) {
+ ::rptMsg("\t".$item);
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+sub _translateBinary {
+ my $str = unpack("H*",$_[0]);
+ my $len = length($str);
+ my @nstr = split(//,$str,$len);
+ my @list = ();
+ foreach (0..($len/2)) {
+ push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
+ }
+ return join(' ',@list);
+}
+
+1;
\ No newline at end of file
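Review bot: The `$len == 16` branch writes the raw 16-byte value into the report with `::rptMsg("\t".$data)`, which is binary, not text; hex-encode it, `::rptMsg("\t".unpack("H*",$data));`, so the line is readable and searchable. The fallback log line names the plugin `mountdev v.` rather than `mountdev3 v.`, making its log entries indistinguishable from mountdev.pl's. `blsft(32)->bxor($low)` is correct only because the low 32 bits of the shifted value are zero; `bior` states the intent of combining the two halves and does not depend on that.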
diff --git a/RecentActivity/release/rr/plugins/mp2.pl b/RecentActivity/release/rr/plugins/mp2.pl
new file mode 100644
index 0000000000..b7ef8f76d6
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/mp2.pl
@@ -0,0 +1,114 @@
+#-----------------------------------------------------------
+# mp2.pl
+# Plugin for Registry Ripper,
+# MountPoints2 key parser
+#
+# Change history
+# 20091116 - updated output/sorting; added getting
+# _LabelFromReg value
+# 20090115 - Removed printing of "volumes"
+#
+# References
+# http://support.microsoft.com/kb/932463
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package mp2;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20090115);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets user's MountPoints2 key contents";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching mp2 v.".$VERSION);
+
+ my %drives;
+ my %volumes;
+ my %remote;
+
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("MountPoints2");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar @subkeys > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ if ($name =~ m/^{/) {
+ my $label;
+ eval {
+ $label = $s->get_value("_LabelFromReg")->get_data();
+ };
+ $name = $name." (".$label.")" unless ($@);
+ push(@{$volumes{$s->get_timestamp()}},$name);
+ }
+ elsif ($name =~ m/^[A-Z]/) {
+ push(@{$drives{$s->get_timestamp()}},$name);
+ }
+ elsif ($name =~ m/^#/) {
+ push(@{$remote{$s->get_timestamp()}},$name);
+ }
+ else {
+ ::rptMsg(" Key name = ".$name);
+ }
+ }
+ ::rptMsg("");
+ ::rptMsg("Remote Drives:");
+ foreach my $t (reverse sort {$a <=> $b} keys %remote) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$remote{$t}}) {
+ ::rptMsg(" $item");
+ }
+ }
+
+ ::rptMsg("");
+ ::rptMsg("Volumes:");
+ foreach my $t (reverse sort {$a <=> $b} keys %volumes) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$volumes{$t}}) {
+ ::rptMsg(" $item");
+ }
+ }
+ ::rptMsg("");
+ ::rptMsg("Drives:");
+ foreach my $t (reverse sort {$a <=> $b} keys %drives) {
+ my $d = join(',',(@{$drives{$t}}));
+ ::rptMsg(gmtime($t)." (UTC) - ".$d);
+ }
+
+ ::rptMsg("");
+ ::rptMsg("Analysis Tip: Correlate the Volume entries to those found in the MountedDevices");
+ ::rptMsg("entries that begin with \"\\??\\Volume\"\.");
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
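Review bot: `$config{version}` is still `20090115` while the change history records a `20091116` update (output/sorting, `_LabelFromReg`), so the version the framework reports does not match the code; change it to `version => 20091116);`. `m/^{/` uses an unescaped literal `{`, which newer perls warn about or reject in some positions; `m/^\{/` is unambiguous. The `unless ($@)` after the `_LabelFromReg` eval is correct only while the two statements stay adjacent, since `$@` is clobbered by any later eval — worth a one-line comment if this block is ever reshuffled.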
diff --git a/RecentActivity/release/rr/plugins/mpmru.pl b/RecentActivity/release/rr/plugins/mpmru.pl
new file mode 100644
index 0000000000..701f0a802d
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/mpmru.pl
@@ -0,0 +1,75 @@
+#-----------------------------------------------------------
+# mpmru.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# Media Player RecentFileList values
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package mpmru;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets user's Media Player RecentFileList values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching mpmru v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Media Player - RecentFileList");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %files;
+# Retrieve values and load into a hash for sorting
+ foreach my $v (@vals) {
+ my $val = $v->get_name();
+ my $data = $v->get_data();
+ my $tag = (split(/File/,$val))[1];
+ $files{$tag} = $val.":".$data;
+ }
+# Print sorted content to report file
+ foreach my $u (sort {$a <=> $b} keys %files) {
+ my ($val,$data) = split(/:/,$files{$u},2);
+ ::rptMsg(" ".$val." -> ".$data);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mrt.pl b/RecentActivity/release/rr/plugins/mrt.pl
new file mode 100644
index 0000000000..89e9ebddaf
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/mrt.pl
@@ -0,0 +1,72 @@
+#-----------------------------------------------------------
+# mrt.pl
+#
+# Per http://support.microsoft.com/kb/891716/, whenever MRT is run, a new
+# GUID is written to the Version value. Check the KB article to compare
+# GUIDs against the last time the tool was run. Also be sure to check the
+# MRT logs in %WinDir%\Debug (mrt.log)
+#
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package mrt;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20080804);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Check to see if Malicious Software Removal Tool has been run";
+}
+sub getDescr{}
+sub getRefs {"Deployment of the Microsoft Windows Malicious Software Removal Tool" =>
+ "http://support.microsoft.com/kb/891716/",
+ "The Microsoft Windows Malicious Software Removal Tool" => "http://support.microsoft.com/?kbid=890830"}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching MRT v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+
+ my $key_path = "Microsoft\\RemovalTools\\MRT";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Key Path: ".$key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $version;
+ eval {
+ $version = $key->get_value("Version")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("Error getting Version information: ".$@);
+
+ }
+ else {
+ ::rptMsg("Version: ".$version);
+ ::rptMsg("");
+ ::rptMsg("Analysis Tip: Go to http://support.microsoft.com/kb/891716/ to see when MRT");
+ ::rptMsg("was last run. According to the KB article, each time MRT is run, a new GUID");
+ ::rptMsg("is written to the Version value.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/msis.pl b/RecentActivity/release/rr/plugins/msis.pl
new file mode 100644
index 0000000000..cda7bc4cdd
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/msis.pl
@@ -0,0 +1,96 @@
+#-----------------------------------------------------------
+# msis.pl
+# Plugin to determine the MSI packages installed on the system
+#
+# Change history:
+# 20090911 - created
+#
+# References:
+# http://support.microsoft.com/kb/290134
+# http://support.microsoft.com/kb/931401
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package msis;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090911);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Determine MSI packages installed on the system";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %msi;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching msis v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Classes\\Installer\\Products";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $lastwrite = $s->get_timestamp();
+
+ my $product;
+ eval {
+ $product = $s->get_value("ProductName")->get_data();
+ };
+
+ my $path;
+ my $pkg;
+
+ eval {
+ my $p = $s->get_subkey("SourceList")->get_value("LastUsedSource")->get_data();
+ $path = (split(/;/,$p,3))[2];
+ };
+
+ eval {
+ $pkg = $s->get_subkey("SourceList")->get_value("PackageName")->get_data();
+ };
+
+ push(@{$msi{$lastwrite}},$product.";".$path.$pkg);
+ }
+
+
+ foreach my $t (reverse sort {$a <=> $b} keys %msi) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$msi{$t}}) {
+ ::rptMsg(" ".$item);
+ }
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
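Review bot: `%msi` is declared at file scope, so if pluginmain is ever run more than once in the same process (a second hive, for instance) entries from the earlier run are reported again; declare it inside pluginmain next to `$hive`. The item string `$product.";".$path.$pkg` has no separator between path and package name and concatenates undef whenever one of the three lookups fails; `$product.";".(defined $path ? $path : "").";".(defined $pkg ? $pkg : "")` keeps the fields distinct and the output parseable. A short comment saying that `LastUsedSource` is split on `;` and the third field taken as the path would help, since that format is not obvious from the code.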
diff --git a/RecentActivity/release/rr/plugins/mspaper.pl b/RecentActivity/release/rr/plugins/mspaper.pl
new file mode 100644
index 0000000000..da25ba65a0
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/mspaper.pl
@@ -0,0 +1,100 @@
+#-----------------------------------------------------------
+# mspaper.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# MSPaper Recent File List values
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package mspaper;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets images listed in user's MSPaper key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching mspaper v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $tick = 0;
+ my $key_path = 'Software\\Microsoft';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @subkeys = $key->get_list_of_subkeys();
+
+ if (scalar @subkeys > 0) {
+ foreach my $sk (@subkeys) {
+ if ($sk->get_name() =~ m/^mspaper/i) {
+ $tick = 1;
+ my $nkey = $sk->get_name()."\\Recent File List";
+ my $msp;
+ if ($msp = $key->get_subkey($nkey)) {
+ ::rptMsg("MSPaper - Recent File List");
+ ::rptMsg($key_path."\\".$nkey);
+ ::rptMsg("LastWrite Time ".gmtime($msp->get_timestamp())." (UTC)");
+ my @vals = $msp->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %files;
+# Retrieve values and load into a hash for sorting
+ foreach my $v (@vals) {
+ my $val = $v->get_name();
+ my $data = $v->get_data();
+ my $tag = (split(/File/,$val))[1];
+ $files{$tag} = $val.":".$data;
+ }
+# Print sorted content to report file
+ foreach my $u (sort {$a <=> $b} keys %files) {
+ my ($val,$data) = split(/:/,$files{$u},2);
+ ::rptMsg(" ".$val." -> ".$data);
+ }
+ }
+ else {
+ ::rptMsg($key_path."\\".$nkey." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path."\\".$nkey." not found.");
+ ::logMsg("Error: ".$key_path."\\".$nkey." not found.");
+ }
+ }
+ }
+ if ($tick == 0) {
+ ::rptMsg("SOFTWARE\\Microsoft\\MSPaper* not found.");
+ ::logMsg("SOFTWARE\\Microsoft\\MSPaper* not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/muicache.pl b/RecentActivity/release/rr/plugins/muicache.pl
new file mode 100644
index 0000000000..8a980e3531
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/muicache.pl
@@ -0,0 +1,66 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# muicache.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# MUICache values
+#
+# Change history
+#
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package muicache;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets EXEs from user's MUICache key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching muicache v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+ my $key_path = 'Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("MUICache");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ next if ($name =~ m/^@/ || $name eq "LangID");
+ my $data = $v->get_data();
+ ::rptMsg("\t".$name." (".$data.")");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
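Review bot: The header does not say which Windows versions the `Software\Microsoft\Windows\ShellNoRoam\MUICache` path applies to; as far as I recall this is the XP-era location and later versions keep MUICache in the user's UsrClass.dat hive, so a `not found.` result on a newer profile is expected rather than an error. A header line such as `# Note: ShellNoRoam\MUICache is the XP-era location; check UsrClass.dat on newer OS versions` would save the next analyst a false negative — confirm against a newer sample before stating it as fact. The `#! c:\perl\bin\perl.exe` shebang is inert in a module loaded by the framework and could be dropped for consistency with the other plugins.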
diff --git a/RecentActivity/release/rr/plugins/nero.pl b/RecentActivity/release/rr/plugins/nero.pl
new file mode 100644
index 0000000000..30b861326a
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/nero.pl
@@ -0,0 +1,75 @@
+#-----------------------------------------------------------
+# nero.pl
+# **Very Beta! Based on one sample hive file only!
+#
+# Change history
+# 20100218 - created
+#
+# References
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package nero;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100218);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of Ahead\\Nero Recent File List subkeys";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my @nerosubkeys = ("Cover Designer","FlmgPlg","Nero PhotoSnap",
+ "NSPluginMgr","PhotoEffects","XlmgPlg");
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ my %hist;
+ ::logMsg("Launching nero v.".$VERSION);
+
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Ahead';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ foreach my $nsk (@nerosubkeys) {
+ eval {
+ my $nk;
+ if ($nk = $key->get_subkey($nsk."\\Recent File List")) {
+ my @vals = $nk->get_list_of_values();
+ if (scalar @vals > 0) {
+ ::rptMsg($nsk."\\Recent File List");
+ ::rptMsg("LastWrite Time ".gmtime($nk->get_timestamp())." (UTC)");
+ foreach my $v (@vals) {
+ ::rptMsg(" ".$v->get_name()." -> ".$v->get_data());
+ }
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg($nsk."\\Recent File List has no values.");
+ }
+ }
+ };
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
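Review bot: The per-subkey `eval` swallows every failure without inspecting `$@`, so a parse error inside the block is indistinguishable from a subkey that simply has no `Recent File List`; add `::logMsg("nero: ".$nsk.": ".$@) if ($@);` directly after the `};`. `%hist` is declared and never used and can be removed. Since the header marks this as based on a single sample, a comment noting which Nero version the `@nerosubkeys` list was taken from would help whoever extends it.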
diff --git a/RecentActivity/release/rr/plugins/network.pl b/RecentActivity/release/rr/plugins/network.pl
new file mode 100644
index 0000000000..32853b3110
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/network.pl
@@ -0,0 +1,95 @@
+#-----------------------------------------------------------
+# network.pl
+# Plugin for Registry Ripper; Get information on network
+# interfaces from the System hive file - from the
+# Control\Network GUID subkeys...
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package network;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets info from System\\Control\\Network GUIDs";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my %nics;
+ my $ccs;
+ ::logMsg("Launching network v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}";
+ my $nw;
+ if ($nw = $root_key->get_subkey($nw_path)) {
+ ::rptMsg("Network key");
+ ::rptMsg($nw_path);
+# Get all of the subkey names
+ my @sk = $nw->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ my $name = $s->get_name();
+ next if ($name eq "Descriptions");
+ if (my $conn = $nw->get_subkey($name."\\Connection")) {
+ ::rptMsg("Interface ".$name);
+ ::rptMsg("LastWrite time ".gmtime($conn->get_timestamp())." (UTC)");
+ my %conn_vals;
+ my @vals = $conn->get_list_of_values();
+ map{$conn_vals{$_->get_name()} = $_->get_data()}@vals;
+ ::rptMsg("\tName = ".$conn_vals{Name});
+ ::rptMsg("\tPnpInstanceID = ".$conn_vals{PnpInstanceID});
+ ::rptMsg("\tMediaSubType = ".$conn_vals{MediaSubType});
+ ::rptMsg("\tIpCheckingEnabled = ".$conn_vals{IpCheckingEnabled})
+ if (exists $conn_vals{IpCheckingEnabled});
+
+ }
+ ::rptMsg("");
+ }
+
+ }
+ else {
+ ::rptMsg($nw_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($nw_path." could not be found.");
+ ::logMsg($nw_path." could not be found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
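Review bot: `$key->get_value("Current")->get_data()` in the Select branch is an unguarded method chain: if the Current value is absent, `get_value` returns undef and the call dies, aborting the plugin with an uncaught exception instead of the `not found` report the surrounding code aims for; nic_mst2.pl and nolmhash.pl in this commit use the same chain. Fetch the value object first and report when it is undefined, e.g. `my $cur = $key->get_value("Current"); unless (defined $cur) { ::rptMsg("Select\\Current value not found."); return; }`. The `map{...}@vals` in void context is a `foreach` in disguise; `$conn_vals{$_->get_name()} = $_->get_data() for @vals;` says the same thing. `%nics` is declared but never used in this plugin.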
diff --git a/RecentActivity/release/rr/plugins/networkcards.pl b/RecentActivity/release/rr/plugins/networkcards.pl
new file mode 100644
index 0000000000..c0ce64f41d
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/networkcards.pl
@@ -0,0 +1,62 @@
+#-----------------------------------------------------------
+# networkcards
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package networkcards;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080325);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get NetworkCards";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching networkcards v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("NetworkCards");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ my %nc;
+ foreach my $s (@subkeys) {
+ my $service = $s->get_value("ServiceName")->get_data();
+ $nc{$service}{descr} = $s->get_value("Description")->get_data();
+ $nc{$service}{lastwrite} = $s->get_timestamp();
+ }
+
+ foreach my $n (keys %nc) {
+ ::rptMsg($nc{$n}{descr}." [".gmtime($nc{$n}{lastwrite})."]");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
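Review bot: Inside the subkey loop, `$s->get_value("ServiceName")->get_data()` and the Description lookup are unguarded, so a single NetworkCards subkey missing either value throws and aborts the whole report, whereas the sibling plugins wrap such lookups in `eval`. Either wrap the two assignments in `eval { ... };` and log `$@`, or test `defined` on the value object before calling `get_data`. Two subkeys sharing a ServiceName silently overwrite each other in `%nc`, which is worth at least a comment. The report line also omits the `(UTC)` label the other plugins attach to `gmtime` output: `::rptMsg($nc{$n}{descr}." [".gmtime($nc{$n}{lastwrite})." (UTC)]");`.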
diff --git a/RecentActivity/release/rr/plugins/networklist.pl b/RecentActivity/release/rr/plugins/networklist.pl
new file mode 100644
index 0000000000..babf87d7d6
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/networklist.pl
@@ -0,0 +1,142 @@
+#-----------------------------------------------------------
+# networklist.pl - Plugin to extract information from the
+# NetworkList key, including the MAC address of the default
+# gateway
+#
+#
+# Change History:
+# 20090812 - updated code to parse DateCreated and DateLastConnected
+# values; modified output, as well
+# 20090811 - created
+#
+# References
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package networklist;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090811);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Collects network info from Vista NetworkList key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching networklist v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $base_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList";
+
+# First, get profile info
+ my $key_path = $base_path."\\Profiles";
+ my $key;
+ my %nl; # hash of hashes to hold data
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+
+ my @sk = $key->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ my $name = $s->get_name();
+ $nl{$name}{LastWrite} = $s->get_timestamp();
+ eval {
+ $nl{$name}{ProfileName} = $s->get_value("ProfileName")->get_data();
+ $nl{$name}{Description} = $s->get_value("Description")->get_data();
+ $nl{$name}{Managed} = $s->get_value("Managed")->get_data();
+
+ my $create = $s->get_value("DateCreated")->get_data();
+ $nl{$name}{DateCreated} = parseDate128($create) if (length($create) == 16);
+ my $conn = $s->get_value("DateLastConnected")->get_data();
+ $nl{$name}{DateLastConnected} = parseDate128($conn) if (length($conn) == 16);
+
+# $nl{$name}{NameType} = $s->get_value("ProfileName")->get_data();
+ };
+ }
+
+# Get additional information from the Signatures subkey
+ $key_path = $base_path."\\Signatures\\Managed";
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @sk = $key->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ eval {
+ my $prof = $s->get_value("ProfileGuid")->get_data();
+ my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6);
+ my $mac = uc(unpack("H*",$tmp));
+ my @t = split(//,$mac);
+ $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3].
+ "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11];
+ };
+ }
+ }
+ }
+
+ $key_path = $base_path."\\Signatures\\Unmanaged";
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @sk = $key->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ eval {
+ my $prof = $s->get_value("ProfileGuid")->get_data();
+ my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6);
+ my $mac = uc(unpack("H*",$tmp));
+ my @t = split(//,$mac);
+ $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3].
+ "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11];
+ };
+ }
+ }
+ }
+
+# Now, display the information
+ foreach my $n (keys %nl) {
+ my $str = sprintf "%-15s Gateway Mac: ".$nl{$n}{DefaultGatewayMac},$nl{$n}{ProfileName};
+ ::rptMsg($nl{$n}{ProfileName});
+ ::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." UTC");
+ ::rptMsg(" DateLastConnected: ".$nl{$n}{DateLastConnected});
+ ::rptMsg(" DateCreated : ".$nl{$n}{DateCreated});
+ ::rptMsg(" DefaultGatewayMac: ".$nl{$n}{DefaultGatewayMac});
+ ::rptMsg("");
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." has not subkeys");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+
+
+sub parseDate128 {
+ my $date = $_[0];
+ my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul",
+ "Aug","Sep","Oct","Nov","Dec");
+ my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat");
+ my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date);
+ $hr = "0".$hr if ($hr < 10);
+ $min = "0".$min if ($min < 10);
+ $sec = "0".$sec if ($sec < 10);
+ my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr;
+ return $str;
+}
+1;
\ No newline at end of file
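Review bot: The `my $str = sprintf "%-15s Gateway Mac: ".$nl{$n}{DefaultGatewayMac}, ...` line in the display loop is dead code — `$str` is never used — and it builds the sprintf format string out of registry-derived data, so it should be deleted rather than kept as a template. The Managed and Unmanaged Signatures blocks are verbatim copies differing only in the path, and the dozen `$t[..]` concatenations collapse to one `join`/`unpack`; a rewrite of that stretch as a single loop is shown below and fills `%nl` the same way for a six-byte DefaultGatewayMac value (each `eval` still swallows errors, as before). The `"has not subkeys"` message in the Profiles else branch reads as a typo for `"has no subkeys"`. `parseDate128` indexes `@months` with `$mon - 1` and `@days` with `$dow` straight from the unpacked bytes; an out-of-range field yields an undefined name rather than an error, which deserves a comment on the sub.
```perl
# … unchanged: Profiles loop filling %nl …
# Get additional information from the Signatures subkeys
foreach my $sig (qw(Managed Unmanaged)) {
    $key_path = $base_path."\\Signatures\\".$sig;
    my $sig_key = $root_key->get_subkey($key_path) or next;
    foreach my $s ($sig_key->get_list_of_subkeys()) {
        eval {
            my $prof = $s->get_value("ProfileGuid")->get_data();
            my $raw  = substr($s->get_value("DefaultGatewayMac")->get_data(), 0, 6);
            $nl{$prof}{DefaultGatewayMac} = join('-', unpack('(A2)*', uc unpack('H*', $raw)));
        };
    }
}
# … unchanged: display loop (with the dead sprintf removed) …
```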
diff --git a/RecentActivity/release/rr/plugins/networkuid.pl b/RecentActivity/release/rr/plugins/networkuid.pl
new file mode 100644
index 0000000000..7a457e111f
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/networkuid.pl
@@ -0,0 +1,57 @@
+#-----------------------------------------------------------
+# networkuid.pl
+# Gets UID value from Network key
+#
+# References
+# http://blogs.technet.com/mmpc/archive/2010/03/11/got-zbot.aspx
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package networkuid;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100312);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets Network key UID value";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching networkuid v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Network";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp()));
+ ::rptMsg("");
+
+ eval {
+ my $uid = $key->get_value("UID")->get_data();
+ ::rptMsg("UID value = ".$uid);
+ };
+ ::rptMsg("UID value not found.") if ($@);
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
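Review bot: The `UID value not found.` fallback fires for any exception raised inside the `eval`, not only for a missing value, so a parse error in the hive would be reported as an absent UID; either fetch the object first, `my $v = $key->get_value("UID");`, and report not-found only when it is undefined, or include `$@` in the message. The LastWrite line omits the timezone label the sibling plugins append: `::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())." (UTC)");`. A one-line comment under the header saying why this UID value is of interest would help whoever reads the report, since the referenced write-up is the only hint.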
diff --git a/RecentActivity/release/rr/plugins/nic.pl b/RecentActivity/release/rr/plugins/nic.pl
new file mode 100644
index 0000000000..f176150a92
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/nic.pl
@@ -0,0 +1,80 @@
+#-----------------------------------------------------------
+# nic.pl
+#
+#
+# Change history
+# 20100401 - created
+#
+# References
+# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx
+# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package nic;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100401);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets NIC info from System hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my %nics;
+ my $ccs;
+ ::logMsg("Launching nic v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ eval {
+ $current = $root_key->get_subkey("Select")->get_value("Current")->get_data();
+ };
+ my @nics;
+ my $key_path = "ControlSet00".$current."\\Services";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @svcs = $key->get_list_of_subkeys();
+ foreach my $s (@svcs) {
+ push(@nics,$s) if ($s->get_name() =~ m/^{/);
+ }
+ foreach my $n (@nics) {
+ eval {
+ my @vals = $n->get_subkey("Parameters\\Tcpip")->get_list_of_values();
+ ::rptMsg("Adapter: ".$n->get_name());
+ ::rptMsg("LastWrite Time: ".gmtime($n->get_timestamp())." Z");
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2");
+ $data = gmtime($data)." Z" if ($name =~ m/Time$/);
+
+ ::rptMsg(sprintf " %-20s %-20s",$name,$data);
+
+ }
+ ::rptMsg("");
+ };
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
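Review bot: `$current` stays undefined when the `eval` around the Select lookup fails, and the code then silently looks for `ControlSet00\Services` and reports that path as not found, hiding the real cause; nic2.pl builds its key path the same way. Report and return when the value is missing, `unless (defined $current) { ::rptMsg("Select\\Current value not found."); return; }`, before building `$key_path`. The adapter filter `m/^{/` uses an unescaped left brace, which newer Perls warn about or reject; `m/^\{/` is the safe spelling. `%nics` (the hash) and `$ccs` are declared and never used, and the hash shares its name with the `@nics` array, which is confusing to read.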
diff --git a/RecentActivity/release/rr/plugins/nic2.pl b/RecentActivity/release/rr/plugins/nic2.pl
new file mode 100644
index 0000000000..44d4d8099a
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/nic2.pl
@@ -0,0 +1,80 @@
+#-----------------------------------------------------------
+# nic2.pl
+#
+#
+# Change history
+# 20100401 - created
+#
+# References
+# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx
+# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package nic2;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100401);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets NIC info from System hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my %nics;
+ my $ccs;
+ ::logMsg("Launching nic v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ eval {
+ $current = $root_key->get_subkey("Select")->get_value("Current")->get_data();
+ };
+ my @nics;
+ my $key_path = "ControlSet00".$current."\\Services\\Tcpip\\Parameters\\Interfaces";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @guids = $key->get_list_of_subkeys();
+ if (scalar @guids > 0) {
+ foreach my $g (@guids) {
+ ::rptMsg("Adapter: ".$g->get_name());
+ ::rptMsg("LastWrite Time: ".gmtime($g->get_timestamp())." Z");
+ eval {
+ my @vals = $g->get_list_of_values();
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2");
+ $data = gmtime($data)." Z" if ($name =~ m/Time$/);
+ ::rptMsg(sprintf " %-28s %-20s",$name,$data);
+ }
+ ::rptMsg("");
+ };
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
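Review bot: The startup log line reads `Launching nic v.` although this is the nic2 plugin, so the two plugins' log entries are indistinguishable; change it to `::logMsg("Launching nic2 v.".$VERSION);`. The `eval` around the per-adapter value loop swallows any exception without logging `$@`, so a bad value in one Interfaces subkey drops the rest of that adapter's settings with no trace; add `::logMsg("nic2: ".$g->get_name().": ".$@) if ($@);` after it. `%nics` and `$ccs` are unused here as well.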
diff --git a/RecentActivity/release/rr/plugins/nic_mst2.pl b/RecentActivity/release/rr/plugins/nic_mst2.pl
new file mode 100644
index 0000000000..36c98b4270
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/nic_mst2.pl
@@ -0,0 +1,148 @@
+#-----------------------------------------------------------
+# nic_mst2.pl
+# Plugin for Registry Ripper; Get information on network
+# interfaces from the System hive file - start with the
+# Control\Network GUID subkeys...within the Connection key,
+# look for MediaSubType == 2, and maintain a list of GUIDs.
+# Then go over to the Services\Tcpip\Parameters\Interfaces
+# key and get the IP configurations for each of the interface
+# GUIDs
+#
+# Change history
+#
+#
+# References
+# http://support.microsoft.com/kb/555382
+# http://support.microsoft.com/kb/894564
+# http://support.microsoft.com/kb/899868
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package nic_mst2;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets NICs from System hive; looks for MediaType = 2";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my %nics;
+ my $ccs;
+ ::logMsg("Launching nic_mst2 v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}";
+ my $nw;
+ if ($nw = $root_key->get_subkey($nw_path)) {
+ ::rptMsg("Network key");
+ ::rptMsg($nw_path);
+# Get all of the subkey names
+ my @sk = $nw->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ my $name = $s->get_name();
+ next if ($name eq "Descriptions");
+ if (my $conn = $nw->get_subkey($name."\\Connection")) {
+ my %conn_vals;
+ my @vals = $conn->get_list_of_values();
+ map{$conn_vals{$_->get_name()} = $_->get_data()}@vals;
+# See what the active NICs were on the system; "active" based on PnpInstanceID having
+# a string value
+# Get the GUID of the interface, the name, and the LastWrite time of the Connection
+# key
+ if (exists $conn_vals{PnpInstanceID} && $conn_vals{PnpInstanceID} ne "") {
+ $nics{$name}{Name} = $conn_vals{Name};
+ $nics{$name}{LastWrite} = $conn->get_timestamp();
+ }
+ }
+ }
+
+ }
+ else {
+ ::rptMsg($nw_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($nw_path." could not be found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+# access the Tcpip Services key to get the IP address information
+ if (scalar(keys %nics) > 0) {
+ my $key_path = $ccs."\\Services\\Tcpip\\Parameters\\Interfaces";
+ if ($key = $root_key->get_subkey($key_path)) {
+ my %guids;
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+# Dump the names of the subkeys under Parameters\Interfaces into a hash
+ my @sk = $key->get_list_of_subkeys();
+ map{$guids{$_->get_name()} = 1}(@sk);
+
+ foreach my $n (keys %nics) {
+ if (exists $guids{$n}) {
+ my $if = $key->get_subkey($n);
+ ::rptMsg("Interface ".$n);
+ ::rptMsg("Name: ".$nics{$n}{Name});
+ ::rptMsg("Control\\Network key LastWrite time ".gmtime($nics{$n}{LastWrite})." (UTC)");
+ ::rptMsg("Services\\Tcpip key LastWrite time ".gmtime($if->get_timestamp())." (UTC)");
+
+ my @vals = $if->get_list_of_values;
+ my %ip;
+ map{$ip{$_->get_name()} = $_->get_data()}@vals;
+
+ if (exists $ip{EnableDHCP} && $ip{EnableDHCP} == 1) {
+ ::rptMsg("\tDhcpDomain = ".$ip{DhcpDomain});
+ ::rptMsg("\tDhcpIPAddress = ".$ip{DhcpIPAddress});
+ ::rptMsg("\tDhcpSubnetMask = ".$ip{DhcpSubnetMask});
+ ::rptMsg("\tDhcpNameServer = ".$ip{DhcpNameServer});
+ ::rptMsg("\tDhcpServer = ".$ip{DhcpServer});
+ }
+ else {
+ ::rptMsg("\tIPAddress = ".$ip{IPAddress});
+ ::rptMsg("\tSubnetMask = ".$ip{SubnetMask});
+ ::rptMsg("\tDefaultGateway = ".$ip{DefaultGateway});
+ }
+
+ }
+ else {
+ ::rptMsg("Interface ".$n." not found in the ".$key_path." key.");
+ }
+ ::rptMsg("");
+ }
+ }
+ }
+ else {
+ ::rptMsg("No active network interface cards were found.");
+ ::logMsg("No active network interface cards were found.");
+ }
+}
+1;
\ No newline at end of file
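Review bot: The header comment and `getShortDescr` both say interfaces are selected by `MediaSubType == 2`, but the Connection loop keeps an interface when `PnpInstanceID` is a non-empty string and never reads `MediaSubType`, so the documentation and the code disagree. Either add the documented filter next to the PnpInstanceID test, `next unless exists $conn_vals{MediaSubType} && $conn_vals{MediaSubType} == 2;`, or correct the description to `"Gets active NICs (non-empty PnpInstanceID) from System hive"` and the header to match. The DHCP and static branches print `$ip{...}` entries without checking they exist, so an interface lacking, say, `DhcpNameServer` produces an empty field plus an uninitialized-value warning rather than a visible `not set` marker. Printing `%nics` in `sort keys` order would also make the report stable between runs.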
diff --git a/RecentActivity/release/rr/plugins/nolmhash.pl b/RecentActivity/release/rr/plugins/nolmhash.pl
new file mode 100644
index 0000000000..94f253e63d
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/nolmhash.pl
@@ -0,0 +1,74 @@
+#-----------------------------------------------------------
+# nolmhash.pl
+# Gets NoLMHash value
+#
+# Change history
+# 20100712 - created
+#
+# References
+# http://support.microsoft.com/kb/299656
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package nolmhash;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100712);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets NoLMHash value";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching lsa v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my ($current,$ccs);
+ my $sel_path = 'Select';
+ my $sel;
+ if ($sel = $root_key->get_subkey($sel_path)) {
+ $current = $sel->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ my $key_path = $ccs."\\Control\\Lsa";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("nolmhash v.".$VERSION);
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite: ".gmtime($key->get_timestamp()));
+ ::rptMsg("");
+ my $nolmhash;
+ eval {
+ $nolmhash = $key->get_value("NoLMHash")->get_data();
+ ::rptMsg("NoLMHash value = ".$nolmhash);
+ ::rptMsg("");
+ ::rptMsg("A value of 1 indicates that LMHashes are not stored in the SAM.");
+ };
+ ::rptMsg("Error occurred getting NoLMHash value: $@") if ($@);
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($sel_path." not found.");
+ ::logMsg($sel_path." not found.");
+ }
+}
+1;
\ No newline at end of file
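Review bot: The startup log line says `Launching lsa v.`, a leftover from the plugin this was copied from; it should read `::logMsg("Launching nolmhash v.".$VERSION);`. When the NoLMHash value is absent the `eval` dies on the undefined value object and the report shows a Perl error message, yet an absent value is itself the finding (the system default applies), so test it explicitly: `my $v = $key->get_value("NoLMHash");`, report `NoLMHash value not found; system default applies.` when `$v` is undefined, and print `$v->get_data()` otherwise. The interpretive line about a value of 1 could then be paired with a sentence saying that 0 or absent means LM hashes may be stored, in line with the referenced KB article.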
diff --git a/RecentActivity/release/rr/plugins/notify.pl b/RecentActivity/release/rr/plugins/notify.pl
new file mode 100644
index 0000000000..8919b6dbd9
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/notify.pl
@@ -0,0 +1,79 @@
+#-----------------------------------------------------------
+# notify.pl
+#
+#
+# Change History:
+# 20110309 - updated output format to sort entries based on
+# LastWrite time
+# 20110308 - created
+#
+# References
+# http://blogs.technet.com/b/markrussinovich/archive/2011/03/08/3392087.aspx
+#
+# copyright 2011 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package notify;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20110309);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get Notify subkey entries";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my %notify;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching notify v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("notify");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my @sk = $key->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ my $name = $s->get_name();
+ my $lw = $s->get_timestamp();
+ my $dll;
+ eval {
+ $dll = $s->get_value("DLLName")->get_data();
+ push(@{$notify{$lw}},sprintf "%-15s %-25s",$name,$dll);
+ };
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %notify) {
+ ::rptMsg(gmtime($t)." UTC");
+ foreach my $i (@{$notify{$t}}) {
+ ::rptMsg(" ".$i);
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
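Review bot: `%notify` is declared at file scope rather than inside `pluginmain`, so it accumulates across invocations: if the plugin is run against more than one Software hive in the same process, the second report also lists the first hive's Notify entries under their LastWrite times. Move the declaration into `pluginmain`, `my %notify;` beside the other locals, or reset it at the top of the sub. The `eval` drops a subkey silently when `DLLName` is missing; since Winlogon\Notify is a load point (as the referenced article discusses), a subkey without a DLLName is itself worth a report line, e.g. `::rptMsg(" ".$name.": no DLLName value") if ($@);`.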
diff --git a/RecentActivity/release/rr/plugins/ntuser b/RecentActivity/release/rr/plugins/ntuser
new file mode 100644
index 0000000000..f2d6b0a366
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/ntuser
@@ -0,0 +1,50 @@
+# List of plugins for the Registry Ripper
+
+#-------------------------------------
+# NTUSER.DAT
+logonusername
+autoendtasks
+autorun
+acmru
+adoberdr
+aim
+applets
+comdlg32
+compdesc
+# The controlpanel plugin is intended for Vista systems only
+# User hives from systems prior to Vista will show 'not found'
+controlpanel
+listsoft
+logon_xp_run
+load
+mmc
+mndmru
+mp2
+mpmru
+mspaper
+officedocs
+oisc
+recentdocs
+realplayer6
+runmru
+tsclient
+ie_main
+ie_settings
+typedurls
+muicache
+#userassist
+userassist2
+user_run
+userlocsvc
+vncviewer
+winzip
+user_win
+winrar
+winlogon_u
+policies_u
+wallpaper
+vista_bitbucket
+shellfolders
+arpcache
+clampitm
+unreadmail
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/officedocs.pl b/RecentActivity/release/rr/plugins/officedocs.pl
new file mode 100644
index 0000000000..8182a3d177
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/officedocs.pl
@@ -0,0 +1,145 @@
+#-----------------------------------------------------------
+# officedocs.pl
+# Plugin for Registry Ripper
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package officedocs;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's Office doc MRU keys";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching officedocs v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("officedocs v.".$VERSION);
+# First, let's find out which version of Office is installed
+ my $version;
+ my $tag = 0;
+ my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0");
+ foreach my $ver (@versions) {
+ my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Open Find";
+ if (defined($root_key->get_subkey($key_path))) {
+ $version = $ver;
+ $tag = 1;
+ }
+ }
+
+ if ($tag) {
+ ::rptMsg("MSOffice version ".$version." located.");
+ my $key_path = "Software\\Microsoft\\Office\\".$version;
+ my $of_key = $root_key->get_subkey($key_path);
+ if ($of_key) {
+# Attempt to retrieve Word docs
+ my @funcs = ("Open","Save As","File Save");
+ foreach my $func (@funcs) {
+ my $word = "Common\\Open Find\\Microsoft Office Word\\Settings\\".$func."\\File Name MRU";
+ my $word_key = $of_key->get_subkey($word);
+ if ($word_key) {
+ ::rptMsg($word);
+ ::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my $value = $word_key->get_value("Value")->get_data();
+ my @data = split(/\00/,$value);
+ map{::rptMsg("$_");}@data;
+ }
+ else {
+# ::rptMsg("Could not access ".$word);
+ }
+ ::rptMsg("");
+ }
+# Attempt to retrieve Excel docs
+ my $excel = 'Excel\\Recent Files';
+ if (my $excel_key = $of_key->get_subkey($excel)) {
+ ::rptMsg($key_path."\\".$excel);
+ ::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)");
+ my @vals = $excel_key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %files;
+# Retrieve values and load into a hash for sorting
+ foreach my $v (@vals) {
+ my $val = $v->get_name();
+ my $data = $v->get_data();
+ my $tag = (split(/File/,$val))[1];
+ $files{$tag} = $val.":".$data;
+ }
+# Print sorted content to report file
+ foreach my $u (sort {$a <=> $b} keys %files) {
+ my ($val,$data) = split(/:/,$files{$u},2);
+ ::rptMsg(" ".$val." -> ".$data);
+ }
+ }
+ else {
+ ::rptMsg($key_path.$excel." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path.$excel." not found.");
+ }
+ ::rptMsg("");
+# Attempt to retrieve PowerPoint docs
+ my $ppt = 'PowerPoint\\Recent File List';
+ if (my $ppt_key = $of_key->get_subkey($ppt)) {
+ ::rptMsg($key_path."\\".$ppt);
+ ::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)");
+ my @vals = $ppt_key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %files;
+# Retrieve values and load into a hash for sorting
+ foreach my $v (@vals) {
+ my $val = $v->get_name();
+ my $data = $v->get_data();
+ my $tag = (split(/File/,$val))[1];
+ $files{$tag} = $val.":".$data;
+ }
+# Print sorted content to report file
+ foreach my $u (sort {$a <=> $b} keys %files) {
+ my ($val,$data) = split(/:/,$files{$u},2);
+ ::rptMsg(" ".$val." -> ".$data);
+ }
+ }
+ else {
+ ::rptMsg($key_path."\\".$ppt." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path."\\".$ppt." not found.");
+ }
+ }
+ else {
+ ::rptMsg("Could not access ".$key_path);
+ ::logMsg("Could not access ".$key_path);
+ }
+ }
+ else {
+ ::logMsg("MSOffice version not found.");
+ ::rptMsg("MSOffice version not found.");
+ }
+}
+
+1;
\ No newline at end of file
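Review bot: The Excel `has no values.` and `not found.` messages concatenate `$key_path.$excel` without the `\\` separator, so they print a path like `...Office\11.0Excel\Recent Files`, while the PowerPoint branch gets it right; use `::rptMsg($key_path."\\".$excel." has no values.");` and the same form for the not-found line. In the Word loop, `$word_key->get_value("Value")->get_data()` is unguarded, so a File Name MRU key without a `Value` dies and aborts the remaining Office lookups; fetch the object and skip the key when it is undefined. The version scan never exits early, so the highest matching version wins, which is reasonable but deserves a comment. The `7\.0`-style strings only need the dot escaped in a regex, not in a double-quoted literal.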
diff --git a/RecentActivity/release/rr/plugins/oisc.pl b/RecentActivity/release/rr/plugins/oisc.pl
new file mode 100644
index 0000000000..2ddad06973
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/oisc.pl
@@ -0,0 +1,123 @@
+#-----------------------------------------------------------
+# oisc.pl
+# Plugin for Registry Ripper
+#
+# Change history
+# 20091125 - modified by H. Carvey
+# 20091110 - created
+#
+# References
+# http://support.microsoft.com/kb/838028
+# http://support.microsoft.com/kb/916658
+#
+# Derived from the officeDocs plugin
+# copyright 2008-2009 H. Carvey, mangled 2009 M. Tarnawsky
+#
+# Michael Tarnawsky
+# forensics@mialta.com
+#-----------------------------------------------------------
+package oisc;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20091125);
+
+my %prot = (0 => "Read-only HTTP",
+ 1 => "WEC to FPSE-enabled web folder",
+ 2 => "DAV to DAV-ext. web folder");
+
+my %types = (0 => "no collaboration",
+ 1 => "SharePoint Team Server",
+ 2 => "Exchange 2000 Server",
+ 3 => "SharePoint Portal 2001 Server",
+ 4 => "SharePoint 2001 enhanced folder",
+ 5 => "Windows SharePoint Server/SharePoint Portal 2003 Server");
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's Office Internet Server Cache";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching oisc v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+# First, let's find out which version of Office is installed
+ my $version;
+ my $tag = 0;
+ my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0");
+ foreach my $ver (@versions) {
+ my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Internet\\Server Cache";
+ if (defined($root_key->get_subkey($key_path))) {
+ $version = $ver;
+ $tag = 1;
+ }
+ }
+
+ if ($tag) {
+
+ my %isc;
+
+ ::rptMsg("MSOffice version ".$version." located.");
+ my $key_path = "Software\\Microsoft\\Office\\".$version."\\Common\\Internet\\Server Cache";
+ my $sc_key;
+ if ($sc_key = $root_key->get_subkey($key_path)) {
+# Attempt to retrieve Servers Cache subkeys
+ my @sc = ($sc_key->get_list_of_subkeys());
+ if (scalar(@sc) > 0) {
+ foreach my $s (@sc) {
+ my $name = $s->get_name();
+ $isc{$name}{lastwrite} = $s->get_timestamp();
+
+ eval {
+ my $t = $s->get_value("Type")->get_data();
+ (exists $types{$t}) ? ($isc{$name}{type} = $types{$t})
+ : ($isc{$name}{type} = $t);
+ };
+
+ eval {
+ my $p = $s->get_value("Protocol")->get_data();
+ (exists $prot{$p}) ? ($isc{$name}{protocol} = $prot{$p})
+ : ($isc{$name}{protocol} = $p);
+ };
+
+ eval {
+ my @e = unpack("VV",$s->get_value("Expiration")->get_data());
+ $isc{$name}{expiry} = ::getTime($e[0],$e[1]);
+ };
+ }
+ ::rptMsg("");
+ foreach my $i (keys %isc) {
+ ::rptMsg($i);
+ ::rptMsg(" LastWrite : ".gmtime($isc{$i}{lastwrite})." UTC");
+ ::rptMsg(" Expiry : ".gmtime($isc{$i}{expiry})." UTC");
+ ::rptMsg(" Protocol : ".$isc{$i}{protocol});
+ ::rptMsg(" Type : ".$isc{$i}{type});
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg("MSOffice version not found.");
+ }
+}
+1;
\ No newline at end of file
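Review bot: In the report loop `gmtime($isc{$i}{expiry})` runs on an undefined value whenever the `Expiration` lookup failed inside its `eval`, so a server entry without that value is reported with an Expiry of the 1970 epoch instead of a missing-value marker. Print a placeholder instead: `::rptMsg(" Expiry : ".(defined $isc{$i}{expiry} ? gmtime($isc{$i}{expiry})." UTC" : "not found"));`. The ternaries used as statements to assign `type` and `protocol` read more clearly as `$isc{$name}{type} = exists $types{$t} ? $types{$t} : $t;`. Entries are printed in hash order; `sort keys %isc` would make the report stable between runs.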
diff --git a/RecentActivity/release/rr/plugins/outlook.pl b/RecentActivity/release/rr/plugins/outlook.pl
new file mode 100644
index 0000000000..eafc9b3ade
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/outlook.pl
@@ -0,0 +1,186 @@
+#-----------------------------------------------------------
+# outlook.pl
+# **Very Beta! Based on one sample hive file only!
+#
+# Change history
+# 20100218 - created
+#
+# References
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package outlook;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100218);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets user's Outlook settings";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ my %hist;
+ ::logMsg("Launching outlook v.".$VERSION);
+
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar @subkeys > 0) {
+ ::rptMsg("");
+ foreach my $s (@subkeys) {
+
+ my $profile = $s->get_name();
+ ::rptMsg($profile." Profile");
+
+# AutoArchive settings
+# http://support.microsoft.com/kb/198479
+ eval {
+ my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0324")->get_data();
+ $data =~ s/\00//g;
+ ::rptMsg(" Outlook 2007 AutoArchive path -> ".$data);
+ };
+
+ eval {
+ my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e0324")->get_data();
+ $data =~ s/\00//g;
+ ::rptMsg(" Outlook 2003 AutoArchive path -> ".$data);
+ };
+
+ eval {
+ my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data();
+ $data =~ s/\00//g;
+ ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data);
+ };
+
+# http://support.microsoft.com/kb/288570
+ eval {
+ my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101e0384")->get_data();
+ $data =~ s/\00//g;
+ ::rptMsg(" Open Other Users MRU (Outlook 97) -> ".$data);
+ };
+
+ eval {
+ my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101f0390")->get_data();
+ $data =~ s/\00//g;
+ ::rptMsg(" Open Other Users MRU (Outlook 2003) -> ".$data);
+ };
+
+
+
+ eval {
+ my $data = unpack("V",$s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("00036601")->get_data());
+ my $str;
+ if ($data == 4) {
+ $str = " Cached Exchange Mode disabled.";
+ }
+ elsif ($data == 4484) {
+ $str = " Cached Exchange Mode enabled.";
+ }
+ else {
+ $str = sprintf " Cached Exchange Mode: 0x%x",$data;
+ }
+ ::rptMsg($str);
+ };
+
+ eval {
+ my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6610")->get_data();
+ $data =~ s/\00//g;
+ ::rptMsg(" Path to OST file: ".$data);
+ };
+
+ eval {
+ my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6607")->get_data();
+ $data =~ s/\00//g;
+ ::rptMsg(" Email: ".$data);
+ };
+
+ eval {
+ my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6620")->get_data();
+ $data =~ s/\00//g;
+ ::rptMsg(" Email: ".$data);
+ };
+
+# http://support.microsoft.com/kb/959956
+# eval {
+# my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("01026687")->get_data();
+# $data =~ s/\00/\./g;
+# $data =~ s/\W//g;
+# ::rptMsg(" Non-SMTP Email: ".$data);
+# };
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ eval {
+ my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data();
+ $data =~ s/\00//g;
+ ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data);
+ };
+
+
+
+
+
+
+ eval {
+ my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0418")->get_data();
+ $data =~ s/\00//g;
+ ::rptMsg(" 001f0418 -> ".$data);
+ };
+# ::rptMsg("Error : ".$@) if ($@);
+
+
+# Account Names and signatures
+# http://support.microsoft.com/kb/938360
+ my @subkeys = $s->get_subkey("9375CFF0413111d3B88A00104B2A6676")->get_list_of_subkeys();
+ if (scalar @subkeys > 0) {
+
+ foreach my $s2 (@subkeys) {
+ eval {
+
+
+ };
+ }
+ }
+
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
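Review bot: The `get_list_of_subkeys()` call on the `9375CFF0413111d3B88A00104B2A6676` subkey is the only registry read in the profile loop that is not wrapped in `eval`, so a profile without that subkey makes `get_subkey` return undef and the chained method call dies, aborting the whole report for the hive; guard it, e.g. `my $acct = $s->get_subkey("9375CFF0413111d3B88A00104B2A6676"); my @subkeys = defined $acct ? $acct->get_list_of_subkeys() : ();`. The `eval` inside the `@subkeys` loop is empty, so the "Account Names and signatures" section currently produces nothing, and the block reading value `001e032c` appears twice (once near the top of the loop and again after the commented-out section), so each profile reports the "AutoArchive path (alt)" line twice. `%hist` is declared but never used. The two `Email:` lines come from different value names (`001f6607` and `001f6620`) but are printed with the same label, so the reader cannot tell which source produced which address.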
diff --git a/RecentActivity/release/rr/plugins/pagefile.pl b/RecentActivity/release/rr/plugins/pagefile.pl
new file mode 100644
index 0000000000..f0484de431
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/pagefile.pl
@@ -0,0 +1,71 @@
+#-----------------------------------------------------------
+# pagefile.pl
+#
+# Ref:
+#
+# http://support.microsoft.com/kb/314834 - ClearPagefileAtShutdown
+#
+# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package pagefile;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081212);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get info on pagefile(s)";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching pagefile v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+
+ my $mm_path = "ControlSet00".$current."\\Control\\Session Manager\\Memory Management";
+ my $mm;
+ if ($mm = $root_key->get_subkey($mm_path)) {
+
+ eval {
+ my $files = $mm->get_value("PagingFiles")->get_data();
+ ::rptMsg("PagingFiles = ".$files);
+ };
+ ::rptMsg($@) if ($@);
+
+ eval {
+ my $cpf = $mm->get_value("ClearPageFileAtShutdown")->get_data();
+ ::rptMsg("ClearPageFileAtShutdown = ".$cpf);
+ };
+
+ }
+ else {
+ ::rptMsg($mm_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
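Review bot: The `get_value("Current")->get_data()` chain under the `Select` key is not guarded, so a hive whose Select key lacks a Current value dies with an uncaught exception instead of a report line, while the two Memory Management reads below are wrapped in `eval`. The two evals also handle failure inconsistently: PagingFiles writes the raw Perl error (`$@`, including file and line) into the report, and ClearPageFileAtShutdown reports nothing when absent, which for an analyst is indistinguishable from the value being present with data 0. Suggest `::rptMsg("ClearPageFileAtShutdown value not found.") if ($@);` after the second eval, in the style policies_u.pl uses, and a plain `PagingFiles value not found.` message in place of the raw `$@`. The `"ControlSet00".$current` construction also assumes a single-digit control set number; a comment stating that assumption would help.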
diff --git a/RecentActivity/release/rr/plugins/polacdms.pl b/RecentActivity/release/rr/plugins/polacdms.pl
new file mode 100644
index 0000000000..83efc86670
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/polacdms.pl
@@ -0,0 +1,93 @@
+#-----------------------------------------------------------
+# polacdms
+# Get the audit policy from the Security hive file; also, gets
+#
+#
+# Change History:
+# 20100531 - Created
+#
+# References:
+# http://en.wikipedia.org/wiki/Security_Identifier
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package polacdms;
+use strict;
+
+my %config = (hive => "Security",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100531);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get local machine SID from Security hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching polacdms v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Policy\\PolAcDmS";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("PolAcDmS");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $data;
+ eval {
+ $data = $key->get_value("")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("Error occurred getting data from ".$key_path);
+ ::rptMsg(" - ".$@);
+ }
+ else {
+ my @d = unpack("V4",substr($data,8,16));
+ ::rptMsg("Machine SID: S-1-5-".(join('-',@d)));
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+ my $key_path = "Policy\\PolPrDmS";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("PolPrDmS");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $data;
+ eval {
+ $data = $key->get_value("")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("Error occurred getting data from ".$key_path);
+ ::rptMsg(" - ".$@);
+ }
+ else {
+ my @d = unpack("V4",substr($data,8,16));
+ ::rptMsg("Primary Domain SID: S-1-5-".(join('-',@d)));
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
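Review bot: `unpack("V4",substr($data,8,16))` is applied without checking that the default value holds at least 24 bytes, so a short or malformed value silently yields a SID with fewer sub-authorities rather than an error (the `$@` branch only covers a missing value); add `if (length($data) < 24) { ::rptMsg("Unexpected data length ".length($data)." in ".$key_path); }` before the unpack, in both blocks. The `S-1-5-` prefix is hard-coded rather than derived from the revision and identifier-authority bytes at offsets 0-7; that is reasonable for the expected NT authority but should be stated in a comment. `my $key_path` and `my $key` are redeclared in the same scope for the PolPrDmS block, which will warn "masks earlier declaration in same scope" once `use warnings` is added, and the two blocks are near-identical enough to share one helper taking the key path and label. The header comment `Get the audit policy from the Security hive file; also, gets` is truncated and does not describe what the plugin does; `getShortDescr` has the accurate wording.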
diff --git a/RecentActivity/release/rr/plugins/policies_u.pl b/RecentActivity/release/rr/plugins/policies_u.pl
new file mode 100644
index 0000000000..9a15c13112
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/policies_u.pl
@@ -0,0 +1,73 @@
+#-----------------------------------------------------------
+# policies_u
+# Get values from user's WinLogon key
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package policies_u;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20091021);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get values from the user's Policies key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching policies_u v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path."\\policies")) {
+# ::rptMsg("policies key found.");
+
+ }
+ elsif ($key = $root_key->get_subkey($key_path."\\Policies")) {
+# ::rptMsg("Policies key found.");
+
+ }
+ else {
+ ::rptMsg("Neither policies nor Policies key found.");
+ return;
+ }
+
+ eval {
+ my @vals = $key->get_subkey("Explorer")->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ ::rptMsg("");
+ ::rptMsg("Explorer subkey values:");
+ foreach my $v (@vals) {
+ my $str = sprintf "%-20s %-20s",$v->get_name(),$v->get_data();
+ ::rptMsg(" ".$str);
+ }
+ }
+ };
+ ::rptMsg("");
+ eval {
+ my $quota = $key->get_subkey("System")->get_value("EnableProfileQuota")->get_data();
+ ::rptMsg("EnableProfileQuota = ".$quota);
+ ::rptMsg("");
+ ::rptMsg("The EnableProfileQuota = 1 setting causes the proquota\.exe to be run");
+ ::rptMsg("automatically in order to limit the size of roaming profiles\. This");
+ ::rptMsg("corresponds to the Limit Profile Size GPO setting\.");
+ };
+ ::rptMsg("System\\EnableProfileQuota value not found\.") if ($@);
+}
+
+1;
\ No newline at end of file
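Review bot: The two evals report failures inconsistently: when the `Explorer` subkey is missing the first eval fails silently and the report shows nothing, while the second prints `System\EnableProfileQuota value not found.` on any error, including a missing `System` subkey. Add `::rptMsg("Explorer subkey not found or has no values.") if ($@);` after the first eval so an analyst can distinguish "no Explorer policies set" from "key absent"; Explorer policy values commonly carry security-relevant restrictions, so their absence is itself worth stating. The `sprintf "%-20s %-20s"` line prints `get_data()` regardless of value type; for non-string types the report may receive raw binary, so a `get_type()` check as proxysettings.pl does would be consistent. The case-variant lookup of `policies` then `Policies` deserves a one-line comment explaining why both spellings are tried.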
diff --git a/RecentActivity/release/rr/plugins/port_dev.pl b/RecentActivity/release/rr/plugins/port_dev.pl
new file mode 100644
index 0000000000..3ceaf1ae73
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/port_dev.pl
@@ -0,0 +1,89 @@
+#-----------------------------------------------------------
+# port_dev
+# Parse Microsoft\Windows Portable Devices\Devices key on Vista
+# Get historical information about drive letter assigned to devices
+#
+# NOTE: Credit for "discovery" goes to Rob Lee
+#
+# Change History:
+# 20090118 - changed the name of the plugin from "removdev"
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package port_dev;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 192,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090118);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Parses Windows Portable Devices key (Vista)";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching port_dev v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows Portable Devices\\Devices";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("RemovDev");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ my $lastwrite = $s->get_timestamp();
+
+ my $letter;
+ eval {
+ $letter = $s->get_value("FriendlyName")->get_data();
+ };
+ ::rptMsg($name." key error: $@") if ($@);
+
+ my $half;
+ if (grep(/##/,$name)) {
+ $half = (split(/##/,$name))[1];
+ }
+
+ if (grep(/\?\?/,$name)) {
+ $half = (split(/\?\?/,$name))[1];
+ }
+
+ my ($dev,$sn) = (split(/#/,$half))[1,2];
+
+ ::rptMsg("Device : ".$dev);
+ ::rptMsg("LastWrite : ".gmtime($lastwrite)." (UTC)");
+ ::rptMsg("SN : ".$sn);
+ ::rptMsg("Drive : ".$letter);
+ ::rptMsg("");
+
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
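Review bot: `$half` is only set when the subkey name contains `##` or `??`, but `split(/#/,$half)` runs unconditionally, so a name in neither form yields undefined `$dev`/`$sn` and an entry whose Device and SN fields are blank with no indication why; guard it, e.g. `unless (defined $half) { ::rptMsg($name." : unrecognized name format"); ::rptMsg(""); next; }`. `grep(/##/,$name)` on a scalar works but is an idiom misuse; `$name =~ /##/` says what is meant. The FriendlyName failure path writes the raw Perl exception, including file and line, into the report via `::rptMsg($name." key error: $@")`. The report title is still `RemovDev` although the history note records the rename to port_dev.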
diff --git a/RecentActivity/release/rr/plugins/printermru.pl b/RecentActivity/release/rr/plugins/printermru.pl
new file mode 100644
index 0000000000..531f1f19ad
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/printermru.pl
@@ -0,0 +1,74 @@
+#-----------------------------------------------------------
+# printermru.pl
+# Plugin to get RealVNC MRU listings from NTUSER.DAT
+#
+# Change history
+# 20091125 - created
+#
+# References
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package printermru;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20091125);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets user's Printer Wizard MRU listing";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching printermru v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Printers\\Settings\\Wizard\\ConnectMRU';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %mru;
+ my @list;
+ foreach my $v (@vals) {
+ $mru{$v->get_name()} = $v->get_data();
+ }
+
+ if (exists $mru{MRUList}) {
+ @list = split(//,$mru{MRUList});
+ }
+
+ ::rptMsg("Printers listed in MRUList order.");
+ foreach my $i (0..scalar(@list) - 1) {
+ ::rptMsg(" ".$list[$i]." -> ".$mru{$list[$i]});
+ }
+
+
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
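Review bot: The header comment says `Plugin to get RealVNC MRU listings from NTUSER.DAT`, which matches neither the code nor `getShortDescr` (Printer Wizard ConnectMRU); change it to `# Plugin to get the Printer Wizard ConnectMRU listing from NTUSER.DAT`. In the output loop `$mru{$list[$i]}` is printed without checking the key exists, so an MRUList letter with no matching value prints an empty entry silently; `for my $l (@list) { ::rptMsg(" ".$l." -> ".(exists $mru{$l} ? $mru{$l} : "(value missing)")); }` avoids the index arithmetic and makes the gap visible. When `MRUList` is absent nothing at all follows the "Printers listed in MRUList order." heading; a `MRUList value not found.` line, or an unordered dump of the remaining values, would be clearer.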
diff --git a/RecentActivity/release/rr/plugins/printers.pl b/RecentActivity/release/rr/plugins/printers.pl
new file mode 100644
index 0000000000..b01c920078
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/printers.pl
@@ -0,0 +1,83 @@
+#-----------------------------------------------------------
+# printers.pl
+# Get information about printers used by a user; System hive
+# info is volatile
+#
+# Ref:
+# http://support.microsoft.com/kb/102966
+# http://support.microsoft.com/kb/252388
+# http://support.microsoft.com/kb/102116
+#
+# The following references contain information from the System
+# hive that is volatile.
+# http://www.undocprint.org/winspool/registry
+# http://msdn.microsoft.com/en-us/library/aa394363(VS.85).aspx
+#
+# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package printers;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090223);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get user's printers";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching printers v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp()));
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ ::rptMsg(" ".$v->get_name()." (".$v->get_data().")");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ ::rptMsg("");
+# Get default printer
+ my $def_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
+ my $def;
+ eval {
+ $def = $root_key->get_subkey($def_path)->get_value("Device")->get_data();
+ ::rptMsg("Default Printer (via CurrentVersion\\Windows): ".$def);
+ };
+# another attempt to get the default printer
+ my $def_path = "Printers";
+ my $def;
+ eval {
+ $def = $root_key->get_subkey($def_path)->get_value("DeviceOld")->get_data();
+ ::rptMsg("Default Printer (via Printers->DeviceOld): ".$def);
+ };
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
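Review bot: `my $def_path` and `my $def` are declared twice in the same scope (once for the CurrentVersion\Windows block, again for the Printers block), which parses but triggers "masks earlier declaration in same scope" as soon as `use warnings` is added; rename the second pair, e.g. `my $old_path = "Printers"; my $def_old;`. The LastWrite line omits the `(UTC)` suffix the sibling plugins print after `gmtime`, so a reader comparing reports cannot tell the timezone. Both default-printer evals are silent on failure; that is acceptable best-effort behaviour, but a one-line comment stating that absence is expected on systems without a default printer would make the intent clear.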
diff --git a/RecentActivity/release/rr/plugins/product.pl b/RecentActivity/release/rr/plugins/product.pl
new file mode 100644
index 0000000000..6a70d719f4
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/product.pl
@@ -0,0 +1,118 @@
+#-----------------------------------------------------------
+# product.pl
+# Plugin to determine the MSI packages installed on the system
+#
+# Change history:
+# 20100325 - created
+#
+# References:
+# http://support.microsoft.com/kb/236590
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package product;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100325);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get installed product info";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %msi;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching product v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows\\CurrentVersion\\Installer\\UserData";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+# Each of these subkeys should be SIDs
+ foreach my $s (@subkeys) {
+ next unless ($s->get_name() =~ m/^S/);
+ ::rptMsg($s->get_name());
+ if ($s->get_subkey("Products")) {
+ processSIDKey($s->get_subkey("Products"));
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg($s->get_name()."\\Products subkey not found.");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+sub processSIDKey {
+ my $key = shift;
+ my %prod;
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+# ::rptMsg($key->get_name());
+ foreach my $s (@subkeys) {
+ my ($displayname,$lastwrite);
+ eval {
+ $displayname = $s->get_subkey("InstallProperties")->get_value("DisplayName")->get_data();
+ $lastwrite = $s->get_subkey("InstallProperties")->get_timestamp();
+ };
+
+ my $displayversion;
+ eval {
+ $displayversion = $s->get_subkey("InstallProperties")->get_value("DisplayVersion")->get_data();
+ };
+
+ my $installdate;
+ eval {
+ $installdate = $s->get_subkey("InstallProperties")->get_value("InstallDate")->get_data();
+ };
+
+ my $str = $displayname." v.".$displayversion.", ".$installdate;
+ push(@{$prod{$lastwrite}},$str);
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %prod) {
+ ::rptMsg(gmtime($t)." Z");
+ foreach my $i (@{$prod{$t}}) {
+ ::rptMsg(" ".$i);
+ }
+ }
+
+
+ }
+ else {
+ ::rptMsg($key->get_name()." has no subkeys.");
+ return;
+ }
+}
+
+1;
\ No newline at end of file
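Review bot: In `processSIDKey`, a product subkey without an `InstallProperties` subkey leaves `$displayname`, `$displayversion`, `$installdate` and `$lastwrite` undefined, so the entry is pushed under the empty key and reported as ` v., ` at `gmtime(0)` (1 Jan 1970) — a misleading timestamp in what is effectively an installation timeline. Report and skip such entries instead, after the three evals: `unless (defined $lastwrite) { ::rptMsg(" ".$s->get_name()." has no InstallProperties subkey."); next; }`. The file-level `my %msi;` is never used. The `next unless ($s->get_name() =~ m/^S/)` filter deserves a comment saying it keeps only SID-named subkeys, since the bare `^S` test is easy to misread.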
diff --git a/RecentActivity/release/rr/plugins/productpolicy.pl b/RecentActivity/release/rr/plugins/productpolicy.pl
new file mode 100644
index 0000000000..9437b84fbe
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/productpolicy.pl
@@ -0,0 +1,145 @@
+#-----------------------------------------------------------
+# productpolicy.pl
+# Extract/parse the ControlSet00x\Control\ProductOptions\ProductPolicy value
+#
+# NOTE: For Vista and 2008 ONLY; the value structure changed with Windows 7
+#
+# Change History:
+# 20091116 - created
+#
+# Ref:
+# http://www.geoffchappell.com/viewer.htm?doc=studies/windows/km/ntoskrnl/
+# api/ex/slmem/productpolicy.htm&tx=19
+# http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/
+# install.htm&tx=3,5,6;4
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package productpolicy;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20091116);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Parse ProductPolicy value (Vista & Win2008 ONLY)";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my %prodinfo = (1 => "Ultimate",
+ 2 => "Home Basic",
+ 3 => "Home Premium",
+ 5 => "Home Basic N",
+ 6 => "Business",
+ 7 => "Standard",
+ 8 => "Data Center",
+ 10 => "Enterprise",
+ 11 => "Starter",
+ 12 => "Data Center Core",
+ 13 => "Standard Core",
+ 14 => "Enterprise Core",
+ 15 => "Business N");
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+
+ ::logMsg("Launching productpolicy v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $curr;
+ eval {
+ $curr = $root_key->get_subkey("Select")->get_value("Current")->get_data();
+ };
+ $curr = 1 if ($@);
+
+ my $key;
+ my $key_path = "ControlSet00".$curr."\\Control\\ProductOptions";
+ if ($key = $root_key->get_subkey($key_path)) {
+ my $prod;
+ eval {
+ $prod = $key->get_value("ProductPolicy")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("Error getting ProductPolicy value: $@");
+ }
+ else {
+ my %pol = parseData($prod);
+ ::rptMsg("");
+ ::rptMsg("Note: This plugin applies to Vista and Windows 2008 ONLY.");
+ ::rptMsg("For a listing of names and values, see:");
+ ::rptMsg("http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/install.htm&tx=3,5,6;4");
+ ::rptMsg("");
+ foreach my $p (sort keys %pol) {
+ ::rptMsg($p." - ".$pol{$p});
+ }
+
+ if (exists $prodinfo{$pol{"Kernel\-ProductInfo"}}) {
+ ::rptMsg("");
+ ::rptMsg("Kernel\-ProductInfo = ".$prodinfo{$pol{"Kernel\-ProductInfo"}});
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+sub parseHeader {
+# Ref: http://www.geoffchappell.com/viewer.htm?doc=studies/windows/km/ntoskrnl/
+# api/ex/slmem/productpolicy.htm&tx=19,21
+ my %h;
+ my @v = unpack("V*",shift);
+ $h{size} = $v[0];
+ $h{array} = $v[1];
+ $h{marker} = $v[2];
+ $h{version} = $v[4];
+ return %h;
+}
+
+sub parseData {
+ my $pd = shift;
+ my %policy;
+ my $h = substr($pd,0,0x14);
+ my %hdr = parseHeader($h);
+ my $total_size = $hdr{size};
+ my $cursor = 0x14;
+
+ while ($cursor <= $total_size) {
+ my @vals = unpack("v4V2", substr($pd,$cursor,0x10));
+ my $value = substr($pd,$cursor,$vals[0]);
+ my $name = substr($value,0x10,$vals[1]);
+ $name =~ s/\00//g;
+
+ my $data = substr($value,0x10 + $vals[1],$vals[3]);
+ if ($vals[2] == 4) {
+# $data = sprintf "0x%x",unpack("V",$data);
+ $data = unpack("V",$data);
+ }
+ elsif ($vals[2] == 1) {
+ $data =~ s/\00//g;
+ }
+ elsif ($vals[2] == 3) {
+ $data = unpack("H*",$data);
+ }
+ else {
+
+ }
+ $policy{$name} = $data;
+ $cursor += $vals[0];
+ }
+ delete $policy{""};
+ return %policy;
+}
+1;
\ No newline at end of file
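Review bot: The `while ($cursor <= $total_size)` loop in `parseData` has no progress guarantee: `$cursor += $vals[0]` with a zero or undefined entry size (a truncated or corrupted ProductPolicy blob, or `substr` returning a short string once `$cursor` passes the end of `$pd`) loops forever, so a malformed hive hangs the plugin and the run that called it. Add a bounds and size guard at the top of the loop body, `last if $cursor + 0x10 > length($pd);` followed by `last unless defined $vals[0] && $vals[0] >= 0x10;` (0x10 is the fixed entry header the code itself assumes when it slices the name). The `<=` comparison also allows one entry read starting exactly at `$total_size`; `<` looks intended, but confirm against the referenced structure. The `else` branch for unknown `$vals[2]` types is empty; a comment such as `# unknown data type: keep raw bytes` would document that the data is deliberately left untouched.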
diff --git a/RecentActivity/release/rr/plugins/producttype.pl b/RecentActivity/release/rr/plugins/producttype.pl
new file mode 100644
index 0000000000..41b39677b6
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/producttype.pl
@@ -0,0 +1,88 @@
+#-----------------------------------------------------------
+# producttype.pl
+# Determine Windows product information
+#
+# History
+# 20100713 - updated reference info, formatting
+# 20100325 - renamed to producttype.pl
+#
+# References
+# http://support.microsoft.com/kb/181412
+# http://support.microsoft.com/kb/152078
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package producttype;
+use strict;
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100325);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Queries System hive for Windows Product info";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching producttype v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+ my $prod_key_path = $ccs."\\Control\\ProductOptions";
+ if (my $prod_key = $root_key->get_subkey($prod_key_path)) {
+ ::rptMsg($prod_key_path);
+ ::rptMsg("LastWrite = ".gmtime($prod_key->get_timestamp()));
+ ::rptMsg("");
+ ::rptMsg("Ref: http://support.microsoft.com/kb/152078");
+ ::rptMsg(" http://support.microsoft.com/kb/181412");
+ ::rptMsg("");
+ my $type;
+ eval {
+ $type = $prod_key->get_value("ProductType")->get_data();
+ ::rptMsg("ProductType = ".$type);
+ ::rptMsg("Ref: http://technet.microsoft.com/en-us/library/cc782360%28WS.10%29.aspx");
+ ::rptMsg("WinNT indicates a workstation.");
+ ::rptMsg("ServerNT indicates a standalone server.");
+ ::rptMsg("LanmanNT indicates a domain controller (pri/backup).");
+ };
+ ::rptMsg("");
+#-----------------------------------------------------------
+# http://technet.microsoft.com/en-us/library/cc784364(WS.10).aspx
+#
+# http://www.geoffchappell.com/viewer.htm?doc=studies/windows/
+# km/ntoskrnl/api/ex/exinit/productsuite.htm
+#
+#-----------------------------------------------------------
+ my $suite;
+ eval {
+ $suite = $prod_key->get_value("ProductSuite")->get_data();
+ ::rptMsg("ProductSuite = ".$suite);
+ ::rptMsg("Ref: http://technet.microsoft.com/en-us/library/cc784364%28WS.10%29.aspx");
+ };
+ }
+ else {
+ ::rptMsg($prod_key_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg("Select key not found.");
+ }
+}
+1
\ No newline at end of file
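Review bot: The history header records an update on 20100713 but `version => 20100325` in `%config` was not bumped, so `getVersion` and the "Launching producttype v." log line understate the plugin version; set `version => 20100713`. `$key->get_value("Current")->get_data()` under the Select key is unguarded, unlike the ProductType and ProductSuite reads below, so a Select key without a Current value dies instead of reporting. The file ends with a bare `1` without the semicolon every other plugin uses; it parses, but `1;` is the convention. Both evals are silent on failure; `ProductType value not found.` / `ProductSuite value not found.` lines would match the sibling plugins.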
diff --git a/RecentActivity/release/rr/plugins/profilelist.pl b/RecentActivity/release/rr/plugins/profilelist.pl
new file mode 100644
index 0000000000..bfeae8a6e7
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/profilelist.pl
@@ -0,0 +1,137 @@
+#-----------------------------------------------------------
+# profilelist.pl
+# Gets ProfileList subkeys and ProfileImagePath value; also
+# gets the ProfileLoadTimeHigh and Low values, and translates them
+# into a readable time
+#
+# History:
+# 20100219 - updated to gather SpecialAccounts and domain
+# user info
+# 20080415 - created
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package profilelist;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100219);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get content of ProfileList key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+
+ my %profiles;
+
+ ::logMsg("Launching profilelist v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\ProfileList";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $path;
+ eval {
+ $path = $s->get_value("ProfileImagePath")->get_data();
+ };
+
+ ::rptMsg("Path : ".$path);
+ ::rptMsg("SID : ".$s->get_name());
+ ::rptMsg("LastWrite : ".gmtime($s->get_timestamp())." (UTC)");
+
+ my $user;
+ if ($path) {
+ my @a = split(/\\/,$path);
+ my $end = scalar @a - 1;
+ $user = $a[$end];
+ $profiles{$s->get_name()} = $user;
+ }
+
+ my @load;
+ eval {
+ $load[0] = $s->get_value("ProfileLoadTimeLow")->get_data();
+ $load[1] = $s->get_value("ProfileLoadTimeHigh")->get_data();
+ };
+ if (@load) {
+ my $loadtime = ::getTime($load[0],$load[1]);
+ ::rptMsg("LoadTime : ".gmtime($loadtime)." (UTC)");
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+# The following was added 20100219
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar @subkeys > 0) {
+ ::rptMsg("Domain Accounts");
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ next unless ($name =~ m/^S\-1/);
+
+ (exists $profiles{$name}) ? (::rptMsg($name." [".$profiles{$name}."]"))
+ : (::rptMsg($name));
+# ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp()));
+# ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+
+# Domain Cache?
+ eval {
+ my @cache = $key->get_subkey("DomainCache")->get_list_of_values();
+ if (scalar @cache > 0) {
+ ::rptMsg("");
+ ::rptMsg("DomainCache");
+ foreach my $d (@cache) {
+ my $str = sprintf "%-15s %-20s",$d->get_name(),$d->get_data();
+ ::rptMsg($str);
+ }
+ }
+ };
+
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+
+
+
+}
+1;
\ No newline at end of file
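Review bot: `if (@load)` is true as soon as `ProfileLoadTimeLow` was read, so when only `ProfileLoadTimeHigh` is missing `::getTime($load[0],$load[1])` is called with an undefined high part and a bogus LoadTime is reported; test both halves, `if (defined $load[0] && defined $load[1])`. The header's history note says the 20100219 update gathers SpecialAccounts information, but nothing in the hunk reads a SpecialAccounts key — only SID-named Winlogon subkeys and DomainCache are processed — so either the comment or the code is incomplete. `my $key_path` is redeclared in the same scope for the Winlogon block and will warn "masks earlier declaration" once `use warnings` is on. The `$user` taken from ProfileImagePath is the last path component, i.e. a profile directory name rather than a verified account name; a comment saying so would stop readers treating it as authoritative.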
diff --git a/RecentActivity/release/rr/plugins/proxysettings.pl b/RecentActivity/release/rr/plugins/proxysettings.pl
new file mode 100644
index 0000000000..d403c487d3
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/proxysettings.pl
@@ -0,0 +1,70 @@
+#-----------------------------------------------------------
+# proxysettings.pl
+# Plugin for Registry Ripper,
+# Internet Explorer ProxySettings key parser
+#
+# Change history
+# 20081224 - H. Carvey, updated sorting and printing routine
+#
+#
+# copyright 2008 C. Bentley
+#-----------------------------------------------------------
+package proxysettings;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20081224);
+
+sub getConfig{return %config}
+sub getShortDescr {return "Gets contents of user's Proxy Settings";}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching proxysettings v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("ProxySettings");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %proxy;
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ my $type = $v->get_type();
+ $data = unpack("V",$data) if ($type == 3);
+ $proxy{$name} = $data;
+ }
+ foreach my $n (sort keys %proxy) {
+ my $str = sprintf " %-30s %-30s",$n,$proxy{$n};
+ ::rptMsg($str);
+# ::rptMsg(" ".$v->get_name()." ".$v->get_data());
+ }
+ }
+ else {
+ ::rptMsg($key_path." key has no values.");
+ ::logMsg($key_path." key has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." hat key not found.");
+ ::logMsg($key_path." hat key not found.");
+ }
+}
+1;
\ No newline at end of file
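Review bot: The two not-found messages at the end of pluginmain read `$key_path." hat key not found."`, which looks like a typo for `" key not found."` and also differs from the plain `" not found."` wording the sibling plugins use. Separately, `$data = unpack("V",$data) if ($type == 3);` silently keeps only the first four bytes of any REG_BINARY value (type 3); if that truncation is intended, a comment such as `# type 3 = REG_BINARY; report only the leading DWORD` would make the intent explicit, and a `length($data) >= 4` guard would make it obvious when a longer blob is being cut down.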
diff --git a/RecentActivity/release/rr/plugins/rdphint.pl b/RecentActivity/release/rr/plugins/rdphint.pl
new file mode 100644
index 0000000000..680165812a
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/rdphint.pl
@@ -0,0 +1,61 @@
+#-----------------------------------------------------------
+# rdphint.pl - http://www.regripper.net/
+# Gathers servers logged onto via RDP and last successful username
+#
+# by Brandon Nesbit, Trustwave
+#-----------------------------------------------------------
+package rdphint;
+use strict;
+
+my %config = (hive => "NTUSER",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090715);
+
+sub getConfig{return %config}
+sub getShortDescr { return "Gets hosts logged onto via RDP and the Domain\\Username";}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching RDPHint v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Terminal Server Client\\Servers");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $path;
+ eval {
+ $path = $s->get_value("UsernameHint")->get_data();
+ };
+ ::rptMsg("");
+ ::rptMsg("Hostname: ".$s->get_name());
+ ::rptMsg("Domain/Username: ".$path);
+ ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
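Review bot: `::rptMsg("Domain/Username: ".$path);` concatenates an undefined `$path` whenever the `UsernameHint` value is absent, because the `eval` above swallows the failure and nothing checks `$@`; printing `(defined $path ? $path : "(not set)")` keeps the report readable and distinguishes a missing hint from an empty one. The variable would also be clearer as `$hint`, since it holds a username hint rather than a path. Note that the config sets `hive => "NTUSER"` whereas the other user-hive plugins on this page use `"NTUSER\.DAT"`; if the front end selects plugins by the getHive string, this one may be matched differently from its siblings, which is worth confirming.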
diff --git a/RecentActivity/release/rr/plugins/rdpport.pl b/RecentActivity/release/rr/plugins/rdpport.pl
new file mode 100644
index 0000000000..44110d33cb
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/rdpport.pl
@@ -0,0 +1,59 @@
+#-----------------------------------------------------------
+# rdpport.pl
+# Determine the RDP Port used
+#
+# History
+# 20100713 - created
+#
+# References
+# http://support.microsoft.com/kb/306759
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package rdpport;
+use strict;
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100713);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Queries System hive for RDP Port";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my $key;
+
+ ::logMsg("Launching rdpport v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $ccs = $root_key->get_subkey("Select")->get_value("Current")->get_data();
+ my $key_path = "ControlSet00".$ccs."\\Control\\Terminal Server\\WinStations\\RDP-Tcp";
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("rdpport v.".$VERSION);
+ ::rptMsg("");
+ my $port;
+ eval {
+ $port = $key->get_value("PortNumber")->get_data();
+ ::rptMsg("Remote Desktop Listening Port Number = ".$port);
+ };
+ ::rptMsg("Error getting PortNumber: ".$@) if ($@);
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1
\ No newline at end of file
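Review bot: `my $ccs = $root_key->get_subkey("Select")->get_value("Current")->get_data();` is unguarded, so a hive without a `Select` key (or without a `Current` value) dies with a method call on undef before any report line is written, whereas routes.pl and safeboot.pl in this change at least test the `Select` subkey first. Building the path as `"ControlSet00".$ccs` also assumes a single-digit control set number; `sprintf("ControlSet%03d", $ccs)` matches the real key naming, and the same construction appears in routes.pl and safeboot.pl. Finally, the file ends in `1` without a semicolon or trailing newline; it still compiles, but `1;` keeps it consistent with the other plugins.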
diff --git a/RecentActivity/release/rr/plugins/realplayer6.pl b/RecentActivity/release/rr/plugins/realplayer6.pl
new file mode 100644
index 0000000000..7ea5913a5f
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/realplayer6.pl
@@ -0,0 +1,79 @@
+#-----------------------------------------------------------
+# realplayer6.pl
+# Plugin for Registry Ripper
+# Get Real Player 6 MostRecentClipsx values
+#
+# Change history
+#
+#
+# References
+#
+# Note: LastWrite times on c subkeys will all be the same,
+# as each subkey is modified as when a new entry is added
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package realplayer6;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets user's RealPlayer v6 MostRecentClips\(Default) values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching realplayer6 v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("Realplayer6 v.".$VERSION);
+
+ my $key_path = "Software\\RealNetworks\\RealPlayer\\6.0\\Preferences";
+ my $key = $root_key->get_subkey($key_path);
+ if ($key) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my %rpkeys;
+ my $tag = "MostRecentClips";
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar @subkeys > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ if ($name =~ m/^$tag/) {
+ my $num = $name;
+ $num =~ s/$tag//;
+ $rpkeys{$num}{name} = $name;
+ $rpkeys{$num}{data} = $s->get_value('')->get_data();
+ $rpkeys{$num}{lastwrite} = $s->get_timestamp();
+ }
+ }
+ foreach my $k (sort keys %rpkeys) {
+ ::rptMsg("\t".$rpkeys{$k}{name}." -> ".$rpkeys{$k}{data});
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
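Review bot: `$rpkeys{$num}{data} = $s->get_value('')->get_data();` dies with a method call on undef if a `MostRecentClips*` subkey has no default value, aborting the whole plugin instead of skipping that entry; safeboot.pl in this same change wraps the identical default-value lookup in `eval { ... }` and falls back to the key name, and the same approach fits here. The `lastwrite` timestamp collected into `%rpkeys` is never reported, so either print it next to the clip or drop the field. `sort keys %rpkeys` orders the numeric suffixes lexically (10 before 2); `sort { $a <=> $b } keys %rpkeys` is the intended order if the suffixes are always numeric.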
diff --git a/RecentActivity/release/rr/plugins/realvnc.pl b/RecentActivity/release/rr/plugins/realvnc.pl
new file mode 100644
index 0000000000..667766aca4
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/realvnc.pl
@@ -0,0 +1,75 @@
+#-----------------------------------------------------------
+# realvnc.pl
+# Plugin to get RealVNC MRU listings from NTUSER.DAT
+#
+# Change history
+# 20091125 - created
+#
+# References
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package realvnc;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20091125);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets user's RealVNC MRU listing";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching realvnc v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\RealVNC\\VNCViewer4\\MRU';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %mru;
+ my @order;
+ foreach my $v (@vals) {
+ $mru{$v->get_name()} = $v->get_data();
+ }
+
+ if (exists($mru{Order})) {
+ @order = unpack("C*",$mru{Order});
+# List systems connected to based on Order MRU value
+ ::rptMsg("*Systems output in \"Order\" sequence");
+ foreach my $i (0..scalar(@order) - 1) {
+ $order[$i] = "0".$order[$i] if ($order[$i] < 10);
+ ::rptMsg(" ".$order[$i]." -> ".$mru{$order[$i]});
+ }
+ }
+ else {
+ ::rptMsg("Could not find Order value.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
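Review bot: The loop `foreach my $i (0..scalar(@order) - 1)` rewrites `@order` in place only to zero-pad single digits; iterating the values directly and formatting the key with `sprintf` is shorter and avoids mutating the list: `foreach my $o (@order) { my $k = sprintf "%02d", $o; ::rptMsg(" ".$k." -> ".$mru{$k}); }`. If an index listed in `Order` has no matching value, `$mru{$k}` is undef and the line prints with an empty target; a `defined` check with a placeholder such as `(missing)` would make that visible in the report rather than silent.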
diff --git a/RecentActivity/release/rr/plugins/recentdocs.pl b/RecentActivity/release/rr/plugins/recentdocs.pl
new file mode 100644
index 0000000000..7850665376
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/recentdocs.pl
@@ -0,0 +1,161 @@
+#-----------------------------------------------------------
+# recentdocs.pl
+# Plugin for Registry Ripper
+# Parses RecentDocs keys/values in NTUSER.DAT
+#
+# Change history
+# 20100405 - Updated to use Encode::decode to translate strings
+# 20090115 - Minor update to keep plugin from printing terminating
+# MRUListEx value of 0xFFFFFFFF
+# 20080418 - Minor update to address NTUSER.DAT files that have
+# MRUList values in this key, rather than MRUListEx
+# values
+#
+# References
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package recentdocs;
+use strict;
+use Encode;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100405);
+
+sub getShortDescr {
+ return "Gets contents of user's RecentDocs key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching recentdocs v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("RecentDocs");
+ ::rptMsg("**All values printed in MRUList\\MRUListEx order.");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+# Get RecentDocs values
+ my %rdvals = getRDValues($key);
+ if (%rdvals) {
+ my $tag;
+ if (exists $rdvals{"MRUListEx"}) {
+ $tag = "MRUListEx";
+ }
+ elsif (exists $rdvals{"MRUList"}) {
+ $tag = "MRUList";
+ }
+ else {
+
+ }
+
+ my @list = split(/,/,$rdvals{$tag});
+ foreach my $i (@list) {
+ ::rptMsg(" ".$i." = ".$rdvals{$i});
+ }
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg("Error: ".$key_path." has no values.");
+ }
+# Get RecentDocs subkeys' values
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg($key_path."\\".$s->get_name());
+ ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
+
+ my %rdvals = getRDValues($s);
+ if (%rdvals) {
+ my $tag;
+ if (exists $rdvals{"MRUListEx"}) {
+ $tag = "MRUListEx";
+ }
+ elsif (exists $rdvals{"MRUList"}) {
+ $tag = "MRUList";
+ }
+ else {
+
+ }
+
+ my @list = split(/,/,$rdvals{$tag});
+ ::rptMsg($tag." = ".$rdvals{$tag});
+ foreach my $i (@list) {
+ ::rptMsg(" ".$i." = ".$rdvals{$i});
+ }
+
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+
+sub getRDValues {
+ my $key = shift;
+
+ my $mru = "MRUList";
+ my %rdvals;
+
+ my @vals = $key->get_list_of_values();
+ if (scalar @vals > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ if ($name =~ m/^$mru/) {
+ my @mru;
+ if ($name eq "MRUList") {
+ @mru = split(//,$data);
+ }
+ elsif ($name eq "MRUListEx") {
+ @mru = unpack("V*",$data);
+ }
+# Horrible, ugly cludge; the last, terminating value in MRUListEx
+# is 0xFFFFFFFF, so we remove it.
+ pop(@mru);
+ $rdvals{$name} = join(',',@mru);
+ }
+ else {
+# New code
+ $data = decode("ucs-2le", $data);
+ my $file = (split(/\00/,$data))[0];
+# my $file = (split(/\00\00/,$data))[0];
+# $file =~ s/\00//g;
+ $rdvals{$name} = $file;
+ }
+ }
+ return %rdvals;
+ }
+ else {
+ return undef;
+ }
+}
+
+1;
\ No newline at end of file
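Review bot: recentdocs.pl is the only plugin in this change without a `sub getConfig{return %config}` accessor, so a front end that calls `getConfig` on every plugin (as the other files suggest it does) will fail on this one; adding that one-line sub next to getShortDescr fixes it. In getRDValues, `return undef;` is evaluated in list context by `my %rdvals = getRDValues($key);`, producing a one-key hash (key `""`) that makes `if (%rdvals)` true and bypasses the "has no values" branch; a bare `return;` yields an empty list and the intended empty hash. The empty `else {}` branches after the `MRUListEx`/`MRUList` checks leave `$tag` undefined, so `split(/,/,$rdvals{$tag})` runs on an undef key; that branch should log the missing list value and skip the listing. The `pop(@mru)` is commented as a workaround for the 0xFFFFFFFF terminator of MRUListEx, but it also runs for the `MRUList` string; if get_data has already stripped the REG_SZ terminator, the pop discards the oldest real entry, which is worth confirming against a sample hive.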
diff --git a/RecentActivity/release/rr/plugins/regtime.pl b/RecentActivity/release/rr/plugins/regtime.pl
new file mode 100644
index 0000000000..03510c46d9
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/regtime.pl
@@ -0,0 +1,65 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# regtime.pl
+# Plugin for Registry Ripper; traverses through a Registry
+# hive file, pulling out keys and their LastWrite times, and
+# then listing them in order, sorted by the most recent time
+# first - works with any Registry hive file.
+#
+# Change history
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package regtime;
+use strict;
+
+my %config = (hive => "All",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Dumps entire hive - all keys sorted by LastWrite time";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %regkeys;
+
+sub pluginmain {
+ my $class = shift;
+ my $file = shift;
+ my $reg = Parse::Win32Registry->new($file);
+ my $root_key = $reg->get_root_key;
+ ::logMsg("Launching regtime v.".$VERSION);
+
+ traverse($root_key);
+
+ foreach my $t (reverse sort {$a <=> $b} keys %regkeys) {
+ foreach my $item (@{$regkeys{$t}}) {
+ ::rptMsg(gmtime($t)."Z \t".$item);
+ }
+ }
+}
+
+sub traverse {
+ my $key = shift;
+ my $ts = $key->get_timestamp();
+ my $name = $key->as_string();
+ $name =~ s/\$\$\$PROTO\.HIV//;
+ $name = (split(/\[/,$name))[0];
+ push(@{$regkeys{$ts}},$name);
+ foreach my $subkey ($key->get_list_of_subkeys()) {
+ traverse($subkey);
+ }
+}
+
+1;
\ No newline at end of file
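Review bot: `%regkeys` is a file-scope hash that pluginmain never resets, so if the plugin is invoked more than once in the same process (it is registered for `hive => "All"`), entries from the previous hive accumulate into the next report; adding `%regkeys = ();` as the first statement of pluginmain fixes it, and regtime_tln.pl has the identical issue. `reverse sort {$a <=> $b} keys %regkeys` reads more directly as `sort { $b <=> $a } keys %regkeys`. The `#! c:\perl\bin\perl.exe` line presumably has no effect on a package file that is loaded by the front end rather than run directly and could be dropped.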
diff --git a/RecentActivity/release/rr/plugins/regtime_tln.pl b/RecentActivity/release/rr/plugins/regtime_tln.pl
new file mode 100644
index 0000000000..558d7f0eeb
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/regtime_tln.pl
@@ -0,0 +1,66 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# regtime.pl
+# Plugin for Registry Ripper; traverses through a Registry
+# hive file, pulling out keys and their LastWrite times, and
+# then listing them in order, sorted by the most recent time
+# first - works with any Registry hive file.
+#
+# Change history
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package regtime_tln;
+use strict;
+
+my %config = (hive => "All",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Dumps entire hive - all keys sorted by LastWrite time";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %regkeys;
+
+sub pluginmain {
+ my $class = shift;
+ my $file = shift;
+ my $reg = Parse::Win32Registry->new($file);
+ my $root_key = $reg->get_root_key;
+ ::logMsg("Launching regtime_tln v.".$VERSION);
+
+ traverse($root_key);
+
+ foreach my $t (reverse sort {$a <=> $b} keys %regkeys) {
+ foreach my $item (@{$regkeys{$t}}) {
+ #::rptMsg(gmtime($t)."Z \t".$item);
+ ::rptMsg($t."|REG|M... ".$item);
+ }
+ }
+}
+
+sub traverse {
+ my $key = shift;
+ my $ts = $key->get_timestamp();
+ my $name = $key->as_string();
+ $name =~ s/\$\$\$PROTO\.HIV//;
+ $name = (split(/\[/,$name))[0];
+ push(@{$regkeys{$ts}},$name);
+ foreach my $subkey ($key->get_list_of_subkeys()) {
+ traverse($subkey);
+ }
+}
+
+1;
\ No newline at end of file
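Review bot: The header comment at the top of the file still says `# regtime.pl`, and the description is copied unchanged from regtime.pl even though this variant emits a different line format; updating the header to `# regtime_tln.pl` and adding a line such as `# Timeline (TLN) variant of regtime.pl: emits "epoch|REG|M... keypath" per key` would tell a reader why the two plugins coexist. The commented-out `#::rptMsg(gmtime($t)."Z \t".$item);` left in pluginmain is dead code and can go.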
diff --git a/RecentActivity/release/rr/plugins/renocide.pl b/RecentActivity/release/rr/plugins/renocide.pl
new file mode 100644
index 0000000000..5f71f922f9
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/renocide.pl
@@ -0,0 +1,65 @@
+#-----------------------------------------------------------
+# renocide.pl
+# Plugin to assist in the detection of malware per MMPC
+# blog post (References, below)
+#
+# Change History:
+# 20110309 - created
+#
+# References
+# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Renocide
+#
+# copyright 2011 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package renocide;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20110309);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Check for Renocide malware";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching renocide v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\DRM\\amty";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("renocide");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite: ".gmtime($key->get_timestamp()));
+ ::rptMsg("");
+ ::rptMst($key_path." found; possible Win32\\Renocide infection.");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ ::rptMsg(sprintf "%-12s %-20s",$v->get_name(),$v->get_data());
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
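Review bot: `::rptMst($key_path." found; possible Win32\\Renocide infection.");` calls an undefined subroutine (the reporting helper used everywhere else is `::rptMsg`), so on exactly the hive where the indicator key exists the plugin dies with "Undefined subroutine &main::rptMst" after printing the timestamp and never reaches the value listing; it should read `::rptMsg($key_path." found; possible Win32\\Renocide infection.");`. `use strict` does not catch a misspelled fully qualified sub name at compile time, so this only surfaces at runtime on a positive hit. The `LastWrite:` line also omits the `(UTC)` or `Z` suffix the other plugins append to gmtime output.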
diff --git a/RecentActivity/release/rr/plugins/routes.pl b/RecentActivity/release/rr/plugins/routes.pl
new file mode 100644
index 0000000000..823f097b3e
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/routes.pl
@@ -0,0 +1,81 @@
+#-----------------------------------------------------------
+# routes.pl
+#
+# Some malware is known to create persistent routes
+#
+# Change History:
+# 20100817 - created
+#
+# Ref:
+# http://support.microsoft.com/kb/141383
+# http://www.symantec.com/security_response/writeup.jsp?docid=
+# 2010-041308-3301-99&tabid=2
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package routes;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100817);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get persistent routes";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching routes v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+
+ my $sb_path = $ccs."\\Services\\Tcpip\\Parameters\\PersistentRoutes";
+
+ my $sb;
+ if ($sb = $root_key->get_subkey($sb_path)) {
+ ::rptMsg($sb_path);
+ ::rptMsg("LastWrite: ".gmtime($sb->get_timestamp()));
+ ::rptMsg("");
+ my @vals = $sb->get_list_of_values();
+
+ if (scalar(@vals) > 0) {
+ ::rptMsg(sprintf "%-15s %-15s %-15s %-5s","Address","Netmask","Gateway","Metric");
+ foreach my $v (@vals) {
+ my ($addr,$netmask,$gateway,$metric) = split(/,/,$v->get_name(),4);
+ ::rptMsg(sprintf "%-15s %-15s %-15s %-5s",$addr,$netmask,$gateway,$metric);
+ }
+ }
+ else {
+ ::rptMsg($sb_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($sb_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
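Review bot: `$current = $key->get_value("Current")->get_data();` is only protected against a missing `Select` key, not a missing `Current` value, so the latter dies with a method call on undef; wrapping the lookup in `eval` (as other plugins in this change do for optional values) and reporting the failure keeps the plugin from aborting. `my $current;` is declared outside the `if` but only used inside it and can move to the assignment. The route fields come from `split(/,/,$v->get_name(),4)`, i.e. from the value name rather than its data; a one-line comment such as `# each value NAME is "addr,mask,gateway,metric"; the data is unused` would help a reader who expects the route in the data.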
diff --git a/RecentActivity/release/rr/plugins/runmru.pl b/RecentActivity/release/rr/plugins/runmru.pl
new file mode 100644
index 0000000000..f18a9ec434
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/runmru.pl
@@ -0,0 +1,72 @@
+#-----------------------------------------------------------
+# runmru.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# RunMru values
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package runmru;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's RunMRU key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching runmru v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("RunMru");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ my %runvals;
+ my $mru;
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ $runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i);
+ $mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i);
+ }
+ ::rptMsg("MRUList = ".$mru);
+ foreach my $r (sort keys %runvals) {
+ ::rptMsg($r." ".$runvals{$r});
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
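Review bot: The values are printed with `foreach my $r (sort keys %runvals)`, i.e. alphabetically by value name, while the `MRUList` string printed just above carries the actual most-recent-first order; iterating `split(//, $mru)` instead would list entries in recency order, which is what an examiner usually wants from this key (recentdocs.pl in the same change does this). If no `MRUList` value exists, `$mru` is undefined and `"MRUList = ".$mru` prints an empty suffix; a `defined` check with a short "MRUList value not found" message makes that case explicit.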
diff --git a/RecentActivity/release/rr/plugins/safeboot.pl b/RecentActivity/release/rr/plugins/safeboot.pl
new file mode 100644
index 0000000000..66ee850137
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/safeboot.pl
@@ -0,0 +1,104 @@
+#-----------------------------------------------------------
+# safeboot.pl
+#
+# Some malware is known to maintain persistence, even when the system
+# is booted to SafeMode by writing entries to the SafeBoot subkeys
+# ex: http://www.symantec.com/security_response/writeup.jsp?
+# docid=2008-011507-0108-99&tabid=2
+#
+# Ref:
+# http://support.microsoft.com/kb/315222
+# http://support.microsoft.com/kb/202485/
+#
+# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package safeboot;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081216);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Check SafeBoot entries";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching safeboot v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+
+ my $sb_path = $ccs."\\Control\\SafeBoot";
+ my $sb;
+ if ($sb = $root_key->get_subkey($sb_path)) {
+
+ my @sks = $sb->get_list_of_subkeys();
+
+ if (scalar(@sks) > 0) {
+
+ foreach my $s (@sks) {
+ my $name = $s->get_name();
+ my $ts = $s->get_timestamp();
+ ::rptMsg($name." [".gmtime($ts)." Z]");
+ my %sk;
+ my @subkeys = $s->get_list_of_subkeys();
+
+ if (scalar(@subkeys) > 0) {
+ foreach my $s2 (@subkeys) {
+ my $str;
+ my $default;
+ eval {
+ $default = $s2->get_value("")->get_data();
+ };
+ ($@)?($str = $s2->get_name()):($str = $s2->get_name()." (".$default.")");
+ push(@{$sk{$s2->get_timestamp()}},$str);
+ }
+
+ foreach my $t (sort keys %sk) {
+ ::rptMsg(gmtime($t)." Z");
+ foreach my $i (@{$sk{$t}}) {
+ ::rptMsg(" ".$i);
+ }
+ }
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg($name." has no subkeys.");
+ }
+ }
+ }
+ else {
+ ::rptMsg($sb_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($sb_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+# ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
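Review bot: `foreach my $t (sort keys %sk)` sorts epoch timestamps as strings; `sort { $a <=> $b } keys %sk` gives the intended chronological order and does not misplace a zero or shorter timestamp. The statement `($@)?($str = $s2->get_name()):($str = $s2->get_name()." (".$default.")");` is a ternary used purely for side effects; `my $str = $s2->get_name(); $str .= " (".$default.")" unless $@;` says the same thing as plain statements and is easier to read.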
diff --git a/RecentActivity/release/rr/plugins/sam b/RecentActivity/release/rr/plugins/sam
new file mode 100644
index 0000000000..84568779ff
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/sam
@@ -0,0 +1,3 @@
+#-------------------------------------
+# SAM
+samparse
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/samparse.pl b/RecentActivity/release/rr/plugins/samparse.pl
new file mode 100644
index 0000000000..001857728e
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/samparse.pl
@@ -0,0 +1,323 @@
+#-----------------------------------------------------------
+# samparse.pl
+# Parse the SAM hive file for user/group membership info
+#
+# Change history:
+# 20110303 - Fixed parsing of SID, added check for account type
+# Acct type determined based on Dustin Hulburt's "Forensic
+# Determination of a User's Logon Status in Windows"
+# from 10 Aug 2009 (link below)
+# 20100712 - Added References entry
+# 20091020 - Added extracting UserPasswordHint value
+# 20090413 - Added account creation date
+# 20080415 - created
+#
+# References
+# Source available here: http://pogostick.net/~pnh/ntpasswd/
+# http://accessdata.com/downloads/media/Forensic_Determination_Users_Logon_Status.pdf
+#
+# copyright 2011 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package samparse;
+use strict;
+
+my %config = (hive => "SAM",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20110303);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Parse SAM file for user/group mbrshp info";
+}
+sub getDescr{}
+sub getRefs {
+ my %refs = ("Well-known SIDs" => "http://support.microsoft.com/kb/243330");
+ return %refs;
+}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %acb_flags = (0x0001 => "Account Disabled",
+ 0x0002 => "Home directory required",
+ 0x0004 => "Password not required",
+ 0x0008 => "Temporary duplicate account",
+ 0x0010 => "Normal user account",
+ 0x0020 => "MNS logon user account",
+ 0x0040 => "Interdomain trust account",
+ 0x0080 => "Workstation trust account",
+ 0x0100 => "Server trust account",
+ 0x0200 => "Password does not expire",
+ 0x0400 => "Account auto locked");
+
+my %types = (0xbc => "Default Admin User",
+ 0xd4 => "Custom Limited Acct",
+ 0xb0 => "Default Guest Acct");
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching samparse v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("");
+# Get user information
+ ::rptMsg("User Information");
+ ::rptMsg("-" x 25);
+ my $key_path = 'SAM\\Domains\\Account\\Users';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @user_list = $key->get_list_of_subkeys();
+ if (scalar(@user_list) > 0) {
+ foreach my $u (@user_list) {
+ my $rid = $u->get_name();
+ my $ts = $u->get_timestamp();
+ my $tag = "0000";
+ if ($rid =~ m/^$tag/) {
+ my $v_value = $u->get_value("V");
+ my $v = $v_value->get_data();
+ my %v_val = parseV($v);
+ $rid =~ s/^0000//;
+ $rid = hex($rid);
+
+ my $c_date;
+ eval {
+ my $create_path = $key_path."\\Names\\".$v_val{name};
+ if (my $create = $root_key->get_subkey($create_path)) {
+ $c_date = $create->get_timestamp();
+ }
+ };
+
+ ::rptMsg("Username : ".$v_val{name}." [".$rid."]");
+ ::rptMsg("Full Name : ".$v_val{fullname});
+ ::rptMsg("User Comment : ".$v_val{comment});
+ ::rptMsg("Account Type : ".$v_val{type});
+ ::rptMsg("Account Created : ".gmtime($c_date)." Z") if ($c_date > 0);
+
+ my $f_value = $u->get_value("F");
+ my $f = $f_value->get_data();
+ my %f_val = parseF($f);
+
+ my $lastlogin;
+ my $pwdreset;
+ my $pwdfail;
+ ($f_val{last_login_date} == 0) ? ($lastlogin = "Never") : ($lastlogin = gmtime($f_val{last_login_date})." Z");
+ ($f_val{pwd_reset_date} == 0) ? ($pwdreset = "Never") : ($pwdreset = gmtime($f_val{pwd_reset_date})." Z");
+ ($f_val{pwd_fail_date} == 0) ? ($pwdfail = "Never") : ($pwdfail = gmtime($f_val{pwd_fail_date})." Z");
+
+ my $pw_hint;
+ eval {
+ $pw_hint = $u->get_value("UserPasswordHint")->get_data();
+ $pw_hint =~ s/\00//g;
+ };
+ ::rptMsg("Password Hint : ".$pw_hint) unless ($@);
+ ::rptMsg("Last Login Date : ".$lastlogin);
+ ::rptMsg("Pwd Reset Date : ".$pwdreset);
+ ::rptMsg("Pwd Fail Date : ".$pwdfail);
+ ::rptMsg("Login Count : ".$f_val{login_count});
+ foreach my $flag (keys %acb_flags) {
+ ::rptMsg(" --> ".$acb_flags{$flag}) if ($f_val{acb_flags} & $flag);
+ }
+ ::rptMsg("");
+ }
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+ ::rptMsg("-" x 25);
+ ::rptMsg("Group Membership Information");
+ ::rptMsg("-" x 25);
+# Get Group membership information
+ my $key_path = 'SAM\\Domains\\Builtin\\Aliases';
+ if ($key = $root_key->get_subkey($key_path)) {
+ my %grps;
+ my @groups = $key->get_list_of_subkeys();
+ if (scalar(@groups) > 0) {
+ foreach my $k (@groups) {
+ my $name = $k->get_name();
+ if ($name =~ m/^0000/) {
+ $grps{$name}{LastWrite} = $k->get_timestamp();
+ $grps{$name}{C_value} = $k->get_value("C")->get_data();
+ }
+ }
+
+ foreach my $k (keys %grps) {
+ my $name = $k;
+ $name =~ s/^0000//;
+ my %c_val = parseC($grps{$k}{C_value});
+ ::rptMsg("Group Name : ".$c_val{group_name}." [".$c_val{num_users}."]");
+ ::rptMsg("LastWrite : ".gmtime($grps{$k}{LastWrite})." Z");
+ ::rptMsg("Group Comment : ".$c_val{comment});
+ if ($c_val{num_users} == 0) {
+ ::rptMsg("Users : None");
+ }else {
+ my %users = parseCUsers($grps{$k}{C_value});
+ if (scalar(keys %users) != $c_val{num_users}) {
+ ::logMsg("parseC function reports ".$c_val{num_users}."; parseCUsers function returned ".(scalar(keys %users)));
+ }
+ ::rptMsg("Users :");
+ foreach my $u (keys %users) {
+ ::rptMsg(" ".$u);
+ }
+
+ }
+ ::rptMsg("");
+ }
+ ::rptMsg("Analysis Tips:");
+ ::rptMsg(" - For well-known SIDs, see http://support.microsoft.com/kb/243330");
+ ::rptMsg(" - S-1-5-4 = Interactive");
+ ::rptMsg(" - S-1-5-11 = Authenticated Users");
+ ::rptMsg(" - Correlate the user SIDs to the output of the ProfileList plugin");
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+sub parseF {
+ my $f = shift;
+ my %f_value = ();
+ my @tv;
+# last login date
+ @tv = unpack("VV",substr($f,8,8));
+ $f_value{last_login_date} = ::getTime($tv[0],$tv[1]);
+# password reset/acct creation
+ @tv = unpack("VV",substr($f,24,8));
+ $f_value{pwd_reset_date} = ::getTime($tv[0],$tv[1]);
+# Account expires
+ @tv = unpack("VV",substr($f,32,8));
+ $f_value{acct_exp_date} = ::getTime($tv[0],$tv[1]);
+# Incorrect password
+ @tv = unpack("VV",substr($f,40,8));
+ $f_value{pwd_fail_date} = ::getTime($tv[0],$tv[1]);
+ $f_value{rid} = unpack("V",substr($f,48,4));
+ $f_value{acb_flags} = unpack("v",substr($f,56,2));
+ $f_value{failed_count} = unpack("v",substr($f,64,2));
+ $f_value{login_count} = unpack("v",substr($f,66,2));
+ return %f_value;
+}
+
+sub parseV {
+ my $v = shift;
+ my %v_val = ();
+ my $header = substr($v,0,44);
+ my @vals = unpack("V*",$header);
+ $v_val{type} = $types{$vals[1]};
+ $v_val{name} = _uniToAscii(substr($v,($vals[3] + 0xCC),$vals[4]));
+ $v_val{fullname} = _uniToAscii(substr($v,($vals[6] + 0xCC),$vals[7])) if ($vals[7] > 0);
+ $v_val{comment} = _uniToAscii(substr($v,($vals[9] + 0xCC),$vals[10])) if ($vals[10] > 0);
+ return %v_val;
+}
+
+sub parseC {
+ my $cv = $_[0];
+ my %c_val = ();
+ my $header = substr($cv,0,0x34);
+ my @vals = unpack("V*",$header);
+
+ $c_val{group_name} = _uniToAscii(substr($cv,(0x34 + $vals[4]),$vals[5]));
+ $c_val{comment} = _uniToAscii(substr($cv,(0x34 + $vals[7]),$vals[8]));
+ $c_val{num_users} = $vals[12];
+
+ return %c_val;
+}
+
+sub parseCUsers {
+ my $cv = $_[0];
+ my %members = ();
+ my $header = substr($cv,0,0x34);
+ my @vals = unpack("V*",$header);
+
+ my $num = $vals[12];
+
+ my @users = ();
+ my $ofs;
+ if ($num > 0) {
+ my $count = 0;
+ foreach my $c (1..$num) {
+ my $ofs = $vals[10] + 52 + $count;
+ my $tmp = unpack("V",substr($cv,$ofs,4));
+
+ if ($tmp == 0x101) {
+ $ofs++ if (unpack("C",substr($cv,$ofs,1)) == 0);
+ $members{_translateSID(substr($cv,$ofs,12))} = 1;
+ $count += 12;
+ }
+ elsif ($tmp == 0x501) {
+ $members{_translateSID(substr($cv,$ofs,28))} = 1;
+ $count += 28;
+ }
+ else {
+
+ }
+ }
+ }
+ return %members;
+}
+
+#---------------------------------------------------------------------
+# _translateSID()
+# Translate binary data into a SID
+# References:
+# http://blogs.msdn.com/oldnewthing/archive/2004/03/15/89753.aspx
+# http://support.microsoft.com/kb/286182/
+# http://support.microsoft.com/kb/243330
+#---------------------------------------------------------------------
+sub _translateSID {
+ my $sid = $_[0];
+ my $len = length($sid);
+ my $revision;
+ my $dashes;
+ my $idauth;
+ if ($len < 12) {
+# Is a SID ever less than 12 bytes?
+ return "SID less than 12 bytes";
+ }
+ elsif ($len == 12) {
+ $revision = unpack("C",substr($sid,0,1));
+ $dashes = unpack("C",substr($sid,1,1));
+ $idauth = unpack("H*",substr($sid,2,6));
+ $idauth =~ s/^0+//g;
+ my $sub = unpack("V",substr($sid,8,4));
+ return "S-".$revision."-".$idauth."-".$sub;
+ }
+ elsif ($len > 12) {
+ $revision = unpack("C",substr($sid,0,1));
+ $dashes = unpack("C",substr($sid,1,1));
+ $idauth = unpack("H*",substr($sid,2,6));
+ $idauth =~ s/^0+//g;
+ my @sub = unpack("V4",substr($sid,8,16));
+ my $rid = unpack("V",substr($sid,24,4));
+ my $s = join('-',@sub);
+ return "S-".$revision."-".$idauth."-".$s."-".$rid;
+ }
+ else {
+# Nothing to do
+ }
+}
+
+#---------------------------------------------------------------------
+# _uniToAscii()
+#---------------------------------------------------------------------
+sub _uniToAscii {
+ my $str = $_[0];
+ $str =~ s/\00//g;
+ return $str;
+}
+
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/schedagent.pl b/RecentActivity/release/rr/plugins/schedagent.pl
new file mode 100644
index 0000000000..a3f0d4012f
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/schedagent.pl
@@ -0,0 +1,87 @@
+#-----------------------------------------------------------
+# schedagent
+# Get contents of SchedulingAgent key from Software hive
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package schedagent;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20100817);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get SchedulingAgent key contents";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching schedagent v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\SchedulingAgent";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my ($oldname,$logpath,$folder,$lastrun,$size);
+ eval {
+ $oldname = $key->get_value("OldName")->get_data();
+ ::rptMsg("OldName = ".$oldname);
+ };
+
+ eval {
+ $logpath = $key->get_value("LogPath")->get_data();
+ ::rptMsg("LogPath = ".$logpath);
+ };
+
+ eval {
+ $size = $key->get_value("MaxLogSizeKB")->get_data();
+ ::rptMsg("MaxLogSizeKB = ".$size);
+ };
+
+ eval {
+ $folder = $key->get_value("TasksFolder")->get_data();
+ ::rptMsg("TasksFolder = ".$folder);
+ };
+#
+ eval {
+ $lastrun = $key->get_value("LastTaskRun")->get_data();
+ ::rptMsg("LastTaskRun = ".parseSystemTime($lastrun));
+ ::rptMsg("");
+ ::rptMsg("Note: LastTaskRun time is written in local system time, not GMT");
+ };
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+sub parseSystemTime {
+ my ($yr,$mon,$dow,$day,$hr,$min,$sec,$mil) = unpack("v8",$_[0]);
+ $mon = "0".$mon unless ($mon =~ /^\d\d$/);
+ $day = "0".$day unless ($day =~ /^\d\d$/);
+ $hr = "0".$hr unless ($hr =~ /^\d\d$/);
+ $min = "0".$min unless ($min =~ /^\d\d$/);
+ $sec = "0".$sec unless ($sec =~ /^\d\d$/);
+ return "$yr-$mon-$day $hr:$min:$sec";
+}
+
+1;
\ No newline at end of file
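Review bot: parseSystemTime unpacks eight little-endian words with `unpack("v8",$_[0])` without checking that the LastTaskRun data is at least 16 bytes, so a short or empty value yields undef fields that the zero-padding regexes turn into warnings and a malformed date string. A guard at the top, `return "" unless defined $_[0] && length($_[0]) >= 16;`, keeps the caller from printing a bogus timestamp. The five padding lines could also collapse into `return sprintf "%04d-%02d-%02d %02d:%02d:%02d", $yr, $mon, $day, $hr, $min, $sec;`, and `$dow` and `$mil` are unpacked but never used, which a short comment should say is intentional.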
diff --git a/RecentActivity/release/rr/plugins/secctr.pl b/RecentActivity/release/rr/plugins/secctr.pl
new file mode 100644
index 0000000000..19e53f71bb
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/secctr.pl
@@ -0,0 +1,67 @@
+#-----------------------------------------------------------
+# secctr
+# Plugin to get data from Security Center keys
+#
+# Change History:
+# 20100310 - created
+#
+# References:
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package secctr;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100310);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get data from Security Center key";
+}
+sub getDescr{}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my $infected = 0;
+ ::logMsg("Launching secctr v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = 'Microsoft\Security Center';
+ my $key;
+ ::rptMsg("secctr");
+ ::rptMsg("");
+
+ if ($key = $root_key->get_subkey($key_path)) {
+ $infected++;
+ ::rptMsg("");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $str = sprintf "%-25s 0x%02x",$v->get_name(),$v->get_data();
+ ::rptMsg($str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::rptMsg("");
+ }
+}
+1;
\ No newline at end of file
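Review bot: `$infected` is declared and incremented in pluginmain but never read, which looks like a leftover from another plugin and should be removed. The `sprintf "%-25s 0x%02x"` line assumes every value under Security Center is a DWORD; a string value would be printed as 0x00 with a numeric warning, so render by type instead, e.g. `my $str = sprintf "%-25s %s",$v->get_name(),$v->get_data_as_string();`. Also, `sub getRefs {}` is missing here and in shelloverlay.pl although every other plugin in this series defines it; if the loader calls it unconditionally (not visible here), these plugins would die, so add the stub.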
diff --git a/RecentActivity/release/rr/plugins/security b/RecentActivity/release/rr/plugins/security
new file mode 100644
index 0000000000..233d63ca80
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/security
@@ -0,0 +1,4 @@
+#-------------------------------------
+# Security
+polacdms
+auditpol
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/services.pl b/RecentActivity/release/rr/plugins/services.pl
new file mode 100644
index 0000000000..a22e24f8fa
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/services.pl
@@ -0,0 +1,150 @@
+#-----------------------------------------------------------
+# services.pl
+# Plugin for Registry Ripper; Access System hive file to get the
+# services
+#
+# Change history
+# 20080507 - Added collection of Type and Start values; separated
+# data by Services vs. Drivers; created separate plugin
+# for Drivers
+# 20080505 - Added collection of ImagePath and DisplayName, if avail.
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package services;
+#use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080507);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Lists services/drivers in Services key by LastWrite times";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+# Reference for types and start types:
+# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx
+my %types = (0x001 => "Kernel driver",
+ 0x002 => "File system driver",
+ 0x010 => "Own_Process",
+ 0x020 => "Share_Process",
+ 0x100 => "Interactive");
+
+my %starts = (0x00 => "Boot Start",
+ 0x01 => "System Start",
+ 0x02 => "Auto Start",
+ 0x03 => "Manual",
+ 0x04 => "Disabled");
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching services v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+ my $s_path = $ccs."\\Services";
+ my $svc;
+ my %svcs;
+ if ($svc = $root_key->get_subkey($s_path)) {
+ ::rptMsg($s_path);
+ ::rptMsg(getShortDescr());
+ ::rptMsg("");
+# Get all subkeys and sort based on LastWrite times
+ my @subkeys = $svc->get_list_of_subkeys();
+ if (scalar (@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+
+ my $type;
+ eval {
+ $type = $s->get_value("Type")->get_data();
+# Only look for services; drivers handled in another plugin
+ if (exists $types{$type}) {
+ $type = $types{$type};
+ }
+ else {
+ $type = sprintf "0x%x",$t;
+ }
+ };
+
+ $name = $s->get_name();
+ my $display;
+ eval {
+ $display = $s->get_value("DisplayName")->get_data();
+ };
+
+ my $image;
+ eval {
+ $image = $s->get_value("ImagePath")->get_data();
+ };
+
+ my $start;
+ eval {
+ $start = $s->get_value("Start")->get_data();
+ if (exists $starts{$start}) {
+ $start = $starts{$start};
+ }
+ };
+
+ my $group;
+ eval {
+ $group = $s->get_value("Group")->get_data();
+ };
+
+ my $str = $name.";".$display.";".$image.";".$type.";".$start.";".$group;
+ push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq "");
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %svcs) {
+ ::rptMsg(gmtime($t)."Z");
+ foreach my $item (@{$svcs{$t}}) {
+ my ($n,$d,$i,$t,$s,$g) = split(/;/,$item,6);
+ ::rptMsg(" Name = ".$n);
+ ::rptMsg(" Display = ".$d);
+ ::rptMsg(" ImagePath = ".$i);
+ ::rptMsg(" Type = ".$t);
+ ::rptMsg(" Start = ".$s);
+ ::rptMsg(" Group = ".$g);
+ ::rptMsg("");
+ }
+ }
+
+ }
+ else {
+ ::rptMsg($s_path." has no subkeys.");
+ ::logMsg("Error: ".$s_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($s_path." not found.");
+ ::logMsg($s_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
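Review bot: In the Type lookup inside pluginmain the fallback `$type = sprintf "0x%x",$t;` references `$t`, which is not declared anywhere in that scope, so unknown service types are always reported as 0x0; it should be `$type = sprintf "0x%x",$type;`. This went unnoticed because `use strict;` is commented out at the top of the file, which also lets `$name = $s->get_name();` create a package global; re-enable strict and write `my $name = $s->get_name();`. The later `my ($n,$d,$i,$t,$s,$g)` shadows both the `$t` timestamp loop variable and the earlier `$s`, so renaming the inner `$t` and `$s` would avoid confusion. Note too that the `%types` lookup uses `exists`, so interactive services whose Type combines 0x100 with 0x10 or 0x20 (e.g. 0x110) fall through to the fallback rather than being labelled.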
diff --git a/RecentActivity/release/rr/plugins/sevenzip.pl b/RecentActivity/release/rr/plugins/sevenzip.pl
new file mode 100644
index 0000000000..cc90d31a16
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/sevenzip.pl
@@ -0,0 +1,83 @@
+#-----------------------------------------------------------
+# sevenzip.pl
+# Google Toolbar Search History plugin
+#
+#
+# Change history
+# 20100218 - created
+#
+# References
+#
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package sevenzip;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100218);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets records of histories from 7-Zip keys";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ my %hist;
+ ::logMsg("Launching 7-zip v.".$VERSION);
+
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\7-Zip';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+
+ eval {
+ ::rptMsg("");
+ my @arc = $key->get_subkey("Compression")->get_subkey("ArcHistory")->get_list_of_values();
+ if (scalar @arc > 0) {
+ ::rptMsg("Compression\\ArcHistory");
+ foreach my $a (@arc) {
+ ::rptMsg(" ".$a->get_name()." -> ".$a->get_data());
+ }
+ }
+ };
+ ::rptMsg("Error: ".$@) if ($@);
+
+ eval {
+ ::rptMsg("");
+ my @arc = $key->get_subkey("Extraction")->get_subkey("PathHistory")->get_list_of_values();
+ if (scalar @arc > 0) {
+ ::rptMsg("Extraction\\PathHistory");
+ foreach my $a (@arc) {
+ ::rptMsg(" ".$a->get_name()." -> ".$a->get_data());
+ }
+ }
+ };
+ ::rptMsg("Error: ".$@) if ($@);
+
+
+
+
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
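Review bot: The header comment calls this the "Google Toolbar Search History plugin", which is a copy-paste leftover; the file reads 7-Zip's ArcHistory and PathHistory keys, so change it to `# 7-Zip archive/extraction history plugin`. Separately, an absent Compression or Extraction subkey makes the chained `get_subkey` call die inside the eval, and the `::rptMsg("Error: ".$@)` lines then put a raw "Can't call method" message into the report; checking the first `get_subkey` result for undef and reporting `Compression\\ArcHistory not found.` would read more clearly for the analyst.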
diff --git a/RecentActivity/release/rr/plugins/sfc.pl b/RecentActivity/release/rr/plugins/sfc.pl
new file mode 100644
index 0000000000..16e829670f
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/sfc.pl
@@ -0,0 +1,107 @@
+#-----------------------------------------------------------
+# sfc.pl
+# Check SFC settings in the Registry
+#
+# History
+# 20100305 - updated
+#
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package sfc;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100305);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get SFC values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching sfc v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("sfc v.".$VERSION);
+ ::rptMsg("");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ next unless ($name =~ m/^sfc/i);
+ my $str;
+ if ($name =~ m/^sfcquota$/i || $name =~ m/^sfcdisable$/i) {
+ $str = sprintf " %-20s 0x%08x",$name,$v->get_data();
+ }
+ else {
+ $str = sprintf " %-20s %-20s",$name,$v->get_data();
+ }
+ ::rptMsg($str);
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." key has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." key not found.");
+ ::logMsg($key_path." key not found.");
+ }
+ ::rptMsg("");
+# According to http://support.microsoft.com/kb/222193, sfc* values in this key, if
+# it exists, take precedence over and are copied into the values within the Winlogon
+# key; see also http://support.microsoft.com/kb/222473/
+ my $key_path = "Policies\\Microsoft\\Windows NT\\Windows File Protection";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ next unless ($name =~ m/^sfc/i);
+ my $str;
+ if ($name =~ m/^sfcquota$/i || $name =~ m/^sfcdisable$/i) {
+ $str = sprintf " %-20s 0x%08x",$name,$v->get_data();
+ }
+ else {
+ $str = sprintf " %-20s %-20s",$name,$v->get_data();
+ }
+ ::rptMsg($str);
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." key has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." key not found.");
+# ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/shares.pl b/RecentActivity/release/rr/plugins/shares.pl
new file mode 100644
index 0000000000..e36f4737cb
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/shares.pl
@@ -0,0 +1,128 @@
+#-----------------------------------------------------------
+# shares.pl
+#
+# Retrieve information about shares from a System hive file
+#
+# References:
+# http://support.microsoft.com/kb/556023
+# For info about share types, see the Win32_Share WMI class:
+# http://msdn.microsoft.com/en-us/library/aa394435(VS.85).aspx
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package shares;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090112);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get list of shares from System hive file";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my $root_key;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching shares v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ eval {
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ };
+ if ($@) {
+ ::rptMsg("Problem locating proper controlset: $@");
+ return;
+ }
+# First, connect to the Services key; some versions of Windows appear to
+# spell the lanmanserver key as "lanmanserver" and others as "LanmanServer"
+ my $key_path = $ccs."\\Services";
+ my $key;
+ my $tag = "lanmanserver";
+ my $lanman = getKeyPath($key_path,$tag);
+ if ($lanman ne "") {
+ my $share_path = $key_path."\\".$lanman."\\Shares";
+ my $share;
+ if ($share = $root_key->get_subkey($share_path)) {
+ my @vals = $share->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ ::rptMsg(" ".$v->get_name());
+ my @data = $v->get_data();
+ ::rptMsg(" ".$data[2]);
+ ::rptMsg(" ".$data[4]);
+ ::rptMsg(" ".$data[5]);
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($share_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($share_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($lanman." subkey not found.");
+ }
+
+# Determine of the AutoShareServer/Wks values have been set
+ my $path = $key_path."\\".$lanman;
+ my $tag = "parameters";
+ my $para = getKeyPath($path,$tag);
+ eval {
+ if ($key = $root_key->get_subkey($path."\\".$para)) {
+ my $auto_svr = $key->get_value("AutoShareServer")->get_data();
+ ::rptMsg(" AutoShareServer = ".$auto_svr);
+ }
+ };
+
+ eval {
+ if ($key = $root_key->get_subkey($path."\\".$para)) {
+ my $auto_wks = $key->get_value("AutoShareWks")->get_data();
+ ::rptMsg(" AutoShareWks = ".$auto_wks);
+ }
+ };
+}
+
+# On different versions of Windows, subkeys such as lanmanserver
+# and parameters are spelled differently; use this subroutine to get
+# the correct spelling of the name of the subkey
+# http://support.microsoft.com/kb/288164
+sub getKeyPath {
+ my $path = $_[0];
+ my $tag = $_[1];
+ my $subkey;
+ if (my $key = $root_key->get_subkey($path)) {
+ my @sk = $key->get_list_of_subkeys();
+ foreach my $s (@sk) {
+ my $name = $s->get_name();
+ $subkey = $name if ($name =~ m/^$tag/i);
+ }
+ }
+ return $subkey;
+}
+
+1;
\ No newline at end of file
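Review bot: When getKeyPath finds no lanmanserver subkey it returns undef, so the else branch prints `" subkey not found."` with an empty name, and pluginmain then still builds `$path` from the undefined `$lanman` and queries a `\\Services\\\\parameters` path. Print the tag and stop there: `::rptMsg($tag." subkey not found."); return;`. The `eval` around the Select lookup does not die when that key is missing either, so `$ccs` stays undef and the services path silently becomes `\\Services`; reporting and returning when `$ccs` is undefined would make that failure explicit. `my $tag` is also redeclared in the same scope later in the sub.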
diff --git a/RecentActivity/release/rr/plugins/shellexec.pl b/RecentActivity/release/rr/plugins/shellexec.pl
new file mode 100644
index 0000000000..608bacac02
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/shellexec.pl
@@ -0,0 +1,118 @@
+#-----------------------------------------------------------
+# shellexec
+# Get ShellExecuteHooks values from Software hive (based on BHO
+# code)
+#
+# ShellExecuteHooks are DLLs that load as part of the Explorer.exe process,
+# and can intercept commands. There are some legitimate applications that
+# run as ShellExecuteHooks, but many times, malware (spy-, ad-ware) will
+# install here. ShellExecuteHooks allow you to type a URL into the Start->Run
+# box and have that URL opened in your browser. For example, in 2001, Michael
+# Dunn wrote KBLaunch, a ShellExecuteHook that looked for "?q" in the Run box
+# and would open the appropriate MS KB article.
+#
+# Refs:
+# http://support.microsoft.com/kb/914922
+# http://support.microsoft.com/kb/170918
+# http://support.microsoft.com/kb/943460
+#
+# History:
+# 20081229 - initial creation
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package shellexec;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20081229);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets ShellExecuteHooks from Software hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my %bhos;
+ ::logMsg("Launching shellexec v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks";;
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar (@vals) > 0) {
+ foreach my $s (@vals) {
+ my $name = $s->get_name();
+ next if ($name =~ m/^-/ || $name eq "");
+ my $clsid_path = "Classes\\CLSID\\".$name;
+ my $clsid;
+ if ($clsid = $root_key->get_subkey($clsid_path)) {
+ my $class;
+ my $mod;
+ my $lastwrite;
+
+ eval {
+ $class = $clsid->get_value("")->get_data();
+ $bhos{$name}{class} = $class;
+ };
+ if ($@) {
+ ::logMsg("\tError getting Class name for CLSID\\".$name);
+ ::logMsg("\t".$@);
+ }
+ eval {
+ $mod = $clsid->get_subkey("InProcServer32")->get_value("")->get_data();
+ $bhos{$name}{module} = $mod;
+ };
+ if ($@) {
+ ::logMsg("\tError getting Module name for CLSID\\".$name);
+ ::logMsg("\t".$@);
+ }
+ eval{
+ $lastwrite = $clsid->get_subkey("InProcServer32")->get_timestamp();
+ $bhos{$name}{lastwrite} = $lastwrite;
+ };
+ if ($@) {
+ ::logMsg("\tError getting LastWrite time for CLSID\\".$name);
+ ::logMsg("\t".$@);
+ }
+
+ foreach my $b (keys %bhos) {
+ ::rptMsg($b);
+ ::rptMsg("\tClass => ".$bhos{$b}{class});
+ ::rptMsg("\tModule => ".$bhos{$b}{module});
+ ::rptMsg("\tLastWrite => ".gmtime($bhos{$b}{lastwrite}));
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($clsid_path." not found.");
+ ::rptMsg("");
+ ::logMsg($clsid_path." not found.");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values. No ShellExecuteHooks installed.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
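Review bot: The report loop `foreach my $b (keys %bhos)` sits inside the per-value `foreach my $s (@vals)` loop, so after the second hook is processed the whole hash is printed again, and with N hooks each entry appears up to N times in the report. Move the seven reporting lines after the closing brace of the values loop — they depend only on the finished `%bhos` — so each hook is reported exactly once. The `my $class` inside the CLSID branch also shadows the `$class` parameter of pluginmain; `my $class_name` avoids the confusion.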
diff --git a/RecentActivity/release/rr/plugins/shellext.pl b/RecentActivity/release/rr/plugins/shellext.pl
new file mode 100644
index 0000000000..8f9994d9d4
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/shellext.pl
@@ -0,0 +1,96 @@
+#-----------------------------------------------------------
+# shellext
+# Plugin to get approved shell extensions list from the
+# Software hive
+#
+# This plugin retrieves the list of approved shell extensions from
+# the Software hive; specifically, the "Shell Extensions\Approved"
+# key. Once it has the names (GUID) and data (string) of each value,
+# it then goes to the Classes\CLSID\{GUID} key to get the name of/path to
+# the associated DLL, if available. It also gets the LastWrite time of the
+# Classes\CLSID\{GUID} key.
+#
+# Analysis of an incident showed that the intruder placed their malware in
+# the C:\Windows dir, using the same name as a known valid shell extension.
+# When Explorer.exe launches, it reads the list of approved shell extensions,
+# then goes to the Classes\CLSID key to get the path to the associated DLL. The
+# intruder chose a shell extension that did not have an explicit path, so when
+# explorer.exe looked for it, it started in the C:\Windows dir, and never got to
+# the legit DLL in the C:\Windows\system32 dir.
+#
+# References:
+# http://msdn.microsoft.com/en-us/library/ms682586%28VS.85%29.aspx
+#
+#
+# Note: This plugin can take several minutes to run
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package shellext;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100515);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets Shell Extensions from Software hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my %bhos;
+ ::logMsg("Launching shellext v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved";;
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my %exts;
+
+ my @vals = $key->get_list_of_values();
+ if (scalar (@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ $exts{$name}{name} = $v->get_data();
+
+ my $clsid_path = "Classes\\CLSID\\".$name;
+ my $clsid;
+ if ($clsid = $root_key->get_subkey($clsid_path)) {
+ eval {
+ $exts{$v->get_name()}{lastwrite} = $clsid->get_timestamp();
+ $exts{$v->get_name()}{dll} = $clsid->get_subkey("InProcServer32")->get_value("")->get_data();
+ };
+ }
+ }
+ foreach my $e (keys %exts) {
+ ::rptMsg($e." ".$exts{$e}{name});
+ ::rptMsg(" DLL: ".$exts{$e}{dll});
+ ::rptMsg(" Timestamp: ".gmtime($exts{$e}{lastwrite})." Z");
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
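Review bot: When the Classes\\CLSID\\{GUID} key is missing or has no InProcServer32, `$exts{$e}{dll}` and `$exts{$e}{lastwrite}` stay undef, and the report loop then prints an empty DLL and `gmtime(undef)`, i.e. the 1970 epoch, as the timestamp, which is misleading in a forensic report. Report the absence explicitly, e.g. `::rptMsg(" DLL: ".(defined $exts{$e}{dll} ? $exts{$e}{dll} : "CLSID/InProcServer32 not found"));`, and skip the Timestamp line when `lastwrite` is undefined. Given the header's own incident note about a shell extension whose DLL had no explicit path, it would also help the analyst to flag DLL values that are not fully qualified (no drive letter or environment-variable prefix), since that is exactly the search-order case the header describes.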
diff --git a/RecentActivity/release/rr/plugins/shellfolders.pl b/RecentActivity/release/rr/plugins/shellfolders.pl
new file mode 100644
index 0000000000..42eb461f40
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/shellfolders.pl
@@ -0,0 +1,71 @@
+#-----------------------------------------------------------
+# shellfolders.pl
+#
+# Retrieve the Shell Folders values from user's hive; while
+# this may not be important in every instance, it may give the
+# examiner indications as to where to look for certain items;
+# for example, if the user's "My Documents" folder has been redirected
+# as part of configuration changes (corporate policies, etc.). Also,
+# this may be important as part of data leakage exams, as XP and Vista
+# allow users to drop and drag files to the CD Burner.
+#
+# References:
+# http://support.microsoft.com/kb/279157
+# http://support.microsoft.com/kb/326982
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package shellfolders;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090115);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Retrieve user Shell Folders values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching shellfolders v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @vals = $key->get_list_of_values();
+
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $str = sprintf "%-20s %-40s",$v->get_name(),$v->get_data();
+ ::rptMsg($str);
+ }
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/shelloverlay.pl b/RecentActivity/release/rr/plugins/shelloverlay.pl
new file mode 100644
index 0000000000..67c46b858f
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/shelloverlay.pl
@@ -0,0 +1,86 @@
+#-----------------------------------------------------------
+# shelloverlay
+# Get contents of ShellIconOverlayIdentifiers subkeys; sorts data
+# based on LastWrite times of subkeys
+#
+# History
+# 20100308 - created
+#
+# References
+# http://msdn.microsoft.com/en-us/library/cc144123%28VS.85%29.aspx
+# Coreflood - http://vil.nai.com/vil/content/v_102053.htm
+# http://www.secureworks.com/research/threats/coreflood/?threat=coreflood
+#
+# Analysis Tip: Malware such as Coreflood uses a random subkey name and a
+# random CLSID GUID value
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package shelloverlay;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100308);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets ShellIconOverlayIdentifiers values";
+}
+sub getDescr{}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching shelloverlay v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my %id;
+
+ my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("shelloverlay");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar @subkeys > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ my $def;
+ eval {
+ $def = $s->get_value("")->get_data();
+ $name .= " ".$def;
+ };
+ push(@{$id{$s->get_timestamp()}},$name);
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %id) {
+ ::rptMsg(gmtime($t)." Z");
+ foreach my $item (@{$id{$t}}) {
+ ::rptMsg(" ".$item);
+ }
+ ::rptMsg("");
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
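Review bot: The header's Analysis Tip about random subkey names and random CLSID GUIDs never reaches the report, although the SAM plugin in this same commit prints its "Analysis Tips:" lines for the analyst; add `::rptMsg("Analysis Tip: some malware uses a random subkey name and a random CLSID GUID under this key");` after the sorted listing. Also, a subkey whose default value is absent is listed under its bare name, indistinguishable from one whose default value is an empty string; an `if ($@) { $name .= " [no default value]"; }` after the eval makes that visible.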
diff --git a/RecentActivity/release/rr/plugins/shutdown.pl b/RecentActivity/release/rr/plugins/shutdown.pl
new file mode 100644
index 0000000000..a63914d5c0
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/shutdown.pl
@@ -0,0 +1,76 @@
+#-----------------------------------------------------------
+# shutdown.pl
+# Plugin for Registry Ripper; Access System hive file to get the
+# contents of the ShutdownTime value
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package shutdown;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets ShutdownTime value from System hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching shutdown v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+ my $win_path = $ccs."\\Control\\Windows";
+ my $win;
+ if ($win = $root_key->get_subkey($win_path)) {
+ ::rptMsg($win_path." key, ShutdownTime value");
+ ::rptMsg($win_path);
+ ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)");
+ my $sd;
+ if ($sd = $win->get_value("ShutdownTime")->get_data()) {
+ my @vals = unpack("VV",$sd);
+ my $shutdown = ::getTime($vals[0],$vals[1]);
+ ::rptMsg(" ShutdownTime = ".gmtime($shutdown)." (UTC)");
+
+ }
+ else {
+ ::rptMsg("ShutdownTime value not found.");
+ }
+ }
+ else {
+ ::rptMsg($win_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
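Review bot: `$win->get_value("ShutdownTime")->get_data()` at L13616 is called without a guard, so when the value is absent `get_value` returns undef and the `->get_data()` call dies, aborting the plugin before the `else` branch that prints "ShutdownTime value not found." can run; that branch is only reachable when the value exists but holds empty data. Wrap the lookup as `my $sd; eval { $sd = $win->get_value("ShutdownTime")->get_data(); }; if (!$@ && defined $sd && length($sd) >= 8) {` so a missing or truncated FILETIME is reported instead of crashing, since `unpack("VV",$sd)` at L13617 needs eight bytes to produce a valid pair. The same unguarded pattern applies to `get_value("Current")` at L13607, and `"ControlSet00".$current` assumes a single-digit control set number; `sprintf("ControlSet%03d", $current)` drops that assumption.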
diff --git a/RecentActivity/release/rr/plugins/shutdowncount.pl b/RecentActivity/release/rr/plugins/shutdowncount.pl
new file mode 100644
index 0000000000..73d649117d
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/shutdowncount.pl
@@ -0,0 +1,81 @@
+#-----------------------------------------------------------
+# shutdowncount.pl
+#
+# *Value info first seen at:
+# http://forensicsfromthesausagefactory.blogspot.com/2008/06/install-dates-and-shutdown-times-found.html
+# thanks to DC1743@gmail.com
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package shutdowncount;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080709);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Retrieves ShutDownCount value";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching shutdowncount v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::logMsg("Could not find ".$key_path);
+ return
+ }
+
+ my $key_path = $ccs."\\Control\\Watchdog\\Display";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("ShutdownCount");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $count = 0;
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ if ($v->get_name() eq "ShutdownCount") {
+ $count = 1;
+ ::rptMsg("ShutdownCount = ".$v->get_data());
+ }
+ }
+ ::rptMsg("ShutdownCount value not found.") if ($count == 0);
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
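Review bot: `my $key_path` and `my $key` at L13695-L13696 re-declare variables already declared in the same scope at L13684-L13685; this masks the earlier lexicals and would trigger a "masks earlier declaration" warning, which stays silent only because the file has `use strict` without `use warnings`. Either reuse the existing variables (`$key_path = $ccs."\\Control\\Watchdog\\Display";`) or add `use warnings;` under `use strict;` so this class of mistake is caught. Separately, `$key->get_value("Current")->get_data()` at L13687 dies on a hive whose `Select` key lacks a `Current` value, and the `Select`-not-found path at L13690-L13693 only logs, so the report itself gives no indication why nothing was produced; a `::rptMsg($key_path." not found.");` there would match the handling at L13719-L13720.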
diff --git a/RecentActivity/release/rr/plugins/skype.pl b/RecentActivity/release/rr/plugins/skype.pl
new file mode 100644
index 0000000000..3c83bc65f1
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/skype.pl
@@ -0,0 +1,60 @@
+#-----------------------------------------------------------
+# skype.pl
+#
+#
+# History
+# 20100713 - created
+#
+# References
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package skype;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100713);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets data user's Skype key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching acmru v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Skype';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $install;
+ eval {
+ $install = $key->get_subkey("Installer")->get_value("DonwloadLastModified")->get_data();
+ ::rptMsg("DonwloadLastModified = ".$install);
+ };
+ ::rptMsg("DonwloadLastModified value not found: ".$@) if ($@);
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
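Review bot: The launch log at L13767 reads `::logMsg("Launching acmru v.".$VERSION);`, a copy-paste leftover from the acmru plugin, so the run log attributes this plugin's execution to the wrong module; change it to `::logMsg("Launching skype v.".$VERSION);`. The value name `DonwloadLastModified` at L13780-L13783 looks like a misspelling of "Download"; if it is deliberate because that is the literal name Skype's installer writes, a one-line comment such as `# value name is misspelled in the registry as written by Skype; do not "fix"` would stop a future maintainer from correcting it and silently breaking the lookup. If it is not deliberate, all three occurrences need the same correction.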
diff --git a/RecentActivity/release/rr/plugins/snapshot.pl b/RecentActivity/release/rr/plugins/snapshot.pl
new file mode 100644
index 0000000000..29bf42b93b
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/snapshot.pl
@@ -0,0 +1,96 @@
+#-----------------------------------------------------------
+# snapshot.pl
+# Plugin to check the ActiveX component for the MS Access Snapshot
+# Viewer kill bit
+#
+# Ref: US-CERT Vuln Note #837785, http://www.kb.cert.org/vuls/id/837785
+#
+# Note: Look for each GUID key, and check for the Compatibility Flags value;
+# if the value is 0x400, the kill bit is set; a vulnerable system is
+# indicated by having IE version 6.x, and the kill bits NOT set (IE 7
+# requires user interaction to download the ActiveX component
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package snapshot;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20080725);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Check ActiveX comp kill bit; Access Snapshot";
+}
+sub getDescr{}
+sub getRefs {"US-CERT Vuln Note 837785" => "http://www.kb.cert.org/vuls/id/837785"}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my @guids = ("{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}",
+ "{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}",
+ "{F2175210-368C-11D0-AD81-00A0C90DC8D9}");
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching snapshot v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Internet Explorer";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("ActiveX Snapshot Vuln");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my $ver;
+ eval {
+ $ver = $key->get_value("Version")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("IE Version not found.");
+ }
+ else {
+ ::rptMsg("IE Version = ".$ver)
+ }
+
+ ::rptMsg("");
+ foreach my $guid (@guids) {
+ my $g;
+ eval {
+ $g = $key->get_subkey("ActiveX Compatibility\\".$guid);
+ };
+ if ($@) {
+ ::rptMsg("$guid not found.");
+ }
+ else {
+ ::rptMsg("GUID: $guid");
+ my $flag;
+ eval {
+ $flag = $g->get_value("Compatibility Flags")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("Compatibility Flags value not found.");
+ }
+ else {
+ my $str = sprintf "Compatibility Flags 0x%x",$flag;
+ ::rptMsg($str);
+ }
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
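Review bot: The `$guid not found.` branch at L13868-L13870 is unreachable: `get_subkey` returns undef for a missing key rather than dying (the plugin itself relies on that at L13847), so `$@` stays empty, and a missing GUID is instead reported as "Compatibility Flags value not found." when `$g->get_value` is called on undef inside the second eval. Replace the first eval with `my $g = $key->get_subkey("ActiveX Compatibility\\".$guid);` and test `if (!$g)` instead of `if ($@)`. Since the header comment at L13805-L13808 says the kill bit is indicated by 0x400, the report would be more useful if L13881 also interpreted the flag, e.g. `my $str = sprintf "Compatibility Flags 0x%x (kill bit %s)", $flag, ($flag & 0x400) ? "SET" : "NOT set";`, rather than leaving the analyst to decode the mask by hand.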
diff --git a/RecentActivity/release/rr/plugins/soft_run.pl b/RecentActivity/release/rr/plugins/soft_run.pl
new file mode 100644
index 0000000000..1c5e7a6d52
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/soft_run.pl
@@ -0,0 +1,97 @@
+#-----------------------------------------------------------
+# soft_run
+# Get contents of Run key from Software hive
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package soft_run;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20080328);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Autostart - get Run key contents from Software hive";
+}
+sub getDescr{}
+sub getRefs {
+ my %refs = ("Definition of the Run keys in the WinXP Registry" =>
+ "http://support.microsoft.com/kb/314866");
+ return %refs;
+}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching soft_run v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows\\CurrentVersion\\Run";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my %vals = getKeyValues($key);
+ if (scalar(keys %vals) > 0) {
+ foreach my $v (keys %vals) {
+ ::rptMsg("\t".$v." -> ".$vals{$v});
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+
+ my @sk = $key->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ ::rptMsg("");
+ ::rptMsg($key_path."\\".$s->get_name());
+ ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
+ my %vals = getKeyValues($s);
+ foreach my $v (keys %vals) {
+ ::rptMsg("\t".$v." -> ".$vals{$v});
+ }
+ }
+ }
+ else {
+ ::rptMsg("");
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+
+sub getKeyValues {
+ my $key = shift;
+ my %vals;
+
+ my @vk = $key->get_list_of_values();
+ if (scalar(@vk) > 0) {
+ foreach my $v (@vk) {
+ next if ($v->get_name() eq "" && $v->get_data() eq "");
+ $vals{$v->get_name()} = $v->get_data();
+ }
+ }
+ else {
+
+ }
+ return %vals;
+}
+
+1;
\ No newline at end of file
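Review bot: The report iterates `keys %vals` unsorted at L13948 and L13963, so the order of Run entries can differ between two runs over the same hive, which makes reports from the same evidence hard to diff; use `foreach my $v (sort keys %vals)` in both places. The empty `else { }` at L13991-L13993 in `getKeyValues` is dead code and can be dropped, or the branch can carry a comment explaining that a valueless key is deliberately treated as empty. A short comment above L13987 saying why a value with an empty name and empty data is skipped (presumably the unset default value) would also help the next reader.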
diff --git a/RecentActivity/release/rr/plugins/software b/RecentActivity/release/rr/plugins/software
new file mode 100644
index 0000000000..144bfaf466
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/software
@@ -0,0 +1,36 @@
+#-------------------------------------
+# Software
+winver
+win_cv
+winnt_cv
+defbrowser
+ie_version
+banner
+bitbucket
+macaddr
+cmd_shell
+soft_run
+networkcards
+ssid
+appinitdlls
+bho
+shellexec
+imagefile
+port_dev
+userinit
+winlogon
+profilelist
+specaccts
+mrt
+svchost
+snapshot
+sfc
+uninstall
+installedcomp
+shelloverlay
+msis
+shellexec
+apppaths
+drwatson
+schedagent
+kb950582
\ No newline at end of file
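Review bot: `shellexec` appears twice in this profile, at L14021 and again at L14036, so the plugin is presumably invoked twice and its output duplicated in the report for anyone using this profile; drop the second entry. It is also worth confirming that every name listed here corresponds to an existing `.pl` plugin in the same directory, since a misspelled or missing entry will only surface at run time.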
diff --git a/RecentActivity/release/rr/plugins/specaccts.pl b/RecentActivity/release/rr/plugins/specaccts.pl
new file mode 100644
index 0000000000..4933d865fa
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/specaccts.pl
@@ -0,0 +1,68 @@
+#-----------------------------------------------------------
+# specaccts.pl
+# Gets contents of SpecialAccounts\UserList key
+#
+# History
+# 20100223 - created
+#
+# References
+# http://www.microsoft.com/security/portal/Threat/Encyclopedia/
+# Entry.aspx?Name=Trojan%3AWin32%2FStarter
+#
+# http://www.microsoft.com/Security/portal/Threat/Encyclopedia/
+# Entry.aspx?Name=TrojanSpy%3AWin32%2FUrsnif.gen!H&ThreatID=-2147343835
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package specaccts;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100223);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets contents of SpecialAccounts\\UserList key";
+}
+sub getDescr{}
+
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching specaccts v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my %apps;
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ ::rptMsg(sprintf "%-20s 0x%x",$v->get_name(),$v->get_data());
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
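Review bot: The message at L14108, `$key_path." has no subkeys."`, is emitted in the branch where `get_list_of_values()` returned nothing, so it reports the wrong condition; it should read `::rptMsg($key_path." has no values.");` as the sibling plugins do. The `sprintf "%-20s 0x%x"` at L14104 assumes every value under `UserList` is numeric; a non-DWORD value would print as `0x0` and be indistinguishable from a genuine zero, so checking the value's type, or printing the raw data when it does not look like a number, would be safer. Finally, the header lists two references at L14056-L14060 but `hasRefs => 0` is set and no `getRefs` sub is defined, unlike the other plugins in this set; either add `sub getRefs {}` for interface parity or expose the references with `hasRefs => 1`.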
diff --git a/RecentActivity/release/rr/plugins/sql_lastconnect.pl b/RecentActivity/release/rr/plugins/sql_lastconnect.pl
new file mode 100644
index 0000000000..fb21951a75
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/sql_lastconnect.pl
@@ -0,0 +1,66 @@
+#-----------------------------------------------------------
+# sql_lastconnect.pl
+#
+# Per MS, Microsoft Data Access Components (MDAC) clients can attempt
+# to use multiple protocols based on a protocol ordering, which is
+# listed in the SuperSocketNetLib\ProtocolOrder value. Successful
+# connection attempts (for SQL Server 2000) are cached in the LastConnect
+# key.
+#
+# References:
+# http://support.microsoft.com/kb/273673/
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package sql_lastconnect;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090112);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "MDAC cache of successful connections";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching sql_lastconnect v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\MSSQLServer\\Client\\SuperSocketNetLib\\LastConnect";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("MDAC Cache of successful connections");
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $str = sprintf "%-15s %-25s",$v->get_name(),$v->get_data();
+ ::rptMsg($str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
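Review bot: The KB273673 reference in the header at L14132-L14133 never reaches the tool's output, because `hasRefs => 0` at L14144 and `sub getRefs {}` at L14153 return nothing; the snapshot and soft_run plugins in this same commit set `hasRefs => 1` and return a name/URL pair. Change to `hasRefs => 1,` and `sub getRefs { return ("MDAC protocol ordering, MS KB273673" => "http://support.microsoft.com/kb/273673/"); }`. The `%-25s` width at L14176 will be exceeded by longer cached connection strings, but sprintf only pads and never truncates, so a brief comment saying so would preempt the question.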
diff --git a/RecentActivity/release/rr/plugins/ssid.pl b/RecentActivity/release/rr/plugins/ssid.pl
new file mode 100644
index 0000000000..1e7714ae56
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/ssid.pl
@@ -0,0 +1,183 @@
+#-----------------------------------------------------------
+# ssid
+# Gets SSID and other info from WZCSVC key
+#
+#
+# Change History:
+# 20100301 - Updated References; removed dwCtlFlags being
+# printed; minor adjustments to formatting
+# 20091102 - added code to parse EAPOL values for SSIDs
+# 20090807 - updated code in accordance with WZC_WLAN_CONFIG
+# structure
+#
+# References
+# http://msdn.microsoft.com/en-us/library/aa448338.aspx
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package ssid;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100301);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get WZCSVC SSID Info";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my $error;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching ssid v.".$VERSION);
+# Get the NetworkCards values
+ my %nc;
+ if (%nc = getNetworkCards($hive)) {
+
+ }
+ else {
+ ::logMsg("Problem w/ SSIDs, getting NetworkCards: ".$error);
+ return;
+ }
+
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\WZCSVC\\Parameters\\Interfaces";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("SSID");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ if (exists($nc{$name})) {
+ ::rptMsg("NIC: ".$nc{$name}{descr});
+ ::rptMsg("Key LastWrite: ".gmtime($s->get_timestamp())." UTC");
+ ::rptMsg("");
+ my @vals = $s->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $n = $v->get_name();
+ if ($n =~ m/^Static#/) {
+ my $data = $v->get_data();
+# my $w = unpack("V",substr($data,0x04,0x04));
+# printf "dwCtlFlags = 0x%x\n",$w;
+
+ my $l = unpack("V",substr($data, 0x10, 0x04));
+ my $ssid = substr($data,0x14,$l);
+
+ my $tm = uc(unpack("H*",substr($data,0x08,0x06)));
+ my @t = split(//,$tm);
+ my $mac = $t[0].$t[1]."-".$t[2].$t[3]."-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11];
+
+ my ($t1,$t2) = unpack("VV",substr($data,0x2B8,8));
+ my $t = ::getTime($t1,$t2);
+ my $str = sprintf gmtime($t)." MAC: %-18s %-8s",$mac,$ssid;
+ ::rptMsg($str);
+ }
+ }
+ }
+ else {
+ ::rptMsg($name." has no values.");
+ }
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+
+# Now, go to the EAPOL key, locate the appropriate subkeys and parse out
+# any available SSIDs
+# EAPOL is Extensible Authentication Protocol over LAN
+ my $key_path = "Microsoft\\EAPOL\\Parameters\\Interfaces";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ if (exists $nc{$name}) {
+ ::rptMsg("NIC: ".$nc{$name}{descr});
+ }
+ else {
+ ::rptMsg("NIC: ".$name);
+ }
+ ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())." UTC");
+
+ my @vals = $s->get_list_of_values();
+ my %eapol;
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ $eapol{$v->get_name()} = parseEAPOLData($v->get_data());
+ }
+ foreach my $i (sort {$a <=> $b} keys %eapol) {
+ my $str = sprintf "%-3d %s",$i,$eapol{$i};
+ ::rptMsg($str);
+ }
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rtpMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+sub getNetworkCards {
+ my $hive = shift;
+ my %nc;
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $service = $s->get_value("ServiceName")->get_data();
+ $nc{$service}{descr} = $s->get_value("Description")->get_data();
+ $nc{$service}{lastwrite} = $s->get_timestamp();
+ }
+ }
+ else {
+ $error = $key_path." has no subkeys.";
+ }
+ }
+ else {
+ $error = $key_path." not found.";
+ }
+ return %nc;
+}
+
+sub parseEAPOLData {
+ my $data = shift;
+ my $size = unpack("V",substr($data,0x10,4));
+ return substr($data,0x14,$size);
+}
+
+1;
\ No newline at end of file
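Review bot: `::rtpMsg($key_path." has no subkeys.");` at L14338 is a typo for `::rptMsg`; because the call sits in a rarely taken branch it compiles and only fails at run time with an undefined-subroutine error when an `EAPOL\Parameters\Interfaces` key has no subkeys. Fix the spelling. In `getNetworkCards` the chains at L14357-L14358 (`get_value("ServiceName")->get_data()` and `get_value("Description")->get_data()`) are unguarded, so a single `NetworkCards` subkey missing either value dies inside the helper and aborts the whole plugin at L14241 instead of skipping that card; wrapping them in `eval` and `next`-ing on failure keeps the remaining interfaces reportable. The fixed offsets at L14274-L14281 (`0x10`, `0x14`, `0x2B8`) follow the WZC_WLAN_CONFIG layout cited in the header, but nothing checks `length($data)` first, so a short `Static#` value silently yields undef timestamps.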
diff --git a/RecentActivity/release/rr/plugins/startpage.pl b/RecentActivity/release/rr/plugins/startpage.pl
new file mode 100644
index 0000000000..78dcc9e426
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/startpage.pl
@@ -0,0 +1,77 @@
+#-----------------------------------------------------------
+# startpage.pl
+# For Windows 7
+#
+# Change history
+# 20100330 - created
+#
+# References
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package startpage;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100330);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's StartPage key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching startpage v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $menu;
+ my $balloon;
+
+ eval {
+ my $val = $key->get_value("StartMenu_Start_Time")->get_data();
+ my ($t0,$t1) = unpack("VV",$val);
+ $menu = ::getTime($t0,$t1);
+ ::rptMsg("StartMenu_Start_Time = ".gmtime($menu)." Z");
+ };
+ ::rptMsg("Error: ".@$) if (@$);
+
+ eval {
+ my $val = $key->get_value("StartMenu_Balloon_Time")->get_data();
+ my ($t0,$t1) = unpack("VV",$val);
+ $balloon = ::getTime($t0,$t1);
+ ::rptMsg("StartMenu_Balloon_Time = ".gmtime($balloon)." Z");
+ };
+ ::rptMsg("Error: ".@$) if (@$);
+
+
+
+
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
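Review bot: The error reports at L14442 and L14450 use `@$` where the eval error variable is `$@`; as written the condition reads the (always empty) array `@$`, so a failed lookup of either `StartMenu_Start_Time` or `StartMenu_Balloon_Time` is never reported and the plugin silently prints nothing for that value. Both lines should read `::rptMsg("Error: ".$@) if ($@);`. Note that `unpack("VV",$val)` at L14438 and L14446 assumes an 8-byte FILETIME; a shorter value likely produces an undef pair and a misleading date rather than an error, so a `length($val) >= 8` check inside each eval would be worthwhile.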
diff --git a/RecentActivity/release/rr/plugins/stillimage.pl b/RecentActivity/release/rr/plugins/stillimage.pl
new file mode 100644
index 0000000000..aaf23600e4
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/stillimage.pl
@@ -0,0 +1,112 @@
+#-----------------------------------------------------------
+# stillimage.pl
+# Parses contents of Enum\USB key for web cam
+#
+# History
+# 20100222 - created
+#
+# References
+# http://msdn.microsoft.com/en-us/library/ms791870.aspx
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package stillimage;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100222);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get info on StillImage devices";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my $reg;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+::logMsg("Launching stillimage v.".$VERSION);
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ return;
+ }
+
+ my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar @subkeys > 0) {
+ ::rptMsg("");
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ next unless ($name =~ m/\d\d/);
+ ::rptMsg($name);
+
+ eval {
+ my $desc = $s->get_value("DriverDesc")->get_data();
+ ::rptMsg(" ".$desc);
+ };
+
+ eval {
+ my $desc = $s->get_value("MatchingDeviceID")->get_data();
+ ::rptMsg(" ".$desc);
+ };
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+
+# http://msdn.microsoft.com/en-us/library/ms791870.aspx
+# StillImage logging levels
+ my $key_path = $ccs."\\Control\\StillImage\\Logging";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg("StillImage Logging Level");
+ eval {
+ my $level = $key->get_subkey("STICLI")->get_value("Level")->get_data();
+ my $str = sprintf " STICLI Logging Level = 0x%x",$level;
+ ::rptMsg($str);
+ };
+ ::rptMsg("STICLI Error: ".$@) if ($@);
+
+ eval {
+ my $level = $key->get_subkey("STIMON")->get_value("Level")->get_data();
+ my $str = sprintf " STIMON Logging Level = 0x%x",$level;
+ ::rptMsg($str);
+ };
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
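Review bot: The header at L14472 says the plugin "Parses contents of Enum\USB key for web cam", but the code never touches `Enum\USB`; it reads the device class key `Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}` (L14525) and `Control\StillImage\Logging` (L14559). Reword the header to match, e.g. `# Lists StillImage-class device instances (DriverDesc/MatchingDeviceID) and the STI logging levels from the System hive`. The two logging-level lookups are handled inconsistently: STICLI reports a failure via `::rptMsg("STICLI Error: ".$@) if ($@);` at L14569, while the STIMON eval at L14571-L14575 swallows its error; add the matching `::rptMsg("STIMON Error: ".$@) if ($@);`. The filter `next unless ($name =~ m/\d\d/)` at L14534 matches any subkey name containing two consecutive digits anywhere, which is looser than the four-digit instance names it appears to target; `m/^\d{4}$/` would make the intent explicit.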
diff --git a/RecentActivity/release/rr/plugins/streammru.pl b/RecentActivity/release/rr/plugins/streammru.pl
new file mode 100644
index 0000000000..0276cad084
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/streammru.pl
@@ -0,0 +1,64 @@
+#-----------------------------------------------------------
+# streammru.pl
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package streammru;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090205);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "streammru";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching streammru v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+
+ my $data = $key->get_value("5")->get_data();
+
+ my $drive = substr($data, 0x16,4);
+ ::rptMsg("Drive = ".$drive);
+ ::rptMsg("");
+
+ my $size = substr($data, 0x2d, 1);
+ ::rptMsg("Size of first object: ".unpack("c",$size)." bytes");
+ ::rptMsg("");
+
+
+
+
+
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+1;
\ No newline at end of file
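Review bot: `$key->get_value("5")->get_data()` at L14630 hard-codes a single MRU slot and is unguarded, so any hive where value `5` is absent dies with a method call on undef, and every other StreamMRU value is ignored; this reads like an unfinished probe rather than a parser (the short description at L14607 is just "streammru"). At minimum guard it: `my $val = $key->get_value("5"); unless ($val) { ::rptMsg("Value 5 not found."); return; } my $data = $val->get_data();`. The size byte at L14636-L14637 is unpacked with `"c"` (signed), so any length of 0x80 or above prints as negative; use `unpack("C",$size)`. The `substr` offsets at L14632 and L14636 are also applied without a `length($data)` check.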
diff --git a/RecentActivity/release/rr/plugins/streams.pl b/RecentActivity/release/rr/plugins/streams.pl
new file mode 100644
index 0000000000..e620c033df
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/streams.pl
@@ -0,0 +1,63 @@
+#-----------------------------------------------------------
+# streams.pl
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package streams;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081124);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Parse Streams and StreamsMRU entries";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching streams v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("streamMRU");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $i (0..10) {
+ my $data = $key->get_value($i)->get_data();
+ open(FH,">",$i);
+ binmode(FH);
+ print FH $data;
+ close(FH);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+1;
\ No newline at end of file
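Review bot: The loop at L14703-L14709 writes the raw data of values `0` through `10` to files named `0`..`10` in the current working directory, a side effect the description at L14678 ("Parse Streams and StreamsMRU entries") does not advertise; on an examiner's workstation this silently overwrites any existing files with those names, and nothing about the values is written to the report. It also ignores `@vals`: `$key->get_value($i)` returns undef for a slot that does not exist, so `->get_data()` dies as soon as the key has fewer than eleven values. The `open(FH,">",$i)` is unchecked and uses a bareword handle. I would iterate the values actually present and report them, and if raw dumps are still wanted for offline analysis, write them only to an explicitly chosen output directory with a checked lexical `open`, as sketched below.
```perl
foreach my $v (sort { $a->get_name() cmp $b->get_name() } @vals) {
    my $name = $v->get_name();
    my $data = $v->get_data();
    ::rptMsg(sprintf "  %-10s %d bytes", $name, length($data));
    # Optional raw dump: target an explicit output directory, never the CWD.
    # open(my $fh, ">", "$outdir/$name") or die "open $outdir/$name: $!";
}
```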
diff --git a/RecentActivity/release/rr/plugins/svc.pl b/RecentActivity/release/rr/plugins/svc.pl
new file mode 100644
index 0000000000..32332bf723
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/svc.pl
@@ -0,0 +1,149 @@
+#-----------------------------------------------------------
+# svc.pl
+# Plugin for Registry Ripper; Access System hive file to get the
+# services, display short format (hence "svc", shortened version
+# of service.pl plugin)
+#
+# Change history
+# 20080610 - created
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package svc;
+#use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080610);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Lists services/drivers in Services key by LastWrite times (short format)";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+# Reference for types and start types:
+# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx
+my %types = (0x001 => "Kernel driver",
+ 0x002 => "File system driver",
+ 0x010 => "Own_Process",
+ 0x020 => "Share_Process",
+ 0x100 => "Interactive");
+
+my %starts = (0x00 => "Boot Start",
+ 0x01 => "System Start",
+ 0x02 => "Auto Start",
+ 0x03 => "Manual",
+ 0x04 => "Disabled");
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching svc v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+ my $s_path = $ccs."\\Services";
+ my $svc;
+ my %svcs;
+ if ($svc = $root_key->get_subkey($s_path)) {
+ ::rptMsg($s_path);
+ ::rptMsg(getShortDescr());
+ ::rptMsg("");
+# Get all subkeys and sort based on LastWrite times
+ my @subkeys = $svc->get_list_of_subkeys();
+ if (scalar (@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+
+ my $type;
+ eval {
+ $type = $s->get_value("Type")->get_data();
+ };
+
+ $name = $s->get_name();
+ my $display;
+ eval {
+ $display = $s->get_value("DisplayName")->get_data();
+ };
+
+ my $image;
+ eval {
+ $image = $s->get_value("ImagePath")->get_data();
+ };
+
+ my $start;
+ eval {
+ $start = $s->get_value("Start")->get_data();
+ if (exists $starts{$start}) {
+ $start = $starts{$start};
+ }
+ };
+
+ my $object;
+ eval {
+ $object = $s->get_value("ObjectName")->get_data();
+ };
+ next if ($type == 0x001 || $type == 0x002);
+ my $str = $name.";".$display.";".$image.";".$type.";".$start.";".$object;
+ push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq "");
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %svcs) {
+ ::rptMsg(gmtime($t)."Z");
+ foreach my $item (@{$svcs{$t}}) {
+ my ($n,$d,$i,$t,$s,$o) = split(/;/,$item,6);
+ my $str = " ".$n;
+
+ if ($i eq "") {
+ if ($d eq "") {
+
+ }
+ else {
+ $str = $str." (".$d.")";
+ }
+ }
+ else {
+ $str = $str." (".$i.")";
+ }
+
+ $str = $str." [".$o."]" unless ($o eq "");
+
+ ::rptMsg($str);
+ }
+ ::rptMsg("");
+ }
+
+ }
+ else {
+ ::rptMsg($s_path." has no subkeys.");
+ ::logMsg("Error: ".$s_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($s_path." not found.");
+ ::logMsg($s_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
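Review bot: `$name = $s->get_name();` at L14808 is never declared, which is why `use strict` is commented out at L14742; re-enabling strict would catch it, and the fix is `my $name = $s->get_name();` plus restoring `use strict;`. The `%types` map at L14764-L14768 is built but never consulted, so the fourth field of `$str` at L14832 is the raw numeric Type; either use it (`$types{$type} || $type`) or drop the table. Joining fields with `;` and splitting on it at L14839 will misalign columns if a DisplayName or ImagePath contains a semicolon; since the pieces are reassembled a few lines later, pushing an array ref onto `$svcs{...}` avoids the round trip entirely. Services are a common persistence location, so the fact that kernel and file-system drivers (Type 1/2) are deliberately omitted at L14831 belongs in the header comment.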
diff --git a/RecentActivity/release/rr/plugins/svc2.pl b/RecentActivity/release/rr/plugins/svc2.pl
new file mode 100644
index 0000000000..0a12370371
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/svc2.pl
@@ -0,0 +1,148 @@
+#-----------------------------------------------------------
+# svc2.pl
+# Plugin for Registry Ripper; Access System hive file to get the
+# services, display short format (hence "svc", shortened version
+# of service.pl plugin); outputs info in .csv format
+#
+# Change history
+# 20081129 - created
+#
+# Ref:
+# http://msdn.microsoft.com/en-us/library/aa394073(VS.85).aspx
+#
+# Analysis Tip: Several services keys have Parameters subkeys that point to
+# the ServiceDll value; During intrusions, a service key may be added to
+# the system's Registry; using this module, send the output to .csv format
+# and sort on column B to get the names to line up
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package svc2;
+#use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20081129);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Lists Services key contents by LastWrite times (CSV)";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %types = (0x001 => "Kernel driver",
+ 0x002 => "File system driver",
+ 0x004 => "Adapter",
+ 0x010 => "Own_Process",
+ 0x020 => "Share_Process",
+ 0x100 => "Interactive");
+
+my %starts = (0x00 => "Boot Start",
+ 0x01 => "System Start",
+ 0x02 => "Auto Start",
+ 0x03 => "Manual",
+ 0x04 => "Disabled");
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+# ::logMsg("Launching svc2 v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+ my $s_path = $ccs."\\Services";
+ my $svc;
+ my %svcs;
+ if ($svc = $root_key->get_subkey($s_path)) {
+# ::rptMsg($s_path);
+# ::rptMsg(getShortDescr());
+# ::rptMsg("");
+# Get all subkeys and sort based on LastWrite times
+ my @subkeys = $svc->get_list_of_subkeys();
+ if (scalar (@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ $name = $s->get_name();
+ my $display;
+ eval {
+ $display = $s->get_value("DisplayName")->get_data();
+# take commas out of the display name, replace w/ semi-colons
+ $display =~ s/,/;/g;
+ };
+
+ my $type;
+ eval {
+ $type = $s->get_value("Type")->get_data();
+ $type = $types{$type} if (exists $types{$type});
+
+ };
+
+ my $image;
+ eval {
+ $image = $s->get_value("ImagePath")->get_data();
+ };
+
+ my $start;
+ eval {
+ $start = $s->get_value("Start")->get_data();
+ $start = $starts{$start} if (exists $starts{$start});
+ };
+
+ my $object;
+ eval {
+ $object = $s->get_value("ObjectName")->get_data();
+ };
+
+ my $str = $name."\|".$display."\|".$image."\|".$type."\|".$start."\|".$object;
+ push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq "");
+# Get ServiceDll value if there is one
+ eval {
+ my $para = $s->get_subkey("Parameters");
+ my $dll = $para->get_value("ServiceDll")->get_data();
+ my $str = $name."\\Parameters\|\|".$dll."\|\|\|";
+ push(@{$svcs{$para->get_timestamp()}},$str);
+ };
+
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %svcs) {
+# ::rptMsg(gmtime($t)."Z");
+ foreach my $item (@{$svcs{$t}}) {
+ my ($n,$d,$i,$t2,$s,$o) = split(/\|/,$item,6);
+# ::rptMsg($t.",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o);
+ ::rptMsg(gmtime($t)."Z".",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o);
+ }
+ }
+ }
+ else {
+ ::rptMsg($s_path." has no subkeys.");
+ ::logMsg("Error: ".$s_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($s_path." not found.");
+ ::logMsg($s_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
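Review bot: The CSV row emitted by the final `::rptMsg(gmtime($t)."Z".",".$n.",".$d...)` is only protected against commas in DisplayName (the `$display =~ s/,/;/g;` after its eval); ImagePath and ObjectName are concatenated unescaped, and a service whose ImagePath carries a comma in its arguments shifts every later column, breaking exactly the "sort on column B" workflow the header recommends. Apply the same treatment to the other free-text fields after their evals, `$image =~ s/,/;/g;` and `$object =~ s/,/;/g;`, or wrap each field in double quotes. Separately, `use strict` is commented out and `$name = $s->get_name();` is never declared, so it is a package global; restoring strict and writing `my $name = $s->get_name();` keeps this file consistent with svcdll.pl.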
diff --git a/RecentActivity/release/rr/plugins/svcdll.pl b/RecentActivity/release/rr/plugins/svcdll.pl
new file mode 100644
index 0000000000..3cfbcd2f24
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/svcdll.pl
@@ -0,0 +1,131 @@
+#-----------------------------------------------------------
+# svcdll.pl
+#
+# Change history
+# 20091104 - created
+#
+# Ref:
+# http://msdn.microsoft.com/en-us/library/aa394073(VS.85).aspx
+#
+# Analysis Tip: Several services keys have Parameters subkeys that point to
+# the ServiceDll value; During intrusions, a service key may be added to
+# the system's Registry; this module provides a quick look, displaying the
+# Service names (in malware, sometimes random) and the ServiceDll value,
+# sorted based on the LastWrite time of the \Parameters subkey.
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package svcdll;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20091104);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Lists Services keys with ServiceDll values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+#my %types = (0x001 => "Kernel driver",
+# 0x002 => "File system driver",
+# 0x004 => "Adapter",
+# 0x010 => "Own_Process",
+# 0x020 => "Share_Process",
+# 0x100 => "Interactive");
+
+#my %starts = (0x00 => "Boot Start",
+# 0x01 => "System Start",
+# 0x02 => "Auto Start",
+# 0x03 => "Manual",
+# 0x04 => "Disabled");
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching svcdll v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+ my $s_path = $ccs."\\Services";
+ my $svc;
+ my %svcs;
+ if ($svc = $root_key->get_subkey($s_path)) {
+
+# Get all subkeys and sort based on LastWrite times
+ my @subkeys = $svc->get_list_of_subkeys();
+ if (scalar (@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+# my $display;
+# eval {
+# $display = $s->get_value("DisplayName")->get_data();
+# };
+
+# my $type;
+# eval {
+# $type = $s->get_value("Type")->get_data();
+# $type = $types{$type} if (exists $types{$type});
+# };
+
+# my $image;
+# eval {
+# $image = $s->get_value("ImagePath")->get_data();
+# };
+
+# my $start;
+# eval {
+# $start = $s->get_value("Start")->get_data();
+# $start = $starts{$start} if (exists $starts{$start});
+# };
+
+ my $dll;
+ eval {
+ $dll = $s->get_subkey("Parameters")->get_value("ServiceDll")->get_data();
+ my $str = $name." -> ".$dll;
+ push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq "");
+ };
+ }
+
+ foreach my $t (reverse sort {$a <=> $b} keys %svcs) {
+ ::rptMsg(gmtime($t)."Z");
+ foreach my $item (@{$svcs{$t}}) {
+ ::rptMsg(" ".$item);
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($s_path." has no subkeys.");
+ ::logMsg("Error: ".$s_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($s_path." not found.");
+ ::logMsg($s_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
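Review bot: The header's Analysis Tip says entries are sorted on the LastWrite time of the \Parameters subkey, but the push keys on `$s->get_timestamp()`, which is the Services\name key itself; the two can differ when only the ServiceDll under Parameters is repointed, which is the very case the tip is about. Capture the subkey and use its timestamp: `my $para = $s->get_subkey("Parameters");` then `$dll = $para->get_value("ServiceDll")->get_data();` and `push(@{$svcs{$para->get_timestamp()}},$str);`. The `unless ($str eq "")` guard can never fire, since `$str` always contains the literal ` -> `.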
diff --git a/RecentActivity/release/rr/plugins/svchost.pl b/RecentActivity/release/rr/plugins/svchost.pl
new file mode 100644
index 0000000000..481d08ca46
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/svchost.pl
@@ -0,0 +1,74 @@
+#-----------------------------------------------------------
+# svchost
+# Plugin to get data from Security Center keys
+#
+# Change History:
+# 20100322 - created
+#
+# References:
+# http://support.microsoft.com/kb/314056
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package svchost;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100322);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get entries from SvcHost key";
+}
+sub getDescr{}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my $infected = 0;
+ ::logMsg("Launching secctr v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = 'Microsoft\Windows NT\CurrentVersion\SvcHost';
+ my $key;
+ ::rptMsg("svchost");
+ ::rptMsg("");
+
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my @data = $v->get_data();
+ my $d;
+ if (scalar(@data) > 1) {
+ $d = join(',',@data);
+ }
+ else {
+ $d = $data[0];
+ }
+ my $str = sprintf "%-15s %-55s",$v->get_name(),$d;
+ ::rptMsg($str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::rptMsg("");
+ }
+}
+1;
\ No newline at end of file
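Review bot: The header comment ("Plugin to get data from Security Center keys") and the log line `::logMsg("Launching secctr v.".$VERSION);` are leftovers from another plugin; the code reads `Microsoft\Windows NT\CurrentVersion\SvcHost`, and an analyst grepping the log for "svchost" will not find the launch entry. Change them to `# Plugin to get data from the SvcHost key (service groups and their member services)` and `::logMsg("Launching svchost v.".$VERSION);`. This file also omits `sub getRefs {}`, which every other plugin in this set defines; if the harness calls it, this plugin would die on a missing method. `$infected` is assigned and never used.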
diff --git a/RecentActivity/release/rr/plugins/system b/RecentActivity/release/rr/plugins/system
new file mode 100644
index 0000000000..366c10fc62
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/system
@@ -0,0 +1,36 @@
+#-------------------------------------
+# System
+compname
+xpedition
+producttype
+dllsearch
+termserv
+rdpport
+shutdown
+shutdowncount
+nolmhash
+timezone
+disablelastaccess
+eventlog
+auditfail
+crashcontrol
+kbdcrash
+pagefile
+hibernate
+mountdev
+routes
+network
+nic_mst2
+nic
+nic2
+fw_config
+ide
+shares
+svc2
+svcdll
+imagedev
+legacy
+stillimage
+usbdevices
+usbstor
+devclass
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/taskman.pl b/RecentActivity/release/rr/plugins/taskman.pl
new file mode 100644
index 0000000000..3a6b212a59
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/taskman.pl
@@ -0,0 +1,61 @@
+#-----------------------------------------------------------
+# taskman.pl
+# Get Taskman value from Winlogon
+#
+# References
+# http://www.geoffchappell.com/viewer.htm?doc=notes/windows/shell/explorer/
+# taskman.htm&tx=3,5-7,12;4&ts=0,19
+# http://technet.microsoft.com/en-us/library/cc957402.aspx
+#
+# Change History:
+# 20091116 - created
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package taskman;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20091116);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets Taskman from HKLM\\..\\Winlogon";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching taskman v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
+ if (my $key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+
+ eval {
+ ::rptMsg("");
+ my $task = $key->get_value("Taskman")->get_data();
+ ::rptMsg("Taskman value = ".$task);
+ };
+ if ($@) {
+ ::rptMsg("Taskman value not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
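Review bot: The report gives no context for what a Taskman value means, and the "Taskman value not found." branch is the normal state, so an analyst skimming output may read it backwards. As I read the cited references, the value, when present, names the program Winlogon runs in place of Task Manager, so a populated value is a hijack/persistence indicator worth stating in the report; after the value line add something like `::rptMsg("  Note: Taskman is normally absent; a value here replaces Task Manager and should be verified");` (wording hedged, since the default-absent claim comes from the references rather than this code). The `::rptMsg("");` inside the eval runs before the value is fetched and reads more clearly outside the block.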
diff --git a/RecentActivity/release/rr/plugins/termcert.pl b/RecentActivity/release/rr/plugins/termcert.pl
new file mode 100644
index 0000000000..81e4b37505
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/termcert.pl
@@ -0,0 +1,96 @@
+#-----------------------------------------------------------
+# termcert.pl
+# Plugin for Registry Ripper;
+#
+# Change history
+# 20110316 - created
+#
+# copyright 2011 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package termcert;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20110316);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets Terminal Server certificate";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching termcert v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+ my $ts_path = $ccs."\\Services\\TermService\\Parameters";
+ my $ts;
+ if ($ts = $root_key->get_subkey($ts_path)) {
+ ::rptMsg($ts_path);
+ ::rptMsg("LastWrite Time ".gmtime($ts->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $cert;
+ eval {
+ $cert = $ts->get_value("Certificate")->get_raw_data();
+
+ printSector($cert);
+ };
+ ::rptMsg("Certificate value not found.") if ($@);
+ }
+ else {
+ ::rptMsg($ts_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+sub printSector {
+ my $data = shift;
+ my $len = length($data);
+ my $remaining = $len;
+ my $i = 0;
+
+ while ($remaining > 0) {
+ my $seg1 = substr($data,$i * 16,16);
+ my @str1 = split(//,unpack("H*",$seg1));
+
+ my @s3;
+ foreach my $i (0..15) {
+ $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
+ }
+
+ my $h = join(' ',@s3);
+ my @s1 = unpack("A*",$seg1);
+ my $s2 = join('',@s1);
+ $s2 =~ s/\W/\./g;
+
+ ::rptMsg(sprintf "%-50s %-20s",$h,$s2);
+ $i++;
+ $remaining -= 16;
+ }
+}
+
+1;
\ No newline at end of file
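Review bot: printSector indexes `$str1[$i * 2]` for a fixed `0..15` on every segment, so when the Certificate blob is not a multiple of 16 bytes the last row reads past the end of `@str1` and concatenates undef — silent only because warnings are off, and it pads the hex dump with empty cells. Bound the inner loop by the segment's real length: `my $n = length($seg1);` then `foreach my $i (0 .. $n - 1) {`. Also `::rptMsg("Certificate value not found.") if ($@);` reports any die raised inside printSector as "not found", which hides formatting errors behind a misleading message; logging `$@` via `::logMsg` would keep the distinction.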
diff --git a/RecentActivity/release/rr/plugins/termserv.pl b/RecentActivity/release/rr/plugins/termserv.pl
new file mode 100644
index 0000000000..010e3aed5e
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/termserv.pl
@@ -0,0 +1,137 @@
+#-----------------------------------------------------------
+# termserv.pl
+# Plugin for Registry Ripper;
+#
+# Change history
+# 20100713 - Updated to include additional values, based on references
+# 20100119 - updated
+# 20090727 - created
+#
+# References
+# Change TS listening port number - http://support.microsoft.com/kb/187623
+# Examining TS key - http://support.microsoft.com/kb/243215
+# Win2K8 TS stops listening - http://support.microsoft.com/kb/954398
+# XP/Win2K3 TSAdvertise value - http://support.microsoft.com/kb/281307
+# AllowTSConnections value - http://support.microsoft.com/kb/305608
+# TSEnabled value - http://support.microsoft.com/kb/222992
+# TSUserEnabled value - http://support.microsoft.com/kb/238965
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package termserv;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100713);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets Terminal Server values from System hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching termserv v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+ my $ts_path = $ccs."\\Control\\Terminal Server";
+ my $ts;
+ if ($ts = $root_key->get_subkey($ts_path)) {
+ ::rptMsg($ts_path);
+ ::rptMsg("LastWrite Time ".gmtime($ts->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ ::rptMsg("Reference: http://support.microsoft.com/kb/243215");
+ ::rptMsg("");
+
+ my $ver;
+ eval {
+ $ver = $ts->get_value("ProductVersion")->get_data();
+ ::rptMsg(" ProductVersion = ".$ver);
+ };
+ ::rptMsg("");
+
+ my $fdeny;
+ eval {
+ $fdeny = $ts->get_value("fDenyTSConnections")->get_data();
+ ::rptMsg(" fDenyTSConnections = ".$fdeny);
+ ::rptMsg(" 1 = connections denied");
+ };
+ ::rptMsg("fDenyTSConnections value not found.") if ($@);
+ ::rptMsg("");
+
+ my $allow;
+ eval {
+ $allow = $ts->get_value("AllowTSConnections")->get_data();
+ ::rptMsg(" AllowTSConnections = ".$allow);
+ ::rptMsg(" Ref: http://support.microsoft.com/kb/305608");
+ };
+ ::rptMsg("");
+
+ my $ad;
+ eval {
+ $ad = $ts->get_value("TSAdvertise")->get_data();
+ ::rptMsg(" TSAdvertise = ".$ad);
+ ::rptMsg(" 0 = disabled, 1 = enabled (advertise Terminal Services)");
+ ::rptMsg(" Ref: http://support.microsoft.com/kb/281307");
+ };
+ ::rptMsg("");
+
+ my $enabled;
+ eval {
+ $enabled = $ts->get_value("TSEnabled")->get_data();
+ ::rptMsg(" TSEnabled = ".$enabled);
+ ::rptMsg(" 0 = disabled, 1 = enabled (Terminal Services enabled)");
+ ::rptMsg(" Ref: http://support.microsoft.com/kb/222992");
+ };
+ ::rptMsg("");
+
+ my $user;
+ eval {
+ $user = $ts->get_value("TSUserEnabled")->get_data();
+ ::rptMsg(" TSUserEnabled = ".$user);
+ ::rptMsg(" 1 = All users logging in are automatically part of the");
+ ::rptMsg(" built-in Terminal Server User group. 0 = No one is a");
+ ::rptMsg(" member of the built-in group.");
+ ::rptMsg(" Ref: http://support.microsoft.com/kb/238965");
+ };
+ ::rptMsg("");
+
+ my $help;
+ eval {
+ $help = $ts->get_value("fAllowToGetHelp")->get_data();
+ ::rptMsg(" fAllowToGetHelp = ".$user);
+ ::rptMsg(" 1 = Users can request assistance from friend or a ");
+ ::rptMsg(" support professional.");
+ ::rptMsg(" Ref: http://www.pctools.com/guides/registry/detail/1213/");
+ };
+
+ }
+ else {
+ ::rptMsg($ts_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
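Review bot: The fAllowToGetHelp block prints the wrong variable — `::rptMsg(" fAllowToGetHelp = ".$user);` reports the TSUserEnabled value read a few lines earlier, so Remote Assistance exposure is misreported. Change it to `::rptMsg(" fAllowToGetHelp = ".$help);`. The ProductVersion, AllowTSConnections, TSAdvertise, TSEnabled, TSUserEnabled and fAllowToGetHelp evals carry no `$@` check, so unlike fDenyTSConnections a missing value produces no line at all; for an RDP-exposure review an explicit "value not found" per setting is more useful than silence.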
diff --git a/RecentActivity/release/rr/plugins/timezone.pl b/RecentActivity/release/rr/plugins/timezone.pl
new file mode 100644
index 0000000000..fa3f38729d
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/timezone.pl
@@ -0,0 +1,88 @@
+#-----------------------------------------------------------
+# timezone.pl
+# Plugin for Registry Ripper; Access System hive file to get the
+# contents of the TimeZoneInformation key
+#
+# Change history
+#
+#
+# References
+# http://support.microsoft.com/kb/102986
+# http://support.microsoft.com/kb/207563
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package timezone;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get TimeZoneInformation key contents";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching timezone v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my $current;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ my $ccs = "ControlSet00".$current;
+ my $tz_path = $ccs."\\Control\\TimeZoneInformation";
+ my $tz;
+ if ($tz = $root_key->get_subkey($tz_path)) {
+ ::rptMsg("TimeZoneInformation key");
+ ::rptMsg($tz_path);
+ ::rptMsg("LastWrite Time ".gmtime($tz->get_timestamp())." (UTC)");
+ my %tz_vals;
+ my @vals = $tz->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ map{$tz_vals{$_->get_name()} = $_->get_data()}(@vals);
+
+ ::rptMsg(" DaylightName -> ".$tz_vals{"DaylightName"});
+ ::rptMsg(" StandardName -> ".$tz_vals{"StandardName"});
+
+ my $bias = $tz_vals{"Bias"}/60;
+ my $atbias = $tz_vals{"ActiveTimeBias"}/60;
+
+ ::rptMsg(" Bias -> ".$tz_vals{"Bias"}." (".$bias." hours)");
+ ::rptMsg(" ActiveTimeBias -> ".$tz_vals{"ActiveTimeBias"}." (".$atbias." hours)");
+
+ }
+ else {
+ ::rptMsg($tz_path." has no values.");
+ ::logMsg($tz_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($tz_path." could not be found.");
+ ::logMsg($tz_path." could not be found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
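Review bot: Bias and ActiveTimeBias are DWORDs that are negative for zones east of UTC (Bias = UTC minus local time per the cited KB), and if `get_data` hands back the DWORD unsigned, a UTC+1 system prints Bias 4294967236 with an absurd hour count — and every timestamp conversion an analyst builds on this report is then wrong. Convert to signed before dividing: `my $bias = unpack("l", pack("L", $tz_vals{"Bias"})) / 60;` and the same for ActiveTimeBias. Also guard both divisions with `defined`, since an absent value currently becomes a silent "0 hours".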
diff --git a/RecentActivity/release/rr/plugins/tsclient.pl b/RecentActivity/release/rr/plugins/tsclient.pl
new file mode 100644
index 0000000000..364c17bff0
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/tsclient.pl
@@ -0,0 +1,72 @@
+#-----------------------------------------------------------
+# tsclient.pl
+# Plugin for Registry Ripper
+#
+# Change history
+#
+#
+# References
+# http://support.microsoft.com/kb/312169
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package tsclient;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 0,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Displays contents of user's Terminal Server Client\\Default key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching tsclient v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Default';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("TSClient");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %mrus;
+ foreach my $v (@vals) {
+ my $val = $v->get_name();
+ my $data = $v->get_data();
+ my $tag = (split(/MRU/,$val))[1];
+ $mrus{$tag} = $val.":".$data;
+ }
+ foreach my $u (sort {$a <=> $b} keys %mrus) {
+ my ($val,$data) = split(/:/,$mrus{$u},2);
+ ::rptMsg(" ".$val." -> ".$data);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
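Review bot: `hasShortDescr => 0` contradicts getShortDescr, which returns a real string, and every other plugin in this set sets it to 1, so the harness listing may hide this plugin's description; change it to `hasShortDescr => 1,`. The key `(split(/MRU/,$val))[1]` is undef for any value not named MRUn, so such values collide on the "" key and all but one are lost; fall back to the full name with `my ($tag) = ($val =~ /MRU(\d+)\z/); $tag = $val unless defined $tag;`. For lateral-movement review these MRU entries are the RDP targets the user typed; the sibling `Terminal Server Client\Servers` subkey, where present, presumably carries per-host hints as well and is worth a follow-up plugin — confirm against a sample hive.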
diff --git a/RecentActivity/release/rr/plugins/typedpaths.pl b/RecentActivity/release/rr/plugins/typedpaths.pl
new file mode 100644
index 0000000000..292f0370b0
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/typedpaths.pl
@@ -0,0 +1,69 @@
+#-----------------------------------------------------------
+# typedpaths.pl
+# For Windows 7, Desktop Address Bar History
+#
+# Change history
+# 20100330 - created
+#
+# References
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package typedpaths;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100330);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's typedpaths key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching typedpaths v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %paths;
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ $name =~ s/^url//;
+ my $data = $v->get_data();
+ $paths{$name} = $data;
+ }
+ foreach my $p (sort {$a <=> $b} keys %paths) {
+ ::rptMsg(sprintf "%-8s %-30s","url".$p,$paths{$p});
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
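Review bot: The loop strips a leading `url` from every value name and the printer unconditionally prepends `url` again, so a value that did not start with `url` is reported under a fabricated name (a value `MRUList` would print as `urlMRUList`), and any non-numeric remnant makes the `<=>` sort warn. Keep the original name next to the data and sort only on the stripped index; rewritten loop below. A `::logMsg` on the not-found branch would match the other NTUSER plugins in this set.
```perl
			my %paths;
			foreach my $v (@vals) {
				my $name = $v->get_name();
				(my $idx = $name) =~ s/^url//;
				$paths{$idx} = [ $name, $v->get_data() ];
			}
			foreach my $p (sort {$a <=> $b} keys %paths) {
				::rptMsg(sprintf "%-8s %-30s", @{ $paths{$p} });
			}
```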
diff --git a/RecentActivity/release/rr/plugins/typedurls.pl b/RecentActivity/release/rr/plugins/typedurls.pl
new file mode 100644
index 0000000000..fbd6c194e9
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/typedurls.pl
@@ -0,0 +1,87 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# typedurls.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# TypedURLs values
+#
+# Change history
+#
+#
+# References
+# http://support.microsoft.com/kb/157729
+# http://msdn2.microsoft.com/en-us/library/aa908115.aspx
+#
+# Notes: Reportedly, only the last 20 entries are maintained;
+# Also, new entries aren't added to the key until the current
+# instance of IE is terminated.
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package typedurls;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Returns contents of user's TypedURLs key.";
+}
+sub getDescr{}
+sub getRefs {
+ my %refs = ("IESample Registry Settings" =>
+ "http://msdn2.microsoft.com/en-us/library/aa908115.aspx",
+ "How to clear History entries in IE" =>
+ "http://support.microsoft.com/kb/157729");
+ return %refs;
+}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching typedurls v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Internet Explorer\\TypedURLs';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("TypedURLs");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %urls;
+# Retrieve values and load into a hash for sorting
+ foreach my $v (@vals) {
+ my $val = $v->get_name();
+ my $data = $v->get_data();
+ my $tag = (split(/url/,$val))[1];
+ $urls{$tag} = $val.":".$data;
+ }
+# Print sorted content to report file
+ foreach my $u (sort {$a <=> $b} keys %urls) {
+ my ($val,$data) = split(/:/,$urls{$u},2);
+ ::rptMsg(" ".$val." -> ".$data);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
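Review bot: `(split(/url/,$val))[1]` yields undef for any value whose name is not urlN, so such values all land on the "" key, overwrite each other, and are sorted with a warning; tsclient.pl has the same pattern. Use the numeric suffix with a fallback to the full name: `my ($tag) = ($val =~ /(\d+)\z/); $tag = $val unless defined $tag;`. The plugin never states whether url1 is the most recent entry, which is what a timeline reader needs; a one-line comment on the ordering, once confirmed against the cited references, would prevent misreads.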
diff --git a/RecentActivity/release/rr/plugins/uninstall.pl b/RecentActivity/release/rr/plugins/uninstall.pl
new file mode 100644
index 0000000000..71975fd388
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/uninstall.pl
@@ -0,0 +1,89 @@
+#-----------------------------------------------------------
+# uninstall.pl
+# Gets contents of Uninstall key from Software hive; sorts
+# display names based on key LastWrite time
+#
+# References:
+# http://support.microsoft.com/kb/247501
+# http://support.microsoft.com/kb/314481
+# http://msdn.microsoft.com/en-us/library/ms954376.aspx
+#
+# Change History:
+# 20100116 - Minor updates
+# 20090413 - Extract DisplayVersion info
+# 20090128 - Added references
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package uninstall;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100116);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets contents of Uninstall key from Software hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching uninstall v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Uninstall';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("Uninstall");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+
+ my %uninst;
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $lastwrite = $s->get_timestamp();
+ my $display;
+ eval {
+ $display = $s->get_value("DisplayName")->get_data();
+ };
+ $display = $s->get_name() if ($display eq "");
+
+ my $ver;
+ eval {
+ $ver = $s->get_value("DisplayVersion")->get_data();
+ };
+ $display .= " v\.".$ver unless ($@);
+
+ push(@{$uninst{$lastwrite}},$display);
+ }
+ foreach my $t (reverse sort {$a <=> $b} keys %uninst) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$uninst{$t}}) {
+ ::rptMsg("\t$item");
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
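Review bot: `$display = $s->get_name() if ($display eq "");` compares an undef whenever DisplayName is missing and only passes because warnings are off; write `$display = $s->get_name() unless (defined $display && $display ne "");`. More important for an intrusion review: `Microsoft\Windows\CurrentVersion\Uninstall` is only the native view, and on 64-bit Windows 32-bit packages typically register under `Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall`, which this plugin never visits; a second lookup of that path, or at least a report line saying it was not checked, would avoid a false sense of completeness.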
diff --git a/RecentActivity/release/rr/plugins/unreadmail.pl b/RecentActivity/release/rr/plugins/unreadmail.pl
new file mode 100644
index 0000000000..5f6aadcf6d
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/unreadmail.pl
@@ -0,0 +1,89 @@
+#-----------------------------------------------------------
+# unreadmail.pl
+#
+#
+# Change history
+# 20100218 - created
+#
+# References
+# http://support.microsoft.com/kb/304148
+# http://support.microsoft.com/kb/831403
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package unreadmail;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100218);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of Unreadmail key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ my %hist;
+ ::logMsg("Launching unreadmail v.".$VERSION);
+
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ eval {
+ my $e = $key->get_value("MessageExpiryDays")->get_data();
+ ::rptMsg("MessageExpiryDays : ".$e);
+ ::rptMsg("");
+ };
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar @subkeys > 0) {
+ ::rptMsg("");
+ foreach my $s (@subkeys) {
+ ::rptMsg($s->get_name());
+ ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
+ eval {
+ my $m = $s->get_value("MessageCount")->get_data();
+ ::rptMsg(" MessageCount: ".$m);
+ };
+
+ eval {
+ my $a = $s->get_value("Application")->get_data();
+ ::rptMsg(" Application : ".$a);
+ };
+
+ eval {
+ my @t = unpack("VV",$s->get_value("TimeStamp")->get_data());
+ my $ts = ::getTime($t[0],$t[1]);
+ ::rptMsg(" TimeStamp : ".gmtime($ts)." (UTC)");
+ };
+
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
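Review bot: The TimeStamp eval swallows its failure silently, so a value that is missing or shorter than the 8 bytes `unpack("VV", ...)` expects produces no TimeStamp line and no log entry, which an analyst cannot distinguish from "no timestamp recorded". Add `::rptMsg("  TimeStamp : not found or malformed") if ($@);` after that eval, and consider the same for the MessageCount and Application blocks. `%hist` is declared at the top of pluginmain and never used.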
diff --git a/RecentActivity/release/rr/plugins/urlzone.pl b/RecentActivity/release/rr/plugins/urlzone.pl
new file mode 100644
index 0000000000..f48e82411f
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/urlzone.pl
@@ -0,0 +1,96 @@
+#-----------------------------------------------------------
+# /root/bin/plugins/urlzone.pl
+# Plugin to detect URLZONE infection
+#
+# copyright 2009 Stefan Kelm (skelm@bfk.de)
+#-----------------------------------------------------------
+package urlzone;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090526);
+
+sub getConfig{return %config}
+
+sub getShortDescr {return "URLZONE detection";}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+my $class = shift;
+my $hive = shift;
+::logMsg("Launching urlzone v.".$VERSION);
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+
+my $key_path = "Microsoft\\Windows\\CurrentVersion\\Internet Settings\\urlzone";
+my $key;
+if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg($key_path."\\".$s->get_name());
+ ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)");
+ eval {
+ my @vals = $s->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %sns;
+ foreach my $v (@vals) {
+ $sns{$v->get_name()} = $v->get_data();
+ }
+ foreach my $i (keys %sns) {
+ ::rptMsg("\t\t".$i." = ".$sns{$i});
+ }
+ }
+ else {
+# No values
+ }
+ };
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+# ::logMsg($key_path." not found.");
+ }
+
+ my $key_path2 = "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\userinit.exe";
+ my $key2;
+ if ($key2 = $root_key->get_subkey($key_path2)) {
+ ::rptMsg($key_path2);
+ ::rptMsg("LastWrite Time ".gmtime($key2->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my $dbg;
+ eval {
+ $dbg = $key2->get_value("Debugger")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("Debugger value not found.");
+ }
+ else {
+ ::rptMsg("Debugger = ".$dbg);
+ }
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg($key_path2." not found.");
+# ::logMsg($key_path2." not found.");
+ }
+}
+1;
\ No newline at end of file
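Review bot: `::rptMsg("Debugger = ".$dbg);` prints the Image File Execution Options Debugger value for userinit.exe with no interpretation, yet any program named there is started whenever userinit.exe launches at logon, which is the persistence mechanism this plugin exists to detect; add a line such as `::rptMsg("*Any Debugger value for userinit.exe is abnormal; the listed program runs at every logon.");` so the finding is not read as merely informational. The first key walk wraps the value dump in an `eval` whose `$@` is never examined, so a value that fails to parse is dropped without a trace — log it with `::logMsg("urlzone: ".$@) if ($@);`. The `hasRefs => 0` setting leaves the plugin without any citation for the URLZONE indicators it checks; a reference in the header would let an examiner judge how current these indicators are.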
diff --git a/RecentActivity/release/rr/plugins/usb.pl b/RecentActivity/release/rr/plugins/usb.pl
new file mode 100644
index 0000000000..2a4c438c7c
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/usb.pl
@@ -0,0 +1,111 @@
+#-----------------------------------------------------------
+# usb
+# Similar to usbstor plugin, but prints output in .csv format;
+# also checks MountedDevices keys
+#
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package usb;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080825);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get USB subkeys info; csv output";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my $reg;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ return;
+ }
+
+ my $name_path = $ccs."\\Control\\ComputerName\\ComputerName";
+ my $comp_name;
+ eval {
+ $comp_name = $root_key->get_subkey($name_path)->get_value("ComputerName")->get_data();
+ };
+ $comp_name = "Test" if ($@);
+
+ my $key_path = $ccs."\\Enum\\USB";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $dev_class = $s->get_name();
+ my @sk = $s->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $k (@sk) {
+ my $serial = $k->get_name();
+ my $sn_lw = $k->get_timestamp();
+ my $str = $comp_name.",".$dev_class.",".$serial.",".$sn_lw;
+
+ my $loc;
+ eval {
+ $loc = $k->get_value("LocationInformation")->get_data();
+ $str .= ",".$loc;
+ };
+ $str .= ", " if ($@);
+
+
+ my $friendly;
+ eval {
+ $friendly = $k->get_value("FriendlyName")->get_data();
+ $str .= ",".$friendly;
+ };
+ $str .= ", " if ($@);
+
+ my $parent;
+ eval {
+ $parent = $k->get_value("ParentIdPrefix")->get_data();
+ $str .= ",".$parent;
+ };
+
+
+ ::rptMsg($str);
+ }
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
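Review bot: The CSV row built at `my $str = $comp_name.",".$dev_class.",".$serial.",".$sn_lw;` and then extended with LocationInformation, FriendlyName and ParentIdPrefix writes registry strings into comma-separated fields without any quoting, so a value containing a comma or double quote shifts every later column of the report. These strings come straight from the evidence hive and should be treated as untrusted input for the output format; a small quoting helper applied to each string field keeps the columns stable. The `$str .= ", " if ($@);` fallbacks also put a space into the empty field, unlike usbstor3's bare `","`, which downstream parsers will see as a non-empty value. This plugin is also the only one in the set that never calls `::logMsg("Launching usb v.".$VERSION);`.

```perl
# Quote one CSV field: wrap in double quotes and double any embedded quotes.
sub csv_field {
    my $f = shift;
    $f = "" unless (defined $f);
    $f =~ s/"/""/g;
    return '"'.$f.'"';
}
# … unchanged: CurrentControlSet and ComputerName lookup …
my $str = join(",", csv_field($comp_name), csv_field($dev_class), csv_field($serial), $sn_lw);
# … unchanged: the eval blocks, each appending ",".csv_field($value) on success and "," on failure …
```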
diff --git a/RecentActivity/release/rr/plugins/usbdevices.pl b/RecentActivity/release/rr/plugins/usbdevices.pl
new file mode 100644
index 0000000000..27f7ef8a29
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/usbdevices.pl
@@ -0,0 +1,108 @@
+#-----------------------------------------------------------
+# usbdevices.pl
+# Parses contents of Enum\USB key for web cam
+#
+# History
+# 20100219 - created
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package usbdevices;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100219);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Parses Enum\\USB key for devices";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my $reg;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+::logMsg("Launching usbdevices v.".$VERSION);
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ return;
+ }
+
+ my $key_path = $ccs."\\Enum\\USB";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar @subkeys > 0) {
+ foreach my $s (@subkeys) {
+ my @sk = $s->get_list_of_subkeys();
+ if (scalar @sk > 0) {
+ foreach my $s2 (@sk) {
+ ::rptMsg("");
+ eval {
+ my $desc = $s2->get_value("DeviceDesc")->get_data();
+ ::rptMsg($desc." [".$s->get_name()."\\".$s2->get_name()."]");
+ };
+
+ my $str;
+ eval {
+ my $class = $s2->get_value("Class")->get_data();
+ ::rptMsg(" Class : ".$class);
+ };
+
+ eval {
+ my $serv = $s2->get_value("Service")->get_data();
+ ::rptMsg(" Service : ".$serv);
+ };
+
+ eval {
+ my $serv = $s2->get_value("LocationInformation")->get_data();
+ ::rptMsg(" Location Information: ".$serv);
+ };
+
+ eval {
+ my $serv = $s2->get_value("Mfg")->get_data();
+ ::rptMsg(" Mfg : ".$serv);
+ };
+
+# eval {
+# if ($s2->get_value("Class")->get_data() eq "Image") {
+# ::rptMsg("Possible webcam at ".$s->get_name()."\\".$s2->get_name());
+# }
+# };
+# ::rptMsg("Error: ".$@) if ($@);
+ }
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
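Review bot: The per-device output in the inner `foreach my $s2 (@sk)` loop never reports the instance subkey's LastWrite time, although every sibling plugin here prints `gmtime($key->get_timestamp())` and that timestamp is usually the main reason an examiner runs a USB plugin; adding `::rptMsg(" LastWrite : ".gmtime($s2->get_timestamp())." (UTC)");` after the DeviceDesc line would fix that. The header comment `# Parses contents of Enum\USB key for web cam` no longer matches the code, since the `Class eq "Image"` webcam check is commented out and getShortDescr describes a generic device listing; either remove the dead block or change the header to `# Parses contents of Enum\USB key for devices (Class, Service, Location, Mfg)`. `my $str;` at the top of the loop body is unused, and the inner `my $class` shadows pluginmain's `$class` parameter, which is harmless but confusing.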
diff --git a/RecentActivity/release/rr/plugins/usbstor.pl b/RecentActivity/release/rr/plugins/usbstor.pl
new file mode 100644
index 0000000000..e0223805a4
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/usbstor.pl
@@ -0,0 +1,91 @@
+#-----------------------------------------------------------
+# usbstor
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package usbstor;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080418);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get USBStor key info";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching usbstor v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ return;
+ }
+
+ my $key_path = $ccs."\\Enum\\USBStor";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("USBStor");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]");
+
+ my @sk = $s->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $k (@sk) {
+ my $serial = $k->get_name();
+ ::rptMsg(" S/N: ".$serial." [".gmtime($k->get_timestamp())."]");
+ my $friendly;
+ eval {
+ $friendly = $k->get_value("FriendlyName")->get_data();
+ };
+ ::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne "");
+ my $parent;
+ eval {
+ $parent = $k->get_value("ParentIdPrefix")->get_data();
+ };
+ ::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne "");
+ }
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
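Review bot: `$current = $key->get_value("Current")->get_data();` dereferences the result of get_value without a check, so a Select key whose Current value is missing or unreadable makes the plugin die outside any eval, unlike every other value read in this file; guard it with `my $cur = $key->get_value("Current"); unless ($cur) { ::rptMsg("Select\\Current value not found."); return; }` and read `$cur->get_data()`. The control set name is then built as `"ControlSet00".$current`, which only produces the right key name for single-digit values; `sprintf("ControlSet%03d", $current)` is the robust form. The timestamps printed at `::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]");` and on the S/N line omit the "(UTC)" suffix the rest of the plugin set uses, which matters when this report is read next to local-time artifacts.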
diff --git a/RecentActivity/release/rr/plugins/usbstor2.pl b/RecentActivity/release/rr/plugins/usbstor2.pl
new file mode 100644
index 0000000000..b62283bb1c
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/usbstor2.pl
@@ -0,0 +1,134 @@
+#-----------------------------------------------------------
+# usbstor2
+# Similar to usbstor plugin, but prints output in .csv format;
+# also checks MountedDevices keys
+#
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package usbstor2;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080825);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get USBStor key info; csv output";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my $reg;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ return;
+ }
+
+ my $name_path = $ccs."\\Control\\ComputerName\\ComputerName";
+ my $comp_name;
+ eval {
+ $comp_name = $root_key->get_subkey($name_path)->get_value("ComputerName")->get_data();
+ };
+ $comp_name = "Test" if ($@);
+
+ my $key_path = $ccs."\\Enum\\USBStor";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $dev_class = $s->get_name();
+ my @sk = $s->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $k (@sk) {
+ my $serial = $k->get_name();
+ my $sn_lw = $k->get_timestamp();
+ my $str = $comp_name.",".$dev_class.",".$serial.",".$sn_lw;
+
+ my $friendly;
+ eval {
+ $friendly = $k->get_value("FriendlyName")->get_data();
+ $str .= ",".$friendly;
+ };
+ $str .= ", " if ($@);
+
+ my $parent;
+ eval {
+ $parent = $k->get_value("ParentIdPrefix")->get_data();
+ $str .= ",".$parent;
+
+ my $dev = checkMountedDevices($parent);
+ $str .= ",".$dev if ($dev);
+
+ };
+
+
+ ::rptMsg($str);
+ }
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+sub checkMountedDevices {
+ my $pip = shift;
+ my $root_key = $reg->get_root_key;
+ my $key_path = 'MountedDevices';
+ my $key;
+ my %md;
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ next unless ($name =~ m/^\\DosDevices/);
+ my $data = $v->get_data();
+ if (length($data) > 12) {
+ $data =~ s/\00//g;
+ return $name if (grep(/$pip/,$data));
+ }
+ }
+ }
+ }
+ else {
+ return undef;
+ }
+ return undef;
+}
+
+1;
\ No newline at end of file
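Review bot: In `checkMountedDevices`, `return $name if (grep(/$pip/,$data));` interpolates the ParentIdPrefix read from the hive directly into a regular expression, so any regex metacharacter in that value changes or breaks the match, and a pattern that fails to compile dies inside the caller's `eval` and silently drops the mount-point column for that row. A literal substring test is what is intended: `return $name if (index($data, $pip) >= 0);` (or `m/\Q$pip\E/`). Separately, `$comp_name = "Test" if ($@);` writes a fabricated hostname into the first column of an evidentiary CSV when ComputerName cannot be read; an explicit marker such as `"<ComputerName not found>"` avoids presenting invented data as fact. The `s/\00//g` null-stripping is a rough stand-in for decoding the UTF-16LE MountedDevices data and will mangle non-ASCII characters — worth a comment if it is kept.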
diff --git a/RecentActivity/release/rr/plugins/usbstor3.pl b/RecentActivity/release/rr/plugins/usbstor3.pl
new file mode 100644
index 0000000000..5215454818
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/usbstor3.pl
@@ -0,0 +1,103 @@
+#-----------------------------------------------------------
+# usbstor3
+# Collects USBStor information, output in .csv
+#
+# History
+# 20100312 - created
+#
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package usbstor3;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100312);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get USBStor key info";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching usbstor3 v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ return;
+ }
+
+ my $key_path = $ccs."\\Enum\\USBStor";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg("USBStor");
+# ::rptMsg($key_path);
+# ::rptMsg("");
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+# ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]");
+ my $name1 = $s->get_name();
+ my $time1 = gmtime($s->get_timestamp());
+
+ my @sk = $s->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $k (@sk) {
+ my $serial = $k->get_name();
+# ::rptMsg(" S/N: ".$serial." [".gmtime($k->get_timestamp())."]");
+ my $str = $name1.",".$time1.",".$serial.",".gmtime($k->get_timestamp());
+
+ my $friendly;
+ eval {
+ $friendly = $k->get_value("FriendlyName")->get_data();
+ $str .= ",".$friendly;
+ };
+ $str .= "," if ($@);
+# ::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne "");
+ my $parent;
+ eval {
+ $parent = $k->get_value("ParentIdPrefix")->get_data();
+ $str .= ",".$parent;
+ };
+ $str .= "," if ($@);
+# ::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne "");
+ ::rptMsg($str);
+ }
+ }
+# ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
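Review bot: getShortDescr returns "Get USBStor key info", the same text as usbstor.pl, so the plugin listing gives no hint that this variant emits CSV rows; `return "Get USBStor key info; csv output";` would match usbstor2's convention. The rows have no header line and the fields (FriendlyName in particular) are not quoted, so a consumer of this CSV has to learn the column order from the source — a leading `::rptMsg("Class,ClassLastWrite,Serial,SerialLastWrite,FriendlyName,ParentIdPrefix");` is worth considering if nothing downstream already depends on the raw layout. The six commented-out `::rptMsg` lines carried over from usbstor.pl are dead code and can be deleted.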
diff --git a/RecentActivity/release/rr/plugins/user_run.pl b/RecentActivity/release/rr/plugins/user_run.pl
new file mode 100644
index 0000000000..f982cfde9a
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/user_run.pl
@@ -0,0 +1,102 @@
+#-----------------------------------------------------------
+# user_run
+# Get contents of Run key from Software hive
+#
+# References:
+# http://msdn2.microsoft.com/en-us/library/aa376977.aspx
+# http://support.microsoft.com/kb/170086
+#
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package user_run;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20080328);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Autostart - get Run key contents from NTUSER\.DAT hive";
+}
+sub getDescr{}
+sub getRefs {
+ my %refs = ("Definition of the Run keys in the WinXP Registry" =>
+ "http://support.microsoft.com/kb/314866");
+ return %refs;
+}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching user_run v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my %vals = getKeyValues($key);
+ if (scalar(keys %vals) > 0) {
+ foreach my $v (keys %vals) {
+ ::rptMsg("\t".$v." -> ".$vals{$v});
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+
+ my @sk = $key->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $s (@sk) {
+ ::rptMsg("");
+ ::rptMsg($key_path."\\".$s->get_name());
+ ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
+ my %vals = getKeyValues($s);
+ foreach my $v (keys %vals) {
+ ::rptMsg("\t".$v." -> ".$vals{$v});
+ }
+ }
+ }
+ else {
+ ::rptMsg("");
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+
+sub getKeyValues {
+ my $key = shift;
+ my %vals;
+
+ my @vk = $key->get_list_of_values();
+ if (scalar(@vk) > 0) {
+ foreach my $v (@vk) {
+ next if ($v->get_name() eq "" && $v->get_data() eq "");
+ $vals{$v->get_name()} = $v->get_data();
+ }
+ }
+ else {
+
+ }
+ return %vals;
+}
+
+1;
\ No newline at end of file
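Review bot: The header comment `# Get contents of Run key from Software hive` contradicts the plugin's own configuration, which declares `hive => "NTUSER\.DAT"` and reads the per-user `Software\Microsoft\Windows\CurrentVersion\Run`; it should read `# Get contents of the user's Run key from the NTUSER.DAT hive`. The documentation would also benefit from stating why this key matters — each value's data is a command line launched at that user's logon, a common persistence location — so the reader knows to inspect the printed data rather than just its presence. In `getKeyValues` the empty `else {}` branch can be removed.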
diff --git a/RecentActivity/release/rr/plugins/user_win.pl b/RecentActivity/release/rr/plugins/user_win.pl
new file mode 100644
index 0000000000..107c71d4be
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/user_win.pl
@@ -0,0 +1,60 @@
+#-----------------------------------------------------------
+# user_win.pl
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package user_win;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080415);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return " -- ";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching user_win v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ eval {
+ my $load = $key->get_value("load")->get_data();
+ ::rptMsg("load value = ".$load);
+ ::rptMsg("*Should be blank; anything listed gets run when the user logs in.");
+ };
+
+ eval {
+ my $run = $key->get_value("run")->get_data();
+ ::rptMsg("run value = ".$run);
+ ::rptMsg("*Should be blank; anything listed gets run when the user logs in.");
+ };
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+1;
\ No newline at end of file
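Review bot: getShortDescr returns the placeholder `" -- "`, so this plugin is unidentifiable in any listing that relies on the short description; `return "Gets user's load and run values (Windows NT\\CurrentVersion\\Windows) - autostart";` describes what pluginmain actually reports. The file header has no purpose line either; a one-liner such as `# Checks the per-user load/run values, which should normally be blank` would match the other plugins. The advisory text is printed only when the value exists, so an absent value produces no output at all — acceptable, but a short comment saying so would stop a reader from mistaking silence for a failure.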
diff --git a/RecentActivity/release/rr/plugins/userassist.pl b/RecentActivity/release/rr/plugins/userassist.pl
new file mode 100644
index 0000000000..d523444e85
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/userassist.pl
@@ -0,0 +1,86 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# userassist.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# UserAssist values
+#
+# Change history
+# 20080726 - added reference to help examiner understand Control
+# Panel entries found in output
+# 20080301 - updated to include run count along with date
+#
+#
+#
+# copyright 2008 H. Carvey
+#-----------------------------------------------------------
+package userassist;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ osmask => 22,
+ version => 20080726);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Displays contents of UserAssist Active Desktop key";
+}
+sub getDescr{}
+sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching UserAssist (Active Desktop) v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\'.
+ '{75048700-EF1F-11D0-9888-006097DEACF9}\\Count';
+ my $key;
+ my %ua;
+ my $hrzr = "HRZR";
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("UserAssist (Active Desktop)");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $value_name = $v->get_name();
+ my $data = $v->get_data();
+ if (length($data) == 16) {
+ my ($session,$count,$val1,$val2) = unpack("V*",$data);
+ if ($val2 != 0) {
+ my $time_value = ::getTime($val1,$val2);
+ if ($value_name =~ m/^$hrzr/) {
+ $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/;
+ }
+ $count -= 5 if ($count > 5);
+ push(@{$ua{$time_value}},$value_name." (".$count.")");
+ }
+ }
+ }
+ foreach my $t (reverse sort {$a <=> $b} keys %ua) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$ua{$t}}) {
+ ::rptMsg("\t$item");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
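Review bot: `$count -= 5 if ($count > 5);` applies the XP run-count offset only when the raw value exceeds 5, so a raw value of exactly 5 — which under that offset denotes zero runs — is reported as 5; if the base-5 counter the code assumes is correct, the condition should be `$count -= 5 if ($count >= 5);`. The same line appears in userassist2.pl and userassist_tln.pl. A comment stating that the 16-byte layout unpacked by `unpack("V*",$data)` is session, run count, FILETIME low, FILETIME high would also help the next reader understand why `$val2 != 0` is the "has a timestamp" test.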
diff --git a/RecentActivity/release/rr/plugins/userassist2.pl b/RecentActivity/release/rr/plugins/userassist2.pl
new file mode 100644
index 0000000000..010b9899db
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/userassist2.pl
@@ -0,0 +1,125 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# userassist2.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# UserAssist values
+#
+# Change history
+# 20100322 - Added CLSID list reference
+# 20100308 - created, based on original userassist.pl plugin
+#
+# References
+# Control Panel Applets - http://support.microsoft.com/kb/313808
+# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package userassist2;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100308);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Displays contents of UserAssist subkeys";
+}
+sub getDescr{}
+sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching userassist2 v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist";
+ my $key;
+
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("UserAssist");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg($s->get_name());
+ processKey($s);
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+sub processKey {
+ my $ua = shift;
+
+ my $key = $ua->get_subkey("Count");
+
+ my %ua;
+ my $hrzr = "HRZR";
+
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $value_name = $v->get_name();
+ my $data = $v->get_data();
+
+# Windows XP/2003/Vista/2008
+ if (length($data) == 16) {
+ my ($session,$count,$val1,$val2) = unpack("V*",$data);
+ if ($val2 != 0) {
+ my $time_value = ::getTime($val1,$val2);
+ if ($value_name =~ m/^$hrzr/) {
+ $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/;
+ }
+ $count -= 5 if ($count > 5);
+ push(@{$ua{$time_value}},$value_name." (".$count.")");
+ }
+ }
+# Windows 7
+ elsif (length($data) == 72) {
+ $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/;
+# if (unpack("V",substr($data,0,4)) == 0) {
+# my $count = unpack("V",substr($data,4,4));
+# my @t = unpack("VV",substr($data,60,8));
+# next if ($t[0] == 0 && $t[1] == 0);
+# my $time_val = ::getTime($t[0],$t[1]);
+# print " .-> ".$time_val."\n";
+# push(@{$ua{$time_val}},$value_name." (".$count.")");
+# }
+ my $count = unpack("V",substr($data,4,4));
+ my @t = unpack("VV",substr($data,60,8));
+ next if ($t[0] == 0 && $t[1] == 0);
+ my $time_val = ::getTime($t[0],$t[1]);
+ push(@{$ua{$time_val}},$value_name." (".$count.")");
+ }
+ else {
+# Nothing else to do
+ }
+ }
+ foreach my $t (reverse sort {$a <=> $b} keys %ua) {
+ ::rptMsg(gmtime($t)." Z");
+ foreach my $i (@{$ua{$t}}) {
+ ::rptMsg(" ".$i);
+ }
+ }
+ }
+}
+1;
\ No newline at end of file
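Review bot: In processKey, `my $key = $ua->get_subkey("Count");` is used unconditionally by `$key->get_list_of_values()`, so a UserAssist GUID subkey without a Count subkey makes the whole plugin die, and the pluginmain loop has no eval around processKey; insert `return unless (defined $key);` right after the lookup. The `%config` hash sets `hasRefs => 0` while getRefs returns a reference and the header lists two, so the framework will not surface them; set `hasRefs => 1`. The commented-out Windows 7 block at the start of the 72-byte branch duplicates the live code that follows it and should be removed.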
diff --git a/RecentActivity/release/rr/plugins/userassist_tln.pl b/RecentActivity/release/rr/plugins/userassist_tln.pl
new file mode 100644
index 0000000000..ea87cb3787
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/userassist_tln.pl
@@ -0,0 +1,114 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# userassist_tln.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# UserAssist values
+#
+# Change history
+# 20110516 - created, modified from userassist2.pl
+# 20100322 - Added CLSID list reference
+# 20100308 - created, based on original userassist.pl plugin
+#
+# References
+# Control Panel Applets - http://support.microsoft.com/kb/313808
+# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm
+#
+# copyright 2011 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package userassist_tln;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20110516);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Displays contents of UserAssist subkeys in TLN format";
+}
+sub getDescr{}
+sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching userassist_tln v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist";
+ my $key;
+
+ if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg("UserAssist");
+# ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+# ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg($s->get_name());
+ processKey($s);
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::logMsg($key_path." not found.");
+ }
+}
+
+sub processKey {
+ my $ua = shift;
+ my $key = $ua->get_subkey("Count");
+ my %ua;
+ my $hrzr = "HRZR";
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $value_name = $v->get_name();
+ my $data = $v->get_data();
+
+# Windows XP/2003/Vista/2008
+ if (length($data) == 16) {
+ my ($session,$count,$val1,$val2) = unpack("V*",$data);
+ if ($val2 != 0) {
+ my $time_value = ::getTime($val1,$val2);
+ if ($value_name =~ m/^$hrzr/) {
+ $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/;
+ }
+ $count -= 5 if ($count > 5);
+ push(@{$ua{$time_value}},$value_name." (".$count.")");
+ }
+ }
+# Windows 7
+ elsif (length($data) == 72) {
+ $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/;
+ my $count = unpack("V",substr($data,4,4));
+ my @t = unpack("VV",substr($data,60,8));
+ next if ($t[0] == 0 && $t[1] == 0);
+ my $time_val = ::getTime($t[0],$t[1]);
+ push(@{$ua{$time_val}},$value_name." (".$count.")");
+ }
+ else {
+# Nothing else to do
+ }
+ }
+ foreach my $t (reverse sort {$a <=> $b} keys %ua) {
+ foreach my $i (@{$ua{$t}}) {
+ ::rptMsg($t."|REG|||UserAssist - ".$i);
+ }
+ }
+ }
+}
+1;
\ No newline at end of file
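Review bot: The pluginmain loop still emits `::rptMsg($s->get_name());` and `::rptMsg("");` for each GUID subkey, but this plugin's purpose is TLN output where every line is `time|REG|||description`, so these two bare lines corrupt the timeline stream that processKey produces; comment them out like the header lines above them, or send the subkey name to `::logMsg` instead. The same undefined-Count hazard as in userassist2 applies here: add `return unless (defined $key);` after `my $key = $ua->get_subkey("Count");`. The TLN records leave the system and user fields empty (`REG|||`), presumably to be filled in by the caller — a comment stating that would help.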
diff --git a/RecentActivity/release/rr/plugins/userinit.pl b/RecentActivity/release/rr/plugins/userinit.pl
new file mode 100644
index 0000000000..b6664b8626
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/userinit.pl
@@ -0,0 +1,63 @@
+#-----------------------------------------------------------
+# userinit
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package userinit;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ version => 20080328);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets UserInit value";
+}
+sub getDescr{}
+sub getRefs {
+ my %refs = ("My Documents open at startup" =>
+ "http://support.microsoft.com/kb/555294",
+ "Userinit" =>
+ "http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/12330.mspx?mfr=true");
+ return %refs;
+}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching userinit v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my $ui;
+ eval {
+ $ui = $key->get_value("Userinit")->get_data();
+ ::rptMsg("\tUserinit -> ".$ui);
+ };
+ ::rptMsg("Error: ".$@) if ($@);
+ ::rptMsg("");
+ ::rptMsg("Per references, content should be %SystemDrive%\\system32\\userinit.exe,");
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+1;
\ No newline at end of file
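Review bot: The guidance line `::rptMsg("Per references, content should be %SystemDrive%\\system32\\userinit.exe,");` names `%SystemDrive%\system32`, which expands to `C:\system32` rather than the Windows system directory; unless the cited KB really says so, `%SystemRoot%\\system32\\userinit.exe,` is the baseline an examiner should compare against, and a wrong baseline here can get a legitimate value flagged or a malicious one missed. Since appending extra comma-separated programs to Userinit is a well-known persistence technique, the plugin could also split the value and report how many entries it holds, e.g. `my @ui = grep { length } split(/,/, $ui); ::rptMsg("*Userinit lists ".scalar(@ui)." program(s); more than one is unusual.");`. The `::rptMsg("Error: ".$@) if ($@);` message would read better as "Userinit value not found.", since a missing value is the likeliest failure that eval will catch.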
diff --git a/RecentActivity/release/rr/plugins/userlocsvc.pl b/RecentActivity/release/rr/plugins/userlocsvc.pl
new file mode 100644
index 0000000000..3974a036e1
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/userlocsvc.pl
@@ -0,0 +1,62 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# userlocsvc.pl
+# Get the contents of the Microsoft\User Location Service\Clients key
+# from the user's hive
+#
+# Ref:
+# http://support.microsoft.com/kb/196301
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package userlocsvc;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20090411);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Displays contents of User Location Service\\Client key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching UserLocSvc v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+ my $key_path = 'Software\\Microsoft\\User Location Service\\Client';
+ my $key;
+ my %ua;
+ my $hrzr = "HRZR";
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $str = sprintf "%-15s %-30s",$v->get_name(),$v->get_data();
+ ::rptMsg($str) if ($v->get_type() == 1);
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
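Review bot: `my %ua;` and `my $hrzr = "HRZR";` at the top of pluginmain are never used and look like leftovers from another plugin; remove them. The sprintf in the value loop is evaluated for every value before the `get_type() == 1` test, so binary data is formatted and then discarded — `next unless ($v->get_type() == 1);` at the top of the loop body avoids that. The not-found branch also omits the `::logMsg` call the sibling plugins emit, so the log gives no reason when this plugin produces no report output.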
diff --git a/RecentActivity/release/rr/plugins/virut.pl b/RecentActivity/release/rr/plugins/virut.pl
new file mode 100644
index 0000000000..eed5fc2a60
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/virut.pl
@@ -0,0 +1,66 @@
+#-----------------------------------------------------------
+# virut.pl
+# Plugin to detect artifacts of a Virut infection
+#
+# References:
+# Symantec: http://www.symantec.com/security_response/
+# writeup.jsp?docid=2009-020411-2802-99&tabid=2
+#
+#
+#
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package virut;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090218);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Detect Virut artifacts";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching virut v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $update;
+ eval {
+ $update = $key->get_value("UpdateHost")->get_data();
+ ::rptMsg("UpdateHost value detected! Possible Virut infection!");
+ };
+ ::rptMsg("UpdateHost value not found.") if ($@);
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+ ::rptMsg("Also be sure to check the SYSTEM\\ControlSet00n\\Services\\SharedAccess\\");
+ ::rptMsg("Parameters\\FirewallPolicy\\DomainProfile\\AuthorizedApplications\\List key");
+ ::rptMsg("for exceptions added to the firewall; use the fw_config\.pl plugin.");
+}
+1;
\ No newline at end of file
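Review bot: `$update` receives the UpdateHost data inside the eval but is never reported, so the analyst sees the alert without the value that triggered it; add `::rptMsg("UpdateHost -> ".$update);` after the detection message (running it through a hex-dump helper if the type is REG_BINARY, which the block does not check). The `if ($@)` after the eval conflates "value absent" with any other failure inside the block, so a parse error also prints "UpdateHost value not found."; testing `$key->get_value("UpdateHost")` for definedness first keeps the two cases distinguishable. The trailing firewall hint is printed even when the Explorer key was not found, which is presumably intended but worth a comment.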
diff --git a/RecentActivity/release/rr/plugins/vista_bitbucket.pl b/RecentActivity/release/rr/plugins/vista_bitbucket.pl
new file mode 100644
index 0000000000..6fa27c55a5
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/vista_bitbucket.pl
@@ -0,0 +1,88 @@
+#-----------------------------------------------------------
+# vista_bitbucket
+# BitBucket settings for Vista $Recylce.bin are maintained on a
+# per-user, per-volume basis
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package vista_bitbucket;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 192,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080420);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get BitBucket settings from Vista via NTUSER\.DAT";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching vista_bitbucket v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ ::rptMsg($v->get_name()." : ".$v->get_data());
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ ::rptMsg("");
+
+ my @vols;
+ eval {
+ @vols = $key->get_subkey("Volume")->get_list_of_subkeys();
+ };
+ if ($@) {
+ ::rptMsg("Could not access ".$key_path."\\Volume subkey.");
+ return;
+ }
+
+ if (scalar(@vols) > 0) {
+ foreach my $v (@vols) {
+ ::rptMsg($v->get_name()." [".gmtime($v->get_timestamp())."] (UTC)");
+ eval {
+ ::rptMsg(sprintf " %-15s %-3s","NukeOnDelete",$v->get_value("NukeOnDelete")->get_data());
+ };
+
+
+ }
+
+ }
+ else {
+ ::rptMsg($key_path."\\Volume key has no subkeys.");
+ }
+
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+1;
\ No newline at end of file
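Review bot: The eval around `::rptMsg(sprintf " %-15s %-3s","NukeOnDelete",$v->get_value("NukeOnDelete")->get_data());` never inspects `$@`, so a volume without that value is reported with its name and timestamp only and no indication that the setting was absent; add `::rptMsg(" NukeOnDelete value not found.") if ($@);` after the block, matching how the Volume lookup above is handled. The value loop above prints `$v->get_data()` for every value type, so REG_BINARY data would go into the report raw — the `_translateBinary` helper used by the win_cv and winlogon plugins in this commit would fit here. The header comment spells the folder `$Recylce.bin`; `$Recycle.bin` is the intended name.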
diff --git a/RecentActivity/release/rr/plugins/vista_comdlg32.pl b/RecentActivity/release/rr/plugins/vista_comdlg32.pl
new file mode 100644
index 0000000000..d20b8fb89d
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/vista_comdlg32.pl
@@ -0,0 +1,145 @@
+#-----------------------------------------------------------
+# vista_comdlg32.pl
+# Plugin for Registry Ripper
+#
+# Change history
+# 20090821 - created
+#
+# References
+#
+#
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package vista_comdlg32;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20090821);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of Vista user's ComDlg32 key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching vista_comdlg32 v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("vista_comdlg32 v.".$VERSION);
+ ::rptMsg("**All values listed in MRU order.");
+
+# CIDSizeMRU
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\CIDSizeMRU";
+ my $key;
+ my @vals;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my %lvmru;
+ my @mrulist;
+ @vals = $key->get_list_of_values();
+
+ if (scalar(@vals) > 0) {
+# First, read in all of the values and the data
+ foreach my $v (@vals) {
+ $lvmru{$v->get_name()} = $v->get_data();
+ }
+# Then, remove the MRUList value
+ if (exists $lvmru{MRUListEx}) {
+ delete($lvmru{MRUListEx});
+ foreach my $m (keys %lvmru) {
+ my $file = parseStr($lvmru{$m});
+ my $str = sprintf "%-4s ".$file,$m;
+ ::rptMsg(" ".$str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." does not have an MRUList value.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+
+# LastVistedPidlMRU
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRU";
+ my $key;
+ my @vals;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my %lvmru;
+ my @mrulist;
+ @vals = $key->get_list_of_values();
+
+ if (scalar(@vals) > 0) {
+# First, read in all of the values and the data
+ foreach my $v (@vals) {
+ $lvmru{$v->get_name()} = $v->get_data();
+ }
+# Then, remove the MRUList value
+ if (exists $lvmru{MRUListEx}) {
+ delete($lvmru{MRUListEx});
+ foreach my $m (keys %lvmru) {
+ my $file = parseStr($lvmru{$m});
+ my $str = sprintf "%-4s ".$file,$m;
+ ::rptMsg(" ".$str);
+ }
+ }
+ else {
+ ::rptMsg($key_path." does not have an MRUList value.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+
+
+}
+
+sub parseStr {
+ my $data = $_[0];
+ my $temp;
+ my $tag = 1;
+ my $ofs = 0;
+
+ while ($tag) {
+ my $t = substr($data,$ofs,2);
+ if (unpack("v",$t) == 0x00) {
+ $tag = 0;
+ }
+ else {
+ $temp .= $t;
+ $ofs += 2;
+ }
+ }
+ $temp =~ s/\00//g;
+ return $temp;
+}
+1;
\ No newline at end of file
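Review bot: `my $str = sprintf "%-4s ".$file,$m;` (in both the CIDSizeMRU and LastVisitedPidlMRU loops) concatenates registry data into the sprintf format string, so a file name containing `%` is interpreted as a format directive and can garble the report or raise warnings; use `my $str = sprintf "%-4s %s",$m,$file;` so the data is an argument rather than part of the format. The banner promises "All values listed in MRU order", but both loops delete MRUListEx and then iterate `keys %lvmru`, which is hash order — the MRUListEx data should be unpacked with `unpack("V*", ...)` and used to drive the output order, as the wallpaper plugin in this commit does. `$key_path`, `$key` and `@vals` are declared twice with `my` in the same scope, which `use warnings` (absent here) would flag. In parseStr the `while ($tag)` loop only stops on a 0x0000 word, so for unterminated data it relies on substr/unpack returning undef past the end; bounding it with `$ofs < length($data)` makes termination explicit.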
diff --git a/RecentActivity/release/rr/plugins/vista_wireless.pl b/RecentActivity/release/rr/plugins/vista_wireless.pl
new file mode 100644
index 0000000000..f6b74bcf7a
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/vista_wireless.pl
@@ -0,0 +1,80 @@
+#-----------------------------------------------------------
+# vista_wireless
+#
+# Get Wireless info from Vista systems
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package vista_wireless;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20090514);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get Vista Wireless Info";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my $error;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching vista_wireless v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ my $lastwrite = $s->get_timestamp();
+
+ my $nametype;
+ eval {
+ $nametype = $s->get_value("NameType")->get_data();
+ };
+ if ($@) {
+
+ }
+ else {
+ if ($nametype == 0x47) {
+ my $profilename;
+ my $descr;
+ eval {
+ ::rptMsg("LastWrite = ".gmtime($lastwrite)." Z");
+ $profilename = $s->get_value("ProfileName")->get_data();
+ $descr = $s->get_value("Description")->get_data();
+ ::rptMsg(" ".$profilename." [".$descr."]");
+
+ };
+ }
+ }
+
+
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
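Review bot: The `if ($@) { }` branch after the NameType eval is empty, and the second eval (ProfileName/Description) silently discards any failure, so a profile lacking a Description prints its LastWrite line and nothing else with no indication why. Replacing the empty branch with `next if ($@);` and adding `::rptMsg(" ProfileName/Description value not found.") if ($@);` after the second eval keeps the report self-explaining. `my $error;` at file scope is never used. The `0x47` NameType filter is undocumented in the hunk; a comment such as `# NameType 0x47 = wireless profile; wired (0x06) and broadband (0x17) profiles are skipped` would spare the next reader a lookup.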
diff --git a/RecentActivity/release/rr/plugins/vncviewer.pl b/RecentActivity/release/rr/plugins/vncviewer.pl
new file mode 100644
index 0000000000..82049c93bd
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/vncviewer.pl
@@ -0,0 +1,68 @@
+#-----------------------------------------------------------
+# vncviewer
+#
+#
+#-----------------------------------------------------------
+package vncviewer;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080325);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get VNCViewer system list";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching vncviewer v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Software\\ORL\\VNCviewer\\MRU";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("VNCViewer\\MRU");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %vnc;
+ foreach my $v (@vals) {
+ $vnc{$v->get_name()} = $v->get_data();
+ }
+ my $ind;
+ if (exists $vnc{'index'}) {
+ $ind = $vnc{'index'};
+ delete $vnc{'index'};
+ }
+
+ ::rptMsg("Index = ".$ind);
+ my @i = split(//,$ind);
+ foreach my $i (@i) {
+ ::rptMsg(" ".$i." -> ".$vnc{$i});
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
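Review bot: `$ind` stays undef when the MRU key has no `index` value, so `::rptMsg("Index = ".$ind)` prints an empty index and the loop over `split(//,$ind)` emits nothing, although `%vnc` still holds the host entries; when `$ind` is not defined, fall back to iterating `sort keys %vnc` and print a note that the index was missing so the systems are still reported. Index characters with no matching value (`$vnc{$i}` undef) likewise print `-> ` with nothing after it; an explicit defined check with a placeholder such as `(no value)` makes that visible. The header block has no description or copyright line, unlike the sibling plugins.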
diff --git a/RecentActivity/release/rr/plugins/wallpaper.pl b/RecentActivity/release/rr/plugins/wallpaper.pl
new file mode 100644
index 0000000000..2d930cb0b1
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/wallpaper.pl
@@ -0,0 +1,90 @@
+#-----------------------------------------------------------
+# wallpaper.pl
+#
+# Wallpaper MRU
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package wallpaper;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 200800810);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Parses Wallpaper MRU Entries";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching wallpaper v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("wallpaper");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my %wp;
+ my @mrulist;
+
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (sort @vals) {
+ my $name = $v->get_name();
+ if ($name =~ m/^\d/) {
+ my $data = $v->get_data();
+ my $str = getStringValue($data);
+ $wp{$name} = $str;
+ }
+ elsif ($name =~ m/^MRUList/) {
+ @mrulist = unpack("V*",$v->get_data());
+ }
+ else {
+# nothing to do
+ }
+ }
+ foreach my $m (@mrulist) {
+ next if ($m == 0xffffffff);
+ ::rptMsg($m." -> ".$wp{$m});
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+#-----------------------------------------------------------
+# getStringValue() - given a binary data type w/ a Unicode
+# string at the beginning, delimited by \x00\x00, return an ASCII
+# string
+#-----------------------------------------------------------
+sub getStringValue {
+ my $bin = shift;
+ my $str = (split(/\00\00/,$bin,2))[0];
+ $str =~ s/\00//g;
+ return $str;
+}
+1;
\ No newline at end of file
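Review bot: `version => 200800810` has nine digits where every other plugin in this commit uses YYYYMMDD; presumably `20080810` was intended, and the mistyped value will sort oddly in any version listing. `foreach my $v (sort @vals)` sorts value objects by their stringified reference, which is arbitrary; since output order comes from `@mrulist` anyway, plain `@vals` suffices. In getStringValue, splitting the raw bytes on `\00\00` can match a null pair that straddles a UTF-16LE code-unit boundary (e.g. a unit whose low byte is 0x00) and truncate the string early; scanning for the terminator on 2-byte alignment, or decoding as UTF-16LE up to the first null code unit, is more robust.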
diff --git a/RecentActivity/release/rr/plugins/win7_ua.pl b/RecentActivity/release/rr/plugins/win7_ua.pl
new file mode 100644
index 0000000000..be2ea1afa8
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/win7_ua.pl
@@ -0,0 +1,140 @@
+#-----------------------------------------------------------
+# win7_ua.pl
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package win7_ua;
+use strict;
+my $vignerekey = "BWHQNKTEZYFSLMRGXADUJOPIVC";
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090121);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get Win7 UserAssist data";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching win7_ua v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @subkeys = $key->get_list_of_subkeys();
+
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ print $s->get_name()."\n";
+
+ my @vals = $s->get_subkey("Count")->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = decrypt_string($v->get_name(),$vignerekey);
+ my $data = $v->get_data();
+ ::rptMsg(" ".$name);
+ if (length($data) == 72) {
+ my %vals = parseData($data);
+ ::rptMsg(" Counter 1 = ".$vals{counter1});
+ ::rptMsg(" Counter 2 = ".$vals{counter2});
+ ::rptMsg(" Runtime = ".$vals{runtime}." ms");
+ ::rptMsg(" Last Run = ".$vals{lastrun});
+ ::rptMsg(" MRU = ".$vals{mru});
+ }
+ }
+
+ }
+ else {
+ ::rptMsg($key_path."\\".$s->get_name()." has no values.");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
+
+sub decrypt_string{
+# decrypts a full string of ciphertext, given the ciphertext and the key.
+# returns the plaintext string.
+ my ($ciphertext, $key) = @_;
+ my $plaintext;
+ my @plain;
+
+ $key = $key x (length($ciphertext) / length($key) + 1);
+
+ my @cipherletters = split(//,$ciphertext);
+ foreach my $i (0..(scalar(@cipherletters) - 1)) {
+# print "Cipher letter => ".$cipherletters[$i]."\n";
+ if ($cipherletters[$i] =~ m/\w/ && !($cipherletters[$i] =~ m/\d/)) {
+# print "Decrypting ".$cipherletters[$i]." with ".(substr($key,$i,1))."\n";
+ $plain[$i] = decrypt_letter($cipherletters[$i], (substr($key,$i,1)));
+ }
+ else {
+ $plain[$i] = $cipherletters[$i];
+ }
+ }
+
+# for( my $i=0; $i= 65 && ord($cipher) <= 90);
+
+# in row n, plaintext is ciphertext - n, mod 26.
+ $row = ord(lc($row)) - ord('a'); # enable mod 26
+ $cipher = ord(lc($cipher)) - ord('a'); # enable mod 26
+ $plain = ($cipher - $row) % 26;
+ $plain = chr($plain + ord('a'));
+
+ $plain = uc($plain) if ($upper == 1);
+ return $plain;
+}
+
+sub parseData {
+ my $data = shift;
+ my %vals;
+
+ $vals{counter1} = unpack("V",substr($data,4,4));
+ $vals{counter2} = unpack("V",substr($data,8,4));
+ $vals{runtime} = unpack("V",substr($data,12,4));
+ my @a = unpack("VV",substr($data,60,8));
+ my $t = ::getTime($a[0],$a[1]);
+ ($t == 0) ? ($vals{lastrun} = 0) : ($vals{lastrun} = gmtime($t));
+
+ $vals{mru} = unpack("V",substr($data,68,4));
+ return %vals;
+
+}
\ No newline at end of file
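Review bot: `print $s->get_name()."\n";` writes the UserAssist subkey name to STDOUT while every other line of the plugin goes through `::rptMsg`, so the report file loses the heading that groups the decoded entries; change it to `::rptMsg($s->get_name());`. `$s->get_subkey("Count")->get_list_of_values()` is unguarded, so a UserAssist subkey without a Count child dies and aborts the whole plugin; wrap it in the eval-and-report pattern the other plugins use. The hunk as rendered looks truncated at `# for( my $i=0; $i= 65 && ord($cipher) <= 90);` — the end of decrypt_string and the `sub decrypt_letter` signature are missing (text between `<` and `>` appears to have been dropped), so that part cannot be reviewed from this page. `1;` sits before the later sub definitions; that is harmless in Perl but moving it to the end of the file would match the other plugins.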
diff --git a/RecentActivity/release/rr/plugins/win_cv.pl b/RecentActivity/release/rr/plugins/win_cv.pl
new file mode 100644
index 0000000000..977eeb7920
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/win_cv.pl
@@ -0,0 +1,85 @@
+#-----------------------------------------------------------
+# win_cv.pl
+# Get and display the contents of the Windows\CurrentVersion key
+# Output sorted based on length of data
+#
+# Change History:
+# 20080609: added translation of InstallDate time
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package win_cv;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20090312);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get & display the contents of the Windows\\CurrentVersion key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching win_cv v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows\\CurrentVersion";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my %cv;
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ my $len = length($data);
+ next if ($name eq "");
+ if ($v->get_type() == 3) {
+ $data = _translateBinary($data);
+ }
+ push(@{$cv{$len}},$name." : ".$data);
+ }
+ foreach my $t (sort {$a <=> $b} keys %cv) {
+ foreach my $item (@{$cv{$t}}) {
+ ::rptMsg(" $item");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+
+sub _translateBinary {
+ my $str = unpack("H*",$_[0]);
+ my $len = length($str);
+ my @nstr = split(//,$str,$len);
+ my @list = ();
+ foreach (0..($len/2)) {
+ push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
+ }
+ return join(' ',@list);
+}
+1;
\ No newline at end of file
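Review bot: `_translateBinary` iterates `foreach (0..($len/2))`, one past the last hex pair, so the final element is built from two undefined entries and the returned string ends with a stray space (`"01 02 "`); the bound should be `0..($len/2 - 1)`, or the whole helper can become `return join(' ', unpack("(H2)*", $_[0]));`. The same copy of the helper appears in winlogon.pl, winlogon_u.pl and winnt_cv.pl in this commit and carries the same defect. The change-history line `20080609: added translation of InstallDate time` does not match this plugin's code, which never touches InstallDate (winnt_cv.pl does); the header was presumably copied from there.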
diff --git a/RecentActivity/release/rr/plugins/winlogon.pl b/RecentActivity/release/rr/plugins/winlogon.pl
new file mode 100644
index 0000000000..6808f3e278
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/winlogon.pl
@@ -0,0 +1,98 @@
+#-----------------------------------------------------------
+# WinLogon
+# Get values from WinLogon key
+#
+# History
+# 20100219 - Updated output to better present some data
+# 20080415 - created
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package winlogon;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100219);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get values from the WinLogon key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching winlogon v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %wl;
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ my $len = length($data);
+ next if ($name eq "");
+ if ($v->get_type() == 3 && $name ne "DCacheUpdate") {
+ $data = _translateBinary($data);
+ }
+
+ $data = sprintf "0x%x",$data if ($name eq "SfcQuota");
+ if ($name eq "DCacheUpdate") {
+ my @v = unpack("VV",$data);
+ $data = gmtime(::getTime($v[0],$v[1]));
+ }
+
+ push(@{$wl{$len}},$name." = ".$data);
+ }
+
+ foreach my $t (sort {$a <=> $b} keys %wl) {
+ foreach my $item (@{$wl{$t}}) {
+ ::rptMsg(" $item");
+ }
+ }
+
+ ::rptMsg("");
+ ::rptMsg("Analysis Tips: The UserInit and Shell values are executed when a user logs on.");
+
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+
+sub _translateBinary {
+ my $str = unpack("H*",$_[0]);
+ my $len = length($str);
+ my @nstr = split(//,$str,$len);
+ my @list = ();
+ foreach (0..($len/2)) {
+ push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
+ }
+ return join(' ',@list);
+}
+1;
\ No newline at end of file
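Review bot: The closing analysis tip (`Analysis Tips: The UserInit and Shell values are executed when a user logs on.`) leaves the comparison to the reader; printing the documented defaults alongside — `Shell` is normally `explorer.exe` and `Userinit` normally `C:\Windows\system32\userinit.exe,` (trailing comma included) — lets a modified value stand out in the report. The DCacheUpdate branch calls `unpack("VV",$data)` without checking that the data is 8 bytes, so a short or absent value presumably yields a misleading epoch timestamp from `gmtime(::getTime(...))`; guard it with `length($data) == 8` and report the raw bytes otherwise.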
diff --git a/RecentActivity/release/rr/plugins/winlogon_u.pl b/RecentActivity/release/rr/plugins/winlogon_u.pl
new file mode 100644
index 0000000000..f2355efe83
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/winlogon_u.pl
@@ -0,0 +1,90 @@
+#-----------------------------------------------------------
+# winlogon_u
+# Get values from user's WinLogon key
+#
+# Change History:
+# 20091021 - created
+#
+# References:
+# http://support.microsoft.com/kb/119941
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package winlogon_u;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20091021);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get values from the user's WinLogon key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching winlogon_u v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my %wl;
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ my $len = length($data);
+ next if ($name eq "");
+ if ($v->get_type() == 3) {
+ $data = _translateBinary($data);
+ }
+ push(@{$wl{$len}},$name." = ".$data);
+ }
+
+ foreach my $t (sort {$a <=> $b} keys %wl) {
+ foreach my $item (@{$wl{$t}}) {
+ ::rptMsg(" $item");
+ }
+ }
+
+ ::rptMsg("");
+ ::rptMsg("Analysis Tip: Existence of RunGrpConv = 1 value may indicate that the");
+ ::rptMsg(" system had been infected with Bredolab (Symantec).");
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+sub _translateBinary {
+ my $str = unpack("H*",$_[0]);
+ my $len = length($str);
+ my @nstr = split(//,$str,$len);
+ my @list = ();
+ foreach (0..($len/2)) {
+ push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
+ }
+ return join(' ',@list);
+}
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/winnt_cv.pl b/RecentActivity/release/rr/plugins/winnt_cv.pl
new file mode 100644
index 0000000000..537ced5ca8
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/winnt_cv.pl
@@ -0,0 +1,87 @@
+#-----------------------------------------------------------
+# winnt_cv.pl
+# Get and display the contents of the Windows\CurrentVersion key
+# Output sorted based on length of data
+#
+# Change History:
+# 20080609: added translation of InstallDate time
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package winnt_cv;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080609);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get & display the contents of the Windows NT\\CurrentVersion key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching winnt_cv v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("WinNT_CV");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my %cv;
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ $data = gmtime($data)." (UTC)" if ($name eq "InstallDate");
+ my $len = length($data);
+ next if ($name eq "");
+ if ($v->get_type() == 3) {
+ $data = _translateBinary($data);
+ }
+ push(@{$cv{$len}},$name." : ".$data);
+ }
+ foreach my $t (sort {$a <=> $b} keys %cv) {
+ foreach my $item (@{$cv{$t}}) {
+ ::rptMsg(" $item");
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
+
+sub _translateBinary {
+ my $str = unpack("H*",$_[0]);
+ my $len = length($str);
+ my @nstr = split(//,$str,$len);
+ my @list = ();
+ foreach (0..($len/2)) {
+ push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
+ }
+ return join(' ',@list);
+}
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/winrar.pl b/RecentActivity/release/rr/plugins/winrar.pl
new file mode 100644
index 0000000000..f66f06ff65
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/winrar.pl
@@ -0,0 +1,66 @@
+#-----------------------------------------------------------
+# winrar.pl
+# Get WinRAR\ArcHistory entries
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package winrar;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080819);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get WinRAR\\ArcHistory entries";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching winrar v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\WinRAR\\ArcHistory";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("WinRAR");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my %arc;
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ $arc{$v->get_name()} = $v->get_data();
+ }
+
+ foreach (sort keys %arc) {
+ ::rptMsg($_." -> ".$arc{$_});
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+1;
\ No newline at end of file
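Review bot: `foreach (sort keys %arc)` sorts the ArcHistory value names as strings; those names are small decimal indices (0, 1, 2, …), so once there are more than ten entries "10" sorts before "2" and the history order in the report is wrong. Use `sort { $a <=> $b } keys %arc` as win_cv.pl in this commit does for its numeric keys, assuming every name is numeric; if non-numeric names are possible, a `grep { /^\d+$/ }` split with a string-sorted remainder covers them.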
diff --git a/RecentActivity/release/rr/plugins/winver.pl b/RecentActivity/release/rr/plugins/winver.pl
new file mode 100644
index 0000000000..d59262e596
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/winver.pl
@@ -0,0 +1,107 @@
+#-----------------------------------------------------------
+# winver.pl
+#
+# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package winver;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20081210);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get Windows version";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching winver v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg("{name}");
+# ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my $prod;
+ eval {
+ $prod = $key->get_value("ProductName")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("ProductName value not found.");
+ }
+ else {
+ ::rptMsg("ProductName = ".$prod);
+ }
+
+ my $csd;
+ eval {
+ $csd = $key->get_value("CSDVersion")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("CSDVersion value not found.");
+ }
+ else {
+ ::rptMsg("CSDVersion = ".$csd);
+ }
+
+
+ my $build;
+ eval {
+ $build = $key->get_value("BuildName")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("BuildName value not found.");
+ }
+ else {
+ ::rptMsg("BuildName = ".$build);
+ }
+
+ my $buildex;
+ eval {
+ $buildex = $key->get_value("BuildNameEx")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("BuildName value not found.");
+ }
+ else {
+ ::rptMsg("BuildNameEx = ".$buildex);
+ }
+
+
+ my $install;
+ eval {
+ $install = $key->get_value("InstallDate")->get_data();
+ };
+ if ($@) {
+# ::rptMsg("InstallDate value not found.");
+ }
+ else {
+ ::rptMsg("InstallDate = ".gmtime($install));
+ }
+
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+1;
\ No newline at end of file
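Review bot: The five eval/if-else blocks in pluginmain are the same code pasted five times and the copy has already drifted (the commented-out message under the BuildNameEx block still says "BuildName value not found."), so a loop over the value names is easier to keep correct; the rewrite below preserves the silent skip-on-missing behaviour while printing InstallDate with the `(UTC)` tag the other plugins put after gmtime(). I don't recall `BuildName`/`BuildNameEx` as standard `Windows NT\CurrentVersion` values (`BuildLab`/`BuildLabEx` and `CurrentBuildNumber` are what I'd expect), and since a missing value is skipped silently nothing here would reveal a wrong name, so that is worth confirming against a real Software hive. Note that a missing value only surfaces because `get_value()` returns undef and the chained `->get_data()` dies inside the eval, which is what the `$@` test relies on.
```perl
	if ($key = $root_key->get_subkey($key_path)) {
		# … unchanged: commented-out header lines …
		foreach my $name (qw(ProductName CSDVersion BuildName BuildNameEx)) {
			# get_value() returns undef for a missing value; the chained
			# get_data() then dies, which the eval turns into $@.
			my $data = eval { $key->get_value($name)->get_data() };
			::rptMsg($name." = ".$data) unless ($@);
		}
		my $install = eval { $key->get_value("InstallDate")->get_data() };
		::rptMsg("InstallDate = ".gmtime($install)." (UTC)") unless ($@);
	}
	# … unchanged: "not found" else branch …
```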
diff --git a/RecentActivity/release/rr/plugins/winzip.pl b/RecentActivity/release/rr/plugins/winzip.pl
new file mode 100644
index 0000000000..7fa815250b
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/winzip.pl
@@ -0,0 +1,89 @@
+#-----------------------------------------------------------
+# WinZip
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package winzip;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080325);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get WinZip extract and filemenu values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching WinZip v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Software\\Nico Mak Computing\\WinZip";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("WinZip");
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my @subkeys = $key->get_list_of_subkeys();
+ my %sk;
+ foreach my $s (@subkeys) {
+ $sk{$s->get_name()} = $s;
+ }
+
+ if (exists $sk{'extract'}) {
+ my $tag = "extract";
+ ::rptMsg($key_path."\\extract [".gmtime($sk{'extract'}->get_timestamp)."]");
+ my @vals = $sk{'extract'}->get_list_of_values();
+ my %ext;
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $num = $name;
+ $num =~ s/^$tag//;
+ $ext{$num} = $v->get_data();
+ }
+ foreach my $e (sort {$a <=> $b} keys %ext) {
+ ::rptMsg(" extract".$e." -> ".$ext{$e});
+ }
+ ::rptMsg("");
+ }
+ else {
+ ::rptMsg("extract key not found.");
+ }
+
+ if (exists $sk{'filemenu'}) {
+ my $tag = "filemenu";
+ ::rptMsg($key_path."\\filemenu [".gmtime($sk{'extract'}->get_timestamp)."]");
+ my @vals = $sk{'filemenu'}->get_list_of_values();
+ my %ext;
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $num = $name;
+ $num =~ s/^$tag//;
+ $ext{$num} = $v->get_data();
+ }
+ foreach my $e (sort {$a <=> $b} keys %ext) {
+ ::rptMsg(" filemenu".$e." -> ".$ext{$e});
+ }
+ }
+ else {
+ ::rptMsg("filemenu key not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
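Review bot: The filemenu header line reports the LastWrite time of the wrong key: `::rptMsg($key_path."\\filemenu [".gmtime($sk{'extract'}->get_timestamp)."]");` reads `$sk{'extract'}`, so the report attributes the extract key's timestamp to filemenu, exactly the kind of detail an analyst would rely on when building a timeline; it should be `::rptMsg($key_path."\\filemenu [".gmtime($sk{'filemenu'}->get_timestamp)." (UTC)]");`. Both timestamp lines also omit the `(UTC)` tag that the other plugins in this series print after gmtime(), so the extract line deserves the same `" (UTC)]"` suffix. A value whose name does not start with the tag keeps its full name as the hash key and then goes through the numeric `<=>` sort; harmless today, but it will warn if `use warnings` is ever enabled.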
diff --git a/RecentActivity/release/rr/plugins/wordwheelquery.pl b/RecentActivity/release/rr/plugins/wordwheelquery.pl
new file mode 100644
index 0000000000..10a2eba1cf
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/wordwheelquery.pl
@@ -0,0 +1,79 @@
+#-----------------------------------------------------------
+# wordwheelquery.pl
+# For Windows 7
+#
+# Change history
+# 20100330 - created
+#
+# References
+# http://www.winhelponline.com/blog/clear-file-search-mru-history-windows-7/
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package wordwheelquery;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20100330);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's WordWheelQuery key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching wordwheelquery v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my @list;
+ my %wwq;
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ if ($name eq "MRUListEx") {
+ @list = unpack("V*",$v->get_data());
+ pop(@list) if ($list[scalar(@list) - 1] == 0xffffffff);
+ }
+ else {
+ my $data = $v->get_data();
+ $data =~ s/\00//g;
+ $wwq{$name} = $data;
+ }
+ }
+# list searches in MRUListEx order
+ ::rptMsg("");
+ ::rptMsg("Searches listed in MRUListEx order");
+ ::rptMsg("");
+ foreach my $l (@list) {
+ ::rptMsg(sprintf "%-4d %-30s",$l,$wwq{$l});
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
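Review bot: `$data =~ s/\00//g;` is a lossy way to render the search terms: the values appear to hold UTF-16LE text (that is what stripping every other null byte presupposes), and dropping all nulls only works for ASCII — any non-ASCII search string is garbled, and a code unit with a zero low byte loses a byte entirely. Decoding with core Encode keeps the evidence intact: add `use Encode;` at the top, then replace the strip with `my $data = Encode::decode("UTF-16LE", $v->get_data()); $data =~ s/\x00+\z//;`. Separately, `$wwq{$l}` is printed without checking that an index taken from MRUListEx actually has a matching value, which would print an empty field (with a warning if warnings were on) instead of flagging the inconsistency; a `defined` check that prints an explicit "(missing)" marker would be clearer in a forensic report.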
diff --git a/RecentActivity/release/rr/plugins/xpedition.pl b/RecentActivity/release/rr/plugins/xpedition.pl
new file mode 100644
index 0000000000..f3a5d35914
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/xpedition.pl
@@ -0,0 +1,60 @@
+#-----------------------------------------------------------
+# xpedition.pl
+# Determine the edition of XP (MediaCenter, TabletPC)
+#
+# History
+#
+# References
+# http://windowsitpro.com/article/articleid/94531/
+# how-can-a-script-determine-if-windows-xp-tablet-pc-edition-is-installed.html
+# http://unasked.com/question/view/id/119610
+#
+# copyright 2009 H. Carvey
+#-----------------------------------------------------------
+package xpedition;
+use strict;
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20090727);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Queries System hive for XP Edition info";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ my $key;
+ my $edition = 0;
+
+ ::logMsg("Launching xpedition v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("xpedition v.".$VERSION);
+ eval {
+ $key = $root_key->get_subkey("WPA\\MediaCenter")->get_value("Installed")->get_data();
+ if ($key == 1) {
+ ::rptMsg("MediaCenter Edition");
+ $edition = 1;
+ }
+ };
+
+ eval {
+ $key = $root_key->get_subkey("WPA\\TabletPC")->get_value("Installed")->get_data();
+ if ($key == 1) {
+ ::rptMsg("TabletPC Edition");
+ $edition = 1;
+ }
+ };
+}
+1
\ No newline at end of file
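Review bot: `$edition` is set in both eval blocks but never read, and pluginmain emits nothing at all when neither `WPA\MediaCenter` nor `WPA\TabletPC` has `Installed == 1`, so an analyst cannot tell "plain XP" apart from "wrong hive passed" or "keys absent" — every failure, including an unreadable hive, is swallowed by the bare evals. Adding `::rptMsg("No MediaCenter or TabletPC edition markers found.") unless ($edition);` after the second eval, and logging `$@` via `::logMsg` when an eval fails, would make the report self-explanatory. The file also ends with a bare `1` and no semicolon; it is a valid true value, but `1;` matches the other plugins in this commit.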
diff --git a/RecentActivity/release/rr/rip.exe b/RecentActivity/release/rr/rip.exe
new file mode 100644
index 0000000000..6ecc7fec59
Binary files /dev/null and b/RecentActivity/release/rr/rip.exe differ
diff --git a/RecentActivity/release/rr/rip.pl b/RecentActivity/release/rr/rip.pl
new file mode 100644
index 0000000000..ffbd632d7a
--- /dev/null
+++ b/RecentActivity/release/rr/rip.pl
@@ -0,0 +1,291 @@
+#! c:\perl\bin\perl.exe
+#-------------------------------------------------------------------------
+# Rip - RegRipper, CLI version
+# Use this utility to run a plugins file or a single plugin against a Reg
+# hive file.
+#
+# Output goes to STDOUT
+# Usage: see "_syntax()" function
+#
+# Change History
+# 20110516 - added -s & -u options for TLN support
+# 20090102 - updated code for relative path to plugins dir
+# 20080419 - added '-g' switch (experimental)
+# 20080412 - added '-c' switch
+#
+# copyright 2011 Quantum Analytics Research, LLC
+#-------------------------------------------------------------------------
+use strict;
+use Parse::Win32Registry qw(:REG_);
+use Getopt::Long;
+
+# Included to permit compiling via Perl2Exe
+#perl2exe_include "Parse/Win32Registry.pm";
+#perl2exe_include "Parse/Win32Registry/Key.pm";
+#perl2exe_include "Parse/Win32Registry/Entry.pm";
+#perl2exe_include "Parse/Win32Registry/Value.pm";
+#perl2exe_include "Parse/Win32Registry/File.pm";
+#perl2exe_include "Parse/Win32Registry/Win95/File.pm";
+#perl2exe_include "Parse/Win32Registry/Win95/Key.pm";
+#perl2exe_include "Encode/Unicode.pm";
+
+my %config;
+Getopt::Long::Configure("prefix_pattern=(-|\/)");
+GetOptions(\%config,qw(reg|r=s file|f=s csv|c guess|g user|u=s sys|s=s plugin|p=s list|l help|?|h));
+
+# Code updated 20090102
+my @path;
+my $str = $0;
+($^O eq "MSWin32") ? (@path = split(/\\/,$0))
+ : (@path = split(/\//,$0));
+$str =~ s/($path[scalar(@path) - 1])//;
+my $plugindir = $str."plugins/";
+#print "Plugins Dir = ".$plugindir."\n";
+# End code update
+my $VERSION = "20090102";
+
+if ($config{help} || !%config) {
+ _syntax();
+ exit;
+}
+
+#-------------------------------------------------------------
+#
+#-------------------------------------------------------------
+if ($config{list}) {
+ my @plugins;
+ opendir(DIR,$plugindir) || die "Could not open $plugindir: $!\n";
+ @plugins = readdir(DIR);
+ closedir(DIR);
+
+ my $count = 1;
+ print "Plugin,Version,Hive,Description\n" if ($config{csv});
+ foreach my $p (@plugins) {
+ next unless ($p =~ m/\.pl$/);
+ my $pkg = (split(/\./,$p,2))[0];
+ $p = $plugindir.$p;
+ eval {
+ require $p;
+ my $hive = $pkg->getHive();
+ my $version = $pkg->getVersion();
+ my $descr = $pkg->getShortDescr();
+ if ($config{csv}) {
+ print $pkg.",".$version.",".$hive.",".$descr."\n";
+ }
+ else {
+ print $count.". ".$pkg." v.".$version." [".$hive."]\n";
+# printf "%-20s %-10s %-10s\n",$pkg,$version,$hive;
+ print " - ".$descr."\n\n";
+ $count++;
+ }
+ };
+ print "Error: $@\n" if ($@);
+ }
+ exit;
+}
+
+#-------------------------------------------------------------
+#
+#-------------------------------------------------------------
+if ($config{file}) {
+# First, check that a hive file was identified, and that the path is
+# correct
+ my $hive = $config{reg};
+ die "You must enter a hive file path/name.\n" if ($hive eq "");
+ die $hive." not found.\n" unless (-e $hive);
+
+ my %plugins = parsePluginsFile($config{file});
+ if (%plugins) {
+ #logMsg("Parsed Plugins file.");
+ }
+ else {
+ #logMsg("Plugins file not parsed.");
+ exit;
+ }
+ foreach my $i (sort {$a <=> $b} keys %plugins) {
+ eval {
+ require "plugins\\".$plugins{$i}."\.pl";
+ $plugins{$i}->pluginmain($hive);
+ };
+ if ($@) {
+ logMsg("Error in ".$plugins{$i}.": ".$@);
+ }
+ #logMsg($plugins{$i}." complete.");
+
+ }
+}
+
+#-------------------------------------------------------------
+#
+#-------------------------------------------------------------
+if ($config{reg} && $config{guess}) {
+# Attempt to guess which kind of hive we have
+ my $hive = $config{reg};
+ die "You must enter a hive file path/name.\n" if ($hive eq "");
+ die $hive." not found.\n" unless (-e $hive);
+
+ my $reg;
+ my $root_key;
+ my %guess;
+ eval {
+ $reg = Parse::Win32Registry->new($hive);
+ $root_key = $reg->get_root_key;
+ };
+ ::rptMsg($config{reg}." may not be a valid hive.") if ($@);
+
+# Check for SAM
+ eval {
+ $guess{sam} = 1 if (my $key = $root_key->get_subkey("SAM\\Domains\\Account\\Users"));
+ };
+# Check for Software
+ eval {
+ $guess{software} = 1 if ($root_key->get_subkey("Microsoft\\Windows\\CurrentVersion") &&
+ $root_key->get_subkey("Microsoft\\Windows NT\\CurrentVersion"));
+ };
+
+# Check for System
+ eval {
+ $guess{system} = 1 if ($root_key->get_subkey("MountedDevices") &&
+ $root_key->get_subkey("Select"));
+ };
+
+# Check for Security
+ eval {
+ $guess{security} = 1 if ($root_key->get_subkey("Policy\\Accounts") &&
+ $root_key->get_subkey("Policy\\PolAdtEv"));
+ };
+# Check for NTUSER.DAT
+ eval {
+ $guess{ntuser} = 1 if ($root_key->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion"));
+
+ };
+
+ foreach my $g (keys %guess) {
+ ::rptMsg(sprintf "%-8s = %-2s",$g,$guess{$g});
+ }
+}
+
+#-------------------------------------------------------------
+#
+#-------------------------------------------------------------
+if ($config{plugin}) {
+# First, check that a hive file was identified, and that the path is
+# correct
+ my $hive = $config{reg};
+ die "You must enter a hive file path/name.\n" if ($hive eq "");
+ die $hive." not found.\n" unless (-e $hive);
+
+# check to see if the plugin exists
+ my $plugin = $config{plugin};
+ my $pluginfile = $plugindir.$config{plugin}."\.pl";
+ die $pluginfile." not found.\n" unless (-e $pluginfile);
+
+ eval {
+ require $pluginfile;
+ $plugin->pluginmain($hive);
+ };
+ if ($@) {
+ logMsg("Error in ".$pluginfile.": ".$@);
+ }
+}
+
+sub _syntax {
+ print<< "EOT";
+Rip v.$VERSION - CLI RegRipper tool
+Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
+Parse Windows Registry files, using either a single module, or a plugins file.
+All plugins must be located in the \"plugins\" directory; default plugins file
+used if no other filename given is \"plugins\\plugins\"\.
+
+ -r Reg hive file...Registry hive file to parse
+ -g ................Guess the hive file (experimental)
+ -f [plugin file]...use the plugin file (default: plugins\\plugins)
+ -p plugin module...use only this module
+ -l ................list all plugins
+ -c ................Output list in CSV format (use with -l)
+ -s system name.....Server name (TLN support)
+ -u username........User name (TLN support)
+ -h.................Help (print this information)
+Ex: C:\\>rr -r c:\\case\\system -f system
+ C:\\>rr -r c:\\case\\ntuser.dat -p userassist
+ C:\\>rr -l -c
+
+All output goes to STDOUT; use redirection (ie, > or >>) to output to a file\.
+
+copyright 2011 Quantum Analytics Research, LLC
+EOT
+}
+
+#-------------------------------------------------------------
+#
+#-------------------------------------------------------------
+sub logMsg {
+ print STDERR $_[0]."\n";
+}
+
+#-------------------------------------------------------------
+#
+#-------------------------------------------------------------
+sub rptMsg {
+ binmode STDOUT,":utf8";
+ if ($config{sys} || $config{user}) {
+ my @vals = split(/\|/,$_[0],5);
+ my $str = $vals[0]."|".$vals[1]."|".$config{sys}."|".$config{user}."|".$vals[4];
+ print $str."\n";
+ }
+ else {
+ print $_[0]."\n";
+ }
+}
+
+#-------------------------------------------------------------
+# parsePluginsFile()
+# Parse the plugins file and get a list of plugins
+#-------------------------------------------------------------
+sub parsePluginsFile {
+ my $file = $_[0];
+ my %plugins;
+# Parse a file containing a list of plugins
+# Future versions of this tool may allow for the analyst to
+# choose different plugins files
+ my $pluginfile = $plugindir.$file;
+ if (-e $pluginfile) {
+ open(FH,"<",$pluginfile);
+ my $count = 1;
+ while() {
+ chomp;
+ next if ($_ =~ m/^#/ || $_ =~ m/^\s+$/);
+# next unless ($_ =~ m/\.pl$/);
+ next if ($_ eq "");
+ $_ =~ s/^\s+//;
+ $_ =~ s/\s+$//;
+ $plugins{$count++} = $_;
+ }
+ close(FH);
+ return %plugins;
+ }
+ else {
+ return undef;
+ }
+}
+
+#-------------------------------------------------------------
+# getTime()
+# Translate FILETIME object (2 DWORDS) to Unix time, to be passed
+# to gmtime() or localtime()
+#-------------------------------------------------------------
+sub getTime($$) {
+ my $lo = shift;
+ my $hi = shift;
+ my $t;
+
+ if ($lo == 0 && $hi == 0) {
+ $t = 0;
+ } else {
+ $lo -= 0xd53e8000;
+ $hi -= 0x019db1de;
+ $t = int($hi*429.4967296 + $lo/1e7);
+ };
+ $t = 0 if ($t < 0);
+ return $t;
+}
\ No newline at end of file
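Review bot: parsePluginsFile's `return undef` is list-assigned into `%plugins` by the `-f` path, so a missing plugins file produces a one-key hash (key `""`) that passes the `if (%plugins)` check and then fails inside the foreach with a confusing "Error in : Can't locate plugins\.pl" instead of a clear message; change it to `return;` (empty list) and check the open with `open(FH,"<",$pluginfile) or die "Could not open $pluginfile: $!\n";`. The `-f` path also loads plugins through the hard-coded `require "plugins\\".$plugins{$i}."\.pl";` while `-l` and `-p` use `$plugindir`, so `-f` still depends on the current directory despite the 20090102 relative-path change; `require $plugindir.$plugins{$i}."\.pl";` keeps the three paths consistent. `while()` in parsePluginsFile reads as an unconditional loop as shown — presumably `while(<FH>)` with the angle brackets lost in rendering — so it is worth confirming against the committed file. The script-name strip `s/($path[scalar(@path) - 1])//` interpolates `$0` unquoted into a regex; `\Q...\E` around it avoids `.` matching arbitrary characters.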
diff --git a/RecentActivity/release/rr/rr.exe b/RecentActivity/release/rr/rr.exe
new file mode 100644
index 0000000000..0a89f5b83c
Binary files /dev/null and b/RecentActivity/release/rr/rr.exe differ
diff --git a/RecentActivity/release/rr/rr.pl b/RecentActivity/release/rr/rr.pl
new file mode 100644
index 0000000000..e39be3df66
--- /dev/null
+++ b/RecentActivity/release/rr/rr.pl
@@ -0,0 +1,442 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# Registry Ripper
+# Parse a Registry hive file for data pertinent to an investigation
+#
+# Adv version...provides the basic functionality. All plugins
+# can be used with both the basic version and the full-featured
+# version
+#
+# Change History:
+# 20081111 - Updated code in setUpEnv() to parse the file paths for
+# output files (log, etc) so that they paths were handled
+# properly; updated Perl2Exe include statements to support
+# Parse::Win32Registry 0.40
+# 20080512 - Consolidated Basic and Advanced versions into a single
+# track
+# 20080429 - Fixed issue with output report and log files having the
+# same (.log) file extension
+# 20080422 - Added ComboBox to choose plugins file
+# 20080414 - updated code to check for a selected hive file; set
+# default plugin file to "ntuser" if none selected; check
+# for plugins file with no plugins or all plugins commented
+# out; keep track of plugins w/ hard errors generated via
+# this GUI.
+# 20080412 - added listbox; populate with list of plugin files
+# from plugin dir
+# - Log file now based on report file name and location
+# 20080226 - added eval{} to wrap require pragma in go_Click()
+#
+#
+# Functionality:
+# - plugins file is selectable
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+#use strict;
+use Win32::GUI();
+use Parse::Win32Registry qw(:REG_);
+
+# Included to permit compiling via Perl2Exe
+#perl2exe_include "Parse/Win32Registry.pm";
+#perl2exe_include "Parse/Win32Registry/Key.pm";
+#perl2exe_include "Parse/Win32Registry/Entry.pm";
+#perl2exe_include "Parse/Win32Registry/Value.pm";
+#perl2exe_include "Parse/Win32Registry/File.pm";
+#perl2exe_include "Parse/Win32Registry/Win95/File.pm";
+#perl2exe_include "Parse/Win32Registry/Win95/Key.pm";
+#perl2exe_include "Encode/Unicode.pm";
+#-----------------------------------------------------------
+# Global variables
+#-----------------------------------------------------------
+my $VERSION = "2\.02";
+my %env;
+
+#-----------------------------------------------------------
+# GUI
+#-----------------------------------------------------------
+# create our menu
+my $menu = Win32::GUI::MakeMenu(
+ "&File" => "File",
+ " > O&pen..." => { -name => "Open"},
+ " > -" => 0,
+ " > E&xit" => { -name => "Exit", -onClick => sub {exit 1;}},
+ "&Help" => "Help",
+ " > &About" => { -name => "About", -onClick => \&RR_OnAbout},
+);
+
+# Create Main Window
+my $main = new Win32::GUI::Window (
+ -name => "Main",
+ -title => "Registry Ripper, v.".$VERSION,
+ -pos => [200, 200],
+# Format: [width, height]
+ -maxsize => [500, 420],
+ -size => [500, 420],
+ -menu => $menu,
+ -dialogui => 1,
+) or die "Could not create a new Window: $!\n";
+
+$main->AddLabel(
+ -text => "Hive File:",
+ -left => 20,
+ -top => 10);
+
+my $ntuserfile = $main->AddTextfield(
+ -name => "ntuserdat",
+ -tabstop => 1,
+ -left => 100,
+ -top => 10,
+ -width => 250,
+ -height => 22,
+ -tabstop => 1,
+ -foreground => "#000000",
+ -background => "#FFFFFF");
+
+my $browse1 = $main->AddButton(
+ -name => 'browse1',
+ -left => 375,
+ -top => 10,
+ -width => 50,
+ -height => 22,
+ -tabstop => 1,
+ -text => "Browse");
+
+$main->AddLabel(
+ -text => "Report File:",
+ -left => 20,
+ -top => 50);
+
+my $rptfile = $main->AddTextfield(
+ -name => "rptfile",
+ -tabstop => 1,
+ -left => 100,
+ -top => 50,
+ -width => 250,
+ -height => 22,
+ -tabstop => 1,
+ -foreground => "#000000",
+ -background => "#FFFFFF");
+
+my $browse2 = $main->AddButton(
+ -name => 'browse2',
+ -left => 375,
+ -top => 50,
+ -width => 50,
+ -height => 22,
+ -tabstop => 1,
+ -text => "Browse");
+
+$main->AddLabel(
+ -text => "Plugin File:",
+ -left => 20,
+ -top => 90);
+
+# http://perl-win32-gui.sourceforge.net/cgi-bin/docs.cgi?doc=combobox
+my $combo = $main->AddCombobox(
+ -name => "Combobox",
+# -dropdown => 1,
+ -dropdownlist => 1,
+ -top => 90,
+ -left => 100,
+ -width => 120,
+ -height => 110,
+ -tabstop=> 1,
+ );
+
+my $testlabel = $main->AddLabel(
+ -text => "",
+ -name => "TestLabel",
+ -pos => [10,140],
+ -size => [445,160],
+ -frame => etched,
+ -sunken => 1
+);
+
+my $report = $main->AddTextfield(
+ -name => "Report",
+ -pos => [20,150],
+ -size => [425,140],
+ -multiline => 1,
+ -vscroll => 1,
+ -autohscroll => 1,
+ -autovscroll => 1,
+ -keepselection => 1 ,
+ -tabstop => 1,
+);
+
+my $go = $main->AddButton(
+ -name => 'go',
+ -left => 320,
+ -top => 310,
+ -width => 50,
+ -height => 25,
+ -tabstop => 1,
+ -text => "Rip It");
+
+$main->AddButton(
+ -name => 'close',
+ -left => 390,
+ -top => 310,
+ -width => 50,
+ -height => 25,
+ -tabstop => 1,
+ -text => "Close");
+
+my $status = new Win32::GUI::StatusBar($main,
+ -text => "Registry Ripper v.".$VERSION." opened.",
+);
+
+populatePluginsList();
+$combo->Text("