diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/Case.java b/Core/src/org/sleuthkit/autopsy/casemodule/Case.java
index 0e130f246f..7d39d8f05a 100644
--- a/Core/src/org/sleuthkit/autopsy/casemodule/Case.java
+++ b/Core/src/org/sleuthkit/autopsy/casemodule/Case.java
@@ -194,9 +194,9 @@ public class Case {
     }
     /**
-     * Creates a new case (create the XML config file and the directory)
+     * Creates a new case (create the XML config file and database)
      *
-     * @param caseDir the base directory where the configuration file is saved
+     * @param caseDir The directory to store case data in. Will be created if it doesn't already exist. If it exists, it should have all of the needed sub dirs that createCaseDirectory() will create.
      * @param caseName the name of case
      * @param caseNumber the case number
      * @param examiner the examiner for this case
@@ -204,6 +204,11 @@ public class Case {
     public static void create(String caseDir, String caseName, String caseNumber, String examiner) throws CaseActionException {
         logger.log(Level.INFO, "Creating new case.\ncaseDir: {0}\ncaseName: {1}", new Object[]{caseDir, caseName});
+        // create case directory if it doesn't already exist.
+        if (new File(caseDir).exists() == false) {
+            Case.createCaseDirectory(caseDir);
+        }
+
         String configFilePath = caseDir + File.separator + caseName + CASE_DOT_EXTENSION;
         XMLCaseManagement xmlcm = new XMLCaseManagement();
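Review bot: `new File(caseDir).exists()` in the new guard is also true for a regular file at that path, so in that case `createCaseDirectory(caseDir)` is skipped and `create` goes on to write `configFilePath` under something that is not a directory; `isDirectory()` is the check that matches the Javadoc's intent, e.g. `if (!new File(caseDir).isDirectory()) {`. The updated Javadoc says an existing directory "should have all of the needed sub dirs", but nothing verifies that, so a pre-existing but incomplete directory fails later with a less specific error than `createCaseDirectory` would give; either check the sub-directories here or state in the Javadoc that such failures surface from later steps. `create` continues past the end of this hunk.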
@@ -775,12 +780,22 @@ public class Case {
     /**
      * to create the case directory
      *
-     * @param caseDir the case directory path
-     * @param caseName the case name
+     * @param caseDir Path to the case directory (typically base + case name)
+     * @param caseName the case name (used only for error messages)
      * @throws CaseActionException throw if could not create the case dir
+     * @Deprecated
      */
     static void createCaseDirectory(String caseDir, String caseName) throws CaseActionException {
-        boolean result = false;
+        createCaseDirectory(caseDir);
+
+    }
+    /**
+     * Create the case directory and its needed subfolders.
+     *
+     * @param caseDir Path to the case directory (typically base + case name)
+     * @throws CaseActionException throw if could not create the case dir
+     */
+    static void createCaseDirectory(String caseDir) throws CaseActionException {
         File caseDirF = new File(caseDir);
         if (caseDirF.exists()) {
@@ -792,7 +807,7 @@ public class Case {
         }
         try {
-            result = (caseDirF).mkdirs(); // create root case Directory
+            boolean result = (caseDirF).mkdirs(); // create root case Directory
             if (result == false) {
                 throw new CaseActionException("Cannot create case dir: " + caseDir);
             }
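Review bot: `* @Deprecated` inside the Javadoc of the two-argument `createCaseDirectory` is neither the `@deprecated` Javadoc tag nor the `@Deprecated` annotation, so callers get no compiler warning and generated docs do not mark the method as deprecated. Put `@Deprecated` on the declaration line and write `@deprecated use {@link #createCaseDirectory(String)} instead` in the Javadoc; the `caseName` parameter is now unused, so the "(used only for error messages)" wording is no longer accurate either. The new one-argument overload's body continues past the end of the second hunk.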
@@ -804,17 +819,17 @@ public class Case {
                     && (new File(caseDir + File.separator + XMLCaseManagement.CACHE_FOLDER_RELPATH)).mkdir();
             if (result == false) {
-                throw new CaseActionException("Could not create case directory: " + caseDir + " for case: " + caseName);
+                throw new CaseActionException("Could not create case directory: " + caseDir );
             }
             final String modulesOutDir = caseDir + File.separator + getModulesOutputDirRelPath();
             result = new File(modulesOutDir).mkdir();
             if (result == false) {
-                throw new CaseActionException("Could not create modules output directory: " + modulesOutDir + " for case: " + caseName);
+                throw new CaseActionException("Could not create modules output directory: " + modulesOutDir );
             }
         } catch (Exception e) {
-            throw new CaseActionException("Could not create case directory: " + caseDir + " for case: " + caseName, e);
+            throw new CaseActionException("Could not create case directory: " + caseDir , e);
         }
     }
diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/NewCaseWizardPanel1.java b/Core/src/org/sleuthkit/autopsy/casemodule/NewCaseWizardPanel1.java
index 73a9ae671b..52be7a1a7d 100644
--- a/Core/src/org/sleuthkit/autopsy/casemodule/NewCaseWizardPanel1.java
+++ b/Core/src/org/sleuthkit/autopsy/casemodule/NewCaseWizardPanel1.java
@@ -228,7 +228,7 @@ class NewCaseWizardPanel1 implements WizardDescriptor.ValidatingPanel artifacts, int offset) {
         // change the cursor to "waiting cursor" for this operation
         this.setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR));
@@ -377,6 +382,10 @@ public class DataContentViewerArtifact extends javax.swing.JPanel implements Dat
         this.setCursor(null);
     }
+    /**
+     * Set the displayed artifact to the specified one.
+     * @param artifact Artifact to display
+     */
     private void setSelectedArtifact(BlackboardArtifact artifact) {
         if(artifacts.contains(artifact)) {
             int index = artifacts.indexOf(artifact);
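Review bot: The `CaseActionException` thrown on `result == false` for the modules output directory is caught by the enclosing `catch (Exception e)` and re-wrapped with the generic "Could not create case directory" message, so the more specific modules-output message the commit just rewrote never reaches the caller. Either narrow the catch to what the `mkdir` calls can actually throw (for example `SecurityException`) or let the domain exception pass through with `catch (CaseActionException e) { throw e; }` ahead of the general catch. The stray spaces in `caseDir )` and `caseDir , e)` also look unintended. The try block begins before this hunk.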
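Review bot: The new Javadoc for `setSelectedArtifact` does not say what happens when `artifact` is not in `artifacts`; the visible `if(artifacts.contains(artifact))` guard suggests the call is then ignored, though the else branch is outside the hunk. Add `If the artifact is not in the current list the displayed selection is left unchanged.` (adjusted to whatever the else branch does) so callers do not rely on it for arbitrary artifacts. `contains` followed by `indexOf` also scans the list twice; `int index = artifacts.indexOf(artifact); if (index >= 0) {` does the same in one pass. The method body continues past the end of this hunk.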
diff --git a/Core/src/org/sleuthkit/autopsy/coreutils/PlatformUtil.java b/Core/src/org/sleuthkit/autopsy/coreutils/PlatformUtil.java
index fd64d080ce..40ced93327 100644
--- a/Core/src/org/sleuthkit/autopsy/coreutils/PlatformUtil.java
+++ b/Core/src/org/sleuthkit/autopsy/coreutils/PlatformUtil.java
@@ -141,6 +141,27 @@ public class PlatformUtil {
     public static File getUserDirectory() {
         return Places.getUserDirectory();
     }
+
+    /**
+     * Get RCP project dirs
+     * @return
+     */
+    public static List getProjectsDirs() {
+        List ret = new ArrayList();
+        String projectDir = System.getProperty("netbeans.dirs");
+        if (projectDir == null) {
+            return ret;
+        }
+        String [] split = projectDir.split(";");
+        if (split == null || split.length == 0) {
+            return ret;
+        }
+        for (String path : split) {
+            ret.add(path);
+        }
+
+        return ret;
+    }
     /**
      * Get user config directory path
diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactStringContent.java b/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactStringContent.java
index 908fa037cb..dd2ef34791 100644
--- a/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactStringContent.java
+++ b/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactStringContent.java
@@ -1,7 +1,7 @@
 /*
  * Autopsy Forensic Browser
  *
- * Copyright 2011 Basis Technology Corp.
+ * Copyright 2011-2013 Basis Technology Corp.
  * Contact: carrier sleuthkit org
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -33,8 +33,7 @@ import org.sleuthkit.datamodel.TskException;
 /**
  * StringContent object for a blackboard artifact, that can be looked up and used
- * to display text for the DataContent viewers
- * @author alawrence
+ * to display text for the DataContent viewers. Displays values in artifact in HTML.
  */
 public class ArtifactStringContent implements StringContent {
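Review bot: `projectDir.split(";")` in `getProjectsDirs` hard-codes the Windows path-list separator; as far as I know the `netbeans.dirs` property is joined with the platform's `File.pathSeparator`, so on Linux or macOS the whole list comes back as a single element and the caller in `IngestModuleLoader` would look for a `modules` folder under a path that does not exist. Use `projectDir.split(java.util.regex.Pattern.quote(File.pathSeparator))`, drop the `split == null` test (`String.split` never returns null) and replace the copy loop with `ret.addAll(Arrays.asList(split))`. The `@return` tag is empty; because this list decides where ingest-module jars are loaded from, say so: `@return directories listed in the netbeans.dirs system property, empty if it is unset`. Generic type arguments are not legible in this rendering, so this assumes the declared type is a `List` of `String`.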
@@ -54,21 +53,32 @@ public class ArtifactStringContent implements StringContent { buffer.append(""); buffer.append(""); + buffer.append(""); buffer.append(""); + + // artifact name header buffer.append("

"); buffer.append(wrapped.getDisplayName()); buffer.append("

"); + + // start table for attributes buffer.append(""); buffer.append(""); buffer.append(""); + + // cycle through each attribute and display in a row in the table. for (BlackboardAttribute attr : wrapped.getAttributes()) { + + // name column buffer.append(""); + + // value column buffer.append(""); - buffer.append(""); - buffer.append(""); - buffer.append(""); + buffer.append(""); buffer.append(""); buffer.append("
"); buffer.append(attr.getAttributeTypeDisplayName()); buffer.append(""); if (attr.getAttributeTypeID() == ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID() || attr.getAttributeTypeID() == ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID()) { @@ -82,7 +92,12 @@ public class ArtifactStringContent implements StringContent { } else { switch (attr.getValueType()) { case STRING: - buffer.append(attr.getValueString()); + String str = attr.getValueString(); + str = str.replaceAll(" ", " "); + str = str.replaceAll("<", "<"); + str = str.replaceAll(">", ">"); + str = str.replaceAll("(\r\n|\n)", "
"); + buffer.append(str); break; case INTEGER: buffer.append(attr.getValueInt()); @@ -113,16 +128,11 @@ public class ArtifactStringContent implements StringContent { try { path = content.getUniquePath(); } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Except while calling Content.getUniquePath() on " + content); + logger.log(Level.SEVERE, "Exception while calling Content.getUniquePath() on {0} : {1}", new Object[]{content, ex.getLocalizedMessage()}); } //add file path - buffer.append("
Source File"); - buffer.append(content.getName()); - buffer.append("
Source File Path"); diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java index 6d7239a37d..456f9f3bf6 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java @@ -30,7 +30,8 @@ import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.TskException; /** - * Node encapsulating blackboard artifact type + * Node encapsulating blackboard artifact type. This is used on the left-hand navigation side of the Autopsy UI as the + * parent node for all of the artifacts of a given type. Its children will be BlackboardArtifactNode objects. */ public class ArtifactTypeNode extends DisplayableItemNode { @@ -82,6 +83,7 @@ public class ArtifactTypeNode extends DisplayableItemNode { return v.visit(this); } + // @@@ TODO: Merge with BlackboartArtifactNode.getIcon() private String getIcon(BlackboardArtifact.ARTIFACT_TYPE type) { switch (type) { case TSK_WEB_BOOKMARK: diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java index 4f3da229dd..9a16de582a 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java @@ -36,7 +36,8 @@ import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskException; /** - * Node wrapping a blackboard artifact object + * Node wrapping a blackboard artifact object. This represents a single artifact. + * Its parent is typically an ArtifactTypeNode. */ public class BlackboardArtifactNode extends DisplayableItemNode { 
@@ -259,6 +260,7 @@ public class BlackboardArtifactNode extends DisplayableItemNode {
         return null;
     }
+    // @@@ TODO: Merge with ArtifactTypeNode.getIcon()
     private String getIcon(BlackboardArtifact.ARTIFACT_TYPE type) {
         switch (type) {
             case TSK_WEB_BOOKMARK:
diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContent.java b/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContent.java
index f662b4bb65..81bc791adf 100644
--- a/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContent.java
+++ b/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContent.java
@@ -21,7 +21,8 @@ package org.sleuthkit.autopsy.datamodel;
 import org.sleuthkit.datamodel.SleuthkitCase;
 /**
- * Parent of all Blackboard Artifacts to be displayed
+ * Parent of the "extracted content" artifacts to be displayed in the tree. Other
+ * artifacts are displayed under other more specific parents.
  */
 public class ExtractedContent implements AutopsyVisitableItem{
diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContentChildren.java b/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContentChildren.java
index 2e233d22f0..50061d1487 100644
--- a/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContentChildren.java
+++ b/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContentChildren.java
@@ -1,7 +1,7 @@
 /*
  * Autopsy Forensic Browser
  *
- * Copyright 2011 Basis Technology Corp.
+ * Copyright 2011-2013 Basis Technology Corp.
  * Contact: carrier sleuthkit org
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -18,41 +18,63 @@ */ package org.sleuthkit.autopsy.datamodel; +import java.util.ArrayList; import java.util.Arrays; +import java.util.Collections; +import java.util.Comparator; import java.util.List; +import java.util.logging.Level; import org.openide.nodes.ChildFactory; import org.openide.nodes.Node; +import org.openide.util.Exceptions; +import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.TskCoreException; /** - * + * Creates the children for the ExtractedContent area of the results tree. This area + * has all of the blackboard artifacts that are not displayed in a more specific form elsewhere + * in the tree. */ public class ExtractedContentChildren extends ChildFactory { - private SleuthkitCase skCase; - + private final ArrayList doNotShow; + public ExtractedContentChildren(SleuthkitCase skCase) { super(); this.skCase = skCase; + + // these are shown in other parts of the UI tree + doNotShow = new ArrayList(); + //doNotShow.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO); + doNotShow.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG); + doNotShow.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT); + doNotShow.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT); + doNotShow.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT); + doNotShow.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_FILE); } @Override protected boolean createKeys(List list) { - list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK); - list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE); - list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY); - list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD); - list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT); - list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG); - list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED); - 
list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY); - list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_METADATA_EXIF); + try { + List inUse = skCase.getBlackboardArtifactTypesInUse(); + inUse.removeAll(doNotShow); + Collections.sort(inUse, + new Comparator() { + @Override + public int compare(BlackboardArtifact.ARTIFACT_TYPE a, BlackboardArtifact.ARTIFACT_TYPE b) { + return a.getDisplayName().compareTo(b.getDisplayName()); + } + }); + list.addAll(inUse); + } catch (TskCoreException ex) { + Logger.getLogger(ExtractedContentChildren.class.getName()).log(Level.SEVERE, "Error getting list of artifacts in use: " + ex.getLocalizedMessage()); + return false; + } return true; } - - @Override protected Node createNodeForKey(BlackboardArtifact.ARTIFACT_TYPE key){ diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContentNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContentNode.java index 27d086f952..6d37c4392a 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContentNode.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContentNode.java @@ -25,7 +25,7 @@ import org.openide.util.lookup.Lookups; import org.sleuthkit.datamodel.SleuthkitCase; /** - * Node for the extracted content + * Node for the extracted content artifacts (artifacts that are not shown in more specific areas of the tree) */ public class ExtractedContentNode extends DisplayableItemNode { diff --git a/Core/src/org/sleuthkit/autopsy/ingest/IngestModuleLoader.java b/Core/src/org/sleuthkit/autopsy/ingest/IngestModuleLoader.java index 16ccae2b57..df5eceaadf 100644 --- a/Core/src/org/sleuthkit/autopsy/ingest/IngestModuleLoader.java +++ b/Core/src/org/sleuthkit/autopsy/ingest/IngestModuleLoader.java 
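Review bot: Returning `false` from `createKeys` in the new `catch (TskCoreException ex)` tells `ChildFactory` that the key list is only partially populated and that it should call `createKeys` again, so a persistent database error becomes repeated queries and repeated SEVERE log entries instead of an empty node; log once and `return true;`. `inUse.removeAll(doNotShow)` mutates the list returned by `skCase.getBlackboardArtifactTypesInUse()`, which is only safe if that method hands back a fresh mutable list each time — if that is not part of its contract, copy it first with `new ArrayList<BlackboardArtifact.ARTIFACT_TYPE>(skCase.getBlackboardArtifactTypesInUse())`. The added `import org.openide.util.Exceptions;` is not used anywhere in the hunk, and the field declarations are hard to read in this rendering (the `skCase` declaration appears to be removed while the constructor still assigns it), so please confirm the field is still declared. `createNodeForKey` begins at the last line of the hunk and continues outside it.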
@@ -442,6 +442,16 @@ public final class IngestModuleLoader {
         //user modules
         urls.addAll(getJarPaths(PlatformUtil.getUserModulesPath()));
+
+        // add other project dirs, such as from external modules
+        for (String projectDir : PlatformUtil.getProjectsDirs()) {
+            File modules = new File(projectDir + File.separator + "modules");
+            if (modules.exists()) {
+                urls.addAll(getJarPaths(modules.getAbsolutePath()));
+            }
+        }
+
+
         return urls;
     }
diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchQueryManager.java b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchQueryManager.java
index 116f1e77a4..0ceb0cb306 100644
--- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchQueryManager.java
+++ b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchQueryManager.java
@@ -34,8 +34,8 @@ import org.sleuthkit.autopsy.datamodel.KeyValue;
 import org.sleuthkit.autopsy.keywordsearch.KeywordSearch.QueryType;
 /**
- * Query manager responsible for running appropriate queries and displaying results
- * for single, multi keyword queries, with detailed or collapsed results
+ * Query manager responsible for running appropriate queries and displaying
+ * results for single, multi keyword queries, with detailed or collapsed results
  */
 public class KeywordSearchQueryManager {
@@ -59,7 +59,7 @@ public class KeywordSearchQueryManager {
     public KeywordSearchQueryManager(String query, QueryType qt, Presentation presentation) {
         queries = new ArrayList();
-        queries.add(new Keyword(query, qt==QueryType.REGEX?false:true));
+        queries.add(new Keyword(query, qt == QueryType.REGEX ? false : true));
         this.presentation = presentation;
         queryType = qt;
         init();
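Review bot: `new File(projectDir + File.separator + "modules")` combined with `modules.exists()` also accepts a regular file named `modules`; `File modules = new File(projectDir, "modules");` with `if (modules.isDirectory()) {` states the intent and avoids a doubled separator when the property entry already ends with one. Every `modules` directory under a `netbeans.dirs` entry now becomes a source of executable ingest-module jars, so it is worth logging each directory that is added (at INFO, next to the existing user-modules path) so an administrator can tell from the log which locations code was loaded from. The two trailing blank lines before `return urls;` are superfluous. The enclosing method begins before this hunk.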
@@ -69,7 +69,7 @@ public class KeywordSearchQueryManager {
         queries = new ArrayList();
         queries.add(new Keyword(query, isLiteral));
         this.presentation = presentation;
-        queryType = isLiteral?QueryType.WORD:QueryType.REGEX;
+        queryType = isLiteral ? QueryType.WORD : QueryType.REGEX;
         init();
     }
@@ -112,15 +112,21 @@ public class KeywordSearchQueryManager {
             //Collapsed view
             Collection things = new ArrayList();
             int queryID = 0;
+            StringBuilder queryConcat = new StringBuilder();
             for (KeywordSearchQuery q : queryDelegates) {
                 Map kvs = new LinkedHashMap();
                 final String queryStr = q.getQueryString();
+                queryConcat.append(queryStr).append(" ");
                 things.add(new KeyValueQuery(queryStr, kvs, ++queryID, q));
             }
             Node rootNode = null;
-            DataResultTopComponent searchResultWin = DataResultTopComponent.createInstance("Keyword search " + (++resultWindowCount));
+            String queryConcatStr = queryConcat.toString();
+            final int queryConcatStrLen = queryConcatStr.length();
+            final String queryStrShort = queryConcatStrLen > 15 ? queryConcatStr.substring(0, 14) + "..." : queryConcatStr;
+            final String windowTitle = "Keyword search " + (++resultWindowCount) + " - " + queryStrShort;
+            DataResultTopComponent searchResultWin = DataResultTopComponent.createInstance(windowTitle);
             if (things.size() > 0) {
                 Children childThingNodes = Children.create(new KeywordSearchResultFactory(queries, things, Presentation.COLLAPSE, searchResultWin), true);
@@ -131,9 +137,9 @@ public class KeywordSearchQueryManager {
             }
             final String pathText = "Keyword search";
-
+
             DataResultTopComponent.initInstance(pathText, rootNode, things.size(), searchResultWin);
-
+
             searchResultWin.requestActive(); //
         }
     }
@@ -152,7 +158,7 @@ public class KeywordSearchQueryManager {
     }
     /**
-     * custom KeyValue that also stores query object to execute
+     * custom KeyValue that also stores query object to execute
      */
     class KeyValueQuery extends KeyValue {
diff --git a/NEWS.txt b/NEWS.txt
index 28a9453ec0..178b8136fc 100644
--- a/NEWS.txt
+++ b/NEWS.txt
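Review bot: The truncation on the new `queryStrShort` line cuts to 14 characters when the length exceeds 15, so a 16-character string loses two characters to the ellipsis rather than one, and `queryConcatStr` always ends with the space appended in the loop, so every title ends in `" - <query> "`. Trim before measuring and use a single named limit so the two numbers cannot drift apart: `String queryConcatStr = queryConcat.toString().trim();` and `final String queryStrShort = queryConcatStr.length() > MAX_LEN ? queryConcatStr.substring(0, MAX_LEN) + "..." : queryConcatStr;` where `MAX_LEN` stands for a constant to be added (placeholder name). The enclosing method begins and ends outside the `@@ -112,15 +112,21 @@` hunk.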
@@ -1,3 +1,15 @@ +---------------- VERSION Current (development) -------------- + +New features: + + +Improvements: + + +Bugfixes: + + + ---------------- VERSION 3.0.6 -------------- New features: diff --git a/RecentActivity/release/rr-full/faq b/RecentActivity/release/rr-full/faq new file mode 100755 index 0000000000..d59a6f1a10 --- /dev/null +++ b/RecentActivity/release/rr-full/faq 
@@ -0,0 +1,60 @@ +RegRipper FAQ + +This is the FAQ for the RegRipper. + +1. What is the RegRipper? +I should start by saying what the RegRipper is *not*...it's not +a Registry Viewer. An examiner would not open a Registry hive file +in RegRipper to "look around". + +Further, RegRipper is NOT intended for use with live hive files. Hive +files need to be extracted from a case (or from a live system using FTK +Imager...), or accessible via a tool such as Mount Image Pro. + +RegRipper is a Windows Registry data extractor. RegRipper uses plugins +(similar to Nessus) to access specific Registry hive files in order to +access and extract specific keys, values, and data, and does so by +bypassing the Win32API. + +2. How does RegRipper work? +RegRipper uses James McFarlane's Parse::Win32Registry module to access +a Windows Registry hive file in an object-oriented manner, bypassing the +Win32API. This module is used to locate and access Registry key nodes +within the hive file, as well as value nodes and their data. When +accessing a key node, the LastWrite time is retrieved, parsed and +translated into something the examiner can understand. Data is retrieved +in much the same manner...if necessary, the plugin that retrieves the +data will also perform translation of that data into something readable. + +3. Who wrote and maintains RegRipper? +I did/do. If you have any questions, concerns, comments, or suggestions +regarding how RegRipper works, please feel free to contact me. + +4. Who should/can use RegRipper? +Anyone who wants to perform Windows Registry hive file analysis. This tool +is specifically intended for Windows 2000, XP, and 2003 hive files (there +has been limited testing on Vista/Win2K8 hive files...everything has worked +fine so far...). + +5. How do I use RegRipper? +Simply launch rr.exe. Also, please be sure to read the RegRipper documentation. + +6. Do I have to install anything to use the RegRipper? +Nope, not a thing. 
RegRipper ships as an EXE file, able to run on Windows +systems. All you need to do is extract the EXE and DLL in the same directory. +The source file (rr.pl) is also included, as are the plugins. + +Further, RegRipper doesn't make any changes to your analysis system...no +Registry entries are made, nor are any files installed in odd, out-of-the-way +locations. + +Links +Module - http://search.cpan.org/~jmacfarla/Parse-Win32Registry/lib/ + Parse/Win32Registry.pm + +Email - H. Carvey - keydet89@yahoo.com + +RegRipper and rip.exe are released under the GPL license. Please see license.txt +for details. + +RegRipper and rip.exe are copyrighted to H. Carvey. \ No newline at end of file diff --git a/RecentActivity/release/rr-full/license.txt b/RecentActivity/release/rr-full/license.txt new file mode 100755 index 0000000000..ab013e242d --- /dev/null +++ b/RecentActivity/release/rr-full/license.txt @@ -0,0 +1,12 @@ +This software is released AS-IS, with no statements or guarantees as to +its effectiveness or stability. While it shouldn't cause any problems +whatsoever with your system, there's always the chance that someone may find +a way to blame a system crash or loss of data on software like this...you've +been warned! + +This software is released under the GNU Public License - +http://www.gnu.org/copyleft/gpl.html + +Specifically, GPL v3.0: http://www.gnu.org/licenses/quick-guide-gplv3.html + +Questions, comments, etc., can be sent to keydet89 at yahoo dot com. \ No newline at end of file diff --git a/RecentActivity/release/rr-full/p2x5124.dll b/RecentActivity/release/rr-full/p2x5124.dll new file mode 100755 index 0000000000..7c4fe46bf9 Binary files /dev/null and b/RecentActivity/release/rr-full/p2x5124.dll differ diff --git a/RecentActivity/release/rr-full/pb.exe b/RecentActivity/release/rr-full/pb.exe new file mode 100755 index 0000000000..dde01e04d1 Binary files /dev/null and b/RecentActivity/release/rr-full/pb.exe differ 
diff --git a/RecentActivity/release/rr-full/pb.pl b/RecentActivity/release/rr-full/pb.pl new file mode 100755 index 0000000000..edf104c7cb --- /dev/null +++ b/RecentActivity/release/rr-full/pb.pl 
@@ -0,0 +1,314 @@ +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# Plugins Browser - browse plugins, create plugins files, edit +# current files +# +# +# Change History +# 20100122 - Updated to include opening a plugins file +# 20091207 - Created +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +use strict; +use Win32::GUI(); +use Win32::GUI::Constants qw(CW_USEDEFAULT); +use Encode; + +my $plugindir; + +my $mw = Win32::GUI::Window->new( + -title => "Plugin Browser", + -left => CW_USEDEFAULT, + -size => [560,440], + -maxsize => [560,440], + -dialogui => 1, +); + +my $icon = new Win32::GUI::Icon('QAR.ICO'); +$mw->SetIcon($icon); + +$mw->AddLabel( + -text => "", + -name => "biglabel1", + -pos => [10,10], + -size => [530,40], + -sunken => 1 +); + +$mw->AddLabel( + -text => "Plugin Dir: ", + -pos => [20,23], + +); + +my $plugindirtext = $mw->AddTextfield( + -name => "plugindir", + -tabstop => 1, + -left => 100, + -top => 18, + -width => 300, + -height => 25, + -tabstop => 1, + -foreground => "#000000", + -background => "#FFFFFF" +); + +my $browse = $mw->AddButton( + -name => 'browse', + -text => 'Browse', + -size => [50,25], + -pos => [450,18], +); + +my $datatab = $mw->AddTabStrip( + -pos => [10,60], + -size => [530,280], + -name => "datatab" +); + +$datatab->InsertItem(-text => "Browse"); +$datatab->InsertItem(-text => "Plugin File"); + +my $lb1 = $mw->AddListbox( + -name => 'LB1', + -pos => [20,100], + -size => [180,240], + -multisel => 2, + -vscroll => 1 +); + +my $gb1 = $mw->AddGroupbox( + -name => 'GB', + -title => 'Plugin Info', + -pos => [260,100], + -size => [260,220], +); + +my $gblbl = $mw->AddLabel( + -name => 'LBL', + -left => $mw->GB->Left()+10, + -top => $mw->GB->Top()+20, + -width => $mw->GB->ScaleWidth()-20, + -height => $mw->GB->ScaleHeight()-40, +); + +# The following elements go on the "Plugin File" tab and +# are initially hidden +my $lb2 = 
$mw->AddListbox( + -name => 'LB2', + -pos => [320,100], + -size => [200,240], + -vscroll => 1, + -multisel => 2 +# -onSelChange => \&newSelection, +); +$lb2->Hide(); + +my $add = $mw->AddButton( + -name => 'Add', + -text => '>>', + -tip => "Add Plugin", + -size => [50,25], + -pos => [230,130], +); +$add->Hide(); + +my $remove = $mw->AddButton( + -name => 'Remove', + -text => '<<', + -tip => "Remove Plugin", + -size => [50,25], + -pos => [230,180], +); +$remove->Hide(); + +my $open = $mw->AddButton( + -name => 'Open', + -tip => "Open Plugin File", + -text => 'Open', + -size => [50,25], + -pos => [230,230], +); +$open->Hide(); + +my $save = $mw->AddButton( + -name => 'Save', + -tip => "Save Plugin File", + -text => 'Save', + -size => [50,25], + -pos => [230,280], +); +$save->Hide(); + +$mw->AddButton( + -name => 'BT', + -text => 'Exit', + -size => [50,25], + -pos => [450,350], + -onClick => sub{-1;}, +); + +my $status = new Win32::GUI::StatusBar($mw, + -text => "copyright 2010 Quantum Analytics Research, LLC", +); + +$mw->Show(); +Win32::GUI::Dialog(); +$mw->Hide(); +exit(0); + +sub datatab_Click { + if ($datatab->SelectedItem == 0) { + $lb2->Hide(); + $add->Hide(); + $remove->Hide(); + $open->Hide(); + $save->Hide(); + $gb1->Show(); + $gblbl->Show(); + } + + if ($datatab->SelectedItem == 1) { + $lb2->Show(); + $add->Show(); + $remove->Show(); + $open->Show(); + $save->Show(); + $gb1->Hide(); + $gblbl->Hide(); + } +} + +sub browse_Click { + $plugindir = Win32::GUI::BrowseForFolder( + -title => "Report Dir", + -root => 0x0011, + -folderonly => 1, + -includefiles => 0, + ); + $plugindir = $plugindir."\\" unless $plugindir =~ m/\\$/; + $plugindirtext->Text(""); + $plugindirtext->Text($plugindir); + + $mw->LB1->ResetContent(); + my @plugins; + opendir(DIR,$plugindir); + push(@plugins, grep(/\.pl$/,readdir(DIR))); + closedir(DIR); + $mw->LB1->Add(sort @plugins); + 0; +} + +sub LB1_SelChange { + if ($datatab->SelectedItem == 0) { + \&newSelection(); + } +} + +sub 
newSelection { + my $lb = shift; +# Set the label text to reflect the change + my $item = $lb1->GetCurSel(); + my $text = $lb1->GetText($item); + $lb1->GetParent()->LBL->Text(get_plugin_info($text)); + return 1; +} + +sub get_plugin_info { + my $name = shift; + require $plugindir."\\".$name; + $name =~ s/\.pl$//; + my $text = "Plugin Name: ".$name."\r\n"; + eval { + $text .= "Version: ".$name->getVersion."\r\n"; + }; + + eval { + $text .= "Hive : ".$name->getHive."\r\n\r\n"; + }; + + eval { + $text .= "Descr : \r\n"; + $text .= $name->getShortDescr."\r\n"; + }; + return $text; +} + +sub Add_Click { + my @list = $lb1->SelectedItems(); + foreach my $i (sort {$a <=> $b} @list) { + my $str = $lb1->GetString($i); + $str =~ s/\.pl$//; + $lb2->InsertString($str); + } +} + +#----------------------------------------------------------- +# Note regarding use of DeleteString(); if starting from index +# 0 and increasing, the index changes so that after the first +# index item is deleted, the second index item is reset. To +# avoid this issue, reverse the order of the indexes. 
+#----------------------------------------------------------- +sub Remove_Click { + my @list = $lb2->SelectedItems(); + foreach my $i (reverse @list) { + $lb2->DeleteString($i); + } +} + +sub Save_Click { + my $file = Win32::GUI::GetSaveFileName( + -owner => $mw, + -title => "Save Plugin File", + -explorer => 1, + -directory => $plugindir, + -filter => ['All files' => '*.*'] + ); + + if ($file) { + $file =~ s/\.\w+$//; + } + elsif (Win32::GUI::CommDlgExtendedError()) { + $mw->MessageBox ("ERROR : ".Win32::GUI::CommDlgExtendedError(), + "GetSaveFileName Error"); + } + + open(FH,">",$file); + print FH "# Plugin file created via Plugin Browser\n"; + print FH "# Date: ".localtime(time)."\n"; + print FH "# User: ".$ENV{USERNAME}."\n"; + print FH "#\n"; + print FH "\n"; + my $count = $lb2->GetCount(); + foreach my $i (0..$count - 1) { + my $str = $lb2->GetString($i); + print FH $str."\n"; + } + close(FH); + $lb2->ResetContent(); + 0; +} + +sub Open_Click { + my $file = Win32::GUI::GetOpenFileName( + -owner => $mw, + -title => "Open Plugin File", + -explorer => 1, + -directory => $plugindir, + -filter => ['All files' => '*.*'] + ); + + if ($file) { + open(FH,"<",$file); + while() { + chomp; + $lb2->InsertString($_); + } + close(FH); + } + elsif (Win32::GUI::CommDlgExtendedError()) { + $mw->MessageBox ("ERROR : ".Win32::GUI::CommDlgExtendedError(), + "GetSaveFileName Error"); + } +} \ No newline at end of file diff --git a/thirdparty/rr/plugins/acmru.pl b/RecentActivity/release/rr-full/plugins/acmru.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/acmru.pl rename to RecentActivity/release/rr-full/plugins/acmru.pl index 55efea5f5d..b232894d42 --- a/thirdparty/rr/plugins/acmru.pl +++ b/RecentActivity/release/rr-full/plugins/acmru.pl 
@@ -1,72 +1,74 @@ -#----------------------------------------------------------- -# acmru.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# ACMru values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package acmru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's ACMru key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching acmru v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Search Assistant\\ACMru'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ACMru - Search Assistant"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]"); - my @vals = $s->get_list_of_values(); - my %ac_vals; - foreach my $v (@vals) { - $ac_vals{$v->get_name()} = $v->get_data(); - } - foreach my $a (sort {$a <=> $b} keys %ac_vals) { - ::rptMsg("\t".$a." -> ".$ac_vals{$a}); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# acmru.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# ACMru values +# +# Change history +# +# +# References +# +# +# copyright 2008 H. 
Carvey +#----------------------------------------------------------- +package acmru; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's ACMru key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching acmru v.".$VERSION); + ::rptMsg("acmru v.".$VERSION); # banner + ::rptMsg("- ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Search Assistant\\ACMru'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("ACMru - Search Assistant"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]"); + my @vals = $s->get_list_of_values(); + my %ac_vals; + foreach my $v (@vals) { + $ac_vals{$v->get_name()} = $v->get_data(); + } + foreach my $a (sort {$a <=> $b} keys %ac_vals) { + ::rptMsg("\t".$a." -> ".$ac_vals{$a}); + } + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/adoberdr.pl b/RecentActivity/release/rr-full/plugins/adoberdr.pl old mode 100644 new mode 100755 similarity index 87% rename from thirdparty/rr/plugins/adoberdr.pl rename to RecentActivity/release/rr-full/plugins/adoberdr.pl index f46e5ebd67..7448b034a8 --- a/thirdparty/rr/plugins/adoberdr.pl +++ b/RecentActivity/release/rr-full/plugins/adoberdr.pl 
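Review bot: The banner added at the top of pluginmain prints `"- ".getShortDescr()`, whereas the banners added in this same commit to adoberdr.pl, aim.pl and appcompatcache.pl print `"(".$config{hive}.") ".getShortDescr()`, so this report header alone omits the hive name. For consistent, greppable report output use `::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner`. Apart from the rename and the two banner lines the hunk is unchanged, so there is nothing else to raise here.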
@@ -1,93 +1,96 @@ -#----------------------------------------------------------- -# adoberdr.pl -# Plugin for Registry Ripper -# Parse Adobe Reader MRU keys -# -# Change history -# 20100218 - added checks for versions 4.0, 5.0, 9.0 -# 20091125 - modified output to make a bit more clear -# -# References -# -# Note: LastWrite times on c subkeys will all be the same, -# as each subkey is modified as when a new entry is added -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package adoberdr; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's Adobe Reader cRecentFiles values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching adoberdr v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("Adoberdr v.".$VERSION); -# First, let's find out which version of Adobe Acrobat Reader is installed - my $version; - my $tag = 0; - my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0"); - foreach my $ver (@versions) { - my $key_path = "Software\\Adobe\\Acrobat Reader\\".$ver."\\AVGeneral\\cRecentFiles"; - if (defined($root_key->get_subkey($key_path))) { - $version = $ver; - $tag = 1; - } - } - - if ($tag) { - ::rptMsg("Adobe Acrobat Reader version ".$version." located."); - my $key_path = "Software\\Adobe\\Acrobat Reader\\".$version."\\AVGeneral\\cRecentFiles"; - my $key = $root_key->get_subkey($key_path); - if ($key) { - ::rptMsg($key_path); - ::rptMsg(""); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - my %arkeys; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - my $num = $s->get_name(); - my $data = $s->get_value('sDI')->get_data(); - $num =~ s/^c//; - $arkeys{$num}{lastwrite} = $s->get_timestamp(); - $arkeys{$num}{data} = $data; - } - ::rptMsg("Most recent PDF opened: ".gmtime($arkeys{1}{lastwrite})." (UTC)"); - foreach my $k (sort keys %arkeys) { - ::rptMsg(" c".$k." ".$arkeys{$k}{data}); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg("Could not access ".$key_path); - } - } - else { - ::rptMsg("Adobe Acrobat Reader version not found."); - } -} - +#----------------------------------------------------------- +# adoberdr.pl +# Plugin for Registry Ripper +# Parse Adobe Reader MRU keys +# +# Change history +# 20120716 - added version 10.0 to @versions +# 20100218 - added checks for versions 4.0, 5.0, 9.0 +# 20091125 - modified output to make a bit more clear +# +# References +# +# Note: LastWrite times on c subkeys will all be the same, +# as each subkey is modified as when a new entry is added +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package adoberdr; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120716); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's Adobe Reader cRecentFiles values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching adoberdr v.".$VERSION); + ::rptMsg("adoberdr v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + ::rptMsg("Adoberdr v.".$VERSION); +# 
First, let's find out which version of Adobe Acrobat Reader is installed + my $version; + my $tag = 0; + my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0","10\.0"); + foreach my $ver (@versions) { + my $key_path = "Software\\Adobe\\Acrobat Reader\\".$ver."\\AVGeneral\\cRecentFiles"; + if (defined($root_key->get_subkey($key_path))) { + $version = $ver; + $tag = 1; + } + } + + if ($tag) { + ::rptMsg("Adobe Acrobat Reader version ".$version." located."); + my $key_path = "Software\\Adobe\\Acrobat Reader\\".$version."\\AVGeneral\\cRecentFiles"; + my $key = $root_key->get_subkey($key_path); + if ($key) { + ::rptMsg($key_path); + ::rptMsg(""); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my %arkeys; + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $s (@subkeys) { + my $num = $s->get_name(); + my $data = $s->get_value('sDI')->get_data(); + $num =~ s/^c//; + $arkeys{$num}{lastwrite} = $s->get_timestamp(); + $arkeys{$num}{data} = $data; + } + ::rptMsg("Most recent PDF opened: ".gmtime($arkeys{1}{lastwrite})." (UTC)"); + foreach my $k (sort keys %arkeys) { + ::rptMsg(" c".$k." ".$arkeys{$k}{data}); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg("Could not access ".$key_path); + } + } + else { + ::rptMsg("Adobe Acrobat Reader version not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/aim.pl b/RecentActivity/release/rr-full/plugins/aim.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/aim.pl rename to RecentActivity/release/rr-full/plugins/aim.pl index 32eeeae713..5edde697d9 --- a/thirdparty/rr/plugins/aim.pl +++ b/RecentActivity/release/rr-full/plugins/aim.pl 
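Review bot: In the subkey loop `my $data = $s->get_value('sDI')->get_data();` has no guard, so a `c` subkey without an sDI value (get_value returning undef) dies on the method call and, since the loop is not inside an eval, aborts the whole plugin before anything is reported; hive content is untrusted evidence, so skip the entry instead: `my $sdi = $s->get_value('sDI'); next unless defined $sdi; my $data = $sdi->get_data();`. The `Most recent PDF opened` line reads `$arkeys{1}{lastwrite}` even when no c1 subkey was seen, so guard it with `if (exists $arkeys{1})`. Note also that `sort keys %arkeys` is a string sort, so if more than nine entries are present c10 is listed before c2; `sort {$a <=> $b} keys %arkeys` keeps MRU order.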
@@ -1,95 +1,97 @@ -#----------------------------------------------------------- -# aim -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package aim; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080325); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets info from the AOL Instant Messenger (not AIM) install"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching aim plugin v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = 'Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("AIM"); - ::rptMsg($key_path); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $user = $s->get_name(); - ::rptMsg("User: $user [".gmtime($s->get_timestamp())."]"); - - my $login = "Login"; - my $recent = "recent IM ScreenNames"; - my $recent2 = "recent ScreenNames"; - - my @userkeys = $s->get_list_of_subkeys(); - foreach my $u (@userkeys) { - my $us = $u->get_name(); -# See if we can get the encrypted password - if ($us =~ m/^$login/) { - my $pwd = ""; - eval { - $pwd = $u->get_value("Password1")->get_data(); - }; - ::rptMsg("Pwd: ".$pwd) if ($pwd ne ""); - } -# See if we can get recent folks they've chatted with... - if ($us eq $recent || $us eq $recent2) { - - my @vals = $u->get_list_of_values(); - if (scalar(@vals) > 0) { - ::rptMsg($user."\\".$us); - my %sns; - foreach my $v (@vals) { - $sns{$v->get_name()} = $v->get_data(); - } - - foreach my $i (sort {$a <=> $b} keys %sns) { - ::rptMsg("\t\t".$i." 
-> ".$sns{$i}); - } - } - else { -# No values - } - } - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# aim +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package aim; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080325); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets info from the AOL Instant Messenger (not AIM) install"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching aim plugin v.".$VERSION); + ::rptMsg("aim v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = 'Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("AIM"); + ::rptMsg($key_path); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $user = $s->get_name(); + ::rptMsg("User: $user [".gmtime($s->get_timestamp())."]"); + + my $login = "Login"; + my $recent = "recent IM ScreenNames"; + my $recent2 = "recent ScreenNames"; + + my @userkeys = $s->get_list_of_subkeys(); + foreach my $u (@userkeys) { + my $us = $u->get_name(); +# See if we can get the encrypted password + if ($us =~ m/^$login/) { + my $pwd = ""; + eval { + $pwd = $u->get_value("Password1")->get_data(); + }; + ::rptMsg("Pwd: ".$pwd) if ($pwd ne ""); + } 
+# See if we can get recent folks they've chatted with... + if ($us eq $recent || $us eq $recent2) { + + my @vals = $u->get_list_of_values(); + if (scalar(@vals) > 0) { + ::rptMsg($user."\\".$us); + my %sns; + foreach my $v (@vals) { + $sns{$v->get_name()} = $v->get_data(); + } + + foreach my $i (sort {$a <=> $b} keys %sns) { + ::rptMsg("\t\t".$i." -> ".$sns{$i}); + } + } + else { +# No values + } + } + } + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/all b/RecentActivity/release/rr-full/plugins/all new file mode 100755 index 0000000000..9617eba1a1 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/all @@ -0,0 +1,4 @@ +# 20120528 *ALL* Plugins that apply on any HIVES, alphabetical order +baseline +findexes +regtime \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/aports.pl b/RecentActivity/release/rr-full/plugins/aports.pl new file mode 100755 index 0000000000..0ec91104e4 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/aports.pl 
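Review bot: `::rptMsg("Pwd: ".$pwd) if ($pwd ne "");` in pluginmain copies the Password1 value, which the comment above it describes as an encrypted password, verbatim into the report, so credential material lands in a plain-text output and, if the value is a binary blob (its type is not visible here), non-printable bytes go into the report as well. Hex-encoding preserves the evidence while keeping the report clean and making the nature of the data explicit: `::rptMsg("Pwd (Password1, raw hex): ".unpack("H*",$pwd)) if ($pwd ne "");`. Minor: `$us =~ m/^$login/` interpolates `$login` unescaped; it is the constant "Login" here, but `m/^\Q$login\E/` is the safe habit whenever the pattern might come from the hive.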
@@ -0,0 +1,104 @@ +#----------------------------------------------------------- +# aports.pl +# Extracts the install path for SmartLine Inc. Active Ports. +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# Copyright (c) 2011-02-04 Brendan Coles +#----------------------------------------------------------- +# Require # +package aports; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110204); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extracts the install path for SmartLine Inc. Active Ports."; +} +sub getRefs { + my %refs = ("SmartLine Inc. Active Ports Homepage:" => + "http://www.ntutility.com"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + my @interesting_keys = ( + "InstallPath" + ); + + # Initialize # + ::logMsg("Launching aports v.".$VERSION); + ::rptMsg("aports v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\SmartLine Vision\\aports"; + + # If # Active Ports path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("Active Ports"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + # Extract # all keys from Active Ports registry path # + my %keys; + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for Active Ports registry path # + foreach my $v (@vals) { + $keys{$v->get_name()} = $v->get_data(); + } + + # Return # all key names+values for interesting keys # + foreach my $var (@interesting_keys) { + if (exists $keys{$var}) { + ::rptMsg($var." -> ".$keys{$var}); + } + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # Active Ports isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/RecentActivity/release/rr-full/plugins/appcertdlls.pl b/RecentActivity/release/rr-full/plugins/appcertdlls.pl new file mode 100755 index 0000000000..925d015821 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/appcertdlls.pl 
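Review bot: The `%keys` hash and the comments `# Extract # all keys from Active Ports registry path #` and `# If # registry keys exist in path #` in pluginmain describe registry values (`get_list_of_values`, `get_name`/`get_data`) as keys, and `@interesting_keys` likewise holds value names; in a registry-parsing tool that distinction matters to the reader, so rename to `%vals`/`@interesting_values` and reword the comments to say "values". The `# Error # key value is null #` label on the `has no values.` branch is also misleading: that branch means the key holds no values at all, not a null value. Style only; the control flow matches the other plugins.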
@@ -0,0 +1,83 @@
+#-----------------------------------------------------------
+# appcertdlls.pl
+#
+# History:
+# 20120912 - created
+#
+# References:
+# Blog post: https://blog.mandiant.com/archives/2459
+# Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf
+# Tool: https://github.com/mandiant/ShimCacheParser
+#
+# This plugin is based solely on the work and examples provided by Mandiant;
+# thanks to them for sharing this information, and making the plugin possible.
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package appcertdlls;
+use strict;
+
+my %config = (hive => "System",
+ hivemask => 4,
+ output => "report",
+ category => "malware",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 31, #XP - Win7
+ version => 20120817);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get entries from AppCertDlls key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my %files;
+my @temps;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching appcertdlls v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my ($current,$ccs);
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ my $appcert_path = $ccs."\\Control\\Session Manager\\AppCertDlls";
+ my $appcert;
+ if ($appcert = $root_key->get_subkey($appcert_path)) {
+ my @vals = $appcert->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ my $data = $v->get_data();
+ ::rptMsg($name." - ".$data);
+ }
+ }
+ else {
+ ::rptMsg($appcert_path."has no values.");
+ }
+ }
+ else {
+ ::rptMsg($appcert_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/appcompatcache.pl b/RecentActivity/release/rr-full/plugins/appcompatcache.pl
new file mode 100755
index 0000000000..25031c7a75
--- /dev/null
+++ b/RecentActivity/release/rr-full/plugins/appcompatcache.pl
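Review bot: `$ccs = "ControlSet00".$current;` assumes the Select\Current value is a single digit; control sets are named with three digits, so a Current of 10 or more builds a nonexistent `ControlSet0010` path and the plugin reports the AppCertDlls key as "not found" on a hive that may well hold persistence entries — use `$ccs = sprintf("ControlSet%03d",$current);`. The line before it, `$key->get_value("Current")->get_data()`, dies uncaught if Select has no Current value, so test the value for `defined` before calling get_data. The header's References (all ShimCacheParser links) and the 20120912 history entry do not match this plugin, whose %config says `version => 20120817`, and look carried over from appcompatcache.pl; cite an AppCertDlls source or drop them and align the version. Smaller: `::rptMsg($appcert_path."has no values.")` lacks the space before "has", and unlike the plugins touched elsewhere in this commit pluginmain prints no banner.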
@@ -0,0 +1,315 @@ +#----------------------------------------------------------- +# appcompatcache.pl +# +# History: +# 20130425 - added alertMsg() functionality +# 20120817 - updated to address issue with residual data in XP data blocks +# 20120722 - updated the %config hash +# 20120523 - updated to send all files to a single hash, and check for temp paths +# 20120515 - Updated to support 64-bit Win2003 and Vista/Win2008 +# 20120424 - Modified/updated +# 20120418 - created +# +# References: +# Blog post: https://blog.mandiant.com/archives/2459 +# Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf +# Tool: https://github.com/mandiant/ShimCacheParser +# +# This plugin is based solely on the work and examples provided by Mandiant; +# thanks to them for sharing this information, and making the plugin possible. +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package appcompatcache; +use strict; + +my %config = (hive => "System", + hivemask => 4, + output => "report", + category => "Program Execution", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 31, #XP - Win7 + version => 20130425); + +sub getConfig{return %config} +sub getShortDescr { + return "Parse files from System hive Shim Cache"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my %files; +my @temps; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching appcompatcache v.".$VERSION); + ::rptMsg("appcompatcache v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my 
($current,$ccs); + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + my $appcompat_path = $ccs."\\Control\\Session Manager"; + my $appcompat; + if ($appcompat = $root_key->get_subkey($appcompat_path)) { + + my $app_data; + + eval { + $app_data = $appcompat->get_subkey("AppCompatibility")->get_value("AppCompatCache")->get_data(); + }; + + eval { + $app_data = $appcompat->get_subkey("AppCompatCache")->get_value("AppCompatCache")->get_data(); + }; + +# ::rptMsg("Length of data: ".length($app_data)); + my $sig = unpack("V",substr($app_data,0,4)); + ::rptMsg(sprintf "Signature: 0x%x",$sig); + + if ($sig == 0xdeadbeef) { + eval { + appXP32Bit($app_data); + }; + } + elsif ($sig == 0xbadc0ffe) { + eval { + appWin2k3($app_data); + }; + } + elsif ($sig == 0xbadc0fee) { + eval { + appWin7($app_data); + }; + + } + else { + ::rptMsg("Unknown signature"); + } +# this is where we print out the files + foreach my $f (keys %files) { + ::rptMsg($f); + push(@temps,$f) if (grep(/[Tt]emp/,$f)); + ::rptMsg("ModTime: ".gmtime($files{$f}{modtime})." Z"); + ::rptMsg("UpdTime: ".gmtime($files{$f}{updtime})." Z") if (exists $files{$f}{updtime}); + ::rptMsg("Size : ".$files{$f}{size}." bytes") if (exists $files{$f}{size}); + ::rptMsg("Executed") if (exists $files{$f}{executed}); + ::rptMsg(""); + } + + if (scalar(@temps) > 0) { + foreach (@temps) { + ::alertMsg("ALERT: appcompatcache: Temp path found: ".$_); + } + } + } + else { + ::rptMsg($appcompat_path." not found."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} + +#----------------------------------------------------------- +# appXP32Bit() +# parse 32-bit XP data +#----------------------------------------------------------- +sub appXP32Bit { + my $data = shift; + ::rptMsg("WinXP, 32-bit"); +# header is 400 bytes; each structure is 552 bytes in size + my $num_entries = unpack("V",substr($data,4,4)); + + foreach my $i (0..($num_entries - 1)) { + my $x = substr($data,(400 + ($i * 552)),552); + my $file = (split(/\00\00/,substr($x,0,488)))[0]; + $file =~ s/\00//g; + $file =~ s/^\\\?\?\\//; + my ($mod1,$mod2) = unpack("VV",substr($x,528,8)); + my $modtime = ::getTime($mod1,$mod2); + my ($sz1,$sz2) = unpack("VV",substr($x,536,8)); + my $sz; + ($sz2 == 0)?($sz = $sz1):($sz = "Too big"); + my ($up1,$up2) = unpack("VV",substr($x,544,8)); + my $updtime = ::getTime($up1,$up2); + + $files{$file}{size} = $sz; + $files{$file}{modtime} = $modtime; + $files{$file}{updtime} = $updtime; + } +} +#----------------------------------------------------------- +# appWin2k3() +# parse Win2k3, Vista, Win2k8 data +#----------------------------------------------------------- +sub appWin2k3 { + my $data = shift; + my $num_entries = unpack("V",substr($data,4,4)); +# ::rptMsg("Num_entries: ".$num_entries); + my $struct_sz = 0; + my ($len,$max_len,$padding) = unpack("vvV",substr($data,8,8)); + if (($max_len - $len) == 2) { +# if $padding == 0, 64-bit; otherwise, 32-bit + if ($padding == 0) { + $struct_sz = 32; + ::rptMsg("Win2K3/Vista/Win2K8, 64-bit"); + } + else { + $struct_sz = 24; + ::rptMsg("Win2K3/Vista/Win2K8, 32-bit"); + } + } + + foreach my $i (0..($num_entries - 1)) { + my $struct = substr($data,(8 + ($struct_sz * $i)),$struct_sz); + if ($struct_sz == 24) { + my ($len,$max_len,$ofs,$t0,$t1,$f0,$f1) = unpack("vvVVVVV",$struct); + + my $file = substr($data,$ofs,$len); + $file =~ s/\00//g; + $file =~ s/^\\\?\?\\//; + my $t = ::getTime($t0,$t1); +# ::rptMsg($file); +# ::rptMsg(" LastMod: ".gmtime($t)." 
Z"); +# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2)); +# ::rptMsg(""); + $files{$file}{modtime} = $t; +# $files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3)); + $files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2)); + } + elsif ($struct_sz == 32) { + my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvVVVVVVV",$struct); + my $file = substr($data,$ofs0,$len); + $file =~ s/\00//g; + $file =~ s/^\\\?\?\\//; + my $t = ::getTime($t0,$t1); +# ::rptMsg($file); +# ::rptMsg(" LastMod: ".gmtime($t)." Z"); +# ::rptMsg(" Size : ".$f0) if (($f1 == 0) && ($f0 > 3)); +# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2)); +# ::rptMsg(""); + $files{$file}{modtime} = $t; + $files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3)); + $files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2)); + } + else { + + + } + } +} + +#----------------------------------------------------------- +# appWin7() +# parse Win2k8R2, Win7 data +#----------------------------------------------------------- +sub appWin7 { + my $data = shift; + my $struct_sz = 0; + my $num_entries = unpack("V",substr($data,4,4)); +# ::rptMsg("Num_entries: ".$num_entries); +# 128-byte header + my ($len,$max_len,$padding) = unpack("vvV",substr($data,128,8)); + if (($max_len - $len) == 2) { + if ($padding == 0) { + $struct_sz = 48; + ::rptMsg("Win2K8R2/Win7, 64-bit"); + } + else { + $struct_sz = 32; + ::rptMsg("Win2K8R2/Win7, 32-bit"); + } + } + + foreach my $i (0..($num_entries - 1)) { + my $struct = substr($data,(128 + ($struct_sz * $i)),$struct_sz); + if ($struct_sz == 32) { + my ($len,$max_len,$ofs,$t0,$t1,$f0,$f1) = unpack("vvV5x8",$struct); + my $file = substr($data,$ofs,$len); + $file =~ s/\00//g; + $file =~ s/^\\\?\?\\//; + my $t = ::getTime($t0,$t1); +# ::rptMsg($file); +# ::rptMsg(" LastModTime: ".gmtime($t)." 
Z"); +# ::rptMsg(" [Executed]") if ($f0 & 0x2); +# ::rptMsg(""); + $files{$file}{modtime} = $t; + $files{$file}{executed} = 1 if ($f0 & 0x2); + } + else { + my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvV7x16",$struct); + my $file = substr($data,$ofs0,$len); + $file =~ s/\00//g; + $file =~ s/^\\\?\?\\//; + my $t = ::getTime($t0,$t1); +# ::rptMsg($file); +# ::rptMsg(" LastModTime: ".gmtime($t)." Z"); +# ::rptMsg(" [Executed]") if ($f0 & 0x2); +# ::rptMsg(""); + $files{$file}{modtime} = $t; + $files{$file}{executed} = 1 if ($f0 & 0x2); + } + } +} + + +#----------------------------------------------------------- +# printData() +# subroutine used primarily for debugging; takes an arbitrary +# length of binary data, prints it out in hex editor-style +# format for easy debugging +#----------------------------------------------------------- +sub printData { + my $data = shift; + my $len = length($data); + my $tag = 1; + my $cnt = 0; + + my $loop = $len/16; + $loop++ if ($len%16); + + foreach my $cnt (0..($loop - 1)) { +# while ($tag) { + my $left = $len - ($cnt * 16); + + my $n; + ($left < 16) ? ($n = $left) : ($n = 16); + + my $seg = substr($data,$cnt * 16,$n); + my @str1 = split(//,unpack("H*",$seg)); + + my @s3; + my $str = ""; + + foreach my $i (0..($n - 1)) { + $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; + + if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) { + $str .= chr(hex($s3[$i])); + } + else { + $str .= "\."; + } + } + my $h = join(' ',@s3); + ::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h); + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/appcompatcache_tln.pl b/RecentActivity/release/rr-full/plugins/appcompatcache_tln.pl new file mode 100755 index 0000000000..b8d7e78819 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/appcompatcache_tln.pl 
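Review bot: The entry count and string offsets that appXP32Bit, appWin2k3 and appWin7 read from the AppCompatCache blob are used with no bounds check: `$num_entries` drives `foreach my $i (0..($num_entries - 1))` and `$ofs`/`$len` go straight into `substr($data,...)`, so a truncated or deliberately crafted cache value can keep the plugin spinning for up to 2^32 iterations or fill `%files` with empty and garbage names, and because each parser runs inside a bare `eval {}` whose `$@` is never examined, a parse that dies part-way silently yields a partial file list for a Program Execution artifact. Clamp the count to what the data can hold, e.g. in appXP32Bit `my $max = int((length($data) - 400) / 552); $num_entries = $max if ($num_entries > $max);` with the matching header and struct sizes in the other two parsers, and report failures with `::rptMsg("Error parsing AppCompatCache data: ".$@) if ($@);` after each eval. `unpack("V",substr($app_data,0,4))` also runs when neither eval managed to set `$app_data`, so a `defined $app_data` check would give a clearer message than "Unknown signature". printData is unused debugging code and could be dropped.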
@@ -0,0 +1,275 @@ +#----------------------------------------------------------- +# appcompatcache_tln.pl +# +# History: +# 20130425 - added alertMsg() functionality +# 20120817 - updated to address extra data in XP data blocks +# 20120722 - updated %config hash +# 20120523 - created; updated from appcompatcache.pl +# 20120523 - updated to send all files to a single hash, and check for temp paths +# 20120515 - Updated to support 64-bit Win2003 and Vista/Win2008 +# 20120424 - Modified/updated +# 20120418 - created +# +# References: +# Blog post: https://blog.mandiant.com/archives/2459 +# Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf +# Tool: https://github.com/mandiant/ShimCacheParser +# +# This plugin is based solely on the work and examples provided by Mandiant; +# thanks to them for sharing this information, and making the plugin possible. +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package appcompatcache_tln; +use strict; + +my %config = (hive => "System", + hivemask => 4, + output => "tln", + category => "Program Execution", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 31, #XP - Win7 + version => 20130425); + +sub getConfig{return %config} +sub getShortDescr { + return "Parse files from System hive Shim Cache"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my %files; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching appcompatcache_tln v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my ($current,$ccs); + my $key_path = 'Select'; + my $key; + if ($key = 
$root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + my $appcompat_path = $ccs."\\Control\\Session Manager"; + my $appcompat; + if ($appcompat = $root_key->get_subkey($appcompat_path)) { + + my $app_data; + + eval { + $app_data = $appcompat->get_subkey("AppCompatibility")->get_value("AppCompatCache")->get_data(); + }; + + eval { + $app_data = $appcompat->get_subkey("AppCompatCache")->get_value("AppCompatCache")->get_data(); + }; + +# ::rptMsg("Length of data: ".length($app_data)); + my $sig = unpack("V",substr($app_data,0,4)); +# ::rptMsg(sprintf "Signature: 0x%x",$sig); + + if ($sig == 0xdeadbeef) { + eval { + appXP32Bit($app_data); + }; + } + elsif ($sig == 0xbadc0ffe) { + eval { + appWin2k3($app_data); + }; + } + elsif ($sig == 0xbadc0fee) { + eval { + appWin7($app_data); + }; + + } + else { + ::rptMsg("Unknown signature"); + } +# this is where we print out the files + foreach my $f (keys %files) { + my $str; + if (exists $files{$f}{executed}) { + $str = "M... [Program Execution] AppCompatCache - ".$f; + } + else { + $str = "M... AppCompatCache - ".$f; + } + $str .= " [Size = ".$files{$f}{size}."] bytes" if (exists $files{$f}{size}); +# $str .= " [Executed]" if (exists $files{$f}{executed}); + ::rptMsg($files{$f}{modtime}."|REG|||".$str); +# alert added 20130425 + if (grep(/[Tt]emp/,$f) { + ::alertMsg($files{$f}{modtime}."|ALERT|||\"Temp\" found in path - ".$str); + } + + } + } + else { + ::rptMsg($appcompat_path." not found."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} + +#----------------------------------------------------------- +# appXP32Bit() +# parse 32-bit XP data +#----------------------------------------------------------- +sub appXP32Bit { + my $data = shift; + ::rptMsg("WinXP, 32-bit"); +# header is 400 bytes; each structure is 552 bytes in size + my $num_entries = unpack("V",substr($data,4,4)); + + foreach my $i (0..($num_entries - 1)) { + my $x = substr($data,(400 + ($i * 552)),552); + my $file = (split(/\00\00/,substr($x,0,488)))[0]; + $file =~ s/\00//g; + $file =~ s/^\\\?\?\\//; + my ($mod1,$mod2) = unpack("VV",substr($x,528,8)); + my $modtime = ::getTime($mod1,$mod2); + my ($sz1,$sz2) = unpack("VV",substr($x,536,8)); + my $sz; + ($sz2 == 0)?($sz = $sz1):($sz = "Too big"); + my ($up1,$up2) = unpack("VV",substr($x,544,8)); + my $updtime = ::getTime($up1,$up2); + +# ::rptMsg($file); +# ::rptMsg("Size : ".$sz." bytes"); +# ::rptMsg("ModTime: ".gmtime($modtime)." Z"); +# ::rptMsg("UpdTime: ".gmtime($updtime)." Z"); +# ::rptMsg(""); + $files{$file}{size} = $sz; + $files{$file}{modtime} = $modtime; + $files{$file}{updtime} = $updtime; + } +} +#----------------------------------------------------------- +# appWin2k3() +# parse Win2k3, Vista, Win2k8 data +#----------------------------------------------------------- +sub appWin2k3 { + my $data = shift; + my $num_entries = unpack("V",substr($data,4,4)); +# ::rptMsg("Num_entries: ".$num_entries); + my $struct_sz = 0; + my ($len,$max_len,$padding) = unpack("vvV",substr($data,8,8)); + if (($max_len - $len) == 2) { +# if $padding == 0, 64-bit; otherwise, 32-bit + if ($padding == 0) { + $struct_sz = 32; + ::rptMsg("Win2K3/Vista/Win2K8, 64-bit"); + } + else { + $struct_sz = 24; + ::rptMsg("Win2K3/Vista/Win2K8, 32-bit"); + } + } + + foreach my $i (0..($num_entries - 1)) { + my $struct = substr($data,(8 + ($struct_sz * $i)),$struct_sz); + if ($struct_sz == 24) { + my ($len,$max_len,$ofs,$t0,$t1,$f0,$f1) = unpack("vvVVVVV",$struct); + + my $file = 
substr($data,$ofs,$len); + $file =~ s/\00//g; + $file =~ s/^\\\?\?\\//; + my $t = ::getTime($t0,$t1); +# ::rptMsg($file); +# ::rptMsg(" LastMod: ".gmtime($t)." Z"); +# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2)); +# ::rptMsg(""); + $files{$file}{modtime} = $t; + $files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2)); + } + elsif ($struct_sz == 32) { + my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvVVVVVVV",$struct); + my $file = substr($data,$ofs0,$len); + $file =~ s/\00//g; + $file =~ s/^\\\?\?\\//; + my $t = ::getTime($t0,$t1); +# ::rptMsg($file); +# ::rptMsg(" LastMod: ".gmtime($t)." Z"); +# ::rptMsg(" Size : ".$f0) if (($f1 == 0) && ($f0 > 3)); +# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2)); +# ::rptMsg(""); + $files{$file}{modtime} = $t; + $files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3)); + $files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2)); + } + else { + + + } + } +} + +#----------------------------------------------------------- +# appWin7() +# parse Win2k8R2, Win7 data +#----------------------------------------------------------- +sub appWin7 { + my $data = shift; + my $struct_sz = 0; + my $num_entries = unpack("V",substr($data,4,4)); +# ::rptMsg("Num_entries: ".$num_entries); +# 128-byte header + my ($len,$max_len,$padding) = unpack("vvV",substr($data,128,8)); + if (($max_len - $len) == 2) { + if ($padding == 0) { + $struct_sz = 48; + ::rptMsg("Win2K8R2/Win7, 64-bit"); + } + else { + $struct_sz = 32; + ::rptMsg("Win2K8R2/Win7, 32-bit"); + } + } + + foreach my $i (0..($num_entries - 1)) { + my $struct = substr($data,(128 + ($struct_sz * $i)),$struct_sz); + if ($struct_sz == 32) { + my ($len,$max_len,$ofs,$t0,$t1,$f0,$f1) = unpack("vvV5x8",$struct); + my $file = substr($data,$ofs,$len); + $file =~ s/\00//g; + $file =~ s/^\\\?\?\\//; + my $t = ::getTime($t0,$t1); +# ::rptMsg($file); +# ::rptMsg(" LastModTime: ".gmtime($t)." 
Z"); +# ::rptMsg(" [Executed]") if ($f0 & 0x2); +# ::rptMsg(""); + $files{$file}{modtime} = $t; + $files{$file}{executed} = 1 if ($f0 & 0x2); + } + else { + my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvV7x16",$struct); + my $file = substr($data,$ofs0,$len); + $file =~ s/\00//g; + $file =~ s/^\\\?\?\\//; + my $t = ::getTime($t0,$t1); +# ::rptMsg($file); +# ::rptMsg(" LastModTime: ".gmtime($t)." Z"); +# ::rptMsg(" [Executed]") if ($f0 & 0x2); +# ::rptMsg(""); + $files{$file}{modtime} = $t; + $files{$file}{executed} = 1 if ($f0 & 0x2); + } + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/appcompatflags.pl b/RecentActivity/release/rr-full/plugins/appcompatflags.pl new file mode 100755 index 0000000000..6892bc912f --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/appcompatflags.pl 
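Review bot: The alert test in pluginmain, `if (grep(/[Tt]emp/,$f) {`, is missing its closing parenthesis as rendered here, so the plugin would not compile and would never load; it should read `if (grep(/[Tt]emp/,$f)) {`. Separately, appXP32Bit, appWin2k3 and appWin7 take the entry count and every string offset and length straight from the hive data and never compare them against `length($data)`, so a truncated or deliberately malformed AppCompatCache value produces undef or garbage entries that are only contained by the surrounding eval in pluginmain; a guard such as `last if ((128 + ($struct_sz * ($i + 1))) > length($data));` at the top of the appWin7 loop (with 8 and 400 for the other two layouts) would keep partial output well-formed. The three parser subs are the same code as in appcompatcache.pl earlier in this commit, so the guard belongs there too.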
@@ -0,0 +1,104 @@ +#----------------------------------------------------------- +# appcompatflags.pl +# Extracts AppCompatFlags for Windows. +# This is a list of applications configured to run in +# compatibility mode. Some applications may be configured +# to run with elevated privilages (Tested in Vista only) : +# "ELEVATECREATEPROCESS" "RUNASADMIN" "WINXPSP2 RUNASADMIN" +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# http://msdn.microsoft.com/en-us/library/bb756937.aspx +# +# Copyright (c) 2011-02-04 Brendan Coles +#----------------------------------------------------------- +# Require # +package appcompatflags; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 1, + hasRefs => 1, + osmask => 22, + version => 20110204); +my $VERSION = getVersion(); + +# Functions # +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getDescr { + return "Extracts AppCompatFlags for Windows. This is a list". + " of applications configured to run in compatibility". + " mode. Some applications may be configured to run". + " with elevated privilages (Tested in Vista only) :". 
+ '"ELEVATECREATEPROCESS" "RUNASADMIN" "WINXPSP2 RUNASADMIN"'; +} +sub getShortDescr { + return "Extracts AppCompatFlags for Windows."; +} +sub getRefs { + my %refs = ("Application Compatibility: Program Compatibility Assistant" => + "http://msdn.microsoft.com/en-us/library/bb756937.aspx"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + + # Initialize # + ::logMsg("Launching appcompatflags v.".$VERSION); + ::rptMsg("appcompatflags v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers"; + + # If # AppCompatFlags path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("AppCompatFlags"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + # Extract # all keys from AppCompatFlags registry path # + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for AppCompatFlags registry path # + foreach my $v (@vals) { + ::rptMsg($v->get_name()." -> ".$v->get_data()); + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # AppCompatFlags isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; 
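Review bot: The `getDescr()` return string and the header comment both misspell "privilages"; since getDescr is a runtime string shown to the analyst, the line should become `" with elevated privileges (Tested in Vista only) :".`. The plugin prints every Layers value verbatim but never raises an alert, whereas appinitdlls.pl and appcompatcache_tln.pl in this commit call `::alertMsg` when they find a value worth an analyst's attention; a layer containing RUNASADMIN or ELEVATECREATEPROCESS is exactly the elevated-privilege case the header describes, so an `::alertMsg` line inside the `foreach my $v (@vals)` loop when the data matches those tokens would surface it in the alerts output. The `# If #` / `# Error #` comment style differs from the other plugins but is harmless.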
diff --git a/RecentActivity/release/rr-full/plugins/appinitdlls.pl b/RecentActivity/release/rr-full/plugins/appinitdlls.pl
new file mode 100755
index 0000000000..15352e1dee
--- /dev/null
+++ b/RecentActivity/release/rr-full/plugins/appinitdlls.pl

@@ -0,0 +1,93 @@ +#----------------------------------------------------------- +# appinitdlls +# +# Change history: +# 20130425 - added alertMsg() functionality +# 20130305 - updated to address 64-bit systems +# 20080324 - created +# +# Ref: +# http://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx +# http://support.microsoft.com/kb/q197571 +# +# copyright 2013 QAR,LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package appinitdlls; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20130425); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of AppInit_DLLs value"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Working with the AppInit_DLLs Reg Value" => + "http://support.microsoft.com/kb/q197571"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::rptMsg("Launching appinitdlls v.".$VERSION); + ::rptMsg("appinitdlls v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my @paths = ('Microsoft\\Windows NT\\CurrentVersion\\Windows', + 'Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows'); + + ::rptMsg("AppInit_DLLs"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + + eval { + my $app = $key->get_value("AppInit_DLLs")->get_data(); + + if ($app eq "") { + $app = "{blank}"; + } + else { + ::alertMsg("ALERT: appinitdlls: Entry not blank: ".$app); + } + ::rptMsg(" AppInit_DLLs : ".$app); + }; + + eval { + my $load = $key->get_value("LoadAppInit_DLLs")->get_data(); + ::rptMsg(" LoadAppInit_DLLs : ".$load); + ::rptMsg("*LoadAppInit_DLLs value globally enables/disables AppInit_DLLS\."); + ::rptMsg("0 = disabled (default)"); + }; + + eval { + my $req = $key->get_value("RequireSignedAppInit_DLLs")->get_data(); + ::rptMsg(" RequireSignedAppInit_DLLs : ".$req); + }; + + ::rptMsg(""); + } + else { + ::rptMsg($key_path." not found."); + } + } + ::rptMsg("Analysis Tip: The AppInit_DLLs value should be blank; any DLL listed"); + ::rptMsg("is launched with each user-mode process\. "); +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/applets.pl b/RecentActivity/release/rr-full/plugins/applets.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/applets.pl rename to RecentActivity/release/rr-full/plugins/applets.pl index e29fffa083..5e25c1ccce --- a/thirdparty/rr/plugins/applets.pl +++ b/RecentActivity/release/rr-full/plugins/applets.pl 
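Review bot: The first statement of pluginmain writes the launch message with `::rptMsg("Launching appinitdlls v.".$VERSION);`, so the report carries both that line and the banner immediately after it; every other plugin in this commit (applets.pl, apppaths.pl, ares.pl) sends the launch line to `::logMsg`, and this one should as well. The closing analysis tip says any listed DLL is launched with each user-mode process, yet the plugin itself reads `LoadAppInit_DLLs` and prints that 0 disables the mechanism, so the tip would be more accurate as `::rptMsg("is launched with each user-mode process when LoadAppInit_DLLs is enabled\. ");`. Checking both the native and the Wow6432Node paths is the right scope for this value on 64-bit systems.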
@@ -1,96 +1,98 @@ -#----------------------------------------------------------- -# applets.pl -# Plugin for Registry Ripper -# Windows\CurrentVersion\Applets Recent File List values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package applets; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's Applets key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching applets v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Applets'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Applets"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); -# Locate files opened in MS Paint - my $paint_key = 'Paint\\Recent File List'; - my $paint = $key->get_subkey($paint_key); - if (defined $paint) { - ::rptMsg($key_path."\\".$paint_key); - ::rptMsg("LastWrite Time ".gmtime($paint->get_timestamp())." (UTC)"); - - my @vals = $paint->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path."\\".$paint_key." 
has no values."); - } - } - else { - ::rptMsg($key_path."\\".$paint_key." not found."); - } -# Get Last Registry key opened in RegEdit - my $reg_key = "Regedit"; - my $reg = $key->get_subkey($reg_key); - if (defined $reg) { - ::rptMsg(""); - ::rptMsg($key_path."\\".$reg_key); - ::rptMsg("LastWrite Time ".gmtime($reg->get_timestamp())." (UTC)"); - my $lastkey = $reg->get_value("LastKey")->get_data(); - ::rptMsg("RegEdit LastKey value -> ".$lastkey); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# applets.pl +# Plugin for Registry Ripper +# Windows\CurrentVersion\Applets Recent File List values +# +# Change history +# +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package applets; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's Applets key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching applets v.".$VERSION); + ::rptMsg("applets v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Applets'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Applets"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); +# Locate files opened in MS Paint + my $paint_key = 'Paint\\Recent File List'; + my $paint = $key->get_subkey($paint_key); + if (defined $paint) { + ::rptMsg($key_path."\\".$paint_key); + ::rptMsg("LastWrite Time ".gmtime($paint->get_timestamp())." (UTC)"); + + my @vals = $paint->get_list_of_values(); + if (scalar(@vals) > 0) { + my %files; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + my $tag = (split(/File/,$val))[1]; + $files{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %files) { + my ($val,$data) = split(/:/,$files{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path."\\".$paint_key." has no values."); + } + } + else { + ::rptMsg($key_path."\\".$paint_key." not found."); + } +# Get Last Registry key opened in RegEdit + my $reg_key = "Regedit"; + my $reg = $key->get_subkey($reg_key); + if (defined $reg) { + ::rptMsg(""); + ::rptMsg($key_path."\\".$reg_key); + ::rptMsg("LastWrite Time ".gmtime($reg->get_timestamp())." (UTC)"); + my $lastkey = $reg->get_value("LastKey")->get_data(); + ::rptMsg("RegEdit LastKey value -> ".$lastkey); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/applets_tln.pl b/RecentActivity/release/rr-full/plugins/applets_tln.pl new file mode 100755 index 0000000000..02a2a34510 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/applets_tln.pl 
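Review bot: In the new file, `my $lastkey = $reg->get_value("LastKey")->get_data();` is unguarded, so a Regedit subkey without a LastKey value makes the plugin die on an undefined value after it has already begun reporting; the sibling plugins wrap such lookups in `eval { ... };`, and `my $lastkey; eval { $lastkey = $reg->get_value("LastKey")->get_data(); };` followed by printing only when it is defined would match them. That lookup also reuses the name `$reg` for the subkey, shadowing the `Parse::Win32Registry` handle declared at the top of pluginmain, which `use strict` permits in the inner scope but which is easy to misread; `$regedit` would be clearer. The hunk removes and re-adds all 96 lines for what is a two-line banner addition plus a mode change, which looks like a line-ending conversion; if so, a separate whitespace-only commit or a .gitattributes rule would keep the functional change reviewable. The same unguarded LastKey lookup appears in applets_tln.pl below.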
@@ -0,0 +1,84 @@ +#----------------------------------------------------------- +# applets_tln.pl +# Plugin for Registry Ripper +# Windows\CurrentVersion\Applets Recent File List values +# +# Change history +# 20120613 - created +# +# References +# +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package applets_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120613); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's Applets key (TLN)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching applets_tln v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Applets'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("Applets"); +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); +# ::rptMsg(""); +# Locate files opened in MS Paint + my $paint_key = 'Paint\\Recent File List'; + my $paint = $key->get_subkey($paint_key); + if (defined $paint) { +# ::rptMsg($key_path."\\".$paint_key); +# ::rptMsg("LastWrite Time ".gmtime($paint->get_timestamp())." (UTC)"); + + my @vals = $paint->get_list_of_values(); + if (scalar(@vals) > 0) { + ::rptMsg($paint->get_timestamp()."|REG|||MS Paint Most Recent File = ".$paint->get_value("File1")->get_data()); + } + else { +# ::rptMsg($key_path."\\".$paint_key." has no values."); + } + } + else { +# ::rptMsg($key_path."\\".$paint_key." 
not found."); + } +# Get Last Registry key opened in RegEdit + my $reg_key = "Regedit"; + my $reg = $key->get_subkey($reg_key); + if (defined $reg) { +# ::rptMsg(""); +# ::rptMsg($key_path."\\".$reg_key); +# ::rptMsg("LastWrite Time ".gmtime($reg->get_timestamp())." (UTC)"); + my $lastkey = $reg->get_value("LastKey")->get_data(); + ::rptMsg($reg->get_timestamp()."|REG|||RegEdit LastKey value -> ".$lastkey); + } + } + else { +# ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/apppaths.pl b/RecentActivity/release/rr-full/plugins/apppaths.pl new file mode 100755 index 0000000000..10006a6ee8 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/apppaths.pl 
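Review bot: `$paint->get_value("File1")->get_data()` is called whenever the Recent File List has any values, but nothing checks that a value named File1 is among them, so a key holding only higher-numbered entries makes the plugin die on an undefined value; guard it with `my $f1 = $paint->get_value("File1");` and emit the record only `if (defined $f1)`, or wrap it in `eval` as the other parsers in this commit do. The two `else` branches now hold only commented-out rptMsg calls and can be dropped, since silence is the intended TLN behaviour there. The record's timestamp is the key's LastWrite time, which deserves a one-line comment because a key's LastWrite moves on any value change in the key, not only on File1.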
@@ -0,0 +1,94 @@ +#----------------------------------------------------------- +# apppaths +# Gets contents of App Paths subkeys from the Software hive, +# diplaying the EXE name and path; all entries are sorted by +# LastWrite time +# +# References +# +# +# History: +# 20120524 - updated to include 64-bit OSs +# 20080404 - created +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package apppaths; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20120524); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets content of App Paths subkeys"; +} +sub getDescr{} +sub getRefs { + my %refs = ("You cannot open Help and Support Center in Windows XP" => + "http://support.microsoft.com/kb/888018", + "Another installation program starts..." => + "http://support.microsoft.com/kb/888470"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching apppaths v.".$VERSION); + ::rptMsg("apppaths v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# used a list of values to address the need for parsing the App Paths key +# in the Wow6432Node key, if it exists. 
+ my @paths = ("Microsoft\\Windows\\CurrentVersion\\App Paths"); + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("App Paths"); + ::rptMsg($key_path); + ::rptMsg(""); + my %apps; + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + + my $name = $s->get_name(); + my $lastwrite = $s->get_timestamp(); + my $path; + eval { + $path = $s->get_value("")->get_data(); + }; + push(@{$apps{$lastwrite}},$name." - ".$path); + } + + foreach my $t (reverse sort {$a <=> $b} keys %apps) { + ::rptMsg(gmtime($t)." (UTC)"); + foreach my $item (@{$apps{$t}}) { + ::rptMsg(" $item"); + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/apppaths_tln.pl b/RecentActivity/release/rr-full/plugins/apppaths_tln.pl new file mode 100755 index 0000000000..ae609af17e --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/apppaths_tln.pl 
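Review bot: The comment above `@paths` says the list exists so the Wow6432Node copy of App Paths is parsed too, and the history claims 64-bit support since 20120524, but `@paths` holds only the native key, so on 64-bit systems the 32-bit application entries are never looked up; the line should be `my @paths = ("Microsoft\\Windows\\CurrentVersion\\App Paths", "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths");`, matching how appinitdlls.pl in this commit enumerates both. apppaths_tln.pl below carries the same comment and the same single-entry list. When a subkey has no default value, `$path` stays undef and is concatenated into the report line; `$path = "" unless (defined $path);` after the eval avoids the undef-concatenation warning and makes the missing path visible as an empty field.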
@@ -0,0 +1,90 @@ +#----------------------------------------------------------- +# apppaths_tln +# Gets contents of App Paths subkeys from the Software hive, +# Output in TLN format +# +# References +# +# History: +# 20130429 - created from apppaths.pl +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package apppaths_tln; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20130429); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets content of App Paths subkeys (TLN)"; +} +sub getDescr{} +sub getRefs { + my %refs = ("You cannot open Help and Support Center in Windows XP" => + "http://support.microsoft.com/kb/888018", + "Another installation program starts..." => + "http://support.microsoft.com/kb/888470"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching apppaths_tln v.".$VERSION); +# ::rptMsg("apppaths v.".$VERSION); # banner +# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# used a list of values to address the need for parsing the App Paths key +# in the Wow6432Node key, if it exists. + my @paths = ("Microsoft\\Windows\\CurrentVersion\\App Paths"); + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("App Paths"); + ::rptMsg($key_path); + ::rptMsg(""); + my %apps; + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + + my $name = $s->get_name(); + my $lastwrite = $s->get_timestamp(); + my $path; + eval { + $path = $s->get_value("")->get_data(); + }; + push(@{$apps{$lastwrite}},$name." 
- ".$path); + } + + foreach my $t (reverse sort {$a <=> $b} keys %apps) { + foreach my $item (@{$apps{$t}}) { + ::rptMsg($t."|REG|||App Paths - ".$item); + } + } + } + else { +# ::rptMsg($key_path." has no subkeys."); + } + } + else { +# ::rptMsg($key_path." not found."); + } + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/appspecific.pl b/RecentActivity/release/rr-full/plugins/appspecific.pl new file mode 100755 index 0000000000..cf80f2c327 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/appspecific.pl 
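Review bot: pluginmain still emits `::rptMsg("App Paths");`, `::rptMsg($key_path);` and `::rptMsg("");` before the loop, which are plain header lines in a plugin whose output is `time|REG|||desc` timeline records, so a consumer splitting the TLN stream on pipes sees three malformed lines; the other TLN plugins in this commit (applets_tln.pl, appcompatcache_tln.pl) comment such lines out, and these three should be commented out the same way the banner above them already is. The Wow6432Node comment paired with a single-entry `@paths` is the same issue raised on apppaths.pl.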
@@ -0,0 +1,74 @@
+#-----------------------------------------------------------
+# appspecific.pl
+#
+#
+# Change history
+# 20120820 - created
+#
+# References
+#
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package appspecific;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20120820);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's Intellipoint\\AppSpecific subkeys";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching appspecific v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\IntelliPoint\\AppSpecific';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("AppSpecific");
+ ::rptMsg($key_path);
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
+
+ my $ts;
+ eval {
+ $ts = $s->get_value("Timestamp")->get_data();
+ my $t = ::getTime(0,$ts);
+ ::rptMsg("Timestamp: ".gmtime($t));
+
+ };
+
+
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/ares.pl b/RecentActivity/release/rr-full/plugins/ares.pl
new file mode 100755
index 0000000000..f264ea7781
--- /dev/null
+++ b/RecentActivity/release/rr-full/plugins/ares.pl
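Review bot: `my $t = ::getTime(0,$ts);` passes the Timestamp value as the second argument with a zero first argument, while every other call in this commit passes two unpacked DWORDs as `::getTime($t0,$t1)`, so a reader is left to guess whether the value is the high half of a FILETIME or something else; a comment such as `# Timestamp appears to hold only the high DWORD of a FILETIME; low DWORD treated as 0 - confirm` would record the assumption. The timestamp is printed with `gmtime($t)` and no `(UTC)` suffix, unlike the LastWrite line just above it, so `::rptMsg("Timestamp: ".gmtime($t)." (UTC)");` would keep the report consistent. The header block has empty description and reference sections, which is where a sentence on what the IntelliPoint AppSpecific subkeys record belongs.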
@@ -0,0 +1,109 @@ +#----------------------------------------------------------- +# ares.pl +# +# +# Change History +# 20130312 - updated based on data provided by J. Weg +# 20120507 - modified to remove the traversing function, to only get +# a limited amount of data. +# 20110603 - modified F. Kolenbrander +# parsing some values according ares source code, like searches and +# timestamps. +# 20110530 - created +# +# References +# +# +# copyright 2012 Quantum Analytics Research, LLC +# author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package ares; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130312); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's Software/Ares key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching ares v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Ares'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); +# ::rptMsg(""); + my %ares = (); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + $ares{$v->get_name()} = $v->get_data(); + } + ::rptMsg(""); + ::rptMsg("RegisterEmail: ".$ares{"RegisterEmail"}) if (exists $ares{"RegisterEmail"}); + ::rptMsg("Stats\.LstConnect: ".gmtime($ares{"Stats\.LstConnect"})." 
UTC") if (exists $ares{"Stats\.LstConnect"}); + ::rptMsg("Personal\.Nickname: ".hex2ascii($ares{"Personal\.Nickname"})) if (exists $ares{"Personal\.Nickname"}); + ::rptMsg("General\.Language: ".hex2ascii($ares{"General\.Language"})) if (exists $ares{"General\.Language"}); + ::rptMsg("PrivateMessage\.AwayMessage: ".hex2ascii($ares{"PrivateMessage\.AwayMessage"})) if (exists $ares{"PrivateMessage\.AwayMessage"}); + + } + else { + ::rptMsg($key->get_name()." has no values."); + } + ::rptMsg(""); + getSearchTerms($key); + + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub getSearchTerms { + my $key = shift; + + my $count = 0; + ::rptMsg("Search Terms:"); + my @subkeys = ("audio\.gen","gen\.gen","image\.gen","video\.gen"); + + foreach my $sk (@subkeys) { + my $gen = $key->get_subkey("Search\.History")->get_subkey($sk); + my @vals = $gen->get_list_of_values(); + if (scalar(@vals) > 0) { + $count = 1; + ::rptMsg($gen->get_name()); + ::rptMsg("LastWrite: ".gmtime($gen->get_timestamp())); + foreach my $v (@vals) { + next if ($v->get_name() eq ""); + ::rptMsg(" ".hex2ascii($v->get_name())); + } + } + } + ::rptMsg("No search terms found\.") if ($count == 0); + +} + +sub hex2ascii { + return pack('H*',shift); +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/arpcache.pl b/RecentActivity/release/rr-full/plugins/arpcache.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/arpcache.pl rename to RecentActivity/release/rr-full/plugins/arpcache.pl index b8ed74f88f..abb9714301 --- a/thirdparty/rr/plugins/arpcache.pl +++ b/RecentActivity/release/rr-full/plugins/arpcache.pl 
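Review bot: getSearchTerms calls `$key->get_subkey("Search\.History")->get_subkey($sk)` and then `$gen->get_list_of_values()` with no guard, so a profile with no Search.History key, or one missing any of the four `.gen` subkeys, makes the plugin die on an undefined value after the main values have already been reported; fetch the parent once with `my $hist = $key->get_subkey("Search\.History");`, return with the existing "No search terms found" message when it is undefined, and add `next unless (defined $gen);` inside the loop. `gmtime($ares{"Stats\.LstConnect"})` treats that value as a Unix epoch, which is consistent with the 20110603 history entry about parsing timestamps per the Ares source, but a short comment stating that would save the next reader the lookup.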
@@ -1,133 +1,135 @@ -#----------------------------------------------------------- -# arpcache.pl -# Retrieves CurrentVersion\App Management\ARPCache entries; subkeys appear -# to maintain information about paths to installed applications in the -# SlowInfoCache value(0x10 - FILETIME object, null term. string with path -# starts at 0x1c) -# -# Change history -# 20090413 - Created -# -# References -# No references, but the subkeys appear to hold information about -# installed applications; some SlowInfoCache values appear to contain -# timestamp data (FILETIME object) and/or path information. Posts on -# the Internet indicate the existence of Kazaa beneath the APRCache key, -# as well as possibly an "Outerinfo" subkey indicating that spyware is -# installed. -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package arpcache; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090413); - -sub getConfig{return %config} -sub getShortDescr { - return "Retrieves CurrentVersion\\App Management\\ARPCache entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %arpcache; - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching arpcache v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $lw = $s->get_timestamp(); - my $name = $s->get_name(); - - my $path; - eval { - my $i = $s->get_value("SlowInfoCache")->get_data(); - $path = parsePath($i); - }; - ($@) ? ($name .= "|") : ($name .= "|".$path); - - my $date; - eval { - my $i = $s->get_value("SlowInfoCache")->get_data(); - $date = parseDate($i); - }; - ($@) ? ($name .= "|") : ($name .= "|".$date); - push(@{$arpcache{$lw}},$name); - } - - - foreach my $t (reverse sort {$a <=> $b} keys %arpcache) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$arpcache{$t}}) { - my ($name,$path,$date) = split(/\|/,$item,3); - ::rptMsg(" ".$name); - my $str = $path unless ($path eq ""); - $str .= " [".gmtime($date)."]" unless ($date == 0); - ::rptMsg(" -> ".$str) unless ($str eq ""); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; - -sub parseDate { - my $data = shift; - my ($t1,$t2) = unpack("VV",substr($data,0x10,8)); - return ::getTime($t1,$t2); -} - -sub parsePath { - my $data = shift; - my $ofs = 0x1c; - my $tag = 1; - - my $str = substr($data,$ofs,2); - if (unpack("v",$str) == 0) { - return ""; - } - else { - while($tag) { - $ofs += 2; - my $i = substr($data,$ofs,2); - if (unpack("v",$i) == 0) { - $tag = 0; - } - else { - $str .= $i; - } - } - } - $str =~ s/\00//g; - return $str; +#----------------------------------------------------------- +# arpcache.pl +# Retrieves CurrentVersion\App Management\ARPCache entries; subkeys appear +# to maintain information about paths to installed applications in the +# SlowInfoCache value(0x10 - FILETIME object, null term. 
string with path +# starts at 0x1c) +# +# Change history +# 20090413 - Created +# +# References +# No references, but the subkeys appear to hold information about +# installed applications; some SlowInfoCache values appear to contain +# timestamp data (FILETIME object) and/or path information. Posts on +# the Internet indicate the existence of Kazaa beneath the APRCache key, +# as well as possibly an "Outerinfo" subkey indicating that spyware is +# installed. +# +# copyright 2009 H. Carvey +#----------------------------------------------------------- +package arpcache; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20090413); + +sub getConfig{return %config} +sub getShortDescr { + return "Retrieves CurrentVersion\\App Management\\ARPCache entries"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %arpcache; + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching arpcache v.".$VERSION); + ::rptMsg("arpcache v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $lw = $s->get_timestamp(); + my $name = $s->get_name(); + + my $path; + eval { + my $i = $s->get_value("SlowInfoCache")->get_data(); + $path = parsePath($i); + }; + ($@) ? 
($name .= "|") : ($name .= "|".$path); + + my $date; + eval { + my $i = $s->get_value("SlowInfoCache")->get_data(); + $date = parseDate($i); + }; + ($@) ? ($name .= "|") : ($name .= "|".$date); + push(@{$arpcache{$lw}},$name); + } + + + foreach my $t (reverse sort {$a <=> $b} keys %arpcache) { + ::rptMsg(gmtime($t)." (UTC)"); + foreach my $item (@{$arpcache{$t}}) { + my ($name,$path,$date) = split(/\|/,$item,3); + ::rptMsg(" ".$name); + my $str = $path unless ($path eq ""); + $str .= " [".gmtime($date)."]" unless ($date == 0); + ::rptMsg(" -> ".$str) unless ($str eq ""); + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + +1; + +sub parseDate { + my $data = shift; + my ($t1,$t2) = unpack("VV",substr($data,0x10,8)); + return ::getTime($t1,$t2); +} + +sub parsePath { + my $data = shift; + my $ofs = 0x1c; + my $tag = 1; + + my $str = substr($data,$ofs,2); + if (unpack("v",$str) == 0) { + return ""; + } + else { + while($tag) { + $ofs += 2; + my $i = substr($data,$ofs,2); + if (unpack("v",$i) == 0) { + $tag = 0; + } + else { + $str .= $i; + } + } + } + $str =~ s/\00//g; + return $str; } \ No newline at end of file diff --git a/thirdparty/rr/plugins/assoc.pl b/RecentActivity/release/rr-full/plugins/assoc.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/assoc.pl rename to RecentActivity/release/rr-full/plugins/assoc.pl index a2587da110..42c3ed0d6e --- a/thirdparty/rr/plugins/assoc.pl +++ b/RecentActivity/release/rr-full/plugins/assoc.pl 
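Review bot: `my $str = $path unless ($path eq "");` in the report loop declares a lexical with a statement modifier, which perldoc documents as undefined behaviour; when `$path` is empty the following `$str .= " [".gmtime($date)."]"` can operate on a stale value from a previous iteration. Replace it with `my $str = ($path eq "") ? "" : $path;`. Separately, `%arpcache` is a package-level hash that `pluginmain` never resets, so if the host invokes the plugin more than once in the same process (which I cannot confirm from this hunk) entries from an earlier hive would be reported again; adding `%arpcache = ();` at the top of `pluginmain` costs nothing. Both issues predate the rename; the hunk itself only adds the two banner lines.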
@@ -1,87 +1,89 @@ -#----------------------------------------------------------- -# assoc.pl -# Plugin to extract file association data from the Software hive file -# Can take considerable time to run; recommend running it via rip.exe -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package assoc; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080815); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get list of file ext associations"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching assoc v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Classes"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("assoc"); - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); -# First step will be to get a list of all of the file extensions - my %ext; - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - next unless ($name =~ m/^\.\w+$/); - my $data; - eval { - $data = $s->get_value("")->get_data(); - }; - if ($@) { -# Error generated, as "(Default)" value was not found - } - else { - $ext{$name} = $data if ($data ne ""); - } - } -# Once a list of all file ext subkeys has been compiled, access the file type -# to determine the command line used to launch files with that extension - foreach my $e (keys %ext) { - my $cmd; - eval { - $cmd = $key->get_subkey($ext{$e}."\\shell\\open\\command")->get_value("")->get_data(); - }; - if ($@) { -# error generated attempting to locate .\shell\open\command\(Default) value - } - else { - ::rptMsg($e." : ".$cmd); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} +#----------------------------------------------------------- +# assoc.pl +# Plugin to extract file association data from the Software hive file +# Can take considerable time to run; recommend running it via rip.exe +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package assoc; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080815); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get list of file ext associations"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching assoc v.".$VERSION); + ::rptMsg("assoc v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Classes"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("assoc"); + ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); +# First step will be to get a list of all of the file extensions + my %ext; + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); + next unless ($name =~ m/^\.\w+$/); + my $data; + eval { + $data = $s->get_value("")->get_data(); + }; + if ($@) { +# Error generated, as "(Default)" value was not found + } + else { + $ext{$name} = $data if ($data ne ""); + } + } +# Once a list of all file ext subkeys has been compiled, access the file type +# to determine the command line used to launch files with that extension + foreach my $e (keys %ext) { + my $cmd; + eval { + $cmd = $key->get_subkey($ext{$e}."\\shell\\open\\command")->get_value("")->get_data(); + }; + if ($@) { +# error generated attempting to locate .\shell\open\command\(Default) value + } + else { + ::rptMsg($e." : ".$cmd); + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." 
not found."); + ::logMsg($key_path." not found."); + } + +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/attachmgr.pl b/RecentActivity/release/rr-full/plugins/attachmgr.pl new file mode 100755 index 0000000000..0a938b9c4c --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/attachmgr.pl 
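Review bot: `foreach my $e (keys %ext)` iterates in hash order, so the extension-to-command listing comes out in a different order on every run, which makes two reports of the same hive non-comparable; use `foreach my $e (sort keys %ext)`. The empty `if ($@) { ... }` branches also discard the reason a lookup failed, so an extension that has a ProgID but no `shell\open\command` key is silently dropped from the output; at least `::logMsg($e.": ".$@);` would leave a trace in the log. Since `$ext{$e}` comes from hive data and is spliced into a key path, a one-line comment saying the eval is what contains malformed ProgIDs would document the intent.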
@@ -0,0 +1,85 @@ +#----------------------------------------------------------- +# attachmgr.pl +# The Windows Attachment Manager manages how attachments are handled, +# and settings are on a per-user basis. Malware has been shown to access +# these settings and make modifications. +# +# Category: Malware +# +# Change history +# 20130425 - added alertMsg() functionality +# 20130117 - created +# +# References +# http://journeyintoir.blogspot.com/2010/10/anatomy-of-drive-by-part-2.html +# http://support.microsoft.com/kb/883260 +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package attachmgr; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130425); + +sub getConfig{return %config} +sub getShortDescr { + return "Checks user's keys that manage the Attachment Manager functionality"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + my @temps; + + ::logMsg("Launching attachmgr v.".$VERSION); + ::rptMsg("attachmgr v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my @attach = ('Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations', + 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments'); + + foreach my $key_path (@attach) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); +# checks added 20130425 +# settings information derived from MS KB 883260 + ::alertMsg("ALERT: attachmgr: ".$key_path." SaveZoneInformation value found: ".$data) if ($name eq "SaveZoneInformation"); + ::alertMsg("ALERT: attachmgr: ".$key_path." ScanWithAntiVirus value found: ".$data) if ($name eq "ScanWithAntiVirus"); + ::alertMsg("ALERT: attachmgr: ".$key_path." LowRiskFileTypes value includes exe: ".$data (if $name eq "LowRiskFileTypes" && grep(/exe/,$data)); + + ::rptMsg(sprintf "%-15s %-6s",$name,$data); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } + ::rptMsg(""); + } +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/attachmgr_tln.pl b/RecentActivity/release/rr-full/plugins/attachmgr_tln.pl new file mode 100755 index 0000000000..8b40decd2f --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/attachmgr_tln.pl 
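Review bot: The LowRiskFileTypes alert line does not compile: `.$data (if $name eq "LowRiskFileTypes" && grep(/exe/,$data));` puts the `if` inside the argument list of `::alertMsg` and leaves a parenthesis unbalanced, so Perl rejects the whole file and the plugin never loads. It should read `::alertMsg("ALERT: attachmgr: ".$key_path." LowRiskFileTypes value includes exe: ".$data) if ($name eq "LowRiskFileTypes" && $data =~ /exe/);` — `$data =~ /exe/` is the direct form of a single-element `grep`. The identical error is in attachmgr_tln.pl in the next hunk (the line prefixed with `$lw."|ALERT|||HKCU\\"`), and both files declare an unused `my @temps;`. If the value is a delimited list of extensions, `/\.exe\b/i` would avoid matching unrelated substrings, but confirm the value format before tightening it.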
@@ -0,0 +1,83 @@ +#----------------------------------------------------------- +# attachmgr_tln.pl +# The Windows Attachment Manager manages how attachments are handled, +# and settings are on a per-user basis. Malware has been shown to access +# these settings and make modifications. +# +# Category: Malware +# +# Change history +# 20130425 - created +# +# References +# http://journeyintoir.blogspot.com/2010/10/anatomy-of-drive-by-part-2.html +# http://support.microsoft.com/kb/883260 +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package attachmgr_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130425); + +sub getConfig{return %config} +sub getShortDescr { + return "Checks user's keys that manage the Attachment Manager functionality (TLN)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + my @temps; + + ::logMsg("Launching attachmgr_tln v.".$VERSION); +# ::rptMsg("attachmgr_tln v.".$VERSION); # banner +# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my @attach = ('Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations', + 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments'); + + foreach my $key_path (@attach) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + my $lw = $key->get_timestamp(); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); +# checks added 20130425 +# settings information derived from MS KB 883260 + ::alertMsg($lw."|ALERT|||HKCU\\".$key_path." SaveZoneInformation value found: ".$data) if ($name eq "SaveZoneInformation"); + ::alertMsg($lw."|ALERT|||HKCU\\".$key_path." ScanWithAntiVirus value found: ".$data) if ($name eq "ScanWithAntiVirus"); + ::alertMsg($lw."|ALERT|||HKCU\\".$key_path." LowRiskFileTypes value includes exe: ".$data (if $name eq "LowRiskFileTypes" && grep(/exe/,$data)); + } + } + else { +# ::rptMsg($key_path." has no values."); + } + } + else { +# ::rptMsg($key_path." not found."); + } +# ::rptMsg(""); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/auditfail.pl b/RecentActivity/release/rr-full/plugins/auditfail.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/auditfail.pl rename to RecentActivity/release/rr-full/plugins/auditfail.pl index 019ec15eda..9ccfb1fd01 --- a/thirdparty/rr/plugins/auditfail.pl +++ b/RecentActivity/release/rr-full/plugins/auditfail.pl 
@@ -1,66 +1,68 @@ -#----------------------------------------------------------- -# auditfail.pl -# -# Ref: -# http://support.microsoft.com/kb/140058 -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package auditfail; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081212); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get CrashOnAuditFail value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my %val = (0 => "Feature is off; the system will not halt", - 1 => "Feature is on; the system will halt when events cannot be written to the ". - "Security Event Log", - 2 => "Feature is on and has been triggered; only Administrators can log in"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching auditfail v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - - my $lsa_path = "ControlSet00".$current."\\Control\\Lsa"; - my $lsa; - if ($lsa = $root_key->get_subkey($lsa_path)) { - - eval { - my $crash = $lsa->get_value("crashonauditfail")->get_data(); - ::rptMsg("CrashOnAuditFail = ".$crash); - ::rptMsg($val{$crash}); - }; - ::rptMsg($@) if ($@); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; +#----------------------------------------------------------- +# auditfail.pl +# +# Ref: +# http://support.microsoft.com/kb/140058 +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package auditfail; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20081212); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get CrashOnAuditFail value"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my %val = (0 => "Feature is off; the system will not halt", + 1 => "Feature is on; the system will halt when events cannot be written to the ". + "Security Event Log", + 2 => "Feature is on and has been triggered; only Administrators can log in"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching auditfail v.".$VERSION); + ::rptMsg("auditfail v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + + my $lsa_path = "ControlSet00".$current."\\Control\\Lsa"; + my $lsa; + if ($lsa = $root_key->get_subkey($lsa_path)) { + + eval { + my $crash = $lsa->get_value("crashonauditfail")->get_data(); + ::rptMsg("CrashOnAuditFail = ".$crash); + ::rptMsg($val{$crash}); + }; + ::rptMsg($@) if ($@); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} +1; diff --git a/thirdparty/rr/plugins/auditpol.pl b/RecentActivity/release/rr-full/plugins/auditpol.pl old mode 100644 new mode 100755 similarity index 58% rename from thirdparty/rr/plugins/auditpol.pl rename to RecentActivity/release/rr-full/plugins/auditpol.pl index 11ea9a1096..aeff3430a1 --- a/thirdparty/rr/plugins/auditpol.pl 
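Review bot: `my $lsa_path = "ControlSet00".$current."\\Control\\Lsa";` assumes `Select\Current` is a single digit and produces a wrong path otherwise; `my $lsa_path = sprintf("ControlSet%03d\\Control\\Lsa", $current);` matches how the key is actually named. The `$key->get_value("Current")->get_data()` call is also outside any eval, so a System hive without that value kills the plugin rather than reporting it. `::rptMsg($val{$crash});` prints nothing useful for a CrashOnAuditFail value outside 0-2; reporting the raw value is already done on the line above, so a comment noting that `%val` covers only the documented settings would suffice.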
+++ b/RecentActivity/release/rr-full/plugins/auditpol.pl 
@@ -1,88 +1,151 @@ -#----------------------------------------------------------- -# auditpol -# Get the audit policy from the Security hive file -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package auditpol; -use strict; - -my %config = (hive => "Security", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080327); - -sub getConfig{return %config} -sub getShortDescr { - return "Get audit policy from the Security hive file"; -} -sub getDescr{} -sub getRefs { - my %refs = ("How To Determine Audit Policies from the Registry" => - "http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246120"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %audit = (0 => "N", - 1 => "S", - 2 => "F", - 3 => "S/F"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching auditpol v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Policy\\PolAdtEv"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("auditpol"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - - my $data; - eval { - $data = $key->get_value("")->get_data(); - }; - if ($@) { - ::rptMsg("Error occurred getting data from ".$key_path); - ::rptMsg(" - ".$@); - } - else { -# Check to see if auditing is enabled - my $enabled = unpack("C",substr($data,0,1)); - if ($enabled) { - ::rptMsg("Auditing is enabled."); -# Get audit configuration settings - my @vals = unpack("V*",$data); - ::rptMsg("\tAudit System Events = ".$audit{$vals[1]}); - ::rptMsg("\tAudit Logon Events = ".$audit{$vals[2]}); - ::rptMsg("\tAudit Object Access = ".$audit{$vals[3]}); - ::rptMsg("\tAudit Privilege Use = ".$audit{$vals[4]}); - ::rptMsg("\tAudit Process Tracking = ".$audit{$vals[5]}); - ::rptMsg("\tAudit Policy Change = ".$audit{$vals[6]}); - ::rptMsg("\tAudit Account Management = ".$audit{$vals[7]}); - ::rptMsg("\tAudit Dir Service Access = ".$audit{$vals[8]}); - ::rptMsg("\tAudit Account Logon Events = ".$audit{$vals[9]}); - } - else { - ::rptMsg("**Auditing is NOT enabled."); - } - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} +#----------------------------------------------------------- +# auditpol +# Get the audit policy from the Security hive file +# +# +# History +# 20121128 - updated for later versions of Windows +# 20080327 - created +# +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package auditpol; +use strict; + +my %config = (hive => "Security", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20121128); + +sub getConfig{return %config} +sub getShortDescr { + return "Get audit policy from the Security hive file"; +} +sub getDescr{} +sub getRefs { + my %refs = ("How To Determine Audit Policies from the Registry" => + "http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246120"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %audit = (0 => "N", + 1 => "S", + 2 => "F", + 3 => "S/F"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching auditpol v.".$VERSION); + ::rptMsg("auditpol v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Policy\\PolAdtEv"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("auditpol"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my $data; + eval { + $data = $key->get_value("")->get_data(); + ::rptMsg("Length of data: ".length($data)." 
bytes."); + + my @d = printData($data); + foreach (0..(scalar(@d) - 1)) { + ::rptMsg($d[$_]); + } + + }; + if ($@) { + ::rptMsg("Error occurred getting data from ".$key_path); + ::rptMsg(" - ".$@); + } + else { +# Check to see if auditing is enabled + my $enabled = unpack("C",substr($data,0,1)); + if ($enabled) { + ::rptMsg("Auditing is enabled."); +# Get audit configuration settings + my @vals = unpack("V*",$data); + ::rptMsg("\tAudit System Events = ".$audit{$vals[1]}); + ::rptMsg("\tAudit Logon Events = ".$audit{$vals[2]}); + ::rptMsg("\tAudit Object Access = ".$audit{$vals[3]}); + ::rptMsg("\tAudit Privilege Use = ".$audit{$vals[4]}); + ::rptMsg("\tAudit Process Tracking = ".$audit{$vals[5]}); + ::rptMsg("\tAudit Policy Change = ".$audit{$vals[6]}); + ::rptMsg("\tAudit Account Management = ".$audit{$vals[7]}); + ::rptMsg("\tAudit Dir Service Access = ".$audit{$vals[8]}); + ::rptMsg("\tAudit Account Logon Events = ".$audit{$vals[9]}); + } + else { + ::rptMsg("**Auditing is NOT enabled."); + } + } + } + else { + ::rptMsg($key_path." not found."); + } +} + + +#----------------------------------------------------------- +# printData() +# subroutine used primarily for debugging; takes an arbitrary +# length of binary data, prints it out in hex editor-style +# format for easy debugging +#----------------------------------------------------------- +sub printData { + my $data = shift; + my $len = length($data); + my $tag = 1; + my $cnt = 0; + my @display = (); + + my $loop = $len/16; + $loop++ if ($len%16); + + foreach my $cnt (0..($loop - 1)) { +# while ($tag) { + my $left = $len - ($cnt * 16); + + my $n; + ($left < 16) ? 
($n = $left) : ($n = 16); + + my $seg = substr($data,$cnt * 16,$n); + my @str1 = split(//,unpack("H*",$seg)); + + my @s3; + my $str = ""; + + foreach my $i (0..($n - 1)) { + $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; + + if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) { + $str .= chr(hex($s3[$i])); + } + else { + $str .= "\."; + } + } + my $h = join(' ',@s3); +# ::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h); + $display[$cnt] = sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h; + } + return @display; +} + + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/autoendtasks.pl b/RecentActivity/release/rr-full/plugins/autoendtasks.pl old mode 100644 new mode 100755 similarity index 89% rename from thirdparty/rr/plugins/autoendtasks.pl rename to RecentActivity/release/rr-full/plugins/autoendtasks.pl index 29b89d20ae..1b4fa05776 --- a/thirdparty/rr/plugins/autoendtasks.pl +++ b/RecentActivity/release/rr-full/plugins/autoendtasks.pl 
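Review bot: The new `printData($data)` hex dump is written to the report unconditionally, although the subroutine's own header says it is "used primarily for debugging"; for a PolAdtEv value of any size this adds a full hex listing ahead of the decoded policy. Gate it behind a plugin-level flag such as `my $DEBUG = 0;` and `if ($DEBUG) { ... }` around the `printData` loop, or drop it from the report path. The change history says "updated for later versions of Windows", but the category decode (`$audit{$vals[1]}` through `$audit{$vals[9]}`) is byte-identical to the old side, so the dump appears to be the only functional change — a comment stating what the later-version support consists of would avoid that confusion. In `printData`, `my $tag = 1;` and the outer `my $cnt = 0;` are unused (the loop redeclares `$cnt`) and can be removed.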
@@ -1,66 +1,68 @@ -#----------------------------------------------------------- -# autoendtasks.pl -# -# History -# 20081128 - created -# -# Ref: -# http://support.microsoft.com/kb/555619 -# This Registry setting tells XP (and Vista) to automatically -# end non-responsive tasks; value may not exist on Vista. -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package autoendtasks; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081128); - -sub getConfig{return %config} - -sub getShortDescr { - return "Automatically end a non-responsive task"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching autoendtasks v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = 'Control Panel\\Desktop'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("autoendtasks"); - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $autoend; - eval { - $autoend = $key->get_value("AutoEndTasks")->get_data(); - }; - if ($@) { - ::rptMsg("AutoEndTasks value not found."); - } - else { - ::rptMsg("AutoEndTasks = ".$autoend); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# autoendtasks.pl +# +# History +# 20081128 - created +# +# Ref: +# http://support.microsoft.com/kb/555619 +# This Registry setting tells XP (and Vista) to automatically +# end non-responsive tasks; value may not exist on Vista. +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package autoendtasks; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20081128); + +sub getConfig{return %config} + +sub getShortDescr { + return "Automatically end a non-responsive task"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching autoendtasks v.".$VERSION); + ::rptMsg("autoendtasks v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = 'Control Panel\\Desktop'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("autoendtasks"); + ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my $autoend; + eval { + $autoend = $key->get_value("AutoEndTasks")->get_data(); + }; + if ($@) { + ::rptMsg("AutoEndTasks value not found."); + } + else { + ::rptMsg("AutoEndTasks = ".$autoend); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/autorun.pl b/RecentActivity/release/rr-full/plugins/autorun.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/autorun.pl rename to RecentActivity/release/rr-full/plugins/autorun.pl index 50604cf4dd..f5f91dfa43 --- a/thirdparty/rr/plugins/autorun.pl +++ b/RecentActivity/release/rr-full/plugins/autorun.pl 
@@ -1,74 +1,76 @@ -#----------------------------------------------------------- -# autorun.pl -# Get autorun settings -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/953252 -# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit -# /regentry/91525.mspx?mfr=true -# -# copyright 2008-2009 H. Carvey -#----------------------------------------------------------- -package autorun; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081212); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets autorun settings"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching autorun v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - eval { - my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data(); - my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive; - ::rptMsg($str); - }; - ::rptMsg("Error: ".$@) if ($@); - -# http://support.microsoft.com/kb/953252 - eval { - my $honor = $key->get_value("HonorAutorunSetting")->get_data(); - my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor; - ::rptMsg($str); - }; - ::rptMsg("HonorAutorunSetting not found.") if ($@); - ::rptMsg(""); - ::rptMsg("Autorun settings in the HKLM hive take precedence over those in"); - ::rptMsg("the HKCU hive."); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } - -} - +#----------------------------------------------------------- +# autorun.pl +# Get autorun settings +# +# Change history +# +# +# References +# http://support.microsoft.com/kb/953252 +# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit +# /regentry/91525.mspx?mfr=true +# +# copyright 2008-2009 H. Carvey +#----------------------------------------------------------- +package autorun; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20081212); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets autorun settings"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching autorun v.".$VERSION); + ::rptMsg("autorun v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + eval { + my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data(); + my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive; + ::rptMsg($str); + }; + ::rptMsg("Error: ".$@) if ($@); + +# http://support.microsoft.com/kb/953252 + eval { + my $honor = $key->get_value("HonorAutorunSetting")->get_data(); + my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor; + ::rptMsg($str); + }; + ::rptMsg("HonorAutorunSetting not found.") if ($@); + ::rptMsg(""); + ::rptMsg("Autorun settings in the HKLM hive take precedence over those in"); + ::rptMsg("the HKCU hive."); + } + else { + ::rptMsg($key_path." 
not found."); + ::logMsg($key_path." not found."); + } + +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/backuprestore.pl b/RecentActivity/release/rr-full/plugins/backuprestore.pl new file mode 100755 index 0000000000..6393624721 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/backuprestore.pl 
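Review bot: The two `eval` blocks in `pluginmain` report failures inconsistently: a missing `NoDriveTypeAutoRun` prints the raw interpreter error through `::rptMsg("Error: ".$@)` (typically a "Can't call method get_data on an undefined value" line), while a missing `HonorAutorunSetting` prints a clean "not found" line. Replacing the first with `::rptMsg("NoDriveTypeAutoRun not found.") if ($@);` keeps interpreter internals out of the evidence report and matches the second block. The `"%-20s 0x%x"` format also presumes REG_DWORD data; if either value were stored as a string, `sprintf` would warn and print 0 rather than the stored setting, so checking `get_type()` before formatting, or printing the raw data on mismatch, would be more robust.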
@@ -0,0 +1,176 @@ +#----------------------------------------------------------- +# backuprestore.pl +# Access System hive file to get the contents of the FilesNotToSnapshot, KeysNotToRestore, and FilesNotToBackup keys +# +# Change history +# 9/14/2012: retired the filesnottosnapshot.pl plugin since BackupRestore checks the same key +# +# References +# Troy Larson's Windows 7 presentation slide deck http://computer-forensics.sans.org/summit-archives/2010/files/12-larson-windows7-foreniscs.pdf +# QCCIS white paper Reliably recovering evidential data from Volume Shadow Copies http://www.qccis.com/downloads/whitepapers/QCC%20VSS +# http://msdn.microsoft.com/en-us/library/windows/desktop/bb891959(v=vs.85).aspx +# +# copyright 2012 Corey Harrell (Journey Into Incident Response) +#----------------------------------------------------------- +package backuprestore; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120914); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets the contents of the FilesNotToSnapshot, KeysNotToRestore, and FilesNotToBackup keys"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching backuprestore v.".$VERSION); + ::rptMsg("backuprestore v.".$VERSION); + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my ($current,$ccs); + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + + my $fns_path = 
$ccs."\\Control\\BackupRestore\\FilesNotToSnapshot"; + my $fns; + if ($fns = $root_key->get_subkey($fns_path)) { + ::rptMsg("FilesNotToSnapshot key"); + ::rptMsg($fns_path); + ::rptMsg("LastWrite Time ".gmtime($fns->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my %cv; + my @valfns = $fns->get_list_of_values();; + if (scalar(@valfns) > 0) { + foreach my $v (@valfns) { + my $name = $v->get_name(); + my $data = $v->get_data(); + my $len = length($data); + next if ($name eq ""); + push(@{$cv{$len}},$name." : ".$data); + } + foreach my $t (sort {$a <=> $b} keys %cv) { + foreach my $item (@{$cv{$t}}) { + ::rptMsg(" $item"); + } + } + ::rptMsg(""); + ::rptMsg("The listed directories/files are not backed up in Volume Shadow Copies"); + ::rptMsg(""); + ::rptMsg(""); + } + else { + ::rptMsg($fns_path." has no values."); + ::logMsg($fns_path." has no values."); + ::rptMsg(""); + } + } + else { + ::rptMsg($fns_path." not found."); + ::logMsg($fns_path." not found."); + ::rptMsg(""); + } + + my $fnb_path = $ccs."\\Control\\BackupRestore\\FilesNotToBackup"; + my $fnb; + if ($fnb = $root_key->get_subkey($fnb_path)) { + ::rptMsg("FilesNotToBackup key"); + ::rptMsg($fnb_path); + ::rptMsg("LastWrite Time ".gmtime($fnb->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my %cq; + my @valfnb = $fnb->get_list_of_values();; + if (scalar(@valfnb) > 0) { + foreach my $v (@valfnb) { + my $name = $v->get_name(); + my $data = $v->get_data(); + my $len = length($data); + next if ($name eq ""); + push(@{$cq{$len}},$name." : ".$data); + } + foreach my $t (sort {$a <=> $b} keys %cq) { + foreach my $item (@{$cq{$t}}) { + ::rptMsg(" $item"); + } + } + ::rptMsg(""); + ::rptMsg("Specifies the directories and files that backup applications should not backup or restore"); + ::rptMsg(""); + ::rptMsg(""); + } + else { + ::rptMsg($fnb_path." has no values."); + ::logMsg($fnb_path." has no values."); + ::rptMsg(""); + } + } + else { + ::rptMsg($fnb_path." not found."); + ::logMsg($fnb_path." 
not found."); + ::rptMsg(""); + } + + my $knr_path = $ccs."\\Control\\BackupRestore\\KeysNotToRestore"; + my $knr; + if ($knr = $root_key->get_subkey($knr_path)) { + ::rptMsg("KeysNotToRestore key"); + ::rptMsg($knr_path); + ::rptMsg("LastWrite Time ".gmtime($knr->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my %cw; + my @valknr = $knr->get_list_of_values();; + if (scalar(@valknr) > 0) { + foreach my $v (@valknr) { + my $name = $v->get_name(); + my $data = $v->get_data(); + my $len = length($data); + next if ($name eq ""); + push(@{$cw{$len}},$name." : ".$data); + } + foreach my $t (sort {$a <=> $b} keys %cw) { + foreach my $item (@{$cw{$t}}) { + ::rptMsg(" $item"); + } + } + ::rptMsg(""); + ::rptMsg("Specifies the names of the registry subkeys and values that backup applications should not restore"); + ::rptMsg(""); + } + else { + ::rptMsg($knr_path." has no values."); + ::logMsg($knr_path." has no values."); + } + } + else { + ::rptMsg($knr_path." not found."); + ::logMsg($knr_path." not found."); + } + + } + +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/banner.pl b/RecentActivity/release/rr-full/plugins/banner.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/banner.pl rename to RecentActivity/release/rr-full/plugins/banner.pl index 44ae62a274..376dab140b --- a/thirdparty/rr/plugins/banner.pl +++ b/RecentActivity/release/rr-full/plugins/banner.pl 
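Review bot: `$current = $key->get_value("Current")->get_data();` is the one registry read in this file that is not wrapped in `eval`, so a hive whose `Select` key lacks `Current` dies and aborts the whole plugin run instead of reporting, and the enclosing `if ($key = $root_key->get_subkey($key_path))` has no `else`, so a hive without a `Select` key produces no output at all. `$ccs = "ControlSet00".$current` also assumes a single-digit control set number; `sprintf("ControlSet%03d", $current)` is the form that holds for any value. The FilesNotToSnapshot, FilesNotToBackup and KeysNotToRestore blocks are copies of one another (down to the `get_list_of_values();;` double semicolon), so a helper taking the path, a label and the trailing explanation removes the duplication and gives the error handling one place to live.
```perl
sub pluginmain {
	# … unchanged: argument handling, banner, hive open …
	my ($current,$ccs);
	my $key;
	if ($key = $root_key->get_subkey('Select')) {
		eval { $current = $key->get_value("Current")->get_data(); };
		if ($@) {
			::rptMsg("Select\\Current value not found.");
			::logMsg("Select\\Current value not found.");
			return;
		}
		$ccs = sprintf("ControlSet%03d", $current);
		reportValues($root_key, $ccs."\\Control\\BackupRestore\\FilesNotToSnapshot", "FilesNotToSnapshot",
		             "The listed directories/files are not backed up in Volume Shadow Copies");
		reportValues($root_key, $ccs."\\Control\\BackupRestore\\FilesNotToBackup", "FilesNotToBackup",
		             "Specifies the directories and files that backup applications should not backup or restore");
		reportValues($root_key, $ccs."\\Control\\BackupRestore\\KeysNotToRestore", "KeysNotToRestore",
		             "Specifies the names of the registry subkeys and values that backup applications should not restore");
	}
	else {
		::rptMsg("Select key not found.");
		::logMsg("Select key not found.");
	}
}

# Report every named value under $path, grouped by data length, then print $note.
sub reportValues {
	my ($root_key, $path, $label, $note) = @_;
	my $k = $root_key->get_subkey($path);
	if (! $k) {
		::rptMsg($path." not found.");
		::logMsg($path." not found.");
		::rptMsg("");
		return;
	}
	::rptMsg($label." key");
	::rptMsg($path);
	::rptMsg("LastWrite Time ".gmtime($k->get_timestamp())." (UTC)");
	::rptMsg("");
	my %by_len;
	my @vals = $k->get_list_of_values();
	if (scalar(@vals) > 0) {
		foreach my $v (@vals) {
			my $name = $v->get_name();
			next if ($name eq "");
			my $data = $v->get_data();
			push(@{$by_len{length($data)}}, $name." : ".$data);
		}
		foreach my $t (sort {$a <=> $b} keys %by_len) {
			::rptMsg("  $_") foreach (@{$by_len{$t}});
		}
		::rptMsg("");
		::rptMsg($note);
		::rptMsg("");
	}
	else {
		::rptMsg($path." has no values.");
		::logMsg($path." has no values.");
		::rptMsg("");
	}
}
```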
@@ -1,127 +1,129 @@ -#----------------------------------------------------------- -# banner -# Get banner information from the SOFTWARE hive file (if any) -# -# Written By: -# Special Agent Brook William Minnick -# Brook_Minnick@doioig.gov -# U.S. Department of the Interior - Office of Inspector General -# Computer Crimes Unit -# 12030 Sunrise Valley Drive Suite 250 -# Reston, VA 20191 -#----------------------------------------------------------- -package banner; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081119); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get HKLM\\SOFTWARE.. Logon Banner Values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching banner v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\policies\\system"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Logon Banner Information"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - -# GET LEGALNOTICECAPTION -- - - my $caption; - eval { - $caption = $key->get_value("Legalnoticecaption")->get_data(); - }; - if ($@) { - ::rptMsg("Legalnoticecaption value not found."); - } - else { - ::rptMsg("Legalnoticecaption value = ".$caption); - } - ::rptMsg(""); - -# GET LEGALNOTICETEXT -- - - my $banner; - eval { - $banner = $key->get_value("Legalnoticetext")->get_data(); - }; - if ($@) { - ::rptMsg("Legalnoticetext value not found."); - } - else { - ::rptMsg("Legalnoticetext value = ".$banner); - } - ::rptMsg(""); - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } - -my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - -# GET LEGALNOTICECAPTION -- - - my $caption2; - eval { - $caption2 = $key->get_value("Legalnoticecaption")->get_data(); - }; - if ($@) { - ::rptMsg("Legalnoticecaption value not found."); - } - else { - ::rptMsg("Legalnoticecaption value = ".$caption2); - } - ::rptMsg(""); - -# GET LEGALNOTICETEXT -- - - my $banner2; - eval { - $banner2 = $key->get_value("Legalnoticetext")->get_data(); - }; - if ($@) { - ::rptMsg("Legalnoticetext value not found."); - } - else { - ::rptMsg("Legalnoticetext value = ".$banner2); - } - ::rptMsg(""); - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} - +#----------------------------------------------------------- +# banner +# Get banner information from the SOFTWARE hive file (if any) +# +# Written By: +# Special Agent Brook William Minnick +# Brook_Minnick@doioig.gov +# U.S. Department of the Interior - Office of Inspector General +# Computer Crimes Unit +# 12030 Sunrise Valley Drive Suite 250 +# Reston, VA 20191 +#----------------------------------------------------------- +package banner; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20081119); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get HKLM\\SOFTWARE.. 
Logon Banner Values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching banner v.".$VERSION); + ::rptMsg("banner v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows\\CurrentVersion\\policies\\system"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Logon Banner Information"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + +# GET LEGALNOTICECAPTION -- + + my $caption; + eval { + $caption = $key->get_value("Legalnoticecaption")->get_data(); + }; + if ($@) { + ::rptMsg("Legalnoticecaption value not found."); + } + else { + ::rptMsg("Legalnoticecaption value = ".$caption); + } + ::rptMsg(""); + +# GET LEGALNOTICETEXT -- + + my $banner; + eval { + $banner = $key->get_value("Legalnoticetext")->get_data(); + }; + if ($@) { + ::rptMsg("Legalnoticetext value not found."); + } + else { + ::rptMsg("Legalnoticetext value = ".$banner); + } + ::rptMsg(""); + + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + +my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + +# GET LEGALNOTICECAPTION -- + + my $caption2; + eval { + $caption2 = $key->get_value("Legalnoticecaption")->get_data(); + }; + if ($@) { + ::rptMsg("Legalnoticecaption value not found."); + } + else { + ::rptMsg("Legalnoticecaption value = ".$caption2); + } + ::rptMsg(""); + +# GET LEGALNOTICETEXT -- + + my $banner2; + eval { + $banner2 = $key->get_value("Legalnoticetext")->get_data(); + }; + if ($@) { + ::rptMsg("Legalnoticetext value not found."); + } + else { + ::rptMsg("Legalnoticetext value = ".$banner2); + } + ::rptMsg(""); + + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/baseline.pl b/RecentActivity/release/rr-full/plugins/baseline.pl new file mode 100755 index 0000000000..abd096a966 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/baseline.pl 
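Review bot: `pluginmain` declares `my $key_path` and `my $key` twice in the same scope (the second pair starts at the un-indented `my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";`), which under `use warnings` yields a `"my" variable $key_path masks earlier declaration` warning and makes it easy to read the wrong variable; wrapping each lookup in its own `{ ... }` block, or using distinct names such as `$winlogon_path`/`$winlogon`, removes the masking. The caption/text extraction is duplicated verbatim for both keys, so a helper that takes the key object and prints `Legalnoticecaption` and `Legalnoticetext` would halve the sub and keep the two reports identical in format. The `Winlogon` block also omits the `LastWrite` wording change the first block has (`"Logon Banner Information"` heading), so a reader cannot tell which key a value came from without the path line; a short heading per block would help.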
@@ -0,0 +1,81 @@ +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# baseline.pl +# +# History +# 20130211 - Created +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package baseline; +use strict; + +my %config = (hive => "All", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130211); + +sub getConfig{return %config} +sub getShortDescr { + return "Scans a hive file, checking sizes of binary value data"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %vals; +my $count = 0; +my %data_len = (); + +sub pluginmain { + my $class = shift; + my $file = shift; + my $reg = Parse::Win32Registry->new($file); + my $root_key = $reg->get_root_key; + ::logMsg("Launching baseline v.".$VERSION); + ::rptMsg("baseline v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + traverse($root_key); +# Data structure containing findings is a hash of hashes + ::rptMsg("Total values checked : ".$count); +# ::rptMsg(""); + ::rptMsg("Number of binary value lengths : ".scalar(keys %data_len)); + my @len = sort {$a <=> $b} keys %data_len; +# ::rptMsg("Value 0: ".$len[0]); + ::rptMsg("..."); + my $n = scalar @len - 1; + for my $i (($n - 15)..$n) { + ::rptMsg("Value ".$i.": ".$len[$i]." 
bytes [# times: ".$data_len{$len[$i]}."]"); + } +} + +sub traverse { + my $key = shift; +# my $ts = $key->get_timestamp(); + + foreach my $val ($key->get_list_of_values()) { + my $type = $val->get_type(); + if ($type == 0 || $type == 3) { + $count++; + my $data = $val->get_data(); + if (exists $data_len{length($data)}) { + $data_len{length($data)}++; + } + else { + $data_len{length($data)} = 1; + } + } + } + + foreach my $subkey ($key->get_list_of_subkeys()) { + traverse($subkey); + } +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/bho.pl b/RecentActivity/release/rr-full/plugins/bho.pl new file mode 100755 index 0000000000..558e0e8774 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/bho.pl 
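Review bot: The summary loop `for my $i (($n - 15)..$n)` indexes `@len` with negative values whenever fewer than 16 distinct lengths were seen, and with `@len` empty `$n` is -1, so the loop walks -16..-1 and prints entries from the end of the array or `undef`; clamp the start, e.g. `my $start = $n - 15; $start = 0 if ($start < 0);`, and skip the loop when `@len` is empty. The tallies `$count` and `%data_len` are file-scoped and never reset, so running the plugin against a second hive in the same process accumulates both runs' figures; resetting them at the top of `pluginmain` (`$count = 0; %data_len = ();`) keeps each report per-hive. `%vals` is declared and never used. The `$type == 0 || $type == 3` test would read better with a comment naming the types, `# REG_NONE and REG_BINARY only`, since the header only says "binary value data".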
@@ -0,0 +1,117 @@ +#----------------------------------------------------------- +# bho +# +# +# Change history: +# 20130408 - updated to include Wow6432Node; formating updates +# 20080418 - created +# +# +# copyright 2013 QAR, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package bho; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20130408); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets Browser Helper Objects from Software hive"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Browser Helper Objects" => + "http://msdn2.microsoft.com/en-us/library/bb250436.aspx"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching bho v.".$VERSION); + ::rptMsg("bho v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my @paths = ("Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", + "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects"); + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar (@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + next if ($name =~ m/^-/); + my $clsid_path = "Classes\\CLSID\\".$name; + my $clsid; + my %bhos; + if ($clsid = $root_key->get_subkey($clsid_path)) { + my $class; + my $mod; + my $lastwrite; + + eval { + $class = $clsid->get_value("")->get_data(); + $bhos{$name}{class} = $class; + }; + if ($@) { + ::logMsg("Error getting Class name for CLSID\\".$name); + ::logMsg("\t".$@); + } + eval { + $mod = $clsid->get_subkey("InProcServer32")->get_value("")->get_data(); + $bhos{$name}{module} = $mod; + }; + if ($@) { + ::logMsg("\tError getting Module name for CLSID\\".$name); + ::logMsg("\t".$@); + } + eval{ + $lastwrite = $clsid->get_subkey("InProcServer32")->get_timestamp(); + $bhos{$name}{lastwrite} = $lastwrite; + }; + if ($@) { + ::logMsg("\tError getting LastWrite time for CLSID\\".$name); + ::logMsg("\t".$@); + } + + foreach my $b (keys %bhos) { + ::rptMsg($b); + ::rptMsg(" Class => ".$bhos{$b}{class}); + ::rptMsg(" Module => ".$bhos{$b}{module}); + ::rptMsg(" LastWrite => ".gmtime($bhos{$b}{lastwrite})); + ::rptMsg(""); + } + } + else { + ::rptMsg($clsid_path." not found."); + ::rptMsg(""); + } + } + } + else { + ::rptMsg($key_path." has no subkeys. No BHOs installed."); + } + } + else { + ::rptMsg($key_path." not found."); + } + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/bitbucket.pl b/RecentActivity/release/rr-full/plugins/bitbucket.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/bitbucket.pl rename to RecentActivity/release/rr-full/plugins/bitbucket.pl index 16e61480e9..e82926c3c7 --- a/thirdparty/rr/plugins/bitbucket.pl +++ b/RecentActivity/release/rr-full/plugins/bitbucket.pl 
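Review bot: For BHOs enumerated under the new `Wow6432Node\...\Browser Helper Objects` path the CLSID lookup still uses `"Classes\\CLSID\\".$name`; 32-bit COM registrations on 64-bit Windows usually live under `Classes\Wow6432Node\CLSID`, so those entries will likely be reported as "not found" and the module path — the field an analyst most needs for this persistence location — is lost. Deriving the lookup from the path being walked, `my $clsid_path = ($key_path =~ m/^Wow6432Node/) ? "Classes\\Wow6432Node\\CLSID\\".$name : "Classes\\CLSID\\".$name;`, or falling back to the second location when the first is missing, covers both cases. When any of the three `eval`s fails the corresponding `$bhos{$b}{...}` entry is undef, so the `rptMsg` concatenation prints an empty field and `gmtime(undef)` prints the epoch; printing a placeholder such as `<not found>` would make the gap visible in the report rather than look like a blank value. The `%bhos` hash is declared per subkey and iterated immediately, so the inner `foreach my $b (keys %bhos)` always runs once and could be replaced by direct prints of `$class`, `$mod` and `$lastwrite`.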
@@ -1,81 +1,83 @@ -#----------------------------------------------------------- -# bitbucket -# Get HKLM\..\BitBucket keys\values (if any) -# -# Change history -# 20091020 - Updated; collected additional values -# -# References -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bitbucket; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080418); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get HKLM\\..\\BitBucket keys\\values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching bitbucket v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - eval { - my $global = $key->get_value("UseGlobalSettings")->get_data(); - ::rptMsg("UseGlobalSettings = ".$global); - }; - - eval { - my $nuke = $key->get_value("NukeOnDelete")->get_data(); - ::rptMsg("NukeOnDelete = ".$nuke); - }; - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); - eval { - my $vol = $s->get_value("VolumeSerialNumber")->get_data(); - ::rptMsg("VolumeSerialNumber = 0x".uc(sprintf "%1x",$vol)); - }; - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# bitbucket +# Get HKLM\..\BitBucket keys\values (if any) +# +# Change history +# 20091020 - Updated; collected additional values +# +# References +# +# copyright 2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package bitbucket; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080418); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get HKLM\\..\\BitBucket keys\\values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching bitbucket v.".$VERSION); + ::rptMsg("bitbucket v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + eval { + my $global = $key->get_value("UseGlobalSettings")->get_data(); + ::rptMsg("UseGlobalSettings = ".$global); + }; + + eval { + my $nuke = $key->get_value("NukeOnDelete")->get_data(); + ::rptMsg("NukeOnDelete = ".$nuke); + }; + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($key_path."\\".$s->get_name()); + ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); + eval { + my $vol = $s->get_value("VolumeSerialNumber")->get_data(); + ::rptMsg("VolumeSerialNumber = 0x".uc(sprintf "%1x",$vol)); + }; + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." 
has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/bitbucket_user.pl b/RecentActivity/release/rr-full/plugins/bitbucket_user.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/bitbucket_user.pl rename to RecentActivity/release/rr-full/plugins/bitbucket_user.pl index e3374fd193..b4a381148f --- a/thirdparty/rr/plugins/bitbucket_user.pl +++ b/RecentActivity/release/rr-full/plugins/bitbucket_user.pl 
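Review bot: The `Change history` header records an update on 20091020 and the copyright is 2009, but `version => 20080418` was never raised, so the version the new banner line now prints into every report misstates the code's age; `version => 20091020` matches the header. `uc(sprintf "%1x",$vol)` prints the volume serial number without zero padding (`%1x` is effectively `%x`), which reads oddly next to the usual eight-hex-digit form; for a REG_DWORD value `sprintf "%08X",$vol` gives the conventional rendering. The two `eval` blocks for `UseGlobalSettings` and `NukeOnDelete` have no `$@` check, so a missing value leaves no trace in the report; a `... not found.` line after each, as the sibling plugins do, keeps the output explicit.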
@@ -1,71 +1,73 @@ -#----------------------------------------------------------- -# bitbucket_user -# Get HKLM\..\BitBucket keys\values (if any) -# -# Change history -# -# References -# -# NOTE: In limited testing, the volume letter subkeys beneath the -# BitBucket key appear to be volatile. -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bitbucket_user; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091020); - -sub getConfig{return %config} - -sub getShortDescr { - return "TEST - Get user BitBucket values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching bitbucket_user v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); - eval { - my $purge = $s->get_value("NeedToPurge")->get_data(); - ::rptMsg(" NeedToPurge = ".$purge); - }; - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# bitbucket_user +# Get HKLM\..\BitBucket keys\values (if any) +# +# Change history +# +# References +# +# NOTE: In limited testing, the volume letter subkeys beneath the +# BitBucket key appear to be volatile. +# +# copyright 2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package bitbucket_user; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20091020); + +sub getConfig{return %config} + +sub getShortDescr { + return "TEST - Get user BitBucket values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching bitbucket_user v.".$VERSION); + ::rptMsg("bitbucket_user v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($key_path."\\".$s->get_name()); + ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); + eval { + my $purge = $s->get_value("NeedToPurge")->get_data(); + ::rptMsg(" NeedToPurge = ".$purge); + }; + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file 
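Review bot: The file header `# Get HKLM\..\BitBucket keys\values (if any)` was copied from bitbucket.pl, but this plugin is declared for `NTUSER\.DAT` and reads `Software\Microsoft\...\BitBucket`, i.e. the per-user branch; the comment should read `# Get HKCU\..\BitBucket keys\values (if any)`. The short description still carries a `TEST - ` prefix that the new banner line now prints into every report; if the plugin is considered production it should be dropped. The `not found` branch only calls `::rptMsg` whereas bitbucket.pl also writes `::logMsg`, so the two siblings could be aligned.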
diff --git a/thirdparty/rr/plugins/brisv.pl b/RecentActivity/release/rr-full/plugins/brisv.pl
old mode 100644
new mode 100755
similarity index 78%
rename from thirdparty/rr/plugins/brisv.pl
rename to RecentActivity/release/rr-full/plugins/brisv.pl
index c79aa3e651..97c5f36494
--- a/thirdparty/rr/plugins/brisv.pl
+++ b/RecentActivity/release/rr-full/plugins/brisv.pl
@@ -1,63 +1,69 @@
-#-----------------------------------------------------------
-# brisv.pl
-# Plugin to detect the presence of Trojan.Brisv.A
-# Symantec write-up: http://www.symantec.com/security_response/writeup.jsp
-# ?docid=2008-071823-1655-99
-#
-# Change History:
-# 20090210: Created
-#
-# Info on URLAndExitCommandsEnabled value:
-# http://support.microsoft.com/kb/828026
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package brisv;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090210);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Detect artifacts of a Troj\.Brisv\.A infection";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching brisv v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\Microsoft\\PIMSRV";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my $mp_path = "Software\\Microsoft\\MediaPlayer\\Preferences";
- my $url;
- eval {
- $url = $key->get_subkey($mp_path)->get_value("URLAndExitCommandsEnabled")->get_data();
- ::rptMsg($mp_path."\\URLAndExitCommandsEnabled value set to ".$url);
- };
-# if an error occurs within the eval{} statement, do nothing
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
+#-----------------------------------------------------------
+# brisv.pl
+# Plugin to detect the presence of Trojan.Brisv.A
+# Symantec write-up: http://www.symantec.com/security_response/writeup.jsp
+# ?docid=2008-071823-1655-99
+#
+# Change History:
+# 20130429: added alertMsg() functionality
+# 20090210: Created
+#
+# Info on URLAndExitCommandsEnabled value:
+# http://support.microsoft.com/kb/828026
+# http://www.hispasec.com/laboratorio/GetCodecAnalysis.pdf
+#
+# copyright 2013 QAR, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package brisv;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20130429);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Detect artifacts of a Troj\.Brisv\.A infection";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching brisv v.".$VERSION);
+ ::rptMsg("brisv v.".$VERSION); # banner
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\PIMSRV";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $mp_path = "Software\\Microsoft\\MediaPlayer\\Preferences";
+ my $url;
+ eval {
+ $url = $key->get_subkey($mp_path)->get_value("URLAndExitCommandsEnabled")->get_data();
+ ::rptMsg($mp_path."\\URLAndExitCommandsEnabled value set to ".$url);
+ ::alertMsg($mp_path."\\URLAndExitCommandsEnabled value set: ".$url);
+ };
+# if an error occurs within the eval{} statement, do nothing
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
 1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/btconfig.pl b/RecentActivity/release/rr-full/plugins/btconfig.pl
new file mode 100755
index 0000000000..91d63d13d4
--- /dev/null
+++ b/RecentActivity/release/rr-full/plugins/btconfig.pl
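Review bot: The value read that now raises the alert is looked up relative to the PIMSRV key: `$key->get_subkey($mp_path)` with `$mp_path = "Software\\Microsoft\\MediaPlayer\\Preferences"` resolves to `Software\Microsoft\PIMSRV\Software\Microsoft\MediaPlayer\Preferences`, a path that will not exist, so the `eval` fails silently every time and the new `::alertMsg` line is never reached; `$url = $root_key->get_subkey($mp_path)->get_value("URLAndExitCommandsEnabled")->get_data();` reads the real location. The alert also fires on any stored value, including 0; if the referenced KB article treats the non-zero setting as the risky one, gating it with `::alertMsg(...) if ($url);` avoids alerting on the default. Since the presence of the `PIMSRV` key itself appears to be the artifact the plugin was written to detect, an `::alertMsg($key_path." key found");` inside the `if` branch would surface that finding even when the MediaPlayer value is absent.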
@@ -0,0 +1,80 @@ +#----------------------------------------------------------- +# btconfig.pl +# +# +# History: +# 20130117 - created +# +# copyright 2013 Quantum Research Analytics, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package btconfig; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130117); + +sub getConfig{return %config} +sub getShortDescr { + return "Determines BlueTooth devices 'seen' by BroadComm drivers"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching btconfig v.".$VERSION); + ::rptMsg("Launching btconfig v.".$VERSION); + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = 'WidComm\\BTConfig\\Devices'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @sk = $key->get_list_of_subkeys(); + foreach my $s (@sk) { + my $name = $s->get_name(); + my $lw = $s->get_timestamp(); + + ::rptMsg("Unique ID: ".$name); + ::rptMsg(" LastWrite: ".gmtime($lw)." Z"); + + my $devname; + eval { +# May need to work on parsing the binary "Name" value data into an actual name... + my @str1 = split(//,unpack("H*",$s->get_value("Name")->get_data())); + my @s3; + my $str; + foreach my $i (0..((scalar(@str1)/2) - 1)) { + $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; + if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) { + $str .= chr(hex($s3[$i])); + } + else { + $str .= ""; + } + } + ::rptMsg(" Device Name: ".$str); + }; + + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/bthport.pl b/RecentActivity/release/rr-full/plugins/bthport.pl new file mode 100755 index 0000000000..345cbb929a --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/bthport.pl 
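Review bot: The `Name` decode loop in `pluginmain` silently drops every non-printable byte (`$str .= "";`), whereas the identical loop in bthport.pl in this same commit substitutes a space, so the same device name renders differently depending on which driver plugin produced it; settle on one behaviour and state it in the comment above the loop. The hex-split-and-reassemble routine is also longer than the filter it implements — if `get_data()` returns the raw bytes, `(my $str = $s->get_value("Name")->get_data()) =~ s/[^\x20-\x7e]//g;` keeps the same printable-ASCII rule in one line. Because `$@` is never inspected after the `eval`, a subkey with no `Name` value produces neither a `Device Name:` line nor an explanation; `::rptMsg(" Device Name: (none)") if ($@);` would make that gap visible in the report. The `::rptMsg("Launching btconfig v.".$VERSION)` banner also differs from the `btconfig v.` form the other plugins in this commit print.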
@@ -0,0 +1,101 @@ +#----------------------------------------------------------- +# bthport.pl +# Get BlueTooth device information from the Registry; assumes +# MS drivers (other drivers, such as BroadComm, will be found in +# other locations) +# +# Change history +# 20130115 - created +# +# Category: +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package bthport; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130115); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets Bluetooth-connected devices from System hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching bthport v.".$VERSION); + ::rptMsg("bthport v.".$VERSION); # banner +::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my ($current,$ccs); + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + my $cn_path = $ccs."\\services\\BTHPORT\\Parameters\\Devices"; + my $cn; + if ($cn = $root_key->get_subkey($cn_path)) { + ::rptMsg($cn_path); + ::rptMsg("LastWrite: ".gmtime($cn->get_timestamp())." 
UTC"); + + my @sk = $cn->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + ::rptMsg(""); + foreach my $s (@sk) { + my $name = $s->get_name(); + my $lw = $s->get_timestamp(); + ::rptMsg("Device Unique ID: ".$name); +# Note: Need to get VID and PID values for translation and mapping + my $devname; + eval { +# May need to work on parsing the binary "Name" value data into an actual name... + my @str1 = split(//,unpack("H*",$s->get_value("Name")->get_data())); + my @s3; + my $str; + foreach my $i (0..((scalar(@str1)/2) - 1)) { + $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; + if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) { + $str .= chr(hex($s3[$i])); + } + else { + $str .= " "; + } + } + ::rptMsg("Device Name: ".$str); + }; + + } + } + else { + ::rptMsg($cn_path." has no subkeys."); + } + } + else { + ::rptMsg($cn_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } + +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/cain.pl b/RecentActivity/release/rr-full/plugins/cain.pl new file mode 100755 index 0000000000..36bb7a4f07 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/cain.pl 
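Review bot: `$key->get_value("Current")->get_data()` on the `Select` key runs outside any `eval`, so a hive whose `Select` key lacks a `Current` value (or carries a corrupt one) dies out of the plugin instead of being reported like every other missing key here; guard it, e.g. `my $cur = $key->get_value("Current"); if (defined $cur) { $current = $cur->get_data(); ... } else { ::rptMsg($key_path."\\Current not found."); }`. The banner `::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");` sits at column 0 inside `pluginmain`, `$devname` is declared and never used, and the `# Category:` header line is left blank. The `Name` decode loop is a copy of the one in btconfig.pl with a different non-printable substitution; a shared helper would keep the two from drifting further.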
@@ -0,0 +1,93 @@ +#----------------------------------------------------------- +# cain.pl +# Extracts details for Cain & Abel by oxid.it +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# Copyright (c) 2011-02-04 Brendan Coles +#----------------------------------------------------------- +# Require # +package cain; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110204); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extracts details for Cain & Abel by oxid.it"; +} +sub getRefs { + my %refs = ("Cain & Abel Homepage:" => + "http://www.oxid.it/cain.html"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + + # Initialize # + ::logMsg("Launching cain v.".$VERSION); + ::rptMsg("cain v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\Cain\\Settings"; + + # If # Cain path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("Cain"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + # Extract # all keys from Cain registry path # + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for Cain registry path # + foreach my $v (@vals) { + ::rptMsg($v->get_name()." -> ".$v->get_data()); + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # Cain isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/RecentActivity/release/rr-full/plugins/ccleaner.pl b/RecentActivity/release/rr-full/plugins/ccleaner.pl new file mode 100755 index 0000000000..9fece28971 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/ccleaner.pl 
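Review bot: Every value under `Software\Cain\Settings` is printed with `$v->get_data()` regardless of type, so a REG_BINARY or REG_MULTI_SZ value puts raw bytes, control characters included, straight into the report; checking `$v->get_type()` and hex-encoding non-string data with `unpack("H*", ...)`, as btconfig.pl in this commit does for its `Name` value, keeps the report readable. brisv.pl in the same commit calls `::alertMsg()` on a positive finding, and the presence of this key is the kind of result an analyst wants surfaced the same way: `::alertMsg("ALERT: cain: ".$key_path." found");` next to the existing `::rptMsg("Cain")`. The `# Error # oh snap! #` comment above the final `1;` is a leftover and can go.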
@@ -0,0 +1,79 @@ +#----------------------------------------------------------- +# ccleaner.pl +# Gets CCleaner User Settings +# +# Change history +# 20120128 [ale] % Initial Version based on warcraft3.pl plugin +# +# References +# +# Author: Adrian Leong +#----------------------------------------------------------- +package ccleaner; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120128); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets User's CCleaner Settings"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; # pops the first element off @_ ie the parameter array passed in to pluginmain + my $hive = shift; # 1st element in @_ is class/package name (ccleaner), 2nd is the hive name passed in from rip.pl + ::logMsg("Launching ccleaner v.".$VERSION); + ::rptMsg("ccleaner v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); # creates a Win32Registry object + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\Piriform\\CCleaner"; + # If CCleaner key_path exists ... ie get_subkey returns a non-empty value + if ($key = $root_key->get_subkey($key_path)) { + # Print registry key name and last modified date + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + my %cckeys; # temporary associative array for storing name / value pairs eg ("UpdateCheck", 1) + # Extract ccleaner key values into ccvals array + # Note: ccvals becomes an array of "Parse::Win32Registry::WinNT::Value" + # As this is implemented in an Object oriented manner, we cannot access the values directly - + # we have to use the "get_name" and "get_value" subroutines + my @ccvals = $key->get_list_of_values(); + # If ccvals has any "Values" in it, call "Value::get_name" and "Value::get_data" for each + # and store the results in the %cckeys associative array using data returned by Value::get_name as the id/index + # and Value::get_data for the actual key value + if (scalar(@ccvals) > 0) { + foreach my $val (@ccvals) { + $cckeys{$val->get_name()} = $val->get_data(); + } + # Sorts keynames into a temp list and then prints each key name + value in list order + # the values are retrieved from cckeys assoc. array which was populated in the previous foreach loop + foreach my $keyval (sort keys %cckeys) { + ::rptMsg($keyval." -> ".$cckeys{$keyval}); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." does not exist."); + } + # Return obligatory new-line + ::rptMsg(""); +} + +1; diff --git a/thirdparty/rr/plugins/clampi.pl b/RecentActivity/release/rr-full/plugins/clampi.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/clampi.pl rename to RecentActivity/release/rr-full/plugins/clampi.pl index abf0ae537a..825d69e3e2 --- a/thirdparty/rr/plugins/clampi.pl +++ b/RecentActivity/release/rr-full/plugins/clampi.pl 
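Review bot: As in cain.pl, `$cckeys{$val->get_name()} = $val->get_data()` stores and prints whatever type the value has, so a binary value ends up as raw bytes in the report; `get_type()` plus `unpack("H*", ...)` for non-string types would keep the output readable. The intermediate `%cckeys` hash exists only to sort by name and can be replaced by `foreach my $val (sort { $a->get_name() cmp $b->get_name() } @ccvals) { ::rptMsg($val->get_name()." -> ".$val->get_data()); }`. The `does not exist.` wording in the final `else` differs from the `not found.` message every other plugin in this commit emits, which matters to anyone grepping reports for missing keys. The line-by-line comments explaining `shift` and object access describe what Perl does rather than why this plugin does it and could be trimmed to a single note.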
@@ -1,120 +1,122 @@ -#----------------------------------------------------------- -# clampi.pl -# Checks keys/values set by new version of Trojan.Clampi -# -# Change history -# 20091019 - created -# -# NOTE: This is purely a test plugin, and based solely on the below -# reference. It has not been tested on any systems that were -# known to be infected. -# -# References -# http://www.symantec.com/connect/blogs/inside-trojanclampi-stealing-your-information -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package clampi; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091019); - -sub getConfig{return %config} -sub getShortDescr { - return "TEST - Checks for keys set by Trojan\.Clampi PROT module"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching clampi v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $count = 0; - - my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my ($form1, $form2, $form3); - - eval { - $form1 = $key->get_value("Use FormSuggest")->get_data(); - ::rptMsg("\tUse FormSuggest = ".$form1); - $count++ if ($form1 eq "true"); - }; - - eval { - $form2 = $key->get_value("FormSuggest_Passwords")->get_data(); - ::rptMsg("\tFormSuggest_Passwords = ".$form2); - $count++ if ($form2 eq "true"); - }; - - eval { - $form3 = $key->get_value("FormSuggest_PW_Ask")->get_data(); - ::rptMsg("\tUse FormSuggest = ".$form3); - $count++ if ($form3 eq "no"); - }; - } - else { - ::rptMsg($key_path." 
not found."); - } - ::rptMsg(""); - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $auto; - eval { - $auto = $key->get_value("AutoSuggest")->get_data(); - ::rptMsg("\tAutoSuggest = ".$auto); - $count++ if ($auto eq "true"); - }; - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - my $key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $prompt; - eval { - $prompt = $key->get_value("POP3 Prompt for Password")->get_data(); - ::rptMsg("\tPOP3 Prompt for Password = ".$prompt); - $count++ if ($prompt eq "true"); - }; - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - if ($count == 5) { - ::rptMsg("The system may have been infected with the Trojan.Clampi PROT module."); - } - else { - ::rptMsg("The system does not appear to have been infected with the Trojan.Clampi"); - ::rptMsg("PROT module."); - } -} +#----------------------------------------------------------- +# clampi.pl +# Checks keys/values set by new version of Trojan.Clampi +# +# Change history +# 20091019 - created +# +# NOTE: This is purely a test plugin, and based solely on the below +# reference. It has not been tested on any systems that were +# known to be infected. +# +# References +# http://www.symantec.com/connect/blogs/inside-trojanclampi-stealing-your-information +# +# copyright 2009 H. 
Carvey +#----------------------------------------------------------- +package clampi; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20091019); + +sub getConfig{return %config} +sub getShortDescr { + return "TEST - Checks for keys set by Trojan\.Clampi PROT module"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching clampi v.".$VERSION); + ::rptMsg("clampi v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $count = 0; + + my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my ($form1, $form2, $form3); + + eval { + $form1 = $key->get_value("Use FormSuggest")->get_data(); + ::rptMsg("\tUse FormSuggest = ".$form1); + $count++ if ($form1 eq "true"); + }; + + eval { + $form2 = $key->get_value("FormSuggest_Passwords")->get_data(); + ::rptMsg("\tFormSuggest_Passwords = ".$form2); + $count++ if ($form2 eq "true"); + }; + + eval { + $form3 = $key->get_value("FormSuggest_PW_Ask")->get_data(); + ::rptMsg("\tUse FormSuggest = ".$form3); + $count++ if ($form3 eq "no"); + }; + } + else { + ::rptMsg($key_path." not found."); + } + ::rptMsg(""); + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + my $auto; + eval { + $auto = $key->get_value("AutoSuggest")->get_data(); + ::rptMsg("\tAutoSuggest = ".$auto); + $count++ if ($auto eq "true"); + }; + } + else { + ::rptMsg($key_path." not found."); + } + ::rptMsg(""); + my $key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my $prompt; + eval { + $prompt = $key->get_value("POP3 Prompt for Password")->get_data(); + ::rptMsg("\tPOP3 Prompt for Password = ".$prompt); + $count++ if ($prompt eq "true"); + }; + } + else { + ::rptMsg($key_path." not found."); + } + ::rptMsg(""); + if ($count == 5) { + ::rptMsg("The system may have been infected with the Trojan.Clampi PROT module."); + } + else { + ::rptMsg("The system does not appear to have been infected with the Trojan.Clampi"); + ::rptMsg("PROT module."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/clampitm.pl b/RecentActivity/release/rr-full/plugins/clampitm.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/clampitm.pl rename to RecentActivity/release/rr-full/plugins/clampitm.pl index 60f21738c6..93071c27cd --- a/thirdparty/rr/plugins/clampitm.pl +++ b/RecentActivity/release/rr-full/plugins/clampitm.pl 
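Review bot: The third indicator check labels `FormSuggest_PW_Ask` as `Use FormSuggest` in its report line — `::rptMsg("\tUse FormSuggest = ".$form3);` should read `::rptMsg("\tFormSuggest_PW_Ask = ".$form3);` — so the report currently shows two `Use FormSuggest` lines with different values and the `eq "no"` test is unexplained; since the rename rewrites the whole file, this was the moment to fix it. `$key_path` and `$key` are re-declared with `my` three times in the same scope, which `use warnings` would flag as masking an earlier declaration; dropping the `my` on the second and third declarations is enough. The `$count == 5` verdict is a hard all-or-nothing threshold, and a comment stating that all five indicators must match for the infection message to appear would record that intent.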
@@ -1,78 +1,80 @@ -#----------------------------------------------------------- -# clampitm.pl -# Checks keys/values set by new version of Trojan.Clampi -# -# Change history -# 20100624 - created -# -# NOTE: This is purely a test plugin, and based solely on the below -# reference. It has not been tested on any systems that were -# known to be infected. -# -# References -# http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/ilomo_external.pdf -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package clampitm; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100624); - -sub getConfig{return %config} -sub getShortDescr { - return "Checks for IOCs for Clampi (per Trend Micro)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching clampitm v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $count = 0; - - my $key_path = 'Software\\Microsoft\\Internet Explorer\\Settings'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ClampiTM plugin"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $tag = 1; - my @list = qw/GatesList GID KeyE KeyM PID/; - my @vals = $key->get_list_of_values(); - if (scalar (@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - if (grep(/$name/,@list)) { - ::rptMsg(sprintf "%-10s %-30s",$name,$v->get_data()); - $tag = 0; - } - } - if ($tag) { - ::rptMsg("No Clampi values found."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# clampitm.pl +# Checks keys/values set by new version of Trojan.Clampi +# +# Change history +# 20100624 - created +# +# NOTE: This is purely a test plugin, and based solely on the below +# reference. It has not been tested on any systems that were +# known to be infected. +# +# References +# http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/ilomo_external.pdf +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package clampitm; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100624); + +sub getConfig{return %config} +sub getShortDescr { + return "Checks for IOCs for Clampi (per Trend Micro)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching clampitm v.".$VERSION); + ::rptMsg("clampitm v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $count = 0; + + my $key_path = 'Software\\Microsoft\\Internet Explorer\\Settings'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("ClampiTM plugin"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my $tag = 1; + my @list = qw/GatesList GID KeyE KeyM PID/; + my @vals = $key->get_list_of_values(); + if (scalar (@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + if (grep(/$name/,@list)) { + ::rptMsg(sprintf "%-10s %-30s",$name,$v->get_data()); + $tag = 0; + } + } + if ($tag) { + ::rptMsg("No Clampi values found."); + } + } + else { + ::rptMsg($key_path." 
has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/clsid.pl b/RecentActivity/release/rr-full/plugins/clsid.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/clsid.pl rename to RecentActivity/release/rr-full/plugins/clsid.pl index 1823600295..dff4b1ca4d --- a/thirdparty/rr/plugins/clsid.pl +++ b/RecentActivity/release/rr-full/plugins/clsid.pl 
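Review bot: `if (grep(/$name/,@list))` uses the registry value name as an unanchored regular expression against the IOC list, so a value named `ID` or `D` matches `GID` and `PID`, a name containing a regex metacharacter (`(`, `[`, `+`) dies with a pattern-compile error outside any `eval`, and a name like `.` matches everything. An exact comparison is what the check intends: `if (grep { $_ eq $name } @list) {`. Value names read from a hive are untrusted input to this matcher, which is why a literal comparison rather than interpolation into a pattern is the safe default for an IOC list.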
@@ -1,80 +1,82 @@ -#----------------------------------------------------------- -# clsid.pl -# Plugin to extract file association data from the Software hive file -# Can take considerable time to run; recommend running it via rip.exe -# -# History -# 20100227 - created -# -# References -# http://msdn.microsoft.com/en-us/library/ms724475%28VS.85%29.aspx -# -# copyright 2010, Quantum Analytics Research, LLC -#----------------------------------------------------------- -package clsid; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100227); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get list of CLSID/registered classes"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %clsid; - ::logMsg("Launching clsid v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Classes\\CLSID"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); -# First step will be to get a list of all of the file extensions - my %ext; - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - - my $name = $s->get_name(); - eval { - my $n = $s->get_value("")->get_data(); - $name .= " ".$n unless ($n eq ""); - }; - - push(@{$clsid{$s->get_timestamp()}},$name); - } - - foreach my $t (reverse sort {$a <=> $b} keys %clsid) { - ::rptMsg(gmtime($t)." Z"); - foreach my $item (@{$clsid{$t}}) { - ::rptMsg(" ".$item); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# clsid.pl +# Plugin to extract file association data from the Software hive file +# Can take considerable time to run; recommend running it via rip.exe +# +# History +# 20100227 - created +# +# References +# http://msdn.microsoft.com/en-us/library/ms724475%28VS.85%29.aspx +# +# copyright 2010, Quantum Analytics Research, LLC +#----------------------------------------------------------- +package clsid; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100227); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get list of CLSID/registered classes"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %clsid; + ::logMsg("Launching clsid v.".$VERSION); + ::rptMsg("clsid v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Classes\\CLSID"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); +# First step will be to get a list of all of the file extensions + my %ext; + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + + my $name = $s->get_name(); + eval { + my $n = $s->get_value("")->get_data(); + $name .= " ".$n unless ($n eq ""); + }; + + push(@{$clsid{$s->get_timestamp()}},$name); + } + + foreach my $t (reverse sort {$a <=> $b} keys %clsid) { + ::rptMsg(gmtime($t)." Z"); + foreach my $item (@{$clsid{$t}}) { + ::rptMsg(" ".$item); + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/cmd_shell.pl b/RecentActivity/release/rr-full/plugins/cmd_shell.pl old mode 100644 new mode 100755 similarity index 50% rename from thirdparty/rr/plugins/cmd_shell.pl rename to RecentActivity/release/rr-full/plugins/cmd_shell.pl index 84e40a7735..5cbef9408f --- a/thirdparty/rr/plugins/cmd_shell.pl +++ b/RecentActivity/release/rr-full/plugins/cmd_shell.pl 
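Review bot: The header still says the plugin extracts `file association data` and the inline comment reads `First step will be to get a list of all of the file extensions`, but the code enumerates `Classes\CLSID` subkeys and `getShortDescr` says so; both comments look copied from another plugin, and `my %ext;` is the matching leftover. Replace the inline comment with `# Collect each CLSID subkey (plus its default value) grouped by LastWrite time` and drop `%ext`. The silent `eval` around `get_value("")` is reasonable since a CLSID without a default value is unremarkable, but a short `# no default value is common; ignore` comment would record that the swallow is deliberate.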
@@ -1,75 +1,114 @@ -#----------------------------------------------------------- -# cmd_shell -# -# -# Change History -# 20100830 - added "cs" shell command to the path -# 20080328 - created -# -# References -# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx? -# Name=TrojanClicker%3AWin32%2FVB.GE -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package cmd_shell; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20100830); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets shell open cmds for various file types"; -} -sub getDescr{} -sub getRefs { - my %refs = ("You Are Unable to Start a Program with an .exe File Extension" => - "http://support.microsoft.com/kb/310585"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching cmd_shell v.".$VERSION); - - my @shells = ("exe","cmd","bat","cs","hta","pif"); - - foreach my $sh (@shells) { - - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Classes\\".$sh."file\\shell\\open\\command"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("cmd_shell"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $val; - eval { - $val = $key->get_value("")->get_data(); - ::rptMsg("\tCmd: ".$val); - }; - ::rptMsg("Error: ".$@) if ($@); - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } - } - ::rptMsg(""); -} +#----------------------------------------------------------- +# cmd_shell +# +# Change History +# 20130405 - added Clients subkey +# 20100830 - added "cs" shell command to the path +# 20080328 - created +# +# References +# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx? +# Name=TrojanClicker%3AWin32%2FVB.GE +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package cmd_shell; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20130405); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets shell open cmds for various file types"; +} +sub getDescr{} +sub getRefs { + my %refs = ("You Are Unable to Start a Program with an .exe File Extension" => + "http://support.microsoft.com/kb/310585"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching cmd_shell v.".$VERSION); + ::rptMsg("cmd_shell v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my @shells = ("exe","cmd","bat","cs","hta","pif"); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + foreach my $sh (@shells) { + my $key_path = "Classes\\".$sh."file\\shell\\open\\command"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); +# ::rptMsg(""); + my $val; + eval { + $val = $key->get_value("")->get_data(); + ::rptMsg(" Cmd: ".$val); + + if ($sh eq "hta") { + if ($val eq "C:\\Windows\\SysWOW64\\mshta\.exe \"%1\" %*" || $val eq "C:\\WINDOWS\\system32\\mshta\.exe \"%1\" %*") { + + } + else { + ::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$val); + } + } + else { + ::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$val) unless ($val eq "\"%1\" %*"); + } + + ::rptMsg(""); + }; + ::rptMsg("Error: ".$@) if ($@); + + } + else { + ::rptMsg($key_path." not found."); + ::rptMsg(""); + } + } + ::rptMsg(""); + + my $key_path = "Clients\\StartMenuInternet\\IExplore.exe\\shell\\open\\command"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + eval { + my $cmd = $key->get_value("")->get_data(); + ::rptMsg(" Cmd: ".$cmd); + + if ($cmd eq "\"C:\\Program Files\\Internet Explorer\\iexplore\.exe\"" || + $cmd eq "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore\.exe\"") { + + } + else { + ::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$cmd); + } + }; + ::rptMsg("Error: ".$@) if ($@); + } + else { + ::rptMsg($key_path." not found\."); + } + +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/cmd_shell_tln.pl b/RecentActivity/release/rr-full/plugins/cmd_shell_tln.pl new file mode 100755 index 0000000000..1045282e00 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/cmd_shell_tln.pl 
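Review bot: The new known-good comparisons for `hta` (`$val eq "C:\\Windows\\SysWOW64\\mshta\.exe \"%1\" %*" || ...`) and for the IExplore.exe client are exact, case-sensitive matches, yet the registry stores these commands with whatever casing the installer wrote (the hunk itself mixes `C:\\Windows` and `C:\\WINDOWS`), so a benign `C:\\windows\\system32\\mshta.exe "%1" %*` raises an alert; comparing `lc($val)` against lower-cased expected strings loses nothing, because Windows resolves the path the same way, and the same applies to the copies in cmd_shell_tln.pl. The `\.` inside double-quoted strings (`mshta\.exe`, `not found\.`) is not an escape Perl defines and would warn under `use warnings`; a plain `.` is meant. The empty `if (...) { } else { ::alertMsg(...) }` shape reads more directly as `::alertMsg(...) unless (...)`, which the non-hta branch already uses.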
@@ -0,0 +1,111 @@ +#----------------------------------------------------------- +# cmd_shell_tln +# +# Change History +# 20130425 - created +# +# References +# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx? +# Name=TrojanClicker%3AWin32%2FVB.GE +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package cmd_shell_tln; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20130425); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets shell open cmds for various file types"; +} +sub getDescr{} +sub getRefs { + my %refs = ("You Are Unable to Start a Program with an .exe File Extension" => + "http://support.microsoft.com/kb/310585"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching cmd_shell_tln v.".$VERSION); +# ::rptMsg("cmd_shell v.".$VERSION); # banner +# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my @shells = ("exe","cmd","bat","cs","hta","pif"); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + foreach my $sh (@shells) { + my $key_path = "Classes\\".$sh."file\\shell\\open\\command"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); +# ::rptMsg(""); + my $lw = $key->get_timestamp(); + my $val; + eval { + $val = $key->get_value("")->get_data(); +# ::rptMsg(" Cmd: ".$val); + + if ($sh eq "hta") { + if ($val eq "C:\\Windows\\SysWOW64\\mshta\.exe \"%1\" %*" || $val eq "C:\\WINDOWS\\system32\\mshta\.exe \"%1\" %*") { + + } + else { +# ::alertMsg("ALERT: cmd_shell: ".$key_path." 
warning: ".$val); + ::alertMsg($lw."|ALERT|||Software\\".$key_path." warning: ".$val); + } + } + else { +# ::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$val) unless ($val eq "\"%1\" %*"); + ::alertMsg($lw."|ALERT|||Software\\".$key_path." warning: ".$val) unless ($val eq "\"%1\" %*"); + } + }; + + } + else { +# ::rptMsg($key_path." not found."); +# ::rptMsg(""); + } + } +# ::rptMsg(""); + + my $key_path = "Clients\\StartMenuInternet\\IExplore.exe\\shell\\open\\command"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my $lw = $key->get_timestamp(); + eval { + my $cmd = $key->get_value("")->get_data(); +# ::rptMsg(" Cmd: ".$cmd); + + if ($cmd eq "\"C:\\Program Files\\Internet Explorer\\iexplore\.exe\"" || + $cmd eq "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore\.exe\"") { + + } + else { + ::alertMsg($lw."|ALERT|||Software\\".$key_path." warning: ".$cmd); + } + }; +# ::rptMsg("Error: ".$@) if ($@); + } + else { +# ::rptMsg($key_path." not found\."); + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/cmd_shell_u.pl b/RecentActivity/release/rr-full/plugins/cmd_shell_u.pl new file mode 100755 index 0000000000..c2783c0a15 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/cmd_shell_u.pl 
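Review bot: The hta whitelist in the `foreach my $sh (@shells)` loop is a case-sensitive `eq` against two literal `C:\` paths, so a hive from a system with a non-default %SystemRoot% drive, or simply a different path casing (the two accepted spellings already show casing varies between installs), lands in the TLN as an ALERT that is indistinguishable from a real hijack. A normalised comparison would keep the alert for anything that is not mshta.exe under the Windows directory, e.g. `unless (lc($val) =~ m{^[a-z]:\\windows\\(?:system32|syswow64)\\mshta\.exe "%1" %\*$})`. Note also that in this TLN variant `$@` is never examined after either `eval`, so a value that fails to read is silently dropped from the timeline; a `::logMsg("cmd_shell_tln: ".$key_path.": ".$@) if ($@);` would at least leave a trace in the log.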
@@ -0,0 +1,67 @@ +#----------------------------------------------------------- +# cmd_shell_u +# Get the shell\open\command settings for various file types; gets +# info from USRCLASS.DAT hives, where Classes data is maintained on +# Win7 +# +# Change History +# 20130405 - created +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package cmd_shell_u; +use strict; + +my %config = (hive => "USRCLASS\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130405); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets shell open cmds for various file types from USRCLASS\.DAT"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching cmd_shell_u v.".$VERSION); + ::rptMsg("cmd_shell_u v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my @shells = ("\.exe","exefile","ftp","http","https"); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + foreach my $sh (@shells) { + my $key_path = $sh."\\shell\\open\\command"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); +# ::rptMsg(""); + my $val; + eval { + $val = $key->get_value("")->get_data(); + ::rptMsg(" Cmd: ".$val); + ::rptMsg(""); + }; + ::rptMsg("Error: ".$@) if ($@); + } + else { + ::rptMsg($key_path." not found."); + } + } + ::rptMsg(""); +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/cmdproc.pl b/RecentActivity/release/rr-full/plugins/cmdproc.pl new file mode 100755 index 0000000000..5805fa1c69 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/cmdproc.pl 
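Review bot: Unlike cmd_shell.pl in this same commit, this plugin only prints the `shell\open\command` value and never calls `::alertMsg()`, yet a per-user `exefile` or `.exe` handler under the user's Classes hive is exactly the kind of override an analyst would want flagged rather than buried in the report. For the two executable entries the same known-good comparison cmd_shell.pl applies could be reused, e.g. `::alertMsg("ALERT: cmd_shell_u: ".$key_path." warning: ".$val) if (($sh eq "exefile" || $sh eq "\.exe") && $val ne "\"%1\" %*");`, while ftp/http/https stay report-only since their defaults are browser-dependent. Also worth a comment in the header: `"\.exe"` in a double-quoted string is just `.exe`, so the key probed is `.exe\shell\open\command`; writing the literal as `".exe"` makes that intent obvious.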
@@ -0,0 +1,67 @@ +#----------------------------------------------------------- +# cmdproc.pl +# Checks key for files to autostart from cmd.exe +# +# Change History +# 20130425 - added alertMsg() functionality +# 20130115 - created +# +# References: +# +# Category: autostart,malware,programexecution +# +# copyright 2013 Quantum Analytics Research, +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package cmdproc; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130425); + +sub getConfig{return %config} + +sub getShortDescr { + return "Autostart - get Command Processor\\AutoRun value from NTUSER\.DAT hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching cmdproc v.".$VERSION); + ::rptMsg("cmdproc v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Command Processor"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + my $auto; + eval { + $auto = $key->get_value("AutoRun")->get_data(); + ::rptMsg("AutoRun = ".$auto); + ::alertMsg("ALERT: cmdproc: ".$key_path." AutoRun value found: ".$auto); + }; + if ($@) { + ::rptMsg("AutoRun value not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/cmdproc_tln.pl b/RecentActivity/release/rr-full/plugins/cmdproc_tln.pl new file mode 100755 index 0000000000..decb37f2c2 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/cmdproc_tln.pl 
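Review bot: The `if ($@)` branch after the `eval` reports every failure as `AutoRun value not found.`, although the eval also wraps `get_data()` and the two `::rptMsg`/`::alertMsg` calls, so a corrupt or unreadable value is reported as absent rather than as an error. Test for the value explicitly and keep the eval only around the read, e.g. `my $v = $key->get_value("AutoRun");` followed by `if (defined $v) { ... } else { ::rptMsg("AutoRun value not found."); }`, and print `$@` when the read itself fails. The empty `References:` line in the header could also carry the link the sibling cmd_shell plugins already cite, since the same Command Processor\AutoRun key exists machine-wide under the Software hive and a reader may otherwise assume this per-user check is complete.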
@@ -0,0 +1,67 @@ +#----------------------------------------------------------- +# cmdproc_tln.pl +# Checks key for files to autostart from cmd.exe +# +# Change History +# 20130425 - created +# +# References: +# +# Category: autostart,malware,programexecution +# +# copyright 2013 Quantum Analytics Research, +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package cmdproc_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130425); + +sub getConfig{return %config} + +sub getShortDescr { + return "Autostart - get Command Processor\\AutoRun value from NTUSER\.DAT hive (TLN)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching cmdproc_tln v.".$VERSION); +# ::rptMsg("cmdproc v.".$VERSION); # banner +# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Command Processor"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my $lw = $key->get_timestamp(); + my $auto; + eval { + $auto = $key->get_value("AutoRun")->get_data(); +# ::rptMsg("AutoRun = ".$auto); +# ::alertMsg("ALERT: cmdproc: ".$key_path." AutoRun value found: ".$auto); + ::alertMsg($lw."|ALERT|||HKCU\\".$key_path." AutoRun value found: ".$auto); + }; + if ($@) { +# ::rptMsg("AutoRun value not found."); + } + } + else { +# ::rptMsg($key_path." not found."); + } +} +1; \ No newline at end of file 
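Review bot: The TLN record is built as `$lw."|ALERT|||HKCU\\".$key_path." AutoRun value found: ".$auto`, so `$auto` is spliced raw into a pipe-delimited five-field line; an AutoRun string containing `|` (a cmd.exe pipeline is a perfectly plausible AutoRun payload) would add extra fields and break whatever consumes the timeline. Sanitise the description before emitting it, e.g. `(my $desc = $auto) =~ tr/|/ /;` and use `$desc` in the `::alertMsg()` call, or apply whatever escaping the TLN consumer expects. The now-empty `if ($@) { }` block left over from commenting out the rptMsg call should either be removed or log the failure with `::logMsg`, since as written a read error is silently discarded.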
diff --git a/thirdparty/rr/plugins/codeid.pl b/RecentActivity/release/rr-full/plugins/codeid.pl
old mode 100644
new mode 100755
similarity index 90%
rename from thirdparty/rr/plugins/codeid.pl
rename to RecentActivity/release/rr-full/plugins/codeid.pl
index f3eec03151..d0e1de4aa1
--- a/thirdparty/rr/plugins/codeid.pl
+++ b/RecentActivity/release/rr-full/plugins/codeid.pl
@@ -1,75 +1,77 @@ -#----------------------------------------------------------- -# codeid -# Get DefaultLevel value from CodeIdentifiers key -# -# -# Change History -# 20100608 - created -# -# References -# SANS ISC blog - http://isc.sans.edu/diary.html?storyid=8917 -# CodeIdentifiers key -# - http://technet.microsoft.com/en-us/library/bb457006.aspx -# SAFER_LEVELID_FULLYTRUSTED value -# - http://msdn.microsoft.com/en-us/library/ms722424%28VS.85%29.aspx -# (262144 == Unrestricted) -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package codeid; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100608); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets CodeIdentifier DefaultLevel value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching codeid v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("CodeID"); - ::rptMsg($key_path); - my $lastwrite = $key->get_timestamp(); - ::rptMsg(" LastWrite time: ".gmtime($lastwrite)." Z"); - ::rptMsg(""); - - my $level; - eval { - $level = $key->get_value("DefaultLevel")->get_data(); - ::rptMsg(sprintf "DefaultLevel = 0x%08x",$level); - }; - - my $exe; - eval { - $exe = $key->get_value("ExecutableTypes")->get_data(); - $exe =~ s/\s/,/g; - ::rptMsg("ExecutableTypes = ".$exe); - - }; - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# codeid +# Get DefaultLevel value from CodeIdentifiers key +# +# +# Change History +# 20100608 - created +# +# References +# SANS ISC blog - http://isc.sans.edu/diary.html?storyid=8917 +# CodeIdentifiers key +# - http://technet.microsoft.com/en-us/library/bb457006.aspx +# SAFER_LEVELID_FULLYTRUSTED value +# - http://msdn.microsoft.com/en-us/library/ms722424%28VS.85%29.aspx +# (262144 == Unrestricted) +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package codeid; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100608); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets CodeIdentifier DefaultLevel value"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching codeid v.".$VERSION); + ::rptMsg("codeid v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("CodeID"); + ::rptMsg($key_path); + my $lastwrite = $key->get_timestamp(); + ::rptMsg(" LastWrite time: ".gmtime($lastwrite)." Z"); + ::rptMsg(""); + + my $level; + eval { + $level = $key->get_value("DefaultLevel")->get_data(); + ::rptMsg(sprintf "DefaultLevel = 0x%08x",$level); + }; + + my $exe; + eval { + $exe = $key->get_value("ExecutableTypes")->get_data(); + $exe =~ s/\s/,/g; + ::rptMsg("ExecutableTypes = ".$exe); + + }; + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file 
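Review bot: The only functional change here is the two banner lines, but while the file is being touched the `DefaultLevel` output is still a bare hex number even though the header comment already records that 262144 (0x40000) means Unrestricted; an analyst reading the report should not have to look that up. A one-line label would do: `::rptMsg(sprintf("DefaultLevel = 0x%08x",$level).($level == 0x40000 ? " (Unrestricted)" : ""));`. Both `eval` blocks also swallow `$@` without reporting, so a missing DefaultLevel or ExecutableTypes value leaves no line at all in the report; printing `$key_path." has no DefaultLevel value."` on failure would make the absence visible.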
diff --git a/RecentActivity/release/rr-full/plugins/comdlg32.pl b/RecentActivity/release/rr-full/plugins/comdlg32.pl
new file mode 100755
index 0000000000..45ecd19c8d
--- /dev/null
+++ b/RecentActivity/release/rr-full/plugins/comdlg32.pl
@@ -0,0 +1,686 @@ +#----------------------------------------------------------- +# comdlg32.pl +# Plugin for Registry Ripper +# +# Change history +# 20121005 - updated to address shell item type 0x3A +# 20121005 - updated to parse shell item ID lists +# 20100409 - updated to include Vista and above +# 20100402 - updated IAW Chad Tilbury's post to SANS +# Forensic Blog +# 20080324 - created +# +# References +# Win2000 - http://support.microsoft.com/kb/319958 +# XP - http://support.microsoft.com/kb/322948/EN-US/ +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package comdlg32; +use strict; +use Time::Local; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20121008); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's ComDlg32 key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching comdlg32 v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + ::rptMsg("comdlg32 v.".$VERSION); + ::rptMsg(""); +# LastVistedMRU + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32"; + my $key; + my @vals; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + + my @subkeys = $key->get_list_of_subkeys(); + + if (scalar @subkeys > 0) { + foreach my $s (@subkeys) { + if ($s->get_name() eq "LastVisitedMRU") { + ::rptMsg("LastVisitedMRU"); + ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())); + parseLastVisitedMRU($s); + ::rptMsg(""); + } + + if ($s->get_name() eq "OpenSaveMRU") { + ::rptMsg("OpenSaveMRU"); + ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())); + parseOpenSaveMRU($s); + ::rptMsg(""); + } + + if ($s->get_name() eq "CIDSizeMRU") { + ::rptMsg("CIDSizeMRU"); + ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())); + parseCIDSizeMRU($s); + ::rptMsg(""); + } + + if ($s->get_name() eq "FirstFolder") { + ::rptMsg("FirstFolder"); + ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())); + parseFirstFolder($s); + ::rptMsg(""); + } + + if ($s->get_name() eq "LastVisitedPidlMRU" || $s->get_name() eq "LastVisitedPidlMRULegacy") { + ::rptMsg("LastVisitedPidlMRU"); + ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())); + parseLastVisitedPidlMRU($s); + ::rptMsg(""); + } + + if ($s->get_name() eq "OpenSavePidlMRU") { + ::rptMsg("OpenSavePidlMRU"); + ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())); + parseOpenSavePidlMRU($s); + ::rptMsg(""); + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub parseLastVisitedMRU { + my $key = shift; + my %lvmru; + my @mrulist; + my @vals = $key->get_list_of_values(); + + if (scalar(@vals) > 0) { +# First, read in all of the values and the data + foreach my $v (@vals) { + $lvmru{$v->get_name()} = $v->get_data(); + } +# Then, remove the MRUList value + if (exists $lvmru{MRUList}) { + ::rptMsg(" MRUList = ".$lvmru{MRUList}); + @mrulist = split(//,$lvmru{MRUList}); + delete($lvmru{MRUList}); + foreach my $m (@mrulist) { + my ($file,$dir) = split(/\00\00/,$lvmru{$m},2); + $file =~ s/\00//g; + $dir =~ s/\00//g; + ::rptMsg(" ".$m." 
-> EXE: ".$file); + ::rptMsg(" -> Last Dir: ".$dir); + } + } + else { + ::rptMsg("LastVisitedMRU key does not have an MRUList value."); + } + } + else { + ::rptMsg("LastVisitedMRU key has no values."); + } + ::rptMsg(""); +} + +sub parseOpenSaveMRU { + my $key = shift; + + parseOpenSaveValues($key); + ::rptMsg(""); +# Now, let's get the subkeys + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + parseOpenSaveValues($s); + ::rptMsg(""); + } + } + else { + ::rptMsg("OpenSaveMRU key has no subkeys."); + } + ::rptMsg(""); +} + +sub parseOpenSaveValues { + my $key = shift; + ::rptMsg("OpenSaveMRU\\".$key->get_name()); + ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." Z"); + my %osmru; + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + map{$osmru{$_->get_name()} = $_->get_data()}(@vals); + if (exists $osmru{MRUList}) { + ::rptMsg(" MRUList = ".$osmru{MRUList}); + my @mrulist = split(//,$osmru{MRUList}); + delete($osmru{MRUList}); + foreach my $m (@mrulist) { + ::rptMsg(" ".$m." -> ".$osmru{$m}); + } + } + else { + ::rptMsg($key->get_name()." does not have an MRUList value."); + } + } + else { + ::rptMsg($key->get_name()." 
has no values."); + } +} + +sub parseCIDSizeMRU { + my $key = shift; + my %lvmru; + my @mrulist; + my @vals = $key->get_list_of_values(); + my %mru; + my $count = 0; + + if (scalar(@vals) > 0) { +# First, read in all of the values and the data + foreach my $v (@vals) { + $lvmru{$v->get_name()} = $v->get_data(); + } +# Then, remove the MRUList value + ::rptMsg("Note: All value names are listed in MRUListEx order."); + ::rptMsg(""); + if (exists $lvmru{MRUListEx}) { + my @mrulist = unpack("V*",$lvmru{MRUListEx}); + foreach my $n (0..(scalar(@mrulist) - 2)) { + $mru{$count++} = $lvmru{$mrulist[$n]}; + } + delete $mru{0xffffffff}; + foreach my $m (sort {$a <=> $b} keys %mru) { +# my $file = parseStr($mru{$m}); + my $file = (split(/\00\00/,$mru{$m},2))[0]; + $file =~ s/\00//g; + ::rptMsg(" ".$file); + } + } + else { +# ::rptMsg($key_path." does not have an MRUList value."); + } + } + else { +# ::rptMsg($key_path." has no values."); + } +} + +sub parseFirstFolder { + my $key = shift; + my %lvmru; + my @mrulist; + my @vals = $key->get_list_of_values(); + my %mru; + my $count = 0; + + if (scalar(@vals) > 0) { +# First, read in all of the values and the data + foreach my $v (@vals) { + $lvmru{$v->get_name()} = $v->get_data(); + } +# Then, remove the MRUList value + ::rptMsg("Note: All value names are listed in MRUListEx order."); + ::rptMsg(""); + if (exists $lvmru{MRUListEx}) { + my @mrulist = unpack("V*",$lvmru{MRUListEx}); + foreach my $n (0..(scalar(@mrulist) - 2)) { + $mru{$count++} = $lvmru{$mrulist[$n]}; + } + delete $mru{0xffffffff}; + foreach my $m (sort {$a <=> $b} keys %mru) { +# my $file = parseStr($mru{$m}); + my @files = split(/\00\00/,$mru{$m}); + if (scalar(@files) == 0) { + ::rptMsg(" No files listed."); + } + elsif (scalar(@files) == 1) { + $files[0] =~ s/\00//g; + ::rptMsg(" ".$files[0]); + } + elsif (scalar(@files) > 1) { + my @files2; + foreach my $file (@files) { + $file =~ s/\00//g; + push(@files2,$file); + } + ::rptMsg(" ".join(' ',@files2)); + } + 
else { + + } + } + } + else { +# ::rptMsg($key_path." does not have an MRUList value."); + } + } + else { +# ::rptMsg($key_path." has no values."); + } +} + +sub parseLastVisitedPidlMRU { + my $key = shift; + my %lvmru; + my @mrulist; + my @vals = $key->get_list_of_values(); + my %mru; + my $count = 0; + + if (scalar(@vals) > 0) { +# First, read in all of the values and the data + foreach my $v (@vals) { + $lvmru{$v->get_name()} = $v->get_data(); + } +# Then, remove the MRUList value + ::rptMsg("Note: All value names are listed in MRUListEx order."); + ::rptMsg(""); + if (exists $lvmru{MRUListEx}) { + my @mrulist = unpack("V*",$lvmru{MRUListEx}); + foreach my $n (0..(scalar(@mrulist) - 2)) { + $mru{$count++} = $lvmru{$mrulist[$n]}; + } + delete $mru{0xffffffff}; + + foreach my $m (sort {$a <=> $b} keys %mru) { + my ($file,$shell) = split(/\00\00/,$mru{$m},2); + $file =~ s/\00//g; + $shell =~ s/^\00//; + my $str = parseShellItem($shell); + ::rptMsg(" ".$file." - ".$str); + } + } + else { + ::rptMsg("LastVisitedPidlMRU key does not have an MRUList value."); + } + } + else { + ::rptMsg("LastVisitedPidlMRU key has no values."); + } +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseOpenSavePidlMRU { + my $key = shift; + my @subkeys = $key->get_list_of_subkeys(); + + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg("OpenSavePidlMRU\\".$s->get_name()); + ::rptMsg("LastWrite Time: ".gmtime($s->get_timestamp())); + + my @vals = $s->get_list_of_values(); + + my %lvmru = (); + my @mrulist = (); + my %mru = (); + my $count = 0; + + + if (scalar(@vals) > 0) { +# First, read in all of the values and the data + ::rptMsg("Note: All value names are listed in MRUListEx order."); + ::rptMsg(""); + foreach my $v (@vals) { + $lvmru{$v->get_name()} = $v->get_data(); + } +# Then, remove the MRUList value + if (exists $lvmru{MRUListEx}) { + my @mrulist = 
unpack("V*",$lvmru{MRUListEx}); + foreach my $n (0..(scalar(@mrulist) - 2)) { + $mru{$count++} = $lvmru{$mrulist[$n]}; + } + delete $mru{0xffffffff}; + + foreach my $m (sort {$a <=> $b} keys %mru) { + my $str = parseShellItem($mru{$m}); + ::rptMsg(" ".$str); + } + } + } + else { + ::rptMsg($s->get_name()." has no values."); + } + ::rptMsg(""); + } + } + else { + ::rptMsg($key->get_name()." has no subkeys."); + } +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseShellItem { + my $data = shift; + my $len = length($data); + my $str; + + my $tag = 1; + my $cnt = 0; + while ($tag) { + my %item = (); + my $sz = unpack("v",substr($data,$cnt,2)); + $tag = 0 if (($sz == 0) || ($cnt + $sz > $len)); + + my $dat = substr($data,$cnt,$sz); + my $type = unpack("C",substr($dat,2,1)); +# ::rptMsg(sprintf " Size: ".$sz." Type: 0x%x",$type); + + if ($type == 0x1F) { +# System Folder + %item = parseSystemFolderEntry($dat); + $str .= "\\".$item{name}; + } + elsif ($type == 0x2F) { +# Volume (Drive Letter) + %item = parseDriveEntry($dat); + $item{name} =~ s/\\$//; + $str .= "\\".$item{name}; + } + elsif ($type == 0x31 || $type == 0x32 || $type == 0x3a || $type == 0x74) { + %item = parseFolderEntry($dat); + $str .= "\\".$item{name}; + } + elsif ($type == 0x00) { + + } + elsif ($type == 0xc3 || $type == 0x41 || $type == 0x42 || $type == 0x46 || $type == 0x47) { +# Network stuff + my $id = unpack("C",substr($dat,3,1)); + if ($type == 0xc3 && $id != 0x01) { + %item = parseNetworkEntry($dat); + } + else { + %item = parseNetworkEntry($dat); + } + $str .= "\\".$item{name}; + } + else { + $item{name} = sprintf "Unknown Type (0x%x)",$type; + $str .= "\\".$item{name}; + } + $cnt += $sz; + } + $str =~ s/^\\//; + return $str; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseSystemFolderEntry { + my $data = shift; + 
my %item = (); + + my %vals = (0x00 => "Explorer", + 0x42 => "Libraries", + 0x44 => "Users", + 0x4c => "Public", + 0x48 => "My Documents", + 0x50 => "My Computer", + 0x58 => "My Network Places", + 0x60 => "Recycle Bin", + 0x68 => "Explorer", + 0x70 => "Control Panel", + 0x78 => "Recycle Bin", + 0x80 => "My Games"); + + $item{type} = unpack("C",substr($data,2,1)); + $item{id} = unpack("C",substr($data,3,1)); + if (exists $vals{$item{id}}) { + $item{name} = $vals{$item{id}}; + } + else { + $item{name} = parseGUID(substr($data,4,16)); + } + return %item; +} + +#----------------------------------------------------------- +# parseGUID() +# Takes 16 bytes of binary data, returns a string formatted +# as an MS GUID. +#----------------------------------------------------------- +sub parseGUID { + my $data = shift; + my $d1 = unpack("V",substr($data,0,4)); + my $d2 = unpack("v",substr($data,4,2)); + my $d3 = unpack("v",substr($data,6,2)); + my $d4 = unpack("H*",substr($data,8,2)); + my $d5 = unpack("H*",substr($data,10,6)); + return sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseDriveEntry { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1));; + $item{name} = substr($data,3,3); + return %item; +} +#----------------------------------------------------------- +# parseNetworkEntry() +# +#----------------------------------------------------------- +sub parseNetworkEntry { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1)); + + my @n = split(/\00/,substr($data,4,length($data) - 4)); + $item{name} = $n[0]; + $item{name} =~ s/^\W//; + return %item; +} +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseFolderEntry { + my $data = shift; + my %item = (); + + $item{type} = 
unpack("C",substr($data,2,1)); +# Type 0x74 folders have a slightly different format + + my $ofs_mdate; + my $ofs_shortname; + + if ($item{type} == 0x74) { + $ofs_mdate = 0x12; + } + elsif (substr($data,4,4) eq "AugM") { + $ofs_mdate = 0x1c; + } + elsif ($item{type} == 0x31 || $item{type} == 0x32 || $item{type} == 0x3a) { + $ofs_mdate = 0x08; + } + else {} +# some type 0x32 items will include a file size + if ($item{type} == 0x32) { + my $size = unpack("V",substr($data,4,4)); + if ($size != 0) { + $item{filesize} = $size; + } + } + + my @m = unpack("vv",substr($data,$ofs_mdate,4)); + ($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]); + +# Need to read in short name; nul-term ASCII +# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0]; + $ofs_shortname = $ofs_mdate + 6; + my $tag = 1; + my $cnt = 0; + my $str = ""; + while($tag) { + my $s = substr($data,$ofs_shortname + $cnt,1); + if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { + $tag = 0; + } + else { + $str .= $s; + $cnt++; + } + } +# $str =~ s/\00//g; + my $shortname = $str; + my $ofs = $ofs_shortname + $cnt + 1; +# Read progressively, 1 byte at a time, looking for 0xbeef + my $tag = 1; + my $cnt = 0; + while ($tag) { + if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) { + $tag = 0; + } + else { + $cnt++; + } + } + $item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2)); + +# ::rptMsg(sprintf " BEEF Offset: 0x%x",$ofs + $cnt); +# ::rptMsg(" Version: ".$item{extver}); + + $ofs = $ofs + $cnt + 2; + + my @m = unpack("vv",substr($data,$ofs,4)); + ($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]); + $ofs += 4; + my @m = unpack("vv",substr($data,$ofs,4)); + ($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]); + $ofs += 4; + + my $jmp; + if ($item{extver} == 0x03) { + $jmp = 8; + } + elsif ($item{extver} == 0x07) { + $jmp = 22; + } + elsif ($item{extver} == 0x08) { + $jmp = 26; + } + else {} + + $ofs += $jmp; +# ::rptMsg(sprintf " Offset: 0x%x",$ofs); + + 
my $str = substr($data,$ofs,length($data) - $ofs); + + my $longname = (split(/\00\00/,$str,2))[0]; + $longname =~ s/\00//g; + + if ($longname ne "") { + $item{name} = $longname; + } + else { + $item{name} = $shortname; + } + return %item; +} + +#----------------------------------------------------------- +# convertDOSDate() +# subroutine to convert 4 bytes of binary data into a human- +# readable format. Returns both a string and a Unix-epoch +# time. +#----------------------------------------------------------- +sub convertDOSDate { + my $date = shift; + my $time = shift; + + if ($date == 0x00 || $time == 0x00){ + return (0,0); + } + else { + my $sec = ($time & 0x1f) * 2; + $sec = "0".$sec if (length($sec) == 1); + if ($sec == 60) {$sec = 59}; + my $min = ($time & 0x7e0) >> 5; + $min = "0".$min if (length($min) == 1); + my $hr = ($time & 0xF800) >> 11; + $hr = "0".$hr if (length($hr) == 1); + my $day = ($date & 0x1f); + $day = "0".$day if (length($day) == 1); + my $mon = ($date & 0x1e0) >> 5; + $mon = "0".$mon if (length($mon) == 1); + my $yr = (($date & 0xfe00) >> 9) + 1980; + my $gmtime = timegm($sec,$min,$hr,$day,($mon - 1),$yr); + return ("$yr-$mon-$day $hr:$min:$sec",$gmtime); +# return gmtime(timegm($sec,$min,$hr,$day,($mon - 1),$yr)); + } +} + +#----------------------------------------------------------- +# printData() +# subroutine used primarily for debugging; takes an arbitrary +# length of binary data, prints it out in hex editor-style +# format for easy debugging +#----------------------------------------------------------- +sub printData { + my $data = shift; + my $len = length($data); + my $tag = 1; + my $cnt = 0; + + my $loop = $len/16; + $loop++ if ($len%16); + + foreach my $cnt (0..($loop - 1)) { +# while ($tag) { + my $left = $len - ($cnt * 16); + + my $n; + ($left < 16) ? 
($n = $left) : ($n = 16); + + my $seg = substr($data,$cnt * 16,$n); + my @str1 = split(//,unpack("H*",$seg)); + + my @s3; + my $str = ""; + + foreach my $i (0..($n - 1)) { + $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; + + if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) { + $str .= chr(hex($s3[$i])); + } + else { + $str .= "\."; + } + } + my $h = join(' ',@s3); + ::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/muicache.pl b/RecentActivity/release/rr-full/plugins/compatassist.pl old mode 100644 new mode 100755 similarity index 52% rename from thirdparty/rr/plugins/muicache.pl rename to RecentActivity/release/rr-full/plugins/compatassist.pl index 8a980e3531..6f3e2da87f --- a/thirdparty/rr/plugins/muicache.pl +++ b/RecentActivity/release/rr-full/plugins/compatassist.pl 
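Review bot: Both scanning loops in `parseFolderEntry` are unbounded: the short-name loop only stops on a NUL at an even position and the signature loop only on finding `0xbeef`, and once the offset runs past the end of `$data` `substr` returns an empty string so neither condition can ever fire and the plugin spins forever. The shell item data comes straight from the suspect's NTUSER.DAT, so a truncated or hand-crafted MRU value hangs the whole RegRipper run (I have not built such a hive, but nothing in the loop conditions prevents it). `parseShellItem` has the same flavour of problem: it sets `$tag = 0` when `$cnt + $sz > $len` but still parses that oversized item before exiting. The rewritten loops below bound both scans by `length($data)` and fall back to the short name when no extension block is present.
```perl
sub parseFolderEntry {
	# … unchanged: type/offset detection, optional filesize, mtime parse …
	$ofs_shortname = $ofs_mdate + 6;
	my $len = length($data);
	my $cnt = 0;
	my $str = "";
	# bounded scan for the NUL-terminated ASCII short name
	while ($ofs_shortname + $cnt < $len) {
		my $s = substr($data,$ofs_shortname + $cnt,1);
		last if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0));
		$str .= $s;
		$cnt++;
	}
	my $shortname = $str;
	my $ofs = $ofs_shortname + $cnt + 1;
	# bounded scan for the 0xbeef extension signature; an item without
	# one (or a truncated item) yields the short name instead of hanging
	my $found = 0;
	$cnt = 0;
	while ($ofs + $cnt + 2 <= $len) {
		if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) { $found = 1; last; }
		$cnt++;
	}
	unless ($found) {
		$item{name} = $shortname;
		return %item;
	}
	# … unchanged: extver, ctime/atime, version-dependent jump, long name …
}
```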
@@ -1,66 +1,71 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# muicache.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# MUICache values -# -# Change history -# -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package muicache; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets EXEs from user's MUICache key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching muicache v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - my $key_path = 'Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("MUICache"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - next if ($name =~ m/^@/ || $name eq "LangID"); - my $data = $v->get_data(); - ::rptMsg("\t".$name." (".$data.")"); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# compatassist.pl +# Provides indication of applications run; see the Reference listed +# below; note that there are no time stamps associated with this +# information. 
Note: Value names that start with "SIGN.MEDIA" indicate +# that the app was run from removable media +# +# Category: Programs launched by user +# +# Change history +# 20120515 - created +# +# References +# http://msdn.microsoft.com/en-us/library/bb756937.aspx +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package compatassist; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120515); + +sub getConfig{return %config} +sub getShortDescr { + return "Checks user's Compatibility Assistant\\Persisted values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + my @temps; + + ::logMsg("Launching compatassist v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("compatassist"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + ::rptMsg(" ".$name); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/compdesc.pl b/RecentActivity/release/rr-full/plugins/compdesc.pl old mode 100644 new mode 100755 similarity index 89% rename from thirdparty/rr/plugins/compdesc.pl rename to RecentActivity/release/rr-full/plugins/compdesc.pl index fc1f292089..8fe03e98bd --- a/thirdparty/rr/plugins/compdesc.pl 
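Review bot: `my @temps;` in the new pluginmain is declared and never used, and unlike the other plugins touched in this chunk this one emits no banner lines, so its report section cannot be tied to a plugin version; drop the array and add `::rptMsg("compatassist v.".$VERSION); # banner` beside the logMsg call. Each value name is also written to the report verbatim (`::rptMsg(" ".$name);`); the names come from the hive under examination, so a name carrying a newline or other control characters would break line-oriented parsing of the report, and stripping non-printables before output would be cheap here. The old code logged the not-found and no-values cases with logMsg as well as rptMsg; the rewrite keeps only rptMsg, which is fine if intentional but differs from compdesc below.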
+++ b/RecentActivity/release/rr-full/plugins/compdesc.pl 
@@ -1,65 +1,67 @@
-#-----------------------------------------------------------
-# compdesc.pl
-# Plugin for Registry Ripper,
-# ComputerDescriptions key parser
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package compdesc;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets contents of user's ComputerDescriptions key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching compdesc v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("ComputerDescriptions");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- ::rptMsg(" ".$v->get_name()." ".$v->get_data());
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
+#-----------------------------------------------------------
+# compdesc.pl
+# Plugin for Registry Ripper,
+# ComputerDescriptions key parser
+#
+# Change history
+#
+#
+# References
+#
+#
+# copyright 2008 H. 
Carvey
+#-----------------------------------------------------------
+package compdesc;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's ComputerDescriptions key";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching compdesc v.".$VERSION);
+ ::rptMsg("compdesc v.".$VERSION); # banner
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("ComputerDescriptions");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ ::rptMsg(" ".$v->get_name()." ".$v->get_data());
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+
 1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/compname.pl b/RecentActivity/release/rr-full/plugins/compname.pl
old mode 100644
new mode 100755
similarity index 91%
rename from thirdparty/rr/plugins/compname.pl
rename to RecentActivity/release/rr-full/plugins/compname.pl
index b07c44183c..687c568214
--- a/thirdparty/rr/plugins/compname.pl
+++ b/RecentActivity/release/rr-full/plugins/compname.pl
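Review bot: The two added banner lines hard-code the plugin name as a string literal (`::rptMsg("compdesc v.".$VERSION); # banner`) although the package already declares it, so the next copy-paste into another plugin silently reports the wrong name; `::rptMsg(__PACKAGE__." v.".$VERSION); # banner` keeps the banner in sync with the package. The second banner line ends its string with "\n", which no other rptMsg call in this file does, so it presumably yields a blank line in the report on top of whatever newline rptMsg adds itself — check that the double spacing is intended. The same two lines are added verbatim in the compname, controlpanel, cpldontload, crashcontrol, ctrlpnl and ddm hunks below, so one fix applies to all of them.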
@@ -1,75 +1,77 @@ -#----------------------------------------------------------- -# compname.pl -# Plugin for Registry Ripper; Access System hive file to get the -# computername -# -# Change history -# 20090727 - added Hostname -# -# References -# http://support.microsoft.com/kb/314053/ -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package compname; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090727); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets ComputerName and Hostname values from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching compname v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my ($current,$ccs); - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - my $cn_path = $ccs."\\Control\\ComputerName\\ComputerName"; - my $cn; - if ($cn = $root_key->get_subkey($cn_path)) { - my $name = $cn->get_value("ComputerName")->get_data(); - ::rptMsg("ComputerName = ".$name); - } - else { - ::rptMsg($cn_path." not found."); - ::logMsg($cn_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } - - my $hostname; - eval { - my $host_path = $ccs."\\Services\\Tcpip\\Parameters"; - $hostname = $root_key->get_subkey($host_path)->get_value("Hostname")->get_data(); - ::rptMsg("TCP/IP Hostname = ".$hostname); - }; - -} - +#----------------------------------------------------------- +# compname.pl +# Plugin for Registry Ripper; Access System hive file to get the +# computername +# +# Change history +# 20090727 - added Hostname +# +# References +# http://support.microsoft.com/kb/314053/ +# +# copyright 2009 H. Carvey +#----------------------------------------------------------- +package compname; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20090727); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets ComputerName and Hostname values from System hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching compname v.".$VERSION); + ::rptMsg("compname v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my ($current,$ccs); + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + my $cn_path = $ccs."\\Control\\ComputerName\\ComputerName"; + my $cn; + if ($cn = $root_key->get_subkey($cn_path)) { + my $name = $cn->get_value("ComputerName")->get_data(); + ::rptMsg("ComputerName = ".$name); + } + else { + ::rptMsg($cn_path." not found."); + ::logMsg($cn_path." 
not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + my $hostname; + eval { + my $host_path = $ccs."\\Services\\Tcpip\\Parameters"; + $hostname = $root_key->get_subkey($host_path)->get_value("Hostname")->get_data(); + ::rptMsg("TCP/IP Hostname = ".$hostname); + }; + +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/controlpanel.pl b/RecentActivity/release/rr-full/plugins/controlpanel.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/controlpanel.pl rename to RecentActivity/release/rr-full/plugins/controlpanel.pl index 67e06a906a..608eccf487 --- a/thirdparty/rr/plugins/controlpanel.pl +++ b/RecentActivity/release/rr-full/plugins/controlpanel.pl 
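Review bot: `$ccs = "ControlSet00".$current;` builds the control-set path by concatenation, which yields a non-existent key such as "ControlSet0010" as soon as Select\Current is 10 or larger; `$ccs = sprintf("ControlSet%03d", $current);` matches how Windows numbers the sets. The preceding `$key->get_value("Current")->get_data()` is unguarded, so a hive that has a Select key but no Current value dies outside any eval; whether the calling harness recovers from a plugin die is not visible here. The same concatenation is used in the crashcontrol and ddm hunks below. pluginmain is fully inside this hunk.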
@@ -1,64 +1,66 @@ -#----------------------------------------------------------- -# controlpanel.pl -# Vista ControlPanel key seems to contain some interesting info about the -# user's activities... -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package controlpanel; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 64, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080428); - -sub getConfig{return %config} - -sub getShortDescr { - return "Look for RecentTask* values in ControlPanel key (Vista)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching controlpanel v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - ::rptMsg("Analysis Tip: The RecentTask* entries appear to only be populated through the"); - ::rptMsg("choices in the Control Panel Home view (in Vista). As each new choice is"); - ::rptMsg("selected, the most recent choice is added as RecentTask1, and each "); - ::rptMsg("RecentTask* entry is incremented and pushed down in the stack."); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $str = sprintf "%-15s %-45s",$v->get_name(),$v->get_data(); - ::rptMsg($str); - } - ::rptMsg(""); - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# controlpanel.pl +# Vista ControlPanel key seems to contain some interesting info about the +# user's activities... +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package controlpanel; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 64, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080428); + +sub getConfig{return %config} + +sub getShortDescr { + return "Look for RecentTask* values in ControlPanel key (Vista)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching controlpanel v.".$VERSION); + ::rptMsg("controlpanel v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + ::rptMsg("Analysis Tip: The RecentTask* entries appear to only be populated through the"); + ::rptMsg("choices in the Control Panel Home view (in Vista). As each new choice is"); + ::rptMsg("selected, the most recent choice is added as RecentTask1, and each "); + ::rptMsg("RecentTask* entry is incremented and pushed down in the stack."); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $str = sprintf "%-15s %-45s",$v->get_name(),$v->get_data(); + ::rptMsg($str); + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/cpldontload.pl b/RecentActivity/release/rr-full/plugins/cpldontload.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/cpldontload.pl rename to RecentActivity/release/rr-full/plugins/cpldontload.pl index 620419ef9b..ebaefab099 --- a/thirdparty/rr/plugins/cpldontload.pl +++ b/RecentActivity/release/rr-full/plugins/cpldontload.pl 
@@ -1,72 +1,74 @@ -#----------------------------------------------------------- -# cpldontload.pl -# Check contents of user's Control Panel\don't load key -# -# Change history -# 20100116 - created -# -# References -# W32.Nekat - http://www.symantec.com/security_response/ -# writeup.jsp?docid=2008-011419-0705-99&tabid=2 -# http://www.2-viruses.com/remove-antispywarexp2009 -# -# Notes: Some malware appears to hide various Control Panel applets -# using this means. If some sort of malware/spyware is thought -# to be on the system, check the settings and note the key -# LastWrite time. -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package cpldontload; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100116); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's Control Panel don't load key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching cpldontload v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Control Panel\\don\'t load"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @vals = $key->get_list_of_values(); - if (scalar @vals > 0) { - foreach my $v (@vals) { - my $str = sprintf "%-20s %-5s",$v->get_name(),$v->get_data(); - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# cpldontload.pl +# Check contents of user's Control Panel\don't load key +# +# Change history +# 20100116 - created +# +# References +# W32.Nekat - http://www.symantec.com/security_response/ +# writeup.jsp?docid=2008-011419-0705-99&tabid=2 +# http://www.2-viruses.com/remove-antispywarexp2009 +# +# Notes: Some malware appears to hide various Control Panel applets +# using this means. If some sort of malware/spyware is thought +# to be on the system, check the settings and note the key +# LastWrite time. +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package cpldontload; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100116); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's Control Panel don't load key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching cpldontload v.".$VERSION); + ::rptMsg("cpldontload v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Control Panel\\don\'t load"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @vals = $key->get_list_of_values(); + if (scalar @vals > 0) { + foreach my $v (@vals) { + my $str = sprintf "%-20s %-5s",$v->get_name(),$v->get_data(); + ::rptMsg($str); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/crashcontrol.pl b/RecentActivity/release/rr-full/plugins/crashcontrol.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/crashcontrol.pl rename to RecentActivity/release/rr-full/plugins/crashcontrol.pl index 61cc30b815..830fff60cf --- a/thirdparty/rr/plugins/crashcontrol.pl +++ b/RecentActivity/release/rr-full/plugins/crashcontrol.pl 
@@ -1,93 +1,95 @@ -#----------------------------------------------------------- -# crashcontrol.pl -# -# Ref: -# http://support.microsoft.com/kb/254649 -# http://support.microsoft.com/kb/274598 -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package crashcontrol; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081212); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get crash control information"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my %dumpenabled = (0 => "None", - 1 => "Complete memory dump", - 2 => "Kernel memory dump", - 3 => "Small (64kb) memory dump"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching crashcontrol v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - - my $cc_path = "ControlSet00".$current."\\Control\\CrashControl"; - my $cc; - - if ($cc = $root_key->get_subkey($cc_path)) { - - eval { - my $cde = $cc->get_value("CrashDumpEnabled")->get_data(); - ::rptMsg("CrashDumpEnabled = ".$cde." 
[".$dumpenabled{$cde}."]"); - }; - - eval { - my $df = $cc->get_value("DumpFile")->get_data(); - ::rptMsg("DumpFile = ".$df); - }; - - eval { - my $mini = $cc->get_value("MinidumpDir")->get_data(); - ::rptMsg("MinidumpDir = ".$mini); - }; - - eval { - my $logevt = $cc->get_value("LogEvent")->get_data(); - ::rptMsg("LogEvent = ".$logevt); - ::rptMsg(" Logs an event to the System Event Log (event ID = 1001, source = Save Dump)") if ($logevt == 1); - }; - - eval { - my $sendalert = $cc->get_value("SendAlert")->get_data(); - ::rptMsg("SendAlert = ".$sendalert); - ::rptMsg(" Sends a \'net send\' pop-up if a crash occurs") if ($sendalert == 1); - }; - - - } - else { - ::rptMsg($cc_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; +#----------------------------------------------------------- +# crashcontrol.pl +# +# Ref: +# http://support.microsoft.com/kb/254649 +# http://support.microsoft.com/kb/274598 +# +# copyright 2008-2009 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package crashcontrol; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20081212); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get crash control information"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my %dumpenabled = (0 => "None", + 1 => "Complete memory dump", + 2 => "Kernel memory dump", + 3 => "Small (64kb) memory dump"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching crashcontrol v.".$VERSION); + ::rptMsg("crashcontrol v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + + my $cc_path = "ControlSet00".$current."\\Control\\CrashControl"; + my $cc; + + if ($cc = $root_key->get_subkey($cc_path)) { + + eval { + my $cde = $cc->get_value("CrashDumpEnabled")->get_data(); + ::rptMsg("CrashDumpEnabled = ".$cde." 
[".$dumpenabled{$cde}."]"); + }; + + eval { + my $df = $cc->get_value("DumpFile")->get_data(); + ::rptMsg("DumpFile = ".$df); + }; + + eval { + my $mini = $cc->get_value("MinidumpDir")->get_data(); + ::rptMsg("MinidumpDir = ".$mini); + }; + + eval { + my $logevt = $cc->get_value("LogEvent")->get_data(); + ::rptMsg("LogEvent = ".$logevt); + ::rptMsg(" Logs an event to the System Event Log (event ID = 1001, source = Save Dump)") if ($logevt == 1); + }; + + eval { + my $sendalert = $cc->get_value("SendAlert")->get_data(); + ::rptMsg("SendAlert = ".$sendalert); + ::rptMsg(" Sends a \'net send\' pop-up if a crash occurs") if ($sendalert == 1); + }; + + + } + else { + ::rptMsg($cc_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} +1; diff --git a/thirdparty/rr/plugins/ctrlpnl.pl b/RecentActivity/release/rr-full/plugins/ctrlpnl.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/ctrlpnl.pl rename to RecentActivity/release/rr-full/plugins/ctrlpnl.pl index 13ce7bf906..521ded788f --- a/thirdparty/rr/plugins/ctrlpnl.pl +++ b/RecentActivity/release/rr-full/plugins/ctrlpnl.pl 
@@ -1,143 +1,145 @@ -#----------------------------------------------------------- -# ctrlpnl.pl -# Get Control Panel info from the Software hive -# -# Change history: -# 20100116 - created -# -# References: -# http://support.microsoft.com/kb/292463 -# http://learning.infocollections.com/ebook%202/Computer/ -# Operating%20Systems/Windows/Windows.XP.Hacks/ -# 0596005113_winxphks-chp-2-sect-3.html -# http://msdn.microsoft.com/en-us/library/cc144195%28VS.85%29.aspx -# -# Notes: -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package ctrlpnl; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get Control Panel info from Software hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %comp; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ctrlpnl v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Control Panel"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg(""); - -# Cpls section - if (my $cpl = $key->get_subkey("Cpls")) { - my @vals = $cpl->get_list_of_values(); - if (scalar @vals > 0) { - ::rptMsg("Cpls key"); - foreach my $v (@vals) { - my $str = sprintf "%-10s %-50s",$v->get_name(),$v->get_data(); - ::rptMsg($str); - } - ::rptMsg(""); - } - else { - ::rptMsg("Cpls key has no values."); - } - } - else { - ::rptMsg("Cpls key not found."); - } - -# don't load section -# The 'don't load' key prevents applets from being loaded -# Be sure to check the user's don't load key, as well - if (my $cpl = $key->get_subkey("don't load")) { - my @vals = 
$cpl->get_list_of_values(); - if (scalar @vals > 0) { - ::rptMsg("don't load key"); - foreach my $v (@vals) { - ::rptMsg($v->get_name()); - } - ::rptMsg(""); - } - else { - ::rptMsg("don't load key has no values."); - } - } - else { - ::rptMsg("don't load key not found."); - } - -# Extended Properties section - if (my $ext = $key->get_subkey("Extended Properties")) { - my @sk = $ext->get_list_of_subkeys(); - if (scalar @sk > 0) { - foreach my $s (@sk) { - my @vals = $s->get_list_of_values(); - if (scalar @vals > 0) { - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp)." UTC]"); - -# Ref: http://support.microsoft.com/kb/292463 - my %cat = (0x00000000 => "Other Control Panel Options", - 0x00000001 => "Appearance and Themes", - 0x00000002 => "Printers and Other Hardware", - 0x00000003 => "Network and Internet Connections", - 0x00000004 => "Sounds, Speech, and Audio Devices", - 0x00000005 => "Performance and Maintenance", - 0x00000006 => "Date, Time, Language, and Regional Options", - 0x00000007 => "Accessibility Options", - 0xFFFFFFFF => "No Category"); - my %prop; - foreach my $v (@vals) { - push(@{$prop{$v->get_data()}},$v->get_name()); - } - - foreach my $t (sort {$a <=> $b} keys %prop) { - (exists $cat{$t}) ? (::rptMsg($cat{$t})) : (::rptMsg("Category ".$t)); - foreach my $i (@{$prop{$t}}) { - ::rptMsg(" ".$i); - } - ::rptMsg(""); - } - } - } - ::rptMsg(""); - } - else { - ::rptMsg("Extended Properties key has no subkeys."); - } - } - else { - ::rptMsg("Extended Properties key not found."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# ctrlpnl.pl +# Get Control Panel info from the Software hive +# +# Change history: +# 20100116 - created +# +# References: +# http://support.microsoft.com/kb/292463 +# http://learning.infocollections.com/ebook%202/Computer/ +# Operating%20Systems/Windows/Windows.XP.Hacks/ +# 0596005113_winxphks-chp-2-sect-3.html +# http://msdn.microsoft.com/en-us/library/cc144195%28VS.85%29.aspx +# +# Notes: +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package ctrlpnl; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100116); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get Control Panel info from Software hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %comp; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching ctrlpnl v.".$VERSION); + ::rptMsg("ctrlpnl v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows\\CurrentVersion\\Control Panel"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg(""); + +# Cpls section + if (my $cpl = $key->get_subkey("Cpls")) { + my @vals = $cpl->get_list_of_values(); + if (scalar @vals > 0) { + ::rptMsg("Cpls key"); + foreach my $v (@vals) { + my $str = sprintf "%-10s %-50s",$v->get_name(),$v->get_data(); + ::rptMsg($str); + } + ::rptMsg(""); + } + else { + ::rptMsg("Cpls key has no values."); + } + } + else { + ::rptMsg("Cpls key not found."); + } + +# don't load section +# The 'don't load' key prevents applets from being loaded +# Be sure to 
check the user's don't load key, as well + if (my $cpl = $key->get_subkey("don't load")) { + my @vals = $cpl->get_list_of_values(); + if (scalar @vals > 0) { + ::rptMsg("don't load key"); + foreach my $v (@vals) { + ::rptMsg($v->get_name()); + } + ::rptMsg(""); + } + else { + ::rptMsg("don't load key has no values."); + } + } + else { + ::rptMsg("don't load key not found."); + } + +# Extended Properties section + if (my $ext = $key->get_subkey("Extended Properties")) { + my @sk = $ext->get_list_of_subkeys(); + if (scalar @sk > 0) { + foreach my $s (@sk) { + my @vals = $s->get_list_of_values(); + if (scalar @vals > 0) { + ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp)." UTC]"); + +# Ref: http://support.microsoft.com/kb/292463 + my %cat = (0x00000000 => "Other Control Panel Options", + 0x00000001 => "Appearance and Themes", + 0x00000002 => "Printers and Other Hardware", + 0x00000003 => "Network and Internet Connections", + 0x00000004 => "Sounds, Speech, and Audio Devices", + 0x00000005 => "Performance and Maintenance", + 0x00000006 => "Date, Time, Language, and Regional Options", + 0x00000007 => "Accessibility Options", + 0xFFFFFFFF => "No Category"); + my %prop; + foreach my $v (@vals) { + push(@{$prop{$v->get_data()}},$v->get_name()); + } + + foreach my $t (sort {$a <=> $b} keys %prop) { + (exists $cat{$t}) ? (::rptMsg($cat{$t})) : (::rptMsg("Category ".$t)); + foreach my $i (@{$prop{$t}}) { + ::rptMsg(" ".$i); + } + ::rptMsg(""); + } + } + } + ::rptMsg(""); + } + else { + ::rptMsg("Extended Properties key has no subkeys."); + } + } + else { + ::rptMsg("Extended Properties key not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/ddm.pl b/RecentActivity/release/rr-full/plugins/ddm.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/ddm.pl rename to RecentActivity/release/rr-full/plugins/ddm.pl index e66fb2697f..b40071b9de 
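Review bot: The `%cat` lookup table is rebuilt inside the innermost foreach for every Extended Properties subkey that has values, even though it is constant; hoist it to file scope next to `%config` (as crashcontrol does with its `%dumpenabled` table) so the loop body is only the %prop grouping and output. `my %comp;` at file scope is never referenced anywhere in this file and can be removed. `sort {$a <=> $b} keys %prop` assumes every value's data under those subkeys is numeric; a non-DWORD value there would presumably produce a non-numeric key and a warning, so that is worth confirming against the key's documented layout.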
--- a/thirdparty/rr/plugins/ddm.pl +++ b/RecentActivity/release/rr-full/plugins/ddm.pl 
@@ -1,82 +1,84 @@ -#----------------------------------------------------------- -# ddm.pl -# -# History: -# 20081129 - created -# -# Note - Not really sure what this is for or could be used for, other -# than to show devices that had been connected to the system -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package ddm; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081129); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get DDM data from Control Subkey"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ddm v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - - my $key_path = $ccs."\\Control\\DDM"; - my $key; - my %dev; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $tag = (split(/\./,$name,2))[1]; - $dev{$tag}{timestamp} = $s->get_timestamp(); - eval { - $dev{$tag}{make} = $s->get_value("MakeName")->get_data(); - $dev{$tag}{model} = $s->get_value("ModelName")->get_data(); - }; - } - foreach my $d (sort keys %dev) { - ::rptMsg(gmtime($dev{$d}{timestamp})."Z Device\.".$d." ".$dev{$d}{make}." ".$dev{$d}{model}); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); -# ::logMsg($key_path." 
not found."); - } - } - else { - ::logMsg("Current value not found."); - } -} +#----------------------------------------------------------- +# ddm.pl +# +# History: +# 20081129 - created +# +# Note - Not really sure what this is for or could be used for, other +# than to show devices that had been connected to the system +# +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package ddm; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20081129); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get DDM data from Control Subkey"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching ddm v.".$VERSION); + ::rptMsg("ddm v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + + my $key_path = $ccs."\\Control\\DDM"; + my $key; + my %dev; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar (@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + my $tag = (split(/\./,$name,2))[1]; + $dev{$tag}{timestamp} = $s->get_timestamp(); + eval { + $dev{$tag}{make} = $s->get_value("MakeName")->get_data(); + $dev{$tag}{model} = $s->get_value("ModelName")->get_data(); + }; + } + foreach my $d (sort keys %dev) { + ::rptMsg(gmtime($dev{$d}{timestamp})."Z Device\.".$d." ".$dev{$d}{make}." 
".$dev{$d}{model}); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); +# ::logMsg($key_path." not found."); + } + } + else { + ::logMsg("Current value not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/decaf.pl b/RecentActivity/release/rr-full/plugins/decaf.pl new file mode 100755 index 0000000000..c39cb86d27 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/decaf.pl 
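Review bot: `$current = $key->get_value("Current")->get_data();` in pluginmain dereferences the return of get_value without checking it, so a Select key that exists but lacks a `Current` value makes the plugin die with a method call on undef; the surrounding `else` only covers the case where the Select key itself is missing. Fetch the value first, `my $cur = $key->get_value("Current");`, then `unless ($cur) { ::logMsg("Current value not found."); return; }` before `$current = $cur->get_data();`, so both conditions are reported the same way. The identical unguarded lookup appears on the new side of devclass.pl, diag_sr.pl and disablelastaccess.pl in this diff.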
@@ -0,0 +1,96 @@ +#----------------------------------------------------------- +# decaf.pl +# Extracts the AcceptedEULA value for DECAF +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# Detect and Eliminate Computer Acquired Forensics +# http://en.wikipedia.org/wiki/DECAF +# +# Copyright (c) 2011-02-10 Brendan Coles +#----------------------------------------------------------- +# Require # +package decaf; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110210); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extracts the EULA value for DECAF."; +} +sub getRefs { + my %refs = ("Detect and Eliminate Computer Acquired Forensics:" => + "http://en.wikipedia.org/wiki/DECAF"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + + # Initialize # + ::logMsg("Launching decaf v.".$VERSION); + ::rptMsg("decaf v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\DECAFme"; + + # If # DECAF path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("DECAF"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + # Extract # all keys from DECAF registry path # + my %keys; + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for DECAF registry path # + foreach my $v (@vals) { + ::rptMsg($v->get_name()." -> ".$v->get_data()); + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # DECAF isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/thirdparty/rr/plugins/defbrowser.pl b/RecentActivity/release/rr-full/plugins/defbrowser.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/defbrowser.pl rename to RecentActivity/release/rr-full/plugins/defbrowser.pl index ae7055aba1..17fbc543d0 --- a/thirdparty/rr/plugins/defbrowser.pl +++ b/RecentActivity/release/rr-full/plugins/defbrowser.pl 
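Review bot: `::rptMsg($v->get_name()." -> ".$v->get_data());` in pluginmain writes the raw value data into the report regardless of the value's type, so a REG_BINARY or REG_DWORD value under Software\DECAFme is emitted as raw bytes or a bare number with nothing indicating its type. Parse::Win32Registry's `get_data_as_string()` renders each value type readably, so `::rptMsg($v->get_name()." -> ".$v->get_data_as_string());` is the safer call. `my %keys;` a few lines above is declared and never used and can be dropped. dependency_walker.pl and dfrg.pl in this diff print value data the same raw way.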
@@ -1,78 +1,80 @@ -#----------------------------------------------------------- -# defbrowser.pl -# Get default browser information - check #1 can apply to HKLM -# as well as to HKCU -# -# Change History: -# 20091116 - Added Check #1 -# 20081105 - created -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package defbrowser; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets default browser setting from HKLM"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching defbrowser v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Clients\\StartMenuInternet"; - if (my $key = $root_key->get_subkey($key_path)) { - ::rptMsg("Default Browser Check #1"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $browser = $key->get_value("")->get_data(); - ::rptMsg("Default Browser : ".$browser); - } - else { - ::rptMsg($key_path." not found."); - } - - ::rptMsg(""); - - my $key_path = "Classes\\HTTP\\shell\\open\\command"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Default Browser Check #2"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $browser; - eval { - $browser = $key->get_value("")->get_data(); - }; - if ($@) { - ::rptMsg("Error locating default browser setting."); - } - else { - ::rptMsg("Default Browser = ".$browser); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# defbrowser.pl +# Get default browser information - check #1 can apply to HKLM +# as well as to HKCU +# +# Change History: +# 20091116 - Added Check #1 +# 20081105 - created +# +# copyright 2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package defbrowser; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20091116); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets default browser setting from HKLM"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching defbrowser v.".$VERSION); + ::rptMsg("defbrowser v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Clients\\StartMenuInternet"; + if (my $key = $root_key->get_subkey($key_path)) { + ::rptMsg("Default Browser Check #1"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my $browser = $key->get_value("")->get_data(); + ::rptMsg("Default Browser : ".$browser); + } + else { + ::rptMsg($key_path." not found."); + } + + ::rptMsg(""); + + my $key_path = "Classes\\HTTP\\shell\\open\\command"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Default Browser Check #2"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + my $browser; + eval { + $browser = $key->get_value("")->get_data(); + }; + if ($@) { + ::rptMsg("Error locating default browser setting."); + } + else { + ::rptMsg("Default Browser = ".$browser); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/dependency_walker.pl b/RecentActivity/release/rr-full/plugins/dependency_walker.pl new file mode 100755 index 0000000000..e636e43209 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/dependency_walker.pl 
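Review bot: Check #1 in pluginmain calls `$key->get_value("")->get_data()` directly, while Check #2 wraps the identical lookup in `eval` and reports "Error locating default browser setting."; if Clients\StartMenuInternet has no default value, Check #1 dies and Check #2 never runs. Guard it the same way: `my $browser; eval { $browser = $key->get_value("")->get_data(); };` followed by `if ($@) { ::rptMsg("Error locating default browser setting."); } else { ::rptMsg("Default Browser : ".$browser); }`. The getShortDescr text "Gets default browser setting from HKLM" also disagrees with the header comment that Check #1 applies to HKCU as well; the description should say which hives the plugin is meant for.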
@@ -0,0 +1,95 @@ +#----------------------------------------------------------- +# dependency_walker.pl +# Extracts Recent File List for Dependency Walker. +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# Dependency Walker Homepage +# http://www.dependencywalker.com/ +# +# Copyright (c) 2011-02-04 Brendan Coles +#----------------------------------------------------------- +# Require # +package dependency_walker; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110204); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extracts Recent File List for Dependency Walker."; +} +sub getRefs { + my %refs = ("Dependency Walker Homepage:" => + "http://www.dependencywalker.com/"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + + # Initialize # + ::logMsg("Launching dependency_walker v.".$VERSION); + ::rptMsg("dependency_walker v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\Microsoft\\Dependency Walker\\Recent File List"; + + # If # Dependency Walker path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("Dependency Walker"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + # Extract # all keys from Dependency Walker registry path # + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for Dependency Walker registry path # + foreach my $v (@vals) { + ::rptMsg($v->get_name()." -> ".$v->get_data()); + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # Dependency Walker isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/thirdparty/rr/plugins/devclass.pl b/RecentActivity/release/rr-full/plugins/devclass.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/devclass.pl rename to RecentActivity/release/rr-full/plugins/devclass.pl index b6a57fff2f..a4e5a55f5b --- a/thirdparty/rr/plugins/devclass.pl +++ b/RecentActivity/release/rr-full/plugins/devclass.pl 
@@ -1,125 +1,127 @@ -#----------------------------------------------------------- -# devclass -# Get USB device info from the DeviceClasses keys in the System -# hive (Disks and Volumes GUIDs) -# -# Change History: -# 20100901 - spelling error in output corrected -# 20080331 - created -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package devclass; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100901); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USB device info from the DeviceClasses keys in the System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching devclass v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::logMsg("Could not find ".$key_path); - return - } -# Get devices from the Disk GUID - my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("DevClasses - Disks"); - ::rptMsg($key_path); - ::rptMsg(""); - my %disks; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next unless (grep(/USBSTOR/,$name)); - my $lastwrite = $s->get_timestamp(); - my ($dev, $serial) = (split(/#/,$name))[4,5]; - push(@{$disks{$lastwrite}},$dev.",".$serial); - } - - foreach my $t (reverse sort {$a <=> $b} keys %disks) { - 
::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$disks{$t}}) { - ::rptMsg("\t$item"); - } - } - - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - ::rptMsg(""); -# Get devices from the Volume GUID - my $key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("DevClasses - Volumes"); - ::rptMsg($key_path); - ::rptMsg(""); - my %vols; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next unless (grep(/RemovableMedia/,$name)); - my $lastwrite = $s->get_timestamp(); - my $ppi = (split(/#/,$name))[5]; - push(@{$vols{$lastwrite}},$ppi); - } - - foreach my $t (reverse sort {$a <=> $b} keys %vols) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$vols{$t}}) { - ::rptMsg("\tParentIdPrefix: ".$item); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# devclass +# Get USB device info from the DeviceClasses keys in the System +# hive (Disks and Volumes GUIDs) +# +# Change History: +# 20100901 - spelling error in output corrected +# 20080331 - created +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package devclass; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100901); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get USB device info from the DeviceClasses keys in the System hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching devclass v.".$VERSION); + ::rptMsg("devclass v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::logMsg("Could not find ".$key_path); + return + } +# Get devices from the Disk GUID + my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("DevClasses - Disks"); + ::rptMsg($key_path); + ::rptMsg(""); + my %disks; + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + next unless (grep(/USBSTOR/,$name)); + my $lastwrite = $s->get_timestamp(); + my ($dev, $serial) = (split(/#/,$name))[4,5]; + 
push(@{$disks{$lastwrite}},$dev.",".$serial); + } + + foreach my $t (reverse sort {$a <=> $b} keys %disks) { + ::rptMsg(gmtime($t)." (UTC)"); + foreach my $item (@{$disks{$t}}) { + ::rptMsg("\t$item"); + } + } + + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + ::rptMsg(""); +# Get devices from the Volume GUID + my $key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("DevClasses - Volumes"); + ::rptMsg($key_path); + ::rptMsg(""); + my %vols; + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + next unless (grep(/RemovableMedia/,$name)); + my $lastwrite = $s->get_timestamp(); + my $ppi = (split(/#/,$name))[5]; + push(@{$vols{$lastwrite}},$ppi); + } + + foreach my $t (reverse sort {$a <=> $b} keys %vols) { + ::rptMsg(gmtime($t)." (UTC)"); + foreach my $item (@{$vols{$t}}) { + ::rptMsg("\tParentIdPrefix: ".$item); + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/dfrg.pl b/RecentActivity/release/rr-full/plugins/dfrg.pl old mode 100644 new mode 100755 similarity index 89% rename from thirdparty/rr/plugins/dfrg.pl rename to RecentActivity/release/rr-full/plugins/dfrg.pl index 29ac3b80ec..e544e11a66 --- a/thirdparty/rr/plugins/dfrg.pl +++ b/RecentActivity/release/rr-full/plugins/dfrg.pl 
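Review bot: `next unless (grep(/USBSTOR/,$name));` in the Disks loop and `next unless (grep(/RemovableMedia/,$name));` in the Volumes loop use grep on a single scalar where a plain match is the idiomatic form, `next unless ($name =~ /USBSTOR/);`. The index picks `(split(/#/,$name))[4,5]` and `(split(/#/,$name))[5]` also deserve a comment stating the assumed layout of the DeviceClasses subkey name; as far as I can tell it is `##?#USBSTOR#<device>#<serial>#{GUID}`, which places the device string at field 4 and the serial at field 5, but that should be confirmed against a sample key and written down so the magic indices can be checked by the next reader.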
@@ -1,63 +1,65 @@ -#----------------------------------------------------------- -# dfrg.pl -# Gets contents of Dfrg\BootOptimizeFunction key -# -# Change history: -# 20110321 - created -# -# References -# http://technet.microsoft.com/en-us/library/cc784391%28WS.10%29.aspx -# -# copyright 2011 Quantum Analytics Research, LLC (keydet89@yahoo.com) -#----------------------------------------------------------- -package dfrg; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20110321); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets content of Dfrg BootOptim. key"; -} -sub getDescr{} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching dfrg v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Dfrg\\BootOptimizeFunction"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Dfrg"); - ::rptMsg($key_path); - ::rptMsg(""); - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(sprintf "%-20s %-20s",$v->get_name(),$v->get_data()); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# dfrg.pl +# Gets contents of Dfrg\BootOptimizeFunction key +# +# Change history: +# 20110321 - created +# +# References +# http://technet.microsoft.com/en-us/library/cc784391%28WS.10%29.aspx +# +# copyright 2011 Quantum Analytics Research, LLC (keydet89@yahoo.com) +#----------------------------------------------------------- +package dfrg; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20110321); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets content of Dfrg BootOptim. key"; +} +sub getDescr{} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching dfrg v.".$VERSION); + ::rptMsg("dfrg v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Dfrg\\BootOptimizeFunction"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Dfrg"); + ::rptMsg($key_path); + ::rptMsg(""); + + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + ::rptMsg(sprintf "%-20s %-20s",$v->get_name(),$v->get_data()); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/diag_sr.pl b/RecentActivity/release/rr-full/plugins/diag_sr.pl new file mode 100755 index 0000000000..8fbd7f5565 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/diag_sr.pl 
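Review bot: The header comment lists a TechNet reference for BootOptimizeFunction, but `%config` has `hasRefs => 0` and the plugin defines no `getRefs` sub, unlike ddm.pl, defbrowser.pl and devclass.pl in this diff which at least provide an empty `sub getRefs {}`. Exposing the URL via `sub getRefs { return ("BootOptimizeFunction" => "http://technet.microsoft.com/en-us/library/cc784391%28WS.10%29.aspx"); }` with `hasRefs => 1` would make the reference available to the framework; failing that, an empty `sub getRefs {}` keeps the plugin interface consistent with the others.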
@@ -0,0 +1,81 @@ +#----------------------------------------------------------- +# diag_sr.pl +# +# History: +# 20120515: created +# +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey +#----------------------------------------------------------- +package diag_sr; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120515); + +sub getConfig{return %config} +sub getShortDescr { + return "Get Diag\\SystemRestore values and data"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching diag_sr v.".$VERSION); + ::rptMsg("diag_sr v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my ($current,$ccs); + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + my $volsnap_path = $ccs."\\Services\\VSS\\Diag\\SystemRestore"; + my $volsnap; + if ($volsnap = $root_key->get_subkey($volsnap_path)) { + my @vals = $volsnap->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + my $t = gmtime(parseData($v->get_data())); + + ::rptMsg(sprintf "%-25s %-50s",$t,$name); + + } + } + else { + ::rptMsg($volsnap_path." has no values."); + } + } + else { + ::rptMsg($volsnap_path." not found."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} + +sub parseData { + my $data = shift; + my ($t0,$t1) = unpack("VV",substr($data,0x08,8)); + return ::getTime($t0,$t1); +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/direct.pl b/RecentActivity/release/rr-full/plugins/direct.pl new file mode 100755 index 0000000000..3cd1b8d18e --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/direct.pl 
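Review bot: `parseData` unpacks 8 bytes at offset 0x08 of the value data without checking that the data is that long, so a short or malformed value yields undef for `$t0`/`$t1`, and `::getTime` then produces an epoch (1970) timestamp that pluginmain prints as if it were genuine. Add a length guard, `return undef unless (length($data) >= 0x10);`, and have the caller skip or flag values for which parseData returns undef instead of passing them to gmtime. A silently defaulted timestamp in a forensic report is hard to spot after the fact, so failing loudly here is preferable.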
@@ -0,0 +1,75 @@ +#----------------------------------------------------------- +# direct.pl +# This plugin runs through the Direct* subkeys beneath the Microsoft key +# in the Software hive (as well as the Wow6432Node key, if it exists) and +# looks to see if there is a MostRecentApplication subkey; if there is, it +# then tries to retrieve the "Name" value/data +# +# History: +# 20120513 - created +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package direct; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20120513); + +sub getConfig{return %config} +sub getShortDescr { + return "Searches Direct* keys for MostRecentApplication subkeys"; +} +sub getDescr{} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my @keys = ('Microsoft','Wow6432Node\\Microsoft'); + + ::rptMsg("Launching direct v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + foreach my $key_path (@keys) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); +# ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + next unless ($s->get_name() =~ m/^Direct/); + my $name = $s->get_name(); + + eval { + my $app; + $app = $s->get_subkey("MostRecentApplication"); + my $app_lw = gmtime($app->get_timestamp()); + my $app_name = $app->get_value("Name")->get_data(); + ::rptMsg(sprintf "%-25s %-50s",$app_lw,$s->get_name()."\\".$app->get_name()." - ".$app_name); + + }; + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." 
not found."); + } + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/direct_tln.pl b/RecentActivity/release/rr-full/plugins/direct_tln.pl new file mode 100755 index 0000000000..2564a7f7cd --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/direct_tln.pl 
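Review bot: `%config` sets `hasRefs => 1` but the plugin defines no `getRefs` sub, so a caller that honours the flag would hit an undefined subroutine; either add `sub getRefs {}` as ddm.pl and defbrowser.pl do, or set `hasRefs => 0`. `::rptMsg("Launching direct v.".$VERSION);` also sends the launch line to the report rather than the log, whereas the other plugins in this diff use `::logMsg` for it followed by the two banner `::rptMsg` lines. `my $name = $s->get_name();` inside the subkey loop is assigned and never used. direct_tln.pl has the same `hasRefs`/`getRefs` mismatch.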
@@ -0,0 +1,75 @@ +#----------------------------------------------------------- +# direct_tln.pl +# This plugin runs through the Direct* subkeys beneath the Microsoft key +# in the Software hive (as well as the Wow6432Node key, if it exists) and +# looks to see if there is a MostRecentApplication subkey; if there is, it +# then tries to retrieve the "Name" value/data +# +# History: +# 20120608 - created +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package direct_tln; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20120608); + +sub getConfig{return %config} +sub getShortDescr { + return "Searches Direct* keys for MostRecentApplication subkeys (TLN)"; +} +sub getDescr{} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my @keys = ('Microsoft','Wow6432Node\\Microsoft'); + + ::rptMsg("Launching direct v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + foreach my $key_path (@keys) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); +# ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + next unless ($s->get_name() =~ m/^Direct/); + my $name = $s->get_name(); + + eval { + my $app; + $app = $s->get_subkey("MostRecentApplication"); + my $app_lw = $app->get_timestamp(); + my $app_name = $app->get_value("Name")->get_data(); +# ::rptMsg(sprintf "%-25s %-50s",$app_lw,$s->get_name()."\\".$app->get_name()." - ".$app_name); + ::rptMsg($app_lw."|REG|||[Program Execution] ".$key_path."\\".$s->get_name()."\\".$app->get_name()." 
- ".$app_name); + }; + } + } + else { +# ::rptMsg($key_path." has no subkeys."); + } +# ::rptMsg(""); + } + else { +# ::rptMsg($key_path." not found."); + } + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/disablelastaccess.pl b/RecentActivity/release/rr-full/plugins/disablelastaccess.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/disablelastaccess.pl rename to RecentActivity/release/rr-full/plugins/disablelastaccess.pl index e064521726..82c2093a7f --- a/thirdparty/rr/plugins/disablelastaccess.pl +++ b/RecentActivity/release/rr-full/plugins/disablelastaccess.pl 
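Review bot: `::rptMsg("Launching direct v.".$VERSION);` in pluginmain writes a free-text line into the report of a TLN plugin whose only other output is the pipe-delimited `time|REG|||description` record, and it names the plugin "direct" rather than "direct_tln"; if the TLN output is fed to a timeline parser this line is a malformed record. Use `::logMsg("Launching direct_tln v.".$VERSION);` instead, which is where the other plugins in this diff send their launch message. `my $name = $s->get_name();` in the loop is assigned and never used.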
@@ -1,73 +1,75 @@ -#----------------------------------------------------------- -# disablelastaccess.pl -# -# References: -# http://support.microsoft.com/kb/555041 -# http://support.microsoft.com/kb/894372 -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package disablelastaccess; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090118); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get NTFSDisableLastAccessUpdate value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching disablelastaccess v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - my $ccs; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - - my $key_path = $ccs."\\Control\\FileSystem"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("NtfsDisableLastAccessUpdate"); - ::rptMsg($key_path); - my @vals = $key->get_list_of_values(); - my $found = 0; - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - if ($v->get_name() eq "NtfsDisableLastAccessUpdate") { - ::rptMsg("NtfsDisableLastAccessUpdate = ".$v->get_data()); - $found = 1; - } - } - ::rptMsg("NtfsDisableLastAccessUpdate value not found.") if ($found == 0); - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# disablelastaccess.pl +# +# References: +# http://support.microsoft.com/kb/555041 +# http://support.microsoft.com/kb/894372 +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package disablelastaccess; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090118); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get NTFSDisableLastAccessUpdate value"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching disablelastaccess v.".$VERSION); + ::rptMsg("disablelastaccess v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + my $ccs; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + + my $key_path = $ccs."\\Control\\FileSystem"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("NtfsDisableLastAccessUpdate"); + ::rptMsg($key_path); + my @vals = $key->get_list_of_values(); + my $found = 0; + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + if ($v->get_name() eq "NtfsDisableLastAccessUpdate") { + ::rptMsg("NtfsDisableLastAccessUpdate = ".$v->get_data()); + $found = 1; + } + } + ::rptMsg("NtfsDisableLastAccessUpdate value not found.") if ($found == 0); + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file 
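Review bot: `$ccs` is left undefined when the `Select` key is missing, so `$key_path` becomes `\Control\FileSystem` and the report's "not found" message names a path that was never the intended target; `$key->get_value("Current")->get_data()` will also die outright if `Current` is absent, since it is not wrapped in `eval`. A guard after the Select lookup, `unless (defined $ccs) { ::rptMsg("Select\\Current not found; cannot resolve CurrentControlSet."); return; }`, keeps the report honest. dllsearch.pl reads `Current` the same unguarded way, and dnschanger.pl wraps the read in `eval` but then builds its path from `$current` without checking it. The repeated `my $key_path` and `my $key` declarations in the same scope would also warn under `use warnings`.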
diff --git a/RecentActivity/release/rr-full/plugins/disablesr.pl b/RecentActivity/release/rr-full/plugins/disablesr.pl new file mode 100755 index 0000000000..788fd89acb --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/disablesr.pl 
@@ -0,0 +1,71 @@
+#-----------------------------------------------------------
+# disablesr.pl
+# Gets the value that turns System Restore either on or off
+#
+# Change History
+# 20120914
+#
+# References
+# Registry Keys and Values for the System Restore Utility http://support.microsoft.com/kb/295659
+#
+# copyright 2012 Corey Harrell (Journey Into Incident Response)
+#-----------------------------------------------------------
+package disablesr;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20120914);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets the value that turns System Restore either on or off";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching disablesr v.".$VERSION);
+ ::rptMsg("disablesr v.".$VERSION);
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n");
+
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\SystemRestore";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my $disable;
+ eval {
+ $disable = $key->get_value("DisableSR")->get_data();
+ };
+ if ($@) {
+ ::rptMsg("DisableSR value not found.");
+ }
+ else {
+ ::rptMsg("DisableSR = ".$disable);
+ ::rptMsg("");
+ ::rptMsg("1 means System Restore is turned off");
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+
+}
+1;
\ No newline at end of file
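Review bot: The `if ($@)` branch reports every failure of the `eval` as `DisableSR value not found.`, which also covers a malformed value or a parse error; logging the error text, `::logMsg("DisableSR: ".$@);`, keeps those cases distinguishable from a genuinely absent value. The plugin reads only the SystemRestore key under `Microsoft\Windows NT\CurrentVersion`; as far as I know the same setting can be enforced by Group Policy under `Policies\Microsoft\Windows NT\SystemRestore` in the Software hive, so a "not found" here does not by itself mean System Restore was on — a header note or a second lookup would help an examiner avoid that conclusion.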
diff --git a/thirdparty/rr/plugins/dllsearch.pl b/RecentActivity/release/rr-full/plugins/dllsearch.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/dllsearch.pl rename to RecentActivity/release/rr-full/plugins/dllsearch.pl index 767042a8ec..0a7745a52d --- a/thirdparty/rr/plugins/dllsearch.pl +++ b/RecentActivity/release/rr-full/plugins/dllsearch.pl 
@@ -1,69 +1,71 @@ -#----------------------------------------------------------- -# dllsearch.pl -# -# References: -# http://support.microsoft.com/kb/2264107 -# -# Change History: -# 20100824: created -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package dllsearch; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100824); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get crash control information"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching dllsearch v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - - my $cc_path = "ControlSet00".$current."\\Control\\Session Manager"; - my $cc; - if ($cc = $root_key->get_subkey($cc_path)) { - ::rptMsg("dllsearch v.".$VERSION); - ::rptMsg(""); - my $found = 1; - eval { - my $cde = $cc->get_value("CWDIllegalInDllSearch")->get_data(); - $found = 0; - ::rptMsg(sprintf "CWDIllegalInDllSearch = 0x%x",$cde); - }; - ::rptMsg("CWDIllegalInDllSearch value not found.") if ($found); - } - else { - ::rptMsg($cc_path." not found."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} -1; +#----------------------------------------------------------- +# dllsearch.pl +# +# References: +# http://support.microsoft.com/kb/2264107 +# +# Change History: +# 20100824: created +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package dllsearch; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100824); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get crash control information"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching dllsearch v.".$VERSION); + ::rptMsg("dllsearch v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + + my $cc_path = "ControlSet00".$current."\\Control\\Session Manager"; + my $cc; + if ($cc = $root_key->get_subkey($cc_path)) { + ::rptMsg("dllsearch v.".$VERSION); + ::rptMsg(""); + my $found = 1; + eval { + my $cde = $cc->get_value("CWDIllegalInDllSearch")->get_data(); + $found = 0; + ::rptMsg(sprintf "CWDIllegalInDllSearch = 0x%x",$cde); + }; + ::rptMsg("CWDIllegalInDllSearch value not found.") if ($found); + } + else { + ::rptMsg($cc_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} +1; diff --git a/RecentActivity/release/rr-full/plugins/dnschanger.pl b/RecentActivity/release/rr-full/plugins/dnschanger.pl new file mode 100755 index 0000000000..0f05b4ffa5 --- /dev/null 
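Review bot: The new banner line `::rptMsg("(".getHive().") ".getShortDescr()."\n")` now prints the short description at the top of every report, and that text, `Get crash control information`, was evidently copied from another plugin and does not describe this one; `return "Get CWDIllegalInDllSearch value";` makes the banner accurate. With the banner in place, the pre-existing `::rptMsg("dllsearch v.".$VERSION);` inside the `if ($cc = ...)` branch prints the version a second time and can be dropped.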
+++ b/RecentActivity/release/rr-full/plugins/dnschanger.pl 
@@ -0,0 +1,94 @@ +#----------------------------------------------------------- +# dnschanger.pl +# DNSChanger malware modifies the NameServer and/or DhcpNameServer values +# within the Registry for the interfaces. +# +# Change history +# 20120203 - created +# +# Need to add grep() for ranges: +# start range end range +# 85.255.112.0 85.255.127.255 +# 67.210.0.0 67.210.15.255 +# 93.188.160.0 93.188.167.255 +# 77.67.83.0 77.67.83.255 +# 213.109.64.0 213.109.79.255 +# 64.28.176.0 64.28.191.255 +# +# Note: these may not be the only ranges used. The best use of the +# plugin is to know what your ranges are, and eyeball the output of +# the plugin. +# +# References +# https://twitter.com/#!/saved-search/%23DFIR +# +# copyright 2012 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package dnschanger; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120203); + +sub getConfig{return %config} +sub getShortDescr { + return "Check for indication of DNSChanger infection."; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %nics; + my $ccs; + ::logMsg("Launching dnschanger v.".$VERSION); + ::rptMsg("dnschanger v.".$VERSION); + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + eval { + $current = $root_key->get_subkey("Select")->get_value("Current")->get_data(); + }; + my @nics; + my $key_path = "ControlSet00".$current."\\Services\\Tcpip\\Parameters\\Interfaces"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my 
@guids = $key->get_list_of_subkeys(); + if (scalar @guids > 0) { + foreach my $g (@guids) { + ::rptMsg("Adapter: ".$g->get_name()); + ::rptMsg("LastWrite Time: ".gmtime($g->get_timestamp())." Z"); + eval { + my @vals = $g->get_list_of_values(); + foreach my $v (@vals) { + my $name = $v->get_name(); + next unless ($name =~ m/NameServer$/); + my $data = $v->get_data(); + ::rptMsg(sprintf " %-28s %-20s",$name,$data); + } + ::rptMsg(""); + }; + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/domains.pl b/RecentActivity/release/rr-full/plugins/domains.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/domains.pl rename to RecentActivity/release/rr-full/plugins/domains.pl index 633ad87cfd..98b6284afb --- a/thirdparty/rr/plugins/domains.pl +++ b/RecentActivity/release/rr-full/plugins/domains.pl 
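Review bot: `%nics`, `@nics` and `$ccs` are declared in pluginmain and never used; under `use warnings` they would be reported, and they suggest state the function does not have — drop the three `my` lines. The header lists DNSChanger resolver ranges, but the code only prints every `*NameServer` value and performs no matching, so the `Need to add grep() for ranges` note should stay prominent until that check exists; otherwise a reader may assume the plugin flags hits. The `eval` around the value loop also swallows any error silently, so a malformed interface key produces no output at all rather than an error line; `::logMsg($g->get_name().": ".$@) if ($@);` after the `eval` would surface it.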
@@ -1,74 +1,76 @@ -#----------------------------------------------------------- -# domains.pl -# -# -# Change history -# 20100116 - Created -# -# References -# http://support.microsoft.com/kb/919748 -# http://support.microsoft.com/kb/922704 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package domains; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100116); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents Internet Settings\\ZoneMap\\Domains key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching domains v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"; - my $key; - if ($key = $root_key->get_subkey($key_path."\\Domains")) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]"); - - my @vals = $s->get_list_of_values(); - if (scalar @vals > 0) { - foreach my $v (@vals) { - ::rptMsg(" ".$v->get_name()." -> ".$v->get_data); - } - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# domains.pl +# +# +# Change history +# 20100116 - Created +# +# References +# http://support.microsoft.com/kb/919748 +# http://support.microsoft.com/kb/922704 +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package domains; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100116); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents Internet Settings\\ZoneMap\\Domains key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching domains v.".$VERSION); + ::rptMsg("domains v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"; + my $key; + if ($key = $root_key->get_subkey($key_path."\\Domains")) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]"); + + my @vals = $s->get_list_of_values(); + if (scalar @vals > 0) { + foreach my $v (@vals) { + ::rptMsg(" ".$v->get_name()." -> ".$v->get_data); + } + } + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr-full/plugins/drivers32.pl b/RecentActivity/release/rr-full/plugins/drivers32.pl new file mode 100755 index 0000000000..3ec349bd66 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/drivers32.pl 
@@ -0,0 +1,96 @@ +#----------------------------------------------------------- +# drivers32 +# Get values from Drivers32 key +# +# History +# 20130408 - created by copying then modifying the soft_run plug-in +# +# References +# Location of Windows NT Multimedia Drivers in the Registry +# http://support.microsoft.com/kb/126054 +# +# copyright 2013 Corey Harrell (jIIr) +#----------------------------------------------------------- +package drivers32; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20130408); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get values from the Drivers32 key"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Location of Windows NT Multimedia Drivers in the Registry" => + "http://support.microsoft.com/kb/126054"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching drivers32 v.".$VERSION); + ::rptMsg("drivers32 v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my @paths = ("Microsoft\\Windows NT\\CurrentVersion\\Drivers32", + "Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32", + ); + + foreach my $key_path (@paths) { + + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + my %vals = getKeyValues($key); + if (scalar(keys %vals) > 0) { + foreach my $v (keys %vals) { + ::rptMsg(" ".$v." - ".$vals{$v}); + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no values."); + } + + } + else { + ::rptMsg($key_path." 
not found."); + ::rptMsg(""); + } + } +} + +sub getKeyValues { + my $key = shift; + my %vals; + + my @vk = $key->get_list_of_values(); + if (scalar(@vk) > 0) { + foreach my $v (@vk) { + next if ($v->get_name() eq "" && $v->get_data() eq ""); + $vals{$v->get_name()} = $v->get_data(); + } + } + else { + + } + return %vals; +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/drwatson.pl b/RecentActivity/release/rr-full/plugins/drwatson.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/drwatson.pl rename to RecentActivity/release/rr-full/plugins/drwatson.pl index 0360c33fb3..22af6e5813 --- a/thirdparty/rr/plugins/drwatson.pl +++ b/RecentActivity/release/rr-full/plugins/drwatson.pl 
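Review bot: `foreach my $v (keys %vals)` iterates a Perl hash in unspecified order, so two runs over the same hive can list the Drivers32 values differently, which defeats diffing reports; `foreach my $v (sort keys %vals) {` gives stable output. In `getKeyValues` the empty `else { }` after the value-count check is dead code and should be removed, and the `next if` that drops a value whose name and data are both empty deserves a one-line comment saying it skips the unset default value. Since the key names DLLs loaded as multimedia drivers (per the referenced KB article), a short header note that entries outside the expected system locations merit a closer look would help the examiner reading this report.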
@@ -1,77 +1,79 @@ -#----------------------------------------------------------- -# drwatson.pl -# Author: Don C. Weber -# Plugin for Registry Ripper; Access Software hive file to get the -# Dr. Watson settings from Software hive -# -# Change history -# -# -# References -# Dr Watson: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html -# -# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security -#----------------------------------------------------------- -package drwatson; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081219); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Dr. Watson settings from Software hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching drwatson v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AeDebug"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ($key->get_value('Auto') == 0x0) ? ::rptMsg("Debugging is Disabled") : ::rptMsg("Debugging is Enabled"); - eval { - ::rptMsg("Debugger: ".$key->get_value('Debugger')->get_data()); - }; - - } else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - - ::rptMsg(""); - my $key_path = "Microsoft\\DrWatson"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ($key->get_value('LogFilePath')) ? 
::rptMsg("DrWatson LogFile Path location: ".$key->get_value('LogFilePath')->get_data()) : ::rptMsg("DrWatson LogFile Path location: %SystemRoot%\\Documents and Settings\\All Users\\Documents\\DrWatson"); - ($key->get_value('CreateCrashDump') == 0x0) ? ::rptMsg("CreateCrashDump is Disabled") : ::rptMsg("CreateCrashDump is Enabled"); - ($key->get_value('CrashDumpFile')) ? ::rptMsg("Crash Dump Path and Name: ".$key->get_value('CrashDumpFile')->get_data()) : ::rptMsg("CrashDumpFile is not set"); - ($key->get_value('AppendToLogFile') == 0x0) ? ::rptMsg("AppendToLogFile is set to create a new file each time") : ::rptMsg("AppendToLogFile is set to append"); - - } else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - - ::rptMsg(""); - ::rptMsg("Analysis Tips: For Dr. Watson settings information check: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html"); -} - +#----------------------------------------------------------- +# drwatson.pl +# Author: Don C. Weber +# Plugin for Registry Ripper; Access Software hive file to get the +# Dr. Watson settings from Software hive +# +# Change history +# +# +# References +# Dr Watson: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html +# +# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security +#----------------------------------------------------------- +package drwatson; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20081219); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets Dr. 
Watson settings from Software hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching drwatson v.".$VERSION); + ::rptMsg("drwatson v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AeDebug"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ($key->get_value('Auto') == 0x0) ? ::rptMsg("Debugging is Disabled") : ::rptMsg("Debugging is Enabled"); + eval { + ::rptMsg("Debugger: ".$key->get_value('Debugger')->get_data()); + }; + + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + ::rptMsg(""); + my $key_path = "Microsoft\\DrWatson"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ($key->get_value('LogFilePath')) ? ::rptMsg("DrWatson LogFile Path location: ".$key->get_value('LogFilePath')->get_data()) : ::rptMsg("DrWatson LogFile Path location: %SystemRoot%\\Documents and Settings\\All Users\\Documents\\DrWatson"); + ($key->get_value('CreateCrashDump') == 0x0) ? ::rptMsg("CreateCrashDump is Disabled") : ::rptMsg("CreateCrashDump is Enabled"); + ($key->get_value('CrashDumpFile')) ? ::rptMsg("Crash Dump Path and Name: ".$key->get_value('CrashDumpFile')->get_data()) : ::rptMsg("CrashDumpFile is not set"); + ($key->get_value('AppendToLogFile') == 0x0) ? ::rptMsg("AppendToLogFile is set to create a new file each time") : ::rptMsg("AppendToLogFile is set to append"); + + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." 
not found."); + } + + ::rptMsg(""); + ::rptMsg("Analysis Tips: For Dr. Watson settings information check: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html"); +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/emdmgmt.pl b/RecentActivity/release/rr-full/plugins/emdmgmt.pl new file mode 100755 index 0000000000..eab48962e3 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/emdmgmt.pl 
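Review bot: `($key->get_value('Auto') == 0x0)` compares the value object returned by `get_value`, not its data, so the test really asks whether the value exists (undef numifies to 0, a reference numifies to a non-zero address) and the report says "Debugging is Enabled" whenever Auto is present regardless of its content; the `CreateCrashDump` and `AppendToLogFile` ternaries in the second block have the same problem. Read the data and guard absence instead, e.g. `my $auto = eval { $key->get_value('Auto')->get_data() };` followed by `(defined $auto && $auto == 0x0) ? ::rptMsg("Debugging is Disabled") : ::rptMsg("Debugging is Enabled");`, and the same for the other two. This is carried over from the old file, but since the rename rewrites every line it is the right moment to correct it.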
@@ -0,0 +1,96 @@ +#----------------------------------------------------------- +# emdmgmt.pl +# +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package emdmgmt; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20120207); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of EMDMgmt subkeys and values"; +} +sub getDescr{} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching emdmgmt v.".$VERSION); + ::rptMsg("emdmgmt v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\EMDMgmt'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("EMDMgmt"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @sk = $key->get_list_of_subkeys(); + foreach my $s (@sk) { + my $name = $s->get_name(); + if ($name =~ m/^_\?\?_USBSTOR/) { + my ($usb,$sn,$vol) = (split(/#/,$name,4))[1,2,3]; + ::rptMsg($usb); + ::rptMsg(" LastWrite: ".gmtime($s->get_timestamp())." Z"); + ::rptMsg(" SN: ".$sn); + $vol =~ s/{53f56307-b6bf-11d0-94f2-00a0c91efb8b}//; + my ($volname,$vsn) = split(/_/,$vol,2); + $vsn = uc(sprintf "%x",$vsn); + if (length($vsn) >= 8) { + my ($f,$l) = unpack("(A4)*",$vsn); + $vsn = $f."-".$l; + } + ::rptMsg(" Vol Name: ".$volname) if ($volname ne ""); + ::rptMsg(" VSN: ".$vsn); + my $last = $s->get_value_data("LastTestedTime"); + my ($lo,$hi) = unpack("VV",$last); + if ($lo != 0 && $hi != 0) { + ::rptMsg(" LastTestedTime: ".gmtime(::getTime($lo,$hi))." 
Z"); + } + ::rptMsg(""); + } + else { + my @n = split(/_/,$name); + my $t = scalar(@n); + my $volname = $n[$t - 2]; + my $vsn = $n[$t - 1]; + $vsn = uc(sprintf "%x",$vsn); + if (length($vsn) >= 8) { + my ($f,$l) = unpack("(A4)*",$vsn); + $vsn = $f."-".$l; + } + $volname = "Unknown Volume" unless ($volname ne ""); + ::rptMsg($volname); + ::rptMsg(" LastWrite: ".gmtime($s->get_timestamp())." Z"); + ::rptMsg(" VSN: ".$vsn); + + my $last = $s->get_value_data("LastTestedTime"); + my ($lo,$hi) = unpack("VV",$last); + if ($lo != 0 && $hi != 0) { + ::rptMsg(" LastTestedTime: ".gmtime(::getTime($lo,$hi))." Z"); + } + ::rptMsg(""); + } + } + } + else { + ::rptMsg($key_path." not found."); + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/environment.pl b/RecentActivity/release/rr-full/plugins/environment.pl new file mode 100755 index 0000000000..60f97f7a2d --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/environment.pl 
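Review bot: `my $last = $s->get_value_data("LastTestedTime");` followed by `unpack("VV",$last)` never checks that the value exists or is at least 8 bytes, so a subkey without it yields undefined `$lo`/`$hi` and warnings rather than a clear message; wrapping the unpack and the `if ($lo != 0 && $hi != 0)` test in `if (defined $last && length($last) >= 8) { ... }`, in both the USBSTOR branch and the else branch, makes the assumption explicit. The two branches also duplicate the VSN formatting (`sprintf "%x"`, the `unpack("(A4)*",$vsn)` split) and the LastTestedTime handling almost line for line; a small helper sub would keep them in step. `sprintf "%x",$vsn` further assumes the trailing name segment is numeric — a non-numeric segment warns and prints 0, which is hard to tell from a real zero in the report.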
@@ -0,0 +1,89 @@ +#----------------------------------------------------------- +# environment.pl +# Extracts user's Environment paths from NTUSER.DAT +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# Copyright (c) 2011-02-04 Brendan Coles +#----------------------------------------------------------- +# Require # +package environment; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20110204); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getRefs {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extracts user's Environment paths from NTUSER.DAT"; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + + # Initialize # + ::logMsg("Launching environment v.".$VERSION); + ::rptMsg("environment v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Environment"; + + # If # Environment path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("Environment"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + # Extract # all keys from Environment registry path # + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for Environment registry path # + foreach my $v (@vals) { + ::rptMsg($v->get_name()." 
-> ".$v->get_data()); + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # Environment isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/thirdparty/rr/plugins/esent.pl b/RecentActivity/release/rr-full/plugins/esent.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/esent.pl rename to RecentActivity/release/rr-full/plugins/esent.pl index 4ae7cd21b5..0d333ec3dd --- a/thirdparty/rr/plugins/esent.pl +++ b/RecentActivity/release/rr-full/plugins/esent.pl 
@@ -1,78 +1,80 @@ -#----------------------------------------------------------- -# esent -# Get contents of Esent\Process key from Software hive -# -# Note: Not sure why I wrote this one; just thought it might come -# in handy as info about this key is developed. -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package esent; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20101202); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get ESENT\\Process key contents"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching esent v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\ESENT\\Process"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @sk = $key->get_list_of_subkeys(); - - if (scalar(@sk) > 0) { - my %esent; - - foreach my $s (@sk) { - my $sk = $s->get_subkey("DEBUG"); -# my $lw = $s->get_timestamp(); - my $lw = $sk->get_timestamp(); - - my $name = $s->get_name(); - - push(@{$esent{$lw}},$name); - } - - foreach my $t (reverse sort {$a <=> $b} keys %esent) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$esent{$t}}) { - ::rptMsg(" $item"); - } - } - - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# esent +# Get contents of Esent\Process key from Software hive +# +# Note: Not sure why I wrote this one; just thought it might come +# in handy as info about this key is developed. 
+# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package esent; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20101202); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get ESENT\\Process key contents"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching esent v.".$VERSION); + ::rptMsg("esent v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\ESENT\\Process"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @sk = $key->get_list_of_subkeys(); + + if (scalar(@sk) > 0) { + my %esent; + + foreach my $s (@sk) { + my $sk = $s->get_subkey("DEBUG"); +# my $lw = $s->get_timestamp(); + my $lw = $sk->get_timestamp(); + + my $name = $s->get_name(); + + push(@{$esent{$lw}},$name); + } + + foreach my $t (reverse sort {$a <=> $b} keys %esent) { + ::rptMsg(gmtime($t)." (UTC)"); + foreach my $item (@{$esent{$t}}) { + ::rptMsg(" $item"); + } + } + + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/eventlog.pl b/RecentActivity/release/rr-full/plugins/eventlog.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/eventlog.pl rename to RecentActivity/release/rr-full/plugins/eventlog.pl index a51ca91282..f44672a46d --- a/thirdparty/rr/plugins/eventlog.pl 
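Review bot: In the `foreach my $s (@sk)` loop the new side still calls `$sk->get_timestamp()` on the result of `$s->get_subkey("DEBUG")` without checking it, so a process entry that lacks a `DEBUG` subkey makes the plugin die mid-report instead of listing the remaining entries. The commented-out `$s->get_timestamp()` line suggests a fallback was considered; use it: `my $sk = $s->get_subkey("DEBUG");` followed by `my $lw = defined $sk ? $sk->get_timestamp() : $s->get_timestamp();`. As a style point, the added banner prints `$config{hive}` directly while the sibling plugins in this commit call `getHive()`.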
+++ b/RecentActivity/release/rr-full/plugins/eventlog.pl 
@@ -1,156 +1,158 @@ -#----------------------------------------------------------- -# eventlog.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package eventlog; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090112); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get EventLog configuration info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching eventlog v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - - my $evt_path = "ControlSet00".$current."\\Services\\Eventlog"; - my $evt; - if ($evt = $root_key->get_subkey($evt_path)) { - ::rptMsg(""); - my @subkeys = $evt->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - my $logname = $s->get_name(); - ::rptMsg($logname." 
\\ ".scalar gmtime($s->get_timestamp())."Z"); - eval { - my $file = $s->get_value("File")->get_data(); - ::rptMsg(" File = ".$file); - }; - - eval { - my $display = $s->get_value("DisplayNameFile")->get_data(); - ::rptMsg(" DisplayNameFile = ".$display); - }; - - eval { - my $max = $s->get_value("MaxSize")->get_data(); - ::rptMsg(" MaxSize = ".processSize($max)); - }; - - eval { - my $ret = $s->get_value("Retention")->get_data(); - ::rptMsg(" Retention = ".processRetention($ret)); - }; - -# AutoBackupLogFiles; http://support.microsoft.com/kb/312571/ - eval { - my $auto = $s->get_value("AutoBackupLogFiles")->get_data(); - ::rptMsg(" AutoBackupLogFiles = ".$auto); - }; - -# Check WarningLevel value on Security EventLog; http://support.microsoft.com/kb/945463 - eval { - if ($logname eq "Security") { - my $wl = $s->get_value("WarningLevel")->get_data(); - ::rptMsg(" WarningLevel = ".$wl); - } - }; - - ::rptMsg(""); - } - - } - else { - ::rptMsg($evt_path." has no subkeys."); - } - } - else { - ::rptMsg($evt_path." not found."); - ::logMsg($evt_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} -1; - -sub processSize { - my $sz = shift; - - my $kb = 1024; - my $mb = $kb * 1024; - my $gb = $mb * 1024; - - if ($sz > $gb) { - my $d = $sz/$gb; - my $l = length((split(/\./,$d,2))[0]) + 2; - return sprintf "%$l.2fGB",$d; - } - elsif ($sz > $mb) { - my $d = $sz/$mb; - my $l = length((split(/\./,$d,2))[0]) + 2; - return sprintf "%$l.2fMB",$d; - } - elsif ($sz > $kb) { - my $d = $sz/$kb; - my $l = length((split(/\./,$d,2))[0]) + 2; - return sprintf "%$l.2fKB",$d; - } - else {return $sz."B"}; -} - -sub processRetention { -# Retention maintained in seconds -# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/ -# regentry/30709.mspx?mfr=true - my $ret = shift; - - my $min = 60; - my $hr = $min * 60; - my $day = $hr * 24; - - if ($ret > $day) { - my $d = $ret/$day; - my $l = length((split(/\./,$d,2))[0]) + 2; - return sprintf "%$l.2f days",$d; - } - elsif ($ret > $hr) { - my $d = $ret/$hr; - my $l = length((split(/\./,$d,2))[0]) + 2; - return sprintf "%$l.2f hr",$d; - } - elsif ($ret > $min) { - my $d = $ret/$min; - my $l = length((split(/\./,$d,2))[0]) + 2; - return sprintf "%$l.2f min",$d; - } - else {return $ret." sec"}; +#----------------------------------------------------------- +# eventlog.pl +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package eventlog; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090112); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get EventLog configuration info"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching eventlog v.".$VERSION); + ::rptMsg("eventlog v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + + my $evt_path = "ControlSet00".$current."\\Services\\Eventlog"; + my $evt; + if ($evt = $root_key->get_subkey($evt_path)) { + ::rptMsg(""); + my @subkeys = $evt->get_list_of_subkeys(); + if (scalar (@subkeys) > 0) { + foreach my $s (@subkeys) { + my $logname = $s->get_name(); + ::rptMsg($logname." 
\\ ".scalar gmtime($s->get_timestamp())."Z"); + eval { + my $file = $s->get_value("File")->get_data(); + ::rptMsg(" File = ".$file); + }; + + eval { + my $display = $s->get_value("DisplayNameFile")->get_data(); + ::rptMsg(" DisplayNameFile = ".$display); + }; + + eval { + my $max = $s->get_value("MaxSize")->get_data(); + ::rptMsg(" MaxSize = ".processSize($max)); + }; + + eval { + my $ret = $s->get_value("Retention")->get_data(); + ::rptMsg(" Retention = ".processRetention($ret)); + }; + +# AutoBackupLogFiles; http://support.microsoft.com/kb/312571/ + eval { + my $auto = $s->get_value("AutoBackupLogFiles")->get_data(); + ::rptMsg(" AutoBackupLogFiles = ".$auto); + }; + +# Check WarningLevel value on Security EventLog; http://support.microsoft.com/kb/945463 + eval { + if ($logname eq "Security") { + my $wl = $s->get_value("WarningLevel")->get_data(); + ::rptMsg(" WarningLevel = ".$wl); + } + }; + + ::rptMsg(""); + } + + } + else { + ::rptMsg($evt_path." has no subkeys."); + } + } + else { + ::rptMsg($evt_path." not found."); + ::logMsg($evt_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." 
not found."); + } +} +1; + +sub processSize { + my $sz = shift; + + my $kb = 1024; + my $mb = $kb * 1024; + my $gb = $mb * 1024; + + if ($sz > $gb) { + my $d = $sz/$gb; + my $l = length((split(/\./,$d,2))[0]) + 2; + return sprintf "%$l.2fGB",$d; + } + elsif ($sz > $mb) { + my $d = $sz/$mb; + my $l = length((split(/\./,$d,2))[0]) + 2; + return sprintf "%$l.2fMB",$d; + } + elsif ($sz > $kb) { + my $d = $sz/$kb; + my $l = length((split(/\./,$d,2))[0]) + 2; + return sprintf "%$l.2fKB",$d; + } + else {return $sz."B"}; +} + +sub processRetention { +# Retention maintained in seconds +# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/ +# regentry/30709.mspx?mfr=true + my $ret = shift; + + my $min = 60; + my $hr = $min * 60; + my $day = $hr * 24; + + if ($ret > $day) { + my $d = $ret/$day; + my $l = length((split(/\./,$d,2))[0]) + 2; + return sprintf "%$l.2f days",$d; + } + elsif ($ret > $hr) { + my $d = $ret/$hr; + my $l = length((split(/\./,$d,2))[0]) + 2; + return sprintf "%$l.2f hr",$d; + } + elsif ($ret > $min) { + my $d = $ret/$min; + my $l = length((split(/\./,$d,2))[0]) + 2; + return sprintf "%$l.2f min",$d; + } + else {return $ret." sec"}; } \ No newline at end of file diff --git a/thirdparty/rr/plugins/eventlogs.pl b/RecentActivity/release/rr-full/plugins/eventlogs.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/eventlogs.pl rename to RecentActivity/release/rr-full/plugins/eventlogs.pl index d7557218c2..856adcfce7 --- a/thirdparty/rr/plugins/eventlogs.pl +++ b/RecentActivity/release/rr-full/plugins/eventlogs.pl 
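Review bot: `$current = $key->get_value("Current")->get_data();` dereferences the `Select\Current` value without checking that it exists, so a hive with a missing or damaged `Current` value aborts the plugin with a method-on-undef error instead of the `not found` message the surrounding branches report. Guard it: `my $cv = $key->get_value("Current"); unless (defined $cv) { ::rptMsg("Select\\Current value not found."); return; }` and then build the path with `sprintf("ControlSet%03d", $cv->get_data())`, which also handles a control set number above 9 that `"ControlSet00".$current` would mangle. Minor: the per-log LastWrite line is suffixed with `"Z"` while every other timestamp in these plugins prints `(UTC)`.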
@@ -1,98 +1,100 @@ -#----------------------------------------------------------- -# eventlogs.pl -# Author: Don C. Weber -# Plugin for Registry Ripper; Access System hive file to get the -# Event Log settings from System hive -# -# Change history -# -# -# References -# Eventlog Key: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx -# -# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security -#----------------------------------------------------------- -package eventlogs; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081219); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Event Log settings from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching eventlogs v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $win_path = $ccs."\\Services\\Eventlog"; - my $win; - if ($win = $root_key->get_subkey($win_path)) { - ::rptMsg("EventLog Configuration"); - ::rptMsg($win_path); - ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)"); - my $cn; - if ($cn = $win->get_value("ComputerName")->get_data()) { - ::rptMsg("ComputerName = ".$cn); - } - else { - ::rptMsg("ComputerName value not found."); - } - } - else { - ::rptMsg($win_path." 
not found."); - } - -# Cycle through each type of log - my $logname; - my $evpath; - my $evlog; - my @list_logs = $win->get_list_of_subkeys(); - foreach $logname (@list_logs){ - ::rptMsg(""); - $evpath = $win_path."\\".$logname->get_name(); - if ($evlog = $root_key->get_subkey($evpath)) { - ::rptMsg(" ".$logname->get_name()." EventLog"); - ::rptMsg(" ".$evpath); - ::rptMsg(" LastWrite Time ".gmtime($evlog->get_timestamp())." (UTC)"); - ::rptMsg(" Configuration Settings"); - ::rptMsg(" Log location: ".$evlog->get_value('File')->get_data()); - ::rptMsg(" Log Size: ".$evlog->get_value('MaxSize')->get_data()." Bytes"); - ($evlog->get_value('AutoBackupLogFiles') == 0x0) ? ::rptMsg(" AutoBackupLogFiles is Disabled") : ::rptMsg(" AutoBackupLogFiles is Enabled") - } - else { - ::rptMsg($logname->get_name()." Event Log not found."); - } - } - ::rptMsg(""); - ::rptMsg("Analysis Tips: For Event Log settings information check: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx"); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# eventlogs.pl +# Author: Don C. Weber +# Plugin for Registry Ripper; Access System hive file to get the +# Event Log settings from System hive +# +# Change history +# +# +# References +# Eventlog Key: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx +# +# Author: Don C. 
Weber, http://www.cutawaysecurity.com/blog/cutaway-security +#----------------------------------------------------------- +package eventlogs; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20081219); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets Event Log settings from System hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching eventlogs v.".$VERSION); + ::rptMsg("eventlogs v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $win_path = $ccs."\\Services\\Eventlog"; + my $win; + if ($win = $root_key->get_subkey($win_path)) { + ::rptMsg("EventLog Configuration"); + ::rptMsg($win_path); + ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)"); + my $cn; + if ($cn = $win->get_value("ComputerName")->get_data()) { + ::rptMsg("ComputerName = ".$cn); + } + else { + ::rptMsg("ComputerName value not found."); + } + } + else { + ::rptMsg($win_path." not found."); + } + +# Cycle through each type of log + my $logname; + my $evpath; + my $evlog; + my @list_logs = $win->get_list_of_subkeys(); + foreach $logname (@list_logs){ + ::rptMsg(""); + $evpath = $win_path."\\".$logname->get_name(); + if ($evlog = $root_key->get_subkey($evpath)) { + ::rptMsg(" ".$logname->get_name()." 
EventLog"); + ::rptMsg(" ".$evpath); + ::rptMsg(" LastWrite Time ".gmtime($evlog->get_timestamp())." (UTC)"); + ::rptMsg(" Configuration Settings"); + ::rptMsg(" Log location: ".$evlog->get_value('File')->get_data()); + ::rptMsg(" Log Size: ".$evlog->get_value('MaxSize')->get_data()." Bytes"); + ($evlog->get_value('AutoBackupLogFiles') == 0x0) ? ::rptMsg(" AutoBackupLogFiles is Disabled") : ::rptMsg(" AutoBackupLogFiles is Enabled") + } + else { + ::rptMsg($logname->get_name()." Event Log not found."); + } + } + ::rptMsg(""); + ::rptMsg("Analysis Tips: For Event Log settings information check: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx"); + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/fileexts.pl b/RecentActivity/release/rr-full/plugins/fileexts.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/fileexts.pl rename to RecentActivity/release/rr-full/plugins/fileexts.pl index 5bd04db825..6fde48fdab --- a/thirdparty/rr/plugins/fileexts.pl +++ b/RecentActivity/release/rr-full/plugins/fileexts.pl 
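Review bot: `($evlog->get_value('AutoBackupLogFiles') == 0x0)` compares the value object rather than its data — `get_data()` is missing — so a present value (a reference, numerically its address) never equals 0 and is always reported as Enabled, while an absent value (undef) compares equal to 0 and is reported as Disabled; the reported setting is therefore unreliable for an analyst. Separately, `my @list_logs = $win->get_list_of_subkeys();` sits after the `else { ... not found }` branch, so when the Eventlog key is missing `$win` is undef and the plugin dies instead of returning, and `get_value('File')`/`get_value('MaxSize')` and `get_value("ComputerName")` are dereferenced unchecked in the same way. The rewrite below returns early when the key is absent and reads the AutoBackupLogFiles data explicitly, reporting a missing value as such rather than as Disabled.
```perl
		else {
			::rptMsg($win_path." not found.");
			return;   # $win is undef here; the get_list_of_subkeys() call below would die
		}
# … unchanged: per-log loop header, LastWrite, File and MaxSize lines …
				my $abl = $evlog->get_value('AutoBackupLogFiles');
				if (defined $abl) {
					::rptMsg("   AutoBackupLogFiles is ".($abl->get_data() == 0 ? "Disabled" : "Enabled"));
				}
				else {
					::rptMsg("   AutoBackupLogFiles value not found.");
				}
```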
@@ -1,73 +1,75 @@ -#----------------------------------------------------------- -# fileexts.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package fileexts; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080818); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get user FileExts values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching fileexts v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("fileexts"); - ::rptMsg($key_path); - ::rptMsg(""); - - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - next unless ($name =~ m/^\.\w+/); - - eval { - my $data = $s->get_subkey("OpenWithList")->get_value("MRUList")->get_data(); - if ($data =~ m/^\w/) { - ::rptMsg("File Extension: ".$name); - ::rptMsg("LastWrite: ".gmtime($s->get_subkey("OpenWithList")->get_timestamp())); - ::rptMsg("MRUList: ".$data); - my @list = split(//,$data); - foreach my $l (@list) { - my $valdata = $s->get_subkey("OpenWithList")->get_value($l)->get_data(); - ::rptMsg(" ".$l." => ".$valdata); - } - ::rptMsg(""); - } - }; - } - } - else { - ::rptMsg($key_path." does not have subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# fileexts.pl +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package fileexts; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080818); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get user FileExts values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching fileexts v.".$VERSION); + ::rptMsg("fileexts v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("fileexts"); + ::rptMsg($key_path); + ::rptMsg(""); + + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); + next unless ($name =~ m/^\.\w+/); + + eval { + my $data = $s->get_subkey("OpenWithList")->get_value("MRUList")->get_data(); + if ($data =~ m/^\w/) { + ::rptMsg("File Extension: ".$name); + ::rptMsg("LastWrite: ".gmtime($s->get_subkey("OpenWithList")->get_timestamp())); + ::rptMsg("MRUList: ".$data); + my @list = split(//,$data); + foreach my $l (@list) { + my $valdata = $s->get_subkey("OpenWithList")->get_value($l)->get_data(); + ::rptMsg(" ".$l." => ".$valdata); + } + ::rptMsg(""); + } + }; + } + } + else { + ::rptMsg($key_path." does not have subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/filehistory.pl b/RecentActivity/release/rr-full/plugins/filehistory.pl new file mode 100755 index 0000000000..13ee5ee6e5 
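Review bot: The `eval` around each extension swallows every failure silently, so a FileExts entry whose `MRUList` letter has no matching value under `OpenWithList` drops the whole extension from the report with no trace, and an undef `$s->get_subkey("OpenWithList")` is masked the same way. Inside the `foreach my $l (@list)` loop, fetch the value first and skip rather than die: `my $ov = $s->get_subkey("OpenWithList")->get_value($l); next unless defined $ov;` then `::rptMsg("  ".$l." => ".$ov->get_data());`. Also the `LastWrite:` line omits the `(UTC)` suffix that every other timestamp in these plugins carries; append `." (UTC)"` so the report is unambiguous.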
--- /dev/null +++ b/RecentActivity/release/rr-full/plugins/filehistory.pl 
@@ -0,0 +1,95 @@ +#----------------------------------------------------------- +# filehistory.pl +# Get filehistory settings +# +# Change history +# 20120722 - updated %config hash +# 20120620 - updated/modified by H. Carvey +# 20120607 - created by K. Johnson +# +# References +# This RegRipper plugin was created based on research I have done on +# the FileHistory Feature of Windows 8. +# http://randomthoughtsofforensics.blogspot.com/ +# +# FileHistoy Plugin copyright 2012 K. Johnson +# Edited by H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package filehistory; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hivemask => 16, + output => "report", + category => "", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 32, #Windows 8 + version => 20120620); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets filehistory settings"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching filehistory v.".$VERSION); + ::rptMsg("filehistory v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\FileHistory"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + + if ($v->get_name() eq "ProtectedUpToTime") { + my @t = unpack("VV",$v->get_data()); + my $pft = ::getTime($t[0],$t[1]); + ::rptMsg(" ProtectedUpToTime = ".gmtime($pft)." 
(UTC)"); + } + + if ($v->get_name() eq "ReassociationPerformed") { + ::rptMsg(sprintf "%-20s 0x%x","ReassociationPerformed",$v->get_data()); + } + + if ($v->get_name() eq "RestoreAllowed") { + ::rptMsg(sprintf "%-20s 0x%x","RestoreAllowed",$v->get_data()); + } + + if ($v->get_name() eq "SearchRebuildRequired") { + ::rptMsg(sprintf "%-20s 0x%x","SearchRebuildRequired",$v->get_data()); + } + + if ($v->get_name() eq "TargetChanged") { + ::rptMsg(sprintf "%-20s 0x%x","TargetChanged",$v->get_data()); + } + } + } + else { + ::rptMsg($key_path." has no values."); + ::rptMsg("File History may not be configured for this user."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/findexes.pl b/RecentActivity/release/rr-full/plugins/findexes.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/findexes.pl rename to RecentActivity/release/rr-full/plugins/findexes.pl index ee2f027b35..c8934fe3dd --- a/thirdparty/rr/plugins/findexes.pl +++ b/RecentActivity/release/rr-full/plugins/findexes.pl 
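Review bot: `my @t = unpack("VV",$v->get_data());` assumes `ProtectedUpToTime` holds an 8-byte FILETIME; if the data is shorter, `$t[1]` is undef and `::getTime` is fed an incomplete pair, yielding a bogus date rather than a warning. Guard it with `if (length($v->get_data()) >= 8)` before the unpack and report the raw length otherwise. The header's change history records `20120722 - updated %config hash` but the hash still says `version => 20120620`, so the banner under-reports the plugin version; bump it to `20120722`. The header also misspells `FileHistoy`.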
@@ -1,95 +1,96 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# findexes.pl -# Plugin for RegRipper; traverses through a Registry hive, -# looking for values with binary data types, and checks to see -# if they start with "MZ"; if so, records the value path, key -# LastWrite time, and length of the data -# -# Change history -# 20090728 - Created -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package findexes; -use strict; - -my %config = (hive => "All", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090728); - -sub getConfig{return %config} -sub getShortDescr { - return "Scans a hive file looking for binary value data that contains MZ"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %vals; -my $bin_count = 0; -my $exe_count = 0; - -sub pluginmain { - my $class = shift; - my $file = shift; - my $reg = Parse::Win32Registry->new($file); - my $root_key = $reg->get_root_key; - ::logMsg("Launching findexes v.".$VERSION); - - traverse($root_key); -# Data structure containing findings is a hash of hashes - foreach my $k (keys %vals) { - ::rptMsg("Key: ".$k." LastWrite time: ".gmtime($vals{$k}{lastwrite})); - foreach my $i (keys %{$vals{$k}}) { - next if ($i eq "lastwrite"); - ::rptMsg(" Value: ".$i." Length: ".$vals{$k}{$i}." 
bytes"); - } - ::rptMsg(""); - } - ::rptMsg("Number of values w/ binary data types: ".$bin_count); - ::rptMsg("Number of values w/ MZ in binary data: ".$exe_count); -} - -sub traverse { - my $key = shift; -# my $ts = $key->get_timestamp(); - - foreach my $val ($key->get_list_of_values()) { - my $type = $val->get_type(); - if ($type == 0 || $type == 3) { - $bin_count++; - my $data = $val->get_data(); -# This code looks for data that starts with MZ -# my $i = unpack("v",substr($data,0,2)); -# if ($i == 0x5a4d) { - if (grep(/MZ/,$data)) { - $exe_count++; - my $path; - my @p = split(/\\/,$key->get_path()); - if (scalar(@p) == 1) { - $path = "root"; - } - else { - shift(@p); - $path = join('\\',@p); - } - - $vals{$path}{lastwrite} = $key->get_timestamp(); - $vals{$path}{$val->get_name()} = length($data); - } - } - } - - foreach my $subkey ($key->get_list_of_subkeys()) { - traverse($subkey); - } -} - +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# findexes.pl +# Plugin for RegRipper; traverses through a Registry hive, +# looking for values with binary data types, and checks to see +# if they start with "MZ"; if so, records the value path, key +# LastWrite time, and length of the data +# +# Change history +# 20090728 - Created +# +# copyright 2009 H. 
Carvey +#----------------------------------------------------------- +package findexes; +use strict; + +my %config = (hive => "All", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20090728); + +sub getConfig{return %config} +sub getShortDescr { + return "Scans a hive file looking for binary value data that contains MZ"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %vals; +my $bin_count = 0; +my $exe_count = 0; + +sub pluginmain { + my $class = shift; + my $file = shift; + my $reg = Parse::Win32Registry->new($file); + my $root_key = $reg->get_root_key; + ::logMsg("Launching findexes v.".$VERSION); + ::rptMsg("findexes v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + traverse($root_key); +# Data structure containing findings is a hash of hashes + foreach my $k (keys %vals) { + ::rptMsg("Key: ".$k." LastWrite time: ".gmtime($vals{$k}{lastwrite})); + foreach my $i (keys %{$vals{$k}}) { + next if ($i eq "lastwrite"); + ::rptMsg(" Value: ".$i." Length: ".$vals{$k}{$i}." 
bytes"); + } + ::rptMsg(""); + } + ::rptMsg("Number of values w/ binary data types: ".$bin_count); + ::rptMsg("Number of values w/ MZ in binary data: ".$exe_count); +} + +sub traverse { + my $key = shift; +# my $ts = $key->get_timestamp(); + + foreach my $val ($key->get_list_of_values()) { + my $type = $val->get_type(); + if ($type == 0 || $type == 3) { + $bin_count++; + my $data = $val->get_data(); +# This code looks for data that starts with MZ +# my $i = unpack("v",substr($data,0,2)); +# if ($i == 0x5a4d) { + if (grep(/MZ/,$data)) { + $exe_count++; + my $path; + my @p = split(/\\/,$key->get_path()); + if (scalar(@p) == 1) { + $path = "root"; + } + else { + shift(@p); + $path = join('\\',@p); + } + + $vals{$path}{lastwrite} = $key->get_timestamp(); + $vals{$path}{$val->get_name()} = length($data); + } + } + } + + foreach my $subkey ($key->get_list_of_subkeys()) { + traverse($subkey); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/fw_config.pl b/RecentActivity/release/rr-full/plugins/fw_config.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/fw_config.pl rename to RecentActivity/release/rr-full/plugins/fw_config.pl index e43e245837..ae9bb43aca --- a/thirdparty/rr/plugins/fw_config.pl +++ b/RecentActivity/release/rr-full/plugins/fw_config.pl 
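Review bot: `if (grep(/MZ/,$data))` matches the two bytes `MZ` anywhere in a REG_BINARY/REG_NONE blob, while the header comment says the plugin looks for values that start with `MZ`; any binary value that happens to contain 0x4D 0x5A is counted in `$exe_count` and listed, so the report over-reports embedded executables. The commented-out unpack check was the stricter test; `if (substr($data,0,2) eq "MZ")` restores it, or if the looser match is intended, change the header comment to say `contains` as `getShortDescr` already does. Also `%vals`, `$bin_count` and `$exe_count` are file-scoped and never reset inside `pluginmain`, so if the harness invokes the plugin more than once in one process (the `hive => "All"` setting suggests it may), counts and findings from earlier hives carry over into later reports; reset them at the top of `pluginmain`.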
@@ -1,116 +1,118 @@ -#----------------------------------------------------------- -# fw_config -# -# References -# http://technet2.microsoft.com/WindowsServer/en/library/47f25d7d- -# 882b-4f87-b05f-31e5664fc15e1033.mspx?mfr=true -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package fw_config; -use strict; - -my %config = (hive => "System", - osmask => 20, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080328); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets the Windows Firewall config from the System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching fw_config v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $select_path = 'Select'; - my $sel; - if ($sel = $root_key->get_subkey($select_path)) { - $current = $sel->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($select_path." could not be found."); - ::logMsg($select_path." could not be found."); - return; - } - - my @profiles = ("DomainProfile","StandardProfile"); - foreach my $profile (@profiles) { - my $key_path = $ccs."\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\".$profile; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Windows Firewall Configuration"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my %vals = getKeyValues($key); - if (scalar(keys %vals) > 0) { - foreach my $v (keys %vals) { - ::rptMsg("\t".$v." -> ".$vals{$v}); - } - } - else { -# ::rptMsg($key_path." 
has no values."); - } - - my @configs = ("RemoteAdminSettings", - "IcmpSettings", - "GloballyOpenPorts\\List", - "AuthorizedApplications\\List"); - - foreach my $config (@configs) { - eval { - my %vals = getKeyValues($key->get_subkey($config)); - if (scalar(keys %vals) > 0) { - ::rptMsg(""); - ::rptMsg($key_path."\\".$config); - ::rptMsg("LastWrite Time ".gmtime($key->get_subkey($config)->get_timestamp())." (UTC)"); - foreach my $v (keys %vals) { - ::rptMsg("\t".$v." -> ".$vals{$v}); - } - } - }; - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - ::rptMsg(""); - } # end foreach -} - -sub getKeyValues { - my $key = shift; - my %vals; - - my @vk = $key->get_list_of_values(); - if (scalar(@vk) > 0) { - foreach my $v (@vk) { - next if ($v->get_name() eq "" && $v->get_data() eq ""); - $vals{$v->get_name()} = $v->get_data(); - } - } - else { - - } - return %vals; -} +#----------------------------------------------------------- +# fw_config +# +# References +# http://technet2.microsoft.com/WindowsServer/en/library/47f25d7d- +# 882b-4f87-b05f-31e5664fc15e1033.mspx?mfr=true +# +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package fw_config; +use strict; + +my %config = (hive => "System", + osmask => 20, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080328); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets the Windows Firewall config from the System hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching fw_config v.".$VERSION); + ::rptMsg("fw_config v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $select_path = 'Select'; + my $sel; + if ($sel = $root_key->get_subkey($select_path)) { + $current = $sel->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::rptMsg($select_path." could not be found."); + ::logMsg($select_path." could not be found."); + return; + } + + my @profiles = ("DomainProfile","StandardProfile"); + foreach my $profile (@profiles) { + my $key_path = $ccs."\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\".$profile; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Windows Firewall Configuration"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + my %vals = getKeyValues($key); + if (scalar(keys %vals) > 0) { + foreach my $v (keys %vals) { + ::rptMsg("\t".$v." -> ".$vals{$v}); + } + } + else { +# ::rptMsg($key_path." 
has no values."); + } + + my @configs = ("RemoteAdminSettings", + "IcmpSettings", + "GloballyOpenPorts\\List", + "AuthorizedApplications\\List"); + + foreach my $config (@configs) { + eval { + my %vals = getKeyValues($key->get_subkey($config)); + if (scalar(keys %vals) > 0) { + ::rptMsg(""); + ::rptMsg($key_path."\\".$config); + ::rptMsg("LastWrite Time ".gmtime($key->get_subkey($config)->get_timestamp())." (UTC)"); + foreach my $v (keys %vals) { + ::rptMsg("\t".$v." -> ".$vals{$v}); + } + } + }; + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + ::rptMsg(""); + } # end foreach +} + +sub getKeyValues { + my $key = shift; + my %vals; + + my @vk = $key->get_list_of_values(); + if (scalar(@vk) > 0) { + foreach my $v (@vk) { + next if ($v->get_name() eq "" && $v->get_data() eq ""); + $vals{$v->get_name()} = $v->get_data(); + } + } + else { + + } + return %vals; +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/gauss.pl b/RecentActivity/release/rr-full/plugins/gauss.pl new file mode 100755 index 0000000000..25e98c91d0 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/gauss.pl 
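Review bot: `$current = $sel->get_value("Current")->get_data();` in pluginmain calls get_data on whatever get_value returns, so a Select key that lacks a Current value makes the plugin die with a method-on-undef error instead of reporting the condition; hibernate.pl and ide.pl in this commit carry the same unguarded call. Guard it before dereferencing: `my $cur_val = $sel->get_value("Current");` / `unless (defined $cur_val) { ::rptMsg($select_path."\\Current value not found."); return; }` / `$current = $cur_val->get_data();`. Separately, the empty `else { }` in getKeyValues should either be deleted or carry a comment saying that a key with no values is expected and intentionally yields an empty hash.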
@@ -0,0 +1,66 @@
+#-----------------------------------------------------------
+# gauss.pl
+# Checks Software hive for existance of TimeStampforUI value
+# beneath the Reliability key within the Software hive. According
+# to the Kasperky write-up for the malware, the configuration file is
+# written to a binary value named "TimeStampforUI".
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package gauss;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ osmask => 22,
+ version => 20120809);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Checks Reliability key for TimeStampforUI value";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching gauss v.".$VERSION);
+ ::rptMsg("Launching gauss v.".$VERSION);
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my @key_paths = ('Microsoft\\Windows\\CurrentVersion\\Reliability',
+ 'Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Reliability');
+ ::rptMsg("gauss v\.".$VERSION);
+ foreach my $key_path (@key_paths) {
+ my $key;
+ my $notfound = 1;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @vals = $key->get_list_of_values();
+ foreach my $v (@vals) {
+ my $name = $v->get_name();
+ if ($name eq "TimeStampforUI") {
+ ::rptMsg("TimeStampforUI value found.");
+ $notfound = 0;
+ }
+ }
+ ::rptMsg("TimeStampforUI value not found.") if ($notfound);
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+ }
+}
+1;
\ No newline at end of file
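Review bot: The config hash declares `hasRefs => 1` but `sub getRefs {}` returns an empty list, so a front end that trusts the flag will find no reference to display; either set `hasRefs => 0,` or have getRefs return the Kaspersky write-up the header comment relies on. The banner is also emitted twice in pluginmain (`::rptMsg("Launching gauss v.".$VERSION);` and later `::rptMsg("gauss v\.".$VERSION);`), which sibling plugins in this commit do not do; drop the second one. The header comment's "existance" and "Kasperky" are typos worth fixing while here.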
diff --git a/thirdparty/rr/plugins/gthist.pl b/RecentActivity/release/rr-full/plugins/gthist.pl old mode 100644 new mode 100755 similarity index 89% rename from thirdparty/rr/plugins/gthist.pl rename to RecentActivity/release/rr-full/plugins/gthist.pl index bc52f909a9..b206c6912f --- a/thirdparty/rr/plugins/gthist.pl +++ b/RecentActivity/release/rr-full/plugins/gthist.pl 
@@ -1,71 +1,72 @@ -#----------------------------------------------------------- -# gthist.pl -# Google Toolbar Search History plugin -# -# -# Change history -# 20100218 - created -# -# References -# -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package gthist; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Google Toolbar Search History"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching gthist v.".$VERSION); - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Google\\NavClient\\1.1\\History'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar @vals > 0) { - ::rptMsg(""); - foreach my $v (@vals) { - my $tv = unpack("V",$v->get_data()); - $hist{$tv} = $v->get_name(); - } - - foreach my $t (reverse sort {$a <=> $b} keys %hist) { - my $str = gmtime($t)." ".$hist{$t}; - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# gthist.pl +# Google Toolbar Search History plugin +# +# +# Change history +# 20100218 - created +# +# References +# +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package gthist; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100218); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets Google Toolbar Search History"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + my %hist; + ::logMsg("Launching gthist v.".$VERSION); + ::rptMsg("gthist v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Google\\NavClient\\1.1\\History'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar @vals > 0) { + ::rptMsg(""); + foreach my $v (@vals) { + my $tv = unpack("V",$v->get_data()); + $hist{$tv} = $v->get_name(); + } + + foreach my $t (reverse sort {$a <=> $b} keys %hist) { + my $str = gmtime($t)." ".$hist{$t}; + ::rptMsg($str); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/gtwhitelist.pl b/RecentActivity/release/rr-full/plugins/gtwhitelist.pl old mode 100644 new mode 100755 similarity index 89% rename from thirdparty/rr/plugins/gtwhitelist.pl rename to RecentActivity/release/rr-full/plugins/gtwhitelist.pl index e8d0695eea..17e2fbfc45 
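Review bot: `$hist{$tv} = $v->get_name();` keys the history by timestamp, so two search entries that decode to the same second silently overwrite each other and only one reaches the report, which loses evidence without any warning. Collect a list per timestamp instead: `push(@{$hist{$tv}}, $v->get_name());` and in the output loop `foreach my $n (@{$hist{$t}}) { ::rptMsg(gmtime($t)." ".$n); }`. The `unpack("V", ...)` also assumes each value holds at least four bytes of little-endian data; a shorter value decodes to undef and ends up as a bogus epoch-0 line, so a length check before the unpack would be worth adding.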
--- a/thirdparty/rr/plugins/gtwhitelist.pl +++ b/RecentActivity/release/rr-full/plugins/gtwhitelist.pl 
@@ -1,74 +1,75 @@ -#----------------------------------------------------------- -# gtwhitelist.pl -# Google Toolbar Search History plugin -# -# -# Change history -# 20100218 - created -# -# References -# -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package gtwhitelist; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Google Toolbar whitelist values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching gtwhitelist v.".$VERSION); - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Google\\Google Toolbar\\4.0\\whitelist'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my $allow2; - eval { - $allow2 = $key->get_value("allow2")->get_data(); - my @vals = split(/\|/,$allow2); - ::rptMsg(""); - ::rptMsg("whitelist"); - foreach my $v (@vals) { - next if ($v eq ""); - ::rptMsg(" ".$v); - } - ::rptMsg(""); - }; - - my $lastmod; - eval { - $lastmod = $key->get_value("lastmod")->get_data(); - ::rptMsg("lastmod ".gmtime($lastmod)." (UTC)"); - }; - - } - else { - ::rptMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# gtwhitelist.pl +# Google Toolbar Search History plugin +# +# +# Change history +# 20100218 - created +# +# References +# +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package gtwhitelist; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100218); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets Google Toolbar whitelist values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + my %hist; + ::logMsg("Launching gtwhitelist v.".$VERSION); + ::rptMsg("gtwhitelist v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Google\\Google Toolbar\\4.0\\whitelist'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my $allow2; + eval { + $allow2 = $key->get_value("allow2")->get_data(); + my @vals = split(/\|/,$allow2); + ::rptMsg(""); + ::rptMsg("whitelist"); + foreach my $v (@vals) { + next if ($v eq ""); + ::rptMsg(" ".$v); + } + ::rptMsg(""); + }; + + my $lastmod; + eval { + $lastmod = $key->get_value("lastmod")->get_data(); + ::rptMsg("lastmod ".gmtime($lastmod)." (UTC)"); + }; + + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/haven_and_hearth.pl b/RecentActivity/release/rr-full/plugins/haven_and_hearth.pl new file mode 100755 index 0000000000..db92c644a2 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/haven_and_hearth.pl 
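Review bot: Both `eval { ... }` blocks in pluginmain swallow every failure, so when allow2 or lastmod is absent or malformed the report shows nothing at all and an analyst cannot tell "not present" from "plugin skipped it"; the key-level branch does report `not found.`, so the value level should too. Add `::rptMsg("allow2 value not found.") if ($@);` after the first eval and `::rptMsg("lastmod value not found.") if ($@);` after the second, matching the pattern hibernate.pl uses for its Heuristics value. The header comment still reads "Google Toolbar Search History plugin" (copied from gthist.pl) and `my %hist;` is never used.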
@@ -0,0 +1,108 @@ +#----------------------------------------------------------- +# haven_and_hearth.pl +# Extracts the username and savedtoken for Haven & Hearth +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# Haven & Hearth Homepage +# http://www.havenandhearth.com/ +# +# Copyright (c) 2011-02-04 Brendan Coles +#----------------------------------------------------------- +# Require # +package haven_and_hearth; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110204); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extracts the username and savedtoken for Haven & Hearth."; +} +sub getRefs { + my %refs = ("Haven & Hearth Homepage:" => + "http://www.havenandhearth.com/"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + my @interesting_keys = ( + "username", + "password", + "savedtoken" + ); + + # Initialize # + ::logMsg("Launching haven_and_hearth v.".$VERSION); + ::rptMsg("haven_and_hearth v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\JavaSoft\\Prefs\\haven"; + + # If # Haven & Hearth path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("Haven & Hearth"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + # Extract # all keys from Haven & Hearth registry path # + my %keys; + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for Haven & Hearth registry path # + foreach my $v (@vals) { + $keys{$v->get_name()} = $v->get_data(); + } + + # Return # all key names+values for interesting keys # + foreach my $var (@interesting_keys) { + if (exists $keys{$var}) { + ::rptMsg($var." -> ".$keys{$var}); + } + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # Haven & Hearth isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/thirdparty/rr/plugins/hibernate.pl b/RecentActivity/release/rr-full/plugins/hibernate.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/hibernate.pl rename to RecentActivity/release/rr-full/plugins/hibernate.pl index 64c5b3e359..a3ad5a3bbe --- a/thirdparty/rr/plugins/hibernate.pl +++ b/RecentActivity/release/rr-full/plugins/hibernate.pl 
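Review bot: `@interesting_keys` includes `"password"` and the loop writes its value verbatim into the report, but the header comment and getShortDescr say the plugin extracts only the username and savedtoken, so a reader of the description does not expect cleartext credentials to land in the output file. Make the contract explicit, e.g. `return "Extracts the username, password and savedtoken for Haven & Hearth (credential values are written to the report in cleartext).";`, so anyone handling or sharing the report knows what it contains. The comment `# Error # oh snap! #` above the final `1;` describes nothing and should go.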
@@ -1,78 +1,80 @@ -#----------------------------------------------------------- -# hibernate.pl -# -# Ref: -# http://support.microsoft.com/kb/293399 & testing -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package hibernate; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081216); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check hibernation status"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching hibernate v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - - my $power_path = $ccs."\\Control\\Session Manager\\Power"; - my $power; - if ($power = $root_key->get_subkey($power_path)) { - - my $heur; - eval { - my $bin_val = $power->get_value("Heuristics")->get_data(); - $heur = (unpack("v*",$bin_val))[3]; - if ($heur == 0) { - ::rptMsg("Hibernation disabled."); - } - elsif ($heur == 1) { - ::rptMsg("Hibernation enabled."); - } - else { - ::rptMsg("Unknown hibernation value: ".$heur); - } - - }; - ::rptMsg("Error reading Heuristics value.") if ($@); - - } - else { - ::rptMsg($power_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); -# ::logMsg($key_path." not found."); - } - -} +#----------------------------------------------------------- +# hibernate.pl +# +# Ref: +# http://support.microsoft.com/kb/293399 & testing +# +# copyright 2008-2009 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package hibernate; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20081216); + +sub getConfig{return %config} + +sub getShortDescr { + return "Check hibernation status"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching hibernate v.".$VERSION); + ::rptMsg("hibernate v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + + my $power_path = $ccs."\\Control\\Session Manager\\Power"; + my $power; + if ($power = $root_key->get_subkey($power_path)) { + + my $heur; + eval { + my $bin_val = $power->get_value("Heuristics")->get_data(); + $heur = (unpack("v*",$bin_val))[3]; + if ($heur == 0) { + ::rptMsg("Hibernation disabled."); + } + elsif ($heur == 1) { + ::rptMsg("Hibernation enabled."); + } + else { + ::rptMsg("Unknown hibernation value: ".$heur); + } + + }; + ::rptMsg("Error reading Heuristics value.") if ($@); + + } + else { + ::rptMsg($power_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); +# ::logMsg($key_path." not found."); + } + +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/ide.pl b/RecentActivity/release/rr-full/plugins/ide.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/ide.pl rename to RecentActivity/release/rr-full/plugins/ide.pl index 789cbd1495..e9cc3825ae 
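Review bot: `$heur = (unpack("v*",$bin_val))[3];` needs at least eight bytes of Heuristics data; a shorter value leaves `$heur` undef, and the following `if ($heur == 0)` then prints "Hibernation disabled." as a confident finding rather than taking the `Error reading Heuristics value.` path. Add a length check inside the eval so the existing `if ($@)` handler fires: `die "Heuristics value too short\n" unless (length($bin_val) >= 8);`. The comment `# http://support.microsoft.com/kb/293399 & testing` is the only documentation of which 16-bit word carries the flag; a one-line note saying that index 3 was established by testing would help the next maintainer.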
--- a/thirdparty/rr/plugins/ide.pl +++ b/RecentActivity/release/rr-full/plugins/ide.pl 
@@ -1,123 +1,125 @@ -#----------------------------------------------------------- -# ide.pl -# Get IDE device info from the System hive file -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package ide; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080418); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get IDE device info from the System hive file"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ide v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - ::rptMsg("IDE"); - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::logMsg("Could not find ".$key_path); - return - } - - my $key_path = $ccs."\\Enum\\IDE"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg(""); - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s2 (@sk) { - ::rptMsg($s2->get_name()." [".gmtime($s2->get_timestamp())." (UTC)]"); - eval { - ::rptMsg("FriendlyName : ".$s2->get_value("FriendlyName")->get_data()); - }; - ::rptMsg(""); - } - } - - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::logMsg($key_path." not found."); - } - - my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("DevClasses - Disks"); - ::rptMsg($key_path); - my %disks; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next unless (grep(/IDE/,$name)); - my $lastwrite = $s->get_timestamp(); - my ($dev, $serial) = (split(/#/,$name))[4,5]; - push(@{$disks{$lastwrite}},$dev.",".$serial); - } - - if (scalar(keys %disks) == 0) { - ::rptMsg("No IDE subkeys were found."); - return; - } - ::rptMsg(""); - foreach my $t (reverse sort {$a <=> $b} keys %disks) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$disks{$t}}) { - ::rptMsg("\t$item"); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# ide.pl +# Get IDE device info from the System hive file +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package ide; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080418); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get IDE device info from the System hive file"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching ide v.".$VERSION); + ::rptMsg("ide v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + ::rptMsg("IDE"); + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::logMsg("Could not find ".$key_path); + return + } + + my $key_path = $ccs."\\Enum\\IDE"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg(""); + ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); + my @sk = $s->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s2 (@sk) { + ::rptMsg($s2->get_name()." [".gmtime($s2->get_timestamp())." (UTC)]"); + eval { + ::rptMsg("FriendlyName : ".$s2->get_value("FriendlyName")->get_data()); + }; + ::rptMsg(""); + } + } + + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." 
not found."); + } + + my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("DevClasses - Disks"); + ::rptMsg($key_path); + my %disks; + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + next unless (grep(/IDE/,$name)); + my $lastwrite = $s->get_timestamp(); + my ($dev, $serial) = (split(/#/,$name))[4,5]; + push(@{$disks{$lastwrite}},$dev.",".$serial); + } + + if (scalar(keys %disks) == 0) { + ::rptMsg("No IDE subkeys were found."); + return; + } + ::rptMsg(""); + foreach my $t (reverse sort {$a <=> $b} keys %disks) { + ::rptMsg(gmtime($t)." (UTC)"); + foreach my $item (@{$disks{$t}}) { + ::rptMsg("\t$item"); + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/ie_main.pl b/RecentActivity/release/rr-full/plugins/ie_main.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/ie_main.pl rename to RecentActivity/release/rr-full/plugins/ie_main.pl index aa48c4d4a3..e7c5dfd3a7 --- a/thirdparty/rr/plugins/ie_main.pl +++ b/RecentActivity/release/rr-full/plugins/ie_main.pl 
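Review bot: `my ($dev, $serial) = (split(/#/,$name))[4,5];` assumes every IDE subkey name under DeviceClasses has at least six `#`-separated fields; a shorter name yields undef for one or both, and the report line becomes just `,` with no indication that the name was unexpected. Guard it: `my @parts = split(/#/,$name);` / `next if (scalar(@parts) < 6);` / `my ($dev, $serial) = @parts[4,5];`. As a point of style, `my $key_path` and `my $key` are redeclared three times in the same scope of pluginmain, which Perl would warn about under `use warnings`; reusing one declaration per variable, or scoping each lookup in its own block, reads more clearly.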
@@ -1,82 +1,84 @@ -#----------------------------------------------------------- -# ie_main.pl -# Checks keys/values set by new version of Trojan.Clampi -# -# Change history -# 20091019 - created -# -# -# References -# http://support.microsoft.com/kb/895339 -# http://support.microsoft.com/kb/176497 -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package ie_main; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091019); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets values beneath user's Internet Explorer\\Main key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching ie_main v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my %main; - - my @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - next if ($name eq "Window_Placement"); - - $data = unpack("V",$data) if ($name eq "Do404Search"); - - if ($name eq "IE8RunOnceLastShown_TIMESTAMP" || $name eq "IE8TourShownTime") { - my ($t0,$t1) = unpack("VV",$data); - $data = gmtime(::getTime($t0,$t1))." UTC"; - } - $main{$name} = $data; - } - - foreach my $n (keys %main) { - my $str = sprintf "%-35s %-20s",$n,$main{$n}; - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# ie_main.pl +# Checks keys/values set by new version of Trojan.Clampi +# +# Change history +# 20091019 - created +# +# +# References +# http://support.microsoft.com/kb/895339 +# http://support.microsoft.com/kb/176497 +# +# copyright 2009 H. Carvey +#----------------------------------------------------------- +package ie_main; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20091019); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets values beneath user's Internet Explorer\\Main key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching ie_main v.".$VERSION); + ::rptMsg("ie_main v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my %main; + + my @vals = $key->get_list_of_values(); + + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); + next if ($name eq "Window_Placement"); + + $data = unpack("V",$data) if ($name eq "Do404Search"); + + if ($name eq "IE8RunOnceLastShown_TIMESTAMP" || $name eq "IE8TourShownTime") { + my ($t0,$t1) = unpack("VV",$data); + $data = gmtime(::getTime($t0,$t1))." UTC"; + } + $main{$name} = $data; + } + + foreach my $n (keys %main) { + my $str = sprintf "%-35s %-20s",$n,$main{$n}; + ::rptMsg($str); + } + } + else { + ::rptMsg($key_path." 
has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/ie_settings.pl b/RecentActivity/release/rr-full/plugins/ie_settings.pl new file mode 100755 index 0000000000..5e508d08d3 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/ie_settings.pl 
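Review bot: `$main{$name} = $data;` stores the raw data for every value except Window_Placement, so any other binary-typed value under Internet Explorer\Main is pushed through `sprintf "%-35s %-20s"` as raw bytes into the report. Hex-encode binary data before storing it, e.g. `$data = join(' ', map { sprintf "%02x", $_ } unpack("C*", $data)) if ($v->get_type() == 3);` (type 3 being the REG_BINARY check findexes.pl in this commit already uses), leaving the Do404Search and timestamp conversions above it as they are. The banner reads the hive via `$config{hive}` while the sibling plugins use `getHive()`; aligning on one form keeps the plugins consistent.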
@@ -0,0 +1,147 @@ +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# ie_settings.pl +# Gets IE settings +# +# Change history +# 20130328 - added "AutoConfigURL" value info +# 20130223 - updated +# 20091016 - created +# +# References +# http://blog.digital-forensics.it/2012/05/exploring-internet-explorer-with.html +# +# +# copyright 2013 QAR, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package ie_settings; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20130328); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets important user IE settings"; +} +sub getDescr{} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching ie_settings v.".$VERSION); + ::rptMsg("ie_settings v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my $ua; + eval { + $ua = $key->get_value("User Agent")->get_data(); + ::rptMsg("User Agent = ".$ua); + }; + + my $zonessecupgrade; + eval { + $zonessecupgrade = $key->get_value("ZonesSecurityUpgrade")->get_data(); + my ($z0,$z1) = unpack("VV",$zonessecupgrade); + ::rptMsg("ZonesSecurityUpgrade = ".gmtime(::getTime($z0,$z1))." 
(UTC)"); + }; + + my $daystokeep; + eval { + $daystokeep = $key->get_subkey("Url History")->get_value("DaysToKeep")->get_data(); + ::rptMsg("DaysToKeep = ".$daystokeep); + }; + if ($@) { + ::rptMsg("DaysToKeep value not found - default is 20 days"); + } + +# AutoConfigURL +# ref: http://technet.microsoft.com/en-us/library/cc736412%28v=ws.10%29.aspx +# http://blog.spiderlabs.com/2012/04/brazilian-banking-malware-pay-your-bill-slacker-.html + eval { + my $auto = $key->get_value("AutoConfigURL")->get_data(); + ::rptMsg("AutoConfigURL: ".$auto); + ::rptMsg("**Possible malware indicator found!!"); + }; + + } + else { + ::rptMsg($key_path." not found."); + } +#----------------------------------------------------------- +# Windows Search integration into IE +# Windows Search indexes URLs for autocompletion +# +# Ref: +# http://www.ghacks.net/2011/03/17/disable-indexing-of-internet-explorer-web-history-by-windows-search/ +# +# +#----------------------------------------------------------- + my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main\\WindowsSearch'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + eval { + my $v = $key->get_value("Version")->get_data(); + ::rptMsg("Version = ".$v); + }; + + ::rptMsg(""); +# Gets information about when the IE history was last cleared by the user + my $cleared; + eval { + $cleared = $key->get_value("Cleared")->get_data(); + if ($cleared == 1) { + ::rptMsg("Cleared = 1"); + my @t = unpack("VV",$key->get_value("Cleared_TIMESTAMP")->get_data()); + my $cl_ts = ::getTime($t[0],$t[1]); + ::rptMsg("Cleared_TIMESTAMP = ".gmtime($cl_ts)." 
UTC"); + ::rptMsg("Analysis Tip: The \'Cleared\' value indicates that the user account "); + ::rptMsg("was used to clear the IE browser history, and the timestamp value indicates"); + ::rptMsg("when this occurred\."); + } + }; + if ($@) { + ::rptMsg("\'Cleared\' value not found\."); + } + ::rptMsg(""); + eval { + my @v = unpack("VV",$key->get_value("LastCrawl")->get_data()); + my $crawl = ::getTime($v[0],$v[1]); + ::rptMsg("LastCrawl = ".gmtime($crawl)." UTC"); + }; + + eval { + my @v = unpack("VV",$key->get_value("UpgradeTime")->get_data()); + my $up = ::getTime($v[0],$v[1]); + ::rptMsg("UpgradeTime = ".gmtime($up)." UTC"); + }; + + eval { + my $path = $key->get_value("User Favorites Path")->get_data(); + ::rptMsg("User Favorites Path = ".$path); + }; + + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/ie_version.pl b/RecentActivity/release/rr-full/plugins/ie_version.pl old mode 100644 new mode 100755 similarity index 88% rename from thirdparty/rr/plugins/ie_version.pl rename to RecentActivity/release/rr-full/plugins/ie_version.pl index 64ce73b046..ca35830b8b --- a/thirdparty/rr/plugins/ie_version.pl +++ b/RecentActivity/release/rr-full/plugins/ie_version.pl 
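Review bot: The AutoConfigURL branch near the end of the first key block in pluginmain reports `**Possible malware indicator found!!` through rptMsg() only, whereas the other plugins added in this commit (iejava, imagefile, inprocserver) raise comparable findings through alertMsg() as well, so this indicator never reaches the alert output. Add `::alertMsg("ALERT: ie_settings: AutoConfigURL set: ".$auto);` inside that eval after the two rptMsg() calls. Separately, the ZonesSecurityUpgrade and Cleared_TIMESTAMP branches unpack `VV` from the value data without checking its length; on a truncated value unpack() yields undef, the eval does not die, and the converted time would presumably be printed as an epoch-zero date as if it were valid — a `length(...) >= 8` guard or at least a comment stating the 8-byte assumption would help the analyst reading the report.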
@@ -1,60 +1,62 @@ -#----------------------------------------------------------- -# ie_version -# Get IE version and build -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package ie_version; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091016); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get IE version and build"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ie_version v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Internet Explorer"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $version; - my $build; - eval { - $build = $key->get_value("Build")->get_data(); - ::rptMsg("IE Build = ".$build); - }; - - eval { - $version= $key->get_value("Version")->get_data(); - ::rptMsg("IE Version = ".$version); - }; - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# ie_version +# Get IE version and build +# +# copyright 2009 H. 
Carvey +#----------------------------------------------------------- +package ie_version; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20091016); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get IE version and build"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching ie_version v.".$VERSION); + ::rptMsg("ie_version v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Internet Explorer"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my $version; + my $build; + eval { + $build = $key->get_value("Build")->get_data(); + ::rptMsg("IE Build = ".$build); + }; + + eval { + $version= $key->get_value("Version")->get_data(); + ::rptMsg("IE Version = ".$version); + }; + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/iejava.pl b/RecentActivity/release/rr-full/plugins/iejava.pl new file mode 100755 index 0000000000..160e875c84 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/iejava.pl 
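Review bot: This ie_version hunk shows every line of the file as removed and re-added although the only functional change is the two banner `::rptMsg(...)` calls inserted after the logMsg() line in pluginmain; the imagedev.pl and init_dlls.pl hunks later in this diff have exactly the same shape. A whole-file rewrite accompanying a rename and mode change usually indicates a line-ending or encoding normalisation, and it hides the real two-line change from review and from future blame. Consider committing the rename/mode/line-ending normalisation separately from the banner addition, or at least stating the cause in the commit message.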
@@ -0,0 +1,81 @@ +#----------------------------------------------------------- +# iejava.pl +# checks contents of Multimedia\Other key +# Category: Malware +# +# History +# 20130429 - added alertMsg() functionality +# 20130214 - created +# +# References +# http://www.greyhathacker.net/?p=610 +# +# See also: http://support.microsoft.com/kb/2751647 +# +# Notes: this was seen on a system that was infected with ZeroAccess; during +# the infection process, the key in question was set and the Flags value was +# set to 1. +# +# copyright 2013, Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package iejava; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130429); + +sub getConfig{return %config} + +sub getShortDescr { + return "Checks NTUSER for status of kill bit for IE Java ActiveX control"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + + ::logMsg("Launching iejava v.".$VERSION); + ::rptMsg("iejava v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{8AD9C840-044E-11D1-B3E9-00805F499D93}"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my $flags; + eval { + $flags = $key->get_value("Flags")->get_data(); + ::rptMsg("Flags: ".$flags); + if ($flags == 1) { + ::rptMsg(" If the Flags value is set to 1, the IE Java ActiveX control is disabled,"); + ::rptMsg(" as if thru IE's \"Manage Add-ons\"\. 
Note: this NOT setting the kill bit."); + ::alertMsg("ALERT: ".$key_path." Flag value set to 1; IE Java ActiveX control disabled\."); + } + + }; + if ($@) { + ::rptMsg("Flags value not found\."); + } + + } + else { + ::rptMsg($key_path." not found."); + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/imagedev.pl b/RecentActivity/release/rr-full/plugins/imagedev.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/imagedev.pl rename to RecentActivity/release/rr-full/plugins/imagedev.pl index 5822ae7a15..4a486a9874 --- a/thirdparty/rr/plugins/imagedev.pl +++ b/RecentActivity/release/rr-full/plugins/imagedev.pl 
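Review bot: The file header says this plugin `checks contents of Multimedia\Other key`, but pluginmain reads `Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}`, so the header is stale and should be replaced with something like `# Checks the Ext\Settings entry for the IE Java ActiveX control CLSID for a Flags value`. The test `if ($flags == 1)` treats Flags as an exact value; if Flags is a bit field (the referenced KB article would confirm), a value with additional bits set would silently be reported as not disabled, in which case `if ($flags & 1)` is the intended check — otherwise a comment stating that 1 is the only expected value would settle it. The reported string `Note: this NOT setting the kill bit.` is also missing a word (`this is NOT`).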
@@ -1,85 +1,87 @@ -#----------------------------------------------------------- -# imagedev.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package imagedev; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080730); - -sub getConfig{return %config} - -sub getShortDescr { - return " -- "; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching imagedev v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - eval { - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - }; - if ($@) { - ::rptMsg("Problem locating proper controlset: $@"); - return; - } - - my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("imagedev"); - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @sk = $key->get_list_of_subkeys(); - - if (scalar(@sk) > 0) { - ::rptMsg("Still Image Capture Devices"); - foreach my $s (@sk) { - my $name = $s->get_name(); - next unless ($name =~ m/^\d{4}$/); - my $friendly; - eval { - $friendly = $s->get_value("FriendlyName")->get_data(); - ::rptMsg(" ".$friendly); - }; - if ($@) { - ::logMsg("Error getting device FriendlyName in imagedev: ".$@); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# imagedev.pl +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package imagedev; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080730); + +sub getConfig{return %config} + +sub getShortDescr { + return " -- "; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching imagedev v.".$VERSION); + ::rptMsg("imagedev v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + eval { + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + }; + if ($@) { + ::rptMsg("Problem locating proper controlset: $@"); + return; + } + + my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("imagedev"); + ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @sk = $key->get_list_of_subkeys(); + + if (scalar(@sk) > 0) { + ::rptMsg("Still Image Capture Devices"); + foreach my $s (@sk) { + my $name = $s->get_name(); + next unless ($name =~ m/^\d{4}$/); + my $friendly; + eval { + $friendly = $s->get_value("FriendlyName")->get_data(); + ::rptMsg(" ".$friendly); + }; + if ($@) { + ::logMsg("Error getting device FriendlyName in imagedev: ".$@); + } + } + } + else { + ::rptMsg($key_path." 
has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/imagefile.pl b/RecentActivity/release/rr-full/plugins/imagefile.pl new file mode 100755 index 0000000000..17a94f4688 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/imagefile.pl 
@@ -0,0 +1,106 @@ +#----------------------------------------------------------- +# imagefile +# +# References: +# http://msdn2.microsoft.com/en-us/library/a329t4ed(VS\.80)\.aspx +# CWDIllegalInDllSearch: http://support.microsoft.com/kb/2264107 +# +# Change history: +# 20130425 - added alertMsg() functionality +# 20130410 - added Wow6432Node support +# 20100824 - added check for "CWDIllegalInDllSearch" value +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package imagefile; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130425); + +sub getConfig{return %config} +sub getShortDescr { + return "Checks IFEO subkeys for Debugger & CWDIllegalInDllSearch values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching imagefile v.".$VERSION); + ::rptMsg("imagefile v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my @paths = ("Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", + "Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"); + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); +# ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + my %debug; + my $i = "Your Image File Name here without a path"; + foreach my $s (@subkeys) { + my $name = $s->get_name(); + next if ($name =~ m/^$i/i); + my $debugger; + eval { + $debugger = $s->get_value("Debugger")->get_data(); + }; +# If the eval{} throws an error, it's b/c the Debugger value isn't +# found within the key, so we don't need to do anything w/ the error + if ($debugger ne "") { + $debug{$name}{debug} = $debugger; + $debug{$name}{lastwrite} = $s->get_timestamp(); + } + + my $dllsearch = ""; + eval { + $dllsearch = $s->get_value("CWDIllegalInDllSearch")->get_data(); + }; +# If the eval{} throws an error, it's b/c the Debugger value isn't +# found within the key, so we don't need to do anything w/ the error + if ($dllsearch ne "") { + $debug{$name}{dllsearch} = sprintf "0x%x",$dllsearch; + $debug{$name}{lastwrite} = $s->get_timestamp(); + } + } + + if (scalar (keys %debug) > 0) { + foreach my $d (keys %debug) { + ::rptMsg($d." LastWrite: ".gmtime($debug{$d}{lastwrite})); + ::rptMsg(" Debugger : ".$debug{$d}{debug}) if (exists $debug{$d}{debug}); + ::alertMsg("Alert: imagefile: Debugger value found : ".$debug{$d}{debug}) if (exists $debug{$d}{debug}); + ::rptMsg(" CWDIllegalInDllSearch: ".$debug{$d}{dllsearch}) if (exists $debug{$d}{dllsearch}); + } + } + else { + ::rptMsg("No Debugger/CWDIllegalInDllSearch values found."); + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/init_dlls.pl b/RecentActivity/release/rr-full/plugins/init_dlls.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/init_dlls.pl rename to RecentActivity/release/rr-full/plugins/init_dlls.pl index d729a6b716..58fcbc3766 --- a/thirdparty/rr/plugins/init_dlls.pl 
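Review bot: The alertMsg() call in the reporting loop of pluginmain omits the subkey name `$d`, so an alert reads `Debugger value found : <path>` without saying which executable's IFEO entry carries it — an analyst working from the alert stream alone cannot act on it. Change it to `::alertMsg("Alert: imagefile: ".$d." Debugger value found : ".$debug{$d}{debug}) if (exists $debug{$d}{debug});`. The comment above the CWDIllegalInDllSearch eval was copied from the Debugger block and still says `the Debugger value isn't found`; it should name CWDIllegalInDllSearch. Finally, `$debugger` is left undefined when its eval fails while `$dllsearch` is initialised to `""`; initialise both the same way (`my $debugger = "";`) so the `ne ""` tests do not depend on undef stringification.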
+++ b/RecentActivity/release/rr-full/plugins/init_dlls.pl 
@@ -1,77 +1,79 @@ -#----------------------------------------------------------- -# init_dlls.pl -# Plugin to assist in the detection of malware per Mark Russinovich's -# blog post (References, below) -# -# Change History: -# 20110309 - created -# -# References -# http://blogs.technet.com/b/markrussinovich/archive/2011/02/27/3390475.aspx -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package init_dlls; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20110309); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check for odd **pInit_Dlls keys"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my @init; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching init_dlls v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Windows"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("init_dlls"); - ::rptMsg($key_path); - ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - next if ($name eq "AppInit_DLLs"); - push(@init,$name) if ($name =~ m/Init_DLLs$/); - } - - if (scalar @init > 0) { - foreach my $n (@init) { - ::rptMsg($n); - } - } - else { - ::rptMsg("No additional values named *Init_DLLs located."); - } - - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# init_dlls.pl +# Plugin to assist in the detection of malware per Mark Russinovich's +# blog post (References, below) +# +# Change History: +# 20110309 - created +# +# References +# http://blogs.technet.com/b/markrussinovich/archive/2011/02/27/3390475.aspx +# +# copyright 2011 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package init_dlls; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20110309); + +sub getConfig{return %config} + +sub getShortDescr { + return "Check for odd **pInit_Dlls keys"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my @init; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching init_dlls v.".$VERSION); + ::rptMsg("init_dlls v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Windows"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("init_dlls"); + ::rptMsg($key_path); + ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + next if ($name eq "AppInit_DLLs"); + push(@init,$name) if ($name =~ m/Init_DLLs$/); + } + + if (scalar @init > 0) { + foreach my $n (@init) { + ::rptMsg($n); + } + } + else { + ::rptMsg("No additional values named *Init_DLLs located."); + } + + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr-full/plugins/inprocserver.pl b/RecentActivity/release/rr-full/plugins/inprocserver.pl new file mode 100755 index 0000000000..8281f210e0 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/inprocserver.pl 
@@ -0,0 +1,100 @@ +#----------------------------------------------------------- +# inprocserver.pl +# Plugin to extract file association data from the Software hive file +# Can take considerable time to run; recommend running it via rip.exe +# +# History +# 20130429 - added alertMsg() functionality +# 20130212 - fixed retrieving LW time from correct key +# 20121213 - created +# +# To-Do: +# - add support for NTUSER.DAT (XP) and USRCLASS.DAT (Win7) +# +# References +# http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx +# Apparently, per Sophos, ZeroAccess remains persistent by modifying a CLSID value that +# points to a WMI component. The key identifier is that it employs a path to +# "\\.\globalroot...", hence the match function. +# +# copyright 2012, Quantum Analytics Research, LLC +#----------------------------------------------------------- +package inprocserver; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130429); + +sub getConfig{return %config} + +sub getShortDescr { + return "Checks CLSID InProcServer32 values for indications of ZeroAccess infection"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %clsid; + my %susp = (); + + ::logMsg("Launching inprocserver v.".$VERSION); + ::rptMsg("inprocserver v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Classes\\CLSID"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); +# First step will be to get a list of all of the file extensions + my %ext; + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); + eval { + my $n = $s->get_subkey("InprocServer32")->get_value("")->get_data(); + if (($n =~ m/^C:\\Users/) || grep(/Recycle/,$n) || grep(/RECYCLE/,$n) || grep(/globalroot/,$n) || $n =~ m/\\n\.$/) { + my $lw = $s->get_subkey("InprocServer32")->get_timestamp(); + $susp{$lw}{name} = $name; + $susp{$lw}{data} = $n; + } + }; + + } + + if (scalar(keys %susp) > 0) { + foreach my $t (sort {$a <=> $b} keys %susp) { + ::rptMsg("Key path: ".$key_path."\\".$susp{$t}{name}); + ::rptMsg("LastWrite: ".gmtime($t)); + ::rptMsg("Value Data: ".$susp{$t}{data}); + ::alertMsg($key_path."\\".$susp{$t}{name}.": ".$susp{$t}{data}); + ::rptMsg(""); + } + } + else { + ::rptMsg("No suspicious InprocServer32 values found."); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/inprocserver_u.pl b/RecentActivity/release/rr-full/plugins/inprocserver_u.pl new file mode 100755 index 0000000000..986c6fcd1d --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/inprocserver_u.pl 
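Review bot: `%susp` in pluginmain is keyed by the InprocServer32 LastWrite timestamp, so two suspicious CLSIDs whose InprocServer32 keys share a timestamp — plausible when several keys are written in one pass — collide and only the last one is reported and alerted; a detection plugin should not drop findings this way, and the same structure is in inprocserver_u.pl in the next hunk. Keep the per-timestamp ordering but store a list of hits per timestamp, as installedcomp.pl already does with `push(@{$comp{$lastwrite}},$str)`; the rewritten collection and reporting lines follow. Unrelated: `%clsid` and `%ext` are declared but never used, the `grep(/Recycle/,$n)` calls on a scalar are more idiomatically written `$n =~ /Recycle/`, and the header still says `Plugin to extract file association data`, which describes a different plugin.
```perl
                                my $lw = $s->get_subkey("InprocServer32")->get_timestamp();
                                push(@{$susp{$lw}}, {name => $name, data => $n});
# … unchanged: end of eval and subkey loop …
                        if (scalar(keys %susp) > 0) {
                                foreach my $t (sort {$a <=> $b} keys %susp) {
                                        foreach my $hit (@{$susp{$t}}) {
                                                ::rptMsg("Key path: ".$key_path."\\".$hit->{name});
                                                ::rptMsg("LastWrite: ".gmtime($t));
                                                ::rptMsg("Value Data: ".$hit->{data});
                                                ::alertMsg($key_path."\\".$hit->{name}.": ".$hit->{data});
                                                ::rptMsg("");
                                        }
                                }
                        }
```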
@@ -0,0 +1,101 @@ +#----------------------------------------------------------- +# inprocserver_u.pl +# Plugin to extract file association data from the Software hive file +# Can take considerable time to run; recommend running it via rip.exe +# +# History +# 20130429 - added alertMsg() functionality +# 20130212 - fixed retrieving LW time from correct key +# 20121219 - created +# +# To-Do: +# - add support for NTUSER.DAT (XP) and USRCLASS.DAT (Win7) +# +# References +# http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx +# Apparently, per Sophos, ZeroAccess remains persistent by modifying a CLSID value that +# points to a WMI component. The key identifier is that it employs a path to +# "\\.\globalroot...", hence the match function. +# +# copyright 2012, Quantum Analytics Research, LLC +#----------------------------------------------------------- +package inprocserver_u; +use strict; + +my %config = (hive => "USRCLASS\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130429); + +sub getConfig{return %config} + +sub getShortDescr { + return "Checks CLSID InProcServer32 values for indications of ZeroAccess infection"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %clsid; + my %susp = (); + + ::logMsg("Launching inprocserver_u v.".$VERSION); + ::rptMsg("inprocserver_u v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "CLSID"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); +# First step will be to get a list of all of the file extensions + my %ext; + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); + eval { + my $n = $s->get_subkey("InprocServer32")->get_value("")->get_data(); +# ::rptMsg(" -> ".$n); + if (($n =~ m/^C:\\Users/) || grep(/Recycle/,$n) || grep(/RECYCLE/,$n)|| grep(/globalroot/,$n) || $n =~ m/\\n\.$/) { + my $lw = $s->get_subkey("InprocServer32")->get_timestamp(); + $susp{$lw}{name} = $name; + $susp{$lw}{data} = $n; + } + }; + + } + + if (scalar(keys %susp) > 0) { + foreach my $t (sort {$a <=> $b} keys %susp) { + ::rptMsg("Key path: ".$key_path."\\".$susp{$t}{name}); + ::rptMsg("LastWrite: ".gmtime($t)); + ::rptMsg("Value Data: ".$susp{$t}{data}); + ::alertMsg($key_path."\\".$susp{$t}{name}.": ".$susp{$t}{data}); + ::rptMsg(""); + } + } + else { + ::rptMsg("No suspicious InprocServer32 values found."); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/installedcomp.pl b/RecentActivity/release/rr-full/plugins/installedcomp.pl new file mode 100755 index 0000000000..4cd51fef90 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/installedcomp.pl 
@@ -0,0 +1,127 @@ +#----------------------------------------------------------- +# installedcomp.pl +# Get info about Installed Components +# +# Change history: +# 20130410 - added Wow6432Node support +# 20100116 - updated for slightly better coverage +# 20100115 - created +# +# References: +# +# Notes: Look for out of place entries, particularly those +# that point to the Recycle Bin or a temp directory +# +# copyright 2013 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package installedcomp; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130410); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get info about Installed Components/StubPath"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %comp; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching installedcomp v.".$VERSION); + ::rptMsg("installedcomp v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my @paths = ("Microsoft\\Active Setup\\Installed Components", + "Wow6432Node\\Microsoft\\Active Setup\\Installed Components"); + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $lastwrite = $s->get_timestamp(); + + my $str; + eval { + $str = $s->get_value("ComponentID")->get_data(); + }; + + eval { + my $ver = $s->get_value("Version")->get_data(); + $str .= " v.".$ver if ($ver && $s->get_value("Version")->get_type() == 1); + }; + + eval { + my $stub = $s->get_value("StubPath")->get_data(); + $str .= "; ".$stub if ($stub ne ""); + }; + +# If the $str scalar is empty at this point, that means that for +# some reason, we haven't been able to populate the information +# we're looking for; in this case, we'll go looking for some info +# in a different area of the hive; the BHO.pl plugin does this, as +# well. I'd rather that the plugin look for the Classes info than +# leave a blank entry in the output. + if ($str eq "") { + my $name = $s->get_name(); + my $class_path = "Classes\\CLSID\\".$name; + my $proc; + if ($proc = $root_key->get_subkey($class_path)) { +# Try these two eval{} statements because I've seen the different +# spellings for InProcServer32/InprocServer32 in sequential keys + eval { + $str = $proc->get_subkey("InprocServer32")->get_value("")->get_data(); + }; + + eval { + $str = $proc->get_subkey("InProcServer32")->get_value("")->get_data(); + }; + } + else { + $str = $name." class not found."; + } + } + + push(@{$comp{$lastwrite}},$str); + } + + foreach my $t (reverse sort {$a <=> $b} keys %comp) { + ::rptMsg(gmtime($t)." (UTC)"); + foreach my $item (@{$comp{$t}}) { + ::rptMsg(" ".$item); + } + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/installer.pl b/RecentActivity/release/rr-full/plugins/installer.pl new file mode 100755 index 0000000000..4bb94e943b --- /dev/null 
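Review bot: `%comp` is a file-scope hash that is filled and then printed inside the `foreach my $key_path (@paths)` loop but never cleared, so when both the native and the Wow6432Node key exist the second iteration re-reports every entry collected from the first, duplicating the output (and entries would also carry over if the package were invoked twice in one process). Declare it per path: drop the file-level `my %comp;` and make `my %comp;` the first statement inside the foreach loop, or put `%comp = ();` at the top of each iteration. Also, `if ($str eq "")` relies on undef stringifying to `""` when ComponentID is missing; `my $str = "";` makes that intent explicit.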
+++ b/RecentActivity/release/rr-full/plugins/installer.pl 
@@ -0,0 +1,110 @@ +#----------------------------------------------------------- +# installer.pl +# Attempts to get InstallDate, DisplayName, DisplayVersion, and +# Publisher values from Installer\UserData subkeys +# +# History +# 20120917 - created +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package installer; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 31, #XP - Win7 + version => 20120917); + +sub getConfig{return %config} +sub getShortDescr { + return "Determines product install information"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching installer v.".$VERSION); + ::rptMsg("Launching installer v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Installer\\UserData'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Installer"); + ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg("User SID: ".$s->get_name()); + processSubkeys($s); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} + +sub processSubkeys { + my $key = shift; + my $name = $key->get_name(); + + my @subkeys = $key->get_subkey("Products")->get_list_of_subkeys(); + + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + + my ($display, $date, $version, $publisher); + my $str; + my $lw = $s->get_timestamp(); + ::rptMsg("Key : ".$s->get_name()); + ::rptMsg("LastWrite: ".gmtime($lw)); + eval { + $date = $s->get_subkey("InstallProperties")->get_value("InstallDate")->get_data(); + $str = $date." - "; + }; + + eval { + $display = $s->get_subkey("InstallProperties")->get_value("DisplayName")->get_data(); + $str .= $display; + }; + + eval { + $version = $s->get_subkey("InstallProperties")->get_value("DisplayVersion")->get_data(); + $str .= " ".$version; + }; + + eval { + $publisher = $s->get_subkey("InstallProperties")->get_value("Publisher")->get_data(); + $str .= " (".$publisher.") "; + }; + + ::rptMsg($str); + ::rptMsg(""); + } + + } + else { + ::rptMsg("Key ".$name." has no subkeys."); + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/internet_explorer_cu.pl b/RecentActivity/release/rr-full/plugins/internet_explorer_cu.pl new file mode 100755 index 0000000000..2211215371 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/internet_explorer_cu.pl 
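Review bot: processSubkeys calls `$key->get_subkey("Products")->get_list_of_subkeys()` without checking that the Products subkey exists, so a per-SID UserData entry that lacks it (plausible for a user with no installed products, and for a hive an analyst has no control over) makes Perl die on an undefined value and aborts the whole plugin instead of just that SID; the surrounding eval{} blocks only protect the value lookups, not this call. Guarding it keeps the rest of the report: `my $products = $key->get_subkey("Products");` / `unless (defined $products) { ::rptMsg("Key ".$name." has no Products subkey."); return; }` / `my @subkeys = $products->get_list_of_subkeys();`. Relatedly, when all four eval{} blocks fail `$str` is still undef and `::rptMsg($str)` emits a blank line with no indication that the InstallProperties subkey was missing; initialising `my $str = "";` and reporting a placeholder when it stays empty would make the gap visible in the output. The commented-out LastWrite line in pluginmain should either be restored or removed rather than shipped as dead code.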
@@ -0,0 +1,575 @@ +#------------------------------------------------------------------------------ +# internet_explorer_cu.pl +# NTUSER.DAT Internet Explorer key parser +# Try to get useful information on IE +# Note: it's not tested against all IE versions available +# WARNING: there exist a huge work to be done, IE settings +# are a lot and they are sparse in registries +# +# Change history +# 20120426 [fpi] % created and working on +# 20120513 [fpi] % first release +# 20120528 [fpi] % released to public +# +# References +# "Geoff Chappell - Internet Explorer Registry API " => +# "http://www.geoffchappell.com/studies/windows/ie/iertutil/api/ierapi/index.htm", +# "Internet Explorer Maintenance Extension Tools and Settings" +# http://technet.microsoft.com/en-us/library/cc736412%28v=ws.10%29.aspx +# "Introduction to Web Storage" +# http://msdn.microsoft.com/en-us/library/cc197062%28v=vs.85%29.aspx +# "How can I configure my Internet Explorer browser settings after I have removed malicious software from my computer?" +# http://support.microsoft.com/kb/895339 +# "How to Change the Internet Explorer Window Title" +# http://support.microsoft.com/kb/176497 +# +# The plugin will not parse *every* IE subkeys. The list of subkeys I was able +# to found inside my NTUSER.DAT registries (a join of XP, Vista, 7) is following. Note that: +# (P) means parsed, (*) means not parsed but interesting (a TODO), nothing means not parsed. 
+# +# Registries coming from (and tested on): +# (A) Windows7 Professional 32bit - IE 9.0.8112.16421 +# (B) Windows7 Ultimate 64bit - IE 9.0.8112.16421 +# (C) Windows XP Home 32bit - IE 8.0.6001.18702 +# (D) Windows Vista 64bit - IE 7.0.6002.18005 +# +# HKCU\Software\Microsoft\Internet Explorer subkeys list: +# +# Activities (*) [ A ] +# ApprovedExtensions (*) [ B ] +# ApproveExtensionsMigration (*) [ A B ] +# AutoComplete (P) [ A ] +# BrowserEmulation [ A B C ] +# CaretBrowsing [ A ] +# CommandBar [ A B C D ] +# Default HTML Editor [ C D ] +# Default MHTML Editor [ D ] +# Desktop [ A B C D ] +# Document Windows [ A B C D ] +# DOMStorage (P) [ A B C ] +# Download (*) [ A B C D ] +# DxTrans [ A ] +# Expiration [ A ] +# Explorer Bars [ A ] +# Extensions (*) [ A B C D ] +# Feed Discovery [ A ] +# Feeds [ A D ] +# Geolocation (*) [ A ] +# GPActivities [ A ] +# GPU [ A B ] +# Help_Menu_URLs [ A B C D ] +# IEDevTools (*) [ A B ] +# IETld (P) [ A B C ] +# InformationBar [ C D ] +# IntelliForms (*) [ A B C D ] +# International (*) [ A B C D ] +# InternetRegistry [ A B C D ] +# LinksBar [ A B C ] +# LinksExplorer [ A C D ] +# LowRights [ B D ] +# LowRegistry [ A B C D ] +# Main (P) [ A B C D ] +# MAO Settings [ A B C ] +# Media [ A C D ] +# MenuExt (*) [ A B C D ] +# MINIE [ A B ] +# New Windows [ A B C D ] +# PageSetup [ A B C D ] +# PhishingFilter (*) [ A B C D ] +# Privacy (P) [ A C ] (user settings ndr) +# ProtocolExecute [ A ] +# Recovery (P) [ A B C ] +# Safety [ A ] +# SearchScopes (*) [ A B C D ] +# SearchUrl [ A B C D ] +# Security (*) [ A B C D ] +# Services [ A B C D ] (empty? ndr) +# Settings [ A B C D ] +# Setup [ A B D ] +# SiteMode [ A B C D ] +# SQM (*) [ A B C ] +# Styles [ A ] +# Suggested Sites (P) [ A B C ] +# TabbedBrowsing [ A B C D ] +# TaskbarPreview [ A ] +# Text Scaling [ A ] +# Toolbar [ A B C D ] +# TypedURLs [ B C ] (hum?! 
ndr) +# UpgradeIEAd [ A ] +# URLSearchHooks (*) [ A B C D ] +# User Preferences (*) [ A B C ] +# View Source Editor [ A ] +# Zoom [ A B C D ] +# +# copyright 2012 F. Picasso francesco.picasso@gmail.com +#------------------------------------------------------------------------------ +package internet_explorer_cu; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120528); + +sub getConfig{return %config} +sub getShortDescr { + return "Get HKCU information on Internet Explorer"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Geoff Chappell - Internet Explorer Registry API " => + "http://www.geoffchappell.com/studies/windows/ie/iertutil/api/ierapi/index.htm", + "Internet Explorer Maintenance Extension Tools and Settings" => + "http://technet.microsoft.com/en-us/library/cc736412%28v=ws.10%29.aspx", + "Introduction to Web Storage" => + "http://msdn.microsoft.com/en-us/library/cc197062%28v=vs.85%29.aspx", + "How can I configure my Internet Explorer browser settings after I have removed malicious software from my computer?" 
=> + "http://support.microsoft.com/kb/895339", + "How to Change the Internet Explorer Window Title" => + "http://support.microsoft.com/kb/176497" + ); +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +my $VERSION = getVersion(); + +#------------------------------------------------------------------------------ + +my $tab0 = ""; +my $tab2 = " "; +my $tab4 = " "; +my $tab6 = " "; +my $tab8 = " "; + +my $align10 = "%-10s"; +my $align15 = "%-15s"; +my $align20 = "%-20s"; +my $align25 = "%-25s"; +my $align30 = "%-30s"; +my $align40 = "%-40s"; + +#------------------------------------------------------------------------------ + +my %IE_MAIN_TRANSLATE = ( + "AdminTabProcs" => \&trBool, + "AllowWindowReuse" => \&trBool, + "AlwaysShowMenus" => \&trBool, + "AutoSearch" => \&trBool, + "Cleanup HTCs" => \&trBool, + "CompatibilityFlags" => \&trNumHex, + "Display Inline Videos" => \&trBool, + "DNSPreresolution" => \&trNumHex, + "Do404Search" => \&trDo404Search, + "DOMStorage" => \&trBool, + "DownloadWindowPlacement" => \&trSkip, + "EnableSearchPane" => \&trBool, + "ForceGDIPlus" => \&trBool, + "FrameMerging" => \&trBool, + "FrameShutdownDelay" => \&trBool, + "FrameTabWindow" => \&trBool, + "GotoIntranetSiteForSingleWordEntry" => \&trBool, + "HangRecovery" => \&trBool, + "HistoryViewType" => \&trHex, + "IE8RunOnceCompletionTime" => \&trFileTime, + "IE8RunOnceLastShown" => \&trBool, + "IE8RunOnceLastShown_TIMESTAMP" => \&trFileTime, + "IE8RunOncePerInstallCompleted" => \&trBool, + "IE8TourShown" => \&trBool, + "IE8TourShownTime" => \&trFileTime, + "IE9RecommendedSettingsNo" => \&trBool, + "IE9RunOnceCompletionTime" => \&trFileTime, + "IE9RunOnceLastShown" => \&trBool, + "IE9RunOncePerInstallCompleted" => \&trBool, + "IE9TourNoShow" => \&trBool, + "IE9TourShown" => \&trBool, + "IE9TourShownTime" => \&trFileTime, + "MinIEEnabled" => \&trBool, + "NoUpdateCheck" => \&trBool, + "NscSingleExpand" => \&trBool, + "Q300829" => \&trBool, + 
"SearchControlWidth" => \&trSkip, + "SessionMerging" => \&trBool, + "Show image placeholders" => \&trBool, + "ShutdownWaitForOnUnload" => \&trBool, + "SmoothScroll" => \&trSkip, + "Start Page Redirect Cache_TIMESTAMP" => \&trFileTime, + "StatusBarWeb" => \&trBool, + "SuppressScriptDebuggerDialog" => \&trBool, + "TabShutdownDelay" => \&trNumHex, + "Use Stylesheets" => \&trBool, + "UseHR" => \&trBool, + "UseThemes" => \&trBool, + "Window_Placement" => \&trSkip, + "XDomainRequest" => \&trBool, + "XMLHTTP" => \&trBool +); + +my %IE_MAIN_WINSEARCH_TRANSLATE = ( + "AutoCompleteGroups" => \&trNumHex, + "Cleared" => \&trBool, + "Cleared_TIMESTAMP" => \&trFileTime, + "ConfiguredScopes" => \&trNumHex, + "Disabled" => \&trBool, + "EnabledScopes" => \&trNumHex, + "LastCrawl" => \&trFileTime, + "UpgradeTime" => \&trFileTime +); + +my %IE_PRIVACY_TRANSLATE = ( + "CleanDownloadHistory" => \&trBool, + "CleanInPrivateBlocking" => \&trBool, + "CleanPassword" => \&trBool, + "CleanTrackingProtection" => \&trBool, + "ClearBrowsingHistoryOnExit" => \&trBool, + "UseAllowList" => \&trBool +); + +my %IE_RECOVERY_TRANSLATE = ( + "AutoRecover" => \&trBool, + "NoReopenLastSession" => \&trBool +); + +my %IE_SUGGSITES_TRANSLATE = ( + "MigrationTime" => \&trFileTime, + "ObjectsCreated" => \&trBool, + "ObjectsCreated_TIMESTAMP" => \&trFileTime +); + +#------------------------------------------------------------------------------ + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg( "Launching internet_explorer_cu v.".$VERSION ); + ::rptMsg( "internet_explorer_cu v.".$VERSION ); + ::rptMsg( "(".getHive().") ".getShortDescr()."\n" ); + + my $reg = Parse::Win32Registry->new( $hive ); + my $root_key = $reg->get_root_key; + my $key_path_ie = "Software\\Microsoft\\Internet Explorer"; + my $key_path = $key_path_ie; + my $key; + my $tab; my $align; + my $vdata; my $vname; + + # 20120426 [fpi] : getting the main key + $key = $root_key->get_subkey( $key_path ); + if ( not $key ) { + 
::rptMsg( $key_path." not found." ); + ::logMsg( $key_path." not found." ); + return; + } + + # 20120426 [fpi] : getting, if available, the DownloadDirectory + $tab = $tab2; + $align = $align10; + $vname = "Download Directory"; + ::rptMsg( $key_path ); + ::rptMsg( "LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + $vdata = getValueData( $key, $vname, undef ); + ::rptMsg( sprintf( $tab."$align = '%s'", $vname, $vdata ) ); + ::rptMsg( "" ); + + # --------------------------------------------------------------- + # 20120426 [fpi] : not parsing "ApprovedExtensionsMigration" and + # "ApprovedExtensions" subkeys, which could be + # useful for malware removal and/or for IE timestamping + # Ref: "Internet Explorer Maintenance Extension Tools and Settings" + # http://technet.microsoft.com/en-us/library/cc736412%28v=ws.10%29.aspx + + # --------------------------------------------------------------- + # 20120426 [fpi] : parsing, if available, the AutoComplete subkey + $key_path = $key_path_ie."\\AutoComplete"; + if ( $key = $root_key->get_subkey( $key_path ) ) { + ::rptMsg( $key_path ); + ::rptMsg( "LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + rptAllKeyValues( $key, $tab2, $align10 ); + } + else { + ::rptMsg( $key_path." not found." ); + ::logMsg( $key_path." not found." ); + } + ::rptMsg( "" ); + + # --------------------------------------------------------------- + # 20120426 [fpi] : parsing "DOMstorage", no informations (apart guessing) on the Total + # subkey and values + # Ref: "Introduction to Web Storage" + # http://msdn.microsoft.com/en-us/library/cc197062%28v=vs.85%29.aspx + $key_path = $key_path_ie."\\DOMStorage"; + if ( $key = $root_key->get_subkey( $key_path ) ) { + ::rptMsg( $key_path ); + ::rptMsg( "LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + ::rptMsg( "Subkeys:" ); + rptAllSubKeys( $key, $tab2, $align20 ); + } + else { + ::rptMsg( $key_path." not found." ); + ::logMsg( $key_path." not found." 
); + } + ::rptMsg( "" ); + + # --------------------------------------------------------------- + # 20120502 [fpi] : parsing "IETld", no informations found, guessing + # I sometimes noticed a discrepancy in the last WORD (16bit) + # value between SOFTWARE key and NTUSER key (??) + $key_path = $key_path_ie."\\IETld"; + if ( $key = $root_key->get_subkey( $key_path ) ) { + ::rptMsg( $key_path ); + ::rptMsg( "LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + $vname = "IETldDllVersionHigh"; + $vdata = getValueData( $key, $vname, undef, 1 ); + my ($vhi1, $vhi2) = ("????", "????"); + if ( defined $vdata ) { $vhi1 = $vdata >> 16; $vhi2 = $vdata & 0x0000FFFF; } + $vname = "IETldDllVersionLow"; + $vdata = getValueData( $key, $vname, undef, 1 ); + my ($vlo1, $vlo2) = ("????", "????"); + if ( defined $vdata ) { $vlo1 = $vdata >> 16; $vlo2 = $vdata & 0x0000FFFF; } + ::rptMsg( $tab2."Internet Explorer version = $vhi1.$vhi2.$vlo1.$vlo2" ); + } + else { + ::rptMsg( $key_path." not found." ); + ::logMsg( $key_path." not found." ); + } + ::rptMsg( "" ); + + # --------------------------------------------------------------- + # 20120502 [fpi] : parsing "Main" and "WindowsSearch" subkey. + # Not parsing subkeys "FeatureControl" (could be relevant for + # the security settings) and "Touch". + $key_path = $key_path_ie."\\Main"; + if ( $key = $root_key->get_subkey( $key_path ) ) { + ::rptMsg( $key_path ); + ::rptMsg( "LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + rptAllKeyValuesTrans( $key, \%IE_MAIN_TRANSLATE, $tab2, $align40 ); + #--- Windows Search subkey + $key_path .= "\\WindowsSearch"; + if ( $key = $root_key->get_subkey( $key_path ) ) { + ::rptMsg( "" ); + ::rptMsg( $tab2.$key_path ); + ::rptMsg( $tab2."LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + rptAllKeyValuesTrans( $key, \%IE_MAIN_WINSEARCH_TRANSLATE, $tab4, $align25 ); + } + else { + ::rptMsg( $tab.$key_path." not found." ); + ::logMsg( $key_path." not found." 
); + } + } + else { + ::rptMsg( $key_path." not found." ); + ::logMsg( $key_path." not found." ); + } + ::rptMsg( "" ); + + # --------------------------------------------------------------- + # 20120502 [fpi] : parsing "Privacy", no info here apart guessing. Tests were + # made on Win7 systems: the presence of this key should attest + # that the user changed the Privacy settings; the absence that + # IE is using defaults settings. Counterchecks welcome. + $key_path = $key_path_ie."\\Privacy"; + if ( $key = $root_key->get_subkey( $key_path ) ) { + ::rptMsg( $key_path ); + ::rptMsg( "LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + rptAllKeyValuesTrans( $key, \%IE_PRIVACY_TRANSLATE, $tab2, $align30 ); + } + else { + ::rptMsg( $key_path." not found (IE should use the default Privacy settings)" ); + ::logMsg( $key_path." not found." ); + } + ::rptMsg( "" ); + + # --------------------------------------------------------------- + # 20120502 [fpi] : parsing "Recovery", no information just parsing + $key_path = $key_path_ie."\\Recovery"; + if ( $key = $root_key->get_subkey( $key_path ) ) { + ::rptMsg( $key_path ); + ::rptMsg( "LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + rptAllKeyValuesTrans( $key, \%IE_RECOVERY_TRANSLATE, $tab2, $align25 ); + #--- Subkeys + $key_path = $key_path_ie."\\Recovery"."\\Active"; + if ( $key = $root_key->get_subkey( $key_path ) ) { + ::rptMsg( "\n".$tab2.$key_path ); + ::rptMsg( $tab2."LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + rptAllKeyValues( $key, $tab4, $align25 ); + } + else { + ::rptMsg( "\n".$tab2.$key_path." not found." ); + ::logMsg( $key_path." not found." ); + } + $key_path = $key_path_ie."\\Recovery"."\\AdminActive"; + if ( $key = $root_key->get_subkey( $key_path ) ) { + ::rptMsg( "\n".$tab2.$key_path ); + ::rptMsg( $tab2."LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + rptAllKeyValues( $key, $tab4, $align25 ); + } + else { + ::rptMsg( "\n".$tab2.$key_path." 
not found." ); + ::logMsg( $key_path." not found." ); + } + $key_path = $key_path_ie."\\Recovery"."\\PendingDelete"; + if ( $key = $root_key->get_subkey( $key_path ) ) { + ::rptMsg( "\n".$tab2.$key_path ); + ::rptMsg( $tab2."LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + rptAllKeyValues( $key, $tab4, $align25 ); + } + else { + ::rptMsg( "\n".$tab2.$key_path." not found." ); + ::logMsg( $key_path." not found." ); + } + } + else { + ::rptMsg( $key_path." not found." ); + ::logMsg( $key_path." not found." ); + } + ::rptMsg( "" ); + + # --------------------------------------------------------------- + # 20120502 [fpi] : parsing "Suggested Site", lot of web info regarding + # the privacy issue derived from this feature. But almost + # every privacy issue is a good source for an analyst ;) + $key_path = $key_path_ie."\\Suggested Sites"; + if ( $key = $root_key->get_subkey( $key_path ) ) { + ::rptMsg( $key_path ); + ::rptMsg( "LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + rptAllKeyValuesTrans( $key, \%IE_SUGGSITES_TRANSLATE, $tab2, $align30 ); + } + else { + ::rptMsg( $key_path." not found." ); + ::logMsg( $key_path." not found." ); + } + ::rptMsg( "" ); +} + +#------------------------------------------------------------------------------ + +sub trBool +{ + my $data = shift; my $temp = "true "; + if ( $data != 0 and $data != 1 ) { + $temp = "$data (WARNING: expected a boolean '0|1'!)"; + return $temp; + } + $temp = "false" if ( $data == 0 ); + $temp .= " [$data]"; + return $temp; +} + +sub trDo404Search +{ + my $data = shift; my $temp; + $temp = unpack( "V" , $data ); + return $temp." [0x".unpack( "H*", $data )."]"; +} + +sub trFileTime +{ + my $data = shift; + my ( $t0, $t1 ) = unpack( "VV",$data ); + $data = gmtime( ::getTime( $t0, $t1 ) )." 
UTC"; + return $data; +} + +sub trHex +{ + my $data = shift; + $data = unpack( "H*", $data ); + return "0x".$data; +} + +sub trNumHex +{ + my $data = shift; + return sprintf( "%u [0x%08X]", $data, $data ); +} + +sub trSkip +{ + return ""; +} + +#------------------------------------------------------------------------------ + +sub getKeyValues { + my $key = shift; + my %vals; + my @vk = $key->get_list_of_values(); + if (scalar(@vk) > 0) { + foreach my $v (@vk) { + next if ($v->get_name() eq "" && $v->get_data() eq ""); + $vals{$v->get_name()} = $v->get_data(); + } + } + else { + } + return %vals; +} + +#------------------------------------------------------------------------------ + +sub getValueData +{ + # key, value name, translator, use stub + my $key = shift; my $vn = shift; + my $trans = shift; my $stub = shift; + my $vd; my $vo; + $vo = $key->get_value( $vn ); + if ( not defined $vo ) { + return undef unless defined $stub; + $vd = ""; + } + else { + $vd = $vo->get_data(); + if ( defined $trans ) { + $vd = $trans->( $vd ); + } + } + return $vd; +} + +#------------------------------------------------------------------------------ + +sub rptAllSubKeys +{ + # key, tab, align + my @subkeys = $_[0]->get_list_of_subkeys(); + foreach my $k (@subkeys) { + ::rptMsg( sprintf( $_[1]."$_[2] --- %s", + $k->get_name() ) . gmtime( $k->get_timestamp() ) . 
" UTC" ); + } +} + +#------------------------------------------------------------------------------ + +sub rptAllKeyValues +{ + # key, tab, align + my @vals = sort {lc $a->get_name() cmp lc $b->get_name} $_[0]->get_list_of_values(); + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + ::rptMsg( sprintf( $_[1]."$_[2] = %s", $val, $data ) ); + } +} +#------------------------------------------------------------------------------ + +sub rptAllKeyValuesTrans +{ + # key, ttlb, tab, align, + my $key = shift; my $ttlb = shift; + my $tab = shift; my $align = shift; + my $vname; my $vdata; my $trans; + + my @vals = sort {lc $a->get_name() cmp lc $b->get_name} $key->get_list_of_values(); + foreach my $v (@vals) { + $vname = $v->get_name(); + $vdata = $v->get_data(); + $trans = ${$ttlb}{$vname}; + $vdata = $trans->( $vdata ) if ( defined $trans ); + ::rptMsg( sprintf( $tab."$align = %s", $vname, $vdata ) ); + } +} + +#------------------------------------------------------------------------------ +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/internet_settings_cu.pl b/RecentActivity/release/rr-full/plugins/internet_settings_cu.pl new file mode 100755 index 0000000000..6fa678d913 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/internet_settings_cu.pl 
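Review bot: The `????` placeholders in the IETld block are unreachable: `getValueData( $key, $vname, undef, 1 )` passes a defined `$stub`, so when IETldDllVersionHigh or IETldDllVersionLow is absent getValueData returns `""` rather than undef, `defined $vdata` is true, and the report prints a zero-valued version component that looks like real data. Dropping the stub argument at both call sites restores the intended fallback: `$vdata = getValueData( $key, $vname, undef );`. Separately, `getKeyValues` is never called in this plugin and carries an empty `else { }`; the same unused sub is repeated in the internet_settings_cu.pl hunk, and that file's copy of `rptAllKeyValues` already differs from this one by labelling the unnamed value `'(default)'`, so the duplicated helper set has started to drift — either remove the dead code or keep the two copies identical. The `Download Directory` lookup also passes no stub and then prints `$vdata` through `sprintf`, so a missing value appears as `''` with nothing distinguishing it from an empty string in the hive; reporting "not set" when `$vdata` is undef would be clearer for an analyst.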
@@ -0,0 +1,534 @@ +#------------------------------------------------------------------------------ +# internet_settings_cu.pl +# NTUSER.DAT Internet Settings key parser +# Note: it's not tested against all IE versions available, neither +# it parses all available keys/subkeys +# +# Change history +# 20120513 [fpi] % created and working on +# 20120515 [fpi] % first release +# 20120528 [fpi] % released to public +# +# References +# "Internet Explorer 6.0 Registry Settings" +# http://msdn.microsoft.com/en-us/library/ms902093.aspx +# "WinInet Registry Settings" +# http://msdn.microsoft.com/en-us/library/aa918417.aspx +# +# copyright 2012 F. Picasso francesco.picasso@gmail.com +#------------------------------------------------------------------------------ +package internet_settings_cu; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120528); + +sub getConfig{return %config} +sub getShortDescr { + return "Get HKCU information on Internet Settings"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Internet Explorer 6.0 Registry Settings" => + "http://msdn.microsoft.com/en-us/library/ms902093.aspx", + "WinInet Registry Settings" => + "http://msdn.microsoft.com/en-us/library/aa918417.aspx" + ); +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +my $VERSION = getVersion(); + +#------------------------------------------------------------------------------ + +my $tab0 = ""; +my $tab2 = " "; +my $tab4 = " "; +my $tab6 = " "; +my $tab8 = " "; + +my $align10 = "%-10s"; +my $align15 = "%-15s"; +my $align20 = "%-20s"; +my $align25 = "%-25s"; +my $align30 = "%-30s"; +my $align40 = "%-40s"; + +#------------------------------------------------------------------------------ + +my %PARSED_SUBKEYS = ( + "5.0" => \&cb50, + "CACHE" => \&cbCACHE, + "P3P" => \&cbP3P, + "Url History" => \&cbUrlHistory, + "Wpad" => \&cbWpad, + "ZoneMap" => \&cbZoneMap +); + +my 
%INTERNET_SETTINGS = ( + "AutoConfigProxy" => undef, + "BackgroundConnections" => \&trBool, + "CertificateRevocation" => \&trBool, + "CoInternetCombineIUriCacheSize" => \&trNumHex, + "CreateUriCacheSize" => \&trNumHex, + "DisableCachingOfSSLPages" => \&trBool, + "EmailName" => undef, + "EnableAutodial" => \&trBool, + "EnableHttp1_1" => \&trBool, + "EnableNegotiate" => \&trBool, + "EnablePunycode" => \&trBool, + "GlobalUserOffline" => \&trBool, + "IE5_UA_Backup_Flag" => undef, + "MigrateProxy" => \&trBool, + "MimeExclusionListForCache" => undef, + "NoNetAutodial" => \&trBool, + "PrivacyAdvanced" => \&trBool, + "PrivDiscUiShown" => \&trBool, + "ProxyEnable" => \&trBool, + "ProxyHttp1.1" => \&trBool, + "ProxyOverride" => undef, + "SecureProtocols" => \&trNumHex, + "SecurityIdIUriCacheSize" => \&trNumHex, + "ShowPunycode" => \&trBool, + "SpecialFoldersCacheSize" => \&trNumHex, + "SyncMode5" => \&trSyncMode5, + "UrlEncoding" => \&trBool, + "User Agent" => undef, + "UseSchannelDirectly" => \&trHex, + "WarnOnIntranet" => \&trBool, + "WarnOnPost" => \&trHex, + "WarnonZoneCrossing" => \&trBool, + "ZonesSecurityUpgrade" => \&trFileTime +); + +my %CACHE_VALUES = ( + "LastScavenge" => \&trBool, + "LastScavenge_TIMESTAMP" => \&trFileTime, + "Persisten" => \&trBool +); + +my %WPAD_VALUES = ( + "WpadDecision" => undef, + "WpadDecisionReason" => undef, + "WpadDecisionTime" => \&trFileTime, + "WpadNetworkName" => undef +); + +#------------------------------------------------------------------------------ + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg( "Launching internet_settings_cu v.".$VERSION ); + ::rptMsg( "internet_settings_cu v.".$VERSION ); + ::rptMsg( "(".getHive().") ".getShortDescr()."\n" ); + + my $reg = Parse::Win32Registry->new( $hive ); + my $root_key = $reg->get_root_key; + my $key_path_main = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"; + my $key_path = $key_path_main; + my $key; + my $tab; my $align; + my $vdata; my 
$vname; + my @subkeys; my $subkey; my @subkeysnp; + my $callback; + + # --------------------------------------------------------------- + # 20120513 [fpi] : getting the main key + $key = $root_key->get_subkey( $key_path ); + if ( not $key ) { + ::rptMsg( $key_path." not found." ); + ::logMsg( $key_path." not found." ); + return; + } + + # --------------------------------------------------------------- + # 20120513 [fpi] : parsing all values inside the main key + if ( $key = $root_key->get_subkey( $key_path ) ) { + ::rptMsg( $key_path ); + ::rptMsg( "LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + rptAllKeyValuesTrans( $key, \%INTERNET_SETTINGS, $tab2, $align30 ); + } + else { + ::rptMsg( $key_path." not found." ); + ::logMsg( $key_path." not found." ); + } + ::rptMsg(); + + # --------------------------------------------------------------- + # 20120513 [fpi] : getting all the first level subkeys, parsing some of them + # and reporting all subkeys parsed and not parsed as list + @subkeys = sort {lc $a->get_name() cmp lc $b->get_name} $key->get_list_of_subkeys(); + foreach my $subkey ( @subkeys ) { + $callback = $PARSED_SUBKEYS{ $subkey->get_name() }; + if ( defined $callback ) { + ::rptMsg(); + $key_path = $key_path_main."\\".$subkey->get_name(); + ::rptMsg( ' *'.$key_path ); + ::rptMsg( $tab2."LastWrite Time ".gmtime( $subkey->get_timestamp() )." (UTC)" ); + $callback->( $key_path, $subkey, $tab2, $align25 ); + } + else { + push @subkeysnp, $subkey; + } + } + + ::rptMsg( "\nSubkeys not parsed in '$key_path_main'\n" ); + foreach my $subkey ( @subkeysnp ) { + ::rptMsg( sprintf( $tab4."$align20 --- %s", + $subkey->get_name() ) . gmtime( $subkey->get_timestamp() ) . 
" UTC" ); + } + ::rptMsg( "" ); +} + +#------------------------------------------------------------------------------ + +sub trBool +{ + my $data = shift; my $temp = "true "; + if ( $data != 0 and $data != 1 ) { + $temp = "$data (WARNING: expected a boolean '0|1'!)"; + return $temp; + } + $temp = "false" if ( $data == 0 ); + $temp .= " [$data]"; + return $temp; +} + +sub trFileTime +{ + my $data = shift; + my ( $t0, $t1 ) = unpack( "VV",$data ); + $data = gmtime( ::getTime( $t0, $t1 ) )." UTC"; + return $data; +} + +sub trHex +{ + my $data = shift; + $data = unpack( "H*", $data ); + return "0x".$data; +} + +sub trNumHex +{ + my $data = shift; + return sprintf( "%u [0x%08X]", $data, $data ); +} + +sub trSkip +{ + return ""; +} + +sub trSyncMode5 +{ + my $data = shift; my $ret; + $ret = sprintf( "%u ", $data ); + if ( $data == 4 ) { $ret .= "(automatically check for updated Web pages)"; } + elsif ( $data == 3 ) { $ret .= "(always check for updated Web pages)"; } + elsif ( $data == 2 ) { $ret .= "(check one per session for updated Web pages)"; } + elsif ( $data == 0 ) { $ret .= "(never check for updated Web pages, use cached pages)"; } + else { $ret .= "(unknown value)"; } + return $ret; +} + +#------------------------------------------------------------------------------ + +sub getKeyValues { + my $key = shift; + my %vals; + my @vk = $key->get_list_of_values(); + if (scalar(@vk) > 0) { + foreach my $v (@vk) { + next if ($v->get_name() eq "" && $v->get_data() eq ""); + $vals{$v->get_name()} = $v->get_data(); + } + } + else { + } + return %vals; +} + +#------------------------------------------------------------------------------ + +sub getValueData +{ + # key, value name, translator, use stub + my $key = shift; my $vn = shift; + my $trans = shift; my $stub = shift; + my $vd; my $vo; + $vo = $key->get_value( $vn ); + if ( not defined $vo ) { + return undef unless defined $stub; + $vd = ""; + } + else { + $vd = $vo->get_data(); + if ( defined $trans ) { + $vd = 
$trans->( $vd ); + } + } + return $vd; +} + +#------------------------------------------------------------------------------ + +sub rptAllSubKeys +{ + # key, tab, align + my @subkeys = $_[0]->get_list_of_subkeys(); + foreach my $k (@subkeys) { + ::rptMsg( sprintf( $_[1]."$_[2] --- %s", + $k->get_name() ) . gmtime( $k->get_timestamp() ) . " UTC" ); + } +} + +#------------------------------------------------------------------------------ + +sub rptAllKeyValues +{ + # key, tab, align + my @vals = sort {lc $a->get_name() cmp lc $b->get_name} $_[0]->get_list_of_values(); + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + $val = '(default)' if ( $val eq "" ); + ::rptMsg( sprintf( $_[1]."$_[2] = %s", $val, $data ) ); + } +} +#------------------------------------------------------------------------------ + +sub rptAllKeyValuesTrans +{ + # key, ttlb, tab, align, + my $key = shift; my $ttlb = shift; + my $tab = shift; my $align = shift; + my $vname; my $vdata; my $trans; + + my @vals = sort {lc $a->get_name() cmp lc $b->get_name} $key->get_list_of_values(); + foreach my $v (@vals) { + $vname = $v->get_name(); + $vname = '(default)' if ( $vname eq "" ); + $vdata = $v->get_data(); + $trans = ${$ttlb}{$vname}; + $vdata = $trans->( $vdata ) if ( defined $trans ); + ::rptMsg( sprintf( $tab."$align = %s", $vname, $vdata ) ); + } +} + +#------------------------------------------------------------------------------ + +sub cbZoneMap +{ + my $rkeypath = shift; my $rkey = shift; my $tab = shift; my $align = shift; + my @NETID; my @MACS; my @subkeys; my $subkey; + + rptAllKeyValues( $rkey, $tab.$tab2, $align ); + + ::rptMsg( $tab.$tab2."-- 'ZoneMap' subkeys -- not parsed:" ); + foreach my $subkey ( $rkey->get_list_of_subkeys() ) { + ::rptMsg( sprintf( $tab.$tab4."$align25 %s", + $subkey->get_name() ) . gmtime( $subkey->get_timestamp() ) . 
" UTC" ); + } +} + +#------------------------------------------------------------------------------ + +sub rptAllSubKeysWpad +{ + # key, tab, align + my @subkeys = $_[0]->get_list_of_subkeys(); + if ( not scalar( @subkeys ) ) { + ::rptMsg( sprintf( $_[1]."$_[2] %s", "-- MAC SUBKEYS --", "*no* MAC subkeys (unidentified network)" ) ); + return; + } + ::rptMsg( sprintf( $_[1]."$_[2] %s", "-- MAC SUBKEYS --", "" ) ); + foreach my $k (@subkeys) { + ::rptMsg( sprintf( $_[1]."$_[2] LastWritten %s", + $k->get_name() ) . gmtime( $k->get_timestamp() ) . " UTC" ); + } +} + +sub cbWpad +{ + my $rkeypath = shift; my $rkey = shift; my $tab = shift; my $align = shift; + my @NETID; my @MACS; my @subkeys; my $subkey; + + # 20120515 [fpi] : divide ID from MACs (brutally rustic raw algo... TBR) + @subkeys = $rkey->get_list_of_subkeys(); + foreach $subkey ( @subkeys ) { + my $kname = $subkey->get_name(); + if ( ( substr( $kname, 0, 1 ) eq '{' ) and ( substr( $kname, -1, 1 ) eq '}' ) ) { + push @NETID, $subkey; + } + elsif ( length $kname == 17 ) { + push @MACS, $subkey; + } + else { + ::logMsg( "Unexpected key '$kname' in $rkeypath" ); + } + } + $tab .= $tab2; + + @NETID = sort {$b->get_timestamp >= $a->get_timestamp} @NETID; + foreach my $subkey ( @NETID ) { + ::rptMsg(); + ::rptMsg( $tab."NETWORK SUBKEY: ".$subkey->get_name() ); + ::rptMsg( $tab."LastWrite Time ".gmtime( $subkey->get_timestamp() )." (UTC)" ); + rptAllKeyValuesTrans( $subkey, \%WPAD_VALUES, $tab.$tab2, $align ); + rptAllSubKeysWpad( $subkey, $tab.$tab2, $align ); + } + + @MACS = sort {$a->get_timestamp >= $b->get_timestamp} @MACS; + foreach my $subkey ( @MACS ) { + ::rptMsg(); + ::rptMsg( $tab."MACs SUBKEY: ".$subkey->get_name() ); + ::rptMsg( $tab."LastWrite Time ".gmtime( $subkey->get_timestamp() )." 
(UTC)" ); + rptAllKeyValuesTrans( $subkey, \%WPAD_VALUES, $tab.$tab2, $align ); + } + ::rptMsg(); +} + +#------------------------------------------------------------------------------ + +sub cbUrlHistory +{ + my $rkeypath = shift; my $rkey = shift; my $tab = shift; my $align = shift; + + rptAllKeyValues( $rkey, $tab.$tab2, $align ); + ::rptMsg(); +} + +#------------------------------------------------------------------------------ + +sub cbP3P +{ + my $rkeypath = shift; my $rkey = shift; my $tab = shift; my $align = shift; + my $key; my @subkeys; my $subkey; my $lkeypath; + + if ( $key = $rkey->get_subkey( "History" ) ) + { + ::rptMsg(); + $lkeypath = $rkeypath."\\History"; + ::rptMsg( $tab.$lkeypath ); + ::rptMsg( $tab."LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + + @subkeys = $key->get_list_of_subkeys(); + ::rptMsg( $tab."ANALYST NOTE:" ); + if ( scalar( @subkeys ) > 0 ) { + ::rptMsg( $tab.$tab2.sprintf( "There are ". + "%u per-domain cookie decisions subkeys, check them", scalar( @subkeys ) ) ); + } + else { + ::rptMsg( $tab.$tab2."No per-domain cookie decisions subkeys are present" ); + } + } + else { + ::rptMsg( $tab.$lkeypath." not present" ); + ::logMsg( $lkeypath." 
not present" ); + } + ::rptMsg(); +} + +#------------------------------------------------------------------------------ + +sub cbCACHE +{ + my $rkeypath = shift; my $rkey = shift; my $tab = shift; my $align = shift; + rptAllKeyValuesTrans( $rkey, \%CACHE_VALUES, $tab.$tab2, $align ); + ::rptMsg(); +} + +#------------------------------------------------------------------------------ + +sub parseCacheKeyValues +{ + my $key = shift; my $tab = shift; my $align = shift; + my $vname; my $vdata; + + my @vals = sort {lc $a->get_name() cmp lc $b->get_name} $key->get_list_of_values(); + + foreach my $v (@vals) { + $vname = $v->get_name(); + $vdata = $v->get_data(); + if ( $vname eq "CacheLimit" ) { + ::rptMsg( sprintf( $tab."$align = %u KB", $vname, $vdata ) ); + } + elsif ( $vname eq "CacheOptions" ) { + ::rptMsg( sprintf( $tab."$align = 0x%X", $vname, $vdata ) ); + } + elsif ( $vname eq "CacheRepair" ) { + ::rptMsg( sprintf( $tab."$align = 0x%X", $vname, $vdata ) ); + } + else { + ::rptMsg( sprintf( $tab."$align = %s", $vname, $vdata ) ); + } + } +} + +sub parseCacheKeys +{ + my $rkeypath = shift; my $rkey = shift; my $tab = shift; my $align = shift; + my $subkeyname = shift; + my $key; my $lkeypath; + my @subkeys; my $subkey; + + if ( $key = $rkey->get_subkey( $subkeyname ) ) { + ::rptMsg(); + ::rptMsg( $tab.$rkeypath."\\".$subkeyname ); + ::rptMsg( $tab."LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + rptAllKeyValues( $key, $tab.$tab2, $align ); + ::rptMsg(); + + $lkeypath = $rkeypath."\\".$subkeyname; + @subkeys = sort {lc $a->get_name() cmp lc $b->get_name} $key->get_list_of_subkeys(); + foreach $subkey ( @subkeys ) { + if ( $subkey->get_name() ne "Extensible Cache" ) { + ::rptMsg( $tab.$lkeypath."\\".$subkey->get_name() ); + ::rptMsg( $tab."LastWrite Time ".gmtime( $subkey->get_timestamp() )." 
(UTC)" ); + parseCacheKeyValues( $subkey, $tab.$tab2, $align ); + ::rptMsg(); + } + } + + if ( $key = $key->get_subkey( "Extensible Cache" ) ) { + ::rptMsg(); + $lkeypath .= "\\Extensible Cache"; + ::rptMsg( $tab.$lkeypath ); + ::rptMsg( $tab."LastWrite Time ".gmtime( $key->get_timestamp() )." (UTC)" ); + ::rptMsg(); + + @subkeys = sort {lc $a->get_name() cmp lc $b->get_name} $key->get_list_of_subkeys(); + foreach $subkey ( @subkeys ) { + ::rptMsg( $tab.$lkeypath."\\".$subkey->get_name() ); + ::rptMsg( $tab."LastWrite Time ".gmtime( $subkey->get_timestamp() )." (UTC)" ); + parseCacheKeyValues( $subkey, $tab.$tab2, $align ); + ::rptMsg(); + } + } + else { ::rptMsg( $tab."subkey 'Extensible Cache' not present" ); ::rptMsg(); } + } + else { + ::rptMsg( $tab.$rkeypath."\\".$subkeyname." not found." ); + ::rptMsg(); + ::logMsg( $rkeypath."\\".$subkeyname." not found." ); + } +} + +sub cb50 +{ + my $rkeypath = shift; my $rkey = shift; my $tab = shift; my $align = shift; + + parseCacheKeys( $rkeypath, $rkey, $tab, $align, "Cache" ); + parseCacheKeys( $rkeypath, $rkey, $tab, $align, "LowCache" ); + + # NSCookieUpgrade and User Agent keys not parsed (TBR) +} + +#------------------------------------------------------------------------------ +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/itempos.pl b/RecentActivity/release/rr-full/plugins/itempos.pl new file mode 100755 index 0000000000..b2f72c36c5 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/itempos.pl 
@@ -0,0 +1,339 @@ +#----------------------------------------------------------- +# shellbags.pl +# RR plugin to parse (Vista, Win7/Win2008R2) shell bags +# +# History: +# 20120814 - created +# +# References +# Andrew's Python code for Registry Decoder +# http://code.google.com/p/registrydecoder/source/browse/trunk/templates/template_files/ShellBag.py +# Joachim Metz's shell item format specification +# http://download.polytechnic.edu.na/pub4/download.sourceforge.net/pub/ +# sourceforge/l/project/li/liblnk/Documentation/Windows%20Shell%20Item%20format/ +# Windows%20Shell%20Item%20format.pdf +# Converting DOS Date format +# http://msdn.microsoft.com/en-us/library/windows/desktop/ms724274(v=VS.85).aspx +# +# Thanks to Willi Ballenthin and Joachim Metz for the documentation they +# provided, Andrew Case for posting the Registry Decoder code, and Kevin +# Moore for writing the shell bag parser for Registry Decoder, as well as +# assistance with some parsing. +# +# License: GPL v3 +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package itempos; +use strict; +use Time::Local; + +my %config = (hive => "NTUSER\.DAT", + hivemask => 16, + output => "report", + category => "User Activity", + osmask => 16, #Win7/Win2008R2 + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120814); + +sub getConfig{return %config} + +sub getShortDescr { + return "Shell/Bags/1/Desktop ItemPos* value parsing; Win7 NTUSER\.DAT hives"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching itempos v.".$VERSION); + ::rptMsg("itempos v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my %itempos = (); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop"; + my $key; + + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + my $lw = $key->get_timestamp(); + ::rptMsg("LastWrite: ".gmtime($lw)); + ::rptMsg(""); + + my @vals = $key->get_list_of_values(); + foreach my $v (@vals) { + my $name = $v->get_name(); + if ($name =~ m/^ItemPos/) { + $itempos{$name} = $v->get_data(); + } + } + + if (scalar keys %itempos > 0) { + foreach my $i (keys %itempos) { + ::rptMsg("Value: ".$i); + ::rptMsg(sprintf "%-10s|%-20s|%-20s|%-20s|Name","Size","Modified","Accessed","Created"); + ::rptMsg(sprintf "%-10s|%-20s|%-20s|%-20s|"."-" x 10,"-" x 10,"-" x 20,"-" x 20,"-" x 20); + parseBagEntry($itempos{$i}); + ::rptMsg(""); + } + } + else { + ::rptMsg("No ItemPos* values found."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- + + +#----------------------------------------------------------- +# parseBagEntry() +#----------------------------------------------------------- +sub parseBagEntry { + my $data = shift; + my $ofs = 24; + my $len = length($data); + while ($ofs < $len) { + my %item = (); + my $sz = unpack("v",substr($data,$ofs,2)); + + my $data = substr($data,$ofs,$sz); + + my $type = unpack("C",substr($data,2,1)); + + if ($type == 0x1f) { + %item = parseSystemBagItem($data); + ::rptMsg(sprintf "%-10s|%-20s|%-20s|%-20s|".$item{name},"","","",""); + } + elsif ($type == 0x31 || $type == 0x32 || $type == 0x3a) { + %item = parseFolderItem($data); + + my ($m,$a,$c); + (exists $item{mtime_str} && $item{mtime_str} ne "0") ? ($m = $item{mtime_str}) : ($m = ""); + (exists $item{atime_str} && $item{atime_str} ne "0") ? ($a = $item{atime_str}) : ($a = ""); + (exists $item{ctime_str} && $item{ctime_str} ne "0") ? 
($c = $item{ctime_str}) : ($c = ""); + ::rptMsg(sprintf "%-10s|%-20s|%-20s|%-20s|".$item{name},$item{size},$m,$a,$c); + } + else { + + } + $ofs += $sz + 8; + } +} +#----------------------------------------------------------- +# parseSystemBagItem() +#----------------------------------------------------------- +sub parseSystemBagItem { + my $data = shift; + my %item = (); + my %vals = (0x00 => "Explorer", + 0x42 => "Libraries", + 0x44 => "Users", + 0x4c => "Public", + 0x48 => "My Documents", + 0x50 => "My Computer", + 0x58 => "My Network Places", + 0x60 => "Recycle Bin", + 0x68 => "Explorer", + 0x70 => "Control Panel", + 0x78 => "Recycle Bin", + 0x80 => "My Games"); + + $item{type} = unpack("C",substr($data,2,1)); + $item{id} = unpack("C",substr($data,3,1)); + if (exists $vals{$item{id}}) { + $item{name} = $vals{$item{id}}; + } + else { + $item{name} = parseGUID(substr($data,4,16)); + } + return %item; +} + +#----------------------------------------------------------- +# parseFolderItem() +#----------------------------------------------------------- +sub parseFolderItem { + my $data = shift; + my %item = (); + my $ofs_mdate = 0x08; + $item{type} = unpack("C",substr($data,2,1)); + + $item{size} = unpack("V",substr($data,4,4)); + + my @m = unpack("vv",substr($data,$ofs_mdate,4)); + ($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]); + + my $ofs_shortname = $ofs_mdate + 6; + my $tag = 1; + my $cnt = 0; + my $str = ""; + while($tag) { + my $s = substr($data,$ofs_shortname + $cnt,1); + if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { + $tag = 0; + } + else { + $str .= $s; + $cnt++; + } + } +# $str =~ s/\00//g; + my $shortname = $str; + my $ofs = $ofs_shortname + $cnt + 1; +# Read progressively, 1 byte at a time, looking for 0xbeef + my $tag = 1; + my $cnt = 0; + while ($tag) { + if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) { + $tag = 0; + } + else { + $cnt++; + } + } + $item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2)); + $ofs = $ofs + $cnt + 
2; + + my @m = unpack("vv",substr($data,$ofs,4)); + ($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]); + $ofs += 4; + my @m = unpack("vv",substr($data,$ofs,4)); + ($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]); + + my $jmp; + if ($item{extver} == 0x03) { + $jmp = 8; + } + elsif ($item{extver} == 0x07) { + $jmp = 26; + } + elsif ($item{extver} == 0x08) { + $jmp = 30; + } + else {} + + $ofs += $jmp; + + my $str = substr($data,$ofs,length($data) - 30); + my $longname = (split(/\00\00/,$str,2))[0]; + $longname =~ s/\00//g; + + if ($longname ne "") { + $item{name} = $longname; + } + else { + $item{name} = $shortname; + } + return %item; + + +} + +#----------------------------------------------------------- +# convertDOSDate() +# subroutine to convert 4 bytes of binary data into a human- +# readable format. Returns both a string and a Unix-epoch +# time. +#----------------------------------------------------------- +sub convertDOSDate { + my $date = shift; + my $time = shift; + + if ($date == 0x00 || $time == 0x00){ + return (0,0); + } + else { + my $sec = ($time & 0x1f) * 2; + $sec = "0".$sec if (length($sec) == 1); + if ($sec == 60) {$sec = 59}; + my $min = ($time & 0x7e0) >> 5; + $min = "0".$min if (length($min) == 1); + my $hr = ($time & 0xF800) >> 11; + $hr = "0".$hr if (length($hr) == 1); + my $day = ($date & 0x1f); + $day = "0".$day if (length($day) == 1); + my $mon = ($date & 0x1e0) >> 5; + $mon = "0".$mon if (length($mon) == 1); + my $yr = (($date & 0xfe00) >> 9) + 1980; + my $gmtime = timegm($sec,$min,$hr,$day,($mon - 1),$yr); + return ("$yr-$mon-$day $hr:$min:$sec",$gmtime); +# return gmtime(timegm($sec,$min,$hr,$day,($mon - 1),$yr)); + } +} + +#----------------------------------------------------------- +# parseGUID() +# Takes 16 bytes of binary data, returns a string formatted +# as an MS GUID. 
+#----------------------------------------------------------- +sub parseGUID { + my $data = shift; + my $d1 = unpack("V",substr($data,0,4)); + my $d2 = unpack("v",substr($data,4,2)); + my $d3 = unpack("v",substr($data,6,2)); + my $d4 = unpack("H*",substr($data,8,2)); + my $d5 = unpack("H*",substr($data,10,6)); + return sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3; +} + +#----------------------------------------------------------- +# printData() +# subroutine used primarily for debugging; takes an arbitrary +# length of binary data, prints it out in hex editor-style +# format for easy debugging +#----------------------------------------------------------- +sub printData { + my $data = shift; + my $len = length($data); + my $tag = 1; + my $cnt = 0; + + my $loop = $len/16; + $loop++ if ($len%16); + + foreach my $cnt (0..($loop - 1)) { +# while ($tag) { + my $left = $len - ($cnt * 16); + + my $n; + ($left < 16) ? ($n = $left) : ($n = 16); + + my $seg = substr($data,$cnt * 16,$n); + my @str1 = split(//,unpack("H*",$seg)); + + my @s3; + my $str = ""; + + foreach my $i (0..($n - 1)) { + $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; + + if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) { + $str .= chr(hex($s3[$i])); + } + else { + $str .= "\."; + } + } + my $h = join(' ',@s3); + ::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h); + } +} + + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/javafx.pl b/RecentActivity/release/rr-full/plugins/javafx.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/javafx.pl rename to RecentActivity/release/rr-full/plugins/javafx.pl index 118e82cb58..369a365b7b --- a/thirdparty/rr/plugins/javafx.pl +++ b/RecentActivity/release/rr-full/plugins/javafx.pl 
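Review bot: The two scanning loops in parseFolderItem — the `while($tag)` over the short name and the search for the 0xbeef extension signature — have no upper bound, so a truncated or malformed ItemPos entry makes the plugin spin forever: once `$ofs + $cnt` passes the end of `$data`, `substr` returns undef, the test never matches and `$cnt` keeps growing. The data comes straight from a user's NTUSER.DAT hive, so both loops should stop at `length($data)` and return the partial item, as sketched below; `$jmp` likewise stays undef for an `extver` other than 3, 7 or 8 and silently adds nothing to `$ofs`, which deserves at least a `::logMsg`. The header comment still names the file `# shellbags.pl`; it should read itempos.pl.
```perl
sub parseFolderItem {
    # … unchanged: type, size and mtime parsing …
    my $len = length($data);
    my $ofs_shortname = $ofs_mdate + 6;
    my $cnt = 0;
    my $str = "";
    # stop at end of data: a truncated entry must not loop forever
    while ($ofs_shortname + $cnt < $len) {
        my $s = substr($data,$ofs_shortname + $cnt,1);
        last if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0));
        $str .= $s;
        $cnt++;
    }
    my $shortname = $str;
    my $ofs = $ofs_shortname + $cnt + 1;
    $cnt = 0;
    # bounded search for the 0xbeef extension signature
    while ($ofs + $cnt + 2 <= $len) {
        last if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef);
        $cnt++;
    }
    if ($ofs + $cnt + 2 > $len) {
        $item{name} = $shortname;   # no extension block found; report what was parsed
        return %item;
    }
    # … unchanged: extver, ctime/atime, $jmp and long-name parsing …
}
```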
@@ -1,67 +1,69 @@ -#----------------------------------------------------------- -# javafx.pl -# Plugin written based on Cory Harrell's Exploit Artifacts posts at -# http://journeyintoir.blogspot.com/ -# -# Change history -# 20110322 - created -# -# References -# http://java.sun.com/j2se/1.4.2/runtime_win32.html -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package javafx; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20110322); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's JavaFX key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching javafx v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\JavaSoft\\Java Update\\Policy\\JavaFX"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("javafx v.".$VERSION); - ::rptMsg($key_path); - ::rptMsg("LastWrite time: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - ::rptMsg(sprintf "%-25s %-20s",$v->get_name(), $v->get_data()); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# javafx.pl +# Plugin written based on Cory Harrell's Exploit Artifacts posts at +# http://journeyintoir.blogspot.com/ +# +# Change history +# 20110322 - created +# +# References +# http://java.sun.com/j2se/1.4.2/runtime_win32.html +# +# copyright 2011 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package javafx; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20110322); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's JavaFX key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching javafx v.".$VERSION); + ::rptMsg("javafx v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\JavaSoft\\Java Update\\Policy\\JavaFX"; + my $key; + my @vals; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("javafx v.".$VERSION); + ::rptMsg($key_path); + ::rptMsg("LastWrite time: ".gmtime($key->get_timestamp())); + ::rptMsg(""); + @vals = $key->get_list_of_values(); + + if (scalar(@vals) > 0) { +# First, read in all of the values and the data + foreach my $v (@vals) { + ::rptMsg(sprintf "%-25s %-20s",$v->get_name(), $v->get_data()); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/javasoft.pl b/RecentActivity/release/rr-full/plugins/javasoft.pl new file mode 100755 index 0000000000..bab7a088fb --- /dev/null 
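Review bot: The banner `::rptMsg("javafx v.".$VERSION); # banner` added at the top of pluginmain duplicates the `::rptMsg("javafx v.".$VERSION);` that is still printed inside the `if ($key = $root_key->get_subkey($key_path))` branch, so the report now shows the version line twice whenever the key exists. The inner call is the pre-banner leftover and should be dropped, leaving `::rptMsg($key_path);` as the first statement of that branch. The rest of the hunk re-adds the original file unchanged apart from those two banner lines, so nothing else in it alters behaviour.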
+++ b/RecentActivity/release/rr-full/plugins/javasoft.pl @@ -0,0 +1,64 @@ +#----------------------------------------------------------- +# javasoft.pl +# +# History +# 20130216 - created +# +# References +# http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/ +# http://nakedsecurity.sophos.com/how-to-disable-java-internet-explorer/ +# +# copyright 2013 QAR, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package javasoft; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130216); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of JavaSoft/UseJava2IExplorer value"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching javasoft v.".$VERSION); + ::rptMsg("Launching javasoft v.".$VERSION); + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my @k = ('JavaSoft\\Java Plug-in','Wow6432Node\\JavaSoft\\Java Plug-in'); + foreach my $key_path (@k) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my $ie; + eval { + $ie = $key->get_value("UseJava2IExplorer")->get_data(); + ::rptMsg(sprintf "UseJava2IExplorer = 0x%x",$ie); + }; + ::rptMsg("UseJava2IExplorer value not found\.") if ($@); + ::rptMsg(""); + } + else { + ::rptMsg("Key ".$key_path." not found."); + } + } +} +1; \ No newline at end of file 
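Review bot: The report banner in pluginmain is `::rptMsg("Launching javasoft v.".$VERSION);`, a copy of the logMsg line, whereas the other plugins touched in this commit write `::rptMsg("javasoft v.".$VERSION); # banner`; the "Launching" prefix belongs to the log only. The `eval` that reads UseJava2IExplorer prints "value not found" for any die inside it, not only for an absent value, so testing `my $v = $key->get_value("UseJava2IExplorer")` for definedness before formatting would keep those cases apart. Given the references in the header, a short comment above the sprintf saying what the value controls would help a reader of the report, which currently prints only the raw hex.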
diff --git a/thirdparty/rr/plugins/kb950582.pl b/RecentActivity/release/rr-full/plugins/kb950582.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/kb950582.pl rename to RecentActivity/release/rr-full/plugins/kb950582.pl index 4e24fe3dd2..6e3f409c87 --- a/thirdparty/rr/plugins/kb950582.pl +++ b/RecentActivity/release/rr-full/plugins/kb950582.pl 
@@ -1,90 +1,92 @@ -#----------------------------------------------------------- -# kb950582.pl -# Get autorun settings WRT KB950582 -# -# Change history -# 18 Dec 2008 - Updated to new name; added checks for Registry -# keys -# -# References -# http://support.microsoft.com/kb/953252 -# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit -# /regentry/91525.mspx?mfr=true -# -# copyright 2008-2009 H. Carvey -#----------------------------------------------------------- -package kb950582; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081212); - -sub getConfig{return %config} -sub getShortDescr { - return "KB950582 - Gets autorun settings from HKLM hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching kb950582 v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - eval { - my $path = "Microsoft\\Windows\\CurrentVersion\\Uninstall\\KB950582"; - if (my $kbkey = $root_key->get_subkey($path)) { - my $install = $kbkey->get_value("InstallDate")->get_data(); - ::rptMsg("KB950528 Uninstall Key ".gmtime($kbkey->get_timestamp())); - ::rptMsg(" InstallDate = ".$install."\n"); - } - }; - ::rptMsg("Uninstall\\KB950528 does not appear to be installed.\n") if ($@); - - eval { - my $path = "Microsoft\\Updates\\Windows XP\\SP4\\KB950582"; - if (my $kbkey = $root_key->get_subkey($path)) { - my $install = $kbkey->get_value("InstalledDate")->get_data(); - ::rptMsg("KB950528 Update Key ".gmtime($kbkey->get_timestamp())); - ::rptMsg(" InstalledDate = ".$install."\n"); - } - }; - ::rptMsg("KB950528 does not appear to be installed.\n") if ($@); - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"; - my $key; - if ($key = 
$root_key->get_subkey($key_path)) { - - eval { - my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data(); - my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive; - ::rptMsg($str); - }; - ::rptMsg("Error: ".$@) if ($@); - -# http://support.microsoft.com/kb/953252 - eval { - my $honor = $key->get_value("HonorAutorunSetting")->get_data(); - my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor; - ::rptMsg($str); - }; - ::rptMsg("HonorAutorunSetting not found.") if ($@); - ::rptMsg(""); - ::rptMsg("Autorun settings in the HKLM hive take precedence over those in"); - ::rptMsg("the HKCU hive."); - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# kb950582.pl +# Get autorun settings WRT KB950582 +# +# Change history +# 18 Dec 2008 - Updated to new name; added checks for Registry +# keys +# +# References +# http://support.microsoft.com/kb/953252 +# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit +# /regentry/91525.mspx?mfr=true +# +# copyright 2008-2009 H. 
Carvey +#----------------------------------------------------------- +package kb950582; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20081212); + +sub getConfig{return %config} +sub getShortDescr { + return "KB950582 - Gets autorun settings from HKLM hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching kb950582 v.".$VERSION); + ::rptMsg("kb950582 v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + eval { + my $path = "Microsoft\\Windows\\CurrentVersion\\Uninstall\\KB950582"; + if (my $kbkey = $root_key->get_subkey($path)) { + my $install = $kbkey->get_value("InstallDate")->get_data(); + ::rptMsg("KB950528 Uninstall Key ".gmtime($kbkey->get_timestamp())); + ::rptMsg(" InstallDate = ".$install."\n"); + } + }; + ::rptMsg("Uninstall\\KB950528 does not appear to be installed.\n") if ($@); + + eval { + my $path = "Microsoft\\Updates\\Windows XP\\SP4\\KB950582"; + if (my $kbkey = $root_key->get_subkey($path)) { + my $install = $kbkey->get_value("InstalledDate")->get_data(); + ::rptMsg("KB950528 Update Key ".gmtime($kbkey->get_timestamp())); + ::rptMsg(" InstalledDate = ".$install."\n"); + } + }; + ::rptMsg("KB950528 does not appear to be installed.\n") if ($@); + + my $key_path = "Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + eval { + my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data(); + my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive; + ::rptMsg($str); + }; + ::rptMsg("Error: ".$@) if ($@); + +# http://support.microsoft.com/kb/953252 + eval { + my $honor = 
$key->get_value("HonorAutorunSetting")->get_data(); + my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor; + ::rptMsg($str); + }; + ::rptMsg("HonorAutorunSetting not found.") if ($@); + ::rptMsg(""); + ::rptMsg("Autorun settings in the HKLM hive take precedence over those in"); + ::rptMsg("the HKCU hive."); + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/kbdcrash.pl b/RecentActivity/release/rr-full/plugins/kbdcrash.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/kbdcrash.pl rename to RecentActivity/release/rr-full/plugins/kbdcrash.pl index 560aef9785..c1e68e8011 --- a/thirdparty/rr/plugins/kbdcrash.pl +++ b/RecentActivity/release/rr-full/plugins/kbdcrash.pl 
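Review bot: The two `eval` blocks in pluginmain only emit "does not appear to be installed" when something dies inside them, but a missing KB950582 key makes `get_subkey` return false without dying, so the absent-key case — the one the message exists for — prints nothing; only a key that exists without its InstallDate/InstalledDate value triggers it. Adding `else { ::rptMsg("Uninstall\\KB950582 does not appear to be installed.\n"); }` to each `if (my $kbkey = ...)` (with the matching Update-key wording) covers the intended case. The output strings also say `KB950528` while the key paths and the plugin name say KB950582, which will mislead anyone searching the report; this all predates the rename, as the hunk re-adds the file unchanged apart from the two banner lines.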
@@ -1,65 +1,67 @@ -#----------------------------------------------------------- -# kbdcrash.pl -# -# Ref: -# http://support.microsoft.com/kb/244139 -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package kbdcrash; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081212); - -sub getConfig{return %config} - -sub getShortDescr { - return "Checks to see if system is config to crash via keyboard"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $enabled = 0; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching kbdcrash v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $svc = "ControlSet00".$current."\\Services"; - - eval { - my $ps2 = $svc->get_subkey("i8042prt\\Parameters")->get_value("CrashOnCtrlScroll")->get_data(); - ::rptMsg("CrashOnCtrlScroll set for PS2 keyboard") if ($ps2 == 1); - $enabled = 1 if ($ps2 == 1); - }; - - eval { - my $usb = $svc->get_subkey("kbdhid\\Parameters")->get_value("CrashOnCtrlScroll")->get_data(); - ::rptMsg("CrashOnCtrlScroll set for USB keyboard") if ($usb == 1); - $enabled = 1 if ($usb == 1); - }; - ::rptMsg("CrashOnCtrlScroll not set"); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; +#----------------------------------------------------------- +# kbdcrash.pl +# +# Ref: +# http://support.microsoft.com/kb/244139 +# +# copyright 2008-2009 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package kbdcrash; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20081212); + +sub getConfig{return %config} + +sub getShortDescr { + return "Checks to see if system is config to crash via keyboard"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my $enabled = 0; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching kbdcrash v.".$VERSION); + ::rptMsg("kbdcrash v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $svc = "ControlSet00".$current."\\Services"; + + eval { + my $ps2 = $svc->get_subkey("i8042prt\\Parameters")->get_value("CrashOnCtrlScroll")->get_data(); + ::rptMsg("CrashOnCtrlScroll set for PS2 keyboard") if ($ps2 == 1); + $enabled = 1 if ($ps2 == 1); + }; + + eval { + my $usb = $svc->get_subkey("kbdhid\\Parameters")->get_value("CrashOnCtrlScroll")->get_data(); + ::rptMsg("CrashOnCtrlScroll set for USB keyboard") if ($usb == 1); + $enabled = 1 if ($usb == 1); + }; + ::rptMsg("CrashOnCtrlScroll not set"); + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} +1; diff --git a/RecentActivity/release/rr-full/plugins/landesk.pl b/RecentActivity/release/rr-full/plugins/landesk.pl new file mode 100755 index 0000000000..8cca8222a3 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/landesk.pl 
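Review bot: In pluginmain `$svc` is a plain string (`"ControlSet00".$current."\\Services"`), yet both `eval` blocks call `$svc->get_subkey(...)` on it; Perl treats that as a class-method call on a package named by the string, which dies and is swallowed by the eval, so neither CrashOnCtrlScroll value is ever read and the plugin always prints "CrashOnCtrlScroll not set". It should resolve the key first, `my $svc = $root_key->get_subkey("ControlSet00".$current."\\Services");`, and the final line should become `::rptMsg("CrashOnCtrlScroll not set") unless ($enabled);` since `$enabled` is set but never consulted. `"ControlSet00".$current` also assumes a single-digit Current value; `sprintf("ControlSet%03d",$current)` is the safer form. This defect predates the rename — the hunk re-adds the file unchanged apart from the banner lines.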
@@ -0,0 +1,110 @@ +#----------------------------------------------------------- +# landesk.pl +# parses LANDESK Monitor Logs +# +# +# Change history +# 20130326 - added Wow6432Node path +# 20130214 - updated w/ Logon info +# 20090729 - updates, H. Carvey +# +# Orignal copyright 2009 Don C. Weber +# Updated copyright 2013 QAR, LLC +#----------------------------------------------------------- +package landesk; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130326); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get list of programs monitored by LANDESK - Software hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my %ls; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching landesk v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# updated added 20130326 + my @paths = ("LANDesk\\ManagementSuite\\WinClient\\SoftwareMonitoring\\MonitorLog", + "Wow6432Node\\LANDesk\\ManagementSuite\\WinClient\\SoftwareMonitoring\\MonitorLog"); + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + eval { + my $lw = $s->get_timestamp(); +# Push the data into a hash of arrays + push(@{$ls{$lw}},$s->get_name()); + }; + } + + foreach my $t (reverse sort {$a <=> $b} keys %ls) { + ::rptMsg(gmtime($t)." (UTC)"); + foreach my $item (@{$ls{$t}}) { + ::rptMsg(" $item"); + } + } + } + else { + ::rptMsg($key_path." does not appear to have any subkeys.") + } + } + else { + ::rptMsg($key_path." 
not found."); + } + } + +# update added 20130327 + my @paths = ("LANDesk\\Inventory\\LogonHistory\\Logons", + "Wow6432Node\\LANDesk\\Inventory\\LogonHistory\\Logons"); + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); + ::rptMsg(""); + + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); + ::rptMsg($data." Logon: ".gmtime($name)); + } + + } + else { + ::rptMsg($key_path." has not values\."); + } + } + else { + ::rptMsg($key_path." not found\."); + } + } +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/landesk_tln.pl b/RecentActivity/release/rr-full/plugins/landesk_tln.pl new file mode 100755 index 0000000000..2c326fdb8c --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/landesk_tln.pl 
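Review bot: `%ls` is file-scoped and never cleared, so when both MonitorLog paths in `@paths` exist (the Wow6432Node one is new in this version) the subkeys collected under the first path are printed again under the second; moving the declaration into the loop (`my %ls;` as the first statement of `foreach my $key_path (@paths)`) fixes that. The second `my @paths = (...)` redeclares the same lexical in the same scope, which Perl warns about; reuse `@paths = (...)` or name it `@logon_paths`. Unlike javafx and kb950582 in this commit, this plugin writes no report banner, and `"has not values\."` reads as a typo for "has no values".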
@@ -0,0 +1,118 @@ +#----------------------------------------------------------- +# landesk_tln.pl +# +# +# +# Change history +# 20130214 - updated with Logon info +# 20090729 - updates, H. Carvey +# +# Original copyright 2009 Don C. Weber +# Updated copyright 2013 QAR, LLC +#----------------------------------------------------------- +package landesk_tln; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130214); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get list of programs monitored by LANDESK from Software hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my %ls; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching landesk (TLN) v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + # updated added 20130326 + my @paths = ("LANDesk\\ManagementSuite\\WinClient\\SoftwareMonitoring\\MonitorLog", + "Wow6432Node\\LANDesk\\ManagementSuite\\WinClient\\SoftwareMonitoring\\MonitorLog"); + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $lw = $s->get_timestamp(); + my $name = $s->get_name(); + + my $user; + eval { + $user = $s->get_value("Current User")->get_data(); + }; + $user = "" if ($@); + +# ::rptMsg($lw."|REG||".$user."|M... LanDesk - ".$name." key last modified"); + + eval { + my @f = unpack("VV",$s->get_value("First Started")->get_data()); + my $first = ::getTime($f[0],$f[1]); + ::rptMsg($first."|REG||".$user."|LanDesk - ".$name." 
First Started"); + }; + + eval { + my @f = unpack("VV",$s->get_value("Last Started")->get_data()); + my $first = ::getTime($f[0],$f[1]); + ::rptMsg($first."|REG||".$user."|LanDesk - ".$name." Last Started"); + }; + } + } + else { +# ::rptMsg($key_path." does not appear to have any subkeys.") + } + } + else { +# ::rptMsg($key_path." not found."); + } + } +# update added 20130327 + my @paths = ("LANDesk\\Inventory\\LogonHistory\\Logons", + "Wow6432Node\\LANDesk\\Inventory\\LogonHistory\\Logons"); + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg(""); +# ::rptMsg($key_path); +# ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); +# ::rptMsg(""); + + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); +# ::rptMsg($data." Logon: ".gmtime($name)); + ::rptMsg($name."|REG||".$data."|LANDesk - user login recorded"); + } + } + else { +# ::rptMsg($key_path." has not values\."); + } + } + else { +# ::rptMsg($key_path." not found\."); + } + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/legacy.pl b/RecentActivity/release/rr-full/plugins/legacy.pl old mode 100644 new mode 100755 similarity index 70% rename from thirdparty/rr/plugins/legacy.pl rename to RecentActivity/release/rr-full/plugins/legacy.pl index 3c34a1a26a..bfeac48f9c --- a/thirdparty/rr/plugins/legacy.pl +++ b/RecentActivity/release/rr-full/plugins/legacy.pl 
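Review bot: The TLN lines built as `$first."|REG||".$user."|LanDesk - ".$name...` and `$name."|REG||".$data."|..."` embed registry-sourced strings (the `Current User` data, subkey names, Logons value data) into a pipe-delimited record without sanitising them, so a value containing `|` or a newline on the examined system shifts or injects timeline fields. Normalise before output, e.g. `$user =~ s/[|\r\n]+/ /g;`, and do the same for `$name` and `$data`. The `unpack("VV", ...)` calls have no length check: data shorter than 8 bytes yields undef halves that `::getTime` will most likely turn into a bogus epoch rather than die inside the `eval`, so read the data into a variable and guard with `next unless (length($raw) >= 8);`. `my %ls;` is unused in this file and can be removed.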
@@ -1,96 +1,107 @@ -#----------------------------------------------------------- -# legacy.pl -# -# -# Change history -# 20090429 - created -# -# Reference: http://support.microsoft.com/kb/310592 -# -# -# Analysis Tip: -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package legacy; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090429); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists LEGACY_ entries in Enum\\Root key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key(); -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $root_path = $ccs."\\Enum\\Root"; - - my %legacy; - if (my $root = $root_key->get_subkey($root_path)) { - my @sk = $root->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - next unless ($name =~ m/^LEGACY_/); - push(@{$legacy{$s->get_timestamp()}},$name); - - eval { - my @s_sk = $s->get_list_of_subkeys(); - if (scalar(@s_sk) > 0) { - foreach my $s_s (@s_sk) { - - my $desc; - eval { - $desc = $s_s->get_value("DeviceDesc")->get_data(); - push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()." - ".$desc); - }; - push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()) if ($@); - } - } - }; - } - } - else { - ::rptMsg($root_path." 
has no subkeys."); - } - - foreach my $t (reverse sort {$a <=> $b} keys %legacy) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$legacy{$t}}) { - ::rptMsg("\t$item"); - } - } - } - else { - ::rptMsg($root_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# legacy.pl +# +# +# Change history +# 20120524 +# 20090429 - created +# +# Reference: http://support.microsoft.com/kb/310592 +# +# +# Analysis Tip: +# The keys of interested begin with LEGACY_, for example, +# "LEGACY_EVENTSYSTEM". The LastWrite time on this key seems to indicate +# the first time that the serivce was launched. The LastWrite time on +# keys named, for example, "LEGACY_EVENTSYSTEM\0000", appear to indicate +# the most recent time that the service was launched. One example to look +# for is services related to malware/lateral movement, such as PSExec. +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package legacy; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120524); + +sub getConfig{return %config} +sub getShortDescr { + return "Lists LEGACY_* entries in Enum\\Root key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching legacy v.".$VERSION); # message + ::rptMsg("legacy v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key(); +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $root_path = $ccs."\\Enum\\Root"; + + my %legacy; + if (my $root = $root_key->get_subkey($root_path)) { + my @sk = $root->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); + next unless ($name =~ m/^LEGACY_/); + push(@{$legacy{$s->get_timestamp()}},$name); + + eval { + my @s_sk = $s->get_list_of_subkeys(); + if (scalar(@s_sk) > 0) { + foreach my $s_s (@s_sk) { + + my $desc; + eval { + $desc = $s_s->get_value("DeviceDesc")->get_data(); + push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()." - ".$desc); + }; + push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()) if ($@); + } + } + }; + } + } + else { + ::rptMsg($root_path." has no subkeys."); + } + + foreach my $t (reverse sort {$a <=> $b} keys %legacy) { + ::rptMsg(gmtime($t)." 
(UTC)"); + foreach my $item (@{$legacy{$t}}) { + ::rptMsg(" ".$item); + } + } + } + else { + ::rptMsg($root_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/legacy_tln.pl b/RecentActivity/release/rr-full/plugins/legacy_tln.pl new file mode 100755 index 0000000000..937f5e97ad --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/legacy_tln.pl 
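Review bot: `my $ccs = "ControlSet00".$current;` yields `ControlSet0010` for a `Select\Current` value of 10 or more, so the `Enum\Root` lookup fails and the report only says "not found"; `my $ccs = sprintf("ControlSet%03d", $current);` handles any value (this pre-dates the rewrite but is on the new side). The analysis tip added here has two typos: "keys of interested" should read "keys of interest" and "serivce" should read "service". The file still lacks `use strict`, unlike the sibling plugins in this commit; every variable is already declared with `my`, so adding it should be painless.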
@@ -0,0 +1,108 @@ +#----------------------------------------------------------- +# legacy_tln.pl +# +# +# Change history +# 20120620 - modified legacy.pl to legacy_tln.pl +# 20090429 - legacy.pl created +# +# Reference: http://support.microsoft.com/kb/310592 +# +# +# Analysis Tip: +# The keys of interested begin with LEGACY_, for example, +# "LEGACY_EVENTSYSTEM". The LastWrite time on this key seems to indicate +# the first time that the serivce was launched. The LastWrite time on +# keys named, for example, "LEGACY_EVENTSYSTEM\0000", appear to indicate +# the most recent time that the service was launched. One example to look +# for is services related to malware/lateral movement, such as PSExec. +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package legacy_tln; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120620); + +sub getConfig{return %config} +sub getShortDescr { + return "Lists LEGACY_* entries in Enum\\Root key in TLN format"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key(); +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $root_path = $ccs."\\Enum\\Root"; + + my %legacy; + if (my $root = $root_key->get_subkey($root_path)) { + my @sk = $root->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); 
+ next unless ($name =~ m/^LEGACY_/); + push(@{$legacy{$s->get_timestamp()}},$name); + + eval { + my @s_sk = $s->get_list_of_subkeys(); + if (scalar(@s_sk) > 0) { + foreach my $s_s (@s_sk) { + + my $desc; + eval { + $desc = $s_s->get_value("DeviceDesc")->get_data(); + push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()." - ".$desc); + }; + push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()) if ($@); + } + } + }; + } + } + else { + ::rptMsg($root_path." has no subkeys."); + } + + foreach my $t (reverse sort {$a <=> $b} keys %legacy) { + foreach my $item (@{$legacy{$t}}) { + ::rptMsg($t."|REG|||[Program Execution] - $item"); + } + +# ::rptMsg(gmtime($t)." (UTC)"); +# foreach my $item (@{$legacy{$t}}) { +# ::rptMsg(" ".$item); +# } + } + } + else { + ::rptMsg($root_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/licenses.pl b/RecentActivity/release/rr-full/plugins/licenses.pl new file mode 100755 index 0000000000..37675395fa --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/licenses.pl 
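Review bot: The `::rptMsg($root_path." has no subkeys.")`, `::rptMsg($root_path." not found.")` and `::rptMsg($key_path." not found.")` calls write free-text lines into what is otherwise a pipe-delimited TLN stream, which a timeline parser will mis-parse; landesk_tln.pl in this same commit comments those lines out, so this file should do the same or route them through `::logMsg`. Every entry is tagged `[Program Execution]`, yet the header's own analysis tip says the parent `LEGACY_*` key LastWrite reflects the first launch and the `\0000` subkey LastWrite the most recent one, so distinguishing the two in the description (e.g. "first seen" vs "last run") would make the timeline less misleading. `$item` carries `DeviceDesc` data straight from the hive; stripping `|` and newlines from it before building the line avoids field injection.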
@@ -0,0 +1,68 @@ +#----------------------------------------------------------- +# licenses.pl +# There are indications that the contents of this key may be associated +# with a number of different malware variants, including the Elite +# Keylogger. +# +# History +# 20120305 - created +# +# +# copyright 2012, Quantum Analytics Research, LLC +#----------------------------------------------------------- +package licenses; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120305); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get contents of HKLM/Software/Licenses key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %clsid; + ::logMsg("Launching licenses v.".$VERSION); + ::rptMsg("licenses v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Licenses"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + if ($v->get_type() == 3) { + ::rptMsg("Value: ".$v->get_name()." (Binary data: ".length($v->get_data())." bytes)"); + } + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/listsoft.pl b/RecentActivity/release/rr-full/plugins/listsoft.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/listsoft.pl rename to RecentActivity/release/rr-full/plugins/listsoft.pl index ae1c50a540..4d27eeda96 
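Review bot: Only values whose `get_type()` is 3 (REG_BINARY) are reported, and the "has no values" branch fires only when the list is empty, so a `Licenses` key holding only string or DWORD values prints nothing at all and the analyst gets no hint that data exists. Report the other types too, e.g. `else { ::rptMsg("Value: ".$v->get_name()." (".$v->get_type_as_string().")"); }`, and since the header ties this key to keylogger variants, consider emitting a digest of each binary blob (Digest::MD5 is core Perl) so it can be matched against indicators rather than only its length. `my %clsid;` is unused and can be dropped.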
--- a/thirdparty/rr/plugins/listsoft.pl +++ b/RecentActivity/release/rr-full/plugins/listsoft.pl 
@@ -1,69 +1,71 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# listsoft.pl -# Plugin for Registry Ripper; traverses thru the Software -# key of an NTUSER.DAT file, extracting all of the subkeys -# and listing them in order by LastWrite time. -# -# Change history -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package listsoft; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists contents of user's Software key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $file = shift; - my $reg = Parse::Win32Registry->new($file); - my $root_key = $reg->get_root_key; - ::logMsg("Launching listsoft v.".$VERSION); - my %soft; - my $key_path = 'Software'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("listsoft v.".$VERSION); - ::rptMsg("List the contents of the Software key in the NTUSER\.DAT hive"); - ::rptMsg("file, in order by LastWrite time."); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - push(@{$soft{$s->get_timestamp()}},$s->get_name()); - } - - foreach my $t (reverse sort {$a <=> $b} keys %soft) { - foreach my $item (@{$soft{$t}}) { - ::rptMsg(gmtime($t)."Z \t".$item); - } - } - } - else { - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::logMsg("Could not access ".$key_path); - } -} - +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# listsoft.pl +# Plugin for Registry Ripper; traverses thru the Software +# key of an NTUSER.DAT file, extracting all of the subkeys +# and listing them in order by LastWrite time. 
+# +# Change history +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package listsoft; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Lists contents of user's Software key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $file = shift; + my $reg = Parse::Win32Registry->new($file); + my $root_key = $reg->get_root_key; + ::logMsg("Launching listsoft v.".$VERSION); + ::rptMsg("listsoft v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my %soft; + my $key_path = 'Software'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("listsoft v.".$VERSION); + ::rptMsg("List the contents of the Software key in the NTUSER\.DAT hive"); + ::rptMsg("file, in order by LastWrite time."); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + push(@{$soft{$s->get_timestamp()}},$s->get_name()); + } + + foreach my $t (reverse sort {$a <=> $b} keys %soft) { + foreach my $item (@{$soft{$t}}) { + ::rptMsg(gmtime($t)."Z \t".$item); + } + } + } + else { + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::logMsg("Could not access ".$key_path); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/liveContactsGUID.pl b/RecentActivity/release/rr-full/plugins/liveContactsGUID.pl new file mode 100755 index 0000000000..1a874efd56 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/liveContactsGUID.pl 
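Review bot: The banner lines added at the top of `pluginmain` print `listsoft v.<version>`, and the pre-existing `::rptMsg("listsoft v.".$VERSION);` inside the `if` a few lines later prints it again, so the report now carries the title twice; drop the inner call and probably the two-line description after it, which the new `getShortDescr()` banner already covers. The "has no subkeys" and "Could not access" cases go to `::logMsg` only, so the report file stays silent when the key is missing, unlike the other plugins in this commit which `::rptMsg` those conditions.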
@@ -0,0 +1,66 @@ +#----------------------------------------------------------- +# liveContactsGUID.pl +# +# Change history +# 20110221 [pbo] % created +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# (C) 2011 Pierre-Yves Bonnetain - B&A Consultants +# expert-judiciaire@ba-consultants.fr +#----------------------------------------------------------- +package liveContactsGUID; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20110221); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user Windows Live Messenger GUIDs"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching liveContactsGUID v." . $VERSION); + ::rptMsg("liveContactsGUID v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows Live Contacts\\Database"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @subvals = $key->get_list_of_values(); + if (scalar(@subvals) > 0) { + foreach my $valeur (@subvals) { + ::rptMsg($valeur->get_data . " : " . $valeur->get_name); + } + } else { + ::rptMsg($key_path." has no subvalues."); + ::logMsg($key_path." has no subvalues."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + +1; 
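Review bot: `::rptMsg($valeur->get_data . " : " . $valeur->get_name)` writes the raw `get_data` return into the report, so a REG_BINARY or REG_MULTI_SZ value under `Windows Live Contacts\Database` would emit raw bytes or an implementation-defined join; `get_data_as_string` gives a stable printable form. The data-before-name order is also the reverse of every other plugin in this commit, and the method calls are written without parentheses, unlike the rest of the file.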
diff --git a/thirdparty/rr/plugins/load.pl b/RecentActivity/release/rr-full/plugins/load.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/load.pl rename to RecentActivity/release/rr-full/plugins/load.pl index 3ce6ca655e..430ec5528a --- a/thirdparty/rr/plugins/load.pl +++ b/RecentActivity/release/rr-full/plugins/load.pl 
@@ -1,81 +1,83 @@ -#----------------------------------------------------------- -# load.pl -# The load and run values in the Windows NT\CurrentVersion\Windows -# key are throw-backs to the old win.ini file, and can be/are used -# by malware. -# -# Change history -# 20100811 - created -# -# References -# http://support.microsoft.com/kb/103865 -# http://security.fnal.gov/cookbook/WinStartup.html -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package load; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100811); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets load and run values from user hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching load v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("load"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - ::rptMsg(""); - my %win; - foreach my $v (@vals) { - $win{$v->get_name()} = $v->get_data(); - } - - if (exists $win{"load"}) { - ::rptMsg("load = ".$win{"load"}); - } - else { - ::rptMsg("load value not found."); - } - - if (exists $win{"run"}) { - ::rptMsg("run = ".$win{"run"}); - } - else { - ::rptMsg("run value not found."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# load.pl +# The load and run values in the Windows NT\CurrentVersion\Windows +# key are throw-backs to the old win.ini file, and can be/are used +# by malware. +# +# Change history +# 20100811 - created +# +# References +# http://support.microsoft.com/kb/103865 +# http://security.fnal.gov/cookbook/WinStartup.html +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package load; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100811); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets load and run values from user hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching load v.".$VERSION); + ::rptMsg("load v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("load"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + ::rptMsg(""); + my %win; + foreach my $v (@vals) { + $win{$v->get_name()} = $v->get_data(); + } + + if (exists $win{"load"}) { + ::rptMsg("load = ".$win{"load"}); + } + else { + ::rptMsg("load value not found."); + } + + if (exists $win{"run"}) { + ::rptMsg("run = ".$win{"run"}); + } + else { + ::rptMsg("run value not found."); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/logonusername.pl b/RecentActivity/release/rr-full/plugins/logonusername.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/logonusername.pl rename to RecentActivity/release/rr-full/plugins/logonusername.pl index 098d89f5e6..422b60fb91 --- a/thirdparty/rr/plugins/logonusername.pl +++ b/RecentActivity/release/rr-full/plugins/logonusername.pl 
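Review bot: `%win` is keyed on the exact `get_name()` and then probed with `exists $win{"load"}` and `exists $win{"run"}`, but registry value names are case-insensitive, so a value written as `Load` or `RUN` — which Windows honours just like the lower-case form — is reported as "load value not found." Normalise the key when filling the hash, `$win{lc $v->get_name()} = $v->get_data();`, so the lookups still work. Since these are exactly the autostart values the plugin hunts for, it is also worth printing every value name found under the key, not only the two expected ones, so an analyst sees unexpected additions.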
@@ -1,68 +1,70 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# logonusername.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# "Logon User Name" value -# -# Change history -# -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package logonusername; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Get user's Logon User Name value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching logonusername v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $logon_name = "Logon User Name"; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - ::rptMsg("Logon User Name"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time [".gmtime($key->get_timestamp())." (UTC)]"); - foreach my $v (@vals) { - if ($v->get_name() eq $logon_name) { - ::rptMsg($logon_name." = ".$v->get_data()); - } - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# logonusername.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# "Logon User Name" value +# +# Change history +# +# +# +# copyright 2008 H. 
Carvey +#----------------------------------------------------------- +package logonusername; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Get user's Logon User Name value"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching logonusername v.".$VERSION); + ::rptMsg("logonusername v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $logon_name = "Logon User Name"; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + ::rptMsg("Logon User Name"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time [".gmtime($key->get_timestamp())." (UTC)]"); + foreach my $v (@vals) { + if ($v->get_name() eq $logon_name) { + ::rptMsg($logon_name." = ".$v->get_data()); + } + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/lsa_packages.pl b/RecentActivity/release/rr-full/plugins/lsa_packages.pl new file mode 100755 index 0000000000..8bac4bb1bc --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/lsa_packages.pl 
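Review bot: `$v->get_name() eq $logon_name` is a case-sensitive comparison against a registry value name, which Windows treats case-insensitively, so a `Logon User Name` value stored with different casing is silently skipped and the report shows only the key header with no value line; compare with `lc($v->get_name()) eq lc($logon_name)` and report explicitly when nothing matched. As written there is no "value not found" message for that case, unlike the "has no values" branch just below it.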
@@ -0,0 +1,79 @@ +#----------------------------------------------------------- +# lsa_packages.pl +# +# +# Change history +# 20130307 - created +# +# Reference: +# +# +# Category: Autostart +# +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package lsa_packages; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130307); + +sub getConfig{return %config} +sub getShortDescr { + return "Lists various *Packages key contents beneath LSA key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my @pkgs = ("Authentication Packages", "Notification Packages", "Security Packages"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching lsa_packages v.".$VERSION); + ::rptMsg("lsa_packages v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key(); +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + + $key_path = $ccs.'\\Control\\LSA'; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())." UTC"); + ::rptMsg(""); + + foreach my $v (@pkgs) { + eval { + my $d = $key->get_value($v)->get_data(); + ::rptMsg(sprintf "%-23s: ".$d,$v); + }; + } + } + else { + ::rptMsg($key_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file 
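Review bot: The `eval { my $d = $key->get_value($v)->get_data(); ... }` around each package name swallows the failure when a value is absent, so a missing `Notification Packages` or `Security Packages` produces no line at all and the analyst cannot tell "absent" from "plugin error"; add `::rptMsg(sprintf "%-23s: (not present)", $v) if ($@);` after the eval. These three values are classic persistence and credential-theft hooks (a rogue authentication package or password-filter DLL lands here), so a header comment stating the usual stock contents — typically `msv1_0` for Authentication Packages and `scecli` for Notification Packages — would help triage. `get_data()` is called in scalar context on what are normally REG_MULTI_SZ values; check how Parse::Win32Registry joins the list in that context so multi-entry values are not collapsed unreadably. `my $ccs = "ControlSet00".$current;` also breaks for a Current value of 10 or more; `sprintf("ControlSet%03d", $current)` is safer.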
diff --git a/thirdparty/rr/plugins/lsasecrets.pl b/RecentActivity/release/rr-full/plugins/lsasecrets.pl old mode 100644 new mode 100755 similarity index 88% rename from thirdparty/rr/plugins/lsasecrets.pl rename to RecentActivity/release/rr-full/plugins/lsasecrets.pl index 1e0048e973..ad067c38fc --- a/thirdparty/rr/plugins/lsasecrets.pl +++ b/RecentActivity/release/rr-full/plugins/lsasecrets.pl 
@@ -1,71 +1,74 @@ -#----------------------------------------------------------- -# lsasecrets.pl -# Get update times for LSA Secrets from the Security hive file -# -# History -# 20100219 - created -# -# References -# http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package lsasecrets; -use strict; - -my %config = (hive => "Security", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100219); - -sub getConfig{return %config} -sub getShortDescr { - return "TEST - Get update times for LSA Secrets"; -} -sub getDescr{} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching lsasecrets v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Policy\\Secrets"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - -# -# http://support.microsoft.com/kb/175468 - eval { - ::rptMsg(""); - ::rptMsg("Domain secret - \$MACHINE\.ACC"); - my $c = $key->get_subkey("\$MACHINE\.ACC\\CupdTime")->get_value("")->get_data(); - my @v = unpack("VV",$c); - my $cupd = gmtime(::getTime($v[0],$v[1])); - ::rptMsg("CupdTime = ".$cupd); - - my $o = $key->get_subkey("\$MACHINE\.ACC\\OupdTime")->get_value("")->get_data(); - my @v = unpack("VV",$c); - my $oupd = gmtime(::getTime($v[0],$v[1])); - ::rptMsg("OupdTime = ".$oupd); - }; - ::rptMsg("Error: ".$@) if ($@); - - - - - - - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# lsasecrets.pl +# Get update times for LSA Secrets from the Security hive file +# +# History +# 20100219 - created +# +# References +# http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package lsasecrets; +use strict; + +my %config = (hive => "Security", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100219); + +sub getConfig{return %config} +sub getShortDescr { + return "TEST - Get update times for LSA Secrets"; +} +sub getDescr{} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching lsasecrets v.".$VERSION); + ::logMsg("Launching lsasecrets v.".$VERSION); + ::rptMsg("lsasecrets v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Policy\\Secrets"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + +# +# http://support.microsoft.com/kb/175468 + eval { + ::rptMsg(""); + ::rptMsg("Domain secret - \$MACHINE\.ACC"); + my $c = $key->get_subkey("\$MACHINE\.ACC\\CupdTime")->get_value("")->get_data(); + my @v = unpack("VV",$c); + my $cupd = gmtime(::getTime($v[0],$v[1])); + ::rptMsg("CupdTime = ".$cupd); + + my $o = $key->get_subkey("\$MACHINE\.ACC\\OupdTime")->get_value("")->get_data(); + my @v = unpack("VV",$c); + my $oupd = gmtime(::getTime($v[0],$v[1])); + ::rptMsg("OupdTime = ".$oupd); + }; + ::rptMsg("Error: ".$@) if ($@); + + + + + + + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file 
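Review bot: The OupdTime branch unpacks the wrong buffer — after `my $o = ...get_data();` the next line is `my @v = unpack("VV",$c);`, so the reported `OupdTime` is always identical to `CupdTime`; it should be `my @ov = unpack("VV",$o);` followed by `::getTime($ov[0],$ov[1])`. This pre-dates the rewrite but is on the new side and the commit did not touch it. The new banner block also calls `::logMsg("Launching lsasecrets v.".$VERSION);` twice in a row; drop one. `getRefs` is not defined although every sibling plugin provides it, which may matter if the host enumerates that method.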
diff --git a/thirdparty/rr/plugins/macaddr.pl b/RecentActivity/release/rr-full/plugins/macaddr.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/macaddr.pl rename to RecentActivity/release/rr-full/plugins/macaddr.pl index 50a034981a..a43ffa6d13 --- a/thirdparty/rr/plugins/macaddr.pl +++ b/RecentActivity/release/rr-full/plugins/macaddr.pl 
@@ -1,156 +1,157 @@ -#----------------------------------------------------------- -# macaddr.pl -# Attempt to locate MAC address in either Software or System hive files; -# The plugin will determine which one its in and use the appropriate -# code -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package macaddr; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090118); - -sub getConfig{return %config} - -sub getShortDescr { - return " -- "; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching macaddr v.".$VERSION); - - my $guess = guessHive($hive); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - if ($guess eq "System") { -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - - my $key_path = $ccs."\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002bE10318}"; - my $key; - my $found = 0; - ::rptMsg($key_path); - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $na; - eval { - $na = $key->get_subkey($name)->get_value("NetworkAddress")->get_data(); - ::rptMsg(" ".$name.": NetworkAddress = ".$na); - $found = 1; - }; - } - ::rptMsg("No NetworkAddress value found.") if ($found == 0); - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } - } - elsif ($guess eq "Software") { - my $key_path = "Microsoft\\Windows Genuine Advantage"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my $mac; - my $found = 0; - eval { - $mac = $key->get_value("MAC")->get_data(); - ::rptMsg("Mac Address(es) = ".$mac); - $found = 1; - }; - ::rptMsg("No MAC address(es) found.") if ($found == 0); - } - else { - ::rptMsg($key_path." not found."); - } - } - else { - ::rptMsg("Hive file ".$hive." appeared to be neither a Software nor a"); - ::rptMsg("System hive file."); - } -} - -#------------------------------------------------------------- -# guessHive() - attempts to determine the hive type; if NTUSER.DAT, -# attempt to retrieve the SID for the user; this function populates -# global variables (%config, @sids) -#------------------------------------------------------------- -sub guessHive { - my $hive = shift; - my $hive_guess; - my $reg; - my $root_key; - eval { - $reg = Parse::Win32Registry->new($hive); - $root_key = $reg->get_root_key; - }; - ::rptMsg($hive." 
may not be a valid hive.") if ($@); - -# Check for SAM - eval { - if (my $key = $root_key->get_subkey("SAM\\Domains\\Account\\Users")) { - $hive_guess = "SAM"; - } - }; -# Check for Software - eval { - if ($root_key->get_subkey("Microsoft\\Windows\\CurrentVersion") && - $root_key->get_subkey("Microsoft\\Windows NT\\CurrentVersion")) { - $hive_guess = "Software"; - } - }; - -# Check for System - eval { - if ($root_key->get_subkey("MountedDevices") && $root_key->get_subkey("Select")) { - $hive_guess = "System"; - } - }; - -# Check for Security - eval { - if ($root_key->get_subkey("Policy\\Accounts") && $root_key->get_subkey("Policy\\PolAdtEv")) { - $hive_guess = "Security"; - } - }; -# Check for NTUSER.DAT - eval { - if ($root_key->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion")) { - $hive_guess = "NTUSER\.DAT"; - } - }; - return $hive_guess; -} - - +#----------------------------------------------------------- +# macaddr.pl +# Attempt to locate MAC address in either Software or System hive files; +# The plugin will determine which one its in and use the appropriate +# code +# +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package macaddr; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090118); + +sub getConfig{return %config} + +sub getShortDescr { + return " -- "; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching macaddr v.".$VERSION); + ::rptMsg("macaddr v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $guess = guessHive($hive); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + if ($guess eq "System") { +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + + my $key_path = $ccs."\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002bE10318}"; + my $key; + my $found = 0; + ::rptMsg($key_path); + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar (@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + my $na; + eval { + $na = $key->get_subkey($name)->get_value("NetworkAddress")->get_data(); + ::rptMsg(" ".$name.": NetworkAddress = ".$na); + $found = 1; + }; + } + ::rptMsg("No NetworkAddress value found.") if ($found == 0); + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } + } + elsif ($guess eq "Software") { + my $key_path = "Microsoft\\Windows Genuine Advantage"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my $mac; + my $found = 0; + eval { + $mac = $key->get_value("MAC")->get_data(); + ::rptMsg("Mac Address(es) = ".$mac); + $found = 1; + }; + ::rptMsg("No MAC address(es) found.") if ($found == 0); + } + else { + ::rptMsg($key_path." not found."); + } + } + else { + ::rptMsg("Hive file ".$hive." appeared to be neither a Software nor a"); + ::rptMsg("System hive file."); + } +} + +#------------------------------------------------------------- +# guessHive() - attempts to determine the hive type; if NTUSER.DAT, +# attempt to retrieve the SID for the user; this function populates +# global variables (%config, @sids) +#------------------------------------------------------------- +sub guessHive { + my $hive = shift; + my $hive_guess; + my $reg; + my $root_key; + eval { + $reg = Parse::Win32Registry->new($hive); + $root_key = $reg->get_root_key; + }; + ::rptMsg($hive." may not be a valid hive.") if ($@); + +# Check for SAM + eval { + if (my $key = $root_key->get_subkey("SAM\\Domains\\Account\\Users")) { + $hive_guess = "SAM"; + } + }; +# Check for Software + eval { + if ($root_key->get_subkey("Microsoft\\Windows\\CurrentVersion") && + $root_key->get_subkey("Microsoft\\Windows NT\\CurrentVersion")) { + $hive_guess = "Software"; + } + }; + +# Check for System + eval { + if ($root_key->get_subkey("MountedDevices") && $root_key->get_subkey("Select")) { + $hive_guess = "System"; + } + }; + +# Check for Security + eval { + if ($root_key->get_subkey("Policy\\Accounts") && $root_key->get_subkey("Policy\\PolAdtEv")) { + $hive_guess = "Security"; + } + }; +# Check for NTUSER.DAT + eval { + if ($root_key->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion")) { + $hive_guess = "NTUSER\.DAT"; + } + }; + return $hive_guess; +} + + 1; \ No newline at end of file 
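Review bot: The banner line added in pluginmain, `::rptMsg("(".getHive().") ".getShortDescr()."\n");`, prints `(Software)  -- ` because getShortDescr still returns the placeholder `" -- "`, and getHive reports Software even when guessHive goes on to decide the file is a System hive; a real description such as `return "Locate MAC address(es) in Software or System hive";` would make the report header meaningful. The hunk removes and re-adds all 156 lines although only the two banner lines are new, which looks like a line-ending change riding on the rename and hides the actual edit; the mmc.pl and mndmru.pl hunks below show the same pattern. The header comment on guessHive says the function populates global `%config` and `@sids`, but the body only returns a string, so that comment is worth trimming to match.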
diff --git a/RecentActivity/release/rr-full/plugins/menuorder.pl b/RecentActivity/release/rr-full/plugins/menuorder.pl new file mode 100755 index 0000000000..6f7b9ae325 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/menuorder.pl 
@@ -0,0 +1,378 @@ +#----------------------------------------------------------- +# menuorder.pl +# Plugin for Registry Ripper +# +# Change history +# 20121005 - created Tested on XP & Win7 only (not Vista) +# +# +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package menuorder; +use strict; +use Time::Local; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20121005); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's MenuOrder subkeys"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching menuorder v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + ::rptMsg("menuorder v.".$VERSION); + ::rptMsg(""); +# LastVistedMRU + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder"; + my $key; + my @vals; + if ($key = $root_key->get_subkey($key_path)) { + + eval { + my $start = $key->get_subkey("Start Menu2"); + recurseKeys($start,""); + + }; +# ::rptMsg("Error: ".$@) if ($@); + + eval { + my $fav = $key->get_subkey("Favorites"); + recurseKeys2($fav,""); + + }; +# ::rptMsg("Error: ".$@) if ($@); + + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub recurseKeys { + my $key = shift; + my $name = shift; + + ::rptMsg($name."\\".$key->get_name()); + ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())." Z"); + + my $order; + eval { + $order = $key->get_value("Order")->get_data(); + my @dat = split(/AugM/,$order); +# $dat[0] appears to be a header of some kind. 
+# ::rptMsg("Entries: ".unpack("V",substr($dat[0],0x10,4))); +# Within each section, starting with $dat[1], the 2nd DWORD appears to be the number of +# entries recorded in that section. + foreach my $n (1..(scalar(@dat) - 1)) { + my %item = parseAugM($dat[$n]); + ::rptMsg(" ".$item{name}); + } + }; + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + recurseKeys($s,$name."\\".$key->get_name()); + } + } + else { +# No subkeys + } + +} + + +sub recurseKeys2 { + my $key = shift; + my $name = shift; + + ::rptMsg($name."\\".$key->get_name()); + ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())." Z"); + + my $order; + eval { + $order = $key->get_value("Order")->get_data(); +# ::rptMsg(" - Order value found."); + parseOrder2($order); + + }; +# ::rptMsg("Error: ".$@) if ($@); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + recurseKeys2($s,$name."\\".$key->get_name()); + } + } + else { +# No subkeys + } + +} + +#----------------------------------------------------------- +# parseOrder2() +# +#----------------------------------------------------------- +sub parseOrder2 { + my $data = shift; + my $ofs = 0x1c; + + my $num = unpack("V",substr($data,0x10,4)); + + foreach my $n (1..$num) { + my $sz = unpack("v",substr($data,$ofs,2)); + my $dat = substr($data,$ofs,$sz); + my %item = parseItem($dat); + ::rptMsg(" ".$item{name}); + $ofs += ($sz + 0x0e); + } +} + +#----------------------------------------------------------- +# parseAugM() +# +#----------------------------------------------------------- +sub parseAugM { + my $data = shift; + my %item = (); + + if (unpack("V",substr($data,0,4)) == 0x2) { + + my @mdate = unpack("VV",substr($data,0x10,4)); + my $tag = 1; + my $cnt = 0; + my $str = ""; + while($tag) { + my $s = substr($data,0x16 + $cnt,1); + if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { + $tag = 0; + } + else { + $str .= 
$s; + $cnt++; + } + } + my $ofs = 0x16 + $cnt + 1; + my $shortname = $str; + + my $data2 = substr($data,$ofs,unpack("v",substr($data,$ofs,2))); + my $sz = unpack("v",substr($data2,0,2)); + $item{version} = unpack("v",substr($data2,2,2)); + my $ext = unpack("v",substr($data2,4,2)); + + my $ofs = 0x08; +# Get creation time values; +# my @m = unpack("vv",substr($data,$ofs,4)); + $ofs += 4; +# Get last access time values +# my @m = unpack("vv",substr($data,$ofs,4)); + $ofs += 4; + $ofs += 4; + + my $tag = 1; + my $cnt = 0; + my $str = ""; + while ($tag) { + my $s = substr($data2,$ofs + $cnt,2); + if (unpack("v",$s) == 0) { + $tag = 0; + } + else { + $str .= $s; + $cnt += 2; + } + } + $str =~ s/\00//g; + $item{name} = $str; + $ofs += $cnt; +# ::rptMsg(sprintf " - Ofs: 0x%x Remaining Data: 0x%x",$ofs,$sz - $ofs); + + if (($sz - $ofs) > 0x10) { + my $str = substr($data2,$ofs,$sz - $ofs); + $str =~ s/^\00+//; + my $s = (split(/\00/,$str,2))[0]; + $item{name} .= " (".$s.")"; + } + + } + else { + + } + return %item; +} + +#----------------------------------------------------------- +# parseItem() +# +#----------------------------------------------------------- +sub parseItem { + my $data = shift; + my %item = (); + + my $ofs = 0x08; + my @mdate = unpack("VV",substr($data,$ofs,4)); + $ofs += 6; + + my $tag = 1; + my $cnt = 0; + my $str = ""; + while($tag) { + my $s = substr($data,$ofs + $cnt,1); + if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { + $tag = 0; + } + else { + $str .= $s; + $cnt++; + } + } + $ofs += ($cnt + 1); + $item{shortname} = $str; + + my $data2 = substr($data,$ofs,unpack("v",substr($data,$ofs,2))); + my $sz = unpack("v",substr($data2,0,2)); + $item{version} = unpack("v",substr($data2,2,2)); + + my $ext = unpack("v",substr($data2,4,2)); + + my $ofs = 0x08; +# Get creation time values; +# my @m = unpack("vv",substr($data,$ofs,4)); + $ofs += 4; +# Get last access time values +# my @m = unpack("vv",substr($data,$ofs,4)); + $ofs += 4; +# Check the version + my 
$jmp; + if ($item{version} == 0x03) { + $jmp = 4; + } + elsif ($item{version} == 0x07) { + $jmp = 22; + } + elsif ($item{version} == 0x08) { + $jmp = 26; + } + else {} + + $ofs += $jmp; + + my $tag = 1; + my $cnt = 0; + my $str = ""; + while ($tag) { + my $s = substr($data2,$ofs + $cnt,2); + if (unpack("v",$s) == 0) { + $tag = 0; + } + else { + $str .= $s; + $cnt += 2; + } + } + $str =~ s/\00//g; + $item{name} = $str; + $ofs += $cnt; + + return %item; +} + +#----------------------------------------------------------- +# printData() +# subroutine used primarily for debugging; takes an arbitrary +# length of binary data, prints it out in hex editor-style +# format for easy debugging +#----------------------------------------------------------- +sub printData { + my $data = shift; + my $len = length($data); + my $tag = 1; + my $cnt = 0; + + my $loop = $len/16; + $loop++ if ($len%16); + + foreach my $cnt (0..($loop - 1)) { +# while ($tag) { + my $left = $len - ($cnt * 16); + + my $n; + ($left < 16) ? ($n = $left) : ($n = 16); + + my $seg = substr($data,$cnt * 16,$n); + my @str1 = split(//,unpack("H*",$seg)); + + my @s3; + my $str = ""; + + foreach my $i (0..($n - 1)) { + $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; + + if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) { + $str .= chr(hex($s3[$i])); + } + else { + $str .= "\."; + } + } + my $h = join(' ',@s3); + ::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h); + } +} + +#----------------------------------------------------------- +# convertDOSDate() +# subroutine to convert 4 bytes of binary data into a human- +# readable format. Returns both a string and a Unix-epoch +# time. 
+#----------------------------------------------------------- +sub convertDOSDate { + my $date = shift; + my $time = shift; + + if ($date == 0x00 || $time == 0x00){ + return (0,0); + } + else { + my $sec = ($time & 0x1f) * 2; + $sec = "0".$sec if (length($sec) == 1); + if ($sec == 60) {$sec = 59}; + my $min = ($time & 0x7e0) >> 5; + $min = "0".$min if (length($min) == 1); + my $hr = ($time & 0xF800) >> 11; + $hr = "0".$hr if (length($hr) == 1); + my $day = ($date & 0x1f); + $day = "0".$day if (length($day) == 1); + my $mon = ($date & 0x1e0) >> 5; + $mon = "0".$mon if (length($mon) == 1); + my $yr = (($date & 0xfe00) >> 9) + 1980; + my $gmtime = timegm($sec,$min,$hr,$day,($mon - 1),$yr); + return ("$yr-$mon-$day $hr:$min:$sec",$gmtime); +# return gmtime(timegm($sec,$min,$hr,$day,($mon - 1),$yr)); + } +} + + + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/mmc.pl b/RecentActivity/release/rr-full/plugins/mmc.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/mmc.pl rename to RecentActivity/release/rr-full/plugins/mmc.pl index d66557c5da..d10ed82c2d --- a/thirdparty/rr/plugins/mmc.pl +++ b/RecentActivity/release/rr-full/plugins/mmc.pl 
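Review bot: The short-name scan in parseAugM (`while($tag) { my $s = substr($data,0x16 + $cnt,1); ...`) and the matching loop in parseItem have no upper bound: once the index runs past the end of the Order data, substr returns undef, the `m/\00/` test fails, the else branch runs `$cnt++`, and the loop never terminates, so a truncated or corrupt MenuOrder value hangs the whole RegRipper run. A guard such as `last if (0x16 + $cnt >= length($data));` at the top of that loop (with the equivalent `$ofs + $cnt` form in parseItem and in the two UTF-16 loops that follow) bounds them; parseOrder2 reads `$num` from the data itself and should likewise stop when `$ofs >= length($data)`. In parseItem, `$jmp` is left undefined for any version other than 3, 7 or 8, so `$ofs += $jmp` adds nothing and the name is then read from the wrong offset; an explicit `else { return %item; }` makes the unsupported layout visible instead of producing garbage.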
@@ -1,75 +1,77 @@ -#----------------------------------------------------------- -# mmc.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# Microsoft Management Console Recent File List values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package mmc; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Get contents of user's MMC\\Recent File List key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching mmc v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Microsoft Management Console\\Recent File List'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("MMC - Recent File List"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# mmc.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# Microsoft Management Console Recent File List values +# +# Change history +# +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package mmc; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Get contents of user's MMC\\Recent File List key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching mmc v.".$VERSION); + ::rptMsg("mmc v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Microsoft Management Console\\Recent File List'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("MMC - Recent File List"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %files; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + my $tag = (split(/File/,$val))[1]; + $files{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %files) { + my ($val,$data) = split(/:/,$files{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." 
not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/mmc_tln.pl b/RecentActivity/release/rr-full/plugins/mmc_tln.pl new file mode 100755 index 0000000000..3287f795ab --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/mmc_tln.pl 
@@ -0,0 +1,69 @@
+#-----------------------------------------------------------
+# mmc_tln.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# Microsoft Management Console Recent File List values
+#
+# Change history
+# 20120828 - updated, transitioned to TLN format output
+# 20080324 - created
+#
+# References
+#
+#
+# copyright 2012
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package mmc_tln;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20120828);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get contents of user's MMC\\Recent File List key (TLN)";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching mmc v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Microsoft Management Console\\Recent File List';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg("MMC - Recent File List");
+# ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my $lw = $key->get_timestamp();
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ my $file1;
+ eval {
+ $file1 = $key->get_value("File1")->get_data();
+ ::rptMsg($lw."|REG|||[Program Execution] MMC - Recent File List - ".$file1);
+ };
+
+ }
+ else {
+# ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+# ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/mmo.pl b/RecentActivity/release/rr-full/plugins/mmo.pl
new file mode 100755
index 0000000000..89ebcec63c
--- /dev/null
+++ b/RecentActivity/release/rr-full/plugins/mmo.pl
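Review bot: `::logMsg("Launching mmc v.".$VERSION);` in pluginmain names the wrong plugin; this file is mmc_tln, so its log line is indistinguishable from mmc.pl's, and the new mndmru_tln.pl hunk further down has the same copy-paste in `"Launching mndmru v."`. Only File1 is emitted even though the key holds a numbered Recent File List, and the key's LastWrite time is attached to it; if that is deliberate (the LastWrite time only dates the newest entry), a one-line comment such as `# only File1 is dated by the key LastWrite time; older entries are not emitted` would stop the next reader from treating it as an omission. The eval around the File1 read discards `$@`, so a value that exists but cannot be read produces the same empty output as a missing one.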
@@ -0,0 +1,108 @@ +#----------------------------------------------------------- +# mmo.pl +# checks contents of Multimedia\Other key +# Category: AutoStart, Malware +# +# History +# 20130217 - updated with Trojan.Swaylib detection +# 20130214 created +# +# Trojan.Swaylib - http://www.symantec.com/security_response/writeup.jsp?docid +# =2013-021418-2701-99&tabid=2 +# +# References +# http://blog.fireeye.com/research/2013/02/the-number-of-the-beast.html +# http://www.joesecurity.org/reports/report-f3b9663a01a73c5eca9d6b2a0519049e.html +# +# copyright 2013, Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package mmo; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130217); + +sub getConfig{return %config} + +sub getShortDescr { + return "Checks NTUSER for Multimedia\\Other values [malware]"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + + ::logMsg("Launching mmo v.".$VERSION); + ::rptMsg("mmo v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Multimedia\\Other"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + ::rptMsg("Values:"); + foreach my $v (@vals) { + ::rptMsg(" Name: ".$v->get_name()); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +# Section added 17 Feb 2013, to address Trojan.Swaylib +# + my $key_path = "Software\\Microsoft\\CTF\\LangBarAddIn"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + ::rptMsg(""); + ::rptMsg($key_path); + foreach my $s (@subkeys) { + ::rptMsg(" ".$s->get_name()); + ::rptMsg(" LastWrite time: ".gmtime($s->get_timestamp())); + ::rptMsg(""); + + my $path; + eval { + $path = $s->get_value("FilePath")->get_data(); + ::rptMsg(" FilePath: ".$path); + }; + + my $e; + eval { + $e = $s->get_value("Enable")->get_data(); + ::rptMsg(" Enable: ".$path); + }; + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no subkeys\."); + } + } + else { + ::rptMsg($key_path." not found\."); + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/mndmru.pl b/RecentActivity/release/rr-full/plugins/mndmru.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/mndmru.pl rename to RecentActivity/release/rr-full/plugins/mndmru.pl index d223d7f49c..852309bec5 --- a/thirdparty/rr/plugins/mndmru.pl +++ b/RecentActivity/release/rr-full/plugins/mndmru.pl 
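Review bot: In the LangBarAddIn section, `::rptMsg(" Enable: ".$path);` prints the FilePath value a second time instead of the Enable data just read into `$e`; it should be `::rptMsg(" Enable: ".$e);`. The second `my $key_path` and `my $key` in the same pluginmain scope redeclare the variables used for the Multimedia\Other section, which strict accepts but warnings would flag as masking; reusing the first declarations or wrapping each section in its own block avoids that. Both eval blocks that read FilePath and Enable discard `$@`, so a value that exists but cannot be read is reported the same as an absent one, which matters for a check whose purpose is spotting a persistence entry.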
@@ -1,77 +1,79 @@ -#----------------------------------------------------------- -# mndmru.pl -# Plugin for Registry Ripper, -# Map Network Drive MRU parser -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package mndmru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Get contents of user's Map Network Drive MRU"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching mndmru v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Map Network Drive MRU"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %mnd; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - $mnd{$val} = $data; - } -# Print sorted content to report file - if (exists $mnd{"MRUList"}) { - ::rptMsg(" MRUList = ".$mnd{"MRUList"}); - delete $mnd{"MRUList"}; - } - foreach my $m (sort {$a <=> $b} keys %mnd) { - ::rptMsg(" ".$m." ".$mnd{$m}); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# mndmru.pl +# Plugin for Registry Ripper, +# Map Network Drive MRU parser +# +# Change history +# +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package mndmru; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Get contents of user's Map Network Drive MRU"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching mndmru v.".$VERSION); + ::rptMsg("mndmru v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Map Network Drive MRU"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %mnd; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + $mnd{$val} = $data; + } +# Print sorted content to report file + if (exists $mnd{"MRUList"}) { + ::rptMsg(" MRUList = ".$mnd{"MRUList"}); + delete $mnd{"MRUList"}; + } + foreach my $m (sort {$a <=> $b} keys %mnd) { + ::rptMsg(" ".$m." ".$mnd{$m}); + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." 
not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/mndmru_tln.pl b/RecentActivity/release/rr-full/plugins/mndmru_tln.pl new file mode 100755 index 0000000000..406af0d286 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/mndmru_tln.pl 
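Review bot: The sort in pluginmain, `foreach my $m (sort {$a <=> $b} keys %mnd)`, compares the value names numerically, but the names under Map Network Drive MRU appear to be the single characters that MRUList refers to (the companion mndmru_tln.pl looks one up with `(split(//,$list))[0]`), so every comparison yields 0 and the printed order is arbitrary. Since MRUList is read into the same hash, iterating its characters before the `delete`, e.g. `foreach my $m (split(//, $mnd{"MRUList"}))`, would list the entries in most-recently-used order, which is what the report heading implies. The enclosing pluginmain is whole within the hunk.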
@@ -0,0 +1,69 @@
+#-----------------------------------------------------------
+# mndmru_tln.pl
+# Plugin for Registry Ripper,
+# Map Network Drive MRU parser
+#
+# Change history
+# 20120829 - updated to TLN
+# 20080324 - mndmru.pl created
+#
+# References
+#
+#
+# copyright 2012
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package mndmru_tln;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20120829);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get user's Map Network Drive MRU (TLN)";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching mndmru v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg("Map Network Drive MRU");
+# ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my $lw = $key->get_timestamp();
+ my @vals = $key->get_list_of_values();
+ if (scalar(@vals) > 0) {
+ eval {
+ my $list = $key->get_value("MRUList")->get_data();
+ my $l = (split(//,$list))[0];
+ my $mru = $key->get_value($l)->get_data();
+ ::rptMsg($lw."|REG|||Map Network Drive MRU - ".$mru);
+ };
+ }
+ else {
+# ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+# ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/mountdev.pl b/RecentActivity/release/rr-full/plugins/mountdev.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/mountdev.pl rename to RecentActivity/release/rr-full/plugins/mountdev.pl index ae0d58b26b..0407331bf8 --- a/thirdparty/rr/plugins/mountdev.pl +++ b/RecentActivity/release/rr-full/plugins/mountdev.pl 
@@ -1,101 +1,101 @@ -#----------------------------------------------------------- -# mountdev.pl -# Plugin for Registry Ripper; Access System hive file to get the -# MountedDevices -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package mountdev; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Return contents of System hive MountedDevices key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching mountdev v.".$VERSION); - ::rptMsg("mountdev v.".$VERSION); - ::rptMsg("Get MountedDevices key information from the System hive file."); - ::rptMsg(""); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = 'MountedDevices'; - my $key; - my %md; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $data = $v->get_data(); - my $len = length($data); - if ($len == 12) { - my $sig = _translateBinary(substr($data,0,4)); - ::rptMsg($v->get_name()); - ::rptMsg("\tDrive Signature = ".$sig); - } - elsif ($len > 12) { - $data =~ s/\00//g; - push(@{$md{$data}},$v->get_name()); - } - else { - ::logMsg("mountdev v.".$VERSION."\tData length = $len"); - } - } - - ::rptMsg(""); - foreach my $m (keys %md) { - ::rptMsg("Device: ".$m); - foreach my $item (@{$md{$m}}) { - ::rptMsg("\t".$item); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." 
has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} - +#----------------------------------------------------------- +# mountdev.pl +# Plugin for Registry Ripper; Access System hive file to get the +# MountedDevices +# +# Change history +# +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package mountdev; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Return contents of System hive MountedDevices key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching mountdev v.".$VERSION); + ::rptMsg("mountdev v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); #banner + ::rptMsg(""); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = 'MountedDevices'; + my $key; + my %md; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $data = $v->get_data(); + my $len = length($data); + if ($len == 12) { + my $sig = _translateBinary(substr($data,0,4)); + ::rptMsg($v->get_name()); + ::rptMsg("\tDrive Signature = ".$sig); + } + elsif ($len > 12) { + $data =~ s/\00//g; + push(@{$md{$data}},$v->get_name()); + } + else { + ::logMsg("mountdev 
v.".$VERSION."\tData length = $len"); + } + } + + ::rptMsg(""); + foreach my $m (keys %md) { + ::rptMsg("Device: ".$m); + foreach my $item (@{$md{$m}}) { + ::rptMsg("\t".$item); + } + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + +sub _translateBinary { + my $str = unpack("H*",$_[0]); + my $len = length($str); + my @nstr = split(//,$str,$len); + my @list = (); + foreach (0..($len/2)) { + push(@list,$nstr[$_*2].$nstr[($_*2)+1]); + } + return join(' ',@list); +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/mountdev2.pl b/RecentActivity/release/rr-full/plugins/mountdev2.pl old mode 100644 new mode 100755 similarity index 59% rename from thirdparty/rr/plugins/mountdev2.pl rename to RecentActivity/release/rr-full/plugins/mountdev2.pl index d5b1c3e324..5c7770a142 --- a/thirdparty/rr/plugins/mountdev2.pl +++ b/RecentActivity/release/rr-full/plugins/mountdev2.pl 
@@ -1,106 +1,150 @@ -#----------------------------------------------------------- -# mountdev2.pl -# Plugin for Registry Ripper; Access System hive file to get the -# MountedDevices -# -# Change history -# 20091116 - changed output -# -# References -# -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package mountdev2; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091116); - -sub getConfig{return %config} -sub getShortDescr { - return "Return contents of System hive MountedDevices key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching mountdev2 v.".$VERSION); - ::rptMsg(""); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = 'MountedDevices'; - my $key; - my (%md,%dos,%vol); - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $data = $v->get_data(); - my $len = length($data); - if ($len == 12) { - my $sig = _translateBinary(substr($data,0,4)); -# my $sig = _translateBinary($data); - $vol{$v->get_name()} = $sig; - } - elsif ($len > 12) { - $data =~ s/\00//g; - push(@{$md{$data}},$v->get_name()); - } - else { - ::logMsg("mountdev2 v.".$VERSION."\tData length = $len"); - } - } - - ::rptMsg(sprintf "%-50s %-20s","Volume","Disk Sig"); - ::rptMsg(sprintf "%-50s %-20s","-------","--------"); - foreach my $v (sort keys %vol) { - my $str = sprintf "%-50s %-20s",$v,$vol{$v}; - ::rptMsg($str); - } - - ::rptMsg(""); - foreach my $m (sort keys %md) { - ::rptMsg("Device: ".$m); - foreach my $item (@{$md{$m}}) { - 
::rptMsg("\t".$item); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} - +#----------------------------------------------------------- +# mountdev2.pl +# Plugin for Registry Ripper; Access System hive file to get the +# MountedDevices +# +# Change history +# 20120403 - commented out time stamp info from volume GUIDs, added +# listing of unique MAC addresses +# 20120330 - updated to parse the Volume GUIDs to get the time stamps +# 20091116 - changed output +# +# References +# +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey +#----------------------------------------------------------- +package mountdev2; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120403); + +sub getConfig{return %config} +sub getShortDescr { + return "Return contents of System hive MountedDevices key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching mountdev2 v.".$VERSION); + ::rptMsg(""); + ::rptMsg("mountdev2 v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = 'MountedDevices'; + my $key; + my (%md,%dos,%vol,%macs); + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z"); + ::rptMsg(""); + my 
@vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $data = $v->get_data(); + my $len = length($data); + if ($len == 12) { + my $sig = _translateBinary(substr($data,0,4)); +# my $sig = _translateBinary($data); + $vol{$v->get_name()} = $sig; + } + elsif ($len > 12) { + $data =~ s/\00//g; + push(@{$md{$data}},$v->get_name()); + } + else { + ::logMsg("mountdev2 v.".$VERSION."\tData length = $len"); + } + } + + ::rptMsg(sprintf "%-50s %-20s","Volume","Disk Sig"); + ::rptMsg(sprintf "%-50s %-20s","-------","--------"); + foreach my $v (sort keys %vol) { + my $str = sprintf "%-50s %-20s",$v,$vol{$v}; + ::rptMsg($str); + } + ::rptMsg(""); + foreach my $v (sort keys %vol) { + next unless ($v =~ m/^\\\?\?\\Volume{/); + my $id = $v; + $id =~ s/^\\\?\?\\Volume{//; + $id =~ s/}$//; + $id =~ s/-//g; + my $l = hex(substr($id,0,8)); + my $m = hex(substr($id,8,4)); + my $h = hex(substr($id,12,4)) & 0x0fff; + my $h = $m | $h << 16; + my $t = (::getTime($l,$h) - 574819200); + ::rptMsg($v); + ::rptMsg(" ".gmtime($t)); + } + + ::rptMsg(""); + foreach my $m (sort keys %md) { + ::rptMsg("Device: ".$m); + foreach my $item (@{$md{$m}}) { + + if ($item =~ m/^\\\?\?\\Volume/) { + my $id = $item; + $id =~ s/^\\\?\?\\Volume{//; + $id =~ s/}$//; +# $id =~ s/-//g; +# my $l = hex(substr($id,0,8)); +# my $m = hex(substr($id,8,4)); +# my $h = hex(substr($id,12,4)) & 0x0fff; +# my $h = $m | $h << 16; +# my $t = (::getTime($l,$h) - 574819200); +# $item .= " ".gmtime($t); + my $m = (split(/-/,$id,5))[4]; + $m = uc($m); + $m = join(':',unpack("(A2)*",$m)); + $macs{$m} = 1; + } + + ::rptMsg(" ".$item); + } + ::rptMsg(""); + } + ::rptMsg(""); + ::rptMsg("Unique MAC Addresses:"); + foreach (keys %macs) { + ::rptMsg($_); + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." 
not found."); + } +} + +sub _translateBinary { + my $str = unpack("H*",$_[0]); + my $len = length($str); + my @nstr = split(//,$str,$len); + my @list = (); + foreach (0..($len/2)) { + push(@list,$nstr[$_*2].$nstr[($_*2)+1]); + } + return join(' ',@list); +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/mp2.pl b/RecentActivity/release/rr-full/plugins/mp2.pl old mode 100644 new mode 100755 similarity index 80% rename from thirdparty/rr/plugins/mp2.pl rename to RecentActivity/release/rr-full/plugins/mp2.pl index b7ef8f76d6..b3ae838692 --- a/thirdparty/rr/plugins/mp2.pl +++ b/RecentActivity/release/rr-full/plugins/mp2.pl 
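Review bot: The new MAC-address and timestamp extraction treats every `\??\Volume{...}` GUID as a time-based (version 1) UUID without checking the version nibble, so for random (version 4) volume GUIDs the first two groups are not a timestamp and the last group is random bytes, and the plugin will report a fabricated `gmtime` per volume and list random 48-bit values under "Unique MAC Addresses". In the first loop, after `$id =~ s/-//g;`, add `next unless (substr($id,12,1) eq '1');`, and in the `%md` loop wrap the split/`$macs{$m} = 1` lines in `if (substr($id,14,1) eq '1') { ... }` (there `$id` still has its dashes). Even for v1 UUIDs, a node field whose first octet has the low (multicast) bit set is a random node rather than a hardware address per RFC 4122, which is worth a comment next to the `Unique MAC Addresses` header so an examiner does not attribute it to a NIC. Style: `my $h` is declared twice in the same scope in the first loop; reuse the first declaration (`$h = $m | $h << 16;`).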
@@ -1,114 +1,132 @@ -#----------------------------------------------------------- -# mp2.pl -# Plugin for Registry Ripper, -# MountPoints2 key parser -# -# Change history -# 20091116 - updated output/sorting; added getting -# _LabelFromReg value -# 20090115 - Removed printing of "volumes" -# -# References -# http://support.microsoft.com/kb/932463 -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package mp2; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090115); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's MountPoints2 key contents"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching mp2 v.".$VERSION); - - my %drives; - my %volumes; - my %remote; - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("MountPoints2"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - if ($name =~ m/^{/) { - my $label; - eval { - $label = $s->get_value("_LabelFromReg")->get_data(); - }; - $name = $name." 
(".$label.")" unless ($@); - push(@{$volumes{$s->get_timestamp()}},$name); - } - elsif ($name =~ m/^[A-Z]/) { - push(@{$drives{$s->get_timestamp()}},$name); - } - elsif ($name =~ m/^#/) { - push(@{$remote{$s->get_timestamp()}},$name); - } - else { - ::rptMsg(" Key name = ".$name); - } - } - ::rptMsg(""); - ::rptMsg("Remote Drives:"); - foreach my $t (reverse sort {$a <=> $b} keys %remote) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$remote{$t}}) { - ::rptMsg(" $item"); - } - } - - ::rptMsg(""); - ::rptMsg("Volumes:"); - foreach my $t (reverse sort {$a <=> $b} keys %volumes) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$volumes{$t}}) { - ::rptMsg(" $item"); - } - } - ::rptMsg(""); - ::rptMsg("Drives:"); - foreach my $t (reverse sort {$a <=> $b} keys %drives) { - my $d = join(',',(@{$drives{$t}})); - ::rptMsg(gmtime($t)." (UTC) - ".$d); - } - - ::rptMsg(""); - ::rptMsg("Analysis Tip: Correlate the Volume entries to those found in the MountedDevices"); - ::rptMsg("entries that begin with \"\\??\\Volume\"\."); - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# mp2.pl +# Plugin for Registry Ripper, +# MountPoints2 key parser +# +# Change history +# 20120330 - updated to include parsing of UUID v1 GUIDs to get unique +# MAC addresses +# 20091116 - updated output/sorting; added getting +# _LabelFromReg value +# 20090115 - Removed printing of "volumes" +# +# References +# http://support.microsoft.com/kb/932463 +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. 
Carvey +#----------------------------------------------------------- +package mp2; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120330); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's MountPoints2 key contents"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching mp2 v.".$VERSION); + ::rptMsg("mp2 v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my %drives; + my %volumes; + my %remote; + my %macs; + + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("MountPoints2"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + if ($name =~ m/^{/) { + my $label; + eval { + $label = $s->get_value("_LabelFromReg")->get_data(); + }; + + my $m = (split(/-/,$name,5))[4]; + $m =~ s/}$//; + $m = uc($m); + $m = join(':',unpack("(A2)*",$m)); + $macs{$m} = 1; + + $name = $name." (".$label.")" unless ($@); + + push(@{$volumes{$s->get_timestamp()}},$name); + } + elsif ($name =~ m/^[A-Z]/) { + push(@{$drives{$s->get_timestamp()}},$name); + } + elsif ($name =~ m/^#/) { + push(@{$remote{$s->get_timestamp()}},$name); + } + else { + ::rptMsg(" Key name = ".$name); + } + } + ::rptMsg(""); + ::rptMsg("Remote Drives:"); + foreach my $t (reverse sort {$a <=> $b} keys %remote) { + ::rptMsg(gmtime($t)." 
(UTC)"); + foreach my $item (@{$remote{$t}}) { + ::rptMsg(" $item"); + } + } + + ::rptMsg(""); + ::rptMsg("Volumes:"); + foreach my $t (reverse sort {$a <=> $b} keys %volumes) { + ::rptMsg(gmtime($t)." (UTC)"); + foreach my $item (@{$volumes{$t}}) { + ::rptMsg(" $item"); + } + } + ::rptMsg(""); + ::rptMsg("Drives:"); + foreach my $t (reverse sort {$a <=> $b} keys %drives) { + my $d = join(',',(@{$drives{$t}})); + ::rptMsg(gmtime($t)." (UTC) - ".$d); + } + ::rptMsg(""); + ::rptMsg("Unique MAC Addresses:"); + foreach (keys %macs) { + ::rptMsg($_); + } + + ::rptMsg(""); + ::rptMsg("Analysis Tip: Correlate the Volume entries to those found in the MountedDevices"); + ::rptMsg("entries that begin with \"\\??\\Volume\"\."); + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/mp3.pl b/RecentActivity/release/rr-full/plugins/mp3.pl new file mode 100755 index 0000000000..b51c5e5568 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/mp3.pl 
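Review bot: The added MAC extraction splits every `{...}` subkey name and reports its fifth group as a MAC address regardless of UUID version, so MountPoints2 entries with random (version 4) GUIDs put random 48-bit values into "Unique MAC Addresses", and a name that is not a five-group GUID leaves `$m` undefined (`uc`/`unpack` on undef, an empty-string key in `%macs`). Guard it with `my @p = split(/-/,$name,5); if (scalar(@p) == 5 && substr($p[2],0,1) eq '1') { ... }` around the `$m = ...`/`$macs{$m} = 1` lines, so only version-1 UUIDs contribute. A short comment above the `Unique MAC Addresses` output noting that a node field with the multicast bit set is a random value rather than a hardware address (RFC 4122) would help the reader of the report.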
@@ -0,0 +1,113 @@ +#----------------------------------------------------------- +# mp3.pl +# Plugin for Registry Ripper, +# MountPoints2 key parser +# +# Change history +# 20120330 - updated to include parsing of UUID v1 GUIDs to get unique +# MAC addresses +# 20091116 - updated output/sorting; added getting +# _LabelFromReg value +# 20090115 - Removed printing of "volumes" +# +# References +# http://support.microsoft.com/kb/932463 +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey +#----------------------------------------------------------- +package mp3; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120330); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's MountPoints2 key contents"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching mp3 v.".$VERSION); + ::rptMsg("mp3 v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my %drives; + my %volumes; + my %remote; + my %macs; + + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("MountPoints2"); +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + if ($name =~ m/^{/) { + my $label; + eval { + $label = $s->get_value("_LabelFromReg")->get_data(); + }; + + my $m = (split(/-/,$name,5))[4]; + $m =~ s/}$//; + $m = uc($m); + $m = join(':',unpack("(A2)*",$m)); + $macs{$m} = 1; + + $name = $name." 
(".$label.")" unless ($@); + + push(@{$volumes{$s->get_timestamp()}},$name); + } + else { +# ::rptMsg(" Key name = ".$name); + } + } + foreach my $t (reverse sort {$a <=> $b} keys %volumes) { + foreach my $id (@{$volumes{$t}}) { + ::rptMsg($t."|REG|Server|User|".$id." Volume MP2 key LastWrite"); + my $id2 = $id; + $id =~ s/^{//; + $id =~ s/}$//; + $id =~ s/-//g; + + my $l = hex(substr($id,0,8)); + my $m = hex(substr($id,8,4)); + my $h = hex(substr($id,12,4)) & 0x0fff; + my $h = $m | $h << 16; + my $t2 = (::getTime($l,$h) - 574819200); + + ::rptMsg($t2."|REG|Server|User|".$id2." Vol GUID date"); + + } + } + + } + else { +# ::rptMsg($key_path." has no subkeys."); + } + } + else { +# ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/mpmru.pl b/RecentActivity/release/rr-full/plugins/mpmru.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/mpmru.pl rename to RecentActivity/release/rr-full/plugins/mpmru.pl index 701f0a802d..87e449a936 --- a/thirdparty/rr/plugins/mpmru.pl +++ b/RecentActivity/release/rr-full/plugins/mpmru.pl 
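Review bot: `%macs` is populated in the subkey loop (`$macs{$m} = 1;`) but never written out, so that block is dead code in this plugin; either drop it or emit the addresses as the other TLN plugins do. The "Vol GUID date" record is also produced for every volume GUID without checking the UUID version nibble, so a random (version 4) GUID yields a timeline event with a meaningless timestamp; add `next unless (substr($id,12,1) eq '1');` after `$id =~ s/-//g;` so only version-1 UUIDs get a date line. The TLN records carry the literal placeholders `|REG|Server|User|`, whereas `mndmru_tln.pl` in this same change leaves the system and user fields empty (`|REG|||`); pick one convention, since a literal "Server"/"User" will be read as real values by a timeline consumer. `my $h` is also declared twice in the same scope, and the header comment is copied from mp2.pl and does not say this variant emits TLN output.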
@@ -1,75 +1,77 @@ -#----------------------------------------------------------- -# mpmru.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# Media Player RecentFileList values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package mpmru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's Media Player RecentFileList values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching mpmru v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Media Player - RecentFileList"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# mpmru.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# Media Player RecentFileList values +# +# Change history +# +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package mpmru; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's Media Player RecentFileList values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching mpmru v.".$VERSION); + ::rptMsg("mpmru v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Media Player - RecentFileList"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %files; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + my $tag = (split(/File/,$val))[1]; + $files{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %files) { + my ($val,$data) = split(/:/,$files{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." 
not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/mrt.pl b/RecentActivity/release/rr-full/plugins/mrt.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/mrt.pl rename to RecentActivity/release/rr-full/plugins/mrt.pl index 89e9ebddaf..aee2c361dc --- a/thirdparty/rr/plugins/mrt.pl +++ b/RecentActivity/release/rr-full/plugins/mrt.pl 
@@ -1,72 +1,74 @@ -#----------------------------------------------------------- -# mrt.pl -# -# Per http://support.microsoft.com/kb/891716/, whenever MRT is run, a new -# GUID is written to the Version value. Check the KB article to compare -# GUIDs against the last time the tool was run. Also be sure to check the -# MRT logs in %WinDir%\Debug (mrt.log) -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package mrt; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20080804); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check to see if Malicious Software Removal Tool has been run"; -} -sub getDescr{} -sub getRefs {"Deployment of the Microsoft Windows Malicious Software Removal Tool" => - "http://support.microsoft.com/kb/891716/", - "The Microsoft Windows Malicious Software Removal Tool" => "http://support.microsoft.com/?kbid=890830"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching MRT v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - - my $key_path = "Microsoft\\RemovalTools\\MRT"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Key Path: ".$key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $version; - eval { - $version = $key->get_value("Version")->get_data(); - }; - if ($@) { - ::rptMsg("Error getting Version information: ".$@); - - } - else { - ::rptMsg("Version: ".$version); - ::rptMsg(""); - ::rptMsg("Analysis Tip: Go to http://support.microsoft.com/kb/891716/ to see when MRT"); - ::rptMsg("was last run. 
According to the KB article, each time MRT is run, a new GUID"); - ::rptMsg("is written to the Version value."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# mrt.pl +# +# Per http://support.microsoft.com/kb/891716/, whenever MRT is run, a new +# GUID is written to the Version value. Check the KB article to compare +# GUIDs against the last time the tool was run. Also be sure to check the +# MRT logs in %WinDir%\Debug (mrt.log) +# +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package mrt; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20080804); + +sub getConfig{return %config} + +sub getShortDescr { + return "Check to see if Malicious Software Removal Tool has been run"; +} +sub getDescr{} +sub getRefs {"Deployment of the Microsoft Windows Malicious Software Removal Tool" => + "http://support.microsoft.com/kb/891716/", + "The Microsoft Windows Malicious Software Removal Tool" => "http://support.microsoft.com/?kbid=890830"} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching mrt v.".$VERSION); + ::rptMsg("mrt v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + + my $key_path = "Microsoft\\RemovalTools\\MRT"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Key Path: ".$key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + my $version; + eval { + $version = $key->get_value("Version")->get_data(); + }; + if ($@) { + ::rptMsg("Error getting Version information: ".$@); + + } + else { + ::rptMsg("Version: ".$version); + ::rptMsg(""); + ::rptMsg("Analysis Tip: Go to http://support.microsoft.com/kb/891716/ to see when MRT"); + ::rptMsg("was last run. According to the KB article, each time MRT is run, a new GUID"); + ::rptMsg("is written to the Version value."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/msis.pl b/RecentActivity/release/rr-full/plugins/msis.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/msis.pl rename to RecentActivity/release/rr-full/plugins/msis.pl index cda7bc4cdd..0075eec172 --- a/thirdparty/rr/plugins/msis.pl +++ b/RecentActivity/release/rr-full/plugins/msis.pl 
@@ -1,96 +1,98 @@ -#----------------------------------------------------------- -# msis.pl -# Plugin to determine the MSI packages installed on the system -# -# Change history: -# 20090911 - created -# -# References: -# http://support.microsoft.com/kb/290134 -# http://support.microsoft.com/kb/931401 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package msis; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090911); - -sub getConfig{return %config} - -sub getShortDescr { - return "Determine MSI packages installed on the system"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %msi; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching msis v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Classes\\Installer\\Products"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $lastwrite = $s->get_timestamp(); - - my $product; - eval { - $product = $s->get_value("ProductName")->get_data(); - }; - - my $path; - my $pkg; - - eval { - my $p = $s->get_subkey("SourceList")->get_value("LastUsedSource")->get_data(); - $path = (split(/;/,$p,3))[2]; - }; - - eval { - $pkg = $s->get_subkey("SourceList")->get_value("PackageName")->get_data(); - }; - - push(@{$msi{$lastwrite}},$product.";".$path.$pkg); - } - - - foreach my $t (reverse sort {$a <=> $b} keys %msi) { - ::rptMsg(gmtime($t)." 
(UTC)"); - foreach my $item (@{$msi{$t}}) { - ::rptMsg(" ".$item); - } - } - - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# msis.pl +# Plugin to determine the MSI packages installed on the system +# +# Change history: +# 20090911 - created +# +# References: +# http://support.microsoft.com/kb/290134 +# http://support.microsoft.com/kb/931401 +# +# copyright 2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package msis; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090911); + +sub getConfig{return %config} + +sub getShortDescr { + return "Determine MSI packages installed on the system"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %msi; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching msis v.".$VERSION); + ::rptMsg("msis v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Classes\\Installer\\Products"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $lastwrite = $s->get_timestamp(); + + my $product; + eval { + $product = $s->get_value("ProductName")->get_data(); + }; + + my $path; + my $pkg; + + eval { + my $p = $s->get_subkey("SourceList")->get_value("LastUsedSource")->get_data(); + $path = (split(/;/,$p,3))[2]; + }; + + eval { + $pkg = $s->get_subkey("SourceList")->get_value("PackageName")->get_data(); + }; + + push(@{$msi{$lastwrite}},$product.";".$path.$pkg); + } + + + foreach my $t (reverse sort {$a <=> $b} keys %msi) { + ::rptMsg(gmtime($t)." (UTC)"); + foreach my $item (@{$msi{$t}}) { + ::rptMsg(" ".$item); + } + } + + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/mspaper.pl b/RecentActivity/release/rr-full/plugins/mspaper.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/mspaper.pl rename to RecentActivity/release/rr-full/plugins/mspaper.pl index da25ba65a0..f4038b321d --- a/thirdparty/rr/plugins/mspaper.pl +++ b/RecentActivity/release/rr-full/plugins/mspaper.pl 
@@ -1,100 +1,102 @@ -#----------------------------------------------------------- -# mspaper.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# MSPaper Recent File List values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package mspaper; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets images listed in user's MSPaper key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching mspaper v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $tick = 0; - my $key_path = 'Software\\Microsoft'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - - if (scalar @subkeys > 0) { - foreach my $sk (@subkeys) { - if ($sk->get_name() =~ m/^mspaper/i) { - $tick = 1; - my $nkey = $sk->get_name()."\\Recent File List"; - my $msp; - if ($msp = $key->get_subkey($nkey)) { - ::rptMsg("MSPaper - Recent File List"); - ::rptMsg($key_path."\\".$nkey); - ::rptMsg("LastWrite Time ".gmtime($msp->get_timestamp())." (UTC)"); - my @vals = $msp->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path."\\".$nkey." 
has no values."); - } - } - else { - ::rptMsg($key_path."\\".$nkey." not found."); - ::logMsg("Error: ".$key_path."\\".$nkey." not found."); - } - } - } - if ($tick == 0) { - ::rptMsg("SOFTWARE\\Microsoft\\MSPaper* not found."); - ::logMsg("SOFTWARE\\Microsoft\\MSPaper* not found."); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# mspaper.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# MSPaper Recent File List values +# +# Change history +# +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package mspaper; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets images listed in user's MSPaper key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching mspaper v.".$VERSION); + ::rptMsg("mspaper v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $tick = 0; + my $key_path = 'Software\\Microsoft'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + + if (scalar @subkeys > 0) { + foreach my $sk (@subkeys) { + if ($sk->get_name() =~ m/^mspaper/i) { + $tick = 1; + my $nkey = $sk->get_name()."\\Recent File List"; + my $msp; + if ($msp = $key->get_subkey($nkey)) { + ::rptMsg("MSPaper - Recent File List"); + ::rptMsg($key_path."\\".$nkey); + ::rptMsg("LastWrite Time 
".gmtime($msp->get_timestamp())." (UTC)"); + my @vals = $msp->get_list_of_values(); + if (scalar(@vals) > 0) { + my %files; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + my $tag = (split(/File/,$val))[1]; + $files{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %files) { + my ($val,$data) = split(/:/,$files{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path."\\".$nkey." has no values."); + } + } + else { + ::rptMsg($key_path."\\".$nkey." not found."); + ::logMsg("Error: ".$key_path."\\".$nkey." not found."); + } + } + } + if ($tick == 0) { + ::rptMsg("SOFTWARE\\Microsoft\\MSPaper* not found."); + ::logMsg("SOFTWARE\\Microsoft\\MSPaper* not found."); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/muicache.pl b/RecentActivity/release/rr-full/plugins/muicache.pl new file mode 100755 index 0000000000..96f564b834 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/muicache.pl 
@@ -0,0 +1,93 @@ +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# muicache.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# MUICache values +# +# Change history +# 20130425 - added alertMsg() functionality +# 20120522 - updated to collect info from Win7 USRCLASS.DAT +# +# +# copyright 2012 Quantum Research Analytics, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package muicache; +use strict; + +my %config = (hive => "NTUSER\.DAT,USRCLASS\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130425); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets EXEs from user's MUICache key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching muicache v.".$VERSION); + ::rptMsg("muicache v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + my $key_path = 'Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + ::alertMsg("ALERT: muicache: ".$key_path." ".$name." has \"Temp\" in path\.") if (grep(/[Tt]emp/,$name)); + next if ($name =~ m/^@/ || $name eq "LangID"); + my $data = $v->get_data(); + ::rptMsg(" ".$name." (".$data.")"); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." 
not found."); + ::rptMsg(""); + } +# Added for access to USRCLASS.DAT + my $key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + ::alertMsg("ALERT: muicache: ".$key_path." ".$name." has \"Temp\" in path\.") if (grep(/[Tt]emp/,$name)); + next if ($name =~ m/^@/ || $name eq "LangID"); + my $data = $v->get_data(); + ::rptMsg($name." (".$data.")"); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } + +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/muicache_tln.pl b/RecentActivity/release/rr-full/plugins/muicache_tln.pl new file mode 100755 index 0000000000..c0c5c0eac4 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/muicache_tln.pl 
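Review bot: The Temp heuristic in both value loops, `if (grep(/[Tt]emp/,$name))`, matches any substring such as "Template" or "Temperature", so the alert fires on legitimate executables and uses grep on a scalar where a plain match is meant; anchoring it to a path component, `if ($name =~ m/\\temp\\/i)`, keeps the alert focused on binaries run from a Temp directory (the same pattern is in muicache_tln.pl). The check also runs before the `next if ($name =~ m/^@/ || $name eq "LangID")` skip, so `@`-prefixed resource entries are alerted on as well; moving it after the skip avoids that. The second block re-declares `my $key_path` and `my $key` in the same scope as the first, which `use warnings` would report as masking an earlier declaration (also in muicache_tln.pl); reusing the existing variables is enough. The second loop prints `$name." (".$data.")"` without the two-space indent the first loop uses, so the report is inconsistent between the two keys.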
@@ -0,0 +1,91 @@ +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# muicache_tln.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# MUICache values +# +# Change history +# 20130425 - added alertMsg() functionality +# 20120522 - updated to collect info from Win7 USRCLASS.DAT +# +# +# copyright 2013 Quantum Research Analytics, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package muicache_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT,USRCLASS\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130425); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets EXEs from user's MUICache key (TLN)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching muicache_tln v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + my $key_path = 'Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my $lw = $key->get_timestamp(); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + next if ($name =~ m/^@/ || $name eq "LangID"); + my $data = $v->get_data(); + ::alertMsg($lw."|ALERT|||HKCU\\".$key_path." ".$name." has \"Temp\" in path: ".$data) if (grep(/[Tt]emp/,$name)); +# ::rptMsg(" ".$name." (".$data.")"); + } + } + else { +# ::rptMsg($key_path." has no values."); + } + } + else { +# ::rptMsg($key_path." 
not found."); +# ::rptMsg(""); + } +# Added for access to USRCLASS.DAT + my $key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); +# ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + next if ($name =~ m/^@/ || $name eq "LangID"); + my $data = $v->get_data(); + ::alertMsg($lw."|ALERT|||HKCU\\".$key_path." ".$name." has \"Temp\" in path: ".$data) if (grep(/[Tt]emp/,$name)); + } + } + else { +# ::rptMsg($key_path." has no values."); + } + } + else { +# ::rptMsg($key_path." not found."); + } + +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/nero.pl b/RecentActivity/release/rr-full/plugins/nero.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/nero.pl rename to RecentActivity/release/rr-full/plugins/nero.pl index 30b861326a..5ec0065264 --- a/thirdparty/rr/plugins/nero.pl +++ b/RecentActivity/release/rr-full/plugins/nero.pl 
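Review bot: `$lw` is declared with `my` inside the first `if ($key = $root_key->get_subkey($key_path))` block but is referenced again in the second block's `::alertMsg($lw."|ALERT|||HKCU\\"...)`, where no declaration is in scope; under `use strict` that is a compile-time error, so the plugin fails to load rather than emit any timeline entries. Add `my $lw = $key->get_timestamp();` at the top of the second block, which also gives the USRCLASS.DAT alert that key's own LastWrite time instead of the first key's. The commented-out `::rptMsg` lines are leftovers from muicache.pl and can be deleted now that this is a TLN-only plugin.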
@@ -1,75 +1,76 @@ -#----------------------------------------------------------- -# nero.pl -# **Very Beta! Based on one sample hive file only! -# -# Change history -# 20100218 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package nero; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of Ahead\\Nero Recent File List subkeys"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my @nerosubkeys = ("Cover Designer","FlmgPlg","Nero PhotoSnap", - "NSPluginMgr","PhotoEffects","XlmgPlg"); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching nero v.".$VERSION); - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Ahead'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - foreach my $nsk (@nerosubkeys) { - eval { - my $nk; - if ($nk = $key->get_subkey($nsk."\\Recent File List")) { - my @vals = $nk->get_list_of_values(); - if (scalar @vals > 0) { - ::rptMsg($nsk."\\Recent File List"); - ::rptMsg("LastWrite Time ".gmtime($nk->get_timestamp())." (UTC)"); - foreach my $v (@vals) { - ::rptMsg(" ".$v->get_name()." -> ".$v->get_data()); - } - ::rptMsg(""); - } - else { - ::rptMsg($nsk."\\Recent File List has no values."); - } - } - }; - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# nero.pl +# **Very Beta! Based on one sample hive file only! 
+# +# Change history +# 20100218 - created +# +# References +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package nero; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100218); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of Ahead\\Nero Recent File List subkeys"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my @nerosubkeys = ("Cover Designer","FlmgPlg","Nero PhotoSnap", + "NSPluginMgr","PhotoEffects","XlmgPlg"); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + my %hist; + ::logMsg("Launching nero v.".$VERSION); + ::rptMsg("nero v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Ahead'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + foreach my $nsk (@nerosubkeys) { + eval { + my $nk; + if ($nk = $key->get_subkey($nsk."\\Recent File List")) { + my @vals = $nk->get_list_of_values(); + if (scalar @vals > 0) { + ::rptMsg($nsk."\\Recent File List"); + ::rptMsg("LastWrite Time ".gmtime($nk->get_timestamp())." (UTC)"); + foreach my $v (@vals) { + ::rptMsg(" ".$v->get_name()." -> ".$v->get_data()); + } + ::rptMsg(""); + } + else { + ::rptMsg($nsk."\\Recent File List has no values."); + } + } + }; + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/netassist.pl b/RecentActivity/release/rr-full/plugins/netassist.pl new file mode 100755 index 0000000000..985da5eb48 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/netassist.pl 
@@ -0,0 +1,123 @@ +#----------------------------------------------------------- +# netassist.pl +# Plugin to determine if a system is infected with the BHO "My.Freeze.com". +# This is a BHO specifically for firefox and is installed as an addon using a +# third party installer. This is usually done when a user installs a product +# and is installed without the user reading all the information on the install. +# It usually requires the user to uncheck a box but as most users do not read +# everything it is installed unknowingly. +# If you look under the "addons" in firefox you will see an addon called +# "Freeze.com Net Assistant for Firefox", but you can only enable or disable +# it from there. To uninstall it completely from #the system you must +# uninstall from the system "add/remove" program under the control panel. +# +# Change history +# 20110427 [mmo] % created +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# Script written by Mark Morgan +#----------------------------------------------------------- +# Require # +package netassist; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110427); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Check for Firefox Extensions."; +} +sub getRefs { + my %refs = (""); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + my @interesting_paths = ( + 'Software\\Mozilla\\Firefox\\Extensions', + 'Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\NetAssistant', + 'Software\\Microsoft\\Installer\\Products\\D4676621F4CF7AF46BB388D4351B86F0', + 
'Software\\Microsoft\\Installer\\Products\\D4676621F4CF7AF46BB388D4351B86F0\\SourceList', + + ); + my @interesting_keys = ( + "Values", + "ValueViewOnly" + ); + + # Initialize # + ::logMsg("Launching netassist v.".$VERSION); + ::rptMsg("netassist v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + # Extract # possible registry paths + foreach my $key_path (@interesting_paths) { + + # If # WinVNC path exists # + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + ::rptMsg("netassist"); + ::rptMsg($key_path); + ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); + ::rptMsg(""); + my %keys; + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + ::rptMsg(sprintf "%-12s %-20s",$v->get_name(),$v->get_data()); + } + + # Return # all key names+values for interesting keys # + foreach my $var (@interesting_keys) { + if (exists $keys{$var}) { + my $hstring = unpack ("H*",$keys{$var}); + ::rptMsg($var." -> ".$hstring); + } + } + + # Return # obligatory new-line # + ::rptMsg(""); + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # WinVNC isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/thirdparty/rr/plugins/network.pl b/RecentActivity/release/rr-full/plugins/network.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/network.pl rename to RecentActivity/release/rr-full/plugins/network.pl index 32853b3110..c8be89b91d --- a/thirdparty/rr/plugins/network.pl +++ b/RecentActivity/release/rr-full/plugins/network.pl 
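Review bot: `%keys` is declared in pluginmain but never populated, so the `foreach my $var (@interesting_keys) { if (exists $keys{$var}) ... }` loop is dead code and the "Values"/"ValueViewOnly" entries are never reported; filling it inside the values loop, `$keys{$v->get_name()} = $v->get_data();`, makes the hex-dump branch reachable. The surrounding comments ("If # WinVNC path exists", "WinVNC isn't here, try another castle") appear to be left over from the plugin this was copied from and should name the NetAssistant keys instead. `my %refs = ("");` builds a hash from a one-element list, which `use warnings` reports as an odd number of elements; `my %refs = ();` or a real reference URL would be cleaner. The `LastWrite: ` line also omits the ` (UTC)` suffix the other plugins in this commit print after gmtime().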
@@ -1,95 +1,97 @@ -#----------------------------------------------------------- -# network.pl -# Plugin for Registry Ripper; Get information on network -# interfaces from the System hive file - from the -# Control\Network GUID subkeys... -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package network; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets info from System\\Control\\Network GUIDs"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %nics; - my $ccs; - ::logMsg("Launching network v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"; - my $nw; - if ($nw = $root_key->get_subkey($nw_path)) { - ::rptMsg("Network key"); - ::rptMsg($nw_path); -# Get all of the subkey names - my @sk = $nw->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - next if ($name eq "Descriptions"); - if (my $conn = $nw->get_subkey($name."\\Connection")) { - ::rptMsg("Interface ".$name); - ::rptMsg("LastWrite time ".gmtime($conn->get_timestamp())." 
(UTC)"); - my %conn_vals; - my @vals = $conn->get_list_of_values(); - map{$conn_vals{$_->get_name()} = $_->get_data()}@vals; - ::rptMsg("\tName = ".$conn_vals{Name}); - ::rptMsg("\tPnpInstanceID = ".$conn_vals{PnpInstanceID}); - ::rptMsg("\tMediaSubType = ".$conn_vals{MediaSubType}); - ::rptMsg("\tIpCheckingEnabled = ".$conn_vals{IpCheckingEnabled}) - if (exists $conn_vals{IpCheckingEnabled}); - - } - ::rptMsg(""); - } - - } - else { - ::rptMsg($nw_path." has no subkeys."); - } - } - else { - ::rptMsg($nw_path." could not be found."); - ::logMsg($nw_path." could not be found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# network.pl +# Plugin for Registry Ripper; Get information on network +# interfaces from the System hive file - from the +# Control\Network GUID subkeys... +# +# Change history +# +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package network; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets info from System\\Control\\Network GUIDs"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %nics; + my $ccs; + ::logMsg("Launching network v.".$VERSION); + ::rptMsg("network v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = 
$root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"; + my $nw; + if ($nw = $root_key->get_subkey($nw_path)) { + ::rptMsg("Network key"); + ::rptMsg($nw_path); +# Get all of the subkey names + my @sk = $nw->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); + next if ($name eq "Descriptions"); + if (my $conn = $nw->get_subkey($name."\\Connection")) { + ::rptMsg("Interface ".$name); + ::rptMsg("LastWrite time ".gmtime($conn->get_timestamp())." (UTC)"); + my %conn_vals; + my @vals = $conn->get_list_of_values(); + map{$conn_vals{$_->get_name()} = $_->get_data()}@vals; + ::rptMsg("\tName = ".$conn_vals{Name}); + ::rptMsg("\tPnpInstanceID = ".$conn_vals{PnpInstanceID}); + ::rptMsg("\tMediaSubType = ".$conn_vals{MediaSubType}); + ::rptMsg("\tIpCheckingEnabled = ".$conn_vals{IpCheckingEnabled}) + if (exists $conn_vals{IpCheckingEnabled}); + + } + ::rptMsg(""); + } + + } + else { + ::rptMsg($nw_path." has no subkeys."); + } + } + else { + ::rptMsg($nw_path." could not be found."); + ::logMsg($nw_path." could not be found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/networkcards.pl b/RecentActivity/release/rr-full/plugins/networkcards.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/networkcards.pl rename to RecentActivity/release/rr-full/plugins/networkcards.pl index c0ce64f41d..e2d9508c0f --- a/thirdparty/rr/plugins/networkcards.pl +++ b/RecentActivity/release/rr-full/plugins/networkcards.pl 
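Review bot: `$current = $key->get_value("Current")->get_data();` is chained without checking that the value exists, so a hive whose Select key lacks `Current` makes the plugin die on an undefined value and abort the run instead of reporting a missing key; guard it as `my $cur = $key->get_value("Current"); if (defined $cur) { $current = $cur->get_data(); ... }` or wrap it in `eval { }` the way msis.pl in this commit does. The same unguarded chains appear in networkcards.pl (`$s->get_value("ServiceName")->get_data()` and `$s->get_value("Description")->get_data()`), where one subkey missing a value stops reporting on all the others. `%nics` is declared but never used and can be dropped. `"ControlSet00".$current` also silently yields a wrong path if Current is ever 10 or higher; `sprintf("ControlSet%03d", $current)` is the safe form.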
@@ -1,62 +1,64 @@ -#----------------------------------------------------------- -# networkcards -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package networkcards; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080325); - -sub getConfig{return %config} -sub getShortDescr { - return "Get NetworkCards"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching networkcards v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("NetworkCards"); - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - my %nc; - foreach my $s (@subkeys) { - my $service = $s->get_value("ServiceName")->get_data(); - $nc{$service}{descr} = $s->get_value("Description")->get_data(); - $nc{$service}{lastwrite} = $s->get_timestamp(); - } - - foreach my $n (keys %nc) { - ::rptMsg($nc{$n}{descr}." [".gmtime($nc{$n}{lastwrite})."]"); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# networkcards +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package networkcards; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080325); + +sub getConfig{return %config} +sub getShortDescr { + return "Get NetworkCards"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching networkcards v.".$VERSION); + ::rptMsg("networkcards v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("NetworkCards"); + ::rptMsg($key_path); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + my %nc; + foreach my $s (@subkeys) { + my $service = $s->get_value("ServiceName")->get_data(); + $nc{$service}{descr} = $s->get_value("Description")->get_data(); + $nc{$service}{lastwrite} = $s->get_timestamp(); + } + + foreach my $n (keys %nc) { + ::rptMsg($nc{$n}{descr}." [".gmtime($nc{$n}{lastwrite})."]"); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/networklist.pl b/RecentActivity/release/rr-full/plugins/networklist.pl old mode 100644 new mode 100755 similarity index 84% rename from thirdparty/rr/plugins/networklist.pl rename to RecentActivity/release/rr-full/plugins/networklist.pl index babf87d7d6..ccdd4ad86c --- a/thirdparty/rr/plugins/networklist.pl 
+++ b/RecentActivity/release/rr-full/plugins/networklist.pl 
@@ -1,142 +1,158 @@ -#----------------------------------------------------------- -# networklist.pl - Plugin to extract information from the -# NetworkList key, including the MAC address of the default -# gateway -# -# -# Change History: -# 20090812 - updated code to parse DateCreated and DateLastConnected -# values; modified output, as well -# 20090811 - created -# -# References -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package networklist; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090811); - -sub getConfig{return %config} - -sub getShortDescr { - return "Collects network info from Vista NetworkList key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching networklist v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $base_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList"; - -# First, get profile info - my $key_path = $base_path."\\Profiles"; - my $key; - my %nl; # hash of hashes to hold data - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - $nl{$name}{LastWrite} = $s->get_timestamp(); - eval { - $nl{$name}{ProfileName} = $s->get_value("ProfileName")->get_data(); - $nl{$name}{Description} = $s->get_value("Description")->get_data(); - $nl{$name}{Managed} = $s->get_value("Managed")->get_data(); - - my $create = $s->get_value("DateCreated")->get_data(); - $nl{$name}{DateCreated} = parseDate128($create) if (length($create) == 16); - my $conn = $s->get_value("DateLastConnected")->get_data(); - $nl{$name}{DateLastConnected} = 
parseDate128($conn) if (length($conn) == 16); - -# $nl{$name}{NameType} = $s->get_value("ProfileName")->get_data(); - }; - } - -# Get additional information from the Signatures subkey - $key_path = $base_path."\\Signatures\\Managed"; - if ($key = $root_key->get_subkey($key_path)) { - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - eval { - my $prof = $s->get_value("ProfileGuid")->get_data(); - my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6); - my $mac = uc(unpack("H*",$tmp)); - my @t = split(//,$mac); - $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3]. - "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; - }; - } - } - } - - $key_path = $base_path."\\Signatures\\Unmanaged"; - if ($key = $root_key->get_subkey($key_path)) { - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - eval { - my $prof = $s->get_value("ProfileGuid")->get_data(); - my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6); - my $mac = uc(unpack("H*",$tmp)); - my @t = split(//,$mac); - $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3]. - "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; - }; - } - } - } - -# Now, display the information - foreach my $n (keys %nl) { - my $str = sprintf "%-15s Gateway Mac: ".$nl{$n}{DefaultGatewayMac},$nl{$n}{ProfileName}; - ::rptMsg($nl{$n}{ProfileName}); - ::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." UTC"); - ::rptMsg(" DateLastConnected: ".$nl{$n}{DateLastConnected}); - ::rptMsg(" DateCreated : ".$nl{$n}{DateCreated}); - ::rptMsg(" DefaultGatewayMac: ".$nl{$n}{DefaultGatewayMac}); - ::rptMsg(""); - } - - } - else { - ::rptMsg($key_path." has not subkeys"); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - - - -sub parseDate128 { - my $date = $_[0]; - my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul", - "Aug","Sep","Oct","Nov","Dec"); - my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat"); - my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date); - $hr = "0".$hr if ($hr < 10); - $min = "0".$min if ($min < 10); - $sec = "0".$sec if ($sec < 10); - my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr; - return $str; -} +#----------------------------------------------------------- +# networklist.pl - Plugin to extract information from the +# NetworkList key, including the MAC address of the default +# gateway +# +# +# Change History: +# 20120917 - updated to include NameType value +# 20090812 - updated code to parse DateCreated and DateLastConnected +# values; modified output, as well +# 20090811 - created +# +# References +# +# copyright 2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package networklist; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120917); + +sub getConfig{return %config} + +sub getShortDescr { + return "Collects network info from Vista+ NetworkList key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %types = (0x47 => "wireless", + 0x06 => "wired", + 0x17 => "broadband (3g)"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching networklist v.".$VERSION); + ::rptMsg("Launching networklist v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $base_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList"; + +# First, get profile info + my $key_path = $base_path."\\Profiles"; + my $key; + my %nl; # hash of 
hashes to hold data + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); + $nl{$name}{LastWrite} = $s->get_timestamp(); + eval { + $nl{$name}{ProfileName} = $s->get_value("ProfileName")->get_data(); + $nl{$name}{Description} = $s->get_value("Description")->get_data(); + $nl{$name}{Managed} = $s->get_value("Managed")->get_data(); + + my $create = $s->get_value("DateCreated")->get_data(); + $nl{$name}{DateCreated} = parseDate128($create) if (length($create) == 16); + my $conn = $s->get_value("DateLastConnected")->get_data(); + $nl{$name}{DateLastConnected} = parseDate128($conn) if (length($conn) == 16); + + $nl{$name}{NameType} = $s->get_value("NameType")->get_data(); + + if (exists $types{$nl{$name}{NameType}}) { + $nl{$name}{Type} = $types{$nl{$name}{NameType}}; + } + else { + $nl{$name}{Type} = $nl{$name}{NameType}; + } + + }; + } + +# Get additional information from the Signatures subkey + $key_path = $base_path."\\Signatures\\Managed"; + if ($key = $root_key->get_subkey($key_path)) { + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + eval { + my $prof = $s->get_value("ProfileGuid")->get_data(); + my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6); + my $mac = uc(unpack("H*",$tmp)); + my @t = split(//,$mac); + $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3]. 
+ "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; + }; + } + } + } + + $key_path = $base_path."\\Signatures\\Unmanaged"; + if ($key = $root_key->get_subkey($key_path)) { + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + eval { + my $prof = $s->get_value("ProfileGuid")->get_data(); + my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6); + my $mac = uc(unpack("H*",$tmp)); + my @t = split(//,$mac); + $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3]. + "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; + }; + } + } + } + +# Now, display the information + foreach my $n (keys %nl) { + my $str = sprintf "%-15s Gateway Mac: ".$nl{$n}{DefaultGatewayMac},$nl{$n}{ProfileName}; + ::rptMsg($nl{$n}{ProfileName}); + ::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." UTC"); + ::rptMsg(" DateLastConnected: ".$nl{$n}{DateLastConnected}); + ::rptMsg(" DateCreated : ".$nl{$n}{DateCreated}); + ::rptMsg(" DefaultGatewayMac: ".$nl{$n}{DefaultGatewayMac}); + ::rptMsg(" Type : ".$nl{$n}{Type}); + ::rptMsg(""); + } + + } + else { + ::rptMsg($key_path." has not subkeys"); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + + + +sub parseDate128 { + my $date = $_[0]; + my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul", + "Aug","Sep","Oct","Nov","Dec"); + my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat"); + my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date); + $hr = "0".$hr if ($hr < 10); + $min = "0".$min if ($min < 10); + $sec = "0".$sec if ($sec < 10); + my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr; + return $str; +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/networklist_tln.pl b/RecentActivity/release/rr-full/plugins/networklist_tln.pl new file mode 100755 index 0000000000..8d416bf4ff --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/networklist_tln.pl 
@@ -0,0 +1,155 @@ +#----------------------------------------------------------- +# networklist_tln.pl - Plugin to extract information from the +# NetworkList key, including the MAC address of the default +# gateway +# +# +# Change History: +# 20120608 - updated from networklist.pl to add TLN output +# 20090812 - updated code to parse DateCreated and DateLastConnected +# values; modified output, as well +# 20090811 - created +# +# References +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package networklist_tln; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120608); + +sub getConfig{return %config} + +sub getShortDescr { + return "Collects network info from NetworkList key (TLN)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my %types = (0x47 => "wireless", + 0x06 => "wired", + 0x17 => "broadband (3g)"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching networklist_tln v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $base_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList"; + +# First, get profile info + my $key_path = $base_path."\\Profiles"; + my $key; + my %nl; # hash of hashes to hold data + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); + + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); + $nl{$name}{LastWrite} = $s->get_timestamp(); + eval { + $nl{$name}{ProfileName} = $s->get_value("ProfileName")->get_data(); + $nl{$name}{Description} = $s->get_value("Description")->get_data(); + $nl{$name}{Managed} = $s->get_value("Managed")->get_data(); + + my $create = 
$s->get_value("DateCreated")->get_data(); + $nl{$name}{DateCreated} = parseDate128($create) if (length($create) == 16); + my $conn = $s->get_value("DateLastConnected")->get_data(); + $nl{$name}{DateLastConnected} = parseDate128($conn) if (length($conn) == 16); + +# $nl{$name}{NameType} = $s->get_value("ProfileName")->get_data(); + + $nl{$name}{NameType} = $s->get_value("NameType")->get_data(); + + if (exists $types{$nl{$name}{NameType}}) { + $nl{$name}{Type} = $types{$nl{$name}{NameType}}; + } + else { + $nl{$name}{Type} = $nl{$name}{NameType}; + } + }; + } + +# Get additional information from the Signatures subkey + $key_path = $base_path."\\Signatures\\Managed"; + if ($key = $root_key->get_subkey($key_path)) { + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + eval { + my $prof = $s->get_value("ProfileGuid")->get_data(); + my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6); + my $mac = uc(unpack("H*",$tmp)); + my @t = split(//,$mac); + $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3]. + "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; + }; + } + } + } + + $key_path = $base_path."\\Signatures\\Unmanaged"; + if ($key = $root_key->get_subkey($key_path)) { + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + eval { + my $prof = $s->get_value("ProfileGuid")->get_data(); + my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6); + my $mac = uc(unpack("H*",$tmp)); + my @t = split(//,$mac); + $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3]. + "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; + }; + } + } + } + +# Now, display the information + foreach my $n (keys %nl) { + my $str = sprintf "%-15s Gateway Mac: ".$nl{$n}{DefaultGatewayMac},$nl{$n}{ProfileName}; +# ::rptMsg($nl{$n}{ProfileName}); +# ::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." 
UTC"); +# ::rptMsg(" DateLastConnected: ".$nl{$n}{DateLastConnected}); +# ::rptMsg(" DateCreated : ".$nl{$n}{DateCreated}); +# ::rptMsg(" DefaultGatewayMac: ".$nl{$n}{DefaultGatewayMac}); +# ::rptMsg(""); + + ::rptMsg($nl{$n}{LastWrite}."|REG|||[".$nl{$n}{Type}." Connect] - Last Connected to ".$nl{$n}{ProfileName}." (".$nl{$n}{DefaultGatewayMac}.")"); + } + } + else { +# ::rptMsg($key_path." has not subkeys"); + } + } + else { +# ::rptMsg($key_path." not found."); + } +} + +sub parseDate128 { + my $date = $_[0]; + my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul", + "Aug","Sep","Oct","Nov","Dec"); + my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat"); + my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date); + $hr = "0".$hr if ($hr < 10); + $min = "0".$min if ($min < 10); + $sec = "0".$sec if ($sec < 10); + my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr; + return $str; +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/networkuid.pl b/RecentActivity/release/rr-full/plugins/networkuid.pl old mode 100644 new mode 100755 similarity index 89% rename from thirdparty/rr/plugins/networkuid.pl rename to RecentActivity/release/rr-full/plugins/networkuid.pl index 7a457e111f..a8ceea9dc0 --- a/thirdparty/rr/plugins/networkuid.pl +++ b/RecentActivity/release/rr-full/plugins/networkuid.pl 
@@ -1,57 +1,59 @@ -#----------------------------------------------------------- -# networkuid.pl -# Gets UID value from Network key -# -# References -# http://blogs.technet.com/mmpc/archive/2010/03/11/got-zbot.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package networkuid; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100312); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets Network key UID value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching networkuid v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Network"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())); - ::rptMsg(""); - - eval { - my $uid = $key->get_value("UID")->get_data(); - ::rptMsg("UID value = ".$uid); - }; - ::rptMsg("UID value not found.") if ($@); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# networkuid.pl +# Gets UID value from Network key +# +# References +# http://blogs.technet.com/mmpc/archive/2010/03/11/got-zbot.aspx +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package networkuid; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100312); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets Network key UID value"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching networkuid v.".$VERSION); + ::rptMsg("networkuid v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Network"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())); + ::rptMsg(""); + + eval { + my $uid = $key->get_value("UID")->get_data(); + ::rptMsg("UID value = ".$uid); + }; + ::rptMsg("UID value not found.") if ($@); + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/nic.pl b/RecentActivity/release/rr-full/plugins/nic.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/nic.pl rename to RecentActivity/release/rr-full/plugins/nic.pl index f176150a92..a8d095d448 --- a/thirdparty/rr/plugins/nic.pl +++ b/RecentActivity/release/rr-full/plugins/nic.pl 
@@ -1,80 +1,82 @@ -#----------------------------------------------------------- -# nic.pl -# -# -# Change history -# 20100401 - created -# -# References -# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx -# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package nic; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100401); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets NIC info from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %nics; - my $ccs; - ::logMsg("Launching nic v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - eval { - $current = $root_key->get_subkey("Select")->get_value("Current")->get_data(); - }; - my @nics; - my $key_path = "ControlSet00".$current."\\Services"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @svcs = $key->get_list_of_subkeys(); - foreach my $s (@svcs) { - push(@nics,$s) if ($s->get_name() =~ m/^{/); - } - foreach my $n (@nics) { - eval { - my @vals = $n->get_subkey("Parameters\\Tcpip")->get_list_of_values(); - ::rptMsg("Adapter: ".$n->get_name()); - ::rptMsg("LastWrite Time: ".gmtime($n->get_timestamp())." Z"); - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2"); - $data = gmtime($data)." 
Z" if ($name =~ m/Time$/); - - ::rptMsg(sprintf " %-20s %-20s",$name,$data); - - } - ::rptMsg(""); - }; - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# nic.pl +# +# +# Change history +# 20100401 - created +# +# References +# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx +# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package nic; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100401); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets NIC info from System hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %nics; + my $ccs; + ::logMsg("Launching nic v.".$VERSION); + ::rptMsg("nic v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + eval { + $current = $root_key->get_subkey("Select")->get_value("Current")->get_data(); + }; + my @nics; + my $key_path = "ControlSet00".$current."\\Services"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @svcs = $key->get_list_of_subkeys(); + foreach my $s (@svcs) { + push(@nics,$s) if ($s->get_name() =~ m/^{/); + } + foreach my $n (@nics) { + eval { + my @vals = $n->get_subkey("Parameters\\Tcpip")->get_list_of_values(); + ::rptMsg("Adapter: ".$n->get_name()); + ::rptMsg("LastWrite Time: ".gmtime($n->get_timestamp())." 
Z"); + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); + $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2"); + $data = gmtime($data)." Z" if ($name =~ m/Time$/); + + ::rptMsg(sprintf " %-20s %-20s",$name,$data); + + } + ::rptMsg(""); + }; + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/nic2.pl b/RecentActivity/release/rr-full/plugins/nic2.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/nic2.pl rename to RecentActivity/release/rr-full/plugins/nic2.pl index 44d4d8099a..0585e9f39e --- a/thirdparty/rr/plugins/nic2.pl +++ b/RecentActivity/release/rr-full/plugins/nic2.pl 
@@ -1,80 +1,82 @@ -#----------------------------------------------------------- -# nic2.pl -# -# -# Change history -# 20100401 - created -# -# References -# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx -# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package nic2; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100401); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets NIC info from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %nics; - my $ccs; - ::logMsg("Launching nic v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - eval { - $current = $root_key->get_subkey("Select")->get_value("Current")->get_data(); - }; - my @nics; - my $key_path = "ControlSet00".$current."\\Services\\Tcpip\\Parameters\\Interfaces"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @guids = $key->get_list_of_subkeys(); - if (scalar @guids > 0) { - foreach my $g (@guids) { - ::rptMsg("Adapter: ".$g->get_name()); - ::rptMsg("LastWrite Time: ".gmtime($g->get_timestamp())." Z"); - eval { - my @vals = $g->get_list_of_values(); - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2"); - $data = gmtime($data)." 
Z" if ($name =~ m/Time$/); - ::rptMsg(sprintf " %-28s %-20s",$name,$data); - } - ::rptMsg(""); - }; - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# nic2.pl +# +# +# Change history +# 20100401 - created +# +# References +# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx +# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package nic2; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100401); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets NIC info from System hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %nics; + my $ccs; + ::logMsg("Launching nic2 v.".$VERSION); + ::rptMsg("nic2 v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + eval { + $current = $root_key->get_subkey("Select")->get_value("Current")->get_data(); + }; + my @nics; + my $key_path = "ControlSet00".$current."\\Services\\Tcpip\\Parameters\\Interfaces"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @guids = $key->get_list_of_subkeys(); + if (scalar @guids > 0) { + foreach my $g (@guids) { + ::rptMsg("Adapter: ".$g->get_name()); + ::rptMsg("LastWrite Time: ".gmtime($g->get_timestamp())." 
Z"); + eval { + my @vals = $g->get_list_of_values(); + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); + $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2"); + $data = gmtime($data)." Z" if ($name =~ m/Time$/); + ::rptMsg(sprintf " %-28s %-20s",$name,$data); + } + ::rptMsg(""); + }; + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/nic_mst2.pl b/RecentActivity/release/rr-full/plugins/nic_mst2.pl old mode 100644 new mode 100755 similarity index 94% rename from thirdparty/rr/plugins/nic_mst2.pl rename to RecentActivity/release/rr-full/plugins/nic_mst2.pl index 36c98b4270..25f8fbecb3 --- a/thirdparty/rr/plugins/nic_mst2.pl +++ b/RecentActivity/release/rr-full/plugins/nic_mst2.pl 
@@ -1,148 +1,150 @@ -#----------------------------------------------------------- -# nic_mst2.pl -# Plugin for Registry Ripper; Get information on network -# interfaces from the System hive file - start with the -# Control\Network GUID subkeys...within the Connection key, -# look for MediaSubType == 2, and maintain a list of GUIDs. -# Then go over to the Services\Tcpip\Parameters\Interfaces -# key and get the IP configurations for each of the interface -# GUIDs -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/555382 -# http://support.microsoft.com/kb/894564 -# http://support.microsoft.com/kb/899868 -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package nic_mst2; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets NICs from System hive; looks for MediaType = 2"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %nics; - my $ccs; - ::logMsg("Launching nic_mst2 v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"; - my $nw; - if ($nw = $root_key->get_subkey($nw_path)) { - ::rptMsg("Network key"); - ::rptMsg($nw_path); -# Get all of the subkey names - my @sk = $nw->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - 
foreach my $s (@sk) { - my $name = $s->get_name(); - next if ($name eq "Descriptions"); - if (my $conn = $nw->get_subkey($name."\\Connection")) { - my %conn_vals; - my @vals = $conn->get_list_of_values(); - map{$conn_vals{$_->get_name()} = $_->get_data()}@vals; -# See what the active NICs were on the system; "active" based on PnpInstanceID having -# a string value -# Get the GUID of the interface, the name, and the LastWrite time of the Connection -# key - if (exists $conn_vals{PnpInstanceID} && $conn_vals{PnpInstanceID} ne "") { - $nics{$name}{Name} = $conn_vals{Name}; - $nics{$name}{LastWrite} = $conn->get_timestamp(); - } - } - } - - } - else { - ::rptMsg($nw_path." has no subkeys."); - } - } - else { - ::rptMsg($nw_path." could not be found."); - } - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); -# access the Tcpip Services key to get the IP address information - if (scalar(keys %nics) > 0) { - my $key_path = $ccs."\\Services\\Tcpip\\Parameters\\Interfaces"; - if ($key = $root_key->get_subkey($key_path)) { - my %guids; - ::rptMsg($key_path); - ::rptMsg("LastWrite time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); -# Dump the names of the subkeys under Parameters\Interfaces into a hash - my @sk = $key->get_list_of_subkeys(); - map{$guids{$_->get_name()} = 1}(@sk); - - foreach my $n (keys %nics) { - if (exists $guids{$n}) { - my $if = $key->get_subkey($n); - ::rptMsg("Interface ".$n); - ::rptMsg("Name: ".$nics{$n}{Name}); - ::rptMsg("Control\\Network key LastWrite time ".gmtime($nics{$n}{LastWrite})." (UTC)"); - ::rptMsg("Services\\Tcpip key LastWrite time ".gmtime($if->get_timestamp())." 
(UTC)"); - - my @vals = $if->get_list_of_values; - my %ip; - map{$ip{$_->get_name()} = $_->get_data()}@vals; - - if (exists $ip{EnableDHCP} && $ip{EnableDHCP} == 1) { - ::rptMsg("\tDhcpDomain = ".$ip{DhcpDomain}); - ::rptMsg("\tDhcpIPAddress = ".$ip{DhcpIPAddress}); - ::rptMsg("\tDhcpSubnetMask = ".$ip{DhcpSubnetMask}); - ::rptMsg("\tDhcpNameServer = ".$ip{DhcpNameServer}); - ::rptMsg("\tDhcpServer = ".$ip{DhcpServer}); - } - else { - ::rptMsg("\tIPAddress = ".$ip{IPAddress}); - ::rptMsg("\tSubnetMask = ".$ip{SubnetMask}); - ::rptMsg("\tDefaultGateway = ".$ip{DefaultGateway}); - } - - } - else { - ::rptMsg("Interface ".$n." not found in the ".$key_path." key."); - } - ::rptMsg(""); - } - } - } - else { - ::rptMsg("No active network interface cards were found."); - ::logMsg("No active network interface cards were found."); - } -} +#----------------------------------------------------------- +# nic_mst2.pl +# Plugin for Registry Ripper; Get information on network +# interfaces from the System hive file - start with the +# Control\Network GUID subkeys...within the Connection key, +# look for MediaSubType == 2, and maintain a list of GUIDs. +# Then go over to the Services\Tcpip\Parameters\Interfaces +# key and get the IP configurations for each of the interface +# GUIDs +# +# Change history +# +# +# References +# http://support.microsoft.com/kb/555382 +# http://support.microsoft.com/kb/894564 +# http://support.microsoft.com/kb/899868 +# +# copyright 2008 H. 
Carvey +#----------------------------------------------------------- +package nic_mst2; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets NICs from System hive; looks for MediaType = 2"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %nics; + my $ccs; + ::logMsg("Launching nic_mst2 v.".$VERSION); + ::rptMsg("nic_mst2 v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"; + my $nw; + if ($nw = $root_key->get_subkey($nw_path)) { + ::rptMsg("Network key"); + ::rptMsg($nw_path); +# Get all of the subkey names + my @sk = $nw->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); + next if ($name eq "Descriptions"); + if (my $conn = $nw->get_subkey($name."\\Connection")) { + my %conn_vals; + my @vals = $conn->get_list_of_values(); + map{$conn_vals{$_->get_name()} = $_->get_data()}@vals; +# See what the active NICs were on the system; "active" based on PnpInstanceID having +# a string value +# Get the GUID of the interface, the name, and the LastWrite time of the Connection +# key + if (exists $conn_vals{PnpInstanceID} && $conn_vals{PnpInstanceID} ne "") { + $nics{$name}{Name} 
= $conn_vals{Name}; + $nics{$name}{LastWrite} = $conn->get_timestamp(); + } + } + } + + } + else { + ::rptMsg($nw_path." has no subkeys."); + } + } + else { + ::rptMsg($nw_path." could not be found."); + } + } + else { + ::rptMsg($key_path." not found."); + } + ::rptMsg(""); +# access the Tcpip Services key to get the IP address information + if (scalar(keys %nics) > 0) { + my $key_path = $ccs."\\Services\\Tcpip\\Parameters\\Interfaces"; + if ($key = $root_key->get_subkey($key_path)) { + my %guids; + ::rptMsg($key_path); + ::rptMsg("LastWrite time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); +# Dump the names of the subkeys under Parameters\Interfaces into a hash + my @sk = $key->get_list_of_subkeys(); + map{$guids{$_->get_name()} = 1}(@sk); + + foreach my $n (keys %nics) { + if (exists $guids{$n}) { + my $if = $key->get_subkey($n); + ::rptMsg("Interface ".$n); + ::rptMsg("Name: ".$nics{$n}{Name}); + ::rptMsg("Control\\Network key LastWrite time ".gmtime($nics{$n}{LastWrite})." (UTC)"); + ::rptMsg("Services\\Tcpip key LastWrite time ".gmtime($if->get_timestamp())." (UTC)"); + + my @vals = $if->get_list_of_values; + my %ip; + map{$ip{$_->get_name()} = $_->get_data()}@vals; + + if (exists $ip{EnableDHCP} && $ip{EnableDHCP} == 1) { + ::rptMsg("\tDhcpDomain = ".$ip{DhcpDomain}); + ::rptMsg("\tDhcpIPAddress = ".$ip{DhcpIPAddress}); + ::rptMsg("\tDhcpSubnetMask = ".$ip{DhcpSubnetMask}); + ::rptMsg("\tDhcpNameServer = ".$ip{DhcpNameServer}); + ::rptMsg("\tDhcpServer = ".$ip{DhcpServer}); + } + else { + ::rptMsg("\tIPAddress = ".$ip{IPAddress}); + ::rptMsg("\tSubnetMask = ".$ip{SubnetMask}); + ::rptMsg("\tDefaultGateway = ".$ip{DefaultGateway}); + } + + } + else { + ::rptMsg("Interface ".$n." not found in the ".$key_path." key."); + } + ::rptMsg(""); + } + } + } + else { + ::rptMsg("No active network interface cards were found."); + ::logMsg("No active network interface cards were found."); + } +} 1; \ No newline at end of file 
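Review bot: On the new side, `$current = $key->get_value("Current")->get_data();` still chains `get_data()` onto whatever `get_value` returns, so a Select key without a `Current` value makes the plugin die mid-run instead of reporting; the sibling nic2.pl in this same commit wraps the identical lookup in `eval {}`, and the short fix here is `my $cur = $key->get_value("Current"); if (defined $cur) { $current = $cur->get_data();` with an `else { ::rptMsg("Select\\Current value not found."); }` branch. The header comment also says the plugin looks for `MediaSubType == 2`, but the code decides "active" solely on `PnpInstanceID` being non-empty and never reads MediaSubType; the comment block should say `# "active" is decided by a non-empty PnpInstanceID value; MediaSubType is not consulted` so the report's semantics are not misread. The same unguarded `Current` lookup appears in nolmhash.pl below.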
diff --git a/thirdparty/rr/plugins/nolmhash.pl b/RecentActivity/release/rr-full/plugins/nolmhash.pl old mode 100644 new mode 100755 similarity index 89% rename from thirdparty/rr/plugins/nolmhash.pl rename to RecentActivity/release/rr-full/plugins/nolmhash.pl index 94f253e63d..f5b25569c8 --- a/thirdparty/rr/plugins/nolmhash.pl +++ b/RecentActivity/release/rr-full/plugins/nolmhash.pl 
@@ -1,74 +1,76 @@ -#----------------------------------------------------------- -# nolmhash.pl -# Gets NoLMHash value -# -# Change history -# 20100712 - created -# -# References -# http://support.microsoft.com/kb/299656 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package nolmhash; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100712); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets NoLMHash value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching lsa v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my ($current,$ccs); - my $sel_path = 'Select'; - my $sel; - if ($sel = $root_key->get_subkey($sel_path)) { - $current = $sel->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - my $key_path = $ccs."\\Control\\Lsa"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("nolmhash v.".$VERSION); - ::rptMsg($key_path); - ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - my $nolmhash; - eval { - $nolmhash = $key->get_value("NoLMHash")->get_data(); - ::rptMsg("NoLMHash value = ".$nolmhash); - ::rptMsg(""); - ::rptMsg("A value of 1 indicates that LMHashes are not stored in the SAM."); - }; - ::rptMsg("Error occurred getting NoLMHash value: $@") if ($@); - } - else { - ::rptMsg($key_path." not found."); - } - } - else { - ::rptMsg($sel_path." not found."); - ::logMsg($sel_path." 
not found."); - } -} +#----------------------------------------------------------- +# nolmhash.pl +# Gets NoLMHash value +# +# Change history +# 20100712 - created +# +# References +# http://support.microsoft.com/kb/299656 +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package nolmhash; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100712); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets NoLMHash value"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching nolmhash v.".$VERSION); + ::rptMsg("nolmhash v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my ($current,$ccs); + my $sel_path = 'Select'; + my $sel; + if ($sel = $root_key->get_subkey($sel_path)) { + $current = $sel->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + my $key_path = $ccs."\\Control\\Lsa"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("nolmhash v.".$VERSION); + ::rptMsg($key_path); + ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); + ::rptMsg(""); + my $nolmhash; + eval { + $nolmhash = $key->get_value("NoLMHash")->get_data(); + ::rptMsg("NoLMHash value = ".$nolmhash); + ::rptMsg(""); + ::rptMsg("A value of 1 indicates that LMHashes are not stored in the SAM."); + }; + ::rptMsg("Error occurred getting NoLMHash value: $@") if ($@); + } + else { + ::rptMsg($key_path." not found."); + } + } + else { + ::rptMsg($sel_path." 
not found."); + ::logMsg($sel_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/ntuser b/RecentActivity/release/rr-full/plugins/ntuser new file mode 100755 index 0000000000..29d3b0be86 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/ntuser @@ -0,0 +1,105 @@ +# 20120528 *ALL* Plugins that apply on NTUSER hive, alphabetical order +acmru +adoberdr +aim +aports +appcompatflags +applets +appspecific +ares +arpcache +autoendtasks +autorun +bitbucket_user +brisv +cain +ccleaner +clampi +clampitm +comdlg32 +compatassist +compdesc +controlpanel +cpldontload +decaf +dependency_walker +domains +environment +fileexts +filehistory +gthist +gtwhitelist +haven_and_hearth +ie_settings +internet_explorer_cu +internet_settings_cu +javafx +listsoft +liveContactsGUID +load +logon_xp_run +logonusername +mmc +mndmru +mp2 +mpmru +mspaper +muicache +nero +netassist +odysseus +officedocs +officedocs2010 +oisc +osversion +outlook +policies_u +printermru +printers +privoxy +proxysettings +publishingwizard +putty +rdphint +realplayer6 +realvnc +recentdocs +rootkit_revealer +runmru +sevenzip +shellfolders +skype +snapshot_viewer +ssh_host_keys +startmenuinternetapps_cu +startpage +streammru +streams +sysinternals +trustrecords +tsclient +typedpaths +typedurls +typedurlstime +unreadmail +user_run +user_win +userassist +userinfo +userlocsvc +vista_bitbucket +vmplayer +vmware_vsphere_client +vnchooksapplicationprefs +vncviewer +wallpaper +warcraft3 +winlivemail +winlivemsn +winlogon_u +winrar +winscp_sessions +winvnc +winzip +wordwheelquery +yahoo_cu \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/ntusernetwork.pl b/RecentActivity/release/rr-full/plugins/ntusernetwork.pl new file mode 100755 index 0000000000..03101097ea --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/ntusernetwork.pl 
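Review bot: The banner added at the top of pluginmain, `::rptMsg("nolmhash v.".$VERSION);`, duplicates the `::rptMsg("nolmhash v.".$VERSION);` that is still emitted inside the `if ($key = $root_key->get_subkey($key_path))` branch, so the report now carries the version line twice whenever the Lsa key exists; drop the inner one. When the `NoLMHash` value is absent, the `get_value("NoLMHash")->get_data()` call dies inside the `eval` and the report shows `Error occurred getting NoLMHash value: Can't call method ...`, which presents a meaningful configuration state as a parser error; test `defined` first and print `::rptMsg("NoLMHash value not found in ".$key_path.".");` in that case so the examiner can tell "value absent" from "hive unreadable". The `Select\Current` lookup is unguarded as well, as noted on nic_mst2.pl above.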
@@ -0,0 +1,65 @@ +#----------------------------------------------------------- +# ntusernetwork.pl +# Plugin for Registry Ripper, +# Network key parser +# +#----------------------------------------------------------- +package ntusernetwork; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20110601); + +sub getConfig{return %config} +sub getShortDescr { + return "Returns contents of user's Network subkeys"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching ntusernetwork v.".$VERSION); + ::rptMsg("ntusernetwork v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Network'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $s (@subkeys) { + ::rptMsg($key_path."\\".$s->get_name()); + ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())); + my @vals = $s->get_list_of_values(); + if (scalar @vals > 0) { + foreach my $v (@vals) { + ::rptMsg(sprintf " %-15s %-25s",$v->get_name(),$v->get_data()); + } + ::rptMsg(""); + } + } + } + else { + ::rptMsg($key_path." key has no subkeys."); + } + } + else { + ::rptMsg($key_path." key not found."); + } +} +1; diff --git a/RecentActivity/release/rr-full/plugins/odysseus.pl b/RecentActivity/release/rr-full/plugins/odysseus.pl new file mode 100755 index 0000000000..59566cdc96 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/odysseus.pl 
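Review bot: The banner line `::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");` reaches into `%config` directly while every other plugin touched by this commit goes through `getHive()`; use `::rptMsg("(".getHive().") ".getShortDescr()."\n");` so the banner code is uniform and the accessor stays the single point of truth. The file header also lacks the `# Change history` and `# References` sections the neighbouring plugins carry; a one-line `# 20110601 - created` entry would match the `version => 20110601` field. The `sprintf " %-15s %-25s",$v->get_name(),$v->get_data()` line presumably writes raw bytes into the report for non-string value types — worth confirming against Parse::Win32Registry's `get_data` behaviour and, if so, switching to `get_data_as_string()`.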
@@ -0,0 +1,114 @@ +#----------------------------------------------------------- +# odysseus.pl +# Extract registry keys for Odysseus by bindshell.net +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# http://blogs.technet.com/b/markrussinovich/archive/2011/03/08/3392087.aspx +# +# copyright (c) 2011-02-02 Brendan Coles +#----------------------------------------------------------- +# Require # +package odysseus; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 1, + hasRefs => 1, + osmask => 22, + version => 20110202); +my $VERSION = getVersion(); + +# Functions # +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extract registry keys for Odysseus by bindshell.net."; +} +sub getDescr { + return 'Extracts the following registry keys for Odysseus by'. + ' bindshell.net : "ProxyUpstreamHost","ProxyUpstreamPort",'. 
+ '"ProxyPort","ServerCert","ServerCertPass"'; +} +sub getRefs { + my %refs = ("Odysseus Homepage:" => + "http://www.bindshell.net/tools/odysseus"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + my @interesting_keys = ( + "ProxyUpstreamHost", + "ProxyUpstreamPort", + "ProxyPort", + "ServerCert", + "ServerCertPass" + ); + + # Initialize # + ::logMsg("Launching odysseus v.".$VERSION); + ::rptMsg("odysseus v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\bindshell.net\\Odysseus"; + + # If # odysseus path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("Odysseus"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + # Extract # all keys from Odysseus registry path # + my %keys; + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for Odysseus registry path # + foreach my $v (@vals) { + $keys{$v->get_name()} = $v->get_data(); + } + + # Return # all key names+values for interesting keys # + foreach my $var (@interesting_keys) { + if (exists $keys{$var}) { + ::rptMsg($var." -> ".$keys{$var}); + } + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # Odysseus isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; 
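Review bot: `::rptMsg($var." -> ".$keys{$var});` prints every listed value verbatim, and `ServerCertPass` is, by its name, the password protecting the proxy's server certificate, so the generated report carries a stored credential in clear text; since RegRipper reports are routinely shared beyond the examiner who ran them, consider printing that value as `"<present, not displayed>"` or at least adding a header line `# NOTE: ServerCertPass output is a stored credential; treat the report accordingly`. Separately, `getDescr` and the header describe these as "registry keys" although they are values under the single `Software\bindshell.net\Odysseus` key; `Extracts the following registry values for Odysseus` is the accurate wording. The change history records the 20110830 banner addition while `version` stays `20110202`, which is the author's stated choice but worth a `# version intentionally unchanged` note so it is not "fixed" later.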
diff --git a/thirdparty/rr/plugins/officedocs.pl b/RecentActivity/release/rr-full/plugins/officedocs.pl old mode 100644 new mode 100755 similarity index 94% rename from thirdparty/rr/plugins/officedocs.pl rename to RecentActivity/release/rr-full/plugins/officedocs.pl index 8182a3d177..523252cf05 --- a/thirdparty/rr/plugins/officedocs.pl +++ b/RecentActivity/release/rr-full/plugins/officedocs.pl 
@@ -1,145 +1,147 @@ -#----------------------------------------------------------- -# officedocs.pl -# Plugin for Registry Ripper -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package officedocs; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's Office doc MRU keys"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching officedocs v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("officedocs v.".$VERSION); -# First, let's find out which version of Office is installed - my $version; - my $tag = 0; - my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0"); - foreach my $ver (@versions) { - my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Open Find"; - if (defined($root_key->get_subkey($key_path))) { - $version = $ver; - $tag = 1; - } - } - - if ($tag) { - ::rptMsg("MSOffice version ".$version." located."); - my $key_path = "Software\\Microsoft\\Office\\".$version; - my $of_key = $root_key->get_subkey($key_path); - if ($of_key) { -# Attempt to retrieve Word docs - my @funcs = ("Open","Save As","File Save"); - foreach my $func (@funcs) { - my $word = "Common\\Open Find\\Microsoft Office Word\\Settings\\".$func."\\File Name MRU"; - my $word_key = $of_key->get_subkey($word); - if ($word_key) { - ::rptMsg($word); - ::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - my $value = $word_key->get_value("Value")->get_data(); - my @data = split(/\00/,$value); - map{::rptMsg("$_");}@data; - } - else { -# ::rptMsg("Could not access ".$word); - } - ::rptMsg(""); - } -# Attempt to retrieve Excel docs - my $excel = 'Excel\\Recent Files'; - if (my $excel_key = $of_key->get_subkey($excel)) { - ::rptMsg($key_path."\\".$excel); - ::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)"); - my @vals = $excel_key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path.$excel." has no values."); - } - } - else { - ::rptMsg($key_path.$excel." not found."); - } - ::rptMsg(""); -# Attempt to retrieve PowerPoint docs - my $ppt = 'PowerPoint\\Recent File List'; - if (my $ppt_key = $of_key->get_subkey($ppt)) { - ::rptMsg($key_path."\\".$ppt); - ::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)"); - my @vals = $ppt_key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path."\\".$ppt." has no values."); - } - } - else { - ::rptMsg($key_path."\\".$ppt." 
not found."); - } - } - else { - ::rptMsg("Could not access ".$key_path); - ::logMsg("Could not access ".$key_path); - } - } - else { - ::logMsg("MSOffice version not found."); - ::rptMsg("MSOffice version not found."); - } -} - +#----------------------------------------------------------- +# officedocs.pl +# Plugin for Registry Ripper +# +# Change history +# +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package officedocs; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's Office doc MRU keys"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching officedocs v.".$VERSION); + ::rptMsg("officedocs v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + ::rptMsg("officedocs v.".$VERSION); +# First, let's find out which version of Office is installed + my $version; + my $tag = 0; + my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0"); + foreach my $ver (@versions) { + my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Open Find"; + if (defined($root_key->get_subkey($key_path))) { + $version = $ver; + $tag = 1; + } + } + + if ($tag) { + ::rptMsg("MSOffice version ".$version." 
located."); + my $key_path = "Software\\Microsoft\\Office\\".$version; + my $of_key = $root_key->get_subkey($key_path); + if ($of_key) { +# Attempt to retrieve Word docs + my @funcs = ("Open","Save As","File Save"); + foreach my $func (@funcs) { + my $word = "Common\\Open Find\\Microsoft Office Word\\Settings\\".$func."\\File Name MRU"; + my $word_key = $of_key->get_subkey($word); + if ($word_key) { + ::rptMsg($word); + ::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my $value = $word_key->get_value("Value")->get_data(); + my @data = split(/\00/,$value); + map{::rptMsg("$_");}@data; + } + else { +# ::rptMsg("Could not access ".$word); + } + ::rptMsg(""); + } +# Attempt to retrieve Excel docs + my $excel = 'Excel\\Recent Files'; + if (my $excel_key = $of_key->get_subkey($excel)) { + ::rptMsg($key_path."\\".$excel); + ::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)"); + my @vals = $excel_key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %files; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + my $tag = (split(/File/,$val))[1]; + $files{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %files) { + my ($val,$data) = split(/:/,$files{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path.$excel." has no values."); + } + } + else { + ::rptMsg($key_path.$excel." not found."); + } + ::rptMsg(""); +# Attempt to retrieve PowerPoint docs + my $ppt = 'PowerPoint\\Recent File List'; + if (my $ppt_key = $of_key->get_subkey($ppt)) { + ::rptMsg($key_path."\\".$ppt); + ::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." 
(UTC)"); + my @vals = $ppt_key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %files; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + my $tag = (split(/File/,$val))[1]; + $files{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %files) { + my ($val,$data) = split(/:/,$files{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path."\\".$ppt." has no values."); + } + } + else { + ::rptMsg($key_path."\\".$ppt." not found."); + } + } + else { + ::rptMsg("Could not access ".$key_path); + ::logMsg("Could not access ".$key_path); + } + } + else { + ::logMsg("MSOffice version not found."); + ::rptMsg("MSOffice version not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/officedocs2010.pl b/RecentActivity/release/rr-full/plugins/officedocs2010.pl new file mode 100755 index 0000000000..381bd8de0c --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/officedocs2010.pl 
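Review bot: The new banner `::rptMsg("officedocs v.".$VERSION);` is immediately followed by the retained `::rptMsg("officedocs v.".$VERSION);` after `$root_key`, so the version line is printed twice; officedocs2010.pl in this same commit comments out that second line as redundant, and this file should do the same. The Excel branch builds its error messages as `$key_path.$excel." has no values."` and `$key_path.$excel." not found."` without the `"\\"` separator that the PowerPoint branch and the Excel header line `$key_path."\\".$excel` use, producing a malformed path like `...\14.0Excel\Recent Files`; change both to `$key_path."\\".$excel`. The Word loop's `my $value = $word_key->get_value("Value")->get_data();` is also unguarded, so a File Name MRU key lacking a `Value` value aborts the whole plugin before the Excel and PowerPoint sections are reported; a `defined` check with a `::rptMsg($word." has no Value entry.")` fallback keeps the run going.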
@@ -0,0 +1,205 @@ +#----------------------------------------------------------- +# officedocs2010.pl +# Plugin to parse Office 2010 MRU entries (Word, Excel, Access, and PowerPoint) +# +# Change history +# 20110901 - updated to remove dependency on the DateTime module +# 20010415 [fpi] * added this banner and change the name from "officedocs" +# to "officedocs2010", since this plugins is little different +# from Harlan's one (merging suggested) +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# copyright 2011 Cameron Howell +# modified 20110901, H. Carvey keydet89@yahoo.com +#----------------------------------------------------------- + +package officedocs2010; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 2011090); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's Office 2010 doc MRU values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getWinTS { + my $data = $_[0]; + my $winTS; + my $dateTime; + (my $prefix, my $suffix) = split(/\*/,$data); + if ($prefix =~ /\[.{9}\]\[T(.{16})\]/) { + $winTS = $1; + my @vals = split(//,$winTS); + my $t0 = join('',@vals[0..7]); + my $t1 = join('',@vals[8..15]); + $dateTime = ::getTime(hex($t1),hex($t0)); + } + return ($suffix ." ". 
gmtime($dateTime)); +} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching officedocs2010 v.".$VERSION); + ::rptMsg("officedocs2010 v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + # ::rptMsg("officedocs v.".$VERSION); # 20110830 [fpi] - redundant + my $tag = 0; + my $key_path = "Software\\Microsoft\\Office\\14.0"; + if (defined($root_key->get_subkey($key_path))) { + $tag = 1; + } + + if ($tag) { + ::rptMsg("MSOffice version 2010 located."); + my $key_path = "Software\\Microsoft\\Office\\14.0"; + my $of_key = $root_key->get_subkey($key_path); + if ($of_key) { +# Attempt to retrieve Word docs + my $word = 'Word\\File MRU'; + if (my $word_key = $of_key->get_subkey($word)) { + ::rptMsg($key_path."\\".$word); + ::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." (UTC)"); + my @vals = $word_key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %files; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + if ($val eq "Max Display") { next; } + my $data = getWinTS($v->get_data()); + my $tag = (split(/Item/,$val))[1]; + $files{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %files) { + my ($val,$data) = split(/:/,$files{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path.$word." has no values."); + } + } + else { + ::rptMsg($key_path.$word." not found."); + } + ::rptMsg(""); +# Attempt to retrieve Excel docs + my $excel = 'Excel\\File MRU'; + if (my $excel_key = $of_key->get_subkey($excel)) { + ::rptMsg($key_path."\\".$excel); + ::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." 
(UTC)"); + my @vals = $excel_key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %files; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + if ($val eq "Max Display") { next; } + my $data = getWinTS($v->get_data()); + my $tag = (split(/Item/,$val))[1]; + $files{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %files) { + my ($val,$data) = split(/:/,$files{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path.$excel." has no values."); + } + } + else { + ::rptMsg($key_path.$excel." not found."); + } + ::rptMsg(""); +# Attempt to retrieve Access docs + my $access = 'Access\\File MRU'; + if (my $access_key = $of_key->get_subkey($access)) { + ::rptMsg($key_path."\\".$access); + ::rptMsg("LastWrite Time ".gmtime($access_key->get_timestamp())." (UTC)"); + my @vals = $access_key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %files; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + if ($val eq "Max Display") { next; } + my $data = getWinTS($v->get_data()); + my $tag = (split(/Item/,$val))[1]; + $files{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %files) { + my ($val,$data) = split(/:/,$files{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path."\\".$access." has no values."); + } + } + else { + ::rptMsg($key_path."\\".$access." not found."); + } + ::rptMsg(""); +# Attempt to retrieve PowerPoint docs + my $ppt = 'PowerPoint\\File MRU'; + if (my $ppt_key = $of_key->get_subkey($ppt)) { + ::rptMsg($key_path."\\".$ppt); + ::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." 
(UTC)"); + my @vals = $ppt_key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %files; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + if ($val eq "Max Display") { next; } + my $data = getWinTS($v->get_data()); + my $tag = (split(/Item/,$val))[1]; + $files{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %files) { + my ($val,$data) = split(/:/,$files{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path."\\".$ppt." has no values."); + } + } + else { + ::rptMsg($key_path."\\".$ppt." not found."); + } + } + else { + ::rptMsg("Could not access ".$key_path); + ::logMsg("Could not access ".$key_path); + } + } + else { + ::logMsg("MSOffice version not found."); + ::rptMsg("MSOffice version not found."); + } +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/officedocs2010_tln.pl b/RecentActivity/release/rr-full/plugins/officedocs2010_tln.pl new file mode 100755 index 0000000000..858f70ef52 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/officedocs2010_tln.pl 
@@ -0,0 +1,179 @@ +#----------------------------------------------------------- +# officedocs2010_tln.pl +# Plugin to parse Office 2010 MRU entries (Word, Excel, Access, and PowerPoint) +# +# Change history +# 20120717 - created from officedocs2010.pl +# 20110901 - updated to remove dependency on the DateTime module +# 20010415 [fpi] * added this banner and change the name from "officedocs" +# to "officedocs2010", since this plugins is little different +# from Harlan's one (merging suggested) +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# copyright 2011 Cameron Howell +# modified 20110901, H. Carvey keydet89@yahoo.com +#----------------------------------------------------------- + +package officedocs2010_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120717); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's Office 2010 doc MRU values; TLN output"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getWinTS { + my $data = $_[0]; + my $winTS; + my $dateTime; + (my $prefix, my $suffix) = split(/\*/,$data); + if ($prefix =~ /\[.{9}\]\[T(.{16})\]/) { + $winTS = $1; + my @vals = split(//,$winTS); + my $t0 = join('',@vals[0..7]); + my $t1 = join('',@vals[8..15]); + $dateTime = ::getTime(hex($t1),hex($t0)); + } +# return ($suffix ." ". 
gmtime($dateTime)); + return ($suffix,$dateTime); +} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching officedocs2010 v.".$VERSION); +# ::rptMsg("officedocs2010 v.".$VERSION); # 20110830 [fpi] + banner +# ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + # ::rptMsg("officedocs v.".$VERSION); # 20110830 [fpi] - redundant + my $tag = 0; + my $key_path = "Software\\Microsoft\\Office\\14.0"; + if (defined($root_key->get_subkey($key_path))) { + $tag = 1; + } + + if ($tag) { +# ::rptMsg("MSOffice version 2010 located."); + my $key_path = "Software\\Microsoft\\Office\\14.0"; + my $of_key = $root_key->get_subkey($key_path); + if ($of_key) { +# Attempt to retrieve Word docs + my $word = 'Word\\File MRU'; + if (my $word_key = $of_key->get_subkey($word)) { +# ::rptMsg($key_path."\\".$word); +# ::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." (UTC)"); + my @vals = $word_key->get_list_of_values(); + if (scalar(@vals) > 0) { +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + if ($val eq "Max Display") { next; } + my ($d0,$d1) = getWinTS($v->get_data()); + ::rptMsg($d1."|REG|||OfficeDocs2010 - ".$d0); + } + } + else { +# ::rptMsg($key_path.$word." has no values."); + } + } + else { +# ::rptMsg($key_path.$word." not found."); + } +# ::rptMsg(""); +# Attempt to retrieve Excel docs + my $excel = 'Excel\\File MRU'; + if (my $excel_key = $of_key->get_subkey($excel)) { +# ::rptMsg($key_path."\\".$excel); +# ::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." 
(UTC)"); + my @vals = $excel_key->get_list_of_values(); + if (scalar(@vals) > 0) { +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + if ($val eq "Max Display") { next; } + my ($d0,$d1) = getWinTS($v->get_data()); + ::rptMsg($d1."|REG|||OfficeDocs2010 - ".$d0); + } + } + else { +# ::rptMsg($key_path.$excel." has no values."); + } + } + else { +# ::rptMsg($key_path.$excel." not found."); + } +# ::rptMsg(""); +# Attempt to retrieve Access docs + my $access = 'Access\\File MRU'; + if (my $access_key = $of_key->get_subkey($access)) { +# ::rptMsg($key_path."\\".$access); +# ::rptMsg("LastWrite Time ".gmtime($access_key->get_timestamp())." (UTC)"); + my @vals = $access_key->get_list_of_values(); + if (scalar(@vals) > 0) { +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + if ($val eq "Max Display") { next; } + my ($d0,$d1) = getWinTS($v->get_data()); + ::rptMsg($d1."|REG|||OfficeDocs2010 - ".$d0); + } + } + else { +# ::rptMsg($key_path."\\".$access." has no values."); + } + } + else { +# ::rptMsg($key_path."\\".$access." not found."); + } +# ::rptMsg(""); +# Attempt to retrieve PowerPoint docs + my $ppt = 'PowerPoint\\File MRU'; + if (my $ppt_key = $of_key->get_subkey($ppt)) { +# ::rptMsg($key_path."\\".$ppt); +# ::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)"); + my @vals = $ppt_key->get_list_of_values(); + if (scalar(@vals) > 0) { +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + if ($val eq "Max Display") { next; } + my ($d0,$d1) = getWinTS($v->get_data()); + ::rptMsg($d1."|REG|||OfficeDocs2010 - ".$d0); + } + } + else { +# ::rptMsg($key_path."\\".$ppt." has no values."); + } + } + else { +# ::rptMsg($key_path."\\".$ppt." 
not found."); + } + } + else { +# ::rptMsg("Could not access ".$key_path); + ::logMsg("Could not access ".$key_path); + } + } + else { + ::logMsg("MSOffice version not found."); +# ::rptMsg("MSOffice version not found."); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/oisc.pl b/RecentActivity/release/rr-full/plugins/oisc.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/oisc.pl rename to RecentActivity/release/rr-full/plugins/oisc.pl index 2ddad06973..af938d8d9b --- a/thirdparty/rr/plugins/oisc.pl +++ b/RecentActivity/release/rr-full/plugins/oisc.pl 
@@ -1,123 +1,125 @@ -#----------------------------------------------------------- -# oisc.pl -# Plugin for Registry Ripper -# -# Change history -# 20091125 - modified by H. Carvey -# 20091110 - created -# -# References -# http://support.microsoft.com/kb/838028 -# http://support.microsoft.com/kb/916658 -# -# Derived from the officeDocs plugin -# copyright 2008-2009 H. Carvey, mangled 2009 M. Tarnawsky -# -# Michael Tarnawsky -# forensics@mialta.com -#----------------------------------------------------------- -package oisc; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091125); - -my %prot = (0 => "Read-only HTTP", - 1 => "WEC to FPSE-enabled web folder", - 2 => "DAV to DAV-ext. web folder"); - -my %types = (0 => "no collaboration", - 1 => "SharePoint Team Server", - 2 => "Exchange 2000 Server", - 3 => "SharePoint Portal 2001 Server", - 4 => "SharePoint 2001 enhanced folder", - 5 => "Windows SharePoint Server/SharePoint Portal 2003 Server"); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's Office Internet Server Cache"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching oisc v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; -# First, let's find out which version of Office is installed - my $version; - my $tag = 0; - my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0"); - foreach my $ver (@versions) { - my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Internet\\Server Cache"; - if (defined($root_key->get_subkey($key_path))) { - $version = $ver; - $tag = 1; - } - } - - if ($tag) { - - my %isc; - - ::rptMsg("MSOffice version ".$version." 
located."); - my $key_path = "Software\\Microsoft\\Office\\".$version."\\Common\\Internet\\Server Cache"; - my $sc_key; - if ($sc_key = $root_key->get_subkey($key_path)) { -# Attempt to retrieve Servers Cache subkeys - my @sc = ($sc_key->get_list_of_subkeys()); - if (scalar(@sc) > 0) { - foreach my $s (@sc) { - my $name = $s->get_name(); - $isc{$name}{lastwrite} = $s->get_timestamp(); - - eval { - my $t = $s->get_value("Type")->get_data(); - (exists $types{$t}) ? ($isc{$name}{type} = $types{$t}) - : ($isc{$name}{type} = $t); - }; - - eval { - my $p = $s->get_value("Protocol")->get_data(); - (exists $prot{$p}) ? ($isc{$name}{protocol} = $prot{$p}) - : ($isc{$name}{protocol} = $p); - }; - - eval { - my @e = unpack("VV",$s->get_value("Expiration")->get_data()); - $isc{$name}{expiry} = ::getTime($e[0],$e[1]); - }; - } - ::rptMsg(""); - foreach my $i (keys %isc) { - ::rptMsg($i); - ::rptMsg(" LastWrite : ".gmtime($isc{$i}{lastwrite})." UTC"); - ::rptMsg(" Expiry : ".gmtime($isc{$i}{expiry})." UTC"); - ::rptMsg(" Protocol : ".$isc{$i}{protocol}); - ::rptMsg(" Type : ".$isc{$i}{type}); - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } - } - else { - ::rptMsg("MSOffice version not found."); - } -} +#----------------------------------------------------------- +# oisc.pl +# Plugin for Registry Ripper +# +# Change history +# 20091125 - modified by H. Carvey +# 20091110 - created +# +# References +# http://support.microsoft.com/kb/838028 +# http://support.microsoft.com/kb/916658 +# +# Derived from the officeDocs plugin +# copyright 2008-2009 H. Carvey, mangled 2009 M. 
Tarnawsky +# +# Michael Tarnawsky +# forensics@mialta.com +#----------------------------------------------------------- +package oisc; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20091125); + +my %prot = (0 => "Read-only HTTP", + 1 => "WEC to FPSE-enabled web folder", + 2 => "DAV to DAV-ext. web folder"); + +my %types = (0 => "no collaboration", + 1 => "SharePoint Team Server", + 2 => "Exchange 2000 Server", + 3 => "SharePoint Portal 2001 Server", + 4 => "SharePoint 2001 enhanced folder", + 5 => "Windows SharePoint Server/SharePoint Portal 2003 Server"); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's Office Internet Server Cache"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching oisc v.".$VERSION); + ::rptMsg("oisc v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; +# First, let's find out which version of Office is installed + my $version; + my $tag = 0; + my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0"); + foreach my $ver (@versions) { + my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Internet\\Server Cache"; + if (defined($root_key->get_subkey($key_path))) { + $version = $ver; + $tag = 1; + } + } + + if ($tag) { + + my %isc; + + ::rptMsg("MSOffice version ".$version." 
located."); + my $key_path = "Software\\Microsoft\\Office\\".$version."\\Common\\Internet\\Server Cache"; + my $sc_key; + if ($sc_key = $root_key->get_subkey($key_path)) { +# Attempt to retrieve Servers Cache subkeys + my @sc = ($sc_key->get_list_of_subkeys()); + if (scalar(@sc) > 0) { + foreach my $s (@sc) { + my $name = $s->get_name(); + $isc{$name}{lastwrite} = $s->get_timestamp(); + + eval { + my $t = $s->get_value("Type")->get_data(); + (exists $types{$t}) ? ($isc{$name}{type} = $types{$t}) + : ($isc{$name}{type} = $t); + }; + + eval { + my $p = $s->get_value("Protocol")->get_data(); + (exists $prot{$p}) ? ($isc{$name}{protocol} = $prot{$p}) + : ($isc{$name}{protocol} = $p); + }; + + eval { + my @e = unpack("VV",$s->get_value("Expiration")->get_data()); + $isc{$name}{expiry} = ::getTime($e[0],$e[1]); + }; + } + ::rptMsg(""); + foreach my $i (keys %isc) { + ::rptMsg($i); + ::rptMsg(" LastWrite : ".gmtime($isc{$i}{lastwrite})." UTC"); + ::rptMsg(" Expiry : ".gmtime($isc{$i}{expiry})." UTC"); + ::rptMsg(" Protocol : ".$isc{$i}{protocol}); + ::rptMsg(" Type : ".$isc{$i}{type}); + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } + } + else { + ::rptMsg("MSOffice version not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/olsearch.pl b/RecentActivity/release/rr-full/plugins/olsearch.pl new file mode 100755 index 0000000000..c603e021c0 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/olsearch.pl 
@@ -0,0 +1,95 @@
+#-----------------------------------------------------------
+# olsearch.pl
+# Get OutLook search MRU
+#
+# Change history
+# 20130124 - created
+#
+# References
+#
+#
+# copyright 2013 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package olsearch;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20130124);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of user's OutLook Searches";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching olsearch v.".$VERSION);
+ ::rptMsg("olsearch v.".$VERSION); # banner
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\0a0d020000000000c000000000000046';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("");
+ my $search;
+ eval {
+ $search = $key->get_value("101f0445")->get_data();
+ my %items = parseSearchMRU($search);
+ ::rptMsg(sprintf "%-4s %-45s","No.","Search Term");
+ foreach my $i (sort keys %items) {
+ ::rptMsg(sprintf "%-4s %-45s",$i,$items{$i});
+
+ }
+ };
+
+ }
+ else {
+ ::rptMsg($key_path." 
not found."); + } +} + +sub parseSearchMRU { + my $data = shift; + my $len = length($data); + my %item; + my @ofs = (); + + my $num = unpack("V",substr($data,0,4)); + +# Ugly kludge to check for 64-bit OutLook; this is ugly b/c it +# won't work if the data is really, really huge...enough to require +# 8 bytes to store the offset to the string + if (unpack("V",substr($data,8,4)) == 0) { + my @o = unpack("V*",substr($data,4,4 * ($num * 2))); + foreach my $i (0..(scalar(@o) - 1)) { + push(@ofs,$o[$i]) if (($i % 2) == 0); + } + } + else { + @ofs = unpack("V*",substr($data,4,4 * $num)); + } + push(@ofs,$len); + + foreach my $i (0..($num - 1)) { + $item{$i} = substr($data,$ofs[$i], $ofs[$i + 1] - $ofs[$i]); + $item{$i} =~ s/\00//g; + } + return %item; +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/osversion.pl b/RecentActivity/release/rr-full/plugins/osversion.pl new file mode 100755 index 0000000000..72765224b9 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/osversion.pl 
@@ -0,0 +1,70 @@
+#-----------------------------------------------------------
+# osversion.pl
+# Plugin to check for OSVersion value, which appears to be queried
+# by some malware, and used by others; getting a response of "OSVersion
+# not found" is a good thing.
+#
+# Change history
+# 20120601 - created
+#
+# References
+# Search Google for "Software\Microsoft\OSVersion" - you'll get several
+# hits that refer to various malware;
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package osversion;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20120601);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Checks for OSVersion value";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching osversion v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("OSVersion");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+ my $os;
+ eval {
+ $os = $key->get_value("OSVersion")->get_data();
+
+ };
+ if ($@) {
+ ::rptMsg("OSVersion value not found.");
+ }
+ else {
+ ::rptMsg("OSVersion = ".$os);
+ }
+
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/osversion_tln.pl b/RecentActivity/release/rr-full/plugins/osversion_tln.pl
new file mode 100755
index 0000000000..ff0ba466c8
--- /dev/null
+++ b/RecentActivity/release/rr-full/plugins/osversion_tln.pl
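Review bot: The `eval` around `$key->get_value("OSVersion")->get_data()` reports every failure as `OSVersion value not found.`, including a corrupt or unreadable value cell, and the header presents that answer as the reassuring one — so a parse error reads as a clean result. Test for the value's existence explicitly and keep real errors visible: `my $v = $key->get_value("OSVersion");` / `if (defined $v) { ::rptMsg("OSVersion = ".$v->get_data()); }` / `else { ::rptMsg("OSVersion value not found."); }`, reporting `$@` if `get_data` itself dies. The same pattern is in osversion_tln.pl and is not repeated there. `$os` is also printed raw whatever its registry type; showing the value's type next to it would tell the reader whether it holds a string at all.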
@@ -0,0 +1,70 @@
+#-----------------------------------------------------------
+# osversion_tln.pl
+# Plugin to check for OSVersion value, which appears to be queried
+# by some malware, and used by others; getting a response of "OSVersion
+# not found" is a good thing.
+#
+# Change history
+# 20120608 - created
+#
+# References
+# Search Google for "Software\Microsoft\OSVersion" - you'll get several
+# hits that refer to various malware;
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package osversion_tln;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20120608);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Checks for OSVersion value (TLN)";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching osversion_tln v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\Microsoft';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg("OSVersion");
+# ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my $t = $key->get_timestamp();
+# ::rptMsg("");
+ my $os;
+ eval {
+ $os = $key->get_value("OSVersion")->get_data();
+
+ };
+ if ($@) {
+ ::rptMsg("OSVersion value not found.");
+ }
+ else {
+ ::rptMsg($t."|REG|||[Malware] HKCU\\Software\\Microsoft, OSVersion = ".$os);
+ }
+ }
+ else {
+# ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
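Review bot: `$t` is the LastWrite time of `Software\Microsoft` itself, and that key's LastWrite moves whenever any of its values or immediate subkeys is added, removed or modified — a very busy key — so the TLN event only gives an upper bound on when OSVersion was last written, not the time the value was set. A timeline reader should be told that; a comment above `my $t = $key->get_timestamp();` such as `# LastWrite of Software\Microsoft changes on any value or direct subkey change, so this only bounds when OSVersion was last touched` would do it, and the `[Malware]` line could carry the word `LastWrite` to make the field's meaning explicit. When the value is absent the plugin prints `OSVersion value not found.` into the TLN stream, a line with no timestamp field; that branch is presumably meant to be commented out like the others in this file.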
diff --git a/thirdparty/rr/plugins/outlook.pl b/RecentActivity/release/rr-full/plugins/outlook.pl old mode 100644 new mode 100755 similarity index 94% rename from thirdparty/rr/plugins/outlook.pl rename to RecentActivity/release/rr-full/plugins/outlook.pl index eafc9b3ade..c2fb6d1075 --- a/thirdparty/rr/plugins/outlook.pl +++ b/RecentActivity/release/rr-full/plugins/outlook.pl 
@@ -1,186 +1,187 @@ -#----------------------------------------------------------- -# outlook.pl -# **Very Beta! Based on one sample hive file only! -# -# Change history -# 20100218 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package outlook; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's Outlook settings"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching outlook v.".$VERSION); - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - ::rptMsg(""); - foreach my $s (@subkeys) { - - my $profile = $s->get_name(); - ::rptMsg($profile." 
Profile"); - -# AutoArchive settings -# http://support.microsoft.com/kb/198479 - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0324")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2007 AutoArchive path -> ".$data); - }; - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e0324")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2003 AutoArchive path -> ".$data); - }; - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data); - }; - -# http://support.microsoft.com/kb/288570 - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101e0384")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Open Other Users MRU (Outlook 97) -> ".$data); - }; - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101f0390")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Open Other Users MRU (Outlook 2003) -> ".$data); - }; - - - - eval { - my $data = unpack("V",$s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("00036601")->get_data()); - my $str; - if ($data == 4) { - $str = " Cached Exchange Mode disabled."; - } - elsif ($data == 4484) { - $str = " Cached Exchange Mode enabled."; - } - else { - $str = sprintf " Cached Exchange Mode: 0x%x",$data; - } - ::rptMsg($str); - }; - - eval { - my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6610")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Path to OST file: ".$data); - }; - - eval { - my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6607")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Email: ".$data); - }; - - eval { - my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6620")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Email: ".$data); - }; - -# 
http://support.microsoft.com/kb/959956 -# eval { -# my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("01026687")->get_data(); -# $data =~ s/\00/\./g; -# $data =~ s/\W//g; -# ::rptMsg(" Non-SMTP Email: ".$data); -# }; - - - - - - - - - - - - - - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data); - }; - - - - - - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0418")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" 001f0418 -> ".$data); - }; -# ::rptMsg("Error : ".$@) if ($@); - - -# Account Names and signatures -# http://support.microsoft.com/kb/938360 - my @subkeys = $s->get_subkey("9375CFF0413111d3B88A00104B2A6676")->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - - foreach my $s2 (@subkeys) { - eval { - - - }; - } - } - - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# outlook.pl +# **Very Beta! Based on one sample hive file only! 
+# +# Change history +# 20100218 - created +# +# References +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package outlook; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100218); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's Outlook settings"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + my %hist; + ::logMsg("Launching outlook v.".$VERSION); + ::rptMsg("outlook v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + ::rptMsg(""); + foreach my $s (@subkeys) { + + my $profile = $s->get_name(); + ::rptMsg($profile." 
Profile"); + +# AutoArchive settings +# http://support.microsoft.com/kb/198479 + eval { + my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0324")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Outlook 2007 AutoArchive path -> ".$data); + }; + + eval { + my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e0324")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Outlook 2003 AutoArchive path -> ".$data); + }; + + eval { + my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data); + }; + +# http://support.microsoft.com/kb/288570 + eval { + my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101e0384")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Open Other Users MRU (Outlook 97) -> ".$data); + }; + + eval { + my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101f0390")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Open Other Users MRU (Outlook 2003) -> ".$data); + }; + + + + eval { + my $data = unpack("V",$s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("00036601")->get_data()); + my $str; + if ($data == 4) { + $str = " Cached Exchange Mode disabled."; + } + elsif ($data == 4484) { + $str = " Cached Exchange Mode enabled."; + } + else { + $str = sprintf " Cached Exchange Mode: 0x%x",$data; + } + ::rptMsg($str); + }; + + eval { + my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6610")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Path to OST file: ".$data); + }; + + eval { + my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6607")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Email: ".$data); + }; + + eval { + my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6620")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Email: ".$data); + }; + +# 
http://support.microsoft.com/kb/959956 +# eval { +# my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("01026687")->get_data(); +# $data =~ s/\00/\./g; +# $data =~ s/\W//g; +# ::rptMsg(" Non-SMTP Email: ".$data); +# }; + + + + + + + + + + + + + + + eval { + my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data); + }; + + + + + + + eval { + my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0418")->get_data(); + $data =~ s/\00//g; + ::rptMsg(" 001f0418 -> ".$data); + }; +# ::rptMsg("Error : ".$@) if ($@); + + +# Account Names and signatures +# http://support.microsoft.com/kb/938360 + my @subkeys = $s->get_subkey("9375CFF0413111d3B88A00104B2A6676")->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + + foreach my $s2 (@subkeys) { + eval { + + + }; + } + } + + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/outlook2.pl b/RecentActivity/release/rr-full/plugins/outlook2.pl new file mode 100755 index 0000000000..97712e8642 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/outlook2.pl 
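Review bot: `$s->get_subkey("9375CFF0413111d3B88A00104B2A6676")->get_list_of_subkeys()` runs outside any `eval`, so a profile without that accounts subkey makes `get_subkey` return undef, the method call dies and the plugin aborts before the remaining profiles are reported. Guard it: `if (my $acct = $s->get_subkey("9375CFF0413111d3B88A00104B2A6676")) { my @subkeys = $acct->get_list_of_subkeys(); … }`. The loop under it has an empty `eval { };` body, the `001e032c` AutoArchive `eval` is repeated verbatim, and `%hist` is never used — dead code the rename carries over unchanged and worth dropping while the file is being moved.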
@@ -0,0 +1,234 @@
+#------------------------------------------------------------------------------
+# outlook2.pl
+# A step in the swampy MAPI
+# Plugin for RegRipper
+# * BETA open to suggestions and corrections *
+#
+# Change history
+# 20130308 created
+#
+# References
+# [1] http://www.windowsitpro.com/article/registry2/inside-mapi-profiles-45347
+# [2] http://msdn.microsoft.com/en-us/library/ms526356(v=exchg.10).aspx
+#
+# Todo
+# 001f6700 PST
+# 001f6610 OST
+#
+# copyright 2013 Realitynet System Solutions snc
+# author: francesco picasso
+#------------------------------------------------------------------------------
+package outlook2;
+use strict;
+
+use Parse::Win32Registry qw( unpack_windows_time
+ unpack_unicode_string
+ unpack_sid
+ unpack_ace
+ unpack_acl
+ unpack_security_descriptor );
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20130308);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets MAPI (Outlook) settings *BETA*";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+my %outlook_subkeys;
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching outlook2 v.".$VERSION);
+ ::rptMsg("outlook2 v.".$VERSION);
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n");
+
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $tab;
+ my $key;
+ my $key_path;
+ my $outlook_key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook';
+ my $accounts_key_name = '9375CFF0413111d3B88A00104B2A6676';
+ ::rptMsg("Working path is '$key_path'");
+ ::rptMsg("");
+
+ $key = $root_key->get_subkey($outlook_key_path);
+ if (!$key) { ::rptMsg("Outlook key not found"); return; }
+ my @subkeys = $key->get_list_of_subkeys();
+ foreach my $s (@subkeys) { 
$outlook_subkeys{$s->get_name()} = $s; } + + # Accessing ACCOUNTS + # "Another well-known GUID is 9375CFF0413111d3B88A00104B2A6676, which is + # used to hold details about all the accounts that are in use within the + # profile. Under this subkey, you will find a subkey per account. + # For example, you'll typically find a subkey relating to the Outlook + # Address Book (OAB) account, the Exchange account, an account for each PST + # file that's been added to the profile, and any POP3/IMAP mail accounts + # that are defined within the profile." Ref[1] + $key_path = $outlook_key_path.'\\'.$accounts_key_name; + $key = $root_key->get_subkey($key_path); + if (!$key) { ::rptMsg("Accounts key '$accounts_key_name' not found"); return; } + ::rptMsg("__key_ $accounts_key_name"); + ::rptMsg("_time_ ".gmtime($key->get_timestamp())); + ::rptMsg("_desc_ accounts used within the profile"); + ::rptMsg(""); + + my @accounts_keys = $key->get_list_of_subkeys(); + foreach my $account_key (@accounts_keys) + { + $tab = ' '; + ::rptMsg($tab.'-----------------------------------'); + ::rptMsg($tab.$account_key->get_name()." 
[".gmtime($account_key->get_timestamp())."]"); + ::rptMsg($tab.'-----------------------------------'); + ::rptMsg($tab.get_unicode_string($account_key, 'Account Name')); + ::rptMsg($tab.get_dword_string_long($account_key, 'MAPI provider')); + ::rptMsg($tab.get_dword_string($account_key, 'Mini UID')); + ::rptMsg($tab.get_unicode_string($account_key, 'Service Name')); + ::rptMsg($tab.get_hex_string($account_key, 'Service UID')); + + my $service_id_key_name = $account_key->get_value('Service UID'); + if (!$service_id_key_name) { ::rptMsg(""); next; } + + ::rptMsg($tab.'\\'); + $tab = ' '; + parse_service($root_key, $outlook_key_path, $service_id_key_name, $tab); + $tab = ' '; + ::rptMsg($tab.'/'); + + ::rptMsg($tab.get_dword_string($account_key, 'XP Status')); + ::rptMsg($tab.get_hex_string($account_key, 'XP Provider UID')); + + my $xp_id_key_name = $account_key->get_value('XP Provider UID'); + if (!$xp_id_key_name) { ::rptMsg(""); next; } + ::rptMsg($tab.'\\'); + $tab = ' '; + parse_service($root_key, $outlook_key_path, $xp_id_key_name, $tab, 1); + $tab = ' '; + ::rptMsg($tab.'/'); + + ::rptMsg(""); + } + $tab = ''; + ::rptMsg(""); + ::rptMsg("Outlook subkeys not direclty linked to accounts"); + foreach my $okey_name (keys %outlook_subkeys) + { + ::rptMsg($tab."$okey_name"); + } +} + +sub parse_service +{ + my $root_key = shift; + my $outlook_key_path = shift; + my $ids = shift; + my $tab = shift; + my $xp_type = shift; + + $ids = $ids->get_raw_data(); + my $num_of_ids = length($ids) / 16; + for (my $i = 0; $i < $num_of_ids; $i += 1) + { + my $service_id_key_name = join('', unpack('(H2)16', $ids)); + $ids = substr($ids, 16); + my $service_id_key = $root_key->get_subkey($outlook_key_path.'\\'.$service_id_key_name); + if (!$service_id_key) + { + ::rptMsg($tab.'Service UID not found in Outlook path!'); + if (($i+1) != $num_of_ids) { ::rptMsg($tab.'+'); } + next; + } + ::rptMsg($tab.$service_id_key_name.' 
['.gmtime($service_id_key->get_timestamp()).']'); + ::rptMsg($tab.'--------------------------------'); + + delete($outlook_subkeys{$service_id_key_name}); + + if ($xp_type) + { + ::rptMsg($tab.get_ascii_string($service_id_key, '001e660b', 'User')); + ::rptMsg($tab.get_ascii_string($service_id_key, '001e6614', 'Server')); + ::rptMsg($tab.get_ascii_string($service_id_key, '001e660c', 'Server Name')); + ::rptMsg($tab.get_unicode_string($service_id_key, '001f662b', 'Server Domain(?)')); + ::rptMsg($tab.get_unicode_string($service_id_key, '001f3001', 'Display Name')); + ::rptMsg($tab.get_unicode_string($service_id_key, '001f3006', 'Provider Display')); + ::rptMsg($tab.get_unicode_string($service_id_key, '001f300a', 'Provider DLL Name')); + } + else + { + ::rptMsg($tab.get_unicode_string($service_id_key, '001f3001', 'Display Name')); + ::rptMsg($tab.get_unicode_string($service_id_key, '001f3d0a', 'Service DLL Name')); + ::rptMsg($tab.get_unicode_string($service_id_key, '001f3d0b', 'Service Entry')); + } + + if (($i+1) != $num_of_ids) { ::rptMsg($tab.'+'); } + } +} + +sub get_hex_string +{ + my $key = shift; + my $value = shift; + my $data = $key->get_value($value); + if ($data) { $data = join('', unpack('(H2)*', $data->get_raw_data()));} + else { $data = ''; } + return sprintf("%-20s %s", $value.':', $data); +} + +sub get_dword_string +{ + my $key = shift; + my $value = shift; + my $data = $key->get_value($value); + if ($data) { $data = $data->get_data(); $data = sprintf('0x%08X', $data); } + else { $data = ''; } + return sprintf("%-20s %s", $value.':', $data); +} + +sub get_dword_string_long +{ + my $key = shift; + my $value = shift; + my $data = $key->get_value($value); + if ($data) { $data = $data->get_data(); $data = sprintf('%u [0x%08X]', $data, $data); } + else { $data = ''; } + return sprintf("%-20s %s", $value.':', $data); +} + +sub get_unicode_string +{ + my $key = shift; + my $value = shift; + my $value_desc = shift; + my $data = $key->get_value($value); + if 
($data) { $data = unpack_unicode_string($data->get_data()); } + else { $data = ''; } + if (!$value_desc) { return sprintf("%-20s %s", $value.':', $data); } + return sprintf("%s %-20s %s", $value, '['.$value_desc.']:', $data); +} + +sub get_ascii_string +{ + my $key = shift; + my $value = shift; + my $value_desc = shift; + my $data = $key->get_value($value); + if ($data) { $data = $data->get_data(); } else { $data = ''; } + if (!$value_desc) { return sprintf("%-20s %s", $value.':', $data); } + return sprintf("%s %-20s %s", $value, '['.$value_desc.']:', $data); +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/pagefile.pl b/RecentActivity/release/rr-full/plugins/pagefile.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/pagefile.pl rename to RecentActivity/release/rr-full/plugins/pagefile.pl index f0484de431..147f352c9f --- a/thirdparty/rr/plugins/pagefile.pl +++ b/RecentActivity/release/rr-full/plugins/pagefile.pl 
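Review bot: `::rptMsg("Working path is '$key_path'")` in pluginmain interpolates `$key_path` before anything has been assigned to it (it is only declared with `my $key_path;` a few lines earlier), so the banner always prints an empty path; `$outlook_key_path` looks like the intended variable: `::rptMsg("Working path is '$outlook_key_path'");`. The closing "Outlook subkeys not direclty linked to accounts" listing iterates `keys %outlook_subkeys`, whose order is unspecified, so two runs over the same hive can list the leftovers in different orders — `sort keys %outlook_subkeys` would make the report reproducible, and the message has a typo ("direclty"). In parse_service, `length($ids) / 16` silently drops a trailing partial record when the raw `Service UID` or `XP Provider UID` blob is not a multiple of 16 bytes; a one-line check that reports the odd length would surface malformed data instead of hiding it.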
@@ -1,71 +1,73 @@ -#----------------------------------------------------------- -# pagefile.pl -# -# Ref: -# -# http://support.microsoft.com/kb/314834 - ClearPagefileAtShutdown -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package pagefile; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081212); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get info on pagefile(s)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching pagefile v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - - my $mm_path = "ControlSet00".$current."\\Control\\Session Manager\\Memory Management"; - my $mm; - if ($mm = $root_key->get_subkey($mm_path)) { - - eval { - my $files = $mm->get_value("PagingFiles")->get_data(); - ::rptMsg("PagingFiles = ".$files); - }; - ::rptMsg($@) if ($@); - - eval { - my $cpf = $mm->get_value("ClearPageFileAtShutdown")->get_data(); - ::rptMsg("ClearPageFileAtShutdown = ".$cpf); - }; - - } - else { - ::rptMsg($mm_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; +#----------------------------------------------------------- +# pagefile.pl +# +# Ref: +# +# http://support.microsoft.com/kb/314834 - ClearPagefileAtShutdown +# +# copyright 2008-2009 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package pagefile; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20081212); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get info on pagefile(s)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching pagefile v.".$VERSION); + ::rptMsg("pagefile v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + + my $mm_path = "ControlSet00".$current."\\Control\\Session Manager\\Memory Management"; + my $mm; + if ($mm = $root_key->get_subkey($mm_path)) { + + eval { + my $files = $mm->get_value("PagingFiles")->get_data(); + ::rptMsg("PagingFiles = ".$files); + }; + ::rptMsg($@) if ($@); + + eval { + my $cpf = $mm->get_value("ClearPageFileAtShutdown")->get_data(); + ::rptMsg("ClearPageFileAtShutdown = ".$cpf); + }; + + } + else { + ::rptMsg($mm_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} +1; diff --git a/RecentActivity/release/rr-full/plugins/phdet.pl b/RecentActivity/release/rr-full/plugins/phdet.pl new file mode 100755 index 0000000000..3c05849b79 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/phdet.pl 
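Review bot: The second `eval` in pluginmain, which reads `ClearPageFileAtShutdown`, has no `::rptMsg($@) if ($@);` after it, unlike the `PagingFiles` eval just above, so a missing value produces no output and the report cannot distinguish "not set" from "not checked". For a setting whose absence is itself a finding, a follow-up such as `::rptMsg("ClearPageFileAtShutdown value not found.") if ($@);` would keep the two lookups consistent. Beyond the two banner lines, this hunk appears to be a whole-file rewrite (likely line endings), so the rest of the code is unchanged history.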
@@ -0,0 +1,82 @@
+#-----------------------------------------------------------
+# phdet.pl
+#
+# History:
+# 20121213 - created
+#
+# References:
+# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Phdet
+#
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package phdet;
+use strict;
+
+my %config = (hive => "System",
+ hivemask => 4,
+ output => "report",
+ category => "Malware",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 31, #XP - Win7
+ version => 20120817);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Check for a Phdet infection";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my %files;
+my @temps;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching phdet v.".$VERSION);
+ ::rptMsg("phdet v.".$VERSION); # banner
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my ($current,$ccs);
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ my $phdet_path = $ccs."\\Services\\msupdate";
+ my $phdet;
+ if ($phdet = $root_key->get_subkey($phdet_path)) {
+ my @vals = $phdet->get_values();
+ if (scalar(@vals) > 0) {
+ my %p_vals;
+ foreach my $v (@vals) {
+ $p_vals{$v->get_name()} = $v->get_data();
+ }
+ ::rptMsg("DisplayName: ".$p_vals{"DisplayName"});
+ ::rptMsg("Image Path : ".$p_vals{"ImagePath"});
+ }
+ else {
+ ::rptMsg($phdet_path." 
key has no values."); + } + } + else { + ::rptMsg($phdet_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/photos.pl b/RecentActivity/release/rr-full/plugins/photos.pl new file mode 100755 index 0000000000..3f2f007daa --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/photos.pl 
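Review bot: `version => 20120817` in `%config` disagrees with the `20121213 - created` entry in the change history, so the version printed in the banner and the log will not match the file's own history; `version => 20121213` is presumably intended. `my %files;` and `my @temps;` are declared at file scope and never used in the visible code. `$p_vals{"DisplayName"}` and `$p_vals{"ImagePath"}` are concatenated without checking that the `msupdate` service key actually carries those values, so a key with a different value set prints empty fields with no indication; a `defined` check with a "value not present" message would make that explicit in the report.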
@@ -0,0 +1,95 @@
+package photos;
+#------------------------------------------------------------
+# photos.pl - read data on images opened via Win8 Photos app
+#
+# Change history
+# 20130308 - created
+#
+# Ref:
+# http://dfstream.blogspot.com/2013/03/windows-8-tracking-opened-photos.html
+#
+# Copyright 2013 QAR, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#------------------------------------------------------------
+use strict;
+
+my %config = (hive => "USRCLASS\.DAT",
+ hivemask => 32,
+ output => "report",
+ category => "User Activity",
+ osmask => 20, #Vista, Win7/Win2008R2
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20130102);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching photos v.".$VERSION);
+ ::rptMsg("photos v.".$VERSION); # banner
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+
+#\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\
+#SystemAppData\microsoft.windowsphotos_8wekyb3d8bbwe\
+#PersistedStorageItemTable\ManagedByApp
+
+ my $key_path = "Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\".
+ "AppModel\\SystemAppData\\microsoft\.windowsphotos_8wekyb3d8bbwe\\".
+ "PersistedStorageItemTable\\ManagedByApp";
+ my $key;
+
+ if ($key = $root_key->get_subkey($key_path)) {
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ my $lw = $s->get_timestamp();
+ ::rptMsg($name);
+ ::rptMsg("LastWrite: ".gmtime($lw)." 
UTC"); + + eval { + my $fp = $s->get_value("FilePath")->get_data(); + ::rptMsg("FilePath: ".$fp); + }; + + eval { + my $last = $s->get_value("LastUpdatedTime")->get_data(); + my ($v0,$v1) = unpack("VV",$last); + my $l = ::getTime($v0,$v1); + ::rptMsg("LastUpdatedTime: ".gmtime($l)." UTC"); + }; + + eval { + my $flags = $s->get_value("Flags")->get_data(); + ::rptMsg(sprintf "Flags: 0x%x",$flags); + ::rptMsg(" Removable media") if ($flags == 0x09); + ::rptMsg(" Local media") if ($flags == 0x0d); + }; + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." key has no subkeys\."); + } + } + else { + ::rptMsg($key_path." key not found\."); + } +} +1; diff --git a/thirdparty/rr/plugins/polacdms.pl b/RecentActivity/release/rr-full/plugins/polacdms.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/polacdms.pl rename to RecentActivity/release/rr-full/plugins/polacdms.pl index 83efc86670..ba74600fcf --- a/thirdparty/rr/plugins/polacdms.pl +++ b/RecentActivity/release/rr-full/plugins/polacdms.pl 
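Review bot: getShortDescr returns "Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives", which looks copied from another plugin and contradicts the header's "read data on images opened via Win8 Photos app"; since this string goes into the banner of every report, it should read something like `return "Read data on images opened via the Win8 Photos app";`. The `osmask => 20, #Vista, Win7/Win2008R2` setting and its comment likewise do not match a key that the header and reference attribute to the Win8 Photos app, and `version => 20130102` predates the `20130308 - created` change-history entry. The `package photos;` line sits above the header comment, unlike the other plugins in this commit, which place it after.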
@@ -1,93 +1,95 @@ -#----------------------------------------------------------- -# polacdms -# Get the audit policy from the Security hive file; also, gets -# -# -# Change History: -# 20100531 - Created -# -# References: -# http://en.wikipedia.org/wiki/Security_Identifier -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package polacdms; -use strict; - -my %config = (hive => "Security", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100531); - -sub getConfig{return %config} -sub getShortDescr { - return "Get local machine SID from Security hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching polacdms v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Policy\\PolAcDmS"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("PolAcDmS"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $data; - eval { - $data = $key->get_value("")->get_data(); - }; - if ($@) { - ::rptMsg("Error occurred getting data from ".$key_path); - ::rptMsg(" - ".$@); - } - else { - my @d = unpack("V4",substr($data,8,16)); - ::rptMsg("Machine SID: S-1-5-".(join('-',@d))); - } - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - my $key_path = "Policy\\PolPrDmS"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("PolPrDmS"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - - my $data; - eval { - $data = $key->get_value("")->get_data(); - }; - if ($@) { - ::rptMsg("Error occurred getting data from ".$key_path); - ::rptMsg(" - ".$@); - } - else { - my @d = unpack("V4",substr($data,8,16)); - ::rptMsg("Primary Domain SID: S-1-5-".(join('-',@d))); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# polacdms +# Get the audit policy from the Security hive file; also, gets +# +# +# Change History: +# 20100531 - Created +# +# References: +# http://en.wikipedia.org/wiki/Security_Identifier +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package polacdms; +use strict; + +my %config = (hive => "Security", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100531); + +sub getConfig{return %config} +sub getShortDescr { + return "Get local machine SID from Security hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching polacdms v.".$VERSION); + ::rptMsg("polacdms v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Policy\\PolAcDmS"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("PolAcDmS"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my $data; + eval { + $data = $key->get_value("")->get_data(); + }; + if ($@) { + ::rptMsg("Error occurred getting data from ".$key_path); + ::rptMsg(" - ".$@); + } + else { + my @d = unpack("V4",substr($data,8,16)); + ::rptMsg("Machine SID: S-1-5-".(join('-',@d))); + } + } + else { + ::rptMsg($key_path." 
not found."); + } + ::rptMsg(""); + my $key_path = "Policy\\PolPrDmS"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("PolPrDmS"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my $data; + eval { + $data = $key->get_value("")->get_data(); + }; + if ($@) { + ::rptMsg("Error occurred getting data from ".$key_path); + ::rptMsg(" - ".$@); + } + else { + my @d = unpack("V4",substr($data,8,16)); + ::rptMsg("Primary Domain SID: S-1-5-".(join('-',@d))); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/policies_u.pl b/RecentActivity/release/rr-full/plugins/policies_u.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/policies_u.pl rename to RecentActivity/release/rr-full/plugins/policies_u.pl index 9a15c13112..ce9430a641 --- a/thirdparty/rr/plugins/policies_u.pl +++ b/RecentActivity/release/rr-full/plugins/policies_u.pl 
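Review bot: `unpack("V4",substr($data,8,16))` in both branches of pluginmain assumes the default value is at least 24 bytes long; the surrounding `eval` only guards the fetch, so a short or malformed blob yields a truncated SID that is printed as if it were valid. A length check before the unpack, e.g. `if (length($data) < 24) { ::rptMsg("Unexpected data length: ".length($data)); }` with the unpack in the else branch, would make that case visible in the report. The second block also re-declares `my $key_path` and `my $key` in the same scope as the first, which masks the earlier declarations; assigning to the existing variables avoids that. The header comment's "Get the audit policy from the Security hive file; also, gets" is an unfinished sentence and does not describe what the code does, which is to report the machine SID and the primary domain SID.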
@@ -1,73 +1,75 @@ -#----------------------------------------------------------- -# policies_u -# Get values from user's WinLogon key -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package policies_u; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091021); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get values from the user's Policies key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching policies_u v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion"; - my $key; - if ($key = $root_key->get_subkey($key_path."\\policies")) { -# ::rptMsg("policies key found."); - - } - elsif ($key = $root_key->get_subkey($key_path."\\Policies")) { -# ::rptMsg("Policies key found."); - - } - else { - ::rptMsg("Neither policies nor Policies key found."); - return; - } - - eval { - my @vals = $key->get_subkey("Explorer")->get_list_of_values(); - if (scalar(@vals) > 0) { - ::rptMsg(""); - ::rptMsg("Explorer subkey values:"); - foreach my $v (@vals) { - my $str = sprintf "%-20s %-20s",$v->get_name(),$v->get_data(); - ::rptMsg(" ".$str); - } - } - }; - ::rptMsg(""); - eval { - my $quota = $key->get_subkey("System")->get_value("EnableProfileQuota")->get_data(); - ::rptMsg("EnableProfileQuota = ".$quota); - ::rptMsg(""); - ::rptMsg("The EnableProfileQuota = 1 setting causes the proquota\.exe to be run"); - ::rptMsg("automatically in order to limit the size of roaming profiles\. 
This"); - ::rptMsg("corresponds to the Limit Profile Size GPO setting\."); - }; - ::rptMsg("System\\EnableProfileQuota value not found\.") if ($@); -} - +#----------------------------------------------------------- +# policies_u +# Get values from user's WinLogon key +# +# copyright 2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package policies_u; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20091021); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get values from the user's Policies key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching policies_u v.".$VERSION); + ::rptMsg("policies_u v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion"; + my $key; + if ($key = $root_key->get_subkey($key_path."\\policies")) { +# ::rptMsg("policies key found."); + + } + elsif ($key = $root_key->get_subkey($key_path."\\Policies")) { +# ::rptMsg("Policies key found."); + + } + else { + ::rptMsg("Neither policies nor Policies key found."); + return; + } + + eval { + my @vals = $key->get_subkey("Explorer")->get_list_of_values(); + if (scalar(@vals) > 0) { + ::rptMsg(""); + ::rptMsg("Explorer subkey values:"); + foreach my $v (@vals) { + my $str = sprintf "%-20s %-20s",$v->get_name(),$v->get_data(); + ::rptMsg(" ".$str); + } + } + }; + ::rptMsg(""); + eval { + my $quota = $key->get_subkey("System")->get_value("EnableProfileQuota")->get_data(); + ::rptMsg("EnableProfileQuota = ".$quota); + ::rptMsg(""); + ::rptMsg("The EnableProfileQuota = 1 setting causes the proquota\.exe 
to be run"); + ::rptMsg("automatically in order to limit the size of roaming profiles\. This"); + ::rptMsg("corresponds to the Limit Profile Size GPO setting\."); + }; + ::rptMsg("System\\EnableProfileQuota value not found\.") if ($@); +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/port_dev.pl b/RecentActivity/release/rr-full/plugins/port_dev.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/port_dev.pl rename to RecentActivity/release/rr-full/plugins/port_dev.pl index 3ceaf1ae73..23fdcd8e8c --- a/thirdparty/rr/plugins/port_dev.pl +++ b/RecentActivity/release/rr-full/plugins/port_dev.pl 
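Review bot: The header comment still says "Get values from user's WinLogon key", but pluginmain reads `Software\Microsoft\Windows\CurrentVersion\policies` (or `Policies`) and never touches WinLogon; `# Get values from the user's Policies key` would match getShortDescr and the code. The `Explorer` eval is silent on failure while the `System` eval reports "value not found", so a missing Explorer subkey leaves no trace in the report; a matching `::rptMsg("Explorer subkey not found\.") if ($@);` after the first eval would keep the two consistent.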
@@ -1,89 +1,91 @@ -#----------------------------------------------------------- -# port_dev -# Parse Microsoft\Windows Portable Devices\Devices key on Vista -# Get historical information about drive letter assigned to devices -# -# NOTE: Credit for "discovery" goes to Rob Lee -# -# Change History: -# 20090118 - changed the name of the plugin from "removdev" -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package port_dev; -use strict; - -my %config = (hive => "Software", - osmask => 192, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090118); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parses Windows Portable Devices key (Vista)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching port_dev v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows Portable Devices\\Devices"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("RemovDev"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $lastwrite = $s->get_timestamp(); - - my $letter; - eval { - $letter = $s->get_value("FriendlyName")->get_data(); - }; - ::rptMsg($name." key error: $@") if ($@); - - my $half; - if (grep(/##/,$name)) { - $half = (split(/##/,$name))[1]; - } - - if (grep(/\?\?/,$name)) { - $half = (split(/\?\?/,$name))[1]; - } - - my ($dev,$sn) = (split(/#/,$half))[1,2]; - - ::rptMsg("Device : ".$dev); - ::rptMsg("LastWrite : ".gmtime($lastwrite)." 
(UTC)"); - ::rptMsg("SN : ".$sn); - ::rptMsg("Drive : ".$letter); - ::rptMsg(""); - - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# port_dev +# Parse Microsoft\Windows Portable Devices\Devices key on Vista +# Get historical information about drive letter assigned to devices +# +# NOTE: Credit for "discovery" goes to Rob Lee +# +# Change History: +# 20090118 - changed the name of the plugin from "removdev" +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package port_dev; +use strict; + +my %config = (hive => "Software", + osmask => 192, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090118); + +sub getConfig{return %config} + +sub getShortDescr { + return "Parses Windows Portable Devices key (Vista)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching port_dev v.".$VERSION); + ::rptMsg("port_dev v.".$VERSION); # banner + :rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows Portable Devices\\Devices"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("RemovDev"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + + foreach my $s (@subkeys) { + my $name = $s->get_name(); + my $lastwrite = $s->get_timestamp(); + + my $letter; + eval { + $letter = $s->get_value("FriendlyName")->get_data(); + }; + ::rptMsg($name." 
key error: $@") if ($@); + + my $half; + if (grep(/##/,$name)) { + $half = (split(/##/,$name))[1]; + } + + if (grep(/\?\?/,$name)) { + $half = (split(/\?\?/,$name))[1]; + } + + my ($dev,$sn) = (split(/#/,$half))[1,2]; + + ::rptMsg("Device : ".$dev); + ::rptMsg("LastWrite : ".gmtime($lastwrite)." (UTC)"); + ::rptMsg("SN : ".$sn); + ::rptMsg("Drive : ".$letter); + ::rptMsg(""); + + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/prefetch.pl b/RecentActivity/release/rr-full/plugins/prefetch.pl new file mode 100755 index 0000000000..7363b001e4 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/prefetch.pl 
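Review bot: The added banner line `:rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner` starts with a single colon rather than `::rptMsg`, so it is not a call into the main package; I would expect Perl to reject it as a syntax error and the plugin to fail to load. It should read `::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner`, matching the line above it and the other plugins in this commit. Separately, when a subkey name matches neither `##` nor `??`, `$half` stays undefined and `split(/#/,$half)` runs on undef, leaving `$dev` and `$sn` empty with no message; reporting the unparsed `$name` in that case would be more useful to an examiner.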
@@ -0,0 +1,76 @@ +#----------------------------------------------------------- +# prefetch.pl +# Access System hive file to get the Prefetch Parameters +# +# Change history +# +# +# References +# http://msdn.microsoft.com/en-us/library/bb499146(v=winembedded.5).aspx +# +# copyright 2012 Corey Harrell (Journey Into Incident Response) +#----------------------------------------------------------- +package prefetch; +use strict; + +my %config = (hive => "SYSTEM", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120914); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets the the Prefetch Parameters"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching prefetch v.".$VERSION); + ::rptMsg("prefetch v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my ($current,$ccs); + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + my $pp_path = $ccs."\\Control\\Session Manager\\Memory Management\\PrefetchParameters"; + my $pp; + if ($pp = $root_key->get_subkey($pp_path)) { + my $ep = $pp->get_value("EnablePrefetcher")->get_data(); + ::rptMsg("EnablePrefetcher = ".$ep); + ::rptMsg(""); + ::rptMsg("0 = Prefetching is disabled"); + ::rptMsg("1 = Application prefetching is enabled"); + ::rptMsg("2 = Boot prefetching is enabled"); + ::rptMsg("3 = Both boot and application prefetching is enabled"); + + } + else { + ::rptMsg($pp_path." not found."); + ::logMsg($pp_path." 
not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/printermru.pl b/RecentActivity/release/rr-full/plugins/printermru.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/printermru.pl rename to RecentActivity/release/rr-full/plugins/printermru.pl index 531f1f19ad..6a75763524 --- a/thirdparty/rr/plugins/printermru.pl +++ b/RecentActivity/release/rr-full/plugins/printermru.pl 
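Review bot: In pluginmain, `$key->get_value("Current")->get_data()` and `$pp->get_value("EnablePrefetcher")->get_data()` are called unguarded; when the value is absent from the hive, get_value returns undef and the method call on undef dies, aborting the plugin run instead of reporting the missing value (producttype.pl in this diff has the same unguarded `Current` lookup). A safer form is `my $ep = eval { $pp->get_value("EnablePrefetcher")->get_data() };` followed by `::rptMsg("EnablePrefetcher value not found.") unless defined $ep;`, which is how the sibling plugins in this diff treat optional values. The control-set key is built as `"ControlSet00".$current`, which mis-forms the path once Current reaches 10; `sprintf("ControlSet%03d", $current)` handles that, and the same construction appears in producttype.pl and productpolicy.pl. The banner string returned by getShortDescr, `"Gets the the Prefetch Parameters"`, has a doubled word.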
@@ -1,74 +1,76 @@ -#----------------------------------------------------------- -# printermru.pl -# Plugin to get RealVNC MRU listings from NTUSER.DAT -# -# Change history -# 20091125 - created -# -# References -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package printermru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091125); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's Printer Wizard MRU listing"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching printermru v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Printers\\Settings\\Wizard\\ConnectMRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %mru; - my @list; - foreach my $v (@vals) { - $mru{$v->get_name()} = $v->get_data(); - } - - if (exists $mru{MRUList}) { - @list = split(//,$mru{MRUList}); - } - - ::rptMsg("Printers listed in MRUList order."); - foreach my $i (0..scalar(@list) - 1) { - ::rptMsg(" ".$list[$i]." -> ".$mru{$list[$i]}); - } - - - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# printermru.pl +# Plugin to get RealVNC MRU listings from NTUSER.DAT +# +# Change history +# 20091125 - created +# +# References +# +# copyright 2009 H. 
Carvey +#----------------------------------------------------------- +package printermru; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20091125); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's Printer Wizard MRU listing"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching printermru v.".$VERSION); + ::rptMsg("printermru v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Printers\\Settings\\Wizard\\ConnectMRU'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %mru; + my @list; + foreach my $v (@vals) { + $mru{$v->get_name()} = $v->get_data(); + } + + if (exists $mru{MRUList}) { + @list = split(//,$mru{MRUList}); + } + + ::rptMsg("Printers listed in MRUList order."); + foreach my $i (0..scalar(@list) - 1) { + ::rptMsg(" ".$list[$i]." -> ".$mru{$list[$i]}); + } + + + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/printers.pl b/RecentActivity/release/rr-full/plugins/printers.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/printers.pl rename to RecentActivity/release/rr-full/plugins/printers.pl index b01c920078..0c6da4338a --- a/thirdparty/rr/plugins/printers.pl +++ b/RecentActivity/release/rr-full/plugins/printers.pl 
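Review bot: The header comment `# Plugin to get RealVNC MRU listings from NTUSER.DAT` does not describe this plugin, which reads `Printers\Settings\Wizard\ConnectMRU` and reports a printer-wizard MRU; it looks copied from another plugin and should read `# Plugin to get the user's Printer Wizard ConnectMRU listing from NTUSER.DAT`. The diff replaces every line of the file although the only functional change is the two banner `::rptMsg` calls, which suggests a line-ending or whitespace normalization travelled with the rename; the same whole-file rewrite appears in printers.pl, product.pl, productpolicy.pl, producttype.pl and profilelist.pl, and separating that normalization from the two-line change would make the intended edits reviewable.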
@@ -1,83 +1,85 @@ -#----------------------------------------------------------- -# printers.pl -# Get information about printers used by a user; System hive -# info is volatile -# -# Ref: -# http://support.microsoft.com/kb/102966 -# http://support.microsoft.com/kb/252388 -# http://support.microsoft.com/kb/102116 -# -# The following references contain information from the System -# hive that is volatile. -# http://www.undocprint.org/winspool/registry -# http://msdn.microsoft.com/en-us/library/aa394363(VS.85).aspx -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package printers; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090223); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get user's printers"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching printers v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(" ".$v->get_name()." (".$v->get_data().")"); - } - } - else { - ::rptMsg($key_path." 
has no values."); - } - ::rptMsg(""); -# Get default printer - my $def_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"; - my $def; - eval { - $def = $root_key->get_subkey($def_path)->get_value("Device")->get_data(); - ::rptMsg("Default Printer (via CurrentVersion\\Windows): ".$def); - }; -# another attempt to get the default printer - my $def_path = "Printers"; - my $def; - eval { - $def = $root_key->get_subkey($def_path)->get_value("DeviceOld")->get_data(); - ::rptMsg("Default Printer (via Printers->DeviceOld): ".$def); - }; - - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# printers.pl +# Get information about printers used by a user; System hive +# info is volatile +# +# Ref: +# http://support.microsoft.com/kb/102966 +# http://support.microsoft.com/kb/252388 +# http://support.microsoft.com/kb/102116 +# +# The following references contain information from the System +# hive that is volatile. +# http://www.undocprint.org/winspool/registry +# http://msdn.microsoft.com/en-us/library/aa394363(VS.85).aspx +# +# copyright 2008-2009 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package printers; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090223); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get user's printers"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching printers v.".$VERSION); + ::rptMsg("printers v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + ::rptMsg(" ".$v->get_name()." (".$v->get_data().")"); + } + } + else { + ::rptMsg($key_path." has no values."); + } + ::rptMsg(""); +# Get default printer + my $def_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"; + my $def; + eval { + $def = $root_key->get_subkey($def_path)->get_value("Device")->get_data(); + ::rptMsg("Default Printer (via CurrentVersion\\Windows): ".$def); + }; +# another attempt to get the default printer + my $def_path = "Printers"; + my $def; + eval { + $def = $root_key->get_subkey($def_path)->get_value("DeviceOld")->get_data(); + ::rptMsg("Default Printer (via Printers->DeviceOld): ".$def); + }; + + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file 
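Review bot: In pluginmain, `my $def_path` and `my $def` are declared a second time in the same scope for the `Printers` lookup, so perl reports `"my" variable masks earlier declaration` when warnings are enabled; dropping the second `my` (`$def_path = "Printers";` and `undef $def;`) keeps the intent without the redeclaration. The line `::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp()));` omits the `(UTC)` suffix that the other plugins in this diff append to their LastWrite output, which matters when reports are read side by side.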
diff --git a/RecentActivity/release/rr-full/plugins/privoxy.pl b/RecentActivity/release/rr-full/plugins/privoxy.pl new file mode 100755 index 0000000000..a5a7881320 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/privoxy.pl 
@@ -0,0 +1,94 @@ +#----------------------------------------------------------- +# privoxy.pl +# Extracts the install path for Privoxy +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# copyright (c) 2011-02-04 Brendan Coles +#----------------------------------------------------------- +# Require # +package privoxy; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110204); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extracts the install path for Privoxy."; +} +sub getRefs { + my %refs = ("Privoxy Homepage:" => + "http://www.privoxy.org/"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + + # Initialize # + ::logMsg("Launching privoxy v.".$VERSION); + ::rptMsg("privoxy v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\Privoxy"; + + # If # Privoxy path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("Privoxy"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + # Extract # all keys from Privoxy registry path # + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for Privoxy registry path # + foreach my $v (@vals) { + ::rptMsg($v->get_name()." -> ".$v->get_data()); + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # Privoxy isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/thirdparty/rr/plugins/product.pl b/RecentActivity/release/rr-full/plugins/product.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/product.pl rename to RecentActivity/release/rr-full/plugins/product.pl index 6a70d719f4..9beacc2aad --- a/thirdparty/rr/plugins/product.pl +++ b/RecentActivity/release/rr-full/plugins/product.pl 
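Review bot: The comment `# Error # oh snap! #` above the trailing `1;` is misleading: that line is the true value a Perl module must return on load, not an error path, so `# Module must return true #` would describe it. In the values loop, `::rptMsg($v->get_name()." -> ".$v->get_data())` emits the raw data regardless of value type, so a REG_BINARY or REG_MULTI_SZ value under `Software\Privoxy` would put raw bytes into the report; `$v->get_data_as_string()` from Parse::Win32Registry renders each type in readable form.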
@@ -1,118 +1,120 @@ -#----------------------------------------------------------- -# product.pl -# Plugin to determine the MSI packages installed on the system -# -# Change history: -# 20100325 - created -# -# References: -# http://support.microsoft.com/kb/236590 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package product; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100325); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get installed product info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %msi; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching product v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Installer\\UserData"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { -# Each of these subkeys should be SIDs - foreach my $s (@subkeys) { - next unless ($s->get_name() =~ m/^S/); - ::rptMsg($s->get_name()); - if ($s->get_subkey("Products")) { - processSIDKey($s->get_subkey("Products")); - ::rptMsg(""); - } - else { - ::rptMsg($s->get_name()."\\Products subkey not found."); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub processSIDKey { - my $key = shift; - my %prod; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { -# ::rptMsg($key->get_name()); - foreach my $s (@subkeys) { - my ($displayname,$lastwrite); - eval { - $displayname = $s->get_subkey("InstallProperties")->get_value("DisplayName")->get_data(); - $lastwrite = $s->get_subkey("InstallProperties")->get_timestamp(); - }; - - my $displayversion; - eval { - $displayversion = $s->get_subkey("InstallProperties")->get_value("DisplayVersion")->get_data(); - }; - - my $installdate; - eval { - $installdate = $s->get_subkey("InstallProperties")->get_value("InstallDate")->get_data(); - }; - - my $str = $displayname." v.".$displayversion.", ".$installdate; - push(@{$prod{$lastwrite}},$str); - } - - foreach my $t (reverse sort {$a <=> $b} keys %prod) { - ::rptMsg(gmtime($t)." Z"); - foreach my $i (@{$prod{$t}}) { - ::rptMsg(" ".$i); - } - } - - - } - else { - ::rptMsg($key->get_name()." has no subkeys."); - return; - } -} - +#----------------------------------------------------------- +# product.pl +# Plugin to determine the MSI packages installed on the system +# +# Change history: +# 20100325 - created +# +# References: +# http://support.microsoft.com/kb/236590 +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package product; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100325); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get installed product info"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %msi; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching product v.".$VERSION); + ::rptMsg("product v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 
banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows\\CurrentVersion\\Installer\\UserData"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { +# Each of these subkeys should be SIDs + foreach my $s (@subkeys) { + next unless ($s->get_name() =~ m/^S/); + ::rptMsg($s->get_name()); + if ($s->get_subkey("Products")) { + processSIDKey($s->get_subkey("Products")); + ::rptMsg(""); + } + else { + ::rptMsg($s->get_name()."\\Products subkey not found."); + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub processSIDKey { + my $key = shift; + my %prod; + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { +# ::rptMsg($key->get_name()); + foreach my $s (@subkeys) { + my ($displayname,$lastwrite); + eval { + $displayname = $s->get_subkey("InstallProperties")->get_value("DisplayName")->get_data(); + $lastwrite = $s->get_subkey("InstallProperties")->get_timestamp(); + }; + + my $displayversion; + eval { + $displayversion = $s->get_subkey("InstallProperties")->get_value("DisplayVersion")->get_data(); + }; + + my $installdate; + eval { + $installdate = $s->get_subkey("InstallProperties")->get_value("InstallDate")->get_data(); + }; + + my $str = $displayname." v.".$displayversion.", ".$installdate; + push(@{$prod{$lastwrite}},$str); + } + + foreach my $t (reverse sort {$a <=> $b} keys %prod) { + ::rptMsg(gmtime($t)." Z"); + foreach my $i (@{$prod{$t}}) { + ::rptMsg(" ".$i); + } + } + + + } + else { + ::rptMsg($key->get_name()." has no subkeys."); + return; + } +} + 1; \ No newline at end of file 
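Review bot: In processSIDKey, when a product subkey has no `InstallProperties` subkey the first eval fails and `$lastwrite` stays undef, so the entry is pushed under the `""` key and later printed via `gmtime("")` as the 1970 epoch with an empty name and version, which misattributes the install in the report. Checking after that eval with `unless (defined $lastwrite) { ::rptMsg(" ".$s->get_name()." has no InstallProperties subkey"); next; }` records the gap instead of fabricating a timestamp. The file-scope `my %msi;` is never referenced and can be removed.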
diff --git a/thirdparty/rr/plugins/productpolicy.pl b/RecentActivity/release/rr-full/plugins/productpolicy.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/productpolicy.pl rename to RecentActivity/release/rr-full/plugins/productpolicy.pl index 9437b84fbe..0d99e5a469 --- a/thirdparty/rr/plugins/productpolicy.pl +++ b/RecentActivity/release/rr-full/plugins/productpolicy.pl 
@@ -1,145 +1,147 @@ -#----------------------------------------------------------- -# productpolicy.pl -# Extract/parse the ControlSet00x\Control\ProductOptions\ProductPolicy value -# -# NOTE: For Vista and 2008 ONLY; the value structure changed with Windows 7 -# -# Change History: -# 20091116 - created -# -# Ref: -# http://www.geoffchappell.com/viewer.htm?doc=studies/windows/km/ntoskrnl/ -# api/ex/slmem/productpolicy.htm&tx=19 -# http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/ -# install.htm&tx=3,5,6;4 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package productpolicy; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parse ProductPolicy value (Vista & Win2008 ONLY)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my %prodinfo = (1 => "Ultimate", - 2 => "Home Basic", - 3 => "Home Premium", - 5 => "Home Basic N", - 6 => "Business", - 7 => "Standard", - 8 => "Data Center", - 10 => "Enterprise", - 11 => "Starter", - 12 => "Data Center Core", - 13 => "Standard Core", - 14 => "Enterprise Core", - 15 => "Business N"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - - ::logMsg("Launching productpolicy v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $curr; - eval { - $curr = $root_key->get_subkey("Select")->get_value("Current")->get_data(); - }; - $curr = 1 if ($@); - - my $key; - my $key_path = "ControlSet00".$curr."\\Control\\ProductOptions"; - if ($key = $root_key->get_subkey($key_path)) { - my $prod; - eval { - $prod = $key->get_value("ProductPolicy")->get_data(); - }; - if ($@) { - ::rptMsg("Error getting ProductPolicy value: $@"); - } - else { - my %pol = 
parseData($prod); - ::rptMsg(""); - ::rptMsg("Note: This plugin applies to Vista and Windows 2008 ONLY."); - ::rptMsg("For a listing of names and values, see:"); - ::rptMsg("http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/install.htm&tx=3,5,6;4"); - ::rptMsg(""); - foreach my $p (sort keys %pol) { - ::rptMsg($p." - ".$pol{$p}); - } - - if (exists $prodinfo{$pol{"Kernel\-ProductInfo"}}) { - ::rptMsg(""); - ::rptMsg("Kernel\-ProductInfo = ".$prodinfo{$pol{"Kernel\-ProductInfo"}}); - } - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -sub parseHeader { -# Ref: http://www.geoffchappell.com/viewer.htm?doc=studies/windows/km/ntoskrnl/ -# api/ex/slmem/productpolicy.htm&tx=19,21 - my %h; - my @v = unpack("V*",shift); - $h{size} = $v[0]; - $h{array} = $v[1]; - $h{marker} = $v[2]; - $h{version} = $v[4]; - return %h; -} - -sub parseData { - my $pd = shift; - my %policy; - my $h = substr($pd,0,0x14); - my %hdr = parseHeader($h); - my $total_size = $hdr{size}; - my $cursor = 0x14; - - while ($cursor <= $total_size) { - my @vals = unpack("v4V2", substr($pd,$cursor,0x10)); - my $value = substr($pd,$cursor,$vals[0]); - my $name = substr($value,0x10,$vals[1]); - $name =~ s/\00//g; - - my $data = substr($value,0x10 + $vals[1],$vals[3]); - if ($vals[2] == 4) { -# $data = sprintf "0x%x",unpack("V",$data); - $data = unpack("V",$data); - } - elsif ($vals[2] == 1) { - $data =~ s/\00//g; - } - elsif ($vals[2] == 3) { - $data = unpack("H*",$data); - } - else { - - } - $policy{$name} = $data; - $cursor += $vals[0]; - } - delete $policy{""}; - return %policy; -} +#----------------------------------------------------------- +# productpolicy.pl +# Extract/parse the ControlSet00x\Control\ProductOptions\ProductPolicy value +# +# NOTE: For Vista and 2008 ONLY; the value structure changed with Windows 7 +# +# Change History: +# 20091116 - created +# +# Ref: +# http://www.geoffchappell.com/viewer.htm?doc=studies/windows/km/ntoskrnl/ +# 
api/ex/slmem/productpolicy.htm&tx=19 +# http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/ +# install.htm&tx=3,5,6;4 +# +# copyright 2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package productpolicy; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20091116); + +sub getConfig{return %config} + +sub getShortDescr { + return "Parse ProductPolicy value (Vista & Win2008 ONLY)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my %prodinfo = (1 => "Ultimate", + 2 => "Home Basic", + 3 => "Home Premium", + 5 => "Home Basic N", + 6 => "Business", + 7 => "Standard", + 8 => "Data Center", + 10 => "Enterprise", + 11 => "Starter", + 12 => "Data Center Core", + 13 => "Standard Core", + 14 => "Enterprise Core", + 15 => "Business N"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + + ::logMsg("Launching productpolicy v.".$VERSION); + ::rptMsg("productpolicy v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $curr; + eval { + $curr = $root_key->get_subkey("Select")->get_value("Current")->get_data(); + }; + $curr = 1 if ($@); + + my $key; + my $key_path = "ControlSet00".$curr."\\Control\\ProductOptions"; + if ($key = $root_key->get_subkey($key_path)) { + my $prod; + eval { + $prod = $key->get_value("ProductPolicy")->get_data(); + }; + if ($@) { + ::rptMsg("Error getting ProductPolicy value: $@"); + } + else { + my %pol = parseData($prod); + ::rptMsg(""); + ::rptMsg("Note: This plugin applies to Vista and Windows 2008 ONLY."); + ::rptMsg("For a listing of names and values, see:"); + ::rptMsg("http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/install.htm&tx=3,5,6;4"); + ::rptMsg(""); 
+ foreach my $p (sort keys %pol) { + ::rptMsg($p." - ".$pol{$p}); + } + + if (exists $prodinfo{$pol{"Kernel\-ProductInfo"}}) { + ::rptMsg(""); + ::rptMsg("Kernel\-ProductInfo = ".$prodinfo{$pol{"Kernel\-ProductInfo"}}); + } + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub parseHeader { +# Ref: http://www.geoffchappell.com/viewer.htm?doc=studies/windows/km/ntoskrnl/ +# api/ex/slmem/productpolicy.htm&tx=19,21 + my %h; + my @v = unpack("V*",shift); + $h{size} = $v[0]; + $h{array} = $v[1]; + $h{marker} = $v[2]; + $h{version} = $v[4]; + return %h; +} + +sub parseData { + my $pd = shift; + my %policy; + my $h = substr($pd,0,0x14); + my %hdr = parseHeader($h); + my $total_size = $hdr{size}; + my $cursor = 0x14; + + while ($cursor <= $total_size) { + my @vals = unpack("v4V2", substr($pd,$cursor,0x10)); + my $value = substr($pd,$cursor,$vals[0]); + my $name = substr($value,0x10,$vals[1]); + $name =~ s/\00//g; + + my $data = substr($value,0x10 + $vals[1],$vals[3]); + if ($vals[2] == 4) { +# $data = sprintf "0x%x",unpack("V",$data); + $data = unpack("V",$data); + } + elsif ($vals[2] == 1) { + $data =~ s/\00//g; + } + elsif ($vals[2] == 3) { + $data = unpack("H*",$data); + } + else { + + } + $policy{$name} = $data; + $cursor += $vals[0]; + } + delete $policy{""}; + return %policy; +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/producttype.pl b/RecentActivity/release/rr-full/plugins/producttype.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/producttype.pl rename to RecentActivity/release/rr-full/plugins/producttype.pl index 41b39677b6..17885ddd2b --- a/thirdparty/rr/plugins/producttype.pl +++ b/RecentActivity/release/rr-full/plugins/producttype.pl 
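Review bot: In parseData, the `while ($cursor <= $total_size)` loop advances only by `$vals[0]`, a size read from the value data itself, so a truncated or corrupted ProductPolicy value with a zero entry size never advances the cursor and the plugin spins forever, and an oversized entry reads past the end of `$pd`; the loop currently terminates only because the end marker happens to decode as a non-zero size. Adding `last if (!defined $vals[0] || $vals[0] < 0x10 || $cursor + $vals[0] > length($pd));` right after the `unpack` bounds the parse to the data actually present. A one-line comment on `parseHeader` noting that `$v[3]` is skipped on purpose would also help, since the 0x14-byte header holds five dwords and the omission reads like a mistake.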
@@ -1,88 +1,90 @@ -#----------------------------------------------------------- -# producttype.pl -# Determine Windows product information -# -# History -# 20100713 - updated reference info, formatting -# 20100325 - renamed to producttype.pl -# -# References -# http://support.microsoft.com/kb/181412 -# http://support.microsoft.com/kb/152078 -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package producttype; -use strict; -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100325); - -sub getConfig{return %config} -sub getShortDescr { - return "Queries System hive for Windows Product info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching producttype v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $prod_key_path = $ccs."\\Control\\ProductOptions"; - if (my $prod_key = $root_key->get_subkey($prod_key_path)) { - ::rptMsg($prod_key_path); - ::rptMsg("LastWrite = ".gmtime($prod_key->get_timestamp())); - ::rptMsg(""); - ::rptMsg("Ref: http://support.microsoft.com/kb/152078"); - ::rptMsg(" http://support.microsoft.com/kb/181412"); - ::rptMsg(""); - my $type; - eval { - $type = $prod_key->get_value("ProductType")->get_data(); - ::rptMsg("ProductType = ".$type); - ::rptMsg("Ref: http://technet.microsoft.com/en-us/library/cc782360%28WS.10%29.aspx"); - ::rptMsg("WinNT indicates a workstation."); - ::rptMsg("ServerNT indicates a standalone server."); - ::rptMsg("LanmanNT indicates a domain controller (pri/backup)."); - }; 
- ::rptMsg(""); -#----------------------------------------------------------- -# http://technet.microsoft.com/en-us/library/cc784364(WS.10).aspx -# -# http://www.geoffchappell.com/viewer.htm?doc=studies/windows/ -# km/ntoskrnl/api/ex/exinit/productsuite.htm -# -#----------------------------------------------------------- - my $suite; - eval { - $suite = $prod_key->get_value("ProductSuite")->get_data(); - ::rptMsg("ProductSuite = ".$suite); - ::rptMsg("Ref: http://technet.microsoft.com/en-us/library/cc784364%28WS.10%29.aspx"); - }; - } - else { - ::rptMsg($prod_key_path." not found."); - } - } - else { - ::rptMsg("Select key not found."); - } -} +#----------------------------------------------------------- +# producttype.pl +# Determine Windows product information +# +# History +# 20100713 - updated reference info, formatting +# 20100325 - renamed to producttype.pl +# +# References +# http://support.microsoft.com/kb/181412 +# http://support.microsoft.com/kb/152078 +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package producttype; +use strict; +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100325); + +sub getConfig{return %config} +sub getShortDescr { + return "Queries System hive for Windows Product info"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching producttype v.".$VERSION); + ::rptMsg("producttype v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = 
"ControlSet00".$current; + my $prod_key_path = $ccs."\\Control\\ProductOptions"; + if (my $prod_key = $root_key->get_subkey($prod_key_path)) { + ::rptMsg($prod_key_path); + ::rptMsg("LastWrite = ".gmtime($prod_key->get_timestamp())); + ::rptMsg(""); + ::rptMsg("Ref: http://support.microsoft.com/kb/152078"); + ::rptMsg(" http://support.microsoft.com/kb/181412"); + ::rptMsg(""); + my $type; + eval { + $type = $prod_key->get_value("ProductType")->get_data(); + ::rptMsg("ProductType = ".$type); + ::rptMsg("Ref: http://technet.microsoft.com/en-us/library/cc782360%28WS.10%29.aspx"); + ::rptMsg("WinNT indicates a workstation."); + ::rptMsg("ServerNT indicates a standalone server."); + ::rptMsg("LanmanNT indicates a domain controller (pri/backup)."); + }; + ::rptMsg(""); +#----------------------------------------------------------- +# http://technet.microsoft.com/en-us/library/cc784364(WS.10).aspx +# +# http://www.geoffchappell.com/viewer.htm?doc=studies/windows/ +# km/ntoskrnl/api/ex/exinit/productsuite.htm +# +#----------------------------------------------------------- + my $suite; + eval { + $suite = $prod_key->get_value("ProductSuite")->get_data(); + ::rptMsg("ProductSuite = ".$suite); + ::rptMsg("Ref: http://technet.microsoft.com/en-us/library/cc784364%28WS.10%29.aspx"); + }; + } + else { + ::rptMsg($prod_key_path." not found."); + } + } + else { + ::rptMsg("Select key not found."); + } +} 1 \ No newline at end of file diff --git a/thirdparty/rr/plugins/profilelist.pl b/RecentActivity/release/rr-full/plugins/profilelist.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/profilelist.pl rename to RecentActivity/release/rr-full/plugins/profilelist.pl index bfeae8a6e7..89d5e42e0c --- a/thirdparty/rr/plugins/profilelist.pl +++ b/RecentActivity/release/rr-full/plugins/profilelist.pl 
@@ -1,137 +1,139 @@ -#----------------------------------------------------------- -# profilelist.pl -# Gets ProfileList subkeys and ProfileImagePath value; also -# gets the ProfileLoadTimeHigh and Low values, and translates them -# into a readable time -# -# History: -# 20100219 - updated to gather SpecialAccounts and domain -# user info -# 20080415 - created -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package profilelist; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100219); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get content of ProfileList key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - - my %profiles; - - ::logMsg("Launching profilelist v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\ProfileList"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $path; - eval { - $path = $s->get_value("ProfileImagePath")->get_data(); - }; - - ::rptMsg("Path : ".$path); - ::rptMsg("SID : ".$s->get_name()); - ::rptMsg("LastWrite : ".gmtime($s->get_timestamp())." 
(UTC)"); - - my $user; - if ($path) { - my @a = split(/\\/,$path); - my $end = scalar @a - 1; - $user = $a[$end]; - $profiles{$s->get_name()} = $user; - } - - my @load; - eval { - $load[0] = $s->get_value("ProfileLoadTimeLow")->get_data(); - $load[1] = $s->get_value("ProfileLoadTimeHigh")->get_data(); - }; - if (@load) { - my $loadtime = ::getTime($load[0],$load[1]); - ::rptMsg("LoadTime : ".gmtime($loadtime)." (UTC)"); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -# The following was added 20100219 - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - ::rptMsg("Domain Accounts"); - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next unless ($name =~ m/^S\-1/); - - (exists $profiles{$name}) ? (::rptMsg($name." [".$profiles{$name}."]")) - : (::rptMsg($name)); -# ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())); -# ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - -# Domain Cache? - eval { - my @cache = $key->get_subkey("DomainCache")->get_list_of_values(); - if (scalar @cache > 0) { - ::rptMsg(""); - ::rptMsg("DomainCache"); - foreach my $d (@cache) { - my $str = sprintf "%-15s %-20s",$d->get_name(),$d->get_data(); - ::rptMsg($str); - } - } - }; - - - } - else { - ::rptMsg($key_path." 
not found."); - } - - - -} +#----------------------------------------------------------- +# profilelist.pl +# Gets ProfileList subkeys and ProfileImagePath value; also +# gets the ProfileLoadTimeHigh and Low values, and translates them +# into a readable time +# +# History: +# 20100219 - updated to gather SpecialAccounts and domain +# user info +# 20080415 - created +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package profilelist; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100219); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get content of ProfileList key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + + my %profiles; + + ::logMsg("Launching profilelist v.".$VERSION); + ::rptMsg("profilelist v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\ProfileList"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $path; + eval { + $path = $s->get_value("ProfileImagePath")->get_data(); + }; + + ::rptMsg("Path : ".$path); + ::rptMsg("SID : ".$s->get_name()); + ::rptMsg("LastWrite : ".gmtime($s->get_timestamp())." 
(UTC)"); + + my $user; + if ($path) { + my @a = split(/\\/,$path); + my $end = scalar @a - 1; + $user = $a[$end]; + $profiles{$s->get_name()} = $user; + } + + my @load; + eval { + $load[0] = $s->get_value("ProfileLoadTimeLow")->get_data(); + $load[1] = $s->get_value("ProfileLoadTimeHigh")->get_data(); + }; + if (@load) { + my $loadtime = ::getTime($load[0],$load[1]); + ::rptMsg("LoadTime : ".gmtime($loadtime)." (UTC)"); + } + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + +# The following was added 20100219 + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + ::rptMsg("Domain Accounts"); + foreach my $s (@subkeys) { + my $name = $s->get_name(); + next unless ($name =~ m/^S\-1/); + + (exists $profiles{$name}) ? (::rptMsg($name." [".$profiles{$name}."]")) + : (::rptMsg($name)); +# ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())); +# ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + +# Domain Cache? + eval { + my @cache = $key->get_subkey("DomainCache")->get_list_of_values(); + if (scalar @cache > 0) { + ::rptMsg(""); + ::rptMsg("DomainCache"); + foreach my $d (@cache) { + my $str = sprintf "%-15s %-20s",$d->get_name(),$d->get_data(); + ::rptMsg($str); + } + } + }; + + + } + else { + ::rptMsg($key_path." not found."); + } + + + +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/proxysettings.pl b/RecentActivity/release/rr-full/plugins/proxysettings.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/proxysettings.pl rename to RecentActivity/release/rr-full/plugins/proxysettings.pl index d403c487d3..aeb47aa370 --- a/thirdparty/rr/plugins/proxysettings.pl 
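Review bot: `::rptMsg("Path : ".$path);` is reached with `$path` undefined whenever the `eval` around `get_value("ProfileImagePath")` fails, so the report silently shows an empty path and gives the examiner no hint that the value was missing. The same pattern is in the rdphint hunk, where `Domain/Username: ` is printed from a `$path` that the `UsernameHint` eval may never have set. A one-line default after each eval makes the gap visible in the report, e.g. `$path = "(ProfileImagePath value not found)" unless defined $path;`. Note that the hive is an evidence file, so a missing value is itself a finding worth stating rather than blanking.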
+++ b/RecentActivity/release/rr-full/plugins/proxysettings.pl 
@@ -1,70 +1,72 @@ -#----------------------------------------------------------- -# proxysettings.pl -# Plugin for Registry Ripper, -# Internet Explorer ProxySettings key parser -# -# Change history -# 20081224 - H. Carvey, updated sorting and printing routine -# -# -# copyright 2008 C. Bentley -#----------------------------------------------------------- -package proxysettings; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081224); - -sub getConfig{return %config} -sub getShortDescr {return "Gets contents of user's Proxy Settings";} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching proxysettings v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ProxySettings"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %proxy; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - my $type = $v->get_type(); - $data = unpack("V",$data) if ($type == 3); - $proxy{$name} = $data; - } - foreach my $n (sort keys %proxy) { - my $str = sprintf " %-30s %-30s",$n,$proxy{$n}; - ::rptMsg($str); -# ::rptMsg(" ".$v->get_name()." ".$v->get_data()); - } - } - else { - ::rptMsg($key_path." key has no values."); - ::logMsg($key_path." key has no values."); - } - } - else { - ::rptMsg($key_path." hat key not found."); - ::logMsg($key_path." 
hat key not found."); - } -} +#----------------------------------------------------------- +# proxysettings.pl +# Plugin for Registry Ripper, +# Internet Explorer ProxySettings key parser +# +# Change history +# 20081224 - H. Carvey, updated sorting and printing routine +# +# +# copyright 2008 C. Bentley +#----------------------------------------------------------- +package proxysettings; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20081224); + +sub getConfig{return %config} +sub getShortDescr {return "Gets contents of user's Proxy Settings";} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching proxysettings v.".$VERSION); + ::rptMsg("proxysettings v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("ProxySettings"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %proxy; + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); + my $type = $v->get_type(); + $data = unpack("V",$data) if ($type == 3); + $proxy{$name} = $data; + } + foreach my $n (sort keys %proxy) { + my $str = sprintf " %-30s %-30s",$n,$proxy{$n}; + ::rptMsg($str); +# ::rptMsg(" ".$v->get_name()." ".$v->get_data()); + } + } + else { + ::rptMsg($key_path." key has no values."); + ::logMsg($key_path." key has no values."); + } + } + else { + ::rptMsg($key_path." hat key not found."); + ::logMsg($key_path." 
hat key not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/publishingwizard.pl b/RecentActivity/release/rr-full/plugins/publishingwizard.pl new file mode 100755 index 0000000000..6416a11d26 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/publishingwizard.pl 
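Review bot: `$data = unpack("V",$data) if ($type == 3);` reports only the first four bytes of any REG_BINARY value, so a binary value longer than one dword is silently truncated in the proxy settings report and nothing marks that data was dropped. Restricting the integer conversion to four-byte values and hex-dumping the rest preserves the evidence: `$data = (length($data) == 4) ? unpack("V",$data) : unpack("H*",$data) if ($type == 3);`. The two messages `$key_path." hat key not found."` also carry a typo that is now copied into the new file; "key not found" reads correctly.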
@@ -0,0 +1,100 @@ +#----------------------------------------------------------- +# publishingwizard.pl +# Extract Extract AddNetPlace\\LocationMRU +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# copyright (c) 2011-02-02 Brendan Coles +#----------------------------------------------------------- +# Require # +package publishingwizard; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110202); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extract AddNetPlace\\LocationMRU for Microsoft Publishing Wizard"; +} +sub getRefs { + my %refs = ("Microsoft Publishing Wizard Homepage:" => + "http://www.microsoft.com/downloads/details.aspx?FamilyId=56E5B1C5-BF17-42E0-A410-371A838E570A"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + + # Initialize # + ::logMsg("Launching publishingwizard v.".$VERSION); + ::rptMsg("publishingwizard v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PublishingWizard\\AddNetworkPlace\\AddNetPlace\\LocationMRU"; + + # If # Publishing Wizard path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("Publishing Wizard"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + # Extract # all keys from Publishing Wizard registry path # + my %keys; + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for Publishing Wizard registry path # + foreach my $v (@vals) { + $keys{$v->get_name()} = $v->get_data(); + } + + # Return # all key names+values # + foreach (sort keys %keys) { + ::rptMsg($_." -> ".$keys{$_}); + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # Publishing Wizard isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/RecentActivity/release/rr-full/plugins/putty.pl b/RecentActivity/release/rr-full/plugins/putty.pl new file mode 100755 index 0000000000..03fdb714f2 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/putty.pl 
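Review bot: `foreach (sort keys %keys)` emits the LocationMRU values in value-name order, so any recency order the key carries is lost, and if this key holds an MRUList/MRUListEx value as the other MRU keys in this plugin set do (recentdocs unpacks one with `unpack("V*",$data)`), that value is concatenated into the report as raw bytes. Either parse the ordering value the way recentdocs does or at least add a comment above the loop such as `# NOTE: output is sorted by value name, not by MRU order`. The header comment `# Extract Extract AddNetPlace\\LocationMRU` repeats a word and should read `# Extract AddNetPlace\\LocationMRU`.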
@@ -0,0 +1,96 @@ +#----------------------------------------------------------- +# putty.pl +# Extracts the saved SshHostKeys for PuTTY +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# copyright (c) 2011-02-04 Brendan Coles +#----------------------------------------------------------- +# Require # +package putty; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110204); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extracts the saved SshHostKeys for PuTTY."; +} +sub getRefs { + my %refs = ("PuTTY Homepage:" => + "http://www.chiark.greenend.org.uk/~sgtatham/putty/"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + + # Initialize # + ::logMsg("Launching putty v.".$VERSION); + ::rptMsg("putty v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\SimonTatham\\PuTTY\\SshHostKeys"; + + # If # PuTTY path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("PuTTY"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + # Extract # all keys from PuTTY registry path # + my %keys; + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for PuTTY registry path # + foreach my $v (@vals) { + $keys{$v->get_name()} = $v->get_data(); + ::rptMsg($v->get_name()." -> ".$v->get_data()); + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # PuTTY isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/thirdparty/rr/plugins/rdphint.pl b/RecentActivity/release/rr-full/plugins/rdphint.pl old mode 100644 new mode 100755 similarity index 88% rename from thirdparty/rr/plugins/rdphint.pl rename to RecentActivity/release/rr-full/plugins/rdphint.pl index 680165812a..66cbc86351 --- a/thirdparty/rr/plugins/rdphint.pl +++ b/RecentActivity/release/rr-full/plugins/rdphint.pl 
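Review bot: `%keys` is filled inside the value loop (`$keys{$v->get_name()} = $v->get_data();`) but never read, so the hash is dead state that only suggests an ordering step that does not exist. Either drop the assignment or use the hash to sort the output as publishingwizard does with `foreach (sort keys %keys)`, which would make the two plugins consistent. The `get_data()` of each SshHostKeys entry is printed verbatim; a short comment noting that these are host-key records and can be long lines would help whoever reads the report.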
@@ -1,61 +1,63 @@ -#----------------------------------------------------------- -# rdphint.pl - http://www.regripper.net/ -# Gathers servers logged onto via RDP and last successful username -# -# by Brandon Nesbit, Trustwave -#----------------------------------------------------------- -package rdphint; -use strict; - -my %config = (hive => "NTUSER", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090715); - -sub getConfig{return %config} -sub getShortDescr { return "Gets hosts logged onto via RDP and the Domain\\Username";} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching RDPHint v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Terminal Server Client\\Servers"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $path; - eval { - $path = $s->get_value("UsernameHint")->get_data(); - }; - ::rptMsg(""); - ::rptMsg("Hostname: ".$s->get_name()); - ::rptMsg("Domain/Username: ".$path); - ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())." (UTC)"); - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# rdphint.pl - http://www.regripper.net/ +# Gathers servers logged onto via RDP and last successful username +# +# by Brandon Nesbit, Trustwave +#----------------------------------------------------------- +package rdphint; +use strict; + +my %config = (hive => "NTUSER", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090715); + +sub getConfig{return %config} +sub getShortDescr { return "Gets hosts logged onto via RDP and the Domain\\Username";} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching rdphint v.".$VERSION); + ::rptMsg("rdphint v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("Terminal Server Client\\Servers"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $path; + eval { + $path = $s->get_value("UsernameHint")->get_data(); + }; + ::rptMsg(""); + ::rptMsg("Hostname: ".$s->get_name()); + ::rptMsg("Domain/Username: ".$path); + ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())." (UTC)"); + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file 
diff --git a/thirdparty/rr/plugins/rdpport.pl b/RecentActivity/release/rr-full/plugins/rdpport.pl
old mode 100644
new mode 100755
similarity index 89%
rename from thirdparty/rr/plugins/rdpport.pl
rename to RecentActivity/release/rr-full/plugins/rdpport.pl
index 44110d33cb..49425060ba
--- a/thirdparty/rr/plugins/rdpport.pl
+++ b/RecentActivity/release/rr-full/plugins/rdpport.pl
@@ -1,59 +1,61 @@ -#----------------------------------------------------------- -# rdpport.pl -# Determine the RDP Port used -# -# History -# 20100713 - created -# -# References -# http://support.microsoft.com/kb/306759 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package rdpport; -use strict; -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100713); - -sub getConfig{return %config} -sub getShortDescr { - return "Queries System hive for RDP Port"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my $key; - - ::logMsg("Launching rdpport v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $ccs = $root_key->get_subkey("Select")->get_value("Current")->get_data(); - my $key_path = "ControlSet00".$ccs."\\Control\\Terminal Server\\WinStations\\RDP-Tcp"; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("rdpport v.".$VERSION); - ::rptMsg(""); - my $port; - eval { - $port = $key->get_value("PortNumber")->get_data(); - ::rptMsg("Remote Desktop Listening Port Number = ".$port); - }; - ::rptMsg("Error getting PortNumber: ".$@) if ($@); - - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# rdpport.pl +# Determine the RDP Port used +# +# History +# 20100713 - created +# +# References +# http://support.microsoft.com/kb/306759 +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package rdpport; +use strict; +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100713); + +sub getConfig{return %config} +sub getShortDescr { + return "Queries System hive for RDP Port"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my $key; + + ::logMsg("Launching rdpport v.".$VERSION); + ::rptMsg("rdpport v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $ccs = $root_key->get_subkey("Select")->get_value("Current")->get_data(); + my $key_path = "ControlSet00".$ccs."\\Control\\Terminal Server\\WinStations\\RDP-Tcp"; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("rdpport v.".$VERSION); + ::rptMsg(""); + my $port; + eval { + $port = $key->get_value("PortNumber")->get_data(); + ::rptMsg("Remote Desktop Listening Port Number = ".$port); + }; + ::rptMsg("Error getting PortNumber: ".$@) if ($@); + + } + else { + ::rptMsg($key_path." not found."); + } +} 1 \ No newline at end of file diff --git a/thirdparty/rr/plugins/realplayer6.pl b/RecentActivity/release/rr-full/plugins/realplayer6.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/realplayer6.pl rename to RecentActivity/release/rr-full/plugins/realplayer6.pl index 7ea5913a5f..bdf0db0605 --- a/thirdparty/rr/plugins/realplayer6.pl 
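Review bot: `$root_key->get_subkey("Select")->get_value("Current")->get_data()` chains method calls on values that may be undef, so a hive without a Select key (or without a Current value) makes the plugin die instead of reporting, while producttype earlier in this diff guards the same lookup with `if ($key = $root_key->get_subkey($key_path))`. Wrapping the lookup in `eval` and reporting `$@`, as this sub already does for PortNumber, keeps the run going. Separately, `"ControlSet00".$ccs` only forms a valid name for single-digit values of Current; `sprintf("ControlSet%03d",$ccs)` handles all cases.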
+++ b/RecentActivity/release/rr-full/plugins/realplayer6.pl 
@@ -1,79 +1,80 @@ -#----------------------------------------------------------- -# realplayer6.pl -# Plugin for Registry Ripper -# Get Real Player 6 MostRecentClipsx values -# -# Change history -# -# -# References -# -# Note: LastWrite times on c subkeys will all be the same, -# as each subkey is modified as when a new entry is added -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package realplayer6; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's RealPlayer v6 MostRecentClips\(Default) values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching realplayer6 v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("Realplayer6 v.".$VERSION); - - my $key_path = "Software\\RealNetworks\\RealPlayer\\6.0\\Preferences"; - my $key = $root_key->get_subkey($key_path); - if ($key) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my %rpkeys; - my $tag = "MostRecentClips"; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - if ($name =~ m/^$tag/) { - my $num = $name; - $num =~ s/$tag//; - $rpkeys{$num}{name} = $name; - $rpkeys{$num}{data} = $s->get_value('')->get_data(); - $rpkeys{$num}{lastwrite} = $s->get_timestamp(); - } - } - foreach my $k (sort keys %rpkeys) { - ::rptMsg("\t".$rpkeys{$k}{name}." -> ".$rpkeys{$k}{data}); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# realplayer6.pl +# Plugin for Registry Ripper +# Get Real Player 6 MostRecentClipsx values +# +# Change history +# +# +# References +# +# Note: LastWrite times on c subkeys will all be the same, +# as each subkey is modified as when a new entry is added +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package realplayer6; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's RealPlayer v6 MostRecentClips\(Default) values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching realplayer6 v.".$VERSION); + ::rptMsg("realplayer6 v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\RealNetworks\\RealPlayer\\6.0\\Preferences"; + my $key = $root_key->get_subkey($key_path); + if ($key) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my %rpkeys; + my $tag = "MostRecentClips"; + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + if ($name =~ m/^$tag/) { + my $num = $name; + $num =~ s/$tag//; + $rpkeys{$num}{name} = $name; + $rpkeys{$num}{data} = $s->get_value('')->get_data(); + $rpkeys{$num}{lastwrite} = $s->get_timestamp(); + } + } + foreach my $k (sort keys %rpkeys) { + ::rptMsg("\t".$rpkeys{$k}{name}." -> ".$rpkeys{$k}{data}); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." 
has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/realvnc.pl b/RecentActivity/release/rr-full/plugins/realvnc.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/realvnc.pl rename to RecentActivity/release/rr-full/plugins/realvnc.pl index 667766aca4..18a1d2a6ab --- a/thirdparty/rr/plugins/realvnc.pl +++ b/RecentActivity/release/rr-full/plugins/realvnc.pl 
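Review bot: `$rpkeys{$num}{data} = $s->get_value('')->get_data();` calls `get_data` on whatever `get_value('')` returns, so a MostRecentClips subkey without a default value aborts the plugin mid-loop and the entries already collected are never printed. Wrapping that line in `eval { ... };` as profilelist and rdphint do for optional values, with a report line on failure, keeps the partial results. `$rpkeys{$num}{lastwrite}` is collected but never reported; either print it alongside the clip or drop the assignment.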
@@ -1,75 +1,77 @@ -#----------------------------------------------------------- -# realvnc.pl -# Plugin to get RealVNC MRU listings from NTUSER.DAT -# -# Change history -# 20091125 - created -# -# References -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package realvnc; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091125); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's RealVNC MRU listing"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching realvnc v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\RealVNC\\VNCViewer4\\MRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %mru; - my @order; - foreach my $v (@vals) { - $mru{$v->get_name()} = $v->get_data(); - } - - if (exists($mru{Order})) { - @order = unpack("C*",$mru{Order}); -# List systems connected to based on Order MRU value - ::rptMsg("*Systems output in \"Order\" sequence"); - foreach my $i (0..scalar(@order) - 1) { - $order[$i] = "0".$order[$i] if ($order[$i] < 10); - ::rptMsg(" ".$order[$i]." -> ".$mru{$order[$i]}); - } - } - else { - ::rptMsg("Could not find Order value."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# realvnc.pl +# Plugin to get RealVNC MRU listings from NTUSER.DAT +# +# Change history +# 20091125 - created +# +# References +# +# copyright 2009 H. 
Carvey +#----------------------------------------------------------- +package realvnc; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20091125); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's RealVNC MRU listing"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching realvnc v.".$VERSION); + ::rptMsg("realvnc v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\RealVNC\\VNCViewer4\\MRU'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %mru; + my @order; + foreach my $v (@vals) { + $mru{$v->get_name()} = $v->get_data(); + } + + if (exists($mru{Order})) { + @order = unpack("C*",$mru{Order}); +# List systems connected to based on Order MRU value + ::rptMsg("*Systems output in \"Order\" sequence"); + foreach my $i (0..scalar(@order) - 1) { + $order[$i] = "0".$order[$i] if ($order[$i] < 10); + ::rptMsg(" ".$order[$i]." -> ".$mru{$order[$i]}); + } + } + else { + ::rptMsg("Could not find Order value."); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/recentdocs.pl b/RecentActivity/release/rr-full/plugins/recentdocs.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/recentdocs.pl rename to RecentActivity/release/rr-full/plugins/recentdocs.pl index 7850665376..ef44a1766b 
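Review bot: `::rptMsg(" ".$order[$i]." -> ".$mru{$order[$i]});` indexes `%mru` with each byte of the Order value without checking that a value of that name exists, so an Order entry with no matching value produces an undefined entry in the report. A guard such as `$mru{$order[$i]} = "(no value named ".$order[$i].")" unless exists $mru{$order[$i]};` before the print keeps the report explicit. The zero-padding `"0".$order[$i] if ($order[$i] < 10)` assumes the value names are exactly two digits; a comment stating that assumption would help the next reader.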
--- a/thirdparty/rr/plugins/recentdocs.pl
+++ b/RecentActivity/release/rr-full/plugins/recentdocs.pl
@@ -1,161 +1,163 @@ -#----------------------------------------------------------- -# recentdocs.pl -# Plugin for Registry Ripper -# Parses RecentDocs keys/values in NTUSER.DAT -# -# Change history -# 20100405 - Updated to use Encode::decode to translate strings -# 20090115 - Minor update to keep plugin from printing terminating -# MRUListEx value of 0xFFFFFFFF -# 20080418 - Minor update to address NTUSER.DAT files that have -# MRUList values in this key, rather than MRUListEx -# values -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package recentdocs; -use strict; -use Encode; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100405); - -sub getShortDescr { - return "Gets contents of user's RecentDocs key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching recentdocs v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("RecentDocs"); - ::rptMsg("**All values printed in MRUList\\MRUListEx order."); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); -# Get RecentDocs values - my %rdvals = getRDValues($key); - if (%rdvals) { - my $tag; - if (exists $rdvals{"MRUListEx"}) { - $tag = "MRUListEx"; - } - elsif (exists $rdvals{"MRUList"}) { - $tag = "MRUList"; - } - else { - - } - - my @list = split(/,/,$rdvals{$tag}); - foreach my $i (@list) { - ::rptMsg(" ".$i." = ".$rdvals{$i}); - } - ::rptMsg(""); - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg("Error: ".$key_path." 
has no values."); - } -# Get RecentDocs subkeys' values - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); - - my %rdvals = getRDValues($s); - if (%rdvals) { - my $tag; - if (exists $rdvals{"MRUListEx"}) { - $tag = "MRUListEx"; - } - elsif (exists $rdvals{"MRUList"}) { - $tag = "MRUList"; - } - else { - - } - - my @list = split(/,/,$rdvals{$tag}); - ::rptMsg($tag." = ".$rdvals{$tag}); - foreach my $i (@list) { - ::rptMsg(" ".$i." = ".$rdvals{$i}); - } - - ::rptMsg(""); - } - else { - ::rptMsg($key_path." has no values."); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - - -sub getRDValues { - my $key = shift; - - my $mru = "MRUList"; - my %rdvals; - - my @vals = $key->get_list_of_values(); - if (scalar @vals > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - if ($name =~ m/^$mru/) { - my @mru; - if ($name eq "MRUList") { - @mru = split(//,$data); - } - elsif ($name eq "MRUListEx") { - @mru = unpack("V*",$data); - } -# Horrible, ugly cludge; the last, terminating value in MRUListEx -# is 0xFFFFFFFF, so we remove it. 
- pop(@mru); - $rdvals{$name} = join(',',@mru); - } - else { -# New code - $data = decode("ucs-2le", $data); - my $file = (split(/\00/,$data))[0]; -# my $file = (split(/\00\00/,$data))[0]; -# $file =~ s/\00//g; - $rdvals{$name} = $file; - } - } - return %rdvals; - } - else { - return undef; - } -} - +#----------------------------------------------------------- +# recentdocs.pl +# Plugin for Registry Ripper +# Parses RecentDocs keys/values in NTUSER.DAT +# +# Change history +# 20100405 - Updated to use Encode::decode to translate strings +# 20090115 - Minor update to keep plugin from printing terminating +# MRUListEx value of 0xFFFFFFFF +# 20080418 - Minor update to address NTUSER.DAT files that have +# MRUList values in this key, rather than MRUListEx +# values +# +# References +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package recentdocs; +use strict; +use Encode; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100405); + +sub getShortDescr { + return "Gets contents of user's RecentDocs key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching recentdocs v.".$VERSION); + ::rptMsg("recentdocs v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("RecentDocs"); + ::rptMsg("**All values printed in MRUList\\MRUListEx order."); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); +# Get RecentDocs values + my %rdvals = getRDValues($key); + if (%rdvals) { + my $tag; + if (exists $rdvals{"MRUListEx"}) { + $tag = "MRUListEx"; + } + elsif (exists $rdvals{"MRUList"}) { + $tag = "MRUList"; + } + else { + + } + + my @list = split(/,/,$rdvals{$tag}); + foreach my $i (@list) { + ::rptMsg(" ".$i." = ".$rdvals{$i}); + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg("Error: ".$key_path." has no values."); + } +# Get RecentDocs subkeys' values + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($key_path."\\".$s->get_name()); + ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); + + my %rdvals = getRDValues($s); + if (%rdvals) { + my $tag; + if (exists $rdvals{"MRUListEx"}) { + $tag = "MRUListEx"; + } + elsif (exists $rdvals{"MRUList"}) { + $tag = "MRUList"; + } + else { + + } + + my @list = split(/,/,$rdvals{$tag}); + ::rptMsg($tag." = ".$rdvals{$tag}); + foreach my $i (@list) { + ::rptMsg(" ".$i." = ".$rdvals{$i}); + } + + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no values."); + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + + +sub getRDValues { + my $key = shift; + + my $mru = "MRUList"; + my %rdvals; + + my @vals = $key->get_list_of_values(); + if (scalar @vals > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); + if ($name =~ m/^$mru/) { + my @mru; + if ($name eq "MRUList") { + @mru = split(//,$data); + } + elsif ($name eq "MRUListEx") { + @mru = unpack("V*",$data); + } +# Horrible, ugly cludge; the last, terminating value in MRUListEx +# is 0xFFFFFFFF, so we remove it. 
+ pop(@mru); + $rdvals{$name} = join(',',@mru); + } + else { +# New code + $data = decode("ucs-2le", $data); + my $file = (split(/\00/,$data))[0]; +# my $file = (split(/\00\00/,$data))[0]; +# $file =~ s/\00//g; + $rdvals{$name} = $file; + } + } + return %rdvals; + } + else { + return undef; + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/regback.pl b/RecentActivity/release/rr-full/plugins/regback.pl new file mode 100755 index 0000000000..368754b43b --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/regback.pl 
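Review bot: getRDValues ends its no-values branch with `return undef`, but every caller assigns the result to a hash (`my %rdvals = getRDValues($key)`), and in list context `undef` is a one-element list — the hash ends up with a single empty key, `if (%rdvals)` is true, and the `has no values` branches below can never fire. Return an empty list instead, `return ();`, so the hash is genuinely empty. The empty `else { }` after the MRUListEx/MRUList tests also leaves `$tag` undefined, and `split(/,/,$rdvals{$tag})` then runs on an undefined key; report it there, e.g. `::rptMsg("No MRUList/MRUListEx value found.");`, and skip the split when `$tag` is not set.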
@@ -0,0 +1,123 @@ +#----------------------------------------------------------- +# regback.pl +# Plugin to assist to determine if a registry backup was executed and +# provide the key name of the log file which is located at +# Windows/System32/logfiles/Scm/. +# It will then go out and list all tasks scheduled through the +# task scheduler along with the name of each log file associated +# with that task. It will then print out the last written time and date. +# This is for Windows NT systems ONLY (Vista, Win 7, 2008) blog post +# +# Change History: +# 20110427 [mmo] % created +# 20110830 [fpi] + banner, no change to the version number +# +# References +# http://dfsforensics.blogspot.com/2011/03/interesting-regsitry-backup-feature-of.html +# +# Script written by Mark Morgan +#----------------------------------------------------------- +package regback; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100219); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get logfile name of registry backup tasks"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + + ::logMsg("Launching regback v.".$VERSION); + ::rptMsg("regback v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $class = shift; + my $hive = shift; + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\Registry\\RegIdleBackup"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("regidle"); + ::rptMsg($key_path); + ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v 
(@vals) { + ::rptMsg(sprintf "%-12s %-20s",$v->get_name(),$v->get_data()); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } + + my $class = shift; + my $hive = shift; + + my %tasks; + +sub getShortDescr { + return "List all tasks along with logfile name and last written date/time"; +} + + my $root_key = $reg->get_root_key; + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $path; + eval { + $path = $s->get_value("Path")->get_data(); + }; + + ::rptMsg("Path : ".$path); + ::rptMsg("Dynamicinfo : ".$s->get_name()); + ::rptMsg("LastWrite : ".gmtime($s->get_timestamp())." (UTC)"); + + + } + + + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + +} + + + + + + + + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/regtime.pl b/RecentActivity/release/rr-full/plugins/regtime.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/regtime.pl rename to RecentActivity/release/rr-full/plugins/regtime.pl index 03510c46d9..eb2e0d1e05 --- a/thirdparty/rr/plugins/regtime.pl +++ b/RecentActivity/release/rr-full/plugins/regtime.pl 
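Review bot: `getShortDescr` is defined a second time inside pluginmain (the `List all tasks...` version); Perl compiles named subs at file scope, so this second definition silently replaces the first and the banner printed at the top no longer describes what the file header says the plugin does — drop the nested definition. The body also re-declares `$class`, `$hive` and `$root_key` with `my` after they were already shifted and assigned; the second `shift`s return undef, so those lines should go, along with the unused `%tasks`. The trailing `else { ... has no subkeys ... }` is attached to the `if ($key = $root_key->get_subkey($key_path))` test, so a missing TaskCache\Tasks key is reported as "has no subkeys" while the genuinely-empty case prints nothing. Finally `version => 20100219` predates the 20110427 creation date in the change history and `$path` is concatenated unguarded when the `Path` value is absent; `$path = "" unless defined $path;` after the eval avoids the warning.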
@@ -1,65 +1,66 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# regtime.pl -# Plugin for Registry Ripper; traverses through a Registry -# hive file, pulling out keys and their LastWrite times, and -# then listing them in order, sorted by the most recent time -# first - works with any Registry hive file. -# -# Change history -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package regtime; -use strict; - -my %config = (hive => "All", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Dumps entire hive - all keys sorted by LastWrite time"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %regkeys; - -sub pluginmain { - my $class = shift; - my $file = shift; - my $reg = Parse::Win32Registry->new($file); - my $root_key = $reg->get_root_key; - ::logMsg("Launching regtime v.".$VERSION); - - traverse($root_key); - - foreach my $t (reverse sort {$a <=> $b} keys %regkeys) { - foreach my $item (@{$regkeys{$t}}) { - ::rptMsg(gmtime($t)."Z \t".$item); - } - } -} - -sub traverse { - my $key = shift; - my $ts = $key->get_timestamp(); - my $name = $key->as_string(); - $name =~ s/\$\$\$PROTO\.HIV//; - $name = (split(/\[/,$name))[0]; - push(@{$regkeys{$ts}},$name); - foreach my $subkey ($key->get_list_of_subkeys()) { - traverse($subkey); - } -} - +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# regtime.pl +# Plugin for Registry Ripper; traverses through a Registry +# hive file, pulling out keys and their LastWrite times, and +# then listing them in order, sorted by the most recent time +# first - works with any Registry hive file. +# +# Change history +# +# +# copyright 2008 H. 
Carvey +#----------------------------------------------------------- +package regtime; +use strict; + +my %config = (hive => "All", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Dumps entire hive - all keys sorted by LastWrite time"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %regkeys; + +sub pluginmain { + my $class = shift; + my $file = shift; + my $reg = Parse::Win32Registry->new($file); + my $root_key = $reg->get_root_key; + ::logMsg("Launching regtime v.".$VERSION); + ::rptMsg("regtime v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + traverse($root_key); + + foreach my $t (reverse sort {$a <=> $b} keys %regkeys) { + foreach my $item (@{$regkeys{$t}}) { + ::rptMsg(gmtime($t)."Z \t".$item); + } + } +} + +sub traverse { + my $key = shift; + my $ts = $key->get_timestamp(); + my $name = $key->as_string(); + $name =~ s/\$\$\$PROTO\.HIV//; + $name = (split(/\[/,$name))[0]; + push(@{$regkeys{$ts}},$name); + foreach my $subkey ($key->get_list_of_subkeys()) { + traverse($subkey); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/regtime_tln.pl b/RecentActivity/release/rr-full/plugins/regtime_tln.pl old mode 100644 new mode 100755 similarity index 100% rename from thirdparty/rr/plugins/regtime_tln.pl rename to RecentActivity/release/rr-full/plugins/regtime_tln.pl diff --git a/RecentActivity/release/rr-full/plugins/removdev.pl b/RecentActivity/release/rr-full/plugins/removdev.pl new file mode 100755 index 0000000000..0ee26ec281 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/removdev.pl 
@@ -0,0 +1,97 @@ +#----------------------------------------------------------- +# removdev.pl +# Parse Microsoft\Windows Portable Devices\Devices key on Vista +# Get historical information about drive letter assigned to devices +# +# Change history +# 20090118 [hca] * changed the name of the plugin from "removdev" +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# NOTE: Credit for "discovery" goes to Rob Lee +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package removdev; +use strict; + +my %config = (hive => "Software", + osmask => 192, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 200800611); + +sub getConfig{return %config} + +sub getShortDescr { + return "Parses Windows Portable Devices key (Vista)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching removdev v.".$VERSION); + ::rptMsg("removdev v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows Portable Devices\\Devices"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("RemovDev"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + + foreach my $s (@subkeys) { + my $name = $s->get_name(); + my $lastwrite = $s->get_timestamp(); + + my $letter; + eval { + $letter = $s->get_value("FriendlyName")->get_data(); + }; + ::rptMsg($name." 
key error: $@") if ($@); + + my $half; + if (grep(/##/,$name)) { + $half = (split(/##/,$name))[1]; + } + + if (grep(/\?\?/,$name)) { + $half = (split(/\?\?/,$name))[1]; + } + + my ($dev,$sn) = (split(/#/,$half))[1,2]; + + ::rptMsg("Device : ".$dev); + ::rptMsg("LastWrite : ".gmtime($lastwrite)." (UTC)"); + ::rptMsg("SN : ".$sn); + ::rptMsg("Drive : ".$letter); + ::rptMsg(""); + + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/renocide.pl b/RecentActivity/release/rr-full/plugins/renocide.pl old mode 100644 new mode 100755 similarity index 79% rename from thirdparty/rr/plugins/renocide.pl rename to RecentActivity/release/rr-full/plugins/renocide.pl index 5f71f922f9..bda30e7307 --- a/thirdparty/rr/plugins/renocide.pl +++ b/RecentActivity/release/rr-full/plugins/renocide.pl 
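Review bot: `version => 200800611` has nine digits, so the banner prints an impossible YYYYMMDD stamp; presumably `20080611` was intended. In the subkey loop `$half` stays undefined when a name contains neither `##` nor `??`, and `split(/#/,$half)` then warns and yields empty Device and SN fields; add `next unless defined $half;` (or report the raw `$name`) before the split. The `grep(/##/,$name)` calls are a list grep over a single scalar — `$name =~ /##/` says what is meant.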
@@ -1,65 +1,69 @@ -#----------------------------------------------------------- -# renocide.pl -# Plugin to assist in the detection of malware per MMPC -# blog post (References, below) -# -# Change History: -# 20110309 - created -# -# References -# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Renocide -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package renocide; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20110309); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check for Renocide malware"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching renocide v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\DRM\\amty"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("renocide"); - ::rptMsg($key_path); - ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - ::rptMst($key_path." found; possible Win32\\Renocide infection."); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(sprintf "%-12s %-20s",$v->get_name(),$v->get_data()); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# renocide.pl +# Plugin to assist in the detection of malware per MMPC +# blog post (References, below) +# +# Change History: +# 20130425 - added alertMsg() functionality +# 20110309 - created +# +# References +# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Renocide +# +# copyright 2013 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package renocide; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130425); + +sub getConfig{return %config} + +sub getShortDescr { + return "Check for Renocide malware"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching renocide v.".$VERSION); + ::rptMsg("renocide v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\DRM\\amty"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("renocide"); + ::rptMsg($key_path); + ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); + ::rptMsg(""); + ::rptMst($key_path." found; possible Win32\\Renocide infection\."); + ::alertMsg($key_path." found; possible Win32\\Renocide infection\."); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + ::rptMsg(sprintf "%-12s %-20s",$v->get_name(),$v->get_data()); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file 
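Review bot: The detection branch still calls `::rptMst(...)` on the line directly before the newly added `::alertMsg(...)` — no such sub is visible anywhere in these plugins, so unless the host script defines it, the plugin dies with an undefined-subroutine error exactly when `Microsoft\DRM\amty` exists, and the alert this commit adds is never reached. Change that line to `::rptMsg($key_path." found; possible Win32\\Renocide infection.");` or delete it, since alertMsg now carries the message. The `\.` inside both double-quoted strings is an unrecognized escape that only emits a warning and yields `.`; drop the backslash.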
diff --git a/RecentActivity/release/rr-full/plugins/rootkit_revealer.pl b/RecentActivity/release/rr-full/plugins/rootkit_revealer.pl
new file mode 100755
index 0000000000..ee1f0579dd
--- /dev/null
+++ b/RecentActivity/release/rr-full/plugins/rootkit_revealer.pl
@@ -0,0 +1,105 @@ +#----------------------------------------------------------- +# rootkit_revealer.pl +# Extracts the EULA value for Sysinternals Rootkit Revealer +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# copyright (c) 2011-02-04 Brendan Coles +#----------------------------------------------------------- +# Require # +package rootkit_revealer; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110204); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extracts the EULA value for Sysinternals Rootkit Revealer."; +} +sub getRefs { + my %refs = ("Sysinternals Rootkit Revealer Homepage:" => + "http://technet.microsoft.com/en-us/sysinternals/bb897445"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + my @interesting_keys = ( + "EulaAccepted" + ); + + # Initialize # + ::logMsg("Launching rootkit_revealer v.".$VERSION); + ::rptMsg("rootkit_revealer v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\Sysinternals\\RootkitRevealer"; + + # If # Rootkit Revealer path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("Rootkit Revealer"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + # Extract # all keys from Rootkit Revealer registry path # + my %keys; + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for Rootkit Revealer registry path # + foreach my $v (@vals) { + $keys{$v->get_name()} = $v->get_data(); + } + + # Return # all key names+values for interesting keys # + foreach my $var (@interesting_keys) { + if (exists $keys{$var}) { + ::rptMsg($var." -> ".$keys{$var}); + } + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # Rootkit Revealer isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/thirdparty/rr/plugins/routes.pl b/RecentActivity/release/rr-full/plugins/routes.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/routes.pl rename to RecentActivity/release/rr-full/plugins/routes.pl index 823f097b3e..b557740a64 --- a/thirdparty/rr/plugins/routes.pl +++ b/RecentActivity/release/rr-full/plugins/routes.pl 
@@ -1,81 +1,83 @@ -#----------------------------------------------------------- -# routes.pl -# -# Some malware is known to create persistent routes -# -# Change History: -# 20100817 - created -# -# Ref: -# http://support.microsoft.com/kb/141383 -# http://www.symantec.com/security_response/writeup.jsp?docid= -# 2010-041308-3301-99&tabid=2 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package routes; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100817); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get persistent routes"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching routes v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - - my $sb_path = $ccs."\\Services\\Tcpip\\Parameters\\PersistentRoutes"; - - my $sb; - if ($sb = $root_key->get_subkey($sb_path)) { - ::rptMsg($sb_path); - ::rptMsg("LastWrite: ".gmtime($sb->get_timestamp())); - ::rptMsg(""); - my @vals = $sb->get_list_of_values(); - - if (scalar(@vals) > 0) { - ::rptMsg(sprintf "%-15s %-15s %-15s %-5s","Address","Netmask","Gateway","Metric"); - foreach my $v (@vals) { - my ($addr,$netmask,$gateway,$metric) = split(/,/,$v->get_name(),4); - ::rptMsg(sprintf "%-15s %-15s %-15s %-5s",$addr,$netmask,$gateway,$metric); - } - } - else { - ::rptMsg($sb_path." has no values."); - } - } - else { - ::rptMsg($sb_path." not found."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# routes.pl +# +# Some malware is known to create persistent routes +# +# Change History: +# 20100817 - created +# +# Ref: +# http://support.microsoft.com/kb/141383 +# http://www.symantec.com/security_response/writeup.jsp?docid= +# 2010-041308-3301-99&tabid=2 +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package routes; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100817); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get persistent routes"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching routes v.".$VERSION); + ::rptMsg("routes v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + + my $sb_path = $ccs."\\Services\\Tcpip\\Parameters\\PersistentRoutes"; + + my $sb; + if ($sb = $root_key->get_subkey($sb_path)) { + ::rptMsg($sb_path); + ::rptMsg("LastWrite: ".gmtime($sb->get_timestamp())); + ::rptMsg(""); + my @vals = $sb->get_list_of_values(); + + if (scalar(@vals) > 0) { + ::rptMsg(sprintf "%-15s %-15s %-15s %-5s","Address","Netmask","Gateway","Metric"); + foreach my $v (@vals) { + my ($addr,$netmask,$gateway,$metric) = split(/,/,$v->get_name(),4); + ::rptMsg(sprintf "%-15s %-15s %-15s %-5s",$addr,$netmask,$gateway,$metric); + } + } + else { + ::rptMsg($sb_path." 
has no values."); + } + } + else { + ::rptMsg($sb_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/runmru.pl b/RecentActivity/release/rr-full/plugins/runmru.pl old mode 100644 new mode 100755 similarity index 89% rename from thirdparty/rr/plugins/runmru.pl rename to RecentActivity/release/rr-full/plugins/runmru.pl index f18a9ec434..f321cd91c8 --- a/thirdparty/rr/plugins/runmru.pl +++ b/RecentActivity/release/rr-full/plugins/runmru.pl 
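Review bot: `my $ccs = "ControlSet00".$current;` only builds the right key name for single-digit `Current` values; use `my $ccs = sprintf("ControlSet%03d",$current);`, which matches how the hive names the key for any value. `$key->get_value("Current")->get_data()` is also called with no check that the value exists, so a hive with a `Select` key but no `Current` value dies inside the plugin instead of being reported; fetch the value first and `::rptMsg("Select\\Current not found.")` when it is undefined.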
@@ -1,72 +1,74 @@ -#----------------------------------------------------------- -# runmru.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# RunMru values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package runmru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's RunMRU key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching runmru v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("RunMru"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - my %runvals; - my $mru; - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - $runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i); - $mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i); - } - ::rptMsg("MRUList = ".$mru); - foreach my $r (sort keys %runvals) { - ::rptMsg($r." ".$runvals{$r}); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# runmru.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# RunMru values +# +# Change history +# 20080324 - created +# +# References +# +# +# copyright 2008 H. 
Carvey +#----------------------------------------------------------- +package runmru; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's RunMRU key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching runmru v.".$VERSION); + ::rptMsg("runmru v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("RunMru"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + my %runvals; + my $mru; + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + $runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i); + $mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i); + } + ::rptMsg("MRUList = ".$mru); + foreach my $r (sort keys %runvals) { + ::rptMsg($r." ".$runvals{$r}); + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/arunmru.pl b/RecentActivity/release/rr-full/plugins/runmru_tln.pl old mode 100644 new mode 100755 similarity index 54% rename from thirdparty/rr/plugins/arunmru.pl rename to RecentActivity/release/rr-full/plugins/runmru_tln.pl index 7370685b45..f4f1024376 --- a/thirdparty/rr/plugins/arunmru.pl 
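Review bot: The values are printed with `sort keys %runvals`, i.e. alphabetically by value name, while the `MRUList` string printed just above encodes the actual most-recent-first order, so the analyst has to re-sort by hand. Walk the MRUList instead: `foreach my $r (split(//,$mru)) { ::rptMsg($r." ".$runvals{$r}) if exists $runvals{$r}; }`, printing any leftover names afterwards. `$mru` is also undefined, and the concatenation warns, when the key has values but no MRUList value; `$mru = "" unless defined $mru;` before the print avoids that.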
+++ b/RecentActivity/release/rr-full/plugins/runmru_tln.pl 
@@ -1,77 +1,72 @@ -#----------------------------------------------------------- -# runmru.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# RunMru values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package arunmru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's RunMRU key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - #::logMsg("autospyrunmru"); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - #::rptMsg("RunMru"); - #::rptMsg($key_path); - - my @vals = $key->get_list_of_values(); - ::rptMsg(""); - ::rptMsg(""); - ::rptMsg(""); - my %runvals; - my $mru; - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - $runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i); - $mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i); - } - ::rptMsg("".$mru.""); - foreach my $r (sort keys %runvals) { - ::rptMsg("".$r." ".$runvals{$r}.""); - } - } - else { - #::rptMsg($key_path." has no values."); - #::logMsg($key_path." has no values."); - } - ::rptMsg(""); - } - else { - #::rptMsg($key_path." not found."); - #::logMsg($key_path." 
not found."); - } - ::rptMsg(""); -} - +#----------------------------------------------------------- +# runmru_tln.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# RunMru values +# +# Change history +# 20120828 - updated to TLN format +# 20080324 - created +# +# References +# +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey +#----------------------------------------------------------- +package runmru_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120828); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's RunMRU key (TLN)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching runmru v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("RunMru"); +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my $lw = $key->get_timestamp(); + my @vals = $key->get_list_of_values(); + my %runvals; + my $mru; + if (scalar(@vals) > 0) { + my $mru; + eval { + my $m = $key->get_value("MRUList")->get_data(); + my $r = (split(//,$m))[0]; + $mru = $key->get_value($r)->get_data(); + ::rptMsg($lw."|REG|||RunMRU: ".$mru); + }; + } + else { +# ::rptMsg($key_path." has no values."); + } + } + else { +# ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file 
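Review bot: The `eval` around the MRUList lookup in `pluginmain` discards `$@`, so a missing `MRUList` value, an MRU letter with no matching value, or an empty list all produce neither a timeline line nor a log entry, which in a forensic tool is indistinguishable from "key present, nothing to report"; add `::logMsg($key_path.": MRUList not parsed: ".$@) if ($@);` directly after the `eval` block. The TLN record is built as `$lw."|REG|||RunMRU: ".$mru` with the user-typed command inserted unescaped, so a command containing `|` or a newline would shift the pipe-delimited fields — replacing those characters before output keeps the record parseable by TLN consumers. The inner `my $mru` shadows the outer declaration and `%runvals` is no longer read; dropping both avoids a "masks earlier declaration" warning.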
diff --git a/thirdparty/rr/plugins/safeboot.pl b/RecentActivity/release/rr-full/plugins/safeboot.pl
old mode 100644
new mode 100755
similarity index 92%
rename from thirdparty/rr/plugins/safeboot.pl
rename to RecentActivity/release/rr-full/plugins/safeboot.pl
index 66ee850137..7a56f548d1
--- a/thirdparty/rr/plugins/safeboot.pl
+++ b/RecentActivity/release/rr-full/plugins/safeboot.pl
@@ -1,104 +1,106 @@ -#----------------------------------------------------------- -# safeboot.pl -# -# Some malware is known to maintain persistence, even when the system -# is booted to SafeMode by writing entries to the SafeBoot subkeys -# ex: http://www.symantec.com/security_response/writeup.jsp? -# docid=2008-011507-0108-99&tabid=2 -# -# Ref: -# http://support.microsoft.com/kb/315222 -# http://support.microsoft.com/kb/202485/ -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package safeboot; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081216); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check SafeBoot entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching safeboot v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - - my $sb_path = $ccs."\\Control\\SafeBoot"; - my $sb; - if ($sb = $root_key->get_subkey($sb_path)) { - - my @sks = $sb->get_list_of_subkeys(); - - if (scalar(@sks) > 0) { - - foreach my $s (@sks) { - my $name = $s->get_name(); - my $ts = $s->get_timestamp(); - ::rptMsg($name." [".gmtime($ts)." Z]"); - my %sk; - my @subkeys = $s->get_list_of_subkeys(); - - if (scalar(@subkeys) > 0) { - foreach my $s2 (@subkeys) { - my $str; - my $default; - eval { - $default = $s2->get_value("")->get_data(); - }; - ($@)?($str = $s2->get_name()):($str = $s2->get_name()." 
(".$default.")"); - push(@{$sk{$s2->get_timestamp()}},$str); - } - - foreach my $t (sort keys %sk) { - ::rptMsg(gmtime($t)." Z"); - foreach my $i (@{$sk{$t}}) { - ::rptMsg(" ".$i); - } - } - ::rptMsg(""); - } - else { - ::rptMsg($name." has no subkeys."); - } - } - } - else { - ::rptMsg($sb_path." has no subkeys."); - } - } - else { - ::rptMsg($sb_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); -# ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# safeboot.pl +# +# Some malware is known to maintain persistence, even when the system +# is booted to SafeMode by writing entries to the SafeBoot subkeys +# ex: http://www.symantec.com/security_response/writeup.jsp? +# docid=2008-011507-0108-99&tabid=2 +# +# Ref: +# http://support.microsoft.com/kb/315222 +# http://support.microsoft.com/kb/202485/ +# +# copyright 2008-2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package safeboot; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20081216); + +sub getConfig{return %config} + +sub getShortDescr { + return "Check SafeBoot entries"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching safeboot v.".$VERSION); + ::rptMsg("safeboot v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + + my $sb_path = $ccs."\\Control\\SafeBoot"; + my $sb; 
+ if ($sb = $root_key->get_subkey($sb_path)) { + + my @sks = $sb->get_list_of_subkeys(); + + if (scalar(@sks) > 0) { + + foreach my $s (@sks) { + my $name = $s->get_name(); + my $ts = $s->get_timestamp(); + ::rptMsg($name." [".gmtime($ts)." Z]"); + my %sk; + my @subkeys = $s->get_list_of_subkeys(); + + if (scalar(@subkeys) > 0) { + foreach my $s2 (@subkeys) { + my $str; + my $default; + eval { + $default = $s2->get_value("")->get_data(); + }; + ($@)?($str = $s2->get_name()):($str = $s2->get_name()." (".$default.")"); + push(@{$sk{$s2->get_timestamp()}},$str); + } + + foreach my $t (sort keys %sk) { + ::rptMsg(gmtime($t)." Z"); + foreach my $i (@{$sk{$t}}) { + ::rptMsg(" ".$i); + } + } + ::rptMsg(""); + } + else { + ::rptMsg($name." has no subkeys."); + } + } + } + else { + ::rptMsg($sb_path." has no subkeys."); + } + } + else { + ::rptMsg($sb_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); +# ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/sam b/RecentActivity/release/rr-full/plugins/sam new file mode 100755 index 0000000000..5a42c8bbb4 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/sam @@ -0,0 +1,2 @@ +# 20120528 *ALL* Plugins that apply on SAM hive, alphabetical order +samparse \ No newline at end of file diff --git a/thirdparty/rr/plugins/samparse.pl b/RecentActivity/release/rr-full/plugins/samparse.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/samparse.pl rename to RecentActivity/release/rr-full/plugins/samparse.pl index 001857728e..a47766e822 --- a/thirdparty/rr/plugins/samparse.pl +++ b/RecentActivity/release/rr-full/plugins/samparse.pl 
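Review bot: `$key->get_value("Current")->get_data()` in the `Select` branch of `pluginmain` is the one value lookup in this plugin not guarded by `eval`, so a System hive whose `Select` key lacks a `Current` value aborts the plugin with a method-call-on-undef error instead of reporting it; guard it with `$current = eval { $key->get_value("Current")->get_data() };` followed by `unless (defined $current) { ::rptMsg($key_path."\\Current not found."); return; }`. Building the control set name as `"ControlSet00".$current` also assumes a single-digit value; `sprintf("ControlSet%03d", $current)` matches the key naming the concatenation is imitating. The added banner lines are consistent with the other plugins in this commit.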
@@ -1,323 +1,330 @@ -#----------------------------------------------------------- -# samparse.pl -# Parse the SAM hive file for user/group membership info -# -# Change history: -# 20110303 - Fixed parsing of SID, added check for account type -# Acct type determined based on Dustin Hulburt's "Forensic -# Determination of a User's Logon Status in Windows" -# from 10 Aug 2009 (link below) -# 20100712 - Added References entry -# 20091020 - Added extracting UserPasswordHint value -# 20090413 - Added account creation date -# 20080415 - created -# -# References -# Source available here: http://pogostick.net/~pnh/ntpasswd/ -# http://accessdata.com/downloads/media/Forensic_Determination_Users_Logon_Status.pdf -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package samparse; -use strict; - -my %config = (hive => "SAM", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20110303); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parse SAM file for user/group mbrshp info"; -} -sub getDescr{} -sub getRefs { - my %refs = ("Well-known SIDs" => "http://support.microsoft.com/kb/243330"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %acb_flags = (0x0001 => "Account Disabled", - 0x0002 => "Home directory required", - 0x0004 => "Password not required", - 0x0008 => "Temporary duplicate account", - 0x0010 => "Normal user account", - 0x0020 => "MNS logon user account", - 0x0040 => "Interdomain trust account", - 0x0080 => "Workstation trust account", - 0x0100 => "Server trust account", - 0x0200 => "Password does not expire", - 0x0400 => "Account auto locked"); - -my %types = (0xbc => "Default Admin User", - 0xd4 => "Custom Limited Acct", - 0xb0 => "Default Guest Acct"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching samparse v.".$VERSION); - my 
$reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - ::rptMsg(""); -# Get user information - ::rptMsg("User Information"); - ::rptMsg("-" x 25); - my $key_path = 'SAM\\Domains\\Account\\Users'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @user_list = $key->get_list_of_subkeys(); - if (scalar(@user_list) > 0) { - foreach my $u (@user_list) { - my $rid = $u->get_name(); - my $ts = $u->get_timestamp(); - my $tag = "0000"; - if ($rid =~ m/^$tag/) { - my $v_value = $u->get_value("V"); - my $v = $v_value->get_data(); - my %v_val = parseV($v); - $rid =~ s/^0000//; - $rid = hex($rid); - - my $c_date; - eval { - my $create_path = $key_path."\\Names\\".$v_val{name}; - if (my $create = $root_key->get_subkey($create_path)) { - $c_date = $create->get_timestamp(); - } - }; - - ::rptMsg("Username : ".$v_val{name}." [".$rid."]"); - ::rptMsg("Full Name : ".$v_val{fullname}); - ::rptMsg("User Comment : ".$v_val{comment}); - ::rptMsg("Account Type : ".$v_val{type}); - ::rptMsg("Account Created : ".gmtime($c_date)." Z") if ($c_date > 0); - - my $f_value = $u->get_value("F"); - my $f = $f_value->get_data(); - my %f_val = parseF($f); - - my $lastlogin; - my $pwdreset; - my $pwdfail; - ($f_val{last_login_date} == 0) ? ($lastlogin = "Never") : ($lastlogin = gmtime($f_val{last_login_date})." Z"); - ($f_val{pwd_reset_date} == 0) ? ($pwdreset = "Never") : ($pwdreset = gmtime($f_val{pwd_reset_date})." Z"); - ($f_val{pwd_fail_date} == 0) ? ($pwdfail = "Never") : ($pwdfail = gmtime($f_val{pwd_fail_date})." 
Z"); - - my $pw_hint; - eval { - $pw_hint = $u->get_value("UserPasswordHint")->get_data(); - $pw_hint =~ s/\00//g; - }; - ::rptMsg("Password Hint : ".$pw_hint) unless ($@); - ::rptMsg("Last Login Date : ".$lastlogin); - ::rptMsg("Pwd Reset Date : ".$pwdreset); - ::rptMsg("Pwd Fail Date : ".$pwdfail); - ::rptMsg("Login Count : ".$f_val{login_count}); - foreach my $flag (keys %acb_flags) { - ::rptMsg(" --> ".$acb_flags{$flag}) if ($f_val{acb_flags} & $flag); - } - ::rptMsg(""); - } - } - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - ::rptMsg("-" x 25); - ::rptMsg("Group Membership Information"); - ::rptMsg("-" x 25); -# Get Group membership information - my $key_path = 'SAM\\Domains\\Builtin\\Aliases'; - if ($key = $root_key->get_subkey($key_path)) { - my %grps; - my @groups = $key->get_list_of_subkeys(); - if (scalar(@groups) > 0) { - foreach my $k (@groups) { - my $name = $k->get_name(); - if ($name =~ m/^0000/) { - $grps{$name}{LastWrite} = $k->get_timestamp(); - $grps{$name}{C_value} = $k->get_value("C")->get_data(); - } - } - - foreach my $k (keys %grps) { - my $name = $k; - $name =~ s/^0000//; - my %c_val = parseC($grps{$k}{C_value}); - ::rptMsg("Group Name : ".$c_val{group_name}." [".$c_val{num_users}."]"); - ::rptMsg("LastWrite : ".gmtime($grps{$k}{LastWrite})." 
Z"); - ::rptMsg("Group Comment : ".$c_val{comment}); - if ($c_val{num_users} == 0) { - ::rptMsg("Users : None"); - }else { - my %users = parseCUsers($grps{$k}{C_value}); - if (scalar(keys %users) != $c_val{num_users}) { - ::logMsg("parseC function reports ".$c_val{num_users}."; parseCUsers function returned ".(scalar(keys %users))); - } - ::rptMsg("Users :"); - foreach my $u (keys %users) { - ::rptMsg(" ".$u); - } - - } - ::rptMsg(""); - } - ::rptMsg("Analysis Tips:"); - ::rptMsg(" - For well-known SIDs, see http://support.microsoft.com/kb/243330"); - ::rptMsg(" - S-1-5-4 = Interactive"); - ::rptMsg(" - S-1-5-11 = Authenticated Users"); - ::rptMsg(" - Correlate the user SIDs to the output of the ProfileList plugin"); - ::rptMsg(""); - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -sub parseF { - my $f = shift; - my %f_value = (); - my @tv; -# last login date - @tv = unpack("VV",substr($f,8,8)); - $f_value{last_login_date} = ::getTime($tv[0],$tv[1]); -# password reset/acct creation - @tv = unpack("VV",substr($f,24,8)); - $f_value{pwd_reset_date} = ::getTime($tv[0],$tv[1]); -# Account expires - @tv = unpack("VV",substr($f,32,8)); - $f_value{acct_exp_date} = ::getTime($tv[0],$tv[1]); -# Incorrect password - @tv = unpack("VV",substr($f,40,8)); - $f_value{pwd_fail_date} = ::getTime($tv[0],$tv[1]); - $f_value{rid} = unpack("V",substr($f,48,4)); - $f_value{acb_flags} = unpack("v",substr($f,56,2)); - $f_value{failed_count} = unpack("v",substr($f,64,2)); - $f_value{login_count} = unpack("v",substr($f,66,2)); - return %f_value; -} - -sub parseV { - my $v = shift; - my %v_val = (); - my $header = substr($v,0,44); - my @vals = unpack("V*",$header); - $v_val{type} = $types{$vals[1]}; - $v_val{name} = _uniToAscii(substr($v,($vals[3] + 0xCC),$vals[4])); - $v_val{fullname} = _uniToAscii(substr($v,($vals[6] + 0xCC),$vals[7])) if 
($vals[7] > 0); - $v_val{comment} = _uniToAscii(substr($v,($vals[9] + 0xCC),$vals[10])) if ($vals[10] > 0); - return %v_val; -} - -sub parseC { - my $cv = $_[0]; - my %c_val = (); - my $header = substr($cv,0,0x34); - my @vals = unpack("V*",$header); - - $c_val{group_name} = _uniToAscii(substr($cv,(0x34 + $vals[4]),$vals[5])); - $c_val{comment} = _uniToAscii(substr($cv,(0x34 + $vals[7]),$vals[8])); - $c_val{num_users} = $vals[12]; - - return %c_val; -} - -sub parseCUsers { - my $cv = $_[0]; - my %members = (); - my $header = substr($cv,0,0x34); - my @vals = unpack("V*",$header); - - my $num = $vals[12]; - - my @users = (); - my $ofs; - if ($num > 0) { - my $count = 0; - foreach my $c (1..$num) { - my $ofs = $vals[10] + 52 + $count; - my $tmp = unpack("V",substr($cv,$ofs,4)); - - if ($tmp == 0x101) { - $ofs++ if (unpack("C",substr($cv,$ofs,1)) == 0); - $members{_translateSID(substr($cv,$ofs,12))} = 1; - $count += 12; - } - elsif ($tmp == 0x501) { - $members{_translateSID(substr($cv,$ofs,28))} = 1; - $count += 28; - } - else { - - } - } - } - return %members; -} - -#--------------------------------------------------------------------- -# _translateSID() -# Translate binary data into a SID -# References: -# http://blogs.msdn.com/oldnewthing/archive/2004/03/15/89753.aspx -# http://support.microsoft.com/kb/286182/ -# http://support.microsoft.com/kb/243330 -#--------------------------------------------------------------------- -sub _translateSID { - my $sid = $_[0]; - my $len = length($sid); - my $revision; - my $dashes; - my $idauth; - if ($len < 12) { -# Is a SID ever less than 12 bytes? 
- return "SID less than 12 bytes"; - } - elsif ($len == 12) { - $revision = unpack("C",substr($sid,0,1)); - $dashes = unpack("C",substr($sid,1,1)); - $idauth = unpack("H*",substr($sid,2,6)); - $idauth =~ s/^0+//g; - my $sub = unpack("V",substr($sid,8,4)); - return "S-".$revision."-".$idauth."-".$sub; - } - elsif ($len > 12) { - $revision = unpack("C",substr($sid,0,1)); - $dashes = unpack("C",substr($sid,1,1)); - $idauth = unpack("H*",substr($sid,2,6)); - $idauth =~ s/^0+//g; - my @sub = unpack("V4",substr($sid,8,16)); - my $rid = unpack("V",substr($sid,24,4)); - my $s = join('-',@sub); - return "S-".$revision."-".$idauth."-".$s."-".$rid; - } - else { -# Nothing to do - } -} - -#--------------------------------------------------------------------- -# _uniToAscii() -#--------------------------------------------------------------------- -sub _uniToAscii { - my $str = $_[0]; - $str =~ s/\00//g; - return $str; -} - +#----------------------------------------------------------- +# samparse.pl +# Parse the SAM hive file for user/group membership info +# +# Change history: +# 20120722 - updated %config hash +# 20110303 - Fixed parsing of SID, added check for account type +# Acct type determined based on Dustin Hulburt's "Forensic +# Determination of a User's Logon Status in Windows" +# from 10 Aug 2009 (link below) +# 20100712 - Added References entry +# 20091020 - Added extracting UserPasswordHint value +# 20090413 - Added account creation date +# 20080415 - created +# +# References +# Source available here: http://pogostick.net/~pnh/ntpasswd/ +# http://accessdata.com/downloads/media/Forensic_Determination_Users_Logon_Status.pdf +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package samparse; +use strict; + +my %config = (hive => "SAM", + hivemask => 2, + output => "report", + category => "", + osmask => 63, #XP - Win8 + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20120722); + +sub getConfig{return %config} + +sub getShortDescr { + return "Parse SAM file for user & group mbrshp info"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Well-known SIDs" => "http://support.microsoft.com/kb/243330"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %acb_flags = (0x0001 => "Account Disabled", + 0x0002 => "Home directory required", + 0x0004 => "Password not required", + 0x0008 => "Temporary duplicate account", + 0x0010 => "Normal user account", + 0x0020 => "MNS logon user account", + 0x0040 => "Interdomain trust account", + 0x0080 => "Workstation trust account", + 0x0100 => "Server trust account", + 0x0200 => "Password does not expire", + 0x0400 => "Account auto locked"); + +my %types = (0xbc => "Default Admin User", + 0xd4 => "Custom Limited Acct", + 0xb0 => "Default Guest Acct"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching samparse v.".$VERSION); + ::rptMsg("samparse v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + ::rptMsg(""); +# Get user information + ::rptMsg("User Information"); + ::rptMsg("-" x 25); + my $key_path = 'SAM\\Domains\\Account\\Users'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @user_list = $key->get_list_of_subkeys(); + if (scalar(@user_list) > 0) { + foreach my $u (@user_list) { + my $rid = $u->get_name(); + my $ts = $u->get_timestamp(); + my $tag = "0000"; + if ($rid =~ m/^$tag/) { + my $v_value = $u->get_value("V"); + my $v = 
$v_value->get_data(); + my %v_val = parseV($v); + $rid =~ s/^0000//; + $rid = hex($rid); + + my $c_date; + eval { + my $create_path = $key_path."\\Names\\".$v_val{name}; + if (my $create = $root_key->get_subkey($create_path)) { + $c_date = $create->get_timestamp(); + } + }; + + ::rptMsg("Username : ".$v_val{name}." [".$rid."]"); + ::rptMsg("Full Name : ".$v_val{fullname}); + ::rptMsg("User Comment : ".$v_val{comment}); + ::rptMsg("Account Type : ".$v_val{type}); + ::rptMsg("Account Created : ".gmtime($c_date)." Z") if ($c_date > 0); + + my $f_value = $u->get_value("F"); + my $f = $f_value->get_data(); + my %f_val = parseF($f); + + my $lastlogin; + my $pwdreset; + my $pwdfail; + ($f_val{last_login_date} == 0) ? ($lastlogin = "Never") : ($lastlogin = gmtime($f_val{last_login_date})." Z"); + ($f_val{pwd_reset_date} == 0) ? ($pwdreset = "Never") : ($pwdreset = gmtime($f_val{pwd_reset_date})." Z"); + ($f_val{pwd_fail_date} == 0) ? ($pwdfail = "Never") : ($pwdfail = gmtime($f_val{pwd_fail_date})." Z"); + + my $pw_hint; + eval { + $pw_hint = $u->get_value("UserPasswordHint")->get_data(); + $pw_hint =~ s/\00//g; + }; + ::rptMsg("Password Hint : ".$pw_hint) unless ($@); + ::rptMsg("Last Login Date : ".$lastlogin); + ::rptMsg("Pwd Reset Date : ".$pwdreset); + ::rptMsg("Pwd Fail Date : ".$pwdfail); + ::rptMsg("Login Count : ".$f_val{login_count}); + foreach my $flag (keys %acb_flags) { + ::rptMsg(" --> ".$acb_flags{$flag}) if ($f_val{acb_flags} & $flag); + } + ::rptMsg(""); + } + } + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." 
not found."); + } + ::rptMsg("-" x 25); + ::rptMsg("Group Membership Information"); + ::rptMsg("-" x 25); +# Get Group membership information + my $key_path = 'SAM\\Domains\\Builtin\\Aliases'; + if ($key = $root_key->get_subkey($key_path)) { + my %grps; + my @groups = $key->get_list_of_subkeys(); + if (scalar(@groups) > 0) { + foreach my $k (@groups) { + my $name = $k->get_name(); + if ($name =~ m/^0000/) { + $grps{$name}{LastWrite} = $k->get_timestamp(); + $grps{$name}{C_value} = $k->get_value("C")->get_data(); + } + } + + foreach my $k (keys %grps) { + my $name = $k; + $name =~ s/^0000//; + my %c_val = parseC($grps{$k}{C_value}); + ::rptMsg("Group Name : ".$c_val{group_name}." [".$c_val{num_users}."]"); + ::rptMsg("LastWrite : ".gmtime($grps{$k}{LastWrite})." Z"); + ::rptMsg("Group Comment : ".$c_val{comment}); + if ($c_val{num_users} == 0) { + ::rptMsg("Users : None"); + }else { + my %users = parseCUsers($grps{$k}{C_value}); + if (scalar(keys %users) != $c_val{num_users}) { + ::logMsg("parseC function reports ".$c_val{num_users}."; parseCUsers function returned ".(scalar(keys %users))); + } + ::rptMsg("Users :"); + foreach my $u (keys %users) { + ::rptMsg(" ".$u); + } + + } + ::rptMsg(""); + } + ::rptMsg("Analysis Tips:"); + ::rptMsg(" - For well-known SIDs, see http://support.microsoft.com/kb/243330"); + ::rptMsg(" - S-1-5-4 = Interactive"); + ::rptMsg(" - S-1-5-11 = Authenticated Users"); + ::rptMsg(" - Correlate the user SIDs to the output of the ProfileList plugin"); + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." 
not found."); + } +} + +sub parseF { + my $f = shift; + my %f_value = (); + my @tv; +# last login date + @tv = unpack("VV",substr($f,8,8)); + $f_value{last_login_date} = ::getTime($tv[0],$tv[1]); +# password reset/acct creation + @tv = unpack("VV",substr($f,24,8)); + $f_value{pwd_reset_date} = ::getTime($tv[0],$tv[1]); +# Account expires + @tv = unpack("VV",substr($f,32,8)); + $f_value{acct_exp_date} = ::getTime($tv[0],$tv[1]); +# Incorrect password + @tv = unpack("VV",substr($f,40,8)); + $f_value{pwd_fail_date} = ::getTime($tv[0],$tv[1]); + $f_value{rid} = unpack("V",substr($f,48,4)); + $f_value{acb_flags} = unpack("v",substr($f,56,2)); + $f_value{failed_count} = unpack("v",substr($f,64,2)); + $f_value{login_count} = unpack("v",substr($f,66,2)); + return %f_value; +} + +sub parseV { + my $v = shift; + my %v_val = (); + my $header = substr($v,0,44); + my @vals = unpack("V*",$header); + $v_val{type} = $types{$vals[1]}; + $v_val{name} = _uniToAscii(substr($v,($vals[3] + 0xCC),$vals[4])); + $v_val{fullname} = _uniToAscii(substr($v,($vals[6] + 0xCC),$vals[7])) if ($vals[7] > 0); + $v_val{comment} = _uniToAscii(substr($v,($vals[9] + 0xCC),$vals[10])) if ($vals[10] > 0); + return %v_val; +} + +sub parseC { + my $cv = $_[0]; + my %c_val = (); + my $header = substr($cv,0,0x34); + my @vals = unpack("V*",$header); + + $c_val{group_name} = _uniToAscii(substr($cv,(0x34 + $vals[4]),$vals[5])); + $c_val{comment} = _uniToAscii(substr($cv,(0x34 + $vals[7]),$vals[8])); + $c_val{num_users} = $vals[12]; + + return %c_val; +} + +sub parseCUsers { + my $cv = $_[0]; + my %members = (); + my $header = substr($cv,0,0x34); + my @vals = unpack("V*",$header); + + my $num = $vals[12]; + + my @users = (); + my $ofs; + if ($num > 0) { + my $count = 0; + foreach my $c (1..$num) { + my $ofs = $vals[10] + 52 + $count; + my $tmp = unpack("V",substr($cv,$ofs,4)); + + if ($tmp == 0x101) { + $ofs++ if (unpack("C",substr($cv,$ofs,1)) == 0); + $members{_translateSID(substr($cv,$ofs,12))} = 1; + $count 
+= 12; + } + elsif ($tmp == 0x501) { + $members{_translateSID(substr($cv,$ofs,28))} = 1; + $count += 28; + } + else { + + } + } + } + return %members; +} + +#--------------------------------------------------------------------- +# _translateSID() +# Translate binary data into a SID +# References: +# http://blogs.msdn.com/oldnewthing/archive/2004/03/15/89753.aspx +# http://support.microsoft.com/kb/286182/ +# http://support.microsoft.com/kb/243330 +#--------------------------------------------------------------------- +sub _translateSID { + my $sid = $_[0]; + my $len = length($sid); + my $revision; + my $dashes; + my $idauth; + if ($len < 12) { +# Is a SID ever less than 12 bytes? + return "SID less than 12 bytes"; + } + elsif ($len == 12) { + $revision = unpack("C",substr($sid,0,1)); + $dashes = unpack("C",substr($sid,1,1)); + $idauth = unpack("H*",substr($sid,2,6)); + $idauth =~ s/^0+//g; + my $sub = unpack("V",substr($sid,8,4)); + return "S-".$revision."-".$idauth."-".$sub; + } + elsif ($len > 12) { + $revision = unpack("C",substr($sid,0,1)); + $dashes = unpack("C",substr($sid,1,1)); + $idauth = unpack("H*",substr($sid,2,6)); + $idauth =~ s/^0+//g; + my @sub = unpack("V4",substr($sid,8,16)); + my $rid = unpack("V",substr($sid,24,4)); + my $s = join('-',@sub); + return "S-".$revision."-".$idauth."-".$s."-".$rid; + } + else { +# Nothing to do + } +} + +#--------------------------------------------------------------------- +# _uniToAscii() +#--------------------------------------------------------------------- +sub _uniToAscii { + my $str = $_[0]; + $str =~ s/\00//g; + return $str; +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/samparse_tln.pl b/RecentActivity/release/rr-full/plugins/samparse_tln.pl new file mode 100755 index 0000000000..8b5fe94fc3 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/samparse_tln.pl 
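Review bot: `parseF` extracts `acct_exp_date` (offset 32) and `failed_count` (offset 64), but `pluginmain` never reports either, so the failed-logon counter that belongs beside `Pwd Fail Date` when assessing password-guessing activity is silently dropped from the report; add `::rptMsg("Failed Count : ".$f_val{failed_count});` after the `Login Count` line and report `acct_exp_date` through the same `== 0 ? "Never" : gmtime(...)." Z"` pattern the other dates use. The ACB flag loop iterates `keys %acb_flags`, so the flag order may differ between Perl builds or runs; `sort { $a <=> $b } keys %acb_flags` keeps reports diffable across cases. In `_translateSID` the sub-authority count `$dashes` is read but unused, and the `$len > 12` branch hard-codes `V4` plus a RID, which is only correct for the 28-byte SIDs `parseCUsers` passes for type `0x501`; unpacking `"V".$dashes` from offset 8 would stay correct if that caller changes.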
@@ -0,0 +1,285 @@ +#----------------------------------------------------------- +# samparse_tln.pl +# Parse the SAM hive file for user/group membership info +# +# Change history: +# 20120827 - TLN version created from original samparse.pl +# 20120722 - updated %config hash +# 20110303 - Fixed parsing of SID, added check for account type +# Acct type determined based on Dustin Hulburt's "Forensic +# Determination of a User's Logon Status in Windows" +# from 10 Aug 2009 (link below) +# 20100712 - Added References entry +# 20091020 - Added extracting UserPasswordHint value +# 20090413 - Added account creation date +# 20080415 - created +# +# References +# Source available here: http://pogostick.net/~pnh/ntpasswd/ +# http://accessdata.com/downloads/media/Forensic_Determination_Users_Logon_Status.pdf +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package samparse_tln; +use strict; + +my %config = (hive => "SAM", + hivemask => 2, + output => "report", + category => "User Activity", + class => 0, # system + output => "TLN", + osmask => 63, #XP - Win8 + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20120827); + +sub getConfig{return %config} + +sub getShortDescr { + return "Parse SAM file for user acct info (TLN)"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Well-known SIDs" => "http://support.microsoft.com/kb/243330"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %acb_flags = (0x0001 => "Account Disabled", + 0x0002 => "Home directory required", + 0x0004 => "Password not required", + 0x0008 => "Temporary duplicate account", + 0x0010 => "Normal user account", + 0x0020 => "MNS logon user account", + 0x0040 => "Interdomain trust account", + 0x0080 => "Workstation trust account", + 0x0100 => "Server trust account", + 0x0200 => "Password does not expire", 
+ 0x0400 => "Account auto locked"); + +my %types = (0xbc => "Default Admin User", + 0xd4 => "Custom Limited Acct", + 0xb0 => "Default Guest Acct"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching samparse_tln v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Get user information + + my $key_path = 'SAM\\Domains\\Account\\Users'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @user_list = $key->get_list_of_subkeys(); + if (scalar(@user_list) > 0) { + foreach my $u (@user_list) { + my $rid = $u->get_name(); + my $ts = $u->get_timestamp(); + my $tag = "0000"; + if ($rid =~ m/^$tag/) { + my $v_value = $u->get_value("V"); + my $v = $v_value->get_data(); + my %v_val = parseV($v); + $rid =~ s/^0000//; + $rid = hex($rid); + + my $c_date; + eval { + my $create_path = $key_path."\\Names\\".$v_val{name}; + if (my $create = $root_key->get_subkey($create_path)) { + $c_date = $create->get_timestamp(); + } + }; + +# ::rptMsg("Username : ".$v_val{name}." [".$rid."]"); +# ::rptMsg("Full Name : ".$v_val{fullname}); +# ::rptMsg("User Comment : ".$v_val{comment}); +# ::rptMsg("Account Type : ".$v_val{type}); +# ::rptMsg("Account Created : ".gmtime($c_date)." Z") if ($c_date > 0); + + my $f_value = $u->get_value("F"); + my $f = $f_value->get_data(); + my %f_val = parseF($f); + +# my $lastlogin; +# my $pwdreset; +# my $pwdfail; +# ($f_val{last_login_date} == 0) ? ($lastlogin = "Never") : ($lastlogin = gmtime($f_val{last_login_date})." Z"); +# ($f_val{pwd_reset_date} == 0) ? ($pwdreset = "Never") : ($pwdreset = gmtime($f_val{pwd_reset_date})." Z"); +# ($f_val{pwd_fail_date} == 0) ? ($pwdfail = "Never") : ($pwdfail = gmtime($f_val{pwd_fail_date})." 
Z"); + + my $pw_hint; + my $c_descr = "Acct Created (".$v_val{type}.")"; + eval { + $pw_hint = $u->get_value("UserPasswordHint")->get_data(); + $pw_hint =~ s/\00//g; + $c_descr .= " (Pwd Hint: ".$pw_hint.")"; + }; + + if ($c_date > 0) { + ::rptMsg($c_date."|SAM||".$v_val{name}."|".$c_descr); + } + + if ($f_val{pwd_reset_date} > 0) { + ::rptMsg($f_val{pwd_reset_date}."|SAM||".$v_val{name}."|Password Reset Date"); + } + + if ($f_val{pwd_fail_date} > 0) { + ::rptMsg($f_val{pwd_fail_date}."|SAM||".$v_val{name}."|Password Failure Date"); + } + + if ($f_val{last_login_date} > 0) { + ::rptMsg($f_val{last_login_date}."|SAM||".$v_val{name}."|Last Login (".$f_val{login_count}.")"); + } + + + } + } + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub parseF { + my $f = shift; + my %f_value = (); + my @tv; +# last login date + @tv = unpack("VV",substr($f,8,8)); + $f_value{last_login_date} = ::getTime($tv[0],$tv[1]); +# password reset/acct creation + @tv = unpack("VV",substr($f,24,8)); + $f_value{pwd_reset_date} = ::getTime($tv[0],$tv[1]); +# Account expires + @tv = unpack("VV",substr($f,32,8)); + $f_value{acct_exp_date} = ::getTime($tv[0],$tv[1]); +# Incorrect password + @tv = unpack("VV",substr($f,40,8)); + $f_value{pwd_fail_date} = ::getTime($tv[0],$tv[1]); + $f_value{rid} = unpack("V",substr($f,48,4)); + $f_value{acb_flags} = unpack("v",substr($f,56,2)); + $f_value{failed_count} = unpack("v",substr($f,64,2)); + $f_value{login_count} = unpack("v",substr($f,66,2)); + return %f_value; +} + +sub parseV { + my $v = shift; + my %v_val = (); + my $header = substr($v,0,44); + my @vals = unpack("V*",$header); + $v_val{type} = $types{$vals[1]}; + $v_val{name} = _uniToAscii(substr($v,($vals[3] + 0xCC),$vals[4])); + $v_val{fullname} = _uniToAscii(substr($v,($vals[6] + 0xCC),$vals[7])) if ($vals[7] > 0); + $v_val{comment} = _uniToAscii(substr($v,($vals[9] + 0xCC),$vals[10])) if ($vals[10] > 0); + return %v_val; +} + +sub parseC { + my $cv = $_[0]; + my %c_val = (); + my 
$header = substr($cv,0,0x34); + my @vals = unpack("V*",$header); + + $c_val{group_name} = _uniToAscii(substr($cv,(0x34 + $vals[4]),$vals[5])); + $c_val{comment} = _uniToAscii(substr($cv,(0x34 + $vals[7]),$vals[8])); + $c_val{num_users} = $vals[12]; + + return %c_val; +} + +sub parseCUsers { + my $cv = $_[0]; + my %members = (); + my $header = substr($cv,0,0x34); + my @vals = unpack("V*",$header); + + my $num = $vals[12]; + + my @users = (); + my $ofs; + if ($num > 0) { + my $count = 0; + foreach my $c (1..$num) { + my $ofs = $vals[10] + 52 + $count; + my $tmp = unpack("V",substr($cv,$ofs,4)); + + if ($tmp == 0x101) { + $ofs++ if (unpack("C",substr($cv,$ofs,1)) == 0); + $members{_translateSID(substr($cv,$ofs,12))} = 1; + $count += 12; + } + elsif ($tmp == 0x501) { + $members{_translateSID(substr($cv,$ofs,28))} = 1; + $count += 28; + } + else { + + } + } + } + return %members; +} + +#--------------------------------------------------------------------- +# _translateSID() +# Translate binary data into a SID +# References: +# http://blogs.msdn.com/oldnewthing/archive/2004/03/15/89753.aspx +# http://support.microsoft.com/kb/286182/ +# http://support.microsoft.com/kb/243330 +#--------------------------------------------------------------------- +sub _translateSID { + my $sid = $_[0]; + my $len = length($sid); + my $revision; + my $dashes; + my $idauth; + if ($len < 12) { +# Is a SID ever less than 12 bytes? 
+ return "SID less than 12 bytes"; + } + elsif ($len == 12) { + $revision = unpack("C",substr($sid,0,1)); + $dashes = unpack("C",substr($sid,1,1)); + $idauth = unpack("H*",substr($sid,2,6)); + $idauth =~ s/^0+//g; + my $sub = unpack("V",substr($sid,8,4)); + return "S-".$revision."-".$idauth."-".$sub; + } + elsif ($len > 12) { + $revision = unpack("C",substr($sid,0,1)); + $dashes = unpack("C",substr($sid,1,1)); + $idauth = unpack("H*",substr($sid,2,6)); + $idauth =~ s/^0+//g; + my @sub = unpack("V4",substr($sid,8,16)); + my $rid = unpack("V",substr($sid,24,4)); + my $s = join('-',@sub); + return "S-".$revision."-".$idauth."-".$s."-".$rid; + } + else { +# Nothing to do + } +} + +#--------------------------------------------------------------------- +# _uniToAscii() +#--------------------------------------------------------------------- +sub _uniToAscii { + my $str = $_[0]; + $str =~ s/\00//g; + return $str; +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/schedagent.pl b/RecentActivity/release/rr-full/plugins/schedagent.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/schedagent.pl rename to RecentActivity/release/rr-full/plugins/schedagent.pl index a3f0d4012f..7c560b7f63 --- a/thirdparty/rr/plugins/schedagent.pl +++ b/RecentActivity/release/rr-full/plugins/schedagent.pl 
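Review bot: `_translateSID` reads the sub-authority count into `$dashes` but never uses it; the `$len > 12` branch always unpacks four sub-authorities plus a RID at offset 24, so any SID slice that is not exactly 28 bytes is rendered from the wrong offsets (only the 12- and 28-byte slices cut in `parseCUsers` reach it here, so the limitation is latent rather than triggered). The identifier authority is also emitted as hex digits with leading zeros stripped instead of being converted to decimal, so an authority of 16 would print as `10` (constructed example). Sizing the unpack by `$dashes`, with a bounds check against `$len`, replaces both fixed-length branches as sketched below. Separately, the TLN records in `pluginmain` concatenate `$v_val{name}` and the password hint into a `|`-delimited line without escaping, so a `|` inside either field shifts the columns for downstream timeline tools.
```perl
sub _translateSID {
   my $sid = $_[0];
   my $len = length($sid);
   if ($len < 12) {
# Is a SID ever less than 12 bytes?
      return "SID less than 12 bytes";
   }
   my $revision = unpack("C",substr($sid,0,1));
   my $dashes   = unpack("C",substr($sid,1,1));        # sub-authority count
   my $idauth   = hex(unpack("H*",substr($sid,2,6)));  # 48-bit big-endian authority, printed in decimal
   # honour the count instead of assuming 1 or 5 sub-authorities; never read past the slice
   return "SID sub-authority count does not match data" if (8 + 4 * $dashes > $len);
   my @sub = unpack("V".$dashes, substr($sid,8,4 * $dashes));
   return "S-".$revision."-".$idauth."-".join('-',@sub);
}
```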
@@ -1,87 +1,89 @@ -#----------------------------------------------------------- -# schedagent -# Get contents of SchedulingAgent key from Software hive -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package schedagent; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20100817); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get SchedulingAgent key contents"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching schedagent v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\SchedulingAgent"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my ($oldname,$logpath,$folder,$lastrun,$size); - eval { - $oldname = $key->get_value("OldName")->get_data(); - ::rptMsg("OldName = ".$oldname); - }; - - eval { - $logpath = $key->get_value("LogPath")->get_data(); - ::rptMsg("LogPath = ".$logpath); - }; - - eval { - $size = $key->get_value("MaxLogSizeKB")->get_data(); - ::rptMsg("MaxLogSizeKB = ".$size); - }; - - eval { - $folder = $key->get_value("TasksFolder")->get_data(); - ::rptMsg("TasksFolder = ".$folder); - }; -# - eval { - $lastrun = $key->get_value("LastTaskRun")->get_data(); - ::rptMsg("LastTaskRun = ".parseSystemTime($lastrun)); - ::rptMsg(""); - ::rptMsg("Note: LastTaskRun time is written in local system time, not GMT"); - }; - - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub parseSystemTime { - my ($yr,$mon,$dow,$day,$hr,$min,$sec,$mil) = unpack("v8",$_[0]); - $mon = "0".$mon unless ($mon =~ /^\d\d$/); - $day = "0".$day unless ($day =~ /^\d\d$/); - $hr = "0".$hr unless ($hr =~ /^\d\d$/); - $min = "0".$min unless ($min =~ /^\d\d$/); - $sec = "0".$sec unless ($sec =~ /^\d\d$/); - return "$yr-$mon-$day $hr:$min:$sec"; -} - +#----------------------------------------------------------- +# schedagent +# Get contents of SchedulingAgent key from Software hive +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package schedagent; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20100817); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get SchedulingAgent key contents"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching schedagent v.".$VERSION); + ::rptMsg("schedagent v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\SchedulingAgent"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + my ($oldname,$logpath,$folder,$lastrun,$size); + eval { + $oldname = $key->get_value("OldName")->get_data(); + ::rptMsg("OldName = ".$oldname); + }; + + eval { + $logpath = $key->get_value("LogPath")->get_data(); + ::rptMsg("LogPath = ".$logpath); + }; + + eval { + $size = $key->get_value("MaxLogSizeKB")->get_data(); + ::rptMsg("MaxLogSizeKB = ".$size); + }; + + eval { + $folder = $key->get_value("TasksFolder")->get_data(); + ::rptMsg("TasksFolder = ".$folder); + }; +# + eval { + $lastrun = $key->get_value("LastTaskRun")->get_data(); + ::rptMsg("LastTaskRun = ".parseSystemTime($lastrun)); + ::rptMsg(""); + ::rptMsg("Note: LastTaskRun time is written in local system time, not GMT"); + }; + + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub parseSystemTime { + my ($yr,$mon,$dow,$day,$hr,$min,$sec,$mil) = unpack("v8",$_[0]); + $mon = "0".$mon unless ($mon =~ /^\d\d$/); + $day = "0".$day unless ($day =~ /^\d\d$/); + $hr = "0".$hr unless ($hr =~ /^\d\d$/); + $min = "0".$min unless ($min =~ /^\d\d$/); + $sec = "0".$sec unless ($sec =~ /^\d\d$/); + return "$yr-$mon-$day $hr:$min:$sec"; +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/secctr.pl b/RecentActivity/release/rr-full/plugins/secctr.pl old mode 100644 new mode 100755 similarity index 89% rename from thirdparty/rr/plugins/secctr.pl rename to RecentActivity/release/rr-full/plugins/secctr.pl index 19e53f71bb..f321e7318b --- a/thirdparty/rr/plugins/secctr.pl +++ b/RecentActivity/release/rr-full/plugins/secctr.pl 
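Review bot: Every line of schedagent.pl is removed and re-added even though the only functional change on the new side is the two banner `::rptMsg` calls at the top of `pluginmain`, which makes the real change invisible in review; the same whole-file churn appears in the secctr.pl, services.pl and sfc.pl hunks and presumably comes from a line-ending change made alongside the rename. Normalising line endings in a separate commit would keep these hunks reviewable. Within the body, each `eval { ... }` block discards `$@`, so a value that is present but fails to read is reported exactly like one that is absent; a `::logMsg($key_path.": ".$@) if ($@);` after each block would keep that distinction in the log.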
@@ -1,67 +1,69 @@ -#----------------------------------------------------------- -# secctr -# Plugin to get data from Security Center keys -# -# Change History: -# 20100310 - created -# -# References: -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package secctr; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100310); - -sub getConfig{return %config} -sub getShortDescr { - return "Get data from Security Center key"; -} -sub getDescr{} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my $infected = 0; - ::logMsg("Launching secctr v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = 'Microsoft\Security Center'; - my $key; - ::rptMsg("secctr"); - ::rptMsg(""); - - if ($key = $root_key->get_subkey($key_path)) { - $infected++; - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $str = sprintf "%-25s 0x%02x",$v->get_name(),$v->get_data(); - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::rptMsg(""); - } -} +#----------------------------------------------------------- +# secctr +# Plugin to get data from Security Center keys +# +# Change History: +# 20100310 - created +# +# References: +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package secctr; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100310); + +sub getConfig{return %config} +sub getShortDescr { + return "Get data from Security Center key"; +} +sub getDescr{} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my $infected = 0; + ::logMsg("Launching secctr v.".$VERSION); + ::rptMsg("secctr v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = 'Microsoft\Security Center'; + my $key; + ::rptMsg("secctr"); + ::rptMsg(""); + + if ($key = $root_key->get_subkey($key_path)) { + $infected++; + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $str = sprintf "%-25s 0x%02x",$v->get_name(),$v->get_data(); + ::rptMsg($str); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::rptMsg(""); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/security b/RecentActivity/release/rr-full/plugins/security new file mode 100755 index 0000000000..57e2f96cfc --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/security 
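Review bot: `$infected` is incremented when the key exists but never read, so it is dead state that suggests a check which does not happen; either drop it or use it in the report. The per-value line `sprintf "%-25s 0x%02x",$v->get_name(),$v->get_data()` formats every value as a number without checking its type, so a non-numeric value under this key would print as `0x00` and, under warnings, emit a non-numeric warning; branching on the value type (or using `get_data_as_string` if the installed Parse::Win32Registry provides it) would render such values faithfully.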
@@ -0,0 +1,4 @@
+# 20120528 *ALL* Plugins that apply on SECURITY hive, alphabetical order
+auditpol
+lsasecrets
+polacdms
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/securityproviders.pl b/RecentActivity/release/rr-full/plugins/securityproviders.pl
new file mode 100755
index 0000000000..8034d080f5
--- /dev/null
+++ b/RecentActivity/release/rr-full/plugins/securityproviders.pl
@@ -0,0 +1,69 @@
+#-----------------------------------------------------------
+# securityproviders.pl
+# Get contents of SecurityProviders value in System hive; MS says
+# that Win32/Hioles.C uses this key as a persistence mechanism
+#
+# Change history
+# 20120312 - added Hostname
+#
+# References
+#
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package securityproviders;
+use strict;
+
+my %config = (hive => "System",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20120312);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets SecurityProvider value from System hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching securityproviders v.".$VERSION);
+ ::rptMsg("Launching securityproviders v.".$VERSION);
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+ my ($current,$ccs);
+ my $sel_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($sel_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ my $key_path = $ccs."\\Control\\SecurityProviders";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("LastWrite: ".gmtime($key->get_timestamp()));
+ ::rptMsg("");
+ my $providers = $key->get_value("SecurityProviders")->get_data();
+ ::rptMsg("SecurityPrividers = ".$providers);
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ }
+ else {
+ ::rptMsg($sel_path." not found.");
+ }
+}
+1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/services.pl b/RecentActivity/release/rr-full/plugins/services.pl
old mode 100644
new mode 100755
similarity index 93%
rename from thirdparty/rr/plugins/services.pl
rename to RecentActivity/release/rr-full/plugins/services.pl
index a22e24f8fa..90c2b323c6
--- a/thirdparty/rr/plugins/services.pl
+++ b/RecentActivity/release/rr-full/plugins/services.pl
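Review bot: The report label is misspelled (`SecurityPrividers = `); analysts grep reports by value name, so it should read `::rptMsg("SecurityProviders = ".$providers);`. Both `$key->get_value("Current")->get_data()` and `$key->get_value("SecurityProviders")->get_data()` are called without the `eval` guard the sibling plugins use, so a hive in which either value is absent aborts the plugin with a method-call-on-undef error instead of emitting a `not found` line; `my $providers = eval { $key->get_value("SecurityProviders")->get_data() };` followed by a `defined` check would keep the report intact. `$ccs = "ControlSet00".$current` also breaks for a `Current` value of 10 or more, where `sprintf("ControlSet%03d",$current)` is the usual form. The header entry `20120312 - added Hostname` does not correspond to anything in the code and looks copied from another plugin.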
@@ -1,150 +1,152 @@ -#----------------------------------------------------------- -# services.pl -# Plugin for Registry Ripper; Access System hive file to get the -# services -# -# Change history -# 20080507 - Added collection of Type and Start values; separated -# data by Services vs. Drivers; created separate plugin -# for Drivers -# 20080505 - Added collection of ImagePath and DisplayName, if avail. -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package services; -#use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080507); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists services/drivers in Services key by LastWrite times"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -# Reference for types and start types: -# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx -my %types = (0x001 => "Kernel driver", - 0x002 => "File system driver", - 0x010 => "Own_Process", - 0x020 => "Share_Process", - 0x100 => "Interactive"); - -my %starts = (0x00 => "Boot Start", - 0x01 => "System Start", - 0x02 => "Auto Start", - 0x03 => "Manual", - 0x04 => "Disabled"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching services v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $s_path = $ccs."\\Services"; - my $svc; - my %svcs; - if ($svc = $root_key->get_subkey($s_path)) { - 
::rptMsg($s_path); - ::rptMsg(getShortDescr()); - ::rptMsg(""); -# Get all subkeys and sort based on LastWrite times - my @subkeys = $svc->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - - my $type; - eval { - $type = $s->get_value("Type")->get_data(); -# Only look for services; drivers handled in another plugin - if (exists $types{$type}) { - $type = $types{$type}; - } - else { - $type = sprintf "0x%x",$t; - } - }; - - $name = $s->get_name(); - my $display; - eval { - $display = $s->get_value("DisplayName")->get_data(); - }; - - my $image; - eval { - $image = $s->get_value("ImagePath")->get_data(); - }; - - my $start; - eval { - $start = $s->get_value("Start")->get_data(); - if (exists $starts{$start}) { - $start = $starts{$start}; - } - }; - - my $group; - eval { - $group = $s->get_value("Group")->get_data(); - }; - - my $str = $name.";".$display.";".$image.";".$type.";".$start.";".$group; - push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); - } - - foreach my $t (reverse sort {$a <=> $b} keys %svcs) { - ::rptMsg(gmtime($t)."Z"); - foreach my $item (@{$svcs{$t}}) { - my ($n,$d,$i,$t,$s,$g) = split(/;/,$item,6); - ::rptMsg(" Name = ".$n); - ::rptMsg(" Display = ".$d); - ::rptMsg(" ImagePath = ".$i); - ::rptMsg(" Type = ".$t); - ::rptMsg(" Start = ".$s); - ::rptMsg(" Group = ".$g); - ::rptMsg(""); - } - } - - } - else { - ::rptMsg($s_path." has no subkeys."); - ::logMsg("Error: ".$s_path." has no subkeys."); - } - } - else { - ::rptMsg($s_path." not found."); - ::logMsg($s_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# services.pl +# Plugin for Registry Ripper; Access System hive file to get the +# services +# +# Change history +# 20080507 - Added collection of Type and Start values; separated +# data by Services vs. 
Drivers; created separate plugin +# for Drivers +# 20080505 - Added collection of ImagePath and DisplayName, if avail. +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package services; +#use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080507); + +sub getConfig{return %config} +sub getShortDescr { + return "Lists services/drivers in Services key by LastWrite times"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +# Reference for types and start types: +# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx +my %types = (0x001 => "Kernel driver", + 0x002 => "File system driver", + 0x010 => "Own_Process", + 0x020 => "Share_Process", + 0x100 => "Interactive"); + +my %starts = (0x00 => "Boot Start", + 0x01 => "System Start", + 0x02 => "Auto Start", + 0x03 => "Manual", + 0x04 => "Disabled"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching services v.".$VERSION); + ::rptMsg("services v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $s_path = $ccs."\\Services"; + my $svc; + my %svcs; + if ($svc = $root_key->get_subkey($s_path)) { + ::rptMsg($s_path); + ::rptMsg(getShortDescr()); + ::rptMsg(""); +# Get all subkeys and sort based on LastWrite times + my @subkeys = $svc->get_list_of_subkeys(); + if (scalar (@subkeys) > 0) { + 
foreach my $s (@subkeys) { + + my $type; + eval { + $type = $s->get_value("Type")->get_data(); +# Only look for services; drivers handled in another plugin + if (exists $types{$type}) { + $type = $types{$type}; + } + else { + $type = sprintf "0x%x",$t; + } + }; + + $name = $s->get_name(); + my $display; + eval { + $display = $s->get_value("DisplayName")->get_data(); + }; + + my $image; + eval { + $image = $s->get_value("ImagePath")->get_data(); + }; + + my $start; + eval { + $start = $s->get_value("Start")->get_data(); + if (exists $starts{$start}) { + $start = $starts{$start}; + } + }; + + my $group; + eval { + $group = $s->get_value("Group")->get_data(); + }; + + my $str = $name.";".$display.";".$image.";".$type.";".$start.";".$group; + push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); + } + + foreach my $t (reverse sort {$a <=> $b} keys %svcs) { + ::rptMsg(gmtime($t)."Z"); + foreach my $item (@{$svcs{$t}}) { + my ($n,$d,$i,$t,$s,$g) = split(/;/,$item,6); + ::rptMsg(" Name = ".$n); + ::rptMsg(" Display = ".$d); + ::rptMsg(" ImagePath = ".$i); + ::rptMsg(" Type = ".$t); + ::rptMsg(" Start = ".$s); + ::rptMsg(" Group = ".$g); + ::rptMsg(""); + } + } + + } + else { + ::rptMsg($s_path." has no subkeys."); + ::logMsg("Error: ".$s_path." has no subkeys."); + } + } + else { + ::rptMsg($s_path." not found."); + ::logMsg($s_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/sevenzip.pl b/RecentActivity/release/rr-full/plugins/sevenzip.pl new file mode 100755 index 0000000000..6f0e398060 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/sevenzip.pl 
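Review bot: In the `Type` handler, `$type = sprintf "0x%x",$t;` references `$t`, which is not defined at that point (the value being formatted is in `$type`), so an unrecognised service type is always reported as `0x0`; this only compiles because `use strict` is commented out at the top of the file. The line should be `$type = sprintf "0x%x",$type;`, and restoring `use strict;` would also flag the undeclared package global `$name`. The `unless ($str eq "")` guard on the `push` can never fire because `$str` always contains the five `;` separators, and a DisplayName or ImagePath that itself contains `;` would shift the columns recovered by the later `split(/;/,$item,6)`.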
@@ -0,0 +1,107 @@ +#----------------------------------------------------------- +# sevenzip.pl +# +# +# +# Change history +# 20130315 - minor updates added +# 20100218 - created +# +# References +# +# +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package sevenzip; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130315); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets records of histories from 7-Zip keys"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + my %hist; + ::logMsg("Launching 7-zip v.".$VERSION); + + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my @keys = ('Software\\7-Zip', + 'Software\\Wow6432Node\\7-Zip'); + + foreach my $key_path (@keys) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + eval { + ::rptMsg("PanelPath0: ".$key->get_subkey("FM")->get_value("PanelPath0")->get_data()); + ::rptMsg(""); + }; + + eval { + ::rptMsg("ArcHistory:"); + my $copy = $key->get_subkey("Compression")->get_value("ArcHistory")->get_data(); + my @c = split(/\00\00/,$copy); + foreach my $hist (@c) { + $hist =~ s/\00//g; + ::rptMsg(" ".$hist); + } + }; + + eval { + ::rptMsg("PathHistory:"); + my $copy = $key->get_subkey("Extraction")->get_value("PathHistory")->get_data(); + my @c = split(/\00\00/,$copy); + foreach my $hist (@c) { + $hist =~ s/\00//g; + ::rptMsg(" ".$hist); + } + ::rptMsg(""); + }; + + eval { + ::rptMsg("CopyHistory:"); + my $copy = $key->get_subkey("FM")->get_value("CopyHistory")->get_data(); + my @c = split(/\00\00/,$copy); + foreach my $hist (@c) { + $hist =~ s/\00//g; + ::rptMsg(" ".$hist); + } + ::rptMsg(""); + }; + + 
eval { + ::rptMsg("FolderHistory:"); + my $copy = $key->get_subkey("FM")->get_value("FolderHistory")->get_data(); + my @c = split(/\00\00/,$copy); + foreach my $hist (@c) { + $hist =~ s/\00//g; + ::rptMsg(" ".$hist); + } + }; + + } + else { + ::rptMsg($key_path." not found."); + } + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/sfc.pl b/RecentActivity/release/rr-full/plugins/sfc.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/sfc.pl rename to RecentActivity/release/rr-full/plugins/sfc.pl index 16e829670f..4f223fb763 --- a/thirdparty/rr/plugins/sfc.pl +++ b/RecentActivity/release/rr-full/plugins/sfc.pl 
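Review bot: Each history block prints its heading (`::rptMsg("ArcHistory:")` and the others) before the `eval` looks up the subkey and value, so when `Compression`, `Extraction` or `FM` is missing the report shows a bare heading with nothing under it and no `not found` line; fetch the data first and print the heading only once `get_data()` has succeeded. `split(/\00\00/,$copy)` splits on any two adjacent NUL bytes regardless of 16-bit alignment, so if the value is UTF-16LE (not visible here) a code unit whose low byte is 0x00 (for example U+0100) following an ASCII character would be taken as a record boundary and then mangled by the `s/\00//g` cleanup; decoding with `Encode::decode('UTF-16LE', $copy)` and splitting on `\0` would be more robust. `%hist` at the top of `pluginmain` is never used and is shadowed by `foreach my $hist`, and the log line says `7-zip` while the package is `sevenzip`.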
@@ -1,107 +1,109 @@ -#----------------------------------------------------------- -# sfc.pl -# Check SFC settings in the Registry -# -# History -# 20100305 - updated -# -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package sfc; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100305); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get SFC values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching sfc v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("sfc v.".$VERSION); - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - next unless ($name =~ m/^sfc/i); - my $str; - if ($name =~ m/^sfcquota$/i || $name =~ m/^sfcdisable$/i) { - $str = sprintf " %-20s 0x%08x",$name,$v->get_data(); - } - else { - $str = sprintf " %-20s %-20s",$name,$v->get_data(); - } - ::rptMsg($str); - } - - } - else { - ::rptMsg($key_path." key has no values."); - } - } - else { - ::rptMsg($key_path." key not found."); - ::logMsg($key_path." 
key not found."); - } - ::rptMsg(""); -# According to http://support.microsoft.com/kb/222193, sfc* values in this key, if -# it exists, take precedence over and are copied into the values within the Winlogon -# key; see also http://support.microsoft.com/kb/222473/ - my $key_path = "Policies\\Microsoft\\Windows NT\\Windows File Protection"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - next unless ($name =~ m/^sfc/i); - my $str; - if ($name =~ m/^sfcquota$/i || $name =~ m/^sfcdisable$/i) { - $str = sprintf " %-20s 0x%08x",$name,$v->get_data(); - } - else { - $str = sprintf " %-20s %-20s",$name,$v->get_data(); - } - ::rptMsg($str); - } - - } - else { - ::rptMsg($key_path." key has no values."); - } - } - else { - ::rptMsg($key_path." key not found."); -# ::logMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# sfc.pl +# Check SFC settings in the Registry +# +# History +# 20100305 - updated +# +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package sfc; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100305); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get SFC values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching sfc v.".$VERSION); + ::rptMsg("sfc v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("sfc v.".$VERSION); + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + next unless ($name =~ m/^sfc/i); + my $str; + if ($name =~ m/^sfcquota$/i || $name =~ m/^sfcdisable$/i) { + $str = sprintf " %-20s 0x%08x",$name,$v->get_data(); + } + else { + $str = sprintf " %-20s %-20s",$name,$v->get_data(); + } + ::rptMsg($str); + } + + } + else { + ::rptMsg($key_path." key has no values."); + } + } + else { + ::rptMsg($key_path." key not found."); + ::logMsg($key_path." 
key not found."); + } + ::rptMsg(""); +# According to http://support.microsoft.com/kb/222193, sfc* values in this key, if +# it exists, take precedence over and are copied into the values within the Winlogon +# key; see also http://support.microsoft.com/kb/222473/ + my $key_path = "Policies\\Microsoft\\Windows NT\\Windows File Protection"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + next unless ($name =~ m/^sfc/i); + my $str; + if ($name =~ m/^sfcquota$/i || $name =~ m/^sfcdisable$/i) { + $str = sprintf " %-20s 0x%08x",$name,$v->get_data(); + } + else { + $str = sprintf " %-20s %-20s",$name,$v->get_data(); + } + ::rptMsg($str); + } + + } + else { + ::rptMsg($key_path." key has no values."); + } + } + else { + ::rptMsg($key_path." key not found."); +# ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/shares.pl b/RecentActivity/release/rr-full/plugins/shares.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/shares.pl rename to RecentActivity/release/rr-full/plugins/shares.pl index e36f4737cb..4739032688 --- a/thirdparty/rr/plugins/shares.pl +++ b/RecentActivity/release/rr-full/plugins/shares.pl 
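Review bot: The new banner line `::rptMsg("sfc v.".$VERSION); # banner` duplicates the `::rptMsg("sfc v.".$VERSION);` that is still printed inside the `if ($key = $root_key->get_subkey($key_path))` branch, so the report now carries the version string twice whenever the Winlogon key exists; drop the inner one (and its following `::rptMsg("");`) now that the banner is emitted unconditionally. The repeated `my $key_path` / `my $key` declarations in the same scope of pluginmain are a latent `"my" variable masks earlier declaration` warning should `use warnings` ever be enabled; reusing the existing variables, or scoping each key lookup in its own block, avoids it. The second lookup also comments out its `::logMsg` while the first keeps it, so a missing Winlogon key is logged but a missing Windows File Protection policy key is not — presumably intentional, but worth a one-line comment saying so.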
@@ -1,128 +1,130 @@ -#----------------------------------------------------------- -# shares.pl -# -# Retrieve information about shares from a System hive file -# -# References: -# http://support.microsoft.com/kb/556023 -# For info about share types, see the Win32_Share WMI class: -# http://msdn.microsoft.com/en-us/library/aa394435(VS.85).aspx -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package shares; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090112); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get list of shares from System hive file"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $root_key; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching shares v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - eval { - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - }; - if ($@) { - ::rptMsg("Problem locating proper controlset: $@"); - return; - } -# First, connect to the Services key; some versions of Windows appear to -# spell the lanmanserver key as "lanmanserver" and others as "LanmanServer" - my $key_path = $ccs."\\Services"; - my $key; - my $tag = "lanmanserver"; - my $lanman = getKeyPath($key_path,$tag); - if ($lanman ne "") { - my $share_path = $key_path."\\".$lanman."\\Shares"; - my $share; - if ($share = $root_key->get_subkey($share_path)) { - my @vals = $share->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(" ".$v->get_name()); - my @data = $v->get_data(); - 
::rptMsg(" ".$data[2]); - ::rptMsg(" ".$data[4]); - ::rptMsg(" ".$data[5]); - ::rptMsg(""); - } - } - else { - ::rptMsg($share_path." has no values."); - } - } - else { - ::rptMsg($share_path." not found."); - } - } - else { - ::rptMsg($lanman." subkey not found."); - } - -# Determine of the AutoShareServer/Wks values have been set - my $path = $key_path."\\".$lanman; - my $tag = "parameters"; - my $para = getKeyPath($path,$tag); - eval { - if ($key = $root_key->get_subkey($path."\\".$para)) { - my $auto_svr = $key->get_value("AutoShareServer")->get_data(); - ::rptMsg(" AutoShareServer = ".$auto_svr); - } - }; - - eval { - if ($key = $root_key->get_subkey($path."\\".$para)) { - my $auto_wks = $key->get_value("AutoShareWks")->get_data(); - ::rptMsg(" AutoShareWks = ".$auto_wks); - } - }; -} - -# On different versions of Windows, subkeys such as lanmanserver -# and parameters are spelled differently; use this subroutine to get -# the correct spelling of the name of the subkey -# http://support.microsoft.com/kb/288164 -sub getKeyPath { - my $path = $_[0]; - my $tag = $_[1]; - my $subkey; - if (my $key = $root_key->get_subkey($path)) { - my @sk = $key->get_list_of_subkeys(); - foreach my $s (@sk) { - my $name = $s->get_name(); - $subkey = $name if ($name =~ m/^$tag/i); - } - } - return $subkey; -} - +#----------------------------------------------------------- +# shares.pl +# +# Retrieve information about shares from a System hive file +# +# References: +# http://support.microsoft.com/kb/556023 +# For info about share types, see the Win32_Share WMI class: +# http://msdn.microsoft.com/en-us/library/aa394435(VS.85).aspx +# +# copyright 2009 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package shares; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090112); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get list of shares from System hive file"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my $root_key; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching shares v.".$VERSION); + ::rptMsg("shares v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + eval { + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + }; + if ($@) { + ::rptMsg("Problem locating proper controlset: $@"); + return; + } +# First, connect to the Services key; some versions of Windows appear to +# spell the lanmanserver key as "lanmanserver" and others as "LanmanServer" + my $key_path = $ccs."\\Services"; + my $key; + my $tag = "lanmanserver"; + my $lanman = getKeyPath($key_path,$tag); + if ($lanman ne "") { + my $share_path = $key_path."\\".$lanman."\\Shares"; + my $share; + if ($share = $root_key->get_subkey($share_path)) { + my @vals = $share->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + ::rptMsg(" ".$v->get_name()); + my @data = $v->get_data(); + ::rptMsg(" ".$data[2]); + ::rptMsg(" ".$data[4]); + ::rptMsg(" ".$data[5]); + ::rptMsg(""); + } + } + else { + ::rptMsg($share_path." has no values."); + } + } + else { + ::rptMsg($share_path." not found."); + } + } + else { + ::rptMsg($lanman." 
subkey not found."); + } + +# Determine of the AutoShareServer/Wks values have been set + my $path = $key_path."\\".$lanman; + my $tag = "parameters"; + my $para = getKeyPath($path,$tag); + eval { + if ($key = $root_key->get_subkey($path."\\".$para)) { + my $auto_svr = $key->get_value("AutoShareServer")->get_data(); + ::rptMsg(" AutoShareServer = ".$auto_svr); + } + }; + + eval { + if ($key = $root_key->get_subkey($path."\\".$para)) { + my $auto_wks = $key->get_value("AutoShareWks")->get_data(); + ::rptMsg(" AutoShareWks = ".$auto_wks); + } + }; +} + +# On different versions of Windows, subkeys such as lanmanserver +# and parameters are spelled differently; use this subroutine to get +# the correct spelling of the name of the subkey +# http://support.microsoft.com/kb/288164 +sub getKeyPath { + my $path = $_[0]; + my $tag = $_[1]; + my $subkey; + if (my $key = $root_key->get_subkey($path)) { + my @sk = $key->get_list_of_subkeys(); + foreach my $s (@sk) { + my $name = $s->get_name(); + $subkey = $name if ($name =~ m/^$tag/i); + } + } + return $subkey; +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/shc.pl b/RecentActivity/release/rr-full/plugins/shc.pl new file mode 100755 index 0000000000..7d4dfd555f --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/shc.pl 
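Review bot: When `getKeyPath($key_path,$tag)` finds no lanmanserver subkey it returns undef, so the else branch prints `$lanman." subkey not found."` as a message with an empty name, and execution then continues into the AutoShare checks with `$path = $key_path."\\".$lanman`, a path ending in a bare backslash; report the name that was looked for and stop there: `::rptMsg($tag." subkey not found."); return;`. In getKeyPath the match `m/^$tag/i` is a prefix match and the loop keeps the last hit, so a hive with two subkeys sharing the prefix (constructed example: `LanmanServer` and `LanmanServerX`) would silently select whichever is enumerated last; anchoring the pattern, `m/^$tag$/i`, makes the lookup exact, which is what the KB-288164 comment above the sub describes. The unconditional banner added here is fine because, unlike sfc.pl, this file does not already print its version string elsewhere.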
@@ -0,0 +1,75 @@ +#----------------------------------------------------------- +# shc.pl +# This key may have something to do with the Start Menu Cache - nothing +# definitive yet. +# +# Change history +# 20130412 - created - IN PROCESS; NOT COMPLETE +# +# +# References +# +# https://chentiangemalc.wordpress.com/2011/11/02/customizing-default-start-menu-in-windows-developer-preview/ +# http://social.msdn.microsoft.com/Forums/en-US/windowsdeveloperpreviewgeneral/thread/296cd88b-d806-4a81-a3d0-ea27de4c8b52 +# +# Copyright 2013 QAR, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package shc; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hivemask => 16, + output => "report", + category => "", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 32, #Windows 8 + version => 20130412); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets SHC entries from user hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching shc v.".$VERSION); + ::rptMsg("shc v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\UFH\\SHC"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + + + } + } + else { + ::rptMsg($key_path." has no values."); + ::rptMsg("File History may not be configured for this user."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file 
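Review bot: The `foreach my $v (@vals)` loop in pluginmain has an empty body, so when the SHC key does hold values the plugin prints the key path and LastWrite time and then nothing, which reads like an empty key; at minimum emit the value names, `::rptMsg("  ".$v->get_name());`, or carry the header's `IN PROCESS; NOT COMPLETE` marker into getShortDescr so the unfinished state is visible in the plugin list. The no-values message `File History may not be configured for this user.` looks copied from another plugin — the key read here is `UFH\\SHC`, and the file header itself says the key is only suspected to relate to the Start Menu cache — so that line is misleading and should be removed or reworded to match the key.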
diff --git a/RecentActivity/release/rr-full/plugins/shellbags.pl b/RecentActivity/release/rr-full/plugins/shellbags.pl new file mode 100755 index 0000000000..11b964ce47 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/shellbags.pl 
@@ -0,0 +1,854 @@ +#----------------------------------------------------------- +# shellbags.pl +# RR plugin to parse (Vista, Win7/Win2008R2) shell bags +# +# History: +# 20130102 - updated to include type 0x35 +# 20120824 - updated parseFolderEntry() for XP (extver == 3) +# 20120810 - added support for parsing Network types; added handling of +# offsets for Folder types (ie, transition to long name offset), +# based on OS version (Vista, Win7); tested against one Win2008R2 +# system (successfully); added parsing of URI types. +# 20120809 - added parsing of file szie values for type 0x32 items +# 20120808 - Updated +# 20120720 - created +# +# References +# Andrew's Python code for Registry Decoder +# http://code.google.com/p/registrydecoder/source/browse/trunk/templates/template_files/ShellBagMRU.py +# Joachim Metz's shell item format specification +# http://download.polytechnic.edu.na/pub4/download.sourceforge.net/pub/ +# sourceforge/l/project/li/liblnk/Documentation/Windows%20Shell%20Item%20format/ +# Windows%20Shell%20Item%20format.pdf +# Converting DOS Date format +# http://msdn.microsoft.com/en-us/library/windows/desktop/ms724274(v=VS.85).aspx +# +# Thanks to Willi Ballenthin and Joachim Metz for the documentation they +# provided, Andrew Case for posting the Registry Decoder code, and Kevin +# Moore for writing the shell bag parser for Registry Decoder, as well as +# assistance with some parsing. +# +# License: GPL v3 +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package shellbags; +use strict; +use Time::Local; + +my %config = (hive => "USRCLASS\.DAT", + hivemask => 32, + output => "report", + category => "User Activity", + osmask => 20, #Vista, Win7/Win2008R2 + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130102); + +sub getConfig{return %config} + +sub getShortDescr { + return "Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %cp_guids = ("{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}" => "Action Center", + "{7a979262-40ce-46ff-aeee-7884ac3b6136}" => "Add Hardware", + "{d20ea4e1-3957-11d2-a40b-0c5020524153}" => "Administrative Tools", + "{9c60de1e-e5fc-40f4-a487-460851a8d915}" => "AutoPlay", + "{b98a2bea-7d42-4558-8bd1-832f41bac6fd}" => "Backup and Restore Center", + "{0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}" => "Biometric Devices", + "{d9ef8727-cac2-4e60-809e-86f80a666c91}" => "BitLocker Drive Encryption", + "{b2c761c6-29bc-4f19-9251-e6195265baf1}" => "Color Management", + "{1206f5f1-0569-412c-8fec-3204630dfb70}" => "Credential Manager", + "{e2e7934b-dce5-43c4-9576-7fe4f75e7480}" => "Date and Time", + "{00c6d95f-329c-409a-81d7-c46c66ea7f33}" => "Default Location", + "{17cd9488-1228-4b2f-88ce-4298e93e0966}" => "Default Programs", + "{37efd44d-ef8d-41b1-940d-96973a50e9e0}" => "Desktop Gadgets", + "{74246bfc-4c96-11d0-abef-0020af6b0b7a}" => "Device Manager", + "{a8a91a66-3a7d-4424-8d24-04e180695c7a}" => "Devices and Printers", + "{c555438b-3c23-4769-a71f-b6d3d9b6053a}" => "Display", + "{d555645e-d4f8-4c29-a827-d93c859c4f2a}" => "Ease of Access Center", + "{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}" => "Folder Options", + "{93412589-74d4-4e4e-ad0e-e0cb621440fd}" => "Fonts", + "{259ef4b1-e6c9-4176-b574-481532c9bce8}" => "Game Controllers", + 
"{15eae92e-f17a-4431-9f28-805e482dafd4}" => "Get Programs", + "{cb1b7f8c-c50a-4176-b604-9e24dee8d4d1}" => "Getting Started", + "{67ca7650-96e6-4fdd-bb43-a8e774f73a57}" => "HomeGroup", + "{87d66a43-7b11-4a28-9811-c86ee395acf7}" => "Indexing Options", + "{a0275511-0e86-4eca-97c2-ecd8f1221d08}" => "Infrared", + "{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}" => "Internet Options", + "{a304259d-52b8-4526-8b1a-a1d6cecc8243}" => "iSCSI Initiator", + "{725be8f7-668e-4c7b-8f90-46bdb0936430}" => "Keyboard", + "{e9950154-c418-419e-a90a-20c5287ae24b}" => "Location and Other Sensors", + "{1fa9085f-25a2-489b-85d4-86326eedcd87}" => "Manage Wireless Networks", + "{6c8eec18-8d75-41b2-a177-8831d59d2d50}" => "Mouse", + "{7007acc7-3202-11d1-aad2-00805fc1270e}" => "Network Connections", + "{8e908fc9-becc-40f6-915b-f4ca0e70d03d}" => "Network and Sharing Center", + "{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}" => "Notification Area Icons", + "{d24f75aa-4f2b-4d07-a3c4-469b3d9030c4}" => "Offline Files", + "{96ae8d84-a250-4520-95a5-a47a7e3c548b}" => "Parental Controls", + "{f82df8f7-8b9f-442e-a48c-818ea735ff9b}" => "Pen and Input Devices", + "{5224f545-a443-4859-ba23-7b5a95bdc8ef}" => "People Near Me", + "{78f3955e-3b90-4184-bd14-5397c15f1efc}" => "Performance Information and Tools", + "{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}" => "Personalization", + "{40419485-c444-4567-851a-2dd7bfa1684d}" => "Phone and Modem", + "{025a5937-a6be-4686-a844-36fe4bec8b6d}" => "Power Options", + "{2227a280-3aea-1069-a2de-08002b30309d}" => "Printers", + "{fcfeecae-ee1b-4849-ae50-685dcf7717ec}" => "Problem Reports and Solutions", + "{7b81be6a-ce2b-4676-a29e-eb907a5126c5}" => "Programs and Features", + "{9fe63afd-59cf-4419-9775-abcc3849f861}" => "Recovery", + "{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}" => "Regional and Language Options", + "{241d7c96-f8bf-4f85-b01f-e2b043341a4b}" => "RemoteApp and Desktop Connections", + "{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3}" => "Scanners and Cameras", + 
"{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}" => "Sound", + "{58e3c745-d971-4081-9034-86e34b30836a}" => "Speech Recognition Options", + "{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}" => "Sync Center", + "{bb06c0e4-d293-4f75-8a90-cb05b6477eee}" => "System", + "{80f3f1d5-feca-45f3-bc32-752c152e456e}" => "Tablet PC Settings", + "{0df44eaa-ff21-4412-828e-260a8728e7f1}" => "Taskbar and Start Menu", + "{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}" => "Text to Speech", + "{c58c4893-3be0-4b45-abb5-a63e4b8c8651}" => "Troubleshooting", + "{60632754-c523-4b62-b45c-4172da012619}" => "User Accounts", + "{be122a0e-4503-11da-8bde-f66bad1e3f3a}" => "Windows Anytime Upgrade", + "{78cb147a-98ea-4aa6-b0df-c8681f69341c}" => "Windows CardSpace", + "{d8559eb9-20c0-410e-beda-7ed416aecc2a}" => "Windows Defender", + "{4026492f-2f69-46b8-b9bf-5654fc07e423}" => "Windows Firewall", + "{3e7efb4c-faf1-453d-89eb-56026875ef90}" => "Windows Marketplace", + "{5ea4f148-308c-46d7-98a9-49041b1dd468}" => "Windows Mobility Center", + "{087da31b-0dd3-4537-8e23-64a18591f88b}" => "Windows Security Center", + "{e95a4861-d57a-4be1-ad0f-35267e261739}" => "Windows SideShow", + "{36eef7db-88ad-4e81-ad49-0e313f0c35f8}" => "Windows Update"); + +my %folder_types = ("{724ef170-a42d-4fef-9f26-b60e846fba4f}" => "Administrative Tools", + "{d0384e7d-bac3-4797-8f14-cba229b392b5}" => "Common Administrative Tools", + "{de974d24-d9c6-4d3e-bf91-f4455120b917}" => "Common Files", + "{c1bae2d0-10df-4334-bedd-7aa20b227a9d}" => "Common OEM Links", + "{5399e694-6ce5-4d6c-8fce-1d8870fdcba0}" => "Control Panel", + "{1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}" => "CSIDL_SYSTEM", + "{b4bfcc3a-db2c-424c-b029-7fe99a87c641}" => "Desktop", + "{7b0db17d-9cd2-4a93-9733-46cc89022e7c}" => "Documents Library", + "{fdd39ad0-238f-46af-adb4-6c85480369c7}" => "Documents", + "{374de290-123f-4565-9164-39c4925e467b}" => "Downloads", + "{de61d971-5ebc-4f02-a3a9-6c82895e5c04}" => "Get Programs", + "{a305ce99-f527-492b-8b1a-7e76fa98d6e4}" => "Installed Updates", + 
"{871c5380-42a0-1069-a2ea-08002b30309d}" => "Internet Explorer (Homepage)", + "{031e4825-7b94-4dc3-b131-e946b44c8dd5}" => "Libraries", + "{4bd8d571-6d19-48d3-be97-422220080e43}" => "Music", + "{20d04fe0-3aea-1069-a2d8-08002b30309d}" => "My Computer", + "{450d8fba-ad25-11d0-98a8-0800361b1103}" => "My Documents", + "{ed228fdf-9ea8-4870-83b1-96b02cfe0d52}" => "My Games", + "{208d2c60-3aea-1069-a2d7-08002b30309d}" => "My Network Places", + "{f02c1a0d-be21-4350-88b0-7367fc96ef3c}" => "Network", + "{33e28130-4e1e-4676-835a-98395c3bc3bb}" => "Pictures", + "{a990ae9f-a03b-4e80-94bc-9912d7504104}" => "Pictures", + "{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}" => "Program Files (x86)", + "{905e63b6-c1bf-494e-b29c-65b732d3d21a}" => "Program Files", + "{df7266ac-9274-4867-8d55-3bd661de872d}" => "Programs and Features", + "{3214fab5-9757-4298-bb61-92a9deaa44ff}" => "Public Music", + "{b6ebfb86-6907-413c-9af7-4fc2abf07cc5}" => "Public Pictures", + "{2400183a-6185-49fb-a2d8-4a392a602ba3}" => "Public Videos", + "{4336a54d-38b-4685-ab02-99bb52d3fb8b}" => "Public", + "{491e922f-5643-4af4-a7eb-4e7a138d8174}" => "Public", + "{dfdf76a2-c82a-4d63-906a-5644ac457385}" => "Public", + "{645ff040-5081-101b-9f08-00aa002f954e}" => "Recycle Bin", + "{d65231b0-b2f1-4857-a4ce-a8e7c6ea7d27}" => "System32 (x86)", + "{9e52ab10-f80d-49df-acb8-4330f5687855}" => "Temporary Burn Folder", + "{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}" => "Users Files", + "{59031a47-3f72-44a7-89c5-5595fe6b30ee}" => "Users", + "{f38bf404-1d43-42f2-9305-67de0b28fc23}" => "Windows"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching shellbags v.".$VERSION); + ::rptMsg("shellbags v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my %item = (); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU"; + my $key; + + if ($key = 
$root_key->get_subkey($key_path)) { + $item{path} = "Desktop\\"; + $item{name} = ""; +# Print header info + ::rptMsg(sprintf "%-20s |%-20s | %-20s | %-20s | %-20s |Resource","MRU Time","Modified","Accessed","Created","Zip_Subfolder"); + ::rptMsg(sprintf "%-20s |%-20s | %-20s | %-20s | %-20s |"."-" x 12,"-" x 12,"-" x 12,"-" x 12,"-" x 12,"-" x 12); + traverse($key,\%item); + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub traverse { + my $key = shift; + my $parent = shift; + + my %item = (); + my @vals = $key->get_list_of_values(); + + my %values; + foreach my $v (@vals) { + my $name = $v->get_name(); + $values{$name} = $v->get_data(); + } + + delete $values{NodeSlot}; + my $mru; + if (exists $values{MRUListEx}) { + $mru = unpack("V",substr($values{MRUListEx},0,4)); + } + delete $values{MRUListEx}; + + foreach my $v (sort {$a <=> $b} keys %values) { + next unless ($v =~ m/^\d/); + + my $type = unpack("C",substr($values{$v},2,1)); + +# Need to first check to see if the parent of the item was a zip folder +# and if the 'zipsubfolder' value is set to 1 + if (exists ${$parent}{zipsubfolder} && ${$parent}{zipsubfolder} == 1) { + %item = parseZipSubFolderItem($values{$v}); + $item{zipsubfolder} = 1; + } + elsif ($type == 0x00) { +# Variable/Property Sheet + %item = parseVariableEntry($values{$v}); + } + elsif ($type == 0x01) { +# + %item = parse01ShellItem($values{$v}); + } + elsif ($type == 0x1F) { +# System Folder + %item = parseSystemFolderEntry($values{$v}); + } + elsif ($type == 0x2e) { +# Device + %item = parseDeviceEntry($values{$v}); + } + elsif ($type == 0x2F) { +# Volume (Drive Letter) + %item = parseDriveEntry($values{$v}); + + } + elsif ($type == 0xc3 || $type == 0x41 || $type == 0x42 || $type == 0x46 || $type == 0x47) { +# Network stuff + my $id = unpack("C",substr($values{$v},3,1)); + if ($type == 0xc3 && $id != 0x01) { + %item = parseNetworkEntry($values{$v}); + } + else { + %item = parseNetworkEntry($values{$v}); + } + } + elsif ($type == 
0x31 || $type == 0x32 || $type == 0xb1 || $type == 0x74) { +# Folder or Zip File + %item = parseFolderEntry($values{$v}); + } + elsif ($type == 0x35) { + %item = parseFolderEntry2($values{$v}); + } + elsif ($type == 0x71) { +# Control Panel + %item = parseControlPanelEntry($values{$v}); + } + elsif ($type == 0x61) { +# URI type + %item = parseURIEntry($values{$v}); + } + else { +# Unknown type + $item{name} = sprintf "Unknown Type (0x%x)",$type; + } + + if ($item{name} =~ m/\.zip$/ && $type == 0x32) { + $item{zipsubfolder} = 1; + } +# for debug purposes +# $item{name} = $item{name}."[".$v."]"; +# ::rptMsg(${$parent}{path}.$item{name}); + + if ($mru != 4294967295 && ($v == $mru)) { + $item{mrutime} = $key->get_timestamp(); + $item{mrutime_str} = $key->get_timestamp_as_string(); + $item{mrutime_str} =~ s/T/ /; + $item{mrutime_str} =~ s/Z/ /; + } + + my ($m,$a,$c,$o); + (exists $item{mtime_str} && $item{mtime_str} ne "0") ? ($m = $item{mtime_str}) : ($m = ""); + (exists $item{atime_str} && $item{atime_str} ne "0") ? ($a = $item{atime_str}) : ($a = ""); + (exists $item{ctime_str} && $item{ctime_str} ne "0") ? ($c = $item{ctime_str}) : ($c = ""); + (exists $item{datetime} && $item{datetime} ne "N/A") ? 
($o = $item{datetime}) : ($o = ""); + + my $resource = ${$parent}{path}.$item{name}; + if (exists $item{filesize}) { + $resource .= " [".$item{filesize}."]"; + } + + my $str = sprintf "%-20s |%-20s | %-20s | %-20s | %-20s |".$resource,$item{mrutime_str},$m,$a,$c,$o; + ::rptMsg($str); + + if ($item{name} eq "" || $item{name} =~ m/\\$/) { + + } + else { + $item{name} = $item{name}."\\"; + } + $item{path} = ${$parent}{path}.$item{name}; + traverse($key->get_subkey($v),\%item); + } +} +#------------------------------------------------------------------------------- +## Functions +#------------------------------------------------------------------------------- + +#----------------------------------------------------------- +# parseVariableEntry() +# +#----------------------------------------------------------- +sub parseVariableEntry { + my $data = shift; + my %item = (); + + $item{type} = unpack("C",substr($data,2,1)); + my $tag = unpack("C",substr($data,0x0A,1)); + + if (unpack("v",substr($data,4,2)) == 0x1A) { + my $guid = parseGUID(substr($data,14,16)); + + if (exists $folder_types{$guid}) { + $item{name} = $folder_types{$guid}; + } + else { + $item{name} = $guid; + } + } + elsif (grep(/1SPS/,$data)) { + my @seg = split(/1SPS/,$data); + + my %segs = (); + foreach my $s (0..(scalar(@seg) - 1)) { + my $guid = parseGUID(substr($seg[$s],0,16)); + $segs{$guid} = $seg[$s]; + } + + if (exists $segs{"{b725f130-47ef-101a-a5f1-02608c9eebac}"}) { +# Ref: http://msdn.microsoft.com/en-us/library/aa965725(v=vs.85).aspx + my $stuff = $segs{"{b725f130-47ef-101a-a5f1-02608c9eebac}"}; + + my $tag = 1; + my $cnt = 0x10; + while($tag) { + my $sz = unpack("V",substr($stuff,$cnt,4)); + my $id = unpack("V",substr($stuff,$cnt + 4,4)); +#-------------------------------------------------------------- +# sub-segment types +# 0x0a - file name +# 0x14 - short name +# 0x0e, 0x0f, 0x10 - mod date, create date, access date(?) 
+# 0x0c - size +#-------------------------------------------------------------- + if ($sz == 0x00) { + $tag = 0; + next; + } + elsif ($id == 0x0a) { + + my $num = unpack("V",substr($stuff,$cnt + 13,4)); + my $str = substr($stuff,$cnt + 13 + 4,($num * 2)); + $str =~ s/\00//g; + $item{name} = $str; + } + $cnt += $sz; + } + } + +# if (exists $segs{"{5cbf2787-48cf-4208-b90e-ee5e5d420294}"}) { +# my $stuff = $segs{"{5cbf2787-48cf-4208-b90e-ee5e5d420294}"}; +# my $tag = 1; +# my $cnt = 0x10; +# while($tag) { +# my $sz = unpack("V",substr($stuff,$cnt,4)); +# my $id = unpack("V",substr($stuff,$cnt + 4,4)); +# +# if ($sz == 0x00) { +# $tag = 0; +# next; +# } +# elsif ($id == 0x19) { +# +# my $num = unpack("V",substr($stuff,$cnt + 13,4)); +# my $str = substr($stuff,$cnt + 13 + 4,($num * 2)); +# $str =~ s/\00//g; +# $item{name} = $str; +# } +# $cnt += $sz; +# } +# } + } + elsif (substr($data,4,4) eq "AugM") { + %item = parseFolderEntry($data); + } +# Following two entries are for Device Property data + elsif ($tag == 0x7b || $tag == 0xbb || $tag == 0xfb) { + my ($sz1,$sz2,$sz3) = unpack("VVV",substr($data,0x3e,12)); + $item{name} = substr($data,0x4a,$sz1 * 2); + $item{name} =~ s/\00//g; + } + elsif ($tag == 0x02 || $tag == 0x03) { + my ($sz1,$sz2,$sz3,$sz4) = unpack("VVVV",substr($data,0x26,16)); + $item{name} = substr($data,0x36,$sz1 * 2); + $item{name} =~ s/\00//g; + } + else { + $item{name} = "Unknown Type"; + } + return %item; +} + +#----------------------------------------------------------- +# parseNetworkEntry() +# +#----------------------------------------------------------- +sub parseNetworkEntry { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1)); + + my @n = split(/\00/,substr($data,4,length($data) - 4)); + $item{name} = $n[0]; + return %item; +} + +#----------------------------------------------------------- +# parseZipSubFolderItem() +# parses what appears to be Zip file subfolders; this type +# appears to contain the date and 
time of when the subfolder +# was accessed/opened, in string format. +#----------------------------------------------------------- +sub parseZipSubFolderItem { + my $data = shift; + my %item = (); + +# Get the opened/accessed date/time + $item{datetime} = substr($data,0x24,6); + $item{datetime} =~ s/\00//g; + if ($item{datetime} eq "N/A") { + + } + else { + $item{datetime} = substr($data,0x24,40); + $item{datetime} =~ s/\00//g; + my ($date,$time) = split(/\s+/,$item{datetime},2); + my ($mon,$day,$yr) = split(/\//,$date,3); + my ($hr,$min,$sec) = split(/:/,$time,3); + my $gmtime = timegm($sec,$min,$hr,$day,($mon - 1),$yr); + $item{datetime} = "$yr-$mon-$day $hr:$min:$sec"; +# ::rptMsg("[Access_Time]: ".gmtime($gmtime)); + } + + my $sz = unpack("V",substr($data,0x54,4)); + my $sz2 = unpack("V",substr($data,0x58,4)); + + my $str1 = substr($data,0x5C,$sz *2) if ($sz > 0); + $str1 =~ s/\00//g; + my $str2 = substr($data,0x5C + ($sz * 2),$sz2 *2) if ($sz2 > 0); + $str2 =~ s/\00//g; + + if ($sz2 > 0) { + $item{name} = $str1."\\".$str2; + } + else { + $item{name} = $str1; + } + return %item; +} + +#----------------------------------------------------------- +# parse01ShellItem() +# I honestly have no idea what to do with this data; there's really +# no reference for or description of the format of this data. 
For +# now, this is just a place holder +#----------------------------------------------------------- +sub parse01ShellItem { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1));; + $item{name} = ""; +# ($item{val0},$item{val1}) = unpack("VV",substr($data,2,length($data) - 2)); + return %item; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseURIEntry { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1)); + + my ($lo,$hi) = unpack("VV",substr($data,0x0e,8)); + $item{uritime} = ::getTime($lo,$hi); + + my $sz = unpack("V",substr($data,0x2a,4)); + my $uri = substr($data,0x2e,$sz); + $uri =~ s/\00//g; + + my $proto = substr($data,length($data) - 6, 6); + $proto =~ s/\00//g; + + $item{name} = $proto."://".$uri." [".gmtime($item{uritime})."]"; + + return %item; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseSystemFolderEntry { + my $data = shift; + my %item = (); + + my %vals = (0x00 => "Explorer", + 0x42 => "Libraries", + 0x44 => "Users", + 0x4c => "Public", + 0x48 => "My Documents", + 0x50 => "My Computer", + 0x58 => "My Network Places", + 0x60 => "Recycle Bin", + 0x68 => "Explorer", + 0x70 => "Control Panel", + 0x78 => "Recycle Bin", + 0x80 => "My Games"); + + $item{type} = unpack("C",substr($data,2,1)); + $item{id} = unpack("C",substr($data,3,1)); + if (exists $vals{$item{id}}) { + $item{name} = $vals{$item{id}}; + } + else { + $item{name} = parseGUID(substr($data,4,16)); + } + return %item; +} + +#----------------------------------------------------------- +# parseGUID() +# Takes 16 bytes of binary data, returns a string formatted +# as an MS GUID. 
+#----------------------------------------------------------- +sub parseGUID { + my $data = shift; + my $d1 = unpack("V",substr($data,0,4)); + my $d2 = unpack("v",substr($data,4,2)); + my $d3 = unpack("v",substr($data,6,2)); + my $d4 = unpack("H*",substr($data,8,2)); + my $d5 = unpack("H*",substr($data,10,6)); + return sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseDeviceEntry { + my $data = shift; + my %item = (); + + my $userlen = unpack("V",substr($data,30,4)); + my $devlen = unpack("V",substr($data,34,4)); + + my $user = substr($data,0x28,$userlen * 2); + $user =~ s/\00//g; + + my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2); + $dev =~ s/\00//g; + + $item{name} = $user; + return %item; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseDriveEntry { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1));; + $item{name} = substr($data,3,3); + return %item; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseControlPanelEntry { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1)); + my $guid = parseGUID(substr($data,14,16)); + if (exists $cp_guids{$guid}) { + $item{name} = $cp_guids{$guid}; + } + else { + $item{name} = $guid; + } + return %item; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseFolderEntry { + my $data = shift; + my %item = (); + + $item{type} = unpack("C",substr($data,2,1)); +# Type 0x74 folders have a slightly different format + + my $ofs_mdate; + my $ofs_shortname; + + if ($item{type} == 0x74) { + $ofs_mdate = 0x12; + } + elsif (substr($data,4,4) eq "AugM") { + $ofs_mdate = 
0x1c; + } + else { + $ofs_mdate = 0x08; + } +# some type 0x32 items will include a file size + if ($item{type} == 0x32) { + my $size = unpack("V",substr($data,4,4)); + if ($size != 0) { + $item{filesize} = $size; + } + } + + my @m = unpack("vv",substr($data,$ofs_mdate,4)); + ($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]); + +# Need to read in short name; nul-term ASCII +# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0]; + $ofs_shortname = $ofs_mdate + 6; + my $tag = 1; + my $cnt = 0; + my $str = ""; + while($tag) { + my $s = substr($data,$ofs_shortname + $cnt,1); + if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { + $tag = 0; + } + else { + $str .= $s; + $cnt++; + } + } +# $str =~ s/\00//g; + my $shortname = $str; + my $ofs = $ofs_shortname + $cnt + 1; +# Read progressively, 1 byte at a time, looking for 0xbeef + my $tag = 1; + my $cnt = 0; + while ($tag) { + if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) { + $tag = 0; + } + else { + $cnt++; + } + } + $item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2)); + $ofs = $ofs + $cnt + 2; + + my @m = unpack("vv",substr($data,$ofs,4)); + ($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]); + $ofs += 4; + my @m = unpack("vv",substr($data,$ofs,4)); + ($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]); + + my $jmp; + if ($item{extver} == 0x03) { + $jmp = 8; + } + elsif ($item{extver} == 0x07) { + $jmp = 26; + } + elsif ($item{extver} == 0x08) { + $jmp = 30; + } + else {} + + $ofs += $jmp; + + my $str = substr($data,$ofs,length($data) - 30); + my $longname = (split(/\00\00/,$str,2))[0]; + $longname =~ s/\00//g; + + if ($longname ne "") { + $item{name} = $longname; + } + else { + $item{name} = $shortname; + } + return %item; +} + +#----------------------------------------------------------- +# convertDOSDate() +# subroutine to convert 4 bytes of binary data into a human- +# readable format. Returns both a string and a Unix-epoch +# time. 
+#----------------------------------------------------------- +sub convertDOSDate { + my $date = shift; + my $time = shift; + + if ($date == 0x00 || $time == 0x00){ + return (0,0); + } + else { + my $sec = ($time & 0x1f) * 2; + $sec = "0".$sec if (length($sec) == 1); + if ($sec == 60) {$sec = 59}; + my $min = ($time & 0x7e0) >> 5; + $min = "0".$min if (length($min) == 1); + my $hr = ($time & 0xF800) >> 11; + $hr = "0".$hr if (length($hr) == 1); + my $day = ($date & 0x1f); + $day = "0".$day if (length($day) == 1); + my $mon = ($date & 0x1e0) >> 5; + $mon = "0".$mon if (length($mon) == 1); + my $yr = (($date & 0xfe00) >> 9) + 1980; + my $gmtime = timegm($sec,$min,$hr,$day,($mon - 1),$yr); + return ("$yr-$mon-$day $hr:$min:$sec",$gmtime); +# return gmtime(timegm($sec,$min,$hr,$day,($mon - 1),$yr)); + } +} + + +#----------------------------------------------------------- +# parseFolderEntry2() +# +# Initial code for parsing type 0x35 +#----------------------------------------------------------- +sub parseFolderEntry2 { + my $data = shift; + my %item = (); + + my $ofs = 0; + my $tag = 1; + + while ($tag) { + if (unpack("v",substr($data,$ofs,2)) == 0xbeef) { + $tag = 0; + } + else { + $ofs++; + } + } + $item{extver} = unpack("v",substr($data,$ofs - 4,2)); +# Move offset over to end of where the ctime value would be + $ofs += 4; + + my $jmp; + if ($item{extver} == 0x03) { + $jmp = 8; + } + elsif ($item{extver} == 0x07) { + $jmp = 26; + } + elsif ($item{extver} == 0x08) { + $jmp = 30; + } + else {} + + $ofs += $jmp; + + my $str = substr($data,$ofs,length($data) - 30); + + ::rptMsg(" --- parseFolderEntry2 --- "); + my @d = printData($str); + foreach (0..(scalar(@d) - 1)) { + ::rptMsg($d[$_]); + } + ::rptMsg(""); + + $item{name} = (split(/\00\00/,$str,2))[0]; + $item{name} =~ s/\13\20/\2D\00/; + $item{name} =~ s/\00//g; + + return %item; +} +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub 
parseNetworkEntry { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1)); + my @names = split(/\00/,substr($data,5,length($data) - 5)); + $item{name} = $names[0]; + return %item; +} +#----------------------------------------------------------- +# printData() +# subroutine used primarily for debugging; takes an arbitrary +# length of binary data, prints it out in hex editor-style +# format for easy debugging +#----------------------------------------------------------- +sub printData { + my $data = shift; + my $len = length($data); + my $tag = 1; + my $cnt = 0; + my @display = (); + + my $loop = $len/16; + $loop++ if ($len%16); + + foreach my $cnt (0..($loop - 1)) { +# while ($tag) { + my $left = $len - ($cnt * 16); + + my $n; + ($left < 16) ? ($n = $left) : ($n = 16); + + my $seg = substr($data,$cnt * 16,$n); + my @str1 = split(//,unpack("H*",$seg)); + + my @s3; + my $str = ""; + + foreach my $i (0..($n - 1)) { + $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; + + if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) { + $str .= chr(hex($s3[$i])); + } + else { + $str .= "\."; + } + } + my $h = join(' ',@s3); +# ::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h); + $display[$cnt] = sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h; + } + return @display; +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/shellbags_tln.pl b/RecentActivity/release/rr-full/plugins/shellbags_tln.pl new file mode 100755 index 0000000000..37ced7b750 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/shellbags_tln.pl 
@@ -0,0 +1,795 @@ +#----------------------------------------------------------- +# shellbags_tln.pl +# RR plugin to parse (Vista, Win7/Win2008R2) shell bags +# +# History: +# 20120810 - added support for parsing Network types; added handling of +# offsets for Folder types (ie, transition to long name offset), +# based on OS version (Vista, Win7); tested against one Win2008R2 +# system (successfully); added parsing of URI types. +# 20120809 - added parsing of file szie values for type 0x32 items +# 20120808 - Updated +# 20120720 - created +# +# References +# Andrew's Python code for Registry Decoder +# http://code.google.com/p/registrydecoder/source/browse/trunk/templates/template_files/ShellBagMRU.py +# Joachim Metz's shell item format specification +# http://download.polytechnic.edu.na/pub4/download.sourceforge.net/pub/ +# sourceforge/l/project/li/liblnk/Documentation/Windows%20Shell%20Item%20format/ +# Windows%20Shell%20Item%20format.pdf +# Converting DOS Date format +# http://msdn.microsoft.com/en-us/library/windows/desktop/ms724274(v=VS.85).aspx +# +# Thanks to Willi Ballenthin and Joachim Metz for the documentation they +# provided, Andrew Case for posting the Registry Decoder code, and Kevin +# Moore for writing the shell bag parser for Registry Decoder, as well as +# assistance with some parsing. +# +# License: GPL v3 +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package shellbags_tln; +use strict; +use Time::Local; + +my %config = (hive => "USRCLASS\.DAT", + hivemask => 16, + output => "tln", + category => "User Activity", + osmask => 20, #Vista, Win7/Win2008R2 + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120810); + +sub getConfig{return %config} + +sub getShortDescr { + return "Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %cp_guids = ("{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}" => "Action Center", + "{7a979262-40ce-46ff-aeee-7884ac3b6136}" => "Add Hardware", + "{d20ea4e1-3957-11d2-a40b-0c5020524153}" => "Administrative Tools", + "{9c60de1e-e5fc-40f4-a487-460851a8d915}" => "AutoPlay", + "{b98a2bea-7d42-4558-8bd1-832f41bac6fd}" => "Backup and Restore Center", + "{0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}" => "Biometric Devices", + "{d9ef8727-cac2-4e60-809e-86f80a666c91}" => "BitLocker Drive Encryption", + "{b2c761c6-29bc-4f19-9251-e6195265baf1}" => "Color Management", + "{1206f5f1-0569-412c-8fec-3204630dfb70}" => "Credential Manager", + "{e2e7934b-dce5-43c4-9576-7fe4f75e7480}" => "Date and Time", + "{00c6d95f-329c-409a-81d7-c46c66ea7f33}" => "Default Location", + "{17cd9488-1228-4b2f-88ce-4298e93e0966}" => "Default Programs", + "{37efd44d-ef8d-41b1-940d-96973a50e9e0}" => "Desktop Gadgets", + "{74246bfc-4c96-11d0-abef-0020af6b0b7a}" => "Device Manager", + "{a8a91a66-3a7d-4424-8d24-04e180695c7a}" => "Devices and Printers", + "{c555438b-3c23-4769-a71f-b6d3d9b6053a}" => "Display", + "{d555645e-d4f8-4c29-a827-d93c859c4f2a}" => "Ease of Access Center", + "{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}" => "Folder Options", + "{93412589-74d4-4e4e-ad0e-e0cb621440fd}" => "Fonts", + "{259ef4b1-e6c9-4176-b574-481532c9bce8}" => "Game Controllers", + 
"{15eae92e-f17a-4431-9f28-805e482dafd4}" => "Get Programs", + "{cb1b7f8c-c50a-4176-b604-9e24dee8d4d1}" => "Getting Started", + "{67ca7650-96e6-4fdd-bb43-a8e774f73a57}" => "HomeGroup", + "{87d66a43-7b11-4a28-9811-c86ee395acf7}" => "Indexing Options", + "{a0275511-0e86-4eca-97c2-ecd8f1221d08}" => "Infrared", + "{a3dd4f92-658a-410f-84fd-6fbbbef2fffe}" => "Internet Options", + "{a304259d-52b8-4526-8b1a-a1d6cecc8243}" => "iSCSI Initiator", + "{725be8f7-668e-4c7b-8f90-46bdb0936430}" => "Keyboard", + "{e9950154-c418-419e-a90a-20c5287ae24b}" => "Location and Other Sensors", + "{1fa9085f-25a2-489b-85d4-86326eedcd87}" => "Manage Wireless Networks", + "{6c8eec18-8d75-41b2-a177-8831d59d2d50}" => "Mouse", + "{7007acc7-3202-11d1-aad2-00805fc1270e}" => "Network Connections", + "{8e908fc9-becc-40f6-915b-f4ca0e70d03d}" => "Network and Sharing Center", + "{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}" => "Notification Area Icons", + "{d24f75aa-4f2b-4d07-a3c4-469b3d9030c4}" => "Offline Files", + "{96ae8d84-a250-4520-95a5-a47a7e3c548b}" => "Parental Controls", + "{f82df8f7-8b9f-442e-a48c-818ea735ff9b}" => "Pen and Input Devices", + "{5224f545-a443-4859-ba23-7b5a95bdc8ef}" => "People Near Me", + "{78f3955e-3b90-4184-bd14-5397c15f1efc}" => "Performance Information and Tools", + "{ed834ed6-4b5a-4bfe-8f11-a626dcb6a921}" => "Personalization", + "{40419485-c444-4567-851a-2dd7bfa1684d}" => "Phone and Modem", + "{025a5937-a6be-4686-a844-36fe4bec8b6d}" => "Power Options", + "{2227a280-3aea-1069-a2de-08002b30309d}" => "Printers", + "{fcfeecae-ee1b-4849-ae50-685dcf7717ec}" => "Problem Reports and Solutions", + "{7b81be6a-ce2b-4676-a29e-eb907a5126c5}" => "Programs and Features", + "{9fe63afd-59cf-4419-9775-abcc3849f861}" => "Recovery", + "{62d8ed13-c9d0-4ce8-a914-47dd628fb1b0}" => "Regional and Language Options", + "{241d7c96-f8bf-4f85-b01f-e2b043341a4b}" => "RemoteApp and Desktop Connections", + "{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3}" => "Scanners and Cameras", + 
"{f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d}" => "Sound", + "{58e3c745-d971-4081-9034-86e34b30836a}" => "Speech Recognition Options", + "{9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf}" => "Sync Center", + "{bb06c0e4-d293-4f75-8a90-cb05b6477eee}" => "System", + "{80f3f1d5-feca-45f3-bc32-752c152e456e}" => "Tablet PC Settings", + "{0df44eaa-ff21-4412-828e-260a8728e7f1}" => "Taskbar and Start Menu", + "{d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3}" => "Text to Speech", + "{c58c4893-3be0-4b45-abb5-a63e4b8c8651}" => "Troubleshooting", + "{60632754-c523-4b62-b45c-4172da012619}" => "User Accounts", + "{be122a0e-4503-11da-8bde-f66bad1e3f3a}" => "Windows Anytime Upgrade", + "{78cb147a-98ea-4aa6-b0df-c8681f69341c}" => "Windows CardSpace", + "{d8559eb9-20c0-410e-beda-7ed416aecc2a}" => "Windows Defender", + "{4026492f-2f69-46b8-b9bf-5654fc07e423}" => "Windows Firewall", + "{3e7efb4c-faf1-453d-89eb-56026875ef90}" => "Windows Marketplace", + "{5ea4f148-308c-46d7-98a9-49041b1dd468}" => "Windows Mobility Center", + "{087da31b-0dd3-4537-8e23-64a18591f88b}" => "Windows Security Center", + "{e95a4861-d57a-4be1-ad0f-35267e261739}" => "Windows SideShow", + "{36eef7db-88ad-4e81-ad49-0e313f0c35f8}" => "Windows Update"); + +my %folder_types = ("{724ef170-a42d-4fef-9f26-b60e846fba4f}" => "Administrative Tools", + "{d0384e7d-bac3-4797-8f14-cba229b392b5}" => "Common Administrative Tools", + "{de974d24-d9c6-4d3e-bf91-f4455120b917}" => "Common Files", + "{c1bae2d0-10df-4334-bedd-7aa20b227a9d}" => "Common OEM Links", + "{5399e694-6ce5-4d6c-8fce-1d8870fdcba0}" => "Control Panel", + "{1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}" => "CSIDL_SYSTEM", + "{b4bfcc3a-db2c-424c-b029-7fe99a87c641}" => "Desktop", + "{7b0db17d-9cd2-4a93-9733-46cc89022e7c}" => "Documents Library", + "{fdd39ad0-238f-46af-adb4-6c85480369c7}" => "Documents", + "{374de290-123f-4565-9164-39c4925e467b}" => "Downloads", + "{de61d971-5ebc-4f02-a3a9-6c82895e5c04}" => "Get Programs", + "{a305ce99-f527-492b-8b1a-7e76fa98d6e4}" => "Installed Updates", + 
"{871c5380-42a0-1069-a2ea-08002b30309d}" => "Internet Explorer (Homepage)", + "{031e4825-7b94-4dc3-b131-e946b44c8dd5}" => "Libraries", + "{4bd8d571-6d19-48d3-be97-422220080e43}" => "Music", + "{20d04fe0-3aea-1069-a2d8-08002b30309d}" => "My Computer", + "{450d8fba-ad25-11d0-98a8-0800361b1103}" => "My Documents", + "{ed228fdf-9ea8-4870-83b1-96b02cfe0d52}" => "My Games", + "{208d2c60-3aea-1069-a2d7-08002b30309d}" => "My Network Places", + "{f02c1a0d-be21-4350-88b0-7367fc96ef3c}" => "Network", + "{33e28130-4e1e-4676-835a-98395c3bc3bb}" => "Pictures", + "{a990ae9f-a03b-4e80-94bc-9912d7504104}" => "Pictures", + "{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}" => "Program Files (x86)", + "{905e63b6-c1bf-494e-b29c-65b732d3d21a}" => "Program Files", + "{df7266ac-9274-4867-8d55-3bd661de872d}" => "Programs and Features", + "{3214fab5-9757-4298-bb61-92a9deaa44ff}" => "Public Music", + "{b6ebfb86-6907-413c-9af7-4fc2abf07cc5}" => "Public Pictures", + "{2400183a-6185-49fb-a2d8-4a392a602ba3}" => "Public Videos", + "{4336a54d-38b-4685-ab02-99bb52d3fb8b}" => "Public", + "{491e922f-5643-4af4-a7eb-4e7a138d8174}" => "Public", + "{dfdf76a2-c82a-4d63-906a-5644ac457385}" => "Public", + "{645ff040-5081-101b-9f08-00aa002f954e}" => "Recycle Bin", + "{d65231b0-b2f1-4857-a4ce-a8e7c6ea7d27}" => "System32 (x86)", + "{9e52ab10-f80d-49df-acb8-4330f5687855}" => "Temporary Burn Folder", + "{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}" => "Users Files", + "{59031a47-3f72-44a7-89c5-5595fe6b30ee}" => "Users", + "{f38bf404-1d43-42f2-9305-67de0b28fc23}" => "Windows"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching shellbag2 v.".$VERSION); + my %item = (); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU"; + my $key; + + if ($key = $root_key->get_subkey($key_path)) { + $item{path} = "Desktop\\"; + $item{name} = ""; +# Print header info +# ::rptMsg(sprintf "%-20s |%-20s 
| %-20s | %-20s | %-20s |Resource","MRU Time","Modified","Accessed","Created","Zip_Subfolder"); +# ::rptMsg(sprintf "%-20s |%-20s | %-20s | %-20s | %-20s |"."-" x 12,"-" x 12,"-" x 12,"-" x 12,"-" x 12,"-" x 12); + traverse($key,\%item); + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub traverse { + my $key = shift; + my $parent = shift; + + my %item = (); + my @vals = $key->get_list_of_values(); + + my %values; + foreach my $v (@vals) { + my $name = $v->get_name(); + $values{$name} = $v->get_data(); + } + + delete $values{NodeSlot}; + my $mru; + if (exists $values{MRUListEx}) { + $mru = unpack("V",substr($values{MRUListEx},0,4)); + } + delete $values{MRUListEx}; + + foreach my $v (sort {$a <=> $b} keys %values) { + next unless ($v =~ m/^\d/); + + my $type = unpack("C",substr($values{$v},2,1)); + +# Need to first check to see if the parent of the item was a zip folder +# and if the 'zipsubfolder' value is set to 1 + if (exists ${$parent}{zipsubfolder} && ${$parent}{zipsubfolder} == 1) { + %item = parseZipSubFolderItem($values{$v}); + $item{zipsubfolder} = 1; + } + elsif ($type == 0x00) { +# Variable/Property Sheet + %item = parseVariableEntry($values{$v}); + } + elsif ($type == 0x01) { +# + %item = parse01ShellItem($values{$v}); + } + elsif ($type == 0x1F) { +# System Folder + %item = parseSystemFolderEntry($values{$v}); + } + elsif ($type == 0x2e) { +# Device + %item = parseDeviceEntry($values{$v}); + } + elsif ($type == 0x2F) { +# Volume (Drive Letter) + %item = parseDriveEntry($values{$v}); + } + elsif ($type == 0xc3 || $type == 0x41 || $type == 0x42 || $type == 0x46 || $type == 0x47) { +# Network stuff + my $id = unpack("C",substr($values{$v},3,1)); + if ($type == 0xc3 && $id != 0x01) { + %item = parseNetworkEntry($values{$v}); + } + else { + %item = parseNetworkEntry($values{$v}); + } + } + elsif ($type == 0x31 || $type == 0x32 || $type == 0xb1 || $type == 0x74) { +# Folder or Zip File + %item = parseFolderEntry($values{$v}); + } + elsif ($type 
== 0x71) { +# Control Panel + %item = parseControlPanelEntry($values{$v}); + } + elsif ($type == 0x61) { +# URI type + %item = parseURIEntry($values{$v}); + } + else { +# Unknown type + $item{name} = sprintf "Unknown Type (0x%x)",$type; + } + + if ($item{name} =~ m/\.zip$/ && $type == 0x32) { + $item{zipsubfolder} = 1; + } +# for debug purposes +# $item{name} = $item{name}."[".$v."]"; +# ::rptMsg(${$parent}{path}.$item{name}); + + if ($mru != 4294967295 && ($v == $mru)) { + $item{mrutime} = $key->get_timestamp(); + $item{mrutime_str} = $key->get_timestamp_as_string(); + $item{mrutime_str} =~ s/T/ /; + $item{mrutime_str} =~ s/Z/ /; + } + + my ($m,$a,$c,$o); + (exists $item{mtime_str} && $item{mtime_str} ne "0") ? ($m = $item{mtime_str}) : ($m = ""); + (exists $item{atime_str} && $item{atime_str} ne "0") ? ($a = $item{atime_str}) : ($a = ""); + (exists $item{ctime_str} && $item{ctime_str} ne "0") ? ($c = $item{ctime_str}) : ($c = ""); + (exists $item{datetime} && $item{datetime} ne "N/A") ? 
($o = $item{datetime}) : ($o = ""); + + my $resource = ${$parent}{path}.$item{name}; + if (exists $item{filesize}) { + $resource .= " [".$item{filesize}."]"; + } + +# TLN output + if (exists $item{mrutime}) { + my $str = $item{mrutime}."|REG|||ShellBags - ".$resource; + ::rptMsg($str); + } + + if (exists $item{uritime}) { + my $str = $item{uritime}."|REG|||ShellBags/URI - ".$resource; + ::rptMsg($str); + } +# my $str = sprintf "%-20s |%-20s | %-20s | %-20s | %-20s |".$resource,$item{mrutime_str},$m,$a,$c,$o; +# ::rptMsg($str); + + if ($item{name} eq "" || $item{name} =~ m/\\$/) { + + } + else { + $item{name} = $item{name}."\\"; + } + $item{path} = ${$parent}{path}.$item{name}; + traverse($key->get_subkey($v),\%item); + } +} +#------------------------------------------------------------------------------- +## Functions +#------------------------------------------------------------------------------- + +#----------------------------------------------------------- +# parseVariableEntry() +# +#----------------------------------------------------------- +sub parseVariableEntry { + my $data = shift; + my %item = (); + + $item{type} = unpack("C",substr($data,2,1)); + my $tag = unpack("C",substr($data,0x0A,1)); + + if (unpack("v",substr($data,4,2)) == 0x1A) { + my $guid = parseGUID(substr($data,14,16)); + + if (exists $folder_types{$guid}) { + $item{name} = $folder_types{$guid}; + } + else { + $item{name} = $guid; + } + } + elsif (grep(/1SPS/,$data)) { + my @seg = split(/1SPS/,$data); + + my %segs = (); + foreach my $s (0..(scalar(@seg) - 1)) { + my $guid = parseGUID(substr($seg[$s],0,16)); + $segs{$guid} = $seg[$s]; + } + + if (exists $segs{"{b725f130-47ef-101a-a5f1-02608c9eebac}"}) { +# Ref: http://msdn.microsoft.com/en-us/library/aa965725(v=vs.85).aspx + my $stuff = $segs{"{b725f130-47ef-101a-a5f1-02608c9eebac}"}; + + my $tag = 1; + my $cnt = 0x10; + while($tag) { + my $sz = unpack("V",substr($stuff,$cnt,4)); + my $id = unpack("V",substr($stuff,$cnt + 4,4)); 
+#-------------------------------------------------------------- +# sub-segment types +# 0x0a - file name +# 0x14 - short name +# 0x0e, 0x0f, 0x10 - mod date, create date, access date(?) +# 0x0c - size +#-------------------------------------------------------------- + if ($sz == 0x00) { + $tag = 0; + next; + } + elsif ($id == 0x0a) { + + my $num = unpack("V",substr($stuff,$cnt + 13,4)); + my $str = substr($stuff,$cnt + 13 + 4,($num * 2)); + $str =~ s/\00//g; + $item{name} = $str; + } + $cnt += $sz; + } + } + +# if (exists $segs{"{5cbf2787-48cf-4208-b90e-ee5e5d420294}"}) { +# my $stuff = $segs{"{5cbf2787-48cf-4208-b90e-ee5e5d420294}"}; +# my $tag = 1; +# my $cnt = 0x10; +# while($tag) { +# my $sz = unpack("V",substr($stuff,$cnt,4)); +# my $id = unpack("V",substr($stuff,$cnt + 4,4)); +# +# if ($sz == 0x00) { +# $tag = 0; +# next; +# } +# elsif ($id == 0x19) { +# +# my $num = unpack("V",substr($stuff,$cnt + 13,4)); +# my $str = substr($stuff,$cnt + 13 + 4,($num * 2)); +# $str =~ s/\00//g; +# $item{name} = $str; +# } +# $cnt += $sz; +# } +# } + } + elsif (substr($data,4,4) eq "AugM") { + %item = parseFolderEntry($data); + } +# Following two entries are for Device Property data + elsif ($tag == 0x7b || $tag == 0xbb || $tag == 0xfb) { + my ($sz1,$sz2,$sz3) = unpack("VVV",substr($data,0x3e,12)); + $item{name} = substr($data,0x4a,$sz1 * 2); + $item{name} =~ s/\00//g; + } + elsif ($tag == 0x02 || $tag == 0x03) { + my ($sz1,$sz2,$sz3,$sz4) = unpack("VVVV",substr($data,0x26,16)); + $item{name} = substr($data,0x36,$sz1 * 2); + $item{name} =~ s/\00//g; + } + else { + $item{name} = "Unknown Type"; + } + return %item; +} + +#----------------------------------------------------------- +# parseNetworkEntry() +# +#----------------------------------------------------------- +sub parseNetworkEntry { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1)); + + my @n = split(/\00/,substr($data,4,length($data) - 4)); + $item{name} = $n[0]; + return %item; +} + 
+#----------------------------------------------------------- +# parseZipSubFolderItem() +# parses what appears to be Zip file subfolders; this type +# appears to contain the date and time of when the subfolder +# was accessed/opened, in string format. +#----------------------------------------------------------- +sub parseZipSubFolderItem { + my $data = shift; + my %item = (); + +# Get the opened/accessed date/time + $item{datetime} = substr($data,0x24,6); + $item{datetime} =~ s/\00//g; + if ($item{datetime} eq "N/A") { + + } + else { + $item{datetime} = substr($data,0x24,40); + $item{datetime} =~ s/\00//g; + my ($date,$time) = split(/\s+/,$item{datetime},2); + my ($mon,$day,$yr) = split(/\//,$date,3); + my ($hr,$min,$sec) = split(/:/,$time,3); + my $gmtime = timegm($sec,$min,$hr,$day,($mon - 1),$yr); + $item{datetime} = "$yr-$mon-$day $hr:$min:$sec"; +# ::rptMsg("[Access_Time]: ".gmtime($gmtime)); + } + + my $sz = unpack("V",substr($data,0x54,4)); + my $sz2 = unpack("V",substr($data,0x58,4)); + + my $str1 = substr($data,0x5C,$sz *2) if ($sz > 0); + $str1 =~ s/\00//g; + my $str2 = substr($data,0x5C + ($sz * 2),$sz2 *2) if ($sz2 > 0); + $str2 =~ s/\00//g; + + if ($sz2 > 0) { + $item{name} = $str1."\\".$str2; + } + else { + $item{name} = $str1; + } + return %item; +} + +#----------------------------------------------------------- +# parse01ShellItem() +# I honestly have no idea what to do with this data; there's really +# no reference for or description of the format of this data. 
For +# now, this is just a place holder +#----------------------------------------------------------- +sub parse01ShellItem { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1));; + $item{name} = ""; +# ($item{val0},$item{val1}) = unpack("VV",substr($data,2,length($data) - 2)); + return %item; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseURIEntry { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1)); + + my ($lo,$hi) = unpack("VV",substr($data,0x0e,8)); + $item{uritime} = ::getTime($lo,$hi); + + my $sz = unpack("V",substr($data,0x2a,4)); + my $uri = substr($data,0x2e,$sz); + $uri =~ s/\00//g; + + my $proto = substr($data,length($data) - 6, 6); + $proto =~ s/\00//g; + + $item{name} = $proto."://".$uri; + + return %item; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseSystemFolderEntry { + my $data = shift; + my %item = (); + + my %vals = (0x00 => "Explorer", + 0x42 => "Libraries", + 0x44 => "Users", + 0x4c => "Public", + 0x48 => "My Documents", + 0x50 => "My Computer", + 0x58 => "My Network Places", + 0x60 => "Recycle Bin", + 0x68 => "Explorer", + 0x70 => "Control Panel", + 0x78 => "Recycle Bin", + 0x80 => "My Games"); + + $item{type} = unpack("C",substr($data,2,1)); + $item{id} = unpack("C",substr($data,3,1)); + if (exists $vals{$item{id}}) { + $item{name} = $vals{$item{id}}; + } + else { + $item{name} = parseGUID(substr($data,4,16)); + } + return %item; +} + +#----------------------------------------------------------- +# parseGUID() +# Takes 16 bytes of binary data, returns a string formatted +# as an MS GUID. 
+#----------------------------------------------------------- +sub parseGUID { + my $data = shift; + my $d1 = unpack("V",substr($data,0,4)); + my $d2 = unpack("v",substr($data,4,2)); + my $d3 = unpack("v",substr($data,6,2)); + my $d4 = unpack("H*",substr($data,8,2)); + my $d5 = unpack("H*",substr($data,10,6)); + return sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseDeviceEntry { + my $data = shift; + my %item = (); + + my $userlen = unpack("V",substr($data,30,4)); + my $devlen = unpack("V",substr($data,34,4)); + + my $user = substr($data,0x28,$userlen * 2); + $user =~ s/\00//g; + + my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2); + $dev =~ s/\00//g; + + $item{name} = $user; + return %item; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseDriveEntry { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1));; + $item{name} = substr($data,3,3); + return %item; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseControlPanelEntry { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1)); + my $guid = parseGUID(substr($data,14,16)); + if (exists $cp_guids{$guid}) { + $item{name} = $cp_guids{$guid}; + } + else { + $item{name} = $guid; + } + return %item; +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseFolderEntry { + my $data = shift; + my %item = (); + + $item{type} = unpack("C",substr($data,2,1)); +# Type 0x74 folders have a slightly different format + + my $ofs_mdate; + my $ofs_shortname; + + if ($item{type} == 0x74) { + $ofs_mdate = 0x12; + } + elsif (substr($data,4,4) eq "AugM") { + $ofs_mdate = 
0x1c; + } + else { + $ofs_mdate = 0x08; + } +# some type 0x32 items will include a file size + if ($item{type} == 0x32) { + my $size = unpack("V",substr($data,4,4)); + if ($size != 0) { + $item{filesize} = $size; + } + } + + my @m = unpack("vv",substr($data,$ofs_mdate,4)); + ($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]); + +# Need to read in short name; nul-term ASCII +# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0]; + $ofs_shortname = $ofs_mdate + 6; + my $tag = 1; + my $cnt = 0; + my $str = ""; + while($tag) { + my $s = substr($data,$ofs_shortname + $cnt,1); + if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) { + $tag = 0; + } + else { + $str .= $s; + $cnt++; + } + } +# $str =~ s/\00//g; + my $shortname = $str; + my $ofs = $ofs_shortname + $cnt + 1; +# Read progressively, 1 byte at a time, looking for 0xbeef + my $tag = 1; + my $cnt = 0; + while ($tag) { + if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) { + $tag = 0; + } + else { + $cnt++; + } + } + $item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2)); + $ofs = $ofs + $cnt + 2; + + my @m = unpack("vv",substr($data,$ofs,4)); + ($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]); + $ofs += 4; + my @m = unpack("vv",substr($data,$ofs,4)); + ($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]); + + my $jmp; + if ($item{extver} == 0x07) { + $jmp = 26; + } + elsif ($item{extver} == 0x08) { + $jmp = 30; + } + + $ofs += $jmp; + + my $str = substr($data,$ofs,length($data) - 30); + my $longname = (split(/\00\00/,$str,2))[0]; + $longname =~ s/\00//g; + + if ($longname ne "") { + $item{name} = $longname; + } + else { + $item{name} = $shortname; + } + return %item; +} + +#----------------------------------------------------------- +# convertDOSDate() +# subroutine to convert 4 bytes of binary data into a human- +# readable format. Returns both a string and a Unix-epoch +# time. 
+#----------------------------------------------------------- +sub convertDOSDate { + my $date = shift; + my $time = shift; + + if ($date == 0x00 || $time == 0x00){ + return (0,0); + } + else { + my $sec = ($time & 0x1f) * 2; + $sec = "0".$sec if (length($sec) == 1); + if ($sec == 60) {$sec = 59}; + my $min = ($time & 0x7e0) >> 5; + $min = "0".$min if (length($min) == 1); + my $hr = ($time & 0xF800) >> 11; + $hr = "0".$hr if (length($hr) == 1); + my $day = ($date & 0x1f); + $day = "0".$day if (length($day) == 1); + my $mon = ($date & 0x1e0) >> 5; + $mon = "0".$mon if (length($mon) == 1); + my $yr = (($date & 0xfe00) >> 9) + 1980; + my $gmtime = timegm($sec,$min,$hr,$day,($mon - 1),$yr); + return ("$yr-$mon-$day $hr:$min:$sec",$gmtime); +# return gmtime(timegm($sec,$min,$hr,$day,($mon - 1),$yr)); + } +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parseNetworkEntry { + my $data = shift; + my %item = (); + $item{type} = unpack("C",substr($data,2,1)); + my @names = split(/\00/,substr($data,5,length($data) - 5)); + $item{name} = $names[0]; + return %item; +} +#----------------------------------------------------------- +# printData() +# subroutine used primarily for debugging; takes an arbitrary +# length of binary data, prints it out in hex editor-style +# format for easy debugging +#----------------------------------------------------------- +sub printData { + my $data = shift; + my $len = length($data); + my $tag = 1; + my $cnt = 0; + + my $loop = $len/16; + $loop++ if ($len%16); + + foreach my $cnt (0..($loop - 1)) { +# while ($tag) { + my $left = $len - ($cnt * 16); + + my $n; + ($left < 16) ? 
($n = $left) : ($n = 16); + + my $seg = substr($data,$cnt * 16,$n); + my @str1 = split(//,unpack("H*",$seg)); + + my @s3; + my $str = ""; + + foreach my $i (0..($n - 1)) { + $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; + + if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) { + $str .= chr(hex($s3[$i])); + } + else { + $str .= "\."; + } + } + my $h = join(' ',@s3); + ::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h); + } +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/shellexec.pl b/RecentActivity/release/rr-full/plugins/shellexec.pl new file mode 100755 index 0000000000..33ffd65fcc --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/shellexec.pl 
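Review bot: `parseNetworkEntry` is defined twice in shellbags_tln.pl — once after `parseVariableEntry`, reading names from `substr($data,4,...)`, and again after `convertDOSDate`, reading from `substr($data,5,...)` — so the second definition silently replaces the first (Perl only reports "Subroutine redefined" under `use warnings`, which this file does not enable) and the offset-4 variant is dead code; shellbags.pl in the preceding hunk carries the same pair. The marker scans in `parseFolderEntry` and `parseFolderEntry2` (`while ($tag) { if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) ...`) never terminate when no 0xBEEF word is present, because `substr` past the end of the value yields nothing and the comparison stays false, so a single truncated or malformed BagMRU value taken from the evidence hive hangs the whole run. Bound the scan by the value length, e.g. `while ($tag && $ofs + $cnt + 2 <= length($data)) {`, and give `$item{name}` an explicit error marker when the loop exits without a match; the short-name loop just above it has the same unbounded shape. Separately, this copy of `parseFolderEntry` drops the `extver == 0x03` branch that the shellbags.pl copy keeps, leaving `$jmp` undefined (treated as 0) for that extension version.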
@@ -0,0 +1,125 @@ +#----------------------------------------------------------- +# shellexec +# Get ShellExecuteHooks values from Software hive (based on BHO +# code) +# +# ShellExecuteHooks are DLLs that load as part of the Explorer.exe process, +# and can intercept commands. There are some legitimate applications that +# run as ShellExecuteHooks, but many times, malware (spy-, ad-ware) will +# install here. ShellExecuteHooks allow you to type a URL into the Start->Run +# box and have that URL opened in your browser. For example, in 2001, Michael +# Dunn wrote KBLaunch, a ShellExecuteHook that looked for "?q" in the Run box +# and would open the appropriate MS KB article. +# +# Refs: +# http://support.microsoft.com/kb/914922 +# http://support.microsoft.com/kb/170918 +# http://support.microsoft.com/kb/943460 +# +# History: +# 20130410 - added Wow6432Node support +# 20081229 - initial creation +# +# copyright 2013 QAR, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package shellexec; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130410); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets ShellExecuteHooks from Software hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %bhos; + ::logMsg("Launching shellexec v.".$VERSION); + ::rptMsg("shellexec v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my @paths = ("Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks", + "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks"); + + foreach my $key_path (@paths) { + my $key; + if ($key = 
$root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar (@vals) > 0) { + foreach my $s (@vals) { + my $name = $s->get_name(); + next if ($name =~ m/^-/ || $name eq ""); + my $clsid_path = "Classes\\CLSID\\".$name; + my $clsid; + if ($clsid = $root_key->get_subkey($clsid_path)) { + my $class; + my $mod; + my $lastwrite; + + eval { + $class = $clsid->get_value("")->get_data(); + $bhos{$name}{class} = $class; + }; + if ($@) { + ::logMsg(" Error getting Class name for CLSID\\".$name); + ::logMsg(" ".$@); + } + eval { + $mod = $clsid->get_subkey("InProcServer32")->get_value("")->get_data(); + $bhos{$name}{module} = $mod; + }; + if ($@) { + ::logMsg(" Error getting Module name for CLSID\\".$name); + ::logMsg(" ".$@); + } + eval{ + $lastwrite = $clsid->get_subkey("InProcServer32")->get_timestamp(); + $bhos{$name}{lastwrite} = $lastwrite; + }; + if ($@) { + ::logMsg(" Error getting LastWrite time for CLSID\\".$name); + ::logMsg(" ".$@); + } + + foreach my $b (keys %bhos) { + ::rptMsg($b); + ::rptMsg(" Class => ".$bhos{$b}{class}); + ::rptMsg(" Module => ".$bhos{$b}{module}); + ::rptMsg(" LastWrite => ".gmtime($bhos{$b}{lastwrite})); + ::rptMsg(""); + } + } + else { + ::rptMsg($clsid_path." not found."); + ::rptMsg(""); + } + } + } + else { + ::rptMsg($key_path." has no values. No ShellExecuteHooks installed."); + } + } + else { + ::rptMsg($key_path." not found."); + } + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/shellext.pl b/RecentActivity/release/rr-full/plugins/shellext.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/shellext.pl rename to RecentActivity/release/rr-full/plugins/shellext.pl index 8f9994d9d4..620abc5dff --- a/thirdparty/rr/plugins/shellext.pl +++ b/RecentActivity/release/rr-full/plugins/shellext.pl 
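Review bot: The report loop `foreach my $b (keys %bhos)` sits inside the per-value loop (within the `if ($clsid = ...)` branch), so the whole accumulated hash is re-printed after every CLSID lookup and the first hook found appears once per hook in the key; `%bhos` is also declared once for both paths, so the Wow6432Node section repeats the native entries. Moving the loop to just after `foreach my $s (@vals)` closes and resetting `%bhos` per `$key_path` prints each hook exactly once, and guarding the fields with `defined` removes the "uninitialized value" noise when the Class/InProcServer32 eval failed — a failure that currently goes only to the log, not to the report the examiner reads, although a ShellExecuteHooks entry whose CLSID resolves but has no InProcServer32 is itself worth surfacing. One thing to verify: for the Wow6432Node hooks path the lookup still goes to `Classes\CLSID\{GUID}`; on a 64-bit Software hive the 32-bit COM registration is presumably under `Classes\Wow6432Node\CLSID`, so those entries would report "not found" even when they exist.
```perl
  foreach my $key_path (@paths) {
    my %bhos = ();   # reset per path so Wow6432Node entries are not merged with native ones
    my $key;
    if ($key = $root_key->get_subkey($key_path)) {
      # … unchanged: key path, LastWrite line, get_list_of_values …
      foreach my $s (@vals) {
        # … unchanged: name filter, Classes\CLSID lookup, Class / InProcServer32 / LastWrite evals into $bhos{$name} …
      }
      # report once, after every value in this key has been resolved
      foreach my $b (keys %bhos) {
        ::rptMsg($b);
        ::rptMsg("  Class => ".(defined $bhos{$b}{class} ? $bhos{$b}{class} : "(not found)"));
        ::rptMsg("  Module => ".(defined $bhos{$b}{module} ? $bhos{$b}{module} : "(InProcServer32 not found)"));
        ::rptMsg("  LastWrite => ".(defined $bhos{$b}{lastwrite} ? gmtime($bhos{$b}{lastwrite}) : "(n/a)"));
        ::rptMsg("");
      }
      # … unchanged: "has no values" and "not found" branches …
```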
@@ -1,96 +1,98 @@ -#----------------------------------------------------------- -# shellext -# Plugin to get approved shell extensions list from the -# Software hive -# -# This plugin retrieves the list of approved shell extensions from -# the Software hive; specifically, the "Shell Extensions\Approved" -# key. Once it has the names (GUID) and data (string) of each value, -# it then goes to the Classes\CLSID\{GUID} key to get the name of/path to -# the associated DLL, if available. It also gets the LastWrite time of the -# Classes\CLSID\{GUID} key. -# -# Analysis of an incident showed that the intruder placed their malware in -# the C:\Windows dir, using the same name as a known valid shell extension. -# When Explorer.exe launches, it reads the list of approved shell extensions, -# then goes to the Classes\CLSID key to get the path to the associated DLL. The -# intruder chose a shell extension that did not have an explicit path, so when -# explorer.exe looked for it, it started in the C:\Windows dir, and never got to -# the legit DLL in the C:\Windows\system32 dir. 
-# -# References: -# http://msdn.microsoft.com/en-us/library/ms682586%28VS.85%29.aspx -# -# -# Note: This plugin can take several minutes to run -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package shellext; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100515); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Shell Extensions from Software hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %bhos; - ::logMsg("Launching shellext v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved";; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my %exts; - - my @vals = $key->get_list_of_values(); - if (scalar (@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - $exts{$name}{name} = $v->get_data(); - - my $clsid_path = "Classes\\CLSID\\".$name; - my $clsid; - if ($clsid = $root_key->get_subkey($clsid_path)) { - eval { - $exts{$v->get_name()}{lastwrite} = $clsid->get_timestamp(); - $exts{$v->get_name()}{dll} = $clsid->get_subkey("InProcServer32")->get_value("")->get_data(); - }; - } - } - foreach my $e (keys %exts) { - ::rptMsg($e." ".$exts{$e}{name}); - ::rptMsg(" DLL: ".$exts{$e}{dll}); - ::rptMsg(" Timestamp: ".gmtime($exts{$e}{lastwrite})." Z"); - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# shellext +# Plugin to get approved shell extensions list from the +# Software hive +# +# This plugin retrieves the list of approved shell extensions from +# the Software hive; specifically, the "Shell Extensions\Approved" +# key. Once it has the names (GUID) and data (string) of each value, +# it then goes to the Classes\CLSID\{GUID} key to get the name of/path to +# the associated DLL, if available. It also gets the LastWrite time of the +# Classes\CLSID\{GUID} key. +# +# Analysis of an incident showed that the intruder placed their malware in +# the C:\Windows dir, using the same name as a known valid shell extension. +# When Explorer.exe launches, it reads the list of approved shell extensions, +# then goes to the Classes\CLSID key to get the path to the associated DLL. The +# intruder chose a shell extension that did not have an explicit path, so when +# explorer.exe looked for it, it started in the C:\Windows dir, and never got to +# the legit DLL in the C:\Windows\system32 dir. 
+# +# References: +# http://msdn.microsoft.com/en-us/library/ms682586%28VS.85%29.aspx +# +# +# Note: This plugin can take several minutes to run +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package shellext; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100515); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets Shell Extensions from Software hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %bhos; + ::logMsg("Launching shellext v.".$VERSION); + ::rptMsg("shellext v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved";; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my %exts; + + my @vals = $key->get_list_of_values(); + if (scalar (@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + $exts{$name}{name} = $v->get_data(); + + my $clsid_path = "Classes\\CLSID\\".$name; + my $clsid; + if ($clsid = $root_key->get_subkey($clsid_path)) { + eval { + $exts{$v->get_name()}{lastwrite} = $clsid->get_timestamp(); + $exts{$v->get_name()}{dll} = $clsid->get_subkey("InProcServer32")->get_value("")->get_data(); + }; + } + } + foreach my $e (keys %exts) { + ::rptMsg($e." ".$exts{$e}{name}); + ::rptMsg(" DLL: ".$exts{$e}{dll}); + ::rptMsg(" Timestamp: ".gmtime($exts{$e}{lastwrite})." Z"); + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/shellfolders.pl b/RecentActivity/release/rr-full/plugins/shellfolders.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/shellfolders.pl rename to RecentActivity/release/rr-full/plugins/shellfolders.pl index 42eb461f40..dce73911f0 --- a/thirdparty/rr/plugins/shellfolders.pl +++ b/RecentActivity/release/rr-full/plugins/shellfolders.pl 
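Review bot: The header describes an intruder abusing a shell extension whose InProcServer32 value had no explicit path, yet the report line `::rptMsg("  DLL: ".$exts{$e}{dll});` prints bare file names and full paths identically, and when the CLSID or InProcServer32 lookup failed the value is undef, so the line comes out blank and `gmtime($exts{$e}{lastwrite})` silently prints the 1970 epoch. Tag the cases the examiner should look at: `my $dll = $exts{$e}{dll};` then `::rptMsg("  DLL: ".(defined $dll ? $dll : "(CLSID/InProcServer32 not found)").((defined $dll && $dll !~ /\\/) ? "  [no explicit path - DLL search order applies]" : ""));`, and emit the Timestamp line only when `$exts{$e}{lastwrite}` is defined. A REG_EXPAND_SZ value such as `%SystemRoot%\...` contains a separator and would correctly not be flagged, so treat the tag as a hint to inspect, not a verdict. The whole file is in the hunk; these lines sit in the final `foreach my $e (keys %exts)` loop.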
@@ -1,71 +1,73 @@ -#----------------------------------------------------------- -# shellfolders.pl -# -# Retrieve the Shell Folders values from user's hive; while -# this may not be important in every instance, it may give the -# examiner indications as to where to look for certain items; -# for example, if the user's "My Documents" folder has been redirected -# as part of configuration changes (corporate policies, etc.). Also, -# this may be important as part of data leakage exams, as XP and Vista -# allow users to drop and drag files to the CD Burner. -# -# References: -# http://support.microsoft.com/kb/279157 -# http://support.microsoft.com/kb/326982 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package shellfolders; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090115); - -sub getConfig{return %config} - -sub getShortDescr { - return "Retrieve user Shell Folders values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching shellfolders v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $str = sprintf "%-20s %-40s",$v->get_name(),$v->get_data(); - ::rptMsg($str); - } - ::rptMsg(""); - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# shellfolders.pl +# +# Retrieve the Shell Folders values from user's hive; while +# this may not be important in every instance, it may give the +# examiner indications as to where to look for certain items; +# for example, if the user's "My Documents" folder has been redirected +# as part of configuration changes (corporate policies, etc.). Also, +# this may be important as part of data leakage exams, as XP and Vista +# allow users to drop and drag files to the CD Burner. +# +# References: +# http://support.microsoft.com/kb/279157 +# http://support.microsoft.com/kb/326982 +# +# copyright 2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package shellfolders; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090115); + +sub getConfig{return %config} + +sub getShortDescr { + return "Retrieve user Shell Folders values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching shellfolders v.".$VERSION); + ::rptMsg("shellfolders v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + my @vals = $key->get_list_of_values(); + + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $str = sprintf "%-20s %-40s",$v->get_name(),$v->get_data(); + ::rptMsg($str); + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." 
has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/shelloverlay.pl b/RecentActivity/release/rr-full/plugins/shelloverlay.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/shelloverlay.pl rename to RecentActivity/release/rr-full/plugins/shelloverlay.pl index 67c46b858f..8bf496cbed --- a/thirdparty/rr/plugins/shelloverlay.pl +++ b/RecentActivity/release/rr-full/plugins/shelloverlay.pl 
@@ -1,86 +1,88 @@ -#----------------------------------------------------------- -# shelloverlay -# Get contents of ShellIconOverlayIdentifiers subkeys; sorts data -# based on LastWrite times of subkeys -# -# History -# 20100308 - created -# -# References -# http://msdn.microsoft.com/en-us/library/cc144123%28VS.85%29.aspx -# Coreflood - http://vil.nai.com/vil/content/v_102053.htm -# http://www.secureworks.com/research/threats/coreflood/?threat=coreflood -# -# Analysis Tip: Malware such as Coreflood uses a random subkey name and a -# random CLSID GUID value -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package shelloverlay; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100308); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets ShellIconOverlayIdentifiers values"; -} -sub getDescr{} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching shelloverlay v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my %id; - - my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("shelloverlay"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $def; - eval { - $def = $s->get_value("")->get_data(); - $name .= " ".$def; - }; - push(@{$id{$s->get_timestamp()}},$name); - } - - foreach my $t (reverse sort {$a <=> $b} keys %id) { - ::rptMsg(gmtime($t)." 
Z"); - foreach my $item (@{$id{$t}}) { - ::rptMsg(" ".$item); - } - ::rptMsg(""); - } - - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# shelloverlay +# Get contents of ShellIconOverlayIdentifiers subkeys; sorts data +# based on LastWrite times of subkeys +# +# History +# 20100308 - created +# +# References +# http://msdn.microsoft.com/en-us/library/cc144123%28VS.85%29.aspx +# Coreflood - http://vil.nai.com/vil/content/v_102053.htm +# http://www.secureworks.com/research/threats/coreflood/?threat=coreflood +# +# Analysis Tip: Malware such as Coreflood uses a random subkey name and a +# random CLSID GUID value +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package shelloverlay; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100308); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets ShellIconOverlayIdentifiers values"; +} +sub getDescr{} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching shelloverlay v.".$VERSION); + ::rptMsg("shelloverlay v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my %id; + + my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("shelloverlay"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + my $def; + eval { + $def = $s->get_value("")->get_data(); + $name .= " ".$def; + }; + push(@{$id{$s->get_timestamp()}},$name); + } + + foreach my $t (reverse sort {$a <=> $b} keys %id) { + ::rptMsg(gmtime($t)." Z"); + foreach my $item (@{$id{$t}}) { + ::rptMsg(" ".$item); + } + ::rptMsg(""); + } + + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/shutdown.pl b/RecentActivity/release/rr-full/plugins/shutdown.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/shutdown.pl rename to RecentActivity/release/rr-full/plugins/shutdown.pl index a63914d5c0..727b74a1db --- a/thirdparty/rr/plugins/shutdown.pl +++ b/RecentActivity/release/rr-full/plugins/shutdown.pl 
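Review bot: With the two banner lines now added at the top of pluginmain, the pre-existing `::rptMsg("shelloverlay");` inside the `if ($key = ...)` branch prints the plugin name a second time in the report; drop that line so the section reads like the other plugins in this commit. Unlike those plugins this one also defines no `sub getRefs`, although its header lists three references and `hasRefs => 0` hides them; if the driver calls getRefs by name (presumably — not visible here) a missing sub would be a runtime error, so a `sub getRefs {}` stub keeps the plugin interface uniform. Otherwise the change is banner-only.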
@@ -1,76 +1,78 @@ -#----------------------------------------------------------- -# shutdown.pl -# Plugin for Registry Ripper; Access System hive file to get the -# contents of the ShutdownTime value -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package shutdown; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets ShutdownTime value from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching shutdown v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $win_path = $ccs."\\Control\\Windows"; - my $win; - if ($win = $root_key->get_subkey($win_path)) { - ::rptMsg($win_path." key, ShutdownTime value"); - ::rptMsg($win_path); - ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)"); - my $sd; - if ($sd = $win->get_value("ShutdownTime")->get_data()) { - my @vals = unpack("VV",$sd); - my $shutdown = ::getTime($vals[0],$vals[1]); - ::rptMsg(" ShutdownTime = ".gmtime($shutdown)." (UTC)"); - - } - else { - ::rptMsg("ShutdownTime value not found."); - } - } - else { - ::rptMsg($win_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# shutdown.pl +# Plugin for Registry Ripper; Access System hive file to get the +# contents of the ShutdownTime value +# +# Change history +# +# +# References +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package shutdown; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets ShutdownTime value from System hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching shutdown v.".$VERSION); + ::rptMsg("shutdown v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $win_path = $ccs."\\Control\\Windows"; + my $win; + if ($win = $root_key->get_subkey($win_path)) { + ::rptMsg($win_path." key, ShutdownTime value"); + ::rptMsg($win_path); + ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)"); + my $sd; + if ($sd = $win->get_value("ShutdownTime")->get_data()) { + my @vals = unpack("VV",$sd); + my $shutdown = ::getTime($vals[0],$vals[1]); + ::rptMsg(" ShutdownTime = ".gmtime($shutdown)." (UTC)"); + + } + else { + ::rptMsg("ShutdownTime value not found."); + } + } + else { + ::rptMsg($win_path." 
not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/shutdowncount.pl b/RecentActivity/release/rr-full/plugins/shutdowncount.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/shutdowncount.pl rename to RecentActivity/release/rr-full/plugins/shutdowncount.pl index 73d649117d..65efe79f4f --- a/thirdparty/rr/plugins/shutdowncount.pl +++ b/RecentActivity/release/rr-full/plugins/shutdowncount.pl 
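Review bot: The `else` branch that reports "ShutdownTime value not found." is unreachable: `get_value("ShutdownTime")` returns undef when the value is absent, so `->get_data()` dies with "Can't call method get_data on an undefined value" and pluginmain aborts instead of reporting. Change it to `my $sdv = $win->get_value("ShutdownTime");` and `if (defined $sdv) { my @vals = unpack("VV",$sdv->get_data()); ... } else { ::rptMsg("ShutdownTime value not found."); }`. Separately, `"ControlSet00".$current` only forms a valid key name for Current 1..9; `sprintf("ControlSet%03d",$current)` covers every value the Select key can hold. The `unpack("VV",...)` also assumes an 8-byte FILETIME; a truncated value yields an undef high word and a bogus timestamp, so a `length($sd) >= 8` check before conversion would be prudent for a value the examiner may rely on for timeline work.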
@@ -1,81 +1,83 @@ -#----------------------------------------------------------- -# shutdowncount.pl -# -# *Value info first seen at: -# http://forensicsfromthesausagefactory.blogspot.com/2008/06/install-dates-and-shutdown-times-found.html -# thanks to DC1743@gmail.com -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package shutdowncount; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080709); - -sub getConfig{return %config} - -sub getShortDescr { - return "Retrieves ShutDownCount value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching shutdowncount v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::logMsg("Could not find ".$key_path); - return - } - - my $key_path = $ccs."\\Control\\Watchdog\\Display"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ShutdownCount"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $count = 0; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - if ($v->get_name() eq "ShutdownCount") { - $count = 1; - ::rptMsg("ShutdownCount = ".$v->get_data()); - } - } - ::rptMsg("ShutdownCount value not found.") if ($count == 0); - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# shutdowncount.pl +# +# *Value info first seen at: +# http://forensicsfromthesausagefactory.blogspot.com/2008/06/install-dates-and-shutdown-times-found.html +# thanks to DC1743@gmail.com +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package shutdowncount; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080709); + +sub getConfig{return %config} + +sub getShortDescr { + return "Retrieves ShutDownCount value"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching shutdowncount v.".$VERSION); + ::rptMsg("shutdowncount v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::logMsg("Could not find ".$key_path); + return + } + + my $key_path = $ccs."\\Control\\Watchdog\\Display"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("ShutdownCount"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + my $count = 0; + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + if ($v->get_name() eq "ShutdownCount") { + $count = 1; + ::rptMsg("ShutdownCount = ".$v->get_data()); + } + } + ::rptMsg("ShutdownCount value not found.") if ($count == 0); + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/skype.pl b/RecentActivity/release/rr-full/plugins/skype.pl old mode 100644 new mode 100755 similarity index 95% rename from thirdparty/rr/plugins/skype.pl rename to RecentActivity/release/rr-full/plugins/skype.pl index 3c83bc65f1..94e199da35 --- a/thirdparty/rr/plugins/skype.pl +++ b/RecentActivity/release/rr-full/plugins/skype.pl 
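Review bot: `$ccs = "ControlSet00".$current;` builds a nonexistent key name whenever Select\Current is 10 or more (`ControlSet0010`), so the plugin would report `Control\Watchdog\Display not found` on a hive that actually has it; `$ccs = sprintf("ControlSet%03d",$current);` is correct for every value. The second `my $key_path` and `my $key` in the same scope re-declare variables already in scope, which `use strict` permits but `-w` warns about; reuse the first declarations. When Select itself is missing the plugin returns after writing only to the log, leaving the report with no line explaining why ShutdownCount is absent — mirror it with `::rptMsg("Could not find ".$key_path);` before the `return`.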
@@ -1,60 +1,60 @@ -#----------------------------------------------------------- -# skype.pl -# -# -# History -# 20100713 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package skype; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100713); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets data user's Skype key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching acmru v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Skype'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $install; - eval { - $install = $key->get_subkey("Installer")->get_value("DonwloadLastModified")->get_data(); - ::rptMsg("DonwloadLastModified = ".$install); - }; - ::rptMsg("DonwloadLastModified value not found: ".$@) if ($@); - - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# skype.pl +# +# +# History +# 20100713 - created +# +# References +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package skype; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100713); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets data user's Skype key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching acmru v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Skype'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my $install; + eval { + $install = $key->get_subkey("Installer")->get_value("DonwloadLastModified")->get_data(); + ::rptMsg("DonwloadLastModified = ".$install); + }; + ::rptMsg("DonwloadLastModified value not found: ".$@) if ($@); + + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/snapshot.pl b/RecentActivity/release/rr-full/plugins/snapshot.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/snapshot.pl rename to RecentActivity/release/rr-full/plugins/snapshot.pl index 29bf42b93b..5d175f09b5 --- a/thirdparty/rr/plugins/snapshot.pl +++ b/RecentActivity/release/rr-full/plugins/snapshot.pl 
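Review bot: The launch message `::logMsg("Launching acmru v.".$VERSION);` names the wrong plugin (carried over from acmru.pl), which misattributes log lines when an examiner traces which plugin touched a hive; it should read `::logMsg("Launching skype v.".$VERSION);`. This is also the only plugin in the commit that did not receive the `::rptMsg("skype v.".$VERSION); # banner` and `::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner` lines the others gained, so its report section is not self-identifying. The value name `DonwloadLastModified` looks like a typo but is presumably the misspelled name Skype actually writes; add a comment saying so, otherwise the next maintainer will "correct" it and the lookup will silently fail. Finally, the `$@` text appended to "value not found: " will be a Perl "Can't call method ... on an undefined value" message rather than an explanation; a `defined`-check on `get_subkey("Installer")` would produce a readable report line.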
@@ -1,96 +1,98 @@ -#----------------------------------------------------------- -# snapshot.pl -# Plugin to check the ActiveX component for the MS Access Snapshot -# Viewer kill bit -# -# Ref: US-CERT Vuln Note #837785, http://www.kb.cert.org/vuls/id/837785 -# -# Note: Look for each GUID key, and check for the Compatibility Flags value; -# if the value is 0x400, the kill bit is set; a vulnerable system is -# indicated by having IE version 6.x, and the kill bits NOT set (IE 7 -# requires user interaction to download the ActiveX component -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package snapshot; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20080725); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check ActiveX comp kill bit; Access Snapshot"; -} -sub getDescr{} -sub getRefs {"US-CERT Vuln Note 837785" => "http://www.kb.cert.org/vuls/id/837785"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my @guids = ("{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}", - "{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}", - "{F2175210-368C-11D0-AD81-00A0C90DC8D9}"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching snapshot v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Internet Explorer"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ActiveX Snapshot Vuln"); - ::rptMsg($key_path); - ::rptMsg(""); - my $ver; - eval { - $ver = $key->get_value("Version")->get_data(); - }; - if ($@) { - ::rptMsg("IE Version not found."); - } - else { - ::rptMsg("IE Version = ".$ver) - } - - ::rptMsg(""); - foreach my $guid (@guids) { - my $g; - eval { - $g = $key->get_subkey("ActiveX Compatibility\\".$guid); - }; - if ($@) { - 
::rptMsg("$guid not found."); - } - else { - ::rptMsg("GUID: $guid"); - my $flag; - eval { - $flag = $g->get_value("Compatibility Flags")->get_data(); - }; - if ($@) { - ::rptMsg("Compatibility Flags value not found."); - } - else { - my $str = sprintf "Compatibility Flags 0x%x",$flag; - ::rptMsg($str); - } - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# snapshot.pl +# Plugin to check the ActiveX component for the MS Access Snapshot +# Viewer kill bit +# +# Ref: US-CERT Vuln Note #837785, http://www.kb.cert.org/vuls/id/837785 +# +# Note: Look for each GUID key, and check for the Compatibility Flags value; +# if the value is 0x400, the kill bit is set; a vulnerable system is +# indicated by having IE version 6.x, and the kill bits NOT set (IE 7 +# requires user interaction to download the ActiveX component +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package snapshot; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20080725); + +sub getConfig{return %config} + +sub getShortDescr { + return "Check ActiveX comp kill bit; Access Snapshot"; +} +sub getDescr{} +sub getRefs {"US-CERT Vuln Note 837785" => "http://www.kb.cert.org/vuls/id/837785"} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my @guids = ("{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}", + "{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}", + "{F2175210-368C-11D0-AD81-00A0C90DC8D9}"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching snapshot v.".$VERSION); + ::rptMsg("snapshot v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = 
$reg->get_root_key; + + my $key_path = "Microsoft\\Internet Explorer"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("ActiveX Snapshot Vuln"); + ::rptMsg($key_path); + ::rptMsg(""); + my $ver; + eval { + $ver = $key->get_value("Version")->get_data(); + }; + if ($@) { + ::rptMsg("IE Version not found."); + } + else { + ::rptMsg("IE Version = ".$ver) + } + + ::rptMsg(""); + foreach my $guid (@guids) { + my $g; + eval { + $g = $key->get_subkey("ActiveX Compatibility\\".$guid); + }; + if ($@) { + ::rptMsg("$guid not found."); + } + else { + ::rptMsg("GUID: $guid"); + my $flag; + eval { + $flag = $g->get_value("Compatibility Flags")->get_data(); + }; + if ($@) { + ::rptMsg("Compatibility Flags value not found."); + } + else { + my $str = sprintf "Compatibility Flags 0x%x",$flag; + ::rptMsg($str); + } + } + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/snapshot_viewer.pl b/RecentActivity/release/rr-full/plugins/snapshot_viewer.pl new file mode 100755 index 0000000000..0c4ee47698 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/snapshot_viewer.pl 
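Review bot: The `eval { $g = $key->get_subkey("ActiveX Compatibility\\".$guid); };` block can never reach the `$guid not found.` branch, because get_subkey returns undef for a missing key rather than dying (the same `if ($key = $root_key->get_subkey(...))` idiom relies on this elsewhere in the file), so `$@` stays empty, the code prints `GUID: ...`, and the following `$g->get_value` on undef dies inside the next eval and is reported as `Compatibility Flags value not found.` — a missing kill-bit key is thus misdescribed as a present key with a missing value. The raw flag is also printed without the 0x400 test the header comment describes, leaving the reader to do the comparison by hand; a bit-test is the safer form if other flags can be combined, but confirm against the US-CERT reference. The two new banner lines are fine; the rest of the hunk is a whitespace re-add. Suggested rewrite of the GUID loop:
```perl
    foreach my $guid (@guids) {
        my $g = $key->get_subkey("ActiveX Compatibility\\".$guid);
        unless (defined $g) {
            ::rptMsg("$guid not found.");
            ::rptMsg("");
            next;
        }
        ::rptMsg("GUID: $guid");
        my $flag;
        eval { $flag = $g->get_value("Compatibility Flags")->get_data(); };
        if ($@) {
            ::rptMsg("Compatibility Flags value not found.");
        }
        else {
            my $str = sprintf "Compatibility Flags 0x%x",$flag;
            ::rptMsg($str);
            # 0x400 is the kill bit per the header comment; bit-test, not equality
            ::rptMsg(($flag & 0x400) ? "  Kill bit is set" : "  Kill bit is NOT set");
        }
        ::rptMsg("");
    }
    # … unchanged: IE Version lookup above, "not found" branch below …
```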
@@ -0,0 +1,94 @@ +#----------------------------------------------------------- +# snapshot_viewer.pl +# Extracts Recent File List for Microsoft Snapshot Viewer +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# copyright (c) 2011-02-10 Brendan Coles +#----------------------------------------------------------- +# Require # +package snapshot_viewer; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110210); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extracts Recent File List for Microsoft Snapshot Viewer."; +} +sub getRefs { + my %refs = ("Microsoft Snapshot Viewer Homepage:" => + "http://support.microsoft.com/kb/175274"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + + # Initialize # + ::logMsg("Launching snapshot_viewer v.".$VERSION); + ::rptMsg("snapshot_viewer v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\Microsoft\\Snapshot Viewer\\Recent File List"; + + # If # Microsoft Snapshot Viewer path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("Snapshot Viewer"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + # Extract # all keys from Microsoft Snapshot Viewer registry path # + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for Microsoft Snapshot Viewer registry path # + foreach my $v (@vals) { + ::rptMsg($v->get_name()." -> ".$v->get_data()); + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # Microsoft Snapshot Viewer isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/RecentActivity/release/rr-full/plugins/soft_run.pl b/RecentActivity/release/rr-full/plugins/soft_run.pl new file mode 100755 index 0000000000..3574023281 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/soft_run.pl 
@@ -0,0 +1,132 @@ +#----------------------------------------------------------- +# soft_run +# Get contents of Run key from Software hive +# +# History: +# 20130425 - added alertMsg() functionality +# 20130329 - added additional keys +# 20130314 - updated to include Policies keys +# 20120524 - updated to support newer OS's, and 64-bit +# 20080328 - created +# +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package soft_run; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20130425); + +sub getConfig{return %config} + +sub getShortDescr { + return "[Autostart] Get autostart key contents from Software hive"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Definition of the Run keys in the WinXP Registry" => + "http://support.microsoft.com/kb/314866"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching soft_run v.".$VERSION); + ::rptMsg("soft_run v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my @paths = ("Microsoft\\Windows\\CurrentVersion\\Run", + "Microsoft\\Windows\\CurrentVersion\\RunOnce", + "Microsoft\\Windows\\CurrentVersion\\RunServices", + "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\". 
+ "Windows\\CurrentVersion\\Run", + "Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\". + "Windows\\CurrentVersion\\RunOnce", + ); + + foreach my $key_path (@paths) { + + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + my %vals = getKeyValues($key); + if (scalar(keys %vals) > 0) { + foreach my $v (keys %vals) { +# check for "Temp" in the path/data + if (grep(/[Tt]emp/,$vals{$v})) { + ::alertMsg("ALERT: soft_run: Temp Path found: ".$key_path." : ".$v." -> ".$vals{$v}); + } +# check to see if the data ends in .com + if ($vals{$v} =~ m/\.com$/ || $vals{$v} =~ m/\.bat$/ || $vals{$v} =~ m/\.pif$/) { + ::alertMsg("ALERT: soft_run: Path ends in \.com/\.bat/\.pif: ".$key_path." : ".$v." -> ".$vals{$v}); + } + ::rptMsg(" ".$v." - ".$vals{$v}); + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no values."); + } + + my @sk = $key->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + ::rptMsg(""); + ::rptMsg($key_path."\\".$s->get_name()); + ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); + my %vals = getKeyValues($s); + foreach my $v (keys %vals) { + ::rptMsg(" ".$v." -> ".$vals{$v}); + } + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." not found."); + ::rptMsg(""); + } + } +} + +sub getKeyValues { + my $key = shift; + my %vals; + + my @vk = $key->get_list_of_values(); + if (scalar(@vk) > 0) { + foreach my $v (@vk) { + next if ($v->get_name() eq "" && $v->get_data() eq ""); + $vals{$v->get_name()} = $v->get_data(); + } + } + else { + + } + return %vals; +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/software b/RecentActivity/release/rr-full/plugins/software new file mode 100755 index 0000000000..f3e22104b0 --- /dev/null 
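Review bot: The Temp-path and `.com/.bat/.pif` alerts are applied only to the values of each top-level key; the subkey loop further down (`foreach my $s (@sk)`) prints its values with `::rptMsg` and never runs the same checks, so a suspicious entry under a Run or RunOnce subkey is listed but never raised as an alert. The suffix test `m/\.com$/ || ... m/\.pif$/` is also anchored to end of string and case-sensitive, so `C:\x\evil.COM`, or a value carrying arguments after the path, is missed. Factoring the two checks into one helper called from both value loops, with a case-insensitive match that tolerates a trailing quote or argument, closes both gaps:
```perl
# Alert on autostart data that looks suspicious; called for the key itself
# and for each subkey so both paths get identical checks.
sub checkValue {
    my ($key_path, $name, $data) = @_;
    if ($data =~ m/[Tt]emp/) {
        ::alertMsg("ALERT: soft_run: Temp Path found: ".$key_path." : ".$name." -> ".$data);
    }
    if ($data =~ m/\.(com|bat|pif)(\s|"|$)/i) {
        ::alertMsg("ALERT: soft_run: Path ends in \.com/\.bat/\.pif: ".$key_path." : ".$name." -> ".$data);
    }
}
# … unchanged: pluginmain, now calling checkValue($key_path, $v, $vals{$v}) in both value loops …
```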
+++ b/RecentActivity/release/rr-full/plugins/software @@ -0,0 +1,59 @@ +# 20120528 *ALL* Plugins that apply on SOFTWARE hive, alphabetical order +appinitdlls +apppaths +assoc +banner +bho +bitbucket +clsid +cmd_shell +codeid +ctrlpnl +defbrowser +direct +disablesr +drivers32 +drwatson +EMDMgmt +ie_version +imagefile +init_dlls +installedcomp +installer +kb950582 +landesk +macaddr +mrt +msis +networkcards +networklist +networkuid +product +profilelist +regback +removdev +renocide +schedagent +secctr +sfc +shellexec +shellext +shelloverlay +snapshot +soft_run +spp_clients +sql_lastconnect +ssid +startmenuinternetapps_lm +svchost +tracing +uninstall +urlzone +uac +virut +win_cv +winbackup +winlogon +winnt_cv +winver +yahoo_lm \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/spp_clients.pl b/RecentActivity/release/rr-full/plugins/spp_clients.pl new file mode 100755 index 0000000000..7dcb948c21 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/spp_clients.pl 
@@ -0,0 +1,61 @@ +#----------------------------------------------------------- +# spp_clients +# +# History +# 20130429 - added alertMsg() functionality +# 20120914 - created +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package spp_clients; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 50, #Vista, Win7 + version => 20130429); + +sub getConfig{return %config} +sub getShortDescr { + return "Determines volumes monitored by VSS"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching spp_clients v.".$VERSION); + ::rptMsg("spp_clients v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\SPP\\Clients'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("SPP_Clients"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my $mon; + eval { + $mon = $key->get_value("{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}")->get_data(); + ::rptMsg("Monitored volumes: ".$mon); + ::alertMsg("ALERT: No volumes monitored by VSS\.") if ($mon eq ""); + }; + + } + else { + ::rptMsg($key_path." not found."); + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/sql_lastconnect.pl b/RecentActivity/release/rr-full/plugins/sql_lastconnect.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/sql_lastconnect.pl rename to RecentActivity/release/rr-full/plugins/sql_lastconnect.pl index fb21951a75..fb1a216894 --- a/thirdparty/rr/plugins/sql_lastconnect.pl 
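Review bot: The `eval { ... }` around the `{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}` lookup swallows the failure silently: when the value is absent, `get_value` returns undef, the chained `get_data` dies inside the eval, and neither a report line nor an alert is produced, whereas the sibling plugins in this same change (e.g. skype.pl) print `$@` after the eval. Since the alert exists to flag a system with no VSS-monitored volumes, a missing value is at least as interesting as an empty one and should not vanish from the report. Suggest adding after the eval: `::rptMsg("{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513} value not found: ".$@) if ($@);` and, if a missing value does mean nothing is monitored (confirm against a reference system), raising the same `::alertMsg` there.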
+++ b/RecentActivity/release/rr-full/plugins/sql_lastconnect.pl 
@@ -1,66 +1,68 @@ -#----------------------------------------------------------- -# sql_lastconnect.pl -# -# Per MS, Microsoft Data Access Components (MDAC) clients can attempt -# to use multiple protocols based on a protocol ordering, which is -# listed in the SuperSocketNetLib\ProtocolOrder value. Successful -# connection attempts (for SQL Server 2000) are cached in the LastConnect -# key. -# -# References: -# http://support.microsoft.com/kb/273673/ -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package sql_lastconnect; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090112); - -sub getConfig{return %config} - -sub getShortDescr { - return "MDAC cache of successful connections"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching sql_lastconnect v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\MSSQLServer\\Client\\SuperSocketNetLib\\LastConnect"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("MDAC Cache of successful connections"); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $str = sprintf "%-15s %-25s",$v->get_name(),$v->get_data(); - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# sql_lastconnect.pl +# +# Per MS, Microsoft Data Access Components (MDAC) clients can attempt +# to use multiple protocols based on a protocol ordering, which is +# listed in the SuperSocketNetLib\ProtocolOrder value. Successful +# connection attempts (for SQL Server 2000) are cached in the LastConnect +# key. +# +# References: +# http://support.microsoft.com/kb/273673/ +# +# copyright 2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package sql_lastconnect; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090112); + +sub getConfig{return %config} + +sub getShortDescr { + return "MDAC cache of successful connections"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching sql_lastconnect v.".$VERSION); + ::rptMsg("sql_lastconnect v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\MSSQLServer\\Client\\SuperSocketNetLib\\LastConnect"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("MDAC Cache of successful connections"); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $str = sprintf "%-15s %-25s",$v->get_name(),$v->get_data(); + ::rptMsg($str); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr-full/plugins/srun_tln.pl b/RecentActivity/release/rr-full/plugins/srun_tln.pl new file mode 100755 index 0000000000..7e65bf3d77 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/srun_tln.pl 
@@ -0,0 +1,109 @@ +#----------------------------------------------------------- +# srun_tln +# Get contents of Run key from Software hive +# +# History: +# 20130425 - created +# +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package srun_tln; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20130425); + +sub getConfig{return %config} + +sub getShortDescr { + return "[Autostart] Get autostart key contents from Software hive (TLN)"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Definition of the Run keys in the WinXP Registry" => + "http://support.microsoft.com/kb/314866"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching srun_tln v.".$VERSION); +# ::rptMsg("srun_tln v.".$VERSION); # banner +# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my @paths = ("Microsoft\\Windows\\CurrentVersion\\Run", + "Microsoft\\Windows\\CurrentVersion\\RunOnce", + "Microsoft\\Windows\\CurrentVersion\\RunServices", + "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\". + "Windows\\CurrentVersion\\Run", + "Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\". 
+ "Windows\\CurrentVersion\\RunOnce", + ); + + foreach my $key_path (@paths) { + + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my $lw = $key->get_timestamp(); + my %vals = getKeyValues($key); + if (scalar(keys %vals) > 0) { + foreach my $v (keys %vals) { +# check for "Temp" in the path/data + if (grep(/[Tt]emp/,$vals{$v})) { +# ::alertMsg("ALERT: soft_run: Temp Path found: ".$key_path." : ".$v." -> ".$vals{$v}); + ::alertMsg($lw."|ALERT|||Software\\".$key_path." Temp path: ".$v.": ".$vals{$v}); + } +# check to see if the data ends in .com + if ($vals{$v} =~ m/\.com$/ || $vals{$v} =~ m/\.bat$/ || $vals{$v} =~ m/\.pif$/) { +# ::alertMsg("ALERT: soft_run: Path ends in \.com/\.bat/\.pif: ".$key_path." : ".$v." -> ".$vals{$v}); + ::alertMsg($lw."|ALERT|||Software\\".$key_path." ends in \.com/\.bat/\.pif: ".$v.": ".$vals{$v}); + } +# ::rptMsg(" ".$v." - ".$vals{$v}); + } +# ::rptMsg(""); + } + else { +# ::rptMsg($key_path." has no values."); + } + } + + } +} + +sub getKeyValues { + my $key = shift; + my %vals; + + my @vk = $key->get_list_of_values(); + if (scalar(@vk) > 0) { + foreach my $v (@vk) { + next if ($v->get_name() eq "" && $v->get_data() eq ""); + $vals{$v->get_name()} = $v->get_data(); + } + } + else { + + } + return %vals; +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/ssh_host_keys.pl b/RecentActivity/release/rr-full/plugins/ssh_host_keys.pl new file mode 100755 index 0000000000..64d331f2ab --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/ssh_host_keys.pl 
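Review bot: The new file carries a lot of commented-out code copied from soft_run.pl — the banner lines, the `::rptMsg` calls and the old-format `::alertMsg` lines — plus two empty `else {}` branches in pluginmain and getKeyValues; since this variant intentionally emits only timeline alerts, that dead code should be deleted rather than left for the next reader to puzzle over. The same `m/\.com$/` suffix check as soft_run.pl is anchored and case-sensitive, so a case-variant extension or a path followed by arguments is missed; `if ($vals{$v} =~ m/\.(com|bat|pif)(\s|"|$)/i) {` would cover those. The header comment `# Get contents of Run key from Software hive` still describes soft_run rather than the TLN alert output this plugin produces, and a one-line comment documenting the `time|ALERT|||description` field layout of the emitted lines would help anyone consuming them.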
@@ -0,0 +1,109 @@ +# ssh_host_keys.pl +# +# RegRipper module to extract stored Putty and WinSCP host keys. +# The keys are found in NTUSER.DAT under: +# +# Software\Martin Prikryl\WinSCP 2\SshHostKeys +# Software\SimonTatham\Putty\SshHostKeys +# +# Change History +# 04/02/2013 Added rptMsg for key not found errors by Corey Harrell +# +# Presence of a host key indicates a successful connection to a given host, +# but not necessarily a successful login. +# +# RegRipper module author Hal Pomeranz + +package ssh_host_keys; + +use strict; + +my %config = ('hive' => 'NTUSER.DAT', + 'hasShortDescr' => 1, + 'hasDescr' => 0, + 'hasRefs' => 0, + 'osmask' => 22, + 'version' => '20120809'); + +sub getConfig { return(%config); } +sub getShortDescr { return('Extracts Putty/WinSCP SSH Host Keys'); } +sub getDescr {} +sub getRefs {} +sub getHive { return($config{'hive'}); } +sub getVersion { return($config{'version'}); } + +my $VERSION = $config{'version'}; + +sub pluginmain { + my($class, $hive) = @_; + my($reg, $root, $key) = (); + + ::logMsg("Launching ssh_host_keys v.$VERSION\n"); + ::rptMsg("ssh_host_keys v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + unless ($reg = Parse::Win32Registry->new($hive)) { + ::logMsg("Failed to open $hive: $!"); + return(); + } + unless ($root = $reg->get_root_key()) { + ::logMsg("Failed to get root key from $hive: $!"); + return(); + } + + if ($key = $root->get_subkey('Software\SimonTatham\Putty\SshHostKeys')) { + display_key_data($key); + } + else { + ::logMsg('"Software\SimonTatham\Putty\SshHostKeys" does not exist' . "\n"); + ::rptMsg('"Software\SimonTatham\Putty\SshHostKeys" does not exist' . 
"\n"); # line added on 04/02/2013 + } + + if ($key = $root->get_subkey('Software\Martin Prikryl\WinSCP 2\SshHostKeys')) { + display_key_data($key); + } + else { + ::logMsg('"Software\Martin Prikryl\WinSCP 2\SshHostKeys" does not exist'); + ::rptMsg('"Software\Martin Prikryl\WinSCP 2\SshHostKeys" does not exist'); # line added on 04/02/2013 + } +} + + +sub display_key_data { + my($key) = @_; + + my $path = $key->get_path(); + $path =~ s/.*?\\//; + + ::rptMsg("$path\nLast Updated: " . scalar(gmtime($key->get_timestamp())) . " UTC\n"); + + my(%sort, %host_info) = (); + my @vals = $key->get_list_of_values(); + foreach my $val (@vals) { + my $name = $val->get_name(); + my($type, $port, $host) = $name =~ /^([^@]+)@(\d+):(.*)$/; + my $host_key = $val->get_data(); + + if ($host =~ /^[\d.]+$/) { + $sort{$name} = sprintf("%03d%03d%03d%03d", split(/\./, $host)); + } + else { $sort{$name} = $host; } + + $host_info{$name} = { + 'host' => $host, + 'port' => $port, + 'type' => $type, + 'key' => $host_key + }; + } + + foreach my $name ( + sort { $sort{$a} cmp $sort{$b} || + $host_info{$a}{'port'} <=> $host_info{$b}{'port'} || + $host_info{$a}{'type'} cmp $host_info{$b}{'type'} + } keys(%host_info)) { + ::rptMsg("$host_info{$name}{'host'}:$host_info{$name}{'port'} ($host_info{$name}{'type'})"); + ::rptMsg("$host_info{$name}{'key'}\n"); + } +} + +1; diff --git a/thirdparty/rr/plugins/ssid.pl b/RecentActivity/release/rr-full/plugins/ssid.pl old mode 100644 new mode 100755 similarity index 94% rename from thirdparty/rr/plugins/ssid.pl rename to RecentActivity/release/rr-full/plugins/ssid.pl index 1e7714ae56..b8ac575414 --- a/thirdparty/rr/plugins/ssid.pl +++ b/RecentActivity/release/rr-full/plugins/ssid.pl 
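Review bot: In display_key_data the capture `my($type, $port, $host) = $name =~ /^([^@]+)@(\d+):(.*)$/;` leaves all three undefined for any value name that does not fit the `type@port:host` shape, after which `$host =~ /^[\d.]+$/`, the `<=>`/`cmp` sort comparators and the final `::rptMsg` all operate on undef, so such an entry is printed as `:` with no host and no type. An unexpected name is still evidence of a stored host key, so it should be kept visible rather than dropped: `unless (defined $host) { ($type, $port, $host) = ('?', 0, $name); }` placed right after the match keeps the entry in the report and the sort stable. The header's caveat that a stored host key shows a connection but not necessarily a successful login belongs in the report output too, e.g. a single `::rptMsg` after the banner, since examiners read the report rather than the source.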
@@ -1,183 +1,185 @@ -#----------------------------------------------------------- -# ssid -# Gets SSID and other info from WZCSVC key -# -# -# Change History: -# 20100301 - Updated References; removed dwCtlFlags being -# printed; minor adjustments to formatting -# 20091102 - added code to parse EAPOL values for SSIDs -# 20090807 - updated code in accordance with WZC_WLAN_CONFIG -# structure -# -# References -# http://msdn.microsoft.com/en-us/library/aa448338.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package ssid; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100301); - -sub getConfig{return %config} -sub getShortDescr { - return "Get WZCSVC SSID Info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $error; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ssid v.".$VERSION); -# Get the NetworkCards values - my %nc; - if (%nc = getNetworkCards($hive)) { - - } - else { - ::logMsg("Problem w/ SSIDs, getting NetworkCards: ".$error); - return; - } - - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\WZCSVC\\Parameters\\Interfaces"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("SSID"); - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - if (exists($nc{$name})) { - ::rptMsg("NIC: ".$nc{$name}{descr}); - ::rptMsg("Key LastWrite: ".gmtime($s->get_timestamp())." 
UTC"); - ::rptMsg(""); - my @vals = $s->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $n = $v->get_name(); - if ($n =~ m/^Static#/) { - my $data = $v->get_data(); -# my $w = unpack("V",substr($data,0x04,0x04)); -# printf "dwCtlFlags = 0x%x\n",$w; - - my $l = unpack("V",substr($data, 0x10, 0x04)); - my $ssid = substr($data,0x14,$l); - - my $tm = uc(unpack("H*",substr($data,0x08,0x06))); - my @t = split(//,$tm); - my $mac = $t[0].$t[1]."-".$t[2].$t[3]."-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; - - my ($t1,$t2) = unpack("VV",substr($data,0x2B8,8)); - my $t = ::getTime($t1,$t2); - my $str = sprintf gmtime($t)." MAC: %-18s %-8s",$mac,$ssid; - ::rptMsg($str); - } - } - } - else { - ::rptMsg($name." has no values."); - } - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } - -# Now, go to the EAPOL key, locate the appropriate subkeys and parse out -# any available SSIDs -# EAPOL is Extensible Authentication Protocol over LAN - my $key_path = "Microsoft\\EAPOL\\Parameters\\Interfaces"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - if (exists $nc{$name}) { - ::rptMsg("NIC: ".$nc{$name}{descr}); - } - else { - ::rptMsg("NIC: ".$name); - } - ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())." UTC"); - - my @vals = $s->get_list_of_values(); - my %eapol; - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - $eapol{$v->get_name()} = parseEAPOLData($v->get_data()); - } - foreach my $i (sort {$a <=> $b} keys %eapol) { - my $str = sprintf "%-3d %s",$i,$eapol{$i}; - ::rptMsg($str); - } - } - ::rptMsg(""); - } - } - else { - ::rtpMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub getNetworkCards { - my $hive = shift; - my %nc; - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $service = $s->get_value("ServiceName")->get_data(); - $nc{$service}{descr} = $s->get_value("Description")->get_data(); - $nc{$service}{lastwrite} = $s->get_timestamp(); - } - } - else { - $error = $key_path." has no subkeys."; - } - } - else { - $error = $key_path." not found."; - } - return %nc; -} - -sub parseEAPOLData { - my $data = shift; - my $size = unpack("V",substr($data,0x10,4)); - return substr($data,0x14,$size); -} - +#----------------------------------------------------------- +# ssid +# Gets SSID and other info from WZCSVC key +# +# +# Change History: +# 20100301 - Updated References; removed dwCtlFlags being +# printed; minor adjustments to formatting +# 20091102 - added code to parse EAPOL values for SSIDs +# 20090807 - updated code in accordance with WZC_WLAN_CONFIG +# structure +# +# References +# http://msdn.microsoft.com/en-us/library/aa448338.aspx +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package ssid; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100301); + +sub getConfig{return %config} +sub getShortDescr { + return "Get WZCSVC SSID Info"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my $error; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching ssid v.".$VERSION); + ::rptMsg("ssid v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 
banner +# Get the NetworkCards values + my %nc; + if (%nc = getNetworkCards($hive)) { + + } + else { + ::logMsg("Problem w/ SSIDs, getting NetworkCards: ".$error); + return; + } + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Microsoft\\WZCSVC\\Parameters\\Interfaces"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("SSID"); + ::rptMsg($key_path); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + if (exists($nc{$name})) { + ::rptMsg("NIC: ".$nc{$name}{descr}); + ::rptMsg("Key LastWrite: ".gmtime($s->get_timestamp())." UTC"); + ::rptMsg(""); + my @vals = $s->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $n = $v->get_name(); + if ($n =~ m/^Static#/) { + my $data = $v->get_data(); +# my $w = unpack("V",substr($data,0x04,0x04)); +# printf "dwCtlFlags = 0x%x\n",$w; + + my $l = unpack("V",substr($data, 0x10, 0x04)); + my $ssid = substr($data,0x14,$l); + + my $tm = uc(unpack("H*",substr($data,0x08,0x06))); + my @t = split(//,$tm); + my $mac = $t[0].$t[1]."-".$t[2].$t[3]."-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; + + my ($t1,$t2) = unpack("VV",substr($data,0x2B8,8)); + my $t = ::getTime($t1,$t2); + my $str = sprintf gmtime($t)." MAC: %-18s %-8s",$mac,$ssid; + ::rptMsg($str); + } + } + } + else { + ::rptMsg($name." has no values."); + } + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } + +# Now, go to the EAPOL key, locate the appropriate subkeys and parse out +# any available SSIDs +# EAPOL is Extensible Authentication Protocol over LAN + my $key_path = "Microsoft\\EAPOL\\Parameters\\Interfaces"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + if (exists $nc{$name}) { + ::rptMsg("NIC: ".$nc{$name}{descr}); + } + else { + ::rptMsg("NIC: ".$name); + } + ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())." UTC"); + + my @vals = $s->get_list_of_values(); + my %eapol; + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + $eapol{$v->get_name()} = parseEAPOLData($v->get_data()); + } + foreach my $i (sort {$a <=> $b} keys %eapol) { + my $str = sprintf "%-3d %s",$i,$eapol{$i}; + ::rptMsg($str); + } + } + ::rptMsg(""); + } + } + else { + ::rtpMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub getNetworkCards { + my $hive = shift; + my %nc; + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $service = $s->get_value("ServiceName")->get_data(); + $nc{$service}{descr} = $s->get_value("Description")->get_data(); + $nc{$service}{lastwrite} = $s->get_timestamp(); + } + } + else { + $error = $key_path." has no subkeys."; + } + } + else { + $error = $key_path." not found."; + } + return %nc; +} + +sub parseEAPOLData { + my $data = shift; + my $size = unpack("V",substr($data,0x10,4)); + return substr($data,0x14,$size); +} + 1; \ No newline at end of file 
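Review bot: `::rtpMsg($key_path." has no subkeys.");` in the EAPOL branch (the `else` after `if (scalar(@subkeys) > 0)`) is a typo for `::rptMsg`; it is a call to an undefined subroutine, so a SOFTWARE hive whose `Microsoft\EAPOL\Parameters\Interfaces` key exists but has no subkeys dies at runtime instead of printing the message, losing the rest of the plugin's output. The change re-adds every line of the file to insert two banner lines, so this was the moment to fix it: `::rptMsg($key_path." has no subkeys.");`. Separately, getNetworkCards calls `$s->get_value("ServiceName")->get_data()` and `$s->get_value("Description")->get_data()` without an eval, so a single NetworkCards subkey lacking either value dies and takes the whole SSID report with it; wrapping those two lookups in an eval and skipping the subkey on `$@` would match the defensive pattern used in the rest of the file. The duplicate `my $key_path` / `my $key` declarations later in pluginmain also shadow the earlier ones and will warn under `-w`.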
diff --git a/RecentActivity/release/rr-full/plugins/startmenuinternetapps_cu.pl b/RecentActivity/release/rr-full/plugins/startmenuinternetapps_cu.pl new file mode 100755 index 0000000000..14b4369f47 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/startmenuinternetapps_cu.pl 
@@ -0,0 +1,98 @@ +#----------------------------------------------------------- +# startmenuinternetapps_cu.pl +# Start Menu Internet Applications settings (HKCU) parser +# +# Change history +# 20100906 [fpi] % created +# 20101219 [fpi] % first version +# 20110830 [fpi] + banner, no change to the version number +# +# References +# http://msdn.microsoft.com/en-us/library/dd203067(VS.85).aspx +# +# copyright 2010 F. Picasso, francesco.picasso@gmail.com +#----------------------------------------------------------- +package startmenuinternetapps_cu; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20101219); + +sub getConfig{return %config} +sub getShortDescr { + return "Start Menu Internet Applications info current user"; +} +sub getDescr{} +sub getRefs { + my %refs = ("How to Register an Internet Browser or E-mail Client With the Windows Start Menu" => + "http://msdn.microsoft.com/en-us/library/dd203067(VS.85).aspx"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg( "Launching startmenuinternetapps_cu v.".$VERSION ); + ::rptMsg("startmenuinternetapps_cu v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new( $ntuser ); + my $root_key = $reg->get_root_key; + + my $path = 'Software\\Clients'; + my $key; + + if ( $key = $root_key->get_subkey( $path ) ) { + ::rptMsg( "Start Menu Internet Applications\n" ); + + my @subkeys = $key->get_list_of_subkeys(); + if ( ( scalar @subkeys ) > 0 ) { + + foreach my $sbk ( @subkeys ) { + my $tmp = $sbk->get_name(); + ::rptMsg( $tmp." [".gmtime( $sbk->get_timestamp() )." 
(UTC)]" ); + + if ( $tmp eq "StartMenuInternet" ) { + ::rptMsg( "NOTE: default Internet Browser client key" ); + } + elsif ( $tmp eq "Mail" ) { + ::rptMsg( "NOTE: default Mail client key" ); + } + + my @vals = $sbk->get_list_of_values(); + + if ( ( scalar @vals ) > 0 ) { + foreach my $val ( @vals ) { + $tmp = $val->get_name(); + if ( $tmp eq "" ) { + $tmp = "(default)"; + } + ::rptMsg( $tmp." -> ".$val->get_data()."\n" ); + } + } + else { + ::rptMsg( $sbk->get_name()." has no values." ); + ::logMsg( $sbk->get_name()." has no values." ); + } + } + } + else { + ::rptMsg( $key->get_name()." has no subkeys." ); + ::logMsg( $key->get_name()." has no subkeys." ); + } + } + else { + ::rptMsg( $path." not found. Check the same path in HKLM" ); + ::logMsg( $path." not found. Check the same path in HKLM" ); + } +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/startmenuinternetapps_lm.pl b/RecentActivity/release/rr-full/plugins/startmenuinternetapps_lm.pl new file mode 100755 index 0000000000..c5f658d8b4 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/startmenuinternetapps_lm.pl 
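Review bot: Inside the `foreach my $val ( @vals )` loop the report line is built with `$val->get_data()` for every value regardless of its type, so REG_BINARY or REG_DWORD data is emitted as raw bytes into the report text. Parse::Win32Registry exposes `get_data_as_string()` on value objects, which renders each type printably; `::rptMsg( $tmp." -> ".$val->get_data_as_string()."\n" );` would keep the report readable. The same construct appears in the startmenuinternetapps_lm.pl hunk that follows.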
@@ -0,0 +1,101 @@ +#----------------------------------------------------------- +# startmenuinternetapps_lm.pl +# Start Menu Internet Applications settings (HKLM) parser +# +# Change history +# 20100906 [fpi] % created +# 20101219 [fpi] % first version +# 20110830 [fpi] + banner, no change to the version number +# +# References +# http://msdn.microsoft.com/en-us/library/dd203067(VS.85).aspx +# +# copyright 2010 F. Picasso, francesco.picasso@gmail.com +#----------------------------------------------------------- +package startmenuinternetapps_lm; +use strict; + +my %config = (hive => "SOFTWARE", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20101219); + +sub getConfig{return %config} +sub getShortDescr { + return "Start Menu Internet Applications info"; +} +sub getDescr{} +sub getRefs { + my %refs = ("How to Register an Internet Browser or E-mail Client With the Windows Start Menu" => + "http://msdn.microsoft.com/en-us/library/dd203067(VS.85).aspx"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg( "Launching startmenuinternetapps_lm.".$VERSION ); + ::rptMsg("startmenuinternetapps_lm v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new( $ntuser ); + my $root_key = $reg->get_root_key; + + my $path = 'Clients'; + my $key; + + if ( $key = $root_key->get_subkey( $path ) ) { + ::rptMsg( "Start Menu Internet Applications" ); + + my @subkeys = $key->get_list_of_subkeys(); + if ( ( scalar @subkeys ) > 0 ) { + + foreach my $sbk ( @subkeys ) { + ::rptMsg( "\n" ); + my $tmp = $sbk->get_name(); + ::rptMsg( " [".gmtime( $sbk->get_timestamp() )." 
(UTC)] ".$tmp ); + + my @vals = $sbk->get_list_of_values(); + + if ( ( scalar @vals ) > 0 ) { + foreach my $val ( @vals ) { + $tmp = $val->get_name(); + # print default only + if ( $tmp eq "" ) { + ::rptMsg( " VALUE: ".$tmp."(default) -> ".$val->get_data() ); + } + + } + } + else { + ::rptMsg( " VALUE: no values." ); + } + + # getting subkeys + my @subkeys2 = $sbk->get_list_of_subkeys(); + if ( ( scalar @subkeys2 ) > 0 ) { + foreach my $sbk2 ( @subkeys2 ) { + $tmp = $sbk2->get_name(); + ::rptMsg( " SUBKEY: "." [".gmtime( $sbk2->get_timestamp() )." (UTC)] ".$tmp ); + } + } + } + } + else { + ::rptMsg( $key->get_name()." has no subkeys." ); + ::logMsg( $key->get_name()." has no subkeys." ); + } + } + else { + ::rptMsg( $path." not found." ); + ::logMsg( $path." not found." ); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/startpage.pl b/RecentActivity/release/rr-full/plugins/startpage.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/startpage.pl rename to RecentActivity/release/rr-full/plugins/startpage.pl index 78dcc9e426..6cc8d5743d --- a/thirdparty/rr/plugins/startpage.pl +++ b/RecentActivity/release/rr-full/plugins/startpage.pl 
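Review bot: The log banner `::logMsg( "Launching startmenuinternetapps_lm.".$VERSION );` drops the ` v.` separator that the following `::rptMsg` banner and the sibling startmenuinternetapps_cu.pl plugin use, so the log reads `startmenuinternetapps_lm.20101219`; it should be `::logMsg( "Launching startmenuinternetapps_lm v.".$VERSION );`. The hive handle is also named `$ntuser` although this plugin declares `hive => "SOFTWARE"`, which misleads the next reader; `$hive`, as the other plugins in this commit use, would be clearer.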
@@ -1,77 +1,79 @@ -#----------------------------------------------------------- -# startpage.pl -# For Windows 7 -# -# Change history -# 20100330 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package startpage; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100330); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's StartPage key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching startpage v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $menu; - my $balloon; - - eval { - my $val = $key->get_value("StartMenu_Start_Time")->get_data(); - my ($t0,$t1) = unpack("VV",$val); - $menu = ::getTime($t0,$t1); - ::rptMsg("StartMenu_Start_Time = ".gmtime($menu)." Z"); - }; - ::rptMsg("Error: ".@$) if (@$); - - eval { - my $val = $key->get_value("StartMenu_Balloon_Time")->get_data(); - my ($t0,$t1) = unpack("VV",$val); - $balloon = ::getTime($t0,$t1); - ::rptMsg("StartMenu_Balloon_Time = ".gmtime($balloon)." Z"); - }; - ::rptMsg("Error: ".@$) if (@$); - - - - - - } - else { - ::rptMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# startpage.pl +# For Windows 7 +# +# Change history +# 20100330 - created +# +# References +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package startpage; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100330); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's StartPage key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching startpage v.".$VERSION); + ::rptMsg("startpage v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my $menu; + my $balloon; + + eval { + my $val = $key->get_value("StartMenu_Start_Time")->get_data(); + my ($t0,$t1) = unpack("VV",$val); + $menu = ::getTime($t0,$t1); + ::rptMsg("StartMenu_Start_Time = ".gmtime($menu)." Z"); + }; + ::rptMsg("Error: ".@$) if (@$); + + eval { + my $val = $key->get_value("StartMenu_Balloon_Time")->get_data(); + my ($t0,$t1) = unpack("VV",$val); + $balloon = ::getTime($t0,$t1); + ::rptMsg("StartMenu_Balloon_Time = ".gmtime($balloon)." Z"); + }; + ::rptMsg("Error: ".@$) if (@$); + + + + + + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file 
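Review bot: Both error checks after the `eval` blocks, `::rptMsg("Error: ".@$) if (@$);`, test `@$` instead of `$@`, so an eval failure (a missing or malformed StartMenu_Start_Time or StartMenu_Balloon_Time value) is never reported and the plugin silently prints nothing for that value. The stillimage.pl hunk in this same commit uses the correct form `::rptMsg("STICLI Error: ".$@) if ($@);`. Change both lines to `::rptMsg("Error: ".$@) if ($@);`. This defect predates the rename but survives on the new side.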
diff --git a/thirdparty/rr/plugins/stillimage.pl b/RecentActivity/release/rr-full/plugins/stillimage.pl
old mode 100644
new mode 100755
similarity index 90%
rename from thirdparty/rr/plugins/stillimage.pl
rename to RecentActivity/release/rr-full/plugins/stillimage.pl
index aaf23600e4..8c447e88e8
--- a/thirdparty/rr/plugins/stillimage.pl
+++ b/RecentActivity/release/rr-full/plugins/stillimage.pl
@@ -1,112 +1,114 @@ -#----------------------------------------------------------- -# stillimage.pl -# Parses contents of Enum\USB key for web cam -# -# History -# 20100222 - created -# -# References -# http://msdn.microsoft.com/en-us/library/ms791870.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package stillimage; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100222); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get info on StillImage devices"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $reg; - -sub pluginmain { - my $class = shift; - my $hive = shift; - $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -::logMsg("Launching stillimage v.".$VERSION); -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." not found."); - return; - } - - my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - ::rptMsg(""); - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next unless ($name =~ m/\d\d/); - ::rptMsg($name); - - eval { - my $desc = $s->get_value("DriverDesc")->get_data(); - ::rptMsg(" ".$desc); - }; - - eval { - my $desc = $s->get_value("MatchingDeviceID")->get_data(); - ::rptMsg(" ".$desc); - }; - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } - -# http://msdn.microsoft.com/en-us/library/ms791870.aspx -# StillImage logging levels - my $key_path = $ccs."\\Control\\StillImage\\Logging"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg("StillImage Logging Level"); - eval { - my $level = $key->get_subkey("STICLI")->get_value("Level")->get_data(); - my $str = sprintf " STICLI Logging Level = 0x%x",$level; - ::rptMsg($str); - }; - ::rptMsg("STICLI Error: ".$@) if ($@); - - eval { - my $level = $key->get_subkey("STIMON")->get_value("Level")->get_data(); - my $str = sprintf " STIMON Logging Level = 0x%x",$level; - ::rptMsg($str); - }; - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# stillimage.pl +# Parses contents of Enum\USB key for web cam +# +# History +# 20100222 - created +# +# References +# http://msdn.microsoft.com/en-us/library/ms791870.aspx +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package stillimage; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100222); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get info on StillImage devices"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my $reg; + +sub pluginmain { + my $class = shift; + my $hive = shift; + $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + ::logMsg("Launching stillimage v.".$VERSION); + ::rptMsg("stillimage v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs 
= "ControlSet00".$current; + } + else { + ::rptMsg($key_path." not found."); + return; + } + + my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + ::rptMsg(""); + foreach my $s (@subkeys) { + my $name = $s->get_name(); + next unless ($name =~ m/\d\d/); + ::rptMsg($name); + + eval { + my $desc = $s->get_value("DriverDesc")->get_data(); + ::rptMsg(" ".$desc); + }; + + eval { + my $desc = $s->get_value("MatchingDeviceID")->get_data(); + ::rptMsg(" ".$desc); + }; + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } + +# http://msdn.microsoft.com/en-us/library/ms791870.aspx +# StillImage logging levels + my $key_path = $ccs."\\Control\\StillImage\\Logging"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + ::rptMsg("StillImage Logging Level"); + eval { + my $level = $key->get_subkey("STICLI")->get_value("Level")->get_data(); + my $str = sprintf " STICLI Logging Level = 0x%x",$level; + ::rptMsg($str); + }; + ::rptMsg("STICLI Error: ".$@) if ($@); + + eval { + my $level = $key->get_subkey("STIMON")->get_value("Level")->get_data(); + my $str = sprintf " STIMON Logging Level = 0x%x",$level; + ::rptMsg($str); + }; + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/streammru.pl b/RecentActivity/release/rr-full/plugins/streammru.pl old mode 100644 new mode 100755 similarity index 88% rename from thirdparty/rr/plugins/streammru.pl rename to RecentActivity/release/rr-full/plugins/streammru.pl index 0276cad084..82242cb8da --- a/thirdparty/rr/plugins/streammru.pl +++ b/RecentActivity/release/rr-full/plugins/streammru.pl 
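Review bot: The second `eval` in the StillImage Logging section (the `STIMON` read) has no `$@` check, unlike the `STICLI` one directly above it, so a missing STIMON subkey or Level value is skipped without a trace in the report; add `::rptMsg("STIMON Error: ".$@) if ($@);` after it. `my $key_path` and `my $key` are also declared three times in the same `pluginmain` scope, which triggers "masks earlier declaration" warnings under `use strict`/`-w`; drop `my` on the second and third declarations. The file header still says the plugin parses the `Enum\USB` key, while the code reads `Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}` and `Control\StillImage\Logging`; updating that header comment would help the next maintainer.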
@@ -1,64 +1,66 @@ -#----------------------------------------------------------- -# streammru.pl -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package streammru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090205); - -sub getConfig{return %config} - -sub getShortDescr { - return "streammru"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching streammru v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg(""); - - my $data = $key->get_value("5")->get_data(); - - my $drive = substr($data, 0x16,4); - ::rptMsg("Drive = ".$drive); - ::rptMsg(""); - - my $size = substr($data, 0x2d, 1); - ::rptMsg("Size of first object: ".unpack("c",$size)." bytes"); - ::rptMsg(""); - - - - - - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} +#----------------------------------------------------------- +# streammru.pl +# +# copyright 2009 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package streammru; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090205); + +sub getConfig{return %config} + +sub getShortDescr { + return "streammru"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching streammru v.".$VERSION); + ::rptMsg("streammru v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg(""); + + my $data = $key->get_value("5")->get_data(); + + my $drive = substr($data, 0x16,4); + ::rptMsg("Drive = ".$drive); + ::rptMsg(""); + + my $size = substr($data, 0x2d, 1); + ::rptMsg("Size of first object: ".unpack("c",$size)." bytes"); + ::rptMsg(""); + + + + + + + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/streams.pl b/RecentActivity/release/rr-full/plugins/streams.pl old mode 100644 new mode 100755 similarity index 89% rename from thirdparty/rr/plugins/streams.pl rename to RecentActivity/release/rr-full/plugins/streams.pl index e620c033df..ac423af250 --- a/thirdparty/rr/plugins/streams.pl +++ b/RecentActivity/release/rr-full/plugins/streams.pl 
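Review bot: `my $data = $key->get_value("5")->get_data();` chains through the return of `get_value`, which is undef when the StreamMRU key has no value named 5, so the plugin dies with "Can't call method get_data on an undefined value" instead of reporting the condition. Guard it: `my $v = $key->get_value("5");`, `unless ($v) { ::rptMsg("Value 5 not found."); return; }`, `my $data = $v->get_data();`. The fixed offsets `0x16` and `0x2d` into the value data are also uncommented; a short note on the expected layout and a length check before each `substr` would make the parse defensible when the output is relied on in a report.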
@@ -1,63 +1,65 @@ -#----------------------------------------------------------- -# streams.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package streams; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081124); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parse Streams and StreamsMRU entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching streams v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("streamMRU"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $i (0..10) { - my $data = $key->get_value($i)->get_data(); - open(FH,">",$i); - binmode(FH); - print FH $data; - close(FH); - } - } - else { - ::rptMsg($key_path." has no values."); - } - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} +#----------------------------------------------------------- +# streams.pl +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package streams; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20081124); + +sub getConfig{return %config} + +sub getShortDescr { + return "Parse Streams and StreamsMRU entries"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching streams v.".$VERSION); + ::rptMsg("streams v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("streamMRU"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $i (0..10) { + my $data = $key->get_value($i)->get_data(); + open(FH,">",$i); + binmode(FH); + print FH $data; + close(FH); + } + } + else { + ::rptMsg($key_path." has no values."); + } + + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/svc.pl b/RecentActivity/release/rr-full/plugins/svc.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/svc.pl rename to RecentActivity/release/rr-full/plugins/svc.pl index 32332bf723..cdb52f4fa9 --- a/thirdparty/rr/plugins/svc.pl +++ b/RecentActivity/release/rr-full/plugins/svc.pl 
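Review bot: The `foreach my $i (0..10)` loop writes each value's raw data to a file named `$i` in the process's current working directory via `open(FH,">",$i)` with no return check, so a failed open falls through to `print FH` on an unopened handle, and in an embedded run such as the one these plugins are being moved into the files land in whatever directory the host process is in, with nothing written to the report about it. It also assumes values 0 through 10 exist; `$key->get_value($i)` returns undef for a missing one and the chained `get_data()` then dies. Iterating `@vals` instead of a fixed range, checking `open(...) or do { ::rptMsg("Cannot write ".$i.": ".$!); next; }`, and reporting each path written via `::rptMsg` would make the output traceable.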
@@ -1,149 +1,151 @@ -#----------------------------------------------------------- -# svc.pl -# Plugin for Registry Ripper; Access System hive file to get the -# services, display short format (hence "svc", shortened version -# of service.pl plugin) -# -# Change history -# 20080610 - created -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package svc; -#use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080610); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists services/drivers in Services key by LastWrite times (short format)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -# Reference for types and start types: -# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx -my %types = (0x001 => "Kernel driver", - 0x002 => "File system driver", - 0x010 => "Own_Process", - 0x020 => "Share_Process", - 0x100 => "Interactive"); - -my %starts = (0x00 => "Boot Start", - 0x01 => "System Start", - 0x02 => "Auto Start", - 0x03 => "Manual", - 0x04 => "Disabled"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching svc v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $s_path = $ccs."\\Services"; - my $svc; - my %svcs; - if ($svc = $root_key->get_subkey($s_path)) { - ::rptMsg($s_path); - ::rptMsg(getShortDescr()); - ::rptMsg(""); -# Get all subkeys and sort based on LastWrite times - my @subkeys = 
$svc->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - - my $type; - eval { - $type = $s->get_value("Type")->get_data(); - }; - - $name = $s->get_name(); - my $display; - eval { - $display = $s->get_value("DisplayName")->get_data(); - }; - - my $image; - eval { - $image = $s->get_value("ImagePath")->get_data(); - }; - - my $start; - eval { - $start = $s->get_value("Start")->get_data(); - if (exists $starts{$start}) { - $start = $starts{$start}; - } - }; - - my $object; - eval { - $object = $s->get_value("ObjectName")->get_data(); - }; - next if ($type == 0x001 || $type == 0x002); - my $str = $name.";".$display.";".$image.";".$type.";".$start.";".$object; - push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); - } - - foreach my $t (reverse sort {$a <=> $b} keys %svcs) { - ::rptMsg(gmtime($t)."Z"); - foreach my $item (@{$svcs{$t}}) { - my ($n,$d,$i,$t,$s,$o) = split(/;/,$item,6); - my $str = " ".$n; - - if ($i eq "") { - if ($d eq "") { - - } - else { - $str = $str." (".$d.")"; - } - } - else { - $str = $str." (".$i.")"; - } - - $str = $str." [".$o."]" unless ($o eq ""); - - ::rptMsg($str); - } - ::rptMsg(""); - } - - } - else { - ::rptMsg($s_path." has no subkeys."); - ::logMsg("Error: ".$s_path." has no subkeys."); - } - } - else { - ::rptMsg($s_path." not found."); - ::logMsg($s_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# svc.pl +# Plugin for Registry Ripper; Access System hive file to get the +# services, display short format (hence "svc", shortened version +# of service.pl plugin) +# +# Change history +# 20080610 - created +# +# copyright 2008 H. 
Carvey +#----------------------------------------------------------- +package svc; +#use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080610); + +sub getConfig{return %config} +sub getShortDescr { + return "Lists services/drivers in Services key by LastWrite times (short format)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +# Reference for types and start types: +# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx +my %types = (0x001 => "Kernel driver", + 0x002 => "File system driver", + 0x010 => "Own_Process", + 0x020 => "Share_Process", + 0x100 => "Interactive"); + +my %starts = (0x00 => "Boot Start", + 0x01 => "System Start", + 0x02 => "Auto Start", + 0x03 => "Manual", + 0x04 => "Disabled"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching svc v.".$VERSION); + ::rptMsg("svc v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $s_path = $ccs."\\Services"; + my $svc; + my %svcs; + if ($svc = $root_key->get_subkey($s_path)) { + ::rptMsg($s_path); + ::rptMsg(getShortDescr()); + ::rptMsg(""); +# Get all subkeys and sort based on LastWrite times + my @subkeys = $svc->get_list_of_subkeys(); + if (scalar (@subkeys) > 0) { + foreach my $s (@subkeys) { + + my $type; + eval { + $type = $s->get_value("Type")->get_data(); + }; + + $name = $s->get_name(); + my $display; + eval { + $display 
= $s->get_value("DisplayName")->get_data(); + }; + + my $image; + eval { + $image = $s->get_value("ImagePath")->get_data(); + }; + + my $start; + eval { + $start = $s->get_value("Start")->get_data(); + if (exists $starts{$start}) { + $start = $starts{$start}; + } + }; + + my $object; + eval { + $object = $s->get_value("ObjectName")->get_data(); + }; + next if ($type == 0x001 || $type == 0x002); + my $str = $name.";".$display.";".$image.";".$type.";".$start.";".$object; + push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); + } + + foreach my $t (reverse sort {$a <=> $b} keys %svcs) { + ::rptMsg(gmtime($t)."Z"); + foreach my $item (@{$svcs{$t}}) { + my ($n,$d,$i,$t,$s,$o) = split(/;/,$item,6); + my $str = " ".$n; + + if ($i eq "") { + if ($d eq "") { + + } + else { + $str = $str." (".$d.")"; + } + } + else { + $str = $str." (".$i.")"; + } + + $str = $str." [".$o."]" unless ($o eq ""); + + ::rptMsg($str); + } + ::rptMsg(""); + } + + } + else { + ::rptMsg($s_path." has no subkeys."); + ::logMsg("Error: ".$s_path." has no subkeys."); + } + } + else { + ::rptMsg($s_path." not found."); + ::logMsg($s_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/svc2.pl b/RecentActivity/release/rr-full/plugins/svc2.pl old mode 100644 new mode 100755 similarity index 96% rename from thirdparty/rr/plugins/svc2.pl rename to RecentActivity/release/rr-full/plugins/svc2.pl index 0a12370371..33718a6a7c --- a/thirdparty/rr/plugins/svc2.pl +++ b/RecentActivity/release/rr-full/plugins/svc2.pl 
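Review bot: With `#use strict;` commented out, `$name = $s->get_name();` inside the subkey loop creates an undeclared package global, and `next if ($type == 0x001 || $type == 0x002);` compares an undef `$type` whenever the preceding `eval` failed; both would be surfaced by strict/warnings, so write `my $name = $s->get_name();` and re-enable `use strict;`. The `%types` map is defined but never consulted, so the raw numeric `$type` goes into the `;`-joined record while `$start` is mapped through `%starts`; `$type = $types{$type} if (exists $types{$type});` placed after the `next` test would make the two consistent. The inner `my ($n,$d,$i,$t,$s,$o)` also shadows the enclosing loop's `$t`, which is legal but easy to misread.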
@@ -1,148 +1,148 @@ -#----------------------------------------------------------- -# svc2.pl -# Plugin for Registry Ripper; Access System hive file to get the -# services, display short format (hence "svc", shortened version -# of service.pl plugin); outputs info in .csv format -# -# Change history -# 20081129 - created -# -# Ref: -# http://msdn.microsoft.com/en-us/library/aa394073(VS.85).aspx -# -# Analysis Tip: Several services keys have Parameters subkeys that point to -# the ServiceDll value; During intrusions, a service key may be added to -# the system's Registry; using this module, send the output to .csv format -# and sort on column B to get the names to line up -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package svc2; -#use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081129); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists Services key contents by LastWrite times (CSV)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %types = (0x001 => "Kernel driver", - 0x002 => "File system driver", - 0x004 => "Adapter", - 0x010 => "Own_Process", - 0x020 => "Share_Process", - 0x100 => "Interactive"); - -my %starts = (0x00 => "Boot Start", - 0x01 => "System Start", - 0x02 => "Auto Start", - 0x03 => "Manual", - 0x04 => "Disabled"); - -sub pluginmain { - my $class = shift; - my $hive = shift; -# ::logMsg("Launching svc2 v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = 
$key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $s_path = $ccs."\\Services"; - my $svc; - my %svcs; - if ($svc = $root_key->get_subkey($s_path)) { -# ::rptMsg($s_path); -# ::rptMsg(getShortDescr()); -# ::rptMsg(""); -# Get all subkeys and sort based on LastWrite times - my @subkeys = $svc->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - $name = $s->get_name(); - my $display; - eval { - $display = $s->get_value("DisplayName")->get_data(); -# take commas out of the display name, replace w/ semi-colons - $display =~ s/,/;/g; - }; - - my $type; - eval { - $type = $s->get_value("Type")->get_data(); - $type = $types{$type} if (exists $types{$type}); - - }; - - my $image; - eval { - $image = $s->get_value("ImagePath")->get_data(); - }; - - my $start; - eval { - $start = $s->get_value("Start")->get_data(); - $start = $starts{$start} if (exists $starts{$start}); - }; - - my $object; - eval { - $object = $s->get_value("ObjectName")->get_data(); - }; - - my $str = $name."\|".$display."\|".$image."\|".$type."\|".$start."\|".$object; - push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); -# Get ServiceDll value if there is one - eval { - my $para = $s->get_subkey("Parameters"); - my $dll = $para->get_value("ServiceDll")->get_data(); - my $str = $name."\\Parameters\|\|".$dll."\|\|\|"; - push(@{$svcs{$para->get_timestamp()}},$str); - }; - - } - - foreach my $t (reverse sort {$a <=> $b} keys %svcs) { -# ::rptMsg(gmtime($t)."Z"); - foreach my $item (@{$svcs{$t}}) { - my ($n,$d,$i,$t2,$s,$o) = split(/\|/,$item,6); -# ::rptMsg($t.",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o); - ::rptMsg(gmtime($t)."Z".",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o); - } - } - } - else { - ::rptMsg($s_path." has no subkeys."); - ::logMsg("Error: ".$s_path." has no subkeys."); - } - } - else { - ::rptMsg($s_path." not found."); - ::logMsg($s_path." not found."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::logMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# svc2.pl +# Plugin for Registry Ripper; Access System hive file to get the +# services, display short format (hence "svc", shortened version +# of service.pl plugin); outputs info in .csv format +# +# Change history +# 20081129 - created +# +# Ref: +# http://msdn.microsoft.com/en-us/library/aa394073(VS.85).aspx +# +# Analysis Tip: Several services keys have Parameters subkeys that point to +# the ServiceDll value; During intrusions, a service key may be added to +# the system's Registry; using this module, send the output to .csv format +# and sort on column B to get the names to line up +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package svc2; +#use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20081129); + +sub getConfig{return %config} +sub getShortDescr { + return "Lists Services key contents by LastWrite times (CSV)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my %types = (0x001 => "Kernel driver", + 0x002 => "File system driver", + 0x004 => "Adapter", + 0x010 => "Own_Process", + 0x020 => "Share_Process", + 0x100 => "Interactive"); + +my %starts = (0x00 => "Boot Start", + 0x01 => "System Start", + 0x02 => "Auto Start", + 0x03 => "Manual", + 0x04 => "Disabled"); + +sub pluginmain { + my $class = shift; + my $hive = shift; +# ::logMsg("Launching svc2 v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current 
= $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $s_path = $ccs."\\Services"; + my $svc; + my %svcs; + if ($svc = $root_key->get_subkey($s_path)) { +# ::rptMsg($s_path); +# ::rptMsg(getShortDescr()); +# ::rptMsg(""); +# Get all subkeys and sort based on LastWrite times + my @subkeys = $svc->get_list_of_subkeys(); + if (scalar (@subkeys) > 0) { + foreach my $s (@subkeys) { + $name = $s->get_name(); + my $display; + eval { + $display = $s->get_value("DisplayName")->get_data(); +# take commas out of the display name, replace w/ semi-colons + $display =~ s/,/;/g; + }; + + my $type; + eval { + $type = $s->get_value("Type")->get_data(); + $type = $types{$type} if (exists $types{$type}); + + }; + + my $image; + eval { + $image = $s->get_value("ImagePath")->get_data(); + }; + + my $start; + eval { + $start = $s->get_value("Start")->get_data(); + $start = $starts{$start} if (exists $starts{$start}); + }; + + my $object; + eval { + $object = $s->get_value("ObjectName")->get_data(); + }; + + my $str = $name."\|".$display."\|".$image."\|".$type."\|".$start."\|".$object; + push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); +# Get ServiceDll value if there is one + eval { + my $para = $s->get_subkey("Parameters"); + my $dll = $para->get_value("ServiceDll")->get_data(); + my $str = $name."\\Parameters\|\|".$dll."\|\|\|"; + push(@{$svcs{$para->get_timestamp()}},$str); + }; + + } + + foreach my $t (reverse sort {$a <=> $b} keys %svcs) { +# ::rptMsg(gmtime($t)."Z"); + foreach my $item (@{$svcs{$t}}) { + my ($n,$d,$i,$t2,$s,$o) = split(/\|/,$item,6); +# ::rptMsg($t.",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o); + ::rptMsg(gmtime($t)."Z".",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o); + } + } + } + else { + ::rptMsg($s_path." has no subkeys."); + ::logMsg("Error: ".$s_path." has no subkeys."); + } + } + else { + ::rptMsg($s_path." not found."); + ::logMsg($s_path." not found."); + } + } + else { + ::rptMsg($key_path." 
not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/svc_plus.pl b/RecentActivity/release/rr-full/plugins/svc_plus.pl new file mode 100755 index 0000000000..82ba8fdb46 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/svc_plus.pl 
@@ -0,0 +1,182 @@ +#----------------------------------------------------------- +# svc_plus.pl +# Plugin for Registry Ripper; Access System hive file to get the +# services, display short format (hence "svc", shortened version +# of service.pl plugin) +# +# Change history +# 20080610 [hca] % created +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# Author Elizabeth schweinsberg bethlogic@gmail.com +# based on svc2.pl copyright 2008 H. Carvey +#----------------------------------------------------------- +package svc_plus; +#use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120625); + +sub getConfig{return %config} +sub getShortDescr { + return "Lists services/drivers in Services key by LastWrite times in a short format with warnings for type mismatches\n^^^^ Indicates non-standard Type\n<<<< Indicates Start mismatch for Driver\n**** Indicates ObjectName mismatch for Driver\n>>>> Indicates Start mismatch for Service\n++++ Indicates nonstandard ObjectName for Service."; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +# Reference for types and start types: +# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx +my %types = (0x001 => "Kernel driver", + 0x002 => "File system driver", + 0x010 => "Own_Process", + 0x020 => "Share_Process", + 0x100 => "Interactive"); + +my %starts = (0x00 => "Boot Start", + 0x01 => "System Start", + 0x02 => "Auto Start", + 0x03 => "Manual", + 0x04 => "Disabled"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching svc_plus v.".$VERSION); + ::rptMsg("svc_plus v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get 
the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $s_path = $ccs."\\Services"; + my $svc; + my %svcs; + if ($svc = $root_key->get_subkey($s_path)) { + ::rptMsg($s_path); + ::rptMsg(getShortDescr()); + ::rptMsg(""); + # Get all subkeys and sort based on LastWrite times + my @subkeys = $svc->get_list_of_subkeys(); + if (scalar (@subkeys) > 0) { + foreach my $s (@subkeys) { + + my $type; + eval { + $type = $s->get_value("Type")->get_data(); + }; + + $name = $s->get_name(); + my $display; + eval { + $display = $s->get_value("DisplayName")->get_data(); + # take commas out of the display name, replace w/ semi-colons + $display =~ s/,/;/g; + }; + + my $image; + eval { + $image = $s->get_value("ImagePath")->get_data(); + }; + + my $start; + eval { + $start = $s->get_value("Start")->get_data(); + }; + + my $object; + eval { + $object = $s->get_value("ObjectName")->get_data(); + }; + # Check for the proper start for each type + if ($type == 0x001 || $type == 0x002) { + if ($start == 0x002) { + $start = "<<<<".$starts{$start}; + } + else { + if (exists $starts{$start}) { + $start = $starts{$start}; + } + } + # Drivers should not have an object + if ($object ne "") { + $object = "++++".$object; + } + } + if ($type == 0x010 || $type == 0x020 || $type == 0x100) { + if ($start == 0x000 || $start == 0x001) { + $start = ">>>>".$starts{$start} + } + else { + if (exists $starts{$start}) { + $start = $starts{$start}; + } + } + # Services MUST have an ObjectName, and if it's not one of these 3, check it out + @list = ("nt authority\\localservice", "nt authority\\networkservice", "localsystem"); + if (grep {"$_" eq lc($object)} @list ) { + } + else { + $object = "****".$object; + } + } + + if (exists $types{$type}) { + 
$type = $types{$types}; + } + else { + $type = "^^^^".$type; + } + my $str = $name."\|".$display."\|".$image."\|".$type."\|".$start."\|".$object; + push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); + # Get ServiceDll value if there is one + eval { + my $para = $s->get_subkey("Parameters"); + my $dll = $para->get_value("ServiceDll")->get_data(); + my $str = $name."\\Parameters\|\|".$dll."\|\|\|"; + push(@{$svcs{$para->get_timestamp()}},$str); + }; + } + + foreach my $t (reverse sort {$a <=> $b} keys %svcs) { + foreach my $item (@{$svcs{$t}}) { + my ($n,$d,$i,$t2,$s,$o) = split(/\|/,$item,6); + ::rptMsg(gmtime($t)."Z".",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o); + } + } + + } + else { + ::rptMsg($s_path." has no subkeys."); + ::logMsg("Error: ".$s_path." has no subkeys."); + } + } + else { + ::rptMsg($s_path." not found."); + ::logMsg($s_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + +1; diff --git a/thirdparty/rr/plugins/svcdll.pl b/RecentActivity/release/rr-full/plugins/svcdll.pl old mode 100644 new mode 100755 similarity index 93% rename from thirdparty/rr/plugins/svcdll.pl rename to RecentActivity/release/rr-full/plugins/svcdll.pl index 3cfbcd2f24..ec5b9b1edf --- a/thirdparty/rr/plugins/svcdll.pl +++ b/RecentActivity/release/rr-full/plugins/svcdll.pl 
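Review bot: `$type = $types{$types};` near the end of the per-service loop indexes the hash with the undefined scalar `$types` instead of `$type`, so every recognised Type prints as an empty string and only the unrecognised `^^^^` path ever shows a value; it should read `$type = $types{$type};`. The marker legend in getShortDescr is the reverse of what the code emits: the driver branch prefixes a non-empty ObjectName with `++++` and the service branch prefixes a non-standard ObjectName with `****`, while the legend documents `****` for drivers and `++++` for services, so either the two prefixes or the two legend lines need swapping. With `use strict` commented out, `$name` and `@list` are undeclared globals; declaring them with `my` and re-enabling strict (as svcdll.pl does) would have caught the `$types` typo at compile time.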
@@ -1,131 +1,133 @@ -#----------------------------------------------------------- -# svcdll.pl -# -# Change history -# 20091104 - created -# -# Ref: -# http://msdn.microsoft.com/en-us/library/aa394073(VS.85).aspx -# -# Analysis Tip: Several services keys have Parameters subkeys that point to -# the ServiceDll value; During intrusions, a service key may be added to -# the system's Registry; this module provides a quick look, displaying the -# Service names (in malware, sometimes random) and the ServiceDll value, -# sorted based on the LastWrite time of the \Parameters subkey. -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package svcdll; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091104); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists Services keys with ServiceDll values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -#my %types = (0x001 => "Kernel driver", -# 0x002 => "File system driver", -# 0x004 => "Adapter", -# 0x010 => "Own_Process", -# 0x020 => "Share_Process", -# 0x100 => "Interactive"); - -#my %starts = (0x00 => "Boot Start", -# 0x01 => "System Start", -# 0x02 => "Auto Start", -# 0x03 => "Manual", -# 0x04 => "Disabled"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching svcdll v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $s_path = $ccs."\\Services"; - my $svc; - my 
%svcs; - if ($svc = $root_key->get_subkey($s_path)) { - -# Get all subkeys and sort based on LastWrite times - my @subkeys = $svc->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); -# my $display; -# eval { -# $display = $s->get_value("DisplayName")->get_data(); -# }; - -# my $type; -# eval { -# $type = $s->get_value("Type")->get_data(); -# $type = $types{$type} if (exists $types{$type}); -# }; - -# my $image; -# eval { -# $image = $s->get_value("ImagePath")->get_data(); -# }; - -# my $start; -# eval { -# $start = $s->get_value("Start")->get_data(); -# $start = $starts{$start} if (exists $starts{$start}); -# }; - - my $dll; - eval { - $dll = $s->get_subkey("Parameters")->get_value("ServiceDll")->get_data(); - my $str = $name." -> ".$dll; - push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); - }; - } - - foreach my $t (reverse sort {$a <=> $b} keys %svcs) { - ::rptMsg(gmtime($t)."Z"); - foreach my $item (@{$svcs{$t}}) { - ::rptMsg(" ".$item); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($s_path." has no subkeys."); - ::logMsg("Error: ".$s_path." has no subkeys."); - } - } - else { - ::rptMsg($s_path." not found."); - ::logMsg($s_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# svcdll.pl +# +# Change history +# 20091104 - created +# +# Ref: +# http://msdn.microsoft.com/en-us/library/aa394073(VS.85).aspx +# +# Analysis Tip: Several services keys have Parameters subkeys that point to +# the ServiceDll value; During intrusions, a service key may be added to +# the system's Registry; this module provides a quick look, displaying the +# Service names (in malware, sometimes random) and the ServiceDll value, +# sorted based on the LastWrite time of the \Parameters subkey. +# +# copyright 2009 H. 
Carvey +#----------------------------------------------------------- +package svcdll; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20091104); + +sub getConfig{return %config} +sub getShortDescr { + return "Lists Services keys with ServiceDll values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +#my %types = (0x001 => "Kernel driver", +# 0x002 => "File system driver", +# 0x004 => "Adapter", +# 0x010 => "Own_Process", +# 0x020 => "Share_Process", +# 0x100 => "Interactive"); + +#my %starts = (0x00 => "Boot Start", +# 0x01 => "System Start", +# 0x02 => "Auto Start", +# 0x03 => "Manual", +# 0x04 => "Disabled"); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching svcdll v.".$VERSION); + ::rptMsg("svcdll v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $s_path = $ccs."\\Services"; + my $svc; + my %svcs; + if ($svc = $root_key->get_subkey($s_path)) { + +# Get all subkeys and sort based on LastWrite times + my @subkeys = $svc->get_list_of_subkeys(); + if (scalar (@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); +# my $display; +# eval { +# $display = $s->get_value("DisplayName")->get_data(); +# }; + +# my $type; +# eval { +# $type = $s->get_value("Type")->get_data(); +# $type = $types{$type} if (exists $types{$type}); +# }; + +# my $image; +# eval { +# $image = 
$s->get_value("ImagePath")->get_data(); +# }; + +# my $start; +# eval { +# $start = $s->get_value("Start")->get_data(); +# $start = $starts{$start} if (exists $starts{$start}); +# }; + + my $dll; + eval { + $dll = $s->get_subkey("Parameters")->get_value("ServiceDll")->get_data(); + my $str = $name." -> ".$dll; + push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); + }; + } + + foreach my $t (reverse sort {$a <=> $b} keys %svcs) { + ::rptMsg(gmtime($t)."Z"); + foreach my $item (@{$svcs{$t}}) { + ::rptMsg(" ".$item); + } + ::rptMsg(""); + } + } + else { + ::rptMsg($s_path." has no subkeys."); + ::logMsg("Error: ".$s_path." has no subkeys."); + } + } + else { + ::rptMsg($s_path." not found."); + ::logMsg($s_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/svchost.pl b/RecentActivity/release/rr-full/plugins/svchost.pl old mode 100644 new mode 100755 similarity index 88% rename from thirdparty/rr/plugins/svchost.pl rename to RecentActivity/release/rr-full/plugins/svchost.pl index 481d08ca46..ce097da173 --- a/thirdparty/rr/plugins/svchost.pl +++ b/RecentActivity/release/rr-full/plugins/svchost.pl 
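Review bot: The header comment says entries are sorted on the LastWrite time of the `\Parameters` subkey, but the push keys on `$s->get_timestamp()`, which is the service key itself; capturing the Parameters key first and using its timestamp, as svc2.pl does with `$para->get_timestamp()`, would make the output match the documented sort. The `unless ($str eq "")` guard is dead because `$str` always contains `" -> "`, and because the push sits inside the eval a parse error on a present ServiceDll is dropped silently along with the normal "no Parameters" case; `push(@{$svcs{$s->get_timestamp()}}, $name." -> ".$dll) if (defined $dll);` placed after the eval keeps the two apart.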
@@ -1,74 +1,76 @@ -#----------------------------------------------------------- -# svchost -# Plugin to get data from Security Center keys -# -# Change History: -# 20100322 - created -# -# References: -# http://support.microsoft.com/kb/314056 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package svchost; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100322); - -sub getConfig{return %config} -sub getShortDescr { - return "Get entries from SvcHost key"; -} -sub getDescr{} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my $infected = 0; - ::logMsg("Launching secctr v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = 'Microsoft\Windows NT\CurrentVersion\SvcHost'; - my $key; - ::rptMsg("svchost"); - ::rptMsg(""); - - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my @data = $v->get_data(); - my $d; - if (scalar(@data) > 1) { - $d = join(',',@data); - } - else { - $d = $data[0]; - } - my $str = sprintf "%-15s %-55s",$v->get_name(),$d; - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::rptMsg(""); - } -} +#----------------------------------------------------------- +# svchost +# Plugin to get data from Security Center keys +# +# Change History: +# 20100322 - created +# +# References: +# http://support.microsoft.com/kb/314056 +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package svchost; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100322); + +sub getConfig{return %config} +sub getShortDescr { + return "Get entries from SvcHost key"; +} +sub getDescr{} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my $infected = 0; + ::logMsg("Launching svchost v.".$VERSION); + ::rptMsg("svchost v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = 'Microsoft\Windows NT\CurrentVersion\SvcHost'; + my $key; + ::rptMsg("svchost"); + ::rptMsg(""); + + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my @data = $v->get_data(); + my $d; + if (scalar(@data) > 1) { + $d = join(',',@data); + } + else { + $d = $data[0]; + } + my $str = sprintf "%-15s %-55s",$v->get_name(),$d; + ::rptMsg($str); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::rptMsg(""); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/sysinternals.pl b/RecentActivity/release/rr-full/plugins/sysinternals.pl new file mode 100755 index 0000000000..6d9d81e54e 
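Review bot: The header comment still reads `# Plugin to get data from Security Center keys`, the secctr.pl description this file was copied from; the commit fixes the copied `Launching secctr` log message but leaves the comment, which should become `# Plugin to get data from the SvcHost key`. The two new banner lines are immediately followed by the pre-existing `::rptMsg("svchost");`, so the report now carries the plugin name twice; dropping that line would match the other plugins in this commit. `my $infected = 0;` is never read and can be removed.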
--- /dev/null
+++ b/RecentActivity/release/rr-full/plugins/sysinternals.pl
@@ -0,0 +1,75 @@
+#-----------------------------------------------------------
+# sysinternals.pl
+#
+#
+# Change history
+# 20120608- created
+#
+# References
+#
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package sysinternals;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Checks for SysInternals apps keys";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching sysinternals v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\SysInternals';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("SysInternals");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
+
+ my $eula;
+ eval {
+ $eula = $s->get_value("EulaAccepted")->get_data();
+ };
+ if ($@) {
+ ::rptMsg(" EulaAccepted value not found.");
+ }
+ else {
+ ::rptMsg(" EulaAccepted: ".$eula);
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/sysinternals_tln.pl b/RecentActivity/release/rr-full/plugins/sysinternals_tln.pl
new file mode 100755
index 0000000000..8f49f1ffef
--- /dev/null
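Review bot: `version => 20080324` disagrees with the change-history line `20120608- created` a few lines above it, so the `Launching sysinternals v.` log line reports a date four years before this plugin existed; sysinternals_tln.pl carries the same mismatch. `hive => "NTUSER\.DAT"` is a double-quoted string, so `\.` is an unrecognised escape that Perl reduces to `.` and warns about under `-w`; `hive => 'NTUSER.DAT'` says the same thing cleanly, again in both files. The `eval` around `get_value("EulaAccepted")` reports every failure as `EulaAccepted value not found.`, which also hides a parse error on a value that is present; distinguishing an undefined `get_value` result from a non-empty `$@` would keep the two cases apart in the report.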
+++ b/RecentActivity/release/rr-full/plugins/sysinternals_tln.pl
@@ -0,0 +1,76 @@
+#-----------------------------------------------------------
+# sysinternals_tln.pl
+#
+#
+# Change history
+# 20120608- created
+#
+# References
+#
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package sysinternals_tln;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20080324);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Checks for SysInternals apps keys (TLN)";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching sysinternals_tln v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Software\\SysInternals';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg("SysInternals");
+# ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $lw = $s->get_timestamp();
+ my $str = $key_path."\\".$s->get_name();
+
+ my $eula;
+ eval {
+ $eula = $s->get_value("EulaAccepted")->get_data();
+ };
+ if ($@) {
+ $str .= " (EulaAccepted value not found)";
+ }
+ else {
+ $str .= " (EulaAccepted)";
+ }
+ ::rptMsg($lw."|REG|||[Program Execution] ".$str);
+ }
+ }
+ else {
+# ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+# ::rptMsg($key_path." not found.");
+ }
+}
+
+1;
\ No newline at end of file
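Review bot: The TLN description appends ` (EulaAccepted)` whenever the value can be read, regardless of its data, so an entry whose EulaAccepted is 0 is reported with the same text as one set to 1; the non-TLN sysinternals.pl prints the data and this one should too, e.g. `$str .= " (EulaAccepted: ".$eula.")";`. The first TLN field is the subkey's LastWrite time, which reflects the last change to that key rather than necessarily the first run of the tool, so a comment above `my $lw = $s->get_timestamp();` such as `# subkey LastWrite time, not an execution timestamp` would guard against over-reading the `[Program Execution]` tag.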
diff --git a/thirdparty/rr/plugins/system b/RecentActivity/release/rr-full/plugins/system
old mode 100644
new mode 100755
similarity index 51%
rename from thirdparty/rr/plugins/system
rename to RecentActivity/release/rr-full/plugins/system
index 366c10fc62..2c5adceb32
--- a/thirdparty/rr/plugins/system
+++ b/RecentActivity/release/rr-full/plugins/system
@@ -1,36 +1,50 @@
-#-------------------------------------
-# System
-compname
-xpedition
-producttype
-dllsearch
-termserv
-rdpport
-shutdown
-shutdowncount
-nolmhash
-timezone
-disablelastaccess
-eventlog
-auditfail
-crashcontrol
-kbdcrash
-pagefile
-hibernate
-mountdev
-routes
-network
-nic_mst2
-nic
-nic2
-fw_config
-ide
-shares
-svc2
-svcdll
-imagedev
-legacy
-stillimage
-usbdevices
-usbstor
-devclass
\ No newline at end of file
+# 20120528 *ALL* Plugins that apply on SYSTEM hive, alphabetical order
+appcertdlls
+appcompatcache
+auditfail
+backuprestore
+compname
+crashcontrol
+ddm
+devclass
+disablelastaccess
+dllsearch
+eventlog
+eventlogs
+fw_config
+hibernate
+ide
+imagedev
+kbdcrash
+legacy
+mountdev
+network
+nic
+nic_mst2
+nic2
+nolmhash
+pagefile
+prefetch
+productpolicy
+producttype
+rdpport
+routes
+safeboot
+services
+shares
+shutdown
+shutdowncount
+stillimage
+svc
+svc2
+svc_plus
+svcdll
+termserv
+timezone
+usb
+usbdevices
+usbstor
+usbstor2
+usbstor3
+xpedition
+wpdbusenum
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/systemindex.pl b/RecentActivity/release/rr-full/plugins/systemindex.pl
new file mode 100755
index 0000000000..75b5cac7fd
--- /dev/null
+++ b/RecentActivity/release/rr-full/plugins/systemindex.pl
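Review bot: The new header line promises alphabetical order, but the list ends `xpedition` then `wpdbusenum`; swapping those two entries keeps the claim true. Only `svc`, `svc2`, `svc_plus`, `svcdll` and `system`-hive plugins that appear elsewhere in this commit can be confirmed from this chunk; names such as `prefetch`, `eventlogs`, `productpolicy`, `safeboot`, `services`, `usb`, `usbstor2` and `usbstor3` are not visible here, so a check that each listed name has a matching `.pl` in rr-full/plugins would avoid a profile that stops partway through a run.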
@@ -0,0 +1,71 @@
+#-----------------------------------------------------------
+# systemindex.pl
+#
+# Note: Andrew Case pointed out this key to me on 16 July 2012,
+# and after seeing what was in it, I just wrote up a plugin
+#
+# History:
+# 20120716 - created
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package systemindex;
+use strict;
+
+my %config = (hive => "Software",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 1,
+ osmask => 22,
+ version => 20120716);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets systemindex\\..\\Paths info from Windows Search key";
+}
+sub getDescr{}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching systemindex v.".$VERSION);
+ ::rptMsg("Launching systemindex v.".$VERSION);
+ ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key;
+ my $key_path = "Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\Sites\\LocalHost\\Paths";
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $name = $s->get_name();
+ my $ts = $s->get_timestamp();
+ ::rptMsg($name." - LastWrite: ".gmtime($ts));
+
+ my $path;
+ eval {
+ $path = $s->get_value("Path")->get_data();
+ ::rptMsg("Path: ".$path);
+ };
+
+
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
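Review bot: `hasRefs => 1` is set but no `getRefs` sub is defined, whereas every other plugin in this commit declares `sub getRefs {}` next to `hasRefs => 0`; if the host calls getRefs when hasRefs is set this will die with an undefined-subroutine error, so either add `sub getRefs {}` or set `hasRefs => 0`. The second banner line repeats the log text `Launching systemindex v.` where the other plugins print only the name, e.g. `::rptMsg("systemindex v.".$VERSION);`. The `eval` around the Path read discards `$@`, so a subkey with no Path value is indistinguishable in the report from one whose value failed to parse; emitting `Path value not found.` when `$@` is set would mirror sysinternals.pl.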
diff --git a/thirdparty/rr/plugins/termcert.pl b/RecentActivity/release/rr-full/plugins/termcert.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/termcert.pl rename to RecentActivity/release/rr-full/plugins/termcert.pl index 81e4b37505..1871dc5035 --- a/thirdparty/rr/plugins/termcert.pl +++ b/RecentActivity/release/rr-full/plugins/termcert.pl 
@@ -1,96 +1,98 @@ -#----------------------------------------------------------- -# termcert.pl -# Plugin for Registry Ripper; -# -# Change history -# 20110316 - created -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package termcert; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20110316); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Terminal Server certificate"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching termcert v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $ts_path = $ccs."\\Services\\TermService\\Parameters"; - my $ts; - if ($ts = $root_key->get_subkey($ts_path)) { - ::rptMsg($ts_path); - ::rptMsg("LastWrite Time ".gmtime($ts->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $cert; - eval { - $cert = $ts->get_value("Certificate")->get_raw_data(); - - printSector($cert); - }; - ::rptMsg("Certificate value not found.") if ($@); - } - else { - ::rptMsg($ts_path." not found."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub printSector { - my $data = shift; - my $len = length($data); - my $remaining = $len; - my $i = 0; - - while ($remaining > 0) { - my $seg1 = substr($data,$i * 16,16); - my @str1 = split(//,unpack("H*",$seg1)); - - my @s3; - foreach my $i (0..15) { - $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; - } - - my $h = join(' ',@s3); - my @s1 = unpack("A*",$seg1); - my $s2 = join('',@s1); - $s2 =~ s/\W/\./g; - - ::rptMsg(sprintf "%-50s %-20s",$h,$s2); - $i++; - $remaining -= 16; - } -} - +#----------------------------------------------------------- +# termcert.pl +# Plugin for Registry Ripper; +# +# Change history +# 20110316 - created +# +# copyright 2011 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package termcert; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20110316); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets Terminal Server certificate"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching termcert v.".$VERSION); + ::rptMsg("termcert v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $ts_path = $ccs."\\Services\\TermService\\Parameters"; + my $ts; + if ($ts = $root_key->get_subkey($ts_path)) { + ::rptMsg($ts_path); + ::rptMsg("LastWrite Time 
".gmtime($ts->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my $cert; + eval { + $cert = $ts->get_value("Certificate")->get_raw_data(); + + printSector($cert); + }; + ::rptMsg("Certificate value not found.") if ($@); + } + else { + ::rptMsg($ts_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +sub printSector { + my $data = shift; + my $len = length($data); + my $remaining = $len; + my $i = 0; + + while ($remaining > 0) { + my $seg1 = substr($data,$i * 16,16); + my @str1 = split(//,unpack("H*",$seg1)); + + my @s3; + foreach my $i (0..15) { + $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; + } + + my $h = join(' ',@s3); + my @s1 = unpack("A*",$seg1); + my $s2 = join('',@s1); + $s2 =~ s/\W/\./g; + + ::rptMsg(sprintf "%-50s %-20s",$h,$s2); + $i++; + $remaining -= 16; + } +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/termserv.pl b/RecentActivity/release/rr-full/plugins/termserv.pl old mode 100644 new mode 100755 similarity index 79% rename from thirdparty/rr/plugins/termserv.pl rename to RecentActivity/release/rr-full/plugins/termserv.pl index 010e3aed5e..9eac550290 --- a/thirdparty/rr/plugins/termserv.pl +++ b/RecentActivity/release/rr-full/plugins/termserv.pl 
@@ -1,137 +1,161 @@ -#----------------------------------------------------------- -# termserv.pl -# Plugin for Registry Ripper; -# -# Change history -# 20100713 - Updated to include additional values, based on references -# 20100119 - updated -# 20090727 - created -# -# References -# Change TS listening port number - http://support.microsoft.com/kb/187623 -# Examining TS key - http://support.microsoft.com/kb/243215 -# Win2K8 TS stops listening - http://support.microsoft.com/kb/954398 -# XP/Win2K3 TSAdvertise value - http://support.microsoft.com/kb/281307 -# AllowTSConnections value - http://support.microsoft.com/kb/305608 -# TSEnabled value - http://support.microsoft.com/kb/222992 -# TSUserEnabled value - http://support.microsoft.com/kb/238965 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package termserv; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100713); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Terminal Server values from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching termserv v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $ts_path = $ccs."\\Control\\Terminal Server"; - my $ts; - if ($ts = $root_key->get_subkey($ts_path)) { - ::rptMsg($ts_path); - ::rptMsg("LastWrite Time 
".gmtime($ts->get_timestamp())." (UTC)"); - ::rptMsg(""); - ::rptMsg("Reference: http://support.microsoft.com/kb/243215"); - ::rptMsg(""); - - my $ver; - eval { - $ver = $ts->get_value("ProductVersion")->get_data(); - ::rptMsg(" ProductVersion = ".$ver); - }; - ::rptMsg(""); - - my $fdeny; - eval { - $fdeny = $ts->get_value("fDenyTSConnections")->get_data(); - ::rptMsg(" fDenyTSConnections = ".$fdeny); - ::rptMsg(" 1 = connections denied"); - }; - ::rptMsg("fDenyTSConnections value not found.") if ($@); - ::rptMsg(""); - - my $allow; - eval { - $allow = $ts->get_value("AllowTSConnections")->get_data(); - ::rptMsg(" AllowTSConnections = ".$allow); - ::rptMsg(" Ref: http://support.microsoft.com/kb/305608"); - }; - ::rptMsg(""); - - my $ad; - eval { - $ad = $ts->get_value("TSAdvertise")->get_data(); - ::rptMsg(" TSAdvertise = ".$ad); - ::rptMsg(" 0 = disabled, 1 = enabled (advertise Terminal Services)"); - ::rptMsg(" Ref: http://support.microsoft.com/kb/281307"); - }; - ::rptMsg(""); - - my $enabled; - eval { - $enabled = $ts->get_value("TSEnabled")->get_data(); - ::rptMsg(" TSEnabled = ".$enabled); - ::rptMsg(" 0 = disabled, 1 = enabled (Terminal Services enabled)"); - ::rptMsg(" Ref: http://support.microsoft.com/kb/222992"); - }; - ::rptMsg(""); - - my $user; - eval { - $user = $ts->get_value("TSUserEnabled")->get_data(); - ::rptMsg(" TSUserEnabled = ".$user); - ::rptMsg(" 1 = All users logging in are automatically part of the"); - ::rptMsg(" built-in Terminal Server User group. 0 = No one is a"); - ::rptMsg(" member of the built-in group."); - ::rptMsg(" Ref: http://support.microsoft.com/kb/238965"); - }; - ::rptMsg(""); - - my $help; - eval { - $help = $ts->get_value("fAllowToGetHelp")->get_data(); - ::rptMsg(" fAllowToGetHelp = ".$user); - ::rptMsg(" 1 = Users can request assistance from friend or a "); - ::rptMsg(" support professional."); - ::rptMsg(" Ref: http://www.pctools.com/guides/registry/detail/1213/"); - }; - - } - else { - ::rptMsg($ts_path." 
not found."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# termserv.pl +# Plugin for Registry Ripper; +# +# Change history +# 20130307 - updated with autostart locations +# 20100713 - Updated to include additional values, based on references +# 20100119 - updated +# 20090727 - created +# +# Category: Autostart +# +# References +# Change TS listening port number - http://support.microsoft.com/kb/187623 +# Examining TS key - http://support.microsoft.com/kb/243215 +# Win2K8 TS stops listening - http://support.microsoft.com/kb/954398 +# XP/Win2K3 TSAdvertise value - http://support.microsoft.com/kb/281307 +# AllowTSConnections value - http://support.microsoft.com/kb/305608 +# TSEnabled value - http://support.microsoft.com/kb/222992 +# TSUserEnabled value - http://support.microsoft.com/kb/238965 +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package termserv; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20130307); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets Terminal Server values from System hive"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching termserv v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $ts_path = $ccs."\\Control\\Terminal 
Server"; + my $ts; + if ($ts = $root_key->get_subkey($ts_path)) { + ::rptMsg($ts_path); + ::rptMsg("LastWrite Time ".gmtime($ts->get_timestamp())." (UTC)"); + ::rptMsg(""); + ::rptMsg("Reference: http://support.microsoft.com/kb/243215"); + ::rptMsg(""); + + my $ver; + eval { + $ver = $ts->get_value("ProductVersion")->get_data(); + ::rptMsg(" ProductVersion = ".$ver); + }; + ::rptMsg(""); + + my $fdeny; + eval { + $fdeny = $ts->get_value("fDenyTSConnections")->get_data(); + ::rptMsg(" fDenyTSConnections = ".$fdeny); + ::rptMsg(" 1 = connections denied"); + }; + ::rptMsg("fDenyTSConnections value not found.") if ($@); + ::rptMsg(""); + + my $allow; + eval { + $allow = $ts->get_value("AllowTSConnections")->get_data(); + ::rptMsg(" AllowTSConnections = ".$allow); + ::rptMsg(" Ref: http://support.microsoft.com/kb/305608"); + }; + ::rptMsg(""); + + my $ad; + eval { + $ad = $ts->get_value("TSAdvertise")->get_data(); + ::rptMsg(" TSAdvertise = ".$ad); + ::rptMsg(" 0 = disabled, 1 = enabled (advertise Terminal Services)"); + ::rptMsg(" Ref: http://support.microsoft.com/kb/281307"); + }; + ::rptMsg(""); + + my $enabled; + eval { + $enabled = $ts->get_value("TSEnabled")->get_data(); + ::rptMsg(" TSEnabled = ".$enabled); + ::rptMsg(" 0 = disabled, 1 = enabled (Terminal Services enabled)"); + ::rptMsg(" Ref: http://support.microsoft.com/kb/222992"); + }; + ::rptMsg(""); + + my $user; + eval { + $user = $ts->get_value("TSUserEnabled")->get_data(); + ::rptMsg(" TSUserEnabled = ".$user); + ::rptMsg(" 1 = All users logging in are automatically part of the"); + ::rptMsg(" built-in Terminal Server User group. 
0 = No one is a"); + ::rptMsg(" member of the built-in group."); + ::rptMsg(" Ref: http://support.microsoft.com/kb/238965"); + }; + ::rptMsg(""); + + my $help; + eval { + $help = $ts->get_value("fAllowToGetHelp")->get_data(); + ::rptMsg(" fAllowToGetHelp = ".$user); + ::rptMsg(" 1 = Users can request assistance from friend or a "); + ::rptMsg(" support professional."); + ::rptMsg(" Ref: http://www.pctools.com/guides/registry/detail/1213/"); + }; + + ::rptMsg("AutoStart Locations"); + eval { + my $start = $ts->get_subkey("Wds\\rdpwd")->get_value("StartupPrograms")->get_data(); + ::rptMsg("Wds\\rdpwd key"); + ::rptMsg(" StartupPrograms: ".$start); + ::rptMsg("Analysis Tip: This value usually contains 'rdpclip'; any additional entries "); + ::rptMsg("should be investigated\."); + ::rptMsg(""); + }; + ::rptMsg(" StartupPrograms value not found\.") if ($@); + + eval { + my $init = $ts->get_subkey("WinStations\\RDP-Tcp")->get_value("InitialProgram")->get_data(); + ::rptMsg("WinStations\\RDP-Tcp key"); + $init = "{blank}" if ($init eq ""); + ::rptMsg(" InitialProgram: ".$init); + ::rptMsg("Analysis Tip: Maybe be empty; appears as '{blank}'"); + }; + ::rptMsg(" InitialProgram value not found\.") if ($@); + + + } + else { + ::rptMsg($ts_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/timezone.pl b/RecentActivity/release/rr-full/plugins/timezone.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/timezone.pl rename to RecentActivity/release/rr-full/plugins/timezone.pl index fa3f38729d..81655c82f0 --- a/thirdparty/rr/plugins/timezone.pl +++ b/RecentActivity/release/rr-full/plugins/timezone.pl 
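Review bot: The `fAllowToGetHelp` block reports the wrong variable: it reads the value into `$help` but prints `" fAllowToGetHelp = ".$user`, so the report shows the `TSUserEnabled` value (or an empty string if that read failed) under the fAllowToGetHelp label; change it to `::rptMsg(" fAllowToGetHelp = ".$help);`. This is carried over from the old side, so the commit does not introduce it, but it is in the file being vendored. In the new AutoStart section, `"should be investigated\."` and `" StartupPrograms value not found\."` use `\.` inside double-quoted strings, which Perl passes through as a plain `.` but flags as an unrecognised escape under `use warnings`; drop the backslashes. Unlike termcert.pl, timezone.pl and tsclient.pl in this same commit, termserv's `pluginmain` gets no `::rptMsg` banner lines, so the report will not name the plugin and hive before its output.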
@@ -1,88 +1,90 @@ -#----------------------------------------------------------- -# timezone.pl -# Plugin for Registry Ripper; Access System hive file to get the -# contents of the TimeZoneInformation key -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/102986 -# http://support.microsoft.com/kb/207563 -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package timezone; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Get TimeZoneInformation key contents"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching timezone v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $tz_path = $ccs."\\Control\\TimeZoneInformation"; - my $tz; - if ($tz = $root_key->get_subkey($tz_path)) { - ::rptMsg("TimeZoneInformation key"); - ::rptMsg($tz_path); - ::rptMsg("LastWrite Time ".gmtime($tz->get_timestamp())." (UTC)"); - my %tz_vals; - my @vals = $tz->get_list_of_values(); - if (scalar(@vals) > 0) { - map{$tz_vals{$_->get_name()} = $_->get_data()}(@vals); - - ::rptMsg(" DaylightName -> ".$tz_vals{"DaylightName"}); - ::rptMsg(" StandardName -> ".$tz_vals{"StandardName"}); - - my $bias = $tz_vals{"Bias"}/60; - my $atbias = $tz_vals{"ActiveTimeBias"}/60; - - ::rptMsg(" Bias -> ".$tz_vals{"Bias"}." 
(".$bias." hours)"); - ::rptMsg(" ActiveTimeBias -> ".$tz_vals{"ActiveTimeBias"}." (".$atbias." hours)"); - - } - else { - ::rptMsg($tz_path." has no values."); - ::logMsg($tz_path." has no values."); - } - } - else { - ::rptMsg($tz_path." could not be found."); - ::logMsg($tz_path." could not be found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# timezone.pl +# Plugin for Registry Ripper; Access System hive file to get the +# contents of the TimeZoneInformation key +# +# Change history +# +# +# References +# http://support.microsoft.com/kb/102986 +# http://support.microsoft.com/kb/207563 +# +# +# copyright 2008 H. Carvey +#----------------------------------------------------------- +package timezone; +use strict; + +my %config = (hive => "System", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Get TimeZoneInformation key contents"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching timezone v.".$VERSION); + ::rptMsg("timezone v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; +# First thing to do is get the ControlSet00x marked current...this is +# going to be used over and over again in plugins that access the system +# file + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + my $ccs = "ControlSet00".$current; + my $tz_path = $ccs."\\Control\\TimeZoneInformation"; + my $tz; + if ($tz = $root_key->get_subkey($tz_path)) { + 
::rptMsg("TimeZoneInformation key"); + ::rptMsg($tz_path); + ::rptMsg("LastWrite Time ".gmtime($tz->get_timestamp())." (UTC)"); + my %tz_vals; + my @vals = $tz->get_list_of_values(); + if (scalar(@vals) > 0) { + map{$tz_vals{$_->get_name()} = $_->get_data()}(@vals); + + ::rptMsg(" DaylightName -> ".$tz_vals{"DaylightName"}); + ::rptMsg(" StandardName -> ".$tz_vals{"StandardName"}); + + my $bias = $tz_vals{"Bias"}/60; + my $atbias = $tz_vals{"ActiveTimeBias"}/60; + + ::rptMsg(" Bias -> ".$tz_vals{"Bias"}." (".$bias." hours)"); + ::rptMsg(" ActiveTimeBias -> ".$tz_vals{"ActiveTimeBias"}." (".$atbias." hours)"); + + } + else { + ::rptMsg($tz_path." has no values."); + ::logMsg($tz_path." has no values."); + } + } + else { + ::rptMsg($tz_path." could not be found."); + ::logMsg($tz_path." could not be found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/tracing.pl b/RecentActivity/release/rr-full/plugins/tracing.pl new file mode 100755 index 0000000000..8f5227f751 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/tracing.pl 
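Review bot: `Bias` and `ActiveTimeBias` are signed quantities (negative for zones east of UTC), but `$tz_vals{"Bias"}/60` divides the DWORD as `get_data` returns it, which appears to be unsigned, so a UTC+1 system would be reported as roughly 71582788 hours rather than -1. Reinterpreting the 32-bit value as signed before dividing, `my $bias = unpack("l", pack("L", $tz_vals{"Bias"}))/60;` and the same for `$atbias`, gives the expected sign. If any of the four named values is absent from the key the concatenation and division also proceed on `undef`, printing an empty name or `0` hours with no indication that the value was missing; a `defined` check with a "value not found" message, as other plugins in this series do, would keep the report honest. Apart from the two banner lines the code is unchanged from the old side.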
@@ -0,0 +1,71 @@ +#----------------------------------------------------------- +# tracing.pl +# +# +# History: +# 20120509 - created +# +# References: +# http://support.microsoft.com/kb/816110 +# http://answers.microsoft.com/en-us/windows/forum/windows_7-system/ms-removal +# -tool-malware-and-proxycheckexe/d0d6dc68-1ab0-4148-9501-374d80f0a064 +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package tracing; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20120509); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets list of apps that can be traced"; +} +sub getDescr{} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my @keys = ('Microsoft\\Tracing','Wow6432Node\\Microsoft\\Tracing'); + + ::rptMsg("Launching tracing v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + foreach my $key_path (@keys) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); +# ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + next if (scalar(@subkeys) == 1); + foreach my $s (@subkeys) { + my $lw = $s->get_timestamp(); + my $t = gmtime($lw); + my $name = $s->get_name(); + ::rptMsg(sprintf "%-25s %-50s",$t,$name); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." not found."); + } + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/tracing_tln.pl b/RecentActivity/release/rr-full/plugins/tracing_tln.pl new file mode 100755 index 0000000000..d7fdab9d0a --- /dev/null 
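Review bot: `next if (scalar(@subkeys) == 1);` silently skips a Tracing key that has exactly one subkey, so the report neither lists that entry nor says why the key was omitted, and nothing in the header explains the rule; either report the lone subkey too or add a comment stating why a single subkey is skipped plus a `::rptMsg($key_path." skipped (single subkey).")` line so the reader knows the key was present. The launch line uses `::rptMsg("Launching tracing v.".$VERSION)` where the sibling plugins send that message through `::logMsg`, so here it lands in the report rather than the log. `hasRefs => 1` is set without a `getRefs` sub, as in systemindex.pl.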
+++ b/RecentActivity/release/rr-full/plugins/tracing_tln.pl @@ -0,0 +1,70 @@ +#----------------------------------------------------------- +# tracing_tln.pl +# +# +# History: +# 20120608 - created +# +# References: +# http://support.microsoft.com/kb/816110 +# http://answers.microsoft.com/en-us/windows/forum/windows_7-system/ms-removal +# -tool-malware-and-proxycheckexe/d0d6dc68-1ab0-4148-9501-374d80f0a064 +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package tracing_tln; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20120608); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets list of apps that can be traced (TLN)"; +} +sub getDescr{} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my @keys = ('Microsoft\\Tracing','Wow6432Node\\Microsoft\\Tracing'); + + ::rptMsg("Launching tracing v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + foreach my $key_path (@keys) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); +# ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + next if (scalar(@subkeys) == 1); + foreach my $s (@subkeys) { + my $lw = $s->get_timestamp(); + my $name = $s->get_name(); + ::rptMsg($lw."|REG|||[Program Execution] Tracing key - ".$name); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." not found."); + } + } +} +1; \ No newline at end of file 
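Review bot: The launch banner `::rptMsg("Launching tracing v.".$VERSION)` and the `has no subkeys.`, `not found.` and blank `::rptMsg("")` lines are written to the report in a TLN plugin whose intended output is only the pipe-delimited `$lw."|REG|||..."` records, so a consumer parsing the timeline gets non-TLN lines mixed in; trustrecords_tln.pl in this same commit comments such lines out, and the same should happen here (or the launch message should go to `::logMsg`). The banner also names the plugin `tracing` rather than `tracing_tln`. `next if (scalar(@subkeys) == 1);` drops a key with exactly one subkey with no note in the header explaining the rule, as in tracing.pl.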
diff --git a/RecentActivity/release/rr-full/plugins/trappoll.pl b/RecentActivity/release/rr-full/plugins/trappoll.pl new file mode 100755 index 0000000000..e8ad36d43f --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/trappoll.pl @@ -0,0 +1,64 @@ +#----------------------------------------------------------- +# trappoll.pl +# There are indications that the contents of this value may be associated +# with a number of different malware variants. +# +# History +# 20120305 - created +# +# References +# http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=903224#none +# +# copyright 2012, Quantum Analytics Research, LLC +#----------------------------------------------------------- +package trappoll; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120305); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get TrapPollTimeMilliSecs value, if found"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %clsid; + ::logMsg("Launching trappoll v.".$VERSION); + ::rptMsg("Launching trappoll v.".$VERSION); + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\RFC1156Agent\\CurrentVersion\\Parameters"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + if ($key->get_value("TrapPollTimeMilliSecs")) { + my $val = $key->get_value("TrapPollTimeMilliSecs")->get_data(); + ::rptMsg(sprintf "TrapPollTimeMilliSecs = 0x%x (".$val.")", $val); + } + else { + ::rptMsg("Value not found."); + } + } + else { + ::rptMsg($key_path." key not found."); + } +} +1; \ No newline at end of file 
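Review bot: `sprintf "TrapPollTimeMilliSecs = 0x%x (".$val.")", $val` interpolates registry data into the format string itself, so if the value is not the expected REG_DWORD — for instance a string containing `%` — the format is mis-parsed instead of printed; pass the data as an argument instead: `::rptMsg(sprintf "TrapPollTimeMilliSecs = 0x%x (%s)", $val, $val);`. `get_value("TrapPollTimeMilliSecs")` is also looked up twice; `if (my $v = $key->get_value("TrapPollTimeMilliSecs")) { my $val = $v->get_data(); ... }` reads it once. `my %clsid;` is never used and can be dropped.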
diff --git a/RecentActivity/release/rr-full/plugins/trustrecords.pl b/RecentActivity/release/rr-full/plugins/trustrecords.pl new file mode 100755 index 0000000000..7ba3447afe --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/trustrecords.pl 
@@ -0,0 +1,85 @@ +#----------------------------------------------------------- +# trustrecords.pl +# List Office documents for which the user explicitly opted to accept bypassing +# the default security settings for the application +# +# Change history +# 20120716 - created +# +# References +# ForensicArtifacts.com posting by Andrew Case: +# http://forensicartifacts.com/2012/07/ntuser-trust-records/ +# http://archive.hack.lu/2010/Filiol-Office-Documents-New-Weapons-of-Cyberwarfare-slides.pdf +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package trustrecords; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120716); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's Office 2010 TrustRecords values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching trustrecords v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + ::rptMsg("trustrecords v.".$VERSION); +# First, let's find out which version of Office is installed + my @version; + my $key_path = "Software\\Microsoft\\Office"; + if (my $key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + foreach my $s (@subkeys) { + my $name = $s->get_name(); + push(@version,$name) if ($name =~ m/^\d/); + } + } + + my @v = reverse sort {$a<=>$b} @version; +# ::rptMsg("Office version = ".$v[0]); + +# Now that we have the most recent version of Office installed, let's +# start looking at the various subkeys + my @apps = ("Word","PowerPoint","Excel","Access"); + my $key_path = "Software\\Microsoft\\Office\\".$v[0]; + + foreach my $app (@apps) { + my 
$app_path = $key_path."\\".$app."\\Security\\Trusted Documents"; + ::rptMsg($app); + if (my $app_key = $root_key->get_subkey($app_path)) { + my $lastpurge = $app_key->get_value("LastPurgeTime")->get_data(); + ::rptMsg("LastPurgeTime = ".gmtime($lastpurge)); + + if (my $trust = $app_key->get_subkey("TrustRecords")) { + my @vals = $trust->get_list_of_values(); + + foreach my $v (@vals) { + my ($t0,$t1) = (unpack("VV",substr($v->get_data(),0,8))); + my $t = ::getTime($t0,$t1); + ::rptMsg(gmtime($t)." -> ".$v->get_name()); + } + } + } + ::rptMsg(""); + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/trustrecords_tln.pl b/RecentActivity/release/rr-full/plugins/trustrecords_tln.pl new file mode 100755 index 0000000000..1ec1252295 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/trustrecords_tln.pl 
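Review bot: `$app_key->get_value("LastPurgeTime")->get_data()` runs outside any `eval`, so a `Trusted Documents` key without a `LastPurgeTime` value makes `get_value` return `undef`, the method call on it dies, and the plugin aborts before reaching the remaining applications; guard it the way the other value reads in this series are: `my $lastpurge; eval { $lastpurge = $app_key->get_value("LastPurgeTime")->get_data(); ::rptMsg("LastPurgeTime = ".gmtime($lastpurge)); };` followed by `::rptMsg("LastPurgeTime value not found.") if ($@);`. `my $key_path` is declared twice in the same scope of `pluginmain` (once for the Office root, once for the version path), which `use strict` accepts but which masks the first declaration and would warn under `use warnings`; assign to the existing variable or use a second name. The same redeclaration is in trustrecords_tln.pl. If no numeric Office version subkey is found, `$v[0]` is `undef` and the version path is built from an empty string; an early `return` with a "no Office version found" message would be clearer than the uninitialized-value path lookup.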
@@ -0,0 +1,86 @@ +#----------------------------------------------------------- +# trustrecords_tln.pl +# List Office documents for which the user explicitly opted to accept bypassing +# the default security settings for the application +# +# Change history +# 20120717 - created; modified from trustrecords.pl plugin +# +# References +# ForensicArtifacts.com posting by Andrew Case: +# http://forensicartifacts.com/2012/07/ntuser-trust-records/ +# http://archive.hack.lu/2010/Filiol-Office-Documents-New-Weapons-of-Cyberwarfare-slides.pdf +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package trustrecords_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120717); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets user's Office 2010 TrustRecords values; TLN output"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching trustrecords_tln v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + +# ::rptMsg("trustrecords v.".$VERSION); +# First, let's find out which version of Office is installed + my @version; + my $key_path = "Software\\Microsoft\\Office"; + if (my $key = $root_key->get_subkey($key_path)) { + my @subkeys = $key->get_list_of_subkeys(); + foreach my $s (@subkeys) { + my $name = $s->get_name(); + push(@version,$name) if ($name =~ m/^\d/); + } + } + + my @v = reverse sort {$a<=>$b} @version; +# ::rptMsg("Office version = ".$v[0]); + +# Now that we have the most recent version of Office installed, let's +# start looking at the various subkeys + my @apps = ("Word","PowerPoint","Excel","Access"); + my $key_path = 
"Software\\Microsoft\\Office\\".$v[0]; + + foreach my $app (@apps) { + my $app_path = $key_path."\\".$app."\\Security\\Trusted Documents"; +# ::rptMsg($app); + if (my $app_key = $root_key->get_subkey($app_path)) { +# my $lastpurge = $app_key->get_value("LastPurgeTime")->get_data(); +# ::rptMsg("LastPurgeTime = ".gmtime($lastpurge)); + + if (my $trust = $app_key->get_subkey("TrustRecords")) { + my @vals = $trust->get_list_of_values(); + + foreach my $v (@vals) { + my ($t0,$t1) = (unpack("VV",substr($v->get_data(),0,8))); + my $t = ::getTime($t0,$t1); +# ::rptMsg(gmtime($t)." -> ".$v->get_name()); + ::rptMsg($t."|REG|||TrustRecords - ".$v->get_name()); + } + } + } +# ::rptMsg(""); + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/tsclient.pl b/RecentActivity/release/rr-full/plugins/tsclient.pl old mode 100644 new mode 100755 similarity index 60% rename from thirdparty/rr/plugins/tsclient.pl rename to RecentActivity/release/rr-full/plugins/tsclient.pl index 364c17bff0..2b338f6a2c --- a/thirdparty/rr/plugins/tsclient.pl +++ b/RecentActivity/release/rr-full/plugins/tsclient.pl 
@@ -1,72 +1,103 @@ -#----------------------------------------------------------- -# tsclient.pl -# Plugin for Registry Ripper -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/312169 -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package tsclient; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 0, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of user's Terminal Server Client\\Default key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching tsclient v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Default'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("TSClient"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %mrus; - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/MRU/,$val))[1]; - $mrus{$tag} = $val.":".$data; - } - foreach my $u (sort {$a <=> $b} keys %mrus) { - my ($val,$data) = split(/:/,$mrus{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# tsclient.pl +# Plugin for Registry Ripper +# +# Change history +# 20120827 - updated +# 20080324 - created +# +# References +# http://support.microsoft.com/kb/312169 +# +# copyright 2012 +# Author: H. Carvey +#----------------------------------------------------------- +package tsclient; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 0, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120827); + +sub getConfig{return %config} +sub getShortDescr { + return "Displays contents of user's Terminal Server Client\\Default key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching tsclient v.".$VERSION); + ::rptMsg("Launching tsclient v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Default'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("TSClient"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %mrus; + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + my $tag = (split(/MRU/,$val))[1]; + $mrus{$tag} = $val.":".$data; + } + foreach my $u (sort {$a <=> $b} keys %mrus) { + my ($val,$data) = split(/:/,$mrus{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } + ::rptMsg(""); + + my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + my $lw = $s->get_timestamp(); + ::rptMsg($name." LastWrite: ".gmtime($lw)); + my $hint; + eval { + $hint = $s->get_value("UsernameHint")->get_data(); + ::rptMsg(" UsernameHint: ".$hint); + }; + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/tsclient_tln.pl b/RecentActivity/release/rr-full/plugins/tsclient_tln.pl new file mode 100755 index 0000000000..4246768c26 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/tsclient_tln.pl 
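Review bot: The per-server LastWrite line in the new `Servers` loop prints `gmtime($lw)` with no timezone label, while the key-level lines directly above it are labelled ` (UTC)`; an analyst reading the report can take the unlabelled value as local time. Change it to `::rptMsg($name." LastWrite: ".gmtime($lw)." (UTC)");`. The second `my $key_path` and `my $key` redeclare names already declared in the same scope, which is legal without `use warnings` but is worth renaming (e.g. `$servers_path`, `$servers_key`) so the two sections cannot be confused. Because the `UsernameHint` read is wrapped in `eval` with no `$@` check, a server entry with no hint is indistinguishable from one whose value failed to parse; a one-line comment `# UsernameHint is optional; absence is not an error` would make that deliberate.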
@@ -0,0 +1,97 @@ +#----------------------------------------------------------- +# tsclient_tln.pl +# Plugin for Registry Ripper +# +# Change history +# 20120827 - updated; added "Servers" key check, translated to TLN output +# 20080324 - created +# +# References +# http://support.microsoft.com/kb/312169 +# +# copyright 2012 +# Author: H. Carvey +#----------------------------------------------------------- +package tsclient_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 0, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120827); + +sub getConfig{return %config} +sub getShortDescr { + return "Displays contents of user's Terminal Server Client key (TLN)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching tsclient v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Default'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("TSClient"); +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my $lw = $key->get_timestamp(); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my $mru0; + eval { + $mru0 = $key->get_value("MRU0")->get_data(); + ::rptMsg($lw."|REG|||TSClient/Default - ".$mru0); + }; + } + else { +# ::rptMsg($key_path." has no values."); + } + } + else { +# ::rptMsg($key_path." not found."); + } + ::rptMsg(""); + + my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); +# ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + my $lw = $s->get_timestamp(); + my $descr = "TSClient/Servers - ".$name; + my $hint; + eval { + $hint = $s->get_value("UsernameHint")->get_data(); + $descr .= " (Hint: ".$hint.")"; +# ::rptMsg(" UsernameHint: ".$hint); + }; + ::rptMsg($lw."|REG|||".$descr); + } + } + else { +# ::rptMsg($key_path." has no subkeys."); + } + } + else { +# ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/typedpaths.pl b/RecentActivity/release/rr-full/plugins/typedpaths.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/typedpaths.pl rename to RecentActivity/release/rr-full/plugins/typedpaths.pl index 292f0370b0..927dbe4dd8 --- a/thirdparty/rr/plugins/typedpaths.pl +++ b/RecentActivity/release/rr-full/plugins/typedpaths.pl 
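Review bot: The `::rptMsg("");` between the `Default` and `Servers` sections emits an empty line into the TLN stream, where every other output line is a pipe-delimited `time|REG|||description` event; a blank record carries no timestamp and is likely to be rejected or mis-parsed by whatever consumes the timeline. Drop that call. The launch message `::logMsg("Launching tsclient v.".$VERSION)` names the non-TLN plugin; `"Launching tsclient_tln v."` would let the log distinguish the two. The `Default` section reports only `MRU0` stamped with the key's LastWrite; a comment such as `# only MRU0 is emitted: the key LastWrite is the only timestamp available` would record that this is intentional rather than an oversight.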
@@ -1,69 +1,71 @@ -#----------------------------------------------------------- -# typedpaths.pl -# For Windows 7, Desktop Address Bar History -# -# Change history -# 20100330 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package typedpaths; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100330); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's typedpaths key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching typedpaths v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %paths; - foreach my $v (@vals) { - my $name = $v->get_name(); - $name =~ s/^url//; - my $data = $v->get_data(); - $paths{$name} = $data; - } - foreach my $p (sort {$a <=> $b} keys %paths) { - ::rptMsg(sprintf "%-8s %-30s","url".$p,$paths{$p}); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# typedpaths.pl +# For Windows 7, Desktop Address Bar History +# +# Change history +# 20100330 - created +# +# References +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package typedpaths; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100330); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's typedpaths key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching typedpaths v.".$VERSION); + ::rptMsg("typedpaths v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %paths; + foreach my $v (@vals) { + my $name = $v->get_name(); + $name =~ s/^url//; + my $data = $v->get_data(); + $paths{$name} = $data; + } + foreach my $p (sort {$a <=> $b} keys %paths) { + ::rptMsg(sprintf "%-8s %-30s","url".$p,$paths{$p}); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/typedpaths_tln.pl b/RecentActivity/release/rr-full/plugins/typedpaths_tln.pl new file mode 100755 index 0000000000..52add06296 --- /dev/null 
+++ b/RecentActivity/release/rr-full/plugins/typedpaths_tln.pl @@ -0,0 +1,67 @@ +#----------------------------------------------------------- +# typedpaths_tln.pl +# For Windows 7, Desktop Address Bar History +# +# Change history +# 20120828 - updated to TLN format +# 20100330 - created +# +# References +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package typedpaths_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20120828); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's typedpaths key (TLN)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching typedpaths v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); +# ::rptMsg(""); + my $lw = $key->get_timestamp(); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my $path; + eval { + $path = $key->get_value("url1")->get_data(); + ::rptMsg($lw."|REG|||TypedPaths - ".$path); + + }; + } + else { +# ::rptMsg($key_path." has no values."); + } + } + else { +# ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/typedurls.pl b/RecentActivity/release/rr-full/plugins/typedurls.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/typedurls.pl rename to RecentActivity/release/rr-full/plugins/typedurls.pl index fbd6c194e9..0a665ead1a 
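Review bot: When the `TypedPaths` key exists but has no `url1` value, the `eval` fails and the plugin emits nothing and logs nothing, so the timeline cannot distinguish "key absent" from "key present, url1 missing" (the non-TLN plugin on the previous line at least lists whatever values exist). Add `::logMsg($key_path.": url1 not found") if ($@);` after the `eval` block. Only `url1` is emitted, stamped with the key's LastWrite rather than a per-entry time; a comment like `# only url1 is reported: the key LastWrite is the sole timestamp available` documents the choice, though whether url1 is the most recent entry is inferred from its name rather than shown here. The launch message `::logMsg("Launching typedpaths v.")` should read `typedpaths_tln`.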
--- a/thirdparty/rr/plugins/typedurls.pl +++ b/RecentActivity/release/rr-full/plugins/typedurls.pl 
@@ -1,87 +1,90 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# typedurls.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# TypedURLs values -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/157729 -# http://msdn2.microsoft.com/en-us/library/aa908115.aspx -# -# Notes: Reportedly, only the last 20 entries are maintained; -# Also, new entries aren't added to the key until the current -# instance of IE is terminated. -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package typedurls; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Returns contents of user's TypedURLs key."; -} -sub getDescr{} -sub getRefs { - my %refs = ("IESample Registry Settings" => - "http://msdn2.microsoft.com/en-us/library/aa908115.aspx", - "How to clear History entries in IE" => - "http://support.microsoft.com/kb/157729"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching typedurls v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Internet Explorer\\TypedURLs'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("TypedURLs"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %urls; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/url/,$val))[1]; - $urls{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %urls) { - my ($val,$data) = split(/:/,$urls{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# typedurls.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# TypedURLs values +# +# Change history +# 20120827 - TLN version created +# 20080324 - created +# +# References +# http://support.microsoft.com/kb/157729 +# http://msdn2.microsoft.com/en-us/library/aa908115.aspx +# +# Notes: Reportedly, only the last 20 entries are maintained; +# Also, new entries aren't added to the key until the current +# instance of IE is terminated. +# +# copyright 2008 H. 
Carvey +#----------------------------------------------------------- +package typedurls; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20080324); + +sub getConfig{return %config} +sub getShortDescr { + return "Returns contents of user's TypedURLs key."; +} +sub getDescr{} +sub getRefs { + my %refs = ("IESample Registry Settings" => + "http://msdn2.microsoft.com/en-us/library/aa908115.aspx", + "How to clear History entries in IE" => + "http://support.microsoft.com/kb/157729"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching typedurls v.".$VERSION); + ::rptMsg("typedurls v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Internet Explorer\\TypedURLs'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("TypedURLs"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %urls; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + my $tag = (split(/url/,$val))[1]; + $urls{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %urls) { + my ($val,$data) = split(/:/,$urls{$u},2); + ::rptMsg(" ".$val." -> ".$data); + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + 1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr-full/plugins/typedurls_tln.pl b/RecentActivity/release/rr-full/plugins/typedurls_tln.pl new file mode 100755 index 0000000000..b0910f7c27 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/typedurls_tln.pl 
@@ -0,0 +1,79 @@ +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# typedurls_tln.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# TypedURLs values +# +# Change history +# 20120827 - TLN version created +# 20080324 - created +# +# References +# http://support.microsoft.com/kb/157729 +# http://msdn2.microsoft.com/en-us/library/aa908115.aspx +# +# Notes: Reportedly, only the last 20 entries are maintained; +# Also, new entries aren't added to the key until the current +# instance of IE is terminated. +# +# copyright 2012 +# Author: H. Carvey +#----------------------------------------------------------- +package typedurls_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20120827); + +sub getConfig{return %config} +sub getShortDescr { + return "Returns MRU for user's TypedURLs key (TLN)"; +} +sub getDescr{} +sub getRefs { + my %refs = ("IESample Registry Settings" => + "http://msdn2.microsoft.com/en-us/library/aa908115.aspx", + "How to clear History entries in IE" => + "http://support.microsoft.com/kb/157729"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching typedurls v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Internet Explorer\\TypedURLs'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("TypedURLs"); +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + my $lw = $key->get_timestamp(); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my $url1; + eval { + $url1 = $key->get_value("url1")->get_data(); + ::rptMsg($lw."|REG|||TypedURLs - url1: ".$url1); + }; + } + else { +# ::rptMsg($key_path." has no values."); + } + } + else { +# ::rptMsg($key_path." not found."); + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/typedurlstime.pl b/RecentActivity/release/rr-full/plugins/typedurlstime.pl new file mode 100755 index 0000000000..7b6081fbff --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/typedurlstime.pl 
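Review bot: The event is stamped with the key's LastWrite, but the file's own Notes say entries are not written until the IE instance terminates, so the timestamp marks when IE flushed the MRU (its exit), not when `url1` was typed, and nothing in the output says so. Add a comment above `my $lw = $key->get_timestamp();`, e.g. `# key LastWrite = when IE flushed the MRU on exit, not when url1 was typed (see Notes)`, and consider saying the same in the description string. A missing `url1` inside the `eval` is silent; `::logMsg($key_path.": url1 not found") if ($@);` would record it. The launch message names `typedurls` rather than `typedurls_tln`.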
@@ -0,0 +1,92 @@ +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# typedurlstime.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# TypedURLsTime values/data from Windows 8 systems +# +# Change history +# 20120613 - created +# +# References +# http://dfstream.blogspot.com/2012/05/windows-8-typedurlstime.html +# +# Notes: New entries aren't added to the key until the current +# instance of IE is terminated. +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package typedurlstime; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20120613); + +sub getConfig{return %config} +sub getShortDescr { + return "Returns contents of user's TypedURLsTime key."; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching typedurlstime v.".$VERSION); + ::rptMsg("typedurlstime v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Internet Explorer\\TypedURLsTime'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("TypedURLsTime"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %urls; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + my ($t0,$t1) = unpack("VV",$v->get_data()); + my $data = ::getTime($t0,$t1); + my $tag = (split(/url/,$val))[1]; + $urls{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %urls) { + my ($val,$data) = split(/:/,$urls{$u},2); + + my $url; + eval { + $url = $root_key->get_subkey('Software\\Microsoft\\Internet Explorer\\TypedURLs')->get_value($val)->get_data(); + }; + + if ($data == 0) { + ::rptMsg(" ".$val." -> ".$data); + } + else { + ::rptMsg(" ".$val." -> ".gmtime($data)." Z (".$url.")"); + } + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/typedurlstime_tln.pl b/RecentActivity/release/rr-full/plugins/typedurlstime_tln.pl new file mode 100755 index 0000000000..9b253c8699 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/typedurlstime_tln.pl 
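Review bot: When the matching `TypedURLs` value (or the whole `TypedURLs` key) is missing, the `eval` leaves `$url` undefined and the report line ends in `()`, hiding a mismatch between the two keys that is exactly what an analyst wants to see when one key was cleared and the other was not. Hoist the lookup out of the loop and give a visible fallback: `my $typed = $root_key->get_subkey('Software\\Microsoft\\Internet Explorer\\TypedURLs');` before the loop, then inside it `eval { $url = $typed->get_value($val)->get_data(); }; $url = "<no matching TypedURLs value>" unless defined $url;`. `unpack("VV",$v->get_data())` assumes an 8-byte FILETIME; a shorter value leaves `$t1` undefined, so a `length($v->get_data()) >= 8` check, or at least a comment stating the assumption, belongs before it. `%config` sets `hasRefs => 1` but `getRefs` returns nothing, unlike the reference URL in the header.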
@@ -0,0 +1,92 @@ +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# typedurlstime_tln.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# TypedURLsTime values/data from Windows 8 systems +# +# Change history +# 20120613 - created +# +# References +# http://dfstream.blogspot.com/2012/05/windows-8-typedurlstime.html +# +# Notes: New entries aren't added to the key until the current +# instance of IE is terminated. +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package typedurlstime_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20120613); + +sub getConfig{return %config} +sub getShortDescr { + return "Returns contents of Win8 user's TypedURLsTime key (TLN)."; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching typedurlstime v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Internet Explorer\\TypedURLsTime'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("TypedURLsTime"); +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %urls; +# Retrieve values and load into a hash for sorting + foreach my $v (@vals) { + my $val = $v->get_name(); + my ($t0,$t1) = unpack("VV",$v->get_data()); + my $data = ::getTime($t0,$t1); + my $tag = (split(/url/,$val))[1]; + $urls{$tag} = $val.":".$data; + } +# Print sorted content to report file + foreach my $u (sort {$a <=> $b} keys %urls) { + my ($val,$data) = split(/:/,$urls{$u},2); + + my $url; + eval { + $url = $root_key->get_subkey('Software\\Microsoft\\Internet Explorer\\TypedURLs')->get_value($val)->get_data(); + }; + + if ($data == 0) { +# Do nothing +# ::rptMsg(" ".$val." -> ".$data); + } + else { +# ::rptMsg(" ".$val." -> ".gmtime($data)." Z (".$url.")"); + ::rptMsg($data."|REG|||TypedURLsTime ".$val." (".$url.")"); + } + } + } + else { +# ::rptMsg($key_path." has no values."); + } + } + else { +# ::rptMsg($key_path." not found."); + } +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/uac.pl b/RecentActivity/release/rr-full/plugins/uac.pl new file mode 100755 index 0000000000..4f4854f43e --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/uac.pl 
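Review bot: Entries whose decoded FILETIME is zero are dropped in the `# Do nothing` branch with no log message, so the timeline silently loses values that the non-TLN plugin still lists; add `::logMsg("typedurlstime_tln: ".$val." has a zero timestamp; skipped");` there. As in the non-TLN version, a missing `TypedURLs` counterpart leaves `$url` undefined and the description ends in empty parentheses; default it with `$url = "<no matching TypedURLs value>" unless defined $url;` after the `eval`. `hasRefs => 1` with an empty `getRefs` is inconsistent, and the launch message omits the `_tln` suffix.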
@@ -0,0 +1,160 @@ +#----------------------------------------------------------- +# uac.pl +# Gets the User Account Configuration settings from the SOFTWARE hive file +# +# Change history +# 20130213 Created +# +# References +# +# UAC Group Policy Settings and Registry Key Settings http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx +# +# Plugin was created from the banner plugin authored by Special Agent Brook William Minnick +# Written By: +# +# Corey Harrell (Journey Into IR) +# Plugin was created from the banner plugin authored by Special Agent Brook William Minnick +#----------------------------------------------------------- +package uac; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130213); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get Select User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching uac v.".$VERSION); + ::rptMsg("uac v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows\\CurrentVersion\\policies\\system"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("UAC Information"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + # GET EnableLUA – + + my $enablelua; + eval { + $enablelua = $key->get_value("EnableLUA")->get_data(); + }; + if ($@) { + ::rptMsg("EnableLUA value not found."); + } + else { + ::rptMsg("EnableLUA value = ".$enablelua); + ::rptMsg(""); + ::rptMsg("User Account Control: Run all administrators in Admin Approval Mode"); + ::rptMsg("0 = Disabled"); + ::rptMsg("1 = Enabled (Default)"); + } + ::rptMsg(""); + + # GET EnableVirtualization – + + my $enablevirtualization; + eval { + $enablevirtualization = $key->get_value("EnableVirtualization")->get_data(); + }; + if ($@) { + ::rptMsg("EnableVirtualization value not found."); + } + else { + ::rptMsg("EnableVirtualization value = ".$enablevirtualization); + ::rptMsg(""); + ::rptMsg("User Account Control: Virtualize file and registry write failures to per-user locations"); + ::rptMsg("0 = Disabled"); + ::rptMsg("1 = Enabled (Default)"); + } + ::rptMsg(""); + + # GET FilterAdministratorToken – + + my $filteradministratortoken; + eval { + $filteradministratortoken = $key->get_value("FilterAdministratorToken")->get_data(); + }; + if ($@) { + ::rptMsg("FilterAdministratorToken value not found."); + } + else { + ::rptMsg("FilterAdministratorToken value = ".$filteradministratortoken); + ::rptMsg(""); + ::rptMsg("User Account Control: Admin Approval Mode for the built-in Administrator account"); + ::rptMsg("0 = Disabled (Default)"); + ::rptMsg("1 = Enabled"); + } + ::rptMsg(""); + + # GET ConsentPromptBehaviorAdmin – + + my $consentpromptbehavioradmin; + eval { + $consentpromptbehavioradmin = $key->get_value("ConsentPromptBehaviorAdmin")->get_data(); + }; + if ($@) { + ::rptMsg("ConsentPromptBehaviorAdmin value not found."); + } + else { + ::rptMsg("ConsentPromptBehaviorAdmin value = ".$consentpromptbehavioradmin); + ::rptMsg(""); + ::rptMsg("User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"); + ::rptMsg("0 = Elevate without prompting"); + ::rptMsg("1 = 
Prompt for credentials on the secure desktop"); + ::rptMsg("2 = Prompt for consent on the secure desktop"); + ::rptMsg("3 = Prompt for credentials"); + ::rptMsg("4 = Prompt for consent"); + ::rptMsg("5 = Prompt for consent for non-Windows binaries (Default)"); + } + ::rptMsg(""); + + # GET ConsentPromptBehaviorUser – + + my $consentpromptbehavioruser; + eval { + $consentpromptbehavioruser = $key->get_value("ConsentPromptBehaviorUser")->get_data(); + }; + if ($@) { + ::rptMsg("ConsentPromptBehaviorUser value not found."); + } + else { + ::rptMsg("ConsentPromptBehaviorUser value = ".$consentpromptbehavioruser); + ::rptMsg(""); + ::rptMsg("User Account Control: Behavior of the elevation prompt for standard users"); + ::rptMsg("0 = Automatically deny elevation requests"); + ::rptMsg("1 = Prompt for consent on the secure desktop"); + ::rptMsg("3 = Prompt for consent on the secure desktop (Default)"); + } + ::rptMsg(""); + + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + +} + +1; diff --git a/RecentActivity/release/rr-full/plugins/uninstall.pl b/RecentActivity/release/rr-full/plugins/uninstall.pl new file mode 100755 index 0000000000..70c4b58908 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/uninstall.pl 
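Review bot: `getShortDescr` returns a double-quoted string containing `\S`, `\M`, `\W`, `\C` and `\P`, which Perl treats as unrecognised escapes and strips the backslash from, so the banner prints `HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem`; the other plugins in this set write `\\` in their descriptions, so change it to `"Get Select User Account Control (UAC) Values from HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"`. The legend printed for `ConsentPromptBehaviorUser` describes values 1 and 3 as "Prompt for consent", but the TechNet page cited in the header describes the standard-user prompt as a credentials prompt (standard users cannot consent, they must supply administrator credentials) — please verify the two lines against that reference before the report text is relied on. Since this plugin exists to assess UAC posture, a one-line call-out when `EnableLUA` is `0` (UAC off) would make the most significant finding hard to miss, and `PromptOnSecureDesktop` is absent from the selected values; both are suggestions rather than defects.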
@@ -0,0 +1,96 @@
+#-----------------------------------------------------------
+# uninstall.pl
+# Gets contents of Uninstall key from Software hive; sorts
+# display names based on key LastWrite time
+#
+# References:
+# http://support.microsoft.com/kb/247501
+# http://support.microsoft.com/kb/314481
+# http://msdn.microsoft.com/en-us/library/ms954376.aspx
+#
+# Change History:
+# 20120523 - updated to include 64-bit systems
+# 20100116 - Minor updates
+# 20090413 - Extract DisplayVersion info
+# 20090128 - Added references
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package uninstall;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20120523);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets contents of Uninstall keys (64- & 32-bit) from Software hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching uninstall v.".$VERSION);
+ ::rptMsg("uninstall v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my @keys = ('Microsoft\\Windows\\CurrentVersion\\Uninstall',
+ 'Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall');
+
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ ::rptMsg("Uninstall");
+ foreach my $key_path (@keys) {
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+
+ ::rptMsg($key_path);
+ ::rptMsg("");
+
+ my %uninst;
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $lastwrite = $s->get_timestamp();
+ my $display;
+ eval {
+ $display = $s->get_value("DisplayName")->get_data();
+ };
+ $display = $s->get_name() if ($display eq "");
+
+ my $ver;
+ eval {
+ $ver = $s->get_value("DisplayVersion")->get_data();
+ };
+ $display .= " v\.".$ver unless ($@);
+
+ push(@{$uninst{$lastwrite}},$display);
+ }
+ foreach my $t (reverse sort {$a <=> $b} keys %uninst) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$uninst{$t}}) {
+ ::rptMsg(" ".$item);
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ }
+}
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr-full/plugins/uninstall_tln.pl b/RecentActivity/release/rr-full/plugins/uninstall_tln.pl
new file mode 100755
index 0000000000..9709abef24
--- /dev/null
+++ b/RecentActivity/release/rr-full/plugins/uninstall_tln.pl
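Review bot: The DisplayName fallback in pluginmain, `$display = $s->get_name() if ($display eq "");`, tests a variable that is still undef whenever the eval above it failed, so it works only through Perl's silent undef-to-"" coercion and will emit an uninitialized-value warning the moment `use warnings` is added; `$display = $s->get_name() unless (defined $display && $display ne "");` states the intent directly. Above `push(@{$uninst{$lastwrite}},$display);` a one-line comment should say that the subkey LastWrite time is being used as a proxy for the install time and that the subkey's own InstallDate value, where present, is not consulted, since an analyst reading the report will otherwise take the timestamp as authoritative. The `::rptMsg("Uninstall");` header is printed once before the loop, so it does not separate the 32-bit and Wow6432Node sections when both keys exist; the per-key `::rptMsg($key_path);` already does that job.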
@@ -0,0 +1,94 @@ +#----------------------------------------------------------- +# uninstall_tln.pl +# Gets contents of Uninstall key from Software hive; sorts +# display names based on key LastWrite time; displays in TLN +# format +# +# References: +# http://support.microsoft.com/kb/247501 +# http://support.microsoft.com/kb/314481 +# http://msdn.microsoft.com/en-us/library/ms954376.aspx +# +# Change History: +# 20120523 - updated to include 64-bit systems +# 20100116 - Minor updates +# 20090413 - Extract DisplayVersion info +# 20090128 - Added references +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package uninstall_tln; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120523); + +sub getConfig{return %config} + +sub getShortDescr { + return "Gets contents of Uninstall keys (64- & 32-bit) from Software hive (TLN format)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching uninstall v.".$VERSION); + + my @keys = ('Microsoft\\Windows\\CurrentVersion\\Uninstall', + 'Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall'); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + ::rptMsg("Uninstall"); + foreach my $key_path (@keys) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + ::rptMsg($key_path); + ::rptMsg(""); + + my %uninst; + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $lastwrite = $s->get_timestamp(); + my $display; + eval { + $display = $s->get_value("DisplayName")->get_data(); + }; + $display = $s->get_name() if ($display eq ""); + + my $ver; + eval { + $ver = $s->get_value("DisplayVersion")->get_data(); + }; + 
$display .= " v\.".$ver unless ($@); + + push(@{$uninst{$lastwrite}},$display); + } + foreach my $t (reverse sort {$a <=> $b} keys %uninst) { + foreach my $item (@{$uninst{$t}}) { + ::rptMsg($t."|REG|||[Uninstall] - $item"); + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/unreadmail.pl b/RecentActivity/release/rr-full/plugins/unreadmail.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/unreadmail.pl rename to RecentActivity/release/rr-full/plugins/unreadmail.pl index 5f6aadcf6d..75bd88e562 --- a/thirdparty/rr/plugins/unreadmail.pl +++ b/RecentActivity/release/rr-full/plugins/unreadmail.pl 
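Review bot: The TLN variant still writes non-timeline text through `::rptMsg` — `::rptMsg("Uninstall");`, `::rptMsg($key_path);`, `::rptMsg("");` and the `has no subkeys.` / `not found.` messages — so those lines end up interleaved with the pipe-delimited `time|REG|||...` records and will be rejected or misparsed by anything consuming the stream as TLN. urun_tln.pl in this same change comments out every such `rptMsg` and emits only the `|` records; this plugin should match it by routing the status messages to `::logMsg` and dropping the header and blank lines. The launch message also names the wrong plugin: `::logMsg("Launching uninstall v.".$VERSION);` should read `::logMsg("Launching uninstall_tln v.".$VERSION);`.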
@@ -1,89 +1,90 @@ -#----------------------------------------------------------- -# unreadmail.pl -# -# -# Change history -# 20100218 - created -# -# References -# http://support.microsoft.com/kb/304148 -# http://support.microsoft.com/kb/831403 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package unreadmail; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of Unreadmail key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching unreadmail v.".$VERSION); - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - eval { - my $e = $key->get_value("MessageExpiryDays")->get_data(); - ::rptMsg("MessageExpiryDays : ".$e); - ::rptMsg(""); - }; - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - ::rptMsg(""); - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()); - ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); - eval { - my $m = $s->get_value("MessageCount")->get_data(); - ::rptMsg(" MessageCount: ".$m); - }; - - eval { - my $a = $s->get_value("Application")->get_data(); - ::rptMsg(" Application : ".$a); - }; - - eval { - my @t = unpack("VV",$s->get_value("TimeStamp")->get_data()); - my $ts = ::getTime($t[0],$t[1]); - ::rptMsg(" TimeStamp : ".gmtime($ts)." (UTC)"); - }; - - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." 
has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - +#----------------------------------------------------------- +# unreadmail.pl +# +# +# Change history +# 20100218 - created +# +# References +# http://support.microsoft.com/kb/304148 +# http://support.microsoft.com/kb/831403 +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package unreadmail; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100218); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of Unreadmail key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + my %hist; + ::logMsg("Launching unreadmail v.".$VERSION); + ::rptMsg("unreadmail v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + eval { + my $e = $key->get_value("MessageExpiryDays")->get_data(); + ::rptMsg("MessageExpiryDays : ".$e); + ::rptMsg(""); + }; + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + ::rptMsg(""); + foreach my $s (@subkeys) { + ::rptMsg($s->get_name()); + ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." 
(UTC)"); + eval { + my $m = $s->get_value("MessageCount")->get_data(); + ::rptMsg(" MessageCount: ".$m); + }; + + eval { + my $a = $s->get_value("Application")->get_data(); + ::rptMsg(" Application : ".$a); + }; + + eval { + my @t = unpack("VV",$s->get_value("TimeStamp")->get_data()); + my $ts = ::getTime($t[0],$t[1]); + ::rptMsg(" TimeStamp : ".gmtime($ts)." (UTC)"); + }; + + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/updates.txt b/RecentActivity/release/rr-full/plugins/updates.txt new file mode 100755 index 0000000000..3c6f076f52 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/updates.txt 
@@ -0,0 +1,51 @@ + +20130429 + -created winlogon_tln.pl, applets_tln.pl + + -added alertMsg() func. to: + -brisv.pl, inprocserver.pl, inprocserver_u.pl, iejava.pl, + spp_clients.pl + + -retired scanwithav.pl (func. included in attachmgr.pl) + -retired taskman.pl (func. included in winlogon.pl) + -retired vista_wireless.pl (func. in networklist.pl) + +20130425 + -RegRipper and rip updated to v2.8; added alertMsg() capability + -retired userinit.pl (functionality included in winlogon.pl) + -created new plugins + -srun_tln.pl, urun_tln.pl,cmdproc_tln.pl + -cmd_shell_tln.pl,muicache_tln.pl + + -added alertMsg() functionality to rip.pl, rr.pl, and plugins + -appcompatcache.pl, appcompatcache_tln.pl + -appinitdlls.pl + -soft_run.pl, user_run.pl + -imagefile.pl + -winlogon.pl, winlogon_u.pl + -muicache.pl (look for values with "[Tt]emp" paths) + -attachmgr.pl (look for values per KB 883260) + -virut.pl + -cmdproc.pl, cmd_shell.pl + +20130411 + -retired specaccts.pl & notify.pl; incorporated functionality into + winlogon.pl + +20130410 + -retired taskman.pl; merged into winlogon.pl + -updated winlogon.pl (Wow6432Node support, etc.) + -updated winlogon_u.pl (Wow6432Node support) + -updated shellexec.pl, imagefile.pl, installedcomp.pl (Wow6432Node support) + +20130409 + -added drivers32.pl (C. Harrell) to the archive + +20130408 + -updated bho.pl to support Wow6432Node + +20130405 + -updated cmd_shell.pl to include Clients subkey in the Software hive + -created cmd_shell_u.pl + -fixed issue with rip.exe syntax info containing 'rr' + -fixed banner in findexes.pl \ No newline at end of file diff --git a/thirdparty/rr/plugins/urlzone.pl b/RecentActivity/release/rr-full/plugins/urlzone.pl old mode 100644 new mode 100755 similarity index 92% rename from thirdparty/rr/plugins/urlzone.pl rename to RecentActivity/release/rr-full/plugins/urlzone.pl index f48e82411f..899779a463 --- a/thirdparty/rr/plugins/urlzone.pl +++ b/RecentActivity/release/rr-full/plugins/urlzone.pl 
@@ -1,96 +1,98 @@ -#----------------------------------------------------------- -# /root/bin/plugins/urlzone.pl -# Plugin to detect URLZONE infection -# -# copyright 2009 Stefan Kelm (skelm@bfk.de) -#----------------------------------------------------------- -package urlzone; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090526); - -sub getConfig{return %config} - -sub getShortDescr {return "URLZONE detection";} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { -my $class = shift; -my $hive = shift; -::logMsg("Launching urlzone v.".$VERSION); -my $reg = Parse::Win32Registry->new($hive); -my $root_key = $reg->get_root_key; - -my $key_path = "Microsoft\\Windows\\CurrentVersion\\Internet Settings\\urlzone"; -my $key; -if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); - eval { - my @vals = $s->get_list_of_values(); - if (scalar(@vals) > 0) { - my %sns; - foreach my $v (@vals) { - $sns{$v->get_name()} = $v->get_data(); - } - foreach my $i (keys %sns) { - ::rptMsg("\t\t".$i." = ".$sns{$i}); - } - } - else { -# No values - } - }; - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); -# ::logMsg($key_path." not found."); - } - - my $key_path2 = "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\userinit.exe"; - my $key2; - if ($key2 = $root_key->get_subkey($key_path2)) { - ::rptMsg($key_path2); - ::rptMsg("LastWrite Time ".gmtime($key2->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - my $dbg; - eval { - $dbg = $key2->get_value("Debugger")->get_data(); - }; - if ($@) { - ::rptMsg("Debugger value not found."); - } - else { - ::rptMsg("Debugger = ".$dbg); - } - ::rptMsg(""); - } - else { - ::rptMsg($key_path2." not found."); -# ::logMsg($key_path2." not found."); - } -} +#----------------------------------------------------------- +# /root/bin/plugins/urlzone.pl +# Plugin to detect URLZONE infection +# +# copyright 2009 Stefan Kelm (skelm@bfk.de) +#----------------------------------------------------------- +package urlzone; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20090526); + +sub getConfig{return %config} + +sub getShortDescr {return "URLZONE detection";} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { +my $class = shift; +my $hive = shift; +::logMsg("Launching urlzone v.".$VERSION); +::rptMsg("urlzone v.".$VERSION); # banner +::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner +my $reg = Parse::Win32Registry->new($hive); +my $root_key = $reg->get_root_key; + +my $key_path = "Microsoft\\Windows\\CurrentVersion\\Internet Settings\\urlzone"; +my $key; +if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($key_path."\\".$s->get_name()); + ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); + eval { + my @vals = $s->get_list_of_values(); + if (scalar(@vals) > 0) { + my %sns; + foreach my $v (@vals) { + $sns{$v->get_name()} = $v->get_data(); + } + foreach my $i (keys %sns) { + ::rptMsg("\t\t".$i." 
= ".$sns{$i}); + } + } + else { +# No values + } + }; + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); +# ::logMsg($key_path." not found."); + } + + my $key_path2 = "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\userinit.exe"; + my $key2; + if ($key2 = $root_key->get_subkey($key_path2)) { + ::rptMsg($key_path2); + ::rptMsg("LastWrite Time ".gmtime($key2->get_timestamp())." (UTC)"); + ::rptMsg(""); + my $dbg; + eval { + $dbg = $key2->get_value("Debugger")->get_data(); + }; + if ($@) { + ::rptMsg("Debugger value not found."); + } + else { + ::rptMsg("Debugger = ".$dbg); + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path2." not found."); +# ::logMsg($key_path2." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/urun_tln.pl b/RecentActivity/release/rr-full/plugins/urun_tln.pl new file mode 100755 index 0000000000..06f084882c --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/urun_tln.pl 
@@ -0,0 +1,158 @@ +#----------------------------------------------------------- +# urun_tln.pl +# Get contents of Run key from NTUSER.DAT hive +# +# Change History +# 20130425 - created +# +# References: +# http://msdn2.microsoft.com/en-us/library/aa376977.aspx +# http://support.microsoft.com/kb/170086 +# +# +# copyright 2013 Quantum Analytics Research, +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package urun_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20130425); + +sub getConfig{return %config} + +sub getShortDescr { + return "[Autostart] Get autostart key contents from NTUSER\.DAT hive"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Definition of the Run keys in the WinXP Registry" => + "http://support.microsoft.com/kb/314866"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching urun_tln v.".$VERSION); +# ::rptMsg("urun_tln v.".$VERSION); # banner +# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my @run = ("Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", + "Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", + "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\". + "Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\". 
+ "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + foreach my $key_path (@run) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my $lw = $key->get_timestamp(); + my %vals = getKeyValues($key); + if (scalar(keys %vals) > 0) { + foreach my $v (keys %vals) { +# check for "Temp" in the path/data + if (grep(/[Tt]emp/,$vals{$v})) { +# ::alertMsg("ALERT: user_run: Temp Path found: ".$key_path." : ".$v." -> ".$vals{$v}); + ::alertMsg($lw."|ALERT|||HKCU\\".$key_path." Temp path found: ".$v.": ".$vals{$v}); + } +# check to see if the data ends in .com + if ($vals{$v} =~ m/\.com$/ || $vals{$v} =~ m/\.bat$/ || $vals{$v} =~ m/\.pif$/) { +# ::alertMsg("ALERT: user_run: Path ends in \.com/\.bat: ".$key_path." : ".$v." -> ".$vals{$v}); + ::alertMsg($lw."|ALERT|||HKCU\\".$key_path." \.com/\.bat/\.pif file found: ".$v.": ".$vals{$v}); + } +# ::rptMsg(" ".$v.": ".$vals{$v}); + } + } + else { +# ::rptMsg(""); +# ::rptMsg($key_path." has no values."); + } + } + else { +# ::rptMsg($key_path." not found."); + } +# ::rptMsg(""); + } + +# This section was added on 20130115 to address the 'run' and 'load' values that +# could be added to the key + my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg(""); +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my $lw = $key->get_timestamp(); + my $run; + my $count = 0; + eval { + $run = $key->get_value("Run")->get_data(); +# ::rptMsg("Run value = ".$run); +# ::alertMsg("ALERT: user_run: ".$key_path." 
Run value found: ".$run); + ::alertMsg($lw."|ALERT|||HKCU\\".$key_path." Run value found: ".$run); + }; + if ($@) { +# ::rptMsg("Run value not found."); + } + + eval { + $run = $key->get_value("run")->get_data(); +# ::rptMsg("run value = ".$run); +# ::alertMsg("ALERT: user_run: ".$key_path." run value found: ".$run); + ::alertMsg($lw."|ALERT|||HKCU\\".$key_path." run value found: ".$run); + }; + if ($@) { +# ::rptMsg("run value not found."); + } + + my $load; + eval { + $load = $key->get_value("load")->get_data(); +# ::rptMsg("load value = ".$load); +# ::alertMsg("ALERT: user_run: ".$key_path." load value found: ".$load); + ::alertMsg($lw."|ALERT|||HKCU\\".$key_path." load value found: ".$load); + }; + if ($@) { +# ::rptMsg("load value not found."); + } + + } +} + +sub getKeyValues { + my $key = shift; + my %vals; + + my @vk = $key->get_list_of_values(); + if (scalar(@vk) > 0) { + foreach my $v (@vk) { + next if ($v->get_name() eq "" && $v->get_data() eq ""); + $vals{$v->get_name()} = $v->get_data(); + } + } + else { + + } + return %vals; +} + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/usb.pl b/RecentActivity/release/rr-full/plugins/usb.pl new file mode 100755 index 0000000000..57457e0b42 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/usb.pl 
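Review bot: The suspicious-extension test in pluginmain, `if ($vals{$v} =~ m/\.com$/ || $vals{$v} =~ m/\.bat$/ || $vals{$v} =~ m/\.pif$/)`, is case-sensitive and anchored at end of string, so a Run value like `C:\Temp\X.BAT` or `"c:\a\b.pif" /s` (uppercase extension, trailing arguments or closing quote) never raises the alert; `if ($vals{$v} =~ m/\.(?:com|bat|pif)\b/i)` covers both cases in one line. Likewise `if (grep(/[Tt]emp/,$vals{$v}))` is a scalar match written as a list grep and misses `%TEMP%`; `if ($vals{$v} =~ m/temp/i)` is the plain form and catches the uppercase spelling. The many commented-out `::rptMsg` lines carried over from the non-TLN plugin should be removed rather than left as dead code, since a reader cannot tell which of them are meant to come back.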
@@ -0,0 +1,196 @@ +#----------------------------------------------------------- +# usb +# +# +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package usb; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20121102); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get USB device info"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my $reg; + +my %usb = (); + +sub pluginmain { + my $class = shift; + my $hive = shift; + $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::rptMsg($key_path." 
not found."); + return; + } + + my $key_path = $ccs."\\Enum\\USB"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + next unless ($name =~ m/^VID/); + + my @n = split(/&/,$name); + $n[0] =~ s/^VID_//; + $n[1] =~ s/^PID_//; + + my @sk = $s->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $k (@sk) { + my $serial = $k->get_name(); + my $class = ""; + eval { + $class = $k->get_value("Class")->get_data(); + }; + next unless ($class =~ m/^USB/ || $class =~ m/^WPD/); + + my $serv = ""; + eval { + $serv = $k->get_value("Service")->get_data(); + }; + next if ($serv =~ m/^usbhub/ || $serv =~ m/^usbprint/); + $usb{$serial}{usb_class} = $class; + $usb{$serial}{usb_service} = $serv; + $usb{$serial}{VID} = $n[0]; + $usb{$serial}{PID} = $n[1]; + $usb{$serial}{sn_lastwrite} = $k->get_timestamp(); + + eval { + my $dd = $k->get_value("DeviceDesc")->get_data(); + my @f = split(/;/,$dd); + if (scalar(@f) > 1) { + my $n = scalar(@f) - 1; + $usb{$serial}{usb_devicedesc} = $f[$n]; + } + else { + $usb{$serial}{usb_devicedesc} = $dd; + } + }; + + eval { + my $fr = $k->get_value("FriendlyName")->get_data(); + + my @f = split(/;/,$fr); + if (scalar(@f) > 1) { + my $n = scalar(@f) - 1; + $usb{$serial}{usb_friendly} = $f[$n]; + } + else { + $usb{$serial}{usb_friendly} = $fr; + } + }; + + eval { + $usb{$serial}{usb_service} = $k->get_value("Service")->get_data(); + }; + + } + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } + +# Now, access the USBStor key + my $key_path = $ccs."\\Enum\\USBStor"; + my $key; + my %usbstor = (); + if ($key = $root_key->get_subkey($key_path)) { + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + + my @n = split(/&/,$name); + $n[1] =~ s/^Ven_//; + $n[2] =~ s/^Prod_//; + + my @sk = $s->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $k (@sk) { + my $serial = $k->get_name(); + + eval { + my $dd = $k->get_value("DeviceDesc")->get_data(); + my @f = split(/;/,$dd); + if (scalar(@f) > 1) { + my $n = scalar(@f) - 1; + $usbstor{$serial}{usbstor_devicedesc} = $f[$n]; + } + else { + $usbstor{$serial}{usbstor_devicedesc} = $dd; + } + }; + + eval { + $usbstor{$serial}{usbstor_friendly} = $k->get_value("FriendlyName")->get_data(); + }; + $usbstor{$serial}{usbstor_ven} = $n[1]; + $usbstor{$serial}{usbstor_prod} = $n[2]; + + } + + } + } + + } + } + +# Match SNs from USBStor key against those we found in the USB key + foreach my $k (keys %usb) { + foreach my $s (keys %usbstor) { + if ($s =~ m/^$k&/) { + $usb{$k}{usbstor_friendly} = $usbstor{$s}{usbstor_friendly}; + $usb{$k}{usbstor_devicedesc} = $usbstor{$s}{usbstor_devicedesc}; + $usb{$k}{usbstor_ven} = $usbstor{$s}{usbstor_ven}; + $usb{$k}{usbstor_prod} = $usbstor{$s}{usbstor_prod}; + } + } + } + + foreach my $k (keys %usb) { + ::rptMsg($k); + ::rptMsg(" VID/PID : ".$usb{$k}{VID}."/".$usb{$k}{PID}); + ::rptMsg(" Ven/Prod : ".$usb{$k}{usbstor_ven}."/".$usb{$k}{usbstor_prod}); + ::rptMsg(""); + } + +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/usbdevices.pl b/RecentActivity/release/rr-full/plugins/usbdevices.pl old mode 100644 new mode 100755 similarity index 55% rename from thirdparty/rr/plugins/usbdevices.pl rename to RecentActivity/release/rr-full/plugins/usbdevices.pl index 27f7ef8a29..75b1ae5009 --- a/thirdparty/rr/plugins/usbdevices.pl 
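Review bot: In the USBStor-to-USB matching loop, `if ($s =~ m/^$k&/)` interpolates the device serial taken from the USB key straight into a regex, so a serial containing a metacharacter (`.`, `+`, `(`, `?`) will either mis-match or throw a runtime error that aborts the plugin; `if ($s =~ m/^\Q$k\E&/)` matches it literally (or `index($s, $k.'&') == 0`). The control-set lookup `$ccs = "ControlSet00".$current;` also only works while Current is a single digit; `$ccs = sprintf("ControlSet%03d", $current);` gives the same result for the usual 1 and 2 and stays correct beyond 9. Separately, the plugin collects `sn_lastwrite`, `usb_devicedesc`, `usb_friendly` and `usbstor_devicedesc` but the final loop prints only VID/PID and Ven/Prod, and unlike the sibling plugins it never calls `::logMsg("Launching usb v.".$VERSION);` or prints the banner — if the extra fields are intentionally withheld, a comment saying so would stop the next maintainer from treating it as an oversight.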
+++ b/RecentActivity/release/rr-full/plugins/usbdevices.pl 
@@ -1,108 +1,115 @@ -#----------------------------------------------------------- -# usbdevices.pl -# Parses contents of Enum\USB key for web cam -# -# History -# 20100219 - created -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package usbdevices; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100219); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parses Enum\\USB key for devices"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $reg; - -sub pluginmain { - my $class = shift; - my $hive = shift; - $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -::logMsg("Launching usbdevices v.".$VERSION); -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." not found."); - return; - } - - my $key_path = $ccs."\\Enum\\USB"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - my @sk = $s->get_list_of_subkeys(); - if (scalar @sk > 0) { - foreach my $s2 (@sk) { - ::rptMsg(""); - eval { - my $desc = $s2->get_value("DeviceDesc")->get_data(); - ::rptMsg($desc." 
[".$s->get_name()."\\".$s2->get_name()."]"); - }; - - my $str; - eval { - my $class = $s2->get_value("Class")->get_data(); - ::rptMsg(" Class : ".$class); - }; - - eval { - my $serv = $s2->get_value("Service")->get_data(); - ::rptMsg(" Service : ".$serv); - }; - - eval { - my $serv = $s2->get_value("LocationInformation")->get_data(); - ::rptMsg(" Location Information: ".$serv); - }; - - eval { - my $serv = $s2->get_value("Mfg")->get_data(); - ::rptMsg(" Mfg : ".$serv); - }; - -# eval { -# if ($s2->get_value("Class")->get_data() eq "Image") { -# ::rptMsg("Possible webcam at ".$s->get_name()."\\".$s2->get_name()); -# } -# }; -# ::rptMsg("Error: ".$@) if ($@); - } - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# usbdevices.pl +# Parses contents of Enum\USB key for USB storage devices +# +# History +# 20120522 - updated to report only USBStor devices +# 20100219 - created +# +# copyright 2012 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package usbdevices; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120522); + +sub getConfig{return %config} + +sub getShortDescr { + return "Parses Enum\\USB key for devices"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my $reg; + +sub pluginmain { + my $class = shift; + my $hive = shift; + $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + ::logMsg("Launching usbdevices v.".$VERSION); + ::rptMsg("usbdevices v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = 
$root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::rptMsg($key_path." not found."); + return; + } + + my $key_path = $ccs."\\Enum\\USB"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar @subkeys > 0) { + foreach my $s (@subkeys) { + my @sk = $s->get_list_of_subkeys(); + if (scalar @sk > 0) { + foreach my $s2 (@sk) { + + my ($desc,$class,$serv,$loc,$mfg); + + eval { + $desc = $s2->get_value("DeviceDesc")->get_data(); +# ::rptMsg($desc." [".$s->get_name()."\\".$s2->get_name()."]"); + }; + + eval { + $class = $s2->get_value("Class")->get_data(); + }; + + eval { + $serv = $s2->get_value("Service")->get_data(); + }; + + eval { + $loc = $s2->get_value("LocationInformation")->get_data(); + }; + + eval { + $mfg = $s2->get_value("Mfg")->get_data(); + }; + + if ($serv eq "USBSTOR") { + ::rptMsg($s->get_name()); + ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())); + ::rptMsg(" SN : ".$s2->get_name()); + ::rptMsg(" LastWrite: ".gmtime($s2->get_timestamp())); +# ::rptMsg("DeviceDesc: ".$desc); +# ::rptMsg("Class : ".$class); +# ::rptMsg("Location : ".$loc); +# ::rptMsg("MFG : ".$mfg); + ::rptMsg(""); + + } + + } + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/usbstor.pl b/RecentActivity/release/rr-full/plugins/usbstor.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/usbstor.pl rename to RecentActivity/release/rr-full/plugins/usbstor.pl index e0223805a4..ba5ad1f1c5 --- a/thirdparty/rr/plugins/usbstor.pl +++ b/RecentActivity/release/rr-full/plugins/usbstor.pl 
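Review bot: `if ($serv eq "USBSTOR")` in pluginmain compares an uninitialised `$serv` whenever the subkey has no Service value, and the comparison is case-sensitive, which is only safe if that value is always stored exactly as `USBSTOR`; `if (defined $serv && uc($serv) eq "USBSTOR")` removes both assumptions. The header comment now says the plugin reports USB storage devices, but `getShortDescr` still returns `"Parses Enum\\USB key for devices"`, which is what the banner and the plugin listing show; update it to something like `"Parses Enum\\USB key for USBSTOR devices"`. The two `LastWrite:` lines print `gmtime(...)` without the `(UTC)` suffix that usbstor.pl and the other plugins in this change append, and `$desc`, `$class`, `$loc` and `$mfg` are read but never used now that their output lines are commented out.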
@@ -1,91 +1,93 @@ -#----------------------------------------------------------- -# usbstor -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package usbstor; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080418); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USBStor key info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching usbstor v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." not found."); - return; - } - - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("USBStor"); - ::rptMsg($key_path); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); - - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $k (@sk) { - my $serial = $k->get_name(); - ::rptMsg(" S/N: ".$serial." [".gmtime($k->get_timestamp())."]"); - my $friendly; - eval { - $friendly = $k->get_value("FriendlyName")->get_data(); - }; - ::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne ""); - my $parent; - eval { - $parent = $k->get_value("ParentIdPrefix")->get_data(); - }; - ::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne ""); - } - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." 
has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# usbstor +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package usbstor; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080418); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get USBStor key info"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching usbstor v.".$VERSION); + ::rptMsg("usbstor v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::rptMsg($key_path." not found."); + return; + } + + my $key_path = $ccs."\\Enum\\USBStor"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("USBStor"); + ::rptMsg($key_path); + ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); + + my @sk = $s->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $k (@sk) { + my $serial = $k->get_name(); + ::rptMsg(" S/N: ".$serial." 
[".gmtime($k->get_timestamp())."]"); + my $friendly; + eval { + $friendly = $k->get_value("FriendlyName")->get_data(); + }; + ::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne ""); + my $parent; + eval { + $parent = $k->get_value("ParentIdPrefix")->get_data(); + }; + ::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne ""); + } + } + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/usbstor2.pl b/RecentActivity/release/rr-full/plugins/usbstor2.pl old mode 100644 new mode 100755 similarity index 95% rename from thirdparty/rr/plugins/usbstor2.pl rename to RecentActivity/release/rr-full/plugins/usbstor2.pl index b62283bb1c..b0beedc7b2 --- a/thirdparty/rr/plugins/usbstor2.pl +++ b/RecentActivity/release/rr-full/plugins/usbstor2.pl 
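Review bot: The control-set name is assembled by string concatenation, `$ccs = "ControlSet00".$current;`, so a Select\Current value of 10 or more would produce `ControlSet0010` instead of `ControlSet010` and the `Enum\USBStor` lookup would silently fall into the "not found" branch; `$ccs = sprintf("ControlSet%03d", $current);` gives the zero-padded form for any value. The same construction is carried over unchanged in the usbstor2.pl, usbstor3.pl and usbdevices.pl hunks of this commit. Values above 9 are uncommon in practice, so this is a robustness point rather than an observed failure, but a forensic tool that quietly reports "not found" on a valid hive is the worse failure mode.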
@@ -1,134 +1,134 @@ -#----------------------------------------------------------- -# usbstor2 -# Similar to usbstor plugin, but prints output in .csv format; -# also checks MountedDevices keys -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package usbstor2; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080825); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USBStor key info; csv output"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $reg; - -sub pluginmain { - my $class = shift; - my $hive = shift; - $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." 
not found."); - return; - } - - my $name_path = $ccs."\\Control\\ComputerName\\ComputerName"; - my $comp_name; - eval { - $comp_name = $root_key->get_subkey($name_path)->get_value("ComputerName")->get_data(); - }; - $comp_name = "Test" if ($@); - - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $dev_class = $s->get_name(); - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $k (@sk) { - my $serial = $k->get_name(); - my $sn_lw = $k->get_timestamp(); - my $str = $comp_name.",".$dev_class.",".$serial.",".$sn_lw; - - my $friendly; - eval { - $friendly = $k->get_value("FriendlyName")->get_data(); - $str .= ",".$friendly; - }; - $str .= ", " if ($@); - - my $parent; - eval { - $parent = $k->get_value("ParentIdPrefix")->get_data(); - $str .= ",".$parent; - - my $dev = checkMountedDevices($parent); - $str .= ",".$dev if ($dev); - - }; - - - ::rptMsg($str); - } - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -sub checkMountedDevices { - my $pip = shift; - my $root_key = $reg->get_root_key; - my $key_path = 'MountedDevices'; - my $key; - my %md; - if ($key = $root_key->get_subkey($key_path)) { - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - next unless ($name =~ m/^\\DosDevices/); - my $data = $v->get_data(); - if (length($data) > 12) { - $data =~ s/\00//g; - return $name if (grep(/$pip/,$data)); - } - } - } - } - else { - return undef; - } - return undef; -} - +#----------------------------------------------------------- +# usbstor2 +# Similar to usbstor plugin, but prints output in .csv format; +# also checks MountedDevices keys +# +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package usbstor2; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080825); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get USBStor key info; csv output"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my $reg; + +sub pluginmain { + my $class = shift; + my $hive = shift; + $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::rptMsg($key_path." not found."); + return; + } + + my $name_path = $ccs."\\Control\\ComputerName\\ComputerName"; + my $comp_name; + eval { + $comp_name = $root_key->get_subkey($name_path)->get_value("ComputerName")->get_data(); + }; + $comp_name = "Test" if ($@); + + my $key_path = $ccs."\\Enum\\USBStor"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $dev_class = $s->get_name(); + my @sk = $s->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $k (@sk) { + my $serial = $k->get_name(); + my $sn_lw = $k->get_timestamp(); + my $str = $comp_name.",".$dev_class.",".$serial.",".$sn_lw; + + my $friendly; + eval { + $friendly = $k->get_value("FriendlyName")->get_data(); + $str .= ",".$friendly; + }; + $str .= ", " if ($@); + + my $parent; + eval { + $parent = $k->get_value("ParentIdPrefix")->get_data(); + $str .= ",".$parent; + + my $dev = checkMountedDevices($parent); + $str .= ",".$dev if ($dev); + + }; + + + ::rptMsg($str); + } + } + } 
+ } + else { + ::rptMsg($key_path." has no subkeys."); + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + +sub checkMountedDevices { + my $pip = shift; + my $root_key = $reg->get_root_key; + my $key_path = 'MountedDevices'; + my $key; + my %md; + if ($key = $root_key->get_subkey($key_path)) { + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + next unless ($name =~ m/^\\DosDevices/); + my $data = $v->get_data(); + if (length($data) > 12) { + $data =~ s/\00//g; + return $name if (grep(/$pip/,$data)); + } + } + } + } + else { + return undef; + } + return undef; +} + 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/usbstor3.pl b/RecentActivity/release/rr-full/plugins/usbstor3.pl old mode 100644 new mode 100755 similarity index 96% rename from thirdparty/rr/plugins/usbstor3.pl rename to RecentActivity/release/rr-full/plugins/usbstor3.pl index 5215454818..9bcdeb5980 --- a/thirdparty/rr/plugins/usbstor3.pl +++ b/RecentActivity/release/rr-full/plugins/usbstor3.pl 
@@ -1,103 +1,103 @@ -#----------------------------------------------------------- -# usbstor3 -# Collects USBStor information, output in .csv -# -# History -# 20100312 - created -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package usbstor3; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100312); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USBStor key info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching usbstor3 v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." not found."); - return; - } - - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("USBStor"); -# ::rptMsg($key_path); -# ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { -# ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); - my $name1 = $s->get_name(); - my $time1 = gmtime($s->get_timestamp()); - - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $k (@sk) { - my $serial = $k->get_name(); -# ::rptMsg(" S/N: ".$serial." 
[".gmtime($k->get_timestamp())."]"); - my $str = $name1.",".$time1.",".$serial.",".gmtime($k->get_timestamp()); - - my $friendly; - eval { - $friendly = $k->get_value("FriendlyName")->get_data(); - $str .= ",".$friendly; - }; - $str .= "," if ($@); -# ::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne ""); - my $parent; - eval { - $parent = $k->get_value("ParentIdPrefix")->get_data(); - $str .= ",".$parent; - }; - $str .= "," if ($@); -# ::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne ""); - ::rptMsg($str); - } - } -# ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# usbstor3 +# Collects USBStor information, output in .csv +# +# History +# 20100312 - created +# +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package usbstor3; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20100312); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get USBStor key info"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching usbstor3 v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::rptMsg($key_path." 
not found."); + return; + } + + my $key_path = $ccs."\\Enum\\USBStor"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("USBStor"); +# ::rptMsg($key_path); +# ::rptMsg(""); + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { +# ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); + my $name1 = $s->get_name(); + my $time1 = gmtime($s->get_timestamp()); + + my @sk = $s->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $k (@sk) { + my $serial = $k->get_name(); +# ::rptMsg(" S/N: ".$serial." [".gmtime($k->get_timestamp())."]"); + my $str = $name1.",".$time1.",".$serial.",".gmtime($k->get_timestamp()); + + my $friendly; + eval { + $friendly = $k->get_value("FriendlyName")->get_data(); + $str .= ",".$friendly; + }; + $str .= "," if ($@); +# ::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne ""); + my $parent; + eval { + $parent = $k->get_value("ParentIdPrefix")->get_data(); + $str .= ",".$parent; + }; + $str .= "," if ($@); +# ::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne ""); + ::rptMsg($str); + } + } +# ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/user_run.pl b/RecentActivity/release/rr-full/plugins/user_run.pl new file mode 100755 index 0000000000..23c2cb8226 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/user_run.pl 
@@ -0,0 +1,157 @@ +#----------------------------------------------------------- +# user_run +# Get contents of Run key from NTUSER.DAT hive +# +# Change History +# 20130425 - added alertMsg() functionality +# 20120329 - added additional keys +# 20130314 - updated to include Policies keys +# 20130313 - updated to include additional keys +# 20130115 - updated to include 64-bit, additional keys/values +# 20080328 - created +# +# References: +# http://msdn2.microsoft.com/en-us/library/aa376977.aspx +# http://support.microsoft.com/kb/170086 +# +# +# copyright 2013 Quantum Analytics Research, +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package user_run; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + version => 20130425); + +sub getConfig{return %config} + +sub getShortDescr { + return "[Autostart] Get autostart key contents from NTUSER\.DAT hive"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Definition of the Run keys in the WinXP Registry" => + "http://support.microsoft.com/kb/314866"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching user_run v.".$VERSION); + ::rptMsg("user_run v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my @run = ("Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", + "Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", + "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\". 
+ "Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\". + "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + foreach my $key_path (@run) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my %vals = getKeyValues($key); + if (scalar(keys %vals) > 0) { + foreach my $v (keys %vals) { +# check for "Temp" in the path/data + if (grep(/[Tt]emp/,$vals{$v})) { + ::alertMsg("ALERT: user_run: Temp Path found: ".$key_path." : ".$v." -> ".$vals{$v}); + } +# check to see if the data ends in .com + if ($vals{$v} =~ m/\.com$/ || $vals{$v} =~ m/\.bat$/) { + ::alertMsg("ALERT: user_run: Path ends in \.com/\.bat: ".$key_path." : ".$v." -> ".$vals{$v}); + } + ::rptMsg(" ".$v.": ".$vals{$v}); + } + } + else { + ::rptMsg(""); + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } + ::rptMsg(""); + } + +# This section was added on 20130115 to address the 'run' and 'load' values that +# could be added to the key + my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + my $run; + my $count = 0; + eval { + $run = $key->get_value("Run")->get_data(); + ::rptMsg("Run value = ".$run); + ::alertMsg("ALERT: user_run: ".$key_path." 
Run value found: ".$run); + }; + if ($@) { + ::rptMsg("Run value not found."); + } + + eval { + $run = $key->get_value("run")->get_data(); + ::rptMsg("run value = ".$run); + ::alertMsg("ALERT: user_run: ".$key_path." run value found: ".$run); + }; + if ($@) { + ::rptMsg("run value not found."); + } + + my $load; + eval { + $load = $key->get_value("load")->get_data(); + ::rptMsg("load value = ".$load); + ::alertMsg("ALERT: user_run: ".$key_path." load value found: ".$load); + }; + if ($@) { + ::rptMsg("load value not found."); + } + + } +} + +sub getKeyValues { + my $key = shift; + my %vals; + + my @vk = $key->get_list_of_values(); + if (scalar(@vk) > 0) { + foreach my $v (@vk) { + next if ($v->get_name() eq "" && $v->get_data() eq ""); + $vals{$v->get_name()} = $v->get_data(); + } + } + else { + + } + return %vals; +} + +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/user_win.pl b/RecentActivity/release/rr-full/plugins/user_win.pl old mode 100644 new mode 100755 similarity index 89% rename from thirdparty/rr/plugins/user_win.pl rename to RecentActivity/release/rr-full/plugins/user_win.pl index 107c71d4be..27f69912a1 --- a/thirdparty/rr/plugins/user_win.pl +++ b/RecentActivity/release/rr-full/plugins/user_win.pl 
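Review bot: The two alert heuristics in pluginmain are more case-sensitive than the data they inspect: `grep(/[Tt]emp/,$vals{$v})` misses `%TEMP%` or `C:\TEMP\...`, and `m/\.com$/ || m/\.bat$/` misses a value whose path is quoted or followed by arguments, since the string then ends in `"` or the argument rather than the extension. Windows paths are case-insensitive, so `if ($vals{$v} =~ m/temp/i)` and `if ($vals{$v} =~ m/\.(com|bat)\b/i)` cover those forms without changing what is reported. The alert text itself is fine, but a short comment above the checks stating that these are coarse triage hints and that an analyst should still review every listed value would set expectations for report readers. `getKeyValues` also ends with an empty `else { }` branch; either drop it or note there that a key with no values is reported by the caller.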
@@ -1,60 +1,62 @@ -#----------------------------------------------------------- -# user_win.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package user_win; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080415); - -sub getConfig{return %config} - -sub getShortDescr { - return " -- "; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching user_win v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - eval { - my $load = $key->get_value("load")->get_data(); - ::rptMsg("load value = ".$load); - ::rptMsg("*Should be blank; anything listed gets run when the user logs in."); - }; - - eval { - my $run = $key->get_value("run")->get_data(); - ::rptMsg("run value = ".$run); - ::rptMsg("*Should be blank; anything listed gets run when the user logs in."); - }; - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} +#----------------------------------------------------------- +# user_win.pl +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package user_win; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080415); + +sub getConfig{return %config} + +sub getShortDescr { + return " -- "; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching user_win v.".$VERSION); + ::rptMsg("user_win v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + eval { + my $load = $key->get_value("load")->get_data(); + ::rptMsg("load value = ".$load); + ::rptMsg("*Should be blank; anything listed gets run when the user logs in."); + }; + + eval { + my $run = $key->get_value("run")->get_data(); + ::rptMsg("run value = ".$run); + ::rptMsg("*Should be blank; anything listed gets run when the user logs in."); + }; + + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/userassist2.pl b/RecentActivity/release/rr-full/plugins/userassist.pl old mode 100644 new mode 100755 similarity index 95% rename from thirdparty/rr/plugins/userassist2.pl rename to RecentActivity/release/rr-full/plugins/userassist.pl index 010b9899db..ab055f7b19 --- a/thirdparty/rr/plugins/userassist2.pl +++ b/RecentActivity/release/rr-full/plugins/userassist.pl 
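Review bot: The banner line added to pluginmain prints `getShortDescr()`, but that sub still returns the placeholder `" -- "`, so the report header for this plugin now reads `(NTUSER.DAT)  -- ` with no description. Since the commit makes the description user-visible, give it a real value, e.g. `return "Get load and run values from the Windows NT\\CurrentVersion\\Windows key";`. For comparison, user_run.pl in this commit builds the same banner from `$config{hive}` directly while this file calls `getHive()`; both work, but one shape across the touched plugins reads better.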
@@ -1,125 +1,125 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# userassist2.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# UserAssist values -# -# Change history -# 20100322 - Added CLSID list reference -# 20100308 - created, based on original userassist.pl plugin -# -# References -# Control Panel Applets - http://support.microsoft.com/kb/313808 -# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package userassist2; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100308); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of UserAssist subkeys"; -} -sub getDescr{} -sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching userassist2 v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; - my $key; - - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("UserAssist"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()); - processKey($s); - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub processKey { - my $ua = shift; - - my $key = $ua->get_subkey("Count"); - - my %ua; - my $hrzr = "HRZR"; - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $value_name = $v->get_name(); - my $data = $v->get_data(); - -# Windows XP/2003/Vista/2008 - if (length($data) == 16) { - my ($session,$count,$val1,$val2) = unpack("V*",$data); - if ($val2 != 0) { - my $time_value = ::getTime($val1,$val2); - if ($value_name =~ m/^$hrzr/) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - } - $count -= 5 if ($count > 5); - push(@{$ua{$time_value}},$value_name." (".$count.")"); - } - } -# Windows 7 - elsif (length($data) == 72) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; -# if (unpack("V",substr($data,0,4)) == 0) { -# my $count = unpack("V",substr($data,4,4)); -# my @t = unpack("VV",substr($data,60,8)); -# next if ($t[0] == 0 && $t[1] == 0); -# my $time_val = ::getTime($t[0],$t[1]); -# print " .-> ".$time_val."\n"; -# push(@{$ua{$time_val}},$value_name." (".$count.")"); -# } - my $count = unpack("V",substr($data,4,4)); - my @t = unpack("VV",substr($data,60,8)); - next if ($t[0] == 0 && $t[1] == 0); - my $time_val = ::getTime($t[0],$t[1]); - push(@{$ua{$time_val}},$value_name." (".$count.")"); - } - else { -# Nothing else to do - } - } - foreach my $t (reverse sort {$a <=> $b} keys %ua) { - ::rptMsg(gmtime($t)." Z"); - foreach my $i (@{$ua{$t}}) { - ::rptMsg(" ".$i); - } - } - } -} +#! 
c:\perl\bin\perl.exe +#----------------------------------------------------------- +# userassist.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# UserAssist values +# +# Change history +# 20100322 - Added CLSID list reference +# 20100308 - created, based on original userassist.pl plugin +# +# References +# Control Panel Applets - http://support.microsoft.com/kb/313808 +# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package userassist; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100308); + +sub getConfig{return %config} +sub getShortDescr { + return "Displays contents of UserAssist subkeys"; +} +sub getDescr{} +sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching userassist2 v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; + my $key; + + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("UserAssist"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($s->get_name()); + processKey($s); + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." 
not found."); + } +} + +sub processKey { + my $ua = shift; + + my $key = $ua->get_subkey("Count"); + + my %ua; + my $hrzr = "HRZR"; + + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $value_name = $v->get_name(); + my $data = $v->get_data(); + +# Windows XP/2003/Vista/2008 + if (length($data) == 16) { + my ($session,$count,$val1,$val2) = unpack("V*",$data); + if ($val2 != 0) { + my $time_value = ::getTime($val1,$val2); + if ($value_name =~ m/^$hrzr/) { + $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; + } + $count -= 5 if ($count > 5); + push(@{$ua{$time_value}},$value_name." (".$count.")"); + } + } +# Windows 7 + elsif (length($data) == 72) { + $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; +# if (unpack("V",substr($data,0,4)) == 0) { +# my $count = unpack("V",substr($data,4,4)); +# my @t = unpack("VV",substr($data,60,8)); +# next if ($t[0] == 0 && $t[1] == 0); +# my $time_val = ::getTime($t[0],$t[1]); +# print " .-> ".$time_val."\n"; +# push(@{$ua{$time_val}},$value_name." (".$count.")"); +# } + my $count = unpack("V",substr($data,4,4)); + my @t = unpack("VV",substr($data,60,8)); + next if ($t[0] == 0 && $t[1] == 0); + my $time_val = ::getTime($t[0],$t[1]); + push(@{$ua{$time_val}},$value_name." (".$count.")"); + } + else { +# Nothing else to do + } + } + foreach my $t (reverse sort {$a <=> $b} keys %ua) { + ::rptMsg(gmtime($t)." Z"); + foreach my $i (@{$ua{$t}}) { + ::rptMsg(" ".$i); + } + } + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/userassist_tln.pl b/RecentActivity/release/rr-full/plugins/userassist_tln.pl old mode 100644 new mode 100755 similarity index 94% rename from thirdparty/rr/plugins/userassist_tln.pl rename to RecentActivity/release/rr-full/plugins/userassist_tln.pl index ea87cb3787..1d10585b97 --- a/thirdparty/rr/plugins/userassist_tln.pl +++ b/RecentActivity/release/rr-full/plugins/userassist_tln.pl 
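Review bot: The package is renamed to `userassist`, but the log line in pluginmain still reads `::logMsg("Launching userassist2 v.".$VERSION);`, so log output will attribute this plugin to the old name; change it to `::logMsg("Launching userassist v.".$VERSION);`. The header comment still says the file was created "based on original userassist.pl plugin", which is accurate history but now reads oddly under the new file name, so a change-history line recording the rename from userassist2.pl would help the next reader. Unlike usbstor.pl and user_win.pl in this commit, no `::rptMsg` banner was added to this plugin; presumably intentional, but worth confirming so report output stays uniform across plugins.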
@@ -1,114 +1,114 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# userassist_tln.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# UserAssist values -# -# Change history -# 20110516 - created, modified from userassist2.pl -# 20100322 - Added CLSID list reference -# 20100308 - created, based on original userassist.pl plugin -# -# References -# Control Panel Applets - http://support.microsoft.com/kb/313808 -# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package userassist_tln; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20110516); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of UserAssist subkeys in TLN format"; -} -sub getDescr{} -sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching userassist_tln v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; - my $key; - - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("UserAssist"); -# ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); -# ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()); - processKey($s); - ::rptMsg(""); - } - } - else { - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::logMsg($key_path." 
not found."); - } -} - -sub processKey { - my $ua = shift; - my $key = $ua->get_subkey("Count"); - my %ua; - my $hrzr = "HRZR"; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $value_name = $v->get_name(); - my $data = $v->get_data(); - -# Windows XP/2003/Vista/2008 - if (length($data) == 16) { - my ($session,$count,$val1,$val2) = unpack("V*",$data); - if ($val2 != 0) { - my $time_value = ::getTime($val1,$val2); - if ($value_name =~ m/^$hrzr/) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - } - $count -= 5 if ($count > 5); - push(@{$ua{$time_value}},$value_name." (".$count.")"); - } - } -# Windows 7 - elsif (length($data) == 72) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - my $count = unpack("V",substr($data,4,4)); - my @t = unpack("VV",substr($data,60,8)); - next if ($t[0] == 0 && $t[1] == 0); - my $time_val = ::getTime($t[0],$t[1]); - push(@{$ua{$time_val}},$value_name." (".$count.")"); - } - else { -# Nothing else to do - } - } - foreach my $t (reverse sort {$a <=> $b} keys %ua) { - foreach my $i (@{$ua{$t}}) { - ::rptMsg($t."|REG|||UserAssist - ".$i); - } - } - } -} +#! 
c:\perl\bin\perl.exe +#----------------------------------------------------------- +# userassist_tln.pl +# Plugin for Registry Ripper, NTUSER.DAT edition - gets the +# UserAssist values +# +# Change history +# 20110516 - created, modified from userassist2.pl +# 20100322 - Added CLSID list reference +# 20100308 - created, based on original userassist.pl plugin +# +# References +# Control Panel Applets - http://support.microsoft.com/kb/313808 +# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm +# +# copyright 2011 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package userassist_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20110516); + +sub getConfig{return %config} +sub getShortDescr { + return "Displays contents of UserAssist subkeys in TLN format"; +} +sub getDescr{} +sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching userassist_tln v.".$VERSION); + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; + my $key; + + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("UserAssist"); +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); +# ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + ::rptMsg($s->get_name()); + processKey($s); + ::rptMsg(""); + } + } + else { + ::logMsg($key_path." has no subkeys."); + } + } + else { + ::logMsg($key_path." 
not found."); + } +} + +sub processKey { + my $ua = shift; + my $key = $ua->get_subkey("Count"); + my %ua; + my $hrzr = "HRZR"; + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $value_name = $v->get_name(); + my $data = $v->get_data(); + +# Windows XP/2003/Vista/2008 + if (length($data) == 16) { + my ($session,$count,$val1,$val2) = unpack("V*",$data); + if ($val2 != 0) { + my $time_value = ::getTime($val1,$val2); + if ($value_name =~ m/^$hrzr/) { + $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; + } + $count -= 5 if ($count > 5); + push(@{$ua{$time_value}},$value_name." (".$count.")"); + } + } +# Windows 7 + elsif (length($data) == 72) { + $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; + my $count = unpack("V",substr($data,4,4)); + my @t = unpack("VV",substr($data,60,8)); + next if ($t[0] == 0 && $t[1] == 0); + my $time_val = ::getTime($t[0],$t[1]); + push(@{$ua{$time_val}},$value_name." (".$count.")"); + } + else { +# Nothing else to do + } + } + foreach my $t (reverse sort {$a <=> $b} keys %ua) { + foreach my $i (@{$ua{$t}}) { + ::rptMsg($t."|REG|||[Program Execution] UserAssist - ".$i); + } + } + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/userinfo.pl b/RecentActivity/release/rr-full/plugins/userinfo.pl new file mode 100755 index 0000000000..7f8b1264f9 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/userinfo.pl 
@@ -0,0 +1,72 @@
+#-----------------------------------------------------------
+# userinfo.pl
+# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
+# MS Office UserInfo values
+#
+# Change history
+# 20110609 - created
+#
+# References
+# Based on Joe G.'s post to ForensicArtifacts.com
+#
+#
+# copyright 2011 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package userinfo;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20110609);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Gets contents of MS Office UserInfo values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $ntuser = shift;
+ ::logMsg("Launching userinfo v.".$VERSION);
+ ::rptMsg("userinfo v.".$VERSION); # banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+ my $reg = Parse::Win32Registry->new($ntuser);
+ my $root_key = $reg->get_root_key;
+
+ my %keys = (2003 => 'Software\\Microsoft\\Office\\11\.0\\Common\\UserInfo',
+ 2007 => 'Software\\Microsoft\\Office\\Common\\UserInfo');
+
+ foreach my $k (keys %keys) {
+ my $key_path = $keys{$k};
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+
+ my @vals = $key->get_list_of_values();
+ if (scalar (@vals) > 0) {
+ foreach my $v (@vals) {
+ ::rptMsg(sprintf " %-15s %-20s",$v->get_name(),$v->get_data());
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+ ::rptMsg("");
+ }
+}
+
+1;
\ No newline at end of file
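Review bot: `foreach my $k (keys %keys)` walks the two Office key paths in Perl's hash order, so the 2003 and 2007 sections can come out in a different order from one run to the next, which is undesirable for a forensic report that may be re-generated or compared. `foreach my $k (sort keys %keys)` gives a stable order at no cost. Also `$v->get_data()` is formatted with `%-20s` regardless of value type, so a non-string value would print raw bytes; `get_data_as_string()`, as vncviewer.pl in this same change uses for binary values, is the safer call for an unfiltered dump.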
diff --git a/thirdparty/rr/plugins/userlocsvc.pl b/RecentActivity/release/rr-full/plugins/userlocsvc.pl old mode 100644 new mode 100755 similarity index 87% rename from thirdparty/rr/plugins/userlocsvc.pl rename to RecentActivity/release/rr-full/plugins/userlocsvc.pl index 3974a036e1..2b21e1758c --- a/thirdparty/rr/plugins/userlocsvc.pl +++ b/RecentActivity/release/rr-full/plugins/userlocsvc.pl 
@@ -1,62 +1,64 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# userlocsvc.pl -# Get the contents of the Microsoft\User Location Service\Clients key -# from the user's hive -# -# Ref: -# http://support.microsoft.com/kb/196301 -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package userlocsvc; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090411); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of User Location Service\\Client key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching UserLocSvc v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - my $key_path = 'Software\\Microsoft\\User Location Service\\Client'; - my $key; - my %ua; - my $hrzr = "HRZR"; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $str = sprintf "%-15s %-30s",$v->get_name(),$v->get_data(); - ::rptMsg($str) if ($v->get_type() == 1); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#! c:\perl\bin\perl.exe +#----------------------------------------------------------- +# userlocsvc.pl +# Get the contents of the Microsoft\User Location Service\Clients key +# from the user's hive +# +# Ref: +# http://support.microsoft.com/kb/196301 +# +# copyright 2009 H. 
Carvey +#----------------------------------------------------------- +package userlocsvc; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20090411); + +sub getConfig{return %config} +sub getShortDescr { + return "Displays contents of User Location Service\\Client key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching userlocsvc v.".$VERSION); + ::rptMsg("userlocsvc v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + my $key_path = 'Software\\Microsoft\\User Location Service\\Client'; + my $key; + my %ua; + my $hrzr = "HRZR"; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $str = sprintf "%-15s %-30s",$v->get_name(),$v->get_data(); + ::rptMsg($str) if ($v->get_type() == 1); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/usrclass b/RecentActivity/release/rr-full/plugins/usrclass new file mode 100755 index 0000000000..5d6c153909 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/usrclass @@ -0,0 +1,3 @@ +# 20120918 *ALL* Plugins that apply on USRCLASS hive, alphabetical order +muicache +shellbags \ No newline at end of file 
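Review bot: `my %ua;` and `my $hrzr = "HRZR";` in `pluginmain` are never used in this plugin; they look like leftovers from the userassist plugin this was derived from and should be removed. The values loop also reports only REG_SZ entries (`$v->get_type() == 1`) and silently drops every other type, so a key holding only non-string values prints nothing at all rather than the "has no values." message; a comment such as `# only REG_SZ (type 1) values are reported; other types are skipped` would make that behaviour explicit to the analyst.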
diff --git a/thirdparty/rr/plugins/virut.pl b/RecentActivity/release/rr-full/plugins/virut.pl old mode 100644 new mode 100755 similarity index 79% rename from thirdparty/rr/plugins/virut.pl rename to RecentActivity/release/rr-full/plugins/virut.pl index eed5fc2a60..9d51fdb2c4 --- a/thirdparty/rr/plugins/virut.pl +++ b/RecentActivity/release/rr-full/plugins/virut.pl 
@@ -1,66 +1,72 @@ -#----------------------------------------------------------- -# virut.pl -# Plugin to detect artifacts of a Virut infection -# -# References: -# Symantec: http://www.symantec.com/security_response/ -# writeup.jsp?docid=2009-020411-2802-99&tabid=2 -# -# -# -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package virut; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090218); - -sub getConfig{return %config} - -sub getShortDescr { - return "Detect Virut artifacts"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching virut v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $update; - eval { - $update = $key->get_value("UpdateHost")->get_data(); - ::rptMsg("UpdateHost value detected! Possible Virut infection!"); - }; - ::rptMsg("UpdateHost value not found.") if ($@); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } - ::rptMsg(""); - ::rptMsg("Also be sure to check the SYSTEM\\ControlSet00n\\Services\\SharedAccess\\"); - ::rptMsg("Parameters\\FirewallPolicy\\DomainProfile\\AuthorizedApplications\\List key"); - ::rptMsg("for exceptions added to the firewall; use the fw_config\.pl plugin."); -} +#----------------------------------------------------------- +# virut.pl +# Plugin to detect artifacts of a Virut infection +# +# References: +# Symantec: http://www.symantec.com/security_response/ +# writeup.jsp?docid=2009-020411-2802-99&tabid=2 +# +# Change History: +# 20130425 - added alertMsg() functionality +# 20090218 - created +# +# +# copyright 2013 QAR, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package virut; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130425); + +sub getConfig{return %config} + +sub getShortDescr { + return "Detect Virut artifacts"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching virut v.".$VERSION); + ::rptMsg("virut v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my $update; + eval { + $update = $key->get_value("UpdateHost")->get_data(); + ::rptMsg("UpdateHost value detected! Possible Virut infection!"); + ::alertMsg("ALERT: virut: UpdateHost value detected! 
Possible Virut infection!"); + }; + ::rptMsg("UpdateHost value not found.") if ($@); + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + ::rptMsg(""); + ::rptMsg("Also be sure to check the SYSTEM\\ControlSet00n\\Services\\SharedAccess\\"); + ::rptMsg("Parameters\\FirewallPolicy\\DomainProfile\\AuthorizedApplications\\List key"); + ::rptMsg("for exceptions added to the firewall; use the fw_config\.pl plugin."); +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/vista_bitbucket.pl b/RecentActivity/release/rr-full/plugins/vista_bitbucket.pl old mode 100644 new mode 100755 similarity index 81% rename from thirdparty/rr/plugins/vista_bitbucket.pl rename to RecentActivity/release/rr-full/plugins/vista_bitbucket.pl index 6fa27c55a5..f1b32757ee --- a/thirdparty/rr/plugins/vista_bitbucket.pl +++ b/RecentActivity/release/rr-full/plugins/vista_bitbucket.pl 
@@ -1,88 +1,96 @@ -#----------------------------------------------------------- -# vista_bitbucket -# BitBucket settings for Vista $Recylce.bin are maintained on a -# per-user, per-volume basis -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package vista_bitbucket; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 192, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080420); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get BitBucket settings from Vista via NTUSER\.DAT"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching vista_bitbucket v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg($v->get_name()." : ".$v->get_data()); - } - - } - else { - ::rptMsg($key_path." has no values."); - } - ::rptMsg(""); - - my @vols; - eval { - @vols = $key->get_subkey("Volume")->get_list_of_subkeys(); - }; - if ($@) { - ::rptMsg("Could not access ".$key_path."\\Volume subkey."); - return; - } - - if (scalar(@vols) > 0) { - foreach my $v (@vols) { - ::rptMsg($v->get_name()." [".gmtime($v->get_timestamp())."] (UTC)"); - eval { - ::rptMsg(sprintf " %-15s %-3s","NukeOnDelete",$v->get_value("NukeOnDelete")->get_data()); - }; - - - } - - } - else { - ::rptMsg($key_path."\\Volume key has no subkeys."); - } - - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } - -} +#----------------------------------------------------------- +# vista_bitbucket.pl +# BitBucket settings for Vista $Recylce.bin are maintained on a +# per-user, per-volume basis +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package vista_bitbucket; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 192, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080420); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get BitBucket settings from Vista via NTUSER\.DAT"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching vista_bitbucket v.".$VERSION); + ::rptMsg("vista_bitbucket v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + ::rptMsg($v->get_name()." : ".$v->get_data()); + } + + } + else { + ::rptMsg($key_path." has no values."); + } + ::rptMsg(""); + + my @vols; + eval { + @vols = $key->get_subkey("Volume")->get_list_of_subkeys(); + }; + if ($@) { + ::rptMsg("Could not access ".$key_path."\\Volume subkey."); + return; + } + + if (scalar(@vols) > 0) { + foreach my $v (@vols) { + ::rptMsg($v->get_name()." 
[".gmtime($v->get_timestamp())."] (UTC)"); + eval { + ::rptMsg(sprintf " %-15s %-3s","NukeOnDelete",$v->get_value("NukeOnDelete")->get_data()); + }; + + + } + + } + else { + ::rptMsg($key_path."\\Volume key has no subkeys."); + } + + + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/vmplayer.pl b/RecentActivity/release/rr-full/plugins/vmplayer.pl new file mode 100755 index 0000000000..8069fbc1b5 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/vmplayer.pl 
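Review bot: The `eval { ::rptMsg(sprintf " %-15s %-3s","NukeOnDelete",...) };` in the Volume loop swallows every error with no fallback, so a volume subkey without a NukeOnDelete value prints only its name and the analyst cannot tell absence from a parse failure. Add `::rptMsg(" NukeOnDelete value not found.") if ($@);` after the eval, mirroring the `if ($@)` handling already used for the Volume subkey a few lines above.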
@@ -0,0 +1,94 @@ +#----------------------------------------------------------- +# vmplayer.pl +# Extracts full filepath for recent VMware Player VM images +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# copyright (c) 2011-02-04 Brendan Coles +#----------------------------------------------------------- +# Require # +package vmplayer; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110204); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extracts full filepath for recent VMware Player VM images."; +} +sub getRefs { + my %refs = ("VMware Player Homepage:" => + "http://www.vmware.com/products/player/"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + + # Initialize # + ::logMsg("Launching vmplayer v.".$VERSION); + ::rptMsg("vmplayer v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\VMware, Inc.\\VMware Player\\VMplayer\\Window position"; + + # If # VMware Player path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("VMware Player"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + # Extract # all keys from VMware Player registry path # + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for VMware Player registry path # + foreach my $v (@vals) { + ::rptMsg($v->get_name()." -> ".$v->get_data()); + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # VMware Player isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/RecentActivity/release/rr-full/plugins/vmware_vsphere_client.pl b/RecentActivity/release/rr-full/plugins/vmware_vsphere_client.pl new file mode 100755 index 0000000000..8e4156b498 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/vmware_vsphere_client.pl 
@@ -0,0 +1,108 @@ +#----------------------------------------------------------- +# vmware_vsphere_client.pl +# Extract recent connections list for VMware vSphere Client +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# copyright (c) 2011-02-04 Brendan Coles +#----------------------------------------------------------- +# Require # +package vmware_vsphere_client; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110204); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extract recent connections list for VMware vSphere Client."; +} +sub getRefs { + my %refs = ("VMware vSphere Client Homepage:" => + "http://www.vmware.com/products/vsphere/"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + my @interesting_paths = ( + 'Software\\VMware\\Virtual Infrastructure Client\\Preferences\\UI\\ClientsXml', + 'Software\\VMware\\VMware Infrastructure Client\\Preferences' + ); + + # Initialize # + ::logMsg("Launching vmware_vsphere_client v.".$VERSION); + ::rptMsg("vmware_vsphere_client v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + # Extract # possible registry paths + foreach my $key_path (@interesting_paths) { + + # If # VMware vSphere Client path exists # + my $xml; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("VMware 
vSphere Client"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + # Extract # all keys from VMware vSphere Client registry path # + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Return # all key names+values for VMware vSphere Client registry path # + foreach my $v (@vals) { + # Format # XML data with no new line characters + $xml = $v->get_data(); + $xml =~ s/>\s*\r*\n*/>/g; + ::rptMsg($v->get_name()." -> ".$xml); + } + # Return # obligatory new-line # + ::rptMsg(""); + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # VMware vSphere Client isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/RecentActivity/release/rr-full/plugins/vnchooksapplicationprefs.pl b/RecentActivity/release/rr-full/plugins/vnchooksapplicationprefs.pl new file mode 100755 index 0000000000..c305199bc2 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/vnchooksapplicationprefs.pl 
@@ -0,0 +1,70 @@
+#-----------------------------------------------------------
+# vnchooksapplicationprefs.pl
+# read application preference keys for apps launched in VNC session.
+# Beta version.
+#
+# Change history
+# 20110208 [sme] % created
+# 20110830 [fpi] + banner, no change to the version number
+#
+# References
+#
+# Copyright 2011 SecurityMetrics, Inc.
+#-----------------------------------------------------------
+package vnchooksapplicationprefs;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ osmask => 22,
+ version => 20110208);
+
+sub getConfig{return %config}
+sub getShortDescr {
+ return "Get VNCHooks Application Prefs list";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ ::logMsg("Launching vnchookapplicationprefs v.".$VERSION);
+ ::rptMsg("vnchookapplicationprefs v.".$VERSION); # 20110830 [fpi] + banner
+ ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
+
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+ my $key_path = "Software\\ORL\\VNCHooks\\Application_Prefs";
+ my $app_pref;
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("VNCHooks\\Application_Prefs");
+ ::rptMsg($key_path);
+ ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ ::rptMsg("");
+
+ my @apps = $key->get_list_of_subkeys();
+ if (scalar(@apps) > 0) {
+ foreach my $a (@apps) {
+ ::rptMsg($a->get_name());
+ ::rptMsg(" ".gmtime($a->get_timestamp())." Z");
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no values.");
+ ::logMsg($key_path." has no values.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
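Review bot: The log and banner lines use the name `vnchookapplicationprefs` while the file, package and plugin are `vnchooksapplicationprefs` (the "s" is missing), so log entries will not match the plugin name the framework reports; change them to `::logMsg("Launching vnchooksapplicationprefs v.".$VERSION);` and `::rptMsg("vnchooksapplicationprefs v.".$VERSION);`. The else branch after `get_list_of_subkeys()` reports `" has no values."` although subkeys were enumerated, so `" has no subkeys."` is the message that matches the check. `my $app_pref;` is never used and can be removed.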
diff --git a/thirdparty/rr/plugins/vncviewer.pl b/RecentActivity/release/rr-full/plugins/vncviewer.pl old mode 100644 new mode 100755 similarity index 59% rename from thirdparty/rr/plugins/vncviewer.pl rename to RecentActivity/release/rr-full/plugins/vncviewer.pl index 82049c93bd..be9fb8e34e --- a/thirdparty/rr/plugins/vncviewer.pl +++ b/RecentActivity/release/rr-full/plugins/vncviewer.pl 
@@ -1,68 +1,106 @@ -#----------------------------------------------------------- -# vncviewer -# -# -#----------------------------------------------------------- -package vncviewer; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080325); - -sub getConfig{return %config} -sub getShortDescr { - return "Get VNCViewer system list"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching vncviewer v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\ORL\\VNCviewer\\MRU"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("VNCViewer\\MRU"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %vnc; - foreach my $v (@vals) { - $vnc{$v->get_name()} = $v->get_data(); - } - my $ind; - if (exists $vnc{'index'}) { - $ind = $vnc{'index'}; - delete $vnc{'index'}; - } - - ::rptMsg("Index = ".$ind); - my @i = split(//,$ind); - foreach my $i (@i) { - ::rptMsg(" ".$i." -> ".$vnc{$i}); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} +#----------------------------------------------------------- +# vncviewer +# +# +# History: +# 20121231 - Updated to include VNCViewer4 +# 20080325 - created +# +# +# +#----------------------------------------------------------- +package vncviewer; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20121231); + +sub getConfig{return %config} +sub getShortDescr { + return "Get VNCViewer system list"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching vncviewer v.".$VERSION); + ::rptMsg("vncviewer v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Software\\ORL\\VNCviewer\\MRU"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("VNCViewer\\MRU"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %vnc; + foreach my $v (@vals) { + $vnc{$v->get_name()} = $v->get_data(); + } + my $ind; + if (exists $vnc{'index'}) { + $ind = $vnc{'index'}; + delete $vnc{'index'}; + } + + ::rptMsg("Index = ".$ind); + my @i = split(//,$ind); + foreach my $i (@i) { + ::rptMsg(" ".$i." -> ".$vnc{$i}); + } + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } + + my $key_path = "Software\\RealVNC\\VNCViewer4\\MRU"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + my $type = $v->get_type(); + my $data; + if ($type == 3) { + $data = $v->get_data_as_string(); + } + else { + $data = $v->get_data(); + } + + ::rptMsg(sprintf "%-8s %-25s",$name,$data); + } + + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/volinfocache.pl b/RecentActivity/release/rr-full/plugins/volinfocache.pl new file mode 100755 index 0000000000..e6ed795349 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/volinfocache.pl 
@@ -0,0 +1,87 @@ +#----------------------------------------------------------- +# volinfocache.pl +# +# Note: Andrew Case pointed out this key to me on 16 July 2012, +# and after seeing what was in it, I just wrote up a plugin +# +# History: +# 20120822 - added drive types hash based on MS KB161300 +# 20120716 - created +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package volinfocache; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20120822); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets VolumeInfoCache from Windows Search key"; +} +sub getDescr{} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + + my %types = (0x0 => "Undetermined", + 0x1 => "Root_not_exist", + 0x2 => "Removable", + 0x3 => "Fixed", + 0x4 => "Remote", + 0x5 => "CDROM", + 0x6 => "RAMDISK"); + + ::logMsg("Launching volinfocache v.".$VERSION); + ::rptMsg("Launching volinfocache v.".$VERSION); + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key; + my $key_path = "Microsoft\\Windows Search\\VolumeInfoCache"; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + my $ts = $s->get_timestamp(); + ::rptMsg($name." 
- LastWrite: ".gmtime($ts)); + + my $type; + eval { + $type = $s->get_value("DriveType")->get_data(); + $type = $types{$type} if (exists $types{$type}); + ::rptMsg("DriveType: ".$type); + }; + + my $label; + eval { + $label = $s->get_value("VolumeLabel")->get_data(); + ::rptMsg("VolumeLabel: ".$label); + }; + + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/wallpaper.pl b/RecentActivity/release/rr-full/plugins/wallpaper.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/wallpaper.pl rename to RecentActivity/release/rr-full/plugins/wallpaper.pl index 2d930cb0b1..8fec33eef1 --- a/thirdparty/rr/plugins/wallpaper.pl +++ b/RecentActivity/release/rr-full/plugins/wallpaper.pl 
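Review bot: `%config` declares `hasRefs => 1` but the plugin defines no `getRefs` sub, unlike the sibling plugins in this commit (wallpaper.pl, wbem.pl, win_cv.pl), which all define `sub getRefs {}`; if the framework consults `hasRefs` and then calls `getRefs`, this plugin dies with an undefined-subroutine error. Either add `sub getRefs {}` next to `getDescr` or set `hasRefs => 0`. The report banner also copies the log message, `::rptMsg("Launching volinfocache v.".$VERSION);`, where every other plugin in this diff prints only `name v.VERSION`; `::rptMsg("volinfocache v.".$VERSION);` keeps the report output consistent.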
@@ -1,90 +1,92 @@ -#----------------------------------------------------------- -# wallpaper.pl -# -# Wallpaper MRU -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package wallpaper; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 200800810); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parses Wallpaper MRU Entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching wallpaper v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("wallpaper"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my %wp; - my @mrulist; - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (sort @vals) { - my $name = $v->get_name(); - if ($name =~ m/^\d/) { - my $data = $v->get_data(); - my $str = getStringValue($data); - $wp{$name} = $str; - } - elsif ($name =~ m/^MRUList/) { - @mrulist = unpack("V*",$v->get_data()); - } - else { -# nothing to do - } - } - foreach my $m (@mrulist) { - next if ($m == 0xffffffff); - ::rptMsg($m." -> ".$wp{$m}); - } - } - else { - ::rptMsg($key_path." has no values"); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - -#----------------------------------------------------------- -# getStringValue() - given a binary data type w/ a Unicode -# string at the beginning, delimited by \x00\x00, return an ASCII -# string -#----------------------------------------------------------- -sub getStringValue { - my $bin = shift; - my $str = (split(/\00\00/,$bin,2))[0]; - $str =~ s/\00//g; - return $str; -} +#----------------------------------------------------------- +# wallpaper.pl +# +# Wallpaper MRU +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package wallpaper; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 200800810); + +sub getConfig{return %config} + +sub getShortDescr { + return "Parses Wallpaper MRU Entries"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching wallpaper v.".$VERSION); + ::rptMsg("wallpaper v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("wallpaper"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + my %wp; + my @mrulist; + + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (sort @vals) { + my $name = $v->get_name(); + if ($name =~ m/^\d/) { + my $data = $v->get_data(); + my $str = getStringValue($data); + $wp{$name} = $str; + } + elsif ($name =~ m/^MRUList/) { + @mrulist = unpack("V*",$v->get_data()); + } + else { +# nothing to do + } + } + foreach my $m (@mrulist) { + next if ($m == 0xffffffff); + ::rptMsg($m." -> ".$wp{$m}); + } + } + else { + ::rptMsg($key_path." has no values"); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + +#----------------------------------------------------------- +# getStringValue() - given a binary data type w/ a Unicode +# string at the beginning, delimited by \x00\x00, return an ASCII +# string +#----------------------------------------------------------- +sub getStringValue { + my $bin = shift; + my $str = (split(/\00\00/,$bin,2))[0]; + $str =~ s/\00//g; + return $str; +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/warcraft3.pl b/RecentActivity/release/rr-full/plugins/warcraft3.pl new file mode 100755 index 0000000000..d321c52393 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/warcraft3.pl 
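Review bot: `getStringValue` recovers the UTF-16LE string by splitting on the first `\00\00` and then deleting every NUL byte, which is only correct for ASCII-range text: any code unit containing a zero byte (U+0100 and above) is truncated or corrupted, and a terminator that begins on an odd byte offset cuts inside a character. Decoding the buffer avoids both problems: `my $str = Encode::decode('UTF-16LE', $bin); $str =~ s/\x00.*//s; return $str;` with `use Encode;` at the top (the winlivemsn.pl hunk later in this diff already imports it). This helper is pre-existing code carried over by the rename; only the two banner lines in `pluginmain` are new here.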
@@ -0,0 +1,106 @@ +#----------------------------------------------------------- +# warcraft3.pl +# Extract usernames for Warcraft III +# +# Change history +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# copyright (c) 2011-02-02 Brendan Coles +#----------------------------------------------------------- +# Require # +package warcraft3; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110202); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extract usernames for Warcraft 3."; +} +sub getRefs { + my %refs = ("Warcraft 3 Homepage:" => + "http://us.blizzard.com/games/war3/"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + my @interesting_keys = ( + "userbnet", + "userlocal" + ); + + # Initialize # + ::logMsg("Launching warcraft3 v.".$VERSION); + ::rptMsg("warcraft3 v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key; + my $key_path = "Software\\Blizzard Entertainment\\Warcraft III\\String"; + + # If # Warcraft III path exists # + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("Warcraft III"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + # Extract # all keys from Warcraft III registry path # + my %keys; + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for Warcraft III registry path # + foreach my $v (@vals) { + $keys{$v->get_name()} = $v->get_data(); + } + + # Return # all key names+values for interesting keys # + foreach my $var (@interesting_keys) { + if (exists $keys{$var}) { + ::rptMsg($var." -> ".$keys{$var}); + } + } + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # Warcraft III isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/thirdparty/rr/plugins/specaccts.pl b/RecentActivity/release/rr-full/plugins/wbem.pl old mode 100644 new mode 100755 similarity index 55% rename from thirdparty/rr/plugins/specaccts.pl rename to RecentActivity/release/rr-full/plugins/wbem.pl index 4933d865fa..b59ebe755b --- a/thirdparty/rr/plugins/specaccts.pl +++ b/RecentActivity/release/rr-full/plugins/wbem.pl 
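Review bot: The `%keys` lookup for `userbnet`/`userlocal` is case-sensitive, while Windows matches registry value names case-insensitively, so a value written as `UserBnet` would be silently skipped. Normalising on insert, `$keys{lc $v->get_name()} = $v->get_data();`, makes the `@interesting_keys` match robust (the list is already lower case). The `# If #` / `# Error #` / `# Return #` comments restate the control flow rather than its intent and could be folded into the header comment.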
@@ -1,68 +1,67 @@ -#----------------------------------------------------------- -# specaccts.pl -# Gets contents of SpecialAccounts\UserList key -# -# History -# 20100223 - created -# -# References -# http://www.microsoft.com/security/portal/Threat/Encyclopedia/ -# Entry.aspx?Name=Trojan%3AWin32%2FStarter -# -# http://www.microsoft.com/Security/portal/Threat/Encyclopedia/ -# Entry.aspx?Name=TrojanSpy%3AWin32%2FUrsnif.gen!H&ThreatID=-2147343835 -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package specaccts; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100223); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets contents of SpecialAccounts\\UserList key"; -} -sub getDescr{} - -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching specaccts v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my %apps; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(sprintf "%-20s 0x%x",$v->get_name(),$v->get_data()); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# wbem.pl +# There are indications that the contents of this key may be associated +# with a number of different malware variants, including the Elite +# Keylogger. 
+# +# History +# 20120306 - created +# +# +# copyright 2012, Quantum Analytics Research, LLC +#----------------------------------------------------------- +package wbem; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120306); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get contents of WBEM\\WDM key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my %clsid; + ::logMsg("Launching wbem v.".$VERSION); + ::rptMsg("wbem v.".$VERSION); # banner + ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\WBEM\\WDM"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + ::rptMsg($v->get_name()." - ".$v->get_data()); + ::rptMsg(""); + } + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/win_cv.pl b/RecentActivity/release/rr-full/plugins/win_cv.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/win_cv.pl rename to RecentActivity/release/rr-full/plugins/win_cv.pl index 977eeb7920..ecea0c0502 --- a/thirdparty/rr/plugins/win_cv.pl +++ b/RecentActivity/release/rr-full/plugins/win_cv.pl 
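Review bot: `::rptMsg($v->get_name()." - ".$v->get_data());` writes the raw data regardless of value type, so a REG_BINARY value under `WBEM\WDM` is emitted as raw bytes into the report; `get_data_as_string()`, which the vncviewer.pl hunk earlier in this diff already uses for binary values, gives a readable form: `::rptMsg($v->get_name()." - ".$v->get_data_as_string());`. Git detected this file as a rename of specaccts.pl, which reported `Winlogon\SpecialAccounts\UserList` (a key used to hide accounts from the logon screen); if specaccts.pl is not carried over elsewhere in the new plugin directory, that check disappears with this commit and is worth confirming. The new header attributes the key to malware while `hasRefs => 0`; a `getRefs` entry pointing at the source of that claim would make it checkable.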
@@ -1,85 +1,87 @@ -#----------------------------------------------------------- -# win_cv.pl -# Get and display the contents of the Windows\CurrentVersion key -# Output sorted based on length of data -# -# Change History: -# 20080609: added translation of InstallDate time -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package win_cv; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090312); - -sub getConfig{return %config} -sub getShortDescr { - return "Get & display the contents of the Windows\\CurrentVersion key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching win_cv v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows\\CurrentVersion"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my %cv; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - my $len = length($data); - next if ($name eq ""); - if ($v->get_type() == 3) { - $data = _translateBinary($data); - } - push(@{$cv{$len}},$name." : ".$data); - } - foreach my $t (sort {$a <=> $b} keys %cv) { - foreach my $item (@{$cv{$t}}) { - ::rptMsg(" $item"); - } - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values"); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} +#----------------------------------------------------------- +# win_cv.pl +# Get and display the contents of the Windows\CurrentVersion key +# Output sorted based on length of data +# +# Change History: +# 20080609: added translation of InstallDate time +# +# copyright 2009 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package win_cv; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20090312); + +sub getConfig{return %config} +sub getShortDescr { + return "Get & display the contents of the Windows\\CurrentVersion key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching win_cv v.".$VERSION); + ::rptMsg("win_cv v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Microsoft\\Windows\\CurrentVersion"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my %cv; + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); + my $len = length($data); + next if ($name eq ""); + if ($v->get_type() == 3) { + $data = _translateBinary($data); + } + push(@{$cv{$len}},$name." 
: ".$data); + } + foreach my $t (sort {$a <=> $b} keys %cv) { + foreach my $item (@{$cv{$t}}) { + ::rptMsg(" $item"); + } + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values"); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + + +sub _translateBinary { + my $str = unpack("H*",$_[0]); + my $len = length($str); + my @nstr = split(//,$str,$len); + my @list = (); + foreach (0..($len/2)) { + push(@list,$nstr[$_*2].$nstr[($_*2)+1]); + } + return join(' ',@list); +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/winbackup.pl b/RecentActivity/release/rr-full/plugins/winbackup.pl new file mode 100755 index 0000000000..5bf99ff6b5 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/winbackup.pl 
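Review bot: `_translateBinary` loops `foreach (0..($len/2))`, one iteration past the last hex pair, so the final push concatenates two undefined elements and the joined result ends with a trailing space (and would warn under `use warnings`); the whole helper reduces to `return join(' ', unpack("(H2)*", $_[0]));`. The header's change history mentions translation of `InstallDate`, but nothing in this hunk converts that value, so either the comment or the code is out of date. Both points are pre-existing and carried over by the rename; the only new lines are the two banner calls in `pluginmain`.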
@@ -0,0 +1,211 @@ +#----------------------------------------------------------- +# winbackup.pl +# +# Change History +# 20120812 [fpi] % created from winver.pl +# +# References +# +# copyright 2012 M. DeGrazia, arizona4n6@gmail.com +#----------------------------------------------------------- +package winbackup; +use strict; + +my %config = (hive => "Software", + osmask => 16, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120812); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get Windows Backup"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching winbackup v.".$VERSION); + ::rptMsg("winbackup v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows\\CurrentVersion\\WindowsBackup\\ScheduleParams\\TargetDevice"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + + my $name; + eval { + $name = $key->get_value("PresentableName")->get_data(); + }; + if ($@) { +# ::rptMsg("PresentableName value not found."); + } + else { + ::rptMsg(" PresentableName = ".$name); + } + + my $uniquename; + eval { + $uniquename = $key->get_value("UniqueName")->get_data(); + }; + if ($@) { +# ::rptMsg("UniqueName value not found."); + } + else { + ::rptMsg(" UniqueName = ".$uniquename); + } + + + my $devlabel; + eval { + $devlabel = $key->get_value("Label")->get_data(); + }; + if ($@) { +# ::rptMsg("Label value not found."); + } + else { + ::rptMsg(" Label = ".$devlabel); + } + + + my $vendor; + eval { + $vendor = $key->get_value("DeviceVendor")->get_data(); + }; + if ($@) { +# ::rptMsg("DeviceVendor value not found."); + } + else { + ::rptMsg(" DeviceVendor = ".$vendor); + } + + my $deviceproduct; + eval { + $deviceproduct = $key->get_value("DeviceProduct")->get_data(); + }; + if ($@) { +# ::rptMsg("DeviceVendor value not found."); + } + else { + ::rptMsg(" DeviceProduct = ".$deviceproduct); + } + + my $deviceversion; + eval { + $deviceversion = $key->get_value("DeviceVersion")->get_data(); + }; + if ($@) { +# ::rptMsg("DeviceVendor value not found."); + } + else { + ::rptMsg(" DeviceVersion = ".$deviceversion); + } + + + my $devserial; + eval { + $devserial = $key->get_value("DeviceSerial")->get_data(); + }; + if ($@) { +# ::rptMsg("DeviceSerial value not found."); + } + else { + ::rptMsg(" DeviceSerial = ".$devserial); + } + } + else { + ::rptMsg($key_path." not found."); + } + +#status + + ::rptMsg(""); + my $key_path = "Microsoft\\Windows\\CurrentVersion\\WindowsBackup\\Status"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("{name}"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + ::rptMsg(""); + + my $lastresulttime; + eval { + $lastresulttime = $key->get_value("LastResultTime")->get_data(); + }; + if ($@) { +# ::rptMsg("LastSuccess value not found."); + } + else { + my @vals = unpack("VV",$lastresulttime); + my $lrt = ::getTime($vals[0],$vals[1]); + ::rptMsg(" LastResultTime = ".gmtime($lrt)." (UTC)"); + } + + my $lastsuccess; + eval { + $lastsuccess = $key->get_value("LastSuccess")->get_data(); + }; + if ($@) { +# ::rptMsg("LastSuccess value not found."); + } + else { + my @vals = unpack("VV",$lastsuccess); + my $ls = ::getTime($vals[0],$vals[1]); + ::rptMsg(" LastSuccess = ".gmtime($ls)." (UTC)"); + } + + my $lasttarget; + eval { + $lasttarget = $key->get_value("LastResultTarget")->get_data(); + }; + if ($@) { +# ::rptMsg("LastResultTarget value not found."); + } + else { + ::rptMsg(" LastResultTarget = ".$lasttarget); + } + + my $LRTPrestName; + eval { + $LRTPrestName = $key->get_value("LastResultTargetPresentableName")->get_data(); + }; + if ($@) { +# ::rptMsg("LastResultTargetPresentableName value not found."); + } + else { + ::rptMsg(" LastResultTargetPresentableName = ".$LRTPrestName); + } + + + my $LRTTargetLabel; + eval { + $LRTTargetLabel = $key->get_value("LastResultTargetLabel")->get_data(); + }; + if ($@) { +# ::rptMsg("LastResultTargetLabel value not found."); + } + else { + ::rptMsg(" LastResultTargetLabel = ".$LRTTargetLabel); + } + } + else { + ::rptMsg($key_path." not found."); + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/winlivemail.pl b/RecentActivity/release/rr-full/plugins/winlivemail.pl new file mode 100755 index 0000000000..243aa1d5b7 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/winlivemail.pl 
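Review bot: `my $key_path` and `my $key` are declared a second time in the same scope of `pluginmain` for the `Status` key, which is a "masks earlier declaration" warning under `use warnings` and reads as a copy-paste slip; assign to the existing variables instead, `$key_path = "Microsoft\\Windows\\CurrentVersion\\WindowsBackup\\Status";` with the `my` dropped from both lines. The same double declaration appears in the vncviewer.pl hunk at the top of this diff. Three of the commented-out error messages (for `DeviceProduct`, `DeviceVersion` and `LastResultTime`) still name `DeviceVendor`/`LastSuccess`, so if they are ever re-enabled they report the wrong value name. `unpack("VV", ...)` on `LastResultTime`/`LastSuccess` assumes at least 8 bytes of binary data; if the value were shorter, or stored as a REG_QWORD that `get_data` returns as a number, `::getTime` would receive undefined halves, so a `length($lastresulttime) >= 8` guard before the unpack is worthwhile.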
@@ -0,0 +1,136 @@ +#----------------------------------------------------------- +# winlivemail.pl +# Get and display the contents of the key +# "HKCU\Software\Microsoft\Windows Live Mail" +# +# Change history +# 20111115 [fpi] % created +# 20111118 [fpi] % minor fix +# +# References +# +# copyright 2011 F. Picasso, francesco.picasso@gmail.com +#----------------------------------------------------------- +package winlivemail; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20111118); + +sub getConfig{return %config} +sub getShortDescr { + return "Get & display the contents of the Windows Live Mail key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +my @VALOUT = ( + [ "Store Root", undef, undef ], + [ "Attachment Path", undef, undef ], + [ "Default User", undef, undef ], + [ "Default Mail Account", undef, undef ], + [ "Default LDAP Account", undef, undef ], + [ "TotalUpTime", undef, undef ], + [ "AppRuns", undef, undef ], + [ "LastRun", undef, \&trFILETIME ], + [ "First Run Done", undef, undef ], + [ "Email Security Zone", undef, undef ], + [ "DesktopSearchIndexed", undef, undef ], + [ "DatabaseVersion", undef, undef ] +); + +my @VALOUT_MAIL = ( + [ "Accounts Checked", undef, undef ], + [ "Attach VCard", undef, undef ], + [ "Block External Content", undef, undef ], + [ "Check Mail on Startup", undef, undef ], + [ "Digitally Sign Messages", undef, undef ], + [ "EnablePhishing", undef, undef ], + [ "Encrypt Messages", undef, undef ], + [ "Safe Attachments", undef, undef ], + [ "Secure Safe Attachments", undef, undef ], + [ "Show Header Info", undef, undef ], + [ "Show Images From Contacts", undef, undef ], + [ "Warn on Mapi Send", undef, undef ] +); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching winlivemail v.".$VERSION); + ::rptMsg("winlivemail 
v.".$VERSION); + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Software\\Microsoft\\Windows Live Mail"; + my $key; + my $ref; + + if ( $key = $root_key->get_subkey( $key_path ) ) { + ::rptMsg( $key_path ); + ::rptMsg( "LastWrite Time ".gmtime($key->get_timestamp())." (UTC)" ); + ::rptMsg( "" ); + + foreach $ref ( @VALOUT ) { + $ref->[1] = getValueData( $key, $ref->[0], $ref->[2] ); + ::rptMsg( sprintf( "%-20s = %s", $ref->[0], $ref->[1] ) ); + } + + my $tab = " "; + $key_path .= "\\mail"; + if ( $key = $root_key->get_subkey( $key_path ) ) { + ::rptMsg(""); + ::rptMsg( $tab.$key_path ); + ::rptMsg( $tab."LastWrite Time ".gmtime($key->get_timestamp())." (UTC)" ); + ::rptMsg( "" ); + + foreach $ref ( @VALOUT_MAIL ) { + $ref->[1] = getValueData( $key, $ref->[0], $ref->[2] ); + ::rptMsg( $tab.sprintf( "%-25s = %s", $ref->[0], $ref->[1] ) ); + } + } + else { + ::rptMsg( $key_path." not found." ); + ::logMsg( $key_path." not found." ); + } + } + else { + ::rptMsg( $key_path." not found." ); + ::logMsg( $key_path." not found." ); + } +} + +sub trFILETIME +{ + my $data = shift; + my ( $t0, $t1 ) = unpack( "VV",$data ); + $data = gmtime( ::getTime( $t0, $t1 ) )." UTC"; + return $data; +} + +sub getValueData +{ + my $key = shift; my $vn = shift; my $trans = shift; + my $vd; + my $vo = $key->get_value( $vn ); + if ( not defined $vo ) { + $vd = ""; + } + else { + $vd = $vo->get_data(); + if ( defined $trans ) { + $vd = $trans->( $vd ); + } + } + return $vd; +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/winlivemsn.pl b/RecentActivity/release/rr-full/plugins/winlivemsn.pl new file mode 100755 index 0000000000..9098354365 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/winlivemsn.pl 
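Review bot: `pluginmain` writes each value's data back into the module-level `@VALOUT`/`@VALOUT_MAIL` tables (`$ref->[1] = getValueData(...)`), so what reads like a static description of the values is also mutable output state that persists after the call; keeping the result in a local, `my $vd = getValueData( $key, $ref->[0], $ref->[2] );` followed by `::rptMsg( sprintf( "%-20s = %s", $ref->[0], $vd ) );`, lets the tables stay constant (the unused middle slot can then be dropped). `trFILETIME` unpacks two 32-bit halves without checking that `$data` holds 8 bytes, so a short `LastRun` value hands undefined values to `::getTime`; `return "" unless defined $data && length($data) >= 8;` at the top covers it. Minor: `trFILETIME` formats the time as `... UTC` while the LastWrite lines use `(UTC)`.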
@@ -0,0 +1,505 @@ +#----------------------------------------------------------- +# winlivemsn.pl +# Microsoft Messenger parser (HKCU) +# Microsoft Windows Live Messenger parser (HKCU) +# +# Change history +# 20110511 [fpi] % created +# 20110830 [fpi] + banner, no change to the version number +# 20111117 [fpi] * rewritten with new name "winlivemsn" +# 20111118 [fpi] + added parsing of 'SoundEvents' +# +# References +# Registry Quick Find Chart - AccessData +# MSN Messenger - Bruce Long Internet Forensics +# “Forensic artefacts left by Windows Live Messenger 8.0”, Journal of Digital Investigations 2007.v4.i2 +# “The Forensic Recovery of Instant Messages from MSN Messenger and Windows Live Messenger”, Harry Parsonage 08 +# MSN http://imfreedom.org/wiki/MSN +# +# copyright 2011 F. Picasso +#----------------------------------------------------------- +package winlivemsn; +use strict; +use Encode; +use MIME::Base64; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20111118); + +sub getConfig{return %config} +sub getShortDescr { + return "Windows Live Messenger parser"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Registry Quick Find Chart - AccessData" => + "http://www.accessdata.com/media/en_us/print/papers/wp.Registry_Quick_Find_Chart.en_us.pdf", + "MSN Messenger - Bruce Long Internet Forensics" => + "http://www.slidefinder.net/M/MSN_20Messenger/7261350", + "The Forensic Recovery of Instant Messages from MSN Messenger and Windows Live Messenger" => + "http://computerforensics.parsonage.co.uk/downloads/MSNandLiveMessengerArtefactsOfConversations.pdf", + "Forensic artefacts left by Windows Live Messenger 8.0" => + "http://linkinghub.elsevier.com/retrieve/pii/S1742287607000527", + "MSN protocol reversed" => + "http://imfreedom.org/wiki/MSN" + ); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +my $VERSION = getVersion(); + 
+#------------------------------------------------------------------------------ + +my $tab0 = ""; +my $tab2 = " "; +my $tab4 = " "; +my $tab6 = " "; +my $tab8 = " "; + +my $align10 = "%-10s"; +my $align15 = "%-15s"; +my $align20 = "%-20s"; +my $align25 = "%-25s"; + +#------------------------------------------------------------------------------ + +my @MSNOBJ_TYPE = ( + "none", + "Avatar (Unknown, present since Messenger 6.0)", + "Custom Emoticon", + "User Tile (Static display picture only)", + "Shared File (Unkonw, present since Messenger 6.0)", + "Backgrounds (Static backgrounds only)", + "History (Unknown)", + "Deluxe Display Pictures (Dynamic display pictures)", + "Wink", + "Map File (A map file contains a list of items in the store)", + "Dynamic Background (Animated)", + "Voice Clip", + "Plug-in State (Saved state of Add-ins)", + "Roaming Objects (eg.Roaming display picture)", + "Signature Sounds (Introduced in Messenger 9.0)" +); + +#------------------------------------------------------------------------------ + +my @VALOUT = ( + [ "LastAppVersion", undef, \&trLastAppVersion ], + [ "AppCompatCanary", undef, undef ], + [ "MachineGuid", undef, undef ], + [ "MachineName", undef, \&trUnicodeStr ], + [ "RtlLogOutput", undef, undef ] +); + +my @VALOUT_SQM = ( + [ "TotalUpTime", undef, undef ] +); + +my @VALOUT_PPS = ( + [ "DefaultIdentityMigrated", undef, undef ], + [ "LiveIdentitiesMigrated", undef, undef ] +); + +my @VALOUT_ACCOUNT = ( + [ "MessengerFirstRunDone", undef, undef ], + [ "MessageLoggingEnabled", undef, \&acctMsnLogging ], + [ "MessageLogPath", undef, undef ], + [ "MessageLogVersion", undef, \&trHex ], + [ "DateOfLastHighlightLaunch", undef, \&trFILETIME ], + [ "LastActiveProvider", undef, undef ], + [ "MSN", undef, undef ], + [ "UTL", undef, \&acctUTL ], + [ "UTT", undef, \&trUnicodeStr ] + +); + +# ID, LastWriteTime, Email, Logging +my @NOACCOUNT = ( ); +my @ACCOUNT = ( ); + 
+#------------------------------------------------------------------------------ + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg( "Launching winlivemsn v.".$VERSION ); + ::rptMsg("winlivemsn v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new( $ntuser ); + my $root_key = $reg->get_root_key; + my $kpath = 'Software\\Microsoft\\MSNMessenger'; + my $path = $kpath; + my $key; + + if ( $key = $root_key->get_subkey( $path ) ) { + rptKeyAndValues( $path, \$key, \@VALOUT, $tab0, $align15 ); + + $path = $kpath.'\\SQM'; + if ( $key = $root_key->get_subkey( $path ) ) { + ::rptMsg( "" ); + rptKeyAndValues( $path, \$key, \@VALOUT_SQM, $tab2, $align10 ); + } + else { + ::rptMsg( $path." not found." ); + ::logMsg( $path." not found." ); + } + + $path = $kpath.'\\PerPassportSettings'; + if ( $key = $root_key->get_subkey( $path ) ) { + ::rptMsg( "" ); + rptKeyAndValues( $path, \$key, \@VALOUT_PPS, $tab2, $align10 ); + + my @subkeys = $key->get_list_of_subkeys(); + if ( scalar( @subkeys ) > 0 ) { + foreach my $s (@subkeys) { + ::rptMsg( "" ); + analyzeAccount( \$s, $tab4, $align25 ); + } + } + else { + ::rptMsg( $path." has no subkeys." ); + ::logMsg( $path." has no subkeys." ); + } + } + else { + ::rptMsg( $path." not found." ); + ::logMsg( $path." not found." ); + } + } + else { + ::rptMsg( $path." not found." ); + ::logMsg( $path." not found." ); + } + + rptAcctSummary(); + ::rptMsg( "\n" ); + + $kpath = 'Software\\Microsoft\\Windows Live Contacts'; + $path = $kpath; + + if ( $key = $root_key->get_subkey( $path ) ) { + ::rptMsg( $path ); + + ::rptMsg( $key->get_name() ); + ::rptMsg( "LastWrite Time ".gmtime($key->get_timestamp())." (UTC)" ); + + ::rptMsg( " " ); + $path = $kpath.'\\Database'; + if ( $key = $root_key->get_subkey( $path ) ) { + ::rptMsg( $tab2.$path ); + ::rptMsg( $tab2."LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)\n" ); + _getAllKeyValue( \$key, $tab2 ); + } + else { + ::rptMsg( $path." not found." ); + ::logMsg( $path." not found." ); + } + + ::rptMsg( "" ); + $path = $kpath.'\\Me'; + if ( $key = $root_key->get_subkey( $path ) ) { + ::rptMsg( $tab2.$path ); + ::rptMsg( $tab2."LastWrite Time ".gmtime($key->get_timestamp())." (UTC)\n" ); + _getAllKeyValue( \$key, $tab2 ); + } + else { + ::rptMsg( $path." not found." ); + ::logMsg( $path." not found." ); + } + + ::rptMsg( "" ); + ::rptMsg( "Analysis Tip: bad accounts should be identified by missing 'shadow' Database\n". + "and should not appear under the 'Me' subkey"); + } + else { + ::rptMsg( $path." not found." ); + ::logMsg( $path." not found." ); + } +} + +#------------------------------------------------------------------------------ + +sub trLastAppVersion +{ + my $data = shift; + my $ver1 = $data >> 24; + my $ver2 = ( $data >> 16 ) & 0xFF; + my $ver3 = $data & 0xFFFF; + return sprintf( "0x%08X (%u.%u.%u)", $data, $ver1, $ver2, $ver3 ); +} + +sub trUnicodeStr +{ + my $data = shift; + $data = decode( "UCS-2LE", $data ); + chop( $data ); # remove last NULL (sig) + return $data; +} + +sub trHex +{ + my $data = shift; + $data = unpack( "H*", $data ); + return "0x".$data; +} + +sub trFILETIME +{ + my $data = shift; + my ( $t0, $t1 ) = unpack( "VV",$data ); + $data = gmtime( ::getTime( $t0, $t1 ) )." 
UTC"; + return $data; +} + +sub acctMsnLogging +{ + my $data = shift; my $acctRef = shift; my $valueObj = shift; + + if ( 'REG_BINARY' eq $valueObj->get_type_as_string() ) { + $data = 'yes (binary not reported)'; ${$acctRef}[3] = 'yes'; + } + else { + if ( 0 == $data ) { $data = "no ($data)"; ${$acctRef}[3] = 'no'; } + else { + $data = "unknown ($data)"; ${$acctRef}[3] = 'unknown'; + ::logMsg( "expected a value of 0 for REG_DWORD MessageLoggingEnabled but found unknown '$data'" ); } + } + return $data; +} + +sub acctUTL +{ + my $data = shift; my $acctRef = shift; + + if ( $data =~ m/Creator="([^"]*)/) { + ${$acctRef}[2] = $1; + } + else { + ${$acctRef}[2] = 'unknown'; + ::logMsg( "accUTL method not found email address as expected" ); + } + return $data; +} + +#------------------------------------------------------------------------------ + +sub getValueData +{ + my $keyRef = shift; my $vn = shift; my $trans = shift; + my $vd; my $vo; + $vo = ${$keyRef}->get_value( $vn ); + if ( not defined $vo ) { + $vd = ""; + } + else { + $vd = $vo->get_data(); + if ( defined $trans ) { + $vd = $trans->( $vd ); + } + } + return $vd; +} + +#------------------------------------------------------------------------------ + +sub rptKeyAndValues +{ + my $path = shift; my $keyRef = shift; my $valoutRef = shift; + my $tab = shift; my $align = shift; + ::rptMsg( $tab.$path ); + ::rptMsg( $tab."LastWrite Time ".gmtime( ${$keyRef}->get_timestamp() )." 
(UTC)\n" ); + foreach my $ref ( @{$valoutRef} ) { + $ref->[1] = getValueData( $keyRef, $ref->[0], $ref->[2] ); + ::rptMsg( sprintf( $tab."$align = %s", $ref->[0], $ref->[1] ) ); + } +} + +#------------------------------------------------------------------------------ + +sub analyzeAccount +{ + my $keyRef = shift; my $tab = shift; my $align = shift; + my $accid = ${$keyRef}->get_name(); + my $acckt = ${$keyRef}->get_timestamp(); + + ::rptMsg( $tab."Key (account): $accid" ); + ::rptMsg( $tab."LastWrite Time ".gmtime( $acckt ) ); + + my @values = ${$keyRef}->get_list_of_values(); + if ( scalar( @values ) == 1 ) { + ::rptMsg( sprintf( $tab."%s = %s", $values[0]->get_name(), $values[0]->get_data() ) ); + push( @NOACCOUNT, [ $accid, $acckt, "n/a", "n/a" ] ); + return; + } + + my @acct = ( $accid, $acckt, undef, undef ); + my $vd; my $vo; + foreach my $ref ( @VALOUT_ACCOUNT ) { + $vo = ${$keyRef}->get_value( $ref->[0] ); + if ( not defined $vo ) { $vd = ""; } + else { + $vd = $vo->get_data(); + if ( defined $ref->[2] ) { $vd = $ref->[2]->( $vd, \@acct, $vo ); } + # decode msnobj + if ( "UTL" eq $ref->[0] ) { + rptDecodedMsnObj( $vd, $tab, $align ); + } + } + $ref->[1] = $vd; + ::rptMsg( sprintf( $tab."$align = %s", $ref->[0], $ref->[1] ) ); + } + + ::rptMsg( $tab."---\\" ); + if ( my $subkey = ${$keyRef}->get_subkey( 'DisplayPicsMRUList' ) ) { + ::rptMsg( $tab."SubKey : DisplayPicsMRUList" ); + ::rptMsg( $tab."LastWrite Time ".gmtime( $subkey->get_timestamp() ) ); + $vo = $subkey->get_value( 'CurrentEntries' ); + if ( defined $vo ) { + $vd = int( $vo->get_data() ); + ::rptMsg( sprintf( $tab."$align = %s", 'CurrentEntries', $vd ) ); + if ( $vd > 0 ) { + my $temp = $vd - 1; + foreach my $i ( 0..$temp ) { + $vo = $subkey->get_value( $i ); + $vd = $vo->get_data(); + $vd = decode( "UCS-2LE", $vd ); + chop( $vd ); + ::rptMsg( sprintf( $tab."$align = %s", $i, $vd ) ); + rptDecodedMsnObj( $vd, $tab, $align ); + # try to get email if not yet (re-using acctUTL) + if ( not defined 
$acct[2] ) { + acctUTL( $vd, \@acct ); + } + } + } + } + else { ::rptMsg( $tab."No CurrentEntries" ); } + } + else { + ::rptMsg( $tab. "DisplayPicsMRUList subkey not found." ); + ::logMsg( $tab. "DisplayPicsMRUList subkey not found." ); + } + + ::rptMsg( $tab."---\\" ); + # 20111118 [fpi] add check for SoundEvents trying to retrieve email address + if ( my $subkey = ${$keyRef}->get_subkey( 'SoundEvents' ) ) { + ::rptMsg( $tab."SubKey : SoundEvents" ); + ::rptMsg( $tab."LastWrite Time ".gmtime( $subkey->get_timestamp() ) ); + + my @subkeys = $subkey->get_list_of_subkeys(); + if ( scalar( @subkeys ) > 0 ) { + foreach my $s (@subkeys) { + $vo = $s->get_value( 'OSName' ); + if ( defined $vo ) { + ::rptMsg( $tab."------\\" ); + ::rptMsg( $tab."SubKey : SoundEvents\\".$s->get_name() ); + ::rptMsg( $tab."LastWrite Time ".gmtime( $s->get_timestamp() ) ); + $vd = $vo->get_data(); + ::rptMsg( sprintf( $tab."$align = %s", 'OSName', $vd ) ); + rptDecodedMsnObj( $vd, $tab, $align ); + # try to get email if not yet (re-using acctUTL) + if ( not defined $acct[2] ) { + acctUTL( $vd, \@acct ); + } + } + } + } + else { ::rptMsg( $tab."no subkeys found" ); } + } + else { + ::rptMsg( $tab. "SoundEvents subkey not found." ); + ::logMsg( $tab. "SoundEvents subkey not found." 
); + } + push( @ACCOUNT, [ @acct ] ); +} + +#------------------------------------------------------------------------------ + +sub rptDecodedMsnObj +{ + my $data = shift; my $tab = shift; my $align = shift; + my $temp; my $leg; + + if ( $data =~ m/Creator="([^"]*)/ ) { + $leg = "---> creator account"; + ::rptMsg( sprintf( $tab."$align = %s", $leg, $1 ) ); + } + else { + $leg = "unable to get Creator account"; + ::rptMsg( sprintf( $tab."$align", $leg ) ); + } + + if ( $data =~ m/Type="([^"]*)/ ) { + $leg = "---> decoded 'Type=$1'"; + ::rptMsg( sprintf( $tab."$align = %s", $leg, $MSNOBJ_TYPE[$1] ) ); + } + else { + $leg = "unable to decode MSNOBJ type"; + ::rptMsg( sprintf( $tab."$align", $leg ) ); + } + + if ( $data =~ m/Friendly="([^"]*)/ ) { + $leg = "---> decoded 'Friendly'"; + $temp = decode_base64( $1 ); + $temp = decode( "UCS-2LE", $temp ); + chop( $temp ); + ::rptMsg( sprintf( $tab."$align = %s", $leg, $temp ) ); + } + else { + $leg = "unable to decode MSNOBJ type"; + ::rptMsg( sprintf( $tab."$align", $leg ) ); + } +} + +#------------------------------------------------------------------------------ + +sub _getAllKeyValue() { + my @vals = ${$_[0]}->get_list_of_values(); + my $tab = $_[1]; + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + ::rptMsg( $tab.$val." 
= ".$data ); + } +} + +#------------------------------------------------------------------------------ + +sub rptAcctSummary +{ + ::rptMsg( "\n" ); + ::rptMsg( "ACCOUNT SUMMARY" ); + ::rptMsg( "" ); + if ( scalar( @ACCOUNT ) > 0 ) { + ::rptMsg( sprintf( " %-10s | %-24s | %-30s | %s", "ID", "IDKey Last Write Time", "Account", "Log") ); + ::rptMsg( "-------------------------------------------------------------------------------"); + foreach my $acct ( sort { $a->[1] <=> $b->[1] } @ACCOUNT) { + ::rptMsg( sprintf( " %-10s | %-24s | %-30s | %s", + $acct->[0], "".gmtime( $acct->[1] ), $acct->[2], $acct->[3] ) ); + } + } + else { ::rptMsg( "no accounts retrieved" ); } + + ::rptMsg( "\n" ); + ::rptMsg( "BAD ACCOUNT SUMMARY" ); + ::rptMsg( "bad login attempts or at least account without any information" ); + ::rptMsg( "" ); + if ( scalar( @NOACCOUNT ) > 0 ) { + ::rptMsg( sprintf( " %-10s | %-24s | %-30s | %s", "ID", "IDKey Last Write Time", "Account", "Log") ); + ::rptMsg( "-------------------------------------------------------------------------------"); + foreach my $acct ( sort { $a->[1] <=> $b->[1] } @NOACCOUNT) { + ::rptMsg( sprintf( " %-10s | %-24s | %-30s | %s", + $acct->[0], "".gmtime( $acct->[1] ), $acct->[2], $acct->[3] ) ); + } + } + else { ::rptMsg( "no bad accounts retrieved" ); } +} + +#------------------------------------------------------------------------------ +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/winlogon.pl b/RecentActivity/release/rr-full/plugins/winlogon.pl new file mode 100755 index 0000000000..3c1d79db6d --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/winlogon.pl 
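Review bot: In analyzeAccount the DisplayPicsMRUList loop trusts the CurrentEntries count read from the hive and calls `$vo->get_data()` on each numbered value without checking that get_value returned anything, so a hive whose count exceeds the stored entries aborts the whole plugin with a method-call-on-undef die; add `next unless defined $vo;` after `$vo = $subkey->get_value( $i );`. The "try to get email if not yet" retries in that loop and in the SoundEvents block never fire after a first miss, because acctUTL stores the string 'unknown' in `$acct[2]` on failure while the guard tests `not defined $acct[2]`; either leave the slot undef on failure or test `$acct[2] eq 'unknown'` as well. In rptDecodedMsnObj the index in `$MSNOBJ_TYPE[$1]` comes straight from registry data, so a non-numeric or out-of-range value produces undef and a negative one indexes from the end of the list; guard it with `$1 =~ /^\d+$/ && $1 < @MSNOBJ_TYPE` and print `unknown ($1)` otherwise. The Friendly branch's failure message repeats "unable to decode MSNOBJ type" from the Type branch and should name Friendly.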
@@ -0,0 +1,189 @@ +#----------------------------------------------------------- +# WinLogon +# Get values from WinLogon key +# +# History +# 20130425 - added alertMsg() functionality +# 20130411 - added specaccts.pl & notify.pl functionality +# 20130410 - updated; added Wow6432Node support, merged TaskMan +# 20100219 - Updated output to better present some data +# 20080415 - created +# +# References +# http://technet.microsoft.com/en-us/library/cc738733(v=ws.10).aspx +# +# TaskMan: http://technet.microsoft.com/en-us/library/cc957402.aspx +# http://www.geoffchappell.com/viewer.htm?doc=notes/windows/shell/explorer/ +# taskman.htm&tx=3,5-7,12;4&ts=0,19 +# System: http://technet.microsoft.com/en-us/library/cc784246(v=ws.10).aspx +# +# copyright 2013 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package winlogon; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130425); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get values from the WinLogon key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching winlogon v.".$VERSION); + ::rptMsg("winlogon v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my @paths = ("Microsoft\\Windows NT\\CurrentVersion\\Winlogon", + "Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"); + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %wl; + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); +# checks added 20130425 + if ($name eq "Userinit") { + my @ui = split(/,/,$data); + if (scalar(@ui) > 1 && $ui[1] ne "") { + ::alertMsg("ALERT: winlogon: ".$key_path." Userinit value has multiple entries: ".$data); + } +# alert if the Userinit value does not end in "userinit.exe" (after taking commas into account) + ::alertMsg("ALERT: winlogon: ".$key_path." Userinit value: ".$ui[0]) unless ($ui[0] =~ m/userinit\.exe$/); + } + + if ($name =~ m/^[Ss]hell/) { + ::alertMsg("ALERT: winlogon: ".$key_path." Shell value not explorer\.exe: ".$data) unless ($data eq "explorer\.exe"); + } + + ::alertMsg("ALERT: winlogon: ".$key_path." TaskMan value found: ".$data) if ($name eq "TaskMan"); + ::alertMsg("ALERT: winlogon: ".$key_path." System value found: ".$data) if ($name eq "System"); +# /end 20130425 additions + + my $len = length($data); + next if ($name eq ""); + if ($v->get_type() == 3 && $name ne "DCacheUpdate") { + $data = _translateBinary($data); + } + + $data = sprintf "0x%x",$data if ($name eq "SfcQuota"); + if ($name eq "DCacheUpdate") { + my @v = unpack("VV",$data); + $data = gmtime(::getTime($v[0],$v[1])); + } + + push(@{$wl{$len}},$name." = ".$data); + } + + foreach my $t (sort {$a <=> $b} keys %wl) { + foreach my $item (@{$wl{$t}}) { + ::rptMsg(" $item"); + } + } + ::rptMsg(""); + \checkNotifySubkey($key); + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::rptMsg(""); + } + + } + ::rptMsg("Analysis Tips: The UserInit and Shell values are executed when a user logs on\."); + ::rptMsg("The UserInit value should contain a reference to userinit.exe; the Shell value"); + ::rptMsg("should contain just 'explorer.exe'\. 
Check TaskMan & System values, if found\."); + ::rptMsg(""); + +# SpecialAccounts/UserList functionality added 20130411 + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my %apps; + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + ::rptMsg(sprintf "%-20s 0x%x",$v->get_name(),$v->get_data()); + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } + +} + +sub checkNotifySubkey { + my $key = shift; + my $notify; + if ($notify = $key->get_subkey("Notify")) { + ::rptMsg("Notify subkey contents:"); + my @sk = $notify->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); +# added 20130425 + ::alertMsg("winlogon: Notify subkey: possible Troj_Tracor infection\.") if ($name =~ m/^f0bd/); + my $lw = $s->get_timestamp(); + ::rptMsg(" ".$name." - ".gmtime($lw)); + my $dllname; + eval { + $dllname = $s->get_value("DLLName")->get_data(); + ::rptMsg(" DLLName: ".$dllname); + }; + ::rptMsg(""); + } + } + else { + ::rptMsg("Notify subkey has no subkeys."); + } + } + else { + ::rptMsg("Notify subkey not found\."); + } + ::rptMsg(""); +} + +sub _translateBinary { + my $str = unpack("H*",$_[0]); + my $len = length($str); + my @nstr = split(//,$str,$len); + my @list = (); + foreach (0..($len/2)) { + push(@list,$nstr[$_*2].$nstr[($_*2)+1]); + } + return join(' ',@list); +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/winlogon_tln.pl b/RecentActivity/release/rr-full/plugins/winlogon_tln.pl new file mode 100755 index 0000000000..02b9d79d24 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/winlogon_tln.pl 
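Review bot: The Userinit and Shell checks compare case-sensitively (`m/userinit\.exe$/`, `$data eq "explorer\.exe"`, `$name =~ m/^[Ss]hell/`) although registry value names and Windows image paths are case-insensitive, so a legitimate `Explorer.exe` raises an alert while a differently-cased value name escapes the check; use `lc($name) eq "shell"` with `lc($data) eq "explorer.exe"` and `/i` on the Userinit match (the same comparisons are in winlogon_tln.pl and winlogon_u.pl). The `^[Ss]hell` prefix match will also compare any other Shell-prefixed value under Winlogon against explorer.exe, which I believe newer Windows builds carry, so an exact name match is the safer form, and the Userinit match only tests that the first entry ends in userinit.exe, so comparing the whole entry against the expected system32 path would make that alert meaningful. `\checkNotifySubkey($key);` still invokes the sub but takes and discards a reference to its return value; the backslash is stray. _translateBinary loops `0..($len/2)`, one pair too many, so every translated REG_BINARY value ends with a trailing space built from two undef characters; `foreach (0..($len/2 - 1))` or `join(' ', unpack("(H2)*", $_[0]))` fixes it, and the same copy is in winlogon_tln.pl, winlogon_u.pl and winnt_cv.pl.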
@@ -0,0 +1,182 @@ +#----------------------------------------------------------- +# WinLogon_tln +# Get values from WinLogon key +# +# History +# 20130429 - created, from winlogon.pl +# +# References +# http://technet.microsoft.com/en-us/library/cc738733(v=ws.10).aspx +# +# TaskMan: http://technet.microsoft.com/en-us/library/cc957402.aspx +# System: http://technet.microsoft.com/en-us/library/cc784246(v=ws.10).aspx +# +# copyright 2013 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package winlogon_tln; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130429); + +sub getConfig{return %config} + +sub getShortDescr { + return "Alerts on values from the WinLogon key (TLN)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching winlogon_tln v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my @paths = ("Microsoft\\Windows NT\\CurrentVersion\\Winlogon", + "Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"); + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my $lw = $key->get_timestamp(); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %wl; + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); +# checks added 20130425 to winlogon.pl + if ($name eq "Userinit") { + my @ui = split(/,/,$data); + if (scalar(@ui) > 1 && $ui[1] ne "") { +# ::alertMsg("ALERT: winlogon: ".$key_path." Userinit value has multiple entries: ".$data); + ::alertMsg($lw."|ALERT|||".$key_path." 
Userinit value has multiple entries: ".$data); + } +# alert if the Userinit value does not end in "userinit.exe" (after taking commas into account) + ::alertMsg($lw."|ALERT|||".$key_path." Userinit value does not end in \"userinit\.exe\": ".$ui[0]) unless ($ui[0] =~ m/userinit\.exe$/); + } + + if ($name =~ m/^[Ss]hell/) { + ::alertMsg($lw."|ALERT|||".$key_path." Shell value not explorer\.exe: ".$data) unless ($data eq "explorer\.exe"); + } + + ::alertMsg($lw."|ALERT|||".$key_path." TaskMan value found: ".$data) if ($name eq "TaskMan"); + ::alertMsg($lw."|ALERT|||".$key_path." System value found: ".$data) if ($name eq "System"); +# /end 20130425 additions (winlogon.pl) + + my $len = length($data); + next if ($name eq ""); + if ($v->get_type() == 3 && $name ne "DCacheUpdate") { + $data = _translateBinary($data); + } + + $data = sprintf "0x%x",$data if ($name eq "SfcQuota"); + if ($name eq "DCacheUpdate") { + my @v = unpack("VV",$data); + $data = gmtime(::getTime($v[0],$v[1])); + } + push(@{$wl{$len}},$name." = ".$data); + } + + foreach my $t (sort {$a <=> $b} keys %wl) { + foreach my $item (@{$wl{$t}}) { +# ::rptMsg(" $item"); + } + } +# ::rptMsg(""); +# Disabled the check of the Notify subkeys for winlogon_tln.pl as, at this +# point, I don't have any real alerts for those subkeys +# \checkNotifySubkey($key); + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { +# ::rptMsg($key_path." not found."); +# ::rptMsg(""); + } + + } +# ::rptMsg("Analysis Tips: The UserInit and Shell values are executed when a user logs on\."); +# ::rptMsg("The UserInit value should contain a reference to userinit.exe; the Shell value"); +# ::rptMsg("should contain just 'explorer.exe'\. 
Check TaskMan & System values, if found\."); +# ::rptMsg(""); + +# SpecialAccounts/UserList functionality added 20130411 + my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my %apps; + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { +# ::rptMsg(sprintf "%-20s 0x%x",$v->get_name(),$v->get_data()); + } + } + else { +# ::rptMsg($key_path." has no subkeys."); + } + } + else { +# ::rptMsg($key_path." not found."); + } +} + +sub checkNotifySubkey { + my $key = shift; + my $notify; + if ($notify = $key->get_subkey("Notify")) { +# ::rptMsg("Notify subkey contents:"); + my @sk = $notify->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $s (@sk) { + my $name = $s->get_name(); +# added 20130425 +# ::alertMsg("winlogon: Notify subkey: possible Troj_Tracor infection\.") if ($name =~ m/^f0bd/); + my $lw = $s->get_timestamp(); +# ::rptMsg(" ".$name." - ".gmtime($lw)); + my $dllname; + eval { + $dllname = $s->get_value("DLLName")->get_data(); +# ::rptMsg(" DLLName: ".$dllname); + }; +# ::rptMsg(""); + } + } + else { +# ::rptMsg("Notify subkey has no subkeys."); + } + } + else { +# ::rptMsg("Notify subkey not found\."); + } +# ::rptMsg(""); +} + +sub _translateBinary { + my $str = unpack("H*",$_[0]); + my $len = length($str); + my @nstr = split(//,$str,$len); + my @list = (); + foreach (0..($len/2)) { + push(@list,$nstr[$_*2].$nstr[($_*2)+1]); + } + return join(' ',@list); +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/winlogon_u.pl b/RecentActivity/release/rr-full/plugins/winlogon_u.pl new file mode 100755 index 0000000000..b85c357971 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/winlogon_u.pl 
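Review bot: A TLN plugin should emit only timeline-formatted lines, but the SpecialAccounts\UserList block near the end of pluginmain still calls `::rptMsg($key_path)`, the LastWrite `::rptMsg(...)` and `::rptMsg("")`, and the `has no values.` branch inside the Winlogon loop is also live, so this plugin mixes report text into the timeline output while every neighbouring call is commented out. Either comment those out like the rest or, more usefully, turn the UserList entries into alerts in the format the file already uses, e.g. `::alertMsg($key->get_timestamp()."|ALERT|||".$key_path." ".$v->get_name()." = ".$v->get_data());` in the inner foreach. The file also carries a large amount of commented-out code, an unused `%apps`, a `%wl` hash that is built and sorted but never printed, and an unused checkNotifySubkey whose body is almost entirely comments; removing them would leave the alert logic, which is all this plugin does, readable at a glance.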
@@ -0,0 +1,108 @@ +#----------------------------------------------------------- +# winlogon_u +# Get values from user's WinLogon key +# +# Change History: +# 20130425 - added alertMsg() functionality +# 20130410 - added Wow6432Node support +# 20130328 - updated with ThreatExpert info +# 20091021 - created +# +# References: +# http://support.microsoft.com/kb/119941 +# http://www.threatexpert.com/report.aspx?md5=c463f9829bc79e0bb7296e1396ce4e01 +# +# copyright 2013 QAR,LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package winlogon_u; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20130425); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get values from the user's WinLogon key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching winlogon_u v.".$VERSION); + ::rptMsg("winlogon_u v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my @paths = ("Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", + "Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"); + + foreach my $key_path (@paths) { + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my %wl; + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); +# checks added 20130425 + ::alertMsg("ALERT: winlogon_u: ".$key_path." 
RunGrpConv value found: ".$data) if ($name eq "RunGrpConv"); + if ($name =~ m/^[Ss]hell/) { + ::alertMsg("ALERT: winlogon_u: ".$key_path." Shell value not explorer\.exe: ".$data) unless ($data eq "explorer\.exe"); + } + my $len = length($data); + next if ($name eq ""); + if ($v->get_type() == 3) { + $data = _translateBinary($data); + } + push(@{$wl{$len}},$name." = ".$data); + } + + foreach my $t (sort {$a <=> $b} keys %wl) { + foreach my $item (@{$wl{$t}}) { + ::rptMsg(" $item"); + } + } + + ::rptMsg(""); + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } + } + ::rptMsg("Analysis Tip: Existence of RunGrpConv = 1 value may indicate that the"); + ::rptMsg(" system had been infected with Bredolab (Symantec)\. Also, check the"); + ::rptMsg(" contents of a \"shell\" value - should only include Explorer\.exe, if"); + ::rptMsg(" it exists\."); +} + +sub _translateBinary { + my $str = unpack("H*",$_[0]); + my $len = length($str); + my @nstr = split(//,$str,$len); + my @list = (); + foreach (0..($len/2)) { + push(@list,$nstr[$_*2].$nstr[($_*2)+1]); + } + return join(' ',@list); +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/winnt_cv.pl b/RecentActivity/release/rr-full/plugins/winnt_cv.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/winnt_cv.pl rename to RecentActivity/release/rr-full/plugins/winnt_cv.pl index 537ced5ca8..3c8e1016d5 --- a/thirdparty/rr/plugins/winnt_cv.pl +++ b/RecentActivity/release/rr-full/plugins/winnt_cv.pl 
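Review bot: The RunGrpConv and Shell alerts are built from `$data` before the REG_BINARY translation a few lines below, so a binary-typed value puts raw bytes into the alert text; move the `if ($v->get_type() == 3) { $data = _translateBinary($data); }` step ahead of the alert block so alerts and report lines show the same rendering (the same ordering exists in winlogon.pl and winlogon_tln.pl). The Analysis Tip speaks of `RunGrpConv = 1` while the alert fires on any RunGrpConv value, so either word the tip as "any RunGrpConv value" or state that the reported data should be checked against 1.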
@@ -1,87 +1,89 @@ -#----------------------------------------------------------- -# winnt_cv.pl -# Get and display the contents of the Windows\CurrentVersion key -# Output sorted based on length of data -# -# Change History: -# 20080609: added translation of InstallDate time -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winnt_cv; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080609); - -sub getConfig{return %config} -sub getShortDescr { - return "Get & display the contents of the Windows NT\\CurrentVersion key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winnt_cv v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("WinNT_CV"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my %cv; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - $data = gmtime($data)." (UTC)" if ($name eq "InstallDate"); - my $len = length($data); - next if ($name eq ""); - if ($v->get_type() == 3) { - $data = _translateBinary($data); - } - push(@{$cv{$len}},$name." : ".$data); - } - foreach my $t (sort {$a <=> $b} keys %cv) { - foreach my $item (@{$cv{$t}}) { - ::rptMsg(" $item"); - } - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values"); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} +#----------------------------------------------------------- +# winnt_cv.pl +# Get and display the contents of the Windows\CurrentVersion key +# Output sorted based on length of data +# +# Change History: +# 20080609: added translation of InstallDate time +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package winnt_cv; +use strict; + +my %config = (hive => "Software", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080609); + +sub getConfig{return %config} +sub getShortDescr { + return "Get & display the contents of the Windows NT\\CurrentVersion key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching winnt_cv v.".$VERSION); + ::rptMsg("winnt_cv v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Microsoft\\Windows NT\\CurrentVersion"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("WinNT_CV"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + my %cv; + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + my $name = $v->get_name(); + my $data = $v->get_data(); + $data = gmtime($data)." (UTC)" if ($name eq "InstallDate"); + my $len = length($data); + next if ($name eq ""); + if ($v->get_type() == 3) { + $data = _translateBinary($data); + } + push(@{$cv{$len}},$name." 
: ".$data); + } + foreach my $t (sort {$a <=> $b} keys %cv) { + foreach my $item (@{$cv{$t}}) { + ::rptMsg(" $item"); + } + } + } + else { + ::rptMsg($key_path." has no values."); + ::logMsg($key_path." has no values"); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} + + +sub _translateBinary { + my $str = unpack("H*",$_[0]); + my $len = length($str); + my @nstr = split(//,$str,$len); + my @list = (); + foreach (0..($len/2)) { + push(@list,$nstr[$_*2].$nstr[($_*2)+1]); + } + return join(' ',@list); +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/winrar.pl b/RecentActivity/release/rr-full/plugins/winrar.pl old mode 100644 new mode 100755 similarity index 87% rename from thirdparty/rr/plugins/winrar.pl rename to RecentActivity/release/rr-full/plugins/winrar.pl index f66f06ff65..e44be05b45 --- a/thirdparty/rr/plugins/winrar.pl +++ b/RecentActivity/release/rr-full/plugins/winrar.pl 
@@ -1,66 +1,72 @@ -#----------------------------------------------------------- -# winrar.pl -# Get WinRAR\ArcHistory entries -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winrar; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080819); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get WinRAR\\ArcHistory entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winrar v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\WinRAR\\ArcHistory"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("WinRAR"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my %arc; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - $arc{$v->get_name()} = $v->get_data(); - } - - foreach (sort keys %arc) { - ::rptMsg($_." -> ".$arc{$_}); - } - - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} +#----------------------------------------------------------- +# winrar.pl +# Get WinRAR\ArcHistory entries +# +# History +# 20080819 - created +# +# +# copyright 2008 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package winrar; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20080819); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get WinRAR\\ArcHistory entries"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching winrar v.".$VERSION); + ::rptMsg("winrar v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\WinRAR\\ArcHistory"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("WinRAR"); + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + my %arc; + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + foreach my $v (@vals) { + $arc{$v->get_name()} = $v->get_data(); + } + + foreach (sort keys %arc) { + ::rptMsg($_." -> ".$arc{$_}); + } + + } + else { + ::rptMsg($key_path." has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/winrar_tln.pl b/RecentActivity/release/rr-full/plugins/winrar_tln.pl new file mode 100755 index 0000000000..448e486f3f --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/winrar_tln.pl 
@@ -0,0 +1,66 @@ +#----------------------------------------------------------- +# winrar_tln.pl +# Get WinRAR\ArcHistory entries +# +# History +# 20120829 - updated to TLN +# 20080819 - created (winrar.pl) +# +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package winrar_tln; +use strict; + +my %config = (hive => "NTUSER\.DAT", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120829); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get WinRAR\\ArcHistory entries (TLN)"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching winrar v.".$VERSION); + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\WinRAR\\ArcHistory"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("WinRAR"); +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); +# ::rptMsg(""); + my $lw = $key->get_timestamp(); + my %arc; + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my $last; + eval { + $last = $key->get_value("0")->get_data(); + ::rptMsg($lw."|REG|||WinRAR/ArcHistory - ".$last); + }; + } + else { +# ::rptMsg($key_path." has no values."); + } + } + else { +# ::rptMsg($key_path." not found."); + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/winscp_sessions.pl b/RecentActivity/release/rr-full/plugins/winscp_sessions.pl new file mode 100755 index 0000000000..e923bed4d1 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/winscp_sessions.pl 
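Review bot: The launch message in pluginmain still names the parent plugin, `::logMsg("Launching winrar v.".$VERSION);`, so log lines from winrar_tln cannot be told apart from winrar's; it should read `::logMsg("Launching winrar_tln v.".$VERSION);`. The `eval { ... }` around `$key->get_value("0")->get_data()` swallows the error when no "0" value exists, and the emptied `else` branches log nothing, so a hive where ArcHistory is present but has no "0" entry produces neither a TLN line nor a diagnostic; checking `$@` after the eval and calling `::logMsg($key_path." value 0 not found.");` keeps that silence from looking like a clean result. `$lw` is the key's LastWrite time rather than the time entry 0 was added, which deserves a comment on the `::rptMsg($lw."|REG|||...` line: `# timestamp is the ArcHistory key LastWrite, not when entry 0 was written`.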
@@ -0,0 +1,125 @@ +# winscp_sessions.pl +# +# RegRipper module to extract saved session data from NTUSER.DAT +# Software\Martin Prikryl\WinSCP 2\Sessions key. Password decoding +# algorithm adapted from Metasploit's winscp.rb module, originally +# written by TheLightCosine (http://cosine-security.blogspot.com) +# +# Change History +# 04/02/2013 Added rptMsg for key not found errors by Corey Harrell +# +# RegRipper module author Hal Pomeranz + +package winscp_sessions; + +use strict; + +my %config = ('hive' => 'NTUSER.DAT', + 'hasShortDescr' => 1, + 'hasDescr' => 0, + 'hasRefs' => 0, + 'osmask' => 22, + 'version' => '20120809'); + +sub getConfig { return(%config); } +sub getShortDescr { return('Extracts WinSCP stored session data'); } +sub getDescr {} +sub getRefs {} +sub getHive { return($config{'hive'}); } +sub getVersion { return($config{'version'}); } + +my $VERSION = $config{'version'}; + +sub pluginmain { + my($class, $hive) = @_; + my($reg, $root, $key) = (); + + ::logMsg("Launching winscp_sessions v.$VERSION\n"); + ::rptMsg("winscp_sessions v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + unless ($reg = Parse::Win32Registry->new($hive)) { + ::logMsg("Failed to open $hive: $!"); + return(); + } + unless ($root = $reg->get_root_key()) { + ::logMsg("Failed to get root key from $hive: $!"); + ::rptMsg("Failed to get root key from $hive: $!"); # line added on 04/02/2013 + return(); + } + + unless ($key = $root->get_subkey('Software\Martin Prikryl\WinSCP 2\Sessions')) { + ::logMsg('"Software\Martin Prikryl\WinSCP 2\Sessions" does not exist'); + ::rptMsg('"Software\Martin Prikryl\WinSCP 2\Sessions" does not exist'); # line added on 04/02/2013 + return(); + } + + my %sessions = (); + my @subkeys = $key->get_list_of_subkeys(); + foreach my $sk (@subkeys) { + my $session_name = $sk->get_name(); + my $epoch = $sk->get_timestamp(); + + my $host = $sk->get_value_data('HostName'); + my $user = $sk->get_value_data('Username'); + my 
$enc_pass = $sk->get_value_data('PASSWORD'); + my $dec_pass = undef; + if (length($enc_pass)) { + $dec_pass = decrypt_password($enc_pass, $user . $host); + } + + $sessions{$session_name} = { + 'last_update' => $epoch, + 'host' => $host, + 'user' => $user, + 'password' => $dec_pass + }; + } + + foreach my $session_name ( + sort { $sessions{$a}{'last_update'} <=> $sessions{$b}{'last_update'} || + $a cmp $b } keys(%sessions)) { + + my $header = sprintf("%-35s Last Updated: %s UTC", $session_name, scalar(gmtime($sessions{$session_name}{'last_update'}))); + + ::rptMsg("$header"); + ::rptMsg(" Host: $sessions{$session_name}{'host'}"); + ::rptMsg(" User: $sessions{$session_name}{'user'}"); + ::rptMsg(" Password: $sessions{$session_name}{'password'}\n"); + } +} + + +# This code adapted from TheLightCosine's winscp.rb Metasploit module +# +sub decrypt_password { + my($enc, $prefix) = @_; + + my $user_host_encoded = 0; + + my $length = decode_chars(substr($enc, 0, 2, undef)); + if ($length == 0xFF) { + $user_host_encoded = 1; + $enc = substr($enc, 2); + $length = decode_chars(substr($enc, 0, 2, undef)); + } + + my $skip_len = decode_chars(substr($enc, 0, 2, undef)) * 2; + $enc = substr($enc, $skip_len); + + my $dec = ''; + for (my $i = 0; $i < $length; $i++) { + last if (length($enc) < 2); + $dec .= chr(decode_chars(substr($enc, 0, 2, undef))); + } + + $dec = substr($dec, length($prefix)) if ($user_host_encoded); + return($dec); +} + +sub decode_chars { + my($hex) = @_; + + return((hex($hex) ^ 0xA3) ^ 0xFF); +} + +1; diff --git a/thirdparty/rr/plugins/winver.pl b/RecentActivity/release/rr-full/plugins/winver.pl old mode 100644 new mode 100755 similarity index 90% rename from thirdparty/rr/plugins/winver.pl rename to RecentActivity/release/rr-full/plugins/winver.pl index d59262e596..2f042253be --- a/thirdparty/rr/plugins/winver.pl +++ b/RecentActivity/release/rr-full/plugins/winver.pl 
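Review bot: `decode_chars` hands whatever two characters it is given straight to `hex()`, so a PASSWORD value that is not a hex string (a different WinSCP storage format or a damaged hive) silently decodes to 0 per pair and the report shows a plausible-looking but meaningless password; a guard at the top of decrypt_password, `return(undef) unless (defined($enc) && $enc =~ /^[0-9A-Fa-f]+$/);`, would make such sessions print an empty Password line instead. The `last if (length($enc) < 2);` exit has the same effect in the other direction — a value shorter than its own length byte claims is reported truncated with no indication, so a `::logMsg` there would help an examiner. A short comment above `sub decrypt_password` describing the layout the code assumes (flag byte, optional dummy byte, length byte, skip count, then the XOR-obfuscated characters) would also make the substr sequence reviewable without opening the Metasploit source.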
@@ -1,107 +1,109 @@ -#----------------------------------------------------------- -# winver.pl -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winver; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081210); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get Windows version"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winver v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("{name}"); -# ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - - my $prod; - eval { - $prod = $key->get_value("ProductName")->get_data(); - }; - if ($@) { -# ::rptMsg("ProductName value not found."); - } - else { - ::rptMsg("ProductName = ".$prod); - } - - my $csd; - eval { - $csd = $key->get_value("CSDVersion")->get_data(); - }; - if ($@) { -# ::rptMsg("CSDVersion value not found."); - } - else { - ::rptMsg("CSDVersion = ".$csd); - } - - - my $build; - eval { - $build = $key->get_value("BuildName")->get_data(); - }; - if ($@) { -# ::rptMsg("BuildName value not found."); - } - else { - ::rptMsg("BuildName = ".$build); - } - - my $buildex; - eval { - $buildex = $key->get_value("BuildNameEx")->get_data(); - }; - if ($@) { -# ::rptMsg("BuildName value not found."); - } - else { - ::rptMsg("BuildNameEx = ".$buildex); - } - - - my $install; - eval { - $install = $key->get_value("InstallDate")->get_data(); - }; - if ($@) { -# ::rptMsg("InstallDate value not found."); - } - else { - ::rptMsg("InstallDate = ".gmtime($install)); - } - - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} +#----------------------------------------------------------- +# winver.pl +# +# copyright 2008-2009 H. 
Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package winver; +use strict; + +my %config = (hive => "Software", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20081210); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get Windows version"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching winver v.".$VERSION); + ::rptMsg("winver v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + my $key_path = "Microsoft\\Windows NT\\CurrentVersion"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { +# ::rptMsg("{name}"); +# ::rptMsg($key_path); +# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); + + my $prod; + eval { + $prod = $key->get_value("ProductName")->get_data(); + }; + if ($@) { +# ::rptMsg("ProductName value not found."); + } + else { + ::rptMsg("ProductName = ".$prod); + } + + my $csd; + eval { + $csd = $key->get_value("CSDVersion")->get_data(); + }; + if ($@) { +# ::rptMsg("CSDVersion value not found."); + } + else { + ::rptMsg("CSDVersion = ".$csd); + } + + + my $build; + eval { + $build = $key->get_value("BuildName")->get_data(); + }; + if ($@) { +# ::rptMsg("BuildName value not found."); + } + else { + ::rptMsg("BuildName = ".$build); + } + + my $buildex; + eval { + $buildex = $key->get_value("BuildNameEx")->get_data(); + }; + if ($@) { +# ::rptMsg("BuildName value not found."); + } + else { + ::rptMsg("BuildNameEx = ".$buildex); + } + + + my $install; + eval { + $install = $key->get_value("InstallDate")->get_data(); + }; + if ($@) { +# ::rptMsg("InstallDate value not found."); + } + else { + ::rptMsg("InstallDate = ".gmtime($install)); + } + + + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + +} 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/winvnc.pl b/RecentActivity/release/rr-full/plugins/winvnc.pl new file mode 100755 index 0000000000..85b0b2842d --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/winvnc.pl 
@@ -0,0 +1,122 @@ +#----------------------------------------------------------- +# winvnc.pl +# Extracts the encrypted password for WinVNC +# +# Change History +# 20110205 [bco] * bug fix, password output now in hex format +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# copyright (c) 2011-02-02 Brendan Coles +#----------------------------------------------------------- +# Require # +package winvnc; +use strict; + +# Declarations # +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20110202); +my $VERSION = getVersion(); + +# Functions # +sub getDescr {} +sub getConfig {return %config} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} +sub getShortDescr { + return "Extracts the encrypted password for WinVNC."; +} +sub getRefs { + my %refs = ("WinVNC Homepage:" => + "http://www.realvnc.com/"); + return %refs; +} + +############################################################ +# pluginmain # +############################################################ +sub pluginmain { + + # Declarations # + my $class = shift; + my $hive = shift; + my @interesting_paths = ( + 'Software\\ORL\\WinVNC3', + 'Software\\ORL\\WinVNC3\\Default', + 'Software\\ORL\\WinVNC\\Default', + 'Software\\RealVNC\\WinVNC4', + 'Software\\RealVNC\\Default' + ); + my @interesting_keys = ( + "Password", + "PasswordViewOnly" + ); + + # Initialize # + ::logMsg("Launching winvnc v.".$VERSION); + ::rptMsg("winvnc v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + + # Extract # possible registry paths + foreach my $key_path (@interesting_paths) { + + # If # WinVNC path exists # + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + # Return # plugin name, registry key and last modified date # + ::rptMsg("WinVNC"); + 
::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + ::rptMsg(""); + + # Extract # all keys from winvnc registry path # + my %keys; + my @vals = $key->get_list_of_values(); + + # If # registry keys exist in path # + if (scalar(@vals) > 0) { + + # Extract # all key names+values for winvnc registry path # + foreach my $v (@vals) { + $keys{$v->get_name()} = $v->get_data(); + } + + # Return # all key names+values for interesting keys # + foreach my $var (@interesting_keys) { + if (exists $keys{$var}) { + my $hstring = unpack ("H*",$keys{$var}); + ::rptMsg($var." -> ".$hstring); + } + } + + # Return # obligatory new-line # + ::rptMsg(""); + + # Error # key value is null # + } else { + ::rptMsg($key_path." has no values."); + } + + # Error # WinVNC isn't here, try another castle # + } else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } + + } + + # Return # obligatory new-line # + ::rptMsg(""); +} + +# Error # oh snap! # +1; diff --git a/thirdparty/rr/plugins/winzip.pl b/RecentActivity/release/rr-full/plugins/winzip.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/winzip.pl rename to RecentActivity/release/rr-full/plugins/winzip.pl index 7fa815250b..d0d00c5452 --- a/thirdparty/rr/plugins/winzip.pl +++ b/RecentActivity/release/rr-full/plugins/winzip.pl 
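Review bot: `%config` restricts this plugin to `hive => "NTUSER\.DAT"`, yet the relative paths in `@interesting_paths` are, as far as I recall, the same ones WinVNC writes under HKLM when installed as a service, so service-mode installs recorded in the Software hive are never examined; either state that limitation in the header comment or allow the Software hive as well. The closing comment `# Error # oh snap! #` above `1;` is misleading — that line is the module's true return value, not an error path — and should read `# Module return value #`. The `Password` and `PasswordViewOnly` values are emitted as raw hex via `unpack("H*", ...)`, which matches the "encrypted password" wording in getShortDescr; a one-line comment above that unpack saying the value is reported exactly as stored, undecoded, saves the next reader a check.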
@@ -1,89 +1,91 @@ -#----------------------------------------------------------- -# WinZip -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winzip; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080325); - -sub getConfig{return %config} -sub getShortDescr { - return "Get WinZip extract and filemenu values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching WinZip v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Nico Mak Computing\\WinZip"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("WinZip"); - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - my %sk; - foreach my $s (@subkeys) { - $sk{$s->get_name()} = $s; - } - - if (exists $sk{'extract'}) { - my $tag = "extract"; - ::rptMsg($key_path."\\extract [".gmtime($sk{'extract'}->get_timestamp)."]"); - my @vals = $sk{'extract'}->get_list_of_values(); - my %ext; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $num = $name; - $num =~ s/^$tag//; - $ext{$num} = $v->get_data(); - } - foreach my $e (sort {$a <=> $b} keys %ext) { - ::rptMsg(" extract".$e." -> ".$ext{$e}); - } - ::rptMsg(""); - } - else { - ::rptMsg("extract key not found."); - } - - if (exists $sk{'filemenu'}) { - my $tag = "filemenu"; - ::rptMsg($key_path."\\filemenu [".gmtime($sk{'extract'}->get_timestamp)."]"); - my @vals = $sk{'filemenu'}->get_list_of_values(); - my %ext; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $num = $name; - $num =~ s/^$tag//; - $ext{$num} = $v->get_data(); - } - foreach my $e (sort {$a <=> $b} keys %ext) { - ::rptMsg(" filemenu".$e." 
-> ".$ext{$e}); - } - } - else { - ::rptMsg("filemenu key not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} +#----------------------------------------------------------- +# WinZip +# +# copyright 2008 H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package winzip; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20080325); + +sub getConfig{return %config} +sub getShortDescr { + return "Get WinZip extract and filemenu values"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching WinZip v.".$VERSION); + ::rptMsg("winzip v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + my $key_path = "Software\\Nico Mak Computing\\WinZip"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg("WinZip"); + ::rptMsg($key_path); + ::rptMsg(""); + my @subkeys = $key->get_list_of_subkeys(); + my %sk; + foreach my $s (@subkeys) { + $sk{$s->get_name()} = $s; + } + + if (exists $sk{'extract'}) { + my $tag = "extract"; + ::rptMsg($key_path."\\extract [".gmtime($sk{'extract'}->get_timestamp)."]"); + my @vals = $sk{'extract'}->get_list_of_values(); + my %ext; + foreach my $v (@vals) { + my $name = $v->get_name(); + my $num = $name; + $num =~ s/^$tag//; + $ext{$num} = $v->get_data(); + } + foreach my $e (sort {$a <=> $b} keys %ext) { + ::rptMsg(" extract".$e." 
-> ".$ext{$e}); + } + ::rptMsg(""); + } + else { + ::rptMsg("extract key not found."); + } + + if (exists $sk{'filemenu'}) { + my $tag = "filemenu"; + ::rptMsg($key_path."\\filemenu [".gmtime($sk{'extract'}->get_timestamp)."]"); + my @vals = $sk{'filemenu'}->get_list_of_values(); + my %ext; + foreach my $v (@vals) { + my $name = $v->get_name(); + my $num = $name; + $num =~ s/^$tag//; + $ext{$num} = $v->get_data(); + } + foreach my $e (sort {$a <=> $b} keys %ext) { + ::rptMsg(" filemenu".$e." -> ".$ext{$e}); + } + } + else { + ::rptMsg("filemenu key not found."); + } + } + else { + ::rptMsg($key_path." not found."); + ::logMsg($key_path." not found."); + } +} 1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/wordwheelquery.pl b/RecentActivity/release/rr-full/plugins/wordwheelquery.pl old mode 100644 new mode 100755 similarity index 91% rename from thirdparty/rr/plugins/wordwheelquery.pl rename to RecentActivity/release/rr-full/plugins/wordwheelquery.pl index 10a2eba1cf..f307100d86 --- a/thirdparty/rr/plugins/wordwheelquery.pl +++ b/RecentActivity/release/rr-full/plugins/wordwheelquery.pl 
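Review bot: The filemenu header line reuses the extract subkey's timestamp — `::rptMsg($key_path."\\filemenu [".gmtime($sk{'extract'}->get_timestamp)."]");` — so the LastWrite shown for filemenu is wrong whenever the two subkeys were modified at different times; it should be `::rptMsg($key_path."\\filemenu [".gmtime($sk{'filemenu'}->get_timestamp)."]");`. Both header lines also print gmtime() without the " (UTC)" suffix the other plugins in this commit attach, which matters once the report is merged into a timeline. The hunk otherwise only adds the two banner lines to pluginmain.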
@@ -1,79 +1,81 @@ -#----------------------------------------------------------- -# wordwheelquery.pl -# For Windows 7 -# -# Change history -# 20100330 - created -# -# References -# http://www.winhelponline.com/blog/clear-file-search-mru-history-windows-7/ -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package wordwheelquery; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100330); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's WordWheelQuery key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching wordwheelquery v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my @list; - my %wwq; - foreach my $v (@vals) { - my $name = $v->get_name(); - if ($name eq "MRUListEx") { - @list = unpack("V*",$v->get_data()); - pop(@list) if ($list[scalar(@list) - 1] == 0xffffffff); - } - else { - my $data = $v->get_data(); - $data =~ s/\00//g; - $wwq{$name} = $data; - } - } -# list searches in MRUListEx order - ::rptMsg(""); - ::rptMsg("Searches listed in MRUListEx order"); - ::rptMsg(""); - foreach my $l (@list) { - ::rptMsg(sprintf "%-4d %-30s",$l,$wwq{$l}); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - +#----------------------------------------------------------- +# wordwheelquery.pl +# For Windows 7 +# +# Change history +# 20100330 - created +# +# References +# http://www.winhelponline.com/blog/clear-file-search-mru-history-windows-7/ +# +# copyright 2010 Quantum Analytics Research, LLC +#----------------------------------------------------------- +package wordwheelquery; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 22, + version => 20100330); + +sub getConfig{return %config} +sub getShortDescr { + return "Gets contents of user's WordWheelQuery key"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg("Launching wordwheelquery v.".$VERSION); + ::rptMsg("wordwheelquery v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + my $reg = Parse::Win32Registry->new($ntuser); + my $root_key = $reg->get_root_key; + + my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); + my @vals = $key->get_list_of_values(); + if (scalar(@vals) > 0) { + my @list; + my %wwq; + foreach my $v (@vals) { + my $name = $v->get_name(); + if ($name eq "MRUListEx") { + @list = unpack("V*",$v->get_data()); + pop(@list) if ($list[scalar(@list) - 1] == 0xffffffff); + } + else { + my $data = $v->get_data(); + $data =~ s/\00//g; + $wwq{$name} = $data; + } + } +# list searches in MRUListEx order + ::rptMsg(""); + ::rptMsg("Searches listed in MRUListEx order"); + ::rptMsg(""); + foreach my $l (@list) { + ::rptMsg(sprintf "%-4d %-30s",$l,$wwq{$l}); + } + } + else { + ::rptMsg($key_path." 
has no values."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} + 1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/wpdbusenum.pl b/RecentActivity/release/rr-full/plugins/wpdbusenum.pl new file mode 100755 index 0000000000..3e2ba31f54 --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/wpdbusenum.pl 
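Review bot: `$data =~ s/\00//g;` strips every NUL byte from the value, which only works when the stored search term is plain ASCII; the values appear to be UTF-16LE strings (the NULs being the high bytes), so any term containing non-ASCII characters is mangled in the report. Decoding explicitly, `$data = Encode::decode('UTF-16LE', $data); $data =~ s/\0+$//;` (Encode is core Perl; `use Encode;` is needed at the top), preserves the text and only trims the terminator. In the MRUListEx loop an index with no matching value prints a blank name through `sprintf "%-4d %-30s"`, so `next unless exists $wwq{$l};` or a placeholder string would make such a gap visible rather than silent.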
@@ -0,0 +1,135 @@ +#----------------------------------------------------------- +# wpdbusenum +# Gets contents of Enum\WpdBusEnumRoot keys +# +# +# History: +# 20120523 - Added support for a DeviceClasses subkey that includes +# "WpdBusEnum" in the names; from MarkW and ColinC +# 20120410 - created +# +# copyright 2012 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +#----------------------------------------------------------- +package wpdbusenum; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20120523); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get WpdBusEnumRoot subkey info"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); +my $reg; + +sub pluginmain { + my $class = shift; + my $hive = shift; + ::logMsg("Launching wpdbusenum v.".$VERSION); + ::rptMsg("wpdbusenum v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner + $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $ccs; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + $ccs = "ControlSet00".$current; + } + else { + ::rptMsg($key_path." not found."); + return; + } + + my $key_path = $ccs."\\Enum\\WpdBusEnumRoot"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $dev_class = $s->get_name(); + my @sk = $s->get_list_of_subkeys(); + if (scalar(@sk) > 0) { + foreach my $k (@sk) { + my $serial = $k->get_name(); + my ($dev,$sn) = (split(/#/,$k->get_name(),5))[3,4]; + $sn =~ s/#$//; + ::rptMsg($dev." 
(".$sn.")"); + + my $sn_lw = $k->get_timestamp(); + ::rptMsg(" LastWrite: ".gmtime($sn_lw)); + + eval { + ::rptMsg("DeviceDesc: ".$k->get_value("DeviceDesc")->get_data()); + }; + + eval { + ::rptMsg("Friendly: ".$k->get_value("FriendlyName")->get_data()); + }; + + eval { + ::rptMsg("Mfg: ".$k->get_value("Mfg")->get_data()); + }; + ::rptMsg(""); + } + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } + +# Added on 20120523, based on a tweet from Mark Woan while he was attending +# CEIC2012; he attributes this to ColinC. Googling for this key, I found a +# number of references to USBOblivion, a tool described as being able to wipe +# out (all) indications of USB removable storage devices being connected to +# the system. + my $key_path = $ccs."\\Control\\DeviceClasses\\{10497b1b-ba51-44e5-8318-a65c837b6661}"; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg($key_path); + my @subkeys = $key->get_list_of_subkeys(); + if (scalar(@subkeys) > 0) { + foreach my $s (@subkeys) { + my $name = $s->get_name(); + my $lw = $s->get_timestamp(); + + my (@n) = split(/#/,$name); + + if ($n[3] eq "WpdBusEnumRoot") { + ::rptMsg($n[8]."\\".$n[9]); + ::rptMsg("LastWrite: ".gmtime($lw)); + ::rptMsg(""); + } + } + } + else { + ::rptMsg($key_path." has no subkeys."); + } + } + else { + ::rptMsg($key_path." not found."); + } +} +1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/xpedition.pl b/RecentActivity/release/rr-full/plugins/xpedition.pl old mode 100644 new mode 100755 similarity index 77% rename from thirdparty/rr/plugins/xpedition.pl rename to RecentActivity/release/rr-full/plugins/xpedition.pl index f3a5d35914..3f89d07fdf --- a/thirdparty/rr/plugins/xpedition.pl +++ b/RecentActivity/release/rr-full/plugins/xpedition.pl 
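Review bot: The control-set lookup reads `$key->get_value("Current")->get_data()` without the eval guard the rest of the file uses for value reads, so a Select key lacking a Current value aborts the whole plugin with a die instead of a report line; wrapping it in `eval` and returning after a `::rptMsg` keeps the failure local. `$ccs = "ControlSet00".$current;` also assumes a single-digit control set number — `$ccs = sprintf("ControlSet%03d", $current);` is the safer form. `my $key_path` and `my $key` are redeclared three times in the same scope, which `use strict` permits but which would trigger "masks earlier declaration" under `use warnings`; declaring them once and reassigning avoids it. In the device loop `(split(/#/,$k->get_name(),5))[3,4]` yields undef for names with fewer segments and `$sn =~ s/#$//;` then operates on undef, so the subkey-name format the split expects deserves a comment with an example above that line.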
@@ -1,60 +1,67 @@ -#----------------------------------------------------------- -# xpedition.pl -# Determine the edition of XP (MediaCenter, TabletPC) -# -# History -# -# References -# http://windowsitpro.com/article/articleid/94531/ -# how-can-a-script-determine-if-windows-xp-tablet-pc-edition-is-installed.html -# http://unasked.com/question/view/id/119610 -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package xpedition; -use strict; -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090727); - -sub getConfig{return %config} -sub getShortDescr { - return "Queries System hive for XP Edition info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my $key; - my $edition = 0; - - ::logMsg("Launching xpedition v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - ::rptMsg("xpedition v.".$VERSION); - eval { - $key = $root_key->get_subkey("WPA\\MediaCenter")->get_value("Installed")->get_data(); - if ($key == 1) { - ::rptMsg("MediaCenter Edition"); - $edition = 1; - } - }; - - eval { - $key = $root_key->get_subkey("WPA\\TabletPC")->get_value("Installed")->get_data(); - if ($key == 1) { - ::rptMsg("TabletPC Edition"); - $edition = 1; - } - }; -} +#----------------------------------------------------------- +# xpedition.pl +# Determine the edition of XP (MediaCenter, TabletPC) +# +# History +# 20120722 - updated the %config hash +# 20090727 - created +# +# References +# http://windowsitpro.com/article/articleid/94531/ +# how-can-a-script-determine-if-windows-xp-tablet-pc-edition-is-installed.html +# http://unasked.com/question/view/id/119610 +# +# copyright 2009 H. 
Carvey +#----------------------------------------------------------- +package xpedition; +use strict; +my %config = (hive => "System", + hivemask => 4, + output => "report", + category => "", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + osmask => 1, + version => 20120722); + +sub getConfig{return %config} +sub getShortDescr { + return "Queries System hive for XP Edition info"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + my $key; + my $edition = 0; + + ::logMsg("Launching xpedition v.".$VERSION); + ::rptMsg("xpedition v.".$VERSION); # banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + ::rptMsg("xpedition v.".$VERSION); + eval { + $key = $root_key->get_subkey("WPA\\MediaCenter")->get_value("Installed")->get_data(); + if ($key == 1) { + ::rptMsg("MediaCenter Edition"); + $edition = 1; + } + }; + + eval { + $key = $root_key->get_subkey("WPA\\TabletPC")->get_value("Installed")->get_data(); + if ($key == 1) { + ::rptMsg("TabletPC Edition"); + $edition = 1; + } + }; +} 1 \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/yahoo_cu.pl b/RecentActivity/release/rr-full/plugins/yahoo_cu.pl new file mode 100755 index 0000000000..0eeabe497d --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/yahoo_cu.pl 
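Review bot: pluginmain now prints the banner twice — the added `::rptMsg("xpedition v.".$VERSION); # banner` and the pre-existing `::rptMsg("xpedition v.".$VERSION);` after the `get_root_key` call — so the report shows the plugin name on consecutive lines; the older line should be dropped. `$edition` is set by both eval blocks but never read, so when neither WPA\MediaCenter nor WPA\TabletPC reports Installed == 1 the plugin emits nothing after the banner; a final `::rptMsg("No MediaCenter or TabletPC edition indicators found.") unless ($edition);` makes an empty result explicit. The file still ends with a bare `1` rather than `1;`, which works only because it is the last statement.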
@@ -0,0 +1,349 @@ +#----------------------------------------------------------- +# yahoo_cu.pl +# Yahoo Messenger parser (HKCU) +# +# Change history +# 20101219 [fpi] % created +# 20101219 [fpi] % first version +# 20101221 [fpi] * added refences, minor changes +# 20110830 [fpi] + banner, no change to the version number +# +# References +# Registry Quick Find Chart - AccessData +# Bruce Long Internet Forensics - Yahoo Instant Messenger +# http://www.xssed.com/article/14/Paper_In-Depth_Analysis_of_Yahoo_Authentication_Schemes/ +# +# +# NOTE: missing to manage the following +# - IMVironments (global and user) +# - user\Cache (missing informations about it) +# - user\Chat +# +# copyright 2011 F. Picasso +#----------------------------------------------------------- +package yahoo_cu; +use strict; + +my %config = (hive => "NTUSER\.DAT", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20101219); + +sub getConfig{return %config} +sub getShortDescr { + return "Yahoo Messenger parser"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Registry Quick Find Chart - AccessData" => + "http://www.accessdata.com/media/en_us/print/papers/wp.Registry_Quick_Find_Chart.en_us.pdf", + "In-Depth Analysis of Yahoo! 
Authentication Schemes" => + "http://www.xssed.com/article/14/Paper_In-Depth_Analysis_of_Yahoo_Authentication_Schemes/", + "Bruce Long" => + "Internet Forensics - Yahoo Instant Messenger"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg( "Launching yahoo_cu v.".$VERSION ); + ::rptMsg("yahoo_cu v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new( $ntuser ); + my $root_key = $reg->get_root_key; + + my $path = 'Software\\Yahoo\\pager'; + my $key; + + if ( $key = $root_key->get_subkey( $path ) ) { + + ::rptMsg( "LastWrite Time ".gmtime($key->get_timestamp())." (UTC) ".$key->get_name() ); + + my %summary = ( 'Version' => '', + 'Launch on Startup' => '', + 'Connection Server' => '', + 'Last Login UserName' => '', + 'Last Local IP' => '', + 'AutoLogin' => '', + 'Save Password' => '', + 'Encrypted Password' => '', + 'Yahoo Token' => '' + ); + + my @vals = $key->get_list_of_values(); + if ( ( scalar @vals ) > 0 ) { + foreach my $val ( @vals ) { + _fillSummary( $val, \%summary ); + } + _printSummary( \%summary ); + } + else { + ::rptMsg( $key->get_name()." has no values." ); + ::logMsg( $key->get_name()." has no values." ); + } + + if ( $key = $key->get_subkey( 'profiles' ) ) { + ::rptMsg( "\n LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC) ".$key->get_name() ); + my $tmp; + my $cu; + my $sbk; + my @badusers; + my @users; + my @subkeys = $key->get_list_of_subkeys(); + if ( ( scalar @subkeys ) > 0 ) { + # finding users and bad users (bad logins) + # 1- if subkey has no subkeys, is not a user + # 2- if subkey has 3 or less subkeys, probably it's a bad user + # 3- if subkey has >3 subkeys, probably it's a good user + foreach $sbk ( @subkeys ) { + my @subkeys2 = $sbk->get_list_of_subkeys(); + $tmp = scalar @subkeys2; + if ( $tmp > 0 && $tmp < 4 ) { + push( @badusers, $sbk ); + } + elsif ( $tmp >= 4 ) { + push( @users, $sbk ); + } + } + } + + # got users and badusers + ::rptMsg( " Found ".scalar @users." users." ); + ::rptMsg( " Found ".scalar @badusers." bad users logins." ); + ::rptMsg( "" ); + + # let's parse users + my $spaces = ' '; + if ( scalar @users ) { + foreach $cu ( @users ) { + ::rptMsg( $spaces."USER: ".$cu->get_name() ); + ::rptMsg( $spaces."LastWrite Time ".gmtime($cu->get_timestamp())." (UTC) ".$cu->get_name() ); + _parseUserValues( \$cu, $spaces ); + $spaces = ' '; + _parseAlerts( \$cu, $spaces ); + _parseArchives( \$cu, $spaces ); + _parseFriendIcons( \$cu, $spaces ); + _parseFT( \$cu, $spaces ); + } + } + + # let's parse badusers + ::rptMsg( "" ); + if ( scalar @badusers ) { + foreach $cu ( @badusers ) { + ::rptMsg( " BAD LOGIN USER: ".$cu->get_name() ); + ::rptMsg( " LastWrite Time ".gmtime($cu->get_timestamp())." (UTC) ".$cu->get_name() ); + if ( $sbk = $cu->get_subkey( 'Alerts' ) ) { + ::rptMsg( " LastWrite Time ".gmtime($sbk->get_timestamp())." (UTC) ".$sbk->get_name() ); + _printExpectedValue( \$sbk, 'Total Login Tries', ' ' ); + } + else { + ::rptMsg( " Missing expected 'Alerts' subkey" ); + } + ::rptMsg( "" ); + } + } + } + else { + ::rptMsg( "No profiles found." ); + ::logMsg( "No profiles found." ); + } + } + else { + ::rptMsg( $path." not found." ); + ::logMsg( $path." not found." 
); + } +} + +#------------------------------------------------------------------------------ + +sub _parseUserValues() { + my @vals = ${$_[0]}->get_list_of_values(); + foreach my $v (@vals) { + my $val = $v->get_name(); + my $data = $v->get_data(); + if ( $val eq 'All Identities' ) { + ::rptMsg( $_[1].$val." = ".$data ); + } + elsif ( $val eq 'Selected Identities' ) { + ::rptMsg( $_[1].$val." = ".$data ); + } + elsif ( $val eq 'pref' ) { + ::rptMsg( $_[1].$val." = ".$data ); + } + elsif ( $val eq 'yinsider date' ) { + ::rptMsg( $_[1].$val." = ".gmtime($data)." (UTC)" ); + } + } +} + +#------------------------------------------------------------------------------ + +sub _parseAlerts() { + if ( my $local = ${$_[0]}->get_subkey( 'Alerts' ) ) { + ::rptMsg( $_[1]."LastWrite Time ".gmtime( $local->get_timestamp())." (UTC) ".$local->get_name() ); + _printExpectedValue( \$local, 'Total Login Tries', $_[1] ); + _printExpectedValue( \$local, 'Total Disconnects', $_[1] ); + } + else { + ::rptMsg( $_[1]."Missing expected 'Alerts' subkey." ); + } +} + +#------------------------------------------------------------------------------ + +sub _parseArchives() { + my $got1; + my $got2; + my $val1; + my $val2; + my $str; + if ( my $local = ${$_[0]}->get_subkey( 'Archive' ) ) { + ::rptMsg( $_[1]."LastWrite Time ".gmtime( $local->get_timestamp())." (UTC) ".$local->get_name() ); + # messages archive policies + ( $got1, $val1 ) = _printExpectedValue( \$local, 'Enabled', $_[1] ); + ( $got2, $val2 ) = _printExpectedValue( \$local, 'Autodelete', $_[1] ); + + if ( $got1 && $got2 ) { + if ( $val1 != 0 ) { + $str = "Messages archiving is ENABLED. " + } + else { + $str = "Messages archiving is NOT enabled. 
" + } + if ( $val2 != 0 ) { + $str .= "Archived messages are DELETED automatically on user sign-off."; + } + else { + $str .= "Archived messages are NOT automatically deleted on user sign-off."; + } + ::rptMsg( $_[1]."NOTE: ".$str ); + } + else { + ::rptMsg( $_[1]."NOTE: cannot determine archived messages policy due to missing values." ); + } + # voice call archive policies + ( $got1, $val1 ) = _printExpectedValue( \$local, 'CallHistoryEnabled', $_[1] ); + ( $got2, $val2 ) = _printExpectedValue( \$local, 'CallHistoryAutodelete', $_[1] ); + + if ( $got1 && $got2 ) { + if ( $val1 != 0 ) { + $str = "Call history archiving is ENABLED. " + } + else { + $str = "Call history archiving is NOT enabled. " + } + if ( $val2 != 0 ) { + $str .= "Call history is DELETED automatically on user sign-off."; + } + else { + $str .= "Call history is NOT automatically deleted on user sign-off."; + } + ::rptMsg( $_[1]."NOTE: ".$str ); + } + else { + ::rptMsg( $_[1]."NOTE: cannot determine call history policy due to missing values." ); + } + + } + else { + ::rptMsg( $_[1]."Missing expected 'Archive' subkey." ); + } +} + +#------------------------------------------------------------------------------ + +sub _parseFriendIcons() { + if ( my $local = ${$_[0]}->get_subkey( 'FriendIcons' ) ) { + ::rptMsg( $_[1]."LastWrite Time ".gmtime( $local->get_timestamp())." (UTC) ".$local->get_name() ); + _printExpectedValue( \$local, 'Checksum', $_[1] ); + _printExpectedValue( \$local, 'LastDir', $_[1] ); + _printExpectedValue( \$local, 'Path', $_[1] ); + } + else { + ::rptMsg( $_[1]."Missing expected 'FriendIcons' subkey." ); + } +} + +#------------------------------------------------------------------------------ + +sub _parseFT() { + if ( my $local = ${$_[0]}->get_subkey( 'FT' ) ) { + ::rptMsg( $_[1]."LastWrite Time ".gmtime( $local->get_timestamp())." 
(UTC) ".$local->get_name() ); + _printExpectedValue( \$local, 'LastSaveLocation', $_[1] ); + _printExpectedValue( \$local, 'LastSendLocation', $_[1] ); + } + else { + ::rptMsg( $_[1]."Missing expected 'FT' subkey." ); + } +} + +#------------------------------------------------------------------------------ + +sub _printExpectedValue() { + my $got; + my $val; + my $tmp; + if ( $tmp = ${$_[0]}->get_value( $_[1] ) ) { + $val = $tmp->get_data(); + ::rptMsg( $_[2].$_[1]." = ".$val ); + $got = 1; + } + else { + ::rptMsg( $_[2]."Missing expected value '".$_[1]."'" ); + $got = 0; + } + return ( $got, $val ); +} + +#------------------------------------------------------------------------------ + +sub _fillSummary() { + my $tmp = $_[0]->get_name(); + if ( $tmp eq 'Version' ) { ${$_[1]}{'Version'} = $_[0]->get_data(); } + elsif ( $tmp eq 'Launch on Startup' ) { ${$_[1]}{'Launch on Startup'} = $_[0]->get_data(); } + elsif ( $tmp eq 'ConnServer' ) { ${$_[1]}{'Connection Server'} = $_[0]->get_data(); } + elsif ( $tmp eq 'Yahoo! 
User ID' ) { ${$_[1]}{'Last Login UserName'} = $_[0]->get_data(); } + elsif ( $tmp eq 'CurrentUserLocalIP' ) { ${$_[1]}{'Last Local IP'} = $_[0]->get_data(); } + elsif ( $tmp eq 'Auto Login' ) { ${$_[1]}{'AutoLogin'} = $_[0]->get_data(); } + elsif ( $tmp eq 'Save Password' ) { ${$_[1]}{'Save Password'} = $_[0]->get_data(); } + elsif ( $tmp eq 'EOptions string' ) { ${$_[1]}{'Encrypted Password'} = $_[0]->get_data(); } + elsif ( $tmp eq 'ETS' ) { ${$_[1]}{'Yahoo Token'} = $_[0]->get_data(); } +} + +#------------------------------------------------------------------------------ + +sub _printSummary() { + ::rptMsg( ' Version = '.${$_[0]}{'Version'} ); + ::rptMsg( ' Launch on Startup = '.${$_[0]}{'Launch on Startup'} ); + ::rptMsg( ' Connection Server = '.${$_[0]}{'Connection Server'} ); + ::rptMsg( ' Last Login UserName = '.${$_[0]}{'Last Login UserName'} ); + ::rptMsg( ' Last Local IP = '.${$_[0]}{'Last Local IP'} ); + ::rptMsg( ' AutoLogin = '.${$_[0]}{'AutoLogin'} ); + ::rptMsg( ' Save Password = '.${$_[0]}{'Save Password'} ); + ::rptMsg( ' Encrypted Password = '.${$_[0]}{'Encrypted Password'} ); + ::rptMsg( ' Yahoo Token = '.${$_[0]}{'Yahoo Token'} ); + + if ( ${$_[0]}{'Encrypted Password'} ne '' ) { + ::rptMsg( " NOTE: detected encrypted password.\nYou should be able to decrypt the password." ); + } + elsif ( ${$_[0]}{'Yahoo Token'} ne '' ) { + ::rptMsg( " NOTE: detected Yahoo ETS Token. You should be able to impersonificate the user "); + ::rptMsg( " using the Yahoo Token but you cannot obtain the cleartext password." ); + } + else { + ::rptMsg( " NOTE: you should not be able to obtain the password." ); + } +} + +#------------------------------------------------------------------------------ + +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/plugins/yahoo_lm.pl b/RecentActivity/release/rr-full/plugins/yahoo_lm.pl new file mode 100755 index 0000000000..7f3eaf601b --- /dev/null +++ b/RecentActivity/release/rr-full/plugins/yahoo_lm.pl 
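Review bot: All eight helper subs are declared with an empty prototype, e.g. `sub _printExpectedValue() {`, yet each is called with arguments; this only compiles because every call site (in `pluginmain` and the `_parse*` subs, which textually precede the helpers they call) is compiled before the definition, so Perl never applies the prototype. A caller added below a definition would fail with "Too many arguments", so the `()` should be dropped from all helper declarations, e.g. `sub _printExpectedValue {`. A practitioner caveat belongs in the header too: `_printSummary` writes the raw `EOptions string` and `ETS` values into the report, i.e. the stored password blob and the Yahoo authentication token, so this plugin's output is credential material and should be protected like the hive itself. The "You should be able to decrypt the password" note also asserts a capability the plugin itself does not demonstrate; a comment on `_printSummary` pointing at the xssed paper already listed in `getRefs` as the basis for that claim would keep it traceable.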
@@ -0,0 +1,97 @@ +#----------------------------------------------------------- +# yahoo_lm.pl +# Yahoo Messenger parser (HKLM) +# +# Change history +# 20101219 [fpi] % created +# 20101219 [fpi] % first version +# 20110830 [fpi] + banner, no change to the version number +# +# References +# +# copyright 2011 F. Picasso +#----------------------------------------------------------- +package yahoo_lm; +use strict; + +my %config = (hive => "SOFTWARE", + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 1, + osmask => 22, + version => 20101219); + +sub getConfig{return %config} +sub getShortDescr { + return "Yahoo Messenger parser"; +} +sub getDescr{} +sub getRefs { + my %refs = ("Access Data Registry Quick Reference" => + "google it!"); + return %refs; +} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $ntuser = shift; + ::logMsg( "Launching yahoo_lm v.".$VERSION ); + ::rptMsg("yahoo_lm v.".$VERSION); # 20110830 [fpi] + banner + ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner + + my $reg = Parse::Win32Registry->new( $ntuser ); + my $root_key = $reg->get_root_key; + + my $path = 'Yahoo'; + my $key; + + if ( $key = $root_key->get_subkey( $path ) ) { + ::rptMsg( "Searching for Yahoo Messenger installation..." ); + + my $found = 0; + my @subkeys = $key->get_list_of_subkeys(); + if ( ( scalar @subkeys ) > 0 ) { + + foreach my $sbk ( @subkeys ) { + my $tmp = $sbk->get_name(); + + if ( $tmp eq "pager" ) { + $found++; + ::rptMsg( "... 'pager' key is present." ); + ::rptMsg( "[".gmtime( $sbk->get_timestamp() )." (UTC)] ".$tmp ); + + my @vals = $sbk->get_list_of_values(); + + if ( ( scalar @vals ) > 0 ) { + foreach my $val ( @vals ) { + $tmp = $val->get_name(); + if ( $tmp eq "ProductVersion" ) { + $found++; + ::rptMsg( $tmp." -> ".$val->get_data() ); + } + } + if ( $found == 1 ) { + ::rptMsg( "unable to get 'ProductVersion' value." 
); + } + } + } + } + if ( $found == 0 ) { + ::rptMsg( "No Yahoo Messenger installation detected." ); + } + } + else { + ::rptMsg( $key->get_name()." has no subkeys." ); + ::logMsg( $key->get_name()." has no subkeys." ); + } + } + else { + ::rptMsg( $path." not found." ); + ::logMsg( $path." not found." ); + } +} +1; \ No newline at end of file diff --git a/RecentActivity/release/rr-full/q.ico b/RecentActivity/release/rr-full/q.ico new file mode 100755 index 0000000000..8737cc16e3 Binary files /dev/null and b/RecentActivity/release/rr-full/q.ico differ diff --git a/RecentActivity/release/rr-full/regrip.bat b/RecentActivity/release/rr-full/regrip.bat new file mode 100755 index 0000000000..6c86c1363f --- /dev/null +++ b/RecentActivity/release/rr-full/regrip.bat @@ -0,0 +1,13 @@ +@echo off +echo ***Scanning Software hive*** +echo ------------------------------------------------------- +REM rip -r %1\software -f software +echo ***Scanning System hive*** +echo ------------------------------------------------------- +REM rip -r %1\system -f system +echo ***Scanning SAM hive*** +echo ------------------------------------------------------- +REM rip -r %1\sam -f sam +echo ***Scanning Security hive*** +echo ------------------------------------------------------- +rip -r %1\SECURITY –f security \ No newline at end of file diff --git a/RecentActivity/release/rr-full/regripper.pdf b/RecentActivity/release/rr-full/regripper.pdf new file mode 100755 index 0000000000..49c45abe77 Binary files /dev/null and b/RecentActivity/release/rr-full/regripper.pdf differ diff --git a/RecentActivity/release/rr-full/rip.exe b/RecentActivity/release/rr-full/rip.exe new file mode 100755 index 0000000000..e0b1203181 Binary files /dev/null and b/RecentActivity/release/rr-full/rip.exe differ 
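Review bot: `getRefs` returns `"google it!"` as the URL for "Access Data Registry Quick Reference" while `hasRefs => 1` advertises usable references; the yahoo_cu plugin in this same commit carries the real AccessData URL, so reuse it here or set `hasRefs => 0`. The `if ( $found == 1 )` check that prints "unable to get 'ProductVersion' value." sits inside `if ( ( scalar @vals ) > 0 )`, so a `pager` key with no values at all is reported as present but never as missing its version; moving that check just after the values block covers both cases. Minor: the hive argument is named `$ntuser` although this plugin is declared for the SOFTWARE hive, which looks like a copy-paste from yahoo_cu and is worth renaming to `$hive`.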
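Review bot: The only live command, `rip -r %1\SECURITY –f security`, uses an en-dash (U+2013) before `f` instead of the hyphen used on the commented lines; rip.pl's `Getopt::Long::Configure("prefix_pattern=(-|\/)")` accepts only `-` or `/` as option prefixes, so the profile argument will not be recognised. It should read `rip -r "%1\SECURITY" -f security`, with `%1` quoted so a case path containing spaces survives. The three `REM`'d lines for the Software, System and SAM hives should also be either re-enabled or removed: the script currently announces scanning four hives and scans one, and if it is meant as a template a leading `REM` line saying so would avoid that mismatch.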
diff --git a/thirdparty/rr/rip.pl b/RecentActivity/release/rr-full/rip.pl
old mode 100644
new mode 100755
similarity index 78%
rename from thirdparty/rr/rip.pl
rename to RecentActivity/release/rr-full/rip.pl
index ffbd632d7a..b16786608a
--- a/thirdparty/rr/rip.pl
+++ b/RecentActivity/release/rr-full/rip.pl
@@ -1,291 +1,335 @@ -#! c:\perl\bin\perl.exe -#------------------------------------------------------------------------- -# Rip - RegRipper, CLI version -# Use this utility to run a plugins file or a single plugin against a Reg -# hive file. -# -# Output goes to STDOUT -# Usage: see "_syntax()" function -# -# Change History -# 20110516 - added -s & -u options for TLN support -# 20090102 - updated code for relative path to plugins dir -# 20080419 - added '-g' switch (experimental) -# 20080412 - added '-c' switch -# -# copyright 2011 Quantum Analytics Research, LLC -#------------------------------------------------------------------------- -use strict; -use Parse::Win32Registry qw(:REG_); -use Getopt::Long; - -# Included to permit compiling via Perl2Exe -#perl2exe_include "Parse/Win32Registry.pm"; -#perl2exe_include "Parse/Win32Registry/Key.pm"; -#perl2exe_include "Parse/Win32Registry/Entry.pm"; -#perl2exe_include "Parse/Win32Registry/Value.pm"; -#perl2exe_include "Parse/Win32Registry/File.pm"; -#perl2exe_include "Parse/Win32Registry/Win95/File.pm"; -#perl2exe_include "Parse/Win32Registry/Win95/Key.pm"; -#perl2exe_include "Encode/Unicode.pm"; - -my %config; -Getopt::Long::Configure("prefix_pattern=(-|\/)"); -GetOptions(\%config,qw(reg|r=s file|f=s csv|c guess|g user|u=s sys|s=s plugin|p=s list|l help|?|h)); - -# Code updated 20090102 -my @path; -my $str = $0; -($^O eq "MSWin32") ? 
(@path = split(/\\/,$0)) - : (@path = split(/\//,$0)); -$str =~ s/($path[scalar(@path) - 1])//; -my $plugindir = $str."plugins/"; -#print "Plugins Dir = ".$plugindir."\n"; -# End code update -my $VERSION = "20090102"; - -if ($config{help} || !%config) { - _syntax(); - exit; -} - -#------------------------------------------------------------- -# -#------------------------------------------------------------- -if ($config{list}) { - my @plugins; - opendir(DIR,$plugindir) || die "Could not open $plugindir: $!\n"; - @plugins = readdir(DIR); - closedir(DIR); - - my $count = 1; - print "Plugin,Version,Hive,Description\n" if ($config{csv}); - foreach my $p (@plugins) { - next unless ($p =~ m/\.pl$/); - my $pkg = (split(/\./,$p,2))[0]; - $p = $plugindir.$p; - eval { - require $p; - my $hive = $pkg->getHive(); - my $version = $pkg->getVersion(); - my $descr = $pkg->getShortDescr(); - if ($config{csv}) { - print $pkg.",".$version.",".$hive.",".$descr."\n"; - } - else { - print $count.". ".$pkg." v.".$version." [".$hive."]\n"; -# printf "%-20s %-10s %-10s\n",$pkg,$version,$hive; - print " - ".$descr."\n\n"; - $count++; - } - }; - print "Error: $@\n" if ($@); - } - exit; -} - -#------------------------------------------------------------- -# -#------------------------------------------------------------- -if ($config{file}) { -# First, check that a hive file was identified, and that the path is -# correct - my $hive = $config{reg}; - die "You must enter a hive file path/name.\n" if ($hive eq ""); - die $hive." not found.\n" unless (-e $hive); - - my %plugins = parsePluginsFile($config{file}); - if (%plugins) { - #logMsg("Parsed Plugins file."); - } - else { - #logMsg("Plugins file not parsed."); - exit; - } - foreach my $i (sort {$a <=> $b} keys %plugins) { - eval { - require "plugins\\".$plugins{$i}."\.pl"; - $plugins{$i}->pluginmain($hive); - }; - if ($@) { - logMsg("Error in ".$plugins{$i}.": ".$@); - } - #logMsg($plugins{$i}." 
complete."); - - } -} - -#------------------------------------------------------------- -# -#------------------------------------------------------------- -if ($config{reg} && $config{guess}) { -# Attempt to guess which kind of hive we have - my $hive = $config{reg}; - die "You must enter a hive file path/name.\n" if ($hive eq ""); - die $hive." not found.\n" unless (-e $hive); - - my $reg; - my $root_key; - my %guess; - eval { - $reg = Parse::Win32Registry->new($hive); - $root_key = $reg->get_root_key; - }; - ::rptMsg($config{reg}." may not be a valid hive.") if ($@); - -# Check for SAM - eval { - $guess{sam} = 1 if (my $key = $root_key->get_subkey("SAM\\Domains\\Account\\Users")); - }; -# Check for Software - eval { - $guess{software} = 1 if ($root_key->get_subkey("Microsoft\\Windows\\CurrentVersion") && - $root_key->get_subkey("Microsoft\\Windows NT\\CurrentVersion")); - }; - -# Check for System - eval { - $guess{system} = 1 if ($root_key->get_subkey("MountedDevices") && - $root_key->get_subkey("Select")); - }; - -# Check for Security - eval { - $guess{security} = 1 if ($root_key->get_subkey("Policy\\Accounts") && - $root_key->get_subkey("Policy\\PolAdtEv")); - }; -# Check for NTUSER.DAT - eval { - $guess{ntuser} = 1 if ($root_key->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion")); - - }; - - foreach my $g (keys %guess) { - ::rptMsg(sprintf "%-8s = %-2s",$g,$guess{$g}); - } -} - -#------------------------------------------------------------- -# -#------------------------------------------------------------- -if ($config{plugin}) { -# First, check that a hive file was identified, and that the path is -# correct - my $hive = $config{reg}; - die "You must enter a hive file path/name.\n" if ($hive eq ""); - die $hive." not found.\n" unless (-e $hive); - -# check to see if the plugin exists - my $plugin = $config{plugin}; - my $pluginfile = $plugindir.$config{plugin}."\.pl"; - die $pluginfile." 
not found.\n" unless (-e $pluginfile); - - eval { - require $pluginfile; - $plugin->pluginmain($hive); - }; - if ($@) { - logMsg("Error in ".$pluginfile.": ".$@); - } -} - -sub _syntax { - print<< "EOT"; -Rip v.$VERSION - CLI RegRipper tool -Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h] -Parse Windows Registry files, using either a single module, or a plugins file. -All plugins must be located in the \"plugins\" directory; default plugins file -used if no other filename given is \"plugins\\plugins\"\. - - -r Reg hive file...Registry hive file to parse - -g ................Guess the hive file (experimental) - -f [plugin file]...use the plugin file (default: plugins\\plugins) - -p plugin module...use only this module - -l ................list all plugins - -c ................Output list in CSV format (use with -l) - -s system name.....Server name (TLN support) - -u username........User name (TLN support) - -h.................Help (print this information) -Ex: C:\\>rr -r c:\\case\\system -f system - C:\\>rr -r c:\\case\\ntuser.dat -p userassist - C:\\>rr -l -c - -All output goes to STDOUT; use redirection (ie, > or >>) to output to a file\. 
- -copyright 2011 Quantum Analytics Research, LLC -EOT -} - -#------------------------------------------------------------- -# -#------------------------------------------------------------- -sub logMsg { - print STDERR $_[0]."\n"; -} - -#------------------------------------------------------------- -# -#------------------------------------------------------------- -sub rptMsg { - binmode STDOUT,":utf8"; - if ($config{sys} || $config{user}) { - my @vals = split(/\|/,$_[0],5); - my $str = $vals[0]."|".$vals[1]."|".$config{sys}."|".$config{user}."|".$vals[4]; - print $str."\n"; - } - else { - print $_[0]."\n"; - } -} - -#------------------------------------------------------------- -# parsePluginsFile() -# Parse the plugins file and get a list of plugins -#------------------------------------------------------------- -sub parsePluginsFile { - my $file = $_[0]; - my %plugins; -# Parse a file containing a list of plugins -# Future versions of this tool may allow for the analyst to -# choose different plugins files - my $pluginfile = $plugindir.$file; - if (-e $pluginfile) { - open(FH,"<",$pluginfile); - my $count = 1; - while() { - chomp; - next if ($_ =~ m/^#/ || $_ =~ m/^\s+$/); -# next unless ($_ =~ m/\.pl$/); - next if ($_ eq ""); - $_ =~ s/^\s+//; - $_ =~ s/\s+$//; - $plugins{$count++} = $_; - } - close(FH); - return %plugins; - } - else { - return undef; - } -} - -#------------------------------------------------------------- -# getTime() -# Translate FILETIME object (2 DWORDS) to Unix time, to be passed -# to gmtime() or localtime() -#------------------------------------------------------------- -sub getTime($$) { - my $lo = shift; - my $hi = shift; - my $t; - - if ($lo == 0 && $hi == 0) { - $t = 0; - } else { - $lo -= 0xd53e8000; - $hi -= 0x019db1de; - $t = int($hi*429.4967296 + $lo/1e7); - }; - $t = 0 if ($t < 0); - return $t; +#! 
c:\perl\bin\perl.exe +#------------------------------------------------------------------------- +# Rip - RegRipper, CLI version +# Use this utility to run a plugins file or a single plugin against a Reg +# hive file. +# +# Output goes to STDOUT +# Usage: see "_syntax()" function +# +# Change History +# 20130425 - added alertMsg() functionality, updated to v2.8 +# 20120506 - updated to v2.5 release +# 20110516 - added -s & -u options for TLN support +# 20090102 - updated code for relative path to plugins dir +# 20080419 - added '-g' switch (experimental) +# 20080412 - added '-c' switch +# +# copyright 2013 Quantum Analytics Research, LLC +# Author: H. Carvey, keydet89@yahoo.com +# +# This software is released via the GPL v3.0 license: +# http://www.gnu.org/licenses/gpl.html +#------------------------------------------------------------------------- +use strict; +use Parse::Win32Registry qw(:REG_); +use Getopt::Long; + +# Included to permit compiling via Perl2Exe +#perl2exe_include "Parse/Win32Registry.pm"; +#perl2exe_include "Parse/Win32Registry/Key.pm"; +#perl2exe_include "Parse/Win32Registry/Entry.pm"; +#perl2exe_include "Parse/Win32Registry/Value.pm"; +#perl2exe_include "Parse/Win32Registry/File.pm"; +#perl2exe_include "Parse/Win32Registry/Win95/File.pm"; +#perl2exe_include "Parse/Win32Registry/Win95/Key.pm"; +#perl2exe_include "Encode.pm"; +#perl2exe_include "Encode/Byte.pm"; +#perl2exe_include "Encode/Unicode.pm"; +#perl2exe_include "utf8.pm"; +#perl2exe_include "unicore/Heavy.pl"; +#perl2exe_include "unicore/To/Upper.pl"; + +my %config; +Getopt::Long::Configure("prefix_pattern=(-|\/)"); +GetOptions(\%config,qw(reg|r=s file|f=s csv|c guess|g user|u=s sys|s=s plugin|p=s list|l help|?|h)); + +# Code updated 20090102 +my @path; +my $str = $0; +($^O eq "MSWin32") ? 
(@path = split(/\\/,$0)) + : (@path = split(/\//,$0)); +$str =~ s/($path[scalar(@path) - 1])//; +my $plugindir = $str."plugins/"; +#print "Plugins Dir = ".$plugindir."\n"; +# End code update +my $VERSION = "2\.8"; +my @alerts = (); + +if ($config{help} || !%config) { + _syntax(); + exit; +} + +#------------------------------------------------------------- +# +#------------------------------------------------------------- +if ($config{list}) { + my @plugins; + opendir(DIR,$plugindir) || die "Could not open $plugindir: $!\n"; + @plugins = readdir(DIR); + closedir(DIR); + + my $count = 1; + print "Plugin,Version,Hive,Description\n" if ($config{csv}); + foreach my $p (@plugins) { + next unless ($p =~ m/\.pl$/); + my $pkg = (split(/\./,$p,2))[0]; + $p = $plugindir.$p; + eval { + require $p; + my $hive = $pkg->getHive(); + my $version = $pkg->getVersion(); + my $descr = $pkg->getShortDescr(); + if ($config{csv}) { + print $pkg.",".$version.",".$hive.",".$descr."\n"; + } + else { + print $count.". ".$pkg." v.".$version." [".$hive."]\n"; +# printf "%-20s %-10s %-10s\n",$pkg,$version,$hive; + print " - ".$descr."\n\n"; + $count++; + } + }; + print "Error: $@\n" if ($@); + } + exit; +} + +#------------------------------------------------------------- +# +#------------------------------------------------------------- +if ($config{file}) { +# First, check that a hive file was identified, and that the path is +# correct + my $hive = $config{reg}; + die "You must enter a hive file path/name.\n" if ($hive eq ""); +# die $hive." not found.\n" unless (-e $hive); + + my %plugins = parsePluginsFile($config{file}); + if (%plugins) { + logMsg("Parsed Plugins file."); + } + else { + logMsg("Plugins file not parsed."); + exit; + } + foreach my $i (sort {$a <=> $b} keys %plugins) { + eval { + require "plugins/".$plugins{$i}."\.pl"; + $plugins{$i}->pluginmain($hive); + }; + if ($@) { + logMsg("Error in ".$plugins{$i}.": ".$@); + } + logMsg($plugins{$i}." 
complete."); + rptMsg("-" x 40); + } + printAlerts(); +} + +#------------------------------------------------------------- +# +#------------------------------------------------------------- +if ($config{reg} && $config{guess}) { +# Attempt to guess which kind of hive we have + my $hive = $config{reg}; + die "You must enter a hive file path/name.\n" if ($hive eq ""); +# die $hive." not found.\n" unless (-e $hive); + + my $reg; + my $root_key; + my %guess = guessHive($hive); + + foreach my $g (keys %guess) { + ::rptMsg(sprintf "%-8s = %-2s",$g,$guess{$g}); + } +} + +#------------------------------------------------------------- +# +#------------------------------------------------------------- +if ($config{plugin}) { +# First, check that a hive file was identified, and that the path is +# correct + my $hive = $config{reg}; + die "You must enter a hive file path/name.\n" if ($hive eq ""); +# die $hive." not found.\n" unless (-e $hive); + +# check to see if the plugin exists + my $plugin = $config{plugin}; + my $pluginfile = $plugindir.$config{plugin}."\.pl"; + die $pluginfile." not found.\n" unless (-e $pluginfile); + + eval { + require $pluginfile; + $plugin->pluginmain($hive); + }; + if ($@) { + logMsg("Error in ".$pluginfile.": ".$@); + } + printAlerts(); +} + +sub _syntax { + print<< "EOT"; +Rip v.$VERSION - CLI RegRipper tool +Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h] +Parse Windows Registry files, using either a single module, or a plugins file. 
+ + -r Reg hive file...Registry hive file to parse + -g ................Guess the hive file (experimental) + -f [profile].......use the plugin file (default: plugins\\plugins) + -p plugin module...use only this module + -l ................list all plugins + -c ................Output list in CSV format (use with -l) + -s system name.....Server name (TLN support) + -u username........User name (TLN support) + -h.................Help (print this information) + +Ex: C:\\>rip -r c:\\case\\system -f system + C:\\>rip -r c:\\case\\ntuser.dat -p userassist + C:\\>rip -l -c + +All output goes to STDOUT; use redirection (ie, > or >>) to output to a file\. + +copyright 2013 Quantum Analytics Research, LLC +EOT +} + +#------------------------------------------------------------- +# +#------------------------------------------------------------- +sub logMsg { + print STDERR $_[0]."\n"; +} + +#------------------------------------------------------------- +# +#------------------------------------------------------------- +sub rptMsg { + binmode STDOUT,":utf8"; + if ($config{sys} || $config{user}) { + my @vals = split(/\|/,$_[0],5); + my $str = $vals[0]."|".$vals[1]."|".$config{sys}."|".$config{user}."|".$vals[4]; + print $str."\n"; + } + else { + print $_[0]."\n"; + } +} + +#------------------------------------------------------------- +# +#------------------------------------------------------------- +sub alertMsg { + push(@alerts,$_[0]); +} + +sub printAlerts { + if (scalar(@alerts) > 0) { +# print "\n"; +# print "Alerts\n"; +# print "-" x 40,"\n"; + foreach (@alerts) { + print $_."\n"; + } + } +} + +#------------------------------------------------------------- +# parsePluginsFile() +# Parse the plugins file and get a list of plugins +#------------------------------------------------------------- +sub parsePluginsFile { + my $file = $_[0]; + my %plugins; +# Parse a file containing a list of plugins +# Future versions of this tool may allow for the analyst to +# choose 
different plugins files + my $pluginfile = $plugindir.$file; + if (-e $pluginfile) { + open(FH,"<",$pluginfile); + my $count = 1; + while() { + chomp; + next if ($_ =~ m/^#/ || $_ =~ m/^\s+$/); +# next unless ($_ =~ m/\.pl$/); + next if ($_ eq ""); + $_ =~ s/^\s+//; + $_ =~ s/\s+$//; + $plugins{$count++} = $_; + } + close(FH); + return %plugins; + } + else { + return undef; + } +} + +#------------------------------------------------------------- +# guessHive() +# +#------------------------------------------------------------- +sub guessHive { + my $hive = shift; + my $reg; + my $root_key; + my %guess; + eval { + $reg = Parse::Win32Registry->new($hive); + $root_key = $reg->get_root_key; + }; + $guess{unknown} = 1 if ($@); + +# Check for SAM + eval { + $guess{sam} = 1 if (my $key = $root_key->get_subkey("SAM\\Domains\\Account\\Users")); + }; +# Check for Software + eval { + $guess{software} = 1 if ($root_key->get_subkey("Microsoft\\Windows\\CurrentVersion") && + $root_key->get_subkey("Microsoft\\Windows NT\\CurrentVersion")); + }; + +# Check for System + eval { + $guess{system} = 1 if ($root_key->get_subkey("MountedDevices") && + $root_key->get_subkey("Select")); + }; + +# Check for Security + eval { + $guess{security} = 1 if ($root_key->get_subkey("Policy\\Accounts") && + $root_key->get_subkey("Policy\\PolAdtEv")); + }; +# Check for NTUSER.DAT + eval { + $guess{ntuser} = 1 if ($root_key->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion")); + + }; + + return %guess; +} + +#------------------------------------------------------------- +# getTime() +# Translate FILETIME object (2 DWORDS) to Unix time, to be passed +# to gmtime() or localtime() +#------------------------------------------------------------- +sub getTime($$) { + my $lo = shift; + my $hi = shift; + my $t; + + if ($lo == 0 && $hi == 0) { + $t = 0; + } else { + $lo -= 0xd53e8000; + $hi -= 0x019db1de; + $t = int($hi*429.4967296 + $lo/1e7); + }; + $t = 0 if ($t < 0); + return $t; } \ No newline at end 
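Review bot: All three hive-existence checks were disabled (`# die $hive." not found.\n" unless (-e $hive);` under `-f`, `-g` and `-p`), so a mistyped hive path is no longer rejected up front; with `-f` every plugin in the profile is still loaded and will most likely fail inside its own `eval` when it opens the hive, yielding one logged error per plugin instead of a single clear message, and `-g` presumably reports only `unknown = 1`. Unless non-file inputs are now intended, restore `die $hive." not found.\n" unless (-e $hive);` before the plugin loop, or document why it was removed. Two smaller points in the same hunk: the profile path still does `require "plugins/".$plugins{$i}."\.pl";` relative to the working directory while `-p` and `-l` use `$plugindir`, so `-f` only works when run from the RegRipper directory despite the 20090102 "relative path to plugins dir" history entry; and `parsePluginsFile` neither checks the result of `open(FH,"<",$pluginfile)` nor constrains profile entries, so a line such as `../foo` is passed straight to `require`, which is acceptable for analyst-authored profiles but deserves a comment. The `@@ -1,291 +1,335 @@` header indicates this hunk spans the whole file, and it ends with `getTime`.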
of file
diff --git a/RecentActivity/release/rr-full/rr.exe b/RecentActivity/release/rr-full/rr.exe
new file mode 100755
index 0000000000..db4d072f25
Binary files /dev/null and b/RecentActivity/release/rr-full/rr.exe differ
diff --git a/thirdparty/rr/rr.pl b/RecentActivity/release/rr-full/rr.pl
old mode 100644
new mode 100755
similarity index 83%
rename from thirdparty/rr/rr.pl
rename to RecentActivity/release/rr-full/rr.pl
index e39be3df66..8cd9aee011
--- a/thirdparty/rr/rr.pl
+++ b/RecentActivity/release/rr-full/rr.pl
@@ -1,442 +1,454 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# Registry Ripper -# Parse a Registry hive file for data pertinent to an investigation -# -# Adv version...provides the basic functionality. All plugins -# can be used with both the basic version and the full-featured -# version -# -# Change History: -# 20081111 - Updated code in setUpEnv() to parse the file paths for -# output files (log, etc) so that they paths were handled -# properly; updated Perl2Exe include statements to support -# Parse::Win32Registry 0.40 -# 20080512 - Consolidated Basic and Advanced versions into a single -# track -# 20080429 - Fixed issue with output report and log files having the -# same (.log) file extension -# 20080422 - Added ComboBox to choose plugins file -# 20080414 - updated code to check for a selected hive file; set -# default plugin file to "ntuser" if none selected; check -# for plugins file with no plugins or all plugins commented -# out; keep track of plugins w/ hard errors generated via -# this GUI. -# 20080412 - added listbox; populate with list of plugin files -# from plugin dir -# - Log file now based on report file name and location -# 20080226 - added eval{} to wrap require pragma in go_Click() -# -# -# Functionality: -# - plugins file is selectable -# -# copyright 2008 H. 
Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -#use strict; -use Win32::GUI(); -use Parse::Win32Registry qw(:REG_); - -# Included to permit compiling via Perl2Exe -#perl2exe_include "Parse/Win32Registry.pm"; -#perl2exe_include "Parse/Win32Registry/Key.pm"; -#perl2exe_include "Parse/Win32Registry/Entry.pm"; -#perl2exe_include "Parse/Win32Registry/Value.pm"; -#perl2exe_include "Parse/Win32Registry/File.pm"; -#perl2exe_include "Parse/Win32Registry/Win95/File.pm"; -#perl2exe_include "Parse/Win32Registry/Win95/Key.pm"; -#perl2exe_include "Encode/Unicode.pm"; -#----------------------------------------------------------- -# Global variables -#----------------------------------------------------------- -my $VERSION = "2\.02"; -my %env; - -#----------------------------------------------------------- -# GUI -#----------------------------------------------------------- -# create our menu -my $menu = Win32::GUI::MakeMenu( - "&File" => "File", - " > O&pen..." 
=> { -name => "Open"}, - " > -" => 0, - " > E&xit" => { -name => "Exit", -onClick => sub {exit 1;}}, - "&Help" => "Help", - " > &About" => { -name => "About", -onClick => \&RR_OnAbout}, -); - -# Create Main Window -my $main = new Win32::GUI::Window ( - -name => "Main", - -title => "Registry Ripper, v.".$VERSION, - -pos => [200, 200], -# Format: [width, height] - -maxsize => [500, 420], - -size => [500, 420], - -menu => $menu, - -dialogui => 1, -) or die "Could not create a new Window: $!\n"; - -$main->AddLabel( - -text => "Hive File:", - -left => 20, - -top => 10); - -my $ntuserfile = $main->AddTextfield( - -name => "ntuserdat", - -tabstop => 1, - -left => 100, - -top => 10, - -width => 250, - -height => 22, - -tabstop => 1, - -foreground => "#000000", - -background => "#FFFFFF"); - -my $browse1 = $main->AddButton( - -name => 'browse1', - -left => 375, - -top => 10, - -width => 50, - -height => 22, - -tabstop => 1, - -text => "Browse"); - -$main->AddLabel( - -text => "Report File:", - -left => 20, - -top => 50); - -my $rptfile = $main->AddTextfield( - -name => "rptfile", - -tabstop => 1, - -left => 100, - -top => 50, - -width => 250, - -height => 22, - -tabstop => 1, - -foreground => "#000000", - -background => "#FFFFFF"); - -my $browse2 = $main->AddButton( - -name => 'browse2', - -left => 375, - -top => 50, - -width => 50, - -height => 22, - -tabstop => 1, - -text => "Browse"); - -$main->AddLabel( - -text => "Plugin File:", - -left => 20, - -top => 90); - -# http://perl-win32-gui.sourceforge.net/cgi-bin/docs.cgi?doc=combobox -my $combo = $main->AddCombobox( - -name => "Combobox", -# -dropdown => 1, - -dropdownlist => 1, - -top => 90, - -left => 100, - -width => 120, - -height => 110, - -tabstop=> 1, - ); - -my $testlabel = $main->AddLabel( - -text => "", - -name => "TestLabel", - -pos => [10,140], - -size => [445,160], - -frame => etched, - -sunken => 1 -); - -my $report = $main->AddTextfield( - -name => "Report", - -pos => [20,150], - -size => [425,140], - 
-multiline => 1, - -vscroll => 1, - -autohscroll => 1, - -autovscroll => 1, - -keepselection => 1 , - -tabstop => 1, -); - -my $go = $main->AddButton( - -name => 'go', - -left => 320, - -top => 310, - -width => 50, - -height => 25, - -tabstop => 1, - -text => "Rip It"); - -$main->AddButton( - -name => 'close', - -left => 390, - -top => 310, - -width => 50, - -height => 25, - -tabstop => 1, - -text => "Close"); - -my $status = new Win32::GUI::StatusBar($main, - -text => "Registry Ripper v.".$VERSION." opened.", -); - -populatePluginsList(); -$combo->Text(""); +$status->Text("Profile List Populated."); + +$main->Show(); +Win32::GUI::Dialog(); +#----------------------------------------------------------- +sub Open_Click { + \&browse1_Click(); +} + +sub browse1_Click { + # Open a file + my $file = Win32::GUI::GetOpenFileName( + -owner => $main, + -title => "Open a hive file", + -filter => ['All files' => '*.*',], + ); + + $ntuserfile->Text($file); + 0; +} + +sub browse2_Click { + # Open a file + my $file = Win32::GUI::GetSaveFileName( + -owner => $main, + -title => "Save a report file", + -filter => [ + 'Report file (*.txt)' => '*.txt', + 'All files' => '*.*', + ], + ); + + $file = $file."\.txt" unless ($file =~ m/\.\w+$/i); + $rptfile->Text($file); + 0; +} + +sub go_Click { +# Set up the environment + setUpEnv(); + if ($env{ntuser} eq "") { + Win32::GUI::MessageBox($main,$ENV{USERNAME}.", you did not select a hive file.\r\n", + "Doh!!",16); + return; + } +# Get the selected item from the Plugins file listbox +# only allows for single selections at this time; defaults to ntuser +# if none selected + my $pluginfile = $combo->GetLBText($combo->GetCurSel()); + $pluginfile = "ntuser" if ($pluginfile eq ""); + $report->Append("Logging to ".$env{logfile}."\r\n"); + $report->Append("Using plugins file ".$pluginfile."\r\n"); + logMsg("Log opened."); + logMsg("File: ".$env{ntuser}); + logMsg("Environment set up."); + my %plugins = parsePluginsFile($pluginfile); + logMsg("Parsed 
Plugins file ".$pluginfile); + if (scalar(keys %plugins) == 0) { + Win32::GUI::MessageBox($main,$ENV{USERNAME}.", the plugins file has no plugins!!.\r\n", + "Doh!!",16); + return; + } + my $err_cnt = 0; + foreach my $i (sort {$a <=> $b} keys %plugins) { + eval { + require "plugins\\".$plugins{$i}."\.pl"; + $plugins{$i}->pluginmain($env{ntuser}); + }; + if ($@) { + $err_cnt++; + logMsg("Error in ".$plugins{$i}.": ".$@); + } + + $report->Append($plugins{$i}."...Done.\r\n"); + $status->Text($plugins{$i}." completed."); + + Win32::GUI::DoEvents(); + logMsg($err_cnt." plugins completed with errors."); + logMsg($plugins{$i}." complete."); + rptMsg("-" x 40); + } +# add output of alerts to the report file here + if (scalar(@alerts) > 0) { +# rptMsg(""); +# rptMsg("Alerts"); +# rptMsg("-" x 40); + foreach my $a (@alerts) { + rptMsg($a); + } + } + + $report->Append($err_cnt." plugins completed with errors.\r\n"); + $status->Text("Done."); +} + +sub close_Click { + $main->Hide(); + exit -1; +} + +sub Combobox_CloseUp { + $status->Text("Profile = ".$combo->GetLBText($combo->GetCurSel())); +} + +# About box +sub RR_OnAbout { + my $self = shift; + $self->MessageBox( + "Registry Ripper, v.".$VERSION."\r\n". + "Parses Registry hive (NTUSER\.DAT, System, etc.) files, placing pertinent info in a report ". + "file in a readable manner.\r\n". + "\r\n". + "Copyright 2013 Quantum Analytics Research, LLC.\r\n". + "H\. 
Carvey, keydet89\@yahoo\.com", + "About...", + MB_ICONINFORMATION | MB_OK, + ); + 0; +} +#----------------------------------------------------------- + +#----------------------------------------------------------- +sub setUpEnv { + $env{ntuser} = $ntuserfile->Text(); + $env{rptfile} = $rptfile->Text(); +# Ensure that the report file has a .txt extension if none was given + $env{rptfile} = $env{rptfile}."\.txt" unless ($env{rptfile} =~ m/\.\w+$/i); + $rptfile->Text($env{rptfile}); + + my @path = split(/\\/,$env{rptfile}); + my $last = scalar(@path) - 1; + my @f = split(/\./,$path[$last]); + my $ext = $f[scalar(@f) - 1]; + +# Assemble path to log file + $f[scalar(@f) - 1] = "log"; + $path[$last] = join('.',@f); + print join('\\',@path)."\n"; + $env{logfile} = join('\\',@path); + +# Use the above code to set up the path to the Timeline +# (.tln) file +# Assemble path to log file +# $f[scalar(@f) - 1] = "tln"; +# $path[$last] = join('.',@f); +# print join('\\',@path)."\n"; +# $env{tlnfile} = join('\\',@path); + +} + +#----------------------------------------------------------- +# get a list of plugins files from the plugins dir +#----------------------------------------------------------- +sub getProfiles { + my @pluginfiles; + opendir(DIR,"plugins"); + my @files = readdir(DIR); + close(DIR); + + foreach my $f (@files) { + next if ($f =~ m/^\.$/ || $f =~ m/^\.\.$/); + next if ($f =~ m/\.pl$/ || $f =~ m/\.txt$/); + push(@pluginfiles,$f); + } + return @pluginfiles; +} + +#----------------------------------------------------------- +# populate the list of plugins files +#----------------------------------------------------------- +sub populatePluginsList { + my @files = getProfiles(); + foreach my $f (@files) { + $combo->InsertItem($f); + } +} + +#----------------------------------------------------------- +# +#----------------------------------------------------------- +sub parsePluginsFile { + my $file = $_[0]; + my %plugins; +# Parse a file containing a list of plugins 
+# Future versions of this tool may allow for the analyst to +# choose different plugins files + my $pluginfile = "plugins\\".$file; + if (-e $pluginfile) { + open(FH,"<",$pluginfile); + my $count = 1; + while() { + chomp; + next if ($_ =~ m/^#/ || $_ =~ m/^\s+$/); +# next unless ($_ =~ m/\.pl$/); + next if ($_ eq ""); + $_ =~ s/^\s+//; + $_ =~ s/\s+$//; + $plugins{$count++} = $_; + } + close(FH); + $status->Text("Plugin file parsed and loaded."); + return %plugins; + } + else { + $report->Append($pluginfile." not found.\r\n"); + return undef; + } +} + +sub logMsg { + open(FH,">>",$env{logfile}); + print FH localtime(time).": ".$_[0]."\n"; + close(FH); +} + +sub rptMsg { + open(FH,">>",$env{rptfile}); + binmode FH,":utf8"; + print FH $_[0]."\n"; + close(FH); +} + +sub alertMsg { + push(@alerts,$_[0]); +} + +#------------------------------------------------------------- +# getTime() +# Translate FILETIME object (2 DWORDS) to Unix time, to be passed +# to gmtime() or localtime() +#------------------------------------------------------------- +sub getTime($$) { + my $lo = shift; + my $hi = shift; + my $t; + + if ($lo == 0 && $hi == 0) { + $t = 0; + } else { + $lo -= 0xd53e8000; + $hi -= 0x019db1de; + $t = int($hi*429.4967296 + $lo/1e7); + }; + $t = 0 if ($t < 0); + return $t; } \ No newline at end of file diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index 7a6ced53ee..1ca8ff9a0e 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java 
@@ -113,7 +113,7 @@ public class Chrome extends Extract {
 int j = 0;
 while (j < historyFiles.size()) {
- String temps = currentCase.getTempDirectory() + File.separator + historyFiles.get(j).getName().toString() + j + ".db";
+ String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + historyFiles.get(j).getName().toString() + j + ".db";
 int errors = 0;
 final AbstractFile historyFile = historyFiles.get(j++);
 if (historyFile.getSize() == 0) {
@@ -124,6 +124,7 @@ public class Chrome extends Extract {
 } catch (IOException ex) {
 logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome web history artifacts.{0}", ex);
 this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + historyFile.getName());
+ continue;
 }
 File dbFile = new File(temps);
 if (controller.isCancelled()) {
@@ -172,13 +173,14 @@ public class Chrome extends Extract {
 if (bookmarkFiles != null && !bookmarkFiles.isEmpty()) {
 while (j < bookmarkFiles.size()) {
 AbstractFile bookmarkFile = bookmarkFiles.get(j++);
- String temps = currentCase.getTempDirectory() + File.separator + bookmarkFile.getName().toString() + j + ".db";
+ String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + bookmarkFile.getName().toString() + j + ".db";
 int errors = 0;
 try {
 ContentUtils.writeToFile(bookmarkFile, new File(temps));
 } catch (IOException ex) {
 logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome bookmark artifacts.{0}", ex);
 this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + bookmarkFile.getName());
+ continue;
 }
 logger.log(Level.INFO, moduleName + "- Now getting Bookmarks from " + temps);
 File dbFile = new File(temps);
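Review bot: The added `continue` in the @@ -124 hunk jumps back to the loop head before the `temps` file is removed, so a partially written copy from a failed `ContentUtils.writeToFile` stays in the new per-module temp directory; the same applies to the other four Chrome hunks, the ExtractIE @@ -336 hunk and the four Firefox hunks. Deleting it on the error path, `new File(temps).delete();` before `continue;`, keeps the temp folder from accumulating broken sqlite copies across data sources (the cancel path below presumably deletes `dbFile`, but that line is not in the hunk). Also, `RAImageIngestModule.getRATempPath(currentCase, "chrome")` performs an `exists()`/`mkdirs()` round-trip on every iteration; hoisting it into a local before each `while` loop is cheaper and names the path once. The enclosing methods start and end outside these hunks.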
@@ -270,13 +272,14 @@ public class Chrome extends Extract {
 if (cookiesFiles != null && !cookiesFiles.isEmpty()) {
 while (j < cookiesFiles.size()) {
 AbstractFile cookiesFile = cookiesFiles.get(j++);
- String temps = currentCase.getTempDirectory() + File.separator + cookiesFile.getName().toString() + j + ".db";
+ String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + cookiesFile.getName().toString() + j + ".db";
 int errors = 0;
 try {
 ContentUtils.writeToFile(cookiesFile, new File(temps));
 } catch (IOException ex) {
 logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome cookie artifacts.{0}", ex);
 this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + cookiesFile.getName());
+ continue;
 }
 File dbFile = new File(temps);
 if (controller.isCancelled()) {
@@ -333,13 +336,14 @@ public class Chrome extends Extract {
 if (historyFile.getSize() == 0) {
 continue;
 }
- String temps = currentCase.getTempDirectory() + File.separator + historyFile.getName().toString() + j + ".db";
+ String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + historyFile.getName().toString() + j + ".db";
 int errors = 0;
 try {
 ContentUtils.writeToFile(historyFile, new File(temps));
 } catch (IOException ex) {
 logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome download artifacts.{0}", ex);
 this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + historyFile.getName());
+ continue;
 }
 File dbFile = new File(temps);
 if (controller.isCancelled()) {
@@ -394,13 +398,14 @@ public class Chrome extends Extract { if (signonFiles != null && !signonFiles.isEmpty()) { while (j < signonFiles.size()) { AbstractFile signonFile = signonFiles.get(j++); - String temps = currentCase.getTempDirectory() + File.separator + signonFile.getName().toString() + j + ".db"; + String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + signonFile.getName().toString() + j + ".db"; int errors = 0; try { ContentUtils.writeToFile(signonFile, new File(temps)); } catch (IOException ex) { logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome login artifacts.{0}", ex); this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + signonFile.getName()); + continue; } File dbFile = new File(temps); if (controller.isCancelled()) { diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java index 73335594a6..d0087a237e 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java @@ -282,7 +282,7 @@ public class ExtractIE extends Extract { currentCase = Case.getCurrentCase(); tskCase = currentCase.getSleuthkitCase(); - PASCO_RESULTS_PATH = Case.getCurrentCase().getTempDirectory() + File.separator + "results"; + PASCO_RESULTS_PATH = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), "IE") + File.separator + "results"; JAVA_PATH = PlatformUtil.getJavaPath(); pascoResults = new ArrayList(); 
@@ -326,7 +326,7 @@ public class ExtractIE extends Extract { //BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); indexFileName = "index" + Integer.toString((int) indexFile.getId()) + ".dat"; //indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat"; - temps = currentCase.getTempDirectory() + File.separator + indexFileName; + temps = RAImageIngestModule.getRATempPath(currentCase, "IE") + File.separator + indexFileName; File datFile = new File(temps); if (controller.isCancelled()) { datFile.delete(); @@ -336,6 +336,8 @@ public class ExtractIE extends Extract { ContentUtils.writeToFile(indexFile, datFile); } catch (IOException e) { logger.log(Level.SEVERE, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e); + this.addErrorMessage(this.getName() + ": Error while trying to write file:" + datFile.getAbsolutePath()); + continue; } String filename = "pasco2Result." + indexFile.getId() + ".txt"; diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 8bb43a94b9..5643a8e0c1 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -2,7 +2,7 @@ * * Autopsy Forensic Browser * - * Copyright 2012 Basis Technology Corp. + * Copyright 2012-2013 Basis Technology Corp. * * Copyright 2012 42six Solutions. * Contact: aebadirad 42six com @@ -60,7 +60,9 @@ public class ExtractRegistry extends Extract { public Logger logger = Logger.getLogger(this.getClass().getName()); private String RR_PATH; + private String RR_FULL_PATH; boolean rrFound = false; + boolean rrFullFound = false; private int sysid; private IngestServices services; final public static String MODULE_VERSION = "1.0"; 
@@ -76,16 +78,7 @@ public class ExtractRegistry extends Extract { } else { rrFound = true; } -// try { -// Case currentCase = Case.getCurrentCase(); // get the most updated case -// SleuthkitCase tempDb = currentCase.getSleuthkitCase(); -// ResultSet artset = tempDb.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'"); -// -// while (artset.next()) { -// sysid = artset.getInt("artifact_type_id"); -// } -// } catch (Exception e) { -// } + final String rrHome = rrRoot.getAbsolutePath(); logger.log(Level.INFO, "RegRipper home: " + rrHome); @@ -94,6 +87,23 @@ public class ExtractRegistry extends Extract { } else { RR_PATH = "perl " + rrHome + File.separator + "rip.pl"; } + + final File rrFullRoot = InstalledFileLocator.getDefault().locate("rr-full", ExtractRegistry.class.getPackage().getName(), false); + if (rrFullRoot == null) { + logger.log(Level.SEVERE, "RegRipper Full not found"); + rrFullFound = false; + } else { + rrFullFound = true; + } + + final String rrFullHome = rrFullRoot.getAbsolutePath(); + logger.log(Level.INFO, "RegRipper Full home: " + rrFullHome); + + if (PlatformUtil.isWindowsOS()) { + RR_FULL_PATH = rrFullHome + File.separator + "rip.exe"; + } else { + RR_FULL_PATH = "perl " + rrFullHome + File.separator + "rip.pl"; + } } @Override @@ -101,9 +111,15 @@ public class ExtractRegistry extends Extract { return MODULE_VERSION; } + /** + * Identifies registry files in the database by name, runs regripper on them, and parses the output. + * + * @param dataSource + * @param controller + */ private void getRegistryFiles(Content dataSource, IngestDataSourceWorkerController controller) { org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); - List allRegistryFiles = new ArrayList(); + List allRegistryFiles = new ArrayList<>(); try { allRegistryFiles.addAll(fileManager.findFiles(dataSource, "ntuser.dat")); } catch (TskCoreException ex) { 
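Review bot: In the @@ -94 hunk `rrFullRoot.getAbsolutePath()` is called unconditionally right after the `rrFullRoot == null` branch, so a missing rr-full directory logs "RegRipper Full not found" and then throws a NullPointerException out of the constructor instead of leaving `rrFullFound = false` for `executeRegRip` to honour; the removed lines suggest the original `rrRoot` block has the same shape, but the new code repeats it rather than fixing it. Moving the home/path computation into the `else` branch, as below, fixes this. Separately, this diff adds `rr.exe`/`rr.pl` under `release/rr-full` while the new code invokes `rip.exe`/`rip.pl` from that directory; worth confirming those files are present there, since `InstalledFileLocator` only resolves the directory. The Javadoc added in the @@ -101 hunk leaves both `@param` tags without a description. The constructor starts outside this hunk.
```java
final File rrFullRoot = InstalledFileLocator.getDefault().locate("rr-full", ExtractRegistry.class.getPackage().getName(), false);
if (rrFullRoot == null) {
    logger.log(Level.SEVERE, "RegRipper Full not found");
    rrFullFound = false;
} else {
    rrFullFound = true;
    final String rrFullHome = rrFullRoot.getAbsolutePath();
    logger.log(Level.INFO, "RegRipper Full home: " + rrFullHome);
    if (PlatformUtil.isWindowsOS()) {
        RR_FULL_PATH = rrFullHome + File.separator + "rip.exe";
    } else {
        RR_FULL_PATH = "perl " + rrFullHome + File.separator + "rip.pl";
    }
}
```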
@@ -111,7 +127,6 @@ public class ExtractRegistry extends Extract { } // try to find each of the listed registry files whose parent directory - // is like '/system32/config' String[] regFileNames = new String[] {"system", "software", "security", "sam", "default"}; for (String regFileName : regFileNames) { 
@@ -122,89 +137,195 @@ public class ExtractRegistry extends Extract { } } ExtractUSB extrctr = new ExtractUSB(); + FileWriter logFile = null; + try { + logFile = new FileWriter(RAImageIngestModule.getRAOutputPath(currentCase, "reg") + File.separator + "regripper-info.txt"); + } catch (IOException ex) { + java.util.logging.Logger.getLogger(ExtractRegistry.class.getName()).log(Level.SEVERE, null, ex); + logFile = null; + } + int j = 0; for (AbstractFile regFile : allRegistryFiles) { String regFileName = regFile.getName(); - String temps = currentCase.getTempDirectory() + "\\" + regFileName; + String regFileNameLocal = RAImageIngestModule.getRATempPath(currentCase, "reg") + File.separator + regFileName; + String outputPathBase = RAImageIngestModule.getRAOutputPath(currentCase, "reg") + File.separator + regFileName + "-regripper-" + Integer.toString(j++); + File regFileNameLocalFile = new File(regFileNameLocal); try { - ContentUtils.writeToFile(regFile, new File(currentCase.getTempDirectory() + "\\" + regFileName)); + ContentUtils.writeToFile(regFile, regFileNameLocalFile); } catch (IOException ex) { logger.log(Level.SEVERE, "Error writing the temp registry file. 
{0}", ex); + continue; } - File aRegFile = new File(temps); - logger.log(Level.INFO, moduleName + "- Now getting registry information from " + temps); - String txtPath = executeRegRip(temps, j++); - if (txtPath.length() > 0) { - if (parseReg(txtPath, regFile.getId(), extrctr) == false) { - continue; + + try { + if (logFile != null) { + logFile.write(Integer.toString(j-1) + "\t" + regFile.getUniquePath() + "\n"); } + } catch (TskCoreException ex) { + java.util.logging.Logger.getLogger(ExtractRegistry.class.getName()).log(Level.SEVERE, null, ex); + } + catch (IOException ex) { + java.util.logging.Logger.getLogger(ExtractRegistry.class.getName()).log(Level.SEVERE, null, ex); + } + + logger.log(Level.INFO, moduleName + "- Now getting registry information from " + regFileNameLocal); + RegOutputFiles regOutputFiles = executeRegRip(regFileNameLocal, outputPathBase); + if (parseReg(regOutputFiles.autopsyPlugins, regFile.getId(), extrctr) == false) { + continue; } - //At this point pasco2 proccessed the index files. - //Now fetch the results, parse them and the delete the files. 
- aRegFile.delete(); + try { + BlackboardArtifact art = regFile.newArtifact(ARTIFACT_TYPE.TSK_TOOL_OUTPUT.getTypeID()); + BlackboardAttribute att = new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "RegRipper"); + art.addAttribute(att); + + FileReader fread = new FileReader(regOutputFiles.fullPlugins); + BufferedReader input = new BufferedReader(fread); + + StringBuilder sb = new StringBuilder(); + while (true) { + + try { + String s = input.readLine(); + if (s == null) { + break; + } + sb.append(s).append("\n"); + } catch (IOException ex) { + java.util.logging.Logger.getLogger(ExtractRegistry.class.getName()).log(Level.SEVERE, null, ex); + break; + } + } + + att = new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(), "RecentActivity", sb.toString()); + art.addAttribute(att); + } catch (FileNotFoundException ex) { + java.util.logging.Logger.getLogger(ExtractRegistry.class.getName()).log(Level.SEVERE, null, ex); + } catch (TskCoreException ex) { + java.util.logging.Logger.getLogger(ExtractRegistry.class.getName()).log(Level.SEVERE, null, ex); + } + + regFileNameLocalFile.delete(); } + try { + if (logFile != null) { + logFile.close(); + } + } catch (IOException ex) { + java.util.logging.Logger.getLogger(ExtractRegistry.class.getName()).log(Level.SEVERE, null, ex); + } + } + + private class RegOutputFiles { + public String autopsyPlugins = ""; + public String fullPlugins = ""; } // TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath // I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now. - private String executeRegRip(String regFilePath, int fileIndex) { - String txtPath = regFilePath + Integer.toString(fileIndex) + ".txt"; - String type = ""; - + /** + * Execute regripper on the given registry. 
+ * @param regFilePath Path to local copy of registry + * @param outFilePathBase Path to location to save output file to. Base name that will be extended on + */ + private RegOutputFiles executeRegRip(String regFilePath, String outFilePathBase) { Writer writer = null; - try { - if (regFilePath.toLowerCase().contains("system")) { - type = "autopsysystem"; - } else if (regFilePath.toLowerCase().contains("software")) { - type = "autopsysoftware"; - } else if (regFilePath.toLowerCase().contains("ntuser")) { - type = "autopsy"; - } else if (regFilePath.toLowerCase().contains("default")) { - type = "1default"; - } else if (regFilePath.toLowerCase().contains("sam")) { - type = "1sam"; - } else if (regFilePath.toLowerCase().contains("security")) { - type = "1security"; - } else { - type = "1default"; - } + + String type = ""; + String fullType = ""; + RegOutputFiles regOutputFiles = new RegOutputFiles(); - logger.log(Level.INFO, "Writing RegRipper results to: " + txtPath); - writer = new FileWriter(txtPath); - execRR = new ExecUtil(); - execRR.execute(writer, RR_PATH, - "-r", regFilePath, "-f", type); + if (regFilePath.toLowerCase().contains("system")) { + type = "autopsysystem"; + fullType = "system"; + } else if (regFilePath.toLowerCase().contains("software")) { + type = "autopsysoftware"; + fullType = "software"; + } else if (regFilePath.toLowerCase().contains("ntuser")) { + type = "autopsy"; + fullType = "ntuser"; + } else if (regFilePath.toLowerCase().contains("default")) { + //type = "1default"; + } else if (regFilePath.toLowerCase().contains("sam")) { + fullType = "sam"; + } else if (regFilePath.toLowerCase().contains("security")) { + fullType = "security"; + } else { + // @@@ Seems like we should error out or something... 
+ type = "1default"; + } - } catch (IOException ex) { - logger.log(Level.SEVERE, "Unable to RegRipper and process parse some registry files.", ex); - } catch (InterruptedException ex) { - logger.log(Level.SEVERE, "RegRipper has been interrupted, failed to parse registry.", ex); - } finally { - if (writer != null) { - try { - writer.close(); - } catch (IOException ex) { - logger.log(Level.SEVERE, "Error closing output writer after running RegRipper", ex); + if ((type.equals("") == false) && (rrFound)) { + try { + regOutputFiles.autopsyPlugins = outFilePathBase + "-autopsy.txt"; + logger.log(Level.INFO, "Writing RegRipper results to: " + regOutputFiles.autopsyPlugins); + writer = new FileWriter(regOutputFiles.autopsyPlugins); + execRR = new ExecUtil(); + execRR.execute(writer, RR_PATH, + "-r", regFilePath, "-f", type); + } catch (IOException ex) { + logger.log(Level.SEVERE, "Unable to RegRipper and process parse some registry files.", ex); + } catch (InterruptedException ex) { + logger.log(Level.SEVERE, "RegRipper has been interrupted, failed to parse registry.", ex); + } finally { + if (writer != null) { + try { + writer.close(); + } catch (IOException ex) { + logger.log(Level.SEVERE, "Error closing output writer after running RegRipper", ex); + } } } } - - return txtPath; + else { + logger.log(Level.INFO, "Not running Autopsy-only modules on hive"); + } + + if ((fullType.equals("") == false) && (rrFullFound)) { + try { + regOutputFiles.fullPlugins = outFilePathBase + "-full.txt"; + logger.log(Level.INFO, "Writing Full RegRipper results to: " + regOutputFiles.fullPlugins); + writer = new FileWriter(regOutputFiles.fullPlugins); + execRR = new ExecUtil(); + execRR.execute(writer, RR_FULL_PATH, + "-r", regFilePath, "-f", fullType); + } catch (IOException ex) { + logger.log(Level.SEVERE, "Unable to run full RegRipper and process parse some registry files.", ex); + } catch (InterruptedException ex) { + logger.log(Level.SEVERE, "RegRipper full has been interrupted, failed 
to parse registry.", ex); + } finally { + if (writer != null) { + try { + writer.close(); + } catch (IOException ex) { + logger.log(Level.SEVERE, "Error closing output writer after running RegRipper full", ex); + } + } + } + } + else { + logger.log(Level.INFO, "Not running original RR modules on hive"); + } + return regOutputFiles; } + + // @@@ VERIFY that we are doing the right thing when we parse multiple NTUSER.DAT private boolean parseReg(String regRecord, long orgId, ExtractUSB extrctr) { FileInputStream fstream = null; try { Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + + // Read the file in and create a Document and elements File regfile = new File(regRecord); fstream = new FileInputStream(regfile); //InputStreamReader fstreamReader = new InputStreamReader(fstream, "UTF-8"); //BufferedReader input = new BufferedReader(fstreamReader); //logger.log(Level.INFO, "using encoding " + fstreamReader.getEncoding()); String regString = new Scanner(fstream, "UTF-8").useDelimiter("\\Z").next(); - regfile.delete(); + //regfile.delete(); String startdoc = ""; String result = regString.replaceAll("----------------------------------------", ""); result = result.replaceAll("\\n", ""); @@ -215,6 +336,8 @@ public class ExtractRegistry extends Extract { String stringdoc = startdoc + result + enddoc; DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); Document doc = builder.parse(new InputSource(new StringReader(stringdoc))); + + // cycle through the elements in the doc Element oroot = doc.getDocumentElement(); NodeList children = oroot.getChildNodes(); int len = children.getLength(); @@ -242,6 +365,7 @@ public class ExtractRegistry extends Extract { // If there isn't an artifact node, skip this entry continue; } + Element artroot = (Element) artroots.item(0); NodeList myartlist = artroot.getChildNodes(); String winver = ""; 
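Review bot: In the new artifact block of `getRegistryFiles` the TSK_TOOL_OUTPUT artifact is created and given its TSK_PROG_NAME attribute before `regOutputFiles.fullPlugins` is opened, so whenever the full RegRipper run was skipped (`fullPlugins` stays "" for a "default" hive or when `rrFullFound` is false) or the output file is missing, `new FileReader("")` throws, is logged at SEVERE, and an artifact with no TSK_TEXT is presumably left on the blackboard; the `FileReader`/`BufferedReader` pair is also never closed. Guarding on a non-empty path, reading inside try-with-resources (the file already uses the Java 7 diamond) and adding attributes only after the read succeeds fixes both, as sketched below, and the `continue` after a failed `parseReg` should delete `regFileNameLocalFile` first, otherwise the hive copy is left in the temp directory. Separately, `executeRegRip` classifies the hive by substring of the whole `regFilePath`, which now includes the case temp directory, so a case stored under a folder containing "system" or "software" would misclassify every hive; match on `new File(regFilePath).getName().toLowerCase()` instead, and the final `else` still assigns `type = "1default"` next to a `@@@` comment admitting it is not a real answer. The logging in this hunk also alternates between the class's `logger` field and `java.util.logging.Logger.getLogger(...).log(Level.SEVERE, null, ex)` with no message, which makes the failures hard to attribute in the ingest log. `getRegistryFiles` begins before this hunk and `parseReg` continues after it.
```java
if (parseReg(regOutputFiles.autopsyPlugins, regFile.getId(), extrctr) == false) {
    regFileNameLocalFile.delete();
    continue;
}
if (!regOutputFiles.fullPlugins.isEmpty()) {
    try (BufferedReader input = new BufferedReader(new FileReader(regOutputFiles.fullPlugins))) {
        StringBuilder sb = new StringBuilder();
        String s;
        while ((s = input.readLine()) != null) {
            sb.append(s).append("\n");
        }
        BlackboardArtifact art = regFile.newArtifact(ARTIFACT_TYPE.TSK_TOOL_OUTPUT.getTypeID());
        art.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "RegRipper"));
        art.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(), "RecentActivity", sb.toString()));
    } catch (IOException | TskCoreException ex) {
        logger.log(Level.SEVERE, "Error reading full RegRipper output " + regOutputFiles.fullPlugins, ex);
    }
}
regFileNameLocalFile.delete();
// … unchanged: logFile close …
```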
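Review bot: `DocumentBuilderFactory.newInstance().newDocumentBuilder()` in the @@ -215 hunk's context is built with default features, and the document it parses is assembled from RegRipper output over registry hives taken from the evidence image, i.e. content the examiner does not control. Setting `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` and `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` on the factory before `newDocumentBuilder()` rules out entity expansion and external-entity fetches at no cost, since the wrapped document never needs a DOCTYPE. `parseReg` starts and ends outside this hunk.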
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
index d2afe844ea..3b39b21ff8 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
@@ -100,13 +100,14 @@ public class Firefox extends Extract {
 int j = 0;
 for (AbstractFile historyFile : historyFiles) {
 String fileName = historyFile.getName();
- String temps = currentCase.getTempDirectory() + File.separator + fileName + j + ".db";
+ String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + j + ".db";
 int errors = 0;
 try {
- ContentUtils.writeToFile(historyFile, new File(currentCase.getTempDirectory() + File.separator + fileName + j + ".db"));
+ ContentUtils.writeToFile(historyFile, new File(temps));
 } catch (IOException ex) {
 logger.log(Level.SEVERE, "Error writing the sqlite db for firefox web history artifacts.{0}", ex);
 this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + fileName);
+ continue;
 }
 File dbFile = new File(temps);
 if (controller.isCancelled()) {
@@ -156,13 +157,14 @@ public class Firefox extends Extract {
 int j = 0;
 for (AbstractFile bookmarkFile : bookmarkFiles) {
 String fileName = bookmarkFile.getName();
- String temps = currentCase.getTempDirectory() + File.separator + fileName + j + ".db";
+ String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + j + ".db";
 int errors = 0;
 try {
- ContentUtils.writeToFile(bookmarkFile, new File(currentCase.getTempDirectory() + File.separator + fileName + j + ".db"));
+ ContentUtils.writeToFile(bookmarkFile, new File(temps));
 } catch (IOException ex) {
 logger.log(Level.SEVERE, "Error writing the sqlite db for firefox bookmark artifacts.{0}", ex);
 this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + fileName);
+ continue;
 }
 File dbFile = new File(temps);
 if (controller.isCancelled()) {
@@ -211,13 +213,14 @@ public class Firefox extends Extract {
 int j = 0;
 for (AbstractFile cookiesFile : cookiesFiles) {
 String fileName = cookiesFile.getName();
- String temps = currentCase.getTempDirectory() + File.separator + fileName + j + ".db";
+ String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + j + ".db";
 int errors = 0;
 try {
- ContentUtils.writeToFile(cookiesFile, new File(currentCase.getTempDirectory() + File.separator + fileName + j + ".db"));
+ ContentUtils.writeToFile(cookiesFile, new File(temps));
 } catch (IOException ex) {
 logger.log(Level.SEVERE, "Error writing the sqlite db for firefox cookie artifacts.{0}", ex);
 this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + fileName);
+ continue;
 }
 File dbFile = new File(temps);
 if (controller.isCancelled()) {
@@ -287,13 +290,14 @@ public class Firefox extends Extract { int j = 0; for (AbstractFile downloadsFile : downloadsFiles) { String fileName = downloadsFile.getName(); - String temps = currentCase.getTempDirectory() + File.separator + fileName + j + ".db"; + String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + j + ".db"; int errors = 0; try { - ContentUtils.writeToFile(downloadsFile, new File(currentCase.getTempDirectory() + File.separator + fileName + j + ".db")); + ContentUtils.writeToFile(downloadsFile, new File(temps)); } catch (IOException ex) { logger.log(Level.SEVERE, "Error writing the sqlite db for firefox download artifacts.{0}", ex); this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + fileName); + continue; } File dbFile = new File(temps); if (controller.isCancelled()) { diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java index 2c157e92f6..dd0ddb8a9e 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java @@ -22,8 +22,11 @@ */ package org.sleuthkit.autopsy.recentactivity; +import java.io.File; +import java.nio.file.Path; import java.util.ArrayList; import java.util.logging.Level; +import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.ingest.PipelineContext; import org.sleuthkit.autopsy.ingest.IngestDataSourceWorkerController; 
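Review bot: `java.nio.file.Path` is imported here but neither of the methods the commit adds uses it — both build their paths as strings and `java.io.File` — so unless something outside the visible hunks refers to it the import is dead and should be dropped; `import java.io.File;` and `import org.sleuthkit.autopsy.casemodule.Case;` are the ones the new code actually needs. If the intent was to move to NIO, the new helpers could instead use `Files.createDirectories(Paths.get(...))`, which reports failure as an exception rather than as an ignored boolean.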
@@ -179,4 +182,34 @@ public final class RAImageIngestModule extends IngestModuleDataSource {
 public boolean hasBackgroundJobsRunning() {
 return false;
 }
+
+ /**
+ * Get the temp path for a specific sub-module in recent activity. Will create the dir if it doesn't exist.
+ * @param a_case Case that directory is for
+ * @param mod Module name that will be used for a sub folder in the temp folder to prevent name collisions
+ * @return Path to directory
+ */
+ protected static String getRATempPath(Case a_case, String mod) {
+ String tmpDir = a_case.getTempDirectory() + File.separator + "RecentActivity" + File.separator + mod;
+ File dir = new File(tmpDir);
+ if (dir.exists() == false) {
+ dir.mkdirs();
+ }
+ return tmpDir;
+ }
+
+ /**
+ * Get the output path for a specific sub-module in recent activity. Will create the dir if it doesn't exist.
+ * @param a_case Case that directory is for
+ * @param mod Module name that will be used for a sub folder in the temp folder to prevent name collisions
+ * @return Path to directory
+ */
+ protected static String getRAOutputPath(Case a_case, String mod) {
+ String tmpDir = a_case.getModulesOutputDirAbsPath() + File.separator + "RecentActivity" + File.separator + mod;
+ File dir = new File(tmpDir);
+ if (dir.exists() == false) {
+ dir.mkdirs();
+ }
+ return tmpDir;
+ }
 }
diff --git a/test/README.txt b/test/README.txt
index 658a906181..d0064b4f95 100644
--- a/test/README.txt
+++ b/test/README.txt
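Review bot: Both new methods ignore the result of `dir.mkdirs()` and only test `dir.exists()`, so when the directory cannot be created — or the path exists but is a regular file — the caller still gets the string back and the failure surfaces later as an opaque IOException from whatever tries to write there. The two bodies are identical apart from the base directory, so one shared helper that checks `isDirectory()` after the attempt and logs the failure fixes both at once; the sketch below assumes the class has the usual `logger` field (Logger and Level are imported) and returns the same string as before so existing callers, which already handle IOException around their writes, are unaffected. `mod` becomes a directory name, which is fine for the literal sub-module names the Firefox hunks pass, but the Javadoc should state that it must be a plain name rather than a path.
```java
/**
 * Resolves base/RecentActivity/mod, creating it when missing. mod must be a plain
 * directory name, not a path. Failure is logged; the path is returned regardless so
 * callers see the write fail where they already handle IOException.
 */
private static String ensureRADir(String base, String mod) {
    String dirPath = base + File.separator + "RecentActivity" + File.separator + mod;
    File dir = new File(dirPath);
    // the second isDirectory() covers a concurrent creator winning the race
    if (!dir.isDirectory() && !dir.mkdirs() && !dir.isDirectory()) {
        logger.log(Level.SEVERE, "Could not create RecentActivity directory: {0}", dirPath);
    }
    return dirPath;
}

// … unchanged: Javadoc of the two accessors …
protected static String getRATempPath(Case a_case, String mod) {
    return ensureRADir(a_case.getTempDirectory(), mod);
}

protected static String getRAOutputPath(Case a_case, String mod) {
    return ensureRADir(a_case.getModulesOutputDirAbsPath(), mod);
}
```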
@@ -1,8 +1,13 @@ -This folder contains the data and scripts required to run regression tests -for Autopsy. There is a 'Testing' folder in the root directory that contains -the Java code that drives Autopsy to perform the tests. - -To run these tests: -- You will need python3. We run this from within Cygwin. -- Download the input images by typing 'ant test-download-imgs' in the root Autopsy folder. This will place images in 'test/input'. -- Run 'regression.py' from inside of the 'test/scripts' folder. +This folder contains the data and scripts required to run regression tests +for Autopsy. There is a 'Testing' folder in the root directory that contains +the Java code that drives Autopsy to perform the tests. + +To run these tests: +- You will need python3. We run this from within Cygwin. +- Download the input images by typing 'ant test-download-imgs' in the root Autopsy folder. + This will place images in 'test/input'. +- Run 'python3 regression.py' from inside of the 'test/scripts' folder. +- Alternatively, run 'python3 regression.py -l [CONFIGFILE] to run the tests on a specified + list of images using a configuration file. See config.xml in the 'test/scripts' folder to + see configuration file formatting. +- Run 'python3 regression.py -h' to see other options. diff --git a/test/script/Emailer.py b/test/script/Emailer.py index d1accc0e6a..5d12e6afa3 100644 --- a/test/script/Emailer.py +++ b/test/script/Emailer.py 
@@ -1,124 +1,49 @@ -import smtplib -from email.mime.image import MIMEImage -from email.mime.multipart import MIMEMultipart -from email.mime.text import MIMEText -from email.mime.base import MIMEBase -from email import encoders -import xml -from time import localtime, strftime -from xml.dom.minidom import parse, parseString -import subprocess -import sys -import os - -def send_email(parsed, errorem, attachl, passFail): - element = parsed.getElementsByTagName("email") - if(len(element)<=0): - return - element = element[0] - toval = element.getAttribute("value").encode().decode("utf_8") - if(toval==None): - return - element = parsed.getElementsByTagName("mail_server")[0] - serverval = element.getAttribute("value").encode().decode("utf_8") - # Create the container (outer) email message. - msg = MIMEMultipart() - element = parsed.getElementsByTagName("subject")[0] - subval = element.getAttribute("value").encode().decode("utf_8") - if(passFail): - msg['Subject'] = '[Test]Autopsy ' + subval + ' test passed.' - else: - msg['Subject'] = '[Test]Autopsy ' + subval + ' test failed.' 
- # me == the sender's email address - # family = the list of all recipients' email addresses - msg['From'] = 'AutopsyTest' - msg['To'] = toval - msg.preamble = 'This is a test' - container = MIMEText(errorem, 'plain') - msg.attach(container) - Build_email(msg, attachl) - s = smtplib.SMTP(serverval) - try: - print('Sending Email') - s.sendmail(msg['From'], msg['To'], msg.as_string()) - except Exception as e: - print(str(e)) - s.quit() - -def Build_email(msg, attachl): - for file in attachl: - part = MIMEBase('application', "octet-stream") - atach = open(file, "rb") - attch = atach.read() - noml = file.split("\\") - nom = noml[len(noml)-1] - part.set_payload(attch) - encoders.encode_base64(part) - part.add_header('Content-Disposition', 'attachment; filename="' + nom + '"') - msg.attach(part) - -# Returns a Windows style path starting with the cwd and -# ending with the list of directories given -def make_local_path(*dirs): - path = wgetcwd().decode("utf-8") - for dir in dirs: - path += ("\\" + str(dir)) - return path_fix(path) - -# Returns a Windows style path based only off the given directories -def make_path(*dirs): - path = dirs[0] - for dir in dirs[1:]: - path += ("\\" + str(dir)) - return path_fix(path) - -# Fix a standard os.path by making it Windows format -def path_fix(path): - return path.replace("/", "\\") - -# Gets the true current working directory instead of Cygwin's -def wgetcwd(): - proc = subprocess.Popen(("cygpath", "-m", os.getcwd()), stdout=subprocess.PIPE) - out,err = proc.communicate() - tst = out.rstrip() - if os.getcwd == tst: - return os.getcwd - else: - proc = subprocess.Popen(("cygpath", "-m", os.getcwd()), stdout=subprocess.PIPE) - out,err = proc.communicate() - return out.rstrip() -# Verifies a file's existance -def file_exists(file): - try: - if os.path.exists(file): - return os.path.isfile(file) - except: - return False - -# Verifies a directory's existance -def dir_exists(dir): - try: - return os.path.exists(dir) - except: - return 
False - - - -# Returns the nth word in the given string or "" if n is out of bounds -# n starts at 0 for the first word -def get_word_at(string, n): - words = string.split(" ") - if len(words) >= n: - return words[n] - else: - return "" - -# Returns true if the given file is one of the required input files -# for ingest testing -def required_input_file(name): - if ((name == "notablehashes.txt-md5.idx") or - (name == "notablekeywords.xml") or - (name == "nsrl.txt-md5.idx")): - return True - else: - return False \ No newline at end of file +import smtplib +from email.mime.image import MIMEImage +from email.mime.multipart import MIMEMultipart +from email.mime.text import MIMEText +from email.mime.base import MIMEBase +from email import encoders +import xml +from xml.dom.minidom import parse, parseString + +def send_email(to, server, subj, body, attachments): + """Send an email with the given information. + + Args: + to: a String, the email address to send the email to + server: a String, the mail server to send from + subj: a String, the subject line of the message + body: a String, the body of the message + attachments: a listof_pathto_File, the attachements to include + """ + msg = MIMEMultipart() + msg['Subject'] = subj + # me == the sender's email address + # family = the list of all recipients' email addresses + msg['From'] = 'AutopsyTest' + msg['To'] = to + msg.preamble = 'This is a test' + container = MIMEText(body, 'plain') + msg.attach(container) + Build_email(msg, attachments) + s = smtplib.SMTP(server) + try: + print('Sending Email') + s.sendmail(msg['From'], msg['To'], msg.as_string()) + except Exception as e: + print(str(e)) + s.quit() + +def Build_email(msg, attachments): + for file in attachments: + part = MIMEBase('application', "octet-stream") + atach = open(file, "rb") + attch = atach.read() + noml = file.split("\\") + nom = noml[len(noml)-1] + part.set_payload(attch) + encoders.encode_base64(part) + part.add_header('Content-Disposition', 
'attachment; filename="' + nom + '"') + msg.attach(part) + diff --git a/test/script/regression.py b/test/script/regression.py index e2dbde4c26..6cf2172c4a 100644 --- a/test/script/regression.py +++ b/test/script/regression.py 
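Review bot: `Build_email` opens every attachment with `open(file, "rb")` and never closes it, and it recovers the display name by splitting on a backslash, which yields the whole path on a POSIX host; `with open(file, "rb") as atach: part.set_payload(atach.read())` and `nom = os.path.basename(file)` (plus `import os`) fix both. The rewritten module also keeps `import xml`, `from xml.dom.minidom import parse, parseString` and `MIMEImage`, none of which the new `send_email`/`Build_email` reference now that the XML parsing moved out, so they can be dropped. In the docstring, "attachements" and "a listof_pathto_File" should read "attachments" and "a list of paths to files". The connection is a plain `smtplib.SMTP(server)` with no TLS or authentication, which is acceptable for an internal relay but deserves a one-line comment saying so.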
@@ -1,1953 +1,2206 @@ -#!/usr/bin/python -# -*- coding: utf_8 -*- - - # Autopsy Forensic Browser - # - # Copyright 2013 Basis Technology Corp. - # - # Licensed under the Apache License, Version 2.0 (the "License"); - # you may not use this file except in compliance with the License. - # You may obtain a copy of the License at - # - # http://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, - # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - # See the License for the specific language governing permissions and - # limitations under the License. - - -import codecs -import datetime -import logging -import os -import re -import shutil -import socket -import sqlite3 -import subprocess -import sys -from sys import platform as _platform -import time -import traceback -import xml -from time import localtime, strftime -from xml.dom.minidom import parse, parseString -import smtplib -from email.mime.image import MIMEImage -from email.mime.multipart import MIMEMultipart -from email.mime.text import MIMEText -import re -import zipfile -import zlib -import Emailer -import srcupdater - -# -# Please read me... -# -# This is the regression testing Python script. -# It uses an ant command to run build.xml for RegressionTest.java -# -# The code is cleanly sectioned and commented. -# Please follow the current formatting. -# It is a long and potentially confusing script. -# -# Variable, function, and class names are written in Python conventions: -# this_is_a_variable this_is_a_function() ThisIsAClass -# -# All variables that are needed throughout the script have been initialized -# in a global class. 
-# - Command line arguments are in Args (named args) -# - Information pertaining to each test is in TestAutopsy (named test_case) -# - Queried information from the databases is in DatabaseDiff (named database) -# Feel free to add additional global classes or add to the existing ones, -# but do not overwrite any existing variables as they are used frequently. -# - -Day = 0 -#-------------------------------------------------------------# -# Parses argv and stores booleans to match command line input # -#-------------------------------------------------------------# -class Args: - def __init__(self): - self.single = False - self.single_file = "" - self.rebuild = False - self.list = False - self.config_file = "" - self.unallocated = False - self.ignore = False - self.keep = False - self.verbose = False - self.exception = False - self.exception_string = "" - self.fr = False - - def parse(self): - global nxtproc - nxtproc = [] - nxtproc.append("python3") - nxtproc.append(sys.argv.pop(0)) - while sys.argv: - arg = sys.argv.pop(0) - nxtproc.append(arg) - if(arg == "-f"): - #try: @@@ Commented out until a more specific except statement is added - arg = sys.argv.pop(0) - print("Running on a single file:") - print(Emailer.path_fix(arg) + "\n") - self.single = True - self.single_file = Emailer.path_fix(arg) - #except: - # print("Error: No single file given.\n") - # return False - elif(arg == "-r" or arg == "--rebuild"): - print("Running in rebuild mode.\n") - self.rebuild = True - elif(arg == "-l" or arg == "--list"): - try: - arg = sys.argv.pop(0) - nxtproc.append(arg) - print("Running from configuration file:") - print(arg + "\n") - self.list = True - self.config_file = arg - except: - print("Error: No configuration file given.\n") - return False - elif(arg == "-u" or arg == "--unallocated"): - print("Ignoring unallocated space.\n") - self.unallocated = True - elif(arg == "-k" or arg == "--keep"): - print("Keeping the Solr index.\n") - self.keep = True - elif(arg == "-v" or 
arg == "--verbose"): - print("Running in verbose mode:") - print("Printing all thrown exceptions.\n") - self.verbose = True - elif(arg == "-e" or arg == "--exception"): - try: - arg = sys.argv.pop(0) - nxtproc.append(arg) - print("Running in exception mode: ") - print("Printing all exceptions with the string '" + arg + "'\n") - self.exception = True - self.exception_string = arg - except: - print("Error: No exception string given.") - elif arg == "-h" or arg == "--help": - print(usage()) - return False - elif arg == "-fr" or arg == "--forcerun": - print("Not downloading new images") - self.fr = True - else: - print(usage()) - return False - # Return the args were sucessfully parsed - return True -#-----------------------------------------------------# -# Holds all global variables for each individual test # -#-----------------------------------------------------# -class TestAutopsy: - def __init__(self, args): - self.args = args - # Paths: - self.output_dir = "" - self.input_dir = Emailer.make_local_path("..","input") - self.gold = Emailer.make_path("..", "output", "gold") - self.img_gold = Emailer.make_path(self.gold, 'tmp') - self.gold_parse = "" - self.img_gold_parse = "" - self.common_log = "AutopsyErrors.txt" - self.test_db_file = "autopsy.db" - self.Img_Test_Folder = "AutopsyTestCase" - # Logs: - self.csv = "" - self.global_csv = "" - self.html_log = "" - # Ant info: - self.known_bad_path = "" - self.keyword_path = "" - self.nsrl_path = "" - self.build_path = "" - # test_case info - self.autopsy_version = "" - self.ingest_messages = 0 - self.indexed_files = 0 - self.indexed_chunks = 0 - # Infinite Testing info - timer = 0 - self.images = [] - # Set the timeout to something huge - # The entire tester should not timeout before this number in ms - # However it only seems to take about half this time - # And it's very buggy, so we're being careful - self.timeout = 24 * 60 * 60 * 1000 * 1000 - self.ant = [] - - def get_image_name(self, image_file): - path_end = 
image_file.rfind("/") - path_end2 = image_file.rfind("\\") - ext_start = image_file.rfind(".") - if(ext_start == -1): - name = image_file - if(path_end2 != -1): - name = image_file[path_end2+1:ext_start] - elif(ext_start == -1): - name = image_file[path_end+1:] - elif(path_end == -1): - name = image_file[:ext_start] - elif(path_end!=-1 and ext_start!=-1): - name = image_file[path_end+1:ext_start] - else: - name = image_file[path_end2+1:ext_start] - return name - - def ant_to_string(self): - string = "" - for arg in self.ant: - string += (arg + " ") - return string - - def reset(self): - # Error tracking - self.printerror = [] - self.printout = [] - - # Set the timeout to something huge - # The entire tester should not timeout before this number in ms - # However it only seems to take about half this time - # And it's very buggy, so we're being careful - self.timeout = 24 * 60 * 60 * 1000 * 1000 - self.ant = [] - -#---------------------------------------------------------# -# Contains methods to compare two databases and internally -# stores some of the results. 
# -#---------------------------------------------------------# -class DatabaseDiff: - def __init__(self, case): - self.gold_artifacts = [] - self.autopsy_artifacts = [] - self.gold_attributes = 0 - self.autopsy_attributes = 0 - self.gold_objects = 0 - self.autopsy_objects = 0 - self.artifact_comparison = [] - self.attribute_comparison = [] - self.test_data = case - - def clear(self): - self.gold_artifacts = [] - self.autopsy_artifacts = [] - self.gold_attributes = 0 - self.autopsy_attributes = 0 - self.gold_objects = 0 - self.autopsy_objects = 0 - self.artifact_comparison = [] - self.attribute_comparison = [] - - - - def get_artifacts_count(self): - total = 0 - for nums in self.autopsy_artifacts: - total += nums - return total - - def get_artifact_comparison(self): - if not self.artifact_comparison: - return "All counts matched" - else: - global failedbool - global errorem - failedbool = True - global imgfail - imgfail = True - return "; ".join(self.artifact_comparison) - - def get_attribute_comparison(self): - if not self.attribute_comparison: - return "All counts matched" - global failedbool - global errorem - failedbool = True - global imgfail - imgfail = True - list = [] - for error in self.attribute_comparison: - list.append(error) - return ";".join(list) - - def _count_output_artifacts(self): - if not self.autopsy_artifacts: - autopsy_db_file = Emailer.make_path(test_case.output_dir, self.test_data.image_name, - test_case.Img_Test_Folder, test_case.test_db_file) - autopsy_con = sqlite3.connect(autopsy_db_file) - autopsy_cur = autopsy_con.cursor() - autopsy_cur.execute("SELECT COUNT(*) FROM blackboard_artifact_types") - length = autopsy_cur.fetchone()[0] + 1 - for type_id in range(1, length): - autopsy_cur.execute("SELECT COUNT(*) FROM blackboard_artifacts WHERE artifact_type_id=%d" % type_id) - self.autopsy_artifacts.append(autopsy_cur.fetchone()[0]) - - def _count_output_attributes(self): - if self.autopsy_attributes == 0: - autopsy_db_file = 
Emailer.make_path(test_case.output_dir, self.test_data.image_name, - test_case.Img_Test_Folder, test_case.test_db_file) - autopsy_con = sqlite3.connect(autopsy_db_file) - autopsy_cur = autopsy_con.cursor() - autopsy_cur.execute("SELECT COUNT(*) FROM blackboard_attributes") - autopsy_attributes = autopsy_cur.fetchone()[0] - self.autopsy_attributes = autopsy_attributes - - # Counts number of objects and saves them into database. - # @@@ Does not need to connect again. Should be storing connection in DatabaseDiff - # See also for _generate_autopsy_attributes - def _count_output_objects(self): - if self.autopsy_objects == 0: - autopsy_db_file = Emailer.make_path(test_case.output_dir, self.test_data.image_name, - test_case.Img_Test_Folder, test_case.test_db_file) - autopsy_con = sqlite3.connect(autopsy_db_file) - autopsy_cur = autopsy_con.cursor() - autopsy_cur.execute("SELECT COUNT(*) FROM tsk_objects") - autopsy_objects = autopsy_cur.fetchone()[0] - self.autopsy_objects = autopsy_objects - - # @@@ see _generate_autopsy_objects comment about saving connections, etc. Or could have design where connection - # is passed in so that we do not need separate methods for gold and output. 
- def _count_gold_artifacts(self): - if not self.gold_artifacts: - gold_db_file = Emailer.make_path(test_case.img_gold, self.test_data.image_name, test_case.test_db_file) - if(not Emailer.file_exists(gold_db_file)): - gold_db_file = Emailer.make_path(test_case.img_gold_parse, self.test_data.image_name, test_case.test_db_file) - gold_con = sqlite3.connect(gold_db_file) - gold_cur = gold_con.cursor() - gold_cur.execute("SELECT COUNT(*) FROM blackboard_artifact_types") - length = gold_cur.fetchone()[0] + 1 - for type_id in range(1, length): - gold_cur.execute("SELECT COUNT(*) FROM blackboard_artifacts WHERE artifact_type_id=%d" % type_id) - self.gold_artifacts.append(gold_cur.fetchone()[0]) - gold_cur.execute("SELECT * FROM blackboard_artifacts") - self.gold_artifacts_list = [] - for row in gold_cur.fetchall(): - for item in row: - self.gold_artifacts_list.append(item) - - def _count_gold_attributes(self): - if self.gold_attributes == 0: - gold_db_file = Emailer.make_path(test_case.img_gold, self.test_data.image_name, test_case.test_db_file) - if(not Emailer.file_exists(gold_db_file)): - gold_db_file = Emailer.make_path(test_case.img_gold_parse, self.test_data.image_name, test_case.test_db_file) - gold_con = sqlite3.connect(gold_db_file) - gold_cur = gold_con.cursor() - gold_cur.execute("SELECT COUNT(*) FROM blackboard_attributes") - self.gold_attributes = gold_cur.fetchone()[0] - - def _count_gold_objects(self): - if self.gold_objects == 0: - gold_db_file = Emailer.make_path(test_case.img_gold, self.test_data.image_name, test_case.test_db_file) - if(not Emailer.file_exists(gold_db_file)): - gold_db_file = Emailer.make_path(test_case.img_gold_parse, self.test_data.image_name, test_case.test_db_file) - gold_con = sqlite3.connect(gold_db_file) - gold_cur = gold_con.cursor() - gold_cur.execute("SELECT COUNT(*) FROM tsk_objects") - self.gold_objects = gold_cur.fetchone()[0] - - # Compares the blackboard artifact counts of two databases - def _compare_bb_artifacts(self): - 
exceptions = [] - try: - global failedbool - global errorem - if self.gold_artifacts != self.autopsy_artifacts: - failedbool = True - global imgfail - imgfail = True - errorem += self.test_data.image + ":There was a difference in the number of artifacts.\n" - rner = len(self.gold_artifacts) - for type_id in range(1, rner): - if self.gold_artifacts[type_id] != self.autopsy_artifacts[type_id]: - error = str("Artifact counts do not match for type id %d. " % type_id) - error += str("Gold: %d, Test: %d" % - (self.gold_artifacts[type_id], - self.autopsy_artifacts[type_id])) - exceptions.append(error) - return exceptions - except Exception as e: - printerror(self.test_data, str(e)) - exceptions.append("Error: Unable to compare blackboard_artifacts.\n") - return exceptions - - # Compares the blackboard atribute counts of two databases - # given the two database cursors - def _compare_bb_attributes(self): - exceptions = [] - try: - if self.gold_attributes != self.autopsy_attributes: - error = "Attribute counts do not match. " - error += str("Gold: %d, Test: %d" % (self.gold_attributes, self.autopsy_attributes)) - exceptions.append(error) - global failedbool - global errorem - failedbool = True - global imgfail - imgfail = True - errorem += self.test_data.image + ":There was a difference in the number of attributes.\n" - return exceptions - except Exception as e: - exceptions.append("Error: Unable to compare blackboard_attributes.\n") - return exceptions - - # Compares the tsk object counts of two databases - # given the two database cursors - def _compare_tsk_objects(self): - exceptions = [] - try: - if self.gold_objects != self.autopsy_objects: - error = "TSK Object counts do not match. 
" - error += str("Gold: %d, Test: %d" % (self.gold_objects, self.autopsy_objects)) - exceptions.append(error) - global failedbool - global errorem - failedbool = True - global imgfail - imgfail = True - errorem += self.test_data.image + ":There was a difference between the tsk object counts.\n" - return exceptions - except Exception as e: - exceptions.append("Error: Unable to compare tsk_objects.\n") - return exceptions - - - # Basic test between output and gold databases. Compares only counts of objects and blackboard items - def compare_basic_counts(self): - # SQLITE needs unix style pathing - - # Get connection to output database from current run - autopsy_db_file = Emailer.make_path(test_case.output_dir, self.test_data.image_name, - test_case.Img_Test_Folder, test_case.test_db_file) - autopsy_con = sqlite3.connect(autopsy_db_file) - autopsy_cur = autopsy_con.cursor() - - # Get connection to gold DB and count artifacts, etc. - gold_db_file = Emailer.make_path(test_case.img_gold, self.test_data.image_name, test_case.test_db_file) - if(not Emailer.file_exists(gold_db_file)): - gold_db_file = Emailer.make_path(test_case.img_gold_parse, self.test_data.image_name, test_case.test_db_file) - try: - self._count_gold_objects() - self._count_gold_artifacts() - self._count_gold_attributes() - except Exception as e: - printerror(self.test_data, "Way out:" + str(e)) - - # This is where we return if a file doesn't exist, because we don't want to - # compare faulty databases, but we do however want to try to run all queries - # regardless of the other database - if not Emailer.file_exists(autopsy_db_file): - printerror(self.test_data, "Error: DatabaseDiff file does not exist at:") - printerror(self.test_data, autopsy_db_file + "\n") - return - if not Emailer.file_exists(gold_db_file): - printerror(self.test_data, "Error: Gold database file does not exist at:") - printerror(self.test_data, gold_db_file + "\n") - return - - # compare size of bb artifacts, attributes, and tsk 
objects - gold_con = sqlite3.connect(gold_db_file) - gold_cur = gold_con.cursor() - - exceptions = [] - - autopsy_db_file = Emailer.make_path(test_case.output_dir, self.test_data.image_name, - test_case.Img_Test_Folder, test_case.test_db_file) - # Connect again and count things - autopsy_con = sqlite3.connect(autopsy_db_file) - try: - self._count_output_objects() - self._count_output_artifacts() - self._count_output_attributes() - except Exception as e: - printerror(self.test_data, "Way out:" + str(e)) - - # Compare counts - exceptions.append(self._compare_tsk_objects()) - exceptions.append(self._compare_bb_artifacts()) - exceptions.append(self._compare_bb_attributes()) - - self.artifact_comparison = exceptions[1] - self.attribute_comparison = exceptions[2] - - okay = "All counts match." - print_report(self.test_data, exceptions[0], "COMPARE TSK OBJECTS", okay) - print_report(self.test_data, exceptions[1], "COMPARE ARTIFACTS", okay) - print_report(self.test_data, exceptions[2], "COMPARE ATTRIBUTES", okay) - - - - - - - - # smart method that deals with blackboard comparison to avoid issues with different IDs based on when artifacts were created. - # Dumps sorted text results to output location stored in test_data. - # autopsy_db_file: Output database file - def _dump_output_db_bb(autopsy_con, autopsy_db_file, test_data): - autopsy_cur2 = autopsy_con.cursor() - global errorem - global attachl - global failedbool - # Get the list of all artifacts - # @@@ Could add a SORT by parent_path in here since that is how we are going to later sort it. 
- autopsy_cur2.execute("SELECT tsk_files.parent_path, tsk_files.name, blackboard_artifact_types.display_name, blackboard_artifacts.artifact_id FROM blackboard_artifact_types INNER JOIN blackboard_artifacts ON blackboard_artifact_types.artifact_type_id = blackboard_artifacts.artifact_type_id INNER JOIN tsk_files ON tsk_files.obj_id = blackboard_artifacts.obj_id") - database_log = codecs.open(test_data.autopsy_data_file, "wb", "utf_8") - rw = autopsy_cur2.fetchone() - appnd = False - counter = 0 - # Cycle through artifacts - try: - while (rw != None): - # File Name and artifact type - if(rw[0] != None): - database_log.write(rw[0] + rw[1] + ' ') - else: - database_log.write(rw[1] + ' ') - - # Get attributes for this artifact - autopsy_cur1 = autopsy_con.cursor() - looptry = True - test_data.artifact_count += 1 - try: - key = "" - key = str(rw[3]) - key = key, - autopsy_cur1.execute("SELECT blackboard_attributes.source, blackboard_attribute_types.display_name, blackboard_attributes.value_type, blackboard_attributes.value_text, blackboard_attributes.value_int32, blackboard_attributes.value_int64, blackboard_attributes.value_double FROM blackboard_attributes INNER JOIN blackboard_attribute_types ON blackboard_attributes.attribute_type_id = blackboard_attribute_types.attribute_type_id WHERE artifact_id =? 
ORDER BY blackboard_attributes.source, blackboard_attribute_types.display_name, blackboard_attributes.value_type, blackboard_attributes.value_text, blackboard_attributes.value_int32, blackboard_attributes.value_int64, blackboard_attributes.value_double", key) - attributes = autopsy_cur1.fetchall() - except Exception as e: - printerror(test_data, str(e)) - printerror(test_data, str(rw[3])) - print(test_data.image_name) - errorem += test_data.image_name + ":Attributes in artifact id (in output DB)# " + str(rw[3]) + " encountered an error: " + str(e) +" .\n" - looptry = False - print(test_data.artifact_fail) - test_data.artifact_fail += 1 - print(test_data.artifact_fail) - database_log.write('Error Extracting Attributes'); - - # Print attributes - if(looptry == True): - src = attributes[0][0] - for attr in attributes: - val = 3 + attr[2] - numvals = 0 - for x in range(3, 6): - if(attr[x] != None): - numvals += 1 - if(numvals > 1): - errorem += test_data.image_name + ":There were too many values for attribute type: " + attr[1] + " for artifact with id #" + str(rw[3]) + ".\n" - printerror(test_data, "There were too many values for attribute type: " + attr[1] + " for artifact with id #" + str(rw[3]) + " for image " + test_data.image_name + ".") - failedbool = True - if(not appnd): - attachl.append(autopsy_db_file) - appnd = True - if(not attr[0] == src): - errorem += test_data.image_name + ":There were inconsistent sources for artifact with id #" + str(rw[3]) + ".\n" - printerror(test_data, "There were inconsistent sources for artifact with id #" + str(rw[3]) + " for image " + test_data.image_name + ".") - failedbool = True - if(not appnd): - attachl.append(autopsy_db_file) - appnd = True - try: - database_log.write('') - database_log.write(' \n') - rw = autopsy_cur2.fetchone() - - # Now sort the file - srtcmdlst = ["sort", test_data.autopsy_data_file, "-o", test_data.sorted_data_file] - subprocess.call(srtcmdlst) - print(test_data.artifact_fail) - 
if(test_data.artifact_fail > 0): - errorem += test_data.image_name + ":There were " + str(test_data.artifact_count) + " artifacts and " + str(test_data.artifact_fail) + " threw an exception while loading.\n" - except Exception as e: - printerror(test_data, 'outer exception: ' + str(e)) - - # Dumps a database (minus the artifact and attributes) to a text file. - def _dump_output_db_nonbb(test_data): - # Make a copy of the DB - autopsy_db_file = Emailer.make_path(test_case.output_dir, test_data.image_name, - test_case.Img_Test_Folder, test_case.test_db_file) - backup_db_file = Emailer.make_path(test_case.output_dir, test_data.image_name, - test_case.Img_Test_Folder, "autopsy_backup.db") - copy_file(autopsy_db_file,backup_db_file) - autopsy_con = sqlite3.connect(backup_db_file) - - # Delete the blackboard tables - autopsy_con.execute("DROP TABLE blackboard_artifacts") - autopsy_con.execute("DROP TABLE blackboard_attributes") - dump_file = Emailer.make_path(test_case.output_dir, test_data.image_name, test_data.image_name + "Dump.txt") - database_log = codecs.open(dump_file, "wb", "utf_8") - dump_list = autopsy_con.iterdump() - try: - for line in dump_list: - try: - database_log.write(line + "\n") - except Exception as e: - printerror(test_data, "dump_output_db_nonbb: Inner dump Exception:" + str(e)) - except Exception as e: - printerror(test_data, "dump_output_db_nonbb: Outer dump Exception:" + str(e)) - - - # Dumps the given database to text files for later comparison - def dump_output_db(test_data): - autopsy_db_file = Emailer.make_path(test_case.output_dir, test_data.image_name, - test_case.Img_Test_Folder, test_case.test_db_file) - autopsy_con = sqlite3.connect(autopsy_db_file) - autopsy_cur = autopsy_con.cursor() - # Try to query the databases. 
Ignore any exceptions, the function will - # return an error later on if these do fail - DatabaseDiff._dump_output_db_bb(autopsy_con,autopsy_db_file, test_data) - DatabaseDiff._dump_output_db_nonbb(test_data) - - - -#-------------------------------------------------# -# Functions relating to comparing outputs # -#-------------------------------------------------# -class TestDiffer: - - # Compares results for a single test. Autopsy has already been run. - # test_data: TestData object - # databaseDiff: DatabaseDiff object created based on test_data - def run_diff(test_data, databaseDiff): - try: - gold_path = test_case.gold - # Tmp location to extract ZIP file into - img_gold = Emailer.make_path(test_case.gold, "tmp", test_data.image_name) - - # Open gold archive file - img_archive = Emailer.make_path("..", "output", "gold", test_data.image_name+"-archive.zip") - if(not Emailer.file_exists(img_archive)): - img_archive = Emailer.make_path(test_case.gold_parse, test_data.image_name+"-archive.zip") - gold_path = test_case.gold_parse - img_gold = Emailer.make_path(gold_path, "tmp", test_data.image_name) - extrctr = zipfile.ZipFile(img_archive, 'r', compression=zipfile.ZIP_DEFLATED) - extrctr.extractall(gold_path) - extrctr.close - time.sleep(2) - - # Lists of tests to run - TestDiffer._compare_errors(test_data) - - # Compare database count to gold - databaseDiff.compare_basic_counts() - - # Compare smart blackboard results - TestDiffer._compare_text(test_data.sorted_data_file, "SortedData", test_data) - - # Compare the rest of the database (non-BB) - TestDiffer._compare_text(test_data.test_dbdump, "DBDump", test_data) - - # Compare html output - TestDiffer._compare_to_gold_html(test_data) - - # Clean up tmp folder - del_dir(img_gold) - - except Exception as e: - printerror(test_data, "Tests failed due to an error, try rebuilding or creating gold standards.\n") - printerror(test_data, str(e) + "\n") - print(traceback.format_exc()) - - - - # @@@ _compare_text could be made 
more generic with how it forms the paths (i.e. not add ".txt" in the method) and probably merged with - # compare_errors since they both do basic comparison of text files - - # Compares two text files - # output_file: output text file - # gold_file: gold text file - # test_data: Test being performed - def _compare_text(output_file, gold_file, test_data): - gold_dir = Emailer.make_path(test_case.img_gold, test_data.image_name, test_data.image_name + gold_file + ".txt") - if(not Emailer.file_exists(gold_dir)): - gold_dir = Emailer.make_path(test_case.img_gold_parse, test_data.image_name, test_data.image_name + gold_file + ".txt") - if(not Emailer.file_exists(output_file)): - return - srtd_data = codecs.open(output_file, "r", "utf_8") - gold_data = codecs.open(gold_dir, "r", "utf_8") - gold_dat = gold_data.read() - srtd_dat = srtd_data.read() - if (not(gold_dat == srtd_dat)): - diff_dir = Emailer.make_local_path(test_case.output_dir, test_data.image_name, test_data.image_name+gold_file+"-Diff.txt") - diff_file = codecs.open(diff_dir, "wb", "utf_8") - dffcmdlst = ["diff", test_data.sorted_data_file, gold_dir] - subprocess.call(dffcmdlst, stdout = diff_file) - global attachl - global errorem - global failedbool - attachl.append(diff_dir) - errorem += test_data.image_name + ":There was a difference in the database file " + gold_file + ".\n" - printerror(test_data, "There was a database difference for " + test_data.image_name + " versus " + gold_file + ".\n") - failedbool = True - global imgfail - imgfail = True - - # Compare merged error log files - def _compare_errors(test_data): - gold_dir = Emailer.make_path(test_case.img_gold, test_data.image_name, test_data.image_name + "SortedErrors.txt") - if(not Emailer.file_exists(gold_dir)): - gold_dir = Emailer.make_path(test_case.img_gold_parse, test_data.image_name, test_data.image_name + "SortedErrors.txt") - common_log = codecs.open(test_data.sorted_log, "r", "utf_8") - gold_log = codecs.open(gold_dir, "r", "utf_8") - 
gold_dat = gold_log.read() - common_dat = common_log.read() - patrn = re.compile("\d") - if (not((re.sub(patrn, 'd', gold_dat)) == (re.sub(patrn, 'd', common_dat)))): - diff_dir = Emailer.make_local_path(test_case.output_dir, test_data.image_name, test_data.image_name+"AutopsyErrors-Diff.txt") - diff_file = open(diff_dir, "w") - dffcmdlst = ["diff", test_data.sorted_log, gold_dir] - subprocess.call(dffcmdlst, stdout = diff_file) - global attachl - global errorem - global failedbool - attachl.append(test_data.sorted_log) - attachl.append(diff_dir) - errorem += test_data.image_name + ":There was a difference in the exceptions Log.\n" - printerror(test_data, "Exceptions didn't match.\n") - failedbool = True - global imgfail - imgfail = True - - # Compare the html report file made by - # the regression test against the gold standard html report - def _compare_to_gold_html(test_data): - gold_html_file = Emailer.make_path(test_case.img_gold, test_data.image_name, "Report", "index.html") - if(not Emailer.file_exists(gold_html_file)): - gold_html_file = Emailer.make_path(test_case.img_gold_parse, test_data.image_name, "Report", "index.html") - htmlfolder = "" - for fs in os.listdir(Emailer.make_path(test_case.output_dir, test_data.image_name, test_case.Img_Test_Folder, "Reports")): - if os.path.isdir(Emailer.make_path(test_case.output_dir, test_data.image_name, test_case.Img_Test_Folder, "Reports", fs)): - htmlfolder = fs - autopsy_html_path = Emailer.make_path(test_case.output_dir, test_data.image_name, test_case.Img_Test_Folder, "Reports", htmlfolder, "HTML Report") - - - try: - autopsy_html_file = get_file_in_dir(autopsy_html_path, "index.html") - if not Emailer.file_exists(gold_html_file): - printerror(test_data, "Error: No gold html report exists at:") - printerror(test_data, gold_html_file + "\n") - return - if not Emailer.file_exists(autopsy_html_file): - printerror(test_data, "Error: No test_case html report exists at:") - printerror(test_data, autopsy_html_file + 
"\n") - return - #Find all gold .html files belonging to this test_case - ListGoldHTML = [] - for fs in os.listdir(Emailer.make_path(test_case.output_dir, test_data.image_name, test_case.Img_Test_Folder, "Reports", htmlfolder)): - if(fs.endswith(".html")): - ListGoldHTML.append(Emailer.make_path(test_case.output_dir, test_data.image_name, test_case.Img_Test_Folder, "Reports", htmlfolder, fs)) - #Find all new .html files belonging to this test_case - ListNewHTML = [] - if(os.path.exists(Emailer.make_path(test_case.img_gold, test_data.image_name))): - for fs in os.listdir(Emailer.make_path(test_case.img_gold, test_data.image_name)): - if (fs.endswith(".html")): - ListNewHTML.append(Emailer.make_path(test_case.img_gold, test_data.image_name, fs)) - if(not test_case.img_gold_parse == "" or test_case.img_gold == test_case.img_gold_parse): - if(Emailer.file_exists(Emailer.make_path(test_case.img_gold_parse, test_data.image_name))): - for fs in os.listdir(Emailer.make_path(test_case.img_gold_parse,test_data.image_name)): - if (fs.endswith(".html")): - ListNewHTML.append(Emailer.make_path(test_case.img_gold_parse, test_data.image_name, fs)) - #ensure both reports have the same number of files and are in the same order - if(len(ListGoldHTML) != len(ListNewHTML)): - printerror(test_data, "The reports did not have the same number of files. One of the reports may have been corrupted") - else: - ListGoldHTML.sort() - ListNewHTML.sort() - - total = {"Gold": 0, "New": 0} - for x in range(0, len(ListGoldHTML)): - count = TestDiffer._compare_report_files(ListGoldHTML[x], ListNewHTML[x]) - total["Gold"]+=count[0] - total["New"]+=count[1] - okay = "The test report matches the gold report." 
- errors=["Gold report had " + str(total["Gold"]) +" errors", "New report had " + str(total["New"]) + " errors."] - print_report(test_data, errors, "REPORT COMPARISON", okay) - if total["Gold"] == total["New"]: - test_data.report_passed = True - else: - printerror(test_data, "The reports did not match each other.\n " + errors[0] +" and the " + errors[1]) - except FileNotFoundException as e: - e.print_error() - except DirNotFoundException as e: - e.print_error() - except Exception as e: - printerror(test_data, "Error: Unknown fatal error comparing reports.") - printerror(test_data, str(e) + "\n") - logging.critical(traceback.format_exc()) - - # Compares file a to file b and any differences are returned - # Only works with report html files, as it searches for the first
    - def _compare_report_files(a_path, b_path): - a_file = open(a_path) - b_file = open(b_path) - a = a_file.read() - b = b_file.read() - a = a[a.find("
      "):] - b = b[b.find("
        "):] - - a_list = TestDiffer._split(a, 50) - b_list = TestDiffer._split(b, 50) - if not len(a_list) == len(b_list): - ex = (len(a_list), len(b_list)) - return ex - else: - return (0, 0) - - # Split a string into an array of string of the given size - def _split(input, size): - return [input[start:start+size] for start in range(0, len(input), size)] - -class TestData: - def __init__(self): - self.image = "" - self.image_file = "" - self.image_name = "" - self.sorted_log = "" - self.warning_log = "" - self.autopsy_data_file = "" - self.sorted_data_file = "" - self.common_log_path = "" - self.antlog_dir = "" - self.test_dbdump = "" - self.total_test_time = "" - self.start_date = "" - self.end_date = "" - self.total_ingest_time = "" - self.artifact_count = 0 - self.artifact_fail = 0 - self.heap_space = "" - self.service_times = "" - self.report_passed = False - # Error tracking - self.printerror = [] - self.printout = [] - def reset(self): - self.image = "" - self.image_file = "" - self.image_name = "" - self.sorted_log = "" - self.warning_log = "" - self.autopsy_data_file = "" - self.sorted_data_file = "" - self.common_log_path = "" - self.antlog_dir = "" - self.test_dbdump = "" - self.total_test_time = "" - self.start_date = "" - self.end_date = "" - self.total_ingest_time = "" - self.artifact_count = 0 - self.artifact_fail = 0 - self.heap_space = "" - self.service_times = "" - # Error tracking - self.printerror = [] - self.printout = [] - -class Reports: - def generate_reports(csv_path, database, test_data): - Reports._generate_html(database, test_data) - if test_case.global_csv: - Reports._generate_csv(test_case.global_csv, database, test_data) - else: - Reports._generate_csv(csv_path, database, test_data) - - # Generates the HTML log file - def _generate_html(database, test_data): - # If the file doesn't exist yet, this is the first test_case to run for - # this test, so we need to make the start of the html log - global imgfail - if not 
Emailer.file_exists(test_case.html_log): - Reports.write_html_head() - try: - global html - html = open(test_case.html_log, "a") - # The image title - title = "

        " + test_data.image_name + " \ - tested on " + socket.gethostname() + "

        \ -

        \ - Errors and Warnings |\ - Information |\ - General Output |\ - Logs\ -

        " - # The script errors found - if imgfail: - ids = 'errors1' - else: - ids = 'errors' - errors = "
        \ -

        Errors and Warnings

        \ -
        " - # For each error we have logged in the test_case - for error in test_data.printerror: - # Replace < and > to avoid any html display errors - errors += "

        " + error.replace("<", "<").replace(">", ">") + "

        " - # If there is a \n, we probably want a
        in the html - if "\n" in error: - errors += "
        " - errors += "
        " - - # Links to the logs - logs = "
        \ -

        Logs

        \ -
        " - logs_path = Emailer.make_local_path(test_case.output_dir, test_data.image_name, "logs") - for file in os.listdir(logs_path): - logs += "

        " + file + "

        " - logs += "
        " - - # All the testing information - info = "
        \ -

        Information

        \ -
        \ - " - # The individual elements - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "" - info += "
        Image Path:" + test_data.image_file + "
        Image Name:" + test_data.image_name + "
        test_case Output Directory:" + test_case.output_dir + "
        Autopsy Version:" + test_case.autopsy_version + "
        Heap Space:" + test_data.heap_space + "
        Test Start Date:" + test_data.start_date + "
        Test End Date:" + test_data.end_date + "
        Total Test Time:" + test_data.total_test_time + "
        Total Ingest Time:" + test_data.total_ingest_time + "
        Exceptions Count:" + str(len(get_exceptions(test_data))) + "
        Autopsy OutOfMemoryExceptions:" + str(len(search_logs("OutOfMemoryException", test_data))) + "
        Autopsy OutOfMemoryErrors:" + str(len(search_logs("OutOfMemoryError", test_data))) + "
        Tika OutOfMemoryErrors/Exceptions:" + str(Reports._get_num_memory_errors("tika", test_data)) + "
        Solr OutOfMemoryErrors/Exceptions:" + str(Reports._get_num_memory_errors("solr", test_data)) + "
        TskCoreExceptions:" + str(len(search_log_set("autopsy", "TskCoreException", test_data))) + "
        TskDataExceptions:" + str(len(search_log_set("autopsy", "TskDataException", test_data))) + "
        Ingest Messages Count:" + str(test_case.ingest_messages) + "
        Indexed Files Count:" + str(test_case.indexed_files) + "
        Indexed File Chunks Count:" + str(test_case.indexed_chunks) + "
        Out Of Disk Space:\ -

        (will skew other test results)

        " + str(len(search_log_set("autopsy", "Stopping ingest due to low disk space on disk", test_data))) + "
        TSK Objects Count:" + str(database.autopsy_objects) + "
        Artifacts Count:" + str(database.get_artifacts_count()) + "
        Attributes Count:" + str(database.autopsy_attributes) + "
        \ -
        " - # For all the general print statements in the test_case - output = "
        \ -

        General Output

        \ -
        " - # For each printout in the test_case's list - for out in test_data.printout: - output += "

        " + out + "

        " - # If there was a \n it probably means we want a
        in the html - if "\n" in out: - output += "
        " - output += "
        " - - html.write(title) - html.write(errors) - html.write(info) - html.write(logs) - html.write(output) - html.close() - except Exception as e: - printerror(test_data, "Error: Unknown fatal error when creating HTML log at:") - printerror(test_data, test_case.html_log) - printerror(test_data, str(e) + "\n") - logging.critical(traceback.format_exc()) - - # Writed the top of the HTML log file - def write_html_head(): - print(test_case.html_log) - html = open(str(test_case.html_log), "a") - head = "\ - \ - AutopsyTesttest_case Output\ - \ - \ - " - html.write(head) - html.close() - - # Writed the bottom of the HTML log file - def write_html_foot(): - html = open(test_case.html_log, "a") - head = "" - html.write(head) - html.close() - - # Adds all the image names to the HTML log for easy access - def html_add_images(full_image_names): - # If the file doesn't exist yet, this is the first test_case to run for - # this test, so we need to make the start of the html log - if not Emailer.file_exists(test_case.html_log): - Reports.write_html_head() - html = open(test_case.html_log, "a") - links = [] - for full_name in full_image_names: - name = test_case.get_image_name(full_name) - links.append("" + name + "") - html.write("

        " + (" | ".join(links)) + "

        ") - - # Generate the CSV log file - def _generate_csv(csv_path, database, test_data): - try: - # If the CSV file hasn't already been generated, this is the - # first run, and we need to add the column names - if not Emailer.file_exists(csv_path): - Reports.csv_header(csv_path) - # Now add on the fields to a new row - csv = open(csv_path, "a") - - # Variables that need to be written - vars = [] - vars.append( test_data.image_file ) - vars.append( test_data.image_name ) - vars.append( test_case.output_dir ) - vars.append( socket.gethostname() ) - vars.append( test_case.autopsy_version ) - vars.append( test_data.heap_space ) - vars.append( test_data.start_date ) - vars.append( test_data.end_date ) - vars.append( test_data.total_test_time ) - vars.append( test_data.total_ingest_time ) - vars.append( test_data.service_times ) - vars.append( str(len(get_exceptions(test_data))) ) - vars.append( str(Reports._get_num_memory_errors("autopsy", test_data)) ) - vars.append( str(Reports._get_num_memory_errors("tika", test_data)) ) - vars.append( str(Reports._get_num_memory_errors("solr", test_data)) ) - vars.append( str(len(search_log_set("autopsy", "TskCoreException", test_data))) ) - vars.append( str(len(search_log_set("autopsy", "TskDataException", test_data))) ) - vars.append( str(test_case.ingest_messages) ) - vars.append( str(test_case.indexed_files) ) - vars.append( str(test_case.indexed_chunks) ) - vars.append( str(len(search_log_set("autopsy", "Stopping ingest due to low disk space on disk", test_data))) ) - vars.append( str(database.autopsy_objects) ) - vars.append( str(database.get_artifacts_count()) ) - vars.append( str(database.autopsy_attributes) ) - vars.append( Emailer.make_local_path("gold", test_data.image_name, test_case.test_db_file) ) - vars.append( database.get_artifact_comparison() ) - vars.append( database.get_attribute_comparison() ) - vars.append( Emailer.make_local_path("gold", test_data.image_name, "standard.html") ) - vars.append( 
str(test_data.report_passed) ) - vars.append( test_case.ant_to_string() ) - # Join it together with a ", " - output = "|".join(vars) - output += "\n" - # Write to the log! - csv.write(output) - csv.close() - except Exception as e: - printerror(test_data, "Error: Unknown fatal error when creating CSV file at:") - printerror(test_data, csv_path) - printerror(test_data, str(e) + "\n") - print(traceback.format_exc()) - logging.critical(traceback.format_exc()) - - # Generates the CSV header (column names) - def csv_header(csv_path): - csv = open(csv_path, "w") - titles = [] - titles.append("Image Path") - titles.append("Image Name") - titles.append("Output test_case Directory") - titles.append("Host Name") - titles.append("Autopsy Version") - titles.append("Heap Space Setting") - titles.append("Test Start Date") - titles.append("Test End Date") - titles.append("Total Test Time") - titles.append("Total Ingest Time") - titles.append("Service Times") - titles.append("Autopsy Exceptions") - titles.append("Autopsy OutOfMemoryErrors/Exceptions") - titles.append("Tika OutOfMemoryErrors/Exceptions") - titles.append("Solr OutOfMemoryErrors/Exceptions") - titles.append("TskCoreExceptions") - titles.append("TskDataExceptions") - titles.append("Ingest Messages Count") - titles.append("Indexed Files Count") - titles.append("Indexed File Chunks Count") - titles.append("Out Of Disk Space") - titles.append("Tsk Objects Count") - titles.append("Artifacts Count") - titles.append("Attributes Count") - titles.append("Gold Database Name") - titles.append("Artifacts Comparison") - titles.append("Attributes Comparison") - titles.append("Gold Report Name") - titles.append("Report Comparison") - titles.append("Ant Command Line") - output = "|".join(titles) - output += "\n" - csv.write(output) - csv.close() - - # Returns the number of OutOfMemoryErrors and OutOfMemoryExceptions - # for a certain type of log - def _get_num_memory_errors(type, test_data): - return (len(search_log_set(type, 
"OutOfMemoryError", test_data)) + - len(search_log_set(type, "OutOfMemoryException", test_data))) - -class Logs: - def generate_log_data(test_data): - Logs._generate_common_log(test_data) - try: - Logs._fill_test_case_data(test_data) - except Exception as e: - printerror(test_data, "Error: Unknown fatal error when filling test_case data.") - printerror(test_data, str(e) + "\n") - logging.critical(traceback.format_exc()) - # If running in verbose mode (-v) - if test_case.args.verbose: - errors = Logs._report_all_errors() - okay = "No warnings or errors in any log files." - print_report(test_data, errors, "VERBOSE", okay) - # Generate the "common log": a log of all exceptions and warnings - # from each log file generated by Autopsy - def _generate_common_log(test_data): - try: - logs_path = Emailer.make_local_path(test_case.output_dir, test_data.image_name, "logs") - common_log = codecs.open(test_case.common_log_path, "w", "utf_8") - warning_log = codecs.open(test_data.warning_log, "w", "utf_8") - common_log.write("--------------------------------------------------\n") - common_log.write(test_data.image_name + "\n") - common_log.write("--------------------------------------------------\n") - rep_path = Emailer.make_local_path(test_case.output_dir) - rep_path = rep_path.replace("\\\\", "\\") - for file in os.listdir(logs_path): - log = codecs.open(Emailer.make_path(logs_path, file), "r", "utf_8") - for line in log: - line = line.replace(rep_path, "test_data") - if line.startswith("Exception"): - common_log.write(file +": " + line) - elif line.startswith("Error"): - common_log.write(file +": " + line) - elif line.startswith("SEVERE"): - common_log.write(file +":" + line) - else: - warning_log.write(file +": " + line) - log.close() - common_log.write("\n") - common_log.close() - print(test_data.sorted_log) - srtcmdlst = ["sort", test_case.common_log_path, "-o", test_data.sorted_log] - subprocess.call(srtcmdlst) - except Exception as e: - printerror(test_data, "Error: 
Unable to generate the common log.") - printerror(test_data, str(e) + "\n") - printerror(test_data, traceback.format_exc()) - logging.critical(traceback.format_exc()) - - # Fill in the global test_case's variables that require the log files - def _fill_test_case_data(test_data): - try: - # Open autopsy.log.0 - log_path = Emailer.make_path(test_case.output_dir, test_data.image_name, "logs", "autopsy.log.0") - log = open(log_path) - - # Set the test_case starting time based off the first line of autopsy.log.0 - # *** If logging time format ever changes this will break *** - test_data.start_date = log.readline().split(" org.")[0] - - # Set the test_case ending time based off the "create" time (when the file was copied) - test_data.end_date = time.ctime(os.path.getmtime(log_path)) - except Exception as e: - printerror(test_data, "Error: Unable to open autopsy.log.0.") - printerror(test_data, str(e) + "\n") - logging.warning(traceback.format_exc()) - # Set the test_case total test time - # Start date must look like: "Jul 16, 2012 12:57:53 PM" - # End date must look like: "Mon Jul 16 13:02:42 2012" - # *** If logging time format ever changes this will break *** - start = datetime.datetime.strptime(test_data.start_date, "%b %d, %Y %I:%M:%S %p") - end = datetime.datetime.strptime(test_data.end_date, "%a %b %d %H:%M:%S %Y") - test_data.total_test_time = str(end - start) - - try: - # Set Autopsy version, heap space, ingest time, and service times - - version_line = search_logs("INFO: Application name: Autopsy, version:", test_data)[0] - test_case.autopsy_version = Emailer.get_word_at(version_line, 5).rstrip(",") - - test_data.heap_space = search_logs("Heap memory usage:", test_data)[0].rstrip().split(": ")[1] - - ingest_line = search_logs("Ingest (including enqueue)", test_data)[0] - test_data.total_ingest_time = Emailer.get_word_at(ingest_line, 6).rstrip() - - message_line = search_log_set("autopsy", "Ingest messages count:", test_data)[0] - test_case.ingest_messages = 
int(message_line.rstrip().split(": ")[2]) - - files_line = search_log_set("autopsy", "Indexed files count:", test_data)[0] - test_case.indexed_files = int(files_line.rstrip().split(": ")[2]) - - chunks_line = search_log_set("autopsy", "Indexed file chunks count:", test_data)[0] - test_case.indexed_chunks = int(chunks_line.rstrip().split(": ")[2]) - except Exception as e: - printerror(test_data, "Error: Unable to find the required information to fill test_case data.") - printerror(test_data, str(e) + "\n") - logging.critical(traceback.format_exc()) - print(traceback.format_exc()) - try: - service_lines = search_log("autopsy.log.0", "to process()", test_data) - service_list = [] - for line in service_lines: - words = line.split(" ") - # Kind of forcing our way into getting this data - # If this format changes, the tester will break - i = words.index("secs.") - times = words[i-4] + " " - times += words[i-3] + " " - times += words[i-2] + " " - times += words[i-1] + " " - times += words[i] - service_list.append(times) - test_data.service_times = "; ".join(service_list) - except Exception as e: - printerror(test_data, "Error: Unknown fatal error when finding service times.") - printerror(test_data, str(e) + "\n") - logging.critical(traceback.format_exc()) - - # Returns all the errors found in the common log in a list - def _report_all_errors(): - try: - return get_warnings() + get_exceptions() - except Exception as e: - printerror(test_data, "Error: Unknown fatal error when reporting all errors.") - printerror(test_data, str(e) + "\n") - logging.warning(traceback.format_exc()) - # Searches the common log for any instances of a specific string. 
- def search_common_log(string, test_data): - results = [] - log = codecs.open(test_case.common_log_path, "r", "utf_8") - for line in log: - if string in line: - results.append(line) - log.close() - return results - -# Returns the type of image file, based off extension -class IMGTYPE: - RAW, ENCASE, SPLIT, UNKNOWN = range(4) - -def image_type(image_file): - ext_start = image_file.rfind(".") - if (ext_start == -1): - return IMGTYPE.UNKNOWN - ext = image_file[ext_start:].lower() - if (ext == ".img" or ext == ".dd"): - return IMGTYPE.RAW - elif (ext == ".e01"): - return IMGTYPE.ENCASE - elif (ext == ".aa" or ext == ".001"): - return IMGTYPE.SPLIT - else: - return IMGTYPE.UNKNOWN - -# Search through all the known log files for a specific string. -# Returns a list of all lines with that string -def search_logs(string, test_data): - logs_path = Emailer.make_local_path(test_case.output_dir, test_data.image_name, "logs") - results = [] - for file in os.listdir(logs_path): - log = codecs.open(Emailer.make_path(logs_path, file), "r", "utf_8") - for line in log: - if string in line: - results.append(line) - log.close() - return results - -# Searches the given log for the given string -# Returns a list of all lines with that string -def search_log(log, string, test_data): - logs_path = Emailer.make_local_path(test_case.output_dir, test_data.image_name, "logs", log) - try: - results = [] - log = codecs.open(logs_path, "r", "utf_8") - for line in log: - if string in line: - results.append(line) - log.close() - if results: - return results - except: - raise FileNotFoundException(logs_path) - -# Search through all the the logs of the given type -# Types include autopsy, tika, and solr -def search_log_set(type, string, test_data): - logs_path = Emailer.make_local_path(test_case.output_dir, test_data.image_name, "logs") - results = [] - for file in os.listdir(logs_path): - if type in file: - log = codecs.open(Emailer.make_path(logs_path, file), "r", "utf_8") - for line in log: - if 
string in line: - results.append(line) - log.close() - return results - -# Print a report for the given errors with the report name as name -# and if no errors are found, print the okay message -def print_report(test_data, errors, name, okay): - if errors: - printerror(test_data, "--------< " + name + " >----------") - for error in errors: - printerror(test_data, str(error)) - printerror(test_data, "--------< / " + name + " >--------\n") - else: - printout(test_data, "-----------------------------------------------------------------") - printout(test_data, "< " + name + " - " + okay + " />") - printout(test_data, "-----------------------------------------------------------------\n") - -# Used instead of the print command when printing out an error -def printerror(test_data, string): - print(string) - test_data.printerror.append(string) - -# Used instead of the print command when printing out anything besides errors -def printout(test_data, string): - print(string) - test_data.printout.append(string) - -#----------------------------------# -# Helper functions # -#----------------------------------# -# Returns a list of all the exceptions listed in all the autopsy logs -def get_exceptions(test_data): - exceptions = [] - logs_path = Emailer.make_path(test_case.output_dir, test_data.image_name, "logs") - results = [] - for file in os.listdir(logs_path): - if "autopsy.log" in file: - log = codecs.open(Emailer.make_path(logs_path, file), "r", "utf_8") - ex = re.compile("\SException") - er = re.compile("\SError") - for line in log: - if ex.search(line) or er.search(line): - exceptions.append(line) - log.close() - return exceptions - -# Returns a list of all the warnings listed in the common log -def get_warnings(test_data): - warnings = [] - common_log = codecs.open(test_data.warning_log, "r", "utf_8") - for line in common_log: - if "warning" in line.lower(): - warnings.append(line) - common_log.close() - return warnings - -def copy_logs(test_data): - try: - log_dir = 
os.path.join("..", "..", "Testing","build","test","qa-functional","work","userdir0","var","log") - shutil.copytree(log_dir, Emailer.make_local_path(test_case.output_dir, test_data.image_name, "logs")) - except Exception as e: - printerror(test_data,"Error: Failed to copy the logs.") - printerror(test_data,str(e) + "\n") - logging.warning(traceback.format_exc()) -# Clears all the files from a directory and remakes it -def clear_dir(dir): - try: - if Emailer.dir_exists(dir): - shutil.rmtree(dir) - os.makedirs(dir) - return True; - except Exception as e: - printerror(test_data,"Error: Cannot clear the given directory:") - printerror(test_data,dir + "\n") - print(str(e)) - return False; - -def del_dir(dir): - try: - if Emailer.dir_exists(dir): - shutil.rmtree(dir) - return True; - except: - printerror(test_data,"Error: Cannot delete the given directory:") - printerror(test_data,dir + "\n") - return False; -#Copies a given file from "ffrom" to "to" -def copy_file(ffrom, to): - try : - shutil.copy(ffrom, to) - except Exception as e: - print(str(e)) - print(traceback.format_exc()) - -# Copies a directory file from "ffrom" to "to" -def copy_dir(ffrom, to): - try : - if not os.path.isdir(ffrom): - raise FileNotFoundException(ffrom) - shutil.copytree(ffrom, to) - except: - raise FileNotFoundException(to) -# Returns the first file in the given directory with the given extension -def get_file_in_dir(dir, ext): - try: - for file in os.listdir(dir): - if file.endswith(ext): - return Emailer.make_path(dir, file) - # If nothing has been found, raise an exception - raise FileNotFoundException(dir) - except: - raise DirNotFoundException(dir) - -def find_file_in_dir(dir, name, ext): - try: - for file in os.listdir(dir): - if file.startswith(name): - if file.endswith(ext): - return Emailer.make_path(dir, file) - raise FileNotFoundException(dir) - except: - raise DirNotFoundException(dir) - -def setDay(): - global Day - Day = int(strftime("%d", localtime())) - -def getLastDay(): - 
return Day - -def getDay(): - return int(strftime("%d", localtime())) - -def newDay(): - return getLastDay() != getDay() - -# Returns the args of the test script -def usage(): - return """ -Usage: ./regression.py [-f FILE] [OPTIONS] - - Run RegressionTest.java, and compare the result with a gold standard. - By default, the script tests every image in ../input - When the -f flag is set, this script only tests a single given image. - When the -l flag is set, the script looks for a configuration file, - which may outsource to a new input directory and to individual images. - - Expected files: - An NSRL database at: ../input/nsrl.txt-md5.idx - A notable hash database at: ../input/notablehashes.txt-md5.idx - A notable keyword file at: ../input/notablekeywords.xml - -Options: - -r Rebuild the gold standards for the image(s) tested. - -i Ignores the ../input directory and all files within it. - -u Tells Autopsy not to ingest unallocated space. - -k Keeps each image's Solr index instead of deleting it. - -v Verbose mode; prints all errors to the screen. - -e ex Prints out all errors containing ex. - -l cfg Runs from configuration file cfg. - -c Runs in a loop over the configuration file until canceled. 
Must be used in conjunction with -l - -fr Will not try download gold standard images - """ - -#------------------------------------------------------------# -# Exception classes to manage "acceptable" thrown exceptions # -# versus unexpected and fatal exceptions # -#------------------------------------------------------------# - -# If a file cannot be found by one of the helper functions -# they will throw a FileNotFoundException unless the purpose -# is to return False -class FileNotFoundException(Exception): - def __init__(self, file): - self.file = file - self.strerror = "FileNotFoundException: " + file - - def print_error(self): - printerror(test_data,"Error: File could not be found at:") - printerror(test_data,self.file + "\n") - def error(self): - error = "Error: File could not be found at:\n" + self.file + "\n" - return error - -# If a directory cannot be found by a helper function, -# it will throw this exception -class DirNotFoundException(Exception): - def __init__(self, dir): - self.dir = dir - self.strerror = "DirNotFoundException: " + dir - - def print_error(self): - printerror(test_data, "Error: Directory could not be found at:") - printerror(test_data, self.dir + "\n") - def error(self): - error = "Error: Directory could not be found at:\n" + self.dir + "\n" - return error - -############################# -# Main Testing Functions # -############################# -class Test_Runner: - - #Executes the tests, makes continuous testing easier - # Identifies the tests to run and runs the tests - def run_tests(): - global parsed - global errorem - global failedbool - global html - global attachl - - # Setup output folder and reporting infrastructure - if(not Emailer.dir_exists(Emailer.make_path("..", "output", "results"))): - os.makedirs(Emailer.make_path("..", "output", "results",)) - test_case.output_dir = Emailer.make_path("..", "output", "results", time.strftime("%Y.%m.%d-%H.%M.%S")) - os.makedirs(test_case.output_dir) - test_case.csv = 
Emailer.make_local_path(test_case.output_dir, "CSV.txt") - test_case.html_log = Emailer.make_path(test_case.output_dir, "AutopsyTestCase.html") - test_data = TestData() - log_name = test_case.output_dir + "\\regression.log" - logging.basicConfig(filename=log_name, level=logging.DEBUG) - - - #Identify tests to run and populate test_case with list - # If user wants to do a single file and a list (contradictory?) - if test_case.args.single and test_case.args.list: - printerror(test_data, "Error: Cannot run both from config file and on a single file.") - return - # If working from a configuration file - if test_case.args.list: - if not Emailer.file_exists(test_case.args.config_file): - printerror(test_data, "Error: Configuration file does not exist at:") - printerror(test_data, test_case.args.config_file) - return - Test_Runner._load_config_file(test_case.args.config_file,test_data) - # Else if working on a single file - elif test_case.args.single: - if not Emailer.file_exists(test_case.args.single_file): - printerror(test_data, "Error: Image file does not exist at:") - printerror(test_data, test_case.args.single_file) - return - test_case.images.append(test_case.args.single_file) - - # If user has not selected a single file, and does not want to ignore - # the input directory, continue on to parsing ../input - if (not test_case.args.single) and (not test_case.args.ignore) and (not test_case.args.list): - test_case.args.config_file = "config.xml" - if not Emailer.file_exists(test_case.args.config_file): - printerror(test_data, "Error: Configuration file does not exist at:") - printerror(test_data, test_case.args.config_file) - return - Test_Runner._load_config_file(test_case.args.config_file, test_data) - - # Cycle through images in test_case and run tests - logres =[] - for img in test_case.images: - if Emailer.file_exists(img): - # Set the test_case to work for this test - test_data.image_file = str(img) - # @@@ This 0 should be be refactored out, but it will require 
rebuilding and changing of outputs. - test_data.image_name = test_case.get_image_name(test_data.image_file) + "(0)" - test_data.autopsy_data_file = Emailer.make_path(test_case.output_dir, test_data.image_name, test_data.image_name + "Autopsy_data.txt") - test_data.sorted_data_file = Emailer.make_path(test_case.output_dir, test_data.image_name, "Sorted_Autopsy_data.txt") - test_data.warning_log = Emailer.make_local_path(test_case.output_dir, test_data.image_name, "AutopsyLogs.txt") - test_data.antlog_dir = Emailer.make_local_path(test_case.output_dir, test_data.image_name, "antlog.txt") - test_data.test_dbdump = Emailer.make_path(test_case.output_dir, test_data.image_name, - test_data.image_name + "Dump.txt") - test_data.image = test_case.get_image_name(test_data.image_file) - - logres.append(Test_Runner._run_test(test_data)) - else: - printerror(test_data, "Warning: Image file listed in configuration does not exist:") - printerror(value + "\n") - test_data.reset() - Reports.write_html_foot() - html.close() - if (len(logres)>0): - failedbool = True - imgfail = True - passFail = False - for lm in logres: - for ln in lm: - errorem += ln - html.close() - if failedbool: - passFail = False - errorem += "The test output didn't match the gold standard.\n" - errorem += "Autopsy test failed.\n" - attachl.insert(0, html.name) - else: - errorem += "Autopsy test passed.\n" - passFail = True - attachl = [] - - # @@@ This fails here if we didn't parse an XML file - try: - Emailer.send_email(parsed, errorem, attachl, passFail) - except NameError: - printerror(test_data, "Could not send e-mail because of no XML file --maybe"); - - - # Run autopsy for a single test to generate output file and do comparison - # test_data: TestData object populated with locations and such for test - def _run_test(test_data): - global parsed - global imgfail - global failedbool - imgfail = False - if image_type(test_data.image_file) == IMGTYPE.UNKNOWN: - printerror(test_data, "Error: Image type is 
unrecognized:") - printerror(test_data, test_data.image_file + "\n") - return - - if(test_case.args.list): - element = parsed.getElementsByTagName("build") - if(len(element)<=0): - toval = Emailer.make_path("..", "build.xml") - else: - element = element[0] - toval = element.getAttribute("value").encode().decode("utf_8") - if(toval==None): - toval = Emailer.make_path("..", "build.xml") - else: - toval = Emailer.make_path("..", "build.xml") - test_case.build_path = toval - test_case.known_bad_path = Emailer.make_path(test_case.input_dir, "notablehashes.txt-md5.idx") - test_case.keyword_path = Emailer.make_path(test_case.input_dir, "notablekeywords.xml") - test_case.nsrl_path = Emailer.make_path(test_case.input_dir, "nsrl.txt-md5.idx") - logging.debug("--------------------") - logging.debug(test_data.image_name) - logging.debug("--------------------") - Test_Runner._run_ant(test_data) - time.sleep(2) # Give everything a second to process - - - # Autopsy has finished running, we will now process the results - test_case.common_log_path = Emailer.make_local_path(test_case.output_dir, test_data.image_name, test_data.image_name+test_case.common_log) - - # Dump the database before we diff or use it for rebuild - DatabaseDiff.dump_output_db(test_data) - - # merges logs into a single log for later diff / rebuild - copy_logs(test_data) - test_data.sorted_log = Emailer.make_local_path(test_case.output_dir, test_data.image_name, test_data.image_name + "SortedErrors.txt") - Logs.generate_log_data(test_data) - - # Look for core exceptions - # @@@ Should be moved to TestDiffer, but it didn't know about logres -- need to look into that - logres = Logs.search_common_log("TskCoreException", test_data) - - # Cleanup SOLR: If NOT keeping Solr index (-k) - if not test_case.args.keep: - solr_index = Emailer.make_path(test_case.output_dir, test_data.image_name, test_case.Img_Test_Folder, "ModuleOutput", "KeywordSearch") - if clear_dir(solr_index): - print_report(test_data, [], "DELETE SOLR 
INDEX", "Solr index deleted.") - elif test_case.args.keep: - print_report(test_data, [], "KEEP SOLR INDEX", "Solr index has been kept.") - - # If running in exception mode, print exceptions to log - if test_case.args.exception: - exceptions = search_logs(test_case.args.exception_string, test_data) - okay = "No warnings or exceptions found containing text '" + test_case.args.exception_string + "'." - print_report(test_data, exceptions, "EXCEPTION", okay) - - # @@@ We only need to create this here so that it can be passed into the - # Report because it stores results. Results should be stored somewhere else - # and then this can get pushed into only the diffing code. - databaseDiff = DatabaseDiff(test_data) - - # Now either diff or rebuild - if not test_case.args.rebuild: - TestDiffer.run_diff(test_data, databaseDiff) - # If running in rebuild mode (-r) - else: - Test_Runner.rebuild(test_data) - - # @@@ COnsider if we want to do this for a rebuild. - # Make the CSV log and the html log viewer - Reports.generate_reports(test_case.csv, databaseDiff, test_data) - # Reset the test_case and return the tests sucessfully finished - clear_dir(Emailer.make_path(test_case.output_dir, test_data.image_name, test_case.Img_Test_Folder, "ModuleOutput", "keywordsearch")) - if(failedbool): - attachl.append(test_case.common_log_path) - test_case.reset() - return logres - - # Iterates through an XML configuration file to find all given elements. 
Populates global test_case object with tests to run - # config_file: Path to the config file - # test_data: TestData object (@@@ Only being passed in for print messages) - def _load_config_file(config_file, test_data): - try: - global parsed - global errorem - global attachl - count = 0 - parsed = parse(config_file) - logres = [] - test_case - counts = {} - if parsed.getElementsByTagName("indir"): - test_case.input_dir = parsed.getElementsByTagName("indir")[0].getAttribute("value").encode().decode("utf_8") - if parsed.getElementsByTagName("global_csv"): - test_case.global_csv = parsed.getElementsByTagName("global_csv")[0].getAttribute("value").encode().decode("utf_8") - test_case.global_csv = Emailer.make_local_path(test_case.global_csv) - if parsed.getElementsByTagName("golddir"): - test_case.gold_parse = parsed.getElementsByTagName("golddir")[0].getAttribute("value").encode().decode("utf_8") - test_case.img_gold_parse = Emailer.make_path(test_case.gold_parse, 'tmp') - else: - test_case.gold_parse = test_case.gold - test_case.img_gold_parse = Emailer.make_path(test_case.gold_parse, 'tmp') - - # Generate the top navbar of the HTML for easy access to all images - images = [] - for element in parsed.getElementsByTagName("image"): - value = element.getAttribute("value").encode().decode("utf_8") - print ("Image in Config File: " + value) - if Emailer.file_exists(value): - test_case.images.append(value) - else: - printout(test_data, "File: " + value + " doesn't exist") - image_count = len(images) - Reports.html_add_images(images) - - # Sanity check to see if there are obvious gold images that we are not testing - gold_count = 0 - for file in os.listdir(test_case.gold): - if not(file == 'tmp'): - gold_count+=1 - - if (image_count > gold_count): - print("******Alert: There are more input images than gold standards, some images will not be properly tested.\n") - elif (image_count < gold_count): - print("******Alert: There are more gold standards than input images, this 
will not check all gold Standards.\n") - - except Exception as e: - printerror(test_data, "Error: There was an error running with the configuration file.") - printerror(test_data, str(e) + "\n") - logging.critical(traceback.format_exc()) - print(traceback.format_exc()) - - - # Rebuilds the gold standards by copying the test-generated database - # and html report files into the gold directory. Autopsy has already been run - def rebuild(test_data): - # Errors to print - errors = [] - if(test_case.gold_parse == "" ): - test_case.gold_parse = test_case.gold - test_case.img_gold_parse = test_case.img_gold - # Delete the current gold standards - gold_dir = test_case.img_gold_parse - clear_dir(test_case.img_gold_parse) - tmpdir = Emailer.make_path(gold_dir, test_data.image_name) - dbinpth = Emailer.make_path(test_case.output_dir, test_data.image_name, test_case.Img_Test_Folder, test_case.test_db_file) - dboutpth = Emailer.make_path(tmpdir, test_case.test_db_file) - dataoutpth = Emailer.make_path(tmpdir, test_data.image_name + "SortedData.txt") - dbdumpinpth = test_data.test_dbdump - dbdumpoutpth = Emailer.make_path(tmpdir, test_data.image_name + "DBDump.txt") - if not os.path.exists(test_case.img_gold_parse): - os.makedirs(test_case.img_gold_parse) - if not os.path.exists(gold_dir): - os.makedirs(gold_dir) - if not os.path.exists(tmpdir): - os.makedirs(tmpdir) - try: - copy_file(dbinpth, dboutpth) - if Emailer.file_exists(test_data.sorted_data_file): - copy_file(test_data.sorted_data_file, dataoutpth) - copy_file(dbdumpinpth, dbdumpoutpth) - error_pth = Emailer.make_path(tmpdir, test_data.image_name+"SortedErrors.txt") - copy_file(test_data.sorted_log, error_pth) - except Exception as e: - printerror(test_data, str(e)) - print(str(e)) - print(traceback.format_exc()) - # Rebuild the HTML report - htmlfolder = "" - for fs in os.listdir(os.path.join(os.getcwd(),test_case.output_dir, test_data.image_name, test_case.Img_Test_Folder, "Reports")): - if 
os.path.isdir(os.path.join(os.getcwd(), test_case.output_dir, test_data.image_name, test_case.Img_Test_Folder, "Reports", fs)): - htmlfolder = fs - autopsy_html_path = Emailer.make_local_path(test_case.output_dir, test_data.image_name, test_case.Img_Test_Folder, "Reports", htmlfolder) - - html_path = Emailer.make_path(test_case.output_dir, test_data.image_name, - test_case.Img_Test_Folder, "Reports") - try: - if not os.path.exists(Emailer.make_path(tmpdir, htmlfolder)): - os.makedirs(Emailer.make_path(tmpdir, htmlfolder)) - for file in os.listdir(autopsy_html_path): - html_to = Emailer.make_path(tmpdir, file.replace("HTML Report", "Report")) - copy_dir(get_file_in_dir(autopsy_html_path, file), html_to) - except FileNotFoundException as e: - errors.append(e.error) - except Exception as e: - errors.append("Error: Unknown fatal error when rebuilding the gold html report.") - errors.append(str(e) + "\n") - print(traceback.format_exc()) - oldcwd = os.getcwd() - zpdir = gold_dir - os.chdir(zpdir) - os.chdir("..") - img_gold = "tmp" - img_archive = Emailer.make_path(test_data.image_name+"-archive.zip") - comprssr = zipfile.ZipFile(img_archive, 'w',compression=zipfile.ZIP_DEFLATED) - Test_Runner.zipdir(img_gold, comprssr) - comprssr.close() - os.chdir(oldcwd) - del_dir(test_case.img_gold_parse) - okay = "Sucessfully rebuilt all gold standards." 
- print_report(test_data, errors, "REBUILDING", okay)
-
- def zipdir(path, zip):
- for root, dirs, files in os.walk(path):
- for file in files:
- zip.write(os.path.join(root, file))
-
- # Tests Autopsy with RegressionTest.java by by running
- # the build.xml file through ant
- def _run_ant(test_data):
- # Set up the directories
- test_case_path = os.path.join(test_case.output_dir, test_data.image_name)
- if Emailer.dir_exists(test_case_path):
- shutil.rmtree(test_case_path)
- os.makedirs(test_case_path)
- test_case.ant = ["ant"]
- test_case.ant.append("-v")
- test_case.ant.append("-f")
- # case.ant.append(case.build_path)
- test_case.ant.append(os.path.join("..","..","Testing","build.xml"))
- test_case.ant.append("regression-test")
- test_case.ant.append("-l")
- test_case.ant.append(test_data.antlog_dir)
- test_case.ant.append("-Dimg_path=" + test_data.image_file)
- test_case.ant.append("-Dknown_bad_path=" + test_case.known_bad_path)
- test_case.ant.append("-Dkeyword_path=" + test_case.keyword_path)
- test_case.ant.append("-Dnsrl_path=" + test_case.nsrl_path)
- test_case.ant.append("-Dgold_path=" + Emailer.make_path(test_case.gold))
- test_case.ant.append("-Dout_path=" + Emailer.make_local_path(test_case.output_dir, test_data.image_name))
- test_case.ant.append("-Dignore_unalloc=" + "%s" % test_case.args.unallocated)
- test_case.ant.append("-Dtest.timeout=" + str(test_case.timeout))
-
- printout(test_data, "Ingesting Image:\n" + test_data.image_file + "\n")
- printout(test_data, "CMD: " + " ".join(test_case.ant))
- printout(test_data, "Starting test...\n")
- antoutpth = Emailer.make_local_path(test_case.output_dir, "antRunOutput.txt")
- antout = open(antoutpth, "a")
- if SYS is OS.CYGWIN:
- subprocess.call(test_case.ant, stdout=subprocess.PIPE)
- elif SYS is OS.WIN:
- theproc = subprocess.Popen(test_case.ant, shell = True, stdout=subprocess.PIPE)
- theproc.communicate()
- antout.close()
-
-#----------------------#
-# Main #
-#----------------------#
-def main():
- # Global variables
- global failedbool
- global inform
- global fl
- global test_case
- global errorem
- global attachl
- global daycount
- global redo
- global passed
- daycount = 0
- failedbool = False
- redo = False
- errorem = ""
- args = Args()
- test_case = TestAutopsy(args)
- attachl = []
- passed = False
- # The arguments were given wrong:
- if not args.parse():
- case.reset()
- return
- if(not args.fr):
- antin = ["ant"]
- antin.append("-f")
- antin.append(os.path.join("..","..","build.xml"))
- antin.append("test-download-imgs")
- if SYS is OS.CYGWIN:
- subprocess.call(antin)
- elif SYS is OS.WIN:
- theproc = subprocess.Popen(antin, shell = True, stdout=subprocess.PIPE)
- theproc.communicate()
- # Otherwise test away!
- Test_Runner.run_tests()
-
-class OS:
- LINUX, MAC, WIN, CYGWIN = range(4)
-if __name__ == "__main__":
- global SYS
- if _platform == "linux" or _platform == "linux2":
- SYS = OS.LINUX
- elif _platform == "darwin":
- SYS = OS.MAC
- elif _platform == "win32":
- SYS = OS.WIN
- elif _platform == "cygwin":
- SYS = OS.CYGWIN
-
- if SYS is OS.WIN or SYS is OS.CYGWIN:
- main()
- else:
- print("We only support Windows and Cygwin at this time.")
\ No newline at end of file
+#!/usr/bin/python
+# -*- coding: utf_8 -*-
+
+ # Autopsy Forensic Browser
+ #
+ # Copyright 2013 Basis Technology Corp.
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
+import codecs
+import datetime
+import logging
+import os
+import re
+import shutil
+import socket
+import sqlite3
+import subprocess
+import sys
+from sys import platform as _platform
+import time
+import traceback
+import xml
+from time import localtime, strftime
+from xml.dom.minidom import parse, parseString
+import smtplib
+from email.mime.image import MIMEImage
+from email.mime.multipart import MIMEMultipart
+from email.mime.text import MIMEText
+import re
+import zipfile
+import zlib
+import Emailer
+import srcupdater
+from regression_utils import *
+
+#
+# Please read me...
+#
+# This is the regression testing Python script.
+# It uses an ant command to run build.xml for RegressionTest.java
+#
+# The code is cleanly sectioned and commented.
+# Please follow the current formatting.
+# It is a long and potentially confusing script.
+#
+# Variable, function, and class names are written in Python conventions:
+# this_is_a_variable this_is_a_function() ThisIsAClass
+#
+#
+
+
+# Data Definitions:
+#
+# pathto_X: A path to type X.
+# ConfigFile: An XML file formatted according to the template in myconfig.xml
+# ParsedConfig: A dom object that represents a ConfigFile
+# SQLCursor: A cursor recieved from a connection to an SQL database
+# Nat: A Natural Number
+# Image: An image
+#
+
+# Enumeration of database types used for the simplification of generating database paths
+DBType = enum('OUTPUT', 'GOLD', 'BACKUP')
+
+# Common filename of the output and gold databases (although they are in different directories
+DB_FILENAME = "autopsy.db"
+
+# Backup database filename
+BACKUP_DB_FILENAME = "autopsy_backup.db"
+
+# TODO: Double check this purpose statement
+# Folder name for gold standard database testing
+AUTOPSY_TEST_CASE = "AutopsyTestCase"
+
+# TODO: Double check this purpose statement
+# The filename of the log to store error messages
+COMMON_LOG = "AutopsyErrors.txt"
+
+Day = 0
+
+#----------------------#
+# Main #
+#----------------------#
+def main():
+ """Parse the command-line arguments, create the configuration, and run the tests."""
+ args = Args()
+ parse_result = args.parse()
+ test_config = TestConfiguration(args)
+ # The arguments were given wrong:
+ if not parse_result:
+ return
+ if(not args.fr):
+ antin = ["ant"]
+ antin.append("-f")
+ antin.append(os.path.join("..","..","build.xml"))
+ antin.append("test-download-imgs")
+ if SYS is OS.CYGWIN:
+ subprocess.call(antin)
+ elif SYS is OS.WIN:
+ theproc = subprocess.Popen(antin, shell = True, stdout=subprocess.PIPE)
+ theproc.communicate()
+ # Otherwise test away!
+ TestRunner.run_tests(test_config)
+
+
+class TestRunner(object):
+ """A collection of functions to run the regression tests."""
+
+ def run_tests(test_config):
+ """Run the tests specified by the main TestConfiguration.
+
+ Executes the AutopsyIngest for each image and dispatches the results based on
+ the mode (rebuild or testing)
+ """
+ test_data_list = [ TestData(image, test_config) for image in test_config.images ]
+
+ Reports.html_add_images(test_config.html_log, test_config.images)
+
+ logres =[]
+ for test_data in test_data_list:
+ Errors.clear_print_logs()
+ Errors.set_testing_phase(test_data.image)
+ if not (test_config.args.rebuild or os.path.exists(test_data.gold_archive)):
+ msg = "Gold standard doesn't exist, skipping image:"
+ Errors.print_error(msg)
+ Errors.print_error(test_data.gold_archive)
+ continue
+ TestRunner._run_autopsy_ingest(test_data)
+
+ if test_config.args.rebuild:
+ TestRunner.rebuild(test_data)
+ else:
+ logres.append(TestRunner._run_test(test_data))
+ test_data.printout = Errors.printout
+ test_data.printerror = Errors.printerror
+
+ Reports.write_html_foot(test_config.html_log)
+ # TODO: move this elsewhere
+ if (len(logres)>0):
+ for lm in logres:
+ for ln in lm:
+ Errors.add_email_msg(ln)
+
+ # TODO: possibly worth putting this in a sub method
+ if all([ test_data.overall_passed for test_data in test_data_list ]):
+ Errors.add_email_msg("All images passed.\n")
+ else:
+ msg = "The following images failed:\n"
+ for test_data in test_data_list:
+ if not test_data.overall_passed:
+ msg += "\t" + test_data.image + "\n"
+ Errors.add_email_msg(msg)
+ html = open(test_config.html_log)
+ Errors.add_email_attachment(html.name)
+ html.close()
+
+ if test_config.email_enabled:
+ Emailer.send_email(test_config.mail_to, test_config.mail_server,
+ test_config.mail_subject, Errors.email_body, Errors.email_attachs)
+
+ def _run_autopsy_ingest(test_data):
+ """Run Autopsy ingest for the image in the given TestData.
+
+ Also generates the necessary logs for rebuilding or diff.
+
+ Args:
+ test_data: the TestData to run the ingest on.
+ """
+ if image_type(test_data.image_file) == IMGTYPE.UNKNOWN:
+ Errors.print_error("Error: Image type is unrecognized:")
+ Errors.print_error(test_data.image_file + "\n")
+ return
+
+ logging.debug("--------------------")
+ logging.debug(test_data.image_name)
+ logging.debug("--------------------")
+ TestRunner._run_ant(test_data)
+ time.sleep(2) # Give everything a second to process
+
+ try:
+ # Dump the database before we diff or use it for rebuild
+ TskDbDiff.dump_output_db(test_data)
+ except sqlite3.OperationalError as e:
+ print("Ingest did not run properly.",
+ "Make sure no other instances of Autopsy are open and try again.")
+ sys.exit()
+
+ # merges logs into a single log for later diff / rebuild
+ copy_logs(test_data)
+ Logs.generate_log_data(test_data)
+
+ TestRunner._handle_solr(test_data)
+ TestRunner._handle_exception(test_data)
+
+ #TODO: figure out return type of _run_test (logres)
+ def _run_test(test_data):
+ """Compare the results of the output to the gold standard.
+
+ Args:
+ test_data: the TestData
+
+ Returns:
+ logres?
+ """ + TestRunner._extract_gold(test_data) + + # Look for core exceptions + # @@@ Should be moved to TestResultsDiffer, but it didn't know about logres -- need to look into that + logres = Logs.search_common_log("TskCoreException", test_data) + + TestResultsDiffer.run_diff(test_data) + test_data.overall_passed = (test_data.html_report_passed and + test_data.errors_diff_passed and test_data.sorted_data_passed and + test_data.db_dump_passed and test_data.db_diff_results.passed) + + Reports.generate_reports(test_data) + if(not test_data.overall_passed): + Errors.add_email_attachment(test_data.common_log_path) + return logres + + def _extract_gold(test_data): + """Extract gold archive file to output/gold/tmp/ + + Args: + test_data: the TestData + """ + extrctr = zipfile.ZipFile(test_data.gold_archive, 'r', compression=zipfile.ZIP_DEFLATED) + extrctr.extractall(test_data.main_config.gold) + extrctr.close + time.sleep(2) + + def _handle_solr(test_data): + """Clean up SOLR index if in keep mode (-k). + + Args: + test_data: the TestData + """ + if not test_data.main_config.args.keep: + if clear_dir(test_data.solr_index): + print_report([], "DELETE SOLR INDEX", "Solr index deleted.") + else: + print_report([], "KEEP SOLR INDEX", "Solr index has been kept.") + + def _handle_exception(test_data): + """If running in exception mode, print exceptions to log. + + Args: + test_data: the TestData + """ + if test_data.main_config.args.exception: + exceptions = search_logs(test_data.main_config.args.exception_string, test_data) + okay = ("No warnings or exceptions found containing text '" + + test_data.main_config.args.exception_string + "'.") + print_report(exceptions, "EXCEPTION", okay) + + def rebuild(test_data): + """Rebuild the gold standard with the given TestData. + + Copies the test-generated database and html report files into the gold directory. 
+ """ + test_config = test_data.main_config + # Errors to print + errors = [] + # Delete the current gold standards + gold_dir = test_config.img_gold + clear_dir(test_config.img_gold) + tmpdir = make_path(gold_dir, test_data.image_name) + dbinpth = test_data.get_db_path(DBType.OUTPUT) + dboutpth = make_path(tmpdir, DB_FILENAME) + dataoutpth = make_path(tmpdir, test_data.image_name + "SortedData.txt") + dbdumpinpth = test_data.get_db_dump_path(DBType.OUTPUT) + dbdumpoutpth = make_path(tmpdir, test_data.image_name + "DBDump.txt") + if not os.path.exists(test_config.img_gold): + os.makedirs(test_config.img_gold) + if not os.path.exists(tmpdir): + os.makedirs(tmpdir) + try: + shutil.copy(dbinpth, dboutpth) + if file_exists(test_data.get_sorted_data_path(DBType.OUTPUT)): + shutil.copy(test_data.get_sorted_data_path(DBType.OUTPUT), dataoutpth) + shutil.copy(dbdumpinpth, dbdumpoutpth) + error_pth = make_path(tmpdir, test_data.image_name+"SortedErrors.txt") + shutil.copy(test_data.sorted_log, error_pth) + except IOError as e: + Errors.print_error(str(e)) + Errors.add_email_message("Not rebuilt properly") + print(str(e)) + print(traceback.format_exc()) + # Rebuild the HTML report + output_html_report_dir = test_data.get_html_report_path(DBType.OUTPUT) + gold_html_report_dir = make_path(tmpdir, "Report") + + try: + shutil.copytree(output_html_report_dir, gold_html_report_dir) + except OSError as e: + errors.append(e.error()) + except Exception as e: + errors.append("Error: Unknown fatal error when rebuilding the gold html report.") + errors.append(str(e) + "\n") + print(traceback.format_exc()) + oldcwd = os.getcwd() + zpdir = gold_dir + os.chdir(zpdir) + os.chdir("..") + img_gold = "tmp" + img_archive = make_path(test_data.image_name+"-archive.zip") + comprssr = zipfile.ZipFile(img_archive, 'w',compression=zipfile.ZIP_DEFLATED) + TestRunner.zipdir(img_gold, comprssr) + comprssr.close() + os.chdir(oldcwd) + del_dir(test_config.img_gold) + okay = "Sucessfully rebuilt all gold 
standards." + print_report(errors, "REBUILDING", okay) + + def zipdir(path, zip): + for root, dirs, files in os.walk(path): + for file in files: + zip.write(os.path.join(root, file)) + + def _run_ant(test_data): + """Construct and run the ant build command for the given TestData. + + Tests Autopsy by calling RegressionTest.java via the ant build file. + + Args: + test_data: the TestData + """ + test_config = test_data.main_config + # Set up the directories + if dir_exists(test_data.output_path): + shutil.rmtree(test_data.output_path) + os.makedirs(test_data.output_path) + test_data.ant = ["ant"] + test_data.ant.append("-v") + test_data.ant.append("-f") + # case.ant.append(case.build_path) + test_data.ant.append(os.path.join("..","..","Testing","build.xml")) + test_data.ant.append("regression-test") + test_data.ant.append("-l") + test_data.ant.append(test_data.antlog_dir) + test_data.ant.append("-Dimg_path=" + test_data.image_file) + test_data.ant.append("-Dknown_bad_path=" + test_config.known_bad_path) + test_data.ant.append("-Dkeyword_path=" + test_config.keyword_path) + test_data.ant.append("-Dnsrl_path=" + test_config.nsrl_path) + test_data.ant.append("-Dgold_path=" + test_config.gold) + test_data.ant.append("-Dout_path=" + + make_local_path(test_data.output_path)) + test_data.ant.append("-Dignore_unalloc=" + "%s" % test_config.args.unallocated) + test_data.ant.append("-Dtest.timeout=" + str(test_config.timeout)) + + Errors.print_out("Ingesting Image:\n" + test_data.image_file + "\n") + Errors.print_out("CMD: " + " ".join(test_data.ant)) + Errors.print_out("Starting test...\n") + antoutpth = make_local_path(test_data.main_config.output_dir, "antRunOutput.txt") + antout = open(antoutpth, "a") + if SYS is OS.CYGWIN: + subprocess.call(test_data.ant, stdout=subprocess.PIPE) + elif SYS is OS.WIN: + theproc = subprocess.Popen(test_data.ant, shell = True, stdout=subprocess.PIPE) + theproc.communicate() + antout.close() + + +class TestData(object): + """Container for 
the input and output of a single image.
+
+ Represents data for the test of a single image, including path to the image,
+ database paths, etc.
+
+ Attributes:
+ main_config: the global TestConfiguration
+ ant: a listof_String, the ant command for this TestData
+ image_file: a pathto_Image, the image for this TestData
+ image: a String, the image file's name
+ image_name: a String, the image file's name with a trailing (0)
+ output_path: pathto_Dir, the output directory for this TestData
+ autopsy_data_file: a pathto_File, the IMAGE_NAMEAutopsy_data.txt file
+ warning_log: a pathto_File, the AutopsyLogs.txt file
+ antlog_dir: a pathto_File, the antlog.txt file
+ test_dbdump: a pathto_File, the database dump, IMAGENAMEDump.txt
+ common_log_path: a pathto_File, the IMAGE_NAMECOMMON_LOG file
+ sorted_log: a pathto_File, the IMAGENAMESortedErrors.txt file
+ reports_dir: a pathto_Dir, the AutopsyTestCase/Reports folder
+ gold_data_dir: a pathto_Dir, the gold standard directory
+ gold_archive: a pathto_File, the gold standard archive
+ logs_dir: a pathto_Dir, the location where autopsy logs are stored
+ solr_index: a pathto_Dir, the locatino of the solr index
+ db_diff_results: a DiffResults, the results of the database comparison
+ html_report_passed: a boolean, did the HTML report diff pass?
+ errors_diff_passed: a boolean, did the error diff pass?
+ db_dump_passed: a boolean, did the db dump diff pass?
+ overall_passed: a boolean, did the test pass?
+ total_test_time: a String representation of the test duration
+ start_date: a String representation of this TestData's start date
+ end_date: a String representation of the TestData's end date
+ total_ingest_time: a String representation of the total ingest time
+ artifact_count: a Nat, the number of artifacts
+ artifact_fail: a Nat, the number of artifact failures
+ heap_space: a String representation of TODO
+ service_times: a String representation of TODO
+ autopsy_version: a String, the version of autopsy that was run
+ ingest_messages: a Nat, the number of ingest messages
+ indexed_files: a Nat, the number of files indexed during the ingest
+ indexed_chunks: a Nat, the number of chunks indexed during the ingest
+ printerror: a listof_String, the error messages printed during this TestData's test
+ printout: a listof_String, the messages pritned during this TestData's test
+ """
+
+ def __init__(self, image, main_config):
+ """Init this TestData with it's image and the test configuration.
+
+ Args:
+ image: the Image to be tested.
+ main_config: the global TestConfiguration.
+ """
+ # Configuration Data
+ self.main_config = main_config
+ self.ant = []
+ self.image_file = str(image)
+ # TODO: This 0 should be be refactored out, but it will require rebuilding and changing of outputs.
+ self.image = get_image_name(self.image_file) + self.image_name = self.image + "(0)" + # Directory structure and files + self.output_path = make_path(self.main_config.output_dir, self.image_name) + self.autopsy_data_file = make_path(self.output_path, self.image_name + "Autopsy_data.txt") + self.warning_log = make_local_path(self.output_path, "AutopsyLogs.txt") + self.antlog_dir = make_local_path(self.output_path, "antlog.txt") + self.test_dbdump = make_path(self.output_path, self.image_name + + "DBDump.txt") + self.common_log_path = make_local_path(self.output_path, self.image_name + COMMON_LOG) + self.sorted_log = make_local_path(self.output_path, self.image_name + "SortedErrors.txt") + self.reports_dir = make_path(self.output_path, AUTOPSY_TEST_CASE, "Reports") + self.gold_data_dir = make_path(self.main_config.img_gold, self.image_name) + self.gold_archive = make_path(self.main_config.gold, + self.image_name + "-archive.zip") + self.logs_dir = make_path(self.output_path, "logs") + self.solr_index = make_path(self.output_path, AUTOPSY_TEST_CASE, + "ModuleOutput", "KeywordSearch") + # Results and Info + self.db_diff_results = None + self.html_report_passed = False + self.errors_diff_passed = False + self.sorted_data_passed = False + self.db_dump_passed = False + self.overall_passed = False + # Ingest info + self.total_test_time = "" + self.start_date = "" + self.end_date = "" + self.total_ingest_time = "" + self.artifact_count = 0 + self.artifact_fail = 0 + self.heap_space = "" + self.service_times = "" + self.autopsy_version = "" + self.ingest_messages = 0 + self.indexed_files = 0 + self.indexed_chunks = 0 + # Error tracking + self.printerror = [] + self.printout = [] + + def ant_to_string(self): + string = "" + for arg in self.ant: + string += (arg + " ") + return string + + def get_db_path(self, db_type): + """Get the path to the database file that corresponds to the given DBType. + + Args: + DBType: the DBType of the path to be generated. 
+ """ + if(db_type == DBType.GOLD): + db_path = make_path(self.gold_data_dir, DB_FILENAME) + elif(db_type == DBType.OUTPUT): + db_path = make_path(self.main_config.output_dir, self.image_name, AUTOPSY_TEST_CASE, DB_FILENAME) + else: + db_path = make_path(self.main_config.output_dir, self.image_name, AUTOPSY_TEST_CASE, BACKUP_DB_FILENAME) + return db_path + + def get_html_report_path(self, html_type): + """Get the path to the HTML Report folder that corresponds to the given DBType. + + Args: + DBType: the DBType of the path to be generated. + """ + if(html_type == DBType.GOLD): + return make_path(self.gold_data_dir, "Report") + else: + # Autopsy creates an HTML report folder in the form AutopsyTestCase DATE-TIME + # It's impossible to get the exact time the folder was created, but the folder + # we are looking for is the only one in the self.reports_dir folder + html_path = "" + for fs in os.listdir(self.reports_dir): + html_path = make_path(self.reports_dir, fs) + if os.path.isdir(html_path): + break + return make_path(html_path, os.listdir(html_path)[0]) + + def get_sorted_data_path(self, file_type): + """Get the path to the SortedData file that corresponds to the given DBType. + + Args: + file_type: the DBType of the path to be generated + """ + return self._get_path_to_file(file_type, "SortedData.txt") + + def get_sorted_errors_path(self, file_type): + """Get the path to the SortedErrors file that correspodns to the given + DBType. + + Args: + file_type: the DBType of the path to be generated + """ + return self._get_path_to_file(file_type, "SortedErrors.txt") + + def get_db_dump_path(self, file_type): + """Get the path to the DBDump file that corresponds to the given DBType. + + Args: + file_type: the DBType of the path to be generated + """ + return self._get_path_to_file(file_type, "DBDump.txt") + + def _get_path_to_file(self, file_type, file_name): + """Get the path to the specified file with the specified type. 
+ + Args: + file_type: the DBType of the path to be generated + file_name: a String, the filename of the path to be generated + """ + full_filename = self.image_name + file_name + if(file_type == DBType.GOLD): + return make_path(self.gold_data_dir, full_filename) + else: + return make_path(self.output_path, full_filename) + + +class TestConfiguration(object): + """Container for test configuration data. + + The Master Test Configuration. Encapsulates consolidated high level input from + config XML file and command-line arguments. + + Attributes: + args: an Args, the command line arguments + output_dir: a pathto_Dir, the output directory + input_dir: a pathto_Dir, the input directory + gold: a pathto_Dir, the gold directory + img_gold: a pathto_Dir, the temp directory where gold images are unzipped to + csv: a pathto_File, the local csv file + global_csv: a pathto_File, the global csv file + html_log: a pathto_File + known_bad_path: + keyword_path: + nsrl_path: + build_path: a pathto_File, the ant build file which runs the tests + autopsy_version: + ingest_messages: a Nat, number of ingest messages + indexed_files: a Nat, the number of indexed files + indexed_chunks: a Nat, the number of indexed chunks + timer: + images: a listof_Image, the images to be tested + timeout: a Nat, the amount of time before killing the test + ant: a listof_String, the ant command to run the tests + """ + + def __init__(self, args): + """Inits TestConfiguration and loads a config file if available. + + Args: + args: an Args, the command line arguments. 
+ """ + self.args = args + # Paths: + self.output_dir = "" + self.input_dir = make_local_path("..","input") + self.gold = make_path("..", "output", "gold") + self.img_gold = make_path(self.gold, 'tmp') + # Logs: + self.csv = "" + self.global_csv = "" + self.html_log = "" + # Ant info: + self.known_bad_path = make_path(self.input_dir, "notablehashes.txt-md5.idx") + self.keyword_path = make_path(self.input_dir, "notablekeywords.xml") + self.nsrl_path = make_path(self.input_dir, "nsrl.txt-md5.idx") + self.build_path = make_path("..", "build.xml") + # Infinite Testing info + timer = 0 + self.images = [] + # Email info + self.email_enabled = False + self.mail_server = "" + self.mail_to = "" + self.mail_subject = "" + # Set the timeout to something huge + # The entire tester should not timeout before this number in ms + # However it only seems to take about half this time + # And it's very buggy, so we're being careful + self.timeout = 24 * 60 * 60 * 1000 * 1000 + + if not self.args.single: + self._load_config_file(self.args.config_file) + else: + self.images.append(self.args.single_file) + self._init_logs() + #self._init_imgs() + #self._init_build_info() + + + def _load_config_file(self, config_file): + """Updates this TestConfiguration's attributes from the config file. + + Initializes this TestConfiguration by iterating through the XML config file + command-line argument. 
Populates self.images and optional email configuration + + Args: + config_file: ConfigFile - the configuration file to load + """ + try: + count = 0 + parsed_config = parse(config_file) + logres = [] + counts = {} + if parsed_config.getElementsByTagName("indir"): + self.input_dir = parsed_config.getElementsByTagName("indir")[0].getAttribute("value").encode().decode("utf_8") + if parsed_config.getElementsByTagName("global_csv"): + self.global_csv = parsed_config.getElementsByTagName("global_csv")[0].getAttribute("value").encode().decode("utf_8") + self.global_csv = make_local_path(self.global_csv) + if parsed_config.getElementsByTagName("golddir"): + self.gold = parsed_config.getElementsByTagName("golddir")[0].getAttribute("value").encode().decode("utf_8") + self.img_gold = make_path(self.gold, 'tmp') + + self._init_imgs(parsed_config) + self._init_build_info(parsed_config) + self._init_email_info(parsed_config) + + except IOError as e: + msg = "There was an error loading the configuration file.\n" + msg += "\t" + str(e) + Errors.add_email_msg(msg) + logging.critical(traceback.format_exc()) + print(traceback.format_exc()) + + def _init_logs(self): + """Setup output folder, logs, and reporting infrastructure.""" + if(not dir_exists(make_path("..", "output", "results"))): + os.makedirs(make_path("..", "output", "results",)) + self.output_dir = make_path("..", "output", "results", time.strftime("%Y.%m.%d-%H.%M.%S")) + os.makedirs(self.output_dir) + self.csv = make_local_path(self.output_dir, "CSV.txt") + self.html_log = make_path(self.output_dir, "AutopsyTestCase.html") + log_name = self.output_dir + "\\regression.log" + logging.basicConfig(filename=log_name, level=logging.DEBUG) + + def _init_build_info(self, parsed_config): + """Initializes paths that point to information necessary to run the AutopsyIngest.""" + build_elements = parsed_config.getElementsByTagName("build") + if build_elements: + build_element = build_elements[0] + build_path = 
build_element.getAttribute("value").encode().decode("utf_8") + self.build_path = build_path + + def _init_imgs(self, parsed_config): + """Initialize the list of images to run tests on.""" + for element in parsed_config.getElementsByTagName("image"): + value = element.getAttribute("value").encode().decode("utf_8") + print ("Image in Config File: " + value) + if file_exists(value): + self.images.append(value) + else: + msg = "File: " + value + " doesn't exist" + Errors.print_error(msg) + Errors.add_email_msg(msg) + image_count = len(self.images) + + # Sanity check to see if there are obvious gold images that we are not testing + gold_count = 0 + for file in os.listdir(self.gold): + if not(file == 'tmp'): + gold_count+=1 + + if (image_count > gold_count): + print("******Alert: There are more input images than gold standards, some images will not be properly tested.\n") + elif (image_count < gold_count): + print("******Alert: There are more gold standards than input images, this will not check all gold Standards.\n") + + def _init_email_info(self, parsed_config): + """Initializes email information dictionary""" + email_elements = parsed_config.getElementsByTagName("email") + if email_elements: + mail_to = email_elements[0] + self.mail_to = mail_to.getAttribute("value").encode().decode("utf_8") + mail_server_elements = parsed_config.getElementsByTagName("mail_server") + if mail_server_elements: + mail_from = mail_server_elements[0] + self.mail_server = mail_from.getAttribute("value").encode().decode("utf_8") + subject_elements = parsed_config.getElementsByTagName("subject") + if subject_elements: + subject = subject_elements[0] + self.mail_subject = subject.getAttribute("value").encode().decode("utf_8") + if self.mail_server and self.mail_to: + self.email_enabled = True + + + +class TskDbDiff(object): + """Represents the differences between the gold and output databases. + + Contains methods to compare two databases. 
+ + Attributes: + gold_artifacts: + autopsy_artifacts: + gold_attributes: + autopsy_attributes: + gold_objects: + autopsy_objects: + artifact_comparison: + attribute_comparision: + report_errors: a listof_listof_String, the error messages that will be + printed to screen in the run_diff method + passed: a boolean, did the diff pass? + autopsy_db_file: + gold_db_file: + """ + def __init__(self, output_db_path, gold_db_path): + """Constructor for TskDbDiff. + + Args: + output_db_path: a pathto_File, the output database + gold_db_path: a pathto_File, the gold database + """ + self.gold_artifacts = [] + self.autopsy_artifacts = [] + self.gold_attributes = 0 + self.autopsy_attributes = 0 + self.gold_objects = 0 + self.autopsy_objects = 0 + self.artifact_comparison = [] + self.attribute_comparison = [] + self.report_errors = [] + self.autopsy_db_file = output_db_path + self.gold_db_file = gold_db_path + + def _get_artifacts(self, cursor): + """Get a list of artifacts from the given SQLCursor. + + Args: + cursor: SQLCursor - the cursor to execute on + + Returns: + listof_Artifact - the artifacts found by the query + """ + cursor.execute("SELECT COUNT(*) FROM blackboard_artifact_types") + length = cursor.fetchone()[0] + 1 + artifacts = [] + for type_id in range(1, length): + cursor.execute("SELECT COUNT(*) FROM blackboard_artifacts WHERE artifact_type_id=%d" % type_id) + artifacts.append(cursor.fetchone()[0]) + return artifacts + + def _count_attributes(self, cursor): + """Count the attributes from the given SQLCursor. + + Args: + cursor: SQLCursor - the cursor to execute on + + Returns: + Nat - the number of attributes found by the query + """ + cursor.execute("SELECT COUNT(*) FROM blackboard_attributes") + return cursor.fetchone()[0] + + def _count_objects(self, cursor): + """Count the objects from the given SQLCursor. 
+ + Args: + cursor: SQLCursor - the cursor to execute on + + Returns: + Nat - the number of objects found by the query + """ + cursor.execute("SELECT COUNT(*) FROM tsk_objects") + return cursor.fetchone()[0] + + def _compare_bb_artifacts(self): + """Compares the blackboard artifact counts of two databases. + + Returns: + True if the artifacts are the same, false otherwise. + """ + exceptions = [] + passed = True + if self.gold_artifacts != self.autopsy_artifacts: + msg = "There was a difference in the number of artifacts.\n" + exceptions.append(msg) + Errors.add_email_msg(msg) + passed = False + else: + rner = len(self.gold_artifacts) + for type_id in range(1, rner): + if self.gold_artifacts[type_id] != self.autopsy_artifacts[type_id]: + error = str("Artifact counts do not match for type id %d. " % type_id) + error += str("Gold: %d, Test: %d" % + (self.gold_artifacts[type_id], + self.autopsy_artifacts[type_id])) + exceptions.append(error) + passed = False + self.report_errors.append(exceptions) + return passed + + def _compare_bb_attributes(self): + """Compares the blackboard attribute counts of two databases. + + Updates this TskDbDiff's report_errors with the error messages from the + attribute diff + + Returns: + True is the attributes are the same, False otherwise. + """ + exceptions = [] + passed = True + if self.gold_attributes != self.autopsy_attributes: + error = "Attribute counts do not match. " + error += str("Gold: %d, Test: %d" % (self.gold_attributes, self.autopsy_attributes)) + exceptions.append(error) + msg = "There was a difference in the number of attributes.\n" + Errors.add_email_msg(msg) + passed = False + self.report_errors.append(exceptions) + return passed + + def _compare_tsk_objects(self): + """Compares the TSK object counts of two databases.""" + exceptions = [] + passed = True + if self.gold_objects != self.autopsy_objects: + error = "TSK Object counts do not match. 
" + error += str("Gold: %d, Test: %d" % (self.gold_objects, self.autopsy_objects)) + exceptions.append(error) + msg ="There was a difference between the tsk object counts.\n" + Errors.add_email_msg(msg) + passed = False + self.report_errors.append(exceptions) + return passed + + def _get_basic_counts(self, autopsy_cur, gold_cur): + """Count the items necessary to compare the databases. + + Gets the counts of objects, artifacts, and attributes in the Gold + and Ouput databases and updates this TskDbDiff's attributes + accordingly + + Args: + autopsy_cur: SQLCursor - the cursor for the output database + gold_cur: SQLCursor - the cursor for the gold database + """ + try: + # Objects + self.gold_objects = self._count_objects(gold_cur) + self.autopsy_objects = self._count_objects(autopsy_cur) + # Artifacts + self.gold_artifacts = self._get_artifacts(gold_cur) + self.autopsy_artifacts = self._get_artifacts(autopsy_cur) + # Attributes + self.gold_attributes = self._count_attributes(gold_cur) + self.autopsy_attributes = self._count_attributes(autopsy_cur) + except sqlite3.Error as e: + Errors.print_error("Error while querying the databases:" + str(e)) + + def run_diff(self): + """Basic test between output and gold databases. + + Compares only counts of objects and blackboard items. 
+ Note: SQLITE needs unix style pathing + + Raises: + sqlite3.OperationalError, if either of the database files do not + exist + """ + # Get connections and cursors to output / gold databases + autopsy_con = sqlite3.connect(self.autopsy_db_file) + autopsy_cur = autopsy_con.cursor() + gold_con = sqlite3.connect(self.gold_db_file) + gold_cur = gold_con.cursor() + + # Get Counts of objects, artifacts, and attributes + self._get_basic_counts(autopsy_cur, gold_cur) + + # We're done with the databases, close up the connections + autopsy_con.close() + gold_con.close() + + # Compare counts + objects_passed = self._compare_tsk_objects() + artifacts_passed = self._compare_bb_artifacts() + attributes_passed = self._compare_bb_attributes() + + self.passed = objects_passed and artifacts_passed and attributes_passed + + self.artifact_comparison = self.report_errors[1] + self.attribute_comparison = self.report_errors[2] + + okay = "All counts match." + print_report(self.report_errors[0], "COMPARE TSK OBJECTS", okay) + print_report(self.report_errors[1], "COMPARE ARTIFACTS", okay) + print_report(self.report_errors[2], "COMPARE ATTRIBUTES", okay) + + return DiffResults(self) + + def _dump_output_db_bb(autopsy_con, db_file, data_file, sorted_data_file): + """Dumps sorted text results to the given output location. + + Smart method that deals with a blackboard comparison to avoid issues + with different IDs based on when artifacts were created. + + Args: + autopsy_con: a SQLConn to the autopsy database. + db_file: a pathto_File, the output database. + data_file: a pathto_File, the dump file to write to + sorted_data_file: a pathto_File, the sorted dump file to write to + """ + autopsy_cur2 = autopsy_con.cursor() + # Get the list of all artifacts + # @@@ Could add a SORT by parent_path in here since that is how we are going to later sort it. 
+ autopsy_cur2.execute("SELECT tsk_files.parent_path, tsk_files.name, blackboard_artifact_types.display_name, blackboard_artifacts.artifact_id FROM blackboard_artifact_types INNER JOIN blackboard_artifacts ON blackboard_artifact_types.artifact_type_id = blackboard_artifacts.artifact_type_id INNER JOIN tsk_files ON tsk_files.obj_id = blackboard_artifacts.obj_id") + database_log = codecs.open(data_file, "wb", "utf_8") + rw = autopsy_cur2.fetchone() + appnd = False + counter = 0 + artifact_count = 0 + artifact_fail = 0 + # Cycle through artifacts + try: + while (rw != None): + # File Name and artifact type + if(rw[0] != None): + database_log.write(rw[0] + rw[1] + ' ') + else: + database_log.write(rw[1] + ' ') + + # Get attributes for this artifact + autopsy_cur1 = autopsy_con.cursor() + looptry = True + artifact_count += 1 + try: + key = "" + key = str(rw[3]) + key = key, + autopsy_cur1.execute("SELECT blackboard_attributes.source, blackboard_attribute_types.display_name, blackboard_attributes.value_type, blackboard_attributes.value_text, blackboard_attributes.value_int32, blackboard_attributes.value_int64, blackboard_attributes.value_double FROM blackboard_attributes INNER JOIN blackboard_attribute_types ON blackboard_attributes.attribute_type_id = blackboard_attribute_types.attribute_type_id WHERE artifact_id =? 
ORDER BY blackboard_attributes.source, blackboard_attribute_types.display_name, blackboard_attributes.value_type, blackboard_attributes.value_text, blackboard_attributes.value_int32, blackboard_attributes.value_int64, blackboard_attributes.value_double", key) + attributes = autopsy_cur1.fetchall() + except sqlite3.Error as e: + Errors.print_error(str(e)) + Errors.print_error(str(rw[3])) + msg ="Attributes in artifact id (in output DB)# " + str(rw[3]) + " encountered an error: " + str(e) +" .\n" + Errors.add_email_msg(msg) + looptry = False + print(artifact_fail) + artifact_fail += 1 + print(artifact_fail) + database_log.write('Error Extracting Attributes'); + + # Print attributes + if(looptry == True): + src = attributes[0][0] + for attr in attributes: + val = 3 + attr[2] + numvals = 0 + for x in range(3, 6): + if(attr[x] != None): + numvals += 1 + if(numvals > 1): + msg = "There were too many values for attribute type: " + attr[1] + " for artifact with id #" + str(rw[3]) + ".\n" + Errors.add_email_msg(msg) + Errors.print_error(msg) + if(not appnd): + Errors.add_email_attachment(db_file) + appnd = True + if(not attr[0] == src): + msg ="There were inconsistent sources for artifact with id #" + str(rw[3]) + ".\n" + Errors.add_email_msg(msg) + Errors.print_error(msg) + if(not appnd): + Errors.add_email_attachment(db_file) + appnd = True + try: + database_log.write('') + database_log.write(' \n') + rw = autopsy_cur2.fetchone() + + # Now sort the file + srtcmdlst = ["sort", data_file, "-o", sorted_data_file] + subprocess.call(srtcmdlst) + print(artifact_fail) + if(artifact_fail > 0): + msg ="There were " + str(artifact_count) + " artifacts and " + str(artifact_fail) + " threw an exception while loading.\n" + Errors.add_email_msg(msg) + except Exception as e: + Errors.print_error('outer exception: ' + str(e)) + + def _dump_output_db_nonbb(test_data): + """Dumps a database to a text file. + + Does not dump the artifact and attributes. 
+ + Args: + test_data: the TestData that corresponds with this dump. + """ + # Make a copy of the DB + autopsy_db_file = test_data.get_db_path(DBType.OUTPUT) + backup_db_file = test_data.get_db_path(DBType.BACKUP) + shutil.copy(autopsy_db_file, backup_db_file) + autopsy_con = sqlite3.connect(backup_db_file) + + # Delete the blackboard tables + autopsy_con.execute("DROP TABLE blackboard_artifacts") + autopsy_con.execute("DROP TABLE blackboard_attributes") + + # Write to the database dump + with codecs.open(test_data.test_dbdump, "wb", "utf_8") as db_log: + for line in autopsy_con.iterdump(): + db_log.write('%s\n' %line) + + + def dump_output_db(test_data): + """Dumps the given database to text files for later comparison. + + Args: + test_data: the TestData that corresponds to this dump. + """ + autopsy_db_file = test_data.get_db_path(DBType.OUTPUT) + autopsy_con = sqlite3.connect(autopsy_db_file) + autopsy_cur = autopsy_con.cursor() + # Try to query the databases. Ignore any exceptions, the function will + # return an error later on if these do fail + TskDbDiff._dump_output_db_bb(autopsy_con, autopsy_db_file, + test_data.autopsy_data_file, + test_data.get_sorted_data_path(DBType.OUTPUT)) + TskDbDiff._dump_output_db_nonbb(test_data) + autopsy_con.close() + +#-------------------------------------------------# +# Functions relating to comparing outputs # +#-------------------------------------------------# +class TestResultsDiffer(object): + """Compares results for a single test.""" + + def run_diff(test_data): + """Compares results for a single test. + + Args: + test_data: the TestData to use. 
+ databaseDiff: TskDbDiff object created based off test_data + """ + try: + # Diff the gold and output databases + output_db_path = test_data.get_db_path(DBType.OUTPUT) + gold_db_path = test_data.get_db_path(DBType.GOLD) + db_diff = TskDbDiff(output_db_path, gold_db_path) + test_data.db_diff_results = db_diff.run_diff() + + # Compare Exceptions + # replace is a fucntion that replaces strings of digits with 'd' + # this is needed so dates and times will not cause the diff to fail + replace = lambda file: re.sub(re.compile("\d"), "d", file) + output_errors = test_data.get_sorted_errors_path(DBType.OUTPUT) + gold_errors = test_data.get_sorted_errors_path(DBType.GOLD) + passed = TestResultsDiffer._compare_text(output_errors, gold_errors, + replace) + test_data.errors_diff_passed = passed + + # Compare smart blackboard results + output_data = test_data.get_sorted_data_path(DBType.OUTPUT) + gold_data = test_data.get_sorted_data_path(DBType.GOLD) + passed = TestResultsDiffer._compare_text(output_data, gold_data) + test_data.sorted_data_passed = passed + + # Compare the rest of the database (non-BB) + output_dump = test_data.get_db_dump_path(DBType.OUTPUT) + gold_dump = test_data.get_db_dump_path(DBType.GOLD) + passed = TestResultsDiffer._compare_text(output_dump, gold_dump) + test_data.db_dump_passed = passed + + # Compare html output + gold_report_path = test_data.get_html_report_path(DBType.GOLD) + output_report_path = test_data.get_html_report_path(DBType.OUTPUT) + passed = TestResultsDiffer._html_report_diff(gold_report_path, + output_report_path) + test_data.html_report_passed = passed + + # Clean up tmp folder + del_dir(test_data.gold_data_dir) + + except sqlite3.OperationalError as e: + Errors.print_error("Tests failed while running the diff:\n") + Errors.print_error(str(e)) + except Exception as e: + Errors.print_error("Tests failed due to an error, try rebuilding or creating gold standards.\n") + Errors.print_error(str(e) + "\n") + print(traceback.format_exc()) + 
+ def _compare_text(output_file, gold_file, process=None): + """Compare two text files. + + Args: + output_file: a pathto_File, the output text file + gold_file: a pathto_File, the input text file + pre-process: (optional) a function of String -> String that will be + called on each input file before the diff, if specified. + """ + if(not file_exists(output_file)): + return False + output_data = codecs.open(output_file, "r", "utf_8").read() + gold_data = codecs.open(gold_file, "r", "utf_8").read() + + if process is not None: + output_data = process(output_data) + gold_data = process(gold_data) + + if (not(gold_data == output_data)): + diff_path = os.path.splitext(os.path.basename(output_file))[0] + diff_path += "-Diff.txt" + diff_file = codecs.open(diff_path, "wb", "utf_8") + dffcmdlst = ["diff", output_file, gold_file] + subprocess.call(dffcmdlst, stdout = diff_file) + Errors.add_email_attachment(diff_path) + msg = "There was a difference in " + msg += os.path.basename(output_file) + ".\n" + Errors.add_email_msg(msg) + Errors.print_error(msg) + return False + else: + return True + + def _html_report_diff(gold_report_path, output_report_path): + """Compare the output and gold html reports. + + Args: + gold_report_path: a pathto_Dir, the gold HTML report directory + output_report_path: a pathto_Dir, the output HTML report directory + + Returns: + true, if the reports match, false otherwise. + """ + try: + gold_html_files = get_files_by_ext(gold_report_path, ".html") + output_html_files = get_files_by_ext(output_report_path, ".html") + + #ensure both reports have the same number of files and are in the same order + if(len(gold_html_files) != len(output_html_files)): + msg = "The reports did not have the same number or files." + msg += "One of the reports may have been corrupted." 
+ Errors.print_error(msg) + else: + gold_html_files.sort() + output_html_files.sort() + + total = {"Gold": 0, "New": 0} + for gold, output in zip(gold_html_files, output_html_files): + count = TestResultsDiffer._compare_report_files(gold, output) + total["Gold"] += count[0] + total["New"] += count[1] + + okay = "The test report matches the gold report." + errors=["Gold report had " + str(total["Gold"]) +" errors", "New report had " + str(total["New"]) + " errors."] + print_report(errors, "REPORT COMPARISON", okay) + + if total["Gold"] == total["New"]: + return True + else: + Errors.print_error("The reports did not match each other.\n " + errors[0] +" and the " + errors[1]) + return False + except OSError as e: + e.print_error() + return False + except Exception as e: + Errors.print_error("Error: Unknown fatal error comparing reports.") + Errors.print_error(str(e) + "\n") + logging.critical(traceback.format_exc()) + return False + + def _compare_report_files(a_path, b_path): + """Compares the two specified report html files. + + Args: + a_path: a pathto_File, the first html report file + b_path: a pathto_File, the second html report file + + Returns: + a tuple of (Nat, Nat), which represent the length of each + unordered list in the html report files, or (0, 0) if the + lenghts are the same. + """ + a_file = open(a_path) + b_file = open(b_path) + a = a_file.read() + b = b_file.read() + a = a[a.find("
          "):] + b = b[b.find("
            "):] + + a_list = TestResultsDiffer._split(a, 50) + b_list = TestResultsDiffer._split(b, 50) + if not len(a_list) == len(b_list): + ex = (len(a_list), len(b_list)) + return ex + else: + return (0, 0) + + # Split a string into an array of string of the given size + def _split(input, size): + return [input[start:start+size] for start in range(0, len(input), size)] + + +class Reports(object): + def generate_reports(test_data): + """Generate the reports for a single test + + Args: + test_data: the TestData + """ + Reports._generate_html(test_data) + if test_data.main_config.global_csv: + Reports._generate_csv(test_data.main_config.global_csv, test_data) + else: + Reports._generate_csv(test_data.main_config.csv, test_data) + + def _generate_html(test_data): + """Generate the HTML log file.""" + # If the file doesn't exist yet, this is the first test_config to run for + # this test, so we need to make the start of the html log + html_log = test_data.main_config.html_log + if not file_exists(html_log): + Reports.write_html_head() + with open(html_log, "a") as html: + # The image title + title = "

            " + test_data.image_name + " \ + tested on " + socket.gethostname() + "

            \ +

            \ + Errors and Warnings |\ + Information |\ + General Output |\ + Logs\ +

            " + # The script errors found + if not test_data.overall_passed: + ids = 'errors1' + else: + ids = 'errors' + errors = "
            \ +

            Errors and Warnings

            \ +
            " + # For each error we have logged in the test_config + for error in test_data.printerror: + # Replace < and > to avoid any html display errors + errors += "

            " + error.replace("<", "<").replace(">", ">") + "

            " + # If there is a \n, we probably want a
            in the html + if "\n" in error: + errors += "
            " + errors += "
            " + + # Links to the logs + logs = "
            \ +

            Logs

            \ +
            " + logs_path = test_data.logs_dir + for file in os.listdir(logs_path): + logs += "

            " + file + "

            " + logs += "
            " + + # All the testing information + info = "
            \ +

            Information

            \ +
            \ + " + # The individual elements + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "" + info += "
            Image Path:" + test_data.image_file + "
            Image Name:" + test_data.image_name + "
            test_config Output Directory:" + test_data.main_config.output_dir + "
            Autopsy Version:" + test_data.autopsy_version + "
            Heap Space:" + test_data.heap_space + "
            Test Start Date:" + test_data.start_date + "
            Test End Date:" + test_data.end_date + "
            Total Test Time:" + test_data.total_test_time + "
            Total Ingest Time:" + test_data.total_ingest_time + "
            Exceptions Count:" + str(len(get_exceptions(test_data))) + "
            Autopsy OutOfMemoryExceptions:" + str(len(search_logs("OutOfMemoryException", test_data))) + "
            Autopsy OutOfMemoryErrors:" + str(len(search_logs("OutOfMemoryError", test_data))) + "
            Tika OutOfMemoryErrors/Exceptions:" + str(Reports._get_num_memory_errors("tika", test_data)) + "
            Solr OutOfMemoryErrors/Exceptions:" + str(Reports._get_num_memory_errors("solr", test_data)) + "
            TskCoreExceptions:" + str(len(search_log_set("autopsy", "TskCoreException", test_data))) + "
            TskDataExceptions:" + str(len(search_log_set("autopsy", "TskDataException", test_data))) + "
            Ingest Messages Count:" + str(test_data.ingest_messages) + "
            Indexed Files Count:" + str(test_data.indexed_files) + "
            Indexed File Chunks Count:" + str(test_data.indexed_chunks) + "
            Out Of Disk Space:\ +

            (will skew other test results)

            " + str(len(search_log_set("autopsy", "Stopping ingest due to low disk space on disk", test_data))) + "
            TSK Objects Count:" + str(test_data.db_diff_results.output_objs) + "
            Artifacts Count:" + str(test_data.db_diff_results.output_artifacts)+ "
            Attributes Count:" + str(test_data.db_diff_results.output_attrs) + "
            \ +
            " + # For all the general print statements in the test_config + output = "
            \ +

            General Output

            \ +
            " + # For each printout in the test_config's list + for out in test_data.printout: + output += "

            " + out + "

            " + # If there was a \n it probably means we want a
            in the html + if "\n" in out: + output += "
            " + output += "
            " + + html.write(title) + html.write(errors) + html.write(info) + html.write(logs) + html.write(output) + + def write_html_head(html_log): + """Write the top of the HTML log file. + + Args: + html_log: a pathto_File, the global HTML log + """ + with open(str(html_log), "a") as html: + head = "\ + \ + AutopsyTesttest_config Output\ + \ + \ + " + html.write(head) + + def write_html_foot(html_log): + """Write the bottom of the HTML log file. + + Args: + html_log: a pathto_File, the global HTML log + """ + with open(html_log, "a") as html: + head = "" + html.write(head) + + def html_add_images(html_log, full_image_names): + """Add all the image names to the HTML log. + + Args: + full_image_names: a listof_String, each representing an image name + html_log: a pathto_File, the global HTML log + """ + # If the file doesn't exist yet, this is the first test_config to run for + # this test, so we need to make the start of the html log + if not file_exists(html_log): + Reports.write_html_head(html_log) + with open(html_log, "a") as html: + links = [] + for full_name in full_image_names: + name = get_image_name(full_name) + links.append("" + name + "") + html.write("

            " + (" | ".join(links)) + "

            ") + + def _generate_csv(csv_path, test_data): + """Generate the CSV log file""" + # If the CSV file hasn't already been generated, this is the + # first run, and we need to add the column names + if not file_exists(csv_path): + Reports.csv_header(csv_path) + # Now add on the fields to a new row + with open(csv_path, "a") as csv: + # Variables that need to be written + vars = [] + vars.append( test_data.image_file ) + vars.append( test_data.image_name ) + vars.append( test_data.main_config.output_dir ) + vars.append( socket.gethostname() ) + vars.append( test_data.autopsy_version ) + vars.append( test_data.heap_space ) + vars.append( test_data.start_date ) + vars.append( test_data.end_date ) + vars.append( test_data.total_test_time ) + vars.append( test_data.total_ingest_time ) + vars.append( test_data.service_times ) + vars.append( str(len(get_exceptions(test_data))) ) + vars.append( str(Reports._get_num_memory_errors("autopsy", test_data)) ) + vars.append( str(Reports._get_num_memory_errors("tika", test_data)) ) + vars.append( str(Reports._get_num_memory_errors("solr", test_data)) ) + vars.append( str(len(search_log_set("autopsy", "TskCoreException", test_data))) ) + vars.append( str(len(search_log_set("autopsy", "TskDataException", test_data))) ) + vars.append( str(test_data.ingest_messages) ) + vars.append( str(test_data.indexed_files) ) + vars.append( str(test_data.indexed_chunks) ) + vars.append( str(len(search_log_set("autopsy", "Stopping ingest due to low disk space on disk", test_data))) ) + vars.append( str(test_data.db_diff_results.output_objs) ) + vars.append( str(test_data.db_diff_results.output_artifacts) ) + vars.append( str(test_data.db_diff_results.output_objs) ) + vars.append( make_local_path("gold", test_data.image_name, DB_FILENAME) ) + vars.append( test_data.db_diff_results.get_artifact_comparison() ) + vars.append( test_data.db_diff_results.get_attribute_comparison() ) + vars.append( make_local_path("gold", test_data.image_name, 
"standard.html") ) + vars.append( str(test_data.html_report_passed) ) + vars.append( test_data.ant_to_string() ) + # Join it together with a ", " + output = "|".join(vars) + output += "\n" + # Write to the log! + csv.write(output) + + def csv_header(csv_path): + """Generate the CSV column names.""" + with open(csv_path, "w") as csv: + titles = [] + titles.append("Image Path") + titles.append("Image Name") + titles.append("Output test_config Directory") + titles.append("Host Name") + titles.append("Autopsy Version") + titles.append("Heap Space Setting") + titles.append("Test Start Date") + titles.append("Test End Date") + titles.append("Total Test Time") + titles.append("Total Ingest Time") + titles.append("Service Times") + titles.append("Autopsy Exceptions") + titles.append("Autopsy OutOfMemoryErrors/Exceptions") + titles.append("Tika OutOfMemoryErrors/Exceptions") + titles.append("Solr OutOfMemoryErrors/Exceptions") + titles.append("TskCoreExceptions") + titles.append("TskDataExceptions") + titles.append("Ingest Messages Count") + titles.append("Indexed Files Count") + titles.append("Indexed File Chunks Count") + titles.append("Out Of Disk Space") + titles.append("Tsk Objects Count") + titles.append("Artifacts Count") + titles.append("Attributes Count") + titles.append("Gold Database Name") + titles.append("Artifacts Comparison") + titles.append("Attributes Comparison") + titles.append("Gold Report Name") + titles.append("Report Comparison") + titles.append("Ant Command Line") + output = "|".join(titles) + output += "\n" + csv.write(output) + + def _get_num_memory_errors(type, test_data): + """Get the number of OutOfMemory errors and Exceptions. + + Args: + type: a String representing the type of log to check. + test_data: the TestData to examine. 
+ """ + return (len(search_log_set(type, "OutOfMemoryError", test_data)) + + len(search_log_set(type, "OutOfMemoryException", test_data))) + +class Logs(object): + + def generate_log_data(test_data): + """Find and handle relevent data from the Autopsy logs. + + Args: + test_data: the TestData whose logs to examine + """ + Logs._generate_common_log(test_data) + try: + Logs._fill_ingest_data(test_data) + except Exception as e: + Errors.print_error("Error: Unknown fatal error when filling test_config data.") + Errors.print_error(str(e) + "\n") + logging.critical(traceback.format_exc()) + # If running in verbose mode (-v) + if test_data.main_config.args.verbose: + errors = Logs._report_all_errors() + okay = "No warnings or errors in any log files." + print_report(errors, "VERBOSE", okay) + + def _generate_common_log(test_data): + """Generate the common log, the log of all exceptions and warnings from + each log file generated by Autopsy. + + Args: + test_data: the TestData to generate a log for + """ + try: + logs_path = test_data.logs_dir + common_log = codecs.open(test_data.common_log_path, "w", "utf_8") + warning_log = codecs.open(test_data.warning_log, "w", "utf_8") + common_log.write("--------------------------------------------------\n") + common_log.write(test_data.image_name + "\n") + common_log.write("--------------------------------------------------\n") + rep_path = make_local_path(test_data.main_config.output_dir) + rep_path = rep_path.replace("\\\\", "\\") + for file in os.listdir(logs_path): + log = codecs.open(make_path(logs_path, file), "r", "utf_8") + for line in log: + line = line.replace(rep_path, "test_data") + if line.startswith("Exception"): + common_log.write(file +": " + line) + elif line.startswith("Error"): + common_log.write(file +": " + line) + elif line.startswith("SEVERE"): + common_log.write(file +":" + line) + else: + warning_log.write(file +": " + line) + log.close() + common_log.write("\n") + common_log.close() + 
print(test_data.sorted_log) + srtcmdlst = ["sort", test_data.common_log_path, "-o", test_data.sorted_log] + subprocess.call(srtcmdlst) + except (OSError, IOError) as e: + Errors.print_error("Error: Unable to generate the common log.") + Errors.print_error(str(e) + "\n") + Errors.print_error(traceback.format_exc()) + logging.critical(traceback.format_exc()) + + def _fill_ingest_data(test_data): + """Fill the TestDatas variables that require the log files. + + Args: + test_data: the TestData to modify + """ + try: + # Open autopsy.log.0 + log_path = make_path(test_data.logs_dir, "autopsy.log.0") + log = open(log_path) + + # Set the TestData start time based off the first line of autopsy.log.0 + # *** If logging time format ever changes this will break *** + test_data.start_date = log.readline().split(" org.")[0] + + # Set the test_data ending time based off the "create" time (when the file was copied) + test_data.end_date = time.ctime(os.path.getmtime(log_path)) + except IOError as e: + Errors.print_error("Error: Unable to open autopsy.log.0.") + Errors.print_error(str(e) + "\n") + logging.warning(traceback.format_exc()) + # Start date must look like: "Jul 16, 2012 12:57:53 PM" + # End date must look like: "Mon Jul 16 13:02:42 2012" + # *** If logging time format ever changes this will break *** + start = datetime.datetime.strptime(test_data.start_date, "%b %d, %Y %I:%M:%S %p") + end = datetime.datetime.strptime(test_data.end_date, "%a %b %d %H:%M:%S %Y") + test_data.total_test_time = str(end - start) + + try: + # Set Autopsy version, heap space, ingest time, and service times + + version_line = search_logs("INFO: Application name: Autopsy, version:", test_data)[0] + test_data.autopsy_version = get_word_at(version_line, 5).rstrip(",") + + test_data.heap_space = search_logs("Heap memory usage:", test_data)[0].rstrip().split(": ")[1] + + ingest_line = search_logs("Ingest (including enqueue)", test_data)[0] + test_data.total_ingest_time = get_word_at(ingest_line, 
6).rstrip() + + message_line = search_log_set("autopsy", "Ingest messages count:", test_data)[0] + test_data.ingest_messages = int(message_line.rstrip().split(": ")[2]) + + files_line = search_log_set("autopsy", "Indexed files count:", test_data)[0] + test_data.indexed_files = int(files_line.rstrip().split(": ")[2]) + + chunks_line = search_log_set("autopsy", "Indexed file chunks count:", test_data)[0] + test_data.indexed_chunks = int(chunks_line.rstrip().split(": ")[2]) + except (OSError, IOError) as e: + Errors.print_error("Error: Unable to find the required information to fill test_config data.") + Errors.print_error(str(e) + "\n") + logging.critical(traceback.format_exc()) + print(traceback.format_exc()) + try: + service_lines = search_log("autopsy.log.0", "to process()", test_data) + service_list = [] + for line in service_lines: + words = line.split(" ") + # Kind of forcing our way into getting this data + # If this format changes, the tester will break + i = words.index("secs.") + times = words[i-4] + " " + times += words[i-3] + " " + times += words[i-2] + " " + times += words[i-1] + " " + times += words[i] + service_list.append(times) + test_data.service_times = "; ".join(service_list) + except (OSError, IOError) as e: + Errors.print_error("Error: Unknown fatal error when finding service times.") + Errors.print_error(str(e) + "\n") + logging.critical(traceback.format_exc()) + + def _report_all_errors(): + """Generate a list of all the errors found in the common log. + + Returns: + a listof_String, the errors found in the common log + """ + try: + return get_warnings() + get_exceptions() + except (OSError, IOError) as e: + Errors.print_error("Error: Unknown fatal error when reporting all errors.") + Errors.print_error(str(e) + "\n") + logging.warning(traceback.format_exc()) + + def search_common_log(string, test_data): + """Search the common log for any instances of a given string. + + Args: + string: the String to search for. 
+ test_data: the TestData that holds the log to search. + + Returns: + a listof_String, all the lines that the string is found on + """ + results = [] + log = codecs.open(test_data.common_log_path, "r", "utf_8") + for line in log: + if string in line: + results.append(line) + log.close() + return results + + +def print_report(errors, name, okay): + """Print a report with the specified information. + + Args: + errors: a listof_String, the errors to report. + name: a String, the name of the report. + okay: the String to print when there are no errors. + """ + if errors: + Errors.print_error("--------< " + name + " >----------") + for error in errors: + Errors.print_error(str(error)) + Errors.print_error("--------< / " + name + " >--------\n") + else: + Errors.print_out("-----------------------------------------------------------------") + Errors.print_out("< " + name + " - " + okay + " />") + Errors.print_out("-----------------------------------------------------------------\n") + + +def get_exceptions(test_data): + """Get a list of the exceptions in the autopsy logs. + + Args: + test_data: the TestData to use to find the exceptions. + Returns: + a listof_String, the exceptions found in the logs. + """ + exceptions = [] + logs_path = test_data.logs_dir + results = [] + for file in os.listdir(logs_path): + if "autopsy.log" in file: + log = codecs.open(make_path(logs_path, file), "r", "utf_8") + ex = re.compile("\SException") + er = re.compile("\SError") + for line in log: + if ex.search(line) or er.search(line): + exceptions.append(line) + log.close() + return exceptions + +def get_warnings(test_data): + """Get a list of the warnings listed in the common log. + + Args: + test_data: the TestData to use to find the warnings + + Returns: + listof_String, the warnings found. 
+ """ + warnings = [] + common_log = codecs.open(test_data.warning_log, "r", "utf_8") + for line in common_log: + if "warning" in line.lower(): + warnings.append(line) + common_log.close() + return warnings + +def copy_logs(test_data): + """Copy the Autopsy generated logs to output directory. + + Args: + test_data: the TestData whose logs will be copied + """ + try: + log_dir = os.path.join("..", "..", "Testing","build","test","qa-functional","work","userdir0","var","log") + shutil.copytree(log_dir, test_data.logs_dir) + except OSError as e: + printerror(test_data,"Error: Failed to copy the logs.") + printerror(test_data,str(e) + "\n") + logging.warning(traceback.format_exc()) + +def setDay(): + global Day + Day = int(strftime("%d", localtime())) + +def getLastDay(): + return Day + +def getDay(): + return int(strftime("%d", localtime())) + +def newDay(): + return getLastDay() != getDay() + +#------------------------------------------------------------# +# Exception classes to manage "acceptable" thrown exceptions # +# versus unexpected and fatal exceptions # +#------------------------------------------------------------# + +class FileNotFoundException(Exception): + """ + If a file cannot be found by one of the helper functions, + they will throw a FileNotFoundException unless the purpose + is to return False. 
+ """ + def __init__(self, file): + self.file = file + self.strerror = "FileNotFoundException: " + file + + def print_error(self): + Errors.print_error("Error: File could not be found at:") + Errors.print_error(self.file + "\n") + + def error(self): + error = "Error: File could not be found at:\n" + self.file + "\n" + return error + +class DirNotFoundException(Exception): + """ + If a directory cannot be found by a helper function, + it will throw this exception + """ + def __init__(self, dir): + self.dir = dir + self.strerror = "DirNotFoundException: " + dir + + def print_error(self): + Errors.print_error("Error: Directory could not be found at:") + Errors.print_error(self.dir + "\n") + + def error(self): + error = "Error: Directory could not be found at:\n" + self.dir + "\n" + return error + + +class Errors: + """A class used to manage error reporting. + + Attributes: + printout: a listof_String, the non-error messages that were printed + printerror: a listof_String, the error messages that were printed + email_body: a String, the body of the report email + email_msg_prefix: a String, the prefix for lines added to the email + email_attchs: a listof_pathto_File, the files to be attached to the + report email + """ + printout = [] + printerror = [] + email_body = "" + email_msg_prefix = "Configuration" + email_attachs = [] + + def set_testing_phase(image_name): + """Change the email message prefix to be the given testing phase. + + Args: + image_name: a String, representing the current image being tested + """ + Errors.email_msg_prefix = image_name + + def print_out(msg): + """Print out an informational message. + + Args: + msg: a String, the message to be printed + """ + print(msg) + Errors.printout.append(msg) + + def print_error(msg): + """Print out an error message. + + Args: + msg: a String, the error message to be printed. 
+ """ + print(msg) + Errors.printerror.append(msg) + + def clear_print_logs(): + """Reset the image-specific attributes of the Errors class.""" + Errors.printout = [] + Errors.printerror = [] + + def add_email_msg(msg): + """Add the given message to the body of the report email. + + Args: + msg: a String, the message to be added to the email + """ + Errors.email_body += Errors.email_msg_prefix + ":" + msg + + def add_email_attachment(path): + """Add the given file to be an attachment for the report email + + Args: + file: a pathto_File, the file to add + """ + Errors.email_attachs.append(path) + + +class DiffResults(object): + """Container for the results of the database diff tests. + + Stores artifact, object, and attribute counts and comparisons generated by + TskDbDiff. + + Attributes: + gold_attrs: a Nat, the number of gold attributes + output_attrs: a Nat, the number of output attributes + gold_objs: a Nat, the number of gold objects + output_objs: a Nat, the number of output objects + artifact_comp: a listof_String, describing the differences + attribute_comp: a listof_String, describing the differences + passed: a boolean, did the diff pass? 
+ """ + def __init__(self, tsk_diff): + """Inits a DiffResults + + Args: + tsk_diff: a TskDBDiff + """ + self.gold_attrs = tsk_diff.gold_attributes + self.output_attrs = tsk_diff.autopsy_attributes + self.gold_objs = tsk_diff.gold_objects + self.output_objs = tsk_diff.autopsy_objects + self.artifact_comp = tsk_diff.artifact_comparison + self.attribute_comp = tsk_diff.attribute_comparison + self.gold_artifacts = len(tsk_diff.gold_artifacts) + self.output_artifacts = len(tsk_diff.autopsy_artifacts) + self.passed = tsk_diff.passed + + def get_artifact_comparison(self): + if not self.artifact_comp: + return "All counts matched" + else: + return "; ".join(self.artifact_comp) + + def get_attribute_comparison(self): + if not self.attribute_comp: + return "All counts matched" + list = [] + for error in self.attribute_comp: + list.append(error) + return ";".join(list) + + +#-------------------------------------------------------------# +# Parses argv and stores booleans to match command line input # +#-------------------------------------------------------------# +class Args(object): + """A container for command line options and arguments. 
+ + Attributes: + single: a boolean indicating whether to run in single file mode + single_file: an Image to run the test on + rebuild: a boolean indicating whether to run in rebuild mode + list: a boolean indicating a config file was specified + unallocated: a boolean indicating unallocated space should be ignored + ignore: a boolean indicating the input directory should be ingnored + keep: a boolean indicating whether to keep the SOLR index + verbose: a boolean indicating whether verbose output should be printed + exeception: a boolean indicating whether errors containing exception + exception_string should be printed + exception_sring: a String representing and exception name + fr: a boolean indicating whether gold standard images will be downloaded + """ + def __init__(self): + self.single = False + self.single_file = "" + self.rebuild = False + self.list = False + self.config_file = "" + self.unallocated = False + self.ignore = False + self.keep = False + self.verbose = False + self.exception = False + self.exception_string = "" + self.fr = False + + def parse(self): + """Get the command line arguments and parse them.""" + nxtproc = [] + nxtproc.append("python3") + nxtproc.append(sys.argv.pop(0)) + while sys.argv: + arg = sys.argv.pop(0) + nxtproc.append(arg) + if(arg == "-f"): + #try: @@@ Commented out until a more specific except statement is added + arg = sys.argv.pop(0) + print("Running on a single file:") + print(path_fix(arg) + "\n") + self.single = True + self.single_file = path_fix(arg) + #except: + # print("Error: No single file given.\n") + # return False + elif(arg == "-r" or arg == "--rebuild"): + print("Running in rebuild mode.\n") + self.rebuild = True + elif(arg == "-l" or arg == "--list"): + try: + arg = sys.argv.pop(0) + nxtproc.append(arg) + print("Running from configuration file:") + print(arg + "\n") + self.list = True + self.config_file = arg + except: + print("Error: No configuration file given.\n") + return False + elif(arg == "-u" or 
arg == "--unallocated"): + print("Ignoring unallocated space.\n") + self.unallocated = True + elif(arg == "-k" or arg == "--keep"): + print("Keeping the Solr index.\n") + self.keep = True + elif(arg == "-v" or arg == "--verbose"): + print("Running in verbose mode:") + print("Printing all thrown exceptions.\n") + self.verbose = True + elif(arg == "-e" or arg == "--exception"): + try: + arg = sys.argv.pop(0) + nxtproc.append(arg) + print("Running in exception mode: ") + print("Printing all exceptions with the string '" + arg + "'\n") + self.exception = True + self.exception_string = arg + except: + print("Error: No exception string given.") + elif arg == "-h" or arg == "--help": + print(usage()) + return False + elif arg == "-fr" or arg == "--forcerun": + print("Not downloading new images") + self.fr = True + else: + print(usage()) + return False + # Return the args were sucessfully parsed + return self._sanity_check() + + def _sanity_check(self): + """Check to make sure there are no conflicting arguments and the + specified files exist. + + Returns: + False if there are conflicting arguments or a specified file does + not exist, True otherwise + """ + if self.single and self.list: + print("Cannot run both from config file and on a single file.") + return False + if self.list: + if not file_exists(self.config_file): + print("Configuration file does not exist at:", + self.config_file) + return False + elif self.single: + if not file_exists(self.single_file): + msg = "Image file does not exist at: " + self.single_file + return False + if (not self.single) and (not self.ignore) and (not self.list): + self.config_file = "config.xml" + if not file_exists(self.config_file): + msg = "Configuration file does not exist at: " + self.config_file + return False + + return True + +#### +# Helper Functions +#### +def search_logs(string, test_data): + """Search through all the known log files for a given string. + + Args: + string: the String to search for. 
+ test_data: the TestData that holds the logs to search. + + Returns: + a listof_String, the lines that contained the given String. + """ + logs_path = test_data.logs_dir + results = [] + for file in os.listdir(logs_path): + log = codecs.open(make_path(logs_path, file), "r", "utf_8") + for line in log: + if string in line: + results.append(line) + log.close() + return results + +def search_log(log, string, test_data): + """Search the given log for any instances of a given string. + + Args: + log: a pathto_File, the log to search in + string: the String to search for. + test_data: the TestData that holds the log to search. + + Returns: + a listof_String, all the lines that the string is found on + """ + logs_path = make_path(test_data.logs_dir, log) + try: + results = [] + log = codecs.open(logs_path, "r", "utf_8") + for line in log: + if string in line: + results.append(line) + log.close() + if results: + return results + except: + raise FileNotFoundException(logs_path) + +# Search through all the the logs of the given type +# Types include autopsy, tika, and solr +def search_log_set(type, string, test_data): + """Search through all logs to the given type for the given string. + + Args: + type: the type of log to search in. + string: the String to search for. + test_data: the TestData containing the logs to search. + + Returns: + a listof_String, the lines on which the String was found. + """ + logs_path = test_data.logs_dir + results = [] + for file in os.listdir(logs_path): + if type in file: + log = codecs.open(make_path(logs_path, file), "r", "utf_8") + for line in log: + if string in line: + results.append(line) + log.close() + return results + + +def clear_dir(dir): + """Clears all files from a directory and remakes it. 
+ + Args: + dir: a pathto_Dir, the directory to clear + """ + try: + if dir_exists(dir): + shutil.rmtree(dir) + os.makedirs(dir) + return True; + except OSError as e: + printerror(test_data,"Error: Cannot clear the given directory:") + printerror(test_data,dir + "\n") + print(str(e)) + return False; + +def del_dir(dir): + """Delete the given directory. + + Args: + dir: a pathto_Dir, the directory to delete + """ + try: + if dir_exists(dir): + shutil.rmtree(dir) + return True; + except: + printerror(test_data,"Error: Cannot delete the given directory:") + printerror(test_data,dir + "\n") + return False; + +def get_file_in_dir(dir, ext): + """Returns the first file in the given directory with the given extension. + + Args: + dir: a pathto_Dir, the directory to search + ext: a String, the extension to search for + + Returns: + pathto_File, the file that was found + """ + try: + for file in os.listdir(dir): + if file.endswith(ext): + return make_path(dir, file) + # If nothing has been found, raise an exception + raise FileNotFoundException(dir) + except: + raise DirNotFoundException(dir) + +def find_file_in_dir(dir, name, ext): + """Find the file with the given name in the given directory. 
+ + Args: + dir: a pathto_Dir, the directory to search + name: a String, the basename of the file to search for + ext: a String, the extension of the file to search for + """ + try: + for file in os.listdir(dir): + if file.startswith(name): + if file.endswith(ext): + return make_path(dir, file) + raise FileNotFoundException(dir) + except: + raise DirNotFoundException(dir) + + +class OS: + LINUX, MAC, WIN, CYGWIN = range(4) + + +if __name__ == "__main__": + global SYS + if _platform == "linux" or _platform == "linux2": + SYS = OS.LINUX + elif _platform == "darwin": + SYS = OS.MAC + elif _platform == "win32": + SYS = OS.WIN + elif _platform == "cygwin": + SYS = OS.CYGWIN + + if SYS is OS.WIN or SYS is OS.CYGWIN: + main() + else: + print("We only support Windows and Cygwin at this time.") diff --git a/test/script/regression_utils.py b/test/script/regression_utils.py new file mode 100644 index 0000000000..cf3c117df4 --- /dev/null +++ b/test/script/regression_utils.py 
@@ -0,0 +1,154 @@ +import os +import sys +import subprocess +from time import localtime, strftime +import traceback + +# Returns a Windows style path starting with the cwd and +# ending with the list of directories given +def make_local_path(*dirs): + path = wgetcwd().decode("utf-8") + for dir in dirs: + path += ("\\" + str(dir)) + return path_fix(path) + +# Returns a Windows style path based only off the given directories +def make_path(*dirs): + path = dirs[0] + for dir in dirs[1:]: + path += ("\\" + str(dir)) + return path_fix(path) + +# Fix a standard os.path by making it Windows format +def path_fix(path): + return path.replace("/", "\\") + +# Gets the true current working directory instead of Cygwin's +def wgetcwd(): + proc = subprocess.Popen(("cygpath", "-m", os.getcwd()), stdout=subprocess.PIPE) + out,err = proc.communicate() + tst = out.rstrip() + if os.getcwd == tst: + return os.getcwd + else: + proc = subprocess.Popen(("cygpath", "-m", os.getcwd()), stdout=subprocess.PIPE) + out,err = proc.communicate() + return out.rstrip() +# Verifies a file's existance +def file_exists(file): + try: + if os.path.exists(file): + return os.path.isfile(file) + except: + return False + +# Verifies a directory's existance +def dir_exists(dir): + try: + return os.path.exists(dir) + except: + return False + + + +# Returns the nth word in the given string or "" if n is out of bounds +# n starts at 0 for the first word +def get_word_at(string, n): + words = string.split(" ") + if len(words) >= n: + return words[n] + else: + return "" + +# Returns true if the given file is one of the required input files +# for ingest testing +def required_input_file(name): + if ((name == "notablehashes.txt-md5.idx") or + (name == "notablekeywords.xml") or + (name == "nsrl.txt-md5.idx")): + return True + else: + return False + +def image_type(image_file): + ext_start = image_file.rfind(".") + if (ext_start == -1): + return IMGTYPE.UNKNOWN + ext = image_file[ext_start:].lower() + if (ext == 
".img" or ext == ".dd"): + return IMGTYPE.RAW + elif (ext == ".e01"): + return IMGTYPE.ENCASE + elif (ext == ".aa" or ext == ".001"): + return IMGTYPE.SPLIT + else: + return IMGTYPE.UNKNOWN + +# Returns the type of image file, based off extension +class IMGTYPE: + RAW, ENCASE, SPLIT, UNKNOWN = range(4) + +def get_image_name(image_file): + path_end = image_file.rfind("/") + path_end2 = image_file.rfind("\\") + ext_start = image_file.rfind(".") + if(ext_start == -1): + name = image_file + if(path_end2 != -1): + name = image_file[path_end2+1:ext_start] + elif(ext_start == -1): + name = image_file[path_end+1:] + elif(path_end == -1): + name = image_file[:ext_start] + elif(path_end!=-1 and ext_start!=-1): + name = image_file[path_end+1:ext_start] + else: + name = image_file[path_end2+1:ext_start] + return name + +def usage(): + """Return the usage description of the test script.""" + return """ +Usage: ./regression.py [-f FILE] [OPTIONS] + + Run RegressionTest.java, and compare the result with a gold standard. + By default, the script tests every image in ../input + When the -f flag is set, this script only tests a single given image. + When the -l flag is set, the script looks for a configuration file, + which may outsource to a new input directory and to individual images. + + Expected files: + An NSRL database at: ../input/nsrl.txt-md5.idx + A notable hash database at: ../input/notablehashes.txt-md5.idx + A notable keyword file at: ../input/notablekeywords.xml + +Options: + -r Rebuild the gold standards for the image(s) tested. + -i Ignores the ../input directory and all files within it. + -u Tells Autopsy not to ingest unallocated space. + -k Keeps each image's Solr index instead of deleting it. + -v Verbose mode; prints all errors to the screen. + -e ex Prints out all errors containing ex. + -l cfg Runs from configuration file cfg. + -c Runs in a loop over the configuration file until canceled. 
Must be used in conjunction with -l + -fr Will not try download gold standard images + """ + +##### +# Enumeration definition (python 3.2 doesn't have enumerations, this is a common solution +# that allows you to access a named enum in a Java-like style, i.e. Numbers.ONE) +##### +def enum(*seq, **named): + enums = dict(zip(seq, range(len(seq))), **named) + return type('Enum', (), enums) + + +def get_files_by_ext(dir_path, ext): + """Get a list of all the files with a given extenstion in the directory. + + Args: + dir: a pathto_Dir, the directory to search. + ext: a String, the extension to search for. i.e. ".html" + """ + return [ os.path.join(dir_path, file) for file in os.listdir(dir_path) if + file.endswith(ext) ] diff --git a/thirdparty/libscalpel_jni/current/libscalpel_jni.zip b/thirdparty/libscalpel_jni/current/libscalpel_jni.zip index ca55c79238..18e01c315d 100644 Binary files a/thirdparty/libscalpel_jni/current/libscalpel_jni.zip and b/thirdparty/libscalpel_jni/current/libscalpel_jni.zip differ diff --git a/thirdparty/rr/p2x588.dll b/thirdparty/rr/p2x588.dll deleted file mode 100644 index e250d47eed..0000000000 Binary files a/thirdparty/rr/p2x588.dll and /dev/null differ diff --git a/thirdparty/rr/plugins/all b/thirdparty/rr/plugins/all deleted file mode 100644 index 5f28a06eb6..0000000000 --- a/thirdparty/rr/plugins/all +++ /dev/null @@ -1,3 +0,0 @@ -#------------------------------------- -# All -regtime \ No newline at end of file diff --git a/thirdparty/rr/plugins/appinitdlls.pl b/thirdparty/rr/plugins/appinitdlls.pl deleted file mode 100644 index 29c75915b1..0000000000 --- a/thirdparty/rr/plugins/appinitdlls.pl +++ /dev/null 
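Review bot: In `wgetcwd()` the test `if os.getcwd == tst:` compares the function object `os.getcwd` with the bytes returned by cygpath, so it is always false, the `return os.getcwd` branch (which would hand back a function rather than a path) is dead, and `cygpath` is always spawned twice. Because the script runs under python3 (`nxtproc.append("python3")` in the preceding hunk) even `os.getcwd() == tst` would be a str-vs-bytes comparison, so the honest fix is to drop the branch and keep one call: `out, err = proc.communicate()` then `return out.rstrip()`, checking `proc.returncode` (and catching `OSError` for a missing `cygpath` on PATH) before trusting `out`, since `make_local_path` splices this value into every path the tester builds. Passing the argv tuple to `Popen` without `shell=True` is the right pattern here, so the cwd is not shell-interpreted. A related off-by-one in `get_word_at`: `if len(words) >= n:` admits `n == len(words)`, where `words[n]` raises IndexError instead of returning `""`; it should read `if len(words) > n:`.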
@@ -1,61 +0,0 @@
-#-----------------------------------------------------------
-# appinitdlls
-#
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package appinitdlls;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 1,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets contents of AppInit_DLLs value";
-}
-sub getDescr{}
-sub getRefs {
- my %refs = ("Working with the AppInit_DLLs Reg Value" =>
- "http://support.microsoft.com/kb/q197571");
- return %refs;
-}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching appinitdlls v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\Windows';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("AppInit_DLLs");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- foreach my $v (@vals) {
- my $name = $v->get_name();
- if ($name eq "AppInit_DLLs") {
- my $data = $v->get_data();
- $data = "{blank}" if ($data eq "");
- ::rptMsg($name." -> ".$data);
- }
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/apppaths.pl b/thirdparty/rr/plugins/apppaths.pl
deleted file mode 100644
index 85e00aab25..0000000000
--- a/thirdparty/rr/plugins/apppaths.pl
+++ /dev/null
@@ -1,83 +0,0 @@
-#-----------------------------------------------------------
-# apppaths
-# Gets contents of App Paths subkeys from the Software hive,
-# diplaying the EXE name and path; all entries are sorted by
-# LastWrite time
-#
-# References
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package apppaths;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 1,
- version => 20080404);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Gets content of App Paths key";
-}
-sub getDescr{}
-sub getRefs {
- my %refs = ("You cannot open Help and Support Center in Windows XP" =>
- "http://support.microsoft.com/kb/888018",
- "Another installation program starts..." =>
- "http://support.microsoft.com/kb/888470");
- return %refs;
-}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching apppaths v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Windows\\CurrentVersion\\App Paths";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("App Paths");
- ::rptMsg($key_path);
- ::rptMsg("");
- my %apps;
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
-
- my $name = $s->get_name();
- my $lastwrite = $s->get_timestamp();
- my $path;
- eval {
- $path = $s->get_value("")->get_data();
- };
- push(@{$apps{$lastwrite}},$name." [".$path."]");
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %apps) {
- ::rptMsg(gmtime($t)." (UTC)");
- foreach my $item (@{$apps{$t}}) {
- ::rptMsg(" $item");
- }
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- ::logMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." 
not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/autopsy b/thirdparty/rr/plugins/autopsy
deleted file mode 100644
index 49ef69b395..0000000000
--- a/thirdparty/rr/plugins/autopsy
+++ /dev/null
@@ -1,8 +0,0 @@
-# List of plugins for the Registry Ripper
-
-#-------------------------------------
-# NTUSER.DAT
-autopsylogin
-autopsyrecentdocs
-arunmru
-autopsyshellfolders
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/autopsylogin.pl b/thirdparty/rr/plugins/autopsylogin.pl
deleted file mode 100644
index 5f83827176..0000000000
--- a/thirdparty/rr/plugins/autopsylogin.pl
+++ /dev/null
@@ -1,70 +0,0 @@
-#! c:\perl\bin\perl.exe
-#-----------------------------------------------------------
-# logonusername.pl
-# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
-# "Logon User Name" value
-#
-# Change history
-#
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package autopsylogin;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get user's Logon User Name value";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- #::logMsg("||logonusername||");
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $logon_name = "Username";
-
- my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- #::rptMsg("Logon User Name");
- #::rptMsg($key_path);
- ::rptMsg("");
- ::rptMsg("");
- foreach my $v (@vals) {
- if ($v->get_name() eq $logon_name) {
- ::rptMsg(" ".$v->get_data() ."");
- }
- }
- ::rptMsg("");
- }
- else {
- #::rptMsg($key_path." has no values.");
- #::logMsg($key_path." has no values.");
- }
- }
- else {
- #::rptMsg($key_path." not found.");
- #::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/autopsyrecentdocs.pl b/thirdparty/rr/plugins/autopsyrecentdocs.pl
deleted file mode 100644
index 34e3bf1034..0000000000
--- a/thirdparty/rr/plugins/autopsyrecentdocs.pl
+++ /dev/null
@@ -1,161 +0,0 @@ -#----------------------------------------------------------- -# recentdocs.pl -# Plugin for Registry Ripper -# Parses RecentDocs keys/values in NTUSER.DAT -# -# Change history -# 20100405 - Updated to use Encode::decode to translate strings -# 20090115 - Minor update to keep plugin from printing terminating -# MRUListEx value of 0xFFFFFFFF -# 20080418 - Minor update to address NTUSER.DAT files that have -# MRUList values in this key, rather than MRUListEx -# values -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package autopsyrecentdocs; -use strict; -use Encode; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100405); - -sub getShortDescr { - return "Gets contents of user's RecentDocs key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - #::logMsg("||recentdocs||"); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - #::rptMsg("RecentDocs"); - #::rptMsg("**All values printed in MRUList\\MRUListEx order."); - #::rptMsg($key_path); - ::rptMsg(""); -# Get RecentDocs values - my %rdvals = getRDValues($key); - if (%rdvals) { - my $tag; - if (exists $rdvals{"MRUListEx"}) { - $tag = "MRUListEx"; - } - elsif (exists $rdvals{"MRUList"}) { - $tag = "MRUList"; - } - else { - - } - - my @list = split(/,/,$rdvals{$tag}); - foreach my $i (@list) { - ::rptMsg("".$i." = ".$rdvals{$i} . ""); - } - - } - else { - #::rptMsg($key_path." has no values."); - #::logMsg("Error: ".$key_path." 
has no values."); - } - ::rptMsg(""); -# Get RecentDocs subkeys' values - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); - - my %rdvals = getRDValues($s); - if (%rdvals) { - my $tag; - if (exists $rdvals{"MRUListEx"}) { - $tag = "MRUListEx"; - } - elsif (exists $rdvals{"MRUList"}) { - $tag = "MRUList"; - } - else { - - } - - my @list = split(/,/,$rdvals{$tag}); - ::rptMsg($tag." = ".$rdvals{$tag}); - foreach my $i (@list) { - ::rptMsg(" ".$i." = ".$rdvals{$i}); - } - - ::rptMsg(""); - } - else { - #::rptMsg($key_path." has no values."); - } - } - } - else { - #::rptMsg($key_path." has no subkeys."); - } - } - else { - #::rptMsg($key_path." not found."); - } -} - - -sub getRDValues { - my $key = shift; - - my $mru = "MRUList"; - my %rdvals; - - my @vals = $key->get_list_of_values(); - if (scalar @vals > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - if ($name =~ m/^$mru/) { - my @mru; - if ($name eq "MRUList") { - @mru = split(//,$data); - } - elsif ($name eq "MRUListEx") { - @mru = unpack("V*",$data); - } -# Horrible, ugly cludge; the last, terminating value in MRUListEx -# is 0xFFFFFFFF, so we remove it. - pop(@mru); - $rdvals{$name} = join(',',@mru); - } - else { -# New code - $data = decode("ucs-2le", $data); - my $file = (split(/\00/,$data))[0]; -# my $file = (split(/\00\00/,$data))[0]; -# $file =~ s/\00//g; - $rdvals{$name} = $file; - } - } - return %rdvals; - } - else { - return undef; - } -} - -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/autopsyshellfolders.pl b/thirdparty/rr/plugins/autopsyshellfolders.pl deleted file mode 100644 index de3115f9dd..0000000000 --- a/thirdparty/rr/plugins/autopsyshellfolders.pl +++ /dev/null 
@@ -1,72 +0,0 @@ -#----------------------------------------------------------- -# shellfolders.pl -# -# Retrieve the Shell Folders values from user's hive; while -# this may not be important in every instance, it may give the -# examiner indications as to where to look for certain items; -# for example, if the user's "My Documents" folder has been redirected -# as part of configuration changes (corporate policies, etc.). Also, -# this may be important as part of data leakage exams, as XP and Vista -# allow users to drop and drag files to the CD Burner. -# -# References: -# http://support.microsoft.com/kb/279157 -# http://support.microsoft.com/kb/326982 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package autopsyshellfolders; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090115); - -sub getConfig{return %config} - -sub getShortDescr { - return "Retrieve user Shell Folders values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - #::logMsg("Launching shellfolders v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg(""); - - my @vals = $key->get_list_of_values(); - ::rptMsg(""); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $str = sprintf "%-20s %-40s","get_name()."\">",$v->get_data().""; - ::rptMsg($str); - } - ::rptMsg(""); - } - else { - #::rptMsg($key_path." has no values."); - } - ::rptMsg(""); - } - else { - #::rptMsg($key_path." not found."); - #::logMsg($key_path." 
not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/autopsysoftware b/thirdparty/rr/plugins/autopsysoftware
deleted file mode 100644
index 5d94ff6883..0000000000
--- a/thirdparty/rr/plugins/autopsysoftware
+++ /dev/null
@@ -1,6 +0,0 @@
- List of plugins for the Registry Ripper
-
-#-------------------------------------
-# SOFTWARE
-autopsywinver
-autopsyuninstall
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/autopsyuninstall.pl b/thirdparty/rr/plugins/autopsyuninstall.pl
deleted file mode 100644
index 1cff08cf14..0000000000
--- a/thirdparty/rr/plugins/autopsyuninstall.pl
+++ /dev/null
@@ -1,92 +0,0 @@ -#----------------------------------------------------------- -# uninstall.pl -# Gets contents of Uninstall key from Software hive; sorts -# display names based on key LastWrite time -# -# References: -# http://support.microsoft.com/kb/247501 -# http://support.microsoft.com/kb/314481 -# http://msdn.microsoft.com/en-us/library/ms954376.aspx -# -# Change History: -# 20100116 - Minor updates -# 20090413 - Extract DisplayVersion info -# 20090128 - Added references -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package autopsyuninstall; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets contents of Uninstall key from Software hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - #::logMsg("Launching uninstall v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Uninstall'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - #::rptMsg("Uninstall"); - #::rptMsg($key_path); - #::rptMsg(""); - ::rptMsg(""); - ::rptMsg(""); - ::rptMsg(""); - my %uninst; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $lastwrite = $s->get_timestamp(); - my $display; - eval { - $display = $s->get_value("DisplayName")->get_data(); - }; - $display = $s->get_name() if ($display eq ""); - - my $ver; - eval { - $ver = $s->get_value("DisplayVersion")->get_data(); - }; - $display .= " v\.".$ver unless ($@); - - push(@{$uninst{$lastwrite}},$display); - } - foreach my $t (reverse sort {$a <=> $b} keys %uninst) { - ::rptMsg(""); 
- foreach my $item (@{$uninst{$t}}) { - ::rptMsg($item.""); - } - #::rptMsg(""); - } - } - else { - #::rptMsg($key_path." has no subkeys."); - } - } - else { - #::rptMsg($key_path." not found."); - } - ::rptMsg(""); -} -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/autopsywinver.pl b/thirdparty/rr/plugins/autopsywinver.pl deleted file mode 100644 index a13795b6b6..0000000000 --- a/thirdparty/rr/plugins/autopsywinver.pl +++ /dev/null 
@@ -1,109 +0,0 @@ -#----------------------------------------------------------- -# winver.pl -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package autopsywinver; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081210); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get Windows version"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - #::logMsg("Launching winver v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - ::rptMsg(""); - ::rptMsg(""); - ::rptMsg(""); - my $key_path = "Microsoft\\Windows NT\\CurrentVersion"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("{name}"); -# ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - - my $prod; - eval { - $prod = $key->get_value("ProductName")->get_data(); - }; - if ($@) { -# ::rptMsg("ProductName value not found."); - } - else { - ::rptMsg("".$prod .""); - } - - my $csd; - eval { - $csd = $key->get_value("CSDVersion")->get_data(); - }; - if ($@) { -# ::rptMsg("CSDVersion value not found."); - } - else { - ::rptMsg("".$csd.""); - } - - - my $build; - eval { - $build = $key->get_value("BuildName")->get_data(); - }; - if ($@) { -# ::rptMsg("BuildName value not found."); - } - else { - ::rptMsg("".$build.""); - } - - my $buildex; - eval { - $buildex = $key->get_value("BuildNameEx")->get_data(); - }; - if ($@) { -# ::rptMsg("BuildName value not found."); - } - else { - ::rptMsg("".$buildex.""); - } - - - my $install; - eval { - $install = $key->get_value("InstallDate")->get_data(); - }; - if ($@) { -# ::rptMsg("InstallDate value not found."); - } - else { - ::rptMsg("".gmtime($install).""); - } - - - } - else { - #::rptMsg($key_path." not found."); - #::logMsg($key_path." not found."); - } - ::rptMsg(""); -} -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/bagtest.pl b/thirdparty/rr/plugins/bagtest.pl deleted file mode 100644 index cdc5600d5c..0000000000 --- a/thirdparty/rr/plugins/bagtest.pl +++ /dev/null 
@@ -1,170 +0,0 @@ -#----------------------------------------------------------- -# bagtest.pl -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bagtest; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090828); - -sub getConfig{return %config} - -sub getShortDescr { - return "Test -- BagMRU"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching bagtest v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\Shell\\BagMRU"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $subtree_iter = $key->get_subtree_iterator; - while (my ($k, $val) = $subtree_iter->get_next) { - if (defined $val) { - next unless ($val->get_name() =~ m/^\d+/); - - my $path; - my $data = $val->get_data(); - my $size = unpack("v",substr($data,0,20)); - my $type = unpack("C",substr($data,2,1)); - my $name = (split(/BagMRU/,$k->get_path()))[1]; - - if ($type == 0x47 || $type == 0x46 || $type == 0x42 || $type == 0x41 || - $type == 0xc3) { - - my $str1 = getStrings1($data); - $path = $str1; - - } - elsif ($type == 0x31 || $type == 0x32) { - my($ascii,$uni) = getStrings2($data); - $path = $uni; - } - elsif ($type == 0x2f) { -# bytes 3-5 of $data contain a drive letter - $path = substr($data,0x03,3); - } - else { -# Nothing - } -# my $str = sprintf "%-30s %-3s %-4s 0x%x",$name."\\".$val->get_name(),$size,length($data),$type; - my $str = sprintf "%-25s ".$path,$name."\\".$val->get_name(); - ::rptMsg($str); - - } - else { - - } - } - } - else { - 
::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -#sub getStrings1 { -# my $data = shift; -# my $str; -# my $cursor = 0x05; -# my $tag = 1; -# -# while($tag) { -# my $byte = substr($data,$cursor,1); -# if (unpack("C",$byte) == 0x00) { -# $tag = 0; -# } -# else { -# $str .= $byte; -# $cursor += 1; -# } -# } -# return $str; -#} - -sub getStrings1 { - my $data = shift; - my $d = substr($data,0x05,length($data) - 1); - $d =~ s/\00/-/g; - $d =~ s/[[:cntrl:]]//g; - - my @t = split(/-/,$d); - - my @s; - for my $i (1..scalar(@t) - 1) { - push(@s,$t[$i]) if (length($t[$i]) > 2); - } - - return $t[0]." (".join(',',@s).")"; -} - -sub getStrings2 { -# ASCII short name starts at 0x0E, and is \00 terminated; 0x14 bytes -# after that is the null-term Unicode name - my $data = shift; - my ($ascii,$uni); - my $cursor = 0x0e; - my $tag = 1; - - while($tag) { - my $byte = substr($data,$cursor,1); - if (unpack("C",$byte) == 0x00) { - $tag = 0; - } - else { - $ascii .= $byte; - $cursor += 1; - } - } - - $cursor += 0x14; - - $uni = substr($data,$cursor,length($data) - 1); - $uni =~ s/\00//g; - $uni =~ s/[[:cntrl:]]//g; - return ($ascii,$uni); -} - -1; - - - - - -# Original code to traverse through values and subkeys -# Retain for legacy code purposes -#sub traverse { -# my $key = shift; -# -# foreach my $val ($key->get_list_of_values()) { -# next unless ($val->get_name() =~ m/\d+/); -# -# ::rptMsg($val->get_name()); -# -# } -# -# foreach my $subkey ($key->get_list_of_subkeys()) { -# traverse($subkey); -# } -#} \ No newline at end of file diff --git a/thirdparty/rr/plugins/bagtest2.pl b/thirdparty/rr/plugins/bagtest2.pl deleted file mode 100644 index 59716d2fd8..0000000000 --- a/thirdparty/rr/plugins/bagtest2.pl +++ /dev/null 
@@ -1,161 +0,0 @@ -#----------------------------------------------------------- -# bagtest2.pl -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bagtest2; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090828); - -sub getConfig{return %config} - -sub getShortDescr { - return "Test -- BagMRU"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %bagmru; -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching bagtest v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\Shell\\BagMRU"; - my $key; - - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - traverse($key); - - foreach my $i (sort keys %bagmru) { - my $str = sprintf "%-30s ".$bagmru{$i},$i; - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - -sub traverse { - my $key = shift; - my $name = (split(/BagMRU/,$key->get_path()))[1]; - - my @bags; - - foreach my $val ($key->get_list_of_values()) { - next unless ($val->get_name() =~ m/\d+/); - - my $path; - my $data = $val->get_data(); - my $size = unpack("v",substr($data,0,20)); - my $type = unpack("C",substr($data,2,1)); - - - if ($type == 0x47 || $type == 0x46 || $type == 0x42 || $type == 0x41 || - $type == 0xc3) { - - my $str1 = getStrings1($data); - $path = $str1; - - } - elsif ($type == 0x31 || $type == 0x32 || $type == 0xb1) { - my($ascii,$uni) = getStrings2($data); - $path = $uni; - } - elsif ($type == 0x2f) { -# bytes 3-5 of $data contain a drive letter - $path = substr($data,0x03,3); - } - else { -# Nothing - } - $bagmru{$name."\\".$val->get_name()} = $path; - } - - foreach my $subkey ($key->get_list_of_subkeys()) { - traverse($subkey); - } -} - - -sub getStrings1 { - my $data = shift; - my $d = substr($data,0x05,length($data) - 1); - $d =~ s/\00/-/g; - $d =~ s/[[:cntrl:]]//g; - - my @t = split(/-/,$d); - - my @s; - for my $i (1..scalar(@t) - 1) { - push(@s,$t[$i]) if (length($t[$i]) > 2); - } - - return $t[0]." 
(".join(',',@s).")"; -} - -sub getStrings2 { -# ASCII short name starts at 0x0E, and is \00 terminated; 0x14 bytes -# after that is the null-term Unicode name - my $data = shift; - my ($ascii,$uni); - my $cursor = 0x0e; - my $tag = 1; - - while($tag) { - my $byte = substr($data,$cursor,1); - if (unpack("C",$byte) == 0x00) { - $tag = 0; - } - else { - $ascii .= $byte; - $cursor += 1; - } - } - - $cursor += 0x14; - - if ($ascii eq "RECENT") { - $uni = substr($data,$cursor,length($data) - 1); - $uni =~ s/\00//g; - $uni =~ s/[[:cntrl:]]//g; - } - else { - my $tag = 1; - my $count = 0; - while($tag) { - my $byte = substr($data,$cursor,2); - if ($count > 2 && unpack("v",$byte) == 0x00) { - $tag = 0; - } - else { - $uni .= $byte; - $count++; - $cursor += 2; - } - } - $uni =~ s/\00//g; - $uni =~ s/[[:cntrl:]]//g; - } - return ($ascii,$uni); -} - -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/bho.pl b/thirdparty/rr/plugins/bho.pl deleted file mode 100644 index be3b8f6c85..0000000000 --- a/thirdparty/rr/plugins/bho.pl +++ /dev/null 
@@ -1,107 +0,0 @@ -#----------------------------------------------------------- -# bho -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bho; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080418); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Browser Helper Objects from Software hive"; -} -sub getDescr{} -sub getRefs { - my %refs = ("Browser Helper Objects" => - "http://msdn2.microsoft.com/en-us/library/bb250436.aspx"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %bhos; - ::logMsg("Launching bho v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects";; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Browser Helper Objects"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next if ($name =~ m/^-/); - my $clsid_path = "Classes\\CLSID\\".$name; - my $clsid; - if ($clsid = $root_key->get_subkey($clsid_path)) { - my $class; - my $mod; - my $lastwrite; - - eval { - $class = $clsid->get_value("")->get_data(); - $bhos{$name}{class} = $class; - }; - if ($@) { - ::logMsg("\tError getting Class name for CLSID\\".$name); - ::logMsg("\t".$@); - } - eval { - $mod = $clsid->get_subkey("InProcServer32")->get_value("")->get_data(); - $bhos{$name}{module} = $mod; - }; - if ($@) { - ::logMsg("\tError getting Module name for CLSID\\".$name); - ::logMsg("\t".$@); - } - eval{ - $lastwrite = $clsid->get_subkey("InProcServer32")->get_timestamp(); - $bhos{$name}{lastwrite} = $lastwrite; - }; - if ($@) { - ::logMsg("\tError getting LastWrite time for CLSID\\".$name); - ::logMsg("\t".$@); - } - - foreach my $b (keys %bhos) { - ::rptMsg($b); - ::rptMsg("\tClass => ".$bhos{$b}{class}); - ::rptMsg("\tModule => ".$bhos{$b}{module}); - ::rptMsg("\tLastWrite => ".gmtime($bhos{$b}{lastwrite})); - ::rptMsg(""); - } - } - else { - ::rptMsg($clsid_path." not found."); - ::rptMsg(""); - ::logMsg($clsid_path." not found."); - } - } - } - else { - ::rptMsg($key_path." has no subkeys. No BHOs installed."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/comdlg32.pl b/thirdparty/rr/plugins/comdlg32.pl deleted file mode 100644 index 61cda3c1e6..0000000000 --- a/thirdparty/rr/plugins/comdlg32.pl +++ /dev/null 
@@ -1,145 +0,0 @@ -#----------------------------------------------------------- -# comdlg32.pl -# Plugin for Registry Ripper -# -# Change history -# 20100402 - updated IAW Chad Tilbury's post to SANS -# Forensic Blog -# 20080324 - created -# -# References -# Win2000 - http://support.microsoft.com/kb/319958 -# XP - http://support.microsoft.com/kb/322948/EN-US/ -# -# copyright 20100402 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package comdlg32; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100402); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's ComDlg32 key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching comdlg32 v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("comdlg32 v.".$VERSION); - -# LastVistedMRU - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ComDlg32\\LastVisitedMRU"); - ::rptMsg("**All values printed in MRUList order."); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - - my %lvmru; - my @mrulist; - @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUList}) { - ::rptMsg(" MRUList = ".$lvmru{MRUList}); - @mrulist = split(//,$lvmru{MRUList}); - delete($lvmru{MRUList}); - foreach my $m (@mrulist) { - my ($file,$dir) = split(/\00\00/,$lvmru{$m},2); - $file =~ s/\00//g; - $dir =~ s/\00//g; - ::rptMsg(" ".$m." -> EXE: ".$file); - ::rptMsg(" -> Last Dir: ".$dir); - } - } - else { - ::rptMsg($key_path." does not have an MRUList value."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - -# OpenSaveMRU - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ComDlg32\\OpenSaveMRU"); - ::rptMsg("**All values printed in MRUList order."); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); -# First, process OpenSaveMRU key values - parseOpenSaveValues($key); - ::rptMsg(""); -# Now, let's get the subkeys - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - parseOpenSaveValues($s); - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -sub parseOpenSaveValues { - my $key = shift; - ::rptMsg("OpenSaveMRU\\".$key->get_name()); - ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." 
Z"); - my %osmru; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - map{$osmru{$_->get_name()} = $_->get_data()}(@vals); - if (exists $osmru{MRUList}) { - ::rptMsg(" MRUList = ".$osmru{MRUList}); - my @mrulist = split(//,$osmru{MRUList}); - delete($osmru{MRUList}); - foreach my $m (@mrulist) { - ::rptMsg(" ".$m." -> ".$osmru{$m}); - } - } - else { - ::rptMsg($key->get_name()." does not have an MRUList value."); - } - } - else { - ::rptMsg($key->get_name()." has no values."); - } -} - - -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/comdlg32a.pl b/thirdparty/rr/plugins/comdlg32a.pl deleted file mode 100644 index 0187b945d5..0000000000 --- a/thirdparty/rr/plugins/comdlg32a.pl +++ /dev/null 
@@ -1,225 +0,0 @@
-#-----------------------------------------------------------
-# comdlg32a.pl
-# Plugin for Registry Ripper
-#
-# Change history
-# 20100409 - updated to include Vista and above
-# 20100402 - updated IAW Chad Tilbury's post to SANS
-# Forensic Blog
-# 20080324 - created
-#
-# References
-# Win2000 - http://support.microsoft.com/kb/319958
-# XP - http://support.microsoft.com/kb/322948/EN-US/
-#
-# copyright 20100402 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package comdlg32a;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100409);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets contents of user's ComDlg32 key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching comdlg32a v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
- ::rptMsg("comdlg32 v.".$VERSION);
-
-# LastVistedMRU
- my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32";
- my $key;
- my @vals;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my @subkeys = $key->get_list_of_subkeys();
-
- if (scalar @subkeys > 0) {
- foreach my $s (@subkeys) {
- parseLastVisitedMRU($s) if ($s->get_name() eq "LastVisitedMRU");
- parseOpenSaveMRU($s) if ($s->get_name() eq "OpenSaveMRU");
- }
- }
- else {
- ::rptMsg($key_path." 
has no subkeys.");
- }
- }
-}
-
-sub parseLastVisitedMRU {
- my $key = shift;
- my %lvmru;
- my @mrulist;
- my @vals = $key->get_list_of_values();
-
- if (scalar(@vals) > 0) {
-# First, read in all of the values and the data
- foreach my $v (@vals) {
- $lvmru{$v->get_name()} = $v->get_data();
- }
-# Then, remove the MRUList value
- if (exists $lvmru{MRUList}) {
- ::rptMsg(" MRUList = ".$lvmru{MRUList});
- @mrulist = split(//,$lvmru{MRUList});
- delete($lvmru{MRUList});
- foreach my $m (@mrulist) {
- my ($file,$dir) = split(/\00\00/,$lvmru{$m},2);
- $file =~ s/\00//g;
- $dir =~ s/\00//g;
- ::rptMsg(" ".$m." -> EXE: ".$file);
- ::rptMsg(" -> Last Dir: ".$dir);
- }
- }
- else {
- ::rptMsg("LastVisitedMRU key does not have an MRUList value.");
- }
- }
- else {
- ::rptMsg("LastVisitedMRU key has no values.");
- }
- ::rptMsg("");
-}
-
-sub parseOpenSaveMRU {
- my $key = shift;
-
- parseOpenSaveValues($key);
- ::rptMsg("");
-# Now, let's get the subkeys
- my @sk = $key->get_list_of_subkeys();
- if (scalar(@sk) > 0) {
- foreach my $s (@sk) {
- parseOpenSaveValues($s);
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg("OpenSaveMRU key has no subkeys.");
- }
- ::rptMsg("");
-}
-
-sub parseOpenSaveValues {
- my $key = shift;
- ::rptMsg("OpenSaveMRU\\".$key->get_name());
- ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." Z");
- my %osmru;
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- map{$osmru{$_->get_name()} = $_->get_data()}(@vals);
- if (exists $osmru{MRUList}) {
- ::rptMsg(" MRUList = ".$osmru{MRUList});
- my @mrulist = split(//,$osmru{MRUList});
- delete($osmru{MRUList});
- foreach my $m (@mrulist) {
- ::rptMsg(" ".$m." -> ".$osmru{$m});
- }
- }
- else {
- ::rptMsg($key->get_name()." does not have an MRUList value.");
- }
- }
- else {
- ::rptMsg($key->get_name()." 
has no values.");
- }
-}
-
-sub parseCIDSizeMRU {
- my $key = shift;
- my %lvmru;
- my @mrulist;
- my @vals = $key->get_list_of_values();
-
- if (scalar(@vals) > 0) {
-# First, read in all of the values and the data
- foreach my $v (@vals) {
- $lvmru{$v->get_name()} = $v->get_data();
- }
-# Then, remove the MRUList value
- if (exists $lvmru{MRUListEx}) {
- delete($lvmru{MRUListEx});
- foreach my $m (keys %lvmru) {
- my $file = parseStr($lvmru{$m});
- my $str = sprintf "%-4s ".$file,$m;
- ::rptMsg(" ".$str);
- }
- }
- else {
- ::rptMsg($key_path." does not have an MRUList value.");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
-}
-
-
-sub parseLastVisitedPidlMRU {
- my $key = shift;
- my %lvmru;
- my @mrulist;
- @vals = $key->get_list_of_values();
-
- if (scalar(@vals) > 0) {
-# First, read in all of the values and the data
- foreach my $v (@vals) {
- $lvmru{$v->get_name()} = $v->get_data();
- }
-# Then, remove the MRUList value
- if (exists $lvmru{MRUListEx}) {
- delete($lvmru{MRUListEx});
- foreach my $m (keys %lvmru) {
- my $file = parseStr($lvmru{$m});
- my $str = sprintf "%-4s ".$file,$m;
- ::rptMsg(" ".$str);
- }
- }
- else {
- ::rptMsg("LastVisitedPidlMRU key does not have an MRUList value.");
- }
- }
- else {
- ::rptMsg("LastVisitedPidlMRU key has no values.");
- }
-}
-
-sub parseStr {
- my $data = $_[0];
- my $temp;
- my $tag = 1;
- my $ofs = 0;
-
- while ($tag) {
- my $t = substr($data,$ofs,2);
- if (unpack("v",$t) == 0x00) {
- $tag = 0;
- }
- else {
- $temp .= $t;
- $ofs += 2;
- }
- }
- $temp =~ s/\00//g;
- return $temp;
-}
-
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/crashdump.pl b/thirdparty/rr/plugins/crashdump.pl
deleted file mode 100644
index eea639e827..0000000000
--- a/thirdparty/rr/plugins/crashdump.pl
+++ /dev/null
@@ -1,115 +0,0 @@
-#-----------------------------------------------------------
-# crashdump.pl
-# Author: Don C. Weber
-# Plugin for Registry Ripper; Access System hive file to get the
-# crashdump settings from System hive
-#
-# Change history
-#
-#
-# References
-# Overview of memory dump file options for Windows Server 2003, Windows XP, and Windows 2000: http://support.microsoft.com/kb/254649/
-#
-# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
-#-----------------------------------------------------------
-package crashdump;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20081219);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets crashdump settings from System hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching crashdump v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
- my $win_path = $ccs."\\Control\\CrashControl";
- my $win;
- if ($win = $root_key->get_subkey($win_path)) {
- ::rptMsg("CrashControl Configuration");
- ::rptMsg($win_path);
- ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)");
- }
- else {
- ::rptMsg($win_path." not found.");
- }
-
- my %vals = getKeyValues($win);
- if (scalar(keys %vals) > 0) {
- foreach my $v (keys %vals) {
- if ($v eq "CrashDumpEnabled"){
- if ($vals{$v} == 0x00){
- ::rptMsg("\t".$v." 
-> None");
- } elsif ($vals{$v} == 0x01){
- ::rptMsg("\t".$v." -> Complete memory dump");
- } elsif ($vals{$v} == 0x02){
- ::rptMsg("\t".$v." -> Kernel memory dump");
- } elsif ($vals{$v} == 0x03){
- ::rptMsg("\t".$v." -> Small memory dump (64KB)");
- } else{
- ::rptMsg($v." has no value.");
- }
- }else{
- if (($v eq "MinidumpDir") || ($v eq "DumpFile")){
- ::rptMsg("\t".$v." location ".$vals{$v});
- } else{
- ($vals{$v}) ? ::rptMsg("\t".$v." is Enabled") : ::rptMsg("\t".$v." is Disabled");
- }
- }
- }
- }
- else {
-# ::rptMsg($key_path." has no values.");
- }
- ::rptMsg("");
- ::rptMsg("Analysis Tips: For crash dump information and tools check http://support.microsoft.com/kb/254649/");
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-sub getKeyValues {
- my $key = shift;
- my %vals;
-
- my @vk = $key->get_list_of_values();
- if (scalar(@vk) > 0) {
- foreach my $v (@vk) {
- next if ($v->get_name() eq "" && $v->get_data() eq "");
- $vals{$v->get_name()} = $v->get_data();
- }
- }
- else {
-
- }
- return %vals;
-}
-
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/ie_settings.pl b/thirdparty/rr/plugins/ie_settings.pl
deleted file mode 100644
index fd3ee3857e..0000000000
--- a/thirdparty/rr/plugins/ie_settings.pl
+++ /dev/null
@@ -1,72 +0,0 @@
-#! c:\perl\bin\perl.exe
-#-----------------------------------------------------------
-# ie_settings.pl
-# Gets IE settings
-#
-# Change history
-#
-#
-# References
-#
-#
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package ie_settings;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 1,
- osmask => 22,
- version => 20091016);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets IE settings";
-}
-sub getDescr{}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching ie_settings v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
-# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my $ua;
- eval {
- $ua = $key->get_value("User Agent")->get_data();
- ::rptMsg("User Agent = ".$ua);
- };
-
- my $zonessecupgrade;
- eval {
- $zonessecupgrade = $key->get_value("ZonesSecurityUpgrade")->get_data();
- my ($z0,$z1) = unpack("VV",$zonessecupgrade);
- ::rptMsg("ZonesSecurityUpgrade = ".gmtime(::getTime($z0,$z1))." (UTC)");
- };
-
- my $daystokeep;
- eval {
- $daystokeep = $key->get_subkey("Url History")->get_value("DaysToKeep")->get_data();
- ::rptMsg("DaysToKeep = ".$daystokeep);
- };
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/imagefile.pl b/thirdparty/rr/plugins/imagefile.pl
deleted file mode 100644
index 1f31f674b7..0000000000
--- a/thirdparty/rr/plugins/imagefile.pl
+++ /dev/null
@@ -1,99 +0,0 @@
-#-----------------------------------------------------------
-# imagefile
-#
-# References:
-# http://msdn2.microsoft.com/en-us/library/a329t4ed(VS\.80)\.aspx
-# http://support.microsoft.com/kb/2264107
-#
-# Change history:
-# 20100824 - added check for "CWDIllegalInDllSearch" value
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package imagefile;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100824);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Checks IFEO subkeys for Debugger/CWDIllegalInDllSearch values";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching imagefile v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("Image File Execution Options");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)");
- ::rptMsg("");
-
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- my %debug;
- my $i = "Your Image File Name here without a path";
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
- next if ($name =~ m/^$i/i);
- my $debugger = "";
- eval {
- $debugger = $s->get_value("Debugger")->get_data();
- };
-# If the eval{} throws an error, it's b/c the Debugger value isn't
-# found within the key, so we don't need to do anything w/ the error
- if ($debugger ne "") {
- $debug{$name}{debug} = $debugger;
- $debug{$name}{lastwrite} = $s->get_timestamp();
- }
-
- my $dllsearch = "";
- eval {
- $dllsearch = $s->get_value("CWDIllegalInDllSearch")->get_data();
- };
-# If the eval{} throws an error, it's b/c the Debugger value isn't
-# found within the key, so we don't need to do anything w/ the error
- if ($dllsearch ne "") {
- $debug{$name}{dllsearch} = $debugger;
- $debug{$name}{lastwrite} = $s->get_timestamp();
- }
- }
-
- if (scalar (keys %debug) > 0) {
- foreach my $d (keys %debug) {
- ::rptMsg($d." LastWrite: ".gmtime($debug{$d}{lastwrite}));
- ::rptMsg(" Debugger : ".$debug{$d}{debug}) if (exists $debug{$d}{debug});
- ::rptMsg(" CWDIllegalInDllSearch: ".$debug{$d}{dllsearch}) if (exists $debug{$d}{dllsearch});
- }
- }
- else {
- ::rptMsg("No Debugger/CWDIllegalInDllSearch values found.");
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- ::logMsg($key_path." has no subkeys");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/installedcomp.pl b/thirdparty/rr/plugins/installedcomp.pl
deleted file mode 100644
index 9fd730301f..0000000000
--- a/thirdparty/rr/plugins/installedcomp.pl
+++ /dev/null
@@ -1,120 +0,0 @@
-#-----------------------------------------------------------
-# installedcomp.pl
-# Get info about Installed Components
-#
-# Change history:
-# 20100116 - updated for slightly better coverage
-# 20100115 - created
-#
-# References:
-#
-# Notes: Look for out of place entries, particularly those
-# that point to the Recycle Bin or a temp directory
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package installedcomp;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20100116);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get info about Installed Components/StubPath";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-my %comp;
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching installedcomp v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Active Setup\\Installed Components";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)");
- ::rptMsg("");
-
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
- my $lastwrite = $s->get_timestamp();
-
- my $str;
- eval {
- $str = $s->get_value("ComponentID")->get_data();
- };
-
- eval {
- my $ver = $s->get_value("Version")->get_data();
- $str .= " v.".$ver if ($ver && $s->get_value("Version")->get_type() == 1);
- };
-
- eval {
- my $stub = $s->get_value("StubPath")->get_data();
- $str .= "; ".$stub if ($stub ne "");
- };
-
-# If the $str scalar is empty at this point, that means that for
-# some reason, we haven't been able to populate the information
-# we're looking for; in this case, we'll go looking for some info
-# in a different area of the hive; the BHO.pl plugin does this, as
-# well. I'd rather that the plugin look for the Classes info than
-# leave a blank entry in the output.
- if ($str eq "") {
- my $name = $s->get_name();
- my $class_path = "Classes\\CLSID\\".$name;
- my $proc;
- if ($proc = $root_key->get_subkey($class_path)) {
-# Try these two eval{} statements because I've seen the different
-# spellings for InProcServer32/InprocServer32 in sequential keys
- eval {
- $str = $proc->get_subkey("InprocServer32")->get_value("")->get_data();
- };
-
- eval {
- $str = $proc->get_subkey("InProcServer32")->get_value("")->get_data();
- };
- }
- else {
- $str = $name." class not found.";
- }
- }
-
- push(@{$comp{$lastwrite}},$str);
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %comp) {
- ::rptMsg(gmtime($t)." (UTC)");
- foreach my $item (@{$comp{$t}}) {
- ::rptMsg(" ".$item);
- }
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/landesk.pl b/thirdparty/rr/plugins/landesk.pl
deleted file mode 100644
index d3dd8c5320..0000000000
--- a/thirdparty/rr/plugins/landesk.pl
+++ /dev/null
@@ -1,71 +0,0 @@
-#-----------------------------------------------------------
-# LANDESK Monitor Logs
-#
-#
-# Change history
-# 20090729 - updates, H. Carvey
-#
-# copyright 2009 Don C. Weber
-#-----------------------------------------------------------
-package landesk;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090729);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get list of programs monitored by LANDESK from Software hive file";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-my %ls;
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching LANDESK v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "LANDesk\\ManagementSuite\\WinClient\\SoftwareMonitoring\\MonitorLog";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("");
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
- eval {
- my ($val1,$val2) = unpack("VV",$s->get_value("Last Started")->get_data());
-# Push the data into a hash of arrays
- push(@{$ls{::getTime($val1,$val2)}},$s->get_name());
- };
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %ls) {
- ::rptMsg(gmtime($t)." (UTC)");
- foreach my $item (@{$ls{$t}}) {
- ::rptMsg("\t$item");
- }
- }
- }
- else {
- ::rptMsg($key_path." does not appear to have any subkeys.")
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/logon_xp_run.pl b/thirdparty/rr/plugins/logon_xp_run.pl
deleted file mode 100644
index 831a5cd910..0000000000
--- a/thirdparty/rr/plugins/logon_xp_run.pl
+++ /dev/null
@@ -1,98 +0,0 @@
-#-----------------------------------------------------------
-# logon_xp_run
-# Get contents of Run key from Software hive
-#
-# References:
-# http://support.microsoft.com/kb/314488
-#
-# Note: Needs testing to see if it applies beyond XP/XP-64
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package logon_xp_run;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 12,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20080328);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Autostart - Get XP user logon Run key contents from NTUSER\.DAT hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching user_xp_run v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my %vals = getKeyValues($key);
- if (scalar(keys %vals) > 0) {
- foreach my $v (keys %vals) {
- ::rptMsg("\t".$v." -> ".$vals{$v});
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
-
-# my @sk = $key->get_list_of_subkeys();
-# if (scalar(@sk) > 0) {
-# foreach my $s (@sk) {
-# ::rptMsg("");
-# ::rptMsg($key_path."\\".$s->get_name());
-# ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
-# my %vals = getKeyValues($s);
-# foreach my $v (keys %vals) {
-# ::rptMsg("\t".$v." -> ".$vals{$v});
-# }
-# }
-# }
-# else {
-# ::rptMsg("");
-# ::rptMsg($key_path." has no subkeys.");
-# }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." 
not found.");
- }
-
-}
-
-sub getKeyValues {
- my $key = shift;
- my %vals;
-
- my @vk = $key->get_list_of_values();
- if (scalar(@vk) > 0) {
- foreach my $v (@vk) {
- next if ($v->get_name() eq "" && $v->get_data() eq "");
- $vals{$v->get_name()} = $v->get_data();
- }
- }
- else {
-# do nothing
- }
- return %vals;
-}
-
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/mountdev3.pl b/thirdparty/rr/plugins/mountdev3.pl
deleted file mode 100644
index ff4d4cfbf0..0000000000
--- a/thirdparty/rr/plugins/mountdev3.pl
+++ /dev/null
@@ -1,110 +0,0 @@
-#-----------------------------------------------------------
-# mountdev3.pl
-# Plugin for Registry Ripper; Access System hive file to get the
-# MountedDevices
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package mountdev3;
-use Math::BigInt;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20090909);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Return contents of System hive MountedDevices key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
-# ::logMsg("Launching mountdev3 v.".$VERSION);
- ::rptMsg("mountdev3 v.".$VERSION);
- ::rptMsg("Get MountedDevices key information from the System hive file.");
- ::rptMsg("");
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = 'MountedDevices';
- my $key;
- my %md;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $data = $v->get_data();
- my $len = length($data);
- if ($len == 12) {
- my $sig = _translateBinary(substr($data,0,4));
- my ($low,$high) = unpack("VV",substr($data,4,8));
- my $val64 = Math::BigInt->new($high)->blsft(32)->bxor($low);
- my $driveoffset = ($val64/512);
- ::rptMsg($v->get_name());
- ::rptMsg("\tDrive Signature = ".$sig);
- ::rptMsg("\tPartition offset = ".$driveoffset);
- }
- elsif ($len == 16) {
- ::rptMsg($v->get_name());
- ::rptMsg("\t".$data);
- }
- elsif ($len > 16) {
- $data =~ s/\00//g;
- push(@{$md{$data}},$v->get_name());
- }
- else {
- ::logMsg("mountdev v.".$VERSION."\tData 
length = $len");
- }
- }
-
- ::rptMsg("");
- foreach my $m (keys %md) {
- ::rptMsg("Device: ".$m);
- foreach my $item (@{$md{$m}}) {
- ::rptMsg("\t".$item);
- }
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-sub _translateBinary {
- my $str = unpack("H*",$_[0]);
- my $len = length($str);
- my @nstr = split(//,$str,$len);
- my @list = ();
- foreach (0..($len/2)) {
- push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
- }
- return join(' ',@list);
-}
-
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/notify.pl b/thirdparty/rr/plugins/notify.pl
deleted file mode 100644
index 8919b6dbd9..0000000000
--- a/thirdparty/rr/plugins/notify.pl
+++ /dev/null
@@ -1,79 +0,0 @@
-#-----------------------------------------------------------
-# notify.pl
-#
-#
-# Change History:
-# 20110309 - updated output format to sort entries based on
-# LastWrite time
-# 20110308 - created
-#
-# References
-# http://blogs.technet.com/b/markrussinovich/archive/2011/03/08/3392087.aspx
-#
-# copyright 2011 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package notify;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20110309);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get Notify subkey entries";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-my %notify;
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching notify v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("notify");
- ::rptMsg($key_path);
- ::rptMsg("");
- my @sk = $key->get_list_of_subkeys();
- if (scalar(@sk) > 0) {
- foreach my $s (@sk) {
- my $name = $s->get_name();
- my $lw = $s->get_timestamp();
- my $dll;
- eval {
- $dll = $s->get_value("DLLName")->get_data();
- push(@{$notify{$lw}},sprintf "%-15s %-25s",$name,$dll);
- };
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %notify) {
- ::rptMsg(gmtime($t)." UTC");
- foreach my $i (@{$notify{$t}}) {
- ::rptMsg(" ".$i);
- }
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/ntuser b/thirdparty/rr/plugins/ntuser
deleted file mode 100644
index f2d6b0a366..0000000000
--- a/thirdparty/rr/plugins/ntuser
+++ /dev/null
@@ -1,50 +0,0 @@
-# List of plugins for the Registry Ripper
-
-#-------------------------------------
-# NTUSER.DAT
-logonusername
-autoendtasks
-autorun
-acmru
-adoberdr
-aim
-applets
-comdlg32
-compdesc
-# The controlpanel plugin is intended for Vista systems only
-# User hives from systems prior to Vista will show 'not found'
-controlpanel
-listsoft
-logon_xp_run
-load
-mmc
-mndmru
-mp2
-mpmru
-mspaper
-officedocs
-oisc
-recentdocs
-realplayer6
-runmru
-tsclient
-ie_main
-ie_settings
-typedurls
-muicache
-#userassist
-userassist2
-user_run
-userlocsvc
-vncviewer
-winzip
-user_win
-winrar
-winlogon_u
-policies_u
-wallpaper
-vista_bitbucket
-shellfolders
-arpcache
-clampitm
-unreadmail
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/sam b/thirdparty/rr/plugins/sam
deleted file mode 100644
index 84568779ff..0000000000
--- a/thirdparty/rr/plugins/sam
+++ /dev/null
@@ -1,3 +0,0 @@
-#-------------------------------------
-# SAM
-samparse
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/security b/thirdparty/rr/plugins/security
deleted file mode 100644
index 233d63ca80..0000000000
--- a/thirdparty/rr/plugins/security
+++ /dev/null
@@ -1,4 +0,0 @@
-#-------------------------------------
-# Security
-polacdms
-auditpol
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/sevenzip.pl b/thirdparty/rr/plugins/sevenzip.pl
deleted file mode 100644
index cc90d31a16..0000000000
--- a/thirdparty/rr/plugins/sevenzip.pl
+++ /dev/null
@@ -1,83 +0,0 @@
-#-----------------------------------------------------------
-# sevenzip.pl
-# Google Toolbar Search History plugin
-#
-#
-# Change history
-# 20100218 - created
-#
-# References
-#
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package sevenzip;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100218);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets records of histories from 7-Zip keys";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- my %hist;
- ::logMsg("Launching 7-zip v.".$VERSION);
-
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\7-Zip';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
-
- eval {
- ::rptMsg("");
- my @arc = $key->get_subkey("Compression")->get_subkey("ArcHistory")->get_list_of_values();
- if (scalar @arc > 0) {
- ::rptMsg("Compression\\ArcHistory");
- foreach my $a (@arc) {
- ::rptMsg(" ".$a->get_name()." -> ".$a->get_data());
- }
- }
- };
- ::rptMsg("Error: ".$@) if ($@);
-
- eval {
- ::rptMsg("");
- my @arc = $key->get_subkey("Extraction")->get_subkey("PathHistory")->get_list_of_values();
- if (scalar @arc > 0) {
- ::rptMsg("Extraction\\PathHistory");
- foreach my $a (@arc) {
- ::rptMsg(" ".$a->get_name()." -> ".$a->get_data());
- }
- }
- };
- ::rptMsg("Error: ".$@) if ($@);
-
-
-
-
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/shellexec.pl b/thirdparty/rr/plugins/shellexec.pl
deleted file mode 100644
index 608bacac02..0000000000
--- a/thirdparty/rr/plugins/shellexec.pl
+++ /dev/null
@@ -1,118 +0,0 @@
-#-----------------------------------------------------------
-# shellexec
-# Get ShellExecuteHooks values from Software hive (based on BHO
-# code)
-#
-# ShellExecuteHooks are DLLs that load as part of the Explorer.exe process,
-# and can intercept commands. There are some legitimate applications that
-# run as ShellExecuteHooks, but many times, malware (spy-, ad-ware) will
-# install here. ShellExecuteHooks allow you to type a URL into the Start->Run
-# box and have that URL opened in your browser. For example, in 2001, Michael
-# Dunn wrote KBLaunch, a ShellExecuteHook that looked for "?q" in the Run box
-# and would open the appropriate MS KB article.
-#
-# Refs:
-# http://support.microsoft.com/kb/914922
-# http://support.microsoft.com/kb/170918
-# http://support.microsoft.com/kb/943460
-#
-# History:
-# 20081229 - initial creation
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package shellexec;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20081229);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets ShellExecuteHooks from Software hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- my %bhos;
- ::logMsg("Launching shellexec v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks";;
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar (@vals) > 0) {
- foreach my $s (@vals) {
- my $name = $s->get_name();
- next if ($name =~ m/^-/ || $name eq "");
- my $clsid_path = "Classes\\CLSID\\".$name;
- my $clsid;
- if ($clsid = $root_key->get_subkey($clsid_path)) {
- my $class;
- my $mod;
- my $lastwrite;
-
- eval {
- $class = $clsid->get_value("")->get_data();
- $bhos{$name}{class} = $class;
- };
- if ($@) {
- ::logMsg("\tError getting Class name for CLSID\\".$name);
- ::logMsg("\t".$@);
- }
- eval {
- $mod = $clsid->get_subkey("InProcServer32")->get_value("")->get_data();
- $bhos{$name}{module} = $mod;
- };
- if ($@) {
- ::logMsg("\tError getting Module name for CLSID\\".$name);
- ::logMsg("\t".$@);
- }
- eval{
- $lastwrite = $clsid->get_subkey("InProcServer32")->get_timestamp();
- $bhos{$name}{lastwrite} = $lastwrite;
- };
- if ($@) {
- ::logMsg("\tError getting LastWrite time for CLSID\\".$name);
- ::logMsg("\t".$@);
- }
-
- foreach my $b (keys %bhos) {
- ::rptMsg($b);
- ::rptMsg("\tClass => ".$bhos{$b}{class});
- ::rptMsg("\tModule => ".$bhos{$b}{module});
- ::rptMsg("\tLastWrite => ".gmtime($bhos{$b}{lastwrite}));
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($clsid_path." not found.");
- ::rptMsg("");
- ::logMsg($clsid_path." not found.");
- }
- }
- }
- else {
- ::rptMsg($key_path." has no values. No ShellExecuteHooks installed.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/soft_run.pl b/thirdparty/rr/plugins/soft_run.pl
deleted file mode 100644
index 1c5e7a6d52..0000000000
--- a/thirdparty/rr/plugins/soft_run.pl
+++ /dev/null
@@ -1,97 +0,0 @@ -#----------------------------------------------------------- -# soft_run -# Get contents of Run key from Software hive -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package soft_run; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20080328); - -sub getConfig{return %config} - -sub getShortDescr { - return "Autostart - get Run key contents from Software hive"; -} -sub getDescr{} -sub getRefs { - my %refs = ("Definition of the Run keys in the WinXP Registry" => - "http://support.microsoft.com/kb/314866"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching soft_run v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Run"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my %vals = getKeyValues($key); - if (scalar(keys %vals) > 0) { - foreach my $v (keys %vals) { - ::rptMsg("\t".$v." -> ".$vals{$v}); - } - } - else { - ::rptMsg($key_path." has no values."); - } - - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - ::rptMsg(""); - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); - my %vals = getKeyValues($s); - foreach my $v (keys %vals) { - ::rptMsg("\t".$v." -> ".$vals{$v}); - } - } - } - else { - ::rptMsg(""); - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } - -} - -sub getKeyValues { - my $key = shift; - my %vals; - - my @vk = $key->get_list_of_values(); - if (scalar(@vk) > 0) { - foreach my $v (@vk) { - next if ($v->get_name() eq "" && $v->get_data() eq ""); - $vals{$v->get_name()} = $v->get_data(); - } - } - else { - - } - return %vals; -} - -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/software b/thirdparty/rr/plugins/software deleted file mode 100644 index 144bfaf466..0000000000 --- a/thirdparty/rr/plugins/software +++ /dev/null @@ -1,36 +0,0 @@ -#------------------------------------- -# Software -winver -win_cv -winnt_cv -defbrowser -ie_version -banner -bitbucket -macaddr -cmd_shell -soft_run -networkcards -ssid -appinitdlls -bho -shellexec -imagefile -port_dev -userinit -winlogon -profilelist -specaccts -mrt -svchost -snapshot -sfc -uninstall -installedcomp -shelloverlay -msis -shellexec -apppaths -drwatson -schedagent -kb950582 \ No newline at end of file diff --git a/thirdparty/rr/plugins/taskman.pl b/thirdparty/rr/plugins/taskman.pl deleted file mode 100644 index 3a6b212a59..0000000000 --- a/thirdparty/rr/plugins/taskman.pl +++ /dev/null 
@@ -1,61 +0,0 @@ -#----------------------------------------------------------- -# taskman.pl -# Get Taskman value from Winlogon -# -# References -# http://www.geoffchappell.com/viewer.htm?doc=notes/windows/shell/explorer/ -# taskman.htm&tx=3,5-7,12;4&ts=0,19 -# http://technet.microsoft.com/en-us/library/cc957402.aspx -# -# Change History: -# 20091116 - created -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package taskman; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets Taskman from HKLM\\..\\Winlogon"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching taskman v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - if (my $key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - - eval { - ::rptMsg(""); - my $task = $key->get_value("Taskman")->get_data(); - ::rptMsg("Taskman value = ".$task); - }; - if ($@) { - ::rptMsg("Taskman value not found."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/uninstall.pl b/thirdparty/rr/plugins/uninstall.pl deleted file mode 100644 index 71975fd388..0000000000 --- a/thirdparty/rr/plugins/uninstall.pl +++ /dev/null 
@@ -1,89 +0,0 @@ -#----------------------------------------------------------- -# uninstall.pl -# Gets contents of Uninstall key from Software hive; sorts -# display names based on key LastWrite time -# -# References: -# http://support.microsoft.com/kb/247501 -# http://support.microsoft.com/kb/314481 -# http://msdn.microsoft.com/en-us/library/ms954376.aspx -# -# Change History: -# 20100116 - Minor updates -# 20090413 - Extract DisplayVersion info -# 20090128 - Added references -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package uninstall; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets contents of Uninstall key from Software hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching uninstall v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Uninstall'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Uninstall"); - ::rptMsg($key_path); - ::rptMsg(""); - - my %uninst; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $lastwrite = $s->get_timestamp(); - my $display; - eval { - $display = $s->get_value("DisplayName")->get_data(); - }; - $display = $s->get_name() if ($display eq ""); - - my $ver; - eval { - $ver = $s->get_value("DisplayVersion")->get_data(); - }; - $display .= " v\.".$ver unless ($@); - - push(@{$uninst{$lastwrite}},$display); - } - foreach my $t (reverse sort {$a <=> $b} keys %uninst) { - ::rptMsg(gmtime($t)." 
(UTC)"); - foreach my $item (@{$uninst{$t}}) { - ::rptMsg("\t$item"); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/usb.pl b/thirdparty/rr/plugins/usb.pl deleted file mode 100644 index 2a4c438c7c..0000000000 --- a/thirdparty/rr/plugins/usb.pl +++ /dev/null 
@@ -1,111 +0,0 @@ -#----------------------------------------------------------- -# usb -# Similar to usbstor plugin, but prints output in .csv format; -# also checks MountedDevices keys -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package usb; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080825); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USB subkeys info; csv output"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $reg; - -sub pluginmain { - my $class = shift; - my $hive = shift; - $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." 
not found."); - return; - } - - my $name_path = $ccs."\\Control\\ComputerName\\ComputerName"; - my $comp_name; - eval { - $comp_name = $root_key->get_subkey($name_path)->get_value("ComputerName")->get_data(); - }; - $comp_name = "Test" if ($@); - - my $key_path = $ccs."\\Enum\\USB"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $dev_class = $s->get_name(); - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $k (@sk) { - my $serial = $k->get_name(); - my $sn_lw = $k->get_timestamp(); - my $str = $comp_name.",".$dev_class.",".$serial.",".$sn_lw; - - my $loc; - eval { - $loc = $k->get_value("LocationInformation")->get_data(); - $str .= ",".$loc; - }; - $str .= ", " if ($@); - - - my $friendly; - eval { - $friendly = $k->get_value("FriendlyName")->get_data(); - $str .= ",".$friendly; - }; - $str .= ", " if ($@); - - my $parent; - eval { - $parent = $k->get_value("ParentIdPrefix")->get_data(); - $str .= ",".$parent; - }; - - - ::rptMsg($str); - } - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/user_run.pl b/thirdparty/rr/plugins/user_run.pl deleted file mode 100644 index f982cfde9a..0000000000 --- a/thirdparty/rr/plugins/user_run.pl +++ /dev/null 
@@ -1,102 +0,0 @@ -#----------------------------------------------------------- -# user_run -# Get contents of Run key from Software hive -# -# References: -# http://msdn2.microsoft.com/en-us/library/aa376977.aspx -# http://support.microsoft.com/kb/170086 -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package user_run; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20080328); - -sub getConfig{return %config} - -sub getShortDescr { - return "Autostart - get Run key contents from NTUSER\.DAT hive"; -} -sub getDescr{} -sub getRefs { - my %refs = ("Definition of the Run keys in the WinXP Registry" => - "http://support.microsoft.com/kb/314866"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching user_run v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my %vals = getKeyValues($key); - if (scalar(keys %vals) > 0) { - foreach my $v (keys %vals) { - ::rptMsg("\t".$v." -> ".$vals{$v}); - } - } - else { - ::rptMsg($key_path." has no values."); - } - - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - ::rptMsg(""); - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); - my %vals = getKeyValues($s); - foreach my $v (keys %vals) { - ::rptMsg("\t".$v." -> ".$vals{$v}); - } - } - } - else { - ::rptMsg(""); - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::logMsg($key_path." not found."); - } - -} - -sub getKeyValues { - my $key = shift; - my %vals; - - my @vk = $key->get_list_of_values(); - if (scalar(@vk) > 0) { - foreach my $v (@vk) { - next if ($v->get_name() eq "" && $v->get_data() eq ""); - $vals{$v->get_name()} = $v->get_data(); - } - } - else { - - } - return %vals; -} - -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/userassist.pl b/thirdparty/rr/plugins/userassist.pl deleted file mode 100644 index d523444e85..0000000000 --- a/thirdparty/rr/plugins/userassist.pl +++ /dev/null 
@@ -1,86 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# userassist.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# UserAssist values -# -# Change history -# 20080726 - added reference to help examiner understand Control -# Panel entries found in output -# 20080301 - updated to include run count along with date -# -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package userassist; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080726); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of UserAssist Active Desktop key"; -} -sub getDescr{} -sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching UserAssist (Active Desktop) v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\'. - '{75048700-EF1F-11D0-9888-006097DEACF9}\\Count'; - my $key; - my %ua; - my $hrzr = "HRZR"; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("UserAssist (Active Desktop)"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $value_name = $v->get_name(); - my $data = $v->get_data(); - if (length($data) == 16) { - my ($session,$count,$val1,$val2) = unpack("V*",$data); - if ($val2 != 0) { - my $time_value = ::getTime($val1,$val2); - if ($value_name =~ m/^$hrzr/) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - } - $count -= 5 if ($count > 5); - push(@{$ua{$time_value}},$value_name." (".$count.")"); - } - } - } - foreach my $t (reverse sort {$a <=> $b} keys %ua) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$ua{$t}}) { - ::rptMsg("\t$item"); - } - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/userinit.pl b/thirdparty/rr/plugins/userinit.pl deleted file mode 100644 index b6664b8626..0000000000 --- a/thirdparty/rr/plugins/userinit.pl +++ /dev/null 
@@ -1,63 +0,0 @@ -#----------------------------------------------------------- -# userinit -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package userinit; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20080328); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets UserInit value"; -} -sub getDescr{} -sub getRefs { - my %refs = ("My Documents open at startup" => - "http://support.microsoft.com/kb/555294", - "Userinit" => - "http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/12330.mspx?mfr=true"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching userinit v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $ui; - eval { - $ui = $key->get_value("Userinit")->get_data(); - ::rptMsg("\tUserinit -> ".$ui); - }; - ::rptMsg("Error: ".$@) if ($@); - ::rptMsg(""); - ::rptMsg("Per references, content should be %SystemDrive%\\system32\\userinit.exe,"); - ::rptMsg(""); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/vista_comdlg32.pl b/thirdparty/rr/plugins/vista_comdlg32.pl deleted file mode 100644 index d20b8fb89d..0000000000 --- a/thirdparty/rr/plugins/vista_comdlg32.pl +++ /dev/null 
@@ -1,145 +0,0 @@ -#----------------------------------------------------------- -# vista_comdlg32.pl -# Plugin for Registry Ripper -# -# Change history -# 20090821 - created -# -# References -# -# -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package vista_comdlg32; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090821); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of Vista user's ComDlg32 key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching vista_comdlg32 v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("vista_comdlg32 v.".$VERSION); - ::rptMsg("**All values listed in MRU order."); - -# CIDSizeMRU - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\CIDSizeMRU"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my %lvmru; - my @mrulist; - @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUListEx}) { - delete($lvmru{MRUListEx}); - foreach my $m (keys %lvmru) { - my $file = parseStr($lvmru{$m}); - my $str = sprintf "%-4s ".$file,$m; - ::rptMsg(" ".$str); - } - } - else { - ::rptMsg($key_path." does not have an MRUList value."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } - ::rptMsg(""); - -# LastVistedPidlMRU - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRU"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my %lvmru; - my @mrulist; - @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUListEx}) { - delete($lvmru{MRUListEx}); - foreach my $m (keys %lvmru) { - my $file = parseStr($lvmru{$m}); - my $str = sprintf "%-4s ".$file,$m; - ::rptMsg(" ".$str); - } - } - else { - ::rptMsg($key_path." does not have an MRUList value."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - - -} - -sub parseStr { - my $data = $_[0]; - my $temp; - my $tag = 1; - my $ofs = 0; - - while ($tag) { - my $t = substr($data,$ofs,2); - if (unpack("v",$t) == 0x00) { - $tag = 0; - } - else { - $temp .= $t; - $ofs += 2; - } - } - $temp =~ s/\00//g; - return $temp; -} -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/vista_wireless.pl b/thirdparty/rr/plugins/vista_wireless.pl deleted file mode 100644 index f6b74bcf7a..0000000000 --- a/thirdparty/rr/plugins/vista_wireless.pl +++ /dev/null 
@@ -1,80 +0,0 @@ -#----------------------------------------------------------- -# vista_wireless -# -# Get Wireless info from Vista systems -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package vista_wireless; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090514); - -sub getConfig{return %config} -sub getShortDescr { - return "Get Vista Wireless Info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $error; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching vista_wireless v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $lastwrite = $s->get_timestamp(); - - my $nametype; - eval { - $nametype = $s->get_value("NameType")->get_data(); - }; - if ($@) { - - } - else { - if ($nametype == 0x47) { - my $profilename; - my $descr; - eval { - ::rptMsg("LastWrite = ".gmtime($lastwrite)." Z"); - $profilename = $s->get_value("ProfileName")->get_data(); - $descr = $s->get_value("Description")->get_data(); - ::rptMsg(" ".$profilename." [".$descr."]"); - - }; - } - } - - - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/win7_ua.pl b/thirdparty/rr/plugins/win7_ua.pl deleted file mode 100644 index be2ea1afa8..0000000000 --- a/thirdparty/rr/plugins/win7_ua.pl +++ /dev/null 
@@ -1,140 +0,0 @@ -#----------------------------------------------------------- -# win7_ua.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package win7_ua; -use strict; -my $vignerekey = "BWHQNKTEZYFSLMRGXADUJOPIVC"; -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090121); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get Win7 UserAssist data"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching win7_ua v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @subkeys = $key->get_list_of_subkeys(); - - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - print $s->get_name()."\n"; - - my @vals = $s->get_subkey("Count")->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = decrypt_string($v->get_name(),$vignerekey); - my $data = $v->get_data(); - ::rptMsg(" ".$name); - if (length($data) == 72) { - my %vals = parseData($data); - ::rptMsg(" Counter 1 = ".$vals{counter1}); - ::rptMsg(" Counter 2 = ".$vals{counter2}); - ::rptMsg(" Runtime = ".$vals{runtime}." ms"); - ::rptMsg(" Last Run = ".$vals{lastrun}); - ::rptMsg(" MRU = ".$vals{mru}); - } - } - - } - else { - ::rptMsg($key_path."\\".$s->get_name()." has no values."); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} -1; - -sub decrypt_string{ -# decrypts a full string of ciphertext, given the ciphertext and the key. -# returns the plaintext string. - my ($ciphertext, $key) = @_; - my $plaintext; - my @plain; - - $key = $key x (length($ciphertext) / length($key) + 1); - - my @cipherletters = split(//,$ciphertext); - foreach my $i (0..(scalar(@cipherletters) - 1)) { -# print "Cipher letter => ".$cipherletters[$i]."\n"; - if ($cipherletters[$i] =~ m/\w/ && !($cipherletters[$i] =~ m/\d/)) { -# print "Decrypting ".$cipherletters[$i]." with ".(substr($key,$i,1))."\n"; - $plain[$i] = decrypt_letter($cipherletters[$i], (substr($key,$i,1))); - } - else { - $plain[$i] = $cipherletters[$i]; - } - } - -# for( my $i=0; $i= 65 && ord($cipher) <= 90); - -# in row n, plaintext is ciphertext - n, mod 26. - $row = ord(lc($row)) - ord('a'); # enable mod 26 - $cipher = ord(lc($cipher)) - ord('a'); # enable mod 26 - $plain = ($cipher - $row) % 26; - $plain = chr($plain + ord('a')); - - $plain = uc($plain) if ($upper == 1); - return $plain; -} - -sub parseData { - my $data = shift; - my %vals; - - $vals{counter1} = unpack("V",substr($data,4,4)); - $vals{counter2} = unpack("V",substr($data,8,4)); - $vals{runtime} = unpack("V",substr($data,12,4)); - my @a = unpack("VV",substr($data,60,8)); - my $t = ::getTime($a[0],$a[1]); - ($t == 0) ? ($vals{lastrun} = 0) : ($vals{lastrun} = gmtime($t)); - - $vals{mru} = unpack("V",substr($data,68,4)); - return %vals; - -} \ No newline at end of file diff --git a/thirdparty/rr/plugins/winlogon.pl b/thirdparty/rr/plugins/winlogon.pl deleted file mode 100644 index 6808f3e278..0000000000 --- a/thirdparty/rr/plugins/winlogon.pl +++ /dev/null 
@@ -1,98 +0,0 @@ -#----------------------------------------------------------- -# WinLogon -# Get values from WinLogon key -# -# History -# 20100219 - Updated output to better present some data -# 20080415 - created -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package winlogon; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100219); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get values from the WinLogon key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winlogon v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %wl; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - my $len = length($data); - next if ($name eq ""); - if ($v->get_type() == 3 && $name ne "DCacheUpdate") { - $data = _translateBinary($data); - } - - $data = sprintf "0x%x",$data if ($name eq "SfcQuota"); - if ($name eq "DCacheUpdate") { - my @v = unpack("VV",$data); - $data = gmtime(::getTime($v[0],$v[1])); - } - - push(@{$wl{$len}},$name." = ".$data); - } - - foreach my $t (sort {$a <=> $b} keys %wl) { - foreach my $item (@{$wl{$t}}) { - ::rptMsg(" $item"); - } - } - - ::rptMsg(""); - ::rptMsg("Analysis Tips: The UserInit and Shell values are executed when a user logs on."); - - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." 
has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} -1; \ No newline at end of file diff --git a/thirdparty/rr/plugins/winlogon_u.pl b/thirdparty/rr/plugins/winlogon_u.pl deleted file mode 100644 index f2355efe83..0000000000 --- a/thirdparty/rr/plugins/winlogon_u.pl +++ /dev/null 
@@ -1,90 +0,0 @@ -#----------------------------------------------------------- -# winlogon_u -# Get values from user's WinLogon key -# -# Change History: -# 20091021 - created -# -# References: -# http://support.microsoft.com/kb/119941 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winlogon_u; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091021); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get values from the user's WinLogon key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winlogon_u v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %wl; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - my $len = length($data); - next if ($name eq ""); - if ($v->get_type() == 3) { - $data = _translateBinary($data); - } - push(@{$wl{$len}},$name." = ".$data); - } - - foreach my $t (sort {$a <=> $b} keys %wl) { - foreach my $item (@{$wl{$t}}) { - ::rptMsg(" $item"); - } - } - - ::rptMsg(""); - ::rptMsg("Analysis Tip: Existence of RunGrpConv = 1 value may indicate that the"); - ::rptMsg(" system had been infected with Bredolab (Symantec)."); - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} -1; \ No newline at end of file diff --git a/thirdparty/rr/rip.exe b/thirdparty/rr/rip.exe deleted file mode 100644 index 6ecc7fec59..0000000000 Binary files a/thirdparty/rr/rip.exe and /dev/null differ diff --git a/thirdparty/rr/rr.exe b/thirdparty/rr/rr.exe deleted file mode 100644 index 0a89f5b83c..0000000000 Binary files a/thirdparty/rr/rr.exe and /dev/null differ