Merge remote-tracking branch 'upstream/master'

This commit is contained in:
Richard Cordovano 2013-07-19 12:50:32 -04:00
commit d1f6036fc1
373 changed files with 36858 additions and 20425 deletions


@ -194,9 +194,9 @@ public class Case {
} }
/** /**
* Creates a new case (create the XML config file and the directory) * Creates a new case (create the XML config file and database)
* *
* @param caseDir the base directory where the configuration file is saved * @param caseDir The directory to store case data in. Will be created if it doesn't already exist. If it exists, it should have all of the needed sub dirs that createCaseDirectory() will create.
* @param caseName the name of case * @param caseName the name of case
* @param caseNumber the case number * @param caseNumber the case number
* @param examiner the examiner for this case * @param examiner the examiner for this case
@ -204,6 +204,11 @@ public class Case {
public static void create(String caseDir, String caseName, String caseNumber, String examiner) throws CaseActionException { public static void create(String caseDir, String caseName, String caseNumber, String examiner) throws CaseActionException {
logger.log(Level.INFO, "Creating new case.\ncaseDir: {0}\ncaseName: {1}", new Object[]{caseDir, caseName}); logger.log(Level.INFO, "Creating new case.\ncaseDir: {0}\ncaseName: {1}", new Object[]{caseDir, caseName});
// create case directory if it doesn't already exist.
if (new File(caseDir).exists() == false) {
Case.createCaseDirectory(caseDir);
}
String configFilePath = caseDir + File.separator + caseName + CASE_DOT_EXTENSION; String configFilePath = caseDir + File.separator + caseName + CASE_DOT_EXTENSION;
XMLCaseManagement xmlcm = new XMLCaseManagement(); XMLCaseManagement xmlcm = new XMLCaseManagement();
@ -775,12 +780,22 @@ public class Case {
/** /**
* to create the case directory * to create the case directory
* *
* @param caseDir the case directory path * @param caseDir Path to the case directory (typically base + case name)
* @param caseName the case name * @param caseName the case name (used only for error messages)
* @throws CaseActionException throw if could not create the case dir * @throws CaseActionException throw if could not create the case dir
* @Deprecated
*/ */
static void createCaseDirectory(String caseDir, String caseName) throws CaseActionException { static void createCaseDirectory(String caseDir, String caseName) throws CaseActionException {
boolean result = false; createCaseDirectory(caseDir);
}
/**
* Create the case directory and its needed subfolders.
*
* @param caseDir Path to the case directory (typically base + case name)
* @throws CaseActionException throw if could not create the case dir
*/
static void createCaseDirectory(String caseDir) throws CaseActionException {
File caseDirF = new File(caseDir); File caseDirF = new File(caseDir);
if (caseDirF.exists()) { if (caseDirF.exists()) {
@ -792,7 +807,7 @@ public class Case {
} }
try { try {
result = (caseDirF).mkdirs(); // create root case Directory boolean result = (caseDirF).mkdirs(); // create root case Directory
if (result == false) { if (result == false) {
throw new CaseActionException("Cannot create case dir: " + caseDir); throw new CaseActionException("Cannot create case dir: " + caseDir);
} }
@ -804,17 +819,17 @@ public class Case {
&& (new File(caseDir + File.separator + XMLCaseManagement.CACHE_FOLDER_RELPATH)).mkdir(); && (new File(caseDir + File.separator + XMLCaseManagement.CACHE_FOLDER_RELPATH)).mkdir();
if (result == false) { if (result == false) {
throw new CaseActionException("Could not create case directory: " + caseDir + " for case: " + caseName); throw new CaseActionException("Could not create case directory: " + caseDir );
} }
final String modulesOutDir = caseDir + File.separator + getModulesOutputDirRelPath(); final String modulesOutDir = caseDir + File.separator + getModulesOutputDirRelPath();
result = new File(modulesOutDir).mkdir(); result = new File(modulesOutDir).mkdir();
if (result == false) { if (result == false) {
throw new CaseActionException("Could not create modules output directory: " + modulesOutDir + " for case: " + caseName); throw new CaseActionException("Could not create modules output directory: " + modulesOutDir );
} }
} catch (Exception e) { } catch (Exception e) {
throw new CaseActionException("Could not create case directory: " + caseDir + " for case: " + caseName, e); throw new CaseActionException("Could not create case directory: " + caseDir , e);
} }
} }
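Review bot: The case name is still concatenated into a filesystem path on the `String configFilePath = caseDir + File.separator + caseName + CASE_DOT_EXTENSION;` line with no check that it is a plain file name, so a name containing a separator or `..` would place the config file outside `caseDir`; the wizard may reject such names, but nothing in this section does. A one-line guard before the new directory-creation block would close it: `if (caseName.contains("/") || caseName.contains("\\") || caseName.contains("..")) throw new CaseActionException("Invalid case name: " + caseName);`. The new `exists()` check also means an existing `caseDir` is trusted to already hold the sub-directories the Javadoc mentions, but nothing verifies that before the config file is written. Separately, the `@Deprecated` at the end of the Javadoc on the two-argument `createCaseDirectory` is a comment tag rather than an annotation — use `@deprecated` in the Javadoc and put `@Deprecated` on the method declaration so callers get the compiler warning. Both `create()` and `createCaseDirectory()` continue past the hunk boundaries.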


@ -228,7 +228,7 @@ class NewCaseWizardPanel1 implements WizardDescriptor.ValidatingPanel<WizardDesc
if (res2 != null && res2 == DialogDescriptor.YES_OPTION) { if (res2 != null && res2 == DialogDescriptor.YES_OPTION) {
// if user say yes // if user say yes
try { try {
createDirectory(caseDirPath, caseName); createDirectory(caseDirPath);
} catch (Exception ex) { } catch (Exception ex) {
String errorMsg = "Error: Couldn't create case parent directory " + caseParentDir; String errorMsg = "Error: Couldn't create case parent directory " + caseParentDir;
logger.log(Level.WARNING, errorMsg, ex); logger.log(Level.WARNING, errorMsg, ex);
@ -241,7 +241,7 @@ class NewCaseWizardPanel1 implements WizardDescriptor.ValidatingPanel<WizardDesc
} }
} else { } else {
try { try {
createDirectory(caseDirPath, caseName); createDirectory(caseDirPath);
} catch (Exception ex) { } catch (Exception ex) {
String errorMsg = "Error: Couldn't create directory."; String errorMsg = "Error: Couldn't create directory.";
logger.log(Level.WARNING, errorMsg, ex); logger.log(Level.WARNING, errorMsg, ex);
@ -264,11 +264,11 @@ class NewCaseWizardPanel1 implements WizardDescriptor.ValidatingPanel<WizardDesc
/* /*
* create the directory and create a new case * create the directory and create a new case
*/ */
private void createDirectory(final String caseDirPath, final String caseName) throws WizardValidationException { private void createDirectory(final String caseDirPath) throws WizardValidationException {
// try to create the directory with the case name in the choosen parent directory // try to create the directory with the case name in the choosen parent directory
boolean success = false; boolean success = false;
try { try {
Case.createCaseDirectory(caseDirPath, caseName); Case.createCaseDirectory(caseDirPath);
success = true; success = true;
} catch (CaseActionException ex) { } catch (CaseActionException ex) {
logger.log(Level.SEVERE, "Could not createDirectory for the case, ", ex); logger.log(Level.SEVERE, "Could not createDirectory for the case, ", ex);
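Review bot: The comment above `private void createDirectory(final String caseDirPath)` still says the directory is created "with the case name", which this change no longer passes in, and "choosen" is misspelt; suggest `// try to create the case directory (caseDirPath already includes the case name) in the chosen parent directory`. The two call sites report different messages for the same failure (`Couldn't create case parent directory` versus `Couldn't create directory.`); that predates this change, but since both lines are touched, aligning them would help whoever reads the log. The enclosing methods start and end outside the hunks.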


@ -197,7 +197,8 @@ public class FileManager implements Closeable {
} }
/** /**
* Interface for receiving notifications on folders being added via a callback * Interface for receiving notifications on folders being added via a
* callback
*/ */
public interface FileAddProgressUpdater { public interface FileAddProgressUpdater {
@ -304,12 +305,18 @@ public class FileManager implements Closeable {
if (isDir) { if (isDir) {
//create virtual folder //create virtual folder
final VirtualDirectory childVd = tskCase.addVirtualDirectory(parentVd.getId(), childLocalFile.getName()); final VirtualDirectory childVd = tskCase.addVirtualDirectory(parentVd.getId(), childLocalFile.getName());
if (childVd != null && addProgressUpdater != null ) { if (childVd != null && addProgressUpdater != null) {
addProgressUpdater.fileAdded(childVd); addProgressUpdater.fileAdded(childVd);
} }
//add children recursively //add children recursively
for (java.io.File childChild : childLocalFile.listFiles()) { final java.io.File[] childrenFiles = childLocalFile.listFiles();
addLocalDirectoryRecInt(childVd, childChild, addProgressUpdater); if (childrenFiles != null) {
for (java.io.File childChild : childrenFiles) {
addLocalDirectoryRecInt(childVd, childChild, addProgressUpdater);
}
} else {
//add leaf file, base case
this.addLocalFileSingle(childLocalFile.getAbsolutePath(), parentVd);
} }
} else { } else {
//add leaf file, base case //add leaf file, base case
@ -428,7 +435,7 @@ public class FileManager implements Closeable {
* closed * closed
* *
*/ */
private synchronized LocalFile addLocalFileSingle(String localAbsPath, AbstractFile parentFile ) throws TskCoreException { private synchronized LocalFile addLocalFileSingle(String localAbsPath, AbstractFile parentFile) throws TskCoreException {
if (tskCase == null) { if (tskCase == null) {
throw new TskCoreException("Attempted to use FileManager after it was closed."); throw new TskCoreException("Attempted to use FileManager after it was closed.");
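Review bot: The new `else` branch taken when `childrenFiles == null` runs after `childVd` has already been added as a virtual directory a few lines above, so an unreadable directory (`listFiles()` returns null on permission or I/O errors, and `isDir` is already true on this path) is recorded twice — once as a directory and once, via `addLocalFileSingle`, as if it were a file. Logging and skipping is safer: `logger.log(Level.WARNING, "Cannot list contents of local directory {0}, skipping", childLocalFile.getAbsolutePath());` — assuming the class has a logger, which this hunk does not show. Recursing through `listFiles()` also follows symbolic links, so a link cycle in the source tree would recurse without bound; comparing canonical paths before descending, or refusing symlinked directories, is worth considering for a tool that ingests arbitrary evidence trees. `addLocalDirectoryRecInt` starts before the hunk.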


@ -348,6 +348,11 @@ public class DataContentViewerArtifact extends javax.swing.JPanel implements Dat
outputViewPane.setContentType("text/html"); outputViewPane.setContentType("text/html");
} }
/**
* Display a single artifact from a list.
* @param artifacts List of artifacts that could be displayed
* @param offset Index into the list for the artifact to display
*/
private void setDataView(List<BlackboardArtifact> artifacts, int offset) { private void setDataView(List<BlackboardArtifact> artifacts, int offset) {
// change the cursor to "waiting cursor" for this operation // change the cursor to "waiting cursor" for this operation
this.setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR)); this.setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR));
@ -377,6 +382,10 @@ public class DataContentViewerArtifact extends javax.swing.JPanel implements Dat
this.setCursor(null); this.setCursor(null);
} }
/**
* Set the displayed artifact to the specified one.
* @param artifact Artifact to display
*/
private void setSelectedArtifact(BlackboardArtifact artifact) { private void setSelectedArtifact(BlackboardArtifact artifact) {
if(artifacts.contains(artifact)) { if(artifacts.contains(artifact)) {
int index = artifacts.indexOf(artifact); int index = artifacts.indexOf(artifact);


@ -141,6 +141,27 @@ public class PlatformUtil {
public static File getUserDirectory() { public static File getUserDirectory() {
return Places.getUserDirectory(); return Places.getUserDirectory();
} }
/**
* Get RCP project dirs
* @return
*/
public static List<String> getProjectsDirs() {
List<String> ret = new ArrayList<String>();
String projectDir = System.getProperty("netbeans.dirs");
if (projectDir == null) {
return ret;
}
String [] split = projectDir.split(";");
if (split == null || split.length == 0) {
return ret;
}
for (String path : split) {
ret.add(path);
}
return ret;
}
/** /**
* Get user config directory path * Get user config directory path
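Review bot: `projectDir.split(";")` hard-codes the Windows path-list separator; if `netbeans.dirs` is assembled with the platform separator (as the NetBeans launcher does on Unix, where it is `:`), this returns one element holding the whole list and the module loader that consumes it will look for `<whole list>/modules`. `String.split` never returns null, so the `split == null` test is dead, and empty entries from a trailing separator are added as-is. Suggested loop: `for (String path : projectDir.split(File.pathSeparator)) { if (!path.isEmpty()) { ret.add(path); } }`. The `@return` tag is empty — `@return the entries of the netbeans.dirs system property, or an empty list if it is unset` would do.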


@ -1,7 +1,7 @@
/* /*
* Autopsy Forensic Browser * Autopsy Forensic Browser
* *
* Copyright 2011 Basis Technology Corp. * Copyright 2011-2013 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org * Contact: carrier <at> sleuthkit <dot> org
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
@ -33,8 +33,7 @@ import org.sleuthkit.datamodel.TskException;
/** /**
* StringContent object for a blackboard artifact, that can be looked up and used * StringContent object for a blackboard artifact, that can be looked up and used
* to display text for the DataContent viewers * to display text for the DataContent viewers. Displays values in artifact in HTML.
* @author alawrence
*/ */
public class ArtifactStringContent implements StringContent { public class ArtifactStringContent implements StringContent {
@ -54,21 +53,32 @@ public class ArtifactStringContent implements StringContent {
buffer.append("<head>"); buffer.append("<head>");
buffer.append("<style type='text/css'>"); buffer.append("<style type='text/css'>");
buffer.append("table {table-layout:fixed;}"); buffer.append("table {table-layout:fixed;}");
buffer.append("td {font-family:Arial;font-size:10pt;overflow:hidden;padding-right:5px;padding-left:5px;}"); buffer.append("td {font-family:Arial;font-size:12pt;overflow:hidden;padding-right:5px;padding-left:5px;}");
buffer.append("th {font-family:Arial;font-size:10pt;overflow:hidden;padding-right:5px;padding-left:5px;font-weight:bold;}"); buffer.append("th {font-family:Arial;font-size:12pt;overflow:hidden;padding-right:5px;padding-left:5px;font-weight:bold;}");
buffer.append("p {font-family:Arial;font-size:10pt;}"); buffer.append("p {font-family:Arial;font-size:12pt;}");
buffer.append("</style>"); buffer.append("</style>");
buffer.append("<meta http-equiv=\"Content-Type\" content=\"text/html); charset=utf-8\">");
buffer.append("</head>"); buffer.append("</head>");
// artifact name header
buffer.append("<h4>"); buffer.append("<h4>");
buffer.append(wrapped.getDisplayName()); buffer.append(wrapped.getDisplayName());
buffer.append("</h4>"); buffer.append("</h4>");
// start table for attributes
buffer.append("<table border='0'>"); buffer.append("<table border='0'>");
buffer.append("<tr>"); buffer.append("<tr>");
buffer.append("</tr>"); buffer.append("</tr>");
// cycle through each attribute and display in a row in the table.
for (BlackboardAttribute attr : wrapped.getAttributes()) { for (BlackboardAttribute attr : wrapped.getAttributes()) {
// name column
buffer.append("<tr><td>"); buffer.append("<tr><td>");
buffer.append(attr.getAttributeTypeDisplayName()); buffer.append(attr.getAttributeTypeDisplayName());
buffer.append("</td>"); buffer.append("</td>");
// value column
buffer.append("<td>"); buffer.append("<td>");
if (attr.getAttributeTypeID() == ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID() if (attr.getAttributeTypeID() == ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID()
|| attr.getAttributeTypeID() == ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID()) { || attr.getAttributeTypeID() == ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID()) {
@ -82,7 +92,12 @@ public class ArtifactStringContent implements StringContent {
} else { } else {
switch (attr.getValueType()) { switch (attr.getValueType()) {
case STRING: case STRING:
buffer.append(attr.getValueString()); String str = attr.getValueString();
str = str.replaceAll(" ", "&nbsp;");
str = str.replaceAll("<", "&lt;");
str = str.replaceAll(">", "&gt;");
str = str.replaceAll("(\r\n|\n)", "<br />");
buffer.append(str);
break; break;
case INTEGER: case INTEGER:
buffer.append(attr.getValueInt()); buffer.append(attr.getValueInt());
@ -113,16 +128,11 @@ public class ArtifactStringContent implements StringContent {
try { try {
path = content.getUniquePath(); path = content.getUniquePath();
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Except while calling Content.getUniquePath() on " + content); logger.log(Level.SEVERE, "Exception while calling Content.getUniquePath() on {0} : {1}", new Object[]{content, ex.getLocalizedMessage()});
} }
//add file path //add file path
buffer.append("<tr>");
buffer.append("<td>Source File</td>");
buffer.append("<td>");
buffer.append(content.getName());
buffer.append("</td>");
buffer.append("</tr>");
buffer.append("<tr>"); buffer.append("<tr>");
buffer.append("<td>Source File Path</td>"); buffer.append("<td>Source File Path</td>");
buffer.append("<td>"); buffer.append("<td>");
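Review bot: Only the `STRING` branch of the attribute loop is escaped, and it escapes `<` and `>` but not `&`, so a value such as `&lt;b&gt;` still reaches the viewer as markup; `wrapped.getDisplayName()`, `attr.getAttributeTypeDisplayName()`, the datetime branch and the source-path rows below the hunk are appended raw. These values come from the evidence under examination rather than from the examiner, so any of them can carry markup that hides or reorders what the viewer shows; a single escape helper applied at every `append` of artifact-derived text, with `&` handled first, is the robust fix and is sketched below. The new `<meta>` line also has a stray `)` — the content attribute should read `text/html; charset=utf-8`. The method that builds `buffer` extends beyond the hunk boundaries.
```java
// … unchanged: <html>/<head>/<style> construction …
buffer.append("<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">");
// … unchanged: </head> …
buffer.append("<h4>");
buffer.append(escapeHtml(wrapped.getDisplayName()));
buffer.append("</h4>");
// … unchanged: table start …
    buffer.append("<tr><td>");
    buffer.append(escapeHtml(attr.getAttributeTypeDisplayName()));
    buffer.append("</td>");
    // … unchanged: datetime branch, which should also go through escapeHtml …
    case STRING:
        buffer.append(escapeHtml(attr.getValueString()));
        break;
// … unchanged: other value types, source path rows (escape `path` the same way) …

/**
 * Escapes artifact-derived text for inclusion in the HTML view.
 * The text originates from the evidence, so it is treated as untrusted;
 * spaces and newlines are kept visible as the original code did.
 */
private static String escapeHtml(String s) {
    if (s == null) {
        return "";
    }
    String out = s.replace("&", "&amp;")   // must be first, so later entities are not doubled
                  .replace("<", "&lt;")
                  .replace(">", "&gt;")
                  .replace("\"", "&quot;")
                  .replace(" ", "&nbsp;");
    return out.replaceAll("(\r\n|\n)", "<br />");
}
```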


@ -30,7 +30,8 @@ import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskException; import org.sleuthkit.datamodel.TskException;
/** /**
* Node encapsulating blackboard artifact type * Node encapsulating blackboard artifact type. This is used on the left-hand navigation side of the Autopsy UI as the
* parent node for all of the artifacts of a given type. Its children will be BlackboardArtifactNode objects.
*/ */
public class ArtifactTypeNode extends DisplayableItemNode { public class ArtifactTypeNode extends DisplayableItemNode {
@ -82,6 +83,7 @@ public class ArtifactTypeNode extends DisplayableItemNode {
return v.visit(this); return v.visit(this);
} }
// @@@ TODO: Merge with BlackboartArtifactNode.getIcon()
private String getIcon(BlackboardArtifact.ARTIFACT_TYPE type) { private String getIcon(BlackboardArtifact.ARTIFACT_TYPE type) {
switch (type) { switch (type) {
case TSK_WEB_BOOKMARK: case TSK_WEB_BOOKMARK:


@ -36,7 +36,8 @@ import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskException; import org.sleuthkit.datamodel.TskException;
/** /**
* Node wrapping a blackboard artifact object * Node wrapping a blackboard artifact object. This represents a single artifact.
* Its parent is typically an ArtifactTypeNode.
*/ */
public class BlackboardArtifactNode extends DisplayableItemNode { public class BlackboardArtifactNode extends DisplayableItemNode {
@ -259,6 +260,7 @@ public class BlackboardArtifactNode extends DisplayableItemNode {
return null; return null;
} }
// @@@ TODO: Merge with ArtifactTypeNode.getIcon()
private String getIcon(BlackboardArtifact.ARTIFACT_TYPE type) { private String getIcon(BlackboardArtifact.ARTIFACT_TYPE type) {
switch (type) { switch (type) {
case TSK_WEB_BOOKMARK: case TSK_WEB_BOOKMARK:


@ -21,7 +21,8 @@ package org.sleuthkit.autopsy.datamodel;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
/** /**
* Parent of all Blackboard Artifacts to be displayed * Parent of the "extracted content" artifacts to be displayed in the tree. Other
* artifacts are displayed under other more specific parents.
*/ */
public class ExtractedContent implements AutopsyVisitableItem{ public class ExtractedContent implements AutopsyVisitableItem{


@ -1,7 +1,7 @@
/* /*
* Autopsy Forensic Browser * Autopsy Forensic Browser
* *
* Copyright 2011 Basis Technology Corp. * Copyright 2011-2013 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org * Contact: carrier <at> sleuthkit <dot> org
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
@ -18,41 +18,63 @@
*/ */
package org.sleuthkit.autopsy.datamodel; package org.sleuthkit.autopsy.datamodel;
import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.List; import java.util.List;
import java.util.logging.Level;
import org.openide.nodes.ChildFactory; import org.openide.nodes.ChildFactory;
import org.openide.nodes.Node; import org.openide.nodes.Node;
import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
/** /**
* * Creates the children for the ExtractedContent area of the results tree. This area
* has all of the blackboard artifacts that are not displayed in a more specific form elsewhere
* in the tree.
*/ */
public class ExtractedContentChildren extends ChildFactory<BlackboardArtifact.ARTIFACT_TYPE> { public class ExtractedContentChildren extends ChildFactory<BlackboardArtifact.ARTIFACT_TYPE> {
private SleuthkitCase skCase; private SleuthkitCase skCase;
private final ArrayList<BlackboardArtifact.ARTIFACT_TYPE> doNotShow;
public ExtractedContentChildren(SleuthkitCase skCase) { public ExtractedContentChildren(SleuthkitCase skCase) {
super(); super();
this.skCase = skCase; this.skCase = skCase;
// these are shown in other parts of the UI tree
doNotShow = new ArrayList();
//doNotShow.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO);
doNotShow.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG);
doNotShow.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT);
doNotShow.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT);
doNotShow.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT);
doNotShow.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_FILE);
} }
@Override @Override
protected boolean createKeys(List<BlackboardArtifact.ARTIFACT_TYPE> list) { protected boolean createKeys(List<BlackboardArtifact.ARTIFACT_TYPE> list) {
list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK); try {
list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE); List<BlackboardArtifact.ARTIFACT_TYPE> inUse = skCase.getBlackboardArtifactTypesInUse();
list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY); inUse.removeAll(doNotShow);
list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD); Collections.sort(inUse,
list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT); new Comparator<BlackboardArtifact.ARTIFACT_TYPE>() {
list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG); @Override
list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED); public int compare(BlackboardArtifact.ARTIFACT_TYPE a, BlackboardArtifact.ARTIFACT_TYPE b) {
list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY); return a.getDisplayName().compareTo(b.getDisplayName());
list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_METADATA_EXIF); }
});
list.addAll(inUse);
} catch (TskCoreException ex) {
Logger.getLogger(ExtractedContentChildren.class.getName()).log(Level.SEVERE, "Error getting list of artifacts in use: " + ex.getLocalizedMessage());
return false;
}
return true; return true;
} }
@Override @Override
protected Node createNodeForKey(BlackboardArtifact.ARTIFACT_TYPE key){ protected Node createNodeForKey(BlackboardArtifact.ARTIFACT_TYPE key){
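Review bot: The `catch (TskCoreException ex)` block logs only `ex.getLocalizedMessage()` concatenated into the message, so the stack trace is lost; pass the exception as the throwable argument instead: `Logger.getLogger(ExtractedContentChildren.class.getName()).log(Level.SEVERE, "Error getting list of artifacts in use", ex);`. `doNotShow = new ArrayList();` is a raw type in a file that otherwise uses generics — `new ArrayList<BlackboardArtifact.ARTIFACT_TYPE>()` (or an `EnumSet`, since the keys are enum constants) keeps the field type-safe. `inUse.removeAll(doNotShow)` mutates the list returned by `getBlackboardArtifactTypesInUse()`, which is fine only if that is a fresh list — this hunk cannot confirm it. `org.openide.util.Exceptions` is imported but not used in the visible code.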


@ -25,7 +25,7 @@ import org.openide.util.lookup.Lookups;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
/** /**
* Node for the extracted content * Node for the extracted content artifacts (artifacts that are not shown in more specific areas of the tree)
*/ */
public class ExtractedContentNode extends DisplayableItemNode { public class ExtractedContentNode extends DisplayableItemNode {


@ -442,6 +442,16 @@ public final class IngestModuleLoader {
//user modules //user modules
urls.addAll(getJarPaths(PlatformUtil.getUserModulesPath())); urls.addAll(getJarPaths(PlatformUtil.getUserModulesPath()));
// add other project dirs, such as from external modules
for (String projectDir : PlatformUtil.getProjectsDirs()) {
File modules = new File(projectDir + File.separator + "modules");
if (modules.exists()) {
urls.addAll(getJarPaths(modules.getAbsolutePath()));
}
}
return urls; return urls;
} }
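Review bot: `modules.exists()` is also true for a plain file named `modules`, so `isDirectory()` is the check the next line wants: `if (modules.isDirectory()) {`. This loop widens where ingest-module jars are loaded from to every `netbeans.dirs` entry, so the trust assumption deserves a comment: `// Every directory on netbeans.dirs is treated as trusted: jars under its modules/ are loaded as ingest modules.` If an entry overlaps the user modules path added just above, the same jar would be added to `urls` twice; whether `getJarPaths` or the caller deduplicates is not visible here. The enclosing method starts before the hunk.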


@ -34,8 +34,8 @@ import org.sleuthkit.autopsy.datamodel.KeyValue;
import org.sleuthkit.autopsy.keywordsearch.KeywordSearch.QueryType; import org.sleuthkit.autopsy.keywordsearch.KeywordSearch.QueryType;
/** /**
* Query manager responsible for running appropriate queries and displaying results * Query manager responsible for running appropriate queries and displaying
* for single, multi keyword queries, with detailed or collapsed results * results for single, multi keyword queries, with detailed or collapsed results
*/ */
public class KeywordSearchQueryManager { public class KeywordSearchQueryManager {
@ -59,7 +59,7 @@ public class KeywordSearchQueryManager {
public KeywordSearchQueryManager(String query, QueryType qt, Presentation presentation) { public KeywordSearchQueryManager(String query, QueryType qt, Presentation presentation) {
queries = new ArrayList<Keyword>(); queries = new ArrayList<Keyword>();
queries.add(new Keyword(query, qt==QueryType.REGEX?false:true)); queries.add(new Keyword(query, qt == QueryType.REGEX ? false : true));
this.presentation = presentation; this.presentation = presentation;
queryType = qt; queryType = qt;
init(); init();
@ -69,7 +69,7 @@ public class KeywordSearchQueryManager {
queries = new ArrayList<Keyword>(); queries = new ArrayList<Keyword>();
queries.add(new Keyword(query, isLiteral)); queries.add(new Keyword(query, isLiteral));
this.presentation = presentation; this.presentation = presentation;
queryType = isLiteral?QueryType.WORD:QueryType.REGEX; queryType = isLiteral ? QueryType.WORD : QueryType.REGEX;
init(); init();
} }
@ -112,15 +112,21 @@ public class KeywordSearchQueryManager {
//Collapsed view //Collapsed view
Collection<KeyValueQuery> things = new ArrayList<KeyValueQuery>(); Collection<KeyValueQuery> things = new ArrayList<KeyValueQuery>();
int queryID = 0; int queryID = 0;
StringBuilder queryConcat = new StringBuilder();
for (KeywordSearchQuery q : queryDelegates) { for (KeywordSearchQuery q : queryDelegates) {
Map<String, Object> kvs = new LinkedHashMap<String, Object>(); Map<String, Object> kvs = new LinkedHashMap<String, Object>();
final String queryStr = q.getQueryString(); final String queryStr = q.getQueryString();
queryConcat.append(queryStr).append(" ");
things.add(new KeyValueQuery(queryStr, kvs, ++queryID, q)); things.add(new KeyValueQuery(queryStr, kvs, ++queryID, q));
} }
Node rootNode = null; Node rootNode = null;
DataResultTopComponent searchResultWin = DataResultTopComponent.createInstance("Keyword search " + (++resultWindowCount)); String queryConcatStr = queryConcat.toString();
final int queryConcatStrLen = queryConcatStr.length();
final String queryStrShort = queryConcatStrLen > 15 ? queryConcatStr.substring(0, 14) + "..." : queryConcatStr;
final String windowTitle = "Keyword search " + (++resultWindowCount) + " - " + queryStrShort;
DataResultTopComponent searchResultWin = DataResultTopComponent.createInstance(windowTitle);
if (things.size() > 0) { if (things.size() > 0) {
Children childThingNodes = Children childThingNodes =
Children.create(new KeywordSearchResultFactory(queries, things, Presentation.COLLAPSE, searchResultWin), true); Children.create(new KeywordSearchResultFactory(queries, things, Presentation.COLLAPSE, searchResultWin), true);
@ -131,9 +137,9 @@ public class KeywordSearchQueryManager {
} }
final String pathText = "Keyword search"; final String pathText = "Keyword search";
DataResultTopComponent.initInstance(pathText, rootNode, things.size(), searchResultWin); DataResultTopComponent.initInstance(pathText, rootNode, things.size(), searchResultWin);
searchResultWin.requestActive(); searchResultWin.requestActive();
// } // }
} }
@ -152,7 +158,7 @@ public class KeywordSearchQueryManager {
} }
/** /**
* custom KeyValue that also stores query object to execute * custom KeyValue that also stores query object to execute
*/ */
class KeyValueQuery extends KeyValue { class KeyValueQuery extends KeyValue {
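Review bot: `queryConcat.append(queryStr).append(" ")` leaves a trailing space, so short titles end in a blank, and the truncation is inconsistent: a 15-character query is shown in full while a 16-character one is cut to 14 characters plus `...`. Trimming before measuring and keeping 15 characters fixes both: `String queryConcatStr = queryConcat.toString().trim();` and `queryConcatStr.substring(0, 15) + "..."`. Joining the terms with a separator that cannot occur in a keyword would also make multi-term titles readable, but the keyword syntax is not visible here. The enclosing method starts and ends outside the hunk.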


@ -1,3 +1,15 @@
---------------- VERSION Current (development) --------------
New features:
Improvements:
Bugfixes:
---------------- VERSION 3.0.6 -------------- ---------------- VERSION 3.0.6 --------------
New features: New features:


@ -0,0 +1,60 @@
RegRipper FAQ
This is the FAQ for the RegRipper.
1. What is the RegRipper?
I should start by saying what the RegRipper is *not*...it's not
a Registry Viewer. An examiner would not open a Registry hive file
in RegRipper to "look around".
Further, RegRipper is NOT intended for use with live hive files. Hive
files need to be extracted from a case (or from a live system using FTK
Imager...), or accessible via a tool such as Mount Image Pro.
RegRipper is a Windows Registry data extractor. RegRipper uses plugins
(similar to Nessus) to access specific Registry hive files in order to
access and extract specific keys, values, and data, and does so by
bypassing the Win32API.
2. How does RegRipper work?
RegRipper uses James McFarlane's Parse::Win32Registry module to access
a Windows Registry hive file in an object-oriented manner, bypassing the
Win32API. This module is used to locate and access Registry key nodes
within the hive file, as well as value nodes and their data. When
accessing a key node, the LastWrite time is retrieved, parsed and
translated into something the examiner can understand. Data is retrieved
in much the same manner...if necessary, the plugin that retrieves the
data will also perform translation of that data into something readable.
3. Who wrote and maintains RegRipper?
I did/do. If you have any questions, concerns, comments, or suggestions
regarding how RegRipper works, please feel free to contact me.
4. Who should/can use RegRipper?
Anyone who wants to perform Windows Registry hive file analysis. This tool
is specifically intended for Windows 2000, XP, and 2003 hive files (there
has been limited testing on Vista/Win2K8 hive files...everything has worked
fine so far...).
5. How do I use RegRipper?
Simply launch rr.exe. Also, please be sure to read the RegRipper documentation.
6. Do I have to install anything to use the RegRipper?
Nope, not a thing. RegRipper ships as an EXE file, able to run on Windows
systems. All you need to do is extract the EXE and DLL in the same directory.
The source file (rr.pl) is also included, as are the plugins.
Further, RegRipper doesn't make any changes to your analysis system...no
Registry entries are made, nor are any files installed in odd, out-of-the-way
locations.
Links
Module - http://search.cpan.org/~jmacfarla/Parse-Win32Registry/lib/
Parse/Win32Registry.pm
Email - H. Carvey - keydet89@yahoo.com
RegRipper and rip.exe are released under the GPL license. Please see license.txt
for details.
RegRipper and rip.exe are copyrighted to H. Carvey.


@ -0,0 +1,12 @@
This software is released AS-IS, with no statements or guarantees as to
its effectiveness or stability. While it shouldn't cause any problems
whatsoever with your system, there's always the chance that someone may find
a way to blame a system crash or loss of data on software like this...you've
been warned!
This software is released under the GNU Public License -
http://www.gnu.org/copyleft/gpl.html
Specifically, GPL v3.0: http://www.gnu.org/licenses/quick-guide-gplv3.html
Questions, comments, etc., can be sent to keydet89 at yahoo dot com.

Binary file not shown.

Binary file not shown.


@ -0,0 +1,314 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# Plugins Browser - browse plugins, create plugins files, edit
# current files
#
#
# Change History
# 20100122 - Updated to include opening a plugins file
# 20091207 - Created
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
use strict;
use Win32::GUI();
use Win32::GUI::Constants qw(CW_USEDEFAULT);
use Encode;
my $plugindir;
my $mw = Win32::GUI::Window->new(
-title => "Plugin Browser",
-left => CW_USEDEFAULT,
-size => [560,440],
-maxsize => [560,440],
-dialogui => 1,
);
my $icon = new Win32::GUI::Icon('QAR.ICO');
$mw->SetIcon($icon);
$mw->AddLabel(
-text => "",
-name => "biglabel1",
-pos => [10,10],
-size => [530,40],
-sunken => 1
);
$mw->AddLabel(
-text => "Plugin Dir: ",
-pos => [20,23],
);
my $plugindirtext = $mw->AddTextfield(
-name => "plugindir",
-tabstop => 1,
-left => 100,
-top => 18,
-width => 300,
-height => 25,
-tabstop => 1,
-foreground => "#000000",
-background => "#FFFFFF"
);
my $browse = $mw->AddButton(
-name => 'browse',
-text => 'Browse',
-size => [50,25],
-pos => [450,18],
);
my $datatab = $mw->AddTabStrip(
-pos => [10,60],
-size => [530,280],
-name => "datatab"
);
$datatab->InsertItem(-text => "Browse");
$datatab->InsertItem(-text => "Plugin File");
my $lb1 = $mw->AddListbox(
-name => 'LB1',
-pos => [20,100],
-size => [180,240],
-multisel => 2,
-vscroll => 1
);
my $gb1 = $mw->AddGroupbox(
-name => 'GB',
-title => 'Plugin Info',
-pos => [260,100],
-size => [260,220],
);
my $gblbl = $mw->AddLabel(
-name => 'LBL',
-left => $mw->GB->Left()+10,
-top => $mw->GB->Top()+20,
-width => $mw->GB->ScaleWidth()-20,
-height => $mw->GB->ScaleHeight()-40,
);
# The following elements go on the "Plugin File" tab and
# are initially hidden
my $lb2 = $mw->AddListbox(
-name => 'LB2',
-pos => [320,100],
-size => [200,240],
-vscroll => 1,
-multisel => 2
# -onSelChange => \&newSelection,
);
$lb2->Hide();
my $add = $mw->AddButton(
-name => 'Add',
-text => '>>',
-tip => "Add Plugin",
-size => [50,25],
-pos => [230,130],
);
$add->Hide();
my $remove = $mw->AddButton(
-name => 'Remove',
-text => '<<',
-tip => "Remove Plugin",
-size => [50,25],
-pos => [230,180],
);
$remove->Hide();
my $open = $mw->AddButton(
-name => 'Open',
-tip => "Open Plugin File",
-text => 'Open',
-size => [50,25],
-pos => [230,230],
);
$open->Hide();
my $save = $mw->AddButton(
-name => 'Save',
-tip => "Save Plugin File",
-text => 'Save',
-size => [50,25],
-pos => [230,280],
);
$save->Hide();
$mw->AddButton(
-name => 'BT',
-text => 'Exit',
-size => [50,25],
-pos => [450,350],
-onClick => sub{-1;},
);
my $status = new Win32::GUI::StatusBar($mw,
-text => "copyright 2010 Quantum Analytics Research, LLC",
);
$mw->Show();
Win32::GUI::Dialog();
$mw->Hide();
exit(0);
sub datatab_Click {
if ($datatab->SelectedItem == 0) {
$lb2->Hide();
$add->Hide();
$remove->Hide();
$open->Hide();
$save->Hide();
$gb1->Show();
$gblbl->Show();
}
if ($datatab->SelectedItem == 1) {
$lb2->Show();
$add->Show();
$remove->Show();
$open->Show();
$save->Show();
$gb1->Hide();
$gblbl->Hide();
}
}
sub browse_Click {
$plugindir = Win32::GUI::BrowseForFolder(
-title => "Report Dir",
-root => 0x0011,
-folderonly => 1,
-includefiles => 0,
);
$plugindir = $plugindir."\\" unless $plugindir =~ m/\\$/;
$plugindirtext->Text("");
$plugindirtext->Text($plugindir);
$mw->LB1->ResetContent();
my @plugins;
opendir(DIR,$plugindir);
push(@plugins, grep(/\.pl$/,readdir(DIR)));
closedir(DIR);
$mw->LB1->Add(sort @plugins);
0;
}
sub LB1_SelChange {
if ($datatab->SelectedItem == 0) {
\&newSelection();
}
}
sub newSelection {
my $lb = shift;
# Set the label text to reflect the change
my $item = $lb1->GetCurSel();
my $text = $lb1->GetText($item);
$lb1->GetParent()->LBL->Text(get_plugin_info($text));
return 1;
}
sub get_plugin_info {
my $name = shift;
require $plugindir."\\".$name;
$name =~ s/\.pl$//;
my $text = "Plugin Name: ".$name."\r\n";
eval {
$text .= "Version: ".$name->getVersion."\r\n";
};
eval {
$text .= "Hive : ".$name->getHive."\r\n\r\n";
};
eval {
$text .= "Descr : \r\n";
$text .= $name->getShortDescr."\r\n";
};
return $text;
}
sub Add_Click {
my @list = $lb1->SelectedItems();
foreach my $i (sort {$a <=> $b} @list) {
my $str = $lb1->GetString($i);
$str =~ s/\.pl$//;
$lb2->InsertString($str);
}
}
#-----------------------------------------------------------
# Note regarding use of DeleteString(); if starting from index
# 0 and increasing, the index changes so that after the first
# index item is deleted, the second index item is reset. To
# avoid this issue, reverse the order of the indexes.
#-----------------------------------------------------------
sub Remove_Click {
my @list = $lb2->SelectedItems();
foreach my $i (reverse @list) {
$lb2->DeleteString($i);
}
}
sub Save_Click {
my $file = Win32::GUI::GetSaveFileName(
-owner => $mw,
-title => "Save Plugin File",
-explorer => 1,
-directory => $plugindir,
-filter => ['All files' => '*.*']
);
if ($file) {
$file =~ s/\.\w+$//;
}
elsif (Win32::GUI::CommDlgExtendedError()) {
$mw->MessageBox ("ERROR : ".Win32::GUI::CommDlgExtendedError(),
"GetSaveFileName Error");
}
open(FH,">",$file);
print FH "# Plugin file created via Plugin Browser\n";
print FH "# Date: ".localtime(time)."\n";
print FH "# User: ".$ENV{USERNAME}."\n";
print FH "#\n";
print FH "\n";
my $count = $lb2->GetCount();
foreach my $i (0..$count - 1) {
my $str = $lb2->GetString($i);
print FH $str."\n";
}
close(FH);
$lb2->ResetContent();
0;
}
sub Open_Click {
my $file = Win32::GUI::GetOpenFileName(
-owner => $mw,
-title => "Open Plugin File",
-explorer => 1,
-directory => $plugindir,
-filter => ['All files' => '*.*']
);
if ($file) {
open(FH,"<",$file);
while(<FH>) {
chomp;
$lb2->InsertString($_);
}
close(FH);
}
elsif (Win32::GUI::CommDlgExtendedError()) {
$mw->MessageBox ("ERROR : ".Win32::GUI::CommDlgExtendedError(),
"GetSaveFileName Error");
}
}
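Review bot: Save_Click falls through to `open(FH,">",$file)` even when the save dialog was cancelled or failed, because the `if`/`elsif` before it only strips the extension or shows the error box, so an empty `$file` reaches an unchecked open and every `print FH` then writes to a handle that never opened; add `return 0 unless $file;` after the `elsif` block and check the open with `open(FH,">",$file) or return 0;` (a lexical handle, `open(my $fh, '>', $file)`, would be the idiomatic form). The same unchecked bareword handles appear in browse_Click (`opendir(DIR,$plugindir)` with no `or` clause) and in Open_Click. Open_Click's message box is titled "GetSaveFileName Error" although it wraps GetOpenFileName, which looks like a copy-paste from Save_Click. get_plugin_info `require`s the selected .pl file, i.e. clicking an entry in the Browse list loads and runs that plugin's code in the browser process, so the header comment should state that the chosen plugin directory must be one the analyst trusts.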


@ -1,72 +1,74 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# acmru.pl # acmru.pl
# Plugin for Registry Ripper, NTUSER.DAT edition - gets the # Plugin for Registry Ripper, NTUSER.DAT edition - gets the
# ACMru values # ACMru values
# #
# Change history # Change history
# #
# #
# References # References
# #
# #
# copyright 2008 H. Carvey # copyright 2008 H. Carvey
#----------------------------------------------------------- #-----------------------------------------------------------
package acmru; package acmru;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20080324); version => 20080324);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets contents of user's ACMru key"; return "Gets contents of user's ACMru key";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
::logMsg("Launching acmru v.".$VERSION); ::logMsg("Launching acmru v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser); ::rptMsg("acmru v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("- ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $key_path = 'Software\\Microsoft\\Search Assistant\\ACMru'; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Software\\Microsoft\\Search Assistant\\ACMru';
::rptMsg("ACMru - Search Assistant"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); ::rptMsg("ACMru - Search Assistant");
my @subkeys = $key->get_list_of_subkeys(); ::rptMsg($key_path);
if (scalar(@subkeys) > 0) { ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
foreach my $s (@subkeys) { my @subkeys = $key->get_list_of_subkeys();
::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]"); if (scalar(@subkeys) > 0) {
my @vals = $s->get_list_of_values(); foreach my $s (@subkeys) {
my %ac_vals; ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
foreach my $v (@vals) { my @vals = $s->get_list_of_values();
$ac_vals{$v->get_name()} = $v->get_data(); my %ac_vals;
} foreach my $v (@vals) {
foreach my $a (sort {$a <=> $b} keys %ac_vals) { $ac_vals{$v->get_name()} = $v->get_data();
::rptMsg("\t".$a." -> ".$ac_vals{$a}); }
} foreach my $a (sort {$a <=> $b} keys %ac_vals) {
::rptMsg(""); ::rptMsg("\t".$a." -> ".$ac_vals{$a});
} }
} ::rptMsg("");
else { }
::rptMsg($key_path." has no subkeys."); }
} else {
} ::rptMsg($key_path." has no subkeys.");
else { }
::rptMsg($key_path." not found."); }
} else {
} ::rptMsg($key_path." not found.");
}
}
1; 1;
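Review bot: The new banner line `::rptMsg("- ".getShortDescr()."\n");` uses a different format from the banner the other plugins in this commit emit (`::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");` in adoberdr, aim and aports), so the report shows the hive name for those plugins and a bare dash for this one; use the `(hive)` form here for consistency. The `Parse::Win32Registry->new($ntuser)` result is still used without a check before `get_root_key`, which is pre-existing and shared by every plugin in this commit rather than introduced here.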


@ -1,93 +1,96 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# adoberdr.pl # adoberdr.pl
# Plugin for Registry Ripper # Plugin for Registry Ripper
# Parse Adobe Reader MRU keys # Parse Adobe Reader MRU keys
# #
# Change history # Change history
# 20100218 - added checks for versions 4.0, 5.0, 9.0 # 20120716 - added version 10.0 to @versions
# 20091125 - modified output to make a bit more clear # 20100218 - added checks for versions 4.0, 5.0, 9.0
# # 20091125 - modified output to make a bit more clear
# References #
# # References
# Note: LastWrite times on c subkeys will all be the same, #
# as each subkey is modified as when a new entry is added # Note: LastWrite times on c subkeys will all be the same,
# # as each subkey is modified as when a new entry is added
# copyright 2010 Quantum Analytics Research, LLC #
#----------------------------------------------------------- # copyright 2010 Quantum Analytics Research, LLC
package adoberdr; #-----------------------------------------------------------
use strict; package adoberdr;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1, my %config = (hive => "NTUSER\.DAT",
hasDescr => 0, hasShortDescr => 1,
hasRefs => 0, hasDescr => 0,
osmask => 22, hasRefs => 0,
version => 20100218); osmask => 22,
version => 20120716);
sub getConfig{return %config}
sub getShortDescr { sub getConfig{return %config}
return "Gets user's Adobe Reader cRecentFiles values"; sub getShortDescr {
} return "Gets user's Adobe Reader cRecentFiles values";
sub getDescr{} }
sub getRefs {} sub getDescr{}
sub getHive {return $config{hive};} sub getRefs {}
sub getVersion {return $config{version};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my $VERSION = getVersion();
sub pluginmain {
my $class = shift; sub pluginmain {
my $ntuser = shift; my $class = shift;
::logMsg("Launching adoberdr v.".$VERSION); my $ntuser = shift;
my $reg = Parse::Win32Registry->new($ntuser); ::logMsg("Launching adoberdr v.".$VERSION);
my $root_key = $reg->get_root_key; ::rptMsg("adoberdr v.".$VERSION); # banner
::rptMsg("Adoberdr v.".$VERSION); ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
# First, let's find out which version of Adobe Acrobat Reader is installed my $reg = Parse::Win32Registry->new($ntuser);
my $version; my $root_key = $reg->get_root_key;
my $tag = 0; ::rptMsg("Adoberdr v.".$VERSION);
my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0"); # First, let's find out which version of Adobe Acrobat Reader is installed
foreach my $ver (@versions) { my $version;
my $key_path = "Software\\Adobe\\Acrobat Reader\\".$ver."\\AVGeneral\\cRecentFiles"; my $tag = 0;
if (defined($root_key->get_subkey($key_path))) { my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0","10\.0");
$version = $ver; foreach my $ver (@versions) {
$tag = 1; my $key_path = "Software\\Adobe\\Acrobat Reader\\".$ver."\\AVGeneral\\cRecentFiles";
} if (defined($root_key->get_subkey($key_path))) {
} $version = $ver;
$tag = 1;
if ($tag) { }
::rptMsg("Adobe Acrobat Reader version ".$version." located."); }
my $key_path = "Software\\Adobe\\Acrobat Reader\\".$version."\\AVGeneral\\cRecentFiles";
my $key = $root_key->get_subkey($key_path); if ($tag) {
if ($key) { ::rptMsg("Adobe Acrobat Reader version ".$version." located.");
::rptMsg($key_path); my $key_path = "Software\\Adobe\\Acrobat Reader\\".$version."\\AVGeneral\\cRecentFiles";
::rptMsg(""); my $key = $root_key->get_subkey($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key) {
my %arkeys; ::rptMsg($key_path);
my @subkeys = $key->get_list_of_subkeys(); ::rptMsg("");
if (scalar @subkeys > 0) { # ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
foreach my $s (@subkeys) { my %arkeys;
my $num = $s->get_name(); my @subkeys = $key->get_list_of_subkeys();
my $data = $s->get_value('sDI')->get_data(); if (scalar @subkeys > 0) {
$num =~ s/^c//; foreach my $s (@subkeys) {
$arkeys{$num}{lastwrite} = $s->get_timestamp(); my $num = $s->get_name();
$arkeys{$num}{data} = $data; my $data = $s->get_value('sDI')->get_data();
} $num =~ s/^c//;
::rptMsg("Most recent PDF opened: ".gmtime($arkeys{1}{lastwrite})." (UTC)"); $arkeys{$num}{lastwrite} = $s->get_timestamp();
foreach my $k (sort keys %arkeys) { $arkeys{$num}{data} = $data;
::rptMsg(" c".$k." ".$arkeys{$k}{data}); }
} ::rptMsg("Most recent PDF opened: ".gmtime($arkeys{1}{lastwrite})." (UTC)");
} foreach my $k (sort keys %arkeys) {
else { ::rptMsg(" c".$k." ".$arkeys{$k}{data});
::rptMsg($key_path." has no subkeys."); }
} }
} else {
else { ::rptMsg($key_path." has no subkeys.");
::rptMsg("Could not access ".$key_path); }
} }
} else {
else { ::rptMsg("Could not access ".$key_path);
::rptMsg("Adobe Acrobat Reader version not found."); }
} }
} else {
::rptMsg("Adobe Acrobat Reader version not found.");
}
}
1; 1;
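Review bot: The added banner `::rptMsg("adoberdr v.".$VERSION);` duplicates the pre-existing `::rptMsg("Adoberdr v.".$VERSION);` that remains on the new side a few lines further down, so the version line is now printed twice per report; drop the older line. With "10\.0" appended to `@versions` the detection loop still overwrites `$version` on every match and only the last match is reported, which is the highest version only because the list is kept in ascending order; a comment on `@versions` saying it must stay ascending would make that dependency explicit. The lexical `sort keys %arkeys` orders c10 before c2 once more than nine recent files exist, which is unchanged by this commit.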


@ -1,95 +1,97 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# aim # aim
# #
# copyright 2008 H. Carvey, keydet89@yahoo.com # copyright 2008 H. Carvey, keydet89@yahoo.com
#----------------------------------------------------------- #-----------------------------------------------------------
package aim; package aim;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20080325); version => 20080325);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets info from the AOL Instant Messenger (not AIM) install"; return "Gets info from the AOL Instant Messenger (not AIM) install";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching aim plugin v.".$VERSION); ::logMsg("Launching aim plugin v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("aim v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $key_path = 'Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users'; my $reg = Parse::Win32Registry->new($hive);
my $key; my $root_key = $reg->get_root_key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users';
::rptMsg("AIM"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg("AIM");
::rptMsg($key_path);
my @subkeys = $key->get_list_of_subkeys(); ::rptMsg("");
if (scalar(@subkeys) > 0) { my @subkeys = $key->get_list_of_subkeys();
foreach my $s (@subkeys) {
my $user = $s->get_name(); if (scalar(@subkeys) > 0) {
::rptMsg("User: $user [".gmtime($s->get_timestamp())."]"); foreach my $s (@subkeys) {
my $user = $s->get_name();
my $login = "Login"; ::rptMsg("User: $user [".gmtime($s->get_timestamp())."]");
my $recent = "recent IM ScreenNames";
my $recent2 = "recent ScreenNames"; my $login = "Login";
my $recent = "recent IM ScreenNames";
my @userkeys = $s->get_list_of_subkeys(); my $recent2 = "recent ScreenNames";
foreach my $u (@userkeys) {
my $us = $u->get_name(); my @userkeys = $s->get_list_of_subkeys();
# See if we can get the encrypted password foreach my $u (@userkeys) {
if ($us =~ m/^$login/) { my $us = $u->get_name();
my $pwd = ""; # See if we can get the encrypted password
eval { if ($us =~ m/^$login/) {
$pwd = $u->get_value("Password1")->get_data(); my $pwd = "";
}; eval {
::rptMsg("Pwd: ".$pwd) if ($pwd ne ""); $pwd = $u->get_value("Password1")->get_data();
} };
# See if we can get recent folks they've chatted with... ::rptMsg("Pwd: ".$pwd) if ($pwd ne "");
if ($us eq $recent || $us eq $recent2) { }
# See if we can get recent folks they've chatted with...
my @vals = $u->get_list_of_values(); if ($us eq $recent || $us eq $recent2) {
if (scalar(@vals) > 0) {
::rptMsg($user."\\".$us); my @vals = $u->get_list_of_values();
my %sns; if (scalar(@vals) > 0) {
foreach my $v (@vals) { ::rptMsg($user."\\".$us);
$sns{$v->get_name()} = $v->get_data(); my %sns;
} foreach my $v (@vals) {
$sns{$v->get_name()} = $v->get_data();
foreach my $i (sort {$a <=> $b} keys %sns) { }
::rptMsg("\t\t".$i." -> ".$sns{$i});
} foreach my $i (sort {$a <=> $b} keys %sns) {
} ::rptMsg("\t\t".$i." -> ".$sns{$i});
else { }
# No values }
} else {
} # No values
} }
::rptMsg(""); }
} }
} ::rptMsg("");
else { }
::rptMsg($key_path." has no subkeys."); }
::logMsg($key_path." has no subkeys."); else {
} ::rptMsg($key_path." has no subkeys.");
} ::logMsg($key_path." has no subkeys.");
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} ::logMsg($key_path." not found.");
}
}
1; 1;


@ -0,0 +1,4 @@
# 20120528 *ALL* Plugins that apply on any HIVES, alphabetical order
baseline
findexes
regtime


@ -0,0 +1,104 @@
#-----------------------------------------------------------
# aports.pl
# Extracts the install path for SmartLine Inc. Active Ports.
#
# Change history
# 20110830 [fpi] + banner, no change to the version number
#
# References
#
# Copyright (c) 2011-02-04 Brendan Coles <bcoles@gmail.com>
#-----------------------------------------------------------
# Require #
package aports;
use strict;
# Declarations #
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20110204);
my $VERSION = getVersion();
# Functions #
sub getDescr {}
sub getConfig {return %config}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
sub getShortDescr {
return "Extracts the install path for SmartLine Inc. Active Ports.";
}
sub getRefs {
my %refs = ("SmartLine Inc. Active Ports Homepage:" =>
"http://www.ntutility.com");
return %refs;
}
############################################################
# pluginmain #
############################################################
sub pluginmain {
# Declarations #
my $class = shift;
my $hive = shift;
my @interesting_keys = (
"InstallPath"
);
# Initialize #
::logMsg("Launching aports v.".$VERSION);
::rptMsg("aports v.".$VERSION); # 20110830 [fpi] + banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key;
my $key_path = "Software\\SmartLine Vision\\aports";
# If # Active Ports path exists #
if ($key = $root_key->get_subkey($key_path)) {
# Return # plugin name, registry key and last modified date #
::rptMsg("Active Ports");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# Extract # all keys from Active Ports registry path #
my %keys;
my @vals = $key->get_list_of_values();
# If # registry keys exist in path #
if (scalar(@vals) > 0) {
# Extract # all key names+values for Active Ports registry path #
foreach my $v (@vals) {
$keys{$v->get_name()} = $v->get_data();
}
# Return # all key names+values for interesting keys #
foreach my $var (@interesting_keys) {
if (exists $keys{$var}) {
::rptMsg($var." -> ".$keys{$var});
}
}
# Error # key value is null #
} else {
::rptMsg($key_path." has no values.");
}
# Error # Active Ports isn't here, try another castle #
} else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
# Return # obligatory new-line #
::rptMsg("");
}
# Error # oh snap! #
1;


@ -0,0 +1,83 @@
#-----------------------------------------------------------
# appcertdlls.pl
#
# History:
# 20120912 - created
#
# References:
# Blog post: https://blog.mandiant.com/archives/2459
# Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf
# Tool: https://github.com/mandiant/ShimCacheParser
#
# This plugin is based solely on the work and examples provided by Mandiant;
# thanks to them for sharing this information, and making the plugin possible.
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appcertdlls;
use strict;
my %config = (hive => "System",
hivemask => 4,
output => "report",
category => "malware",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 31, #XP - Win7
version => 20120817);
sub getConfig{return %config}
sub getShortDescr {
return "Get entries from AppCertDlls key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %files;
my @temps;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching appcertdlls v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my ($current,$ccs);
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $appcert_path = $ccs."\\Control\\Session Manager\\AppCertDlls";
my $appcert;
if ($appcert = $root_key->get_subkey($appcert_path)) {
my @vals = $appcert->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
my $data = $v->get_data();
::rptMsg($name." - ".$data);
}
}
else {
::rptMsg($appcert_path."has no values.");
}
}
else {
::rptMsg($appcert_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;
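Review bot: The file-scoped `my %files;` and `my @temps;` and the ShimCache references in the header comment are carried over from appcompatcache.pl but nothing in this plugin uses them; remove the two declarations and replace the header references with ones that concern AppCertDlls, or state that none are given. The message at `::rptMsg($appcert_path."has no values.");` lacks the separating space before "has". Since `%config` files this plugin under the "malware" category, each entry found could additionally be raised through `::alertMsg("ALERT: appcertdlls: ".$name." - ".$data);` in the same way appcompatcache.pl alerts on temp paths, so the analyst does not have to spot it in the report body. The `version => 20120817` in `%config` predates the "20120912 - created" entry in the history block.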


@ -0,0 +1,315 @@
#-----------------------------------------------------------
# appcompatcache.pl
#
# History:
# 20130425 - added alertMsg() functionality
# 20120817 - updated to address issue with residual data in XP data blocks
# 20120722 - updated the %config hash
# 20120523 - updated to send all files to a single hash, and check for temp paths
# 20120515 - Updated to support 64-bit Win2003 and Vista/Win2008
# 20120424 - Modified/updated
# 20120418 - created
#
# References:
# Blog post: https://blog.mandiant.com/archives/2459
# Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf
# Tool: https://github.com/mandiant/ShimCacheParser
#
# This plugin is based solely on the work and examples provided by Mandiant;
# thanks to them for sharing this information, and making the plugin possible.
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appcompatcache;
use strict;
my %config = (hive => "System",
hivemask => 4,
output => "report",
category => "Program Execution",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 31, #XP - Win7
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Parse files from System hive Shim Cache";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %files;
my @temps;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching appcompatcache v.".$VERSION);
::rptMsg("appcompatcache v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my ($current,$ccs);
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $appcompat_path = $ccs."\\Control\\Session Manager";
my $appcompat;
if ($appcompat = $root_key->get_subkey($appcompat_path)) {
my $app_data;
eval {
$app_data = $appcompat->get_subkey("AppCompatibility")->get_value("AppCompatCache")->get_data();
};
eval {
$app_data = $appcompat->get_subkey("AppCompatCache")->get_value("AppCompatCache")->get_data();
};
# ::rptMsg("Length of data: ".length($app_data));
my $sig = unpack("V",substr($app_data,0,4));
::rptMsg(sprintf "Signature: 0x%x",$sig);
if ($sig == 0xdeadbeef) {
eval {
appXP32Bit($app_data);
};
}
elsif ($sig == 0xbadc0ffe) {
eval {
appWin2k3($app_data);
};
}
elsif ($sig == 0xbadc0fee) {
eval {
appWin7($app_data);
};
}
else {
::rptMsg("Unknown signature");
}
# this is where we print out the files
foreach my $f (keys %files) {
::rptMsg($f);
push(@temps,$f) if (grep(/[Tt]emp/,$f));
::rptMsg("ModTime: ".gmtime($files{$f}{modtime})." Z");
::rptMsg("UpdTime: ".gmtime($files{$f}{updtime})." Z") if (exists $files{$f}{updtime});
::rptMsg("Size : ".$files{$f}{size}." bytes") if (exists $files{$f}{size});
::rptMsg("Executed") if (exists $files{$f}{executed});
::rptMsg("");
}
if (scalar(@temps) > 0) {
foreach (@temps) {
::alertMsg("ALERT: appcompatcache: Temp path found: ".$_);
}
}
}
else {
::rptMsg($appcompat_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
#-----------------------------------------------------------
# appXP32Bit()
# parse 32-bit XP data
#-----------------------------------------------------------
sub appXP32Bit {
my $data = shift;
::rptMsg("WinXP, 32-bit");
# header is 400 bytes; each structure is 552 bytes in size
my $num_entries = unpack("V",substr($data,4,4));
foreach my $i (0..($num_entries - 1)) {
my $x = substr($data,(400 + ($i * 552)),552);
my $file = (split(/\00\00/,substr($x,0,488)))[0];
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my ($mod1,$mod2) = unpack("VV",substr($x,528,8));
my $modtime = ::getTime($mod1,$mod2);
my ($sz1,$sz2) = unpack("VV",substr($x,536,8));
my $sz;
($sz2 == 0)?($sz = $sz1):($sz = "Too big");
my ($up1,$up2) = unpack("VV",substr($x,544,8));
my $updtime = ::getTime($up1,$up2);
$files{$file}{size} = $sz;
$files{$file}{modtime} = $modtime;
$files{$file}{updtime} = $updtime;
}
}
#-----------------------------------------------------------
# appWin2k3()
# parse Win2k3, Vista, Win2k8 data
#-----------------------------------------------------------
sub appWin2k3 {
my $data = shift;
my $num_entries = unpack("V",substr($data,4,4));
# ::rptMsg("Num_entries: ".$num_entries);
my $struct_sz = 0;
my ($len,$max_len,$padding) = unpack("vvV",substr($data,8,8));
if (($max_len - $len) == 2) {
# if $padding == 0, 64-bit; otherwise, 32-bit
if ($padding == 0) {
$struct_sz = 32;
::rptMsg("Win2K3/Vista/Win2K8, 64-bit");
}
else {
$struct_sz = 24;
::rptMsg("Win2K3/Vista/Win2K8, 32-bit");
}
}
foreach my $i (0..($num_entries - 1)) {
my $struct = substr($data,(8 + ($struct_sz * $i)),$struct_sz);
if ($struct_sz == 24) {
my ($len,$max_len,$ofs,$t0,$t1,$f0,$f1) = unpack("vvVVVVV",$struct);
my $file = substr($data,$ofs,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastMod: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2));
# ::rptMsg("");
$files{$file}{modtime} = $t;
# $files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
}
elsif ($struct_sz == 32) {
my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvVVVVVVV",$struct);
my $file = substr($data,$ofs0,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastMod: ".gmtime($t)." Z");
# ::rptMsg(" Size : ".$f0) if (($f1 == 0) && ($f0 > 3));
# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2));
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
}
else {
}
}
}
#-----------------------------------------------------------
# appWin7()
# parse Win2k8R2, Win7 data
#-----------------------------------------------------------
sub appWin7 {
my $data = shift;
my $struct_sz = 0;
my $num_entries = unpack("V",substr($data,4,4));
# ::rptMsg("Num_entries: ".$num_entries);
# 128-byte header
my ($len,$max_len,$padding) = unpack("vvV",substr($data,128,8));
if (($max_len - $len) == 2) {
if ($padding == 0) {
$struct_sz = 48;
::rptMsg("Win2K8R2/Win7, 64-bit");
}
else {
$struct_sz = 32;
::rptMsg("Win2K8R2/Win7, 32-bit");
}
}
foreach my $i (0..($num_entries - 1)) {
my $struct = substr($data,(128 + ($struct_sz * $i)),$struct_sz);
if ($struct_sz == 32) {
my ($len,$max_len,$ofs,$t0,$t1,$f0,$f1) = unpack("vvV5x8",$struct);
my $file = substr($data,$ofs,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastModTime: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if ($f0 & 0x2);
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if ($f0 & 0x2);
}
else {
my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvV7x16",$struct);
my $file = substr($data,$ofs0,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastModTime: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if ($f0 & 0x2);
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if ($f0 & 0x2);
}
}
}
#-----------------------------------------------------------
# printData()
# subroutine used primarily for debugging; takes an arbitrary
# length of binary data, prints it out in hex editor-style
# format for easy debugging
#-----------------------------------------------------------
sub printData {
my $data = shift;
my $len = length($data);
my $tag = 1;
my $cnt = 0;
my $loop = $len/16;
$loop++ if ($len%16);
foreach my $cnt (0..($loop - 1)) {
# while ($tag) {
my $left = $len - ($cnt * 16);
my $n;
($left < 16) ? ($n = $left) : ($n = 16);
my $seg = substr($data,$cnt * 16,$n);
my @str1 = split(//,unpack("H*",$seg));
my @s3;
my $str = "";
foreach my $i (0..($n - 1)) {
$s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) {
$str .= chr(hex($s3[$i]));
}
else {
$str .= "\.";
}
}
my $h = join(' ',@s3);
::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h);
}
}
1;
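Review bot: appXP32Bit, appWin2k3 and appWin7 iterate `$num_entries` taken straight from the hive data without comparing it against `length($data)`, so a corrupted or hand-crafted AppCompatCache value carrying a large count makes the plugin loop over `substr()`/`unpack()` of empty strings for a long time and floods `%files` with empty names; clamp the count to what the buffer can hold, e.g. in appXP32Bit `my $max = int((length($data) - 400) / 552);` followed by `$num_entries = $max if ($num_entries > $max);`, and the same with the 8-byte/`$struct_sz` and 128-byte/`$struct_sz` layouts in the other two. In appWin2k3 and appWin7, when `($max_len - $len) != 2` the `$struct_sz` stays 0 and the loop still runs `$num_entries` times doing nothing; returning early with a report message when `$struct_sz` is 0 would make that case visible instead of silent. `%files` and `@temps` are file-scoped and never cleared, so if the host ran pluginmain more than once in one process (cannot tell from here whether it does) results would accumulate across hives. appcompatcache_tln.pl is described as derived from this file and appears to share the same parsers, so the same bound belongs there.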


@ -0,0 +1,275 @@
#-----------------------------------------------------------
# appcompatcache_tln.pl
#
# History:
# 20130425 - added alertMsg() functionality
# 20120817 - updated to address extra data in XP data blocks
# 20120722 - updated %config hash
# 20120523 - created; updated from appcompatcache.pl
# 20120523 - updated to send all files to a single hash, and check for temp paths
# 20120515 - Updated to support 64-bit Win2003 and Vista/Win2008
# 20120424 - Modified/updated
# 20120418 - created
#
# References:
# Blog post: https://blog.mandiant.com/archives/2459
# Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf
# Tool: https://github.com/mandiant/ShimCacheParser
#
# This plugin is based solely on the work and examples provided by Mandiant;
# thanks to them for sharing this information, and making the plugin possible.
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appcompatcache_tln;
use strict;
my %config = (hive => "System",
hivemask => 4,
output => "tln",
category => "Program Execution",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 31, #XP - Win7
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Parse files from System hive Shim Cache";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %files;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching appcompatcache_tln v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my ($current,$ccs);
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $appcompat_path = $ccs."\\Control\\Session Manager";
my $appcompat;
if ($appcompat = $root_key->get_subkey($appcompat_path)) {
my $app_data;
eval {
$app_data = $appcompat->get_subkey("AppCompatibility")->get_value("AppCompatCache")->get_data();
};
eval {
$app_data = $appcompat->get_subkey("AppCompatCache")->get_value("AppCompatCache")->get_data();
};
# ::rptMsg("Length of data: ".length($app_data));
my $sig = unpack("V",substr($app_data,0,4));
# ::rptMsg(sprintf "Signature: 0x%x",$sig);
if ($sig == 0xdeadbeef) {
eval {
appXP32Bit($app_data);
};
}
elsif ($sig == 0xbadc0ffe) {
eval {
appWin2k3($app_data);
};
}
elsif ($sig == 0xbadc0fee) {
eval {
appWin7($app_data);
};
}
else {
::rptMsg("Unknown signature");
}
# this is where we print out the files
foreach my $f (keys %files) {
my $str;
if (exists $files{$f}{executed}) {
$str = "M... [Program Execution] AppCompatCache - ".$f;
}
else {
$str = "M... AppCompatCache - ".$f;
}
$str .= " [Size = ".$files{$f}{size}."] bytes" if (exists $files{$f}{size});
# $str .= " [Executed]" if (exists $files{$f}{executed});
::rptMsg($files{$f}{modtime}."|REG|||".$str);
# alert added 20130425
if (grep(/[Tt]emp/,$f) {
::alertMsg($files{$f}{modtime}."|ALERT|||\"Temp\" found in path - ".$str);
}
}
}
else {
::rptMsg($appcompat_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
#-----------------------------------------------------------
# appXP32Bit()
# parse 32-bit XP data
#-----------------------------------------------------------
sub appXP32Bit {
my $data = shift;
::rptMsg("WinXP, 32-bit");
# header is 400 bytes; each structure is 552 bytes in size
my $num_entries = unpack("V",substr($data,4,4));
foreach my $i (0..($num_entries - 1)) {
my $x = substr($data,(400 + ($i * 552)),552);
my $file = (split(/\00\00/,substr($x,0,488)))[0];
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my ($mod1,$mod2) = unpack("VV",substr($x,528,8));
my $modtime = ::getTime($mod1,$mod2);
my ($sz1,$sz2) = unpack("VV",substr($x,536,8));
my $sz;
($sz2 == 0)?($sz = $sz1):($sz = "Too big");
my ($up1,$up2) = unpack("VV",substr($x,544,8));
my $updtime = ::getTime($up1,$up2);
# ::rptMsg($file);
# ::rptMsg("Size : ".$sz." bytes");
# ::rptMsg("ModTime: ".gmtime($modtime)." Z");
# ::rptMsg("UpdTime: ".gmtime($updtime)." Z");
# ::rptMsg("");
$files{$file}{size} = $sz;
$files{$file}{modtime} = $modtime;
$files{$file}{updtime} = $updtime;
}
}
#-----------------------------------------------------------
# appWin2k3()
# parse Win2k3, Vista, Win2k8 data
#-----------------------------------------------------------
sub appWin2k3 {
my $data = shift;
my $num_entries = unpack("V",substr($data,4,4));
# ::rptMsg("Num_entries: ".$num_entries);
my $struct_sz = 0;
my ($len,$max_len,$padding) = unpack("vvV",substr($data,8,8));
if (($max_len - $len) == 2) {
# if $padding == 0, 64-bit; otherwise, 32-bit
if ($padding == 0) {
$struct_sz = 32;
::rptMsg("Win2K3/Vista/Win2K8, 64-bit");
}
else {
$struct_sz = 24;
::rptMsg("Win2K3/Vista/Win2K8, 32-bit");
}
}
foreach my $i (0..($num_entries - 1)) {
my $struct = substr($data,(8 + ($struct_sz * $i)),$struct_sz);
if ($struct_sz == 24) {
my ($len,$max_len,$ofs,$t0,$t1,$f0,$f1) = unpack("vvVVVVV",$struct);
my $file = substr($data,$ofs,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastMod: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2));
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
}
elsif ($struct_sz == 32) {
my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvVVVVVVV",$struct);
my $file = substr($data,$ofs0,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastMod: ".gmtime($t)." Z");
# ::rptMsg(" Size : ".$f0) if (($f1 == 0) && ($f0 > 3));
# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2));
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
}
else {
}
}
}
#-----------------------------------------------------------
# appWin7()
# parse Win2k8R2, Win7 data
#-----------------------------------------------------------
sub appWin7 {
my $data = shift;
my $struct_sz = 0;
my $num_entries = unpack("V",substr($data,4,4));
# ::rptMsg("Num_entries: ".$num_entries);
# 128-byte header
my ($len,$max_len,$padding) = unpack("vvV",substr($data,128,8));
if (($max_len - $len) == 2) {
if ($padding == 0) {
$struct_sz = 48;
::rptMsg("Win2K8R2/Win7, 64-bit");
}
else {
$struct_sz = 32;
::rptMsg("Win2K8R2/Win7, 32-bit");
}
}
foreach my $i (0..($num_entries - 1)) {
my $struct = substr($data,(128 + ($struct_sz * $i)),$struct_sz);
if ($struct_sz == 32) {
my ($len,$max_len,$ofs,$t0,$t1,$f0,$f1) = unpack("vvV5x8",$struct);
my $file = substr($data,$ofs,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastModTime: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if ($f0 & 0x2);
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if ($f0 & 0x2);
}
else {
my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvV7x16",$struct);
my $file = substr($data,$ofs0,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastModTime: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if ($f0 & 0x2);
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if ($f0 & 0x2);
}
}
}
1;
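Review bot: The alert condition at the end of the file-reporting loop in pluginmain is missing a closing parenthesis — `if (grep(/[Tt]emp/,$f) {` — so, as rendered here, the file fails to compile and the plugin dies at load instead of emitting any TLN line. The intended check is a plain match on the path, `if ($f =~ /[Tt]emp/) {`, which also avoids calling `grep` on a single scalar. Separately, `$num_entries` in appXP32Bit, appWin2k3 and appWin7 is read straight out of the hive blob and is the only bound on the entry loops, so a truncated or malformed AppCompatCache value (a hive pulled from a compromised host is evidence, not trusted input) drives `substr` past the end of `$data` and produces empty entries; a `last if ... > length($data);` check on the computed offset at the top of each loop would stop cleanly.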


@ -0,0 +1,104 @@
#-----------------------------------------------------------
# appcompatflags.pl
# Extracts AppCompatFlags for Windows.
# This is a list of applications configured to run in
# compatibility mode. Some applications may be configured
# to run with elevated privilages (Tested in Vista only) :
# "ELEVATECREATEPROCESS" "RUNASADMIN" "WINXPSP2 RUNASADMIN"
#
# Change history
# 20110830 [fpi] + banner, no change to the version number
#
# References
# http://msdn.microsoft.com/en-us/library/bb756937.aspx
#
# Copyright (c) 2011-02-04 Brendan Coles <bcoles@gmail.com>
#-----------------------------------------------------------
# Require #
package appcompatflags;
use strict;
# Declarations #
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 1,
hasRefs => 1,
osmask => 22,
version => 20110204);
my $VERSION = getVersion();
# Functions #
sub getConfig {return %config}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
sub getDescr {
return "Extracts AppCompatFlags for Windows. This is a list".
" of applications configured to run in compatibility".
" mode. Some applications may be configured to run".
" with elevated privilages (Tested in Vista only) :".
'"ELEVATECREATEPROCESS" "RUNASADMIN" "WINXPSP2 RUNASADMIN"';
}
sub getShortDescr {
return "Extracts AppCompatFlags for Windows.";
}
sub getRefs {
my %refs = ("Application Compatibility: Program Compatibility Assistant" =>
"http://msdn.microsoft.com/en-us/library/bb756937.aspx");
return %refs;
}
############################################################
# pluginmain #
############################################################
sub pluginmain {
# Declarations #
my $class = shift;
my $hive = shift;
# Initialize #
::logMsg("Launching appcompatflags v.".$VERSION);
::rptMsg("appcompatflags v.".$VERSION); # 20110830 [fpi] + banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key;
my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers";
# If # AppCompatFlags path exists #
if ($key = $root_key->get_subkey($key_path)) {
# Return # plugin name, registry key and last modified date #
::rptMsg("AppCompatFlags");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# Extract # all keys from AppCompatFlags registry path #
my @vals = $key->get_list_of_values();
# If # registry keys exist in path #
if (scalar(@vals) > 0) {
# Extract # all key names+values for AppCompatFlags registry path #
foreach my $v (@vals) {
::rptMsg($v->get_name()." -> ".$v->get_data());
}
# Error # key value is null #
} else {
::rptMsg($key_path." has no values.");
}
# Error # AppCompatFlags isn't here, try another castle #
} else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
# Return # obligatory new-line #
::rptMsg("");
}
# Error # oh snap! #
1;
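Review bot: The entries the file header itself singles out as security-relevant (`RUNASADMIN`, `ELEVATECREATEPROCESS`) are only listed in the loop over `@vals` and never raised as an alert, although sibling plugins in this commit use `::alertMsg` for exactly this kind of finding. One line after the `rptMsg` in that loop would surface them: `::alertMsg("ALERT: appcompatflags: ".$v->get_name()." -> ".$v->get_data()) if ($v->get_data() =~ /RUNASADMIN|ELEVATECREATEPROCESS/);`. The getDescr string and the file header both misspell "privileges" as "privilages"; getDescr is report text, so it is worth correcting there too. The plugin reads only the per-user Layers key under NTUSER.DAT; the same Layers key exists under the Software hive, so machine-wide entries are presumably out of scope here — confirm whether a Software-hive counterpart is intended.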


@ -0,0 +1,93 @@
#-----------------------------------------------------------
# appinitdlls
#
# Change history:
# 20130425 - added alertMsg() functionality
# 20130305 - updated to address 64-bit systems
# 20080324 - created
#
# Ref:
# http://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx
# http://support.microsoft.com/kb/q197571
#
# copyright 2013 QAR,LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appinitdlls;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of AppInit_DLLs value";
}
sub getDescr{}
sub getRefs {
my %refs = ("Working with the AppInit_DLLs Reg Value" =>
"http://support.microsoft.com/kb/q197571");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::rptMsg("Launching appinitdlls v.".$VERSION);
::rptMsg("appinitdlls v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my @paths = ('Microsoft\\Windows NT\\CurrentVersion\\Windows',
'Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows');
::rptMsg("AppInit_DLLs");
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
foreach my $key_path (@paths) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
eval {
my $app = $key->get_value("AppInit_DLLs")->get_data();
if ($app eq "") {
$app = "{blank}";
}
else {
::alertMsg("ALERT: appinitdlls: Entry not blank: ".$app);
}
::rptMsg(" AppInit_DLLs : ".$app);
};
eval {
my $load = $key->get_value("LoadAppInit_DLLs")->get_data();
::rptMsg(" LoadAppInit_DLLs : ".$load);
::rptMsg("*LoadAppInit_DLLs value globally enables/disables AppInit_DLLS\.");
::rptMsg("0 = disabled (default)");
};
eval {
my $req = $key->get_value("RequireSignedAppInit_DLLs")->get_data();
::rptMsg(" RequireSignedAppInit_DLLs : ".$req);
};
::rptMsg("");
}
else {
::rptMsg($key_path." not found.");
}
}
::rptMsg("Analysis Tip: The AppInit_DLLs value should be blank; any DLL listed");
::rptMsg("is launched with each user-mode process\. ");
}
1;
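Review bot: The launch line at the top of pluginmain goes to the report, `::rptMsg("Launching appinitdlls v.".$VERSION);`, while every other plugin in this commit sends it to the log; it should be `::logMsg("Launching appinitdlls v.".$VERSION);` so the report does not open with a duplicated banner. The alert for a non-blank AppInit_DLLs value is emitted before LoadAppInit_DLLs is read, in a separate eval, so the analyst cannot tell from the alert alone whether the listed DLLs are actually loaded (the plugin's own text says 0 disables them); reading LoadAppInit_DLLs first and appending it to the alert string would make the alert actionable. The three eval blocks also discard every error, so a missing value and a parse failure are indistinguishable — acceptable for best-effort output, but a `::logMsg($@) if $@;` after each would help when a hive misbehaves.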


@ -1,96 +1,98 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# applets.pl # applets.pl
# Plugin for Registry Ripper # Plugin for Registry Ripper
# Windows\CurrentVersion\Applets Recent File List values # Windows\CurrentVersion\Applets Recent File List values
# #
# Change history # Change history
# #
# #
# References # References
# #
# #
# copyright 2008 H. Carvey # copyright 2008 H. Carvey
#----------------------------------------------------------- #-----------------------------------------------------------
package applets; package applets;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20080324); version => 20080324);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets contents of user's Applets key"; return "Gets contents of user's Applets key";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
::logMsg("Launching applets v.".$VERSION); ::logMsg("Launching applets v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser); ::rptMsg("applets v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Applets'; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Applets';
::rptMsg("Applets"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); ::rptMsg("Applets");
::rptMsg(""); ::rptMsg($key_path);
# Locate files opened in MS Paint ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $paint_key = 'Paint\\Recent File List'; ::rptMsg("");
my $paint = $key->get_subkey($paint_key); # Locate files opened in MS Paint
if (defined $paint) { my $paint_key = 'Paint\\Recent File List';
::rptMsg($key_path."\\".$paint_key); my $paint = $key->get_subkey($paint_key);
::rptMsg("LastWrite Time ".gmtime($paint->get_timestamp())." (UTC)"); if (defined $paint) {
::rptMsg($key_path."\\".$paint_key);
my @vals = $paint->get_list_of_values(); ::rptMsg("LastWrite Time ".gmtime($paint->get_timestamp())." (UTC)");
if (scalar(@vals) > 0) {
my %files; my @vals = $paint->get_list_of_values();
# Retrieve values and load into a hash for sorting if (scalar(@vals) > 0) {
foreach my $v (@vals) { my %files;
my $val = $v->get_name(); # Retrieve values and load into a hash for sorting
my $data = $v->get_data(); foreach my $v (@vals) {
my $tag = (split(/File/,$val))[1]; my $val = $v->get_name();
$files{$tag} = $val.":".$data; my $data = $v->get_data();
} my $tag = (split(/File/,$val))[1];
# Print sorted content to report file $files{$tag} = $val.":".$data;
foreach my $u (sort {$a <=> $b} keys %files) { }
my ($val,$data) = split(/:/,$files{$u},2); # Print sorted content to report file
::rptMsg(" ".$val." -> ".$data); foreach my $u (sort {$a <=> $b} keys %files) {
} my ($val,$data) = split(/:/,$files{$u},2);
} ::rptMsg(" ".$val." -> ".$data);
else { }
::rptMsg($key_path."\\".$paint_key." has no values."); }
} else {
} ::rptMsg($key_path."\\".$paint_key." has no values.");
else { }
::rptMsg($key_path."\\".$paint_key." not found."); }
} else {
# Get Last Registry key opened in RegEdit ::rptMsg($key_path."\\".$paint_key." not found.");
my $reg_key = "Regedit"; }
my $reg = $key->get_subkey($reg_key); # Get Last Registry key opened in RegEdit
if (defined $reg) { my $reg_key = "Regedit";
::rptMsg(""); my $reg = $key->get_subkey($reg_key);
::rptMsg($key_path."\\".$reg_key); if (defined $reg) {
::rptMsg("LastWrite Time ".gmtime($reg->get_timestamp())." (UTC)"); ::rptMsg("");
my $lastkey = $reg->get_value("LastKey")->get_data(); ::rptMsg($key_path."\\".$reg_key);
::rptMsg("RegEdit LastKey value -> ".$lastkey); ::rptMsg("LastWrite Time ".gmtime($reg->get_timestamp())." (UTC)");
} my $lastkey = $reg->get_value("LastKey")->get_data();
} ::rptMsg("RegEdit LastKey value -> ".$lastkey);
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} ::logMsg($key_path." not found.");
}
}
1; 1;
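Review bot: In the Regedit branch near the end of pluginmain, `$reg->get_value("LastKey")->get_data()` runs with no guard; if the Regedit subkey exists but has no LastKey value, `get_value` returns undef and the method call on it dies, aborting the plugin after the Paint output has already been written. Other plugins in this commit (apppaths, for one) wrap such lookups in `eval`; the same shape here, `my $lastkey; eval { $lastkey = $reg->get_value("LastKey")->get_data(); };`, keeps the report complete. The inner `my $reg = $key->get_subkey($reg_key);` also shadows the `$reg` holding the Parse::Win32Registry object declared at the top of the sub — legal in a nested scope, but a name such as `$regedit` would avoid the confusion. The same unguarded LastKey call appears in the Regedit branch of applets_tln.pl.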


@ -0,0 +1,84 @@
#-----------------------------------------------------------
# applets_tln.pl
# Plugin for Registry Ripper
# Windows\CurrentVersion\Applets Recent File List values
#
# Change history
# 20120613 - created
#
# References
#
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package applets_tln;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20120613);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's Applets key (TLN)";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching applets_tln v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Applets';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg("Applets");
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# ::rptMsg("");
# Locate files opened in MS Paint
my $paint_key = 'Paint\\Recent File List';
my $paint = $key->get_subkey($paint_key);
if (defined $paint) {
# ::rptMsg($key_path."\\".$paint_key);
# ::rptMsg("LastWrite Time ".gmtime($paint->get_timestamp())." (UTC)");
my @vals = $paint->get_list_of_values();
if (scalar(@vals) > 0) {
::rptMsg($paint->get_timestamp()."|REG|||MS Paint Most Recent File = ".$paint->get_value("File1")->get_data());
}
else {
# ::rptMsg($key_path."\\".$paint_key." has no values.");
}
}
else {
# ::rptMsg($key_path."\\".$paint_key." not found.");
}
# Get Last Registry key opened in RegEdit
my $reg_key = "Regedit";
my $reg = $key->get_subkey($reg_key);
if (defined $reg) {
# ::rptMsg("");
# ::rptMsg($key_path."\\".$reg_key);
# ::rptMsg("LastWrite Time ".gmtime($reg->get_timestamp())." (UTC)");
my $lastkey = $reg->get_value("LastKey")->get_data();
::rptMsg($reg->get_timestamp()."|REG|||RegEdit LastKey value -> ".$lastkey);
}
}
else {
# ::rptMsg($key_path." not found.");
}
}
1;
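Review bot: The MS Paint TLN line dereferences `$paint->get_value("File1")->get_data()` directly; the surrounding `scalar(@vals) > 0` check only proves the key has some values, not that a `File1` value exists, so a Recent File List that lacks it makes the method call on undef die and the plugin abort before the Regedit entry is emitted. Guarding it the way apppaths guards its default-value lookup, `my $f1; eval { $f1 = $paint->get_value("File1")->get_data(); };`, and emitting the line only when `$f1` is defined keeps the timeline output complete. The empty `else` blocks holding only commented-out `rptMsg` calls could be dropped for readability, since TLN output is intentionally silent there.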


@ -0,0 +1,94 @@
#-----------------------------------------------------------
# apppaths
# Gets contents of App Paths subkeys from the Software hive,
# diplaying the EXE name and path; all entries are sorted by
# LastWrite time
#
# References
#
#
# History:
# 20120524 - updated to include 64-bit OSs
# 20080404 - created
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package apppaths;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20120524);
sub getConfig{return %config}
sub getShortDescr {
return "Gets content of App Paths subkeys";
}
sub getDescr{}
sub getRefs {
my %refs = ("You cannot open Help and Support Center in Windows XP" =>
"http://support.microsoft.com/kb/888018",
"Another installation program starts..." =>
"http://support.microsoft.com/kb/888470");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching apppaths v.".$VERSION);
::rptMsg("apppaths v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# used a list of values to address the need for parsing the App Paths key
# in the Wow6432Node key, if it exists.
my @paths = ("Microsoft\\Windows\\CurrentVersion\\App Paths");
foreach my $key_path (@paths) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("App Paths");
::rptMsg($key_path);
::rptMsg("");
my %apps;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
my $lastwrite = $s->get_timestamp();
my $path;
eval {
$path = $s->get_value("")->get_data();
};
push(@{$apps{$lastwrite}},$name." - ".$path);
}
foreach my $t (reverse sort {$a <=> $b} keys %apps) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$apps{$t}}) {
::rptMsg(" $item");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
}
1;
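Review bot: The comment above `@paths` says the list exists so the Wow6432Node copy of App Paths is parsed when present, and the history line claims 64-bit support, yet the list holds only the native path, so any entries under Wow6432Node are never reported. appinitdlls in this same commit shows the intended shape: `my @paths = ("Microsoft\\Windows\\CurrentVersion\\App Paths", "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths");`. apppaths_tln.pl carries the identical one-element list under the same comment. A subkey with no default value also leaves `$path` undef, so the report line ends in `" - "`; initialising `my $path = "";` makes that case explicit rather than accidental.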


@ -0,0 +1,90 @@
#-----------------------------------------------------------
# apppaths_tln
# Gets contents of App Paths subkeys from the Software hive,
# Output in TLN format
#
# References
#
# History:
# 20130429 - created from apppaths.pl
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package apppaths_tln;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20130429);
sub getConfig{return %config}
sub getShortDescr {
return "Gets content of App Paths subkeys (TLN)";
}
sub getDescr{}
sub getRefs {
my %refs = ("You cannot open Help and Support Center in Windows XP" =>
"http://support.microsoft.com/kb/888018",
"Another installation program starts..." =>
"http://support.microsoft.com/kb/888470");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching apppaths_tln v.".$VERSION);
# ::rptMsg("apppaths v.".$VERSION); # banner
# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# used a list of values to address the need for parsing the App Paths key
# in the Wow6432Node key, if it exists.
my @paths = ("Microsoft\\Windows\\CurrentVersion\\App Paths");
foreach my $key_path (@paths) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("App Paths");
::rptMsg($key_path);
::rptMsg("");
my %apps;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
my $lastwrite = $s->get_timestamp();
my $path;
eval {
$path = $s->get_value("")->get_data();
};
push(@{$apps{$lastwrite}},$name." - ".$path);
}
foreach my $t (reverse sort {$a <=> $b} keys %apps) {
foreach my $item (@{$apps{$t}}) {
::rptMsg($t."|REG|||App Paths - ".$item);
}
}
}
else {
# ::rptMsg($key_path." has no subkeys.");
}
}
else {
# ::rptMsg($key_path." not found.");
}
}
}
1;


@ -0,0 +1,74 @@
#-----------------------------------------------------------
# appspecific.pl
#
#
# Change history
# 20120820 - created
#
# References
#
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appspecific;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20120820);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's Intellipoint\\AppSpecific subkeys";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching appspecific v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\IntelliPoint\\AppSpecific';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("AppSpecific");
::rptMsg($key_path);
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
my $ts;
eval {
$ts = $s->get_value("Timestamp")->get_data();
my $t = ::getTime(0,$ts);
::rptMsg("Timestamp: ".gmtime($t));
};
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;
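Review bot: `::getTime(0,$ts)` passes the raw `Timestamp` value as the high dword of a FILETIME with a zero low dword; elsewhere in this commit getTime receives both halves via `unpack("VV", ...)`, so this is only correct if Timestamp is a REG_DWORD holding the high 32 bits — if it is an 8-byte binary FILETIME, `get_data()` returns the raw bytes and they need `my ($lo,$hi) = unpack("VV",$ts);` first. Worth confirming against sample data before the printed time is relied on. The printed line also omits the `(UTC)` suffix the preceding LastWrite line carries: `::rptMsg("Timestamp: ".gmtime($t)." (UTC)");`.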


@ -0,0 +1,109 @@
#-----------------------------------------------------------
# ares.pl
#
#
# Change History
# 20130312 - updated based on data provided by J. Weg
# 20120507 - modified to remove the traversing function, to only get
# a limited amount of data.
# 20110603 - modified F. Kolenbrander
# parsing some values according ares source code, like searches and
# timestamps.
# 20110530 - created
#
# References
#
#
# copyright 2012 Quantum Analytics Research, LLC
# author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package ares;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20130312);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's Software/Ares key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching ares v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Ares';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# ::rptMsg("");
my %ares = ();
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
$ares{$v->get_name()} = $v->get_data();
}
::rptMsg("");
::rptMsg("RegisterEmail: ".$ares{"RegisterEmail"}) if (exists $ares{"RegisterEmail"});
::rptMsg("Stats\.LstConnect: ".gmtime($ares{"Stats\.LstConnect"})." UTC") if (exists $ares{"Stats\.LstConnect"});
::rptMsg("Personal\.Nickname: ".hex2ascii($ares{"Personal\.Nickname"})) if (exists $ares{"Personal\.Nickname"});
::rptMsg("General\.Language: ".hex2ascii($ares{"General\.Language"})) if (exists $ares{"General\.Language"});
::rptMsg("PrivateMessage\.AwayMessage: ".hex2ascii($ares{"PrivateMessage\.AwayMessage"})) if (exists $ares{"PrivateMessage\.AwayMessage"});
}
else {
::rptMsg($key->get_name()." has no values.");
}
::rptMsg("");
getSearchTerms($key);
}
else {
::rptMsg($key_path." not found.");
}
}
sub getSearchTerms {
my $key = shift;
my $count = 0;
::rptMsg("Search Terms:");
my @subkeys = ("audio\.gen","gen\.gen","image\.gen","video\.gen");
foreach my $sk (@subkeys) {
my $gen = $key->get_subkey("Search\.History")->get_subkey($sk);
my @vals = $gen->get_list_of_values();
if (scalar(@vals) > 0) {
$count = 1;
::rptMsg($gen->get_name());
::rptMsg("LastWrite: ".gmtime($gen->get_timestamp()));
foreach my $v (@vals) {
next if ($v->get_name() eq "");
::rptMsg(" ".hex2ascii($v->get_name()));
}
}
}
::rptMsg("No search terms found\.") if ($count == 0);
}
sub hex2ascii {
return pack('H*',shift);
}
1;
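Review bot: getSearchTerms chains `$key->get_subkey("Search\.History")->get_subkey($sk)` and then calls `get_list_of_values` on the result with no check; if the Search.History key or any of the four gen subkeys is absent, the method call on undef dies and the plugin stops right after printing "Search Terms:", so the "No search terms found." fallback is never reached. Guarding both lookups fixes it: `my $hist = $key->get_subkey("Search\.History");` with an early `return` that prints the same fallback message when `$hist` is undef, and `next unless defined $gen;` after the subkey lookup inside the loop. Note also that in a double-quoted string `"Search\.History"` is simply `Search.History` (the backslash is dropped, and would warn under `use warnings`), so the escapes used throughout the file are harmless but misleading; single-quoted keys would read plainly.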


@ -1,133 +1,135 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# arpcache.pl # arpcache.pl
# Retrieves CurrentVersion\App Management\ARPCache entries; subkeys appear # Retrieves CurrentVersion\App Management\ARPCache entries; subkeys appear
# to maintain information about paths to installed applications in the # to maintain information about paths to installed applications in the
# SlowInfoCache value(0x10 - FILETIME object, null term. string with path # SlowInfoCache value(0x10 - FILETIME object, null term. string with path
# starts at 0x1c) # starts at 0x1c)
# #
# Change history # Change history
# 20090413 - Created # 20090413 - Created
# #
# References # References
# No references, but the subkeys appear to hold information about # No references, but the subkeys appear to hold information about
# installed applications; some SlowInfoCache values appear to contain # installed applications; some SlowInfoCache values appear to contain
# timestamp data (FILETIME object) and/or path information. Posts on # timestamp data (FILETIME object) and/or path information. Posts on
# the Internet indicate the existence of Kazaa beneath the APRCache key, # the Internet indicate the existence of Kazaa beneath the APRCache key,
# as well as possibly an "Outerinfo" subkey indicating that spyware is # as well as possibly an "Outerinfo" subkey indicating that spyware is
# installed. # installed.
# #
# copyright 2009 H. Carvey # copyright 2009 H. Carvey
#----------------------------------------------------------- #-----------------------------------------------------------
package arpcache; package arpcache;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20090413); version => 20090413);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Retrieves CurrentVersion\\App Management\\ARPCache entries"; return "Retrieves CurrentVersion\\App Management\\ARPCache entries";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
my %arpcache; my %arpcache;
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
::logMsg("Launching arpcache v.".$VERSION); ::logMsg("Launching arpcache v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser); ::rptMsg("arpcache v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache'; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache';
::rptMsg($key_path); my $key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg($key_path);
my @subkeys = $key->get_list_of_subkeys(); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
if (scalar(@subkeys) > 0) { ::rptMsg("");
foreach my $s (@subkeys) { my @subkeys = $key->get_list_of_subkeys();
my $lw = $s->get_timestamp(); if (scalar(@subkeys) > 0) {
my $name = $s->get_name(); foreach my $s (@subkeys) {
my $lw = $s->get_timestamp();
my $path; my $name = $s->get_name();
eval {
my $i = $s->get_value("SlowInfoCache")->get_data(); my $path;
$path = parsePath($i); eval {
}; my $i = $s->get_value("SlowInfoCache")->get_data();
($@) ? ($name .= "|") : ($name .= "|".$path); $path = parsePath($i);
};
my $date; ($@) ? ($name .= "|") : ($name .= "|".$path);
eval {
my $i = $s->get_value("SlowInfoCache")->get_data(); my $date;
$date = parseDate($i); eval {
}; my $i = $s->get_value("SlowInfoCache")->get_data();
($@) ? ($name .= "|") : ($name .= "|".$date); $date = parseDate($i);
push(@{$arpcache{$lw}},$name); };
} ($@) ? ($name .= "|") : ($name .= "|".$date);
push(@{$arpcache{$lw}},$name);
}
foreach my $t (reverse sort {$a <=> $b} keys %arpcache) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$arpcache{$t}}) { foreach my $t (reverse sort {$a <=> $b} keys %arpcache) {
my ($name,$path,$date) = split(/\|/,$item,3); ::rptMsg(gmtime($t)." (UTC)");
::rptMsg(" ".$name); foreach my $item (@{$arpcache{$t}}) {
my $str = $path unless ($path eq ""); my ($name,$path,$date) = split(/\|/,$item,3);
$str .= " [".gmtime($date)."]" unless ($date == 0); ::rptMsg(" ".$name);
::rptMsg(" -> ".$str) unless ($str eq ""); my $str = $path unless ($path eq "");
} $str .= " [".gmtime($date)."]" unless ($date == 0);
} ::rptMsg(" -> ".$str) unless ($str eq "");
} }
else { }
::rptMsg($key_path." has no subkeys."); }
::logMsg($key_path." has no subkeys."); else {
} ::rptMsg($key_path." has no subkeys.");
} ::logMsg($key_path." has no subkeys.");
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} ::logMsg($key_path." not found.");
}
1; }
sub parseDate { 1;
my $data = shift;
my ($t1,$t2) = unpack("VV",substr($data,0x10,8)); sub parseDate {
return ::getTime($t1,$t2); my $data = shift;
} my ($t1,$t2) = unpack("VV",substr($data,0x10,8));
return ::getTime($t1,$t2);
sub parsePath { }
my $data = shift;
my $ofs = 0x1c; sub parsePath {
my $tag = 1; my $data = shift;
my $ofs = 0x1c;
my $str = substr($data,$ofs,2); my $tag = 1;
if (unpack("v",$str) == 0) {
return ""; my $str = substr($data,$ofs,2);
} if (unpack("v",$str) == 0) {
else { return "";
while($tag) { }
$ofs += 2; else {
my $i = substr($data,$ofs,2); while($tag) {
if (unpack("v",$i) == 0) { $ofs += 2;
$tag = 0; my $i = substr($data,$ofs,2);
} if (unpack("v",$i) == 0) {
else { $tag = 0;
$str .= $i; }
} else {
} $str .= $i;
} }
$str =~ s/\00//g; }
return $str; }
$str =~ s/\00//g;
return $str;
} }
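Review bot: `my $str = $path unless ($path eq "");` in the report loop declares a lexical under a statement modifier, which perlsyn documents as undefined behaviour, so the value the next two lines read from `$str` when the path is empty is not reliable; `my $str = ($path eq "") ? "" : $path;` keeps the intent with defined semantics. The following `unless ($date == 0)` compares an empty string numerically whenever parseDate failed (the eval leaves an empty third field after the split), and only works because `""` numifies to 0; `unless ($date eq "" || $date == 0)` makes that explicit. `%arpcache` is file-scoped and never cleared, so a second pluginmain call in the same process would report entries from the previous hive as well.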


@ -1,87 +1,89 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# assoc.pl # assoc.pl
# Plugin to extract file association data from the Software hive file # Plugin to extract file association data from the Software hive file
# Can take considerable time to run; recommend running it via rip.exe # Can take considerable time to run; recommend running it via rip.exe
# #
# copyright 2008 H. Carvey, keydet89@yahoo.com # copyright 2008 H. Carvey, keydet89@yahoo.com
#----------------------------------------------------------- #-----------------------------------------------------------
package assoc; package assoc;
use strict; use strict;
my %config = (hive => "Software", my %config = (hive => "Software",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20080815); version => 20080815);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Get list of file ext associations"; return "Get list of file ext associations";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching assoc v.".$VERSION); ::logMsg("Launching assoc v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("assoc v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $key_path = "Classes"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Classes";
::rptMsg("assoc"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); ::rptMsg("assoc");
::rptMsg(""); ::rptMsg($key_path);
# First step will be to get a list of all of the file extensions # ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my %ext; ::rptMsg("");
my @sk = $key->get_list_of_subkeys(); # First step will be to get a list of all of the file extensions
if (scalar(@sk) > 0) { my %ext;
foreach my $s (@sk) { my @sk = $key->get_list_of_subkeys();
my $name = $s->get_name(); if (scalar(@sk) > 0) {
next unless ($name =~ m/^\.\w+$/); foreach my $s (@sk) {
my $data; my $name = $s->get_name();
eval { next unless ($name =~ m/^\.\w+$/);
$data = $s->get_value("")->get_data(); my $data;
}; eval {
if ($@) { $data = $s->get_value("")->get_data();
# Error generated, as "(Default)" value was not found };
} if ($@) {
else { # Error generated, as "(Default)" value was not found
$ext{$name} = $data if ($data ne ""); }
} else {
} $ext{$name} = $data if ($data ne "");
# Once a list of all file ext subkeys has been compiled, access the file type }
# to determine the command line used to launch files with that extension }
foreach my $e (keys %ext) { # Once a list of all file ext subkeys has been compiled, access the file type
my $cmd; # to determine the command line used to launch files with that extension
eval { foreach my $e (keys %ext) {
$cmd = $key->get_subkey($ext{$e}."\\shell\\open\\command")->get_value("")->get_data(); my $cmd;
}; eval {
if ($@) { $cmd = $key->get_subkey($ext{$e}."\\shell\\open\\command")->get_value("")->get_data();
# error generated attempting to locate <file type>.\shell\open\command\(Default) value };
} if ($@) {
else { # error generated attempting to locate <file type>.\shell\open\command\(Default) value
::rptMsg($e." : ".$cmd); }
} else {
} ::rptMsg($e." : ".$cmd);
} }
else { }
::rptMsg($key_path." has no subkeys."); }
} else {
} ::rptMsg($key_path." has no subkeys.");
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
} }
}
1; 1;
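Review bot: `foreach my $e (keys %ext) {` walks the hash in internal order, so the extension list comes out in a different order on each run and two reports of the same hive cannot be diffed; `foreach my $e (sort keys %ext) {` gives a stable listing. The "has no subkeys" branch also writes only to the report while the "not found" branch writes to both report and log; adding `::logMsg($key_path." has no subkeys.");` keeps the two branches consistent with the sibling plugins in this commit.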


@ -0,0 +1,85 @@
#-----------------------------------------------------------
# attachmgr.pl
# The Windows Attachment Manager manages how attachments are handled,
# and settings are on a per-user basis. Malware has been shown to access
# these settings and make modifications.
#
# Category: Malware
#
# Change history
# 20130425 - added alertMsg() functionality
# 20130117 - created
#
# References
# http://journeyintoir.blogspot.com/2010/10/anatomy-of-drive-by-part-2.html
# http://support.microsoft.com/kb/883260
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package attachmgr;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Checks user's keys that manage the Attachment Manager functionality";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
my @temps;
::logMsg("Launching attachmgr v.".$VERSION);
::rptMsg("attachmgr v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my @attach = ('Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations',
'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments');
foreach my $key_path (@attach) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
my $data = $v->get_data();
# checks added 20130425
# settings information derived from MS KB 883260
::alertMsg("ALERT: attachmgr: ".$key_path." SaveZoneInformation value found: ".$data) if ($name eq "SaveZoneInformation");
::alertMsg("ALERT: attachmgr: ".$key_path." ScanWithAntiVirus value found: ".$data) if ($name eq "ScanWithAntiVirus");
::alertMsg("ALERT: attachmgr: ".$key_path." LowRiskFileTypes value includes exe: ".$data (if $name eq "LowRiskFileTypes" && grep(/exe/,$data));
::rptMsg(sprintf "%-15s %-6s",$name,$data);
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
}
}
1;
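Review bot: The LowRiskFileTypes alert in the values loop does not parse as written: `.$data (if $name eq ...)` places the `if` inside the argument list, so the plugin fails to compile and never loads. The line should read `::alertMsg("ALERT: attachmgr: ".$key_path." LowRiskFileTypes value includes exe: ".$data) if ($name eq "LowRiskFileTypes" && $data =~ /exe/i);` — `grep` over a scalar works, but a case-insensitive match is the clearer test and also covers `.EXE`. The same malformed line appears in attachmgr_tln.pl in this commit and needs the same fix. `my @temps;` is declared but never used in both plugins.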


@ -0,0 +1,83 @@
#-----------------------------------------------------------
# attachmgr_tln.pl
# The Windows Attachment Manager manages how attachments are handled,
# and settings are on a per-user basis. Malware has been shown to access
# these settings and make modifications.
#
# Category: Malware
#
# Change history
# 20130425 - created
#
# References
# http://journeyintoir.blogspot.com/2010/10/anatomy-of-drive-by-part-2.html
# http://support.microsoft.com/kb/883260
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package attachmgr_tln;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Checks user's keys that manage the Attachment Manager functionality (TLN)";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
my @temps;
::logMsg("Launching attachmgr_tln v.".$VERSION);
# ::rptMsg("attachmgr_tln v.".$VERSION); # banner
# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my @attach = ('Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations',
'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments');
foreach my $key_path (@attach) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $lw = $key->get_timestamp();
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
my $data = $v->get_data();
# checks added 20130425
# settings information derived from MS KB 883260
::alertMsg($lw."|ALERT|||HKCU\\".$key_path." SaveZoneInformation value found: ".$data) if ($name eq "SaveZoneInformation");
::alertMsg($lw."|ALERT|||HKCU\\".$key_path." ScanWithAntiVirus value found: ".$data) if ($name eq "ScanWithAntiVirus");
::alertMsg($lw."|ALERT|||HKCU\\".$key_path." LowRiskFileTypes value includes exe: ".$data (if $name eq "LowRiskFileTypes" && grep(/exe/,$data));
}
}
else {
# ::rptMsg($key_path." has no values.");
}
}
else {
# ::rptMsg($key_path." not found.");
}
# ::rptMsg("");
}
}
1;


@ -1,66 +1,68 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# auditfail.pl # auditfail.pl
# #
# Ref: # Ref:
# http://support.microsoft.com/kb/140058 # http://support.microsoft.com/kb/140058
# #
# copyright 2008 H. Carvey, keydet89@yahoo.com # copyright 2008 H. Carvey, keydet89@yahoo.com
#----------------------------------------------------------- #-----------------------------------------------------------
package auditfail; package auditfail;
use strict; use strict;
my %config = (hive => "System", my %config = (hive => "System",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20081212); version => 20081212);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Get CrashOnAuditFail value"; return "Get CrashOnAuditFail value";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
my %val = (0 => "Feature is off; the system will not halt", my %val = (0 => "Feature is off; the system will not halt",
1 => "Feature is on; the system will halt when events cannot be written to the ". 1 => "Feature is on; the system will halt when events cannot be written to the ".
"Security Event Log", "Security Event Log",
2 => "Feature is on and has been triggered; only Administrators can log in"); 2 => "Feature is on and has been triggered; only Administrators can log in");
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching auditfail v.".$VERSION); ::logMsg("Launching auditfail v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("auditfail v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
# Code for System file, getting CurrentControlSet my $root_key = $reg->get_root_key;
my $current;
my $key_path = 'Select'; # Code for System file, getting CurrentControlSet
my $key; my $current;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Select';
$current = $key->get_value("Current")->get_data(); my $key;
if ($key = $root_key->get_subkey($key_path)) {
my $lsa_path = "ControlSet00".$current."\\Control\\Lsa"; $current = $key->get_value("Current")->get_data();
my $lsa;
if ($lsa = $root_key->get_subkey($lsa_path)) { my $lsa_path = "ControlSet00".$current."\\Control\\Lsa";
my $lsa;
eval { if ($lsa = $root_key->get_subkey($lsa_path)) {
my $crash = $lsa->get_value("crashonauditfail")->get_data();
::rptMsg("CrashOnAuditFail = ".$crash); eval {
::rptMsg($val{$crash}); my $crash = $lsa->get_value("crashonauditfail")->get_data();
}; ::rptMsg("CrashOnAuditFail = ".$crash);
::rptMsg($@) if ($@); ::rptMsg($val{$crash});
} };
} ::rptMsg($@) if ($@);
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} ::logMsg($key_path." not found.");
1; }
}
1;
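Review bot: When `$lsa_path` cannot be opened, the `if ($lsa = $root_key->get_subkey($lsa_path))` block has no else branch, so the report says nothing and a reader cannot distinguish a missing Lsa key from a missing crashonauditfail value; `else { ::rptMsg($lsa_path." not found."); }` matches how the Select key is handled a few lines further down. `$key->get_value("Current")->get_data()` is also called outside any eval, so a Select key without a Current value dies with an uncaught exception rather than producing a report line.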


@ -1,88 +1,151 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# auditpol # auditpol
# Get the audit policy from the Security hive file # Get the audit policy from the Security hive file
# #
# copyright 2008 H. Carvey, keydet89@yahoo.com #
#----------------------------------------------------------- # History
package auditpol; # 20121128 - updated for later versions of Windows
use strict; # 20080327 - created
#
my %config = (hive => "Security", #
hasShortDescr => 1, # copyright 2012 Quantum Analytics Research, LLC
hasDescr => 0, # Author: H. Carvey, keydet89@yahoo.com
hasRefs => 1, #-----------------------------------------------------------
osmask => 22, package auditpol;
version => 20080327); use strict;
sub getConfig{return %config} my %config = (hive => "Security",
sub getShortDescr { hasShortDescr => 1,
return "Get audit policy from the Security hive file"; hasDescr => 0,
} hasRefs => 1,
sub getDescr{} osmask => 22,
sub getRefs { version => 20121128);
my %refs = ("How To Determine Audit Policies from the Registry" =>
"http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246120"); sub getConfig{return %config}
return %refs; sub getShortDescr {
} return "Get audit policy from the Security hive file";
sub getHive {return $config{hive};} }
sub getVersion {return $config{version};} sub getDescr{}
sub getRefs {
my $VERSION = getVersion(); my %refs = ("How To Determine Audit Policies from the Registry" =>
"http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246120");
my %audit = (0 => "N", return %refs;
1 => "S", }
2 => "F", sub getHive {return $config{hive};}
3 => "S/F"); sub getVersion {return $config{version};}
sub pluginmain { my $VERSION = getVersion();
my $class = shift;
my $hive = shift; my %audit = (0 => "N",
::logMsg("Launching auditpol v.".$VERSION); 1 => "S",
my $reg = Parse::Win32Registry->new($hive); 2 => "F",
my $root_key = $reg->get_root_key; 3 => "S/F");
my $key_path = "Policy\\PolAdtEv"; sub pluginmain {
my $key; my $class = shift;
if ($key = $root_key->get_subkey($key_path)) { my $hive = shift;
::rptMsg("auditpol"); ::logMsg("Launching auditpol v.".$VERSION);
::rptMsg($key_path); ::rptMsg("auditpol v.".$VERSION); # banner
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
::rptMsg(""); my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $data;
eval { my $key_path = "Policy\\PolAdtEv";
$data = $key->get_value("")->get_data(); my $key;
}; if ($key = $root_key->get_subkey($key_path)) {
if ($@) { ::rptMsg("auditpol");
::rptMsg("Error occurred getting data from ".$key_path); ::rptMsg($key_path);
::rptMsg(" - ".$@); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
} ::rptMsg("");
else {
# Check to see if auditing is enabled my $data;
my $enabled = unpack("C",substr($data,0,1)); eval {
if ($enabled) { $data = $key->get_value("")->get_data();
::rptMsg("Auditing is enabled."); ::rptMsg("Length of data: ".length($data)." bytes.");
# Get audit configuration settings
my @vals = unpack("V*",$data); my @d = printData($data);
::rptMsg("\tAudit System Events = ".$audit{$vals[1]}); foreach (0..(scalar(@d) - 1)) {
::rptMsg("\tAudit Logon Events = ".$audit{$vals[2]}); ::rptMsg($d[$_]);
::rptMsg("\tAudit Object Access = ".$audit{$vals[3]}); }
::rptMsg("\tAudit Privilege Use = ".$audit{$vals[4]});
::rptMsg("\tAudit Process Tracking = ".$audit{$vals[5]}); };
::rptMsg("\tAudit Policy Change = ".$audit{$vals[6]}); if ($@) {
::rptMsg("\tAudit Account Management = ".$audit{$vals[7]}); ::rptMsg("Error occurred getting data from ".$key_path);
::rptMsg("\tAudit Dir Service Access = ".$audit{$vals[8]}); ::rptMsg(" - ".$@);
::rptMsg("\tAudit Account Logon Events = ".$audit{$vals[9]}); }
} else {
else { # Check to see if auditing is enabled
::rptMsg("**Auditing is NOT enabled."); my $enabled = unpack("C",substr($data,0,1));
} if ($enabled) {
} ::rptMsg("Auditing is enabled.");
} # Get audit configuration settings
else { my @vals = unpack("V*",$data);
::rptMsg($key_path." not found."); ::rptMsg("\tAudit System Events = ".$audit{$vals[1]});
::logMsg($key_path." not found."); ::rptMsg("\tAudit Logon Events = ".$audit{$vals[2]});
} ::rptMsg("\tAudit Object Access = ".$audit{$vals[3]});
::rptMsg("\tAudit Privilege Use = ".$audit{$vals[4]});
} ::rptMsg("\tAudit Process Tracking = ".$audit{$vals[5]});
::rptMsg("\tAudit Policy Change = ".$audit{$vals[6]});
::rptMsg("\tAudit Account Management = ".$audit{$vals[7]});
::rptMsg("\tAudit Dir Service Access = ".$audit{$vals[8]});
::rptMsg("\tAudit Account Logon Events = ".$audit{$vals[9]});
}
else {
::rptMsg("**Auditing is NOT enabled.");
}
}
}
else {
::rptMsg($key_path." not found.");
}
}
#-----------------------------------------------------------
# printData()
# subroutine used primarily for debugging; takes an arbitrary
# length of binary data, prints it out in hex editor-style
# format for easy debugging
#-----------------------------------------------------------
sub printData {
my $data = shift;
my $len = length($data);
my $tag = 1;
my $cnt = 0;
my @display = ();
my $loop = $len/16;
$loop++ if ($len%16);
foreach my $cnt (0..($loop - 1)) {
# while ($tag) {
my $left = $len - ($cnt * 16);
my $n;
($left < 16) ? ($n = $left) : ($n = 16);
my $seg = substr($data,$cnt * 16,$n);
my @str1 = split(//,unpack("H*",$seg));
my @s3;
my $str = "";
foreach my $i (0..($n - 1)) {
$s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) {
$str .= chr(hex($s3[$i]));
}
else {
$str .= "\.";
}
}
my $h = join(' ',@s3);
# ::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h);
$display[$cnt] = sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h;
}
return @display;
}
1; 1;
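Review bot: In printData, `my $loop = $len/16; $loop++ if ($len%16);` leaves `$loop` fractional for lengths that are not multiples of 16 and only works because the range operator truncates its endpoints; `my $loop = int(($len + 15) / 16);` says what is meant. The outer `my $cnt = 0;` is shadowed by the foreach loop variable and `$tag` is never read, so both can go. The `Length of data` line and the full hex dump are written to the report unconditionally even though the header comment calls printData a debugging aid; consider gating them so the report keeps only the parsed policy. The change history says the plugin was updated for later versions of Windows, but the `$vals[1]`..`$vals[9]` mapping is unchanged from the old side, so the comment should state what actually changed.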


@ -1,66 +1,68 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# autoendtasks.pl # autoendtasks.pl
# #
# History # History
# 20081128 - created # 20081128 - created
# #
# Ref: # Ref:
# http://support.microsoft.com/kb/555619 # http://support.microsoft.com/kb/555619
# This Registry setting tells XP (and Vista) to automatically # This Registry setting tells XP (and Vista) to automatically
# end non-responsive tasks; value may not exist on Vista. # end non-responsive tasks; value may not exist on Vista.
# #
# copyright 2008 H. Carvey, keydet89@yahoo.com # copyright 2008 H. Carvey, keydet89@yahoo.com
#----------------------------------------------------------- #-----------------------------------------------------------
package autoendtasks; package autoendtasks;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20081128); version => 20081128);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Automatically end a non-responsive task"; return "Automatically end a non-responsive task";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching autoendtasks v.".$VERSION); ::logMsg("Launching autoendtasks v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("autoendtasks v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $key_path = 'Control Panel\\Desktop'; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Control Panel\\Desktop';
# ::rptMsg("autoendtasks"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); # ::rptMsg("autoendtasks");
::rptMsg(""); ::rptMsg($key_path);
my $autoend; # ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
eval { ::rptMsg("");
$autoend = $key->get_value("AutoEndTasks")->get_data(); my $autoend;
}; eval {
if ($@) { $autoend = $key->get_value("AutoEndTasks")->get_data();
::rptMsg("AutoEndTasks value not found."); };
} if ($@) {
else { ::rptMsg("AutoEndTasks value not found.");
::rptMsg("AutoEndTasks = ".$autoend); }
} else {
} ::rptMsg("AutoEndTasks = ".$autoend);
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} ::logMsg($key_path." not found.");
}
}
1; 1;


@ -1,74 +1,76 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# autorun.pl # autorun.pl
# Get autorun settings # Get autorun settings
# #
# Change history # Change history
# #
# #
# References # References
# http://support.microsoft.com/kb/953252 # http://support.microsoft.com/kb/953252
# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit # http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit
# /regentry/91525.mspx?mfr=true # /regentry/91525.mspx?mfr=true
# #
# copyright 2008-2009 H. Carvey # copyright 2008-2009 H. Carvey
#----------------------------------------------------------- #-----------------------------------------------------------
package autorun; package autorun;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20081212); version => 20081212);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets autorun settings"; return "Gets autorun settings";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
::logMsg("Launching autorun v.".$VERSION); ::logMsg("Launching autorun v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser); ::rptMsg("autorun v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer";
# ::rptMsg($key_path); my $key;
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg($key_path);
eval { # ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data();
my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive; eval {
::rptMsg($str); my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data();
}; my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive;
::rptMsg("Error: ".$@) if ($@); ::rptMsg($str);
};
# http://support.microsoft.com/kb/953252 ::rptMsg("Error: ".$@) if ($@);
eval {
my $honor = $key->get_value("HonorAutorunSetting")->get_data(); # http://support.microsoft.com/kb/953252
my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor; eval {
::rptMsg($str); my $honor = $key->get_value("HonorAutorunSetting")->get_data();
}; my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor;
::rptMsg("HonorAutorunSetting not found.") if ($@); ::rptMsg($str);
::rptMsg(""); };
::rptMsg("Autorun settings in the HKLM hive take precedence over those in"); ::rptMsg("HonorAutorunSetting not found.") if ($@);
::rptMsg("the HKCU hive."); ::rptMsg("");
} ::rptMsg("Autorun settings in the HKLM hive take precedence over those in");
else { ::rptMsg("the HKCU hive.");
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
} }
}
1; 1;


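--- a/backuprestore.pl
+++ b/backuprestore.pl
@@ -0,0 +1,176 @@
+#-----------------------------------------------------------
+# backuprestore.pl
+# Access System hive file to get the contents of the FilesNotToSnapshot, KeysNotToRestore, and FilesNotToBackup keys
+#
+# Change history
+# 9/14/2012: retired the filesnottosnapshot.pl plugin since BackupRestore checks the same key
+#
+# References
+# Troy Larson's Windows 7 presentation slide deck http://computer-forensics.sans.org/summit-archives/2010/files/12-larson-windows7-foreniscs.pdf
+# QCCIS white paper Reliably recovering evidential data from Volume Shadow Copies http://www.qccis.com/downloads/whitepapers/QCC%20VSS
+# http://msdn.microsoft.com/en-us/library/windows/desktop/bb891959(v=vs.85).aspx
+#
+# copyright 2012 Corey Harrell (Journey Into Incident Response)
+#-----------------------------------------------------------
+package backuprestore;
+use strict;
+my %config = (hive => "System",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 0,
+osmask => 22,
+version => 20120914);
+sub getConfig{return %config}
+sub getShortDescr {
+return "Gets the contents of the FilesNotToSnapshot, KeysNotToRestore, and FilesNotToBackup keys";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+my $VERSION = getVersion();
+sub pluginmain {
+my $class = shift;
+my $hive = shift;
+::logMsg("Launching backuprestore v.".$VERSION);
+::rptMsg("backuprestore v.".$VERSION);
+::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+my ($current,$ccs);
+my $key_path = 'Select';
+my $key;
+if ($key = $root_key->get_subkey($key_path)) {
+$current = $key->get_value("Current")->get_data();
+$ccs = "ControlSet00".$current;
+my $fns_path = $ccs."\\Control\\BackupRestore\\FilesNotToSnapshot";
+my $fns;
+if ($fns = $root_key->get_subkey($fns_path)) {
+::rptMsg("FilesNotToSnapshot key");
+::rptMsg($fns_path);
+::rptMsg("LastWrite Time ".gmtime($fns->get_timestamp())." (UTC)");
+::rptMsg("");
+my %cv;
+my @valfns = $fns->get_list_of_values();;
+if (scalar(@valfns) > 0) {
+foreach my $v (@valfns) {
+my $name = $v->get_name();
+my $data = $v->get_data();
+my $len = length($data);
+next if ($name eq "");
+push(@{$cv{$len}},$name." : ".$data);
+}
+foreach my $t (sort {$a <=> $b} keys %cv) {
+foreach my $item (@{$cv{$t}}) {
+::rptMsg(" $item");
+}
+}
+::rptMsg("");
+::rptMsg("The listed directories/files are not backed up in Volume Shadow Copies");
+::rptMsg("");
+::rptMsg("");
+}
+else {
+::rptMsg($fns_path." has no values.");
+::logMsg($fns_path." has no values.");
+::rptMsg("");
+}
+}
+else {
+::rptMsg($fns_path." not found.");
+::logMsg($fns_path." not found.");
+::rptMsg("");
+}
+my $fnb_path = $ccs."\\Control\\BackupRestore\\FilesNotToBackup";
+my $fnb;
+if ($fnb = $root_key->get_subkey($fnb_path)) {
+::rptMsg("FilesNotToBackup key");
+::rptMsg($fnb_path);
+::rptMsg("LastWrite Time ".gmtime($fnb->get_timestamp())." (UTC)");
+::rptMsg("");
+my %cq;
+my @valfnb = $fnb->get_list_of_values();;
+if (scalar(@valfnb) > 0) {
+foreach my $v (@valfnb) {
+my $name = $v->get_name();
+my $data = $v->get_data();
+my $len = length($data);
+next if ($name eq "");
+push(@{$cq{$len}},$name." : ".$data);
+}
+foreach my $t (sort {$a <=> $b} keys %cq) {
+foreach my $item (@{$cq{$t}}) {
+::rptMsg(" $item");
+}
+}
+::rptMsg("");
+::rptMsg("Specifies the directories and files that backup applications should not backup or restore");
+::rptMsg("");
+::rptMsg("");
+}
+else {
+::rptMsg($fnb_path." has no values.");
+::logMsg($fnb_path." has no values.");
+::rptMsg("");
+}
+}
+else {
+::rptMsg($fnb_path." not found.");
+::logMsg($fnb_path." not found.");
+::rptMsg("");
+}
+my $knr_path = $ccs."\\Control\\BackupRestore\\KeysNotToRestore";
+my $knr;
+if ($knr = $root_key->get_subkey($knr_path)) {
+::rptMsg("KeysNotToRestore key");
+::rptMsg($knr_path);
+::rptMsg("LastWrite Time ".gmtime($knr->get_timestamp())." (UTC)");
+::rptMsg("");
+my %cw;
+my @valknr = $knr->get_list_of_values();;
+if (scalar(@valknr) > 0) {
+foreach my $v (@valknr) {
+my $name = $v->get_name();
+my $data = $v->get_data();
+my $len = length($data);
+next if ($name eq "");
+push(@{$cw{$len}},$name." : ".$data);
+}
+foreach my $t (sort {$a <=> $b} keys %cw) {
+foreach my $item (@{$cw{$t}}) {
+::rptMsg(" $item");
+}
+}
+::rptMsg("");
+::rptMsg("Specifies the names of the registry subkeys and values that backup applications should not restore");
+::rptMsg("");
+}
+else {
+::rptMsg($knr_path." has no values.");
+::logMsg($knr_path." has no values.");
+}
+}
+else {
+::rptMsg($knr_path." not found.");
+::logMsg($knr_path." not found.");
+}
+}
+}
+1;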
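Review bot: `$current = $key->get_value("Current")->get_data();` is the one unguarded method chain in pluginmain: if the Select key exists but carries no Current value, get_value returns undef and the call on it dies outside any eval, aborting this plugin and whatever the caller was doing with the report. Test the value first, e.g. `my $cur = $key->get_value("Current");` / `$current = $cur->get_data() if defined $cur;`, and emit a `Select\Current not found.` report line when it is undefined; the same construction is in bthport.pl's pluginmain. Separately, `"ControlSet00".$current` only forms a valid key name for single-digit values, whereas `sprintf("ControlSet%03d", $current)` keeps the three-digit form for any value. The doubled `;;` after the three get_list_of_values() calls is harmless but looks like a leftover.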


@ -1,127 +1,129 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# banner # banner
# Get banner information from the SOFTWARE hive file (if any) # Get banner information from the SOFTWARE hive file (if any)
# #
# Written By: # Written By:
# Special Agent Brook William Minnick # Special Agent Brook William Minnick
# Brook_Minnick@doioig.gov # Brook_Minnick@doioig.gov
# U.S. Department of the Interior - Office of Inspector General # U.S. Department of the Interior - Office of Inspector General
# Computer Crimes Unit # Computer Crimes Unit
# 12030 Sunrise Valley Drive Suite 250 # 12030 Sunrise Valley Drive Suite 250
# Reston, VA 20191 # Reston, VA 20191
#----------------------------------------------------------- #-----------------------------------------------------------
package banner; package banner;
use strict; use strict;
my %config = (hive => "Software", my %config = (hive => "Software",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20081119); version => 20081119);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Get HKLM\\SOFTWARE.. Logon Banner Values"; return "Get HKLM\\SOFTWARE.. Logon Banner Values";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching banner v.".$VERSION); ::logMsg("Launching banner v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("banner v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $key_path = "Microsoft\\Windows\\CurrentVersion\\policies\\system"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Microsoft\\Windows\\CurrentVersion\\policies\\system";
::rptMsg("Logon Banner Information"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); ::rptMsg("Logon Banner Information");
::rptMsg(""); ::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# GET LEGALNOTICECAPTION -- ::rptMsg("");
my $caption; # GET LEGALNOTICECAPTION --
eval {
$caption = $key->get_value("Legalnoticecaption")->get_data(); my $caption;
}; eval {
if ($@) { $caption = $key->get_value("Legalnoticecaption")->get_data();
::rptMsg("Legalnoticecaption value not found."); };
} if ($@) {
else { ::rptMsg("Legalnoticecaption value not found.");
::rptMsg("Legalnoticecaption value = ".$caption); }
} else {
::rptMsg(""); ::rptMsg("Legalnoticecaption value = ".$caption);
}
# GET LEGALNOTICETEXT -- ::rptMsg("");
my $banner; # GET LEGALNOTICETEXT --
eval {
$banner = $key->get_value("Legalnoticetext")->get_data(); my $banner;
}; eval {
if ($@) { $banner = $key->get_value("Legalnoticetext")->get_data();
::rptMsg("Legalnoticetext value not found."); };
} if ($@) {
else { ::rptMsg("Legalnoticetext value not found.");
::rptMsg("Legalnoticetext value = ".$banner); }
} else {
::rptMsg(""); ::rptMsg("Legalnoticetext value = ".$banner);
}
} ::rptMsg("");
else {
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; }
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
::rptMsg($key_path); my $key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# GET LEGALNOTICECAPTION -- ::rptMsg("");
my $caption2; # GET LEGALNOTICECAPTION --
eval {
$caption2 = $key->get_value("Legalnoticecaption")->get_data(); my $caption2;
}; eval {
if ($@) { $caption2 = $key->get_value("Legalnoticecaption")->get_data();
::rptMsg("Legalnoticecaption value not found."); };
} if ($@) {
else { ::rptMsg("Legalnoticecaption value not found.");
::rptMsg("Legalnoticecaption value = ".$caption2); }
} else {
::rptMsg(""); ::rptMsg("Legalnoticecaption value = ".$caption2);
}
# GET LEGALNOTICETEXT -- ::rptMsg("");
my $banner2; # GET LEGALNOTICETEXT --
eval {
$banner2 = $key->get_value("Legalnoticetext")->get_data(); my $banner2;
}; eval {
if ($@) { $banner2 = $key->get_value("Legalnoticetext")->get_data();
::rptMsg("Legalnoticetext value not found."); };
} if ($@) {
else { ::rptMsg("Legalnoticetext value not found.");
::rptMsg("Legalnoticetext value = ".$banner2); }
} else {
::rptMsg(""); ::rptMsg("Legalnoticetext value = ".$banner2);
}
} ::rptMsg("");
else {
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
} }
}
1; 1;
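Review bot: `my $key_path` and `my $key` are declared a second time in the same pluginmain scope for the Winlogon lookup; under `use warnings` (not enabled in this file) that is a "masks earlier declaration" warning, and it makes the two lookups look independent when they share lexicals. Either assign to the existing variables (`$key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";` / `$key = undef;`) or wrap each lookup in its own block. The two added banner lines themselves are consistent with the other plugins in this commit.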


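--- a/baseline.pl
+++ b/baseline.pl
@@ -0,0 +1,81 @@
+#! c:\perl\bin\perl.exe
+#-----------------------------------------------------------
+# baseline.pl
+#
+# History
+# 20130211 - Created
+#
+# copyright 2013 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package baseline;
+use strict;
+my %config = (hive => "All",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 0,
+osmask => 22,
+version => 20130211);
+sub getConfig{return %config}
+sub getShortDescr {
+return "Scans a hive file, checking sizes of binary value data";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+my $VERSION = getVersion();
+my %vals;
+my $count = 0;
+my %data_len = ();
+sub pluginmain {
+my $class = shift;
+my $file = shift;
+my $reg = Parse::Win32Registry->new($file);
+my $root_key = $reg->get_root_key;
+::logMsg("Launching baseline v.".$VERSION);
+::rptMsg("baseline v.".$VERSION); # banner
+::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+traverse($root_key);
+# Data structure containing findings is a hash of hashes
+::rptMsg("Total values checked : ".$count);
+# ::rptMsg("");
+::rptMsg("Number of binary value lengths : ".scalar(keys %data_len));
+my @len = sort {$a <=> $b} keys %data_len;
+# ::rptMsg("Value 0: ".$len[0]);
+::rptMsg("...");
+my $n = scalar @len - 1;
+for my $i (($n - 15)..$n) {
+::rptMsg("Value ".$i.": ".$len[$i]." bytes [# times: ".$data_len{$len[$i]}."]");
+}
+}
+sub traverse {
+my $key = shift;
+# my $ts = $key->get_timestamp();
+foreach my $val ($key->get_list_of_values()) {
+my $type = $val->get_type();
+if ($type == 0 || $type == 3) {
+$count++;
+my $data = $val->get_data();
+if (exists $data_len{length($data)}) {
+$data_len{length($data)}++;
+}
+else {
+$data_len{length($data)} = 1;
+}
+}
+}
+foreach my $subkey ($key->get_list_of_subkeys()) {
+traverse($subkey);
+}
+}
+1;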
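Review bot: The reporting loop `for my $i (($n - 15)..$n)` goes wrong when fewer than 16 distinct lengths were seen: the negative start index wraps to the end of @len, so the same entries are printed twice under different "Value N" labels, and on an empty hive $n is -1 and every lookup is on undef. Clamp the start, e.g. `my $first = $n >= 15 ? $n - 15 : 0;` and `for my $i ($first..$n) {`. `$count` and `%data_len` are file-level and never reset, so if pluginmain is invoked more than once in the same process the totals accumulate across hives; resetting both at the top of pluginmain avoids that, and `%vals` appears to be unused. The magic numbers in `$type == 0 || $type == 3` would read better with a comment naming them (`# REG_NONE and REG_BINARY`).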


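--- a/bho.pl
+++ b/bho.pl
@@ -0,0 +1,117 @@
+#-----------------------------------------------------------
+# bho
+#
+#
+# Change history:
+# 20130408 - updated to include Wow6432Node; formating updates
+# 20080418 - created
+#
+#
+# copyright 2013 QAR, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package bho;
+use strict;
+my %config = (hive => "Software",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 1,
+osmask => 22,
+version => 20130408);
+sub getConfig{return %config}
+sub getShortDescr {
+return "Gets Browser Helper Objects from Software hive";
+}
+sub getDescr{}
+sub getRefs {
+my %refs = ("Browser Helper Objects" =>
+"http://msdn2.microsoft.com/en-us/library/bb250436.aspx");
+return %refs;
+}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+my $VERSION = getVersion();
+sub pluginmain {
+my $class = shift;
+my $hive = shift;
+::logMsg("Launching bho v.".$VERSION);
+::rptMsg("bho v.".$VERSION); # banner
+::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+my @paths = ("Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",
+"Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects");
+foreach my $key_path (@paths) {
+my $key;
+if ($key = $root_key->get_subkey($key_path)) {
+::rptMsg($key_path);
+::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+::rptMsg("");
+my @subkeys = $key->get_list_of_subkeys();
+if (scalar (@subkeys) > 0) {
+foreach my $s (@subkeys) {
+my $name = $s->get_name();
+next if ($name =~ m/^-/);
+my $clsid_path = "Classes\\CLSID\\".$name;
+my $clsid;
+my %bhos;
+if ($clsid = $root_key->get_subkey($clsid_path)) {
+my $class;
+my $mod;
+my $lastwrite;
+eval {
+$class = $clsid->get_value("")->get_data();
+$bhos{$name}{class} = $class;
+};
+if ($@) {
+::logMsg("Error getting Class name for CLSID\\".$name);
+::logMsg("\t".$@);
+}
+eval {
+$mod = $clsid->get_subkey("InProcServer32")->get_value("")->get_data();
+$bhos{$name}{module} = $mod;
+};
+if ($@) {
+::logMsg("\tError getting Module name for CLSID\\".$name);
+::logMsg("\t".$@);
+}
+eval{
+$lastwrite = $clsid->get_subkey("InProcServer32")->get_timestamp();
+$bhos{$name}{lastwrite} = $lastwrite;
+};
+if ($@) {
+::logMsg("\tError getting LastWrite time for CLSID\\".$name);
+::logMsg("\t".$@);
+}
+foreach my $b (keys %bhos) {
+::rptMsg($b);
+::rptMsg(" Class => ".$bhos{$b}{class});
+::rptMsg(" Module => ".$bhos{$b}{module});
+::rptMsg(" LastWrite => ".gmtime($bhos{$b}{lastwrite}));
+::rptMsg("");
+}
+}
+else {
+::rptMsg($clsid_path." not found.");
+::rptMsg("");
+}
+}
+}
+else {
+::rptMsg($key_path." has no subkeys. No BHOs installed.");
+}
+}
+else {
+::rptMsg($key_path." not found.");
+}
+}
+}
+1;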
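Review bot: `::rptMsg(" LastWrite => ".gmtime($bhos{$b}{lastwrite}));` reports the Unix epoch (1970) as the LastWrite time whenever the InProcServer32 subkey is absent, because the eval that sets lastwrite fails, the error goes only to the log, and gmtime(undef) is still evaluated for the report; an analyst reading the report sees a plausible-looking timestamp. Guard it: `::rptMsg(" LastWrite => ".(defined $bhos{$b}{lastwrite} ? gmtime($bhos{$b}{lastwrite}) : "not available"));`, and the Class and Module lines deserve the same defined check so a missing value prints as such rather than as an empty string. The inner `my $class` shadows the package parameter of the same name a few lines up, which is easy to misread; `$clsname` or similar would be clearer. `next if ($name =~ m/^-/);` silently drops subkeys with a leading dash (presumably disabled entries — worth a comment saying why they are skipped, since a report that omits them looks like a clean system).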


@ -1,81 +1,83 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# bitbucket # bitbucket
# Get HKLM\..\BitBucket keys\values (if any) # Get HKLM\..\BitBucket keys\values (if any)
# #
# Change history # Change history
# 20091020 - Updated; collected additional values # 20091020 - Updated; collected additional values
# #
# References # References
# #
# copyright 2009 H. Carvey, keydet89@yahoo.com # copyright 2009 H. Carvey, keydet89@yahoo.com
#----------------------------------------------------------- #-----------------------------------------------------------
package bitbucket; package bitbucket;
use strict; use strict;
my %config = (hive => "Software", my %config = (hive => "Software",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20080418); version => 20080418);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Get HKLM\\..\\BitBucket keys\\values"; return "Get HKLM\\..\\BitBucket keys\\values";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching bitbucket v.".$VERSION); ::logMsg("Launching bitbucket v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("bitbucket v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket";
::rptMsg($key_path); my $key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
eval { ::rptMsg("");
my $global = $key->get_value("UseGlobalSettings")->get_data();
::rptMsg("UseGlobalSettings = ".$global); eval {
}; my $global = $key->get_value("UseGlobalSettings")->get_data();
::rptMsg("UseGlobalSettings = ".$global);
eval { };
my $nuke = $key->get_value("NukeOnDelete")->get_data();
::rptMsg("NukeOnDelete = ".$nuke); eval {
}; my $nuke = $key->get_value("NukeOnDelete")->get_data();
::rptMsg(""); ::rptMsg("NukeOnDelete = ".$nuke);
};
my @subkeys = $key->get_list_of_subkeys(); ::rptMsg("");
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) { my @subkeys = $key->get_list_of_subkeys();
::rptMsg($key_path."\\".$s->get_name()); if (scalar(@subkeys) > 0) {
::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); foreach my $s (@subkeys) {
eval { ::rptMsg($key_path."\\".$s->get_name());
my $vol = $s->get_value("VolumeSerialNumber")->get_data(); ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)");
::rptMsg("VolumeSerialNumber = 0x".uc(sprintf "%1x",$vol)); eval {
}; my $vol = $s->get_value("VolumeSerialNumber")->get_data();
::rptMsg(""); ::rptMsg("VolumeSerialNumber = 0x".uc(sprintf "%1x",$vol));
} };
} ::rptMsg("");
else { }
::rptMsg($key_path." has no subkeys."); }
} else {
} ::rptMsg($key_path." has no subkeys.");
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} ::logMsg($key_path." not found.");
}
}
1; 1;
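Review bot: `uc(sprintf "%1x",$vol)` drops leading zeros from VolumeSerialNumber, so a serial whose high nibble is zero prints shorter than the eight-digit form and will not match a plain string search against other tools' output; `sprintf("%08X", $vol)` keeps the fixed width and upper-cases directly. The UseGlobalSettings and NukeOnDelete evals swallow the missing-value case with no report line, so the reader cannot tell "value not present" from "plugin error"; a `::rptMsg("UseGlobalSettings value not found.") if ($@);` after each eval makes that explicit. The added banner lines match the other plugins in this commit.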


@ -1,71 +1,73 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# bitbucket_user # bitbucket_user
# Get HKLM\..\BitBucket keys\values (if any) # Get HKLM\..\BitBucket keys\values (if any)
# #
# Change history # Change history
# #
# References # References
# #
# NOTE: In limited testing, the volume letter subkeys beneath the # NOTE: In limited testing, the volume letter subkeys beneath the
# BitBucket key appear to be volatile. # BitBucket key appear to be volatile.
# #
# copyright 2009 H. Carvey, keydet89@yahoo.com # copyright 2009 H. Carvey, keydet89@yahoo.com
#----------------------------------------------------------- #-----------------------------------------------------------
package bitbucket_user; package bitbucket_user;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20091020); version => 20091020);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "TEST - Get user BitBucket values"; return "TEST - Get user BitBucket values";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching bitbucket_user v.".$VERSION); ::logMsg("Launching bitbucket_user v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("bitbucket_user v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket";
::rptMsg($key_path); my $key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @subkeys = $key->get_list_of_subkeys(); ::rptMsg("");
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) { my @subkeys = $key->get_list_of_subkeys();
::rptMsg($key_path."\\".$s->get_name()); if (scalar(@subkeys) > 0) {
::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); foreach my $s (@subkeys) {
eval { ::rptMsg($key_path."\\".$s->get_name());
my $purge = $s->get_value("NeedToPurge")->get_data(); ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)");
::rptMsg(" NeedToPurge = ".$purge); eval {
}; my $purge = $s->get_value("NeedToPurge")->get_data();
::rptMsg(""); ::rptMsg(" NeedToPurge = ".$purge);
} };
} ::rptMsg("");
else { }
::rptMsg($key_path." has no subkeys."); }
} else {
} ::rptMsg($key_path." has no subkeys.");
else { }
::rptMsg($key_path." not found."); }
} else {
} ::rptMsg($key_path." not found.");
}
}
1; 1;
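Review bot: The header comment `# Get HKLM\..\BitBucket keys\values (if any)` is wrong for this plugin: %config declares the NTUSER.DAT hive and $key_path starts at Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket inside the user hive, so this is HKCU, not HKLM (the comment looks carried over from bitbucket.pl). Suggest `# Get HKCU\..\BitBucket keys\values (if any)`. The NeedToPurge eval fails silently when the value is absent, so a subkey line is printed with nothing after it; a `::rptMsg("  NeedToPurge value not found.") if ($@);` would close that gap.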


@ -1,63 +1,69 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# brisv.pl # brisv.pl
# Plugin to detect the presence of Trojan.Brisv.A # Plugin to detect the presence of Trojan.Brisv.A
# Symantec write-up: http://www.symantec.com/security_response/writeup.jsp # Symantec write-up: http://www.symantec.com/security_response/writeup.jsp
# ?docid=2008-071823-1655-99 # ?docid=2008-071823-1655-99
# #
# Change History: # Change History:
# 20090210: Created # 20130429: added alertMsg() functionality
# # 20090210: Created
# Info on URLAndExitCommandsEnabled value: #
# http://support.microsoft.com/kb/828026 # Info on URLAndExitCommandsEnabled value:
# # http://support.microsoft.com/kb/828026
# copyright 2009 H. Carvey, keydet89@yahoo.com # http://www.hispasec.com/laboratorio/GetCodecAnalysis.pdf
#----------------------------------------------------------- #
package brisv; # copyright 2013 QAR, LLC
use strict; # Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
my %config = (hive => "NTUSER\.DAT", package brisv;
osmask => 22, use strict;
hasShortDescr => 1,
hasDescr => 0, my %config = (hive => "NTUSER\.DAT",
hasRefs => 0, osmask => 22,
version => 20090210); hasShortDescr => 1,
hasDescr => 0,
sub getConfig{return %config} hasRefs => 0,
version => 20130429);
sub getShortDescr {
return "Detect artifacts of a Troj\.Brisv\.A infection"; sub getConfig{return %config}
}
sub getDescr{} sub getShortDescr {
sub getRefs {} return "Detect artifacts of a Troj\.Brisv\.A infection";
sub getHive {return $config{hive};} }
sub getVersion {return $config{version};} sub getDescr{}
sub getRefs {}
my $VERSION = getVersion(); sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
sub pluginmain {
my $class = shift; my $VERSION = getVersion();
my $hive = shift;
::logMsg("Launching brisv v.".$VERSION); sub pluginmain {
my $reg = Parse::Win32Registry->new($hive); my $class = shift;
my $root_key = $reg->get_root_key; my $hive = shift;
::logMsg("Launching brisv v.".$VERSION);
my $key_path = "Software\\Microsoft\\PIMSRV"; ::rptMsg("brisv v.".$VERSION); # banner
my $key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
if ($key = $root_key->get_subkey($key_path)) { my $reg = Parse::Win32Registry->new($hive);
::rptMsg($key_path); my $root_key = $reg->get_root_key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg(""); my $key_path = "Software\\Microsoft\\PIMSRV";
my $key;
my $mp_path = "Software\\Microsoft\\MediaPlayer\\Preferences"; if ($key = $root_key->get_subkey($key_path)) {
my $url; ::rptMsg($key_path);
eval { ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
$url = $key->get_subkey($mp_path)->get_value("URLAndExitCommandsEnabled")->get_data(); ::rptMsg("");
::rptMsg($mp_path."\\URLAndExitCommandsEnabled value set to ".$url);
}; my $mp_path = "Software\\Microsoft\\MediaPlayer\\Preferences";
# if an error occurs within the eval{} statement, do nothing my $url;
} eval {
else { $url = $key->get_subkey($mp_path)->get_value("URLAndExitCommandsEnabled")->get_data();
::rptMsg($key_path." not found."); ::rptMsg($mp_path."\\URLAndExitCommandsEnabled value set to ".$url);
} ::alertMsg($mp_path."\\URLAndExitCommandsEnabled value set: ".$url);
} };
# if an error occurs within the eval{} statement, do nothing
}
else {
::rptMsg($key_path." not found.");
}
}
1; 1;
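Review bot: The new `::alertMsg(...)` line sits under a lookup that cannot succeed: `$key->get_subkey($mp_path)` resolves $mp_path relative to the PIMSRV key that $key already holds, so it looks for Software\Microsoft\PIMSRV\Software\Microsoft\MediaPlayer\Preferences, the eval dies silently on every hive, and neither the report line nor the alert is ever produced. The lookup should start from the root: `$url = $root_key->get_subkey($mp_path)->get_value("URLAndExitCommandsEnabled")->get_data();`. Once that works, consider whether the alert should depend on the value's data rather than its mere presence, since the KB article referenced in the header describes it as a configurable Media Player setting and presence alone may not indicate infection. The `# if an error occurs within the eval{} statement, do nothing` comment then also deserves a `::rptMsg($mp_path." not found.") if ($@);` so the absence is visible in the report.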


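--- a/btconfig.pl
+++ b/btconfig.pl
@@ -0,0 +1,80 @@
+#-----------------------------------------------------------
+# btconfig.pl
+#
+#
+# History:
+# 20130117 - created
+#
+# copyright 2013 Quantum Research Analytics, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package btconfig;
+use strict;
+my %config = (hive => "Software",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 0,
+osmask => 22,
+version => 20130117);
+sub getConfig{return %config}
+sub getShortDescr {
+return "Determines BlueTooth devices 'seen' by BroadComm drivers";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+my $VERSION = getVersion();
+sub pluginmain {
+my $class = shift;
+my $hive = shift;
+::logMsg("Launching btconfig v.".$VERSION);
+::rptMsg("Launching btconfig v.".$VERSION);
+::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+my $key_path = 'WidComm\\BTConfig\\Devices';
+my $key;
+if ($key = $root_key->get_subkey($key_path)) {
+::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+::rptMsg("");
+my @sk = $key->get_list_of_subkeys();
+foreach my $s (@sk) {
+my $name = $s->get_name();
+my $lw = $s->get_timestamp();
+::rptMsg("Unique ID: ".$name);
+::rptMsg(" LastWrite: ".gmtime($lw)." Z");
+my $devname;
+eval {
+# May need to work on parsing the binary "Name" value data into an actual name...
+my @str1 = split(//,unpack("H*",$s->get_value("Name")->get_data()));
+my @s3;
+my $str;
+foreach my $i (0..((scalar(@str1)/2) - 1)) {
+$s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
+if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) {
+$str .= chr(hex($s3[$i]));
+}
+else {
+$str .= "";
+}
+}
+::rptMsg(" Device Name: ".$str);
+};
+::rptMsg("");
+}
+}
+else {
+::rptMsg($key_path." not found.");
+}
+}
+1;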
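Review bot: The hex-pair loop inside the `Name` eval is a roundabout way of keeping the printable-ASCII bytes of the value data (unpack to hex, split into digits, re-pair, hex() each, compare), and its else branch `$str .= "";` is a no-op. The block reduces to `my $raw = $s->get_value("Name")->get_data();` / `(my $str = $raw) =~ s/[^\x20-\x7e]//g;` / `::rptMsg("  Device Name: ".$str);`, which yields the identical string; bthport.pl carries the same loop with a space substituted for non-printables (`s/[^\x20-\x7e]/ /g`), and in both files `my $devname;` is unused. When the Name value is missing the eval fails without any report line, so a `::rptMsg("  Device Name: not found.") if ($@);` would tell the reader which case occurred. `::rptMsg("Launching btconfig v.".$VERSION);` also repeats the log message into the report instead of the `btconfig v.` banner the other plugins print.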


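--- a/bthport.pl
+++ b/bthport.pl
@@ -0,0 +1,101 @@
+#-----------------------------------------------------------
+# bthport.pl
+# Get BlueTooth device information from the Registry; assumes
+# MS drivers (other drivers, such as BroadComm, will be found in
+# other locations)
+#
+# Change history
+# 20130115 - created
+#
+# Category:
+#
+# copyright 2013 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package bthport;
+use strict;
+my %config = (hive => "System",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 0,
+osmask => 22,
+version => 20130115);
+sub getConfig{return %config}
+sub getShortDescr {
+return "Gets Bluetooth-connected devices from System hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+my $VERSION = getVersion();
+sub pluginmain {
+my $class = shift;
+my $hive = shift;
+::logMsg("Launching bthport v.".$VERSION);
+::rptMsg("bthport v.".$VERSION); # banner
+::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+my ($current,$ccs);
+my $key_path = 'Select';
+my $key;
+if ($key = $root_key->get_subkey($key_path)) {
+$current = $key->get_value("Current")->get_data();
+$ccs = "ControlSet00".$current;
+my $cn_path = $ccs."\\services\\BTHPORT\\Parameters\\Devices";
+my $cn;
+if ($cn = $root_key->get_subkey($cn_path)) {
+::rptMsg($cn_path);
+::rptMsg("LastWrite: ".gmtime($cn->get_timestamp())." UTC");
+my @sk = $cn->get_list_of_subkeys();
+if (scalar(@sk) > 0) {
+::rptMsg("");
+foreach my $s (@sk) {
+my $name = $s->get_name();
+my $lw = $s->get_timestamp();
+::rptMsg("Device Unique ID: ".$name);
+# Note: Need to get VID and PID values for translation and mapping
+my $devname;
+eval {
+# May need to work on parsing the binary "Name" value data into an actual name...
+my @str1 = split(//,unpack("H*",$s->get_value("Name")->get_data()));
+my @s3;
+my $str;
+foreach my $i (0..((scalar(@str1)/2) - 1)) {
+$s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
+if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) {
+$str .= chr(hex($s3[$i]));
+}
+else {
+$str .= " ";
+}
+}
+::rptMsg("Device Name: ".$str);
+};
+}
+}
+else {
+::rptMsg($cn_path." has no subkeys.");
+}
+}
+else {
+::rptMsg($cn_path." not found.");
+}
+}
+else {
+::rptMsg($key_path." not found.");
+}
+}
+1;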


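--- a/cain.pl
+++ b/cain.pl
@@ -0,0 +1,93 @@
+#-----------------------------------------------------------
+# cain.pl
+# Extracts details for Cain & Abel by oxid.it
+#
+# Change history
+# 20110830 [fpi] + banner, no change to the version number
+#
+# References
+#
+# Copyright (c) 2011-02-04 Brendan Coles <bcoles@gmail.com>
+#-----------------------------------------------------------
+# Require #
+package cain;
+use strict;
+# Declarations #
+my %config = (hive => "NTUSER\.DAT",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 1,
+osmask => 22,
+version => 20110204);
+my $VERSION = getVersion();
+# Functions #
+sub getDescr {}
+sub getConfig {return %config}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+sub getShortDescr {
+return "Extracts details for Cain & Abel by oxid.it";
+}
+sub getRefs {
+my %refs = ("Cain & Abel Homepage:" =>
+"http://www.oxid.it/cain.html");
+return %refs;
+}
+############################################################
+# pluginmain #
+############################################################
+sub pluginmain {
+# Declarations #
+my $class = shift;
+my $hive = shift;
+# Initialize #
+::logMsg("Launching cain v.".$VERSION);
+::rptMsg("cain v.".$VERSION); # 20110830 [fpi] + banner
+::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+my $key;
+my $key_path = "Software\\Cain\\Settings";
+# If # Cain path exists #
+if ($key = $root_key->get_subkey($key_path)) {
+# Return # plugin name, registry key and last modified date #
+::rptMsg("Cain");
+::rptMsg($key_path);
+::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+::rptMsg("");
+# Extract # all keys from Cain registry path #
+my @vals = $key->get_list_of_values();
+# If # registry keys exist in path #
+if (scalar(@vals) > 0) {
+# Extract # all key names+values for Cain registry path #
+foreach my $v (@vals) {
+::rptMsg($v->get_name()." -> ".$v->get_data());
+}
+# Error # key value is null #
+} else {
+::rptMsg($key_path." has no values.");
+}
+# Error # Cain isn't here, try another castle #
+} else {
+::rptMsg($key_path." not found.");
+::logMsg($key_path." not found.");
+}
+# Return # obligatory new-line #
+::rptMsg("");
+}
+# Error # oh snap! #
+1;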
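Review bot: `::rptMsg($v->get_name()." -> ".$v->get_data());` writes raw value data into the text report regardless of type, so any REG_BINARY value under Software\Cain\Settings comes out as unescaped bytes; `$v->get_data_as_string()` is the type-aware rendering Parse::Win32Registry already provides for exactly this. The comments `# Extract # all keys from Cain registry path #` and `# If # registry keys exist in path #` talk about keys where the code handles values, and `# Error # oh snap! #` above the final `1;` describes nothing — that line is the package's true return value and the comment should say so or go. The `NTUSER\.DAT` literal in %config uses `\.` inside double quotes, which is an unrecognised escape that only happens to yield a plain dot; `"NTUSER.DAT"` says what is meant.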


@ -0,0 +1,79 @@
#-----------------------------------------------------------
# ccleaner.pl
# Gets CCleaner User Settings
#
# Change history
# 20120128 [ale] % Initial Version based on warcraft3.pl plugin
#
# References
#
# Author: Adrian Leong <cheeky4n6monkey@gmail.com>
#-----------------------------------------------------------
package ccleaner;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20120128);
sub getConfig{return %config}
sub getShortDescr {
return "Gets User's CCleaner Settings";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift; # pops the first element off @_ ie the parameter array passed in to pluginmain
my $hive = shift; # 1st element in @_ is class/package name (ccleaner), 2nd is the hive name passed in from rip.pl
::logMsg("Launching ccleaner v.".$VERSION);
::rptMsg("ccleaner v.".$VERSION);
::rptMsg("(".getHive().") ".getShortDescr()."\n");
my $reg = Parse::Win32Registry->new($hive); # creates a Win32Registry object
my $root_key = $reg->get_root_key;
my $key;
my $key_path = "Software\\Piriform\\CCleaner";
# If CCleaner key_path exists ... ie get_subkey returns a non-empty value
if ($key = $root_key->get_subkey($key_path)) {
# Print registry key name and last modified date
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my %cckeys; # temporary associative array for storing name / value pairs eg ("UpdateCheck", 1)
# Extract ccleaner key values into ccvals array
# Note: ccvals becomes an array of "Parse::Win32Registry::WinNT::Value"
# As this is implemented in an Object oriented manner, we cannot access the values directly -
# we have to use the "get_name" and "get_value" subroutines
my @ccvals = $key->get_list_of_values();
# If ccvals has any "Values" in it, call "Value::get_name" and "Value::get_data" for each
# and store the results in the %cckeys associative array using data returned by Value::get_name as the id/index
# and Value::get_data for the actual key value
if (scalar(@ccvals) > 0) {
foreach my $val (@ccvals) {
$cckeys{$val->get_name()} = $val->get_data();
}
# Sorts keynames into a temp list and then prints each key name + value in list order
# the values are retrieved from cckeys assoc. array which was populated in the previous foreach loop
foreach my $keyval (sort keys %cckeys) {
::rptMsg($keyval." -> ".$cckeys{$keyval});
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." does not exist.");
}
# Return obligatory new-line
::rptMsg("");
}
1;
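Review bot: The value loop at `$cckeys{$val->get_name()} = $val->get_data();` stores raw `get_data()` output, so a REG_BINARY or REG_DWORD setting under this key would reach the report as raw bytes or an unformatted number rather than something an analyst can read; Parse::Win32Registry provides a printable rendering for every value type, `$cckeys{$val->get_name()} = $val->get_data_as_string();`. The file also has `use strict;` without `use warnings;`, which would otherwise flag an undefined value reaching the `." -> ".` concatenation; add `use warnings;` beside it. The long explanatory comments above `@ccvals` describe how the library's objects work rather than why this code does what it does; a single line such as `# collect name/data pairs so the output can be sorted by value name` says what a maintainer needs.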


@ -1,120 +1,122 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# clampi.pl # clampi.pl
# Checks keys/values set by new version of Trojan.Clampi # Checks keys/values set by new version of Trojan.Clampi
# #
# Change history # Change history
# 20091019 - created # 20091019 - created
# #
# NOTE: This is purely a test plugin, and based solely on the below # NOTE: This is purely a test plugin, and based solely on the below
# reference. It has not been tested on any systems that were # reference. It has not been tested on any systems that were
# known to be infected. # known to be infected.
# #
# References # References
# http://www.symantec.com/connect/blogs/inside-trojanclampi-stealing-your-information # http://www.symantec.com/connect/blogs/inside-trojanclampi-stealing-your-information
# #
# copyright 2009 H. Carvey # copyright 2009 H. Carvey
#----------------------------------------------------------- #-----------------------------------------------------------
package clampi; package clampi;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20091019); version => 20091019);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "TEST - Checks for keys set by Trojan\.Clampi PROT module"; return "TEST - Checks for keys set by Trojan\.Clampi PROT module";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
::logMsg("Launching clampi v.".$VERSION); ::logMsg("Launching clampi v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser); ::rptMsg("clampi v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $count = 0; my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main'; my $count = 0;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main';
::rptMsg($key_path); my $key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my ($form1, $form2, $form3); ::rptMsg("");
eval { my ($form1, $form2, $form3);
$form1 = $key->get_value("Use FormSuggest")->get_data();
::rptMsg("\tUse FormSuggest = ".$form1); eval {
$count++ if ($form1 eq "true"); $form1 = $key->get_value("Use FormSuggest")->get_data();
}; ::rptMsg("\tUse FormSuggest = ".$form1);
$count++ if ($form1 eq "true");
eval { };
$form2 = $key->get_value("FormSuggest_Passwords")->get_data();
::rptMsg("\tFormSuggest_Passwords = ".$form2); eval {
$count++ if ($form2 eq "true"); $form2 = $key->get_value("FormSuggest_Passwords")->get_data();
}; ::rptMsg("\tFormSuggest_Passwords = ".$form2);
$count++ if ($form2 eq "true");
eval { };
$form3 = $key->get_value("FormSuggest_PW_Ask")->get_data();
::rptMsg("\tUse FormSuggest = ".$form3); eval {
$count++ if ($form3 eq "no"); $form3 = $key->get_value("FormSuggest_PW_Ask")->get_data();
}; ::rptMsg("\tUse FormSuggest = ".$form3);
} $count++ if ($form3 eq "no");
else { };
::rptMsg($key_path." not found."); }
} else {
::rptMsg(""); ::rptMsg($key_path." not found.");
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete"; }
my $key; ::rptMsg("");
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete";
::rptMsg($key_path); my $key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg($key_path);
my $auto; ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
eval { ::rptMsg("");
$auto = $key->get_value("AutoSuggest")->get_data(); my $auto;
::rptMsg("\tAutoSuggest = ".$auto); eval {
$count++ if ($auto eq "true"); $auto = $key->get_value("AutoSuggest")->get_data();
}; ::rptMsg("\tAutoSuggest = ".$auto);
} $count++ if ($auto eq "true");
else { };
::rptMsg($key_path." not found."); }
} else {
::rptMsg(""); ::rptMsg($key_path." not found.");
my $key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts"; }
my $key; ::rptMsg("");
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts";
::rptMsg($key_path); my $key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg($key_path);
my $prompt; ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
eval { ::rptMsg("");
$prompt = $key->get_value("POP3 Prompt for Password")->get_data(); my $prompt;
::rptMsg("\tPOP3 Prompt for Password = ".$prompt); eval {
$count++ if ($prompt eq "true"); $prompt = $key->get_value("POP3 Prompt for Password")->get_data();
}; ::rptMsg("\tPOP3 Prompt for Password = ".$prompt);
} $count++ if ($prompt eq "true");
else { };
::rptMsg($key_path." not found."); }
} else {
::rptMsg(""); ::rptMsg($key_path." not found.");
if ($count == 5) { }
::rptMsg("The system may have been infected with the Trojan.Clampi PROT module."); ::rptMsg("");
} if ($count == 5) {
else { ::rptMsg("The system may have been infected with the Trojan.Clampi PROT module.");
::rptMsg("The system does not appear to have been infected with the Trojan.Clampi"); }
::rptMsg("PROT module."); else {
} ::rptMsg("The system does not appear to have been infected with the Trojan.Clampi");
} ::rptMsg("PROT module.");
}
}
1; 1;
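Review bot: The report label in the third eval block, `::rptMsg("\tUse FormSuggest = ".$form3);`, is wrong: that block reads `FormSuggest_PW_Ask`, so the output shows two "Use FormSuggest" entries and never names the value actually being checked; change it to `::rptMsg("\tFormSuggest_PW_Ask = ".$form3);`. Separately, each `eval` swallows a missing value silently, so a hive lacking one of the five values prints nothing for it while the `$count == 5` verdict quietly fails; a `::rptMsg("\tFormSuggest_PW_Ask not found.") if ($@);` (and the equivalent after the other blocks) would make the report self-explanatory. I cannot tell from the hunk whether the silent skip is deliberate, so treat the second point as a suggestion.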


@ -1,78 +1,80 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# clampitm.pl # clampitm.pl
# Checks keys/values set by new version of Trojan.Clampi # Checks keys/values set by new version of Trojan.Clampi
# #
# Change history # Change history
# 20100624 - created # 20100624 - created
# #
# NOTE: This is purely a test plugin, and based solely on the below # NOTE: This is purely a test plugin, and based solely on the below
# reference. It has not been tested on any systems that were # reference. It has not been tested on any systems that were
# known to be infected. # known to be infected.
# #
# References # References
# http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/ilomo_external.pdf # http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/ilomo_external.pdf
# #
# copyright 2010 Quantum Analytics Research, LLC # copyright 2010 Quantum Analytics Research, LLC
#----------------------------------------------------------- #-----------------------------------------------------------
package clampitm; package clampitm;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20100624); version => 20100624);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Checks for IOCs for Clampi (per Trend Micro)"; return "Checks for IOCs for Clampi (per Trend Micro)";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
::logMsg("Launching clampitm v.".$VERSION); ::logMsg("Launching clampitm v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser); ::rptMsg("clampitm v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $count = 0; my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Internet Explorer\\Settings'; my $count = 0;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Software\\Microsoft\\Internet Explorer\\Settings';
::rptMsg("ClampiTM plugin"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); ::rptMsg("ClampiTM plugin");
::rptMsg(""); ::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $tag = 1; ::rptMsg("");
my @list = qw/GatesList GID KeyE KeyM PID/;
my @vals = $key->get_list_of_values(); my $tag = 1;
if (scalar (@vals) > 0) { my @list = qw/GatesList GID KeyE KeyM PID/;
foreach my $v (@vals) { my @vals = $key->get_list_of_values();
my $name = $v->get_name(); if (scalar (@vals) > 0) {
if (grep(/$name/,@list)) { foreach my $v (@vals) {
::rptMsg(sprintf "%-10s %-30s",$name,$v->get_data()); my $name = $v->get_name();
$tag = 0; if (grep(/$name/,@list)) {
} ::rptMsg(sprintf "%-10s %-30s",$name,$v->get_data());
} $tag = 0;
if ($tag) { }
::rptMsg("No Clampi values found."); }
} if ($tag) {
} ::rptMsg("No Clampi values found.");
else { }
::rptMsg($key_path." has no values."); }
} else {
} ::rptMsg($key_path." has no values.");
else { }
::rptMsg($key_path." not found."); }
} else {
} ::rptMsg($key_path." not found.");
}
}
1; 1;
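Review bot: The match at `if (grep(/$name/,@list)) {` inside the value loop interpolates the registry value name into an unanchored regex, so a value named `ID` matches both `GID` and `PID`, and a name containing regex metacharacters (for example `(` or `*`) aborts the plugin with a pattern-compilation error instead of reporting. An exact comparison is what the list is for: `if (grep { $_ eq $name } @list) {`. If partial matching is really intended, the interpolated name should at least be quoted, `/\Q$name\E/`.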


@ -1,80 +1,82 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# clsid.pl # clsid.pl
# Plugin to extract file association data from the Software hive file # Plugin to extract file association data from the Software hive file
# Can take considerable time to run; recommend running it via rip.exe # Can take considerable time to run; recommend running it via rip.exe
# #
# History # History
# 20100227 - created # 20100227 - created
# #
# References # References
# http://msdn.microsoft.com/en-us/library/ms724475%28VS.85%29.aspx # http://msdn.microsoft.com/en-us/library/ms724475%28VS.85%29.aspx
# #
# copyright 2010, Quantum Analytics Research, LLC # copyright 2010, Quantum Analytics Research, LLC
#----------------------------------------------------------- #-----------------------------------------------------------
package clsid; package clsid;
use strict; use strict;
my %config = (hive => "Software", my %config = (hive => "Software",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20100227); version => 20100227);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Get list of CLSID/registered classes"; return "Get list of CLSID/registered classes";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
my %clsid; my %clsid;
::logMsg("Launching clsid v.".$VERSION); ::logMsg("Launching clsid v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("clsid v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $key_path = "Classes\\CLSID"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Classes\\CLSID";
::rptMsg($key_path); my $key;
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg($key_path);
# First step will be to get a list of all of the file extensions # ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my %ext; ::rptMsg("");
my @sk = $key->get_list_of_subkeys(); # First step will be to get a list of all of the file extensions
if (scalar(@sk) > 0) { my %ext;
foreach my $s (@sk) { my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
my $name = $s->get_name(); foreach my $s (@sk) {
eval {
my $n = $s->get_value("")->get_data(); my $name = $s->get_name();
$name .= " ".$n unless ($n eq ""); eval {
}; my $n = $s->get_value("")->get_data();
$name .= " ".$n unless ($n eq "");
push(@{$clsid{$s->get_timestamp()}},$name); };
}
push(@{$clsid{$s->get_timestamp()}},$name);
foreach my $t (reverse sort {$a <=> $b} keys %clsid) { }
::rptMsg(gmtime($t)." Z");
foreach my $item (@{$clsid{$t}}) { foreach my $t (reverse sort {$a <=> $b} keys %clsid) {
::rptMsg(" ".$item); ::rptMsg(gmtime($t)." Z");
} foreach my $item (@{$clsid{$t}}) {
} ::rptMsg(" ".$item);
} }
else { }
::rptMsg($key_path." has no subkeys."); }
} else {
} ::rptMsg($key_path." has no subkeys.");
else { }
::rptMsg($key_path." not found."); }
} else {
} ::rptMsg($key_path." not found.");
}
}
1; 1;


@ -1,75 +1,114 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# cmd_shell # cmd_shell
# #
# # Change History
# Change History # 20130405 - added Clients subkey
# 20100830 - added "cs" shell command to the path # 20100830 - added "cs" shell command to the path
# 20080328 - created # 20080328 - created
# #
# References # References
# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx? # http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?
# Name=TrojanClicker%3AWin32%2FVB.GE # Name=TrojanClicker%3AWin32%2FVB.GE
# #
# copyright 2010 Quantum Analytics Research, LLC # copyright 2013 Quantum Analytics Research, LLC
#----------------------------------------------------------- # Author: H. Carvey, keydet89@yahoo.com
package cmd_shell; #-----------------------------------------------------------
use strict; package cmd_shell;
use strict;
my %config = (hive => "Software",
osmask => 22, my %config = (hive => "Software",
hasShortDescr => 1, osmask => 22,
hasDescr => 0, hasShortDescr => 1,
hasRefs => 1, hasDescr => 0,
version => 20100830); hasRefs => 1,
version => 20130405);
sub getConfig{return %config}
sub getConfig{return %config}
sub getShortDescr {
return "Gets shell open cmds for various file types"; sub getShortDescr {
} return "Gets shell open cmds for various file types";
sub getDescr{} }
sub getRefs { sub getDescr{}
my %refs = ("You Are Unable to Start a Program with an .exe File Extension" => sub getRefs {
"http://support.microsoft.com/kb/310585"); my %refs = ("You Are Unable to Start a Program with an .exe File Extension" =>
return %refs; "http://support.microsoft.com/kb/310585");
} return %refs;
sub getHive {return $config{hive};} }
sub getVersion {return $config{version};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my $VERSION = getVersion();
sub pluginmain {
my $class = shift; sub pluginmain {
my $hive = shift; my $class = shift;
::logMsg("Launching cmd_shell v.".$VERSION); my $hive = shift;
::logMsg("Launching cmd_shell v.".$VERSION);
my @shells = ("exe","cmd","bat","cs","hta","pif"); ::rptMsg("cmd_shell v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
foreach my $sh (@shells) { my @shells = ("exe","cmd","bat","cs","hta","pif");
my $reg = Parse::Win32Registry->new($hive); my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key; my $root_key = $reg->get_root_key;
my $key_path = "Classes\\".$sh."file\\shell\\open\\command"; foreach my $sh (@shells) {
my $key; my $key_path = "Classes\\".$sh."file\\shell\\open\\command";
if ($key = $root_key->get_subkey($key_path)) { my $key;
::rptMsg("cmd_shell"); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path); ::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg(""); # ::rptMsg("");
my $val; my $val;
eval { eval {
$val = $key->get_value("")->get_data(); $val = $key->get_value("")->get_data();
::rptMsg("\tCmd: ".$val); ::rptMsg(" Cmd: ".$val);
};
::rptMsg("Error: ".$@) if ($@); if ($sh eq "hta") {
if ($val eq "C:\\Windows\\SysWOW64\\mshta\.exe \"%1\" %*" || $val eq "C:\\WINDOWS\\system32\\mshta\.exe \"%1\" %*") {
}
else { }
::rptMsg($key_path." not found."); else {
::logMsg($key_path." not found."); ::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$val);
} }
} }
::rptMsg(""); else {
} ::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$val) unless ($val eq "\"%1\" %*");
}
::rptMsg("");
};
::rptMsg("Error: ".$@) if ($@);
}
else {
::rptMsg($key_path." not found.");
::rptMsg("");
}
}
::rptMsg("");
my $key_path = "Clients\\StartMenuInternet\\IExplore.exe\\shell\\open\\command";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
eval {
my $cmd = $key->get_value("")->get_data();
::rptMsg(" Cmd: ".$cmd);
if ($cmd eq "\"C:\\Program Files\\Internet Explorer\\iexplore\.exe\"" ||
$cmd eq "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore\.exe\"") {
}
else {
::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$cmd);
}
};
::rptMsg("Error: ".$@) if ($@);
}
else {
::rptMsg($key_path." not found\.");
}
}
1; 1;
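Review bot: The new mshta whitelist at `if ($val eq "C:\\Windows\\SysWOW64\\mshta\.exe \"%1\" %*" || $val eq "C:\\WINDOWS\\system32\\mshta\.exe \"%1\" %*") {` compares case-sensitively, but path spelling in registry data is not normalized, so a stock `C:\WINDOWS\SysWOW64\mshta.exe "%1" %*` raises a false alert while only two exact spellings are accepted; the same applies to the iexplore check further down and to the parallel code in cmd_shell_tln.pl. Comparing `lc($val)` against lowercased expected strings held in a small `%expected` hash removes the spelling dependence, and the empty `if (...) { } else { ::alertMsg(...) }` shape then reads directly as `::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$val) unless exists $expected{lc $val};`. Note also that `mshta\.exe` in a double-quoted string is an unrecognized escape that Perl passes through as `.` but warns about under `use warnings`; write `mshta.exe`.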


@ -0,0 +1,111 @@
#-----------------------------------------------------------
# cmd_shell_tln
#
# Change History
# 20130425 - created
#
# References
# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?
# Name=TrojanClicker%3AWin32%2FVB.GE
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package cmd_shell_tln;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Gets shell open cmds for various file types";
}
sub getDescr{}
sub getRefs {
my %refs = ("You Are Unable to Start a Program with an .exe File Extension" =>
"http://support.microsoft.com/kb/310585");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching cmd_shell_tln v.".$VERSION);
# ::rptMsg("cmd_shell v.".$VERSION); # banner
# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my @shells = ("exe","cmd","bat","cs","hta","pif");
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
foreach my $sh (@shells) {
my $key_path = "Classes\\".$sh."file\\shell\\open\\command";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# ::rptMsg("");
my $lw = $key->get_timestamp();
my $val;
eval {
$val = $key->get_value("")->get_data();
# ::rptMsg(" Cmd: ".$val);
if ($sh eq "hta") {
if ($val eq "C:\\Windows\\SysWOW64\\mshta\.exe \"%1\" %*" || $val eq "C:\\WINDOWS\\system32\\mshta\.exe \"%1\" %*") {
}
else {
# ::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$val);
::alertMsg($lw."|ALERT|||Software\\".$key_path." warning: ".$val);
}
}
else {
# ::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$val) unless ($val eq "\"%1\" %*");
::alertMsg($lw."|ALERT|||Software\\".$key_path." warning: ".$val) unless ($val eq "\"%1\" %*");
}
};
}
else {
# ::rptMsg($key_path." not found.");
# ::rptMsg("");
}
}
# ::rptMsg("");
my $key_path = "Clients\\StartMenuInternet\\IExplore.exe\\shell\\open\\command";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $lw = $key->get_timestamp();
eval {
my $cmd = $key->get_value("")->get_data();
# ::rptMsg(" Cmd: ".$cmd);
if ($cmd eq "\"C:\\Program Files\\Internet Explorer\\iexplore\.exe\"" ||
$cmd eq "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore\.exe\"") {
}
else {
::alertMsg($lw."|ALERT|||Software\\".$key_path." warning: ".$cmd);
}
};
# ::rptMsg("Error: ".$@) if ($@);
}
else {
# ::rptMsg($key_path." not found\.");
}
}
1;
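Review bot: Both `eval` blocks drop `$@` without a trace — `# ::rptMsg("Error: ".$@) if ($@);` is commented out after the IE check and nothing follows the eval in the shells loop — so a value that fails to parse produces neither an alert nor a log line, which a timeline consumer cannot distinguish from a clean hive; log it instead, `::logMsg("cmd_shell_tln: ".$key_path.": ".$@) if ($@);`. The commented-out `rptMsg` lines and the two `else` branches that contain only comments are dead code copied from the report-mode plugin and should be removed rather than carried in the TLN variant. The `\.` in `mshta\.exe` and `iexplore\.exe` inside double-quoted strings is an unrecognized escape that `use warnings` would flag; write the plain `.`.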


@ -0,0 +1,67 @@
#-----------------------------------------------------------
# cmd_shell_u
# Get the shell\open\command settings for various file types; gets
# info from USRCLASS.DAT hives, where Classes data is maintained on
# Win7
#
# Change History
# 20130405 - created
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package cmd_shell_u;
use strict;
my %config = (hive => "USRCLASS\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20130405);
sub getConfig{return %config}
sub getShortDescr {
return "Gets shell open cmds for various file types from USRCLASS\.DAT";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching cmd_shell_u v.".$VERSION);
::rptMsg("cmd_shell_u v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my @shells = ("\.exe","exefile","ftp","http","https");
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
foreach my $sh (@shells) {
my $key_path = $sh."\\shell\\open\\command";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# ::rptMsg("");
my $val;
eval {
$val = $key->get_value("")->get_data();
::rptMsg(" Cmd: ".$val);
::rptMsg("");
};
::rptMsg("Error: ".$@) if ($@);
}
else {
::rptMsg($key_path." not found.");
}
}
::rptMsg("");
}
1;
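Review bot: `my @shells = ("\.exe","exefile","ftp","http","https");` uses `\.` inside a double-quoted string; Perl passes it through as a plain `.`, so the key path resolves, but it is an unrecognized escape that `use warnings` would report, and the same construct appears in `getShortDescr` and the `hive` entry of `%config`. Write `'.exe'` in single quotes or drop the backslash. The file has `use strict;` but no `use warnings;`; adding it would have caught this and also flags the `" Cmd: ".$val` concatenation if `get_data()` returns undef.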


@ -0,0 +1,67 @@
#-----------------------------------------------------------
# cmdproc.pl
# Checks key for files to autostart from cmd.exe
#
# Change History
# 20130425 - added alertMsg() functionality
# 20130115 - created
#
# References:
#
# Category: autostart,malware,programexecution
#
# copyright 2013 Quantum Analytics Research,
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package cmdproc;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Autostart - get Command Processor\\AutoRun value from NTUSER\.DAT hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching cmdproc v.".$VERSION);
::rptMsg("cmdproc v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Command Processor";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $auto;
eval {
$auto = $key->get_value("AutoRun")->get_data();
::rptMsg("AutoRun = ".$auto);
::alertMsg("ALERT: cmdproc: ".$key_path." AutoRun value found: ".$auto);
};
if ($@) {
::rptMsg("AutoRun value not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;
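Review bot: The `if ($@) { ::rptMsg("AutoRun value not found."); }` after the eval reports any exception as a missing value, so a `get_data()` failure on a malformed value is recorded as "not found" while the alert is skipped; keep the error text where an analyst can see it, `::logMsg("cmdproc: ".$key_path." AutoRun: ".$@) if ($@);`. The alert also fires when AutoRun is present but empty, which cmd.exe treats as nothing to run; if presence alone is not meant to be alert-worthy, append `unless ($auto eq "")` to the `::alertMsg` call. `use warnings;` is missing next to `use strict;`.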


@ -0,0 +1,67 @@
#-----------------------------------------------------------
# cmdproc_tln.pl
# Checks key for files to autostart from cmd.exe
#
# Change History
# 20130425 - created
#
# References:
#
# Category: autostart,malware,programexecution
#
# copyright 2013 Quantum Analytics Research,
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package cmdproc_tln;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Autostart - get Command Processor\\AutoRun value from NTUSER\.DAT hive (TLN)";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching cmdproc_tln v.".$VERSION);
# ::rptMsg("cmdproc v.".$VERSION); # banner
# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Command Processor";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $lw = $key->get_timestamp();
my $auto;
eval {
$auto = $key->get_value("AutoRun")->get_data();
# ::rptMsg("AutoRun = ".$auto);
# ::alertMsg("ALERT: cmdproc: ".$key_path." AutoRun value found: ".$auto);
::alertMsg($lw."|ALERT|||HKCU\\".$key_path." AutoRun value found: ".$auto);
};
if ($@) {
# ::rptMsg("AutoRun value not found.");
}
}
else {
# ::rptMsg($key_path." not found.");
}
}
1;
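Review bot: The TLN alert at `::alertMsg($lw."|ALERT|||HKCU\\".$key_path." AutoRun value found: ".$auto);` prefixes the key path with `HKCU\`, while cmd_shell_tln.pl in the same commit prefixes its paths with the hive name `Software\`, so the timeline mixes root-key names and hive names in the same field; pick one convention across the _tln plugins (the hive name reflects what the plugin actually read). The `if ($@) { ... }` and `else { ... }` bodies hold only commented-out report-mode lines and so are empty blocks; either delete them or log the exception, `::logMsg("cmdproc_tln: ".$key_path.": ".$@) if ($@);`, since in TLN mode a parse failure is otherwise indistinguishable from a hive with no AutoRun value.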


@ -1,75 +1,77 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# codeid # codeid
# Get DefaultLevel value from CodeIdentifiers key # Get DefaultLevel value from CodeIdentifiers key
# #
# #
# Change History # Change History
# 20100608 - created # 20100608 - created
# #
# References # References
# SANS ISC blog - http://isc.sans.edu/diary.html?storyid=8917 # SANS ISC blog - http://isc.sans.edu/diary.html?storyid=8917
# CodeIdentifiers key # CodeIdentifiers key
# - http://technet.microsoft.com/en-us/library/bb457006.aspx # - http://technet.microsoft.com/en-us/library/bb457006.aspx
# SAFER_LEVELID_FULLYTRUSTED value # SAFER_LEVELID_FULLYTRUSTED value
# - http://msdn.microsoft.com/en-us/library/ms722424%28VS.85%29.aspx # - http://msdn.microsoft.com/en-us/library/ms722424%28VS.85%29.aspx
# (262144 == Unrestricted) # (262144 == Unrestricted)
# #
# copyright 2010 Quantum Analytics Research, LLC # copyright 2010 Quantum Analytics Research, LLC
#----------------------------------------------------------- #-----------------------------------------------------------
package codeid; package codeid;
use strict; use strict;
my %config = (hive => "Software", my %config = (hive => "Software",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20100608); version => 20100608);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets CodeIdentifier DefaultLevel value"; return "Gets CodeIdentifier DefaultLevel value";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching codeid v.".$VERSION); ::logMsg("Launching codeid v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("codeid v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $key_path = "Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers";
::rptMsg("CodeID"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
my $lastwrite = $key->get_timestamp(); ::rptMsg("CodeID");
::rptMsg(" LastWrite time: ".gmtime($lastwrite)." Z"); ::rptMsg($key_path);
::rptMsg(""); my $lastwrite = $key->get_timestamp();
::rptMsg(" LastWrite time: ".gmtime($lastwrite)." Z");
my $level; ::rptMsg("");
eval {
$level = $key->get_value("DefaultLevel")->get_data(); my $level;
::rptMsg(sprintf "DefaultLevel = 0x%08x",$level); eval {
}; $level = $key->get_value("DefaultLevel")->get_data();
::rptMsg(sprintf "DefaultLevel = 0x%08x",$level);
my $exe; };
eval {
$exe = $key->get_value("ExecutableTypes")->get_data(); my $exe;
$exe =~ s/\s/,/g; eval {
::rptMsg("ExecutableTypes = ".$exe); $exe = $key->get_value("ExecutableTypes")->get_data();
$exe =~ s/\s/,/g;
}; ::rptMsg("ExecutableTypes = ".$exe);
}
else { };
::rptMsg($key_path." not found."); }
} else {
} ::rptMsg($key_path." not found.");
}
}
1; 1;


@ -0,0 +1,686 @@
#-----------------------------------------------------------
# comdlg32.pl
# Plugin for Registry Ripper
#
# Change history
# 20121005 - updated to address shell item type 0x3A
# 20121005 - updated to parse shell item ID lists
# 20100409 - updated to include Vista and above
# 20100402 - updated IAW Chad Tilbury's post to SANS
# Forensic Blog
# 20080324 - created
#
# References
# Win2000 - http://support.microsoft.com/kb/319958
# XP - http://support.microsoft.com/kb/322948/EN-US/
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package comdlg32;
use strict;
use Time::Local;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20121008);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's ComDlg32 key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching comdlg32 v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
::rptMsg("comdlg32 v.".$VERSION);
::rptMsg("");
# LastVistedMRU
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32";
my $key;
my @vals;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @subkeys = $key->get_list_of_subkeys();
if (scalar @subkeys > 0) {
foreach my $s (@subkeys) {
if ($s->get_name() eq "LastVisitedMRU") {
::rptMsg("LastVisitedMRU");
::rptMsg("LastWrite: ".gmtime($s->get_timestamp()));
parseLastVisitedMRU($s);
::rptMsg("");
}
if ($s->get_name() eq "OpenSaveMRU") {
::rptMsg("OpenSaveMRU");
::rptMsg("LastWrite: ".gmtime($s->get_timestamp()));
parseOpenSaveMRU($s);
::rptMsg("");
}
if ($s->get_name() eq "CIDSizeMRU") {
::rptMsg("CIDSizeMRU");
::rptMsg("LastWrite: ".gmtime($s->get_timestamp()));
parseCIDSizeMRU($s);
::rptMsg("");
}
if ($s->get_name() eq "FirstFolder") {
::rptMsg("FirstFolder");
::rptMsg("LastWrite: ".gmtime($s->get_timestamp()));
parseFirstFolder($s);
::rptMsg("");
}
if ($s->get_name() eq "LastVisitedPidlMRU" || $s->get_name() eq "LastVisitedPidlMRULegacy") {
::rptMsg("LastVisitedPidlMRU");
::rptMsg("LastWrite: ".gmtime($s->get_timestamp()));
parseLastVisitedPidlMRU($s);
::rptMsg("");
}
if ($s->get_name() eq "OpenSavePidlMRU") {
::rptMsg("OpenSavePidlMRU");
::rptMsg("LastWrite: ".gmtime($s->get_timestamp()));
parseOpenSavePidlMRU($s);
::rptMsg("");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
sub parseLastVisitedMRU {
my $key = shift;
my %lvmru;
my @mrulist;
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
if (exists $lvmru{MRUList}) {
::rptMsg(" MRUList = ".$lvmru{MRUList});
@mrulist = split(//,$lvmru{MRUList});
delete($lvmru{MRUList});
foreach my $m (@mrulist) {
my ($file,$dir) = split(/\00\00/,$lvmru{$m},2);
$file =~ s/\00//g;
$dir =~ s/\00//g;
::rptMsg(" ".$m." -> EXE: ".$file);
::rptMsg(" -> Last Dir: ".$dir);
}
}
else {
::rptMsg("LastVisitedMRU key does not have an MRUList value.");
}
}
else {
::rptMsg("LastVisitedMRU key has no values.");
}
::rptMsg("");
}
sub parseOpenSaveMRU {
my $key = shift;
parseOpenSaveValues($key);
::rptMsg("");
# Now, let's get the subkeys
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
parseOpenSaveValues($s);
::rptMsg("");
}
}
else {
::rptMsg("OpenSaveMRU key has no subkeys.");
}
::rptMsg("");
}
sub parseOpenSaveValues {
my $key = shift;
::rptMsg("OpenSaveMRU\\".$key->get_name());
::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." Z");
my %osmru;
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
map{$osmru{$_->get_name()} = $_->get_data()}(@vals);
if (exists $osmru{MRUList}) {
::rptMsg(" MRUList = ".$osmru{MRUList});
my @mrulist = split(//,$osmru{MRUList});
delete($osmru{MRUList});
foreach my $m (@mrulist) {
::rptMsg(" ".$m." -> ".$osmru{$m});
}
}
else {
::rptMsg($key->get_name()." does not have an MRUList value.");
}
}
else {
::rptMsg($key->get_name()." has no values.");
}
}
sub parseCIDSizeMRU {
my $key = shift;
my %lvmru;
my @mrulist;
my @vals = $key->get_list_of_values();
my %mru;
my $count = 0;
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
::rptMsg("Note: All value names are listed in MRUListEx order.");
::rptMsg("");
if (exists $lvmru{MRUListEx}) {
my @mrulist = unpack("V*",$lvmru{MRUListEx});
foreach my $n (0..(scalar(@mrulist) - 2)) {
$mru{$count++} = $lvmru{$mrulist[$n]};
}
delete $mru{0xffffffff};
foreach my $m (sort {$a <=> $b} keys %mru) {
# my $file = parseStr($mru{$m});
my $file = (split(/\00\00/,$mru{$m},2))[0];
$file =~ s/\00//g;
::rptMsg(" ".$file);
}
}
else {
# ::rptMsg($key_path." does not have an MRUList value.");
}
}
else {
# ::rptMsg($key_path." has no values.");
}
}
sub parseFirstFolder {
my $key = shift;
my %lvmru;
my @mrulist;
my @vals = $key->get_list_of_values();
my %mru;
my $count = 0;
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
::rptMsg("Note: All value names are listed in MRUListEx order.");
::rptMsg("");
if (exists $lvmru{MRUListEx}) {
my @mrulist = unpack("V*",$lvmru{MRUListEx});
foreach my $n (0..(scalar(@mrulist) - 2)) {
$mru{$count++} = $lvmru{$mrulist[$n]};
}
delete $mru{0xffffffff};
foreach my $m (sort {$a <=> $b} keys %mru) {
# my $file = parseStr($mru{$m});
my @files = split(/\00\00/,$mru{$m});
if (scalar(@files) == 0) {
::rptMsg(" No files listed.");
}
elsif (scalar(@files) == 1) {
$files[0] =~ s/\00//g;
::rptMsg(" ".$files[0]);
}
elsif (scalar(@files) > 1) {
my @files2;
foreach my $file (@files) {
$file =~ s/\00//g;
push(@files2,$file);
}
::rptMsg(" ".join(' ',@files2));
}
else {
}
}
}
else {
# ::rptMsg($key_path." does not have an MRUList value.");
}
}
else {
# ::rptMsg($key_path." has no values.");
}
}
sub parseLastVisitedPidlMRU {
my $key = shift;
my %lvmru;
my @mrulist;
my @vals = $key->get_list_of_values();
my %mru;
my $count = 0;
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
::rptMsg("Note: All value names are listed in MRUListEx order.");
::rptMsg("");
if (exists $lvmru{MRUListEx}) {
my @mrulist = unpack("V*",$lvmru{MRUListEx});
foreach my $n (0..(scalar(@mrulist) - 2)) {
$mru{$count++} = $lvmru{$mrulist[$n]};
}
delete $mru{0xffffffff};
foreach my $m (sort {$a <=> $b} keys %mru) {
my ($file,$shell) = split(/\00\00/,$mru{$m},2);
$file =~ s/\00//g;
$shell =~ s/^\00//;
my $str = parseShellItem($shell);
::rptMsg(" ".$file." - ".$str);
}
}
else {
::rptMsg("LastVisitedPidlMRU key does not have an MRUList value.");
}
}
else {
::rptMsg("LastVisitedPidlMRU key has no values.");
}
}
#-----------------------------------------------------------
#
#-----------------------------------------------------------
sub parseOpenSavePidlMRU {
my $key = shift;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg("OpenSavePidlMRU\\".$s->get_name());
::rptMsg("LastWrite Time: ".gmtime($s->get_timestamp()));
my @vals = $s->get_list_of_values();
my %lvmru = ();
my @mrulist = ();
my %mru = ();
my $count = 0;
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
::rptMsg("Note: All value names are listed in MRUListEx order.");
::rptMsg("");
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
if (exists $lvmru{MRUListEx}) {
my @mrulist = unpack("V*",$lvmru{MRUListEx});
foreach my $n (0..(scalar(@mrulist) - 2)) {
$mru{$count++} = $lvmru{$mrulist[$n]};
}
delete $mru{0xffffffff};
foreach my $m (sort {$a <=> $b} keys %mru) {
my $str = parseShellItem($mru{$m});
::rptMsg(" ".$str);
}
}
}
else {
::rptMsg($s->get_name()." has no values.");
}
::rptMsg("");
}
}
else {
::rptMsg($key->get_name()." has no subkeys.");
}
}
#-----------------------------------------------------------
#
#-----------------------------------------------------------
sub parseShellItem {
my $data = shift;
my $len = length($data);
my $str;
my $tag = 1;
my $cnt = 0;
while ($tag) {
my %item = ();
my $sz = unpack("v",substr($data,$cnt,2));
$tag = 0 if (($sz == 0) || ($cnt + $sz > $len));
my $dat = substr($data,$cnt,$sz);
my $type = unpack("C",substr($dat,2,1));
# ::rptMsg(sprintf " Size: ".$sz." Type: 0x%x",$type);
if ($type == 0x1F) {
# System Folder
%item = parseSystemFolderEntry($dat);
$str .= "\\".$item{name};
}
elsif ($type == 0x2F) {
# Volume (Drive Letter)
%item = parseDriveEntry($dat);
$item{name} =~ s/\\$//;
$str .= "\\".$item{name};
}
elsif ($type == 0x31 || $type == 0x32 || $type == 0x3a || $type == 0x74) {
%item = parseFolderEntry($dat);
$str .= "\\".$item{name};
}
elsif ($type == 0x00) {
}
elsif ($type == 0xc3 || $type == 0x41 || $type == 0x42 || $type == 0x46 || $type == 0x47) {
# Network stuff
my $id = unpack("C",substr($dat,3,1));
if ($type == 0xc3 && $id != 0x01) {
%item = parseNetworkEntry($dat);
}
else {
%item = parseNetworkEntry($dat);
}
$str .= "\\".$item{name};
}
else {
$item{name} = sprintf "Unknown Type (0x%x)",$type;
$str .= "\\".$item{name};
}
$cnt += $sz;
}
$str =~ s/^\\//;
return $str;
}
#-----------------------------------------------------------
#
#-----------------------------------------------------------
sub parseSystemFolderEntry {
my $data = shift;
my %item = ();
my %vals = (0x00 => "Explorer",
0x42 => "Libraries",
0x44 => "Users",
0x4c => "Public",
0x48 => "My Documents",
0x50 => "My Computer",
0x58 => "My Network Places",
0x60 => "Recycle Bin",
0x68 => "Explorer",
0x70 => "Control Panel",
0x78 => "Recycle Bin",
0x80 => "My Games");
$item{type} = unpack("C",substr($data,2,1));
$item{id} = unpack("C",substr($data,3,1));
if (exists $vals{$item{id}}) {
$item{name} = $vals{$item{id}};
}
else {
$item{name} = parseGUID(substr($data,4,16));
}
return %item;
}
#-----------------------------------------------------------
# parseGUID()
# Takes 16 bytes of binary data, returns a string formatted
# as an MS GUID.
#-----------------------------------------------------------
sub parseGUID {
my $data = shift;
my $d1 = unpack("V",substr($data,0,4));
my $d2 = unpack("v",substr($data,4,2));
my $d3 = unpack("v",substr($data,6,2));
my $d4 = unpack("H*",substr($data,8,2));
my $d5 = unpack("H*",substr($data,10,6));
return sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3;
}
#-----------------------------------------------------------
#
#-----------------------------------------------------------
sub parseDriveEntry {
my $data = shift;
my %item = ();
$item{type} = unpack("C",substr($data,2,1));;
$item{name} = substr($data,3,3);
return %item;
}
#-----------------------------------------------------------
# parseNetworkEntry()
#
#-----------------------------------------------------------
sub parseNetworkEntry {
my $data = shift;
my %item = ();
$item{type} = unpack("C",substr($data,2,1));
my @n = split(/\00/,substr($data,4,length($data) - 4));
$item{name} = $n[0];
$item{name} =~ s/^\W//;
return %item;
}
#-----------------------------------------------------------
#
#-----------------------------------------------------------
sub parseFolderEntry {
my $data = shift;
my %item = ();
$item{type} = unpack("C",substr($data,2,1));
# Type 0x74 folders have a slightly different format
my $ofs_mdate;
my $ofs_shortname;
if ($item{type} == 0x74) {
$ofs_mdate = 0x12;
}
elsif (substr($data,4,4) eq "AugM") {
$ofs_mdate = 0x1c;
}
elsif ($item{type} == 0x31 || $item{type} == 0x32 || $item{type} == 0x3a) {
$ofs_mdate = 0x08;
}
else {}
# some type 0x32 items will include a file size
if ($item{type} == 0x32) {
my $size = unpack("V",substr($data,4,4));
if ($size != 0) {
$item{filesize} = $size;
}
}
my @m = unpack("vv",substr($data,$ofs_mdate,4));
($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]);
# Need to read in short name; nul-term ASCII
# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0];
$ofs_shortname = $ofs_mdate + 6;
my $tag = 1;
my $cnt = 0;
my $str = "";
while($tag) {
my $s = substr($data,$ofs_shortname + $cnt,1);
if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
$tag = 0;
}
else {
$str .= $s;
$cnt++;
}
}
# $str =~ s/\00//g;
my $shortname = $str;
my $ofs = $ofs_shortname + $cnt + 1;
# Read progressively, 1 byte at a time, looking for 0xbeef
my $tag = 1;
my $cnt = 0;
while ($tag) {
if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
$tag = 0;
}
else {
$cnt++;
}
}
$item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2));
# ::rptMsg(sprintf " BEEF Offset: 0x%x",$ofs + $cnt);
# ::rptMsg(" Version: ".$item{extver});
$ofs = $ofs + $cnt + 2;
my @m = unpack("vv",substr($data,$ofs,4));
($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]);
$ofs += 4;
my @m = unpack("vv",substr($data,$ofs,4));
($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]);
$ofs += 4;
my $jmp;
if ($item{extver} == 0x03) {
$jmp = 8;
}
elsif ($item{extver} == 0x07) {
$jmp = 22;
}
elsif ($item{extver} == 0x08) {
$jmp = 26;
}
else {}
$ofs += $jmp;
# ::rptMsg(sprintf " Offset: 0x%x",$ofs);
my $str = substr($data,$ofs,length($data) - $ofs);
my $longname = (split(/\00\00/,$str,2))[0];
$longname =~ s/\00//g;
if ($longname ne "") {
$item{name} = $longname;
}
else {
$item{name} = $shortname;
}
return %item;
}
#-----------------------------------------------------------
# convertDOSDate()
# subroutine to convert 4 bytes of binary data into a human-
# readable format. Returns both a string and a Unix-epoch
# time.
#-----------------------------------------------------------
sub convertDOSDate {
my $date = shift;
my $time = shift;
if ($date == 0x00 || $time == 0x00){
return (0,0);
}
else {
my $sec = ($time & 0x1f) * 2;
$sec = "0".$sec if (length($sec) == 1);
if ($sec == 60) {$sec = 59};
my $min = ($time & 0x7e0) >> 5;
$min = "0".$min if (length($min) == 1);
my $hr = ($time & 0xF800) >> 11;
$hr = "0".$hr if (length($hr) == 1);
my $day = ($date & 0x1f);
$day = "0".$day if (length($day) == 1);
my $mon = ($date & 0x1e0) >> 5;
$mon = "0".$mon if (length($mon) == 1);
my $yr = (($date & 0xfe00) >> 9) + 1980;
my $gmtime = timegm($sec,$min,$hr,$day,($mon - 1),$yr);
return ("$yr-$mon-$day $hr:$min:$sec",$gmtime);
# return gmtime(timegm($sec,$min,$hr,$day,($mon - 1),$yr));
}
}
#-----------------------------------------------------------
# printData()
# subroutine used primarily for debugging; takes an arbitrary
# length of binary data, prints it out in hex editor-style
# format for easy debugging
#-----------------------------------------------------------
sub printData {
my $data = shift;
my $len = length($data);
my $tag = 1;
my $cnt = 0;
my $loop = $len/16;
$loop++ if ($len%16);
foreach my $cnt (0..($loop - 1)) {
# while ($tag) {
my $left = $len - ($cnt * 16);
my $n;
($left < 16) ? ($n = $left) : ($n = 16);
my $seg = substr($data,$cnt * 16,$n);
my @str1 = split(//,unpack("H*",$seg));
my @s3;
my $str = "";
foreach my $i (0..($n - 1)) {
$s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) {
$str .= chr(hex($s3[$i]));
}
else {
$str .= "\.";
}
}
my $h = join(' ',@s3);
::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h);
}
}
1;
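Review bot: parseFolderEntry walks shell-item bytes with two unbounded `while ($tag)` loops (the short-name scan and the 0xbeef-marker scan); when a truncated or malformed item has no NUL terminator at an even offset, or no 0xbeef marker, `substr` runs past the end of `$data`, the exit condition never becomes true and the plugin spins forever on that hive. Bound both loops by the item length, e.g. at the top of the marker loop `if ($ofs + $cnt + 2 > length($data)) { $item{name} = $shortname; return %item; }` and at the top of the short-name loop `last if ($ofs_shortname + $cnt >= length($data));`. Related, an `extver` other than 0x03/0x07/0x08 leaves `$jmp` undefined (the trailing `else {}`), so `$ofs += $jmp` silently adds nothing and the long name is read from the wrong offset; `my $jmp = 0;` plus a report of the unknown version would make that explicit. The file also redeclares `my $tag`, `my $cnt`, `my @m` and `my $str` inside the same scope, which `use strict` accepts but which would trigger "masks earlier declaration" warnings if `use warnings` were added, as it should be for a new file.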


@ -1,66 +1,71 @@
#! c:\perl\bin\perl.exe #-----------------------------------------------------------
#----------------------------------------------------------- # compatassist.pl
# muicache.pl # Provides indication of applications run; see the Reference listed
# Plugin for Registry Ripper, NTUSER.DAT edition - gets the # below; note that there are no time stamps associated with this
# MUICache values # information. Note: Value names that start with "SIGN.MEDIA" indicate
# # that the app was run from removable media
# Change history #
# # Category: Programs launched by user
# #
# # Change history
# copyright 2008 H. Carvey # 20120515 - created
#----------------------------------------------------------- #
package muicache; # References
use strict; # http://msdn.microsoft.com/en-us/library/bb756937.aspx
#
my %config = (hive => "NTUSER\.DAT", # copyright 2012 Quantum Analytics Research, LLC
hasShortDescr => 1, # Author: H. Carvey, keydet89@yahoo.com
hasDescr => 0, #-----------------------------------------------------------
hasRefs => 0, package compatassist;
osmask => 22, use strict;
version => 20080324);
my %config = (hive => "NTUSER\.DAT",
sub getConfig{return %config} hasShortDescr => 1,
sub getShortDescr { hasDescr => 0,
return "Gets EXEs from user's MUICache key"; hasRefs => 0,
} osmask => 22,
sub getDescr{} version => 20120515);
sub getRefs {}
sub getHive {return $config{hive};} sub getConfig{return %config}
sub getVersion {return $config{version};} sub getShortDescr {
return "Checks user's Compatibility Assistant\\Persisted values";
my $VERSION = getVersion(); }
sub getDescr{}
sub pluginmain { sub getRefs {}
my $class = shift; sub getHive {return $config{hive};}
my $ntuser = shift; sub getVersion {return $config{version};}
::logMsg("Launching muicache v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser); my $VERSION = getVersion();
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache'; sub pluginmain {
my $key; my $class = shift;
if ($key = $root_key->get_subkey($key_path)) { my $ntuser = shift;
::rptMsg("MUICache"); my @temps;
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); ::logMsg("Launching compatassist v.".$VERSION);
my @vals = $key->get_list_of_values(); my $reg = Parse::Win32Registry->new($ntuser);
if (scalar(@vals) > 0) { my $root_key = $reg->get_root_key;
foreach my $v (@vals) {
my $name = $v->get_name(); my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted';
next if ($name =~ m/^@/ || $name eq "LangID"); my $key;
my $data = $v->get_data(); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("\t".$name." (".$data.")"); ::rptMsg("compatassist");
} ::rptMsg($key_path);
} ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
else { my @vals = $key->get_list_of_values();
::rptMsg($key_path." has no values."); if (scalar(@vals) > 0) {
::logMsg($key_path." has no values."); foreach my $v (@vals) {
} my $name = $v->get_name();
} ::rptMsg(" ".$name);
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." has no values.");
} }
}
else {
::rptMsg($key_path." not found.");
}
}
1; 1;
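Review bot: pluginmain in the new compatassist.pl declares `my @temps;` and never uses it, and unlike the other plugins touched by this commit (compdesc, compname, controlpanel, cpldontload) it does not print the version banner after the `::logMsg` call. Dropping the unused array and adding `::rptMsg("compatassist v.".$VERSION); # banner` and `::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner` would bring it in line with its siblings. The header comment says value names starting with "SIGN.MEDIA" indicate the application ran from removable media, yet the loop prints every name identically; a comment on the loop such as `# names prefixed SIGN.MEDIA were run from removable media; see header reference` would carry that forensic hint to whoever reads the report, or the plugin could tag those entries in its output.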


@ -1,65 +1,67 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# compdesc.pl # compdesc.pl
# Plugin for Registry Ripper, # Plugin for Registry Ripper,
# ComputerDescriptions key parser # ComputerDescriptions key parser
# #
# Change history # Change history
# #
# #
# References # References
# #
# #
# copyright 2008 H. Carvey # copyright 2008 H. Carvey
#----------------------------------------------------------- #-----------------------------------------------------------
package compdesc; package compdesc;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20080324); version => 20080324);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets contents of user's ComputerDescriptions key"; return "Gets contents of user's ComputerDescriptions key";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
::logMsg("Launching compdesc v.".$VERSION); ::logMsg("Launching compdesc v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser); ::rptMsg("compdesc v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions'; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions';
::rptMsg("ComputerDescriptions"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); ::rptMsg("ComputerDescriptions");
my @vals = $key->get_list_of_values(); ::rptMsg($key_path);
if (scalar(@vals) > 0) { ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
foreach my $v (@vals) { my @vals = $key->get_list_of_values();
::rptMsg(" ".$v->get_name()." ".$v->get_data()); if (scalar(@vals) > 0) {
} foreach my $v (@vals) {
} ::rptMsg(" ".$v->get_name()." ".$v->get_data());
else { }
::rptMsg($key_path." has no values."); }
::logMsg($key_path." has no values."); else {
} ::rptMsg($key_path." has no values.");
} ::logMsg($key_path." has no values.");
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} ::logMsg($key_path." not found.");
}
}
1; 1;
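Review bot: The new banner line `::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner` embeds a trailing `"\n"` in the message, while every other blank line in this file is produced with a separate `::rptMsg("")`; if rptMsg appends its own newline this produces a double blank line, and either way the report layout now depends on how rptMsg is implemented, which is not visible here. `::rptMsg("(".$config{hive}.") ".getShortDescr()); ::rptMsg("");` keeps the file consistent with itself. The same two banner lines are added in compname, controlpanel and cpldontload in this commit, so the same change applies there. The banner is also emitted before `Parse::Win32Registry->new` runs, so a hive that cannot be opened still yields a banner with nothing under it; a short "could not open hive" message in that path would help an analyst tell "key not present" from "file unreadable".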


@ -1,75 +1,77 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# compname.pl # compname.pl
# Plugin for Registry Ripper; Access System hive file to get the # Plugin for Registry Ripper; Access System hive file to get the
# computername # computername
# #
# Change history # Change history
# 20090727 - added Hostname # 20090727 - added Hostname
# #
# References # References
# http://support.microsoft.com/kb/314053/ # http://support.microsoft.com/kb/314053/
# #
# copyright 2009 H. Carvey # copyright 2009 H. Carvey
#----------------------------------------------------------- #-----------------------------------------------------------
package compname; package compname;
use strict; use strict;
my %config = (hive => "System", my %config = (hive => "System",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20090727); version => 20090727);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets ComputerName and Hostname values from System hive"; return "Gets ComputerName and Hostname values from System hive";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching compname v.".$VERSION); ::logMsg("Launching compname v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("compname v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
# First thing to do is get the ControlSet00x marked current...this is my $reg = Parse::Win32Registry->new($hive);
# going to be used over and over again in plugins that access the system my $root_key = $reg->get_root_key;
# file # First thing to do is get the ControlSet00x marked current...this is
my ($current,$ccs); # going to be used over and over again in plugins that access the system
my $key_path = 'Select'; # file
my $key; my ($current,$ccs);
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Select';
$current = $key->get_value("Current")->get_data(); my $key;
$ccs = "ControlSet00".$current; if ($key = $root_key->get_subkey($key_path)) {
my $cn_path = $ccs."\\Control\\ComputerName\\ComputerName"; $current = $key->get_value("Current")->get_data();
my $cn; $ccs = "ControlSet00".$current;
if ($cn = $root_key->get_subkey($cn_path)) { my $cn_path = $ccs."\\Control\\ComputerName\\ComputerName";
my $name = $cn->get_value("ComputerName")->get_data(); my $cn;
::rptMsg("ComputerName = ".$name); if ($cn = $root_key->get_subkey($cn_path)) {
} my $name = $cn->get_value("ComputerName")->get_data();
else { ::rptMsg("ComputerName = ".$name);
::rptMsg($cn_path." not found."); }
::logMsg($cn_path." not found."); else {
} ::rptMsg($cn_path." not found.");
} ::logMsg($cn_path." not found.");
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
my $hostname; }
eval {
my $host_path = $ccs."\\Services\\Tcpip\\Parameters"; my $hostname;
$hostname = $root_key->get_subkey($host_path)->get_value("Hostname")->get_data(); eval {
::rptMsg("TCP/IP Hostname = ".$hostname); my $host_path = $ccs."\\Services\\Tcpip\\Parameters";
}; $hostname = $root_key->get_subkey($host_path)->get_value("Hostname")->get_data();
::rptMsg("TCP/IP Hostname = ".$hostname);
} };
}
1; 1;
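Review bot: `$ccs = "ControlSet00".$current;` builds the control-set key name by concatenation, so a Select\Current value of 10 or more yields `ControlSet0010` instead of `ControlSet010`; `$ccs = sprintf "ControlSet%03d",$current;` handles every value. The line is unchanged by this commit but is in the reviewed code, and a wrong `$ccs` silently reports "not found" for both ComputerName and Hostname rather than an error. The preceding `$key->get_value("Current")->get_data()` calls a method on whatever get_value returns when the value is absent (undef, as far as I know of Parse::Win32Registry), and whether the resulting die is caught depends on the plugin loader, which is outside this hunk; `my $cur = $key->get_value("Current") or return ::rptMsg("Select\\Current not found.");` would make the failure explicit and local.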


@ -1,64 +1,66 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# controlpanel.pl # controlpanel.pl
# Vista ControlPanel key seems to contain some interesting info about the # Vista ControlPanel key seems to contain some interesting info about the
# user's activities... # user's activities...
# #
# copyright 2008 H. Carvey, keydet89@yahoo.com # copyright 2008 H. Carvey, keydet89@yahoo.com
#----------------------------------------------------------- #-----------------------------------------------------------
package controlpanel; package controlpanel;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
osmask => 64, osmask => 64,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20080428); version => 20080428);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Look for RecentTask* values in ControlPanel key (Vista)"; return "Look for RecentTask* values in ControlPanel key (Vista)";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching controlpanel v.".$VERSION); ::logMsg("Launching controlpanel v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("controlpanel v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel";
::rptMsg($key_path); my $key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg($key_path);
::rptMsg("Analysis Tip: The RecentTask* entries appear to only be populated through the"); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("choices in the Control Panel Home view (in Vista). As each new choice is"); ::rptMsg("");
::rptMsg("selected, the most recent choice is added as RecentTask1, and each "); ::rptMsg("Analysis Tip: The RecentTask* entries appear to only be populated through the");
::rptMsg("RecentTask* entry is incremented and pushed down in the stack."); ::rptMsg("choices in the Control Panel Home view (in Vista). As each new choice is");
::rptMsg(""); ::rptMsg("selected, the most recent choice is added as RecentTask1, and each ");
my @vals = $key->get_list_of_values(); ::rptMsg("RecentTask* entry is incremented and pushed down in the stack.");
if (scalar(@vals) > 0) { ::rptMsg("");
foreach my $v (@vals) { my @vals = $key->get_list_of_values();
my $str = sprintf "%-15s %-45s",$v->get_name(),$v->get_data(); if (scalar(@vals) > 0) {
::rptMsg($str); foreach my $v (@vals) {
} my $str = sprintf "%-15s %-45s",$v->get_name(),$v->get_data();
::rptMsg(""); ::rptMsg($str);
} }
else { ::rptMsg("");
::rptMsg($key_path." has no values."); }
} else {
} ::rptMsg($key_path." has no values.");
else { }
::rptMsg($key_path." not found."); }
} else {
} ::rptMsg($key_path." not found.");
}
}
1; 1;


@ -1,72 +1,74 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# cpldontload.pl # cpldontload.pl
# Check contents of user's Control Panel\don't load key # Check contents of user's Control Panel\don't load key
# #
# Change history # Change history
# 20100116 - created # 20100116 - created
# #
# References # References
# W32.Nekat - http://www.symantec.com/security_response/ # W32.Nekat - http://www.symantec.com/security_response/
# writeup.jsp?docid=2008-011419-0705-99&tabid=2 # writeup.jsp?docid=2008-011419-0705-99&tabid=2
# http://www.2-viruses.com/remove-antispywarexp2009 # http://www.2-viruses.com/remove-antispywarexp2009
# #
# Notes: Some malware appears to hide various Control Panel applets # Notes: Some malware appears to hide various Control Panel applets
# using this means. If some sort of malware/spyware is thought # using this means. If some sort of malware/spyware is thought
# to be on the system, check the settings and note the key # to be on the system, check the settings and note the key
# LastWrite time. # LastWrite time.
# #
# #
# copyright 2010 Quantum Analytics Research, LLC # copyright 2010 Quantum Analytics Research, LLC
#----------------------------------------------------------- #-----------------------------------------------------------
package cpldontload; package cpldontload;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20100116); version => 20100116);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets contents of user's Control Panel don't load key"; return "Gets contents of user's Control Panel don't load key";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
::logMsg("Launching cpldontload v.".$VERSION); ::logMsg("Launching cpldontload v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser); ::rptMsg("cpldontload v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $key_path = "Control Panel\\don\'t load"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Control Panel\\don\'t load";
::rptMsg($key_path); my $key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values(); ::rptMsg("");
if (scalar @vals > 0) {
foreach my $v (@vals) { my @vals = $key->get_list_of_values();
my $str = sprintf "%-20s %-5s",$v->get_name(),$v->get_data(); if (scalar @vals > 0) {
::rptMsg($str); foreach my $v (@vals) {
} my $str = sprintf "%-20s %-5s",$v->get_name(),$v->get_data();
} ::rptMsg($str);
else { }
::rptMsg($key_path." has no values."); }
} else {
} ::rptMsg($key_path." has no values.");
else { }
::rptMsg($key_path." not found."); }
} else {
} ::rptMsg($key_path." not found.");
}
}
1; 1;
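Review bot: The value loop below the LastWrite line in pluginmain passes `$v->get_data()` straight into `sprintf "%-20s %-5s"`, so a REG_BINARY or REG_DWORD value (malware hiding an applet is not obliged to write the usual string) lands in the report as raw bytes or a bare integer with no indication of type. Parse::Win32Registry's `get_data_as_string()` appears to render any value type readably; `my $str = sprintf "%-20s %-5s",$v->get_name(),$v->get_data_as_string();` would be safer for a report that is read by people and pasted into tickets. The applet name is the value *name*, so the data column is secondary, but the hidden-applet context from the header comment is worth repeating in the output, e.g. `::rptMsg("Values listed here name Control Panel applets hidden from the user.");` before the loop.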


@ -1,93 +1,95 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# crashcontrol.pl # crashcontrol.pl
# #
# Ref: # Ref:
# http://support.microsoft.com/kb/254649 # http://support.microsoft.com/kb/254649
# http://support.microsoft.com/kb/274598 # http://support.microsoft.com/kb/274598
# #
# copyright 2008-2009 H. Carvey, keydet89@yahoo.com # copyright 2008-2009 H. Carvey, keydet89@yahoo.com
#----------------------------------------------------------- #-----------------------------------------------------------
package crashcontrol; package crashcontrol;
use strict; use strict;
my %config = (hive => "System", my %config = (hive => "System",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20081212); version => 20081212);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Get crash control information"; return "Get crash control information";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
my %dumpenabled = (0 => "None", my %dumpenabled = (0 => "None",
1 => "Complete memory dump", 1 => "Complete memory dump",
2 => "Kernel memory dump", 2 => "Kernel memory dump",
3 => "Small (64kb) memory dump"); 3 => "Small (64kb) memory dump");
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching crashcontrol v.".$VERSION); ::logMsg("Launching crashcontrol v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("crashcontrol v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
# Code for System file, getting CurrentControlSet my $root_key = $reg->get_root_key;
my $current;
my $key_path = 'Select'; # Code for System file, getting CurrentControlSet
my $key; my $current;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Select';
$current = $key->get_value("Current")->get_data(); my $key;
if ($key = $root_key->get_subkey($key_path)) {
my $cc_path = "ControlSet00".$current."\\Control\\CrashControl"; $current = $key->get_value("Current")->get_data();
my $cc;
my $cc_path = "ControlSet00".$current."\\Control\\CrashControl";
if ($cc = $root_key->get_subkey($cc_path)) { my $cc;
eval { if ($cc = $root_key->get_subkey($cc_path)) {
my $cde = $cc->get_value("CrashDumpEnabled")->get_data();
::rptMsg("CrashDumpEnabled = ".$cde." [".$dumpenabled{$cde}."]"); eval {
}; my $cde = $cc->get_value("CrashDumpEnabled")->get_data();
::rptMsg("CrashDumpEnabled = ".$cde." [".$dumpenabled{$cde}."]");
eval { };
my $df = $cc->get_value("DumpFile")->get_data();
::rptMsg("DumpFile = ".$df); eval {
}; my $df = $cc->get_value("DumpFile")->get_data();
::rptMsg("DumpFile = ".$df);
eval { };
my $mini = $cc->get_value("MinidumpDir")->get_data();
::rptMsg("MinidumpDir = ".$mini); eval {
}; my $mini = $cc->get_value("MinidumpDir")->get_data();
::rptMsg("MinidumpDir = ".$mini);
eval { };
my $logevt = $cc->get_value("LogEvent")->get_data();
::rptMsg("LogEvent = ".$logevt); eval {
::rptMsg(" Logs an event to the System Event Log (event ID = 1001, source = Save Dump)") if ($logevt == 1); my $logevt = $cc->get_value("LogEvent")->get_data();
}; ::rptMsg("LogEvent = ".$logevt);
::rptMsg(" Logs an event to the System Event Log (event ID = 1001, source = Save Dump)") if ($logevt == 1);
eval { };
my $sendalert = $cc->get_value("SendAlert")->get_data();
::rptMsg("SendAlert = ".$sendalert); eval {
::rptMsg(" Sends a \'net send\' pop-up if a crash occurs") if ($sendalert == 1); my $sendalert = $cc->get_value("SendAlert")->get_data();
}; ::rptMsg("SendAlert = ".$sendalert);
::rptMsg(" Sends a \'net send\' pop-up if a crash occurs") if ($sendalert == 1);
};
}
else {
::rptMsg($cc_path." not found."); }
} else {
} ::rptMsg($cc_path." not found.");
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} ::logMsg($key_path." not found.");
1; }
}
1;
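Review bot: In the CrashDumpEnabled eval, `$dumpenabled{$cde}` is interpolated without checking that the key exists, so any value outside 0–3 (I believe newer Windows releases use additional codes) prints `[ ]` with an undef concatenation instead of flagging an unknown setting; write `my $label = exists $dumpenabled{$cde} ? $dumpenabled{$cde} : "Unknown";` and report that. The same concern applies to `$key->get_value("Current")->get_data()` near the top of pluginmain, which is the only lookup not wrapped in eval and dies on a hive whose Select key lacks a Current value, aborting the plugin before any CrashControl output. Each of the five eval blocks also swallows a missing value silently; since a reader cannot tell "not set" from "not parsed", a `::rptMsg("CrashDumpEnabled value not found.") if ($@);` after each eval would make the report honest about gaps.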


@ -1,143 +1,145 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# ctrlpnl.pl # ctrlpnl.pl
# Get Control Panel info from the Software hive # Get Control Panel info from the Software hive
# #
# Change history: # Change history:
# 20100116 - created # 20100116 - created
# #
# References: # References:
# http://support.microsoft.com/kb/292463 # http://support.microsoft.com/kb/292463
# http://learning.infocollections.com/ebook%202/Computer/ # http://learning.infocollections.com/ebook%202/Computer/
# Operating%20Systems/Windows/Windows.XP.Hacks/ # Operating%20Systems/Windows/Windows.XP.Hacks/
# 0596005113_winxphks-chp-2-sect-3.html # 0596005113_winxphks-chp-2-sect-3.html
# http://msdn.microsoft.com/en-us/library/cc144195%28VS.85%29.aspx # http://msdn.microsoft.com/en-us/library/cc144195%28VS.85%29.aspx
# #
# Notes: # Notes:
# #
# copyright 2010 Quantum Analytics Research, LLC # copyright 2010 Quantum Analytics Research, LLC
#----------------------------------------------------------- #-----------------------------------------------------------
package ctrlpnl; package ctrlpnl;
use strict; use strict;
my %config = (hive => "Software", my %config = (hive => "Software",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20100116); version => 20100116);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Get Control Panel info from Software hive"; return "Get Control Panel info from Software hive";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
my %comp; my %comp;
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching ctrlpnl v.".$VERSION); ::logMsg("Launching ctrlpnl v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("ctrlpnl v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $key_path = "Microsoft\\Windows\\CurrentVersion\\Control Panel"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Microsoft\\Windows\\CurrentVersion\\Control Panel";
::rptMsg(""); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg("");
::rptMsg($key_path);
# Cpls section ::rptMsg("");
if (my $cpl = $key->get_subkey("Cpls")) {
my @vals = $cpl->get_list_of_values(); # Cpls section
if (scalar @vals > 0) { if (my $cpl = $key->get_subkey("Cpls")) {
::rptMsg("Cpls key"); my @vals = $cpl->get_list_of_values();
foreach my $v (@vals) { if (scalar @vals > 0) {
my $str = sprintf "%-10s %-50s",$v->get_name(),$v->get_data(); ::rptMsg("Cpls key");
::rptMsg($str); foreach my $v (@vals) {
} my $str = sprintf "%-10s %-50s",$v->get_name(),$v->get_data();
::rptMsg(""); ::rptMsg($str);
} }
else { ::rptMsg("");
::rptMsg("Cpls key has no values."); }
} else {
} ::rptMsg("Cpls key has no values.");
else { }
::rptMsg("Cpls key not found."); }
} else {
::rptMsg("Cpls key not found.");
# don't load section }
# The 'don't load' key prevents applets from being loaded
# Be sure to check the user's don't load key, as well # don't load section
if (my $cpl = $key->get_subkey("don't load")) { # The 'don't load' key prevents applets from being loaded
my @vals = $cpl->get_list_of_values(); # Be sure to check the user's don't load key, as well
if (scalar @vals > 0) { if (my $cpl = $key->get_subkey("don't load")) {
::rptMsg("don't load key"); my @vals = $cpl->get_list_of_values();
foreach my $v (@vals) { if (scalar @vals > 0) {
::rptMsg($v->get_name()); ::rptMsg("don't load key");
} foreach my $v (@vals) {
::rptMsg(""); ::rptMsg($v->get_name());
} }
else { ::rptMsg("");
::rptMsg("don't load key has no values."); }
} else {
} ::rptMsg("don't load key has no values.");
else { }
::rptMsg("don't load key not found."); }
} else {
::rptMsg("don't load key not found.");
# Extended Properties section }
if (my $ext = $key->get_subkey("Extended Properties")) {
my @sk = $ext->get_list_of_subkeys(); # Extended Properties section
if (scalar @sk > 0) { if (my $ext = $key->get_subkey("Extended Properties")) {
foreach my $s (@sk) { my @sk = $ext->get_list_of_subkeys();
my @vals = $s->get_list_of_values(); if (scalar @sk > 0) {
if (scalar @vals > 0) { foreach my $s (@sk) {
::rptMsg($s->get_name()." [".gmtime($s->get_timestamp)." UTC]"); my @vals = $s->get_list_of_values();
if (scalar @vals > 0) {
# Ref: http://support.microsoft.com/kb/292463 ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp)." UTC]");
my %cat = (0x00000000 => "Other Control Panel Options",
0x00000001 => "Appearance and Themes", # Ref: http://support.microsoft.com/kb/292463
0x00000002 => "Printers and Other Hardware", my %cat = (0x00000000 => "Other Control Panel Options",
0x00000003 => "Network and Internet Connections", 0x00000001 => "Appearance and Themes",
0x00000004 => "Sounds, Speech, and Audio Devices", 0x00000002 => "Printers and Other Hardware",
0x00000005 => "Performance and Maintenance", 0x00000003 => "Network and Internet Connections",
0x00000006 => "Date, Time, Language, and Regional Options", 0x00000004 => "Sounds, Speech, and Audio Devices",
0x00000007 => "Accessibility Options", 0x00000005 => "Performance and Maintenance",
0xFFFFFFFF => "No Category"); 0x00000006 => "Date, Time, Language, and Regional Options",
my %prop; 0x00000007 => "Accessibility Options",
foreach my $v (@vals) { 0xFFFFFFFF => "No Category");
push(@{$prop{$v->get_data()}},$v->get_name()); my %prop;
} foreach my $v (@vals) {
push(@{$prop{$v->get_data()}},$v->get_name());
foreach my $t (sort {$a <=> $b} keys %prop) { }
(exists $cat{$t}) ? (::rptMsg($cat{$t})) : (::rptMsg("Category ".$t));
foreach my $i (@{$prop{$t}}) { foreach my $t (sort {$a <=> $b} keys %prop) {
::rptMsg(" ".$i); (exists $cat{$t}) ? (::rptMsg($cat{$t})) : (::rptMsg("Category ".$t));
} foreach my $i (@{$prop{$t}}) {
::rptMsg(""); ::rptMsg(" ".$i);
} }
} ::rptMsg("");
} }
::rptMsg(""); }
} }
else { ::rptMsg("");
::rptMsg("Extended Properties key has no subkeys."); }
} else {
} ::rptMsg("Extended Properties key has no subkeys.");
else { }
::rptMsg("Extended Properties key not found."); }
} else {
} ::rptMsg("Extended Properties key not found.");
else { }
::rptMsg($key_path." not found."); }
} else {
} ::rptMsg($key_path." not found.");
}
}
1; 1;
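Review bot: The `%cat` category table is declared and rebuilt inside the per-subkey loop of the Extended Properties section, once for every subkey that has values, while the file-scope `my %comp;` just above pluginmain is never referenced. Moving `%cat` to file scope beside `%comp` (or in its place) keeps the lookup table in one obvious spot and avoids reconstructing it on each iteration; the loop body would reference `$cat{$t}` unchanged. Separately, `sort {$a <=> $b} keys %prop` assumes every value's data is numeric; as far as I can tell a REG_SZ value under an applet subkey would compare as 0 and be ordered surprisingly, so a comment stating the assumption would help.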


@ -1,82 +1,84 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# ddm.pl # ddm.pl
# #
# History: # History:
# 20081129 - created # 20081129 - created
# #
# Note - Not really sure what this is for or could be used for, other # Note - Not really sure what this is for or could be used for, other
# than to show devices that had been connected to the system # than to show devices that had been connected to the system
# #
# #
# copyright 2008 H. Carvey, keydet89@yahoo.com # copyright 2008 H. Carvey, keydet89@yahoo.com
#----------------------------------------------------------- #-----------------------------------------------------------
package ddm; package ddm;
use strict; use strict;
my %config = (hive => "System", my %config = (hive => "System",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20081129); version => 20081129);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Get DDM data from Control Subkey"; return "Get DDM data from Control Subkey";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching ddm v.".$VERSION); ::logMsg("Launching ddm v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("ddm v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
# Code for System file, getting CurrentControlSet my $root_key = $reg->get_root_key;
my $current;
my $key_path = 'Select'; # Code for System file, getting CurrentControlSet
my $key; my $current;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Select';
$current = $key->get_value("Current")->get_data(); my $key;
my $ccs = "ControlSet00".$current; if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $key_path = $ccs."\\Control\\DDM"; my $ccs = "ControlSet00".$current;
my $key;
my %dev; my $key_path = $ccs."\\Control\\DDM";
if ($key = $root_key->get_subkey($key_path)) { my $key;
my @subkeys = $key->get_list_of_subkeys(); my %dev;
if (scalar (@subkeys) > 0) { if ($key = $root_key->get_subkey($key_path)) {
foreach my $s (@subkeys) { my @subkeys = $key->get_list_of_subkeys();
my $name = $s->get_name(); if (scalar (@subkeys) > 0) {
my $tag = (split(/\./,$name,2))[1]; foreach my $s (@subkeys) {
$dev{$tag}{timestamp} = $s->get_timestamp(); my $name = $s->get_name();
eval { my $tag = (split(/\./,$name,2))[1];
$dev{$tag}{make} = $s->get_value("MakeName")->get_data(); $dev{$tag}{timestamp} = $s->get_timestamp();
$dev{$tag}{model} = $s->get_value("ModelName")->get_data(); eval {
}; $dev{$tag}{make} = $s->get_value("MakeName")->get_data();
} $dev{$tag}{model} = $s->get_value("ModelName")->get_data();
foreach my $d (sort keys %dev) { };
::rptMsg(gmtime($dev{$d}{timestamp})."Z Device\.".$d." ".$dev{$d}{make}." ".$dev{$d}{model}); }
} foreach my $d (sort keys %dev) {
} ::rptMsg(gmtime($dev{$d}{timestamp})."Z Device\.".$d." ".$dev{$d}{make}." ".$dev{$d}{model});
else { }
::rptMsg($key_path." has no subkeys."); }
} else {
} ::rptMsg($key_path." has no subkeys.");
else { }
::rptMsg($key_path." not found."); }
# ::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} # ::logMsg($key_path." not found.");
else { }
::logMsg("Current value not found."); }
} else {
} ::logMsg("Current value not found.");
}
}
1; 1;
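Review bot: The final `else` branch of pluginmain fires when `Select` itself is missing, yet it logs `Current value not found.` and only through `::logMsg`, so the report file says nothing about why there is no DDM output. Change it to `::rptMsg($key_path." not found."); ::logMsg($key_path." not found.");` to match the sibling branch and the other plugins in this commit. Further up, `my $tag = (split(/\./,$name,2))[1];` yields undef for a subkey name without a dot, so that entry collapses into the `""` key of `%dev` and is printed as `Device.` with nothing after it; a `next unless defined $tag;` (or falling back to `$name`) would keep such entries visible and distinct.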


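--- /dev/null
+++ b/decaf.pl
@@ -0,0 +1,96 @@
+#-----------------------------------------------------------
+# decaf.pl
+# Extracts the AcceptedEULA value for DECAF
+#
+# Change history
+# 20110830 [fpi] + banner, no change to the version number
+#
+# References
+# Detect and Eliminate Computer Acquired Forensics
+# http://en.wikipedia.org/wiki/DECAF
+#
+# Copyright (c) 2011-02-10 Brendan Coles <bcoles@gmail.com>
+#-----------------------------------------------------------
+# Require #
+package decaf;
+use strict;
+# Declarations #
+my %config = (hive => "NTUSER\.DAT",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 1,
+osmask => 22,
+version => 20110210);
+my $VERSION = getVersion();
+# Functions #
+sub getDescr {}
+sub getConfig {return %config}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+sub getShortDescr {
+return "Extracts the EULA value for DECAF.";
+}
+sub getRefs {
+my %refs = ("Detect and Eliminate Computer Acquired Forensics:" =>
+"http://en.wikipedia.org/wiki/DECAF");
+return %refs;
+}
+############################################################
+# pluginmain #
+############################################################
+sub pluginmain {
+# Declarations #
+my $class = shift;
+my $hive = shift;
+# Initialize #
+::logMsg("Launching decaf v.".$VERSION);
+::rptMsg("decaf v.".$VERSION); # 20110830 [fpi] + banner
+::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+my $key;
+my $key_path = "Software\\DECAFme";
+# If # DECAF path exists #
+if ($key = $root_key->get_subkey($key_path)) {
+# Return # plugin name, registry key and last modified date #
+::rptMsg("DECAF");
+::rptMsg($key_path);
+::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+::rptMsg("");
+# Extract # all keys from DECAF registry path #
+my %keys;
+my @vals = $key->get_list_of_values();
+# If # registry keys exist in path #
+if (scalar(@vals) > 0) {
+# Extract # all key names+values for DECAF registry path #
+foreach my $v (@vals) {
+::rptMsg($v->get_name()." -> ".$v->get_data());
+}
+# Error # key value is null #
+} else {
+::rptMsg($key_path." has no values.");
+}
+# Error # DECAF isn't here, try another castle #
+} else {
+::rptMsg($key_path." not found.");
+::logMsg($key_path." not found.");
+}
+# Return # obligatory new-line #
+::rptMsg("");
+}
+# Error # oh snap! #
+1;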
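Review bot: The value loop in pluginmain prints `name -> data` for whatever sits under `Software\\DECAFme`, but nothing in the output says why the key matters: per the header, DECAF is an anti-forensic tool, and its mere presence in a user's hive is the finding, not the value of AcceptedEULA. Add a line after the `DECAF` heading such as `::rptMsg("NOTE: DECAF is an anti-forensics tool; this key indicates it was installed or run under this user profile.");` so an analyst scanning a long RegRipper report does not skip past it. `my %keys;` in the same block is declared and never used and can be dropped.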


@ -1,78 +1,80 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# defbrowser.pl # defbrowser.pl
# Get default browser information - check #1 can apply to HKLM # Get default browser information - check #1 can apply to HKLM
# as well as to HKCU # as well as to HKCU
# #
# Change History: # Change History:
# 20091116 - Added Check #1 # 20091116 - Added Check #1
# 20081105 - created # 20081105 - created
# #
# copyright 2009 H. Carvey, keydet89@yahoo.com # copyright 2009 H. Carvey, keydet89@yahoo.com
#----------------------------------------------------------- #-----------------------------------------------------------
package defbrowser; package defbrowser;
use strict; use strict;
my %config = (hive => "Software", my %config = (hive => "Software",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20091116); version => 20091116);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets default browser setting from HKLM"; return "Gets default browser setting from HKLM";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching defbrowser v.".$VERSION); ::logMsg("Launching defbrowser v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("defbrowser v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $key_path = "Clients\\StartMenuInternet"; my $root_key = $reg->get_root_key;
if (my $key = $root_key->get_subkey($key_path)) {
::rptMsg("Default Browser Check #1"); my $key_path = "Clients\\StartMenuInternet";
::rptMsg($key_path); if (my $key = $root_key->get_subkey($key_path)) {
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); ::rptMsg("Default Browser Check #1");
::rptMsg(""); ::rptMsg($key_path);
my $browser = $key->get_value("")->get_data(); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("Default Browser : ".$browser); ::rptMsg("");
} my $browser = $key->get_value("")->get_data();
else { ::rptMsg("Default Browser : ".$browser);
::rptMsg($key_path." not found."); }
} else {
::rptMsg($key_path." not found.");
::rptMsg(""); }
my $key_path = "Classes\\HTTP\\shell\\open\\command"; ::rptMsg("");
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Classes\\HTTP\\shell\\open\\command";
::rptMsg("Default Browser Check #2"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); ::rptMsg("Default Browser Check #2");
::rptMsg(""); ::rptMsg($key_path);
my $browser; ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
eval { ::rptMsg("");
$browser = $key->get_value("")->get_data(); my $browser;
}; eval {
if ($@) { $browser = $key->get_value("")->get_data();
::rptMsg("Error locating default browser setting."); };
} if ($@) {
else { ::rptMsg("Error locating default browser setting.");
::rptMsg("Default Browser = ".$browser); }
} else {
} ::rptMsg("Default Browser = ".$browser);
else { }
::rptMsg($key_path." not found."); }
} else {
} ::rptMsg($key_path." not found.");
}
}
1; 1;
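Review bot: In Default Browser Check #1, `my $browser = $key->get_value("")->get_data();` is called without the eval guard that Check #2 uses, so a Software hive whose `Clients\\StartMenuInternet` key exists but has no default value kills the plugin with a method call on undef before Check #2 ever runs. Wrap it the same way, `my $browser; eval { $browser = $key->get_value("")->get_data(); };`, and report `Error locating default browser setting.` on `$@` as the second check already does. Since the two checks read different keys, a closing line noting when they disagree would also be useful: a mismatch between StartMenuInternet and the `HTTP\\shell\\open\\command` handler is exactly what a browser-hijacking change looks like.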


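--- /dev/null
+++ b/dependency_walker.pl
@@ -0,0 +1,95 @@
+#-----------------------------------------------------------
+# dependency_walker.pl
+# Extracts Recent File List for Dependency Walker.
+#
+# Change history
+# 20110830 [fpi] + banner, no change to the version number
+#
+# References
+# Dependency Walker Homepage
+# http://www.dependencywalker.com/
+#
+# Copyright (c) 2011-02-04 Brendan Coles <bcoles@gmail.com>
+#-----------------------------------------------------------
+# Require #
+package dependency_walker;
+use strict;
+# Declarations #
+my %config = (hive => "NTUSER\.DAT",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 1,
+osmask => 22,
+version => 20110204);
+my $VERSION = getVersion();
+# Functions #
+sub getDescr {}
+sub getConfig {return %config}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+sub getShortDescr {
+return "Extracts Recent File List for Dependency Walker.";
+}
+sub getRefs {
+my %refs = ("Dependency Walker Homepage:" =>
+"http://www.dependencywalker.com/");
+return %refs;
+}
+############################################################
+# pluginmain #
+############################################################
+sub pluginmain {
+# Declarations #
+my $class = shift;
+my $hive = shift;
+# Initialize #
+::logMsg("Launching dependency_walker v.".$VERSION);
+::rptMsg("dependency_walker v.".$VERSION); # 20110830 [fpi] + banner
+::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+my $key;
+my $key_path = "Software\\Microsoft\\Dependency Walker\\Recent File List";
+# If # Dependency Walker path exists #
+if ($key = $root_key->get_subkey($key_path)) {
+# Return # plugin name, registry key and last modified date #
+::rptMsg("Dependency Walker");
+::rptMsg($key_path);
+::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+::rptMsg("");
+# Extract # all keys from Dependency Walker registry path #
+my @vals = $key->get_list_of_values();
+# If # registry keys exist in path #
+if (scalar(@vals) > 0) {
+# Extract # all key names+values for Dependency Walker registry path #
+foreach my $v (@vals) {
+::rptMsg($v->get_name()." -> ".$v->get_data());
+}
+# Error # key value is null #
+} else {
+::rptMsg($key_path." has no values.");
+}
+# Error # Dependency Walker isn't here, try another castle #
+} else {
+::rptMsg($key_path." not found.");
+::logMsg($key_path." not found.");
+}
+# Return # obligatory new-line #
+::rptMsg("");
+}
+# Error # oh snap! #
+1;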
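Review bot: The value loop in pluginmain emits the Recent File List entries in hive storage order, which for an MRU-style list is not the usage order; if the value names are numbered (`File1`, `File2`, … as MFC recent-file lists usually are — confirm on a real hive), sort them before printing, e.g. `foreach my $v (sort { ($a->get_name() =~ /(\d+)$/)[0] <=> ($b->get_name() =~ /(\d+)$/)[0] } @vals) {`. Without that, the analyst cannot tell which DLL or executable was examined most recently, which is the main reason to carry this artifact. A one-line comment stating the assumed ordering would be worth adding either way.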


@ -1,125 +1,127 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# devclass # devclass
# Get USB device info from the DeviceClasses keys in the System # Get USB device info from the DeviceClasses keys in the System
# hive (Disks and Volumes GUIDs) # hive (Disks and Volumes GUIDs)
# #
# Change History: # Change History:
# 20100901 - spelling error in output corrected # 20100901 - spelling error in output corrected
# 20080331 - created # 20080331 - created
# #
# copyright 2010 Quantum Analytics Research, LLC # copyright 2010 Quantum Analytics Research, LLC
#----------------------------------------------------------- #-----------------------------------------------------------
package devclass; package devclass;
use strict; use strict;
my %config = (hive => "System", my %config = (hive => "System",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20100901); version => 20100901);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Get USB device info from the DeviceClasses keys in the System hive"; return "Get USB device info from the DeviceClasses keys in the System hive";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching devclass v.".$VERSION); ::logMsg("Launching devclass v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("devclass v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
# Code for System file, getting CurrentControlSet my $root_key = $reg->get_root_key;
my $current;
my $ccs; # Code for System file, getting CurrentControlSet
my $key_path = 'Select'; my $current;
my $key; my $ccs;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Select';
$current = $key->get_value("Current")->get_data(); my $key;
$ccs = "ControlSet00".$current; if ($key = $root_key->get_subkey($key_path)) {
} $current = $key->get_value("Current")->get_data();
else { $ccs = "ControlSet00".$current;
::logMsg("Could not find ".$key_path); }
return else {
} ::logMsg("Could not find ".$key_path);
# Get devices from the Disk GUID return
my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"; }
my $key; # Get devices from the Disk GUID
if ($key = $root_key->get_subkey($key_path)) { my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
::rptMsg("DevClasses - Disks"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg("DevClasses - Disks");
my %disks; ::rptMsg($key_path);
my @subkeys = $key->get_list_of_subkeys(); ::rptMsg("");
if (scalar(@subkeys) > 0) { my %disks;
foreach my $s (@subkeys) { my @subkeys = $key->get_list_of_subkeys();
my $name = $s->get_name(); if (scalar(@subkeys) > 0) {
next unless (grep(/USBSTOR/,$name)); foreach my $s (@subkeys) {
my $lastwrite = $s->get_timestamp(); my $name = $s->get_name();
my ($dev, $serial) = (split(/#/,$name))[4,5]; next unless (grep(/USBSTOR/,$name));
push(@{$disks{$lastwrite}},$dev.",".$serial); my $lastwrite = $s->get_timestamp();
} my ($dev, $serial) = (split(/#/,$name))[4,5];
push(@{$disks{$lastwrite}},$dev.",".$serial);
foreach my $t (reverse sort {$a <=> $b} keys %disks) { }
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$disks{$t}}) { foreach my $t (reverse sort {$a <=> $b} keys %disks) {
::rptMsg("\t$item"); ::rptMsg(gmtime($t)." (UTC)");
} foreach my $item (@{$disks{$t}}) {
} ::rptMsg("\t$item");
}
} }
else {
::rptMsg($key_path." has no subkeys."); }
::logMsg($key_path." has no subkeys."); else {
} ::rptMsg($key_path." has no subkeys.");
} ::logMsg($key_path." has no subkeys.");
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
::rptMsg(""); ::logMsg($key_path." not found.");
# Get devices from the Volume GUID }
my $key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"; ::rptMsg("");
my $key; # Get devices from the Volume GUID
if ($key = $root_key->get_subkey($key_path)) { my $key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}";
::rptMsg("DevClasses - Volumes"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg("DevClasses - Volumes");
my %vols; ::rptMsg($key_path);
my @subkeys = $key->get_list_of_subkeys(); ::rptMsg("");
if (scalar(@subkeys) > 0) { my %vols;
foreach my $s (@subkeys) { my @subkeys = $key->get_list_of_subkeys();
my $name = $s->get_name(); if (scalar(@subkeys) > 0) {
next unless (grep(/RemovableMedia/,$name)); foreach my $s (@subkeys) {
my $lastwrite = $s->get_timestamp(); my $name = $s->get_name();
my $ppi = (split(/#/,$name))[5]; next unless (grep(/RemovableMedia/,$name));
push(@{$vols{$lastwrite}},$ppi); my $lastwrite = $s->get_timestamp();
} my $ppi = (split(/#/,$name))[5];
push(@{$vols{$lastwrite}},$ppi);
foreach my $t (reverse sort {$a <=> $b} keys %vols) { }
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$vols{$t}}) { foreach my $t (reverse sort {$a <=> $b} keys %vols) {
::rptMsg("\tParentIdPrefix: ".$item); ::rptMsg(gmtime($t)." (UTC)");
} foreach my $item (@{$vols{$t}}) {
} ::rptMsg("\tParentIdPrefix: ".$item);
} }
else { }
::rptMsg($key_path." has no subkeys."); }
::logMsg($key_path." has no subkeys."); else {
} ::rptMsg($key_path." has no subkeys.");
} ::logMsg($key_path." has no subkeys.");
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} ::logMsg($key_path." not found.");
}
}
1; 1;
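Review bot: In the Disks section, `my ($dev, $serial) = (split(/#/,$name))[4,5];` assumes a fixed `##?#USBSTOR#<dev>#<serial>#{guid}` layout; a subkey name with fewer `#`-separated fields leaves `$serial` undef and the report shows `dev,` with nothing after the comma, indistinguishable from an empty serial. Guard it with `next unless (defined $dev && defined $serial);` (or print a placeholder) so a malformed or unexpected entry is visible rather than silently ambiguous. The `grep(/USBSTOR/,$name)` and `grep(/RemovableMedia/,$name)` filters are list-grep on a scalar and case-sensitive; `next unless ($name =~ /USBSTOR/i);` is the idiomatic form and would not miss a differently-cased instance path if one exists. Finally, `my $key_path` and `my $key` are redeclared three times in the same scope of pluginmain, which `use warnings` would flag as masking earlier declarations.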


@ -1,63 +1,65 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# dfrg.pl # dfrg.pl
# Gets contents of Dfrg\BootOptimizeFunction key # Gets contents of Dfrg\BootOptimizeFunction key
# #
# Change history: # Change history:
# 20110321 - created # 20110321 - created
# #
# References # References
# http://technet.microsoft.com/en-us/library/cc784391%28WS.10%29.aspx # http://technet.microsoft.com/en-us/library/cc784391%28WS.10%29.aspx
# #
# copyright 2011 Quantum Analytics Research, LLC (keydet89@yahoo.com) # copyright 2011 Quantum Analytics Research, LLC (keydet89@yahoo.com)
#----------------------------------------------------------- #-----------------------------------------------------------
package dfrg; package dfrg;
use strict; use strict;
my %config = (hive => "Software", my %config = (hive => "Software",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20110321); version => 20110321);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets content of Dfrg BootOptim. key"; return "Gets content of Dfrg BootOptim. key";
} }
sub getDescr{} sub getDescr{}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching dfrg v.".$VERSION); ::logMsg("Launching dfrg v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("dfrg v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $key_path = "Microsoft\\Dfrg\\BootOptimizeFunction"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Microsoft\\Dfrg\\BootOptimizeFunction";
::rptMsg("Dfrg"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg("Dfrg");
::rptMsg($key_path);
my @vals = $key->get_list_of_values(); ::rptMsg("");
if (scalar(@vals) > 0) {
foreach my $v (@vals) { my @vals = $key->get_list_of_values();
::rptMsg(sprintf "%-20s %-20s",$v->get_name(),$v->get_data()); if (scalar(@vals) > 0) {
} foreach my $v (@vals) {
} ::rptMsg(sprintf "%-20s %-20s",$v->get_name(),$v->get_data());
else { }
::rptMsg($key_path." has no values."); }
} else {
} ::rptMsg($key_path." has no values.");
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} ::logMsg($key_path." not found.");
}
}
1; 1;

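--- a/diag_sr.pl
+++ b/diag_sr.pl
@@ -0,0 +1,81 @@
+#-----------------------------------------------------------
+# diag_sr.pl
+#
+# History:
+# 20120515: created
+#
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey
+#-----------------------------------------------------------
+package diag_sr;
+use strict;
+my %config = (hive => "System",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 0,
+osmask => 22,
+version => 20120515);
+sub getConfig{return %config}
+sub getShortDescr {
+return "Get Diag\\SystemRestore values and data";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+my $VERSION = getVersion();
+sub pluginmain {
+my $class = shift;
+my $hive = shift;
+::logMsg("Launching diag_sr v.".$VERSION);
+::rptMsg("diag_sr v.".$VERSION); # banner
+::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+my ($current,$ccs);
+my $key_path = 'Select';
+my $key;
+if ($key = $root_key->get_subkey($key_path)) {
+$current = $key->get_value("Current")->get_data();
+$ccs = "ControlSet00".$current;
+my $volsnap_path = $ccs."\\Services\\VSS\\Diag\\SystemRestore";
+my $volsnap;
+if ($volsnap = $root_key->get_subkey($volsnap_path)) {
+my @vals = $volsnap->get_list_of_values();
+if (scalar(@vals) > 0) {
+foreach my $v (@vals) {
+my $name = $v->get_name();
+my $t = gmtime(parseData($v->get_data()));
+::rptMsg(sprintf "%-25s %-50s",$t,$name);
+}
+}
+else {
+::rptMsg($volsnap_path." has no values.");
+}
+}
+else {
+::rptMsg($volsnap_path." not found.");
+}
+}
+else {
+::rptMsg($key_path." not found.");
+}
+}
+sub parseData {
+my $data = shift;
+my ($t0,$t1) = unpack("VV",substr($data,0x08,8));
+return ::getTime($t0,$t1);
+}
+1;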
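Review bot: parseData at the bottom of the file unpacks bytes 8..15 of the value data without checking its length, so a value shorter than 16 bytes hands undef or partial words to ::getTime and the report line carries an epoch-or-garbage timestamp with no indication that the data was malformed; a guard such as `return 0 unless defined $data && length($data) >= 16;` before the unpack, or skipping the value with a message, would make that visible. The `$key->get_value("Current")->get_data()` call in pluginmain is also unguarded: if the Current value is absent the method call on undef dies, whereas dnschanger.pl in this same commit wraps that lookup in eval. Whether the plugin host catches a die from pluginmain is not visible here.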

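--- a/direct.pl
+++ b/direct.pl
@@ -0,0 +1,75 @@
+#-----------------------------------------------------------
+# direct.pl
+# This plugin runs through the Direct* subkeys beneath the Microsoft key
+# in the Software hive (as well as the Wow6432Node key, if it exists) and
+# looks to see if there is a MostRecentApplication subkey; if there is, it
+# then tries to retrieve the "Name" value/data
+#
+# History:
+# 20120513 - created
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package direct;
+use strict;
+my %config = (hive => "Software",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 1,
+osmask => 22,
+version => 20120513);
+sub getConfig{return %config}
+sub getShortDescr {
+return "Searches Direct* keys for MostRecentApplication subkeys";
+}
+sub getDescr{}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+my $VERSION = getVersion();
+sub pluginmain {
+my $class = shift;
+my $hive = shift;
+my @keys = ('Microsoft','Wow6432Node\\Microsoft');
+::rptMsg("Launching direct v.".$VERSION);
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+foreach my $key_path (@keys) {
+my $key;
+if ($key = $root_key->get_subkey($key_path)) {
+::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+# ::rptMsg("");
+my @subkeys = $key->get_list_of_subkeys();
+if (scalar(@subkeys) > 0) {
+foreach my $s (@subkeys) {
+next unless ($s->get_name() =~ m/^Direct/);
+my $name = $s->get_name();
+eval {
+my $app;
+$app = $s->get_subkey("MostRecentApplication");
+my $app_lw = gmtime($app->get_timestamp());
+my $app_name = $app->get_value("Name")->get_data();
+::rptMsg(sprintf "%-25s %-50s",$app_lw,$s->get_name()."\\".$app->get_name()." - ".$app_name);
+};
+}
+}
+else {
+::rptMsg($key_path." has no subkeys.");
+}
+::rptMsg("");
+}
+else {
+::rptMsg($key_path." not found.");
+}
+}
+}
+1;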
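Review bot: %config advertises `hasRefs => 1` but the file defines no getRefs sub, so a caller that honors the flag (drivers32.pl in this commit shows the expected pattern, a getRefs returning a %refs hash) hits an undefined-subroutine error; either add `sub getRefs {}` or set `hasRefs => 0`. direct_tln.pl has the same mismatch. Two smaller points in pluginmain: the launch banner goes to ::rptMsg where every other plugin in this commit uses ::logMsg for it, and `my $name = $s->get_name();` is assigned but never used.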

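--- a/direct_tln.pl
+++ b/direct_tln.pl
@@ -0,0 +1,75 @@
+#-----------------------------------------------------------
+# direct_tln.pl
+# This plugin runs through the Direct* subkeys beneath the Microsoft key
+# in the Software hive (as well as the Wow6432Node key, if it exists) and
+# looks to see if there is a MostRecentApplication subkey; if there is, it
+# then tries to retrieve the "Name" value/data
+#
+# History:
+# 20120608 - created
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author: H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package direct_tln;
+use strict;
+my %config = (hive => "Software",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 1,
+osmask => 22,
+version => 20120608);
+sub getConfig{return %config}
+sub getShortDescr {
+return "Searches Direct* keys for MostRecentApplication subkeys (TLN)";
+}
+sub getDescr{}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+my $VERSION = getVersion();
+sub pluginmain {
+my $class = shift;
+my $hive = shift;
+my @keys = ('Microsoft','Wow6432Node\\Microsoft');
+::rptMsg("Launching direct v.".$VERSION);
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+foreach my $key_path (@keys) {
+my $key;
+if ($key = $root_key->get_subkey($key_path)) {
+# ::rptMsg($key_path);
+# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+# ::rptMsg("");
+my @subkeys = $key->get_list_of_subkeys();
+if (scalar(@subkeys) > 0) {
+foreach my $s (@subkeys) {
+next unless ($s->get_name() =~ m/^Direct/);
+my $name = $s->get_name();
+eval {
+my $app;
+$app = $s->get_subkey("MostRecentApplication");
+my $app_lw = $app->get_timestamp();
+my $app_name = $app->get_value("Name")->get_data();
+# ::rptMsg(sprintf "%-25s %-50s",$app_lw,$s->get_name()."\\".$app->get_name()." - ".$app_name);
+::rptMsg($app_lw."|REG|||[Program Execution] ".$key_path."\\".$s->get_name()."\\".$app->get_name()." - ".$app_name);
+};
+}
+}
+else {
+# ::rptMsg($key_path." has no subkeys.");
+}
+# ::rptMsg("");
+}
+else {
+# ::rptMsg($key_path." not found.");
+}
+}
+}
+1;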
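Review bot: The one informational ::rptMsg left active in pluginmain, `::rptMsg("Launching direct v.".$VERSION);`, writes a non-TLN banner line into the timeline output and names the wrong plugin; since every other non-timeline ::rptMsg in this file is deliberately commented out, this should be `::logMsg("Launching direct_tln v.".$VERSION);`. The empty else branches at the end of pluginmain are consistent with TLN output, but a short comment such as `# intentionally silent: TLN output only` would stop a later reader from adding messages back.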

@ -1,73 +1,75 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# disablelastaccess.pl # disablelastaccess.pl
# #
# References: # References:
# http://support.microsoft.com/kb/555041 # http://support.microsoft.com/kb/555041
# http://support.microsoft.com/kb/894372 # http://support.microsoft.com/kb/894372
# #
# copyright 2008 H. Carvey, keydet89@yahoo.com # copyright 2008 H. Carvey, keydet89@yahoo.com
#----------------------------------------------------------- #-----------------------------------------------------------
package disablelastaccess; package disablelastaccess;
use strict; use strict;
my %config = (hive => "System", my %config = (hive => "System",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20090118); version => 20090118);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Get NTFSDisableLastAccessUpdate value"; return "Get NTFSDisableLastAccessUpdate value";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching disablelastaccess v.".$VERSION); ::logMsg("Launching disablelastaccess v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("disablelastaccess v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
# Code for System file, getting CurrentControlSet my $root_key = $reg->get_root_key;
my $current;
my $key_path = 'Select'; # Code for System file, getting CurrentControlSet
my $key; my $current;
my $ccs; my $key_path = 'Select';
if ($key = $root_key->get_subkey($key_path)) { my $key;
$current = $key->get_value("Current")->get_data(); my $ccs;
$ccs = "ControlSet00".$current; if ($key = $root_key->get_subkey($key_path)) {
} $current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $key_path = $ccs."\\Control\\FileSystem"; }
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = $ccs."\\Control\\FileSystem";
::rptMsg("NtfsDisableLastAccessUpdate"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
my @vals = $key->get_list_of_values(); ::rptMsg("NtfsDisableLastAccessUpdate");
my $found = 0; ::rptMsg($key_path);
if (scalar(@vals) > 0) { my @vals = $key->get_list_of_values();
foreach my $v (@vals) { my $found = 0;
if ($v->get_name() eq "NtfsDisableLastAccessUpdate") { if (scalar(@vals) > 0) {
::rptMsg("NtfsDisableLastAccessUpdate = ".$v->get_data()); foreach my $v (@vals) {
$found = 1; if ($v->get_name() eq "NtfsDisableLastAccessUpdate") {
} ::rptMsg("NtfsDisableLastAccessUpdate = ".$v->get_data());
} $found = 1;
::rptMsg("NtfsDisableLastAccessUpdate value not found.") if ($found == 0); }
} }
else { ::rptMsg("NtfsDisableLastAccessUpdate value not found.") if ($found == 0);
::rptMsg($key_path." has no values."); }
} else {
} ::rptMsg($key_path." has no values.");
else { }
::rptMsg($key_path." not found."); }
} else {
} ::rptMsg($key_path." not found.");
}
}
1; 1;
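Review bot: In pluginmain `$ccs` is only assigned inside the `if ($key = $root_key->get_subkey($key_path))` branch for the Select key, so when that key is missing the second lookup runs against `"\\Control\\FileSystem"` with an uninitialized-value warning and the report claims that (wrong) path was not found. An else branch that stops there, e.g. `else { ::rptMsg($key_path." not found."); return; }`, keeps the message accurate. dnschanger.pl in this commit has the same shape: its eval around the Current lookup leaves `$current` undef on failure and the path silently becomes `ControlSet00\\Services\\Tcpip\\...`.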

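--- a/disablesr.pl
+++ b/disablesr.pl
@@ -0,0 +1,71 @@
+#-----------------------------------------------------------
+# disablesr.pl
+# Gets the value that turns System Restore either on or off
+#
+# Change History
+# 20120914
+#
+# References
+# Registry Keys and Values for the System Restore Utility http://support.microsoft.com/kb/295659
+#
+# copyright 2012 Corey Harrell (Journey Into Incident Response)
+#-----------------------------------------------------------
+package disablesr;
+use strict;
+my %config = (hive => "Software",
+osmask => 22,
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 0,
+version => 20120914);
+sub getConfig{return %config}
+sub getShortDescr {
+return "Gets the value that turns System Restore either on or off";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+my $VERSION = getVersion();
+sub pluginmain {
+my $class = shift;
+my $hive = shift;
+::logMsg("Launching disablesr v.".$VERSION);
+::rptMsg("disablesr v.".$VERSION);
+::rptMsg("(".getHive().") ".getShortDescr()."\n");
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\SystemRestore";
+my $key;
+if ($key = $root_key->get_subkey($key_path)) {
+::rptMsg($key_path);
+::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+::rptMsg("");
+my $disable;
+eval {
+$disable = $key->get_value("DisableSR")->get_data();
+};
+if ($@) {
+::rptMsg("DisableSR value not found.");
+}
+else {
+::rptMsg("DisableSR = ".$disable);
+::rptMsg("");
+::rptMsg("1 means System Restore is turned off");
+}
+}
+else {
+::rptMsg($key_path." not found.");
+::logMsg($key_path." not found.");
+}
+}
+1;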

@ -1,69 +1,71 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# dllsearch.pl # dllsearch.pl
# #
# References: # References:
# http://support.microsoft.com/kb/2264107 # http://support.microsoft.com/kb/2264107
# #
# Change History: # Change History:
# 20100824: created # 20100824: created
# #
# copyright 2010 Quantum Analytics Research, LLC # copyright 2010 Quantum Analytics Research, LLC
#----------------------------------------------------------- #-----------------------------------------------------------
package dllsearch; package dllsearch;
use strict; use strict;
my %config = (hive => "System", my %config = (hive => "System",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20100824); version => 20100824);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Get crash control information"; return "Get crash control information";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching dllsearch v.".$VERSION); ::logMsg("Launching dllsearch v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("dllsearch v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
# Code for System file, getting CurrentControlSet my $root_key = $reg->get_root_key;
my $current;
my $key_path = 'Select'; # Code for System file, getting CurrentControlSet
my $key; my $current;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Select';
$current = $key->get_value("Current")->get_data(); my $key;
if ($key = $root_key->get_subkey($key_path)) {
my $cc_path = "ControlSet00".$current."\\Control\\Session Manager"; $current = $key->get_value("Current")->get_data();
my $cc;
if ($cc = $root_key->get_subkey($cc_path)) { my $cc_path = "ControlSet00".$current."\\Control\\Session Manager";
::rptMsg("dllsearch v.".$VERSION); my $cc;
::rptMsg(""); if ($cc = $root_key->get_subkey($cc_path)) {
my $found = 1; ::rptMsg("dllsearch v.".$VERSION);
eval { ::rptMsg("");
my $cde = $cc->get_value("CWDIllegalInDllSearch")->get_data(); my $found = 1;
$found = 0; eval {
::rptMsg(sprintf "CWDIllegalInDllSearch = 0x%x",$cde); my $cde = $cc->get_value("CWDIllegalInDllSearch")->get_data();
}; $found = 0;
::rptMsg("CWDIllegalInDllSearch value not found.") if ($found); ::rptMsg(sprintf "CWDIllegalInDllSearch = 0x%x",$cde);
} };
else { ::rptMsg("CWDIllegalInDllSearch value not found.") if ($found);
::rptMsg($cc_path." not found."); }
} else {
} ::rptMsg($cc_path." not found.");
else { }
::rptMsg($key_path." not found."); }
} else {
} ::rptMsg($key_path." not found.");
1; }
}
1;
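Review bot: With the new banner lines at the top of pluginmain, the `::rptMsg("dllsearch v.".$VERSION);` that remains inside the `if ($cc = $root_key->get_subkey($cc_path))` branch now prints the version banner a second time; that inner line and the `::rptMsg("");` after it can be dropped. The new banner also surfaces getShortDescr, which still returns `"Get crash control information"`, apparently left over from the plugin this one was copied from, so the report header misdescribes a plugin that reads CWDIllegalInDllSearch; something like `return "Get CWDIllegalInDllSearch (DLL search order) setting";` matches what the code does.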

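--- a/dnschanger.pl
+++ b/dnschanger.pl
@@ -0,0 +1,94 @@
+#-----------------------------------------------------------
+# dnschanger.pl
+# DNSChanger malware modifies the NameServer and/or DhcpNameServer values
+# within the Registry for the interfaces.
+#
+# Change history
+# 20120203 - created
+#
+# Need to add grep() for ranges:
+# start range end range
+# 85.255.112.0 85.255.127.255
+# 67.210.0.0 67.210.15.255
+# 93.188.160.0 93.188.167.255
+# 77.67.83.0 77.67.83.255
+# 213.109.64.0 213.109.79.255
+# 64.28.176.0 64.28.191.255
+#
+# Note: these may not be the only ranges used. The best use of the
+# plugin is to know what your ranges are, and eyeball the output of
+# the plugin.
+#
+# References
+# https://twitter.com/#!/saved-search/%23DFIR
+#
+# copyright 2012 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package dnschanger;
+use strict;
+my %config = (hive => "System",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 0,
+osmask => 22,
+version => 20120203);
+sub getConfig{return %config}
+sub getShortDescr {
+return "Check for indication of DNSChanger infection.";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+my $VERSION = getVersion();
+sub pluginmain {
+my $class = shift;
+my $hive = shift;
+my %nics;
+my $ccs;
+::logMsg("Launching dnschanger v.".$VERSION);
+::rptMsg("dnschanger v.".$VERSION);
+::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+# First thing to do is get the ControlSet00x marked current...this is
+# going to be used over and over again in plugins that access the system
+# file
+my $current;
+eval {
+$current = $root_key->get_subkey("Select")->get_value("Current")->get_data();
+};
+my @nics;
+my $key_path = "ControlSet00".$current."\\Services\\Tcpip\\Parameters\\Interfaces";
+my $key;
+if ($key = $root_key->get_subkey($key_path)) {
+my @guids = $key->get_list_of_subkeys();
+if (scalar @guids > 0) {
+foreach my $g (@guids) {
+::rptMsg("Adapter: ".$g->get_name());
+::rptMsg("LastWrite Time: ".gmtime($g->get_timestamp())." Z");
+eval {
+my @vals = $g->get_list_of_values();
+foreach my $v (@vals) {
+my $name = $v->get_name();
+next unless ($name =~ m/NameServer$/);
+my $data = $v->get_data();
+::rptMsg(sprintf " %-28s %-20s",$name,$data);
+}
+::rptMsg("");
+};
+}
+}
+else {
+::rptMsg($key_path." has no subkeys.");
+}
+}
+else {
+::rptMsg($key_path." not found.");
+}
+}
+1;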
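Review bot: The header comment lists the address ranges the plugin was meant to compare against and says that check is still to be added, but neither getShortDescr ("Check for indication of DNSChanger infection.") nor the report output says that the plugin only lists NameServer and DhcpNameServer values and leaves the comparison to the analyst; a line after the banner such as `::rptMsg("Note: values are listed for manual review; no range check is applied.");` would stop a clean-looking run from being read as a negative finding. The eval around the per-adapter value loop also swallows any error for that adapter silently, so an adapter with an unreadable value shows no lines at all; reporting `$@` via ::logMsg when it is set would make that visible. The unused `%nics`, `@nics` and `$ccs` declarations in pluginmain can be removed.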

@ -1,74 +1,76 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# domains.pl # domains.pl
# #
# #
# Change history # Change history
# 20100116 - Created # 20100116 - Created
# #
# References # References
# http://support.microsoft.com/kb/919748 # http://support.microsoft.com/kb/919748
# http://support.microsoft.com/kb/922704 # http://support.microsoft.com/kb/922704
# #
# copyright 2010 Quantum Analytics Research, LLC # copyright 2010 Quantum Analytics Research, LLC
#----------------------------------------------------------- #-----------------------------------------------------------
package domains; package domains;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20100116); version => 20100116);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets contents Internet Settings\\ZoneMap\\Domains key"; return "Gets contents Internet Settings\\ZoneMap\\Domains key";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
::logMsg("Launching domains v.".$VERSION); ::logMsg("Launching domains v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser); ::rptMsg("domains v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path."\\Domains")) { my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap";
::rptMsg($key_path); my $key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path."\\Domains")) {
::rptMsg(""); ::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @subkeys = $key->get_list_of_subkeys(); ::rptMsg("");
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) { my @subkeys = $key->get_list_of_subkeys();
::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]"); if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my @vals = $s->get_list_of_values(); ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
if (scalar @vals > 0) {
foreach my $v (@vals) { my @vals = $s->get_list_of_values();
::rptMsg(" ".$v->get_name()." -> ".$v->get_data); if (scalar @vals > 0) {
} foreach my $v (@vals) {
} ::rptMsg(" ".$v->get_name()." -> ".$v->get_data);
::rptMsg(""); }
} }
} ::rptMsg("");
else { }
::rptMsg($key_path." has no subkeys."); }
::logMsg($key_path." has no subkeys."); else {
} ::rptMsg($key_path." has no subkeys.");
} ::logMsg($key_path." has no subkeys.");
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} ::logMsg($key_path." not found.");
}
}
1; 1;

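--- a/drivers32.pl
+++ b/drivers32.pl
@@ -0,0 +1,96 @@
+#-----------------------------------------------------------
+# drivers32
+# Get values from Drivers32 key
+#
+# History
+# 20130408 - created by copying then modifying the soft_run plug-in
+#
+# References
+# Location of Windows NT Multimedia Drivers in the Registry
+# http://support.microsoft.com/kb/126054
+#
+# copyright 2013 Corey Harrell (jIIr)
+#-----------------------------------------------------------
+package drivers32;
+use strict;
+my %config = (hive => "Software",
+osmask => 22,
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 1,
+version => 20130408);
+sub getConfig{return %config}
+sub getShortDescr {
+return "Get values from the Drivers32 key";
+}
+sub getDescr{}
+sub getRefs {
+my %refs = ("Location of Windows NT Multimedia Drivers in the Registry" =>
+"http://support.microsoft.com/kb/126054");
+return %refs;
+}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+my $VERSION = getVersion();
+sub pluginmain {
+my $class = shift;
+my $hive = shift;
+::logMsg("Launching drivers32 v.".$VERSION);
+::rptMsg("drivers32 v.".$VERSION); # banner
+::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+my @paths = ("Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
+"Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
+);
+foreach my $key_path (@paths) {
+my $key;
+if ($key = $root_key->get_subkey($key_path)) {
+::rptMsg($key_path);
+::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+my %vals = getKeyValues($key);
+if (scalar(keys %vals) > 0) {
+foreach my $v (keys %vals) {
+::rptMsg(" ".$v." - ".$vals{$v});
+}
+::rptMsg("");
+}
+else {
+::rptMsg($key_path." has no values.");
+}
+}
+else {
+::rptMsg($key_path." not found.");
+::rptMsg("");
+}
+}
+}
+sub getKeyValues {
+my $key = shift;
+my %vals;
+my @vk = $key->get_list_of_values();
+if (scalar(@vk) > 0) {
+foreach my $v (@vk) {
+next if ($v->get_name() eq "" && $v->get_data() eq "");
+$vals{$v->get_name()} = $v->get_data();
+}
+}
+else {
+}
+return %vals;
+}
+1;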
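Review bot: `foreach my $v (keys %vals)` in pluginmain walks the hash in Perl's internal order, which is randomized per process on recent perls, so two runs over the same hive produce differently ordered reports and output cannot be diffed across systems or runs; `foreach my $v (sort keys %vals) {` makes the listing stable. In getKeyValues the empty `else { }` block can be removed, and the `next if ($v->get_name() eq "" && $v->get_data() eq "")` line only skips the unnamed default value when its data is also empty, which looks intended but deserves a one-line comment such as `# skip an empty (Default) value only`.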

@ -1,77 +1,79 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# drwatson.pl # drwatson.pl
# Author: Don C. Weber # Author: Don C. Weber
# Plugin for Registry Ripper; Access Software hive file to get the # Plugin for Registry Ripper; Access Software hive file to get the
# Dr. Watson settings from Software hive # Dr. Watson settings from Software hive
# #
# Change history # Change history
# #
# #
# References # References
# Dr Watson: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html # Dr Watson: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html
# #
# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security # Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
#----------------------------------------------------------- #-----------------------------------------------------------
package drwatson; package drwatson;
use strict; use strict;
my %config = (hive => "Software", my %config = (hive => "Software",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20081219); version => 20081219);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets Dr. Watson settings from Software hive"; return "Gets Dr. Watson settings from Software hive";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching drwatson v.".$VERSION); ::logMsg("Launching drwatson v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("drwatson v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AeDebug"; my $reg = Parse::Win32Registry->new($hive);
my $key; my $root_key = $reg->get_root_key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AeDebug";
::rptMsg($key_path); my $key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
($key->get_value('Auto') == 0x0) ? ::rptMsg("Debugging is Disabled") : ::rptMsg("Debugging is Enabled"); ::rptMsg($key_path);
eval { ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("Debugger: ".$key->get_value('Debugger')->get_data()); ($key->get_value('Auto') == 0x0) ? ::rptMsg("Debugging is Disabled") : ::rptMsg("Debugging is Enabled");
}; eval {
::rptMsg("Debugger: ".$key->get_value('Debugger')->get_data());
} else { };
::rptMsg($key_path." not found.");
::logMsg($key_path." not found."); } else {
} ::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
::rptMsg(""); }
my $key_path = "Microsoft\\DrWatson";
my $key; ::rptMsg("");
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Microsoft\\DrWatson";
::rptMsg($key_path); my $key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
($key->get_value('LogFilePath')) ? ::rptMsg("DrWatson LogFile Path location: ".$key->get_value('LogFilePath')->get_data()) : ::rptMsg("DrWatson LogFile Path location: %SystemRoot%\\Documents and Settings\\All Users\\Documents\\DrWatson"); ::rptMsg($key_path);
($key->get_value('CreateCrashDump') == 0x0) ? ::rptMsg("CreateCrashDump is Disabled") : ::rptMsg("CreateCrashDump is Enabled"); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
($key->get_value('CrashDumpFile')) ? ::rptMsg("Crash Dump Path and Name: ".$key->get_value('CrashDumpFile')->get_data()) : ::rptMsg("CrashDumpFile is not set"); ($key->get_value('LogFilePath')) ? ::rptMsg("DrWatson LogFile Path location: ".$key->get_value('LogFilePath')->get_data()) : ::rptMsg("DrWatson LogFile Path location: %SystemRoot%\\Documents and Settings\\All Users\\Documents\\DrWatson");
($key->get_value('AppendToLogFile') == 0x0) ? ::rptMsg("AppendToLogFile is set to create a new file each time") : ::rptMsg("AppendToLogFile is set to append"); ($key->get_value('CreateCrashDump') == 0x0) ? ::rptMsg("CreateCrashDump is Disabled") : ::rptMsg("CreateCrashDump is Enabled");
($key->get_value('CrashDumpFile')) ? ::rptMsg("Crash Dump Path and Name: ".$key->get_value('CrashDumpFile')->get_data()) : ::rptMsg("CrashDumpFile is not set");
} else { ($key->get_value('AppendToLogFile') == 0x0) ? ::rptMsg("AppendToLogFile is set to create a new file each time") : ::rptMsg("AppendToLogFile is set to append");
::rptMsg($key_path." not found.");
::logMsg($key_path." not found."); } else {
} ::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
::rptMsg(""); }
::rptMsg("Analysis Tips: For Dr. Watson settings information check: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html");
} ::rptMsg("");
::rptMsg("Analysis Tips: For Dr. Watson settings information check: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html");
}
1; 1;
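Review bot: `($key->get_value('Auto') == 0x0)` compares the value object returned by get_value, not its data; a plain reference in numeric context is its address, so the test is false whenever the value exists and true only when it is missing (undef == 0), which inverts the "Debugging is Disabled"/"Enabled" messages (this assumes Parse::Win32Registry's value objects do not overload numeric comparison, which should be confirmed). The same pattern is on the CreateCrashDump and AppendToLogFile lines in the DrWatson block further down. Comparing the data instead, e.g. `(($key->get_value('Auto') ? $key->get_value('Auto')->get_data() : 0) == 0x0) ? ... : ...`, keeps the missing-value case explicit; the Debugger and LogFilePath lines already use `->get_data()`.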

@ -0,0 +1,96 @@
#-----------------------------------------------------------
# emdmgmt.pl
#
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package emdmgmt;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20120207);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of EMDMgmt subkeys and values";
}
sub getDescr{}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching emdmgmt v.".$VERSION);
::rptMsg("emdmgmt v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\EMDMgmt';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("EMDMgmt");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @sk = $key->get_list_of_subkeys();
foreach my $s (@sk) {
my $name = $s->get_name();
if ($name =~ m/^_\?\?_USBSTOR/) {
my ($usb,$sn,$vol) = (split(/#/,$name,4))[1,2,3];
::rptMsg($usb);
::rptMsg(" LastWrite: ".gmtime($s->get_timestamp())." Z");
::rptMsg(" SN: ".$sn);
$vol =~ s/{53f56307-b6bf-11d0-94f2-00a0c91efb8b}//;
my ($volname,$vsn) = split(/_/,$vol,2);
$vsn = uc(sprintf "%x",$vsn);
if (length($vsn) >= 8) {
my ($f,$l) = unpack("(A4)*",$vsn);
$vsn = $f."-".$l;
}
::rptMsg(" Vol Name: ".$volname) if ($volname ne "");
::rptMsg(" VSN: ".$vsn);
my $last = $s->get_value_data("LastTestedTime");
my ($lo,$hi) = unpack("VV",$last);
if ($lo != 0 && $hi != 0) {
::rptMsg(" LastTestedTime: ".gmtime(::getTime($lo,$hi))." Z");
}
::rptMsg("");
}
else {
my @n = split(/_/,$name);
my $t = scalar(@n);
my $volname = $n[$t - 2];
my $vsn = $n[$t - 1];
$vsn = uc(sprintf "%x",$vsn);
if (length($vsn) >= 8) {
my ($f,$l) = unpack("(A4)*",$vsn);
$vsn = $f."-".$l;
}
$volname = "Unknown Volume" unless ($volname ne "");
::rptMsg($volname);
::rptMsg(" LastWrite: ".gmtime($s->get_timestamp())." Z");
::rptMsg(" VSN: ".$vsn);
my $last = $s->get_value_data("LastTestedTime");
my ($lo,$hi) = unpack("VV",$last);
if ($lo != 0 && $hi != 0) {
::rptMsg(" LastTestedTime: ".gmtime(::getTime($lo,$hi))." Z");
}
::rptMsg("");
}
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;
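Review bot: `%config` sets `hasRefs => 1` but the package defines no `getRefs` sub, so a host that honours that flag fails with an undefined-subroutine error; the sibling plugins in this commit that set the flag (esent, for one) pair it with at least a stub, `sub getRefs {}`. Separately, the VSN formatting and the LastTestedTime decoding are duplicated verbatim between the USBSTOR branch and the `else` branch of the subkey loop, so the two report formats can drift; factoring them into two small helpers (below) removes the duplication. The helper also guards `unpack("VV",$last)` with `defined`, because `get_value_data` returning undef for a subkey without that value is currently decoded silently as zeros (the file has no `use warnings`).
```perl
sub getRefs {}

# Render a decimal volume serial number as upper-case hex, split XXXX-XXXX
# once it is 8 or more digits (same output as the two inline copies).
sub _format_vsn {
    my $vsn = uc(sprintf "%x", shift);
    if (length($vsn) >= 8) {
        my ($f,$l) = unpack("(A4)*",$vsn);
        $vsn = $f."-".$l;
    }
    return $vsn;
}

# Report LastTestedTime (two little-endian 32-bit words handed to ::getTime)
# only when the value exists and is non-zero.
sub _report_last_tested {
    my $s = shift;
    my $last = $s->get_value_data("LastTestedTime");
    return unless defined $last;
    my ($lo,$hi) = unpack("VV",$last);
    ::rptMsg(" LastTestedTime: ".gmtime(::getTime($lo,$hi))." Z") if ($lo != 0 && $hi != 0);
    return;
}
# … unchanged: pluginmain, with `$vsn = _format_vsn($vsn);` and `_report_last_tested($s);` replacing the two inline copies …
```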

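--- /dev/null
+++ b/environment.pl
@@ -0,0 +1,89 @@
+#-----------------------------------------------------------
+# environment.pl
+# Extracts user's Environment paths from NTUSER.DAT
+#
+# Change history
+# 20110830 [fpi] + banner, no change to the version number
+#
+# References
+#
+# Copyright (c) 2011-02-04 Brendan Coles <bcoles@gmail.com>
+#-----------------------------------------------------------
+# Require #
+package environment;
+use strict;
+# Declarations #
+my %config = (hive => "NTUSER\.DAT",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 0,
+osmask => 22,
+version => 20110204);
+my $VERSION = getVersion();
+# Functions #
+sub getDescr {}
+sub getRefs {}
+sub getConfig {return %config}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+sub getShortDescr {
+return "Extracts user's Environment paths from NTUSER.DAT";
+}
+############################################################
+# pluginmain #
+############################################################
+sub pluginmain {
+# Declarations #
+my $class = shift;
+my $hive = shift;
+# Initialize #
+::logMsg("Launching environment v.".$VERSION);
+::rptMsg("environment v.".$VERSION); # 20110830 [fpi] + banner
+::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+my $key;
+my $key_path = "Environment";
+# If # Environment path exists #
+if ($key = $root_key->get_subkey($key_path)) {
+# Return # plugin name, registry key and last modified date #
+::rptMsg("Environment");
+::rptMsg($key_path);
+::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+::rptMsg("");
+# Extract # all keys from Environment registry path #
+my @vals = $key->get_list_of_values();
+# If # registry keys exist in path #
+if (scalar(@vals) > 0) {
+# Extract # all key names+values for Environment registry path #
+foreach my $v (@vals) {
+::rptMsg($v->get_name()." -> ".$v->get_data());
+}
+# Error # key value is null #
+} else {
+::rptMsg($key_path." has no values.");
+}
+# Error # Environment isn't here, try another castle #
+} else {
+::rptMsg($key_path." not found.");
+::logMsg($key_path." not found.");
+}
+# Return # obligatory new-line #
+::rptMsg("");
+}
+# Error # oh snap! #
+1;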
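Review bot: The comment `# Error # oh snap! #` above the final `1;` mislabels the module's mandatory true return value as an error path; `# Module must return true` says what the line is for. The `# Error #` prefix on the two `else` branches is misleading for the same reason, since a missing key or an empty key is a normal report outcome that the plugin handles, not a failure. In the values loop, `$v->get_data()` is concatenated into the report regardless of value type, so a non-string value (whether any occur under Environment is not determinable from here) would print as raw bytes; `$v->get_data_as_string()` renders every type readably.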


@ -1,78 +1,80 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# esent # esent
# Get contents of Esent\Process key from Software hive # Get contents of Esent\Process key from Software hive
# #
# Note: Not sure why I wrote this one; just thought it might come # Note: Not sure why I wrote this one; just thought it might come
# in handy as info about this key is developed. # in handy as info about this key is developed.
# #
# copyright 2010 Quantum Analytics Research, LLC # copyright 2010 Quantum Analytics Research, LLC
#----------------------------------------------------------- #-----------------------------------------------------------
package esent; package esent;
use strict; use strict;
my %config = (hive => "Software", my %config = (hive => "Software",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 1, hasRefs => 1,
version => 20101202); version => 20101202);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Get ESENT\\Process key contents"; return "Get ESENT\\Process key contents";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching esent v.".$VERSION); ::logMsg("Launching esent v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("esent v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $key_path = "Microsoft\\ESENT\\Process"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Microsoft\\ESENT\\Process";
::rptMsg($key_path); my $key;
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @sk = $key->get_list_of_subkeys(); ::rptMsg("");
if (scalar(@sk) > 0) { my @sk = $key->get_list_of_subkeys();
my %esent;
if (scalar(@sk) > 0) {
foreach my $s (@sk) { my %esent;
my $sk = $s->get_subkey("DEBUG");
# my $lw = $s->get_timestamp(); foreach my $s (@sk) {
my $lw = $sk->get_timestamp(); my $sk = $s->get_subkey("DEBUG");
# my $lw = $s->get_timestamp();
my $name = $s->get_name(); my $lw = $sk->get_timestamp();
push(@{$esent{$lw}},$name); my $name = $s->get_name();
}
push(@{$esent{$lw}},$name);
foreach my $t (reverse sort {$a <=> $b} keys %esent) { }
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$esent{$t}}) { foreach my $t (reverse sort {$a <=> $b} keys %esent) {
::rptMsg(" $item"); ::rptMsg(gmtime($t)." (UTC)");
} foreach my $item (@{$esent{$t}}) {
} ::rptMsg(" $item");
}
} }
else {
::rptMsg($key_path." has no subkeys."); }
} else {
} ::rptMsg($key_path." has no subkeys.");
else { }
::rptMsg($key_path." not found."); }
} else {
} ::rptMsg($key_path." not found.");
}
}
1; 1;
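Review bot: In the subkey loop, `my $sk = $s->get_subkey("DEBUG");` is followed by `$sk->get_timestamp()` with no check, so a process subkey without a DEBUG child aborts the whole plugin with a can't-call-method error instead of producing a partial report. The commented-out `$s->get_timestamp()` line already suggests the fallback: `my $lw = defined $sk ? $sk->get_timestamp() : $s->get_timestamp();`. Also, the new banner line reads `$config{hive}` directly whereas every other plugin in this commit uses `getHive()` for the same string; the accessor keeps them consistent.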


@ -1,156 +1,158 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# eventlog.pl # eventlog.pl
# #
# copyright 2008 H. Carvey, keydet89@yahoo.com # copyright 2008 H. Carvey, keydet89@yahoo.com
#----------------------------------------------------------- #-----------------------------------------------------------
package eventlog; package eventlog;
use strict; use strict;
my %config = (hive => "System", my %config = (hive => "System",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20090112); version => 20090112);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Get EventLog configuration info"; return "Get EventLog configuration info";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching eventlog v.".$VERSION); ::logMsg("Launching eventlog v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("eventlog v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
# Code for System file, getting CurrentControlSet my $root_key = $reg->get_root_key;
my $current;
my $key_path = 'Select'; # Code for System file, getting CurrentControlSet
my $key; my $current;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Select';
$current = $key->get_value("Current")->get_data(); my $key;
if ($key = $root_key->get_subkey($key_path)) {
my $evt_path = "ControlSet00".$current."\\Services\\Eventlog"; $current = $key->get_value("Current")->get_data();
my $evt;
if ($evt = $root_key->get_subkey($evt_path)) { my $evt_path = "ControlSet00".$current."\\Services\\Eventlog";
::rptMsg(""); my $evt;
my @subkeys = $evt->get_list_of_subkeys(); if ($evt = $root_key->get_subkey($evt_path)) {
if (scalar (@subkeys) > 0) { ::rptMsg("");
foreach my $s (@subkeys) { my @subkeys = $evt->get_list_of_subkeys();
my $logname = $s->get_name(); if (scalar (@subkeys) > 0) {
::rptMsg($logname." \\ ".scalar gmtime($s->get_timestamp())."Z"); foreach my $s (@subkeys) {
eval { my $logname = $s->get_name();
my $file = $s->get_value("File")->get_data(); ::rptMsg($logname." \\ ".scalar gmtime($s->get_timestamp())."Z");
::rptMsg(" File = ".$file); eval {
}; my $file = $s->get_value("File")->get_data();
::rptMsg(" File = ".$file);
eval { };
my $display = $s->get_value("DisplayNameFile")->get_data();
::rptMsg(" DisplayNameFile = ".$display); eval {
}; my $display = $s->get_value("DisplayNameFile")->get_data();
::rptMsg(" DisplayNameFile = ".$display);
eval { };
my $max = $s->get_value("MaxSize")->get_data();
::rptMsg(" MaxSize = ".processSize($max)); eval {
}; my $max = $s->get_value("MaxSize")->get_data();
::rptMsg(" MaxSize = ".processSize($max));
eval { };
my $ret = $s->get_value("Retention")->get_data();
::rptMsg(" Retention = ".processRetention($ret)); eval {
}; my $ret = $s->get_value("Retention")->get_data();
::rptMsg(" Retention = ".processRetention($ret));
# AutoBackupLogFiles; http://support.microsoft.com/kb/312571/ };
eval {
my $auto = $s->get_value("AutoBackupLogFiles")->get_data(); # AutoBackupLogFiles; http://support.microsoft.com/kb/312571/
::rptMsg(" AutoBackupLogFiles = ".$auto); eval {
}; my $auto = $s->get_value("AutoBackupLogFiles")->get_data();
::rptMsg(" AutoBackupLogFiles = ".$auto);
# Check WarningLevel value on Security EventLog; http://support.microsoft.com/kb/945463 };
eval {
if ($logname eq "Security") { # Check WarningLevel value on Security EventLog; http://support.microsoft.com/kb/945463
my $wl = $s->get_value("WarningLevel")->get_data(); eval {
::rptMsg(" WarningLevel = ".$wl); if ($logname eq "Security") {
} my $wl = $s->get_value("WarningLevel")->get_data();
}; ::rptMsg(" WarningLevel = ".$wl);
}
::rptMsg(""); };
}
::rptMsg("");
} }
else {
::rptMsg($evt_path." has no subkeys."); }
} else {
} ::rptMsg($evt_path." has no subkeys.");
else { }
::rptMsg($evt_path." not found."); }
::logMsg($evt_path." not found."); else {
} ::rptMsg($evt_path." not found.");
} ::logMsg($evt_path." not found.");
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} ::logMsg($key_path." not found.");
1; }
}
sub processSize { 1;
my $sz = shift;
sub processSize {
my $kb = 1024; my $sz = shift;
my $mb = $kb * 1024;
my $gb = $mb * 1024; my $kb = 1024;
my $mb = $kb * 1024;
if ($sz > $gb) { my $gb = $mb * 1024;
my $d = $sz/$gb;
my $l = length((split(/\./,$d,2))[0]) + 2; if ($sz > $gb) {
return sprintf "%$l.2fGB",$d; my $d = $sz/$gb;
} my $l = length((split(/\./,$d,2))[0]) + 2;
elsif ($sz > $mb) { return sprintf "%$l.2fGB",$d;
my $d = $sz/$mb; }
my $l = length((split(/\./,$d,2))[0]) + 2; elsif ($sz > $mb) {
return sprintf "%$l.2fMB",$d; my $d = $sz/$mb;
} my $l = length((split(/\./,$d,2))[0]) + 2;
elsif ($sz > $kb) { return sprintf "%$l.2fMB",$d;
my $d = $sz/$kb; }
my $l = length((split(/\./,$d,2))[0]) + 2; elsif ($sz > $kb) {
return sprintf "%$l.2fKB",$d; my $d = $sz/$kb;
} my $l = length((split(/\./,$d,2))[0]) + 2;
else {return $sz."B"}; return sprintf "%$l.2fKB",$d;
} }
else {return $sz."B"};
sub processRetention { }
# Retention maintained in seconds
# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/ sub processRetention {
# regentry/30709.mspx?mfr=true # Retention maintained in seconds
my $ret = shift; # http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/
# regentry/30709.mspx?mfr=true
my $min = 60; my $ret = shift;
my $hr = $min * 60;
my $day = $hr * 24; my $min = 60;
my $hr = $min * 60;
if ($ret > $day) { my $day = $hr * 24;
my $d = $ret/$day;
my $l = length((split(/\./,$d,2))[0]) + 2; if ($ret > $day) {
return sprintf "%$l.2f days",$d; my $d = $ret/$day;
} my $l = length((split(/\./,$d,2))[0]) + 2;
elsif ($ret > $hr) { return sprintf "%$l.2f days",$d;
my $d = $ret/$hr; }
my $l = length((split(/\./,$d,2))[0]) + 2; elsif ($ret > $hr) {
return sprintf "%$l.2f hr",$d; my $d = $ret/$hr;
} my $l = length((split(/\./,$d,2))[0]) + 2;
elsif ($ret > $min) { return sprintf "%$l.2f hr",$d;
my $d = $ret/$min; }
my $l = length((split(/\./,$d,2))[0]) + 2; elsif ($ret > $min) {
return sprintf "%$l.2f min",$d; my $d = $ret/$min;
} my $l = length((split(/\./,$d,2))[0]) + 2;
else {return $ret." sec"}; return sprintf "%$l.2f min",$d;
}
else {return $ret." sec"};
} }
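Review bot: `$current = $key->get_value("Current")->get_data();` runs unguarded, so a Select key without a Current value kills the plugin with a can't-call-method error, while every later lookup in the same function is wrapped in `eval`. Fetching the value object first, `my $cur = $key->get_value("Current");`, and reporting then returning when `defined $cur` is false keeps the failure mode consistent with the rest of the file. The `eval` blocks themselves discard `$@`, so a missing value and a decoding error look identical in the output; a `::logMsg($logname.": ".$@) if $@;` after each block would make the report's gaps explainable.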


@ -1,98 +1,100 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# eventlogs.pl # eventlogs.pl
# Author: Don C. Weber # Author: Don C. Weber
# Plugin for Registry Ripper; Access System hive file to get the # Plugin for Registry Ripper; Access System hive file to get the
# Event Log settings from System hive # Event Log settings from System hive
# #
# Change history # Change history
# #
# #
# References # References
# Eventlog Key: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx # Eventlog Key: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx
# #
# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security # Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
#----------------------------------------------------------- #-----------------------------------------------------------
package eventlogs; package eventlogs;
use strict; use strict;
my %config = (hive => "System", my %config = (hive => "System",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20081219); version => 20081219);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets Event Log settings from System hive"; return "Gets Event Log settings from System hive";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching eventlogs v.".$VERSION); ::logMsg("Launching eventlogs v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("eventlogs v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
# First thing to do is get the ControlSet00x marked current...this is my $reg = Parse::Win32Registry->new($hive);
# going to be used over and over again in plugins that access the system my $root_key = $reg->get_root_key;
# file # First thing to do is get the ControlSet00x marked current...this is
my $current; # going to be used over and over again in plugins that access the system
my $key_path = 'Select'; # file
my $key; my $current;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = 'Select';
$current = $key->get_value("Current")->get_data(); my $key;
my $ccs = "ControlSet00".$current; if ($key = $root_key->get_subkey($key_path)) {
my $win_path = $ccs."\\Services\\Eventlog"; $current = $key->get_value("Current")->get_data();
my $win; my $ccs = "ControlSet00".$current;
if ($win = $root_key->get_subkey($win_path)) { my $win_path = $ccs."\\Services\\Eventlog";
::rptMsg("EventLog Configuration"); my $win;
::rptMsg($win_path); if ($win = $root_key->get_subkey($win_path)) {
::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)"); ::rptMsg("EventLog Configuration");
my $cn; ::rptMsg($win_path);
if ($cn = $win->get_value("ComputerName")->get_data()) { ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)");
::rptMsg("ComputerName = ".$cn); my $cn;
} if ($cn = $win->get_value("ComputerName")->get_data()) {
else { ::rptMsg("ComputerName = ".$cn);
::rptMsg("ComputerName value not found."); }
} else {
} ::rptMsg("ComputerName value not found.");
else { }
::rptMsg($win_path." not found."); }
} else {
::rptMsg($win_path." not found.");
# Cycle through each type of log }
my $logname;
my $evpath; # Cycle through each type of log
my $evlog; my $logname;
my @list_logs = $win->get_list_of_subkeys(); my $evpath;
foreach $logname (@list_logs){ my $evlog;
::rptMsg(""); my @list_logs = $win->get_list_of_subkeys();
$evpath = $win_path."\\".$logname->get_name(); foreach $logname (@list_logs){
if ($evlog = $root_key->get_subkey($evpath)) { ::rptMsg("");
::rptMsg(" ".$logname->get_name()." EventLog"); $evpath = $win_path."\\".$logname->get_name();
::rptMsg(" ".$evpath); if ($evlog = $root_key->get_subkey($evpath)) {
::rptMsg(" LastWrite Time ".gmtime($evlog->get_timestamp())." (UTC)"); ::rptMsg(" ".$logname->get_name()." EventLog");
::rptMsg(" Configuration Settings"); ::rptMsg(" ".$evpath);
::rptMsg(" Log location: ".$evlog->get_value('File')->get_data()); ::rptMsg(" LastWrite Time ".gmtime($evlog->get_timestamp())." (UTC)");
::rptMsg(" Log Size: ".$evlog->get_value('MaxSize')->get_data()." Bytes"); ::rptMsg(" Configuration Settings");
($evlog->get_value('AutoBackupLogFiles') == 0x0) ? ::rptMsg(" AutoBackupLogFiles is Disabled") : ::rptMsg(" AutoBackupLogFiles is Enabled") ::rptMsg(" Log location: ".$evlog->get_value('File')->get_data());
} ::rptMsg(" Log Size: ".$evlog->get_value('MaxSize')->get_data()." Bytes");
else { ($evlog->get_value('AutoBackupLogFiles') == 0x0) ? ::rptMsg(" AutoBackupLogFiles is Disabled") : ::rptMsg(" AutoBackupLogFiles is Enabled")
::rptMsg($logname->get_name()." Event Log not found."); }
} else {
} ::rptMsg($logname->get_name()." Event Log not found.");
::rptMsg(""); }
::rptMsg("Analysis Tips: For Event Log settings information check: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx"); }
} ::rptMsg("");
else { ::rptMsg("Analysis Tips: For Event Log settings information check: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx");
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} ::logMsg($key_path." not found.");
}
}
1; 1;
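Review bot: When `$root_key->get_subkey($win_path)` fails, the `else` branch only prints `$win_path." not found."` and execution falls through to `my @list_logs = $win->get_list_of_subkeys();` with `$win` undefined, so the not-found case dies mid-report rather than ending cleanly; add `return;` after the message, or move the per-log loop inside the `if`. The per-log lines `$evlog->get_value('File')->get_data()`, `get_value('MaxSize')` and `get_value('AutoBackupLogFiles')` are likewise unguarded, whereas eventlog.pl in this same commit wraps each of them in `eval`. The same applies to `$win->get_value("ComputerName")->get_data()`, which dies instead of reaching the `ComputerName value not found.` branch when the value is absent.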


@ -1,73 +1,75 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# fileexts.pl # fileexts.pl
# #
# copyright 2008 H. Carvey, keydet89@yahoo.com # copyright 2008 H. Carvey, keydet89@yahoo.com
#----------------------------------------------------------- #-----------------------------------------------------------
package fileexts; package fileexts;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
osmask => 22, osmask => 22,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20080818); version => 20080818);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Get user FileExts values"; return "Get user FileExts values";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching fileexts v.".$VERSION); ::logMsg("Launching fileexts v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("fileexts v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts"; my $root_key = $reg->get_root_key;
my $key;
if ($key = $root_key->get_subkey($key_path)) { my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts";
::rptMsg("fileexts"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg(""); ::rptMsg("fileexts");
::rptMsg($key_path);
my @sk = $key->get_list_of_subkeys(); ::rptMsg("");
if (scalar(@sk) > 0) {
foreach my $s (@sk) { my @sk = $key->get_list_of_subkeys();
my $name = $s->get_name(); if (scalar(@sk) > 0) {
next unless ($name =~ m/^\.\w+/); foreach my $s (@sk) {
my $name = $s->get_name();
eval { next unless ($name =~ m/^\.\w+/);
my $data = $s->get_subkey("OpenWithList")->get_value("MRUList")->get_data();
if ($data =~ m/^\w/) { eval {
::rptMsg("File Extension: ".$name); my $data = $s->get_subkey("OpenWithList")->get_value("MRUList")->get_data();
::rptMsg("LastWrite: ".gmtime($s->get_subkey("OpenWithList")->get_timestamp())); if ($data =~ m/^\w/) {
::rptMsg("MRUList: ".$data); ::rptMsg("File Extension: ".$name);
my @list = split(//,$data); ::rptMsg("LastWrite: ".gmtime($s->get_subkey("OpenWithList")->get_timestamp()));
foreach my $l (@list) { ::rptMsg("MRUList: ".$data);
my $valdata = $s->get_subkey("OpenWithList")->get_value($l)->get_data(); my @list = split(//,$data);
::rptMsg(" ".$l." => ".$valdata); foreach my $l (@list) {
} my $valdata = $s->get_subkey("OpenWithList")->get_value($l)->get_data();
::rptMsg(""); ::rptMsg(" ".$l." => ".$valdata);
} }
}; ::rptMsg("");
} }
} };
else { }
::rptMsg($key_path." does not have subkeys."); }
} else {
} ::rptMsg($key_path." does not have subkeys.");
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} ::logMsg($key_path." not found.");
}
}
1; 1;
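Review bot: `$s->get_subkey("OpenWithList")` is looked up three times per extension and once more for every MRU entry inside the inner loop; hoisting it once, `my $owl = $s->get_subkey("OpenWithList");`, and reusing `$owl` makes the eval body read as a single lookup. The `eval` also discards `$@`, so an extension whose OpenWithList exists but whose MRUList value is malformed vanishes from the report without trace; a `::logMsg($name.": ".$@) if $@;` after the block keeps that visible.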

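--- /dev/null
+++ b/filehistory.pl
@@ -0,0 +1,95 @@
+#-----------------------------------------------------------
+# filehistory.pl
+# Get filehistory settings
+#
+# Change history
+# 20120722 - updated %config hash
+# 20120620 - updated/modified by H. Carvey
+# 20120607 - created by K. Johnson
+#
+# References
+# This RegRipper plugin was created based on research I have done on
+# the FileHistory Feature of Windows 8.
+# http://randomthoughtsofforensics.blogspot.com/
+#
+# FileHistoy Plugin copyright 2012 K. Johnson
+# Edited by H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package filehistory;
+use strict;
+my %config = (hive => "NTUSER\.DAT",
+hivemask => 16,
+output => "report",
+category => "",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 0,
+osmask => 32, #Windows 8
+version => 20120620);
+sub getConfig{return %config}
+sub getShortDescr {
+return "Gets filehistory settings";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+my $VERSION = getVersion();
+sub pluginmain {
+my $class = shift;
+my $ntuser = shift;
+::logMsg("Launching filehistory v.".$VERSION);
+::rptMsg("filehistory v.".$VERSION); # banner
+::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+my $reg = Parse::Win32Registry->new($ntuser);
+my $root_key = $reg->get_root_key;
+my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\FileHistory";
+my $key;
+if ($key = $root_key->get_subkey($key_path)) {
+::rptMsg($key_path);
+::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+::rptMsg("");
+my @vals = $key->get_list_of_values();
+if (scalar(@vals) > 0) {
+foreach my $v (@vals) {
+if ($v->get_name() eq "ProtectedUpToTime") {
+my @t = unpack("VV",$v->get_data());
+my $pft = ::getTime($t[0],$t[1]);
+::rptMsg(" ProtectedUpToTime = ".gmtime($pft)." (UTC)");
+}
+if ($v->get_name() eq "ReassociationPerformed") {
+::rptMsg(sprintf "%-20s 0x%x","ReassociationPerformed",$v->get_data());
+}
+if ($v->get_name() eq "RestoreAllowed") {
+::rptMsg(sprintf "%-20s 0x%x","RestoreAllowed",$v->get_data());
+}
+if ($v->get_name() eq "SearchRebuildRequired") {
+::rptMsg(sprintf "%-20s 0x%x","SearchRebuildRequired",$v->get_data());
+}
+if ($v->get_name() eq "TargetChanged") {
+::rptMsg(sprintf "%-20s 0x%x","TargetChanged",$v->get_data());
+}
+}
+}
+else {
+::rptMsg($key_path." has no values.");
+::rptMsg("File History may not be configured for this user.");
+}
+}
+else {
+::rptMsg($key_path." not found.");
+}
+}
+1;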
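Review bot: The loop over `@vals` compares `$v->get_name()` against five hard-coded names with independent `if` statements and silently drops every other value, so anything the plugin does not know about leaves no trace in the report; an `elsif` chain ending in `else { ::rptMsg(sprintf "%-20s %s",$v->get_name(),$v->get_data_as_string()); }` reports it instead. The `%config` hash also carries `hivemask`, `output` and `category` keys that none of the other plugins in this commit define — presumably a newer plugin template; a one-line comment on what the host does with them would save the next reader a search.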


@ -1,95 +1,96 @@
#! c:\perl\bin\perl.exe #! c:\perl\bin\perl.exe
#----------------------------------------------------------- #-----------------------------------------------------------
# findexes.pl # findexes.pl
# Plugin for RegRipper; traverses through a Registry hive, # Plugin for RegRipper; traverses through a Registry hive,
# looking for values with binary data types, and checks to see # looking for values with binary data types, and checks to see
# if they start with "MZ"; if so, records the value path, key # if they start with "MZ"; if so, records the value path, key
# LastWrite time, and length of the data # LastWrite time, and length of the data
# #
# Change history # Change history
# 20090728 - Created # 20090728 - Created
# #
# copyright 2009 H. Carvey # copyright 2009 H. Carvey
#----------------------------------------------------------- #-----------------------------------------------------------
package findexes; package findexes;
use strict; use strict;
my %config = (hive => "All", my %config = (hive => "All",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20090728); version => 20090728);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Scans a hive file looking for binary value data that contains MZ"; return "Scans a hive file looking for binary value data that contains MZ";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
my %vals; my %vals;
my $bin_count = 0; my $bin_count = 0;
my $exe_count = 0; my $exe_count = 0;
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $file = shift; my $file = shift;
my $reg = Parse::Win32Registry->new($file); my $reg = Parse::Win32Registry->new($file);
my $root_key = $reg->get_root_key; my $root_key = $reg->get_root_key;
::logMsg("Launching findexes v.".$VERSION); ::logMsg("Launching findexes v.".$VERSION);
::rptMsg("findexes v.".$VERSION); # banner
traverse($root_key); ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
# Data structure containing findings is a hash of hashes traverse($root_key);
foreach my $k (keys %vals) { # Data structure containing findings is a hash of hashes
::rptMsg("Key: ".$k." LastWrite time: ".gmtime($vals{$k}{lastwrite})); foreach my $k (keys %vals) {
foreach my $i (keys %{$vals{$k}}) { ::rptMsg("Key: ".$k." LastWrite time: ".gmtime($vals{$k}{lastwrite}));
next if ($i eq "lastwrite"); foreach my $i (keys %{$vals{$k}}) {
::rptMsg(" Value: ".$i." Length: ".$vals{$k}{$i}." bytes"); next if ($i eq "lastwrite");
} ::rptMsg(" Value: ".$i." Length: ".$vals{$k}{$i}." bytes");
::rptMsg(""); }
} ::rptMsg("");
::rptMsg("Number of values w/ binary data types: ".$bin_count); }
::rptMsg("Number of values w/ MZ in binary data: ".$exe_count); ::rptMsg("Number of values w/ binary data types: ".$bin_count);
} ::rptMsg("Number of values w/ MZ in binary data: ".$exe_count);
}
sub traverse {
my $key = shift; sub traverse {
# my $ts = $key->get_timestamp(); my $key = shift;
# my $ts = $key->get_timestamp();
foreach my $val ($key->get_list_of_values()) {
my $type = $val->get_type(); foreach my $val ($key->get_list_of_values()) {
if ($type == 0 || $type == 3) { my $type = $val->get_type();
$bin_count++; if ($type == 0 || $type == 3) {
my $data = $val->get_data(); $bin_count++;
# This code looks for data that starts with MZ my $data = $val->get_data();
# my $i = unpack("v",substr($data,0,2)); # This code looks for data that starts with MZ
# if ($i == 0x5a4d) { # my $i = unpack("v",substr($data,0,2));
if (grep(/MZ/,$data)) { # if ($i == 0x5a4d) {
$exe_count++; if (grep(/MZ/,$data)) {
my $path; $exe_count++;
my @p = split(/\\/,$key->get_path()); my $path;
if (scalar(@p) == 1) { my @p = split(/\\/,$key->get_path());
$path = "root"; if (scalar(@p) == 1) {
} $path = "root";
else { }
shift(@p); else {
$path = join('\\',@p); shift(@p);
} $path = join('\\',@p);
}
$vals{$path}{lastwrite} = $key->get_timestamp();
$vals{$path}{$val->get_name()} = length($data); $vals{$path}{lastwrite} = $key->get_timestamp();
} $vals{$path}{$val->get_name()} = length($data);
} }
} }
}
foreach my $subkey ($key->get_list_of_subkeys()) {
traverse($subkey); foreach my $subkey ($key->get_list_of_subkeys()) {
} traverse($subkey);
} }
}
1; 1;
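Review bot: `if (grep(/MZ/,$data))` matches the two bytes anywhere in the value data, while the file header and the commented-out `unpack("v",substr($data,0,2))` both describe a check for data that starts with MZ; as written, `$exe_count` and `%vals` include every binary value that merely contains that byte pair somewhere. `if (substr($data,0,2) eq "MZ")` implements the documented test; if the anywhere-match is actually intended, `$data =~ /MZ/` is the idiomatic form and the header comment should change instead. Separately, `%vals`, `$bin_count` and `$exe_count` are file-scoped and never reset inside `pluginmain`, so if the host loads the module once and runs it against several hives (not determinable from here) findings and counts accumulate across runs; initialising them at the top of `pluginmain` avoids that.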


@ -1,116 +1,118 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# fw_config # fw_config
# #
# References # References
# http://technet2.microsoft.com/WindowsServer/en/library/47f25d7d- # http://technet2.microsoft.com/WindowsServer/en/library/47f25d7d-
# 882b-4f87-b05f-31e5664fc15e1033.mspx?mfr=true # 882b-4f87-b05f-31e5664fc15e1033.mspx?mfr=true
# #
# #
# copyright 2008 H. Carvey, keydet89@yahoo.com # copyright 2008 H. Carvey, keydet89@yahoo.com
#----------------------------------------------------------- #-----------------------------------------------------------
package fw_config; package fw_config;
use strict; use strict;
my %config = (hive => "System", my %config = (hive => "System",
osmask => 20, osmask => 20,
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
version => 20080328); version => 20080328);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets the Windows Firewall config from the System hive"; return "Gets the Windows Firewall config from the System hive";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
::logMsg("Launching fw_config v.".$VERSION); ::logMsg("Launching fw_config v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive); ::rptMsg("fw_config v.".$VERSION); # banner
my $root_key = $reg->get_root_key; ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
# Code for System file, getting CurrentControlSet my $reg = Parse::Win32Registry->new($hive);
my $current; my $root_key = $reg->get_root_key;
my $ccs; # Code for System file, getting CurrentControlSet
my $select_path = 'Select'; my $current;
my $sel; my $ccs;
if ($sel = $root_key->get_subkey($select_path)) { my $select_path = 'Select';
$current = $sel->get_value("Current")->get_data(); my $sel;
$ccs = "ControlSet00".$current; if ($sel = $root_key->get_subkey($select_path)) {
} $current = $sel->get_value("Current")->get_data();
else { $ccs = "ControlSet00".$current;
::rptMsg($select_path." could not be found."); }
::logMsg($select_path." could not be found."); else {
return; ::rptMsg($select_path." could not be found.");
} ::logMsg($select_path." could not be found.");
return;
my @profiles = ("DomainProfile","StandardProfile"); }
foreach my $profile (@profiles) {
my $key_path = $ccs."\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\".$profile; my @profiles = ("DomainProfile","StandardProfile");
my $key; foreach my $profile (@profiles) {
if ($key = $root_key->get_subkey($key_path)) { my $key_path = $ccs."\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\".$profile;
::rptMsg("Windows Firewall Configuration"); my $key;
::rptMsg($key_path); if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); ::rptMsg("Windows Firewall Configuration");
::rptMsg($key_path);
my %vals = getKeyValues($key); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
if (scalar(keys %vals) > 0) {
foreach my $v (keys %vals) { my %vals = getKeyValues($key);
::rptMsg("\t".$v." -> ".$vals{$v}); if (scalar(keys %vals) > 0) {
} foreach my $v (keys %vals) {
} ::rptMsg("\t".$v." -> ".$vals{$v});
else { }
# ::rptMsg($key_path." has no values."); }
} else {
# ::rptMsg($key_path." has no values.");
my @configs = ("RemoteAdminSettings", }
"IcmpSettings",
"GloballyOpenPorts\\List", my @configs = ("RemoteAdminSettings",
"AuthorizedApplications\\List"); "IcmpSettings",
"GloballyOpenPorts\\List",
foreach my $config (@configs) { "AuthorizedApplications\\List");
eval {
my %vals = getKeyValues($key->get_subkey($config)); foreach my $config (@configs) {
if (scalar(keys %vals) > 0) { eval {
::rptMsg(""); my %vals = getKeyValues($key->get_subkey($config));
::rptMsg($key_path."\\".$config); if (scalar(keys %vals) > 0) {
::rptMsg("LastWrite Time ".gmtime($key->get_subkey($config)->get_timestamp())." (UTC)"); ::rptMsg("");
foreach my $v (keys %vals) { ::rptMsg($key_path."\\".$config);
::rptMsg("\t".$v." -> ".$vals{$v}); ::rptMsg("LastWrite Time ".gmtime($key->get_subkey($config)->get_timestamp())." (UTC)");
} foreach my $v (keys %vals) {
} ::rptMsg("\t".$v." -> ".$vals{$v});
}; }
} }
} };
else { }
::rptMsg($key_path." not found."); }
::logMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
::rptMsg(""); ::logMsg($key_path." not found.");
} # end foreach }
} ::rptMsg("");
} # end foreach
sub getKeyValues { }
my $key = shift;
my %vals; sub getKeyValues {
my $key = shift;
my @vk = $key->get_list_of_values(); my %vals;
if (scalar(@vk) > 0) {
foreach my $v (@vk) { my @vk = $key->get_list_of_values();
next if ($v->get_name() eq "" && $v->get_data() eq ""); if (scalar(@vk) > 0) {
$vals{$v->get_name()} = $v->get_data(); foreach my $v (@vk) {
} next if ($v->get_name() eq "" && $v->get_data() eq "");
} $vals{$v->get_name()} = $v->get_data();
else { }
}
} else {
return %vals;
} }
return %vals;
}
1; 1;
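Review bot: `$ccs = "ControlSet00".$current;` in pluginmain produces the wrong key name for any `Current` value of 10 or more, and the preceding `$sel->get_value("Current")->get_data()` calls a method on undef when the value is absent, which (unless the caller wraps pluginmain in an eval) aborts the plugin right after the new banner lines. Check the value and format the number: `my $cur = $sel->get_value("Current") or do { ::rptMsg($select_path."\\Current not found."); return; };` then `$ccs = sprintf("ControlSet%03d", $cur->get_data());`. The `else {}` branch in getKeyValues is empty and can be dropped, and the `eval` around each `getKeyValues($key->get_subkey($config))` discards `$@`, so a missing firewall sub-key is silently skipped where the top-level key gets an explicit "not found" line.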


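--- /dev/null
+++ b/gauss.pl
+#-----------------------------------------------------------
+# gauss.pl
+# Checks Software hive for existance of TimeStampforUI value
+# beneath the Reliability key within the Software hive. According
+# to the Kasperky write-up for the malware, the configuration file is
+# written to a binary value named "TimeStampforUI".
+#
+# copyright 2012 Quantum Analytics Research, LLC
+# Author H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package gauss;
+use strict;
+my %config = (hive => "Software",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 1,
+osmask => 22,
+version => 20120809);
+sub getConfig{return %config}
+sub getShortDescr {
+return "Checks Reliability key for TimeStampforUI value";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+my $VERSION = getVersion();
+sub pluginmain {
+my $class = shift;
+my $hive = shift;
+::logMsg("Launching gauss v.".$VERSION);
+::rptMsg("Launching gauss v.".$VERSION);
+::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+my @key_paths = ('Microsoft\\Windows\\CurrentVersion\\Reliability',
+'Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Reliability');
+::rptMsg("gauss v\.".$VERSION);
+foreach my $key_path (@key_paths) {
+my $key;
+my $notfound = 1;
+if ($key = $root_key->get_subkey($key_path)) {
+::rptMsg($key_path);
+::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+my @vals = $key->get_list_of_values();
+foreach my $v (@vals) {
+my $name = $v->get_name();
+if ($name eq "TimeStampforUI") {
+::rptMsg("TimeStampforUI value found.");
+$notfound = 0;
+}
+}
+::rptMsg("TimeStampforUI value not found.") if ($notfound);
+}
+else {
+::rptMsg($key_path." not found.");
+}
+::rptMsg("");
+}
+}
+1;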
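Review bot: `hasRefs => 1` in `%config` promises references, but `sub getRefs {}` returns an empty list, so a caller that honours the flag gets nothing; either set `hasRefs => 0` or have getRefs return the write-up the header comment cites (the URL is not on the page, so it has to be supplied by the author). The banner is also printed twice and in a different shape from the other plugins in this commit: `::rptMsg("Launching gauss v.".$VERSION);` at the top and `::rptMsg("gauss v\.".$VERSION);` after the key list; keep one line as `::rptMsg("gauss v.".$VERSION);` before the hive/description line and drop the other (`\.` inside a double-quoted string is a plain dot and would warn under `use warnings`). Finally, the match on the value name alone only tells the examiner that something called `TimeStampforUI` exists; reporting `$v->get_type()` and `length($v->get_data())` on the hit would let a reader distinguish the binary configuration blob the header describes from a benign value that happens to share the name.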


@ -1,71 +1,72 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# gthist.pl # gthist.pl
# Google Toolbar Search History plugin # Google Toolbar Search History plugin
# #
# #
# Change history # Change history
# 20100218 - created # 20100218 - created
# #
# References # References
# #
# #
# #
# copyright 2010 Quantum Analytics Research, LLC # copyright 2010 Quantum Analytics Research, LLC
#----------------------------------------------------------- #-----------------------------------------------------------
package gthist; package gthist;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20100218); version => 20100218);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets Google Toolbar Search History"; return "Gets Google Toolbar Search History";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
my %hist; my %hist;
::logMsg("Launching gthist v.".$VERSION); ::logMsg("Launching gthist v.".$VERSION);
::rptMsg("gthist v.".$VERSION); # banner
my $reg = Parse::Win32Registry->new($ntuser); ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $root_key = $reg->get_root_key; my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Google\\NavClient\\1.1\\History';
my $key; my $key_path = 'Software\\Google\\NavClient\\1.1\\History';
if ($key = $root_key->get_subkey($key_path)) { my $key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
my @vals = $key->get_list_of_values(); ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
if (scalar @vals > 0) { my @vals = $key->get_list_of_values();
::rptMsg(""); if (scalar @vals > 0) {
foreach my $v (@vals) { ::rptMsg("");
my $tv = unpack("V",$v->get_data()); foreach my $v (@vals) {
$hist{$tv} = $v->get_name(); my $tv = unpack("V",$v->get_data());
} $hist{$tv} = $v->get_name();
}
foreach my $t (reverse sort {$a <=> $b} keys %hist) {
my $str = gmtime($t)." ".$hist{$t}; foreach my $t (reverse sort {$a <=> $b} keys %hist) {
::rptMsg($str); my $str = gmtime($t)." ".$hist{$t};
} ::rptMsg($str);
} }
else { }
::rptMsg($key_path." has no values."); else {
} ::rptMsg($key_path." has no values.");
} }
else { }
::rptMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} }
}
1; 1;
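Review bot: `$hist{$tv} = $v->get_name();` keys the history by the unpacked timestamp, so two searches recorded in the same second overwrite each other and one silently disappears from the report; `unpack("V", ...)` also returns nothing (undef in `$tv`) for data shorter than four bytes, which then sorts as 0 and prints as the epoch. Store a list per timestamp instead: `push @{ $hist{$tv} }, $v->get_name();` and in the output loop `::rptMsg(gmtime($t)." ".$_) for @{ $hist{$t} };`, with `next if length($v->get_data()) < 4;` ahead of the unpack so malformed values are skipped rather than misdated.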


@ -1,74 +1,75 @@
#----------------------------------------------------------- #-----------------------------------------------------------
# gtwhitelist.pl # gtwhitelist.pl
# Google Toolbar Search History plugin # Google Toolbar Search History plugin
# #
# #
# Change history # Change history
# 20100218 - created # 20100218 - created
# #
# References # References
# #
# #
# #
# copyright 2010 Quantum Analytics Research, LLC # copyright 2010 Quantum Analytics Research, LLC
#----------------------------------------------------------- #-----------------------------------------------------------
package gtwhitelist; package gtwhitelist;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1, hasShortDescr => 1,
hasDescr => 0, hasDescr => 0,
hasRefs => 0, hasRefs => 0,
osmask => 22, osmask => 22,
version => 20100218); version => 20100218);
sub getConfig{return %config} sub getConfig{return %config}
sub getShortDescr { sub getShortDescr {
return "Gets Google Toolbar whitelist values"; return "Gets Google Toolbar whitelist values";
} }
sub getDescr{} sub getDescr{}
sub getRefs {} sub getRefs {}
sub getHive {return $config{hive};} sub getHive {return $config{hive};}
sub getVersion {return $config{version};} sub getVersion {return $config{version};}
my $VERSION = getVersion(); my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
my %hist; my %hist;
::logMsg("Launching gtwhitelist v.".$VERSION); ::logMsg("Launching gtwhitelist v.".$VERSION);
::rptMsg("gtwhitelist v.".$VERSION); # banner
my $reg = Parse::Win32Registry->new($ntuser); ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $root_key = $reg->get_root_key; my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Google\\Google Toolbar\\4.0\\whitelist';
my $key; my $key_path = 'Software\\Google\\Google Toolbar\\4.0\\whitelist';
if ($key = $root_key->get_subkey($key_path)) { my $key;
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); if ($key = $root_key->get_subkey($key_path)) {
my $allow2; ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
eval { my $allow2;
$allow2 = $key->get_value("allow2")->get_data(); eval {
my @vals = split(/\|/,$allow2); $allow2 = $key->get_value("allow2")->get_data();
::rptMsg(""); my @vals = split(/\|/,$allow2);
::rptMsg("whitelist"); ::rptMsg("");
foreach my $v (@vals) { ::rptMsg("whitelist");
next if ($v eq ""); foreach my $v (@vals) {
::rptMsg(" ".$v); next if ($v eq "");
} ::rptMsg(" ".$v);
::rptMsg(""); }
}; ::rptMsg("");
};
my $lastmod;
eval { my $lastmod;
$lastmod = $key->get_value("lastmod")->get_data(); eval {
::rptMsg("lastmod ".gmtime($lastmod)." (UTC)"); $lastmod = $key->get_value("lastmod")->get_data();
}; ::rptMsg("lastmod ".gmtime($lastmod)." (UTC)");
};
}
else { }
::rptMsg($key_path." not found."); else {
} ::rptMsg($key_path." not found.");
} }
}
1; 1;
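Review bot: both `eval { ... }` blocks in pluginmain discard `$@`, so a missing `allow2` or `lastmod` value leaves no trace in the report of why the whitelist section is absent, unlike the explicit "not found" line the key itself gets. Test the values directly instead of relying on the eval: `if (my $av = $key->get_value("allow2")) { ... } else { ::rptMsg("allow2 value not found."); }`, and the same for `lastmod`. `gmtime($lastmod)` also assumes a numeric epoch; a non-numeric string prints as 1970-01-01 with only a warning, so guarding the print with `Scalar::Util::looks_like_number($lastmod)` and reporting the raw data otherwise keeps bad data visible to the examiner.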


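--- /dev/null
+++ b/haven_and_hearth.pl
+#-----------------------------------------------------------
+# haven_and_hearth.pl
+# Extracts the username and savedtoken for Haven & Hearth
+#
+# Change history
+# 20110830 [fpi] + banner, no change to the version number
+#
+# References
+# Haven & Hearth Homepage
+# http://www.havenandhearth.com/
+#
+# Copyright (c) 2011-02-04 Brendan Coles <bcoles@gmail.com>
+#-----------------------------------------------------------
+# Require #
+package haven_and_hearth;
+use strict;
+# Declarations #
+my %config = (hive => "NTUSER\.DAT",
+hasShortDescr => 1,
+hasDescr => 0,
+hasRefs => 1,
+osmask => 22,
+version => 20110204);
+my $VERSION = getVersion();
+# Functions #
+sub getDescr {}
+sub getConfig {return %config}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+sub getShortDescr {
+return "Extracts the username and savedtoken for Haven & Hearth.";
+}
+sub getRefs {
+my %refs = ("Haven & Hearth Homepage:" =>
+"http://www.havenandhearth.com/");
+return %refs;
+}
+############################################################
+# pluginmain #
+############################################################
+sub pluginmain {
+# Declarations #
+my $class = shift;
+my $hive = shift;
+my @interesting_keys = (
+"username",
+"password",
+"savedtoken"
+);
+# Initialize #
+::logMsg("Launching haven_and_hearth v.".$VERSION);
+::rptMsg("haven_and_hearth v.".$VERSION); # 20110830 [fpi] + banner
+::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
+my $reg = Parse::Win32Registry->new($hive);
+my $root_key = $reg->get_root_key;
+my $key;
+my $key_path = "Software\\JavaSoft\\Prefs\\haven";
+# If # Haven & Hearth path exists #
+if ($key = $root_key->get_subkey($key_path)) {
+# Return # plugin name, registry key and last modified date #
+::rptMsg("Haven & Hearth");
+::rptMsg($key_path);
+::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+::rptMsg("");
+# Extract # all keys from Haven & Hearth registry path #
+my %keys;
+my @vals = $key->get_list_of_values();
+# If # registry keys exist in path #
+if (scalar(@vals) > 0) {
+# Extract # all key names+values for Haven & Hearth registry path #
+foreach my $v (@vals) {
+$keys{$v->get_name()} = $v->get_data();
+}
+# Return # all key names+values for interesting keys #
+foreach my $var (@interesting_keys) {
+if (exists $keys{$var}) {
+::rptMsg($var." -> ".$keys{$var});
+}
+}
+# Error # key value is null #
+} else {
+::rptMsg($key_path." has no values.");
+}
+# Error # Haven & Hearth isn't here, try another castle #
+} else {
+::rptMsg($key_path." not found.");
+::logMsg($key_path." not found.");
+}
+# Return # obligatory new-line #
+::rptMsg("");
+}
+# Error # oh snap! #
+1;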
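Review bot: `@interesting_keys` lists `password` and `savedtoken`, and the `::rptMsg($var." -> ".$keys{$var});` loop writes their values verbatim, so every report this plugin produces carries a cleartext credential and session token; the header comment only mentions "username and savedtoken" and should state this, e.g. `# NOTE: output includes the stored password/token in cleartext; treat the report as sensitive.`. The header's one-line description and getShortDescr also omit `password`, so they understate what is extracted. As a point of style, `# Error # oh snap! #` above the final `1;` labels the module's mandatory true return value as an error path and should be dropped or reworded, and `$VERSION` is assigned from `getVersion()` before the sub's textual definition, which works for a named sub but reads oddly next to the other plugins that define the subs first.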
