mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-17 18:17:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge https://github.com/sleuthkit/autopsy

Browse Source
This commit is contained in:
Jeff Wallace 2013-07-16 15:21:18 -04:00
commit f3515efaa5
358 changed files with 34321 additions and 18308 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
Core/src/org/sleuthkit/autopsy/casemodule/Case.java
View File

@ -194,9 +194,9 @@ public class Case {
}
/**
* Creates a new case (create the XML config file and the directory)
* Creates a new case (create the XML config file and database)
*
* @param caseDir the base directory where the configuration file is saved
* @param caseDir The directory to store case data in. Will be created if it doesn't already exist. If it exists, it should have all of the needed sub dirs that createCaseDirectory() will create.
* @param caseName the name of case
* @param caseNumber the case number
* @param examiner the examiner for this case
@ -204,6 +204,11 @@ public class Case {
public static void create(String caseDir, String caseName, String caseNumber, String examiner) throws CaseActionException {
logger.log(Level.INFO, "Creating new case.\ncaseDir: {0}\ncaseName: {1}", new Object[]{caseDir, caseName});
// create case directory if it doesn't already exist.
if (new File(caseDir).exists() == false) {
Case.createCaseDirectory(caseDir);
}
String configFilePath = caseDir + File.separator + caseName + CASE_DOT_EXTENSION;
XMLCaseManagement xmlcm = new XMLCaseManagement();
@ -775,12 +780,22 @@ public class Case {
/**
* to create the case directory
*
* @param caseDir the case directory path
* @param caseName the case name
* @param caseDir Path to the case directory (typically base + case name)
* @param caseName the case name (used only for error messages)
* @throws CaseActionException throw if could not create the case dir
* @Deprecated
*/
static void createCaseDirectory(String caseDir, String caseName) throws CaseActionException {
boolean result = false;
createCaseDirectory(caseDir);
}
/**
* Create the case directory and its needed subfolders.
*
* @param caseDir Path to the case directory (typically base + case name)
* @throws CaseActionException throw if could not create the case dir
*/
static void createCaseDirectory(String caseDir) throws CaseActionException {
File caseDirF = new File(caseDir);
if (caseDirF.exists()) {
@ -792,7 +807,7 @@ public class Case {
}
try {
result = (caseDirF).mkdirs(); // create root case Directory
boolean result = (caseDirF).mkdirs(); // create root case Directory
if (result == false) {
throw new CaseActionException("Cannot create case dir: " + caseDir);
}
@ -804,17 +819,17 @@ public class Case {
&& (new File(caseDir + File.separator + XMLCaseManagement.CACHE_FOLDER_RELPATH)).mkdir();
if (result == false) {
throw new CaseActionException("Could not create case directory: " + caseDir + " for case: " + caseName);
throw new CaseActionException("Could not create case directory: " + caseDir );
}
final String modulesOutDir = caseDir + File.separator + getModulesOutputDirRelPath();
result = new File(modulesOutDir).mkdir();
if (result == false) {
throw new CaseActionException("Could not create modules output directory: " + modulesOutDir + " for case: " + caseName);
throw new CaseActionException("Could not create modules output directory: " + modulesOutDir );
}
} catch (Exception e) {
throw new CaseActionException("Could not create case directory: " + caseDir + " for case: " + caseName, e);
throw new CaseActionException("Could not create case directory: " + caseDir , e);
}
}

8
Core/src/org/sleuthkit/autopsy/casemodule/NewCaseWizardPanel1.java
View File

@ -228,7 +228,7 @@ class NewCaseWizardPanel1 implements WizardDescriptor.ValidatingPanel<WizardDesc
if (res2 != null && res2 == DialogDescriptor.YES_OPTION) {
// if user say yes
try {
createDirectory(caseDirPath, caseName);
createDirectory(caseDirPath);
} catch (Exception ex) {
String errorMsg = "Error: Couldn't create case parent directory " + caseParentDir;
logger.log(Level.WARNING, errorMsg, ex);
@ -241,7 +241,7 @@ class NewCaseWizardPanel1 implements WizardDescriptor.ValidatingPanel<WizardDesc
}
} else {
try {
createDirectory(caseDirPath, caseName);
createDirectory(caseDirPath);
} catch (Exception ex) {
String errorMsg = "Error: Couldn't create directory.";
logger.log(Level.WARNING, errorMsg, ex);
@ -264,11 +264,11 @@ class NewCaseWizardPanel1 implements WizardDescriptor.ValidatingPanel<WizardDesc
/*
* create the directory and create a new case
*/
private void createDirectory(final String caseDirPath, final String caseName) throws WizardValidationException {
private void createDirectory(final String caseDirPath) throws WizardValidationException {
// try to create the directory with the case name in the choosen parent directory
boolean success = false;
try {
Case.createCaseDirectory(caseDirPath, caseName);
Case.createCaseDirectory(caseDirPath);
success = true;
} catch (CaseActionException ex) {
logger.log(Level.SEVERE, "Could not createDirectory for the case, ", ex);

9
Core/src/org/sleuthkit/autopsy/corecomponents/DataContentViewerArtifact.java
View File

@ -348,6 +348,11 @@ public class DataContentViewerArtifact extends javax.swing.JPanel implements Dat
outputViewPane.setContentType("text/html");
}
/**
* Display a single artifact from a list.
* @param artifacts List of artifacts that could be displayed
* @param offset Index into the list for the artifact to display
*/
private void setDataView(List<BlackboardArtifact> artifacts, int offset) {
// change the cursor to "waiting cursor" for this operation
this.setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR));
@ -377,6 +382,10 @@ public class DataContentViewerArtifact extends javax.swing.JPanel implements Dat
this.setCursor(null);
}
/**
* Set the displayed artifact to the specified one.
* @param artifact Artifact to display
*/
private void setSelectedArtifact(BlackboardArtifact artifact) {
if(artifacts.contains(artifact)) {
int index = artifacts.indexOf(artifact);

38
Core/src/org/sleuthkit/autopsy/datamodel/ArtifactStringContent.java
View File

@ -1,7 +1,7 @@
/*
* Autopsy Forensic Browser
*
* Copyright 2011 Basis Technology Corp.
* Copyright 2011-2013 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -33,8 +33,7 @@ import org.sleuthkit.datamodel.TskException;
/**
* StringContent object for a blackboard artifact, that can be looked up and used
* to display text for the DataContent viewers
* @author alawrence
* to display text for the DataContent viewers. Displays values in artifact in HTML.
*/
public class ArtifactStringContent implements StringContent {
@ -54,21 +53,32 @@ public class ArtifactStringContent implements StringContent {
buffer.append("<head>");
buffer.append("<style type='text/css'>");
buffer.append("table {table-layout:fixed;}");
buffer.append("td {font-family:Arial;font-size:10pt;overflow:hidden;padding-right:5px;padding-left:5px;}");
buffer.append("th {font-family:Arial;font-size:10pt;overflow:hidden;padding-right:5px;padding-left:5px;font-weight:bold;}");
buffer.append("p {font-family:Arial;font-size:10pt;}");
buffer.append("td {font-family:Arial;font-size:12pt;overflow:hidden;padding-right:5px;padding-left:5px;}");
buffer.append("th {font-family:Arial;font-size:12pt;overflow:hidden;padding-right:5px;padding-left:5px;font-weight:bold;}");
buffer.append("p {font-family:Arial;font-size:12pt;}");
buffer.append("</style>");
buffer.append("<meta http-equiv=\"Content-Type\" content=\"text/html); charset=utf-8\">");
buffer.append("</head>");
// artifact name header
buffer.append("<h4>");
buffer.append(wrapped.getDisplayName());
buffer.append("</h4>");
// start table for attributes
buffer.append("<table border='0'>");
buffer.append("<tr>");
buffer.append("</tr>");
// cycle through each attribute and display in a row in the table.
for (BlackboardAttribute attr : wrapped.getAttributes()) {
// name column
buffer.append("<tr><td>");
buffer.append(attr.getAttributeTypeDisplayName());
buffer.append("</td>");
// value column
buffer.append("<td>");
if (attr.getAttributeTypeID() == ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID()
|| attr.getAttributeTypeID() == ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID()) {
@ -82,7 +92,12 @@ public class ArtifactStringContent implements StringContent {
} else {
switch (attr.getValueType()) {
case STRING:
buffer.append(attr.getValueString());
String str = attr.getValueString();
str = str.replaceAll(" ", "&nbsp;");
str = str.replaceAll("<", "&lt;");
str = str.replaceAll(">", "&gt;");
str = str.replaceAll("(\r\n|\n)", "<br />");
buffer.append(str);
break;
case INTEGER:
buffer.append(attr.getValueInt());
@ -113,16 +128,11 @@ public class ArtifactStringContent implements StringContent {
try {
path = content.getUniquePath();
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Except while calling Content.getUniquePath() on " + content);
logger.log(Level.SEVERE, "Exception while calling Content.getUniquePath() on {0} : {1}", new Object[]{content, ex.getLocalizedMessage()});
}
//add file path
buffer.append("<tr>");
buffer.append("<td>Source File</td>");
buffer.append("<td>");
buffer.append(content.getName());
buffer.append("</td>");
buffer.append("</tr>");
buffer.append("<tr>");
buffer.append("<td>Source File Path</td>");
buffer.append("<td>");

60
RecentActivity/release/rr-full/faq Executable file
View File

@ -0,0 +1,60 @@
RegRipper FAQ
This is the FAQ for the RegRipper.
1. What is the RegRipper?
I should start by saying what the RegRipper is *not*...it's not
a Registry Viewer. An examiner would not open a Registry hive file
in RegRipper to "look around".
Further, RegRipper is NOT intended for use with live hive files. Hive
files need to be extracted from a case (or from a live system using FTK
Imager...), or accessible via a tool such as Mount Image Pro.
RegRipper is a Windows Registry data extractor. RegRipper uses plugins
(similar to Nessus) to access specific Registry hive files in order to
access and extract specific keys, values, and data, and does so by
bypassing the Win32API.
2. How does RegRipper work?
RegRipper uses James McFarlane's Parse::Win32Registry module to access
a Windows Registry hive file in an object-oriented manner, bypassing the
Win32API. This module is used to locate and access Registry key nodes
within the hive file, as well as value nodes and their data. When
accessing a key node, the LastWrite time is retrieved, parsed and
translated into something the examiner can understand. Data is retrieved
in much the same manner...if necessary, the plugin that retrieves the
data will also perform translation of that data into something readable.
3. Who wrote and maintains RegRipper?
I did/do. If you have any questions, concerns, comments, or suggestions
regarding how RegRipper works, please feel free to contact me.
4. Who should/can use RegRipper?
Anyone who wants to perform Windows Registry hive file analysis. This tool
is specifically intended for Windows 2000, XP, and 2003 hive files (there
has been limited testing on Vista/Win2K8 hive files...everything has worked
fine so far...).
5. How do I use RegRipper?
Simply launch rr.exe. Also, please be sure to read the RegRipper documentation.
6. Do I have to install anything to use the RegRipper?
Nope, not a thing. RegRipper ships as an EXE file, able to run on Windows
systems. All you need to do is extract the EXE and DLL in the same directory.
The source file (rr.pl) is also included, as are the plugins.
Further, RegRipper doesn't make any changes to your analysis system...no
Registry entries are made, nor are any files installed in odd, out-of-the-way
locations.
Links
Module - http://search.cpan.org/~jmacfarla/Parse-Win32Registry/lib/
Parse/Win32Registry.pm
Email - H. Carvey - keydet89@yahoo.com
RegRipper and rip.exe are released under the GPL license. Please see license.txt
for details.
RegRipper and rip.exe are copyrighted to H. Carvey.

12
RecentActivity/release/rr-full/license.txt Executable file
View File

@ -0,0 +1,12 @@
This software is released AS-IS, with no statements or guarantees as to
its effectiveness or stability. While it shouldn't cause any problems
whatsoever with your system, there's always the chance that someone may find
a way to blame a system crash or loss of data on software like this...you've
been warned!
This software is released under the GNU Public License -
http://www.gnu.org/copyleft/gpl.html
Specifically, GPL v3.0: http://www.gnu.org/licenses/quick-guide-gplv3.html
Questions, comments, etc., can be sent to keydet89 at yahoo dot com.

BIN
RecentActivity/release/rr-full/p2x5124.dll Executable file
View File

Binary file not shown.

BIN
RecentActivity/release/rr-full/pb.exe Executable file
View File

Binary file not shown.

314
RecentActivity/release/rr-full/pb.pl Executable file
View File

@ -0,0 +1,314 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# Plugins Browser - browse plugins, create plugins files, edit
# current files
#
#
# Change History
# 20100122 - Updated to include opening a plugins file
# 20091207 - Created
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
use strict;
use Win32::GUI();
use Win32::GUI::Constants qw(CW_USEDEFAULT);
use Encode;
my $plugindir;
my $mw = Win32::GUI::Window->new(
-title => "Plugin Browser",
-left => CW_USEDEFAULT,
-size => [560,440],
-maxsize => [560,440],
-dialogui => 1,
);
my $icon = new Win32::GUI::Icon('QAR.ICO');
$mw->SetIcon($icon);
$mw->AddLabel(
-text => "",
-name => "biglabel1",
-pos => [10,10],
-size => [530,40],
-sunken => 1
);
$mw->AddLabel(
-text => "Plugin Dir: ",
-pos => [20,23],
);
my $plugindirtext = $mw->AddTextfield(
-name => "plugindir",
-tabstop => 1,
-left => 100,
-top => 18,
-width => 300,
-height => 25,
-tabstop => 1,
-foreground => "#000000",
-background => "#FFFFFF"
);
my $browse = $mw->AddButton(
-name => 'browse',
-text => 'Browse',
-size => [50,25],
-pos => [450,18],
);
my $datatab = $mw->AddTabStrip(
-pos => [10,60],
-size => [530,280],
-name => "datatab"
);
$datatab->InsertItem(-text => "Browse");
$datatab->InsertItem(-text => "Plugin File");
my $lb1 = $mw->AddListbox(
-name => 'LB1',
-pos => [20,100],
-size => [180,240],
-multisel => 2,
-vscroll => 1
);
my $gb1 = $mw->AddGroupbox(
-name => 'GB',
-title => 'Plugin Info',
-pos => [260,100],
-size => [260,220],
);
my $gblbl = $mw->AddLabel(
-name => 'LBL',
-left => $mw->GB->Left()+10,
-top => $mw->GB->Top()+20,
-width => $mw->GB->ScaleWidth()-20,
-height => $mw->GB->ScaleHeight()-40,
);
# The following elements go on the "Plugin File" tab and
# are initially hidden
my $lb2 = $mw->AddListbox(
-name => 'LB2',
-pos => [320,100],
-size => [200,240],
-vscroll => 1,
-multisel => 2
# -onSelChange => \&newSelection,
);
$lb2->Hide();
my $add = $mw->AddButton(
-name => 'Add',
-text => '>>',
-tip => "Add Plugin",
-size => [50,25],
-pos => [230,130],
);
$add->Hide();
my $remove = $mw->AddButton(
-name => 'Remove',
-text => '<<',
-tip => "Remove Plugin",
-size => [50,25],
-pos => [230,180],
);
$remove->Hide();
my $open = $mw->AddButton(
-name => 'Open',
-tip => "Open Plugin File",
-text => 'Open',
-size => [50,25],
-pos => [230,230],
);
$open->Hide();
my $save = $mw->AddButton(
-name => 'Save',
-tip => "Save Plugin File",
-text => 'Save',
-size => [50,25],
-pos => [230,280],
);
$save->Hide();
$mw->AddButton(
-name => 'BT',
-text => 'Exit',
-size => [50,25],
-pos => [450,350],
-onClick => sub{-1;},
);
my $status = new Win32::GUI::StatusBar($mw,
-text => "copyright 2010 Quantum Analytics Research, LLC",
);
$mw->Show();
Win32::GUI::Dialog();
$mw->Hide();
exit(0);
sub datatab_Click {
if ($datatab->SelectedItem == 0) {
$lb2->Hide();
$add->Hide();
$remove->Hide();
$open->Hide();
$save->Hide();
$gb1->Show();
$gblbl->Show();
}
if ($datatab->SelectedItem == 1) {
$lb2->Show();
$add->Show();
$remove->Show();
$open->Show();
$save->Show();
$gb1->Hide();
$gblbl->Hide();
}
}
sub browse_Click {
$plugindir = Win32::GUI::BrowseForFolder(
-title => "Report Dir",
-root => 0x0011,
-folderonly => 1,
-includefiles => 0,
);
$plugindir = $plugindir."\\" unless $plugindir =~ m/\\$/;
$plugindirtext->Text("");
$plugindirtext->Text($plugindir);
$mw->LB1->ResetContent();
my @plugins;
opendir(DIR,$plugindir);
push(@plugins, grep(/\.pl$/,readdir(DIR)));
closedir(DIR);
$mw->LB1->Add(sort @plugins);
0;
}
sub LB1_SelChange {
if ($datatab->SelectedItem == 0) {
\&newSelection();
}
}
sub newSelection {
my $lb = shift;
# Set the label text to reflect the change
my $item = $lb1->GetCurSel();
my $text = $lb1->GetText($item);
$lb1->GetParent()->LBL->Text(get_plugin_info($text));
return 1;
}
sub get_plugin_info {
my $name = shift;
require $plugindir."\\".$name;
$name =~ s/\.pl$//;
my $text = "Plugin Name: ".$name."\r\n";
eval {
$text .= "Version: ".$name->getVersion."\r\n";
};
eval {
$text .= "Hive : ".$name->getHive."\r\n\r\n";
};
eval {
$text .= "Descr : \r\n";
$text .= $name->getShortDescr."\r\n";
};
return $text;
}
sub Add_Click {
my @list = $lb1->SelectedItems();
foreach my $i (sort {$a <=> $b} @list) {
my $str = $lb1->GetString($i);
$str =~ s/\.pl$//;
$lb2->InsertString($str);
}
}
#-----------------------------------------------------------
# Note regarding use of DeleteString(); if starting from index
# 0 and increasing, the index changes so that after the first
# index item is deleted, the second index item is reset. To
# avoid this issue, reverse the order of the indexes.
#-----------------------------------------------------------
sub Remove_Click {
my @list = $lb2->SelectedItems();
foreach my $i (reverse @list) {
$lb2->DeleteString($i);
}
}
sub Save_Click {
my $file = Win32::GUI::GetSaveFileName(
-owner => $mw,
-title => "Save Plugin File",
-explorer => 1,
-directory => $plugindir,
-filter => ['All files' => '*.*']
);
if ($file) {
$file =~ s/\.\w+$//;
}
elsif (Win32::GUI::CommDlgExtendedError()) {
$mw->MessageBox ("ERROR : ".Win32::GUI::CommDlgExtendedError(),
"GetSaveFileName Error");
}
open(FH,">",$file);
print FH "# Plugin file created via Plugin Browser\n";
print FH "# Date: ".localtime(time)."\n";
print FH "# User: ".$ENV{USERNAME}."\n";
print FH "#\n";
print FH "\n";
my $count = $lb2->GetCount();
foreach my $i (0..$count - 1) {
my $str = $lb2->GetString($i);
print FH $str."\n";
}
close(FH);
$lb2->ResetContent();
0;
}
sub Open_Click {
my $file = Win32::GUI::GetOpenFileName(
-owner => $mw,
-title => "Open Plugin File",
-explorer => 1,
-directory => $plugindir,
-filter => ['All files' => '*.*']
);
if ($file) {
open(FH,"<",$file);
while(<FH>) {
chomp;
$lb2->InsertString($_);
}
close(FH);
}
elsif (Win32::GUI::CommDlgExtendedError()) {
$mw->MessageBox ("ERROR : ".Win32::GUI::CommDlgExtendedError(),
"GetSaveFileName Error");
}
}

2
thirdparty/rr/plugins/acmru.pl → RecentActivity/release/rr-full/plugins/acmru.pl Normal file → Executable file
View File

@ -36,6 +36,8 @@ sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching acmru v.".$VERSION);
::rptMsg("acmru v.".$VERSION); # banner
::rptMsg("- ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;

7
thirdparty/rr/plugins/adoberdr.pl → RecentActivity/release/rr-full/plugins/adoberdr.pl Normal file → Executable file
View File

@ -4,6 +4,7 @@
# Parse Adobe Reader MRU keys
#
# Change history
# 20120716 - added version 10.0 to @versions
# 20100218 - added checks for versions 4.0, 5.0, 9.0
# 20091125 - modified output to make a bit more clear
#
@ -22,7 +23,7 @@ my %config = (hive => "NTUSER\.DAT",
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100218);
version => 20120716);
sub getConfig{return %config}
sub getShortDescr {
@ -39,13 +40,15 @@ sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching adoberdr v.".$VERSION);
::rptMsg("adoberdr v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
::rptMsg("Adoberdr v.".$VERSION);
# First, let's find out which version of Adobe Acrobat Reader is installed
my $version;
my $tag = 0;
my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0");
my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0","10\.0");
foreach my $ver (@versions) {
my $key_path = "Software\\Adobe\\Acrobat Reader\\".$ver."\\AVGeneral\\cRecentFiles";
if (defined($root_key->get_subkey($key_path))) {

2
thirdparty/rr/plugins/aim.pl → RecentActivity/release/rr-full/plugins/aim.pl Normal file → Executable file
View File

@ -28,6 +28,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching aim plugin v.".$VERSION);
::rptMsg("aim v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users';

4
RecentActivity/release/rr-full/plugins/all Executable file
View File

@ -0,0 +1,4 @@
# 20120528 *ALL* Plugins that apply on any HIVES, alphabetical order
baseline
findexes
regtime

104
RecentActivity/release/rr-full/plugins/aports.pl Executable file
View File

@ -0,0 +1,104 @@
#-----------------------------------------------------------
# aports.pl
# Extracts the install path for SmartLine Inc. Active Ports.
#
# Change history
# 20110830 [fpi] + banner, no change to the version number
#
# References
#
# Copyright (c) 2011-02-04 Brendan Coles <bcoles@gmail.com>
#-----------------------------------------------------------
# Require #
package aports;
use strict;
# Declarations #
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20110204);
my $VERSION = getVersion();
# Functions #
sub getDescr {}
sub getConfig {return %config}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
sub getShortDescr {
return "Extracts the install path for SmartLine Inc. Active Ports.";
}
sub getRefs {
my %refs = ("SmartLine Inc. Active Ports Homepage:" =>
"http://www.ntutility.com");
return %refs;
}
############################################################
# pluginmain #
############################################################
sub pluginmain {
# Declarations #
my $class = shift;
my $hive = shift;
my @interesting_keys = (
"InstallPath"
);
# Initialize #
::logMsg("Launching aports v.".$VERSION);
::rptMsg("aports v.".$VERSION); # 20110830 [fpi] + banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key;
my $key_path = "Software\\SmartLine Vision\\aports";
# If # Active Ports path exists #
if ($key = $root_key->get_subkey($key_path)) {
# Return # plugin name, registry key and last modified date #
::rptMsg("Active Ports");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# Extract # all keys from Active Ports registry path #
my %keys;
my @vals = $key->get_list_of_values();
# If # registry keys exist in path #
if (scalar(@vals) > 0) {
# Extract # all key names+values for Active Ports registry path #
foreach my $v (@vals) {
$keys{$v->get_name()} = $v->get_data();
}
# Return # all key names+values for interesting keys #
foreach my $var (@interesting_keys) {
if (exists $keys{$var}) {
::rptMsg($var." -> ".$keys{$var});
}
}
# Error # key value is null #
} else {
::rptMsg($key_path." has no values.");
}
# Error # Active Ports isn't here, try another castle #
} else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
# Return # obligatory new-line #
::rptMsg("");
}
# Error # oh snap! #
1;

83
RecentActivity/release/rr-full/plugins/appcertdlls.pl Executable file
View File

@ -0,0 +1,83 @@
#-----------------------------------------------------------
# appcertdlls.pl
#
# History:
# 20120912 - created
#
# References:
# Blog post: https://blog.mandiant.com/archives/2459
# Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf
# Tool: https://github.com/mandiant/ShimCacheParser
#
# This plugin is based solely on the work and examples provided by Mandiant;
# thanks to them for sharing this information, and making the plugin possible.
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appcertdlls;
use strict;
my %config = (hive => "System",
hivemask => 4,
output => "report",
category => "malware",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 31, #XP - Win7
version => 20120817);
sub getConfig{return %config}
sub getShortDescr {
return "Get entries from AppCertDlls key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %files;
my @temps;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching appcertdlls v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my ($current,$ccs);
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $appcert_path = $ccs."\\Control\\Session Manager\\AppCertDlls";
my $appcert;
if ($appcert = $root_key->get_subkey($appcert_path)) {
my @vals = $appcert->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
my $data = $v->get_data();
::rptMsg($name." - ".$data);
}
}
else {
::rptMsg($appcert_path."has no values.");
}
}
else {
::rptMsg($appcert_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

315
RecentActivity/release/rr-full/plugins/appcompatcache.pl Executable file
View File

@ -0,0 +1,315 @@
#-----------------------------------------------------------
# appcompatcache.pl
#
# History:
# 20130425 - added alertMsg() functionality
# 20120817 - updated to address issue with residual data in XP data blocks
# 20120722 - updated the %config hash
# 20120523 - updated to send all files to a single hash, and check for temp paths
# 20120515 - Updated to support 64-bit Win2003 and Vista/Win2008
# 20120424 - Modified/updated
# 20120418 - created
#
# References:
# Blog post: https://blog.mandiant.com/archives/2459
# Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf
# Tool: https://github.com/mandiant/ShimCacheParser
#
# This plugin is based solely on the work and examples provided by Mandiant;
# thanks to them for sharing this information, and making the plugin possible.
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appcompatcache;
use strict;
my %config = (hive => "System",
hivemask => 4,
output => "report",
category => "Program Execution",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 31, #XP - Win7
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Parse files from System hive Shim Cache";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %files;
my @temps;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching appcompatcache v.".$VERSION);
::rptMsg("appcompatcache v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my ($current,$ccs);
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $appcompat_path = $ccs."\\Control\\Session Manager";
my $appcompat;
if ($appcompat = $root_key->get_subkey($appcompat_path)) {
my $app_data;
eval {
$app_data = $appcompat->get_subkey("AppCompatibility")->get_value("AppCompatCache")->get_data();
};
eval {
$app_data = $appcompat->get_subkey("AppCompatCache")->get_value("AppCompatCache")->get_data();
};
# ::rptMsg("Length of data: ".length($app_data));
my $sig = unpack("V",substr($app_data,0,4));
::rptMsg(sprintf "Signature: 0x%x",$sig);
if ($sig == 0xdeadbeef) {
eval {
appXP32Bit($app_data);
};
}
elsif ($sig == 0xbadc0ffe) {
eval {
appWin2k3($app_data);
};
}
elsif ($sig == 0xbadc0fee) {
eval {
appWin7($app_data);
};
}
else {
::rptMsg("Unknown signature");
}
# this is where we print out the files
foreach my $f (keys %files) {
::rptMsg($f);
push(@temps,$f) if (grep(/[Tt]emp/,$f));
::rptMsg("ModTime: ".gmtime($files{$f}{modtime})." Z");
::rptMsg("UpdTime: ".gmtime($files{$f}{updtime})." Z") if (exists $files{$f}{updtime});
::rptMsg("Size : ".$files{$f}{size}." bytes") if (exists $files{$f}{size});
::rptMsg("Executed") if (exists $files{$f}{executed});
::rptMsg("");
}
if (scalar(@temps) > 0) {
foreach (@temps) {
::alertMsg("ALERT: appcompatcache: Temp path found: ".$_);
}
}
}
else {
::rptMsg($appcompat_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
#-----------------------------------------------------------
# appXP32Bit()
# parse 32-bit XP data
#-----------------------------------------------------------
sub appXP32Bit {
my $data = shift;
::rptMsg("WinXP, 32-bit");
# header is 400 bytes; each structure is 552 bytes in size
my $num_entries = unpack("V",substr($data,4,4));
foreach my $i (0..($num_entries - 1)) {
my $x = substr($data,(400 + ($i * 552)),552);
my $file = (split(/\00\00/,substr($x,0,488)))[0];
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my ($mod1,$mod2) = unpack("VV",substr($x,528,8));
my $modtime = ::getTime($mod1,$mod2);
my ($sz1,$sz2) = unpack("VV",substr($x,536,8));
my $sz;
($sz2 == 0)?($sz = $sz1):($sz = "Too big");
my ($up1,$up2) = unpack("VV",substr($x,544,8));
my $updtime = ::getTime($up1,$up2);
$files{$file}{size} = $sz;
$files{$file}{modtime} = $modtime;
$files{$file}{updtime} = $updtime;
}
}
#-----------------------------------------------------------
# appWin2k3()
# parse Win2k3, Vista, Win2k8 data
#-----------------------------------------------------------
sub appWin2k3 {
my $data = shift;
my $num_entries = unpack("V",substr($data,4,4));
# ::rptMsg("Num_entries: ".$num_entries);
my $struct_sz = 0;
my ($len,$max_len,$padding) = unpack("vvV",substr($data,8,8));
if (($max_len - $len) == 2) {
# if $padding == 0, 64-bit; otherwise, 32-bit
if ($padding == 0) {
$struct_sz = 32;
::rptMsg("Win2K3/Vista/Win2K8, 64-bit");
}
else {
$struct_sz = 24;
::rptMsg("Win2K3/Vista/Win2K8, 32-bit");
}
}
foreach my $i (0..($num_entries - 1)) {
my $struct = substr($data,(8 + ($struct_sz * $i)),$struct_sz);
if ($struct_sz == 24) {
my ($len,$max_len,$ofs,$t0,$t1,$f0,$f1) = unpack("vvVVVVV",$struct);
my $file = substr($data,$ofs,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastMod: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2));
# ::rptMsg("");
$files{$file}{modtime} = $t;
# $files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
}
elsif ($struct_sz == 32) {
my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvVVVVVVV",$struct);
my $file = substr($data,$ofs0,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastMod: ".gmtime($t)." Z");
# ::rptMsg(" Size : ".$f0) if (($f1 == 0) && ($f0 > 3));
# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2));
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
}
else {
}
}
}
#-----------------------------------------------------------
# appWin7()
# parse Win2k8R2, Win7 data
#-----------------------------------------------------------
sub appWin7 {
my $data = shift;
my $struct_sz = 0;
my $num_entries = unpack("V",substr($data,4,4));
# ::rptMsg("Num_entries: ".$num_entries);
# 128-byte header
my ($len,$max_len,$padding) = unpack("vvV",substr($data,128,8));
if (($max_len - $len) == 2) {
if ($padding == 0) {
$struct_sz = 48;
::rptMsg("Win2K8R2/Win7, 64-bit");
}
else {
$struct_sz = 32;
::rptMsg("Win2K8R2/Win7, 32-bit");
}
}
foreach my $i (0..($num_entries - 1)) {
my $struct = substr($data,(128 + ($struct_sz * $i)),$struct_sz);
if ($struct_sz == 32) {
my ($len,$max_len,$ofs,$t0,$t1,$f0,$f1) = unpack("vvV5x8",$struct);
my $file = substr($data,$ofs,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastModTime: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if ($f0 & 0x2);
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if ($f0 & 0x2);
}
else {
my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvV7x16",$struct);
my $file = substr($data,$ofs0,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastModTime: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if ($f0 & 0x2);
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if ($f0 & 0x2);
}
}
}
#-----------------------------------------------------------
# printData()
# subroutine used primarily for debugging; takes an arbitrary
# length of binary data, prints it out in hex editor-style
# format for easy debugging
#-----------------------------------------------------------
sub printData {
my $data = shift;
my $len = length($data);
my $tag = 1;
my $cnt = 0;
my $loop = $len/16;
$loop++ if ($len%16);
foreach my $cnt (0..($loop - 1)) {
# while ($tag) {
my $left = $len - ($cnt * 16);
my $n;
($left < 16) ? ($n = $left) : ($n = 16);
my $seg = substr($data,$cnt * 16,$n);
my @str1 = split(//,unpack("H*",$seg));
my @s3;
my $str = "";
foreach my $i (0..($n - 1)) {
$s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) {
$str .= chr(hex($s3[$i]));
}
else {
$str .= "\.";
}
}
my $h = join(' ',@s3);
::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h);
}
}
1;

275
RecentActivity/release/rr-full/plugins/appcompatcache_tln.pl Executable file
View File

@ -0,0 +1,275 @@
#-----------------------------------------------------------
# appcompatcache_tln.pl
#
# History:
# 20130425 - added alertMsg() functionality
# 20120817 - updated to address extra data in XP data blocks
# 20120722 - updated %config hash
# 20120523 - created; updated from appcompatcache.pl
# 20120523 - updated to send all files to a single hash, and check for temp paths
# 20120515 - Updated to support 64-bit Win2003 and Vista/Win2008
# 20120424 - Modified/updated
# 20120418 - created
#
# References:
# Blog post: https://blog.mandiant.com/archives/2459
# Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf
# Tool: https://github.com/mandiant/ShimCacheParser
#
# This plugin is based solely on the work and examples provided by Mandiant;
# thanks to them for sharing this information, and making the plugin possible.
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appcompatcache_tln;
use strict;
my %config = (hive => "System",
hivemask => 4,
output => "tln",
category => "Program Execution",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 31, #XP - Win7
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Parse files from System hive Shim Cache";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %files;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching appcompatcache_tln v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my ($current,$ccs);
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $appcompat_path = $ccs."\\Control\\Session Manager";
my $appcompat;
if ($appcompat = $root_key->get_subkey($appcompat_path)) {
my $app_data;
eval {
$app_data = $appcompat->get_subkey("AppCompatibility")->get_value("AppCompatCache")->get_data();
};
eval {
$app_data = $appcompat->get_subkey("AppCompatCache")->get_value("AppCompatCache")->get_data();
};
# ::rptMsg("Length of data: ".length($app_data));
my $sig = unpack("V",substr($app_data,0,4));
# ::rptMsg(sprintf "Signature: 0x%x",$sig);
if ($sig == 0xdeadbeef) {
eval {
appXP32Bit($app_data);
};
}
elsif ($sig == 0xbadc0ffe) {
eval {
appWin2k3($app_data);
};
}
elsif ($sig == 0xbadc0fee) {
eval {
appWin7($app_data);
};
}
else {
::rptMsg("Unknown signature");
}
# this is where we print out the files
foreach my $f (keys %files) {
my $str;
if (exists $files{$f}{executed}) {
$str = "M... [Program Execution] AppCompatCache - ".$f;
}
else {
$str = "M... AppCompatCache - ".$f;
}
$str .= " [Size = ".$files{$f}{size}."] bytes" if (exists $files{$f}{size});
# $str .= " [Executed]" if (exists $files{$f}{executed});
::rptMsg($files{$f}{modtime}."|REG|||".$str);
# alert added 20130425
if (grep(/[Tt]emp/,$f) {
::alertMsg($files{$f}{modtime}."|ALERT|||\"Temp\" found in path - ".$str);
}
}
}
else {
::rptMsg($appcompat_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
#-----------------------------------------------------------
# appXP32Bit()
# parse 32-bit XP data
#-----------------------------------------------------------
sub appXP32Bit {
my $data = shift;
::rptMsg("WinXP, 32-bit");
# header is 400 bytes; each structure is 552 bytes in size
my $num_entries = unpack("V",substr($data,4,4));
foreach my $i (0..($num_entries - 1)) {
my $x = substr($data,(400 + ($i * 552)),552);
my $file = (split(/\00\00/,substr($x,0,488)))[0];
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my ($mod1,$mod2) = unpack("VV",substr($x,528,8));
my $modtime = ::getTime($mod1,$mod2);
my ($sz1,$sz2) = unpack("VV",substr($x,536,8));
my $sz;
($sz2 == 0)?($sz = $sz1):($sz = "Too big");
my ($up1,$up2) = unpack("VV",substr($x,544,8));
my $updtime = ::getTime($up1,$up2);
# ::rptMsg($file);
# ::rptMsg("Size : ".$sz." bytes");
# ::rptMsg("ModTime: ".gmtime($modtime)." Z");
# ::rptMsg("UpdTime: ".gmtime($updtime)." Z");
# ::rptMsg("");
$files{$file}{size} = $sz;
$files{$file}{modtime} = $modtime;
$files{$file}{updtime} = $updtime;
}
}
#-----------------------------------------------------------
# appWin2k3()
# parse Win2k3, Vista, Win2k8 data
#-----------------------------------------------------------
sub appWin2k3 {
my $data = shift;
my $num_entries = unpack("V",substr($data,4,4));
# ::rptMsg("Num_entries: ".$num_entries);
my $struct_sz = 0;
my ($len,$max_len,$padding) = unpack("vvV",substr($data,8,8));
if (($max_len - $len) == 2) {
# if $padding == 0, 64-bit; otherwise, 32-bit
if ($padding == 0) {
$struct_sz = 32;
::rptMsg("Win2K3/Vista/Win2K8, 64-bit");
}
else {
$struct_sz = 24;
::rptMsg("Win2K3/Vista/Win2K8, 32-bit");
}
}
foreach my $i (0..($num_entries - 1)) {
my $struct = substr($data,(8 + ($struct_sz * $i)),$struct_sz);
if ($struct_sz == 24) {
my ($len,$max_len,$ofs,$t0,$t1,$f0,$f1) = unpack("vvVVVVV",$struct);
my $file = substr($data,$ofs,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastMod: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2));
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
}
elsif ($struct_sz == 32) {
my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvVVVVVVV",$struct);
my $file = substr($data,$ofs0,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastMod: ".gmtime($t)." Z");
# ::rptMsg(" Size : ".$f0) if (($f1 == 0) && ($f0 > 3));
# ::rptMsg(" [Executed]") if (($f0 < 4) && ($f0 & 0x2));
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
}
else {
}
}
}
#-----------------------------------------------------------
# appWin7()
# parse Win2k8R2, Win7 data
#-----------------------------------------------------------
sub appWin7 {
my $data = shift;
my $struct_sz = 0;
my $num_entries = unpack("V",substr($data,4,4));
# ::rptMsg("Num_entries: ".$num_entries);
# 128-byte header
my ($len,$max_len,$padding) = unpack("vvV",substr($data,128,8));
if (($max_len - $len) == 2) {
if ($padding == 0) {
$struct_sz = 48;
::rptMsg("Win2K8R2/Win7, 64-bit");
}
else {
$struct_sz = 32;
::rptMsg("Win2K8R2/Win7, 32-bit");
}
}
foreach my $i (0..($num_entries - 1)) {
my $struct = substr($data,(128 + ($struct_sz * $i)),$struct_sz);
if ($struct_sz == 32) {
my ($len,$max_len,$ofs,$t0,$t1,$f0,$f1) = unpack("vvV5x8",$struct);
my $file = substr($data,$ofs,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastModTime: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if ($f0 & 0x2);
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if ($f0 & 0x2);
}
else {
my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvV7x16",$struct);
my $file = substr($data,$ofs0,$len);
$file =~ s/\00//g;
$file =~ s/^\\\?\?\\//;
my $t = ::getTime($t0,$t1);
# ::rptMsg($file);
# ::rptMsg(" LastModTime: ".gmtime($t)." Z");
# ::rptMsg(" [Executed]") if ($f0 & 0x2);
# ::rptMsg("");
$files{$file}{modtime} = $t;
$files{$file}{executed} = 1 if ($f0 & 0x2);
}
}
}
1;

104
RecentActivity/release/rr-full/plugins/appcompatflags.pl Executable file
View File

@ -0,0 +1,104 @@
#-----------------------------------------------------------
# appcompatflags.pl
# Extracts AppCompatFlags for Windows.
# This is a list of applications configured to run in
# compatibility mode. Some applications may be configured
# to run with elevated privilages (Tested in Vista only) :
# "ELEVATECREATEPROCESS" "RUNASADMIN" "WINXPSP2 RUNASADMIN"
#
# Change history
# 20110830 [fpi] + banner, no change to the version number
#
# References
# http://msdn.microsoft.com/en-us/library/bb756937.aspx
#
# Copyright (c) 2011-02-04 Brendan Coles <bcoles@gmail.com>
#-----------------------------------------------------------
# Require #
package appcompatflags;
use strict;
# Declarations #
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 1,
hasRefs => 1,
osmask => 22,
version => 20110204);
my $VERSION = getVersion();
# Functions #
sub getConfig {return %config}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
sub getDescr {
return "Extracts AppCompatFlags for Windows. This is a list".
" of applications configured to run in compatibility".
" mode. Some applications may be configured to run".
" with elevated privilages (Tested in Vista only) :".
'"ELEVATECREATEPROCESS" "RUNASADMIN" "WINXPSP2 RUNASADMIN"';
}
sub getShortDescr {
return "Extracts AppCompatFlags for Windows.";
}
sub getRefs {
my %refs = ("Application Compatibility: Program Compatibility Assistant" =>
"http://msdn.microsoft.com/en-us/library/bb756937.aspx");
return %refs;
}
############################################################
# pluginmain #
############################################################
sub pluginmain {
# Declarations #
my $class = shift;
my $hive = shift;
# Initialize #
::logMsg("Launching appcompatflags v.".$VERSION);
::rptMsg("appcompatflags v.".$VERSION); # 20110830 [fpi] + banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key;
my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers";
# If # AppCompatFlags path exists #
if ($key = $root_key->get_subkey($key_path)) {
# Return # plugin name, registry key and last modified date #
::rptMsg("AppCompatFlags");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# Extract # all keys from AppCompatFlags registry path #
my @vals = $key->get_list_of_values();
# If # registry keys exist in path #
if (scalar(@vals) > 0) {
# Extract # all key names+values for AppCompatFlags registry path #
foreach my $v (@vals) {
::rptMsg($v->get_name()." -> ".$v->get_data());
}
# Error # key value is null #
} else {
::rptMsg($key_path." has no values.");
}
# Error # AppCompatFlags isn't here, try another castle #
} else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
# Return # obligatory new-line #
::rptMsg("");
}
# Error # oh snap! #
1;

93
RecentActivity/release/rr-full/plugins/appinitdlls.pl Executable file
View File

@ -0,0 +1,93 @@
#-----------------------------------------------------------
# appinitdlls
#
# Change history:
# 20130425 - added alertMsg() functionality
# 20130305 - updated to address 64-bit systems
# 20080324 - created
#
# Ref:
# http://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx
# http://support.microsoft.com/kb/q197571
#
# copyright 2013 QAR,LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appinitdlls;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of AppInit_DLLs value";
}
sub getDescr{}
sub getRefs {
my %refs = ("Working with the AppInit_DLLs Reg Value" =>
"http://support.microsoft.com/kb/q197571");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::rptMsg("Launching appinitdlls v.".$VERSION);
::rptMsg("appinitdlls v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my @paths = ('Microsoft\\Windows NT\\CurrentVersion\\Windows',
'Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows');
::rptMsg("AppInit_DLLs");
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
foreach my $key_path (@paths) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
eval {
my $app = $key->get_value("AppInit_DLLs")->get_data();
if ($app eq "") {
$app = "{blank}";
}
else {
::alertMsg("ALERT: appinitdlls: Entry not blank: ".$app);
}
::rptMsg(" AppInit_DLLs : ".$app);
};
eval {
my $load = $key->get_value("LoadAppInit_DLLs")->get_data();
::rptMsg(" LoadAppInit_DLLs : ".$load);
::rptMsg("*LoadAppInit_DLLs value globally enables/disables AppInit_DLLS\.");
::rptMsg("0 = disabled (default)");
};
eval {
my $req = $key->get_value("RequireSignedAppInit_DLLs")->get_data();
::rptMsg(" RequireSignedAppInit_DLLs : ".$req);
};
::rptMsg("");
}
else {
::rptMsg($key_path." not found.");
}
}
::rptMsg("Analysis Tip: The AppInit_DLLs value should be blank; any DLL listed");
::rptMsg("is launched with each user-mode process\. ");
}
1;

2
thirdparty/rr/plugins/applets.pl → RecentActivity/release/rr-full/plugins/applets.pl Normal file → Executable file
View File

@ -36,6 +36,8 @@ sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching applets v.".$VERSION);
::rptMsg("applets v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;

84
RecentActivity/release/rr-full/plugins/applets_tln.pl Executable file
View File

@ -0,0 +1,84 @@
#-----------------------------------------------------------
# applets_tln.pl
# Plugin for Registry Ripper
# Windows\CurrentVersion\Applets Recent File List values
#
# Change history
# 20120613 - created
#
# References
#
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package applets_tln;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20120613);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's Applets key (TLN)";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching applets_tln v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Applets';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg("Applets");
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# ::rptMsg("");
# Locate files opened in MS Paint
my $paint_key = 'Paint\\Recent File List';
my $paint = $key->get_subkey($paint_key);
if (defined $paint) {
# ::rptMsg($key_path."\\".$paint_key);
# ::rptMsg("LastWrite Time ".gmtime($paint->get_timestamp())." (UTC)");
my @vals = $paint->get_list_of_values();
if (scalar(@vals) > 0) {
::rptMsg($paint->get_timestamp()."|REG|||MS Paint Most Recent File = ".$paint->get_value("File1")->get_data());
}
else {
# ::rptMsg($key_path."\\".$paint_key." has no values.");
}
}
else {
# ::rptMsg($key_path."\\".$paint_key." not found.");
}
# Get Last Registry key opened in RegEdit
my $reg_key = "Regedit";
my $reg = $key->get_subkey($reg_key);
if (defined $reg) {
# ::rptMsg("");
# ::rptMsg($key_path."\\".$reg_key);
# ::rptMsg("LastWrite Time ".gmtime($reg->get_timestamp())." (UTC)");
my $lastkey = $reg->get_value("LastKey")->get_data();
::rptMsg($reg->get_timestamp()."|REG|||RegEdit LastKey value -> ".$lastkey);
}
}
else {
# ::rptMsg($key_path." not found.");
}
}
1;

94
RecentActivity/release/rr-full/plugins/apppaths.pl Executable file
View File

@ -0,0 +1,94 @@
#-----------------------------------------------------------
# apppaths
# Gets contents of App Paths subkeys from the Software hive,
# diplaying the EXE name and path; all entries are sorted by
# LastWrite time
#
# References
#
#
# History:
# 20120524 - updated to include 64-bit OSs
# 20080404 - created
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package apppaths;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20120524);
sub getConfig{return %config}
sub getShortDescr {
return "Gets content of App Paths subkeys";
}
sub getDescr{}
sub getRefs {
my %refs = ("You cannot open Help and Support Center in Windows XP" =>
"http://support.microsoft.com/kb/888018",
"Another installation program starts..." =>
"http://support.microsoft.com/kb/888470");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching apppaths v.".$VERSION);
::rptMsg("apppaths v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# used a list of values to address the need for parsing the App Paths key
# in the Wow6432Node key, if it exists.
my @paths = ("Microsoft\\Windows\\CurrentVersion\\App Paths");
foreach my $key_path (@paths) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("App Paths");
::rptMsg($key_path);
::rptMsg("");
my %apps;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
my $lastwrite = $s->get_timestamp();
my $path;
eval {
$path = $s->get_value("")->get_data();
};
push(@{$apps{$lastwrite}},$name." - ".$path);
}
foreach my $t (reverse sort {$a <=> $b} keys %apps) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$apps{$t}}) {
::rptMsg(" $item");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
}
1;

90
RecentActivity/release/rr-full/plugins/apppaths_tln.pl Executable file
View File

@ -0,0 +1,90 @@
#-----------------------------------------------------------
# apppaths_tln
# Gets contents of App Paths subkeys from the Software hive,
# Output in TLN format
#
# References
#
# History:
# 20130429 - created from apppaths.pl
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package apppaths_tln;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20130429);
sub getConfig{return %config}
sub getShortDescr {
return "Gets content of App Paths subkeys (TLN)";
}
sub getDescr{}
sub getRefs {
my %refs = ("You cannot open Help and Support Center in Windows XP" =>
"http://support.microsoft.com/kb/888018",
"Another installation program starts..." =>
"http://support.microsoft.com/kb/888470");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching apppaths_tln v.".$VERSION);
# ::rptMsg("apppaths v.".$VERSION); # banner
# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# used a list of values to address the need for parsing the App Paths key
# in the Wow6432Node key, if it exists.
my @paths = ("Microsoft\\Windows\\CurrentVersion\\App Paths");
foreach my $key_path (@paths) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("App Paths");
::rptMsg($key_path);
::rptMsg("");
my %apps;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
my $lastwrite = $s->get_timestamp();
my $path;
eval {
$path = $s->get_value("")->get_data();
};
push(@{$apps{$lastwrite}},$name." - ".$path);
}
foreach my $t (reverse sort {$a <=> $b} keys %apps) {
foreach my $item (@{$apps{$t}}) {
::rptMsg($t."|REG|||App Paths - ".$item);
}
}
}
else {
# ::rptMsg($key_path." has no subkeys.");
}
}
else {
# ::rptMsg($key_path." not found.");
}
}
}
1;

74
RecentActivity/release/rr-full/plugins/appspecific.pl Executable file
View File

@ -0,0 +1,74 @@
#-----------------------------------------------------------
# appspecific.pl
#
#
# Change history
# 20120820 - created
#
# References
#
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appspecific;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20120820);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's Intellipoint\\AppSpecific subkeys";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching appspecific v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\IntelliPoint\\AppSpecific';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("AppSpecific");
::rptMsg($key_path);
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
my $ts;
eval {
$ts = $s->get_value("Timestamp")->get_data();
my $t = ::getTime(0,$ts);
::rptMsg("Timestamp: ".gmtime($t));
};
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

109
RecentActivity/release/rr-full/plugins/ares.pl Executable file
View File

@ -0,0 +1,109 @@
#-----------------------------------------------------------
# ares.pl
#
#
# Change History
# 20130312 - updated based on data provided by J. Weg
# 20120507 - modified to remove the traversing function, to only get
# a limited amount of data.
# 20110603 - modified F. Kolenbrander
# parsing some values according ares source code, like searches and
# timestamps.
# 20110530 - created
#
# References
#
#
# copyright 2012 Quantum Analytics Research, LLC
# author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package ares;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20130312);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's Software/Ares key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching ares v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Ares';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# ::rptMsg("");
my %ares = ();
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
$ares{$v->get_name()} = $v->get_data();
}
::rptMsg("");
::rptMsg("RegisterEmail: ".$ares{"RegisterEmail"}) if (exists $ares{"RegisterEmail"});
::rptMsg("Stats\.LstConnect: ".gmtime($ares{"Stats\.LstConnect"})." UTC") if (exists $ares{"Stats\.LstConnect"});
::rptMsg("Personal\.Nickname: ".hex2ascii($ares{"Personal\.Nickname"})) if (exists $ares{"Personal\.Nickname"});
::rptMsg("General\.Language: ".hex2ascii($ares{"General\.Language"})) if (exists $ares{"General\.Language"});
::rptMsg("PrivateMessage\.AwayMessage: ".hex2ascii($ares{"PrivateMessage\.AwayMessage"})) if (exists $ares{"PrivateMessage\.AwayMessage"});
}
else {
::rptMsg($key->get_name()." has no values.");
}
::rptMsg("");
getSearchTerms($key);
}
else {
::rptMsg($key_path." not found.");
}
}
sub getSearchTerms {
my $key = shift;
my $count = 0;
::rptMsg("Search Terms:");
my @subkeys = ("audio\.gen","gen\.gen","image\.gen","video\.gen");
foreach my $sk (@subkeys) {
my $gen = $key->get_subkey("Search\.History")->get_subkey($sk);
my @vals = $gen->get_list_of_values();
if (scalar(@vals) > 0) {
$count = 1;
::rptMsg($gen->get_name());
::rptMsg("LastWrite: ".gmtime($gen->get_timestamp()));
foreach my $v (@vals) {
next if ($v->get_name() eq "");
::rptMsg(" ".hex2ascii($v->get_name()));
}
}
}
::rptMsg("No search terms found\.") if ($count == 0);
}
sub hex2ascii {
return pack('H*',shift);
}
1;

2
thirdparty/rr/plugins/arpcache.pl → RecentActivity/release/rr-full/plugins/arpcache.pl Normal file → Executable file
View File

@ -45,6 +45,8 @@ sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching arpcache v.".$VERSION);
::rptMsg("arpcache v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;

2
thirdparty/rr/plugins/assoc.pl → RecentActivity/release/rr-full/plugins/assoc.pl Normal file → Executable file
View File

@ -31,6 +31,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching assoc v.".$VERSION);
::rptMsg("assoc v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

85
RecentActivity/release/rr-full/plugins/attachmgr.pl Executable file
View File

@ -0,0 +1,85 @@
#-----------------------------------------------------------
# attachmgr.pl
# The Windows Attachment Manager manages how attachments are handled,
# and settings are on a per-user basis. Malware has been shown to access
# these settings and make modifications.
#
# Category: Malware
#
# Change history
# 20130425 - added alertMsg() functionality
# 20130117 - created
#
# References
# http://journeyintoir.blogspot.com/2010/10/anatomy-of-drive-by-part-2.html
# http://support.microsoft.com/kb/883260
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package attachmgr;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Checks user's keys that manage the Attachment Manager functionality";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
my @temps;
::logMsg("Launching attachmgr v.".$VERSION);
::rptMsg("attachmgr v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my @attach = ('Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations',
'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments');
foreach my $key_path (@attach) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
my $data = $v->get_data();
# checks added 20130425
# settings information derived from MS KB 883260
::alertMsg("ALERT: attachmgr: ".$key_path." SaveZoneInformation value found: ".$data) if ($name eq "SaveZoneInformation");
::alertMsg("ALERT: attachmgr: ".$key_path." ScanWithAntiVirus value found: ".$data) if ($name eq "ScanWithAntiVirus");
::alertMsg("ALERT: attachmgr: ".$key_path." LowRiskFileTypes value includes exe: ".$data (if $name eq "LowRiskFileTypes" && grep(/exe/,$data));
::rptMsg(sprintf "%-15s %-6s",$name,$data);
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
}
}
1;

83
RecentActivity/release/rr-full/plugins/attachmgr_tln.pl Executable file
View File

@ -0,0 +1,83 @@
#-----------------------------------------------------------
# attachmgr_tln.pl
# The Windows Attachment Manager manages how attachments are handled,
# and settings are on a per-user basis. Malware has been shown to access
# these settings and make modifications.
#
# Category: Malware
#
# Change history
# 20130425 - created
#
# References
# http://journeyintoir.blogspot.com/2010/10/anatomy-of-drive-by-part-2.html
# http://support.microsoft.com/kb/883260
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package attachmgr_tln;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Checks user's keys that manage the Attachment Manager functionality (TLN)";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
my @temps;
::logMsg("Launching attachmgr_tln v.".$VERSION);
# ::rptMsg("attachmgr_tln v.".$VERSION); # banner
# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my @attach = ('Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations',
'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments');
foreach my $key_path (@attach) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $lw = $key->get_timestamp();
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
my $data = $v->get_data();
# checks added 20130425
# settings information derived from MS KB 883260
::alertMsg($lw."|ALERT|||HKCU\\".$key_path." SaveZoneInformation value found: ".$data) if ($name eq "SaveZoneInformation");
::alertMsg($lw."|ALERT|||HKCU\\".$key_path." ScanWithAntiVirus value found: ".$data) if ($name eq "ScanWithAntiVirus");
::alertMsg($lw."|ALERT|||HKCU\\".$key_path." LowRiskFileTypes value includes exe: ".$data (if $name eq "LowRiskFileTypes" && grep(/exe/,$data));
}
}
else {
# ::rptMsg($key_path." has no values.");
}
}
else {
# ::rptMsg($key_path." not found.");
}
# ::rptMsg("");
}
}
1;

2
thirdparty/rr/plugins/auditfail.pl → RecentActivity/release/rr-full/plugins/auditfail.pl Normal file → Executable file
View File

@ -36,6 +36,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching auditfail v.".$VERSION);
::rptMsg("auditfail v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

71
thirdparty/rr/plugins/auditpol.pl → RecentActivity/release/rr-full/plugins/auditpol.pl Normal file → Executable file
View File

@ -2,7 +2,14 @@
# auditpol
# Get the audit policy from the Security hive file
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#
# History
# 20121128 - updated for later versions of Windows
# 20080327 - created
#
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package auditpol;
use strict;
@ -12,7 +19,7 @@ my %config = (hive => "Security",
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20080327);
version => 20121128);
sub getConfig{return %config}
sub getShortDescr {
@ -38,6 +45,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching auditpol v.".$VERSION);
::rptMsg("auditpol v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
@ -52,6 +61,13 @@ sub pluginmain {
my $data;
eval {
$data = $key->get_value("")->get_data();
::rptMsg("Length of data: ".length($data)." bytes.");
my @d = printData($data);
foreach (0..(scalar(@d) - 1)) {
::rptMsg($d[$_]);
}
};
if ($@) {
::rptMsg("Error occurred getting data from ".$key_path);
@ -81,8 +97,55 @@ sub pluginmain {
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
#-----------------------------------------------------------
# printData()
# subroutine used primarily for debugging; takes an arbitrary
# length of binary data, prints it out in hex editor-style
# format for easy debugging
#-----------------------------------------------------------
sub printData {
my $data = shift;
my $len = length($data);
my $tag = 1;
my $cnt = 0;
my @display = ();
my $loop = $len/16;
$loop++ if ($len%16);
foreach my $cnt (0..($loop - 1)) {
# while ($tag) {
my $left = $len - ($cnt * 16);
my $n;
($left < 16) ? ($n = $left) : ($n = 16);
my $seg = substr($data,$cnt * 16,$n);
my @str1 = split(//,unpack("H*",$seg));
my @s3;
my $str = "";
foreach my $i (0..($n - 1)) {
$s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) {
$str .= chr(hex($s3[$i]));
}
else {
$str .= "\.";
}
}
my $h = join(' ',@s3);
# ::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h);
$display[$cnt] = sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h;
}
return @display;
}
1;

2
thirdparty/rr/plugins/autoendtasks.pl → RecentActivity/release/rr-full/plugins/autoendtasks.pl Normal file → Executable file
View File

@ -37,6 +37,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching autoendtasks v.".$VERSION);
::rptMsg("autoendtasks v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

2
thirdparty/rr/plugins/autorun.pl → RecentActivity/release/rr-full/plugins/autorun.pl Normal file → Executable file
View File

@ -37,6 +37,8 @@ sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching autorun v.".$VERSION);
::rptMsg("autorun v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;

176
RecentActivity/release/rr-full/plugins/backuprestore.pl Executable file
View File

@ -0,0 +1,176 @@
#-----------------------------------------------------------
# backuprestore.pl
# Access System hive file to get the contents of the FilesNotToSnapshot, KeysNotToRestore, and FilesNotToBackup keys
#
# Change history
# 9/14/2012: retired the filesnottosnapshot.pl plugin since BackupRestore checks the same key
#
# References
# Troy Larson's Windows 7 presentation slide deck http://computer-forensics.sans.org/summit-archives/2010/files/12-larson-windows7-foreniscs.pdf
# QCCIS white paper Reliably recovering evidential data from Volume Shadow Copies http://www.qccis.com/downloads/whitepapers/QCC%20VSS
# http://msdn.microsoft.com/en-us/library/windows/desktop/bb891959(v=vs.85).aspx
#
# copyright 2012 Corey Harrell (Journey Into Incident Response)
#-----------------------------------------------------------
package backuprestore;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20120914);
sub getConfig{return %config}
sub getShortDescr {
return "Gets the contents of the FilesNotToSnapshot, KeysNotToRestore, and FilesNotToBackup keys";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching backuprestore v.".$VERSION);
::rptMsg("backuprestore v.".$VERSION);
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my ($current,$ccs);
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $fns_path = $ccs."\\Control\\BackupRestore\\FilesNotToSnapshot";
my $fns;
if ($fns = $root_key->get_subkey($fns_path)) {
::rptMsg("FilesNotToSnapshot key");
::rptMsg($fns_path);
::rptMsg("LastWrite Time ".gmtime($fns->get_timestamp())." (UTC)");
::rptMsg("");
my %cv;
my @valfns = $fns->get_list_of_values();;
if (scalar(@valfns) > 0) {
foreach my $v (@valfns) {
my $name = $v->get_name();
my $data = $v->get_data();
my $len = length($data);
next if ($name eq "");
push(@{$cv{$len}},$name." : ".$data);
}
foreach my $t (sort {$a <=> $b} keys %cv) {
foreach my $item (@{$cv{$t}}) {
::rptMsg(" $item");
}
}
::rptMsg("");
::rptMsg("The listed directories/files are not backed up in Volume Shadow Copies");
::rptMsg("");
::rptMsg("");
}
else {
::rptMsg($fns_path." has no values.");
::logMsg($fns_path." has no values.");
::rptMsg("");
}
}
else {
::rptMsg($fns_path." not found.");
::logMsg($fns_path." not found.");
::rptMsg("");
}
my $fnb_path = $ccs."\\Control\\BackupRestore\\FilesNotToBackup";
my $fnb;
if ($fnb = $root_key->get_subkey($fnb_path)) {
::rptMsg("FilesNotToBackup key");
::rptMsg($fnb_path);
::rptMsg("LastWrite Time ".gmtime($fnb->get_timestamp())." (UTC)");
::rptMsg("");
my %cq;
my @valfnb = $fnb->get_list_of_values();;
if (scalar(@valfnb) > 0) {
foreach my $v (@valfnb) {
my $name = $v->get_name();
my $data = $v->get_data();
my $len = length($data);
next if ($name eq "");
push(@{$cq{$len}},$name." : ".$data);
}
foreach my $t (sort {$a <=> $b} keys %cq) {
foreach my $item (@{$cq{$t}}) {
::rptMsg(" $item");
}
}
::rptMsg("");
::rptMsg("Specifies the directories and files that backup applications should not backup or restore");
::rptMsg("");
::rptMsg("");
}
else {
::rptMsg($fnb_path." has no values.");
::logMsg($fnb_path." has no values.");
::rptMsg("");
}
}
else {
::rptMsg($fnb_path." not found.");
::logMsg($fnb_path." not found.");
::rptMsg("");
}
my $knr_path = $ccs."\\Control\\BackupRestore\\KeysNotToRestore";
my $knr;
if ($knr = $root_key->get_subkey($knr_path)) {
::rptMsg("KeysNotToRestore key");
::rptMsg($knr_path);
::rptMsg("LastWrite Time ".gmtime($knr->get_timestamp())." (UTC)");
::rptMsg("");
my %cw;
my @valknr = $knr->get_list_of_values();;
if (scalar(@valknr) > 0) {
foreach my $v (@valknr) {
my $name = $v->get_name();
my $data = $v->get_data();
my $len = length($data);
next if ($name eq "");
push(@{$cw{$len}},$name." : ".$data);
}
foreach my $t (sort {$a <=> $b} keys %cw) {
foreach my $item (@{$cw{$t}}) {
::rptMsg(" $item");
}
}
::rptMsg("");
::rptMsg("Specifies the names of the registry subkeys and values that backup applications should not restore");
::rptMsg("");
}
else {
::rptMsg($knr_path." has no values.");
::logMsg($knr_path." has no values.");
}
}
else {
::rptMsg($knr_path." not found.");
::logMsg($knr_path." not found.");
}
}
}
1;

2
thirdparty/rr/plugins/banner.pl → RecentActivity/release/rr-full/plugins/banner.pl Normal file → Executable file
View File

@ -36,6 +36,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching banner v.".$VERSION);
::rptMsg("banner v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

81
RecentActivity/release/rr-full/plugins/baseline.pl Executable file
View File

@ -0,0 +1,81 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# baseline.pl
#
# History
# 20130211 - Created
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package baseline;
use strict;
my %config = (hive => "All",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20130211);
sub getConfig{return %config}
sub getShortDescr {
return "Scans a hive file, checking sizes of binary value data";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %vals;
my $count = 0;
my %data_len = ();
sub pluginmain {
my $class = shift;
my $file = shift;
my $reg = Parse::Win32Registry->new($file);
my $root_key = $reg->get_root_key;
::logMsg("Launching baseline v.".$VERSION);
::rptMsg("baseline v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
traverse($root_key);
# Data structure containing findings is a hash of hashes
::rptMsg("Total values checked : ".$count);
# ::rptMsg("");
::rptMsg("Number of binary value lengths : ".scalar(keys %data_len));
my @len = sort {$a <=> $b} keys %data_len;
# ::rptMsg("Value 0: ".$len[0]);
::rptMsg("...");
my $n = scalar @len - 1;
for my $i (($n - 15)..$n) {
::rptMsg("Value ".$i.": ".$len[$i]." bytes [# times: ".$data_len{$len[$i]}."]");
}
}
sub traverse {
my $key = shift;
# my $ts = $key->get_timestamp();
foreach my $val ($key->get_list_of_values()) {
my $type = $val->get_type();
if ($type == 0 || $type == 3) {
$count++;
my $data = $val->get_data();
if (exists $data_len{length($data)}) {
$data_len{length($data)}++;
}
else {
$data_len{length($data)} = 1;
}
}
}
foreach my $subkey ($key->get_list_of_subkeys()) {
traverse($subkey);
}
}
1;

117
RecentActivity/release/rr-full/plugins/bho.pl Executable file
View File

@ -0,0 +1,117 @@
#-----------------------------------------------------------
# bho
#
#
# Change history:
# 20130408 - updated to include Wow6432Node; formating updates
# 20080418 - created
#
#
# copyright 2013 QAR, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package bho;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20130408);
sub getConfig{return %config}
sub getShortDescr {
return "Gets Browser Helper Objects from Software hive";
}
sub getDescr{}
sub getRefs {
my %refs = ("Browser Helper Objects" =>
"http://msdn2.microsoft.com/en-us/library/bb250436.aspx");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching bho v.".$VERSION);
::rptMsg("bho v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my @paths = ("Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",
"Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects");
foreach my $key_path (@paths) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar (@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
next if ($name =~ m/^-/);
my $clsid_path = "Classes\\CLSID\\".$name;
my $clsid;
my %bhos;
if ($clsid = $root_key->get_subkey($clsid_path)) {
my $class;
my $mod;
my $lastwrite;
eval {
$class = $clsid->get_value("")->get_data();
$bhos{$name}{class} = $class;
};
if ($@) {
::logMsg("Error getting Class name for CLSID\\".$name);
::logMsg("\t".$@);
}
eval {
$mod = $clsid->get_subkey("InProcServer32")->get_value("")->get_data();
$bhos{$name}{module} = $mod;
};
if ($@) {
::logMsg("\tError getting Module name for CLSID\\".$name);
::logMsg("\t".$@);
}
eval{
$lastwrite = $clsid->get_subkey("InProcServer32")->get_timestamp();
$bhos{$name}{lastwrite} = $lastwrite;
};
if ($@) {
::logMsg("\tError getting LastWrite time for CLSID\\".$name);
::logMsg("\t".$@);
}
foreach my $b (keys %bhos) {
::rptMsg($b);
::rptMsg(" Class => ".$bhos{$b}{class});
::rptMsg(" Module => ".$bhos{$b}{module});
::rptMsg(" LastWrite => ".gmtime($bhos{$b}{lastwrite}));
::rptMsg("");
}
}
else {
::rptMsg($clsid_path." not found.");
::rptMsg("");
}
}
}
else {
::rptMsg($key_path." has no subkeys. No BHOs installed.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
}
1;

2
thirdparty/rr/plugins/bitbucket.pl → RecentActivity/release/rr-full/plugins/bitbucket.pl Normal file → Executable file
View File

@ -35,6 +35,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching bitbucket v.".$VERSION);
::rptMsg("bitbucket v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

2
thirdparty/rr/plugins/bitbucket_user.pl → RecentActivity/release/rr-full/plugins/bitbucket_user.pl Normal file → Executable file
View File

@ -37,6 +37,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching bitbucket_user v.".$VERSION);
::rptMsg("bitbucket_user v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

10
thirdparty/rr/plugins/brisv.pl → RecentActivity/release/rr-full/plugins/brisv.pl Normal file → Executable file
View File

@ -5,12 +5,15 @@
# ?docid=2008-071823-1655-99
#
# Change History:
# 20130429: added alertMsg() functionality
# 20090210: Created
#
# Info on URLAndExitCommandsEnabled value:
# http://support.microsoft.com/kb/828026
# http://www.hispasec.com/laboratorio/GetCodecAnalysis.pdf
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
# copyright 2013 QAR, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package brisv;
use strict;
@ -20,7 +23,7 @@ my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090210);
version => 20130429);
sub getConfig{return %config}
@ -38,6 +41,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching brisv v.".$VERSION);
::rptMsg("brisv v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
@ -53,6 +58,7 @@ sub pluginmain {
eval {
$url = $key->get_subkey($mp_path)->get_value("URLAndExitCommandsEnabled")->get_data();
::rptMsg($mp_path."\\URLAndExitCommandsEnabled value set to ".$url);
::alertMsg($mp_path."\\URLAndExitCommandsEnabled value set: ".$url);
};
# if an error occurs within the eval{} statement, do nothing
}

80
RecentActivity/release/rr-full/plugins/btconfig.pl Executable file
View File

@ -0,0 +1,80 @@
#-----------------------------------------------------------
# btconfig.pl
#
#
# History:
# 20130117 - created
#
# copyright 2013 Quantum Research Analytics, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package btconfig;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20130117);
sub getConfig{return %config}
sub getShortDescr {
return "Determines BlueTooth devices 'seen' by BroadComm drivers";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching btconfig v.".$VERSION);
::rptMsg("Launching btconfig v.".$VERSION);
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'WidComm\\BTConfig\\Devices';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @sk = $key->get_list_of_subkeys();
foreach my $s (@sk) {
my $name = $s->get_name();
my $lw = $s->get_timestamp();
::rptMsg("Unique ID: ".$name);
::rptMsg(" LastWrite: ".gmtime($lw)." Z");
my $devname;
eval {
# May need to work on parsing the binary "Name" value data into an actual name...
my @str1 = split(//,unpack("H*",$s->get_value("Name")->get_data()));
my @s3;
my $str;
foreach my $i (0..((scalar(@str1)/2) - 1)) {
$s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) {
$str .= chr(hex($s3[$i]));
}
else {
$str .= "";
}
}
::rptMsg(" Device Name: ".$str);
};
::rptMsg("");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

101
RecentActivity/release/rr-full/plugins/bthport.pl Executable file
View File

@ -0,0 +1,101 @@
#-----------------------------------------------------------
# bthport.pl
# Get BlueTooth device information from the Registry; assumes
# MS drivers (other drivers, such as BroadComm, will be found in
# other locations)
#
# Change history
# 20130115 - created
#
# Category:
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package bthport;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20130115);
sub getConfig{return %config}
sub getShortDescr {
return "Gets Bluetooth-connected devices from System hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching bthport v.".$VERSION);
::rptMsg("bthport v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my ($current,$ccs);
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $cn_path = $ccs."\\services\\BTHPORT\\Parameters\\Devices";
my $cn;
if ($cn = $root_key->get_subkey($cn_path)) {
::rptMsg($cn_path);
::rptMsg("LastWrite: ".gmtime($cn->get_timestamp())." UTC");
my @sk = $cn->get_list_of_subkeys();
if (scalar(@sk) > 0) {
::rptMsg("");
foreach my $s (@sk) {
my $name = $s->get_name();
my $lw = $s->get_timestamp();
::rptMsg("Device Unique ID: ".$name);
# Note: Need to get VID and PID values for translation and mapping
my $devname;
eval {
# May need to work on parsing the binary "Name" value data into an actual name...
my @str1 = split(//,unpack("H*",$s->get_value("Name")->get_data()));
my @s3;
my $str;
foreach my $i (0..((scalar(@str1)/2) - 1)) {
$s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) {
$str .= chr(hex($s3[$i]));
}
else {
$str .= " ";
}
}
::rptMsg("Device Name: ".$str);
};
}
}
else {
::rptMsg($cn_path." has no subkeys.");
}
}
else {
::rptMsg($cn_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

93
RecentActivity/release/rr-full/plugins/cain.pl Executable file
View File

@ -0,0 +1,93 @@
#-----------------------------------------------------------
# cain.pl
# Extracts details for Cain & Abel by oxid.it
#
# Change history
# 20110830 [fpi] + banner, no change to the version number
#
# References
#
# Copyright (c) 2011-02-04 Brendan Coles <bcoles@gmail.com>
#-----------------------------------------------------------
# Require #
package cain;
use strict;
# Declarations #
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20110204);
my $VERSION = getVersion();
# Functions #
sub getDescr {}
sub getConfig {return %config}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
sub getShortDescr {
return "Extracts details for Cain & Abel by oxid.it";
}
sub getRefs {
my %refs = ("Cain & Abel Homepage:" =>
"http://www.oxid.it/cain.html");
return %refs;
}
############################################################
# pluginmain #
############################################################
sub pluginmain {
# Declarations #
my $class = shift;
my $hive = shift;
# Initialize #
::logMsg("Launching cain v.".$VERSION);
::rptMsg("cain v.".$VERSION); # 20110830 [fpi] + banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key;
my $key_path = "Software\\Cain\\Settings";
# If # Cain path exists #
if ($key = $root_key->get_subkey($key_path)) {
# Return # plugin name, registry key and last modified date #
::rptMsg("Cain");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# Extract # all keys from Cain registry path #
my @vals = $key->get_list_of_values();
# If # registry keys exist in path #
if (scalar(@vals) > 0) {
# Extract # all key names+values for Cain registry path #
foreach my $v (@vals) {
::rptMsg($v->get_name()." -> ".$v->get_data());
}
# Error # key value is null #
} else {
::rptMsg($key_path." has no values.");
}
# Error # Cain isn't here, try another castle #
} else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
# Return # obligatory new-line #
::rptMsg("");
}
# Error # oh snap! #
1;

79
RecentActivity/release/rr-full/plugins/ccleaner.pl Executable file
View File

@ -0,0 +1,79 @@
#-----------------------------------------------------------
# ccleaner.pl
# Gets CCleaner User Settings
#
# Change history
# 20120128 [ale] % Initial Version based on warcraft3.pl plugin
#
# References
#
# Author: Adrian Leong <cheeky4n6monkey@gmail.com>
#-----------------------------------------------------------
package ccleaner;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20120128);
sub getConfig{return %config}
sub getShortDescr {
return "Gets User's CCleaner Settings";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift; # pops the first element off @_ ie the parameter array passed in to pluginmain
my $hive = shift; # 1st element in @_ is class/package name (ccleaner), 2nd is the hive name passed in from rip.pl
::logMsg("Launching ccleaner v.".$VERSION);
::rptMsg("ccleaner v.".$VERSION);
::rptMsg("(".getHive().") ".getShortDescr()."\n");
my $reg = Parse::Win32Registry->new($hive); # creates a Win32Registry object
my $root_key = $reg->get_root_key;
my $key;
my $key_path = "Software\\Piriform\\CCleaner";
# If CCleaner key_path exists ... ie get_subkey returns a non-empty value
if ($key = $root_key->get_subkey($key_path)) {
# Print registry key name and last modified date
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my %cckeys; # temporary associative array for storing name / value pairs eg ("UpdateCheck", 1)
# Extract ccleaner key values into ccvals array
# Note: ccvals becomes an array of "Parse::Win32Registry::WinNT::Value"
# As this is implemented in an Object oriented manner, we cannot access the values directly -
# we have to use the "get_name" and "get_value" subroutines
my @ccvals = $key->get_list_of_values();
# If ccvals has any "Values" in it, call "Value::get_name" and "Value::get_data" for each
# and store the results in the %cckeys associative array using data returned by Value::get_name as the id/index
# and Value::get_data for the actual key value
if (scalar(@ccvals) > 0) {
foreach my $val (@ccvals) {
$cckeys{$val->get_name()} = $val->get_data();
}
# Sorts keynames into a temp list and then prints each key name + value in list order
# the values are retrieved from cckeys assoc. array which was populated in the previous foreach loop
foreach my $keyval (sort keys %cckeys) {
::rptMsg($keyval." -> ".$cckeys{$keyval});
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." does not exist.");
}
# Return obligatory new-line
::rptMsg("");
}
1;

2
thirdparty/rr/plugins/clampi.pl → RecentActivity/release/rr-full/plugins/clampi.pl Normal file → Executable file
View File

@ -39,6 +39,8 @@ sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching clampi v.".$VERSION);
::rptMsg("clampi v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;

2
thirdparty/rr/plugins/clampitm.pl → RecentActivity/release/rr-full/plugins/clampitm.pl Normal file → Executable file
View File

@ -39,6 +39,8 @@ sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching clampitm v.".$VERSION);
::rptMsg("clampitm v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;

2
thirdparty/rr/plugins/clsid.pl → RecentActivity/release/rr-full/plugins/clsid.pl Normal file → Executable file
View File

@ -38,6 +38,8 @@ sub pluginmain {
my $hive = shift;
my %clsid;
::logMsg("Launching clsid v.".$VERSION);
::rptMsg("clsid v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

59
thirdparty/rr/plugins/cmd_shell.pl → RecentActivity/release/rr-full/plugins/cmd_shell.pl Normal file → Executable file
View File

@ -1,8 +1,8 @@
#-----------------------------------------------------------
# cmd_shell
#
#
# Change History
# 20130405 - added Clients subkey
# 20100830 - added "cs" shell command to the path
# 20080328 - created
#
@ -10,7 +10,8 @@
# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?
# Name=TrojanClicker%3AWin32%2FVB.GE
#
# copyright 2010 Quantum Analytics Research, LLC
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package cmd_shell;
use strict;
@ -20,7 +21,7 @@ my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20100830);
version => 20130405);
sub getConfig{return %config}
@ -42,34 +43,72 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching cmd_shell v.".$VERSION);
::rptMsg("cmd_shell v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my @shells = ("exe","cmd","bat","cs","hta","pif");
foreach my $sh (@shells) {
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
foreach my $sh (@shells) {
my $key_path = "Classes\\".$sh."file\\shell\\open\\command";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("cmd_shell");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# ::rptMsg("");
my $val;
eval {
$val = $key->get_value("")->get_data();
::rptMsg("\tCmd: ".$val);
::rptMsg(" Cmd: ".$val);
if ($sh eq "hta") {
if ($val eq "C:\\Windows\\SysWOW64\\mshta\.exe \"%1\" %*" || $val eq "C:\\WINDOWS\\system32\\mshta\.exe \"%1\" %*") {
}
else {
::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$val);
}
}
else {
::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$val) unless ($val eq "\"%1\" %*");
}
::rptMsg("");
};
::rptMsg("Error: ".$@) if ($@);
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
::rptMsg("");
}
}
::rptMsg("");
my $key_path = "Clients\\StartMenuInternet\\IExplore.exe\\shell\\open\\command";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
eval {
my $cmd = $key->get_value("")->get_data();
::rptMsg(" Cmd: ".$cmd);
if ($cmd eq "\"C:\\Program Files\\Internet Explorer\\iexplore\.exe\"" ||
$cmd eq "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore\.exe\"") {
}
else {
::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$cmd);
}
};
::rptMsg("Error: ".$@) if ($@);
}
else {
::rptMsg($key_path." not found\.");
}
}
1;

111
RecentActivity/release/rr-full/plugins/cmd_shell_tln.pl Executable file
View File

@ -0,0 +1,111 @@
#-----------------------------------------------------------
# cmd_shell_tln
#
# Change History
# 20130425 - created
#
# References
# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?
# Name=TrojanClicker%3AWin32%2FVB.GE
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package cmd_shell_tln;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Gets shell open cmds for various file types";
}
sub getDescr{}
sub getRefs {
my %refs = ("You Are Unable to Start a Program with an .exe File Extension" =>
"http://support.microsoft.com/kb/310585");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching cmd_shell_tln v.".$VERSION);
# ::rptMsg("cmd_shell v.".$VERSION); # banner
# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my @shells = ("exe","cmd","bat","cs","hta","pif");
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
foreach my $sh (@shells) {
my $key_path = "Classes\\".$sh."file\\shell\\open\\command";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# ::rptMsg("");
my $lw = $key->get_timestamp();
my $val;
eval {
$val = $key->get_value("")->get_data();
# ::rptMsg(" Cmd: ".$val);
if ($sh eq "hta") {
if ($val eq "C:\\Windows\\SysWOW64\\mshta\.exe \"%1\" %*" || $val eq "C:\\WINDOWS\\system32\\mshta\.exe \"%1\" %*") {
}
else {
# ::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$val);
::alertMsg($lw."|ALERT|||Software\\".$key_path." warning: ".$val);
}
}
else {
# ::alertMsg("ALERT: cmd_shell: ".$key_path." warning: ".$val) unless ($val eq "\"%1\" %*");
::alertMsg($lw."|ALERT|||Software\\".$key_path." warning: ".$val) unless ($val eq "\"%1\" %*");
}
};
}
else {
# ::rptMsg($key_path." not found.");
# ::rptMsg("");
}
}
# ::rptMsg("");
my $key_path = "Clients\\StartMenuInternet\\IExplore.exe\\shell\\open\\command";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $lw = $key->get_timestamp();
eval {
my $cmd = $key->get_value("")->get_data();
# ::rptMsg(" Cmd: ".$cmd);
if ($cmd eq "\"C:\\Program Files\\Internet Explorer\\iexplore\.exe\"" ||
$cmd eq "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore\.exe\"") {
}
else {
::alertMsg($lw."|ALERT|||Software\\".$key_path." warning: ".$cmd);
}
};
# ::rptMsg("Error: ".$@) if ($@);
}
else {
# ::rptMsg($key_path." not found\.");
}
}
1;

67
RecentActivity/release/rr-full/plugins/cmd_shell_u.pl Executable file
View File

@ -0,0 +1,67 @@
#-----------------------------------------------------------
# cmd_shell_u
# Get the shell\open\command settings for various file types; gets
# info from USRCLASS.DAT hives, where Classes data is maintained on
# Win7
#
# Change History
# 20130405 - created
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package cmd_shell_u;
use strict;
my %config = (hive => "USRCLASS\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20130405);
sub getConfig{return %config}
sub getShortDescr {
return "Gets shell open cmds for various file types from USRCLASS\.DAT";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching cmd_shell_u v.".$VERSION);
::rptMsg("cmd_shell_u v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my @shells = ("\.exe","exefile","ftp","http","https");
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
foreach my $sh (@shells) {
my $key_path = $sh."\\shell\\open\\command";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# ::rptMsg("");
my $val;
eval {
$val = $key->get_value("")->get_data();
::rptMsg(" Cmd: ".$val);
::rptMsg("");
};
::rptMsg("Error: ".$@) if ($@);
}
else {
::rptMsg($key_path." not found.");
}
}
::rptMsg("");
}
1;

67
RecentActivity/release/rr-full/plugins/cmdproc.pl Executable file
View File

@ -0,0 +1,67 @@
#-----------------------------------------------------------
# cmdproc.pl
# Checks key for files to autostart from cmd.exe
#
# Change History
# 20130425 - added alertMsg() functionality
# 20130115 - created
#
# References:
#
# Category: autostart,malware,programexecution
#
# copyright 2013 Quantum Analytics Research,
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package cmdproc;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Autostart - get Command Processor\\AutoRun value from NTUSER\.DAT hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching cmdproc v.".$VERSION);
::rptMsg("cmdproc v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Command Processor";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $auto;
eval {
$auto = $key->get_value("AutoRun")->get_data();
::rptMsg("AutoRun = ".$auto);
::alertMsg("ALERT: cmdproc: ".$key_path." AutoRun value found: ".$auto);
};
if ($@) {
::rptMsg("AutoRun value not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

67
RecentActivity/release/rr-full/plugins/cmdproc_tln.pl Executable file
View File

@ -0,0 +1,67 @@
#-----------------------------------------------------------
# cmdproc_tln.pl
# Checks key for files to autostart from cmd.exe
#
# Change History
# 20130425 - created
#
# References:
#
# Category: autostart,malware,programexecution
#
# copyright 2013 Quantum Analytics Research,
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package cmdproc_tln;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Autostart - get Command Processor\\AutoRun value from NTUSER\.DAT hive (TLN)";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching cmdproc_tln v.".$VERSION);
# ::rptMsg("cmdproc v.".$VERSION); # banner
# ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Command Processor";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $lw = $key->get_timestamp();
my $auto;
eval {
$auto = $key->get_value("AutoRun")->get_data();
# ::rptMsg("AutoRun = ".$auto);
# ::alertMsg("ALERT: cmdproc: ".$key_path." AutoRun value found: ".$auto);
::alertMsg($lw."|ALERT|||HKCU\\".$key_path." AutoRun value found: ".$auto);
};
if ($@) {
# ::rptMsg("AutoRun value not found.");
}
}
else {
# ::rptMsg($key_path." not found.");
}
}
1;

2
thirdparty/rr/plugins/codeid.pl → RecentActivity/release/rr-full/plugins/codeid.pl Normal file → Executable file
View File

@ -42,6 +42,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching codeid v.".$VERSION);
::rptMsg("codeid v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

686
RecentActivity/release/rr-full/plugins/comdlg32.pl Executable file
View File

@ -0,0 +1,686 @@
#-----------------------------------------------------------
# comdlg32.pl
# Plugin for Registry Ripper
#
# Change history
# 20121005 - updated to address shell item type 0x3A
# 20121005 - updated to parse shell item ID lists
# 20100409 - updated to include Vista and above
# 20100402 - updated IAW Chad Tilbury's post to SANS
# Forensic Blog
# 20080324 - created
#
# References
# Win2000 - http://support.microsoft.com/kb/319958
# XP - http://support.microsoft.com/kb/322948/EN-US/
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package comdlg32;
use strict;
use Time::Local;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20121008);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's ComDlg32 key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching comdlg32 v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
::rptMsg("comdlg32 v.".$VERSION);
::rptMsg("");
# LastVistedMRU
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32";
my $key;
my @vals;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @subkeys = $key->get_list_of_subkeys();
if (scalar @subkeys > 0) {
foreach my $s (@subkeys) {
if ($s->get_name() eq "LastVisitedMRU") {
::rptMsg("LastVisitedMRU");
::rptMsg("LastWrite: ".gmtime($s->get_timestamp()));
parseLastVisitedMRU($s);
::rptMsg("");
}
if ($s->get_name() eq "OpenSaveMRU") {
::rptMsg("OpenSaveMRU");
::rptMsg("LastWrite: ".gmtime($s->get_timestamp()));
parseOpenSaveMRU($s);
::rptMsg("");
}
if ($s->get_name() eq "CIDSizeMRU") {
::rptMsg("CIDSizeMRU");
::rptMsg("LastWrite: ".gmtime($s->get_timestamp()));
parseCIDSizeMRU($s);
::rptMsg("");
}
if ($s->get_name() eq "FirstFolder") {
::rptMsg("FirstFolder");
::rptMsg("LastWrite: ".gmtime($s->get_timestamp()));
parseFirstFolder($s);
::rptMsg("");
}
if ($s->get_name() eq "LastVisitedPidlMRU" || $s->get_name() eq "LastVisitedPidlMRULegacy") {
::rptMsg("LastVisitedPidlMRU");
::rptMsg("LastWrite: ".gmtime($s->get_timestamp()));
parseLastVisitedPidlMRU($s);
::rptMsg("");
}
if ($s->get_name() eq "OpenSavePidlMRU") {
::rptMsg("OpenSavePidlMRU");
::rptMsg("LastWrite: ".gmtime($s->get_timestamp()));
parseOpenSavePidlMRU($s);
::rptMsg("");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
sub parseLastVisitedMRU {
my $key = shift;
my %lvmru;
my @mrulist;
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
if (exists $lvmru{MRUList}) {
::rptMsg(" MRUList = ".$lvmru{MRUList});
@mrulist = split(//,$lvmru{MRUList});
delete($lvmru{MRUList});
foreach my $m (@mrulist) {
my ($file,$dir) = split(/\00\00/,$lvmru{$m},2);
$file =~ s/\00//g;
$dir =~ s/\00//g;
::rptMsg(" ".$m." -> EXE: ".$file);
::rptMsg(" -> Last Dir: ".$dir);
}
}
else {
::rptMsg("LastVisitedMRU key does not have an MRUList value.");
}
}
else {
::rptMsg("LastVisitedMRU key has no values.");
}
::rptMsg("");
}
sub parseOpenSaveMRU {
my $key = shift;
parseOpenSaveValues($key);
::rptMsg("");
# Now, let's get the subkeys
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
parseOpenSaveValues($s);
::rptMsg("");
}
}
else {
::rptMsg("OpenSaveMRU key has no subkeys.");
}
::rptMsg("");
}
sub parseOpenSaveValues {
my $key = shift;
::rptMsg("OpenSaveMRU\\".$key->get_name());
::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." Z");
my %osmru;
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
map{$osmru{$_->get_name()} = $_->get_data()}(@vals);
if (exists $osmru{MRUList}) {
::rptMsg(" MRUList = ".$osmru{MRUList});
my @mrulist = split(//,$osmru{MRUList});
delete($osmru{MRUList});
foreach my $m (@mrulist) {
::rptMsg(" ".$m." -> ".$osmru{$m});
}
}
else {
::rptMsg($key->get_name()." does not have an MRUList value.");
}
}
else {
::rptMsg($key->get_name()." has no values.");
}
}
sub parseCIDSizeMRU {
my $key = shift;
my %lvmru;
my @mrulist;
my @vals = $key->get_list_of_values();
my %mru;
my $count = 0;
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
::rptMsg("Note: All value names are listed in MRUListEx order.");
::rptMsg("");
if (exists $lvmru{MRUListEx}) {
my @mrulist = unpack("V*",$lvmru{MRUListEx});
foreach my $n (0..(scalar(@mrulist) - 2)) {
$mru{$count++} = $lvmru{$mrulist[$n]};
}
delete $mru{0xffffffff};
foreach my $m (sort {$a <=> $b} keys %mru) {
# my $file = parseStr($mru{$m});
my $file = (split(/\00\00/,$mru{$m},2))[0];
$file =~ s/\00//g;
::rptMsg(" ".$file);
}
}
else {
# ::rptMsg($key_path." does not have an MRUList value.");
}
}
else {
# ::rptMsg($key_path." has no values.");
}
}
sub parseFirstFolder {
my $key = shift;
my %lvmru;
my @mrulist;
my @vals = $key->get_list_of_values();
my %mru;
my $count = 0;
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
::rptMsg("Note: All value names are listed in MRUListEx order.");
::rptMsg("");
if (exists $lvmru{MRUListEx}) {
my @mrulist = unpack("V*",$lvmru{MRUListEx});
foreach my $n (0..(scalar(@mrulist) - 2)) {
$mru{$count++} = $lvmru{$mrulist[$n]};
}
delete $mru{0xffffffff};
foreach my $m (sort {$a <=> $b} keys %mru) {
# my $file = parseStr($mru{$m});
my @files = split(/\00\00/,$mru{$m});
if (scalar(@files) == 0) {
::rptMsg(" No files listed.");
}
elsif (scalar(@files) == 1) {
$files[0] =~ s/\00//g;
::rptMsg(" ".$files[0]);
}
elsif (scalar(@files) > 1) {
my @files2;
foreach my $file (@files) {
$file =~ s/\00//g;
push(@files2,$file);
}
::rptMsg(" ".join(' ',@files2));
}
else {
}
}
}
else {
# ::rptMsg($key_path." does not have an MRUList value.");
}
}
else {
# ::rptMsg($key_path." has no values.");
}
}
sub parseLastVisitedPidlMRU {
my $key = shift;
my %lvmru;
my @mrulist;
my @vals = $key->get_list_of_values();
my %mru;
my $count = 0;
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
::rptMsg("Note: All value names are listed in MRUListEx order.");
::rptMsg("");
if (exists $lvmru{MRUListEx}) {
my @mrulist = unpack("V*",$lvmru{MRUListEx});
foreach my $n (0..(scalar(@mrulist) - 2)) {
$mru{$count++} = $lvmru{$mrulist[$n]};
}
delete $mru{0xffffffff};
foreach my $m (sort {$a <=> $b} keys %mru) {
my ($file,$shell) = split(/\00\00/,$mru{$m},2);
$file =~ s/\00//g;
$shell =~ s/^\00//;
my $str = parseShellItem($shell);
::rptMsg(" ".$file." - ".$str);
}
}
else {
::rptMsg("LastVisitedPidlMRU key does not have an MRUList value.");
}
}
else {
::rptMsg("LastVisitedPidlMRU key has no values.");
}
}
#-----------------------------------------------------------
#
#-----------------------------------------------------------
sub parseOpenSavePidlMRU {
my $key = shift;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg("OpenSavePidlMRU\\".$s->get_name());
::rptMsg("LastWrite Time: ".gmtime($s->get_timestamp()));
my @vals = $s->get_list_of_values();
my %lvmru = ();
my @mrulist = ();
my %mru = ();
my $count = 0;
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
::rptMsg("Note: All value names are listed in MRUListEx order.");
::rptMsg("");
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
if (exists $lvmru{MRUListEx}) {
my @mrulist = unpack("V*",$lvmru{MRUListEx});
foreach my $n (0..(scalar(@mrulist) - 2)) {
$mru{$count++} = $lvmru{$mrulist[$n]};
}
delete $mru{0xffffffff};
foreach my $m (sort {$a <=> $b} keys %mru) {
my $str = parseShellItem($mru{$m});
::rptMsg(" ".$str);
}
}
}
else {
::rptMsg($s->get_name()." has no values.");
}
::rptMsg("");
}
}
else {
::rptMsg($key->get_name()." has no subkeys.");
}
}
#-----------------------------------------------------------
#
#-----------------------------------------------------------
sub parseShellItem {
my $data = shift;
my $len = length($data);
my $str;
my $tag = 1;
my $cnt = 0;
while ($tag) {
my %item = ();
my $sz = unpack("v",substr($data,$cnt,2));
$tag = 0 if (($sz == 0) || ($cnt + $sz > $len));
my $dat = substr($data,$cnt,$sz);
my $type = unpack("C",substr($dat,2,1));
# ::rptMsg(sprintf " Size: ".$sz." Type: 0x%x",$type);
if ($type == 0x1F) {
# System Folder
%item = parseSystemFolderEntry($dat);
$str .= "\\".$item{name};
}
elsif ($type == 0x2F) {
# Volume (Drive Letter)
%item = parseDriveEntry($dat);
$item{name} =~ s/\\$//;
$str .= "\\".$item{name};
}
elsif ($type == 0x31 || $type == 0x32 || $type == 0x3a || $type == 0x74) {
%item = parseFolderEntry($dat);
$str .= "\\".$item{name};
}
elsif ($type == 0x00) {
}
elsif ($type == 0xc3 || $type == 0x41 || $type == 0x42 || $type == 0x46 || $type == 0x47) {
# Network stuff
my $id = unpack("C",substr($dat,3,1));
if ($type == 0xc3 && $id != 0x01) {
%item = parseNetworkEntry($dat);
}
else {
%item = parseNetworkEntry($dat);
}
$str .= "\\".$item{name};
}
else {
$item{name} = sprintf "Unknown Type (0x%x)",$type;
$str .= "\\".$item{name};
}
$cnt += $sz;
}
$str =~ s/^\\//;
return $str;
}
#-----------------------------------------------------------
#
#-----------------------------------------------------------
sub parseSystemFolderEntry {
my $data = shift;
my %item = ();
my %vals = (0x00 => "Explorer",
0x42 => "Libraries",
0x44 => "Users",
0x4c => "Public",
0x48 => "My Documents",
0x50 => "My Computer",
0x58 => "My Network Places",
0x60 => "Recycle Bin",
0x68 => "Explorer",
0x70 => "Control Panel",
0x78 => "Recycle Bin",
0x80 => "My Games");
$item{type} = unpack("C",substr($data,2,1));
$item{id} = unpack("C",substr($data,3,1));
if (exists $vals{$item{id}}) {
$item{name} = $vals{$item{id}};
}
else {
$item{name} = parseGUID(substr($data,4,16));
}
return %item;
}
#-----------------------------------------------------------
# parseGUID()
# Takes 16 bytes of binary data, returns a string formatted
# as an MS GUID.
#-----------------------------------------------------------
sub parseGUID {
my $data = shift;
my $d1 = unpack("V",substr($data,0,4));
my $d2 = unpack("v",substr($data,4,2));
my $d3 = unpack("v",substr($data,6,2));
my $d4 = unpack("H*",substr($data,8,2));
my $d5 = unpack("H*",substr($data,10,6));
return sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3;
}
#-----------------------------------------------------------
#
#-----------------------------------------------------------
sub parseDriveEntry {
my $data = shift;
my %item = ();
$item{type} = unpack("C",substr($data,2,1));;
$item{name} = substr($data,3,3);
return %item;
}
#-----------------------------------------------------------
# parseNetworkEntry()
#
#-----------------------------------------------------------
sub parseNetworkEntry {
my $data = shift;
my %item = ();
$item{type} = unpack("C",substr($data,2,1));
my @n = split(/\00/,substr($data,4,length($data) - 4));
$item{name} = $n[0];
$item{name} =~ s/^\W//;
return %item;
}
#-----------------------------------------------------------
#
#-----------------------------------------------------------
sub parseFolderEntry {
my $data = shift;
my %item = ();
$item{type} = unpack("C",substr($data,2,1));
# Type 0x74 folders have a slightly different format
my $ofs_mdate;
my $ofs_shortname;
if ($item{type} == 0x74) {
$ofs_mdate = 0x12;
}
elsif (substr($data,4,4) eq "AugM") {
$ofs_mdate = 0x1c;
}
elsif ($item{type} == 0x31 || $item{type} == 0x32 || $item{type} == 0x3a) {
$ofs_mdate = 0x08;
}
else {}
# some type 0x32 items will include a file size
if ($item{type} == 0x32) {
my $size = unpack("V",substr($data,4,4));
if ($size != 0) {
$item{filesize} = $size;
}
}
my @m = unpack("vv",substr($data,$ofs_mdate,4));
($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]);
# Need to read in short name; nul-term ASCII
# $item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0];
$ofs_shortname = $ofs_mdate + 6;
my $tag = 1;
my $cnt = 0;
my $str = "";
while($tag) {
my $s = substr($data,$ofs_shortname + $cnt,1);
if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
$tag = 0;
}
else {
$str .= $s;
$cnt++;
}
}
# $str =~ s/\00//g;
my $shortname = $str;
my $ofs = $ofs_shortname + $cnt + 1;
# Read progressively, 1 byte at a time, looking for 0xbeef
my $tag = 1;
my $cnt = 0;
while ($tag) {
if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
$tag = 0;
}
else {
$cnt++;
}
}
$item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2));
# ::rptMsg(sprintf " BEEF Offset: 0x%x",$ofs + $cnt);
# ::rptMsg(" Version: ".$item{extver});
$ofs = $ofs + $cnt + 2;
my @m = unpack("vv",substr($data,$ofs,4));
($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]);
$ofs += 4;
my @m = unpack("vv",substr($data,$ofs,4));
($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]);
$ofs += 4;
my $jmp;
if ($item{extver} == 0x03) {
$jmp = 8;
}
elsif ($item{extver} == 0x07) {
$jmp = 22;
}
elsif ($item{extver} == 0x08) {
$jmp = 26;
}
else {}
$ofs += $jmp;
# ::rptMsg(sprintf " Offset: 0x%x",$ofs);
my $str = substr($data,$ofs,length($data) - $ofs);
my $longname = (split(/\00\00/,$str,2))[0];
$longname =~ s/\00//g;
if ($longname ne "") {
$item{name} = $longname;
}
else {
$item{name} = $shortname;
}
return %item;
}
#-----------------------------------------------------------
# convertDOSDate()
# subroutine to convert 4 bytes of binary data into a human-
# readable format. Returns both a string and a Unix-epoch
# time.
#-----------------------------------------------------------
sub convertDOSDate {
my $date = shift;
my $time = shift;
if ($date == 0x00 || $time == 0x00){
return (0,0);
}
else {
my $sec = ($time & 0x1f) * 2;
$sec = "0".$sec if (length($sec) == 1);
if ($sec == 60) {$sec = 59};
my $min = ($time & 0x7e0) >> 5;
$min = "0".$min if (length($min) == 1);
my $hr = ($time & 0xF800) >> 11;
$hr = "0".$hr if (length($hr) == 1);
my $day = ($date & 0x1f);
$day = "0".$day if (length($day) == 1);
my $mon = ($date & 0x1e0) >> 5;
$mon = "0".$mon if (length($mon) == 1);
my $yr = (($date & 0xfe00) >> 9) + 1980;
my $gmtime = timegm($sec,$min,$hr,$day,($mon - 1),$yr);
return ("$yr-$mon-$day $hr:$min:$sec",$gmtime);
# return gmtime(timegm($sec,$min,$hr,$day,($mon - 1),$yr));
}
}
#-----------------------------------------------------------
# printData()
# subroutine used primarily for debugging; takes an arbitrary
# length of binary data, prints it out in hex editor-style
# format for easy debugging
#-----------------------------------------------------------
sub printData {
my $data = shift;
my $len = length($data);
my $tag = 1;
my $cnt = 0;
my $loop = $len/16;
$loop++ if ($len%16);
foreach my $cnt (0..($loop - 1)) {
# while ($tag) {
my $left = $len - ($cnt * 16);
my $n;
($left < 16) ? ($n = $left) : ($n = 16);
my $seg = substr($data,$cnt * 16,$n);
my @str1 = split(//,unpack("H*",$seg));
my @s3;
my $str = "";
foreach my $i (0..($n - 1)) {
$s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) {
$str .= chr(hex($s3[$i]));
}
else {
$str .= "\.";
}
}
my $h = join(' ',@s3);
::rptMsg(sprintf "0x%08x: %-47s ".$str,($cnt * 16),$h);
}
}
1;

39
thirdparty/rr/plugins/muicache.pl → RecentActivity/release/rr-full/plugins/compatassist.pl Normal file → Executable file
View File

@ -1,16 +1,22 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# muicache.pl
# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
# MUICache values
# compatassist.pl
# Provides indication of applications run; see the Reference listed
# below; note that there are no time stamps associated with this
# information. Note: Value names that start with "SIGN.MEDIA" indicate
# that the app was run from removable media
#
# Category: Programs launched by user
#
# Change history
# 20120515 - created
#
# References
# http://msdn.microsoft.com/en-us/library/bb756937.aspx
#
#
# copyright 2008 H. Carvey
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package muicache;
package compatassist;
use strict;
my %config = (hive => "NTUSER\.DAT",
@ -18,11 +24,11 @@ my %config = (hive => "NTUSER\.DAT",
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
version => 20120515);
sub getConfig{return %config}
sub getShortDescr {
return "Gets EXEs from user's MUICache key";
return "Checks user's Compatibility Assistant\\Persisted values";
}
sub getDescr{}
sub getRefs {}
@ -34,32 +40,31 @@ my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching muicache v.".$VERSION);
my @temps;
::logMsg("Launching compatassist v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache';
my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("MUICache");
::rptMsg("compatassist");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
next if ($name =~ m/^@/ || $name eq "LangID");
my $data = $v->get_data();
::rptMsg("\t".$name." (".$data.")");
::rptMsg(" ".$name);
}
}
else {
::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}

2
thirdparty/rr/plugins/compdesc.pl → RecentActivity/release/rr-full/plugins/compdesc.pl Normal file → Executable file
View File

@ -36,6 +36,8 @@ sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching compdesc v.".$VERSION);
::rptMsg("compdesc v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;

2
thirdparty/rr/plugins/compname.pl → RecentActivity/release/rr-full/plugins/compname.pl Normal file → Executable file
View File

@ -36,6 +36,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching compname v.".$VERSION);
::rptMsg("compname v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is

2
thirdparty/rr/plugins/controlpanel.pl → RecentActivity/release/rr-full/plugins/controlpanel.pl Normal file → Executable file
View File

@ -31,6 +31,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching controlpanel v.".$VERSION);
::rptMsg("controlpanel v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

2
thirdparty/rr/plugins/cpldontload.pl → RecentActivity/release/rr-full/plugins/cpldontload.pl Normal file → Executable file
View File

@ -43,6 +43,8 @@ sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching cpldontload v.".$VERSION);
::rptMsg("cpldontload v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;

2
thirdparty/rr/plugins/crashcontrol.pl → RecentActivity/release/rr-full/plugins/crashcontrol.pl Normal file → Executable file
View File

@ -37,6 +37,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching crashcontrol v.".$VERSION);
::rptMsg("crashcontrol v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

2
thirdparty/rr/plugins/ctrlpnl.pl → RecentActivity/release/rr-full/plugins/ctrlpnl.pl Normal file → Executable file
View File

@ -44,6 +44,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching ctrlpnl v.".$VERSION);
::rptMsg("ctrlpnl v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

2
thirdparty/rr/plugins/ddm.pl → RecentActivity/release/rr-full/plugins/ddm.pl Normal file → Executable file
View File

@ -36,6 +36,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching ddm v.".$VERSION);
::rptMsg("ddm v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

96
RecentActivity/release/rr-full/plugins/decaf.pl Executable file
View File

@ -0,0 +1,96 @@
#-----------------------------------------------------------
# decaf.pl
# Extracts the AcceptedEULA value for DECAF
#
# Change history
# 20110830 [fpi] + banner, no change to the version number
#
# References
# Detect and Eliminate Computer Acquired Forensics
# http://en.wikipedia.org/wiki/DECAF
#
# Copyright (c) 2011-02-10 Brendan Coles <bcoles@gmail.com>
#-----------------------------------------------------------
# Require #
package decaf;
use strict;
# Declarations #
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20110210);
my $VERSION = getVersion();
# Functions #
sub getDescr {}
sub getConfig {return %config}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
sub getShortDescr {
return "Extracts the EULA value for DECAF.";
}
sub getRefs {
my %refs = ("Detect and Eliminate Computer Acquired Forensics:" =>
"http://en.wikipedia.org/wiki/DECAF");
return %refs;
}
############################################################
# pluginmain #
############################################################
sub pluginmain {
# Declarations #
my $class = shift;
my $hive = shift;
# Initialize #
::logMsg("Launching decaf v.".$VERSION);
::rptMsg("decaf v.".$VERSION); # 20110830 [fpi] + banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key;
my $key_path = "Software\\DECAFme";
# If # DECAF path exists #
if ($key = $root_key->get_subkey($key_path)) {
# Return # plugin name, registry key and last modified date #
::rptMsg("DECAF");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# Extract # all keys from DECAF registry path #
my %keys;
my @vals = $key->get_list_of_values();
# If # registry keys exist in path #
if (scalar(@vals) > 0) {
# Extract # all key names+values for DECAF registry path #
foreach my $v (@vals) {
::rptMsg($v->get_name()." -> ".$v->get_data());
}
# Error # key value is null #
} else {
::rptMsg($key_path." has no values.");
}
# Error # DECAF isn't here, try another castle #
} else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
# Return # obligatory new-line #
::rptMsg("");
}
# Error # oh snap! #
1;

2
thirdparty/rr/plugins/defbrowser.pl → RecentActivity/release/rr-full/plugins/defbrowser.pl Normal file → Executable file
View File

@ -35,6 +35,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching defbrowser v.".$VERSION);
::rptMsg("defbrowser v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

95
RecentActivity/release/rr-full/plugins/dependency_walker.pl Executable file
View File

@ -0,0 +1,95 @@
#-----------------------------------------------------------
# dependency_walker.pl
# Extracts Recent File List for Dependency Walker.
#
# Change history
# 20110830 [fpi] + banner, no change to the version number
#
# References
# Dependency Walker Homepage
# http://www.dependencywalker.com/
#
# Copyright (c) 2011-02-04 Brendan Coles <bcoles@gmail.com>
#-----------------------------------------------------------
# Require #
package dependency_walker;
use strict;
# Declarations #
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20110204);
my $VERSION = getVersion();
# Functions #
sub getDescr {}
sub getConfig {return %config}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
sub getShortDescr {
return "Extracts Recent File List for Dependency Walker.";
}
sub getRefs {
my %refs = ("Dependency Walker Homepage:" =>
"http://www.dependencywalker.com/");
return %refs;
}
############################################################
# pluginmain #
############################################################
sub pluginmain {
# Declarations #
my $class = shift;
my $hive = shift;
# Initialize #
::logMsg("Launching dependency_walker v.".$VERSION);
::rptMsg("dependency_walker v.".$VERSION); # 20110830 [fpi] + banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key;
my $key_path = "Software\\Microsoft\\Dependency Walker\\Recent File List";
# If # Dependency Walker path exists #
if ($key = $root_key->get_subkey($key_path)) {
# Return # plugin name, registry key and last modified date #
::rptMsg("Dependency Walker");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# Extract # all keys from Dependency Walker registry path #
my @vals = $key->get_list_of_values();
# If # registry keys exist in path #
if (scalar(@vals) > 0) {
# Extract # all key names+values for Dependency Walker registry path #
foreach my $v (@vals) {
::rptMsg($v->get_name()." -> ".$v->get_data());
}
# Error # key value is null #
} else {
::rptMsg($key_path." has no values.");
}
# Error # Dependency Walker isn't here, try another castle #
} else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
# Return # obligatory new-line #
::rptMsg("");
}
# Error # oh snap! #
1;

2
thirdparty/rr/plugins/devclass.pl → RecentActivity/release/rr-full/plugins/devclass.pl Normal file → Executable file
View File

@ -35,6 +35,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching devclass v.".$VERSION);
::rptMsg("devclass v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

2
thirdparty/rr/plugins/dfrg.pl → RecentActivity/release/rr-full/plugins/dfrg.pl Normal file → Executable file
View File

@ -35,6 +35,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching dfrg v.".$VERSION);
::rptMsg("dfrg v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

81
RecentActivity/release/rr-full/plugins/diag_sr.pl Executable file
View File

@ -0,0 +1,81 @@
#-----------------------------------------------------------
# diag_sr.pl
#
# History:
# 20120515: created
#
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey
#-----------------------------------------------------------
package diag_sr;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20120515);
sub getConfig{return %config}
sub getShortDescr {
return "Get Diag\\SystemRestore values and data";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching diag_sr v.".$VERSION);
::rptMsg("diag_sr v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my ($current,$ccs);
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $volsnap_path = $ccs."\\Services\\VSS\\Diag\\SystemRestore";
my $volsnap;
if ($volsnap = $root_key->get_subkey($volsnap_path)) {
my @vals = $volsnap->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
my $t = gmtime(parseData($v->get_data()));
::rptMsg(sprintf "%-25s %-50s",$t,$name);
}
}
else {
::rptMsg($volsnap_path." has no values.");
}
}
else {
::rptMsg($volsnap_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
sub parseData {
my $data = shift;
my ($t0,$t1) = unpack("VV",substr($data,0x08,8));
return ::getTime($t0,$t1);
}
1;

75
RecentActivity/release/rr-full/plugins/direct.pl Executable file
View File

@ -0,0 +1,75 @@
#-----------------------------------------------------------
# direct.pl
# This plugin runs through the Direct* subkeys beneath the Microsoft key
# in the Software hive (as well as the Wow6432Node key, if it exists) and
# looks to see if there is a MostRecentApplication subkey; if there is, it
# then tries to retrieve the "Name" value/data
#
# History:
# 20120513 - created
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package direct;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20120513);
sub getConfig{return %config}
sub getShortDescr {
return "Searches Direct* keys for MostRecentApplication subkeys";
}
sub getDescr{}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my @keys = ('Microsoft','Wow6432Node\\Microsoft');
::rptMsg("Launching direct v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
foreach my $key_path (@keys) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# ::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
next unless ($s->get_name() =~ m/^Direct/);
my $name = $s->get_name();
eval {
my $app;
$app = $s->get_subkey("MostRecentApplication");
my $app_lw = gmtime($app->get_timestamp());
my $app_name = $app->get_value("Name")->get_data();
::rptMsg(sprintf "%-25s %-50s",$app_lw,$s->get_name()."\\".$app->get_name()." - ".$app_name);
};
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
::rptMsg("");
}
else {
::rptMsg($key_path." not found.");
}
}
}
1;

75
RecentActivity/release/rr-full/plugins/direct_tln.pl Executable file
View File

@ -0,0 +1,75 @@
#-----------------------------------------------------------
# direct_tln.pl
# This plugin runs through the Direct* subkeys beneath the Microsoft key
# in the Software hive (as well as the Wow6432Node key, if it exists) and
# looks to see if there is a MostRecentApplication subkey; if there is, it
# then tries to retrieve the "Name" value/data
#
# History:
# 20120608 - created
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package direct_tln;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20120608);
sub getConfig{return %config}
sub getShortDescr {
return "Searches Direct* keys for MostRecentApplication subkeys (TLN)";
}
sub getDescr{}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my @keys = ('Microsoft','Wow6432Node\\Microsoft');
::rptMsg("Launching direct v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
foreach my $key_path (@keys) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# ::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
next unless ($s->get_name() =~ m/^Direct/);
my $name = $s->get_name();
eval {
my $app;
$app = $s->get_subkey("MostRecentApplication");
my $app_lw = $app->get_timestamp();
my $app_name = $app->get_value("Name")->get_data();
# ::rptMsg(sprintf "%-25s %-50s",$app_lw,$s->get_name()."\\".$app->get_name()." - ".$app_name);
::rptMsg($app_lw."|REG|||[Program Execution] ".$key_path."\\".$s->get_name()."\\".$app->get_name()." - ".$app_name);
};
}
}
else {
# ::rptMsg($key_path." has no subkeys.");
}
# ::rptMsg("");
}
else {
# ::rptMsg($key_path." not found.");
}
}
}
1;

2
thirdparty/rr/plugins/disablelastaccess.pl → RecentActivity/release/rr-full/plugins/disablelastaccess.pl Normal file → Executable file
View File

@ -33,6 +33,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching disablelastaccess v.".$VERSION);
::rptMsg("disablelastaccess v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

71
RecentActivity/release/rr-full/plugins/disablesr.pl Executable file
View File

@ -0,0 +1,71 @@
#-----------------------------------------------------------
# disablesr.pl
# Gets the value that turns System Restore either on or off
#
# Change History
# 20120914
#
# References
# Registry Keys and Values for the System Restore Utility http://support.microsoft.com/kb/295659
#
# copyright 2012 Corey Harrell (Journey Into Incident Response)
#-----------------------------------------------------------
package disablesr;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20120914);
sub getConfig{return %config}
sub getShortDescr {
return "Gets the value that turns System Restore either on or off";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching disablesr v.".$VERSION);
::rptMsg("disablesr v.".$VERSION);
::rptMsg("(".getHive().") ".getShortDescr()."\n");
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\SystemRestore";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $disable;
eval {
$disable = $key->get_value("DisableSR")->get_data();
};
if ($@) {
::rptMsg("DisableSR value not found.");
}
else {
::rptMsg("DisableSR = ".$disable);
::rptMsg("");
::rptMsg("1 means System Restore is turned off");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;

2
thirdparty/rr/plugins/dllsearch.pl → RecentActivity/release/rr-full/plugins/dllsearch.pl Normal file → Executable file
View File

@ -35,6 +35,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching dllsearch v.".$VERSION);
::rptMsg("dllsearch v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

94
RecentActivity/release/rr-full/plugins/dnschanger.pl Executable file
View File

@ -0,0 +1,94 @@
#-----------------------------------------------------------
# dnschanger.pl
# DNSChanger malware modifies the NameServer and/or DhcpNameServer values
# within the Registry for the interfaces.
#
# Change history
# 20120203 - created
#
# Need to add grep() for ranges:
# start range end range
# 85.255.112.0 85.255.127.255
# 67.210.0.0 67.210.15.255
# 93.188.160.0 93.188.167.255
# 77.67.83.0 77.67.83.255
# 213.109.64.0 213.109.79.255
# 64.28.176.0 64.28.191.255
#
# Note: these may not be the only ranges used. The best use of the
# plugin is to know what your ranges are, and eyeball the output of
# the plugin.
#
# References
# https://twitter.com/#!/saved-search/%23DFIR
#
# copyright 2012 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package dnschanger;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20120203);
sub getConfig{return %config}
sub getShortDescr {
return "Check for indication of DNSChanger infection.";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my %nics;
my $ccs;
::logMsg("Launching dnschanger v.".$VERSION);
::rptMsg("dnschanger v.".$VERSION);
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my $current;
eval {
$current = $root_key->get_subkey("Select")->get_value("Current")->get_data();
};
my @nics;
my $key_path = "ControlSet00".$current."\\Services\\Tcpip\\Parameters\\Interfaces";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
my @guids = $key->get_list_of_subkeys();
if (scalar @guids > 0) {
foreach my $g (@guids) {
::rptMsg("Adapter: ".$g->get_name());
::rptMsg("LastWrite Time: ".gmtime($g->get_timestamp())." Z");
eval {
my @vals = $g->get_list_of_values();
foreach my $v (@vals) {
my $name = $v->get_name();
next unless ($name =~ m/NameServer$/);
my $data = $v->get_data();
::rptMsg(sprintf " %-28s %-20s",$name,$data);
}
::rptMsg("");
};
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

2
thirdparty/rr/plugins/domains.pl → RecentActivity/release/rr-full/plugins/domains.pl Normal file → Executable file
View File

@ -36,6 +36,8 @@ sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching domains v.".$VERSION);
::rptMsg("domains v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;

96
RecentActivity/release/rr-full/plugins/drivers32.pl Executable file
View File

@ -0,0 +1,96 @@
#-----------------------------------------------------------
# drivers32
# Get values from Drivers32 key
#
# History
# 20130408 - created by copying then modifying the soft_run plug-in
#
# References
# Location of Windows NT Multimedia Drivers in the Registry
# http://support.microsoft.com/kb/126054
#
# copyright 2013 Corey Harrell (jIIr)
#-----------------------------------------------------------
package drivers32;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20130408);
sub getConfig{return %config}
sub getShortDescr {
return "Get values from the Drivers32 key";
}
sub getDescr{}
sub getRefs {
my %refs = ("Location of Windows NT Multimedia Drivers in the Registry" =>
"http://support.microsoft.com/kb/126054");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching drivers32 v.".$VERSION);
::rptMsg("drivers32 v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my @paths = ("Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
"Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",
);
foreach my $key_path (@paths) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my %vals = getKeyValues($key);
if (scalar(keys %vals) > 0) {
foreach my $v (keys %vals) {
::rptMsg(" ".$v." - ".$vals{$v});
}
::rptMsg("");
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::rptMsg("");
}
}
}
sub getKeyValues {
my $key = shift;
my %vals;
my @vk = $key->get_list_of_values();
if (scalar(@vk) > 0) {
foreach my $v (@vk) {
next if ($v->get_name() eq "" && $v->get_data() eq "");
$vals{$v->get_name()} = $v->get_data();
}
}
else {
}
return %vals;
}
1;

2
thirdparty/rr/plugins/drwatson.pl → RecentActivity/release/rr-full/plugins/drwatson.pl Normal file → Executable file
View File

@ -37,6 +37,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching drwatson v.".$VERSION);
::rptMsg("drwatson v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AeDebug";

96
RecentActivity/release/rr-full/plugins/emdmgmt.pl Executable file
View File

@ -0,0 +1,96 @@
#-----------------------------------------------------------
# emdmgmt.pl
#
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package emdmgmt;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20120207);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of EMDMgmt subkeys and values";
}
sub getDescr{}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching emdmgmt v.".$VERSION);
::rptMsg("emdmgmt v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\EMDMgmt';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("EMDMgmt");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @sk = $key->get_list_of_subkeys();
foreach my $s (@sk) {
my $name = $s->get_name();
if ($name =~ m/^_\?\?_USBSTOR/) {
my ($usb,$sn,$vol) = (split(/#/,$name,4))[1,2,3];
::rptMsg($usb);
::rptMsg(" LastWrite: ".gmtime($s->get_timestamp())." Z");
::rptMsg(" SN: ".$sn);
$vol =~ s/{53f56307-b6bf-11d0-94f2-00a0c91efb8b}//;
my ($volname,$vsn) = split(/_/,$vol,2);
$vsn = uc(sprintf "%x",$vsn);
if (length($vsn) >= 8) {
my ($f,$l) = unpack("(A4)*",$vsn);
$vsn = $f."-".$l;
}
::rptMsg(" Vol Name: ".$volname) if ($volname ne "");
::rptMsg(" VSN: ".$vsn);
my $last = $s->get_value_data("LastTestedTime");
my ($lo,$hi) = unpack("VV",$last);
if ($lo != 0 && $hi != 0) {
::rptMsg(" LastTestedTime: ".gmtime(::getTime($lo,$hi))." Z");
}
::rptMsg("");
}
else {
my @n = split(/_/,$name);
my $t = scalar(@n);
my $volname = $n[$t - 2];
my $vsn = $n[$t - 1];
$vsn = uc(sprintf "%x",$vsn);
if (length($vsn) >= 8) {
my ($f,$l) = unpack("(A4)*",$vsn);
$vsn = $f."-".$l;
}
$volname = "Unknown Volume" unless ($volname ne "");
::rptMsg($volname);
::rptMsg(" LastWrite: ".gmtime($s->get_timestamp())." Z");
::rptMsg(" VSN: ".$vsn);
my $last = $s->get_value_data("LastTestedTime");
my ($lo,$hi) = unpack("VV",$last);
if ($lo != 0 && $hi != 0) {
::rptMsg(" LastTestedTime: ".gmtime(::getTime($lo,$hi))." Z");
}
::rptMsg("");
}
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

89
RecentActivity/release/rr-full/plugins/environment.pl Executable file
View File

@ -0,0 +1,89 @@
#-----------------------------------------------------------
# environment.pl
# Extracts user's Environment paths from NTUSER.DAT
#
# Change history
# 20110830 [fpi] + banner, no change to the version number
#
# References
#
# Copyright (c) 2011-02-04 Brendan Coles <bcoles@gmail.com>
#-----------------------------------------------------------
# Require #
package environment;
use strict;
# Declarations #
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20110204);
my $VERSION = getVersion();
# Functions #
sub getDescr {}
sub getRefs {}
sub getConfig {return %config}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
sub getShortDescr {
return "Extracts user's Environment paths from NTUSER.DAT";
}
############################################################
# pluginmain #
############################################################
sub pluginmain {
# Declarations #
my $class = shift;
my $hive = shift;
# Initialize #
::logMsg("Launching environment v.".$VERSION);
::rptMsg("environment v.".$VERSION); # 20110830 [fpi] + banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key;
my $key_path = "Environment";
# If # Environment path exists #
if ($key = $root_key->get_subkey($key_path)) {
# Return # plugin name, registry key and last modified date #
::rptMsg("Environment");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# Extract # all keys from Environment registry path #
my @vals = $key->get_list_of_values();
# If # registry keys exist in path #
if (scalar(@vals) > 0) {
# Extract # all key names+values for Environment registry path #
foreach my $v (@vals) {
::rptMsg($v->get_name()." -> ".$v->get_data());
}
# Error # key value is null #
} else {
::rptMsg($key_path." has no values.");
}
# Error # Environment isn't here, try another castle #
} else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
# Return # obligatory new-line #
::rptMsg("");
}
# Error # oh snap! #
1;

2
thirdparty/rr/plugins/esent.pl → RecentActivity/release/rr-full/plugins/esent.pl Normal file → Executable file
View File

@ -33,6 +33,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching esent v.".$VERSION);
::rptMsg("esent v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

2
thirdparty/rr/plugins/eventlog.pl → RecentActivity/release/rr-full/plugins/eventlog.pl Normal file → Executable file
View File

@ -29,6 +29,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching eventlog v.".$VERSION);
::rptMsg("eventlog v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

2
thirdparty/rr/plugins/eventlogs.pl → RecentActivity/release/rr-full/plugins/eventlogs.pl Normal file → Executable file
View File

@ -37,6 +37,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching eventlogs v.".$VERSION);
::rptMsg("eventlogs v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is

2
thirdparty/rr/plugins/fileexts.pl → RecentActivity/release/rr-full/plugins/fileexts.pl Normal file → Executable file
View File

@ -29,6 +29,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching fileexts v.".$VERSION);
::rptMsg("fileexts v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

95
RecentActivity/release/rr-full/plugins/filehistory.pl Executable file
View File

@ -0,0 +1,95 @@
#-----------------------------------------------------------
# filehistory.pl
# Get filehistory settings
#
# Change history
# 20120722 - updated %config hash
# 20120620 - updated/modified by H. Carvey
# 20120607 - created by K. Johnson
#
# References
# This RegRipper plugin was created based on research I have done on
# the FileHistory Feature of Windows 8.
# http://randomthoughtsofforensics.blogspot.com/
#
# FileHistoy Plugin copyright 2012 K. Johnson
# Edited by H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package filehistory;
use strict;
my %config = (hive => "NTUSER\.DAT",
hivemask => 16,
output => "report",
category => "",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 32, #Windows 8
version => 20120620);
sub getConfig{return %config}
sub getShortDescr {
return "Gets filehistory settings";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching filehistory v.".$VERSION);
::rptMsg("filehistory v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\FileHistory";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
if ($v->get_name() eq "ProtectedUpToTime") {
my @t = unpack("VV",$v->get_data());
my $pft = ::getTime($t[0],$t[1]);
::rptMsg(" ProtectedUpToTime = ".gmtime($pft)." (UTC)");
}
if ($v->get_name() eq "ReassociationPerformed") {
::rptMsg(sprintf "%-20s 0x%x","ReassociationPerformed",$v->get_data());
}
if ($v->get_name() eq "RestoreAllowed") {
::rptMsg(sprintf "%-20s 0x%x","RestoreAllowed",$v->get_data());
}
if ($v->get_name() eq "SearchRebuildRequired") {
::rptMsg(sprintf "%-20s 0x%x","SearchRebuildRequired",$v->get_data());
}
if ($v->get_name() eq "TargetChanged") {
::rptMsg(sprintf "%-20s 0x%x","TargetChanged",$v->get_data());
}
}
}
else {
::rptMsg($key_path." has no values.");
::rptMsg("File History may not be configured for this user.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

3
thirdparty/rr/plugins/findexes.pl → RecentActivity/release/rr-full/plugins/findexes.pl Normal file → Executable file
View File

@ -42,7 +42,8 @@ sub pluginmain {
my $reg = Parse::Win32Registry->new($file);
my $root_key = $reg->get_root_key;
::logMsg("Launching findexes v.".$VERSION);
::rptMsg("findexes v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
traverse($root_key);
# Data structure containing findings is a hash of hashes
foreach my $k (keys %vals) {

2
thirdparty/rr/plugins/fw_config.pl → RecentActivity/release/rr-full/plugins/fw_config.pl Normal file → Executable file
View File

@ -34,6 +34,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching fw_config v.".$VERSION);
::rptMsg("fw_config v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet

66
RecentActivity/release/rr-full/plugins/gauss.pl Executable file
View File

@ -0,0 +1,66 @@
#-----------------------------------------------------------
# gauss.pl
# Checks Software hive for existance of TimeStampforUI value
# beneath the Reliability key within the Software hive. According
# to the Kasperky write-up for the malware, the configuration file is
# written to a binary value named "TimeStampforUI".
#
# copyright 2012 Quantum Analytics Research, LLC
# Author H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package gauss;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20120809);
sub getConfig{return %config}
sub getShortDescr {
return "Checks Reliability key for TimeStampforUI value";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching gauss v.".$VERSION);
::rptMsg("Launching gauss v.".$VERSION);
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my @key_paths = ('Microsoft\\Windows\\CurrentVersion\\Reliability',
'Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Reliability');
::rptMsg("gauss v\.".$VERSION);
foreach my $key_path (@key_paths) {
my $key;
my $notfound = 1;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values();
foreach my $v (@vals) {
my $name = $v->get_name();
if ($name eq "TimeStampforUI") {
::rptMsg("TimeStampforUI value found.");
$notfound = 0;
}
}
::rptMsg("TimeStampforUI value not found.") if ($notfound);
}
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
}
}
1;

3
thirdparty/rr/plugins/gthist.pl → RecentActivity/release/rr-full/plugins/gthist.pl Normal file → Executable file
View File

@ -38,7 +38,8 @@ sub pluginmain {
my $ntuser = shift;
my %hist;
::logMsg("Launching gthist v.".$VERSION);
::rptMsg("gthist v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;

3
thirdparty/rr/plugins/gtwhitelist.pl → RecentActivity/release/rr-full/plugins/gtwhitelist.pl Normal file → Executable file
View File

@ -38,7 +38,8 @@ sub pluginmain {
my $ntuser = shift;
my %hist;
::logMsg("Launching gtwhitelist v.".$VERSION);
::rptMsg("gtwhitelist v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;

108
RecentActivity/release/rr-full/plugins/haven_and_hearth.pl Executable file
View File

@ -0,0 +1,108 @@
#-----------------------------------------------------------
# haven_and_hearth.pl
# Extracts the username and savedtoken for Haven & Hearth
#
# Change history
# 20110830 [fpi] + banner, no change to the version number
#
# References
# Haven & Hearth Homepage
# http://www.havenandhearth.com/
#
# Copyright (c) 2011-02-04 Brendan Coles <bcoles@gmail.com>
#-----------------------------------------------------------
# Require #
package haven_and_hearth;
use strict;
# Declarations #
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20110204);
my $VERSION = getVersion();
# Functions #
sub getDescr {}
sub getConfig {return %config}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
sub getShortDescr {
return "Extracts the username and savedtoken for Haven & Hearth.";
}
sub getRefs {
my %refs = ("Haven & Hearth Homepage:" =>
"http://www.havenandhearth.com/");
return %refs;
}
############################################################
# pluginmain #
############################################################
sub pluginmain {
# Declarations #
my $class = shift;
my $hive = shift;
my @interesting_keys = (
"username",
"password",
"savedtoken"
);
# Initialize #
::logMsg("Launching haven_and_hearth v.".$VERSION);
::rptMsg("haven_and_hearth v.".$VERSION); # 20110830 [fpi] + banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key;
my $key_path = "Software\\JavaSoft\\Prefs\\haven";
# If # Haven & Hearth path exists #
if ($key = $root_key->get_subkey($key_path)) {
# Return # plugin name, registry key and last modified date #
::rptMsg("Haven & Hearth");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# Extract # all keys from Haven & Hearth registry path #
my %keys;
my @vals = $key->get_list_of_values();
# If # registry keys exist in path #
if (scalar(@vals) > 0) {
# Extract # all key names+values for Haven & Hearth registry path #
foreach my $v (@vals) {
$keys{$v->get_name()} = $v->get_data();
}
# Return # all key names+values for interesting keys #
foreach my $var (@interesting_keys) {
if (exists $keys{$var}) {
::rptMsg($var." -> ".$keys{$var});
}
}
# Error # key value is null #
} else {
::rptMsg($key_path." has no values.");
}
# Error # Haven & Hearth isn't here, try another castle #
} else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
# Return # obligatory new-line #
::rptMsg("");
}
# Error # oh snap! #
1;

2
thirdparty/rr/plugins/hibernate.pl → RecentActivity/release/rr-full/plugins/hibernate.pl Normal file → Executable file
View File

@ -32,6 +32,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching hibernate v.".$VERSION);
::rptMsg("hibernate v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

2
thirdparty/rr/plugins/ide.pl → RecentActivity/release/rr-full/plugins/ide.pl Normal file → Executable file
View File

@ -30,6 +30,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching ide v.".$VERSION);
::rptMsg("ide v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
::rptMsg("IDE");

2
thirdparty/rr/plugins/ie_main.pl → RecentActivity/release/rr-full/plugins/ie_main.pl Normal file → Executable file
View File

@ -37,6 +37,8 @@ sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching ie_main v.".$VERSION);
::rptMsg("ie_main v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;

147
RecentActivity/release/rr-full/plugins/ie_settings.pl Executable file
View File

@ -0,0 +1,147 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# ie_settings.pl
# Gets IE settings
#
# Change history
# 20130328 - added "AutoConfigURL" value info
# 20130223 - updated
# 20091016 - created
#
# References
# http://blog.digital-forensics.it/2012/05/exploring-internet-explorer-with.html
#
#
# copyright 2013 QAR, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package ie_settings;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20130328);
sub getConfig{return %config}
sub getShortDescr {
return "Gets important user IE settings";
}
sub getDescr{}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching ie_settings v.".$VERSION);
::rptMsg("ie_settings v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $ua;
eval {
$ua = $key->get_value("User Agent")->get_data();
::rptMsg("User Agent = ".$ua);
};
my $zonessecupgrade;
eval {
$zonessecupgrade = $key->get_value("ZonesSecurityUpgrade")->get_data();
my ($z0,$z1) = unpack("VV",$zonessecupgrade);
::rptMsg("ZonesSecurityUpgrade = ".gmtime(::getTime($z0,$z1))." (UTC)");
};
my $daystokeep;
eval {
$daystokeep = $key->get_subkey("Url History")->get_value("DaysToKeep")->get_data();
::rptMsg("DaysToKeep = ".$daystokeep);
};
if ($@) {
::rptMsg("DaysToKeep value not found - default is 20 days");
}
# AutoConfigURL
# ref: http://technet.microsoft.com/en-us/library/cc736412%28v=ws.10%29.aspx
# http://blog.spiderlabs.com/2012/04/brazilian-banking-malware-pay-your-bill-slacker-.html
eval {
my $auto = $key->get_value("AutoConfigURL")->get_data();
::rptMsg("AutoConfigURL: ".$auto);
::rptMsg("**Possible malware indicator found!!");
};
}
else {
::rptMsg($key_path." not found.");
}
#-----------------------------------------------------------
# Windows Search integration into IE
# Windows Search indexes URLs for autocompletion
#
# Ref:
# http://www.ghacks.net/2011/03/17/disable-indexing-of-internet-explorer-web-history-by-windows-search/
#
#
#-----------------------------------------------------------
my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main\\WindowsSearch';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
eval {
my $v = $key->get_value("Version")->get_data();
::rptMsg("Version = ".$v);
};
::rptMsg("");
# Gets information about when the IE history was last cleared by the user
my $cleared;
eval {
$cleared = $key->get_value("Cleared")->get_data();
if ($cleared == 1) {
::rptMsg("Cleared = 1");
my @t = unpack("VV",$key->get_value("Cleared_TIMESTAMP")->get_data());
my $cl_ts = ::getTime($t[0],$t[1]);
::rptMsg("Cleared_TIMESTAMP = ".gmtime($cl_ts)." UTC");
::rptMsg("Analysis Tip: The \'Cleared\' value indicates that the user account ");
::rptMsg("was used to clear the IE browser history, and the timestamp value indicates");
::rptMsg("when this occurred\.");
}
};
if ($@) {
::rptMsg("\'Cleared\' value not found\.");
}
::rptMsg("");
eval {
my @v = unpack("VV",$key->get_value("LastCrawl")->get_data());
my $crawl = ::getTime($v[0],$v[1]);
::rptMsg("LastCrawl = ".gmtime($crawl)." UTC");
};
eval {
my @v = unpack("VV",$key->get_value("UpgradeTime")->get_data());
my $up = ::getTime($v[0],$v[1]);
::rptMsg("UpgradeTime = ".gmtime($up)." UTC");
};
eval {
my $path = $key->get_value("User Favorites Path")->get_data();
::rptMsg("User Favorites Path = ".$path);
};
}
}
1;

2
thirdparty/rr/plugins/ie_version.pl → RecentActivity/release/rr-full/plugins/ie_version.pl Normal file → Executable file
View File

@ -30,6 +30,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching ie_version v.".$VERSION);
::rptMsg("ie_version v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

81
RecentActivity/release/rr-full/plugins/iejava.pl Executable file
View File

@ -0,0 +1,81 @@
#-----------------------------------------------------------
# iejava.pl
# checks contents of Multimedia\Other key
# Category: Malware
#
# History
# 20130429 - added alertMsg() functionality
# 20130214 - created
#
# References
# http://www.greyhathacker.net/?p=610
#
# See also: http://support.microsoft.com/kb/2751647
#
# Notes: this was seen on a system that was infected with ZeroAccess; during
# the infection process, the key in question was set and the Flags value was
# set to 1.
#
# copyright 2013, Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package iejava;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20130429);
sub getConfig{return %config}
sub getShortDescr {
return "Checks NTUSER for status of kill bit for IE Java ActiveX control";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching iejava v.".$VERSION);
::rptMsg("iejava v.".$VERSION); # banner
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{8AD9C840-044E-11D1-B3E9-00805F499D93}";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $flags;
eval {
$flags = $key->get_value("Flags")->get_data();
::rptMsg("Flags: ".$flags);
if ($flags == 1) {
::rptMsg(" If the Flags value is set to 1, the IE Java ActiveX control is disabled,");
::rptMsg(" as if thru IE's \"Manage Add-ons\"\. Note: this NOT setting the kill bit.");
::alertMsg("ALERT: ".$key_path." Flag value set to 1; IE Java ActiveX control disabled\.");
}
};
if ($@) {
::rptMsg("Flags value not found\.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

2
thirdparty/rr/plugins/imagedev.pl → RecentActivity/release/rr-full/plugins/imagedev.pl Normal file → Executable file
View File

@ -29,6 +29,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching imagedev v.".$VERSION);
::rptMsg("imagedev v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

106
RecentActivity/release/rr-full/plugins/imagefile.pl Executable file
View File

@ -0,0 +1,106 @@
#-----------------------------------------------------------
# imagefile
#
# References:
# http://msdn2.microsoft.com/en-us/library/a329t4ed(VS\.80)\.aspx
# CWDIllegalInDllSearch: http://support.microsoft.com/kb/2264107
#
# Change history:
# 20130425 - added alertMsg() functionality
# 20130410 - added Wow6432Node support
# 20100824 - added check for "CWDIllegalInDllSearch" value
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package imagefile;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20130425);
sub getConfig{return %config}
sub getShortDescr {
return "Checks IFEO subkeys for Debugger & CWDIllegalInDllSearch values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching imagefile v.".$VERSION);
::rptMsg("imagefile v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my @paths = ("Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options");
foreach my $key_path (@paths) {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# ::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
my %debug;
my $i = "Your Image File Name here without a path";
foreach my $s (@subkeys) {
my $name = $s->get_name();
next if ($name =~ m/^$i/i);
my $debugger;
eval {
$debugger = $s->get_value("Debugger")->get_data();
};
# If the eval{} throws an error, it's b/c the Debugger value isn't
# found within the key, so we don't need to do anything w/ the error
if ($debugger ne "") {
$debug{$name}{debug} = $debugger;
$debug{$name}{lastwrite} = $s->get_timestamp();
}
my $dllsearch = "";
eval {
$dllsearch = $s->get_value("CWDIllegalInDllSearch")->get_data();
};
# If the eval{} throws an error, it's b/c the Debugger value isn't
# found within the key, so we don't need to do anything w/ the error
if ($dllsearch ne "") {
$debug{$name}{dllsearch} = sprintf "0x%x",$dllsearch;
$debug{$name}{lastwrite} = $s->get_timestamp();
}
}
if (scalar (keys %debug) > 0) {
foreach my $d (keys %debug) {
::rptMsg($d." LastWrite: ".gmtime($debug{$d}{lastwrite}));
::rptMsg(" Debugger : ".$debug{$d}{debug}) if (exists $debug{$d}{debug});
::alertMsg("Alert: imagefile: Debugger value found : ".$debug{$d}{debug}) if (exists $debug{$d}{debug});
::rptMsg(" CWDIllegalInDllSearch: ".$debug{$d}{dllsearch}) if (exists $debug{$d}{dllsearch});
}
}
else {
::rptMsg("No Debugger/CWDIllegalInDllSearch values found.");
}
::rptMsg("");
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
}
1;

2
thirdparty/rr/plugins/init_dlls.pl → RecentActivity/release/rr-full/plugins/init_dlls.pl Normal file → Executable file
View File

@ -38,6 +38,8 @@ sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching init_dlls v.".$VERSION);
::rptMsg("init_dlls v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;

100
RecentActivity/release/rr-full/plugins/inprocserver.pl Executable file
View File

@ -0,0 +1,100 @@
#-----------------------------------------------------------
# inprocserver.pl
# Plugin to extract file association data from the Software hive file
# Can take considerable time to run; recommend running it via rip.exe
#
# History
# 20130429 - added alertMsg() functionality
# 20130212 - fixed retrieving LW time from correct key
# 20121213 - created
#
# To-Do:
# - add support for NTUSER.DAT (XP) and USRCLASS.DAT (Win7)
#
# References
# http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx
# Apparently, per Sophos, ZeroAccess remains persistent by modifying a CLSID value that
# points to a WMI component. The key identifier is that it employs a path to
# "\\.\globalroot...", hence the match function.
#
# copyright 2012, Quantum Analytics Research, LLC
#-----------------------------------------------------------
package inprocserver;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20130429);
sub getConfig{return %config}
sub getShortDescr {
return "Checks CLSID InProcServer32 values for indications of ZeroAccess infection";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my %clsid;
my %susp = ();
::logMsg("Launching inprocserver v.".$VERSION);
::rptMsg("inprocserver v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Classes\\CLSID";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# First step will be to get a list of all of the file extensions
my %ext;
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
my $name = $s->get_name();
eval {
my $n = $s->get_subkey("InprocServer32")->get_value("")->get_data();
if (($n =~ m/^C:\\Users/) || grep(/Recycle/,$n) || grep(/RECYCLE/,$n) || grep(/globalroot/,$n) || $n =~ m/\\n\.$/) {
my $lw = $s->get_subkey("InprocServer32")->get_timestamp();
$susp{$lw}{name} = $name;
$susp{$lw}{data} = $n;
}
};
}
if (scalar(keys %susp) > 0) {
foreach my $t (sort {$a <=> $b} keys %susp) {
::rptMsg("Key path: ".$key_path."\\".$susp{$t}{name});
::rptMsg("LastWrite: ".gmtime($t));
::rptMsg("Value Data: ".$susp{$t}{data});
::alertMsg($key_path."\\".$susp{$t}{name}.": ".$susp{$t}{data});
::rptMsg("");
}
}
else {
::rptMsg("No suspicious InprocServer32 values found.");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;

Some files were not shown because too many files have changed in this diff Show More