mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
autopsy-flatpak/thirdparty/rr/plugins/arunmru.pl
Mark McKinnon 01494b3fb2 Fix Undefined Value in Autopsy Regripper Plugins 
Check for undefined values in Autopsy regripper plugins, this is for Autopsy version of regripper not full version of regripper.
2020-06-19 14:34:32 -04:00

80 lines
2.3 KiB
Perl
Raw Permalink Blame History

#-----------------------------------------------------------
# runmru.pl
# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
# RunMru values
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package arunmru;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's RunMRU key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
#::logMsg("autospyrunmru");
if (defined(Parse::Win32Registry->new($ntuser))) {
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("RunMru");
#::rptMsg($key_path);
my @vals = $key->get_list_of_values();
::rptMsg("<runMRU>");
::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");
::rptMsg("<artifacts>");
my %runvals;
my $mru;
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
$runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i);
$mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i);
}
::rptMsg("<MRUList>".$mru."</MRUList>");
foreach my $r (sort keys %runvals) {
::rptMsg("<MRU>".$r." ".$runvals{$r}."</MRU>");
}
}
else {
#::rptMsg($key_path." has no values.");
#::logMsg($key_path." has no values.");
}
::rptMsg("</artifacts>");
::rptMsg("</runMRU>");
}
else {
#::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
}
}
1;
Reference in New Issue View Git Blame Copy Permalink