

Python rawreg.get_root函数代码示例

本文整理汇总了Python中volatility.win32.rawreg.get_root函数的典型用法代码示例。如果您正苦于以下问题:Python get_root函数的具体用法?Python get_root怎么用?Python get_root使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。


在下文中一共展示了get_root函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: calculate

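    def calculate(self):
        """Yield ``(hive_name, uninstall_key)`` for each SOFTWARE hive found.

        Without ``--hive-offset`` every hive whose name contains "SOFTWARE"
        is searched; with it only the user-supplied hive is opened.  Each
        yielded key is ``Microsoft\\Windows\\CurrentVersion\\Uninstall`` of
        one hive.  A missing root key is fatal only when the offset was
        supplied explicitly, since auto-detected hives may simply be paged out.

        Two fixes over the original: all matching SOFTWARE hives are kept
        (the old loop overwrote the list on each match and so only searched
        the last one), and the not-found message no longer goes through
        ``outfd``, which is not in scope here and raised a NameError.
        """
        addr_space = utils.load_as(self._config)

        software_hive = "SOFTWARE"
        uninstall = "Microsoft\\Windows\\CurrentVersion\\Uninstall"

        if self._config.HIVE_OFFSET:
            hive_offsets = [("User Specified", self._config.HIVE_OFFSET)]
        else:
            hive_offsets = []
            for hive in hivelist.HiveList.calculate(self):
                hive_name = self.hive_name(hive)
                if software_hive in hive_name:
                    hive_offsets.append((hive_name, hive.obj_offset))

        for name, hoff in set(hive_offsets):
            hive_space = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
            root = rawreg.get_root(hive_space)
            if not root:
                # Only a user-supplied offset is expected to be valid.
                if self._config.HIVE_OFFSET:
                    debug.error("Unable to find root key. Is the hive offset correct?")
                continue

            uninstall_key = rawreg.open_key(root, uninstall.split('\\'))
            if uninstall_key:
                yield name, uninstall_key
            else:
                debug.warning("The requested key could not be found in the hive(s) searched")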
开发者ID:chubbymaggie,项目名称:sift-files,代码行数:28,代码来源:uninstallinfo.py

示例2: calculate

    def calculate(self):
        """Yield ``(win7, hive_name, count_key)`` for every UserAssist Count key.

        ``win7`` is True for a 6.1 profile, which selects the pair of
        UserAssist GUID subkeys used on that generation; otherwise the older
        pair is used.  ``count_key`` is whatever ``rawreg.open_key`` returns,
        so it may be None when a hive lacks the key.  A missing root key is
        fatal only for a user-supplied ``--hive-offset``.
        """
        addr_space = utils.load_as(self._config)
        meta = addr_space.profile.metadata
        win7 = meta.get('major', 0) == 6 and meta.get('minor', 0) == 1

        if self._config.HIVE_OFFSET:
            hive_offsets = [("User Specified", self._config.HIVE_OFFSET)]
        else:
            hive_offsets = [(self.hive_name(hive), hive.obj_offset)
                            for hive in hivelist.HiveList.calculate(self)]

        skey = "software\\microsoft\\windows\\currentversion\\explorer\\userassist\\"
        if win7:
            guid_keys = ["{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count",
                         "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count"]
        else:
            guid_keys = ["{75048700-EF1F-11D0-9888-006097DEACF9}\\Count",
                         "{5E6AB780-7743-11CF-A12B-00AA004AE837}\\Count"]

        for name, hoff in set(hive_offsets):
            hive_space = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
            root = rawreg.get_root(hive_space)
            if not root:
                if self._config.HIVE_OFFSET:
                    debug.error("Unable to find root key. Is the hive offset correct?")
                continue
            for guid_key in guid_keys:
                uakey = skey + guid_key
                yield win7, name, rawreg.open_key(root, uakey.split('\\'))
开发者ID:B-Rich,项目名称:amark,代码行数:27,代码来源:userassist.py

示例3: reg_get_all_keys

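    def reg_get_all_keys(self, hive_name, user = None, start = None, end = None, reg = False, rawtime = False):
        '''
        Enumerate every key in the selected hive(s) and yield its last-write time.

        Yields ``(time, key_path)`` tuples, or ``(time, hive_name, key_path)``
        when ``reg`` is True.  ``time`` is the raw ``LastWriteTime`` object when
        ``rawtime`` is True, otherwise its string form.  When both ``start`` and
        ``end`` are given only keys whose ``str(time)`` lies in that inclusive
        (lexicographic) window are yielded; when both are None every key is
        yielded; with only one bound nothing is yielded.

        Fixes the original, which in ``rawtime`` mode reported the *root* key's
        LastWriteTime for every subkey instead of the subkey's own (and raised
        NameError on ``root`` when no hive offsets were selected).
        '''
        def in_window(time):
            # Mirrors the original filter exactly, including the
            # "one bound only" case, which yields nothing.
            if start and end:
                return start <= str(time) <= end
            return start is None and end is None

        def key_time(key):
            return key.LastWriteTime if rawtime else "{0}".format(key.LastWriteTime)

        if self.all_offsets == {}:
            self.populate_offsets()
        if self.current_offsets == {}:
            self.set_current(hive_name, user)

        # Breadth-first worklist.  Entries are [key, hive_name, path] when
        # ``reg`` is set, else [key, path].  The list is appended to while it
        # is being iterated; that is what carries the walk to every depth.
        keys = []
        for offset in self.current_offsets:
            reg_name = self.current_offsets[offset]
            h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
            root = rawreg.get_root(h)
            if not root:
                continue
            time = key_time(root)
            if in_window(time):
                if reg:
                    yield (time, reg_name, root.Name)
                else:
                    yield (time, root.Name)
            for s in rawreg.subkeys(root):
                if reg:
                    keys.append([s, reg_name, root.Name + "\\" + s.Name])
                else:
                    keys.append([s, root.Name + "\\" + s.Name])

        if reg:
            for k, reg_name, name in keys:
                time = key_time(k)
                if in_window(time):
                    yield (time, reg_name, name)
                for s in rawreg.subkeys(k):
                    if name and s.Name:
                        keys.append([s, reg_name, name + '\\' + s.Name])
        else:
            for k, name in keys:
                time = key_time(k)
                if in_window(time):
                    yield (time, name)
                for s in rawreg.subkeys(k):
                    if name and s.Name:
                        keys.append([s, name + '\\' + s.Name])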
开发者ID:Jack47,项目名称:volatility,代码行数:60,代码来源:registryapi.py

示例4: get_bootkey

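def get_bootkey(sysaddr):
    """Recover the boot key from a SYSTEM hive address space.

    The key is assembled from the class names of the ``JD``, ``Skew1``,
    ``GBG`` and ``Data`` subkeys under ``ControlSet{N}\\Control\\Lsa`` (N
    from ``find_control_set``), hex-decoded, then permuted through the
    module-level table ``p``.

    Returns None when the hive root, the Lsa key, or any of the four subkeys
    cannot be opened, and "" when a class name cannot be read.  The original
    dereferenced a missing subkey and raised AttributeError instead.

    ``str.decode('hex')`` is Python 2 only, matching the surrounding code.
    """
    cs = find_control_set(sysaddr)
    lsa_base = ["ControlSet{0:03}".format(cs), "Control", "Lsa"]
    lsa_keys = ["JD", "Skew1", "GBG", "Data"]

    root = rawreg.get_root(sysaddr)
    if not root:
        return None

    lsa = rawreg.open_key(root, lsa_base)
    if not lsa:
        return None

    bootkey = ""
    for lk in lsa_keys:
        key = rawreg.open_key(lsa, [lk])
        if not key:
            # Subkey absent or unreadable: nothing to build the key from.
            return None
        class_data = sysaddr.read(key.Class, key.ClassLength)
        if class_data is None:
            return ""
        # The class name is UTF-16LE text made of hex digits.
        bootkey += class_data.decode('utf-16-le').decode('hex')

    # Unscramble with the fixed permutation table ``p``.
    return "".join(bootkey[p[i]] for i in range(len(bootkey)))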
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:27,代码来源:hashdump.py

示例5: calculate

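    def calculate(self):
        """Yield ``(hive_name, key)`` for each hive the plugin should print.

        With ``--brute-force`` every hive from HiveList is walked; otherwise
        ``--hive-offset`` is mandatory and only that ``_CMHIVE`` is used.  The
        yielded key is the hive root, or the ``--key`` path under it when one
        was given (``rawreg.open_key`` returns None if that path is missing).

        The bare ``except:`` around the name lookup is narrowed to
        ``Exception`` so KeyboardInterrupt/SystemExit still propagate, and
        already-seen offsets are tracked in a set instead of a list.
        """
        addr_space = utils.load_as(self._config)

        if self._config.BRUTE_FORCE:
            hiveroot = hl.HiveList.calculate(self)
        elif not self._config.hive_offset:
            # debug.error is expected to abort here, so hiveroot is bound on
            # every path that reaches the loop below -- TODO confirm.
            debug.error("No hive offset provided!")
        else:
            hiveroot = [obj.Object("_CMHIVE", self._config.hive_offset, addr_space)]

        seen_offsets = set()
        for hive in hiveroot:
            if hive.obj_offset in seen_offsets:
                continue
            seen_offsets.add(hive.obj_offset)

            # Hive name fields may be unreadable; fall back to a placeholder
            # rather than abort the whole run.
            try:
                name = hive.FileFullPath.v() or hive.FileUserName.v() or hive.HiveRootPath.v() or "[no name]"
            except Exception:
                name = "[no name]"

            h = hivemod.HiveAddressSpace(addr_space, self._config, hive.obj_offset)
            root = rawreg.get_root(h)
            if not root:
                # A bad root is only an error when the user named the hive.
                if not self._config.BRUTE_FORCE:
                    debug.error("Unable to find root key. Is the hive offset correct?")
                continue

            if self._config.KEY:
                yield name, rawreg.open_key(root, self._config.KEY.split('\\'))
            else:
                yield name, root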
开发者ID:gleeda,项目名称:Volatility-Plugins,代码行数:28,代码来源:printkey.py

示例6: services_from_registry

    def services_from_registry(addr_space):
        """Map lower-cased service names to their ``Services`` subkeys.

        Walks the hives from HiveList, takes the first whose name ends in
        "system" (case-insensitive), opens ``ControlSet001\\Services`` under
        its root and returns ``{name.lower(): subkey}``.  Only that first
        SYSTEM hive is consulted, so an unreadable root or a missing key
        yields an empty dict.  Note that ControlSet001 is hard-coded; it is
        not necessarily the control set named by ``Select\\Current``.
        """
        services = {}
        plugin = hivelist.HiveList(addr_space.get_config())

        system_hive = None
        for hive in plugin.calculate():
            if hive.get_name().lower().endswith("system"):
                system_hive = hive
                break

        if system_hive is None:
            return services

        root = rawreg.get_root(system_hive.address_space())
        if not root:
            return services

        services_key = rawreg.open_key(root, ["ControlSet001", "Services"])
        if not services_key:
            return services

        for subkey in rawreg.subkeys(services_key):
            services[str(subkey.Name).lower()] = subkey

        return services
开发者ID:BryanSingh,项目名称:volatility,代码行数:32,代码来源:servicediff.py

示例7: get_hbootkey

def get_hbootkey(samaddr, bootkey):
    """Derive the SAM hashed boot key from the SAM hive and the boot key.

    Reads the ``F`` value of ``SAM\\Domains\\Account`` and returns the RC4
    transform of ``F[0x80:0xA0]`` keyed by
    ``MD5(F[0x70:0x80] + aqwerty + bootkey + anum)`` (``aqwerty``/``anum``
    are module-level constants).  Returns None if the boot key is empty, the
    root or account key cannot be opened, or no readable ``F`` value exists.
    If several values are named ``F`` the last one read wins, as before.
    """
    if not bootkey:
        return None

    root = rawreg.get_root(samaddr)
    if not root:
        return None

    account_key = rawreg.open_key(root, ["SAM", "Domains", "Account"])
    if not account_key:
        return None

    f_value = None
    for value in rawreg.values(account_key):
        if value.Name == 'F':
            f_value = samaddr.read(value.Data, value.DataLength)
    if not f_value:
        return None

    digest = MD5.new()
    digest.update(f_value[0x70:0x80] + aqwerty + bootkey + anum)
    cipher = ARC4.new(digest.digest())
    return cipher.encrypt(f_value[0x80:0xA0])
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:29,代码来源:hashdump.py

示例8: get_secrets

def get_secrets(sysaddr, secaddr):
    """Return ``{secret_name: plaintext}`` for the LSA secrets in a SECURITY hive.

    Needs the boot key from the SYSTEM hive (``sysaddr``) to unwrap the LSA
    key, then walks ``Policy\\Secrets\\*\\CurrVal`` in ``secaddr`` and
    passes each value's data past its 12-byte header to ``decrypt_secret``.
    Returns None when the root, the boot/LSA key, or the Secrets key is
    unavailable; secrets whose CurrVal is missing or unreadable are skipped.
    """
    root = rawreg.get_root(secaddr)
    if not root:
        return None

    bootkey = hashdump.get_bootkey(sysaddr)
    lsakey = get_lsa_key(secaddr, bootkey)
    if not bootkey or not lsakey:
        return None

    secrets_key = rawreg.open_key(root, ["Policy", "Secrets"])
    if not secrets_key:
        return None

    secrets = {}
    for key in rawreg.subkeys(secrets_key):
        enc_secret = _read_currval(secaddr, key)
        if enc_secret:
            secrets[key.Name] = decrypt_secret(enc_secret[0xC:], lsakey)

    return secrets


def _read_currval(secaddr, key):
    """Return the raw data of the first value under ``key\\CurrVal``, or None."""
    currval_key = rawreg.open_key(key, ["CurrVal"])
    if not currval_key:
        return None

    first_value = currval_key.ValueList.List.dereference()[0]
    if not first_value:
        return None

    return secaddr.read(first_value.Data, first_value.DataLength)
开发者ID:Jonnyliu,项目名称:Malware_Analysis,代码行数:33,代码来源:lsasecrets.py

示例9: get_lsa_key

def get_lsa_key(secaddr, bootkey):
    """Unwrap the LSA secrets key from the SECURITY hive using the boot key.

    The obfuscated key is the first value of ``Policy\\PolSecretEncryptionKey``.
    An RC4 key is built as MD5 over the boot key followed by 1000 repetitions
    of bytes 60..76 of that blob; bytes 12..60 of the blob are RC4-decrypted
    and bytes 0x10..0x20 of the result are returned.  Returns None if any
    step finds nothing.
    """
    if not bootkey:
        return None

    root = rawreg.get_root(secaddr)
    if not root:
        return None

    enc_reg_key = rawreg.open_key(root, ["Policy", "PolSecretEncryptionKey"])
    if not enc_reg_key:
        return None

    enc_reg_value = enc_reg_key.ValueList.List.dereference()[0]
    if not enc_reg_value:
        return None

    obf_lsa_key = secaddr.read(enc_reg_value.Data, enc_reg_value.DataLength)
    if not obf_lsa_key:
        return None

    digest = MD5.new()
    digest.update(bootkey)
    salt = obf_lsa_key[60:76]
    for _ in range(1000):
        digest.update(salt)

    cipher = ARC4.new(digest.digest())
    return cipher.decrypt(obf_lsa_key[12:60])[0x10:0x20]
开发者ID:Jonnyliu,项目名称:Malware_Analysis,代码行数:31,代码来源:lsasecrets.py

示例10: calculate

    def calculate(self):
        """Return the root key of the hive at ``--hive-offset``.

        Aborts through ``debug.error`` when no offset was supplied.  The
        return value is whatever ``rawreg.get_root`` gives back, which may be
        None if the offset does not point at a readable hive.
        """
        addr_space = utils.load_as(self._config)
        offset = self._config.hive_offset
        if not offset:
            debug.error("A Hive offset must be provided (--hive-offset)")

        hive_space = hivemod.HiveAddressSpace(addr_space, self._config, offset)
        return rawreg.get_root(hive_space)
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:8,代码来源:printkey.py

示例11: get_user_keys

def get_user_keys(samaddr):
    """Return the subkeys of ``SAM\\Domains\\Account\\Users`` except ``Names``.

    Returns an empty list when the hive root or the Users key cannot be
    opened.
    """
    root = rawreg.get_root(samaddr)
    if not root:
        return []

    users_key = rawreg.open_key(root, ["SAM", "Domains", "Account", "Users"])
    if not users_key:
        return []

    user_keys = []
    for key in rawreg.subkeys(users_key):
        if key.Name != "Names":
            user_keys.append(key)
    return user_keys
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:12,代码来源:hashdump.py

示例12: find_control_set

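def find_control_set(sysaddr):
    """Return the number of the current control set from a SYSTEM hive.

    Reads the ``Current`` value of the hive's ``Select`` key.  Falls back to
    1 when the root or Select key cannot be opened, and -- new here -- when
    Select has no ``Current`` value; the original then returned None, which
    made ``get_bootkey``'s ``"ControlSet{0:03}".format(cs)`` raise TypeError.
    """
    root = rawreg.get_root(sysaddr)
    if not root:
        return 1

    csselect = rawreg.open_key(root, ["Select"])
    if not csselect:
        return 1

    for v in rawreg.values(csselect):
        if v.Name == "Current":
            return v.Data

    # No Current value: default to the first control set, like the
    # other failure paths above.
    return 1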
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:12,代码来源:hashdump.py

示例13: dump_hashes

def dump_hashes(addr_space, sysaddr, secaddr):
    """Return cached domain logon entries from the SECURITY hive's ``Cache`` key.

    Chains boot key -> LSA key -> NL$KM key, then decrypts every value under
    ``Cache`` except ``NL$Control``.  Each result is
    ``(username, domain, domain_name, hash)`` as produced by
    ``parse_decrypted_cache``.  Returns an empty list whenever one of the
    prerequisite keys cannot be recovered; entries with unreadable data or a
    zero-length user name are skipped.  ``xp`` (profile major version 5) is
    passed through to ``decrypt_hash``.
    """
    bootkey = hashdump.get_bootkey(sysaddr)
    if not bootkey:
        return []

    lsakey = lsasecrets.get_lsa_key(addr_space, secaddr, bootkey)
    if not lsakey:
        return []

    nlkm = get_nlkm(addr_space, secaddr, lsakey)
    if not nlkm:
        return []

    root = rawreg.get_root(secaddr)
    if not root:
        return []

    cache = rawreg.open_key(root, ["Cache"])
    if not cache:
        return []

    xp = addr_space.profile.metadata.get('major', 0) == 5
    hashes = []
    for value in rawreg.values(cache):
        if value.Name == "NL$Control":
            continue

        data = value.obj_vm.read(value.Data, value.DataLength)
        if data is None:
            continue

        uname_len, domain_len, domain_name_len, enc_data, ch = parse_cache_entry(data)
        if uname_len == 0:
            # Empty cache slot.
            continue

        dec_data = decrypt_hash(enc_data, nlkm, ch, xp)
        username, domain, domain_name, hashh = parse_decrypted_cache(
            dec_data, uname_len, domain_len, domain_name_len)
        hashes.append((username, domain, domain_name, hashh))

    return hashes
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:47,代码来源:domcachedump.py

示例14: get_autoruns

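    def get_autoruns(self):
        """Return ``{hive_name: {(key_path, last_write): entries}}`` for run keys.

        Every memory-resident hive is inspected.  NTUSER.DAT hives are checked
        against ``NTUSER_RUN_KEYS`` and the SOFTWARE hive against
        ``SOFTWARE_RUN_KEYS``; all other hives (including SYSTEM) are skipped.
        ``entries`` is whatever ``parse_autoruns_key`` returns for the key, and
        keys with no entries are left out.

        Hives whose root key cannot be read, and run keys absent from a hive,
        are now skipped; the original passed a None root/key on and would fail
        at ``key.LastWriteTime``.  Unused locals that collected per-hive roots
        were dropped since only ``hives`` is returned.
        """
        debug.debug("Getting offsets")
        addr_space = utils.load_as(self._config)
        hive_offsets = [h.obj_offset for h in hivelist.HiveList.calculate(self)]
        debug.debug("Found %s hives" % len(hive_offsets))
        hives = {}

        for hoff in set(hive_offsets):
            hive_space = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
            name = self.hive_name(obj.Object("_CMHIVE", vm = addr_space, offset = hoff))

            # Classify by the last path component of the hive name.
            base_name = name.split('\\')[-1].lower()
            if 'ntuser.dat' in base_name:
                keys = NTUSER_RUN_KEYS
            elif 'software' in base_name:
                keys = SOFTWARE_RUN_KEYS
            else:
                continue

            root = rawreg.get_root(hive_space)
            if not root:
                debug.debug("No root key in %s, skipping" % name)
                continue

            debug.debug("Searching for keys in %s" % name)
            for full_key in keys:
                debug.debug("  Opening %s" % (full_key))
                key = rawreg.open_key(root, full_key.split('\\'))
                if not key:
                    continue
                results = self.parse_autoruns_key(key)
                if len(results) > 0:
                    per_hive = hives.setdefault(name, {})
                    per_hive[(full_key, key.LastWriteTime)] = results

        return hives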
开发者ID:andyvand,项目名称:sift-files,代码行数:44,代码来源:autoruns.py

示例15: get_secret_by_name

def get_secret_by_name(secaddr, name, lsakey):
    """Decrypt the single LSA secret ``name`` from the SECURITY hive.

    Opens ``Policy\\Secrets\\<name>\\CurrVal``, reads its first value and
    returns ``decrypt_secret`` of the data after the 12-byte header.
    Returns None if the root, the key, the value, or its data is missing.
    """
    root = rawreg.get_root(secaddr)
    if not root:
        return None

    currval_key = rawreg.open_key(root, ["Policy", "Secrets", name, "CurrVal"])
    if not currval_key:
        return None

    first_value = currval_key.ValueList.List.dereference()[0]
    if not first_value:
        return None

    enc_secret = secaddr.read(first_value.Data, first_value.DataLength)
    if not enc_secret:
        return None

    return decrypt_secret(enc_secret[0xC:], lsakey)
开发者ID:Jonnyliu,项目名称:Malware_Analysis,代码行数:19,代码来源:lsasecrets.py


注:本文中的volatility.win32.rawreg.get_root函数示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。