本文整理汇总了Python中volatility.win32.rawreg.get_root函数的典型用法代码示例。如果您正苦于以下问题:Python get_root函数的具体用法?Python get_root怎么用?Python get_root使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了get_root函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
regapi = registryapi.RegistryApi(self._config)
software_hive = "SOFTWARE"
uninstall = "Microsoft\\Windows\\CurrentVersion\\Uninstall"
hive_offsets = []
if not self._config.HIVE_OFFSET:
for h in hivelist.HiveList.calculate(self):
hive_name = self.hive_name(h)
if software_hive in hive_name:
hive_offsets = [(hive_name, h.obj_offset)]
else:
hive_offsets = [("User Specified", self._config.HIVE_OFFSET)]
for name, hoff in set(hive_offsets):
h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
root = rawreg.get_root(h)
if not root:
if self._config.HIVE_OFFSET:
debug.error("Unable to find root key. Is the hive offset correct?")
else:
uninstall_key = rawreg.open_key(root, uninstall.split('\\'))
if uninstall_key:
yield name, uninstall_key
else:
outfd.write("The requested key could not be found in the hive(s) searched\n")示例2: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
win7 = addr_space.profile.metadata.get('major', 0) == 6 and addr_space.profile.metadata.get('minor', 0) == 1
if not self._config.HIVE_OFFSET:
hive_offsets = [(self.hive_name(h), h.obj_offset) for h in hivelist.HiveList.calculate(self)]
else:
hive_offsets = [("User Specified", self._config.HIVE_OFFSET)]
for name, hoff in set(hive_offsets):
h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
root = rawreg.get_root(h)
if not root:
if self._config.HIVE_OFFSET:
debug.error("Unable to find root key. Is the hive offset correct?")
else:
skey = "software\\microsoft\\windows\\currentversion\\explorer\\userassist\\"
if win7:
uakey = skey + "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count"
yield win7, name, rawreg.open_key(root, uakey.split('\\'))
uakey = skey + "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count"
yield win7, name, rawreg.open_key(root, uakey.split('\\'))
else:
uakey = skey + "{75048700-EF1F-11D0-9888-006097DEACF9}\\Count"
yield win7, name, rawreg.open_key(root, uakey.split('\\'))
uakey = skey + "{5E6AB780-7743-11CF-A12B-00AA004AE837}\\Count"
yield win7, name, rawreg.open_key(root, uakey.split('\\'))示例3: reg_get_all_keys
def reg_get_all_keys(self, hive_name, user = None, start = None, end = None, reg = False, rawtime = False):
'''
This function enumerates all keys in specified hives and
collects lastwrite times.
'''
keys = []
if self.all_offsets == {}:
self.populate_offsets()
if self.current_offsets == {}:
self.set_current(hive_name, user)
# Collect the root keys
for offset in self.current_offsets:
reg_name = self.current_offsets[offset]
h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
root = rawreg.get_root(h)
if not root:
pass
else:
time = "{0}".format(root.LastWriteTime) if not rawtime else root.LastWriteTime
if reg:
if start and end and str(time) >= start and str(time) <= end:
yield (time, reg_name, root.Name)
elif start == None and end == None:
yield (time, reg_name, root.Name)
else:
if start and end and str(time) >= start and str(time) <= end:
yield (time, root.Name)
elif start == None and end == None:
yield (time, root.Name)
for s in rawreg.subkeys(root):
if reg:
keys.append([s, reg_name, root.Name + "\\" + s.Name])
else:
keys.append([s, root.Name + "\\" + s.Name])
# Get subkeys
if reg:
for k, reg_name, name in keys:
time = "{0}".format(k.LastWriteTime) if not rawtime else root.LastWriteTime
if start and end and str(time) >= start and str(time) <= end:
yield (time, reg_name, name)
elif start == None and end == None:
yield (time, reg_name, name)
for s in rawreg.subkeys(k):
if name and s.Name:
item = name + '\\' + s.Name
keys.append([s, reg_name, item])
else:
for k, name in keys:
time = "{0}".format(k.LastWriteTime) if not rawtime else root.LastWriteTime
if start and end and str(time) >= start and str(time) <= end:
yield (time, name)
elif start == None and end == None:
yield (time, name)
for s in rawreg.subkeys(k):
if name and s.Name:
item = name + '\\' + s.Name
keys.append([s, item])示例4: get_bootkey
def get_bootkey(sysaddr):
cs = find_control_set(sysaddr)
lsa_base = ["ControlSet{0:03}".format(cs), "Control", "Lsa"]
lsa_keys = ["JD", "Skew1", "GBG", "Data"]
root = rawreg.get_root(sysaddr)
if not root:
return None
lsa = rawreg.open_key(root, lsa_base)
if not lsa:
return None
bootkey = ""
for lk in lsa_keys:
key = rawreg.open_key(lsa, [lk])
class_data = sysaddr.read(key.Class, key.ClassLength)
if class_data == None:
return ""
bootkey += class_data.decode('utf-16-le').decode('hex')
bootkey_scrambled = ""
for i in range(len(bootkey)):
bootkey_scrambled += bootkey[p[i]]
return bootkey_scrambled示例5: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
if self._config.BRUTE_FORCE:
hiveroot = hl.HiveList.calculate(self)
elif not self._config.hive_offset:
debug.error("No hive offset provided!")
else:
hiveroot = [obj.Object("_CMHIVE", self._config.hive_offset, addr_space)]
hive_offsets = []
for hive in hiveroot:
if hive.obj_offset not in hive_offsets:
try:
name = hive.FileFullPath.v() or hive.FileUserName.v() or hive.HiveRootPath.v() or "[no name]"
except:
name = "[no name]"
hive_offsets.append(hive.obj_offset)
h = hivemod.HiveAddressSpace(addr_space, self._config, hive.obj_offset)
root = rawreg.get_root(h)
if not root:
if not self._config.BRUTE_FORCE:
debug.error("Unable to find root key. Is the hive offset correct?")
else:
if self._config.KEY:
yield name, rawreg.open_key(root, self._config.KEY.split('\\'))
else:
yield name, root示例6: services_from_registry
def services_from_registry(addr_space):
"""Enumerate services from the cached registry hive"""
services = {}
plugin = hivelist.HiveList(addr_space.get_config())
for hive in plugin.calculate():
## find the SYSTEM hive
name = hive.get_name()
if not name.lower().endswith("system"):
continue
## get the root key
hive_space = hive.address_space()
root = rawreg.get_root(hive_space)
if not root:
break
## open the services key
key = rawreg.open_key(root, ["ControlSet001", "Services"])
if not key:
break
## build a dictionary of the key names
for subkey in rawreg.subkeys(key):
services[(str(subkey.Name).lower())] = subkey
## we don't need to keep trying
break
return services示例7: get_hbootkey
def get_hbootkey(samaddr, bootkey):
sam_account_path = ["SAM", "Domains", "Account"]
if not bootkey:
return None
root = rawreg.get_root(samaddr)
if not root:
return None
sam_account_key = rawreg.open_key(root, sam_account_path)
if not sam_account_key:
return None
F = None
for v in rawreg.values(sam_account_key):
if v.Name == 'F':
F = samaddr.read(v.Data, v.DataLength)
if not F:
return None
md5 = MD5.new()
md5.update(F[0x70:0x80] + aqwerty + bootkey + anum)
rc4_key = md5.digest()
rc4 = ARC4.new(rc4_key)
hbootkey = rc4.encrypt(F[0x80:0xA0])
return hbootkey示例8: get_secrets
def get_secrets(sysaddr, secaddr):
root = rawreg.get_root(secaddr)
if not root:
return None
bootkey = hashdump.get_bootkey(sysaddr)
lsakey = get_lsa_key(secaddr, bootkey)
if not bootkey or not lsakey:
return None
secrets_key = rawreg.open_key(root, ["Policy", "Secrets"])
if not secrets_key:
return None
secrets = {}
for key in rawreg.subkeys(secrets_key):
sec_val_key = rawreg.open_key(key, ["CurrVal"])
if not sec_val_key:
continue
enc_secret_value = sec_val_key.ValueList.List.dereference()[0]
if not enc_secret_value:
continue
enc_secret = secaddr.read(enc_secret_value.Data,
enc_secret_value.DataLength)
if not enc_secret:
continue
secret = decrypt_secret(enc_secret[0xC:], lsakey)
secrets[key.Name] = secret
return secrets示例9: get_lsa_key
def get_lsa_key(secaddr, bootkey):
if not bootkey:
return None
root = rawreg.get_root(secaddr)
if not root:
return None
enc_reg_key = rawreg.open_key(root, ["Policy", "PolSecretEncryptionKey"])
if not enc_reg_key:
return None
enc_reg_value = enc_reg_key.ValueList.List.dereference()[0]
if not enc_reg_value:
return None
obf_lsa_key = secaddr.read(enc_reg_value.Data,
enc_reg_value.DataLength)
if not obf_lsa_key:
return None
md5 = MD5.new()
md5.update(bootkey)
for _i in range(1000):
md5.update(obf_lsa_key[60:76])
rc4key = md5.digest()
rc4 = ARC4.new(rc4key)
lsa_key = rc4.decrypt(obf_lsa_key[12:60])
return lsa_key[0x10:0x20]示例10: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
if not self._config.hive_offset:
debug.error("A Hive offset must be provided (--hive-offset)")
h = hivemod.HiveAddressSpace(addr_space, self._config, self._config.hive_offset)
return rawreg.get_root(h)示例11: get_user_keys
def get_user_keys(samaddr):
user_key_path = ["SAM", "Domains", "Account", "Users"]
root = rawreg.get_root(samaddr)
if not root:
return []
user_key = rawreg.open_key(root, user_key_path)
if not user_key:
return []
return [k for k in rawreg.subkeys(user_key) if k.Name != "Names"]示例12: find_control_set
def find_control_set(sysaddr):
root = rawreg.get_root(sysaddr)
if not root:
return 1
csselect = rawreg.open_key(root, ["Select"])
if not csselect:
return 1
for v in rawreg.values(csselect):
if v.Name == "Current":
return v.Data示例13: dump_hashes
def dump_hashes(addr_space, sysaddr, secaddr):
bootkey = hashdump.get_bootkey(sysaddr)
if not bootkey:
return []
lsakey = lsasecrets.get_lsa_key(addr_space, secaddr, bootkey)
if not lsakey:
return []
nlkm = get_nlkm(addr_space, secaddr, lsakey)
if not nlkm:
return []
root = rawreg.get_root(secaddr)
if not root:
return []
cache = rawreg.open_key(root, ["Cache"])
if not cache:
return []
xp = addr_space.profile.metadata.get('major', 0) == 5
hashes = []
for v in rawreg.values(cache):
if v.Name == "NL$Control":
continue
data = v.obj_vm.read(v.Data, v.DataLength)
if data == None:
continue
(uname_len, domain_len, domain_name_len,
enc_data, ch) = parse_cache_entry(data)
# Skip if nothing in this cache entry
if uname_len == 0:
continue
dec_data = decrypt_hash(enc_data, nlkm, ch, xp)
(username, domain, domain_name,
hashh) = parse_decrypted_cache(dec_data, uname_len,
domain_len, domain_name_len)
hashes.append((username, domain, domain_name, hashh))
return hashes示例14: get_autoruns
def get_autoruns(self):
debug.debug("Getting offsets")
addr_space = utils.load_as(self._config)
hive_offsets = [h.obj_offset for h in hivelist.HiveList.calculate(self)]
debug.debug("Found %s hives" % len(hive_offsets))
hives = {}
ntuser_hive_roots = []
software_hive_root = None
system_hive_root = None
# Cycle through all hives until we find NTUSER.DAT or SOFTWARE
# This enables us to search all memory-resident NTUSER.DAT hives
for hoff in set(hive_offsets):
h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
name = self.hive_name(obj.Object("_CMHIVE", vm = addr_space, offset = hoff))
root = rawreg.get_root(h)
if 'ntuser.dat' in name.split('\\')[-1].lower():
keys = NTUSER_RUN_KEYS
ntuser_hive_roots.append(root)
elif 'software' in name.split('\\')[-1].lower():
keys = SOFTWARE_RUN_KEYS
software_hive_root = root
elif 'system' in name.split('\\')[-1].lower():
system_hive_root = root
continue
else: continue
debug.debug("Searching for keys in %s" % name)
for full_key in keys:
results = []
debug.debug(" Opening %s" % (full_key))
key = rawreg.open_key(root, full_key.split('\\'))
results = self.parse_autoruns_key(key)
if len(results) > 0:
h = hives.get(name, {})
h[(full_key, key.LastWriteTime)] = results
hives[name] = h
return hives示例15: get_secret_by_name
def get_secret_by_name(secaddr, name, lsakey):
root = rawreg.get_root(secaddr)
if not root:
return None
enc_secret_key = rawreg.open_key(root, ["Policy", "Secrets", name, "CurrVal"])
if not enc_secret_key:
return None
enc_secret_value = enc_secret_key.ValueList.List.dereference()[0]
if not enc_secret_value:
return None
enc_secret = secaddr.read(enc_secret_value.Data,
enc_secret_value.DataLength)
if not enc_secret:
return None
return decrypt_secret(enc_secret[0xC:], lsakey)