本文整理汇总了Python中volatility.win32.rawreg.subkeys函数的典型用法代码示例。如果您正苦于以下问题:Python subkeys函数的具体用法?Python subkeys怎么用?Python subkeys使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
示例1: reg_get_all_keys
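def reg_get_all_keys(self, hive_name, user = None, start = None, end = None, reg = False, rawtime = False):
    '''
    Walk every key of the selected hive(s) and yield their LastWrite times.

    The hive offsets are resolved first (populate_offsets / set_current), then
    each hive root is visited and a breadth-first walk follows: the root is
    yielded, its subkeys are queued, and every queued key is yielded with its
    own subkeys appended to the queue.

    Parameters:
        hive_name: hive to walk (handed to set_current()).
        user: optional user name for per-user hives (handed to set_current()).
        start, end: optional inclusive bounds compared against the *string*
            form of the timestamp. Filtering only happens when both are
            given; with exactly one bound nothing is yielded at all (kept
            for backward compatibility -- callers should pass both or none).
        reg: True -> yield (time, hive_name, key_path); False -> (time, key_path).
        rawtime: True -> yield the raw LastWriteTime object instead of its
            string form.

    Fix: for subkeys the original returned ``root.LastWriteTime`` (the last
    hive root visited) whenever rawtime was set, so a raw-time timeline was
    wrong for every key but the root. Each key now reports its own stamp.
    '''
    if self.all_offsets == {}:
        self.populate_offsets()
    if self.current_offsets == {}:
        self.set_current(hive_name, user)

    def _stamp(key):
        # String form by default; the raw object only when explicitly asked.
        return key.LastWriteTime if rawtime else "{0}".format(key.LastWriteTime)

    def _in_window(time):
        # Both bounds -> inclusive string-range test; neither -> no filter;
        # a single bound filters everything out (original behavior).
        if start and end:
            return start <= str(time) <= end
        return start == None and end == None

    keys = []
    # Visit each hive root and queue its immediate subkeys.
    for offset in self.current_offsets:
        reg_name = self.current_offsets[offset]
        h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
        root = rawreg.get_root(h)
        if not root:
            continue
        time = _stamp(root)
        if _in_window(time):
            if reg:
                yield (time, reg_name, root.Name)
            else:
                yield (time, root.Name)
        for s in rawreg.subkeys(root):
            keys.append((s, reg_name, root.Name + "\\" + s.Name))

    # Breadth-first walk. Appending to ``keys`` while iterating over it is
    # deliberate: the for loop picks up entries added during iteration.
    for k, reg_name, name in keys:
        time = _stamp(k)
        if _in_window(time):
            if reg:
                yield (time, reg_name, name)
            else:
                yield (time, name)
        for s in rawreg.subkeys(k):
            if name and s.Name:
                keys.append((s, reg_name, name + '\\' + s.Name))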
示例2: get_secrets
def get_secrets(sysaddr, secaddr):
    """
    Decrypt the LSA secrets stored under Policy\\Secrets of the SECURITY hive.

    sysaddr is the SYSTEM hive address space (used for the boot key), secaddr
    the SECURITY hive address space. Returns a dict mapping secret name ->
    decrypted data, or None when the hive root, the boot key, the LSA key or
    the Policy\\Secrets key cannot be obtained. A secret whose CurrVal key,
    value entry or data cannot be read is skipped silently.

    NOTE(review): the returned material is the decrypted secret store; treat
    it as credential-grade data (LSA secrets typically hold stored account
    credentials) and avoid logging or persisting it carelessly.
    """
    root = rawreg.get_root(secaddr)
    if not root:
        return None
    bootkey = hashdump.get_bootkey(sysaddr)
    lsakey = get_lsa_key(secaddr, bootkey)
    if not (bootkey and lsakey):
        return None
    secrets_key = rawreg.open_key(root, ["Policy", "Secrets"])
    if not secrets_key:
        return None

    decrypted = {}
    for entry in rawreg.subkeys(secrets_key):
        curr_val = rawreg.open_key(entry, ["CurrVal"])
        if not curr_val:
            continue
        # The first value under CurrVal describes the encrypted blob.
        blob_desc = curr_val.ValueList.List.dereference()[0]
        if not blob_desc:
            continue
        blob = secaddr.read(blob_desc.Data, blob_desc.DataLength)
        if not blob:
            continue
        # The leading 0xC bytes are skipped (presumably a header); the
        # remainder is the ciphertext handed to decrypt_secret().
        decrypted[entry.Name] = decrypt_secret(blob[0xC:], lsakey)
    return decrypted
示例3: render_text
def render_text(self, outfd, data):
    """
    Print each (hive, key) pair from calculate(): the key name with its
    (S)/(V) stability flag, last-write time, subkeys and decoded values.

    REG_BINARY and REG_NONE data is shown as a hexdump (utils.Hexdump);
    REG_SZ / REG_EXPAND_SZ / REG_LINK strings and every REG_MULTI_SZ element
    are ASCII-encoded with backslash escapes, so non-ASCII content is emitted
    escaped rather than raw. If no key was found in any hive, a single
    "could not be found" line is written instead.
    """
    outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
    keyfound = False
    for reg, key in data:
        if key:
            keyfound = True
            outfd.write("----------------------------\n")
            outfd.write("Registry: {0}\n".format(reg))
            outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
            outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
            outfd.write("\n")
            outfd.write("Subkeys:\n")
            for s in rawreg.subkeys(key):
                # ``== None`` is intentional: an unreadable name is presumably
                # volatility's NoneObject sentinel, which compares equal to
                # None (but is not None) and carries a ``.reason`` string.
                if s.Name == None:
                    outfd.write(" Unknown subkey: " + s.Name.reason + "\n")
                else:
                    outfd.write(" {1:3s} {0}\n".format(s.Name, self.voltext(s)))
            outfd.write("\n")
            outfd.write("Values:\n")
            for v in rawreg.values(key):
                tp, dat = rawreg.value_data(v)
                if tp == 'REG_BINARY' or tp == 'REG_NONE':
                    dat = "\n" + "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                    dat = dat.encode("ascii", 'backslashreplace')
                if tp == 'REG_MULTI_SZ':
                    # Encode each element in place; the list itself is kept.
                    for i in range(len(dat)):
                        dat[i] = dat[i].encode("ascii", 'backslashreplace')
                outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(tp, v.Name, dat, self.voltext(v)))
    if not keyfound:
        outfd.write("The requested key could not be found in the hive(s) searched\n")
示例4: calculate
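def calculate(self):
    """
    Yield (SID, service name) pairs for every service under the active
    control set's Services key, followed by the well-known SIDs in
    ``servicesids``.

    Steps: scan memory for registry hives, select the SYSTEM hive(s), read
    the current control set number from each with find_control_set(), then
    enumerate ControlSet<NNN>\\Services and derive a service SID for each
    subkey whose name is not already in the well-known table.

    Progress messages go to stdout via print(), i.e. interleaved with the
    plugin's own output; the newer variant of this plugin uses debug.debug()
    instead, which is preferable when the output is consumed by tooling.

    Changes from the original: print() function syntax (valid on Python 2
    and 3), the ControlSet001 fallback is kept when find_control_set()
    returns None instead of formatting None into the key path, and the
    well-known name list is built once outside the loop.
    """
    addr_space = utils.load_as(self._config)
    # Scan for registries and populate them.
    print("Scanning for registries....")
    self.populate_offsets()
    # Set the registry of interest (SYSTEM) and read its current control set.
    print("Getting Current Control Set....")
    currentcs = "ControlSet001"
    self.set_current('system')
    for o in self.current_offsets:
        sysaddr = hivemod.HiveAddressSpace(addr_space, self._config, o)
        cs = find_control_set(sysaddr)
        # ``!= None`` rather than ``is not None`` so a volatility NoneObject
        # (which presumably compares == None) also keeps the fallback.
        # With several SYSTEM hives the last readable one wins (as before).
        if cs != None:
            currentcs = "ControlSet{0:03}".format(cs)
    # Walk the Services key of that control set.
    print("Getting Services and calculating SIDs....")
    services = self.reg_get_key('system', currentcs + '\\' + 'Services')
    if services:
        # Equality-based membership is kept (a list, not a set) because the
        # key Name objects may not hash like plain str.
        known_names = list(servicesids.values())
        for s in rawreg.subkeys(services):
            if s.Name not in known_names:
                sid = createservicesid(str(s.Name))
                yield sid, str(s.Name)
    for sid in servicesids:
        yield sid, servicesids[sid]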
示例5: render_text
def render_text(self, outfd, data):
    """
    Print each (hive, key) pair produced by calculate(): the key name with
    its (S)/(V) stability flag, last-write time, subkeys and decoded values.

    A missing key (falsy ``key``) prints "Unable to find requested key"
    unless --brute-force was requested, in which case it is skipped quietly.
    REG_BINARY data is rendered with hd(); string types are ASCII-escaped.
    """
    write = outfd.write
    for hive_name, key in data:
        if not key:
            if not self._config.BRUTE_FORCE:
                write("Unable to find requested key\n")
            continue
        write("Legend: (S) = Stable (V) = Volatile\n\n")
        write("Registry: {0}\n".format(hive_name))
        write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
        write("Last updated: {0}\n".format(key.LastWriteTime))
        write("\n")
        write("Subkeys:\n")
        for sub in rawreg.subkeys(key):
            # An unreadable name compares == None and carries a ``.reason``;
            # the == form is intentional (it is presumably not the None object).
            if sub.Name == None:
                write(" Unknown subkey: " + sub.Name.reason + "\n")
            else:
                write(" {1:3s} {0}\n".format(sub.Name, self.voltext(sub)))
        write("\n")
        write("Values:\n")
        for val in rawreg.values(key):
            kind, payload = rawreg.value_data(val)
            if kind == 'REG_BINARY':
                payload = "\n" + hd(payload, length = 16)
            elif kind in ('REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK'):
                payload = payload.encode("ascii", 'backslashreplace')
            elif kind == 'REG_MULTI_SZ':
                # Escape every element in place, keeping the same list object.
                for index, item in enumerate(payload):
                    payload[index] = item.encode("ascii", 'backslashreplace')
            write("{0:13} {1:15} : {3:3s} {2}\n".format(kind, val.Name, payload, self.voltext(val)))
示例6: services_from_registry
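def services_from_registry(addr_space):
    """Enumerate services from the cached registry hive.

    Walks the hives reported by the HiveList plugin, takes the first one whose
    name ends in "system" and whose root and Services key can be opened, and
    returns a dict mapping lower-cased service key name -> subkey object.
    Returns an empty dict when no usable SYSTEM hive is found.

    Two changes from the original:
      * The control set is taken from HKLM\\SYSTEM\\Select\\Current (the same
        source registryapi.reg_get_currentcontrolset() uses) instead of
        always ControlSet001, which is only correct when the machine happens
        to be running that set. ControlSet001 remains the fallback when
        Select\\Current is missing/unreadable or the selected set has no
        Services key.
      * A hive whose root or Services key cannot be read is skipped
        (``continue``) instead of aborting the whole search (``break``), so a
        later instance of the SYSTEM hive still gets a chance.
    """
    services = {}
    plugin = hivelist.HiveList(addr_space.get_config())
    for hive in plugin.calculate():
        ## find the SYSTEM hive
        name = hive.get_name()
        if not name.lower().endswith("system"):
            continue
        ## get the root key
        hive_space = hive.address_space()
        root = rawreg.get_root(hive_space)
        if not root:
            continue
        ## open the services key: current control set first, then ControlSet001
        key = None
        for control_set in _control_set_candidates(root):
            key = rawreg.open_key(root, [control_set, "Services"])
            if key:
                break
        if not key:
            continue
        ## build a dictionary of the key names
        for subkey in rawreg.subkeys(key):
            services[(str(subkey.Name).lower())] = subkey
        ## we don't need to keep trying
        break
    return services


def _control_set_candidates(root):
    """Return control set names to try: the current one (if readable) then ControlSet001.

    Reads the ``Current`` value of the ``Select`` key under ``root``. Any
    failure -- missing key or value, or data that does not convert to an int --
    leaves only ["ControlSet001"].
    """
    candidates = []
    select = rawreg.open_key(root, ["Select"])
    if select:
        for v in rawreg.values(select):
            if str(v.Name) != "Current":
                continue
            _, dat = rawreg.value_data(v)
            try:
                candidates.append("ControlSet{0:03}".format(int(dat)))
            except (TypeError, ValueError):
                # Unparseable value: fall through to the default below.
                pass
            break
    if "ControlSet001" not in candidates:
        candidates.append("ControlSet001")
    return candidates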
示例7: reg_get_all_subkeys
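def reg_get_all_subkeys(self, hive_name, key, user = None, given_root = None):
    '''
    Yield the subkeys of ``key`` in hive ``hive_name`` whose Name is readable.

    Parameters:
        hive_name: hive to search, handed to reg_get_key().
        key: backslash-separated key path within the hive.
        user: optional user name selecting a per-user hive. Fix: the original
            accepted this argument but never forwarded it to reg_get_key(),
            so per-user hives could not be targeted through this method.
        given_root: an already-resolved key object; when supplied the lookup
            is skipped and its subkeys are enumerated directly.

    Yields nothing when the key cannot be resolved.
    '''
    # ``!= None`` rather than ``is not None``: a failed lookup passed in as
    # given_root is presumably volatility's NoneObject, which compares equal
    # to None without being None, and should still fall through to the lookup.
    if given_root != None:
        k = given_root
    else:
        k = self.reg_get_key(hive_name, key, user)
    if not k:
        return
    for s in rawreg.subkeys(k):
        if s.Name:
            yield s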
示例8: generator
def generator(self, data):
    """
    Breadth-first walk from key ``data``, yielding one output row per key:
    ``(0, [last-write time as a string, full key path])``. Paths are built
    by joining subkey names with a backslash onto ``data.Name``.
    """
    pending = [(data, str(data.Name))]
    # Appending while iterating is intentional: the for loop picks up rows
    # added to ``pending`` during iteration, giving breadth-first order.
    for node, node_path in pending:
        if not node:
            continue
        yield (0, [str("{0}".format(node.LastWriteTime)), str(node_path)])
        pending.extend((child, "{0}\\{1}".format(node_path, child.Name))
                       for child in rawreg.subkeys(node))
示例9: reg_enum_key
def reg_enum_key(self, hive_name, key, user = None):
    '''
    Yield "<key>\\<subkey name>" for every named subkey of ``key`` in the
    hive ``hive_name`` (``user`` selects a per-user hive). Yields nothing
    when the key is not found; subkeys with an unreadable name are skipped.
    '''
    parent = self.reg_get_key(hive_name, key, user)
    if not parent:
        return
    prefix = key + '\\'
    for child in rawreg.subkeys(parent):
        if not child.Name:
            continue
        yield prefix + child.Name
示例10: reg_enum_key
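def reg_enum_key(self, hive_name, key, user = None):
    '''
    Yield the full path (``key`` + '\\' + subkey name) of every named subkey
    of ``key`` in hive ``hive_name``.

    Parameters:
        hive_name: hive to search, handed to reg_get_key().
        key: backslash-separated key path within the hive; also the prefix
            of every yielded path.
        user: optional user name selecting a per-user hive.

    Yields nothing when the key cannot be resolved; subkeys whose Name is
    unreadable (falsy) are skipped. The ``utils.load_as`` call of the
    original was dropped: the address space it built was assigned to a local
    that was never read.
    '''
    k = self.reg_get_key(hive_name, key, user)
    if not k:
        return
    for s in rawreg.subkeys(k):
        if s.Name:
            yield key + '\\' + s.Name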
示例11: get_user_keys
def get_user_keys(samaddr):
    """
    Return the subkeys of SAM\\Domains\\Account\\Users in the SAM hive
    ``samaddr``, excluding the "Names" subkey. Returns an empty list when the
    hive root or the Users key cannot be opened.
    """
    root = rawreg.get_root(samaddr)
    if not root:
        return []
    users_key = rawreg.open_key(root, ["SAM", "Domains", "Account", "Users"])
    if not users_key:
        return []
    result = []
    for entry in rawreg.subkeys(users_key):
        if entry.Name == "Names":
            continue
        result.append(entry)
    return result
示例12: reg_get_all_subkeys
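def reg_get_all_subkeys(self, hive_name, key, user = None, given_root = None):
    '''
    Yield the subkeys of ``key`` in hive ``hive_name`` whose Name is readable.

    Parameters:
        hive_name: hive to search, handed to reg_get_key().
        key: backslash-separated key path within the hive.
        user: optional user name selecting a per-user hive.
        given_root: an already-resolved key object; when supplied the lookup
            is skipped and its subkeys are enumerated directly.

    Yields nothing when the key cannot be resolved. The ``utils.load_as``
    call of the original was dropped: the address space it built was
    assigned to a local that was never read.
    '''
    # ``== None`` rather than ``is None``: a failed lookup passed in as
    # given_root is presumably volatility's NoneObject, which compares equal
    # to None without being None, and should still go through reg_get_key.
    if given_root == None:
        k = self.reg_get_key(hive_name, key, user)
    else:
        k = given_root
    if not k:
        return
    for s in rawreg.subkeys(k):
        if s.Name:
            yield s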
示例13: render_text
def render_text(self, outfd, data):
    """
    Print each (win7, hive, key) triple from calculate(): hive, key name,
    last-write time, subkeys and values.

    Value names are ROT13-decoded (``encode('rot_13')`` is its own inverse)
    before display. When ``win7`` is true the leading ``{GUID}`` component of
    the decoded name is replaced with its folder name from ``folder_guids``
    if known. REG_BINARY data is handed to self.parse_data(); its summary, if
    any, is prepended to the hexdump. If no key was found at all, a single
    "could not be found" line is written instead.
    """
    keyfound = False
    for win7, reg, key in data:
        if key:
            keyfound = True
            outfd.write("----------------------------\n")
            outfd.write("Registry: {0}\n".format(reg))
            outfd.write("Key name: {0}\n".format(key.Name))
            outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
            outfd.write("\n")
            outfd.write("Subkeys:\n")
            for s in rawreg.subkeys(key):
                # ``== None`` is intentional: an unreadable name is presumably
                # volatility's NoneObject sentinel, which compares equal to
                # None (but is not None) and carries a ``.reason`` string.
                if s.Name == None:
                    outfd.write(" Unknown subkey: " + s.Name.reason + "\n")
                else:
                    outfd.write(" {0}\n".format(s.Name))
            outfd.write("\n")
            outfd.write("Values:\n")
            for v in rawreg.values(key):
                tp, dat = rawreg.value_data(v)
                subname = v.Name
                if tp == 'REG_BINARY':
                    # Keep the raw bytes for parse_data(); ``dat`` becomes the hexdump text.
                    dat_raw = dat
                    dat = "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                    try:
                        subname = subname.encode('rot_13')
                    except UnicodeDecodeError:
                        # Presumably a unicode name with non-ASCII characters
                        # (rot_13 is a str codec); leave it undecoded.
                        pass
                    if win7:
                        guid = subname.split("\\")[0]
                        if guid in folder_guids:
                            subname = subname.replace(guid, folder_guids[guid])
                    d = self.parse_data(dat_raw)
                    if d != None:
                        dat = d + dat
                    else:
                        dat = "\n" + dat
                #these types shouldn't be encountered, but are just left here in case:
                if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                    dat = dat.encode("ascii", 'backslashreplace')
                if tp == 'REG_MULTI_SZ':
                    for i in range(len(dat)):
                        dat[i] = dat[i].encode("ascii", 'backslashreplace')
                outfd.write("\n{0:13} {1:15} : {2}\n".format(tp, subname, dat))
    if not keyfound:
        outfd.write("The requested key could not be found in the hive(s) searched\n")
示例14: render_text
def render_text(self, outfd, data):
    """
    Print, for each (hive, key) pair from calculate(), the key header and
    then one record per subkey: its name, last-write time and the selected
    values listed in ``print_values`` (DisplayName, DisplayVersion, Publisher,
    InstallDate, InstallSource, InstallLocation), in that numeric order.

    Binary values are hexdumped, string values ASCII-escaped; values not in
    ``print_values`` are ignored. ``keyfound`` is set but not consulted in
    this excerpt -- a trailing "not found" report may have been cut off.
    """
    # Numeric keys fix the output order; values are the registry value names to collect.
    print_values = {5:'InstallSource', 6:'InstallLocation', 3:'Publisher',
                    1:'DisplayName', 2:'DisplayVersion', 4:'InstallDate'}
    outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
    keyfound = False
    for reg, key in data:
        if key:
            keyfound = True
            outfd.write("----------------------------\n")
            outfd.write("Registry: {0}\n".format(reg))
            outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
            outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
            outfd.write("\n")
            outfd.write("Subkeys:\n")
            for s in rawreg.subkeys(key):
                key_info = {}
                # ``== None`` is intentional: an unreadable name is presumably
                # volatility's NoneObject sentinel, which compares equal to
                # None (but is not None) and carries a ``.reason`` string.
                if s.Name == None:
                    outfd.write(" Unknown subkey: " + s.Name.reason + "\n")
                else:
                    key_info['Name'] = s.Name
                    key_info['LastUpdated'] = s.LastWriteTime
                    for v in rawreg.values(s):
                        if v.Name not in print_values.values():
                            continue
                        tp, dat = rawreg.value_data(v)
                        if tp == 'REG_BINARY' or tp == 'REG_NONE':
                            dat = "\n" + "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                        if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                            dat = dat.encode("ascii", 'backslashreplace')
                        if tp == 'REG_MULTI_SZ':
                            for i in range(len(dat)):
                                dat[i] = dat[i].encode("ascii", 'backslashreplace')
                        # str() so the dict key matches the plain-str names in print_values.
                        key_info[str(v.Name)] = dat
                    outfd.write("Subkey: {0}\n".format(key_info.get('Name','')))
                    outfd.write(" LastUpdated : {0}\n".format(key_info.get('LastUpdated','')))
                    for k, v in sorted(print_values.items()):
                        val = key_info.get(v, '')
                        if val != '':
                            outfd.write(" {0:16}: {1}\n".format(v, val))
                    outfd.write("\n")
示例15: calculate
def calculate(self):
    """
    Yield (SID, service name) for every service under the current control
    set's Services key, followed by the well-known SIDs in ``servicesids``.

    The control set name comes from RegistryApi.reg_get_currentcontrolset();
    ControlSet001 is used when that lookup returns None. Progress is reported
    through debug.debug() so normal output stays clean.
    """
    debug.debug("Scanning for registries....")
    debug.debug("Getting Current Control Set....")
    regapi = registryapi.RegistryApi(self._config)
    control_set = regapi.reg_get_currentcontrolset()
    # ``== None`` kept deliberately (the value may be a volatility sentinel).
    if control_set == None:
        control_set = "ControlSet001"
    regapi.set_current("system")
    debug.debug("Getting Services and calculating SIDs....")
    services_key = regapi.reg_get_key("system", control_set + "\\Services")
    if services_key:
        known_names = servicesids.values()
        for svc in rawreg.subkeys(services_key):
            if svc.Name in known_names:
                continue
            svc_name = str(svc.Name)
            yield createservicesid(svc_name), svc_name
    for sid, svc_name in servicesids.items():
        yield sid, svc_name