示例1: render_text
def render_text(self, outfd, data):
    """Print each key yielded by the plugin with its subkeys and values.

    ``data`` yields ``(hive_name, key)`` pairs; a falsy ``key`` means the
    requested key was not found in that hive.  Output is written to
    ``outfd``; a trailing message is emitted if no hive produced a key.
    """

    def _render(value_type, payload):
        # Binary/none data becomes an indented hexdump; string types are
        # forced to ASCII (non-ASCII escaped) so the listing stays printable.
        if value_type == 'REG_BINARY' or value_type == 'REG_NONE':
            rows = ["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c))
                    for o, h, c in utils.Hexdump(payload)]
            return "\n" + "\n".join(rows)
        if value_type in ('REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK'):
            return payload.encode("ascii", 'backslashreplace')
        if value_type == 'REG_MULTI_SZ':
            # Escaped in place; the list itself is what gets printed.
            for i, item in enumerate(payload):
                payload[i] = item.encode("ascii", 'backslashreplace')
        return payload

    outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
    found_any = False
    for hive_name, key in data:
        if not key:
            continue
        found_any = True
        outfd.write("----------------------------\n")
        outfd.write("Registry: {0}\n".format(hive_name))
        outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
        outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
        outfd.write("\n")
        outfd.write("Subkeys:\n")
        for sub in rawreg.subkeys(key):
            # An unreadable name comes back as Volatility's NoneObject, which
            # compares == None (not `is None`) and carries a .reason string.
            if sub.Name == None:
                outfd.write(" Unknown subkey: " + sub.Name.reason + "\n")
            else:
                outfd.write(" {1:3s} {0}\n".format(sub.Name, self.voltext(sub)))
        outfd.write("\n")
        outfd.write("Values:\n")
        for entry in rawreg.values(key):
            value_type, payload = rawreg.value_data(entry)
            payload = _render(value_type, payload)
            outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(value_type, entry.Name, payload, self.voltext(entry)))
    if not found_any:
        outfd.write("The requested key could not be found in the hive(s) searched\n")
示例2: render_text
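def render_text(self, outfd, data):
    """Print, for each found key, the FILETIME stored in every binary value
    alongside the value's name.

    ``data`` yields ``(hive_name, key_path, key)``; ``key`` is falsy when
    the key was not found in that hive.  Each REG_BINARY/REG_NONE value is
    expected to begin with an 8-byte little-endian Windows FILETIME
    (100 ns ticks since 1601-01-01).  Values too short to hold one are
    reported and skipped rather than aborting the whole listing, and the
    sub-second remainder is converted from 100 ns ticks to microseconds
    (the original passed raw ticks as microseconds, a 10x error).
    """
    outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
    keyfound = False
    for reg, path, key in data:
        if not key:
            continue
        keyfound = True
        outfd.write("----------------------------\n")
        outfd.write("Registry: {0}\n".format(reg))
        outfd.write("Key path: {0}\n".format(path))
        outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
        outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
        outfd.write("\n")
        outfd.write("Values:\n")
        for v in rawreg.values(key):
            tp, dat = rawreg.value_data(v)
            if tp != 'REG_BINARY' and tp != 'REG_NONE':
                continue
            if not dat or len(dat) < 8:
                # Truncated/corrupt value in the image: report it, don't crash.
                outfd.write("(value too short for a FILETIME)\t" + v.Name + "\n")
                continue
            filetime = struct.unpack("<q", dat[0:8])[0]
            seconds, ticks = divmod(filetime, 10000000)
            days, seconds = divmod(seconds, 86400)
            # Plausibility window in days since 1601; anything outside it is
            # treated as garbage and rendered as the epoch.
            if days > 160000 or days < 140000:
                days = 0
                seconds = 0
                ticks = 0
            open_date = datetime.datetime(1601, 1, 1) + datetime.timedelta(days, seconds, ticks // 10)
            outfd.write(str(open_date) + "\t" + v.Name + "\n")
    if not keyfound:
        outfd.write("The requested key could not be found in the hive(s) searched\n")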
示例3: get_hbootkey
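def get_hbootkey(samaddr, bootkey):
    """Derive the SAM "hashed boot key" (hbootkey) from the SAM hive.

    Reads the ``F`` value of ``SAM\\Domains\\Account`` from ``samaddr`` and
    RC4-decrypts the key material at F[0x80:0xA0] under
    MD5(F[0x70:0x80] || aqwerty || bootkey || anum).  MD5 and RC4 are
    dictated by the on-disk SAM format, not chosen here.

    Returns the 32-byte hbootkey, or None when ``bootkey`` is missing, the
    hive root / Account key / ``F`` value cannot be read, or ``F`` is too
    short to contain the salt and key fields (previously a truncated blob
    silently produced a bogus key).
    """
    if not bootkey:
        return None
    root = rawreg.get_root(samaddr)
    if not root:
        return None
    account_key = rawreg.open_key(root, ["SAM", "Domains", "Account"])
    if not account_key:
        return None
    F = None
    for v in rawreg.values(account_key):
        if v.Name == 'F':
            F = samaddr.read(v.Data, v.DataLength)
    # Salt lives at 0x70..0x80, encrypted key at 0x80..0xA0.
    if not F or len(F) < 0xA0:
        return None
    md5 = MD5.new()
    md5.update(F[0x70:0x80] + aqwerty + bootkey + anum)
    rc4 = ARC4.new(md5.digest())
    return rc4.encrypt(F[0x80:0xA0])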
示例4: render_text
def render_text(self, outfd, data):
    """Print each found key with its subkeys and values.

    ``data`` yields ``(hive_name, key)``.  A miss is reported only when
    not brute-forcing (``self._config.BRUTE_FORCE`` false), since misses
    are expected while brute-forcing.
    """

    def _render(value_type, payload):
        # Binary data is hexdumped; string types are ASCII-escaped.
        if value_type == 'REG_BINARY':
            return "\n" + hd(payload, length = 16)
        if value_type in ('REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK'):
            return payload.encode("ascii", 'backslashreplace')
        if value_type == 'REG_MULTI_SZ':
            for i, item in enumerate(payload):
                payload[i] = item.encode("ascii", 'backslashreplace')
        return payload

    for hive_name, key in data:
        if not key:
            if not self._config.BRUTE_FORCE:
                outfd.write("Unable to find requested key\n")
            continue
        outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
        outfd.write("Registry: {0}\n".format(hive_name))
        outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
        outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
        outfd.write("\n")
        outfd.write("Subkeys:\n")
        for sub in rawreg.subkeys(key):
            # NoneObject name: == None holds, and .reason explains the failure.
            if sub.Name == None:
                outfd.write(" Unknown subkey: " + sub.Name.reason + "\n")
            else:
                outfd.write(" {1:3s} {0}\n".format(sub.Name, self.voltext(sub)))
        outfd.write("\n")
        outfd.write("Values:\n")
        for entry in rawreg.values(key):
            value_type, payload = rawreg.value_data(entry)
            payload = _render(value_type, payload)
            outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(value_type, entry.Name, payload, self.voltext(entry)))
示例5: get_user_hashes
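def get_user_hashes(user_key, hbootkey):
    """Extract and decrypt the LM and NT hashes of one SAM user.

    ``user_key`` is the user's ``SAM\\Domains\\Account\\Users\\<RID>`` key;
    its name is the RID in hex.  The ``V`` value carries a header of
    (offset, length) dword pairs relative to 0xCC: the LM record at
    0x9c/0xa0 and the NT record at 0xa8/0xac.  Each record starts with a
    4-byte revision header (hence +4/-4) followed by 16 bytes of
    encrypted hash.

    Returns whatever ``decrypt_hashes`` returns, or None when ``V`` is
    missing, too short for the header, or a referenced record runs off
    the blob (the original would have handed truncated ciphertext to the
    decryptor).  NOTE(review): this is the RC4/DES-era record layout;
    confirm against newer AES-formatted SAM records before relying on it.
    """
    samaddr = user_key.obj_vm
    rid = int(str(user_key.Name), 16)
    V = None
    for v in rawreg.values(user_key):
        if v.Name == 'V':
            V = samaddr.read(v.Data, v.DataLength)
    if not V or len(V) < 0xb0:
        return None
    lm_offset = unpack("<L", V[0x9c:0xa0])[0] + 0xCC + 4
    lm_len = unpack("<L", V[0xa0:0xa4])[0] - 4
    nt_offset = unpack("<L", V[0xa8:0xac])[0] + 0xCC + 4
    nt_len = unpack("<L", V[0xac:0xb0])[0] - 4
    # A zero-length record means no hash is stored (e.g. LM disabled).
    enc_lm_hash = V[lm_offset:lm_offset + 0x10] if lm_len else ""
    enc_nt_hash = V[nt_offset:nt_offset + 0x10] if nt_len else ""
    # Offsets come straight from the image; refuse records that do not
    # yield a full 16-byte ciphertext instead of decrypting garbage.
    if (lm_len and len(enc_lm_hash) != 0x10) or (nt_len and len(enc_nt_hash) != 0x10):
        return None
    return decrypt_hashes(rid, enc_lm_hash, enc_nt_hash, hbootkey)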
示例6: reg_yield_values
def reg_yield_values(self, hive_name, key, thetype = None, given_root = None):
    '''
    Yield ``(name, data)`` for every value under ``key`` in ``hive_name``,
    optionally restricted to values whose registry type equals ``thetype``.
    ``given_root`` bypasses the key lookup.  Nothing is yielded when
    ``key`` is falsy or the key cannot be opened.
    '''
    if not key:
        return
    if given_root != None:
        root = given_root
    else:
        root = self.reg_get_key(hive_name, key)
    # == None rather than `is`: Volatility lookups may return a NoneObject.
    if root == None:
        return
    for entry in rawreg.values(root):
        value_type, payload = rawreg.value_data(entry)
        if thetype != None and value_type != thetype:
            continue
        yield entry.Name, payload
示例7: find_control_set
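def find_control_set(sysaddr):
    """Return the number of the control set the SYSTEM hive marks current.

    Reads ``Select\\Current`` from the hive at ``sysaddr``.  Falls back to
    1 (ControlSet001) when the hive root or the Select key cannot be
    opened *and* when the Current value is absent -- previously that last
    case fell off the end and returned None, inconsistent with the other
    failure paths and breaking callers that format "ControlSet%03d".
    """
    root = rawreg.get_root(sysaddr)
    if not root:
        return 1
    csselect = rawreg.open_key(root, ["Select"])
    if not csselect:
        return 1
    for v in rawreg.values(csselect):
        if v.Name == "Current":
            # Presumably a REG_DWORD whose Data field holds the number
            # inline -- confirm against rawreg.value_data if in doubt.
            return v.Data
    return 1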
示例8: get_user_desc
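def get_user_desc(user_key):
    """Return the user's description (comment) from the SAM ``V`` value.

    The (offset, length) dword pair at 0x24/0x28, relative to 0xCC,
    locates a UTF-16LE string inside ``V``.  Returns None when ``V`` is
    missing or too short to hold that header; an empty description
    decodes to ''.  Undecodable bytes (e.g. a truncated odd-length slice
    from a corrupt image) are replaced rather than raising.
    """
    samaddr = user_key.obj_vm
    V = None
    for v in rawreg.values(user_key):
        if v.Name == 'V':
            V = samaddr.read(v.Data, v.DataLength)
    if not V or len(V) < 0x2c:
        return None
    desc_offset = unpack("<L", V[0x24:0x28])[0] + 0xCC
    desc_length = unpack("<L", V[0x28:0x2c])[0]
    return V[desc_offset:desc_offset + desc_length].decode('utf-16-le', 'replace')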
示例9: get_user_name
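def get_user_name(user_key):
    """Return the account name from the SAM ``V`` value.

    The (offset, length) dword pair at 0x0c/0x10, relative to 0xCC,
    locates a UTF-16LE string inside ``V``.  Returns None when ``V`` is
    missing or too short to hold that header.  Undecodable bytes (e.g. a
    truncated odd-length slice from a corrupt image) are replaced rather
    than raising, so one bad record does not abort the whole dump.
    """
    samaddr = user_key.obj_vm
    V = None
    for v in rawreg.values(user_key):
        if v.Name == 'V':
            V = samaddr.read(v.Data, v.DataLength)
    if not V or len(V) < 0x14:
        return None
    name_offset = unpack("<L", V[0x0c:0x10])[0] + 0xCC
    name_length = unpack("<L", V[0x10:0x14])[0]
    return V[name_offset:name_offset + name_length].decode('utf-16-le', 'replace')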
示例10: dict_for_key
def dict_for_key(self, key):
    """Return ``{value_name: rendered_data}`` for every value under ``key``.

    Rendering mirrors the printkey plugin: binary/none data becomes a
    hexdump, string types are ASCII-escaped (non-ASCII as backslash
    escapes), and both name and data are finally passed through ``str()``.
    """

    def _render(value_type, payload):
        if value_type == 'REG_BINARY' or value_type == 'REG_NONE':
            rows = ["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c))
                    for o, h, c in utils.Hexdump(payload)]
            return "\n" + "\n".join(rows)
        if value_type in ('REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK'):
            return payload.encode("ascii", 'backslashreplace')
        if value_type == 'REG_MULTI_SZ':
            for i, item in enumerate(payload):
                payload[i] = item.encode("ascii", 'backslashreplace')
        return payload

    rendered = {}
    for entry in rawreg.values(key):
        value_type, payload = rawreg.value_data(entry)
        rendered[str(entry.Name)] = str(_render(value_type, payload))
    return rendered
示例11: dump_hashes
def dump_hashes(addr_space, sysaddr, secaddr):
    """Recover cached domain logon hashes (MSCache) from the SECURITY hive.

    Key chain: bootkey (SYSTEM hive) -> LSA key -> NL$KM, which decrypts
    every value under ``Cache`` except ``NL$Control``.  Returns a list of
    ``(username, domain, domain_name, hash)`` tuples, or an empty list if
    any key in the chain or the Cache key itself cannot be obtained.
    ``is_xp`` (profile major version 5) selects the pre-Vista cache
    record encryption.
    """
    bootkey = hashdump.get_bootkey(sysaddr)
    lsakey = bootkey and lsasecrets.get_lsa_key(addr_space, secaddr, bootkey)
    nlkm = lsakey and get_nlkm(addr_space, secaddr, lsakey)
    if not nlkm:
        return []
    root = rawreg.get_root(secaddr)
    cache = root and rawreg.open_key(root, ["Cache"])
    if not cache:
        return []
    is_xp = addr_space.profile.metadata.get('major', 0) == 5
    results = []
    for entry in rawreg.values(cache):
        if entry.Name == "NL$Control":
            continue
        raw = entry.obj_vm.read(entry.Data, entry.DataLength)
        # == rather than `is`: a failed read may come back as Volatility's
        # NoneObject, which compares equal to None but is not None.
        if raw == None:
            continue
        (uname_len, domain_len, domain_name_len,
         enc_data, ch) = parse_cache_entry(raw)
        # An empty username marks an unused cache slot.
        if uname_len == 0:
            continue
        dec_data = decrypt_hash(enc_data, nlkm, ch, is_xp)
        (username, domain, domain_name,
         hashh) = parse_decrypted_cache(dec_data, uname_len,
                                        domain_len, domain_name_len)
        results.append((username, domain, domain_name, hashh))
    return results
示例12: render_text
def render_text(self, outfd, data):
    """Print UserAssist-style keys: ROT13-decoded value names, subkeys and
    parsed/hexdumped binary values.

    ``data`` yields ``(win7, hive_name, key)``.  ``win7`` selects the
    Windows 7 layout in which a value name begins with a known-folder GUID
    that is replaced by its friendly name from ``folder_guids``.  Binary
    values are hexdumped and, when ``self.parse_data`` understands them,
    prefixed with the parsed fields.  A trailing message is written if no
    hive produced a key.
    """
    keyfound = False
    for win7, reg, key in data:
        if key:
            keyfound = True
            outfd.write("----------------------------\n")
            outfd.write("Registry: {0}\n".format(reg))
            outfd.write("Key name: {0}\n".format(key.Name))
            outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
            outfd.write("\n")
            outfd.write("Subkeys:\n")
            for s in rawreg.subkeys(key):
                # NoneObject name: == None holds, .reason says why it failed.
                if s.Name == None:
                    outfd.write(" Unknown subkey: " + s.Name.reason + "\n")
                else:
                    outfd.write(" {0}\n".format(s.Name))
            outfd.write("\n")
            outfd.write("Values:\n")
            for v in rawreg.values(key):
                tp, dat = rawreg.value_data(v)
                subname = v.Name
                if tp == 'REG_BINARY':
                    dat_raw = dat
                    dat = "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                    # Value names are ROT13-obfuscated.  rot_13 is a Python 2
                    # str-to-str codec, so a non-ASCII name fails to decode
                    # and is left as-is.
                    try:
                        subname = subname.encode('rot_13')
                    except UnicodeDecodeError:
                        pass
                    if win7:
                        guid = subname.split("\\")[0]
                        if guid in folder_guids:
                            subname = subname.replace(guid, folder_guids[guid])
                    # Parsed fields (if any) are printed above the raw hexdump.
                    d = self.parse_data(dat_raw)
                    if d != None:
                        dat = d + dat
                    else:
                        dat = "\n" + dat
                #these types shouldn't be encountered, but are just left here in case:
                if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                    dat = dat.encode("ascii", 'backslashreplace')
                if tp == 'REG_MULTI_SZ':
                    for i in range(len(dat)):
                        dat[i] = dat[i].encode("ascii", 'backslashreplace')
                outfd.write("\n{0:13} {1:15} : {2}\n".format(tp, subname, dat))
    if not keyfound:
        outfd.write("The requested key could not be found in the hive(s) searched\n")
示例13: compare
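def compare(reg_list, mem_list):
    """Yield registry service keys that have no counterpart in memory.

    ``reg_list`` and ``mem_list`` map service names to their registry key
    objects and in-memory records respectively.  Only services that carry
    an ImagePath value are reported: the SCM never loads a service without
    one, so its absence from memory is expected rather than suspicious.

    The value name is matched case-insensitively.  Windows registry value
    names are case-insensitive, so a service whose value is written as
    e.g. "imagepath" is still loaded by the SCM; the previous exact-case
    test would have dropped such a service from the report.
    """
    missing = set(reg_list.keys()) - set(mem_list.keys())
    for service in missing:
        key = reg_list[service]
        has_imagepath = any(str(value.Name).lower() == "imagepath"
                            for value in rawreg.values(key))
        if has_imagepath:
            yield key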
示例14: reg_get_value
def reg_get_value(self, hive_name, key, value, strcmp = None, given_root = None):
    '''
    Return the data of the value named ``value`` under ``key`` in
    ``hive_name`` (``given_root`` bypasses the key lookup).

    With ``strcmp`` None, or for REG_BINARY data, the raw data is returned.
    Otherwise the data is stringified, stripped of surrounding whitespace
    and embedded NULs, and returned only if it equals ``strcmp``.  None is
    returned when nothing matches.
    '''
    if not key or not value:
        return None
    root = given_root if given_root != None else self.reg_get_key(hive_name, key)
    # == None rather than `is`: Volatility lookups may return a NoneObject.
    if root == None:
        return None
    for entry in rawreg.values(root):
        # NOTE(review): exact-case match; Windows treats value names
        # case-insensitively, so a differently-cased name is not found.
        if value != entry.Name:
            continue
        value_type, payload = rawreg.value_data(entry)
        if value_type == 'REG_BINARY' or strcmp == None:
            # Caller wants the raw data back.
            return payload
        # Embedded NULs (UTF-16 leftovers) would defeat the comparison.
        cleaned = ''.join(ch for ch in str(payload).strip() if ord(ch) != 0)
        if strcmp == cleaned:
            return cleaned
    return None
示例15: render_text
def render_text(self, outfd, data):
    """Print the installed-software entries beneath each found key.

    ``data`` yields ``(hive_name, key)``.  For every subkey only the values
    named in ``columns`` (DisplayName, DisplayVersion, Publisher,
    InstallDate, InstallSource, InstallLocation) are collected and printed
    in that fixed order after the subkey's name and last-write time.
    """
    columns = {5:'InstallSource', 6:'InstallLocation', 3:'Publisher',
               1:'DisplayName', 2:'DisplayVersion', 4:'InstallDate'}

    def _render(value_type, payload):
        # Binary/none data is hexdumped; string types are ASCII-escaped.
        if value_type == 'REG_BINARY' or value_type == 'REG_NONE':
            rows = ["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c))
                    for o, h, c in utils.Hexdump(payload)]
            return "\n" + "\n".join(rows)
        if value_type in ('REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK'):
            return payload.encode("ascii", 'backslashreplace')
        if value_type == 'REG_MULTI_SZ':
            for i, item in enumerate(payload):
                payload[i] = item.encode("ascii", 'backslashreplace')
        return payload

    outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
    for hive_name, key in data:
        if not key:
            continue
        outfd.write("----------------------------\n")
        outfd.write("Registry: {0}\n".format(hive_name))
        outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
        outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
        outfd.write("\n")
        outfd.write("Subkeys:\n")
        for sub in rawreg.subkeys(key):
            info = {}
            # NoneObject name: == None holds, .reason says why it failed.
            if sub.Name == None:
                outfd.write(" Unknown subkey: " + sub.Name.reason + "\n")
            else:
                info['Name'] = sub.Name
                info['LastUpdated'] = sub.LastWriteTime
                for entry in rawreg.values(sub):
                    if entry.Name not in columns.values():
                        continue
                    value_type, payload = rawreg.value_data(entry)
                    info[str(entry.Name)] = _render(value_type, payload)
            outfd.write("Subkey: {0}\n".format(info.get('Name','')))
            outfd.write(" LastUpdated : {0}\n".format(info.get('LastUpdated','')))
            for _, label in sorted(columns.items()):
                shown = info.get(label, '')
                if shown != '':
                    outfd.write(" {0:16}: {1}\n".format(label, shown))
            outfd.write("\n")