How to use regipy - 10 common examples

To help you get started, we've selected a few regipy examples based on popular ways it is used in public projects. regipy parses offline Windows registry hives (the NTUSER.DAT, SOFTWARE and SYSTEM fixtures below) and ships forensic plugins such as the persistence, ShimCache and TypedURLs plugins shown here. Note that most of the snippets are taken from the project's own test-suite: they pin exact entry counts and timestamps for one specific fixture hive, so treat them as API usage examples rather than as values to expect from your own evidence.


Source: regipy/recovery.py (GitHub: mkorman90/regipy) — transaction-log ("DIRT" block) recovery; the listing below is truncated.
def _parse_dirt_block(hive_path, transaction_log, hbins_data_size):
    restored_hive_buffer = BytesIO(open(hive_path, 'rb').read())
    recovered_dirty_pages_count = 0

    dirty_vector_length = hbins_data_size // 4096

    if transaction_log.read(4) != b'DIRT':
        raise RegistryRecoveryException('Expected DIRT signature!')

    log_file_base = 1024  # 512 + len(b'DIRT') + dirty_vector_length
    primary_file_base = 4096
    bitmap = transaction_log.read(dirty_vector_length)

    bit_counter = 0
    bitmap_offset = 0

    # Tuples of offset in primary and offset in transaction log
    offsets = []
    while bit_counter < dirty_vector_length * 8:
        is_bit_set = ((bitmap[bit_counter // 8] >> (bit_counter % 8)) & 1) != 0
        if is_bit_set:
            # We skip the basic block for the offsets
            registry_offset = primary_file_base + (bit_counter * 512)
Source: regipy_tests/plugin_tests.py (GitHub: mkorman90/regipy)
def test_installed_programs_plugin_software(software_hive):
    registry_hive = RegistryHive(software_hive)
    plugin_instance = InstalledSoftwarePlugin(registry_hive, as_json=True)
    plugin_instance.run()

    assert len(plugin_instance.entries) == 67

    assert plugin_instance.entries[0] == {
        'registry_path': '\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
        'service_name': 'AddressBook',
        'timestamp': '2009-07-14T04:41:12.758808+00:00'
    }

    assert plugin_instance.entries[-1].items() > {
        'service_name': '{FE2F6A2C-196E-4210-9C04-2B1BC21F07EF}',
        'timestamp': '2011-07-05T22:58:57.996094+00:00',
        'registry_path': '\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
        'uninstall_string': 'MsiExec.exe /X{FE2F6A2C-196E-4210-9C04-2B1BC21F07EF}',
Source: regipy_tests/tests.py (GitHub: mkorman90/regipy)
def test_recurse_ntuser(ntuser_hive):
    registry_hive = RegistryHive(ntuser_hive)

    value_types = {
        'REG_BINARY': 0,
        'REG_DWORD': 0,
        'REG_EXPAND_SZ': 0,
        'REG_MULTI_SZ': 0,
        'REG_NONE': 0,
        'REG_QWORD': 0,
        'REG_SZ': 0
    }

    subkey_count = 0
    values_count = 0
    for subkey in registry_hive.recurse_subkeys(as_json=True):
        subkey_values = subkey.values
        subkey_count += 1
Source: regipy_tests/tests.py (GitHub: mkorman90/regipy)
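def test_hive_serialization(ntuser_hive, temp_output_file):
    """Dump the NTUSER fixture hive to JSON lines and check every line parses.

    Args:
        ntuser_hive: path (or object) accepted by ``RegistryHive`` for the
            NTUSER.DAT test fixture.
        temp_output_file: path of a temporary file that ``dump_hive_to_json``
            writes to, one JSON document per line.

    Raises:
        json.JSONDecodeError: if any emitted line is not valid JSON.
        AssertionError: if the number of emitted lines differs from the
            fixture's known 2318.
    """
    registry_hive = RegistryHive(ntuser_hive)
    dump_hive_to_json(registry_hive, temp_output_file, registry_hive.root, verbose=False)

    line_count = 0
    with open(temp_output_file, 'r') as dumped_hive:
        # Iterate the file directly instead of readlines(): no need to hold
        # all ~2300 lines in memory at once.
        for line in dumped_hive:
            # A successful parse is the check. Asserting on the parsed value
            # (as ``assert json.loads(x)`` did) would also reject a
            # syntactically valid but falsy document such as ``{}`` or ``null``.
            json.loads(line)
            line_count += 1

    # Pinned to this specific fixture hive; a different NTUSER.DAT will
    # produce a different count.
    assert line_count == 2318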
Source: regipy_tests/tests.py (GitHub: mkorman90/regipy)
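def test_parse_header(ntuser_hive):
    """Check the parsed hive header of the NTUSER.DAT fixture field by field.

    Args:
        ntuser_hive: path (or object) accepted by ``RegistryHive`` for the
            NTUSER.DAT test fixture.

    Raises:
        AssertionError: if any header field differs from the fixture's
            known values.
    """
    registry_hive = RegistryHive(ntuser_hive)
    assert isinstance(registry_hive, RegistryHive)

    header = registry_hive.header

    # Equal primary/secondary sequence numbers presumably mean the hive was
    # flushed cleanly and no transaction-log replay is pending — confirm
    # against the parser before relying on this forensically.
    assert header.primary_sequence_num == 744
    assert header.secondary_sequence_num == 744

    # Pinned as the raw integer stored in the header (looks like a Windows
    # FILETIME — verify), not as a converted datetime.
    assert header.last_modification_time == 129782982453388850

    assert header.major_version == 1
    # Asserted once; the earlier version of this test repeated the check.
    assert header.minor_version == 3
    assert header.root_key_offset == 32
    assert header.hive_bins_data_size == 733184

    # File name exactly as embedded in the header, including the '?\\'
    # prefix this fixture carries.
    assert header.file_name == '?\\C:\\Users\\vibranium\\ntuser.dat'
    assert header.checksum == 448714443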
Source: regipy_tests/plugin_tests.py (GitHub: mkorman90/regipy)
def test_persistence_plugin_software(software_hive):
    registry_hive = RegistryHive(software_hive)
    plugin_instance = SoftwarePersistencePlugin(registry_hive, as_json=True)
    plugin_instance.run()

    assert plugin_instance.entries == {
        '\\Microsoft\\Windows\\CurrentVersion\\Run':
            {'timestamp': '2012-04-04T01:54:23.669836+00:00',
             'values': [
                 {
                     'name': 'VMware Tools',
                     'value_type': 'REG_SZ',
                     'value': '"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"',
                     'is_corrupted': False
                 },
                 {
                     'name': 'VMware User Process',
                     'value_type': 'REG_SZ',
Source: regipy_tests/plugin_tests.py (GitHub: mkorman90/regipy)
def test_persistence_plugin_ntuser(ntuser_hive):
    registry_hive = RegistryHive(ntuser_hive)
    plugin_instance = NTUserPersistencePlugin(registry_hive, as_json=True)
    plugin_instance.run()

    assert plugin_instance.entries == {
        '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run': {
            'timestamp': '2012-04-03T21:19:54.837716+00:00',
            'values': [
                {'name': 'Sidebar',
                 'value_type': 'REG_EXPAND_SZ',
                 'value': '%ProgramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun', 'is_corrupted': False
                 }
Source: regipy_tests/plugin_tests.py (GitHub: mkorman90/regipy)
def test_typed_urls_plugin_ntuser(ntuser_hive):
    registry_hive = RegistryHive(ntuser_hive)
    plugin_instance = TypedUrlsPlugin(registry_hive, as_json=True)
    plugin_instance.run()

    assert plugin_instance.entries == {
        'last_write': '2012-04-03T22:37:55.411500+00:00',
        'entries': [
            {'url1': 'http://199.73.28.114:53/'},
            {'url2': 'http://go.microsoft.com/fwlink/?LinkId=69157'}
        ]
Source: regipy_tests/plugin_tests.py (GitHub: mkorman90/regipy)
def test_shimcache_plugin(system_hive):
    """Run ShimCachePlugin over the SYSTEM fixture and pin the first entry.

    Args:
        system_hive: path (or object) accepted by ``RegistryHive`` for the
            SYSTEM hive test fixture.

    Raises:
        AssertionError: if the entry count or the first entry differs from
            the fixture's known values.
    """
    hive = RegistryHive(system_hive)
    shimcache = ShimCachePlugin(hive, as_json=True)
    shimcache.run()

    entries = shimcache.entries
    # Count pinned to this specific fixture hive.
    assert len(entries) == 660

    # NOTE: 'exec_flag' is the string 'True', not a bool — at least with
    # as_json=True that is what the plugin emits, so consumers comparing
    # against a boolean would silently miss executed entries.
    expected_first = {
        'last_mod_date': '2011-01-12T12:08:00+00:00',
        'path': '\\??\\C:\\Program Files\\McAfee\\VirusScan Enterprise\\mfeann.exe',
        'exec_flag': 'True',
    }
    assert entries[0] == expected_first
Source: regipy_tests/plugin_tests.py (GitHub: mkorman90/regipy)
def test_printdemon_plugin(software_hive):
    registry_hive = RegistryHive(software_hive)
    plugin_instance = PrintDemonPlugin(registry_hive, as_json=True)
    plugin_instance.run()
    
    assert plugin_instance.entries == [
        {'parameters': ['9600', 'n', '8', '1'],
         'port_name': 'COM1:',
         'timestamp': '2010-11-10T10:35:02.448040+00:00'},
        {'parameters': ['9600', 'n', '8', '1'],
         'port_name': 'COM2:',
         'timestamp': '2010-11-10T10:35:02.448040+00:00'},
        {'parameters': ['9600', 'n', '8', '1'],
         'port_name': 'COM3:',
         'timestamp': '2010-11-10T10:35:02.448040+00:00'},
        {'parameters': ['9600', 'n', '8', '1'],
         'port_name': 'COM4:',
         'timestamp': '2010-11-10T10:35:02.448040+00:00'},