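def get_key(self, key_path):
    """
    Return the subkey addressed by *key_path*.

    :param key_path: Absolute, backslash-separated registry path (for example
                     ``\\Software\\Microsoft``). A bare ``'\\'`` denotes the root
                     key; an empty path is treated the same way, which is what is
                     left over when *key_path* equals ``partial_hive_path`` exactly.
    :return: The subkey object for the last path component, or ``self.root``
             for the root path.
    :raises RegistryKeyNotFoundException: if a path component does not exist,
        or if this is a partial hive and *key_path* lies outside the subtree it
        holds.
    """
    if self.partial_hive_path:
        # A partial hive only contains the subtree below partial_hive_path, so the
        # prefix is stripped to make the lookup relative to the hive's real root.
        # NOTE(review): the prefix match is case-sensitive whereas registry paths
        # are not; confirm whether callers normalise case before getting here.
        if key_path.startswith(self.partial_hive_path):
            key_path = key_path[len(self.partial_hive_path):]
        else:
            raise RegistryKeyNotFoundException(f'Did not find subkey at {key_path}, because this is a partial hive')
    logger.debug('Getting key: {}'.format(key_path))
    # An empty path used to fall through to `key_path_parts.pop(0)` on an empty
    # list and raise IndexError; it can only arise from prefix stripping above.
    if key_path in ('', '\\'):
        return self.root
    # Paths are expected to be absolute, so the element before the first
    # backslash is empty and dropped.
    key_path_parts = key_path.split('\\')[1:]
    subkey = self.root.get_key(key_path_parts.pop(0))
    if not subkey:
        raise RegistryKeyNotFoundException('Did not find subkey at {}'.format(key_path))
    # Names of the keys resolved so far, used to report where a lookup failed.
    resolved_parts = [subkey.name]
    for path_part in key_path_parts:
        parent_path = '\\'.join(resolved_parts)
        subkey = subkey.get_key(path_part)
        if not subkey:
            # parent_path now names the key that was actually searched; the old
            # code joined the list before appending the current key and so
            # reported the grandparent instead.
            raise RegistryKeyNotFoundException('Did not find {} at {}'.format(path_part, parent_path))
        resolved_parts.append(subkey.name)
    return subkey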
def run(self):
try:
subkey = self.registry_hive.get_key(WORD_WHEEL_QUERY_KEY_PATH)
except RegistryKeyNotFoundException as ex:
logger.error(f'Could not find {self.NAME} plugin data at: {WORD_WHEEL_QUERY_KEY_PATH}: {ex}')
return None
timestamp = convert_wintime(subkey.header.last_modified, as_json=self.as_json)
mru_list_order = subkey.get_value('MRUListEx')
# If this is the value, the list is empty
if mru_list_order == 0xffffffff:
return None
for i, entry_name in enumerate(GreedyRange(Int32ul).parse(mru_list_order)):
entry_value = subkey.get_value(str(entry_name))
if not entry_value:
continue
def run(self):
logger.info('Started Services enumeration Plugin...')
for control_set_services_path in self.registry_hive.get_control_sets(SERVICES_PATH):
try:
subkey = self.registry_hive.get_key(control_set_services_path)
except RegistryKeyNotFoundException as ex:
logger.error(ex)
continue
self.entries[control_set_services_path] = {
'timestamp': subkey.header.last_modified
}
services = []
for service in subkey.iter_subkeys():
values = None
if service.values_count > 0:
values = [x for x in service.iter_values(as_json=True)]
services.append({
'name': service.name,
'last_modified': convert_wintime(service.header.last_modified, as_json=self.as_json),
'values': values,
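def run(self):
    """
    Collect one entry per user profile listed under ProfileList.

    Each entry records the SID (the profile subkey's name), the profile image
    path, flag/state values, the key's last-write time, and the two load times
    decoded from their low/high FILETIME halves. Entries are appended to
    ``self.entries``; nothing is returned.
    """
    logger.info('Started profile list plugin...')
    try:
        subkey = self.registry_hive.get_key(PROFILE_LIST_KEY_PATH)
    except RegistryKeyNotFoundException as ex:
        logger.error(ex)
        # Nothing to enumerate without the key; the previous code fell through
        # here and raised UnboundLocalError on `subkey` in the loop below.
        return
    for profile in subkey.iter_subkeys():
        # NOTE(review): the raw get_value() results are passed straight to
        # convert_filetime; confirm it tolerates a missing (None) half.
        self.entries.append({
            'last_write': convert_wintime(profile.header.last_modified, as_json=self.as_json),
            'path': profile.get_value('ProfileImagePath'),
            'flags': profile.get_value('Flags'),
            'full_profile': profile.get_value('FullProfile'),
            'state': profile.get_value('State'),
            'sid': profile.name,
            'load_time': convert_filetime(profile.get_value('ProfileLoadTimeLow'), profile.get_value('ProfileLoadTimeHigh')),
            'local_load_time': convert_filetime(profile.get_value('LocalProfileLoadTimeLow'), profile.get_value('LocalProfileLoadTimeHigh'))
        })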
def hive_to_json(hive_path, output_path, registry_path, timeline, hive_type, partial_hive_path, verbose):
with logbook.NestedSetup(_get_log_handlers(verbose=verbose)).applicationbound():
registry_hive = RegistryHive(hive_path, hive_type=hive_type, partial_hive_path=partial_hive_path)
if registry_path:
try:
name_key_entry = registry_hive.get_key(registry_path)
except RegistryKeyNotFoundException as ex:
logger.debug('Did not find the key: {}'.format(ex))
return
else:
name_key_entry = registry_hive.root
if timeline and not output_path:
click.secho('You must provide an output path if choosing timeline output!', fg='red')
return
if output_path:
if timeline:
with open(output_path, 'w') as csvfile:
csvwriter = csv.DictWriter(csvfile, delimiter=',',
quotechar='"', quoting=csv.QUOTE_MINIMAL,
fieldnames=['timestamp', 'subkey_name', 'values_count'])
csvwriter.writeheader()
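def get_subkey_values_from_list(registry_hive, entries_list, as_json=False):
    """
    Return the values of each registry subkey in a list of paths.

    Paths that cannot be resolved are logged at debug level and skipped, as are
    subkeys that exist but hold no values.

    :param registry_hive: A RegistryHive object
    :param entries_list: A list of absolute key paths as strings
    :param as_json: Whether to return each value as a plain dict (via
                    ``attr.asdict``) rather than the value object
    :return: A dict mapping each resolved path to
             ``{'timestamp': <last modified>, 'values': [...]}``
    """
    result = {}
    for path in entries_list:
        try:
            subkey = registry_hive.get_key(path)
        except (RegistryKeyNotFoundException, NoRegistrySubkeysException) as ex:
            logger.debug('Could not find subkey: {} ({})'.format(path, ex))
            continue
        # Keys without values contribute nothing, so decide that once up front
        # instead of testing values_count twice as the old code did.
        if not subkey.values_count:
            continue
        ts = convert_wintime(subkey.header.last_modified, as_json=as_json)
        if as_json:
            values = [attr.asdict(x) for x in subkey.iter_values(as_json=as_json)]
        else:
            values = list(subkey.iter_values(as_json=as_json))
        result[path] = {
            'timestamp': ts,
            'values': values
        }
    return result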
def run(self):
logger.info('Started AmCache Plugin...')
try:
amcache_file_subkey = self.registry_hive.get_key(r'\Root\File')
except RegistryKeyNotFoundException:
logger.info(r'Could not find \Root\File subkey')
amcache_file_subkey = None
try:
amcache_inventory_file_subkey = self.registry_hive.get_key(r'\Root\InventoryApplicationFile')
except RegistryKeyNotFoundException:
logger.info(r'Could not find \Root\InventoryApplicationFile subkey')
amcache_inventory_file_subkey = None
if amcache_file_subkey:
for subkey in amcache_file_subkey.iter_subkeys():
if subkey.header.subkey_count > 0:
for file_subkey in subkey.iter_subkeys():
self.parse_amcache_file_entry(file_subkey)
if subkey.header.values_count > 0:
self.entries.append(subkey)