Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Importeer de juiste bibliotheken om de registry te kunnen lezen
- import sys
- import winreg
- import tabulate
- import os.path as osp
- import logging
- import hashlib
- logger = logging.getLogger('Registry Keys')
- logging.basicConfig(handlers=[logging.FileHandler('registry_keys.log', 'w', 'utf-8')],
- format='%(name)s: %(asctime)s %(levelname)s: %(message)s', datefmt='%d/%m/%Y %I:%M:%S %p',
- level=logging.DEBUG)
- def choice_menu(geef_HKEY, geef_pad):
- # input vragen aan de gebruiker.
- logger.info("Asked for input HKEY.")
- logger.info("Received input HKEY: " + geef_HKEY)
- logger.info("Asked for input path, ")
- logger.info("Received input path: " + geef_pad)
- # Wanneer er een enter wordt ingevoerd geeft het programma een fout melding
- if (geef_pad == ""):
- print("Path not found, please enter a valid path choice. Try again.")
- sys.exit(1)
- if (geef_HKEY == ""):
- print("HKEY not found, please enter a valid HKEY choice. Try again.")
- sys.exit(1)
- # Leest de gegeven HKEY-input van de gebruiker uit.
- try:
- HKEY_found = False
- logging.info("Analyzing HKEY and path choice")
- if (geef_HKEY == "HKEY_CLASSES_ROOT"):
- explorer = winreg.OpenKey(
- winreg.HKEY_CLASSES_ROOT, geef_pad)
- HKEY_found = True
- elif (geef_HKEY == "HKEY_CURRENT_USER"):
- explorer = winreg.OpenKey(
- winreg.HKEY_CURRENT_USER, geef_pad)
- HKEY_found = True
- elif (geef_HKEY == "HKEY_LOCAL_MACHINE"):
- explorer = winreg.OpenKey(
- winreg.HKEY_LOCAL_MACHINE, geef_pad)
- HKEY_found = True
- elif (geef_HKEY == "HKEY_USERS"):
- explorer = winreg.OpenKey(
- winreg.HKEY_USERS, geef_pad)
- HKEY_found = True
- elif (geef_HKEY == "HKEY_PERFORMANCE_DATA"):
- explorer = winreg.OpenKey(
- winreg.HKEY_PERFORMANCE_DATA, geef_pad)
- HKEY_found = True
- elif (geef_HKEY == "HKEY_CURRENT_CONFIG"):
- explorer = winreg.OpenKey(
- winreg.HKEY_CURRENT_CONFIG, geef_pad)
- HKEY_found = True
- elif (geef_HKEY == "HKEY_DYN_DATA"):
- explorer = winreg.OpenKey(
- winreg.HKEY_DYN_DATA, geef_pad)
- HKEY_found = True
- if (HKEY_found == False):
- print("HKEY not found, please enter a valid HKEY choice. Try again.")
- logging.info("HKEY not found")
- sys.exit(1)
- return
- return explorer
- except:
- print("Path not found, please enter a valid path choice. Try again.")
- logging.info("Path not found")
- sys.exit(1)
- def reg_reader(exp):
- registry = []
- # Geeft bij 'Type' de bijbehoorende state naam aan.
- TYPE_STATE = {0: 'REG_NONE',
- 1: 'REG_SZ',
- 2: 'REG_EXPAND_SZ',
- 3: 'REG_BINARY',
- 4: 'REG_DWORD ',
- 5: 'REG_DWORD_BIG_ENDIAN',
- 6: 'REG_LINK',
- 7: 'REG_MULTI_SZ',
- 8: 'REG_RESOURCE_LIST',
- 9: 'REG_FULL_RESOURCE_DESCRIPTOR',
- 10: 'REG_RESOURCE_REQUIREMENTS_LIST',
- 11: 'REG_QWORD '}
- # Waardes in de lijst van de registry keys
- try:
- i = 0
- while 1:
- name, data, type = winreg.EnumValue(exp, i)
- i += 1
- # Tabelontwerp creeëren
- name = str(name)
- type = str(TYPE_STATE.get(type))
- data = str(data)
- registry.append({
- 'Name': name, 'Type': type, 'Data': data,
- })
- logging.info("Append values to registry list.")
- except WindowsError:
- print
- return registry
- def filter_reg(registry, filter_vraag, filter_naam, filter_type):
- ongefilterd_lijst = registry
- filter_lijst = []
- logging.info("input for filter the registry: " + filter_vraag)
- if (filter_vraag.upper() == "N"):
- return ongefilterd_lijst
- elif (filter_vraag.upper() == "Y"):
- logging.info("input to filter on name: " + filter_naam)
- logging.info("input to filter on type: " + filter_type)
- if (filter_naam + filter_type == ""):
- return ongefilterd_lijst
- else:
- if (filter_naam != ""):
- for key in ongefilterd_lijst:
- if key in filter_lijst:
- continue
- elif (key['Name'] == filter_naam):
- filter_lijst.append(key)
- logging.info("Registry key list is filtered on name.")
- if (filter_lijst == []):
- print("Name not found in list of registry keys \n")
- logging.info("Name not found in the registry keys list.")
- if (filter_type != ""):
- for key in ongefilterd_lijst:
- if key in filter_lijst:
- continue
- elif (key['Type'] == filter_type):
- filter_lijst.append(key)
- logging.info("Registry key list is filtered on type.")
- if (filter_lijst == []):
- print("Type not found in list of registry keys \n")
- logging.info("Type not found in the registry keys list.")
- if filter_lijst == []:
- print("Did not find IOC in: Registry Keys ")
- sys.exit(1)
- else:
- print("Found IOC, possible malware in: Registry Keys ")
- return filter_lijst
- else:
- print("The input you gave did not correspond Y or N.")
- logging.info("The input did not correspond with Y or N.")
- def save_keys(final_list):
- # print tabel naar scherm
- header = final_list[0].keys()
- rows = [x.values() for x in final_list]
- tableregkey = tabulate.tabulate(rows, header, tablefmt='rst')
- logging.info("Create table of registry keys.")
- print(tableregkey)
- logging.info("Printed table of registry keys.")
- # schrijf de tabel met uitkomsten naar een .txt bestand.
- if osp.isfile("RegistryKeys.txt"):
- f = open('RegistryKeys.txt', 'w')
- else:
- f = open('RegistryKeys.txt', 'x')
- logging.info("Save list of registry keys.")
- f.write(tableregkey)
- logger.info('writing results to file.')
- f.close()
- logger.info('close txt file.')
- # hashing
- hasher = hashlib.md5()
- with open('RegistryKeys.txt', 'rb') as afile:
- buf = afile.read()
- hasher.update(buf)
- hash1 = 'RegistryKeys.txt MD5 Hashwaarde: ' + hasher.hexdigest()
- logger.debug('Generating MD5 hash: ' + hasher.hexdigest())
- hashersha = hashlib.sha256()
- with open('RegistryKeys.txt', 'rb') as afile:
- buf = afile.read()
- hashersha.update(buf)
- hash2 = 'RegistryKeys.txt SHA256 Hashwaarde: ' + hashersha.hexdigest()
- logger.debug('Generating SHA256 hash: ' + hashersha.hexdigest())
- f = open('hashfile.txt', 'a', encoding="utf-8")
- logger.info('open file: hashfile.txt')
- f.write(hash1 + '\n' + hash2 + '\n')
- logger.info('writing md5 hash to file')
- f.close()
- logger.info('close file: hashfile.txt')
- def main(geef_HKEY, geef_pad, filter_vraag, filter_naam, filter_type):
- save_keys(filter_reg(reg_reader(choice_menu(geef_HKEY, geef_pad)), filter_vraag, filter_naam, filter_type))
- if __name__ == '__main__':
- main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement