├── AutomatedProfiler.ps1
├── LICENSE
├── MFTECmd
└── MFTECmd.exe
├── Profiler.jpg
├── README.md
├── Recmd
├── Bookmarks
│ └── Common
│ │ ├── Autoruns_NtUser_Run_2ec3d165-3d58-417e-bf86-d30652b7b53a
│ │ ├── Autoruns_Software_Run_b747b395-acee-4576-9b52-a89349b8d831
│ │ ├── Autoruns_UsrClass_VirtualStore_bac80d4f-92ed-41a6-bb70-9749bf17736e
│ │ ├── Communication_NtUser_TeamViewer_d32c0647-339c-4d4f-8282-daf26b927699
│ │ ├── Communication_NtUser_UnreadMail_d6d419d3-bc7c-4e6c-b73d-e1235c3a2943
│ │ ├── Network_Software_LastConnect_1516cac4-ff62-4d2e-a9f5-a20815853b3e
│ │ ├── Network_Software_NetworkCards_3cfa462c-31d1-4ad6-8b47-98f281c50728
│ │ ├── Network_System_{4d36e972-e325-11ce-bfc1-08002be10318}_54796294-d279-4552-bda5-fe672b4ea675
│ │ ├── Operating system_NtUser_CD Burning_0f0005c8-7a16-4223-8a73-87dc0d307849
│ │ ├── Operating system_Sam_Users_58f6066e-53f0-43a7-823c-5679da0e4cd9
│ │ ├── Operating system_Software_Channels_8ab43ae7-05ce-4c41-9c70-f77df5317e67
│ │ ├── Operating system_Software_Control Panel_7e993a1a-b5af-4247-8b34-6bbe13eb7f3c
│ │ ├── Operating system_Software_CurrentVersion_0a017e3d-c0fe-40c9-84fb-8bcd45c96a7e
│ │ ├── Operating system_Software_CurrentVersion_3d9483dc-d89c-423a-ae83-a57405d6a752
│ │ ├── Operating system_Software_Devices_121a3617-c512-4b5f-a770-11b1cdb19983
│ │ ├── Operating system_Software_EMDMgmt_5c905164-7055-4422-a141-f8539d5ef4fe
│ │ ├── Operating system_Software_Image File Execution Options_59ddbb92-609a-44e8-9bb7-e1f5b797e397
│ │ ├── Operating system_Software_Windows Portable Devices_39661eda-1373-493a-b333-583c51c9e74b
│ │ ├── Operating system_Software_Winlogon_129b227e-57cd-400b-b370-4ef3d08f9627
│ │ ├── Operating system_System_ComputerName_f5259882-9906-413f-b845-b2bbca09ffeb
│ │ ├── Operating system_System_CrashControl_a4d38e6e-fa6e-4ceb-8a1f-b7b2f25bf573
│ │ ├── Operating system_System_Environment_7044cf87-168f-4588-bae0-426632d08330
│ │ ├── Operating system_System_EventLog_e99f1b87-9f35-4876-a5c5-3c99b92e4bfd
│ │ ├── Operating system_System_FileSystem_b20a0736-0d62-4a26-9539-a53ded5f152b
│ │ ├── Operating system_System_FilesNotToSnapshot_af3e091f-8598-43e1-9e19-39c1352a72ea
│ │ ├── Operating system_System_Memory Management_15dc67bb-bf95-46ef-87db-e4e34e387125
│ │ ├── Operating system_System_PrefetchParameters_0f9651f6-3aa8-4bac-89aa-e57a73744ee2
│ │ ├── Operating system_System_RDP-Tcp_6e9f18d0-7173-424c-b695-e8c2894ee110
│ │ ├── Operating system_System_SafeBoot_1da3ee50-90bf-49ed-9aa6-b97ba9948eee
│ │ ├── Operating system_System_Services_9a4c3785-ec1c-4248-8b0a-cc32a3578d67
│ │ ├── Operating system_System_Terminal Server_bc0da746-e8c5-465a-a70f-2779e7c914de
│ │ ├── Operating system_System_TimeZoneInformation_e16fbaa9-172c-4501-a55d-0cb4adb02cac
│ │ ├── Operating system_System_USB_d9ecec7b-e4c6-4c8d-9f65-2b971efbb4c4
│ │ ├── Operating system_System_VSS_7afab042-09fb-4f0f-ae3e-b3c58c93f83c
│ │ ├── Operating system_System_Windows_29e05135-bc83-4332-a11b-ea3c357e4de5
│ │ ├── Operating system_System_Windows_d73fc227-8ea3-45e8-ac69-041a06a6c629
│ │ ├── Operating system_System_{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_18c3eafb-034d-49b6-9558-45b92416bf33
│ │ ├── Operating system_System_{6bdd1fc6-810f-11d0-bec7-08002be2092f}_80aafc9b-f28d-41a8-929c-6c016c4b5bc0
│ │ ├── Program execution_NtUser_FileExts_03427bd9-675f-4564-9d7b-058e797a7cb6
│ │ ├── Program execution_NtUser_FirstFolder_a640410c-d053-4966-ace5-36bc4b977c9a
│ │ ├── Program execution_NtUser_MUICache_a51a8919-ffdd-4135-91fa-affac7f65bb5
│ │ ├── Program execution_NtUser_RunMRU_524957bc-0c7e-490c-a8cf-f6bce2e1e1b5
│ │ ├── Program execution_NtUser_Sysinternals_a801be22-7473-4c4c-9a57-9dbc90bcbf7c
│ │ ├── Program execution_NtUser_UserAssist_660a4ade-592f-4c64-bd85-8241378d0839
│ │ ├── Program execution_System_AppCompatCache_f1adf410-8700-4a83-bc2e-f53cededc03d
│ │ ├── Software_Software_Internet Explorer_140f36ce-6571-4966-b6e4-641c30a9b9b1
│ │ ├── Software_Software_Products_a3ce0f6a-434d-4c2d-ba8f-16ce24209fe4
│ │ ├── Software_Software_Products_c6b061c4-df1d-477f-bcde-4846ec328c31
│ │ ├── Storage_System_MountedDevices_0d010e87-8b14-4ce1-b084-e99b5ab9748c
│ │ ├── Storage_System_USBSTOR_3d1bc4ba-8eb2-4ec7-a4be-e6792505f999
│ │ ├── Storage_System_{10497b1b-ba51-44e5-8318-a65c837b6661}_9fe29ea5-44f1-4d92-82a0-d6b1fb84ee34
│ │ ├── User configuration_NtUser_CurrentVersion_9fef0ee2-99c9-4131-bd77-3f28fad9f8c7
│ │ ├── User configuration_NtUser_CurrentVersion_b8239cb1-3e84-41ae-a156-ebabfadea7d1
│ │ ├── User configuration_NtUser_Internet Settings_57563b19-0d7b-4f61-a76a-5ec5dfecb7c4
│ │ ├── User configuration_NtUser_PrinterPorts_fe1bbde9-e2bc-4764-9948-3c3b8d8c2112
│ │ ├── User configuration_Software_StartMenuInternet_dc7c443e-51be-41c6-bd71-851c9d108ad6
│ │ ├── User configuration_Software_command_0054aabe-ed43-4485-b3ce-bc6490cfe81e
│ │ ├── User files and folders_NtUser_7-Zip_af7dfd06-6a98-4c8b-a795-bfb9f5ae407d
│ │ ├── User files and folders_NtUser_ComDlg32_44d580cf-ef19-4749-b833-f787ac1b0220
│ │ ├── User files and folders_NtUser_Compression_d0e9ff87-f6be-47ec-888d-164cb58f19f3
│ │ ├── User files and folders_NtUser_FileHistory_2895d67d-8601-45df-9758-f72958482822
│ │ ├── User files and folders_NtUser_Map Network Drive MRU_df6ed689-944a-46b1-a806-f5f78830429a
│ │ ├── User files and folders_NtUser_MountPoints2_28014255-7733-4398-a859-dd76642a19c7
│ │ ├── User files and folders_NtUser_RecentDocs_51af122a-734f-4b9b-8138-4633f67e0cad
│ │ ├── User files and folders_NtUser_Shell Folders_feec11a9-1482-4629-a083-0caf2df99873
│ │ ├── User files and folders_NtUser_User MRU_41e2c5c4-4da2-4b96-99ae-a4fb532f93d4
│ │ ├── User files and folders_NtUser_User MRU_6bbf4038-b3c6-4ba5-a4e1-d04d3166e675
│ │ ├── User files and folders_NtUser_User MRU_83fcbc4b-a0d4-40d2-b414-91ffa96d778c
│ │ ├── User files and folders_NtUser_WinRAR_204cf564-85f5-42b9-983f-d94a970e7374
│ │ ├── User files and folders_UsrClass_BagMRU_237fdb41-7713-485d-94ab-f07f4c157356
│ │ ├── User general_NtUser_CCleaner_ec48ddd3-4f09-4431-b388-7f5d18eaab43
│ │ ├── User general_NtUser_WordWheelQuery_89ca3fef-d045-4ff2-8891-4c61cf6c30ea
│ │ ├── User network_NtUser_Ares_fe9bac6b-b1fd-4710-8579-80b31f4fe288
│ │ ├── User network_NtUser_Default_617e9fc6-565a-4986-a3fa-7e517fcbf6a3
│ │ ├── User network_NtUser_FTP_013baa05-0d47-4db7-9dbd-d4cb6231dc90
│ │ ├── User network_NtUser_TeamViewer_6aa0d3cd-9926-4f23-bf9b-f675636944f0
│ │ ├── User network_System_FirewallPolicy_6701136a-ccfb-476e-af28-d58543636ba4
│ │ ├── User network_System_Shares_7794e865-4630-4703-ac0f-76e650314b01
│ │ └── Web browsing_NtUser_TypedURLs_24aec1e0-f92a-49db-8ec0-8443a7bbd130
├── Plugins
│ ├── AppCompatCache
│ │ ├── AppCompatCache.dll
│ │ └── RegistryPlugin.AppCompatCache.dll
│ ├── RegistryPlugin.7-ZipHistory.dll
│ ├── RegistryPlugin.Ares.dll
│ ├── RegistryPlugin.CIDSizeMRU.dll
│ ├── RegistryPlugin.FileExts.dll
│ ├── RegistryPlugin.FirstFolder.dll
│ ├── RegistryPlugin.LastVisitedMRU.dll
│ ├── RegistryPlugin.LastVisitedPidlMRU.dll
│ ├── RegistryPlugin.OfficeMRU.dll
│ ├── RegistryPlugin.OpenSaveMRU.dll
│ ├── RegistryPlugin.OpenSavePidlMRU.dll
│ ├── RegistryPlugin.RecentDocs.dll
│ ├── RegistryPlugin.RunMRU.dll
│ ├── RegistryPlugin.SAM.dll
│ ├── RegistryPlugin.TimeZoneInformation.dll
│ └── RegistryPlugin.UserAssist.dll
├── RECmd
│ ├── NLog.config.xml
│ └── RECmd.exe
└── Settings
│ ├── AvailBookmarks.layout
│ ├── Categories
│ ├── FindGrid.layout
│ ├── General
│ ├── HiddenKeys
│ ├── RecentSearches
│ ├── RegistryHives.layout
│ └── ValuesGrid.layout
├── RegRipper
├── 1.mp3
├── README.md
├── _gitattributes
├── _gitignore
├── copying.txt
├── license.txt
├── p2x5124.dll
├── plugins
│ ├── acmru.pl
│ ├── adoberdr.pl
│ ├── ahaha.pl
│ ├── aim.pl
│ ├── all
│ ├── amcache.pl
│ ├── aports.pl
│ ├── appcertdlls.pl
│ ├── appcompatcache.pl
│ ├── appcompatcache_tln.pl
│ ├── appcompatflags.pl
│ ├── appinitdlls.pl
│ ├── applets.pl
│ ├── applets_tln.pl
│ ├── apppaths.pl
│ ├── apppaths_tln.pl
│ ├── appspecific.pl
│ ├── ares.pl
│ ├── arpcache.pl
│ ├── assoc.pl
│ ├── at.pl
│ ├── at_tln.pl
│ ├── attachmgr.pl
│ ├── attachmgr_tln.pl
│ ├── audiodev.pl
│ ├── auditfail.pl
│ ├── auditpol.pl
│ ├── auditpol_xp.pl
│ ├── autoendtasks.pl
│ ├── autorun.pl
│ ├── backuprestore.pl
│ ├── banner.pl
│ ├── baseline.pl
│ ├── bho.pl
│ ├── bitbucket.pl
│ ├── bitbucket_user.pl
│ ├── brisv.pl
│ ├── btconfig.pl
│ ├── bthport.pl
│ ├── cached.pl
│ ├── cached_tln.pl
│ ├── cain.pl
│ ├── ccleaner.pl
│ ├── cdstaginginfo.pl
│ ├── clampi.pl
│ ├── clampitm.pl
│ ├── clsid.pl
│ ├── cmd_shell.pl
│ ├── cmd_shell_tln.pl
│ ├── cmd_shell_u.pl
│ ├── cmdproc.pl
│ ├── cmdproc_tln.pl
│ ├── codeid.pl
│ ├── comdlg32.pl
│ ├── comfoo.pl
│ ├── compdesc.pl
│ ├── compname.pl
│ ├── controlpanel.pl
│ ├── cortana.pl
│ ├── cpldontload.pl
│ ├── crashcontrol.pl
│ ├── ctrlpnl.pl
│ ├── dcom.pl
│ ├── ddm.pl
│ ├── ddo.pl
│ ├── decaf.pl
│ ├── defbrowser.pl
│ ├── del.pl
│ ├── del_tln.pl
│ ├── dependency_walker.pl
│ ├── devclass.pl
│ ├── dfrg.pl
│ ├── diag_sr.pl
│ ├── direct.pl
│ ├── direct_tln.pl
│ ├── disablelastaccess.pl
│ ├── disablesr.pl
│ ├── dllsearch.pl
│ ├── dnschanger.pl
│ ├── domains.pl
│ ├── drivers32.pl
│ ├── drwatson.pl
│ ├── emdmgmt.pl
│ ├── environment.pl
│ ├── esent.pl
│ ├── etos.pl
│ ├── eventlog.pl
│ ├── eventlogs.pl
│ ├── fileexts.pl
│ ├── filehistory.pl
│ ├── fileless.pl
│ ├── findexes.pl
│ ├── fw_config.pl
│ ├── gauss.pl
│ ├── gpohist.pl
│ ├── gpohist_tln.pl
│ ├── gthist.pl
│ ├── gtwhitelist.pl
│ ├── handler.pl
│ ├── haven_and_hearth.pl
│ ├── hibernate.pl
│ ├── ide.pl
│ ├── identities.pl
│ ├── ie_main.pl
│ ├── ie_settings.pl
│ ├── ie_version.pl
│ ├── ie_zones.pl
│ ├── iejava.pl
│ ├── imagedev.pl
│ ├── imagefile.pl
│ ├── init_dlls.pl
│ ├── inprocserver.pl
│ ├── installedcomp.pl
│ ├── installer.pl
│ ├── internet_explorer_cu.pl
│ ├── internet_settings_cu.pl
│ ├── itempos.pl
│ ├── javafx.pl
│ ├── javasoft.pl
│ ├── kankan.pl
│ ├── kb950582.pl
│ ├── kbdcrash.pl
│ ├── knowndev.pl
│ ├── landesk.pl
│ ├── landesk_tln.pl
│ ├── lastloggedon.pl
│ ├── latentbot.pl
│ ├── lazyshell.pl
│ ├── legacy.pl
│ ├── legacy_tln.pl
│ ├── licenses.pl
│ ├── listsoft.pl
│ ├── liveContactsGUID.pl
│ ├── load.pl
│ ├── logonusername.pl
│ ├── lsa_packages.pl
│ ├── lsasecrets.pl
│ ├── macaddr.pl
│ ├── malware.pl
│ ├── menuorder.pl
│ ├── mixer.pl
│ ├── mixer_tln.pl
│ ├── mmc.pl
│ ├── mmc_tln.pl
│ ├── mmo.pl
│ ├── mndmru.pl
│ ├── mndmru_tln.pl
│ ├── mountdev.pl
│ ├── mountdev2.pl
│ ├── mp2.pl
│ ├── mp3.pl
│ ├── mpmru.pl
│ ├── mrt.pl
│ ├── msis.pl
│ ├── mspaper.pl
│ ├── muicache.pl
│ ├── muicache_tln.pl
│ ├── nero.pl
│ ├── netassist.pl
│ ├── netsvcs.pl
│ ├── network.pl
│ ├── networkcards.pl
│ ├── networklist.pl
│ ├── networklist_tln.pl
│ ├── networkuid.pl
│ ├── nic.pl
│ ├── nic2.pl
│ ├── nic_mst2.pl
│ ├── nolmhash.pl
│ ├── ntuser
│ ├── ntusernetwork.pl
│ ├── null.pl
│ ├── odysseus.pl
│ ├── officedocs.pl
│ ├── officedocs2010.pl
│ ├── officedocs2010_tln.pl
│ ├── oisc.pl
│ ├── olsearch.pl
│ ├── opencandy.pl
│ ├── osversion.pl
│ ├── osversion_tln.pl
│ ├── outlook.pl
│ ├── outlook2.pl
│ ├── pagefile.pl
│ ├── pending.pl
│ ├── phdet.pl
│ ├── photos.pl
│ ├── polacdms.pl
│ ├── policies_u.pl
│ ├── port_dev.pl
│ ├── prefetch.pl
│ ├── printermru.pl
│ ├── printers.pl
│ ├── privoxy.pl
│ ├── processor_architecture.pl
│ ├── product.pl
│ ├── productpolicy.pl
│ ├── producttype.pl
│ ├── profilelist.pl
│ ├── profiler.pl
│ ├── proxysettings.pl
│ ├── publishingwizard.pl
│ ├── putty.pl
│ ├── rdphint.pl
│ ├── rdpnla.pl
│ ├── rdpport.pl
│ ├── reading_locations.pl
│ ├── realplayer6.pl
│ ├── realvnc.pl
│ ├── recentdocs.pl
│ ├── recentdocs_tln.pl
│ ├── regback.pl
│ ├── regin.pl
│ ├── regtime.pl
│ ├── regtime_tln.pl
│ ├── removdev.pl
│ ├── renocide.pl
│ ├── reveton.pl
│ ├── rlo.pl
│ ├── rootkit_revealer.pl
│ ├── routes.pl
│ ├── runmru.pl
│ ├── runmru_tln.pl
│ ├── safeboot.pl
│ ├── sam
│ ├── samparse.pl
│ ├── samparse_tln.pl
│ ├── schedagent.pl
│ ├── secctr.pl
│ ├── secrets.pl
│ ├── secrets_tln.pl
│ ├── security
│ ├── securityproviders.pl
│ ├── services.pl
│ ├── sevenzip.pl
│ ├── sfc.pl
│ ├── shares.pl
│ ├── shc.pl
│ ├── shellbags.pl
│ ├── shellbags_test.pl
│ ├── shellbags_tln.pl
│ ├── shellbags_xp.pl
│ ├── shellexec.pl
│ ├── shellext.pl
│ ├── shellfolders.pl
│ ├── shelloverlay.pl
│ ├── shimcache.pl
│ ├── shimcache_tln.pl
│ ├── shutdown.pl
│ ├── shutdowncount.pl
│ ├── sizes.pl
│ ├── skype.pl
│ ├── snapshot.pl
│ ├── snapshot_viewer.pl
│ ├── soft_run.pl
│ ├── software
│ ├── spp_clients.pl
│ ├── sql_lastconnect.pl
│ ├── srun_tln.pl
│ ├── ssh_host_keys.pl
│ ├── ssid.pl
│ ├── startmenuinternetapps_cu.pl
│ ├── startmenuinternetapps_lm.pl
│ ├── startpage.pl
│ ├── startup.pl
│ ├── stillimage.pl
│ ├── susclient.pl
│ ├── svc.pl
│ ├── svc_plus.pl
│ ├── svc_tln.pl
│ ├── svcdll.pl
│ ├── svchost.pl
│ ├── sysinternals.pl
│ ├── sysinternals_tln.pl
│ ├── system
│ ├── systemindex.pl
│ ├── teamviewer.pl
│ ├── termcert.pl
│ ├── termserv.pl
│ ├── timezone.pl
│ ├── tracing.pl
│ ├── tracing_tln.pl
│ ├── trappoll.pl
│ ├── trustrecords.pl
│ ├── trustrecords_tln.pl
│ ├── tsclient.pl
│ ├── tsclient_tln.pl
│ ├── typedpaths.pl
│ ├── typedpaths_tln.pl
│ ├── typedurls.pl
│ ├── typedurls_tln.pl
│ ├── typedurlstime.pl
│ ├── typedurlstime_tln.pl
│ ├── uac.pl
│ ├── uninstall.pl
│ ├── uninstall_tln.pl
│ ├── unreadmail.pl
│ ├── urlzone.pl
│ ├── urun_tln.pl
│ ├── usb.pl
│ ├── usbdevices.pl
│ ├── usbstor.pl
│ ├── usbstor2.pl
│ ├── usbstor3.pl
│ ├── user_run.pl
│ ├── user_win.pl
│ ├── userassist.pl
│ ├── userassist_tln.pl
│ ├── userinfo.pl
│ ├── userlocsvc.pl
│ ├── usrclass
│ ├── vawtrak.pl
│ ├── virut.pl
│ ├── vista_bitbucket.pl
│ ├── vmplayer.pl
│ ├── vmware_vsphere_client.pl
│ ├── vnchooksapplicationprefs.pl
│ ├── vncviewer.pl
│ ├── volinfocache.pl
│ ├── wallpaper.pl
│ ├── warcraft3.pl
│ ├── wbem.pl
│ ├── win_cv.pl
│ ├── winbackup.pl
│ ├── winevt.pl
│ ├── winlogon.pl
│ ├── winlogon_tln.pl
│ ├── winlogon_u.pl
│ ├── winnt_cv.pl
│ ├── winrar.pl
│ ├── winrar2.pl
│ ├── winrar_tln.pl
│ ├── winscp.pl
│ ├── winscp_sessions.pl
│ ├── winver.pl
│ ├── winvnc.pl
│ ├── winzip.pl
│ ├── wordwheelquery.pl
│ ├── wpdbusenum.pl
│ ├── xpedition.pl
│ ├── yahoo_cu.pl
│ └── yahoo_lm.pl
├── regripper.pdf
├── rip.exe
├── rip.pl
├── rr.exe
├── rr.pl
├── sample.txt
├── shellitems.pl
├── time.pl
├── try.txt
├── updates.txt
└── winnt_cv.txt
├── __Example_Output.txt
└── plugins
├── acmru.pl
├── adoberdr.pl
├── ahaha.pl
├── aim.pl
├── all
├── amcache.pl
├── aports.pl
├── appcertdlls.pl
├── appcompatcache.pl
├── appcompatcache_tln.pl
├── appcompatflags.pl
├── appinitdlls.pl
├── applets.pl
├── applets_tln.pl
├── apppaths.pl
├── apppaths_tln.pl
├── appspecific.pl
├── ares.pl
├── arpcache.pl
├── assoc.pl
├── at.pl
├── at_tln.pl
├── attachmgr.pl
├── attachmgr_tln.pl
├── audiodev.pl
├── auditfail.pl
├── auditpol.pl
├── auditpol_xp.pl
├── autoendtasks.pl
├── autorun.pl
├── backuprestore.pl
├── banner.pl
├── baseline.pl
├── bho.pl
├── bitbucket.pl
├── bitbucket_user.pl
├── brisv.pl
├── btconfig.pl
├── bthport.pl
├── cached.pl
├── cached_tln.pl
├── cain.pl
├── ccleaner.pl
├── cdstaginginfo.pl
├── clampi.pl
├── clampitm.pl
├── clsid.pl
├── cmd_shell.pl
├── cmd_shell_tln.pl
├── cmd_shell_u.pl
├── cmdproc.pl
├── cmdproc_tln.pl
├── codeid.pl
├── comdlg32.pl
├── comfoo.pl
├── compdesc.pl
├── compname.pl
├── controlpanel.pl
├── cortana.pl
├── cpldontload.pl
├── crashcontrol.pl
├── dependency_walker.pl
├── devclass.pl
├── dfrg.pl
├── diag_sr.pl
├── direct.pl
├── direct_tln.pl
├── disablelastaccess.pl
├── disablesr.pl
├── dllsearch.pl
├── dnschanger.pl
├── domains.pl
├── drivers32.pl
├── drwatson.pl
├── emdmgmt.pl
├── environment.pl
├── esent.pl
├── etos.pl
├── eventlog.pl
├── eventlogs.pl
├── fileexts.pl
├── filehistory.pl
├── fileless.pl
├── findexes.pl
├── fw_config.pl
├── gauss.pl
├── gpohist.pl
├── gpohist_tln.pl
├── gthist.pl
├── gtwhitelist.pl
├── handler.pl
├── haven_and_hearth.pl
├── hibernate.pl
├── ide.pl
├── identities.pl
├── ie_main.pl
├── ie_settings.pl
├── ie_version.pl
├── ie_zones.pl
├── iejava.pl
├── imagedev.pl
├── imagefile.pl
├── init_dlls.pl
├── inprocserver.pl
├── installedcomp.pl
├── installer.pl
├── internet_explorer_cu.pl
├── internet_settings_cu.pl
├── itempos.pl
├── javafx.pl
├── javasoft.pl
├── kankan.pl
├── kb950582.pl
├── kbdcrash.pl
├── knowndev.pl
├── landesk.pl
├── landesk_tln.pl
├── lastloggedon.pl
├── latentbot.pl
├── lazyshell.pl
├── legacy.pl
├── legacy_tln.pl
├── licenses.pl
├── listsoft.pl
├── liveContactsGUID.pl
├── load.pl
├── logonusername.pl
├── lsa_packages.pl
├── lsasecrets.pl
├── macaddr.pl
├── malware.pl
├── menuorder.pl
├── mixer.pl
├── mixer_tln.pl
├── mmc.pl
├── mmc_tln.pl
├── mmo.pl
├── mndmru.pl
├── mndmru_tln.pl
├── mountdev.pl
├── mountdev2.pl
├── mp2.pl
├── mp3.pl
├── mpmru.pl
├── mrt.pl
├── msis.pl
├── mspaper.pl
├── muicache.pl
├── muicache_tln.pl
├── nero.pl
├── netassist.pl
├── netsvcs.pl
├── network.pl
├── networkcards.pl
├── networklist.pl
├── networklist_tln.pl
├── networkuid.pl
├── nic.pl
├── nic2.pl
├── nic_mst2.pl
├── nolmhash.pl
├── ntuser
├── ntusernetwork.pl
├── null.pl
├── odysseus.pl
├── officedocs.pl
├── officedocs2010.pl
├── officedocs2010_tln.pl
├── oisc.pl
├── olsearch.pl
├── opencandy.pl
├── osversion.pl
├── osversion_tln.pl
├── outlook.pl
├── outlook2.pl
├── profilelist.pl
├── profiler.pl
├── proxysettings.pl
├── publishingwizard.pl
├── putty.pl
├── rdphint.pl
├── rdpnla.pl
├── rdpport.pl
├── reading_locations.pl
├── realplayer6.pl
├── realvnc.pl
├── recentdocs.pl
├── recentdocs_tln.pl
├── regback.pl
├── regin.pl
├── regtime.pl
├── regtime_tln.pl
├── removdev.pl
├── renocide.pl
├── reveton.pl
├── rlo.pl
├── rootkit_revealer.pl
├── routes.pl
├── runmru.pl
├── runmru_tln.pl
├── safeboot.pl
├── sam
├── samparse.pl
├── samparse_tln.pl
├── schedagent.pl
├── secctr.pl
├── secrets.pl
├── secrets_tln.pl
├── security
├── securityproviders.pl
├── services.pl
├── sevenzip.pl
├── sfc.pl
├── shares.pl
├── shc.pl
├── shellbags.pl
├── shellbags_test.pl
├── shellbags_tln.pl
├── shellbags_xp.pl
├── shellexec.pl
├── shellext.pl
├── shellfolders.pl
├── shelloverlay.pl
├── shimcache.pl
├── shimcache_tln.pl
├── shutdown.pl
├── shutdowncount.pl
├── sizes.pl
├── skype.pl
├── snapshot.pl
├── snapshot_viewer.pl
├── soft_run.pl
├── software
├── spp_clients.pl
├── sql_lastconnect.pl
├── srun_tln.pl
├── ssh_host_keys.pl
├── ssid.pl
├── startmenuinternetapps_cu.pl
├── startmenuinternetapps_lm.pl
├── startpage.pl
├── startup.pl
├── stillimage.pl
├── susclient.pl
├── svc.pl
├── svc_plus.pl
├── svc_tln.pl
├── svcdll.pl
├── svchost.pl
├── sysinternals.pl
├── sysinternals_tln.pl
├── system
├── systemindex.pl
├── teamviewer.pl
├── termcert.pl
├── termserv.pl
├── timezone.pl
├── tracing.pl
├── tracing_tln.pl
├── trappoll.pl
├── trustrecords.pl
├── trustrecords_tln.pl
├── tsclient.pl
├── tsclient_tln.pl
├── typedpaths.pl
├── typedpaths_tln.pl
├── typedurls.pl
├── typedurls_tln.pl
├── typedurlstime.pl
├── typedurlstime_tln.pl
├── uac.pl
├── uninstall.pl
├── uninstall_tln.pl
├── unreadmail.pl
├── urlzone.pl
├── urun_tln.pl
├── usb.pl
├── usbdevices.pl
├── wallpaper.pl
├── warcraft3.pl
├── wbem.pl
├── win_cv.pl
├── winbackup.pl
├── winevt.pl
├── winlogon.pl
├── winlogon_tln.pl
├── winlogon_u.pl
├── winnt_cv.pl
├── winrar.pl
├── winrar2.pl
├── winrar_tln.pl
├── winscp.pl
├── winscp_sessions.pl
├── winver.pl
├── winvnc.pl
├── winzip.pl
├── wordwheelquery.pl
├── wpdbusenum.pl
├── xpedition.pl
├── yahoo_cu.pl
└── yahoo_lm.pl
/MFTECmd/MFTECmd.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/MFTECmd/MFTECmd.exe
--------------------------------------------------------------------------------
/Profiler.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Profiler.jpg
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # AutomatedProfiler
2 |
3 | 
4 | AutomatedProfiler parses an image using RegRipper, RECmd, and various PowerShell cmdlets. The script writes its output to a text file called 'profiler.txt', which contains information about the imaged system such as system info, networking settings, firewall details, user data, autorun keys, service keys, and MRU keys. The returned data will not give you everything you need to do forensics on the image, but it presents much of the data you would otherwise find yourself looking for.
5 | # Usage
6 | For this script to work, it must be in the same directory as the supporting directories that are included with it (RegRipper, RECmd, and plugins). A mounted image also needs to be available through FTK Imager.
7 | 1) Mount an image using FTK Imager.
8 | 2) Take note of the drive letter assigned to the mounted image.
9 | 3) Download this repository.
10 | 4) Unzip the contents of the zip.
11 | 5) Verify that the unzipped folder is called 'AutomatedProfiler-master'.
12 | 6) In PowerShell, navigate to the AutomatedProfiler-master directory and run '.\profiler.ps1'.
13 | 7) When prompted, enter the drive letter assigned to the mounted image, in the form e:\, d:\, etc.
14 | 8) Analyze the profiler.txt and mft.csv files once the script completes.
15 |
16 |
17 |
18 | # Output
19 | Example output from this script is in the '__example_output.txt' within this repo.
20 |
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Autoruns_NtUser_Run_2ec3d165-3d58-417e-bf86-d30652b7b53a:
--------------------------------------------------------------------------------
1 | {"Name":"Run","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Run","ShortDescription":"User run key","LongDescription":"Things set to start up automatically","InternalID":"2ec3d165-3d58-417e-bf86-d30652b7b53a","HiveType":"NtUser","Category":"Autoruns"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Autoruns_Software_Run_b747b395-acee-4576-9b52-a89349b8d831:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Run","KeyPath":"Microsoft\\Windows\\CurrentVersion\\Run","ShortDescription":"Run key","LongDescription":"Used to automatically start programs","InternalID":"b747b395-acee-4576-9b52-a89349b8d831","HiveType":"Software","Category":"Autoruns"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Autoruns_UsrClass_VirtualStore_bac80d4f-92ed-41a6-bb70-9749bf17736e:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"VirtualStore","KeyPath":"VirtualStore","ShortDescription":"Testing","LongDescription":"aaa","InternalID":"bac80d4f-92ed-41a6-bb70-9749bf17736e","HiveType":"UsrClass","Category":"Autoruns"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Communication_NtUser_TeamViewer_d32c0647-339c-4d4f-8282-daf26b927699:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"TeamViewer","KeyPath":"Software\\TeamViewer","ShortDescription":"Teamviewer info","LongDescription":"","InternalID":"d32c0647-339c-4d4f-8282-daf26b927699","HiveType":"NtUser","Category":"Communication"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Communication_NtUser_UnreadMail_d6d419d3-bc7c-4e6c-b73d-e1235c3a2943:
--------------------------------------------------------------------------------
1 | {"Name":"UnreadMail","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail","ShortDescription":"Unread email accounts","LongDescription":"","InternalID":"d6d419d3-bc7c-4e6c-b73d-e1235c3a2943","HiveType":"NtUser","Category":"Communication"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Network_Software_LastConnect_1516cac4-ff62-4d2e-a9f5-a20815853b3e:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"LastConnect","KeyPath":"Microsoft\\MSSQLServer\\Client\\SuperSocketNetLib\\LastConnect","ShortDescription":"SQL Server connection cache","LongDescription":"","InternalID":"1516cac4-ff62-4d2e-a9f5-a20815853b3e","HiveType":"Software","Category":"Network"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Network_Software_NetworkCards_3cfa462c-31d1-4ad6-8b47-98f281c50728:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"NetworkCards","KeyPath":"Microsoft\\Windows NT\\CurrentVersion\\NetworkCards","ShortDescription":"List of network cards","LongDescription":"https://support.microsoft.com/en-us/kb/102999","InternalID":"3cfa462c-31d1-4ad6-8b47-98f281c50728","HiveType":"Software","Category":"Network"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Network_System_{4d36e972-e325-11ce-bfc1-08002be10318}_54796294-d279-4552-bda5-fe672b4ea675:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"{4d36e972-e325-11ce-bfc1-08002be10318}","KeyPath":"ControlSet001\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}","ShortDescription":"Network adapters (Class key)","LongDescription":"","InternalID":"54796294-d279-4552-bda5-fe672b4ea675","HiveType":"System","Category":"Network"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_NtUser_CD Burning_0f0005c8-7a16-4223-8a73-87dc0d307849:
--------------------------------------------------------------------------------
1 | {"Name":"CD Burning","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CD Burning","ShortDescription":"CDROM burning info","LongDescription":"Includes device and staging info for files","InternalID":"0f0005c8-7a16-4223-8a73-87dc0d307849","HiveType":"NtUser","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_Sam_Users_58f6066e-53f0-43a7-823c-5679da0e4cd9:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Users","KeyPath":"SAM\\Domains\\Account\\Users","ShortDescription":"User accounts","LongDescription":"User accounts in SAM file","InternalID":"58f6066e-53f0-43a7-823c-5679da0e4cd9","HiveType":"Sam","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_Software_Channels_8ab43ae7-05ce-4c41-9c70-f77df5317e67:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Channels","KeyPath":"Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels","ShortDescription":"Windows Event log settings","LongDescription":"The various subkeys will indicate which event logging is enabled via the 'Enabled' value","InternalID":"8ab43ae7-05ce-4c41-9c70-f77df5317e67","HiveType":"Software","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_Software_Control Panel_7e993a1a-b5af-4247-8b34-6bbe13eb7f3c:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Control Panel","KeyPath":"Microsoft\\Windows\\CurrentVersion\\Control Panel","ShortDescription":"Control panel settings","LongDescription":"Includes categories and individual items, including those to not load, unload, etc.","InternalID":"7e993a1a-b5af-4247-8b34-6bbe13eb7f3c","HiveType":"Software","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_Software_CurrentVersion_0a017e3d-c0fe-40c9-84fb-8bcd45c96a7e:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"CurrentVersion","KeyPath":"Microsoft\\Windows\\CurrentVersion","ShortDescription":"Windows version information (Windows key)","LongDescription":"","InternalID":"0a017e3d-c0fe-40c9-84fb-8bcd45c96a7e","HiveType":"Software","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_Software_CurrentVersion_3d9483dc-d89c-423a-ae83-a57405d6a752:
--------------------------------------------------------------------------------
1 | {"Type":"Common","Name":"CurrentVersion","KeyPath":"Microsoft\\Windows NT\\CurrentVersion","ShortDescription":"Windows version information (Windows NT key)","LongDescription":"Details about Windows install including: install date, version, service pack, edition, etc.","InternalID":"3d9483dc-d89c-423a-ae83-a57405d6a752","HiveType":"Software","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_Software_Devices_121a3617-c512-4b5f-a770-11b1cdb19983:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Devices","KeyPath":"Microsoft\\Windows Portable Devices\\Devices","ShortDescription":"List of portable devices","LongDescription":"Includes friendly name, and serial # info (from subkey names)","InternalID":"121a3617-c512-4b5f-a770-11b1cdb19983","HiveType":"Software","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_Software_EMDMgmt_5c905164-7055-4422-a141-f8539d5ef4fe:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"EMDMgmt","KeyPath":"Microsoft\\Windows NT\\CurrentVersion\\EMDMgmt","ShortDescription":"External Memory Device Management","LongDescription":"Additional info:\r\nhttp://www.hecfblog.com/2013/08/daily-blog-65-understanding-artifacts.html\r\nhttp://windowsir.blogspot.com/2013/04/plugin-emdmgmt.html","InternalID":"5c905164-7055-4422-a141-f8539d5ef4fe","HiveType":"Software","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_Software_Image File Execution Options_59ddbb92-609a-44e8-9bb7-e1f5b797e397:
--------------------------------------------------------------------------------
1 | {"Name":"Image File Execution Options","KeyPath":"Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options","ShortDescription":"Force a program to run via debugger","LongDescription":"Its intended use is to force a program to run under a debugger regardless of how it is launched (and secondarily to alter how the system treats the program). It's handy if you need to debug a program \"in the wild\" rather than under the controlled environment of your favorite IDE. For example, you can use it if you want to debug how a program runs when it is launched by some other program you can't debug.","InternalID":"59ddbb92-609a-44e8-9bb7-e1f5b797e397","HiveType":"Software","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_Software_Windows Portable Devices_39661eda-1373-493a-b333-583c51c9e74b:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Windows Portable Devices","KeyPath":"Microsoft\\Windows Portable Devices","ShortDescription":"Historical portable drive information","LongDescription":"Can also include drive letter","InternalID":"39661eda-1373-493a-b333-583c51c9e74b","HiveType":"Software","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_Software_Winlogon_129b227e-57cd-400b-b370-4ef3d08f9627:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Winlogon","KeyPath":"Microsoft\\Windows NT\\CurrentVersion\\Winlogon","ShortDescription":"Information related to login","LongDescription":"Includes Default username, domain name, auto admin login, legal notice, etc.\r\n\r\nSecurity note: when AutoAdminLogon is enabled, a DefaultPassword value may hold the account password in cleartext. The Shell and Userinit values are also common persistence points and should be compared against their default values.","InternalID":"129b227e-57cd-400b-b370-4ef3d08f9627","HiveType":"Software","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_ComputerName_f5259882-9906-413f-b845-b2bbca09ffeb:
--------------------------------------------------------------------------------
1 | {"Name":"ComputerName","KeyPath":"ControlSet001\\Control\\ComputerName\\ComputerName","ShortDescription":"The name of the computer","LongDescription":"The name of the computer (ComputerName value). This bookmark points at ControlSet001; check Select\\Current to confirm which control set was active at last boot.","InternalID":"f5259882-9906-413f-b845-b2bbca09ffeb","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_CrashControl_a4d38e6e-fa6e-4ceb-8a1f-b7b2f25bf573:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"CrashControl","KeyPath":"ControlSet001\\Control\\CrashControl","ShortDescription":"Crash dump info","LongDescription":" http://support.microsoft.com/kb/254649\r\n http://support.microsoft.com/kb/274598\r\n http://blogs.technet.com/b/askcore/archive/2012/09/12/windows-8-and-windows-server-2012-automatic-memory-dump.aspx","InternalID":"a4d38e6e-fa6e-4ceb-8a1f-b7b2f25bf573","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_Environment_7044cf87-168f-4588-bae0-426632d08330:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Environment","KeyPath":"ControlSet001\\Control\\Session Manager\\Environment","ShortDescription":"OS information","LongDescription":"Includes processor architecture, environment variables, etc","InternalID":"7044cf87-168f-4588-bae0-426632d08330","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_EventLog_e99f1b87-9f35-4876-a5c5-3c99b92e4bfd:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"EventLog","KeyPath":"ControlSet001\\Services\\EventLog","ShortDescription":"Event log information","LongDescription":"http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx","InternalID":"e99f1b87-9f35-4876-a5c5-3c99b92e4bfd","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_FileSystem_b20a0736-0d62-4a26-9539-a53ded5f152b:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"FileSystem","KeyPath":"ControlSet001\\Control\\FileSystem","ShortDescription":"File system options","LongDescription":"Includes such things as NTFSDisableLastAccessUpdate, 8.3 name creation, etc","InternalID":"b20a0736-0d62-4a26-9539-a53ded5f152b","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_FilesNotToSnapshot_af3e091f-8598-43e1-9e19-39c1352a72ea:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"FilesNotToSnapshot","KeyPath":"ControlSet001\\Control\\BackupRestore\\FilesNotToSnapshot","ShortDescription":"Files not to backup in volume snapshot","LongDescription":"http://msdn.microsoft.com/en-us/library/windows/desktop/bb891959(v=vs.85).aspx\r\n","InternalID":"af3e091f-8598-43e1-9e19-39c1352a72ea","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_Memory Management_15dc67bb-bf95-46ef-87db-e4e34e387125:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Memory Management","KeyPath":"ControlSet001\\Control\\Session Manager\\Memory Management","ShortDescription":"Page file parameters","LongDescription":"Includes ClearPageFileAtShutdown, page file name, etc","InternalID":"15dc67bb-bf95-46ef-87db-e4e34e387125","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_PrefetchParameters_0f9651f6-3aa8-4bac-89aa-e57a73744ee2:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"PrefetchParameters","KeyPath":"ControlSet001\\Control\\Session Manager\\Memory Management\\PrefetchParameters","ShortDescription":"Prefetch info","LongDescription":"http://msdn.microsoft.com/en-us/library/bb499146(v=winembedded.5).aspx","InternalID":"0f9651f6-3aa8-4bac-89aa-e57a73744ee2","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_RDP-Tcp_6e9f18d0-7173-424c-b695-e8c2894ee110:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"RDP-Tcp","KeyPath":"ControlSet001\\Control\\Terminal Server\\WinStations\\RDP-Tcp","ShortDescription":"RDP info","LongDescription":"Includes port # (PortNumber value) used for remote desktop. A PortNumber other than the default 3389 can indicate a deliberately relocated RDP listener; also review the UserAuthentication (NLA) and SecurityLayer values. This bookmark uses ControlSet001; confirm the active control set via Select\\Current.","InternalID":"6e9f18d0-7173-424c-b695-e8c2894ee110","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_SafeBoot_1da3ee50-90bf-49ed-9aa6-b97ba9948eee:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"SafeBoot","KeyPath":"ControlSet001\\Control\\SafeBoot","ShortDescription":"Safe mode info","LongDescription":"https://support.microsoft.com/en-us/kb/202485","InternalID":"1da3ee50-90bf-49ed-9aa6-b97ba9948eee","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_Services_9a4c3785-ec1c-4248-8b0a-cc32a3578d67:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Services","KeyPath":"ControlSet001\\Services","ShortDescription":"Service definitions and parameters","LongDescription":"http://support.microsoft.com/kb/103000\r\n\r\nEach subkey is a service or driver; the ImagePath, Start and Type values identify what runs and when. Compare unfamiliar entries against a known-good baseline, and check Select\\Current to confirm which control set was active (ControlSet001 may not be the one last booted).","InternalID":"9a4c3785-ec1c-4248-8b0a-cc32a3578d67","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_Terminal Server_bc0da746-e8c5-465a-a70f-2779e7c914de:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Terminal Server","KeyPath":"ControlSet001\\Control\\Terminal Server","ShortDescription":"Terminal server info","LongDescription":"From RegRipper plugin:\r\n\r\nChange TS listening port number - http://support.microsoft.com/kb/187623\r\nExamining TS key - http://support.microsoft.com/kb/243215\r\nWin2K8 TS stops listening - http://support.microsoft.com/kb/954398\r\nXP/Win2K3 TSAdvertise value - http://support.microsoft.com/kb/281307\r\nAllowTSConnections value - http://support.microsoft.com/kb/305608\r\nTSEnabled value - http://support.microsoft.com/kb/222992\r\nTSUserEnabled value - http://support.microsoft.com/kb/238965\r\n\r\nAlso check the fDenyTSConnections value (0 = remote desktop connections allowed, 1 = denied); a change from 1 to 0 with a recent last-write time can indicate that RDP was enabled for remote access.","InternalID":"bc0da746-e8c5-465a-a70f-2779e7c914de","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_TimeZoneInformation_e16fbaa9-172c-4501-a55d-0cb4adb02cac:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"TimeZoneInformation","KeyPath":"ControlSet001\\Control\\TimeZoneInformation","ShortDescription":"Time zone info","LongDescription":"http://support.microsoft.com/kb/102986\r\nhttp://msdn.microsoft.com/en-us/library/windows/desktop/ms725481(v=vs.85).aspx\r\n\r\nPlugin details\r\nhttp://binaryforay.blogspot.com/2015/12/registry-explorer-plugin-overview.html","InternalID":"e16fbaa9-172c-4501-a55d-0cb4adb02cac","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_USB_d9ecec7b-e4c6-4c8d-9f65-2b971efbb4c4:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"USB","KeyPath":"ControlSet001\\Enum\\USB","ShortDescription":"USB devices","LongDescription":"","InternalID":"d9ecec7b-e4c6-4c8d-9f65-2b971efbb4c4","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_VSS_7afab042-09fb-4f0f-ae3e-b3c58c93f83c:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"VSS","KeyPath":"ControlSet001\\Services\\VSS","ShortDescription":"Volume Shadow Service info","LongDescription":"Volume Shadow Copy service definition. The Start value shows whether the service is enabled; a disabled service (Start = 4) is worth noting when ransomware or anti-forensic activity is suspected, since shadow copies are a common recovery source.","InternalID":"7afab042-09fb-4f0f-ae3e-b3c58c93f83c","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_Windows_29e05135-bc83-4332-a11b-ea3c357e4de5:
--------------------------------------------------------------------------------
1 | {"Name":"Windows","KeyPath":"ControlSet001\\Control\\Windows","ShortDescription":"Last shutdown time","LongDescription":"See shutdown key","InternalID":"29e05135-bc83-4332-a11b-ea3c357e4de5","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_Windows_d73fc227-8ea3-45e8-ac69-041a06a6c629:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Windows","KeyPath":"ControlSet001\\Control\\Windows","ShortDescription":"Windows shutdown time","LongDescription":"ShutdownTime value and last write time should match on clean shutdown. ShutdownTime is stored as a Windows file time.\r\n\r\nA Windows file time is a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 midnight, January 1, 1601 A.D. (C.E.) Coordinated Universal Time (UTC). ","InternalID":"d73fc227-8ea3-45e8-ac69-041a06a6c629","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_18c3eafb-034d-49b6-9558-45b92416bf33:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"{53f56307-b6bf-11d0-94f2-00a0c91efb8b}","KeyPath":"ControlSet001\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}","ShortDescription":"Disk info","LongDescription":"","InternalID":"18c3eafb-034d-49b6-9558-45b92416bf33","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Operating system_System_{6bdd1fc6-810f-11d0-bec7-08002be2092f}_80aafc9b-f28d-41a8-929c-6c016c4b5bc0:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"{6bdd1fc6-810f-11d0-bec7-08002be2092f}","KeyPath":"ControlSet001\\Control\\Class\\{6bdd1fc6-810f-11d0-bec7-08002be2092f}","ShortDescription":"Still image Devices (Webcams, etc)","LongDescription":"https://msdn.microsoft.com/en-us/library/windows/hardware/ff547024(v=vs.85).aspx","InternalID":"80aafc9b-f28d-41a8-929c-6c016c4b5bc0","HiveType":"System","Category":"Operating system"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Program execution_NtUser_FileExts_03427bd9-675f-4564-9d7b-058e797a7cb6:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"FileExts","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts","ShortDescription":"List of programs used to open files by extension","LongDescription":"Also includes which program a user selected.","InternalID":"03427bd9-675f-4564-9d7b-058e797a7cb6","HiveType":"NtUser","Category":"Program execution"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Program execution_NtUser_FirstFolder_a640410c-d053-4966-ace5-36bc4b977c9a:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"FirstFolder","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\FirstFolder","ShortDescription":"Programs executed","LongDescription":"Optionally includes a folder name used by the program","InternalID":"a640410c-d053-4966-ace5-36bc4b977c9a","HiveType":"NtUser","Category":"Program execution"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Program execution_NtUser_MUICache_a51a8919-ffdd-4135-91fa-affac7f65bb5:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"MUICache","KeyPath":"Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache","ShortDescription":"MUICache","LongDescription":"http://windowsir.blogspot.com/2005/12/mystery-of-muicachesolved.html\r\n\r\nThis NTUSER path applies to Windows XP/2003. On Vista and later the MUICache is typically found in UsrClass.dat under Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache.","InternalID":"a51a8919-ffdd-4135-91fa-affac7f65bb5","HiveType":"NtUser","Category":"Program execution"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Program execution_NtUser_RunMRU_524957bc-0c7e-490c-a8cf-f6bce2e1e1b5:
--------------------------------------------------------------------------------
1 | {"Name":"RunMRU","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU","ShortDescription":"Most recently run programs","LongDescription":"Contains a list of the most recently started programs via the Start | Run menu","InternalID":"524957bc-0c7e-490c-a8cf-f6bce2e1e1b5","HiveType":"NtUser","Category":"Program execution"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Program execution_NtUser_Sysinternals_a801be22-7473-4c4c-9a57-9dbc90bcbf7c:
--------------------------------------------------------------------------------
1 | {"Name":"Sysinternals","KeyPath":"Software\\Sysinternals","ShortDescription":"Sysinternals config info","LongDescription":"Indicates Sysinternals tools have been executed. A subkey (with an EulaAccepted value) is created per tool when its license prompt is accepted, so the subkey names and their last-write times show which tools were run and approximately when.","InternalID":"a801be22-7473-4c4c-9a57-9dbc90bcbf7c","HiveType":"NtUser","Category":"Program execution"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Program execution_NtUser_UserAssist_660a4ade-592f-4c64-bd85-8241378d0839:
--------------------------------------------------------------------------------
1 | {"Name":"UserAssist","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist","ShortDescription":"Recently accessed items","LongDescription":"Contains a list of ROT-13 encoded values for things like shortcuts, programs, etc. On Windows 7 and later the value data also holds a run count and a last-executed timestamp, making this a primary evidence-of-execution artifact for GUI-launched programs.","InternalID":"660a4ade-592f-4c64-bd85-8241378d0839","HiveType":"NtUser","Category":"Program execution"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Program execution_System_AppCompatCache_f1adf410-8700-4a83-bc2e-f53cededc03d:
--------------------------------------------------------------------------------
1 | {"Type":"Common","Name":"AppCompatCache","KeyPath":"ControlSet001\\Control\\Session Manager\\AppCompatCache","ShortDescription":"System compatibility database","LongDescription":"Helps identify Windows compatibility issues with software (also known as ShimCache).\r\n\r\nBe sure to check ControlSet002 for additional entries as well.\r\n\r\nCaveat: an entry shows that the executable existed on disk and was examined by the system; on Windows 8 and later it does not by itself prove that the program was executed.","InternalID":"f1adf410-8700-4a83-bc2e-f53cededc03d","HiveType":"System","Category":"Program execution"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Software_Software_Internet Explorer_140f36ce-6571-4966-b6e4-641c30a9b9b1:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Internet Explorer","KeyPath":"Microsoft\\Internet Explorer","ShortDescription":"Internet Explorer information","LongDescription":"Includes version # and build info","InternalID":"140f36ce-6571-4966-b6e4-641c30a9b9b1","HiveType":"Software","Category":"Software"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Software_Software_Products_a3ce0f6a-434d-4c2d-ba8f-16ce24209fe4:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Products","KeyPath":"Classes\\Installer\\Products","ShortDescription":"MSI packages","LongDescription":"List of MSI packages used to install software","InternalID":"a3ce0f6a-434d-4c2d-ba8f-16ce24209fe4","HiveType":"Software","Category":"Software"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Software_Software_Products_c6b061c4-df1d-477f-bcde-4846ec328c31:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Products","KeyPath":"Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products","ShortDescription":"MSI packages installed on system","LongDescription":"","InternalID":"c6b061c4-df1d-477f-bcde-4846ec328c31","HiveType":"Software","Category":"Software"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Storage_System_MountedDevices_0d010e87-8b14-4ce1-b084-e99b5ab9748c:
--------------------------------------------------------------------------------
1 | {"Name":"MountedDevices","KeyPath":"MountedDevices","ShortDescription":"Mounted volumes and drive letters","LongDescription":"Maps drive letters and volume GUIDs to device identifiers. Entries persist after a device is removed, so this key also records volumes (including USB devices) that were previously connected to the system.","InternalID":"0d010e87-8b14-4ce1-b084-e99b5ab9748c","HiveType":"System","Category":"Storage"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Storage_System_USBSTOR_3d1bc4ba-8eb2-4ec7-a4be-e6792505f999:
--------------------------------------------------------------------------------
1 | {"Type":"Common","Name":"USBSTOR","KeyPath":"ControlSet001\\Enum\\USBSTOR","ShortDescription":"USB devices related to storage","LongDescription":"A list of properties about USB devices that have been connected to a computer","InternalID":"3d1bc4ba-8eb2-4ec7-a4be-e6792505f999","HiveType":"System","Category":"Storage"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Storage_System_{10497b1b-ba51-44e5-8318-a65c837b6661}_9fe29ea5-44f1-4d92-82a0-d6b1fb84ee34:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"{10497b1b-ba51-44e5-8318-a65c837b6661}","KeyPath":"ControlSet001\\Control\\DeviceClasses\\{10497b1b-ba51-44e5-8318-a65c837b6661}","ShortDescription":"Additional removable storage info","LongDescription":"Last write time can correlate first insertion of device. For more info, see\r\n\r\nhttp://www.hecfblog.com/2013/07/daily-blog-8-winner-of-630-sunday.html","InternalID":"9fe29ea5-44f1-4d92-82a0-d6b1fb84ee34","HiveType":"System","Category":"Storage"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User configuration_NtUser_CurrentVersion_9fef0ee2-99c9-4131-bd77-3f28fad9f8c7:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"CurrentVersion","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion","ShortDescription":"Windows","LongDescription":"","InternalID":"9fef0ee2-99c9-4131-bd77-3f28fad9f8c7","HiveType":"NtUser","Category":"User configuration"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User configuration_NtUser_CurrentVersion_b8239cb1-3e84-41ae-a156-ebabfadea7d1:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"CurrentVersion","KeyPath":"Software\\Microsoft\\Windows NT\\CurrentVersion","ShortDescription":"Windows NT","LongDescription":"","InternalID":"b8239cb1-3e84-41ae-a156-ebabfadea7d1","HiveType":"NtUser","Category":"User configuration"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User configuration_NtUser_Internet Settings_57563b19-0d7b-4f61-a76a-5ec5dfecb7c4:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Internet Settings","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","ShortDescription":"Internet Explorer settings","LongDescription":"","InternalID":"57563b19-0d7b-4f61-a76a-5ec5dfecb7c4","HiveType":"NtUser","Category":"User configuration"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User configuration_NtUser_PrinterPorts_fe1bbde9-e2bc-4764-9948-3c3b8d8c2112:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"PrinterPorts","KeyPath":"Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts","ShortDescription":"Printer info","LongDescription":"","InternalID":"fe1bbde9-e2bc-4764-9948-3c3b8d8c2112","HiveType":"NtUser","Category":"User configuration"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User configuration_Software_StartMenuInternet_dc7c443e-51be-41c6-bd71-851c9d108ad6:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"StartMenuInternet","KeyPath":"Clients\\StartMenuInternet","ShortDescription":"Default web browser","LongDescription":"(default) value contains executable name of default web browser","InternalID":"dc7c443e-51be-41c6-bd71-851c9d108ad6","HiveType":"Software","Category":"User configuration"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User configuration_Software_command_0054aabe-ed43-4485-b3ce-bc6490cfe81e:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"command","KeyPath":"Classes\\http\\shell\\open\\command","ShortDescription":"Default web browser","LongDescription":"(default) value contains executable name of default web browser","InternalID":"0054aabe-ed43-4485-b3ce-bc6490cfe81e","HiveType":"Software","Category":"User configuration"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User files and folders_NtUser_7-Zip_af7dfd06-6a98-4c8b-a795-bfb9f5ae407d:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"7-Zip","KeyPath":"Software\\7-Zip","ShortDescription":"7-Zip history and config","LongDescription":"","InternalID":"af7dfd06-6a98-4c8b-a795-bfb9f5ae407d","HiveType":"NtUser","Category":"User files and folders"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User files and folders_NtUser_ComDlg32_44d580cf-ef19-4749-b833-f787ac1b0220:
--------------------------------------------------------------------------------
1 | {"Name":"ComDlg32","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32","ShortDescription":"Common dialog","LongDescription":"Contains recently opened directories, files, etc","InternalID":"44d580cf-ef19-4749-b833-f787ac1b0220","HiveType":"NtUser","Category":"User files and folders"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User files and folders_NtUser_Compression_d0e9ff87-f6be-47ec-888d-164cb58f19f3:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Compression","KeyPath":"SOFTWARE\\7-Zip\\Compression","ShortDescription":"7-Zip archive history","LongDescription":"The ArcHistory value contains a list of null-separated Unicode strings (paths of archives the user has created or opened).","InternalID":"d0e9ff87-f6be-47ec-888d-164cb58f19f3","HiveType":"NtUser","Category":"User files and folders"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User files and folders_NtUser_FileHistory_2895d67d-8601-45df-9758-f72958482822:
--------------------------------------------------------------------------------
1 | {"Name":"FileHistory","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\FileHistory","ShortDescription":"File history info","LongDescription":"Settings for the Windows File History backup feature for this user; note which values are present and the key's last-write time.","InternalID":"2895d67d-8601-45df-9758-f72958482822","HiveType":"NtUser","Category":"User files and folders"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User files and folders_NtUser_Map Network Drive MRU_df6ed689-944a-46b1-a806-f5f78830429a:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Map Network Drive MRU","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU","ShortDescription":"Recently used network shares","LongDescription":"","InternalID":"df6ed689-944a-46b1-a806-f5f78830429a","HiveType":"NtUser","Category":"User files and folders"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User files and folders_NtUser_MountPoints2_28014255-7733-4398-a859-dd76642a19c7:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"MountPoints2","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2","ShortDescription":"Mounted devices","LongDescription":"http://www.forensicmag.com/articles/2012/06/windows-7-registry-forensics-part-5","InternalID":"28014255-7733-4398-a859-dd76642a19c7","HiveType":"NtUser","Category":"User files and folders"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User files and folders_NtUser_RecentDocs_51af122a-734f-4b9b-8138-4633f67e0cad:
--------------------------------------------------------------------------------
1 | {"Name":"RecentDocs","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs","ShortDescription":"Recently opened files by extension","LongDescription":"See MRU key for order of opening","InternalID":"51af122a-734f-4b9b-8138-4633f67e0cad","HiveType":"NtUser","Category":"User files and folders"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User files and folders_NtUser_Shell Folders_feec11a9-1482-4629-a083-0caf2df99873:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Shell Folders","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders","ShortDescription":"Default locations for user created content","LongDescription":"","InternalID":"feec11a9-1482-4629-a083-0caf2df99873","HiveType":"NtUser","Category":"User files and folders"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User files and folders_NtUser_User MRU_41e2c5c4-4da2-4b96-99ae-a4fb532f93d4:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"User MRU","KeyPath":"Software\\Microsoft\\Office\\15.0\\User MRU","ShortDescription":"Excel files and places","LongDescription":"List of recent Excel files and places. The 15.0 path component is version-specific (Office 2013); check 14.0 or 16.0 for other Office versions.","InternalID":"41e2c5c4-4da2-4b96-99ae-a4fb532f93d4","HiveType":"NtUser","Category":"User files and folders"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User files and folders_NtUser_User MRU_6bbf4038-b3c6-4ba5-a4e1-d04d3166e675:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"User MRU","KeyPath":"Software\\Microsoft\\Office\\15.0\\PowerPoint\\User MRU","ShortDescription":"Powerpoint files and places","LongDescription":"List of recent Powerpoint files and places. The 15.0 path component is version-specific (Office 2013); check 14.0 or 16.0 for other Office versions.","InternalID":"6bbf4038-b3c6-4ba5-a4e1-d04d3166e675","HiveType":"NtUser","Category":"User files and folders"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User files and folders_NtUser_User MRU_83fcbc4b-a0d4-40d2-b414-91ffa96d778c:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"User MRU","KeyPath":"Software\\Microsoft\\Office\\15.0\\Word\\User MRU","ShortDescription":"Word files and places","LongDescription":"List of recent Word files and places. The 15.0 path component is version-specific (Office 2013); check 14.0 or 16.0 for other Office versions.","InternalID":"83fcbc4b-a0d4-40d2-b414-91ffa96d778c","HiveType":"NtUser","Category":"User files and folders"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User files and folders_NtUser_WinRAR_204cf564-85f5-42b9-983f-d94a970e7374:
--------------------------------------------------------------------------------
1 | {"Name":"WinRAR","KeyPath":"Software\\WinRAR","ShortDescription":"WinRar history","LongDescription":"","InternalID":"204cf564-85f5-42b9-983f-d94a970e7374","HiveType":"NtUser","Category":"User files and folders"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User files and folders_UsrClass_BagMRU_237fdb41-7713-485d-94ab-f07f4c157356:
--------------------------------------------------------------------------------
1 | {"Name":"BagMRU","KeyPath":"Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU","ShortDescription":"ShellBag root key","LongDescription":"ShellBags hold user activity related to accessing resources on a computer","InternalID":"237fdb41-7713-485d-94ab-f07f4c157356","HiveType":"UsrClass","Category":"User files and folders"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User general_NtUser_CCleaner_ec48ddd3-4f09-4431-b388-7f5d18eaab43:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"CCleaner","KeyPath":"Software\\Piriform\\CCleaner","ShortDescription":"CCleaner info","LongDescription":"Configuration for the CCleaner cleaning utility. Its presence, the selected cleaning options and the key's last-write time may be relevant when assessing possible anti-forensic activity.","InternalID":"ec48ddd3-4f09-4431-b388-7f5d18eaab43","HiveType":"NtUser","Category":"User general"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User general_NtUser_WordWheelQuery_89ca3fef-d045-4ff2-8891-4c61cf6c30ea:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"WordWheelQuery","KeyPath":"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery","ShortDescription":"User searches","LongDescription":"","InternalID":"89ca3fef-d045-4ff2-8891-4c61cf6c30ea","HiveType":"NtUser","Category":"User general"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User network_NtUser_Ares_fe9bac6b-b1fd-4710-8579-80b31f4fe288:
--------------------------------------------------------------------------------
1 | {"Name":"Ares","KeyPath":"Software\\Ares","ShortDescription":"Ares p2p client","LongDescription":"Information on Ares client","InternalID":"fe9bac6b-b1fd-4710-8579-80b31f4fe288","HiveType":"NtUser","Category":"User network"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User network_NtUser_Default_617e9fc6-565a-4986-a3fa-7e517fcbf6a3:
--------------------------------------------------------------------------------
1 | {"Name":"Default","KeyPath":"Software\\Microsoft\\Terminal Server Client\\Default","ShortDescription":"Terminal server hosts","LongDescription":"Servers connected via terminal services (MSTSC)","InternalID":"617e9fc6-565a-4986-a3fa-7e517fcbf6a3","HiveType":"NtUser","Category":"User network"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User network_NtUser_FTP_013baa05-0d47-4db7-9dbd-d4cb6231dc90:
--------------------------------------------------------------------------------
1 | {"Name":"FTP","KeyPath":"Software\\Microsoft\\FTP","ShortDescription":"FTP server and username info","LongDescription":"FTP server and username info","InternalID":"013baa05-0d47-4db7-9dbd-d4cb6231dc90","HiveType":"NtUser","Category":"User network"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User network_NtUser_TeamViewer_6aa0d3cd-9926-4f23-bf9b-f675636944f0:
--------------------------------------------------------------------------------
1 | {"Name":"TeamViewer","KeyPath":"Software\\TeamViewer","ShortDescription":"Teamviewer application","LongDescription":"","InternalID":"6aa0d3cd-9926-4f23-bf9b-f675636944f0","HiveType":"NtUser","Category":"User network"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User network_System_FirewallPolicy_6701136a-ccfb-476e-af28-d58543636ba4:
--------------------------------------------------------------------------------
1 | {"Name":"FirewallPolicy","KeyPath":"ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy","ShortDescription":"Firewall rules","LongDescription":"A list of programs that have been allowed access to the Internet through the firewall","InternalID":"6701136a-ccfb-476e-af28-d58543636ba4","HiveType":"System","Category":"User network"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/User network_System_Shares_7794e865-4630-4703-ac0f-76e650314b01:
--------------------------------------------------------------------------------
1 | {"Type":"User","Name":"Shares","KeyPath":"ControlSet001\\Services\\LanmanServer\\Shares","ShortDescription":"User defined shares","LongDescription":"","InternalID":"7794e865-4630-4703-ac0f-76e650314b01","HiveType":"System","Category":"User network"}
--------------------------------------------------------------------------------
/Recmd/Bookmarks/Common/Web browsing_NtUser_TypedURLs_24aec1e0-f92a-49db-8ec0-8443a7bbd130:
--------------------------------------------------------------------------------
1 | {"Name":"TypedURLs","KeyPath":"Software\\Microsoft\\Internet Explorer\\TypedURLs","ShortDescription":"URLs entered by a user","LongDescription":"Contains a list of URLs that were typed in Internet Explorer","InternalID":"24aec1e0-f92a-49db-8ec0-8443a7bbd130","HiveType":"NtUser","Category":"Web browsing"}
--------------------------------------------------------------------------------
/Recmd/Plugins/AppCompatCache/AppCompatCache.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/AppCompatCache/AppCompatCache.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/AppCompatCache/RegistryPlugin.AppCompatCache.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/AppCompatCache/RegistryPlugin.AppCompatCache.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.7-ZipHistory.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.7-ZipHistory.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.Ares.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.Ares.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.CIDSizeMRU.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.CIDSizeMRU.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.FileExts.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.FileExts.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.FirstFolder.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.FirstFolder.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.LastVisitedMRU.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.LastVisitedMRU.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.LastVisitedPidlMRU.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.LastVisitedPidlMRU.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.OfficeMRU.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.OfficeMRU.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.OpenSaveMRU.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.OpenSaveMRU.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.OpenSavePidlMRU.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.OpenSavePidlMRU.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.RecentDocs.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.RecentDocs.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.RunMRU.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.RunMRU.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.SAM.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.SAM.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.TimeZoneInformation.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.TimeZoneInformation.dll
--------------------------------------------------------------------------------
/Recmd/Plugins/RegistryPlugin.UserAssist.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/Plugins/RegistryPlugin.UserAssist.dll
--------------------------------------------------------------------------------
/Recmd/RECmd/NLog.config.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Recmd/RECmd/RECmd.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/Recmd/RECmd/RECmd.exe
--------------------------------------------------------------------------------
/Recmd/Settings/Categories:
--------------------------------------------------------------------------------
1 | ["Autoruns","Communication","Logging","Network","Operating system","Program execution","Software","Storage","User configuration","User files and folders","User general","User network","User virtualization","Web browsing"]
--------------------------------------------------------------------------------
/Recmd/Settings/General:
--------------------------------------------------------------------------------
1 | {"ActiveSkinName":"Seven Classic","VertSplitterPosition":"523","HorizSplitterPosition":"429","ShowRootKey":"False","RegBinaryAsBase64":"False","ValueSlackAsBase64":"False","DateTimeFormat":"yyyy-MM-dd HH:mm:ss K","DataInterpreterAlwaysOnTop":"False","MainWidth":"1168","MainHeight":"736","ShowHidden":"false","RecoverDeleted":"true","ShowAssociated":"True","ShowUnassociated":"True","ShowParentNodesWhenFiltering":"true","DataInterpreterX":"0","DataInterpreterY":"0"}
--------------------------------------------------------------------------------
/Recmd/Settings/HiddenKeys:
--------------------------------------------------------------------------------
1 | []
--------------------------------------------------------------------------------
/Recmd/Settings/RecentSearches:
--------------------------------------------------------------------------------
1 | []
--------------------------------------------------------------------------------
/RegRipper/1.mp3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/RegRipper/1.mp3
--------------------------------------------------------------------------------
/RegRipper/README.md:
--------------------------------------------------------------------------------
1 | RegRipper2.8
2 | ============
3 |
4 | RegRipper version 2.8
5 |
6 | This is the GitHub repository for RegRipper version 2.8
7 |
--------------------------------------------------------------------------------
/RegRipper/_gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
4 | # Custom for Visual Studio
5 | *.cs diff=csharp
6 | *.sln merge=union
7 | *.csproj merge=union
8 | *.vbproj merge=union
9 | *.fsproj merge=union
10 | *.dbproj merge=union
11 |
12 | # Standard to msysgit
13 | *.doc diff=astextplain
14 | *.DOC diff=astextplain
15 | *.docx diff=astextplain
16 | *.DOCX diff=astextplain
17 | *.dot diff=astextplain
18 | *.DOT diff=astextplain
19 | *.pdf diff=astextplain
20 | *.PDF diff=astextplain
21 | *.rtf diff=astextplain
22 | *.RTF diff=astextplain
23 |
--------------------------------------------------------------------------------
/RegRipper/_gitignore:
--------------------------------------------------------------------------------
1 | # Windows image file caches
2 | Thumbs.db
3 | ehthumbs.db
4 |
5 | # Folder config file
6 | Desktop.ini
7 |
8 | # Recycle Bin used on file shares
9 | $RECYCLE.BIN/
10 |
11 | # Windows Installer files
12 | *.cab
13 | *.msi
14 | *.msm
15 | *.msp
16 |
17 | # =========================
18 | # Operating System Files
19 | # =========================
20 |
21 | # OSX
22 | # =========================
23 |
24 | .DS_Store
25 | .AppleDouble
26 | .LSOverride
27 |
28 | # Icon must end with two \r
29 | Icon
30 |
31 | # Thumbnails
32 | ._*
33 |
34 | # Files that might appear on external disk
35 | .Spotlight-V100
36 | .Trashes
37 |
38 | # Directories potentially created on remote AFP share
39 | .AppleDB
40 | .AppleDesktop
41 | Network Trash Folder
42 | Temporary Items
43 | .apdisk
44 |
--------------------------------------------------------------------------------
/RegRipper/license.txt:
--------------------------------------------------------------------------------
1 | This software is released AS-IS, with no statements or guarantees as to
2 | its effectiveness or stability. While it shouldn't cause any problems
3 | whatsoever with your system, there's always the chance that someone may find
4 | a way to blame a system crash or loss of data on software like this...you've
5 | been warned!
6 |
7 | This software is released under the GNU Public License -
8 | http://www.gnu.org/copyleft/gpl.html
9 |
10 | Specifically, GPL v2.0: http://www.gnu.org/licenses/gpl-2.0.html
11 |
12 | Questions, comments, etc., can be sent to keydet89 at yahoo dot com.
--------------------------------------------------------------------------------
/RegRipper/p2x5124.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/RegRipper/p2x5124.dll
--------------------------------------------------------------------------------
/RegRipper/plugins/all:
--------------------------------------------------------------------------------
1 | # 20120528 *ALL* Plugins that apply on any HIVES, alphabetical order
2 | baseline
3 | findexes
4 | regtime
5 | rlo
6 | del
--------------------------------------------------------------------------------
/RegRipper/plugins/appspecific.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # appspecific.pl
3 | #
4 | #
5 | # Change history
6 | # 20120820 - created
7 | #
8 | # References
9 | #
10 | #
11 | # copyright 2012 Quantum Analytics Research, LLC
12 | # Author: H. Carvey, keydet89@yahoo.com
13 | #-----------------------------------------------------------
package appspecific;
use strict;

# Plugin metadata, exposed to the RegRipper framework through the accessors
# below. The hive string is written 'NTUSER.DAT'; the original "NTUSER\.DAT"
# yields the same bytes once the unrecognised escape is dropped.
my %config = (
    hive          => 'NTUSER.DAT',
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20120820,
);

# Framework accessors: each hands back the matching piece of %config.
sub getConfig  { return %config; }
sub getHive    { return $config{hive}; }
sub getVersion { return $config{version}; }
sub getDescr   { }
sub getRefs    { }

sub getShortDescr {
    return q{Gets contents of user's Intellipoint\AppSpecific subkeys};
}

my $VERSION = getVersion();
34 |
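# pluginmain: entry point invoked by the framework.
#   $class  - package name (method-style call; unused)
#   $ntuser - path to the NTUSER.DAT hive to parse
# Lists each subkey of Software\Microsoft\IntelliPoint\AppSpecific with its
# LastWrite time and, when present, its Timestamp value. All output goes
# through ::rptMsg/::logMsg; nothing is returned.
sub pluginmain {
    my $class  = shift;
    my $ntuser = shift;
    ::logMsg("Launching appspecific v.".$VERSION);
    # Banner lines, matching the other plugins in this set (the original
    # printed none, so the report section had no heading).
    ::rptMsg("appspecific v.".$VERSION);
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");
    my $reg      = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;

    my $key_path = 'Software\\Microsoft\\IntelliPoint\\AppSpecific';
    my $key = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." not found.");
        return;
    }
    ::rptMsg("AppSpecific");
    ::rptMsg($key_path);

    my @subkeys = $key->get_list_of_subkeys();
    unless (@subkeys) {
        ::rptMsg($key_path." has no subkeys.");
        return;
    }
    foreach my $s (@subkeys) {
        ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
        # Best effort: when the Timestamp value is absent the get_data() call
        # dies inside the eval. The error is deliberately not reported so the
        # subkey itself is still listed.
        eval {
            my $ts = $s->get_value("Timestamp")->get_data();
            # ::getTime() is the framework's time conversion; what its first
            # argument (0 here) selects is not visible in this file.
            my $t = ::getTime(0, $ts);
            ::rptMsg("Timestamp: ".gmtime($t));
        };
        ::rptMsg("");
    }
    return;
}

1;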
--------------------------------------------------------------------------------
/RegRipper/plugins/at.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # at.pl
3 | #
4 | #
5 | # Change history
6 | # 20140821 - created
7 | #
8 | #
9 | #
10 | #
11 | # Copyright (c) 2014 QAR,LLC
12 | # Author: H. Carvey, keydet89@yahoo.com
13 | #-----------------------------------------------------------
package at;
use strict;

# Plugin metadata, exposed to the framework through the accessors below.
my %config = (
    hive          => 'Software',
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    category      => 'program execution',
    version       => 20140821,
);

# Framework accessors: each hands back the matching piece of %config.
sub getConfig     { return %config; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }
sub getDescr      { }
sub getShortDescr { return 'Checks Software hive for AT jobs'; }
sub getRefs       { }

# Placed after the accessors so it reads top-down; subs are bound at compile
# time, so the original order (before the definitions) worked as well.
my $VERSION = getVersion();
33 |
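# pluginmain: entry point invoked by the framework.
#   $class - package name (unused)
#   $hive  - path to the Software hive to parse
# Reports the TaskCache\Tree subkeys whose names start with "At" (the AT
# jobs named in getShortDescr) together with their LastWrite times. Output
# goes through ::rptMsg/::logMsg; nothing is returned.
sub pluginmain {
    my $class = shift;
    my $hive  = shift;

    ::logMsg("Launching at v.".$VERSION);
    ::rptMsg("at v.".$VERSION); # 20110830 [fpi] + banner
    ::rptMsg("(".$config{hive}.") ".getShortDescr());
    ::rptMsg("");
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree';

    my $key = $root_key->get_subkey($key_path);
    unless ($key) {
        # The original left this branch empty, so an absent key produced the
        # same (empty) report as "no AT jobs". Say so, as the other plugins do.
        ::rptMsg($key_path." not found.");
        return;
    }

    my $found = 0;
    foreach my $s ($key->get_list_of_subkeys()) {
        my $name = $s->get_name();
        # Prefix match on purpose: only the At* entries are of interest here.
        next unless ($name =~ m/^At/);
        $found++;
        my $lw = $s->get_timestamp();
        ::rptMsg($name." - LastWrite time: ".gmtime($lw)." UTC");
    }
    # Empty-input case: make it explicit that the key was read but held no
    # matching entries, instead of printing nothing after the banner.
    ::rptMsg("No AT jobs found under ".$key_path.".") unless ($found);
    return;
}

1;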
66 |
--------------------------------------------------------------------------------
/RegRipper/plugins/at_tln.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # at_tln.pl
3 | #
4 | #
5 | # Change history
6 | # 20140821 - created
7 | #
8 | #
9 | #
10 | #
11 | # Copyright (c) 2014 QAR,LLC
12 | # Author: H. Carvey, keydet89@yahoo.com
13 | #-----------------------------------------------------------
package at_tln;
use strict;

# Plugin metadata, exposed to the framework through the accessors below.
# Same settings as at.pl; this is its timeline (TLN) output variant.
my %config = (
    hive          => 'Software',
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    category      => 'program execution',
    version       => 20140821,
);

# Framework accessors: each hands back the matching piece of %config.
sub getConfig     { return %config; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }
sub getDescr      { }
sub getShortDescr { return 'Checks Software hive for AT jobs'; }
sub getRefs       { }

# Placed after the accessors so it reads top-down; subs are bound at compile
# time, so the original order (before the definitions) worked as well.
my $VERSION = getVersion();
33 |
# pluginmain: timeline (TLN) counterpart of at.pl.
#   $class - package name (unused)
#   $hive  - path to the Software hive to parse
# Emits one pipe-delimited line per TaskCache\Tree subkey named At*, with
# the subkey's LastWrite time in the first field. No banner is printed and
# nothing is reported when the key is absent — presumably deliberate, so
# that the output holds only timeline records. Nothing is returned.
sub pluginmain {
    my ($class, $hive) = @_;
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree';

    my $key = $root_key->get_subkey($key_path);
    return unless ($key);

    foreach my $job ($key->get_list_of_subkeys()) {
        my $name = $job->get_name();
        # Prefix match on purpose: only the At* entries are of interest here.
        next unless ($name =~ m/^At/);
        # Fields: time|REG|<empty>|<empty>|description.
        ::rptMsg($job->get_timestamp()."|REG|||[AT Job] ".$name);
    }
    return;
}

1;
61 |
--------------------------------------------------------------------------------
/RegRipper/plugins/autoendtasks.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # autoendtasks.pl
3 | #
4 | # History
5 | # 20081128 - created
6 | #
7 | # Ref:
8 | # http://support.microsoft.com/kb/555619
9 | # This Registry setting tells XP (and Vista) to automatically
10 | # end non-responsive tasks; value may not exist on Vista.
11 | #
12 | # copyright 2008 H. Carvey, keydet89@yahoo.com
13 | #-----------------------------------------------------------
package autoendtasks;
use strict;

# Plugin metadata, exposed to the framework through the accessors below.
# 'NTUSER.DAT' is the same string the original spelled "NTUSER\.DAT".
my %config = (
    hive          => 'NTUSER.DAT',
    osmask        => 22,
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    version       => 20081128,
);

# Framework accessors: each hands back the matching piece of %config.
sub getConfig     { return %config; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }
sub getDescr      { }
sub getRefs       { }
sub getShortDescr { return 'Automatically end a non-responsive task'; }

my $VERSION = getVersion();
35 |
# pluginmain: entry point invoked by the framework.
#   $class - package name (unused)
#   $hive  - path to the NTUSER.DAT hive to parse
# Reports the AutoEndTasks value under Control Panel\Desktop, or says that
# the key or value is missing. Output goes through ::rptMsg/::logMsg;
# nothing is returned.
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching autoendtasks v.".$VERSION);
    ::rptMsg("autoendtasks v.".$VERSION); # banner
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
    my $root_key = Parse::Win32Registry->new($hive)->get_root_key;

    my $key_path = 'Control Panel\\Desktop';
    my $key = $root_key->get_subkey($key_path);
    if (!$key) {
        ::rptMsg($key_path." not found.");
        ::logMsg($key_path." not found.");
        return;
    }
    ::rptMsg($key_path);
    ::rptMsg("");
    # A missing value makes get_data() die inside the eval and sets $@; that
    # is how "not found" is told apart from a present value.
    my $autoend = eval { $key->get_value("AutoEndTasks")->get_data() };
    if ($@) {
        ::rptMsg("AutoEndTasks value not found.");
    }
    else {
        ::rptMsg("AutoEndTasks = ".$autoend);
    }
    return;
}
1;
--------------------------------------------------------------------------------
/RegRipper/plugins/cmd_shell_u.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # cmd_shell_u
3 | # Get the shell\open\command settings for various file types; gets
4 | # info from USRCLASS.DAT hives, where Classes data is maintained on
5 | # Win7
6 | #
7 | # Change History
8 | # 20130405 - created
9 | #
10 | # copyright 2013 Quantum Analytics Research, LLC
11 | # Author: H. Carvey, keydet89@yahoo.com
12 | #-----------------------------------------------------------
package cmd_shell_u;
use strict;

# Plugin metadata, exposed to the framework through the accessors below.
# 'USRCLASS.DAT' is the same string the original spelled "USRCLASS\.DAT".
my %config = (
    hive          => 'USRCLASS.DAT',
    osmask        => 22,
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    version       => 20130405,
);

# Framework accessors: each hands back the matching piece of %config.
sub getConfig  { return %config; }
sub getHive    { return $config{hive}; }
sub getVersion { return $config{version}; }
sub getDescr   { }
sub getRefs    { }

sub getShortDescr {
    return 'Gets shell open cmds for various file types from USRCLASS.DAT';
}

my $VERSION = getVersion();
34 |
# pluginmain: entry point invoked by the framework.
#   $class - package name (unused)
#   $hive  - path to the USRCLASS.DAT hive to parse
# For each class in a fixed list (.exe, exefile, ftp, http, https) reports
# the default value of <class>\shell\open\command and the key's LastWrite
# time. These values decide what the shell launches for that class, so a
# reviewer typically compares them against a known-good system. Output goes
# through ::rptMsg/::logMsg; nothing is returned.
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching cmd_shell_u v.".$VERSION);
    ::rptMsg("cmd_shell_u v.".$VERSION); # banner
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
    # '.exe' is the same string the original wrote as "\.exe" (the
    # unrecognised escape is dropped).
    my @shells = ('.exe', 'exefile', 'ftp', 'http', 'https');

    my $root_key = Parse::Win32Registry->new($hive)->get_root_key;

    foreach my $sh (@shells) {
        my $key_path = $sh.'\\shell\\open\\command';
        my $key = $root_key->get_subkey($key_path);
        unless ($key) {
            ::rptMsg($key_path." not found.");
            next;
        }
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        # The empty name selects the key's default value. If it is absent
        # get_data() dies inside the eval and the error text is reported.
        eval {
            my $val = $key->get_value("")->get_data();
            ::rptMsg(" Cmd: ".$val);
            ::rptMsg("");
        };
        ::rptMsg("Error: ".$@) if ($@);
    }
    ::rptMsg("");
    return;
}
1;
--------------------------------------------------------------------------------
/RegRipper/plugins/cmdproc.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # cmdproc.pl
3 | # Checks key for files to autostart from cmd.exe
4 | #
5 | # Change History
6 | # 20130425 - added alertMsg() functionality
7 | # 20130115 - created
8 | #
9 | # References:
10 | #
11 | # Category: autostart,malware,programexecution
12 | #
13 | # copyright 2013 Quantum Analytics Research,
14 | # Author: H. Carvey, keydet89@yahoo.com
15 | #-----------------------------------------------------------
package cmdproc;
use strict;

# Plugin metadata, exposed to the framework through the accessors below.
# 'NTUSER.DAT' is the same string the original spelled "NTUSER\.DAT".
my %config = (
    hive          => 'NTUSER.DAT',
    osmask        => 22,
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    version       => 20130425,
);

# Framework accessors: each hands back the matching piece of %config.
sub getConfig  { return %config; }
sub getHive    { return $config{hive}; }
sub getVersion { return $config{version}; }
sub getDescr   { }
sub getRefs    { }

sub getShortDescr {
    return 'Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive';
}

my $VERSION = getVersion();
37 |
# pluginmain: entry point invoked by the framework.
#   $class - package name (unused)
#   $hive  - path to the NTUSER.DAT hive to parse
# Reports the Command Processor\AutoRun value, which cmd.exe runs at start
# (see the file header). Any value present is also raised via ::alertMsg.
# Output goes through ::rptMsg/::logMsg/::alertMsg; nothing is returned.
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching cmdproc v.".$VERSION);
    ::rptMsg("cmdproc v.".$VERSION); # banner
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
    my $root_key = Parse::Win32Registry->new($hive)->get_root_key;

    my $key_path = "Software\\Microsoft\\Command Processor";
    my $key = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." not found.");
        return;
    }
    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");

    # A missing AutoRun value makes get_data() die inside the eval; that
    # case is reported as "not found" rather than treated as an error.
    eval {
        my $auto = $key->get_value("AutoRun")->get_data();
        ::rptMsg("AutoRun = ".$auto);
        ::alertMsg("ALERT: cmdproc: ".$key_path." AutoRun value found: ".$auto);
    };
    ::rptMsg("AutoRun value not found.") if ($@);
    return;
}
1;
--------------------------------------------------------------------------------
/RegRipper/plugins/compdesc.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # compdesc.pl
3 | # Plugin for Registry Ripper,
4 | # ComputerDescriptions key parser
5 | #
6 | # Change history
7 | #
8 | #
9 | # References
10 | #
11 | #
12 | # copyright 2008 H. Carvey
13 | #-----------------------------------------------------------
package compdesc;
use strict;

# Plugin metadata, exposed to the framework through the accessors below.
# 'NTUSER.DAT' is the same string the original spelled "NTUSER\.DAT".
my %config = (
    hive          => 'NTUSER.DAT',
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20080324,
);

# Framework accessors: each hands back the matching piece of %config.
sub getConfig  { return %config; }
sub getHive    { return $config{hive}; }
sub getVersion { return $config{version}; }
sub getDescr   { }
sub getRefs    { }

sub getShortDescr {
    return q{Gets contents of user's ComputerDescriptions key};
}

my $VERSION = getVersion();
34 |
# pluginmain: entry point invoked by the framework.
#   $class  - package name (unused)
#   $ntuser - path to the NTUSER.DAT hive to parse
# Lists every value (name and data) under the user's ComputerDescriptions
# key together with the key's LastWrite time. Output goes through
# ::rptMsg/::logMsg; nothing is returned.
sub pluginmain {
    my ($class, $ntuser) = @_;
    ::logMsg("Launching compdesc v.".$VERSION);
    ::rptMsg("compdesc v.".$VERSION); # banner
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
    my $root_key = Parse::Win32Registry->new($ntuser)->get_root_key;

    my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions';
    my $key = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." not found.");
        ::logMsg($key_path." not found.");
        return;
    }
    ::rptMsg("ComputerDescriptions");
    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");

    my @vals = $key->get_list_of_values();
    unless (@vals) {
        ::rptMsg($key_path." has no values.");
        ::logMsg($key_path." has no values.");
        return;
    }
    foreach my $v (@vals) {
        ::rptMsg(" ".$v->get_name()." ".$v->get_data());
    }
    return;
}

1;
--------------------------------------------------------------------------------
/RegRipper/plugins/ddo.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------------------------------------
2 | # ddo.pl
3 | #
4 | # History
5 | # 20140414 - created
6 | #
7 | # Registry entries created by devices that support device stage
8 | # Reference: http://nicoleibrahim.com/part-4-usb-device-research-usb-first-insert-results/
9 | #
10 | # # Author: Jasmine Chua, babymagic06@gmail.com
11 | #-----------------------------------------------------------------------------------------
package ddo;
use strict;

# Plugin metadata, exposed to the framework through the accessors below.
# 'NTUSER.DAT' is the same string the original spelled "NTUSER\.DAT".
my %config = (
    hive          => 'NTUSER.DAT',
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20140414,
);

# Framework accessors: each hands back the matching piece of %config.
sub getConfig  { return %config; }
sub getHive    { return $config{hive}; }
sub getVersion { return $config{version}; }
sub getDescr   { }
sub getRefs    { }

sub getShortDescr {
    return q{Gets user's DeviceDisplayObjects key contents};
}

my $VERSION = getVersion();
32 |
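# pluginmain: entry point invoked by the framework.
#   $class  - package name (unused)
#   $ntuser - path to the NTUSER.DAT hive to parse
# Lists the value names under the user's DeviceDisplayObjects key and
# prints, once, the hint on correlating them with the SYSTEM hive. Output
# goes through ::rptMsg/::logMsg; nothing is returned.
sub pluginmain {
    my ($class, $ntuser) = @_;
    ::logMsg("Launching DDO v.".$VERSION);
    ::rptMsg("DDO v.".$VERSION); # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner

    my $root_key = Parse::Win32Registry->new($ntuser)->get_root_key;

    my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\DeviceDisplayObjects';
    my $key = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." not found.");
        return;
    }
    ::rptMsg("DeviceDisplayObjects");
    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." (UTC)\n");

    # The original swallowed a failure here and printed nothing; report it
    # instead so an unreadable key is not mistaken for an empty one.
    my @vals = eval { $key->get_list_of_values() };
    if ($@) {
        ::rptMsg("Error: ".$@);
        return;
    }
    unless (@vals) {
        ::rptMsg($key_path." has no values.");
        return;
    }
    foreach my $v (@vals) {
        ::rptMsg("Value Name: ".$v->get_name(). "\n");
    }
    # Printed once after the list; the original repeated it for every value.
    ::rptMsg("You can match the DDO values with the ContainerID in ENUM\\USB of SYSTEM hive.");
    return;
}

# Plugin files are loaded with require and must end in a true value; the
# original file had no trailing 1;.
1;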
64 |
--------------------------------------------------------------------------------
/RegRipper/plugins/dfrg.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # dfrg.pl
3 | # Gets contents of Dfrg\BootOptimizeFunction key
4 | #
5 | # Change history:
6 | # 20110321 - created
7 | #
8 | # References
9 | # http://technet.microsoft.com/en-us/library/cc784391%28WS.10%29.aspx
10 | #
11 | # copyright 2011 Quantum Analytics Research, LLC (keydet89@yahoo.com)
12 | #-----------------------------------------------------------
package dfrg;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
my %config = (hive          => "Software",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20110321);

sub getConfig     { return %config; }
sub getShortDescr { return "Gets content of Dfrg BootOptim. key"; }
sub getDescr      {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Reports every value under Microsoft\Dfrg\BootOptimizeFunction in the
# Software hive at $hive as a "name data" pair. Reports and logs when the
# key is missing; nothing is returned.
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching dfrg v.".$VERSION);
    ::rptMsg("dfrg v.".$VERSION);                              # banner
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");     # banner

    my $root_key = Parse::Win32Registry->new($hive)->get_root_key;
    my $key_path = "Microsoft\\Dfrg\\BootOptimizeFunction";
    my $key      = $root_key->get_subkey($key_path);

    unless ($key) {
        ::rptMsg($key_path." not found.");
        ::logMsg($key_path." not found.");
        return;
    }

    ::rptMsg("Dfrg");
    ::rptMsg($key_path);
    ::rptMsg("");

    my @vals = $key->get_list_of_values();
    if (@vals) {
        # get_data() is printed as-is; non-string types are not decoded here.
        ::rptMsg(sprintf("%-20s %-20s", $_->get_name(), $_->get_data())) for @vals;
    }
    else {
        ::rptMsg($key_path." has no values.");
    }
    return;
}

1;
--------------------------------------------------------------------------------
/RegRipper/plugins/gthist.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # gthist.pl
3 | # Google Toolbar Search History plugin
4 | #
5 | #
6 | # Change history
7 | # 20100218 - created
8 | #
9 | # References
10 | #
11 | #
12 | #
13 | # copyright 2010 Quantum Analytics Research, LLC
14 | #-----------------------------------------------------------
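package gthist;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20100218);

sub getConfig     { return %config; }
sub getShortDescr { return "Gets Google Toolbar Search History"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $ntuser)
# Reads Software\Google\NavClient\1.1\History from the NTUSER.DAT hive at
# $ntuser. Each value name is a search term and its data is unpacked as a
# 32-bit little-endian time; terms are reported newest first.
sub pluginmain {
    my $class  = shift;
    my $ntuser = shift;
    # epoch time => list of every search term recorded with that time
    my %hist;
    ::logMsg("Launching gthist v.".$VERSION);
    ::rptMsg("gthist v.".$VERSION);                           # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n");        # banner
    my $reg      = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;

    my $key_path = 'Software\\Google\\NavClient\\1.1\\History';
    my $key;
    if ($key = $root_key->get_subkey($key_path)) {
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        my @vals = $key->get_list_of_values();
        if (scalar @vals > 0) {
            ::rptMsg("");
            foreach my $v (@vals) {
                my $data = $v->get_data();
                # The unpack("V") below implies the data is 4 raw bytes rather
                # than an already-decoded REG_DWORD — TODO confirm on a sample.
                unless (defined $data && length($data) >= 4) {
                    ::rptMsg("Value ".$v->get_name()." has unexpected data length; skipped.");
                    next;
                }
                my $tv = unpack("V", $data);
                # Several searches can share one second; the former
                # "$hist{$tv} = name" overwrite silently dropped all but one.
                push @{ $hist{$tv} }, $v->get_name();
            }

            foreach my $t (reverse sort { $a <=> $b } keys %hist) {
                ::rptMsg(gmtime($t)." ".$_) for @{ $hist{$t} };
            }
        }
        else {
            ::rptMsg($key_path." has no values.");
        }
    }
    else {
        ::rptMsg($key_path." not found.");
    }
}

1;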
--------------------------------------------------------------------------------
/RegRipper/plugins/gtwhitelist.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # gtwhitelist.pl
3 | # Google Toolbar Search History plugin
4 | #
5 | #
6 | # Change history
7 | # 20100218 - created
8 | #
9 | # References
10 | #
11 | #
12 | #
13 | # copyright 2010 Quantum Analytics Research, LLC
14 | #-----------------------------------------------------------
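package gtwhitelist;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20100218);

sub getConfig     { return %config; }
sub getShortDescr { return "Gets Google Toolbar whitelist values"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $ntuser)
# Reads the Google Toolbar whitelist key from the NTUSER.DAT hive at
# $ntuser: the "allow2" value is split on '|' and listed one entry per
# line, and "lastmod" is shown as a UTC time. A missing value is now
# reported instead of silently producing no output.
sub pluginmain {
    my $class  = shift;
    my $ntuser = shift;
    ::logMsg("Launching gtwhitelist v.".$VERSION);
    ::rptMsg("gtwhitelist v.".$VERSION);                      # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n");        # banner
    my $reg      = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;

    my $key_path = 'Software\\Google\\Google Toolbar\\4.0\\whitelist';
    my $key;
    if ($key = $root_key->get_subkey($key_path)) {
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");

        # get_value() yields undef for an absent value, so ->get_data() dies
        # inside the eval; $@ is inspected immediately after.
        my $allow2;
        eval {
            $allow2 = $key->get_value("allow2")->get_data();
        };
        if ($@) {
            ::rptMsg("allow2 value not found.");
        }
        else {
            my @entries = split(/\|/, $allow2);
            ::rptMsg("");
            ::rptMsg("whitelist");
            foreach my $v (@entries) {
                next if ($v eq "");
                ::rptMsg(" ".$v);
            }
            ::rptMsg("");
        }

        my $lastmod;
        eval {
            $lastmod = $key->get_value("lastmod")->get_data();
        };
        if ($@) {
            ::rptMsg("lastmod value not found.");
        }
        else {
            ::rptMsg("lastmod ".gmtime($lastmod)." (UTC)");
        }
    }
    else {
        ::rptMsg($key_path." not found.");
    }
}

1;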
--------------------------------------------------------------------------------
/RegRipper/plugins/handler.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # handler.pl
3 | #
4 | # Several pieces of malware will modify the HKCR\Network\SharingHandler key
5 | # default value, pointing it to something other than ntshrui.dll
6 | #
7 | #
8 | # References:
9 | # http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_cosmu.elg
10 | #
11 | # Change history:
12 | # 20150826 - created
13 | #
14 | # copyright 2015 Quantum Analytics Research, LLC
15 | # Author: H. Carvey, keydet89@yahoo.com
16 | #-----------------------------------------------------------
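package handler;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
my %config = (hive          => "Software",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              category      => "malware",
              version       => 20150826);

sub getConfig     { return %config; }
sub getShortDescr { return "Checks HKCR/Network/SharingHandler (default) value"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Reports the (Default) value of Classes\Network\SharingHandler from the
# Software hive at $hive. Per the file header the expected content
# references ntshrui.dll; anything else is called out for review.
sub pluginmain {
    my $class = shift;
    my $hive  = shift;
    ::logMsg("Launching handler v.".$VERSION);
    ::rptMsg("handler v.".$VERSION);                          # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n");        # banner
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $key_path = "Classes\\Network\\SharingHandler";

    my $key;
    if ($key = $root_key->get_subkey($key_path)) {
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");
        # The former unguarded get_value("")->get_data() died (aborting the
        # plugin) when the key carried no default value.
        my $default = $key->get_value("");
        if (defined $default) {
            my $data = $default->get_data();
            ::rptMsg("(Default) value = ".(defined $data ? $data : ""));
            ::rptMsg("NOTE: (Default) value does not reference ntshrui.dll; review.")
                unless (defined $data && $data =~ /ntshrui\.dll/i);
        }
        else {
            ::rptMsg("(Default) value not found.");
        }
    }
    else {
        ::rptMsg($key_path." not found.");
    }
}
1;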
--------------------------------------------------------------------------------
/RegRipper/plugins/identities.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # identities.pl
3 | #
4 | #
5 | # Change history
6 | # 20151211 - created
7 | #
8 | # References
9 | # https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html
10 | #
11 | # Copyright 2015 QAR LLC
12 | # Author: H. Carvey, keydet89@yahoo.com
13 | #-----------------------------------------------------------
package identities;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20151211);
my $VERSION = getVersion();

sub getDescr      {}
sub getRefs       {}
sub getConfig     { return %config; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }
sub getShortDescr { return "Extracts values from Identities key; NTUSER\.DAT"; }

# pluginmain($class, $hive)
# Lists every value under the user's Identities key (name and data in two
# columns) from the NTUSER.DAT hive at $hive. Always ends the section with
# a blank report line.
sub pluginmain {
    my ($class, $hive) = @_;

    ::logMsg("Launching identities v.".$VERSION);
    ::rptMsg("identities v.".$VERSION);
    ::rptMsg("(".getHive().") ".getShortDescr()."\n");
    my $root_key = Parse::Win32Registry->new($hive)->get_root_key;
    my $key_path = "Identities";
    my $key      = $root_key->get_subkey($key_path);

    if (!$key) {
        ::rptMsg($key_path." not found.");
    }
    else {
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");

        my @vals = $key->get_list_of_values();
        if (!@vals) {
            ::rptMsg($key_path." has no values.");
        }
        else {
            for my $v (@vals) {
                ::rptMsg(sprintf("%-40s %-30s", $v->get_name(), $v->get_data()));
            }
        }
    }
    ::rptMsg("");
}
1;
67 |
--------------------------------------------------------------------------------
/RegRipper/plugins/javasoft.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # javasoft.pl
3 | #
4 | # History
5 | # 20130216 - created
6 | #
7 | # References
8 | # http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
9 | # http://nakedsecurity.sophos.com/how-to-disable-java-internet-explorer/
10 | #
11 | # copyright 2013 QAR, LLC
12 | # Author: H. Carvey, keydet89@yahoo.com
13 | #-----------------------------------------------------------
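package javasoft;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
my %config = (hive          => "Software",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20130216);

sub getConfig     { return %config; }
sub getShortDescr { return "Gets contents of JavaSoft/UseJava2IExplorer value"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Checks both the native and the Wow6432Node JavaSoft\Java Plug-in keys in
# the Software hive at $hive and reports the UseJava2IExplorer value of
# each, or that the key/value is absent.
sub pluginmain {
    my $class = shift;
    my $hive  = shift;
    ::logMsg("Launching javasoft v.".$VERSION);
    # Report banner now matches the other plugins ("name v.N"); the old text
    # copied the "Launching ..." log line into the report.
    ::rptMsg("javasoft v.".$VERSION);                         # banner
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");    # banner
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    my @k = ('JavaSoft\\Java Plug-in', 'Wow6432Node\\JavaSoft\\Java Plug-in');
    foreach my $key_path (@k) {
        my $key;
        if ($key = $root_key->get_subkey($key_path)) {
            ::rptMsg($key_path);
            ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
            ::rptMsg("");
            my $ie;
            eval {
                $ie = $key->get_value("UseJava2IExplorer")->get_data();
            };
            if ($@) {
                ::rptMsg("UseJava2IExplorer value not found\.");
            }
            elsif (defined $ie && $ie =~ /\A\d+\z/) {
                ::rptMsg(sprintf "UseJava2IExplorer = 0x%x", $ie);
            }
            else {
                # %x on a non-numeric payload (e.g. a string value) would have
                # printed a misleading 0x0; show it verbatim instead.
                ::rptMsg("UseJava2IExplorer = ".(defined $ie ? $ie : "(undef)"));
            }
            ::rptMsg("");
        }
        else {
            ::rptMsg("Key ".$key_path." not found.");
        }
    }
}
1;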
--------------------------------------------------------------------------------
/RegRipper/plugins/lastloggedon.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # lastloggedon
3 | #
4 | #
5 | # References
6 | #
7 | #
8 | # History:
9 | # 20160531 - created
10 | #
11 | # copyright 2016 Quantum Analytics Research, LLC
12 | # Author: H. Carvey, keydet89@yahoo.com
13 | #-----------------------------------------------------------
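package lastloggedon;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
my %config = (hive          => "Software",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20160531);

sub getConfig     { return %config; }
sub getShortDescr { return "Gets LastLoggedOn* values from LogonUI key"; }
sub getDescr      {}
sub getRefs       { my %refs = (); return %refs; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Reports the LastLoggedOnUser and LastLoggedOnSAMUser values of the
# LogonUI key in the Software hive at $hive. Each value is optional; an
# absent one is now reported rather than silently skipped.
sub pluginmain {
    my $class = shift;
    my $hive  = shift;
    ::logMsg("Launching lastloggedon v.".$VERSION);
    ::rptMsg("lastloggedon v.".$VERSION);
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my ($key_path, $key);

    $key_path = "Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI";
    if ($key = $root_key->get_subkey($key_path)) {
        ::rptMsg("LastLoggedOn");
        ::rptMsg($key_path);
        # gmtime() is UTC; label it like the sibling plugins do.
        ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");

        foreach my $name ("LastLoggedOnUser", "LastLoggedOnSAMUser") {
            my $val = $key->get_value($name);
            if (defined $val) {
                ::rptMsg($name." = ".$val->get_data());
            }
            else {
                ::rptMsg($name." value not found.");
            }
        }
    }
    else {
        ::rptMsg($key_path." not found.");
    }
}

1;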
--------------------------------------------------------------------------------
/RegRipper/plugins/lazyshell.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # lazyshell
3 | #
4 | # Change history:
5 | # 20131007 - created
6 | #
7 | # Ref:
8 | #
9 | #
10 | # copyright 2013 QAR,LLC
11 | # Author: H. Carvey, keydet89@yahoo.com
12 | #-----------------------------------------------------------
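package lazyshell;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
# NOTE(review): hasRefs is 1 but getRefs() returns nothing; the header's
# "Ref:" section is also empty.
my %config = (hive          => "Software",
              category      => "malware",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 1,
              osmask        => 22,
              version       => 20131007);

sub getConfig     { return %config; }
sub getShortDescr { return "Checks for keys/values assoc. with LazyShell"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Looks for the Wordpad\ComChecks\Safelist key (native and Wow6432Node) in
# the Software hive at $hive and reports whether the CategoryCount and
# ResetAU values are present.
sub pluginmain {
    my $class = shift;
    my $hive  = shift;
    # "Launching ..." belongs in the log; every other plugin uses ::logMsg
    # here, and the old ::rptMsg duplicated the banner into the report.
    ::logMsg("Launching lazyshell v.".$VERSION);
    ::rptMsg("lazyshell v.".$VERSION);                        # banner
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");    # banner
    my @paths = ('Microsoft\\Windows\\CurrentVersion\\Wordpad\\ComChecks\\Safelist',
                 'Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Wordpad\\ComChecks\\Safelist');

    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    foreach my $key_path (@paths) {
        my $key;
        if ($key = $root_key->get_subkey($key_path)) {
            ::rptMsg($key_path);
            ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");

            # Only presence matters here; get_value() is undef for an absent
            # value, so no eval around ->get_data() is needed.
            foreach my $name ("CategoryCount", "ResetAU") {
                if (defined $key->get_value($name)) {
                    ::rptMsg($name." value found.");
                }
            }
            ::rptMsg("");
        }
        else {
            ::rptMsg($key_path." not found.");
        }
    }
}
1;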
--------------------------------------------------------------------------------
/RegRipper/plugins/licenses.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # licenses.pl
3 | # There are indications that the contents of this key may be associated
4 | # with a number of different malware variants, including the Elite
5 | # Keylogger.
6 | #
7 | # History
8 | # 20120305 - created
9 | #
10 | #
11 | # copyright 2012, Quantum Analytics Research, LLC
12 | #-----------------------------------------------------------
package licenses;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
my %config = (hive          => "Software",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20120305);

sub getConfig     { return %config; }
sub getShortDescr { return "Get contents of HKLM/Software/Licenses key"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Reports the name and byte length of every type-3 (REG_BINARY) value under
# the Licenses key of the Software hive at $hive; values of other types are
# not listed.
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching licenses v.".$VERSION);
    ::rptMsg("licenses v.".$VERSION);                          # banner
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");     # banner
    my $root_key = Parse::Win32Registry->new($hive)->get_root_key;

    my $key_path = "Licenses";
    my $key      = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." not found.");
        return;
    }

    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
    ::rptMsg("");

    my @vals = $key->get_list_of_values();
    unless (@vals) {
        ::rptMsg($key_path." has no values.");
        return;
    }
    # 3 is the registry type code for binary data.
    for my $v (grep { $_->get_type() == 3 } @vals) {
        ::rptMsg("Value: ".$v->get_name()." (Binary data: ".length($v->get_data())." bytes)");
    }
    return;
}
1;
--------------------------------------------------------------------------------
/RegRipper/plugins/mmc_tln.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # mmc_tln.pl
3 | # Plugin for Registry Ripper, NTUSER.DAT edition - gets the
4 | # Microsoft Management Console Recent File List values
5 | #
6 | # Change history
7 | # 20120828 - updated, transitioned to TLN format output
8 | # 20080324 - created
9 | #
10 | # References
11 | #
12 | #
13 | # copyright 2012
14 | # Author: H. Carvey, keydet89@yahoo.com
15 | #-----------------------------------------------------------
package mmc_tln;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20120828);

sub getConfig     { return %config; }
sub getShortDescr { return "Get contents of user's MMC\\Recent File List key (TLN)"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $ntuser)
# Timeline (TLN) variant: emits a single "time|REG|||..." line for the
# File1 value of the MMC Recent File List key in the NTUSER.DAT hive at
# $ntuser, stamped with the key's LastWrite time. Emits nothing when the
# key, its values, or File1 are absent.
sub pluginmain {
    my ($class, $ntuser) = @_;
    ::logMsg("Launching mmc v.".$VERSION);
    my $root_key = Parse::Win32Registry->new($ntuser)->get_root_key;

    my $key_path = 'Software\\Microsoft\\Microsoft Management Console\\Recent File List';
    my $key      = $root_key->get_subkey($key_path);
    return unless $key;

    my $lw   = $key->get_timestamp();
    my @vals = $key->get_list_of_values();
    return unless @vals;

    # A missing File1 makes ->get_data() die; the eval keeps TLN output silent.
    eval {
        my $file1 = $key->get_value("File1")->get_data();
        ::rptMsg($lw."|REG|||[Program Execution] MMC - Recent File List - ".$file1);
    };
    return;
}

1;
--------------------------------------------------------------------------------
/RegRipper/plugins/mndmru_tln.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # mndmru_tln.pl
3 | # Plugin for Registry Ripper,
4 | # Map Network Drive MRU parser
5 | #
6 | # Change history
7 | # 20120829 - updated to TLN
8 | # 20080324 - mndmru.pl created
9 | #
10 | # References
11 | #
12 | #
13 | # copyright 2012
14 | # Author: H. Carvey, keydet89@yahoo.com
15 | #-----------------------------------------------------------
package mndmru_tln;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20120829);

sub getConfig     { return %config; }
sub getShortDescr { return "Get user's Map Network Drive MRU (TLN)"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $ntuser)
# Timeline (TLN) variant: emits one "time|REG|||..." line for the most
# recent Map Network Drive MRU entry (first character of MRUList) from the
# NTUSER.DAT hive at $ntuser, stamped with the key's LastWrite time. Emits
# nothing when the key, its values, or the MRU entry are absent.
sub pluginmain {
    my ($class, $ntuser) = @_;
    ::logMsg("Launching mndmru v.".$VERSION);
    my $root_key = Parse::Win32Registry->new($ntuser)->get_root_key;

    my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU';
    my $key      = $root_key->get_subkey($key_path);
    return unless $key;

    my $lw   = $key->get_timestamp();
    my @vals = $key->get_list_of_values();
    return unless @vals;

    # Any missing value makes ->get_data() die; the eval keeps TLN output silent.
    eval {
        my $list  = $key->get_value("MRUList")->get_data();
        my $first = (split(//, $list))[0];
        my $mru   = $key->get_value($first)->get_data();
        ::rptMsg($lw."|REG|||Map Network Drive MRU - ".$mru);
    };
    return;
}

1;
--------------------------------------------------------------------------------
/RegRipper/plugins/mountdev2.pl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/RegRipper/plugins/mountdev2.pl
--------------------------------------------------------------------------------
/RegRipper/plugins/networkcards.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # networkcards
3 | #
4 | # copyright 2008 H. Carvey, keydet89@yahoo.com
5 | #-----------------------------------------------------------
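package networkcards;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
my %config = (hive          => "Software",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20080325);

sub getConfig     { return %config; }
sub getShortDescr { return "Get NetworkCards"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Walks the subkeys of Microsoft\Windows NT\CurrentVersion\NetworkCards in
# the Software hive at $hive and reports each adapter's Description with
# the subkey's LastWrite time, keyed by ServiceName.
sub pluginmain {
    my $class = shift;
    my $hive  = shift;
    ::logMsg("Launching networkcards v.".$VERSION);
    ::rptMsg("networkcards v.".$VERSION);                     # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n");        # banner
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards";
    my $key;
    if ($key = $root_key->get_subkey($key_path)) {
        ::rptMsg("NetworkCards");
        ::rptMsg($key_path);
        ::rptMsg("");
        my @subkeys = $key->get_list_of_subkeys();
        if (scalar(@subkeys) > 0) {
            my %nc;
            foreach my $s (@subkeys) {
                # Either value may be absent; the former unguarded
                # ->get_data() on an undef get_value() result died and took
                # the whole plugin down with it.
                my $svc_val   = $s->get_value("ServiceName");
                my $descr_val = $s->get_value("Description");
                # Fall back to the subkey name so an entry without
                # ServiceName is still listed instead of lost.
                my $service = defined $svc_val ? $svc_val->get_data() : $s->get_name();
                $nc{$service}{descr}     = defined $descr_val ? $descr_val->get_data() : "(no Description value)";
                $nc{$service}{lastwrite} = $s->get_timestamp();
            }

            # Sorted for deterministic report output across runs.
            foreach my $n (sort keys %nc) {
                ::rptMsg($nc{$n}{descr}." [".gmtime($nc{$n}{lastwrite})."]");
            }
        }
        else {
            ::rptMsg($key_path." has no subkeys.");
            ::logMsg($key_path." has no subkeys.");
        }
    }
    else {
        ::rptMsg($key_path." not found.");
        ::logMsg($key_path." not found.");
    }
}
1;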
--------------------------------------------------------------------------------
/RegRipper/plugins/networkuid.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # networkuid.pl
3 | # Gets UID value from Network key
4 | #
5 | # References
6 | # http://blogs.technet.com/mmpc/archive/2010/03/11/got-zbot.aspx
7 | #
8 | # copyright 2010 Quantum Analytics Research, LLC
9 | #-----------------------------------------------------------
package networkuid;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
my %config = (hive          => "Software",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20100312);

sub getConfig     { return %config; }
sub getShortDescr { return "Gets Network key UID value"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Reports the UID value of Microsoft\Windows NT\CurrentVersion\Network in
# the Software hive at $hive, or that the value/key is absent.
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching networkuid v.".$VERSION);
    ::rptMsg("networkuid v.".$VERSION);                       # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n");        # banner
    my $root_key = Parse::Win32Registry->new($hive)->get_root_key;

    my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Network";
    my $key      = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." not found.");
        ::logMsg($key_path." not found.");
        return;
    }

    ::rptMsg($key_path);
    ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp()));
    ::rptMsg("");

    # An absent UID value makes ->get_data() die inside the eval; $@ is
    # checked right after, before anything else can clobber it.
    eval {
        my $uid = $key->get_value("UID")->get_data();
        ::rptMsg("UID value = ".$uid);
    };
    ::rptMsg("UID value not found.") if ($@);
    return;
}
1;
--------------------------------------------------------------------------------
/RegRipper/plugins/ntuser:
--------------------------------------------------------------------------------
1 | # 20120528 *ALL* Plugins that apply on NTUSER hive, alphabetical order
2 | acmru
3 | adoberdr
4 | aim
5 | aports
6 | appcompatflags
7 | applets
8 | appspecific
9 | ares
10 | arpcache
11 | autoendtasks
12 | autorun
13 | bitbucket_user
14 | brisv
15 | cain
16 | ccleaner
17 | clampi
18 | clampitm
19 | comdlg32
20 | compatassist
21 | compdesc
22 | controlpanel
23 | cpldontload
24 | decaf
25 | dependency_walker
26 | domains
27 | environment
28 | fileexts
29 | filehistory
30 | gthist
31 | gtwhitelist
32 | haven_and_hearth
33 | ie_settings
34 | internet_explorer_cu
35 | internet_settings_cu
36 | javafx
37 | listsoft
38 | liveContactsGUID
39 | load
40 | logonusername
41 | mmc
42 | mndmru
43 | mp2
44 | mpmru
45 | mspaper
46 | muicache
47 | nero
48 | netassist
49 | odysseus
50 | officedocs
51 | officedocs2010
52 | oisc
53 | osversion
54 | outlook
55 | policies_u
56 | printermru
57 | printers
58 | privoxy
59 | proxysettings
60 | publishingwizard
61 | putty
62 | rdphint
63 | realplayer6
64 | realvnc
65 | recentdocs
66 | rootkit_revealer
67 | runmru
68 | sevenzip
69 | shellfolders
70 | skype
71 | snapshot_viewer
72 | ssh_host_keys
73 | startmenuinternetapps_cu
74 | startpage
75 | streammru
76 | streams
77 | sysinternals
78 | trustrecords
79 | tsclient
80 | typedpaths
81 | typedurls
82 | typedurlstime
83 | unreadmail
84 | user_run
85 | user_win
86 | userassist
87 | userinfo
88 | userlocsvc
89 | vista_bitbucket
90 | vmplayer
91 | vmware_vsphere_client
92 | vnchooksapplicationprefs
93 | vncviewer
94 | wallpaper
95 | warcraft3
96 | winlivemail
97 | winlogon_u
98 | winrar
99 | winscp_sessions
100 | winvnc
101 | winzip
102 | wordwheelquery
103 | yahoo_cu
--------------------------------------------------------------------------------
/RegRipper/plugins/ntusernetwork.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # ntusernetwork.pl
3 | # Plugin for Registry Ripper,
4 | # Network key parser
5 | #
6 | #-----------------------------------------------------------
package ntusernetwork;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20110601);

sub getConfig     { return %config; }
sub getShortDescr { return "Returns contents of user's Network subkeys"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $ntuser)
# Lists each subkey of the user's Network key in the NTUSER.DAT hive at
# $ntuser with its LastWrite time and its values (name/data columns).
sub pluginmain {
    my ($class, $ntuser) = @_;
    ::logMsg("Launching ntusernetwork v.".$VERSION);
    ::rptMsg("ntusernetwork v.".$VERSION);                     # banner
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");     # banner
    my $root_key = Parse::Win32Registry->new($ntuser)->get_root_key;

    my $key_path = 'Network';
    my $key      = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." key not found.");
        return;
    }
    ::rptMsg($key_path);
    ::rptMsg("");

    my @subkeys = $key->get_list_of_subkeys();
    unless (@subkeys) {
        ::rptMsg($key_path." key has no subkeys.");
        return;
    }
    for my $s (@subkeys) {
        ::rptMsg($key_path."\\".$s->get_name());
        ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp()));
        my @vals = $s->get_list_of_values();
        # A subkey without values gets no trailing blank line.
        next unless @vals;
        ::rptMsg(sprintf(" %-15s %-25s", $_->get_name(), $_->get_data())) for @vals;
        ::rptMsg("");
    }
    return;
}
1;
66 |
--------------------------------------------------------------------------------
/RegRipper/plugins/osversion.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # osversion.pl
3 | # Plugin to check for OSVersion value, which appears to be queried
4 | # by some malware, and used by others; getting a response of "OSVersion
5 | # not found" is a good thing.
6 | #
7 | # Change history
8 | # 20120601 - created
9 | #
10 | # References
11 | # Search Google for "Software\Microsoft\OSVersion" - you'll get several
12 | # hits that refer to various malware;
13 | #
14 | # copyright 2012 Quantum Analytics Research, LLC
15 | # Author: H. Carvey, keydet89@yahoo.com
16 | #-----------------------------------------------------------
package osversion;
use strict;

# Plugin metadata consumed by the RegRipper framework via getConfig().
my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20120601);

sub getConfig     { return %config; }
sub getShortDescr { return "Checks for OSVersion value"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $ntuser)
# Reports the Software\Microsoft\OSVersion value from the NTUSER.DAT hive
# at $ntuser. Per the file header, "OSVersion value not found." is the
# expected benign result.
sub pluginmain {
    my ($class, $ntuser) = @_;
    ::logMsg("Launching osversion v.".$VERSION);
    my $root_key = Parse::Win32Registry->new($ntuser)->get_root_key;

    my $key_path = 'Software\\Microsoft';
    my $key      = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." not found.");
        return;
    }
    ::rptMsg("OSVersion");
    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
    ::rptMsg("");

    # The eval returns 1 only if ->get_data() did not die (value present).
    my $os;
    my $found = eval {
        $os = $key->get_value("OSVersion")->get_data();
        1;
    };
    if ($found) {
        ::rptMsg("OSVersion = ".$os);
    }
    else {
        ::rptMsg("OSVersion value not found.");
    }
    return;
}

1;
--------------------------------------------------------------------------------
/RegRipper/plugins/rdphint.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # rdphint.pl - http://www.regripper.net/
3 | # Gathers servers logged onto via RDP and last successful username
4 | #
5 | # by Brandon Nesbit, Trustwave
6 | #-----------------------------------------------------------
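package rdphint;
use strict;

my %config = (
    hive          => "NTUSER",
    osmask        => 22,
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    version       => 20090715,
);

sub getConfig     { return %config; }
sub getShortDescr { return "Gets hosts logged onto via RDP and the Domain\\Username"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# Report each server subkey under Terminal Server Client\Servers: the host
# name, the UsernameHint value (last account used for that host) and the
# subkey LastWrite time.  A missing UsernameHint is reported explicitly
# instead of printing an empty field, so "no hint stored" can be told apart
# from a blank hint.
#
# Arguments: the plugin class name and the path of the user's hive.
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching rdphint v.".$VERSION);
    ::rptMsg("rdphint v.".$VERSION); # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers';
    my $key      = $root_key->get_subkey($key_path);
    if ($key) {
        ::rptMsg("Terminal Server Client\\Servers");
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");
        my @subkeys = $key->get_list_of_subkeys();
        if (scalar(@subkeys) > 0) {
            foreach my $s (@subkeys) {
                # get_value() returns undef when the value is absent, so the
                # chained get_data() dies; capture $@ right away, before the
                # rptMsg() calls below can disturb it.
                my $hint = eval { $s->get_value("UsernameHint")->get_data() };
                my $err  = $@;
                ::rptMsg("");
                ::rptMsg("Hostname: ".$s->get_name());
                if ($err) {
                    ::rptMsg("Domain/Username: UsernameHint value not found.");
                }
                else {
                    ::rptMsg("Domain/Username: ".$hint);
                }
                ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())." (UTC)");
                ::rptMsg("");
            }
        }
        else {
            ::rptMsg($key_path." has no subkeys.");
        }
    }
    else {
        ::rptMsg($key_path." not found.");
    }
}
1;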
--------------------------------------------------------------------------------
/RegRipper/plugins/rdpnla.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # rdpnla.pl
3 | #
4 | # 20151203 - created
5 | #
6 | # Author: Chakib Gzenayi, chakib.gzenayi@gmail.com
7 | #-----------------------------------------------------------
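package rdpnla;
use strict;

my %config = (
    hive          => "System",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20151203,
);

sub getConfig     { return %config; }
sub getShortDescr { return "Queries System hive for RDP NLA Checking"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# Documented meanings of the RDP-Tcp listener settings reported below
# (same encoding as the Win32_TSGeneralSetting WMI class).
my %SECURITY_LAYER = (
    0 => "RDP Security Layer",
    1 => "Negotiate",
    2 => "SSL/TLS",
);
my %USER_AUTH = (
    0 => "NLA not required",
    1 => "NLA required",
);

# Report the SecurityLayer and UserAuthentication values of the RDP-Tcp
# listener in the current control set.  UserAuthentication is the value
# that actually governs Network Level Authentication; SecurityLayer is kept
# for continuity with earlier output.
#
# Arguments: the plugin class name and the path of the System hive.
sub pluginmain {
    my ($class, $hive) = @_;

    ::logMsg("Launching rdpnla v.".$VERSION);
    ::rptMsg("rdpnla v.".$VERSION);
    ::rptMsg("(".getHive().") ".getShortDescr()."\n");
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    # A hive without a Select key used to die inside the method chain;
    # report it and stop instead.
    my $current = eval { $root_key->get_subkey("Select")->get_value("Current")->get_data() };
    if ($@ || !defined $current) {
        ::rptMsg("Select\\Current value not found; cannot determine CurrentControlSet.");
        return;
    }
    # %03d gives ControlSet001 for the usual case and stays correct past 9.
    my $key_path = sprintf("ControlSet%03d", $current)."\\Control\\Terminal Server\\WinStations\\RDP-Tcp";
    my $key      = $root_key->get_subkey($key_path);
    if ($key) {
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        _report_value($key, "SecurityLayer",      \%SECURITY_LAYER);
        _report_value($key, "UserAuthentication", \%USER_AUTH);
    }
    else {
        ::rptMsg($key_path." not found.");
    }
    return;
}

# Print "NAME = DATA (meaning)" for one value of $key, or the error line
# when the value is absent (get_value() returns undef, so get_data() dies).
sub _report_value {
    my ($key, $name, $meaning_of) = @_;
    my $data = eval { $key->get_value($name)->get_data() };
    if ($@) {
        ::rptMsg("Error getting Value: ".$@);
        return;
    }
    my $shown = defined $data ? $data : "";
    my $descr = (defined $data && exists $meaning_of->{$data}) ? " (".$meaning_of->{$data}.")" : "";
    ::rptMsg($name." = ".$shown.$descr);
    return;
}
1;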
57 |
--------------------------------------------------------------------------------
/RegRipper/plugins/rdpport.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # rdpport.pl
3 | # Determine the RDP Port used
4 | #
5 | # History
6 | # 20100713 - created
7 | #
8 | # References
9 | # http://support.microsoft.com/kb/306759
10 | #
11 | # copyright 2010 Quantum Analytics Research, LLC
12 | #-----------------------------------------------------------
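package rdpport;
use strict;

my %config = (
    hive          => "System",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20100713,
);

sub getConfig     { return %config; }
sub getShortDescr { return "Queries System hive for RDP Port"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# Port the RDP-Tcp listener uses unless PortNumber was changed (KB306759).
my $DEFAULT_RDP_PORT = 3389;

# Report the PortNumber value of the RDP-Tcp listener in the current
# control set.  A port other than 3389 gets an extra line so a relocated
# listener is not overlooked when reading the report.
#
# Arguments: the plugin class name and the path of the System hive.
sub pluginmain {
    my ($class, $hive) = @_;

    ::logMsg("Launching rdpport v.".$VERSION);
    ::rptMsg("rdpport v.".$VERSION); # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    # A hive without a Select key used to die inside the method chain;
    # report it and stop instead.
    my $current = eval { $root_key->get_subkey("Select")->get_value("Current")->get_data() };
    if ($@ || !defined $current) {
        ::rptMsg("Select\\Current value not found; cannot determine CurrentControlSet.");
        return;
    }
    # %03d gives ControlSet001 for the usual case and stays correct past 9.
    my $key_path = sprintf("ControlSet%03d", $current)."\\Control\\Terminal Server\\WinStations\\RDP-Tcp";
    my $key      = $root_key->get_subkey($key_path);
    if ($key) {
        # The banner is already printed above; show the key and its
        # LastWrite time here like the sibling System-hive plugins do.
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");
        # get_value() returns undef for a missing value, so get_data() dies.
        my $port = eval { $key->get_value("PortNumber")->get_data() };
        if ($@) {
            ::rptMsg("Error getting PortNumber: ".$@);
        }
        else {
            ::rptMsg("Remote Desktop Listening Port Number = ".$port);
            if (defined $port && $port =~ /\A\d+\z/ && $port != $DEFAULT_RDP_PORT) {
                ::rptMsg("  (non-default port; the default is ".$DEFAULT_RDP_PORT.")");
            }
        }
    }
    else {
        ::rptMsg($key_path." not found.");
    }
    return;
}
1;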
--------------------------------------------------------------------------------
/RegRipper/plugins/regtime.pl:
--------------------------------------------------------------------------------
1 | #! c:\perl\bin\perl.exe
2 | #-----------------------------------------------------------
3 | # regtime.pl
4 | # Plugin for Registry Ripper; traverses through a Registry
5 | # hive file, pulling out keys and their LastWrite times, and
6 | # then listing them in order, sorted by the most recent time
7 | # first - works with any Registry hive file.
8 | #
9 | # Change history
10 | #
11 | #
12 | # copyright 2008 H. Carvey
13 | #-----------------------------------------------------------
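package regtime;
use strict;

my %config = (
    hive          => "All",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20080324,
);

sub getConfig     { return %config; }
sub getShortDescr { return "Dumps entire hive - all keys sorted by LastWrite time"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# LastWrite time => list of key paths written at that time.  Filled by
# traverse() and cleared at the start of every pluginmain() call, so a
# second hive processed in the same interpreter does not inherit (and
# re-print) the keys of the first one.
my %regkeys;

# Walk the whole hive and print every key with its LastWrite time, most
# recent first.  Works with any hive file.
#
# Arguments: the plugin class name and the path of the hive file.
sub pluginmain {
    my ($class, $file) = @_;
    my $reg      = Parse::Win32Registry->new($file);
    my $root_key = $reg->get_root_key;
    ::logMsg("Launching regtime v.".$VERSION);
    ::rptMsg("regtime v.".$VERSION); # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
    %regkeys = ();
    traverse($root_key);

    foreach my $t (sort { $b <=> $a } keys %regkeys) {
        foreach my $item (@{ $regkeys{$t} }) {
            ::rptMsg(gmtime($t)."Z \t".$item);
        }
    }
}

# Record $key's path under its LastWrite time, then recurse into subkeys.
sub traverse {
    my $key  = shift;
    my $ts   = $key->get_timestamp();
    # as_string() yields the key path followed by "[timestamp]"; keep only
    # the path and drop the $$$PROTO.HIV root-key name hive files carry.
    my $name = $key->as_string();
    $name =~ s/\$\$\$PROTO\.HIV//;
    $name = (split(/\[/, $name))[0];
    push(@{ $regkeys{$ts} }, $name);
    foreach my $subkey ($key->get_list_of_subkeys()) {
        traverse($subkey);
    }
}

1;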
--------------------------------------------------------------------------------
/RegRipper/plugins/regtime_tln.pl:
--------------------------------------------------------------------------------
1 | #! c:\perl\bin\perl.exe
2 | #-----------------------------------------------------------
3 | # regtime_tln.pl
4 | # Plugin for Registry Ripper; traverses through a Registry
5 | # hive file, pulling out keys and their LastWrite times, and
6 | # then listing them in order, sorted by the most recent time
7 | # first - works with any Registry hive file.
8 | #
9 | # Change history
10 | #
11 | #
12 | # copyright 2008 H. Carvey
13 | #-----------------------------------------------------------
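package regtime_tln;
use strict;

my %config = (
    hive          => "All",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20080324,
);

sub getConfig     { return %config; }
sub getShortDescr { return "Dumps entire hive - all keys sorted by LastWrite time"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# LastWrite time => list of key paths written at that time.  Filled by
# traverse() and cleared at the start of every pluginmain() call, so a
# second hive processed in the same interpreter does not inherit (and
# re-print) the keys of the first one.
my %regkeys;

# Walk the whole hive and emit one TLN line ("epoch|REG|M... path") per key,
# most recent first.  Works with any hive file.
#
# Arguments: the plugin class name and the path of the hive file.
sub pluginmain {
    my ($class, $file) = @_;
    my $reg      = Parse::Win32Registry->new($file);
    my $root_key = $reg->get_root_key;
    ::logMsg("Launching regtime_tln v.".$VERSION);

    %regkeys = ();
    traverse($root_key);

    foreach my $t (sort { $b <=> $a } keys %regkeys) {
        foreach my $item (@{ $regkeys{$t} }) {
            ::rptMsg($t."|REG|M... ".$item);
        }
    }
}

# Record $key's path under its LastWrite time, then recurse into subkeys.
sub traverse {
    my $key  = shift;
    my $ts   = $key->get_timestamp();
    # as_string() yields the key path followed by "[timestamp]"; keep only
    # the path and drop the $$$PROTO.HIV root-key name hive files carry.
    my $name = $key->as_string();
    $name =~ s/\$\$\$PROTO\.HIV//;
    $name = (split(/\[/, $name))[0];
    push(@{ $regkeys{$ts} }, $name);
    foreach my $subkey ($key->get_list_of_subkeys()) {
        traverse($subkey);
    }
}

1;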
--------------------------------------------------------------------------------
/RegRipper/plugins/sam:
--------------------------------------------------------------------------------
1 | # 20120528 *ALL* Plugins that apply on SAM hive, alphabetical order
2 | samparse
--------------------------------------------------------------------------------
/RegRipper/plugins/secctr.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # secctr
3 | # Plugin to get data from Security Center keys
4 | #
5 | # Change History:
6 | # 20100310 - created
7 | #
8 | # References:
9 | #
10 | #
11 | # copyright 2010 Quantum Analytics Research, LLC
12 | #-----------------------------------------------------------
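package secctr;
use strict;

my %config = (
    hive          => "Software",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20100310,
);

sub getConfig     { return %config; }
sub getShortDescr { return "Get data from Security Center key"; }
sub getDescr      { }
# Every other plugin exports getRefs(), so rip.pl can call it uniformly.
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# Registry type code for REG_DWORD.
my $REG_DWORD = 4;

# List the values of Microsoft\Security Center in the Software hive.  The
# unused $infected counter of the original is gone.
#
# Arguments: the plugin class name and the path of the Software hive.
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching secctr v.".$VERSION);
    ::rptMsg("secctr v.".$VERSION); # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $key_path = 'Microsoft\Security Center';
    ::rptMsg("secctr");
    ::rptMsg("");

    my $key = $root_key->get_subkey($key_path);
    if ($key) {
        ::rptMsg("");
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");
        my @vals = $key->get_list_of_values();
        if (scalar(@vals) > 0) {
            foreach my $v (@vals) {
                ::rptMsg(_format_value($v));
            }
        }
        else {
            ::rptMsg($key_path." has no values.");
        }
    }
    else {
        ::rptMsg($key_path." not found.");
        ::rptMsg("");
    }
}

# Security Center flags are REG_DWORD and are shown as hex, as before; any
# other type is printed verbatim instead of being forced through a numeric
# format (which silently turned string data into 0x00).
sub _format_value {
    my $v   = shift;
    my $fmt = ($v->get_type() == $REG_DWORD) ? "%-25s 0x%02x" : "%-25s %s";
    return sprintf($fmt, $v->get_name(), $v->get_data());
}
1;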
--------------------------------------------------------------------------------
/RegRipper/plugins/secrets.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # secrets.pl
3 | # Get the last write time for the Policy\Secrets key
4 | #
5 | #
6 | # History
7 | # 20140730 - created
8 | #
9 | # Note: When gsecdump.exe is run with the "-a" switch, or the LSA
10 | # secrets are dumped, the tool accesses the Policy\Secrets key
11 | # in a way that modifies the key LastWrite time without changing
12 | # any values or data. As such, the LastWrite time of this key may
13 | # correlate to the time that gsecdump.exe was run. Insight for this
14 | # plugin was provided by Jamie Levy
15 | #
16 | # copyright 2014 Quantum Analytics Research, LLC
17 | # Author: H. Carvey, keydet89@yahoo.com
18 | #-----------------------------------------------------------
package secrets;
use strict;

my %config = (
    hive          => "Security",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20140730,
);

sub getConfig     { return %config; }
sub getShortDescr { return "Get the last write time for the Policy\\Secrets key"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# Print the LastWrite time of Policy\Secrets in the Security hive.  Only the
# timestamp is reported; the header explains why it can mark when an LSA
# secrets dumper last touched the key.
#
# Arguments: the plugin class name and the path of the Security hive.
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching secrets v.".$VERSION);
    ::rptMsg("secrets v.".$VERSION); # banner
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
    my $root_key = Parse::Win32Registry->new($hive)->get_root_key;

    my $key_path = "Policy\\Secrets";
    my $secrets  = $root_key->get_subkey($key_path);
    if ($secrets) {
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($secrets->get_timestamp())." (UTC)");
        ::rptMsg("");
    }
    else {
        ::rptMsg($key_path." not found.");
    }
}

1;
--------------------------------------------------------------------------------
/RegRipper/plugins/security:
--------------------------------------------------------------------------------
1 | # 20120528 *ALL* Plugins that apply on SECURITY hive, alphabetical order
2 | auditpol
3 | lsasecrets
4 | polacdms
--------------------------------------------------------------------------------
/RegRipper/plugins/skype.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # skype.pl
3 | #
4 | #
5 | # History
6 | # 20100713 - created
7 | #
8 | # References
9 | #
10 | #
11 | # copyright 2010 Quantum Analytics Research, LLC
12 | #-----------------------------------------------------------
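package skype;
use strict;

my %config = (
    hive          => "NTUSER\.DAT",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20100713,
);

sub getConfig     { return %config; }
sub getShortDescr { return "Gets data user's Skype key"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# Report the LastWrite time of the user's Software\Skype key and the
# Installer\DonwloadLastModified value beneath it.
#
# Arguments: the plugin class name and the path of the NTUSER.DAT hive.
sub pluginmain {
    my ($class, $ntuser) = @_;
    # The log line used to name "acmru" (copied from another plugin).
    ::logMsg("Launching skype v.".$VERSION);
    my $reg      = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;

    my $key_path = 'Software\\Skype';
    my $key      = $root_key->get_subkey($key_path);
    if ($key) {
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");

        # NOTE(review): the value name is spelled "DonwloadLastModified" as in
        # the original plugin; confirm against a real hive before changing it.
        # get_subkey()/get_value() return undef when absent, so the chain dies
        # inside the eval; $@ is copied before any other call can reset it.
        my $install = eval { $key->get_subkey("Installer")->get_value("DonwloadLastModified")->get_data() };
        my $err     = $@;
        if ($err) {
            ::rptMsg("DonwloadLastModified value not found: ".$err);
        }
        else {
            ::rptMsg("DonwloadLastModified = ".$install);
        }
    }
    else {
        ::rptMsg($key_path." not found.");
    }
}
1;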
--------------------------------------------------------------------------------
/RegRipper/plugins/software:
--------------------------------------------------------------------------------
1 | # 20120528 *ALL* Plugins that apply on SOFTWARE hive, alphabetical order
2 | appinitdlls
3 | apppaths
4 | assoc
5 | banner
6 | bho
7 | bitbucket
8 | clsid
9 | cmd_shell
10 | codeid
11 | ctrlpnl
12 | defbrowser
13 | direct
14 | disablesr
15 | drivers32
16 | drwatson
17 | emdmgmt
18 | ie_version
19 | imagefile
20 | init_dlls
21 | installedcomp
22 | installer
23 | kb950582
24 | landesk
25 | macaddr
26 | mrt
27 | msis
28 | networkcards
29 | networklist
30 | networkuid
31 | product
32 | profilelist
33 | regback
34 | removdev
35 | renocide
36 | schedagent
37 | secctr
38 | sfc
39 | shellexec
40 | shellext
41 | shelloverlay
42 | snapshot
43 | soft_run
44 | spp_clients
45 | sql_lastconnect
46 | ssid
47 | startmenuinternetapps_lm
48 | svchost
49 | tracing
50 | uninstall
51 | urlzone
52 | uac
53 | virut
54 | win_cv
55 | winbackup
56 | winlogon
57 | winnt_cv
58 | winver
59 | yahoo_lm
--------------------------------------------------------------------------------
/RegRipper/plugins/spp_clients.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # spp_clients
3 | #
4 | # History
5 | # 20130429 - added alertMsg() functionality
6 | # 20120914 - created
7 | #
8 | # copyright 2013 Quantum Analytics Research, LLC
9 | # Author: H. Carvey, keydet89@yahoo.com
10 | #-----------------------------------------------------------
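package spp_clients;
use strict;

my %config = (
    hive          => "Software",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 50, #Vista, Win7
    version       => 20130429,
);

sub getConfig     { return %config; }
sub getShortDescr { return "Determines volumes monitored by VSS"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# Value under SPP\Clients whose data lists the volumes VSS monitors.
my $VSS_CLIENT_VALUE = "{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}";

# Report the volumes monitored by VSS and raise an alert when the list is
# empty.  A missing value is now reported instead of being silently dropped.
#
# Arguments: the plugin class name and the path of the Software hive.
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching spp_clients v.".$VERSION);
    ::rptMsg("spp_clients v.".$VERSION);
    ::rptMsg("(".getHive().") ".getShortDescr()."\n");
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\SPP\\Clients';
    my $key      = $root_key->get_subkey($key_path);
    if ($key) {
        ::rptMsg("SPP_Clients");
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");

        # get_value() returns undef for a missing value, so get_data() dies.
        my $mon = eval { $key->get_value($VSS_CLIENT_VALUE)->get_data() };
        if ($@) {
            ::rptMsg($VSS_CLIENT_VALUE." value not found.");
        }
        else {
            ::rptMsg("Monitored volumes: ".$mon);
            ::alertMsg("ALERT: No volumes monitored by VSS\.") if ($mon eq "");
        }
    }
    else {
        ::rptMsg($key_path." not found.");
    }
}
1;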
--------------------------------------------------------------------------------
/RegRipper/plugins/sysinternals.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # sysinternals.pl
3 | #
4 | #
5 | # Change history
6 | # 20120608 - created
7 | #
8 | # References
9 | #
10 | #
11 | # copyright 2012 Quantum Analytics Research, LLC
12 | # Author: H. Carvey, keydet89@yahoo.com
13 | #-----------------------------------------------------------
package sysinternals;
use strict;

my %config = (
    hive          => "NTUSER\.DAT",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20080324,
);

sub getConfig     { return %config; }
sub getShortDescr { return "Checks for SysInternals apps keys"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# List the per-tool subkeys under Software\SysInternals in the user hive
# with their LastWrite times and EulaAccepted values, which together
# indicate which Sysinternals utilities this user has run.
#
# Arguments: the plugin class name and the path of the NTUSER.DAT hive.
sub pluginmain {
    my ($class, $ntuser) = @_;
    ::logMsg("Launching sysinternals v.".$VERSION);
    my $root_key = Parse::Win32Registry->new($ntuser)->get_root_key;

    my $key_path = 'Software\\SysInternals';
    my $key      = $root_key->get_subkey($key_path);
    if (!$key) {
        ::rptMsg($key_path." not found.");
    }
    else {
        ::rptMsg("SysInternals");
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        my @tools = $key->get_list_of_subkeys();
        if (!@tools) {
            ::rptMsg($key_path." has no subkeys.");
        }
        else {
            _report_tool($_) foreach @tools;
        }
    }
}

# Print one tool subkey: its name, LastWrite time and EulaAccepted value,
# followed by a blank separator line.
sub _report_tool {
    my $tool = shift;
    ::rptMsg($tool->get_name()." [".gmtime($tool->get_timestamp())." (UTC)]");
    # get_value() returns undef for a missing value; the die from the chained
    # get_data() is what the eval catches.
    my $eula = eval { $tool->get_value("EulaAccepted")->get_data() };
    if ($@) {
        ::rptMsg(" EulaAccepted value not found.");
    }
    else {
        ::rptMsg(" EulaAccepted: ".$eula);
    }
    ::rptMsg("");
}

1;
--------------------------------------------------------------------------------
/RegRipper/plugins/system:
--------------------------------------------------------------------------------
1 | # 20120528 *ALL* Plugins that apply on SYSTEM hive, alphabetical order
2 | appcertdlls
3 | appcompatcache
4 | auditfail
5 | backuprestore
6 | compname
7 | crashcontrol
8 | ddm
9 | devclass
10 | disablelastaccess
11 | dllsearch
12 | eventlog
13 | eventlogs
14 | fw_config
15 | hibernate
16 | ide
17 | imagedev
18 | kbdcrash
19 | legacy
20 | mountdev
21 | network
22 | nic
23 | nic_mst2
24 | nic2
25 | nolmhash
26 | pagefile
27 | prefetch
28 | productpolicy
29 | producttype
30 | rdpport
31 | routes
32 | safeboot
33 | services
34 | shares
35 | shutdown
36 | shutdowncount
37 | stillimage
38 | svc
39 | svc2
40 | svc_plus
41 | svcdll
42 | termserv
43 | timezone
44 | usb
45 | usbdevices
46 | usbstor
47 | usbstor2
48 | usbstor3
49 | xpedition
50 | wpdbusenum
--------------------------------------------------------------------------------
/RegRipper/plugins/trappoll.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # trappoll.pl
3 | # There are indications that the contents of this value may be associated
4 | # with a number of different malware variants.
5 | #
6 | # History
7 | # 20120305 - created
8 | #
9 | # References
10 | # http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=903224#none
11 | #
12 | # copyright 2012, Quantum Analytics Research, LLC
13 | #-----------------------------------------------------------
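package trappoll;
use strict;

my %config = (
    hive          => "Software",
    osmask        => 22,
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    version       => 20120305,
);

sub getConfig     { return %config; }
sub getShortDescr { return "Get TrapPollTimeMilliSecs value, if found"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# Report the TrapPollTimeMilliSecs value under the RFC1156Agent Parameters
# key, in hex and decimal.  The unused %clsid of the original is gone.
#
# Arguments: the plugin class name and the path of the Software hive.
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching trappoll v.".$VERSION);
    ::rptMsg("Launching trappoll v.".$VERSION);
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    my $key_path = "Microsoft\\RFC1156Agent\\CurrentVersion\\Parameters";
    my $key      = $root_key->get_subkey($key_path);
    if ($key) {
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");
        my $value = $key->get_value("TrapPollTimeMilliSecs");
        if ($value) {
            my $val = $value->get_data();
            # The data is passed as an argument, never spliced into the
            # format string: registry data is untrusted input and a '%'
            # in it would corrupt (or truncate) the output line.
            ::rptMsg(sprintf("TrapPollTimeMilliSecs = 0x%x (%s)", $val, $val));
        }
        else {
            ::rptMsg("Value not found.");
        }
    }
    else {
        ::rptMsg($key_path." key not found.");
    }
}
1;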
--------------------------------------------------------------------------------
/RegRipper/plugins/typedpaths_tln.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # typedpaths_tln.pl
3 | # For Windows 7, Desktop Address Bar History
4 | #
5 | # Change history
6 | # 20120828 - updated to TLN format
7 | # 20100330 - created
8 | #
9 | # References
10 | #
11 | #
12 | # copyright 2010 Quantum Analytics Research, LLC
13 | #-----------------------------------------------------------
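package typedpaths_tln;
use strict;

my %config = (
    hive          => "NTUSER\.DAT",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20120828,
);

sub getConfig     { return %config; }
sub getShortDescr { return "Gets contents of user's typedpaths key (TLN)"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# Emit one TLN line for the user's TypedPaths key: the key LastWrite time
# paired with the url1 value.  TLN output is deliberately silent when the
# key, its values or url1 are absent, so nothing else is printed.
#
# Arguments: the plugin class name and the path of the NTUSER.DAT hive.
sub pluginmain {
    my ($class, $ntuser) = @_;
    # The log line used to name "typedpaths", the non-TLN plugin.
    ::logMsg("Launching typedpaths_tln v.".$VERSION);
    my $reg      = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;

    my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths";
    my $key      = $root_key->get_subkey($key_path);
    return unless $key;

    my $lw   = $key->get_timestamp();
    my @vals = $key->get_list_of_values();
    return unless @vals;

    # NOTE(review): only url1 is reported, as in the original; it appears to
    # be the most recently typed entry and therefore the one the key
    # LastWrite time refers to — confirm before extending to url2..urlN.
    # get_value() returns undef for a missing value, so get_data() dies.
    my $path = eval { $key->get_value("url1")->get_data() };
    return if $@;
    ::rptMsg($lw."|REG|||TypedPaths - ".$path);
    return;
}

1;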
--------------------------------------------------------------------------------
/RegRipper/plugins/uac.pl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/RegRipper/plugins/uac.pl
--------------------------------------------------------------------------------
/RegRipper/plugins/user_win.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # user_win.pl
3 | #
4 | # copyright 2008 H. Carvey, keydet89@yahoo.com
5 | #-----------------------------------------------------------
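package user_win;
use strict;

my %config = (
    hive          => "NTUSER\.DAT",
    osmask        => 22,
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    version       => 20080415,
);

sub getConfig     { return %config; }
sub getShortDescr { return " -- "; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# Report the "load" and "run" values under the user's
# Windows NT\CurrentVersion\Windows key.  Both are per-user autostart
# hooks that should normally be blank; an absent value is now reported
# explicitly instead of being silently skipped, so the reader can see the
# check was made.
#
# Arguments: the plugin class name and the path of the NTUSER.DAT hive.
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching user_win v.".$VERSION);
    ::rptMsg("user_win v.".$VERSION); # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
    my $key      = $root_key->get_subkey($key_path);
    if ($key) {
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");

        _report_autostart_value($key, "load");
        _report_autostart_value($key, "run");
    }
    else {
        ::rptMsg($key_path." not found.");
        ::logMsg($key_path." not found.");
    }
}

# Print the data of value $name under $key with the "should be blank"
# reminder, or a "not found" line when the value is absent (get_value()
# returns undef, so the chained get_data() dies inside the eval).
sub _report_autostart_value {
    my ($key, $name) = @_;
    my $data = eval { $key->get_value($name)->get_data() };
    if ($@) {
        ::rptMsg($name." value not found.");
        return;
    }
    ::rptMsg($name." value = ".$data);
    ::rptMsg("*Should be blank; anything listed gets run when the user logs in.");
    return;
}
1;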
--------------------------------------------------------------------------------
/RegRipper/plugins/userlocsvc.pl:
--------------------------------------------------------------------------------
1 | #! c:\perl\bin\perl.exe
2 | #-----------------------------------------------------------
3 | # userlocsvc.pl
4 | # Get the contents of the Microsoft\User Location Service\Clients key
5 | # from the user's hive
6 | #
7 | # Ref:
8 | # http://support.microsoft.com/kb/196301
9 | #
10 | # copyright 2009 H. Carvey
11 | #-----------------------------------------------------------
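package userlocsvc;
use strict;

my %config = (
    hive          => "NTUSER\.DAT",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20090411,
);

sub getConfig     { return %config; }
sub getShortDescr { return "Displays contents of User Location Service\\Client key"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# Registry type code for REG_SZ; only string values are listed, as before.
my $REG_SZ = 1;

# List the string values of Software\Microsoft\User Location Service\Client
# in the user hive (KB196301 in the header).  The unused %ua and $hrzr
# leftovers of the original are gone.
#
# Arguments: the plugin class name and the path of the NTUSER.DAT hive.
sub pluginmain {
    my ($class, $ntuser) = @_;
    ::logMsg("Launching userlocsvc v.".$VERSION);
    ::rptMsg("userlocsvc v.".$VERSION); # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
    my $reg      = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;
    my $key_path = 'Software\\Microsoft\\User Location Service\\Client';
    my $key      = $root_key->get_subkey($key_path);
    if ($key) {
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");
        my @vals = $key->get_list_of_values();
        if (scalar(@vals) > 0) {
            foreach my $v (@vals) {
                next unless $v->get_type() == $REG_SZ;
                ::rptMsg(sprintf("%-15s %-30s", $v->get_name(), $v->get_data()));
            }
        }
        else {
            ::rptMsg($key_path." has no values.");
        }
    }
    else {
        ::rptMsg($key_path." not found.");
    }
}
1;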
--------------------------------------------------------------------------------
/RegRipper/plugins/usrclass:
--------------------------------------------------------------------------------
1 | # 20120918 *ALL* Plugins that apply on USRCLASS hive, alphabetical order
2 | muicache
3 | shellbags
--------------------------------------------------------------------------------
/RegRipper/plugins/wbem.pl:
--------------------------------------------------------------------------------
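#-----------------------------------------------------------
# wbem.pl
# There are indications that the contents of this key may be associated
# with a number of different malware variants, including the Elite
# Keylogger.
#
# History
# 20120306 - created
#
#
# copyright 2012, Quantum Analytics Research, LLC
#-----------------------------------------------------------
package wbem;
use strict;

# Plugin metadata read by rip.pl; this plugin targets the Software hive.
my %config = (hive          => "Software",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20120306);

sub getConfig{return %config}

sub getShortDescr {
	return "Get contents of WBEM\\WDM key";
}
sub getDescr   {}
sub getRefs    {}
sub getHive    {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# Entry point invoked by rip.pl with the path of a Software hive.
# Dumps the LastWrite time of Microsoft\WBEM\WDM and every value name/data
# pair under it, one per line. Data is emitted exactly as get_data() returns
# it, so non-string values appear raw. The unused %clsid local was removed.
sub pluginmain {
	my $class = shift;
	my $hive  = shift;
	::logMsg("Launching wbem v.".$VERSION);
	::rptMsg("wbem v.".$VERSION); # banner
	::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
	my $reg      = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;
	my $key_path = "Microsoft\\WBEM\\WDM";

	my $key = $root_key->get_subkey($key_path);
	unless ($key) {
		::rptMsg($key_path." not found.");
		return;
	}
	::rptMsg($key_path);
	::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
	::rptMsg("");

	my @vals = $key->get_list_of_values();
	unless (scalar(@vals) > 0) {
		::rptMsg($key_path." has no values.");
		return;
	}
	foreach my $v (@vals) {
		::rptMsg($v->get_name()." - ".$v->get_data());
		::rptMsg("");
	}
}
1;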
--------------------------------------------------------------------------------
/RegRipper/plugins/winrar.pl:
--------------------------------------------------------------------------------
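#-----------------------------------------------------------
# winrar.pl
# Get WinRAR\ArcHistory entries
#
# History
# 20080819 - created
#
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package winrar;
use strict;

# Plugin metadata read by rip.pl; this plugin targets NTUSER.DAT.
my %config = (hive          => "NTUSER\.DAT",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20080819);

sub getConfig{return %config}

sub getShortDescr {
	return "Get WinRAR\\ArcHistory entries";
}
sub getDescr   {}
sub getRefs    {}
sub getHive    {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# Entry point invoked by rip.pl with the path of an NTUSER.DAT hive.
# Lists every value under Software\WinRAR\ArcHistory as "name -> data".
# Fix: the value names are numeric strings ("0", "1", ... "10"), and the
# original lexical sort printed "10" before "2". Names are now compared
# numerically when both sides are all digits and lexically otherwise, so
# the MRU order is preserved in the report.
sub pluginmain {
	my $class = shift;
	my $hive  = shift;
	::logMsg("Launching winrar v.".$VERSION);
	::rptMsg("winrar v.".$VERSION); # banner
	::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
	my $reg      = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;
	my $key_path = "Software\\WinRAR\\ArcHistory";

	my $key = $root_key->get_subkey($key_path);
	unless ($key) {
		::rptMsg($key_path." not found.");
		::logMsg($key_path." not found.");
		return;
	}
	::rptMsg("WinRAR");
	::rptMsg($key_path);
	::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
	::rptMsg("");

	my @vals = $key->get_list_of_values();
	unless (scalar(@vals) > 0) {
		::rptMsg($key_path." has no values.");
		return;
	}
	my %arc = map { $_->get_name() => $_->get_data() } @vals;
	foreach my $name (sort { _cmp_names($a, $b) } keys %arc) {
		::rptMsg($name." -> ".$arc{$name});
	}
}

# Order value names numerically when both are pure digit strings,
# otherwise fall back to a string comparison.
sub _cmp_names {
	my ($x, $y) = @_;
	return ($x =~ /^\d+$/ && $y =~ /^\d+$/) ? $x <=> $y : $x cmp $y;
}
1;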
--------------------------------------------------------------------------------
/RegRipper/plugins/winrar_tln.pl:
--------------------------------------------------------------------------------
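#-----------------------------------------------------------
# winrar_tln.pl
# Get WinRAR\ArcHistory entries
#
# History
# 20120829 - updated to TLN
# 20080819 - created (winrar.pl)
#
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package winrar_tln;
use strict;

# Plugin metadata read by rip.pl; this plugin targets NTUSER.DAT.
my %config = (hive          => "NTUSER\.DAT",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20120829);

sub getConfig{return %config}

sub getShortDescr {
	return "Get WinRAR\\ArcHistory entries (TLN)";
}
sub getDescr   {}
sub getRefs    {}
sub getHive    {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# Entry point invoked by rip.pl with the path of an NTUSER.DAT hive.
# TLN variant: emits a single "epoch|REG|||WinRAR/ArcHistory - <archive>"
# line for value "0" (the most recently opened archive), timestamped with
# the key's LastWrite time. No banner is printed because the output is a
# timeline feed. Fixes: the launch message named the wrong plugin, and the
# eval around the "0" lookup swallowed failures silently; both the missing
# key and the missing value are now recorded via ::logMsg() (never ::rptMsg(),
# which would corrupt the timeline stream).
sub pluginmain {
	my $class = shift;
	my $hive  = shift;
	::logMsg("Launching winrar_tln v.".$VERSION);
	my $reg      = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;
	my $key_path = "Software\\WinRAR\\ArcHistory";

	my $key = $root_key->get_subkey($key_path);
	unless ($key) {
		::logMsg($key_path." not found.");
		return;
	}
	my $lw   = $key->get_timestamp();
	my @vals = $key->get_list_of_values();
	unless (scalar(@vals) > 0) {
		::logMsg($key_path." has no values.");
		return;
	}

	my $last;
	eval {
		$last = $key->get_value("0")->get_data();
	};
	if ($@) {
		::logMsg($key_path.": value \"0\" not found.");
		return;
	}
	::rptMsg($lw."|REG|||WinRAR/ArcHistory - ".$last);
}
1;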
--------------------------------------------------------------------------------
/RegRipper/regripper.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/RegRipper/regripper.pdf
--------------------------------------------------------------------------------
/RegRipper/rip.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/RegRipper/rip.exe
--------------------------------------------------------------------------------
/RegRipper/rr.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/RegRipper/rr.exe
--------------------------------------------------------------------------------
/RegRipper/try.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/RegRipper/try.txt
--------------------------------------------------------------------------------
/__Example_Output.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/__Example_Output.txt
--------------------------------------------------------------------------------
/plugins/all:
--------------------------------------------------------------------------------
1 | # 20120528 *ALL* Plugins that apply on any HIVES, alphabetical order
2 | baseline
3 | findexes
4 | regtime
5 | rlo
6 | del
--------------------------------------------------------------------------------
/plugins/appspecific.pl:
--------------------------------------------------------------------------------
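#-----------------------------------------------------------
# appspecific.pl
#
#
# Change history
# 20120820 - created
#
# References
#
#
# copyright 2012 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appspecific;
use strict;

# Plugin metadata read by rip.pl; this plugin targets NTUSER.DAT.
my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20120820);

sub getConfig{return %config}
sub getShortDescr {
	return "Gets contents of user's Intellipoint\\AppSpecific subkeys";
}
sub getDescr   {}
sub getRefs    {}
sub getHive    {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# Entry point invoked by rip.pl with the path of an NTUSER.DAT hive.
# Walks the subkeys of Software\Microsoft\IntelliPoint\AppSpecific and prints
# each subkey name with its LastWrite time, plus a decoded "Timestamp" value
# when one is present. Fix: the plugin printed no banner, unlike every other
# non-TLN plugin in this set; the two banner lines are now emitted.
sub pluginmain {
	my $class  = shift;
	my $ntuser = shift;
	::logMsg("Launching appspecific v.".$VERSION);
	::rptMsg("appspecific v.".$VERSION); # banner
	::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
	my $reg      = Parse::Win32Registry->new($ntuser);
	my $root_key = $reg->get_root_key;
	my $key_path = 'Software\\Microsoft\\IntelliPoint\\AppSpecific';

	my $key = $root_key->get_subkey($key_path);
	unless ($key) {
		::rptMsg($key_path." not found.");
		return;
	}
	::rptMsg("AppSpecific");
	::rptMsg($key_path);

	my @subkeys = $key->get_list_of_subkeys();
	unless (scalar(@subkeys) > 0) {
		::rptMsg($key_path." has no subkeys.");
		return;
	}
	foreach my $s (@subkeys) {
		::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");

		# Best effort: a missing Timestamp value simply yields no line.
		# NOTE(review): ::getTime() is passed (0, <raw data>); whether the
		# Timestamp value is a DWORD holding the high half of a FILETIME, or
		# an 8-byte blob that should be unpacked first, cannot be told from
		# this file - confirm against a real hive before relying on the time.
		eval {
			my $ts = $s->get_value("Timestamp")->get_data();
			my $t  = ::getTime(0, $ts);
			::rptMsg("Timestamp: ".gmtime($t));
		};

		::rptMsg("");
	}
}

1;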
--------------------------------------------------------------------------------
/plugins/at.pl:
--------------------------------------------------------------------------------
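#-----------------------------------------------------------
# at.pl
#
#
# Change history
# 20140821 - created
#
#
#
#
# Copyright (c) 2014 QAR,LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package at;
use strict;

# Plugin metadata read by rip.pl; this plugin targets the Software hive.
my %config = (hive          => "Software",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              category      => "program execution",
              version       => 20140821);

my $VERSION = getVersion();

sub getConfig     {return %config}
sub getHive       {return $config{hive};}
sub getVersion    {return $config{version};}
sub getDescr      {}
sub getShortDescr {return "Checks Software hive for AT jobs";}
sub getRefs       {}

# Entry point invoked by rip.pl with the path of a Software hive.
# Lists the subkeys of ...\Schedule\TaskCache\Tree whose names start with
# "At" (the naming used for jobs registered through at.exe), each with its
# LastWrite time. Fix: the original fell through silently when the Tree key
# was absent, had no subkeys, or held no At* entries; each case is now
# reported so an empty result is distinguishable from a missing key.
sub pluginmain {
	my $class = shift;
	my $hive  = shift;

	::logMsg("Launching at v.".$VERSION);
	::rptMsg("at v.".$VERSION); # 20110830 [fpi] + banner
	::rptMsg("(".$config{hive}.") ".getShortDescr());
	::rptMsg("");
	my $reg      = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;
	my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree';

	my $key = $root_key->get_subkey($key_path);
	unless ($key) {
		::rptMsg($key_path." not found.");
		return;
	}
	my @sk = $key->get_list_of_subkeys();
	unless (scalar @sk > 0) {
		::rptMsg($key_path." has no subkeys.");
		return;
	}
	my $found = 0;
	foreach my $s (@sk) {
		my $name = $s->get_name();
		# Prefix match is deliberately loose so no At<N> job is missed.
		next unless ($name =~ m/^At/);
		$found++;
		::rptMsg($name." - LastWrite time: ".gmtime($s->get_timestamp())." UTC");
	}
	::rptMsg("No At* jobs found under ".$key_path) unless ($found);
}

1;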
66 |
--------------------------------------------------------------------------------
/plugins/at_tln.pl:
--------------------------------------------------------------------------------
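#-----------------------------------------------------------
# at_tln.pl
#
#
# Change history
# 20140821 - created
#
#
#
#
# Copyright (c) 2014 QAR,LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package at_tln;
use strict;

# Plugin metadata read by rip.pl; this plugin targets the Software hive.
my %config = (hive          => "Software",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              category      => "program execution",
              version       => 20140821);

my $VERSION = getVersion();

sub getConfig     {return %config}
sub getHive       {return $config{hive};}
sub getVersion    {return $config{version};}
sub getDescr      {}
sub getShortDescr {return "Checks Software hive for AT jobs";}
sub getRefs       {}

# Entry point invoked by rip.pl with the path of a Software hive.
# TLN variant of at.pl: emits one "epoch|REG|||[AT Job] At<N>" line per
# At* subkey of ...\Schedule\TaskCache\Tree, using the subkey LastWrite time.
# No banner is printed because the output is a timeline feed. Fix: the plugin
# logged nothing at launch and nothing when the Tree key was absent; both
# now go to ::logMsg() (never ::rptMsg(), which would corrupt the stream).
sub pluginmain {
	my $class = shift;
	my $hive  = shift;
	::logMsg("Launching at_tln v.".$VERSION);
	my $reg      = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;
	my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree';

	my $key = $root_key->get_subkey($key_path);
	unless ($key) {
		::logMsg($key_path." not found.");
		return;
	}
	my @sk = $key->get_list_of_subkeys();
	return unless (scalar @sk > 0);

	foreach my $s (@sk) {
		my $name = $s->get_name();
		# Prefix match is deliberately loose so no At<N> job is missed.
		next unless ($name =~ m/^At/);
		::rptMsg($s->get_timestamp()."|REG|||[AT Job] ".$name);
	}
}

1;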
61 |
--------------------------------------------------------------------------------
/plugins/autoendtasks.pl:
--------------------------------------------------------------------------------
#-----------------------------------------------------------
# autoendtasks.pl
#
# History
# 20081128 - created
#
# Ref:
# http://support.microsoft.com/kb/555619
# This Registry setting tells XP (and Vista) to automatically
# end non-responsive tasks; value may not exist on Vista.
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package autoendtasks;
use strict;

# Plugin metadata read by rip.pl; this plugin targets NTUSER.DAT.
my %config = (hive          => "NTUSER\.DAT",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20081128);

sub getConfig     {return %config}
sub getShortDescr {return "Automatically end a non-responsive task";}
sub getDescr      {}
sub getRefs       {}
sub getHive       {return $config{hive};}
sub getVersion    {return $config{version};}

my $VERSION = getVersion();

# Entry point invoked by rip.pl with the path of an NTUSER.DAT hive.
# Prints the AutoEndTasks value from Control Panel\Desktop, or a
# "not found" line when the key or the value is absent.
sub pluginmain {
	my ($class, $hive_file) = @_;
	::logMsg("Launching autoendtasks v.".$VERSION);
	::rptMsg("autoendtasks v.".$VERSION); # banner
	::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner

	my $root_key = Parse::Win32Registry->new($hive_file)->get_root_key;
	my $key_path = 'Control Panel\\Desktop';
	my $desktop  = $root_key->get_subkey($key_path);

	unless ($desktop) {
		::rptMsg($key_path." not found.");
		::logMsg($key_path." not found.");
		return;
	}
	::rptMsg($key_path);
	::rptMsg("");

	# get_value() returns undef for a missing value, so the chained
	# get_data() dies inside the eval and $@ signals "not found".
	my $setting = eval { $desktop->get_value("AutoEndTasks")->get_data() };
	if ($@) {
		::rptMsg("AutoEndTasks value not found.");
	}
	else {
		::rptMsg("AutoEndTasks = ".$setting);
	}
}
1;
--------------------------------------------------------------------------------
/plugins/cmd_shell_u.pl:
--------------------------------------------------------------------------------
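#-----------------------------------------------------------
# cmd_shell_u
# Get the shell\open\command settings for various file types; gets
# info from USRCLASS.DAT hives, where Classes data is maintained on
# Win7
#
# Change History
# 20130405 - created
#
# copyright 2013 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package cmd_shell_u;
use strict;

# Plugin metadata read by rip.pl; this plugin targets USRCLASS.DAT.
my %config = (hive          => "USRCLASS\.DAT",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20130405);

sub getConfig{return %config}

sub getShortDescr {
	return "Gets shell open cmds for various file types from USRCLASS\.DAT";
}
sub getDescr   {}
sub getRefs    {}
sub getHive    {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# Entry point invoked by rip.pl with the path of a USRCLASS.DAT hive.
# For each class in @shells, reports the LastWrite time of
# <class>\shell\open\command and its (Default) data. Added check: the
# stock exefile command is "%1" %*; anything else routes every .exe launch
# through another program, so that case is called out explicitly for review.
sub pluginmain {
	my $class = shift;
	my $hive  = shift;
	::logMsg("Launching cmd_shell_u v.".$VERSION);
	::rptMsg("cmd_shell_u v.".$VERSION); # banner
	::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
	my @shells = ("\.exe","exefile","ftp","http","https");

	my $reg      = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;

	foreach my $sh (@shells) {
		my $key_path = $sh."\\shell\\open\\command";
		my $key = $root_key->get_subkey($key_path);
		unless ($key) {
			::rptMsg($key_path." not found.");
			next;
		}
		::rptMsg($key_path);
		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
		my $val;
		eval {
			$val = $key->get_value("")->get_data();
			::rptMsg(" Cmd: ".$val);
			if ($sh eq "exefile" && $val ne '"%1" %*') {
				::rptMsg(" NOTE: exefile command differs from the stock \"%1\" %* - review for hijacking.");
			}
			::rptMsg("");
		};
		::rptMsg("Error: ".$@) if ($@);
	}
	::rptMsg("");
}
1;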
--------------------------------------------------------------------------------
/plugins/cmdproc.pl:
--------------------------------------------------------------------------------
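#-----------------------------------------------------------
# cmdproc.pl
# Checks key for files to autostart from cmd.exe
#
# Change History
# 20130425 - added alertMsg() functionality
# 20130115 - created
#
# References:
#
# Category: autostart,malware,programexecution
#
# copyright 2013 Quantum Analytics Research,
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package cmdproc;
use strict;

# Plugin metadata read by rip.pl; this plugin targets NTUSER.DAT only.
# The Software hive carries its own Command Processor\AutoRun value,
# which this plugin does not inspect.
my %config = (hive          => "NTUSER\.DAT",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20130425);

sub getConfig{return %config}

sub getShortDescr {
	return "Autostart - get Command Processor\\AutoRun value from NTUSER\.DAT hive";
}
sub getDescr   {}
sub getRefs    {}
sub getHive    {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# Entry point invoked by rip.pl with the path of an NTUSER.DAT hive.
# Reports the AutoRun value of Software\Microsoft\Command Processor; the
# string it holds is executed every time cmd.exe starts for this user.
# Fix: the alert used to fire even when AutoRun existed but was empty, which
# is inert; the value is still reported, but ::alertMsg() now fires only when
# the data contains something non-blank.
sub pluginmain {
	my $class = shift;
	my $hive  = shift;
	::logMsg("Launching cmdproc v.".$VERSION);
	::rptMsg("cmdproc v.".$VERSION); # banner
	::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
	my $reg      = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;
	my $key_path = "Software\\Microsoft\\Command Processor";

	my $key = $root_key->get_subkey($key_path);
	unless ($key) {
		::rptMsg($key_path." not found.");
		return;
	}
	::rptMsg($key_path);
	::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");

	# get_value() returns undef when the value is absent.
	my $val = $key->get_value("AutoRun");
	unless (defined $val) {
		::rptMsg("AutoRun value not found.");
		return;
	}
	my $auto = $val->get_data();
	::rptMsg("AutoRun = ".$auto);
	if (defined $auto && $auto =~ m/\S/) {
		::alertMsg("ALERT: cmdproc: ".$key_path." AutoRun value found: ".$auto);
	}
}
1;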
--------------------------------------------------------------------------------
/plugins/compdesc.pl:
--------------------------------------------------------------------------------
#-----------------------------------------------------------
# compdesc.pl
# Plugin for Registry Ripper,
# ComputerDescriptions key parser
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package compdesc;
use strict;

# Plugin metadata read by rip.pl; this plugin targets NTUSER.DAT.
my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20080324);

sub getConfig     {return %config}
sub getShortDescr {return "Gets contents of user's ComputerDescriptions key";}
sub getDescr      {}
sub getRefs       {}
sub getHive       {return $config{hive};}
sub getVersion    {return $config{version};}

my $VERSION = getVersion();

# Entry point invoked by rip.pl with the path of an NTUSER.DAT hive.
# Prints every value (name and data) under
# Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions,
# preceded by the key's LastWrite time. Missing key / no values are reported
# to both the report and the log.
sub pluginmain {
	my ($class, $ntuser) = @_;
	::logMsg("Launching compdesc v.".$VERSION);
	::rptMsg("compdesc v.".$VERSION); # banner
	::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner

	my $root_key = Parse::Win32Registry->new($ntuser)->get_root_key;
	my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions';
	my $desc_key = $root_key->get_subkey($key_path);

	unless ($desc_key) {
		::rptMsg($key_path." not found.");
		::logMsg($key_path." not found.");
		return;
	}
	::rptMsg("ComputerDescriptions");
	::rptMsg($key_path);
	::rptMsg("LastWrite Time ".gmtime($desc_key->get_timestamp())." (UTC)");

	my @entries = $desc_key->get_list_of_values();
	if (@entries) {
		::rptMsg(" ".$_->get_name()." ".$_->get_data()) for @entries;
	}
	else {
		::rptMsg($key_path." has no values.");
		::logMsg($key_path." has no values.");
	}
}

1;
--------------------------------------------------------------------------------
/plugins/dfrg.pl:
--------------------------------------------------------------------------------
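#-----------------------------------------------------------
# dfrg.pl
# Gets contents of Dfrg\BootOptimizeFunction key
#
# Change history:
# 20110321 - created
#
# References
# http://technet.microsoft.com/en-us/library/cc784391%28WS.10%29.aspx
#
# copyright 2011 Quantum Analytics Research, LLC (keydet89@yahoo.com)
#-----------------------------------------------------------
package dfrg;
use strict;

# Plugin metadata read by rip.pl; this plugin targets the Software hive.
my %config = (hive          => "Software",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20110321);

sub getConfig{return %config}

sub getShortDescr {
	return "Gets content of Dfrg BootOptim. key";
}
sub getDescr   {}
# Fix: every other plugin in this set defines getRefs(); it was missing
# here, so a caller treating the accessor set as uniform would fail.
sub getRefs    {}
sub getHive    {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# Entry point invoked by rip.pl with the path of a Software hive.
# Prints each value of Microsoft\Dfrg\BootOptimizeFunction as a two-column
# "name data" line. Data is used as get_data() returns it.
sub pluginmain {
	my $class = shift;
	my $hive  = shift;
	::logMsg("Launching dfrg v.".$VERSION);
	::rptMsg("dfrg v.".$VERSION); # banner
	::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
	my $reg      = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;
	my $key_path = "Microsoft\\Dfrg\\BootOptimizeFunction";

	my $key = $root_key->get_subkey($key_path);
	unless ($key) {
		::rptMsg($key_path." not found.");
		::logMsg($key_path." not found.");
		return;
	}
	::rptMsg("Dfrg");
	::rptMsg($key_path);
	::rptMsg("");

	my @vals = $key->get_list_of_values();
	unless (scalar(@vals) > 0) {
		::rptMsg($key_path." has no values.");
		return;
	}
	foreach my $v (@vals) {
		::rptMsg(sprintf "%-20s %-20s", $v->get_name(), $v->get_data());
	}
}
1;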
--------------------------------------------------------------------------------
/plugins/gthist.pl:
--------------------------------------------------------------------------------
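#-----------------------------------------------------------
# gthist.pl
# Google Toolbar Search History plugin
#
#
# Change history
# 20100218 - created
#
# References
#
#
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package gthist;
use strict;

# Plugin metadata read by rip.pl; this plugin targets NTUSER.DAT.
my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20100218);

sub getConfig{return %config}
sub getShortDescr {
	return "Gets Google Toolbar Search History";
}
sub getDescr   {}
sub getRefs    {}
sub getHive    {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# Entry point invoked by rip.pl with the path of an NTUSER.DAT hive.
# Under Software\Google\NavClient\1.1\History each value name is a search
# term and its data is a little-endian 32-bit Unix time; the terms are
# printed newest first. Fixes: the original keyed a hash on the time, so two
# searches recorded in the same second silently overwrote each other and
# one term vanished from the report - entries are now kept as a list per
# timestamp. Data too short to hold a timestamp (unpack yields undef) is
# reported without a time instead of producing an undef key.
sub pluginmain {
	my $class  = shift;
	my $ntuser = shift;
	my %hist;   # epoch seconds -> [ search terms recorded at that second ]
	::logMsg("Launching gthist v.".$VERSION);
	::rptMsg("gthist v.".$VERSION); # banner
	::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
	my $reg      = Parse::Win32Registry->new($ntuser);
	my $root_key = $reg->get_root_key;
	my $key_path = 'Software\\Google\\NavClient\\1.1\\History';

	my $key = $root_key->get_subkey($key_path);
	unless ($key) {
		::rptMsg($key_path." not found.");
		return;
	}
	::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
	my @vals = $key->get_list_of_values();
	unless (scalar @vals > 0) {
		::rptMsg($key_path." has no values.");
		return;
	}
	::rptMsg("");
	foreach my $v (@vals) {
		my $tv = unpack("V", $v->get_data());
		unless (defined $tv) {
			::rptMsg("(no timestamp) ".$v->get_name());
			next;
		}
		push @{ $hist{$tv} }, $v->get_name();
	}

	foreach my $t (reverse sort {$a <=> $b} keys %hist) {
		foreach my $term (@{ $hist{$t} }) {
			::rptMsg(gmtime($t)." ".$term);
		}
	}
}

1;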
--------------------------------------------------------------------------------
/plugins/gtwhitelist.pl:
--------------------------------------------------------------------------------
#-----------------------------------------------------------
# gtwhitelist.pl
# Google Toolbar whitelist plugin
#
#
# Change history
# 20100218 - created
#
# References
#
#
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package gtwhitelist;
use strict;

# Plugin metadata read by rip.pl; this plugin targets NTUSER.DAT.
my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20100218);

sub getConfig     {return %config}
sub getShortDescr {return "Gets Google Toolbar whitelist values";}
sub getDescr      {}
sub getRefs       {}
sub getHive       {return $config{hive};}
sub getVersion    {return $config{version};}

my $VERSION = getVersion();

# Entry point invoked by rip.pl with the path of an NTUSER.DAT hive.
# Reads Software\Google\Google Toolbar\4.0\whitelist: the "allow2" value is
# a '|'-separated list of whitelisted entries (empty fields skipped), and
# "lastmod" is a Unix time printed in UTC. Either value may be absent; each
# is read best-effort inside its own eval and simply omitted when missing.
sub pluginmain {
	my ($class, $ntuser) = @_;
	::logMsg("Launching gtwhitelist v.".$VERSION);
	::rptMsg("gtwhitelist v.".$VERSION); # banner
	::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner

	my $root_key = Parse::Win32Registry->new($ntuser)->get_root_key;
	my $key_path = 'Software\\Google\\Google Toolbar\\4.0\\whitelist';
	my $wl_key   = $root_key->get_subkey($key_path);

	unless ($wl_key) {
		::rptMsg($key_path." not found.");
		return;
	}
	::rptMsg("LastWrite Time ".gmtime($wl_key->get_timestamp())." (UTC)");

	eval {
		my $allow2  = $wl_key->get_value("allow2")->get_data();
		my @entries = grep { $_ ne "" } split(/\|/, $allow2);
		::rptMsg("");
		::rptMsg("whitelist");
		::rptMsg(" ".$_) for @entries;
		::rptMsg("");
	};

	eval {
		my $lastmod = $wl_key->get_value("lastmod")->get_data();
		::rptMsg("lastmod ".gmtime($lastmod)." (UTC)");
	};
}

1;
--------------------------------------------------------------------------------
/plugins/handler.pl:
--------------------------------------------------------------------------------
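#-----------------------------------------------------------
# handler.pl
#
# Several pieces of malware will modify the HKCR\Network\SharingHandler key
# default value, pointing it to something other than ntshrui.dll
#
#
# References:
# http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_cosmu.elg
#
# Change history:
# 20150826 - created
#
# copyright 2015 Quantum Analytics Research, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package handler;
use strict;

# Plugin metadata read by rip.pl; this plugin targets the Software hive.
my %config = (hive          => "Software",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              category      => "malware",
              version       => 20150826);

sub getConfig{return %config}
sub getShortDescr {
	return "Checks HKCR/Network/SharingHandler (default) value";
}
sub getDescr   {}
sub getRefs    {}
sub getHive    {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# Entry point invoked by rip.pl with the path of a Software hive.
# Reports the (Default) data of Classes\Network\SharingHandler. Fixes: the
# original chained ->get_data() onto get_value(""), which is undef when the
# default value is absent, so the plugin died on such hives; that case is now
# reported. Since the whole point of the check (see header) is a value that
# no longer points at ntshrui.dll, a (Default) that does not mention it is
# now explicitly flagged instead of leaving the comparison to the reader.
sub pluginmain {
	my $class = shift;
	my $hive  = shift;
	::logMsg("Launching handler v.".$VERSION);
	::rptMsg("handler v.".$VERSION); # banner
	::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
	my $reg      = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;
	my $key_path = "Classes\\Network\\SharingHandler";

	my $key = $root_key->get_subkey($key_path);
	unless ($key) {
		::rptMsg($key_path." not found.");
		return;
	}
	::rptMsg($key_path);
	::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
	::rptMsg("");

	my $val = $key->get_value("");
	unless (defined $val) {
		::rptMsg("(Default) value not found.");
		return;
	}
	my $data = $val->get_data();
	$data = "" unless defined $data;
	::rptMsg("(Default) value = ".$data);
	unless ($data =~ m/ntshrui\.dll/i) {
		::rptMsg("  NOTE: (Default) does not reference ntshrui.dll - review for tampering.");
	}
}
1;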
--------------------------------------------------------------------------------
/plugins/identities.pl:
--------------------------------------------------------------------------------
#-----------------------------------------------------------
# identities.pl
#
#
# Change history
# 20151211 - created
#
# References
# https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html
#
# Copyright 2015 QAR LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package identities;
use strict;

# Plugin metadata read by rip.pl; this plugin targets NTUSER.DAT.
my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20151211);
my $VERSION = getVersion();

sub getDescr      {}
sub getRefs       {}
sub getConfig     {return %config}
sub getHive       {return $config{hive};}
sub getVersion    {return $config{version};}
sub getShortDescr {return "Extracts values from Identities key; NTUSER\.DAT";}

# Entry point invoked by rip.pl with the path of an NTUSER.DAT hive.
# Prints every value of the root-level Identities key in two columns
# (name, data) after the key's LastWrite time; a trailing blank line is
# always emitted, including when the key is missing.
sub pluginmain {
	my ($class, $hive_file) = @_;

	::logMsg("Launching identities v.".$VERSION);
	::rptMsg("identities v.".$VERSION);
	::rptMsg("(".getHive().") ".getShortDescr()."\n");

	my $root_key = Parse::Win32Registry->new($hive_file)->get_root_key;
	my $key_path = "Identities";
	my $id_key   = $root_key->get_subkey($key_path);

	if ($id_key) {
		::rptMsg($key_path);
		::rptMsg("LastWrite Time ".gmtime($id_key->get_timestamp())." (UTC)");
		::rptMsg("");

		my @entries = $id_key->get_list_of_values();
		if (@entries) {
			::rptMsg(sprintf "%-40s %-30s", $_->get_name(), $_->get_data()) for @entries;
		}
		else {
			::rptMsg($key_path." has no values.");
		}
	}
	else {
		::rptMsg($key_path." not found.");
	}
	::rptMsg("");
}
1;
67 |
--------------------------------------------------------------------------------
/plugins/javafx.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # javafx.pl
3 | # Plugin written based on Cory Harrell's Exploit Artifacts posts at
4 | # http://journeyintoir.blogspot.com/
5 | #
6 | # Change history
7 | # 20110322 - created
8 | #
9 | # References
10 | # http://java.sun.com/j2se/1.4.2/runtime_win32.html
11 | #
12 | # copyright 2011 Quantum Analytics Research, LLC
13 | #-----------------------------------------------------------
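package javafx;
use strict;

my %config = (hive => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr => 0,
              hasRefs => 0,
              osmask => 22,
              version => 20110322);

sub getConfig{return %config}
sub getShortDescr {
	return "Gets contents of user's JavaFX key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# pluginmain($class, $ntuser)
# Reports every value (name and data) under the user's
# Software\JavaSoft\Java Update\Policy\JavaFX key together with the key's
# LastWrite time. The header ties this key to exploit-artifact research, so
# its mere presence and timestamp are the interesting part.
# $ntuser - path to the NTUSER.DAT hive file. Output goes through ::rptMsg;
# nothing is returned.
sub pluginmain {
	my $class = shift;
	my $ntuser = shift;
	::logMsg("Launching javafx v.".$VERSION);
	::rptMsg("javafx v.".$VERSION); # banner
	::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
	my $reg = Parse::Win32Registry->new($ntuser);
	my $root_key = $reg->get_root_key;

	my $key_path = "Software\\JavaSoft\\Java Update\\Policy\\JavaFX";
	my $key;
	my @vals;
	if ($key = $root_key->get_subkey($key_path)) {
		# The banner is printed once above; the duplicate banner that used to
		# be emitted here is gone.
		::rptMsg($key_path);
		# Key timestamps are rendered with gmtime, so label them as UTC like
		# the other plugins do.
		::rptMsg("LastWrite time: ".gmtime($key->get_timestamp())." (UTC)");
		::rptMsg("");
		@vals = $key->get_list_of_values();

		if (scalar(@vals) > 0) {
			# Data is printed as-is; binary values are not decoded.
			foreach my $v (@vals) {
				::rptMsg(sprintf "%-25s %-20s",$v->get_name(), $v->get_data());
			}
		}
		else {
			::rptMsg($key_path." has no values.");
		}
	}
	else {
		::rptMsg($key_path." not found.");
	}
}

1;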
--------------------------------------------------------------------------------
/plugins/javasoft.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # javasoft.pl
3 | #
4 | # History
5 | # 20130216 - created
6 | #
7 | # References
8 | # http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
9 | # http://nakedsecurity.sophos.com/how-to-disable-java-internet-explorer/
10 | #
11 | # copyright 2013 QAR, LLC
12 | # Author: H. Carvey, keydet89@yahoo.com
13 | #-----------------------------------------------------------
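package javasoft;
use strict;

my %config = (hive => "Software",
              hasShortDescr => 1,
              hasDescr => 0,
              hasRefs => 0,
              osmask => 22,
              version => 20130216);

sub getConfig{return %config}
sub getShortDescr {
	return "Gets contents of JavaSoft/UseJava2IExplorer value";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Looks up the UseJava2IExplorer value under JavaSoft\Java Plug-in in both the
# native and the Wow6432Node view of the Software hive and reports it in hex.
# Per the references in the header, this value controls whether the Java
# plug-in is enabled in Internet Explorer (0 = disabled); a non-zero value on
# a host with an outdated JRE widens the browser attack surface.
# $hive - path to the Software hive file. Output goes through ::rptMsg;
# nothing is returned.
sub pluginmain {
	my $class = shift;
	my $hive = shift;
	::logMsg("Launching javasoft v.".$VERSION);
	# The report banner matches the other plugins ("<name> v.<version>");
	# the "Launching ..." wording belongs to the log line only.
	::rptMsg("javasoft v.".$VERSION);
	::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
	my $reg = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;

	# A 32-bit JRE on 64-bit Windows registers under Wow6432Node, so both
	# views are checked.
	my @k = ('JavaSoft\\Java Plug-in','Wow6432Node\\JavaSoft\\Java Plug-in');
	foreach my $key_path (@k) {
		my $key;
		if ($key = $root_key->get_subkey($key_path)) {
			::rptMsg($key_path);
			::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
			::rptMsg("");
			my $ie;
			# get_value() returns undef for a missing value, so ->get_data()
			# dies inside the eval and $@ signals "not found".
			eval {
				$ie = $key->get_value("UseJava2IExplorer")->get_data();
				::rptMsg(sprintf "UseJava2IExplorer = 0x%x",$ie);
			};
			::rptMsg("UseJava2IExplorer value not found\.") if ($@);
			::rptMsg("");
		}
		else {
			::rptMsg("Key ".$key_path." not found.");
		}
	}
}
1;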
--------------------------------------------------------------------------------
/plugins/lastloggedon.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # lastloggedon
3 | #
4 | #
5 | # References
6 | #
7 | #
8 | # History:
9 | # 20160531 - created
10 | #
11 | # copyright 2016 Quantum Analytics Research, LLC
12 | # Author: H. Carvey, keydet89@yahoo.com
13 | #-----------------------------------------------------------
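package lastloggedon;
use strict;

my %config = (hive => "Software",
              osmask => 22,
              hasShortDescr => 1,
              hasDescr => 0,
              hasRefs => 0,
              version => 20160531);

sub getConfig{return %config}

sub getShortDescr {
	return "Gets LastLoggedOn* values from LogonUI key";
}
sub getDescr{}
sub getRefs {
	my %refs = ();
	return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Reports the LastLoggedOnUser and LastLoggedOnSAMUser values under
# Microsoft\Windows\CurrentVersion\Authentication\LogonUI, i.e. the account
# the logon UI last displayed, which helps attribute the most recent
# interactive logon on the host. A missing value is now reported as
# "not found" instead of being silently skipped, so an analyst can tell the
# difference between "absent" and "plugin failed".
# $hive - path to the Software hive file. Output goes through ::rptMsg;
# nothing is returned.
sub pluginmain {
	my $class = shift;
	my $hive = shift;
	::logMsg("Launching lastloggedon v.".$VERSION);
	::rptMsg("lastloggedon v.".$VERSION);
	::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");
	my $reg = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;
	my ($key_path, $key);

	$key_path = "Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI";
	if ($key = $root_key->get_subkey($key_path)) {
		::rptMsg("LastLoggedOn");
		::rptMsg($key_path);
		# gmtime() output is UTC; label it so it is not misread as local time.
		::rptMsg("LastWrite: ".gmtime($key->get_timestamp())." (UTC)");
		::rptMsg("");

		foreach my $name (qw(LastLoggedOnUser LastLoggedOnSAMUser)) {
			my $data;
			# get_value() returns undef for a missing value; ->get_data() then
			# dies inside the eval and $@ is set.
			eval {
				$data = $key->get_value($name)->get_data();
			};
			if ($@ || !defined $data) {
				::rptMsg($name." value not found.");
			}
			else {
				::rptMsg($name." = ".$data);
			}
		}
	}
	else {
		::rptMsg($key_path." not found.");
	}
}

1;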
--------------------------------------------------------------------------------
/plugins/lazyshell.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # lazyshell
3 | #
4 | # Change history:
5 | # 20131007 - created
6 | #
7 | # Ref:
8 | #
9 | #
10 | # copyright 2013 QAR,LLC
11 | # Author: H. Carvey, keydet89@yahoo.com
12 | #-----------------------------------------------------------
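package lazyshell;
use strict;

my %config = (hive => "Software",
              category => "malware",
              hasShortDescr => 1,
              hasDescr => 0,
              hasRefs => 1,
              osmask => 22,
              version => 20131007);

sub getConfig{return %config}
sub getShortDescr {
	return "Checks for keys/values assoc. with LazyShell";
}
sub getDescr{}
# NOTE(review): %config advertises hasRefs => 1 but nothing is returned here;
# left unchanged so getConfig() output stays the same.
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Checks the native and Wow6432Node Wordpad\ComChecks\Safelist paths in the
# Software hive, which the header associates with LazyShell, and reports each
# key's LastWrite time plus whether its CategoryCount and ResetAU values are
# present. Presence of the key is the indicator; value data is not printed.
# $hive - path to the Software hive file. Output goes through ::rptMsg;
# nothing is returned.
sub pluginmain {
	my $class = shift;
	my $hive = shift;
	# "Launching ..." is a log line, not report content (it was previously
	# sent to the report by mistake).
	::logMsg("Launching lazyshell v.".$VERSION);
	::rptMsg("lazyshell v.".$VERSION); # banner
	::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
	my @paths = ('Microsoft\\Windows\\CurrentVersion\\Wordpad\\ComChecks\\Safelist',
	             'Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Wordpad\\ComChecks\\Safelist');

	my $reg = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;

	foreach my $key_path (@paths) {
		my $key;
		if ($key = $root_key->get_subkey($key_path)) {
			::rptMsg($key_path);
			::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");

			# A missing value makes ->get_data() die inside the eval, so
			# "found" is only reported when the value really exists.
			foreach my $name (qw(CategoryCount ResetAU)) {
				eval {
					my $data = $key->get_value($name)->get_data();
					::rptMsg($name." value found\.");
				};
			}
			::rptMsg("");
		}
		else {
			::rptMsg($key_path." not found.");
		}
	}
}
1;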
--------------------------------------------------------------------------------
/plugins/licenses.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # licenses.pl
3 | # There are indications that the contents of this key may be associated
4 | # with a number of different malware variants, including the Elite
5 | # Keylogger.
6 | #
7 | # History
8 | # 20120305 - created
9 | #
10 | #
11 | # copyright 2012, Quantum Analytics Research, LLC
12 | #-----------------------------------------------------------
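package licenses;
use strict;

my %config = (hive => "Software",
              osmask => 22,
              hasShortDescr => 1,
              hasDescr => 0,
              hasRefs => 0,
              version => 20120305);

sub getConfig{return %config}

sub getShortDescr {
	return "Get contents of HKLM/Software/Licenses key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Lists the values under the Software hive's Licenses key, which the header
# associates with several malware families. REG_BINARY values are reported by
# name and size only (the blobs are opaque); any other value type is reported
# by name and type code so nothing under a suspect key is silently dropped.
# $hive - path to the Software hive file. Output goes through ::rptMsg;
# nothing is returned.
sub pluginmain {
	my $class = shift;
	my $hive = shift;
	::logMsg("Launching licenses v.".$VERSION);
	::rptMsg("licenses v.".$VERSION); # banner
	::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
	my $reg = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;

	my $key_path = "Licenses";
	my $key;
	if ($key = $root_key->get_subkey($key_path)) {
		::rptMsg($key_path);
		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
		::rptMsg("");

		my @vals = $key->get_list_of_values();
		if (scalar(@vals) > 0) {
			foreach my $v (@vals) {
				my $name = $v->get_name();
				my $type = $v->get_type();
				# Type 3 is REG_BINARY.
				if ($type == 3) {
					::rptMsg("Value: ".$name." (Binary data: ".length($v->get_data())." bytes)");
				}
				else {
					# Previously skipped silently; report so the analyst sees it.
					::rptMsg("Value: ".$name." (type ".$type.", not REG_BINARY)");
				}
			}
		}
		else {
			::rptMsg($key_path." has no values.");
		}
	}
	else {
		::rptMsg($key_path." not found.");
	}
}
1;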
--------------------------------------------------------------------------------
/plugins/mmc_tln.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # mmc_tln.pl
3 | # Plugin for Registry Ripper, NTUSER.DAT edition - gets the
4 | # Microsoft Management Console Recent File List values
5 | #
6 | # Change history
7 | # 20120828 - updated, transitioned to TLN format output
8 | # 20080324 - created
9 | #
10 | # References
11 | #
12 | #
13 | # copyright 2012
14 | # Author: H. Carvey, keydet89@yahoo.com
15 | #-----------------------------------------------------------
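package mmc_tln;
use strict;

my %config = (hive => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr => 0,
              hasRefs => 0,
              osmask => 22,
              version => 20120828);

sub getConfig{return %config}
sub getShortDescr {
	return "Get contents of user's MMC\\Recent File List key (TLN)";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# pluginmain($class, $ntuser)
# Timeline (TLN) variant: emits one "time|REG|||description" line for the
# File1 entry of the user's MMC Recent File List, stamped with the key's
# LastWrite time. No banner or key header is written, and nothing is reported
# when the key, the values or File1 are absent, so the output can be
# concatenated straight into a timeline.
# $ntuser - path to the NTUSER.DAT hive file. Output goes through ::rptMsg;
# nothing is returned.
sub pluginmain {
	my $class = shift;
	my $ntuser = shift;
	# Log the actual plugin name (previously logged as "mmc").
	::logMsg("Launching mmc_tln v.".$VERSION);
	my $reg = Parse::Win32Registry->new($ntuser);
	my $root_key = $reg->get_root_key;

	my $key_path = 'Software\\Microsoft\\Microsoft Management Console\\Recent File List';
	my $key;
	if ($key = $root_key->get_subkey($key_path)) {
		my $lw = $key->get_timestamp();
		my @vals = $key->get_list_of_values();
		if (scalar(@vals) > 0) {
			# Only File1 (the most recent entry) is tied to the key's LastWrite
			# time; older FileN entries carry no timestamp of their own, so
			# they are deliberately not emitted as events.
			my $file1;
			eval {
				$file1 = $key->get_value("File1")->get_data();
				::rptMsg($lw."|REG|||[Program Execution] MMC - Recent File List - ".$file1);
			};
		}
	}
}

1;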
--------------------------------------------------------------------------------
/plugins/mndmru_tln.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # mndmru_tln.pl
3 | # Plugin for Registry Ripper,
4 | # Map Network Drive MRU parser
5 | #
6 | # Change history
7 | # 20120829 - updated to TLN
8 | # 20080324 - mndmru.pl created
9 | #
10 | # References
11 | #
12 | #
13 | # copyright 2012
14 | # Author: H. Carvey, keydet89@yahoo.com
15 | #-----------------------------------------------------------
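package mndmru_tln;
use strict;

my %config = (hive => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr => 0,
              hasRefs => 0,
              osmask => 22,
              version => 20120829);

sub getConfig{return %config}
sub getShortDescr {
	return "Get user's Map Network Drive MRU (TLN)";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# pluginmain($class, $ntuser)
# Timeline (TLN) variant: emits one "time|REG|||description" line for the
# most recently used Map Network Drive MRU entry, stamped with the key's
# LastWrite time. No banner or key header is written, and nothing is reported
# when the key, MRUList or the referenced entry is absent, so the output can
# be concatenated straight into a timeline.
# $ntuser - path to the NTUSER.DAT hive file. Output goes through ::rptMsg;
# nothing is returned.
sub pluginmain {
	my $class = shift;
	my $ntuser = shift;
	# Log the actual plugin name (previously logged as "mndmru").
	::logMsg("Launching mndmru_tln v.".$VERSION);
	my $reg = Parse::Win32Registry->new($ntuser);
	my $root_key = $reg->get_root_key;

	my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU';
	my $key;
	if ($key = $root_key->get_subkey($key_path)) {
		my $lw = $key->get_timestamp();
		my @vals = $key->get_list_of_values();
		if (scalar(@vals) > 0) {
			# MRUList is a string of value-name letters, most recent first.
			# Only the most recent entry is tied to the key's LastWrite time,
			# so only that one is emitted. Any missing piece makes ->get_data()
			# die inside the eval, which simply suppresses the line.
			eval {
				my $list = $key->get_value("MRUList")->get_data();
				my $most_recent = (split(//,$list))[0];
				die "MRUList is empty\n" unless defined $most_recent;
				my $mru = $key->get_value($most_recent)->get_data();
				::rptMsg($lw."|REG|||Map Network Drive MRU - ".$mru);
			};
		}
	}
}

1;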
--------------------------------------------------------------------------------
/plugins/mountdev2.pl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/plugins/mountdev2.pl
--------------------------------------------------------------------------------
/plugins/networkcards.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # networkcards
3 | #
4 | # copyright 2008 H. Carvey, keydet89@yahoo.com
5 | #-----------------------------------------------------------
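package networkcards;
use strict;

my %config = (hive => "Software",
              hasShortDescr => 1,
              hasDescr => 0,
              hasRefs => 0,
              osmask => 22,
              version => 20080325);

sub getConfig{return %config}
sub getShortDescr {
	return "Get NetworkCards";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Lists the adapters registered under Microsoft\Windows NT\CurrentVersion\
# NetworkCards in the Software hive: each subkey's Description, its LastWrite
# time (UTC) and its ServiceName. A subkey without a ServiceName value is
# reported and skipped rather than aborting the whole plugin (the previous
# unguarded ->get_data() call died on such a subkey); a missing Description
# is reported as such. Adapters are printed sorted by ServiceName so the
# output is stable across runs.
# $hive - path to the Software hive file. Output goes through ::rptMsg;
# nothing is returned.
sub pluginmain {
	my $class = shift;
	my $hive = shift;
	::logMsg("Launching networkcards v.".$VERSION);
	::rptMsg("networkcards v.".$VERSION); # banner
	::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
	my $reg = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;
	my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards";
	my $key;
	if ($key = $root_key->get_subkey($key_path)) {
		::rptMsg("NetworkCards");
		::rptMsg($key_path);
		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
		::rptMsg("");
		my @subkeys = $key->get_list_of_subkeys();
		if (scalar(@subkeys) > 0) {
			my %nc;
			foreach my $s (@subkeys) {
				my ($service, $descr);
				# get_value() returns undef for a missing value; ->get_data()
				# then dies inside the eval and leaves the variable undefined.
				eval { $service = $s->get_value("ServiceName")->get_data(); };
				unless (defined $service) {
					::rptMsg($s->get_name().": ServiceName value not found, skipped.");
					next;
				}
				eval { $descr = $s->get_value("Description")->get_data(); };
				$descr = "(Description value not found)" unless defined $descr;
				# Keyed by ServiceName; two subkeys naming the same service
				# would collapse to the last one seen, as before.
				$nc{$service}{descr} = $descr;
				$nc{$service}{lastwrite} = $s->get_timestamp();
			}

			# ServiceName is the adapter GUID, which typically also names the
			# adapter's interface subkey in the System hive, so it is printed
			# to allow that correlation.
			foreach my $n (sort keys %nc) {
				::rptMsg($nc{$n}{descr}." [".gmtime($nc{$n}{lastwrite})." UTC]");
				::rptMsg("  ServiceName: ".$n);
			}
		}
		else {
			::rptMsg($key_path." has no subkeys.");
			::logMsg($key_path." has no subkeys.");
		}
	}
	else {
		::rptMsg($key_path." not found.");
		::logMsg($key_path." not found.");
	}
}
1;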
--------------------------------------------------------------------------------
/plugins/networkuid.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # networkuid.pl
3 | # Gets UID value from Network key
4 | #
5 | # References
6 | # http://blogs.technet.com/mmpc/archive/2010/03/11/got-zbot.aspx
7 | #
8 | # copyright 2010 Quantum Analytics Research, LLC
9 | #-----------------------------------------------------------
package networkuid;
use strict;

my %config = (hive          => "Software",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20100312);

sub getConfig     { return %config }
sub getShortDescr { return "Gets Network key UID value" }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Reports the UID value under Microsoft\Windows NT\CurrentVersion\Network in
# the Software hive (the header's reference associates it with Zbot), along
# with the key's LastWrite time. Absence of the key or value is reported.
# $hive - path to the Software hive file. Output goes through ::rptMsg and
# ::logMsg; nothing is returned.
sub pluginmain {
	my ($class, $hive) = @_;
	::logMsg("Launching networkuid v.".$VERSION);
	::rptMsg("networkuid v.".$VERSION); # banner
	::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
	my $root_key = Parse::Win32Registry->new($hive)->get_root_key;

	my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Network";
	my $key      = $root_key->get_subkey($key_path);
	unless ($key) {
		::rptMsg($key_path." not found.");
		::logMsg($key_path." not found.");
		return;
	}

	::rptMsg($key_path);
	::rptMsg("LastWrite time = ".gmtime($key->get_timestamp()));
	::rptMsg("");

	# A missing value makes ->get_data() die inside the eval and set $@.
	my $uid = eval { $key->get_value("UID")->get_data() };
	if ($@) {
		::rptMsg("UID value not found.");
	}
	else {
		::rptMsg("UID value = ".$uid);
	}
}
1;
--------------------------------------------------------------------------------
/plugins/ntuser:
--------------------------------------------------------------------------------
1 | # 20120528 *ALL* Plugins that apply on NTUSER hive, alphabetical order
2 | acmru
3 | adoberdr
4 | aim
5 | aports
6 | appcompatflags
7 | applets
8 | appspecific
9 | ares
10 | arpcache
11 | autoendtasks
12 | autorun
13 | bitbucket_user
14 | brisv
15 | cain
16 | ccleaner
17 | clampi
18 | clampitm
19 | comdlg32
20 | compatassist
21 | compdesc
22 | controlpanel
23 | cpldontload
24 | decaf
25 | dependency_walker
26 | domains
27 | environment
28 | fileexts
29 | filehistory
30 | gthist
31 | gtwhitelist
32 | haven_and_hearth
33 | ie_settings
34 | internet_explorer_cu
35 | internet_settings_cu
36 | javafx
37 | listsoft
38 | liveContactsGUID
39 | load
40 | logonusername
41 | mmc
42 | mndmru
43 | mp2
44 | mpmru
45 | mspaper
46 | muicache
47 | nero
48 | netassist
49 | odysseus
50 | officedocs
51 | officedocs2010
52 | oisc
53 | osversion
54 | outlook
55 | policies_u
56 | printermru
57 | printers
58 | privoxy
59 | proxysettings
60 | publishingwizard
61 | putty
62 | rdphint
63 | realplayer6
64 | realvnc
65 | recentdocs
66 | rootkit_revealer
67 | runmru
68 | sevenzip
69 | shellfolders
70 | skype
71 | snapshot_viewer
72 | ssh_host_keys
73 | startmenuinternetapps_cu
74 | startpage
75 | streammru
76 | streams
77 | sysinternals
78 | trustrecords
79 | tsclient
80 | typedpaths
81 | typedurls
82 | typedurlstime
83 | unreadmail
84 | user_run
85 | user_win
86 | userassist
87 | userinfo
88 | userlocsvc
89 | vista_bitbucket
90 | vmplayer
91 | vmware_vsphere_client
92 | vnchooksapplicationprefs
93 | vncviewer
94 | wallpaper
95 | warcraft3
96 | winlivemail
97 | winlogon_u
98 | winrar
99 | winscp_sessions
100 | winvnc
101 | winzip
102 | wordwheelquery
103 | yahoo_cu
--------------------------------------------------------------------------------
/plugins/ntusernetwork.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # ntusernetwork.pl
3 | # Plugin for Registry Ripper,
4 | # Network key parser
5 | #
6 | #-----------------------------------------------------------
package ntusernetwork;
use strict;

my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20110601);

sub getConfig     { return %config }
sub getShortDescr { return "Returns contents of user's Network subkeys" }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

# pluginmain($class, $ntuser)
# Walks each subkey of the Network key at the root of the user's NTUSER.DAT
# (typically one per mapped drive letter) and prints the subkey name, its
# LastWrite time and every value (name and data) it holds.
# $ntuser - path to the NTUSER.DAT hive file. Output goes through ::rptMsg;
# nothing is returned.
sub pluginmain {
	my ($class, $ntuser) = @_;
	::logMsg("Launching ntusernetwork v.".$VERSION);
	::rptMsg("ntusernetwork v.".$VERSION); # banner
	::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
	my $root_key = Parse::Win32Registry->new($ntuser)->get_root_key;

	my $key_path = 'Network';
	my $key      = $root_key->get_subkey($key_path);
	unless ($key) {
		::rptMsg($key_path." key not found.");
		return;
	}
	::rptMsg($key_path);
	::rptMsg("");

	my @subkeys = $key->get_list_of_subkeys();
	unless (@subkeys) {
		::rptMsg($key_path." key has no subkeys.");
		return;
	}
	for my $sub (@subkeys) {
		::rptMsg($key_path."\\".$sub->get_name());
		::rptMsg("LastWrite time: ".gmtime($sub->get_timestamp()));
		my @values = $sub->get_list_of_values();
		# A subkey without values gets no trailing blank line, as before.
		next unless @values;
		::rptMsg(sprintf " %-15s %-25s", $_->get_name(), $_->get_data()) for @values;
		::rptMsg("");
	}
}
1;
66 |
--------------------------------------------------------------------------------
/plugins/osversion.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # osversion.pl
3 | # Plugin to check for OSVersion value, which appears to be queried
4 | # by some malware, and used by others; getting a response of "OSVersion
5 | # not found" is a good thing.
6 | #
7 | # Change history
8 | # 20120601 - created
9 | #
10 | # References
11 | # Search Google for "Software\Microsoft\OSVersion" - you'll get several
12 | # hits that refer to various malware;
13 | #
14 | # copyright 2012 Quantum Analytics Research, LLC
15 | # Author: H. Carvey, keydet89@yahoo.com
16 | #-----------------------------------------------------------
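package osversion;
use strict;

my %config = (hive => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr => 0,
              hasRefs => 0,
              osmask => 22,
              version => 20120601);

sub getConfig{return %config}
sub getShortDescr {
	return "Checks for OSVersion value";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# pluginmain($class, $ntuser)
# Checks the user's Software\Microsoft key for an OSVersion value. Per the
# header, this value is created/queried by several malware families and does
# not belong there on a clean system, so "OSVersion value not found." is the
# expected, good result and a present value is a finding.
# $ntuser - path to the NTUSER.DAT hive file. Output goes through ::rptMsg;
# nothing is returned.
sub pluginmain {
	my $class = shift;
	my $ntuser = shift;
	::logMsg("Launching osversion v.".$VERSION);
	# Report banner, consistent with the other plugins; without it the report
	# section had no heading at all when the key was absent.
	::rptMsg("osversion v.".$VERSION); # banner
	::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
	my $reg = Parse::Win32Registry->new($ntuser);
	my $root_key = $reg->get_root_key;

	my $key_path = 'Software\\Microsoft';
	my $key;
	if ($key = $root_key->get_subkey($key_path)) {
		::rptMsg("OSVersion");
		::rptMsg($key_path);
		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
		::rptMsg("");
		my $os;
		# get_value() returns undef for a missing value, so ->get_data() dies
		# inside the eval and $@ is set.
		eval {
			$os = $key->get_value("OSVersion")->get_data();
		};
		if ($@ || !defined $os) {
			::rptMsg("OSVersion value not found.");
		}
		else {
			::rptMsg("OSVersion = ".$os);
		}
	}
	else {
		::rptMsg($key_path." not found.");
	}
}

1;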
--------------------------------------------------------------------------------
/plugins/rdphint.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # rdphint.pl - http://www.regripper.net/
3 | # Gathers the hosts the RDP client connected to (Terminal Server Client\Servers subkeys) and the last username hint recorded for each (UsernameHint value)
4 | #
5 | # by Brandon Nesbit, Trustwave
6 | #-----------------------------------------------------------
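package rdphint;
use strict;

# NOTE(review): hive is "NTUSER" here while sibling NTUSER plugins use
# "NTUSER.DAT"; left as-is so getHive()/getConfig() output is unchanged.
my %config = (hive => "NTUSER",
              osmask => 22,
              hasShortDescr => 1,
              hasDescr => 0,
              hasRefs => 0,
              version => 20090715);

sub getConfig{return %config}
sub getShortDescr { return "Gets hosts logged onto via RDP and the Domain\\Username";}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# pluginmain($class, $hive)
# For each subkey of Software\Microsoft\Terminal Server Client\Servers (one
# per host the RDP client connected to) reports the host name, the
# UsernameHint value (DOMAIN\user last used for that host) and the subkey's
# LastWrite time. A host whose UsernameHint is absent is now reported
# explicitly instead of printing an empty "Domain/Username:" line.
# $hive - path to the NTUSER.DAT hive file. Output goes through ::rptMsg;
# nothing is returned.
sub pluginmain {
	my $class = shift;
	my $hive = shift;
	::logMsg("Launching rdphint v.".$VERSION);
	::rptMsg("rdphint v.".$VERSION); # banner
	::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
	my $reg = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;
	my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers';
	my $key;
	if ($key = $root_key->get_subkey($key_path)) {
		::rptMsg("Terminal Server Client\\Servers");
		::rptMsg($key_path);
		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
		::rptMsg("");
		my @subkeys = $key->get_list_of_subkeys();
		if (scalar(@subkeys) > 0) {
			foreach my $s (@subkeys) {
				my $hint;
				# get_value() returns undef for a missing value; ->get_data()
				# then dies inside the eval and leaves $hint undefined.
				eval {
					$hint = $s->get_value("UsernameHint")->get_data();
				};
				::rptMsg("");
				::rptMsg("Hostname: ".$s->get_name());
				if (defined $hint) {
					::rptMsg("Domain/Username: ".$hint);
				}
				else {
					::rptMsg("Domain/Username: (UsernameHint value not found)");
				}
				::rptMsg("LastWrite: ".gmtime($s->get_timestamp())." (UTC)");
				::rptMsg("");
			}
		}
		else {
			::rptMsg($key_path." has no subkeys.");
		}
	}
	else {
		::rptMsg($key_path." not found.");
	}
}
1;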
--------------------------------------------------------------------------------
/plugins/rdpnla.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # rdpnla.pl
3 | #
4 | # 20151203 - created
5 | #
6 | # Author: Chakib Gzenayi, chakib.gzenayi@gmail.com
7 | #-----------------------------------------------------------
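package rdpnla;
use strict;
my %config = (hive => "System",
              hasShortDescr => 1,
              hasDescr => 0,
              hasRefs => 0,
              osmask => 22,
              version => 20151203);

sub getConfig{return %config}
sub getShortDescr {
	return "Queries System hive for RDP NLA Checking";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Reports the RDP listener's security settings from the current control set's
# Control\Terminal Server\WinStations\RDP-Tcp key:
#   SecurityLayer      - 0 = legacy RDP security layer, 1 = negotiate,
#                        2 = SSL/TLS required
#   UserAuthentication - 0 = NLA not required, 1 = NLA (CredSSP) required
# Only UserAuthentication states whether Network Level Authentication is
# enforced; SecurityLayer alone (all the plugin reported before) does not.
# A listener with UserAuthentication = 0 lets an unauthenticated client reach
# the Windows logon screen, which is exactly what NLA is meant to prevent.
# The Select\Current lookup is guarded so a hive without it no longer kills
# the whole plugin run.
# $hive - path to the System hive file. Output goes through ::rptMsg;
# nothing is returned.
sub pluginmain {
	my $class = shift;
	my $hive = shift;
	my $key;

	::logMsg("Launching rdpnla v.".$VERSION);
	::rptMsg("rdpnla v.".$VERSION);
	::rptMsg("(".getHive().") ".getShortDescr()."\n");
	my $reg = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;

	# Select\Current names the control set that was live when the hive was
	# last used; a missing key/value dies inside the eval.
	my $current;
	eval {
		$current = $root_key->get_subkey("Select")->get_value("Current")->get_data();
	};
	if ($@ || !defined $current) {
		::rptMsg("Select\\Current value not found; cannot locate CurrentControlSet.");
		return;
	}
	my $key_path = sprintf("ControlSet%03d",$current)."\\Control\\Terminal Server\\WinStations\\RDP-Tcp";
	if ($key = $root_key->get_subkey($key_path)) {
		::rptMsg($key_path);
		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");

		my %layer = (0 => "RDP Security Layer",
		             1 => "Negotiate",
		             2 => "SSL/TLS");
		my $sec;
		# get_value() returns undef for a missing value; ->get_data() then
		# dies inside the eval and $@ is set.
		eval {
			$sec = $key->get_value("SecurityLayer")->get_data();
		};
		if ($@ || !defined $sec) {
			::rptMsg("SecurityLayer value not found.");
		}
		else {
			my $meaning = exists $layer{$sec} ? $layer{$sec} : "unknown";
			::rptMsg("SecurityLayer = ".$sec." (".$meaning.")");
		}

		my $ua;
		eval {
			$ua = $key->get_value("UserAuthentication")->get_data();
		};
		if ($@ || !defined $ua) {
			::rptMsg("UserAuthentication value not found.");
		}
		else {
			::rptMsg("UserAuthentication = ".$ua.($ua ? " (NLA required)" : " (NLA NOT required)"));
		}
	}
	else {
		::rptMsg($key_path." not found.");
	}
}
1;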
57 |
--------------------------------------------------------------------------------
/plugins/rdpport.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # rdpport.pl
3 | # Determine the RDP Port used
4 | #
5 | # History
6 | # 20100713 - created
7 | #
8 | # References
9 | # http://support.microsoft.com/kb/306759
10 | #
11 | # copyright 2010 Quantum Analytics Research, LLC
12 | #-----------------------------------------------------------
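package rdpport;
use strict;
my %config = (hive => "System",
              hasShortDescr => 1,
              hasDescr => 0,
              hasRefs => 0,
              osmask => 22,
              version => 20100713);

sub getConfig{return %config}
sub getShortDescr {
	return "Queries System hive for RDP Port";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# pluginmain($class, $hive)
# Reports the PortNumber value of the current control set's
# Control\Terminal Server\WinStations\RDP-Tcp key, i.e. the TCP port the RDP
# listener is configured on, and flags it when it is not the default 3389
# (a changed port is either deliberate hardening or an attempt to hide an
# RDP listener - either way worth a look). The Select\Current lookup is
# guarded so a hive without it no longer kills the whole plugin run, and the
# banner is printed once instead of twice.
# $hive - path to the System hive file. Output goes through ::rptMsg;
# nothing is returned.
sub pluginmain {
	my $class = shift;
	my $hive = shift;
	my $key;

	::logMsg("Launching rdpport v.".$VERSION);
	::rptMsg("rdpport v.".$VERSION); # banner
	::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
	my $reg = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;

	# Select\Current names the control set that was live when the hive was
	# last used; a missing key/value dies inside the eval.
	my $ccs;
	eval {
		$ccs = $root_key->get_subkey("Select")->get_value("Current")->get_data();
	};
	if ($@ || !defined $ccs) {
		::rptMsg("Select\\Current value not found; cannot locate CurrentControlSet.");
		return;
	}
	my $key_path = sprintf("ControlSet%03d",$ccs)."\\Control\\Terminal Server\\WinStations\\RDP-Tcp";
	if ($key = $root_key->get_subkey($key_path)) {
		::rptMsg($key_path);
		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
		::rptMsg("");
		my $port;
		# get_value() returns undef for a missing value; ->get_data() then
		# dies inside the eval and $@ is set.
		eval {
			$port = $key->get_value("PortNumber")->get_data();
		};
		if ($@ || !defined $port) {
			::rptMsg("PortNumber value not found.");
		}
		else {
			::rptMsg("Remote Desktop Listening Port Number = ".$port);
			::rptMsg("Note: non-default RDP port (default is 3389).") if ($port != 3389);
		}
	}
	else {
		::rptMsg($key_path." not found.");
	}
}
1;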
--------------------------------------------------------------------------------
/plugins/regtime.pl:
--------------------------------------------------------------------------------
1 | #! c:\perl\bin\perl.exe
2 | #-----------------------------------------------------------
3 | # regtime.pl
4 | # Plugin for Registry Ripper; traverses through a Registry
5 | # hive file, pulling out keys and their LastWrite times, and
6 | # then listing them in order, sorted by the most recent time
7 | # first - works with any Registry hive file.
8 | #
9 | # Change history
10 | #
11 | #
12 | # copyright 2008 H. Carvey
13 | #-----------------------------------------------------------
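package regtime;
use strict;

my %config = (hive => "All",
              hasShortDescr => 1,
              hasDescr => 0,
              hasRefs => 0,
              osmask => 22,
              version => 20080324);

sub getConfig{return %config}
sub getShortDescr {
	return "Dumps entire hive - all keys sorted by LastWrite time";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

# LastWrite time (epoch seconds) => list of key paths with that time.
# File-scoped so traverse() can fill it; pluginmain() resets it per run.
my %regkeys;

# pluginmain($class, $file)
# Walks every key in the hive at $file and reports them newest-first by
# LastWrite time as "<gmtime>Z \t<key path>". Keys sharing a timestamp are
# listed in traversal order. Works for any hive type (hive => "All").
# $file - path to the hive file. Output goes through ::rptMsg; nothing is
# returned.
sub pluginmain {
	my $class = shift;
	my $file = shift;
	my $reg = Parse::Win32Registry->new($file);
	my $root_key = $reg->get_root_key;
	::logMsg("Launching regtime v.".$VERSION);
	::rptMsg("regtime v.".$VERSION); # banner
	::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner

	# Clear the accumulator first: it is file-scoped, so a second call in the
	# same process (e.g. a profile running this plugin against several hives)
	# would otherwise re-report the previous hive's keys.
	%regkeys = ();
	traverse($root_key);

	foreach my $t (sort {$b <=> $a} keys %regkeys) {
		foreach my $item (@{$regkeys{$t}}) {
			::rptMsg(gmtime($t)."Z \t".$item);
		}
	}
}

# traverse($key)
# Depth-first walk from $key, recording each key's path under its LastWrite
# time in %regkeys. The "$$$PROTO.HIV" root-name prefix and everything from
# the first "[" onward (the bracketed suffix as_string() appends) are
# stripped so only the key path remains.
sub traverse {
	my $key = shift;
	my $ts = $key->get_timestamp();
	my $name = $key->as_string();
	$name =~ s/\$\$\$PROTO\.HIV//;
	$name = (split(/\[/,$name))[0];
	push(@{$regkeys{$ts}},$name);
	foreach my $subkey ($key->get_list_of_subkeys()) {
		traverse($subkey);
	}
}

1;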
--------------------------------------------------------------------------------
/plugins/regtime_tln.pl:
--------------------------------------------------------------------------------
1 | #! c:\perl\bin\perl.exe
2 | #-----------------------------------------------------------
3 | # regtime_tln.pl
4 | # Plugin for Registry Ripper; traverses through a Registry
5 | # hive file, pulling out keys and their LastWrite times, and
6 | # then listing them in order, sorted by the most recent time
7 | # first - works with any Registry hive file.
8 | #
9 | # Change history
10 | #
11 | #
12 | # copyright 2008 H. Carvey
13 | #-----------------------------------------------------------
package regtime_tln;
use strict;

# Plugin metadata read by the RegRipper host: the hive this plugin applies
# to ("All" = any hive), which descriptive accessors exist, the OS mask and
# the YYYYMMDD version stamp.
my %config = (
    hive          => "All",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20080324,
);

# Discovery accessors called by the host. getDescr/getRefs are deliberately
# empty, matching hasDescr/hasRefs = 0 above.
sub getConfig     { return %config; }
sub getShortDescr { return "Dumps entire hive - all keys sorted by LastWrite time"; }
sub getDescr      { return; }
sub getRefs       { return; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

# File-scoped copy of the version stamp used in the log banner.
my $VERSION = getVersion();
34 |
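# Accumulator shared by pluginmain() and traverse():
# LastWrite time (epoch seconds) -> list of key paths carrying that time.
my %regkeys;

# Entry point called by the RegRipper host: walks the whole hive and emits
# one timeline (TLN) line per key, most recent LastWrite time first.
#   $class - plugin package name (unused)
#   $file  - path to the hive file
# Returns nothing; all output goes through ::rptMsg()/::logMsg().
sub pluginmain {
    my ($class, $file) = @_;
    # Clear the accumulator so a second invocation in the same process (this
    # plugin applies to every hive) does not report entries from an earlier
    # hive alongside the current one.
    %regkeys = ();
    my $reg      = Parse::Win32Registry->new($file);
    my $root_key = $reg->get_root_key;
    ::logMsg("Launching regtime_tln v.".$VERSION);

    traverse($root_key);

    # Timestamps are numeric, so sort numerically and emit the newest first.
    foreach my $t (reverse sort { $a <=> $b } keys %regkeys) {
        foreach my $item (@{ $regkeys{$t} }) {
            # TLN line: epoch time, "REG" source, then "M..." (presumably the
            # MACB modified flag) and the key path as the description.
            ::rptMsg($t."|REG|M... ".$item);
        }
    }
    return;
}

# Depth-first walk: records $key's path under its LastWrite time in
# %regkeys, then recurses into every subkey.
#   $key - a Parse::Win32Registry key object
sub traverse {
    my ($key) = @_;
    my $ts   = $key->get_timestamp();
    my $name = $key->as_string();
    # as_string() apparently yields "<path> [<timestamp ...>]"; keep only the
    # path part and drop the "$$$PROTO.HIV" root-name prefix.
    $name =~ s/\$\$\$PROTO\.HIV//;
    $name = (split(/\[/, $name))[0];
    push(@{ $regkeys{$ts} }, $name);
    foreach my $subkey ($key->get_list_of_subkeys()) {
        traverse($subkey);
    }
    return;
}

1;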
--------------------------------------------------------------------------------
/plugins/runmru_tln.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # runmru_tln.pl
3 | # Plugin for Registry Ripper, NTUSER.DAT edition - gets the
4 | # RunMru values
5 | #
6 | # Change history
7 | # 20120828 - updated to TLN format
8 | # 20080324 - created
9 | #
10 | # References
11 | #
12 | #
13 | # copyright 2012 Quantum Analytics Research, LLC
14 | # Author: H. Carvey
15 | #-----------------------------------------------------------
package runmru_tln;
use strict;

# Plugin metadata read by the RegRipper host. The hive value is matched by
# the host (hence the escaped dot); keep it as written.
my %config = (
    hive          => "NTUSER\.DAT",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20120828,
);

# Discovery accessors called by the host. getDescr/getRefs are deliberately
# empty, matching hasDescr/hasRefs = 0 above.
sub getConfig     { return %config; }
sub getShortDescr { return "Gets contents of user's RunMRU key (TLN)"; }
sub getDescr      { return; }
sub getRefs       { return; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

# File-scoped copy of the version stamp used in the log banner.
my $VERSION = getVersion();
36 |
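# Entry point called by the RegRipper host: emits one timeline (TLN) line
# for the most recently used RunMRU entry, dated by the key's LastWrite time.
#   $class  - plugin package name (unused)
#   $ntuser - path to the NTUSER.DAT hive
# Returns nothing; output goes through ::rptMsg()/::logMsg().
sub pluginmain {
    my ($class, $ntuser) = @_;
    ::logMsg("Launching runmru_tln v.".$VERSION);
    my $reg      = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;

    my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU';
    my $key      = $root_key->get_subkey($key_path);
    # TLN output is intentionally silent when the key or its values are
    # absent; the non-TLN runmru plugin is the one that reports those cases.
    return unless $key;
    my @vals = $key->get_list_of_values();
    return unless @vals;

    my $lw = $key->get_timestamp();
    # The first character of MRUList names the value holding the latest Run
    # dialog entry. A missing or empty MRUList makes one of the get_data()
    # calls die; the eval swallows that on purpose so no partial line is
    # written. The entry text is user-typed data and is reported verbatim.
    eval {
        my $m = $key->get_value("MRUList")->get_data();
        my $r = (split(//, $m))[0];
        die "empty MRUList\n" unless defined $r;
        my $mru = $key->get_value($r)->get_data();
        ::rptMsg($lw."|REG|||RunMRU: ".$mru);
    };
    return;
}

1;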
--------------------------------------------------------------------------------
/plugins/sam:
--------------------------------------------------------------------------------
1 | # 20120528 *ALL* Plugins that apply on SAM hive, alphabetical order
2 | samparse
--------------------------------------------------------------------------------
/plugins/secctr.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # secctr
3 | # Plugin to get data from Security Center keys
4 | #
5 | # Change History:
6 | # 20100310 - created
7 | #
8 | # References:
9 | #
10 | #
11 | # copyright 2010 Quantum Analytics Research, LLC
12 | #-----------------------------------------------------------
package secctr;
use strict;

# Plugin metadata read by the RegRipper host: target hive, which descriptive
# accessors exist, the OS mask and the YYYYMMDD version stamp.
my %config = (
    hive          => "Software",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20100310,
);

# Discovery accessors called by the host. getDescr is deliberately empty
# (hasDescr = 0); no getRefs is defined, consistent with hasRefs = 0.
sub getConfig     { return %config; }
sub getShortDescr { return "Get data from Security Center key"; }
sub getDescr      { return; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

# File-scoped copy of the version stamp used in the log/report banners.
my $VERSION = getVersion();
32 |
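# Entry point called by the RegRipper host: reports the Security Center key's
# LastWrite time and every value beneath it.
#   $class - plugin package name (unused)
#   $hive  - path to the SOFTWARE hive
# Returns nothing; output goes through ::rptMsg()/::logMsg().
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching secctr v.".$VERSION);
    ::rptMsg("secctr v.".$VERSION); # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $key_path = 'Microsoft\Security Center';
    ::rptMsg("secctr");
    ::rptMsg("");

    my $key = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." not found.");
        ::rptMsg("");
        return;
    }
    ::rptMsg("");
    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
    ::rptMsg("");
    my @vals = $key->get_list_of_values();
    unless (@vals) {
        ::rptMsg($key_path." has no values.");
        return;
    }
    foreach my $v (@vals) {
        # List assignment keeps the first element, as the original sprintf
        # argument list did for multi-valued data.
        my ($data) = $v->get_data();
        # The values of interest are DWORD flags, shown in hex. Anything that
        # is not a plain integer (e.g. a string value) is printed as-is
        # rather than being silently coerced to 0x00 by %x.
        my $str = (defined $data && $data =~ /\A\d+\z/)
            ? sprintf("%-25s 0x%02x", $v->get_name(), $data)
            : sprintf("%-25s %s",     $v->get_name(), (defined $data ? $data : ""));
        ::rptMsg($str);
    }
    return;
}
1;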
--------------------------------------------------------------------------------
/plugins/secrets.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # secrets.pl
3 | # Get the last write time for the Policy\Secrets key
4 | #
5 | #
6 | # History
7 | # 20140730 - created
8 | #
9 | # Note: When gsecdump.exe is run with the "-a" switch, or the LSA
10 | # secrets are dumped, the tool accesses the Policy\Secrets key
11 | # in a way that modifies the key LastWrite time without changing
12 | # any values or data. As such, the LastWrite time of this key may
13 | # correlate to the time that gsecdump.exe was run. Insight for this
14 | # plugin was provided by Jamie Levy
15 | #
16 | # copyright 2014 Quantum Analytics Research, LLC
17 | # Author: H. Carvey, keydet89@yahoo.com
18 | #-----------------------------------------------------------
package secrets;
use strict;

# Plugin metadata read by the RegRipper host: target hive, which descriptive
# accessors exist, the OS mask and the YYYYMMDD version stamp.
my %config = (
    hive          => "Security",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20140730,
);

# Discovery accessors called by the host. getDescr/getRefs are deliberately
# empty, matching hasDescr/hasRefs = 0 above.
sub getConfig     { return %config; }
sub getShortDescr { return "Get the last write time for the Policy\\Secrets key"; }
sub getDescr      { return; }
sub getRefs       { return; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

# File-scoped copy of the version stamp used in the log/report banners.
my $VERSION = getVersion();
39 |
# Entry point called by the RegRipper host: reports the LastWrite time of
# the Policy\Secrets key (see the header note on why that time matters).
#   $class - plugin package name (unused)
#   $hive  - path to the SECURITY hive
# Returns nothing; output goes through ::rptMsg()/::logMsg().
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching secrets v.".$VERSION);
    ::rptMsg("secrets v.".$VERSION); # banner
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    my $key_path = "Policy\\Secrets";
    my $key      = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." not found.");
        return;
    }
    # Only the key's timestamp is of interest; no values are read.
    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
    ::rptMsg("");
    return;
}

1;
--------------------------------------------------------------------------------
/plugins/security:
--------------------------------------------------------------------------------
1 | # 20120528 *ALL* Plugins that apply on SECURITY hive, alphabetical order
2 | auditpol
3 | lsasecrets
4 | polacdms
--------------------------------------------------------------------------------
/plugins/skype.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # skype.pl
3 | #
4 | #
5 | # History
6 | # 20100713 - created
7 | #
8 | # References
9 | #
10 | #
11 | # copyright 2010 Quantum Analytics Research, LLC
12 | #-----------------------------------------------------------
package skype;
use strict;

# Plugin metadata read by the RegRipper host. The hive value is matched by
# the host (hence the escaped dot); keep it as written.
my %config = (
    hive          => "NTUSER\.DAT",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20100713,
);

# Discovery accessors called by the host. getDescr/getRefs are deliberately
# empty, matching hasDescr/hasRefs = 0 above.
sub getConfig     { return %config; }
sub getShortDescr { return "Gets data user's Skype key"; }
sub getDescr      { return; }
sub getRefs       { return; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

# File-scoped copy of the version stamp used in the log banner.
my $VERSION = getVersion();
33 |
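# Entry point called by the RegRipper host: reports the user's Skype key
# LastWrite time and the Installer\DonwloadLastModified value.
#   $class  - plugin package name (unused)
#   $ntuser - path to the NTUSER.DAT hive
# Returns nothing; output goes through ::rptMsg()/::logMsg().
sub pluginmain {
    my ($class, $ntuser) = @_;
    # The log line used to name "acmru" (copy-paste from another plugin);
    # it now identifies this plugin.
    ::logMsg("Launching skype v.".$VERSION);
    my $reg      = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;

    my $key_path = 'Software\\Skype';
    my $key      = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." not found.");
        return;
    }
    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
    ::rptMsg("");

    # NOTE(review): the value name "DonwloadLastModified" is reproduced as
    # found in the original plugin; confirm its spelling against a real
    # NTUSER.DAT before changing it, since a wrong name only yields the
    # "not found" line below.
    my $install;
    eval {
        $install = $key->get_subkey("Installer")->get_value("DonwloadLastModified")->get_data();
        ::rptMsg("DonwloadLastModified = ".$install);
    };
    ::rptMsg("DonwloadLastModified value not found: ".$@) if ($@);
    return;
}
1;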
--------------------------------------------------------------------------------
/plugins/software:
--------------------------------------------------------------------------------
1 | # 20120528 *ALL* Plugins that apply on SOFTWARE hive, alphabetical order
2 | appinitdlls
3 | apppaths
4 | assoc
5 | banner
6 | bho
7 | bitbucket
8 | clsid
9 | cmd_shell
10 | codeid
11 | ctrlpnl
12 | defbrowser
13 | direct
14 | disablesr
15 | drivers32
16 | drwatson
17 | emdmgmt
18 | ie_version
19 | imagefile
20 | init_dlls
21 | installedcomp
22 | installer
23 | kb950582
24 | landesk
25 | macaddr
26 | mrt
27 | msis
28 | networkcards
29 | networklist
30 | networkuid
31 | product
32 | profilelist
33 | regback
34 | removdev
35 | renocide
36 | schedagent
37 | secctr
38 | sfc
39 | shellexec
40 | shellext
41 | shelloverlay
42 | snapshot
43 | soft_run
44 | spp_clients
45 | sql_lastconnect
46 | ssid
47 | startmenuinternetapps_lm
48 | svchost
49 | tracing
50 | uninstall
51 | urlzone
52 | uac
53 | virut
54 | win_cv
55 | winbackup
56 | winlogon
57 | winnt_cv
58 | winver
59 | yahoo_lm
--------------------------------------------------------------------------------
/plugins/spp_clients.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # spp_clients
3 | #
4 | # History
5 | # 20130429 - added alertMsg() functionality
6 | # 20120914 - created
7 | #
8 | # copyright 2013 Quantum Analytics Research, LLC
9 | # Author: H. Carvey, keydet89@yahoo.com
10 | #-----------------------------------------------------------
package spp_clients;
use strict;

# Plugin metadata read by the RegRipper host: target hive, which descriptive
# accessors exist, the OS mask (50 = Vista/Win7 per the original comment)
# and the YYYYMMDD version stamp.
my %config = (
    hive          => "Software",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 50,
    version       => 20130429,
);

# Discovery accessors called by the host. getDescr/getRefs are deliberately
# empty, matching hasDescr/hasRefs = 0 above.
sub getConfig     { return %config; }
sub getShortDescr { return "Determines volumes monitored by VSS"; }
sub getDescr      { return; }
sub getRefs       { return; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

# File-scoped copy of the version stamp used in the log/report banners.
my $VERSION = getVersion();
31 |
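# Entry point called by the RegRipper host: reports the volumes listed under
# SPP\Clients and raises an alert when that list is empty.
#   $class - plugin package name (unused)
#   $hive  - path to the SOFTWARE hive
# Returns nothing; output goes through ::rptMsg()/::logMsg()/::alertMsg().
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching spp_clients v.".$VERSION);
    ::rptMsg("spp_clients v.".$VERSION);
    ::rptMsg("(".getHive().") ".getShortDescr()."\n");
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\SPP\\Clients';
    my $key      = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." not found.");
        return;
    }
    ::rptMsg("SPP_Clients");
    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
    ::rptMsg("");

    # The value under this GUID holds the monitored-volume list; an empty
    # string means nothing is being monitored, which is what the alert flags.
    my $val_name = "{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}";
    my $mon;
    eval {
        $mon = $key->get_value($val_name)->get_data();
        ::rptMsg("Monitored volumes: ".$mon);
        ::alertMsg("ALERT: No volumes monitored by VSS\.") if ($mon eq "");
    };
    # A missing value was previously swallowed without a trace; report it,
    # as the sibling plugins do, so "absent" can be told apart from "empty".
    ::rptMsg($val_name." value not found.") if ($@);
    return;
}
1;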
--------------------------------------------------------------------------------
/plugins/sysinternals.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # sysinternals.pl
3 | #
4 | #
5 | # Change history
6 | # 20120608 - created
7 | #
8 | # References
9 | #
10 | #
11 | # copyright 2012 Quantum Analytics Research, LLC
12 | # Author: H. Carvey, keydet89@yahoo.com
13 | #-----------------------------------------------------------
package sysinternals;
use strict;

# Plugin metadata read by the RegRipper host. The hive value is matched by
# the host (hence the escaped dot); keep it as written.
# NOTE(review): the version stamp (20080324) predates the "created" date in
# the header (20120608); left as-is since the host may key on it.
my %config = (
    hive          => "NTUSER\.DAT",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20080324,
);

# Discovery accessors called by the host. getDescr/getRefs are deliberately
# empty, matching hasDescr/hasRefs = 0 above.
sub getConfig     { return %config; }
sub getShortDescr { return "Checks for SysInternals apps keys"; }
sub getDescr      { return; }
sub getRefs       { return; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

# File-scoped copy of the version stamp used in the log banner.
my $VERSION = getVersion();
34 |
# Entry point called by the RegRipper host: lists every subkey under the
# user's Software\SysInternals key with its LastWrite time and, where
# present, the EulaAccepted value.
#   $class  - plugin package name (unused)
#   $ntuser - path to the NTUSER.DAT hive
# Returns nothing; output goes through ::rptMsg()/::logMsg().
sub pluginmain {
    my ($class, $ntuser) = @_;
    ::logMsg("Launching sysinternals v.".$VERSION);
    my $reg      = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;

    my $key_path = 'Software\\SysInternals';
    my $key      = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." not found.");
        return;
    }
    ::rptMsg("SysInternals");
    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
    my @subkeys = $key->get_list_of_subkeys();
    unless (@subkeys) {
        ::rptMsg($key_path." has no subkeys.");
        return;
    }
    # One subkey per tool; a missing EulaAccepted value makes get_data()
    # die inside the eval, which is how "not found" is detected.
    foreach my $s (@subkeys) {
        ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
        my $eula = eval { $s->get_value("EulaAccepted")->get_data() };
        if ($@) {
            ::rptMsg(" EulaAccepted value not found.");
        }
        else {
            ::rptMsg(" EulaAccepted: ".$eula);
        }
        ::rptMsg("");
    }
    return;
}

1;
--------------------------------------------------------------------------------
/plugins/system:
--------------------------------------------------------------------------------
1 | # 20120528 *ALL* Plugins that apply on SYSTEM hive, alphabetical order
2 | appcertdlls
3 | appcompatcache
4 | auditfail
5 | backuprestore
6 | compname
7 | crashcontrol
8 | ddm
9 | devclass
10 | disablelastaccess
11 | dllsearch
12 | eventlog
13 | eventlogs
14 | fw_config
15 | hibernate
16 | ide
17 | imagedev
18 | kbdcrash
19 | legacy
20 | mountdev
21 | network
22 | nic
23 | nic_mst2
24 | nic2
25 | nolmhash
26 | pagefile
27 | prefetch
28 | productpolicy
29 | producttype
30 | rdpport
31 | routes
32 | safeboot
33 | services
34 | shares
35 | shutdown
36 | shutdowncount
37 | stillimage
38 | svc
39 | svc2
40 | svc_plus
41 | svcdll
42 | termserv
43 | timezone
44 | usb
45 | usbdevices
46 | usbstor
47 | usbstor2
48 | usbstor3
49 | xpedition
50 | wpdbusenum
--------------------------------------------------------------------------------
/plugins/trappoll.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # trappoll.pl
3 | # There are indications that the contents of this value may be associated
4 | # with a number of different malware variants.
5 | #
6 | # History
7 | # 20120305 - created
8 | #
9 | # References
10 | # http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=903224#none
11 | #
12 | # copyright 2012, Quantum Analytics Research, LLC
13 | #-----------------------------------------------------------
package trappoll;
use strict;

# Plugin metadata read by the RegRipper host: target hive, OS mask, which
# descriptive accessors exist and the YYYYMMDD version stamp.
my %config = (
    hive          => "Software",
    osmask        => 22,
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    version       => 20120305,
);

# Discovery accessors called by the host. getDescr/getRefs are deliberately
# empty, matching hasDescr/hasRefs = 0 above.
sub getConfig     { return %config; }
sub getShortDescr { return "Get TrapPollTimeMilliSecs value, if found"; }
sub getDescr      { return; }
sub getRefs       { return; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

# File-scoped copy of the version stamp used in the log/report banners.
my $VERSION = getVersion();
35 |
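# Entry point called by the RegRipper host: reports the TrapPollTimeMilliSecs
# value (see header note on its malware association) in hex and as stored.
#   $class - plugin package name (unused)
#   $hive  - path to the SOFTWARE hive
# Returns nothing; output goes through ::rptMsg()/::logMsg().
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching trappoll v.".$VERSION);
    ::rptMsg("Launching trappoll v.".$VERSION);
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    my $key_path = "Microsoft\\RFC1156Agent\\CurrentVersion\\Parameters";
    my $key      = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." key not found.");
        return;
    }
    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
    ::rptMsg("");
    my $value = $key->get_value("TrapPollTimeMilliSecs");
    unless ($value) {
        ::rptMsg("Value not found.");
        return;
    }
    my $val = $value->get_data();
    # Registry data is untrusted input: it is passed as a sprintf argument,
    # never spliced into the format string, so a '%' in the data cannot be
    # read as a conversion directive (which previously garbled the output).
    ::rptMsg(sprintf("TrapPollTimeMilliSecs = 0x%x (%s)", $val, $val));
    return;
}
1;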
--------------------------------------------------------------------------------
/plugins/typedpaths_tln.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # typedpaths_tln.pl
3 | # For Windows 7, Desktop Address Bar History
4 | #
5 | # Change history
6 | # 20120828 - updated to TLN format
7 | # 20100330 - created
8 | #
9 | # References
10 | #
11 | #
12 | # copyright 2010 Quantum Analytics Research, LLC
13 | #-----------------------------------------------------------
package typedpaths_tln;
use strict;

# Plugin metadata read by the RegRipper host. The hive value is matched by
# the host (hence the escaped dot); keep it as written.
my %config = (
    hive          => "NTUSER\.DAT",
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20120828,
);

# Discovery accessors called by the host. getDescr/getRefs are deliberately
# empty, matching hasDescr/hasRefs = 0 above.
sub getConfig     { return %config; }
sub getShortDescr { return "Gets contents of user's typedpaths key (TLN)"; }
sub getDescr      { return; }
sub getRefs       { return; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

# File-scoped copy of the version stamp used in the log banner.
my $VERSION = getVersion();
34 |
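# Entry point called by the RegRipper host: emits one timeline (TLN) line
# for the TypedPaths "url1" value, dated by the key's LastWrite time.
#   $class  - plugin package name (unused)
#   $ntuser - path to the NTUSER.DAT hive
# Returns nothing; output goes through ::rptMsg()/::logMsg().
sub pluginmain {
    my ($class, $ntuser) = @_;
    # Log line now names this plugin rather than the non-TLN typedpaths.
    ::logMsg("Launching typedpaths_tln v.".$VERSION);
    my $reg      = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;

    my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths";
    my $key      = $root_key->get_subkey($key_path);
    # TLN output is intentionally silent when the key or its values are
    # absent; the non-TLN plugin is the one that reports those cases.
    return unless $key;
    my @vals = $key->get_list_of_values();
    return unless @vals;

    my $lw = $key->get_timestamp();
    # Only "url1" is emitted, tied to the key's LastWrite time. A missing
    # url1 makes get_data() die and the eval swallows that on purpose. The
    # path is user-typed data and is reported verbatim.
    eval {
        my $path = $key->get_value("url1")->get_data();
        ::rptMsg($lw."|REG|||TypedPaths - ".$path);
    };
    return;
}

1;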
--------------------------------------------------------------------------------
/plugins/uac.pl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WiredPulse/AutomatedProfiler/c145910e5fef8b0c9f7a9d405fff18b55314b065/plugins/uac.pl
--------------------------------------------------------------------------------
/plugins/wbem.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # wbem.pl
3 | # There are indications that the contents of this key may be associated
4 | # with a number of different malware variants, including the Elite
5 | # Keylogger.
6 | #
7 | # History
8 | # 20120306 - created
9 | #
10 | #
11 | # copyright 2012, Quantum Analytics Research, LLC
12 | #-----------------------------------------------------------
package wbem;
use strict;

# Plugin metadata read by the RegRipper host: target hive, OS mask, which
# descriptive accessors exist and the YYYYMMDD version stamp.
my %config = (
    hive          => "Software",
    osmask        => 22,
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    version       => 20120306,
);

# Discovery accessors called by the host. getDescr/getRefs are deliberately
# empty, matching hasDescr/hasRefs = 0 above.
sub getConfig     { return %config; }
sub getShortDescr { return "Get contents of WBEM\\WDM key"; }
sub getDescr      { return; }
sub getRefs       { return; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

# File-scoped copy of the version stamp used in the log/report banners.
my $VERSION = getVersion();
34 |
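# Entry point called by the RegRipper host: dumps every value under the
# WBEM\WDM key (see header note on its malware association).
#   $class - plugin package name (unused)
#   $hive  - path to the SOFTWARE hive
# Returns nothing; output goes through ::rptMsg()/::logMsg().
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching wbem v.".$VERSION);
    ::rptMsg("wbem v.".$VERSION); # banner
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    my $key_path = "Microsoft\\WBEM\\WDM";
    my $key      = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." not found.");
        return;
    }
    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
    ::rptMsg("");

    my @vals = $key->get_list_of_values();
    unless (@vals) {
        ::rptMsg($key_path." has no values.");
        return;
    }
    # Each value is written "name - data" with no type handling: data is
    # reported exactly as get_data() returns it.
    foreach my $v (@vals) {
        ::rptMsg($v->get_name()." - ".$v->get_data());
        ::rptMsg("");
    }
    return;
}
1;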
--------------------------------------------------------------------------------
/plugins/winrar.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # winrar.pl
3 | # Get WinRAR\ArcHistory entries
4 | #
5 | # History
6 | # 20080819 - created
7 | #
8 | #
9 | # copyright 2008 H. Carvey, keydet89@yahoo.com
10 | #-----------------------------------------------------------
package winrar;
use strict;

# Plugin metadata read by the RegRipper host. The hive value is matched by
# the host (hence the escaped dot); keep it as written.
my %config = (
    hive          => "NTUSER\.DAT",
    osmask        => 22,
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    version       => 20080819,
);

# Discovery accessors called by the host. getDescr/getRefs are deliberately
# empty, matching hasDescr/hasRefs = 0 above.
sub getConfig     { return %config; }
sub getShortDescr { return "Get WinRAR\\ArcHistory entries"; }
sub getDescr      { return; }
sub getRefs       { return; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

# File-scoped copy of the version stamp used in the log/report banners.
my $VERSION = getVersion();
32 |
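# Entry point called by the RegRipper host: lists the WinRAR ArcHistory
# entries (archive paths the user opened) in index order.
#   $class - plugin package name (unused)
#   $hive  - path to the NTUSER.DAT hive
# Returns nothing; output goes through ::rptMsg()/::logMsg().
sub pluginmain {
    my ($class, $hive) = @_;
    ::logMsg("Launching winrar v.".$VERSION);
    ::rptMsg("winrar v.".$VERSION); # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    my $key_path = "Software\\WinRAR\\ArcHistory";
    my $key      = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path." not found.");
        ::logMsg($key_path." not found.");
        return;
    }
    ::rptMsg("WinRAR");
    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
    ::rptMsg("");

    my @vals = $key->get_list_of_values();
    unless (@vals) {
        ::rptMsg($key_path." has no values.");
        return;
    }
    # Scalar assignment per value keeps get_data() in scalar context, as the
    # original loop did.
    my %arc;
    foreach my $v (@vals) {
        $arc{$v->get_name()} = $v->get_data();
    }
    # ArcHistory value names are small integers (winrar_tln.pl treats "0" as
    # the latest entry), so sort them numerically: a plain string sort put
    # "10" before "2". Any non-numeric name falls back to string order.
    foreach my $name (sort { _by_index($a, $b) } keys %arc) {
        ::rptMsg($name." -> ".$arc{$name});
    }
    return;
}

# Numeric comparison when both names are all digits, string comparison
# otherwise; used to order ArcHistory value names.
sub _by_index {
    my ($x, $y) = @_;
    return ($x =~ /\A\d+\z/ && $y =~ /\A\d+\z/) ? $x <=> $y : $x cmp $y;
}
1;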
--------------------------------------------------------------------------------
/plugins/winrar_tln.pl:
--------------------------------------------------------------------------------
1 | #-----------------------------------------------------------
2 | # winrar_tln.pl
3 | # Get WinRAR\ArcHistory entries
4 | #
5 | # History
6 | # 20120829 - updated to TLN
7 | # 20080819 - created (winrar.pl)
8 | #
9 | #
10 | # copyright 2008 H. Carvey, keydet89@yahoo.com
11 | #-----------------------------------------------------------
package winrar_tln;
use strict;

# Plugin metadata read by the RegRipper host. The hive value is matched by
# the host (hence the escaped dot); keep it as written.
my %config = (
    hive          => "NTUSER\.DAT",
    osmask        => 22,
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    version       => 20120829,
);

# Discovery accessors called by the host. getDescr/getRefs are deliberately
# empty, matching hasDescr/hasRefs = 0 above.
sub getConfig     { return %config; }
sub getShortDescr { return "Get WinRAR\\ArcHistory entries (TLN)"; }
sub getDescr      { return; }
sub getRefs       { return; }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

# File-scoped copy of the version stamp used in the log banner.
my $VERSION = getVersion();
33 |
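# Entry point called by the RegRipper host: emits one timeline (TLN) line
# for the latest WinRAR ArcHistory entry (value "0"), dated by the key's
# LastWrite time.
#   $class - plugin package name (unused)
#   $hive  - path to the NTUSER.DAT hive
# Returns nothing; output goes through ::rptMsg()/::logMsg().
sub pluginmain {
    my ($class, $hive) = @_;
    # Log line now names this plugin rather than the non-TLN winrar.
    ::logMsg("Launching winrar_tln v.".$VERSION);
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    my $key_path = "Software\\WinRAR\\ArcHistory";
    my $key      = $root_key->get_subkey($key_path);
    # TLN output is intentionally silent when the key or its values are
    # absent; the non-TLN winrar plugin is the one that reports those cases.
    return unless $key;
    my @vals = $key->get_list_of_values();
    return unless @vals;

    my $lw = $key->get_timestamp();
    # Only value "0" is emitted, tied to the key's LastWrite time; if it is
    # missing, get_data() dies and the eval swallows that on purpose.
    eval {
        my $last = $key->get_value("0")->get_data();
        ::rptMsg($lw."|REG|||WinRAR/ArcHistory - ".$last);
    };
    return;
}
1;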
--------------------------------------------------------------------------------