示例1: render_text
def render_text(self, outfd, data):
    """Write every found key, its subkeys and its values to ``outfd``.

    ``data`` yields ``(reg, key)`` pairs; a falsy ``key`` is a miss in that
    hive and prints nothing. A single "not found" line is printed instead
    when no pair carried a key.
    """
    outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")

    def printable(tp, dat):
        # Binary/none data is shown as a hexdump starting on a new line,
        # string data is made ASCII-safe, and a REG_MULTI_SZ list is
        # re-encoded element by element in place.
        if tp == 'REG_BINARY' or tp == 'REG_NONE':
            rows = ["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c))
                    for o, h, c in utils.Hexdump(dat)]
            dat = "\n" + "\n".join(rows)
        if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
            dat = dat.encode("ascii", 'backslashreplace')
        if tp == 'REG_MULTI_SZ':
            for i, item in enumerate(dat):
                dat[i] = item.encode("ascii", 'backslashreplace')
        return dat

    found_any = False
    for reg, key in data:
        if not key:
            continue
        found_any = True
        outfd.write("----------------------------\n")
        outfd.write("Registry: {0}\n".format(reg))
        outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
        outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
        outfd.write("\n")
        outfd.write("Subkeys:\n")
        for sub in rawreg.subkeys(key):
            # ``== None`` rather than ``is None``: a missing name is expected
            # to be a NoneObject carrying a ``reason``, which compares equal
            # to None but is not the None singleton.
            if sub.Name == None:
                outfd.write(" Unknown subkey: " + sub.Name.reason + "\n")
            else:
                outfd.write(" {1:3s} {0}\n".format(sub.Name, self.voltext(sub)))
        outfd.write("\n")
        outfd.write("Values:\n")
        for val in rawreg.values(key):
            tp, dat = rawreg.value_data(val)
            outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(
                tp, val.Name, printable(tp, dat), self.voltext(val)))
    if not found_any:
        outfd.write("The requested key could not be found in the hive(s) searched\n")
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:31,代码来源:printkey.py
示例2: render_text
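def render_text(self, outfd, data):
    """Print one "<timestamp>\\t<value name>" line per binary TrustRecords value.

    ``data`` yields ``(reg, path, key)`` triples. The first 8 bytes of each
    REG_BINARY/REG_NONE value are read as a little-endian FILETIME (100 ns
    ticks since 1601-01-01); a value shorter than that is reported with a
    placeholder instead of raising ``struct.error``. Timestamps outside the
    original plausibility window (day counts 140000..160000) are zeroed, as
    the original code did, so they print as 1601-01-01. A "not found" line
    is printed when no key was found.
    """
    def filetime_to_datetime(raw):
        # Split the tick count into whole seconds plus the remaining 100-ns
        # ticks; the remainder is scaled to microseconds because the third
        # positional argument of timedelta is *microseconds* (the original
        # passed the unscaled 100-ns remainder there).
        ticks = struct.unpack("<q", raw[0:8])[0]
        seconds, remainder = divmod(ticks, 10000000)
        days, seconds = divmod(seconds, 86400)
        microseconds = remainder // 10
        if days > 160000 or days < 140000:
            days = seconds = microseconds = 0
        return datetime.datetime(1601, 1, 1) + datetime.timedelta(days, seconds, microseconds)

    outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
    keyfound = False
    for reg, path, key in data:
        if not key:
            continue
        keyfound = True
        outfd.write("----------------------------\n")
        outfd.write("Registry: {0}\n".format(reg))
        outfd.write("Key path: {0}\n".format(path))
        outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
        outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
        outfd.write("\n")
        outfd.write("Values:\n")
        for s in rawreg.values(key):
            tp, dat = rawreg.value_data(s)
            if tp != 'REG_BINARY' and tp != 'REG_NONE':
                continue
            if not dat or len(dat) < 8:
                # Too short to hold a FILETIME: keep the entry visible to the
                # analyst rather than skipping it silently.
                outfd.write("<no timestamp>\t" + str(s.Name) + "\n")
                continue
            outfd.write(str(filetime_to_datetime(dat)) + "\t" + s.Name + "\n")
    if not keyfound:
        outfd.write("The requested key could not be found in the hive(s) searched\n")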
开发者ID:kartikeyap,项目名称:volatility-plugins,代码行数:25,代码来源:trustrecords.py
示例3: get_hbootkey
def get_hbootkey(samaddr, bootkey):
    """Derive the SAM "hashed bootkey" from the Account key's F value.

    Returns None when ``bootkey`` is empty, the SAM root or the
    SAM\\Domains\\Account key cannot be opened, or the F value is missing or
    unreadable. The derivation (MD5 over F[0x70:0x80], the module-level
    ``aqwerty``/``anum`` strings and the bootkey, then RC4 over
    F[0x80:0xA0]) is the one the original hashdump code uses.
    """
    if not bootkey:
        return None
    root = rawreg.get_root(samaddr)
    if not root:
        return None
    account_key = rawreg.open_key(root, ["SAM", "Domains", "Account"])
    if not account_key:
        return None
    f_blob = None
    for value in rawreg.values(account_key):
        if value.Name == 'F':
            # no break: the last 'F' value seen wins, as in the original
            f_blob = samaddr.read(value.Data, value.DataLength)
    if not f_blob:
        return None
    digest = MD5.new()
    digest.update(f_blob[0x70:0x80] + aqwerty + bootkey + anum)
    cipher = ARC4.new(digest.digest())
    return cipher.encrypt(f_blob[0x80:0xA0])
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:29,代码来源:hashdump.py
示例4: render_text
def render_text(self, outfd, data):
    """Print every found key with its subkeys and values to ``outfd``.

    ``data`` yields ``(reg, key)`` pairs. A falsy ``key`` prints
    "Unable to find requested key" unless the BRUTE_FORCE option is set,
    and is skipped either way.
    """
    def printable(tp, dat):
        # REG_BINARY is hexdumped on the following lines; strings are made
        # ASCII-safe; a REG_MULTI_SZ list is re-encoded in place.
        if tp == 'REG_BINARY':
            dat = "\n" + hd(dat, length = 16)
        if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
            dat = dat.encode("ascii", 'backslashreplace')
        if tp == 'REG_MULTI_SZ':
            for i, item in enumerate(dat):
                dat[i] = item.encode("ascii", 'backslashreplace')
        return dat

    for reg, key in data:
        if not key:
            # NOTE(review): indentation was lost in this copy; the continue
            # is read as applying to every missing key and the message only
            # when not brute-forcing.
            if not self._config.BRUTE_FORCE:
                outfd.write("Unable to find requested key\n")
            continue
        outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
        outfd.write("Registry: {0}\n".format(reg))
        outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
        outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
        outfd.write("\n")
        outfd.write("Subkeys:\n")
        for sub in rawreg.subkeys(key):
            # ``== None`` on purpose: a missing name is expected to be a
            # NoneObject (carrying ``reason``) that equals None without being it
            if sub.Name == None:
                outfd.write(" Unknown subkey: " + sub.Name.reason + "\n")
            else:
                outfd.write(" {1:3s} {0}\n".format(sub.Name, self.voltext(sub)))
        outfd.write("\n")
        outfd.write("Values:\n")
        for val in rawreg.values(key):
            tp, dat = rawreg.value_data(val)
            outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(
                tp, val.Name, printable(tp, dat), self.voltext(val)))
开发者ID:gleeda,项目名称:Volatility-Plugins,代码行数:29,代码来源:printkey.py
示例5: get_user_hashes
def get_user_hashes(user_key, hbootkey):
    """Return ``decrypt_hashes(...)`` for the encrypted LM/NT hashes of a user key.

    The RID is the key name parsed as hex. Offsets and lengths of the two
    hash blobs are little-endian uint32 fields of the V record (LM at
    0x9c/0xa0, NT at 0xa8/0xac); offsets are taken relative to a 0xCC-byte
    header plus 4 and lengths have 4 subtracted, exactly as the original
    does. A zero length yields an empty string for that hash. None when the
    V value is missing or unreadable.
    """
    samaddr = user_key.obj_vm
    rid = int(str(user_key.Name), 16)
    v_blob = None
    for value in rawreg.values(user_key):
        if value.Name == 'V':
            v_blob = samaddr.read(value.Data, value.DataLength)
    if not v_blob:
        return None

    def field(offset):
        # little-endian uint32 at ``offset`` of the V record
        return unpack("<L", v_blob[offset:offset + 4])[0]

    lm_offset = field(0x9c) + 0xCC + 4
    lm_len = field(0xa0) - 4
    nt_offset = field(0xa8) + 0xCC + 4
    nt_len = field(0xac) - 4
    enc_lm_hash = v_blob[lm_offset:lm_offset + 0x10] if lm_len else ""
    enc_nt_hash = v_blob[nt_offset:nt_offset + 0x10] if nt_len else ""
    return decrypt_hashes(rid, enc_lm_hash, enc_nt_hash, hbootkey)
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:26,代码来源:hashdump.py
示例6: reg_yield_values
def reg_yield_values(self, hive_name, key, thetype = None, given_root = None):
    '''
    Yield ``(name, data)`` for every value of a registry key.

    ``given_root`` is used as the key object when supplied, otherwise the
    key is looked up via ``reg_get_key``. When ``thetype`` is given only
    values of that type are yielded. Nothing is yielded for an empty
    ``key`` or a key that cannot be opened.
    '''
    if not key:
        return
    # ``!= None`` kept on purpose: key objects may be NoneObjects that
    # compare equal to None without being the None singleton.
    root = given_root if given_root != None else self.reg_get_key(hive_name, key)
    if root != None:
        for entry in rawreg.values(root):
            tp, dat = rawreg.value_data(entry)
            if thetype == None or tp == thetype:
                yield entry.Name, dat
开发者ID:Jack47,项目名称:volatility,代码行数:11,代码来源:registryapi.py
示例7: find_control_set
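def find_control_set(sysaddr):
    """Return the ``Data`` of the ``Select\\Current`` value of the SYSTEM hive.

    Falls back to 1 when the hive root or the ``Select`` key cannot be
    opened, and now also when ``Select`` has no ``Current`` value: the
    original fell off the end of the loop there and returned None instead
    of the fallback the other failure paths use.
    """
    root = rawreg.get_root(sysaddr)
    if not root:
        return 1
    select_key = rawreg.open_key(root, ["Select"])
    if not select_key:
        return 1
    for value in rawreg.values(select_key):
        if value.Name == "Current":
            return value.Data
    return 1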
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:12,代码来源:hashdump.py
示例8: get_user_desc
def get_user_desc(user_key):
    """Return the description string stored in a user key's V value, or None.

    The string is located through two little-endian uint32 fields of the V
    record (offset at 0x24, length at 0x28; the offset is taken relative to
    a 0xCC-byte header, as the original does) and decoded as UTF-16-LE.
    None when the V value is missing or unreadable.
    """
    samaddr = user_key.obj_vm
    v_blob = None
    for value in rawreg.values(user_key):
        if value.Name == 'V':
            v_blob = samaddr.read(value.Data, value.DataLength)
    if not v_blob:
        return None

    def field(offset):
        # little-endian uint32 at ``offset`` of the V record
        return unpack("<L", v_blob[offset:offset + 4])[0]

    start = field(0x24) + 0xCC
    length = field(0x28)
    return v_blob[start:start + length].decode('utf-16-le')
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:14,代码来源:hashdump.py
示例9: get_user_name
def get_user_name(user_key):
    """Return the user name stored in a user key's V value, or None.

    The name is located through two little-endian uint32 fields of the V
    record (offset at 0x0c, length at 0x10; the offset is taken relative to
    a 0xCC-byte header, as the original does) and decoded as UTF-16-LE.
    None when the V value is missing or unreadable.
    """
    samaddr = user_key.obj_vm
    v_blob = None
    for value in rawreg.values(user_key):
        if value.Name == 'V':
            v_blob = samaddr.read(value.Data, value.DataLength)
    if not v_blob:
        return None

    def field(offset):
        # little-endian uint32 at ``offset`` of the V record
        return unpack("<L", v_blob[offset:offset + 4])[0]

    start = field(0x0c) + 0xCC
    length = field(0x10)
    return v_blob[start:start + length].decode('utf-16-le')
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:14,代码来源:hashdump.py
示例10: dict_for_key
def dict_for_key(self, key):
    """Return ``{value name: printable data}`` for every value of ``key``.

    Formatting follows the Volatility printkey plugin: binary/none data as
    a hexdump, strings made ASCII-safe, multi-strings re-encoded element
    by element. Both keys and values are coerced with ``str``.
    """
    # Inspired from the Volatility printkey plugin
    def printable(tp, data):
        if tp == 'REG_BINARY' or tp == 'REG_NONE':
            rows = ["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c))
                    for o, h, c in utils.Hexdump(data)]
            data = "\n" + "\n".join(rows)
        if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
            data = data.encode("ascii", 'backslashreplace')
        if tp == 'REG_MULTI_SZ':
            for i, item in enumerate(data):
                data[i] = item.encode("ascii", 'backslashreplace')
        return data

    return dict((str(v.Name), str(printable(*rawreg.value_data(v))))
                for v in rawreg.values(key))
开发者ID:andyvand,项目名称:sift-files,代码行数:16,代码来源:autoruns.py
示例11: dump_hashes
def dump_hashes(addr_space, sysaddr, secaddr):
    """Return ``[(username, domain, domain_name, hash)]`` from the SECURITY hive's Cache key.

    Each prerequisite — bootkey from SYSTEM, LSA key, NL$KM secret, the
    SECURITY root and its ``Cache`` key — is obtained in turn; any failure
    returns an empty list. ``NL$Control``, unreadable entries and entries
    with a zero user-name length are skipped.
    """
    bootkey = hashdump.get_bootkey(sysaddr)
    if not bootkey:
        return []
    lsakey = lsasecrets.get_lsa_key(addr_space, secaddr, bootkey)
    if not lsakey:
        return []
    nlkm = get_nlkm(addr_space, secaddr, lsakey)
    if not nlkm:
        return []
    root = rawreg.get_root(secaddr)
    if not root:
        return []
    cache_key = rawreg.open_key(root, ["Cache"])
    if not cache_key:
        return []
    # the original names this flag ``xp``: major profile version 5
    is_xp = addr_space.profile.metadata.get('major', 0) == 5
    results = []
    for value in rawreg.values(cache_key):
        if value.Name == "NL$Control":
            continue
        raw = value.obj_vm.read(value.Data, value.DataLength)
        if raw == None:
            continue
        (uname_len, domain_len, domain_name_len,
         enc_data, ch) = parse_cache_entry(raw)
        # an empty user name means an unused cache slot
        if uname_len == 0:
            continue
        decrypted = decrypt_hash(enc_data, nlkm, ch, is_xp)
        username, domain, domain_name, cached_hash = parse_decrypted_cache(
            decrypted, uname_len, domain_len, domain_name_len)
        results.append((username, domain, domain_name, cached_hash))
    return results
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:47,代码来源:domcachedump.py
示例12: render_text
def render_text(self, outfd, data):
    """Print each found UserAssist key with its subkeys and decoded values.

    ``data`` yields ``(win7, reg, key)``; ``win7`` enables the folder-GUID
    substitution on value names. For REG_BINARY values the name is
    ROT13-decoded (kept as-is if that fails), ``parse_data`` output is
    prepended to the hexdump when available, and the string-type branches
    below are retained from the original even though they are not expected
    for this key. A "not found" line is printed when no key was found.
    """
    def decode_binary(name, raw, win7):
        # hexdump first, then de-obfuscate the name, then map a leading
        # folder GUID on Win7, then prefix with the parsed record (or a
        # newline when parse_data cannot interpret it) -- same order as
        # the original
        rows = ["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c))
                for o, h, c in utils.Hexdump(raw)]
        text = "\n".join(rows)
        try:
            name = name.encode('rot_13')
        except UnicodeDecodeError:
            pass
        if win7:
            guid = name.split("\\")[0]
            if guid in folder_guids:
                name = name.replace(guid, folder_guids[guid])
        parsed = self.parse_data(raw)
        if parsed != None:
            text = parsed + text
        else:
            text = "\n" + text
        return name, text

    keyfound = False
    for win7, reg, key in data:
        if not key:
            continue
        keyfound = True
        outfd.write("----------------------------\n")
        outfd.write("Registry: {0}\n".format(reg))
        outfd.write("Key name: {0}\n".format(key.Name))
        outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
        outfd.write("\n")
        outfd.write("Subkeys:\n")
        for sub in rawreg.subkeys(key):
            # ``== None`` on purpose: a missing name is expected to be a
            # NoneObject (carrying ``reason``) that equals None without being it
            if sub.Name == None:
                outfd.write(" Unknown subkey: " + sub.Name.reason + "\n")
            else:
                outfd.write(" {0}\n".format(sub.Name))
        outfd.write("\n")
        outfd.write("Values:\n")
        for val in rawreg.values(key):
            tp, dat = rawreg.value_data(val)
            subname = val.Name
            if tp == 'REG_BINARY':
                subname, dat = decode_binary(subname, dat, win7)
            #these types shouldn't be encountered, but are just left here in case:
            if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                dat = dat.encode("ascii", 'backslashreplace')
            if tp == 'REG_MULTI_SZ':
                for i, item in enumerate(dat):
                    dat[i] = item.encode("ascii", 'backslashreplace')
            outfd.write("\n{0:13} {1:15} : {2}\n".format(tp, subname, dat))
    if not keyfound:
        outfd.write("The requested key could not be found in the hive(s) searched\n")
开发者ID:B-Rich,项目名称:amark,代码行数:46,代码来源:userassist.py
示例13: compare
def compare(reg_list, mem_list):
    """Compare the services found in the registry with those in memory"""
    ## services present in the registry list but not in the memory list
    registry_only = set(reg_list) - set(mem_list)
    for service in registry_only:
        service_key = reg_list[service]
        ## the SCM only loads services with an ImagePath value, so entries
        ## without one would never appear in memory and are not reported
        if any(str(value.Name) == "ImagePath" for value in rawreg.values(service_key)):
            yield service_key
开发者ID:BryanSingh,项目名称:volatility,代码行数:17,代码来源:servicediff.py
示例14: reg_get_value
def reg_get_value(self, hive_name, key, value, strcmp = None, given_root = None):
    '''
    Return the data of value ``value`` under registry key ``key``.

    REG_BINARY data, or any data when ``strcmp`` is None, is returned
    untouched. Otherwise the data is stringified, stripped of surrounding
    whitespace and of NUL characters, and returned only when it equals
    ``strcmp``. ``given_root`` replaces the ``reg_get_key`` lookup when
    supplied. None when the key, the value or a match is not found.
    '''
    if not (key and value):
        return None
    # ``!= None`` kept on purpose: key objects may be NoneObjects that
    # compare equal to None without being the None singleton.
    root = given_root if given_root != None else self.reg_get_key(hive_name, key)
    if root != None:
        for entry in rawreg.values(root):
            if value == entry.Name:
                tp, dat = rawreg.value_data(entry)
                if tp == 'REG_BINARY' or strcmp == None:
                    # caller wants the raw data
                    return dat
                # string comparison: drop embedded NULs first
                cleaned = ''.join(ch for ch in str(dat).strip() if ord(ch) != 0)
                if strcmp == cleaned:
                    return cleaned
    return None
开发者ID:Jack47,项目名称:volatility,代码行数:21,代码来源:registryapi.py
示例15: render_text
def render_text(self, outfd, data):
    """Print, for each found key, one block per subkey with selected values.

    Only the six values named in ``print_values`` are collected from each
    subkey; they are printed in the numeric order of that table, with empty
    ones omitted. Unknown subkeys still get a (mostly empty) block.
    """
    print_values = {5:'InstallSource', 6:'InstallLocation', 3:'Publisher',
                    1:'DisplayName', 2:'DisplayVersion', 4:'InstallDate'}
    wanted = list(print_values.values())

    def printable(tp, dat):
        # binary/none data as a hexdump, strings ASCII-safe, multi-strings
        # re-encoded in place
        if tp == 'REG_BINARY' or tp == 'REG_NONE':
            rows = ["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c))
                    for o, h, c in utils.Hexdump(dat)]
            dat = "\n" + "\n".join(rows)
        if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
            dat = dat.encode("ascii", 'backslashreplace')
        if tp == 'REG_MULTI_SZ':
            for i, item in enumerate(dat):
                dat[i] = item.encode("ascii", 'backslashreplace')
        return dat

    outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
    keyfound = False
    for reg, key in data:
        if not key:
            continue
        keyfound = True
        outfd.write("----------------------------\n")
        outfd.write("Registry: {0}\n".format(reg))
        outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
        outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
        outfd.write("\n")
        outfd.write("Subkeys:\n")
        for sub in rawreg.subkeys(key):
            info = {}
            # ``== None`` on purpose: a missing name is expected to be a
            # NoneObject (carrying ``reason``) that equals None without being it
            if sub.Name == None:
                outfd.write(" Unknown subkey: " + sub.Name.reason + "\n")
            else:
                info['Name'] = sub.Name
                info['LastUpdated'] = sub.LastWriteTime
                for val in rawreg.values(sub):
                    if val.Name not in wanted:
                        continue
                    tp, dat = rawreg.value_data(val)
                    info[str(val.Name)] = printable(tp, dat)
            outfd.write("Subkey: {0}\n".format(info.get('Name','')))
            outfd.write(" LastUpdated : {0}\n".format(info.get('LastUpdated','')))
            for _, label in sorted(print_values.items()):
                shown = info.get(label, '')
                if shown != '':
                    outfd.write(" {0:16}: {1}\n".format(label, shown))
            outfd.write("\n")
开发者ID:chubbymaggie,项目名称:sift-files,代码行数:40,代码来源:uninstallinfo.py
示例16: reg_get_value
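def reg_get_value(self, hive_name, key, value, data = None):
    '''
    Return the data of value ``value`` under registry key ``key``.

    REG_BINARY data is returned untouched. Other data is stringified,
    stripped of surrounding whitespace and of NUL characters, and returned
    either unconditionally (``data`` is None) or only when it equals
    ``data``. None when the key, the value or a match is not found.
    '''
    # The original also built an address space here via utils.load_as and
    # never used it; the lookup goes through reg_get_key, so that work is
    # dropped.
    if key and value:
        h = self.reg_get_key(hive_name, key)
        # ``!= None`` kept on purpose: key objects may be NoneObjects that
        # compare equal to None without being the None singleton.
        if h != None:
            for v in rawreg.values(h):
                if value == v.Name:
                    tp, dat = rawreg.value_data(v)
                    if tp == 'REG_BINARY':
                        return dat
                    # string comparison: drop embedded NULs first
                    cleaned = ''.join(x for x in str(dat).strip() if ord(x) != 0)
                    if data == None or data == cleaned:
                        return cleaned
    return None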
开发者ID:opexxx,项目名称:Volatility-Plugins,代码行数:23,代码来源:registryapi.py
示例17: getregistrykeyobject
def getregistrykeyobject(self,reg,key,regObjList):
    """Build a RegistryKey result item for ``key`` and attach its values.

    ``reg`` is the hive path with ``/`` separators; the part before its
    last ``/`` becomes the item's backslash-separated Path (with a leading
    backslash), or ``reg`` itself when there is no ``/``. Value data comes
    from ``_get_raw_registry_data2``; a failure there is recorded in that
    value's text so the rest of the key is still reported.
    """
    key_item = regObjList.RegistryKey.add(resultitemtype=19)
    key_item.Name = utils._utf8_encode(key.Name)
    last_slash = reg.rfind("/")
    if last_slash >= 0:
        path = "\\" + reg[:last_slash].replace("/", "\\")
    else:
        path = reg
    key_item.Path = utils._utf8_encode(path)
    key_item.Volatile = self.voltext(key)
    reg_values = rawreg.values(key)
    # len() presumes rawreg.values returns a sized container, not a
    # generator -- TODO confirm against the rawreg version in use
    if reg_values is not None and len(reg_values) > 0:
        values_item = key_item.Values
        values_item.Count = len(reg_values)
        for reg_value in reg_values:
            value_item = values_item.RegistryValue.add(resultitemtype=21)
            value_item.Name = utils._utf8_encode(reg_value.Name)
            value_item.Type = reg_value.Type.v() or 0
            try:
                value_item.Value = self._get_raw_registry_data2(reg_value)
            except Exception as e:
                # best-effort: surface the error text as the value
                value_item.Value = "EXCEPTION: " + str(e)
    return key_item
开发者ID:r1nswenson,项目名称:volatility,代码行数:23,代码来源:adregistry.py
示例18: render_key
def render_key(self, outfd, key, actions):
if len(actions) > 0:
action = actions[0]
else:
return
if action == PRT_VALUE:
valname = actions[1]
for v in rawreg.values(key):
# force conversion to string from String object
v_name = str(v.Name)
# Determine whether to print this value
if valname[0] == "all":
pass
# include specified values
elif valname[0] == "+":
if not v_name in valname:
continue
# exclude specified values
elif valname[0] == "-":
if v_name in valname:
continue
else:
debug.error("Pgm Error - Invalid valname render_key PRT_VALUE")
self.prt_val(outfd, v)
actions = actions[2:]
elif action == LIST_SUBKEYS:
subkey_1st = True
valname = actions[1]
for s in rawreg.subkeys(key):
s_name = str(s.Name)
# Determine whether to list this subkey
if valname[0] == "all":
pass
# include specified keys
elif valname[0] == "+":
if not s_name in valname:
continue
# exclude specified keys
elif valname[0] == "-":
if s_name in valname:
continue
# include subkey if starts with specified value
elif valname[0] == "s":
if not s_name.startswith( valname[1] ):
continue
else:
debug.error("Pgm Error - Invalid valname render_key LIST_SUBKEYS")
if subkey_1st:
outfd.write(" Subkeys:\n")
subkey_1st = False
if s_name == None:
outfd.write(" Unknown subkey: " + s_name.reason + "\n")
else:
outfd.write(" {1:3s} {0}\n".format(s_name, self.voltext(s)))
# If there is a recursive action specified for each subkey, then do it
if actions[2]:
self.render_key(outfd, s, actions[2])
outfd.write("\n")
actions = actions[3:]
# Print Windows Services
elif action == PRT_SRVC:
for s in rawreg.subkeys(key):
v_type, v_start, v_display, v_path = ('','','','')
for v in rawreg.values(s):
v_name = str(v.Name)
if v_name in ["Type",
"DisplayName",
"ImagePath",
"Start"
]:
tp, dat = rawreg.value_data(v)
if v_name == "Type":
if dat in serv_types:
v_type = serv_types[dat]
elif v_name == "Start":
if dat in serv_starts:
v_start = serv_starts[dat]
elif v_name == "ImagePath":
v_path = dat
else:
v_display = dat
outfd.write("\n {0:s} {1} {2:10s} {3}".format(s.Name,
#.........这里部分代码省略.........
开发者ID:lorgor,项目名称:lgvtotal,代码行数:101,代码来源:reglist.py
示例19: generator
def generator(self, data):
    """Yield one ``(0, row)`` per found key, then per subkey, then per value.

    Every row has ten columns: registry, key name, key volatility, last
    write time, subkey name, subkey volatility, value type, value name,
    value volatility, value data. Columns that do not apply hold "-".
    Value data is hexdump-wrapped (``Bytes``) for binary/none types,
    made ASCII-safe for string types and re-encoded in place for
    REG_MULTI_SZ.
    """
    def row(reg, key, *tail):
        # four common leading columns followed by six caller-supplied ones
        cells = [str("{0}".format(reg)),
                 str("{0}".format(key.Name)),
                 str("{0:3s}".format(self.voltext(key))),
                 str("{0}".format(key.LastWriteTime))]
        cells.extend(tail)
        return (0, cells)

    for reg, key in data:
        if not key:
            continue
        subkeys = list(rawreg.subkeys(key))
        values = list(rawreg.values(key))
        yield row(reg, key, "-", "-", "-", "-", "-", "-")
        for sub in subkeys:
            # ``== None`` on purpose: a missing name is expected to be a
            # NoneObject (carrying ``reason``) that equals None without being it
            if sub.Name == None:
                yield row(reg, key,
                          str("Unknown subkey: {0}".format(sub.Name.reason)),
                          "-", "-", "-", "-", "-")
            else:
                yield row(reg, key,
                          str("{0}".format(sub.Name)),
                          str("{0:3s}".format(self.voltext(sub))),
                          "-", "-", "-", "-")
        for val in values:
            tp, dat = rawreg.value_data(val)
            if tp == 'REG_BINARY' or tp == 'REG_NONE':
                dat = Bytes(dat)
            if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                dat = dat.encode("ascii", 'backslashreplace')
            if tp == 'REG_MULTI_SZ':
                for i, item in enumerate(dat):
                    dat[i] = item.encode("ascii", 'backslashreplace')
            yield row(reg, key,
                      "-", "-",
                      str(tp),
                      str("{0}".format(val.Name)),
                      str("{0:3s}".format(self.voltext(val))),
                      str(dat))
开发者ID:DeborahN,项目名称:volatility,代码行数:61,代码来源:printkey.py
示例20: render_text
def render_text(self, outfd, data):
    """Print each missing-service subkey followed by all of its values.

    ``data`` yields service key objects; each value is printed as
    ``name: (type) data`` using ``rawreg.value_data``.
    """
    emit = outfd.write
    for subkey in data:
        emit("\n{0:<20}: {1}\n".format("Missing service", subkey.Name))
        for entry in rawreg.values(subkey):
            vtype, vdata = rawreg.value_data(entry)
            emit("{0:<20}: ({1}) {2}\n".format(entry.Name, vtype, vdata))
开发者ID:BryanSingh,项目名称:volatility,代码行数:6,代码来源:servicediff.py