示例1: reg_get_all_keys
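def reg_get_all_keys(self, hive_name, user = None, start = None, end = None, reg = False, rawtime = False):
    '''
    Enumerate every key of the currently selected hive(s), breadth first,
    and yield each key's last-write time together with its path.

    hive_name / user: passed to set_current() when no offsets are current yet.
    start, end: inclusive window compared as strings against str(time).
        Both given -> only keys inside the window are yielded; neither
        given -> every key is yielded; exactly one given -> nothing is
        yielded (this mirrors the original filter).
    reg: when True each item also carries the hive name,
        (time, reg_name, path) instead of (time, path).
    rawtime: when True the LastWriteTime object itself is yielded instead
        of its string form.

    Fix: under rawtime=True the subkey pass used root.LastWriteTime for
    every key; each key now reports its own LastWriteTime.
    Keys under a path or name that is empty are not descended into.
    '''
    def stamp(key):
        # Raw object or string form of the key's own last-write time.
        return key.LastWriteTime if rawtime else "{0}".format(key.LastWriteTime)

    def in_window(time):
        # Both bounds -> inclusive string comparison; neither -> unfiltered;
        # exactly one -> no match (kept from the original logic).
        if start and end:
            return start <= str(time) <= end
        return start is None and end is None

    if self.all_offsets == {}:
        self.populate_offsets()
    if self.current_offsets == {}:
        self.set_current(hive_name, user)

    # Work list of (key, hive_name, path). It is appended to while being
    # iterated, which is what produces the breadth-first walk.
    keys = []
    for offset in self.current_offsets:
        reg_name = self.current_offsets[offset]
        h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
        root = rawreg.get_root(h)
        if not root:
            continue
        time = stamp(root)
        if in_window(time):
            yield (time, reg_name, root.Name) if reg else (time, root.Name)
        for s in rawreg.subkeys(root):
            keys.append((s, reg_name, root.Name + "\\" + s.Name))

    for k, reg_name, name in keys:
        time = stamp(k)
        if in_window(time):
            yield (time, reg_name, name) if reg else (time, name)
        for s in rawreg.subkeys(k):
            if name and s.Name:
                keys.append((s, reg_name, name + '\\' + s.Name))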
开发者ID:Jack47,项目名称:volatility,代码行数:60,代码来源:registryapi.py
示例2: get_secrets
def get_secrets(sysaddr, secaddr):
    """
    Collect the LSA secrets stored under Policy\\Secrets in the SECURITY hive.

    sysaddr: address space of the SYSTEM hive, used to derive the boot key.
    secaddr: address space of the SECURITY hive.

    Returns a dict mapping secret name -> output of decrypt_secret(), or
    None when the hive root, the boot key, the LSA key or the
    Policy\\Secrets key is unavailable. Entries without a readable CurrVal
    value are skipped.
    """
    root = rawreg.get_root(secaddr)
    if not root:
        return None

    bootkey = hashdump.get_bootkey(sysaddr)
    lsakey = get_lsa_key(secaddr, bootkey)
    if not (bootkey and lsakey):
        return None

    secrets_key = rawreg.open_key(root, ["Policy", "Secrets"])
    if not secrets_key:
        return None

    secrets = {}
    for key in rawreg.subkeys(secrets_key):
        sec_val_key = rawreg.open_key(key, ["CurrVal"])
        if not sec_val_key:
            continue
        enc_secret_value = sec_val_key.ValueList.List.dereference()[0]
        if not enc_secret_value:
            continue
        enc_secret = secaddr.read(enc_secret_value.Data, enc_secret_value.DataLength)
        if not enc_secret:
            continue
        # The first 0xC bytes are dropped before decryption; presumably a
        # header in front of the ciphertext - confirm against decrypt_secret.
        secrets[key.Name] = decrypt_secret(enc_secret[0xC:], lsakey)
    return secrets
开发者ID:Jonnyliu,项目名称:Malware_Analysis,代码行数:33,代码来源:lsasecrets.py
示例3: render_text
def render_text(self, outfd, data):
    """
    Write each (registry, key) pair from *data* to *outfd* as text.

    For every key that was found: a separator, the hive name, the key name
    with its stable/volatile marker, the last-write time, then the key's
    subkeys and values. REG_BINARY and REG_NONE data is hexdumped, string
    types are ASCII-escaped and REG_MULTI_SZ entries are escaped in place.
    One notice is written at the end if no key at all was found.
    """
    def present(tp, dat):
        # Render value data for display according to its registry type.
        if tp in ('REG_BINARY', 'REG_NONE'):
            rows = ["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)]
            return "\n" + "\n".join(rows)
        if tp in ('REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK'):
            return dat.encode("ascii", 'backslashreplace')
        if tp == 'REG_MULTI_SZ':
            for i in range(len(dat)):
                dat[i] = dat[i].encode("ascii", 'backslashreplace')
        return dat

    outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
    keyfound = False
    for reg, key in data:
        if not key:
            continue
        keyfound = True
        outfd.write("----------------------------\n")
        outfd.write("Registry: {0}\n".format(reg))
        outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
        outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
        outfd.write("\n")
        outfd.write("Subkeys:\n")
        for s in rawreg.subkeys(key):
            # '== None' is deliberate: an unresolved name compares equal to
            # None yet still exposes .reason, so it is not the None singleton.
            if s.Name == None:
                outfd.write(" Unknown subkey: " + s.Name.reason + "\n")
            else:
                outfd.write(" {1:3s} {0}\n".format(s.Name, self.voltext(s)))
        outfd.write("\n")
        outfd.write("Values:\n")
        for v in rawreg.values(key):
            tp, dat = rawreg.value_data(v)
            shown = present(tp, dat)
            outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(tp, v.Name, shown, self.voltext(v)))
    if not keyfound:
        outfd.write("The requested key could not be found in the hive(s) searched\n")
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:31,代码来源:printkey.py
示例4: calculate
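def calculate(self):
    """
    Yield (sid, service_name) pairs for every service in the SYSTEM hive.

    Subkeys of <control set>\\Services whose name is not already in the
    module-level servicesids table get a SID from createservicesid(); the
    table's own entries are yielded afterwards. The control set starts as
    ControlSet001 and is replaced by find_control_set() for each SYSTEM hive
    offset found, the last one winning.

    Fix: the progress messages used Python 2 print statements; the
    parenthesised form below is valid on both Python 2 and 3.
    """
    addr_space = utils.load_as(self._config)
    # scan for registries and populate them
    print("Scanning for registries....")
    self.populate_offsets()
    # set our current registry of interest and find its current control set
    print("Getting Current Control Set....")
    currentcs = "ControlSet001"
    self.set_current('system')
    for o in self.current_offsets:
        sysaddr = hivemod.HiveAddressSpace(addr_space, self._config, o)
        cs = find_control_set(sysaddr)
        currentcs = "ControlSet{0:03}".format(cs)
    # set the services root
    print("Getting Services and calculating SIDs....")
    services = self.reg_get_key('system', currentcs + '\\' + 'Services')
    if services:
        # servicesids is not modified in the loop, so its values are read once
        known_names = servicesids.values()
        for s in rawreg.subkeys(services):
            if s.Name not in known_names:
                yield createservicesid(str(s.Name)), str(s.Name)
    for sid, service_name in servicesids.items():
        yield sid, service_name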
开发者ID:gleeda,项目名称:Volatility-Plugins,代码行数:27,代码来源:getservicesids.py
示例5: render_text
def render_text(self, outfd, data):
    """
    Write each (registry, key) pair from *data* to *outfd* as text.

    A missing key prints "Unable to find requested key" unless the
    BRUTE_FORCE option is set, in which case it is skipped silently. A
    found key gets a legend, the hive name, the key name with its
    stable/volatile marker, the last-write time, then its subkeys and
    values. REG_BINARY data is shown through hd(), string types are
    ASCII-escaped and REG_MULTI_SZ entries are escaped in place.
    """
    def present(tp, dat):
        # Render value data for display according to its registry type.
        if tp == 'REG_BINARY':
            return "\n" + hd(dat, length = 16)
        if tp in ('REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK'):
            return dat.encode("ascii", 'backslashreplace')
        if tp == 'REG_MULTI_SZ':
            for i in range(len(dat)):
                dat[i] = dat[i].encode("ascii", 'backslashreplace')
        return dat

    for reg, key in data:
        if not key:
            if not self._config.BRUTE_FORCE:
                outfd.write("Unable to find requested key\n")
            continue
        outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
        outfd.write("Registry: {0}\n".format(reg))
        outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
        outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
        outfd.write("\n")
        outfd.write("Subkeys:\n")
        for s in rawreg.subkeys(key):
            # '== None' is deliberate: an unresolved name compares equal to
            # None yet still exposes .reason, so it is not the None singleton.
            if s.Name == None:
                outfd.write(" Unknown subkey: " + s.Name.reason + "\n")
            else:
                outfd.write(" {1:3s} {0}\n".format(s.Name, self.voltext(s)))
        outfd.write("\n")
        outfd.write("Values:\n")
        for v in rawreg.values(key):
            tp, dat = rawreg.value_data(v)
            shown = present(tp, dat)
            outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(tp, v.Name, shown, self.voltext(v)))
开发者ID:gleeda,项目名称:Volatility-Plugins,代码行数:29,代码来源:printkey.py
示例6: services_from_registry
def services_from_registry(addr_space):
    """
    Map lower-cased service names to their registry keys.

    Walks the hives reported by hivelist.HiveList and stops at the first
    whose name ends with "system" (case-insensitive). From that hive the
    ControlSet001\\Services key is opened and every subkey is recorded
    under str(subkey.Name).lower(). No other hive is consulted: if the
    root or the Services key of that first hive cannot be opened, the
    result is left empty. Note that the control set is fixed to
    ControlSet001 rather than the one currently selected.
    """
    services = {}
    plugin = hivelist.HiveList(addr_space.get_config())
    for hive in plugin.calculate():
        if not hive.get_name().lower().endswith("system"):
            continue
        root = rawreg.get_root(hive.address_space())
        if root:
            key = rawreg.open_key(root, ["ControlSet001", "Services"])
            if key:
                for subkey in rawreg.subkeys(key):
                    services[str(subkey.Name).lower()] = subkey
        # only the first SYSTEM-named hive is ever used
        break
    return services
开发者ID:BryanSingh,项目名称:volatility,代码行数:32,代码来源:servicediff.py
示例7: reg_get_all_subkeys
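def reg_get_all_subkeys(self, hive_name, key, user = None, given_root = None):
    '''
    Yield every subkey of *key* in *hive_name* that has a name.

    given_root: when not equal to None it is used directly as the key to
        enumerate and hive_name / key / user are ignored.
    user: forwarded to reg_get_key() so a user-specific hive can be
        selected (fix: it was accepted but never passed on).

    Yields nothing when the key cannot be resolved.
    '''
    if given_root == None:
        k = self.reg_get_key(hive_name, key, user)
    else:
        k = given_root
    if not k:
        return
    for s in rawreg.subkeys(k):
        if s.Name:
            yield s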
开发者ID:Jack47,项目名称:volatility,代码行数:9,代码来源:registryapi.py
示例8: generator
def generator(self, data):
    """
    Walk *data* and every key beneath it breadth first, yielding one row
    (0, [last_write_time_as_str, path]) per key.

    The work list is extended while it is iterated, so newly discovered
    subkeys are visited after every key of the current level. Entries
    whose key is falsy are skipped.
    """
    pending = [(data, str(data.Name))]
    for key, path in pending:
        if not key:
            continue
        yield (0, [str("{0}".format(key.LastWriteTime)), str(path)])
        for child in rawreg.subkeys(key):
            pending.append((child, "{0}\\{1}".format(path, child.Name)))
开发者ID:DeborahN,项目名称:volatility,代码行数:10,代码来源:printkey.py
示例9: reg_enum_key
def reg_enum_key(self, hive_name, key, user = None):
    '''
    Yield the path (key + '\\' + name) of each named subkey of *key*.

    The key is resolved with reg_get_key(hive_name, key, user); nothing is
    yielded when it cannot be found. Subkeys without a name are skipped.
    '''
    k = self.reg_get_key(hive_name, key, user)
    if not k:
        return
    for s in rawreg.subkeys(k):
        if s.Name:
            yield key + '\\' + s.Name
开发者ID:Jack47,项目名称:volatility,代码行数:10,代码来源:registryapi.py
示例10: reg_enum_key
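def reg_enum_key(self, hive_name, key, user = None):
    '''
    Yield the path (key + '\\' + name) of each named subkey of *key*.

    The key is resolved with reg_get_key(hive_name, key, user); nothing is
    yielded when it cannot be found. Subkeys without a name are skipped.

    Fix: an address space was loaded into an unused local on every call;
    that call is dropped, matching the upstream version of this method.
    '''
    k = self.reg_get_key(hive_name, key, user)
    if not k:
        return
    for s in rawreg.subkeys(k):
        if s.Name:
            yield key + '\\' + s.Name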
开发者ID:opexxx,项目名称:Volatility-Plugins,代码行数:11,代码来源:registryapi.py
示例11: get_user_keys
def get_user_keys(samaddr):
    """
    Return the subkeys of SAM\\Domains\\Account\\Users in the SAM hive,
    excluding the "Names" subkey.

    samaddr: address space of the SAM hive. An empty list is returned when
    the hive root or the Users key cannot be opened.
    """
    root = rawreg.get_root(samaddr)
    if not root:
        return []
    user_key = rawreg.open_key(root, ["SAM", "Domains", "Account", "Users"])
    if not user_key:
        return []
    users = []
    for k in rawreg.subkeys(user_key):
        if k.Name != "Names":
            users.append(k)
    return users
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:12,代码来源:hashdump.py
示例12: reg_get_all_subkeys
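def reg_get_all_subkeys(self, hive_name, key, user = None, given_root = None):
    '''
    Yield every subkey of *key* in *hive_name* that has a name.

    given_root: when not equal to None it is used directly as the key to
        enumerate and hive_name / key / user are ignored.
    user: forwarded to reg_get_key() to select a user-specific hive.

    Yields nothing when the key cannot be resolved.

    Fix: an address space was loaded into an unused local on every call;
    that call is dropped, matching the upstream version of this method.
    '''
    if given_root == None:
        k = self.reg_get_key(hive_name, key, user)
    else:
        k = given_root
    if not k:
        return
    for s in rawreg.subkeys(k):
        if s.Name:
            yield s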
开发者ID:opexxx,项目名称:Volatility-Plugins,代码行数:13,代码来源:registryapi.py
示例13: render_text
def render_text(self, outfd, data):
    """
    Print the UserAssist keys in *data* as text to *outfd*.

    *data* yields (win7, reg, key) triples. For each key that was found
    the hive, key name, last-write time, subkeys and values are written.
    REG_BINARY value names are passed through ROT13, on win7 a leading
    GUID path component is replaced via folder_guids, and the raw data
    is given to self.parse_data() before the hexdump is appended. A
    notice is written at the end when no key at all was found.
    """
    # NOTE(review): the listing lost its indentation; the nesting below is
    # reconstructed - confirm against the upstream file.
    keyfound = False
    for win7, reg, key in data:
        if key:
            keyfound = True
            outfd.write("----------------------------\n")
            outfd.write("Registry: {0}\n".format(reg))
            outfd.write("Key name: {0}\n".format(key.Name))
            outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
            outfd.write("\n")
            outfd.write("Subkeys:\n")
            for s in rawreg.subkeys(key):
                # '== None' is deliberate: an unresolved name compares equal
                # to None yet still exposes .reason.
                if s.Name == None:
                    outfd.write(" Unknown subkey: " + s.Name.reason + "\n")
                else:
                    outfd.write(" {0}\n".format(s.Name))
            outfd.write("\n")
            outfd.write("Values:\n")
            for v in rawreg.values(key):
                tp, dat = rawreg.value_data(v)
                subname = v.Name
                if tp == 'REG_BINARY':
                    # keep the raw bytes for parse_data(); dat becomes hexdump text
                    dat_raw = dat
                    dat = "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                    # ROT13 the value name for display; on decode failure keep it as-is
                    try:
                        subname = subname.encode('rot_13')
                    except UnicodeDecodeError:
                        pass
                    if win7:
                        # first path component may be a known folder GUID
                        guid = subname.split("\\")[0]
                        if guid in folder_guids:
                            subname = subname.replace(guid, folder_guids[guid])
                    d = self.parse_data(dat_raw)
                    if d != None:
                        dat = d + dat
                    else:
                        dat = "\n" + dat
                #these types shouldn't be encountered, but are just left here in case:
                if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                    dat = dat.encode("ascii", 'backslashreplace')
                if tp == 'REG_MULTI_SZ':
                    for i in range(len(dat)):
                        dat[i] = dat[i].encode("ascii", 'backslashreplace')
                outfd.write("\n{0:13} {1:15} : {2}\n".format(tp, subname, dat))
    if not keyfound:
        outfd.write("The requested key could not be found in the hive(s) searched\n")
开发者ID:B-Rich,项目名称:amark,代码行数:46,代码来源:userassist.py
示例14: render_text
def render_text(self, outfd, data):
    """
    Print uninstall information for each (registry, key) pair in *data*.

    For every key that was found the hive, key name with stable/volatile
    marker and last-write time are written. Then, per subkey, its name,
    last-update time and those of its values whose name appears in
    print_values, printed in the numeric order of that table. Values with
    any other name are ignored.
    """
    # NOTE(review): the listing lost its indentation; the nesting below is
    # reconstructed - confirm against the upstream file.
    # The numeric keys fix the print order used in the per-subkey output.
    print_values = {5:'InstallSource', 6:'InstallLocation', 3:'Publisher',
    1:'DisplayName', 2:'DisplayVersion', 4:'InstallDate'}
    outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
    # set but never consulted afterwards in this block
    keyfound = False
    for reg, key in data:
        if key:
            keyfound = True
            outfd.write("----------------------------\n")
            outfd.write("Registry: {0}\n".format(reg))
            outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
            outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
            outfd.write("\n")
            outfd.write("Subkeys:\n")
            for s in rawreg.subkeys(key):
                key_info = {}
                # '== None' is deliberate: an unresolved name compares equal
                # to None yet still exposes .reason.
                if s.Name == None:
                    outfd.write(" Unknown subkey: " + s.Name.reason + "\n")
                else:
                    key_info['Name'] = s.Name
                    key_info['LastUpdated'] = s.LastWriteTime
                    for v in rawreg.values(s):
                        if v.Name not in print_values.values():
                            continue
                        tp, dat = rawreg.value_data(v)
                        if tp == 'REG_BINARY' or tp == 'REG_NONE':
                            dat = "\n" + "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                        if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                            dat = dat.encode("ascii", 'backslashreplace')
                        if tp == 'REG_MULTI_SZ':
                            for i in range(len(dat)):
                                dat[i] = dat[i].encode("ascii", 'backslashreplace')
                        key_info[str(v.Name)] = dat
                # an unnamed subkey reaches here with an empty key_info
                outfd.write("Subkey: {0}\n".format(key_info.get('Name','')))
                outfd.write(" LastUpdated : {0}\n".format(key_info.get('LastUpdated','')))
                # sorted by the numeric key; k itself is not used
                for k, v in sorted(print_values.items()):
                    val = key_info.get(v, '')
                    if val != '':
                        outfd.write(" {0:16}: {1}\n".format(v, val))
                outfd.write("\n")
开发者ID:chubbymaggie,项目名称:sift-files,代码行数:40,代码来源:uninstallinfo.py
示例15: calculate
def calculate(self):
    """
    Yield (sid, service_name) pairs for the services in the SYSTEM hive.

    The current control set comes from RegistryApi.reg_get_currentcontrolset(),
    falling back to ControlSet001 when that returns None. Subkeys of
    <control set>\\Services whose name is not already in the module-level
    servicesids table get a SID from createservicesid(); the table's own
    entries are yielded afterwards.
    """
    debug.debug("Scanning for registries....")
    debug.debug("Getting Current Control Set....")
    regapi = registryapi.RegistryApi(self._config)
    currentcs = regapi.reg_get_currentcontrolset()
    if currentcs == None:
        currentcs = "ControlSet001"
    regapi.set_current("system")
    debug.debug("Getting Services and calculating SIDs....")
    services = regapi.reg_get_key("system", currentcs + "\\" + "Services")
    if services:
        for s in rawreg.subkeys(services):
            if s.Name in servicesids.values():
                continue
            yield createservicesid(str(s.Name)), str(s.Name)
    for sid, service_name in servicesids.items():
        yield sid, service_name
开发者ID:woogers,项目名称:volatility,代码行数:23,代码来源:getservicesids.py
示例16: get_secrets
def get_secrets(addr_space, sysaddr, secaddr):
    """
    Collect the LSA secret values stored under Policy\\Secrets.

    addr_space: main address space; when its profile reports major
        version 5 the first 0xC bytes of each value are stripped,
        otherwise the value is kept whole.
    sysaddr / secaddr: address spaces of the SYSTEM and SECURITY hives.

    Returns a dict of secret name -> raw CurrVal data (no decryption is
    performed here), or None when the hive root, the boot key, the LSA
    key or the Policy\\Secrets key is unavailable. Entries without a
    readable CurrVal value are skipped.
    """
    root = rawreg.get_root(secaddr)
    if not root:
        return None

    bootkey = hashdump.get_bootkey(sysaddr)
    lsakey = get_lsa_key(addr_space, secaddr, bootkey)
    if not (bootkey and lsakey):
        return None

    secrets_key = rawreg.open_key(root, ["Policy", "Secrets"])
    if not secrets_key:
        return None

    secrets = {}
    for key in rawreg.subkeys(secrets_key):
        sec_val_key = rawreg.open_key(key, ["CurrVal"])
        if not sec_val_key:
            continue
        enc_secret_value = sec_val_key.ValueList.List.dereference()[0]
        if not enc_secret_value:
            continue
        enc_secret = secaddr.read(enc_secret_value.Data, enc_secret_value.DataLength)
        if not enc_secret:
            continue
        # Only profiles with major == 5 carry a 0xC-byte prefix to drop.
        strip_prefix = addr_space.profile.metadata.get('major', 0) == 5
        secrets[key.Name] = enc_secret[0xC:] if strip_prefix else enc_secret
    return secrets
开发者ID:Safe3,项目名称:volatility,代码行数:36,代码来源:lsasecrets.py
示例17: parse_service_key
def parse_service_key(self, service_key):
    """
    Build a summary tuple for one service registry key.

    DisplayName, Start, Type and ImagePath are read from the key's values
    via self.dict_for_key (missing numbers default to -1, missing strings
    to "Unknown"; NUL characters are removed). For services hosted by
    svchost ("svchost.exe -k" in ImagePath) the Parameters subkey is
    consulted for ServiceDll / ServiceMain and its LastWriteTime replaces
    the key's own timestamp.

    Returns (name, timestamp, display_name, startup_label, type_label,
    image_path, entry, pids) for services whose Start is 0, 1 or 2; other
    services return None. The labels are looked up in the module-level
    service_startup and service_types tables.
    """
    service_dict = self.dict_for_key(service_key)
    name = str(service_key.Name)
    display_name = service_dict.get('DisplayName', "Unknown").replace('\x00', '')
    startup = int(service_dict.get("Start", -1))
    svc_type = int(service_dict.get("Type", -1))
    image_path = service_dict.get("ImagePath", "Unknown").replace('\x00', '')
    timestamp = service_key.LastWriteTime

    entry = None
    parameters = None
    if "svchost.exe -k" in image_path:
        # The hosted DLL is named under the Parameters subkey, if present.
        for sub in rawreg.subkeys(service_key):
            if sub.Name == "Parameters":
                parameters = self.dict_for_key(sub)
                timestamp = sub.LastWriteTime
                break
        if parameters and 'ServiceDll' in parameters:
            entry = parameters.get("ServiceDll")
            main = parameters.get('ServiceMain')
            if main:
                entry += " ({})".format(main)
            entry = entry.replace('\x00', '')

    # Start values 0, 1 and 2 are the services set to start automatically.
    # More details here: http://technet.microsoft.com/en-us/library/cc759637(v=ws.10).aspx
    if startup not in (0, 1, 2):
        return None
    if entry:
        pids = self.find_pids_for_imagepath(parameters.get("ServiceDll"))
    else:
        pids = self.find_pids_for_imagepath(image_path)
    return (name, timestamp, display_name, service_startup[startup], service_types[svc_type], image_path, entry, pids)
开发者ID:andyvand,项目名称:sift-files,代码行数:36,代码来源:autoruns.py
示例18: print_key
def print_key(self, outfd, keypath, key):
    """
    Recursively print *key* and everything beneath it, one line per key,
    as "<LastWriteTime> <keypath>\\<name>".

    A key whose Name compares equal to None is skipped together with its
    whole subtree.
    """
    if key.Name != None:
        path = keypath + "\\" + key.Name
        outfd.write("{0:20s} {1}\n".format(key.LastWriteTime, path))
        for child in rawreg.subkeys(key):
            self.print_key(outfd, path, child)
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:5,代码来源:printkey.py
示例19: LoadSubKeys
def LoadSubKeys(self,reg,key,regObjectList):
    """
    Recursively register every subkey of *key* under the path prefix *reg*.

    Each child's path is reg + '\\' + its UTF-8 encoded name; the child is
    handed to getregistrykeyobject() together with *regObjectList* before
    its own subkeys are visited.
    """
    for child in rawreg.subkeys(key):
        child_path = reg + '\\' + utils._utf8_encode(child.Name)
        self.getregistrykeyobject(child_path, child, regObjectList)
        self.LoadSubKeys(child_path, child, regObjectList)
开发者ID:r1nswenson,项目名称:volatility,代码行数:5,代码来源:adregistry.py
示例20: render_key
def render_key(self, outfd, key, actions):
if len(actions) > 0:
action = actions[0]
else:
return
if action == PRT_VALUE:
valname = actions[1]
for v in rawreg.values(key):
# force conversion to string from String object
v_name = str(v.Name)
# Determine whether to print this value
if valname[0] == "all":
pass
# include specified values
elif valname[0] == "+":
if not v_name in valname:
continue
# exclude specified values
elif valname[0] == "-":
if v_name in valname:
continue
else:
debug.error("Pgm Error - Invalid valname render_key PRT_VALUE")
self.prt_val(outfd, v)
actions = actions[2:]
elif action == LIST_SUBKEYS:
subkey_1st = True
valname = actions[1]
for s in rawreg.subkeys(key):
s_name = str(s.Name)
# Determine whether to list this subkey
if valname[0] == "all":
pass
# include specified keys
elif valname[0] == "+":
if not s_name in valname:
continue
# exclude specified keys
elif valname[0] == "-":
if s_name in valname:
continue
# include subkey if starts with specified value
elif valname[0] == "s":
if not s_name.startswith( valname[1] ):
continue
else:
debug.error("Pgm Error - Invalid valname render_key LIST_SUBKEYS")
if subkey_1st:
outfd.write(" Subkeys:\n")
subkey_1st = False
if s_name == None:
outfd.write(" Unknown subkey: " + s_name.reason + "\n")
else:
outfd.write(" {1:3s} {0}\n".format(s_name, self.voltext(s)))
# If there is a recursive action specified for each subkey, then do it
if actions[2]:
self.render_key(outfd, s, actions[2])
outfd.write("\n")
actions = actions[3:]
# Print Windows Services
elif action == PRT_SRVC:
for s in rawreg.subkeys(key):
v_type, v_start, v_display, v_path = ('','','','')
for v in rawreg.values(s):
v_name = str(v.Name)
if v_name in ["Type",
"DisplayName",
"ImagePath",
"Start"
]:
tp, dat = rawreg.value_data(v)
if v_name == "Type":
if dat in serv_types:
v_type = serv_types[dat]
elif v_name == "Start":
if dat in serv_starts:
v_start = serv_starts[dat]
elif v_name == "ImagePath":
v_path = dat
else:
v_display = dat
outfd.write("\n {0:s} {1} {2:10s} {3}".format(s.Name,
#.........这里部分代码省略.........
开发者ID:lorgor,项目名称:lgvtotal,代码行数:101,代码来源:reglist.py