Module: Msf::Post::Windows::Registry

Includes:

CliParse

Included in:

Accounts, Dotnet, Priv, Services, UserProfiles, Version

Defined in:

lib/msf/core/post/windows/registry.rb

Constant Summary

REGISTRY_VIEW_NATIVE =

This is the default view. It reflects what the remote process would see natively. So, if you are using a remote 32-bit meterpreter session, you will see 32-bit registry keys and values.

0

REGISTRY_VIEW_32_BIT =

Access 32-bit registry keys and values regardless of whether the session is 32 or 64-bit.

1

REGISTRY_VIEW_64_BIT =

Access 64-bit registry keys and values regardless of whether the session is 32 or 64-bit.

2

REG_NONE =

Windows Registry Constants.

0

REG_SZ =

1

REG_EXPAND_SZ =

2

REG_BINARY =

3

REG_DWORD =

4

REG_LITTLE_ENDIAN =

4

REG_BIG_ENDIAN =

5

REG_LINK =

6

REG_MULTI_SZ =

7

REG_QWORD =

11

HKEY_CLASSES_ROOT =

0x80000000

HKEY_CURRENT_USER =

0x80000001

HKEY_LOCAL_MACHINE =

0x80000002

HKEY_USERS =

0x80000003

HKEY_PERFORMANCE_DATA =

0x80000004

HKEY_CURRENT_CONFIG =

0x80000005

HKEY_DYN_DATA =

0x80000006

Instance Method Summary

• #initialize(info = {}) ⇒ Object
• #meterpreter_registry_createkey(key, view) ⇒ Object protected

  Create a new registry key.

• #meterpreter_registry_deletekey(key, view) ⇒ Object protected

  Delete the registry key key.

• #meterpreter_registry_deleteval(key, valname, view) ⇒ Object protected

  Delete the registry value valname store in key.

• #meterpreter_registry_enumkeys(key, view) ⇒ Object protected

  Enumerate the subkeys in key.

• #meterpreter_registry_enumvals(key, view) ⇒ Object protected

  Enumerate the values in key.

• #meterpreter_registry_getvaldata(key, valname, view) ⇒ Object protected

  Get the data stored in the value valname.

• #meterpreter_registry_getvalinfo(key, valname, view) ⇒ Object protected

  Enumerate the type and data of the value valname.

• #meterpreter_registry_key_exist?(key) ⇒ Boolean protected

  Checks if a key exists on the target registry using a meterpreter session.

• #meterpreter_registry_loadkey(key, file) ⇒ Object protected

  Load a registry hive stored in file into key.

• #meterpreter_registry_perms(perms, view = REGISTRY_VIEW_NATIVE) ⇒ Object protected

  Meterpreter-specific registry manipulation methods.

• #meterpreter_registry_setvaldata(key, valname, data, type, view) ⇒ Object protected

  Add the value valname to the key key with the specified type and data.

• #meterpreter_registry_unloadkey(key) ⇒ Object protected

  Unload the hive file stored in key.

• #normalize_key(key) ⇒ Object protected

  Normalize the supplied full registry key string so the root key is sane.

• #registry_createkey(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

  Create the given registry key.

• #registry_deletekey(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

  Delete a given registry key.

• #registry_deleteval(key, valname, view = REGISTRY_VIEW_NATIVE) ⇒ Object

  Deletes a registry value given the key and value name.

• #registry_enumkeys(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

  Return an array of subkeys for the given registry key.

• #registry_enumvals(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

  Return an array of value names for the given registry key.

• #registry_getvaldata(key, valname, view = REGISTRY_VIEW_NATIVE) ⇒ Object

  Return the data of a given registry key and value.

• #registry_getvalinfo(key, valname, view = REGISTRY_VIEW_NATIVE) ⇒ Object

  Return the data and type of a given registry key and value.

• #registry_hive_lookup(hive) ⇒ Object

  Lookup registry hives by key.

• #registry_key_exist?(key) ⇒ Boolean

  Checks if a key exists on the target registry.

• #registry_loadkey(key, file) ⇒ Object

  Load a hive file.

• #registry_setvaldata(key, valname, data, type, view = REGISTRY_VIEW_NATIVE) ⇒ Object

  Sets the data for a given value and type of data on the target registry.

• #registry_unloadkey(key) ⇒ Object

  Unload a hive file.

• #session_has_registry_ext ⇒ Object protected deprecated Deprecated.

  Use granular command ID checking session.commands instead

• #shell_registry_cmd(suffix, view = REGISTRY_VIEW_NATIVE) ⇒ Object protected

  Generic registry manipulation methods based on reg.exe.

• #shell_registry_cmd_result(suffix, view = REGISTRY_VIEW_NATIVE) ⇒ Object protected
• #shell_registry_createkey(key, view) ⇒ Object protected

  Use reg.exe to create a new registry key.

• #shell_registry_deletekey(key, view) ⇒ Object protected

  Use reg.exe to delete key and all its subkeys and values.

• #shell_registry_deleteval(key, valname, view) ⇒ Object protected

  Use reg.exe to delete valname in key.

• #shell_registry_enumkeys(key, view) ⇒ Object protected

  Use reg.exe to enumerate all the subkeys in key.

• #shell_registry_enumvals(key, view) ⇒ Object protected

  Use reg.exe to enumerate all the values in key.

• #shell_registry_getvaldata(key, valname, view) ⇒ Object protected

  Returns the data portion of the value valname.

• #shell_registry_getvalinfo(key, valname, view) ⇒ Object protected

  Enumerate the type and data stored in the registry value valname in key.

• #shell_registry_key_exist?(key) ⇒ Boolean protected

  Checks if a key exists on the target registry using a shell session.

• #shell_registry_loadkey(key, file) ⇒ Object protected

  Use reg.exe to load the hive file file into key.

• #shell_registry_setvaldata(key, valname, data, type, view) ⇒ Object protected

  Use reg.exe to add a value valname in the key key with the specified type and data.

• #shell_registry_unloadkey(key) ⇒ Object protected

  Use reg.exe to unload the hive in key.

• #split_key(str) ⇒ Object protected

  Split the supplied full registry key string into its root key and base key.

Methods included from CliParse

#win_parse_error, #win_parse_results

Instance Method Details

#initialize(info = {}) ⇒ Object

# File 'lib/msf/core/post/windows/registry.rb', line 52

def initialize(info = {})
  super(
    update_info(
      info,
      'Compat' => {
        'Meterpreter' => {
          'Commands' => %w[
            stdapi_registry_check_key_exists
            stdapi_registry_create_key
            stdapi_registry_delete_key
            stdapi_registry_enum_key_direct
            stdapi_registry_enum_value_direct
            stdapi_registry_load_key
            stdapi_registry_open_key
            stdapi_registry_query_value_direct
            stdapi_registry_set_value_direct
            stdapi_registry_unload_key
            stdapi_sys_config_getprivs
          ]
        }
      }
    )
  )
end

#meterpreter_registry_createkey(key, view) ⇒ Object (protected)

Create a new registry key

# File 'lib/msf/core/post/windows/registry.rb', line 529

def meterpreter_registry_createkey(key, view)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_WRITE, view)
    open_key = session.sys.registry.create_key(root_key, base_key, perms)
    open_key.close
    return true
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_deletekey(key, view) ⇒ Object (protected)

Delete the registry key key

# File 'lib/msf/core/post/windows/registry.rb', line 560

def meterpreter_registry_deletekey(key, view)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_WRITE, view)
    deleted = session.sys.registry.delete_key(root_key, base_key, perms)
    return deleted
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_deleteval(key, valname, view) ⇒ Object (protected)

Delete the registry value valname store in key

# File 'lib/msf/core/post/windows/registry.rb', line 544

def meterpreter_registry_deleteval(key, valname, view)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_WRITE, view)
    open_key = session.sys.registry.open_key(root_key, base_key, perms)
    open_key.delete_value(valname)
    open_key.close
    return true
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_enumkeys(key, view) ⇒ Object (protected)

Enumerate the subkeys in key

# File 'lib/msf/core/post/windows/registry.rb', line 574

def meterpreter_registry_enumkeys(key, view)
  begin
    subkeys = []
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_READ, view)
    keys = session.sys.registry.enum_key_direct(root_key, base_key, perms)
    keys.each { |subkey|
      subkeys << subkey
    }
    return subkeys
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_enumvals(key, view) ⇒ Object (protected)

Enumerate the values in key

# File 'lib/msf/core/post/windows/registry.rb', line 592

def meterpreter_registry_enumvals(key, view)
  begin
    values = []
    vals = {}
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_READ, view)
    vals = session.sys.registry.enum_value_direct(root_key, base_key, perms)
    vals.each { |val|
      values <<  val.name
    }
    return values
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_getvaldata(key, valname, view) ⇒ Object (protected)

Get the data stored in the value valname

# File 'lib/msf/core/post/windows/registry.rb', line 611

def meterpreter_registry_getvaldata(key, valname, view)
  begin
    value = nil
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_READ, view)
    v = session.sys.registry.query_value_direct(root_key, base_key, valname, perms)
    value = v.data
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
  return value
end

#meterpreter_registry_getvalinfo(key, valname, view) ⇒ Object (protected)

Enumerate the type and data of the value valname

# File 'lib/msf/core/post/windows/registry.rb', line 627

def meterpreter_registry_getvalinfo(key, valname, view)
  value = {}
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_READ, view)
    open_key = session.sys.registry.open_key(root_key, base_key, perms)
    v = open_key.query_value(valname)
    value["Data"] = v.data
    value["Type"] = v.type
    open_key.close
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
  return value
end

#meterpreter_registry_key_exist?(key) ⇒ Boolean (protected)

Checks if a key exists on the target registry using a meterpreter session

Parameters:

• key (String) —

  the full path of the key to check

Returns:

• (Boolean) —

  true if the key exists on the target registry, false otherwise (also in case of error)

# File 'lib/msf/core/post/windows/registry.rb', line 663

def meterpreter_registry_key_exist?(key)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
  rescue ArgumentError
    return false
  end

  begin
    check = session.sys.registry.check_key_exists(root_key, base_key)
  rescue Rex::Post::Meterpreter::RequestError, Rex::TimeoutError
    return false
  end

  check
end

#meterpreter_registry_loadkey(key, file) ⇒ Object (protected)

Load a registry hive stored in file into key

# File 'lib/msf/core/post/windows/registry.rb', line 470

def meterpreter_registry_loadkey(key, file)
  begin
    client.sys.config.getprivs()
    root_key, base_key = session.sys.registry.splitkey(key)
    begin
      loadres = session.sys.registry.load_key(root_key, base_key, file)
    rescue Rex::Post::Meterpreter::RequestError => e
      case e.to_s
      when "stdapi_registry_load_key: Operation failed: 1314"
        #print_error("You appear to be lacking the SeRestorePrivilege. Are you running with Admin privs?")
        return false
      when "stdapi_registry_load_key: Operation failed: The system cannot find the path specified."
        #print_error("The path you provided to the Registry Hive does not Appear to be valid: #{file}")
        return false
      when "stdapi_registry_load_key: Operation failed: The process cannot access the file because it is being used by another process."
        #print_error("The file you specified is currently locked by another process: #{file}")
        return false
      when /stdapi_registry_load_key: Operation failed:/
        #print_error("An unknown error has occurred: #{loadres.to_s}")
        return false
      else
        return true
      end
    end

  rescue
    return false
  end
end

#meterpreter_registry_perms(perms, view = REGISTRY_VIEW_NATIVE) ⇒ Object (protected)

Meterpreter-specific registry manipulation methods

# File 'lib/msf/core/post/windows/registry.rb', line 458

def meterpreter_registry_perms(perms, view = REGISTRY_VIEW_NATIVE)
  if view == REGISTRY_VIEW_32_BIT
    perms |= KEY_WOW64_32KEY
  elsif view == REGISTRY_VIEW_64_BIT
    perms |= KEY_WOW64_64KEY
  end
  perms
end

#meterpreter_registry_setvaldata(key, valname, data, type, view) ⇒ Object (protected)

Add the value valname to the key key with the specified type and data

# File 'lib/msf/core/post/windows/registry.rb', line 646

def meterpreter_registry_setvaldata(key, valname, data, type, view)
  begin
    root_key, base_key = session.sys.registry.splitkey(key)
    perms = meterpreter_registry_perms(KEY_WRITE, view)
    session.sys.registry.set_value_direct(root_key, base_key,
      valname, session.sys.registry.type2str(type), data, perms)
    return true
  rescue Rex::Post::Meterpreter::RequestError => e
    return nil
  end
end

#meterpreter_registry_unloadkey(key) ⇒ Object (protected)

Unload the hive file stored in key

# File 'lib/msf/core/post/windows/registry.rb', line 503

def meterpreter_registry_unloadkey(key)
  begin
    client.sys.config.getprivs()
    root_key, base_key = session.sys.registry.splitkey(key)
    begin
      unloadres= session.sys.registry.unload_key(root_key,base_key)
    rescue Rex::Post::Meterpreter::RequestError => e
      case e.to_s
      when "stdapi_registry_unload_key: Operation failed: The parameter is incorrect."
        #print_error("The KEY you provided does not appear to match a loaded Registry Hive: #{key}")
        return false
      when /stdapi_registry_unload_key: Operation failed:/
        #print_error("An unknown error has occurred: #{unloadres.to_s}")
        return false
      else
        return true
      end
    end
  rescue
    return false
  end
end

#normalize_key(key) ⇒ Object (protected)

Normalize the supplied full registry key string so the root key is sane. For instance, passing “HKLMSoftwareDog” will return ‘HKEY_LOCAL_MACHINESoftwareDog’

# File 'lib/msf/core/post/windows/registry.rb', line 683

def normalize_key(key)
  keys = split_key(key)
  if (keys[0] =~ /HKLM|HKEY_LOCAL_MACHINE/)
    keys[0] = 'HKEY_LOCAL_MACHINE'
  elsif (keys[0] =~ /HKCU|HKEY_CURRENT_USER/)
    keys[0] = 'HKEY_CURRENT_USER'
  elsif (keys[0] =~ /HKU|HKEY_USERS/)
    keys[0] = 'HKEY_USERS'
  elsif (keys[0] =~ /HKCR|HKEY_CLASSES_ROOT/)
    keys[0] = 'HKEY_CLASSES_ROOT'
  elsif (keys[0] =~ /HKCC|HKEY_CURRENT_CONFIG/)
    keys[0] = 'HKEY_CURRENT_CONFIG'
  elsif (keys[0] =~ /HKPD|HKEY_PERFORMANCE_DATA/)
    keys[0] = 'HKEY_PERFORMANCE_DATA'
  elsif (keys[0] =~ /HKDD|HKEY_DYN_DATA/)
    keys[0] = 'HKEY_DYN_DATA'
  else
    raise ArgumentError, "Cannot normalize unknown key: #{key}"
  end
  # print_status("Normalized #{key} to #{keys.join("\\")}")
  return keys.compact.join("\\")
end

#registry_createkey(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Create the given registry key

# File 'lib/msf/core/post/windows/registry.rb', line 126

def registry_createkey(key, view = REGISTRY_VIEW_NATIVE)
  if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_CREATE_KEY)
    meterpreter_registry_createkey(key, view)
  else
    shell_registry_createkey(key, view)
  end
end

#registry_deletekey(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Delete a given registry key

returns true if successful

# File 'lib/msf/core/post/windows/registry.rb', line 152

def registry_deletekey(key, view = REGISTRY_VIEW_NATIVE)
  if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_DELETE_KEY)
    meterpreter_registry_deletekey(key, view)
  else
    shell_registry_deletekey(key, view)
  end
end

#registry_deleteval(key, valname, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Deletes a registry value given the key and value name

returns true if successful

# File 'lib/msf/core/post/windows/registry.rb', line 139

def registry_deleteval(key, valname, view = REGISTRY_VIEW_NATIVE)
  if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_DELETE_KEY)
    meterpreter_registry_deleteval(key, valname, view)
  else
    shell_registry_deleteval(key, valname, view)
  end
end

#registry_enumkeys(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Return an array of subkeys for the given registry key

# File 'lib/msf/core/post/windows/registry.rb', line 163

def registry_enumkeys(key, view = REGISTRY_VIEW_NATIVE)
  if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_ENUM_KEY)
    meterpreter_registry_enumkeys(key, view)
  else
    shell_registry_enumkeys(key, view)
  end
end

#registry_enumvals(key, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Return an array of value names for the given registry key

# File 'lib/msf/core/post/windows/registry.rb', line 174

def registry_enumvals(key, view = REGISTRY_VIEW_NATIVE)
  if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_ENUM_VALUE_DIRECT)
    meterpreter_registry_enumvals(key, view)
  else
    shell_registry_enumvals(key, view)
  end
end

#registry_getvaldata(key, valname, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Return the data of a given registry key and value

# File 'lib/msf/core/post/windows/registry.rb', line 185

def registry_getvaldata(key, valname, view = REGISTRY_VIEW_NATIVE)
  if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_ENUM_VALUE_DIRECT)
    meterpreter_registry_getvaldata(key, valname, view)
  else
    shell_registry_getvaldata(key, valname, view)
  end
end

#registry_getvalinfo(key, valname, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Return the data and type of a given registry key and value

# File 'lib/msf/core/post/windows/registry.rb', line 196

def registry_getvalinfo(key, valname, view = REGISTRY_VIEW_NATIVE)
  if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_OPEN_KEY)
    meterpreter_registry_getvalinfo(key, valname, view)
  else
    shell_registry_getvalinfo(key, valname, view)
  end
end

#registry_hive_lookup(hive) ⇒ Object

Lookup registry hives by key.

# File 'lib/msf/core/post/windows/registry.rb', line 80

def registry_hive_lookup(hive)
  case hive
  when 'HKCR'
    HKEY_LOCAL_MACHINE
  when 'HKCU'
    HKEY_CURRENT_USER
  when 'HKLM'
    HKEY_LOCAL_MACHINE
  when 'HKU'
    HKEY_USERS
  when 'HKPD'
    HKEY_PERFORMANCE_DATA
  when 'HKCC'
    HKEY_CURRENT_CONFIG
  when 'HKDD'
    HKEY_DYN_DATA
  else
    HKEY_LOCAL_MACHINE
  end
end

#registry_key_exist?(key) ⇒ Boolean

Checks if a key exists on the target registry

Parameters:

• key (String) —

  the full path of the key to check

Returns:

• (Boolean) —

  true if the key exists on the target registry, false otherwise (also in case of error)

# File 'lib/msf/core/post/windows/registry.rb', line 222

def registry_key_exist?(key)
  if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_CHECK_KEY_EXISTS)
    meterpreter_registry_key_exist?(key)
  else
    shell_registry_key_exist?(key)
  end
end

#registry_loadkey(key, file) ⇒ Object

Load a hive file

# File 'lib/msf/core/post/windows/registry.rb', line 104

def registry_loadkey(key, file)
  if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_LOAD_KEY)
    meterpreter_registry_loadkey(key, file)
  else
    shell_registry_loadkey(key, file)
  end
end

#registry_setvaldata(key, valname, data, type, view = REGISTRY_VIEW_NATIVE) ⇒ Object

Sets the data for a given value and type of data on the target registry

returns true if successful

# File 'lib/msf/core/post/windows/registry.rb', line 209

def registry_setvaldata(key, valname, data, type, view = REGISTRY_VIEW_NATIVE)
  if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_SET_VALUE_DIRECT)
    meterpreter_registry_setvaldata(key, valname, data, type, view)
  else
    shell_registry_setvaldata(key, valname, data, type, view)
  end
end

#registry_unloadkey(key) ⇒ Object

Unload a hive file

# File 'lib/msf/core/post/windows/registry.rb', line 115

def registry_unloadkey(key)
  if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_UNLOAD_KEY)
    meterpreter_registry_unloadkey(key)
  else
    shell_registry_unloadkey(key)
  end
end

#session_has_registry_ext ⇒ Object (protected)

Deprecated.

Use granular command ID checking session.commands instead

Determines whether the session can use meterpreter registry methods

# File 'lib/msf/core/post/windows/registry.rb', line 236

def session_has_registry_ext
  begin
    return !!(session.sys and session.sys.registry)
  rescue NoMethodError
    return false
  end
end

#shell_registry_cmd(suffix, view = REGISTRY_VIEW_NATIVE) ⇒ Object (protected)

Generic registry manipulation methods based on reg.exe

# File 'lib/msf/core/post/windows/registry.rb', line 249

def shell_registry_cmd(suffix, view = REGISTRY_VIEW_NATIVE)
  cmd = "cmd.exe /c reg #{suffix}"
  if view == REGISTRY_VIEW_32_BIT
    cmd << " /reg:32"
  elsif view == REGISTRY_VIEW_64_BIT
    cmd << " /reg:64"
  end
  result = cmd_exec(cmd)
  result
end

#shell_registry_cmd_result(suffix, view = REGISTRY_VIEW_NATIVE) ⇒ Object (protected)

# File 'lib/msf/core/post/windows/registry.rb', line 260

def shell_registry_cmd_result(suffix, view = REGISTRY_VIEW_NATIVE)
  results = shell_registry_cmd(suffix, view)
  results.include?('The operation completed successfully')
end

#shell_registry_createkey(key, view) ⇒ Object (protected)

Use reg.exe to create a new registry key

# File 'lib/msf/core/post/windows/registry.rb', line 284

def shell_registry_createkey(key, view)
  key = normalize_key(key)
  # REG ADD KeyName [/v ValueName | /ve] [/t Type] [/s Separator] [/d Data] [/f]
  shell_registry_cmd_result("add \"#{key}\" /f", view)
end

#shell_registry_deletekey(key, view) ⇒ Object (protected)

Use reg.exe to delete key and all its subkeys and values

# File 'lib/msf/core/post/windows/registry.rb', line 302

def shell_registry_deletekey(key, view)
  key = normalize_key(key)
  # REG DELETE KeyName [/v ValueName | /ve | /va] [/f]
  shell_registry_cmd_result("delete \"#{key}\" /f", view)
end

#shell_registry_deleteval(key, valname, view) ⇒ Object (protected)

Use reg.exe to delete valname in key

# File 'lib/msf/core/post/windows/registry.rb', line 293

def shell_registry_deleteval(key, valname, view)
  key = normalize_key(key)
  # REG DELETE KeyName [/v ValueName | /ve | /va] [/f]
  shell_registry_cmd_result("delete \"#{key}\" /v \"#{valname}\" /f", view)
end

#shell_registry_enumkeys(key, view) ⇒ Object (protected)

Use reg.exe to enumerate all the subkeys in key

# File 'lib/msf/core/post/windows/registry.rb', line 311

def shell_registry_enumkeys(key, view)
  key = normalize_key(key)
  subkeys = []
  reg_data_types = 'REG_SZ|REG_MULTI_SZ|REG_DWORD_BIG_ENDIAN|REG_DWORD|REG_BINARY|'
  reg_data_types << 'REG_DWORD_LITTLE_ENDIAN|REG_NONE|REG_EXPAND_SZ|REG_LINK|REG_FULL_RESOURCE_DESCRIPTOR'

  bslashes = key.count('\\')
  bslashes = bslashes - 1 if key.ends_with?('\\')

  results = shell_registry_cmd("query \"#{key}\"", view)
  unless results.to_s.upcase.starts_with?('ERROR:')
    results.each_line do |line|
      # now let's keep the ones that have a count = bslashes+1
      # feels like there's a smarter way to do this but...
      if (line.count('\\') == bslashes+1 && !line.ends_with?('\\'))
        # then it's a first level subkey
        subkeys << line.split('\\').last.chomp # take & chomp the last item only
      end
    end
  end
  subkeys
end

#shell_registry_enumvals(key, view) ⇒ Object (protected)

Use reg.exe to enumerate all the values in key

# File 'lib/msf/core/post/windows/registry.rb', line 337

def shell_registry_enumvals(key, view)
  key = normalize_key(key)
  values = []
  reg_data_types = 'REG_SZ|REG_MULTI_SZ|REG_DWORD_BIG_ENDIAN|REG_DWORD|REG_BINARY|'
  reg_data_types << 'REG_DWORD_LITTLE_ENDIAN|REG_NONE|REG_EXPAND_SZ|REG_LINK|REG_FULL_RESOURCE_DESCRIPTOR'
  # REG QUERY KeyName [/v ValueName | /ve] [/s]
  results = shell_registry_cmd("query \"#{key}\"", view)
  unless results.to_s.upcase.starts_with?('ERROR:')
    if values = results.scan(/^ +.*[#{reg_data_types}].*/)
      # yanked the lines with legit REG value types like REG_SZ
      # now let's parse out the names (first field basically)
      values.collect! do |line|
        t = line.split(' ')[0].chomp #chomp for good measure
        # check if reg returned "<NO NAME>", which splits to "<NO", if so nil instead
        t = nil if t == "<NO"
        t
      end
    end
  end
  values
end

#shell_registry_getvaldata(key, valname, view) ⇒ Object (protected)

Returns the data portion of the value valname

# File 'lib/msf/core/post/windows/registry.rb', line 362

def shell_registry_getvaldata(key, valname, view)
  valinfo = shell_registry_getvalinfo(key, valname, view)
  return nil if valinfo.nil?

  valinfo['Data']
end

#shell_registry_getvalinfo(key, valname, view) ⇒ Object (protected)

Enumerate the type and data stored in the registry value valname in key

# File 'lib/msf/core/post/windows/registry.rb', line 373

def shell_registry_getvalinfo(key, valname, view)
  key = normalize_key(key)
  value = {
    'Data' => nil,
    'Type' => nil
  }

  # REG QUERY KeyName [/v ValueName | /ve] [/s]
  results = shell_registry_cmd("query \"#{key}\" /v \"#{valname}\"", view)

  # pull out the interesting line (the one with the value name in it)
  return nil unless match_arr = /^ +#{valname}.*/i.match(results)

  # split with ' ' yielding [valname,REGvaltype,REGdata] and extract reg type
  vtype = match_arr[0].split[1]
  if %w[ REG_BINARY REG_DWORD REG_EXPAND_SZ REG_MULTI_SZ REG_NONE REG_QWORD REG_SZ ].include?(vtype)
    value['Type'] = self.class.const_get(vtype)
  end
  # treat the remainder of the line after the reg type as the reg value
  vdata = match_arr[0].strip.scan(/#{vtype}\s+(.+)/).flatten.first
  case vtype
  when 'REG_BINARY'
    vdata = vdata.scan(/../).map { |x| x.hex.chr }.join
  when 'REG_DWORD', 'REG_QWORD'
    if vdata.start_with?('0x')
      vdata = vdata[2..].to_i(16)
    else
      vdata = vdata.to_i
    end
  when 'REG_MULTI_SZ'
    vdata = vdata.split('\0')
  end
  value['Data'] = vdata

  value
end

#shell_registry_key_exist?(key) ⇒ Boolean (protected)

Checks if a key exists on the target registry using a shell session

Parameters:

• key (String) —

  the full path of the key to check

Returns:

• (Boolean) —

  true if the key exists on the target registry, false otherwise, even if case of error (invalid arguments) or the session hasn't permission to access the key

# File 'lib/msf/core/post/windows/registry.rb', line 441

def shell_registry_key_exist?(key)
  begin
    key = normalize_key(key)
  rescue ArgumentError
    return false
  end

  results = shell_registry_cmd("query \"#{key}\"")
  return false if results.blank? || results =~ /ERROR: /i

  true
end

#shell_registry_loadkey(key, file) ⇒ Object (protected)

Use reg.exe to load the hive file file into key

# File 'lib/msf/core/post/windows/registry.rb', line 268

def shell_registry_loadkey(key, file)
  key = normalize_key(key)
  shell_registry_cmd_result("load \"#{key}\" \"#{file}\"")
end

#shell_registry_setvaldata(key, valname, data, type, view) ⇒ Object (protected)

Use reg.exe to add a value valname in the key key with the specified type and data

# File 'lib/msf/core/post/windows/registry.rb', line 414

def shell_registry_setvaldata(key, valname, data, type, view)
  key = normalize_key(key)

  case type
  when 'REG_BINARY'
    data = data.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
  when 'REG_EXPAND_SZ'
    if session.type == 'powershell'
      data = data.gsub('%', '""%""')
    elsif session.type == 'shell'
      data = data.gsub('%', '"%"')
    end
  when 'REG_MULTI_SZ'
    data = data.join('\0')
  end

  # REG ADD KeyName [/v ValueName | /ve] [/t Type] [/s Separator] [/d Data] [/f]
  # /f to overwrite w/o prompt
  shell_registry_cmd_result("add \"#{key}\" /v \"#{valname}\" /t \"#{type}\" /d \"#{data}\" /f", view)
end

#shell_registry_unloadkey(key) ⇒ Object (protected)

Use reg.exe to unload the hive in key

# File 'lib/msf/core/post/windows/registry.rb', line 276

def shell_registry_unloadkey(key)
  key = normalize_key(key)
  shell_registry_cmd_result("unload \"#{key}\"")
end

#split_key(str) ⇒ Object (protected)

Split the supplied full registry key string into its root key and base key. For instance, passing “HKLMSoftwareDog” will return [ ‘HKEY_LOCAL_MACHINE’, ‘SoftwareDog’ ]

# File 'lib/msf/core/post/windows/registry.rb', line 711

def split_key(str)
  if (str =~ /^(.+?)\\(.*)$/)
    [ $1, $2 ]
  else
    [ str, nil ]
  end
end