3RPG – Rapid RegRipper Plugin Development

March 14, 2013 in 3RPG, Forensic Analysis, Software Releases

Inspired by DFIR posts from users (often non-programmers) requesting help with writing/improving RegRipper plugins I created a new tool that aims at developing RR plugins in a much faster way.

The tool is called 3RPG and it’s oriented mainly at non-programmers and less experienced programmers. Of course, if you are an old school perl programmer, go ahead and try it as well. Any feedback and comments will be much appreciated.

What is 3RPG?

3RPG is a web form that helps you to quickly build Plugins for RegRipper by Harlan Carvey.

You just need to fill-in a few fields and the code of the new plugin will be ‘developed’ instantly in front of your eyes.

You can go and check how it works here – 1000 words worth screenshot should help you to get the idea:

3rpg_1

Benefits a.k.a. why 3RPG was created?

If you are a non-programmer…

  • You can use a web form to instantly create your own RegRipper Plugin for a specific registry node/key
  • If you need to add extra features, you can pass such script with example data to more experienced RegRipper plugin programmers – trust me, they will appreciate the effort you put into research and will be more eager to help
  • You can save 3RPG as an HTML page and use it offline

If you are a programmer…

  • You know that writing new RegRipper plugins ‘by hand’ is kinda painful i.e. it’s easier to modify existing script to add features than starting from the scratch
  • Creating new scripts is usually a copy and paste game – there is always a chance for making a silly typo or mistake
  • In general – in many cases simply (recursively) enumerating a specific registry node/key and cherry-picking something with a simple filter is enough
  • Also, adding a generic data print mechanism for all possible registry data types helps to quickly ‘analyze’ plugins’ output w/o any extra effort
  • ..and this is exactly what the 3RPG offers; more complex scenarios require (obviously) some manual coding
  • You can also fetch the template and adjust it to your needs manually – I am confident that with small modifications it may support all possible registry retrieval needs
  • If you are curious about technical details, I talk about it at the bottom of this post

How to use 3RPG?

Just go to the 3RPG Wizard, fill in the form (takes 1-2 minutes), then copy and paste the resulting script and save to a file – once you do, you are ready to go!

To run/test the script, use the newly created file (here myscript) with RegRipper:

perl rip.pl -r <hive> -p myscript

For a typical script, these fields are required:

  • a script name e.g. myplugin.pl
  • a hive name(s) e.g. Software
  • a node e.g. Microsoft\Windows\CurrentVersion\Run
  • a key name/value (works like a filter) e.g. x86
  • if you want to scan subkeys (recursively, you can also specify the depth)
  • if you want to include Wow6432Node keys (typically, you do since many new systems are 64-bit)

and then leave the rest fields with default values.

Share!

If you write a new plugin, share the script with the community (if you do, please fill-in the rest of the fields to avoid generic/default values in the scripts. Thanks!)

 

Examples

Software \ Run key enumeration

Implementing a classic Run key enumeration for the Software hive is easy – it’s actually already written for you on the 3RPG page (it’s based on default values of 3RPG).

Just copy the script from 3RPG page

3rpg_1c

and save it as ‘myscript.pl’, then run it as:

rip.pl -r SOFTWARE.copy0 -p myscript

Running it with a test hive gives the following results:

3rpg_2

Software \ Run key enumeration with a specific value

A similar example as before, we just want to narrow down the search looking for e.g. for ‘MSN’

We just need to type ‘msn’ (it’s case insensitive) in ‘What keys/values would you like to include?‘ field:

3rpg_3

Saving the resulting script and running as previous will only show keys/values/data for values/data that contain ‘msn’ (keys are not checked as you are enumerating recursively anyway).

3rpg_4

Technical details

3RPG is a web form. It’s written in HTML + JavaScript. As a base for the plug-in I relied on my old generic RR plugin template that I used in the past. It exploits the fact that the registry data is stored in a tree-like fashion, so recursive enumeration is a natural way of parsing such data w/o going into intricacies of parsing specific keys, values, and conditional processing. It is also very similar to the way command line reg.exe works when executed with ‘query’ or ‘query /s’.

Currently, the following features are supported:

  • 3RPG is interactive – changes to the script are instantly visible and highlighted in the source code
  • A script name can be specified from the form
  • A hive can be selected manually, but script will try to select the correct one based on the key i.e. some hive name(s) are automatically selected when key names including substrings like ‘HKEY_LOCAL_MACHINE\Software’ are pasted
  • Enumeration of keys can be recursive, with a specified depth
  • Filtering of key names/values is possible
  • Code for parsing Wow6432Node nodes can be added with a single click
  • Data dumping is supported for all registry data types (non-printable data is printed as hex)

Bugs

It’s the first version, so bugs are there for sure; if you spot any, please do let me know.

Thanks in advance!

Share this :)

Comments are closed.