3RPG – 4 RegRipper Plugins in 15 minutes

March 15, 2013 in 3RPG, Forensic Analysis, Software Releases

In this post I show how to quickly develop 4 plugins using 3RPG. Except for the documentation (this post) it took barely 10-15 minutes.

You can download plugins here.

01. Detecting presence of 7zip on the system

7Zip has a key in the following location

HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip

This is enough to build the script:

01_7zip1

Note that the name of the script is automatically prefixed with an underscore (7zip -> _7zip) for names starting with digits (it’s because perl doesn’t ‘like’ it).

Also, when you paste the 7zip registry key, and change the focus 3RPG will automatically strip HKEY_LOCAL_MACHINE\SOFTWARE part:

01_7zip2Now click the code – 3RPG will automatically select it all for your convenience.

01_7zip3

You can now copy this to any editor and save – use a name highlighted in red and with an extension .pl i.e. _7zip.pl.

Then run:

perl rip.pl -r SOFTWARE.copy0 -p _7zip

The result:

01_7zip4

02 Listing persistent network mappings

All mapped drives are listed under the following key:

HKEY_CURRENT_USER\Network

Again, we run through the same exercise as previously – this time we include ‘Yes, scan subkeys, depth=2’

02_netmap1

Then run:

perl rip.pl -r NTUSER.DAT -p netmap

and the result is:

02_netmap2b

03. Listing all possible CLSID autostart entries

Amongst various less-known autostart mechanisms that I listed in my older post we can find adding or re-using entries of COM servers. Such technique can be used to introduce a man-in-the-middle code for a legitimate plugins, shell extensions, etc. .

The information about the COM servers is stored under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

The names of DLLs, EXEs, etc. are usually listed under {Default} value, so the plugin below will list (going recursively through the whole node) all possible {Default} values listed under CLSID node.

03_clsid1

We run it as:

perl rip.pl -r Software2 -p clsid

And the results are:

03_clsid2

This is not a perfect solution as many {Default} values don’t include a file name, but we could either grep results by specific extension e.g. dll, or patch the script manually and add a better routine (e.g. only list values under InprocServer32 and LocalServer32)

03_clsid3

Last, but not least – running this plugin often probably doesn’t make sense as it’s very slow, but it is a simple example that demonstrates how to search for {Default} values.

 04. Listing keys with binary data

This is just another simple example showing how REG_BINARY data is presented in the output of plugins generated with 3RGP.

For the example, I will look at the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Print\Printers\Microsoft XPS Document Writer

associated with Microsoft XPS Document Writer and its value Default DevMode.

I don’t know what’s exactly inside this key, but since it contains a binary blob, it will serve the purpose here.

04_xps1

We run it as:

perl rip.pl -r Software2 -p xps

And the results are:

04_xps2

That’s it! Thanks for reading!

Share this 🙂
3RPG – 4 RegRipper Plugins in 15 minutes

2 Comments

    1. H. Carvey says:

      Adam,

      Great examples, and great work.

      Just FYI…the sevenzip.pl plugin included in the distro is over 3 yrs old at this point…

      • adam says:

        Thanks, just wanted to show sth simple; I may post a few more examples for more real case-oriented plugins…

3RPG – 4 RegRipper Plugins in 15 minutes

0 Trackbacks