In this post I show how to quickly develop 4 plugins using 3RPG. Except for the documentation (this post) it took barely 10-15 minutes.

You can download plugins here.

01. Detecting presence of 7zip on the system

7Zip has a key in the following location

HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip

This is enough to build the script:

Note that the name of the script is automatically prefixed with an underscore (7zip -> _7zip) for names starting with digits (it’s because perl doesn’t ‘like’ it).

Also, when you paste the 7zip registry key, and change the focus 3RPG will automatically strip HKEY_LOCAL_MACHINE\SOFTWARE part:

Now click the code – 3RPG will automatically select it all for your convenience.

You can now copy this to any editor and save – use a name highlighted in red and with an extension .pl i.e. _7zip.pl.

Then run:

perl rip.pl -r SOFTWARE.copy0 -p _7zip

The result:

02 Listing persistent network mappings

All mapped drives are listed under the following key:

HKEY_CURRENT_USER\Network

Again, we run through the same exercise as previously – this time we include ‘Yes, scan subkeys, depth=2’

Then run:

perl rip.pl -r NTUSER.DAT -p netmap

and the result is:

03. Listing all possible CLSID autostart entries

Amongst various less-known autostart mechanisms that I listed in my older post we can find adding or re-using entries of COM servers. Such technique can be used to introduce a man-in-the-middle code for a legitimate plugins, shell extensions, etc. .

The information about the COM servers is stored under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

The names of DLLs, EXEs, etc. are usually listed under {Default} value, so the plugin below will list (going recursively through the whole node) all possible {Default} values listed under CLSID node.

We run it as:

perl rip.pl -r Software2 -p clsid

And the results are:

This is not a perfect solution as many {Default} values don’t include a file name, but we could either grep results by specific extension e.g. dll, or patch the script manually and add a better routine (e.g. only list values under InprocServer32 and LocalServer32)

Last, but not least – running this plugin often probably doesn’t make sense as it’s very slow, but it is a simple example that demonstrates how to search for {Default} values.

 04. Listing keys with binary data

This is just another simple example showing how REG_BINARY data is presented in the output of plugins generated with 3RGP.

For the example, I will look at the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Print\Printers\Microsoft XPS Document Writer

associated with Microsoft XPS Document Writer and its value Default DevMode.

I don’t know what’s exactly inside this key, but since it contains a binary blob, it will serve the purpose here.

We run it as:

perl rip.pl -r Software2 -p xps

And the results are:

That’s it! Thanks for reading!