
RegRipper Ripper (3R) and the list of reg keys covered by RR plugins

April 4, 2013 in 3RPG, Forensic Analysis

Update

Updated 3R to cover the latest archive from the RegRipper site – plugins20130403.zip (the new version introduced over 40 new scripts).

Old post

I got curious which keys are already covered by the existing 280+ RegRipper plugins, so I wrote a quick and dirty script to retrieve the data from all plugins in an automated way. For the fun of it, I named the script RegRipper Ripper (3R).

The script is here, and the result of running it over the latest bundle is available here.

You may use the list to see what’s already covered and… avoid writing a plugin for a key that is already handled.

The 3R is a dumb script, so a few things had to be fixed manually (but still inside the script, so it can be used to regenerate the tables any time needed, e.g. after a bundle update). I hope there are no mistakes, but if you spot any, please let me know and I will fix them. Thanks!

3RPG – 4 RegRipper Plugins in 15 minutes

March 15, 2013 in 3RPG, Forensic Analysis, Software Releases

In this post I show how to quickly develop 4 plugins using 3RPG. Except for the documentation (this post), it took barely 10-15 minutes.

You can download plugins here.

01. Detecting presence of 7zip on the system

7Zip has a key in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip

This is enough to build the script:

[Screenshot: 01_7zip1]

Note that the name of the script is automatically prefixed with an underscore (7zip -> _7zip) for names starting with digits (Perl identifiers, including package names, cannot start with a digit).

Also, when you paste the 7zip registry key and change focus, 3RPG will automatically strip the HKEY_LOCAL_MACHINE\SOFTWARE part:

[Screenshot: 01_7zip2]

Now click the code – 3RPG will automatically select it all for your convenience.

[Screenshot: 01_7zip3]

You can now copy this to any editor and save it – use the name highlighted in red with the extension .pl, i.e. _7zip.pl.

Then run:

perl rip.pl -r SOFTWARE.copy0 -p _7zip

The result:

[Screenshot: 01_7zip4]

02. Listing persistent network mappings

All mapped drives are listed under the following key:

HKEY_CURRENT_USER\Network

Again, we run through the same exercise as previously – this time we include ‘Yes, scan subkeys, depth=2’.

[Screenshot: 02_netmap1]

Then run:

perl rip.pl -r NTUSER.DAT -p netmap

and the result is:

[Screenshot: 02_netmap2b]

03. Listing all possible CLSID autostart entries

Amongst the various less-known autostart mechanisms that I listed in my older post, we can find adding or re-using entries of COM servers. Such a technique can be used to introduce man-in-the-middle code for legitimate plugins, shell extensions, etc.

The information about the COM servers is stored under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

The names of DLLs, EXEs, etc. are usually stored in the {Default} value, so the plugin below lists (recursing through the whole node) all {Default} values found under the CLSID node.

[Screenshot: 03_clsid1]

We run it as:

perl rip.pl -r Software2 -p clsid

And the results are:

[Screenshot: 03_clsid2]

This is not a perfect solution, as many {Default} values don’t include a file name, but we could either grep the results for a specific extension, e.g. dll, or patch the script manually and add a better routine (e.g. only list the values under InprocServer32 and LocalServer32).

[Screenshot: 03_clsid3]

Last, but not least – running this plugin often probably doesn’t make sense as it’s very slow, but it is a simple example that demonstrates how to search for {Default} values.
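As an added example (not from the original post and not generated by 3RPG), here is the ‘better routine’ mentioned above written as a hand-made RegRipper plugin: it only reports the {Default} value of InprocServer32 and LocalServer32 subkeys, plus the subkey LastWrite time, which is what an examiner looks at when triaging COM registrations. The plugin name clsid_servers and its layout are assumptions that follow the usual RegRipper plugin skeleton; it expects the SOFTWARE hive.

```perl
#-----------------------------------------------------------
# clsid_servers.pl - added example, not part of the original post
# and not 3RPG output. Walks Classes\CLSID in the SOFTWARE hive and
# reports only the (Default) value of each InprocServer32 /
# LocalServer32 subkey, i.e. the module a COM server resolves to.
#-----------------------------------------------------------
package clsid_servers;
use strict;

my %config = (hive => "Software", hasShortDescr => 1, hasDescr => 0,
              hasRefs => 0, osmask => 22, version => 20130315);

sub getConfig     { return %config }
sub getShortDescr { return "Lists InprocServer32/LocalServer32 (Default) paths under Classes\\CLSID"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }
my $VERSION = getVersion();

sub pluginmain {
    my $class = shift;
    my $hive  = shift;
    ::logMsg("Launching clsid_servers v.".$VERSION);
    ::rptMsg("clsid_servers v.".$VERSION);
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $key_path = "Classes\\CLSID";
    my $key      = $root_key->get_subkey($key_path);
    unless ($key) { ::rptMsg($key_path." not found."); return; }
    ::rptMsg($key_path);
    ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
    ::rptMsg("");
    foreach my $clsid ($key->get_list_of_subkeys()) {
        # Only the two subkeys that name the server module matter here;
        # skipping everything else keeps the output short and the run fast.
        foreach my $srv ("InprocServer32", "LocalServer32") {
            my $sk = $clsid->get_subkey($srv) or next;
            my $v  = $sk->get_value("");      # the (Default) value, may be absent
            next unless defined $v;
            # Subkey LastWrite time helps spot recently modified COM registrations.
            ::rptMsg(sprintf("%s  %-14s  %s  [LastWrite %s UTC]",
                             $clsid->get_name(), $srv, $v->get_data(),
                             scalar gmtime($sk->get_timestamp())));
        }
    }
}
1;
```

Save it as clsid_servers.pl in the plugins directory and run it with perl rip.pl -r Software2 -p clsid_servers, in the same way as the 3RPG-generated plugins above.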

04. Listing keys with binary data

This is just another simple example showing how REG_BINARY data is presented in the output of plugins generated with 3RPG.

For the example, I will look at the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Microsoft XPS Document Writer

associated with the Microsoft XPS Document Writer, and its value Default DevMode.

I don’t know exactly what’s inside this value, but since it contains a binary blob, it will serve the purpose here.

[Screenshot: 04_xps1]

We run it as:

perl rip.pl -r Software2 -p xps

And the results are:

[Screenshot: 04_xps2]

That’s it! Thanks for reading!