In this post I show how to quickly develop 4 plugins using 3RPG. Except for the documentation (this post) it took barely 10-15 minutes.
You can download plugins here.
01. Detecting presence of 7zip on the system
7Zip has a key in the following location
HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip
This is enough to build the script:

Note that the name of the script is automatically prefixed with an underscore (7zip -> _7zip) for names starting with digits (it’s because perl doesn’t ‘like’ it).
Also, when you paste the 7zip registry key, and change the focus 3RPG will automatically strip HKEY_LOCAL_MACHINE\SOFTWARE part:
Now click the code – 3RPG will automatically select it all for your convenience.

You can now copy this to any editor and save – use a name highlighted in red and with an extension .pl i.e. _7zip.pl.
Then run:
perl rip.pl -r SOFTWARE.copy0 -p _7zip
The result:

02 Listing persistent network mappings
All mapped drives are listed under the following key:
HKEY_CURRENT_USER\Network
Again, we run through the same exercise as previously – this time we include ‘Yes, scan subkeys, depth=2’

Then run:
perl rip.pl -r NTUSER.DAT -p netmap
and the result is:

03. Listing all possible CLSID autostart entries
Amongst various less-known autostart mechanisms that I listed in my older post we can find adding or re-using entries of COM servers. Such technique can be used to introduce a man-in-the-middle code for a legitimate plugins, shell extensions, etc. .
The information about the COM servers is stored under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
The names of DLLs, EXEs, etc. are usually listed under {Default} value, so the plugin below will list (going recursively through the whole node) all possible {Default} values listed under CLSID node.

We run it as:
perl rip.pl -r Software2 -p clsid
And the results are:

This is not a perfect solution as many {Default} values don’t include a file name, but we could either grep results by specific extension e.g. dll, or patch the script manually and add a better routine (e.g. only list values under InprocServer32 and LocalServer32)

Last, but not least – running this plugin often probably doesn’t make sense as it’s very slow, but it is a simple example that demonstrates how to search for {Default} values.
04. Listing keys with binary data
This is just another simple example showing how REG_BINARY data is presented in the output of plugins generated with 3RGP.
For the example, I will look at the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Print\Printers\Microsoft XPS Document Writer
associated with Microsoft XPS Document Writer and its value Default DevMode.
I don’t know what’s exactly inside this key, but since it contains a binary blob, it will serve the purpose here.

We run it as:
perl rip.pl -r Software2 -p xps
And the results are:

That’s it! Thanks for reading!