3RPG – 4 RegRipper Plugins in 15 minutes

In this post I show how to quickly develop 4 plugins using 3RPG. Except for the documentation (this post) it took barely 10-15 minutes.

You can download plugins here.

01. Detecting presence of 7zip on the system

7Zip has a key in the following location

HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip

This is enough to build the script:

[screenshot: 01_7zip1]

Note that the script name is automatically prefixed with an underscore (7zip -> _7zip) when it starts with a digit, because a Perl package name cannot begin with a digit.

Also, when you paste the 7zip registry key and move the focus away from the field, 3RPG automatically strips the HKEY_LOCAL_MACHINE\SOFTWARE part (the hive root), leaving only the path relative to it:

[screenshot: 01_7zip2]

Now click the code – 3RPG will select it all for your convenience.

[screenshot: 01_7zip3]

You can now copy this into any editor and save it under the name highlighted in red, with a .pl extension, i.e. _7zip.pl.

Then run:

perl rip.pl -r SOFTWARE.copy0 -p _7zip

The result:

[screenshot: 01_7zip4]
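Because the generated code only survives in the screenshots, here is a minimal RegRipper plugin for the same key, written by hand as an added example. It is my own code, not the script 3RPG emits, and it assumes the standard RegRipper plugin layout (a package with %config and pluginmain, the ::rptMsg/::logMsg reporting functions and Parse::Win32Registry all provided by rip.pl). The 7-Zip key path is taken from the post; the value names it prints come from whatever the hive contains.

```perl
# _7zip.pl -- added example of a minimal RegRipper plugin (my own code, not
# 3RPG output). Reports the values under HKLM\SOFTWARE\7-Zip, i.e. "7-Zip"
# relative to the root of the SOFTWARE hive.
package _7zip;
use strict;

my %config = (hive          => "Software",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20240101);   # assumed date-style version

sub getConfig     { return %config; }
sub getShortDescr { return "Checks for the presence of 7-Zip (HKLM\\SOFTWARE\\7-Zip)"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

sub pluginmain {
    my $class = shift;
    my $hive  = shift;   # path of the hive file given to rip.pl with -r
    ::logMsg("Launching _7zip v.".$VERSION);
    ::rptMsg("_7zip v.".$VERSION);

    # rip.pl loads Parse::Win32Registry for us; the hive root *is*
    # HKEY_LOCAL_MACHINE\SOFTWARE, so the key path is relative to it.
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $key_path = "7-Zip";

    if (my $key = $root_key->get_subkey($key_path)) {
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");
        my @vals = $key->get_list_of_values();
        if (scalar(@vals) > 0) {
            foreach my $v (@vals) {
                my $name = $v->get_name();
                $name = "(Default)" if ($name eq "");
                # get_data_as_string renders every type (hex for REG_BINARY)
                ::rptMsg(sprintf("  %-20s %-12s %s", $name,
                                 $v->get_type_as_string(),
                                 $v->get_data_as_string()));
            }
        } else {
            ::rptMsg($key_path." has no values.");
        }
    } else {
        ::rptMsg($key_path." not found.");
    }
}
1;
```

Save it as _7zip.pl in the RegRipper plugins directory and run it exactly as above (perl rip.pl -r SOFTWARE.copy0 -p _7zip). The LastWrite timestamp is worth reporting even for a simple presence check, since it tells you when the key was last modified, not just that the software is installed.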

02. Listing persistent network mappings

All mapped drives are listed under the following key:

HKEY_CURRENT_USER\Network

Again, we go through the same steps as before – this time we also tick ‘Yes, scan subkeys, depth=2’:

[screenshot: 02_netmap1]

Then run:

perl rip.pl -r NTUSER.DAT -p netmap

and the result is:

[screenshot: 02_netmap2b]

03. Listing all possible CLSID autostart entries

Amongst the various less-known autostart mechanisms that I listed in my older post is adding or re-using COM server entries. Such a technique can be used to introduce man-in-the-middle code into legitimate plugins, shell extensions, etc.

The information about the COM servers is stored under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

The names of DLLs, EXEs, etc. are usually stored in the {Default} value, so the plugin below lists (going recursively through the whole node) all {Default} values found under the CLSID node.

[screenshot: 03_clsid1]

We run it as:

perl rip.pl -r Software2 -p clsid

And the results are:

[screenshot: 03_clsid2]

This is not a perfect solution, as many {Default} values don’t contain a file name, but we could either grep the results for a specific extension, e.g. dll, or patch the script manually and add a better routine (e.g. only list values under InprocServer32 and LocalServer32).

[screenshot: 03_clsid3]

Last, but not least – running this plugin often probably doesn’t make sense as it’s very slow, but it is a simple example that demonstrates how to search for {Default} values.

04. Listing keys with binary data

This is just another simple example showing how REG_BINARY data is presented in the output of plugins generated with 3RPG.

For the example, I will look at the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Microsoft XPS Document Writer

associated with Microsoft XPS Document Writer and its value Default DevMode.

I don’t know what’s exactly inside this key, but since it contains a binary blob, it will serve the purpose here.

[screenshot: 04_xps1]

We run it as:

perl rip.pl -r Software2 -p xps

And the results are:

[screenshot: 04_xps2]

That’s it! Thanks for reading!

3RPG – Rapid RegRipper Plugin Development

Inspired by DFIR posts from users (often non-programmers) requesting help with writing/improving RegRipper plugins I created a new tool that aims at developing RR plugins in a much faster way.

The tool is called 3RPG and it’s oriented mainly at non-programmers and less experienced programmers. Of course, if you are an old school perl programmer, go ahead and try it as well. Any feedback and comments will be much appreciated.

What is 3RPG?

3RPG is a web form that helps you to quickly build Plugins for RegRipper by Harlan Carvey.

You just need to fill-in a few fields and the code of the new plugin will be ‘developed’ instantly in front of your eyes.

You can go and check how it works here – a screenshot is worth a thousand words and should help you get the idea:

[screenshot: 3rpg_1]

Benefits a.k.a. why 3RPG was created?

If you are a non-programmer…

  • You can use a web form to instantly create your own RegRipper Plugin for a specific registry node/key
  • If you need to add extra features, you can pass such script with example data to more experienced RegRipper plugin programmers – trust me, they will appreciate the effort you put into research and will be more eager to help
  • You can save 3RPG as an HTML page and use it offline

If you are a programmer…

  • You know that writing new RegRipper plugins ‘by hand’ is rather painful, i.e. it’s easier to modify an existing script to add features than to start from scratch
  • Creating new scripts is usually a copy-and-paste game – there is always a chance of making a silly typo or mistake
  • In general – in many cases simply (recursively) enumerating a specific registry node/key and cherry-picking something with a simple filter is enough
  • Also, a generic data print mechanism for all possible registry data types helps to quickly ‘analyze’ the plugins’ output w/o any extra effort
  • ...and this is exactly what 3RPG offers; more complex scenarios require (obviously) some manual coding
  • You can also fetch the template and adjust it to your needs manually – I am confident that with small modifications it may support all possible registry retrieval needs
  • If you are curious about technical details, I talk about it at the bottom of this post

How to use 3RPG?

Just go to the 3RPG Wizard, fill in the form (takes 1-2 minutes), then copy and paste the resulting script and save to a file – once you do, you are ready to go!

To run/test the script, use the newly created file (here myscript) with RegRipper:

perl rip.pl -r <hive> -p myscript

For a typical script, these fields are required:

  • a script name e.g. myplugin.pl
  • a hive name(s) e.g. Software
  • a node e.g. Microsoft\Windows\CurrentVersion\Run
  • a key name/value (works like a filter) e.g. x86
  • if you want to scan subkeys (recursively, you can also specify the depth)
  • if you want to include Wow6432Node keys (typically, you do since many new systems are 64-bit)

and then leave the remaining fields at their default values.

Share!

If you write a new plugin, share the script with the community (if you do, please fill in the rest of the fields to avoid generic/default values in the script. Thanks!)

Examples

Software \ Run key enumeration

Implementing a classic Run key enumeration for the Software hive is easy – it’s actually already written for you on the 3RPG page (it’s based on default values of 3RPG).

Just copy the script from 3RPG page

[screenshot: 3rpg_1c]

and save it as ‘myscript.pl’, then run it as:

rip.pl -r SOFTWARE.copy0 -p myscript

Running it with a test hive gives the following results:

[screenshot: 3rpg_2]

Software \ Run key enumeration with a specific value

A similar example to the previous one; we just want to narrow down the search, looking e.g. for ‘MSN’.

We just need to type ‘msn’ (it’s case insensitive) in the ‘What keys/values would you like to include?’ field:

[screenshot: 3rpg_3]

Saving the resulting script and running it as before will only show keys/values/data for values/data that contain ‘msn’ (key names are not checked, as you are enumerating recursively anyway).

[screenshot: 3rpg_4]

Technical details

3RPG is a web form written in HTML + JavaScript. As a base for the plug-in I relied on my old generic RR plugin template that I used in the past. It exploits the fact that registry data is stored in a tree-like fashion, so recursive enumeration is a natural way of parsing it w/o going into the intricacies of parsing specific keys and values and conditional processing. It is also very similar to the way the command line reg.exe works when executed with ‘query’ or ‘query /s’.

Currently, the following features are supported:

  • 3RPG is interactive – changes to the script are instantly visible and highlighted in the source code
  • A script name can be specified from the form
  • A hive can be selected manually, but script will try to select the correct one based on the key i.e. some hive name(s) are automatically selected when key names including substrings like ‘HKEY_LOCAL_MACHINE\Software’ are pasted
  • Enumeration of keys can be recursive, with a specified depth
  • Filtering of key names/values is possible
  • Code for parsing Wow6432Node nodes can be added with a single click
  • Data dumping is supported for all registry data types (non-printable data is printed as hex)
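The generic recursive plugin described in the feature list above (and used in examples 02, 03 and 04 of the first post) can be written in about eighty lines. The block below is an added example in that spirit: it is my own code, not the 3RPG template or its output, and it assumes the usual RegRipper plugin conventions (rip.pl loads Parse::Win32Registry and provides ::rptMsg/::logMsg). The settings at the top mirror the wizard fields from "How to use 3RPG?" (node, depth, Wow6432Node, value filter); the key-name filter is my addition and implements the InprocServer32/LocalServer32 refinement suggested for the CLSID example. The plugin name rrtmpl and the version number are placeholders.

```perl
# rrtmpl.pl -- added example of a generic recursive RegRipper plugin
# (my own code, not the 3RPG template). Edit the settings block to aim it
# at a different node; the rest stays the same.
package rrtmpl;
use strict;

# --- settings a 3RPG-style wizard would fill in ----------------------------
my $node       = "Classes\\CLSID";   # path relative to the hive root
my $max_depth  = 2;                  # 0 = only the node itself
my $wow64      = 1;                  # also walk Wow6432Node\<node>
my @val_filter = ();                 # substrings matched against value name or data
                                     # (case-insensitive); empty = report everything
my @key_filter = ("InprocServer32", "LocalServer32");  # only report values under
                                     # keys with these names; empty = every key
# ---------------------------------------------------------------------------

my %config = (hive => "Software", hasShortDescr => 1, hasDescr => 0,
              hasRefs => 0, osmask => 22, version => 20240101);
sub getConfig     { return %config; }
sub getShortDescr { return "Recursively lists values under ".$node; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }
my $VERSION = getVersion();

# Render any value type as printable text; REG_BINARY and any type we do
# not recognise are shown as hex bytes, as the 3RPG output does.
sub fmt_data {
    my $v    = shift;
    my $type = $v->get_type_as_string();
    if ($type eq "REG_SZ" || $type eq "REG_EXPAND_SZ") {
        my $d = $v->get_data();
        return defined($d) ? $d : "";
    } elsif ($type eq "REG_MULTI_SZ") {
        return join(" | ", $v->get_data());          # list context: one string each
    } elsif ($type eq "REG_DWORD" || $type eq "REG_QWORD") {
        my $n = $v->get_data();
        return defined($n) ? sprintf("0x%x (%d)", $n, $n) : "(invalid)";
    } else {
        my $raw = $v->get_raw_data();
        return defined($raw) ? join(" ", unpack("(H2)*", $raw)) : "";
    }
}

# Value-name/data filter (the "What keys/values would you like to include?" field).
sub matches_val {
    my ($name, $data) = @_;
    return 1 unless @val_filter;
    foreach my $f (@val_filter) {
        return 1 if index(lc($name), lc($f)) >= 0 || index(lc($data), lc($f)) >= 0;
    }
    return 0;
}

# Depth-limited recursive walk, like "reg query /s" with a depth cap.
sub walk {
    my ($key, $path, $depth) = @_;
    my $report = (!@key_filter) || grep { lc($_) eq lc($key->get_name()) } @key_filter;
    if ($report) {
        foreach my $v ($key->get_list_of_values()) {
            my $name = $v->get_name();
            $name = "(Default)" if ($name eq "");
            my $data = fmt_data($v);
            next unless matches_val($name, $data);
            ::rptMsg(sprintf("%s  [%s] %s = %s", $path, $v->get_type_as_string(), $name, $data));
        }
    }
    return if ($depth >= $max_depth);
    foreach my $sk ($key->get_list_of_subkeys()) {
        walk($sk, $path."\\".$sk->get_name(), $depth + 1);
    }
}

sub pluginmain {
    my $class = shift;
    my $hive  = shift;
    ::logMsg("Launching rrtmpl v.".$VERSION);
    ::rptMsg("rrtmpl v.".$VERSION);
    my $root_key = Parse::Win32Registry->new($hive)->get_root_key;
    my @paths = ($node);
    push(@paths, "Wow6432Node\\".$node) if ($wow64);   # 64-bit systems keep a second copy
    foreach my $p (@paths) {
        if (my $key = $root_key->get_subkey($p)) {
            ::rptMsg($p);
            ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
            walk($key, $p, 0);
        } else {
            ::rptMsg($p." not found.");
        }
    }
}
1;
```

With these settings depth 0 is CLSID, depth 1 is each {GUID} key and depth 2 is its InprocServer32/LocalServer32 subkey, so only the server paths are reported; as the post notes, walking the whole CLSID node is slow, so it is a triage pass to run once rather than on every hive. Setting @key_filter to () and $node to "Network" with hive "NTUSER" gives the example 02 behaviour; setting $max_depth to 0 and pointing $node at the XPS printer key gives example 04, with the Default DevMode blob dumped as hex.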

Bugs

It’s the first version, so bugs are there for sure; if you spot any, please do let me know.

Thanks in advance!