{"id":1802,"date":"2013-03-15T13:41:21","date_gmt":"2013-03-15T13:41:21","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1802"},"modified":"2013-03-18T04:21:23","modified_gmt":"2013-03-18T04:21:23","slug":"3rpg-4-regripper-plugins-in-15-minutes","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2013\/03\/15\/3rpg-4-regripper-plugins-in-15-minutes\/","title":{"rendered":"3RPG \u2013 4 RegRipper Plugins in 15 minutes"},"content":{"rendered":"

In this post I show how to quickly develop 4 plugins using 3RPG<\/a>. Except for the documentation (this post) it took barely 10-15 minutes.<\/p>\n

You can download plugins here<\/a>.<\/p>\n

01. Detecting presence of 7zip on the system<\/h4>\n

7Zip has a key in the following location<\/p>\n

HKEY_LOCAL_MACHINE\\SOFTWARE\\7-Zip<\/pre>\n
This is enough to build the script:<\/p>\n
\"01_7zip1\"<\/a><\/p>\n
Note that the name of the script is automatically prefixed with an underscore (7zip -> _7zip) for names starting with digits (it’s because perl doesn’t ‘like’ it).<\/p>\n
Also, when you paste the 7zip registry key, and change the focus 3RPG will automatically strip HKEY_LOCAL_MACHINE\\SOFTWARE part:<\/p>\n
\"01_7zip2\"<\/a>Now click the code – 3RPG will automatically select it all for your convenience.<\/p>\n
\"01_7zip3\"<\/a><\/p>\n
You can now copy this to any editor and save – use a name highlighted in red and with an extension .pl i.e. _7zip.pl.<\/p>\n
Then run:<\/p>\n
perl rip.pl -r SOFTWARE.copy0 -p _7zip<\/pre>\n
The result:<\/p>\n
\"01_7zip4\"<\/a><\/p>\n
02 Listing persistent network mappings<\/h4>\n
All mapped drives are listed under the following key:<\/p>\n
HKEY_CURRENT_USER\\Network<\/pre>\n
Again, we run through the same exercise as previously – this time we include ‘Yes, scan subkeys, depth=2’<\/p>\n
\"02_netmap1\"<\/a><\/p>\n
Then run:<\/p>\n
perl rip.pl -r NTUSER.DAT -p netmap<\/pre>\n
and the result is:<\/p>\n
\"02_netmap2b\"<\/a><\/p>\n
03. Listing all possible CLSID autostart entries<\/h3>\n
Amongst various less-known autostart mechanisms that I listed in my older post<\/a> we can find adding or re-using entries of COM servers. Such technique can be used to introduce a man-in-the-middle code for a legitimate plugins, shell extensions, etc. .<\/p>\n
The information about the COM servers is stored under the following key:<\/p>\n
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID<\/pre>\n
The names of DLLs, EXEs, etc. are usually listed under {Default}<\/em> value, so the plugin below will list (going recursively through the whole node) all possible {Default} <\/em>values listed under CLSID node.<\/p>\n
\"03_clsid1\"<\/a><\/p>\n
We run it as:<\/p>\n
perl rip.pl -r Software2 -p clsid<\/pre>\n
And the results are:<\/p>\n
\"03_clsid2\"<\/a><\/p>\n
This is not a perfect solution as many {Default}<\/em> values don’t include a file name, but we could either grep results by specific extension e.g. dll, or patch the script manually and add a better routine (e.g. only list values under InprocServer32<\/em> and LocalServer32<\/em>)<\/p>\n
\"03_clsid3\"<\/a><\/p>\n
Last, but not least – running this plugin often probably doesn’t make sense as it’s very slow, but it is a simple example that demonstrates how to search for {Default}<\/em> values.<\/p>\n
\u00a004. Listing keys with binary data<\/h3>\n
This is just another simple example showing how REG_BINARY data is presented in the output of plugins generated with 3RGP.<\/p>\n
For the example, I will look at the key<\/p>\n
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\\r\nCurrentVersion\\Print\\Printers\\Microsoft XPS Document Writer<\/pre>\n
associated with Microsoft XPS Document Writer and its value Default DevMode<\/em>.<\/p>\n
I don’t know what’s exactly inside this key, but since it contains a binary blob, it will serve the purpose here.<\/p>\n
\"04_xps1\"<\/a><\/p>\n
We run it as:<\/p>\n
perl rip.pl -r Software2 -p xps<\/pre>\n
And the results are:<\/p>\n
\"04_xps2\"<\/a><\/p>\n
That’s it! Thanks for reading!<\/p>\n","protected":false},"excerpt":{"rendered":"
In this post I show how to quickly develop 4 plugins using 3RPG. Except for the documentation (this post) it took barely 10-15 minutes. You can download plugins here. 01. Detecting presence of 7zip on the system 7Zip has a … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[30,19,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1802"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1802"}],"version-history":[{"count":15,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1802\/revisions"}],"predecessor-version":[{"id":1835,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1802\/revisions\/1835"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1802"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1802"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1802"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}