Class: Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Registry

Inherits:

Object

• Object
• Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Registry

Defined in:

lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb

Overview

This class provides access to the Windows registry on the remote machine.

Class Attribute Summary

• .client ⇒ Object

  Returns the value of attribute client.

Class Method Summary

• .close_key(hkey) ⇒ Object

  Closes the supplied registry key.

• .create_key(root_key, base_key, perm = KEY_READ) ⇒ Object

  Creates the supplied registry key or opens it if it already exists.

• .delete_key(root_key, base_key, recursive = true) ⇒ Object

  Deletes the supplied registry key.

• .delete_value(hkey, name) ⇒ Object

  Deletes the registry value supplied in name from the supplied registry key.

• .enum_key(hkey) ⇒ Object

  Enumerates the supplied registry key returning an array of key names.

• .enum_value(hkey) ⇒ Object

  Enumerates all of the values at the supplied hkey including their names.

• .key2str(key) ⇒ Object

  Return the key value associated with the supplied string.

• .open_key(root_key, base_key, perm = KEY_READ) ⇒ Object

  Opens the supplied registry key relative to the root key with the supplied permissions.

• .query_class(hkey) ⇒ Object

  Queries the registry class name and returns a string.

• .query_value(hkey, name) ⇒ Object

  Queries the registry value supplied in name and returns an initialized RegistryValue instance if a match is found.

• .set_value(hkey, name, type, data) ⇒ Object

  Sets the registry value relative to the supplied hkey.

• .splitkey(str) ⇒ Object

  Split the supplied full registry key into its root key and base key.

• .type2str(type) ⇒ Object

  Returns the integer value associated with the supplied registry value type (like REG_SZ).

Class Attribute Details

.client ⇒ Object

Returns the value of attribute client.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb', line 27

def client
  @client
end

Class Method Details

.close_key(hkey) ⇒ Object

Closes the supplied registry key.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb', line 91

def Registry.close_key(hkey)
	request = Packet.create_request('stdapi_registry_close_key')

	request.add_tlv(TLV_TYPE_HKEY, hkey)

	client.send_packet(request)

	return true
end

.create_key(root_key, base_key, perm = KEY_READ) ⇒ Object

Creates the supplied registry key or opens it if it already exists.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb', line 53

def Registry.create_key(root_key, base_key, perm = KEY_READ)
	request = Packet.create_request('stdapi_registry_create_key')

	request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
	request.add_tlv(TLV_TYPE_BASE_KEY, base_key)
	request.add_tlv(TLV_TYPE_PERMISSION, perm)

	response = client.send_request(request)

	return Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RegistryKey.new(
			client, root_key, base_key, perm, response.get_tlv(TLV_TYPE_HKEY).value)
end

.delete_key(root_key, base_key, recursive = true) ⇒ Object

Deletes the supplied registry key.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb', line 69

def Registry.delete_key(root_key, base_key, recursive = true)
	request = Packet.create_request('stdapi_registry_delete_key')
	flags   = 0

	if (recursive)
		flags |= DELETE_KEY_FLAG_RECURSIVE
	end

	request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
	request.add_tlv(TLV_TYPE_BASE_KEY, base_key)
	request.add_tlv(TLV_TYPE_FLAGS, flags)

	if (client.send_request(request) != nil)
		return true
	end

	return false
end

.delete_value(hkey, name) ⇒ Object

Deletes the registry value supplied in name from the supplied registry key.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb', line 178

def Registry.delete_value(hkey, name)
	request = Packet.create_request('stdapi_registry_delete_value')

	request.add_tlv(TLV_TYPE_HKEY, hkey)
	request.add_tlv(TLV_TYPE_VALUE_NAME, name)

	if (client.send_request(request) != nil)
		return true
	end

	return false
end

.enum_key(hkey) ⇒ Object

Enumerates the supplied registry key returning an array of key names.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb', line 104

def Registry.enum_key(hkey)
	keys    = []
	request = Packet.create_request('stdapi_registry_enum_key')

	request.add_tlv(TLV_TYPE_HKEY, hkey)

	response = client.send_request(request)

	# Enumerate through all of the registry keys
	response.each(TLV_TYPE_KEY_NAME) { |key_name|
		keys << key_name.value
	}

	return keys
end

.enum_value(hkey) ⇒ Object

Enumerates all of the values at the supplied hkey including their names. An array of RegistryValue’s is returned.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb', line 210

def Registry.enum_value(hkey)
	request = Packet.create_request('stdapi_registry_enum_value')
	values  = []

	request.add_tlv(TLV_TYPE_HKEY, hkey)

	response = client.send_request(request)

	response.each(TLV_TYPE_VALUE_NAME) { |value_name|
		values << Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RegistryValue.new(
				client, hkey, value_name.value)
	}

	return values
end

.key2str(key) ⇒ Object

Return the key value associated with the supplied string. This is useful for converting HKLM as a string into its actual integer representation.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb', line 230

def self.key2str(key)
	if (key == 'HKLM' or key == 'HKEY_LOCAL_MACHINE')
		return HKEY_LOCAL_MACHINE
	elsif (key == 'HKCU' or key == 'HKEY_CURRENT_USER')
		return HKEY_CURRENT_USER
	elsif (key == 'HKU' or key == 'HKEY_USERS')
		return HKEY_USERS
	elsif (key == 'HKCR' or key == 'HKEY_CLASSES_ROOT')
		return HKEY_CLASSES_ROOT
	elsif (key == 'HKEY_CURRENT_CONFIG')
		return HKEY_CURRENT_CONFIG
	elsif (key == 'HKEY_PERFORMANCE_DATA')
		return HKEY_PERFORMANCE_DATA
	elsif (key == 'HKEY_DYN_DATA')
		return HKEY_DYN_DATA
	else
		raise ArgumentError, "Unknown key: #{key}"
	end
end

.open_key(root_key, base_key, perm = KEY_READ) ⇒ Object

Opens the supplied registry key relative to the root key with the supplied permissions. Right now this is merely a wrapper around create_key.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb', line 41

def Registry.open_key(root_key, base_key, perm = KEY_READ)
	# If no base key was provided, just return the root_key.
	if (base_key == nil or base_key.length == 0)
		return RegistrySubsystem::RegistryKey.new(client, root_key, base_key, perm, root_key)
	end

	return self.create_key(root_key, base_key, perm)
end

.query_class(hkey) ⇒ Object

Queries the registry class name and returns a string

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb', line 194

def Registry.query_class(hkey)
	request = Packet.create_request('stdapi_registry_query_class')

	request.add_tlv(TLV_TYPE_HKEY, hkey)

	response = client.send_request(request)
	cls = response.get_tlv(TLV_TYPE_VALUE_DATA)
	return nil if not cls
	data = cls.value.gsub(/\x00.*/, '')
	return data
end

.query_value(hkey, name) ⇒ Object

Queries the registry value supplied in name and returns an initialized RegistryValue instance if a match is found.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb', line 153

def Registry.query_value(hkey, name)
	request = Packet.create_request('stdapi_registry_query_value')

	request.add_tlv(TLV_TYPE_HKEY, hkey)
	request.add_tlv(TLV_TYPE_VALUE_NAME, name)

	response = client.send_request(request)

	data = response.get_tlv(TLV_TYPE_VALUE_DATA).value;
	type = response.get_tlv(TLV_TYPE_VALUE_TYPE).value;

	if (type == REG_SZ)
		data = data[0..-2]
	elsif (type == REG_DWORD)
		data = data.unpack("N")[0]
	end

	return Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RegistryValue.new(
			client, hkey, name, type, data)
end

.set_value(hkey, name, type, data) ⇒ Object

Sets the registry value relative to the supplied hkey.

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb', line 129

def Registry.set_value(hkey, name, type, data)
	request = Packet.create_request('stdapi_registry_set_value')

	request.add_tlv(TLV_TYPE_HKEY, hkey)
	request.add_tlv(TLV_TYPE_VALUE_NAME, name)
	request.add_tlv(TLV_TYPE_VALUE_TYPE, type)

	if (type == REG_SZ)
		data += "\x00"
	elsif (type == REG_DWORD)
		data = [ data.to_i ].pack("V")
	end

	request.add_tlv(TLV_TYPE_VALUE_DATA, data)

	response = client.send_request(request)

	return true
end

.splitkey(str) ⇒ Object

Split the supplied full registry key into its root key and base key. For instance, passing HKLMSoftwareDog will return [ HKEY_LOCAL_MACHINE, ‘SoftwareDog’ ]

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb', line 268

def self.splitkey(str)
	if (str =~ /^(.+?)\\(.*)$/)
		[ key2str($1), $2 ]
	else
		[ key2str(str), nil ]
	end
end

.type2str(type) ⇒ Object

Returns the integer value associated with the supplied registry value type (like REG_SZ).

# File 'lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb', line 254

def self.type2str(type)
	return REG_SZ if (type == 'REG_SZ')
	return REG_DWORD if (type == 'REG_DWORD')
	return REG_BINARY if (type == 'REG_BINARY')
	return REG_EXPAND_SZ if (type == 'REG_EXPAND_SZ')
	return REG_NONE if (type == 'REG_NONE')
	return nil
end