Saturday, April 05, 2008

Ripping the Registry w/ rip.exe

While I was developing the RegRipper, I found that I could use some means of testing plugins without having to fire up the RegRipper GUI each time, particularly if I just wanted to modify how the output was displayed...for example, once I got all the information I needed, say that I wanted to parse it and have it displayed based on the Registry key LastWrite times (so that it's easier to correlate to an incident timeline...). Do I want to fire things up all over again, or simply re-run the last command line?

So I wrote rip.exe, a small CLI utility that uses the same plugin structure as RegRipper, and lets me either run a single plugin against a hive file, or run an entire plugins file against a hive file. Here's what the syntax for rip.exe looks like:

Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.
All plugins must be located in the "plugins" directory; default plugins file
used if no other filename given is "plugins\plugins".

-r Reg hive file...Registry hive file to parse
-f [plugin file]...use the plugin file (default: plugins\plugins)
-p plugin module...use only this module
-l ................list all plugins
-h.......................Help (print this information)

Ex: C:\>rr -r c:\case\system -f system
C:\>rr -r c:\case\ntuser.dat -p userassist.pl
C:\>rr -l

All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.

copyright 2008 H. Carvey

Pretty cool. I even threw in a switch to just list all of the plugins in the plugins directory; the output includes the name of the plugin, the version, which hive file each plugin is for (ie, NTUSER.DAT, System, Software, etc.), and brief description of what the plugin does. Here are a couple of examples:

7. auditpol v.20080327 [Security]
- Get audit policy from the Security hive file

8. bho v.20080325 [Software]
- Gets Browser Helper Objects from Software hive

9. cmd_shell v.20080328 [Software]
- Gets shell open cmds for various file types

10. comdlg32 v.20080324 [NTUSER.DAT]
- Gets contents of user's ComDlg32 key

11. compdesc v.20080324 [NTUSER.DAT]
- Gets contents of user's ComputerDescriptions key

12. compname v.20080324 [System]
- Gets ComputerName value from System hive

13. devclass v.20080331 [System]
- Get USB device info from the DeviceClasses keys in the System hive

14. fw_config v.20080328 [System]
- Gets the Windows Firewall config from the System hive

So let's say that I have an image of a Windows system, and I've either extracted the Registry hive files from the image and placed them in a directory, or I've mounted the image file as a read-only file system using Mount Image Pro or VDKWin. If I want to take a cursory look at some things to sort of get an idea of what I'm looking at, I can run rip.exe to collect info for me:

C:\tools>rip rip -r d:\cases\ntuser.dat -p userassist

Let's say that I want to run an entire plugins file against a hive file...

C:\tools>rip rip -r f:\windows\system32\config\software -f software

Pretty straight-forward, simple, and quick. Very efficient, and keeps mistakes down. Rip.exe can also be incorporated into a batch file, to further enhance processing and reduce an analyst's interaction with the data even further.

9 comments:

SynJunkie said...

Is Reg Ripper (rip.exe) something you'll be releasing and if so will it be to people who specifically ask for a copy (as you mentioned in an earlier post?) Or will it be released with one of your books?

it sounds like a really interesting tool.

Macaroni said...

Harlan,

Sounds very cool, sound very much like NSM console that is used for network monitoring.

Dave

H. Carvey said...

SynJunkie...

I haven't figured out the distribution mechanism yet...I've been focusing on the tool itself.

Any thoughts or suggestions?

Macaroni said...

What about sourceforge? Don't you already have a number of your tools up there? I guess the question is how can we help you, since you are doing all the work?

Unknown said...

I like the sourceforge option too. If this is being written in a language that I understand, I would be happy to help with the development. Even if I can't write the app, I can help with testing and we can all put bugs and feature requests in.

SynJunkie said...

I like the sourceforge idea too. I would be glad of the opportunity of providing feedback and bug reports etc...

H. Carvey said...

Interesting...that might be the way to go...I'll have to think about it...

Anonymous said...

Seen very nice idea. We want do some plugins!!1. Release it ;-).

H. Carvey said...

Already did...a while ago...