Tuesday, June 10, 2008

RegRipper Plugin Updates

Pretty much everyone is aware by now that the full version of RegRipper is available on SF.net. I made a couple of minor updates to some of the plugins the other day (so you won't find these in the currently available distribution) that I wanted to mention briefly...

First, I updated the winnt_cv plugin so that the InstallDate value is converted to a readable time stamp, such as:

InstallDate : Fri Aug 31 15:21:10 2007 (UTC)

Much better than just spewing the DWORD data to the output, don't'cha think?

Second, after using RegRipper on some actual engagements recently, I decided that I wanted a plugin that would display information about the services in a shorter format so that it's easier to read. The services plugin displays the following about services and drivers:

Name = SNMPTRAP
Display = @%SystemRoot%\system32\snmptrap.exe,-3
ImagePath = %SystemRoot%\System32\snmptrap.exe
Type = Own_Process
Start = Manual
Group =

The svc plugin (get it...shorter name, shorter format for the output??) displays the following about services:

Thu Nov 2 12:53:48 2006Z
Appinfo (%SystemRoot%\system32\svchost.exe -k netsvcs) [LocalSystem]

Thu Nov 2 12:53:38 2006Z
SessionEnv (%SystemRoot%\System32\svchost.exe -k netsvcs) [localSystem]

Thu Nov 2 12:53:22 2006Z
TrkWks (%SystemRoot%\System32\svchost.exe -k LocalSystem NetworkRestricted) [LocalSystem]

Thu Nov 2 12:53:11 2006Z
Dhcp (%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted) [NT Authority\LocalService]


The svc plugin grabs much of the same information as the services plugin, but presents it in a shorter format, so that it's much easier to read at a glance. In addition, svc also grabs the ObjectName value (if available), which indicates the account that the service runs under.

For analysis purposes, I generally try to look for services and drivers that have a LastWrite time around the reported date of the incident, as this has indicated the use of keystroke loggers and kernel-mode rootkits.

What's also really sweet about this is that, as always, the plugins work great with rip.exe...check out the batch files that were included in the most recent distribution of RegRipper.

Two other items that are yet to be completed (currently in progress) with regards to RegRipper are:

1. Extraction of time-based data in a common format, for correlation with other sources of time-based data, and then display of that data using Timeline or some other visualization tool.

2. Development of a separate, standalone copy of rip.exe (to start, anyway) that will not only run a plugin or plugins file against a hive, but also against the appropriate hive files in XP System Restore Points (all automatically).
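As an added illustration (not RegRipper's own code, and not a plugin you could drop into the plugins directory), here is a small Python model of what the post describes: the InstallDate DWORD converted to a readable UTC time stamp, the same Services-key values rendered in the long services layout and the short svc layout (with ObjectName), the LastWrite-window check used to pull out services and drivers written around the incident date, and every time stamp normalised into one "epoch|source|description" row so it can be merged with other sources for timelining. The ServiceKey class and the SAMPLE_KEYS records are constructed for this example (the svchost entries are taken from the output quoted above, "exampledrv" and the incident date are made up), the row format is a hypothetical one, and the Type and Start mappings are the standard Services-key meanings.

```python
"""Added example, not RegRipper's own code: a Python model of the winnt_cv
InstallDate conversion, the services/svc output layouts, LastWrite-window
triage and a common time-based row format. Registry values are carried in
ServiceKey objects because this runs offline without a hive file."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import struct


def fmt_ctime(epoch: int) -> str:
    """ctime-style 'Thu Nov 2 12:53:48 2006' in UTC (day not zero-padded)."""
    dt = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return f"{dt:%a %b} {dt.day} {dt:%H:%M:%S %Y}"


def install_date_from_dword(raw: bytes) -> str:
    """InstallDate is a REG_DWORD holding seconds since 1970-01-01 UTC;
    the raw value data is 4 little-endian bytes."""
    (secs,) = struct.unpack("<I", raw)
    return f"{fmt_ctime(secs)} (UTC)"


# Standard Services-key Type and Start DWORD meanings.
TYPES = {0x01: "Kernel_Driver", 0x02: "File_System_Driver",
         0x10: "Own_Process", 0x20: "Share_Process",
         0x110: "Own_Process, Interactive", 0x120: "Share_Process, Interactive"}
STARTS = {0: "Boot", 1: "System", 2: "Auto", 3: "Manual", 4: "Disabled"}


@dataclass
class ServiceKey:
    name: str          # subkey name under CurrentControlSet\Services
    lastwrite: int     # key LastWrite time as UTC epoch seconds
    image_path: str
    type_: int
    start: int
    display_name: str = ""
    object_name: str = ""  # account the service runs under; usually absent for drivers
    group: str = ""


def render_services_style(s: ServiceKey) -> str:
    """Long form, one value per line, as the services plugin prints it."""
    return "\n".join([
        f"Name = {s.name}",
        f"Display = {s.display_name}",
        f"ImagePath = {s.image_path}",
        f"Type = {TYPES.get(s.type_, hex(s.type_))}",
        f"Start = {STARTS.get(s.start, str(s.start))}",
        f"Group = {s.group}",
    ])


def render_svc_style(s: ServiceKey) -> str:
    """Short form: LastWrite on one line, then 'Name (ImagePath) [ObjectName]'."""
    return f"{fmt_ctime(s.lastwrite)}Z\n{s.name} ({s.image_path}) [{s.object_name}]"


def svc_report(keys) -> str:
    """Most recently written key first, as in the post's svc output."""
    ordered = sorted(keys, key=lambda s: s.lastwrite, reverse=True)
    return "\n\n".join(render_svc_style(s) for s in ordered)


def written_near(keys, incident: datetime, window_hours: int = 48):
    """Services/drivers whose key LastWrite falls within +/- window of the incident."""
    lo, hi = incident - timedelta(hours=window_hours), incident + timedelta(hours=window_hours)
    return [s for s in keys if lo <= datetime.fromtimestamp(s.lastwrite, tz=timezone.utc) <= hi]


def timeline_rows(keys, install_date_raw: bytes):
    """Normalise each time stamp to 'epoch|source|description' (a hypothetical
    common format) so rows from other sources can be merged and sorted."""
    (install_secs,) = struct.unpack("<I", install_date_raw)
    rows = [(install_secs, "REG", "winnt_cv InstallDate")]
    for s in keys:
        rows.append((s.lastwrite, "REG", f"Services\\{s.name} LastWrite [{s.object_name}]"))
    return [f"{t}|{src}|{desc}" for t, src, desc in sorted(rows)]


# Constructed sample data: the four svchost entries from the post, plus a
# made-up kernel driver key written a few days after them.
SVCHOST = r"%SystemRoot%\system32\svchost.exe"
SAMPLE_KEYS = [
    ServiceKey("Appinfo", 1162472028, SVCHOST + " -k netsvcs", 0x20, 3, object_name="LocalSystem"),
    ServiceKey("SessionEnv", 1162472018, SVCHOST + " -k netsvcs", 0x20, 3, object_name="localSystem"),
    ServiceKey("TrkWks", 1162472002, SVCHOST + " -k LocalSystemNetworkRestricted", 0x20, 2,
               object_name="LocalSystem"),
    ServiceKey("Dhcp", 1162471991, SVCHOST + " -k LocalServiceNetworkRestricted", 0x20, 2,
               object_name=r"NT Authority\LocalService"),
    ServiceKey("exampledrv", 1162696320, r"system32\drivers\exampledrv.sys", 0x01, 2),  # constructed
]
INSTALL_DATE_RAW = b"\xe6\x31\xd8\x46"  # DWORD 0x46D831E6 = Fri Aug 31 15:21:10 2007 UTC
INCIDENT = datetime(2006, 11, 5, tzinfo=timezone.utc)  # constructed reported incident date

if __name__ == "__main__":
    print("InstallDate :", install_date_from_dword(INSTALL_DATE_RAW))
    print(svc_report(SAMPLE_KEYS))
    print("written within 48h of incident:", [s.name for s in written_near(SAMPLE_KEYS, INCIDENT)])
    print("\n".join(timeline_rows(SAMPLE_KEYS, INSTALL_DATE_RAW)))
```

Run as a script it prints the InstallDate line, the svc-style listing newest-first, the one key (the constructed driver) whose LastWrite falls inside the 48-hour window, and the merged rows in time order. The window check is the interesting part for triage: a service or driver key whose LastWrite sits close to the reported incident date is the one to look at first, exactly the pattern the post describes for keystroke loggers and kernel-mode rootkits.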

Thoughts? Just more RegRipper goodness...no hive files were harmed in the making of these tools or of this post...

4 comments:

Anonymous said...

One very useful feature would be the ability to run RegRipper against a remote PC (assuming you have admin access)

H. Carvey said...

You can...either use FTK Imager to extract the hive files from the system, or use F-Response, as has been documented on this blog and others.

To get RegRipper to have the ability to just access the live system would require a complete rewrite of the interface. Even the plugins would need to be rewritten.

It might be worth doing if there were a market...

Anonymous said...

Harlan,

WE LOVE REGRIPPER! You are a rockstar! Been using it a lot lately here!

May I get the USBSTOR2 script please?

Also, is there a doc yet on creation of our own .pl scripts?

I looked at the existing .pl scripts, and it looks fairly straightforward, but was wondering if there was anything that you already had put together.

In thinking out loud, what might be nice is an import feature where I could have a bunch of keys listed in a CSV file and be able to convert them into a .pl?

Thanks,
Sam

H. Carvey said...

Sam,

May I get the USBSTOR2 script please?

I responded to your email on this...

Also, is there a doc yet on creation of our own .pl scripts?

Not yet, but folks have already done this simply by opening the current plugins...much like Nessus, the plugins are in plain text.

I looked at the existing .pl scripts, and it looks fairly straightforward, but was wondering if there was anything that you already had put together.

Not yet. Sometimes writing the plugins isn't the easiest thing to do, even with a familiarity of the Registry. Querying a value is simple...but other things you want to look for, to include correlating between different keys can be challenging.

In thinking out loud, what might be nice is an import feature where I could have a bunch of keys listed in a CSV file and be able to convert them into a .pl?

Again, it's just not that easy. If what you wanted to do was simply straightforward, like just grab a value (if it exists), then yeah, you could do that easily...but that doesn't take advantage of the full power of a tool like this.