Lately I’ve been writing some plugins for Harlan Carvey’s RegRipper which I’ll release shortly. Harlan has done a great job adding support for lots of Registry Artifacts, kudos for that.
However, at times I find that RegRipper’s inability to present a complete view of the Registry to its plugins is quite limiting, especially for application analysis, since you can’t check both per-user and system-wide settings at once. There’s a lot of similar code in the modules as well, which I’m sure won’t help Harlan much in maintaining the code.
Also, while I don’t usually do forensics under Linux, RegRipper’s rip.pl tool doesn’t run under Linux due to some assumptions in the code. I’ve just submitted a small patch against the current RegRipper codebase.
So while I’m thinking on how to reshape Regripper so that it supports my-desired-features(c) I’ve written a generic parsing and analysis module for it. Wait, generic… wut?
Basically, what this module does is: given a base key, a list of keys and subkeys and a formatting function for each of them, it walks the registry doing all the hard work for you :)
Which means that, in order to write a new module, you only need to take a look at any given registry hive, write down which information you want to report, its structure within the hive and transform your notes into something like:
    [ path_to_key#1,    "Output name of the first key",     \&callback_function ],
    [ path_to_key#2,    "Output name of the second key",    \&callback_function ],
    [ path_to_subkey#1, "Output name of the first subkey",  \&callback_function ],
    [ path_to_subkey#2, "Output name of the second subkey", \&callback_function ]
At the moment the library provides you with some common callback functions:
- parse_simple - Returns a string representation of the value. It handles every type of value (SZ, DWORD, BINARY, etc.) internally through Parse::Win32Registry. You can check perldoc Parse::Win32Registry to see what output to expect.
- parse_key_snlist - Parses simple numbered lists under the given subkey. Entries are sorted in ascending order by key name, which should give you the right order.
- parse_key_mrulist - Prints ordered MRU lists. Again, ordered by the MRUList key within the structure.
In case you need to parse some other kind of data, you just implement a new callback and it will get called with the Parse::Win32Registry object you are parsing: a Value object for values and a Key object for subkeys. Again, perldoc Parse::Win32Registry is your friend :)
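To make the idea concrete, here is an added example (my own illustration, not the author’s library) of such a declarative walker on top of Parse::Win32Registry: a spec of [path, label, callback] entries, a walker that tolerates missing keys, and two callbacks, a parse_simple that dumps every value and a parse_key_mrulist that orders entries by the MRUList value. The key paths and labels are assumptions picked for illustration.

```perl
#!/usr/bin/perl
# Added example, not the post author's module: a spec-driven Registry walker.
use strict;
use warnings;
use Parse::Win32Registry;

# Each entry: [ key path relative to the base key, output label, callback ].
# Paths below are assumptions for illustration (an NTUSER.DAT hive).
my @spec = (
    [ 'Software\\Microsoft\\Windows\\CurrentVersion\\Run',
      'Run entries', \&parse_simple ],
    [ 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU',
      'RunMRU (MRUList order)', \&parse_key_mrulist ],
);

# Walk every spec entry under $base. A missing key is reported and skipped,
# not fatal: many keys only exist once some application created them.
sub walk_spec {
    my ($base, $spec) = @_;
    for my $entry (@$spec) {
        my ($path, $label, $cb) = @$entry;
        my $key = $base->get_subkey($path);
        unless ($key) { print "$label: <key not present>\n"; next; }
        print "$label [LastWrite ", $key->get_timestamp_as_string, "]\n";
        print "  $_\n" for $cb->($key);
    }
}

# Callback: one line per value; get_data_as_string renders any REG_ type.
sub parse_simple {
    my ($key) = @_;
    return map {
        sprintf('%s (%s) = %s', $_->get_name || '(Default)',
                $_->get_type_as_string, $_->get_data_as_string)
    } $key->get_list_of_values;
}

# Callback: MRU list ordered by the letters in the MRUList value
# (e.g. "cab" means value c is most recent, then a, then b).
sub parse_key_mrulist {
    my ($key) = @_;
    my $mru = $key->get_value('MRUList') or return ('<no MRUList value>');
    my @out;
    for my $letter (split //, $mru->get_data) {
        my $v = $key->get_value($letter) or next;   # tolerate dangling letters
        push @out, "$letter: " . $v->get_data_as_string;
    }
    return @out;
}

my $file = shift or die "usage: $0 NTUSER.DAT\n";
my $reg  = Parse::Win32Registry->new($file) or die "cannot parse $file\n";
walk_spec($reg->get_root_key, \@spec);
```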
Stay tuned as I update the last details of the library!

Thanks for the shout-out on RegRipper…
Some questions re: your post…
> …RegRipper’s inability to present a complete
> view of the Registry to its plugins…
From a design standpoint, RR was never developed to _need_ a complete view of the Registry…only each specific hive file. As of yet, I haven’t seen a request or even someone simply musing about a plugin being able to access information in both the Software and System hives at the same time.
> Regripper doesn’t run under Linux due to some
> assumptions in the code.
One of the assumptions in the design of RegRipper is that it’s running on Windows…the GUI is specifically written to run on Windows. If you’re referring to rip.pl, I didn’t put a great deal of effort initially into Linux- or MacOSX-compatibility, due simply to the fact that I didn’t know of anyone who’d want to use it on those platforms.
I like your idea of callbacks, and I had thought of providing something similar in my code, but one of the things I ran into was issues with the Registry data itself. For example, in many cases, the code will fail altogether simply because at some point in the path, a key is not required…by that I mean, it’s not a default key found in EVERY Software hive and is only available b/c a user installed something. Also, you have other unique situations, such as the UserAssist key…value names are ROT-13 encrypted.
Some of what I’ve found in the plugins is the ease by which I can change how the data is output in a particular plugin, w/o affecting others. Using callbacks, you either have to completely rewrite one plugin, or you risk affecting all plugins that employ that callback.
You’ve got some interesting ideas, and I think what you’ve really shown here is the true power of open-source projects like this…
Thanks!
Comment by H. Carvey — January 2, 2009 @ 13:28
I guess I’m trying to use regripper in ways it wasn’t intended to from the start :)
I wouldn’t expect having a full registry on every run. That’s part of what the module would have to deal with. But I don’t find that having to create two different modules when they target two different hives feels hmmm natural. Again, it’s a non-intended use of the tool :)
The magic about having callbacks is that you always have the option to shape the data as you wish. So if you have some kind of special parsing to do (ROT-13 for UserAssist keys is a perfect example you brought up) you just create a function and register it as the callback.
On the data formatting topic, while I like fancy outputting features I first prefer to be able to export data to standard(ish) formats. TSV and XML come to mind. But you actually got me there, I have yet to implement some kind of output handling in the library.
Thanks for your opinions Harlan, I appreciate your prompt reply.
By the way, I just corrected my post to state “rip.pl” when it applies. My bad for the confusion I might have caused.
Comment by パルキ — January 2, 2009 @ 15:43
I’m not seeing where you’re trying to use RegRipper in a way that it wasn’t designed to be used.
At this point, all I’m seeing is that you’d like to be able to point RR/rip at a directory and run it against all hive files in the directory…does this sound about right?
If so, the only thing you’re really trying to do is run RR automagically, rather than against each hive file separately. There doesn’t seem to be any cross-correlation between hives, or anything like that.
As far as output formats go, we’ve sort of run that one down for now over on the RegRipper.net forums…while some folks say, “I’d like HTML” or “I’d like XML”, there are simply a couple of issues at hand…first, there’s a great deal of data that doesn’t lend itself well to a standard, normalized format, particularly when you’re correlating data from different keys. Second, if someone wants a straight transition to HTML from the text…well, RR is open source. ;-) Finally, w/ specialized formats, such as XML, once I ask someone for their thoughts on a style sheet, suddenly I no longer hear from them…
There is a LOT of power to a tool like RegRipper. My thoughts at the moment are to finish my book, and then work on updates to RR, but updates more along the lines of functionality, etc. One important thing will be to incorporate all of my tools into a timeline analysis framework.
Comment by H. Carvey — January 3, 2009 @ 13:20
Well, sure you might find cross-correlation between hives. If you analyze application settings there are usually system defaults (in the SOFTWARE hive) and per-user defaults (in each NTUSER hive).
A sub-key for a specific application under the Software hive most likely means that that program is/was installed, while the existence of that same subkey in the NTUSER hive usually shows that interaction with the given program actually occurred.
In fact, it’s not only limited to applications. There’s a handful of Windows settings that work in a similar way.
Are you suggesting that plugins should blindly try to catch all their “known keys” and output different information when given different hives? As in, outputting System settings when run against a Software hive and User settings when run against an Ntuser hive? That doesn’t sound right to me :\
Comment by パルキ — January 3, 2009 @ 18:23
Hi,
with very light modification rip.pl runs perfectly under Linux,
I use it.
You can download my Linux version here:
http://brainstretching.blogspot.com/2008/10/linux-e-regripper.html
Regards.
Daniele
Comment by Snip — January 3, 2009 @ 22:26
Hey Daniele, thanks for the heads up and for stopping by. I wasn’t aware of your version.
I made some simple changes to rip.pl to make it functional for most current operating systems. Here you can find the patch I submitted to Harlan in case you’re interested in it :)
Comment by パルキ — January 4, 2009 @ 01:05
> Well, sure you might find cross-correlation between hives.
…and…
> Are you suggesting….
No, I’m not suggesting anything…I’m asking what it is you’re trying to accomplish with your original suggestion to pass RegRipper a directory that contains a number of hive files. That’s why I asked, “At this point, all I’m seeing is that you’d like to be able to point RR/rip at a directory and run it against all hive files in the directory…does this sound about right?”
I’m not suggesting that plugins try to blindly do anything…I’m asking what it is you’re looking for RegRipper to do that it doesn’t already. I got your part about callbacks, but as of yet, haven’t really seen anything that clearly states what you’re trying to do.
Also, my patch for RR and rip.pl (and ripxp.pl) looks something like this:
    my $str = $0;                     # full path of the running script
    # split the script path on the OS-appropriate separator
    ($^O eq "MSWin32") ? (@path = split(/\\/, $0))
                       : (@path = split(/\//, $0));
    # strip the script's own file name, leaving its directory
    $str =~ s/($path[scalar(@path) - 1])//;
    $plugindir = $str . "plugins/";   # plugins dir lives beside the script
Comment by H. Carvey — January 4, 2009 @ 13:08
Harlan, wouldn’t that break under Windows due to the Unix-style slash on the last line?
File::Spec is a standard Perl library meant to resolve these kind of issues and it ships with the default installation of Perl afaik :)
About the hives stuff, let me clear it up with an example. I’ll post it soon.
Mental note: Change these default smileys. They are annoying.
Comment by パルキ — January 4, 2009 @ 19:30
> wouldn’t that break under Windows due to the Unix-style slash on the last line?
Wouldn’t _what_ break? I’ve been using the ‘patch’ I posted, testing it, and so far it works just fine.
Comment by H. Carvey — January 4, 2009 @ 21:18
I meant the patch. Nevermind, it’s handled just fine under Win32 despite the “/”. It’s good to know.
Comment by パルキ — January 5, 2009 @ 15:20
If you want to see a reader’s feedback :) , I rate this post for four from five. Decent info, but I have to go to that damn google to find the missed parts. Thank you, anyway!
Comment by Jane Goody — April 22, 2009 @ 07:34
Great blog. Do you know of any relevant marketing forums or discussion groups?
Comment by John Taylor — April 24, 2009 @ 00:01