#-----------------------------------------------------------
# clsid_tln.pl
# Plugin to extract CLSID data from the Software hive file
# Can take considerable time to run; recommend running it via rip.exe
#
# History
# 20211209 - added support for ScriptletURL
# 20210208 - added support for LocalServer32
# 20200526 - updated date output format, added support for USRCLASS.DAT
# 20180823 - minor code fix
# 20180819 - updated to incorporate check for "TreatAs" value; code rewrite
# 20180319 - fixed minor code issue
# 20180117 - updated based on input from Jean, jean.crush@hotmail.fr
# 20130603 - added alert functionality
# 20100227 - created
#
# References
# https://pentestlab.blog/2020/05/20/persistence-com-hijacking/
# http://msdn.microsoft.com/en-us/library/ms724475%28VS.85%29.aspx
# https://docs.microsoft.com/en-us/windows/desktop/com/treatas
#
#
# copyright 2020 Quantum Analytics Research, LLC
# author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package clsid_tln;
use strict;
use warnings;
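# Plugin metadata read by rip.pl: the hive file(s) this plugin applies to,
# the OS mask, which descriptive accessors are populated, and the version.
# The version is kept in step with the newest entry in the History block
# above (the old 20200526 value predated the LocalServer32/ScriptletURL
# additions). "USRCLASS\.DAT" was a stray escape inside a double-quoted
# string: it yields the same characters but warns under `use warnings`.
my %config = (hive          => "Software, USRCLASS.DAT",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20211209);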
# Return a copy of the plugin metadata hash (as a flat key/value list).
sub getConfig {
    my %copy_of_config = %config;
    return %copy_of_config;
}
# One-line description shown by rip.pl's plugin listing.
sub getShortDescr {
    my $descr = "Get list of CLSID/registered classes";
    return $descr;
}
# No long description is provided (hasDescr => 0); returns nothing.
sub getDescr {
    return;
}
# No reference list is provided (hasRefs => 0); returns nothing.
sub getRefs {
    return;
}
# Hive file name(s) this plugin is registered against.
sub getHive {
    my $hive_list = $config{hive};
    return $hive_list;
}
# Plugin version (a YYYYMMDD date taken from %config).
sub getVersion {
    my $ver = $config{version};
    return $ver;
}
# Package-level copy of the version; getVersion() just reads $config{version}.
my $VERSION = $config{version};
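#-----------------------------------------------------------
# pluginmain()
# Entry point invoked by rip.pl/rip.exe. Walks the CLSID key(s) of the
# supplied hive and emits one TLN line (timestamp|REG|||description) per
# registered class, plus one line for each LocalServer32, InprocServer32,
# ProgID, TreatAs and ScriptletURL subkey found beneath it.
#
# Fixes relative to the previous revision:
#   - the ScriptletURL line had a misplaced ')' so ::rptMsg() received only
#     the timestamp and the "|REG|||..." text was concatenated to its return
#     value and discarded; the line is now reported like the others;
#   - TreatAs/ScriptletURL lines were labelled "CLID" while every other line
#     says "CLSID", which defeats a simple grep over the timeline;
#   - %guess was declared twice and %clsid was never used.
#
# Arguments
#   $class - plugin package name (unused; passed by the rip.pl dispatcher)
#   $hive  - path to the hive file to parse
# Returns
#   nothing; all output goes through ::rptMsg()
#-----------------------------------------------------------
sub pluginmain {
    my $class = shift;
    my $hive  = shift;

    # Determine which hive we were handed: ::guessHive() returns a map of
    # hive-type => flag, and the entry flagged 1 selects the key paths.
    my %guess      = ::guessHive($hive);
    my $hive_guess = "";
    foreach my $g (keys %guess) {
        $hive_guess = $g if ($guess{$g} == 1);
    }

    # CLSID lives at a different path depending on the hive type. An
    # unrecognised hive leaves @paths empty, so nothing is reported.
    my @paths = ();
    if ($hive_guess eq "software") {
        @paths = ("Classes\\CLSID", "Classes\\Wow6432Node\\CLSID");
    }
    elsif ($hive_guess eq "usrclass") {
        @paths = ("CLSID");
    }

    # Subkeys whose default value names the code/URL a CLSID resolves to;
    # these are the values rewritten in COM hijacking persistence (see the
    # References in the file header), so each gets its own timeline line.
    my @clsid_subkeys = qw(LocalServer32 InprocServer32 ProgID TreatAs ScriptletURL);

    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    foreach my $key_path (@paths) {
        my $key = $root_key->get_subkey($key_path);
        if (! $key) {
            ::rptMsg($key_path." not found.");
            next;
        }
        ::rptMsg($key_path);
        ::rptMsg("");

        my @sk = $key->get_list_of_subkeys();
        if (scalar(@sk) == 0) {
            ::rptMsg($key_path." has no subkeys.");
            next;
        }
        foreach my $s (@sk) {
            my $name = $s->get_name();
            ::rptMsg($s->get_timestamp()."|REG|||CLSID - ".$name);
            foreach my $sub_name (@clsid_subkeys) {
                _report_subkey($s, $name, $sub_name);
            }
        }
    }
    return;
}

#-----------------------------------------------------------
# _report_subkey()
# Emit one TLN line for subkey $sub_name beneath CLSID key $s, using that
# subkey's own LastWrite time and its default value.
#
# The whole lookup runs inside a bare eval on purpose: get_subkey()/
# get_value() return undef when the subkey or default value is absent,
# the chained method call then dies, and the line is simply not printed.
# That best-effort behaviour is what the original per-subkey evals did.
#
# Arguments
#   $s        - Parse::Win32Registry key object for one CLSID
#   $name     - the CLSID's key name, used as the line label
#   $sub_name - subkey to report (e.g. "InprocServer32")
# Returns
#   nothing
#-----------------------------------------------------------
sub _report_subkey {
    my ($s, $name, $sub_name) = @_;
    eval {
        my $subkey = $s->get_subkey($sub_name);
        my $data   = $subkey->get_value("")->get_data();
        # NOTE(review): $data is taken verbatim from the examined hive. An
        # embedded '|' or newline would break the five-field TLN layout for
        # whatever parses this output downstream; sanitise here if that
        # parser is strict about field counts.
        ::rptMsg($subkey->get_timestamp()."|REG|||CLSID - ".$name."\\".$sub_name.": ".$data);
    };
    return;
}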
1;