Offline registry reading library for rex (Rex::Registry) #98

Merged
merged 1 commit into from Jan 14, 2012

@brandonprry
Contributor

brandonprry commented Jan 11, 2012

I understand the unpack()'s (see regf, lfkey, nodekey, valuekey, and valuelist) are an issue, but I cannot for the life of me get them to work properly with any other unpack() combinations. Any thoughts or suggestions are much appreciated.

I would also like feedback on the reg.rb implementation. HD said to emulate reg.exe, but after some tinkering, I think that my way is a more usable (though inspired by the reg.exe syntax) way from a forensics/IG standpoint. Perhaps I am making the scope of reg.rb too wide by adding the specific IG commands to it, and these should be left for other registry-related module implementations? Thoughts are appreciated.

If you would like to parse the lib next to some documentation, I mainly followed this document while implementing:
http://files.volatileminds.net/winreg.txt
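The PR description above asks about the unpack() layouts for the regf header and the nk/lf/vk structures. The following is an added example, not code from PR #98 or from Rex::Registry: it parses a hive constructed in the script itself (base block, one hbin, and a root nk cell) with String#unpack using the documented on-disk offsets, and verifies the base-block checksum so that a truncated or tampered hive is detected before any key in it is trusted, which is the check a forensic reader wants before walking the tree. The sample file name and key name are constructed values; the offsets and the checksum rule are the ones in the public hive format description, not anything the PR defines.

```ruby
# Added example, not code from PR #98 or Rex::Registry. Parses a constructed
# offline hive (regf base block, one hbin, the root nk cell) with String#unpack
# using the documented on-disk offsets, and checks the base-block checksum so
# a truncated or tampered hive is noticed before any key is trusted.

FILETIME_EPOCH_DELTA = 116_444_736_000_000_000 # 100ns ticks from 1601-01-01 to 1970-01-01

def filetime_to_time(ft)
  Time.at(Rational(ft - FILETIME_EPOCH_DELTA, 10_000_000)).utc
end

def time_to_filetime(t)
  t.to_i * 10_000_000 + FILETIME_EPOCH_DELTA
end

# XOR of the 127 little-endian uint32 words in bytes 0..507 of the base block,
# with the format's two special cases (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE).
def regf_checksum(block)
  sum = block[0, 508].unpack("V127").reduce(0) { |acc, w| acc ^ w }
  return 1 if sum.zero?
  return 0xFFFFFFFE if sum == 0xFFFFFFFF
  sum
end

# Base block: "regf", two sequence numbers, FILETIME, major/minor version, file
# type, format, root cell offset (relative to the first hbin at 0x1000), hbins
# size; UTF-16LE file name at offset 48; checksum at offset 508.
def parse_regf(data)
  raise "not a regf hive" unless data.bytesize >= 4096 && data[0, 4] == "regf"
  _sig, seq1, seq2, ft, major, minor, ftype, fmt, root_off, bins_size =
    data[0, 44].unpack("a4VVQ<VVVVVV")
  name = data[48, 64].force_encoding("UTF-16LE").encode("UTF-8").delete("\0")
  {
    sequence: [seq1, seq2],
    dirty: seq1 != seq2,           # unequal => not cleanly flushed, consult the .LOG
    last_written: filetime_to_time(ft),
    version: "#{major}.#{minor}",
    file_type: ftype,              # 0 = primary hive file
    file_format: fmt,
    root_cell_offset: root_off,
    hbins_size: bins_size,
    file_name: name,
    checksum_ok: data[508, 4].unpack1("V") == regf_checksum(data),
  }
end

# hbin header: "hbin", offset of this bin relative to the first hbin, bin size.
def parse_hbin(data, off)
  sig, rel, size = data[off, 12].unpack("a4VV")
  raise format("bad hbin header at 0x%x", off) unless sig == "hbin"
  { offset: rel, size: size, first_cell: off + 0x20 }
end

# A cell starts with a signed int32 size; negative means the cell is in use.
# nk body: "nk", flags, FILETIME, access bits, parent, subkey counts/lists,
# value count/list, security and class offsets; name length at +72, name at +76.
def parse_nk(data, cell_off)
  size = data[cell_off, 4].unpack1("l<")
  body = data[cell_off + 4, size.abs - 4]
  sig, flags, ft, _access, parent, nsub, nvsub, sublist, _vsublist, nvals, vallist, sk, _cls =
    body[0, 52].unpack("a2vQ<VVVVVVVVVV")
  raise format("not an nk cell at 0x%x", cell_off) unless sig == "nk"
  name_len, _class_len = body[72, 4].unpack("vv")
  name = body[76, name_len]
  # KEY_COMP_NAME (0x20): name stored as 8-bit chars, otherwise UTF-16LE
  name = name.force_encoding("UTF-16LE").encode("UTF-8") if (flags & 0x20).zero?
  {
    name: name, flags: flags, allocated: size < 0,
    last_written: filetime_to_time(ft), parent: parent,
    subkeys: nsub, volatile_subkeys: nvsub, subkey_list: sublist,
    values: nvals, value_list: vallist, security: sk,
    is_root: (flags & 0x04) != 0,  # KEY_HIVE_ENTRY
  }
end

def summarize_hive(data)
  hdr = parse_regf(data)
  { header: hdr,
    hbin: parse_hbin(data, 0x1000),
    root: parse_nk(data, 0x1000 + hdr[:root_cell_offset]) }
end

# Constructed sample hive (not a real SAM): a 4096-byte base block followed by
# one 4096-byte hbin whose first cell, at hbin offset 0x20, is the root nk.
def build_sample_hive(written_at = Time.utc(2012, 1, 11))
  ft = time_to_filetime(written_at)
  name = "ROOT"
  fields = ["nk", 0x2C, ft, 0, 0xFFFFFFFF, 0, 0, 0xFFFFFFFF, 0xFFFFFFFF,
            0, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0, 0, 0, name.bytesize, 0]
  nk = fields.pack("a2vQ<" + "V" * 15 + "vv") + name
  cell_size = ((4 + nk.bytesize + 7) / 8) * 8               # cells are 8-byte aligned
  cell = [-cell_size].pack("l<") + nk.ljust(cell_size - 4, "\0")
  hbin = (["hbin", 0, 4096].pack("a4VV") + "\0" * 20 + cell).ljust(4096, "\0")

  fname = "\\SystemRoot\\System32\\Config\\SAM".encode("UTF-16LE").force_encoding("ASCII-8BIT")
  base = ["regf", 5, 5, ft, 1, 3, 0, 1, 0x20, 4096, 1].pack("a4VVQ<VVVVVVV")
  base << fname.ljust(64, "\0")
  base = base.ljust(508, "\0")
  base << [regf_checksum(base)].pack("V")
  base.ljust(4096, "\0") + hbin
end

if __FILE__ == $PROGRAM_NAME
  s = summarize_hive(build_sample_hive)
  puts "#{s[:header][:file_name]} v#{s[:header][:version]} checksum_ok=#{s[:header][:checksum_ok]}"
  puts "root key #{s[:root][:name]} last written #{s[:root][:last_written]}"
end
```

Running the script against a real hive means replacing build_sample_hive with File.binread of the file; the parsers only assume the base block is 4096 bytes and the first hbin sits at 0x1000. The lf/lh subkey lists and vk value cells the PR also mentions follow the same pattern (a signed cell size, a two-byte signature, then fixed-offset fields) and can be added to parse_nk's walk in the same style.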

Contributor

brandonprry commented Jan 11, 2012

Also, if anyone has suggestions pertaining to the feature-set, feel free to share.

Contributor

kernelsmith commented Jan 11, 2012

i wrote the code that uses and parses reg.exe if that is somehow helpful

todb-r7 added a commit that referenced this pull request Jan 14, 2012

Merge pull request #98 from brandonprry/master
Offline registry reading library for rex (Rex::Registry)

@todb-r7 todb-r7 merged commit 24aaf85 into rapid7:master Jan 14, 2012

Contributor

todb-r7 commented Jan 14, 2012

So now you owe me a great big blog post showing use cases and junk. :) Thanks!

Contributor

kernelsmith commented Jan 14, 2012

Hey this one is all bperry and to quote hdm "it would be great to have a pure ruby registry hive parser" so his fault too :)

My stuff is registry and services post stuff for shells/java meterpreter /php meterpreter

-Josh

On Jan 13, 2012, at 19:55, Tod Beardsley reply@reply.github.com wrote:

So now you owe me a great big blog post showing use cases and junk. :) Thanks!

