class Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Registry

This class provides access to the Windows registry on the remote machine.

Attributes

client[RW]

Public Class Methods

close_key(hkey) click to toggle source

Closes the supplied registry key.

# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 139
def Registry.close_key(hkey)
  request = Packet.create_request('stdapi_registry_close_key')

  request.add_tlv(TLV_TYPE_HKEY, hkey)

  client.send_packet(request)

  return true
end
create_key(root_key, base_key, perm = KEY_READ) click to toggle source

Creates the supplied registry key or opens it if it already exists.

# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 101
def Registry.create_key(root_key, base_key, perm = KEY_READ)
  request = Packet.create_request('stdapi_registry_create_key')

  request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
  request.add_tlv(TLV_TYPE_BASE_KEY, base_key)
  request.add_tlv(TLV_TYPE_PERMISSION, perm)

  response = client.send_request(request)

  return Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RegistryKey.new(
      client, root_key, base_key, perm, response.get_tlv(TLV_TYPE_HKEY).value)
end
delete_key(root_key, base_key, recursive = true) click to toggle source

Deletes the supplied registry key.

# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 117
def Registry.delete_key(root_key, base_key, recursive = true)
  request = Packet.create_request('stdapi_registry_delete_key')
  flags   = 0

  if (recursive)
    flags |= DELETE_KEY_FLAG_RECURSIVE
  end

  request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
  request.add_tlv(TLV_TYPE_BASE_KEY, base_key)
  request.add_tlv(TLV_TYPE_FLAGS, flags)

  if (client.send_request(request) != nil)
    return true
  end

  return false
end
delete_value(hkey, name) click to toggle source

Deletes the registry value supplied in name from the supplied registry key.

# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 226
def Registry.delete_value(hkey, name)
  request = Packet.create_request('stdapi_registry_delete_value')

  request.add_tlv(TLV_TYPE_HKEY, hkey)
  request.add_tlv(TLV_TYPE_VALUE_NAME, name)

  if (client.send_request(request) != nil)
    return true
  end

  return false
end
enum_key(hkey) click to toggle source

Enumerates the supplied registry key returning an array of key names.

# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 152
def Registry.enum_key(hkey)
  keys    = []
  request = Packet.create_request('stdapi_registry_enum_key')

  request.add_tlv(TLV_TYPE_HKEY, hkey)

  response = client.send_request(request)

  # Enumerate through all of the registry keys
  response.each(TLV_TYPE_KEY_NAME) { |key_name|
    keys << key_name.value
  }

  return keys
end
enum_value(hkey) click to toggle source

Enumerates all of the values at the supplied hkey including their names. An array of RegistryValue’s is returned.

# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 258
def Registry.enum_value(hkey)
  request = Packet.create_request('stdapi_registry_enum_value')
  values  = []

  request.add_tlv(TLV_TYPE_HKEY, hkey)

  response = client.send_request(request)

  response.each(TLV_TYPE_VALUE_NAME) { |value_name|
    values << Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RegistryValue.new(
        client, hkey, value_name.value)
  }

  return values
end
key2str(key) click to toggle source

Return the key value associated with the supplied string. This is useful for converting HKLM as a string into its actual integer representation.

# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 278
def self.key2str(key)
  if (key == 'HKLM' or key == 'HKEY_LOCAL_MACHINE')
    return HKEY_LOCAL_MACHINE
  elsif (key == 'HKCU' or key == 'HKEY_CURRENT_USER')
    return HKEY_CURRENT_USER
  elsif (key == 'HKU' or key == 'HKEY_USERS')
    return HKEY_USERS
  elsif (key == 'HKCR' or key == 'HKEY_CLASSES_ROOT')
    return HKEY_CLASSES_ROOT
  elsif (key == 'HKEY_CURRENT_CONFIG')
    return HKEY_CURRENT_CONFIG
  elsif (key == 'HKEY_PERFORMANCE_DATA')
    return HKEY_PERFORMANCE_DATA
  elsif (key == 'HKEY_DYN_DATA')
    return HKEY_DYN_DATA
  else
    raise ArgumentError, "Unknown key: #{key}"
  end
end
load_key(root_key,base_key,hive_file) click to toggle source

Opens the supplied registry key relative to the root key with the supplied permissions. Right now this is merely a wrapper around create_key.

# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 42
def Registry.load_key(root_key,base_key,hive_file)
  request = Packet.create_request('stdapi_registry_load_key')
  request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
  request.add_tlv(TLV_TYPE_BASE_KEY, base_key)
  request.add_tlv(TLV_TYPE_FILE_PATH, client.unicode_filter_decode( hive_file ))

  response = client.send_request(request)
  return response.get_tlv(TLV_TYPE_RESULT).value
end
open_key(root_key, base_key, perm = KEY_READ) click to toggle source
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 61
def Registry.open_key(root_key, base_key, perm = KEY_READ)
  # If no base key was provided, just return the root_key.
  if (base_key == nil or base_key.length == 0)
    return RegistrySubsystem::RegistryKey.new(client, root_key, base_key, perm, root_key)
  end

  request = Packet.create_request('stdapi_registry_open_key')

  request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
  request.add_tlv(TLV_TYPE_BASE_KEY, base_key)
  request.add_tlv(TLV_TYPE_PERMISSION, perm)

  response = client.send_request(request)

  return Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RegistryKey.new(
      client, root_key, base_key, perm, response.get_tlv(TLV_TYPE_HKEY).value)
end
open_remote_key(target_host, root_key) click to toggle source

Opens the supplied registry key on the specified remote host. Requires that the current process has credentials to access the target and that the target has the remote registry service running.

# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 84
def Registry.open_remote_key(target_host, root_key)

  request = Packet.create_request('stdapi_registry_open_remote_key')

  request.add_tlv(TLV_TYPE_TARGET_HOST, target_host)
  request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)


  response = client.send_request(request)

  return Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RemoteRegistryKey.new(
      client, target_host, root_key, response.get_tlv(TLV_TYPE_HKEY).value)
end
query_class(hkey) click to toggle source

Queries the registry class name and returns a string

# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 242
def Registry.query_class(hkey)
  request = Packet.create_request('stdapi_registry_query_class')

  request.add_tlv(TLV_TYPE_HKEY, hkey)

  response = client.send_request(request)
  cls = response.get_tlv(TLV_TYPE_VALUE_DATA)
  return nil if not cls
  data = cls.value.gsub(/\x00.*/n, '')
  return data
end
query_value(hkey, name) click to toggle source

Queries the registry value supplied in name and returns an initialized RegistryValue instance if a match is found.

# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 201
def Registry.query_value(hkey, name)
  request = Packet.create_request('stdapi_registry_query_value')

  request.add_tlv(TLV_TYPE_HKEY, hkey)
  request.add_tlv(TLV_TYPE_VALUE_NAME, name)

  response = client.send_request(request)

  data = response.get_tlv(TLV_TYPE_VALUE_DATA).value;
  type = response.get_tlv(TLV_TYPE_VALUE_TYPE).value;

  if (type == REG_SZ)
    data = data[0..-2]
  elsif (type == REG_DWORD)
    data = data.unpack("N")[0]
  end

  return Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RegistryValue.new(
      client, hkey, name, type, data)
end
set_value(hkey, name, type, data) click to toggle source

Sets the registry value relative to the supplied hkey.

# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 177
def Registry.set_value(hkey, name, type, data)
  request = Packet.create_request('stdapi_registry_set_value')

  request.add_tlv(TLV_TYPE_HKEY, hkey)
  request.add_tlv(TLV_TYPE_VALUE_NAME, name)
  request.add_tlv(TLV_TYPE_VALUE_TYPE, type)

  if (type == REG_SZ)
    data += "\x00"
  elsif (type == REG_DWORD)
    data = [ data.to_i ].pack("V")
  end

  request.add_tlv(TLV_TYPE_VALUE_DATA, data)

  response = client.send_request(request)

  return true
end
splitkey(str) click to toggle source

Split the supplied full registry key into its root key and base key. For instance, passing HKLMSoftwareDog will return [ HKEY_LOCAL_MACHINE, ‘SoftwareDog’ ]

# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 316
def self.splitkey(str)
  if (str =~ /^(.+?)\\(.*)$/)
    [ key2str($1), $2 ]
  else
    [ key2str(str), nil ]
  end
end
type2str(type) click to toggle source

Returns the integer value associated with the supplied registry value type (like REG_SZ).

# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 302
def self.type2str(type)
  return REG_SZ if (type == 'REG_SZ')
  return REG_DWORD if (type == 'REG_DWORD')
  return REG_BINARY if (type == 'REG_BINARY')
  return REG_EXPAND_SZ if (type == 'REG_EXPAND_SZ')
  return REG_NONE if (type == 'REG_NONE')
  return nil
end
unload_key(root_key,base_key) click to toggle source
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 52
def Registry.unload_key(root_key,base_key)
  request = Packet.create_request('stdapi_registry_unload_key')
  request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
  request.add_tlv(TLV_TYPE_BASE_KEY, base_key)
  response = client.send_request(request)
  return response.get_tlv(TLV_TYPE_RESULT).value
end