class Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Registry
This class provides access to the Windows registry on the remote machine.
Attributes
Public Class Methods
Closes the supplied registry key.
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 139 def Registry.close_key(hkey) request = Packet.create_request('stdapi_registry_close_key') request.add_tlv(TLV_TYPE_HKEY, hkey) client.send_packet(request) return true end
Creates the supplied registry key or opens it if it already exists.
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 101 def Registry.create_key(root_key, base_key, perm = KEY_READ) request = Packet.create_request('stdapi_registry_create_key') request.add_tlv(TLV_TYPE_ROOT_KEY, root_key) request.add_tlv(TLV_TYPE_BASE_KEY, base_key) request.add_tlv(TLV_TYPE_PERMISSION, perm) response = client.send_request(request) return Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RegistryKey.new( client, root_key, base_key, perm, response.get_tlv(TLV_TYPE_HKEY).value) end
Deletes the supplied registry key.
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 117 def Registry.delete_key(root_key, base_key, recursive = true) request = Packet.create_request('stdapi_registry_delete_key') flags = 0 if (recursive) flags |= DELETE_KEY_FLAG_RECURSIVE end request.add_tlv(TLV_TYPE_ROOT_KEY, root_key) request.add_tlv(TLV_TYPE_BASE_KEY, base_key) request.add_tlv(TLV_TYPE_FLAGS, flags) if (client.send_request(request) != nil) return true end return false end
Deletes the registry value supplied in name from the supplied registry key.
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 226 def Registry.delete_value(hkey, name) request = Packet.create_request('stdapi_registry_delete_value') request.add_tlv(TLV_TYPE_HKEY, hkey) request.add_tlv(TLV_TYPE_VALUE_NAME, name) if (client.send_request(request) != nil) return true end return false end
Enumerates the supplied registry key returning an array of key names.
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 152 def Registry.enum_key(hkey) keys = [] request = Packet.create_request('stdapi_registry_enum_key') request.add_tlv(TLV_TYPE_HKEY, hkey) response = client.send_request(request) # Enumerate through all of the registry keys response.each(TLV_TYPE_KEY_NAME) { |key_name| keys << key_name.value } return keys end
Enumerates all of the values at the supplied hkey including their names. An array of RegistryValue’s is returned.
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 258 def Registry.enum_value(hkey) request = Packet.create_request('stdapi_registry_enum_value') values = [] request.add_tlv(TLV_TYPE_HKEY, hkey) response = client.send_request(request) response.each(TLV_TYPE_VALUE_NAME) { |value_name| values << Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RegistryValue.new( client, hkey, value_name.value) } return values end
Return the key value associated with the supplied string. This is useful for converting HKLM as a string into its actual integer representation.
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 278 def self.key2str(key) if (key == 'HKLM' or key == 'HKEY_LOCAL_MACHINE') return HKEY_LOCAL_MACHINE elsif (key == 'HKCU' or key == 'HKEY_CURRENT_USER') return HKEY_CURRENT_USER elsif (key == 'HKU' or key == 'HKEY_USERS') return HKEY_USERS elsif (key == 'HKCR' or key == 'HKEY_CLASSES_ROOT') return HKEY_CLASSES_ROOT elsif (key == 'HKEY_CURRENT_CONFIG') return HKEY_CURRENT_CONFIG elsif (key == 'HKEY_PERFORMANCE_DATA') return HKEY_PERFORMANCE_DATA elsif (key == 'HKEY_DYN_DATA') return HKEY_DYN_DATA else raise ArgumentError, "Unknown key: #{key}" end end
Opens the supplied registry key relative to the root key with the supplied permissions. Right now this is merely a wrapper around create_key.
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 42 def Registry.load_key(root_key,base_key,hive_file) request = Packet.create_request('stdapi_registry_load_key') request.add_tlv(TLV_TYPE_ROOT_KEY, root_key) request.add_tlv(TLV_TYPE_BASE_KEY, base_key) request.add_tlv(TLV_TYPE_FILE_PATH, client.unicode_filter_decode( hive_file )) response = client.send_request(request) return response.get_tlv(TLV_TYPE_RESULT).value end
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 61 def Registry.open_key(root_key, base_key, perm = KEY_READ) # If no base key was provided, just return the root_key. if (base_key == nil or base_key.length == 0) return RegistrySubsystem::RegistryKey.new(client, root_key, base_key, perm, root_key) end request = Packet.create_request('stdapi_registry_open_key') request.add_tlv(TLV_TYPE_ROOT_KEY, root_key) request.add_tlv(TLV_TYPE_BASE_KEY, base_key) request.add_tlv(TLV_TYPE_PERMISSION, perm) response = client.send_request(request) return Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RegistryKey.new( client, root_key, base_key, perm, response.get_tlv(TLV_TYPE_HKEY).value) end
Opens the supplied registry key on the specified remote host. Requires that the current process has credentials to access the target and that the target has the remote registry service running.
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 84 def Registry.open_remote_key(target_host, root_key) request = Packet.create_request('stdapi_registry_open_remote_key') request.add_tlv(TLV_TYPE_TARGET_HOST, target_host) request.add_tlv(TLV_TYPE_ROOT_KEY, root_key) response = client.send_request(request) return Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RemoteRegistryKey.new( client, target_host, root_key, response.get_tlv(TLV_TYPE_HKEY).value) end
Queries the registry class name and returns a string
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 242 def Registry.query_class(hkey) request = Packet.create_request('stdapi_registry_query_class') request.add_tlv(TLV_TYPE_HKEY, hkey) response = client.send_request(request) cls = response.get_tlv(TLV_TYPE_VALUE_DATA) return nil if not cls data = cls.value.gsub(/\x00.*/n, '') return data end
Queries the registry value supplied in name and returns an initialized RegistryValue instance if a match is found.
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 201 def Registry.query_value(hkey, name) request = Packet.create_request('stdapi_registry_query_value') request.add_tlv(TLV_TYPE_HKEY, hkey) request.add_tlv(TLV_TYPE_VALUE_NAME, name) response = client.send_request(request) data = response.get_tlv(TLV_TYPE_VALUE_DATA).value; type = response.get_tlv(TLV_TYPE_VALUE_TYPE).value; if (type == REG_SZ) data = data[0..-2] elsif (type == REG_DWORD) data = data.unpack("N")[0] end return Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RegistryValue.new( client, hkey, name, type, data) end
Sets the registry value relative to the supplied hkey.
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 177 def Registry.set_value(hkey, name, type, data) request = Packet.create_request('stdapi_registry_set_value') request.add_tlv(TLV_TYPE_HKEY, hkey) request.add_tlv(TLV_TYPE_VALUE_NAME, name) request.add_tlv(TLV_TYPE_VALUE_TYPE, type) if (type == REG_SZ) data += "\x00" elsif (type == REG_DWORD) data = [ data.to_i ].pack("V") end request.add_tlv(TLV_TYPE_VALUE_DATA, data) response = client.send_request(request) return true end
Split the supplied full registry key into its root key and base key. For instance, passing HKLMSoftwareDog will return [ HKEY_LOCAL_MACHINE, ‘SoftwareDog’ ]
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 316 def self.splitkey(str) if (str =~ /^(.+?)\\(.*)$/) [ key2str($1), $2 ] else [ key2str(str), nil ] end end
Returns the integer value associated with the supplied registry value type (like REG_SZ).
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 302 def self.type2str(type) return REG_SZ if (type == 'REG_SZ') return REG_DWORD if (type == 'REG_DWORD') return REG_BINARY if (type == 'REG_BINARY') return REG_EXPAND_SZ if (type == 'REG_EXPAND_SZ') return REG_NONE if (type == 'REG_NONE') return nil end
# File lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb, line 52 def Registry.unload_key(root_key,base_key) request = Packet.create_request('stdapi_registry_unload_key') request.add_tlv(TLV_TYPE_ROOT_KEY, root_key) request.add_tlv(TLV_TYPE_BASE_KEY, base_key) response = client.send_request(request) return response.get_tlv(TLV_TYPE_RESULT).value end