Imanol-Mikel Barba Sabariego / gravedigger · Files

import os

import logger
import tomb

import winver

from modules.module import Module

from mount import mount,umount

from runcmd import runProcess

import time

def getInstance():
    return RegistryModule()

class RegistryModule(Module):

    def __init__(self):
        self.name = "winreg"
        self.description = "Extracts Windows Registry files"

        self.requiredVars = ["winvol"]

        self.vars = {}

    def execute(self):

        path = tomb.getPath() + self.name + "/"

        if(not os.path.exists(path)):
            os.mkdir(path)

        logger.msgLog("Extracting Windows registry from volumes: " + repr(self.vars['winvol'].value), "winreg", logger.TYPE_INFO)

        for vol in self.vars['winvol'].value:
            mntpoint = "/mnt/"

            try:
                mntid = mount("/dev/" + vol)
            except:
                raise

            mntpoint += mntid
            files = []
            windir = winver.getWindowsDirectory(mntpoint)
            if windir == None:
                raise Exception("No Windows installation present")
            version = winver.getWindowsVersion(mntpoint)
            profiles = winver.getUserProfiles(mntpoint)
            if version <= winver._WIN_ME:
                #9x
                files = [windir + "USER.DAT",windir + "SYSTEM.DAT"]
                if(len(profiles) > 0):
                    for profile in profiles:
                        if(os.path.isfile(profile + "USER.DAT")):
                            files += [profile + "USER.DAT"]
                if version == winver._WIN_ME:
                    #ME
                    files += [windir + "CLASSES.DAT"]

            elif version > winver._WIN_ME:
                    #NT
                    files += [windir + "/System32/config/SAM" ]
                    files += [windir + "/System32/config/SECURITY"]
                    files += [windir + "/System32/config/SOFTWARE"]
                    files += [windir + "/System32/config/SYSTEM"]
                    files += [windir + "/System32/config/DEFAULT"]
                    for profile in profiles:
                        files += [profile + "/NTUSER.DAT"]
                        if version > winver._WIN_NT and version < winver._WIN_VISTA:
                            #2k XP 2k3
                            files += [profile + "/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat"]
                        else:
                            #Vista+
                            files += [profile + "/AppData/Local/Microsoft/Windows/UsrClass.dat"]

            runProcess(["tar","-czvf",path + "winreg_" + vol + "-" + str(int(time.time())) + ".tar.gz"] + files)

            try:
                umount(mntid)
            except:
                raise