winreg.py
2.38 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
from module import Module
import tomb
import os
import winver
from runcmd import runProcess
from mount import mount,umount
def getInstance():
return RegistryModule()
class RegistryModule(Module):
def __init__(self):
self.name = "winreg"
self.description = "Extracts Windows Registry files"
self.requiredVars = ["winvol"]
self.vars = {}
def run(self):
path = tomb.getPath() + self.name + "/"
if(not os.path.exists(path)):
os.mkdir(path)
for vol in self.vars['winvol'].value:
mntpoint = "/mnt/"
mntid = mount("/dev/" + vol)
mntpoint += mntid
files = []
windir = winver.getWindowsDirectory(mntpoint)
if windir == None:
raise Exception("No Windows installation present")
version = winver.getWindowsVersion(mntpoint)
profiles = winver.getUserProfiles(mntpoint)
if version <= winver._WIN_ME:
#9x
files = [windir + "USER.DAT",windir + "SYSTEM.DAT"]
if(len(profiles) > 0):
for profile in profiles:
if(os.path.isfile(profile + "USER.DAT")):
files += [profile + "USER.DAT"]
if version == winver._WIN_ME:
#ME
files += [windir + "CLASSES.DAT"]
elif version > winver._WIN_ME:
#NT
files += [windir + "/System32/config/SAM" ]
files += [windir + "/System32/config/SECURITY"]
files += [windir + "/System32/config/SOFTWARE"]
files += [windir + "/System32/config/SYSTEM"]
files += [windir + "/System32/config/DEFAULT"]
for profile in profiles:
files += [profile + "/NTUSER.DAT"]
if version > winver._WIN_NT and version < winver._WIN_VISTA:
#2k XP 2k3
files += [profile + "/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat"]
else:
#Vista+
files += [profile + "/AppData/Local/Microsoft/Windows/UsrClass.dat"]
runProcess(["tar","-czvf",path + "winreg_" + vol + ".tar.gz"] + files)
umount(mntid)