Regipy is a Python library for parsing offline registry hives. Regipy has a lot of capabilities:
Only Python 3.7 is supported:
pip install regipy
Also, it is possible to install from source by cloning the repository and executing:
python setup.py install
registry-parse-header ~/Documents/TestEvidence/Registry/SYSTEM
Dump entire hive to disk (this might take some time)
registry-dump ~/Documents/TestEvidence/Registry/NTUSER-CCLEANER.DAT -o /tmp/output.json
The registry-dump utility can also output a timeline instead of JSON by adding the -t flag.
registry-run-plugins ~/Documents/TestEvidence/Registry/SYSTEM -o /tmp/plugins_output.json
The hive type will be detected automatically and the relevant plugins will be executed. See the plugins section for more information
Compare registry hives of the same type and output to CSV (if -o is not specified, output will be printed to screen):
registry-diff NTUSER.dat NTUSER_modified.dat -o /tmp/diff.csv
Recover a registry hive, using transaction logs:
registry-transaction-logs NTUSER.DAT -p ntuser.dat.log1 -s ntuser.dat.log2 -o recovered_NTUSER.dat
After recovering, compare the hives with registry-diff to see what changed
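What the header check and the transaction-log recovery above hinge on, as an added example (not regipy's code and not part of the original article): a standard-library parser for the first 512 bytes of a hive, the regf base block, that validates the header checksum and reports whether the two sequence numbers differ, which marks a dirty hive whose logs should be replayed before analysis. Function names and the sample header are constructed for illustration; field offsets follow the publicly documented regf layout.

```python
import struct
from datetime import datetime, timedelta, timezone

# First 48 bytes of the regf base block: signature, primary/secondary sequence,
# last-written FILETIME, major, minor, type, format, root cell, bins size, cluster.
BASE_BLOCK = struct.Struct("<4sIIQIIIIIII")


def regf_checksum(block: bytes) -> int:
    """XOR-32 over the first 508 bytes, with the two reserved results remapped."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1


def parse_base_block(block: bytes) -> dict:
    if len(block) < 512:
        raise ValueError("need at least the first 512 bytes of the hive")
    (sig, seq1, seq2, filetime, major, minor,
     _ftype, _fmt, root_offset, bins_size, _cluster) = BASE_BLOCK.unpack_from(block)
    if sig != b"regf":
        raise ValueError("not a registry hive (bad signature)")
    stored = struct.unpack_from("<I", block, 508)[0]
    written = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return {
        "version": f"{major}.{minor}",
        "last_written": written.isoformat(),
        "root_cell_offset": root_offset,
        "hive_bins_size": bins_size,
        "checksum_ok": stored == regf_checksum(block),
        # Differing sequence numbers mean a write was in flight: the hive is
        # dirty and its transaction logs should be applied before analysis.
        "dirty": seq1 != seq2,
    }


def make_sample_header(seq1: int, seq2: int) -> bytes:
    """Constructed 512-byte base block for demonstration (not a real hive)."""
    head = BASE_BLOCK.pack(b"regf", seq1, seq2, 131937051320000000,
                           1, 5, 0, 1, 0x20, 0x1000, 1)
    body = head + b"\x00" * (508 - len(head))
    return body + struct.pack("<I", regf_checksum(body))


if __name__ == "__main__":
    print(parse_base_block(make_sample_header(41, 40)))
```

On real evidence, pass the first 512 bytes of the hive file; a result with `dirty` set is the case where registry-transaction-logs should be run before trusting the parsed keys.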
Initiate the registry hive object
from regipy.registry import RegistryHive
reg = RegistryHive('/Users/martinkorman/Documents/TestEvidence/Registry/Vibranium-NTUSER.DAT')
Iterate recursively over the entire hive, from root key
for entry in reg.recurse_subkeys(as_json=True):
    print(entry)
Iterate over a key and get all subkeys and their modification time:
from regipy.utils import convert_wintime  # converts a Windows FILETIME to a datetime
for sk in reg.get_key('Software').iter_subkeys():
    print(sk.name, convert_wintime(sk.header.last_modified).isoformat())
Adobe 2019-02-03T22:05:32.525965
AppDataLow 2019-02-03T22:05:32.526047
McAfee 2019-02-03T22:05:32.526140
Microsoft 2019-02-03T22:05:32.526282
Netscape 2019-02-03T22:05:32.526352
ODBC 2019-02-03T22:05:32.526521
Policies 2019-02-03T22:05:32.526592
reg.get_key(r'Software\Microsoft\Internet Explorer\BrowserEmulation').get_values(as_json=True)
[{'name': 'CVListTTL',
  'value': 0,
  'value_type': 'REG_DWORD',
  'is_corrupted': False},
 {'name': 'UnattendLoaded',
  'value': 0,
  'value_type': 'REG_DWORD',
  'is_corrupted': False},
 {'name': 'TLDUpdates',
  'value': 0,
  'value_type': 'REG_DWORD',
  'is_corrupted': False},
 {'name': 'CVListXMLVersionLow',
  'value': 2097211,
  'value_type': 'REG_DWORD',
  'is_corrupted': False},
 {'name': 'CVListXMLVersionHigh',
  'value': None,
  'value_type': 'REG_DWORD',
  'is_corrupted': False},
 {'name': 'CVListLastUpdateTime',
  'value': None,
  'value_type': 'REG_DWORD',
  'is_corrupted': False},
 {'name': 'IECompatVersionHigh',
  'value': None,
  'value_type': 'REG_DWORD',
  'is_corrupted': False},
 {'name': 'IECompatVersionLow',
  'value': 2097211,
  'value_type': 'REG_DWORD',
  'is_corrupted': False},
 {'name': 'StaleCompatCache',
  'value': 0,
  'value_type': 'REG_DWORD',
  'is_corrupted': False}]
from regipy.plugins.ntuser.ntuser_persistence import NTUserPersistencePlugin
NTUserPersistencePlugin(reg, as_json=True).run()
{
    'Software\Microsoft\Windows\CurrentVersion\Run': {
        'timestamp': '2019-02-03T22:10:52.655462',
        'values': [{
            'name': 'Sidebar',
            'value': '%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun',
            'value_type': 'REG_EXPAND_SZ',
            'is_corrupted': False
        }]
    }
}
Run all relevant plugins for a specific hive
from regipy.plugins.utils import run_relevant_plugins
reg = RegistryHive('/Users/martinkorman/Documents/TestEvidence/Registry/SYSTEM')
run_relevant_plugins(reg, as_json=True)
{
    'routes': {},
    'computer_name': [{
        'control_set': 'ControlSet001\Control\ComputerName\ComputerName',
        'computer_name': 'DESKTOP-5EG84UG',
        'timestamp': '2019-02-03T22:19:28.853219'
    }]
}