Regipy : An OS Independent Python Library For Parsing Offline Registry Hives

Regipy is a python library for parsing offline registry hives. regipy has a lot of capabilities:

  • Use as a library:
    • Recurse over the registry hive, from root or a given path and get all subkeys and values
    • Read specific subkeys and values
    • Apply transaction logs on a registry hive
  • Command Line Tools
    • Dump an entire registry hive to json
    • Apply transaction logs on a registry hive
    • Compare registry hives
    • Execute plugins from a robust plugin system (i.e: amcache, shimcache, extract computer name…)

Also Read – Youzer : Fake User Generator For Active Directory Environments

Installation

Only python 3.7 is supported:

pip install regipy

also, it is possible to install from source by cloning the repository and executing:

python setup.py install

CLI

Parse the header:

registry-parse-header ~/Documents/TestEvidence/Registry/SYSTEM

Dump entire hive to disk (this might take some time)

registry-dump ~/Documents/TestEvidence/Registry/NTUSER-CCLEANER.DAT -o /tmp/output.json

registry-dump util can also output a timeline instead of a JSON, by adding the -t flag

Run relevant plugins on Hive

registry-run-plugins ~/Documents/TestEvidence/Registry/SYSTEM -o /tmp/plugins_output.json

The hive type will be detected automatically and the relevant plugins will be executed. See the plugins section for more information

Compare registry hives

Compare registry hives of the same type and output to CSV (if -o is not specified output will be printed to screen)

registry-diff NTUSER.dat NTUSER_modified.dat -o /tmp/diff.csv

Recover a registry hive, using transaction logs:

registry-transaction-logs NTUSER.DAT -p ntuser.dat.log1 -s ntuser.dat.log2 -o recovered_NTUSER.dat

After recovering, compare the hives with registry-diff to see what changed

Using as a library

Initiate the registry hive object

from regipy.registry import RegistryHive
reg = RegistryHive(‘/Users/martinkorman/Documents/TestEvidence/Registry/Vibranium-NTUSER.DAT’)

Iterate recursively over the entire hive, from root key

for entry in reg.recurse_subkeys(as_json=True):
print(entry)

Iterate over a key and get all subkeys and their modification time:

for sk in reg.get_key(‘Software’).iter_subkeys():
print(sk.name, convert_wintime(sk.header.last_modified).isoformat())

Adobe 2019-02-03T22:05:32.525965
AppDataLow 2019-02-03T22:05:32.526047
McAfee 2019-02-03T22:05:32.526140
Microsoft 2019-02-03T22:05:32.526282
Netscape 2019-02-03T22:05:32.526352
ODBC 2019-02-03T22:05:32.526521
Policies 2019-02-03T22:05:32.526592

Get the values of a key:

reg.get_key(‘Software\Microsoft\Internet Explorer\BrowserEmulation’).get_values(as_json=True)
[{‘name’: ‘CVListTTL’,
‘value’: 0,
‘value_type’: ‘REG_DWORD’,
‘is_corrupted’: False},
{‘name’: ‘UnattendLoaded’,
‘value’: 0,
‘value_type’: ‘REG_DWORD’,
‘is_corrupted’: False},
{‘name’: ‘TLDUpdates’,
‘value’: 0,
‘value_type’: ‘REG_DWORD’,
‘is_corrupted’: False},
{‘name’: ‘CVListXMLVersionLow’,
‘value’: 2097211,
‘value_type’: ‘REG_DWORD’,
‘is_corrupted’: False},
{‘name’: ‘CVListXMLVersionHigh’,
‘value’: None,
‘value_type’: ‘REG_DWORD’,
‘is_corrupted’: False},
{‘name’: ‘CVListLastUpdateTime’,
‘value’: None,
‘value_type’: ‘REG_DWORD’,
‘is_corrupted’: False},
{‘name’: ‘IECompatVersionHigh’,
‘value’: None,
‘value_type’: ‘REG_DWORD’,
‘is_corrupted’: False},
{‘name’: ‘IECompatVersionLow’,
‘value’: 2097211,
‘value_type’: ‘REG_DWORD’,
‘is_corrupted’: False},
{‘name’: ‘StaleCompatCache’,
‘value’: 0,
‘value_type’: ‘REG_DWORD’,
‘is_corrupted’: False}]

Use as a plugin:

from regipy.plugins.ntuser.ntuser_persistence import NTUserPersistencePlugin
NTUserPersistencePlugin(reg, as_json=True).run()
{
‘Software\Microsoft\Windows\CurrentVersion\Run’: {
‘timestamp’: ‘2019-02-03T22:10:52.655462’,
‘values’: [{
‘name’: ‘Sidebar’,
‘value’: ‘%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun’,
‘value_type’: ‘REG_EXPAND_SZ’,
‘is_corrupted’: False
}]
}
}

Run all relevant plugins for a specific hive

from regipy.plugins.utils import run_relevant_plugins
reg = RegistryHive(‘/Users/martinkorman/Documents/TestEvidence/Registry/SYSTEM’)
run_relevant_plugins(reg, as_json=True)
{
‘routes’: {},
‘computer_name’: [{
‘control_set’: ‘ControlSet001\Control\ComputerName\ComputerName’,
‘computer_name’: ‘DESKTOP-5EG84UG’,
‘timestamp’: ‘2019-02-03T22:19:28.853219’
}]
}

Download
R K

Share
Published by
R K
Tags: PythonPython LibraryRegipyRegistry Hives
5 years ago

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

2 days ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

2 days ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

4 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

7 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago