
  1  # Rekall Memory Forensics 
  2  # Copyright (C) 2008-2011 Volatile Systems 
  3  # Copyright 2013 Google Inc. All Rights Reserved. 
  4  # 
  5  # This program is free software; you can redistribute it and/or modify 
  6  # it under the terms of the GNU General Public License as published by 
  7  # the Free Software Foundation; either version 2 of the License, or (at 
  8  # your option) any later version. 
  9  # 
 10  # This program is distributed in the hope that it will be useful, but 
 11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 13  # General Public License for more details. 
 14  # 
 15  # You should have received a copy of the GNU General Public License 
 16  # along with this program; if not, write to the Free Software 
 17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 18  # 
 19   
 20  """ 
 21  @author:       Jamie Levy (gleeda) 
 22  @license:      GNU General Public License 2.0 or later 
 23  @contact:      jamie.levy@gmail.com 
 24  @organization: Volatile Systems 
 25  """ 
import codecs
import datetime

from rekall import obj
from rekall.plugins.windows.registry import registry
from rekall_lib import utils
 31   
 32   
 33  # for Windows 7 userassist info check out Didier Stevens' article 
 34  # from Into the Boxes issue 0x0: 
 35  #  http://intotheboxes.wordpress.com/2010/01/01/into-the-boxes-issue-0x0/ 
 36  ua_win7_vtypes = { 
 37      '_VOLUSER_ASSIST_TYPES' : [0x48, { 
 38          'Count': [0x04, ['unsigned int']], 
 39          'FocusCount': [0x08, ['unsigned int']], 
 40          'FocusTime': [0x0C, ['unsigned int']], 
 41          'LastUpdated' : [0x3C, ['WinFileTime']] 
 42      }], 
 43  } 
 44   
 45  ua_vtypes = { 
 46      '_VOLUSER_ASSIST_TYPES' : [0x10, { 
 47          'ID': [0x0, ['unsigned int']], 
 48          'CountStartingAtFive': [0x04, ['unsigned int']], 
 49          'LastUpdated' : [0x08, ['WinFileTime']] 
 50      }], 
 51  } 
 52   
 53  # taken from http://msdn.microsoft.com/en-us/library/dd378457%28v=vs.85%29.aspx 
 54  FOLDER_GUIDS = { 
 55      "{de61d971-5ebc-4f02-a3a9-6c82895e5c04}": "Add or Remove Programs (Control Panel)", 
 56      "{724EF170-A42D-4FEF-9F26-B60E846FBA4F}": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", 
 57      "{a305ce99-f527-492b-8b1a-7e76fa98d6e4}":"Installed Updates", 
 58      "{9E52AB10-F80D-49DF-ACB8-4330F5687855}":"%LOCALAPPDATA%\\Microsoft\\Windows\\Burn\\Burn", 
 59      "{df7266ac-9274-4867-8d55-3bd661de872d}":"Programs and Features", 
 60      "{D0384E7D-BAC3-4797-8F14-CBA229B392B5}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", 
 61      "{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}":"%ALLUSERSPROFILE%\\OEM Links", 
 62      "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs", 
 63      "{A4115719-D62E-491D-AA7C-E74B8BE3B067}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu", 
 64      "{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp", 
 65      "{B94237E7-57AC-4347-9151-B08C6C32D1F7}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Templates", 
 66      "{0AC0837C-BBF8-452A-850D-79D08E667CA7}":"(My) Computer", 
 67      "{4bfefb45-347d-4006-a5be-ac0cb0567192}":"Conflicts", 
 68      "{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}":"Network Connections", 
 69      "{56784854-C6CB-462b-8169-88E350ACB882}":"%USERPROFILE%\\Contacts", 
 70      "{82A74AEB-AEB4-465C-A014-D097EE346D63}":"Control Panel", 
 71      "{2B0F765D-C0E9-4171-908E-08A611B84FF6}":"%APPDATA%\\Microsoft\\Windows\\Cookies", 
 72      "{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}":"Desktop", 
 73      "{5CE4A5E9-E4EB-479D-B89F-130C02886155}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\DeviceMetadataStore", 
 74      "{7B0DB17D-9CD2-4A93-9733-46CC89022E7C}":"%APPDATA%\\Microsoft\\Windows\\Libraries\\Documents.library-ms", 
 75      "{374DE290-123F-4565-9164-39C4925E467B}":"%USERPROFILE%\\Downloads", 
 76      "{1777F761-68AD-4D8A-87BD-30B759FA33DD}":"%USERPROFILE%\\Favorites", 
 77      "{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}":"%windir%\\Fonts", 
 78      "{CAC52C1A-B53D-4edc-92D7-6B2E8AC19434}":"Games", 
 79      "{054FAE61-4DD8-4787-80B6-090220C4B700}":"GameExplorer", 
 80      "{D9DC8A3B-B784-432E-A781-5A1130A75963}":"%LOCALAPPDATA%\\Microsoft\\Windows\\History", 
 81      "{52528A6B-B9E3-4ADD-B60D-588C2DBA842D}":"Homegroup", 
 82      "{BCB5256F-79F6-4CEE-B725-DC34E402FD46}":"%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", 
 83      "{352481E8-33BE-4251-BA85-6007CAEDCF9D}":"%LOCALAPPDATA%\\Microsoft\\Windows\\Temporary Internet Files", 
 84      "{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}":"The Internet", 
 85      "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}":"%APPDATA%\\Microsoft\\Windows\\Libraries", 
 86      "{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}":"%USERPROFILE%\\Links", 
 87      "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}":"%LOCALAPPDATA% (%USERPROFILE%\\AppData\\Local)", 
 88      "{A520A1A4-1780-4FF6-BD18-167343C5AF16}":"%USERPROFILE%\\AppData\\LocalLow", 
 89      "{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}":"%windir%\\resources\\0409 (code page)", 
 90      "{4BD8D571-6D19-48D3-BE97-422220080E43}":"%USERPROFILE%\\Music", 
 91      "{2112AB0A-C86A-4FFE-A368-0DE96E47012E}":"%APPDATA%\\Microsoft\\Windows\\Libraries\\Music.library-ms", 
 92      "{C5ABBF53-E17F-4121-8900-86626FC2C973}":"%APPDATA%\\Microsoft\\Windows\\Network Shortcuts", 
 93      "{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}":"Network", 
 94      "{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}":"%LOCALAPPDATA%\\Microsoft\\Windows Photo Gallery\\Original Images", 
 95      "{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}":"%USERPROFILE%\\Pictures\\Slide Shows", 
 96      "{A990AE9F-A03B-4E80-94BC-9912D7504104}":"%APPDATA%\\Microsoft\\Windows\\Libraries\\Pictures.library-ms", 
 97      "{33E28130-4E1E-4676-835A-98395C3BC3BB}":"%USERPROFILE%\\Pictures", 
 98      "{DE92C1C7-837F-4F69-A3BB-86E631204A23}":"%USERPROFILE%\\Music\\Playlists", 
 99      "{76FC4E2D-D6AD-4519-A663-37BD56068185}":"Printers", 
100      "{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}":"%APPDATA%\\Microsoft\\Windows\\Printer Shortcuts", 
101      "{5E6C858F-0E22-4760-9AFE-EA3317B67173}":"%USERPROFILE% (%SystemDrive%\\Users\\%USERNAME%)", 
102      "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}":"%ALLUSERSPROFILE% (%ProgramData%, %SystemDrive%\\ProgramData)", 
103      "{905e63b6-c1bf-494e-b29c-65b732d3d21a}":"%ProgramFiles%", 
104      "{6D809377-6AF0-444b-8957-A3773F02200E}":"%ProgramFiles%", 
105      "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}":"%ProgramFiles%", 
106      "{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}":"%ProgramFiles%\\Common Files", 
107      "{6365D5A7-0F0D-45E5-87F6-0DA56B6A4F7D}":"%ProgramFiles%\\Common Files", 
108      "{DE974D24-D9C6-4D3E-BF91-F4455120B917}":"%ProgramFiles%\\Common Files", 
109      "{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs", 
110      "{DFDF76A2-C82A-4D63-906A-5644AC457385}":"%PUBLIC% (%SystemDrive%\\Users\\Public)", 
111      "{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}":"%PUBLIC%\\Desktop", 
112      "{ED4824AF-DCE4-45A8-81E2-FC7965083634}":"%PUBLIC%\\Documents", 
113      "{3D644C9B-1FB8-4f30-9B45-F670235F79C0}":"%PUBLIC%\\Downloads", 
114      "{DEBF2536-E1A8-4c59-B6A2-414586476AEA}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\GameExplorer", 
115      "{48DAF80B-E6CF-4F4E-B800-0E69D84EE384}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Libraries", 
116      "{3214FAB5-9757-4298-BB61-92A9DEAA44FF}":"%PUBLIC%\\Music", 
117      "{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}":"%PUBLIC%\\Pictures", 
118      "{E555AB60-153B-4D17-9F04-A5FE99FC15EC}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Ringtones", 
119      "{2400183A-6185-49FB-A2D8-4A392A602BA3}":"%PUBLIC%\\Videos", 
120      "{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}":"%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch", 
121      "{AE50C081-EBD2-438A-8655-8A092E34987A}":"%APPDATA%\\Microsoft\\Windows\\Recent", 
122      "{1A6FDBA2-F42D-4358-A798-B74D745926C5}":"%PUBLIC%\\RecordedTV.library-ms", 
123      "{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}":"Recycle Bin", 
124      "{8AD10C31-2ADB-4296-A8F7-E4701232C972}":"%windir%\\Resources", 
125      "{C870044B-F49E-4126-A9C3-B52A1FF411E8}":"%LOCALAPPDATA%\\Microsoft\\Windows\\Ringtones", 
126      "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}":"%APPDATA% (%USERPROFILE%\\AppData\\Roaming)", 
127      "{B250C668-F57D-4EE1-A63C-290EE7D1AA1F}":"%PUBLIC%\\Music\\Sample Music", 
128      "{C4900540-2379-4C75-844B-64E6FAF8716B}":"%PUBLIC%\\Pictures\\Sample Pictures", 
129      "{15CA69B3-30EE-49C1-ACE1-6B5EC372AFB5}":"%PUBLIC%\\Music\\Sample Playlists", 
130      "{859EAD94-2E85-48AD-A71A-0969CB56A6CD}":"%PUBLIC%\\Videos\\Sample Videos", 
131      "{4C5C32FF-BB9D-43b0-B5B4-2D72E54EAAA4}":"%USERPROFILE%\\Saved Games", 
132      "{7d1d3a04-debb-4115-95cf-2f29da2920da}":"%USERPROFILE%\\Searches", 
133      "{ee32e446-31ca-4aba-814f-a5ebd2fd6d5e}":"Offline Files", 
134      "{98ec0e18-2098-4d44-8644-66979315a281}":"Microsoft Office Outlook", 
135      "{190337d1-b8ca-4121-a639-6d472d16972a}":"Search Results", 
136      "{8983036C-27C0-404B-8F08-102D10DCFD74}":"%APPDATA%\\Microsoft\\Windows\\SendTo", 
137      "{7B396E54-9EC5-4300-BE0A-2482EBAE1A26}":"%ProgramFiles%\\Windows Sidebar\\Gadgets", 
138      "{A75D362E-50FC-4fb7-AC2C-A8BEAA314493}":"%LOCALAPPDATA%\\Microsoft\\Windows Sidebar\\Gadgets", 
139      "{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}":"%APPDATA%\\Microsoft\\Windows\\Start Menu", 
140      "{B97D20BB-F46A-4C97-BA10-5E3608430854}":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp", 
141      "{43668BF8-C14E-49B2-97C9-747784D784B7}":"Sync Center", 
142      "{289a9a43-be44-4057-a41b-587a76d7e7f9}":"Sync Results", 
143      "{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}":"Sync Setup", 
144      "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}":"%windir%\\system32", 
145      "{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}":"%windir%\\system32", 
146      "{A63293E8-664E-48DB-A079-DF759E0509F7}":"%APPDATA%\\Microsoft\\Windows\\Templates", 
147      "{9E3995AB-1F9C-4F13-B827-48B24B6C7174}":"%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", 
148      "{0762D272-C50A-4BB0-A382-697DCD729B80}":"%SystemDrive%\\Users", 
149      "{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}":"%LOCALAPPDATA%\\Programs", 
150      "{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}":"%LOCALAPPDATA%\\Programs\\Common", 
151      "{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}":"The user's full name", 
152      "{A302545D-DEFF-464b-ABE8-61C8648D939B}":"Libraries", 
153      "{18989B1D-99B5-455B-841C-AB7C74E4DDFC}":"%USERPROFILE%\\Videos", 
154      "{491E922F-5643-4AF4-A7EB-4E7A138D8174}":"%APPDATA%\\Microsoft\\Windows\\Libraries\\Videos.library-ms", 
155      "{F38BF404-1D43-42F2-9305-67DE0B28FC23}":"%windir%", 
156  } 
157 158 159 -class UserAssistModification(obj.ProfileModification):
160 """Add special types to the profile to deal with user assist records.""" 161 162 @classmethod
163 - def modify(cls, profile):
164 # Update the profiles for user assist types. 165 if profile.metadata('version') >= 6.1: 166 profile.add_types(ua_win7_vtypes) 167 else: 168 profile.add_types(ua_vtypes)
170 171 -class UserAssist(registry.RegistryPlugin):
172 "Print userassist registry keys and information" 173 174 __name = "userassist" 175
176 - def __init__(self, **kwargs):
177 """Search the hives for userassist keys.""" 178 super(UserAssist, self).__init__(**kwargs) 179 180 # Profile to deal with userassist data. 181 self.ua_profile = UserAssistModification(self.profile)
182
183 - def find_count_keys(self):
184 for hive_offset in self.hive_offsets: 185 hive_address_space = registry.HiveAddressSpace( 186 base=self.kernel_address_space, session=self.session, 187 hive_addr=hive_offset, profile=self.profile) 188 189 reg = registry.Registry( 190 profile=self.profile, address_space=hive_address_space) 191 192 key = reg.open_key("software\\microsoft\\windows\\currentversion\\" 193 "explorer\\userassist\\") 194 for subkey in key.subkeys(): 195 yield reg, subkey.open_subkey("Count")
196
197 - def _resolve_gui_folders(self, name):
198 """In windows 7, the folder name is encoded as a GUID.""" 199 guid = name.split("\\")[0] 200 return name.replace(guid, FOLDER_GUIDS.get(guid, guid))
201
202 - def _render_assist_type(self, outfd, uadata):
203 try: outfd.write(u"{0:15} {1}\n".format("ID:", uadata.ID)) 204 except AttributeError: pass 205 206 # Count. 207 try: 208 outfd.write(u"{0:15} {1}\n".format("Count:", uadata.Count)) 209 except AttributeError: 210 count = uadata.CountStartingAtFive 211 if uadata.CountStartingAtFive > 5: 212 count -= 5 213 214 outfd.write(u"{0:15} {1}\n".format("Count:", count)) 215 216 # Focus time. 217 try: 218 timestamp = uadata.FocusTime 219 seconds = (uadata.FocusTime + 500) / 1000.0 220 if seconds > 0: 221 timestamp = datetime.timedelta(seconds = seconds) 222 outfd.write(u"{0:15} {1}\n{2:15} {3}\n".format( 223 "Focus Count:", uadata.FocusCount, "Time Focused:", 224 timestamp)) 225 except AttributeError: 226 pass 227 228 outfd.write(u"{0:15} {1}\n".format( 229 "Last updated:", uadata.LastUpdated))
230
231 - def render(self, outfd):
232 for reg, key in self.find_count_keys(): 233 if not key: 234 continue 235 236 outfd.write("----------------------------\n") 237 outfd.write("Registry: {0}\n".format(reg.Name)) 238 outfd.write("Key path: {0}\n".format(key.Path)) 239 outfd.write("Last updated: {0}\n".format(key.LastWriteTime)) 240 outfd.write("\n") 241 outfd.write("Subkeys:\n") 242 243 for subkey in key.subkeys(): 244 outfd.write(" {0}\n".format(subkey.Name)) 245 246 outfd.write("\n") 247 outfd.write("Values:\n") 248 for value in key.values(): 249 # In windows 7, folder names are replaced by guids. 250 value_name = str(value.Name).decode("rot13") 251 value_name = self._resolve_gui_folders(value_name) 252 253 outfd.write("\n{0:13} {1:15} :\n".format(value.Type, value_name)) 254 255 # Decode the data 256 if value.Type == "REG_BINARY": 257 # Does this look like a userassist record? 258 if value.DataLength == self.ua_profile.get_obj_size( 259 "_VOLUSER_ASSIST_TYPES"): 260 261 # Use the specialized profile to instantiate this object. 262 uadata = self.ua_profile.Object( 263 "_VOLUSER_ASSIST_TYPES", offset=value.Data, vm=value.obj_vm) 264 265 self._render_assist_type(outfd, uadata) 266 267 # Show a hexdump of the value as well. 268 utils.WriteHexdump(outfd, value.DecodedData)