Command line registry parser / secrets extractor for MemProcFS
#
# Command-line interface to extract well-known secrets from registry hives
# using MemProcFS's registry API
#
#
# IMPORTANT: requires the latest AIOWinreg release (0.0.2 at the time of writing),
# installed from pip or GitHub; the reader shim below targets that version's hive API.
# Author: Tamas Jos @skelsec
from vmmpy import *
from pypykatz.registry.sam.sam import *
from pypykatz.registry.security.security import *
from pypykatz.registry.system.system import *
from pypykatz.registry.software.software import *
from aiowinreg.hive import AIOWinRegHive
from aiowinreg.filestruct.hbin import NTRegistryHbin
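class MemProcFS_RegReader:
    """
    Buffer-like reader over a registry hive that MemProcFS has located in memory.

    AIOWinreg's hive classes expect an object exposing ``read``/``seek``; this
    class provides that interface and forwards every read to
    ``VmmPy_WinReg_HiveRead`` for the hive at ``va_hive``.

    Only absolute and forward/relative positioning is supported. The hive
    length is not known to this reader, so ``read(-1)`` ("read to end") and
    ``seek(..., 2)`` (relative to end) are refused with ``ValueError``.
    """

    def __init__(self, va_hive):
        # Virtual address of the hive, as returned by VmmPy_WinReg_HiveList.
        self.va_hive = va_hive
        # Current byte offset into the hive.
        self.position = 0
        # Not used by this class; kept so existing callers that inspect it
        # keep working.
        self.firstread = True

    def read(self, count=-1):
        """
        Read ``count`` bytes at the current position and advance past them.

        ``count == 0`` returns ``b''`` (an empty bytes object, as a buffer
        would, rather than ``None`` which breaks ``len()``/concatenation in
        callers). A negative ``count`` raises ``ValueError`` because the hive
        size is unknown and "read everything" cannot be honoured.
        """
        if count < 0:
            raise ValueError('Cant read negative count')
        if count == 0:
            return b''
        data = VmmPy_WinReg_HiveRead(self.va_hive, self.position, count, flags=0)
        # NOTE(review): the offset advances by the requested count, not by
        # len(data); confirm VmmPy_WinReg_HiveRead always returns exactly
        # `count` bytes (or fails) so a short read cannot desynchronise offsets.
        self.position += count
        return data

    def seek(self, count, whence=0):
        """
        Move the read position and return the new absolute offset.

        ``whence`` 0 sets an absolute offset, 1 moves relative to the current
        position. ``ValueError`` is raised for a negative absolute offset, for
        a relative move that would land before offset 0, for ``whence == 2``
        (hive length unavailable) and for any other ``whence`` value, so a
        bad seek can never be silently ignored and leave the caller reading
        from the wrong place.
        """
        if whence == 0:
            if count < 0:
                raise ValueError('whence 0 requires positive values or 0')
            new_position = count
        elif whence == 1:
            new_position = self.position + count
            if new_position < 0:
                raise ValueError('relative seek would move before offset 0')
        elif whence == 2:
            raise ValueError('Cant seek from the end!')
        else:
            raise ValueError('invalid whence value: {}'.format(whence))
        self.position = new_position
        return new_position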
def list_hives():
    """
    Yield every hive descriptor MemProcFS reports for the loaded image.

    Each item is one entry of ``VmmPy_WinReg_HiveList()``; ``get_hive_va``
    reads the ``'name'`` and ``'va_hive'`` keys from it.
    """
    yield from VmmPy_WinReg_HiveList()
def get_hive_va(hive_name):
    """
    Return the virtual address of the first listed hive whose name ends with
    ``hive_name``, or ``None`` when nothing matches.

    A suffix match is used rather than equality — presumably because
    MemProcFS prefixes the hive name (confirm against the actual
    ``'name'`` values). Entries without a ``'name'`` key are skipped, and the
    first match wins, so a suffix shared by several hives resolves to
    whichever one MemProcFS lists first.
    """
    candidates = (
        info['va_hive']
        for info in list_hives()
        if 'name' in info and info['name'].endswith(hive_name)
    )
    return next(candidates, None)
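def create_hive(hive_name):
    """
    Build an ``AIOWinRegHive`` for the MemProcFS hive whose name ends with
    ``hive_name``.

    Returns ``None`` when no such hive exists in the image. Previously a
    missing hive produced a reader over address ``None`` and failed inside the
    MemProcFS read call, which made the ``is None`` checks in ``parse_reg``
    unreachable; returning ``None`` lets callers treat a hive as optional.

    A fresh reader is handed to the hive object because the first one has
    been advanced by ``NTRegistryHbin.read``; presumably AIOWinreg expects
    to start from offset 0 — keep it that way.
    """
    hive_va = get_hive_va(hive_name)
    if hive_va is None:
        return None
    hroot = NTRegistryHbin.read(MemProcFS_RegReader(hive_va))
    return AIOWinRegHive(MemProcFS_RegReader(hive_va), hroot, is_file=False)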
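def parse_reg():
    """
    Extract the well-known secrets from the registry hives of the loaded image
    and print them.

    The SYSTEM hive is mandatory: it provides the boot key that the SAM,
    SECURITY and SOFTWARE parsers take as input. Each of those three is
    optional and is reported as missing when absent, instead of failing the
    whole run.

    Everything printed here is material recovered from the dump by the
    pypykatz SAM/SECURITY/SOFTWARE parsers (``get_secrets`` /
    ``get_default_logon``) and should be treated as sensitive: do not leave it
    in shell history, CI logs or ticket attachments.

    Raises ``Exception`` if the SYSTEM hive cannot be found.
    """
    # Resolve SYSTEM first so a run that cannot succeed fails before any
    # other hive is parsed.
    system_hive = create_hive('SYSTEM-MACHINE_SYSTEM')
    if system_hive is None:
        raise Exception('System hive not found! this is mandatory for extracting secrets!')

    sam_hive = create_hive('SAM-MACHINE_SAM')
    security_hive = create_hive('SECURITY-MACHINE_SECURITY')
    software_hive = create_hive('SOFTWARE-MACHINE_SOFTWARE')

    system = SYSTEM(system_hive)
    # The boot key is itself a secret; it is intentionally not printed.
    bootkey = system.get_bootkey()

    # Pre-initialise so the reporting loop never touches an unbound name when
    # a hive is missing (the original printed str(sam) etc. unconditionally,
    # which raised NameError for an absent hive).
    sam = security = software = None

    if sam_hive is not None:
        sam = SAM(sam_hive, bootkey)
        sam.get_secrets()
    else:
        print('SAM hive not found!')

    if security_hive is not None:
        security = SECURITY(security_hive, bootkey)
        security.get_secrets()
    else:
        print('SECURITY hive not found!')

    if software_hive is not None:
        software = SOFTWARE(software_hive, bootkey)
        software.get_default_logon()
    else:
        print('SOFTWARE hive not found!')

    for result in (sam, security, software):
        if result is not None:
            print(str(result))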
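def run(dump_file_name):
    """
    Initialise MemProcFS on ``dump_file_name``, extract the registry secrets
    and shut MemProcFS down again.

    ``dump_file_name`` is passed verbatim to MemProcFS as its ``-device``
    argument. The image is untrusted input that is parsed by MemProcFS and by
    the hive/secret parsers; run this over images of unknown origin with the
    same caution as any other parser of attacker-controlled data.

    Any exception is caught at this top-level boundary, reported together with
    its traceback (the message alone hid where a parse failed) and not
    re-raised. The previous bare ``list_hives()`` call was removed: it created
    a generator that was never iterated and so did nothing.
    """
    import traceback
    try:
        VmmPy_Initialize(["-device", dump_file_name])
        parse_reg()
    except Exception as e:
        print('Something bad happened :( {}'.format(e))
        traceback.print_exc()
    finally:
        # NOTE(review): runs even when VmmPy_Initialize itself failed; confirm
        # VmmPy_Close tolerates being called on an uninitialised instance.
        VmmPy_Close()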
def main():
    """
    Command-line entry point: take the single positional memory-dump path and
    hand it to ``run``.
    """
    import argparse
    arg_parser = argparse.ArgumentParser(
        description='Extract registry secrets from memory dump')
    arg_parser.add_argument('dump_file_name', help='Dump file name')
    options = arg_parser.parse_args()
    run(options.dump_file_name)
# Script entry point; importing this module from another tool does not start
# the extraction.
if __name__ == '__main__':
    main()