@williballenthin
Last active August 29, 2015 13:58
Example output from RegRipper with user defined template support.

By default, rip.pl continues to use the plugin's default template, so existing output is unchanged.

In the examples below, that default template is named "legacy".

» perl rip.pl -r samples/XP/system -p appcompatcache                           
Launching appcompatcache v.20130425
appcompatcache v.20130425
(System) Parse files from System hive Shim Cache

WinXP, 32-bit
C:\WINDOWS\system32\services.exe
UpdTime: Fri Jun 18 23:51:51 2004 Z
ModTime: Mon Jul  7 11:59:59 2003 Z
Size   : 101376

C:\WINDOWS\system32\lsass.exe
UpdTime: Fri Jun 18 23:51:51 2004 Z
ModTime: Mon Jul  7 11:59:59 2003 Z
Size   : 11776

...

Use -list_templates to show the templates installed for the selected plugin

» perl rip.pl -r samples/XP/system -p appcompatcache -list_templates
  - "legacy" version 20140405 by Willi Ballenthin <[email protected]>: The original appcompatcache output format developed by H. Carvey.
  - "just_paths" version 20140405 by Willi Ballenthin <[email protected]>: A list of only the filenames present in the artifact.

Select an installed template using -use_template

» perl rip.pl -r samples/XP/system -p appcompatcache -use_template legacy     
Launching appcompatcache v.20130425
appcompatcache v.20130425
(System) Parse files from System hive Shim Cache

WinXP, 32-bit
C:\WINDOWS\system32\services.exe
UpdTime: Fri Jun 18 23:51:51 2004 Z
ModTime: Mon Jul  7 11:59:59 2003 Z
Size   : 101376

C:\WINDOWS\system32\lsass.exe
UpdTime: Fri Jun 18 23:51:51 2004 Z
ModTime: Mon Jul  7 11:59:59 2003 Z
Size   : 11776

...

Another example, using the "just_paths" template, which emits only the filenames

» perl rip.pl -r samples/XP/system -p appcompatcache -use_template just_paths
Launching appcompatcache v.20130425
appcompatcache v.20130425
(System) Parse files from System hive Shim Cache

WinXP, 32-bit
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\oobe\msoobe.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\msagent\agentsvr.exe
...

Provide a user-defined template inline on the command line using -template_text. Templates use Template Toolkit syntax: the plugin's results are exposed as results.entries, and each entry carries fields such as entry.filename and entry.size

» perl rip.pl -r samples/XP/system -p appcompatcache -template_text "[% FOREACH entry IN results.entries %]
  - \"[% entry.filename %]\" ([% entry.size %])[% END %]"
Launching appcompatcache v.20130425
appcompatcache v.20130425
(System) Parse files from System hive Shim Cache

WinXP, 32-bit

  - "C:\WINDOWS\system32\services.exe" (101376)
  - "C:\WINDOWS\system32\lsass.exe" (11776)
  - "C:\WINDOWS\system32\oobe\msoobe.exe" (28160)
  - "C:\WINDOWS\system32\svchost.exe" (12800)
  - "C:\WINDOWS\msagent\agentsvr.exe" (235008)
  - "C:\WINDOWS\system32\spoolsv.exe" (51200)
  - "C:\WINDOWS\system32\wbem\wmiprvse.exe" (203776)
  - "C:\WINDOWS\system32\logonui.exe" (504320)
  - "C:\WINDOWS\system32\userinit.exe" (22016)
  - "C:\WINDOWS\explorer.exe" (1004032)
  - "C:\WINDOWS\System32\cscui.dll" (307712)
  - "C:\WINDOWS\system32\ie4uinit.exe" (28672)
...

Provide a user-defined template from a file using -template_file. Templates can also call helper functions such as helpers.gmtime. The template below applies it to entry.size only to show the call syntax, which is why every rendered date falls in January 1970: the byte counts are being interpreted as seconds since the epoch (101376 seconds is 1 day 04:09:36)

» cat /tmp/t.template 
[% FOREACH entry IN results.entries %]
  - "[% entry.filename %]" ([% helpers.gmtime(entry.size) %])[% END %]

» perl rip.pl -r samples/XP/system -p appcompatcache -template_file /tmp/t.template
Launching appcompatcache v.20130425
appcompatcache v.20130425
(System) Parse files from System hive Shim Cache

WinXP, 32-bit

  - "C:\WINDOWS\system32\services.exe" (Fri Jan  2 04:09:36 1970 Z)
  - "C:\WINDOWS\system32\lsass.exe" (Thu Jan  1 03:16:16 1970 Z)
  - "C:\WINDOWS\system32\oobe\msoobe.exe" (Thu Jan  1 07:49:20 1970 Z)
  - "C:\WINDOWS\system32\svchost.exe" (Thu Jan  1 03:33:20 1970 Z)
  - "C:\WINDOWS\msagent\agentsvr.exe" (Sat Jan  3 17:16:48 1970 Z)
  - "C:\WINDOWS\system32\spoolsv.exe" (Thu Jan  1 14:13:20 1970 Z)
  - "C:\WINDOWS\system32\wbem\wmiprvse.exe" (Sat Jan  3 08:36:16 1970 Z)
  - "C:\WINDOWS\system32\logonui.exe" (Tue Jan  6 20:05:20 1970 Z)
...
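An added example, not part of this gist or of RegRipper, for developing templates offline before pointing rip.pl at a hive. It covers both the -template_text and -template_file cases above by driving Template Toolkit directly with a constructed `results` hash shaped like the one the appcompatcache plugin exposes in the output above (`results.entries`, `entry.filename`, `entry.size`) and a `helpers.gmtime` implemented to match the legacy time format. The `modtime` epoch field, the helper body, the STRICT setting and the script name are assumptions; the real plugin may expose different field names.

```perl
#!/usr/bin/env perl
# tt_harness.pl: render RegRipper-style templates offline against
# constructed data. Added example, not code from rip.pl or this gist.
# Assumed: rip.pl hands Template Toolkit a `results` hash whose `entries`
# carry `filename` and `size` (as seen in the output above) and a `helpers`
# hash exposing `gmtime`. The `modtime` epoch field and the helper body are
# assumptions made here so that a real timestamp can be rendered.
use strict;
use warnings;
use Template;                 # Template Toolkit (CPAN: Template)
use POSIX qw(strftime);

# Constructed sample entries mirroring the XP Shim Cache output above.
my $results = {
    entries => [
        { filename => 'C:\WINDOWS\system32\services.exe',
          size     => 101376,
          modtime  => 1057579199 },  # Mon Jul  7 11:59:59 2003 Z (assumed field)
        { filename => 'C:\WINDOWS\system32\lsass.exe',
          size     => 11776,
          modtime  => 1057579199 },
    ],
};

my $helpers = {
    # Format an epoch value the way the legacy output does,
    # e.g. "Mon Jul  7 11:59:59 2003 Z". Template Toolkit calls a code
    # ref stored in a hash, so `helpers.gmtime(x)` works from a template.
    gmtime => sub {
        my ($epoch) = @_;
        return strftime('%a %b %e %H:%M:%S %Y Z', gmtime($epoch));
    },
};

my %templates = (
    # Same shape as the built-in "just_paths" template.
    just_paths => "[% FOREACH entry IN results.entries %]"
                . "[% entry.filename %]\n"
                . "[% END %]",
    # CSV timeline: gmtime applied to a timestamp field rather than to the
    # size as in the /tmp/t.template demonstration above.
    csv => "filename,size,modtime\n"
         . "[% FOREACH entry IN results.entries %]"
         . "\"[% entry.filename %]\",[% entry.size %],"
         . "[% helpers.gmtime(entry.modtime) %]\n"
         . "[% END %]",
);

# Optionally also render a template file, exactly the text you would pass
# to rip.pl -template_file:  perl tt_harness.pl /tmp/t.template
if (my $path = shift @ARGV) {
    open my $fh, '<', $path or die "cannot open $path: $!";
    $templates{$path} = do { local $/; <$fh> };
    close $fh;
}

# STRICT makes a typo in a variable name (e.g. entry.filenme) a hard error
# instead of silently rendering an empty string.
my $tt = Template->new({ STRICT => 1 }) or die Template->error();
for my $name (sort keys %templates) {
    print "--- $name ---\n";
    $tt->process(\$templates{$name},
                 { results => $results, helpers => $helpers })
        or die $tt->error();
    print "\n";
}
```

Run it with no arguments to see the two built-in templates rendered, or pass a template file to check it against the sample data before using it with -template_file. Because the harness runs under STRICT, a misspelled field name fails loudly here rather than producing blank columns in a real run.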

Plugins that don't yet support templates continue to work as expected

» perl rip.pl -r samples/XP/system -p services
Launching services v.20080507
services v.20080507
(System) Lists services/drivers in Services key by LastWrite times

ControlSet001\Services
Lists services/drivers in Services key by LastWrite times

Fri Jan 18 00:38:13 2008Z
  Name      = MSKSSRV
  Display   = Microsoft Streaming Service Proxy
  ImagePath = system32\drivers\MSKSSRV.sys
  Type      = Kernel driver
  Start     = Manual
  Group     = Extended Base

  Name      = MSPCLOCK
  Display   = Microsoft Streaming Clock Proxy
  ImagePath = system32\drivers\MSPCLOCK.sys
  Type      = Kernel driver
  Start     = Manual
  Group     = Extended Base

...