Ripping the Registry w/ rip.exe
While I was developing RegRipper, I found that I needed a way to test plugins without firing up the RegRipper GUI each time, particularly if I just wanted to change how the output was displayed. For example, once I had all the information I needed, say I wanted to parse it and display it sorted by the Registry keys' LastWrite times (so that it's easier to correlate with an incident timeline). Do I want to fire everything up all over again, or simply re-run the last command line?
So I wrote rip.exe, a small CLI utility that uses the same plugin structure as RegRipper, and lets me either run a single plugin against a hive file, or run an entire plugins file against a hive file. Here's what the syntax for rip.exe looks like:
Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.
All plugins must be located in the "plugins" directory; default plugins file
used if no other filename given is "plugins\plugins".
-r Reg hive file...Registry hive file to parse
-f [plugin file]...use the plugin file (default: plugins\plugins)
-p plugin module...use only this module
-l ................list all plugins
-h.......................Help (print this information)
Ex: C:\>rr -r c:\case\system -f system
C:\>rr -r c:\case\ntuser.dat -p userassist.pl
C:\>rr -l
All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.
copyright 2008 H. Carvey
Pretty cool. I even threw in a switch to just list all of the plugins in the plugins directory; the output includes the name of the plugin, the version, which hive file each plugin is for (i.e., NTUSER.DAT, System, Software, etc.), and a brief description of what the plugin does. Here are a couple of examples:
7. auditpol v.20080327 [Security]
- Get audit policy from the Security hive file
8. bho v.20080325 [Software]
- Gets Browser Helper Objects from Software hive
9. cmd_shell v.20080328 [Software]
- Gets shell open cmds for various file types
10. comdlg32 v.20080324 [NTUSER.DAT]
- Gets contents of user's ComDlg32 key
11. compdesc v.20080324 [NTUSER.DAT]
- Gets contents of user's ComputerDescriptions key
12. compname v.20080324 [System]
- Gets ComputerName value from System hive
13. devclass v.20080331 [System]
- Get USB device info from the DeviceClasses keys in the System hive
14. fw_config v.20080328 [System]
- Gets the Windows Firewall config from the System hive
So let's say that I have an image of a Windows system, and I've either extracted the Registry hive files from the image and placed them in a directory, or I've mounted the image file as a read-only file system using Mount Image Pro or VDKWin. If I want to take a cursory look at a few things to get an idea of what I'm dealing with, I can run rip.exe to collect the info for me:
C:\tools>rip -r d:\cases\ntuser.dat -p userassist
Let's say that I want to run an entire plugins file against a hive file...
C:\tools>rip -r f:\windows\system32\config\software -f software
Pretty straightforward, simple, and quick. Very efficient, and it keeps mistakes down. Rip.exe can also be incorporated into a batch file, to further automate processing and reduce the analyst's interaction with the data even more.