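#!/usr/bin/python
"""Exercise the WINREG (remote registry) RPC pipe by walking HKLM.

The walk opens HKLM, then for each visited key queries its metadata,
version and security descriptor, flushes it, enumerates its values and
recurses into its subkeys (bounded by a small depth limit).

Every request is a plain dict handed to the ``dcerpc`` binding module; the
field names (including the ones called ``unknown``) are the ones that module
expects and are passed through unchanged.
"""

import sys
import dcerpc

# Access mask used for every open in this file.  0x02000000 is the Windows
# MAXIMUM_ALLOWED bit: the server grants whatever the connecting account is
# entitled to, so what the walk can reach depends entirely on the privileges
# of the credentials passed to runtests().
# NOTE(review): a read-only walk would not need more than read access, but
# FlushKey below may require more -- confirm before narrowing the mask.
MAXIMUM_ALLOWED = 0x02000000

# Keys nested deeper than this below the starting key are not visited.
MAX_DEPTH = 2


def test_OpenHKLM(pipe):
    """Open HKEY_LOCAL_MACHINE on *pipe* and return the key handle."""
    r = {
        'unknown': {
            'unknown0': 0x9038,
            'unknown1': 0x0000,
        },
        'access_required': MAXIMUM_ALLOWED,
    }

    result = dcerpc.winreg_OpenHKLM(pipe, r)

    return result['handle']


def test_QueryInfoKey(pipe, handle):
    """Return the QueryInfoKey reply for *handle*.

    test_Key() reads 'num_values', 'num_subkeys', 'max_valnamelen' and
    'max_valbufsize' from the reply.
    """
    r = {
        'handle': handle,
        'class': {'name': None},
    }

    return dcerpc.winreg_QueryInfoKey(pipe, r)


def test_CloseKey(pipe, handle):
    """Close the key *handle* on the server."""
    dcerpc.winreg_CloseKey(pipe, {'handle': handle})


def test_FlushKey(pipe, handle):
    """Issue FlushKey for *handle*.

    NOTE(review): apart from opening and closing handles this is the one
    call in the walk that asks the server to do more than read; it is
    issued for every visited key.
    """
    dcerpc.winreg_FlushKey(pipe, {'handle': handle})


def test_GetVersion(pipe, handle):
    """Issue GetVersion for *handle*; the reply is discarded."""
    dcerpc.winreg_GetVersion(pipe, {'handle': handle})


def test_GetKeySecurity(pipe, handle):
    """Fetch and print the security data of *handle*, then exit.

    The first call is made with a zero-length buffer; if the server answers
    WERR_INSUFFICIENT_BUFFER the call is repeated with the size it reported.
    """
    r = {
        'handle': handle,
        # presumably the SECURITY_INFORMATION selector (4 would be
        # DACL_SECURITY_INFORMATION) -- confirm against the IDL
        'unknown': 4,
        'size': None,
        'data': {
            'max_len': 0,
            'data': '',
        },
    }

    result = dcerpc.winreg_GetKeySecurity(pipe, r)

    print(result)

    if result['result'] == dcerpc.WERR_INSUFFICIENT_BUFFER:
        needed = result['data']['max_len']
        r['size'] = {
            'max_len': needed,
            'offset': 0,
            'len': needed,
        }

        result = dcerpc.winreg_GetKeySecurity(pipe, r)

    print(result)

    # NOTE(review): this unconditional exit ends the whole run after the
    # first key's security data has been printed, so the value and subkey
    # enumeration in test_Key() is never reached while it is here.  It looks
    # like a debugging stop; confirm before removing.  (Its placement at
    # function level, rather than inside the retry branch, is assumed.)
    sys.exit(1)


def test_Key(pipe, handle, name, depth=0):
    """Run the per-key checks on *handle* and recurse into its subkeys.

    *name* is the path of the key, built up with '/' separators as the walk
    descends.  *depth* is the current nesting level; keys deeper than
    MAX_DEPTH are skipped because registries can be very deep.

    A key whose QueryInfoKey fails with WERR_ACCESS_DENIED is skipped
    silently; any other WERROR is propagated to the caller.
    """
    # Don't descend too far.  Registries can be very deep.
    if depth > MAX_DEPTH:
        return

    try:
        keyinfo = test_QueryInfoKey(pipe, handle)
    except dcerpc.WERROR as arg:
        if arg.args[0] == dcerpc.WERR_ACCESS_DENIED:
            return
        # Any other failure used to fall through with keyinfo unbound and
        # only surface later as a NameError; report the real RPC error.
        raise

    test_GetVersion(pipe, handle)

    test_FlushKey(pipe, handle)

    test_GetKeySecurity(pipe, handle)

    # Enumerate values in this key.  Buffer sizes come from the server's
    # QueryInfoKey reply; the name length is doubled for the max_len field
    # (NOTE(review): presumably a byte count for a UTF-16 name -- confirm).
    name_chars = keyinfo['max_valnamelen'] + 1
    value_bytes = keyinfo['max_valbufsize']

    r = {
        'handle': handle,
        'name_in': {
            'len': 0,
            'max_len': name_chars * 2,
            'buffer': {
                'max_len': name_chars,
                'offset': 0,
                'len': 0,
            },
        },
        'type': 0,
        'value_in': {
            'max_len': value_bytes,
            'offset': 0,
            'len': 0,
        },
        'value_len1': value_bytes,
        'value_len2': 0,
    }

    for i in range(keyinfo['num_values']):
        r['enum_index'] = i
        dcerpc.winreg_EnumValue(pipe, r)

    # Recursively test subkeys of this key
    r = {
        'handle': handle,
        'key_name_len': 0,
        'unknown': 0x0414,
        'in_name': {
            'unknown': 0x20a,
            'key_name': {'name': None},
        },
        'class': {'name': None},
        'last_changed_time': {
            'low': 0,
            'high': 0,
        },
    }

    for i in range(keyinfo['num_subkeys']):
        r['enum_index'] = i

        subkey = dcerpc.winreg_EnumKey(pipe, r)

        s = {
            'handle': handle,
            'keyname': {'name': subkey['out_name']['name']},
            'unknown': 0,
            'access_mask': MAXIMUM_ALLOWED,
        }

        result = dcerpc.winreg_OpenKey(pipe, s)

        # Close the subkey handle even when the recursive walk raises, so a
        # failure deep in the tree does not leave handles open on the server.
        try:
            test_Key(pipe, result['handle'],
                     name + '/' + s['keyname']['name'], depth + 1)
        finally:
            test_CloseKey(pipe, result['handle'])


def runtests(binding, domain, username, password):
    """Connect to the WINREG pipe at *binding* and walk HKLM.

    *domain*, *username* and *password* are handed to dcerpc.pipe_connect()
    as given; this function does not print or store them.
    """
    print('Testing WINREG pipe')

    pipe = dcerpc.pipe_connect(binding,
            dcerpc.DCERPC_WINREG_UUID, dcerpc.DCERPC_WINREG_VERSION,
            domain, username, password)

    handle = test_OpenHKLM(pipe)

    # Release the root handle whether or not the walk completes.
    try:
        test_Key(pipe, handle, 'HKLM')
    finally:
        test_CloseKey(pipe, handle)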