Add sys.get_reg() function to eldritch. (#362)

spellshift · Nov 14, 2023 · f7b5fc1 · f7b5fc1
1 parent f07d2fb
commit f7b5fc1
Show file tree

Hide file tree

Showing 6 changed files with 117 additions and 1 deletion.
diff --git a/docs/_docs/user-guide/eldritch.md b/docs/_docs/user-guide/eldritch.md
@@ -609,6 +609,30 @@ $> sys.get_pid()
 123456
 ```
 
+### sys.get_reg
+
+`sys.get_reg(reghive: str, regpath: str) -> Dict`
+
+The <b>sys.get_reg</b> method returns the registry values at the requested registry path.
+An example is below:
+
+```python
+$> sys.get_reg("HKEY_LOCAL_MACHINE","SOFTWARE\\Microsoft\\Windows\\CurrentVersion")
+{
+    "ProgramFilesDir": "C:\\Program Files", 
+    "CommonFilesDir": "C:\\Program Files\\Common Files", 
+    "ProgramFilesDir (x86)": "C:\\Program Files (x86)", 
+    "CommonFilesDir (x86)": "C:\\Program Files (x86)\\Common Files", 
+    "CommonW6432Dir": "C:\\Program Files\\Common Files", 
+    "DevicePath": "%SystemRoot%\\inf", 
+    "MediaPathUnexpanded": "%SystemRoot%\\Media", 
+    "ProgramFilesPath": "%ProgramFiles%", 
+    "ProgramW6432Dir": "C:\\Program Files", 
+    "SM_ConfigureProgramsName": "Set Program Access and Defaults", 
+    "SM_GamesName": "Games"
+}
+```
+
 ### sys.get_user
 
 `sys.get_user() -> Dict`

diff --git a/implants/Cargo.toml b/implants/Cargo.toml
@@ -64,6 +64,7 @@ tokio-test = "*"
 uuid = "1.3.0"
 whoami = "1.3.0"
 windows-sys = "0.45.0"
+winreg = "0.51.0"
 
 [profile.release]
 strip = true  # Automatically strip symbols from the binary.

diff --git a/implants/lib/eldritch/Cargo.toml b/implants/lib/eldritch/Cargo.toml
@@ -50,8 +50,10 @@ windows-sys = { workspace = true, features = [
 ]}
 whoami = { workspace = true }
 
+
 [target.'cfg(windows)'.dependencies]
 network-interface = { workspace = true }
+winreg = { workspace = true }
 
 [target.'cfg(not(windows))'.dependencies]
 pnet = { workspace = true }

diff --git a/implants/lib/eldritch/src/lib.rs b/implants/lib/eldritch/src/lib.rs
@@ -190,7 +190,7 @@ mod tests {
             r#"
 dir(file) == ["append", "compress", "copy", "download", "exists", "hash", "is_dir", "is_file", "list", "mkdir", "read", "remove", "rename", "replace", "replace_all", "template", "timestomp", "write"]
 dir(process) == ["info", "kill", "list", "name", "netstat"]
-dir(sys) == ["dll_inject", "exec", "get_env", "get_ip", "get_os", "get_pid", "get_user", "hostname", "is_linux", "is_macos", "is_windows", "shell"]
+dir(sys) == ["dll_inject", "exec", "get_env", "get_ip", "get_os", "get_pid", "get_reg", "get_user", "hostname", "is_linux", "is_macos", "is_windows", "shell"]
 dir(pivot) == ["arp_scan", "bind_proxy", "ncat", "port_forward", "port_scan", "smb_exec", "ssh_copy", "ssh_exec", "ssh_password_spray"]
 dir(assets) == ["copy","list","read","read_binary"]
 dir(crypto) == ["aes_decrypt_file", "aes_encrypt_file", "decode_b64", "encode_b64", "from_json", "hash_file", "to_json"]

diff --git a/implants/lib/eldritch/src/sys.rs b/implants/lib/eldritch/src/sys.rs
@@ -10,6 +10,7 @@ mod is_windows_impl;
 mod is_macos_impl;
 mod shell_impl;
 mod dll_inject_impl;
+mod get_reg_impl;
 
 use allocative::Allocative;
 use derive_more::Display;
@@ -119,4 +120,8 @@ fn methods(builder: &mut MethodsBuilder) {
         if false { println!("Ignore unused this var. _this isn't allowed by starlark. {:?}", this); }
         shell_impl::shell(starlark_heap, cmd)
     }
+    fn get_reg<'v>(this:  SysLibrary, starlark_heap: &'v Heap, reghiv: String, regpth: String) ->  anyhow::Result<Dict<'v>> {
+        if false { println!("Ignore unused this var. _this isn't allowed by starlark. {:?}", this); }
+        get_reg_impl::get_reg(starlark_heap, reghiv, regpth)
+    }
 }
diff --git a/implants/lib/eldritch/src/sys/get_reg_impl.rs b/implants/lib/eldritch/src/sys/get_reg_impl.rs
@@ -0,0 +1,84 @@
+use anyhow::Result;
+use starlark::{values::{dict::Dict, Heap, Value}, collections::SmallMap};
+
+
+pub fn get_reg(starlark_heap: &Heap, reghive: String, regpath: String) -> Result<Dict>  {
+
+    let res: SmallMap<Value, Value> = SmallMap::new();
+    let mut tmp_res = Dict::new(res);
+
+
+    #[cfg(not(target_os = "windows"))]
+        return Err(anyhow::anyhow!("This OS isn't supported by the get_reg function. Only windows systems are supported"));
+
+    #[cfg(target_os = "windows")]{
+        use winreg::{{enums::*}, RegKey, RegValue};
+        //Accepted values for reghive :
+        //HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_PERFORMANCE_DATA, HKEY_PERFORMANCE_TEXT, HKEY_PERFORMANCE_NLSTEXT, HKEY_CURRENT_CONFIG, HKEY_DYN_DATA, HKEY_CURRENT_USER_LOCAL_SETTINGS
+
+        let ihive: isize = match reghive.as_ref() {
+            "HKEY_CLASSES_ROOT" => HKEY_CLASSES_ROOT,
+            "HKEY_CURRENT_USER" => HKEY_CURRENT_USER,
+            "HKEY_LOCAL_MACHINE" => HKEY_LOCAL_MACHINE,
+            "HKEY_USERS" => HKEY_USERS,
+            "HKEY_PERFORMANCE_DATA" => HKEY_PERFORMANCE_DATA,
+            "HKEY_PERFORMANCE_TEXT" => HKEY_PERFORMANCE_TEXT,
+            "HKEY_PERFORMANCE_NLSTEXT" => HKEY_PERFORMANCE_NLSTEXT,
+            "HKEY_CURRENT_CONFIG" => HKEY_CURRENT_CONFIG,
+            "HKEY_DYN_DATA" => HKEY_DYN_DATA,
+            "HKEY_CURRENT_USER_LOCAL_SETTINGS" => HKEY_CURRENT_USER_LOCAL_SETTINGS,
+            _ => return Err(anyhow::anyhow!("RegHive can only be one of the following values - HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_PERFORMANCE_DATA, HKEY_PERFORMANCE_TEXT, HKEY_PERFORMANCE_NLSTEXT, HKEY_CURRENT_CONFIG, HKEY_DYN_DATA, HKEY_CURRENT_USER_LOCAL_SETTINGS ")),
+
+        };
+
+
+        let hive = RegKey::predef(ihive);
+        let subkey = hive.open_subkey(regpath)?;
+
+
+        for result in subkey.enum_values() {
+            let (key, val): (String, RegValue) = result?;
+            let key_value = starlark_heap.alloc_str(&key.to_string());
+            let val_value = starlark_heap.alloc_str(&val.to_string());
+            tmp_res.insert_hashed(
+                match key_value.to_value().get_hashed() {
+                    Ok(val) => val,
+                    Err(e) => return Err(anyhow::anyhow!("Failed to alloc name information: {}", e)),
+                },
+                val_value.to_value(),
+            );
+    	}
+    }
+    Ok(tmp_res)
+}
+
+#[cfg(test)]
+mod tests {
+    use starlark::{values::{Value, Heap}, const_frozen_string};
+    use super::*;
+
+
+    #[test]
+    fn test_get_reg() -> anyhow::Result<()> {
+
+        #[cfg(target_os = "windows")]{
+            use winreg::{{enums::*}, RegKey};
+            let binding = Heap::new();
+            //Write something into temp regkey...
+            let hkcu = RegKey::predef(HKEY_CURRENT_USER);
+            let (nkey, _ndisp) = hkcu.create_subkey("SOFTWARE\\TEST1")?;
+            nkey.set_value("FOO", &"BAR")?;
+
+            let ares = get_reg(&binding, "HKEY_CURRENT_USER".to_string(), "SOFTWARE\\TEST1".to_string());
+            let val2 : Value<'_> = ares?.get(const_frozen_string!("FOO").to_value())?.unwrap();
+            //delete temp regkey
+            nkey.delete_value("Foo")?;
+
+            assert_eq!(val2.unpack_str().unwrap(), "BAR");
+
+        }
+
+        Ok(())
+    }
+}
+