Michael,

Thanks for all the tips. I made it work by querying "Classes\\CLSID" directly. Didn't update this thread because I thought my email had bounced (as had happened the last two times I posted here about exactly the same subject).

I'll be making some updates on the autoruns plugin soon enough. :)

Cheers,

On Thu, Mar 17, 2016 at 5:30 PM, Michael Ligh <[email protected]> wrote:
> Hi Thomas,
>
> Sorry for the delay... I just saw this come through. I ran a similar test:
>
> $ volatility printkey -K "Software\\Classes"
> Volatility Foundation Volatility Framework 2.5
> Legend: (S) = Stable (V) = Volatile
>
> ----------------------------
> Registry: \??\C:\Users\user\ntuser.dat
> Key name: Classes (V)
> Last updated: 2016-03-10 20:19:33 UTC+0000
>
> Subkeys:
>
> Values:
> REG_LINK SymbolicLinkValue : (V)
> \Registry\User\S-1-5-21-928030315-4021721725-3028358750-1000_Classes
> ----------------------------
> Registry: \SystemRoot\System32\Config\DEFAULT
> Key name: Classes (S)
> Last updated: 2009-07-14 04:48:57 UTC+0000
>
> Subkeys:
> (S) Local Settings
>
> The SymbolicLinkValue is pointing to another hive, it appears. For
> example, if you use hivelist and look for the user's usrclass.dat:
>
> $ volatility hivelist | grep -i usrclass.dat
>
> 0xfffff8a0017b0010 0x000000000db8b010
> \??\C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
>
> Then you can print that hive and see its Key name is the same as the
> symbolic link above:
>
> $ volatility printkey -o 0xfffff8a0017b0010
> Volatility Foundation Volatility Framework 2.5
> Legend: (S) = Stable (V) = Volatile
>
> ----------------------------
> Registry: \??\C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
> Key name: S-1-5-21-928030315-4021721725-3028358750-1000_Classes (S)
> Last updated: 2016-01-07 15:30:19 UTC+0000
>
> Subkeys:
> (S) Local Settings
>
> So then you could traverse into there with -o 0xfffff8a0017b0010 -K
> "Local Settings"
>
> Also note that if you're looking for the local machine's CLSIDs, then
> you would leave off the "Software" prefix (since they're found in the
> SOFTWARE hive):
>
> $ volatility printkey -K "Classes\\CLSID"
> Volatility Foundation Volatility Framework 2.5
> Legend: (S) = Stable (V) = Volatile
>
> ----------------------------
> Registry: \SystemRoot\System32\Config\SOFTWARE
> Key name: CLSID (S)
> Last updated: 2016-02-27 23:52:47 UTC+0000
>
> Subkeys:
> (S) CLSID
> (S) {0000002F-0000-0000-C000-000000000046}
> (S) {00000300-0000-0000-C000-000000000046}
> (S) {00000301-A8F2-4877-BA0A-FD2B6645FB94}
> (S) {00000303-0000-0000-C000-000000000046}
> (S) {00000304-0000-0000-C000-000000000046}
> [snip]
>
> The hive_name parameter to regapi is best described by looking at the
> set_current method:
>
> https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/registry/registryapi.py#L86
>
> It looks like you can access a particular user's ntuser.dat by just
> supplying user="username" instead of hive_name. Don't quote me on that,
> but it looks like that would work.
>
> Hope this helps!
> MHL
>
> On 2/26/16 7:01 AM, Thomas Chopitea wrote:
> > Dear vol-users,
> >
> > I'm trying to get data from a volatile registry key using
> > the regapi / rawreg classes in volatility.
> >
> > The key I'm looking for is under HKCU\Software\Classes\, and is called CLSID
> >
> > vol.py --plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns' -f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K "Software\\Classes\\CLSID"
> > Volatility Foundation Volatility Framework 2.4
> > Legend: (S) = Stable (V) = Volatile
> >
> > The requested key could not be found in the hive(s) searched
> >
> > So I go up one level:
> >
> > vol.py --plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns' -f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K "Software\\Classes"
> > Volatility Foundation Volatility Framework 2.4
> > Legend: (S) = Stable (V) = Volatile
> >
> > ----------------------------
> > Registry: \??\C:\Users\admin\ntuser.dat
> > Key name: Classes (V)
> > Last updated: 2015-04-11 18:04:18 UTC+0000
> >
> > Subkeys:
> >
> > Values:
> > REG_LINK SymbolicLinkValue : (V)
> > \Registry\User\S-1-5-21-978483858-511166411-2750856381-1000_Classes
> > ----------------------------
> > Registry: \SystemRoot\System32\Config\DEFAULT
> > Key name: Classes (S)
> > Last updated: 2009-07-14 04:48:57 UTC+0000
> >
> > Subkeys:
> > (S) Local Settings
> >
> > Values:
> >
> > How can I query this key and keep on drilling into its subkeys?
> >
> > Also, my plugin is making extensive use of rawreg because I try to get
> > each individual NTUSER.dat hive, and I don't know which hive_name to
> > pass on to regapi. Should I use the full hive name, as
> > in self.hive_name(obj.Object("_CMHIVE", vm = addr_space, offset = hive_offset)),
> > or is there a better way of doing it?
> >
> > Any help is greatly appreciated. Have a great day!
> >
> > --
> > Thomas Chopitea
> >
> >
> > _______________________________________________
> > Vol-users mailing list
> > [email protected]
> > http://lists.volatilesystems.com/mailman/listinfo/vol-users
> >

--
Thomas Chopitea
_______________________________________________ Vol-users mailing list [email protected] http://lists.volatilesystems.com/mailman/listinfo/vol-users
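The steps Michael walks through above (spot the REG_LINK on HKCU\Software\Classes, find the UsrClass.dat hive in hivelist, confirm its root key name matches the link target, then continue with printkey -o <offset> -K <subkey>) can be scripted against the plain-text output of the two plugins. The following is an added example, not code from the Volatility project or from either poster; it works purely on captured text so it runs offline without Volatility installed. The UsrClass.dat offset, the link target and its root key name are the ones shown in the thread; the other hivelist rows and offsets in the sample are constructed. ROOT_KEYS is assumed to hold, per hive, the "Key name" that `printkey -o <offset>` prints for that hive's root, and the resolver only handles `\Registry\User\...` links, where that root key name equals the last component of the link target as the thread shows.

```python
"""Continue a Volatility 2 registry traversal across a REG_LINK symbolic link.

Added example for the vol-users thread above; not Volatility project code.
Inputs are the text output of `volatility hivelist` and `volatility printkey`.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# One data row of `hivelist`: virtual offset, physical offset, hive name.
HIVELIST_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*)$")
# The link value printkey shows on a REG_LINK key.  The target may be
# wrapped onto the next line (as in the mail), which \s* tolerates.
SYMLINK_RE = re.compile(
    r"REG_LINK\s+SymbolicLinkValue\s*:\s*\(\w\)\s*(\\Registry\\\S+)")

_MACHINE_ROOTS = {"hklm", "hkey_local_machine"}
_USER_ROOTS = {"hkcu", "hkey_current_user"}


class Hive(NamedTuple):
    virtual: int
    physical: int
    name: str


def parse_hivelist(text: str) -> List[Hive]:
    """Parse `hivelist` output; header and separator lines are skipped."""
    hives = []
    for line in text.splitlines():
        m = HIVELIST_RE.match(line.strip())
        if m:
            hives.append(Hive(int(m.group(1), 16), int(m.group(2), 16),
                              m.group(3).strip()))
    return hives


def find_hives(hives: List[Hive], filename: str) -> List[Hive]:
    """Equivalent of `hivelist | grep -i <filename>` on the hive file name."""
    suffix = filename.lower()
    return [h for h in hives if h.name.lower().endswith(suffix)]


def symlink_target(printkey_output: str) -> Optional[str]:
    """Return the \\Registry\\... target if the printed key is a REG_LINK."""
    m = SYMLINK_RE.search(printkey_output)
    return m.group(1) if m else None


def split_link(target: str) -> Tuple[str, str]:
    """\\Registry\\User\\<root>[\\sub\\keys] -> (<root>, 'sub\\keys')."""
    parts = [p for p in target.split("\\") if p]
    if len(parts) < 3 or parts[0].lower() != "registry":
        raise ValueError("not a registry object path: %r" % target)
    return parts[2], "\\".join(parts[3:])


def resolve_link(target: str, hives: List[Hive],
                 root_keys: Dict[int, str]) -> Optional[Tuple[Hive, str]]:
    """Find the hive whose root key name (from `printkey -o`) is the link's
    hive component.  Returns (hive, remaining key path) or None."""
    root, rest = split_link(target)
    for hive in hives:
        if root_keys.get(hive.virtual, "").lower() == root.lower():
            return hive, rest
    return None


def printkey_args(target: str, subpath: str, hives: List[Hive],
                  root_keys: Dict[int, str]) -> Optional[str]:
    """Build the `-o <offset> -K <key>` arguments that continue below the link."""
    hit = resolve_link(target, hives, root_keys)
    if hit is None:
        return None
    hive, rest = hit
    key = "\\".join(p for p in (rest, subpath) if p)
    return f'-o {hive.virtual:#x} -K "{key}"'


def hive_relative_path(path: str) -> str:
    """Turn an HKLM/HKCU path into the key path `printkey -K` expects.
    HKLM\\SOFTWARE (and SYSTEM, SAM, SECURITY) is a hive whose root is the
    mount point itself, so both components go; NTUSER.DAT's root *is* HKCU,
    so only the root name is dropped."""
    parts = [p for p in path.split("\\") if p]
    if not parts:
        raise ValueError("empty registry path")
    root = parts[0].lower()
    if root in _MACHINE_ROOTS:
        return "\\".join(parts[2:])
    if root in _USER_ROOTS:
        return "\\".join(parts[1:])
    raise ValueError("unsupported root key: %r" % parts[0])


# Constructed sample: the UsrClass.dat row is the one from the thread, the
# other rows and their offsets are made up for the example.
SAMPLE_HIVELIST = r"""
Volatility Foundation Volatility Framework 2.5
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000024010 0x000000002d4a0010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a0000f5010 0x0000000019ac3010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001770010 0x0000000010b4f010 \??\C:\Users\user\ntuser.dat
0xfffff8a0017b0010 0x000000000db8b010 \??\C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
"""
# Constructed from the thread's `printkey -K "Software\\Classes"` output.
SAMPLE_PRINTKEY = r"""
Registry: \??\C:\Users\user\ntuser.dat
Key name: Classes (V)
Values:
REG_LINK      SymbolicLinkValue : (V) \Registry\User\S-1-5-21-928030315-4021721725-3028358750-1000_Classes
"""
# Assumed: root key names as printed by `printkey -o <offset>` (thread value).
ROOT_KEYS = {0xfffff8a0017b0010:
             "S-1-5-21-928030315-4021721725-3028358750-1000_Classes"}

if __name__ == "__main__":
    hives = parse_hivelist(SAMPLE_HIVELIST)
    target = symlink_target(SAMPLE_PRINTKEY)
    print("link ->", target)
    print("next:  volatility printkey",
          printkey_args(target, "Local Settings", hives, ROOT_KEYS))
    print("HKLM CLSIDs: printkey -K",
          '"%s"' % hive_relative_path(r"HKLM\SOFTWARE\Classes\CLSID"))
```

The resolver deliberately matches on the root key name rather than on the file name: hivelist shows one UsrClass.dat per profile, and only the `<SID>_Classes` root key ties a given NTUSER.DAT link to the right one. For HKLM paths, hive_relative_path encodes the point Michael makes about leaving off the "Software" prefix.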
