//===============================================
// RegHexDump Registry Scanner
// Written by: James Habben
// Version: 1.0
// Updated: 2014-12-10
// Based on: @patrickrolsen
// https://sysforensics.org/2015/04/your-registry-blobs-belong-to-me-reghexdump.html
//===============================================
include "EncaseNetworkFrameworkLib"
// Forward declaration: MainDialogClass below takes the scanner as its model object.
class RegHexDumpScanClass;
// Options dialog for the scanner. Its only control edits the size threshold
// (in bytes) above which a binary registry value is reported; the control is
// bound directly to n.ValueSize, so the scanner sees the edited value.
class MainDialogClass : NetworkDialogClass {
  UIntEditClass UntValueSize;

  // n: the scanner whose ValueSize field this dialog edits.
  // title: window title passed through to the framework dialog.
  // Control range is 0..-1 (i.e. no upper bound) with no additional flags.
  MainDialogClass (RegHexDumpScanClass n, const String &title) :
    super(n, title),
    UntValueSize(this, "Value Size Threshold", START, NEXT, 100, DEFAULT, 0, n.ValueSize, 0, -1, 0)
  {
  }
}
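// Network scanner that mounts the registry hives named in FileNames on every
// logical device of each node and hex-dumps every value that is (a) not a folder,
// (b) larger than ValueSize bytes and (c) described as "BINARY". It is a pure
// size heuristic: large binary values also occur legitimately, so console hits
// are leads for manual review, not verdicts.
class RegHexDumpScanClass : NetworkFrameworkClass {
  String         FileNames;   // comma-separated hive file names to mount
  NameListClass  FileList;    // FileNames split into a lookup list (see constructor)
  ItemCacheClass ItemCache;   // raw-file access to entries of a mounted hive
  CaseClass      C;
  uint           ValueSize;   // report threshold in bytes, edited via MainDialogClass;
                              // values must be strictly larger than this to be dumped

  // Parses the hive-name list, creates the item cache and attaches the dialog.
  // NOTE(review): FileNames has a space after each comma and Parse() is called
  // with "," only — confirm that Parse()/Find() tolerate the leading space,
  // otherwise only "system" would ever match and the other hives are silently skipped.
  RegHexDumpScanClass () :
    super("RegHexDump Scanner"),
    HelpText("Scan a network for the existance of registry blobs over a certain size"),
    FileNames("system, software, ntuser.dat"),
    FileList(),
    C()
  {
    FileList.Parse(FileNames, ",");
    ItemCache = new ItemCacheClass(C);
    Dialog = new MainDialogClass(this, "RegHexDump Scanner");
  }

  // Called by the framework once per node. Walks every non-physical device,
  // mounts each non-folder entry whose name is in FileList as a registry
  // volume, and dumps every value inside that passes the size/type filter.
  // All output goes to the console; nothing is written back to the case.
  virtual void ScanNode (ConnectionClass con, SnapshotClass snap, DeviceInfoClass devList) {
    Console.WriteLine("Scanning host: {0}", con.Name());
    foreach (DeviceInfoClass di in devList) {
      // Physical devices are skipped; only logical devices are walked.
      if (di.IsPhysical() == false) {
        forall (EntryClass entry in GetEntryRoot(di)) {
          if (entry.IsFolder() == false && FileList.Find(entry.Name())) {
            Console.WriteLine(" Mounting hive: {0}", entry.ItemPath());
            if (VolumeClass vol = entry.MountVolume(0)) {
              Console.WriteLine(" Done.");
              forall (EntryClass reg in vol) {
                // Filter: not a key/folder, strictly above the threshold, and a
                // binary-typed value (the mount's description carries the type).
                if (reg.IsFolder() == false && reg.LogicalSize() > ValueSize && reg.Description().Contains("BINARY")) {
                  DumpValue(reg);
                }
              }
            }
            else {
              // A hive that fails to mount is a coverage gap worth seeing in the log.
              Console.WriteLine(" Mount failed: {0}", entry.ItemPath());
            }
          }
        }
      }
    }
    Console.WriteLine("Host done: {0}", con.Name());
  }

  // Prints the value's path, its own size and a hex dump of its raw bytes,
  // 50 bytes per line, prefixed with "!!! " so hits are easy to grep in the console.
  void DumpValue (EntryClass reg) {
    // GetRawFile() may hand back null when the data is not readable; report and skip
    // instead of dereferencing it.
    if (FileClass file = ItemCache.GetRawFile(reg)) {
      file.Seek(0);
      Console.WriteLine("!!! Suspicious value found at:\n {0}", reg.ItemPath());
      // Report the value's actual size; the original printed the ValueSize threshold here,
      // which made every hit look the same size.
      Console.WriteLine("!!! Value size: {0}", reg.LogicalSize());
      while (file.More()) {
        Console.Write("!!! ");
        // Stop at end of data so the final line is not padded with phantom bytes
        // read past the end of the value.
        for (int i = 0; i < 50 && file.More(); ++i) {
          Console.Write("{0} ", String::FormatInt(file.ReadBinaryInt(1), int::HEX, 0, 2));
        }
        Console.WriteLine();
      }
      Console.WriteLine("!!! ======= end of data =======\n");
    }
    else {
      Console.WriteLine("!!! Could not read value data at:\n {0}", reg.ItemPath());
    }
  }
}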
// Script entry point: clears the console, collects options, runs the network scan.
class MainClass {
  void Main(CaseClass c) {
    // Start with an empty console so only this run's hits are visible.
    SystemClass::ClearConsole(1);

    RegHexDumpScanClass scan();

    // NOTE(review): the result of ShowDialog() is not checked, so a cancelled
    // dialog still proceeds to RunScan() — confirm what NetworkFrameworkClass::ShowDialog
    // returns before gating the scan on it.
    scan.ShowDialog();

    Console.WriteLine("Starting RegHexDump Registry Scan...");
    scan.RunScan();
    Console.WriteLine("Scan Finished.");
  }
}