[Vol-users] Volatile registry keys

Thomas Chopitea tomchop at gmail.com
Fri Mar 18 05:42:25 CDT 2016


Michael,

Thanks for all the tips. I made it work by querying "Classes\\CLSID"
directly. Didn't update this thread because I thought my email had bounced
(as had happened the last two times I posted here about exactly the same
subject).

I'll be making some updates on the autoruns plugin soon enough. :)

Cheers,

On Thu, Mar 17, 2016 at 5:30 PM, Michael Ligh <michael.ligh at mnin.org> wrote:

> Hi Thomas,
>
> Sorry for the delay...I just saw this come through. I ran a similar test:
>
> $ volatility printkey -K "Software\\Classes"
> Volatility Foundation Volatility Framework 2.5
> Legend: (S) = Stable   (V) = Volatile
>
> ----------------------------
> Registry: \??\C:\Users\user\ntuser.dat
> Key name: Classes (V)
> Last updated: 2016-03-10 20:19:33 UTC+0000
>
> Subkeys:
>
> Values:
> REG_LINK      SymbolicLinkValue : (V)
> \Registry\User\S-1-5-21-928030315-4021721725-3028358750-1000_Classes
> ----------------------------
> Registry: \SystemRoot\System32\Config\DEFAULT
> Key name: Classes (S)
> Last updated: 2009-07-14 04:48:57 UTC+0000
>
> Subkeys:
>   (S) Local Settings
>
> The SymbolicLinkValue is pointing to another hive it appears. For
> example if you use hivelist and look for the user's usrclass.dat:
>
> $ volatility hivelist | grep -i usrclass.dat
>
> 0xfffff8a0017b0010 0x000000000db8b010
> \??\C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
>
> Then you can print that hive and see its Key name is the same as the
> symbolic link above:
>
> $ volatility printkey -o 0xfffff8a0017b0010
> Volatility Foundation Volatility Framework 2.5
> Legend: (S) = Stable   (V) = Volatile
>
> ----------------------------
> Registry: \??\C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
> Key name: S-1-5-21-928030315-4021721725-3028358750-1000_Classes (S)
> Last updated: 2016-01-07 15:30:19 UTC+0000
>
> Subkeys:
>   (S) Local Settings
>
> So then you could traverse into there with -o 0xfffff8a0017b0010 -K
> "Local Settings".
>
> Also note that if you're looking for the local machine's CLSIDs, then
> you would leave off the "Software" prefix (since they're found in the
> SOFTWARE hive):
>
> $ volatility printkey -K "Classes\\CLSID"
> Volatility Foundation Volatility Framework 2.5
> Legend: (S) = Stable   (V) = Volatile
>
> ----------------------------
> Registry: \SystemRoot\System32\Config\SOFTWARE
> Key name: CLSID (S)
> Last updated: 2016-02-27 23:52:47 UTC+0000
>
> Subkeys:
>   (S) CLSID
>   (S) {0000002F-0000-0000-C000-000000000046}
>   (S) {00000300-0000-0000-C000-000000000046}
>   (S) {00000301-A8F2-4877-BA0A-FD2B6645FB94}
>   (S) {00000303-0000-0000-C000-000000000046}
>   (S) {00000304-0000-0000-C000-000000000046}
> [snip]
>
> The hive_name parameter to regapi is best described by looking at the
> set_current method:
>
>
> https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/registry/registryapi.py#L86
>
> It looks like you can access a particular user's ntuser.dat by just
> supplying user="username" instead of hive_name. Don't quote me on that,
> but it looks like that would work.
>
> Hope this helps!
> MHL
>
> On 2/26/16 7:01 AM, Thomas Chopitea wrote:
> > Dear vol-users,
> >
> > I'm trying to get data from a volatile registry key using
> > the regapi / rawreg classes in volatility.
> >
> > The key I'm looking for is under HKCU\Software\Classes\, and is called CLSID
> >
> > vol.py --plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns'
> > -f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K
> > "Software\\Classes\\CLSID"
> > Volatility Foundation Volatility Framework 2.4
> > Legend: (S) = Stable   (V) = Volatile
> >
> > The requested key could not be found in the hive(s) searched
> >
> > So I go up one level:
> >
> > vol.py --plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns'
> > -f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K
> > "Software\\Classes"
> > Volatility Foundation Volatility Framework 2.4
> > Legend: (S) = Stable   (V) = Volatile
> >
> > ----------------------------
> > Registry: \??\C:\Users\admin\ntuser.dat
> > Key name: Classes (V)
> > Last updated: 2015-04-11 18:04:18 UTC+0000
> >
> > Subkeys:
> >
> > Values:
> > REG_LINK      SymbolicLinkValue : (V)
> > \Registry\User\S-1-5-21-978483858-511166411-2750856381-1000_Classes
> > ----------------------------
> > Registry: \SystemRoot\System32\Config\DEFAULT
> > Key name: Classes (S)
> > Last updated: 2009-07-14 04:48:57 UTC+0000
> >
> > Subkeys:
> >   (S) Local Settings
> >
> > Values:
> >
> > How can I query this key and keep on drilling its subkeys?
> >
> > Also, my plugin is making extensive use of rawreg because I try to get
> > each individual NTUSER.dat hive, and I don't know which hive_name to
> > pass on to regapi. Should I use the full hive name, as
> > in self.hive_name(obj.Object("_CMHIVE", vm = addr_space, offset =
> > hive_offset)), or is there a better way of doing it?
> >
> > Any help is greatly appreciated. Have a great day!
> >
> > --
> > Thomas Chopitea
> >
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users at volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >
>
>


-- 
Thomas Chopitea
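As an added example (not code from this thread, and not Volatility's regapi or rawreg), the following stand-alone Python models the walk Michael describes: a volatile key whose only value is a REG_LINK SymbolicLinkValue is followed into the hive whose root key name equals the link target's last path component, which is how printkey -o 0xfffff8a0017b0010 landed on UsrClass.dat. The hive paths, the UsrClass.dat offset and the SID are copied from the thread's output; the root key names and offsets of ntuser.dat and SOFTWARE are constructed placeholders, and the Key/Hive/Registry classes are a model, not regapi objects. A plugin such as autoruns that stops at HKCU\Software\Classes without following the link will not see per-user CLSID registrations stored in UsrClass.dat, which is the forensic reason to resolve it.

```python
"""Model of following a volatile REG_LINK key into another loaded hive.

Added example; not Volatility code. Names marked "constructed" are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Key:
    name: str
    volatile: bool = False                         # (V) vs (S) in printkey's legend
    subkeys: Dict[str, "Key"] = field(default_factory=dict)  # lower-case name -> Key
    link: Optional[str] = None                     # SymbolicLinkValue data, if a REG_LINK

    def add(self, name: str, volatile: bool = False) -> "Key":
        # Registry names are case-insensitive: index lower-case, keep the display name.
        return self.subkeys.setdefault(name.lower(), Key(name, volatile))


@dataclass
class Hive:
    path: str      # file path as hivelist prints it
    offset: int    # virtual address as hivelist prints it (usable with printkey -o)
    root: Key


class Registry:
    def __init__(self, *hives: Hive) -> None:
        self.hives = list(hives)

    def hive_for_root(self, root_name: str) -> Optional[Hive]:
        """Find the loaded hive whose root key name matches a link target's last component."""
        for h in self.hives:
            if h.root.name.lower() == root_name.lower():
                return h
        return None

    def walk(self, hive: Hive, key_path: str, max_links: int = 8
             ) -> Optional[Tuple[Hive, Key, str]]:
        """Resolve key_path from hive.root, hopping hives at every REG_LINK.

        Returns (hive, key, path relative to that hive's root), or None if a
        component is missing ("The requested key could not be found").
        """
        parts = [p for p in key_path.split("\\") if p]
        key, rel, links = hive.root, [], 0
        while True:
            if key.link is not None:
                links += 1
                if links > max_links:
                    raise LookupError(f"link chain too long at {key.link}")
                # "\Registry\User\<SID>_Classes" -> ["", "Registry", "User", "<SID>_Classes"]
                tparts = key.link.split("\\")
                target = self.hive_for_root(tparts[3]) if len(tparts) > 3 else None
                if target is None:
                    raise LookupError(f"no loaded hive for {key.link}; check hivelist")
                hive, key, rel = target, target.root, []
                parts = tparts[4:] + parts      # rest of the link target, then the caller's path
                continue
            if not parts:
                return hive, key, "\\".join(rel)
            nxt = key.subkeys.get(parts.pop(0).lower())
            if nxt is None:
                return None
            key, rel = nxt, rel + [nxt.name]


def printkey(reg: Registry, hive: Hive, key_path: str) -> Optional[dict]:
    """printkey-like summary plus the -o/-K invocation that reaches the resolved key."""
    hit = reg.walk(hive, key_path)
    if hit is None:
        return None
    h, k, rel = hit
    cmd = f"volatility printkey -o {h.offset:#x}" + (f' -K "{rel}"' if rel else "")
    return {"registry": h.path, "key": k.name, "volatile": k.volatile,
            "subkeys": sorted(v.name for v in k.subkeys.values()), "command": cmd}


def build_sample() -> Tuple[Registry, Hive, Hive, Hive]:
    """Hives as seen in the thread; ntuser/SOFTWARE root names and offsets are constructed."""
    sid_classes = "S-1-5-21-928030315-4021721725-3028358750-1000_Classes"
    ntuser = Hive(r"\??\C:\Users\user\ntuser.dat", 0x0, Key("NTUSER root (constructed)"))
    classes = ntuser.root.add("Software").add("Classes", volatile=True)
    classes.link = "\\Registry\\User\\" + sid_classes          # the REG_LINK from printkey
    usrclass = Hive(r"\??\C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat",
                    0xfffff8a0017b0010, Key(sid_classes))
    usrclass.root.add("Local Settings")
    software = Hive(r"\SystemRoot\System32\Config\SOFTWARE", 0x0,
                    Key("SOFTWARE root (constructed)"))
    clsid = software.root.add("Classes").add("CLSID")
    for guid in ("{0000002F-0000-0000-C000-000000000046}",
                 "{00000300-0000-0000-C000-000000000046}"):
        clsid.add(guid)
    return Registry(ntuser, usrclass, software), ntuser, usrclass, software


if __name__ == "__main__":
    reg, ntuser, usrclass, software = build_sample()
    print(printkey(reg, ntuser, "Software\\Classes\\Local Settings"))
    print(printkey(reg, software, "Classes\\CLSID"))
```

The walk keeps a hop counter so a link that points back at itself cannot spin forever, and it raises rather than returning None when the link target names a hive that is not loaded, since "key not found" and "hive not in hivelist" call for different next steps when triaging an image.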