RegParser (rp) is a python wrapper script for python-registry framework (@williballenthin [FireEye]). This command-line utility is designed to slightly extend and facilitate framework’s capabilities. In general it’s used to parse any offline windows registry hives during malware hunting or forensic investigations.
It comes with following major features:
- Search for a registry key, value name or value data patterns described by a comma separated: strings, regex strings or utf8 hex binary strings
- Search for value data by its size, specified by operators like range, equality or inequality
- Search for registry modified keys at given date and time, specified by regex string pattern or range, or inequality operators
- Query the registry keys or values (including partial wildcard support)
- Enumerate and display hidden keys and values
- Hash registry value content
- Detect hive type
- Export results to .REG format (Simplifies malware analysis/infection reproduction based on file-less registry load points)
- Export results to SQLite (Used by regparser for plugin’s baseline)
- Export results to CSV or stout
- Customize output data (21 different format fields)
- Easy plugin implementation and support with built in plugins like "autoruns", "services", "apt", "macro"
- Plugins baseline support
Note: More details in README.pdf
- Python 3.6.1 Framework
- Operating system: Windows, Linux, MacOS, Cygwin
pip install -U pip pip install -U -r requirements.txt
In proxy enabled environment: pip --proxy http://PROXY_IP:PORT install -U pip pip --proxy http://PROXY_IP:PORT install -U -r requirements.txt
REMARK: Regarding git configuration:
To add proxy support:
git config --global http.proxy http://proxyUsername:[email protected]:port
git config --global http.proxy http://proxy.server.com:port
To remove proxy support:
git config --global --unset http.proxy
git clone https://github.com/wit0k/regparser.git cd regparser python rp.py -h
cd %regparser_location% git pull
optional arguments:
-h, --help show this help message and exit
Script arguments:
-s INPUT_FOLDER, --source INPUT_FOLDER
File/Folder with offline registry hive(s) to parse
[raw or .zip format supported]
-r, --recursive Enables recursive search for --source folder
-c, --case-sensitive Enables case sensitive search (Default: case-
insensitive
-v, --verbose Sends verbose debug data to stdout (Used for
debugging)
Query arguments:
-qk QUERY_KEY, --query-key QUERY_KEY
Query given comma separated registry keys, example:
-qk "Software\Microsoft\Windows\CurrentVersion\Run"
(all registry values from queried key(s) would be
printed)
-qv QUERY_VALUE, --query-value QUERY_VALUE
Query given comma separated registry values, example:
-qv "Software\Microsoft\Windows\CurrentVersion\Run\ctf
mon.exe" (only the queried value would be printed)
-qs, --query-subkeys Display root sub keys of given registry hive (Default:
False)
Search arguments:
-tm KEY_MODIFIED, --time-modified-string KEY_MODIFIED
Comma separated regex date patterns: -tm "2014-09-04
09:50",”2013|2014” would search for all keys modified
in 2014-09-04 at 09:50 and on 2013 or 2014
-td KEY_MODIFIED_DT, --time-modified-datetime KEY_MODIFIED_DT
Comma separated Date time patterns:
[datetime]..[datetime] or [Operator][datetime], where
opertor is one of: ">", "<". Example: -td "2014-09-04
13:12:19..2014-09-04 13:12:25.703125",">2014-09-04"
-ks KEY_STRING, --key-string KEY_STRING
A string value, example: -ks "\Run" would search for
all keys having given string anywhere in their key
path string
-kr KEY_REGEX, --key-regex KEY_REGEX
A regex string, example: -kr "\\Run$" would search for
all keys which ends with "\Run" string
-kb KEY_BIN, --key-bin KEY_BIN
A binary value expressed in UTF8 escaped hex string,
example: -kb "\x5C\x52\x75\x6E" would search for all
keys having given sequence of bytes anywhere their key
path bytes
-vs VALUE_STRING, --value-string VALUE_STRING
A string value, example: -vs "ctfmon" would search for
all values having given string anywhere in their value
name
-vr VALUE_REGEX, --value-regex VALUE_REGEX
A regex string, example: -vr "ctfmon\.exe$" would
search for value name which ends with "ctfmon.exe"
string
-vb VALUE_BIN, --value-bin VALUE_BIN
A binary value expressed in UTF8 escaped hex string,
example: -vb "\x63\x74\x66\x6D\x6F\x6E" would search
for all values having given sequence of bytes anywhere
their name bytes
-ds DATA_STRING, --data-string DATA_STRING
A string value, example: -ds "CTF" would search for
all values having given string anywhere in their data
value
-dr DATA_REGEX, --data-regex DATA_REGEX
A regex string, example: -dr "^CTF" would search for
all values which starts with "CTF" string
-db DATA_BIN, --data-bin DATA_BIN
A binary value expressed in UTF8 escaped hex string,
example: -db "\x43\x54\x46" would search for all
values having given sequence of bytes anywhere their
data bytes
-dl DATA_SIZE, --data-size DATA_SIZE
Comma separated Data size patterns: [int]..[int] or
[Operator][int], where operator is one of: ">", "<" or
"=". Example: -dl "3000..3225","=3226"
Output arguments:
-b, --baseline-output
Output to SQLite3 format (Used for baseline)
-o OUTPUT_FILE, --output-file OUTPUT_FILE
Filepath to output file (Default: stdout)
-a, --output-format-all
Output all format fields [Time consuming task]
-e EXPORT_FOLDER, --export-registry-folder EXPORT_FOLDER
Folder path for exported .reg files
-E EXPORT_FILE, --export-registry-file EXPORT_FILE
File path for exported single .reg file
-f OUTPUT_FORMAT, --output-format OUTPUT_FORMAT
Format of output data: field,field,field
-d FIELD_DELIMITER, --output-delimiter FIELD_DELIMITER
Used to separate the output fields (Default: ","
Plugin arguments:
-p PLUGINS_TO_EXECUTE, --plugins PLUGINS_TO_EXECUTE
Specify plugins to run with their parameters:
["autoruns -d","services"
Following query would execute autoruns-like scan and enumerate services on all hives from the hives/ folder recursively. (Result would be printed into standard output)
rp.py -r -s hives -p autoruns,services
Following query would display immediate sub keys of every registry hive in “hives/ folder”. (This option ignores the output format specified by -f option)
rp.py -s hives -qs Output : hives/NTUSER.DAT,AppEvents hives/NTUSER.DAT,Console hives/NTUSER.DAT,Control Panel hives/NTUSER.DAT,Environment hives/NTUSER.DAT,Identities hives/NTUSER.DAT,Keyboard Layout hives/NTUSER.DAT,Printers hives/NTUSER.DAT,Software hives/NTUSER.DAT,UNICODE Program Groups hives/NTUSER.DAT,Windows 3.1 Migration Status
Following query looks for value named “StubPath” in every sub key of “…\Installed Components” key. (It demonstrates limited wildcard support)
rp.py -s hives/sys_SOFTWARE.tmp -qv "Microsoft\Active Setup\Installed Components\*\StubPath"
Output (Shortened):
sys_SOFTWARE.tmp,,CMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820},StubPath,C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
Following query looks for all keys which end on “\Run” or “\RunOnce” (It demonstrates the regex support)
rp.py -s hives/sys_SOFTWARE.tmp -kr "\\Run$","\\RunOnce$"
Output (Shortened):
sys_SOFTWARE.tmp,,CMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}\Classes\SDRun.AutoPlayHandler\shell\run,None,None
sys_SOFTWARE.tmp,,CMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}\Microsoft\Group Policy\Client\RunOnce,{ECDBB9F9-F918-4B9C-BCA5-BC7518869245},
sys_SOFTWARE.tmp,,CMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}\Microsoft\Windows\CurrentVersion\Run,IgfxTray,C:\Windows\system32\igfxtray.exe
sys_SOFTWARE.tmp,,CMI-CreateHive{199DAFC2-6F16-4946-BF90-5A3FC3A60902}\Wow6432Node\Microsoft\Windows\CurrentVersion\Run,IMSS,"C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe"
Following query demonstrates how to search for hidden value names containing a NULL byte (\x00). Thanks to -v option you may observe what’s the real binary search pattern. Additionally via -f option you may adjust the output format, this time we are especially interested in “value_name_unicode” so we can see the exact position of the NULL byte:
rp.py -v -s hives/NTUSER-Trojan.Poweliks.dat -vb "\x00" -f "key_path,value_name_unicode,value_content"
Output (Shortened):
PARSER Started: 2017-08-13 13:21:21
WARNING: Binary arguments (-kb, -vb, -db) do not support case insensitive mode. Enabling cases-sensitive mode...
Loading hives from: hives/NTUSER-Trojan.Poweliks.dat
Hives:
- hives/NTUSER-Trojan.Poweliks.dat
Parameters:
- Export to: None
- Case sensitive: True
Search entries:
- { VALUE | BIN | b'\x00\x00' }
Load hive: hives/NTUSER-Trojan.Poweliks.dat
$$$PROTO.HIV\Software\Microsoft\Windows\CurrentVersion\Run,b'\x00\x00a\x00',rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>…