import sys
from Registry import Registry
import re
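# The only argument is the hive file to scan. Fail with a usage line instead of
# an IndexError traceback when it is missing.
# NOTE(review): every path in `checks` starts with 'Software\...', i.e. it is
# written relative to the root of a user hive (NTUSER.DAT). Run against a
# SOFTWARE hive the same keys sit under 'Microsoft\...' and every check is
# silently skipped as "key not found" -- confirm the hive type before trusting
# an empty result.
if len(sys.argv) != 2:
    sys.stderr.write("usage: %s <hive file, e.g. NTUSER.DAT>\n" % sys.argv[0])
    sys.exit(2)
reg = Registry.Registry(sys.argv[1])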
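def check_reg(rpath, rkey, regex=None):
    """Print (and return) the values under *rpath* whose string matches *regex*.

    rpath: key path relative to the root of the open hive ``reg``.
    rkey:  ``"*"`` scans every RegSZ/RegExpandSZ value of the key; any other
           string names the single value to read.
    regex: pattern tested with ``re.search`` (unanchored: a bare substring
           match, so ``'com'`` also hits ``'common'``). ``None`` matches every
           candidate value.
    Returns a list of ``(rpath, value_name, value_string)`` tuples, one per
    value printed, so callers/tests can inspect hits without scraping stdout.

    A key or named value that does not exist in the hive is a normal state
    (most autostart keys are absent on a clean system), so it yields no
    output and an empty list rather than an exception.
    """
    try:
        key = reg.open(rpath)
    except Registry.RegistryKeyNotFoundException:
        return []

    if rkey == "*":
        # Only string-typed values can carry a command line; REG_BINARY and
        # friends are skipped rather than coerced.
        string_types = (Registry.RegSZ, Registry.RegExpandSZ)
        candidates = [(v.name(), v.value())
                      for v in key.values() if v.value_type() in string_types]
    else:
        try:
            value = key.value(rkey)
        except Registry.RegistryValueNotFoundException:
            return []
        candidates = [(value.name(), str(value.value()))]

    hits = []
    for name, text in candidates:
        # The regex is applied to both the wildcard and the named-value branch,
        # so a check such as AppInit_DLLs with regex '.' reports only a
        # non-empty value.
        if regex is not None and not re.search(regex, text):
            continue
        # Single-argument print() form: identical output under Python 2 and 3.
        print(rpath)
        print("%s: %s" % (name, text))
        print("")
        hits.append((rpath, name, text))
    return hits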
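# Pattern applied (re.search, unanchored) to every string value under the keys
# below. (?i) so that 'CMD.EXE' or 'Evil.Dll' are not missed by a case-sensitive
# match. It is still a bare substring test -- "common" or "combat" satisfy it --
# so hits are triage leads, not verdicts.
AUTOSTART_RE = '(?i)exe|dll|bat|pif|com|hta'

# Key paths are relative to the hive root and written for a user hive
# (NTUSER.DAT, hence the leading 'Software\').
# Raw strings are required: in a plain literal '\batfile' is a backspace followed
# by 'atfile', so the batfile handler check could never find its key and was
# silently skipped as "not found".
checks = [
    {'path': r'Software\Microsoft\Windows\CurrentVersion\RunServices', 'key': '*', 'regex': AUTOSTART_RE},
    {'path': r'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce', 'key': '*', 'regex': AUTOSTART_RE},
    {'path': r'Software\Microsoft\Windows\CurrentVersion\Run', 'key': '*', 'regex': AUTOSTART_RE},
    {'path': r'Software\Microsoft\Windows\CurrentVersion\RunOnce', 'key': '*', 'regex': AUTOSTART_RE},
    {'path': r'Software\Microsoft\Windows\CurrentVersion\RunOnceEx', 'key': '*', 'regex': AUTOSTART_RE},
    # File-type shell handlers: hijacking these runs the attacker's command
    # every time a file of that type is opened.
    {'path': r'Software\CLASSES\batfile\shell\open\command', 'key': '*', 'regex': AUTOSTART_RE},
    {'path': r'Software\CLASSES\comfile\shell\open\command', 'key': '*', 'regex': AUTOSTART_RE},
    # Was 'exe|dllfile', which is not a ProgID; presumably a file-wide
    # search-and-replace of 'exe' -> 'exe|dll' leaked into the path. Restored to
    # the exefile handler.
    {'path': r'Software\CLASSES\exefile\shell\open\command', 'key': '*', 'regex': AUTOSTART_RE},
    {'path': r'Software\CLASSES\htafile\Shell\Open\Command', 'key': '*', 'regex': AUTOSTART_RE},
    {'path': r'Software\CLASSES\piffile\shell\open\command', 'key': '*', 'regex': AUTOSTART_RE},
    {'path': r'SOFTWARE\Microsoft\Code Store Database\Distribution Units', 'key': '*', 'regex': AUTOSTART_RE},
    {'path': r'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders', 'key': '*', 'regex': AUTOSTART_RE},
    # AppInit_DLLs: any non-empty value is worth a look, hence '.' rather than
    # the extension list.
    {'path': r'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'key': 'AppInit_DLLs', 'regex': '.'},
]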
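# Run every check against the open hive. A corrupt or truncated key structure
# makes python-registry raise RegistryStructureDoesNotExist; a named value
# (AppInit_DLLs) that is not set raises RegistryValueNotFoundException. Neither
# should abort the whole scan, but an analyst must be able to tell "clean" from
# "could not read", so unreadable checks are reported on stderr instead of being
# dropped silently.
for check in checks:
    try:
        check_reg(check['path'], check['key'], check['regex'])
    except Registry.RegistryParse.RegistryStructureDoesNotExist as err:
        sys.stderr.write("skipped %s [%s]: unreadable key structure: %s\n"
                         % (check['path'], check['key'], err))
    except Registry.RegistryValueNotFoundException:
        # The named value is simply absent in this hive; nothing to report.
        pass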