winreg.py

samba最新软件

#!/usr/bin/python

import sys, dcerpc

def test_OpenHKLM(pipe):

    r = {}
    r['unknown'] = {}
    r['unknown']['unknown0'] = 0x9038
    r['unknown']['unknown1'] = 0x0000
    r['access_required'] = 0x02000000

    result = dcerpc.winreg_OpenHKLM(pipe, r)

    return result['handle']

def test_QueryInfoKey(pipe, handle):

    r = {}
    r['handle'] = handle
    r['class'] = {}
    r['class']['name'] = None

    return dcerpc.winreg_QueryInfoKey(pipe, r)

def test_CloseKey(pipe, handle):

    r = {}
    r['handle'] = handle

    dcerpc.winreg_CloseKey(pipe, r)

def test_FlushKey(pipe, handle):

    r = {}
    r['handle'] = handle
    
    dcerpc.winreg_FlushKey(pipe, r)

def test_GetVersion(pipe, handle):

    r = {}
    r['handle'] = handle
    
    dcerpc.winreg_GetVersion(pipe, r)

def test_GetKeySecurity(pipe, handle):

    r = {}
    r['handle'] = handle
    r['unknown'] = 4
    r['size'] = None
    r['data'] = {}
    r['data']['max_len'] = 0
    r['data']['data'] = ''

    result = dcerpc.winreg_GetKeySecurity(pipe, r)

    print result

    if result['result'] == dcerpc.WERR_INSUFFICIENT_BUFFER:
        r['size'] = {}
        r['size']['max_len'] = result['data']['max_len']
        r['size']['offset'] = 0
        r['size']['len'] = result['data']['max_len']

        result = dcerpc.winreg_GetKeySecurity(pipe, r)

    print result

    sys.exit(1)
    
def test_Key(pipe, handle, name, depth = 0):

    # Don't descend too far.  Registries can be very deep.

    if depth > 2:
        return

    try:
        keyinfo = test_QueryInfoKey(pipe, handle)
    except dcerpc.WERROR, arg:
        if arg[0] == dcerpc.WERR_ACCESS_DENIED:
            return

    test_GetVersion(pipe, handle)

    test_FlushKey(pipe, handle)

    test_GetKeySecurity(pipe, handle)

    # Enumerate values in this key

    r = {}
    r['handle'] = handle
    r['name_in'] = {}
    r['name_in']['len'] = 0
    r['name_in']['max_len'] = (keyinfo['max_valnamelen'] + 1) * 2
    r['name_in']['buffer'] = {}
    r['name_in']['buffer']['max_len'] = keyinfo['max_valnamelen']  + 1
    r['name_in']['buffer']['offset'] = 0
    r['name_in']['buffer']['len'] = 0
    r['type'] = 0
    r['value_in'] = {}
    r['value_in']['max_len'] = keyinfo['max_valbufsize']
    r['value_in']['offset'] = 0
    r['value_in']['len'] = 0
    r['value_len1'] = keyinfo['max_valbufsize']
    r['value_len2'] = 0
    
    for i in range(0, keyinfo['num_values']):

        r['enum_index'] = i

        dcerpc.winreg_EnumValue(pipe, r)

    # Recursively test subkeys of this key

    r = {}
    r['handle'] = handle
    r['key_name_len'] = 0
    r['unknown'] = 0x0414
    r['in_name'] = {}
    r['in_name']['unknown'] = 0x20a
    r['in_name']['key_name'] = {}
    r['in_name']['key_name']['name'] = None
    r['class'] = {}
    r['class']['name'] = None
    r['last_changed_time'] = {}
    r['last_changed_time']['low'] = 0
    r['last_changed_time']['high'] = 0

    for i in range(0, keyinfo['num_subkeys']):

        r['enum_index'] = i

        subkey = dcerpc.winreg_EnumKey(pipe, r)

        s = {}
        s['handle'] = handle
        s['keyname'] = {}
        s['keyname']['name'] = subkey['out_name']['name']
        s['unknown'] = 0
        s['access_mask'] = 0x02000000

        result = dcerpc.winreg_OpenKey(pipe, s)

        test_Key(pipe, result['handle'], name + '/' + s['keyname']['name'],
                 depth + 1)

        test_CloseKey(pipe, result['handle'])

    # Enumerate values

def runtests(binding, domain, username, password):
    
    print 'Testing WINREG pipe'

    pipe = dcerpc.pipe_connect(binding,
            dcerpc.DCERPC_WINREG_UUID, dcerpc.DCERPC_WINREG_VERSION,
            domain, username, password)

    handle = test_OpenHKLM(pipe)

    test_Key(pipe, handle, 'HKLM')