keydet89 / RegRipper3.0


Getting error message "Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE" when using several RR 3.0 plugins that use the module "utf8_heavy.pl" #65

Closed CmdrBurrito closed 9 months ago

CmdrBurrito commented 9 months ago

Hi there, I'm getting the following error message when attempting to run any RegRipper 3.0 plugin which calls the following Perl module:

1) Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE/utf8_heavy.pl line 399.

Is this due to an error in the Perl module, a problem with the registry data that I'm feeding the RR 3.0 plugins that use the module, a bug in either the Perl module or RR 3.0 plugins that might need to be fixed, not a bug at all, or something else? Many thanks!

keydet89 commented 9 months ago

I have no idea how you're running it, sorry.

CmdrBurrito commented 9 months ago

Listed below are a bunch of example plugins that I've been running (using "rip.exe" on Windows) that have been returning the error listed above in their output. The specific plugin names are: shares, fileless, mspaper, internet_settings_cu and internet_explorer_cu. Please advise if any of what I've provided is unclear, or if you need any additional information, and I'll be happy to provide. Regards!


C:\keydet89\RegRipper3.0>rip.exe -r D:\Artifacts\RegFiles\SYSTEM -p shares
Launching shares v.20200525
shares v.20200525
(System) Get list of shares from System hive file

Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE/utf8_heavy.pl line 399.
subkey not found.


C:\keydet89\RegRipper3.0>rip.exe -r D:\Artifacts\RegFiles\SYSTEM -p fileless
Launching fileless v.20200525
fileless v.20200525
(All) Scans a hive file looking for fileless malware entries

Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE/utf8_heavy.pl line 399.


C:\keydet89\RegRipper3.0>rip.exe -r D:\Artifacts\RegFiles\SOFTWARE -p fileless
Launching fileless v.20200525
fileless v.20200525
(All) Scans a hive file looking for fileless malware entries

Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE/utf8_heavy.pl line 399.
**Possible fileless malware found.
Classes\Directory\background\shell\Powershell\command
LastWrite time: 2022-05-07 05:28:00Z
Value Name:
Data: powershell.exe -noexit -command Set-Location -literalPath '%V'

**Possible fileless malware found.
Classes\Directory\shell\Powershell\command
LastWrite time: 2022-05-07 05:28:00Z
Value Name:
Data: powershell.exe -noexit -command Set-Location -literalPath '%V'

**Possible fileless malware found.
Classes\Drive\shell\Powershell\command
LastWrite time: 2022-05-07 05:28:00Z
Value Name:
Data: powershell.exe -noexit -command Set-Location -literalPath '%V'

...

**Possible fileless malware found.
WOW6432Node\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
LastWrite time: 2023-07-03 23:47:32Z
Value Name: Path
Data: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe


C:\keydet89\RegRipper3.0>rip.exe -r D:\Artifacts\RegFiles\SECURITY -p fileless
Launching fileless v.20200525
fileless v.20200525
(All) Scans a hive file looking for fileless malware entries

Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE/utf8_heavy.pl line 399.


C:\keydet89\RegRipper3.0>rip.exe -r D:\Artifacts\RegFiles\SAM -p fileless
Launching fileless v.20200525
fileless v.20200525
(All) Scans a hive file looking for fileless malware entries

Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE/utf8_heavy.pl line 399.


C:\keydet89\RegRipper3.0>rip.exe -r D:\Artifacts\RegFiles\Users\EXAMPLE_USER\NTUSER.DAT -p mspaper
Launching mspaper v.20080324
mspaper v.20080324
(NTUSER.DAT) Gets images listed in user's MSPaper key

Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE/utf8_heavy.pl line 399.
SOFTWARE\Microsoft\MSPaper not found.
SOFTWARE\Microsoft\MSPaper not found.


C:\keydet89\RegRipper3.0>rip.exe -r D:\Artifacts\RegFiles\Users\EXAMPLE_USER\NTUSER.DAT -p internet_settings_cu
Launching internet_settings_cu v.20120528
internet_settings_cu v.20120528
(NTUSER.DAT) Get HKCU information on Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings
LastWrite Time Tue Sep 26 14:59:26 2023 (UTC)
Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE/utf8_heavy.pl line 399.
CertificateRevocation = true [1]
DisableCachingOfSSLPages = false [0]
EnableNegotiate = true [1]
IE5_UA_Backup_Flag = 5.0
MigrateProxy = true [1]
PrivacyAdvanced = true [1]
ProxyEnable = false [0]
SecureProtocols = 10240 [0x00002800]
User Agent = Mozilla/4.0 (compatible; MSIE 8.0; Win32)
WarnonZoneCrossing = false [0]
ZonesSecurityUpgrade = Mon Jul 3 22:53:20 2023 UTC

*Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0
LastWrite Time Tue Sep 26 14:59:26 2023 (UTC)

Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
LastWrite Time Tue Sep 26 14:59:25 2023 (UTC)
AppContainerContentLimit = 50
AppContainerTotalContentLimit = 1000
ContentLimit = 330
TotalContentLimit = 495
Version = 4

Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
LastWrite Time Tue Sep 26 14:59:25 2023 (UTC)
CacheLimit = 337920 KB
CachePrefix =
CacheVersion = 1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
LastWrite Time Tue Sep 26 14:59:25 2023 (UTC)
CacheLimit = 1 KB
CachePrefix = Cookie:
CacheVersion = 1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
LastWrite Time Tue Sep 26 14:59:25 2023 (UTC)
CacheLimit = 1 KB
CachePrefix = Visited:
CacheVersion = 1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
LastWrite Time Tue Sep 26 15:03:31 2023 (UTC)

Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012023092620230927
LastWrite Time Tue Sep 26 15:03:31 2023 (UTC)
CacheLimit = 1 KB
CacheOptions = 0xB
CachePath = C:\Users\EXAMPLE_USER\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012023092620230927
CachePrefix = :2023092620230927:
CacheRelativePath = Microsoft\Windows\History\History.IE5\MSHist012023092620230927
CacheRepair = 0x0

Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
LastWrite Time Tue Sep 26 14:59:26 2023 (UTC)
CacheLimit = 1 KB
CacheOptions = 0x0
CachePath = C:\Users\EXAMPLE_USER\AppData\Local\Microsoft\Feeds Cache
CachePrefix = feedplat:
CacheRelativePath = Microsoft\Feeds Cache
CacheRepair = 0x0

Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache
LastWrite Time Tue Sep 26 15:02:34 2023 (UTC)

Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache
LastWrite Time Tue Sep 26 15:02:34 2023 (UTC)

*Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
LastWrite Time Tue Sep 26 14:58:43 2023 (UTC)

Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
LastWrite Time Tue Sep 26 14:58:43 2023 (UTC)
ANALYST NOTE: No per-domain cookie decisions subkeys are present

*Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
LastWrite Time Tue Sep 26 14:59:25 2023 (UTC)

*Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
LastWrite Time Tue Sep 26 15:00:42 2023 (UTC)
(default) =
AutoDetect = 0
IntranetName = 1
ProxyByPass = 1
UNCAsIntranet = 1
-- 'ZoneMap' subkeys -- not parsed:
Domains Tue Sep 26 14:59:25 2023 UTC
ProtocolDefaults Tue Sep 26 14:59:25 2023 UTC
Ranges Tue Sep 26 14:59:25 2023 UTC

Subkeys not parsed in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

Cache                ---  Tue Sep 26 14:58:43 2023 UTC
Connections          ---  Tue Sep 26 14:59:19 2023 UTC
Http Filters         ---  Tue Sep 26 14:58:43 2023 UTC
Lockdown_Zones       ---  Tue Sep 26 14:59:25 2023 UTC
Passport             ---  Tue Sep 26 14:59:25 2023 UTC
Zones                ---  Tue Sep 26 14:59:25 2023 UTC

C:\keydet89\RegRipper3.0>rip.exe -r D:\Artifacts\RegFiles\Users\EXAMPLE_USER\NTUSER.DAT -p internet_explorer_cu
Launching internet_explorer_cu v.20120528
internet_explorer_cu v.20120528
(NTUSER.DAT) Get HKCU information on Internet Explorer

Software\Microsoft\Internet Explorer
LastWrite Time Tue Sep 26 16:26:56 2023 (UTC)
Download Directory = ''

Software\Microsoft\Internet Explorer\AutoComplete not found.
Software\Microsoft\Internet Explorer\AutoComplete not found.

Software\Microsoft\Internet Explorer\DOMStorage not found.
Software\Microsoft\Internet Explorer\DOMStorage not found.

Software\Microsoft\Internet Explorer\IETld
LastWrite Time Tue Sep 26 14:59:25 2023 (UTC)
Internet Explorer version = 0.0.0.0

Software\Microsoft\Internet Explorer\Main
LastWrite Time Tue Sep 26 15:03:31 2023 (UTC)
Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE/utf8_heavy.pl line 399.
Anchor Underline = yes
Cache_Update_Frequency = yes
Default_Page_URL = about:blank
Disable Script Debugger = yes
DisableFirstRunCustomize = 1
DisableScriptDebuggerIE = yes
Display Inline Images = yes
Do404Search = 1 [0x01000000]
Enable Browser Extensions = yes
Local Page = %11%\blank.htm
Play_Animations = yes
Play_Background_Sounds = yes
Save_Session_History_On_Exit = no
Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
Show_FullURL = no
Show_StatusBar = yes
Show_ToolBar = yes
Show_URLToolBar = yes
Show_URLinStatusBar = yes
Start Page = about:blank
UseClearType = no
Use_DlgBox_Colors = yes
XMLHTTP = true [1]
Software\Microsoft\Internet Explorer\Main\WindowsSearch not found.
Software\Microsoft\Internet Explorer\Main\WindowsSearch not found.

Software\Microsoft\Internet Explorer\Privacy not found (IE should use the default Privacy settings)
Software\Microsoft\Internet Explorer\Privacy not found.

Software\Microsoft\Internet Explorer\Recovery not found.
Software\Microsoft\Internet Explorer\Recovery not found.

Software\Microsoft\Internet Explorer\Suggested Sites
LastWrite Time Tue Sep 26 14:59:24 2023 (UTC)
LogFileFolder = C:\Users\EXAMPLE_USER\AppData\Local\Microsoft\Windows\INetCache\Low

keydet89 commented 9 months ago

A couple of things...

First, I'm not sure what to do with all of this output. I see some errors, and some messages that do not prevent the plugin from running, but I also see a great deal of valid output.

Second, I haven't touched RRv3.0 since August, 2020.

Third, I released RegRipper v.4.0 not long ago.

CmdrBurrito commented 9 months ago

OMG, there's a RegRipper 4.0 now! Wow, I actually had no idea, talk about being OBE! In that case, I'm going to upgrade immediately, and please ignore this. Many thanks!
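
The distinction drawn in the thread between messages that do not stop a plugin and valid output can be checked mechanically on a saved console capture. The following is an added example, not part of the thread and not RegRipper code: it splits a capture into per-plugin runs and separates Perl warning lines (including text fused onto the same line) from plugin output. The sample capture is constructed from lines quoted in this issue, and `triage` and `summarize` are hypothetical names.

```python
import re

# Constructed sample: console capture assembled from lines quoted in this issue.
SAMPLE = r"""C:\keydet89\RegRipper3.0>rip.exe -r D:\Artifacts\RegFiles\SYSTEM -p shares
Launching shares v.20200525
shares v.20200525
(System) Get list of shares from System hive file
Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE/utf8_heavy.pl line 399. subkey not found.
C:\keydet89\RegRipper3.0>rip.exe -r D:\Artifacts\RegFiles\SOFTWARE -p fileless
Launching fileless v.20200525
fileless v.20200525
(All) Scans a hive file looking for fileless malware entries
Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE/utf8_heavy.pl line 399.
**Possible fileless malware found.
Data: powershell.exe -noexit -command Set-Location -literalPath '%V'
"""

CMD = re.compile(r"rip(?:\.exe)?\s+-r\s+(\S+)\s+-p\s+(\S+)", re.I)
# Perl appends " at <file> line <N>." to a warning; anything after it on the
# same line is plugin output that the capture ran together with the warning.
WARN = re.compile(r"^(.+?) at (\S+) line (\d+)\.\s*(.*)$")

def triage(capture):
    runs, cur, banner = [], None, 0
    for line in (l.strip() for l in capture.splitlines()):
        cmd = CMD.search(line)
        if cmd:
            cur = {"hive": cmd.group(1).rsplit("\\", 1)[-1], "plugin": cmd.group(2),
                   "warnings": [], "output": []}
            runs.append(cur)
            banner = 3  # skip the "Launching", version and description lines
            continue
        if cur is None or not line:
            continue
        w = WARN.match(line)
        if w:
            cur["warnings"].append((w.group(2), int(w.group(3)), w.group(1)))
            line = w.group(4)  # keep any output fused after the warning
        elif banner:
            banner -= 1
            continue
        if line:
            cur["output"].append(line)
    return runs

# One row per run: (plugin, hive, warning count, "no data" or "output").
def summarize(runs):
    return [(r["plugin"], r["hive"], len(r["warnings"]),
             "no data" if all(o.endswith("not found.") for o in r["output"]) else "output")
            for r in runs]
```

Running `summarize(triage(SAMPLE))` gives one row per plugin run, so it is easy to see whether the same warning site appears both in runs that returned data and in runs that did not.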