malwarelab / malwarecookbook

Automatically exported from code.google.com/p/malwarecookbook

problem with pendingdelete.pl #4

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. "perl rip.pl -r SYSTEM -p pendingdelete"

*****

What is the expected output? What do you see instead?

expected output as described in malware cookbook

received the following error:
-----------------------
Launching pendingdelete v.20100809
PendingFileRenameOperations
ControlSet001\Control\Session Manager
LastWrite Time Mon Jul 12 13:16:21 2010 (UTC)

Error in plugins/pendingdelete.pl: Can't call method "get_data" on an undefined value at plugins/pendingdelete.pl line 38.
-----------------------

*****

What version of the product are you using? On what operating system?

using current version, on Ubuntu 10.04.  Error replicates both from Linux CLI 
and wine cmd CLI using "perl rip.pl" and "rip.exe"

*****

Please provide any additional information below.

Disclaimer: I am not a Perl coder, but can usually figure out how to make it 
work.  I have performed a line by line comparison between the file I have (from 
the book DVD) and the one in this repository.  They are the same.  This leads 
me to believe the problem may be a missing Perl module or a configuration 
problem on my end, but all the other RegRipper plugins and Perl scripts from 
recipe 10-8 are working as expected.  Looking at the code from the 
Parse::Win32Registry module in CPAN, I can't see why pendingdelete is not 
working and the others are.  Any help would be appreciated!  GREAT JOB on the 
book, BTW.  MUCH needed resource!

Original issue reported on code.google.com by toharperjr@gmail.com on 9 Jan 2011 at 4:51

GoogleCodeExporter commented 9 years ago
Based on the "Can't call method get_data" error, it seems like this line is 
causing a problem:

my $data = $key->get_value("PendingFileRenameOperations")->get_data();

So the call to get_value("PendingFileRenameOperations") is failing, which 
usually only happens if the key doesn't exist in the hive. 

I haven't seen a system where the PendingFileRenameOperations key didn't exist 
(or existed in a different location), but I guess it's possible. If you have 
access to the machine from which you gathered the SYSTEM file, can you check if 
PendingFileRenameOperations exists (using regedit or something)?

Original comment by michael.hale@gmail.com on 10 Jan 2011 at 6:01

GoogleCodeExporter commented 9 years ago
Parse with reglookup and grep for "filerename" yields the following:

/ControlSet001/Control/BackupRestore/KeysNotToRestore/Pending Rename Operations,MULTI_SZ,CurrentControlSet\x5CControl\x5CSession Manager\x5CPendingFileRenameOperations,
/ControlSet001/Control/BackupRestore/KeysNotToRestore/Pending Rename Operations2,MULTI_SZ,CurrentControlSet\x5CControl\x5CSession Manager\x5CPendingFileRenameOperations2,
/ControlSet001/Control/Session Manager/FileRenameOperations,KEY,,2006-11-02 12:49:55
/ControlSet002/Control/BackupRestore/KeysNotToRestore/Pending Rename Operations,MULTI_SZ,CurrentControlSet\x5CControl\x5CSession Manager\x5CPendingFileRenameOperations,
/ControlSet002/Control/BackupRestore/KeysNotToRestore/Pending Rename Operations2,MULTI_SZ,CurrentControlSet\x5CControl\x5CSession Manager\x5CPendingFileRenameOperations2,
/ControlSet002/Control/Session Manager/FileRenameOperations,KEY,,2006-11-02 12:49:55

so evidently the key was there at one time?

Original comment by toharperjr@gmail.com on 10 Jan 2011 at 8:32

GoogleCodeExporter commented 9 years ago
Ah, okay. What version of Windows is your registry hive from? 

It looks like the key name on your system is FileRenameOperations instead of 
PendingFileRenameOperations. If you change the key name in pendingdelete.pl, do 
you see results then? 

I CC'ed Harlan, author of the upcoming Registry Forensics book, to see if he 
has any insights as to why/when the key name changed. 

Original comment by michael.hale@gmail.com on 11 Jan 2011 at 2:08

GoogleCodeExporter commented 9 years ago
Hive is from the following system:

CurrentVersion : 6.0
  CurrentBuildNumber : 6002
  CurrentBuild : 6002
  CSDBuildNumber : 1621
  SoftwareType : System
  SystemRoot : C:\Windows
  EditionID : Enterprise
  PathName : C:\Windows
  CSDVersion : Service Pack 2
  RegisteredOwner : Authorised User
  CurrentType : Multiprocessor Free
  ProductName : Windows Vista (TM) Enterprise
  BuildLab : 6002.vistasp2_gdr.100218-0019
  InstallDate : Mon Mar  9 18:28:10 2009 (UTC)
  BuildGUID : a88c5de1-11b5-4a92-b4bd-b045f921b4f7
  BuildLabEx : 6002.18209.x86fre.vistasp2_gdr.100218-0019

Thanks again for taking a look at this!  I actually spoke to Harlan a few
weeks ago about this exam and he recommended getting the cookbook.

Original comment by toharperjr@gmail.com on 11 Jan 2011 at 2:35

GoogleCodeExporter commented 9 years ago
Oh, I see the problem. I'll have a fix committed tomorrow. 

Original comment by michael.hale@gmail.com on 11 Jan 2011 at 4:57

GoogleCodeExporter commented 9 years ago
Very Cool....Thanks!

Original comment by toharperjr@gmail.com on 11 Jan 2011 at 5:09

GoogleCodeExporter commented 9 years ago
Actually, I think the problem is that the hive you're using is from a system 
that has never had a pending delete before. In this case, the 
PendingFileRenameOperations value doesn't exist in the Session Manager key. 

So two things:

1) I updated pendingdelete.pl to alert you if the PendingFileRenameOperations 
value doesn't exist (instead of causing an error)

2) If you want to test this, you'll first need to use a tool like MoveFile.exe 
from SysInternals (http://technet.microsoft.com/en-us/sysinternals/bb897556) in 
order to delete something. The first time you use the tool, the 
PendingFileRenameOperations value will get created. 

Original comment by michael.hale@gmail.com on 11 Jan 2011 at 5:36
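The failure discussed in this thread is the unguarded `get_value(...)->get_data()` call: Parse::Win32Registry returns `undef` from `get_value` when the value is absent, and a hive from a machine that has never queued a delete or rename simply has no PendingFileRenameOperations value. The stand-alone script below is an added example, not the cookbook's pendingdelete.pl and not the fix committed in this issue. It reads a SYSTEM hive, resolves the current ControlSet from Select\Current, checks every lookup before dereferencing it, and decodes the REG_MULTI_SZ value into source/destination pairs (an empty destination means delete; a leading "!" on the destination means overwrite). It assumes the Parse::Win32Registry methods `get_root_key`, `get_subkey`, `get_value`, `get_data`, `get_raw_data` and `get_timestamp_as_string`, and the documented on-disk layout of PendingFileRenameOperations (UTF-16LE strings, each NUL-terminated, list ended by an extra NUL); the ControlSet fallback and the pair decoding go beyond what the comment above describes.

```perl
#!/usr/bin/perl
# Added example (not the cookbook's pendingdelete.pl): read a SYSTEM hive with
# Parse::Win32Registry and report PendingFileRenameOperations without dying
# when the key or the value is absent.
use strict;
use warnings;
use Encode qw(decode);
use Parse::Win32Registry;

my $hive = shift @ARGV or die "usage: $0 SYSTEM_HIVE\n";

my $reg = Parse::Win32Registry->new($hive)
    or die "Cannot open $hive as a registry hive\n";
my $root = $reg->get_root_key
    or die "Cannot read the root key of $hive\n";

# Pick the ControlSet that Windows marks as current; fall back to ControlSet001
# if the Select key or its Current value is missing.
my $ccs = "ControlSet001";
if (my $select = $root->get_subkey("Select")) {
    if (my $cur = $select->get_value("Current")) {
        $ccs = sprintf("ControlSet%03d", $cur->get_data);
    }
}

my $path = "$ccs\\Control\\Session Manager";
my $key = $root->get_subkey($path);
unless (defined $key) {
    print "$path key not found in hive\n";
    exit 0;
}
printf "%s\nLastWrite Time %s\n", $path, $key->get_timestamp_as_string;

# This is the check the failing line lacked: get_value returns undef when the
# value does not exist, so test it before calling any method on it.
my $value = $key->get_value("PendingFileRenameOperations");
unless (defined $value) {
    print "PendingFileRenameOperations value not found: no pending delete or "
        . "rename has been recorded on this system\n";
    exit 0;
}

my @ops = parse_pending_ops($value->get_raw_data);
if (!@ops) {
    print "PendingFileRenameOperations is present but lists no operations\n";
} else {
    for my $op (@ops) {
        my ($src, $dst) = @$op;
        if (!defined $dst) {
            printf "  UNKNOWN %s (no destination entry recorded)\n", $src;
        } elsif ($dst eq "") {
            printf "  DELETE  %s\n", $src;
        } else {
            printf "  RENAME  %s -> %s\n", $src, $dst;
        }
    }
}

# Decode the raw REG_MULTI_SZ blob into (source, destination) pairs.
# On-disk layout (assumed, as documented for MULTI_SZ): UTF-16LE strings, each
# terminated by a NUL, with an extra NUL closing the list. Entries come in
# pairs; the destination is empty for a delete.
sub parse_pending_ops {
    my ($raw) = @_;
    return () unless defined $raw && length $raw;
    my $text = decode("UTF-16LE", $raw);
    my @strings = $text =~ /(.*?)\0/gs;       # one match per NUL-terminated string
    pop @strings if @strings && $strings[-1] eq "";   # drop the list terminator
    my @ops;
    while (@strings) {
        my $src = shift @strings;
        my $dst = @strings ? shift @strings : undef;
        next if $src eq "" && !defined $dst;  # empty value, nothing queued
        push @ops, [$src, $dst];
    }
    return @ops;
}
```

Run it as `perl pending_ops.pl SYSTEM` against an exported hive. Decoding from `get_raw_data` rather than relying on `get_data` in list context keeps the empty destination strings, which is what distinguishes a queued delete from a queued rename.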

GoogleCodeExporter commented 9 years ago
Absolutely Fabulous.

Original comment by toharperjr@gmail.com on 11 Jan 2011 at 4:26