msuhanov / yarp

Yet another registry parser
GNU General Public License v3.0

Does this work with exported registry (.reg) files? #7

Closed jt0dd closed 2 years ago

jt0dd commented 2 years ago

New to forensics, but we're thinking in order to pull registries from many machines for analysis, we would use PowerShell to run:

reg export HKLM hklm.reg

on every machine and then parse the exported hklm.reg file.

Seemed simple enough, so I tried using yarp to parse it like:

from yarp import *

# A primary file is specified here.
primary_path = './data/registry/hklm.reg'

# Open the primary file and each transaction log file discovered.
primary_file = open(primary_path, 'rb')

# Open the hive and recover it, if required.
hive = Registry.RegistryHive(primary_file)

and got this error:

---------------------------------------------------------------------------
BaseBlockException                        Traceback (most recent call last)
~\AppData\Local\Temp\ipykernel_28960\903824968.py in <module>
      9 
     10 # Open the hive and recover it, if required.
---> 11 hive = Registry.RegistryHive(primary_file)
     12 
     13 '''

~\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.7_qbz5n2kfra8p0\LocalCache\local-packages\Python37\site-packages\yarp\Registry.py in __init__(self, file_object, tolerate_minor_errors)
    205 
    206         def __init__(self, file_object, tolerate_minor_errors = True):
--> 207                 self.registry_file = RegistryFile.PrimaryFile(file_object, tolerate_minor_errors)
    208                 self.tolerate_minor_errors = tolerate_minor_errors
    209                 self.effective_slack = set()

~\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.7_qbz5n2kfra8p0\LocalCache\local-packages\Python37\site-packages\yarp\RegistryFile.py in __init__(self, file_object, tolerate_minor_errors)
   1107                 self.last_sequence_number = None
   1108 
-> 1109                 self.baseblock = BaseBlock(self.file_object)
   1110                 if not self.baseblock.is_primary_file:
   1111                         raise NotSupportedException('Invalid file type')

~\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.7_qbz5n2kfra8p0\LocalCache\local-packages\Python37\site-packages\yarp\RegistryFile.py in __init__(self, file_object, no_hive_bins)
    307                 signature = self.get_signature()
    308                 if signature != b'regf': # This is the only check possible before we validate the base block.
--> 309                         raise BaseBlockException('Invalid signature: {}'.format(signature))
    310 
    311                 # We have to trust these fields even if the base block is not valid. We can adjust these values later (according to the log file).

BaseBlockException: "Invalid signature: b'\\xff\\xfeW\\x00'"

Am I misusing the library?

msuhanov commented 2 years ago

Hello.

You are trying to use the library against a text file containing exported registry data. This is not supported.

And such text files do not contain deleted data, as well as some important metadata for allocated keys and values. For analysis, a better option is "reg save <hive> <file>" (see: https://dfir.ru/2020/10/03/exporting-registry-hives-from-a-live-system/).

jt0dd commented 2 years ago

Thanks, perfect!