def set_value(self, key, subkey, value):
    """Write *value* as the (default) REG_SZ value of *subkey* under *key*.

    ``winreg.SetValue`` only accepts REG_SZ, so the type is fixed here.
    On a WindowsError a diagnostic is printed and ``self.no_restore`` is
    set to True (presumably telling a later restore step that nothing was
    written -- confirm against the caller); the function then returns None.
    """
    result = None
    try:
        result = winreg.SetValue(key, subkey, winreg.REG_SZ, value)
    except WindowsError:
        # The exception object itself is not reported, only a fixed message.
        print("Error al crear un valor")
        self.no_restore = True
    return result
def create_value(self, key, value_name, value):
    """Create the REG_SZ value *value_name* = *value* under the open *key*.

    Intended for values that do not exist yet, so the instance can track
    what it created: ``self.no_restore`` is cleared before the write and
    set back to True if the write raises a WindowsError. Returns the result
    of ``SetValueEx`` on success, None on failure.
    """
    self.no_restore = False
    result = None
    try:
        result = winreg.SetValueEx(key, value_name, 0, winreg.REG_SZ, value)
    except WindowsError:
        # Only a fixed message is printed; the error detail is dropped.
        print("Error al crear clave")
        self.no_restore = True
    return result
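def add(name, application):
    """Add a new autostart entry.

    Writes *application* as a REG_SZ value called *name* into the key
    returned by ``get_runonce()``. The key handle is now closed in a
    ``finally`` so it is not leaked when ``SetValueEx`` raises.
    """
    key = get_runonce()
    try:
        _winreg.SetValueEx(key, name, 0, _winreg.REG_SZ, application)
    finally:
        _winreg.CloseKey(key)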
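def add(name, application):
    """Add a new autostart entry.

    Writes *application* as a REG_SZ value called *name* into the key
    returned by ``get_runonce()``. The key handle is now closed in a
    ``finally`` so it is not leaked when ``SetValueEx`` raises.
    """
    key = get_runonce()
    try:
        _winreg.SetValueEx(key, name, 0, _winreg.REG_SZ, application)
    finally:
        _winreg.CloseKey(key)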
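def RegisterAddin(klass):
    """Register *klass* as an Excel COM add-in for the current user.

    Creates ``HKCU\\Software\\Microsoft\\Office\\Excel\\Addins\\<progid>``
    (progid taken from ``klass._reg_progid_``) and writes the standard
    add-in values. Both key handles are closed even if a write fails,
    which the original did not do.
    """
    import _winreg
    key = _winreg.CreateKey(_winreg.HKEY_CURRENT_USER, "Software\\Microsoft\\Office\\Excel\\Addins")
    try:
        subkey = _winreg.CreateKey(key, klass._reg_progid_)
        try:
            _winreg.SetValueEx(subkey, "CommandLineSafe", 0, _winreg.REG_DWORD, 0)
            # LoadBehavior 3 is the Office convention for "load at startup".
            _winreg.SetValueEx(subkey, "LoadBehavior", 0, _winreg.REG_DWORD, 3)
            _winreg.SetValueEx(subkey, "Description", 0, _winreg.REG_SZ, "Excel Addin")
            _winreg.SetValueEx(subkey, "FriendlyName", 0, _winreg.REG_SZ, "A Simple Excel Addin")
        finally:
            _winreg.CloseKey(subkey)
    finally:
        _winreg.CloseKey(key)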
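def RegisterAddin(klass):
    """Register *klass* as an Outlook COM add-in for the current user.

    Creates ``HKCU\\Software\\Microsoft\\Office\\Outlook\\Addins\\<progid>``
    (progid taken from ``klass._reg_progid_``) and writes the standard
    add-in values; Description and FriendlyName are the progid itself.
    Both key handles are closed even if a write fails, which the original
    did not do.
    """
    import _winreg
    key = _winreg.CreateKey(_winreg.HKEY_CURRENT_USER, "Software\\Microsoft\\Office\\Outlook\\Addins")
    try:
        subkey = _winreg.CreateKey(key, klass._reg_progid_)
        try:
            _winreg.SetValueEx(subkey, "CommandLineSafe", 0, _winreg.REG_DWORD, 0)
            # LoadBehavior 3 is the Office convention for "load at startup".
            _winreg.SetValueEx(subkey, "LoadBehavior", 0, _winreg.REG_DWORD, 3)
            _winreg.SetValueEx(subkey, "Description", 0, _winreg.REG_SZ, klass._reg_progid_)
            _winreg.SetValueEx(subkey, "FriendlyName", 0, _winreg.REG_SZ, klass._reg_progid_)
        finally:
            _winreg.CloseKey(subkey)
    finally:
        _winreg.CloseKey(key)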
def __add_to_startup_programs(self):
    '''
    @summary: Adds Crypter to the list of Windows startup programs
    @todo: Code and test
    @todo: Restore try and except catch

    Review notes: writes ``sys.executable`` as a REG_SZ value named
    "Crypter" under ``self.STARTUP_REGISTRY_LOCATION`` in HKCU, creating
    the key if needed. Every WindowsError is swallowed, so a failed write
    is invisible to the caller, and ``CloseKey`` is not in a ``finally``,
    so the handle leaks if ``SetValueEx`` raises. For defenders, this is a
    per-user autostart registry write -- exactly the kind of event that
    registry value-set auditing records.
    '''
    try:
        reg = _winreg.CreateKeyEx(_winreg.HKEY_CURRENT_USER, self.STARTUP_REGISTRY_LOCATION)
        _winreg.SetValueEx(reg, "Crypter", 0, _winreg.REG_SZ, sys.executable)
        _winreg.CloseKey(reg)
    except WindowsError:
        # Silently ignored; see the @todo above.
        pass
def test_type_map_values(self):
    """types_map values must be byte strings even when the registry hands
    back unicode: QueryValueEx is mocked to return u'text/plain'."""
    import _winreg

    def fake_query_value_ex(subkey, label):
        return (u'text/plain', _winreg.REG_SZ)

    class MockWinreg(object):
        # Everything except QueryValueEx is forwarded to the real module.
        def __getattr__(self, name):
            if name != 'QueryValueEx':
                return getattr(_winreg, name)
            return fake_query_value_ex

    mimetypes._winreg = MockWinreg()
    try:
        mimetypes.init()
        first_type = mimetypes.types_map.values()[0]
        self.assertTrue(isinstance(first_type, str))
    finally:
        # Put the real module back so other tests are unaffected.
        mimetypes._winreg = _winreg
def test_type_map_values(self):
    """types_map values must be byte strings even when the registry hands
    back unicode: QueryValueEx is mocked to return u'text/plain'."""
    import _winreg

    def fake_query_value_ex(subkey, label):
        return (u'text/plain', _winreg.REG_SZ)

    class MockWinreg(object):
        # Everything except QueryValueEx is forwarded to the real module.
        def __getattr__(self, name):
            if name != 'QueryValueEx':
                return getattr(_winreg, name)
            return fake_query_value_ex

    mimetypes._winreg = MockWinreg()
    try:
        mimetypes.init()
        first_type = mimetypes.types_map.values()[0]
        self.assertTrue(isinstance(first_type, str))
    finally:
        # Put the real module back so other tests are unaffected.
        mimetypes._winreg = _winreg
def install(self):
    """Copy the driver binary, register it as a service, load it, then
    remove the registry entries again.

    The service values are written through ``self.set_regkey``. Start=3,
    Type=1 and ErrorControl=1 follow the Windows service registry schema
    (demand start, kernel driver, normal error handling -- confirm against
    the driver's intended configuration). ``del_regkeys`` runs after
    ``load_driver``, so the entries do not stay behind once loaded.
    """
    self.copy_driver()
    image_path = "\\SystemRoot\\system32\\drivers\\%s.sys" % self.install_name
    service_values = (
        ("ImagePath", _winreg.REG_SZ, image_path),
        ("Start", _winreg.REG_DWORD, 3),
        ("Type", _winreg.REG_DWORD, 1),
        ("ErrorControl", _winreg.REG_DWORD, 1),
    )
    for value_name, value_type, value in service_values:
        self.set_regkey(value_name, value_type, value)
    self.load_driver()
    self.del_regkeys()
def change_productid(self):
    """Randomizes Windows ProductId.

    The Windows ProductId is occasionally used by malware to detect
    public setups of Cuckoo, e.g., Malwr.com. A fresh 5-3-7-5 digit
    group value is written as REG_SZ under HKLM\\SOFTWARE\\Microsoft\\
    Windows NT\\CurrentVersion.
    """
    groups = [random_integer(width) for width in (5, 3, 7, 5)]
    product_id = "%s-%s-%s-%s" % tuple(groups)
    set_regkey(
        HKEY_LOCAL_MACHINE,
        "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
        "ProductId",
        REG_SZ,
        product_id,
    )
def patch_bios(self):
    """Overwrite the system and video BIOS date/version strings under
    HKLM\\HARDWARE\\DESCRIPTION\\System with random picks from the
    class-level candidate lists. The *Version values are REG_MULTI_SZ,
    the *Date values REG_SZ, matching how Windows stores them."""
    system_key = "HARDWARE\\DESCRIPTION\\System"
    patches = (
        ("SystemBiosDate", REG_SZ, self.SYSTEM_BIOS_DATES),
        ("SystemBiosVersion", REG_MULTI_SZ, self.SYSTEM_BIOS_VERSIONS),
        ("VideoBiosDate", REG_SZ, self.VIDEO_BIOS_DATES),
        ("VideoBiosVersion", REG_MULTI_SZ, self.VIDEO_BIOS_VERSIONS),
    )
    for value_name, value_type, candidates in patches:
        set_regkey(HKEY_LOCAL_MACHINE, system_key, value_name, value_type,
                   random.choice(candidates))
def patch_processor(self):
    """Rewrite ProcessorNameString for CPU indices 0..31 so that the QEMU
    CPU model name reads as a physical Intel CPU.

    Indices whose value is missing (``query_value`` returns None) are
    skipped; the others are re-written as REG_SZ even if no substitution
    occurred.
    """
    replacements = {
        "QEMU Virtual CPU version 2.0.0": "Intel(R) Core(TM) i7 CPU @3GHz",
    }
    cpu_key_fmt = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\%d"
    for idx in range(32):
        cpu_key = cpu_key_fmt % idx
        name = query_value(HKEY_LOCAL_MACHINE, cpu_key, "ProcessorNameString")
        if name is None:
            continue
        for needle, replacement in replacements.items():
            name = name.replace(needle, replacement)
        set_regkey(HKEY_LOCAL_MACHINE, cpu_key, "ProcessorNameString", REG_SZ, name)
def patch_manufacturer(self):
    """Randomize BIOS version/date and system manufacturer/product name
    under HKLM\\SYSTEM\\ControlSet001\\Control\\SystemInformation, using
    the class-level candidate lists. Only ControlSet001 is touched."""
    sysinfo_key = "SYSTEM\\ControlSet001\\Control\\SystemInformation"
    patches = (
        ("BIOSVersion", self.BIOS_VERSIONS),
        ("BIOSReleaseDate", self.SYSTEM_BIOS_DATES),
        ("SystemManufacturer", self.SYSTEM_MANUFACTURERS),
        ("SystemProductName", self.SYSTEM_PRODUCTNAMES),
    )
    for value_name, candidates in patches:
        set_regkey(HKEY_LOCAL_MACHINE, sysinfo_key, value_name, REG_SZ,
                   random.choice(candidates))
def patch_hdd_path(self):
    """Replace the first disk enumeration entry ("0") under
    HKLM\\SYSTEM\\ControlSet001\\Services\\Disk\\Enum with a random
    path from ``self.HDD_PATHS``."""
    disk_enum_key = "SYSTEM\\ControlSet001\\Services\\Disk\\Enum"
    hdd_path = random.choice(self.HDD_PATHS)
    set_regkey(HKEY_LOCAL_MACHINE, disk_enum_key, "0", REG_SZ, hdd_path)
def change_productid(self):
    """Randomizes Windows ProductId.

    The Windows ProductId is occasionally used by malware to detect
    public setups of Cuckoo, e.g., Malwr.com. A fresh 5-3-7-5 digit
    group value is written as REG_SZ under HKLM\\SOFTWARE\\Microsoft\\
    Windows NT\\CurrentVersion.
    """
    groups = [random_integer(width) for width in (5, 3, 7, 5)]
    product_id = "%s-%s-%s-%s" % tuple(groups)
    set_regkey(
        HKEY_LOCAL_MACHINE,
        "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
        "ProductId",
        REG_SZ,
        product_id,
    )
def patch_bios(self):
    """Overwrite the system and video BIOS date/version strings under
    HKLM\\HARDWARE\\DESCRIPTION\\System with random picks from the
    class-level candidate lists. The *Version values are REG_MULTI_SZ,
    the *Date values REG_SZ, matching how Windows stores them."""
    system_key = "HARDWARE\\DESCRIPTION\\System"
    patches = (
        ("SystemBiosDate", REG_SZ, self.SYSTEM_BIOS_DATES),
        ("SystemBiosVersion", REG_MULTI_SZ, self.SYSTEM_BIOS_VERSIONS),
        ("VideoBiosDate", REG_SZ, self.VIDEO_BIOS_DATES),
        ("VideoBiosVersion", REG_MULTI_SZ, self.VIDEO_BIOS_VERSIONS),
    )
    for value_name, value_type, candidates in patches:
        set_regkey(HKEY_LOCAL_MACHINE, system_key, value_name, value_type,
                   random.choice(candidates))
def patch_processor(self):
    """Rewrite ProcessorNameString for CPU indices 0..31 so that the QEMU
    CPU model name reads as a physical Intel CPU.

    Indices whose value is missing (``query_value`` returns None) are
    skipped; the others are re-written as REG_SZ even if no substitution
    occurred.
    """
    replacements = {
        "QEMU Virtual CPU version 2.0.0": "Intel(R) Core(TM) i7 CPU @3GHz",
    }
    cpu_key_fmt = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\%d"
    for idx in range(32):
        cpu_key = cpu_key_fmt % idx
        name = query_value(HKEY_LOCAL_MACHINE, cpu_key, "ProcessorNameString")
        if name is None:
            continue
        for needle, replacement in replacements.items():
            name = name.replace(needle, replacement)
        set_regkey(HKEY_LOCAL_MACHINE, cpu_key, "ProcessorNameString", REG_SZ, name)
def patch_manufacturer(self):
    """Randomize BIOS version/date and system manufacturer/product name
    under HKLM\\SYSTEM\\ControlSet001\\Control\\SystemInformation, using
    the class-level candidate lists. Only ControlSet001 is touched."""
    sysinfo_key = "SYSTEM\\ControlSet001\\Control\\SystemInformation"
    patches = (
        ("BIOSVersion", self.BIOS_VERSIONS),
        ("BIOSReleaseDate", self.SYSTEM_BIOS_DATES),
        ("SystemManufacturer", self.SYSTEM_MANUFACTURERS),
        ("SystemProductName", self.SYSTEM_PRODUCTNAMES),
    )
    for value_name, candidates in patches:
        set_regkey(HKEY_LOCAL_MACHINE, sysinfo_key, value_name, REG_SZ,
                   random.choice(candidates))
def windows_persistence():
    """Register the running interpreter in the current user's Run key.

    Writes ``sys.executable`` as a REG_SZ value named ``'br'`` under
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, the standard
    per-user autostart location. Returns ``(True, message)`` on success
    and ``(False, message)`` if any step raises WindowsError. The handle
    from ``OpenKey`` is not closed when ``SetValueEx`` raises, since
    ``CloseKey`` is inside the ``try`` rather than a ``finally``. For
    detection purposes this is a plain value-set on a well-known
    autostart key, which registry auditing records.
    """
    import _winreg
    from _winreg import HKEY_CURRENT_USER as HKCU
    run_key = r'Software\Microsoft\Windows\CurrentVersion\Run'
    bin_path = sys.executable
    try:
        # Key is opened for writing only; it is not created if absent.
        reg_key = _winreg.OpenKey(HKCU, run_key, 0, _winreg.KEY_WRITE)
        _winreg.SetValueEx(reg_key, 'br', 0, _winreg.REG_SZ, bin_path)
        _winreg.CloseKey(reg_key)
        return True, 'HKCU Run registry key applied'
    except WindowsError:
        return False, 'HKCU Run registry key failed'