
regripper3.0's People

Contributors

atilaromero, danzek, derekeiri, dloveall, hyuunnn, jbsmalls34, jgru, karneades, keydet89, l3fdb33f, linuxdotexe, mrhobbits, mtalkhnani, nisargsuthar, purplestories, yukinobu, zer0-tolerance


regripper3.0's Issues

winver.pl plugin syntax error

Error Message:
Number found where operator expected at C:\Tools\RegRipper\RegRipper3.0-master\plugins\winver.pl line 50, near "9"
(Missing semicolon on previous line?)
Error in C:\Tools\RegRipper\RegRipper3.0-master\plugins\winver.pl: syntax error at C:\Tools\RegRipper\RegRipper3.0-master\plugins\winver.pl line 50, near "9"
Compilation failed in require at C:\Tools\RegRipper\RegRipper3.0-master\rip.exe line 321.

The problem with the code is that there is a missing comma after the "RegisteredOwner" value at line 49, which is causing a syntax error.

Timestamp info report standardization

Hi @keydet89,

As you are aware from the IPED project thread, I've been trying to extract timestamps from RegRipper reports. The time representation seems well standardized, but it has been very difficult to identify a good, short and straightforward term that describes the event with which this timestamp is associated, even in TLN reports.

This is very useful for timestamp filtering, grouping and representation in a timeline chart.

Also, not every plugin that extracts timestamps has its TLN plugin counterpart.

So, it would be very useful to standardize the format and require plugin developers to provide this descriptive term with each timestamp entry.

Thanks

* Feature Request * - A 'clear' button in rr.exe

When we import a hive and Rip! the status display area does what it is expected to do. However, if we Rip! another hive the status display area does not clear. Two things of note:

  1. You can't CTRL+A in the status area to select all and then delete it manually
  2. A "clear" button somewhere on the window to clear that box before we Rip! (or, just clear the display box each run?)

Latest rr.exe identifies UsrClass.dat files as NTUSER hives

Hi, unsure if this was the intended behavior, but when running the latest "rr.exe" against UsrClass.dat hive files, it appears that the exe always identifies/classifies any USRCLASS hives as NTUSER hives. In doing so, "rr.exe" ends up unnecessarily running all of the non-applicable NTUSER hive specific plugins against any USRCLASS hives. Unfortunately, I believe only two (2) of the current NTUSER hive plugins are actually designed to also work with UsrClass.DAT files. As a result, the output files for any "rr.exe" processed USRCLASS hives end up being filled with tons of useless NTUSER hive specific plugin headers with no other underlying output. Can "rr.exe" be adjusted so that USRCLASS hives are specifically recognized, and only applicable RR plugins are run against them?
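One way such a hive-type check could be written, as an added example that is not RegRipper's own detection code (the page does not show how rr.exe classifies hives) and not part of this post. It uses Parse::Win32Registry, the module RegRipper itself is built on; the probe keys, the "<SID>_Classes" root-key-name test and the probe order are heuristics assumed here, not facts stated in the issue. The point it illustrates is ordering: a UsrClass.dat hive has no "Software" subkey at its root while NTUSER.DAT does, so the UsrClass probe has to run before the NTUSER probe or the hive is labelled NTUSER.

```perl
#!/usr/bin/perl
# Added example, not RegRipper project code: an order-sensitive hive-type probe.
# Assumed heuristics: UsrClass.dat roots are named "<SID>_Classes" and carry a
# "Local Settings" subkey; NTUSER.DAT carries "Software\Microsoft\Windows\...".
use strict;
use warnings;
use Parse::Win32Registry;

# Each probe: [label, test(root_key)]. Tests return a true value on a hit.
# More specific hives come first; USRCLASS must precede NTUSER.
my @PROBES = (
    [ "System",   sub { $_[0]->get_subkey("Select") } ],
    [ "SAM",      sub { $_[0]->get_subkey("SAM\\Domains") } ],
    [ "Security", sub { $_[0]->get_subkey("Policy") } ],
    [ "Software", sub { $_[0]->get_subkey("Microsoft\\Windows NT\\CurrentVersion") } ],
    [ "AmCache",  sub { $_[0]->get_subkey("Root") } ],
    [ "USRCLASS", sub { ($_[0]->get_name() =~ /_Classes$/i)
                        || $_[0]->get_subkey("Local Settings") } ],
    [ "NTUSER",   sub { $_[0]->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion") } ],
);

# Return the first matching label, or "Unknown" when no probe hits.
sub guessHiveType {
    my $root_key = shift;
    foreach my $p (@PROBES) {
        my ($label, $test) = @$p;
        return $label if $test->($root_key);
    }
    return "Unknown";
}

# Stand-alone usage: perl hivetype.pl UsrClass.dat NTUSER.DAT SYSTEM ...
foreach my $file (@ARGV) {
    my $reg = Parse::Win32Registry->new($file);   # undef if not a hive
    unless ($reg) {
        print "$file: not a registry hive\n";
        next;
    }
    print "$file: ".guessHiveType($reg->get_root_key)."\n";
}
```

A plugin runner that keys its plugin selection off this label (rather than off the first NTUSER-looking key it finds) would skip the NTUSER-only plugins for UsrClass.dat, which is the behaviour the post asks for.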

run.pl TLN support

Hi Harlan,
During an investigation I've noticed the registry timeline is missing entries related to persistence via autoruns via soft or user.
Any plan to update it or shall I do a PR request ?

New to this so bear with me!

I was trying to use RegRipper and was stuck with a strange error message. I downloaded it from here, and nowhere else. I tried it on a virtual machine and on my host machine. Got the same error @ line 492 on both machines. Please advise, as this is an issue that does not seem to be documented.

The message says: "Can't call method "is_dirty" on an undefined value at C:\Users[redacted]\Downloads\RegRipper3.0-master\RegRipper3.0-master\rr.exe line 492."

Was not able to include the screen shot!!!

Release process

Hello,

Thank you for the useful tool. We at the CinCan project (https://cincan.io) are packaging open source tools used for DFIR, and your tool is also included in our toolset (https://gitlab.com/CinCan/tools/-/tree/master/stable/regripper).

We are also tracking releases, but your release process makes things very difficult, so may I give some pointers to help keep us up to date.

  1. Please do not change the repo name when making a release; it breaks our automatic tracking of updates and we have to manually update this repository.
  2. Make a GitHub release when making a release. This is essentially tagging a commit and marking it as a release in GitHub.

This will help us automate the update process greatly.

Thanks!

Regripper 2.8 plugins

Hi,
Is there somewhere that the old 2.8 plugins can reside so that I can port over the old ones as needed, or just review for stored information?
I'm looking specifically for a plugin that I wrote and stored in that repository related to webroot registry artefacts
Thanks

Missing executed flag in appcompatcache plugin output

The "executed" flag is missing from the output of the appcompatcache plugin. The signature is 0x80 and the server is a Windows Server 2012 R2 Standard. It's also missing for a Windows 10 machine (sig 0x34).

I will now try to play with the signature field and checks to trigger win10 or so, which may be the problem. Example output:

appcompatcache v.20200428
(System) Parse files from System hive AppCompatCache
ControlSet001\Control\Session Manager\AppCompatCache
LastWrite Time: 2021-06-08 08:09:37Z
Signature: 0x80
SYSVOL\Program Files\Sysinternals\efsdump.exe  2006-11-01 13:05:23
SYSVOL\Windows\System32\sppsvc.exe  2015-05-01 01:13:15
...

The sig check is here: https://github.com/keydet89/RegRipper3.0/blob/master/plugins/appcompatcache.pl#L119

Maybe only the executed field ($files{$i}{executed} = 1 if ($f0 & 0x2);) is missing for some of the signatures (appWin8 among others): https://github.com/keydet89/RegRipper3.0/blob/master/plugins/appcompatcache.pl#L291

Executed flag is also missing for Win10: https://github.com/keydet89/RegRipper3.0/blob/master/plugins/appcompatcache.pl#L374

rip.pl doesn't find `plugins` on Linux/Unix when run from a different working directory

I think the problem is that rip.pl ignores the $str variable in line 70, which is finally written in line 63:

: ($plugindir = File::Spec->catfile("plugins"));

I suggest the following change:

diff --git a/Analysis/RegRipper3.0/rip.pl b/Analysis/RegRipper3.0/rip.pl
index 8f626a7..9027209 100644
--- a/Analysis/RegRipper3.0/rip.pl
+++ b/Analysis/RegRipper3.0/rip.pl
@@ -67,7 +67,7 @@ $str =~ s/($path[scalar(@path) - 1])//;
 # code updated 20190318
 my $plugindir;
 ($^O eq "MSWin32") ? ($plugindir = $str."plugins/")
-                   : ($plugindir = File::Spec->catfile("plugins"));
+                   : ($plugindir = File::Spec->catfile($str, "plugins"));
 #my $plugindir = $str."plugins/";
 #my $plugindir = File::Spec->catfile("plugins");
 #print "Plugins Dir = ".$plugindir."\n";
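Review bot: the `+` line still misbehaves when `$str` is empty, which is exactly what the substitution shown in the hunk header (`$str =~ s/($path[scalar(@path) - 1])//;`) leaves behind when rip.pl is invoked by bare name from its own directory (`$0` is just `rip.pl`, so stripping the filename leaves ""). On Unix `File::Spec->catfile("", "plugins")` resolves to `/plugins`, not `plugins`, because `catdir("")` canonicalises to `/`. Suggest guarding that case before the ternary, e.g. `$str = "." if ($str eq "");`, or deriving the script directory with `dirname($0)` from File::Basename (or `$FindBin::Bin`) instead of the regex, which also settles the question raised in the text: both branches then resolve plugins relative to where rip.pl lives, matching the Windows branch's `$str."plugins/"`.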

This works very well on my system. The final question is: do we assume the plugins are in the current folder or in the folder where rip.pl is stored? Both variants are fine, but I'd like to have the same behavior on Windows and non-Windows.

Kind regards (and thanks for your work), Jan

Getting error message "Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE" when using several RR 3.0 plugins that use the module "utf8_heavy.pl"

Hi there, I'm getting the following error message when attempting to run any RegRipper 3.0 plugin which calls the following Perl module:

  1. Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE/utf8_heavy.pl line 399.

Is this due to an error in the Perl module, a problem with the registry data that I'm feeding the RR 3.0 plugins that use the module, a bug in either the Perl module or the RR 3.0 plugins that might need to be fixed, not a bug at all, or something else? Many thanks!

Can't call method "*" on an undefined value error messages received when attempting to use the RR 3.0 plugins "installer.pl", "eventlogs.pl" and "ie_zones.pl".

I'm getting error messages when attempting to run three (3) RegRipper 3.0 plugins. Specifically:

  1. Error in C:\IRTools\keydet89\RegRipper3.0\plugins\installer.pl: Can't call method "get_list_of_subkeys" on an undefined value at C:\keydet89\RegRipper3.0\plugins\installer.pl line 72.

  2. Error in C:\IRTools\keydet89\RegRipper3.0\plugins\eventlogs.pl: Can't call method "get_data" on an undefined value at C:\keydet89\RegRipper3.0\plugins\eventlogs.pl line 60.

  3. Error in C:\IRTools\keydet89\RegRipper3.0\plugins\ie_zones.pl: Can't call method "get_list_of_subkeys" on an undefined value at C:\keydet89\RegRipper3.0\plugins\ie_zones.pl line 83.

Any idea why this might be happening? Can these plugins be fixed? Many thanks!

msoffice v.20200518 not outputting File MRUs when using GUI (rr.exe)

While examining an ntuser.dat hive, I noticed that the GUI (rr.exe) produces a different output than rip.exe: File MRUs are not printed when using the GUI

I traced the problem down to line 295 in the plugin code (msoffice.pl), which seems to fail. It seems that when using the GUI, the method getFileTimeStr is either not found or fails for some reason. I verified that the return statement of processMRUValue is never called when using the GUI. Copying getFileTimeStr from rip.pl into msoffice.pl and calling it locally made it work.

Plugin idea: PortProxy values

Hi Harlan

A plugin for PortProxy registry key would be cool - one or multiple values could be there.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp\*

Commands to trigger an addition:

# create
netsh interface portproxy add v4tov4 listenport=1337 listenaddress=0.0.0.0 connectport=3389 connectaddress=10.2.0.12

# query
reg.exe query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp

# remove again
netsh interface portproxy delete v4tov4 listenport=1337 listenaddress=0.0.0.0

References:

Cheers
Andreas
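A sketch of the requested plugin, added here as an example; it is not part of the RegRipper project and not code from this post. It follows the conventions the existing System-hive plugins use (the %config hash, getConfig/getShortDescr/getHive/getVersion, pluginmain receiving the hive path, and ::rptMsg/::logMsg supplied by rip.pl) and reads the hive with Parse::Win32Registry. The plugin name, the Select\Current lookup helper (an offline SYSTEM hive has no CurrentControlSet link), the time formatter, and the value layout are assumptions of this example: the value name is taken to be "listenaddress/listenport" and the REG_SZ data "connectaddress/connectport", which is what the netsh command above produces for the v4tov4 case. It also walks all four address-family subkeys (v4tov4, v4tov6, v6tov4, v6tov6), which goes beyond the single key named in the issue.

```perl
package portproxy;
# Added example, not RegRipper project code: a RegRipper 3.0-style plugin that
# lists netsh portproxy forwarding rules from an offline SYSTEM hive.
# Assumed: value name = "listenaddress/listenport", data = "connectaddress/connectport".
use strict;
use warnings;
use Parse::Win32Registry;

my %config = (hive          => "System",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              category      => "persistence",
              version       => 20240101);

sub getConfig     { return %config }
sub getShortDescr { return "Lists netsh portproxy forwarding rules (PortProxy key)" }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive} }
sub getVersion    { return $config{version} }

my $VERSION = getVersion();

# Resolve ControlSetNNN from Select\Current (assumed helper, as older
# System-hive plugins do inline); returns undef if Select is missing.
sub getCCS {
    my $root_key = shift;
    my $sel = $root_key->get_subkey("Select") or return;
    my $cur = $sel->get_value("Current")      or return;
    return sprintf("ControlSet%03d", $cur->get_data());
}

# Format a key LastWrite epoch as "YYYY-MM-DD HH:MM:SSZ" (assumed helper).
sub fmtTime {
    my @t = gmtime(shift);
    return sprintf("%04d-%02d-%02d %02d:%02d:%02dZ",
                   $t[5] + 1900, $t[4] + 1, $t[3], $t[2], $t[1], $t[0]);
}

sub pluginmain {
    my $class = shift;
    my $hive  = shift;
    ::logMsg("Launching portproxy v.".$VERSION);
    ::rptMsg("portproxy v.".$VERSION);
    ::rptMsg("(".getHive().") ".getShortDescr()."\n");

    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $ccs      = getCCS($root_key);
    unless (defined $ccs) {
        ::rptMsg("Select\\Current not found; cannot resolve CurrentControlSet.");
        return;
    }

    my $found = 0;
    # netsh keeps one subkey per address-family pair, each with a tcp subkey.
    foreach my $fam (qw(v4tov4 v4tov6 v6tov4 v6tov6)) {
        my $key_path = $ccs."\\Services\\PortProxy\\".$fam."\\tcp";
        my $key  = $root_key->get_subkey($key_path) or next;
        my @vals = $key->get_list_of_values();
        next unless @vals;
        $found++;
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time: ".fmtTime($key->get_timestamp()));
        foreach my $v (@vals) {
            my ($laddr, $lport) = split(/\//, $v->get_name(), 2);
            my ($caddr, $cport) = split(/\//, $v->get_data(), 2);
            $lport = "" unless defined $lport;
            $caddr = "" unless defined $caddr;
            $cport = "" unless defined $cport;
            my $line = sprintf("  %-24s -> %s:%s", $laddr.":".$lport, $caddr, $cport);
            # Analyst hints: a wildcard listener, or a forward to RDP, is the
            # classic pivot/persistence pattern worth flagging in the report.
            $line .= "  [wildcard listener]"
                if ($laddr eq "0.0.0.0" || $laddr eq "*" || $laddr eq "::");
            $line .= "  [-> RDP]" if ($cport eq "3389");
            ::rptMsg($line);
        }
        ::rptMsg("");
    }
    ::rptMsg("No PortProxy rules found.") unless $found;
}

1;
```

Saved as portproxy.pl in the plugins directory it runs like any other plugin, e.g. `rip.pl -r SYSTEM -p portproxy`. Empty tcp subkeys are skipped rather than printed as headers with no data, the same failure mode the UsrClass.dat issue above complains about for NTUSER plugins.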

Broken link in README

I'd suggest replacing

which is included in [Eric's Registry Explorer/RECmd](https://f001.backblazeb2.com/file/EricZimmermanTools/RegistryExplorer_RECmd.zip).

here (which is apparently broken) with a hopefully more stable URL:

which is included in [Eric's Registry Explorer/RECmd](https://ericzimmerman.github.io/).

PS. Many thanks for providing that link - it was really helpful, at least in my case.
