Last active
August 29, 2015 13:56
-
-
Save blakefrantz/8792868 to your computer and use it in GitHub Desktop.
010 Template for analyzing registry.pol files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // 010 Editor v4.0.3d Binary Template | |
| // | |
| // File: RegistryPolicyFileTemplate.bt | |
| // Author: Blake Frantz (blakefrantz at gmail dot com) | |
| // Revision: 1.1, Last Updated on 6 Oct 2014. | |
| // Purpose: Parse registry.pol files. | |
| // See http://msdn.microsoft.com/en-us/library/windows/desktop/aa374407(v=vs.85).aspx | |
| // | |
| // Generate REG commands that align with contents of registry.pol file | |
| // | |
| const DWORD REG_SZ = 1; | |
| const DWORD REG_EXPAND_SZ = 2; | |
| const DWORD REG_BINARY = 3; | |
| const DWORD REG_DWORD = 4; | |
| const DWORD REG_MULTI_SZ = 7; | |
| typedef struct | |
| { | |
| CHAR LBRACKET[2] <hidden=true>; | |
| wstring Key; | |
| SHORT seperator0 <hidden=true>; | |
| wstring ValueName; | |
| SHORT seperator1 <hidden=true>; | |
| DWORD Type <comment=DataValueTypeComment>; | |
| SHORT seperator2 <hidden=true>; | |
| DWORD DataSize; | |
| SHORT seperator3 <hidden=true>; | |
| union { | |
| UBYTE Raw[DataSize]; | |
| DWORD Int; | |
| wstring String; | |
| } Data; | |
| CHAR RBRACKET[2] <hidden=true>; | |
| } REGISTRY_RECORD <comment=RegistryRecordComment>; | |
| string DataValueTypeComment( DWORD type ) | |
| { | |
| string comment = ""; | |
| switch ( type ) | |
| { | |
| case REG_SZ : comment = "REG_SZ"; break; | |
| case REG_EXPAND_SZ: comment = "REG_EXPAND_SZ"; break; | |
| case REG_BINARY : comment = "REG_BINARY"; break; | |
| case REG_DWORD : comment = "REG_DWORD"; break; | |
| case REG_MULTI_SZ : comment = "REG_MULTI_SZ"; break; | |
| default : comment = "UNKNOWN_TYPE"; break; | |
| } | |
| return comment; | |
| } | |
| string RegistryRecordComment( REGISTRY_RECORD &record ) | |
| { | |
| string comment; | |
| uchar tempBuffer[ sizeof(record) ]; | |
| ReadBytes( tempBuffer, startof(record), sizeof(record) ); | |
| string result; | |
| ChecksumAlgArrayStr( CHECKSUM_CRC32, result, tempBuffer, sizeof(record)); | |
| if(WStrnicmp(record.ValueName, "**Del.", 6) == 0 ) | |
| { | |
| SPrintf(comment, "ValueName '%s' will be deleted from '%s'. CRC=%s", SubStr(record.ValueName, 6), record.Key, result); | |
| } | |
| else if(WStrnicmp(record.ValueName, "**DeleteValues", 14) == 0 ) | |
| { | |
| SPrintf(comment, "ValueNames '%s' will be deleted from '%s'. CRC=%s", SubStr(record.ValueName, 14), record.Key, result); | |
| } | |
| else if(WStrnicmp(record.ValueName, "**DelVals", 9) == 0 ) | |
| { | |
| SPrintf(comment, "All ValueNames under '%s' will be deleted. CRC=%s", record.Key, result); | |
| } | |
| else if(WStrnicmp(record.ValueName, "**DeleteKeys", 12) == 0 ) | |
| { | |
| SPrintf(comment, "Keys '%s' under '%s' will be deleted. CRC=%s", SubStr(record.ValueName, 12), record.Key, result); | |
| } | |
| else if(WStrnicmp(record.ValueName, "**SecureKey=0", 13) == 0 ) | |
| { | |
| SPrintf(comment, "The DACL on '%s' will be reset to align with the root's DACL. CRC=%s", record.Key, result); | |
| } | |
| else if(WStrnicmp(record.ValueName, "**SecureKey=1", 13) == 0 ) | |
| { | |
| SPrintf(comment, "The DACL on '%s' will be set as follows: Administrators, SYSTEM = Full; Users = Read Only. CRC=%s", record.Key, result); | |
| } | |
| else if(record.Type == REG_DWORD) | |
| { | |
| SPrintf(comment, "%s:%s = (REG_DWORD) %d. CRC=%s", record.Key, record.ValueName, record.Data.Int, result); | |
| } | |
| else if(record.Type == REG_SZ) | |
| { | |
| SPrintf(comment, "%s:%s = (REG_SZ) '%s'. CRC=%s", record.Key, record.ValueName, record.Data.String, result); | |
| } | |
| else if(record.Type == REG_EXPAND_SZ) | |
| { | |
| SPrintf(comment, "%s:%s = (REG_EXPAND_SZ) ... CRC=%s", record.Key, record.ValueName, result); | |
| } | |
| else if(record.Type == REG_BINARY) | |
| { | |
| SPrintf(comment, "%s:%s = (REG_BINARY) ... CRC=%s", record.Key, record.ValueName, result); | |
| } | |
| else if(record.Type == REG_MULTI_SZ) | |
| { | |
| SPrintf(comment, "%s:%s = (REG_MULTI_SZ) ... CRC=%s", record.Key, record.ValueName, result); | |
| } | |
| else | |
| { | |
| SPrintf(comment, "%s:%s (%s)", record.Key, record.ValueName, result); | |
| } | |
| return comment; | |
| } | |
| BigEndian(); | |
| DWORD REGFILE_SIGNATURE; | |
| LittleEndian(); | |
| DWORD REGISTRY_FILE_VERSION; | |
| if (REGFILE_SIGNATURE !=0x50526567 || REGISTRY_FILE_VERSION != 0x01 ) | |
| { | |
| Warning( "File is not Registry Policy File Format Version 1. Template stopped." ); | |
| return -1; | |
| } | |
| local int records = 0; | |
| while( !FEof() ) | |
| { | |
| REGISTRY_RECORD record; | |
| records++; | |
| } | |
| local int i; | |
| local string regCmdPrefix = "REG ADD \"HKLM\\"; | |
| local string regCmdPrefixDel = "REG DELETE \"HKLM\\"; | |
| for (i=0; i < records; i++) | |
| { | |
| if(WStrnicmp(record[i].ValueName, "**Del.", 6) == 0 ) | |
| { | |
| Printf("%s%s\" /v \"%s\" /f", regCmdPrefixDel, record[i].Key, StrDel(record[i].ValueName,0,6)); | |
| // Printf("ValueName '%s' will be deleted from '%s'", SubStr(record[i].ValueName, 6), record[i].Key); | |
| } | |
| else if(WStrnicmp(record[i].ValueName, "**DeleteValues", 14) == 0 ) | |
| { | |
| Printf("ValueNames '%s' will be deleted from '%s'", SubStr(record[i].ValueName, 14), record[i].Key); | |
| } | |
| else if(WStrnicmp(record[i].ValueName, "**DelVals", 9) == 0 ) | |
| { | |
| Printf("%s%s\" /va /f", regCmdPrefixDel, record[i].Key); | |
| // Printf("All ValueNames under '%s' will be deleted", record[i].Key); | |
| } | |
| else if(WStrnicmp(record[i].ValueName, "**DeleteKeys", 12) == 0 ) | |
| { | |
| Printf("Keys '%s' under '%s' will be deleted", SubStr(record[i].ValueName, 12), record[i].Key); | |
| } | |
| else if(WStrnicmp(record[i].ValueName, "**SecureKey=0", 13) == 0 ) | |
| { | |
| Printf("The DACL on '%s' will be reset to align with the root's DACL", record[i].Key); | |
| } | |
| else if(WStrnicmp(record[i].ValueName, "**SecureKey=1", 13) == 0 ) | |
| { | |
| Printf("The DACL on '%s' will be set as follows: Administrators, SYSTEM = Full; Users = Read Only", record[i].Key); | |
| } | |
| else if(record[i].Type == REG_DWORD) | |
| { | |
| Printf("%s%s\" /v \"%s\" /t REG_DWORD /d %d /f", regCmdPrefix, record[i].Key, record[i].ValueName, record[i].Data.Int); | |
| } | |
| else if(record[i].Type == REG_SZ) | |
| { | |
| Printf("%s%s\" /v \"%s\" /t REG_SZ /d \"%s\" /f", regCmdPrefix, record[i].Key, record[i].ValueName, record[i].Data.String); | |
| } | |
| else if(record[i].Type == REG_EXPAND_SZ) | |
| { | |
| Printf("%s%s\" /v \"%s\" /t REG_EXPAND_SZ /d \"%s\" /f", regCmdPrefix, record[i].Key, record[i].ValueName, record[i].Data.String); | |
| } | |
| else if(record[i].Type == REG_BINARY) | |
| { | |
| Printf("%s%s\" /v \"%s\" /t REG_BINARY /d %s /f", regCmdPrefix, record[i].Key, record[i].ValueName); | |
| } | |
| else if(record[i].Type == REG_MULTI_SZ) | |
| { | |
| Printf("WARNING: Unsupported '%s%s' /v '%s' /t REG_MULTI_SZ /d %s", regCndPrefix, record[i].Key, record[i].ValueName); | |
| } | |
| else | |
| { | |
| Printf("WARNING: Unsupported '%s:%s' Type = (%d)", record[i].Key, record[i].ValueName, record[i].Type); | |
| } | |
| Printf("\n"); | |
| // Printf("%s\\%s\n", record[i].Key, record[i].ValueName); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment