msuhanov/extract_cit.py

## extract_cit.py
#!/usr/bin/env python3

from yarp import *
import sys

if len(sys.argv) != 2:
	sys.exit('No file specified!')

with open(sys.argv[1], 'rb') as hive_file:
	hive = Registry.RegistryHive(hive_file)
	cit_key = hive.find_key('Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\System')

	if cit_key is None:
		sys.exit('No CIT\\System key found in the hive specified!')

	for cit_value in cit_key.values():
		data = cit_value.data_raw()

		if len(data) <= 8:
			continue

		compressed_data = data[8 : ]

		# This is an ugly hack to get the decompression code working without CyXpress.
		if len(compressed_data) < RegistryHelpers.NTFS_CLUSTER_SIZE:
			compressed_data += b'\x00' * (RegistryHelpers.NTFS_CLUSTER_SIZE - len(compressed_data))

		decompressed_data = RegistryHelpers.NTFSDecompressUnit(compressed_data)

		dump_name = '{}.bin'.format(cit_value.name())
		with open(dump_name, 'wb') as dump_file:
			dump_file.write(decompressed_data)

		print('Wrote: {}'.format(dump_name))
	#!/usr/bin/env python3

	from yarp import *
	import sys

	if len(sys.argv) != 2:
	sys.exit('No file specified!')

	with open(sys.argv[1], 'rb') as hive_file:
	hive = Registry.RegistryHive(hive_file)
	cit_key = hive.find_key('Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\System')

	if cit_key is None:
	sys.exit('No CIT\\System key found in the hive specified!')

	for cit_value in cit_key.values():
	data = cit_value.data_raw()

	if len(data) <= 8:
	continue

	compressed_data = data[8 : ]

	# This is an ugly hack to get the decompression code working without CyXpress.
	if len(compressed_data) < RegistryHelpers.NTFS_CLUSTER_SIZE:
	compressed_data += b'\x00' * (RegistryHelpers.NTFS_CLUSTER_SIZE - len(compressed_data))

	decompressed_data = RegistryHelpers.NTFSDecompressUnit(compressed_data)

	dump_name = '{}.bin'.format(cit_value.name())
	with open(dump_name, 'wb') as dump_file:
	dump_file.write(decompressed_data)

	print('Wrote: {}'.format(dump_name))