/extract_cit.py
Last active Dec 5, 2018
| #!/usr/bin/env python3 | |
| from yarp import * | |
| import sys | |
| if len(sys.argv) != 2: | |
| sys.exit('No file specified!') | |
| with open(sys.argv[1], 'rb') as hive_file: | |
| hive = Registry.RegistryHive(hive_file) | |
| cit_key = hive.find_key('Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\System') | |
| if cit_key is None: | |
| sys.exit('No CIT\\System key found in the hive specified!') | |
| for cit_value in cit_key.values(): | |
| data = cit_value.data_raw() | |
| if len(data) <= 8: | |
| continue | |
| compressed_data = data[8 : ] | |
| # This is an ugly hack to get the decompression code working without CyXpress. | |
| if len(compressed_data) < RegistryHelpers.NTFS_CLUSTER_SIZE: | |
| compressed_data += b'\x00' * (RegistryHelpers.NTFS_CLUSTER_SIZE - len(compressed_data)) | |
| decompressed_data = RegistryHelpers.NTFSDecompressUnit(compressed_data) | |
| dump_name = '{}.bin'.format(cit_value.name()) | |
| with open(dump_name, 'wb') as dump_file: | |
| dump_file.write(decompressed_data) | |
| print('Wrote: {}'.format(dump_name)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment