@scudette
Created February 20, 2020 12:08
Hash Run Key Binaries
name: HashRunKeys
description: |
  Iterate over all the Run keys, locate the binary each value points to, and hash it.

parameters:
  - name: runKeys
    default: |
      HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run\*
  - name: pathRegex
    type: hidden
    # Pick the first part - either quoted or not.
    default: >-
      (^"(?P<quoted_path>[^"]+)"|(?P<unquoted_path>^[^ ]+))

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'
    queries:
      - LET paths = SELECT FullPath, Name, Data.value AS Value,
            parse_string_with_regex(string=Data.value,
                                    regex=pathRegex) AS regData
        FROM glob(globs=split(string=runKeys, sep="[, \\n]+"),
                  accessor="reg")
        WHERE Data.value

      # Handle some variations we see in the value:
      #   system32\drivers\XXX.sys -> %SystemRoot%\System32\
      #   \SystemRoot\ -> %SystemRoot%\
      - LET normalized = SELECT *,
            expand(path=
                regex_replace(re='(?i)^system32\\\\',
                              replace="%SystemRoot%\\system32\\",
                              source=regex_replace(
                                  source=regData.quoted_path + regData.unquoted_path,
                                  re="^\\\\SystemRoot\\\\",
                                  replace="%SystemRoot%\\"))) AS RealPath
        FROM paths

      - SELECT FullPath, Name, Value, RealPath,
               hash(path=expand(path=RealPath)).SHA256 AS Hash
        FROM normalized
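The artifact's pipeline is parse the first token of each Run value (quoted or unquoted), rewrite the two path variants it knows about onto `%SystemRoot%`, expand the variable, then hash the file. The Python below is an added re-implementation of that same logic so the two regexes can be checked offline on constructed inputs; it is not part of the gist or of Velociraptor. Instead of the `reg` accessor and a real filesystem it takes a list of (key path, value) pairs and a `read_file` callable, and the sample values, the environment and the in-memory file contents are all constructed for the demo.

```python
import hashlib
import re

# Same expression as the artifact's pathRegex parameter: a quoted path at the
# start of the value, otherwise everything up to the first space.
PATH_REGEX = re.compile(r'(^"(?P<quoted_path>[^"]+)"|(?P<unquoted_path>^[^ ]+))')


def extract_path(value):
    """Return the executable path from a Run value, or None if nothing matches."""
    m = PATH_REGEX.search(value)
    if not m:
        return None
    # Mirrors regData.quoted_path + regData.unquoted_path: only one group is set.
    return m.group("quoted_path") or m.group("unquoted_path")


def normalize(path):
    """Apply the two rewrites from the artifact's 'normalized' query."""
    # \SystemRoot\foo -> %SystemRoot%\foo
    path = re.sub(r"^\\SystemRoot\\", r"%SystemRoot%\\", path)
    # system32\foo -> %SystemRoot%\system32\foo (case-insensitive, as in the VQL)
    path = re.sub(r"(?i)^system32\\", r"%SystemRoot%\\system32\\", path)
    return path


def expand(path, env):
    """Expand %VAR% references the way Windows does: case-insensitive names,
    unknown variables left untouched. Stands in for VQL's expand()."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def hash_run_keys(values, env, read_file):
    """One row per non-empty Run value, with the resolved path and SHA256.
    Hash is None when the resolved file cannot be read (missing binary)."""
    rows = []
    for key_path, value in values:
        if not value:                      # WHERE Data.value: skip empty values
            continue
        path = extract_path(value)
        real_path = expand(normalize(path), env) if path else None
        data = read_file(real_path) if real_path else None
        rows.append({
            "FullPath": key_path,
            "Value": value,
            "RealPath": real_path,
            "Hash": hashlib.sha256(data).hexdigest() if data is not None else None,
        })
    return rows


# ---- constructed sample data (not real registry or file contents) ----
RUN_PREFIX = "HKEY_USERS\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SAMPLE_RUN_VALUES = [
    (RUN_PREFIX + "OneDrive",
     '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    (RUN_PREFIX + "Updater", "system32\\drivers\\updater.sys -quiet"),
    (RUN_PREFIX + "Tray", "\\SystemRoot\\system32\\tray.exe"),
    (RUN_PREFIX + "Gone", '"C:\\Program Files\\Gone\\gone.exe" /x'),
    (RUN_PREFIX + "Empty", ""),
]
SAMPLE_ENV = {"SystemRoot": "C:\\Windows"}
# Keys are lower-cased because Windows paths are case-insensitive.
SAMPLE_FILES = {k.lower(): v for k, v in {
    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe": b"MZ onedrive",
    "C:\\Windows\\system32\\drivers\\updater.sys": b"",
    "C:\\Windows\\system32\\tray.exe": b"MZ tray",
}.items()}


def sample_reader(path):
    """Stand-in for reading the file from disk; returns None when it is absent."""
    return SAMPLE_FILES.get(path.lower())


if __name__ == "__main__":
    for row in hash_run_keys(SAMPLE_RUN_VALUES, SAMPLE_ENV, sample_reader):
        print(row["Value"], "->", row["RealPath"], row["Hash"])
```

The "Gone" entry shows the case a hunt has to expect: the value parses and resolves but the binary is no longer on disk, so the row is kept with an empty hash rather than dropped, which is itself a useful signal when reviewing persistence entries.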