Functions to write/read a Windows registry (.reg) export
import argparse
import binascii
import io
import re
import socket
import struct
import sys
import zlib
from configparser import ConfigParser
from datetime import datetime
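def read_reg(filename):
    """Parse a REGEDIT5 (UTF-16) .reg export into ``[path, value]`` pairs.

    Args:
        filename: Path of the .reg file. It is decoded as UTF-16, the encoding
            used by "Windows Registry Editor Version 5.00" exports.

    Returns:
        A list of two-element lists ``[key_path + '\\' + value_name, value]``
        in file order. ``hex:`` values are decoded to ``bytes``; every other
        value (``dword:``, quoted strings, ``hex(2):``/``hex(7):`` typed blobs,
        ``-`` deletions) is returned as the raw string from the file.

    Raises:
        OSError: the file cannot be opened or read.
        UnicodeDecodeError: the file is not valid UTF-16 (e.g. a REGEDIT4 export).
        binascii.Error: a ``hex:`` value is not valid hexadecimal.
    """
    out = []
    with io.open(filename, encoding='utf-16') as f:
        data = f.read()
    # Drop everything before the first section header (the banner line and
    # the blank lines after it); ConfigParser would otherwise reject that
    # text as an option outside any section.
    data = re.sub(r'^[^\[]*\n', '', data, flags=re.S)
    # interpolation=None: the export is data we do not control and '%' is
    # routine in REG_EXPAND_SZ strings ("%SystemRoot%\..."); the default
    # BasicInterpolation raises InterpolationSyntaxError when such a value
    # is read back.
    # delimiters=('=',): the default delimiter set also splits on ':', which
    # mangles value names that contain a colon (e.g. "C:\..." paths). The
    # "hex:"/"dword:" type prefixes sit after the '=' and are unaffected.
    cfg = ConfigParser(strict=False, interpolation=None, delimiters=('=',))
    # ConfigParser lower-cases option names by default; keep value names as
    # written so the returned paths round-trip.
    cfg.optionxform = str
    cfg.read_string(data)
    for section in cfg.sections():
        for name in cfg[section]:
            val = cfg[section][name]
            if val.startswith('hex:'):
                # Long hex values are wrapped with a trailing backslash and an
                # indented continuation line, which ConfigParser joins with
                # '\n'; strip the continuation markers and commas, then decode.
                raw = val[4:].replace('\\\n', '').replace(',', '')
                val = binascii.unhexlify(raw)
            out.append([section + '\\' + name.strip('"'), val])
    return out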
def write_reg(key, vn, vd):
    """Build the text of a REGEDIT5 .reg file holding one binary value.

    Args:
        key: Full registry key path, e.g. ``HKEY_CURRENT_USER\\Software\\X``.
        vn: Value name; it is emitted in double quotes, unescaped.
        vd: Iterable of byte-sized ints (``bytes`` works) written as ``hex:``.

    Returns:
        The file contents as ``str``: banner, blank line, ``[key]`` and the
        ``"vn"=hex:..`` line, each ``\\n``-terminated, with comma-separated
        lowercase two-digit hex bytes. ``read_reg`` decodes exports as UTF-16,
        so encode accordingly when saving this to disk.
    """
    header = "Windows Registry Editor Version 5.00\n\n"
    hex_bytes = ','.join(f'{b:02x}' for b in vd)
    section_line = f'[{key}]\n'
    value_line = f'"{vn}"=hex:{hex_bytes}\n'
    return ''.join((header, section_line, value_line))
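if __name__ == "__main__":
    # CLI: read the given .reg export and dump its first value to ./out.bin.
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <export.reg>")
    payload = read_reg(sys.argv[1])
    if not payload:
        sys.exit("no values found in the export")
    data = payload[0][1]
    # Only "hex:" values come back as bytes; anything else cannot be written raw.
    if not isinstance(data, bytes):
        sys.exit("first value is not a hex: blob")
    # Context manager so the handle is closed (and flushed) deterministically.
    with open('out.bin', 'wb') as fh:
        fh.write(data)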