-
Notifications
You must be signed in to change notification settings - Fork 20
/
syskey.py
107 lines (78 loc) · 2.74 KB
/
syskey.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# -*- coding: utf-8 -*-
"""System key (syskey) collector."""
import codecs
from winregrc import interface
class SystemKey(object):
"""System key.
Attributes:
boot_key (bytes): boot key.
"""
def __init__(self):
"""Initializes a system key."""
super(SystemKey, self).__init__()
self.boot_key = None
class SystemKeyCollector(interface.WindowsRegistryKeyCollector):
"""System key collector.
Attributes:
system_key (SystemKey): system key.
"""
_LSA_KEY_PATH = (
'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa')
def __init__(self, debug=False, output_writer=None):
"""Initializes a system key collector.
Args:
debug (Optional[bool]): True if debug information should be printed.
output_writer (Optional[OutputWriter]): output writer.
"""
super(SystemKeyCollector, self).__init__(debug=debug)
self._output_writer = output_writer
self.system_key = None
def _GetBootKey(self, registry):
"""Retrieves the boot key.
Args:
registry (dfwinreg.WinRegistry): Windows Registry.
Returns:
bytes: boot key or None if not found.
"""
try:
lsa_key = registry.GetKeyByPath(self._LSA_KEY_PATH)
except RuntimeError:
lsa_key = None
if not lsa_key:
return None
lsa_jd_key = lsa_key.GetSubkeyByName('JD')
lsa_skew1_key = lsa_key.GetSubkeyByName('Skew1')
lsa_gbg_key = lsa_key.GetSubkeyByName('GBG')
lsa_data_key = lsa_key.GetSubkeyByName('Data')
if None in (lsa_jd_key, lsa_skew1_key, lsa_gbg_key, lsa_data_key):
return None
lsa_jd_class_name = lsa_jd_key.class_name
lsa_skew1_class_name = lsa_skew1_key.class_name
lsa_gbg_class_name = lsa_gbg_key.class_name
lsa_data_class_name = lsa_data_key.class_name
if None in (
lsa_jd_class_name, lsa_skew1_class_name, lsa_gbg_class_name,
lsa_data_class_name):
return None
class_name_string = ''.join([
lsa_jd_class_name, lsa_skew1_class_name, lsa_gbg_class_name,
lsa_data_class_name])
scrambled_key = codecs.decode(class_name_string, 'hex')
key = bytearray([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0])
for index, scrambled_index in enumerate([
8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]):
key[index] = scrambled_key[scrambled_index]
return bytes(key)
def Collect(self, registry): # pylint: disable=arguments-differ
"""Collects system information.
Args:
registry (dfwinreg.WinRegistry): Windows Registry.
Returns:
bool: True if the system key was found, False if not.
"""
boot_key = self._GetBootKey(registry)
if not boot_key:
return False
self.system_key = SystemKey()
self.system_key.boot_key = boot_key
return True