Adds reg queryclass

git-svn-id: file:///home/svn/framework3/trunk@8046 4d416f70-5f16-0410-b530-b9f4589650da

external/source/meterpreter/source/extensions/stdapi/server/fs/file.c

@@ -282,7 +282,7 @@ DWORD request_fs_delete_file(Remote *remote, Packet *packet)
 
 	if (!path)
 		result = ERROR_INVALID_PARAMETER;
-#ifdef __WIN32__
+#ifdef _WIN32
 	else if (!DeleteFile(path))
 #else
 	else if (!unlink(path))

external/source/meterpreter/source/extensions/stdapi/server/stdapi.c

@@ -213,6 +213,10 @@ Command customCommands[] =
 	  { request_registry_query_value,                      { 0 }, 0 },
 	  { EMPTY_DISPATCH_HANDLER                                      },
 	},
+	{ "stdapi_registry_query_class",
+	  { request_registry_query_class,                      { 0 }, 0 },
+	  { EMPTY_DISPATCH_HANDLER                                      },
+	},
 	{ "stdapi_registry_enum_value",
 	  { request_registry_enum_value,                       { 0 }, 0 },
 	  { EMPTY_DISPATCH_HANDLER                                      },

external/source/meterpreter/source/extensions/stdapi/server/sys/registry/registry.c

@@ -437,3 +437,42 @@ DWORD request_registry_delete_value(Remote *remote, Packet *packet)
 
 	return ERROR_SUCCESS;
 }
+
+/*
+ * Queries a registry class for a given HKEY.
+ *
+ * TLVs:
+ *
+ * req: TLV_TYPE_HKEY       - The HKEY to query the class on
+ */
+DWORD request_registry_query_class(Remote *remote, Packet *packet)
+{
+	Packet *response = packet_create_response(packet);
+	LPCSTR valueName = NULL;
+	BYTE valueData[4096];
+	DWORD valueDataSize = 4096;
+	DWORD result = ERROR_SUCCESS;
+	DWORD valueType = 0;
+	HKEY hkey = NULL;
+
+	// Acquire the standard TLVs
+	hkey      = (HKEY)packet_get_tlv_value_uint(packet, TLV_TYPE_HKEY);
+
+	do
+	{
+		// Get the size of the value data
+		if ((result = RegQueryInfoKey(hkey, valueData, &valueDataSize, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL)) != ERROR_SUCCESS)
+			break;
+
+		packet_add_tlv_string(response, TLV_TYPE_VALUE_DATA, (LPCSTR)valueData);
+
+	} while (0);
+
+	// Populate the result code
+	packet_add_tlv_uint(response, TLV_TYPE_RESULT, result);
+
+	// Transmit the response
+	packet_transmit(remote, response, NULL);
+
+	return ERROR_SUCCESS;
+}

external/source/meterpreter/source/extensions/stdapi/server/sys/registry/registry.h

@@ -11,6 +11,7 @@ DWORD request_registry_delete_key(Remote *remote, Packet *packet);
 DWORD request_registry_close_key(Remote *remote, Packet *packet);
 DWORD request_registry_set_value(Remote *remote, Packet *packet);
 DWORD request_registry_query_value(Remote *remote, Packet *packet);
+DWORD request_registry_query_class(Remote *remote, Packet *packet);
 DWORD request_registry_enum_value(Remote *remote, Packet *packet);
 DWORD request_registry_delete_value(Remote *remote, Packet *packet);
 

lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb

@@ -17,13 +17,13 @@ module Sys
 
 ###
 #
-# This class provides access to the Windows registry on the remote 
+# This class provides access to the Windows registry on the remote
 # machine.
 #
 ###
 class Registry
 
-	class <<self
+	class << self
 		attr_accessor :client
 	end
 
@@ -35,7 +35,7 @@ class Registry
 
 	#
 	# Opens the supplied registry key relative to the root key with
-	# the supplied permissions.  Right now this is merely a wrapper around 
+	# the supplied permissions.  Right now this is merely a wrapper around
 	# create_key.
 	#
 	def Registry.open_key(root_key, base_key, perm = KEY_READ)
@@ -52,7 +52,7 @@ class Registry
 	#
 	def Registry.create_key(root_key, base_key, perm = KEY_READ)
 		request = Packet.create_request('stdapi_registry_create_key')
-		
+
 		request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
 		request.add_tlv(TLV_TYPE_BASE_KEY, base_key)
 		request.add_tlv(TLV_TYPE_PERMISSION, perm)
@@ -84,7 +84,7 @@ class Registry
 
 		return false
 	end
-	
+
 	#
 	# Closes the supplied registry key.
 	#
@@ -188,6 +188,21 @@ class Registry
 		return false
 	end
 
+	#
+	# Queries the registry class name and returns a string
+	#
+	def Registry.query_class(hkey)
+		request = Packet.create_request('stdapi_registry_query_class')
+
+		request.add_tlv(TLV_TYPE_HKEY, hkey)
+
+		response = client.send_request(request)
+		cls = response.get_tlv(TLV_TYPE_VALUE_DATA)
+		return nil if not cls
+		data = cls.value.gsub(/\x00.*/, '')
+		return data
+	end
+
 	#
 	# Enumerates all of the values at the supplied hkey including their
 	# names.  An array of RegistryValue's is returned.
@@ -237,11 +252,11 @@ class Registry
 	# type (like REG_SZ).
 	#
 	def self.type2str(type)
-		return REG_SZ if (type == 'REG_SZ')	
-		return REG_DWORD if (type == 'REG_DWORD')	
-		return REG_BINARY if (type == 'REG_BINARY')	
-		return REG_EXPAND_SZ if (type == 'REG_EXPAND_SZ')	
-		return REG_NONE if (type == 'REG_NONE')	
+		return REG_SZ if (type == 'REG_SZ')
+		return REG_DWORD if (type == 'REG_DWORD')
+		return REG_BINARY if (type == 'REG_BINARY')
+		return REG_EXPAND_SZ if (type == 'REG_EXPAND_SZ')
+		return REG_NONE if (type == 'REG_NONE')
 		return nil
 	end
 
@@ -260,4 +275,5 @@ class Registry
 
 end
 
-end; end; end; end; end; end
+end; end; end; end; end; end
+

lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb

@@ -60,7 +60,7 @@ class RegistryKey
 	end
 
 	#
-	# Retrieves all of the registry values that exist within the opened 
+	# Retrieves all of the registry values that exist within the opened
 	# registry key.
 	#
 	def enum_value()
@@ -74,7 +74,7 @@ class RegistryKey
 	#
 	##
 
-	#	
+	#
 	# Opens a registry key that is relative to this registry key.
 	#
 	def open_key(base_key, perm = KEY_READ)
@@ -101,7 +101,7 @@ class RegistryKey
 	#
 	def close()
 		if (self.hkey != nil)
-			return self.client.sys.registry.close_key(hkey)			
+			return self.client.sys.registry.close_key(hkey)
 		end
 
 		return false
@@ -128,6 +128,13 @@ class RegistryKey
 		return self.client.sys.registry.query_value(self.hkey, name)
 	end
 
+	#
+	# Queries the class of the specified key
+	#
+	def query_class
+		return self.client.sys.registry.query_class(self.hkey)
+	end
+
 	#
 	# Delete the supplied registry value.
 	#
@@ -171,4 +178,5 @@ protected
 	attr_writer   :hkey, :root_key, :base_key, :perm # :nodoc:
 end
 
-end; end; end; end; end; end; end
+end; end; end; end; end; end; end
+

lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

@@ -119,7 +119,7 @@ class Console::CommandDispatcher::Stdapi::Sys
 		end
 
 		# Execute it
-		p = client.sys.process.execute(cmd_exec, cmd_args, 
+		p = client.sys.process.execute(cmd_exec, cmd_args,
 			'Channelized' => channelized,
 			'Hidden'      => hidden,
 			'InMemory'    => (from_mem) ? dummy_exec : nil,
@@ -142,15 +142,15 @@ class Console::CommandDispatcher::Stdapi::Sys
 		path = (path and not path.empty?) ? path : "cmd.exe"
 		cmd_execute("-f", path, "-c", "-H", "-i")
 	end
-	
-	
+
+
 	#
 	# Gets the process identifier that meterpreter is running in on the remote
 	# machine.
 	#
 	def cmd_getpid(*args)
 		print_line("Current pid: #{client.sys.process.getpid}")
-		
+
 		return true
 	end
 
@@ -160,7 +160,7 @@ class Console::CommandDispatcher::Stdapi::Sys
 	def cmd_getuid(*args)
 		print_line("Server username: #{client.sys.config.getuid}")
 	end
-	
+
 	#
 	# Clears the event log
 	#
@@ -169,7 +169,7 @@ class Console::CommandDispatcher::Stdapi::Sys
 		logs = ['Application', 'System', 'Security']
 		logs << args
 		logs.flatten!
-		
+
 		logs.each do |name|
 			log = client.sys.eventlog.open(name)
 			print_status("Wiping #{log.length} records from #{name}...")
@@ -191,7 +191,7 @@ class Console::CommandDispatcher::Stdapi::Sys
 		print_line("Killing: #{args.join(", ")}")
 
 		client.sys.process.kill(*(args.map { |x| x.to_i }))
-		
+
 		return true
 	end
 
@@ -257,11 +257,12 @@ class Console::CommandDispatcher::Stdapi::Sys
 					print_line(
 						"Usage: reg [command] [options]\n\n" +
 						"Interact with the target machine's registry.\n" +
-						@@reg_opts.usage + 
+						@@reg_opts.usage +
 						"COMMANDS:\n\n" +
 						"    enumkey    Enumerate the supplied registry key [-k <key>]\n" +
 						"    createkey  Create the supplied registry key  [-k <key>]\n" +
 						"    deletekey  Delete the supplied registry key  [-k <key>]\n" +
+						"    queryclass Queries the class of the supplied key [-k <key>]\n" +
 						"    setval     Set a registry value [-k <key> -v <val> -d <data>]\n" +
 						"    deleteval  Delete the supplied registry value [-k <key> -v <val>]\n" +
 						"    queryval   Queries the data contents of a value [-k <key> -v <val>]\n\n")
@@ -302,7 +303,7 @@ class Console::CommandDispatcher::Stdapi::Sys
 						print_line("  Keys (#{keys.length}):\n")
 
 						keys.each { |subkey|
-							print_line("\t#{subkey}")	
+							print_line("\t#{subkey}")
 						}
 
 						print_line
@@ -310,11 +311,11 @@ class Console::CommandDispatcher::Stdapi::Sys
 
 					if (vals.length > 0)
 						print_line("  Values (#{vals.length}):\n")
-	
+
 						vals.each { |val|
 							print_line("\t#{val.name}")
 						}
-	
+
 						print_line
 					end
 
@@ -373,7 +374,13 @@ class Console::CommandDispatcher::Stdapi::Sys
 						"Name: #{v.name}\n" +
 						"Type: #{v.type_to_s}\n" +
 						"Data: #{v.data}\n")
-	
+
+				when "queryclass"
+					open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ)
+
+					data = open_key.query_class
+
+					print("Data: #{data}\n")
 				else
 					print_error("Invalid command supplied: #{cmd}")
 			end
@@ -418,3 +425,4 @@ end
 end
 end
 end
+