Adds reg queryclass

git-svn-id: file:///home/svn/framework3/trunk@8046 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-31 15:52:30 +00:00 · 2009-12-31 15:52:30 +00:00 · 98f83bbab1
parent 64e524545e
commit 98f83bbab1
8 changed files with 104 additions and 28 deletions
--- a/data/meterpreter/ext_server_stdapi.dll
+++ b/data/meterpreter/ext_server_stdapi.dll
--- a/external/source/meterpreter/source/extensions/stdapi/server/fs/file.c
+++ b/external/source/meterpreter/source/extensions/stdapi/server/fs/file.c
@ -282,7 +282,7 @@ DWORD request_fs_delete_file(Remote *remote, Packet *packet)

 	if (!path)
 		result = ERROR_INVALID_PARAMETER;
-#ifdef __WIN32__
+#ifdef _WIN32
 	else if (!DeleteFile(path))
 #else
 	else if (!unlink(path))
--- a/external/source/meterpreter/source/extensions/stdapi/server/stdapi.c
+++ b/external/source/meterpreter/source/extensions/stdapi/server/stdapi.c
@ -213,6 +213,10 @@ Command customCommands[] =
 	  { request_registry_query_value,                      { 0 }, 0 },
 	  { EMPTY_DISPATCH_HANDLER                                      },
 	},
+	{ "stdapi_registry_query_class",
+	  { request_registry_query_class,                      { 0 }, 0 },
+	  { EMPTY_DISPATCH_HANDLER                                      },
+	},
 	{ "stdapi_registry_enum_value",
 	  { request_registry_enum_value,                       { 0 }, 0 },
 	  { EMPTY_DISPATCH_HANDLER                                      },
--- a/external/source/meterpreter/source/extensions/stdapi/server/sys/registry/registry.c
+++ b/external/source/meterpreter/source/extensions/stdapi/server/sys/registry/registry.c
@ -437,3 +437,42 @@ DWORD request_registry_delete_value(Remote *remote, Packet *packet)

 	return ERROR_SUCCESS;
 }
+
+/*
+ * Queries a registry class for a given HKEY.
+ *
+ * TLVs:
+ *
+ * req: TLV_TYPE_HKEY       - The HKEY to query the class on
+ */
+DWORD request_registry_query_class(Remote *remote, Packet *packet)
+{
+	Packet *response = packet_create_response(packet);
+	LPCSTR valueName = NULL;
+	BYTE valueData[4096];
+	DWORD valueDataSize = 4096;
+	DWORD result = ERROR_SUCCESS;
+	DWORD valueType = 0;
+	HKEY hkey = NULL;
+
+	// Acquire the standard TLVs
+	hkey      = (HKEY)packet_get_tlv_value_uint(packet, TLV_TYPE_HKEY);
+
+	do
+	{
+		// Get the size of the value data
+		if ((result = RegQueryInfoKey(hkey, valueData, &valueDataSize, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL)) != ERROR_SUCCESS)
+			break;
+
+		packet_add_tlv_string(response, TLV_TYPE_VALUE_DATA, (LPCSTR)valueData);
+
+	} while (0);
+
+	// Populate the result code
+	packet_add_tlv_uint(response, TLV_TYPE_RESULT, result);
+
+	// Transmit the response
+	packet_transmit(remote, response, NULL);
+
+	return ERROR_SUCCESS;
+}
--- a/external/source/meterpreter/source/extensions/stdapi/server/sys/registry/registry.h
+++ b/external/source/meterpreter/source/extensions/stdapi/server/sys/registry/registry.h
@ -11,6 +11,7 @@ DWORD request_registry_delete_key(Remote *remote, Packet *packet);
 DWORD request_registry_close_key(Remote *remote, Packet *packet);
 DWORD request_registry_set_value(Remote *remote, Packet *packet);
 DWORD request_registry_query_value(Remote *remote, Packet *packet);
+DWORD request_registry_query_class(Remote *remote, Packet *packet);
 DWORD request_registry_enum_value(Remote *remote, Packet *packet);
 DWORD request_registry_delete_value(Remote *remote, Packet *packet);

--- a/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb
@ -23,7 +23,7 @@ module Sys
 ###
 class Registry

-	class <<self
+	class << self
 		attr_accessor :client
 	end

@ -188,6 +188,21 @@ class Registry
 		return false
 	end

+	#
+	# Queries the registry class name and returns a string
+	#
+	def Registry.query_class(hkey)
+		request = Packet.create_request('stdapi_registry_query_class')
+
+		request.add_tlv(TLV_TYPE_HKEY, hkey)
+
+		response = client.send_request(request)
+		cls = response.get_tlv(TLV_TYPE_VALUE_DATA)
+		return nil if not cls
+		data = cls.value.gsub(/\x00.*/, '')
+		return data
+	end
+
 	#
 	# Enumerates all of the values at the supplied hkey including their
 	# names.  An array of RegistryValue's is returned.
@ -261,3 +276,4 @@ class Registry
 end

 end; end; end; end; end; end
+
--- a/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb
@ -128,6 +128,13 @@ class RegistryKey
 		return self.client.sys.registry.query_value(self.hkey, name)
 	end

+	#
+	# Queries the class of the specified key
+	#
+	def query_class
+		return self.client.sys.registry.query_class(self.hkey)
+	end
+
 	#
 	# Delete the supplied registry value.
 	#
@ -172,3 +179,4 @@ protected
 end

 end; end; end; end; end; end; end
+
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
@ -262,6 +262,7 @@ class Console::CommandDispatcher::Stdapi::Sys
 						"    enumkey    Enumerate the supplied registry key [-k <key>]\n" +
 						"    createkey  Create the supplied registry key  [-k <key>]\n" +
 						"    deletekey  Delete the supplied registry key  [-k <key>]\n" +
+						"    queryclass Queries the class of the supplied key [-k <key>]\n" +
 						"    setval     Set a registry value [-k <key> -v <val> -d <data>]\n" +
 						"    deleteval  Delete the supplied registry value [-k <key> -v <val>]\n" +
 						"    queryval   Queries the data contents of a value [-k <key> -v <val>]\n\n")
@ -374,6 +375,12 @@ class Console::CommandDispatcher::Stdapi::Sys
 						"Type: #{v.type_to_s}\n" +
 						"Data: #{v.data}\n")

+				when "queryclass"
+					open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ)
+
+					data = open_key.query_class
+
+					print("Data: #{data}\n")
 				else
 					print_error("Invalid command supplied: #{cmd}")
 			end
@ -418,3 +425,4 @@ end
 end
 end
 end
+