darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
f5155d5eb4
PEASS-ng/winPEAS/winPEASexe/winPEAS/Helpers/RegistryHelper.cs
makikvues e16234b773 - refactoring & cleanup 
- TODO: first version of AppLocker implementation
- CredentialManager implementation
- added check of LsaCompatiblityLevel
- updated GetAutoRunsFolder
- updated PrintTranscriptPS
2021-01-17 23:38:39 +01:00

156 lines
5.4 KiB
C#
Raw Blame History

using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Win32;
namespace winPEAS.Helpers
{
static class RegistryHelper
{
///////////////////////////////////////////
/// Interf. for Keys and Values in Reg. ///
///////////////////////////////////////////
/// Functions related to obtain keys and values from the registry
/// Some parts adapted from Seatbelt
public static string GetRegValue(string hive, string path, string value)
{
// returns a single registry value under the specified path in the specified hive (HKLM/HKCU)
string regKeyValue = "";
if (hive == "HKCU")
{
var regKey = Registry.CurrentUser.OpenSubKey(path);
if (regKey != null)
{
regKeyValue = string.Format("{0}", regKey.GetValue(value));
}
return regKeyValue;
}
else if (hive == "HKU")
{
var regKey = Registry.Users.OpenSubKey(path);
if (regKey != null)
{
regKeyValue = string.Format("{0}", regKey.GetValue(value));
}
return regKeyValue;
}
else
{
var regKey = Registry.LocalMachine.OpenSubKey(path);
if (regKey != null)
{
regKeyValue = string.Format("{0}", regKey.GetValue(value));
}
return regKeyValue;
}
}
public static Dictionary<string, object> GetRegValues(string hive, string path)
{
// returns all registry values under the specified path in the specified hive (HKLM/HKCU)
Dictionary<string, object> keyValuePairs = null;
try
{
if (hive == "HKCU")
{
using (var regKeyValues = Registry.CurrentUser.OpenSubKey(path))
{
if (regKeyValues != null)
{
var valueNames = regKeyValues.GetValueNames();
keyValuePairs = valueNames.ToDictionary(name => name, regKeyValues.GetValue);
}
}
}
else if (hive == "HKU")
{
using (var regKeyValues = Registry.Users.OpenSubKey(path))
{
if (regKeyValues != null)
{
var valueNames = regKeyValues.GetValueNames();
keyValuePairs = valueNames.ToDictionary(name => name, regKeyValues.GetValue);
}
}
}
else
{
using (var regKeyValues = Registry.LocalMachine.OpenSubKey(path))
{
if (regKeyValues != null)
{
var valueNames = regKeyValues.GetValueNames();
keyValuePairs = valueNames.ToDictionary(name => name, regKeyValues.GetValue);
}
}
}
return keyValuePairs;
}
catch
{
return null;
}
}
public static byte[] GetRegValueBytes(string hive, string path, string value)
{
// returns a byte array of single registry value under the specified path in the specified hive (HKLM/HKCU)
byte[] regKeyValue = null;
if (hive == "HKCU")
{
var regKey = Registry.CurrentUser.OpenSubKey(path);
if (regKey != null)
{
regKeyValue = (byte[])regKey.GetValue(value);
}
return regKeyValue;
}
else if (hive == "HKU")
{
var regKey = Registry.Users.OpenSubKey(path);
if (regKey != null)
{
regKeyValue = (byte[])regKey.GetValue(value);
}
return regKeyValue;
}
else
{
var regKey = Registry.LocalMachine.OpenSubKey(path);
if (regKey != null)
{
regKeyValue = (byte[])regKey.GetValue(value);
}
return regKeyValue;
}
}
public static string[] GetRegSubkeys(string hive, string path)
{
// returns an array of the subkeys names under the specified path in the specified hive (HKLM/HKCU/HKU)
try
{
RegistryKey myKey = null;
if (hive == "HKLM")
{
myKey = Registry.LocalMachine.OpenSubKey(path);
}
else if (hive == "HKU")
{
myKey = Registry.Users.OpenSubKey(path);
}
else
{
myKey = Registry.CurrentUser.OpenSubKey(path);
}
String[] subkeyNames = myKey.GetSubKeyNames();
return myKey.GetSubKeyNames();
}
catch
{
return new string[0];
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink