
offlinereg



#151 erwan.l

erwan.l

    Gold Member

  • Developer
  • 2249 posts
  • Location:Nantes - France
  •  
    France

Posted 26 January 2018 - 04:46 PM

 

No, you're right. No relative paths, it would just confuse things.
I was just asking because I was afraid I had missed something (could have been the case, considering the dozens of posts and versions). Please note, I'm NOT complaining, quite the opposite: as Misty already said, it's very cool and fun to watch the developments go so quickly!

 

No worries: the great and positive feedback I received these last few days in this thread contributed to significantly improving this software.



#152 misty

misty

    Silver Member

  • Developer
  • 879 posts
  •  
    United Kingdom

Posted 26 January 2018 - 05:10 PM

Command
offlinereg.exe D:\PATH\System ControlSet001 run D:\commands.txt
D:\PATH\System is an existing hive (copied from a WinPE build)

Content of commands.txt
A\B\C\D\E\Test setvalue NewValue NewValueData 1 
A\B\C\D\E\Test setvalue "New Value" "New Value Data" 1 
A\B\C\D\E\Test setvalue ThreadingModel Both 1 
A\B\C\D\E\Test setvalue " " %SystemRoot%\System32\actxprxy.dll 2 
A\B\C\D\E\Test setvalue "Reg Binary Test" 80,00,00,00,00,00,00,00 3 
A\B\C\D\E\Test setvalue BootDriverFlags2 28 4 
Output
setvalue NewValue ok
setvalue New Value ok
setvalue ThreadingModel ok
setvalue   ok
setvalue Reg Binary Test ok
setvalue BootDriverFlags2 ok
saved to D:\PATH\System ok
The new keys were not added to a relative path (relative to ControlSet001), but were instead added to the hive root.

Not a problem and the new run command works great. Just worth mentioning to ensure that people add paths relative to the hive root at this stage. And personally I'm not sure that there is any benefit to adding the ability to write to relative paths.

Fantastic work. Now make sure you get some rest over the weekend.

Misty

EDIT - added bonus - escape characters do not seem to be required in the command list when the new run command is used. E.g. -
A\B\C\D\E\Test setvalue " " "%systemroot%\Path with spaces\actxprxy.dll" 2
Added the following to the registry -
(default)   REG_EXPAND_SZ   %systemroot%\Path with spaces\actxprxy.dll


#153 misty


Posted 26 January 2018 - 05:26 PM

Guide updated and all traces of nobackup hopefully removed!

Link is in post #1 (and here)

Misty

#154 Atari800XL

Atari800XL

    Frequent Member

  • Advanced user
  • 111 posts
  •  
    Netherlands

Posted 26 January 2018 - 06:11 PM

Doing some more testing ("import") and can confirm that even "strange" entries like creating empty keys works fine:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\ControlSet001\Control\Network\NewNetworkWindowOff]

This is one of my w10 "pre-setup" tweaks, it prevents the "New Network" window sliding in from the right after setup completes. This setting doesn't require any value inside, just the presence of the key itself.



#155 erwan.l


Posted 26 January 2018 - 06:32 PM

Command

offlinereg.exe D:\PATH\System ControlSet001 run D:\commands.txt
D:\PATH\System is an existing hive (copied from a WinPE build)

Content of commands.txt
A\B\C\D\E\Test setvalue NewValue NewValueData 1 
A\B\C\D\E\Test setvalue "New Value" "New Value Data" 1 
A\B\C\D\E\Test setvalue ThreadingModel Both 1 
A\B\C\D\E\Test setvalue " " %SystemRoot%\System32\actxprxy.dll 2 
A\B\C\D\E\Test setvalue "Reg Binary Test" 80,00,00,00,00,00,00,00 3 
A\B\C\D\E\Test setvalue BootDriverFlags2 28 4 
Output
setvalue NewValue ok
setvalue New Value ok
setvalue ThreadingModel ok
setvalue   ok
setvalue Reg Binary Test ok
setvalue BootDriverFlags2 ok
saved to D:\PATH\System ok
The new keys were not added to a relative path (relative to ControlSet001), but were instead added to the hive root.

Not a problem and the new run command works great. Just worth mentioning to ensure that people add paths relative to the hive root at this stage. And personally I'm not sure that there is any benefit to adding the ability to write to relative paths.

Fantastic work. Now make sure you get some rest over the weekend.

Misty

 

 

Indeed, reviewing my code, only the hive (first parameter) is taken from the command line.

All other parameters are taken from the command file.

Below is my code that parses the command file, so you can see what happens behind the scenes.

 

I also recommend starting the command file with

" " create

if gverb='run' then
  begin
  nosave:=true;                           // save the hive only once, after the last command
  commands:=TStringList.Create;
  commands.LoadFromFile(paramstr(4));     // 4th command line argument: the command file
  for i:=0 to commands.Count-1 do
    begin
    params:=TStringList.Create;
    // DelimitedText splits on spaces; "quoted tokens" stay whole thanks to the default QuoteChar '"'
    params.Delimiter:=' ';
    params.DelimitedText:=commands[i];
    if i=commands.Count-1 then nosave:=false; // time to toggle the save flag
    gvaluename:='';gvalue:='';gvaluetype:=1;  // defaults when a line omits the trailing fields
    if params.Count>=3 then gvaluename:=params[2];
    if params.Count>=4 then gvalue:=params[3];
    if params.Count>=5 then gvaluetype:=StrToInt(params[4]);
    // hive, path, verb, value/key name, value, valuetype, nobackup
    main(ghive,params[0],params[1],gvaluename,gvalue,gvaluetype,bool);
    params.Free;                            // free the per-line list (it was leaked once per line)
    end;
  commands.Free;
  end; //if gverb='run' then


#156 erwan.l


Posted 26 January 2018 - 06:35 PM

Guide updated and all traces of nobackup hopefully removed!

Link is in post #1 (and here)

Misty

:worship:



#157 Atari800XL


Posted 26 January 2018 - 06:44 PM

Using offlinereg "import" would be a great help for Winbuilder-type applications (no need for taking ownership, I guess).

I asked Misty about this, and he reminded me of the fact that "some settings result in errors". On the other hand, a test file he used before seems to work OK now.

I would like to do some testing on this, but before I start: what is the current state of affairs? Which settings/types are causing problems, and is there a size max to importing?



#158 erwan.l


Posted 26 January 2018 - 07:17 PM

Using offlinereg "import" would be a great help for Winbuilder-type applications (no need for taking ownership, I guess).

I asked Misty about this, and he reminded me of the fact that "some settings result in errors". On the other hand, a test file he used before seems to work OK now.

I would like to do some testing on this, but before I start: what is the current state of affairs? Which settings/types are causing problems, and is there a size max to importing?

 

About import:

I don't see any limit apart from the key length for now (255), but if needed, it is easy to increase.

I have not encountered errors on my side, but I am using rather simple test files.

Perform some tests and every time you encounter an error, send me the file.



#159 Atari800XL


Posted 26 January 2018 - 07:46 PM

PM sent. No hurry, though!



#160 erwan.l


Posted 26 January 2018 - 07:53 PM

Just found a nasty bug in the multi-level path parsing.

A\B\C will be parsed as A+B+C, but A\SOME KEY\C will be parsed as A+SOME+KEY+C...

Fixing it.


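The command-file syntax shown in posts #152 and #155 and the path-with-spaces problem described in this post, worked through as an added Python example (not offlinereg's own code): a tokenizer that keeps "quoted" fields whole, a path splitter that cuts on backslashes only so a component such as SOME KEY survives, and a loop that applies the same field defaults as the Pascal code in post #155. The command file below is constructed from the page's examples; the dict layout is my own.

```python
# Constructed command file in the syntax of posts #152/#155: key path, verb, value name, data, type.
# Paths are relative to the hive root; quotes keep a field with spaces together, "A\SOME KEY\C" included.
COMMANDS_TXT = """\
" " create
A\\B\\C\\D\\E\\Test setvalue NewValue NewValueData 1
A\\B\\C\\D\\E\\Test setvalue "New Value" "New Value Data" 1
A\\B\\C\\D\\E\\Test setvalue " " "%systemroot%\\Path with spaces\\actxprxy.dll" 2
A\\B\\C\\D\\E\\Test setvalue "Reg Binary Test" 80,00,00,00,00,00,00,00 3
"A\\SOME KEY\\C" setvalue BootDriverFlags2 28 4
"""

def tokenize(line: str) -> list:
    """Split a command line on spaces, keeping "quoted" tokens whole.
    Backslashes are ordinary characters here: these are registry paths, not shell strings."""
    tokens, current, quoted, in_token = [], [], False, False
    for ch in line:
        if ch == '"':
            quoted, in_token = not quoted, True       # a quoted "" or " " is still a token
        elif ch == " " and not quoted:
            if in_token:
                tokens.append("".join(current))
            current, in_token = [], False
        else:
            current.append(ch)
            in_token = True
    if in_token:
        tokens.append("".join(current))
    return tokens

def split_key_path(path: str) -> list:
    """Cut a key path into components on backslashes only, so 'A\\SOME KEY\\C' gives
    ['A', 'SOME KEY', 'C']; the bug fixed in 1.0.2 cut on the space as well.
    A blank path (the " " used on the page) is the hive root."""
    if not path.strip():
        return []
    return path.split("\\")

def parse_command_file(text: str) -> list:
    """Mirror the Pascal loop of post #155: path, verb, then optional name, data and type (default 1)."""
    commands = []
    for raw in text.splitlines():
        params = tokenize(raw)
        if len(params) < 2:           # blank or malformed line: nothing to run
            continue
        cmd = {"path": split_key_path(params[0]), "verb": params[1],
               "name": "", "data": "", "type": 1}
        if len(params) >= 3:
            cmd["name"] = params[2]
        if len(params) >= 4:
            cmd["data"] = params[3]
        if len(params) >= 5:
            cmd["type"] = int(params[4])
        commands.append(cmd)
    return commands
```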

#161 erwan.l


Posted 26 January 2018 - 08:05 PM

Version 1.0.2 uploaded

1.0.2
fixed : multi level path bug (space issue)

I was able to run import (see below) without errors.

del TEMPREG.DAT
Offlinereg.exe TEMPREG.DAT " " create
reg export hklm\system\setup c:\temp\setup.reg
Offlinereg.exe TEMPREG.DAT " " import c:\temp\setup.reg


#162 erwan.l


Posted 26 January 2018 - 08:13 PM

Guys,

 

About Windows .reg files: you may have noticed that if you hex edit the file, it starts with a BOM (byte order mark); FF FE means UTF-16LE.

It is a bit of a PITA and I basically have to dump it to a new (plain text) file before reading/parsing it.

If you have any knowledge or ideas around this, I'll take them :)

Ideally I would not have to bother about it and could get text files as input.

 

Regards,

Erwan



#163 erwan.l


Posted 27 January 2018 - 02:07 PM

New version uploaded with lots of bug fixes (and built using another compiler, i.e. FPC 2.6.4 win32/win64).

The import function is proving quite challenging: dealing with big reg files with many different scenarios is a good test case.

1.0.2
fixed : multi level path bug (space issue)
added : all registry type handled in the import function
fixed : faster import function (newstringreplace function in the parsing function)

1.0.3
todo : review multi_sz in setvalue function
fixed : createkey now handles 512 length keys
fixed : setvalue dynamically allocate buffer (no more fixed size)
fixed : setvalue will handle hex(b) type (binary form of REG_QWORD)
fixed : missing REG_NONE added
fixed : @="" case handled
fixed : under some circumstances, temp reg file was not being created leading to incomplete keys/values


#164 erwan.l


Posted 27 January 2018 - 07:54 PM

Small experiment (and possible application of offlinereg) and slightly deviating from the main topic (as it is more about forensic/security) :

 

1.From an offline SAM hive (could be from winpe), dump a user RID to a text file

offlinereg-win32.exe c:\windows\system32\config\SAM sam\domains\account\users\000003e8 getvalue v > x:\rid.txt

2.Edit rid.txt text file so that it looks like this

sam\domains\account\users\000003e8 setvalue v "AA BB CC ..." 3

3.Change byte 160 (0xA0) & 172 (0xAC) in your binary blob to 00.

 

4.Update your hive with the below command

OfflineReg-win32 "c:\windows\system32\config\SAM" " " run x:\rid.txt

The user should now be able to log on with a blank password.

 

 

Some extra details:

Some forensic related discussion here.

000003e8 is my custom local admin account.

000001f4 would be the default windows account.

0xA0 and 0xAC are the LM and NTLM hash lengths. See here.

 

Edit : or, simpler (one step), you can use the below new command to achieve the same result ("blank password").

OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 160
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 172


#165 Biatu

Biatu

    Member

  • Members
  • 62 posts
  •  
    United Kingdom

Posted 27 January 2018 - 09:44 PM

Guys,

 

About Windows .reg files: you may have noticed that if you hex edit the file, it starts with a BOM (byte order mark); FF FE means UTF-16LE.

It is a bit of a PITA and I basically have to dump it to a new (plain text) file before reading/parsing it.

If you have any knowledge or ideas around this, I'll take them :)

Ideally I would not have to bother about it and could get text files as input.

 

Regards,

Erwan

Well you could use Multibyte to wide char API call, right?



#166 erwan.l


Posted 28 January 2018 - 07:17 PM

Some modifications brought in version 1.0.3 over the weekend.

1.0.3
todo : review multi_sz in setvalue function
fixed : createkey now handles 512 length keys
fixed : setvalue dynamically allocate buffer (no more fixed size)
fixed : setvalue will handle hex(b) type (binary form of REG_QWORD)
fixed : missing REG_NONE added
fixed : @="" case handled
fixed : under some circumstances, temp reg file was not being created leading to incomplete keys/values
fixed : getvalue+binary was reading only 4 bytes - now can read 65535 bytes
fixed : oem function improved
fixed : wrong value in enumallvalues under some circumstances
added : enumkeysr will recursively loop thru a key and its subkeys
added : setvaluebyteat a_reg_binary_value byte offset
added : getvaluebyteat a_reg_binary_value offset


#167 erwan.l


Posted 28 January 2018 - 07:18 PM

Well you could use Multibyte to wide char API call, right?

 

This is more or less what I am doing today.

I was wondering if there is any way to generate UTF-8 files from regedit rather than UTF-16, or a simple way to convert them from the command line.

This is less of a problem for me: reading/converting the reg file is much faster now.
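To show what the BOM handling from post #162 and the import cases listed in the 1.0.3 changelog (hex(b), REG_NONE, @="") amount to in a parser, here is an added Python example that is not offlinereg's code: it picks the text decoding from the byte order mark and turns a constructed regedit 5.00 export into (key, name, type, data) tuples using the Windows REG_* type numbers. The fallback to UTF-8 for a BOM-less file is an assumption; regedit itself writes the FF FE UTF-16LE form.

```python
import re
# Constructed sample of a regedit 5.00 export: UTF-16LE text behind the FF FE byte order mark.
SAMPLE_REG = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\ControlSet001\\Control\\Network\\NewNetworkWindowOff]\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\ControlSet001\\Control\\Test]\r\n"
    '@=""\r\n'
    '"Name"="C:\\\\Path with spaces\\\\actxprxy.dll"\r\n'
    '"Flags"=dword:0000001c\r\n'
    '"Blob"=hex:80,00,00,00,\\\r\n  00,00,00,00\r\n'
    '"Quad"=hex(b):01,00,00,00,00,00,00,00\r\n'
    '"Nothing"=hex(0):\r\n'
).encode("utf-16-le")
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def decode_reg_bytes(data: bytes) -> str:
    """Pick the text encoding from the BOM; regedit 5.00 exports are UTF-16LE (FF FE)."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    if data.startswith(b"\xef\xbb\xbf"):
        return data[3:].decode("utf-8")
    return data.decode("utf-8")  # assumption: a BOM-less file is UTF-8/ASCII, e.g. hand-written

def _unquote(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")

def _parse_data(raw: str):
    """Return (reg_type, data); types are the Windows REG_* numbers (1=SZ, 3=BINARY, 4=DWORD, 11=QWORD)."""
    if raw.startswith('"'):
        return 1, _unquote(raw)
    if raw.startswith("dword:"):
        return 4, int(raw[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", raw)
    if m:  # hex: is REG_BINARY; hex(N): uses N as a hexadecimal type number, so hex(b) is REG_QWORD
        reg_type = int(m.group(1), 16) if m.group(1) else 3
        return reg_type, bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
    raise ValueError(f"unsupported data syntax: {raw!r}")

def parse_reg(data: bytes) -> list:
    """Return (key, name, reg_type, data) tuples; a bare [key] line yields (key, None, None, None)."""
    text = decode_reg_bytes(data)
    text = re.sub(r"\\\r?\n\s*", "", text)  # regedit wraps long hex data with a trailing backslash
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.append((key, None, None, None))   # empty keys matter too, see post #154
        elif key is not None and (m := _VALUE_LINE.match(line)):
            name = "" if m.group(1) == "@" else _unquote(m.group(1))
            entries.append((key, name) + _parse_data(m.group(2)))
    return entries
```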



#168 Atari800XL

Atari800XL

    Frequent Member

  • Advanced user
  • 111 posts
  •  
    Netherlands

Posted 28 January 2018 - 07:51 PM

The SAM "experiment" with the new "setvaluebyteat" command is amazing!
I'm sure this will slowly trickle through the interwebz and will get Offlinereg a lot of new fans!
Thanks again!

#169 Atari800XL


Posted 28 January 2018 - 08:01 PM

I saw you updated the GUI version as well? Do you plan on a 64-bit version of this? (Don't do it if it's too much trouble.) Does the GUI version have any parameters? It would be nice if we could start it with a file as parameter. (Again, don't do it if...)

#170 erwan.l


Posted 28 January 2018 - 08:08 PM

I saw you updated the GUI version as well? Do you plan on a 64-bit version of this? (Don't do it if it's too much trouble.) Does the GUI version have any parameters? It would be nice if we could start it with a file as parameter. (Again, don't do it if...)

 

As the GUI and the console exes share code, I have taken the opportunity to recompile it.

Making an x64 version would be quite easy.

I am not planning on adding parameters to the GUI, as the GUI and console exe match each other.



#171 Atari800XL


Posted 28 January 2018 - 08:12 PM

The GUI version takes the same parameters as the console version?
Did not know that...
(Sorry, I thought it was a "viewer" only... and haven't used it much yet)

#172 erwan.l


Posted 28 January 2018 - 08:14 PM

The SAM "experiment" with the new "setvaluebyteat" command is amazing!
I'm sure this will slowly trickle through the interwebz and will get Offlinereg a lot of new fans!
Thanks again!

 

Yes, this one is fun :)

There is more coming : how to (re) enable a disabled account.



#173 erwan.l


Posted 28 January 2018 - 08:15 PM

The GUI version takes the same parameters as the console version?
Did not know that...
(I thought it was a "viewer" only...)

 

Sorry, I was not clear enough.

The GUI does not take any parameter.

It can delete/create keys and values (in the menu).



#174 misty


Posted 29 January 2018 - 09:43 AM

Small experiment (and possible application of offlinereg) and slightly deviating from the main topic (as it is more about forensic/security) :
 
1.From an offline SAM hive ........

.........The user should now be able to log on with a blank password.
 
Some extra details:
Some forensic related discussion here.
000003e8 is my custom local admin account.
000001f4 would be the default windows account.
0xA0 and 0xAC are the LM and NTLM hash lengths. See here.
 
Edit : or, simpler (one step), you can use the below new command to achieve the same result ("blank password").




OfflineReg-win32 "c:\windows\system32\config32\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 160
OfflineReg-win32 "c:\windows\system32\config32\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 172


Tested the above in a WinPE after using the OfflineRegGUI to open the SAM hive and identify my user account (000003e9).

Then ran the following commands (note the path to the SAM hive as c:\windows\system32\config\SAM - not c:\windows\system32\config32\SAM) -
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e9 setvaluebyteat v 0 160
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e9 setvaluebyteat v 0 172
 
 
WOW. :worship:

Misty

P.s. I'll update the guide with the new commands asap.

#175 erwan.l


Posted 29 January 2018 - 09:53 AM

Tested the above in a WinPE after using the OfflineRegGUI to open the SAM hive and identify my user account (000003e9).

Then ran the following commands (note the path to the SAM hive as c:\windows\system32\config\SAM - not c:\windows\system32\config32\SAM) -

OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e9 setvaluebyteat v 0 160
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e9 setvaluebyteat v 0 172
 
 
WOW. :worship:

Misty

P.s. I'll update the guide with the new commands asap.

 

 

Good catch, I have edited post 164 to fix the typo (config32->config).

There is probably a way to retrieve the RID from a username with an offlinereg command (need to look for it).

Side note: the new enumkeysr (note the 'r') may come in handy as well, combined with the DOS findstr command.





