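## Script for carving out the REG_BINARY data from
## an exported registry key. Created by alexander.hanel@gmail.com
##
## Example Key:
## [HKEY_CURRENT_USER\Software\.........A
## "Data"=hex:24,56,04,00,1b,e1,80,02,41,4c,3a,45
## python RegHex2Bin.py data.reg
##
## HEX VIEW
## 24 56 04 00 1B E1 80 02 41 4C 3A 45 $V......AL:EBCa_
##
## If multiple REG_BINARY there will be a string of '_end_'
## to separate the data.
##
## NOTE: the carved bytes are whatever the export contained (often a
## malware payload when this is used for triage) -- treat the .out file
## as untrusted and open it in a sandbox, not on the analysis host.
import codecs
import sys

# In-band separator written after every carved value (including the last
# one). It is plain bytes, so a payload that itself contains '_end_' cannot
# be told apart from the separator by a consumer of the .out file.
END_MARKER = b'_end_'
# Token that introduces a REG_BINARY value in a .reg export. Typed variants
# such as "hex(2):" / "hex(7):" are other registry types and are left alone.
HEX_TOKEN = '=hex:'


def _hex_list_to_bytes(hex_list):
    """Convert a .reg comma-separated hex list (e.g. '24,56,04') to bytes.

    Empty items (from a trailing comma or a line break) are skipped.
    Items that are not a single byte in hex are reported on stderr and
    skipped, rather than silently dropped, so malformed input is visible.
    """
    out = bytearray()
    for item in hex_list.split(','):
        item = item.strip()
        if not item:
            continue
        try:
            value = int(item, 16)
        except ValueError:
            sys.stderr.write("\t[WARN]: skipping non-hex token %r\n" % (item,))
            continue
        if not 0 <= value <= 0xFF:
            # chr() used to raise here and the error was swallowed; say so.
            sys.stderr.write("\t[WARN]: skipping out-of-range token %r\n" % (item,))
            continue
        out.append(value)
    return bytes(out)


def carve_hex_values(lines):
    """Return every REG_BINARY payload in *lines*, each followed by END_MARKER.

    lines: the decoded text lines of a .reg export. A value starts on a
    line containing '=hex:' and continues onto the following lines for as
    long as the line ends with a backslash.

    Returns b'' when the export holds no REG_BINARY value.
    """
    chunks = []
    pending = None  # hex-list fragments of the value being collected
    for line in lines:
        text = line.rstrip()
        if pending is None:
            pos = text.find(HEX_TOKEN)
            if pos == -1:
                continue
            pending = []
            # Data starts right after the 5-character token; slicing one
            # character further (as the first version did) drops the first
            # hex digit and corrupts the leading byte.
            fragment = text[pos + len(HEX_TOKEN):]
        else:
            fragment = text
        continued = fragment.endswith('\\')
        pending.append(fragment.rstrip('\\'))
        if not continued:
            # Value is complete on this line: close it now instead of
            # swallowing the next unrelated line into it.
            chunks.append(_hex_list_to_bytes(','.join(pending)))
            pending = None
    if pending is not None:
        # Export ended with a continuation backslash: keep what we have.
        chunks.append(_hex_list_to_bytes(','.join(pending)))
    return b''.join(chunk + END_MARKER for chunk in chunks)


def main(argv=None):
    """CLI entry point: carve argv[1] and write the bytes to argv[1] + '.out'.

    argv: argument vector; defaults to sys.argv.
    Returns the process exit status (0 on success, 1 on any error).
    """
    argv = sys.argv if argv is None else argv
    if len(argv) < 2:
        print("usage: python RegHex2Bin.py <exported.reg>")
        return 1
    path = argv[1]
    try:
        # Regedit 5.00 exports are UTF-16 with a BOM; the codec honours it.
        with codecs.open(path, 'rb', 'utf-16') as src:
            lines = src.read().splitlines()
    except (IOError, OSError):
        print("\t[ERROR]: Could not access file [ERROR]")
        return 1
    except UnicodeDecodeError:
        # REGEDIT4-style (ANSI) exports are not UTF-16; report it instead
        # of letting the traceback escape.
        print("\t[ERROR]: File is not a UTF-16 .reg export [ERROR]")
        return 1
    data = carve_hex_values(lines)
    try:
        with open(path + '.out', 'wb') as dst:
            dst.write(data)
    except (IOError, OSError):
        # Previously printed and then crashed on an unbound name.
        print("\t[ERROR]: Could not write file [ERROR]")
        return 1
    return 0


if __name__ == '__main__':
    sys.exit(main())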
Download LINK