From 8192ad24d564e3034e5d33c44abd3884febdd3cb Mon Sep 17 00:00:00 2001
From: =
Date: Thu, 7 Apr 2016 18:22:23 +0100
Subject: [PATCH] adding the ability to manage binary registry data

---
 windows/win_regedit.ps1 | 39 +++++++++++++++++++++++++++++++++++++++
 windows/win_regedit.py | 11 ++++++++++-
 2 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/windows/win_regedit.ps1 b/windows/win_regedit.ps1
index fe060e101c6..806cc4ad5e4 100644
--- a/windows/win_regedit.ps1
+++ b/windows/win_regedit.ps1
@@ -56,6 +56,45 @@ Function Test-RegistryValueData {
 }
 }
+
+# Simplified version of Convert-HexStringToByteArray from
+# https://cyber-defense.sans.org/blog/2010/02/11/powershell-byte-array-hex-convert
+# Expects a hex in the format you get when you run reg.exe export,
+# and converts to a byte array so powershell can modify binary registry entries
+function Convert-RegExportHexStringToByteArray
+{
+ Param (
+ [parameter(Mandatory=$true))] [String] $String
+ )
+
+# remove 'hex:' from the front of the string if present
+$String = $String.ToLower() -replace '^hex\:', ''
+
+#remove whitespace and any other non-hex crud.
+$String = $String.ToLower() -replace '[^a-f0-9\\,x\-\:]',''
+
+# turn commas into colons
+$String = $String -replace ',',':'
+
+#Maybe there's nothing left over to convert...
+if ($String.Length -eq 0) { ,@() ; return }
+
+#Split string with or without colon delimiters.
+if ($String.Length -eq 1)
+{ ,@([System.Convert]::ToByte($String,16)) }
+elseif (($String.Length % 2 -eq 0) -and ($String.IndexOf(":") -eq -1))
+{ ,@($String -split '([a-f0-9]{2})' | foreach-object { if ($_) {[System.Convert]::ToByte($_,16)}}) }
+elseif ($String.IndexOf(":") -ne -1)
+{ ,@($String -split ':+' | foreach-object {[System.Convert]::ToByte($_,16)}) }
+else
+{ ,@() }
+
+}
+
+if($registryDataType -eq "binary" -and $registryData -ne $null) {
+ $registryData = Convert-RegExportHexStringToByteArray($registryData)
+}
+
 if($state -eq "present") {
 if ((Test-Path $registryKey) -and $registryValue -ne $null) {
diff --git a/windows/win_regedit.py b/windows/win_regedit.py
index 5087a5eaa8f..3317d6e8dc4 100644
--- a/windows/win_regedit.py
+++ b/windows/win_regedit.py
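Review bot: The parameter attribute in the new Param block has an unbalanced parenthesis, `[parameter(Mandatory=$true))] [String] $String`, which is a parse error that stops the whole script from loading rather than just the binary path; it should read `[parameter(Mandatory=$true)] [String] $String`. Malformed data is also never reported: an odd-length string with no delimiters (a constructed `hex:beef0`, say) falls through to the final `else { ,@() }` and yields an empty array, so the module would go on to write an empty REG_BINARY value with no error, while characters the filter deliberately keeps (`x`, `-`, `\`) reach `[System.Convert]::ToByte` and, as far as I can tell, surface as an unhandled FormatException instead of a module failure message. I would turn the `else` branch into a `throw` and wrap the call site in a try/catch that reports the bad input through the module's failure helper, as sketched below. The second `.ToLower()` on the filtering line is redundant after the first one. The `if($state -eq "present")` block that follows the new code continues outside the hunk.
```powershell
function Convert-RegExportHexStringToByteArray
{
    Param (
        [parameter(Mandatory=$true)] [String] $String
    )
    # … unchanged: strip 'hex:', filter, comma→colon, empty / 1-byte / paired / colon-split branches …
    else
    {
        # odd-length, undelimited input is not valid hex: refuse it rather than
        # returning an empty array that gets written as an empty value
        throw "data is not a valid hex string: '$String'"
    }
}

if($registryDataType -eq "binary" -and $registryData -ne $null) {
    try {
        $registryData = Convert-RegExportHexStringToByteArray($registryData)
    } catch {
        # assumes Fail-Json and $result come from the module prologue above this hunk — confirm
        Fail-Json $result "invalid binary data: $($_.Exception.Message)"
    }
}
```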
@@ -43,7 +43,7 @@ options:
 aliases: []
 data:
 description:
- - Registry Value Data
+ - Registry Value Data. Binary data should be expressed as comma separated hex values. An easy way to generate this is to run regedit.exe and use the 'Export' option to save the registry values to a file. In the file binary values will look something like this: hex:be,ef,be,ef. The 'hex:' prefix is optional.
 required: false
 default: null
 aliases: []
@@ -94,6 +94,15 @@ EXAMPLES = '''
 data: 1337
 datatype: dword
 
+ # Creates Registry Key called MyCompany,
+ # a value within MyCompany Key called "hello", and
+ # binary data for the value "hello" as type "binary".
+ win_regedit:
+ key: HKCU:\Software\MyCompany
+ value: hello
+ data: hex:be,ef,be,ef,be,ef,be,ef,be,ef
+ datatype: binary
+
 # Delete Registry Key MyCompany
 # NOTE: Not specifying a value will delete the root key which means
 # all values will be deleted