From 0af3e6af24ab59d7931ca268a4e51608914e5297 Mon Sep 17 00:00:00 2001
From: hulto <7121375+hulto@users.noreply.github.com>
Date: Tue, 20 Feb 2024 21:19:35 -0800
Subject: [PATCH 1/4] Add new tome
---
tavern/tomes/get_registry/main.eldritch | 15 +++++++++++++++
tavern/tomes/get_registry/metadata.yml | 14 ++++++++++++++
2 files changed, 29 insertions(+)
create mode 100644 tavern/tomes/get_registry/main.eldritch
create mode 100644 tavern/tomes/get_registry/metadata.yml
diff --git a/tavern/tomes/get_registry/main.eldritch b/tavern/tomes/get_registry/main.eldritch
new file mode 100644
index 000000000..0bfd13cb1
--- /dev/null
+++ b/tavern/tomes/get_registry/main.eldritch
@@ -0,0 +1,15 @@
+def pad_key(key, max_len):
+ res = key+" "*(max_len-len(key))
+ return res
+
+def get_registry(hive, path):
+ res = sys.get_reg(hive, path)
+ max_len = max([ len(i) for i in res.keys()])
+ for k in res:
+ v = res[k]
+ pk = pad_key(k,max_len)
+ print(f"{pk} : {v}")
+
+get_registry(input_params['hive'], input_params['path'])
+print()
+
diff --git a/tavern/tomes/get_registry/metadata.yml b/tavern/tomes/get_registry/metadata.yml
new file mode 100644
index 000000000..525c6b5c9
--- /dev/null
+++ b/tavern/tomes/get_registry/metadata.yml
@@ -0,0 +1,14 @@
+name: Get Registry
+description: List the subkeys and their values at a provided hive and path.
+author: hulto
+support_model: FIRST_PARTY
+tactic: RECON
+paramdefs:
+- name: hive
+ type: string
+ label: Registry hive
+ placeholder: "HKEY_LOCAL_MACHINE"
+- name: path
+ type: string
+ label: Registry key path
+ placeholder: "SOFTWARE\\Microsoft\\Windows\\CurrentVersion" # Single backslash can be used too but you may encounter issues if you specify "\x64" as that's hex.
From 2380616ece7b18d085c7fbdc087849bff40a08a7 Mon Sep 17 00:00:00 2001
From: Hulto <7121375+hulto@users.noreply.github.com>
Date: Sat, 24 Feb 2024 00:33:00 +0000
Subject: [PATCH 2/4] Implement, test, docs
---
docs/_docs/user-guide/eldritch.md | 6 ++
implants/lib/eldritch/src/file/mod.rs | 5 ++
.../lib/eldritch/src/file/parent_dir_impl.rs | 69 +++++++++++++++++++
3 files changed, 80 insertions(+)
create mode 100644 implants/lib/eldritch/src/file/parent_dir_impl.rs
diff --git a/docs/_docs/user-guide/eldritch.md b/docs/_docs/user-guide/eldritch.md
index 2132a69be..dd4779872 100644
--- a/docs/_docs/user-guide/eldritch.md
+++ b/docs/_docs/user-guide/eldritch.md
@@ -346,6 +346,12 @@ The file.mkdir method will make a new directory at `path`. If the parent
The file.moveto method moves a file or directory from `src` to `dst`. If the `dst` directory or file exists it will be deleted before being replaced to ensure consistency across systems.
+### file.parent_dir
+
+`file.parent_dir(path: str) -> str`
+
+The file.parent_dir method returns the parent directory of a give path. Eg `/etc/ssh/sshd_config` -> `/etc/ssh`
+
### file.read
`file.read(path: str) -> str`
diff --git a/implants/lib/eldritch/src/file/mod.rs b/implants/lib/eldritch/src/file/mod.rs
index c7b1a6d99..a02cfbe8e 100644
--- a/implants/lib/eldritch/src/file/mod.rs
+++ b/implants/lib/eldritch/src/file/mod.rs
@@ -9,6 +9,7 @@ mod is_file_impl;
mod list_impl;
mod mkdir_impl;
mod moveto_impl;
+mod parent_dir_impl;
mod read_impl;
mod remove_impl;
mod replace_all_impl;
@@ -130,6 +131,10 @@ fn methods(builder: &mut MethodsBuilder) {
moveto_impl::moveto(old, new)?;
Ok(NoneType{})
}
+ #[allow(unused_variables)]
+ fn parent_dir(this: &FileLibrary, path: String) -> anyhow::Result {
+ parent_dir_impl::parent_dir(path)
+ }
#[allow(unused_variables)]
fn replace_all(this: &FileLibrary, path: String, pattern: String, value: String) -> anyhow::Result {
diff --git a/implants/lib/eldritch/src/file/parent_dir_impl.rs b/implants/lib/eldritch/src/file/parent_dir_impl.rs
new file mode 100644
index 000000000..79be18f07
--- /dev/null
+++ b/implants/lib/eldritch/src/file/parent_dir_impl.rs
@@ -0,0 +1,69 @@
+use anyhow::{Context, Result};
+use std::path::PathBuf;
+
+pub fn parent_dir(path: String) -> Result {
+ let mut res = PathBuf::from(&path);
+ res.pop();
+ Ok(res
+ .to_str()
+ .context("Failed to convert to str")?
+ .to_string())
+}
+
+#[cfg(test)]
+mod test {
+ use crate::runtime::Message;
+ use pb::eldritch::Tome;
+ use std::collections::HashMap;
+
+ macro_rules! test_cases {
+ ($($name:ident: $value:expr,)*) => {
+ $(
+ #[tokio::test]
+ async fn $name() {
+ let tc: TestCase = $value;
+
+ // Run Eldritch (until finished)
+ let mut runtime = crate::start(tc.id, tc.tome).await;
+ runtime.finish().await;
+
+ // Read Messages
+ let mut found = false;
+ for msg in runtime.messages() {
+ if let Message::ReportText(m) = msg {
+ assert_eq!(tc.id, m.id);
+ assert_eq!(tc.want_text, m.text);
+ found = true;
+ }
+ }
+ assert!(found);
+ }
+ )*
+ }
+ }
+
+ struct TestCase {
+ pub id: i64,
+ pub tome: Tome,
+ pub want_text: String,
+ }
+
+
+ test_cases! {
+ simple_ssh: TestCase{
+ id: 123,
+ tome: Tome{
+ eldritch: String::from(r#"print(file.parent_dir(input_params['path']))"#),
+ #[cfg(target_os="linux")]
+ parameters: HashMap::from([(String::from("path"),String::from("/etc/ssh/sshd_config"))]),
+ #[cfg(target_os="windows")]
+ parameters: HashMap::from([(String::from("path"),String::from("C:\\ProgramData\\ssh\\sshd_config"))]),
+ file_names: Vec::new(),
+ },
+ #[cfg(target_os="linux")]
+ want_text: String::from("/etc/ssh\n"),
+ #[cfg(target_os="windows")]
+ want_text: String::from("C:\\ProgramData\\ssh\n"),
+ },
+ }
+}
From a9ecad45e2e449a5d12d08e33cd64ab18487921b Mon Sep 17 00:00:00 2001
From: Hulto <7121375+hulto@users.noreply.github.com>
Date: Sat, 24 Feb 2024 00:44:31 +0000
Subject: [PATCH 3/4] Fix mod test.
---
implants/lib/eldritch/src/runtime/mod.rs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/implants/lib/eldritch/src/runtime/mod.rs b/implants/lib/eldritch/src/runtime/mod.rs
index 1a8d7b449..1c6bd7b1a 100644
--- a/implants/lib/eldritch/src/runtime/mod.rs
+++ b/implants/lib/eldritch/src/runtime/mod.rs
@@ -89,7 +89,7 @@ mod tests {
parameters: HashMap::new(),
file_names: Vec::new(),
},
- want_text: format!("{}\n", r#"["append", "compress", "copy", "exists", "find", "follow", "is_dir", "is_file", "list", "mkdir", "moveto", "read", "remove", "replace", "replace_all", "template", "timestomp", "write"]"#),
+ want_text: format!("{}\n", r#"["append", "compress", "copy", "exists", "find", "follow", "is_dir", "is_file", "list", "mkdir", "moveto", "parent_dir", "read", "remove", "replace", "replace_all", "template", "timestomp", "write"]"#),
want_error: None,
},
process_bindings: TestCase {
From 34c67c8b6fdfd4ca4d170f82bcf1ba71fb3b6428 Mon Sep 17 00:00:00 2001
From: Hulto <7121375+hulto@users.noreply.github.com>
Date: Sat, 24 Feb 2024 01:04:07 +0000
Subject: [PATCH 4/4] fix for osx
---
implants/lib/eldritch/src/file/parent_dir_impl.rs | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/implants/lib/eldritch/src/file/parent_dir_impl.rs b/implants/lib/eldritch/src/file/parent_dir_impl.rs
index 79be18f07..8a15db5a0 100644
--- a/implants/lib/eldritch/src/file/parent_dir_impl.rs
+++ b/implants/lib/eldritch/src/file/parent_dir_impl.rs
@@ -54,13 +54,13 @@ mod test {
id: 123,
tome: Tome{
eldritch: String::from(r#"print(file.parent_dir(input_params['path']))"#),
- #[cfg(target_os="linux")]
+ #[cfg(not(target_os="windows"))]
parameters: HashMap::from([(String::from("path"),String::from("/etc/ssh/sshd_config"))]),
#[cfg(target_os="windows")]
parameters: HashMap::from([(String::from("path"),String::from("C:\\ProgramData\\ssh\\sshd_config"))]),
file_names: Vec::new(),
},
- #[cfg(target_os="linux")]
+ #[cfg(not(target_os="windows"))]
want_text: String::from("/etc/ssh\n"),
#[cfg(target_os="windows")]
want_text: String::from("C:\\ProgramData\\ssh\n"),