我正在尝试在我的 Ubuntu 19.10 台式机上安装 RegRipper。RegRipper 是一个可以分析 Windows 注册表文件的程序。可在此处获取:https://github.com/keydet89/RegRipper2.8.git
首先安装Git
sudo apt-get install git
安装 Win32Registry
perl -MCPAN -e 'install Parse::Win32Registry'
安装 Regripper
cd /opt
sudo git clone https://github.com/keydet89/RegRipper2.8.git
sudo mv RegRipper2.8 regripper
sudo chown -R $USER:$USER regripper
制作外壳
# Fix end of line
cd /opt/regripper
sudo cat rip.pl | sed 's|\r$||g' > /tmp/riplin0.pl
# Now fix the first line so linux perl executed
sudo cat /tmp/riplin0.pl | sed "s| c:\\\\perl\\\\bin\\\\perl.exe|`which perl`|" > /tmp/riplin1.pl
# Fix the backslash before the plugins directory
sudo cat /tmp/riplin1.pl | sed 's|plugins\\\\|plugins/|' > riplin.pl
# Make executable
sudo chmod +x riplin.pl
当我尝试执行 riplin 时出现错误:
opt/regripper$ ./riplin.pl -l
在 @INC 中找不到 Parse/Win32Registry.pm(您可能需要安装 Parse::Win32Registry 模块)(@INC 包含:/home/xxx/perl5/lib/perl5/5.28.1/x86_64-linux-gnu-thread-multi /home/xxx/perl5/lib/perl5/5.28.1 /home/xxx/perl5/lib/perl5/x86_64-linux-gnu-thread-multi /home/xxx/perl5/lib/perl5 /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.28.1 /usr/local/share/perl/5.28.1 /usr/lib/x86_64-linux-gnu/perl5/5.28 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.28 /usr/share/perl/5.28 /home/xxx/perl5/lib/perl5/5.28.0 /home/xxx/perl5/lib/perl5/5.28.0/x86_64-linux-gnu-thread-multi /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) 位于 ./riplin.pl 第 29 行。BEGIN 失败--编译中止于 ./riplin.pl 第 29 行。
所以错误是找不到 Parse/Win32Registry.pmriplin.pl 第 29 行显示使用 Parse::Win32Registry qw(:REG_);
riplin.pl
#!/usr/bin/perl
#-------------------------------------------------------------------------
# Rip - RegRipper, CLI version
# Use this utility to run a plugins file or a single plugin against a Reg
# hive file.
#
# Output goes to STDOUT
# Usage: see "_syntax()" function
#
# Change History
# 20190318 - modified code to allow the .exe to be run from anywhere within the file system
# 20190128 - added Time::Local, modifications to module Key.pm
# 20180406 - added "-uP" switch to update profiles
# 20130801 - added File::Spec support, for cross-platform compat.
# 20130716 - added 'push(@INC,$str);' line based on suggestion from
# Hal Pomeranz to support Linux compatibility
# 20130425 - added alertMsg() functionality, updated to v2.8
# 20120506 - updated to v2.5 release
# 20110516 - added -s & -u options for TLN support
# 20090102 - updated code for relative path to plugins dir
# 20080419 - added '-g' switch (experimental)
# 20080412 - added '-c' switch
#
# copyright 2013-2019 Quantum Analytics Research, LLC
# Author: H. Carvey, [email protected]
#
#-------------------------------------------------------------------------
use strict;
use Parse::Win32Registry qw(:REG_);
use Getopt::Long;
use Time::Local;
use File::Spec;
# Included to permit compiling via Perl2Exe
#perl2exe_include "Parse/Win32Registry.pm";
#perl2exe_include "Parse/Win32Registry/Key.pm";
#perl2exe_include "Parse/Win32Registry/Entry.pm";
#perl2exe_include "Parse/Win32Registry/Value.pm";
#perl2exe_include "Parse/Win32Registry/File.pm";
#perl2exe_include "Parse/Win32Registry/Win95/File.pm";
#perl2exe_include "Parse/Win32Registry/Win95/Key.pm";
#perl2exe_include "Encode.pm";
#perl2exe_include "Encode/Byte.pm";
#perl2exe_include "Encode/Unicode.pm";
#perl2exe_include "utf8.pm";
#perl2exe_include "unicore/Heavy.pl";
#perl2exe_include "unicore/To/Upper.pl";
my %config;
Getopt::Long::Configure("prefix_pattern=(-|\/)");
GetOptions(\%config,qw(reg|r=s file|f=s csv|c guess|g user|u=s sys|s=s plugin|p=s update|uP list|l help|?|h));
# Code updated 20090102
my @path;
my $str = $0;
($^O eq "MSWin32") ? (@path = split(/\\/,$0))
: (@path = split(/\//,$0));
$str =~ s/($path[scalar(@path) - 1])//;
# Suggested addition by Hal Pomeranz for compatibility with Linux
#push(@INC,$str);
# code updated 20190318
my $plugindir;
($^O eq "MSWin32") ? ($plugindir = $str."plugins/")
: ($plugindir = File::Spec->catfile("plugins"));
#my $plugindir = $str."plugins/";
#my $plugindir = File::Spec->catfile("plugins");
#print "Plugins Dir = ".$plugindir."\n";
# End code update
my $VERSION = "2\.8_20190318";
my @alerts = ();
if ($config{help} || !%config) {
_syntax();
exit;
}
#-------------------------------------------------------------
#
#-------------------------------------------------------------
if ($config{list}) {
my @plugins;
opendir(DIR,$plugindir) || die "Could not open $plugindir: $!\n";
@plugins = readdir(DIR);
closedir(DIR);
my $count = 1;
print "Plugin,Version,Hive,Description\n" if ($config{csv});
foreach my $p (@plugins) {
next unless ($p =~ m/\.pl$/);
my $pkg = (split(/\./,$p,2))[0];
# $p = $plugindir.$p;
$p = File::Spec->catfile($plugindir,$p);
eval {
require $p;
my $hive = $pkg->getHive();
my $version = $pkg->getVersion();
my $descr = $pkg->getShortDescr();
if ($config{csv}) {
print $pkg.",".$version.",".$hive.",".$descr."\n";
}
else {
print $count.". ".$pkg." v.".$version." [".$hive."]\n";
# printf "%-20s %-10s %-10s\n",$pkg,$version,$hive;
print " - ".$descr."\n\n";
$count++;
}
};
print "Error: $@\n" if ($@);
}
exit;
}
#-------------------------------------------------------------
#
#-------------------------------------------------------------
if ($config{update}) {
my @plugins;
opendir(DIR,$plugindir) || die "Could not open $plugindir: $!\n";
@plugins = readdir(DIR);
closedir(DIR);
# hash of lists to hold plugin names
my %files = ();
foreach my $p (@plugins) {
next unless ($p =~ m/\.pl$/);
# $pkg = name of plugin
my $pkg = (split(/\./,$p,2))[0];
# $p = $plugindir.$p;
$p = File::Spec->catfile($plugindir,$p);
eval {
require $p;
my $hive = $pkg->getHive();
my @hives = split(/,/,$hive);
foreach my $h (@hives) {
my $lch = lc($h);
$lch =~ s/\.dat$//;
$lch =~ s/^\s+//;
push(@{$files{$lch}},$pkg);
}
};
print "Error: $@\n" if ($@);
}
# once hash of lists is populated, print files
foreach my $f (keys %files) {
my $filepath = $plugindir."\\".$f;
open(FH,">",$filepath) || die "Could not open ".$filepath." to write: $!";
for my $i (0..$#{$files{$f}}) {
next if ($files{$f}[$i] =~ m/tln$/);
print FH $files{$f}[$i]."\n";
}
close(FH);
}
exit;
}
#-------------------------------------------------------------
#
#-------------------------------------------------------------
if ($config{file}) {
# First, check that a hive file was identified, and that the path is
# correct
my $hive = $config{reg};
die "You must enter a hive file path/name.\n" if ($hive eq "");
# die $hive." not found.\n" unless (-e $hive);
my %plugins = parsePluginsFile($config{file});
if (%plugins) {
logMsg("Parsed Plugins file.");
}
else {
logMsg("Plugins file not parsed.");
exit;
}
foreach my $i (sort {$a <=> $b} keys %plugins) {
eval {
# require "plugins/".$plugins{$i}."\.pl";
my $plugin_file = File::Spec->catfile($plugindir,$plugins{$i}.".pl");
require $plugin_file;
$plugins{$i}->pluginmain($hive);
};
if ($@) {
logMsg("Error in ".$plugins{$i}.": ".$@);
}
logMsg($plugins{$i}." complete.");
rptMsg("-" x 40);
}
printAlerts();
}
#-------------------------------------------------------------
#
#-------------------------------------------------------------
if ($config{reg} && $config{guess}) {
# Attempt to guess which kind of hive we have
my $hive = $config{reg};
die "You must enter a hive file path/name.\n" if ($hive eq "");
# die $hive." not found.\n" unless (-e $hive);
my $reg;
my $root_key;
my %guess = guessHive($hive);
foreach my $g (keys %guess) {
::rptMsg(sprintf "%-8s = %-2s",$g,$guess{$g});
}
}
#-------------------------------------------------------------
#
#-------------------------------------------------------------
if ($config{plugin}) {
# First, check that a hive file was identified, and that the path is
# correct
my $hive = $config{reg};
die "You must enter a hive file path/name.\n" if ($hive eq "");
# die $hive." not found.\n" unless (-e $hive);
# check to see if the plugin exists
my $plugin = $config{plugin};
# my $pluginfile = $plugindir.$config{plugin}."\.pl";
my $pluginfile = File::Spec->catfile($plugindir,$config{plugin}."\.pl");
die $pluginfile." not found.\n" unless (-e $pluginfile);
eval {
require $pluginfile;
$plugin->pluginmain($hive);
};
if ($@) {
logMsg("Error in ".$pluginfile.": ".$@);
}
printAlerts();
}
sub _syntax {
print<< "EOT";
Rip v.$VERSION - CLI RegRipper tool
Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.
-r Reg hive file...Registry hive file to parse
-g ................Guess the hive file (experimental)
-f [profile].......use the plugin file (default: plugins/plugins)
-p plugin module...use only this module
-l ................list all plugins
-c ................Output list in CSV format (use with -l)
-s system name.....Server name (TLN support)
-u username........User name (TLN support)
-uP ...............Update profiles
-h.................Help (print this information)
Ex: C:\\>rip -r c:\\case\\system -f system
C:\\>rip -r c:\\case\\ntuser.dat -p userassist
C:\\>rip -l -c
All output goes to STDOUT; use redirection (ie, > or >>) to output to a file\.
copyright 2019 Quantum Analytics Research, LLC
EOT
}
#-------------------------------------------------------------
#
#-------------------------------------------------------------
sub logMsg {
print STDERR $_[0]."\n";
}
#-------------------------------------------------------------
#
#-------------------------------------------------------------
sub rptMsg {
binmode STDOUT,":utf8";
if ($config{sys} || $config{user}) {
my @vals = split(/\|/,$_[0],5);
my $str = $vals[0]."|".$vals[1]."|".$config{sys}."|".$config{user}."|".$vals[4];
print $str."\n";
}
else {
print $_[0]."\n";
}
}
#-------------------------------------------------------------
#
#-------------------------------------------------------------
sub alertMsg {
push(@alerts,$_[0]);
}
sub printAlerts {
if (scalar(@alerts) > 0) {
# print "\n";
# print "Alerts\n";
# print "-" x 40,"\n";
foreach (@alerts) {
print $_."\n";
}
}
}
#-------------------------------------------------------------
# parsePluginsFile()
# Parse the plugins file and get a list of plugins
#-------------------------------------------------------------
sub parsePluginsFile {
my $file = $_[0];
my %plugins;
# Parse a file containing a list of plugins
# Future versions of this tool may allow for the analyst to
# choose different plugins files
# my $pluginfile = $plugindir.$file;
my $pluginfile = File::Spec->catfile($plugindir,$file);
if (-e $pluginfile) {
open(FH,"<",$pluginfile);
my $count = 1;
while(<FH>) {
chomp;
next if ($_ =~ m/^#/ || $_ =~ m/^\s+$/);
# next unless ($_ =~ m/\.pl$/);
next if ($_ eq "");
$_ =~ s/^\s+//;
$_ =~ s/\s+$//;
$plugins{$count++} = $_;
}
close(FH);
return %plugins;
}
else {
return undef;
}
}
#-------------------------------------------------------------
# guessHive()
#
#-------------------------------------------------------------
sub guessHive {
my $hive = shift;
my $reg;
my $root_key;
my %guess;
eval {
$reg = Parse::Win32Registry->new($hive);
$root_key = $reg->get_root_key;
};
$guess{unknown} = 1 if ($@);
# Check for SAM
eval {
$guess{sam} = 1 if (my $key = $root_key->get_subkey("SAM\\Domains\\Account\\Users"));
};
# Check for Software
eval {
$guess{software} = 1 if ($root_key->get_subkey("Microsoft\\Windows\\CurrentVersion") &&
$root_key->get_subkey("Microsoft\\Windows NT\\CurrentVersion"));
};
# Check for System
eval {
$guess{system} = 1 if ($root_key->get_subkey("MountedDevices") &&
$root_key->get_subkey("Select"));
};
# Check for Security
eval {
$guess{security} = 1 if ($root_key->get_subkey("Policy\\Accounts") &&
$root_key->get_subkey("Policy\\PolAdtEv"));
};
# Check for NTUSER.DAT
eval {
$guess{ntuser} = 1 if ($root_key->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion"));
};
return %guess;
}
#-------------------------------------------------------------
# getTime()
# Translate FILETIME object (2 DWORDS) to Unix time, to be passed
# to gmtime() or localtime()
#-------------------------------------------------------------
sub getTime($$) {
my $lo = shift;
my $hi = shift;
my $t;
if ($lo == 0 && $hi == 0) {
$t = 0;
} else {
$lo -= 0xd53e8000;
$hi -= 0x019db1de;
$t = int($hi*429.4967296 + $lo/1e7);
};
$t = 0 if ($t < 0);
return $t;
}
答案1
在 Ubuntu 上,你可以使用 apt 安装
apt-get install -y libparse-win32registry-perl -y