impacket icon indicating copy to clipboard operation
impacket copied to clipboard
verified publisher icon fortra

Can't add REG_MULTI_SZ registry values using reg.py

Open gabrielg5 opened this issue 1 year ago • 3 comments

Configuration

impacket version: 0.11.0 Python version: N/A Target OS: Windows

There's no way to add multi string keys in the registry using reg.py example.

According to MS documentation https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types value should be

A sequence of null-terminated strings, terminated by an empty string (\0).

Here it can be seen how winreg is handling it -> https://github.com/python/cpython/blob/main/PC/winreg.c#L660

I guess we should define a syntax on how different strings will be passed to the script.

Additional context

As a side note, reading MULTI_SZ keys is ommiting the separation. For example

multi

└─$ python reg.py <domain>/<user>@<target> query -keyName "HKCU\TEST" -v multi
Impacket v0.12.0.dev1+20240318.182010.0d2b72ae - Copyright 2023 Fortra

Password:
HKCU\TEST
        multi   REG_MULTI_SZ     line 1line 2line3

gabrielg5 avatar Mar 20 '24 14:03 gabrielg5

Hey just noticed this from the other issue I was tagged in. If I'm not understanding it, ignore me, but you can pass them in as a list (including data with spaces, just quote it) and parse it with argparse with the "nargs" set to "+" (or * if you want to be able to accept no data as well): https://docs.python.org/3/library/argparse.html#nargs

An example command would look like: python reg.py <domain>/<user>@<target> add -keyName <whatever> -v <whatever> -vt REG_MULTI_SZ -vd First Second 'Multi Space' Fourth

This will be a list like: ['First', 'Second' 'Multi Space', 'Fourth'] which you can then concat together with NULL strings inbetween and an empty string at the end (going off of the documentation that's what it wants).

Marshall-Hallenbeck avatar Mar 20 '24 16:03 Marshall-Hallenbeck

An example command would look like: python reg.py <domain>/<user>@<target> add -keyName <whatever> -v <whatever> -vt REG_MULTI_SZ -vd First Second 'Multi Space' Fourth

Really like this format. @Marshall-Hallenbeck 👍

mubix avatar Mar 21 '24 13:03 mubix

For clarity I would have used this format:

python reg.py "<domain>/<user>@<target>" add -keyName "<whatever>" -v "<whatever>" -vt "REG_MULTI_SZ" -vd "First" -vd "Second" -vd "Multi Space" -vd "Fourth"

In my opinion this would be clearer in the command line syntax. We could use the parseargs append action, and the following line:

https://github.com/fortra/impacket/blob/269ce69872f0e8f2188a80addb0c39fedfa6dcb8/examples/reg.py#L562-L563

Would become:

    add_parser.add_argument('-vd', action='append', metavar="VALUEDATA", required=False, help='Specifies the registry '
                           'value data that is to be set.', default=[''])

What do you think?

p0dalirius avatar May 20 '24 14:05 p0dalirius

Implemented in #1785

gabrielg5 avatar Aug 06 '24 21:08 gabrielg5