blakefrantz revised this gist
Oct 7, 2014 . 1 changed file with 6 additions and 5 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,13 +1,14 @@ // // 010 Editor v4.0.3d Binary Template // // File: RegistryPolicyFileTemplate.bt // Author: Blake Frantz (blakefrantz at gmail dot com) // Revision: 1.1, Last Updated on 6 Oct 2014. // Purpose: Parse registry.pol files. // See http://msdn.microsoft.com/en-us/library/windows/desktop/aa374407(v=vs.85).aspx // // Generate REG commands that align with contents of registry.pol file // const DWORD REG_SZ = 1; const DWORD REG_EXPAND_SZ = 2; @@ -138,9 +139,9 @@ while( !FEof() ) } local int i; local string regCmdPrefix = "REG ADD \"HKLM\\"; local string regCmdPrefixDel = "REG DELETE \"HKLM\\"; for (i=0; i < records; i++) { -
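Review bot: `regCmdPrefix` and `regCmdPrefixDel` hard-code the `HKLM\` hive, so every command this template emits targets machine policy even though a registry.pol record carries only a key path and no hive; the same file format is, as far as I know, also written for user-side policy, where those keys belong under HKCU, so output from such a file would be silently wrong (inferred from the linked format description, not from lines on this page). Consider lifting the hive into one variable and stating the assumption in the header comment, e.g. `local string hive = "HKLM\\";` followed by `local string regCmdPrefix = "REG ADD \"" + hive;` and `local string regCmdPrefixDel = "REG DELETE \"" + hive;`. The same two prefixes are introduced in the Oct 6, 2014 revision further down. The for loop that uses them continues outside this hunk.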
blakefrantz revised this gist
Oct 7, 2014 . 1 changed file with 7 additions and 8 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,14 +1,13 @@ // // 010 Editor v4.0.3d Binary Template // // File: RegistryPolicyFileTemplate.bt // Author: Blake Frantz (blakefrantz at gmail dot com) // Revision: 1.0, Last Updated on 6 Mar 2013. // Purpose: Parse registry.pol files. // See http://msdn.microsoft.com/en-us/library/windows/desktop/aa374407(v=vs.85).aspx // const DWORD REG_SZ = 1; const DWORD REG_EXPAND_SZ = 2; @@ -148,7 +147,7 @@ for (i=0; i < records; i++) if(WStrnicmp(record[i].ValueName, "**Del.", 6) == 0 ) { Printf("%s%s\" /v \"%s\" /f", regCmdPrefixDel, record[i].Key, StrDel(record[i].ValueName,0,6)); // Printf("ValueName '%s' will be deleted from '%s'", SubStr(record[i].ValueName, 6), record[i].Key); } else if(WStrnicmp(record[i].ValueName, "**DeleteValues", 14) == 0 ) @@ -174,20 +173,20 @@ for (i=0; i < records; i++) } else if(record[i].Type == REG_DWORD) { Printf("%s%s\" /v \"%s\" /t REG_DWORD /d %d /f", regCmdPrefix, record[i].Key, record[i].ValueName, record[i].Data.Int); } else if(record[i].Type == REG_SZ) { Printf("%s%s\" /v \"%s\" /t REG_SZ /d \"%s\" /f", regCmdPrefix, record[i].Key, record[i].ValueName, record[i].Data.String); } else if(record[i].Type == REG_EXPAND_SZ) { Printf("%s%s\" /v \"%s\" /t REG_EXPAND_SZ /d \"%s\" /f", regCmdPrefix, record[i].Key, record[i].ValueName, record[i].Data.String); } else if(record[i].Type == REG_BINARY) { Printf("%s%s\" /v \"%s\" /t REG_BINARY /d %s /f", regCmdPrefix, record[i].Key, record[i].ValueName); } else if(record[i].Type == REG_MULTI_SZ) { -
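Review bot: The REG_BINARY branch still has `/d %s` with nothing bound to it — the format string holds four `%s` while only `regCmdPrefix, record[i].Key, record[i].ValueName` are passed, so the binary payload never reaches the command and Printf is given fewer arguments than specifiers. The data would have to be rendered as a hex string from `record[i].Data.Raw` over `DataSize` bytes and passed as the fourth argument; the same missing argument is present in the Oct 6, 2014 revision below, where the branch was introduced. Note also that quoting `/v \"%s\"` and `/d \"%s\"` does not escape a `"` that appears inside ValueName or Data.String, so a value containing a quote still closes the argument early and changes what the emitted command does once the output is run; the quote (and any other shell-significant character) should be escaped or the record skipped with a warning. The enclosing for loop starts and ends outside this hunk.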
blakefrantz revised this gist
Oct 6, 2014 . 1 changed file with 2 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,3 @@ // // 010 Editor v4.0.3d Binary Template // @@ -8,6 +7,8 @@ // Purpose: Parse registry.pol files. // See http://msdn.microsoft.com/en-us/library/windows/desktop/aa374407(v=vs.85).aspx // // Outputs a series of REG.EXE commands to implement the .POL file. // const DWORD REG_SZ = 1; const DWORD REG_EXPAND_SZ = 2; -
blakefrantz revised this gist
Oct 6, 2014 . 1 changed file with 86 additions and 27 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,19 +1,20 @@ // // 010 Editor v4.0.3d Binary Template // // File: RegistryPolicyFileTemplate.bt // Author: Blake Frantz (blakefrantz at gmail dot com) // Revision: 1.0, Last Updated on 6 Oct 2014. // Purpose: Parse registry.pol files. // See http://msdn.microsoft.com/en-us/library/windows/desktop/aa374407(v=vs.85).aspx // const DWORD REG_SZ = 1; const DWORD REG_EXPAND_SZ = 2; const DWORD REG_BINARY = 3; const DWORD REG_DWORD = 4; const DWORD REG_MULTI_SZ = 7; typedef struct { CHAR LBRACKET[2] <hidden=true>; @@ -30,15 +31,15 @@ typedef struct DWORD Int; wstring String; } Data; CHAR RBRACKET[2] <hidden=true>; } REGISTRY_RECORD <comment=RegistryRecordComment>; string DataValueTypeComment( DWORD type ) { string comment = ""; switch ( type ) { case REG_SZ : comment = "REG_SZ"; break; @@ -48,20 +49,20 @@ string DataValueTypeComment( DWORD type ) case REG_MULTI_SZ : comment = "REG_MULTI_SZ"; break; default : comment = "UNKNOWN_TYPE"; break; } return comment; } string RegistryRecordComment( REGISTRY_RECORD &record ) { string comment; uchar tempBuffer[ sizeof(record) ]; ReadBytes( tempBuffer, startof(record), sizeof(record) ); string result; ChecksumAlgArrayStr( CHECKSUM_CRC32, result, tempBuffer, sizeof(record)); if(WStrnicmp(record.ValueName, "**Del.", 6) == 0 ) { SPrintf(comment, "ValueName '%s' will be deleted from '%s'. CRC=%s", SubStr(record.ValueName, 6), record.Key, result); @@ -88,7 +89,7 @@ string RegistryRecordComment( REGISTRY_RECORD &record ) } else if(record.Type == REG_DWORD) { SPrintf(comment, "%s:%s = (REG_DWORD) %d. CRC=%s", record.Key, record.ValueName, record.Data.Int, result); } else if(record.Type == REG_SZ) { 
@@ -110,35 +111,93 @@ string RegistryRecordComment( REGISTRY_RECORD &record ) { SPrintf(comment, "%s:%s (%s)", record.Key, record.ValueName, result); } return comment; } BigEndian(); DWORD REGFILE_SIGNATURE; LittleEndian(); DWORD REGISTRY_FILE_VERSION; if (REGFILE_SIGNATURE !=0x50526567 || REGISTRY_FILE_VERSION != 0x01 ) { Warning( "File is not Registry Policy File Format Version 1. Template stopped." ); return -1; } local int records = 0; while( !FEof() ) { REGISTRY_RECORD record; records++; } local int i; local string regCmdPrefix = "REG ADD \"HKLM\\"; local string regCmdPrefixDel = "REG DELETE \"HKLM\\"; for (i=0; i < records; i++) { if(WStrnicmp(record[i].ValueName, "**Del.", 6) == 0 ) { Printf("%s%s\" /v %s /f", regCmdPrefixDel, record[i].Key, StrDel(record[i].ValueName,0,6)); // Printf("ValueName '%s' will be deleted from '%s'", SubStr(record[i].ValueName, 6), record[i].Key); } else if(WStrnicmp(record[i].ValueName, "**DeleteValues", 14) == 0 ) { Printf("ValueNames '%s' will be deleted from '%s'", SubStr(record[i].ValueName, 14), record[i].Key); } else if(WStrnicmp(record[i].ValueName, "**DelVals", 9) == 0 ) { Printf("%s%s\" /va /f", regCmdPrefixDel, record[i].Key); // Printf("All ValueNames under '%s' will be deleted", record[i].Key); } else if(WStrnicmp(record[i].ValueName, "**DeleteKeys", 12) == 0 ) { Printf("Keys '%s' under '%s' will be deleted", SubStr(record[i].ValueName, 12), record[i].Key); } else if(WStrnicmp(record[i].ValueName, "**SecureKey=0", 13) == 0 ) { Printf("The DACL on '%s' will be reset to align with the root's DACL", record[i].Key); } else if(WStrnicmp(record[i].ValueName, "**SecureKey=1", 13) == 0 ) { Printf("The DACL on '%s' will be set as follows: Administrators, SYSTEM = Full; Users = Read Only", record[i].Key); } else if(record[i].Type == REG_DWORD) { Printf("%s%s\" /v %s /t REG_DWORD /d %d /f", regCmdPrefix, record[i].Key, record[i].ValueName, record[i].Data.Int); } else if(record[i].Type == REG_SZ) { Printf("%s%s\" /v %s /t REG_SZ 
/d \"%s\" /f", regCmdPrefix, record[i].Key, record[i].ValueName, record[i].Data.String); } else if(record[i].Type == REG_EXPAND_SZ) { Printf("%s%s\" /v %s /t REG_EXPAND_SZ /d \"%s\" /f", regCmdPrefix, record[i].Key, record[i].ValueName, record[i].Data.String); } else if(record[i].Type == REG_BINARY) { Printf("%s%s\" /v %s /t REG_BINARY /d %s /f", regCmdPrefix, record[i].Key, record[i].ValueName); } else if(record[i].Type == REG_MULTI_SZ) { Printf("WARNING: Unsupported '%s%s' /v '%s' /t REG_MULTI_SZ /d %s", regCndPrefix, record[i].Key, record[i].ValueName); } else { Printf("WARNING: Unsupported '%s:%s' Type = (%d)", record[i].Key, record[i].ValueName, record[i].Type); } Printf("\n"); // Printf("%s\\%s\n", record[i].Key, record[i].ValueName); } -
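Review bot: The REG_MULTI_SZ branch references `regCndPrefix`, which is declared nowhere (the variable introduced earlier in this hunk is `regCmdPrefix`), and its format string has four `%s` for three arguments, so the first multi-string record hits an undefined identifier instead of a warning line. Change it to `Printf("WARNING: Unsupported '%s%s' /v '%s' /t REG_MULTI_SZ", regCmdPrefix, record[i].Key, record[i].ValueName);`. Separately, the `**DeleteValues`, `**DeleteKeys` and `**SecureKey=*` branches print plain sentences in between REG commands; if the output is captured as a script those lines are executed as commands, so emitting them as comments, e.g. `Printf("REM Keys '%s' under '%s' will be deleted", ...)`, keeps the script runnable while preserving the information and makes the unsupported policy actions visible to whoever reviews it. The for loop begins and ends within this hunk.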
blakefrantz created this gist
Feb 3, 2014 .
@@ -0,0 +1,144 @@ // // 010 Editor v4.0.3d Binary Template // // File: RegistryPolicyFileTemplate.bt // Author: Blake Frantz (blakefrantz at gmail dot com) // Revision: 1.0, Last Updated on 6 Mar 2013. // Purpose: Parse registry.pol files. // See http://msdn.microsoft.com/en-us/library/windows/desktop/aa374407(v=vs.85).aspx // const DWORD REG_SZ = 1; const DWORD REG_EXPAND_SZ = 2; const DWORD REG_BINARY = 3; const DWORD REG_DWORD = 4; const DWORD REG_MULTI_SZ = 7; typedef struct { CHAR LBRACKET[2] <hidden=true>; wstring Key; SHORT seperator0 <hidden=true>; wstring ValueName; SHORT seperator1 <hidden=true>; DWORD Type <comment=DataValueTypeComment>; SHORT seperator2 <hidden=true>; DWORD DataSize; SHORT seperator3 <hidden=true>; union { UBYTE Raw[DataSize]; DWORD Int; wstring String; } Data; CHAR RBRACKET[2] <hidden=true>; } REGISTRY_RECORD <comment=RegistryRecordComment>; string DataValueTypeComment( DWORD type ) { string comment = ""; switch ( type ) { case REG_SZ : comment = "REG_SZ"; break; case REG_EXPAND_SZ: comment = "REG_EXPAND_SZ"; break; case REG_BINARY : comment = "REG_BINARY"; break; case REG_DWORD : comment = "REG_DWORD"; break; case REG_MULTI_SZ : comment = "REG_MULTI_SZ"; break; default : comment = "UNKNOWN_TYPE"; break; } return comment; } string RegistryRecordComment( REGISTRY_RECORD &record ) { string comment; uchar tempBuffer[ sizeof(record) ]; ReadBytes( tempBuffer, startof(record), sizeof(record) ); string result; ChecksumAlgArrayStr( CHECKSUM_CRC32, result, tempBuffer, sizeof(record)); if(WStrnicmp(record.ValueName, "**Del.", 6) == 0 ) { SPrintf(comment, "ValueName '%s' will be deleted from '%s'. CRC=%s", SubStr(record.ValueName, 6), record.Key, result); } else if(WStrnicmp(record.ValueName, "**DeleteValues", 14) == 0 ) { SPrintf(comment, "ValueNames '%s' will be deleted from '%s'. 
CRC=%s", SubStr(record.ValueName, 14), record.Key, result); } else if(WStrnicmp(record.ValueName, "**DelVals", 9) == 0 ) { SPrintf(comment, "All ValueNames under '%s' will be deleted. CRC=%s", record.Key, result); } else if(WStrnicmp(record.ValueName, "**DeleteKeys", 12) == 0 ) { SPrintf(comment, "Keys '%s' under '%s' will be deleted. CRC=%s", SubStr(record.ValueName, 12), record.Key, result); } else if(WStrnicmp(record.ValueName, "**SecureKey=0", 13) == 0 ) { SPrintf(comment, "The DACL on '%s' will be reset to align with the root's DACL. CRC=%s", record.Key, result); } else if(WStrnicmp(record.ValueName, "**SecureKey=1", 13) == 0 ) { SPrintf(comment, "The DACL on '%s' will be set as follows: Administrators, SYSTEM = Full; Users = Read Only. CRC=%s", record.Key, result); } else if(record.Type == REG_DWORD) { SPrintf(comment, "%s:%s = (REG_DWORD) %d. CRC=%s", record.Key, record.ValueName, record.Data.Int, result); } else if(record.Type == REG_SZ) { SPrintf(comment, "%s:%s = (REG_SZ) '%s'. CRC=%s", record.Key, record.ValueName, record.Data.String, result); } else if(record.Type == REG_EXPAND_SZ) { SPrintf(comment, "%s:%s = (REG_EXPAND_SZ) ... CRC=%s", record.Key, record.ValueName, result); } else if(record.Type == REG_BINARY) { SPrintf(comment, "%s:%s = (REG_BINARY) ... CRC=%s", record.Key, record.ValueName, result); } else if(record.Type == REG_MULTI_SZ) { SPrintf(comment, "%s:%s = (REG_MULTI_SZ) ... CRC=%s", record.Key, record.ValueName, result); } else { SPrintf(comment, "%s:%s (%s)", record.Key, record.ValueName, result); } return comment; } BigEndian(); DWORD REGFILE_SIGNATURE; LittleEndian(); DWORD REGISTRY_FILE_VERSION; if (REGFILE_SIGNATURE !=0x50526567 || REGISTRY_FILE_VERSION != 0x01 ) { Warning( "File is not Registry Policy File Format Version 1. Template stopped." ); return -1; } local int records = 0; while( !FEof() ) { REGISTRY_RECORD record; records++; } local int i; for (i=0; i < records; i++) { Printf("%s\\%s\n", record[i].Key, record[i].ValueName); }
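Review bot: The `Data` union is not bounded by `DataSize`: `DWORD Int` and `wstring String` are read unconditionally alongside `UBYTE Raw[DataSize]`, and in 010 Editor a union occupies the size of its largest member (worth confirming against the template docs), so a REG_BINARY value shorter than four bytes, or one whose bytes contain no UTF-16 terminator, makes the record wider than DataSize and every following `RBRACKET` and record is parsed from the wrong offset. Because the records come straight from the file under inspection, a truncated, malformed or deliberately odd registry.pol derails the whole parse instead of producing a visible error, which matters when the template is used to review policy files of unknown provenance. Selecting the member from `Type` and `DataSize` keeps each record exactly DataSize bytes wide; accessor code such as RegistryRecordComment then needs `exists(record.Data.Int)`-style guards before reading a member, since the members become conditional. The struct and both comment functions are fully within this section.
```c
    DWORD DataSize;
    SHORT seperator3 <hidden=true>;
    // member chosen by Type/DataSize so the record stays exactly DataSize bytes wide
    struct {
        if (Type == REG_DWORD && DataSize == 4)
            DWORD Int;
        else if ((Type == REG_SZ || Type == REG_EXPAND_SZ) && DataSize >= 2 && (DataSize % 2) == 0)
            wchar_t String[DataSize / 2];
        else
            UBYTE Raw[DataSize];
    } Data;
    CHAR RBRACKET[2] <hidden=true>;
```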