Skip to content
/ regexplore Public

Regexplore is a Volatility plugin designed to mimic the functionality of the Registry Explorer plugins in EZsuite

18 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

0xHasanM/regexplore

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

50 Commits
__pycache__
__pycache__
 
 
registryplugins
registryplugins
 
 
README.md
README.md
 
 
__init__.py
__init__.py
 
 
regexplore.py
regexplore.py
 
 

Repository files navigation

Regexplore

Regexplore is a Volatility plugin designed to mimic the functionality of the Registry Explorer plugins in EZsuite and regripper plugins in volatility. It allows users to list different types of registry information in memory, such as runkeys, connected devices, and more.

Usage

  1. Place the plugin folder in Volatility volatility3/volatility3/framework/plugins/windows/registry.

  2. Run the plugin using the command python vol.py windows.registry.regexplore -h to display the available options and commands.

image

Available Commands

regplg parameter

  • run_all: export all information in csv files to be feed to splunk, or TimeLineExplorer
  • MountedDevices: Displays mounted devices including GUIDs and device information
  • AmcacheInventoryApplication: Amcache-InventoryApplication
  • AmcacheInventoryApplicationFile: Amcache-InventoryApplicationFile
  • AmcacheInventoryApplicationShortcut: Amcache-InventoryApplicationShortcut
  • AmcacheInventoryDeviceContainer: Amcache-InventoryApplicationDeviceContainer
  • AmcacheInventoryDevicePnp: Amcache-InventoryApplicationDevicePnp
  • AmcacheInventoryDriverBinary: Amcache-InventoryApplicationDriverBinary
  • AppCompatCache: Tracks application compatibility. The cache data tracks file path, size, and last modified time. In some cases, an executed flag is also available.
  • AppPaths: AppPaths Information
  • BamDam: Extracts program information and last run times from bam and dam keys
  • services: Lists the services that are automatically started when the system boots up (to-do)
  • devices: Lists the connected devices on the system (to-do)
  • userassist: Lists the programs that have been run by the user (to-do)
  • mru: Lists the most recently used files and applications (to-do)
  • uninstall: Lists the programs that have been uninstalled on the system (to-do)
  • network: Lists the network information and connections on the system (to-do)
  • html: html output (to-do)

hive parameter

  • SYSTEM: run all plugins related to SYSTEM hive and extract information in respective csv files.
  • SOFTWARE: run all plugins related to SOFTWARE hive and extract information in respective csv files.
  • Amcache: run all plugins related to Amcache hive and extract information in respective csv files.
  • NTUSER: run all plugins related to NTUSER.dat hive and extract information in respective csv files.

Contributing

If you find any issues or have suggestions for new features, please feel free to create an issue or submit a pull request. We appreciate your contributions and recommendations to improve the Regexplore plugin!

About

Regexplore is a Volatility plugin designed to mimic the functionality of the Registry Explorer plugins in EZsuite

Resources

Readme
Activity

Stars

18 stars

Watchers

1 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages