Merge pull request mandiant#142 from 0ssigeno/log_registry

Adding list_subkeys and create_key log
jimoyong · Apr 12, 2021 · a27d2cd · a27d2cd
2 parents 5bd9d82 + 1717a84
commit a27d2cd
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/speakeasy/winenv/api/usermode/advapi32.py b/speakeasy/winenv/api/usermode/advapi32.py
@@ -273,7 +273,7 @@ def RegEnumKeyEx(self, emu, argv, ctx={}):
                             name = name.encode('utf-8')
                         self.mem_write(lpName, name)
                         rv = windefs.ERROR_SUCCESS
-
+            self.log_registry_access(key.get_path(), "list_subkeys")
         return rv
 
     @apihook('RegCreateKey', argc=3)
@@ -297,7 +297,9 @@ def RegCreateKey(self, emu, argv, ctx={}):
                 if lpSubKey:
                     lpSubKey = self.read_mem_string(lpSubKey, cw)
                     argv[1] = lpSubKey
-                    self.emu.reg_create_key(key.get_path() + '\\' + lpSubKey)
+                    sub_key_path = key.get_path() + '\\' + lpSubKey
+                    self.emu.reg_create_key(sub_key_path)
+                    self.log_registry_access(sub_key_path, "create_key")
                 else:
                     hkey = (hkey).to_bytes(self.get_ptr_size(), 'little')
                     self.mem_write(phkResult, hkey)

diff --git a/speakeasy/winenv/api/usermode/wininet.py b/speakeasy/winenv/api/usermode/wininet.py
@@ -404,6 +404,7 @@ def InternetOpenUrl(self, emu, argv, ctx={}):
             port = 80
         else:
             port = 443
+        self.log_http(crack.netloc, port, headers=lpszHeaders)
         sess = wini.new_session(crack.netloc, port, '', '', '', defs, dwContext)
         if not sess:
             return 0