Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/0xhasanm/regexplore

Regexplore is a Volatility plugin designed to mimic the functionality of the Registry Explorer plugins in EZsuite
https://github.com/0xhasanm/regexplore

Last synced: 3 months ago
JSON representation

Regexplore is a Volatility plugin designed to mimic the functionality of the Registry Explorer plugins in EZsuite

Host: GitHub
URL: https://github.com/0xhasanm/regexplore
Owner: 0xHasanM
Created: 2023-03-18T22:53:45.000Z (over 1 year ago)
Default Branch: main
Last Pushed: 2023-03-31T02:59:59.000Z (over 1 year ago)
Last Synced: 2024-06-15T09:35:00.761Z (5 months ago)
Language: Python
Homepage:
Size: 114 KB
Stars: 18
Watchers: 1
Forks: 3
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-ChatGPT-repositories - regexplore - Regexplore is a Volatility plugin designed to mimic the functionality of the Registry Explorer plugins in EZsuite (Browser-extensions)

README

# Regexplore

Regexplore is a Volatility plugin designed to mimic the functionality of the Registry Explorer plugins in EZsuite and regripper plugins in volatility. It allows users to list different types of registry information in memory, such as runkeys, connected devices, and more.

## Usage

1. Place the plugin folder in Volatility `volatility3/volatility3/framework/plugins/windows/registry`.

2. Run the plugin using the command `python vol.py windows.registry.regexplore -h` to display the available options and commands.

![image](https://user-images.githubusercontent.com/51376376/227634534-0801b47a-95be-45a9-ba1b-20e8954da444.png)

## Available Commands

### regplg parameter
- `run_all`: export all information in csv files to be feed to splunk, or TimeLineExplorer
- `MountedDevices`: Displays mounted devices including GUIDs and device information
- `AmcacheInventoryApplication`: Amcache-InventoryApplication
- `AmcacheInventoryApplicationFile`: Amcache-InventoryApplicationFile
- `AmcacheInventoryApplicationShortcut`: Amcache-InventoryApplicationShortcut
- `AmcacheInventoryDeviceContainer`: Amcache-InventoryApplicationDeviceContainer
- `AmcacheInventoryDevicePnp`: Amcache-InventoryApplicationDevicePnp
- `AmcacheInventoryDriverBinary`: Amcache-InventoryApplicationDriverBinary
- `AppCompatCache`: Tracks application compatibility. The cache data tracks file path, size, and last modified time. In some cases, an executed flag is also available.
- `AppPaths`: AppPaths Information
- `BamDam`: Extracts program information and last run times from bam and dam keys
- `services`: Lists the services that are automatically started when the system boots up (to-do)
- `devices`: Lists the connected devices on the system (to-do)
- `userassist`: Lists the programs that have been run by the user (to-do)
- `mru`: Lists the most recently used files and applications (to-do)
- `uninstall`: Lists the programs that have been uninstalled on the system (to-do)
- `network`: Lists the network information and connections on the system (to-do)
- `html`: html output (to-do)

### hive parameter
- `SYSTEM`: run all plugins related to SYSTEM hive and extract information in respective csv files.
- `SOFTWARE`: run all plugins related to SOFTWARE hive and extract information in respective csv files.
- `Amcache`: run all plugins related to Amcache hive and extract information in respective csv files.
- `NTUSER`: run all plugins related to NTUSER.dat hive and extract information in respective csv files.

## Contributing

If you find any issues or have suggestions for new features, please feel free to create an issue or submit a pull request. We appreciate your contributions and recommendations to improve the Regexplore plugin!