[Plugins] plugins20130418 一覧
plugins20130418
| プラグイン名 | 処理内容 |
|---|---|
| acmru.pl | Gets contents of user's ACMru key |
| adoberdr.pl | Parse Adobe Reader MRU keys |
| aim.pl | Gets info from the AOL Instant Messenger (not AIM) install |
| all | |
| all-all | |
| aports.pl | Extracts the install path for SmartLine Inc. Active Ports. |
| appcertdlls.pl | Get entries from AppCertDlls key |
| appcompatcache.pl | Parse files from System hive Shim Cache |
| appcompatcache_tln.pl | |
| appcompatflags.pl | This is a list of applications configured to run in compatibility mode. |
| appinitdlls.pl | Gets contents of AppInit_DLLs value |
| applets.pl | Windows\CurrentVersion\Applets Recent File List values |
| applets_tln.pl | |
| apppaths.pl | "Gets contents of App Paths subkeys from the Software hivediplaying the EXE name and path" |
| appspecific.pl | Gets contents of user's Intellipoint\\AppSpecific subkeys |
| ares.pl | Gets contents of user's Software/Ares key |
| arpcache.pl | Retrieves CurrentVersion\App Management\ARPCache entries |
| assoc.pl | Get list of file ext associations |
| attachmgr.pl | Checks user's keys that manage the Attachment Manager functionality |
| auditfail.pl | Get CrashOnAuditFail value |
| auditpol.pl | Get audit policy from the Security hive file |
| autoendtasks.pl | Automatically end a non-responsive task |
| autorun.pl | Gets autorun settings |
| backuprestore.pl | " Gets the contents of the FilesNotToSnapshot KeysNotToRestore and FilesNotToBackup keys" |
| bagtest.pl | "banner no change to the version number" |
| bagtest2.pl | "banner no change to the version number" |
| banner.pl | Get HKLM\SOFTWARE.. Logon Banner Values |
| baseline.pl | "Scans a hive file checking sizes of binary value data" |
| bho.pl | Gets Browser Helper Objects from Software hive |
| bitbucket.pl | Get HKLM\\..\\BitBucket keys\\values |
| bitbucket_user.pl | TEST - Get user BitBucket values |
| brisv.pl | Plugin to detect the presence of Trojan.Brisv.A |
| btconfig.pl | Determines BlueTooth devices 'seen' by BroadComm drivers |
| bthport.pl | Gets Bluetooth-connected devices from System hive |
| cain.pl | Extracts details for Cain & Abel by oxid.it |
| ccleaner.pl | Gets CCleaner User Settings |
| clampi.pl | Checks keys/values set by new version of Trojan.Clampi |
| clampitm.pl | Checks keys/values set by new version of Trojan.Clampi |
| clsid.pl | Get list of CLSID/registered classes |
| cmd_shell.pl | Gets shell open cmds for various file types |
| cmd_shell_u.pl | Gets shell open cmds for various file types from USRCLASS\.DAT |
| cmdproc.pl | Checks key for files to autostart from cmd.exe |
| codeid.pl | Get DefaultLevel value from CodeIdentifiers key |
| comdlg32.pl | Gets contents of user's ComDlg32 key |
| comdlg32a.pl | Gets contents of user's ComDlg32 key |
| compatassist.pl | Checks user's Compatibility Assistant\\Persisted values |
| compdesc.pl | Gets contents of user's ComputerDescriptions key |
| compname.pl | Gets ComputerName and Hostname values from System hive |
| controlpanel.pl | Vista ControlPanel key seems to contain some interesting info about the user's activities... |
| cpldontload.pl | Gets contents of user's Control Panel don't load key |
| crashcontrol.pl | Get crash control information |
| crashdump.pl | Gets crashdump settings from System hive |
| ctrlpnl.pl | Get Control Panel info from Software hive |
| ddm.pl | Get DDM data from Control Subkey |
| decaf.pl | Extracts the EULA value for DECAF. |
| defbrowser.pl | Gets default browser setting from HKLM |
| dependency_walker.pl | Extracts Recent File List for Dependency Walker. |
| devclass.pl | Get USB device info from the DeviceClasses keys in the System hive |
| dfrg.pl | Gets content of Dfrg BootOptim. key |
| diag_sr.pl | Get Diag\\SystemRestore values and data |
| direct.pl | Searches Direct* keys for MostRecentApplication subkeys |
| direct_tln.pl | |
| disablelastaccess.pl | Get NTFSDisableLastAccessUpdate value |
| disablesr.pl | Gets the value that turns System Restore either on or off |
| dllsearch.pl | Get crash control information |
| dnschanger.pl | Check for indication of DNSChanger infection. |
| domains.pl | Gets contents Internet Settings\ZoneMap\Domains key |
| drivers32.pl | Get values from the Drivers32 key |
| drwatson.pl | Gets Dr. Watson settings from Software hive |
| emdmgmt.pl | Gets contents of EMDMgmt subkeys and values |
| environment.pl | Extracts user's Environment paths from NTUSER.DAT |
| esent.pl | Get ESENT\\Process key contents |
| eventlog.pl | Get EventLog configuration info |
| eventlogs.pl | Gets Event Log settings from System hive |
| fileexts.pl | Get user FileExts values |
| filehistory.pl | Get filehistory settings |
| filesnottosnapshot.pl | Get FilesNotToSnapshot key contents |
| findexes.pl | Scans a hive file looking for binary value data that contains MZ |
| fw_config.pl | Gets the Windows Firewall config from the System hive |
| gauss.pl | Checks Reliability key for TimeStampforUI value |
| gthist.pl | Gets Google Toolbar Search History |
| gtwhitelist.pl | Gets Google Toolbar whitelist values |
| haven_and_hearth.pl | Extracts the username and savedtoken for Haven & Hearth. |
| hibernate.pl | Check hibernation status |
| ide.pl | Get IDE device info from the System hive file |
| ie_main.pl | Gets values beneath user's Internet Explorer\\Main key |
| ie_settings.pl | Gets IE settings |
| ie_version.pl | Get IE version and build |
| iejava.pl | hecks NTUSER for status of kill bit for IE Java ActiveX control |
| iexplore.pl | Get Main Key contents from HKCU\\Software\\Microsoft\\Internet Explorer |
| imagedev.pl | |
| imagefile.pl | Checks IFEO subkeys for Debugger/CWDIllegalInDllSearch values |
| init_dlls.pl | Check for odd **pInit_Dlls keys |
| inprocserver.pl | Checks CLSID InProcServer32 values for indications of ZeroAccess infection |
| inprocserver_u.pl | Checks CLSID InProcServer32 values for indications of ZeroAccess infection |
| installedcomp.pl | Get info about Installed Components/StubPath |
| installer.pl | Determines product install information |
| internet_explorer_cu.pl | Get HKCU information on Internet Explorer |
| internet_settings_cu.pl | Get HKCU information on Internet Settings |
| itempos.pl | Shell/Bags/1/Desktop ItemPos* value parsing; Win7 NTUSER\.DAT hives |
| javafx.pl | Gets contents of user's JavaFX key |
| javasoft.pl | Gets contents of JavaSoft/UseJava2IExplorer value |
| kb950582.pl | Gets autorun settings from HKLM hive |
| kbdcrash.pl | Checks to see if system is config to crash via keyboard |
| landesk.pl | Get list of programs monitored by LANDESK from Software hive file |
| landesk_tln.pl | |
| legacy.pl | Lists LEGACY_* entries in Enum\\Root key |
| legacy_tln.pl | |
| licenses.pl | Get contents of HKLM/Software/Licenses key |
| listsoft.pl | Lists contents of user's Software key |
| liveContactsGUID.pl | Gets user Windows Live Messenger GUIDs |
| load.pl | Gets load and run values from user hive |
| logon_xp_run.pl | Autostart - Get XP user logon Run key contents from NTUSER.DAT hive |
| logonusername.pl | Get user's Logon User Name value |
| lsa_packages.pl | Lists various *Packages key contents beneath LSA key |
| lsasecrets.pl | TEST - Get update times for LSA Secrets |
| macaddr.pl | Attempt to locate MAC address in either Software or System hive files |
| menuorder.pl | Gets contents of user's MenuOrder subkeys |
| mmc.pl | Get contents of user's MMC\Recent File List key |
| mmc_tln.pl | |
| mmo.pl | Checks NTUSER for Multimedia\\Other values [malware] |
| mndmru.pl | Get contents of user's Map Network Drive MRU |
| mndmru_tln.pl | |
| mountdev.pl | Return contents of System hive MountedDevices key |
| mountdev2.pl | Return contents of System hive MountedDevices key |
| mountdev3.pl | Return contents of System hive MountedDevices key |
| mp2.pl | Gets user's MountPoints2 key contents |
| mp3.pl | Gets user's MountPoints2 key contents |
| mpmru.pl | Gets user's Media Player RecentFileList values |
| mrt.pl | Check to see if Malicious Software Removal Tool has been run |
| msis.pl | Determine MSI packages installed on the system |
| mspaper.pl | Gets images listed in user's MSPaper key |
| muicache.pl | Gets EXEs from user's MUICache key |
| nero.pl | Gets contents of Ahead\Nero Recent File List subkeys |
| netassist.pl | Check for Firefox Extensions. |
| network.pl | Gets info from System\\Control\\Network GUIDs |
| networkcards.pl | Get NetworkCards |
| networklist.pl | Collects network info from Vista+ NetworkList key |
| networklist_tln.pl | |
| networkuid.pl | Gets Network key UID value |
| nic.pl | Gets NIC info from System hive |
| nic2.pl | Gets NIC info from System hive |
| nic_mst2.pl | Gets NICs from System hive; looks for MediaType = 2 |
| nolmhash.pl | Gets NoLMHash value |
| notify.pl | Get Notify subkey entries |
| ntuser | |
| ntuser-all | |
| ntusernetwork.pl | Returns contents of user's Network subkeys |
| odysseus.pl | Extract registry keys for Odysseus by bindshell.net. |
| officedocs.pl | Gets contents of user's Office doc MRU keys |
| officedocs2010.pl | Gets contents of user's Office doc MRU keys |
| officedocs2010_tln.pl | |
| oisc.pl | Gets contents of user's Office Internet Server Cache |
| olsearch.pl | Gets contents of user's OutLook Searches |
| osversion.pl | Checks for OSVersion value |
| osversion_tln.pl | |
| outlook.pl | Gets user's Outlook settings |
| outlook2.pl | Gets MAPI (Outlook) settings *BETA* |
| pagefile.pl | Get info on pagefile(s) |
| phdet.pl | Check for a Phdet infection |
| photos.pl | Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives |
| polacdms.pl | Get local machine SID from Security hive |
| policies_u.pl | Get values from the user's Policies key |
| port_dev.pl | Parses Windows Portable Devices key (Vista) |
| prefetch.pl | Gets the the Prefetch Parameters |
| printermru.pl | Gets user's Printer Wizard MRU listing |
| printers.pl | Get user's printers |
| privoxy.pl | Extracts the install path for Privoxy. |
| product.pl | Get installed product info |
| productpolicy.pl | Parse ProductPolicy value (Vista & Win2008 ONLY) |
| producttype.pl | Queries System hive for Windows Product info |
| profilelist.pl | Get content of ProfileList key |
| proxysettings.pl | Gets contents of user's Proxy Settings |
| pstools.pl | Displays the content for PsTools EULA Agreements |
| publishingwizard.pl | Extract AddNetPlace\LocationMRU for Microsoft Publishing Wizard |
| putty.pl | Extracts the saved SshHostKeys for PuTTY. |
| rdphint.pl | Gets hosts logged onto via RDP and the Domain\Username |
| rdpport.pl | Queries System hive for RDP Port |
| realplayer6.pl | Gets user's RealPlayer v6 MostRecentClips(Default) values |
| realvnc.pl | Gets user's RealVNC MRU listing |
| recentdocs.pl | Gets contents of user's RecentDocs key |
| regback.pl | List all tasks along with logfile name and last written date/time |
| regtime.pl | Dumps entire hive - all keys sorted by LastWrite time |
| regtime_tln.pl | |
| removdev.pl | Parses Windows Portable Devices key (Vista) |
| renocide.pl | Check for Renocide malware |
| rootkit_revealer.pl | Extracts the EULA value for Sysinternals Rootkit Revealer. |
| routes.pl | Get persistent routes |
| runmru.pl | Gets contents of user's RunMRU key |
| runmru_tln.pl | |
| safeboot.pl | Check SafeBoot entries |
| sam | |
| sam-all | |
| samparse.pl | Parse SAM file for user & group mbrshp info |
| samparse_tln.pl | |
| scanwithav.pl | "Checks ScanWithAV value in Software hive per KB 883260" |
| schedagent.pl | Get SchedulingAgent key contents |
| secctr.pl | Get data from Security Center key |
| security | |
| security-all | |
| securityproviders.pl | Gets SecurityProvider value from System hive |
| services.pl | Lists services/drivers in Services key by LastWrite times |
| sevenzip.pl | Gets records of histories from 7-Zip keys |
| sfc.pl | Get SFC values |
| shares.pl | Get list of shares from System hive file |
| shc.pl | Gets SHC entries from user hive |
| shellbags.pl | Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives |
| shellbags_tln.pl | |
| shellexec.pl | Gets ShellExecuteHooks from Software hive |
| shellext.pl | Gets Shell Extensions from Software hive |
| shellfolders.pl | Retrieve user Shell Folders values |
| shelloverlay.pl | Gets ShellIconOverlayIdentifiers values |
| shutdown.pl | Gets ShutdownTime value from System hive |
| shutdowncount.pl | Retrieves ShutDownCount value |
| skype.pl | Gets data user's Skype key |
| snapshot.pl | Check ActiveX comp kill bit; Access Snapshot |
| snapshot_viewer.pl | Extracts Recent File List for Microsoft Snapshot Viewer. |
| soft_run.pl | Get autostart key contents from Software hive |
| soft_runplus.pl | "Autostart - get Run RunOnce and RunServices key contents from Software hive" |
| software | |
| software-all | |
| specaccts.pl | Gets contents of SpecialAccounts\\UserList key |
| spp_clients.pl | Determines volumes monitored by VSS |
| sql_lastconnect.pl | MDAC cache of successful connections |
| ssh_host_keys.pl | extract stored Putty and WinSCP host keys |
| ssid.pl | Get WZCSVC SSID Info |
| startmenuinternetapps_cu.pl | Start Menu Internet Applications info current user |
| startmenuinternetapps_lm.pl | Start Menu Internet Applications info |
| startpage.pl | Gets contents of user's StartPage key |
| stillimage.pl | Get info on StillImage devices |
| streammru.pl | streammru |
| streams.pl | Parse Streams and StreamsMRU entries |
| svc.pl | Lists services/drivers in Services key by LastWrite times (short format) |
| svc2.pl | Lists Services key contents by LastWrite times (CSV) |
| svc_plus.pl | Lists services/drivers in Services key by LastWrite times in a short format with warnings for type mismatches |
| svcdll.pl | Lists Services keys with ServiceDll values |
| svchost.pl | Get entries from SvcHost key |
| sysinternals.pl | Checks for SysInternals apps keys |
| sysinternals_tln.pl | |
| system | |
| system-all | |
| systemindex.pl | Gets systemindex\\..\\Paths info from Windows Search key |
| taskman.pl | Gets Taskman from HKLM\\..\\Winlogon |
| termcert.pl | Gets Terminal Server certificate |
| termserv.pl | Gets Terminal Server values from System hive |
| timezone.pl | Get TimeZoneInformation key contents |
| tracing.pl | Gets list of apps that can be traced |
| tracing_tln.pl | |
| trappoll.pl | "Get TrapPollTimeMilliSecs value if found" |
| trustrecords.pl | Gets user's Office 2010 TrustRecords values |
| trustrecords_tln.pl | |
| tsclient.pl | Displays contents of user's Terminal Server Client\Default key |
| tsclient_tln.pl | |
| typedpaths.pl | Gets contents of user's typedpaths key |
| typedpaths_tln.pl | |
| typedurls.pl | Returns contents of user's TypedURLs key. |
| typedurls_tln.pl | |
| typedurlstime.pl | Returns contents of user's TypedURLsTime key. |
| typedurlstime_tln.pl | |
| uac.pl | Get Select User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| uninstall.pl | Gets contents of Uninstall keys (64- & 32-bit) from Software hive |
| uninstall_tln.pl | |
| unreadmail.pl | Gets contents of Unreadmail key |
| updates.txt | |
| urlzone.pl | |
| usb.pl | Get USB device info |
| usbdevices.pl | Parses Enum\\USB key for devices |
| usbstor.pl | Get USBStor key info |
| usbstor2.pl | Get USBStor key info; csv output |
| usbstor3.pl | Get USBStor key info |
| user_run.pl | Autostart - get Run key contents from NTUSER.DAT hive |
| user_runplus.pl | "Autostart - get Run RunOnce and RunServices keys contents from NTUSER.DAT hive" |
| user_win.pl | |
| userassist.pl | Displays contents of UserAssist subkeys |
| userassist2.pl | Displays contents of UserAssist subkeys |
| userassist_tln.pl | |
| userinfo.pl | Gets contents of MS Office UserInfo values |
| userinit.pl | Gets UserInit value |
| userlocsvc.pl | Displays contents of User Location Service\Client key |
| usrclass-all | |
| virut.pl | Detect Virut artifacts |
| vista_bitbucket.pl | Get BitBucket settings from Vista via NTUSER\.DAT |
| vista_comdlg32.pl | Gets contents of Vista user's ComDlg32 key |
| vista_wireless.pl | Get Vista Wireless Info |
| vmplayer.pl | Extracts full filepath for recent VMware Player VM images. |
| vmware_vsphere_client.pl | Extract recent connections list for VMware vSphere Client. |
| vnchooksapplicationprefs.pl | Get VNCHooks Application Prefs list |
| vncviewer.pl | Get VNCViewer system list |
| volinfocache.pl | Gets VolumeInfoCache from Windows Search key |
| wallpaper.pl | Parses Wallpaper MRU Entries |
| warcraft3.pl | Extract usernames for Warcraft 3. |
| wbem.pl | Get contents of WBEM\\WDM key |
| win7_ua.pl | Get Win7 UserAssist data |
| win_cv.pl | Get & display the contents of the Windows\\CurrentVersion key |
| winbackup.pl | Get Windows Backup |
| winlivemail.pl | Get & display the contents of the Windows Live Mail key |
| winlivemsn.pl | Windows Live Messenger parser |
| winlogon.pl | Get values from the WinLogon key |
| winlogon_u.pl | Get values from the user's WinLogon key |
| winnt_cv.pl | Get & display the contents of the Windows NT\\CurrentVersion key |
| winrar.pl | Get WinRAR\ArcHistory entries |
| winrar_tln.pl | |
| winscp_sessions.pl | Extracts WinSCP stored session data |
| winver.pl | Get Windows version |
| winvnc.pl | Extracts the encrypted password for WinVNC. |
| winzip.pl | Get WinZip extract and filemenu values |
| wordwheelquery.pl | Gets contents of user's WordWheelQuery key |
| wpdbusenum.pl | Get WpdBusEnumRoot subkey info |
| xpedition.pl | Queries System hive for XP Edition info |
| yahoo_cu.pl | Yahoo Messenger parser |
| yahoo_lm.pl | Yahoo Messenger parser (HKLM) |
