[Plugins] plugins20130418 list
plugins20130418
Plugin name | Description |
---|---|
acmru.pl | Gets contents of user's ACMru key |
adoberdr.pl | Parse Adobe Reader MRU keys |
aim.pl | Gets info from the AOL Instant Messenger (not AIM) install |
all | |
all-all | |
aports.pl | Extracts the install path for SmartLine Inc. Active Ports. |
appcertdlls.pl | Get entries from AppCertDlls key |
appcompatcache.pl | Parse files from System hive Shim Cache |
appcompatcache_tln.pl | |
appcompatflags.pl | This is a list of applications configured to run in compatibility mode. |
appinitdlls.pl | Gets contents of AppInit_DLLs value |
applets.pl | Windows\CurrentVersion\Applets Recent File List values |
applets_tln.pl | |
apppaths.pl | Gets contents of App Paths subkeys from the Software hive, displaying the EXE name and path |
appspecific.pl | Gets contents of user's Intellipoint\\AppSpecific subkeys |
ares.pl | Gets contents of user's Software/Ares key |
arpcache.pl | Retrieves CurrentVersion\App Management\ARPCache entries |
assoc.pl | Get list of file ext associations |
attachmgr.pl | Checks user's keys that manage the Attachment Manager functionality |
auditfail.pl | Get CrashOnAuditFail value |
auditpol.pl | Get audit policy from the Security hive file |
autoendtasks.pl | Automatically end a non-responsive task |
autorun.pl | Gets autorun settings |
backuprestore.pl | Gets the contents of the FilesNotToSnapshot, KeysNotToRestore and FilesNotToBackup keys |
bagtest.pl | banner, no change to the version number |
bagtest2.pl | banner, no change to the version number |
banner.pl | Get HKLM\SOFTWARE.. Logon Banner Values |
baseline.pl | Scans a hive file, checking sizes of binary value data |
bho.pl | Gets Browser Helper Objects from Software hive |
bitbucket.pl | Get HKLM\\..\\BitBucket keys\\values |
bitbucket_user.pl | TEST - Get user BitBucket values |
brisv.pl | Plugin to detect the presence of Trojan.Brisv.A |
btconfig.pl | Determines BlueTooth devices 'seen' by BroadComm drivers |
bthport.pl | Gets Bluetooth-connected devices from System hive |
cain.pl | Extracts details for Cain & Abel by oxid.it |
ccleaner.pl | Gets CCleaner User Settings |
clampi.pl | Checks keys/values set by new version of Trojan.Clampi |
clampitm.pl | Checks keys/values set by new version of Trojan.Clampi |
clsid.pl | Get list of CLSID/registered classes |
cmd_shell.pl | Gets shell open cmds for various file types |
cmd_shell_u.pl | Gets shell open cmds for various file types from USRCLASS.DAT |
cmdproc.pl | Checks key for files to autostart from cmd.exe |
codeid.pl | Get DefaultLevel value from CodeIdentifiers key |
comdlg32.pl | Gets contents of user's ComDlg32 key |
comdlg32a.pl | Gets contents of user's ComDlg32 key |
compatassist.pl | Checks user's Compatibility Assistant\\Persisted values |
compdesc.pl | Gets contents of user's ComputerDescriptions key |
compname.pl | Gets ComputerName and Hostname values from System hive |
controlpanel.pl | Vista ControlPanel key seems to contain some interesting info about the user's activities... |
cpldontload.pl | Gets contents of user's Control Panel don't load key |
crashcontrol.pl | Get crash control information |
crashdump.pl | Gets crashdump settings from System hive |
ctrlpnl.pl | Get Control Panel info from Software hive |
ddm.pl | Get DDM data from Control Subkey |
decaf.pl | Extracts the EULA value for DECAF. |
defbrowser.pl | Gets default browser setting from HKLM |
dependency_walker.pl | Extracts Recent File List for Dependency Walker. |
devclass.pl | Get USB device info from the DeviceClasses keys in the System hive |
dfrg.pl | Gets content of Dfrg BootOptim. key |
diag_sr.pl | Get Diag\\SystemRestore values and data |
direct.pl | Searches Direct* keys for MostRecentApplication subkeys |
direct_tln.pl | |
disablelastaccess.pl | Get NTFSDisableLastAccessUpdate value |
disablesr.pl | Gets the value that turns System Restore either on or off |
dllsearch.pl | Get crash control information |
dnschanger.pl | Check for indication of DNSChanger infection. |
domains.pl | Gets contents Internet Settings\ZoneMap\Domains key |
drivers32.pl | Get values from the Drivers32 key |
drwatson.pl | Gets Dr. Watson settings from Software hive |
emdmgmt.pl | Gets contents of EMDMgmt subkeys and values |
environment.pl | Extracts user's Environment paths from NTUSER.DAT |
esent.pl | Get ESENT\\Process key contents |
eventlog.pl | Get EventLog configuration info |
eventlogs.pl | Gets Event Log settings from System hive |
fileexts.pl | Get user FileExts values |
filehistory.pl | Get filehistory settings |
filesnottosnapshot.pl | Get FilesNotToSnapshot key contents |
findexes.pl | Scans a hive file looking for binary value data that contains MZ |
fw_config.pl | Gets the Windows Firewall config from the System hive |
gauss.pl | Checks Reliability key for TimeStampforUI value |
gthist.pl | Gets Google Toolbar Search History |
gtwhitelist.pl | Gets Google Toolbar whitelist values |
haven_and_hearth.pl | Extracts the username and savedtoken for Haven & Hearth. |
hibernate.pl | Check hibernation status |
ide.pl | Get IDE device info from the System hive file |
ie_main.pl | Gets values beneath user's Internet Explorer\\Main key |
ie_settings.pl | Gets IE settings |
ie_version.pl | Get IE version and build |
iejava.pl | Checks NTUSER for status of kill bit for IE Java ActiveX control |
iexplore.pl | Get Main Key contents from HKCU\\Software\\Microsoft\\Internet Explorer |
imagedev.pl | |
imagefile.pl | Checks IFEO subkeys for Debugger/CWDIllegalInDllSearch values |
init_dlls.pl | Check for odd **pInit_Dlls keys |
inprocserver.pl | Checks CLSID InProcServer32 values for indications of ZeroAccess infection |
inprocserver_u.pl | Checks CLSID InProcServer32 values for indications of ZeroAccess infection |
installedcomp.pl | Get info about Installed Components/StubPath |
installer.pl | Determines product install information |
internet_explorer_cu.pl | Get HKCU information on Internet Explorer |
internet_settings_cu.pl | Get HKCU information on Internet Settings |
itempos.pl | Shell/Bags/1/Desktop ItemPos* value parsing; Win7 NTUSER.DAT hives |
javafx.pl | Gets contents of user's JavaFX key |
javasoft.pl | Gets contents of JavaSoft/UseJava2IExplorer value |
kb950582.pl | Gets autorun settings from HKLM hive |
kbdcrash.pl | Checks to see if system is config to crash via keyboard |
landesk.pl | Get list of programs monitored by LANDESK from Software hive file |
landesk_tln.pl | |
legacy.pl | Lists LEGACY_* entries in Enum\\Root key |
legacy_tln.pl | |
licenses.pl | Get contents of HKLM/Software/Licenses key |
listsoft.pl | Lists contents of user's Software key |
liveContactsGUID.pl | Gets user Windows Live Messenger GUIDs |
load.pl | Gets load and run values from user hive |
logon_xp_run.pl | Autostart - Get XP user logon Run key contents from NTUSER.DAT hive |
logonusername.pl | Get user's Logon User Name value |
lsa_packages.pl | Lists various *Packages key contents beneath LSA key |
lsasecrets.pl | TEST - Get update times for LSA Secrets |
macaddr.pl | Attempt to locate MAC address in either Software or System hive files |
menuorder.pl | Gets contents of user's MenuOrder subkeys |
mmc.pl | Get contents of user's MMC\Recent File List key |
mmc_tln.pl | |
mmo.pl | Checks NTUSER for Multimedia\\Other values [malware] |
mndmru.pl | Get contents of user's Map Network Drive MRU |
mndmru_tln.pl | |
mountdev.pl | Return contents of System hive MountedDevices key |
mountdev2.pl | Return contents of System hive MountedDevices key |
mountdev3.pl | Return contents of System hive MountedDevices key |
mp2.pl | Gets user's MountPoints2 key contents |
mp3.pl | Gets user's MountPoints2 key contents |
mpmru.pl | Gets user's Media Player RecentFileList values |
mrt.pl | Check to see if Malicious Software Removal Tool has been run |
msis.pl | Determine MSI packages installed on the system |
mspaper.pl | Gets images listed in user's MSPaper key |
muicache.pl | Gets EXEs from user's MUICache key |
nero.pl | Gets contents of Ahead\Nero Recent File List subkeys |
netassist.pl | Check for Firefox Extensions. |
network.pl | Gets info from System\\Control\\Network GUIDs |
networkcards.pl | Get NetworkCards |
networklist.pl | Collects network info from Vista+ NetworkList key |
networklist_tln.pl | |
networkuid.pl | Gets Network key UID value |
nic.pl | Gets NIC info from System hive |
nic2.pl | Gets NIC info from System hive |
nic_mst2.pl | Gets NICs from System hive; looks for MediaType = 2 |
nolmhash.pl | Gets NoLMHash value |
notify.pl | Get Notify subkey entries |
ntuser | |
ntuser-all | |
ntusernetwork.pl | Returns contents of user's Network subkeys |
odysseus.pl | Extract registry keys for Odysseus by bindshell.net. |
officedocs.pl | Gets contents of user's Office doc MRU keys |
officedocs2010.pl | Gets contents of user's Office doc MRU keys |
officedocs2010_tln.pl | |
oisc.pl | Gets contents of user's Office Internet Server Cache |
olsearch.pl | Gets contents of user's OutLook Searches |
osversion.pl | Checks for OSVersion value |
osversion_tln.pl | |
outlook.pl | Gets user's Outlook settings |
outlook2.pl | Gets MAPI (Outlook) settings *BETA* |
pagefile.pl | Get info on pagefile(s) |
phdet.pl | Check for a Phdet infection |
photos.pl | Shell/BagMRU traversal in Win7 USRCLASS.DAT hives |
polacdms.pl | Get local machine SID from Security hive |
policies_u.pl | Get values from the user's Policies key |
port_dev.pl | Parses Windows Portable Devices key (Vista) |
prefetch.pl | Gets the Prefetch Parameters |
printermru.pl | Gets user's Printer Wizard MRU listing |
printers.pl | Get user's printers |
privoxy.pl | Extracts the install path for Privoxy. |
product.pl | Get installed product info |
productpolicy.pl | Parse ProductPolicy value (Vista & Win2008 ONLY) |
producttype.pl | Queries System hive for Windows Product info |
profilelist.pl | Get content of ProfileList key |
proxysettings.pl | Gets contents of user's Proxy Settings |
pstools.pl | Displays the content for PsTools EULA Agreements |
publishingwizard.pl | Extract AddNetPlace\LocationMRU for Microsoft Publishing Wizard |
putty.pl | Extracts the saved SshHostKeys for PuTTY. |
rdphint.pl | Gets hosts logged onto via RDP and the Domain\Username |
rdpport.pl | Queries System hive for RDP Port |
realplayer6.pl | Gets user's RealPlayer v6 MostRecentClips(Default) values |
realvnc.pl | Gets user's RealVNC MRU listing |
recentdocs.pl | Gets contents of user's RecentDocs key |
regback.pl | List all tasks along with logfile name and last written date/time |
regtime.pl | Dumps entire hive - all keys sorted by LastWrite time |
regtime_tln.pl | |
removdev.pl | Parses Windows Portable Devices key (Vista) |
renocide.pl | Check for Renocide malware |
rootkit_revealer.pl | Extracts the EULA value for Sysinternals Rootkit Revealer. |
routes.pl | Get persistent routes |
runmru.pl | Gets contents of user's RunMRU key |
runmru_tln.pl | |
safeboot.pl | Check SafeBoot entries |
sam | |
sam-all | |
samparse.pl | Parse SAM file for user & group mbrshp info |
samparse_tln.pl | |
scanwithav.pl | Checks ScanWithAV value in Software hive per KB 883260 |
schedagent.pl | Get SchedulingAgent key contents |
secctr.pl | Get data from Security Center key |
security | |
security-all | |
securityproviders.pl | Gets SecurityProvider value from System hive |
services.pl | Lists services/drivers in Services key by LastWrite times |
sevenzip.pl | Gets records of histories from 7-Zip keys |
sfc.pl | Get SFC values |
shares.pl | Get list of shares from System hive file |
shc.pl | Gets SHC entries from user hive |
shellbags.pl | Shell/BagMRU traversal in Win7 USRCLASS.DAT hives |
shellbags_tln.pl | |
shellexec.pl | Gets ShellExecuteHooks from Software hive |
shellext.pl | Gets Shell Extensions from Software hive |
shellfolders.pl | Retrieve user Shell Folders values |
shelloverlay.pl | Gets ShellIconOverlayIdentifiers values |
shutdown.pl | Gets ShutdownTime value from System hive |
shutdowncount.pl | Retrieves ShutDownCount value |
skype.pl | Gets data from user's Skype key |
snapshot.pl | Check ActiveX comp kill bit; Access Snapshot |
snapshot_viewer.pl | Extracts Recent File List for Microsoft Snapshot Viewer. |
soft_run.pl | Get autostart key contents from Software hive |
soft_runplus.pl | Autostart - get Run, RunOnce and RunServices key contents from Software hive |
software | |
software-all | |
specaccts.pl | Gets contents of SpecialAccounts\\UserList key |
spp_clients.pl | Determines volumes monitored by VSS |
sql_lastconnect.pl | MDAC cache of successful connections |
ssh_host_keys.pl | Extracts stored PuTTY and WinSCP host keys |
ssid.pl | Get WZCSVC SSID Info |
startmenuinternetapps_cu.pl | Start Menu Internet Applications info current user |
startmenuinternetapps_lm.pl | Start Menu Internet Applications info |
startpage.pl | Gets contents of user's StartPage key |
stillimage.pl | Get info on StillImage devices |
streammru.pl | streammru |
streams.pl | Parse Streams and StreamsMRU entries |
svc.pl | Lists services/drivers in Services key by LastWrite times (short format) |
svc2.pl | Lists Services key contents by LastWrite times (CSV) |
svc_plus.pl | Lists services/drivers in Services key by LastWrite times in a short format with warnings for type mismatches |
svcdll.pl | Lists Services keys with ServiceDll values |
svchost.pl | Get entries from SvcHost key |
sysinternals.pl | Checks for SysInternals apps keys |
sysinternals_tln.pl | |
system | |
system-all | |
systemindex.pl | Gets systemindex\\..\\Paths info from Windows Search key |
taskman.pl | Gets Taskman from HKLM\\..\\Winlogon |
termcert.pl | Gets Terminal Server certificate |
termserv.pl | Gets Terminal Server values from System hive |
timezone.pl | Get TimeZoneInformation key contents |
tracing.pl | Gets list of apps that can be traced |
tracing_tln.pl | |
trappoll.pl | Get TrapPollTimeMilliSecs value if found |
trustrecords.pl | Gets user's Office 2010 TrustRecords values |
trustrecords_tln.pl | |
tsclient.pl | Displays contents of user's Terminal Server Client\Default key |
tsclient_tln.pl | |
typedpaths.pl | Gets contents of user's typedpaths key |
typedpaths_tln.pl | |
typedurls.pl | Returns contents of user's TypedURLs key. |
typedurls_tln.pl | |
typedurlstime.pl | Returns contents of user's TypedURLsTime key. |
typedurlstime_tln.pl | |
uac.pl | Get Select User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
uninstall.pl | Gets contents of Uninstall keys (64- & 32-bit) from Software hive |
uninstall_tln.pl | |
unreadmail.pl | Gets contents of Unreadmail key |
updates.txt | |
urlzone.pl | |
usb.pl | Get USB device info |
usbdevices.pl | Parses Enum\\USB key for devices |
usbstor.pl | Get USBStor key info |
usbstor2.pl | Get USBStor key info; csv output |
usbstor3.pl | Get USBStor key info |
user_run.pl | Autostart - get Run key contents from NTUSER.DAT hive |
user_runplus.pl | Autostart - get Run, RunOnce and RunServices key contents from NTUSER.DAT hive |
user_win.pl | |
userassist.pl | Displays contents of UserAssist subkeys |
userassist2.pl | Displays contents of UserAssist subkeys |
userassist_tln.pl | |
userinfo.pl | Gets contents of MS Office UserInfo values |
userinit.pl | Gets UserInit value |
userlocsvc.pl | Displays contents of User Location Service\Client key |
usrclass-all | |
virut.pl | Detect Virut artifacts |
vista_bitbucket.pl | Get BitBucket settings from Vista via NTUSER.DAT |
vista_comdlg32.pl | Gets contents of Vista user's ComDlg32 key |
vista_wireless.pl | Get Vista Wireless Info |
vmplayer.pl | Extracts full filepath for recent VMware Player VM images. |
vmware_vsphere_client.pl | Extract recent connections list for VMware vSphere Client. |
vnchooksapplicationprefs.pl | Get VNCHooks Application Prefs list |
vncviewer.pl | Get VNCViewer system list |
volinfocache.pl | Gets VolumeInfoCache from Windows Search key |
wallpaper.pl | Parses Wallpaper MRU Entries |
warcraft3.pl | Extract usernames for Warcraft 3. |
wbem.pl | Get contents of WBEM\\WDM key |
win7_ua.pl | Get Win7 UserAssist data |
win_cv.pl | Get & display the contents of the Windows\\CurrentVersion key |
winbackup.pl | Get Windows Backup |
winlivemail.pl | Get & display the contents of the Windows Live Mail key |
winlivemsn.pl | Windows Live Messenger parser |
winlogon.pl | Get values from the WinLogon key |
winlogon_u.pl | Get values from the user's WinLogon key |
winnt_cv.pl | Get & display the contents of the Windows NT\\CurrentVersion key |
winrar.pl | Get WinRAR\ArcHistory entries |
winrar_tln.pl | |
winscp_sessions.pl | Extracts WinSCP stored session data |
winver.pl | Get Windows version |
winvnc.pl | Extracts the encrypted password for WinVNC. |
winzip.pl | Get WinZip extract and filemenu values |
wordwheelquery.pl | Gets contents of user's WordWheelQuery key |
wpdbusenum.pl | Get WpdBusEnumRoot subkey info |
xpedition.pl | Queries System hive for XP Edition info |
yahoo_cu.pl | Yahoo Messenger parser |
yahoo_lm.pl | Yahoo Messenger parser (HKLM) |