add sys.write_reg() function to eldritch

docs/_docs/user-guide/eldritch.md

@@ -817,7 +817,107 @@ sys.shell("ls /nofile")
 }
 ```
 
----
+### sys.write_reg_hex
+
+`sys.write_reg_hex(reghive: str, regpath: str, regname: str, regtype: str, regvalue: str) -> Bool`
+
+The <b>sys.write_reg_hex</b> method returns `True` if registry values are written to the requested registry path and accepts a hexstring as the value argument. 
+An example is below:
+
+```python
+$> sys.write_reg_hex("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_SZ","deadbeef")
+True
+$> sys.write_reg_hex("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_BINARY","deadbeef")
+True
+$> sys.write_reg_hex("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_NONE","deadbeef")
+True
+$> sys.write_reg_hex("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_EXPAND_SZ","deadbeef")
+True
+$> sys.write_reg_hex("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_DWORD","deadbeef")
+True
+$> sys.write_reg_hex("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_DWORD_BIG_ENDIAN","deadbeef")
+True
+$> sys.write_reg_hex("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_LINK","deadbeef")
+True
+$> sys.write_reg_hex("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_MULTI_SZ","dead,beef") 
+True
+$> sys.write_reg_hex("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_RESOURCE_LIST","deadbeef")
+True
+$> sys.write_reg_hex("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_FULL_RESOURCE_DESCRIPTOR","deadbeef")
+True
+$> sys.write_reg_hex("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_RESOURCE_REQUIREMENTS_LIST","deadbeef")
+True
+$> sys.write_reg_hex("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_QWORD","deadbeefdeadbeef") 
+True
+```
+
+### sys.write_reg_int
+
+`sys.write_reg_int(reghive: str, regpath: str, regname: str, regtype: str, regvalue: int) -> Bool`
+
+The <b>sys.write_reg_int</b> method returns `True` if registry values are written to the requested registry path and accepts an integer as the value argument.
+An example is below:
+
+```python
+$> sys.write_reg_int("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_SZ",12345678)
+True
+$> sys.write_reg_int("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_BINARY",12345678)
+True
+$> sys.write_reg_int("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_NONE",12345678)
+True
+$> sys.write_reg_int("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_EXPAND_SZ",12345678)
+True
+$> sys.write_reg_int("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_DWORD",12345678)
+True
+$> sys.write_reg_int("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_DWORD_BIG_ENDIAN",12345678)
+True
+$> sys.write_reg_int("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_LINK",12345678)
+True
+$> sys.write_reg_int("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_MULTI_SZ",12345678) 
+True
+$> sys.write_reg_int("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_RESOURCE_LIST",12345678)
+True
+$> sys.write_reg_int("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_FULL_RESOURCE_DESCRIPTOR",12345678)
+True
+$> sys.write_reg_int("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_RESOURCE_REQUIREMENTS_LIST",12345678)
+True
+$> sys.write_reg_int("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_QWORD",12345678) 
+True
+```
+
+### sys.write_reg_str
+
+`sys.write_reg_str(reghive: str, regpath: str, regname: str, regtype: str, regvalue: str) -> Bool`
+
+The <b>sys.write_reg_str</b> method returns `True` if registry values are written to the requested registry path and accepts a string as the value argument. 
+An example is below:
+
+```python
+$> sys.write_reg_str("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_SZ","BAR1")
+True
+$> sys.write_reg_str("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_BINARY","DEADBEEF")
+True
+$> sys.write_reg_str("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_NONE","DEADBEEF")
+True
+$> sys.write_reg_str("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_EXPAND_SZ","BAR2")
+True
+$> sys.write_reg_str("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_DWORD","12345678")
+True
+$> sys.write_reg_str("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_DWORD_BIG_ENDIAN","12345678")
+True
+$> sys.write_reg_str("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_LINK","A PLAIN STRING")
+True
+$> sys.write_reg_str("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_MULTI_SZ","BAR1,BAR2,BAR3") 
+True
+$> sys.write_reg_str("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_RESOURCE_LIST","DEADBEEF")
+True
+$> sys.write_reg_str("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_FULL_RESOURCE_DESCRIPTOR","DEADBEEF")
+True
+$> sys.write_reg_str("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_RESOURCE_REQUIREMENTS_LIST","DEADBEEF")
+True
+$> sys.write_reg_str("HKEY_CURRENT_USER","SOFTWARE\\TEST1","FOO1","REG_QWORD","1234567812345678") 
+True
+```
 
 ## Time
 

implants/Cargo.toml

@@ -25,6 +25,7 @@ eval = "0.4.3"
 flate2 = "1.0.24"
 gazebo = "0.8.1"
 graphql_client = "0.12.0"
+hex = "0.4.2"
 hex-literal = "0.4.1"
 httptest = "0.15.4"
 hyper = { version = "1", features = ["full"] }
@@ -68,7 +69,7 @@ tokio = "1.19.1"
 tokio-stream = "0.1.9"
 tokio-test = "*"
 tonic = { git = "https://github.com/hyperium/tonic.git", rev = "07e4ee1" }
-uuid = "1.3.0"
+uuid = "1.5.0"
 which = "4.4.2"
 whoami = "1.3.0"
 windows-sys = "0.45.0"

implants/lib/eldritch/Cargo.toml

@@ -20,6 +20,7 @@ derive_more = { workspace = true }
 eval = { workspace = true }
 flate2 = { workspace = true }
 gazebo = { workspace = true }
+hex = { workspace = true }
 hex-literal = { workspace = true }
 ipnetwork = { workspace = true }
 md5 = { workspace = true }
@@ -67,3 +68,4 @@ pnet = { workspace = true }
 
 [dev-dependencies]
 httptest = { workspace = true }
+uuid = { workspace = true, features = ["v4"] }

implants/lib/eldritch/src/lib.rs

@@ -223,7 +223,7 @@ mod tests {
             r#"
 dir(file) == ["append", "compress", "copy", "download", "exists", "hash", "is_dir", "is_file", "list", "mkdir", "moveto", "read", "remove", "replace", "replace_all", "template", "timestomp", "write"]
 dir(process) == ["info", "kill", "list", "name", "netstat"]
-dir(sys) == ["dll_inject", "dll_reflect", "exec", "get_env", "get_ip", "get_os", "get_pid", "get_reg", "get_user", "hostname", "is_linux", "is_macos", "is_windows", "shell"]
+dir(sys) == ["dll_inject", "dll_reflect", "exec", "get_env", "get_ip", "get_os", "get_pid", "get_reg", "get_user", "hostname", "is_linux", "is_macos", "is_windows", "shell", "write_reg_hex", "write_reg_int", "write_reg_str"]
 dir(pivot) == ["arp_scan", "bind_proxy", "ncat", "port_forward", "port_scan", "smb_exec", "ssh_copy", "ssh_exec", "ssh_password_spray"]
 dir(assets) == ["copy","list","read","read_binary"]
 dir(crypto) == ["aes_decrypt_file", "aes_encrypt_file", "decode_b64", "encode_b64", "from_json", "hash_file", "to_json"]

implants/lib/eldritch/src/sys.rs

@@ -12,6 +12,9 @@ mod is_linux_impl;
 mod is_macos_impl;
 mod is_windows_impl;
 mod shell_impl;
+mod write_reg_str_impl;
+mod write_reg_int_impl;
+mod write_reg_hex_impl;
 
 use allocative::Allocative;
 use derive_more::Display;
@@ -126,4 +129,16 @@ fn methods(builder: &mut MethodsBuilder) {
         if false { println!("Ignore unused this var. _this isn't allowed by starlark. {:?}", this); }
         get_reg_impl::get_reg(starlark_heap, reghiv, regpth)
     }
+    fn write_reg_str(this:  SysLibrary, reghiv: String, regpth: String, regname: String, regtype: String, regvalue: String) ->  anyhow::Result<bool> {
+        if false { println!("Ignore unused this var. _this isn't allowed by starlark. {:?}", this); }
+        write_reg_str_impl::write_reg_str(reghiv, regpth, regname, regtype, regvalue)
+    }
+    fn write_reg_int(this:  SysLibrary, reghiv: String, regpth: String, regname: String, regtype: String, regvalue: u32) ->  anyhow::Result<bool> {
+        if false { println!("Ignore unused this var. _this isn't allowed by starlark. {:?}", this); }
+        write_reg_int_impl::write_reg_int(reghiv, regpth, regname, regtype, regvalue)
+    }
+    fn write_reg_hex(this:  SysLibrary, reghiv: String, regpth: String, regname: String, regtype: String, regvalue: String) ->  anyhow::Result<bool> {
+        if false { println!("Ignore unused this var. _this isn't allowed by starlark. {:?}", this); }
+        write_reg_hex_impl::write_reg_hex(reghiv, regpth, regname, regtype, regvalue)
+    }
 }

implants/lib/eldritch/src/sys/get_reg_impl.rs

@@ -60,26 +60,26 @@ mod tests {
         const_frozen_string,
         values::{Heap, Value},
     };
+    use uuid::Uuid;
+    use winreg::{{enums::*}, RegKey};
 
     #[test]
     fn test_get_reg() -> anyhow::Result<()> {
-        use winreg::{enums::HKEY_CURRENT_USER, RegKey};
+
         let binding = Heap::new();
+        let id = Uuid::new_v4();
         //Write something into temp regkey...
         let hkcu = RegKey::predef(HKEY_CURRENT_USER);
-        let (nkey, _ndisp) = hkcu.create_subkey("SOFTWARE\\TEST1")?;
+        let (nkey, _ndisp) = hkcu.create_subkey(format!("SOFTWARE\\{}",id.to_string()).to_string())?;
         nkey.set_value("FOO", &"BAR")?;
 
-        let ares = get_reg(
-            &binding,
-            "HKEY_CURRENT_USER".to_string(),
-            "SOFTWARE\\TEST1".to_string(),
-        );
-        let val2: Value<'_> = ares?.get(const_frozen_string!("FOO").to_value())?.unwrap();
+        let ares = get_reg(&binding, "HKEY_CURRENT_USER".to_string(), format!("SOFTWARE\\{}",id.to_string()).to_string());
+        let val2 : Value<'_> = ares?.get(const_frozen_string!("FOO").to_value())?.unwrap();
         //delete temp regkey
-        nkey.delete_value("Foo")?;
+        hkcu.delete_subkey(format!("SOFTWARE\\{}",id.to_string()).to_string())?;
 
         assert_eq!(val2.unpack_str().unwrap(), "BAR");
+
 
         Ok(())
     }