Windows Gather Hardware Enumeration

🗓️ 14 Aug 2011 00:36:06Reported by Brandon Perry <[email protected]>Type

Enumerate PCI hardware information from the registry. Please note this script will run through registry subkeys such as: 'PCI', 'ACPI', 'ACPI_HAL', 'FDC', 'HID', 'HTREE', 'IDE', 'ISAPNP', 'LEGACY'', LPTENUM', 'PCIIDE', 'SCSI', 'STORAGE', 'SW', and 'USB'; it will take time to finish. It is recommended to run this module as a background job

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Registry

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Hardware Enumeration',
        'Description' => %q{
          Enumerate PCI hardware information from the registry. Please note this script
          will run through registry subkeys such as: 'PCI', 'ACPI', 'ACPI_HAL', 'FDC', 'HID',
          'HTREE', 'IDE', 'ISAPNP', 'LEGACY'', LPTENUM', 'PCIIDE', 'SCSI', 'STORAGE', 'SW',
          and 'USB'; it will take time to finish. It is recommended to run this module as a
          background job.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ]
      )
    )
  end

  def list
    tbl = Rex::Text::Table.new(
      'Header' => 'Device Information',
      'Indent' => 1,
      'Columns' =>
      [
        'Device Description',
        'Driver Version',
        'Class',
        'Manufacturer',
        'Extra',
      ]
    )

    keys = [
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\PCI\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\ACPI\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\ACPI_HAL\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\FDC\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\HID\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\HTREE\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\IDE\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\ISAPNP\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\LEGACY\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\LPTENUM\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\PCIIDE\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\Root\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\STORAGE\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\SW\\',
      'HKLM\\SYSTEM\\ControlSet001\\Enum\\USB\\',
    ]

    keys.each do |key|
      devices = registry_enumkeys(key)

      t = []

      while (!devices.nil? && !devices.empty?)
        1.upto(3) do
          t << framework.threads.spawn("Module(#{refname})", false, devices.shift) do |device|
            next if device.nil?

            vprint_status("Enumerating #{device}")

            infos = registry_enumkeys(key + '\\' + device)
            next if infos.nil?

            infos.each do |info|
              next if info.nil?

              info_key = key + '\\' + device + '\\' + info

              desc = registry_getvaldata(info_key, 'DeviceDesc')
              mfg = registry_getvaldata(info_key, 'Mfg')
              device_class = registry_getvaldata(info_key, 'Class')
              driver_guid = registry_getvaldata(info_key, 'Driver')
              extra = ''

              if key =~ (/USB/) || key =~ (/LPTENUM/)
                extra = registry_getvaldata(info_key, 'LocationInformation')
              end

              if key =~ (/SCSI/) || key =~ (/\\IDE/) || key =~ (/ACPI\\/)
                extra = registry_getvaldata(info_key, 'FriendlyName')
              end

              desc = desc.split(';')[1] if desc =~ /^@/
              mfg = mfg.split(';')[1] if mfg =~ /^@/

              desc = '' if desc.nil?
              mfg = '' if mfg.nil?
              device_class = '' if device_class.nil?
              driver_guid = '' if driver_guid.nil?
              extra = '' if extra.nil?

              next if desc.empty? && mfg.empty?

              driver_version = ''

              if (!driver_guid.nil? || !driver_guid.empty?) && (driver_guid =~ /\\/)
                k = 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Class\\' + driver_guid
                d = registry_getvaldata(k, 'DriverVersion')
                driver_version << d if !d.nil?
              end

              done = false

              tbl.rows.each do |row|
                next unless (row[0] == desc) &&
                            (row[1] == driver_version) &&
                            (row[2] == device_class) &&
                            (row[3] == mfg) &&
                            (row[4] == extra)

                done = true
                break
              end

              tbl << [desc, driver_version, device_class, mfg, extra] if !done
            end
          end
          t.map(&:join)
        end
      end
    end

    results = tbl.to_s
    vprint_line("\n" + results)

    path = store_loot('host.hardware', 'text/plain', session, results, 'hardware.txt', 'Host Hardware')
    print_good("Results saved in: #{path}")
  end

  def run
    print_status("Enumerating hardware on #{sysinfo['Computer']}")
    begin
      list
    rescue ::Exception => e
      if e.to_s =~ /execution expired/i
        print_error('Sorry, execution expired. Module could not finish running.')
      else
        print_error("An unexpected error has occurred: #{e}:\n#{e.backtrace}")
      end
    end
  end
end

08 Feb 2023 13:47Current

6.8Medium risk

Vulners AI Score6.8

windows registry enumeration hardware pci acpi hid scsi usb background job