applocker_parser/parse.py at master · JJK96/applocker_parser · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
import json
import binascii
import re
from pathlib import Path

import argparse
parser = argparse.ArgumentParser()
parser.add_argument("dump", help="GPOHound JSON dump")
parser.add_argument("-o", "--output", help="Output directory", default="applocker")
args = parser.parse_args()

dir = Path(args.output)
dir.mkdir(exist_ok=True)

with open(args.dump, "r") as f:
    gpohound = json.load(f)

def applocker_policies(policies):
    for id, contents in policies['policies'].items():
        try:
            for k, v in contents['Machine']['registry.pol'].items():
                if "SrpV2" in k:
                    yield id, k, v
        except KeyError:
            continue

def parse_policy(bytes):
    bytes = binascii.unhexlify("000" + bytes[2:])[::-1]
    xml = bytes.decode('utf-16le')
    return xml

for gpo_id, k, v in applocker_policies(gpohound):
    if v['Type'] == "REG_SZ":
        res = re.search(r"\\([^\\]+)\\Value", k)
        id = res.group(1)
        policy_xml = parse_policy(v['Data'])
        comment = f"<!-- {k} from GPO {gpo_id} -->\n"
        with open(dir / (id+".xml"), "w") as f:
            f.write(comment + policy_xml)