[mmc01]

I read file and try to add function name as key of dict and value is value of dict. It not add all value and key to dict. This is my code.

    

for i in data['behavior']['processes'][3]['calls']:
    

    t0 = i['api']
    t1 = i['arguments']

    search_lst = open("clicker_out.txt", "r" ,  encoding="utf8")

    for line in search_lst:
        if t0 in line:
            
            if((key1 in t1.keys())):    
                all_arg_dict[t0] = t1[key1]

            elif((key2 in t1.keys())):
                all_arg_dict[t0] = t1[key2]

            elif((key3 in t1.keys())):   
                all_arg_dict[t0] = t1[key3]

    search_lst.close()

for k,v in all_arg_dict.items():

    print(v)

When I run this code it show like this

C:\Windows\system32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Roaming\RefreshProcName
HKEY_CURRENT_USER\System\CurrentControlSet\Control\NetTrace\Session
C:\Windows\system32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\Roaming
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name
C:\Windows\System32\EAPQEC.DLL

It's not correct because if I print at key3 link this.

            elif((key3 in t1.keys())):   
                    all_arg_dict[t0] = t1[key3]
                    print(t1[key3])

It show many value like this.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\nshwfp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\dhcpclient
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\wshelper
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\nshhttp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\fwcfg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\authfwcfg
C:\Windows\system32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\netiohlp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\whhelper
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\hnetmon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\dot3cfg
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ldap\LdapClientIntegrity
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ldap\UseOldHostResolutionOrder
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ldap\UseHostnameAsAlias
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\napmontr
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\nshipsec
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\nettrace
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\WcnNetsh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\p2pnetsh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\wlancfg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\wwancfg
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\iphlpsvc\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\config\Connectivity_Platform_Enabled

How to add all value to dictionary?

This post has been edited by mmc01: 11 January 2017 - 11:43 AM

[astonecipher]

Why are you reading the registry?

[mmc01]

I read registry from file for analysis in my thesis . I'm not read directly on my computer.