Why I love RegRipper

Yes, yes, I know…you’re probably thinking, “you wrote it, dude”, and while that’s true, that’s not the reason why I really love RegRipper. Yes, it’s my “baby”, but there’s so much more to it than that. For me, it’s about flexibility and utility. At the beginning of 2020, there was an issue with the core Perl module that RegRipper is built on…all of the time stamps were coming back as all zeros. So, I tracked down the individual line of code in the specific module, and changed it…then recompiled the EXEs and updated the GitHub repo. Boom. Done. I’ve written plugins during investigations, based on new things I found, and I’ve turned around working plugins in under an hour for folks who’ve reached out with a concise request and sample data. When I’ve seen something on social media, or something as a result of engaging in a CTF, I can tweak RegRipper: add a plugin, add capability, extend current functionality, etc. Updates are pretty easy. Yes, yes…I know what you’re going to say…“…but you wrote it.” Yes, I did…but more importantly, I’m passionate about it. I see far too few folks in the industry who know anything about the Registry, so when I see something on social media, I’ll try to imagine how what’s talked about could be used maliciously, and write a plugin.

And I’m not the only one writing plugins. Over the past few months, some folks have reached out with new plugins, updates, fixes, etc. I even had an exchange with someone the other day that resulted in them submitting a plugin to the repo. Even if you don’t know Perl (a lot of folks just copy-paste), getting a new plugin is as easy as sending a clear, concise description of what you’re looking for, and some sample data.

Not long ago, a friend asked me about JSON output for the plugins, so I’ve started a project to create JSON-output versions of the plugins where it makes sense to do so. The first was for the AppCompatCache…I still have a couple of updates to do on what information appears in the output, but the basic format is there. Here’s an excerpt of what that output currently looks like:
{
  "pluginname": "appcompatcache_json",
  "description": "query\parse the appcom

[…]
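To make the shape of such a plugin concrete, here is an added example of a JSON-emitting RegRipper plugin. It is not code from the post or from the RegRipper repository; it follows the plugin conventions RegRipper plugins use (a package named after the file, a %config hash with getConfig/getShortDescr/getHive/getVersion accessors, pluginmain receiving the hive path, output via ::rptMsg, Registry access through Parse::Win32Registry). Rather than parsing the AppCompatCache binary blob, it reads the ComputerName value from a System hive so the JSON-building part stays visible; the plugin name, the key list after “pluginname” and “description”, and the fixed key ordering are my assumptions, not the format the author settled on.

```perl
# Hypothetical plugin file: computername_json.pl (added example, not part of
# the RegRipper repo). Reads ComputerName from a System hive and emits one
# JSON object whose first two keys mirror the excerpt above.
package computername_json;
use strict;

my %config = (hive          => "System",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20240101);   # assumed version stamp

sub getConfig     { return %config; }
sub getShortDescr { return "Get ComputerName value from the System hive as JSON"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

# Minimal JSON string escaper so the plugin needs nothing beyond
# Parse::Win32Registry, which RegRipper already ships with.
sub json_str {
    my $s = shift;
    $s =~ s/\\/\\\\/g;                                   # backslash first
    $s =~ s/"/\\"/g;                                     # then double quotes
    $s =~ s/([\x00-\x1f])/sprintf("\\u%04x", ord($1))/ge; # control chars
    return "\"$s\"";
}

sub pluginmain {
    my $class = shift;
    my $hive  = shift;                        # path to the hive file
    my $reg   = Parse::Win32Registry->new($hive);
    my $root  = $reg->get_root_key;

    # Resolve the current ControlSet via Select\Current, as System-hive
    # plugins commonly do; Current is a REG_DWORD.
    my $current  = $root->get_subkey("Select")->get_value("Current")->get_data();
    my $key_path = "ControlSet00" . $current . "\\Control\\ComputerName\\ComputerName";

    my %out = (pluginname  => "computername_json",
               description => getShortDescr(),
               key         => $key_path);

    if (my $key = $root->get_subkey($key_path)) {
        $out{lastwrite_epoch} = $key->get_timestamp();   # key LastWrite, epoch secs
        if (my $v = $key->get_value("ComputerName")) {
            $out{computername} = $v->get_data();
        }
    }
    else {
        $out{error} = $key_path . " not found";
    }

    # Emit with a fixed key order so output diffs cleanly between runs;
    # the epoch is written as a JSON number, everything else as a string.
    my @pairs;
    for my $k (qw(pluginname description key lastwrite_epoch computername error)) {
        next unless exists $out{$k};
        my $val = ($k eq "lastwrite_epoch") ? $out{$k} : json_str($out{$k});
        push @pairs, "  " . json_str($k) . ": " . $val;
    }
    ::rptMsg("{\n" . join(",\n", @pairs) . "\n}");
}

1;
```

Drop the file into the plugins directory and run it the same way as any other plugin (for example with rip.pl against a copied System hive); because it reports through ::rptMsg, the JSON lands wherever RegRipper is already sending plugin output, so it can be redirected into a file and fed to jq or a SIEM ingest without further post-processing.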

This article has been indexed from Windows Incident Response
