嘗試動態使用正則表達式 findall 來獲取注冊表項。 如何將 append 單轉義為正則表達式字符串？

Question

test_str = Monitor for deletion of Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers. Monitor for changes made to Windows Registry keys and or values related to services and startup programs that correspond to security tools such as HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender.

for path_found in iocs_found['windows_path']:
   path_found = path_found.replace('\\', '\\\\')
   print(path_found)
   regex_pattern = f"[A-Z]+(?:{path_found})" 
   matches = re.findall(regex_pattern, test_str)
   print(matches)
   print('\n')

打印語句是：

M:\SOFTWARE\Microsoft\AMSI\Providers。

['HKLM:\SOFTWARE\Microsoft\AMSI\Providers.']

M:\SOFTWARE\Policies\Microsoft\Windows

['HKLM:\SOFTWARE\Policies\Microsoft\Windows']

兩個問題：

1. 如何更改我的正則表達式代碼，以便HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows變為HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender
2. 如何將新的正則表達式添加到當前的動態正則表達式中，以免出現雙重轉義？

請幫忙。

Answer 1

對於您在上面顯示的特定輸入，模式HKLM:\\.*?(?=\.)應該可以工作：

test_str = "Monitor for deletion of Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers. Monitor for changes made to Windows Registry keys and or values related to services and startup programs that correspond to security tools such as HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender."
matches = re.findall(r'HKLM:\\.*?(?=\.)', test_str)
print(matches)

這打印：

['HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers',
 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender']