//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
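// Thread entry for the "registry settings" test.
//   lParam : index of this test in H_tests[] / h_thread_test[] (handed over
//            by whoever created the thread); used only to report completion.
// Scans either the offline hive files listed under the "registry" node of
// the files tree, or (local scan with an empty list) the live registry.
// Returns 0 (thread exit code is not used).
DWORD WINAPI Scan_registry_setting(LPVOID lParam)
{
  char file[MAX_PATH];

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Registry_Settings\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"type_id\";\"description_id\";\"parent_key_update\";\"session_id\";\r\n");
  #endif

  // One transaction around the whole scan (same pattern as the sibling
  // Scan_* threads) unless the DB is already running in full-speed mode.
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  // Hive files win over the live registry: the live path is taken only
  // when the list is empty AND a local scan was requested.
  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem!=NULL || !LOCAL_SCAN)
  {
    // Stop between hives when the global cancel flag drops, as
    // Scan_registry_path and Scan_registry_mru already do.
    while(hitem!=NULL && start_scan)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      if (file[0] != 0)
        Scan_registry_setting_file(db_scan,file);
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }
  else
    Scan_registry_setting_local(db_scan);

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);

  // Untick the test in the UI, then release the thread slot (same order as
  // the other Scan_* threads).
  check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);
  h_thread_test[(unsigned int)lParam] = 0;
  return 0;
}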
//------------------------------------------------------------------------------
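// Thread entry for the "deleted registry keys" test.
//   lParam : index of this test in H_tests[] / h_thread_test[].
// Deleted-key recovery only works on hive *files* (it walks unallocated
// cells), so there is deliberately no live-registry branch: a local scan
// with an empty file list records nothing.
// Returns 0.
DWORD WINAPI Scan_registry_deletedKey(LPVOID lParam)
{
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  char file[MAX_PATH];

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Registry_Deleted_Key\";\"source\";\"key\";\"value\";\"data\";\"type\";\"sid\";\"last_update\";\"session_id\";\r\n");
  #endif

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem!=NULL || !LOCAL_SCAN)
  {
    // Honour the global cancel flag between hives (consistent with
    // Scan_registry_path / Scan_registry_mru).
    while(hitem!=NULL && start_scan)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      if (file[0] != 0)
        Scan_registry_deletedKey_file(file, session_id, db);
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);

  check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);
  h_thread_test[(unsigned int)lParam] = 0;
  return 0;
}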
//------------------------------------------------------------------------------
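// Resolve the group membership of a user RID from the offline hive files
// listed in the files tree (SAM "Aliases" keys, Builtin then Account).
//   userRID        : RID of the account to look up.
//   group          : output buffer, always NUL-terminated ("" when nothing
//                    was found); whether GetUserGroupFromRegFile appends to
//                    or overwrites it across hives is not visible here.
//   size_max_group : size of `group` in bytes.
// There is no live-registry fallback: on a local scan with no hive files
// the result is "".
void GetUserGroupFRF(DWORD userRID, char *group, DWORD size_max_group)
{
  char file[MAX_PATH];
  HK_F_OPEN hks;

  group[0] = 0;

  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem!=NULL || !LOCAL_SCAN)
  {
    while(hitem!=NULL)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);

      // Skip empty entries instead of handing "" to OpenRegFiletoMem, like
      // the other hive loops in this file.  (Do NOT `continue` here: the
      // next-item step below must run on every iteration or the loop
      // never advances.)
      if (file[0] != 0 && OpenRegFiletoMem(&hks, file))
      {
        GetUserGroupFromRegFile(userRID, group, size_max_group, &hks, "SAM\\Domains\\Builtin\\Aliases");
        GetUserGroupFromRegFile(userRID, group, size_max_group, &hks, "SAM\\Domains\\Account\\Aliases");
        CloseRegFiletoMem(&hks);
      }
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }
}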
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// Extract the "path" artefacts (shell open commands, Environment, App Paths)
// from one already-opened offline hive into the scan database.
static void scan_path_artefacts_in_hive(HK_F_OPEN *hks, unsigned int session_id, sqlite3 *db)
{
  // shell\open\command of every class
  EnumPath_file(hks,"Classes","shell\\open\\command",session_id,db, FALSE);
  // environment variables (last flag: expand/record as env)
  EnumPath_file(hks,"Environment","",session_id,db, TRUE);
  // registered applications, native and WOW64 views
  EnumPath_file(hks,"Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db, FALSE);
  EnumPath_file(hks,"Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db, FALSE);
}
//------------------------------------------------------------------------------
// Thread entry for the "registry paths" test.
//   lParam : index of this test in H_tests[] / h_thread_test[].
// Offline hives from the files tree are scanned when present (or when the
// scan is not local); otherwise the live HKLM / HKU keys are enumerated.
// The hive loop stops early when the global cancel flag drops.
// Returns 0.
DWORD WINAPI Scan_registry_path(LPVOID lParam)
{
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  char hive_path[MAX_PATH];
  HK_F_OPEN hks;
  HTREEITEM item;

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Registry_Path\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"user\";\"rid\";\"sid\";\"parent_key_update\";\"session_id\";\r\n");
  #endif

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  item = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (item == NULL && LOCAL_SCAN)
  {
    // live registry
    EnumPath_local(HKEY_LOCAL_MACHINE,"HKEY_LOCAL_MACHINE","SOFTWARE\\Classes","shell\\open\\command",session_id,db);
    EnumPath_local(HKEY_USERS,"HKEY_USERS","","Environment",session_id,db);
    EnumPath_local(HKEY_LOCAL_MACHINE,"HKEY_LOCAL_MACHINE","SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db);
    EnumPath_local(HKEY_LOCAL_MACHINE,"HKEY_LOCAL_MACHINE","SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db);
  }
  else
  {
    // offline hives, one per tree item
    for (; item != NULL && start_scan; item = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)item))
    {
      hive_path[0] = 0;
      GetTextFromTrv(item, hive_path, MAX_PATH);
      if (hive_path[0] == 0) continue;
      if (!OpenRegFiletoMem(&hks, hive_path)) continue;

      scan_path_artefacts_in_hive(&hks, session_id, db);
      CloseRegFiletoMem(&hks);
    }
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);

  check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);
  h_thread_test[(unsigned int)lParam] = 0;
  return 0;
}
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// Thread entry for the "registry MRU" test.
//   lParam : index of this test in H_tests[] / h_thread_test[].
// The MRU definitions live in the extract_registry_mru_request table of the
// scan DB; each row is handed to a callback that reads the matching key
// either from the hive currently loaded in the file-scope hks_mru (offline
// mode) or from the live registry.  Because hks_mru is shared file-scope
// state, this routine is presumably not meant to run twice concurrently.
// Returns 0.
DWORD WINAPI Scan_registry_mru(LPVOID lParam)
{
  sqlite3 *db = (sqlite3 *)db_scan;
  FORMAT_CALBAK_READ_INFO fcri;
  char hive_path[MAX_PATH];
  HTREEITEM item;

  fcri.type = SQLITE_REGISTRY_TYPE_MRU;

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Registry_MRU\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"description_id\";\"user\";\"rid\";\"sid\";\"parent_key_update\";\"session_id\";\r\n");
  #endif

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  item = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (item == NULL && LOCAL_SCAN)
  {
    // live registry: one pass over the request table
    sqlite3_exec(db, "SELECT hkey,key,value,value_type,type_id,description_id FROM extract_registry_mru_request;", callback_sqlite_registry_mru_local, &fcri, NULL);
  }
  else
  {
    // offline hives: one pass over the request table per hive
    for (; item != NULL && start_scan; item = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)item))
    {
      hive_path[0] = 0;
      GetTextFromTrv(item, hive_path, MAX_PATH);
      if (hive_path[0] == 0) continue;
      if (!OpenRegFiletoMem(&hks_mru, hive_path)) continue;

      sqlite3_exec(db, "SELECT hkey,search_key,value,value_type,type_id,description_id FROM extract_registry_mru_request;", callback_sqlite_registry_mru_file, &fcri, NULL);
      CloseRegFiletoMem(&hks_mru);
    }
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);

  check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);
  h_thread_test[(unsigned int)lParam] = 0;
  return 0;
}
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
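// Thread entry for the "services" test.
//   lParam : index of this test in H_tests[] / h_thread_test[].
// Offline SYSTEM hives: every ControlSet00N\Services key that exists is
// scanned (there is no "current" control set in an offline hive, so all
// four candidates are tried).  Live scan: CurrentControlSet only.
// Returns 0.
DWORD WINAPI Scan_registry_service(LPVOID lParam)
{
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  char file[MAX_PATH];
  HK_F_OPEN hks;

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Registry_Service\";\"file\";\"hk\";\"key\";\"name\";\"state_id\";\"path\";\"type_id\";\"last_update\";\"session_id\";\"description\";\r\n");
  #endif

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem!=NULL || !LOCAL_SCAN)
  {
    // Honour the global cancel flag between hives (consistent with
    // Scan_registry_path / Scan_registry_mru); four control sets per hive
    // make this one of the longer registry tests.
    while(hitem!=NULL && start_scan)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      if (file[0] != 0 && OpenRegFiletoMem(&hks, file))
      {
        Scan_registry_service_file(&hks,"ControlSet001\\Services", session_id, db);
        Scan_registry_service_file(&hks,"ControlSet002\\Services", session_id, db);
        Scan_registry_service_file(&hks,"ControlSet003\\Services", session_id, db);
        Scan_registry_service_file(&hks,"ControlSet004\\Services", session_id, db);
        CloseRegFiletoMem(&hks);
      }
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }
  else
    Scan_registry_service_local("SYSTEM\\CurrentControlSet\\Services\\",db, session_id);

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);

  check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);
  h_thread_test[(unsigned int)lParam] = 0;
  return 0;
}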
//------------------------------------------------------------------------------
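// Thread entry for the "shares" test.
//   lParam : index of this test in H_tests[] / h_thread_test[].
// Non-local scan: LanmanServer\Shares is read from every offline SYSTEM
// hive in the files tree.  Local scan: NetShareEnum (resolved at run time
// from NETAPI32 so the binary still loads where it is missing).
// Fixes vs. the previous version:
//   - the NetShareEnum buffer is released (NetApiBufferFree was resolved but
//     never called), and a real resume handle is passed so an ERROR_MORE_DATA
//     continuation no longer restarts from the first share;
//   - a LoadLibrary failure no longer returns with the SQLite transaction
//     still open and the thread slot still marked busy.
// Returns 0.
DWORD WINAPI Scan_share(LPVOID lParam)
{
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Share\";\"file\";\"share\";\"path\";\"description\";\"type\";\"connexion\";\"session_id\";\r\n");
  #endif

  if (!LOCAL_SCAN)
  {
    // offline hives
    char file[MAX_PATH];
    HK_F_OPEN hks;
    HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
    while(hitem!=NULL && start_scan)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      if (file[0] != 0 && OpenRegFiletoMem(&hks, file))
      {
        // no "current" control set in an offline hive: try all four
        EnumShare(&hks, session_id, db, "ControlSet001\\Services\\LanmanServer\\Shares");
        EnumShare(&hks, session_id, db, "ControlSet002\\Services\\LanmanServer\\Shares");
        EnumShare(&hks, session_id, db, "ControlSet003\\Services\\LanmanServer\\Shares");
        EnumShare(&hks, session_id, db, "ControlSet004\\Services\\LanmanServer\\Shares");
        CloseRegFiletoMem(&hks);
      }
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }
  else
  {
    // NOTE(review): loading by bare name relies on the loader search order;
    // netapi32 is normally a KnownDLL, so this is left as-is.
    HMODULE hDLL = LoadLibrary("NETAPI32.dll");
    if (hDLL != NULL)
    {
      typedef NET_API_STATUS (WINAPI *NETAPIBUFFERFREE)(LPVOID Buffer);
      NETAPIBUFFERFREE NetApiBufferFree = (NETAPIBUFFERFREE) GetProcAddress(hDLL,"NetApiBufferFree");

      typedef NET_API_STATUS (WINAPI *NETSHAREENUM)(LPWSTR servername, DWORD level, LPBYTE* bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, LPDWORD resume_handle);
      NETSHAREENUM NetShareEnum = (NETSHAREENUM) GetProcAddress(hDLL,"NetShareEnum");

      if (NetApiBufferFree != NULL && NetShareEnum != NULL )
      {
        NET_API_STATUS res;
        PSHARE_INFO_502 buffer, p;
        DWORD nb, tr, i, resume = 0;
        char share[DEFAULT_TMP_SIZE], path[MAX_PATH], description[MAX_PATH], type[DEFAULT_TMP_SIZE], connexion[DEFAULT_TMP_SIZE];

        do
        {
          buffer = NULL; nb = 0; tr = 0;
          res = NetShareEnum (NULL, 502, (LPBYTE *) &buffer, MAX_PREFERRED_LENGTH, &nb, &tr, &resume);

          if (res == ERROR_SUCCESS || res == ERROR_MORE_DATA)
          {
            for(i=0,p=buffer;i<nb;i++,p++)
            {
              // wide -> narrow, bounded
              snprintf(share,DEFAULT_TMP_SIZE,"%S",p->shi502_netname);
              snprintf(path,MAX_PATH,"%S",p->shi502_path);
              snprintf(description,MAX_PATH,"%S",p->shi502_remark);

              // shi502_type is STYPE_* optionally OR-ed with the TEMPORARY
              // (0x40000000) / SPECIAL (0x80000000) flags; only the exact
              // combinations below are labelled, the rest fall to UNKNOW.
              switch(p->shi502_type)
              {
                case STYPE_DISKTREE:  snprintf(type,DEFAULT_TMP_SIZE,"%s","DISKTREE");break;
                case STYPE_PRINTQ:    snprintf(type,DEFAULT_TMP_SIZE,"%s","PRINT");break;
                case STYPE_DEVICE:    snprintf(type,DEFAULT_TMP_SIZE,"%s","DEVICE");break;
                case STYPE_IPC:       snprintf(type,DEFAULT_TMP_SIZE,"%s","IPC");break;
                case STYPE_SPECIAL:   snprintf(type,DEFAULT_TMP_SIZE,"%s","SPECIAL");break;   // C$, ADMIN$ ...
                case 0x40000000UL:    snprintf(type,DEFAULT_TMP_SIZE,"%s","TEMPORARY");break; // STYPE_TEMPORARY
                case 0x80000003UL:    snprintf(type,DEFAULT_TMP_SIZE,"%s","RPC");break;       // STYPE_SPECIAL|STYPE_IPC (IPC$)
                default :             snprintf(type,DEFAULT_TMP_SIZE,"UNKNOW (%lu)",p->shi502_type);break;
              }

              // max_uses == (DWORD)-1 means "unlimited"
              if (p->shi502_max_uses==(DWORD)-1)
                snprintf(connexion,DEFAULT_TMP_SIZE,"%lu/-",p->shi502_current_uses);
              else snprintf(connexion,DEFAULT_TMP_SIZE,"%lu/%lu",p->shi502_current_uses,p->shi502_max_uses);

              // Everything that comes from the server is escaped before it
              // reaches the (string-built) INSERT, the share name included.
              convertStringToSQL(share, DEFAULT_TMP_SIZE);
              convertStringToSQL(path, MAX_PATH);
              convertStringToSQL(description, MAX_PATH);
              addSharetoDB("",share, path, description, type, connexion, session_id, db);
            }
          }

          // The API allocates the buffer on success and on ERROR_MORE_DATA.
          if (buffer != NULL) NetApiBufferFree(buffer);
        }while(res==ERROR_MORE_DATA && start_scan);
      }
      FreeLibrary(hDLL);
    }
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);
  h_thread_test[(unsigned int)lParam] = 0;
  return 0;
}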
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
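// Thread entry for the "users" test.
//   lParam : index of this test in H_tests[] / h_thread_test[].
// Offline mode walks the hive files in the tree; the first hive whose path
// contains "sam" (case-insensitive) is put aside and scanned LAST, so that
// the syskey and computer name picked up from the SYSTEM hive are already
// known when the SAM is parsed.  Live mode delegates to
// Scan_registry_user_local.
// Fix vs. the previous version: the path is lowercased only in a scratch
// copy for the "sam" test; the path handed to OpenRegFiletoMem keeps its
// original case, so the scan still works on case-sensitive volumes
// (Wine/Linux, which this tool explicitly supports elsewhere).
// Returns 0.
DWORD WINAPI Scan_registry_user(LPVOID lParam)
{
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;

  char file[MAX_PATH], file_lc[MAX_PATH], file_SAM[MAX_PATH]="";
  HK_F_OPEN hks;

  // syskey scratch output; not read here (registry_syskey_file presumably
  // keeps it where the SAM parser can find it - not visible in this file)
  char sk[MAX_PATH]="";

  char computer[DEFAULT_TMP_SIZE]="";
  BOOL ok_computer = FALSE;

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem!=NULL || !LOCAL_SCAN)
  {
    while(hitem!=NULL && start_scan)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      if (file[0] != 0)
      {
        // lowercase COPY for the substring test only
        snprintf(file_lc, MAX_PATH, "%s", file);
        charToLowChar(file_lc);

        // NOTE(review): this is a substring match on the whole path, so a
        // SYSTEM hive stored under e.g. "...\samples\..." would be deferred
        // as the SAM and skipped for syskey/ComputerName extraction.
        if (file_SAM[0] == 0 && Contient(file_lc,"sam"))
        {
          snprintf(file_SAM, MAX_PATH, "%s", file);
        }
        else if (OpenRegFiletoMem(&hks, file))
        {
          registry_syskey_file(&hks, sk, MAX_PATH);

          // computer name: first hive that carries it wins
          if (!ok_computer)
          {
            char tmp[DEFAULT_TMP_SIZE]="";
            Readnk_Value(hks.buffer, hks.taille_fic, (hks.pos_fhbin)+HBIN_HEADER_SIZE, hks.position, "ControlSet001\\Control\\ComputerName\\ComputerName", NULL,"ComputerName", tmp, DEFAULT_TMP_SIZE);
            if (tmp[0]!=0)
            {
              snprintf(computer, DEFAULT_TMP_SIZE, "%s", tmp);
              ok_computer = TRUE;
            }
          }

          Scan_registry_user_file(&hks, db, session_id,computer);
          CloseRegFiletoMem(&hks);
        }
      }
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }

    // deferred SAM hive, now that syskey / computer name are known
    if (file_SAM[0] != 0 && OpenRegFiletoMem(&hks, file_SAM))
    {
      Scan_registry_user_file(&hks, db, session_id,computer);
      CloseRegFiletoMem(&hks);
    }
  }
  else
    Scan_registry_user_local(db, session_id);

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);
  h_thread_test[(unsigned int)lParam] = 0;
  return 0;
}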
//------------------------------------------------------------------------------
//format : http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format
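// Thread entry for the "prefetch" test.
//   lParam : index of this test in H_tests[] / h_thread_test[].
// Files listed under the "applications" node of the tree (or any non-local
// / Wine scan) are parsed when their extension is .pf; otherwise the live
// %WINDIR%\Prefetch\*.pf directory is enumerated.
// Fixes vs. the previous version:
//   - the live path used to be built with strncat(dst, src, MAX_PATH), where
//     MAX_PATH is the TOTAL buffer size, not the remaining room: a long
//     cFileName (attacker-controllable on an examined disk) could overflow
//     the stack buffer.  It is now a single bounded snprintf; names that
//     would not fit are skipped;
//   - the FindFirstFile handle is closed;
//   - the tree-file path is lowercased only in a copy for the extension
//     test, so the original path is what gets opened (case-sensitive
//     volumes under Wine);
//   - the thread slot is released after the UI update, as in every other
//     Scan_* thread.
// Returns 0.
DWORD WINAPI Scan_prefetch(LPVOID lParam)
{
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Prefetch\";\"file\";\"path\";\"create_time\";\"last_update\";\"last_access\";\"count\";\"exec\";\"session_id\";\"depend\";\r\n");
  #endif

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);
  if (hitem!=NULL || !LOCAL_SCAN || WINE_OS)
  {
    // files from the tree
    char tmp_file_pref[MAX_PATH], tmp_lc[MAX_PATH], ext[MAX_PATH];
    while(hitem!=NULL && start_scan)
    {
      tmp_file_pref[0] = 0;
      ext[0]           = 0;
      GetTextFromTrv(hitem, tmp_file_pref, MAX_PATH);

      // extension test on a lowercased copy; open the path as given
      snprintf(tmp_lc, MAX_PATH, "%s", tmp_file_pref);
      if (tmp_file_pref[0] != 0 && !strcmp("pf",extractExtFromFile(charToLowChar(tmp_lc), ext, MAX_PATH)))
        PfCheck(session_id, db, tmp_file_pref);

      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }
  else
  {
    // live %WINDIR%\Prefetch
    char path[MAX_PATH] ="%WINDIR%\\Prefetch\\*.pf";
    ReplaceEnv("WINDIR",path,MAX_PATH);

    // directory prefix = pattern without its trailing "*.pf"
    char dir[MAX_PATH];
    size_t prefix_len = strlen(path);
    if (prefix_len >= 4) prefix_len -= 4;
    snprintf(dir, MAX_PATH, "%.*s", (int)prefix_len, path);

    char path_f[MAX_PATH];
    WIN32_FIND_DATA data;
    HANDLE hfic = FindFirstFile(path, &data);
    if (hfic != INVALID_HANDLE_VALUE)
    {
      do
      {
        // skip "." / ".." and sub-directories
        if (data.cFileName[0] == '.' && (data.cFileName[1] == 0 || data.cFileName[1] == '.')) continue;
        if (data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) continue;

        int n = snprintf(path_f, MAX_PATH, "%s%s", dir, data.cFileName);
        if (n < 0 || n >= MAX_PATH) continue;   // would not fit: cannot be opened anyway

        PfCheck(session_id, db, path_f);
      }while(FindNextFile (hfic,&data) && start_scan);
      FindClose(hfic);
    }
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);
  h_thread_test[(unsigned int)lParam] = 0;
  return 0;
}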
//------------------------------------------------------------------------------
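// Run every Chrome extraction query of sql_CHROME[] against the SQLite file
// whose path is currently held in the file-scope buffer tmp_file_chrome
// (the callback presumably reads that buffer to fill the "file" column -
// it is not passed explicitly) and feed the rows to callback_sqlite_chrome.
// The file is opened READ-ONLY: it is evidence, and plain sqlite3_open()
// opens read/write and even *creates* the file when the path does not
// exist.  On a failed open sqlite3 still hands back a handle that must be
// released with sqlite3_close().
static void chrome_scan_current_file(FORMAT_CALBAK_READ_INFO *data)
{
  sqlite3 *db_tmp = NULL;

  // NOTE(review): a read-only open of a WAL-mode database still needs the
  // -wal/-shm side files or a writable directory; confirm on live profiles.
  if (sqlite3_open_v2(tmp_file_chrome, &db_tmp, SQLITE_OPEN_READONLY, NULL) == SQLITE_OK)
  {
    for (data->type = 0; data->type < nb_sql_CHROME && start_scan; data->type = data->type + 1)
    {
      if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
      sqlite3_exec(db_tmp, sql_CHROME[data->type].sql, callback_sqlite_chrome, data, NULL);
      if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
    }
  }
  sqlite3_close(db_tmp);
}
//------------------------------------------------------------------------------
// Thread entry for the "Chrome history" test.
//   lParam : index of this test in H_tests[] / h_thread_test[].
// Local / console mode: every user profile listed in HKLM ProfileList is
// probed for <profile>\Local Settings\Application Data\Google\Chrome\User
// Data\Default\* (XP-style layout; the Vista+ AppData\Local layout is not
// probed here) and each file found is queried.  Otherwise the files listed
// under the "applications" node of the tree are queried directly.
// Fixes vs. the previous version: read-only opens (see helper), the SQLite
// handle is released on a failed open, the FindFirstFile handle is closed,
// empty tree entries are skipped, and the cancel flag is honoured.
// Returns 0.
DWORD WINAPI Scan_chrome_history(LPVOID lParam)
{
  // zero-initialised so the callback never sees indeterminate fields;
  // only .type is set explicitly here
  FORMAT_CALBAK_READ_INFO data = {0};

  HTREEITEM hitem = NULL;
  if (!CONSOL_ONLY)hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);

  if ((hitem == NULL && LOCAL_SCAN) || CONSOL_ONLY)
  {
    // HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList -> one subkey per profile
    HKEY CleTmp   = 0;
    if (RegOpenKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\",&CleTmp)==ERROR_SUCCESS)
    {
      DWORD i, nbSubKey=0, key_size;
      char tmp_key[MAX_PATH], tmp_key_path[MAX_PATH];

      if (RegQueryInfoKey (CleTmp,0,0,0,&nbSubKey,0,0,0,0,0,0,0)==ERROR_SUCCESS)
      {
        // NOTE(review): this header has no leading "Chrome" column, unlike
        // the tree-file branch below; left as-is (output format).
        #ifdef CMD_LINE_ONLY_NO_DB
        printf("\"file\";\"parameter\";\"date\";\"id_language_description\";\"session_id\";\"data\";\r\n");
        #endif

        for(i=0;i<nbSubKey && start_scan;i++)
        {
          key_size    = MAX_PATH;
          tmp_key[0]  = 0;
          if (RegEnumKeyEx (CleTmp,i,tmp_key,&key_size,0,0,0,0)!=ERROR_SUCCESS) continue;

          // ProfileImagePath of this profile (may contain %SYSTEMDRIVE%)
          snprintf(tmp_key_path,MAX_PATH,"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\%s\\",tmp_key);
          if (!ReadValue(HKEY_LOCAL_MACHINE,tmp_key_path,"ProfileImagePath",tmp_key, MAX_PATH)) continue;
          ReplaceEnv("SYSTEMDRIVE",tmp_key,MAX_PATH);

          snprintf(tmp_key_path,MAX_PATH,"%s\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\*.*",tmp_key);
          WIN32_FIND_DATA wfd;
          HANDLE hfic = FindFirstFile(tmp_key_path, &wfd);
          if (hfic == INVALID_HANDLE_VALUE) continue;

          do
          {
            if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) continue;
            if (wfd.cFileName[0] == '.' && (wfd.cFileName[1] == 0 || wfd.cFileName[1] == '.')) continue;

            snprintf(tmp_file_chrome,MAX_PATH,"%s\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\%s",tmp_key,wfd.cFileName);
            chrome_scan_current_file(&data);
          }while(FindNextFile (hfic,&wfd) && start_scan);
          FindClose(hfic);
        }
      }
      RegCloseKey(CleTmp);
    }
  }
  else
  {
    #ifdef CMD_LINE_ONLY_NO_DB
    printf("\"Chrome\";\"file\";\"parameter\";\"date\";\"id_language_description\";\"session_id\";\"data\";\r\n");
    #endif
    while(hitem!=NULL && start_scan)
    {
      tmp_file_chrome[0] = 0;
      GetTextFromTrv(hitem, tmp_file_chrome, MAX_PATH);
      if (tmp_file_chrome[0] != 0)
        chrome_scan_current_file(&data);
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }

  if (!CONSOL_ONLY)check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);
  h_thread_test[(unsigned int)lParam] = 0;
  return 0;
}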