//---------------------------------------------------------------- int FileContient(char * file, char *chaine) { int ret = -1; HANDLE hfile = CreateFile(file,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0); if (hfile != INVALID_HANDLE_VALUE) { DWORD dw =0, filesz = 0; filesz = GetFileSize(hfile,NULL); if (filesz > 0) { char *datas = malloc(filesz+1); if (datas != NULL) { if (ReadFile(hfile, datas, filesz, &dw, 0)) { if(Contient(charToLowChar(datas), charToLowChar(chaine)) > -1) ret = TRUE; else ret = FALSE; } free(datas); } } CloseHandle(hfile); } return ret; }
//------------------------------------------------------------------------------ //file registry part //------------------------------------------------------------------------------ int GetRegistryOs(HK_F_OPEN *hks) { char currentOS[MAX_PATH]=""; if (Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, "microsoft\\windows nt\\currentversion", NULL,"ProductName", currentOS, MAX_PATH)) { if (Contient(currentOS,GUIDE_REG_OS_2000) || Contient(currentOS,GUIDE_REG_OS_XP_32b) || Contient(currentOS,GUIDE_REG_OS_2003_32b) || Contient(currentOS,GUIDE_REG_OS_VISTA_32b) || Contient(currentOS,GUIDE_REG_OS_7_32b) || Contient(currentOS,GUIDE_REG_OS_2008_32b) || Contient(currentOS,GUIDE_REG_OS_8_32b))return TRUE; else return FALSE; } return -1; }
//------------------------------------------------------------------------------ BOOL isWine() { HKEY CleTmp=0; if (RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Wine",&CleTmp)==ERROR_SUCCESS) { RegCloseKey(CleTmp); return TRUE; } //deuxième cas char tmp[MAX_PATH]=""; if(ReadValue(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug","Debugger",tmp, MAX_PATH)) { if (Contient(tmp,"winedbg")) { return TRUE; } } return FALSE; }
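//----------------------------------------------------------------
// Copies the characters of *pc up to (not including) `sep` or the end of the
// string into dst, always NUL-terminating and never writing more than dst_size
// bytes (characters that do not fit are skipped). *pc is left ON the separator
// or terminator so the caller only steps past a separator that is really
// there; the original copied unbounded into MAX_PATH/SHA256_SIZE buffers and
// did c++ unconditionally, stepping past the NUL of a line missing a field.
static void CheckFiles_field(char **pc, char sep, char *dst, size_t dst_size)
{
  char *c = *pc;
  size_t n = 0;
  while (*c && *c != sep)
  {
    if (n + 1 < dst_size)
      dst[n++] = *c;
    c++;
  }
  if (dst_size > 0)
    dst[n] = 0;
  *pc = c;
}

// Dispatches one configuration line (`file`, relative to `remote_name`) to the
// matching check for test item `iitem`. Line formats:
//   ":size:md5:sha256:"  -> CheckRecursivFilesFromSizeAndEM (size/hash search)
//   ";name;text;"        -> CheckFileDatas (the file must contain `text`)
//   "dir\%\name"         -> CheckRecursivFiles with `name` searched below remote_name
//   "dir\" or "dir/"     -> CheckRecursivFiles over that directory tree
//   anything else        -> CheckFile on that single file, if it exists
// The ':' field parsing below was garbled in the copy this was rewritten from;
// it is reconstructed after the ';' branch, which parses the same way.
void CheckFiles(DWORD iitem, char *remote_name, char *file)
{
#ifdef DEBUG_MODE_FILES
  AddMsg(h_main,"DEBUG","files:CheckFiles START",remote_name);
#endif
  char tmp_path[LINE_SIZE] = "";

  if (file[0] == ':')
  {
#ifdef DEBUG_MODE_FILES
    AddMsg(h_main,(char*)"DEBUG (CheckFiles) FORMAT \":\"",file,(char*)remote_name);
#endif
    //format= :size on octets:MD5 hash: SHA256 hash:
    char s_sha[SHA256_SIZE] = "", s_md5[MAX_PATH] = "", s_size[MAX_PATH] = "";
    char *c = file + 1; //pass ':'
    if (*c == ':')
      return; // empty size field: nothing to search for
    CheckFiles_field(&c, ':', s_size, sizeof s_size);
    // strtoll rather than atol: long is 32-bit on Windows, which truncated
    // sizes above 2 GB before they reached the long long `size`.
    long long int size = strtoll(s_size, NULL, 10);
    if (size < 1)
      size = -1;
    //MD5
    if (*c == ':')
      c++; //pass ':'
    CheckFiles_field(&c, ':', s_md5, sizeof s_md5);
    //SHA
    if (*c == ':')
      c++; //pass ':'
    CheckFiles_field(&c, ':', s_sha, sizeof s_sha);
#ifdef DEBUG_MODE_FILES
    AddMsg(h_main,(char*)"DEBUG (CheckFiles)",remote_name,(char*)"");
#endif
    CheckRecursivFilesFromSizeAndEM(iitem, remote_name, size, s_md5, s_sha, TRUE, file);
    return;
  }
  else if (file[0] == ';')
  {
    //verify if the file contains the text
    //format: ;fichier.txt;127.0.0.1;
    char *c = file + 1; //pass ';'
    if (*c == ';')
      return; // empty file name
    char filename[MAX_PATH] = "", chaine[MAX_PATH] = "";
    CheckFiles_field(&c, ';', filename, sizeof filename);
    if (*c == ';')
      c++; //pass ';'
    CheckFiles_field(&c, ';', chaine, sizeof chaine);
    CheckFileDatas(iitem, remote_name, filename, chaine);
    return;
  }

  //check if file have % or ending with /
  size_t flen = strlen(file);
  long int position = Contient(file, "%");
  if (flen == 0)
  {
    // nothing to check (the original indexed file[-1] on an empty line)
  }
  else if (position > -1 && position < (long int)flen)
  {
#ifdef DEBUG_MODE_FILES
    AddMsg(h_main,(char*)"DEBUG (CheckFiles) FORMAT \"%\"",file,(char*)remote_name);
#endif
    //format : Windows\system32\%\host
    // Everything after the '%' separator is the name pattern searched below
    // remote_name. The original also built the prefix before '%' into a
    // local buffer whose only consumers are commented out; that dead code
    // included a tmp[position] = 0 write that landed at index -1 when the
    // line started with '%', so it is dropped.
    char tmp_file[LINE_SIZE];
    snprintf(tmp_file, LINE_SIZE, "%s", &file[position + 1]);
#ifdef DEBUG_MODE_FILES
    AddMsg(h_main,(char*)"DEBUG (CheckFiles)",remote_name,(char*)tmp_file);
#endif
    CheckRecursivFiles(iitem, remote_name, tmp_file, TRUE);
  }
  else if (file[flen - 1] == '\\' || file[flen - 1] == '/') //directory
  {
#ifdef DEBUG_MODE_FILES
    AddMsg(h_main,(char*)"DEBUG (CheckFiles) FORMAT \"Directory\"",file,(char*)remote_name);
#endif
    //enumerate all file in the directory and sub directory
    char tmp_file[LINE_SIZE];
    snprintf(tmp_file, LINE_SIZE, "%s", file); // bounded + terminated copy (strncpy was not)
    tmp_file[strlen(tmp_file) - 1] = 0;        // drop the trailing separator
    snprintf(tmp_path, LINE_SIZE, "%s\\%s", remote_name, tmp_file);
#ifdef DEBUG_MODE_FILES
    AddMsg(h_main,(char*)"DEBUG (CheckFiles)",tmp_path,(char*)"");
#endif
    CheckRecursivFiles(iitem, tmp_path, NULL, TRUE);
  }
  else
  {
#ifdef DEBUG_MODE_FILES
    AddMsg(h_main,(char*)"DEBUG (CheckFiles) FORMAT \"File\"",file,(char*)remote_name);
#endif
    //default: a single file below remote_name
    snprintf(tmp_path, LINE_SIZE, "%s\\%s", remote_name, file);
#ifdef DEBUG_MODE_FILES
    AddMsg(h_main,(char*)"DEBUG (CheckFiles) GetFileAttributes \"File\"",tmp_path,(char*)"");
#endif
    if (GetFileAttributes(tmp_path) != INVALID_FILE_ATTRIBUTES)
    {
      //file exists: fetch its find data (dates) for CheckFile
      WIN32_FIND_DATA data;
      HANDLE hfind = FindFirstFile(tmp_path, &data);
      if (hfind != INVALID_HANDLE_VALUE)
      {
#ifdef DEBUG_MODE_FILES
        AddMsg(h_main,(char*)"DEBUG (CheckFiles)",tmp_path,(char*)"");
#endif
        CheckFile(iitem, tmp_path, &data, file);
        FindClose(hfind);
      }
    }
  }
#ifdef DEBUG_MODE_FILES
  AddMsg(h_main,"DEBUG","files:CheckFiles END",remote_name);
#endif
}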
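//------------------------------------------------------------------------------
// Adds the file to tree view htv under TRV_HTREEITEM_CONF[title]: global_path
// is used verbatim when given, otherwise the item text is path+lowcase_file.
static void AddFileUnderTitle(HANDLE htv, char *lowcase_file, char *path, char *global_path, unsigned int title)
{
  if (global_path != NULL)
  {
    AddItemTreeView(htv, global_path, TRV_HTREEITEM_CONF[title]);
    return;
  }
  char tmp_path[MAX_PATH];
  snprintf(tmp_path, MAX_PATH, "%s%s", path, lowcase_file);
  AddItemTreeView(htv, tmp_path, TRV_HTREEITEM_CONF[title]);
}

// Ticks the tests a registry hive enables: LAN, environment, shares and the
// INDEX_REG_CONF..INDEX_REG_FIREWALL registry tests.
static void CheckHiveTests(void)
{
  check_treeview(htrv_test, H_tests[INDEX_LAN], TRV_STATE_CHECK);
  check_treeview(htrv_test, H_tests[INDEX_ENV], TRV_STATE_CHECK);
  check_treeview(htrv_test, H_tests[INDEX_SHARE], TRV_STATE_CHECK);
  for (unsigned int i = INDEX_REG_CONF; i <= INDEX_REG_FIREWALL; i++)
    check_treeview(htrv_test, H_tests[i], TRV_STATE_CHECK);
}

// TRUE for the user hives carrying a .dat extension (security/ntuser/settings/
// usrclass/classes .dat and their "<name>..._x.dat" variants).
static BOOL IsDatHiveName(char *lowcase_file, char *ext)
{
  BOOL is_dat = (strcmp(ext, "dat") == 0);
  return strcmp(lowcase_file, "security.dat") == 0 ||
         strcmp(lowcase_file, "ntuser.dat") == 0 ||
         (Contient(lowcase_file, "ntuser") > 0 && is_dat) ||
         strcmp(lowcase_file, "settings.dat") == 0 ||
         (startWith(lowcase_file, "settings_") && is_dat) || //win8
         strcmp(lowcase_file, "usrclass.dat") == 0 ||
         (Contient(lowcase_file, "usrclass") > 0 && is_dat) ||
         strcmp(lowcase_file, "classes.dat") == 0 ||
         (Contient(lowcase_file, "classes") > 0 && is_dat);
}

// TRUE for application databases: .db (android), .sqlite (firefox), .dat (ie),
// index.dat and its "index_*.dat" copies, ntds.dit and its "ntds_*.dit" copies.
static BOOL IsApplicationDataName(char *lowcase_file, char *ext)
{
  return strcmp(ext, "db") == 0 ||     //android
         strcmp(ext, "sqlite") == 0 || //firefox
         strcmp(ext, "dat") == 0 ||    //ie
         strcmp(lowcase_file, "index.dat") == 0 ||
         (startWith(lowcase_file, "index_") && strcmp(ext, "dat") == 0) ||
         strcmp(lowcase_file, "ntds.dit") == 0 ||
         (startWith(lowcase_file, "ntds_") && strcmp(ext, "dit") == 0);
}

// TRUE for the extension-less system hive names (and their "name_*" copies);
// the last six entries of each table are the Windows 8 additions.
static BOOL IsHiveName(char *lowcase_file)
{
  static char *const hives[] = {
    "sam", "software", "system", "default", "hardware", "security",
    "bcd-template", "components", "drivers", "bbi", "elam", "fp"
  };
  static char *const hive_copies[] = {
    "sam_", "software_", "system_", "default_", "hardware_", "security_",
    "bcd-template_", "components_", "drivers_", "bbi_", "elam_", "fp_"
  };
  for (size_t k = 0; k < sizeof hives / sizeof hives[0]; k++)
    if (strcmp(lowcase_file, hives[k]) == 0)
      return TRUE;
  for (size_t k = 0; k < sizeof hive_copies / sizeof hive_copies[0]; k++)
    if (startWith(lowcase_file, hive_copies[k]))
      return TRUE;
  return FALSE;
}

// TRUE for the extension-less Chrome profile files. "default" is kept from
// the original list but is unreachable: IsHiveName claims it first.
static BOOL IsChromeProfileName(char *lowcase_file)
{
  static char *const names[] = {
    "archived history", "history", "cookies", "default", "login data", "top sites", "web data"
  };
  for (size_t k = 0; k < sizeof names / sizeof names[0]; k++)
    if (strcmp(lowcase_file, names[k]) == 0)
      return TRUE;
  return FALSE;
}

// Classifies a collected file by its lowered name and extension, files it
// under the matching tree-view title (shortcuts, logs, registry hives,
// application databases, prefetch and scheduled-task files, Chrome profile
// files) and ticks the tests that can consume it. Files of no known family
// are ignored.
void AddItemFiletoTreeView(HANDLE htv, char *lowcase_file, char *path, char *global_path)
{
  //get extension
  char ext[MAX_PATH];
  if (!extractExtFromFile(lowcase_file, ext, MAX_PATH))
  {
    if (IsHiveName(lowcase_file)) //registry
    {
      AddFileUnderTitle(htv, lowcase_file, path, global_path, FILES_TITLE_REGISTRY);
      CheckHiveTests();
    }
    else if (IsChromeProfileName(lowcase_file)) //chrome
    {
      AddFileUnderTitle(htv, lowcase_file, path, global_path, FILES_TITLE_APPLI);
      check_treeview(htrv_test, H_tests[INDEX_NAV_CHROME], TRV_STATE_CHECK);
    }
    return;
  }

  if (strcmp(ext, "lnk") == 0) //shortcuts
  {
    AddFileUnderTitle(htv, lowcase_file, path, global_path, FILES_TITLE_FILES);
    check_treeview(htrv_test, H_tests[INDEX_FILE_NK], TRV_STATE_CHECK);
    check_treeview(htrv_test, H_tests[INDEX_FILE], TRV_STATE_CHECK);
  }
  else if (strcmp(ext, "log") == 0 || strcmp(ext, "evt") == 0 || strcmp(ext, "evtx") == 0) //logs
  {
    AddFileUnderTitle(htv, lowcase_file, path, global_path, FILES_TITLE_LOGS);
    check_treeview(htrv_test, H_tests[INDEX_LOG], TRV_STATE_CHECK);
  }
  else if (IsDatHiveName(lowcase_file, ext)) //registry
  {
    AddFileUnderTitle(htv, lowcase_file, path, global_path, FILES_TITLE_REGISTRY);
    CheckHiveTests();
  }
  else if (IsApplicationDataName(lowcase_file, ext)) //applications
  {
    AddFileUnderTitle(htv, lowcase_file, path, global_path, FILES_TITLE_APPLI);
    check_treeview(htrv_test, H_tests[INDEX_ANDROID], TRV_STATE_CHECK);
    check_treeview(htrv_test, H_tests[INDEX_NAV_CHROME], TRV_STATE_CHECK);
    check_treeview(htrv_test, H_tests[INDEX_NAV_FIREFOX], TRV_STATE_CHECK);
    check_treeview(htrv_test, H_tests[INDEX_NAV_IE], TRV_STATE_CHECK);
  }
  else if (strcmp(ext, "pf") == 0) //prefetch
  {
    AddFileUnderTitle(htv, lowcase_file, path, global_path, FILES_TITLE_APPLI);
    check_treeview(htrv_test, H_tests[INDEX_PREFETCH], TRV_STATE_CHECK);
  }
  else if (strcmp(ext, "job") == 0) //scheduled task (the original comment said "prefetch"; it ticks INDEX_TASK)
  {
    AddFileUnderTitle(htv, lowcase_file, path, global_path, FILES_TITLE_APPLI);
    check_treeview(htrv_test, H_tests[INDEX_TASK], TRV_STATE_CHECK);
  }
}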
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// Thread entry: scans user accounts from the hive files listed under the
// "registry" title of htrv_files, or from the live local registry when that
// list is empty and LOCAL_SCAN is set. Hive files are processed in list order
// except the one whose path contains "sam", which is kept for last so the
// computer name (ControlSet001\Control\ComputerName, read from the first hive
// that has it) is known when its accounts are recorded. lParam is the index of
// the test whose tree-view entry is unchecked and whose thread slot is cleared
// on completion. Always returns 0.
DWORD WINAPI Scan_registry_user(LPVOID lParam)
{
  //init
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  unsigned int test_index = (unsigned int)lParam;
  char file[MAX_PATH], file_SAM[MAX_PATH] = "";
  char sk[MAX_PATH] = "";
  char computer[DEFAULT_TMP_SIZE] = "";
  BOOL ok_computer = FALSE;
  HK_F_OPEN hks;

  if (!SQLITE_FULL_SPEED)
    sqlite3_exec(db_scan, "BEGIN TRANSACTION;", NULL, NULL, NULL);

  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM, (WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem == NULL && LOCAL_SCAN)
  {
    //no hive files listed: local registry
    Scan_registry_user_local(db, session_id);
  }
  else
  {
    //files
    for (; hitem != NULL; hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM, (WPARAM)TVGN_NEXT, (LPARAM)hitem))
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      if (file[0] == 0)
        continue;
      charToLowChar(file);

      //SAM file is deferred (first match only)
      // NOTE(review): substring match on the whole lowered path, so any path
      // containing "sam" is deferred, not only the SAM hive - confirm intended.
      if (Contient(file, "sam") && file_SAM[0] == 0)
      {
        strcpy(file_SAM, file);
        continue;
      }

      //open file + verify
      if (!OpenRegFiletoMem(&hks, file))
        continue;
      //get syskey (sk is filled but not passed on here; presumably consumed
      //through hks - confirm)
      registry_syskey_file(&hks, sk, MAX_PATH);
      if (!ok_computer)
      {
        char tmp[DEFAULT_TMP_SIZE] = "";
        Readnk_Value(hks.buffer, hks.taille_fic, (hks.pos_fhbin) + HBIN_HEADER_SIZE, hks.position,
                     "ControlSet001\\Control\\ComputerName\\ComputerName", NULL, "ComputerName", tmp, DEFAULT_TMP_SIZE);
        if (tmp[0] != 0)
        {
          strcpy(computer, tmp);
          ok_computer = TRUE;
        }
      }
      Scan_registry_user_file(&hks, db, session_id, computer);
      CloseRegFiletoMem(&hks);
    }

    //SAM file in last
    if (file_SAM[0] != 0 && OpenRegFiletoMem(&hks, file_SAM))
    {
      Scan_registry_user_file(&hks, db, session_id, computer);
      CloseRegFiletoMem(&hks);
    }
  }

  if (!SQLITE_FULL_SPEED)
    sqlite3_exec(db_scan, "END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
  h_thread_test[test_index] = 0;
  return 0;
}
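//------------------------------------------------------------------------------
// Little-endian 32-bit field of the SAM "V" structure read from its hex-string
// form: byte offset `off` sits at hex position off*2; the four bytes are put
// back in big-endian digit order before HTDF decodes the 8 hex digits.
static unsigned int samv_u32(const char *buffer, unsigned int off)
{
  char hex[9];
  unsigned int p = off * 2;
  hex[0] = buffer[p + 6]; hex[1] = buffer[p + 7];
  hex[2] = buffer[p + 4]; hex[3] = buffer[p + 5];
  hex[4] = buffer[p + 2]; hex[5] = buffer[p + 3];
  hex[6] = buffer[p];     hex[7] = buffer[p + 1];
  hex[8] = 0;
  return HTDF(hex, 8);
}

// One 32-bit SID sub-authority stored at hex position `at` (same byte
// re-ordering), decoded with HTD.
static unsigned long int samv_sid_part(const char *buffer, unsigned long int at)
{
  char hex[9];
  snprintf(hex, sizeof hex, "%c%c%c%c%c%c%c%c",
           buffer[at + 6], buffer[at + 7], buffer[at + 4], buffer[at + 5],
           buffer[at + 2], buffer[at + 3], buffer[at], buffer[at + 1]);
  return HTD(hex);
}

// Appends src to the NUL-terminated dst without exceeding dst_size bytes.
// The original used strncat(dst, src, MAX_PATH), whose third argument bounds
// the appended part and not the destination, so it could overrun the field.
static void samv_append(char *dst, size_t dst_size, const char *src)
{
  size_t len = strlen(dst);
  if (len < dst_size)
    snprintf(dst + len, dst_size - len, "%s", src);
}

// Decodes the hex-encoded field at string offset `of` holding `units`
// characters into out (MAX_PATH bytes, NUL-terminated). Returns FALSE, with
// out empty, when offset or length are zero or beyond the buffer.
static BOOL samv_field(const char *buffer, unsigned long int size_total, unsigned int of, unsigned int units, char *out)
{
  char hex[MAX_PATH];
  out[0] = 0;
  if (units == 0 || units >= size_total || of == 0 || of >= size_total)
    return FALSE;
  strncpy(hex, buffer + of, MAX_PATH);
  hex[MAX_PATH - 1] = 0; // strncpy leaves no terminator when the tail is long
  SHexaToString(hex, out, MAX_PATH);
  if (units < MAX_PATH)
    out[units] = 0;
  else
    out[MAX_PATH - 1] = 0;
  return TRUE;
}

// Fills *User_infos from one hex-encoded SAM "V" value (`buffer`): account
// name (prefixed with `computer` + '\' when computer is not empty), full name
// and description, account type, SID/RID with a well-known-SID label, and the
// LM/NT hash fields in pwdump column format (":<lm>:<nt>"). Returns TRUE when
// at least one field was decoded. Field offsets are those of the V structure
// (0x0C/0x10 name, 0x18/0x1C full name, 0x24/0x28 description, 0x9C/0xA0 LM,
// 0xA8/0xAC NT), relative to the 0xCC-byte header, hence (204 + offset) * 2
// on the hex string; string lengths are in UTF-16 units (bytes / 2), hash
// lengths in hex characters (bytes * 2).
BOOL TestUserDataFromSAM_V(USERS_INFOS *User_infos, char *buffer, char *computer)
{
  //init
  User_infos->name[0] = 0;
  User_infos->RID[0] = 0;
  User_infos->SID[0] = 0;
  User_infos->group[0] = 0;
  User_infos->type[0] = 0;
  User_infos->description[0] = 0;
  User_infos->pwdump_pwd_raw_format[0] = 0;
  User_infos->pwdump_pwd_format[0] = 0;

  //get datas
  BOOL ret = FALSE;
  char tmp[MAX_PATH], full_name[MAX_PATH], comment[MAX_PATH];
  unsigned long int size_total = strlen(buffer);
  // The highest header field read below is 0xAC (hex chars 344..351), so at
  // least 352 characters are needed; the original bound of 350 let that read
  // touch the terminator and one byte past it.
  if (size_total < 352)
    return FALSE;

  //--name: 0x0C offset, 0x10 length
  unsigned int of_name = (204 + samv_u32(buffer, 0x0C)) * 2;
  unsigned int taille_nom = samv_u32(buffer, 0x10) / 2;
  //--full name: 0x18 offset, 0x1C length
  unsigned int of_full_name = (204 + samv_u32(buffer, 0x18)) * 2;
  unsigned int taille_full_name = samv_u32(buffer, 0x1C) / 2;
  //--description: 0x24 offset, 0x28 length
  unsigned int of_description = (204 + samv_u32(buffer, 0x24)) * 2;
  unsigned int taille_description = samv_u32(buffer, 0x28) / 2;
  //--LM hash field: 0x9C offset, 0xA0 length
  unsigned int of_lmpw = (204 + samv_u32(buffer, 0x9C)) * 2;
  unsigned int taille_lmpw = samv_u32(buffer, 0xA0) * 2;
  //--NT hash field: 0xA8 offset, 0xAC length
  unsigned int of_ntpw = (204 + samv_u32(buffer, 0xA8)) * 2;
  unsigned int taille_ntpw = samv_u32(buffer, 0xAC) * 2;

  //---results---
  //name
  if (samv_field(buffer, size_total, of_name, taille_nom, tmp))
  {
    if (computer[0] == 0)
      snprintf(User_infos->name, MAX_PATH, "%s", tmp);
    else
      snprintf(User_infos->name, MAX_PATH, "%s\\%s", computer, tmp);
    ret = TRUE;
  }
  //full name
  if (samv_field(buffer, size_total, of_full_name, taille_full_name, full_name))
    ret = TRUE;
  //comment: shown after the full name in parentheses when both exist
  if (samv_field(buffer, size_total, of_description, taille_description, comment))
  {
    if (full_name[0] != 0)
      snprintf(User_infos->description, MAX_PATH, "(%s) %s", full_name, comment);
    else
      snprintf(User_infos->description, MAX_PATH, "%s", comment);
    ret = TRUE;
  }
  else if (taille_full_name > 0 && full_name[0] != 0)
    snprintf(User_infos->description, MAX_PATH, "(%s)", full_name);

  //type: flags byte at 0x04 (hex chars 8 and 9)
  char f0 = buffer[8], f1 = buffer[9];
  if ((f0 == 'B' || f0 == 'b') && (f1 == 'C' || f1 == 'c'))
    snprintf(User_infos->type, MAX_PATH, "2 : %s", cps[TXT_MSG_ADMIN].c);
  else if ((f0 == 'B' || f0 == 'b') && f1 == '0')
    snprintf(User_infos->type, MAX_PATH, "0 : %s", cps[TXT_MSG_GUEST].c);
  else if ((f0 == 'D' || f0 == 'd') && f1 == '4')
    snprintf(User_infos->type, MAX_PATH, "1 : %s", cps[TXT_MSG_USER].c);
  else
    snprintf(User_infos->type, MAX_PATH, "0x%c%c : %s", f0, f1, cps[TXT_MSG_UNK].c);

  //SID+RID: the SID header "2400 4400 0200 0105 0000 0000 0005" is followed by
  //five little-endian 32-bit sub-authorities (8 hex chars each, 40 in total)
  unsigned long int type_id = 0, last_id = 0;
  unsigned long int i = Contient(buffer, "2400440002000105000000000005");
  if ((i > 0) && (i < (size_total - 40)))
  {
    unsigned long int sub[5];
    for (unsigned int k = 0; k < 5; k++)
      sub[k] = samv_sid_part(buffer, i + 8 * k);
    type_id = sub[0];
    last_id = sub[4];
    snprintf(User_infos->SID, MAX_PATH, "S-1-5-%lu-%lu-%lu-%lu-%lu", sub[0], sub[1], sub[2], sub[3], sub[4]);
    snprintf(User_infos->RID, MAX_PATH, "%05lu", last_id);

    //well-known SID label appended to the description. The original switch
    //had no break between cases 1..20, so e.g. type 1 appended all twenty
    //labels; one label per identity is clearly what was meant.
    const char *rights = NULL;
    switch (type_id)
    {
      case 1: rights = " Rights : Dialup"; break;
      case 2: rights = " Rights : Network"; break;
      case 3: rights = " Rights : Batch"; break;
      case 4: rights = " Rights : Interative"; break;
      case 5: rights = " Rights : Driver"; break;
      case 6: rights = " Rights : Service"; break;
      case 7: rights = " Rights : Anonymous logon"; break;
      case 8: rights = " Rights : Proxy"; break;
      case 9: rights = " Rights : Entreprise domain controllers"; break;
      case 10: rights = " Rights : Self"; break;
      case 11: rights = " Rights : Authenticated Users"; break;
      case 12: rights = " Rights : Restricted"; break;
      case 13: rights = " Rights : Terminal server user"; break;
      case 14: rights = " Rights : Remote interactive logon"; break;
      case 15: rights = " Rights : This Organization"; break;
      case 18: rights = " Rights : System"; break;
      case 19: rights = " Rights : Local service"; break;
      case 20: rights = " Rights : Network service"; break;
      case 21: //domain / local machine accounts: label by RID
        switch (last_id)
        {
          case 500: rights = " Rights : Local Administrator"; break;
          case 501: rights = " Rights : Local Guest"; break;
          case 502: rights = " Rights : Krbtgt"; break;
          case 512: rights = " Rights : Domain Admins"; break;
          case 513: rights = " Rights : Domain Users"; break;
          case 514: rights = " Rights : Domain Guests"; break;
          case 515: rights = " Rights : Domain Computers"; break;
          case 516: rights = " Rights : Domain Controllers"; break;
          case 517: rights = " Rights : Cert Publishers"; break;
          case 518: rights = " Rights : Schema Admins"; break;
          case 519: rights = " Rights : Enterprise Admins"; break;
          case 520: rights = " Rights : Group Policy Creator Owners"; break;
          case 553: rights = " Rights : RAS and IAS Servers"; break;
          default: break;
        }
        break;
      case 32: //builtin groups
        switch (last_id)
        {
          case 544: rights = " Rights : Administrators"; break;
          case 545: rights = " Rights : Users"; break;
          case 546: rights = " Rights : Guests"; break;
          case 547: rights = " Rights : Power Users"; break;
          case 548: rights = " Rights : Account Operators"; break;
          case 549: rights = " Rights : Server Operators"; break;
          case 550: rights = " Rights : Print Operators"; break;
          case 551: rights = " Rights : Backup Operators"; break;
          case 552: rights = " Rights : Replicator "; break;
          case 554: rights = " Rights : Pre-Windows 2000 Compatible Access"; break;
          case 555: rights = " Rights : Remote Desktop Users"; break;
          case 556: rights = " Rights : Network Configuration Operators"; break;
          case 557: rights = " Rights : Incoming Forest Trust Builders"; break;
          case 558: rights = " Rights : Performance Monitor Users"; break;
          case 559: rights = " Rights : Performance Log Users"; break;
          case 560: rights = " Rights : Windows Authorization Access Group"; break;
          case 561: rights = " Rights : Terminal Server License Servers"; break;
          default: break;
        }
        break;
      case 64: //authentication packages
        switch (last_id)
        {
          case 10: rights = " Rights : NTLM Authentication"; break;
          case 14: rights = " Rights : SChannel Authentication"; break;
          case 21: rights = " Rights : Digest Authentication"; break;
          default: break;
        }
        break;
      default: break;
    }
    if (rights != NULL)
      samv_append(User_infos->description, MAX_PATH, rights);
    ret = TRUE;
  }

  //hash NT::LM: each field holds 8 hex chars of header, then the 32-hex-char
  //hash. Bounds are computed in unsigned long so a corrupt offset cannot wrap
  //the sum back below size_total.
  if (ret)
  {
    char lm[MAX_PATH] = "", nt[MAX_PATH] = "";
    if ((taille_lmpw > 8) && (of_lmpw > 0) && (((unsigned long int)of_lmpw + 8 + taille_lmpw) <= size_total))
    {
      strncpy(lm, buffer + of_lmpw + 8, MAX_PATH);
      lm[32] = 0;
    }
    else
      strcpy(lm, "NO PASSWORD*********************"); //LM
    // The original NT bound omitted the 8-char header the LM bound includes;
    // the same bound is applied to both.
    if ((taille_ntpw > 8) && (of_ntpw > 0) && (((unsigned long int)of_ntpw + 8 + taille_ntpw) <= size_total))
    {
      strncpy(nt, buffer + of_ntpw + 8, MAX_PATH);
      nt[32] = 0;
    }
    else
      strcpy(nt, "NO PASSWORD*********************"); //NT
    if ((lm[0] != 0) && (nt[0] != 0))
    {
      //pwdump format: <user>:<id>:<lanman pw>:<NT pw>:comment:homedir:
      //only the two hash columns are produced here
      snprintf(User_infos->pwdump_pwd_raw_format, MAX_PATH, ":%s:%s", lm, nt);
    }
  }
  return ret;
}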
//------------------------------------------------------------------------------ void reg_read_enum_MRUNvalues(HKEY hk,char *chkey,char *key,char *exclu,char* description_id,unsigned int session_id, sqlite3 *db) { HKEY CleTmp; if (RegOpenKey(hk,key,&CleTmp)!=ERROR_SUCCESS)return; DWORD nbValue,i,j; FILETIME last_update; if (RegQueryInfoKey (CleTmp,0,0,0,0,0,0,&nbValue,0,0,0,&last_update)!=ERROR_SUCCESS) { RegCloseKey(CleTmp); return; } //get date char parent_key_update[DATE_SIZE_MAX] = ""; filetimeToString_GMT(last_update, parent_key_update, DATE_SIZE_MAX); //read USER + RID + SID char tmp[MAX_PATH]; char user[MAX_PATH], RID[MAX_PATH], sid[MAX_PATH]; GetRegistryKeyOwner(CleTmp, user, RID, sid, MAX_PATH); //enum values char value[MAX_PATH], data[MAX_PATH]; DWORD valueSize,dataSize,type; for (i=0;i<nbValue && start_scan;i++) { valueSize = MAX_PATH; dataSize = MAX_PATH; value[0] = 0; data[0] = 0; type = 0; if (RegEnumValue (CleTmp,i,(LPTSTR)value,(LPDWORD)&valueSize,0,(LPDWORD)&type,(LPBYTE)data,(LPDWORD)&dataSize)==ERROR_SUCCESS) { if (Contient(charToLowChar(value),exclu)) { switch(type) { case REG_EXPAND_SZ: case REG_SZ: convertStringToSQL(value, MAX_PATH); convertStringToSQL(data, MAX_PATH); addRegistryMRUtoDB("",chkey,key,value,data,description_id,user,RID,sid,parent_key_update,session_id,db);break; case REG_BINARY: case REG_LINK: snprintf(tmp,MAX_PATH,"%S",data); convertStringToSQL(value, MAX_PATH); convertStringToSQL(tmp, MAX_PATH); addRegistryMRUtoDB("",chkey,key,value,tmp,description_id,user,RID,sid,parent_key_update,session_id,db);break; case REG_MULTI_SZ: for (j=0;j<dataSize;j++) { if (data[j] == 0)data[j]=';'; } convertStringToSQL(value, MAX_PATH); convertStringToSQL(data, MAX_PATH); addRegistryMRUtoDB("",chkey,key,value,data,description_id,user,RID,sid,parent_key_update,session_id,db);break; } } } } RegCloseKey(CleTmp); }
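//------------------------------------------------------------------------------
// Helpers for the hive-file MRU callback below.  They all work on the global
// offline hive `hks_mru` (buffer, size, first-hbin offset, root position) and
// write through the global `db_scan` database.

// Resolve a full key path inside the hks_mru hive to its NK cell, or NULL.
static HBIN_CELL_NK_HEADER *mru_find_key(char *key_path)
{
  return GetRegistryNK(hks_mru.buffer, hks_mru.taille_fic,
                       (hks_mru.pos_fhbin) + HBIN_HEADER_SIZE, hks_mru.position, key_path);
}

// Read last-write time, owner RID and SID of an NK cell into the caller's
// buffers, which must be DATE_SIZE_MAX, MAX_PATH and MAX_PATH bytes wide.
static void mru_read_key_infos(HBIN_CELL_NK_HEADER *nk, char *parent_key_update, char *RID, char *sid)
{
  Readnk_Infos(hks_mru.buffer, hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
               NULL, nk, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH, sid, MAX_PATH);
}

// Store every value of `nk` (whose path is `key_path`) in the MRU table.
// When `name_filter` is not NULL, only values whose lower-cased name contains
// it are stored (charToLowChar is applied to the name in that case, as in the
// original TYPE_ENUM_STRING_NVALUE branch).  `tmp` is the caller's
// MAX_LINE_SIZE scratch buffer that receives the value data.  Enumeration
// stops early when the global `start_scan` flag is cleared.
static void mru_store_key_values(HBIN_CELL_NK_HEADER *nk, char *key_path, char *name_filter,
                                 char *description_id, char *RID, char *sid, char *parent_key_update,
                                 unsigned int session_id, char *tmp)
{
  char value[MAX_PATH];
  // GetValueData with NULL output buffers is used throughout this file as
  // the "value count" query
  DWORD nbSubValue = GetValueData(hks_mru.buffer, hks_mru.taille_fic, nk,
                                  (hks_mru.pos_fhbin) + HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
  for (DWORD i = 0; i < nbSubValue && start_scan; i++) {
    if (!GetValueData(hks_mru.buffer, hks_mru.taille_fic, nk,
                      (hks_mru.pos_fhbin) + HBIN_HEADER_SIZE, i, value, MAX_PATH, tmp, MAX_LINE_SIZE)) {
      continue;
    }
    if (name_filter != NULL && !Contient(charToLowChar(value), name_filter)) {
      continue;
    }
    // escape before the strings are spliced into SQL
    convertStringToSQL(value, MAX_PATH);
    convertStringToSQL(tmp, MAX_LINE_SIZE);
    addRegistryMRUtoDB(hks_mru.file, "", key_path, value, tmp, description_id, "", RID, sid,
                       parent_key_update, session_id, db_scan);
  }
}

/**
 * sqlite3_exec() row callback for the MRU configuration table: each row
 * names a key (argv[1]), a value name or name filter (argv[2]), how to walk
 * the key (argv[3], a TYPE_* code) and a description id (argv[5]).  The
 * matching data is read from the offline hive `hks_mru` and stored with
 * addRegistryMRUtoDB().
 *
 * @param datas     FORMAT_CALBAK_TYPE* telling which table the row comes from;
 *                  only SQLITE_REGISTRY_TYPE_MRU rows are handled
 * @param argc      number of columns in the row
 * @param argv      column values; sqlite passes NULL for NULL columns
 * @param azColName column names (unused)
 * @return always 0 so that sqlite3_exec keeps iterating
 *
 * Column layout assumed from the indexes used: argv[1] key path, argv[2]
 * value name / filter, argv[3] value_type, argv[5] description id —
 * TODO confirm against the SELECT that drives this callback.
 */
int callback_sqlite_registry_mru_file(void *datas, int argc, char **argv, char **azColName)
{
  (void)azColName;
  FORMAT_CALBAK_TYPE *type = datas;
  unsigned int session_id = current_session_id;
  char tmp[MAX_LINE_SIZE];

  // Every branch below dereferences argv[1] and argv[3] (atoi(NULL) is
  // undefined) and indexes up to argv[5]; a short or NULL row is skipped
  // instead of taking the whole scan down.
  if (type == NULL || argc < 6 || argv[1] == NULL || argv[3] == NULL) {
    return 0;
  }
  if (type->type != SQLITE_REGISTRY_TYPE_MRU) {
    return 0;
  }

  switch (atoi(argv[3])) {   // value_type

    case TYPE_VALUE_STRING:
    case TYPE_VALUE_WSTRING:
      // single named value argv[2] under key argv[1], both looked up by path
      if (Readnk_Value(hks_mru.buffer, hks_mru.taille_fic, (hks_mru.pos_fhbin) + HBIN_HEADER_SIZE,
                       hks_mru.position, argv[1], NULL, argv[2], tmp, MAX_LINE_SIZE)) {
        char parent_key_update[DATE_SIZE_MAX] = "", RID[MAX_PATH] = "", sid[MAX_PATH] = "";
        Readnk_Infos(hks_mru.buffer, hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
                     argv[1], NULL, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH, sid, MAX_PATH);
        convertStringToSQL(tmp, MAX_LINE_SIZE);
        addRegistryMRUtoDB(hks_mru.file, "", argv[1], argv[2], tmp, argv[5], "", RID, sid,
                           parent_key_update, session_id, db_scan);
      }
      break;

    case TYPE_ENUM_STRING_RVALUE:   // all values under one key
    case TYPE_ENUM_STRING_VALUE: {  // same walk (the two original branches were identical)
      HBIN_CELL_NK_HEADER *nk_h = mru_find_key(argv[1]);
      if (nk_h == NULL) {
        break;
      }
      char parent_key_update[DATE_SIZE_MAX] = "", RID[MAX_PATH] = "", sid[MAX_PATH] = "";
      mru_read_key_infos(nk_h, parent_key_update, RID, sid);
      mru_store_key_values(nk_h, argv[1], NULL, argv[5], RID, sid, parent_key_update, session_id, tmp);
      break;
    }

    case TYPE_ENUM_STRING_NVALUE: {  // values under one key whose name contains argv[2]
      if (argv[2] == NULL) {
        break;   // nothing to filter on
      }
      HBIN_CELL_NK_HEADER *nk_h = mru_find_key(argv[1]);
      if (nk_h == NULL) {
        break;
      }
      char parent_key_update[DATE_SIZE_MAX] = "", RID[MAX_PATH] = "", sid[MAX_PATH] = "";
      mru_read_key_infos(nk_h, parent_key_update, RID, sid);
      mru_store_key_values(nk_h, argv[1], argv[2], argv[5], RID, sid, parent_key_update, session_id, tmp);
      break;
    }

    case TYPE_ENUM_STRING_WVALUE: {  // binary values rendered as wide strings
      HBIN_CELL_NK_HEADER *nk_h = mru_find_key(argv[1]);
      if (nk_h == NULL) {
        break;
      }
      char parent_key_update[DATE_SIZE_MAX] = "", RID[MAX_PATH] = "", sid[MAX_PATH] = "";
      mru_read_key_infos(nk_h, parent_key_update, RID, sid);
      char value[MAX_PATH], data[MAX_LINE_SIZE];
      DWORD nbSubValue = GetValueData(hks_mru.buffer, hks_mru.taille_fic, nk_h,
                                      (hks_mru.pos_fhbin) + HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
      for (DWORD i = 0; i < nbSubValue && start_scan; i++) {
        DWORD sz_value = MAX_LINE_SIZE;
        // zero the scratch buffer so the "%S" read below finds a wide
        // terminator after whatever GetBinaryValueData fills in
        memset(tmp, 0, MAX_LINE_SIZE);
        if (!GetBinaryValueData(hks_mru.buffer, hks_mru.taille_fic, nk_h,
                                (hks_mru.pos_fhbin) + HBIN_HEADER_SIZE, i, value, MAX_PATH, tmp, &sz_value)) {
          continue;
        }
        convertStringToSQL(value, MAX_PATH);
        // "%S" interprets the raw bytes as a wide string and narrows them
        snprintf(data, MAX_LINE_SIZE, "%S", tmp);
        // escape `data` — the string that is actually stored — not the raw
        // `tmp` buffer (the original escaped `tmp` and stored `data` unescaped)
        convertStringToSQL(data, MAX_LINE_SIZE);
        addRegistryMRUtoDB(hks_mru.file, "", argv[1], value, data, argv[5], "", RID, sid,
                           parent_key_update, session_id, db_scan);
      }
      break;
    }

    case TYPE_ENUM_SUBNK_DATE: {  // one row per direct sub-key, timestamps only
      HBIN_CELL_NK_HEADER *nk_h = mru_find_key(argv[1]);
      if (nk_h == NULL) {
        break;
      }
      char parent_key_update[DATE_SIZE_MAX] = "", RID[MAX_PATH] = "", sid[MAX_PATH] = "";
      char value[MAX_PATH], tmp_key[MAX_PATH];
      DWORD nbSubnk = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h,
                               (hks_mru.pos_fhbin) + HBIN_HEADER_SIZE, 0, NULL, 0);
      for (DWORD i = 0; i < nbSubnk && start_scan; i++) {
        if (!GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h,
                      (hks_mru.pos_fhbin) + HBIN_HEADER_SIZE, i, value, MAX_PATH)) {
          continue;
        }
        snprintf(tmp_key, MAX_PATH, "%s\\%s", argv[1], value);
        HBIN_CELL_NK_HEADER *nk_ht = mru_find_key(tmp_key);
        if (nk_ht == NULL) {
          continue;
        }
        mru_read_key_infos(nk_ht, parent_key_update, RID, sid);
        // only the sub-key path and its metadata are stored: no value, no data
        convertStringToSQL(tmp_key, MAX_PATH);
        addRegistryMRUtoDB(hks_mru.file, "", tmp_key, "", "", argv[5], "", RID, sid,
                           parent_key_update, session_id, db_scan);
      }
      break;
    }

    case TYPE_DBL_ENUM_VALUE: {  // <key>\<sub>\AVGeneral\cRecentFiles\<entry> : value argv[2]
      HBIN_CELL_NK_HEADER *nk_h = mru_find_key(argv[1]);
      if (nk_h == NULL) {
        break;
      }
      char parent_key_update[DATE_SIZE_MAX] = "", RID[MAX_PATH] = "", sid[MAX_PATH] = "";
      char data[MAX_PATH], value[MAX_PATH], value2[MAX_PATH], tmp_key[MAX_PATH], tmp_key2[MAX_PATH];
      DWORD nbSubnk = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h,
                               (hks_mru.pos_fhbin) + HBIN_HEADER_SIZE, 0, NULL, 0);
      for (DWORD i = 0; i < nbSubnk && start_scan; i++) {
        if (!GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h,
                      (hks_mru.pos_fhbin) + HBIN_HEADER_SIZE, i, value, MAX_PATH)) {
          continue;
        }
        // hard-coded intermediate path (the AVGeneral\cRecentFiles layout of
        // Adobe Reader's recent-file list)
        snprintf(tmp_key, MAX_PATH, "%s\\%s\\AVGeneral\\cRecentFiles", argv[1], value);
        HBIN_CELL_NK_HEADER *nk_ht = mru_find_key(tmp_key);
        if (nk_ht == NULL) {
          continue;   // missing intermediate key: nothing to enumerate (the original passed NULL on)
        }
        DWORD nbSubnk2 = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_ht,
                                  (hks_mru.pos_fhbin) + HBIN_HEADER_SIZE, 0, NULL, 0);
        for (DWORD j = 0; j < nbSubnk2 && start_scan; j++) {
          if (!GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_ht,
                        (hks_mru.pos_fhbin) + HBIN_HEADER_SIZE, j, value2, MAX_PATH)) {
            continue;
          }
          snprintf(tmp_key2, MAX_PATH, "%s\\%s", tmp_key, value2);
          HBIN_CELL_NK_HEADER *nk_ht2 = mru_find_key(tmp_key2);
          if (nk_ht2 == NULL) {
            continue;
          }
          if (!Readnk_Value(hks_mru.buffer, hks_mru.taille_fic, (hks_mru.pos_fhbin) + HBIN_HEADER_SIZE,
                            hks_mru.position, NULL, nk_ht2, argv[2], data, MAX_PATH)) {
            continue;
          }
          mru_read_key_infos(nk_ht2, parent_key_update, RID, sid);
          convertStringToSQL(data, MAX_PATH);
          addRegistryMRUtoDB(hks_mru.file, "", tmp_key2, argv[2], data, argv[5], "", RID, sid,
                             parent_key_update, session_id, db_scan);
        }
      }
      break;
    }

    case TYPE_ENUM_STRING_RRVALUE: {  // <key>\<sub1>\<sub2>\<argv[2]> : all values
      if (argv[2] == NULL) {
        break;   // argv[2] is formatted into the path with %s
      }
      HBIN_CELL_NK_HEADER *nk_h = mru_find_key(argv[1]);
      if (nk_h == NULL) {
        break;
      }
      char parent_key_update[DATE_SIZE_MAX] = "", RID[MAX_PATH] = "", sid[MAX_PATH] = "";
      char tmp_key[MAX_PATH], tmp_key2[MAX_PATH], key_path[MAX_PATH];
      // NOTE(review): the GetSubNK / GetSubNKtonk calls in this branch and in
      // TYPE_ENUM_STRING_R_VALUE pass hks_mru.position as the offset argument,
      // whereas the other branches pass pos_fhbin + HBIN_HEADER_SIZE; kept as
      // written — confirm which one GetSubNK expects.
      DWORD nbSubKey = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, 0, NULL, 0);
      for (DWORD i = 0; i < nbSubKey && start_scan; i++) {
        if (!GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i, tmp_key, MAX_PATH)) {
          continue;
        }
        HBIN_CELL_NK_HEADER *nk_h_tmp = GetSubNKtonk(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i);
        if (nk_h_tmp == NULL) {
          continue;
        }
        DWORD nbSubKey2 = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h_tmp, hks_mru.position, 0, NULL, 0);
        for (DWORD j = 0; j < nbSubKey2 && start_scan; j++) {
          if (!GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h_tmp, hks_mru.position, j, tmp_key2, MAX_PATH)) {
            continue;
          }
          snprintf(key_path, MAX_PATH, "%s\\%s\\%s\\%s", argv[1], tmp_key, tmp_key2, argv[2]);
          HBIN_CELL_NK_HEADER *nk_h_tmp2 = mru_find_key(key_path);
          if (nk_h_tmp2 == NULL) {
            continue;
          }
          mru_read_key_infos(nk_h_tmp2, parent_key_update, RID, sid);
          // the value loop now also honours start_scan, like every other branch
          mru_store_key_values(nk_h_tmp2, key_path, NULL, argv[5], RID, sid, parent_key_update, session_id, tmp);
        }
      }
      break;
    }

    case TYPE_ENUM_STRING_R_VALUE: {  // <key>\<sub>\<argv[2]> : all values
      if (argv[2] == NULL) {
        break;   // argv[2] is formatted into the path with %s
      }
      HBIN_CELL_NK_HEADER *nk_h = mru_find_key(argv[1]);
      if (nk_h == NULL) {
        break;
      }
      char parent_key_update[DATE_SIZE_MAX] = "", RID[MAX_PATH] = "", sid[MAX_PATH] = "";
      char tmp_key[MAX_PATH], key_path[MAX_PATH];
      DWORD nbSubKey = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, 0, NULL, 0);
      for (DWORD i = 0; i < nbSubKey && start_scan; i++) {
        if (!GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i, tmp_key, MAX_PATH)) {
          continue;
        }
        // the sub-key must resolve to an NK cell even though only its name is used
        if (GetSubNKtonk(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i) == NULL) {
          continue;
        }
        snprintf(key_path, MAX_PATH, "%s\\%s\\%s", argv[1], tmp_key, argv[2]);
        HBIN_CELL_NK_HEADER *nk_h_tmp2 = mru_find_key(key_path);
        if (nk_h_tmp2 == NULL) {
          continue;
        }
        mru_read_key_infos(nk_h_tmp2, parent_key_update, RID, sid);
        // the value loop now also honours start_scan, like every other branch
        mru_store_key_values(nk_h_tmp2, key_path, NULL, argv[5], RID, sid, parent_key_update, session_id, tmp);
      }
      break;
    }

    default:
      break;   // unknown value_type codes in the configuration table are ignored
  }

  return 0;
}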