unsigned int HashTable<T>::GetInsertPos(char const *_key) const
{
unsigned int index = HashFunc(_key);
// Test if the target slot is empty, if not increment until we
// find an empty one
while (m_keys[index] != NULL)
{
if(stricmp(m_keys[index], _key) == 0)
{
AppDebugOut( "GetInsertPos critical error : trying to insert key '%s'\n", _key );
DumpKeys();
AppAbort("Error with HashTable");
}
index++;
index &= m_mask;
m_numCollisions++;
}
return index;
}
int
_CRTAPI1
main(
int argc,
char *argv[]
)
{
ULONG n;
char *s;
LONG Error;
PWSTR RegistryPath;
InitCommonCode( CtrlCHandler,
"REGDMP",
"[-s] [-o outputWidth] registryPath",
"-s specifies summary output. Value names, type and first line of data\n"
"\n"
"registryPath specifies where to start dumping. Valid prefix names for\n"
" easy access to well known parts of the registry are:\n"
"\n"
" HKEY_LOCAL_MACHINE -> \\Registry\\Machine\n"
" HKEY_USERS -> \\Registry\\Users\n"
" HKEY_CURRENT_USER -> \\Registry\\Users\\...\n"
" USER: -> HKEY_CURRENT_USER"
"\n"
"If REGDMP detects any REG_SZ or REG_EXPAND_SZ that is missing the\n"
"trailing null character, it will prefix the value string with the\n"
"following text: (*** MISSING TRAILING NULL CHARACTER ***)\n"
"The REGFIND tool can be used to clean these up, as this is a common\n"
"programming error.\n"
);
RegistryPath = NULL;
while (--argc) {
s = *++argv;
if (*s == '-' || *s == '/') {
while (*++s) {
switch( tolower( *s ) ) {
case 'f':
FullPathOutput = TRUE;
break;
case 's':
SummaryOutput = TRUE;
break;
default:
CommonSwitchProcessing( &argc, &argv, *s );
break;
}
}
}
else
if (RegistryPath == NULL) {
RegistryPath = GetArgAsUnicode( s );
}
else {
Usage( "May only specify one registry path to dump", 0 );
}
}
Error = RTConnectToRegistry( MachineName,
HiveFileName,
HiveRootName,
Win95Path,
Win95UserPath,
&RegistryPath,
&RegistryContext
);
if (Error != NO_ERROR) {
FatalError( "Unable to access registry specifed (%u)", Error, 0 );
}
DumpKeys( RegistryContext.HiveRootHandle, RegistryPath, RegistryPath, 0 );
RTDisconnectFromRegistry( &RegistryContext );
return 0;
}
void
DumpKeys(
HKEY ParentKeyHandle,
PWSTR KeyName,
PWSTR FullPath,
ULONG Depth
)
{
LONG Error;
HKEY KeyHandle;
ULONG SubKeyIndex;
WCHAR SubKeyName[ MAX_PATH ];
ULONG SubKeyNameLength;
WCHAR ComputeFullPath[ MAX_PATH ];
FILETIME LastWriteTime;
Error = RTOpenKey( &RegistryContext,
ParentKeyHandle,
KeyName,
MAXIMUM_ALLOWED,
REG_OPTION_OPEN_LINK,
&KeyHandle
);
if (Error != NO_ERROR) {
if (Depth == 0) {
FatalError( "Unable to open key '%ws' (%u)\n",
(ULONG)KeyName,
(ULONG)Error
);
}
return;
}
//
// Print name of node we are about to dump out
//
if (!FullPathOutput) {
RTFormatKeyName( (PREG_OUTPUT_ROUTINE)fprintf, stdout, Depth * IndentMultiple, KeyName );
RTFormatKeySecurity( (PREG_OUTPUT_ROUTINE)fprintf, stdout, KeyHandle, NULL );
printf( "\n" );
}
//
// Print out node's values
//
if (FullPathOutput)
DumpValues( KeyHandle, FullPath, 0 );
else
DumpValues( KeyHandle, KeyName, Depth + 1 );
//
// Enumerate node's children and apply ourselves to each one
//
for (SubKeyIndex = 0; TRUE; SubKeyIndex++) {
SubKeyNameLength = sizeof( SubKeyName );
Error = RTEnumerateKey( &RegistryContext,
KeyHandle,
SubKeyIndex,
&LastWriteTime,
&SubKeyNameLength,
SubKeyName
);
if (Error != NO_ERROR) {
if (Error != ERROR_NO_MORE_ITEMS && Error != ERROR_ACCESS_DENIED) {
fprintf( stderr,
"RTEnumerateKey( %ws ) failed (%u), skipping\n",
KeyName,
Error
);
}
break;
}
if (FullPathOutput) {
wcscpy(ComputeFullPath, FullPath);
wcscat(ComputeFullPath, L"\\");
wcscat(ComputeFullPath, SubKeyName);
}
DumpKeys( KeyHandle, SubKeyName, ComputeFullPath, Depth + 1 );
}
RTCloseKey( &RegistryContext, KeyHandle );
return;
}
BOOL Scan4Key(BYTE *PrivateKeyClient_01, BYTE *PrivateKeyClient_02, BYTE *PrivateKeyClient_03, BYTE *PrivateKeyClient_04)
{
DWORD i;
DWORD Limit = 0x80000000; //0xC0000000 : 0x80000000;
MEMORY_BASIC_INFORMATION MemInfo;
HANDLE hProc = GetCurrentProcess();
SIZE_T sRet;
DWORD PageCount;
DWORD j, k;
//BYTE *bData = NULL;
struct CKey *ckey = NULL;
BYTE PageBuffer[0x1000];
SIZE_T BytesRead = 0;
//DWORD OldProtect;
i = 0x2389000;
for (i = 0x0; i < Limit; i++)
{
sRet = VirtualQueryEx(hProc, (LPCVOID)i, &MemInfo, sizeof(MemInfo));
if (sRet == 0 || MemInfo.State == MEM_FREE || MemInfo.State == MEM_RESERVE || (MemInfo.Protect & PAGE_READONLY) != 0 || (MemInfo.Protect & PAGE_GUARD) != 0 ||
(MemInfo.Protect & PAGE_EXECUTE) != 0 || (MemInfo.Protect & PAGE_NOACCESS) != 0)
{
if (sRet == 0)
{
i += 0x1000;
}
else
{
i += MemInfo.RegionSize;
}
continue;
}
PageCount = MemInfo.RegionSize / 0x1000;
for (j = 0; j < PageCount; j++)
{
/*sRet = VirtualQueryEx(hProc, (LPCVOID)(i + j * 0x1000), &MemInfo, sizeof(MemInfo));
if ((MemInfo.Protect & PAGE_READONLY) != 0 || (MemInfo.Protect & PAGE_GUARD) != 0)
continue;*/
//if (!VirtualProtect((LPVOID)(i + j * 0x1000), 0x1000, PAGE_EXECUTE_READWRITE, &OldProtect))
//continue;
//printf("Working on %08X\n", (LPVOID)(i + j * 0x1000));
//Sleep(10);
if (ReadProcessMemory(hProc, (LPCVOID)(i + j * 0x1000), PageBuffer, sizeof(PageBuffer), &BytesRead) && BytesRead != 0)
{
//memcpy_s(PageBuffer, sizeof(PageBuffer), (LPVOID)(i + j * 0x1000), 1);
//Sleep(10);
for (k = 0; k < (0x1000 - SIZE_PATTERN_KEY); k++)
{
ckey = (struct CKey *)(PageBuffer + k);
if (ckey->dwKeyPubSize_01 == 0x80 && ckey->dwKeyPrivSize_01 == 0x14 &&
ckey->dwKeyPubSize_02 == 0x80 && ckey->dwKeyPrivSize_02 == 0x14 &&
ckey->dwKeyPubSize_03 == 0x80 && ckey->dwKeyPrivSize_03 == 0x14 &&
ckey->dwKeyPubSize_04 == 0x80 && ckey->dwKeyPrivSize_04 == 0x14 &&
ckey->dwKeyPubSize_05 == 0x80 && ckey->dwKeyPrivSize_05 == 0x14)
{
dbg_msg("[+] FOUND at %08X!\n", (DWORD)(i + j * 0x1000));
DumpKeys(ckey);
memcpy(PrivateKeyClient_01, ckey->bKeyPriv_01, 0x14);
memcpy(PrivateKeyClient_02, ckey->bKeyPriv_02, 0x14);
memcpy(PrivateKeyClient_03, ckey->bKeyPriv_03, 0x14);
memcpy(PrivateKeyClient_04, ckey->bKeyPriv_04, 0x14);
return TRUE;
}
//bData += 1;
}
//VirtualProtect((LPVOID)(i + j * 0x1000), 0x1000, OldProtect, &OldProtect);
}
}
i += 0x1000 * PageCount;
}
return FALSE;
}