//------------------------------------------------------------------------------ void GetUserGroupFromRegFile(DWORD rid, char *group, DWORD group_size_max, HK_F_OPEN *hks, char *reg_path) { HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, reg_path); if (nk_h == NULL)return; HBIN_CELL_NK_HEADER *nk_h_tmp; char cbuffer[MAX_LINE_SIZE], buffer[MAX_LINE_SIZE]; DWORD valueSize,i,nbSubKey = GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, 0, NULL, 0); for (i=0;i<nbSubKey;i++) { //get nk of key :) nk_h_tmp = GetSubNKtonk(hks->buffer, hks->taille_fic, nk_h, hks->position, i); if (nk_h_tmp == NULL)continue; //C buffer[0] = 0; cbuffer[0] = 0; valueSize = MAX_LINE_SIZE; if(ReadBinarynk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL, nk_h_tmp,"C", buffer, &valueSize)) { DataToHexaChar(buffer, valueSize, cbuffer, MAX_LINE_SIZE); TraiterGroupDataFromSAM_C(cbuffer, rid, group, group_size_max); } } }
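//------------------------------------------------------------------------------
/* Fill in the textual RID and SID of a SAM account when the hive did not.
 *
 * The domain part of the SID cannot be recovered from this function's inputs,
 * so the SID is written in the placeholder form used throughout the tool
 * ("S-1-5-?-?-?-?-<rid>").  Fields that are already set are left alone.
 */
static void set_default_rid_sid(USERS_INFOS *u, DWORD rid)
{
  if (u->RID[0] == 0)
    snprintf(u->RID, MAX_PATH, "%05lu", rid);
  if (u->SID[0] == 0)
    snprintf(u->SID, MAX_PATH, "S-1-5-?-?-?-?-%lu", rid);
}

/* Enumerate the local accounts of an offline SAM hive and store them.
 *
 * For every subkey of SAM\Domains\Account\Users the binary "F" and "V" values
 * are read and decoded by TestUserDataFromSAM_F()/_V(); accounts where neither
 * value could be read are skipped.  When both the domain "F" value and the
 * global _SYSKEY are available the password hashes are decoded as well.
 * Rows go to addRegistryUsertoDB() (and addPasswordtoDB() when
 * TEST_REG_PASSWORD_ENABLE is set) under session_id.
 *
 * Fixes relative to the previous version: User_infos and userRID are reset per
 * account (stale RID/group/description no longer bleed from the previous
 * account into one whose F or V value is missing), and b_f is zero-filled so
 * the b_f[0] test below no longer reads indeterminate bytes when the domain
 * "F" value is absent.
 */
void Scan_registry_user_file(HK_F_OPEN *hks, sqlite3 *db, unsigned int session_id, char *computer_name)
{
#ifdef CMD_LINE_ONLY_NO_DB
  printf("\"RegistryUser\";\"source\";\"name\";\"RID\";\"SID\";\"grp\";\"description\";\"last_logon\";\"last_password_change\";"
         "\"nb_connexion\";\"type\";\"state_id\";\"session_id\";\r\n");
#endif

  // Domain-level "F" value: needed by DecodeSAMHashXP(); b_f[0] == 0 means "not found".
  BYTE b_f[MAX_LINE_SIZE] = {0};
  Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position,
               "SAM\\Domains\\Account", NULL, "F", b_f, MAX_LINE_SIZE);

  HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE,
                                            hks->position, "SAM\\Domains\\Account\\Users");
  if (nk_h == NULL)
    return;

  char SubKeyName[MAX_PATH];
  char cbuffer[MAX_LINE_SIZE], buffer[MAX_LINE_SIZE];
  USERS_INFOS User_infos;
  DWORD nbSubKey = GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, 0, NULL, 0);

  for (DWORD i = 0; i < nbSubKey; i++)
  {
    if (!GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, i, SubKeyName, MAX_PATH))
      continue;
    HBIN_CELL_NK_HEADER *nk_h_tmp = GetSubNKtonk(hks->buffer, hks->taille_fic, nk_h, hks->position, i);
    if (nk_h_tmp == NULL)
      continue;

    // Fresh state for each account; the RID[0]/SID[0] tests below rely on zeroed fields.
    memset(&User_infos, 0, sizeof User_infos);
    DWORD userRID = 0;
    BOOL ok_test = FALSE;
    DWORD valueSize;

    // "F" value: TestUserDataFromSAM_F() returns the RID it carries.
    buffer[0] = 0;
    cbuffer[0] = 0;
    valueSize = MAX_LINE_SIZE;
    if (ReadBinarynk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position,
                           NULL, nk_h_tmp, "F", buffer, &valueSize))
    {
      DataToHexaChar(buffer, valueSize, cbuffer, MAX_LINE_SIZE);
      userRID = TestUserDataFromSAM_F(&User_infos, cbuffer);
      ok_test = TRUE;
    }

    // "V" value: name/description etc. On success the subkey name (hex RID) is authoritative.
    buffer[0] = 0;
    cbuffer[0] = 0;
    valueSize = MAX_LINE_SIZE;
    if (ReadBinarynk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position,
                           NULL, nk_h_tmp, "V", buffer, &valueSize))
    {
      DataToHexaChar(buffer, valueSize, cbuffer, MAX_LINE_SIZE);
      if (TestUserDataFromSAM_V(&User_infos, cbuffer, computer_name))
      {
        userRID = HTDF(SubKeyName, 8);
        set_default_rid_sid(&User_infos, userRID);
      }
      else if (userRID)
      {
        set_default_rid_sid(&User_infos, userRID);
      }
      ok_test = TRUE;
    }
    else if (userRID)
    {
      set_default_rid_sid(&User_infos, userRID);
    }

    if (!ok_test)
      continue;

    // Group membership (only meaningful with a RID).
    if (userRID)
      GetUserGroupFRF(userRID, User_infos.group, MAX_PATH);

    // Password hashes need both the domain "F" blob and the boot key.
    if (b_f[0] != 0 && _SYSKEY[0] != 0)
      DecodeSAMHashXP(_SYSKEY, User_infos.pwdump_pwd_raw_format, userRID, User_infos.name, b_f);

    // NOTE(review): only description is SQL-escaped here; name/group reach the DB
    // layer as read from the hive — confirm addRegistryUsertoDB() binds parameters.
    convertStringToSQL(User_infos.description, MAX_PATH);
    addRegistryUsertoDB(hks->file, User_infos.name, User_infos.RID, User_infos.SID, User_infos.group,
                        User_infos.description, User_infos.last_logon, User_infos.last_password_change,
                        User_infos.nb_connexion, User_infos.type, User_infos.state_id, session_id, db);

    if (TEST_REG_PASSWORD_ENABLE)
      addPasswordtoDB(hks->file, User_infos.name, User_infos.pwdump_pwd_format, User_infos.pwdump_pwd_raw_format,
                      REG_PASSWORD_STRING_LOCAL_USER, session_id, db);
  }
}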
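//------------------------------------------------------------------------------
/* Map a registry value type code to its display name and tree-view icon.
 *
 * Returns the REG_* name for known codes (icon set accordingly) and NULL for
 * unknown codes (icon set to ICON_FILE_UNKNOW_REG) so the caller can render
 * the raw code instead.  REG_RESOURCE_LIST (8) and REG_FULL_RESOURCE_DESCRIPTOR (9)
 * are recognised in addition to the codes handled previously.
 */
static const char *reg_value_type_name(DWORD type, int *icon)
{
  switch (type)
  {
    case 0x00000000: *icon = ICON_FILE_UNKNOW_REG; return "REG_NONE";
    case 0x00000001: *icon = ICON_FILE_TXT_REG;    return "REG_SZ";
    case 0x00000002: *icon = ICON_FILE_TXT_REG;    return "REG_EXPAND_SZ";
    case 0x00000003: *icon = ICON_FILE_BIN_REG;    return "REG_BINARY";
    case 0x00000004:
    case 0x00000005: *icon = ICON_FILE_DWORD_REG;  return "REG_DWORD";
    case 0x00000006: *icon = ICON_FILE_BIN_REG;    return "REG_LINK";
    case 0x00000007: *icon = ICON_FILE_TXT_REG;    return "REG_MULTI_SZ";
    case 0x00000008: *icon = ICON_FILE_BIN_REG;    return "REG_RESOURCE_LIST";
    case 0x00000009: *icon = ICON_FILE_BIN_REG;    return "REG_FULL_RESOURCE_DESCRIPTOR";
    case 0x0000000A: *icon = ICON_FILE_BIN_REG;    return "REG_RESOURCE_REQUIREMENTS_LIST";
    case 0x0000000B: *icon = ICON_FILE_DWORD_REG;  return "REG_QWORD";
    default:         *icon = ICON_FILE_UNKNOW_REG; return NULL;
  }
}

/* Recursively render one key of a raw hive into the tree view and list view.
 *
 * Subkeys are added to the tree (as children of hparent) and expanded first;
 * then every value of nk_h becomes a "name=data" tree node and a list-view row
 * carrying reg_file, the key path (parent), value name/data/type, last-write
 * date, owner SID and class name.  A key with neither values nor subkeys still
 * gets one (empty) row.  Every 1000 list items the status bar is refreshed.
 *
 * Fixes relative to the previous version: the strncpy() calls that could leave
 * lv_line[0]/[1] unterminated are replaced by bounded snprintf(); the unknown-
 * type format uses %lX to match the DWORD argument (as %lu does elsewhere in
 * this file); parent_key_update/Owner_SID are cleared before Readnk_Infos().
 */
void ReadArboRawRegFile(HK_F_OPEN *hks, HBIN_CELL_NK_HEADER *nk_h, char *reg_file, HTREEITEM hparent,
                        char *parent, char *root, HANDLE hlv, HANDLE htv)
{
  if (nk_h == NULL)
    return;

  // Subkeys first: each one becomes a tree node and is expanded recursively.
  char tmp_key[MAX_PATH], tmp_root[MAX_PATH], tmp_parent[MAX_PATH];
  DWORD nbSubKey = GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, 0, NULL, 0);
  for (DWORD i = 0; i < nbSubKey; i++)
  {
    if (!GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, i, tmp_key, MAX_PATH))
      continue;
    snprintf(tmp_parent, MAX_PATH, "%s%s\\", parent, tmp_key);
    snprintf(tmp_root, MAX_PATH, "%s\\%s", root, tmp_key);
    ReadArboRawRegFile(hks, GetSubNKtonk(hks->buffer, hks->taille_fic, nk_h, hks->position, i), reg_file,
                       AddItemTreeViewImg(htv, tmp_key, hparent, ICON_DIRECTORY_REG),
                       tmp_parent, tmp_root, hlv, htv);
  }

  // List-view row template shared by every value of this key.
  LINE_ITEM lv_line[DLG_REG_LV_NB_COLUMN];
  char parent_key_update[MAX_PATH > DATE_SIZE_MAX ? DATE_SIZE_MAX : DATE_SIZE_MAX];
  char Owner_SID[MAX_PATH];
  char tmp_value_trv[MAX_PATH];
  snprintf(lv_line[0].c, MAX_LINE_SIZE, "%s", reg_file);
  snprintf(lv_line[1].c, MAX_LINE_SIZE, "%s", parent);
  lv_line[7].c[0] = 0; // "deleted" column: nothing to show for a live key
  lv_line[8].c[0] = 0; // class name, filled by Readnk_Class() below

  parent_key_update[0] = 0;
  Owner_SID[0] = 0;
  Readnk_Infos(hks->buffer, hks->taille_fic, (hks->pos_fhbin), hks->position, NULL, nk_h,
               parent_key_update, DATE_SIZE_MAX, NULL, 0, Owner_SID, MAX_PATH);
  Readnk_Class(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL, nk_h,
               lv_line[8].c, MAX_PATH);

  // One tree node and one list row per value.
  DWORD nbSubValue = GetValueData(hks->buffer, hks->taille_fic, nk_h, (hks->pos_fhbin)+HBIN_HEADER_SIZE,
                                  0, NULL, 0, NULL, 0);
  for (DWORD i = 0; i < nbSubValue; i++)
  {
    DWORD type = GetValueData(hks->buffer, hks->taille_fic, nk_h, (hks->pos_fhbin)+HBIN_HEADER_SIZE, i,
                              lv_line[2].c, MAX_LINE_SIZE, lv_line[3].c, MAX_LINE_SIZE);
    int icon;
    const char *type_name = reg_value_type_name(type, &icon);
    if (type_name != NULL)
    {
      snprintf(lv_line[4].c, MAX_LINE_SIZE, "%s", type_name);
      snprintf(tmp_value_trv, MAX_PATH, "%s=%s", lv_line[2].c, lv_line[3].c);
    }
    else
    {
      snprintf(lv_line[4].c, MAX_LINE_SIZE, "%s", "UNKNOW");
      snprintf(tmp_value_trv, MAX_PATH, "%s=(type:0x%08lX)%s", lv_line[2].c, type, lv_line[3].c);
    }
    AddItemTreeViewImg(htv, tmp_value_trv, hparent, icon);

    snprintf(lv_line[5].c, MAX_LINE_SIZE, "%s", parent_key_update);
    snprintf(lv_line[6].c, MAX_LINE_SIZE, "%s", Owner_SID);
    AddToLVRegBin(hlv, lv_line, DLG_REG_LV_NB_COLUMN);
  }

  // A leaf key without values still gets a row so the key itself is listed.
  if (nbSubValue < 1 && nk_h->nb_subkeys < 1)
  {
    lv_line[2].c[0] = 0;
    lv_line[3].c[0] = 0;
    lv_line[4].c[0] = 0;
    snprintf(lv_line[5].c, MAX_LINE_SIZE, "%s", parent_key_update);
    snprintf(lv_line[6].c, MAX_LINE_SIZE, "%s", Owner_SID);
    AddToLVRegBin(hlv, lv_line, DLG_REG_LV_NB_COLUMN);
  }

  // Progress feedback every 1000 items.
  DWORD nb = ListView_GetItemCount(hlv);
  if (nb % 1000 == 0)
  {
    char tmp[MAX_PATH];
    snprintf(tmp, MAX_PATH, "Loading... %lu keys", nb);
    SendMessage(GetDlgItem(h_reg, STB), SB_SETTEXT, 0, (LPARAM)tmp);
  }
}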
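//------------------------------------------------------------------------------
/* Clear and fill the last-write date and owner RID/SID of one key.
 *
 * The key is identified either by key_path (looked up from the hive root) or
 * by an already-resolved nk_h; the callers below always pass exactly one of
 * the two, matching how Readnk_Infos() is invoked elsewhere in this file.
 */
static void mru_read_key_infos(char *key_path, HBIN_CELL_NK_HEADER *nk_h,
                               char *parent_key_update, char *RID, char *sid)
{
  parent_key_update[0] = 0;
  RID[0] = 0;
  sid[0] = 0;
  Readnk_Infos(hks_mru.buffer, hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
               key_path, nk_h, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH, sid, MAX_PATH);
}

/* Store every value directly under nk_h (whose path is key_path) as an MRU row.
 *
 * When filter is non-NULL only values whose lower-cased name contains filter
 * are stored (Contient()/charToLowChar() as before).  source is the caller's
 * argv[5] column passed through to addRegistryMRUtoDB().  The walk stops as
 * soon as the global start_scan flag is cleared.
 */
static void mru_store_values(char *key_path, HBIN_CELL_NK_HEADER *nk_h, char *filter,
                             char *source, unsigned int session_id)
{
  char parent_key_update[DATE_SIZE_MAX], RID[MAX_PATH], sid[MAX_PATH];
  char value[MAX_PATH], tmp[MAX_LINE_SIZE];

  mru_read_key_infos(NULL, nk_h, parent_key_update, RID, sid);

  DWORD nbSubValue = GetValueData(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE,
                                  0, NULL, 0, NULL, 0);
  for (DWORD i = 0; i < nbSubValue && start_scan; i++)
  {
    if (!GetValueData(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,
                      value, MAX_PATH, tmp, MAX_LINE_SIZE))
      continue;
    // charToLowChar() is applied to the name buffer itself, as in the original code.
    if (filter != NULL && !Contient(charToLowChar(value), filter))
      continue;
    convertStringToSQL(value, MAX_PATH);
    convertStringToSQL(tmp, MAX_LINE_SIZE);
    addRegistryMRUtoDB(hks_mru.file, "", key_path, value, tmp, source, "", RID, sid, parent_key_update,
                       session_id, db_scan);
  }
}

/* sqlite3_exec() callback: resolve one MRU rule row against the open hive (hks_mru).
 *
 * Row columns used: argv[1] key path, argv[2] value name (or name filter),
 * argv[3] rule type (TYPE_* enumeration), argv[5] passed through as the rule
 * source.  Matches are written with addRegistryMRUtoDB() into db_scan under
 * current_session_id.  Always returns 0 so sqlite3_exec() keeps iterating.
 *
 * Fixes relative to the previous version: rows that are too short or carry a
 * NULL key/type column are ignored instead of dereferenced; in the WVALUE case
 * the SQL escaping is applied to the narrow string that is actually stored
 * (it was applied to the discarded wide buffer); the AVGeneral\cRecentFiles
 * walk no longer passes NULL NK cells to GetSubNK()/Readnk_Value(); the
 * identical RVALUE/VALUE walks share one body; the two-level walks now also
 * honour start_scan in their innermost loop.
 */
int callback_sqlite_registry_mru_file(void *datas, int argc, char **argv, char **azColName)
{
  FORMAT_CALBAK_TYPE *type = datas;
  unsigned int session_id = current_session_id;
  char tmp[MAX_LINE_SIZE];
  (void)azColName;

  // A NULL column reaches the callback as a NULL pointer; the key path and
  // rule type are mandatory, argv[5] is only forwarded.
  if (argc < 6 || argv[1] == NULL || argv[3] == NULL)
    return 0;
  if (type->type != SQLITE_REGISTRY_TYPE_MRU)
    return 0;

  switch (atoi(argv[3])) // value_type
  {
    case TYPE_VALUE_STRING:
    case TYPE_VALUE_WSTRING:
      if (argv[2] != NULL
          && Readnk_Value(hks_mru.buffer, hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE,
                          hks_mru.position, argv[1], NULL, argv[2], tmp, MAX_LINE_SIZE))
      {
        char parent_key_update[DATE_SIZE_MAX], RID[MAX_PATH], sid[MAX_PATH];
        mru_read_key_infos(argv[1], NULL, parent_key_update, RID, sid);
        convertStringToSQL(tmp, MAX_LINE_SIZE);
        addRegistryMRUtoDB(hks_mru.file, "", argv[1], argv[2], tmp, argv[5], "", RID, sid, parent_key_update,
                           session_id, db_scan);
      }
      break;

    case TYPE_ENUM_STRING_RVALUE: // all string values under one key
    case TYPE_ENUM_STRING_VALUE:  // documented as "exclude argv[2]" but that filter was never implemented
    {
      HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer, hks_mru.taille_fic,
                                                (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, argv[1]);
      if (nk_h != NULL)
        mru_store_values(argv[1], nk_h, NULL, argv[5], session_id);
      break;
    }

    case TYPE_ENUM_STRING_NVALUE: // only values whose name contains argv[2]
    {
      HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer, hks_mru.taille_fic,
                                                (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, argv[1]);
      if (nk_h != NULL && argv[2] != NULL)
        mru_store_values(argv[1], nk_h, argv[2], argv[5], session_id);
      break;
    }

    case TYPE_ENUM_STRING_WVALUE: // binary values rendered as wide strings
    {
      HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer, hks_mru.taille_fic,
                                                (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, argv[1]);
      if (nk_h == NULL)
        break;
      char parent_key_update[DATE_SIZE_MAX], RID[MAX_PATH], sid[MAX_PATH];
      char value[MAX_PATH], data[MAX_LINE_SIZE];
      mru_read_key_infos(NULL, nk_h, parent_key_update, RID, sid);

      DWORD nbSubValue = GetValueData(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE,
                                      0, NULL, 0, NULL, 0);
      for (DWORD i = 0; i < nbSubValue && start_scan; i++)
      {
        DWORD sz_value = MAX_LINE_SIZE;
        // "%S" walks tmp as a wide string up to a wide NUL; pre-zero the buffer and
        // force a terminator at its end so an unterminated blob cannot be read past.
        // (Assumes MAX_LINE_SIZE is even; GetBinaryValueData()'s own termination
        // guarantee is not visible here.)
        memset(tmp, 0, sizeof tmp);
        if (!GetBinaryValueData(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,
                                value, MAX_PATH, tmp, &sz_value))
          continue;
        tmp[MAX_LINE_SIZE - 2] = 0;
        tmp[MAX_LINE_SIZE - 1] = 0;

        convertStringToSQL(value, MAX_PATH);
        snprintf(data, MAX_LINE_SIZE, "%S", tmp);
        convertStringToSQL(data, MAX_LINE_SIZE); // escape what is stored, not the wide source
        addRegistryMRUtoDB(hks_mru.file, "", argv[1], value, data, argv[5], "", RID, sid, parent_key_update,
                           session_id, db_scan);
      }
      break;
    }

    case TYPE_ENUM_SUBNK_DATE: // one row per direct subkey, carrying its last-write date
    {
      HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer, hks_mru.taille_fic,
                                                (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, argv[1]);
      if (nk_h == NULL)
        break;
      char parent_key_update[DATE_SIZE_MAX], RID[MAX_PATH], sid[MAX_PATH];
      char value[MAX_PATH], tmp_key[MAX_PATH];
      // NOTE(review): this case and TYPE_DBL_ENUM_VALUE pass pos_fhbin+HBIN_HEADER_SIZE
      // to GetSubNK() where every other caller in this file passes hks_mru.position —
      // confirm the two are equivalent for this helper.
      DWORD nbSubnk = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE,
                               0, NULL, 0);
      for (DWORD i = 0; i < nbSubnk && start_scan; i++)
      {
        if (!GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,
                      value, MAX_PATH))
          continue;
        snprintf(tmp_key, MAX_PATH, "%s\\%s", argv[1], value);
        HBIN_CELL_NK_HEADER *nk_ht = GetRegistryNK(hks_mru.buffer, hks_mru.taille_fic,
                                                   (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, tmp_key);
        if (nk_ht == NULL)
          continue;
        mru_read_key_infos(NULL, nk_ht, parent_key_update, RID, sid);
        convertStringToSQL(tmp_key, MAX_PATH);
        addRegistryMRUtoDB(hks_mru.file, "", tmp_key, "", "", argv[5], "", RID, sid, parent_key_update,
                           session_id, db_scan);
      }
      break;
    }

    case TYPE_DBL_ENUM_VALUE: // argv[2] under <argv[1]>\<sub>\AVGeneral\cRecentFiles\<entry>
    {
      HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer, hks_mru.taille_fic,
                                                (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, argv[1]);
      if (nk_h == NULL || argv[2] == NULL)
        break;
      char parent_key_update[DATE_SIZE_MAX], RID[MAX_PATH], sid[MAX_PATH], data[MAX_PATH];
      char value[MAX_PATH], value2[MAX_PATH], tmp_key[MAX_PATH], tmp_key2[MAX_PATH];

      DWORD nbSubnk = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE,
                               0, NULL, 0);
      for (DWORD i = 0; i < nbSubnk && start_scan; i++)
      {
        if (!GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,
                      value, MAX_PATH))
          continue;
        snprintf(tmp_key, MAX_PATH, "%s\\%s\\AVGeneral\\cRecentFiles", argv[1], value);
        HBIN_CELL_NK_HEADER *nk_ht = GetRegistryNK(hks_mru.buffer, hks_mru.taille_fic,
                                                   (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, tmp_key);
        if (nk_ht == NULL)
          continue; // no cRecentFiles under this profile
        DWORD nbSubnk2 = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_ht, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE,
                                  0, NULL, 0);
        for (DWORD j = 0; j < nbSubnk2 && start_scan; j++)
        {
          if (!GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_ht, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, j,
                        value2, MAX_PATH))
            continue;
          snprintf(tmp_key2, MAX_PATH, "%s\\%s", tmp_key, value2);
          HBIN_CELL_NK_HEADER *nk_ht2 = GetRegistryNK(hks_mru.buffer, hks_mru.taille_fic,
                                                      (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, tmp_key2);
          if (nk_ht2 == NULL)
            continue;
          if (!Readnk_Value(hks_mru.buffer, hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE,
                            hks_mru.position, NULL, nk_ht2, argv[2], data, MAX_PATH))
            continue;
          mru_read_key_infos(NULL, nk_ht2, parent_key_update, RID, sid);
          convertStringToSQL(data, MAX_PATH);
          addRegistryMRUtoDB(hks_mru.file, "", tmp_key2, argv[2], data, argv[5], "", RID, sid, parent_key_update,
                             session_id, db_scan);
        }
      }
      break;
    }

    case TYPE_ENUM_STRING_RRVALUE: // all values under <argv[1]>\<a>\<b>\<argv[2]> (two levels down)
    {
      HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer, hks_mru.taille_fic,
                                                (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, argv[1]);
      if (nk_h == NULL || argv[2] == NULL)
        break;
      char tmp_key[MAX_PATH], tmp_key2[MAX_PATH], key_path[MAX_PATH];

      DWORD nbSubKey = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, 0, NULL, 0);
      for (DWORD i = 0; i < nbSubKey && start_scan; i++)
      {
        if (!GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i, tmp_key, MAX_PATH))
          continue;
        HBIN_CELL_NK_HEADER *nk_h_tmp = GetSubNKtonk(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i);
        if (nk_h_tmp == NULL)
          continue;
        DWORD nbSubKey2 = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h_tmp, hks_mru.position, 0, NULL, 0);
        for (DWORD j = 0; j < nbSubKey2 && start_scan; j++)
        {
          if (!GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h_tmp, hks_mru.position, j, tmp_key2, MAX_PATH))
            continue;
          snprintf(key_path, MAX_PATH, "%s\\%s\\%s\\%s", argv[1], tmp_key, tmp_key2, argv[2]);
          HBIN_CELL_NK_HEADER *nk_h_tmp2 = GetRegistryNK(hks_mru.buffer, hks_mru.taille_fic,
                                                         (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, key_path);
          if (nk_h_tmp2 == NULL)
            continue;
          mru_store_values(key_path, nk_h_tmp2, NULL, argv[5], session_id);
        }
      }
      break;
    }

    case TYPE_ENUM_STRING_R_VALUE: // all values under <argv[1]>\<a>\<argv[2]> (one level down)
    {
      HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer, hks_mru.taille_fic,
                                                (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, argv[1]);
      if (nk_h == NULL || argv[2] == NULL)
        break;
      char tmp_key[MAX_PATH], key_path[MAX_PATH];

      DWORD nbSubKey = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, 0, NULL, 0);
      for (DWORD i = 0; i < nbSubKey && start_scan; i++)
      {
        if (!GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i, tmp_key, MAX_PATH))
          continue;
        HBIN_CELL_NK_HEADER *nk_h_tmp = GetSubNKtonk(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i);
        if (nk_h_tmp == NULL)
          continue;
        snprintf(key_path, MAX_PATH, "%s\\%s\\%s", argv[1], tmp_key, argv[2]);
        HBIN_CELL_NK_HEADER *nk_h_tmp2 = GetRegistryNK(hks_mru.buffer, hks_mru.taille_fic,
                                                       (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, key_path);
        if (nk_h_tmp2 == NULL)
          continue;
        mru_store_values(key_path, nk_h_tmp2, NULL, argv[5], session_id);
      }
      break;
    }

    default:
      break;
  }
  return 0;
}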
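//------------------------------------------------------------------------------
//file registry part
//------------------------------------------------------------------------------
/* Map a service key's "Start" value (as the hex string read from the hive)
 * to the tool's state id.  Unknown values map to 215. */
static DWORD service_start_to_state_id(const char *start)
{
  if (strcmp(start, "0x00000000") == 0) return 210; // Kernel module
  if (strcmp(start, "0x00000001") == 0) return 211; // Started by system
  if (strcmp(start, "0x00000002") == 0) return 212; // Automatic start
  if (strcmp(start, "0x00000003") == 0) return 213; // Manual start
  if (strcmp(start, "0x00000004") == 0) return 214; // Disabled
  return 215;                                       // Unknown
}

/* Map a service key's "Type" value (hex string) to the tool's type id.
 * Unknown or missing values map to 215. */
static DWORD service_type_to_type_id(const char *type)
{
  if (strcmp(type, "0x00000001") == 0) return 200; // Kernel driver
  if (strcmp(type, "0x00000002") == 0) return 201; // File system driver
  if (strcmp(type, "0x00000010") == 0) return 202; // Own process
  if (strcmp(type, "0x00000020") == 0) return 203; // Shared process
  if (strcmp(type, "0x00000100") == 0) return 204; // Interactive
  return 215;
}

/* Enumerate the services/drivers below ckey in an offline hive and store them.
 *
 * For each subkey: the name is DisplayName, or the key name for keys that at
 * least carry a Group value (keys with neither are skipped); Start/Type are
 * mapped to state/type ids; ImagePath, Description (falling back to Group) and
 * the key's last-write date are collected and written with
 * addRegistryServicetoDB() under session_id.
 *
 * Fixes relative to the previous version: every per-service buffer is cleared
 * before the optional reads, so a service lacking ImagePath/Description/Type no
 * longer inherits the previous service's (or indeterminate) bytes — in
 * particular a missing "Type" was classified from the leftover "Start" string.
 */
void Scan_registry_service_file(HK_F_OPEN *hks, char *ckey, unsigned int session_id, sqlite3 *db)
{
  HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE,
                                            hks->position, ckey);
  if (nk_h == NULL)
    return;

  char tmp_key[MAX_PATH], key_path[MAX_PATH], state[MAX_PATH];
  char lastupdate[DATE_SIZE_MAX], name[MAX_PATH], path[MAX_PATH], description[MAX_PATH];
  DWORD nbSubKey = GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, 0, NULL, 0);

  for (DWORD i = 0; i < nbSubKey; i++)
  {
    if (!GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, i, tmp_key, MAX_PATH))
      continue;
    HBIN_CELL_NK_HEADER *nk_h_tmp = GetSubNKtonk(hks->buffer, hks->taille_fic, nk_h, hks->position, i);
    if (nk_h_tmp == NULL)
      continue;

    snprintf(key_path, MAX_PATH, "%s\\%s", ckey, tmp_key);

    // All values below are optional: start from empty strings.
    name[0] = 0;
    path[0] = 0;
    description[0] = 0;
    state[0] = 0;
    lastupdate[0] = 0;

    // Name: DisplayName, else the key name — but only for keys that belong to a Group.
    if (Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL,
                     nk_h_tmp, "DisplayName", name, MAX_PATH) == FALSE)
    {
      if (Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL,
                       nk_h_tmp, "Group", name, MAX_PATH) == FALSE)
        continue;
      snprintf(name, MAX_PATH, "%s", tmp_key);
    }

    // Start mode; 0 when the value is absent (distinct from 215 = unrecognised).
    DWORD state_id = 0;
    if (Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL,
                     nk_h_tmp, "Start", state, MAX_PATH))
      state_id = service_start_to_state_id(state);

    Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL,
                 nk_h_tmp, "ImagePath", path, MAX_PATH);

    if (Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL,
                     nk_h_tmp, "Description", description, MAX_PATH) == FALSE)
      Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL,
                   nk_h_tmp, "Group", description, MAX_PATH);

    // Service type; the buffer is reused, so clear the Start string first.
    state[0] = 0;
    Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL,
                 nk_h_tmp, "Type", state, MAX_PATH);
    DWORD type_id = service_type_to_type_id(state);

    Readnk_Infos(hks->buffer, hks->taille_fic, (hks->pos_fhbin), hks->position, NULL, nk_h_tmp,
                 lastupdate, DATE_SIZE_MAX, NULL, 0, NULL, 0);

    // NOTE(review): name and key_path are passed unescaped while path and
    // description go through convertStringToSQL() — confirm addRegistryServicetoDB()
    // binds its parameters rather than concatenating them.
    convertStringToSQL(path, MAX_PATH);
    convertStringToSQL(description, MAX_PATH);
    addRegistryServicetoDB(hks->file, "", key_path, name, state_id, path, description, type_id, lastupdate,
                           session_id, db);
  }
}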