//------------------------------------------------------------------------------ DWORD WINAPI Scan_registry_deletedKey(LPVOID lParam) { //init sqlite3 *db = (sqlite3 *)db_scan; unsigned int session_id = current_session_id; char file[MAX_PATH]; #ifdef CMD_LINE_ONLY_NO_DB printf("\"Registry_Deleted_Key\";\"source\";\"key\";\"value\";\"data\";\"type\";\"sid\";\"last_update\";\"session_id\";\r\n"); #endif //files or local if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL); HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]); if (hitem!=NULL || !LOCAL_SCAN) //files { while(hitem!=NULL) { file[0] = 0; GetTextFromTrv(hitem, file, MAX_PATH); if (file[0] != 0) { Scan_registry_deletedKey_file(file, session_id, db); } hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem); } } if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL); check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan h_thread_test[(unsigned int)lParam] = 0; return 0; }
//------------------------------------------------------------------------------ //------------------------------------------------------------------------------ DWORD WINAPI Scan_registry_setting(LPVOID lParam) { //init char file[MAX_PATH]; #ifdef CMD_LINE_ONLY_NO_DB printf("\"Registry_Settings\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"type_id\";\"description_id\";\"parent_key_update\";\"session_id\";\r\n"); #endif //files or local if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL); HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]); if (hitem!=NULL || !LOCAL_SCAN) //files { while(hitem!=NULL) { file[0] = 0; GetTextFromTrv(hitem, file, MAX_PATH); if (file[0] != 0) { //verify Scan_registry_setting_file(db_scan,file); } hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem); } }else Scan_registry_setting_local(db_scan); //local if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL); check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK); h_thread_test[(unsigned int)lParam] = 0; return 0; }
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// Thread entry: collects "path" registry data (shell open commands,
// environment blocks, App Paths) either from the hive files listed in the
// files tree view (EnumPath_file) or from the live registry (EnumPath_local).
//
// lParam: index into H_tests / h_thread_test identifying this scan thread.
// Returns 0 (the thread exit code is not used).
DWORD WINAPI Scan_registry_path(LPVOID lParam)
{
    // keys walked in each hive file; the last flag is passed through to
    // EnumPath_file and is TRUE only for the Environment key
    struct file_key { char *key; char *subkey; BOOL flag; };
    static const struct file_key FILE_KEYS[] = {
        { "Classes", "shell\\open\\command", FALSE },                           // class open/edit/print commands
        { "Environment", "", TRUE },                                            // environment variables
        { "Microsoft\\Windows\\CurrentVersion\\App Paths", "", FALSE },         // registered applications
        { "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths", "", FALSE },
    };
    // same data read from the live registry
    struct local_key { HKEY hk; char *hk_name; char *key; char *subkey; };
    const struct local_key LOCAL_KEYS[] = {
        { HKEY_LOCAL_MACHINE, "HKEY_LOCAL_MACHINE", "SOFTWARE\\Classes", "shell\\open\\command" },
        { HKEY_USERS, "HKEY_USERS", "", "Environment" },
        { HKEY_LOCAL_MACHINE, "HKEY_LOCAL_MACHINE", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths", "" },
        { HKEY_LOCAL_MACHINE, "HKEY_LOCAL_MACHINE", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths", "" },
    };

    unsigned int test_index = (unsigned int)lParam;
    sqlite3 *db = (sqlite3 *)db_scan;
    unsigned int session_id = current_session_id;
    char file[MAX_PATH];
    HK_F_OPEN hks;
    size_t k;

#ifdef CMD_LINE_ONLY_NO_DB
    printf("\"Registry_Path\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"user\";\"rid\";\"sid\";\"parent_key_update\";\"session_id\";\r\n");
#endif

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "BEGIN TRANSACTION;", NULL, NULL, NULL);

    HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM, (WPARAM)TVGN_CHILD,
                                             (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
    if (hitem == NULL && LOCAL_SCAN)
    {
        // local mode
        for (k = 0; k < sizeof LOCAL_KEYS / sizeof LOCAL_KEYS[0]; k++)
            EnumPath_local(LOCAL_KEYS[k].hk, LOCAL_KEYS[k].hk_name, LOCAL_KEYS[k].key,
                           LOCAL_KEYS[k].subkey, session_id, db);
    }
    else
    {
        // files mode: stops early when the stop flag (start_scan) is cleared
        for (; hitem != NULL && start_scan;
             hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM, (WPARAM)TVGN_NEXT, (LPARAM)hitem))
        {
            file[0] = 0;
            GetTextFromTrv(hitem, file, MAX_PATH);
            if (file[0] == 0)
                continue;
            // open the hive in memory; skipped silently when it cannot be read
            if (!OpenRegFiletoMem(&hks, file))
                continue;
            for (k = 0; k < sizeof FILE_KEYS / sizeof FILE_KEYS[0]; k++)
                EnumPath_file(&hks, FILE_KEYS[k].key, FILE_KEYS[k].subkey, session_id, db, FILE_KEYS[k].flag);
            CloseRegFiletoMem(&hks);
        }
    }

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "END TRANSACTION;", NULL, NULL, NULL);

    check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
    h_thread_test[test_index] = 0;
    return 0;
}
//------------------------------------------------------------------------------ //------------------------------------------------------------------------------ DWORD WINAPI Scan_registry_mru(LPVOID lParam) { //init sqlite3 *db = (sqlite3 *)db_scan; char file[MAX_PATH]; FORMAT_CALBAK_READ_INFO fcri; fcri.type = SQLITE_REGISTRY_TYPE_MRU; #ifdef CMD_LINE_ONLY_NO_DB printf("\"Registry_MRU\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"description_id\";\"user\";\"rid\";\"sid\";\"parent_key_update\";\"session_id\";\r\n"); #endif //files or local if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL); HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]); if (hitem!=NULL || !LOCAL_SCAN) //files { while(hitem!=NULL && start_scan) { file[0] = 0; GetTextFromTrv(hitem, file, MAX_PATH); if (file[0] != 0) { //open file + verify if(OpenRegFiletoMem(&hks_mru, file)) { sqlite3_exec(db, "SELECT hkey,search_key,value,value_type,type_id,description_id FROM extract_registry_mru_request;", callback_sqlite_registry_mru_file, &fcri, NULL); CloseRegFiletoMem(&hks_mru); } } hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem); } }else { sqlite3_exec(db, "SELECT hkey,key,value,value_type,type_id,description_id FROM extract_registry_mru_request;", callback_sqlite_registry_mru_local, &fcri, NULL); } if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL); check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan h_thread_test[(unsigned int)lParam] = 0; return 0; }
//------------------------------------------------------------------------------ //------------------------------------------------------------------------------ DWORD WINAPI Scan_registry_service(LPVOID lParam) { //init sqlite3 *db = (sqlite3 *)db_scan; unsigned int session_id = current_session_id; char file[MAX_PATH]; HK_F_OPEN hks; #ifdef CMD_LINE_ONLY_NO_DB printf("\"Registry_Service\";\"file\";\"hk\";\"key\";\"name\";\"state_id\";\"path\";\"type_id\";\"last_update\";\"session_id\";\"description\";\r\n"); #endif //files or local if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL); HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]); if (hitem!=NULL || !LOCAL_SCAN) //files { while(hitem!=NULL) { file[0] = 0; GetTextFromTrv(hitem, file, MAX_PATH); if (file[0] != 0) { //open file + verify if(OpenRegFiletoMem(&hks, file)) { Scan_registry_service_file(&hks,"ControlSet001\\Services", session_id, db); Scan_registry_service_file(&hks,"ControlSet002\\Services", session_id, db); Scan_registry_service_file(&hks,"ControlSet003\\Services", session_id, db); Scan_registry_service_file(&hks,"ControlSet004\\Services", session_id, db); CloseRegFiletoMem(&hks); } } hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem); } }else Scan_registry_service_local("SYSTEM\\CurrentControlSet\\Services\\",db, session_id); if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL); check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan h_thread_test[(unsigned int)lParam] = 0; return 0; }
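//------------------------------------------------------------------------------
// Thread entry: dumps the live IPv4 routing table (GetIpForwardTable from
// IPHLPAPI.DLL, resolved at run time) into the DB through addRoutetoDB().
// Meaningless for a file-based scan, which only releases its test slot.
//
// Every failure path goes through `cleanup` so the transaction is always
// closed and the test slot released; the original returned early on
// LoadLibrary / HeapAlloc failure and left both dangling.
//
// lParam: index into H_tests / h_thread_test identifying this scan thread.
// Returns 0 (the thread exit code is not used).
DWORD WINAPI Scan_route(LPVOID lParam)
{
    typedef DWORD (WINAPI *GETIPFORWARDTABLE)(PMIB_IPFORWARDTABLE pIpForwardTable, PULONG pdwSize, BOOL bOrder);

    unsigned int test_index = (unsigned int)lParam;
    sqlite3 *db = (sqlite3 *)db_scan;
    unsigned int session_id = current_session_id;
    HANDLE hDLL = NULL;
    GETIPFORWARDTABLE GetIpForwardTable = NULL;
    PMIB_IPFORWARDTABLE pIpForwardTable = NULL;
    DWORD dwSize = 0;

    // nothing to do when the scan targets collected files rather than this machine
    if (!LOCAL_SCAN)
    {
        h_thread_test[test_index] = 0;
        check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
        return 0;
    }

#ifdef CMD_LINE_ONLY_NO_DB
    printf("\"Route\";\"destination\";\"netmask\";\"gateway\";\"metric\";\"session_id\";\r\n");
#endif

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "BEGIN TRANSACTION;", NULL, NULL, NULL);

    // loaded dynamically so the binary still runs where the DLL is missing
    hDLL = LoadLibrary("IPHLPAPI.DLL");
    if (hDLL == NULL)
        goto cleanup;
    GetIpForwardTable = (GETIPFORWARDTABLE)GetProcAddress(hDLL, "GetIpForwardTable");
    if (GetIpForwardTable == NULL)
        goto cleanup;

    // the first call, with dwSize == 0, only serves to learn the required size
    pIpForwardTable = (PMIB_IPFORWARDTABLE)HeapAlloc(GetProcessHeap(), 0, sizeof(MIB_IPFORWARDTABLE));
    if (pIpForwardTable == NULL)
        goto cleanup;
    if (GetIpForwardTable(pIpForwardTable, &dwSize, FALSE) == ERROR_INSUFFICIENT_BUFFER)
    {
        HeapFree(GetProcessHeap(), 0, pIpForwardTable);
        pIpForwardTable = (PMIB_IPFORWARDTABLE)HeapAlloc(GetProcessHeap(), 0, dwSize);
        if (pIpForwardTable == NULL)
            goto cleanup;
    }

    if (GetIpForwardTable(pIpForwardTable, &dwSize, FALSE) == NO_ERROR)
    {
        char destination[IP_SIZE_MAX], netmask[IP_SIZE_MAX], gateway[IP_SIZE_MAX];
        struct in_addr addr;

        for (DWORD i = 0; i < pIpForwardTable->dwNumEntries; i++)
        {
            const MIB_IPFORWARDROW *row = &pIpForwardTable->table[i];

            // inet_ntoa() returns a static buffer, so each value is copied out
            // before the next call overwrites it
            addr.S_un.S_addr = (u_long)row->dwForwardDest;
            snprintf(destination, IP_SIZE_MAX, "%s", inet_ntoa(addr));
            addr.S_un.S_addr = (u_long)row->dwForwardMask;
            snprintf(netmask, IP_SIZE_MAX, "%s", inet_ntoa(addr));
            addr.S_un.S_addr = (u_long)row->dwForwardNextHop;
            snprintf(gateway, IP_SIZE_MAX, "%s", inet_ntoa(addr));

            addRoutetoDB(destination, netmask, gateway, row->dwForwardMetric1, session_id, db);
        }
    }

cleanup:
    if (pIpForwardTable != NULL)
        HeapFree(GetProcessHeap(), 0, pIpForwardTable);
    if (hDLL != NULL)
        FreeLibrary(hDLL);
    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "END TRANSACTION;", NULL, NULL, NULL);
    check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
    h_thread_test[test_index] = 0;
    return 0;
}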
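//------------------------------------------------------------------------------
// Helpers for AddItemFiletoTreeView().  The original repeated the same
// "insert under a category node, then tick the tests that use it" sequence
// in every branch; the classification predicates are split out as well.

// Inserts one file under the given category node (FILES_TITLE_*) of the
// files tree view.  When global_path is NULL the entry is rebuilt as
// path + lowcase_file, silently truncated to MAX_PATH as before.
static void trv_add_file_under(HANDLE htv, char *lowcase_file, char *path, char *global_path, int category)
{
    char tmp_path[MAX_PATH];

    if (global_path != NULL)
    {
        AddItemTreeView(htv, global_path, TRV_HTREEITEM_CONF[category]);
        return;
    }
    snprintf(tmp_path, MAX_PATH, "%s%s", path, lowcase_file);
    AddItemTreeView(htv, tmp_path, TRV_HTREEITEM_CONF[category]);
}

// Ticks every test that consumes a registry hive.
static void trv_check_registry_tests(void)
{
    check_treeview(htrv_test, H_tests[INDEX_LAN], TRV_STATE_CHECK);
    check_treeview(htrv_test, H_tests[INDEX_ENV], TRV_STATE_CHECK);
    check_treeview(htrv_test, H_tests[INDEX_SHARE], TRV_STATE_CHECK);
    for (unsigned int i = INDEX_REG_CONF; i <= INDEX_REG_FIREWALL; i++)
        check_treeview(htrv_test, H_tests[i], TRV_STATE_CHECK);
}

// Extension-less hive names, exactly or with a "_" suffix (e.g. a renamed copy).
static int trv_is_hive_name(char *lowcase_file)
{
    static char *const HIVES[] = {
        "sam", "software", "system", "default", "hardware", "security",
        "bcd-template", "components", "drivers", "bbi", "elam", "fp"   // last six: win8
    };
    static char *const HIVE_PREFIXES[] = {
        "sam_", "software_", "system_", "default_", "hardware_", "security_",
        "bcd-template_", "components_", "drivers_", "bbi_", "elam_", "fp_"   // last six: win8
    };

    for (size_t i = 0; i < sizeof HIVES / sizeof HIVES[0]; i++)
        if (strcmp(lowcase_file, HIVES[i]) == 0)
            return 1;
    for (size_t i = 0; i < sizeof HIVE_PREFIXES / sizeof HIVE_PREFIXES[0]; i++)
        if (startWith(lowcase_file, HIVE_PREFIXES[i]))
            return 1;
    return 0;
}

// Hive files with a ".dat" extension: user hives (ntuser/usrclass/classes),
// security.dat, and the win8 settings*.dat files.
static int trv_is_hive_dat(char *lowcase_file, char *ext)
{
    int is_dat = strcmp(ext, "dat") == 0;

    return strcmp(lowcase_file, "security.dat") == 0
        || strcmp(lowcase_file, "ntuser.dat") == 0
        || (is_dat && Contient(lowcase_file, "ntuser") > 0)
        || strcmp(lowcase_file, "settings.dat") == 0
        || (is_dat && startWith(lowcase_file, "settings_"))   // win8
        || strcmp(lowcase_file, "usrclass.dat") == 0
        || (is_dat && Contient(lowcase_file, "usrclass") > 0)
        || strcmp(lowcase_file, "classes.dat") == 0
        || (is_dat && Contient(lowcase_file, "classes") > 0);
}

// Application databases: Android / Firefox SQLite files, IE index.dat, NTDS.
// The bare ".dat" test already covers the index*.dat names that follow it;
// they are kept for readability.
static int trv_is_application_db(char *lowcase_file, char *ext)
{
    return strcmp(ext, "db") == 0          // android
        || strcmp(ext, "sqlite") == 0      // firefox
        || strcmp(ext, "dat") == 0         // ie
        || strcmp(lowcase_file, "index.dat") == 0
        || (startWith(lowcase_file, "index_") && strcmp(ext, "dat") == 0)
        || strcmp(lowcase_file, "ntds.dit") == 0
        || (startWith(lowcase_file, "ntds_") && strcmp(ext, "dit") == 0);
}

// Chrome profile databases (no extension).
static int trv_is_chrome_profile_file(char *lowcase_file)
{
    // "default" is kept from the original list but can never match here: the
    // hive-name test, which also lists "default", runs first
    static char *const NAMES[] = {
        "archived history", "history", "cookies", "default",
        "login data", "top sites", "web data"
    };

    for (size_t i = 0; i < sizeof NAMES / sizeof NAMES[0]; i++)
        if (strcmp(lowcase_file, NAMES[i]) == 0)
            return 1;
    return 0;
}

// Classifies one discovered file by name / extension, inserts it under the
// matching category node of the files tree view and ticks the tests that can
// consume it.  Files that match no rule are ignored.
//
// htv:          files tree view handle
// lowcase_file: lower-cased file name without directory
// path:         directory part, used only when global_path is NULL
// global_path:  full path to insert as-is, or NULL to build path + lowcase_file
void AddItemFiletoTreeView(HANDLE htv, char *lowcase_file, char *path, char *global_path)
{
    char ext[MAX_PATH];

    if (!extractExtFromFile(lowcase_file, ext, MAX_PATH))
    {
        // no extension: bare hive names first, then Chrome profile files
        if (trv_is_hive_name(lowcase_file))
        {
            trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_REGISTRY);
            trv_check_registry_tests();
        }
        else if (trv_is_chrome_profile_file(lowcase_file))
        {
            trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_APPLI);
            check_treeview(htrv_test, H_tests[INDEX_NAV_CHROME], TRV_STATE_CHECK);
        }
        return;
    }

    // order matters: a "*.dat" hive must be claimed before the generic ".dat"
    // application rule
    if (strcmp(ext, "lnk") == 0)
    {
        trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_FILES);
        check_treeview(htrv_test, H_tests[INDEX_FILE_NK], TRV_STATE_CHECK);
        check_treeview(htrv_test, H_tests[INDEX_FILE], TRV_STATE_CHECK);
    }
    else if (strcmp(ext, "log") == 0 || strcmp(ext, "evt") == 0 || strcmp(ext, "evtx") == 0)
    {
        // logs
        trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_LOGS);
        check_treeview(htrv_test, H_tests[INDEX_LOG], TRV_STATE_CHECK);
    }
    else if (trv_is_hive_dat(lowcase_file, ext))
    {
        // registry
        trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_REGISTRY);
        trv_check_registry_tests();
    }
    else if (trv_is_application_db(lowcase_file, ext))
    {
        // applications
        trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_APPLI);
        check_treeview(htrv_test, H_tests[INDEX_ANDROID], TRV_STATE_CHECK);
        check_treeview(htrv_test, H_tests[INDEX_NAV_CHROME], TRV_STATE_CHECK);
        check_treeview(htrv_test, H_tests[INDEX_NAV_FIREFOX], TRV_STATE_CHECK);
        check_treeview(htrv_test, H_tests[INDEX_NAV_IE], TRV_STATE_CHECK);
    }
    else if (strcmp(ext, "pf") == 0)
    {
        // prefetch
        trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_APPLI);
        check_treeview(htrv_test, H_tests[INDEX_PREFETCH], TRV_STATE_CHECK);
    }
    else if (strcmp(ext, "job") == 0)
    {
        // scheduled task (the original comment said "prefetch")
        trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_APPLI);
        check_treeview(htrv_test, H_tests[INDEX_TASK], TRV_STATE_CHECK);
    }
}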
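//------------------------------------------------------------------------------
//http://msdn.microsoft.com/en-us/library/windows/desktop/ms649016%28v=vs.85%29.aspx
// Clipboard scan.  Clipboard blocks are written by arbitrary processes, so
// every copy below is bounded by GlobalSize() of the block and always
// NUL-terminates its output; a failed GlobalLock() leaves `data` empty.

// How the payload of a clipboard format is rendered into the DB `data` column.
enum clip_kind
{
    CLIP_ANSI,         // NUL-terminated ANSI text, SQL-escaped
    CLIP_WIDE,         // NUL-terminated UTF-16 text, converted with %S, SQL-escaped
    CLIP_HEX,          // whole global block as hex
    CLIP_DIBV5,        // only the BITMAPV5HEADER as hex
    CLIP_BITMAP,       // HBITMAP through SaveBitmapToHexaStr
    CLIP_ENHMETAFILE,  // HENHMETAFILE bits through GetEnhMetaFileBits
    CLIP_HDROP,        // dropped file list, one path per line
    CLIP_LOCALE        // DWORD locale id, printed in hex
};

struct clip_format_desc
{
    unsigned int id;
    const char *name;   // value stored in the `format` column
    const char *desc;   // default `description` when the clipboard gives none; NULL = leave empty
    enum clip_kind kind;
};

// Ids 49155 and above are registered (non-predefined) formats whose numeric
// id is assigned per session; those rows are a best-effort match kept from
// the original.  CF_DIBV5 is written as 17 as in the original.
static const struct clip_format_desc CLIP_FORMATS[] = {
    { CF_TEXT,         "CF_TEXT",         "Text",                                          CLIP_ANSI },
    { CF_BITMAP,       "CF_BITMAP",       "Bitmap Picture",                                CLIP_BITMAP },
    { CF_METAFILEPICT, "CF_METAFILEPICT", "Meta-File Picture",                             CLIP_HEX },
    { CF_SYLK,         "CF_SYLK",         "Microsoft Symbolic Link (SYLK) data",           CLIP_ANSI },
    { CF_OEMTEXT,      "CF_OEMTEXT",      "Text (OEM)",                                    CLIP_ANSI },
    { CF_DIB,          "CF_DIB",          "DIB Bitmap Picture",                            CLIP_HEX },
    { CF_DIF,          "CF_DIF",          "Software Arts' Data Interchange information",   CLIP_HEX },
    { CF_TIFF,         "CF_TIFF",         "Tagged Image File Format (TIFF) Picture",       CLIP_HEX },
    { CF_PALETTE,      "CF_PALETTE",      "Colour Palette",                                CLIP_HEX },
    { CF_PENDATA,      "CF_PENDATA",      "Pen Data",                                      CLIP_HEX },
    { CF_UNICODETEXT,  "CF_UNICODETEXT",  "Text Unicode",                                  CLIP_WIDE },
    { CF_RIFF,         "CF_RIFF",         "RIFF Audio data",                               CLIP_HEX },
    { CF_WAVE,         "CF_WAVE",         "Wave File",                                     CLIP_HEX },
    { CF_ENHMETAFILE,  "CF_ENHMETAFILE",  "Enhanced Meta-File Picture",                    CLIP_ENHMETAFILE },
    { CF_HDROP,        "CF_HDROP",        "File List",                                     CLIP_HDROP },
    { CF_LOCALE,       "CF_LOCALE",       "Text Locale Identifier",                        CLIP_LOCALE },
    { 17,              "CF_DIBV5",        NULL,                                            CLIP_DIBV5 },
    { 49155,           "UNKNOW",          "OwnerLink",                                     CLIP_ANSI },
    { 49156,           "UNKNOW",          "Native Bitmap Picture",                         CLIP_HEX },
    { 49158,           "UNKNOW",          "FileName",                                      CLIP_ANSI },
    { 49159,           "UNKNOW",          "FileNameW",                                     CLIP_WIDE },
    { 49298,           "UNKNOW",          "Rich Text Format",                              CLIP_ANSI },
};

// Returns the table row for uFormat, or NULL for an unknown format.
static const struct clip_format_desc *clip_lookup(unsigned int uFormat)
{
    for (size_t i = 0; i < sizeof CLIP_FORMATS / sizeof CLIP_FORMATS[0]; i++)
        if (CLIP_FORMATS[i].id == uFormat)
            return &CLIP_FORMATS[i];
    return NULL;
}

// Copies at most size-1 bytes of ANSI text from the block, stopping at the
// first NUL or at the end of the block, then SQL-escapes the result.
// (The original strncpy left `data` unterminated for long text and read past
// the block when it carried no terminator.)
static void clip_copy_ansi(HGLOBAL hMem, char *data, size_t size)
{
    const char *src = (const char *)GlobalLock(hMem);

    data[0] = 0;
    if (src != NULL)
    {
        SIZE_T avail = GlobalSize(hMem);
        size_t n = size - 1;
        size_t i = 0;

        if (avail < n)
            n = (size_t)avail;
        while (i < n && src[i] != 0)
        {
            data[i] = src[i];
            i++;
        }
        data[i] = 0;
        GlobalUnlock(hMem);
    }
    convertStringToSQL(data, size);
}

// Converts UTF-16 text from the block with %S (as the original did); the
// precision caps the characters read in case the block is not NUL-terminated.
static void clip_copy_wide(HGLOBAL hMem, char *data, size_t size)
{
    const wchar_t *src = (const wchar_t *)GlobalLock(hMem);

    data[0] = 0;
    if (src != NULL)
    {
        SIZE_T max_chars = GlobalSize(hMem) / sizeof(wchar_t);

        if (max_chars > size)
            max_chars = size;
        snprintf(data, size, "%.*S", (int)max_chars, src);
        data[size - 1] = 0;
        GlobalUnlock(hMem);
    }
    convertStringToSQL(data, size);
}

// Hex-dumps the block; max_len != 0 caps the number of bytes dumped.
static void clip_copy_hex(HGLOBAL hMem, SIZE_T max_len, char *data, size_t size)
{
    void *src = GlobalLock(hMem);
    SIZE_T len;

    if (src == NULL)
        return;
    len = GlobalSize(hMem);
    if (max_len != 0 && len > max_len)
        len = max_len;
    DatatoHexa(src, len, data, size);
    GlobalUnlock(hMem);
}

// Hex-dumps the bits of an enhanced metafile handle.
static void clip_copy_enhmetafile(HENHMETAFILE hEmf, char *data, size_t size)
{
    DWORD dwSize = GetEnhMetaFileBits(hEmf, 0, NULL);
    LPBYTE buffer;

    if (dwSize == 0)
        return;
    buffer = (LPBYTE)malloc(dwSize);
    if (buffer == NULL)
        return;
    if (GetEnhMetaFileBits(hEmf, dwSize, buffer) != 0)
        DatatoHexa(buffer, dwSize, data, size);
    free(buffer);
}

// Renders a dropped-file list as one path per line, then SQL-escapes it.
static void clip_copy_hdrop(HDROP hDrop, char *data, size_t size)
{
    char tmp[MAX_PATH];
    UINT nb_path = DragQueryFile(hDrop, 0xFFFFFFFF, tmp, MAX_PATH);
    size_t used = 0;

    data[0] = 0;
    for (UINT i = 0; i < nb_path && used + 1 < size; i++)
    {
        tmp[0] = 0;
        DragQueryFile(hDrop, i, tmp, MAX_PATH);
        // bounded by the space left in `data` (the original passed the
        // GetUserName length here and mis-tracked the remaining space)
        int n = snprintf(data + used, size - used, "%s\r\n", tmp);
        if (n < 0)
            break;
        used += (size_t)n;
    }
    data[size - 1] = 0;
    convertStringToSQL(data, size);
}

// Prints the locale id held in the block.  The block contains the LCID
// itself; the original printed the block's address instead.
static void clip_copy_locale(HGLOBAL hMem, char *data, size_t size)
{
    const DWORD *lcid = (const DWORD *)GlobalLock(hMem);

    if (lcid == NULL)
        return;
    if (GlobalSize(hMem) >= sizeof *lcid)
        snprintf(data, size, "0x%X", (unsigned int)*lcid);
    GlobalUnlock(hMem);
}

// Fills `format`, `description` (only when empty) and `data` for one clipboard
// entry according to the format table; unknown formats are hex-dumped as "UNKNOW".
static void clip_extract(unsigned int uFormat, HANDLE hMem, char *format, char *description, char *data)
{
    const struct clip_format_desc *fd = clip_lookup(uFormat);
    const char *name = (fd != NULL) ? fd->name : "UNKNOW";
    const char *desc = (fd != NULL) ? fd->desc : NULL;
    enum clip_kind kind = (fd != NULL) ? fd->kind : CLIP_HEX;

    snprintf(format, DEFAULT_TMP_SIZE, "%s", name);
    if (description[0] == 0 && desc != NULL)
        snprintf(description, DEFAULT_TMP_SIZE, "%s", desc);

    switch (kind)
    {
        case CLIP_ANSI:
            clip_copy_ansi(hMem, data, MAX_LINE_SIZE);
            break;
        case CLIP_WIDE:
            clip_copy_wide(hMem, data, MAX_LINE_SIZE);
            break;
        case CLIP_BITMAP:
            SaveBitmapToHexaStr((HBITMAP)hMem, data, MAX_LINE_SIZE);
            break;
        case CLIP_ENHMETAFILE:
            clip_copy_enhmetafile((HENHMETAFILE)hMem, data, MAX_LINE_SIZE);
            break;
        case CLIP_HDROP:
            clip_copy_hdrop((HDROP)hMem, data, MAX_LINE_SIZE);
            break;
        case CLIP_LOCALE:
            clip_copy_locale(hMem, data, MAX_LINE_SIZE);
            break;
        case CLIP_DIBV5:
            clip_copy_hex(hMem, sizeof(BITMAPV5HEADER), data, MAX_LINE_SIZE);
            break;
        case CLIP_HEX:
        default:
            clip_copy_hex(hMem, 0, data, MAX_LINE_SIZE);
            break;
    }
}

// Thread entry: records every format currently on the clipboard, with its
// payload, through addClipboardtoDB().  Only meaningful on a live machine.
//
// Fixes relative to the original loop:
//  - GetClipboardFormatName() returns 0 for the predefined CF_* formats, and
//    it also set the last error, so the old `GetClipboardFormatName(...) != 0`
//    gate and the `GetLastError() == ERROR_SUCCESS` loop condition skipped
//    exactly the formats the switch was written for;
//  - `--nb_items > 0` dropped the last format;
//  - the CF_UNICODETEXT branch cleared h_thread_test mid-scan.
//
// lParam: index into H_tests / h_thread_test identifying this scan thread.
// Returns 0 (the thread exit code is not used).
DWORD WINAPI Scan_clipboard(LPVOID lParam)
{
    unsigned int test_index = (unsigned int)lParam;
    sqlite3 *db = (sqlite3 *)db_scan;

    if (!LOCAL_SCAN)
    {
        h_thread_test[test_index] = 0;
        check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
        return 0;
    }

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "BEGIN TRANSACTION;", NULL, NULL, NULL);

    // read and extract the clipboard contents
    if (OpenClipboard(0))
    {
        char description[MAX_LINE_SIZE], format[DEFAULT_TMP_SIZE], data[MAX_LINE_SIZE];
        char user[NB_USERNAME_SIZE + 1] = "";
        unsigned int session_id = current_session_id;
        DWORD user_len = NB_USERNAME_SIZE;
        int nb_items;

        GetUserName(user, &user_len);

        nb_items = CountClipboardFormats();
        if (nb_items > 0)
        {
            unsigned int uFormat = EnumClipboardFormats(0);

#ifdef CMD_LINE_ONLY_NO_DB
            printf("\"Clipboard\";\"format\";\"code\";\"description\";\"user\";\"session_id\";\"data\";\r\n");
#endif // CMD_LINE_ONLY_NO_DB

            // EnumClipboardFormats() returns 0 at the end of the chain; nb_items
            // bounds the walk in case the chain changes under us
            while (uFormat != 0 && start_scan && nb_items-- > 0)
            {
                if (IsClipboardFormatAvailable(uFormat))
                {
                    HANDLE hMem;

                    description[0] = 0;
                    data[0] = 0;
                    format[0] = 0;
                    // fails (returns 0) for predefined formats: description
                    // stays empty and the table default is used instead
                    GetClipboardFormatName(uFormat, description, MAX_LINE_SIZE);
                    hMem = GetClipboardData(uFormat);
                    if (hMem != NULL)
                    {
                        clip_extract(uFormat, hMem, format, description, data);
                        addClipboardtoDB(format, uFormat, description, data, user, session_id, db);
                    }
                }
                uFormat = EnumClipboardFormats(uFormat);
            }
        }
        CloseClipboard();
    }

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "END TRANSACTION;", NULL, NULL, NULL);

    check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
    h_thread_test[test_index] = 0;
    return 0;
}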
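//------------------------------------------------------------------------------
// Network share scan helpers.

// Files mode: walks the hive files listed in the tree view and enumerates the
// LanmanServer share definitions of every control set found in each.
static void share_scan_hive_files(unsigned int session_id, sqlite3 *db)
{
    // an offline SYSTEM hive has no CurrentControlSet link, so every
    // numbered control set is tried
    static char *const SHARE_KEYS[] = {
        "ControlSet001\\Services\\LanmanServer\\Shares",
        "ControlSet002\\Services\\LanmanServer\\Shares",
        "ControlSet003\\Services\\LanmanServer\\Shares",
        "ControlSet004\\Services\\LanmanServer\\Shares",
    };
    char file[MAX_PATH];
    HK_F_OPEN hks;
    HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM, (WPARAM)TVGN_CHILD,
                                             (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);

    while (hitem != NULL)
    {
        file[0] = 0;
        GetTextFromTrv(hitem, file, MAX_PATH);
        if (file[0] != 0 && OpenRegFiletoMem(&hks, file))
        {
            for (size_t k = 0; k < sizeof SHARE_KEYS / sizeof SHARE_KEYS[0]; k++)
                EnumShare(&hks, session_id, db, SHARE_KEYS[k]);
            CloseRegFiletoMem(&hks);
        }
        hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM, (WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
}

// Formats one SHARE_INFO_502 entry and stores it through addSharetoDB().
static void share_add_entry(const SHARE_INFO_502 *p, unsigned int session_id, sqlite3 *db)
{
    char share[DEFAULT_TMP_SIZE], path[MAX_PATH], description[MAX_PATH];
    char type[DEFAULT_TMP_SIZE], connexion[DEFAULT_TMP_SIZE];

    snprintf(share, DEFAULT_TMP_SIZE, "%S", p->shi502_netname);
    snprintf(path, MAX_PATH, "%S", p->shi502_path);
    snprintf(description, MAX_PATH, "%S", p->shi502_remark);

    switch (p->shi502_type)
    {
        case STYPE_DISKTREE:
            snprintf(type, DEFAULT_TMP_SIZE, "%s", "DISKTREE");
            break;
        case STYPE_PRINTQ:
            snprintf(type, DEFAULT_TMP_SIZE, "%s", "PRINT");
            break;
        case STYPE_DEVICE:
            snprintf(type, DEFAULT_TMP_SIZE, "%s", "DEVICE");
            break;
        case STYPE_IPC:
            snprintf(type, DEFAULT_TMP_SIZE, "%s", "IPC");
            break;
        case STYPE_SPECIAL:
            snprintf(type, DEFAULT_TMP_SIZE, "%s", "SPECIAL");
            break;
        case 0x40000000:   // STYPE_TEMPORARY
            snprintf(type, DEFAULT_TMP_SIZE, "%s", "TEMPORARY");
            break;
        case 0x80000003u:  // STYPE_SPECIAL | STYPE_IPC, written -2147483645 in the original; label kept
            snprintf(type, DEFAULT_TMP_SIZE, "%s", "RPC");
            break;
        default:
            snprintf(type, DEFAULT_TMP_SIZE, "UNKNOW (%lu)", p->shi502_type);
            break;
    }

    // "current/max" connections; max_uses == -1 means unlimited
    if (p->shi502_max_uses == (DWORD)-1)
        snprintf(connexion, DEFAULT_TMP_SIZE, "%lu/-", p->shi502_current_uses);
    else
        snprintf(connexion, DEFAULT_TMP_SIZE, "%lu/%lu", p->shi502_current_uses, p->shi502_max_uses);

    convertStringToSQL(path, MAX_PATH);
    convertStringToSQL(description, MAX_PATH);
    addSharetoDB("", share, path, description, type, connexion, session_id, db);
}

// Local mode: enumerates the shares of this machine through NetShareEnum
// (NETAPI32 resolved at run time).  Each buffer returned by NetShareEnum is
// released with NetApiBufferFree; the original loaded that function but
// never called it, and passed no resume handle for ERROR_MORE_DATA loops.
static void share_scan_local(unsigned int session_id, sqlite3 *db)
{
    typedef NET_API_STATUS (WINAPI *NETAPIBUFFERFREE)(LPVOID Buffer);
    typedef NET_API_STATUS (WINAPI *NETSHAREENUM)(LPWSTR servername, DWORD level, LPBYTE *bufptr,
                                                 DWORD prefmaxlen, LPDWORD entriesread,
                                                 LPDWORD totalentries, LPDWORD resume_handle);
    HMODULE hDLL = LoadLibrary("NETAPI32.dll");
    NETAPIBUFFERFREE NetApiBufferFree;
    NETSHAREENUM NetShareEnum;

    // the caller still closes the transaction and releases the test slot
    if (hDLL == NULL)
        return;

    NetApiBufferFree = (NETAPIBUFFERFREE)GetProcAddress(hDLL, "NetApiBufferFree");
    NetShareEnum = (NETSHAREENUM)GetProcAddress(hDLL, "NetShareEnum");
    if (NetApiBufferFree != NULL && NetShareEnum != NULL)
    {
        NET_API_STATUS res;
        DWORD resume = 0;

        do
        {
            PSHARE_INFO_502 buffer = NULL;
            DWORD nb = 0, tr = 0;

            res = NetShareEnum(0, 502, (LPBYTE *)&buffer, MAX_PREFERRED_LENGTH, &nb, &tr, &resume);
            if (res != ERROR_SUCCESS && res != ERROR_MORE_DATA)
                break;
            if (buffer != NULL)
            {
                for (DWORD i = 0; i < nb; i++)
                    share_add_entry(&buffer[i], session_id, db);
                NetApiBufferFree(buffer);
            }
        } while (res == ERROR_MORE_DATA);
    }
    FreeLibrary(hDLL);
}

// Thread entry: network shares, from hive files when the scan is not local,
// from NetShareEnum otherwise.
//
// lParam: index into H_tests / h_thread_test identifying this scan thread.
// Returns 0 (the thread exit code is not used).
DWORD WINAPI Scan_share(LPVOID lParam)
{
    unsigned int test_index = (unsigned int)lParam;
    sqlite3 *db = (sqlite3 *)db_scan;
    unsigned int session_id = current_session_id;

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "BEGIN TRANSACTION;", NULL, NULL, NULL);

#ifdef CMD_LINE_ONLY_NO_DB
    printf("\"Share\";\"file\";\"share\";\"path\";\"description\";\"type\";\"connexion\";\"session_id\";\r\n");
#endif

    if (!LOCAL_SCAN)
        share_scan_hive_files(session_id, db);
    else
        share_scan_local(session_id, db);

    // always reached: the original returned early when NETAPI32 failed to
    // load, leaving the transaction open and the test slot busy
    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "END TRANSACTION;", NULL, NULL, NULL);

    check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
    h_thread_test[test_index] = 0;
    return 0;
}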
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// Thread entry: user / account extraction from registry hives.  In files mode
// every listed hive is processed in turn (the computer name is taken from the
// first hive that carries one) and the first path containing "sam" is set
// aside and processed last, presumably so the syskey read from the other
// hives is available by then.  In local mode Scan_registry_user_local() does
// the work.
//
// lParam: index into H_tests / h_thread_test identifying this scan thread.
// Returns 0 (the thread exit code is not used).
DWORD WINAPI Scan_registry_user(LPVOID lParam)
{
    unsigned int test_index = (unsigned int)lParam;
    sqlite3 *db = (sqlite3 *)db_scan;
    unsigned int session_id = current_session_id;
    char file[MAX_PATH];
    char file_SAM[MAX_PATH] = "";           // deferred SAM hive path
    char sk[MAX_PATH] = "";                 // filled by registry_syskey_file()
    char computer[DEFAULT_TMP_SIZE] = "";
    BOOL ok_computer = FALSE;
    HK_F_OPEN hks;

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "BEGIN TRANSACTION;", NULL, NULL, NULL);

    HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM, (WPARAM)TVGN_CHILD,
                                             (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
    if (hitem == NULL && LOCAL_SCAN)
    {
        // local mode
        Scan_registry_user_local(db, session_id);
    }
    else
    {
        // files mode: the tree item is advanced by the for-increment so every
        // `continue` below moves on to the next hive
        for (; hitem != NULL;
             hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM, (WPARAM)TVGN_NEXT, (LPARAM)hitem))
        {
            file[0] = 0;
            GetTextFromTrv(hitem, file, MAX_PATH);
            if (file[0] == 0)
                continue;
            charToLowChar(file);

            // keep the first "sam" path for the end; any later one is scanned normally
            if (Contient(file, "sam") && file_SAM[0] == 0)
            {
                strcpy(file_SAM, file);
                continue;
            }

            if (!OpenRegFiletoMem(&hks, file))
                continue;

            registry_syskey_file(&hks, sk, MAX_PATH);

            if (!ok_computer)
            {
                char tmp[DEFAULT_TMP_SIZE] = "";

                Readnk_Value(hks.buffer, hks.taille_fic, (hks.pos_fhbin) + HBIN_HEADER_SIZE, hks.position,
                             "ControlSet001\\Control\\ComputerName\\ComputerName", NULL, "ComputerName",
                             tmp, DEFAULT_TMP_SIZE);
                if (tmp[0] != 0)
                {
                    strcpy(computer, tmp);
                    ok_computer = TRUE;
                }
            }

            Scan_registry_user_file(&hks, db, session_id, computer);
            CloseRegFiletoMem(&hks);
        }

        // the SAM hive goes last
        if (file_SAM[0] != 0 && OpenRegFiletoMem(&hks, file_SAM))
        {
            Scan_registry_user_file(&hks, db, session_id, computer);
            CloseRegFiletoMem(&hks);
        }
    }

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "END TRANSACTION;", NULL, NULL, NULL);

    check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
    h_thread_test[test_index] = 0;
    return 0;
}
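//------------------------------------------------------------------------------
// Prefetch scan thread.
// Format reference: http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format
//
// Input selection mirrors the other Scan_* threads:
//  - entries under FILES_TITLE_APPLI in the files tree-view (or a non-local
//    scan, or WINE): each entry whose lower-cased extension is "pf" is handed
//    to PfCheck();
//  - otherwise the live host: every *.pf in %WINDIR%\Prefetch.
// Both loops honour start_scan so the stop button ends them.
//
// lParam : index of this test in H_tests / h_thread_test (the CreateThread
//          argument cast back to an index).
// Returns 0. There is a single exit path: the transaction is always closed,
// the tree-view check mark cleared and the thread slot released.
//------------------------------------------------------------------------------
DWORD WINAPI Scan_prefetch(LPVOID lParam)
{
  const unsigned int test_id = (unsigned int)(UINT_PTR)lParam;
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Prefetch\";\"file\";\"path\";\"create_time\";\"last_update\";\"last_access\";\"count\";\"exec\";\"session_id\";\"depend\";\r\n");
  #endif

  // One transaction around all inserts unless the DB runs in full-speed mode.
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);
  if (hitem!=NULL || !LOCAL_SCAN || WINE_OS)
  {
    // Files supplied through the tree-view.
    char tmp_file_pref[MAX_PATH], ext[MAX_PATH];
    while (hitem != NULL && start_scan)
    {
      tmp_file_pref[0] = 0;
      ext[0] = 0;
      GetTextFromTrv(hitem, tmp_file_pref, MAX_PATH);
      // Compare the extension on the lower-cased name so "FOO.PF" is accepted.
      if (tmp_file_pref[0] != 0 && !strcmp("pf", extractExtFromFile(charToLowChar(tmp_file_pref), ext, MAX_PATH)))
      {
        PfCheck(session_id, db, tmp_file_pref);
      }
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }
  else
  {
    // Live host: enumerate %WINDIR%\Prefetch\*.pf. The directory is kept apart
    // from the search pattern so each file path is built with one bounded
    // snprintf instead of the previous strncpy/strncat pair, whose MAX_PATH
    // count ignored the bytes already in the buffer.
    char dir[MAX_PATH] = "%WINDIR%\\Prefetch\\";
    ReplaceEnv("WINDIR", dir, MAX_PATH);
    char pattern[MAX_PATH];
    int n = snprintf(pattern, sizeof pattern, "%s*.pf", dir);
    if (n > 0 && (size_t)n < sizeof pattern)
    {
      WIN32_FIND_DATA data;
      HANDLE hfind = FindFirstFile(pattern, &data);
      if (hfind != INVALID_HANDLE_VALUE)
      {
        do
        {
          // Skip sub-directories and the "." / ".." pseudo-entries.
          if (data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) continue;
          if (data.cFileName[0] == '.' && (data.cFileName[1] == 0 || data.cFileName[1] == '.')) continue;
          char path_f[MAX_PATH];
          n = snprintf(path_f, sizeof path_f, "%s%s", dir, data.cFileName);
          // A truncated name must not be handed to PfCheck as if it were real.
          if (n < 0 || (size_t)n >= sizeof path_f) continue;
          PfCheck(session_id, db, path_f);
        } while (FindNextFile(hfind, &data) && start_scan);
        FindClose(hfind);   // the search handle was previously leaked
      }
    }
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[test_id], TRV_STATE_UNCHECK);
  h_thread_test[test_id] = 0;
  return 0;
}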
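//------------------------------------------------------------------------------
// Parse one hosts-file line (CR/LF already removed) into an address and a name.
//
// line           : NUL-terminated text of the line.
// ip, ip_size    : receive the address token.
// name, name_size: receive everything after the whitespace that follows the
//                  address (as before, trailing "# comments" are kept).
// Returns TRUE when both were extracted; FALSE for blank or comment lines,
// lines whose first token is not an address, lines without a name, or an
// address that would not fit in ip.
//
// The address token may contain digits, hex letters, '.' and ':' and must
// hold at least one separator, so "127.0.0.1", "::1" and "fe80::1" qualify
// while a bare word does not. The previous character class had no hex
// letters and cut IPv6 addresses at the first one, recording a bogus pair.
//------------------------------------------------------------------------------
static BOOL hosts_parse_line(const char *line, char *ip, size_t ip_size, char *name, size_t name_size)
{
  while (*line == ' ' || *line == '\t') line++;
  if (*line == 0 || *line == '#') return FALSE;

  size_t len = 0;
  BOOL has_sep = FALSE;
  for (; line[len] != 0 && line[len] != ' ' && line[len] != '\t'; len++)
  {
    char ch = line[len];
    if (ch == '.' || ch == ':')
    {
      has_sep = TRUE;
    }
    else if (!((ch >= '0' && ch <= '9') || (ch >= 'a' && ch <= 'f') || (ch >= 'A' && ch <= 'F')))
    {
      return FALSE;
    }
  }
  if (len == 0 || !has_sep || len >= ip_size) return FALSE;

  const char *rest = line + len;
  while (*rest == ' ' || *rest == '\t') rest++;
  if (*rest == 0) return FALSE;

  memcpy(ip, line, len);
  ip[len] = 0;
  snprintf(name, name_size, "%s", rest);
  return TRUE;
}

//------------------------------------------------------------------------------
// DNS scan thread: records the static hosts file and the resolver cache of
// the live host. Not applicable to offline (file-based) scans or WINE, in
// which case the test is only marked as done.
//
// Hosts file: %SYSTEMDRIVE%\WINDOWS\system32\drivers\etc\hosts is read whole,
// NUL-terminated on the byte count actually read, split on LF or CRLF, and
// each data line goes to addHosttoDB() with the file's last-write time.
// Cache: the undocumented dnsapi export DnsGetCacheDataTable lists the cached
// names; each is re-resolved with DnsQuery and every A answer is recorded
// with its TTL in place of a date.
//
// Fixes against the previous version: the read buffer was never terminated
// (the loop read one uninitialised byte and could walk past the end when the
// last line had no CRLF); a missing DNSAPI.DLL returned without ending the
// transaction or releasing the test slot; the cache-table typedef took
// PDNS_RECORD where the call passes PDNS_RECORD*; CNAME answers were read
// as A records.
//
// lParam : index of this test in H_tests / h_thread_test.
// Returns 0.
//------------------------------------------------------------------------------
DWORD WINAPI Scan_dns(LPVOID lParam)
{
  unsigned int local_id = (unsigned int)(UINT_PTR)lParam;
  //check if local or not :)
  if (!LOCAL_SCAN || WINE_OS)
  {
    h_thread_test[local_id] = 0;
    check_treeview(htrv_test, H_tests[local_id], TRV_STATE_UNCHECK);
    return 0;
  }
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  char file[MAX_PATH]="";
  char ip[IPV6_SIZE_MAX], name[MAX_PATH];
  // getenv may return NULL; "%s" with NULL is undefined, so fall back to a
  // drive-relative path rather than crash.
  const char *sysdrive = getenv("SYSTEMDRIVE");
  snprintf(file,MAX_PATH,"%s\\WINDOWS\\system32\\drivers\\etc\\hosts", sysdrive != NULL ? sysdrive : "");
  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"DNS\";\"file\";\"ip\";\"name\";\"last_file_update\";\"malware_check\";\"session_id\";\r\n");
  #endif // CMD_LINE_ONLY_NO_DB

  //open host file and read all hosts
  HANDLE Hfic = CreateFile(file,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0);
  if (Hfic != INVALID_HANDLE_VALUE)
  {
    DWORD taille_fic = GetFileSize(Hfic,NULL);
    if (taille_fic != INVALID_FILE_SIZE)
    {
      char *buffer = (char *) HeapAlloc(GetProcessHeap(), 0, (SIZE_T)taille_fic + 1);
      if (buffer != NULL)
      {
        //get last update
        char last_file_update[DATE_SIZE_MAX]="";
        FILETIME LastWriteTime;
        if(GetFileTime(Hfic,NULL,NULL,&LastWriteTime))filetimeToString_GMT(LastWriteTime, last_file_update, DATE_SIZE_MAX);
        DWORD copiee = 0;
        if (ReadFile(Hfic, buffer, taille_fic,&copiee,0))
        {
          // Terminate on what was actually read; the file is untrusted input
          // from the examined host, so every step below stays inside [buffer, buffer+copiee].
          buffer[copiee] = 0;
          char *r = buffer;
          while (*r)
          {
            // Current line = up to the first CR or LF (or the end of data).
            size_t len = strcspn(r, "\r\n");
            char lines[MAX_PATH];
            size_t copy = len < sizeof lines - 1 ? len : sizeof lines - 1;
            memcpy(lines, r, copy);
            lines[copy] = 0;
            if (hosts_parse_line(lines, ip, sizeof ip, name, sizeof name))
            {
              addHosttoDB(file, ip, name, last_file_update,session_id,db);
            }
            // Step over the terminator (CRLF, LF or CR) without passing the NUL.
            r += len;
            if (*r == '\r') r++;
            if (*r == '\n') r++;
          }
        }
        HeapFree(GetProcessHeap(), 0, buffer);
      }
    }
    CloseHandle(Hfic);
  }

  //get cache
  HMODULE hDLL = LoadLibrary( "DNSAPI.DLL" );
  if (hDLL != NULL)
  {
    // Undocumented export: fills a singly linked DNS_RECORD list of cached names.
    typedef int(WINAPI *DNS_GET_CACHE_DATA_TABLE)(PDNS_RECORD *);
    DNS_GET_CACHE_DATA_TABLE DnsGetCacheDataTable = (DNS_GET_CACHE_DATA_TABLE)GetProcAddress(hDLL,"DnsGetCacheDataTable");
    if (DnsGetCacheDataTable != NULL)
    {
      PDNS_RECORD pcache = NULL;
      if (DnsGetCacheDataTable(&pcache) == TRUE)
      {
        char ttl_txt[DATE_SIZE_MAX]="";
        for (PDNS_RECORD cache = pcache; cache != NULL && start_scan; cache = cache->pNext)
        {
          // pName is formatted with %S as before (wide-to-narrow on the
          // Windows CRT); confirm against the build's character set.
          name[0] = 0;
          snprintf(name,MAX_PATH,"%S",cache->pName);
          if (name[0] == 0) continue;
          // NOTE(review): this is a live lookup, not a cache read - it sends
          // a query from the examined host for every cached name and records
          // the fresh answer's address/TTL. A forensic run may prefer
          // DNS_QUERY_NO_WIRE_QUERY so only the cache is consulted.
          DNS_RECORD *dnsRecords = NULL;
          if(DnsQuery(name,DNS_TYPE_A,0,NULL,&dnsRecords,NULL) == ERROR_SUCCESS)
          {
            for (DNS_RECORD *dnsr = dnsRecords; dnsr != NULL; dnsr = dnsr->pNext)
            {
              // The answer list can carry CNAME entries whose Data is not an A record.
              if (dnsr->wType != DNS_TYPE_A) continue;
              IN_ADDR ipAddress;
              ipAddress.S_un.S_addr = dnsr->Data.A.IpAddress;
              const char *txt = inet_ntoa(ipAddress);
              if (txt == NULL) continue;
              snprintf(ip, sizeof ip, "%s", txt);
              snprintf(ttl_txt, sizeof ttl_txt, "%lu (s)", (unsigned long)dnsr->dwTtl);
              addHosttoDB("", ip, name, ttl_txt, session_id, db);
            }
            DnsRecordListFree(dnsRecords,DnsFreeRecordList);
          }
        }
        // NOTE(review): the list returned by DnsGetCacheDataTable is not
        // released here, as before; its ownership is undocumented.
      }
    }
    FreeLibrary(hDLL);
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[local_id], TRV_STATE_UNCHECK);
  h_thread_test[local_id] = 0;
  return 0;
}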
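//------------------------------------------------------------------------------
// Run every sql_CHROME query against one Chrome SQLite file and feed the rows
// to callback_sqlite_chrome.
//
// path : file to open. It is first copied into the global tmp_file_chrome,
//        as before (callback_sqlite_chrome presumably reads it for the "file"
//        column - confirm).
//
// The database is opened read-only: sqlite3_open() opens read/write and
// creates the file when it is missing, so on an evidence volume the scanner
// could leave new files or journals behind. A read-only open still returns
// SQLITE_OK for files that are not databases; the queries then simply fail.
//------------------------------------------------------------------------------
static void chrome_scan_sqlite_file(const char *path)
{
  snprintf(tmp_file_chrome, MAX_PATH, "%s", path);
  sqlite3 *db_tmp = NULL;
  if (sqlite3_open_v2(tmp_file_chrome, &db_tmp, SQLITE_OPEN_READONLY, NULL) == SQLITE_OK)
  {
    FORMAT_CALBAK_READ_INFO data;
    memset(&data, 0, sizeof data);
    for (data.type = 0; data.type < nb_sql_CHROME && start_scan; data.type = data.type + 1)
    {
      if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
      sqlite3_exec(db_tmp, sql_CHROME[data.type].sql, callback_sqlite_chrome, &data, NULL);
      if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
    }
  }
  // Always close: a failed open still hands back a handle that must be
  // released, and sqlite3_close(NULL) is a harmless no-op.
  sqlite3_close(db_tmp);
}

//------------------------------------------------------------------------------
// Live-host path: walk HKLM\...\ProfileList, expand each ProfileImagePath and
// try every file in that profile's Chrome "Default" directory as a database.
//
// Only the XP/2003 layout ("Local Settings\Application Data\...") is looked
// at, as before; on Vista and later the profile lives under AppData\Local.
// Search handles are closed (previously leaked) and the loops stop on
// start_scan.
//------------------------------------------------------------------------------
static void chrome_scan_local_profiles(void)
{
  HKEY CleTmp = 0;
  if (RegOpenKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\",&CleTmp)!=ERROR_SUCCESS) return;
  DWORD nbSubKey = 0;
  if (RegQueryInfoKey (CleTmp,0,0,0,&nbSubKey,0,0,0,0,0,0,0)==ERROR_SUCCESS)
  {
    char tmp_key[MAX_PATH], tmp_key_path[MAX_PATH];
    for (DWORD i = 0; i < nbSubKey && start_scan; i++)
    {
      DWORD key_size = MAX_PATH;
      tmp_key[0] = 0;
      if (RegEnumKeyEx (CleTmp,i,tmp_key,&key_size,0,0,0,0)!=ERROR_SUCCESS) continue;
      snprintf(tmp_key_path,MAX_PATH,"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\%s\\",tmp_key);
      // ProfileImagePath usually starts with %SystemDrive%; expand that one variable.
      if (!ReadValue(HKEY_LOCAL_MACHINE,tmp_key_path,"ProfileImagePath",tmp_key, MAX_PATH)) continue;
      ReplaceEnv("SYSTEMDRIVE",tmp_key,MAX_PATH);
      char profile_dir[MAX_PATH];
      int n = snprintf(profile_dir, sizeof profile_dir, "%s\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default", tmp_key);
      if (n < 0 || (size_t)n >= sizeof profile_dir) continue;
      char pattern[MAX_PATH];
      n = snprintf(pattern, sizeof pattern, "%s\\*.*", profile_dir);
      if (n < 0 || (size_t)n >= sizeof pattern) continue;
      WIN32_FIND_DATA wfd;
      HANDLE hfind = FindFirstFile(pattern, &wfd);
      if (hfind == INVALID_HANDLE_VALUE) continue;
      do
      {
        // Skip sub-directories and the "." / ".." pseudo-entries.
        if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) continue;
        if (wfd.cFileName[0] == '.' && (wfd.cFileName[1] == 0 || wfd.cFileName[1] == '.')) continue;
        char path[MAX_PATH];
        n = snprintf(path, sizeof path, "%s\\%s", profile_dir, wfd.cFileName);
        if (n < 0 || (size_t)n >= sizeof path) continue;   // truncated: not a real path
        chrome_scan_sqlite_file(path);
      } while (FindNextFile(hfind, &wfd) && start_scan);
      FindClose(hfind);
    }
  }
  RegCloseKey(CleTmp);
}

//------------------------------------------------------------------------------
// Chrome history scan thread.
//
// Source selection: entries under FILES_TITLE_APPLI in the files tree-view
// when the GUI is used and the scan is not local; otherwise (local scan, or
// console-only build) the profiles of the live host.
//
// The CSV header for CMD_LINE_ONLY_NO_DB is printed once, up front, with the
// same columns in both paths; previously the local path printed a header
// without the leading "Chrome" column and only after the registry open
// succeeded.
//
// lParam : index of this test in H_tests / h_thread_test.
// Returns 0.
//------------------------------------------------------------------------------
DWORD WINAPI Scan_chrome_history(LPVOID lParam)
{
  const unsigned int test_id = (unsigned int)(UINT_PTR)lParam;
  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Chrome\";\"file\";\"parameter\";\"date\";\"id_language_description\";\"session_id\";\"data\";\r\n");
  #endif
  //get child
  HTREEITEM hitem = NULL;
  if (!CONSOL_ONLY)hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);
  if ((hitem == NULL && LOCAL_SCAN) || CONSOL_ONLY)
  {
    chrome_scan_local_profiles();
  }
  else
  {
    char path[MAX_PATH];
    while (hitem != NULL && start_scan)
    {
      path[0] = 0;
      GetTextFromTrv(hitem, path, MAX_PATH);
      if (path[0] != 0) chrome_scan_sqlite_file(path);
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }
  if (!CONSOL_ONLY)check_treeview(htrv_test, H_tests[test_id], TRV_STATE_UNCHECK);
  h_thread_test[test_id] = 0;
  return 0;
}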
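//------------------------------------------------------------------------------
// Expand the root branches of the files tree-view. Previously repeated after
// every edit of the list as four SendMessage calls.
//------------------------------------------------------------------------------
static void conf_expand_file_branches(void)
{
  for (unsigned int i = 0; i < NB_MX_TYPE_FILES_TITLE; i++)
  {
    SendMessage(htrv_files, TVM_EXPAND, TVE_EXPAND, (LPARAM)TRV_HTREEITEM_CONF[i]);
  }
}

//------------------------------------------------------------------------------
// Stop the AutoSearchFiles background thread and tidy what it collected
// (sort, de-duplicate and expand each branch). Shared by the two auto-search
// menu entries, which carried this code twice.
// NOTE(review): TerminateThread() is the mechanism the file already uses; it
// ends the thread without unwinding, so any heap or lock operation in flight
// inside AutoSearchFiles is abandoned in whatever state it was in.
//------------------------------------------------------------------------------
static void conf_autosearch_stop(void)
{
  B_AUTOSEARCH = FALSE;
  DWORD exit_code = 0;
  GetExitCodeThread(h_AUTOSEARCH, &exit_code);
  TerminateThread(h_AUTOSEARCH, exit_code);
  for (unsigned int i = 0; i < NB_MX_TYPE_FILES_TITLE; i++)
  {
    SendMessage(htrv_files, TVM_SORTCHILDREN, TRUE, (LPARAM)TRV_HTREEITEM_CONF[i]);
    SupDoublon(htrv_files, TRV_HTREEITEM_CONF[i]);
    SendMessage(htrv_files, TVM_EXPAND, TVE_EXPAND, (LPARAM)TRV_HTREEITEM_CONF[i]);
  }
}

//------------------------------------------------------------------------------
// Kill the worker thread of test `index` (file convention: TerminateThread)
// and release its slot. No-op when the slot is empty.
//------------------------------------------------------------------------------
static void conf_kill_test_thread(unsigned int index)
{
  if (h_thread_test[index] == 0) return;
  DWORD exit_code = 0;
  GetExitCodeThread(h_thread_test[index], &exit_code);
  TerminateThread(h_thread_test[index], exit_code);
  h_thread_test[index] = 0;
}

//------------------------------------------------------------------------------
// Folder picker used by "add path" and "auto-search path".
// path : buffer of MAX_PATH bytes; receives the chosen directory on success.
// Returns TRUE when a directory was chosen and its path resolved.
// NOTE(review): as before, the PIDL returned by SHBrowseForFolder is not
// released with CoTaskMemFree - a small leak per call.
//------------------------------------------------------------------------------
static BOOL conf_browse_for_folder(char *path)
{
  BROWSEINFO browser;
  ZeroMemory(&browser, sizeof(BROWSEINFO));
  browser.hwndOwner = h_conf;
  browser.ulFlags = BIF_NEWDIALOGSTYLE;
  browser.pszDisplayName = path;
  browser.lpszTitle = "";
  path[0] = 0;
  LPITEMIDLIST lip = SHBrowseForFolder(&browser);
  if (lip == NULL) return FALSE;
  return SHGetPathFromIDList(lip, path) ? TRUE : FALSE;
}

//------------------------------------------------------------------------------
// Move the selected files-tree item to the neighbouring root branch.
// up : TRUE cycles LOGS->APPLI->REGISTRY->FILES->LOGS, FALSE the reverse
//      (the mappings of the former "up"/"down" handlers).
// A root branch (no parent) or an empty selection is left alone; previously
// the branch itself was deleted in that case.
//------------------------------------------------------------------------------
static void conf_move_selected_file(BOOL up)
{
  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files,TVM_GETNEXTITEM,(WPARAM)TVGN_CARET, (LPARAM)0);
  if (hitem == NULL) return;
  HTREEITEM hparent = (HTREEITEM)SendMessage(htrv_files,TVM_GETNEXTITEM,(WPARAM)TVGN_PARENT, (LPARAM)hitem);
  if (hparent == NULL) return;
  char tmp[MAX_PATH];
  tmp[0] = 0;
  GetItemTreeView(hitem,htrv_files,tmp, MAX_PATH);
  int target = -1;
  if (hparent == TRV_HTREEITEM_CONF[FILES_TITLE_LOGS])          target = up ? FILES_TITLE_APPLI    : FILES_TITLE_FILES;
  else if (hparent == TRV_HTREEITEM_CONF[FILES_TITLE_FILES])    target = up ? FILES_TITLE_LOGS     : FILES_TITLE_REGISTRY;
  else if (hparent == TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]) target = up ? FILES_TITLE_FILES    : FILES_TITLE_APPLI;
  else if (hparent == TRV_HTREEITEM_CONF[FILES_TITLE_APPLI])    target = up ? FILES_TITLE_REGISTRY : FILES_TITLE_LOGS;
  if (target >= 0) AddItemTreeView(htrv_files, tmp, TRV_HTREEITEM_CONF[target]);
  SendMessage(htrv_files,TVM_DELETEITEM,(WPARAM)0, (LPARAM)hitem);
  conf_expand_file_branches();
}

//------------------------------------------------------------------------------
// Show sub-menu 0 of hmenu at the cursor (falling back to the WM_CONTEXTMENU
// coordinates in lParam) and destroy the menu afterwards.
//------------------------------------------------------------------------------
static void conf_track_popup(HMENU hmenu, HWND hwnd, LPARAM lParam)
{
  POINT pos;
  if (GetCursorPos(&pos) != 0)
  {
    TrackPopupMenuEx(GetSubMenu(hmenu, 0), 0, pos.x, pos.y, hwnd, NULL);
  }
  else
  {
    TrackPopupMenuEx(GetSubMenu(hmenu, 0), 0, GET_X_LPARAM(lParam), GET_Y_LPARAM(lParam), hwnd, NULL);
  }
  DestroyMenu(hmenu);
}

//------------------------------------------------------------------------------
// Dialog procedure of the configuration window: files tree-view (evidence
// list), tests tree-view, option check boxes and the start/stop button.
//
// hwnd, message, wParam, lParam : standard dialog-procedure arguments.
// Returns 0 (FALSE) for every message, as before.
//
// Fixes against the previous version:
//  - "open path" searched backwards for the last backslash with no lower
//    bound (read before the buffer when the text had none); strrchr() now;
//  - "auto-search path" handed the worker thread a pointer to a stack buffer
//    that died when the handler returned; the path now lives in a
//    function-static buffer (B_AUTOSEARCH guarantees a single search);
//  - "up"/"down"/"remove" on a root branch deleted the branch;
//  - the StopGUIScan thread handle is closed instead of leaked;
//  - uninitialised exit codes passed to TerminateThread, and the tree-view
//    index used before its bounds check in the "stop test" menu.
//------------------------------------------------------------------------------
BOOL CALLBACK DialogProc_conf(HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam)
{
  // Path handed to AutoSearchFiles; must outlive the WM_COMMAND handler.
  static char autosearch_path[MAX_PATH] = "";

  switch(message)
  {
    case WM_COMMAND:
      if (HIWORD(wParam) == BN_CLICKED)
      {
        switch(LOWORD(wParam))
        {
          case BT_START:
            if (start_scan)
            {
              // Stop request runs on its own thread; the handle is not needed.
              HANDLE hstop = CreateThread(NULL,0,StopGUIScan,0,0,0);
              if (hstop != NULL) CloseHandle(hstop);
            }
            else
            {
              start_scan = TRUE;
              // Local scan unless the user added entries under the root branches.
              LOCAL_SCAN = (TreeView_GetCount(htrv_files) > NB_MX_TYPE_FILES_TITLE) ? FALSE : TRUE;
              // Snapshot the option boxes into the globals the scanners read.
              FILE_ACL      = (IsDlgButtonChecked(h_conf,BT_ACL_FILE_CHK)==BST_CHECKED) ? TRUE : FALSE;
              FILE_ADS      = (IsDlgButtonChecked(h_conf,BT_ADS_FILE_CHK)==BST_CHECKED) ? TRUE : FALSE;
              FILE_SHA      = (IsDlgButtonChecked(h_conf,BT_SHA_FILE_CHK)==BST_CHECKED) ? TRUE : FALSE;
              UTC_TIME      = (IsDlgButtonChecked(h_conf,BT_UTC_CHK)==BST_CHECKED) ? TRUE : FALSE;
              enable_magic  = (IsDlgButtonChecked(h_conf,BT_MAGIC_CHK)==BST_CHECKED) ? TRUE : FALSE;
              enable_remote = (IsDlgButtonChecked(h_conf,BT_RA_CHK)==BST_CHECKED) ? TRUE : FALSE;
              enable_LNK    = Ischeck_treeview(htrv_test, H_tests[INDEX_FILE_NK]) ? TRUE : FALSE;
              // Freeze the configuration while the scan runs.
              EnableWindow(htrv_files,FALSE);
              EnableWindow(GetDlgItem((HWND)h_conf,BT_ACL_FILE_CHK),FALSE);
              EnableWindow(GetDlgItem((HWND)h_conf,BT_ADS_FILE_CHK),FALSE);
              EnableWindow(GetDlgItem((HWND)h_conf,BT_SHA_FILE_CHK),FALSE);
              EnableWindow(GetDlgItem((HWND)h_conf,BT_UTC_CHK),FALSE);
              EnableWindow(GetDlgItem((HWND)h_conf,BT_MAGIC_CHK),FALSE);
              EnableWindow(GetDlgItem((HWND)h_conf,BT_RA_CHK),FALSE);
              // Create a new session row and reset the session combo.
              SendMessage(hCombo_session, CB_RESETCONTENT,0,0);
              FORMAT_CALBAK_READ_INFO fcri;
              memset(&fcri, 0, sizeof fcri);
              fcri.type = TYPE_SQL_ADD_SESSION;
              SQLITE_WriteData(&fcri, SQLITE_LOCAL_BDD);
              // Launch the scan driver and relabel the button.
              h_thread_scan = CreateThread(NULL,0,GUIScan,0,0,0);
              SetWindowText(GetDlgItem((HWND)h_conf,BT_START),cps[TXT_BT_STOP].c);
            }
            break;
          //----------------------------------------
          case POPUP_TRV_FILES_ADD_FILE:
          {
            // Multi-select buffer: "dir\0file1\0file2\0\0", or one full path.
            char files[MAX_LINE_DBSIZE]="";
            memset(files,0,MAX_LINE_DBSIZE);
            OPENFILENAME ofn;
            ZeroMemory(&ofn, sizeof(OPENFILENAME));
            ofn.lStructSize = sizeof(OPENFILENAME);
            ofn.hwndOwner = h_conf;
            ofn.lpstrFile = files;
            ofn.nMaxFile = MAX_LINE_DBSIZE;
            ofn.lpstrFilter = "*.* \0*.*\0" "*.log\0*.log\0" "*.evt\0*.evt\0" "*.evtx\0*.evtx\0" "*.db\0*.db\0" "*.sqlite\0*.sqlite\0" "*.dat\0*.dat\0" "*.pf\0*.pf\0" "*.job\0*.job\0" "ntds.dit\0ntds.dit\0" "sam\0sam\0" "system\0system\0" "software\0software\0" "security\0security\0" "default\0default\0" "hardware\0hardware\0";
            ofn.nFilterIndex = 1;
            ofn.Flags =/*OFN_FILEMUSTEXIST |*/ OFN_OVERWRITEPROMPT | OFN_ALLOWMULTISELECT|OFN_EXPLORER|OFN_SHOWHELP;
            ofn.lpstrDefExt ="*.*";
            if (GetOpenFileName(&ofn)==TRUE)
            {
              // First string is the directory (or the only path); the rest are file names.
              char path[MAX_PATH], totalpath[MAX_PATH];
              snprintf(path, sizeof path, "%s", files);
              char *p = files+strlen(files)+1;
              if (*p == 0) FileToTreeView(path);
              while (*p)
              {
                snprintf(totalpath,MAX_PATH,"%s\\%s",path,p);
                FileToTreeView(totalpath);
                p = p+strlen(p)+1;
              }
              CleanTreeViewFiles(htrv_files);   // sort and de-duplicate
              conf_expand_file_branches();
            }
          }
          break;
          case POPUP_TRV_FILES_ADD_PATH:
          {
            char path[MAX_PATH] = "";
            if (conf_browse_for_folder(path))
            {
              FileToTreeView(path);
              CleanTreeViewFiles(htrv_files);
              conf_expand_file_branches();
            }
          }
          break;
          case POPUP_TRV_FILES_UP:
            conf_move_selected_file(TRUE);
            break;
          case POPUP_TRV_FILES_DOWN:
            conf_move_selected_file(FALSE);
            break;
          case POPUP_TRV_FILES_REMOVE_ITEMS:
          {
            // Only leaf entries may be removed; the root branches stay.
            HTREEITEM hsel = (HTREEITEM)SendMessage(htrv_files,TVM_GETNEXTITEM,(W PARAM)TVGN_CARET, (LPARAM)0);
            if (hsel != NULL && (HTREEITEM)SendMessage(htrv_files,TVM_GETNEXTITEM,(WPARAM)TVGN_PARENT, (LPARAM)hsel) != NULL)
            {
              TreeView_DeleteItem(htrv_files, hsel);
            }
          }
          break;
          case POPUP_TRV_FILES_CLEAN_ALL:
            // Drop everything, untick every test and recreate the root branches.
            SendMessage(htrv_files,TVM_DELETEITEM,(WPARAM)0, (LPARAM)TVI_ROOT);
            check_childs_treeview(htrv_test, FALSE);
            TRV_HTREEITEM_CONF[FILES_TITLE_LOGS] = AddItemTreeView(htrv_files,cps[TXT_FILE_AUDIT].c, TVI_ROOT);
            TRV_HTREEITEM_CONF[FILES_TITLE_FILES] = AddItemTreeView(htrv_files,cps[TXT_FILE_REP].c, TVI_ROOT);
            TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY] = AddItemTreeView(htrv_files,cps[TXT_FILE_REGISTRY].c, TVI_ROOT);
            TRV_HTREEITEM_CONF[FILES_TITLE_APPLI] = AddItemTreeView(htrv_files,cps[TXT_FILE_APPLI].c, TVI_ROOT);
            break;
          case POPUP_TRV_FILES_OPEN_PATH:
          {
            char path[MAX_PATH];
            TVITEM tvitem;
            tvitem.mask = TVIF_HANDLE|TVIF_TEXT;
            tvitem.hItem = (HTREEITEM)SendMessage(htrv_files,TVM_GETNEXTITEM,(WPARAM)TVGN_CARET, (LPARAM)0);
            tvitem.cchTextMax = MAX_PATH;
            tvitem.pszText = path;
            if (SendMessage(htrv_files,TVM_GETITEM,(WPARAM)0, (LPARAM)&tvitem))
            {
              // A file entry is reduced to its directory (text up to and
              // including the last backslash) before Explorer opens it.
              if (!isDirectory(path))
              {
                char *slash = strrchr(path, '\\');
                if (slash != NULL) slash[1] = 0;
              }
              ShellExecute(h_main, "explore", path, NULL,NULL,SW_SHOW);
            }
          }
          break;
          case POPUP_TRV_FILES_AUTO_SEARCH:
            if (B_AUTOSEARCH)
            {
              conf_autosearch_stop();
            }
            else
            {
              B_AUTOSEARCH = TRUE;
              h_AUTOSEARCH = CreateThread(NULL,0,AutoSearchFiles,0,0,0);
            }
            break;
          case POPUP_TRV_FILES_AUTO_SEARCH_PATH:
            if (B_AUTOSEARCH)
            {
              conf_autosearch_stop();
            }
            else if (conf_browse_for_folder(autosearch_path))
            {
              // The previous code always appended a backslash before handing
              // the path to AutoSearchFiles; keep exactly one.
              size_t len = strlen(autosearch_path);
              if (len > 0 && len < MAX_PATH - 1 && autosearch_path[len - 1] != '\\')
              {
                autosearch_path[len] = '\\';
                autosearch_path[len + 1] = 0;
              }
              B_AUTOSEARCH = TRUE;
              h_AUTOSEARCH = CreateThread(NULL,0,AutoSearchFiles,autosearch_path,0,0);
            }
            break;
          case POPUP_TRV_FILES_SAVE_LIST:
          {
            char file[MAX_PATH]="";
            OPENFILENAME ofn;
            ZeroMemory(&ofn, sizeof(OPENFILENAME));
            ofn.lStructSize = sizeof(OPENFILENAME);
            ofn.hwndOwner = h_conf;
            ofn.lpstrFile = file;
            ofn.nMaxFile = MAX_PATH;
            ofn.lpstrFilter ="*.txt \0*.txt\0*.csv\0*.csv\0";
            ofn.nFilterIndex = 1;
            ofn.Flags =OFN_PATHMUSTEXIST | OFN_HIDEREADONLY | OFN_OVERWRITEPROMPT;
            ofn.lpstrDefExt =".txt\0";
            if (GetSaveFileName(&ofn)==TRUE)
            {
              // Filter index 2 is the CSV entry of lpstrFilter.
              if (ofn.nFilterIndex == 2) SaveTRV(htrv_files, file, SAVE_TYPE_CSV);
              else SaveTRV(htrv_files, file, SAVE_TYPE_TXT);
            }
          }
          break;
          case POPUP_TRV_FILES_LOAD_LIST:
          {
            char file[MAX_LINE_SIZE]="";
            memset(file,0,MAX_LINE_SIZE);
            OPENFILENAME ofn;
            ZeroMemory(&ofn, sizeof(OPENFILENAME));
            ofn.lStructSize = sizeof(OPENFILENAME);
            ofn.hwndOwner = h_conf;
            ofn.lpstrFile = file;
            ofn.nMaxFile = MAX_LINE_SIZE;
            ofn.lpstrFilter = "*.* \0*.*\0" "*.txt\0*.txt\0" "*.csv\0*.csv\0";
            ofn.nFilterIndex = 1;
            ofn.Flags =/*OFN_FILEMUSTEXIST |*/ OFN_OVERWRITEPROMPT | OFN_ALLOWMULTISELECT|OFN_EXPLORER|OFN_SHOWHELP;
            ofn.lpstrDefExt ="*.*";
            if (GetOpenFileName(&ofn)==TRUE)
            {
              loadFile_test(file, ofn.nFilterIndex);
            }
          }
          break;
          case POPUP_TRV_CHECK_ALL:
            check_childs_treeview(htrv_test, TRUE);
            break;
          case POPUP_TRV_UNCHECK_ALL:
            check_childs_treeview(htrv_test, FALSE);
            break;
          case POPUP_TRV_STOP_TEST:
          {
            int index = GetTrvItemIndex((HTREEITEM)SendMessage(htrv_test,TVM_GETNEXTITEM,(WPARAM)TVGN_CARET, (LPARAM)0), htrv_test);
            if (index >= 0 && (unsigned int)index < NB_TESTS)
            {
              conf_kill_test_thread((unsigned int)index);
              check_treeview(htrv_test, H_tests[index], TRV_STATE_UNCHECK);
            }
          }
          break;
        }
      }
      break;
    case WM_NOTIFY:
      if (((LPNMHDR)lParam)->code == NM_CLICK && ((LPNMHDR)lParam)->hwndFrom == htrv_test)
      {
        // Hit-test the click: on the state icon only select the item; anywhere
        // else write the item's current state back through check_treeview()
        // (as before - presumably keeps the custom state in step with the
        // control's, confirm).
        TV_HITTESTINFO Struct;
        POINT pt;
        GetCursorPos(&pt);
        ScreenToClient(htrv_test, &pt);
        Struct.pt = pt;
        HTREEITEM hItemSelect = TreeView_HitTest(htrv_test, &Struct);
        if (hItemSelect != NULL)
        {
          if (Struct.flags == TVHT_ONITEMSTATEICON)
          {
            TreeView_SelectItem(htrv_test,hItemSelect);
          }
          else if (Ischeck_treeview(htrv_test, hItemSelect))
          {
            check_treeview(htrv_test, hItemSelect, TRV_STATE_CHECK);
          }
          else
          {
            check_treeview(htrv_test, hItemSelect, TRV_STATE_UNCHECK);
          }
        }
      }
      break;
    case WM_CONTEXTMENU:
      if ((HWND)wParam == htrv_test)
      {
        // Select the item under the cursor so the popup acts on it.
        TV_HITTESTINFO tvh_info;
        tvh_info.pt.x = LOWORD(lParam);
        tvh_info.pt.y = HIWORD(lParam);
        ScreenToClient(htrv_test, &(tvh_info.pt));
        HTREEITEM hItemSelect = TreeView_HitTest(htrv_test, &tvh_info);
        if (hItemSelect != 0) TreeView_SelectItem(htrv_test,hItemSelect);
        HMENU hmenu;
        if ((hmenu = LoadMenu(hinst, MAKEINTRESOURCE(POPUP_TRV_TEST)))!= NULL)
        {
          // Localised captions.
          ModifyMenu(hmenu,POPUP_TRV_CHECK_ALL,MF_BYCOMMAND|MF_STRING,POPUP_TRV_CHECK_ALL,cps[TXT_POPUP_CHECK_ALL].c);
          ModifyMenu(hmenu,POPUP_TRV_UNCHECK_ALL,MF_BYCOMMAND|MF_STRING,POPUP_TRV_UNCHECK_ALL,cps[TXT_POPUP_UNCHECK_ALL].c);
          // "Stop test" is offered only for a ticked test whose thread is running.
          HTREEITEM item = (HTREEITEM)SendMessage(htrv_test,TVM_GETNEXTITEM,(WPARAM)TVGN_CARET, (LPARAM)0);
          BOOL running = FALSE;
          if (start_scan && item != NULL && Ischeck_treeview(htrv_test, item))
          {
            int idx = GetTrvItemIndex(item, htrv_test);
            running = (idx >= 0 && (unsigned int)idx < NB_TESTS && h_thread_test[idx] != NULL) ? TRUE : FALSE;
          }
          if (running)
          {
            ModifyMenu(hmenu,POPUP_TRV_STOP_TEST,MF_BYCOMMAND|MF_STRING,POPUP_TRV_STOP_TEST,cps[TXT_POPUP_STOP_TEST].c);
          }
          else
          {
            RemoveMenu(hmenu,POPUP_TRV_STOP_TEST,MF_BYCOMMAND);
            RemoveMenu(GetSubMenu(hmenu, 0),2,MF_BYPOSITION);   // position 2 of the sub-menu, removed with it as before
          }
          conf_track_popup(hmenu, hwnd, lParam);
        }
      }
      else if ((HWND)wParam == htrv_files)
      {
        // Select the item under the cursor so the popup acts on it.
        TV_HITTESTINFO tvh_info;
        tvh_info.pt.x = LOWORD(lParam);
        tvh_info.pt.y = HIWORD(lParam);
        ScreenToClient(htrv_files, &(tvh_info.pt));
        HTREEITEM hItemSelect = TreeView_HitTest(htrv_files, &tvh_info);
        if (hItemSelect != NULL) TreeView_SelectItem(htrv_files,hItemSelect);
        HMENU hmenu;
        if ((hmenu = LoadMenu(hinst, MAKEINTRESOURCE(POPUP_TRV_FILES)))!= NULL)
        {
          // Localised captions.
          ModifyMenu(hmenu,POPUP_TRV_FILES_ADD_FILE,MF_BYCOMMAND|MF_STRING,POPUP_TRV_FILES_ADD_FILE,cps[TXT_POPUP_ADD_FILE].c);
          ModifyMenu(hmenu,POPUP_TRV_FILES_ADD_PATH,MF_BYCOMMAND|MF_STRING,POPUP_TRV_FILES_ADD_PATH,cps[TXT_POPUP_ADD_PATH].c);
          if (B_AUTOSEARCH)
          {
            RemoveMenu(hmenu,POPUP_TRV_FILES_AUTO_SEARCH_PATH,MF_BYCOMMAND);
            ModifyMenu(hmenu,POPUP_TRV_FILES_AUTO_SEARCH,MF_BYCOMMAND|MF_STRING,POPUP_TRV_FILES_AUTO_SEARCH,cps[TXT_POPUP_AUTO_SEARCH_STOP].c);
          }
          else
          {
            ModifyMenu(hmenu,POPUP_TRV_FILES_AUTO_SEARCH,MF_BYCOMMAND|MF_STRING,POPUP_TRV_FILES_AUTO_SEARCH,cps[TXT_POPUP_AUTO_SEARCH].c);
            ModifyMenu(hmenu,POPUP_TRV_FILES_AUTO_SEARCH_PATH,MF_BYCOMMAND|MF_STRING,POPUP_TRV_FILES_AUTO_SEARCH_PATH,cps[TXT_POPUP_AUTO_SEARCH_PATH].c);
          }
          // Item-level entries only make sense once there is more than the
          // four root branches (4 here is presumably NB_MX_TYPE_FILES_TITLE).
          if (SendMessage(htrv_files,TVM_GETCOUNT,(WPARAM)0,(LPARAM)0) > 4)
          {
            ModifyMenu(hmenu,POPUP_TRV_FILES_UP,MF_BYCOMMAND|MF_STRING,POPUP_TRV_FILES_UP,cps[TXT_POPUP_UP].c);
            ModifyMenu(hmenu,POPUP_TRV_FILES_DOWN,MF_BYCOMMAND|MF_STRING,POPUP_TRV_FILES_DOWN,cps[TXT_POPUP_DOWN].c);
            ModifyMenu(hmenu,POPUP_TRV_FILES_REMOVE_ITEMS,MF_BYCOMMAND|MF_STRING,POPUP_TRV_FILES_REMOVE_ITEMS,cps[TXT_POPUP_REMOVE_ITEMS].c);
            ModifyMenu(hmenu,POPUP_TRV_FILES_CLEAN_ALL,MF_BYCOMMAND|MF_STRING,POPUP_TRV_FILES_CLEAN_ALL,cps[TXT_POPUP_CLEAN_ALL].c);
            ModifyMenu(hmenu,POPUP_TRV_FILES_OPEN_PATH,MF_BYCOMMAND|MF_STRING,POPUP_TRV_FILES_OPEN_PATH,cps[TXT_POPUP_OPEN_PATH].c);
            ModifyMenu(hmenu,POPUP_TRV_FILES_SAVE_LIST,MF_BYCOMMAND|MF_STRING,POPUP_TRV_FILES_SAVE_LIST,cps[TXT_POPUP_SAVE_LIST].c);
          }
          else
          {
            RemoveMenu(GetSubMenu(hmenu,0),2,MF_BYPOSITION);
            RemoveMenu(hmenu,POPUP_TRV_FILES_UP,MF_BYCOMMAND);
            RemoveMenu(hmenu,POPUP_TRV_FILES_DOWN,MF_BYCOMMAND);
            RemoveMenu(hmenu,POPUP_TRV_FILES_REMOVE_ITEMS,MF_BYCOMMAND);
            RemoveMenu(hmenu,POPUP_TRV_FILES_CLEAN_ALL,MF_BYCOMMAND);
            RemoveMenu(hmenu,POPUP_TRV_FILES_OPEN_PATH,MF_BYCOMMAND);
            RemoveMenu(hmenu,POPUP_TRV_FILES_SAVE_LIST,MF_BYCOMMAND);
          }
          conf_track_popup(hmenu, hwnd, lParam);
        }
      }
      break;
    case WM_DROPFILES:
    {
      // Dropped files and folders go through the same classifier as "add file".
      if (B_AUTOSEARCH) break;   // drops were already refused while a search runs
      HDROP H_DropInfo=(HDROP)wParam;
      char tmp[MAX_PATH];
      DWORD nb_path = DragQueryFile(H_DropInfo, 0xFFFFFFFF, tmp, MAX_PATH);
      for (DWORD i=0;i<nb_path;i++)
      {
        tmp[0] = 0;
        if (DragQueryFile(H_DropInfo, i, tmp, MAX_PATH) > 0) FileToTreeView(tmp);
      }
      DragFinish(H_DropInfo);
      CleanTreeViewFiles(htrv_files);   // sort and de-duplicate
      conf_expand_file_branches();
    }
    break;
    case WM_INITDIALOG:
      // Localised captions.
      SetWindowText(GetDlgItem(hwnd,BT_ACL_FILE_CHK),cps[TXT_CHECK_ACL].c);
      SetWindowText(GetDlgItem(hwnd,BT_SHA_FILE_CHK),cps[TXT_CHECK_SHA].c);
      SetWindowText(GetDlgItem(hwnd,BT_ADS_FILE_CHK),cps[TXT_CHECK_ADS].c);
      SetWindowText(GetDlgItem(hwnd,BT_START),cps[TXT_BT_START].c);
      SetWindowText(GetDlgItem(hwnd,GRP_CONF),cps[TXT_GRP_CONF].c);
      // Default options: ACL, ADS and UTC on; SHA, magic and remote off.
      CheckDlgButton(hwnd,BT_ACL_FILE_CHK,BST_CHECKED);
      CheckDlgButton(hwnd,BT_ADS_FILE_CHK,BST_CHECKED);
      CheckDlgButton(hwnd,BT_UTC_CHK,BST_CHECKED);
      SendMessage(hwnd, WM_SETICON, ICON_BIG, (LPARAM)LoadIcon(GetModuleHandle(0), MAKEINTRESOURCE(ICON_APP)));
      // Files tree-view with its four root branches.
      htrv_files = GetDlgItem(hwnd,TRV_FILES);
      SendMessage(htrv_files,CBEM_SETIMAGELIST,0,(LPARAM)H_ImagList_icon);
      TRV_HTREEITEM_CONF[FILES_TITLE_LOGS] = AddItemTreeView(htrv_files,cps[TXT_FILE_AUDIT].c, TVI_ROOT);
      TRV_HTREEITEM_CONF[FILES_TITLE_FILES] = AddItemTreeView(htrv_files,cps[TXT_FILE_REP].c, TVI_ROOT);
      TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY] = AddItemTreeView(htrv_files,cps[TXT_FILE_REGISTRY].c, TVI_ROOT);
      TRV_HTREEITEM_CONF[FILES_TITLE_APPLI] = AddItemTreeView(htrv_files,cps[TXT_FILE_APPLI].c, TVI_ROOT);
      // Tests tree-view: one item per entry of the hlstbox list box.
      // NOTE(review): the capacity of H_tests / h_thread_test is not checked
      // against NB_TESTS here - confirm it cannot be exceeded.
      htrv_test = GetDlgItem(hwnd,TRV_TEST);
      NB_TESTS = SendMessage(hlstbox, LB_GETCOUNT,0,0);
      {
        char tmp[DEFAULT_TMP_SIZE];
        for (unsigned int i=0;i<NB_TESTS;i++)
        {
          if (SendMessage(hlstbox, LB_GETTEXTLEN,i,0) < DEFAULT_TMP_SIZE)
          {
            tmp[0] = 0;
            if(SendMessage(hlstbox, LB_GETTEXT,i,(LPARAM)tmp) > 0)
            {
              H_tests[i] = AddItemTreeView(htrv_test,tmp, TVI_ROOT);
            }
          }
        }
      }
      break;
    case WM_SIZE:
    {
      unsigned int mWidth = LOWORD(lParam);
      unsigned int mHeight = HIWORD(lParam);
      // Enforce a minimum of 800x600 (client), otherwise lay the controls out.
      if ((mWidth<800) || (mHeight<600))
      {
        RECT Rect;
        GetWindowRect(hwnd, &Rect);
        MoveWindow(hwnd,Rect.left,Rect.top,800+20,600+64,TRUE);
      }
      else
      {
        MoveWindow(GetDlgItem(hwnd,TRV_FILES),0,0,mWidth/2,mHeight-27,TRUE);
        MoveWindow(GetDlgItem(hwnd,TRV_TEST),mWidth/2+2,0,(mWidth/2)-2,mHeight-167,TRUE);
        MoveWindow(GetDlgItem(hwnd,GRP_CONF),mWidth/2+2,mHeight-165,(mWidth/2)-2,98,TRUE);
        MoveWindow(GetDlgItem(hwnd,BT_ACL_FILE_CHK),mWidth/2+20,mHeight-148,(mWidth/2)-40,17,TRUE);
        MoveWindow(GetDlgItem(hwnd,BT_ADS_FILE_CHK),mWidth/2+20,mHeight-128,(mWidth/2)-40,17,TRUE);
        MoveWindow(GetDlgItem(hwnd,BT_SHA_FILE_CHK),mWidth/2+20,mHeight-108,(mWidth/2)-40,17,TRUE);
        MoveWindow(GetDlgItem(hwnd,BT_UTC_CHK),mWidth/2+20,mHeight-88,(mWidth/4)-40,17,TRUE);
        MoveWindow(GetDlgItem(hwnd,BT_RA_CHK),mWidth*3/4+20,mHeight-108,(mWidth*1/4)-40,17,TRUE);
        MoveWindow(GetDlgItem(hwnd,BT_MAGIC_CHK),mWidth*3/4+20,mHeight-88,(mWidth*1/4)-40,17,TRUE);
        MoveWindow(GetDlgItem(hwnd,BT_START),mWidth/2+2,mHeight-64,(mWidth/2)-2,38,TRUE);
        MoveWindow(GetDlgItem(hwnd,DLG_CONF_SB),0,mHeight-25,mWidth,25,TRUE);
      }
      InvalidateRect(hwnd, NULL, TRUE);
    }
    break;
    case WM_CLOSE:
    {
      // Final close (scan already stopped): release the DB and leave the loop.
      if ((start_scan == FALSE) && (stop_scan == TRUE))
      {
        sqlite3_close(db_scan);
        CloseWindow(hwnd);
        PostQuitMessage(0);
      }
      // Kill every worker and the scan driver (file convention: TerminateThread).
      for (unsigned int i=0;i<NB_TESTS;i++) conf_kill_test_thread(i);
      if (h_thread_scan != 0)
      {
        DWORD exit_code = 0;
        GetExitCodeThread(h_thread_scan,&exit_code);
        TerminateThread(h_thread_scan,exit_code);
      }
      ShowWindow (h_main, SW_SHOW);
      UpdateWindow(h_main);
      EndDialog(hwnd, 0);
    }
    break;
  }
  return 0;
}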