//
//    Scan
//    ====
//
//    Runs Scan() on each of the m_dwCount entries held in m_pData, in index order, logging progress.
//
//    Returns TRUE when every entry's Scan() succeeds (including when the list is empty).
//    Returns FALSE as soon as one entry's Scan() reports failure; the entries after it are
//    NOT scanned in that pass, so a single failing trigger leaves the rest of the list unchecked.
//
BOOL CTriggerScanList::Scan()
{
    CLogFile log;

    DWORD dwIndex = 0;
    while (dwIndex < m_dwCount)
    {
        log.Format("Scanning trigger %d\n", dwIndex);

        // Stop at the first trigger that fails - nothing after it is attempted
        if (!m_pData[dwIndex]->Scan())
        {
            log.Write("Scan returned an error\n");
            return FALSE;
        }

        log.Write("Scan completed OK\n");
        ++dwIndex;
    }

    return TRUE;
}
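/*
** Special comparison handling for applications
**
** Compares the application names held in the latest results (m_pDataNew) with those held
** in the previous results (m_pDataOld) and records every name that appears in only one of
** the two sets as either "Application Added" or "Application Removed".
**
** Parameters:
**    file    Receives the update category when at least one difference was found
**
** Returns:
**    TRUE if any application was added or removed, otherwise FALSE.
**    FALSE is also returned when there are no previous results to compare against, so the
**    set of applications found by the very first scan is never reported as a change, and
**    when there are no latest results to compare with.
*/
BOOL CTriggerScannerApp::Test(CUpdateFile & file)
{
    CLogFile log;
    log.Write("CTriggerScannerApp::Test\n");

    BOOL bResult = FALSE;
    DWORD dw;

    // at this time we only scan for changes
    // NOTE(review): if ASSERT is the MFC debug-only macro then release builds do not enforce
    // this and any other op code is silently treated as opChanged - confirm
    ASSERT(m_nOpCode == opChanged);

    // can only monitor changes if we have previous results
    if (!m_pDataOld || (0 == m_pDataOld->GetCount()))
    {
        log.Write("CTriggerScannerApp::Test <No previous results found>\n");
        return FALSE;
    }

    // the latest results are dereferenced by both loops below, so give them the same
    // guard as the previous results rather than crashing on a missing result set
    if (!m_pDataNew)
    {
        log.Write("CTriggerScannerApp::Test <No latest results found>\n");
        return FALSE;
    }

    // create an update category - in case we need it
    CUpdateCat cat;
    cat.SetType (m_strEventName, CUpdateCat::regApp, "");

    log.Write("CTriggerScannerApp::Test <checking for applications being added>\n");

    // run through all app names collected at latest scan...
    // NOTE(review): whether FindKey matches names case-sensitively is not visible here - confirm
    for (dw = 0 ; dw < m_pDataNew->GetCount() ; dw++)
    {
        CString strAppName = (*m_pDataNew)[dw].GetKey();

        // The name is always passed as an argument and never as the format string itself.
        // The explicit cast hands the variadic Format() a plain character pointer instead
        // of a CString object, which is not a valid argument for a C-style "..." parameter.
        log.Format("CTriggerScannerApp::Test <Checking for %s>\n", static_cast<LPCTSTR>(strAppName));

        // was it there in the last scan?
        if ((DWORD)-1 == m_pDataOld->FindKey(strAppName))
        {
            log.Format("CTriggerScannerApp::Test <%s has been added>\n", static_cast<LPCTSTR>(strAppName));
            cat.Add (CUpdateItem("Application Added", strAppName));
            bResult = TRUE;
        }
    }

    // now repeat the process the other way round to find deleted apps
    log.Write("CTriggerScannerApp::Test <checking for applications being removed>\n");
    for (dw = 0 ; dw < m_pDataOld->GetCount() ; dw++)
    {
        CString strAppName = ((*m_pDataOld)[dw]).GetKey();
        log.Format("CTriggerScannerApp::Test <Checking for %s>\n", static_cast<LPCTSTR>(strAppName));

        // is it still there in the latest scan?
        if ((DWORD)-1 == m_pDataNew->FindKey(strAppName))
        {
            log.Format("CTriggerScannerApp::Test <%s has been removed>\n", static_cast<LPCTSTR>(strAppName));
            cat.Add (CUpdateItem("Application Removed", strAppName));
            bResult = TRUE;
        }
    }

    // were any changes found ?
    if (bResult)
    {
        log.Write("CTriggerScannerApp::Test <Changes were detected>\n");
        file.Add(cat);
    }

    return bResult;
}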
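//
//    Detect
//    ======
//
//    This is the main detection function.
//    The purpose of this function is
//
//    1> Call the Detect function of the CApplicationSerials object to recover possible product IDs
//    2> Scan various Windows registry keys looking for installed applications
//    3> Match the entries recovered in (2) with any serial numbers recovered by (1) and store them
//
//    Parameters:
//       pAuditScannerConfiguration   Scanner configuration; the pointer is stored in
//                                    _pAuditScannerConfiguration and passed on to the serials scan.
//                                    NOTE(review): it is not checked for NULL here - confirm callers
//
//    Returns:
//       Always 0. A registry key that cannot be opened is logged and skipped, so the caller
//       cannot tell a complete inventory from a partial one by the return value.
//
//    Any CException thrown by the scan routines is passed on to the caller unchanged.
//
int CApplicationInstanceList::Detect(CAuditScannerConfiguration* pAuditScannerConfiguration)
{
    // Closes an opened registry key when it goes out of scope, so the handle is released
    // even if the scan routine working on it throws
    struct CRegKeyCloser
    {
        HKEY hOpenKey;
        explicit CRegKeyCloser(HKEY h) : hOpenKey(h) {}
        ~CRegKeyCloser() { RegCloseKey(hOpenKey); }
    };

    try
    {
        CLogFile log;
        log.Write("CApplicationInstanceList::Detect in");

        // Ensure that the list is empty
        _listApplicationInstances.Empty();

        // Save the pointer to the scanner configuration file object as we may need this later
        _pAuditScannerConfiguration = pAuditScannerConfiguration;

        // Call the application serials detection function as this will perform a preliminary scan of the
        // windows registry looking for potential serial number / product id fields
        _applicationSerials.Detect(pAuditScannerConfiguration);
        //_applicationSerials.Dump();        // 8.3.4 - CMD - Commented out as a diagnostic only
        // NOTE(review): Dump presumably writes the recovered serial numbers / product ids to a
        // diagnostic output; keep it disabled in shipped builds so that licence keys do not end
        // up in log files - confirm what Dump emits

        // Open the Software uninstall key under HKLM and scan it
        HKEY hKey;
        LONG result;

        // [1] the registry view that is the default for this process
        result = RegOpenKeyEx (HKEY_LOCAL_MACHINE, UNINSTALLKEY, 0, KEY_READ, &hKey);
        if (ERROR_SUCCESS == result)
        {
            CRegKeyCloser closeOnExit(hKey);
            ScanUninstallKey (hKey);
        }
        else
        {
            log.Format("Failed to open HKLM %s [1], Reason : %d", UNINSTALLKEY, result);
        }

        // [2] explicitly the 64-bit registry view (KEY_WOW64_64KEY)
        // NOTE(review): when the process default view already is the 64-bit one, [1] and [2] open
        // the same key and it is scanned twice; whether ScanUninstallKey de-duplicates entries is
        // not visible here - confirm
        result = RegOpenKeyEx (HKEY_LOCAL_MACHINE, UNINSTALLKEY, 0, KEY_READ | KEY_WOW64_64KEY, &hKey);
        if (ERROR_SUCCESS == result)
        {
            CRegKeyCloser closeOnExit(hKey);
            ScanUninstallKey (hKey);
        }
        else
        {
            log.Format("Failed to open HKLM %s [2], Reason : %d", UNINSTALLKEY, result);
        }

        // repeat with the USER hive...
        result = RegOpenKeyEx (HKEY_CURRENT_USER, UNINSTALLKEY, 0, KEY_READ, &hKey);
        if (ERROR_SUCCESS == result)
        {
            CRegKeyCloser closeOnExit(hKey);
            ScanUninstallKey (hKey);
        }
        else
        {
            log.Format("Failed to open HKCU %s, Reason : %d", UNINSTALLKEY, result);
        }

        // Scan Windows\Installer key
        // NOTE(review): opened in the process default view only; if this key is subject to
        // registry redirection, entries in the other view are not inventoried - confirm
        result = RegOpenKeyEx (HKEY_LOCAL_MACHINE, WINDOWS_INSTALLERKEY, 0, KEY_READ, &hKey);
        if (ERROR_SUCCESS == result)
        {
            CRegKeyCloser closeOnExit(hKey);
            ScanWindowsInstaller (hKey);
        }
        else
        {
            log.Format("Failed to open HKLM %s [2], Reason : %d", WINDOWS_INSTALLERKEY, result);
        }

        // Odds and ends
        ScanExceptions();

        //log.Write("processing each application");
        // Iterate through the applications detected by the above and attempt to recover any serial number
        for (DWORD dw=0; dw<_listApplicationInstances.GetCount(); dw++)
        {
            CApplicationInstance* pApplicationInstance = &_listApplicationInstances[dw];
            CApplicationSerial* pThisSerial = NULL;

            // no need to attempt this for Internet Explorer
            if (pApplicationInstance->Name() == "Internet Explorer")
                continue;

            // If the installed application specified a GUID then scan the list of serial numbers looking
            // for an entry with the same GUID.  If we find one then we can recover the serial number from there
            if (pApplicationInstance->Guid() != "")
            {
                pThisSerial = _applicationSerials.ContainsIdentifier(pApplicationInstance->Guid());
            }

            // If we have still not found a serial number and we have recovered the application name then try
            // scanning the serial numbers list for the named application and recover any serial number found
            if ((pThisSerial == NULL) && (pApplicationInstance->Name() != ""))
                pThisSerial = _applicationSerials.ContainsApplication(pApplicationInstance->Name());

            // If we have now identified a serial number then copy the details into our application instance
            if (pThisSerial != NULL)
            {
                pThisSerial->Matched(TRUE);
                pApplicationInstance->Serial(*pThisSerial);
            }
        }
    }
    catch (CException*)
    {
        // Re-throw the exception currently being handled rather than a copy of the caught
        // pointer, so that a caller's handler for a derived CException type still matches
        throw;
    }

    return 0;
}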