//---------------------------------------------------------------- int FileContient(char * file, char *chaine) { int ret = -1; HANDLE hfile = CreateFile(file,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0); if (hfile != INVALID_HANDLE_VALUE) { DWORD dw =0, filesz = 0; filesz = GetFileSize(hfile,NULL); if (filesz > 0) { char *datas = malloc(filesz+1); if (datas != NULL) { if (ReadFile(hfile, datas, filesz, &dw, 0)) { if(Contient(charToLowChar(datas), charToLowChar(chaine)) > -1) ret = TRUE; else ret = FALSE; } free(datas); } } CloseHandle(hfile); } return ret; }
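//------------------------------------------------------------------------------
/**
 * Copy the extension of `file` (the text after the last '.' of its final
 * path component) into `ext`, lower-cased.
 *
 * @param file         NUL-terminated path or file name
 * @param ext          output buffer; set to "" when there is no extension
 * @param ext_size_max size of `ext` in bytes
 * @return `ext` when an extension was found, NULL otherwise — callers must
 *         check for NULL before handing the result to strcmp() and friends
 */
char *extractExtFromFile(char *file, char *ext, unsigned int ext_size_max)
{
    if (ext == NULL || ext_size_max == 0)
        return NULL;
    ext[0] = 0;
    if (file == NULL)
        return NULL;

    // Walk back from the terminator until a path separator (no extension)
    // or a dot. The scan starts on the terminator itself; the previous
    // "while(*c++);" left the cursor one byte past it and read out of bounds.
    const char *c = file + strlen(file);
    while (c > file && *c != '\\' && *c != '/' && *c != '.')
        c--;
    if (*c != '.')
        return NULL;

    // snprintf() always terminates; strncpy() did not when the extension
    // filled the whole buffer.
    snprintf(ext, ext_size_max, "%s", c + 1);
    charToLowChar(ext);
    return ext;
}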
//------------------------------------------------------------------------------ void scan_file(char *path, HANDLE htv) { WIN32_FIND_DATA data; char tmp_path[MAX_PATH], file[MAX_PATH]; snprintf(tmp_path,MAX_PATH,"%s*.*",path); HANDLE hfic = FindFirstFile(tmp_path, &data); if (hfic == INVALID_HANDLE_VALUE)return; do { // return if(data.cFileName[0] == '.' && (data.cFileName[1] == 0 || data.cFileName[1] == '.')){} else if (data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { snprintf(tmp_path,MAX_PATH,"%s%s\\",path,data.cFileName); scan_file(tmp_path, htv); }else //file { strncpy(file,data.cFileName,MAX_PATH); AddItemFiletoTreeView(htv, charToLowChar(file), path, NULL); } }while(FindNextFile (hfic,&data)); }
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
/**
 * Thread body: scan registry hives for user-related information.
 *
 * Source selection comes from the "registry" branch of the files tree view.
 * When it lists hive files (or this is not a local scan), each listed file is
 * opened with OpenRegFiletoMem() and handed to Scan_registry_user_file(); a
 * file whose lower-cased name contains "sam" is set aside and processed last.
 * Otherwise the live registry is scanned with Scan_registry_user_local().
 *
 * @param lParam index of this test in H_tests/h_thread_test (cast from the
 *               thread parameter, as in the other Scan_* threads)
 * @return 0
 */
DWORD WINAPI Scan_registry_user(LPVOID lParam)
{
    //init
    sqlite3 *db = (sqlite3 *)db_scan;
    unsigned int session_id = current_session_id;
    char file[MAX_PATH], file_SAM[MAX_PATH]="";
    HK_F_OPEN hks;
    char sk[MAX_PATH]="";                  // syskey buffer; not read again in this function
    char computer[DEFAULT_TMP_SIZE]="";    // computer name, taken from the first hive that has one
    BOOL ok_computer = FALSE;

    //files or local
    if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
    HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
    if (hitem!=NULL || !LOCAL_SCAN) //files
    {
        while(hitem!=NULL)
        {
            file[0] = 0;
            GetTextFromTrv(hitem, file, MAX_PATH);
            if (file[0] != 0)
            {
                charToLowChar(file);
                //check for SAM files
                // NOTE(review): any path containing "sam" matches (a directory
                // name qualifies too), and only the first such file is kept.
                // Contient() is used as a boolean here but compared with -1 in
                // FileContient() — confirm its return convention.
                if ((Contient(file,"sam")) && file_SAM[0] == 0)
                {
                    strcpy(file_SAM,file);   // both buffers are MAX_PATH, so this is bounded
                    hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
                    continue;
                }
                //open file + verify
                if(OpenRegFiletoMem(&hks, file))
                {
                    //get syskey
                    // `sk` is filled but nothing below reads it; presumably
                    // registry_syskey_file() also records it elsewhere — confirm.
                    registry_syskey_file(&hks, sk, MAX_PATH);
                    if (!ok_computer)
                    {
                        char tmp[DEFAULT_TMP_SIZE]="";
                        // NOTE(review): ControlSet001 is hard-coded; the control set
                        // actually in use (Select\Current) may be another one.
                        Readnk_Value(hks.buffer, hks.taille_fic, (hks.pos_fhbin)+HBIN_HEADER_SIZE, hks.position, "ControlSet001\\Control\\ComputerName\\ComputerName", NULL,"ComputerName", tmp, DEFAULT_TMP_SIZE);
                        if (tmp[0]!=0)
                        {
                            strcpy(computer,tmp);   // both buffers are DEFAULT_TMP_SIZE
                            ok_computer = TRUE;
                        }
                    }
                    Scan_registry_user_file(&hks, db, session_id,computer);
                    CloseRegFiletoMem(&hks);
                }
            }
            hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
        }
        //SAM file in last
        // The SAM-like file is deferred until the other hives have been seen,
        // so `computer` (if any hive provided it) is available for it.
        if (file_SAM[0] != 0)
        {
            //open file + verify
            if(OpenRegFiletoMem(&hks, file_SAM))
            {
                Scan_registry_user_file(&hks, db, session_id,computer);
                CloseRegFiletoMem(&hks);
            }
        }
    }else Scan_registry_user_local(db, session_id);
    if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
    // lParam carries the test index, truncated from the thread parameter as in
    // the other Scan_* threads; the slot is released after the UI update.
    check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan
    h_thread_test[(unsigned int)lParam] = 0;
    return 0;
}
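//------------------------------------------------------------------------------
//format : http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format
/**
 * Thread body: scan Windows Prefetch files and record them through PfCheck().
 *
 * Two sources, chosen by the "applications" branch of the files tree view:
 * when it lists files (or this is not a local scan, or we run under Wine)
 * every listed file with a "pf" extension is processed; otherwise
 * %WINDIR%\Prefetch\*.pf is enumerated on the live system.
 *
 * @param lParam index of this test in H_tests/h_thread_test (cast from the
 *               thread parameter, as in the other Scan_* threads)
 * @return 0
 */
DWORD WINAPI Scan_prefetch(LPVOID lParam)
{
    sqlite3 *db = (sqlite3 *)db_scan;
    unsigned int session_id = current_session_id;
    unsigned int test_id = (unsigned int)lParam;

#ifdef CMD_LINE_ONLY_NO_DB
    printf("\"Prefetch\";\"file\";\"path\";\"create_time\";\"last_update\";\"last_access\";\"count\";\"exec\";\"session_id\";\"depend\";\r\n");
#endif

    //check if local or not :)
    HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM, (WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);
    if (hitem != NULL || !LOCAL_SCAN || WINE_OS)
    {
        if (!SQLITE_FULL_SPEED) sqlite3_exec(db, "BEGIN TRANSACTION;", NULL, NULL, NULL);
        char tmp_file_pref[MAX_PATH], ext[MAX_PATH];
        while (hitem != NULL)
        {
            tmp_file_pref[0] = 0;
            ext[0] = 0;
            GetTextFromTrv(hitem, tmp_file_pref, MAX_PATH);
            // extractExtFromFile() returns NULL for a name without extension;
            // that NULL previously went straight into strcmp().
            const char *e = extractExtFromFile(charToLowChar(tmp_file_pref), ext, MAX_PATH);
            if (e != NULL && strcmp("pf", e) == 0)
                PfCheck(session_id, db, tmp_file_pref);
            hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM, (WPARAM)TVGN_NEXT, (LPARAM)hitem);
        }
        if (!SQLITE_FULL_SPEED) sqlite3_exec(db, "END TRANSACTION;", NULL, NULL, NULL);
        // NOTE(review): this exit releases the thread slot before the UI
        // update, the live-scan exit below does the reverse — kept as found.
        h_thread_test[test_id] = 0;
        check_treeview(htrv_test, H_tests[test_id], TRV_STATE_UNCHECK);
        return 0;
    }

    //init
    if (!SQLITE_FULL_SPEED) sqlite3_exec(db_scan, "BEGIN TRANSACTION;", NULL, NULL, NULL);

    //get system path
    char path[MAX_PATH] = "%WINDIR%\\Prefetch\\*.pf";
    ReplaceEnv("WINDIR", path, MAX_PATH);

    // Directory part of the pattern: everything before the trailing "*.pf"
    // (computed once, with a guard against a pattern shorter than 4 bytes).
    char dir[MAX_PATH];
    size_t path_len = strlen(path);
    snprintf(dir, MAX_PATH, "%.*s", (int)(path_len >= 4 ? path_len - 4 : 0), path);

    char path_f[MAX_PATH];
    WIN32_FIND_DATA data;
    HANDLE hfic = FindFirstFile(path, &data);
    if (hfic != INVALID_HANDLE_VALUE)
    {
        do
        {
            if ((data.cFileName[0] == '.' && (data.cFileName[1] == 0 || data.cFileName[1] == '.'))
                || (data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
                continue;
            // strncat(path_f, name, MAX_PATH) bounded only the appended part,
            // not the buffer, so dir + name could overrun path_f; snprintf()
            // bounds the whole result and reports truncation.
            int n = snprintf(path_f, MAX_PATH, "%s%s", dir, data.cFileName);
            if (n < 0 || n >= MAX_PATH)
                continue;
            PfCheck(session_id, db, path_f);
        } while (FindNextFile(hfic, &data) && start_scan);
        FindClose(hfic);   // the search handle was never released before
    }

    if (!SQLITE_FULL_SPEED) sqlite3_exec(db_scan, "END TRANSACTION;", NULL, NULL, NULL);
    check_treeview(htrv_test, H_tests[test_id], TRV_STATE_UNCHECK);
    h_thread_test[test_id] = 0;
    return 0;
}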
//------------------------------------------------------------------------------ void reg_read_enum_MRUNvalues(HKEY hk,char *chkey,char *key,char *exclu,char* description_id,unsigned int session_id, sqlite3 *db) { HKEY CleTmp; if (RegOpenKey(hk,key,&CleTmp)!=ERROR_SUCCESS)return; DWORD nbValue,i,j; FILETIME last_update; if (RegQueryInfoKey (CleTmp,0,0,0,0,0,0,&nbValue,0,0,0,&last_update)!=ERROR_SUCCESS) { RegCloseKey(CleTmp); return; } //get date char parent_key_update[DATE_SIZE_MAX] = ""; filetimeToString_GMT(last_update, parent_key_update, DATE_SIZE_MAX); //read USER + RID + SID char tmp[MAX_PATH]; char user[MAX_PATH], RID[MAX_PATH], sid[MAX_PATH]; GetRegistryKeyOwner(CleTmp, user, RID, sid, MAX_PATH); //enum values char value[MAX_PATH], data[MAX_PATH]; DWORD valueSize,dataSize,type; for (i=0;i<nbValue && start_scan;i++) { valueSize = MAX_PATH; dataSize = MAX_PATH; value[0] = 0; data[0] = 0; type = 0; if (RegEnumValue (CleTmp,i,(LPTSTR)value,(LPDWORD)&valueSize,0,(LPDWORD)&type,(LPBYTE)data,(LPDWORD)&dataSize)==ERROR_SUCCESS) { if (Contient(charToLowChar(value),exclu)) { switch(type) { case REG_EXPAND_SZ: case REG_SZ: convertStringToSQL(value, MAX_PATH); convertStringToSQL(data, MAX_PATH); addRegistryMRUtoDB("",chkey,key,value,data,description_id,user,RID,sid,parent_key_update,session_id,db);break; case REG_BINARY: case REG_LINK: snprintf(tmp,MAX_PATH,"%S",data); convertStringToSQL(value, MAX_PATH); convertStringToSQL(tmp, MAX_PATH); addRegistryMRUtoDB("",chkey,key,value,tmp,description_id,user,RID,sid,parent_key_update,session_id,db);break; case REG_MULTI_SZ: for (j=0;j<dataSize;j++) { if (data[j] == 0)data[j]=';'; } convertStringToSQL(value, MAX_PATH); convertStringToSQL(data, MAX_PATH); addRegistryMRUtoDB("",chkey,key,value,data,description_id,user,RID,sid,parent_key_update,session_id,db);break; } } } } RegCloseKey(CleTmp); }
//------------------------------------------------------------------------------
/**
 * sqlite3_exec() callback: for one MRU-definition row, read the matching
 * key(s)/value(s) from the hive file currently loaded in the global
 * `hks_mru` and store them with addRegistryMRUtoDB().
 *
 * Column usage as visible below (column names are not checked here):
 * argv[1] key path, argv[2] value name (or a value-name filter / leaf key
 * name, depending on the type), argv[3] numeric value type driving the inner
 * switch, argv[5] passed through in the description-id position.
 *
 * NOTE(review): sqlite3_exec() passes NULL for NULL columns; atoi(argv[3])
 * and the argv[1]/argv[2] uses below would dereference it — confirm the
 * query never yields NULL in those columns.
 *
 * @param datas     FORMAT_CALBAK_TYPE* selecting the row family (type->type)
 * @param argc      column count (unused)
 * @param argv      column values
 * @param azColName column names (unused)
 * @return 0 always, so sqlite continues with the next row
 */
int callback_sqlite_registry_mru_file(void *datas, int argc, char **argv, char **azColName)
{
    FORMAT_CALBAK_TYPE *type = datas;
    unsigned int session_id = current_session_id;
    char tmp[MAX_LINE_SIZE];   // scratch for value data in every case below
    switch(type->type)
    {
        case SQLITE_REGISTRY_TYPE_MRU:
        {
            switch(atoi(argv[3]))//value_type
            {
                // one named value (argv[2]) under key argv[1]
                case TYPE_VALUE_STRING:
                case TYPE_VALUE_WSTRING:
                    if (Readnk_Value(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, argv[1], NULL, argv[2], tmp, MAX_LINE_SIZE))
                    {
                        //key update
                        char parent_key_update[DATE_SIZE_MAX]="";
                        char RID[MAX_PATH]="", sid[MAX_PATH]="";
                        Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position, argv[1], NULL, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
                        //save
                        convertStringToSQL(tmp, MAX_LINE_SIZE);
                        addRegistryMRUtoDB(hks_mru.file,"",argv[1],argv[2],tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                    }
                    break;

                // every value under key argv[1]; the exclusion of argv[2] is
                // commented out, so the bare block below always runs
                case TYPE_ENUM_STRING_RVALUE://all string under one key
                {
                    HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
                    if (nk_h!=NULL)
                    {
                        //key update
                        char parent_key_update[DATE_SIZE_MAX]="";
                        char RID[MAX_PATH]="", sid[MAX_PATH]="";
                        Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position, NULL, nk_h, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
                        //get values
                        char value[MAX_PATH];
                        // a NULL output buffer asks GetValueData() for the value count
                        DWORD i, nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
                        for (i=0;i<nbSubValue && start_scan;i++)   // start_scan: global stop flag
                        {
                            if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,value,MAX_PATH,tmp,MAX_LINE_SIZE))
                            {
                                //if (strcmp(charToLowChar(value),argv[2]) != 0)
                                {
                                    //save
                                    convertStringToSQL(value, MAX_PATH);
                                    convertStringToSQL(tmp, MAX_LINE_SIZE);
                                    addRegistryMRUtoDB(hks_mru.file,"",argv[1],value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                                }
                            }
                        }
                    }
                }
                break;

                // identical to TYPE_ENUM_STRING_RVALUE: the comment announces an
                // exclusion of "value", but the strcmp is commented out here too
                case TYPE_ENUM_STRING_VALUE://list of all string in a directory and exclude "value"
                {
                    HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
                    if (nk_h!=NULL)
                    {
                        //key update
                        char parent_key_update[DATE_SIZE_MAX]="";
                        char RID[MAX_PATH]="", sid[MAX_PATH]="";
                        Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position, NULL, nk_h, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
                        //get values
                        char value[MAX_PATH];
                        DWORD i, nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
                        for (i=0;i<nbSubValue && start_scan;i++)
                        {
                            if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,value,MAX_PATH,tmp,MAX_LINE_SIZE))
                            {
                                //if (strcmp(charToLowChar(value),argv[2]) != 0)
                                {
                                    //save
                                    convertStringToSQL(value, MAX_PATH);
                                    convertStringToSQL(tmp, MAX_LINE_SIZE);
                                    addRegistryMRUtoDB(hks_mru.file,"",argv[1],value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                                }
                            }
                        }
                    }
                }
                break;

                // only values whose lower-cased name contains argv[2]
                case TYPE_ENUM_STRING_NVALUE://list of all string in a directory with "value"
                {
                    HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
                    if (nk_h!=NULL)
                    {
                        //key update
                        char parent_key_update[DATE_SIZE_MAX]="";
                        char RID[MAX_PATH]="", sid[MAX_PATH]="";
                        Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position, NULL, nk_h, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
                        //get values
                        char value[MAX_PATH];
                        DWORD i, nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
                        for (i=0;i<nbSubValue && start_scan;i++)
                        {
                            if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,value,MAX_PATH,tmp,MAX_LINE_SIZE))
                            {
                                // NOTE(review): Contient() is used as a boolean here but
                                // compared with -1 in FileContient() — confirm its contract
                                if (Contient(charToLowChar(value),argv[2]))
                                {
                                    //save
                                    convertStringToSQL(value, MAX_PATH);
                                    convertStringToSQL(tmp, MAX_LINE_SIZE);
                                    addRegistryMRUtoDB(hks_mru.file,"",argv[1],value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                                }
                            }
                        }
                    }
                }
                break;

                // binary values under argv[1], decoded as UTF-16 text into `data`
                case TYPE_ENUM_STRING_WVALUE:
                {
                    HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
                    if (nk_h!=NULL)
                    {
                        //key update
                        char parent_key_update[DATE_SIZE_MAX]="";
                        char RID[MAX_PATH]="", sid[MAX_PATH]="";
                        Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position, NULL, nk_h, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
                        //get values
                        char value[MAX_PATH],data[MAX_LINE_SIZE];
                        DWORD i, nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
                        DWORD sz_value = MAX_LINE_SIZE;
                        for (i=0;i<nbSubValue && start_scan;i++)
                        {
                            sz_value = MAX_LINE_SIZE;   // in/out size, reset for every value
                            if (GetBinaryValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,value,MAX_PATH,tmp,&sz_value))
                            {
                                //save
                                convertStringToSQL(value, MAX_PATH);
                                // "%S" reads `tmp` as a wide string; whether GetBinaryValueData()
                                // guarantees a wide terminator inside sz_value is not visible here
                                snprintf(data,MAX_LINE_SIZE,"%S",tmp);
                                // NOTE(review): the SQL escaping is applied to `tmp`, but it is
                                // `data` that is stored below — `data` was probably intended
                                convertStringToSQL(tmp, MAX_LINE_SIZE);
                                addRegistryMRUtoDB(hks_mru.file,"",argv[1],value,data,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                            }
                        }
                    }
                }
                break;

                // one row per subkey of argv[1], carrying that subkey's last-write time
                case TYPE_ENUM_SUBNK_DATE:
                {
                    HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
                    if (nk_h!=NULL)
                    {
                        char parent_key_update[DATE_SIZE_MAX]="";
                        char RID[MAX_PATH]="", sid[MAX_PATH]="";
                        //get values
                        char value[MAX_PATH], tmp_key[MAX_PATH];
                        DWORD i, nbSubnk = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0);
                        for (i=0;i<nbSubnk && start_scan;i++)
                        {
                            if (GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i, value, MAX_PATH))
                            {
                                snprintf(tmp_key,MAX_PATH,"%s\\%s",argv[1],value);
                                HBIN_CELL_NK_HEADER *nk_ht = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,tmp_key);
                                if (nk_ht!=NULL)
                                {
                                    //key update
                                    Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position, NULL, nk_ht, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
                                    //save
                                    convertStringToSQL(tmp_key, MAX_PATH);
                                    addRegistryMRUtoDB(hks_mru.file,"",tmp_key,"","",argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                                }
                            }
                        }
                    }
                }
                break;

                // two-level enumeration: argv[1]\<sub>\AVGeneral\cRecentFiles\<sub2>,
                // storing value argv[2] of each <sub2>
                case TYPE_DBL_ENUM_VALUE:
                {
                    HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
                    if (nk_h==NULL)break;
                    char parent_key_update[DATE_SIZE_MAX]="";
                    char RID[MAX_PATH]="", sid[MAX_PATH]="", data[MAX_PATH];
                    HBIN_CELL_NK_HEADER *nk_ht, *nk_ht2;
                    //get values
                    char value2[MAX_PATH],value[MAX_PATH], tmp_key2[MAX_PATH], tmp_key[MAX_PATH];
                    DWORD i,j, nbSubnk2, nbSubnk = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0);
                    for (i=0;i<nbSubnk && start_scan;i++)
                    {
                        if (GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i, value, MAX_PATH))
                        {
                            snprintf(tmp_key,MAX_PATH,"%s\\%s\\AVGeneral\\cRecentFiles",argv[1],value);
                            nk_ht = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,tmp_key);
                            // NOTE(review): unlike the other cases, nk_ht is not NULL-checked
                            // before GetSubNK() — confirm the helper tolerates NULL
                            nbSubnk2 = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_ht, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0);
                            for (j=0;j<nbSubnk2 && start_scan;j++)
                            {
                                if (GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_ht, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, j, value2, MAX_PATH))
                                {
                                    snprintf(tmp_key2,MAX_PATH,"%s\\%s",tmp_key,value2);
                                    nk_ht2 = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,tmp_key2);
                                    //datas
                                    // NOTE(review): nk_ht2 is likewise passed unchecked to Readnk_Value()
                                    if(Readnk_Value(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, NULL, nk_ht2, argv[2], data, MAX_PATH))
                                    {
                                        //key update
                                        Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position, NULL, nk_ht2, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
                                        //save
                                        convertStringToSQL(data, MAX_PATH);
                                        addRegistryMRUtoDB(hks_mru.file,"",tmp_key2,argv[2],data,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                                    }
                                }
                            }
                        }
                    }
                }
                break;

                // every value of argv[1]\<sub>\<sub2>\argv[2], for all <sub>, <sub2>
                // NOTE(review): the GetSubNK() calls in this case and the next pass
                // hks_mru.position where the cases above pass
                // (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE — confirm which is intended.
                // "return 0" on a missing key has the same effect as the "break"
                // used elsewhere: the callback returns 0 either way.
                case TYPE_ENUM_STRING_RRVALUE://all string under thow key + key
                {
                    HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
                    if (nk_h == NULL)return 0;
                    char parent_key_update[DATE_SIZE_MAX]="";
                    char RID[MAX_PATH]="", sid[MAX_PATH]="";
                    char value[MAX_PATH];
                    char tmp_key[MAX_PATH], tmp_key2[MAX_PATH], key_path[MAX_PATH];
                    HBIN_CELL_NK_HEADER *nk_h_tmp, *nk_h_tmp2;
                    DWORD i,j,k, nbSubValue,nbSubKey2,nbSubKey = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, 0, NULL, 0);
                    for (i=0;i<nbSubKey && start_scan;i++)
                    {
                        if(GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i, tmp_key, MAX_PATH))
                        {
                            //get nk of key :)
                            nk_h_tmp = GetSubNKtonk(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i);
                            if (nk_h_tmp == NULL)continue;
                            nbSubKey2 = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h_tmp, hks_mru.position, 0, NULL, 0);
                            for (j=0;j<nbSubKey2 && start_scan;j++)
                            {
                                if(GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h_tmp, hks_mru.position, j, tmp_key2, MAX_PATH))
                                {
                                    //get nk of key :)
                                    snprintf(key_path,MAX_PATH,"%s\\%s\\%s\\%s",argv[1],tmp_key,tmp_key2,argv[2]);
                                    nk_h_tmp2 = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,key_path);
                                    if (nk_h_tmp2 == NULL)continue;
                                    //key update
                                    Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position, NULL, nk_h_tmp2, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
                                    //get values
                                    nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h_tmp2, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
                                    for (k=0;k<nbSubValue;k++)   // innermost loop does not check start_scan
                                    {
                                        if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h_tmp2, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, k,value,MAX_PATH,tmp,MAX_LINE_SIZE))
                                        {
                                            //save
                                            convertStringToSQL(value, MAX_PATH);
                                            convertStringToSQL(tmp, MAX_LINE_SIZE);
                                            addRegistryMRUtoDB(hks_mru.file,"",key_path,value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
                break;

                // every value of argv[1]\<sub>\argv[2], for all <sub>; nk_h_tmp is
                // only used as an existence check here
                case TYPE_ENUM_STRING_R_VALUE://all string under one key + key
                {
                    HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
                    if (nk_h == NULL)return 0;
                    char parent_key_update[DATE_SIZE_MAX]="";
                    char RID[MAX_PATH]="", sid[MAX_PATH]="";
                    char value[MAX_PATH];
                    char tmp_key[MAX_PATH], key_path[MAX_PATH];
                    HBIN_CELL_NK_HEADER *nk_h_tmp, *nk_h_tmp2;
                    DWORD i,k, nbSubValue,nbSubKey = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, 0, NULL, 0);
                    for (i=0;i<nbSubKey && start_scan;i++)
                    {
                        if(GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i, tmp_key, MAX_PATH))
                        {
                            //get nk of key :)
                            nk_h_tmp = GetSubNKtonk(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i);
                            if (nk_h_tmp == NULL)continue;
                            snprintf(key_path,MAX_PATH,"%s\\%s\\%s",argv[1],tmp_key,argv[2]);
                            nk_h_tmp2 = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,key_path);
                            if (nk_h_tmp2 == NULL)continue;
                            //key update
                            Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position, NULL, nk_h_tmp2, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
                            //get values
                            nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h_tmp2, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
                            for (k=0;k<nbSubValue;k++)   // innermost loop does not check start_scan
                            {
                                if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h_tmp2, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, k,value,MAX_PATH,tmp,MAX_LINE_SIZE))
                                {
                                    //save
                                    convertStringToSQL(value, MAX_PATH);
                                    convertStringToSQL(tmp, MAX_LINE_SIZE);
                                    addRegistryMRUtoDB(hks_mru.file,"",key_path,value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                                }
                            }
                        }
                    }
                }
                break;
            }
        }break;
    }
    return 0;
}