Exemple #1
/*
** Run every trigger held in the list, in index order.
** Stops at the first trigger whose Scan() reports failure and returns FALSE;
** returns TRUE once all m_dwCount triggers have scanned successfully.
*/
BOOL CTriggerScanList::Scan ()
{
	CLogFile log;

	DWORD dwTrigger = 0;
	while (dwTrigger < m_dwCount)
	{
		log.Format("Scanning trigger %d\n" ,dwTrigger);

		// a single failing trigger abandons the remainder of the list
		if (!m_pData[dwTrigger]->Scan())
		{
			log.Write("Scan returned an error\n");
			return FALSE;
		}

		log.Write("Scan completed OK\n");
		dwTrigger++;
	}

	return TRUE;
}
Exemple #2
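/*
** Special comparison handling for applications
**
** Compares the application names of the latest scan (m_pDataNew) with those of the
** previous scan (m_pDataOld) and records an "Application Added" or "Application Removed"
** item for every name that is present in only one of the two.
**
** file    - update file that receives the category of changes, only when at least one was found
** returns - TRUE if any application was added or removed; FALSE if nothing changed or if
**           either set of results is unavailable
*/
BOOL CTriggerScannerApp::Test(CUpdateFile & file)
{
	CLogFile log;
	log.Write("CTriggerScannerApp::Test\n");

	BOOL bResult = FALSE;
	DWORD dw;

	// at this time we only scan for changes
	// NOTE(review): the MFC ASSERT macro is compiled out of release builds, so there the
	// op code is not enforced at run time - confirm that is acceptable
	ASSERT(m_nOpCode == opChanged);

	// can only monitor changes if we have previous results
	if (!m_pDataOld || (0 == m_pDataOld->GetCount()))
	{
		log.Write("CTriggerScannerApp::Test <No previous results found>\n");
		return FALSE;
	}

	// the latest results are dereferenced by both loops below, so refuse to compare without
	// them rather than fault on a null pointer
	if (!m_pDataNew)
	{
		log.Write("CTriggerScannerApp::Test <No current results found>\n");
		return FALSE;
	}

	// create an update category - in case we need it
	CUpdateCat cat;
	cat.SetType (m_strEventName, CUpdateCat::regApp, "");

	log.Write("CTriggerScannerApp::Test <checking for applications being added>\n");

	// NOTE(review): the names below are written to the log and into the update items exactly
	// as they were scanned. If they originate from registry values a non-admin user can write,
	// the log writer and whatever consumes the update file should treat them as untrusted
	// text (control characters, line breaks) - confirm where that is handled.
	// NOTE(review): CLogFile::Format's signature is not visible here; if it is printf-style
	// variadic, MFC requires CString arguments to be cast to LPCTSTR explicitly.

	// run through all app names collected at latest scan...
	for (dw = 0 ; dw < m_pDataNew->GetCount() ; dw++)
	{
		CString strAppName = (*m_pDataNew)[dw].GetKey();
		log.Format("CTriggerScannerApp::Test <Checking for %s>\n",strAppName);

		// was it there in the last scan? ((DWORD)-1 is FindKey's "not found" result)
		if ((DWORD)-1 == m_pDataOld->FindKey(strAppName))
		{
			log.Format("CTriggerScannerApp::Test <%s has been added>\n",strAppName);
			cat.Add (CUpdateItem("Application Added", strAppName));
			bResult = TRUE;
		}
	}

	// now repeat the process the other way round to find deleted apps
	log.Write("CTriggerScannerApp::Test <checking for applications being removed>\n");
	for (dw = 0 ; dw < m_pDataOld->GetCount() ; dw++)
	{
		CString strAppName = ((*m_pDataOld)[dw]).GetKey();
		log.Format("CTriggerScannerApp::Test <Checking for %s>\n",strAppName);

		// is it still there in the latest scan?
		if ((DWORD)-1 == m_pDataNew->FindKey(strAppName))
		{
			log.Format("CTriggerScannerApp::Test <%s has been removed>\n",strAppName);
			cat.Add (CUpdateItem("Application Removed", strAppName));
			bResult = TRUE;
		}
	}
	
	// were any changes found ?
	if (bResult)
	{
		// the category is only handed to the update file when it holds at least one item
		log.Write("CTriggerScannerApp::Test <Changes were detected>\n");
		file.Add(cat);
	}

	return bResult;
}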
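//
//    Detect
//    ======
//
//    This is the main detection function.  
//    The purpose of this function is 
//
//		1> Call the Detect function of the CApplicationSerials object to recover possible product IDs
//		2> Scan various Windows registry keys looking for installed applications
//		3> Match the entries recovered in (2) with any serial numbers recovered by (1) and store them
//
//    pAuditScannerConfiguration - scanner configuration; the pointer is stored in
//                                 _pAuditScannerConfiguration and passed to the serials detection
//    Returns 0 in every case.  A key that cannot be opened is logged and skipped.
//    A CException raised by any of the scan functions is passed on to the caller.
//
int CApplicationInstanceList::Detect(CAuditScannerConfiguration* pAuditScannerConfiguration)
{
	// Closes an open registry key when it leaves scope, so that the handle is also released
	// when one of the scan functions throws
	struct CScopedRegKey
	{
		HKEY _hKey;
		explicit CScopedRegKey(HKEY hKey) : _hKey(hKey) {}
		~CScopedRegKey() { RegCloseKey (_hKey); }
	};

	try
	{
		CLogFile log;

		log.Write("CApplicationInstanceList::Detect in");

		// Ensure that the list is empty
		_listApplicationInstances.Empty();

		// Save the pointer to the scanner configuration file object as we may need this later
		// NOTE(review): the object is not copied, so it has to outlive this list - confirm with callers
		_pAuditScannerConfiguration = pAuditScannerConfiguration;

		// Call the application serials detection function as this will perform a preliminary scan of the
		// windows registry looking for potential serial number / product id fields
		_applicationSerials.Detect(pAuditScannerConfiguration);
		// NOTE(review): Dump() presumably writes the recovered serial numbers out; keep it disabled
		// outside diagnostics so that product keys do not end up in log files - confirm
		//_applicationSerials.Dump();																// 8.3.4 - CMD - Commented out as a diagnostic only

		// Open the Software uninstall key under HKLM and scan it
		HKEY hKey; 
		LONG result;
		result = RegOpenKeyEx (HKEY_LOCAL_MACHINE, UNINSTALLKEY, 0, KEY_READ, &hKey);
		if (ERROR_SUCCESS == result) 
		{
			CScopedRegKey closeOnExit (hKey);
			ScanUninstallKey (hKey);
		}
		else
		{
			log.Format("Failed to open HKLM %s [1], Reason : %d", UNINSTALLKEY, result);
		}

		// Same key again through the 64-bit registry view, so that a 32-bit scanner on 64-bit
		// Windows also sees natively installed applications.
		// NOTE(review): the flag is ignored on 32-bit Windows and changes nothing for a 64-bit
		// process, so in those cases the same key is scanned twice; whether ScanUninstallKey
		// de-duplicates is not visible here
		result = RegOpenKeyEx (HKEY_LOCAL_MACHINE, UNINSTALLKEY, 0, KEY_READ | KEY_WOW64_64KEY, &hKey);
		if (ERROR_SUCCESS == result)
		{
			CScopedRegKey closeOnExit (hKey);
			ScanUninstallKey (hKey);
		}
		else
		{
			log.Format("Failed to open HKLM %s [2], Reason : %d", UNINSTALLKEY, result);
		}

		// repeat with the USER hive...
		// HKCU is writable by the logged-on user without elevation, so names and GUIDs recovered
		// from it are user-controlled and should not be trusted by whatever consumes the inventory
		result = RegOpenKeyEx (HKEY_CURRENT_USER, UNINSTALLKEY, 0, KEY_READ, &hKey);
		if (ERROR_SUCCESS == result) 
		{
			CScopedRegKey closeOnExit (hKey);
			ScanUninstallKey (hKey);
		}
		else
		{
			log.Format("Failed to open HKCU %s, Reason : %d", UNINSTALLKEY, result);
		}

		// Scan Windows\Installer key
		result = RegOpenKeyEx (HKEY_LOCAL_MACHINE, WINDOWS_INSTALLERKEY, 0, KEY_READ, &hKey);
		if (ERROR_SUCCESS == result) 
		{
			CScopedRegKey closeOnExit (hKey);
			ScanWindowsInstaller (hKey);
		}
		else
		{
			// NOTE(review): the "[2]" tag looks copied from the second uninstall-key open; the
			// text is left unchanged so that existing log searches keep matching
			log.Format("Failed to open HKLM %s [2], Reason : %d", WINDOWS_INSTALLERKEY, result);
		}

		// Odds and ends
		ScanExceptions();

		//log.Write("processing each application");
		// Iterate through the applications detected by the above and attempt to recover any serial number
		for (DWORD dw=0; dw<_listApplicationInstances.GetCount(); dw++)
		{
			CApplicationInstance* pApplicationInstance = &_listApplicationInstances[dw];			
			CApplicationSerial* pThisSerial = NULL;

			// no need to attempt this for Internet Explorer
			if (pApplicationInstance->Name() == "Internet Explorer")
				continue;

			// If the installed application specified a GUID then scan the list of serial numbers looking 
			// for an entry with the same GUID.  If we find one then we can recover the serial number from there
			if (pApplicationInstance->Guid() != "")
			{
				pThisSerial = _applicationSerials.ContainsIdentifier(pApplicationInstance->Guid());
			}

			// If we have still not found a serial number and we have recovered the application name then try
			// scanning the serial numbers list for the named application and recover any serial number found
			if ((pThisSerial == NULL) && (pApplicationInstance->Name() != ""))
				pThisSerial = _applicationSerials.ContainsApplication(pApplicationInstance->Name());

			// If we have now identified a serial number then copy the details into our application instance
			if (pThisSerial != NULL)
			{
				pThisSerial->Matched(TRUE);
				pApplicationInstance->Serial(*pThisSerial);
			}
		}
	}
	catch (CException *)
	{
		// nothing is handled here; re-raise the exception that is in flight for the caller
		throw;
	}

	return 0;
}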