//------------------------------------------------------------------------------ void Scan_registry_setting_file(sqlite3 *db, char *file) { //Open file and init datas ! if(OpenRegFiletoMem(&local_hks, file)) { FORMAT_CALBAK_READ_INFO fcri; fcri.type = SQLITE_REGISTRY_TYPE_SETTINGS; sqlite3_exec(db, "SELECT hkey,search_key,value,value_type,type_id,description_id FROM extract_registry_settings_request;", callback_sqlite_registry_file, &fcri, NULL); //syskey char sk[MAX_PATH]=""; if(registry_syskey_file(&local_hks, sk, MAX_PATH)) { addRegistrySettingstoDB(local_hks.file, "", "ControlSet001\\Control\\Lsa\\JD,Skew1,GBG,Data","", sk, "100", SYSKEY_STRING_DEF, "", current_session_id, db_scan); } CloseRegFiletoMem(&local_hks); } }
//------------------------------------------------------------------------------ //------------------------------------------------------------------------------ DWORD WINAPI Scan_registry_user(LPVOID lParam) { //init sqlite3 *db = (sqlite3 *)db_scan; unsigned int session_id = current_session_id; char file[MAX_PATH], file_SAM[MAX_PATH]=""; HK_F_OPEN hks; char sk[MAX_PATH]=""; char computer[DEFAULT_TMP_SIZE]=""; BOOL ok_computer = FALSE; //files or local if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL); HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]); if (hitem!=NULL || !LOCAL_SCAN) //files { while(hitem!=NULL) { file[0] = 0; GetTextFromTrv(hitem, file, MAX_PATH); if (file[0] != 0) { charToLowChar(file); //check for SAM files if ((Contient(file,"sam")) && file_SAM[0] == 0) { strcpy(file_SAM,file); hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem); continue; } //open file + verify if(OpenRegFiletoMem(&hks, file)) { //get syskey registry_syskey_file(&hks, sk, MAX_PATH); if (!ok_computer) { char tmp[DEFAULT_TMP_SIZE]=""; Readnk_Value(hks.buffer, hks.taille_fic, (hks.pos_fhbin)+HBIN_HEADER_SIZE, hks.position, "ControlSet001\\Control\\ComputerName\\ComputerName", NULL,"ComputerName", tmp, DEFAULT_TMP_SIZE); if (tmp[0]!=0) { strcpy(computer,tmp); ok_computer = TRUE; } } Scan_registry_user_file(&hks, db, session_id,computer); CloseRegFiletoMem(&hks); } } hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem); } //SAM file in last if (file_SAM[0] != 0) { //open file + verify if(OpenRegFiletoMem(&hks, file_SAM)) { Scan_registry_user_file(&hks, db, session_id,computer); CloseRegFiletoMem(&hks); } } }else Scan_registry_user_local(db, session_id); if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL); check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan h_thread_test[(unsigned int)lParam] = 0; return 0; }