//------------------------------------------------------------------------------ //------------------------------------------------------------------------------ DWORD WINAPI Scan_registry_setting(LPVOID lParam) { //init char file[MAX_PATH]; #ifdef CMD_LINE_ONLY_NO_DB printf("\"Registry_Settings\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"type_id\";\"description_id\";\"parent_key_update\";\"session_id\";\r\n"); #endif //files or local if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL); HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]); if (hitem!=NULL || !LOCAL_SCAN) //files { while(hitem!=NULL) { file[0] = 0; GetTextFromTrv(hitem, file, MAX_PATH); if (file[0] != 0) { //verify Scan_registry_setting_file(db_scan,file); } hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem); } }else Scan_registry_setting_local(db_scan); //local if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL); check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK); h_thread_test[(unsigned int)lParam] = 0; return 0; }
//------------------------------------------------------------------------------ DWORD WINAPI Scan_registry_deletedKey(LPVOID lParam) { //init sqlite3 *db = (sqlite3 *)db_scan; unsigned int session_id = current_session_id; char file[MAX_PATH]; #ifdef CMD_LINE_ONLY_NO_DB printf("\"Registry_Deleted_Key\";\"source\";\"key\";\"value\";\"data\";\"type\";\"sid\";\"last_update\";\"session_id\";\r\n"); #endif //files or local if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL); HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]); if (hitem!=NULL || !LOCAL_SCAN) //files { while(hitem!=NULL) { file[0] = 0; GetTextFromTrv(hitem, file, MAX_PATH); if (file[0] != 0) { Scan_registry_deletedKey_file(file, session_id, db); } hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem); } } if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL); check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan h_thread_test[(unsigned int)lParam] = 0; return 0; }
//------------------------------------------------------------------------------ void GetUserGroupFRF(DWORD userRID, char *group, DWORD size_max_group) { char file[MAX_PATH]; HK_F_OPEN hks; group[0] = 0; //get all file on by on on test if ok or not HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]); if (hitem!=NULL || !LOCAL_SCAN) //files { while(hitem!=NULL) { file[0] = 0; GetTextFromTrv(hitem, file, MAX_PATH); //if (file[0] == 0 /*|| !(Contient(file,"SECURITY") || Contient(file,"security"))*/) continue; //open file + verify if(OpenRegFiletoMem(&hks, file)) { //get group GetUserGroupFromRegFile(userRID, group, size_max_group, &hks, "SAM\\Domains\\Builtin\\Aliases"); GetUserGroupFromRegFile(userRID, group, size_max_group, &hks, "SAM\\Domains\\Account\\Aliases"); CloseRegFiletoMem(&hks); } hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem); } } }
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// Thread entry point: enumerate registry keys that hold executable paths
// (shell open commands, environment variables, App Paths, including the
// Wow6432Node copy).
//
// lParam carries the index of this test in H_tests / h_thread_test.
//
// With hive files configured under FILES_TITLE_REGISTRY, each one is opened
// with OpenRegFiletoMem() and walked with EnumPath_file(); the loop also stops
// as soon as start_scan is cleared. With no files and LOCAL_SCAN set, the same
// locations are read from the live registry through EnumPath_local(). The run
// is wrapped in one db_scan transaction unless SQLITE_FULL_SPEED is set.
// Always returns 0.
DWORD WINAPI Scan_registry_path(LPVOID lParam)
{
    const unsigned int test_index = (unsigned int)lParam;
    sqlite3 *db = (sqlite3 *)db_scan;
    const unsigned int session_id = current_session_id;
    char hive_path[MAX_PATH];
    HK_F_OPEN hks;

#ifdef CMD_LINE_ONLY_NO_DB
    // CSV header for the console-only build.
    printf("\"Registry_Path\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"user\";\"rid\";\"sid\";\"parent_key_update\";\"session_id\";\r\n");
#endif

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "BEGIN TRANSACTION;", NULL, NULL, NULL);

    HTREEITEM node = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,
                                            (WPARAM)TVGN_CHILD,
                                            (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
    if (node == NULL && LOCAL_SCAN) {
        // Live registry: shell open commands, per-user environments, App Paths.
        EnumPath_local(HKEY_LOCAL_MACHINE, "HKEY_LOCAL_MACHINE", "SOFTWARE\\Classes", "shell\\open\\command", session_id, db);
        EnumPath_local(HKEY_USERS, "HKEY_USERS", "", "Environment", session_id, db);
        EnumPath_local(HKEY_LOCAL_MACHINE, "HKEY_LOCAL_MACHINE", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths", "", session_id, db);
        EnumPath_local(HKEY_LOCAL_MACHINE, "HKEY_LOCAL_MACHINE", "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths", "", session_id, db);
    } else {
        // Hive files: same locations, relative to the hive root. The last
        // argument of EnumPath_file is only TRUE for the environment block.
        for (; node != NULL && start_scan;
             node = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,
                                           (WPARAM)TVGN_NEXT, (LPARAM)node)) {
            hive_path[0] = 0;
            GetTextFromTrv(node, hive_path, MAX_PATH);
            if (hive_path[0] == 0)
                continue;
            if (!OpenRegFiletoMem(&hks, hive_path))
                continue;

            EnumPath_file(&hks, "Classes", "shell\\open\\command", session_id, db, FALSE);
            EnumPath_file(&hks, "Environment", "", session_id, db, TRUE);
            EnumPath_file(&hks, "Microsoft\\Windows\\CurrentVersion\\App Paths", "", session_id, db, FALSE);
            EnumPath_file(&hks, "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths", "", session_id, db, FALSE);
            CloseRegFiletoMem(&hks);
        }
    }

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "END TRANSACTION;", NULL, NULL, NULL);

    check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
    h_thread_test[test_index] = 0;
    return 0;
}
//------------------------------------------------------------------------------ //------------------------------------------------------------------------------ DWORD WINAPI Scan_registry_mru(LPVOID lParam) { //init sqlite3 *db = (sqlite3 *)db_scan; char file[MAX_PATH]; FORMAT_CALBAK_READ_INFO fcri; fcri.type = SQLITE_REGISTRY_TYPE_MRU; #ifdef CMD_LINE_ONLY_NO_DB printf("\"Registry_MRU\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"description_id\";\"user\";\"rid\";\"sid\";\"parent_key_update\";\"session_id\";\r\n"); #endif //files or local if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL); HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]); if (hitem!=NULL || !LOCAL_SCAN) //files { while(hitem!=NULL && start_scan) { file[0] = 0; GetTextFromTrv(hitem, file, MAX_PATH); if (file[0] != 0) { //open file + verify if(OpenRegFiletoMem(&hks_mru, file)) { sqlite3_exec(db, "SELECT hkey,search_key,value,value_type,type_id,description_id FROM extract_registry_mru_request;", callback_sqlite_registry_mru_file, &fcri, NULL); CloseRegFiletoMem(&hks_mru); } } hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem); } }else { sqlite3_exec(db, "SELECT hkey,key,value,value_type,type_id,description_id FROM extract_registry_mru_request;", callback_sqlite_registry_mru_local, &fcri, NULL); } if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL); check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan h_thread_test[(unsigned int)lParam] = 0; return 0; }
//------------------------------------------------------------------------------ //------------------------------------------------------------------------------ DWORD WINAPI Scan_registry_service(LPVOID lParam) { //init sqlite3 *db = (sqlite3 *)db_scan; unsigned int session_id = current_session_id; char file[MAX_PATH]; HK_F_OPEN hks; #ifdef CMD_LINE_ONLY_NO_DB printf("\"Registry_Service\";\"file\";\"hk\";\"key\";\"name\";\"state_id\";\"path\";\"type_id\";\"last_update\";\"session_id\";\"description\";\r\n"); #endif //files or local if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL); HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]); if (hitem!=NULL || !LOCAL_SCAN) //files { while(hitem!=NULL) { file[0] = 0; GetTextFromTrv(hitem, file, MAX_PATH); if (file[0] != 0) { //open file + verify if(OpenRegFiletoMem(&hks, file)) { Scan_registry_service_file(&hks,"ControlSet001\\Services", session_id, db); Scan_registry_service_file(&hks,"ControlSet002\\Services", session_id, db); Scan_registry_service_file(&hks,"ControlSet003\\Services", session_id, db); Scan_registry_service_file(&hks,"ControlSet004\\Services", session_id, db); CloseRegFiletoMem(&hks); } } hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem); } }else Scan_registry_service_local("SYSTEM\\CurrentControlSet\\Services\\",db, session_id); if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL); check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan h_thread_test[(unsigned int)lParam] = 0; return 0; }
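//------------------------------------------------------------------------------
// Build the human-readable share type used for the "type" column.
//
// share_type is the raw shi502_type value; out/out_size is the destination.
// The 0x40000000 case is the temporary-share flag; the combined
// STYPE_SPECIAL | STYPE_IPC value (0x80000003) was spelled -2147483645 in the
// original switch and is labelled "RPC" there — both labels are kept so the
// stored data stays comparable with older scans. Unknown values keep the
// original "UNKNOW (%lu)" text for the same reason.
static void share_type_name(DWORD share_type, char *out, size_t out_size)
{
    const char *name = NULL;

    switch (share_type) {
    case STYPE_DISKTREE:            name = "DISKTREE";  break;
    case STYPE_PRINTQ:              name = "PRINT";     break;
    case STYPE_DEVICE:              name = "DEVICE";    break;
    case STYPE_IPC:                 name = "IPC";       break;
    case STYPE_SPECIAL:             name = "SPECIAL";   break;
    case 0x40000000:                name = "TEMPORARY"; break;
    case STYPE_SPECIAL | STYPE_IPC: name = "RPC";       break;
    default:                        break;
    }

    if (name != NULL)
        snprintf(out, out_size, "%s", name);
    else
        snprintf(out, out_size, "UNKNOW (%lu)", share_type);
}

// Read the LanmanServer share definitions out of every configured hive file
// (FILES_TITLE_REGISTRY node) and record them with EnumShare().
//
// Offline hives have no CurrentControlSet link, so ControlSet001..004 are
// tried explicitly, as the other hive scans in this file do.
static void scan_share_from_hives(unsigned int session_id, sqlite3 *db)
{
    char hive_path[MAX_PATH];
    HK_F_OPEN hks;

    HTREEITEM node = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,
                                            (WPARAM)TVGN_CHILD,
                                            (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
    for (; node != NULL;
         node = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,
                                       (WPARAM)TVGN_NEXT, (LPARAM)node)) {
        hive_path[0] = 0;
        GetTextFromTrv(node, hive_path, MAX_PATH);
        if (hive_path[0] == 0)
            continue;
        if (!OpenRegFiletoMem(&hks, hive_path))
            continue;

        // "ControlSet001\Services\LanmanServer\Shares" .. "ControlSet004\...".
        for (unsigned int set = 1; set <= 4; set++) {
            char shares_key[128];
            snprintf(shares_key, sizeof shares_key,
                     "ControlSet%03u\\Services\\LanmanServer\\Shares", set);
            EnumShare(&hks, session_id, db, shares_key);
        }
        CloseRegFiletoMem(&hks);
    }
}

// Enumerate the shares of the local machine through NetShareEnum (level 502)
// and add each one to the database with addSharetoDB().
//
// NETAPI32.dll is bound at run time so the binary still starts where the
// library or its exports are missing; in that case nothing is recorded and
// control simply returns to the caller, whose transaction/thread-slot cleanup
// then runs (the original returned from the thread early here, leaving the
// transaction open and h_thread_test set).
//
// Fixes relative to the original:
//   - the buffer handed back by NetShareEnum is released with
//     NetApiBufferFree after each batch (it was resolved but never called);
//   - a resume handle is passed so an ERROR_MORE_DATA continuation fetches
//     the next batch instead of the first one again.
static void scan_share_live(unsigned int session_id, sqlite3 *db)
{
    typedef NET_API_STATUS (WINAPI *NETAPIBUFFERFREE)(LPVOID Buffer);
    typedef NET_API_STATUS (WINAPI *NETSHAREENUM)(LPWSTR servername, DWORD level,
                                                  LPBYTE *bufptr, DWORD prefmaxlen,
                                                  LPDWORD entriesread, LPDWORD totalentries,
                                                  LPDWORD resume_handle);

    HMODULE hDLL = LoadLibrary("NETAPI32.dll");
    if (hDLL == NULL)
        return;

    NETAPIBUFFERFREE NetApiBufferFree = (NETAPIBUFFERFREE)GetProcAddress(hDLL, "NetApiBufferFree");
    NETSHAREENUM NetShareEnum = (NETSHAREENUM)GetProcAddress(hDLL, "NetShareEnum");
    if (NetApiBufferFree == NULL || NetShareEnum == NULL) {
        FreeLibrary(hDLL);
        return;
    }

    char share[DEFAULT_TMP_SIZE], path[MAX_PATH], description[MAX_PATH];
    char type[DEFAULT_TMP_SIZE], connexion[DEFAULT_TMP_SIZE];
    DWORD resume = 0;
    NET_API_STATUS res;

    do {
        PSHARE_INFO_502 buffer = NULL;
        DWORD entries = 0, total = 0;

        res = NetShareEnum(0, 502, (LPBYTE *)&buffer, MAX_PREFERRED_LENGTH,
                           &entries, &total, &resume);
        if (res != ERROR_SUCCESS && res != ERROR_MORE_DATA)
            break;

        PSHARE_INFO_502 p = buffer;
        for (DWORD i = 0; i < entries; i++, p++) {
            // SHARE_INFO_502 strings are wide; %S narrows them.
            snprintf(share, DEFAULT_TMP_SIZE, "%S", p->shi502_netname);
            snprintf(path, MAX_PATH, "%S", p->shi502_path);
            snprintf(description, MAX_PATH, "%S", p->shi502_remark);

            share_type_name(p->shi502_type, type, DEFAULT_TMP_SIZE);

            // max_uses of (DWORD)-1 means "unlimited", shown as "current/-".
            if (p->shi502_max_uses == (DWORD)-1)
                snprintf(connexion, DEFAULT_TMP_SIZE, "%lu/-", p->shi502_current_uses);
            else
                snprintf(connexion, DEFAULT_TMP_SIZE, "%lu/%lu",
                         p->shi502_current_uses, p->shi502_max_uses);

            convertStringToSQL(path, MAX_PATH);
            convertStringToSQL(description, MAX_PATH);
            // NOTE(review): share is not passed through convertStringToSQL like
            // path/description — confirm addSharetoDB() escapes it itself.
            addSharetoDB("", share, path, description, type, connexion, session_id, db);
        }

        // Allocated by NetShareEnum; the caller owns it.
        if (buffer != NULL)
            NetApiBufferFree(buffer);
    } while (res == ERROR_MORE_DATA);

    FreeLibrary(hDLL);
}

// Thread entry point: enumerate network shares.
//
// lParam carries the index of this test in H_tests / h_thread_test.
//
// With LOCAL_SCAN cleared the shares are read from the configured hive files,
// otherwise from the running machine through NetShareEnum. Whatever branch is
// taken (including a failed NETAPI32 load), the run ends through the same
// path: the db_scan transaction is closed unless SQLITE_FULL_SPEED is set,
// the test's tree item is unchecked and its thread slot cleared. Always
// returns 0.
DWORD WINAPI Scan_share(LPVOID lParam)
{
    const unsigned int test_index = (unsigned int)lParam;
    sqlite3 *db = (sqlite3 *)db_scan;
    const unsigned int session_id = current_session_id;

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "BEGIN TRANSACTION;", NULL, NULL, NULL);

#ifdef CMD_LINE_ONLY_NO_DB
    // CSV header for the console-only build.
    printf("\"Share\";\"file\";\"share\";\"path\";\"description\";\"type\";\"connexion\";\"session_id\";\r\n");
#endif

    if (!LOCAL_SCAN)
        scan_share_from_hives(session_id, db);
    else
        scan_share_live(session_id, db);

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "END TRANSACTION;", NULL, NULL, NULL);

    check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
    h_thread_test[test_index] = 0;
    return 0;
}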
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// Thread entry point: enumerate user accounts.
//
// lParam carries the index of this test in H_tests / h_thread_test.
//
// Hive files (FILES_TITLE_REGISTRY node) are processed in two passes. First
// every non-SAM hive is opened: the syskey is read with registry_syskey_file()
// and, until one is found, the ComputerName value of ControlSet001 is read
// with Readnk_Value(); each hive then goes through Scan_registry_user_file()
// with the computer name known so far. The first hive whose lower-cased path
// contains "sam" is held back and scanned last, once the computer name has
// been established from the other hives. With no files and LOCAL_SCAN set,
// Scan_registry_user_local() runs instead. The run is wrapped in one db_scan
// transaction unless SQLITE_FULL_SPEED is set. Always returns 0.
DWORD WINAPI Scan_registry_user(LPVOID lParam)
{
    const unsigned int test_index = (unsigned int)lParam;
    sqlite3 *db = (sqlite3 *)db_scan;
    const unsigned int session_id = current_session_id;
    char hive_path[MAX_PATH];
    char sam_path[MAX_PATH] = "";
    // Filled by registry_syskey_file(); not read again in this function
    // (the helper presumably stores it elsewhere as well — confirm).
    char syskey[MAX_PATH] = "";
    char computer[DEFAULT_TMP_SIZE] = "";
    BOOL have_computer = FALSE;
    HK_F_OPEN hks;

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "BEGIN TRANSACTION;", NULL, NULL, NULL);

    HTREEITEM node = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,
                                            (WPARAM)TVGN_CHILD,
                                            (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
    if (node == NULL && LOCAL_SCAN) {
        Scan_registry_user_local(db, session_id);
    } else {
        for (; node != NULL;
             node = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,
                                           (WPARAM)TVGN_NEXT, (LPARAM)node)) {
            hive_path[0] = 0;
            GetTextFromTrv(node, hive_path, MAX_PATH);
            if (hive_path[0] == 0)
                continue;

            charToLowChar(hive_path);

            // NOTE(review): this is a substring match on "sam" anywhere in the
            // path, so a hive under e.g. "...\samples\..." is deferred too.
            // Only the first match is deferred; later ones are scanned inline.
            if (Contient(hive_path, "sam") && sam_path[0] == 0) {
                strcpy(sam_path, hive_path);  // both buffers are MAX_PATH
                continue;
            }

            if (!OpenRegFiletoMem(&hks, hive_path))
                continue;

            registry_syskey_file(&hks, syskey, MAX_PATH);

            if (!have_computer) {
                char name[DEFAULT_TMP_SIZE] = "";
                Readnk_Value(hks.buffer, hks.taille_fic,
                             (hks.pos_fhbin) + HBIN_HEADER_SIZE, hks.position,
                             "ControlSet001\\Control\\ComputerName\\ComputerName",
                             NULL, "ComputerName", name, DEFAULT_TMP_SIZE);
                if (name[0] != 0) {
                    strcpy(computer, name);  // both buffers are DEFAULT_TMP_SIZE
                    have_computer = TRUE;
                }
            }

            Scan_registry_user_file(&hks, db, session_id, computer);
            CloseRegFiletoMem(&hks);
        }

        // Deferred SAM hive, scanned with the computer name now known.
        if (sam_path[0] != 0 && OpenRegFiletoMem(&hks, sam_path)) {
            Scan_registry_user_file(&hks, db, session_id, computer);
            CloseRegFiletoMem(&hks);
        }
    }

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db_scan, "END TRANSACTION;", NULL, NULL, NULL);

    check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
    h_thread_test[test_index] = 0;
    return 0;
}
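//------------------------------------------------------------------------------
//format : http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format
// Scan the prefetch files listed under the FILES_TITLE_APPLI tree node.
//
// node is the first child of that node (may be NULL). Each entry is
// lower-cased in place and handed to PfCheck() only when its extension is
// "pf"; ext is scratch space for extractExtFromFile().
static void scan_prefetch_tree_files(HTREEITEM node, unsigned int session_id, sqlite3 *db)
{
    char file_path[MAX_PATH], ext[MAX_PATH];

    for (; node != NULL;
         node = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,
                                       (WPARAM)TVGN_NEXT, (LPARAM)node)) {
        file_path[0] = 0;
        ext[0] = 0;
        GetTextFromTrv(node, file_path, MAX_PATH);
        if (strcmp("pf", extractExtFromFile(charToLowChar(file_path), ext, MAX_PATH)) == 0)
            PfCheck(session_id, db, file_path);
    }
}

// Scan every *.pf file of the local %WINDIR%\Prefetch directory.
//
// The directory part of the pattern (everything before the trailing "*.pf")
// is prefixed to each file name with a bounded snprintf; an entry whose full
// path would not fit in MAX_PATH is skipped rather than scanned under a
// truncated name. The original built the path with strncat(..., MAX_PATH),
// which bounds the appended piece, not the destination, and never released
// the FindFirstFile handle. The loop stops when start_scan is cleared.
static void scan_prefetch_directory(unsigned int session_id, sqlite3 *db)
{
    char pattern[MAX_PATH] = "%WINDIR%\\Prefetch\\*.pf";
    ReplaceEnv("WINDIR", pattern, MAX_PATH);

    // Length of the directory prefix: the pattern minus its "*.pf" tail.
    size_t pattern_len = strlen(pattern);
    size_t dir_len = pattern_len >= 4 ? pattern_len - 4 : pattern_len;

    WIN32_FIND_DATA data;
    HANDLE hfind = FindFirstFile(pattern, &data);
    if (hfind == INVALID_HANDLE_VALUE)
        return;

    do {
        // Skip "." / ".." style names and sub-directories.
        if (data.cFileName[0] == '.' && (data.cFileName[1] == 0 || data.cFileName[1] == '.'))
            continue;
        if (data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
            continue;

        char full_path[MAX_PATH];
        int written = snprintf(full_path, sizeof full_path, "%.*s%s",
                               (int)dir_len, pattern, data.cFileName);
        if (written < 0 || (size_t)written >= sizeof full_path)
            continue;  // would be truncated: do not scan a wrong path

        PfCheck(session_id, db, full_path);
    } while (FindNextFile(hfind, &data) && start_scan);

    FindClose(hfind);
}

// Thread entry point: collect prefetch (*.pf) execution evidence.
//
// lParam carries the index of this test in H_tests / h_thread_test.
//
// When application files are configured under FILES_TITLE_APPLI, or when
// LOCAL_SCAN is off, or under WINE_OS (which presumably has no usable Prefetch
// directory — confirm), the tree entries are scanned; otherwise the local
// %WINDIR%\Prefetch directory is. Both branches share one db_scan transaction
// (unless SQLITE_FULL_SPEED is set) and the same exit sequence — the original
// had a separate early return for the tree branch that cleared the thread
// slot before unchecking the tree item; the order used by every other thread
// in this file is kept here. Always returns 0.
DWORD WINAPI Scan_prefetch(LPVOID lParam)
{
    const unsigned int test_index = (unsigned int)lParam;
    sqlite3 *db = (sqlite3 *)db_scan;
    const unsigned int session_id = current_session_id;

#ifdef CMD_LINE_ONLY_NO_DB
    // CSV header for the console-only build.
    printf("\"Prefetch\";\"file\";\"path\";\"create_time\";\"last_update\";\"last_access\";\"count\";\"exec\";\"session_id\";\"depend\";\r\n");
#endif

    HTREEITEM node = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,
                                            (WPARAM)TVGN_CHILD,
                                            (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db, "BEGIN TRANSACTION;", NULL, NULL, NULL);

    if (node != NULL || !LOCAL_SCAN || WINE_OS)
        scan_prefetch_tree_files(node, session_id, db);
    else
        scan_prefetch_directory(session_id, db);

    if (!SQLITE_FULL_SPEED)
        sqlite3_exec(db, "END TRANSACTION;", NULL, NULL, NULL);

    check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
    h_thread_test[test_index] = 0;
    return 0;
}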
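//------------------------------------------------------------------------------
// Run every sql_CHROME query against one Chrome SQLite file and feed the rows
// to callback_sqlite_chrome.
//
// db_path is the file to open (callers pass the file-scope tmp_file_chrome
// buffer, which the callback may read for the "file" column — it is left
// populated for that reason). info is the callback context; only its .type
// field is driven here, as the index into sql_CHROME. Each query runs in its
// own db_scan transaction unless SQLITE_FULL_SPEED is set, and the loop stops
// as soon as start_scan is cleared. A file that does not open as SQLite is
// skipped; the handle sqlite3_open returns on failure is closed (the original
// leaked it).
//
// NOTE(review): sqlite3_open() opens read/write and creates a missing file;
// for evidence files a read-only open would avoid touching the source.
// Left unchanged here because it may alter behaviour on journaled databases.
static void scan_chrome_sqlite_file(const char *db_path, FORMAT_CALBAK_READ_INFO *info)
{
    sqlite3 *db_tmp = NULL;

    if (sqlite3_open(db_path, &db_tmp) != SQLITE_OK) {
        sqlite3_close(db_tmp);  // no-op on NULL
        return;
    }

    for (info->type = 0; info->type < nb_sql_CHROME && start_scan; info->type = info->type + 1) {
        if (!SQLITE_FULL_SPEED)
            sqlite3_exec(db_scan, "BEGIN TRANSACTION;", NULL, NULL, NULL);
        sqlite3_exec(db_tmp, sql_CHROME[info->type].sql, callback_sqlite_chrome, info, NULL);
        if (!SQLITE_FULL_SPEED)
            sqlite3_exec(db_scan, "END TRANSACTION;", NULL, NULL, NULL);
    }

    sqlite3_close(db_tmp);
}

// Locate Chrome profile databases on the running machine and scan them.
//
// Every sub-key of HKLM ProfileList is read for ProfileImagePath (expanded
// with ReplaceEnv for %SYSTEMDRIVE%), and every regular file in the profile's
// "Local Settings\Application Data\Google\Chrome\User Data\Default" directory
// is handed to scan_chrome_sqlite_file(). The FindFirstFile handle is now
// released per profile (the original never called FindClose).
static void scan_chrome_local_profiles(FORMAT_CALBAK_READ_INFO *info)
{
    HKEY profile_list = 0;

    if (RegOpenKey(HKEY_LOCAL_MACHINE,
                   "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\",
                   &profile_list) != ERROR_SUCCESS)
        return;

    DWORD nb_subkeys = 0;
    if (RegQueryInfoKey(profile_list, 0, 0, 0, &nb_subkeys, 0, 0, 0, 0, 0, 0, 0) == ERROR_SUCCESS) {
#ifdef CMD_LINE_ONLY_NO_DB
        // CSV header for the console-only build.
        printf("\"file\";\"parameter\";\"date\";\"id_language_description\";\"session_id\";\"data\";\r\n");
#endif
        char subkey[MAX_PATH], key_path[MAX_PATH];

        for (DWORD i = 0; i < nb_subkeys; i++) {
            DWORD key_size = MAX_PATH;
            subkey[0] = 0;
            if (RegEnumKeyEx(profile_list, i, subkey, &key_size, 0, 0, 0, 0) != ERROR_SUCCESS)
                continue;

            snprintf(key_path, MAX_PATH,
                     "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\%s\\", subkey);

            // The profile directory is read back into subkey; the SID text
            // is not needed any more.
            if (!ReadValue(HKEY_LOCAL_MACHINE, key_path, "ProfileImagePath", subkey, MAX_PATH))
                continue;
            ReplaceEnv("SYSTEMDRIVE", subkey, MAX_PATH);

            snprintf(key_path, MAX_PATH,
                     "%s\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\*.*", subkey);

            WIN32_FIND_DATA wfd;
            HANDLE hfind = FindFirstFile(key_path, &wfd);
            if (hfind == INVALID_HANDLE_VALUE)
                continue;

            do {
                // Skip sub-directories and "." / ".." style names.
                if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
                    continue;
                if (wfd.cFileName[0] == '.' && (wfd.cFileName[1] == 0 || wfd.cFileName[1] == '.'))
                    continue;

                snprintf(tmp_file_chrome, MAX_PATH,
                         "%s\\Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default\\%s",
                         subkey, wfd.cFileName);
                scan_chrome_sqlite_file(tmp_file_chrome, info);
            } while (FindNextFile(hfind, &wfd));

            FindClose(hfind);
        }
    }

    RegCloseKey(profile_list);
}

// Thread entry point: extract Chrome history from its SQLite files.
//
// lParam carries the index of this test in H_tests / h_thread_test.
//
// In console-only mode, or when LOCAL_SCAN is set and no application files
// are configured under FILES_TITLE_APPLI, the profiles of the running machine
// are scanned; otherwise each configured file is opened as a Chrome database.
// The callback context is zero-initialised (the original left every field but
// .type indeterminate). The tree item is only unchecked outside console-only
// mode; the thread slot is always cleared. Always returns 0.
DWORD WINAPI Scan_chrome_history(LPVOID lParam)
{
    const unsigned int test_index = (unsigned int)lParam;
    FORMAT_CALBAK_READ_INFO data = {0};

    HTREEITEM node = NULL;
    if (!CONSOL_ONLY)
        node = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,
                                      (WPARAM)TVGN_CHILD,
                                      (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);

    if ((node == NULL && LOCAL_SCAN) || CONSOL_ONLY) {
        scan_chrome_local_profiles(&data);
    } else {
#ifdef CMD_LINE_ONLY_NO_DB
        // CSV header for the console-only build.
        printf("\"Chrome\";\"file\";\"parameter\";\"date\";\"id_language_description\";\"session_id\";\"data\";\r\n");
#endif
        for (; node != NULL;
             node = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,
                                           (WPARAM)TVGN_NEXT, (LPARAM)node)) {
            GetTextFromTrv(node, tmp_file_chrome, MAX_PATH);
            scan_chrome_sqlite_file(tmp_file_chrome, &data);
        }
    }

    if (!CONSOL_ONLY)
        check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
    h_thread_test[test_index] = 0;
    return 0;
}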