//------------------------------------------------------------------------------
int callback_sqlite_registry_file(void *datas, int argc, char **argv, char **azColName)
{
FORMAT_CALBAK_TYPE *type = datas;
unsigned int session_id = current_session_id;
char tmp[MAX_LINE_SIZE];
switch(type->type)
{
case SQLITE_REGISTRY_TYPE_SETTINGS:
{
switch(atoi(argv[3]))//value_type
{
case TYPE_VALUE_STRING:
case TYPE_VALUE_DWORD:
case TYPE_VALUE_MULTI_STRING:
if (Readnk_Value(local_hks.buffer,local_hks.taille_fic, (local_hks.pos_fhbin)+HBIN_HEADER_SIZE, local_hks.position,
argv[1], NULL, argv[2], tmp, MAX_LINE_SIZE))
{
//key update
char parent_key_update[DATE_SIZE_MAX];
Readnk_Infos(local_hks.buffer,local_hks.taille_fic, (local_hks.pos_fhbin), local_hks.position,
argv[1], NULL, parent_key_update, DATE_SIZE_MAX, NULL, 0,NULL, 0);
//save
convertStringToSQL(tmp, MAX_LINE_SIZE);
addRegistrySettingstoDB(local_hks.file, "", argv[1], argv[2], tmp, argv[4], argv[5], parent_key_update, session_id, db_scan);
}
break;
case TYPE_VALUE_MULTI_WSTRING:
{
char data_read[MAX_LINE_SIZE];
DWORD pos=0, data_size_read = MAX_LINE_SIZE;
if (ReadBinarynk_Value(local_hks.buffer,local_hks.taille_fic, (local_hks.pos_fhbin)+HBIN_HEADER_SIZE, local_hks.position,
argv[1], NULL, argv[2], tmp, &data_size_read))
{
if (data_size_read)
{
//data_read
while ((pos-1)*2<data_size_read)
{
snprintf(data_read+pos,MAX_LINE_SIZE,"%S;",tmp+(pos*2-1));
pos = strlen(data_read);
}
//key update
char parent_key_update[DATE_SIZE_MAX];
Readnk_Infos(local_hks.buffer,local_hks.taille_fic, (local_hks.pos_fhbin), local_hks.position,
argv[1], NULL, parent_key_update, DATE_SIZE_MAX, NULL, 0,NULL, 0);
//save
convertStringToSQL(data_read, MAX_LINE_SIZE);
addRegistrySettingstoDB(local_hks.file, "", argv[1], argv[2], data_read, argv[4], argv[5], parent_key_update, session_id, db_scan);
}
}
}
break;
case TYPE_VALUE_FILETIME:
{
DWORD data_size = sizeof(FILETIME)+1;
FILETIME f_date;
if (ReadBinarynk_Value(local_hks.buffer,local_hks.taille_fic, (local_hks.pos_fhbin)+HBIN_HEADER_SIZE, local_hks.position,
argv[1], NULL, argv[2], (void*)&f_date, &data_size))
{
//key update
char parent_key_update[DATE_SIZE_MAX];
Readnk_Infos(local_hks.buffer,local_hks.taille_fic, (local_hks.pos_fhbin), local_hks.position,
argv[1], NULL, parent_key_update, DATE_SIZE_MAX, NULL, 0,NULL, 0);
//convert date
tmp[0] = 0;
filetimeToString_GMT(f_date, tmp, DATE_SIZE_MAX);
//save
convertStringToSQL(tmp, MAX_LINE_SIZE);
addRegistrySettingstoDB(local_hks.file, "", argv[1], argv[2], tmp, argv[4], argv[5], parent_key_update, session_id, db_scan);
}
}
break;
case TYPE_VALUE_WIN_SERIAL:
{
HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(local_hks.buffer,local_hks.taille_fic, (local_hks.pos_fhbin)+HBIN_HEADER_SIZE, local_hks.position,argv[1]);
if (nk_h!=NULL)
{
//key update
char parent_key_update[DATE_SIZE_MAX];
Readnk_Infos(local_hks.buffer,local_hks.taille_fic, (local_hks.pos_fhbin), local_hks.position,
NULL, nk_h, parent_key_update, DATE_SIZE_MAX, NULL, 0,NULL, 0);
//get value
DWORD test_size = MAX_LINE_SIZE;
DWORD serial_size;
ReadBinarynk_Value(local_hks.buffer,local_hks.taille_fic, (local_hks.pos_fhbin)+HBIN_HEADER_SIZE, local_hks.position,
NULL, nk_h, argv[2], (void*)tmp, &test_size);
if (test_size>65)
{
char result[MAX_PATH]="";
char key[25] = "BCDFGHJKMPQRTVWXY2346789";
BYTE enc[MAX_PATH];
char lpszSerial[MAX_PATH];
int i,c=0,nCur=0;
for(i=52;i<=66;i++)enc[i-52] = tmp[i];
for(i=24;i>=0;i--)
{
nCur = 0;
for(c=14;c>-1;c--)
{
nCur = nCur * 256;
nCur ^= enc[c];
enc[c] = nCur / 24;
nCur %= 24;
}
lpszSerial[i] = key[nCur];
}
serial_size = 0;
for(i=0;lpszSerial[i] && (i+i/5) < 30 && MAX_PATH>serial_size;i++)
{
if(i % 5 == 0 && i>0)snprintf(result+serial_size,MAX_PATH-serial_size,"-%c",lpszSerial[i]);
else snprintf(result+serial_size,MAX_PATH-serial_size,"%c",lpszSerial[i]);
serial_size = strlen(result);
}
//save
convertStringToSQL(result, MAX_LINE_SIZE);
addRegistrySettingstoDB(local_hks.file, "", argv[1], argv[2], result, argv[4], argv[5], parent_key_update, session_id, db_scan);
}
}
}
break;
case TYPE_ENUM_STRING_VALUE:
{
HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(local_hks.buffer,local_hks.taille_fic, (local_hks.pos_fhbin)+HBIN_HEADER_SIZE, local_hks.position,argv[1]);
if (nk_h!=NULL)
{
//key update
char parent_key_update[DATE_SIZE_MAX];
Readnk_Infos(local_hks.buffer,local_hks.taille_fic, (local_hks.pos_fhbin), local_hks.position,
NULL, nk_h, parent_key_update, DATE_SIZE_MAX, NULL, 0,NULL, 0);
//get values
char value[MAX_PATH];
DWORD i, nbSubValue = GetValueData(local_hks.buffer,local_hks.taille_fic, nk_h, (local_hks.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
for (i=0;i<nbSubValue;i++)
{
if (GetValueData(local_hks.buffer,local_hks.taille_fic, nk_h, (local_hks.pos_fhbin)+HBIN_HEADER_SIZE, i,value,MAX_PATH,tmp,MAX_LINE_SIZE))
{
//save
convertStringToSQL(value, MAX_PATH);
convertStringToSQL(tmp, MAX_LINE_SIZE);
addRegistrySettingstoDB(local_hks.file, "", argv[1], value, tmp, argv[4], argv[5], parent_key_update, session_id, db_scan);
}
}
}
}
break;
}
}
}
return 0;
}
//------------------------------------------------------------------------------
//file registry part
//------------------------------------------------------------------------------
void EnumPath_file(HK_F_OPEN *hks, char*key_before,char *key_after,unsigned int session_id, sqlite3 *db, BOOL direct)
{
HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks->buffer,hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position,key_before);
if (nk_h == NULL)return;
char parent_key_update[DATE_SIZE_MAX] = "";
char RID[MAX_PATH], sid[MAX_PATH];
char value[MAX_PATH], data[MAX_PATH];
char tmp_key[MAX_PATH],key_path[MAX_PATH];
HBIN_CELL_NK_HEADER *nk_h_tmp;
DWORD i,k, nbSubValue, nbSubKey;
if(direct)
{
//get nk of key :)
nk_h_tmp = GetRegistryNK(hks->buffer,hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position,key_before);
if (nk_h_tmp == NULL)return;
//key update
Readnk_Infos(hks->buffer,hks->taille_fic, (hks->pos_fhbin), hks->position,
NULL, nk_h_tmp, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
//get values
nbSubValue = GetValueData(hks->buffer,hks->taille_fic, nk_h_tmp, (hks->pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
for (k=0;k<nbSubValue && start_scan;k++)
{
if (GetValueData(hks->buffer,hks->taille_fic, nk_h_tmp, (hks->pos_fhbin)+HBIN_HEADER_SIZE, k,value,MAX_PATH,data,MAX_PATH))
{
//save
convertStringToSQL(value, MAX_PATH);
convertStringToSQL(data, MAX_PATH);
addRegistryPathtoDB(hks->file,"",key_before,value,data,"",RID,sid,parent_key_update,session_id,db);
}
}
}else
{
nbSubKey = GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, 0, NULL, 0);
for (i=0;i<nbSubKey && start_scan;i++)
{
//for each subkey
if(GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, i, tmp_key, MAX_PATH))
{
if (key_after!=NULL) snprintf(key_path,MAX_PATH,"%s\\%s\\%s",key_before,tmp_key,key_after);
else snprintf(key_path,MAX_PATH,"%s\\%s",key_before,tmp_key);
//get nk of key :)
nk_h_tmp = GetRegistryNK(hks->buffer,hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position,key_path);
if (nk_h_tmp == NULL)continue;
//key update
Readnk_Infos(hks->buffer,hks->taille_fic, (hks->pos_fhbin), hks->position,
NULL, nk_h_tmp, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
//get values
nbSubValue = GetValueData(hks->buffer,hks->taille_fic, nk_h_tmp, (hks->pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
for (k=0;k<nbSubValue && start_scan;k++)
{
if (GetValueData(hks->buffer,hks->taille_fic, nk_h_tmp, (hks->pos_fhbin)+HBIN_HEADER_SIZE, k,value,MAX_PATH,data,MAX_PATH))
{
//save
convertStringToSQL(value, MAX_PATH);
convertStringToSQL(data, MAX_PATH);
addRegistryPathtoDB(hks->file,"",key_path,value,data,"",RID,sid,parent_key_update,session_id,db);
}
}
}
}
}
}
//------------------------------------------------------------------------------
void ReadArboRawRegFile(HK_F_OPEN *hks, HBIN_CELL_NK_HEADER *nk_h, char *reg_file, HTREEITEM hparent, char *parent, char *root, HANDLE hlv, HANDLE htv)
{
//get first root, if valide ?
if (nk_h == NULL)return;
//read all nk
char tmp_key[MAX_PATH], tmp_root[MAX_PATH], tmp_parent[MAX_PATH];
DWORD i,nbSubKey = GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, 0, NULL, 0);
for (i=0;i<nbSubKey;i++)
{
if(GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, i, tmp_key, MAX_PATH))
{
snprintf(tmp_parent,MAX_PATH,"%s%s\\",parent,tmp_key);
snprintf(tmp_root,MAX_PATH,"%s\\%s",root,tmp_key);
ReadArboRawRegFile(hks,
GetSubNKtonk(hks->buffer, hks->taille_fic, nk_h, hks->position, i),
reg_file,
AddItemTreeViewImg(htv,tmp_key, hparent,ICON_DIRECTORY_REG),
tmp_parent,
tmp_root,
hlv, htv);
}
}
//init
LINE_ITEM lv_line[DLG_REG_LV_NB_COLUMN];
char parent_key_update[DATE_SIZE_MAX];
char Owner_SID[MAX_PATH];
char tmp_value_trv[MAX_PATH];
DWORD nbSubValue, type;
strncpy(lv_line[0].c,reg_file,MAX_LINE_SIZE);
strncpy(lv_line[1].c,parent,MAX_LINE_SIZE);
lv_line[7].c[0] = 0; //deleted = no view in this state
lv_line[8].c[0] = 0;
//read nk infos :)
Readnk_Infos(hks->buffer,hks->taille_fic, (hks->pos_fhbin), hks->position,
NULL, nk_h, parent_key_update, DATE_SIZE_MAX, NULL, 0,Owner_SID, MAX_PATH);
Readnk_Class(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position,
NULL, nk_h, lv_line[8].c, MAX_PATH);
//read all vk
nbSubValue = GetValueData(hks->buffer,hks->taille_fic, nk_h, (hks->pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
for (i=0;i<nbSubValue;i++)
{
type = GetValueData(hks->buffer,hks->taille_fic, nk_h, (hks->pos_fhbin)+HBIN_HEADER_SIZE, i,lv_line[2].c,MAX_LINE_SIZE,lv_line[3].c,MAX_LINE_SIZE);
switch(type)
{
case 0x00000001:
strcpy(lv_line[4].c,"REG_SZ");
snprintf(tmp_value_trv,MAX_PATH,"%s=%s",lv_line[2].c,lv_line[3].c);
AddItemTreeViewImg(htv,tmp_value_trv, hparent,ICON_FILE_TXT_REG);
break;
case 0x00000002:
strcpy(lv_line[4].c,"REG_EXPAND_SZ");
snprintf(tmp_value_trv,MAX_PATH,"%s=%s",lv_line[2].c,lv_line[3].c);
AddItemTreeViewImg(htv,tmp_value_trv, hparent,ICON_FILE_TXT_REG);
break;
case 0x00000003:
strcpy(lv_line[4].c,"REG_BINARY");
snprintf(tmp_value_trv,MAX_PATH,"%s=%s",lv_line[2].c,lv_line[3].c);
AddItemTreeViewImg(htv,tmp_value_trv, hparent,ICON_FILE_BIN_REG);
break;
case 0x00000004:
case 0x00000005:
strcpy(lv_line[4].c,"REG_DWORD");
snprintf(tmp_value_trv,MAX_PATH,"%s=%s",lv_line[2].c,lv_line[3].c);
AddItemTreeViewImg(htv,tmp_value_trv, hparent,ICON_FILE_DWORD_REG);
break;
case 0x00000006:
strcpy(lv_line[4].c,"REG_LINK");
snprintf(tmp_value_trv,MAX_PATH,"%s=%s",lv_line[2].c,lv_line[3].c);
AddItemTreeViewImg(htv,tmp_value_trv, hparent,ICON_FILE_BIN_REG);
break;
case 0x00000007:
strcpy(lv_line[4].c,"REG_MULTI_SZ");
snprintf(tmp_value_trv,MAX_PATH,"%s=%s",lv_line[2].c,lv_line[3].c);
AddItemTreeViewImg(htv,tmp_value_trv, hparent,ICON_FILE_TXT_REG);
break;
case 0x0000000A:
strcpy(lv_line[4].c,"REG_RESOURCE_REQUIREMENTS_LIST");
snprintf(tmp_value_trv,MAX_PATH,"%s=%s",lv_line[2].c,lv_line[3].c);
AddItemTreeViewImg(htv,tmp_value_trv, hparent,ICON_FILE_BIN_REG);
break;
case 0x0000000b:
strcpy(lv_line[4].c,"REG_QWORD");
snprintf(tmp_value_trv,MAX_PATH,"%s=%s",lv_line[2].c,lv_line[3].c);
AddItemTreeViewImg(htv,tmp_value_trv, hparent,ICON_FILE_DWORD_REG);
break;
default:
if (type == 0x00000000)
{
strcpy(lv_line[4].c,"REG_NONE");
snprintf(tmp_value_trv,MAX_PATH,"%s=%s",lv_line[2].c,lv_line[3].c);
}else
{
strcpy(lv_line[4].c,"UNKNOW");
snprintf(tmp_value_trv,MAX_PATH,"%s=(type:0x%08X)%s",lv_line[2].c,type,lv_line[3].c);
}
AddItemTreeViewImg(htv,tmp_value_trv, hparent,ICON_FILE_UNKNOW_REG);
break;
}
//add to lstv
strcpy(lv_line[5].c,parent_key_update);
strcpy(lv_line[6].c,Owner_SID);
AddToLVRegBin(hlv, lv_line, DLG_REG_LV_NB_COLUMN);
}
//no value : only directory
if (nbSubValue < 1 && nk_h->nb_subkeys <1)
{
lv_line[2].c[0] = 0;
lv_line[3].c[0] = 0;
lv_line[4].c[0] = 0;
strcpy(lv_line[5].c,parent_key_update);
strcpy(lv_line[6].c,Owner_SID);
AddToLVRegBin(hlv, lv_line, DLG_REG_LV_NB_COLUMN);
}
DWORD nb = ListView_GetItemCount(hlv);
if (nb % 1000 == 0)
{
char tmp[MAX_PATH];
snprintf(tmp,MAX_PATH,"Loading... %lu keys",nb);
SendMessage(GetDlgItem(h_reg,STB),SB_SETTEXT,0, (LPARAM)tmp);
}
}
//------------------------------------------------------------------------------
int callback_sqlite_registry_mru_file(void *datas, int argc, char **argv, char **azColName)
{
FORMAT_CALBAK_TYPE *type = datas;
unsigned int session_id = current_session_id;
char tmp[MAX_LINE_SIZE];
switch(type->type)
{
case SQLITE_REGISTRY_TYPE_MRU:
{
switch(atoi(argv[3]))//value_type
{
case TYPE_VALUE_STRING:
case TYPE_VALUE_WSTRING:
if (Readnk_Value(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,
argv[1], NULL, argv[2], tmp, MAX_LINE_SIZE))
{
//key update
char parent_key_update[DATE_SIZE_MAX]="";
char RID[MAX_PATH]="", sid[MAX_PATH]="";
Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
argv[1], NULL, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
//save
convertStringToSQL(tmp, MAX_LINE_SIZE);
addRegistryMRUtoDB(hks_mru.file,"",argv[1],argv[2],tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
}
break;
case TYPE_ENUM_STRING_RVALUE://all string under one key
{
HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
if (nk_h!=NULL)
{
//key update
char parent_key_update[DATE_SIZE_MAX]="";
char RID[MAX_PATH]="", sid[MAX_PATH]="";
Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
NULL, nk_h, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
//get values
char value[MAX_PATH];
DWORD i, nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
for (i=0;i<nbSubValue && start_scan;i++)
{
if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,value,MAX_PATH,tmp,MAX_LINE_SIZE))
{
//if (strcmp(charToLowChar(value),argv[2]) != 0)
{
//save
convertStringToSQL(value, MAX_PATH);
convertStringToSQL(tmp, MAX_LINE_SIZE);
addRegistryMRUtoDB(hks_mru.file,"",argv[1],value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
}
}
}
}
}
break;
case TYPE_ENUM_STRING_VALUE://list of all string in a directory and exclude "value"
{
HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
if (nk_h!=NULL)
{
//key update
char parent_key_update[DATE_SIZE_MAX]="";
char RID[MAX_PATH]="", sid[MAX_PATH]="";
Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
NULL, nk_h, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
//get values
char value[MAX_PATH];
DWORD i, nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
for (i=0;i<nbSubValue && start_scan;i++)
{
if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,value,MAX_PATH,tmp,MAX_LINE_SIZE))
{
//if (strcmp(charToLowChar(value),argv[2]) != 0)
{
//save
convertStringToSQL(value, MAX_PATH);
convertStringToSQL(tmp, MAX_LINE_SIZE);
addRegistryMRUtoDB(hks_mru.file,"",argv[1],value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
}
}
}
}
}
break;
case TYPE_ENUM_STRING_NVALUE://list of all string in a directory with "value"
{
HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
if (nk_h!=NULL)
{
//key update
char parent_key_update[DATE_SIZE_MAX]="";
char RID[MAX_PATH]="", sid[MAX_PATH]="";
Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
NULL, nk_h, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
//get values
char value[MAX_PATH];
DWORD i, nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
for (i=0;i<nbSubValue && start_scan;i++)
{
if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,value,MAX_PATH,tmp,MAX_LINE_SIZE))
{
if (Contient(charToLowChar(value),argv[2]))
{
//save
convertStringToSQL(value, MAX_PATH);
convertStringToSQL(tmp, MAX_LINE_SIZE);
addRegistryMRUtoDB(hks_mru.file,"",argv[1],value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
}
}
}
}
}
break;
case TYPE_ENUM_STRING_WVALUE:
{
HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
if (nk_h!=NULL)
{
//key update
char parent_key_update[DATE_SIZE_MAX]="";
char RID[MAX_PATH]="", sid[MAX_PATH]="";
Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
NULL, nk_h, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
//get values
char value[MAX_PATH],data[MAX_LINE_SIZE];
DWORD i, nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
DWORD sz_value = MAX_LINE_SIZE;
for (i=0;i<nbSubValue && start_scan;i++)
{
sz_value = MAX_LINE_SIZE;
if (GetBinaryValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,value,MAX_PATH,tmp,&sz_value))
{
//save
convertStringToSQL(value, MAX_PATH);
snprintf(data,MAX_LINE_SIZE,"%S",tmp);
convertStringToSQL(tmp, MAX_LINE_SIZE);
addRegistryMRUtoDB(hks_mru.file,"",argv[1],value,data,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
}
}
}
}
break;
case TYPE_ENUM_SUBNK_DATE:
{
HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
if (nk_h!=NULL)
{
char parent_key_update[DATE_SIZE_MAX]="";
char RID[MAX_PATH]="", sid[MAX_PATH]="";
//get values
char value[MAX_PATH], tmp_key[MAX_PATH];
DWORD i, nbSubnk = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0);
for (i=0;i<nbSubnk && start_scan;i++)
{
if (GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i, value, MAX_PATH))
{
snprintf(tmp_key,MAX_PATH,"%s\\%s",argv[1],value);
HBIN_CELL_NK_HEADER *nk_ht = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,tmp_key);
if (nk_ht!=NULL)
{
//key update
Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
NULL, nk_ht, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
//save
convertStringToSQL(tmp_key, MAX_PATH);
addRegistryMRUtoDB(hks_mru.file,"",tmp_key,"","",argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
}
}
}
}
}
break;
case TYPE_DBL_ENUM_VALUE:
{
HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
if (nk_h==NULL)break;
char parent_key_update[DATE_SIZE_MAX]="";
char RID[MAX_PATH]="", sid[MAX_PATH]="", data[MAX_PATH];
HBIN_CELL_NK_HEADER *nk_ht, *nk_ht2;
//get values
char value2[MAX_PATH],value[MAX_PATH], tmp_key2[MAX_PATH], tmp_key[MAX_PATH];
DWORD i,j, nbSubnk2, nbSubnk = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0);
for (i=0;i<nbSubnk && start_scan;i++)
{
if (GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i, value, MAX_PATH))
{
snprintf(tmp_key,MAX_PATH,"%s\\%s\\AVGeneral\\cRecentFiles",argv[1],value);
nk_ht = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,tmp_key);
nbSubnk2 = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_ht, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0);
for (j=0;j<nbSubnk2 && start_scan;j++)
{
if (GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_ht, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, j, value2, MAX_PATH))
{
snprintf(tmp_key2,MAX_PATH,"%s\\%s",tmp_key,value2);
nk_ht2 = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,tmp_key2);
//datas
if(Readnk_Value(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, NULL, nk_ht2, argv[2],
data, MAX_PATH))
{
//key update
Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
NULL, nk_ht2, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
//save
convertStringToSQL(data, MAX_PATH);
addRegistryMRUtoDB(hks_mru.file,"",tmp_key2,argv[2],data,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
}
}
}
}
}
}
break;
case TYPE_ENUM_STRING_RRVALUE://all string under thow key + key
{
HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
if (nk_h == NULL)return 0;
char parent_key_update[DATE_SIZE_MAX]="";
char RID[MAX_PATH]="", sid[MAX_PATH]="";
char value[MAX_PATH];
char tmp_key[MAX_PATH], tmp_key2[MAX_PATH], key_path[MAX_PATH];
HBIN_CELL_NK_HEADER *nk_h_tmp, *nk_h_tmp2;
DWORD i,j,k, nbSubValue,nbSubKey2,nbSubKey = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, 0, NULL, 0);
for (i=0;i<nbSubKey && start_scan;i++)
{
if(GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i, tmp_key, MAX_PATH))
{
//get nk of key :)
nk_h_tmp = GetSubNKtonk(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i);
if (nk_h_tmp == NULL)continue;
nbSubKey2 = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h_tmp, hks_mru.position, 0, NULL, 0);
for (j=0;j<nbSubKey2 && start_scan;j++)
{
if(GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h_tmp, hks_mru.position, j, tmp_key2, MAX_PATH))
{
//get nk of key :)
snprintf(key_path,MAX_PATH,"%s\\%s\\%s\\%s",argv[1],tmp_key,tmp_key2,argv[2]);
nk_h_tmp2 = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,key_path);
if (nk_h_tmp2 == NULL)continue;
//key update
Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
NULL, nk_h_tmp2, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
//get values
nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h_tmp2, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
for (k=0;k<nbSubValue;k++)
{
if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h_tmp2, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, k,value,MAX_PATH,tmp,MAX_LINE_SIZE))
{
//save
convertStringToSQL(value, MAX_PATH);
convertStringToSQL(tmp, MAX_LINE_SIZE);
addRegistryMRUtoDB(hks_mru.file,"",key_path,value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
}
}
}
}
}
}
}
break;
case TYPE_ENUM_STRING_R_VALUE://all string under one key + key
{
HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
if (nk_h == NULL)return 0;
char parent_key_update[DATE_SIZE_MAX]="";
char RID[MAX_PATH]="", sid[MAX_PATH]="";
char value[MAX_PATH];
char tmp_key[MAX_PATH], key_path[MAX_PATH];
HBIN_CELL_NK_HEADER *nk_h_tmp, *nk_h_tmp2;
DWORD i,k, nbSubValue,nbSubKey = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, 0, NULL, 0);
for (i=0;i<nbSubKey && start_scan;i++)
{
if(GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i, tmp_key, MAX_PATH))
{
//get nk of key :)
nk_h_tmp = GetSubNKtonk(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i);
if (nk_h_tmp == NULL)continue;
snprintf(key_path,MAX_PATH,"%s\\%s\\%s",argv[1],tmp_key,argv[2]);
nk_h_tmp2 = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,key_path);
if (nk_h_tmp2 == NULL)continue;
//key update
Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
NULL, nk_h_tmp2, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
//get values
nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h_tmp2, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
for (k=0;k<nbSubValue;k++)
{
if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h_tmp2, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, k,value,MAX_PATH,tmp,MAX_LINE_SIZE))
{
//save
convertStringToSQL(value, MAX_PATH);
convertStringToSQL(tmp, MAX_LINE_SIZE);
addRegistryMRUtoDB(hks_mru.file,"",key_path,value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
}
}
}
}
}
break;
}
}break;
}
return 0;
}
//------------------------------------------------------------------------------
//file registry part
//------------------------------------------------------------------------------
void Scan_registry_service_file(HK_F_OPEN *hks, char *ckey, unsigned int session_id, sqlite3 *db)
{
//exist or not in the file ?
HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, ckey);
if (nk_h == NULL)return;
char tmp_key[MAX_PATH],key_path[MAX_PATH],state[MAX_PATH];
DWORD state_id,type_id;
char lastupdate[DATE_SIZE_MAX],
name[MAX_PATH],path[MAX_PATH],description[MAX_PATH];
HBIN_CELL_NK_HEADER *nk_h_tmp;
DWORD i,nbSubKey = GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, 0, NULL, 0);
for (i=0;i<nbSubKey;i++)
{
//for each subkey
if(GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, i, tmp_key, MAX_PATH))
{
//get nk of key :)
nk_h_tmp = GetSubNKtonk(hks->buffer, hks->taille_fic, nk_h, hks->position, i);
if (nk_h_tmp == NULL)continue;
//read datas ^^
snprintf(key_path,MAX_PATH,"%s\\%s",ckey,tmp_key);
if (Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL, nk_h_tmp,"DisplayName", name, MAX_PATH)==FALSE)
{
if (Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL, nk_h_tmp,"Group", name, MAX_PATH)==FALSE)continue;
strncpy(name,tmp_key,MAX_PATH);
}
if(Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL, nk_h_tmp,"Start", state, MAX_PATH))
{
if (strcmp(state,"0x00000000") == 0)state_id=210;//Kernel module : 210
else if (strcmp(state,"0x00000001") == 0)state_id=211;//Start by system : 211
else if (strcmp(state,"0x00000002") == 0)state_id=212;//Automatic start : 212
else if (strcmp(state,"0x00000003") == 0)state_id=213;//Manual start : 213
else if (strcmp(state,"0x00000004") == 0)state_id=214;//Disable : 214
else state_id=215; //Unknow : 215
}else state_id = 0;
Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL, nk_h_tmp,"ImagePath", path, MAX_PATH);
if(Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL, nk_h_tmp,"Description", description, MAX_PATH)==FALSE)
Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL, nk_h_tmp,"Group", description, MAX_PATH);
Readnk_Value(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, NULL, nk_h_tmp,"Type", state, MAX_PATH);
if (strcmp(state,"0x00000001") == 0) type_id = 200;//Kernel driver
else if (strcmp(state,"0x00000002") == 0)type_id = 201;//File system driver
else if (strcmp(state,"0x00000010") == 0)type_id = 202;//Own process
else if (strcmp(state,"0x00000020") == 0)type_id = 203;//Share process
else if (strcmp(state,"0x00000100") == 0)type_id = 204;//Interactive
else type_id = 215;
Readnk_Infos(hks->buffer, hks->taille_fic, (hks->pos_fhbin), hks->position, NULL, nk_h_tmp,
lastupdate, DATE_SIZE_MAX, NULL, 0, NULL, 0);
convertStringToSQL(path, MAX_PATH);
convertStringToSQL(description, MAX_PATH);
addRegistryServicetoDB(hks->file, "", key_path, name,
state_id, path, description, type_id,
lastupdate, session_id, db);
}
}
}
