//------------------------------------------------------------------------------
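DWORD WINAPI Scan_registry_deletedKey(LPVOID lParam)
{
  // Thread entry point: look for deleted keys in every registry hive file
  // listed under the FILES_TITLE_REGISTRY node of the file tree-view.
  // There is no live-registry variant in this function, so with LOCAL_SCAN
  // set and no hive files listed nothing is scanned.
  //
  // lParam carries the test index (an integer smuggled through LPVOID); it
  // selects the tree-view entry to untick and the h_thread_test slot to
  // release when the thread finishes. Always returns 0.
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  unsigned int test_index = (unsigned int)lParam;
  char file[MAX_PATH];

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Registry_Deleted_Key\";\"source\";\"key\";\"value\";\"data\";\"type\";\"sid\";\"last_update\";\"session_id\";\r\n");
  #endif

  // One transaction for the whole scan unless the DB runs in full-speed mode.
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem!=NULL || !LOCAL_SCAN) //files
  {
    // start_scan is cleared elsewhere to abort a running scan (presumably by
    // the UI); testing it here matches Scan_registry_path/Scan_registry_mru
    // so an aborted scan stops at the next hive instead of walking them all.
    while(hitem!=NULL && start_scan)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      if (file[0] != 0)
      {
        Scan_registry_deletedKey_file(file, session_id, db);
      }
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  // Release the test entry: untick it in the tree-view and free the thread slot.
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[test_index] = 0;
  return 0;
}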
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
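DWORD WINAPI Scan_registry_setting(LPVOID lParam)
{
  // Thread entry point: extract registry settings either from the hive files
  // listed under FILES_TITLE_REGISTRY in the file tree-view
  // (Scan_registry_setting_file) or, when none are listed and LOCAL_SCAN is
  // set, from the live registry (Scan_registry_setting_local).
  //
  // lParam carries the test index (an integer smuggled through LPVOID); it
  // selects the tree-view entry to untick and the h_thread_test slot to
  // release when the thread finishes. Always returns 0.
  unsigned int test_index = (unsigned int)lParam;
  char file[MAX_PATH];

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Registry_Settings\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"type_id\";\"description_id\";\"parent_key_update\";\"session_id\";\r\n");
  #endif

  // One transaction for the whole scan unless the DB runs in full-speed mode.
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem!=NULL || !LOCAL_SCAN) //files
  {
    // start_scan is cleared elsewhere to abort a running scan (presumably by
    // the UI); testing it here matches Scan_registry_path/Scan_registry_mru
    // so an aborted scan stops at the next hive instead of walking them all.
    while(hitem!=NULL && start_scan)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      if (file[0] != 0)
      {
        //verify
        Scan_registry_setting_file(db_scan,file);
      }
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }else Scan_registry_setting_local(db_scan); //local

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  // Release the test entry: untick it in the tree-view and free the thread slot.
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
  h_thread_test[test_index] = 0;
  return 0;
}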
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
DWORD WINAPI Scan_registry_path(LPVOID lParam)
{
  // Thread entry point: collect the registry locations that hold executable
  // paths (shell open commands, environment variables, App Paths). Hive files
  // listed under FILES_TITLE_REGISTRY are read with EnumPath_file; when none
  // are listed and LOCAL_SCAN is set the live registry is walked with
  // EnumPath_local instead.
  //
  // lParam carries the test index (an integer smuggled through LPVOID); it
  // selects the tree-view entry to untick and the h_thread_test slot to
  // release on exit. Always returns 0.
  sqlite3 *db = (sqlite3 *)db_scan;
  const unsigned int session_id = current_session_id;
  const unsigned int test_index = (unsigned int)lParam;

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Registry_Path\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"user\";\"rid\";\"sid\";\"parent_key_update\";\"session_id\";\r\n");
  #endif

  // One transaction for the whole scan unless the DB runs in full-speed mode.
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem == NULL && LOCAL_SCAN)
  {
    // Live registry: the same four locations, rooted under SOFTWARE / HKEY_USERS.
    EnumPath_local(HKEY_LOCAL_MACHINE,"HKEY_LOCAL_MACHINE","SOFTWARE\\Classes","shell\\open\\command",session_id,db);
    EnumPath_local(HKEY_USERS,"HKEY_USERS","","Environment",session_id,db);
    EnumPath_local(HKEY_LOCAL_MACHINE,"HKEY_LOCAL_MACHINE","SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db);
    EnumPath_local(HKEY_LOCAL_MACHINE,"HKEY_LOCAL_MACHINE","SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db);
  }
  else
  {
    // Hive files: walk the children of the registry title node until the list
    // ends or start_scan is cleared (abort requested elsewhere).
    char hive_path[MAX_PATH];
    HK_F_OPEN hive;
    for (; hitem != NULL && start_scan;
         hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem))
    {
      hive_path[0] = 0;
      GetTextFromTrv(hitem, hive_path, MAX_PATH);
      if (hive_path[0] == 0 || !OpenRegFiletoMem(&hive, hive_path))
        continue;

      // Classes open/edit/print commands, environment, then both App Paths views.
      EnumPath_file(&hive,"Classes","shell\\open\\command",session_id,db, FALSE);
      EnumPath_file(&hive,"Environment","",session_id,db, TRUE);
      EnumPath_file(&hive,"Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db, FALSE);
      EnumPath_file(&hive,"Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db, FALSE);
      CloseRegFiletoMem(&hive);
    }
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  // Release the test entry: untick it in the tree-view and free the thread slot.
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[test_index] = 0;
  return 0;
}
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
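DWORD WINAPI Scan_registry_mru(LPVOID lParam)
{
  // Thread entry point: extract MRU (most-recently-used) lists. The keys and
  // values to read come from the extract_registry_mru_request table; each
  // row is handed to a sqlite callback (callback_sqlite_registry_mru_file or
  // callback_sqlite_registry_mru_local) together with `fcri`. Hive files are
  // opened into the file-scope hks_mru so the callback can reach them, which
  // presumably means two MRU scans must not run concurrently — not verified.
  //
  // lParam carries the test index (an integer smuggled through LPVOID); it
  // selects the tree-view entry to untick and the h_thread_test slot to
  // release on exit. Always returns 0.
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int test_index = (unsigned int)lParam;
  char file[MAX_PATH];
  // Zero-initialise the whole context so the callbacks never read an
  // indeterminate member; only .type is set explicitly here.
  FORMAT_CALBAK_READ_INFO fcri = { 0 };
  fcri.type = SQLITE_REGISTRY_TYPE_MRU;

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Registry_MRU\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"description_id\";\"user\";\"rid\";\"sid\";\"parent_key_update\";\"session_id\";\r\n");
  #endif

  // One transaction for the whole scan unless the DB runs in full-speed mode.
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem!=NULL || !LOCAL_SCAN) //files
  {
    // start_scan is cleared elsewhere to abort a running scan.
    while(hitem!=NULL && start_scan)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      if (file[0] != 0)
      {
        //open file + verify
        if(OpenRegFiletoMem(&hks_mru, file))
        {
          // The request table drives the extraction; the callback reads the hive through hks_mru.
          sqlite3_exec(db, "SELECT hkey,search_key,value,value_type,type_id,description_id FROM extract_registry_mru_request;", callback_sqlite_registry_mru_file, &fcri, NULL);

          CloseRegFiletoMem(&hks_mru);
        }
      }
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }else
  {
    // Live registry: same request table, local callback.
    sqlite3_exec(db, "SELECT hkey,key,value,value_type,type_id,description_id FROM extract_registry_mru_request;", callback_sqlite_registry_mru_local, &fcri, NULL);
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  // Release the test entry: untick it in the tree-view and free the thread slot.
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[test_index] = 0;
  return 0;
}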
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
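DWORD WINAPI Scan_registry_service(LPVOID lParam)
{
  // Thread entry point: enumerate installed services. Hive files listed under
  // FILES_TITLE_REGISTRY are read with Scan_registry_service_file for each
  // ControlSet00N\Services key (a SYSTEM hive may carry several control
  // sets); when none are listed and LOCAL_SCAN is set the live
  // CurrentControlSet is read with Scan_registry_service_local.
  //
  // lParam carries the test index (an integer smuggled through LPVOID); it
  // selects the tree-view entry to untick and the h_thread_test slot to
  // release on exit. Always returns 0.
  enum { FIRST_CONTROL_SET = 1, LAST_CONTROL_SET = 4 };
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  unsigned int test_index = (unsigned int)lParam;
  char file[MAX_PATH];
  char services_key[MAX_PATH];
  HK_F_OPEN hks;
  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Registry_Service\";\"file\";\"hk\";\"key\";\"name\";\"state_id\";\"path\";\"type_id\";\"last_update\";\"session_id\";\"description\";\r\n");
  #endif

  // One transaction for the whole scan unless the DB runs in full-speed mode.
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem!=NULL || !LOCAL_SCAN) //files
  {
    // start_scan is cleared elsewhere to abort a running scan; testing it
    // here matches Scan_registry_path/Scan_registry_mru.
    while(hitem!=NULL && start_scan)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      if (file[0] != 0)
      {
        //open file + verify
        if(OpenRegFiletoMem(&hks, file))
        {
          // ControlSet001..ControlSet004, as the original hard-coded list.
          unsigned int n;
          for (n = FIRST_CONTROL_SET; n <= LAST_CONTROL_SET; n++)
          {
            snprintf(services_key, MAX_PATH, "ControlSet%03u\\Services", n);
            Scan_registry_service_file(&hks, services_key, session_id, db);
          }

          CloseRegFiletoMem(&hks);
        }
      }
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }else Scan_registry_service_local("SYSTEM\\CurrentControlSet\\Services\\",db, session_id);

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  // Release the test entry: untick it in the tree-view and free the thread slot.
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[test_index] = 0;
  return 0;
}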
//------------------------------------------------------------------------------
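DWORD WINAPI Scan_route(LPVOID lParam)
{
  // Thread entry point: dump the IPv4 routing table of the live machine
  // (destination, netmask, gateway, metric) through addRoutetoDB. There is
  // nothing to do when the scan targets files (LOCAL_SCAN clear).
  //
  // lParam carries the test index (an integer smuggled through LPVOID); it
  // selects the tree-view entry to untick and the h_thread_test slot to
  // release on exit. Always returns 0. Every exit path goes through `done`
  // so the SQLite transaction is closed, the module is freed and the thread
  // slot released — the previous early returns left the transaction open and
  // the slot set when the DLL or the buffer could not be obtained.
  typedef DWORD (WINAPI *GETIPFORWARDTABLE)(PMIB_IPFORWARDTABLE pIpForwardTable, PULONG pdwSize, BOOL bOrder);
  const unsigned int test_index = (unsigned int)lParam;
  sqlite3 *db = (sqlite3 *)db_scan;
  const unsigned int session_id = current_session_id;
  HANDLE hDLL = NULL;
  GETIPFORWARDTABLE pGetIpForwardTable = NULL;
  PMIB_IPFORWARDTABLE fwd = NULL;
  BOOL in_transaction = FALSE;
  DWORD dwSize = 0;
  DWORD rc;
  DWORD i;

  if (!LOCAL_SCAN) goto done;

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Route\";\"destination\";\"netmask\";\"gateway\";\"metric\";\"session_id\";\r\n");
  #endif

  // GetIpForwardTable is resolved at run time rather than imported. A bare
  // module name follows the default DLL search order; if the tool may be
  // launched from an untrusted directory, LoadLibraryEx with
  // LOAD_LIBRARY_SEARCH_SYSTEM32 is the safer call on systems that support it.
  hDLL = LoadLibrary( "IPHLPAPI.DLL" );
  if (hDLL == NULL) goto done;
  pGetIpForwardTable = (GETIPFORWARDTABLE) GetProcAddress(hDLL,"GetIpForwardTable");

  // One transaction for the whole scan unless the DB runs in full-speed mode.
  if(!SQLITE_FULL_SPEED)
  {
    sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
    in_transaction = TRUE;
  }
  if (pGetIpForwardTable == NULL) goto done;

  // Start with room for one entry; on ERROR_INSUFFICIENT_BUFFER the API
  // reports the size it needs, so reallocate and ask again.
  dwSize = sizeof(MIB_IPFORWARDTABLE);
  fwd = HeapAlloc(GetProcessHeap(), 0, dwSize);
  if (fwd == NULL) goto done;
  rc = pGetIpForwardTable(fwd, &dwSize, 0);
  if (rc == ERROR_INSUFFICIENT_BUFFER)
  {
    HeapFree(GetProcessHeap(), 0, fwd);
    fwd = HeapAlloc(GetProcessHeap(), 0, dwSize);
    if (fwd == NULL) goto done;
    rc = pGetIpForwardTable(fwd, &dwSize, 0);
  }
  if (rc != NO_ERROR) goto done;

  // dwNumEntries is a DWORD: compare unsigned with unsigned (the original
  // cast it to int).
  for (i = 0; i < fwd->dwNumEntries; i++)
  {
    struct in_addr addr;
    char destination[IP_SIZE_MAX];
    char netmask[IP_SIZE_MAX];
    char gateway[IP_SIZE_MAX];

    // inet_ntoa returns a static buffer, so every result is copied out
    // before the next call.
    addr.S_un.S_addr = (u_long) fwd->table[i].dwForwardDest;
    snprintf(destination,IP_SIZE_MAX,"%s",inet_ntoa(addr));

    addr.S_un.S_addr = (u_long) fwd->table[i].dwForwardMask;
    snprintf(netmask,IP_SIZE_MAX,"%s",inet_ntoa(addr));

    addr.S_un.S_addr = (u_long) fwd->table[i].dwForwardNextHop;
    snprintf(gateway,IP_SIZE_MAX,"%s",inet_ntoa(addr));

    addRoutetoDB(destination,
                 netmask,
                 gateway,
                 fwd->table[i].dwForwardMetric1,session_id,db);
  }

done:
  // Single cleanup path: table buffer, module, transaction, then release the
  // test entry (untick in the tree-view and free the thread slot).
  if (fwd != NULL) HeapFree(GetProcessHeap(), 0, fwd);
  if (hDLL != NULL) FreeLibrary(hDLL);
  if (in_transaction) sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[test_index] = 0;
  return 0;
}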
//------------------------------------------------------------------------------
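// Add `lowcase_file` under the tree-view title node `title` (an index into
// TRV_HTREEITEM_CONF). When `global_path` is not NULL it is inserted as-is;
// otherwise the entry is path + lowcase_file built in a MAX_PATH buffer
// (snprintf truncates a longer result, as the original inline code did).
static void trv_add_file_under(HANDLE htv, char *lowcase_file, char *path, char *global_path, unsigned int title)
{
  char tmp_path[MAX_PATH];
  if (global_path != NULL)
  {
    AddItemTreeView(htv, global_path, TRV_HTREEITEM_CONF[title]);
    return;
  }
  snprintf(tmp_path, MAX_PATH, "%s%s", path, lowcase_file);
  AddItemTreeView(htv, tmp_path, TRV_HTREEITEM_CONF[title]);
}

// Tick every test that consumes a registry hive (LAN, environment, shares and
// the whole INDEX_REG_CONF..INDEX_REG_FIREWALL range).
static void trv_check_registry_tests(void)
{
  unsigned int i;
  check_treeview(htrv_test, H_tests[INDEX_LAN], TRV_STATE_CHECK);
  check_treeview(htrv_test, H_tests[INDEX_ENV], TRV_STATE_CHECK);
  check_treeview(htrv_test, H_tests[INDEX_SHARE], TRV_STATE_CHECK);
  for (i = INDEX_REG_CONF; i <= INDEX_REG_FIREWALL; i++)
  {
    check_treeview(htrv_test, H_tests[i], TRV_STATE_CHECK);
  }
}

// User hives that carry an extension: security.dat, ntuser*.dat,
// settings*.dat (win8), usrclass*.dat, classes*.dat.
static int is_user_hive_with_ext(char *lowcase_file, char *ext)
{
  return strcmp(lowcase_file,"security.dat")==0 ||
         strcmp(lowcase_file,"ntuser.dat")==0   || (Contient(lowcase_file,"ntuser")>0 && strcmp(ext,"dat")==0)   ||
         strcmp(lowcase_file,"settings.dat")==0 || (startWith(lowcase_file,"settings_") && strcmp(ext,"dat")==0)   || //win8
         strcmp(lowcase_file,"usrclass.dat")==0 || (Contient(lowcase_file,"usrclass")>0 && strcmp(ext,"dat")==0) ||
         strcmp(lowcase_file,"classes.dat")==0  || (Contient(lowcase_file,"classes")>0 && strcmp(ext,"dat")==0);
}

// System hives have no extension (sam, software, system, ...); a copy may be
// suffixed with "_" (sam_xxx), hence the startWith variants.
static int is_system_hive(char *lowcase_file)
{
  return strcmp(lowcase_file,"sam")==0         ||
         strcmp(lowcase_file,"software")==0    ||
         strcmp(lowcase_file,"system")==0      ||
         strcmp(lowcase_file,"default")==0     ||
         strcmp(lowcase_file,"hardware")==0    ||
         strcmp(lowcase_file,"security")==0    ||
         strcmp(lowcase_file,"bcd-template")==0|| //win8
         strcmp(lowcase_file,"components")==0  || //win8
         strcmp(lowcase_file,"drivers")==0     || //win8
         strcmp(lowcase_file,"bbi")==0         || //win8
         strcmp(lowcase_file,"elam")==0        || //win8
         strcmp(lowcase_file,"fp")==0          || //win8

         startWith(lowcase_file,"sam_")         ||
         startWith(lowcase_file,"software_")    ||
         startWith(lowcase_file,"system_")      ||
         startWith(lowcase_file,"default_")     ||
         startWith(lowcase_file,"hardware_")    ||
         startWith(lowcase_file,"security_")    ||
         startWith(lowcase_file,"bcd-template_")|| //win8
         startWith(lowcase_file,"components_")  || //win8
         startWith(lowcase_file,"drivers_")     || //win8
         startWith(lowcase_file,"bbi_")         || //win8
         startWith(lowcase_file,"elam_")        || //win8
         startWith(lowcase_file,"fp_"); //win8
}

// Chrome profile databases (no extension).
// NOTE(review): "default" is already claimed by is_system_hive, which is
// tested first, so that entry can never match here — confirm which of the two
// classifications is intended for a file named "default".
static int is_chrome_db(char *lowcase_file)
{
  return strcmp(lowcase_file,"archived history")==0 ||  //chrome
         strcmp(lowcase_file,"history")==0 ||
         strcmp(lowcase_file,"cookies")==0 ||
         strcmp(lowcase_file,"default")==0 ||
         strcmp(lowcase_file,"login data")==0 ||
         strcmp(lowcase_file,"top sites")==0 ||
         strcmp(lowcase_file,"web data")==0;
}

//------------------------------------------------------------------------------
// Classify one file by its (lower-cased) name and extension, add it under the
// matching title node of the file tree-view `htv`, and tick the tests that
// can consume it. `path` is the directory prefix used when `global_path`
// (the complete path, may be NULL) is not supplied. Files that match no rule
// are ignored.
void AddItemFiletoTreeView(HANDLE htv, char *lowcase_file, char *path, char *global_path)
{
  //get extension
  char ext[MAX_PATH];
  if (!extractExtFromFile(lowcase_file, ext, MAX_PATH))
  {
    // No extension: system hives, then Chrome profile databases.
    if (is_system_hive(lowcase_file))
    {
      trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_REGISTRY);
      trv_check_registry_tests();
    }
    else if (is_chrome_db(lowcase_file))
    {
      trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_APPLI);
      check_treeview(htrv_test, H_tests[INDEX_NAV_CHROME], TRV_STATE_CHECK);
    }
    return;
  }

  if (strcmp(ext,"lnk")==0) //shortcuts
  {
    trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_FILES);
    check_treeview(htrv_test, H_tests[INDEX_FILE_NK], TRV_STATE_CHECK);
    check_treeview(htrv_test, H_tests[INDEX_FILE], TRV_STATE_CHECK);
  }
  else if (strcmp(ext,"log")==0 ||
           strcmp(ext,"evt")==0 ||
           strcmp(ext,"evtx")==0) //logs
  {
    trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_LOGS);
    check_treeview(htrv_test, H_tests[INDEX_LOG], TRV_STATE_CHECK);
  }
  else if (is_user_hive_with_ext(lowcase_file, ext)) //registry
  {
    trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_REGISTRY);
    trv_check_registry_tests();
  }
  else if (strcmp(ext,"db")==0     ||          //android
           strcmp(ext,"sqlite")==0 ||          //firefox
           strcmp(ext,"dat")==0    ||          //ie (any remaining .dat, so the index*.dat tests below are already covered)
           strcmp(lowcase_file,"index.dat")==0 || (startWith(lowcase_file,"index_") && strcmp(ext,"dat")==0) ||
           strcmp(lowcase_file,"ntds.dit")==0  || (startWith(lowcase_file,"ntds_") && strcmp(ext,"dit")==0)) //applications
  {
    trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_APPLI);
    check_treeview(htrv_test, H_tests[INDEX_ANDROID], TRV_STATE_CHECK);
    check_treeview(htrv_test, H_tests[INDEX_NAV_CHROME], TRV_STATE_CHECK);
    check_treeview(htrv_test, H_tests[INDEX_NAV_FIREFOX], TRV_STATE_CHECK);
    check_treeview(htrv_test, H_tests[INDEX_NAV_IE], TRV_STATE_CHECK);
  }
  else if (!strcmp(ext,"pf")) //prefetch
  {
    trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_APPLI);
    check_treeview(htrv_test, H_tests[INDEX_PREFETCH], TRV_STATE_CHECK);
  }
  else if (!strcmp(ext,"job")) //scheduled task
  {
    trv_add_file_under(htv, lowcase_file, path, global_path, FILES_TITLE_APPLI);
    check_treeview(htrv_test, H_tests[INDEX_TASK], TRV_STATE_CHECK);
  }
}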
//------------------------------------------------------------------------------
//http://msdn.microsoft.com/en-us/library/windows/desktop/ms649016%28v=vs.85%29.aspx
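// How the payload of one clipboard format is turned into the `data` column.
enum clip_kind
{
  CLIP_KIND_TEXT,     // NUL-terminated ANSI text in a global block
  CLIP_KIND_WIDE,     // NUL-terminated UTF-16 text in a global block
  CLIP_KIND_HEX,      // raw global block, hex-encoded with DatatoHexa
  CLIP_KIND_BITMAP,   // HBITMAP (GDI handle, not lockable)
  CLIP_KIND_ENHMETA,  // HENHMETAFILE (GDI handle, serialised with GetEnhMetaFileBits)
  CLIP_KIND_HDROP,    // HDROP file list
  CLIP_KIND_LOCALE,   // global block holding one DWORD LCID
  CLIP_KIND_DIBV5     // global block; only the BITMAPV5HEADER is recorded
};

// Static description of one clipboard format id: the name written to the
// `format` column, the description used when the clipboard has no registered
// name for it (NULL keeps whatever GetClipboardFormatName reported), and how
// the payload is read.
struct clip_format
{
  unsigned int id;
  const char *name;
  const char *default_desc;
  enum clip_kind kind;
};

static const struct clip_format clip_formats[] =
{
  { CF_TEXT,         "CF_TEXT",         "Text",                                        CLIP_KIND_TEXT },
  { CF_BITMAP,       "CF_BITMAP",       "Bitmap Picture",                              CLIP_KIND_BITMAP },
  { CF_METAFILEPICT, "CF_METAFILEPICT", "Meta-File Picture",                           CLIP_KIND_HEX },
  { CF_SYLK,         "CF_SYLK",         "Microsoft Symbolic Link (SYLK) data",         CLIP_KIND_TEXT },
  { CF_OEMTEXT,      "CF_OEMTEXT",      "Text (OEM)",                                  CLIP_KIND_TEXT },
  { CF_DIB,          "CF_DIB",          "DIB Bitmap Picture",                          CLIP_KIND_HEX },
  { CF_DIF,          "CF_DIF",          "Software Arts' Data Interchange information", CLIP_KIND_HEX },
  { CF_TIFF,         "CF_TIFF",         "Tagged Image File Format (TIFF) Picture",     CLIP_KIND_HEX },
  // CF_PALETTE hands out an HPALETTE, which GlobalLock is not expected to
  // accept; `data` then stays empty. Kept for parity with the original —
  // TODO confirm whether a GetPaletteEntries dump is wanted instead.
  { CF_PALETTE,      "CF_PALETTE",      "Colour Palette",                              CLIP_KIND_HEX },
  { CF_PENDATA,      "CF_PENDATA",      "Pen Data",                                    CLIP_KIND_HEX },
  { CF_UNICODETEXT,  "CF_UNICODETEXT",  "Text Unicode",                                CLIP_KIND_WIDE },
  { CF_RIFF,         "CF_RIFF",         "RIFF Audio data",                             CLIP_KIND_HEX },
  { CF_WAVE,         "CF_WAVE",         "Wave File",                                   CLIP_KIND_HEX },
  { CF_ENHMETAFILE,  "CF_ENHMETAFILE",  "Enhanced Meta-File Picture",                  CLIP_KIND_ENHMETA },
  { CF_HDROP,        "CF_HDROP",        "File List",                                   CLIP_KIND_HDROP },
  { CF_LOCALE,       "CF_LOCALE",       "Text Locale Identifier",                      CLIP_KIND_LOCALE },
  // 17 is CF_DIBV5 (not defined by every SDK header set used with this code).
  { 17,              "CF_DIBV5",        NULL,                                          CLIP_KIND_DIBV5 },
  // The ids below are registered formats as observed by the original author.
  // Registered ids are assigned at run time and are not guaranteed to be the
  // same on another system; the name GetClipboardFormatName returns is the
  // reliable key — TODO consider matching on it.
  { 49155,           "UNKNOW",          "OwnerLink",                                   CLIP_KIND_TEXT },
  { 49156,           "UNKNOW",          "Native Bitmap Picture",                       CLIP_KIND_HEX },
  { 49158,           "UNKNOW",          "FileName",                                    CLIP_KIND_TEXT },
  { 49159,           "UNKNOW",          "FileNameW",                                   CLIP_KIND_WIDE },
  { 49298,           "UNKNOW",          "Rich Text Format",                            CLIP_KIND_TEXT },
};

// Find the table entry for a clipboard format id; NULL when unknown.
static const struct clip_format *clip_lookup(unsigned int id)
{
  size_t i;
  for (i = 0; i < sizeof clip_formats / sizeof clip_formats[0]; i++)
  {
    if (clip_formats[i].id == id) return &clip_formats[i];
  }
  return NULL;
}

// Copy the ANSI text held in a global clipboard block into `data` (`size`
// bytes, always NUL-terminated). The block was produced by another process,
// so its NUL terminator is not trusted: the copy stops at the first NUL, at
// the end of the block (GlobalSize) or at the end of `data`, whichever comes
// first. `data` is left empty when the block cannot be locked.
static void clip_text_to_buf(HANDLE hMem, char *data, size_t size)
{
  const char *src = GlobalLock(hMem);
  size_t n = 0;
  data[0] = 0;
  if (src == NULL) return;
  {
    SIZE_T avail = GlobalSize(hMem);
    while (n < avail && n + 1 < size && src[n] != 0) n++;
  }
  memcpy(data, src, n);
  data[n] = 0;
  GlobalUnlock(hMem);
}

// Same as clip_text_to_buf for UTF-16 text: the wide string is converted
// with "%S" (locale conversion, as the original did) but the precision caps
// how many characters may be read, so an unterminated block is never read
// past its end. `data` is left empty when the block cannot be locked.
static void clip_wide_to_buf(HANDLE hMem, char *data, size_t size)
{
  const wchar_t *src = GlobalLock(hMem);
  data[0] = 0;
  if (src == NULL) return;
  {
    SIZE_T avail = GlobalSize(hMem) / sizeof(wchar_t);
    size_t prec = (avail < size - 1) ? (size_t)avail : size - 1;
    snprintf(data, size, "%.*S", (int)prec, src);
  }
  GlobalUnlock(hMem);
}

// Hex-encode a global clipboard block into `data`. `max_bytes` caps how much
// of the block is encoded (0 = the whole block); the cap never exceeds
// GlobalSize, so a block smaller than the expected structure is not
// over-read. `data` is left empty when the block cannot be locked.
static void clip_hex_to_buf(HANDLE hMem, SIZE_T max_bytes, char *data, size_t size)
{
  void *src = GlobalLock(hMem);
  data[0] = 0;
  if (src == NULL) return;
  {
    SIZE_T len = GlobalSize(hMem);
    if (max_bytes != 0 && len > max_bytes) len = max_bytes;
    DatatoHexa(src, len, data, size);
  }
  GlobalUnlock(hMem);
}

// Fill `data` (`size` bytes) from the clipboard handle `hMem` according to
// `kind`. Text kinds are run through convertStringToSQL as before.
static void clip_extract(enum clip_kind kind, unsigned int uFormat, HANDLE hMem, char *data, size_t size)
{
  (void)uFormat;
  data[0] = 0;
  switch (kind)
  {
    case CLIP_KIND_TEXT:
      clip_text_to_buf(hMem, data, size);
      convertStringToSQL(data, size);
      break;
    case CLIP_KIND_WIDE:
      clip_wide_to_buf(hMem, data, size);
      convertStringToSQL(data, size);
      break;
    case CLIP_KIND_HEX:
      clip_hex_to_buf(hMem, 0, data, size);
      break;
    case CLIP_KIND_BITMAP:
      // GDI handle: converted by the project's own bitmap encoder.
      SaveBitmapToHexaStr((HBITMAP)hMem, data, size);
      break;
    case CLIP_KIND_ENHMETA:
    {
      // GDI handle: serialise it (size query, then the bits) before encoding.
      DWORD dwSize = GetEnhMetaFileBits((HENHMETAFILE)hMem, 0, NULL);
      if (dwSize > 0)
      {
        LPBYTE buffer = malloc(dwSize);
        if (buffer != NULL)
        {
          if (GetEnhMetaFileBits((HENHMETAFILE)hMem, dwSize, buffer) != 0)
          {
            DatatoHexa(buffer, dwSize, data, size);
          }
          free(buffer);
        }
      }
      break;
    }
    case CLIP_KIND_HDROP:
    {
      // One dropped path per line. `used` tracks the bytes already written so
      // every snprintf is bounded by the space actually left (the original
      // sized it with the username length by mistake).
      HDROP hDrop = (HDROP)hMem;
      char tmp[MAX_PATH];
      DWORD nb_path = DragQueryFile(hDrop, 0xFFFFFFFF, tmp, MAX_PATH);
      size_t used = 0;
      DWORD i;
      for (i = 0; i < nb_path && used + 1 < size; i++)
      {
        int n;
        if (DragQueryFile(hDrop, i, tmp, MAX_PATH) == 0) continue;
        n = snprintf(data + used, size - used, "%s\r\n", tmp);
        if (n < 0 || (size_t)n >= size - used) break;   // truncated: buffer full
        used += (size_t)n;
      }
      convertStringToSQL(data, size);
      break;
    }
    case CLIP_KIND_LOCALE:
    {
      // The block holds the LCID itself; the original printed the address
      // returned by GlobalLock instead of the value.
      const DWORD *lcid = GlobalLock(hMem);
      if (lcid != NULL)
      {
        if (GlobalSize(hMem) >= sizeof *lcid)
        {
          snprintf(data, size, "0x%X", (unsigned int)*lcid);
        }
        GlobalUnlock(hMem);
      }
      break;
    }
    case CLIP_KIND_DIBV5:
      // Only the header is recorded; the cap is reduced to the block size by the helper.
      clip_hex_to_buf(hMem, sizeof(BITMAPV5HEADER), data, size);
      break;
    default:
      clip_hex_to_buf(hMem, 0, data, size);
      break;
  }
}

//------------------------------------------------------------------------------
// Thread entry point: record every format currently on the clipboard of the
// live machine (format name, id, description, user, payload) through
// addClipboardtoDB. Nothing to do when the scan targets files (LOCAL_SCAN
// clear).
//
// lParam carries the test index (an integer smuggled through LPVOID); it
// selects the tree-view entry to untick and the h_thread_test slot to
// release on exit. Always returns 0.
DWORD WINAPI Scan_clipboard(LPVOID lParam)
{
  unsigned int test_index = (unsigned int)lParam;

  //check if local or not :)
  if (!LOCAL_SCAN)
  {
    h_thread_test[test_index] = 0;
    check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);//db_scan
    return 0;
  }

  //db
  sqlite3 *db = (sqlite3 *)db_scan;
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  // Read the clipboard contents and extract each format.
  if (OpenClipboard(0))
  {
    char description[MAX_LINE_SIZE], format[DEFAULT_TMP_SIZE],
    data[MAX_LINE_SIZE],user[NB_USERNAME_SIZE+1]="";
    unsigned int session_id = current_session_id;
    HANDLE hMem;

    //user
    DWORD user_len=NB_USERNAME_SIZE;
    if (!GetUserName(user,&user_len)) user[0] = 0;

    // `remaining` caps the walk so a clipboard owner that keeps producing
    // formats cannot loop forever. It is post-decremented: the original
    // pre-decrement skipped the last format, so a clipboard holding exactly
    // one format yielded nothing.
    int remaining = CountClipboardFormats();
    if (remaining > 0)
    {
      unsigned int uFormat = EnumClipboardFormats(0);
      #ifdef CMD_LINE_ONLY_NO_DB
      printf("\"Clipboard\";\"format\";\"code\";\"description\";\"user\";\"session_id\";\"data\";\r\n");
      #endif // CMD_LINE_ONLY_NO_DB
      while (uFormat && start_scan && remaining-- > 0)
      {
        //check if ok
        if (IsClipboardFormatAvailable(uFormat))
        {
          const struct clip_format *fmt;

          // GetClipboardFormatName only knows registered formats; for the
          // predefined CF_* ones it returns 0, which is where the table's
          // default descriptions apply. The original required a non-zero
          // return before extracting anything, and tested GetLastError() in
          // the loop condition, so that failure ended the scan instead.
          if (GetClipboardFormatName(uFormat, description, MAX_LINE_SIZE) == 0)
          {
            description[0] = 0;
          }
          data[0]= 0;

          hMem = GetClipboardData(uFormat);
          if (hMem != NULL)
          {
            fmt = clip_lookup(uFormat);
            snprintf(format, DEFAULT_TMP_SIZE, "%s", fmt != NULL ? fmt->name : "UNKNOW");
            if (description[0]==0 && fmt != NULL && fmt->default_desc != NULL)
            {
              snprintf(description, MAX_LINE_SIZE, "%s", fmt->default_desc);
            }
            clip_extract(fmt != NULL ? fmt->kind : CLIP_KIND_HEX, uFormat, hMem, data, MAX_LINE_SIZE);
            addClipboardtoDB(format, uFormat, description, data, user, session_id, db);
          }
        }
        uFormat = EnumClipboardFormats(uFormat);
      }
    }
    CloseClipboard();
  }
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);

  // Release the test entry: untick it in the tree-view and free the thread
  // slot (the original also cleared the slot from inside the CF_UNICODETEXT
  // case while the thread was still running).
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[test_index] = 0;
  return 0;
}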
//------------------------------------------------------------------------------
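// Enumerate network shares and store each one with addSharetoDB.
//
// Offline scan (!LOCAL_SCAN): every hive listed under the "registry" branch of
// the file tree is opened with OpenRegFiletoMem and the LanmanServer\Shares
// key of ControlSet001..004 is walked by EnumShare (an offline hive has no
// CurrentControlSet link, hence the numbered sets).
// Live scan: NetShareEnum (level 502) from NETAPI32, loaded dynamically.
//
// lParam : index of this test in H_tests / h_thread_test. The slot is cleared
//          and the test unchecked on every exit path, so the GUI always sees
//          the thread finish (the original returned early when NETAPI32 could
//          not be loaded, leaving the transaction open and the slot set).
// Returns 0 (thread exit code).
DWORD WINAPI Scan_share(LPVOID lParam)
{
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  unsigned int test_index = (unsigned int)lParam;

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Share\";\"file\";\"share\";\"path\";\"description\";\"type\";\"connexion\";\"session_id\";\r\n");
  #endif

  if (!LOCAL_SCAN)
  {
    //get in registry files
    char file[MAX_PATH];
    HK_F_OPEN hks;
    HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
    while(hitem!=NULL)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      //open file + verify
      if (file[0] != 0 && OpenRegFiletoMem(&hks, file))
      {
        EnumShare(&hks, session_id, db, "ControlSet001\\Services\\LanmanServer\\Shares");
        EnumShare(&hks, session_id, db, "ControlSet002\\Services\\LanmanServer\\Shares");
        EnumShare(&hks, session_id, db, "ControlSet003\\Services\\LanmanServer\\Shares");
        EnumShare(&hks, session_id, db, "ControlSet004\\Services\\LanmanServer\\Shares");
        CloseRegFiletoMem(&hks);
      }
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }else
  {
    //NETAPI32 is resolved at run time; when it is missing the scan simply
    //yields nothing, but the common epilogue below (END TRANSACTION, tree-view
    //state, thread slot) must still run, so there is no early return here.
    HMODULE hDLL = LoadLibrary("NETAPI32.dll");
    if (hDLL != NULL)
    {
      typedef NET_API_STATUS (WINAPI *NETAPIBUFFERFREE)(LPVOID Buffer);
      NETAPIBUFFERFREE NetApiBufferFree = (NETAPIBUFFERFREE) GetProcAddress(hDLL,"NetApiBufferFree");

      typedef NET_API_STATUS (WINAPI *NETSHAREENUM)(LPWSTR servername, DWORD level, LPBYTE* bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, LPDWORD resume_handle);
      NETSHAREENUM NetShareEnum = (NETSHAREENUM) GetProcAddress(hDLL,"NetShareEnum");

      if (NetApiBufferFree != NULL && NetShareEnum != NULL )
      {
        NET_API_STATUS res;
        PSHARE_INFO_502 buffer, p;
        DWORD nb, tr, i;
        //resume handle: must be 0 on the first call and left untouched between
        //ERROR_MORE_DATA passes, otherwise every pass restarts from the first share
        DWORD resume = 0;
        char share[DEFAULT_TMP_SIZE], path[MAX_PATH], description[MAX_PATH], type[DEFAULT_TMP_SIZE], connexion[DEFAULT_TMP_SIZE];

        do
        {
          buffer = NULL;
          nb = 0;
          tr = 0;
          res = NetShareEnum (0, 502, (LPBYTE *) &buffer,MAX_PREFERRED_LENGTH, &nb, &tr, &resume);
          if(res != ERROR_SUCCESS && res != ERROR_MORE_DATA)break;

          for(i=0,p=buffer;i<nb;i++,p++)
          {
            snprintf(share,DEFAULT_TMP_SIZE,"%S",p->shi502_netname);
            snprintf(path,MAX_PATH,"%S",p->shi502_path);
            snprintf(description,MAX_PATH,"%S",p->shi502_remark);

            switch(p->shi502_type)
            {
              case STYPE_DISKTREE:  strncpy(type,"DISKTREE",DEFAULT_TMP_SIZE);break;
              case STYPE_PRINTQ:    strncpy(type,"PRINT",DEFAULT_TMP_SIZE);break;
              case STYPE_DEVICE:    strncpy(type,"DEVICE",DEFAULT_TMP_SIZE);break;
              case STYPE_IPC:       strncpy(type,"IPC",DEFAULT_TMP_SIZE);break;
              case STYPE_SPECIAL:   strncpy(type,"SPECIAL",DEFAULT_TMP_SIZE);break;
              case 0x40000000:      strncpy(type,"TEMPORARY",DEFAULT_TMP_SIZE);break;
              //STYPE_SPECIAL|STYPE_IPC; same value as the signed literal -2147483645 once converted to DWORD
              case 0x80000003:      strncpy(type,"RPC",DEFAULT_TMP_SIZE);break;
              default :             snprintf(type,DEFAULT_TMP_SIZE,"UNKNOW (%lu)",p->shi502_type);break;
            }

            //shi502_max_uses == -1 (all bits set) means "unlimited"
            if (p->shi502_max_uses==-1)
              snprintf(connexion,DEFAULT_TMP_SIZE,"%lu/-",p->shi502_current_uses);
            else snprintf(connexion,DEFAULT_TMP_SIZE,"%lu/%lu",p->shi502_current_uses,p->shi502_max_uses);

            //NOTE(review): share is not passed through convertStringToSQL like
            //path and description are; confirm addSharetoDB quotes it itself.
            convertStringToSQL(path, MAX_PATH);
            convertStringToSQL(description, MAX_PATH);
            addSharetoDB("",share, path, description, type, connexion, session_id, db);
          }
          //the enumeration buffer belongs to NETAPI32: release it after every pass
          if (buffer != NULL) NetApiBufferFree(buffer);
        }while(res==ERROR_MORE_DATA && start_scan);
      }
      FreeLibrary(hDLL);
    }
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[test_index] = 0;
  return 0;
}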
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
// Collect user accounts, either from the hives listed under the "registry"
// branch of the file tree (offline) or from the running machine
// (Scan_registry_user_local).
//
// Offline mode walks the hives in tree order; a hive whose (lower-cased) path
// contains "sam" is remembered and processed last, after the syskey and the
// computer name have been picked up from the other hives.
//
// lParam : index of this test in H_tests / h_thread_test, cleared on exit.
// Returns 0 (thread exit code).
DWORD WINAPI Scan_registry_user(LPVOID lParam)
{
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  unsigned int test_index = (unsigned int)lParam;

  HK_F_OPEN hks;
  char file[MAX_PATH];
  char file_SAM[MAX_PATH] = "";           //SAM hive, deferred until every other hive is done
  char sk[MAX_PATH] = "";                 //syskey; filled by registry_syskey_file, not read again here
  char computer[DEFAULT_TMP_SIZE] = "";   //computer name from the first hive that has one
  BOOL ok_computer = FALSE;

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem == NULL && LOCAL_SCAN)
  {
    Scan_registry_user_local(db, session_id);
  }
  else
  {
    for (; hitem != NULL; hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem))
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      if (file[0] == 0) continue;

      charToLowChar(file);
      //Contient is presumably a substring test, so any path containing "sam"
      //(not only a hive named SAM) is deferred - TODO confirm
      if ((Contient(file,"sam")) && file_SAM[0] == 0)
      {
        snprintf(file_SAM, MAX_PATH, "%s", file);
        continue;
      }

      if (!OpenRegFiletoMem(&hks, file)) continue;

      registry_syskey_file(&hks, sk, MAX_PATH);

      if (!ok_computer)
      {
        char tmp[DEFAULT_TMP_SIZE]="";
        Readnk_Value(hks.buffer, hks.taille_fic, (hks.pos_fhbin)+HBIN_HEADER_SIZE, hks.position, "ControlSet001\\Control\\ComputerName\\ComputerName", NULL,"ComputerName", tmp, DEFAULT_TMP_SIZE);
        if (tmp[0]!=0)
        {
          snprintf(computer, DEFAULT_TMP_SIZE, "%s", tmp);
          ok_computer = TRUE;
        }
      }

      Scan_registry_user_file(&hks, db, session_id,computer);
      CloseRegFiletoMem(&hks);
    }

    //the SAM hive goes last so that syskey/computer name are already known
    if (file_SAM[0] != 0 && OpenRegFiletoMem(&hks, file_SAM))
    {
      Scan_registry_user_file(&hks, db, session_id,computer);
      CloseRegFiletoMem(&hks);
    }
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[test_index] = 0;
  return 0;
}
//------------------------------------------------------------------------------
//format : http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format
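// Scan Windows prefetch files and hand each one to PfCheck.
//
// When the "applications" branch of the file tree holds items (or the scan is
// not local, or we run under Wine) every tree item with a ".pf" extension is
// checked. Otherwise %WINDIR%\Prefetch\*.pf on the live system is enumerated
// (FindFirstFile/FindNextFile, handle closed with FindClose; the original
// leaked it) and the file name is appended with snprintf, which cannot
// overflow path_f the way the former strncat(…, MAX_PATH) could.
//
// lParam : index of this test in H_tests / h_thread_test, cleared on exit.
// Returns 0 (thread exit code).
DWORD WINAPI Scan_prefetch(LPVOID lParam)
{
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  unsigned int test_index = (unsigned int)lParam;

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Prefetch\";\"file\";\"path\";\"create_time\";\"last_update\";\"last_access\";\"count\";\"exec\";\"session_id\";\"depend\";\r\n");
  #endif

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  //check if local or not :)
  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);
  if (hitem!=NULL || !LOCAL_SCAN || WINE_OS)
  {
    //files chosen in the tree: keep only *.pf
    char tmp_file_pref[MAX_PATH],ext[MAX_PATH];
    while(hitem!=NULL)
    {
      tmp_file_pref[0] = 0;
      ext[0]           = 0;
      GetTextFromTrv(hitem, tmp_file_pref, MAX_PATH);
      if (!strcmp("pf",extractExtFromFile(charToLowChar(tmp_file_pref), ext, MAX_PATH)))
        PfCheck(session_id, db, tmp_file_pref);

      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }
  else
  {
    //live system: %WINDIR%\Prefetch\*.pf
    char path[MAX_PATH] ="%WINDIR%\\Prefetch\\*.pf";
    ReplaceEnv("WINDIR",path,MAX_PATH);

    //path[0..dir_len) is the directory prefix including its trailing
    //backslash: drop the 4-character "*.pf" pattern from the end
    size_t dir_len = strlen(path);
    if (dir_len >= 4) dir_len -= 4;

    char path_f[MAX_PATH];
    WIN32_FIND_DATA data;
    HANDLE hfic = FindFirstFile(path, &data);
    if (hfic != INVALID_HANDLE_VALUE)
    {
      do
      {
        BOOL dot_entry = data.cFileName[0] == '.' && (data.cFileName[1] == 0 || data.cFileName[1] == '.');
        if (dot_entry || (data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) continue;

        //bounded concatenation: a name longer than the remaining room is truncated, never written past path_f
        snprintf(path_f, MAX_PATH, "%.*s%s", (int)dir_len, path, data.cFileName);
        PfCheck(session_id, db, path_f);
      }while(FindNextFile (hfic,&data) && start_scan);
      FindClose(hfic);
    }
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[test_index] = 0;
  return 0;
}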
//------------------------------------------------------------------------------
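// Copy one line of `text` (up to the first '\r' or '\n') into `line`,
// NUL-terminated and truncated to size-1 characters, and return a pointer to
// the start of the next line. CRLF, LF and CR terminators are all consumed;
// at the end of the text the returned pointer sits on the final NUL.
static const char *Scan_dns_next_line(const char *text, char *line, size_t size)
{
  size_t len  = strcspn(text, "\r\n");
  size_t copy = len < size - 1 ? len : size - 1;
  memcpy(line, text, copy);
  line[copy] = 0;
  text += len;
  if (*text == '\r') text++;
  if (*text == '\n') text++;
  return text;
}

// Split a hosts-file line into its address and name.
// The address is the leading run of digits, '.' and ':' (IPv4 or IPv6); the
// name is whatever follows it once blanks/tabs are skipped.
// Returns TRUE when ip/name were filled, FALSE for comments, lines too short
// to hold an entry, lines that do not start with an address, or lines that
// carry an address alone.
static BOOL Scan_dns_parse_host_line(const char *line, char *ip, size_t ip_size, char *name, size_t name_size)
{
  //comment or too short to hold "x.x.x.x h"
  if (line[0] == '#' || strlen(line) <= 8) return FALSE;

  size_t ip_len = strspn(line, "0123456789.:");
  //no address, address only, or address too long for the buffer
  if (ip_len == 0 || line[ip_len] == 0 || ip_len >= ip_size) return FALSE;

  memcpy(ip, line, ip_len);
  ip[ip_len] = 0;

  const char *rest = line + ip_len;
  while (*rest == ' ' || *rest == '\t') rest++;
  snprintf(name, name_size, "%s", rest);
  return TRUE;
}

// Read `file` (the hosts file) and store every "ip name" entry with
// addHosttoDB, tagged with the file's last-write time (GMT).
// The file is read in one go; the buffer is NUL-terminated after ReadFile so
// the line walker never runs past the data (the original never terminated it).
static void Scan_dns_hosts_file(char *file, unsigned int session_id, sqlite3 *db)
{
  HANDLE Hfic = CreateFile(file,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0);
  if (Hfic == INVALID_HANDLE_VALUE) return;

  DWORD taille_fic = GetFileSize(Hfic,NULL);
  if (taille_fic != INVALID_FILE_SIZE)
  {
    char *buffer = (char *) HeapAlloc(GetProcessHeap(), 0, taille_fic+1);
    if (buffer != NULL)
    {
      //get last update
      char last_file_update[DATE_SIZE_MAX]="";
      FILETIME LastWriteTime;
      if(GetFileTime(Hfic,NULL,NULL,&LastWriteTime))filetimeToString_GMT(LastWriteTime, last_file_update, DATE_SIZE_MAX);

      DWORD copiee = 0;
      if (ReadFile(Hfic, buffer, taille_fic,&copiee,0))
      {
        buffer[copiee] = 0;   //ReadFile does not terminate the data

        char lines[MAX_PATH], ip[IPV6_SIZE_MAX], name[MAX_PATH];
        const char *r = buffer;
        while (*r)
        {
          r = Scan_dns_next_line(r, lines, MAX_PATH);
          if (Scan_dns_parse_host_line(lines, ip, IPV6_SIZE_MAX, name, MAX_PATH))
            addHosttoDB(file, ip, name, last_file_update,session_id,db);
        }
      }
      HeapFree(GetProcessHeap(), 0, buffer);
    }
  }
  CloseHandle(Hfic);
}

// Dump the resolver cache: every cached name is re-resolved with DnsQuery
// (type A) and each A record is stored with addHosttoDB, the TTL taking the
// place of the file date. DNSAPI is loaded dynamically; when it or the
// undocumented DnsGetCacheDataTable export is missing nothing is recorded.
static void Scan_dns_cache(unsigned int session_id, sqlite3 *db)
{
  HMODULE hDLL = LoadLibrary( "DNSAPI.DLL" );
  if (hDLL == NULL) return;

  //undocumented export: receives the address of a PDNS_RECORD that gets the
  //head of the cache list (the call site below passes &pcache, so the
  //pointer type must be PDNS_RECORD*, not PDNS_RECORD)
  typedef int(WINAPI *DNS_GET_CACHE_DATA_TABLE)(PDNS_RECORD *);
  DNS_GET_CACHE_DATA_TABLE DnsGetCacheDataTable = (DNS_GET_CACHE_DATA_TABLE)GetProcAddress(hDLL,"DnsGetCacheDataTable");

  if (DnsGetCacheDataTable != NULL)
  {
    PDNS_RECORD pcache = NULL;
    if (DnsGetCacheDataTable(&pcache) == TRUE)
    {
      char name[MAX_PATH], ip[IPV6_SIZE_MAX], ttl[DATE_SIZE_MAX];
      for (PDNS_RECORD cache = pcache; cache != NULL; cache = cache->pNext)
      {
        snprintf(name,MAX_PATH,"%S",cache->pName);
        if (name[0] == 0) continue;

        //get IP + TTL
        DNS_RECORD *dnsRecords = NULL;
        if(DnsQuery(name,DNS_TYPE_A,0,NULL,&dnsRecords,NULL) != ERROR_SUCCESS) continue;

        for (DNS_RECORD *dnsr = dnsRecords; dnsr != NULL; dnsr = dnsr->pNext)
        {
          //the answer chain may also carry CNAME records whose Data union
          //holds a pointer, not an address: only decode real A records
          if (dnsr->wType != DNS_TYPE_A) continue;

          IN_ADDR ipAddress;
          ipAddress.S_un.S_addr = dnsr->Data.A.IpAddress;
          const char *txt = inet_ntoa(ipAddress);
          if (txt == NULL) continue;

          snprintf(ip,IP_SIZE_MAX,"%s",txt);
          snprintf(ttl,DATE_SIZE_MAX,"%lu (s)",dnsr->dwTtl);
          addHosttoDB("", ip, name, ttl,session_id,db);
        }
        DnsRecordListFree(dnsRecords,DnsFreeRecordList);
      }
      //NOTE(review): the list returned by DnsGetCacheDataTable is not released
      //here; the right release call for this undocumented API is not
      //established in this file - confirm before adding one.
    }
  }
  FreeLibrary(hDLL);
}

// Collect name resolution data from the live system: the hosts file and the
// DNS resolver cache. Not applicable to offline scans or Wine.
//
// lParam : index of this test in H_tests / h_thread_test. The slot is cleared
//          and the test unchecked on every exit path (the original returned
//          early when DNSAPI could not be loaded, leaving the transaction open
//          and the slot set).
// Returns 0 (thread exit code).
DWORD WINAPI Scan_dns(LPVOID lParam)
{
  unsigned int local_id = (unsigned int)lParam;

  //check if local or not :)
  if (!LOCAL_SCAN || WINE_OS)
  {
    h_thread_test[local_id] = 0;
    check_treeview(htrv_test, H_tests[local_id], TRV_STATE_UNCHECK);//db_scan
    return 0;
  }

  //init
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"DNS\";\"file\";\"ip\";\"name\";\"last_file_update\";\"malware_check\";\"session_id\";\r\n");
  #endif // CMD_LINE_ONLY_NO_DB

  //hosts file; assumes the default "\WINDOWS" install directory on the system
  //drive. getenv may return NULL, which must not reach snprintf("%s").
  const char *sysdrive = getenv("SYSTEMDRIVE");
  if (sysdrive != NULL)
  {
    char file[MAX_PATH]="";
    snprintf(file,MAX_PATH,"%s\\WINDOWS\\system32\\drivers\\etc\\hosts",sysdrive);
    Scan_dns_hosts_file(file, session_id, db);
  }

  //get cache
  Scan_dns_cache(session_id, db);

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[local_id], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[local_id] = 0;
  return 0;
}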
//------------------------------------------------------------------------------
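// Chrome profile directories, relative to a user's profile path, that hold the
// SQLite history databases: the XP-era layout first, then the Vista+ layout
// (%LOCALAPPDATA%\Google\Chrome\User Data).
static const char *const CHROME_USER_DATA_DIRS[] = {
  "Local Settings\\Application Data\\Google\\Chrome\\User Data\\Default",
  "AppData\\Local\\Google\\Chrome\\User Data\\Default",
};

// Run every sql_CHROME query against the SQLite file whose path is currently
// held in the global tmp_file_chrome and route the rows through
// callback_sqlite_chrome (which presumably reads that global for the "file"
// column - that is why the name is not passed as a parameter; TODO confirm).
// The handle is closed even when sqlite3_open fails: SQLite still hands back a
// connection object in that case and it must be released with sqlite3_close.
static void Scan_chrome_db(FORMAT_CALBAK_READ_INFO *data)
{
  sqlite3 *db_tmp = NULL;
  if (sqlite3_open(tmp_file_chrome, &db_tmp) == SQLITE_OK)
  {
    for (data->type =0;data->type <nb_sql_CHROME && start_scan;data->type = data->type+1)
    {
      if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
      sqlite3_exec(db_tmp, sql_CHROME[data->type].sql, callback_sqlite_chrome, data, NULL);
      if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
    }
  }
  sqlite3_close(db_tmp);
}

// Scan every regular file of <profile_path>\<sub_dir> as a Chrome database.
// Directories and the "." / ".." entries are skipped; the find handle is
// closed on exit (the original never called FindClose).
static void Scan_chrome_dir(const char *profile_path, const char *sub_dir, FORMAT_CALBAK_READ_INFO *data)
{
  char pattern[MAX_PATH];
  snprintf(pattern,MAX_PATH,"%s\\%s\\*.*",profile_path,sub_dir);

  WIN32_FIND_DATA wfd;
  HANDLE hfic = FindFirstFile(pattern, &wfd);
  if (hfic == INVALID_HANDLE_VALUE) return;

  do
  {
    if (wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) continue;
    if (wfd.cFileName[0] == '.' && (wfd.cFileName[1] == 0 || wfd.cFileName[1] == '.')) continue;

    //test all files
    snprintf(tmp_file_chrome,MAX_PATH,"%s\\%s\\%s",profile_path,sub_dir,wfd.cFileName);
    Scan_chrome_db(data);
  }while(FindNextFile (hfic,&wfd) && start_scan);
  FindClose(hfic);
}

// Collect Chrome history from the SQLite databases of every user profile.
//
// Live scan (no item under the "applications" branch, or console mode): the
// profile directories are taken from HKLM\...\ProfileList\<sid>\ProfileImagePath
// and both known Chrome "User Data\Default" layouts are tried in each.
// Otherwise every file listed under the "applications" branch is scanned.
//
// lParam : index of this test in H_tests / h_thread_test, cleared on exit
//          (the tree-view is only touched outside console mode).
// Returns 0 (thread exit code).
DWORD WINAPI Scan_chrome_history(LPVOID lParam)
{
  //zeroed so the callback never sees indeterminate fields
  FORMAT_CALBAK_READ_INFO data = {0};
  unsigned int test_index = (unsigned int)lParam;

  //get child (there is no file tree in console mode)
  HTREEITEM hitem = NULL;
  if (!CONSOL_ONLY)hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);

  if ((hitem == NULL && LOCAL_SCAN) || CONSOL_ONLY)
  {
    //get path of all profils users
    //HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    HKEY CleTmp   = 0;
    if (RegOpenKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\",&CleTmp)==ERROR_SUCCESS)
    {
      DWORD i, nbSubKey=0, key_size;
      char tmp_key[MAX_PATH], tmp_key_path[MAX_PATH];
      if (RegQueryInfoKey (CleTmp,0,0,0,&nbSubKey,0,0,0,0,0,0,0)==ERROR_SUCCESS)
      {
        #ifdef CMD_LINE_ONLY_NO_DB
        printf("\"file\";\"parameter\";\"date\";\"id_language_description\";\"session_id\";\"data\";\r\n");
        #endif

        //get subkey
        for(i=0;i<nbSubKey && start_scan;i++)
        {
          key_size    = MAX_PATH;
          tmp_key[0]  = 0;
          if (RegEnumKeyEx (CleTmp,i,tmp_key,&key_size,0,0,0,0)!=ERROR_SUCCESS) continue;

          //generate the key path
          snprintf(tmp_key_path,MAX_PATH,"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\%s\\",tmp_key);
          //get profil path (ProfileImagePath overwrites tmp_key)
          if (!ReadValue(HKEY_LOCAL_MACHINE,tmp_key_path,"ProfileImagePath",tmp_key, MAX_PATH)) continue;
          //expand %systemdrive% when the value uses it
          ReplaceEnv("SYSTEMDRIVE",tmp_key,MAX_PATH);

          for (size_t d = 0; d < sizeof CHROME_USER_DATA_DIRS / sizeof CHROME_USER_DATA_DIRS[0]; d++)
            Scan_chrome_dir(tmp_key, CHROME_USER_DATA_DIRS[d], &data);
        }
      }
      RegCloseKey(CleTmp);
    }
  }else
  {
    #ifdef CMD_LINE_ONLY_NO_DB
    printf("\"Chrome\";\"file\";\"parameter\";\"date\";\"id_language_description\";\"session_id\";\"data\";\r\n");
    #endif
    while(hitem!=NULL)
    {
      //get item txt
      tmp_file_chrome[0] = 0;
      GetTextFromTrv(hitem, tmp_file_chrome, MAX_PATH);
      if (tmp_file_chrome[0] != 0) Scan_chrome_db(&data);
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }

  if (!CONSOL_ONLY)check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[test_index] = 0;
  return 0;
}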
//------------------------------------------------------------------------------
BOOL CALLBACK DialogProc_conf(HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam)
{
  switch(message)
  {
    case WM_COMMAND:
      if (HIWORD(wParam) == BN_CLICKED)
      {
        switch(LOWORD(wParam))
        {
          case BT_START:
            if (start_scan) CreateThread(NULL,0,StopGUIScan,0,0,0);
            else
            {
              //init
              start_scan = TRUE;
              //local or not ?
              if(TreeView_GetCount(htrv_files) > NB_MX_TYPE_FILES_TITLE)LOCAL_SCAN = FALSE;
              else LOCAL_SCAN = TRUE;
              //read state !
              if (IsDlgButtonChecked(h_conf,BT_ACL_FILE_CHK)==BST_CHECKED)FILE_ACL=TRUE;
              else FILE_ACL=FALSE;
              if (IsDlgButtonChecked(h_conf,BT_ADS_FILE_CHK)==BST_CHECKED)FILE_ADS=TRUE;
              else FILE_ADS=FALSE;
              if (IsDlgButtonChecked(h_conf,BT_SHA_FILE_CHK)==BST_CHECKED)FILE_SHA=TRUE;
              else FILE_SHA=FALSE;
              if (IsDlgButtonChecked(h_conf,BT_UTC_CHK)==BST_CHECKED)UTC_TIME=TRUE;
              else UTC_TIME=FALSE;
              if (IsDlgButtonChecked(h_conf,BT_MAGIC_CHK)==BST_CHECKED)enable_magic=TRUE;
              else enable_magic=FALSE;
              if (IsDlgButtonChecked(h_conf,BT_RA_CHK)==BST_CHECKED)enable_remote=TRUE;
              else enable_remote=FALSE;
              if (Ischeck_treeview(htrv_test, H_tests[INDEX_FILE_NK]))enable_LNK= TRUE;
              else enable_LNK= FALSE;

              EnableWindow(htrv_files,FALSE);
              EnableWindow(GetDlgItem((HWND)h_conf,BT_ACL_FILE_CHK),FALSE);
              EnableWindow(GetDlgItem((HWND)h_conf,BT_ADS_FILE_CHK),FALSE);
              EnableWindow(GetDlgItem((HWND)h_conf,BT_SHA_FILE_CHK),FALSE);
              EnableWindow(GetDlgItem((HWND)h_conf,BT_UTC_CHK),FALSE);
              EnableWindow(GetDlgItem((HWND)h_conf,BT_MAGIC_CHK),FALSE);
              EnableWindow(GetDlgItem((HWND)h_conf,BT_RA_CHK),FALSE);

              if(TreeView_GetCount(htrv_files) > NB_MX_TYPE_FILES_TITLE)LOCAL_SCAN = FALSE;
              else LOCAL_SCAN = TRUE;

              //create new session and select it !
              SendMessage(hCombo_session, CB_RESETCONTENT,0,0);
              FORMAT_CALBAK_READ_INFO fcri;
              fcri.type = TYPE_SQL_ADD_SESSION;
              SQLITE_WriteData(&fcri, SQLITE_LOCAL_BDD);

              //start
              h_thread_scan = CreateThread(NULL,0,GUIScan,0,0,0);
              SetWindowText(GetDlgItem((HWND)h_conf,BT_START),cps[TXT_BT_STOP].c);
            }
          break;
          //----------------------------------------
          case POPUP_TRV_FILES_ADD_FILE:
          {
            char files[MAX_LINE_DBSIZE]="";
            memset(files,0,MAX_LINE_DBSIZE);
            OPENFILENAME ofn;
            ZeroMemory(&ofn, sizeof(OPENFILENAME));
            ofn.lStructSize = sizeof(OPENFILENAME);
            ofn.hwndOwner = h_conf;
            ofn.lpstrFile = files;
            ofn.nMaxFile = MAX_LINE_DBSIZE;
            ofn.lpstrFilter = "*.* \0*.*\0"
                              "*.log\0*.log\0"
                              "*.evt\0*.evt\0"
                              "*.evtx\0*.evtx\0"
                              "*.db\0*.db\0"
                              "*.sqlite\0*.sqlite\0"
                              "*.dat\0*.dat\0"
                              "*.pf\0*.pf\0"
                              "*.job\0*.job\0"
                              "ntds.dit\0ntds.dit\0"
                              "sam\0sam\0"
                              "system\0system\0"
                              "software\0software\0"
                              "security\0security\0"
                              "default\0default\0"
                              "hardware\0hardware\0";
            ofn.nFilterIndex = 1;
            ofn.Flags =/*OFN_FILEMUSTEXIST |*/ OFN_OVERWRITEPROMPT | OFN_ALLOWMULTISELECT|OFN_EXPLORER|OFN_SHOWHELP;
            ofn.lpstrDefExt ="*.*";
            if (GetOpenFileName(&ofn)==TRUE)
            {
              //firt is path
              char path[MAX_PATH],totalpath[MAX_PATH];
              strncpy(path,files,MAX_PATH);

              //after file name
              char *p = files+strlen(files)+1;
              if (*p == 0)FileToTreeView(path);
              while (*p)
              {
                snprintf(totalpath,MAX_PATH,"%s\\%s",path,p);
                FileToTreeView(totalpath);
                p = p+strlen(p)+1;
              }

              //tri and clean
              CleanTreeViewFiles(htrv_files);

              //expend des branches
              SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_LOGS]);
              SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_FILES]);
              SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
              SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);
            }
          }
          break;
          case POPUP_TRV_FILES_ADD_PATH:
          {
            BROWSEINFO browser;
            LPITEMIDLIST lip;
            char path[MAX_PATH]     = "";
            browser.hwndOwner       = h_conf;
            browser.pidlRoot        = 0;
            browser.lpfn            = 0;
            browser.iImage          = 0;
            browser.lParam          = 0;
            browser.ulFlags         = BIF_NEWDIALOGSTYLE;
            browser.pszDisplayName  = path;
            browser.lpszTitle       = "";
            lip = SHBrowseForFolder(&browser);
            if (lip != NULL)
            {
              if (SHGetPathFromIDList(lip,path))
              {
                FileToTreeView(path);

                //tri and clean
                CleanTreeViewFiles(htrv_files);

                //expend all
                SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_FILES]);
                SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_LOGS]);
                SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
                SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);
              }
            }
          }
          break;
          case POPUP_TRV_FILES_UP:
            {
              //get selection + parent
              HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files,TVM_GETNEXTITEM,(WPARAM)TVGN_CARET, (LPARAM)0);
              HTREEITEM hparent = (HTREEITEM)SendMessage(htrv_files,TVM_GETNEXTITEM,(WPARAM)TVGN_PARENT, (LPARAM)hitem);
              //get txt
              char tmp[MAX_PATH];
              GetItemTreeView(hitem,htrv_files,tmp, MAX_PATH);
              //add item
              if (hparent == TRV_HTREEITEM_CONF[FILES_TITLE_LOGS])AddItemTreeView(htrv_files,tmp, TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);
              else if (hparent == TRV_HTREEITEM_CONF[FILES_TITLE_FILES])AddItemTreeView(htrv_files,tmp, TRV_HTREEITEM_CONF[FILES_TITLE_LOGS]);
              else if (hparent == TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY])AddItemTreeView(htrv_files,tmp, TRV_HTREEITEM_CONF[FILES_TITLE_FILES]);
              else if (hparent == TRV_HTREEITEM_CONF[FILES_TITLE_APPLI])AddItemTreeView(htrv_files,tmp, TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);

              //remove item
              SendMessage(htrv_files,TVM_DELETEITEM,(WPARAM)0, (LPARAM)hitem);
              //expend all
              SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_FILES]);
              SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_LOGS]);
              SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
              SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);
            }
          break;
          case POPUP_TRV_FILES_DOWN:
            {
              //get selection + parent
              HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files,TVM_GETNEXTITEM,(WPARAM)TVGN_CARET, (LPARAM)0);
              HTREEITEM hparent = (HTREEITEM)SendMessage(htrv_files,TVM_GETNEXTITEM,(WPARAM)TVGN_PARENT, (LPARAM)hitem);
              //get txt
              char tmp[MAX_PATH];
              GetItemTreeView(hitem,htrv_files,tmp, MAX_PATH);
              //add item
              if (hparent == TRV_HTREEITEM_CONF[FILES_TITLE_LOGS])AddItemTreeView(htrv_files,tmp, TRV_HTREEITEM_CONF[FILES_TITLE_FILES]);
              else if (hparent == TRV_HTREEITEM_CONF[FILES_TITLE_FILES])AddItemTreeView(htrv_files,tmp, TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
              else if (hparent == TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY])AddItemTreeView(htrv_files,tmp, TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);
              else if (hparent == TRV_HTREEITEM_CONF[FILES_TITLE_APPLI])AddItemTreeView(htrv_files,tmp, TRV_HTREEITEM_CONF[FILES_TITLE_LOGS]);

              //remove item
              SendMessage(htrv_files,TVM_DELETEITEM,(WPARAM)0, (LPARAM)hitem);
              //expend all
              SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_FILES]);
              SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_LOGS]);
              SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
              SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);

            }
          break;
          case POPUP_TRV_FILES_REMOVE_ITEMS:TreeView_DeleteItem(htrv_files, (HTREEITEM)SendMessage(htrv_files,TVM_GETNEXTITEM,(WPARAM)TVGN_CARET, (LPARAM)0));break;
          case POPUP_TRV_FILES_CLEAN_ALL:
            SendMessage(htrv_files,TVM_DELETEITEM,(WPARAM)0, (LPARAM)TVI_ROOT);
            check_childs_treeview(htrv_test, FALSE);

            TRV_HTREEITEM_CONF[FILES_TITLE_LOGS]      = AddItemTreeView(htrv_files,cps[TXT_FILE_AUDIT].c, TVI_ROOT);
            TRV_HTREEITEM_CONF[FILES_TITLE_FILES]     = AddItemTreeView(htrv_files,cps[TXT_FILE_REP].c, TVI_ROOT);
            TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]  = AddItemTreeView(htrv_files,cps[TXT_FILE_REGISTRY].c, TVI_ROOT);
            TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]     = AddItemTreeView(htrv_files,cps[TXT_FILE_APPLI].c, TVI_ROOT);
          break;
          case POPUP_TRV_FILES_OPEN_PATH:
          {
            //get item txt
            char path[MAX_PATH];
            TVITEM tvitem;
            tvitem.mask = TVIF_HANDLE|TVIF_TEXT;
            tvitem.hItem = (HTREEITEM)SendMessage(htrv_files,TVM_GETNEXTITEM,(WPARAM)TVGN_CARET, (LPARAM)0);
            tvitem.cchTextMax = MAX_PATH;
            tvitem.pszText = path;
            if (SendMessage(htrv_files,TVM_GETITEM,(WPARAM)0, (LPARAM)&tvitem))
            {
              //directory or file
              if(isDirectory(path))ShellExecute(h_main, "explore", path, NULL,NULL,SW_SHOW);
              else
              {
                //extract
                char *c = path;
                while (*c++);
                while (*c != '\\')c--;
                c++;
                *c=0;
                ShellExecute(h_main, "explore", path, NULL,NULL,SW_SHOW);
              }
            }
          }
          break;
          case POPUP_TRV_FILES_AUTO_SEARCH:
            if (B_AUTOSEARCH)
            {
              B_AUTOSEARCH = FALSE;
              DWORD IDThread;
              GetExitCodeThread(h_AUTOSEARCH,&IDThread);
              TerminateThread(h_AUTOSEARCH,IDThread);

              //clean results
              unsigned int i;
              for (i=0;i<NB_MX_TYPE_FILES_TITLE;i++)
              {
                //tri
                SendMessage(htrv_files,TVM_SORTCHILDREN, TRUE,(LPARAM)TRV_HTREEITEM_CONF[i]);
                SupDoublon(htrv_files,TRV_HTREEITEM_CONF[i]);
                SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[i]);
              }
            }else
            {
              B_AUTOSEARCH = TRUE;
              h_AUTOSEARCH = CreateThread(NULL,0,AutoSearchFiles,0,0,0);
            }
          break;
          case POPUP_TRV_FILES_AUTO_SEARCH_PATH:
            if (B_AUTOSEARCH)
            {
              B_AUTOSEARCH = FALSE;
              DWORD IDThread;
              GetExitCodeThread(h_AUTOSEARCH,&IDThread);
              TerminateThread(h_AUTOSEARCH,IDThread);

              //clean results
              unsigned int i;
              for (i=0;i<NB_MX_TYPE_FILES_TITLE;i++)
              {
                //tri
                SendMessage(htrv_files,TVM_SORTCHILDREN, TRUE,(LPARAM)TRV_HTREEITEM_CONF[i]);
                SupDoublon(htrv_files,TRV_HTREEITEM_CONF[i]);
                SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[i]);
              }
            }else
            {
              BROWSEINFO browser;
              LPITEMIDLIST lip;
              char path[MAX_PATH]     = "";
              browser.hwndOwner       = h_conf;
              browser.pidlRoot        = 0;
              browser.lpfn            = 0;
              browser.iImage          = 0;
              browser.lParam          = 0;
              browser.ulFlags         = BIF_NEWDIALOGSTYLE;
              browser.pszDisplayName  = path;
              browser.lpszTitle       = "";
              lip = SHBrowseForFolder(&browser);
              if (lip != NULL)
              {
                if (SHGetPathFromIDList(lip,path))
                {
                  strncat(path,"\\\0",MAX_PATH);
                  B_AUTOSEARCH = TRUE;
                  h_AUTOSEARCH = CreateThread(NULL,0,AutoSearchFiles,path,0,0);
                }
              }
            }
          break;
          case POPUP_TRV_FILES_SAVE_LIST:
          {
            char file[MAX_PATH]="";
            OPENFILENAME ofn;
            ZeroMemory(&ofn, sizeof(OPENFILENAME));
            ofn.lStructSize = sizeof(OPENFILENAME);
            ofn.hwndOwner = h_conf;
            ofn.lpstrFile = file;
            ofn.nMaxFile = MAX_PATH;
            ofn.lpstrFilter ="*.txt \0*.txt\0*.csv\0*.csv\0";
            ofn.nFilterIndex = 1;
            ofn.Flags =OFN_PATHMUSTEXIST | OFN_HIDEREADONLY | OFN_OVERWRITEPROMPT;
            ofn.lpstrDefExt =".txt\0";
            if (GetSaveFileName(&ofn)==TRUE)
            {
              if (ofn.nFilterIndex == 2) SaveTRV(htrv_files, file, SAVE_TYPE_CSV);
              else SaveTRV(htrv_files, file, SAVE_TYPE_TXT);
            }
          }
          break;
          case POPUP_TRV_FILES_LOAD_LIST:
          {
            char file[MAX_LINE_SIZE]="";
            memset(file,0,MAX_LINE_SIZE);
            OPENFILENAME ofn;
            ZeroMemory(&ofn, sizeof(OPENFILENAME));
            ofn.lStructSize = sizeof(OPENFILENAME);
            ofn.hwndOwner = h_conf;
            ofn.lpstrFile = file;
            ofn.nMaxFile = MAX_LINE_SIZE;
            ofn.lpstrFilter = "*.* \0*.*\0"
                              "*.txt\0*.txt\0"
                              "*.csv\0*.csv\0";
            ofn.nFilterIndex = 1;
            ofn.Flags =/*OFN_FILEMUSTEXIST |*/ OFN_OVERWRITEPROMPT | OFN_ALLOWMULTISELECT|OFN_EXPLORER|OFN_SHOWHELP;
            ofn.lpstrDefExt ="*.*";
            if (GetOpenFileName(&ofn)==TRUE)
            {
              loadFile_test(file, ofn.nFilterIndex);
            }
          }
          break;

          case POPUP_TRV_CHECK_ALL:check_childs_treeview(htrv_test, TRUE);break;
          case POPUP_TRV_UNCHECK_ALL:check_childs_treeview(htrv_test, FALSE);break;
          case POPUP_TRV_STOP_TEST:
          {
            //get item index
            int index = GetTrvItemIndex((HTREEITEM)SendMessage(htrv_test,TVM_GETNEXTITEM,(WPARAM)TVGN_CARET, (LPARAM)0), htrv_test);
            if (index < NB_TESTS)
            {
              //kill the thread
              DWORD IDThread;
              GetExitCodeThread(h_thread_test[index],&IDThread);
              TerminateThread(h_thread_test[index],IDThread);
              h_thread_test[index] = 0;
              check_treeview(htrv_test, H_tests[index], TRV_STATE_UNCHECK);
            }
          }
          break;
        }
      }
    break;
    case WM_NOTIFY:
      /*if (((LPNMHDR)lParam)->code == LVN_COLUMNCLICK)
      {
        TRI_PROCESS_VIEW = !TRI_PROCESS_VIEW;
        c_Tri(((LPNMHDR)lParam)->hwndFrom,((LPNMLISTVIEW)lParam)->iSubItem,TRI_PROCESS_VIEW);
      }else */if (((LPNMHDR)lParam)->code == NM_CLICK && ((LPNMHDR)lParam)->hwndFrom == htrv_test)
      {
        //selected item and state
        TV_HITTESTINFO Struct;
        POINT pt;
        GetCursorPos(&pt);
        ScreenToClient(htrv_test, &pt);
        Struct.pt = pt;
        HTREEITEM hItemSelect = TreeView_HitTest(htrv_test, &Struct);
        if (hItemSelect != NULL)
        {
          if (Struct.flags == TVHT_ONITEMSTATEICON)TreeView_SelectItem(htrv_test,hItemSelect);
          else//check case
          {
            if (Ischeck_treeview(htrv_test, hItemSelect))check_treeview(htrv_test, hItemSelect, TRV_STATE_CHECK);
            else check_treeview(htrv_test, hItemSelect, TRV_STATE_UNCHECK);
          }
        }
      }
    break;
    case WM_CONTEXTMENU://popup menu
      if ((HWND)wParam == htrv_test)
      {
        //select trv item
        TV_HITTESTINFO tvh_info;
        tvh_info.pt.x = LOWORD(lParam);
        tvh_info.pt.y = HIWORD(lParam);
        ScreenToClient(htrv_test, &(tvh_info.pt));
        HTREEITEM hItemSelect = TreeView_HitTest(htrv_test, &tvh_info);
        if (hItemSelect != 0)TreeView_SelectItem(htrv_test,hItemSelect);

        //popup
        HMENU hmenu;
        if ((hmenu = LoadMenu(hinst, MAKEINTRESOURCE(POPUP_TRV_TEST)))!= NULL)
        {
          //set text !!!
          ModifyMenu(hmenu,POPUP_TRV_CHECK_ALL          ,MF_BYCOMMAND|MF_STRING ,POPUP_TRV_CHECK_ALL          ,cps[TXT_POPUP_CHECK_ALL].c);
          ModifyMenu(hmenu,POPUP_TRV_UNCHECK_ALL        ,MF_BYCOMMAND|MF_STRING ,POPUP_TRV_UNCHECK_ALL        ,cps[TXT_POPUP_UNCHECK_ALL].c);

          HTREEITEM item = (HTREEITEM)SendMessage(htrv_test,TVM_GETNEXTITEM,(WPARAM)TVGN_CARET, (LPARAM)0);
          BOOL check = Ischeck_treeview(htrv_test, item);

          if (start_scan && (item!=NULL) && check && (h_thread_test[GetTrvItemIndex(item, htrv_test)]!=NULL))
          {
            ModifyMenu(hmenu,POPUP_TRV_STOP_TEST        ,MF_BYCOMMAND|MF_STRING ,POPUP_TRV_STOP_TEST        ,cps[TXT_POPUP_STOP_TEST].c);
          }else
          {
            RemoveMenu(hmenu,POPUP_TRV_STOP_TEST,MF_BYCOMMAND);
            RemoveMenu(GetSubMenu(hmenu, 0),2,MF_BYPOSITION);
          }

          //affichage du popup menu
          POINT pos;
          if (GetCursorPos(&pos)!=0)
          {
            TrackPopupMenuEx(GetSubMenu(hmenu, 0), 0, pos.x, pos.y,hwnd, NULL);
          }else TrackPopupMenuEx(GetSubMenu(hmenu, 0), 0, GET_X_LPARAM(lParam), GET_Y_LPARAM(lParam),hwnd, NULL);

          DestroyMenu(hmenu);
        }
      }else if ((HWND)wParam == htrv_files)
      {
        //select trv item
        TV_HITTESTINFO tvh_info;
        tvh_info.pt.x = LOWORD(lParam);
        tvh_info.pt.y = HIWORD(lParam);
        ScreenToClient(htrv_files, &(tvh_info.pt));
        HTREEITEM hItemSelect = TreeView_HitTest(htrv_files, &tvh_info);
        if (hItemSelect != NULL)TreeView_SelectItem(htrv_files,hItemSelect);

        //popup
        HMENU hmenu;
        if ((hmenu = LoadMenu(hinst, MAKEINTRESOURCE(POPUP_TRV_FILES)))!= NULL)
        {
          //set text !!!
          ModifyMenu(hmenu,POPUP_TRV_FILES_ADD_FILE     ,MF_BYCOMMAND|MF_STRING ,POPUP_TRV_FILES_ADD_FILE     ,cps[TXT_POPUP_ADD_FILE].c);
          ModifyMenu(hmenu,POPUP_TRV_FILES_ADD_PATH     ,MF_BYCOMMAND|MF_STRING ,POPUP_TRV_FILES_ADD_PATH     ,cps[TXT_POPUP_ADD_PATH].c);

          if (B_AUTOSEARCH)
          {
            RemoveMenu(hmenu,POPUP_TRV_FILES_AUTO_SEARCH_PATH ,MF_BYCOMMAND);
            ModifyMenu(hmenu,POPUP_TRV_FILES_AUTO_SEARCH  ,MF_BYCOMMAND|MF_STRING ,POPUP_TRV_FILES_AUTO_SEARCH  ,cps[TXT_POPUP_AUTO_SEARCH_STOP].c);
          }else
          {
            ModifyMenu(hmenu,POPUP_TRV_FILES_AUTO_SEARCH  ,MF_BYCOMMAND|MF_STRING ,POPUP_TRV_FILES_AUTO_SEARCH  ,cps[TXT_POPUP_AUTO_SEARCH].c);
            ModifyMenu(hmenu,POPUP_TRV_FILES_AUTO_SEARCH_PATH  ,MF_BYCOMMAND|MF_STRING ,POPUP_TRV_FILES_AUTO_SEARCH_PATH  ,cps[TXT_POPUP_AUTO_SEARCH_PATH].c);
          }

          if (SendMessage(htrv_files,TVM_GETCOUNT,(WPARAM)0,(LPARAM)0) > 4)
          {
            ModifyMenu(hmenu,POPUP_TRV_FILES_UP           ,MF_BYCOMMAND|MF_STRING ,POPUP_TRV_FILES_UP           ,cps[TXT_POPUP_UP].c);
            ModifyMenu(hmenu,POPUP_TRV_FILES_DOWN         ,MF_BYCOMMAND|MF_STRING ,POPUP_TRV_FILES_DOWN         ,cps[TXT_POPUP_DOWN].c);
            ModifyMenu(hmenu,POPUP_TRV_FILES_REMOVE_ITEMS ,MF_BYCOMMAND|MF_STRING ,POPUP_TRV_FILES_REMOVE_ITEMS ,cps[TXT_POPUP_REMOVE_ITEMS].c);
            ModifyMenu(hmenu,POPUP_TRV_FILES_CLEAN_ALL    ,MF_BYCOMMAND|MF_STRING ,POPUP_TRV_FILES_CLEAN_ALL    ,cps[TXT_POPUP_CLEAN_ALL].c);
            ModifyMenu(hmenu,POPUP_TRV_FILES_OPEN_PATH    ,MF_BYCOMMAND|MF_STRING ,POPUP_TRV_FILES_OPEN_PATH    ,cps[TXT_POPUP_OPEN_PATH].c);
            ModifyMenu(hmenu,POPUP_TRV_FILES_SAVE_LIST    ,MF_BYCOMMAND|MF_STRING ,POPUP_TRV_FILES_SAVE_LIST    ,cps[TXT_POPUP_SAVE_LIST].c);
          }else
          {
            RemoveMenu(GetSubMenu(hmenu,0),2              ,MF_BYPOSITION);

            RemoveMenu(hmenu,POPUP_TRV_FILES_UP           ,MF_BYCOMMAND);
            RemoveMenu(hmenu,POPUP_TRV_FILES_DOWN         ,MF_BYCOMMAND);
            RemoveMenu(hmenu,POPUP_TRV_FILES_REMOVE_ITEMS ,MF_BYCOMMAND);
            RemoveMenu(hmenu,POPUP_TRV_FILES_CLEAN_ALL    ,MF_BYCOMMAND);
            RemoveMenu(hmenu,POPUP_TRV_FILES_OPEN_PATH    ,MF_BYCOMMAND);
            RemoveMenu(hmenu,POPUP_TRV_FILES_SAVE_LIST    ,MF_BYCOMMAND);
          }

          //affichage du popup menu
          POINT pos;
          if (GetCursorPos(&pos)!=0)
          {
            TrackPopupMenuEx(GetSubMenu(hmenu, 0), 0, pos.x, pos.y,hwnd, NULL);
          }else TrackPopupMenuEx(GetSubMenu(hmenu, 0), 0, GET_X_LPARAM(lParam), GET_Y_LPARAM(lParam),hwnd, NULL);
          DestroyMenu(hmenu);
        }
      }
    break;
    case WM_DROPFILES://gestion du drag and drop de fichier ^^
    {
      if (B_AUTOSEARCH)break;
      HDROP H_DropInfo=(HDROP)wParam;
      char tmp[MAX_PATH];
      DWORD i,nb_path = DragQueryFile(H_DropInfo, 0xFFFFFFFF, tmp, MAX_PATH);
      for (i=0;i<nb_path;i++)
      {
        //get data
        DragQueryFile(H_DropInfo, i, tmp, MAX_PATH);
        //add
        FileToTreeView(tmp);
      }
      DragFinish(H_DropInfo);

      //tri and clean
      CleanTreeViewFiles(htrv_files);

      //expend des branches
      SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_FILES]);
      SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_LOGS]);
      SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
      SendMessage(htrv_files,TVM_EXPAND, TVE_EXPAND,(LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);
    }
    break;
    case WM_INITDIALOG:
      //add language correction
      SetWindowText(GetDlgItem(hwnd,BT_ACL_FILE_CHK),cps[TXT_CHECK_ACL].c);
      SetWindowText(GetDlgItem(hwnd,BT_SHA_FILE_CHK),cps[TXT_CHECK_SHA].c);
      SetWindowText(GetDlgItem(hwnd,BT_ADS_FILE_CHK),cps[TXT_CHECK_ADS].c);
      SetWindowText(GetDlgItem(hwnd,BT_START),cps[TXT_BT_START].c);
      SetWindowText(GetDlgItem(hwnd,GRP_CONF),cps[TXT_GRP_CONF].c);

      //check all tests
      CheckDlgButton(hwnd,BT_ACL_FILE_CHK,BST_CHECKED);
      CheckDlgButton(hwnd,BT_ADS_FILE_CHK,BST_CHECKED);
      CheckDlgButton(hwnd,BT_UTC_CHK,BST_CHECKED);

      //add icon
      SendMessage(hwnd, WM_SETICON, ICON_BIG, (LPARAM)LoadIcon(GetModuleHandle(0), MAKEINTRESOURCE(ICON_APP)));

      //add files owners
      htrv_files = GetDlgItem(hwnd,TRV_FILES);
      SendMessage(htrv_files,CBEM_SETIMAGELIST,0,(LPARAM)H_ImagList_icon);
      TRV_HTREEITEM_CONF[FILES_TITLE_LOGS]      = AddItemTreeView(htrv_files,cps[TXT_FILE_AUDIT].c, TVI_ROOT);
      TRV_HTREEITEM_CONF[FILES_TITLE_FILES]     = AddItemTreeView(htrv_files,cps[TXT_FILE_REP].c, TVI_ROOT);
      TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]  = AddItemTreeView(htrv_files,cps[TXT_FILE_REGISTRY].c, TVI_ROOT);
      TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]     = AddItemTreeView(htrv_files,cps[TXT_FILE_APPLI].c, TVI_ROOT);

      //add list of test
      //get all tests in list of rubriques
      htrv_test = GetDlgItem(hwnd,TRV_TEST);
      unsigned int i;
      NB_TESTS = SendMessage(hlstbox, LB_GETCOUNT,0,0);
      char tmp[DEFAULT_TMP_SIZE];
      for (i=0;i<NB_TESTS;i++)
      {
        if (SendMessage(hlstbox, LB_GETTEXTLEN,i,0) < DEFAULT_TMP_SIZE)
        {
          tmp[0] = 0;
          if(SendMessage(hlstbox, LB_GETTEXT,i,(LPARAM)tmp) > 0)
          {
            //add item
            H_tests[i] = AddItemTreeView(htrv_test,tmp, TVI_ROOT);
          }
        }
      }
    break;
    case WM_SIZE:
    {
      unsigned int mWidth  = LOWORD(lParam);
      unsigned int mHeight = HIWORD(lParam);

      //controle de la taille minimum
      if ((mWidth<800) || (mHeight<600))
      {
        RECT Rect;
        GetWindowRect(hwnd, &Rect);
        MoveWindow(hwnd,Rect.left,Rect.top,800+20,600+64,TRUE);
      }else
      {
        MoveWindow(GetDlgItem(hwnd,TRV_FILES),0,0,mWidth/2,mHeight-27,TRUE);
        MoveWindow(GetDlgItem(hwnd,TRV_TEST),mWidth/2+2,0,(mWidth/2)-2,mHeight-167,TRUE);

        MoveWindow(GetDlgItem(hwnd,GRP_CONF),mWidth/2+2,mHeight-165,(mWidth/2)-2,98,TRUE);

        MoveWindow(GetDlgItem(hwnd,BT_ACL_FILE_CHK),mWidth/2+20,mHeight-148,(mWidth/2)-40,17,TRUE);
        MoveWindow(GetDlgItem(hwnd,BT_ADS_FILE_CHK),mWidth/2+20,mHeight-128,(mWidth/2)-40,17,TRUE);
        MoveWindow(GetDlgItem(hwnd,BT_SHA_FILE_CHK),mWidth/2+20,mHeight-108,(mWidth/2)-40,17,TRUE);
        MoveWindow(GetDlgItem(hwnd,BT_UTC_CHK),mWidth/2+20,mHeight-88,(mWidth/4)-40,17,TRUE);

        MoveWindow(GetDlgItem(hwnd,BT_RA_CHK),mWidth*3/4+20,mHeight-108,(mWidth*1/4)-40,17,TRUE);
        MoveWindow(GetDlgItem(hwnd,BT_MAGIC_CHK),mWidth*3/4+20,mHeight-88,(mWidth*1/4)-40,17,TRUE);

        MoveWindow(GetDlgItem(hwnd,BT_START),mWidth/2+2,mHeight-64,(mWidth/2)-2,38,TRUE);
        MoveWindow(GetDlgItem(hwnd,DLG_CONF_SB),0,mHeight-25,mWidth,25,TRUE);
      }
      InvalidateRect(hwnd, NULL, TRUE);
    }
    break;
    case WM_CLOSE:
    {
      //if in stop case
      if ((start_scan == FALSE) && (stop_scan == TRUE))
      {
        sqlite3_close(db_scan);
        CloseWindow(hwnd);
        PostQuitMessage(0);
      }

      //kill all threads
      unsigned int i;
      DWORD IDThread;
      for (i=0;i<NB_TESTS;i++)
      {
        GetExitCodeThread(h_thread_test[i],&IDThread);
        TerminateThread(h_thread_test[i],IDThread);
      }

      GetExitCodeThread(h_thread_scan,&IDThread);
      TerminateThread(h_thread_scan,IDThread);

      ShowWindow (h_main, SW_SHOW);
      UpdateWindow(h_main);
      EndDialog(hwnd, 0);
    }
    break;
  }
  return 0;
}