//------------------------------------------------------------------------------
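//GetUserGroupFRF - look up the alias (group) membership of a user RID in the
//registry hive files listed under TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]
//in the file tree view.
//
//userRID        : relative identifier of the user to look up.
//group          : output buffer, reset to "" here and then filled by
//                 GetUserGroupFromRegFile() for each hive that opens.
//size_max_group : capacity of 'group' in bytes.
//
//Both the Builtin and the Account alias trees of the SAM hive are consulted.
//Empty tree entries and hives that fail to open are skipped; the walk always
//covers every listed hive (there is no live-registry branch here).
void GetUserGroupFRF(DWORD userRID, char *group, DWORD size_max_group)
{
  char file[MAX_PATH];
  HK_F_OPEN hks;

  group[0] = 0;

  //get all files one by one and test each of them
  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  while(hitem!=NULL)
  {
    file[0] = 0;
    GetTextFromTrv(hitem, file, MAX_PATH);

    //skip empty entries (same guard as the other hive scanners), then
    //open file + verify
    if (file[0] != 0 && OpenRegFiletoMem(&hks, file))
    {
      //get group
      GetUserGroupFromRegFile(userRID, group, size_max_group, &hks, "SAM\\Domains\\Builtin\\Aliases");
      GetUserGroupFromRegFile(userRID, group, size_max_group, &hks, "SAM\\Domains\\Account\\Aliases");
      CloseRegFiletoMem(&hks);
    }
    hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
  }
}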
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
//Scan_registry_path - worker thread: enumerate command/path related registry
//keys (Classes shell\open\command, Environment, App Paths incl. Wow6432Node)
//through EnumPath_file() (offline hives) or EnumPath_local() (live registry).
//
//lParam : index into H_tests/h_thread_test for this test; the test tree entry
//         is unchecked and the thread slot cleared before returning.
//Returns 0.
//
//Offline mode is used when the file tree view lists registry hives or when
//LOCAL_SCAN is off; start_scan lets the UI abort the hive walk early.
//Rows go to the global db_scan; the BEGIN/END TRANSACTION pair is skipped in
//SQLITE_FULL_SPEED mode.
DWORD WINAPI Scan_registry_path(LPVOID lParam)
{
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  unsigned int test_index = (unsigned int)lParam;

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Registry_Path\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"user\";\"rid\";\"sid\";\"parent_key_update\";\"session_id\";\r\n");
  #endif

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  HTREEITEM node = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (node == NULL && LOCAL_SCAN)
  {
    //live registry of this machine
    EnumPath_local(HKEY_LOCAL_MACHINE,"HKEY_LOCAL_MACHINE","SOFTWARE\\Classes","shell\\open\\command",session_id,db);
    EnumPath_local(HKEY_USERS,"HKEY_USERS","","Environment",session_id,db);
    EnumPath_local(HKEY_LOCAL_MACHINE,"HKEY_LOCAL_MACHINE","SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db);
    EnumPath_local(HKEY_LOCAL_MACHINE,"HKEY_LOCAL_MACHINE","SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db);
  }
  else
  {
    //offline hives listed in the tree view
    char hive_path[MAX_PATH];
    HK_F_OPEN hks;
    for (; node != NULL && start_scan; node = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)node))
    {
      hive_path[0] = 0;
      GetTextFromTrv(node, hive_path, MAX_PATH);
      if (hive_path[0] == 0) continue;
      if (!OpenRegFiletoMem(&hks, hive_path)) continue;

      //classes (open/edit/print commands), environment, application paths
      EnumPath_file(&hks,"Classes","shell\\open\\command",session_id,db, FALSE);
      EnumPath_file(&hks,"Environment","",session_id,db, TRUE);
      EnumPath_file(&hks,"Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db, FALSE);
      EnumPath_file(&hks,"Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db, FALSE);
      CloseRegFiletoMem(&hks);
    }
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
  h_thread_test[test_index] = 0;
  return 0;
}
//------------------------------------------------------------------------------
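//Scan_registry_setting_file - evaluate the rules of extract_registry_settings_request
//against one offline hive and record the matches, plus the syskey when the
//hive provides one.
//
//db   : database holding the request table and receiving the rows.
//file : path of the hive to parse; nothing happens if it cannot be opened.
//
//Uses the shared handle local_hks (declared outside this function) and the
//global current_session_id.
//
//Change: the syskey row is now written to 'db' like every other row of this
//function; it previously went to the global db_scan, so a caller passing a
//different database would have seen the settings and the syskey split.
void Scan_registry_setting_file(sqlite3 *db, char *file)
{
  //Open file and init datas !
  if(!OpenRegFiletoMem(&local_hks, file)) return;

  //zero the callback context; only 'type' is set explicitly here
  FORMAT_CALBAK_READ_INFO fcri = {0};
  fcri.type = SQLITE_REGISTRY_TYPE_SETTINGS;
  sqlite3_exec(db, "SELECT hkey,search_key,value,value_type,type_id,description_id FROM extract_registry_settings_request;", callback_sqlite_registry_file, &fcri, NULL);

  //syskey (ControlSet001\Control\Lsa\{JD,Skew1,GBG,Data})
  char sk[MAX_PATH]="";
  if(registry_syskey_file(&local_hks, sk, MAX_PATH))
  {
    addRegistrySettingstoDB(local_hks.file, "", "ControlSet001\\Control\\Lsa\\JD,Skew1,GBG,Data","", sk, "100", SYSKEY_STRING_DEF, "", current_session_id, db);
  }

  CloseRegFiletoMem(&local_hks);
}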
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
//Scan_registry_mru - worker thread: evaluate the MRU ("most recently used")
//extraction rules stored in extract_registry_mru_request against either the
//offline hives of the file tree view or the live registry.
//
//lParam : index into H_tests/h_thread_test for this test; the entry is
//         unchecked and the thread slot cleared when the thread ends.
//Returns 0.
//
//The SELECT rows are handed to callback_sqlite_registry_mru_file (offline,
//through the shared handle hks_mru) or callback_sqlite_registry_mru_local
//(live); fcri.type tags the callbacks' work as SQLITE_REGISTRY_TYPE_MRU.
//The BEGIN/END TRANSACTION pair is skipped in SQLITE_FULL_SPEED mode.
DWORD WINAPI Scan_registry_mru(LPVOID lParam)
{
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int test_index = (unsigned int)lParam;
  FORMAT_CALBAK_READ_INFO fcri;
  fcri.type = SQLITE_REGISTRY_TYPE_MRU;

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Registry_MRU\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"description_id\";\"user\";\"rid\";\"sid\";\"parent_key_update\";\"session_id\";\r\n");
  #endif

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  HTREEITEM node = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (node == NULL && LOCAL_SCAN)
  {
    //live registry
    sqlite3_exec(db, "SELECT hkey,key,value,value_type,type_id,description_id FROM extract_registry_mru_request;", callback_sqlite_registry_mru_local, &fcri, NULL);
  }
  else
  {
    //offline hives; start_scan lets the UI abort the walk
    char hive_path[MAX_PATH];
    for (; node != NULL && start_scan; node = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)node))
    {
      hive_path[0] = 0;
      GetTextFromTrv(node, hive_path, MAX_PATH);
      if (hive_path[0] == 0) continue;
      if (!OpenRegFiletoMem(&hks_mru, hive_path)) continue;

      sqlite3_exec(db, "SELECT hkey,search_key,value,value_type,type_id,description_id FROM extract_registry_mru_request;", callback_sqlite_registry_mru_file, &fcri, NULL);
      CloseRegFiletoMem(&hks_mru);
    }
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);
  h_thread_test[test_index] = 0;
  return 0;
}
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
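//Scan_registry_service - worker thread: enumerate the installed services and
//record them through Scan_registry_service_file() (offline hives) or
//Scan_registry_service_local() (live registry).
//
//lParam : index into H_tests/h_thread_test for this test; the test tree entry
//         is unchecked and the thread slot cleared before returning.
//Returns 0.
//
//Offline mode: each hive of the file tree view is parsed and the Services key
//of ControlSet001..004 is read. Live mode: SYSTEM\CurrentControlSet\Services
//is walked. The BEGIN/END TRANSACTION pair is skipped in SQLITE_FULL_SPEED mode.
//
//Change: the hive loop now stops when start_scan is cleared, like
//Scan_registry_path and Scan_registry_mru; previously an aborted scan kept
//parsing every remaining hive.
DWORD WINAPI Scan_registry_service(LPVOID lParam)
{
  //init
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  unsigned int test_index = (unsigned int)lParam;
  char file[MAX_PATH];
  HK_F_OPEN hks;
  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Registry_Service\";\"file\";\"hk\";\"key\";\"name\";\"state_id\";\"path\";\"type_id\";\"last_update\";\"session_id\";\"description\";\r\n");
  #endif
  //files or local
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem!=NULL || !LOCAL_SCAN) //files
  {
    //start_scan lets the UI abort the walk
    while(hitem!=NULL && start_scan)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      //skip empty entries, then open file + verify
      if (file[0] != 0 && OpenRegFiletoMem(&hks, file))
      {
        //a SYSTEM hive may carry several control sets; read them all
        Scan_registry_service_file(&hks,"ControlSet001\\Services", session_id, db);
        Scan_registry_service_file(&hks,"ControlSet002\\Services", session_id, db);
        Scan_registry_service_file(&hks,"ControlSet003\\Services", session_id, db);
        Scan_registry_service_file(&hks,"ControlSet004\\Services", session_id, db);

        CloseRegFiletoMem(&hks);
      }
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }
  else
  {
    //live registry
    Scan_registry_service_local("SYSTEM\\CurrentControlSet\\Services\\",db, session_id);
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[test_index] = 0;
  return 0;
}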
//------------------------------------------------------------------------------
//GetRegFile - load a binary registry hive into the TreeView / ListView pair.
//
//reg_file      : path of the hive; an empty string is ignored.
//hparent       : tree node under which the hive's keys are inserted.
//parent        : textual path of hparent, forwarded to the loaders.
//recovery_mode : TRUE  -> GetRecoveryRegFile() parses the file;
//                FALSE -> the hive is mapped with OpenRegFiletoMem() and its
//                         root NK cell (buffer+position) walked by
//                         ReadArboRawRegFile().
//hlv, htv      : ListView and TreeView handles receiving the content.
//
//In both modes the children of hparent are sorted once loading is done.
void GetRegFile(char *reg_file, HTREEITEM hparent, char *parent, BOOL recovery_mode, HANDLE hlv, HANDLE htv)
{
  if (reg_file[0] == 0) return;

  if (recovery_mode)
  {
    GetRecoveryRegFile(reg_file, hparent, parent, hlv, htv);
  }
  else
  {
    //simple mode: parse the raw hive structure
    HK_F_OPEN hive;
    if(OpenRegFiletoMem(&hive, reg_file))
    {
      HBIN_CELL_NK_HEADER *root_nk = (HBIN_CELL_NK_HEADER *)(hive.buffer+hive.position);
      ReadArboRawRegFile(&hive, root_nk, reg_file, hparent, parent,"\\", hlv, htv);
      CloseRegFiletoMem(&hive);
    }
  }

  //common to both modes
  TreeView_SortChildren(htv,hparent,TRUE);
}
//------------------------------------------------------------------------------
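//Scan_share - worker thread: inventory the network shares of the scanned system
//and store them with addSharetoDB() (live) or EnumShare() (offline hives).
//
//lParam : index into H_tests/h_thread_test for this test; the test tree entry
//         is unchecked and the thread slot cleared on exit.
//Returns 0.
//
//Offline mode (!LOCAL_SCAN): every hive of the file tree view is parsed and
//the LanmanServer\Shares key of ControlSet001..004 is read.
//Live mode: NetShareEnum (level 502) and NetApiBufferFree are resolved at run
//time from NETAPI32.dll, so the binary has no link-time dependency on it.
//
//Changes vs. the previous version:
// - the SHARE_INFO_502 page returned by NetShareEnum is released with
//   NetApiBufferFree (it was loaded but never called, leaking every page);
// - a resume handle is passed, so an ERROR_MORE_DATA loop advances instead
//   of re-reading the first page forever;
// - a LoadLibrary failure no longer returns early, which skipped END
//   TRANSACTION, the tree-view update and the h_thread_test reset;
// - the hive loop honours start_scan like the other registry scanners.
DWORD WINAPI Scan_share(LPVOID lParam)
{
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  unsigned int test_index = (unsigned int)lParam;

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Share\";\"file\";\"share\";\"path\";\"description\";\"type\";\"connexion\";\"session_id\";\r\n");
  #endif

  if (!LOCAL_SCAN)
  {
    //get in registry files
    char file[MAX_PATH];
    HK_F_OPEN hks;
    HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
    while(hitem!=NULL && start_scan)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      //skip empty entries, then open file + verify
      if (file[0] != 0 && OpenRegFiletoMem(&hks, file))
      {
        //a SYSTEM hive may carry several control sets; read them all
        EnumShare(&hks, session_id, db, "ControlSet001\\Services\\LanmanServer\\Shares");
        EnumShare(&hks, session_id, db, "ControlSet002\\Services\\LanmanServer\\Shares");
        EnumShare(&hks, session_id, db, "ControlSet003\\Services\\LanmanServer\\Shares");
        EnumShare(&hks, session_id, db, "ControlSet004\\Services\\LanmanServer\\Shares");
        CloseRegFiletoMem(&hks);
      }
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }
  }
  else
  {
    //live enumeration; the API is bound dynamically
    HMODULE hDLL = LoadLibrary("NETAPI32.dll");
    if (hDLL != NULL)
    {
      typedef NET_API_STATUS (WINAPI *NETAPIBUFFERFREE)(LPVOID Buffer);
      NETAPIBUFFERFREE NetApiBufferFree = (NETAPIBUFFERFREE) GetProcAddress(hDLL,"NetApiBufferFree");

      typedef NET_API_STATUS (WINAPI *NETSHAREENUM)(LPWSTR servername, DWORD level, LPBYTE* bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, LPDWORD resume_handle);
      NETSHAREENUM NetShareEnum = (NETSHAREENUM) GetProcAddress(hDLL,"NetShareEnum");

      if (NetApiBufferFree != NULL && NetShareEnum != NULL )
      {
        NET_API_STATUS res;
        PSHARE_INFO_502 buffer = NULL, p;
        DWORD nb=0, tr=0, resume=0, i;
        char share[DEFAULT_TMP_SIZE], path[MAX_PATH], description[MAX_PATH], type[DEFAULT_TMP_SIZE], connexion[DEFAULT_TMP_SIZE];

        do
        {
          buffer = NULL;
          res = NetShareEnum (0, 502, (LPBYTE *) &buffer, MAX_PREFERRED_LENGTH, &nb, &tr, &resume);
          //no buffer is allocated on any other status
          if(res != ERROR_SUCCESS && res != ERROR_MORE_DATA)break;

          for(i=0,p=buffer;i<nb;i++,p++)
          {
            //bounded wide -> narrow copies
            snprintf(share,DEFAULT_TMP_SIZE,"%S",p->shi502_netname);
            snprintf(path,MAX_PATH,"%S",p->shi502_path);
            snprintf(description,MAX_PATH,"%S",p->shi502_remark);

            const char *type_name = NULL;
            switch(p->shi502_type)
            {
              case STYPE_DISKTREE:  type_name = "DISKTREE"; break;
              case STYPE_PRINTQ:    type_name = "PRINT"; break;
              case STYPE_DEVICE:    type_name = "DEVICE"; break;
              case STYPE_IPC:       type_name = "IPC"; break;
              case STYPE_SPECIAL:   type_name = "SPECIAL"; break;
              case 0x40000000:      type_name = "TEMPORARY"; break;   //STYPE_TEMPORARY flag
              case -2147483645:     type_name = "RPC"; break;         //0x80000003 once converted to the DWORD switch type
              default:              break;
            }
            if (type_name != NULL) snprintf(type,DEFAULT_TMP_SIZE,"%s",type_name);
            else snprintf(type,DEFAULT_TMP_SIZE,"UNKNOW (%lu)",p->shi502_type);

            //current/max connections; a max of -1 is printed as "-"
            if (p->shi502_max_uses==-1)
              snprintf(connexion,DEFAULT_TMP_SIZE,"%lu/-",p->shi502_current_uses);
            else snprintf(connexion,DEFAULT_TMP_SIZE,"%lu/%lu",p->shi502_current_uses,p->shi502_max_uses);

            convertStringToSQL(path, MAX_PATH);
            convertStringToSQL(description, MAX_PATH);
            addSharetoDB("",share, path, description, type, connexion, session_id, db);
          }

          //the API owns the page; release it before fetching the next one
          NetApiBufferFree(buffer);
          buffer = NULL;
        }while(res==ERROR_MORE_DATA);
      }
      FreeLibrary(hDLL);
    }
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[test_index] = 0;
  return 0;
}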
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
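//Scan_registry_user - worker thread: collect user accounts from the registry
//hives of the file tree view (Scan_registry_user_file) or from the live
//registry (Scan_registry_user_local).
//
//lParam : index into H_tests/h_thread_test for this test; the test tree entry
//         is unchecked and the thread slot cleared before returning.
//Returns 0.
//
//Offline mode: paths are lower-cased and the first one containing "sam"
//(Contient() presumably tests for a substring) is set aside and parsed last,
//so that the syskey and the computer name gathered from the other hives
//(ControlSet001\Control\ComputerName\ComputerName) are available by then.
//'sk' receives the syskey but is not read here - presumably
//registry_syskey_file() also keeps it for Scan_registry_user_file(); confirm.
//
//Change: the hive loop and the deferred SAM pass now stop when start_scan is
//cleared, like Scan_registry_path and Scan_registry_mru; the two fixed-size
//copies are bounded with snprintf instead of strcpy.
DWORD WINAPI Scan_registry_user(LPVOID lParam)
{
  //init
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;
  unsigned int test_index = (unsigned int)lParam;

  char file[MAX_PATH], file_SAM[MAX_PATH]="";
  HK_F_OPEN hks;

  char sk[MAX_PATH]="";

  char computer[DEFAULT_TMP_SIZE]="";
  BOOL ok_computer = FALSE;

  //files or local
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem!=NULL || !LOCAL_SCAN) //files
  {
    //start_scan lets the UI abort the walk
    while(hitem!=NULL && start_scan)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      if (file[0] != 0)
      {
        charToLowChar(file);
        //check for SAM files: remember the first match, process it after the loop
        if ((Contient(file,"sam")) && file_SAM[0] == 0)
        {
          snprintf(file_SAM, MAX_PATH, "%s", file);
          hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
          continue;
        }

        //open file + verify
        if(OpenRegFiletoMem(&hks, file))
        {
          //get syskey
          registry_syskey_file(&hks, sk, MAX_PATH);

          //computer name: first hive that provides one wins
          if (!ok_computer)
          {
            char tmp[DEFAULT_TMP_SIZE]="";
            Readnk_Value(hks.buffer, hks.taille_fic, (hks.pos_fhbin)+HBIN_HEADER_SIZE, hks.position, "ControlSet001\\Control\\ComputerName\\ComputerName", NULL,"ComputerName", tmp, DEFAULT_TMP_SIZE);

            if (tmp[0]!=0)
            {
              snprintf(computer, DEFAULT_TMP_SIZE, "%s", tmp);
              ok_computer = TRUE;
            }
          }

          Scan_registry_user_file(&hks, db, session_id,computer);

          CloseRegFiletoMem(&hks);
        }
      }
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }

    //SAM file in last, unless the scan was aborted meanwhile
    if (file_SAM[0] != 0 && start_scan)
    {
      //open file + verify
      if(OpenRegFiletoMem(&hks, file_SAM))
      {
        Scan_registry_user_file(&hks, db, session_id,computer);
        CloseRegFiletoMem(&hks);
      }
    }
  }
  else
  {
    //live registry
    Scan_registry_user_local(db, session_id);
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[test_index], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[test_index] = 0;
  return 0;
}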