//------------------------------------------------------------------------------
void GetUserGroupFRF(DWORD userRID, char *group, DWORD size_max_group)
{
char file[MAX_PATH];
HK_F_OPEN hks;
group[0] = 0;
//get all file on by on on test if ok or not
HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
if (hitem!=NULL || !LOCAL_SCAN) //files
{
while(hitem!=NULL)
{
file[0] = 0;
GetTextFromTrv(hitem, file, MAX_PATH);
//if (file[0] == 0 /*|| !(Contient(file,"SECURITY") || Contient(file,"security"))*/) continue;
//open file + verify
if(OpenRegFiletoMem(&hks, file))
{
//get group
GetUserGroupFromRegFile(userRID, group, size_max_group, &hks, "SAM\\Domains\\Builtin\\Aliases");
GetUserGroupFromRegFile(userRID, group, size_max_group, &hks, "SAM\\Domains\\Account\\Aliases");
CloseRegFiletoMem(&hks);
}
hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
}
}
}
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
DWORD WINAPI Scan_registry_path(LPVOID lParam)
{
//init
sqlite3 *db = (sqlite3 *)db_scan;
unsigned int session_id = current_session_id;
char file[MAX_PATH];
HK_F_OPEN hks;
#ifdef CMD_LINE_ONLY_NO_DB
printf("\"Registry_Path\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"user\";\"rid\";\"sid\";\"parent_key_update\";\"session_id\";\r\n");
#endif
//files or local
if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
if (hitem!=NULL || !LOCAL_SCAN) //files
{
while(hitem!=NULL && start_scan)
{
file[0] = 0;
GetTextFromTrv(hitem, file, MAX_PATH);
if (file[0] != 0)
{
//open file + verify
if(OpenRegFiletoMem(&hks, file))
{
//enum all class open/edit/print values
EnumPath_file(&hks,"Classes","shell\\open\\command",session_id,db, FALSE);
//Enum envs
EnumPath_file(&hks,"Environment","",session_id,db, TRUE);
//all applications
EnumPath_file(&hks,"Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db, FALSE);
EnumPath_file(&hks,"Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db, FALSE);
CloseRegFiletoMem(&hks);
}
}
hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
}
}else
{
//enum all class open/edit/print values
EnumPath_local(HKEY_LOCAL_MACHINE,"HKEY_LOCAL_MACHINE","SOFTWARE\\Classes","shell\\open\\command",session_id,db);
//Enum envs
EnumPath_local(HKEY_USERS,"HKEY_USERS","","Environment",session_id,db);
//all applications
EnumPath_local(HKEY_LOCAL_MACHINE,"HKEY_LOCAL_MACHINE","SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db);
EnumPath_local(HKEY_LOCAL_MACHINE,"HKEY_LOCAL_MACHINE","SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\App Paths","",session_id,db);
}
if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan
h_thread_test[(unsigned int)lParam] = 0;
return 0;
}
//------------------------------------------------------------------------------
void Scan_registry_setting_file(sqlite3 *db, char *file)
{
//Open file and init datas !
if(OpenRegFiletoMem(&local_hks, file))
{
FORMAT_CALBAK_READ_INFO fcri;
fcri.type = SQLITE_REGISTRY_TYPE_SETTINGS;
sqlite3_exec(db, "SELECT hkey,search_key,value,value_type,type_id,description_id FROM extract_registry_settings_request;", callback_sqlite_registry_file, &fcri, NULL);
//syskey
char sk[MAX_PATH]="";
if(registry_syskey_file(&local_hks, sk, MAX_PATH))
{
addRegistrySettingstoDB(local_hks.file, "", "ControlSet001\\Control\\Lsa\\JD,Skew1,GBG,Data","", sk, "100", SYSKEY_STRING_DEF, "", current_session_id, db_scan);
}
CloseRegFiletoMem(&local_hks);
}
}
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
DWORD WINAPI Scan_registry_mru(LPVOID lParam)
{
//init
sqlite3 *db = (sqlite3 *)db_scan;
char file[MAX_PATH];
FORMAT_CALBAK_READ_INFO fcri;
fcri.type = SQLITE_REGISTRY_TYPE_MRU;
#ifdef CMD_LINE_ONLY_NO_DB
printf("\"Registry_MRU\";\"file\";\"hk\";\"key\";\"value\";\"data\";\"description_id\";\"user\";\"rid\";\"sid\";\"parent_key_update\";\"session_id\";\r\n");
#endif
//files or local
if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
if (hitem!=NULL || !LOCAL_SCAN) //files
{
while(hitem!=NULL && start_scan)
{
file[0] = 0;
GetTextFromTrv(hitem, file, MAX_PATH);
if (file[0] != 0)
{
//open file + verify
if(OpenRegFiletoMem(&hks_mru, file))
{
sqlite3_exec(db, "SELECT hkey,search_key,value,value_type,type_id,description_id FROM extract_registry_mru_request;", callback_sqlite_registry_mru_file, &fcri, NULL);
CloseRegFiletoMem(&hks_mru);
}
}
hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
}
}else
{
sqlite3_exec(db, "SELECT hkey,key,value,value_type,type_id,description_id FROM extract_registry_mru_request;", callback_sqlite_registry_mru_local, &fcri, NULL);
}
if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan
h_thread_test[(unsigned int)lParam] = 0;
return 0;
}
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
DWORD WINAPI Scan_registry_service(LPVOID lParam)
{
//init
sqlite3 *db = (sqlite3 *)db_scan;
unsigned int session_id = current_session_id;
char file[MAX_PATH];
HK_F_OPEN hks;
#ifdef CMD_LINE_ONLY_NO_DB
printf("\"Registry_Service\";\"file\";\"hk\";\"key\";\"name\";\"state_id\";\"path\";\"type_id\";\"last_update\";\"session_id\";\"description\";\r\n");
#endif
//files or local
if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
if (hitem!=NULL || !LOCAL_SCAN) //files
{
while(hitem!=NULL)
{
file[0] = 0;
GetTextFromTrv(hitem, file, MAX_PATH);
if (file[0] != 0)
{
//open file + verify
if(OpenRegFiletoMem(&hks, file))
{
Scan_registry_service_file(&hks,"ControlSet001\\Services", session_id, db);
Scan_registry_service_file(&hks,"ControlSet002\\Services", session_id, db);
Scan_registry_service_file(&hks,"ControlSet003\\Services", session_id, db);
Scan_registry_service_file(&hks,"ControlSet004\\Services", session_id, db);
CloseRegFiletoMem(&hks);
}
}
hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
}
}else Scan_registry_service_local("SYSTEM\\CurrentControlSet\\Services\\",db, session_id);
if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan
h_thread_test[(unsigned int)lParam] = 0;
return 0;
}
//------------------------------------------------------------------------------
void GetRegFile(char *reg_file, HTREEITEM hparent, char *parent, BOOL recovery_mode, HANDLE hlv, HANDLE htv)
{
if (reg_file[0] == 0) return;
//load a binary file to TreeView and ListView
if (recovery_mode)
{
GetRecoveryRegFile(reg_file, hparent, parent, hlv, htv);
TreeView_SortChildren(htv,hparent,TRUE);
}else
{
//simple mode
HK_F_OPEN hks_tmp;
if(OpenRegFiletoMem(&hks_tmp, reg_file))
{
ReadArboRawRegFile(&hks_tmp, (HBIN_CELL_NK_HEADER *)(hks_tmp.buffer+hks_tmp.position), reg_file, hparent, parent,"\\", hlv, htv);
CloseRegFiletoMem(&hks_tmp);
}
TreeView_SortChildren(htv,hparent,TRUE);
}
}
//------------------------------------------------------------------------------
DWORD WINAPI Scan_share(LPVOID lParam)
{
sqlite3 *db = (sqlite3 *)db_scan;
unsigned int session_id = current_session_id;
if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
#ifdef CMD_LINE_ONLY_NO_DB
printf("\"Share\";\"file\";\"share\";\"path\";\"description\";\"type\";\"connexion\";\"session_id\";\r\n");
#endif
if (!LOCAL_SCAN)
{
//get in registry files
char file[MAX_PATH];
HK_F_OPEN hks;
HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
while(hitem!=NULL)
{
file[0] = 0;
GetTextFromTrv(hitem, file, MAX_PATH);
if (file[0] != 0)
{
//open file + verify
if(OpenRegFiletoMem(&hks, file))
{
EnumShare(&hks, session_id, db, "ControlSet001\\Services\\LanmanServer\\Shares");
EnumShare(&hks, session_id, db, "ControlSet002\\Services\\LanmanServer\\Shares");
EnumShare(&hks, session_id, db, "ControlSet003\\Services\\LanmanServer\\Shares");
EnumShare(&hks, session_id, db, "ControlSet004\\Services\\LanmanServer\\Shares");
CloseRegFiletoMem(&hks);
}
}
hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
}
}else
{
//init
HMODULE hDLL = LoadLibrary("NETAPI32.dll");
if (hDLL == NULL)return 0;
typedef NET_API_STATUS (WINAPI *NETAPIBUFFERFREE)(LPVOID Buffer);
NETAPIBUFFERFREE NetApiBufferFree = (NETAPIBUFFERFREE) GetProcAddress(hDLL,"NetApiBufferFree");
typedef NET_API_STATUS (WINAPI *NETSHAREENUM)(LPWSTR servername, DWORD level, LPBYTE* bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, LPDWORD resume_handle);
NETSHAREENUM NetShareEnum = (NETSHAREENUM) GetProcAddress(hDLL,"NetShareEnum");
if (NetApiBufferFree != NULL && NetShareEnum != NULL )
{
NET_API_STATUS res;
PSHARE_INFO_502 buffer,p;
DWORD nb=0,tr=0,i;
char share[DEFAULT_TMP_SIZE], path[MAX_PATH], description[MAX_PATH], type[DEFAULT_TMP_SIZE], connexion[DEFAULT_TMP_SIZE];
do
{
res = NetShareEnum (0, 502, (LPBYTE *) &buffer,MAX_PREFERRED_LENGTH, &nb, &tr,0);
if(res != ERROR_SUCCESS && res != ERROR_MORE_DATA)break;
for(i=1,p=buffer;i<=nb;i++,p++)
{
snprintf(share,DEFAULT_TMP_SIZE,"%S",p->shi502_netname);
snprintf(path,MAX_PATH,"%S",p->shi502_path);
snprintf(description,MAX_PATH,"%S",p->shi502_remark);
switch(p->shi502_type)
{
case STYPE_DISKTREE: strncpy(type,"DISKTREE",DEFAULT_TMP_SIZE);break;
case STYPE_PRINTQ: strncpy(type,"PRINT",DEFAULT_TMP_SIZE);break;
case STYPE_DEVICE: strncpy(type,"DEVICE",DEFAULT_TMP_SIZE);break;
case STYPE_IPC: strncpy(type,"IPC",DEFAULT_TMP_SIZE);break;
case STYPE_SPECIAL: strncpy(type,"SPECIAL",DEFAULT_TMP_SIZE);break;
case 0x40000000: strncpy(type,"TEMPORARY",DEFAULT_TMP_SIZE);break;
case -2147483645: strncpy(type,"RPC",DEFAULT_TMP_SIZE);break;
default : snprintf(type,DEFAULT_TMP_SIZE,"UNKNOW (%lu)",p->shi502_type);break;
}
if (p->shi502_max_uses==-1)
snprintf(connexion,DEFAULT_TMP_SIZE,"%lu/-",p->shi502_current_uses);
else snprintf(connexion,DEFAULT_TMP_SIZE,"%lu/%lu",p->shi502_current_uses,p->shi502_max_uses);
convertStringToSQL(path, MAX_PATH);
convertStringToSQL(description, MAX_PATH);
addSharetoDB("",share, path, description, type, connexion, session_id, db);
}
}while(res==ERROR_MORE_DATA);
}
FreeLibrary(hDLL);
}
if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan
h_thread_test[(unsigned int)lParam] = 0;
return 0;
}
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
DWORD WINAPI Scan_registry_user(LPVOID lParam)
{
//init
sqlite3 *db = (sqlite3 *)db_scan;
unsigned int session_id = current_session_id;
char file[MAX_PATH], file_SAM[MAX_PATH]="";
HK_F_OPEN hks;
char sk[MAX_PATH]="";
char computer[DEFAULT_TMP_SIZE]="";
BOOL ok_computer = FALSE;
//files or local
if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
if (hitem!=NULL || !LOCAL_SCAN) //files
{
while(hitem!=NULL)
{
file[0] = 0;
GetTextFromTrv(hitem, file, MAX_PATH);
if (file[0] != 0)
{
charToLowChar(file);
//check for SAM files
if ((Contient(file,"sam")) && file_SAM[0] == 0)
{
strcpy(file_SAM,file);
hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
continue;
}
//open file + verify
if(OpenRegFiletoMem(&hks, file))
{
//get syskey
registry_syskey_file(&hks, sk, MAX_PATH);
if (!ok_computer)
{
char tmp[DEFAULT_TMP_SIZE]="";
Readnk_Value(hks.buffer, hks.taille_fic, (hks.pos_fhbin)+HBIN_HEADER_SIZE, hks.position, "ControlSet001\\Control\\ComputerName\\ComputerName", NULL,"ComputerName", tmp, DEFAULT_TMP_SIZE);
if (tmp[0]!=0)
{
strcpy(computer,tmp);
ok_computer = TRUE;
}
}
Scan_registry_user_file(&hks, db, session_id,computer);
CloseRegFiletoMem(&hks);
}
}
hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
}
//SAM file in last
if (file_SAM[0] != 0)
{
//open file + verify
if(OpenRegFiletoMem(&hks, file_SAM))
{
Scan_registry_user_file(&hks, db, session_id,computer);
CloseRegFiletoMem(&hks);
}
}
}else Scan_registry_user_local(db, session_id);
if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan
h_thread_test[(unsigned int)lParam] = 0;
return 0;
}