//------------------------------------------------------------------------------ BOOL registry_syskey_file(HK_F_OPEN *hks, char*sk, unsigned int sk_size) { char cJD[SZ_PART_SYSKEY]="", cSkew1[SZ_PART_SYSKEY]="", cGBG[SZ_PART_SYSKEY]="", cData[SZ_PART_SYSKEY]=""; if(Readnk_Class(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, "ControlSet001\\Control\\Lsa\\JD", NULL, cJD, SZ_PART_SYSKEY)==FALSE) return FALSE; if(Readnk_Class(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, "ControlSet001\\Control\\Lsa\\Skew1", NULL, cSkew1, SZ_PART_SYSKEY)==FALSE) return FALSE; if(Readnk_Class(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, "ControlSet001\\Control\\Lsa\\GBG", NULL, cGBG, SZ_PART_SYSKEY)==FALSE) return FALSE; if(Readnk_Class(hks->buffer, hks->taille_fic, (hks->pos_fhbin)+HBIN_HEADER_SIZE, hks->position, "ControlSet001\\Control\\Lsa\\Data", NULL, cData, SZ_PART_SYSKEY)==FALSE) return FALSE; //traitement return SyskeyExtract(cJD, cSkew1, cGBG, cData, sk, sk_size); }
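//------------------------------------------------------------------------------
/* Upper bound on key nesting followed while walking a hive image.  Windows
 * caps the registry at 512 levels, so anything deeper comes from a corrupt
 * or crafted file; stopping there keeps a bad subkey chain from recursing
 * until the stack is exhausted. */
enum { REG_MAX_DEPTH = 512 };

/* Maps a value-type code to the label shown in the list view and the icon
 * used for the tree-view node.  Returns NULL (icon = unknown) for codes the
 * viewer has no name for, so the caller can print the raw type number. */
static const char *reg_value_type_label(DWORD type, int *icon)
{
    switch (type) {
    case 0x00000000: *icon = ICON_FILE_UNKNOW_REG; return "REG_NONE";
    case 0x00000001: *icon = ICON_FILE_TXT_REG;    return "REG_SZ";
    case 0x00000002: *icon = ICON_FILE_TXT_REG;    return "REG_EXPAND_SZ";
    case 0x00000003: *icon = ICON_FILE_BIN_REG;    return "REG_BINARY";
    case 0x00000004: /* fallthrough: big-endian DWORD is labelled like a DWORD, as before */
    case 0x00000005: *icon = ICON_FILE_DWORD_REG;  return "REG_DWORD";
    case 0x00000006: *icon = ICON_FILE_BIN_REG;    return "REG_LINK";
    case 0x00000007: *icon = ICON_FILE_TXT_REG;    return "REG_MULTI_SZ";
    case 0x0000000A: *icon = ICON_FILE_BIN_REG;    return "REG_RESOURCE_REQUIREMENTS_LIST";
    case 0x0000000B: *icon = ICON_FILE_DWORD_REG;  return "REG_QWORD";
    default:         *icon = ICON_FILE_UNKNOW_REG; return NULL;
    }
}

/* Depth-first walk of one nk cell: recurses into every subkey (each gets a
 * tree node under hparent), then emits one list-view row per value of this
 * key, or a single empty row when the key has neither values nor subkeys.
 * parent is the display path ending in '\'; root is the same path without
 * the trailing separator.  depth is the recursion level, bounded by
 * REG_MAX_DEPTH. */
static void read_arbo_level(HK_F_OPEN *hks, HBIN_CELL_NK_HEADER *nk_h, char *reg_file,
                            HTREEITEM hparent, char *parent, char *root,
                            HANDLE hlv, HANDLE htv, unsigned depth)
{
    /* Nothing to show for a missing cell; a chain deeper than any real hive
     * is treated as malformed input rather than followed. */
    if (nk_h == NULL || depth > REG_MAX_DEPTH) {
        return;
    }

    /* Subkeys first.  GetSubNK() with index 0 and no buffer returns the count. */
    char tmp_key[MAX_PATH], tmp_root[MAX_PATH], tmp_parent[MAX_PATH];
    DWORD nbSubKey = GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, 0, NULL, 0);
    for (DWORD i = 0; i < nbSubKey; i++) {
        if (!GetSubNK(hks->buffer, hks->taille_fic, nk_h, hks->position, i, tmp_key, MAX_PATH)) {
            continue;
        }
        /* Two spellings of the child path are carried: "parent\key\" and "root\key". */
        snprintf(tmp_parent, MAX_PATH, "%s%s\\", parent, tmp_key);
        snprintf(tmp_root, MAX_PATH, "%s\\%s", root, tmp_key);
        read_arbo_level(hks,
                        GetSubNKtonk(hks->buffer, hks->taille_fic, nk_h, hks->position, i),
                        reg_file,
                        AddItemTreeViewImg(htv, tmp_key, hparent, ICON_DIRECTORY_REG),
                        tmp_parent, tmp_root, hlv, htv, depth + 1);
    }

    /* Row template for this key.  The info buffers start empty so a failed
     * Readnk_Infos() leaves empty columns instead of uninitialised bytes. */
    LINE_ITEM lv_line[DLG_REG_LV_NB_COLUMN];
    char parent_key_update[DATE_SIZE_MAX] = "";
    char Owner_SID[MAX_PATH] = "";
    char tmp_value_trv[MAX_PATH];

    /* Columns 0 and 1 are the same for every row; snprintf always terminates
     * (strncpy would not on a long reg_file/parent). */
    snprintf(lv_line[0].c, MAX_LINE_SIZE, "%s", reg_file);
    snprintf(lv_line[1].c, MAX_LINE_SIZE, "%s", parent);
    lv_line[7].c[0] = 0;   /* deleted = no view in this state */
    lv_line[8].c[0] = 0;

    /* Key timestamp and owner SID. */
    Readnk_Infos(hks->buffer, hks->taille_fic, (hks->pos_fhbin), hks->position,
                 NULL, nk_h, parent_key_update, DATE_SIZE_MAX, NULL, 0, Owner_SID, MAX_PATH);
    /* Class name into column 8, bounded by the column width (MAX_LINE_SIZE,
     * the bound the other column copies use) rather than MAX_PATH.
     * NOTE(review): assumes LINE_ITEM.c holds MAX_LINE_SIZE bytes — confirm. */
    Readnk_Class(hks->buffer, hks->taille_fic, (hks->pos_fhbin) + HBIN_HEADER_SIZE,
                 hks->position, NULL, nk_h, lv_line[8].c, MAX_LINE_SIZE);

    /* One row and one tree node per value.  GetValueData() with index 0 and
     * no buffers returns the count; with buffers it returns the type code. */
    DWORD nbSubValue = GetValueData(hks->buffer, hks->taille_fic, nk_h,
                                    (hks->pos_fhbin) + HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
    for (DWORD i = 0; i < nbSubValue; i++) {
        DWORD type = GetValueData(hks->buffer, hks->taille_fic, nk_h,
                                  (hks->pos_fhbin) + HBIN_HEADER_SIZE, i,
                                  lv_line[2].c, MAX_LINE_SIZE, lv_line[3].c, MAX_LINE_SIZE);
        int icon = ICON_FILE_UNKNOW_REG;
        const char *label = reg_value_type_label(type, &icon);
        if (label != NULL) {
            snprintf(lv_line[4].c, MAX_LINE_SIZE, "%s", label);
            snprintf(tmp_value_trv, MAX_PATH, "%s=%s", lv_line[2].c, lv_line[3].c);
        } else {
            /* Unnamed type: show the raw code.  DWORD is unsigned long, hence %lX. */
            snprintf(lv_line[4].c, MAX_LINE_SIZE, "%s", "UNKNOW");
            snprintf(tmp_value_trv, MAX_PATH, "%s=(type:0x%08lX)%s",
                     lv_line[2].c, (unsigned long)type, lv_line[3].c);
        }
        AddItemTreeViewImg(htv, tmp_value_trv, hparent, icon);

        snprintf(lv_line[5].c, MAX_LINE_SIZE, "%s", parent_key_update);
        snprintf(lv_line[6].c, MAX_LINE_SIZE, "%s", Owner_SID);
        AddToLVRegBin(hlv, lv_line, DLG_REG_LV_NB_COLUMN);
    }

    /* A key with neither values nor subkeys still gets one (empty) row so it is listed. */
    if (nbSubValue < 1 && nk_h->nb_subkeys < 1) {
        lv_line[2].c[0] = 0;
        lv_line[3].c[0] = 0;
        lv_line[4].c[0] = 0;
        snprintf(lv_line[5].c, MAX_LINE_SIZE, "%s", parent_key_update);
        snprintf(lv_line[6].c, MAX_LINE_SIZE, "%s", Owner_SID);
        AddToLVRegBin(hlv, lv_line, DLG_REG_LV_NB_COLUMN);
    }

    /* Progress in the dialog's status bar every 1000 rows (h_reg and STB are
     * file-level dialog handles). */
    DWORD nb = ListView_GetItemCount(hlv);
    if (nb % 1000 == 0) {
        char tmp[MAX_PATH];
        snprintf(tmp, MAX_PATH, "Loading... %lu keys", nb);
        SendMessage(GetDlgItem(h_reg, STB), SB_SETTEXT, 0, (LPARAM)tmp);
    }
}

/* Walks the key tree of an opened raw hive starting at nk_h, filling the
 * tree view htv (nodes under hparent) and the list view hlv with one row per
 * value.  reg_file is the hive's file name shown in column 0; parent is the
 * display path of nk_h ending in '\'; root the same path without it.
 * A NULL nk_h is a no-op. */
void ReadArboRawRegFile(HK_F_OPEN *hks, HBIN_CELL_NK_HEADER *nk_h, char *reg_file,
                        HTREEITEM hparent, char *parent, char *root, HANDLE hlv, HANDLE htv)
{
    read_arbo_level(hks, nk_h, reg_file, hparent, parent, root, hlv, htv, 0);
}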