diff --git a/trunk/fred.pro b/trunk/fred.pro
index 0117df8..2102e5c 100644
--- a/trunk/fred.pro
+++ b/trunk/fred.pro
@@ -1,106 +1,105 @@
#*******************************************************************************
# fred Copyright (c) 2011 by Gillen Daniel <gillen.dan@pinguin.lu> *
# *
# Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor *
# with special feautures useful during forensic analysis. *
# *
# This program is free software: you can redistribute it and/or modify it *
# under the terms of the GNU General Public License as published by the Free *
# Software Foundation, either version 3 of the License, or (at your option) *
# any later version. *
# *
# This program is distributed in the hope that it will be useful, but WITHOUT *
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
# more details. *
# *
# You should have received a copy of the GNU General Public License along with *
# this program. If not, see <http://www.gnu.org/licenses/>. *
#******************************************************************************/
# Generate compileinfo.h
system(bash compileinfo.sh > compileinfo.h)
#compileinfo.target = compileinfo.h
#compileinfo.commands = $$PWD/compileinfo.sh > compileinfo.h
#QMAKE_EXTRA_TARGETS += compileinfo
#PRE_TARGETDEPS += compileinfo.h
# Build fred
QMAKE_CXXFLAGS += -Wall
QT += core \
gui \
script \
webkit
TARGET = fred
TEMPLATE = app
SOURCES += main.cpp\
mainwindow.cpp \
registrynode.cpp \
registrynodetreemodel.cpp \
registrykey.cpp \
registrykeytablemodel.cpp \
dlgabout.cpp \
dlgkeydetails.cpp \
qhexedit/qhexedit_p.cpp \
qhexedit/qhexedit.cpp \
datainterpreter.cpp \
reporttemplate.cpp \
datareporter.cpp \
datareporterengine.cpp \
registryhive.cpp \
qtscript_types/bytearray.cpp \
qtscript_types/bytearrayprototype.cpp \
qtscript_types/bytearrayiterator.cpp \
dlgreportviewer.cpp \
registrykeytable.cpp \
registrynodetree.cpp \
dlgsearch.cpp \
threadsearch.cpp \
searchresultwidget.cpp \
tabwidget.cpp
HEADERS += mainwindow.h \
registrynode.h \
registrynodetreemodel.h \
registrykey.h \
registrykeytablemodel.h \
dlgabout.h \
dlgkeydetails.h \
qhexedit/qhexedit_p.h \
qhexedit/qhexedit.h \
datainterpreter.h \
reporttemplate.h \
datareporter.h \
datareporterengine.h \
registryhive.h \
qtscript_types/bytearray.h \
qtscript_types/bytearrayprototype.h \
qtscript_types/bytearrayiterator.h \
dlgreportviewer.h \
registrykeytable.h \
registrynodetree.h \
dlgsearch.h \
threadsearch.h \
searchresultwidget.h \
tabwidget.h
FORMS += mainwindow.ui \
dlgabout.ui \
dlgkeydetails.ui \
dlgreportviewer.ui \
dlgsearch.ui
#LIBS += -lhivex
LIBS += $$PWD/hivex/lib/.libs/libhivex.a \
- -liconv
#DEFINES += __STDC_FORMAT_MACROS
RESOURCES += fred.qrc
RC_FILE = fred.rc
ICON = resources/fred.icns
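Review bot: Dropping `-liconv` while still linking the static `$$PWD/hivex/lib/.libs/libhivex.a` leaves that archive's own dependencies to be satisfied by whatever the system libc provides; as far as I know libhivex uses iconv for its UTF-16LE conversions, so the link will work where iconv lives in libc (glibc) but may fail on the macOS and Windows targets this .pro also provisions for via `ICON` and `RC_FILE`. If the removal is meant for one platform only, a scoped line such as `macx|win32: LIBS += -liconv` keeps the dependency where it is still needed without reintroducing it elsewhere. A short comment next to the `LIBS` line recording why the flag was dropped would stop the next contributor from re-adding it blindly.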
diff --git a/trunk/qtscript_types/bytearrayprototype.cpp b/trunk/qtscript_types/bytearrayprototype.cpp
index dca2279..1edfb07 100644
--- a/trunk/qtscript_types/bytearrayprototype.cpp
+++ b/trunk/qtscript_types/bytearrayprototype.cpp
@@ -1,93 +1,98 @@
/*******************************************************************************
* Copyright (c) 2011 by Gillen Daniel <gillen.dan@pinguin.lu> *
* *
* Derived from code by Nokia Corporation and/or its subsidiary(-ies) under a *
* compatible license: *
* *
* Copyright (C) 2009 Nokia Corporation and/or its subsidiary(-ies). *
* All rights reserved. *
* *
* This program is free software: you can redistribute it and/or modify it *
* under the terms of the GNU General Public License as published by the Free *
* Software Foundation, either version 3 of the License, or (at your option) *
* any later version. *
* *
* This program is distributed in the hope that it will be useful, but WITHOUT *
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
* more details. *
* *
* You should have received a copy of the GNU General Public License along with *
* this program. If not, see <http://www.gnu.org/licenses/>. *
*******************************************************************************/
#include "bytearrayprototype.h"
#include <QtScript/QScriptEngine>
Q_DECLARE_METATYPE(QByteArray*)
ByteArrayPrototype::ByteArrayPrototype(QObject *p_parent) : QObject(p_parent) {}
ByteArrayPrototype::~ByteArrayPrototype() {}
QByteArray *ByteArrayPrototype::thisByteArray() const {
return qscriptvalue_cast<QByteArray*>(thisObject().data());
}
void ByteArrayPrototype::chop(int n) {
thisByteArray()->chop(n);
}
bool ByteArrayPrototype::equals(const QByteArray &other) {
return *thisByteArray()==other;
}
QByteArray ByteArrayPrototype::left(int len) const {
return thisByteArray()->left(len);
}
QByteArray ByteArrayPrototype::mid(int pos, int len) const {
return thisByteArray()->mid(pos,len);
}
QScriptValue ByteArrayPrototype::remove(int pos, int len) {
thisByteArray()->remove(pos,len);
return thisObject();
}
+QScriptValue ByteArrayPrototype::appendByte(char byte) const {
+ thisByteArray()->append(byte);
+ return thisObject();
+}
+
QByteArray ByteArrayPrototype::right(int len) const {
return thisByteArray()->right(len);
}
QByteArray ByteArrayPrototype::simplified() const {
return thisByteArray()->simplified();
}
QByteArray ByteArrayPrototype::toBase64() const {
return thisByteArray()->toBase64();
}
QByteArray ByteArrayPrototype::toLower() const {
return thisByteArray()->toLower();
}
QByteArray ByteArrayPrototype::toUpper() const {
return thisByteArray()->toUpper();
}
QByteArray ByteArrayPrototype::trimmed() const {
return thisByteArray()->trimmed();
}
void ByteArrayPrototype::truncate(int pos) {
thisByteArray()->truncate(pos);
}
QString ByteArrayPrototype::toLatin1String() const {
return QString::fromLatin1(*thisByteArray());
}
QScriptValue ByteArrayPrototype::valueOf() const {
return thisObject().data();
}
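Review bot: `appendByte` is declared `const` yet mutates the wrapped array through the pointer returned by `thisByteArray()`, which is inconsistent with the other mutators in this file (`chop`, `remove`, `truncate` are non-const) and hides the side effect from readers; drop the qualifier here and in the matching declaration added in bytearrayprototype.h, `QScriptValue ByteArrayPrototype::appendByte(char byte) {`. The new method also dereferences `thisByteArray()` unconditionally, and as far as I recall `qscriptvalue_cast<QByteArray*>` yields a null pointer when the script invokes the method on an object whose data is not a QByteArray*, so a guard such as `if (QByteArray *p_ba = thisByteArray()) p_ba->append(byte);` would turn a template mistake into a no-op instead of a crash (the existing methods share this weakness, but the new one need not). A one-line comment stating that the byte is appended in place and `thisObject()` is returned to allow chaining would also help, since the return value differs from the `QByteArray`-returning siblings.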
diff --git a/trunk/qtscript_types/bytearrayprototype.h b/trunk/qtscript_types/bytearrayprototype.h
index adc2a5e..f55f61d 100644
--- a/trunk/qtscript_types/bytearrayprototype.h
+++ b/trunk/qtscript_types/bytearrayprototype.h
@@ -1,60 +1,61 @@
/*******************************************************************************
* Copyright (c) 2011 by Gillen Daniel <gillen.dan@pinguin.lu> *
* *
* Derived from code by Nokia Corporation and/or its subsidiary(-ies) under a *
* compatible license: *
* *
* Copyright (C) 2009 Nokia Corporation and/or its subsidiary(-ies). *
* All rights reserved. *
* *
* This program is free software: you can redistribute it and/or modify it *
* under the terms of the GNU General Public License as published by the Free *
* Software Foundation, either version 3 of the License, or (at your option) *
* any later version. *
* *
* This program is distributed in the hope that it will be useful, but WITHOUT *
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
* more details. *
* *
* You should have received a copy of the GNU General Public License along with *
* this program. If not, see <http://www.gnu.org/licenses/>. *
*******************************************************************************/
#ifndef BYTEARRAYPROTOTYPE_H
#define BYTEARRAYPROTOTYPE_H
#include <QByteArray>
#include <QObject>
#include <QtScript/QScriptable>
#include <QtScript/QScriptValue>
class ByteArrayPrototype : public QObject, public QScriptable {
Q_OBJECT
-
+
public:
ByteArrayPrototype(QObject *p_parent=0);
~ByteArrayPrototype();
public slots:
void chop(int n);
bool equals(const QByteArray &other);
QByteArray left(int len) const;
QByteArray mid(int pos, int len = -1) const;
QScriptValue remove(int pos, int len);
+ QScriptValue appendByte(char byte) const;
QByteArray right(int len) const;
QByteArray simplified() const;
QByteArray toBase64() const;
QByteArray toLower() const;
QByteArray toUpper() const;
QByteArray trimmed() const;
void truncate(int pos);
QString toLatin1String() const;
QScriptValue valueOf() const;
private:
QByteArray *thisByteArray() const;
};
#endif // BYTEARRAYPROTOTYPE_H
diff --git a/trunk/report_templates/SAM_UserAccounts.qs b/trunk/report_templates/SAM_UserAccounts.qs
index 94a9616..7ae130a 100644
--- a/trunk/report_templates/SAM_UserAccounts.qs
+++ b/trunk/report_templates/SAM_UserAccounts.qs
@@ -1,81 +1,84 @@
// See http://windowsir.blogspot.com/2006/08/getting-user-info-from-image.html
function print_table_row(cell01,cell02) {
println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
}
function print_v_info(v_key_value,info_name,str_off) {
var offset=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off))+0x0cc;
var len=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off+4))/2;
if(len>0) print_table_row(info_name,RegistryKeyValueToVariant(v_key_value,"utf16",offset,len));
}
println("<html>");
println(" <head><title>User Accounts</title></head>");
println(" <body style=\"font-size:12\">");
println(" <h2>User accounts</h2>");
// Iterate over all user names
var user_names=GetRegistryNodes("\\SAM\\Domains\\Account\\Users\\Names");
for(var i=0;i<user_names.length;i++) {
println(" <p style=\"font-size:12; white-space:nowrap\">");
// Print user name
println(" <u>",user_names[i],"</u><br />");
println(" <table style=\"margin-left:20px; font-size:12\">");
// Get user rid stored in "default" key
var user_rid=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\Names\\",user_names[i]),"");
user_rid=RegistryKeyTypeToString(user_rid.type);
println(" <tr><td>RID:</td><td>",Number(user_rid).toString(10)," (",user_rid,")","</td></tr>");
// RegistryKeyTypeToString returns the rid prepended with "0x". We have to remove that for further processing
user_rid=String(user_rid).substr(2);
// Get user's V key and print various infos
var v_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"V");
print_v_info(v_key.value,"Full name:",0x18);
print_v_info(v_key.value,"Comment:",0x24);
print_v_info(v_key.value,"Home directory:",0x48);
print_v_info(v_key.value,"Home directory drive:",0x54);
print_v_info(v_key.value,"Logon script path:",0x60);
print_v_info(v_key.value,"Profile path:",0x6c);
// Get user's F key and print various infos
var f_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"F");
print_table_row("Last login time:",RegistryKeyValueToVariant(f_key.value,"filetime",8));
print_table_row("Last pw change:",RegistryKeyValueToVariant(f_key.value,"filetime",24));
print_table_row("Last failed login:",RegistryKeyValueToVariant(f_key.value,"filetime",40));
print_table_row("Account expires:",RegistryKeyValueToVariant(f_key.value,"filetime",32));
print_table_row("Total logins:",RegistryKeyValueToVariant(f_key.value,"uint16",66));
print_table_row("Failed logins:",RegistryKeyValueToVariant(f_key.value,"uint16",64));
var acc_flags=Number(RegistryKeyValueToVariant(f_key.value,"uint16",56));
print(" <tr><td>Account flags:</td><td>");
if(acc_flags&0x0001) print("Disabled ");
if(acc_flags&0x0002) print("HomeDirReq ");
if(acc_flags&0x0004) print("PwNotReq ");
if(acc_flags&0x0008) print("TempDupAcc ");
// I don't think this would be useful to show
//if(acc_flags&0x0010) print("NormUserAcc ");
if(acc_flags&0x0020) print("MnsAcc ");
if(acc_flags&0x0040) print("DomTrustAcc ");
if(acc_flags&0x0080) print("WksTrustAcc ");
if(acc_flags&0x0100) print("SrvTrustAcc ");
if(acc_flags&0x0200) print("NoPwExpiry ");
if(acc_flags&0x0400) print("AccAutoLock ");
println("</td></tr>");
// Get password hint if available
var hint=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"UserPasswordHint");
if(typeof hint !== 'undefined') {
- print_table_row("Password hint:",RegistryKeyValueToVariant(hint.value,"utf16",0));
+ // Append missing trailing utf16 zero byte
+ hint.value.appendByte(0);
+ hint.value.appendByte(0);
+ print_table_row("Password hint:",RegistryKeyValueToVariant(hint.value,"utf16"));
}
// TODO: User group membership
println(" </table>");
println(" </p>");
}
println("</html>");
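Review bot: The changed `print_table_row("Password hint:", ...)` line still passes the hint straight into the HTML table without escaping, and the hint is data read from the evidence hive (as are the user names and the V-key strings printed earlier in this template), so a hive whose hint contains `<`, `>` or `&` would be rendered as markup by the WebKit-based report viewer rather than shown as text. Escaping once inside `print_table_row`, e.g. `function html_escape(s) { return String(s).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;"); }` applied to both cells, would close this for every row in the report. Separately, `hint.value.appendByte(0)` mutates the returned value object in place; if `GetRegistryKeyValue` hands back a shared or cached byte array rather than a fresh copy, every run of the template would append two more zero bytes to it — worth confirming against the host implementation, or appending to a copy instead.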
