diff --git a/trunk/datareporter.cpp b/trunk/datareporter.cpp
index b547870..42dd36f 100644
--- a/trunk/datareporter.cpp
+++ b/trunk/datareporter.cpp
@@ -1,200 +1,201 @@
/*******************************************************************************
* fred Copyright (c) 2011-2013 by Gillen Daniel <gillen.dan@pinguin.lu> *
* *
* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor *
* with special feautures useful during forensic analysis. *
* *
* This program is free software: you can redistribute it and/or modify it *
* under the terms of the GNU General Public License as published by the Free *
* Software Foundation, either version 3 of the License, or (at your option) *
* any later version. *
* *
* This program is distributed in the hope that it will be useful, but WITHOUT *
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
* more details. *
* *
* You should have received a copy of the GNU General Public License along with *
* this program. If not, see <http://www.gnu.org/licenses/>. *
*******************************************************************************/
#include "datareporter.h"
#include <QDir>
#include <QTextStream>
#include <QtScript/QScriptEngine>
#include <QMessageBox>
DataReporter::DataReporter() {
this->report_templates.clear();
//this->p_report_engine=new DataReporterEngine();
}
DataReporter::~DataReporter() {
//delete this->p_report_engine;
qDeleteAll(this->report_templates);
}
void DataReporter::LoadReportTemplates(QString dir) {
QString report_template="";
int i=0;
int ii=0;
bool found=false;
QString report_category="";
QString report_name="";
ReportTemplate *p_report;
// Get all template files in report_templates directory
QDir report_dir(dir);
QStringList found_report_templates=report_dir.
entryList(QStringList()<<"*.qs");
for(i=0;i<found_report_templates.count();i++) {
// Build complete path to template file
report_template=report_dir.path();
report_template.append(QDir::separator());
report_template.append(found_report_templates.value(i));
// Extract report category and name from file name (<category>_<name>.qs)
report_category=found_report_templates.value(i).left(
found_report_templates.value(i).indexOf("_"));
report_name=found_report_templates.value(i).mid(
found_report_templates.value(i).indexOf("_")+1);
report_name=report_name.left(report_name.lastIndexOf("."));
// Check if a report with the same category/name was already added
found=false;
for(ii=0;ii<this->report_templates.count();ii++) {
if(this->report_templates.at(ii)->Category()==report_category &&
this->report_templates.at(ii)->Name()==report_name)
{
found=true;
break;
}
}
if(!found) {
// Add report to list
- p_report=new ReportTemplate(report_category,
+ p_report=new ReportTemplate(report_template,
+ report_category,
report_name,
- report_template);
+ "","","");
this->report_templates.append(p_report);
} else {
// Update report entry
p_report=this->report_templates.at(ii);
p_report->SetFile(report_template);
}
}
}
QStringList DataReporter::GetAvailableReportCategories() {
QStringList ret;
QString cat;
int i=0;
ret.clear();
for(i=0;i<this->report_templates.count();i++) {
cat=this->report_templates.value(i)->Category();
if(!ret.contains(cat)) ret.append(cat);
}
ret.sort();
return ret;
}
QStringList DataReporter::GetAvailableReports(QString category) {
QStringList ret;
QString cat;
int i=0;
ret.clear();
for(i=0;i<this->report_templates.count();i++) {
cat=this->report_templates.value(i)->Category();
if(cat==category) ret.append(this->report_templates.value(i)->Name());
}
ret.sort();
return ret;
}
QString DataReporter::GenerateReport(RegistryHive *p_hive,
QString report_category,
QString report_name)
{
int i=0;
ReportTemplate *p_report;
// Search report template
for(i=0;i<this->report_templates.count();i++) {
p_report=this->report_templates.value(i);
if(p_report->Category()!=report_category || p_report->Name()!=report_name) {
continue;
}
// Report template was found, now generate report and return result
return this->GenerateReport(p_hive,p_report->File());
}
// Report template couldn't be found
QMessageBox::critical(0,
"Report engine error",
QString("Unable to find report with name '%1' in category '%2'!")
.arg(report_name)
.arg(report_category));
return QString();
}
QString DataReporter::GenerateReport(RegistryHive *p_hive,
QString report_template,
bool console_mode)
{
QString report_code;
// Init data reporter engine
DataReporterEngine engine(p_hive);
QScriptValue hive_value=engine.newQObject(p_hive);
engine.globalObject().setProperty("RegistryHive",hive_value);
// Open report template
QFile template_file(report_template);
if(!template_file.open(QIODevice::ReadOnly | QIODevice::Text)) {
if(!console_mode) {
QMessageBox::critical(0,
"Report engine error",
QString("Couldn't open report template file '%1'!")
.arg(report_template));
} else {
printf("ERROR: Couldn't open report template file '%s'!\n",
report_template.toAscii().constData());
}
return QString();
}
// Read template file
QTextStream in(&template_file);
while(!in.atEnd()) report_code.append(in.readLine()).append("\n");
// Close report template file
template_file.close();
// Execute report template script
QScriptValue report_result=engine.evaluate(report_code,report_template);
if (report_result.isError() || engine.hasUncaughtException()) {
if(!console_mode) {
QMessageBox::critical(0,
"Report engine error",
QString::fromLatin1("File: %0\n Line: %1\nError: %2")
.arg(report_template)
.arg(report_result.property("lineNumber")
.toInt32())
.arg(report_result.toString()));
} else {
printf("ERROR: %s:%u: %s\n",
report_template.toAscii().constData(),
report_result.property("lineNumber").toInt32(),
report_result.toString().toAscii().constData());
}
return QString();
}
return engine.report_content;
}
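Review bot: The new construction at `p_report=new ReportTemplate(report_template,` passes three bare `""` literals as its trailing arguments, so a reader of this call site cannot tell which template properties are deliberately left empty or whether they are meant to be parsed from the template later. The updated `ReportTemplate` constructor is not part of this diff, so this is inferred from the call alone; a one-line comment at the call naming what the three empty strings stand for (the constructor's parameter names, which the diff does not show) or named empty locals would make the intent explicit. Note also that the `else` branch of the same `if(!found)` only refreshes the path via `p_report->SetFile(report_template);`, so if the constructor ever does populate those fields, an already-listed template would keep its stale values on reload.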
diff --git a/trunk/datareporterengine.cpp b/trunk/datareporterengine.cpp
index f9e3bb9..b798439 100644
--- a/trunk/datareporterengine.cpp
+++ b/trunk/datareporterengine.cpp
@@ -1,374 +1,378 @@
/*******************************************************************************
* fred Copyright (c) 2011-2013 by Gillen Daniel <gillen.dan@pinguin.lu> *
* *
* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor *
* with special feautures useful during forensic analysis. *
* *
* This program is free software: you can redistribute it and/or modify it *
* under the terms of the GNU General Public License as published by the Free *
* Software Foundation, either version 3 of the License, or (at your option) *
* any later version. *
* *
* This program is distributed in the hope that it will be useful, but WITHOUT *
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
* more details. *
* *
* You should have received a copy of the GNU General Public License along with *
* this program. If not, see <http://www.gnu.org/licenses/>. *
*******************************************************************************/
#include "datareporterengine.h"
#include <QString>
#include <QMap>
#include <QMapIterator>
#include <QStringList>
#include <QDateTime>
#include <stdio.h>
DataReporterEngine::DataReporterEngine(RegistryHive *p_hive) : QScriptEngine() {
// Init vars
this->p_registry_hive=p_hive;
this->report_content="";
// Add our constants
this->globalObject().setProperty("ENGINE_API_VERSION",
this->api_version,
QScriptValue::ReadOnly|
QScriptValue::Undeletable);
+ this->globalObject().setProperty("HIVE_FILE",
+ this->p_registry_hive->Filename(),
+ QScriptValue::ReadOnly|
+ QScriptValue::Undeletable);
// Add our types to engine
qScriptRegisterMetaType<s_RegistryKeyValue>(this,
this->RegistryKeyValueToScript,
this->RegistryKeyValueFromScript);
this->p_type_byte_array=new ByteArray(this);
this->globalObject().setProperty("ByteArray",
this->p_type_byte_array->constructor());
// Add our functions
// print
QScriptValue func_print=this->newFunction(this->Print);
this->globalObject().setProperty("print",func_print);
// println
QScriptValue func_println=this->newFunction(this->PrintLn);
this->globalObject().setProperty("println",func_println);
// GetRegistryNodes
QScriptValue func_get_nodes=this->newFunction(this->GetRegistryNodes,1);
func_get_nodes.setData(this->newQObject(this->p_registry_hive));
this->globalObject().setProperty("GetRegistryNodes",func_get_nodes);
// GetRegistryKeys
QScriptValue func_get_keys=this->newFunction(this->GetRegistryKeys,1);
func_get_keys.setData(this->newQObject(this->p_registry_hive));
this->globalObject().setProperty("GetRegistryKeys",func_get_keys);
// GetRegistryKeyValue
QScriptValue func_get_key_value=this->newFunction(this->GetRegistryKeyValue,
2);
func_get_key_value.setData(this->newQObject(this->p_registry_hive));
this->globalObject().setProperty("GetRegistryKeyValue",func_get_key_value);
// GetRegistryNodeModTime
QScriptValue func_get_node_modt=
this->newFunction(this->GetRegistryNodeModTime,1);
func_get_node_modt.setData(this->newQObject(this->p_registry_hive));
this->globalObject().setProperty("GetRegistryNodeModTime",func_get_node_modt);
// RegistryKeyValueToString
QScriptValue func_value_to_string=
this->newFunction(this->RegistryKeyValueToString,2);
this->globalObject().setProperty("RegistryKeyValueToString",
func_value_to_string);
// RegistryKeyValueToVariant
QScriptValue func_value_to_variant=
this->newFunction(this->RegistryKeyValueToVariant);
this->globalObject().setProperty("RegistryKeyValueToVariant",
func_value_to_variant);
// RegistryKeyTypeToString
QScriptValue func_type_to_string=
this->newFunction(this->RegistryKeyTypeToString,1);
this->globalObject().setProperty("RegistryKeyTypeToString",
func_type_to_string);
}
DataReporterEngine::~DataReporterEngine() {
delete this->p_type_byte_array;
}
QScriptValue DataReporterEngine::Print(QScriptContext *context,
QScriptEngine *engine)
{
int i;
QString content;
// Append all arguments to content
for(i=0;i<context->argumentCount();++i) {
//if(i>0) content.append(" ");
content.append(context->argument(i).toString());
}
//QScriptValue calleeData=context->callee().data();
//DataReporterEngine *engine=
// qobject_cast<DataReporterEngine*>(calleeData.toQObject());
qobject_cast<DataReporterEngine*>(engine)->report_content.append(content);
return engine->undefinedValue();
}
QScriptValue DataReporterEngine::PrintLn(QScriptContext *context,
QScriptEngine *engine)
{
int i;
QString content;
// Append all arguments to content
for(i=0;i<context->argumentCount();++i) {
//if(i>0) content.append(" ");
content.append(context->argument(i).toString());
}
qobject_cast<DataReporterEngine*>(engine)->
report_content.append(content).append("\n");
return engine->undefinedValue();
}
/*
* GetRegistryNodes
*/
QScriptValue DataReporterEngine::GetRegistryNodes(QScriptContext *context,
QScriptEngine *engine)
{
QScriptValue calleeData;
RegistryHive *p_hive;
QMap<QString,int> nodes;
QScriptValue ret_nodes;
int ii=0;
// This function needs one argument, parent node path
if(context->argumentCount()!=1) return engine->undefinedValue();
// Get calle data (Pointer to RegistryHive class)
calleeData=context->callee().data();
p_hive=qobject_cast<RegistryHive*>(calleeData.toQObject());
// Get nodes
nodes=p_hive->GetNodes(context->argument(0).toString());
if(p_hive->Error()) {
// Clear error state
p_hive->GetErrorMsg();
return engine->undefinedValue();
}
// Build script array
ret_nodes=engine->newArray(nodes.count());
QMapIterator<QString,int> i(nodes);
while(i.hasNext()) {
i.next();
ret_nodes.setProperty(ii++,QScriptValue(i.key()));
}
return ret_nodes;
}
/*
* GetRegistryKeys
*/
QScriptValue DataReporterEngine::GetRegistryKeys(QScriptContext *context,
QScriptEngine *engine)
{
QScriptValue calleeData;
RegistryHive *p_hive;
QMap<QString,int> keys;
QScriptValue ret_keys;
int ii=0;
// This function needs one argument, parent node path
if(context->argumentCount()!=1) return engine->undefinedValue();
// Get calle data (Pointer to RegistryHive class)
calleeData=context->callee().data();
p_hive=qobject_cast<RegistryHive*>(calleeData.toQObject());
// Get keys
keys=p_hive->GetKeys(context->argument(0).toString());
if(p_hive->Error()) {
// Clear error state
p_hive->GetErrorMsg();
return engine->undefinedValue();
}
//qDebug(QString("P: %1 A: %2").arg(context->argument(0).toString()).arg(keys.count()).toAscii().constData());
// Build script array
ret_keys=engine->newArray(keys.count());
QMapIterator<QString,int> i(keys);
while(i.hasNext()) {
i.next();
ret_keys.setProperty(ii++,QScriptValue(i.key()));
}
return ret_keys;
}
/*
* RegistryKeyValueToScript
*/
QScriptValue DataReporterEngine::RegistryKeyValueToScript(QScriptEngine *engine,
const
s_RegistryKeyValue
&s)
{
QScriptValue obj=engine->newObject();
obj.setProperty("type",s.type);
obj.setProperty("length",s.length);
ByteArray *p_byte_array=new ByteArray(engine);
obj.setProperty("value",p_byte_array->newInstance(s.value));
return obj;
}
/*
* RegistryKeyValueFromScriptValue
*/
void DataReporterEngine::RegistryKeyValueFromScript(const QScriptValue &obj,
s_RegistryKeyValue &s)
{
s.type=obj.property("type").toInt32();
s.length=obj.property("length").toInt32();
// TODO: Don't know if this works, but it probably does ;)
s.value=qvariant_cast<QByteArray>(obj.property("value").data().toVariant());
}
QScriptValue DataReporterEngine::GetRegistryKeyValue(QScriptContext *context,
QScriptEngine *engine)
{
QScriptValue calleeData;
RegistryHive *p_hive;
QByteArray key_value;
int key_type=0;
size_t key_length=0;
s_RegistryKeyValue script_key_value;
// This function needs two arguments, key path and key name
if(context->argumentCount()!=2) return engine->undefinedValue();
// Get calle data (Pointer to RegistryHive class)
calleeData=context->callee().data();
p_hive=qobject_cast<RegistryHive*>(calleeData.toQObject());
// Get key value
key_value=p_hive->GetKeyValue(context->argument(0).toString(),
context->argument(1).toString(),
&key_type,
&key_length);
if(p_hive->Error()) {
// Get error message to clear error state
p_hive->GetErrorMsg();
// printf("\nError: %s\n",p_hive->GetErrorMsg().toAscii().constData());
return engine->undefinedValue();
}
// Save key value to s_RegistryKeyValue struct
script_key_value.type=key_type;
script_key_value.length=key_length;
script_key_value.value=key_value;
return DataReporterEngine::RegistryKeyValueToScript(engine,script_key_value);
}
QScriptValue DataReporterEngine::RegistryKeyValueToString(
QScriptContext *context,
QScriptEngine *engine)
{
QByteArray key_value;
QString ret="";
// This function needs two arguments, key value and value type
if(context->argumentCount()!=2) return engine->undefinedValue();
// Cast ByteArray argument to QByteArray and convert
key_value=qvariant_cast<QByteArray>(context->argument(0).data().toVariant());
ret=RegistryHive::KeyValueToString(key_value,
context->argument(1).toInt32());
return engine->newVariant(ret);
}
QScriptValue DataReporterEngine::RegistryKeyValueToVariant(
QScriptContext *context,
QScriptEngine *engine)
{
int offset=0;
int length=-1;
bool little_endian=true;
QByteArray key_value;
QString format="";
QString ret="";
// This function needs at least two arguments, key value and variant type,
// and may have three optional arguments, offset, length and little_endian
if(context->argumentCount()<2 || context->argumentCount()>5) {
return engine->undefinedValue();
}
if(context->argumentCount()==3) {
offset=context->argument(2).toInt32();
}
if(context->argumentCount()==4) {
offset=context->argument(2).toInt32();
length=context->argument(3).toInt32();
}
if(context->argumentCount()==5) {
offset=context->argument(2).toInt32();
length=context->argument(3).toInt32();
little_endian=(context->argument(4).toInt32()==1);
}
// Cast ByteArray argument to QByteArray
key_value=qvariant_cast<QByteArray>(context->argument(0).data().toVariant());
format=context->argument(1).toString();
ret=RegistryHive::KeyValueToString(key_value,format,offset,length,little_endian);
return engine->newVariant(ret);
}
QScriptValue DataReporterEngine::RegistryKeyTypeToString(
QScriptContext *context,
QScriptEngine *engine)
{
QString ret="";
// This function needs one argument, key type
if(context->argumentCount()!=1) return engine->undefinedValue();
ret=RegistryHive::KeyTypeToString(context->argument(0).toInt32());
return engine->newVariant(ret);
}
QScriptValue DataReporterEngine::GetRegistryNodeModTime(
QScriptContext *context,
QScriptEngine *engine)
{
QScriptValue calleeData;
RegistryHive *p_hive;
int64_t mod_time=0;
// This function needs one argument, node path
if(context->argumentCount()!=1) return engine->undefinedValue();
// Get calle data (Pointer to RegistryHive class)
calleeData=context->callee().data();
p_hive=qobject_cast<RegistryHive*>(calleeData.toQObject());
mod_time=p_hive->GetNodeModTime(context->argument(0).toString());
if(p_hive->Error()) {
// Get error message to clear error state
p_hive->GetErrorMsg();
return engine->undefinedValue();
}
QDateTime date_time;
date_time.setTimeSpec(Qt::UTC);
date_time.setTime_t(RegistryHive::FiletimeToUnixtime(mod_time));
return engine->newVariant(date_time.toString("yyyy/MM/dd hh:mm:ss"));
}
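Review bot: The added `HIVE_FILE` block dereferences `this->p_registry_hive->Filename()` inside the constructor without checking that `p_hive` is non-null; before this change the constructor only stored the pointer and handed it to functions via `setData`, so a caller passing a null hive would now crash at construction rather than at the first script call. If a null hive is a state callers can produce, guard the new block with `if(this->p_registry_hive!=NULL)` and document that `HIVE_FILE` is then undefined. Separately, the property exposes the hive's full local path to every report script, which means the analyst's filesystem layout can end up verbatim in generated report output; a comment on the property stating that this is intended, or exposing only the base name where the full path is not needed, would make that choice visible to maintainers.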
diff --git a/trunk/dlgreportchooser.cpp b/trunk/dlgreportchooser.cpp
new file mode 100644
index 0000000..223fb92
--- /dev/null
+++ b/trunk/dlgreportchooser.cpp
@@ -0,0 +1,94 @@
+/*******************************************************************************
+* fred Copyright (c) 2011-2013 by Gillen Daniel <gillen.dan@pinguin.lu> *
+* *
+* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor *
+* with special feautures useful during forensic analysis. *
+* *
+* This program is free software: you can redistribute it and/or modify it *
+* under the terms of the GNU General Public License as published by the Free *
+* Software Foundation, either version 3 of the License, or (at your option) *
+* any later version. *
+* *
+* This program is distributed in the hope that it will be useful, but WITHOUT *
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
+* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
+* more details. *
+* *
+* You should have received a copy of the GNU General Public License along with *
+* this program. If not, see <http://www.gnu.org/licenses/>. *
+*******************************************************************************/
+
+#include "dlgreportchooser.h"
+#include "ui_dlgreportchooser.h"
+
+#include <QString>
+#include <QStringList>
+#include <QListIterator>
+
+DlgReportChooser::DlgReportChooser(Reports *p_reps, QWidget *p_parent)
+ : QDialog(p_parent), ui(new Ui::DlgReportChooser)
+{
+ QTreeWidgetItem *p_category;
+ QTreeWidgetItem *p_category_report;
+
+ this->ui->setupUi(this);
+
+ // Save values for later use
+ this->p_reports=p_reps;
+
+ // Populate tree with reports
+ QStringList report_cats=this->p_reports->GetAvailableReportCategories();
+ QListIterator<QString> cat_it(report_cats);
+ QString cur_cat;
+ while(cat_it.hasNext()) {
+ cur_cat=cat_it.next();
+ p_category=new QTreeWidgetItem(this->ui->TrReports);
+ p_category->setText(0,cur_cat);
+ QStringList reports=this->p_reports->GetAvailableReports(cur_cat);
+ QListIterator<QString> rep_it(reports);
+ while(rep_it.hasNext()) {
+ p_category_report=new QTreeWidgetItem(p_category);
+ p_category_report->setText(0,rep_it.next());
+ p_category_report->setFlags(Qt::ItemIsEnabled|
+ Qt::ItemIsSelectable|
+ Qt::ItemIsUserCheckable);
+ p_category_report->setCheckState(0,Qt::Unchecked);
+ }
+ }
+}
+
+DlgReportChooser::~DlgReportChooser() {
+ delete this->ui;
+}
+
+void DlgReportChooser::changeEvent(QEvent *e) {
+ QDialog::changeEvent(e);
+ switch (e->type()) {
+ case QEvent::LanguageChange:
+ this->ui->retranslateUi(this);
+ break;
+ default:
+ break;
+ }
+}
+
+void DlgReportChooser::on_BtnCancel_clicked() {
+ this->reject();
+}
+
+void DlgReportChooser::on_TrReports_currentItemChanged(QTreeWidgetItem *current,
+ QTreeWidgetItem *previous)
+{
+ QString category,name;
+
+ if(current->parent()==NULL) return;
+
+ category=current->parent()->text(0);
+ name=current->text(0);
+ QMap<QString,QString> report_infos=
+ this->p_reports->GetReportInfo(category,name);
+ this->ui->LblAuthor->setText(tr("Author: %1")
+ .arg(report_infos["report_author"]));
+ this->ui->LblDesc->setText(tr("Description:\n\n %1")
+ .arg(report_infos["report_desc"]));
+}
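Review bot: `on_TrReports_currentItemChanged` dereferences `current` before checking it, but Qt delivers a null `current` pointer when the tree's selection is cleared or the widget is emptied, so `if(current->parent()==NULL) return;` can crash the dialog. Change the guard to `if(current==NULL || current->parent()==NULL) return;`. The `previous` parameter is unused, so the `-Wall` build declared in fred.pro will warn on it; `Q_UNUSED(previous);` at the top of the body addresses that. The constructor likewise stores `p_reps` unchecked and immediately calls through it, which is fine only if the caller guarantees a non-null `Reports`; a comment on the constructor stating that precondition would help.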
diff --git a/trunk/reporttemplate.h b/trunk/dlgreportchooser.h
similarity index 72%
copy from trunk/reporttemplate.h
copy to trunk/dlgreportchooser.h
index 23ae59a..8751723 100644
--- a/trunk/reporttemplate.h
+++ b/trunk/dlgreportchooser.h
@@ -1,46 +1,53 @@
/*******************************************************************************
* fred Copyright (c) 2011-2013 by Gillen Daniel <gillen.dan@pinguin.lu> *
* *
* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor *
* with special feautures useful during forensic analysis. *
* *
* This program is free software: you can redistribute it and/or modify it *
* under the terms of the GNU General Public License as published by the Free *
* Software Foundation, either version 3 of the License, or (at your option) *
* any later version. *
* *
* This program is distributed in the hope that it will be useful, but WITHOUT *
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
* more details. *
* *
* You should have received a copy of the GNU General Public License along with *
* this program. If not, see <http://www.gnu.org/licenses/>. *
*******************************************************************************/
-#ifndef REPORTTEMPLATE_H
-#define REPORTTEMPLATE_H
+#ifndef DLGREPORTCHOOSER_H
+#define DLGREPORTCHOOSER_H
-#include <QString>
+#include "reports.h"
+
+#include <QDialog>
+#include <QTreeWidgetItem>
+
+namespace Ui {
+ class DlgReportChooser;
+}
+
+class DlgReportChooser : public QDialog {
+ Q_OBJECT
-class ReportTemplate {
public:
- ReportTemplate(QString report_category,
- QString report_name,
- QString report_template_file);
+ explicit DlgReportChooser(Reports *p_reps, QWidget *p_parent=0);
+ ~DlgReportChooser();
+
+ protected:
+ void changeEvent(QEvent *e);
- void SetCategory(QString new_category);
- void SetName(QString new_name);
- void SetFile(QString new_file);
+ private slots:
+ void on_BtnCancel_clicked();
- QString Category();
- QString Name();
- QString File();
+ void on_TrReports_currentItemChanged(QTreeWidgetItem *current, QTreeWidgetItem *previous);
private:
- QString category;
- QString name;
- QString template_file;
+ Ui::DlgReportChooser *ui;
+ Reports *p_reports;
};
-#endif // REPORTTEMPLATE_H
+#endif // DLGREPORTCHOOSER_H
diff --git a/trunk/dlgreportchooser.ui b/trunk/dlgreportchooser.ui
new file mode 100644
index 0000000..6e4877d
--- /dev/null
+++ b/trunk/dlgreportchooser.ui
@@ -0,0 +1,125 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ui version="4.0">
+ <class>DlgReportChooser</class>
+ <widget class="QDialog" name="DlgReportChooser">
+ <property name="geometry">
+ <rect>
+ <x>0</x>
+ <y>0</y>
+ <width>400</width>
+ <height>300</height>
+ </rect>
+ </property>
+ <property name="windowTitle">
+ <string>Generate report</string>
+ </property>
+ <property name="windowIcon">
+ <iconset resource="fred.qrc">
+ <normaloff>:/icons/resources/fred.png</normaloff>:/icons/resources/fred.png</iconset>
+ </property>
+ <layout class="QVBoxLayout" name="verticalLayout">
+ <item>
+ <layout class="QHBoxLayout" name="horizontalLayout">
+ <item>
+ <widget class="QGroupBox" name="groupBox">
+ <property name="title">
+ <string>Available reports</string>
+ </property>
+ <layout class="QVBoxLayout" name="verticalLayout_3">
+ <property name="spacing">
+ <number>6</number>
+ </property>
+ <property name="leftMargin">
+ <number>0</number>
+ </property>
+ <item>
+ <widget class="QTreeWidget" name="TrReports">
+ <property name="headerHidden">
+ <bool>true</bool>
+ </property>
+ <column>
+ <property name="text">
+ <string notr="true">1</string>
+ </property>
+ </column>
+ </widget>
+ </item>
+ </layout>
+ </widget>
+ </item>
+ <item>
+ <widget class="QGroupBox" name="groupBox_2">
+ <property name="title">
+ <string>Report details</string>
+ </property>
+ <layout class="QVBoxLayout" name="verticalLayout_4">
+ <item>
+ <widget class="QLabel" name="LblAuthor">
+ <property name="text">
+ <string/>
+ </property>
+ </widget>
+ </item>
+ <item>
+ <widget class="QLabel" name="LblDesc">
+ <property name="text">
+ <string/>
+ </property>
+ </widget>
+ </item>
+ <item>
+ <spacer name="verticalSpacer">
+ <property name="orientation">
+ <enum>Qt::Vertical</enum>
+ </property>
+ <property name="sizeHint" stdset="0">
+ <size>
+ <width>20</width>
+ <height>40</height>
+ </size>
+ </property>
+ </spacer>
+ </item>
+ </layout>
+ </widget>
+ </item>
+ </layout>
+ </item>
+ <item>
+ <layout class="QHBoxLayout" name="horizontalLayout_2">
+ <item>
+ <widget class="QPushButton" name="BtnCancel">
+ <property name="text">
+ <string>&Cancel</string>
+ </property>
+ </widget>
+ </item>
+ <item>
+ <spacer name="horizontalSpacer">
+ <property name="orientation">
+ <enum>Qt::Horizontal</enum>
+ </property>
+ <property name="sizeHint" stdset="0">
+ <size>
+ <width>40</width>
+ <height>20</height>
+ </size>
+ </property>
+ </spacer>
+ </item>
+ <item>
+ <widget class="QPushButton" name="BtnGenerate">
+ <property name="text">
+ <string>&Generate</string>
+ </property>
+ </widget>
+ </item>
+ </layout>
+ </item>
+ </layout>
+ </widget>
+ <resources>
+ <include location="fred.qrc"/>
+ </resources>
+ <connections/>
+</ui>
diff --git a/trunk/fred.pro b/trunk/fred.pro
index 481722b..4ef941c 100644
--- a/trunk/fred.pro
+++ b/trunk/fred.pro
@@ -1,119 +1,126 @@
#*******************************************************************************
# fred Copyright (c) 2011-2013 by Gillen Daniel <gillen.dan@pinguin.lu> *
# *
# Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor *
# with special feautures useful during forensic analysis. *
# *
# This program is free software: you can redistribute it and/or modify it *
# under the terms of the GNU General Public License as published by the Free *
# Software Foundation, either version 3 of the License, or (at your option) *
# any later version. *
# *
# This program is distributed in the hope that it will be useful, but WITHOUT *
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
# more details. *
# *
# You should have received a copy of the GNU General Public License along with *
# this program. If not, see <http://www.gnu.org/licenses/>. *
#******************************************************************************/
# Generate compileinfo.h
system(bash compileinfo.sh > compileinfo.h)
#compileinfo.target = compileinfo.h
#compileinfo.commands = $$PWD/compileinfo.sh > compileinfo.h
#QMAKE_EXTRA_TARGETS += compileinfo
#PRE_TARGETDEPS += compileinfo.h
# Build fred
QMAKE_CXXFLAGS += -Wall
QT += core \
gui \
script \
webkit
CONFIG += console
TARGET = fred
TEMPLATE = app
SOURCES += main.cpp\
mainwindow.cpp \
registrynode.cpp \
registrynodetreemodel.cpp \
registrykey.cpp \
registrykeytablemodel.cpp \
dlgabout.cpp \
dlgkeydetails.cpp \
qhexedit/qhexedit_p.cpp \
qhexedit/qhexedit.cpp \
reporttemplate.cpp \
datareporter.cpp \
datareporterengine.cpp \
registryhive.cpp \
qtscript_types/bytearray.cpp \
qtscript_types/bytearrayprototype.cpp \
qtscript_types/bytearrayiterator.cpp \
dlgreportviewer.cpp \
registrykeytable.cpp \
registrynodetree.cpp \
dlgsearch.cpp \
threadsearch.cpp \
searchresultwidget.cpp \
tabwidget.cpp \
argparser.cpp \
datainterpretertable.cpp \
datainterpreterwidget.cpp \
hexeditwidget.cpp \
settings.cpp \
searchresulttabledelegate.cpp \
- registrynodetreemodelproxy.cpp
+ registrynodetreemodelproxy.cpp \
+ reports.cpp \
+ reportengine.cpp \
+ dlgreportchooser.cpp
HEADERS += mainwindow.h \
registrynode.h \
registrynodetreemodel.h \
registrykey.h \
registrykeytablemodel.h \
dlgabout.h \
dlgkeydetails.h \
qhexedit/qhexedit_p.h \
qhexedit/qhexedit.h \
reporttemplate.h \
datareporter.h \
datareporterengine.h \
registryhive.h \
qtscript_types/bytearray.h \
qtscript_types/bytearrayprototype.h \
qtscript_types/bytearrayiterator.h \
dlgreportviewer.h \
registrykeytable.h \
registrynodetree.h \
dlgsearch.h \
threadsearch.h \
searchresultwidget.h \
tabwidget.h \
argparser.h \
datainterpretertable.h \
datainterpreterwidget.h \
hexeditwidget.h \
settings.h \
searchresulttabledelegate.h \
- registrynodetreemodelproxy.h
+ registrynodetreemodelproxy.h \
+ reports.h \
+ reportengine.h \
+ dlgreportchooser.h
FORMS += mainwindow.ui \
dlgabout.ui \
dlgkeydetails.ui \
dlgreportviewer.ui \
- dlgsearch.ui
+ dlgsearch.ui \
+ dlgreportchooser.ui
#LIBS += -lhivex
LIBS += $$PWD/hivex/lib/.libs/libhivex.a
#DEFINES += __STDC_FORMAT_MACROS
RESOURCES += fred.qrc
RC_FILE = fred.rc
ICON = resources/fred.icns
diff --git a/trunk/mainwindow.cpp b/trunk/mainwindow.cpp
index 8fca0ca..7ddfe45 100644
--- a/trunk/mainwindow.cpp
+++ b/trunk/mainwindow.cpp
@@ -1,574 +1,599 @@
/*******************************************************************************
* fred Copyright (c) 2011-2013 by Gillen Daniel <gillen.dan@pinguin.lu> *
* *
* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor *
* with special feautures useful during forensic analysis. *
* *
* This program is free software: you can redistribute it and/or modify it *
* under the terms of the GNU General Public License as published by the Free *
* Software Foundation, either version 3 of the License, or (at your option) *
* any later version. *
* *
* This program is distributed in the hope that it will be useful, but WITHOUT *
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
* more details. *
* *
* You should have received a copy of the GNU General Public License along with *
* this program. If not, see <http://www.gnu.org/licenses/>. *
*******************************************************************************/
#ifndef FRED_REPORT_TEMPLATE_DIR
#ifndef __MINGW32__
#define FRED_REPORT_TEMPLATE_DIR "/usr/share/fred/report_templates/"
#else
#define FRED_REPORT_TEMPLATE_DIR ".\\report_templates\\"
#endif
#endif
#include <QFileDialog>
#include <QMessageBox>
#include <QStringList>
#include <QDesktopWidget>
#include <QDir>
#include <QSplitter>
#include "mainwindow.h"
#include "ui_mainwindow.h"
#include "dlgabout.h"
#include "dlgkeydetails.h"
+#include "dlgreportchooser.h"
#include "dlgreportviewer.h"
#include "dlgsearch.h"
#include "compileinfo.h"
MainWindow::MainWindow(ArgParser *p_arg_parser) :
QMainWindow(0), ui(new Ui::MainWindow)
{
ui->setupUi(this);
// Initialize private vars
this->p_args=p_arg_parser;
this->p_hive=new RegistryHive(this);
this->is_hive_open=false;
this->p_reg_node_tree_model=NULL;
this->p_reg_node_tree_model_proxy=NULL;
this->p_reg_key_table_model=NULL;
this->p_search_thread=NULL;
this->search_result_widgets.clear();
// Check for ~/.fred config dir
this->CheckUserConfigDir();
// Set main window size
int cur_screen=QApplication::desktop()->screenNumber(this);
int window_width=
QApplication::desktop()->availableGeometry(cur_screen).width()*0.5;
int window_height=
QApplication::desktop()->availableGeometry(cur_screen).height()*0.5;
int window_x=
(QApplication::desktop()->availableGeometry(cur_screen).width()/2)-
(window_width/2);
int window_y=
(QApplication::desktop()->availableGeometry(cur_screen).height()/2)-
(window_height/2);
this->setGeometry(window_x,
window_y,
window_width,
window_height);
// Create widgets
this->p_horizontal_splitter=new QSplitter();
this->p_horizontal_splitter->setOrientation(Qt::Horizontal);
this->p_node_tree=new RegistryNodeTree(this->p_horizontal_splitter);
this->p_vertical_splitter=new QSplitter(this->p_horizontal_splitter);
this->p_vertical_splitter->setOrientation(Qt::Vertical);
this->p_key_table=new RegistryKeyTable(this->p_vertical_splitter);
this->p_tab_widget=new TabWidget(this->p_vertical_splitter);
this->p_hex_edit_widget=new HexEditWidget();
// Add hexedit page to tab_widget
this->p_tab_widget->addTab(this->p_hex_edit_widget,tr("Hex viewer"));
// Add widgets to their splitters
this->p_vertical_splitter->addWidget(this->p_key_table);
this->p_vertical_splitter->addWidget(this->p_tab_widget);
this->p_horizontal_splitter->addWidget(this->p_node_tree);
this->p_horizontal_splitter->addWidget(this->p_vertical_splitter);
// Set stretch factors
QSizePolicy node_tree_policy=this->p_node_tree->sizePolicy();
node_tree_policy.setHorizontalStretch(1);
node_tree_policy.setVerticalStretch(100);
this->p_node_tree->setSizePolicy(node_tree_policy);
QSizePolicy vertical_splitter_policy=this->p_vertical_splitter->sizePolicy();
vertical_splitter_policy.setHorizontalStretch(4);
vertical_splitter_policy.setVerticalStretch(100);
this->p_vertical_splitter->setSizePolicy(vertical_splitter_policy);
QSizePolicy key_table_policy=this->p_key_table->sizePolicy();
key_table_policy.setVerticalStretch(5);
key_table_policy.setHorizontalStretch(100);
this->p_key_table->setSizePolicy(key_table_policy);
QSizePolicy tab_widget_policy=this->p_tab_widget->sizePolicy();
tab_widget_policy.setVerticalStretch(2);
tab_widget_policy.setHorizontalStretch(200);
this->p_tab_widget->setSizePolicy(tab_widget_policy);
// Connect signals
this->connect(this->p_node_tree,
SIGNAL(clicked(QModelIndex)),
this,
SLOT(SlotNodeTreeClicked(QModelIndex)));
this->connect(this->p_node_tree,
SIGNAL(activated(QModelIndex)),
this,
SLOT(SlotNodeTreeClicked(QModelIndex)));
this->connect(this->p_node_tree,
SIGNAL(CurrentItemChanged(QModelIndex)),
this,
SLOT(SlotNodeTreeClicked(QModelIndex)));
this->connect(this->p_key_table,
SIGNAL(clicked(QModelIndex)),
this,
SLOT(SlotKeyTableClicked(QModelIndex)));
this->connect(this->p_key_table,
SIGNAL(doubleClicked(QModelIndex)),
this,
SLOT(SlotKeyTableDoubleClicked(QModelIndex)));
this->connect(this->p_key_table,
SIGNAL(CurrentItemChanged(QModelIndex)),
this,
SLOT(SlotKeyTableClicked(QModelIndex)));
this->connect(this->p_tab_widget,
SIGNAL(tabCloseRequested(int)),
this,
SLOT(SlotTabCloseButtonClicked(int)));
// Add central widget
this->setCentralWidget(this->p_horizontal_splitter);
this->centralWidget()->setContentsMargins(4,4,4,0);
// Set window title
this->UpdateWindowTitle();
// Set last open location to home dir
this->last_open_location=QDir::homePath();
- // Load report templates and update menu
+/*
+ // Load report templates
this->p_data_reporter=new DataReporter();
// Load reports from system wide include dir
this->p_data_reporter->LoadReportTemplates(FRED_REPORT_TEMPLATE_DIR);
// Load user's report templates
this->p_data_reporter->LoadReportTemplates(QDir::homePath()
.append(QDir::separator())
.append(".fred")
.append(QDir::separator())
.append("report_templates"));
this->UpdateDataReporterMenu();
+*/
+
+ // Load report templates
+ this->p_reports=new Reports();
+ // Load reports from system wide include dir
+ this->p_reports->LoadReportTemplates(FRED_REPORT_TEMPLATE_DIR);
+ // Load user's report templates
+ this->p_reports->LoadReportTemplates(QDir::homePath()
+ .append(QDir::separator())
+ .append(".fred")
+ .append(QDir::separator())
+ .append("report_templates"));
// Finally, react on some command line arguments
if(this->p_args->IsSet("maximized")) {
this->setWindowState(Qt::WindowMaximized);
}
if(this->p_args->IsSet("fullscreen")) {
this->setWindowState(Qt::WindowFullScreen);
}
if(this->p_args->IsSet("hive-file")) {
this->OpenHive(this->p_args->GetArgVal("hive-file"));
}
}
MainWindow::~MainWindow() {
if(this->is_hive_open) {
this->p_hive->Close();
}
delete ui;
}
void MainWindow::on_action_Quit_triggered() {
qApp->exit();
}
void MainWindow::on_action_Open_hive_triggered() {
QString hive_file="";
hive_file=QFileDialog::getOpenFileName(this,
tr("Open registry hive"),
this->last_open_location,
tr("All files (*)"));
if(hive_file=="") return;
this->OpenHive(hive_file);
}
void MainWindow::on_action_Close_hive_triggered() {
if(this->is_hive_open) {
// Remove search results
while(this->p_tab_widget->count()>1) {
this->p_tab_widget->removeTab(this->p_tab_widget->count()-1);
delete this->search_result_widgets.at(this->p_tab_widget->count()-1);
this->search_result_widgets.removeLast();
}
// Delete models
if(this->p_reg_node_tree_model!=NULL) {
this->p_node_tree->setModel(NULL);
delete this->p_reg_node_tree_model_proxy;
delete this->p_reg_node_tree_model;
this->p_reg_node_tree_model_proxy=NULL;
this->p_reg_node_tree_model=NULL;
}
if(this->p_reg_key_table_model!=NULL) {
this->p_key_table->setModel(NULL);
delete this->p_reg_key_table_model;
this->p_reg_key_table_model=NULL;
}
// Remove any data from hex edit and data interpreter
this->p_hex_edit_widget->SetData(QByteArray());
this->p_hex_edit_widget->setEnabled(false);
// Close hive
this->p_hive->Close();
this->is_hive_open=false;
this->ui->action_Close_hive->setEnabled(false);
this->ui->ActionSearch->setEnabled(false);
this->ui->MenuReports->setEnabled(false);
this->UpdateWindowTitle();
}
}
void MainWindow::on_actionAbout_Qt_triggered() {
QMessageBox::aboutQt(this,tr("About Qt"));
}
void MainWindow::on_actionAbout_fred_triggered() {
DlgAbout dlg_about(this);
dlg_about.exec();
}
void MainWindow::on_ActionSearch_triggered() {
DlgSearch dlg_search(this);
if(dlg_search.exec()==QDialog::Accepted) {
// Create search thread and connect needed signals/slots
this->p_search_thread=new ThreadSearch(this);
// Add new search widget to tabwidget and to internal widget list
SearchResultWidget *p_search_widget=
new SearchResultWidget(this->p_tab_widget);
p_search_widget->setEnabled(false);
this->search_result_widgets.append(p_search_widget);
this->connect(p_search_widget,
SIGNAL(doubleClicked(QModelIndex)),
this,
SLOT(SlotSearchResultWidgetDoubleClicked(QModelIndex)));
this->p_tab_widget->addTab(p_search_widget,tr("Search results"),true);
this->p_tab_widget->setCurrentIndex(this->p_tab_widget->count()-1);
// Connect search thread to result widget
this->connect(this->p_search_thread,
SIGNAL(SignalFoundMatch(ThreadSearch::eMatchType,
QString,QString,QString)),
p_search_widget,
SLOT(SlotFoundMatch(ThreadSearch::eMatchType,
QString,QString,QString)));
this->connect(this->p_search_thread,
SIGNAL(finished()),
this,
SLOT(SlotSearchFinished()));
this->connect(this->p_search_thread,
SIGNAL(finished()),
p_search_widget,
SLOT(SlotSearchFinished()));
// Start searching
this->ui->ActionSearch->setEnabled(false);
p_search_thread->Search(this->p_hive->Filename(),
dlg_search.Keywords(),
dlg_search.SearchNodeNames(),
dlg_search.SearchKeyNames(),
dlg_search.SearchKeyValues());
}
}
void MainWindow::SlotNodeTreeClicked(QModelIndex index) {
QString node_path;
if(!index.isValid()) return;
// Map proxy index to tree model index
index=this->p_reg_node_tree_model_proxy->mapToSource(index);
// Built node path
node_path=this->p_reg_node_tree_model->GetNodePath(index);
// Create table model and attach it to the table view
if(this->p_reg_key_table_model!=NULL) {
// If a previous model was set, delete it and clear hexedit etc...
this->p_key_table->setModel(NULL);
delete this->p_reg_key_table_model;
this->p_hex_edit_widget->SetData(QByteArray());
}
this->p_reg_key_table_model=new RegistryKeyTableModel(this->p_hive,node_path);
this->p_key_table->setModel(this->p_reg_key_table_model);
// Set focus back to nodetree to be able to navigate with keyboard
this->p_node_tree->setFocus();
}
void MainWindow::SlotKeyTableDoubleClicked(QModelIndex index) {
Q_UNUSED(index);
/*
QModelIndex key_index;
QModelIndex node_index;
QStringList nodes;
QString key_name;
QString key_type;
QByteArray key_value;
if(!index.isValid()) return;
// Get key name, type and value
key_index=this->p_reg_key_table_model->index(index.row(),0);
key_name=this->p_reg_key_table_model->data(key_index,Qt::DisplayRole)
.toString();
key_index=this->p_reg_key_table_model->index(index.row(),1);
key_type=this->p_reg_key_table_model->data(key_index,Qt::DisplayRole)
.toString();ThreadSearch
key_index=this->p_reg_key_table_model->index(index.row(),2);
key_value=this->p_reg_key_table_model->data(key_index,
RegistryKeyTableModel::
AdditionalRoles_GetRawData)
.toByteArray();
// Get current node
node_index=this->p_node_tree->currentIndex();
//Built node path
nodes.clear();
nodes.append(this->p_reg_node_tree_model->
data(node_index,Qt::DisplayRole).toString());
while(this->p_reg_node_tree_model->parent(node_index)!=QModelIndex()) {
// Prepend all parent nodes
node_index=this->p_reg_node_tree_model->parent(node_index);
nodes.prepend(this->p_reg_node_tree_model->
data(node_index,Qt::DisplayRole).toString());
}
DlgKeyDetails dlg_key_details(this);
dlg_key_details.SetValues(nodes,key_name,key_type,key_value);
dlg_key_details.exec();
*/
}
void MainWindow::SlotKeyTableClicked(QModelIndex index) {
if(!index.isValid()) return;
this->selected_key_value=
this->p_reg_key_table_model->data(this->p_reg_key_table_model->
index(index.row(),2),
RegistryKeyTableModel::
AdditionalRoles_GetRawData)
.toByteArray();
this->p_hex_edit_widget->SetData(this->selected_key_value);
// Set focus back to nodetree to be able to navigate with keyboard
this->p_key_table->setFocus();
}
+/*
void MainWindow::SlotReportClicked() {
// Get report category and name from sender and it's parent
QString category=((QMenu*)((QAction*)QObject::sender())->parent())->title();
QString report=((QAction*)QObject::sender())->text();
// Generate report
QString report_content=this->p_data_reporter->GenerateReport(this->p_hive,
category,
report);
// Show result in report viewer
if(report_content!=QString()) {
DlgReportViewer *p_dlg_report_view=new DlgReportViewer(report_content,this);
p_dlg_report_view->exec();
delete p_dlg_report_view;
} else {
// TODO: Something went wrong!
}
}
+*/
void MainWindow::SlotSearchFinished() {
delete this->p_search_thread;
this->p_search_thread=NULL;
this->ui->ActionSearch->setEnabled(true);
// Enable result widget
this->search_result_widgets.last()->setEnabled(true);
}
void MainWindow::SlotSearchResultWidgetDoubleClicked(QModelIndex index) {
SearchResultWidget *p_sender;
QString path;
QString match_type;
QString value;
QString key="";
int i;
if(!index.isValid()) return;
// Get pointer to sender
p_sender=(SearchResultWidget*)QObject::sender();
// Get path and matchtype
path=p_sender->item(index.row(),0)->text();
match_type=p_sender->item(index.row(),1)->text();
value=p_sender->item(index.row(),2)->text();
if(match_type==tr("Node name")) {
// Node name is not part of path. Add it
if(path=="\\") path.append(value);
else path.append("\\").append(value);
} else if(match_type==tr("Key name")) {
// Key name is stored in value
key=value;
} else if(match_type==tr("Key value")) {
// Key name is part of path. Save and remove it
QStringList nodes=path.split("\\",QString::SkipEmptyParts);
key=nodes.at(nodes.count()-1);
// Remove \<key name> from path
path.chop(key.length()+1);
}
// Expand treeview to correct node
QList<QModelIndex> indexes=
this->p_reg_node_tree_model->GetIndexListOf(path);
for(i=0;i<indexes.count();i++) {
indexes.replace(i,this->p_reg_node_tree_model_proxy->
mapFromSource(indexes.at(i)));
this->p_node_tree->expand(indexes.at(i));
}
if(indexes.count()>0) {
// Scroll to last expanded node, select it and update widgets
this->p_node_tree->scrollTo(indexes.at(indexes.count()-1),
QAbstractItemView::PositionAtCenter);
this->p_node_tree->selectionModel()->clear();
this->p_node_tree->selectionModel()->
select(indexes.at(indexes.count()-1),
QItemSelectionModel::Select);
// TODO: This does not work!!
this->SlotNodeTreeClicked(indexes.at(indexes.count()-1));
}
// Select correct key if search matched on keay name / value
if(key!="") {
int row=this->p_reg_key_table_model->GetKeyRow(key);
this->p_key_table->clearSelection();
this->p_key_table->scrollTo(this->p_reg_key_table_model->index(row,0),
QAbstractItemView::PositionAtCenter);
this->p_key_table->selectRow(row);
this->SlotKeyTableClicked(this->p_reg_key_table_model->index(row,0));
}
}
void MainWindow::SlotTabCloseButtonClicked(int index) {
// Delete tab widget and remove tab
this->p_tab_widget->removeTab(index);
delete this->search_result_widgets.at(index-1);
this->search_result_widgets.removeAt(index-1);
}
void MainWindow::CheckUserConfigDir() {
QString user_config_dir=QDir::homePath()
.append(QDir::separator())
.append(".fred");
if(!QDir(user_config_dir).exists()) {
// User config dir does not exists, try to create it
if(!QDir().mkpath(user_config_dir)) {
// TODO: Maybe warn user
return;
}
user_config_dir.append(QDir::separator()).append("report_templates");
if(!QDir().mkpath(user_config_dir)) {
// TODO: Maybe warn user
return;
}
}
}
void MainWindow::UpdateWindowTitle(QString filename) {
if(filename=="") {
this->setWindowTitle(QString("%1 v%2").arg(APP_TITLE,APP_VERSION));
} else {
this->setWindowTitle(QString("%1 v%2 - %3").arg(APP_TITLE,
APP_VERSION,
filename.toLocal8Bit()
.constData()));
}
}
+/*
void MainWindow::UpdateDataReporterMenu() {
int i=0,ii=0;
QMenu *p_category_entry;
QAction *p_report_entry;
QStringList categories=this->p_data_reporter->GetAvailableReportCategories();
QStringList reports;
for(i=0;i<categories.count();i++) {
// First create category submenu
p_category_entry=this->ui->MenuReports->addMenu(categories.value(i));
// Now add category reports
reports=this->p_data_reporter->GetAvailableReports(categories.value(i));
for(ii=0;ii<reports.count();ii++) {
p_report_entry=new QAction(reports.value(ii),p_category_entry);
p_category_entry->addAction(p_report_entry);
this->connect(p_report_entry,
SIGNAL(triggered()),
this,
SLOT(SlotReportClicked()));
}
}
}
+*/
void MainWindow::OpenHive(QString hive_file) {
// Update last open location
this->last_open_location=hive_file.left(hive_file.
lastIndexOf(QDir::separator()));
// If another hive is currently open, close it
if(this->is_hive_open) this->on_action_Close_hive_triggered();
// Try to open hive
if(!this->p_hive->Open(hive_file)) {
QMessageBox::critical(this,
tr("Error opening hive file"),
tr("Unable to open file '%1'").arg(hive_file));
return;
}
// Create tree model & proxy
this->p_reg_node_tree_model=new RegistryNodeTreeModel(this->p_hive);
this->p_reg_node_tree_model_proxy=new RegistryNodeTreeModelProxy(this);
//this->p_reg_node_tree_model_proxy->setDynamicSortFilter(true);
this->p_reg_node_tree_model_proxy->
setSourceModel(this->p_reg_node_tree_model);
this->p_node_tree->setModel(this->p_reg_node_tree_model_proxy);
this->is_hive_open=true;
this->ui->action_Close_hive->setEnabled(true);
this->ui->ActionSearch->setEnabled(true);
this->ui->MenuReports->setEnabled(true);
// Enable data interpreter
this->p_hex_edit_widget->setEnabled(true);
this->UpdateWindowTitle(hive_file);
}
+
+void MainWindow::on_ActionGenerateReport_triggered() {
+ DlgReportChooser dlg_repchooser(this->p_reports,this);
+ if(dlg_repchooser.exec()==QDialog::Accepted) {
+
+ }
+}
diff --git a/trunk/mainwindow.h b/trunk/mainwindow.h
index d14ccc8..38de0c8 100644
--- a/trunk/mainwindow.h
+++ b/trunk/mainwindow.h
@@ -1,127 +1,131 @@
/*******************************************************************************
* fred Copyright (c) 2011-2013 by Gillen Daniel <gillen.dan@pinguin.lu> *
* *
* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor *
* with special feautures useful during forensic analysis. *
* *
* This program is free software: you can redistribute it and/or modify it *
* under the terms of the GNU General Public License as published by the Free *
* Software Foundation, either version 3 of the License, or (at your option) *
* any later version. *
* *
* This program is distributed in the hope that it will be useful, but WITHOUT *
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
* more details. *
* *
* You should have received a copy of the GNU General Public License along with *
* this program. If not, see <http://www.gnu.org/licenses/>. *
*******************************************************************************/
#ifndef MAINWINDOW_H
#define MAINWINDOW_H
#include <QMainWindow>
#include <QWidget>
#include <QLabel>
#include <QTabWidget>
#include <QVBoxLayout>
#include <QSplitter>
#include <QString>
#include <QByteArray>
#include <hivex.h>
#include "argparser.h"
#include "registryhive.h"
#include "registrynodetree.h"
#include "registrynodetreemodel.h"
#include "registrynodetreemodelproxy.h"
#include "registrykeytable.h"
#include "registrykeytablemodel.h"
#include "hexeditwidget.h"
-#include "datareporter.h"
+//#include "datareporter.h"
+#include "reports.h"
#include "threadsearch.h"
#include "searchresultwidget.h"
#include "tabwidget.h"
namespace Ui {
class MainWindow;
}
class MainWindow : public QMainWindow {
Q_OBJECT
public:
explicit MainWindow(ArgParser *p_arg_parser);
~MainWindow();
private slots:
void on_action_Quit_triggered();
void on_action_Open_hive_triggered();
void on_action_Close_hive_triggered();
void on_actionAbout_Qt_triggered();
void on_actionAbout_fred_triggered();
void on_ActionSearch_triggered();
void SlotNodeTreeClicked(QModelIndex index);
void SlotKeyTableClicked(QModelIndex index);
void SlotKeyTableDoubleClicked(QModelIndex index);
- void SlotReportClicked();
+// void SlotReportClicked();
void SlotSearchFinished();
void SlotSearchResultWidgetDoubleClicked(QModelIndex index);
void SlotTabCloseButtonClicked(int index);
-private:
+ void on_ActionGenerateReport_triggered();
+
+ private:
Ui::MainWindow *ui;
ArgParser *p_args;
QString last_open_location;
RegistryHive *p_hive;
bool is_hive_open;
QByteArray selected_key_value;
QList<SearchResultWidget*> search_result_widgets;
// Models
RegistryNodeTreeModel *p_reg_node_tree_model;
RegistryNodeTreeModelProxy *p_reg_node_tree_model_proxy;
RegistryKeyTableModel *p_reg_key_table_model;
// Widgets etc...
RegistryNodeTree *p_node_tree;
RegistryKeyTable *p_key_table;
TabWidget *p_tab_widget;
HexEditWidget *p_hex_edit_widget;
QSplitter *p_horizontal_splitter;
QSplitter *p_vertical_splitter;
- DataReporter *p_data_reporter;
+// DataReporter *p_data_reporter;
+ Reports *p_reports;
// Threads
ThreadSearch *p_search_thread;
/*
* CheckUserConfigDir
*
* Checks for and possibly creates the ~/.fred directory
*/
void CheckUserConfigDir();
/*
* UpdateWindowTitle
*
* Updates the window title
*/
void UpdateWindowTitle(QString filename="");
/*
* UpdateDataReporterMenu
*
*/
- void UpdateDataReporterMenu();
+// void UpdateDataReporterMenu();
/*
* OpenHive
*
* Open a registry hive
*/
void OpenHive(QString hive_file);
};
#endif // MAINWINDOW_H
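Review bot: `Reports *p_reports;` is a raw owning pointer that the constructor fills with `new Reports()`, but `~MainWindow()` in the mainwindow.cpp hunk still deletes only `ui`, so the Reports object leaks on window destruction; add `delete this->p_reports;` there or, if `Reports` is a QObject, construct it with `this` as parent. The .ui hunk adds an `ActionReloadReportTemplates` menu entry, yet no `on_ActionReloadReportTemplates_triggered()` slot is declared here, so that entry is inert until one is implemented. The commented-out `SlotReportClicked`, `p_data_reporter` and `UpdateDataReporterMenu` declarations, together with the now-orphaned `UpdateDataReporterMenu` comment block, would be better removed outright since version control keeps the history. The new ` private:` is indented one space unlike `public:` and `private slots:` above it.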
diff --git a/trunk/mainwindow.ui b/trunk/mainwindow.ui
index 3732138..4fe3b89 100644
--- a/trunk/mainwindow.ui
+++ b/trunk/mainwindow.ui
@@ -1,139 +1,154 @@
<?xml version="1.0" encoding="UTF-8"?>
<ui version="4.0">
<class>MainWindow</class>
<widget class="QMainWindow" name="MainWindow">
<property name="geometry">
<rect>
<x>0</x>
<y>0</y>
<width>508</width>
<height>317</height>
</rect>
</property>
<property name="minimumSize">
<size>
<width>0</width>
<height>0</height>
</size>
</property>
<property name="baseSize">
<size>
<width>0</width>
<height>0</height>
</size>
</property>
<property name="windowTitle">
<string>MainWindow</string>
</property>
<property name="windowIcon">
<iconset resource="fred.qrc">
<normaloff>:/icons/resources/fred.png</normaloff>:/icons/resources/fred.png</iconset>
</property>
<widget class="QWidget" name="MainWidget"/>
<widget class="QMenuBar" name="menuBar">
<property name="geometry">
<rect>
<x>0</x>
<y>0</y>
<width>508</width>
<height>27</height>
</rect>
</property>
<widget class="QMenu" name="MenuFile">
<property name="title">
<string>&File</string>
</property>
<addaction name="action_Open_hive"/>
<addaction name="action_Close_hive"/>
<addaction name="separator"/>
<addaction name="action_Quit"/>
</widget>
<widget class="QMenu" name="MenuHelp">
<property name="title">
<string>&Help</string>
</property>
<addaction name="actionAbout_Qt"/>
<addaction name="actionAbout_fred"/>
</widget>
<widget class="QMenu" name="MenuReports">
<property name="enabled">
<bool>false</bool>
</property>
<property name="title">
<string>&Reports</string>
</property>
+ <addaction name="ActionGenerateReport"/>
+ <addaction name="ActionReloadReportTemplates"/>
</widget>
<widget class="QMenu" name="MenuEdit">
<property name="title">
<string>&Edit</string>
</property>
<addaction name="ActionSearch"/>
<addaction name="separator"/>
<addaction name="ActionPreferences"/>
</widget>
<addaction name="MenuFile"/>
<addaction name="MenuEdit"/>
<addaction name="MenuReports"/>
<addaction name="MenuHelp"/>
</widget>
<widget class="QStatusBar" name="StatusBar"/>
<action name="action_Open_hive">
<property name="text">
<string>&Open hive</string>
</property>
<property name="shortcut">
<string>Ctrl+O</string>
</property>
</action>
<action name="action_Close_hive">
<property name="enabled">
<bool>false</bool>
</property>
<property name="text">
<string>Close hive</string>
</property>
</action>
<action name="action_Quit">
<property name="text">
<string>&Quit</string>
</property>
<property name="shortcut">
<string>Ctrl+Q</string>
</property>
</action>
<action name="actionAbout_Qt">
<property name="text">
<string>About Qt</string>
</property>
</action>
<action name="actionAbout_fred">
<property name="text">
<string>About fred</string>
</property>
</action>
<action name="ActionSearch">
<property name="enabled">
<bool>false</bool>
</property>
<property name="text">
<string>&Search</string>
</property>
<property name="shortcut">
<string>Ctrl+S</string>
</property>
</action>
<action name="ActionPreferences">
<property name="enabled">
<bool>false</bool>
</property>
<property name="text">
<string>&Preferences</string>
</property>
</action>
+ <action name="ActionGenerateReport">
+ <property name="enabled">
+ <bool>true</bool>
+ </property>
+ <property name="text">
+ <string>Generate report</string>
+ </property>
+ </action>
+ <action name="ActionReloadReportTemplates">
+ <property name="text">
+ <string>Reload report templates</string>
+ </property>
+ </action>
</widget>
<layoutdefault spacing="6" margin="11"/>
<resources>
<include location="fred.qrc"/>
</resources>
<connections/>
</ui>
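Review bot: `ActionReloadReportTemplates` is added to `MenuReports` without a handler — the mainwindow.h hunk declares only `on_ActionGenerateReport_triggered()`, so the `on_ActionReloadReportTemplates_triggered()` slot that the `setupUi`/`QMetaObject::connectSlotsByName` auto-connection would look for does not exist and the menu item does nothing. Either add that slot (presumably re-running `LoadReportTemplates` on both directories, as the constructor does) or leave the action out of the menu until it is implemented. The explicit `<property name="enabled"><bool>true</bool></property>` on `ActionGenerateReport` restates the default and can be dropped; `MenuReports` itself is already disabled until a hive is open.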
diff --git a/trunk/report_templates/NTUSER_Autoruns.qs b/trunk/report_templates/NTUSER_Autoruns.qs
index d166110..5ac0949 100644
--- a/trunk/report_templates/NTUSER_Autoruns.qs
+++ b/trunk/report_templates/NTUSER_Autoruns.qs
@@ -1,49 +1,61 @@
+function fred_report_info() {
+ var info={report_cat : "NTUSER",
+ report_name : "Autoruns",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump autorun keys",
+ fred_api : 2,
+ hive : "NTUSER"
+ };
+ return info;
+}
+
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
function print_table_row(cell01,cell02) {
println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
}
function ListAutoruns(autorun_path,autorun_key) {
println(" <p style=\"font-size:12; white-space:nowrap\">");
println(" <u>"+autorun_key+"</u><br />");
var run_keys=GetRegistryKeys(autorun_path+autorun_key);
if(IsValid(run_keys) && run_keys.length>0) {
println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
print_table_row("<b>Name</b>","<b>Executable</b>");
for(var i=0;i<run_keys.length;i++) {
var val=GetRegistryKeyValue(autorun_path+autorun_key,run_keys[i]);
print_table_row(run_keys[i],RegistryKeyValueToString(val.value,val.type));
}
println(" </table>");
} else {
println(" None");
}
println(" </p>");
}
-// Global vars
-var val;
+function fred_report_html() {
+ var val;
-println("<html>");
-println(" <head><title>User Autoruns</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>User Autoruns</h2>");
+ println("<html>");
+ println(" <head><title>User Autoruns</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>User Autoruns</h2>");
-// Run
-ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","Run");
+ // Run
+ ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","Run");
-// RunOnce
-ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnce");
+ // RunOnce
+ ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnce");
-// RunOnceEx
-ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnceEx");
+ // RunOnceEx
+ ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnceEx");
-// TODO: There might be a Run under WindowsNT\CurrentVersion\Run too!
+ // TODO: There might be a Run under WindowsNT\CurrentVersion\Run too!
-println("</html>");
+ println("</html>");
+}
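Review bot: `var val;` at the top of the new `fred_report_html()` is never used (the global it replaced was equally unused) and can be dropped. The moved body still closes the document with `println("</html>");` but never emits `</body>`, leaving the `<body>` opened a few lines above unbalanced; add `println(" </body>");` before it. Because `ListAutoruns()` writes `run_keys[i]` and `RegistryKeyValueToString(...)` into table cells verbatim, value names and data taken from the hive under analysis land in the HTML unescaped; an `HtmlEscape()` helper applied in `print_table_row()` would keep a malformed or hostile hive from corrupting the report markup, and the same applies to the `NTUSER_LaunchedApplications.qs` and `NTUSER_RecentDocs.qs` hunks in this commit.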
diff --git a/trunk/report_templates/NTUSER_LaunchedApplications.qs b/trunk/report_templates/NTUSER_LaunchedApplications.qs
index 92a51a3..b90bdf8 100644
--- a/trunk/report_templates/NTUSER_LaunchedApplications.qs
+++ b/trunk/report_templates/NTUSER_LaunchedApplications.qs
@@ -1,101 +1,111 @@
+function fred_report_info() {
+ var info={report_cat : "NTUSER",
+ report_name : "Launched applications",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump IE launched applications",
+ fred_api : 2,
+ hive : "NTUSER"
+ };
+ return info;
+}
+
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
function PrintTableRow(cell01,cell02,cell03) {
println(" <tr><td style=\"white-space:nowrap\">",cell01,"</td><td style=\"padding:2px; white-space:nowrap\">",cell02,"</td><td style=\"padding:2px; white-space:nowrap\">",cell03,"</td></tr>");
}
function Rot13Decode(val) {
var ret="";
for(var i=0;i<val.length;i++) {
var decoded=val.charCodeAt(i);
if((decoded>64 && decoded<91) || (decoded>96 && decoded<123)) {
if((decoded-13)<65 || (decoded>96 && (decoded-13)<97)) {
decoded=(decoded-13)+26;
} else {
if(decoded>96 && (decoded-13)<97) {
decoded+=13;
} else {
decoded-=13;
}
}
ret+=String.fromCharCode(decoded);
} else {
ret+=val[i];
}
}
return ret;
}
function PrintUserAssistEntry(key,val,os) {
var run_count;
var last_run;
switch(os) {
case "winxp":
run_count=RegistryKeyValueToVariant(val.value,"uint32",4);
break;
case "win7":
run_count=RegistryKeyValueToVariant(val.value,"uint32",4,0,1);
last_run=RegistryKeyValueToVariant(val.value,"filetime",60);
break;
}
PrintTableRow(key,run_count,last_run);
}
-println("<html>");
-println(" <head><title>Launched Applications</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>Launched applications</h2>");
-
-// First, we need to find the correct GUID for the current Windows version
-var path;
-var apps;
-var os;
+function fred_report_html() {
+ println("<html>");
+ println(" <head><title>Launched Applications</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>Launched applications</h2>");
-// Windows XP
-os="winxp";
-path="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{5E6AB780-7743-11CF-A12B-00AA004AE837}\\Count";
-apps=GetRegistryKeys(path);
+ // First, we need to find the correct GUID for the current Windows version
+ var path;
+ var apps;
+ var os;
-// TODO: Determine GUIDs for Vista / Win8
-
-if(!IsValid(apps)) {
- // Windows 7
- os="win7";
- path="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count";
+ // Windows XP
+ os="winxp";
+ path="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{5E6AB780-7743-11CF-A12B-00AA004AE837}\\Count";
apps=GetRegistryKeys(path);
-}
+ // TODO: Determine GUIDs for Vista / Win8
+ if(!IsValid(apps)) {
+ // Windows 7
+ os="win7";
+ path="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count";
+ apps=GetRegistryKeys(path);
+ }
+ if(IsValid(apps)) {
+ if(apps.length!=0) {
+ println(" <p style=\"font-size:12\">");
+ println(" <table style=\"margin-left:20px; font-size:12\">");
+ println(" <tr><td><b>Application</b></td><td style=\"padding:2px\"><b>Run count</b></td><td style=\"padding:2px\"><b>Last run</b></td></tr>");
-if(IsValid(apps)) {
- if(apps.length!=0) {
- println(" <p style=\"font-size:12\">");
- println(" <table style=\"margin-left:20px; font-size:12\">");
- println(" <tr><td><b>Application</b></td><td style=\"padding:2px\"><b>Run count</b></td><td style=\"padding:2px\"><b>Last run</b></td></tr>");
+ for(var i=0;i<apps.length;i++) {
+ var val=GetRegistryKeyValue(path,apps[i]);
+ PrintUserAssistEntry(Rot13Decode(apps[i]),val,os);
+ }
- for(var i=0;i<apps.length;i++) {
- var val=GetRegistryKeyValue(path,apps[i]);
- PrintUserAssistEntry(Rot13Decode(apps[i]),val,os);
+ println(" </table>");
+ println(" </p>");
+ } else {
+ println(" <p><font color='red'>");
+ println(" The list of launched applications is empty.");
+ println(" </font></p>");
}
-
- println(" </table>");
- println(" </p>");
} else {
println(" <p><font color='red'>");
- println(" The list of launched applications is empty.");
+ println(" This registry hive does not contain a list of launched applications!");
println(" </font></p>");
}
-} else {
- println(" <p><font color='red'>");
- println(" This registry hive does not contain a list of launched applications!");
- println(" </font></p>");
}
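Review bot: the new `fred_report_html()` ends without ever printing `</html>` (or `</body>`), unlike the Autoruns and RecentDocs templates in this commit, so the generated report is left open; add `println(" </body>");` and `println("</html>");` before the closing brace. The new loop calls `PrintUserAssistEntry(Rot13Decode(apps[i]),val,os)`, and that function (unchanged context) never assigns `last_run` on the `"winxp"` branch, so XP reports print `undefined` in the "Last run" column; initialising `var last_run="n/a";` would be clearer. The `report_desc` `"Dump IE launched applications"` is slightly misleading: the UserAssist keys read here live under `Explorer\UserAssist`, the shell, not Internet Explorer.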
diff --git a/trunk/report_templates/NTUSER_RecentDocs.qs b/trunk/report_templates/NTUSER_RecentDocs.qs
index 112669d..bcac514 100644
--- a/trunk/report_templates/NTUSER_RecentDocs.qs
+++ b/trunk/report_templates/NTUSER_RecentDocs.qs
@@ -1,41 +1,54 @@
+function fred_report_info() {
+ var info={report_cat : "NTUSER",
+ report_name : "Recent documents",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump recent docs",
+ fred_api : 2,
+ hive : "NTUSER"
+ };
+ return info;
+}
+
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
-println("<html>");
-println(" <head><title>Recent Documents</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>Recent documents</h2>");
+function fred_report_html() {
+ println("<html>");
+ println(" <head><title>Recent Documents</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>Recent documents</h2>");
-// Get list of recent docs
-var recent_docs=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs","MRUListEx");
-if(IsValid(recent_docs)) {
- // Iterate over all recent docs
- var i=0;
- var runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i);
- if(Number(runlist)!=0xffffffff) {
- println(" <p style=\"font-size:12\">");
- println(" <table style=\"margin-left:20px; font-size:12\">");
+ // Get list of recent docs
+ var recent_docs=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs","MRUListEx");
+ if(IsValid(recent_docs)) {
+ // Iterate over all recent docs
+ var i=0;
+ var runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i);
+ if(Number(runlist)!=0xffffffff) {
+ println(" <p style=\"font-size:12\">");
+ println(" <table style=\"margin-left:20px; font-size:12\">");
- while(Number(runlist)!=0xffffffff) {
- var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",runlist.toString(10));
- println(" <tr><td style=\"white-space:nowrap\">",RegistryKeyValueToVariant(entry.value,"utf16",0),"</td></tr>");
- i+=4;
- runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i);
- }
+ while(Number(runlist)!=0xffffffff) {
+ var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",runlist.toString(10));
+ println(" <tr><td style=\"white-space:nowrap\">",RegistryKeyValueToVariant(entry.value,"utf16",0),"</td></tr>");
+ i+=4;
+ runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i);
+ }
- println(" </table>");
- println(" </p>");
+ println(" </table>");
+ println(" </p>");
+ } else {
+ println(" <p><font color='red'>");
+ println(" The list of recent documents is empty.");
+ println(" </font></p>");
+ }
} else {
println(" <p><font color='red'>");
- println(" The list of recent documents is empty.");
+ println(" This registry hive does not contain a list of recent documents!");
println(" </font></p>");
}
-} else {
- println(" <p><font color='red'>");
- println(" This registry hive does not contain a list of recent documents!");
- println(" </font></p>");
-}
-println("</html>");
+ println("</html>");
+}
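Review bot: inside the new `while` loop in `fred_report_html()`, `entry` is dereferenced as `entry.value` without an `IsValid(entry)` check, so an `MRUListEx` index with no matching value under `RecentDocs` (stale or truncated lists are common in damaged hives) aborts the script mid-report instead of skipping the row; add `if(!IsValid(entry)) break;` right after the `GetRegistryKeyValue` call, or advance `i`/`runlist` and `continue`. The loop also increments `i` until a `0xffffffff` terminator appears; I cannot tell from this hunk what `RegistryKeyValueToVariant` returns once `i` runs past the end of `recent_docs.value`, so bounding the loop by the value's length would be safer.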
diff --git a/trunk/report_templates/NTUSER_TypedUrls.qs b/trunk/report_templates/NTUSER_TypedUrls.qs
index b581da7..bbd6b51 100644
--- a/trunk/report_templates/NTUSER_TypedUrls.qs
+++ b/trunk/report_templates/NTUSER_TypedUrls.qs
@@ -1,36 +1,49 @@
+function fred_report_info() {
+ var info={report_cat : "NTUSER",
+ report_name : "Typed URLs",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump typed URLs",
+ fred_api : 2,
+ hive : "NTUSER"
+ };
+ return info;
+}
+
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
-println("<html>");
-println(" <head><title>Typed Urls</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>Typed urls</h2>");
+function fred_report_html() {
+ println("<html>");
+ println(" <head><title>Typed Urls</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>Typed urls</h2>");
-// Iterate over all typed urls
-var typed_urls=GetRegistryKeys("\\Software\\Microsoft\\Internet Explorer\\TypedURLs");
-if(IsValid(typed_urls)) {
- if(typed_urls.length!=0) {
- println(" <p style=\"font-size:12\">");
- println(" <table style=\"margin-left:20px; font-size:12\">");
+ // Iterate over all typed urls
+ var typed_urls=GetRegistryKeys("\\Software\\Microsoft\\Internet Explorer\\TypedURLs");
+ if(IsValid(typed_urls)) {
+ if(typed_urls.length!=0) {
+ println(" <p style=\"font-size:12\">");
+ println(" <table style=\"margin-left:20px; font-size:12\">");
- for(var i=0;i<typed_urls.length;i++) {
- var val=GetRegistryKeyValue("\\Software\\Microsoft\\Internet Explorer\\TypedURLs",typed_urls[i]);
- println(" <tr><td style=\"white-space:nowrap\">",RegistryKeyValueToString(val.value,val.type),"</td></tr>");
- }
+ for(var i=0;i<typed_urls.length;i++) {
+ var val=GetRegistryKeyValue("\\Software\\Microsoft\\Internet Explorer\\TypedURLs",typed_urls[i]);
+ println(" <tr><td style=\"white-space:nowrap\">",RegistryKeyValueToString(val.value,val.type),"</td></tr>");
+ }
- println(" </table>");
- println(" </p>");
+ println(" </table>");
+ println(" </p>");
+ } else {
+ println(" <p><font color='red'>");
+ println(" The list of typed urls is empty.");
+ println(" </font></p>");
+ }
} else {
println(" <p><font color='red'>");
- println(" The list of typed urls is empty.");
+ println(" This registry hive does not contain a list of typed urls!");
println(" </font></p>");
}
-} else {
- println(" <p><font color='red'>");
- println(" This registry hive does not contain a list of typed urls!");
- println(" </font></p>");
-}
-println("</html>");
+ println("</html>");
+}
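Review bot: The cell text printed in the for loop of fred_report_html, `RegistryKeyValueToString(val.value,val.type)`, goes into the HTML table verbatim; a hive under examination is untrusted input, so any markup characters in a stored URL are interpreted by the report viewer instead of being displayed. Add a small helper next to IsValid, `function HtmlEscape(s) { return String(s).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;"); }`, and print `HtmlEscape(RegistryKeyValueToString(val.value,val.type))`. The same applies to every template in this commit that prints key names or value strings: NTUSER_Windows7_SearchKeywords, NTUSER_Windows7_TypedPaths, NTUSER_WindowsLiveAccounts, SAM_UserAccounts, SOFTWARE_Autoruns, SOFTWARE_ProfileList and SOFTWARE_WindowsVersion. Separately, the `<body style=...>` opened at the top of fred_report_html is never closed, the function ends with `println("</html>");` alone; add `println(" </body>");` before it here and in the other templates.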
diff --git a/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs b/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs
index effaa23..68614b7 100644
--- a/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs
+++ b/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs
@@ -1,41 +1,54 @@
+function fred_report_info() {
+ var info={report_cat : "NTUSER",
+ report_name : "Windows 7 search keywords",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump Windows 7 search keywords",
+ fred_api : 2,
+ hive : "NTUSER"
+ };
+ return info;
+}
+
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
-println("<html>");
-println(" <head><title>Document And Folder Search Keywords</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>Document and folder search keywords</h2>");
+function fred_report_html() {
+ println("<html>");
+ println(" <head><title>Document And Folder Search Keywords</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>Document and folder search keywords</h2>");
-// Get list of search keys
-var mrulist=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery","MRUListEx");
-if(IsValid(mrulist)) {
- // Iterate over all items
- var i=0;
- var runlist=RegistryKeyValueToVariant(mrulist.value,"uint32",i);
- if(Number(runlist)!=0xffffffff) {
- println(" <p style=\"font-size:12\">");
- println(" <table style=\"margin-left:20px; font-size:12\">");
+ // Get list of search keys
+ var mrulist=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery","MRUListEx");
+ if(IsValid(mrulist)) {
+ // Iterate over all items
+ var i=0;
+ var runlist=RegistryKeyValueToVariant(mrulist.value,"uint32",i);
+ if(Number(runlist)!=0xffffffff) {
+ println(" <p style=\"font-size:12\">");
+ println(" <table style=\"margin-left:20px; font-size:12\">");
- while(Number(runlist)!=0xffffffff) {
- var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery",runlist.toString(10));
- println(" <tr><td style=\"white-space:nowrap\">",RegistryKeyValueToVariant(entry.value,"utf16",0),"</td></tr>");
- i+=4;
- runlist=RegistryKeyValueToVariant(mrulist.value,"uint32",i);
- }
+ while(Number(runlist)!=0xffffffff) {
+ var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery",runlist.toString(10));
+ println(" <tr><td style=\"white-space:nowrap\">",RegistryKeyValueToVariant(entry.value,"utf16",0),"</td></tr>");
+ i+=4;
+ runlist=RegistryKeyValueToVariant(mrulist.value,"uint32",i);
+ }
- println(" </table>");
- println(" </p>");
+ println(" </table>");
+ println(" </p>");
+ } else {
+ println(" <p><font color='red'>");
+ println(" The list of document and search keywords is empty.");
+ println(" </font></p>");
+ }
} else {
println(" <p><font color='red'>");
- println(" The list of document and search keywords is empty.");
+ println(" This registry hive does not contain a list of document and folder search keywords!");
println(" </font></p>");
}
-} else {
- println(" <p><font color='red'>");
- println(" This registry hive does not contain a list of document and folder search keywords!");
- println(" </font></p>");
-}
-println("</html>");
+ println("</html>");
+}
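Review bot: Inside the MRU walk, `entry` returned by `GetRegistryKeyValue(...,runlist.toString(10))` is dereferenced as `entry.value` without an IsValid check, so an MRUListEx index whose value has been deleted aborts the whole report with an exception instead of skipping the row; guard it with `if(IsValid(entry)) println(" <tr><td style=\"white-space:nowrap\">",RegistryKeyValueToVariant(entry.value,"utf16",0),"</td></tr>");`. The loop also relies solely on the 0xffffffff terminator: if the list data is truncated, `i` walks past the end of `mrulist.value`, and what RegistryKeyValueToVariant returns for an out-of-range offset is not visible here. Since `.value` exposes `.length` (DecodeProductKey in SOFTWARE_WindowsVersion uses it), bound the loop explicitly, `while(i+4<=mrulist.value.length && Number(runlist)!=0xffffffff) {`. The RecentDocs MRU walk in the preceding hunk has the same two issues.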
diff --git a/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs b/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs
index 4411897..864b46f 100644
--- a/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs
+++ b/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs
@@ -1,36 +1,49 @@
+function fred_report_info() {
+ var info={report_cat : "NTUSER",
+ report_name : "Windows 7 typed paths",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump Windows 7 typed paths",
+ fred_api : 2,
+ hive : "NTUSER"
+ };
+ return info;
+}
+
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
-println("<html>");
-println(" <head><title>Typed Paths</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>Typed paths</h2>");
+function fred_report_html() {
+ println("<html>");
+ println(" <head><title>Typed Paths</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>Typed paths</h2>");
-// Iterate over all typed paths
-var urls=GetRegistryKeys("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths");
-if(IsValid(urls)) {
- if(urls.length!=0) {
- println(" <p style=\"font-size:12\">");
- println(" <table style=\"margin-left:20px; font-size:12\">");
+ // Iterate over all typed paths
+ var urls=GetRegistryKeys("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths");
+ if(IsValid(urls)) {
+ if(urls.length!=0) {
+ println(" <p style=\"font-size:12\">");
+ println(" <table style=\"margin-left:20px; font-size:12\">");
- for(var i=0;i<urls.length;i++) {
- var val=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths",urls[i]);
- println(" <tr><td style=\"white-space:nowrap\">",RegistryKeyValueToString(val.value,val.type),"</td></tr>");
- }
+ for(var i=0;i<urls.length;i++) {
+ var val=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths",urls[i]);
+ println(" <tr><td style=\"white-space:nowrap\">",RegistryKeyValueToString(val.value,val.type),"</td></tr>");
+ }
- println(" </table>");
- println(" </p>");
+ println(" </table>");
+ println(" </p>");
+ } else {
+ println(" <p><font color='red'>");
+ println(" The list of typed paths is empty.");
+ println(" </font></p>");
+ }
} else {
println(" <p><font color='red'>");
- println(" The list of typed paths is empty.");
+ println(" This registry hive does not contain a list of typed paths!");
println(" </font></p>");
}
-} else {
- println(" <p><font color='red'>");
- println(" This registry hive does not contain a list of typed paths!");
- println(" </font></p>");
-}
-println("</html>");
+ println("</html>");
+}
diff --git a/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs b/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs
index 0a78998..ac9bb6b 100644
--- a/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs
+++ b/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs
@@ -1,35 +1,48 @@
+function fred_report_info() {
+ var info={report_cat : "NTUSER",
+ report_name : "Windows Live accounts",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump Windows Live accounts",
+ fred_api : 2,
+ hive : "NTUSER"
+ };
+ return info;
+}
+
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
-println("<html>");
-println(" <head><title>Windows Live Accounts</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>Windows live accounts</h2>");
+function fred_report_html() {
+ println("<html>");
+ println(" <head><title>Windows Live Accounts</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>Windows live accounts</h2>");
-// Iterate over all contacts
-var accounts=GetRegistryKeys("\\Software\\Microsoft\\Windows Live Contacts\\Database");
-if(IsValid(accounts)) {
- println(" <p style=\"font-size:12\">");
- println(" <table style=\"margin-left:20px; font-size:12\">");
+ // Iterate over all contacts
+ var accounts=GetRegistryKeys("\\Software\\Microsoft\\Windows Live Contacts\\Database");
+ if(IsValid(accounts)) {
+ println(" <p style=\"font-size:12\">");
+ println(" <table style=\"margin-left:20px; font-size:12\">");
- for(var i=0;i<accounts.length;i++) {
- var val=GetRegistryKeyValue("\\Software\\Microsoft\\Windows Live Contacts\\Database",accounts[i]);
- println(" <tr><td>",accounts[i],"</td><td>",RegistryKeyValueToString(val.value,val.type),"</td></tr>");
- }
- accounts=GetRegistryKeys("\\Software\\Microsoft\\Windows Live Contacts\\Me");
- for(var i=0;i<accounts.length;i++) {
- var val=GetRegistryKeyValue("\\Software\\Microsoft\\Windows Live Contacts\\Me",accounts[i]);
- println(" <tr><td>",accounts[i],"</td><td>",RegistryKeyValueToString(val.value,val.type),"</td></tr>");
+ for(var i=0;i<accounts.length;i++) {
+ var val=GetRegistryKeyValue("\\Software\\Microsoft\\Windows Live Contacts\\Database",accounts[i]);
+ println(" <tr><td>",accounts[i],"</td><td>",RegistryKeyValueToString(val.value,val.type),"</td></tr>");
+ }
+ accounts=GetRegistryKeys("\\Software\\Microsoft\\Windows Live Contacts\\Me");
+ for(var i=0;i<accounts.length;i++) {
+ var val=GetRegistryKeyValue("\\Software\\Microsoft\\Windows Live Contacts\\Me",accounts[i]);
+ println(" <tr><td>",accounts[i],"</td><td>",RegistryKeyValueToString(val.value,val.type),"</td></tr>");
+ }
+
+ println(" </table>");
+ println(" </p>");
+ } else {
+ println(" <p><font color='red'>");
+ println(" This registry hive does not contain a list of Windows Live Accounts!");
+ println(" </font></p>");
}
- println(" </table>");
- println(" </p>");
-} else {
- println(" <p><font color='red'>");
- println(" This registry hive does not contain a list of Windows Live Accounts!");
- println(" </font></p>");
+ println("</html>");
}
-
-println("</html>");
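Review bot: The second enumeration, `accounts=GetRegistryKeys("\\Software\\Microsoft\\Windows Live Contacts\\Me");`, is not checked with IsValid before `for(var i=0;i<accounts.length;i++)`, although the first enumeration is; a hive that has the Database key but no Me key throws on `accounts.length` after the table has been opened and leaves the report truncated. Keep the two results apart and guard the second one, `var me=GetRegistryKeys("\\Software\\Microsoft\\Windows Live Contacts\\Me"); if(IsValid(me)) { for(var i=0;i<me.length;i++) { ... } }`. The outer branch also prints an empty table when `accounts.length` is 0, whereas the other NTUSER templates in this commit report that case with an "is empty" message; the same `if(accounts.length!=0)` split would keep the output consistent.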
diff --git a/trunk/report_templates/SAM_UserAccounts.qs b/trunk/report_templates/SAM_UserAccounts.qs
index 9ba427f..a78ec0c 100644
--- a/trunk/report_templates/SAM_UserAccounts.qs
+++ b/trunk/report_templates/SAM_UserAccounts.qs
@@ -1,97 +1,109 @@
-// See http://windowsir.blogspot.com/2006/08/getting-user-info-from-image.html
+function fred_report_info() {
+ var info={report_cat : "SAM",
+ report_name : "User accounts",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump Windows user accounts",
+ fred_api : 2,
+ hive : "SAM"
+ };
+ return info;
+}
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
function print_table_row(cell01,cell02) {
println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
}
function print_v_info(v_key_value,info_name,str_off) {
var offset=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off))+0x0cc;
var len=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off+4))/2;
if(len>0) print_table_row(info_name,RegistryKeyValueToVariant(v_key_value,"utf16",offset,len));
}
-println("<html>");
-println(" <head><title>User Accounts</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>User accounts</h2>");
+function fred_report_html() {
+ // See http://windowsir.blogspot.com/2006/08/getting-user-info-from-image.html
+ println("<html>");
+ println(" <head><title>User Accounts</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>User accounts</h2>");
-// Iterate over all user names
-var user_names=GetRegistryNodes("\\SAM\\Domains\\Account\\Users\\Names");
-if(IsValid(user_names)) {
- for(var i=0;i<user_names.length;i++) {
- println(" <p style=\"font-size:12; white-space:nowrap\">");
+ // Iterate over all user names
+ var user_names=GetRegistryNodes("\\SAM\\Domains\\Account\\Users\\Names");
+ if(IsValid(user_names)) {
+ for(var i=0;i<user_names.length;i++) {
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
- // Print user name
- println(" <u>",user_names[i],"</u><br />");
+ // Print user name
+ println(" <u>",user_names[i],"</u><br />");
- println(" <table style=\"margin-left:20px; font-size:12\">");
+ println(" <table style=\"margin-left:20px; font-size:12\">");
- // Get user rid stored in "default" key
- var user_rid=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\Names\\",user_names[i]),"");
- user_rid=RegistryKeyTypeToString(user_rid.type);
- println(" <tr><td>RID:</td><td>",Number(user_rid).toString(10)," (",user_rid,")","</td></tr>");
+ // Get user rid stored in "default" key
+ var user_rid=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\Names\\",user_names[i]),"");
+ user_rid=RegistryKeyTypeToString(user_rid.type);
+ println(" <tr><td>RID:</td><td>",Number(user_rid).toString(10)," (",user_rid,")","</td></tr>");
- // RegistryKeyTypeToString returns the rid prepended with "0x". We have to remove that for further processing
- user_rid=String(user_rid).substr(2);
+ // RegistryKeyTypeToString returns the rid prepended with "0x". We have to remove that for further processing
+ user_rid=String(user_rid).substr(2);
- // Get user's V key and print various infos
- var v_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"V");
- print_v_info(v_key.value,"Full name:",0x18);
- print_v_info(v_key.value,"Comment:",0x24);
- print_v_info(v_key.value,"Home directory:",0x48);
- print_v_info(v_key.value,"Home directory drive:",0x54);
- print_v_info(v_key.value,"Logon script path:",0x60);
- print_v_info(v_key.value,"Profile path:",0x6c);
+ // Get user's V key and print various infos
+ var v_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"V");
+ print_v_info(v_key.value,"Full name:",0x18);
+ print_v_info(v_key.value,"Comment:",0x24);
+ print_v_info(v_key.value,"Home directory:",0x48);
+ print_v_info(v_key.value,"Home directory drive:",0x54);
+ print_v_info(v_key.value,"Logon script path:",0x60);
+ print_v_info(v_key.value,"Profile path:",0x6c);
- // Get user's F key and print various infos
- var f_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"F");
- print_table_row("Last login time:",RegistryKeyValueToVariant(f_key.value,"filetime",8));
- print_table_row("Last pw change:",RegistryKeyValueToVariant(f_key.value,"filetime",24));
- print_table_row("Last failed login:",RegistryKeyValueToVariant(f_key.value,"filetime",40));
- print_table_row("Account expires:",RegistryKeyValueToVariant(f_key.value,"filetime",32));
- print_table_row("Total logins:",RegistryKeyValueToVariant(f_key.value,"uint16",66));
- print_table_row("Failed logins:",RegistryKeyValueToVariant(f_key.value,"uint16",64));
- var acc_flags=Number(RegistryKeyValueToVariant(f_key.value,"uint16",56));
- print(" <tr><td>Account flags:</td><td>");
- if(acc_flags&0x0001) print("Disabled ");
- if(acc_flags&0x0002) print("HomeDirReq ");
- if(acc_flags&0x0004) print("PwNotReq ");
- if(acc_flags&0x0008) print("TempDupAcc ");
- // I don't think this would be useful to show
- //if(acc_flags&0x0010) print("NormUserAcc ");
- if(acc_flags&0x0020) print("MnsAcc ");
- if(acc_flags&0x0040) print("DomTrustAcc ");
- if(acc_flags&0x0080) print("WksTrustAcc ");
- if(acc_flags&0x0100) print("SrvTrustAcc ");
- if(acc_flags&0x0200) print("NoPwExpiry ");
- if(acc_flags&0x0400) print("AccAutoLock ");
- print(" (",acc_flags,")");
- println("</td></tr>");
+ // Get user's F key and print various infos
+ var f_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"F");
+ print_table_row("Last login time:",RegistryKeyValueToVariant(f_key.value,"filetime",8));
+ print_table_row("Last pw change:",RegistryKeyValueToVariant(f_key.value,"filetime",24));
+ print_table_row("Last failed login:",RegistryKeyValueToVariant(f_key.value,"filetime",40));
+ print_table_row("Account expires:",RegistryKeyValueToVariant(f_key.value,"filetime",32));
+ print_table_row("Total logins:",RegistryKeyValueToVariant(f_key.value,"uint16",66));
+ print_table_row("Failed logins:",RegistryKeyValueToVariant(f_key.value,"uint16",64));
+ var acc_flags=Number(RegistryKeyValueToVariant(f_key.value,"uint16",56));
+ print(" <tr><td>Account flags:</td><td>");
+ if(acc_flags&0x0001) print("Disabled ");
+ if(acc_flags&0x0002) print("HomeDirReq ");
+ if(acc_flags&0x0004) print("PwNotReq ");
+ if(acc_flags&0x0008) print("TempDupAcc ");
+ // I don't think this would be useful to show
+ //if(acc_flags&0x0010) print("NormUserAcc ");
+ if(acc_flags&0x0020) print("MnsAcc ");
+ if(acc_flags&0x0040) print("DomTrustAcc ");
+ if(acc_flags&0x0080) print("WksTrustAcc ");
+ if(acc_flags&0x0100) print("SrvTrustAcc ");
+ if(acc_flags&0x0200) print("NoPwExpiry ");
+ if(acc_flags&0x0400) print("AccAutoLock ");
+ print(" (",acc_flags,")");
+ println("</td></tr>");
- // Get password hint if available
- var hint=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"UserPasswordHint");
- if(typeof hint !== 'undefined') {
- // Append missing trailing utf16 zero byte
- hint.value.appendByte(0);
- hint.value.appendByte(0);
- print_table_row("Password hint:",RegistryKeyValueToVariant(hint.value,"utf16"));
- }
+ // Get password hint if available
+ var hint=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"UserPasswordHint");
+ if(typeof hint !== 'undefined') {
+ // Append missing trailing utf16 zero byte
+ hint.value.appendByte(0);
+ hint.value.appendByte(0);
+ print_table_row("Password hint:",RegistryKeyValueToVariant(hint.value,"utf16"));
+ }
- // TODO: User group membership
+ // TODO: User group membership
- println(" </table>");
- println(" </p>");
+ println(" </table>");
+ println(" </p>");
+ }
+ } else {
+ println(" <p><font color='red'>");
+ println(" Unable to enumerate users!<br />");
+ println(" Are you sure you are running this report against the correct registry hive?");
+ println(" </font></p>");
}
-} else {
- println(" <p><font color='red'>");
- println(" Unable to enumerate users!<br />");
- println(" Are you sure you are running this report against the correct registry hive?");
- println(" </font></p>");
-}
-println("</html>");
+ println("</html>");
+}
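Review bot: Inside the per-user loop, `user_rid`, `v_key` and `f_key` are dereferenced (`user_rid.type`, `v_key.value`, `f_key.value`) without the IsValid check that the same function applies to `user_names` and that the hint lookup applies via `typeof hint !== 'undefined'`; a Names entry whose RID key is missing, or a user key lacking V or F, therefore throws and aborts the report for every remaining user. Guard each of the three lookups and skip the user with a visible marker, e.g. after the F lookup `if(!IsValid(v_key) || !IsValid(f_key)) { print_table_row("Error:","V or F value missing"); println(" </table>"); println(" </p>"); continue; }`, with the user_rid check placed before `user_rid.type` is read. For consistency the hint check would then read `if(IsValid(hint))`. print_v_info and print_table_row are unchanged helpers defined above fred_report_html.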
diff --git a/trunk/report_templates/SOFTWARE_Autoruns.qs b/trunk/report_templates/SOFTWARE_Autoruns.qs
index 11e259d..20661b8 100644
--- a/trunk/report_templates/SOFTWARE_Autoruns.qs
+++ b/trunk/report_templates/SOFTWARE_Autoruns.qs
@@ -1,49 +1,61 @@
+function fred_report_info() {
+ var info={report_cat : "SOFTWARE",
+ report_name : "Autoruns",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump autoruns",
+ fred_api : 2,
+ hive : "SOFTWARE"
+ };
+ return info;
+}
+
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
function print_table_row(cell01,cell02) {
println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
}
function ListAutoruns(autorun_path,autorun_key) {
println(" <p style=\"font-size:12; white-space:nowrap\">");
println(" <u>"+autorun_key+"</u><br />");
var run_keys=GetRegistryKeys(autorun_path+autorun_key);
if(IsValid(run_keys) && run_keys.length>0) {
println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
print_table_row("<b>Name</b>","<b>Executable</b>");
for(var i=0;i<run_keys.length;i++) {
var val=GetRegistryKeyValue(autorun_path+autorun_key,run_keys[i]);
print_table_row(run_keys[i],RegistryKeyValueToString(val.value,val.type));
}
println(" </table>");
} else {
println(" None");
}
println(" </p>");
}
-// Global vars
-var val;
+function fred_report_html() {
+ var val;
-println("<html>");
-println(" <head><title>System Autoruns</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>System Autoruns</h2>");
+ println("<html>");
+ println(" <head><title>System Autoruns</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>System Autoruns</h2>");
-// Run
-ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","Run");
+ // Run
+ ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","Run");
-// RunOnce
-ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnce");
+ // RunOnce
+ ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnce");
-// RunOnceEx
-ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnceEx");
+ // RunOnceEx
+ ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnceEx");
-// TODO: There might be a Run under WindowsNT\CurrentVersion\Run too!
+ // TODO: There might be a Run under WindowsNT\CurrentVersion\Run too!
-println("</html>");
+ println("</html>");
+}
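Review bot: `var val;` at the top of fred_report_html is never used in that function (ListAutoruns declares its own `val`); it is a leftover of the removed `// Global vars` block and should be dropped. The TODO comment names the key as `WindowsNT\CurrentVersion\Run`, while the other SOFTWARE templates in this commit address that key as `\Microsoft\Windows NT\CurrentVersion` with a space, so the comment should read `// TODO: There might be a Run under Windows NT\CurrentVersion\Run too!` to avoid a mistyped path when it is implemented.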
diff --git a/trunk/report_templates/SOFTWARE_ProfileList.qs b/trunk/report_templates/SOFTWARE_ProfileList.qs
index 211ac49..52447bc 100644
--- a/trunk/report_templates/SOFTWARE_ProfileList.qs
+++ b/trunk/report_templates/SOFTWARE_ProfileList.qs
@@ -1,44 +1,56 @@
+function fred_report_info() {
+ var info={report_cat : "SOFTWARE",
+ report_name : "Profile list",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump profile list",
+ fred_api : 2,
+ hive : "SOFTWARE"
+ };
+ return info;
+}
+
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
function print_table_row(cell01,cell02) {
println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
}
-// Global vars
-var val;
+function fred_report_html() {
+ var val;
-println("<html>");
-println(" <head><title>Profile List</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>Profile List</h2>");
+ println("<html>");
+ println(" <head><title>Profile List</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>Profile List</h2>");
-var profile_list=GetRegistryNodes("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList");
-if(IsValid(profile_list) && profile_list.length>0) {
- for(var i=0;i<profile_list.length;i++) {
- println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <u>"+profile_list[i]+"</u><br />");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
+ var profile_list=GetRegistryNodes("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList");
+ if(IsValid(profile_list) && profile_list.length>0) {
+ for(var i=0;i<profile_list.length;i++) {
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <u>"+profile_list[i]+"</u><br />");
+ println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
- // Get profile image path
- val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileImagePath");
- print_table_row("Profile image path:",IsValid(val) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
+ // Get profile image path
+ val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileImagePath");
+ print_table_row("Profile image path:",IsValid(val) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
- // Get last load time (Saved as 2 dwords. Another "good" idea of M$ ;-))
- var loadtime_low=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileLoadTimeLow");
- var loadtime_high=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileLoadTimeHigh");
- print_table_row("Profile load time:",(IsValid(loadtime_low) && IsValid(loadtime_high)) ? RegistryKeyValueToVariant(loadtime_low.value.append(loadtime_high.value),"filetime",0) : "n/a");
+ // Get last load time (Saved as 2 dwords. Another "good" idea of M$ ;-))
+ var loadtime_low=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileLoadTimeLow");
+ var loadtime_high=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileLoadTimeHigh");
+ print_table_row("Profile load time:",(IsValid(loadtime_low) && IsValid(loadtime_high)) ? RegistryKeyValueToVariant(loadtime_low.value.append(loadtime_high.value),"filetime",0) : "n/a");
- // TODO: There is more to decode under \\Microsoft\\Windows NT\\CurrentVersion\\ProfileList
+ // TODO: There is more to decode under \\Microsoft\\Windows NT\\CurrentVersion\\ProfileList
+ println(" </table>");
+ println(" </p>");
+ }
println(" </table>");
- println(" </p>");
+ } else {
+ println(" None");
}
- println(" </table>");
-} else {
- println(" None");
-}
-println("</html>");
+ println("</html>");
+}
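Review bot: After the `for` loop closes, the context line `println(" </table>");` just before `} else {` emits a closing tag with no open table: each profile's table is already closed inside the loop by the new `println(" </table>"); println(" </p>");` pair, so this line is a leftover of the old layout and should be deleted, leaving the `if` branch to end with the loop's `}` directly before `} else {`. The `ProfileLoadTimeLow`/`High` join via `loadtime_low.value.append(loadtime_high.value)` passes the return value of `append` straight to RegistryKeyValueToVariant; whether `append` returns the combined data is not visible here — confirm it does, otherwise the load time decodes from the wrong buffer.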
diff --git a/trunk/report_templates/SOFTWARE_WindowsVersion.qs b/trunk/report_templates/SOFTWARE_WindowsVersion.qs
index 8a09d4a..0871460 100644
--- a/trunk/report_templates/SOFTWARE_WindowsVersion.qs
+++ b/trunk/report_templates/SOFTWARE_WindowsVersion.qs
@@ -1,96 +1,109 @@
+function fred_report_info() {
+ var info={report_cat : "SOFTWARE",
+ report_name : "Windows version",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump Windows version info",
+ fred_api : 2,
+ hive : "SOFTWARE"
+ };
+ return info;
+}
+
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
function print_table_row(cell01,cell02) {
println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
}
function DecodeProductKey(arr) {
//ProductKey is base24 encoded
var keychars=new Array("B","C","D","F","G","H","J","K","M","P","Q","R","T","V","W","X","Y","2","3","4","6","7","8","9");
var key=new Array(30);
var ret="";
var ncur;
if(arr.length<66) return ret;
arr=arr.mid(52,15);
for(var ilbyte=24;ilbyte>=0;ilbyte--) {
ncur=0;
for(var ilkeybyte=14;ilkeybyte>=0;ilkeybyte--) {
ncur=ncur*256^arr[ilkeybyte];
arr[ilkeybyte]=ncur/24;
ncur%=24;
}
ret=keychars[ncur]+ret;
if(ilbyte%5==0 && ilbyte!=0) ret="-"+ret;
}
return ret;
}
-println("<html>");
-println(" <head><title>Windows version info</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>Windows version info</h2>");
+function fred_report_html() {
+ println("<html>");
+ println(" <head><title>Windows version info</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>Windows version info</h2>");
-// Windows version sp and build info
-var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","ProductName");
-if(IsValid(val)) {
- println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
-
- print(" <tr><td>Windows version:</td><td>",RegistryKeyValueToString(val.value,val.type));
- var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","CSDVersion");
+ // Windows version sp and build info
+ var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","ProductName");
if(IsValid(val)) {
- print(" ",RegistryKeyValueToString(val.value,val.type));
- }
- var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","CurrentBuildNumber");
- if(IsValid(val)) {
- print(" build ",RegistryKeyValueToString(val.value,val.type));
- }
- println("</td></tr>");
- // Build string
- var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","BuildLab");
- print_table_row("Build string:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
- // Extended build string
- var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","BuildLabEx");
- print_table_row("Extended build string:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
- // Install date
- var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","InstallDate");
- print_table_row("Install date:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime") : "n/a");
+ print(" <tr><td>Windows version:</td><td>",RegistryKeyValueToString(val.value,val.type));
+ var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","CSDVersion");
+ if(IsValid(val)) {
+ print(" ",RegistryKeyValueToString(val.value,val.type));
+ }
+ var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","CurrentBuildNumber");
+ if(IsValid(val)) {
+ print(" build ",RegistryKeyValueToString(val.value,val.type));
+ }
+ println("</td></tr>");
+ // Build string
+ var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","BuildLab");
+ print_table_row("Build string:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
+ // Extended build string
+ var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","BuildLabEx");
+ print_table_row("Extended build string:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
- // Owner and Organization info
- var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","RegisteredOwner");
- print_table_row("Registered owner:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
- var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","RegisteredOrganization");
- print_table_row("Registered organization:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
+ // Install date
+ var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","InstallDate");
+ print_table_row("Install date:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime") : "n/a");
- // Windows ID / Key
- var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","ProductId");
- print_table_row("Product ID:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
- var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","DigitalProductId");
- if(IsValid(val)) {
- var key=DecodeProductKey(val.value);
- if(key!="BBBBB-BBBBB-BBBBB-BBBBB-BBBBB") print_table_row("Product Key:",key);
- else print_table_row("Product Key:","n/a (Probably a volume license key was used)");
- } else print_table_row("Product Key:","n/a");
+ // Owner and Organization info
+ var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","RegisteredOwner");
+ print_table_row("Registered owner:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
+ var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","RegisteredOrganization");
+ print_table_row("Registered organization:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
- // Install directory / Source directory
- var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","PathName");
- print_table_row("Install path:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
- var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","SourcePath");
- print_table_row("Source path:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
+ // Windows ID / Key
+ var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","ProductId");
+ print_table_row("Product ID:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
+ var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","DigitalProductId");
+ if(IsValid(val)) {
+ var key=DecodeProductKey(val.value);
+ if(key!="BBBBB-BBBBB-BBBBB-BBBBB-BBBBB") print_table_row("Product Key:",key);
+ else print_table_row("Product Key:","n/a (Probably a volume license key was used)");
+ } else print_table_row("Product Key:","n/a");
- println(" </table>");
- println(" </p>");
-} else {
- println(" <p><font color='red'>");
- println(" Unable to get product name!<br />");
- println(" Are you sure you are running this report against the correct registry hive?");
- println(" </font></p>");
-}
+ // Install directory / Source directory
+ var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","PathName");
+ print_table_row("Install path:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
+ var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","SourcePath");
+ print_table_row("Source path:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
-println("</html>");
+ println(" </table>");
+ println(" </p>");
+ } else {
+ println(" <p><font color='red'>");
+ println(" Unable to get product name!<br />");
+ println(" Are you sure you are running this report against the correct registry hive?");
+ println(" </font></p>");
+ }
+
+ println("</html>");
+}
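Review bot: `var val` is redeclared twelve times inside fred_report_html; `var` is function-scoped and hoisted, so all of them name the same variable and the repeated declarations only obscure that each lookup overwrites the previous one. Declare it once at the first lookup, `var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","ProductName");`, and use plain `val=GetRegistryKeyValue(...)` afterwards, matching the `var val;` style of SOFTWARE_ProfileList in this commit. DecodeProductKey and the helpers above it are unchanged context.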
diff --git a/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs b/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs
index 1edcdcb..5943e14 100644
--- a/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs
+++ b/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs
@@ -1,130 +1,141 @@
-// See Appendix A: TCP/IP Configuration Parameters:
-// http://technet.microsoft.com/de-de/library/cc739819%28v=WS.10%29.aspx
+function fred_report_info() {
+ var info={report_cat : "SYSTEM",
+ report_name : "Current network settings",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump current network settings",
+ fred_api : 2,
+ hive : "SYSTEM"
+ };
+ return info;
+}
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
function print_table_row(cell01,cell02) {
println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
}
function ZeroPad(number,padlen) {
var ret=number.toString(10);
if(!padlen || ret.length>=padlen) return ret;
return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
}
-// Global vars
-var val;
-
-println("<html>");
-println(" <head><title>Current Network Settings (Tcp/Ip)</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>Current network settings (Tcp/Ip)</h2>");
-
-// Get current controlset
-var cur_controlset=GetRegistryKeyValue("\\Select","Current");
-if(IsValid(cur_controlset)) {
- cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
- // Current holds a DWORD value, thus we get a string like 0x00000000, but
- // control sets are referenced by its decimal representation.
- cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)
-
- println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
- print_table_row("Active control set:",cur_controlset);
-
- // Computer name
- val=GetRegistryKeyValue(cur_controlset+"\\Control\\ComputerName\\ComputerName","ComputerName");
- print_table_row("Computer name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
-
- println(" </table>");
- println(" <br />");
-
- // Iterate over all available network adapters
- var adapters=GetRegistryNodes(cur_controlset+"\\Services\\Tcpip\\Parameters\\Adapters");
- for(var i=0;i<adapters.length;i++) {
- // Try to get a human readable name
- // According to http://technet.microsoft.com/de-de/library/cc780532%28v=ws.10%29.aspx
- // the {4D36E972-E325-11CE-BFC1-08002BE10318} key name might be (and hopefully is) static :)
- val=GetRegistryKeyValue(cur_controlset+"\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\"+adapters[i]+"\\Connection","Name");
- if(IsValid(val)) {
- println(" ",RegistryKeyValueToString(val.value,val.type));
- } else {
- println(" ",adapters[i]);
- }
-
- // Get settings node
- var adapter_settings_node=GetRegistryKeyValue(cur_controlset+"\\Services\\Tcpip\\Parameters\\Adapters\\"+adapters[i],"IpConfig");
- adapter_settings_node=RegistryKeyValueToVariant(adapter_settings_node.value,"utf16",0);
-
+function fred_report_html() {
+ // See Appendix A: TCP/IP Configuration Parameters:
+ // http://technet.microsoft.com/de-de/library/cc739819%28v=WS.10%29.aspx
+ var val;
+
+ println("<html>");
+ println(" <head><title>Current Network Settings (Tcp/Ip)</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>Current network settings (Tcp/Ip)</h2>");
+
+ // Get current controlset
+ var cur_controlset=GetRegistryKeyValue("\\Select","Current");
+ if(IsValid(cur_controlset)) {
+ cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
+ // Current holds a DWORD value, thus we get a string like 0x00000000, but
+ // control sets are referenced by its decimal representation.
+ cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)
+
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
- //print_table_row("Adapter id:",adapters[i]);
-
- // Get configuration mode
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"EnableDHCP");
- val=Number(RegistryKeyValueToString(val.value,val.type));
- if(val) {
- // DHCP enabled
- print_table_row("Configuration mode:","DHCP");
- // DHCP server
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpServer");
- print_table_row("Last used DHCP server:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
- // IP address
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpIPAddress");
- print_table_row("IP address:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
- // Subnet mask
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpSubnetMask");
- print_table_row("Subnet mask:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
- // Nameserver(s)
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpNameServer");
- print_table_row("Nameserver(s):",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
- // Domain
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpDomain");
- print_table_row("Domain:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
- // Default gw
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpDefaultGateway");
- print_table_row("Default gateway:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
- // Lease obtained
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"LeaseObtainedTime");
- print_table_row("Lease obtained:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : "");
- // Lease valid until
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"LeaseTerminatesTime");
- print_table_row("Lease terminates:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : "");
- } else {
- print_table_row("Configuration mode:","Manual");
- // IP address
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"IPAddress");
- print_table_row("IP address:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
- // Subnet mask
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"SubnetMask");
- print_table_row("Subnet mask:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
- // Nameserver
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"NameServer");
- print_table_row("Nameserver:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
- // Domain
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"Domain");
- print_table_row("Domain:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
- // Default gw
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DefaultGateway");
- print_table_row("Default gateway:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
- }
+ print_table_row("Active control set:",cur_controlset);
- // TODO: Check for EnableSecurityFilters, TCPAllowedPorts and UDPAllowedPorts to get firewall status.
+ // Computer name
+ val=GetRegistryKeyValue(cur_controlset+"\\Control\\ComputerName\\ComputerName","ComputerName");
+ print_table_row("Computer name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
println(" </table>");
println(" <br />");
- // TODO: Get persistent routes from \ControlSet001\Services\Tcpip\Parameters\PersistentRoutes
+ // Iterate over all available network adapters
+ var adapters=GetRegistryNodes(cur_controlset+"\\Services\\Tcpip\\Parameters\\Adapters");
+ for(var i=0;i<adapters.length;i++) {
+ // Try to get a human readable name
+ // According to http://technet.microsoft.com/de-de/library/cc780532%28v=ws.10%29.aspx
+ // the {4D36E972-E325-11CE-BFC1-08002BE10318} key name might be (and hopefully is) static :)
+ val=GetRegistryKeyValue(cur_controlset+"\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\"+adapters[i]+"\\Connection","Name");
+ if(IsValid(val)) {
+ println(" ",RegistryKeyValueToString(val.value,val.type));
+ } else {
+ println(" ",adapters[i]);
+ }
+
+ // Get settings node
+ var adapter_settings_node=GetRegistryKeyValue(cur_controlset+"\\Services\\Tcpip\\Parameters\\Adapters\\"+adapters[i],"IpConfig");
+ adapter_settings_node=RegistryKeyValueToVariant(adapter_settings_node.value,"utf16",0);
+
+ println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
+ //print_table_row("Adapter id:",adapters[i]);
+
+ // Get configuration mode
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"EnableDHCP");
+ val=Number(RegistryKeyValueToString(val.value,val.type));
+ if(val) {
+ // DHCP enabled
+ print_table_row("Configuration mode:","DHCP");
+ // DHCP server
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpServer");
+ print_table_row("Last used DHCP server:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ // IP address
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpIPAddress");
+ print_table_row("IP address:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ // Subnet mask
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpSubnetMask");
+ print_table_row("Subnet mask:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ // Nameserver(s)
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpNameServer");
+ print_table_row("Nameserver(s):",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ // Domain
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpDomain");
+ print_table_row("Domain:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ // Default gw
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpDefaultGateway");
+ print_table_row("Default gateway:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
+ // Lease obtained
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"LeaseObtainedTime");
+ print_table_row("Lease obtained:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : "");
+ // Lease valid until
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"LeaseTerminatesTime");
+ print_table_row("Lease terminates:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : "");
+ } else {
+ print_table_row("Configuration mode:","Manual");
+ // IP address
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"IPAddress");
+ print_table_row("IP address:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
+ // Subnet mask
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"SubnetMask");
+ print_table_row("Subnet mask:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
+ // Nameserver
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"NameServer");
+ print_table_row("Nameserver:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
+ // Domain
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"Domain");
+ print_table_row("Domain:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ // Default gw
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DefaultGateway");
+ print_table_row("Default gateway:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
+ }
+
+ // TODO: Check for EnableSecurityFilters, TCPAllowedPorts and UDPAllowedPorts to get firewall status.
+
+ println(" </table>");
+ println(" <br />");
+
+ // TODO: Get persistent routes from \ControlSet001\Services\Tcpip\Parameters\PersistentRoutes
+ }
+ println(" </p>");
+ } else {
+ println(" <p><font color='red'>");
+ println(" Unable to determine current control set!<br />");
+ println(" Are you sure you are running this report against the correct registry hive?");
+ println(" </font></p>");
}
- println(" </p>");
-} else {
- println(" <p><font color='red'>");
- println(" Unable to determine current control set!<br />");
- println(" Are you sure you are running this report against the correct registry hive?");
- println(" </font></p>");
-}
-println("</html>");
+ println("</html>");
+}
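Review bot: The adapter loop dereferences `adapter_settings_node.value` right after the `IpConfig` lookup, and `val.value` right after the `EnableDHCP` lookup, without the IsValid() guard that every other lookup in fred_report_html uses, so an adapter key missing either value (a partially written or tampered evidence hive) throws a TypeError and aborts the whole report instead of degrading to an empty row. I would add `if(!IsValid(adapter_settings_node)) { println(" <br />"); continue; }` before the RegistryKeyValueToVariant call and change the DHCP line to `val=(IsValid(val)) ? Number(RegistryKeyValueToString(val.value,val.type)) : 0;`. Separately, adapter names, domains and name servers are copied verbatim from the hive into the HTML via print_table_row; the hunk does not show how the report is rendered, but if it goes into a browser-like widget those hive strings are untrusted input and should be HTML-escaped, or the lack of escaping documented at the top of fred_report_html.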
diff --git a/trunk/report_templates/SYSTEM_Services.qs b/trunk/report_templates/SYSTEM_Services.qs
index 8be6d94..54e85c7 100644
--- a/trunk/report_templates/SYSTEM_Services.qs
+++ b/trunk/report_templates/SYSTEM_Services.qs
@@ -1,99 +1,111 @@
+function fred_report_info() {
+ var info={report_cat : "SYSTEM",
+ report_name : "Services",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump services",
+ fred_api : 2,
+ hive : "SYSTEM"
+ };
+ return info;
+}
+
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
function ZeroPad(number,padlen) {
var ret=number.toString(10);
if(!padlen || ret.length>=padlen) return ret;
return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
}
function PrintTableRow(cell01,cell02,cell03,cell04,cell05) {
println(" <tr><td style=\"padding:2px\">",cell01,"</td><td style=\"padding:2px\">",cell02,"</td><td style=\"padding:2px\">",cell03,"</td><td style=\"padding:2px\">",cell04,"</td><td style=\"padding:2px\">",cell05,"</td></tr>");
}
function ListService(service_node) {
// Service name
var name=GetRegistryKeyValue(service_node,"DisplayName");
name=(IsValid(name)) ? RegistryKeyValueToString(name.value,name.type) : "Unknwon";
// Service group
var group=GetRegistryKeyValue(service_node,"Group");
group=(IsValid(group)) ? RegistryKeyValueToString(group.value,group.type) : "";
// Service exe
var image=GetRegistryKeyValue(service_node,"ImagePath");
image=(IsValid(image)) ? RegistryKeyValueToString(image.value,image.type) : "Unknwon";
// Start
var start=GetRegistryKeyValue(service_node,"Start");
start=(IsValid(start)) ? RegistryKeyValueToString(start.value,start.type) : -1;
switch(Number(start)) {
case 0:
start="Boot";
break;
case 1:
start="System";
break;
case 2:
start="Automatic";
break;
case 3:
start="Manual";
break;
case 4:
start="Disabled";
break;
default:
start="Unknown";
}
// Description
var desc=GetRegistryKeyValue(service_node,"Description");
desc=(IsValid(desc)) ? RegistryKeyValueToString(desc.value,desc.type) : "";
PrintTableRow(name,group,start,image,desc)
}
-// Global vars
-var val;
+function fred_report_html() {
+ var val;
-println("<html>");
-println(" <head><title>Services</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>Services</h2>");
+ println("<html>");
+ println(" <head><title>Services</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>Services</h2>");
-// Get current controlset
-var cur_controlset=GetRegistryKeyValue("\\Select","Current");
-if(IsValid(cur_controlset)) {
- cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
- // Current holds a DWORD value, thus we get a string like 0x00000000, but
- // control sets are referenced by its decimal representation.
- cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)
+ // Get current controlset
+ var cur_controlset=GetRegistryKeyValue("\\Select","Current");
+ if(IsValid(cur_controlset)) {
+ cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
+ // Current holds a DWORD value, thus we get a string like 0x00000000, but
+ // control sets are referenced by its decimal representation.
+ cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)
- // Get list of possible services
- var services=GetRegistryNodes(cur_controlset+"\\Services");
- if(IsValid(services)) {
- println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
- println(" <tr><td style=\"padding:2px\"><b>Name</b></td><td style=\"padding:2px\"><b>Group</b></td><td><b>Startup</b></td><td style=\"padding:2px\"><b>Image path</b></td><td style=\"padding:2px\"><b>Description</b></td></tr>");
- for(var i=0;i<services.length;i++) {
- // Get service type
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+services[i],"Type");
- if(!IsValid(val)) continue;
- val=RegistryKeyValueToString(val.value,val.type);
- if(Number(val)!=16 && Number(val)!=32) continue;
- ListService(cur_controlset+"\\Services\\"+services[i]);
+ // Get list of possible services
+ var services=GetRegistryNodes(cur_controlset+"\\Services");
+ if(IsValid(services)) {
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
+ println(" <tr><td style=\"padding:2px\"><b>Name</b></td><td style=\"padding:2px\"><b>Group</b></td><td><b>Startup</b></td><td style=\"padding:2px\"><b>Image path</b></td><td style=\"padding:2px\"><b>Description</b></td></tr>");
+ for(var i=0;i<services.length;i++) {
+ // Get service type
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+services[i],"Type");
+ if(!IsValid(val)) continue;
+ val=RegistryKeyValueToString(val.value,val.type);
+ if(Number(val)!=16 && Number(val)!=32) continue;
+ ListService(cur_controlset+"\\Services\\"+services[i]);
+ }
+ println(" </table>");
+ println(" </p>");
+ } else {
+ println(" <p><font color='red'>");
+ println(" This registry hive does not contain any services!<br />");
+ println(" </font></p>");
}
- println(" </table>");
- println(" </p>");
} else {
println(" <p><font color='red'>");
- println(" This registry hive does not contain any services!<br />");
+ println(" Unable to determine current control set!<br />");
+ println(" Are you sure you are running this report against the correct registry hive?");
println(" </font></p>");
}
-} else {
- println(" <p><font color='red'>");
- println(" Unable to determine current control set!<br />");
- println(" Are you sure you are running this report against the correct registry hive?");
- println(" </font></p>");
-}
-println("</html>");
+ println("</html>");
+}
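Review bot: The filter `if(Number(val)!=16 && Number(val)!=32) continue;` compares the whole Type value, but Type is a bit field (the interactive-process flag adds 0x100 as far as I recall), so services stored as 0x110 or 0x120 are silently dropped from a report described as "Dump services"; kernel and file-system drivers (Type 1 and 2), a common persistence location, are also excluded without the page saying so. I would mask the flag bits before comparing, `var type=Number(val)&0xFF; if(type!=16 && type!=32) continue;`, and either extend ListService to drivers or state in the heading that only Win32 services are listed. The `Unknwon` fallbacks in ListService are pre-existing context lines but would be worth fixing in the same pass, and ImagePath is written into the table unescaped, which matters if the HTML is rendered rather than saved as text.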
diff --git a/trunk/report_templates/SYSTEM_ShutdownTime.qs b/trunk/report_templates/SYSTEM_ShutdownTime.qs
index 23ffbe9..4a3ecf1 100644
--- a/trunk/report_templates/SYSTEM_ShutdownTime.qs
+++ b/trunk/report_templates/SYSTEM_ShutdownTime.qs
@@ -1,45 +1,57 @@
+function fred_report_info() {
+ var info={report_cat : "SYSTEM",
+ report_name : "Shutdown time",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump last known shutdown time",
+ fred_api : 2,
+ hive : "SYSTEM"
+ };
+ return info;
+}
+
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
function print_table_row(cell01,cell02) {
println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
}
-// Global vars
-var val;
-
-println("<html>");
-println(" <head><title>Last known shutdown time</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>Last known shutdown time</h2>");
-
-// Get current controlset
-var cur_controlset=GetRegistryKeyValue("\\Select","Current");
-if(IsValid(cur_controlset)) {
- cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
- // Current holds a DWORD value, thus we get a string like 0x00000000, but
- // control sets are referenced only with the last 3 digits.
- cur_controlset="ControlSet"+String(cur_controlset).substr(7,3);
-
- println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
-
- print_table_row("Active control set:",cur_controlset);
-
- // Shutdown time
- val=GetRegistryKeyValue(cur_controlset+"\\Control\\Windows","ShutdownTime");
- print_table_row("Shutdown time:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"filetime") : "Unknown");
-
- println(" </table>");
- println(" <br />");
- println(" </p>");
-} else {
- println(" <p><font color='red'>");
- println(" Unable to determine current control set!<br />");
- println(" Are you sure you are running this report against the correct registry hive?");
- println(" </font></p>");
+function fred_report_html() {
+ var val;
+
+ println("<html>");
+ println(" <head><title>Last known shutdown time</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>Last known shutdown time</h2>");
+
+ // Get current controlset
+ var cur_controlset=GetRegistryKeyValue("\\Select","Current");
+ if(IsValid(cur_controlset)) {
+ cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
+ // Current holds a DWORD value, thus we get a string like 0x00000000, but
+ // control sets are referenced only with the last 3 digits.
+ cur_controlset="ControlSet"+String(cur_controlset).substr(7,3);
+
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
+
+ print_table_row("Active control set:",cur_controlset);
+
+ // Shutdown time
+ val=GetRegistryKeyValue(cur_controlset+"\\Control\\Windows","ShutdownTime");
+ print_table_row("Shutdown time:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"filetime") : "Unknown");
+
+ println(" </table>");
+ println(" <br />");
+ println(" </p>");
+ } else {
+ println(" <p><font color='red'>");
+ println(" Unable to determine current control set!<br />");
+ println(" Are you sure you are running this report against the correct registry hive?");
+ println(" </font></p>");
+ }
+
+ println("</html>");
}
-
-println("</html>");
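Review bot: The control-set derivation `cur_controlset="ControlSet"+String(cur_controlset).substr(7,3);` keeps the last three characters of the hexadecimal "0x0000000N" string, while the sibling templates in this commit (SYSTEM_CurrentNetworkSettings, SYSTEM_Services, SYSTEM_SystemTimeInfo) parse the DWORD and zero-pad its decimal value, so a Select\Current above 9 resolves to "ControlSet00a" here and the ShutdownTime lookup fails silently as "Unknown". I would bring this template in line with the others by adding the same ZeroPad helper and parse, and reword the comment above the line from "last 3 digits" to "decimal representation" so it does not contradict the other files. The change replaces the helper section and one line inside fred_report_html, shown below.
```javascript
function ZeroPad(number,padlen) {
  var ret=number.toString(10);
  if(!padlen || ret.length>=padlen) return ret;
  return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
}
// … unchanged: IsValid, print_table_row, start of fred_report_html …
    cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
    // Current holds a DWORD value, thus we get a string like 0x00000000, but
    // control sets are referenced by its decimal representation.
    cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3);
// … unchanged: rest of fred_report_html …
```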
diff --git a/trunk/report_templates/SYSTEM_SystemTimeInfo.qs b/trunk/report_templates/SYSTEM_SystemTimeInfo.qs
index e1dbd96..17b166f 100644
--- a/trunk/report_templates/SYSTEM_SystemTimeInfo.qs
+++ b/trunk/report_templates/SYSTEM_SystemTimeInfo.qs
@@ -1,110 +1,122 @@
+function fred_report_info() {
+ var info={report_cat : "SYSTEM",
+ report_name : "System time info",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump system time info",
+ fred_api : 2,
+ hive : "SYSTEM"
+ };
+ return info;
+}
+
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
function print_table_row(cell01,cell02) {
println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
}
function ToUTC(num) {
var retnum=new Number(num);
if(retnum&0x80000000) {
retnum=((0xFFFFFFFF-retnum)+1)/60;
return "UTC+"+Number(retnum).toString(10);
} else {
retnum=retnum/60;
if(retnum!=0) return "UTC-"+Number(retnum).toString(10);
else return "UTC+"+Number(retnum).toString(10);
}
}
function ZeroPad(number,padlen) {
var ret=number.toString(10);
if(!padlen || ret.length>=padlen) return ret;
return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
}
-// Global vars
-var val;
+function fred_report_html() {
+ var val;
-println("<html>");
-println(" <head><title>System Time Info</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>System time info (",cur_controlset,")</h2>");
+ println("<html>");
+ println(" <head><title>System Time Info</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>System time info (",cur_controlset,")</h2>");
-// Get current controlset
-var cur_controlset=GetRegistryKeyValue("\\Select","Current");
-if(IsValid(cur_controlset)) {
- cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
- // Current holds a DWORD value, thus we get a string like 0x00000000, but
- // control sets are referenced by its decimal representation.
- cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)
+ // Get current controlset
+ var cur_controlset=GetRegistryKeyValue("\\Select","Current");
+ if(IsValid(cur_controlset)) {
+ cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
+ // Current holds a DWORD value, thus we get a string like 0x00000000, but
+ // control sets are referenced by its decimal representation.
+ cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)
- println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <u>Time zone info</u>");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <u>Time zone info</u>");
+ println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
- // Active time bias
- val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","ActiveTimeBias");
- print_table_row("Active time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a");
+ // Active time bias
+ val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","ActiveTimeBias");
+ print_table_row("Active time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a");
- // Std. tz name and bias
- val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardName");
- print_table_row("Std. time zone name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
- val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardBias");
- print_table_row("Std. time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a");
+ // Std. tz name and bias
+ val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardName");
+ print_table_row("Std. time zone name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
+ val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardBias");
+ print_table_row("Std. time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a");
- // Daylight tz name and bias
- val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightName");
- print_table_row("Daylight time zone name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
- val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightBias");
- print_table_row("Daylight time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a");
+ // Daylight tz name and bias
+ val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightName");
+ print_table_row("Daylight time zone name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
+ val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightBias");
+ print_table_row("Daylight time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a");
- println(" </table>");
- println(" <br />");
- println(" <u>W32Time service info</u>");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
+ println(" </table>");
+ println(" <br />");
+ println(" <u>W32Time service info</u>");
+ println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
- // Get W32Time service settings
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time","Start");
- if(IsValid(val)) {
- print(" <tr><td>Startup method:</td><td>");
- val=RegistryKeyValueToString(val.value,val.type);
- switch(Number(val)) {
- case 0:
- print("Boot");
- break;
- case 1:
- print("System");
- break;
- case 2:
- print("Automatic");
- break;
- case 3:
- print("Manual");
- break;
- case 4:
- print("Disabled");
- break;
- default:
- print("Unknown");
- }
- println("</td></tr>");
- // If service is enabled, get ntp server
- if(Number(val)<4) {
- val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time\\Parameters","NtpServer");
- print_table_row("NTP server(s):",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
- }
- } else print_table_row("Startup method:","n/a");
+ // Get W32Time service settings
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time","Start");
+ if(IsValid(val)) {
+ print(" <tr><td>Startup method:</td><td>");
+ val=RegistryKeyValueToString(val.value,val.type);
+ switch(Number(val)) {
+ case 0:
+ print("Boot");
+ break;
+ case 1:
+ print("System");
+ break;
+ case 2:
+ print("Automatic");
+ break;
+ case 3:
+ print("Manual");
+ break;
+ case 4:
+ print("Disabled");
+ break;
+ default:
+ print("Unknown");
+ }
+ println("</td></tr>");
+ // If service is enabled, get ntp server
+ if(Number(val)<4) {
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time\\Parameters","NtpServer");
+ print_table_row("NTP server(s):",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
+ }
+ } else print_table_row("Startup method:","n/a");
- println(" </table>");
- println(" </p>");
-} else {
- println(" <p><font color='red'>");
- println(" Unable to determine current control set!<br />");
- println(" Are you sure you are running this report against the correct registry hive?");
- println(" </font></p>");
-}
+ println(" </table>");
+ println(" </p>");
+ } else {
+ println(" <p><font color='red'>");
+ println(" Unable to determine current control set!<br />");
+ println(" Are you sure you are running this report against the correct registry hive?");
+ println(" </font></p>");
+ }
-println("</html>");
+ println("</html>");
+}
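Review bot: The heading `println(" <h2>System time info (",cur_controlset,")</h2>");` reads cur_controlset before `var cur_controlset=GetRegistryKeyValue("\\Select","Current")` assigns it a few lines later, so with var hoisting the title renders as "System time info (undefined)" on every run (the same ordering existed at file scope before this move, so the commit carries the bug over rather than introducing it). I would drop the parenthetical, `println(" <h2>System time info</h2>");`, and print the resolved set where the other SYSTEM templates do, `print_table_row("Active control set:",cur_controlset);` as the first row of the time-zone table. The NTP server is only emitted when Start < 4; a disabled W32Time can still hold a stale NtpServer value that is useful for timeline work, so consider printing it unconditionally next to the startup state.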
diff --git a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
index 9cd16f3..3ed2517 100644
--- a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
+++ b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
@@ -1,139 +1,150 @@
-// TODO: There is more here. Check http://www.forensicswiki.org/wiki/USB_History_Viewing
+function fred_report_info() {
+ var info={report_cat : "SYSTEM",
+ report_name : "USB storage devices",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump USB storage devices",
+ fred_api : 2,
+ hive : "SYSTEM"
+ };
+ return info;
+}
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
function print_table_row(cell01,cell02) {
println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
}
function ZeroPad(number,padlen) {
var ret=number.toString(10);
if(!padlen || ret.length>=padlen) return ret;
return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
}
-// Global vars
-var val;
+function fred_report_html() {
+ // TODO: There is more here. Check http://www.forensicswiki.org/wiki/USB_History_Viewing
+ var val;
-println("<html>");
-println(" <head><title>USB Storage Devices</title></head>");
-println(" <body style=\"font-size:12\">");
-println(" <h2>USB storage devices</h2>");
+ println("<html>");
+ println(" <head><title>USB Storage Devices</title></head>");
+ println(" <body style=\"font-size:12\">");
+ println(" <h2>USB storage devices</h2>");
-// Preload MountedDevices to possibly identify mount points of USB storage devices
-var mnt_keys=GetRegistryKeys("\\MountedDevices");
-var mnt_values=new Array();
-if(IsValid(mnt_keys)) {
- for(var i=0;i<mnt_keys.length;i++) {
- val=GetRegistryKeyValue("\\MountedDevices",mnt_keys[i]);
- mnt_values[i]=RegistryKeyValueToVariant(val.value,"utf16");
+ // Preload MountedDevices to possibly identify mount points of USB storage devices
+ var mnt_keys=GetRegistryKeys("\\MountedDevices");
+ var mnt_values=new Array();
+ if(IsValid(mnt_keys)) {
+ for(var i=0;i<mnt_keys.length;i++) {
+ val=GetRegistryKeyValue("\\MountedDevices",mnt_keys[i]);
+ mnt_values[i]=RegistryKeyValueToVariant(val.value,"utf16");
+ }
}
-}
-// Get current controlset
-var cur_controlset=GetRegistryKeyValue("\\Select","Current");
-if(IsValid(cur_controlset)) {
- cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
- // Current holds a DWORD value, thus we get a string like 0x00000000, but
- // control sets are referenced by its decimal representation.
- cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)
+ // Get current controlset
+ var cur_controlset=GetRegistryKeyValue("\\Select","Current");
+ if(IsValid(cur_controlset)) {
+ cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
+ // Current holds a DWORD value, thus we get a string like 0x00000000, but
+ // control sets are referenced by its decimal representation.
+ cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)
- println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <u>Settings</u><br />");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <u>Settings</u><br />");
+ println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
- // Are USB storage devices enabled?
- // http://www.forensicmag.com/article/windows-7-registry-forensics-part-5
- // Is this true for WinXP etc.. ???
- var val=GetRegistryKeyValue(cur_controlset+"\\services\\USBSTOR","Start");
- if(IsValid(val)) {
- val=RegistryKeyValueToString(val.value,val.type);
- val=parseInt(String(val).substr(2,8),10);
- switch(val) {
- case 3:
- print_table_row("Storage driver enabled:","Yes");
- break;
- case 4:
- print_table_row("Storage driver enabled:","No");
- break;
- default:
- print_table_row("Storage driver enabled:","Unknown");
+ // Are USB storage devices enabled?
+ // http://www.forensicmag.com/article/windows-7-registry-forensics-part-5
+ // Is this true for WinXP etc.. ???
+ var val=GetRegistryKeyValue(cur_controlset+"\\services\\USBSTOR","Start");
+ if(IsValid(val)) {
+ val=RegistryKeyValueToString(val.value,val.type);
+ val=parseInt(String(val).substr(2,8),10);
+ switch(val) {
+ case 3:
+ print_table_row("Storage driver enabled:","Yes");
+ break;
+ case 4:
+ print_table_row("Storage driver enabled:","No");
+ break;
+ default:
+ print_table_row("Storage driver enabled:","Unknown");
+ }
+ } else {
+ print_table_row("Storage driver enabled:","Unknown");
}
- } else {
- print_table_row("Storage driver enabled:","Unknown");
- }
- println(" </table>");
- println(" </p>");
- println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <u>Devices</u><br />");
+ println(" </table>");
+ println(" </p>");
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <u>Devices</u><br />");
- var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR");
- if(IsValid(storage_roots)) {
- for(var i=0;i<storage_roots.length;i++) {
- println(" <u>",storage_roots[i],"</u><br />");
- var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]);
- for(ii=0;ii<storage_subroots.length;ii++) {
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
- // If the second character of the unique instance ID is a '&', then the ID was
- // generated by the system, as the device did not have a serial number.
- if(String(storage_subroots[ii]).charAt(1)=="&") print_table_row("Unique ID:",storage_subroots[ii]+" (Generated by system)");
- else print_table_row("Unique ID:",storage_subroots[ii]);
+ var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR");
+ if(IsValid(storage_roots)) {
+ for(var i=0;i<storage_roots.length;i++) {
+ println(" <u>",storage_roots[i],"</u><br />");
+ var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]);
+ for(ii=0;ii<storage_subroots.length;ii++) {
+ println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
+ // If the second character of the unique instance ID is a '&', then the ID was
+ // generated by the system, as the device did not have a serial number.
+ if(String(storage_subroots[ii]).charAt(1)=="&") print_table_row("Unique ID:",storage_subroots[ii]+" (Generated by system)");
+ else print_table_row("Unique ID:",storage_subroots[ii]);
- val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"Class");
- print_table_row("Class:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
- val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"DeviceDesc");
- print_table_row("Device description:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
- val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"FriendlyName");
- print_table_row("Friendly name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
- val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"ParentIdPrefix");
- if(IsValid(val)) {
- // Windows XP uses the ParentId to link to MountedDevices
- var parent_id=RegistryKeyValueToString(val.value,val.type);
- print_table_row("Parent ID prefix:",parent_id);
- // Find mount point(s)
- print(" <tr><td>Mount point(s):</td><td>");
- var br=0;
- for(var iii=0;iii<mnt_keys.length;iii++) {
- if(String(mnt_values[iii]).indexOf("#"+parent_id+"&")!=-1) {
- if(br==1) print("<br />");
- else br=1;
- print(mnt_keys[iii]);
+ val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"Class");
+ print_table_row("Class:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"DeviceDesc");
+ print_table_row("Device description:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"FriendlyName");
+ print_table_row("Friendly name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"ParentIdPrefix");
+ if(IsValid(val)) {
+ // Windows XP uses the ParentId to link to MountedDevices
+ var parent_id=RegistryKeyValueToString(val.value,val.type);
+ print_table_row("Parent ID prefix:",parent_id);
+ // Find mount point(s)
+ print(" <tr><td>Mount point(s):</td><td>");
+ var br=0;
+ for(var iii=0;iii<mnt_keys.length;iii++) {
+ if(String(mnt_values[iii]).indexOf("#"+parent_id+"&")!=-1) {
+ if(br==1) print("<br />");
+ else br=1;
+ print(mnt_keys[iii]);
+ }
}
- }
- if(br==0) print("n/a");
- println("</td></tr>");
- } else {
- // Since Vista, Unique IDs are used
- // Find mount point(s)
- print(" <tr><td>Mount point(s):</td><td>");
- var br=0;
- for(var iii=0;iii<mnt_keys.length;iii++) {
- if(String(mnt_values[iii]).indexOf("#"+storage_subroots[ii]+"#")!=-1) {
- if(br==1) print("<br />");
- else br=1;
- print(mnt_keys[iii]);
+ if(br==0) print("n/a");
+ println("</td></tr>");
+ } else {
+ // Since Vista, Unique IDs are used
+ // Find mount point(s)
+ print(" <tr><td>Mount point(s):</td><td>");
+ var br=0;
+ for(var iii=0;iii<mnt_keys.length;iii++) {
+ if(String(mnt_values[iii]).indexOf("#"+storage_subroots[ii]+"#")!=-1) {
+ if(br==1) print("<br />");
+ else br=1;
+ print(mnt_keys[iii]);
+ }
}
+ if(br==0) print("n/a");
+ println("</td></tr>");
}
- if(br==0) print("n/a");
- println("</td></tr>");
+ println(" </table>");
+ println(" <br />");
}
- println(" </table>");
- println(" <br />");
}
+ } else {
+ println(" <font color='red'>This registry hive does not contain a list of attached USB storage devices!</font>");
}
+ println(" </p>");
} else {
- println(" <font color='red'>This registry hive does not contain a list of attached USB storage devices!</font>");
+ println(" <p><font color='red'>");
+ println(" Unable to determine current control set!<br />");
+ println(" Are you sure you are running this report against the correct registry hive?");
+ println(" </font></p>");
}
- println(" </p>");
-} else {
- println(" <p><font color='red'>");
- println(" Unable to determine current control set!<br />");
- println(" Are you sure you are running this report against the correct registry hive?");
- println(" </font></p>");
-}
-println("</html>");
+ println("</html>");
+}
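Review bot: Strings read from the hive (`storage_subroots[ii]`, the `DeviceDesc`/`FriendlyName` values, `mnt_keys[iii]`) are written straight into the HTML report through `print_table_row` and `print` with no escaping, so a device name containing `<` or `&` breaks the markup and, since the hive is evidence of unknown origin, could inject markup into whatever renders the report. A small helper that replaces `&`, `<`, `>` and `"` with their entities, applied at each call site that prints a hive-derived value, would close this; the other templates changed in this commit print hive values the same way. Separately, `mnt_keys.length` in the mount-point loops is read even when the earlier `IsValid(mnt_keys)` check failed, and `storage_subroots.length` is read without any `IsValid` check, so `GetRegistryKeys`/`GetRegistryNodes` returning undefined throws inside `fred_report_html`; `ii` is also never declared with `var`.
```javascript
// Escape a hive-derived string before inserting it into the HTML report
function html_escape(s) {
  return String(s).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;");
}
// … unchanged: fred_report_info, IsValid, print_table_row, ZeroPad, start of fred_report_html …
        if(String(storage_subroots[ii]).charAt(1)=="&") print_table_row("Unique ID:",html_escape(storage_subroots[ii])+" (Generated by system)");
        else print_table_row("Unique ID:",html_escape(storage_subroots[ii]));
// … unchanged: remaining rows, each hive value wrapped in html_escape(...) …
```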
diff --git a/trunk/datareporterengine.cpp b/trunk/reportengine.cpp
similarity index 70%
copy from trunk/datareporterengine.cpp
copy to trunk/reportengine.cpp
index f9e3bb9..638b60f 100644
--- a/trunk/datareporterengine.cpp
+++ b/trunk/reportengine.cpp
@@ -1,374 +1,446 @@
/*******************************************************************************
* fred Copyright (c) 2011-2013 by Gillen Daniel <gillen.dan@pinguin.lu> *
* *
* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor *
* with special feautures useful during forensic analysis. *
* *
* This program is free software: you can redistribute it and/or modify it *
* under the terms of the GNU General Public License as published by the Free *
* Software Foundation, either version 3 of the License, or (at your option) *
* any later version. *
* *
* This program is distributed in the hope that it will be useful, but WITHOUT *
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
* more details. *
* *
* You should have received a copy of the GNU General Public License along with *
* this program. If not, see <http://www.gnu.org/licenses/>. *
*******************************************************************************/
-#include "datareporterengine.h"
+#include "reportengine.h"
-#include <QString>
-#include <QMap>
-#include <QMapIterator>
-#include <QStringList>
+#include <QFile>
+#include <QTextStream>
#include <QDateTime>
-#include <stdio.h>
+#include <QtDebug>
-DataReporterEngine::DataReporterEngine(RegistryHive *p_hive) : QScriptEngine() {
+/*******************************************************************************
+ * Public
+ ******************************************************************************/
+
+ReportEngine::ReportEngine(RegistryHive *p_hive) : QScriptEngine() {
// Init vars
this->p_registry_hive=p_hive;
this->report_content="";
// Add our constants
this->globalObject().setProperty("ENGINE_API_VERSION",
- this->api_version,
+ FRED_REPORTENGINE_API_VERSION,
QScriptValue::ReadOnly|
QScriptValue::Undeletable);
-
+/*
+ this->globalObject().setProperty("HIVE_FILE",
+ this->p_registry_hive->Filename(),
+ QScriptValue::ReadOnly|
+ QScriptValue::Undeletable);
+*/
// Add our types to engine
qScriptRegisterMetaType<s_RegistryKeyValue>(this,
this->RegistryKeyValueToScript,
this->RegistryKeyValueFromScript);
this->p_type_byte_array=new ByteArray(this);
this->globalObject().setProperty("ByteArray",
this->p_type_byte_array->constructor());
// Add our functions
// print
QScriptValue func_print=this->newFunction(this->Print);
this->globalObject().setProperty("print",func_print);
// println
QScriptValue func_println=this->newFunction(this->PrintLn);
this->globalObject().setProperty("println",func_println);
// GetRegistryNodes
QScriptValue func_get_nodes=this->newFunction(this->GetRegistryNodes,1);
func_get_nodes.setData(this->newQObject(this->p_registry_hive));
this->globalObject().setProperty("GetRegistryNodes",func_get_nodes);
// GetRegistryKeys
QScriptValue func_get_keys=this->newFunction(this->GetRegistryKeys,1);
func_get_keys.setData(this->newQObject(this->p_registry_hive));
this->globalObject().setProperty("GetRegistryKeys",func_get_keys);
// GetRegistryKeyValue
QScriptValue func_get_key_value=this->newFunction(this->GetRegistryKeyValue,
2);
func_get_key_value.setData(this->newQObject(this->p_registry_hive));
this->globalObject().setProperty("GetRegistryKeyValue",func_get_key_value);
// GetRegistryNodeModTime
QScriptValue func_get_node_modt=
this->newFunction(this->GetRegistryNodeModTime,1);
func_get_node_modt.setData(this->newQObject(this->p_registry_hive));
this->globalObject().setProperty("GetRegistryNodeModTime",func_get_node_modt);
// RegistryKeyValueToString
QScriptValue func_value_to_string=
this->newFunction(this->RegistryKeyValueToString,2);
this->globalObject().setProperty("RegistryKeyValueToString",
func_value_to_string);
// RegistryKeyValueToVariant
QScriptValue func_value_to_variant=
this->newFunction(this->RegistryKeyValueToVariant);
this->globalObject().setProperty("RegistryKeyValueToVariant",
func_value_to_variant);
// RegistryKeyTypeToString
QScriptValue func_type_to_string=
this->newFunction(this->RegistryKeyTypeToString,1);
this->globalObject().setProperty("RegistryKeyTypeToString",
func_type_to_string);
}
-DataReporterEngine::~DataReporterEngine() {
+ReportEngine::~ReportEngine() {
delete this->p_type_byte_array;
}
-QScriptValue DataReporterEngine::Print(QScriptContext *context,
- QScriptEngine *engine)
+/*
+ * GetReportTemplateInfo
+ */
+QMap<QString,QVariant> ReportEngine::GetReportTemplateInfo(QString file) {
+ // Open report template file
+ QFile template_file(file);
+ if(!template_file.open(QIODevice::ReadOnly | QIODevice::Text)) {
+ QMap<QString,QVariant> error_msg;
+ error_msg["error"]=QString("Couldn't open report template file '%1'!")
+ .arg(file);
+ return error_msg;
+ }
+
+ // Read template file and close it
+ QString report_code;
+ QTextStream in(&template_file);
+ while(!in.atEnd()) report_code.append(in.readLine()).append("\n");
+ template_file.close();
+
+ // Evaluate report template script
+ QScriptValue report_result=this->evaluate(report_code,file);
+ if (report_result.isError() || this->hasUncaughtException()) {
+ QMap<QString,QVariant> error_msg;
+ error_msg["error"]=QString("File: %1\n Line: %2\nError: %3")
+ .arg(file)
+ .arg(report_result.property("lineNumber").toInt32())
+ .arg(report_result.toString());
+ return error_msg;
+ }
+
+ // Try to call the fred_report_info script function and return result
+ QScriptValue fred_report_info_func=
+ this->globalObject().property("fred_report_info");
+ if(!fred_report_info_func.isFunction()) {
+ QMap<QString,QVariant> error_msg;
+ error_msg["error"]=
+ QString("Report template '%1' does not have a fred_report_info function!")
+ .arg(file)
+ .arg(report_result.property("lineNumber").toInt32())
+ .arg(report_result.toString());
+ return error_msg;
+ }
+ QScriptValue fred_report_info_res=fred_report_info_func.call();
+ // TODO: Maybe do more checking on return value
+ return fred_report_info_res.toVariant().toMap();
+}
+
+/*******************************************************************************
+ * Public Slots
+ ******************************************************************************/
+
+/*******************************************************************************
+ * Private
+ ******************************************************************************/
+
+/*
+ * Print
+ */
+QScriptValue ReportEngine::Print(QScriptContext *context,
+ QScriptEngine *engine)
{
int i;
QString content;
// Append all arguments to content
for(i=0;i<context->argumentCount();++i) {
//if(i>0) content.append(" ");
content.append(context->argument(i).toString());
}
- //QScriptValue calleeData=context->callee().data();
- //DataReporterEngine *engine=
- // qobject_cast<DataReporterEngine*>(calleeData.toQObject());
- qobject_cast<DataReporterEngine*>(engine)->report_content.append(content);
+ qobject_cast<ReportEngine*>(engine)->report_content.append(content);
return engine->undefinedValue();
}
-QScriptValue DataReporterEngine::PrintLn(QScriptContext *context,
- QScriptEngine *engine)
+/*
+ * PrintLn
+ */
+QScriptValue ReportEngine::PrintLn(QScriptContext *context,
+ QScriptEngine *engine)
{
int i;
QString content;
// Append all arguments to content
for(i=0;i<context->argumentCount();++i) {
//if(i>0) content.append(" ");
content.append(context->argument(i).toString());
}
- qobject_cast<DataReporterEngine*>(engine)->
+ qobject_cast<ReportEngine*>(engine)->
report_content.append(content).append("\n");
return engine->undefinedValue();
}
/*
* GetRegistryNodes
*/
-QScriptValue DataReporterEngine::GetRegistryNodes(QScriptContext *context,
- QScriptEngine *engine)
+QScriptValue ReportEngine::GetRegistryNodes(QScriptContext *context,
+ QScriptEngine *engine)
{
QScriptValue calleeData;
RegistryHive *p_hive;
QMap<QString,int> nodes;
QScriptValue ret_nodes;
int ii=0;
// This function needs one argument, parent node path
if(context->argumentCount()!=1) return engine->undefinedValue();
// Get calle data (Pointer to RegistryHive class)
calleeData=context->callee().data();
p_hive=qobject_cast<RegistryHive*>(calleeData.toQObject());
// Get nodes
nodes=p_hive->GetNodes(context->argument(0).toString());
if(p_hive->Error()) {
// Clear error state
p_hive->GetErrorMsg();
return engine->undefinedValue();
}
// Build script array
ret_nodes=engine->newArray(nodes.count());
QMapIterator<QString,int> i(nodes);
while(i.hasNext()) {
i.next();
ret_nodes.setProperty(ii++,QScriptValue(i.key()));
}
return ret_nodes;
}
/*
* GetRegistryKeys
*/
-QScriptValue DataReporterEngine::GetRegistryKeys(QScriptContext *context,
- QScriptEngine *engine)
+QScriptValue ReportEngine::GetRegistryKeys(QScriptContext *context,
+ QScriptEngine *engine)
{
QScriptValue calleeData;
RegistryHive *p_hive;
QMap<QString,int> keys;
QScriptValue ret_keys;
int ii=0;
// This function needs one argument, parent node path
if(context->argumentCount()!=1) return engine->undefinedValue();
// Get calle data (Pointer to RegistryHive class)
calleeData=context->callee().data();
p_hive=qobject_cast<RegistryHive*>(calleeData.toQObject());
// Get keys
keys=p_hive->GetKeys(context->argument(0).toString());
if(p_hive->Error()) {
// Clear error state
p_hive->GetErrorMsg();
return engine->undefinedValue();
}
- //qDebug(QString("P: %1 A: %2").arg(context->argument(0).toString()).arg(keys.count()).toAscii().constData());
-
// Build script array
ret_keys=engine->newArray(keys.count());
QMapIterator<QString,int> i(keys);
while(i.hasNext()) {
i.next();
ret_keys.setProperty(ii++,QScriptValue(i.key()));
}
return ret_keys;
}
/*
* RegistryKeyValueToScript
*/
-QScriptValue DataReporterEngine::RegistryKeyValueToScript(QScriptEngine *engine,
- const
- s_RegistryKeyValue
- &s)
+QScriptValue ReportEngine::RegistryKeyValueToScript(QScriptEngine *engine,
+ const s_RegistryKeyValue &s)
{
QScriptValue obj=engine->newObject();
obj.setProperty("type",s.type);
obj.setProperty("length",s.length);
ByteArray *p_byte_array=new ByteArray(engine);
obj.setProperty("value",p_byte_array->newInstance(s.value));
return obj;
}
/*
* RegistryKeyValueFromScriptValue
*/
-void DataReporterEngine::RegistryKeyValueFromScript(const QScriptValue &obj,
- s_RegistryKeyValue &s)
+void ReportEngine::RegistryKeyValueFromScript(const QScriptValue &obj,
+ s_RegistryKeyValue &s)
{
s.type=obj.property("type").toInt32();
s.length=obj.property("length").toInt32();
// TODO: Don't know if this works, but it probably does ;)
s.value=qvariant_cast<QByteArray>(obj.property("value").data().toVariant());
}
-QScriptValue DataReporterEngine::GetRegistryKeyValue(QScriptContext *context,
- QScriptEngine *engine)
+/*
+ * GetRegistryKeyValue
+ */
+QScriptValue ReportEngine::GetRegistryKeyValue(QScriptContext *context,
+ QScriptEngine *engine)
{
QScriptValue calleeData;
RegistryHive *p_hive;
QByteArray key_value;
int key_type=0;
size_t key_length=0;
s_RegistryKeyValue script_key_value;
// This function needs two arguments, key path and key name
if(context->argumentCount()!=2) return engine->undefinedValue();
// Get calle data (Pointer to RegistryHive class)
calleeData=context->callee().data();
p_hive=qobject_cast<RegistryHive*>(calleeData.toQObject());
// Get key value
key_value=p_hive->GetKeyValue(context->argument(0).toString(),
context->argument(1).toString(),
&key_type,
&key_length);
if(p_hive->Error()) {
// Get error message to clear error state
p_hive->GetErrorMsg();
// printf("\nError: %s\n",p_hive->GetErrorMsg().toAscii().constData());
return engine->undefinedValue();
}
// Save key value to s_RegistryKeyValue struct
script_key_value.type=key_type;
script_key_value.length=key_length;
script_key_value.value=key_value;
- return DataReporterEngine::RegistryKeyValueToScript(engine,script_key_value);
+ return ReportEngine::RegistryKeyValueToScript(engine,script_key_value);
}
-QScriptValue DataReporterEngine::RegistryKeyValueToString(
- QScriptContext *context,
- QScriptEngine *engine)
+/*
+ * RegistryKeyValueToString
+ */
+QScriptValue ReportEngine::RegistryKeyValueToString(QScriptContext *context,
+ QScriptEngine *engine)
{
QByteArray key_value;
QString ret="";
// This function needs two arguments, key value and value type
if(context->argumentCount()!=2) return engine->undefinedValue();
// Cast ByteArray argument to QByteArray and convert
key_value=qvariant_cast<QByteArray>(context->argument(0).data().toVariant());
ret=RegistryHive::KeyValueToString(key_value,
context->argument(1).toInt32());
return engine->newVariant(ret);
}
-QScriptValue DataReporterEngine::RegistryKeyValueToVariant(
- QScriptContext *context,
- QScriptEngine *engine)
+/*
+ * RegistryKeyValueToVariant
+ */
+QScriptValue ReportEngine::RegistryKeyValueToVariant(QScriptContext *context,
+ QScriptEngine *engine)
{
int offset=0;
int length=-1;
bool little_endian=true;
QByteArray key_value;
QString format="";
QString ret="";
// This function needs at least two arguments, key value and variant type,
// and may have three optional arguments, offset, length and little_endian
if(context->argumentCount()<2 || context->argumentCount()>5) {
return engine->undefinedValue();
}
if(context->argumentCount()==3) {
offset=context->argument(2).toInt32();
}
if(context->argumentCount()==4) {
offset=context->argument(2).toInt32();
length=context->argument(3).toInt32();
}
if(context->argumentCount()==5) {
offset=context->argument(2).toInt32();
length=context->argument(3).toInt32();
little_endian=(context->argument(4).toInt32()==1);
}
// Cast ByteArray argument to QByteArray
key_value=qvariant_cast<QByteArray>(context->argument(0).data().toVariant());
format=context->argument(1).toString();
ret=RegistryHive::KeyValueToString(key_value,format,offset,length,little_endian);
return engine->newVariant(ret);
}
-QScriptValue DataReporterEngine::RegistryKeyTypeToString(
- QScriptContext *context,
- QScriptEngine *engine)
+/*
+ * RegistryKeyTypeToString
+ */
+QScriptValue ReportEngine::RegistryKeyTypeToString(QScriptContext *context,
+ QScriptEngine *engine)
{
QString ret="";
// This function needs one argument, key type
if(context->argumentCount()!=1) return engine->undefinedValue();
ret=RegistryHive::KeyTypeToString(context->argument(0).toInt32());
return engine->newVariant(ret);
}
-QScriptValue DataReporterEngine::GetRegistryNodeModTime(
- QScriptContext *context,
- QScriptEngine *engine)
+/*
+ * GetRegistryNodeModTime
+ */
+QScriptValue ReportEngine::GetRegistryNodeModTime(QScriptContext *context,
+ QScriptEngine *engine)
{
QScriptValue calleeData;
RegistryHive *p_hive;
int64_t mod_time=0;
// This function needs one argument, node path
if(context->argumentCount()!=1) return engine->undefinedValue();
// Get calle data (Pointer to RegistryHive class)
calleeData=context->callee().data();
p_hive=qobject_cast<RegistryHive*>(calleeData.toQObject());
mod_time=p_hive->GetNodeModTime(context->argument(0).toString());
if(p_hive->Error()) {
// Get error message to clear error state
p_hive->GetErrorMsg();
return engine->undefinedValue();
}
QDateTime date_time;
date_time.setTimeSpec(Qt::UTC);
date_time.setTime_t(RegistryHive::FiletimeToUnixtime(mod_time));
return engine->newVariant(date_time.toString("yyyy/MM/dd hh:mm:ss"));
}
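Review bot: In `GetReportTemplateInfo` the `fred_report_info` lookup on the global object can return a function left behind by a previously evaluated template, because `Reports::LoadReportTemplates` reuses one engine for every file and `evaluate()` adds to the same global scope; a template that lacks the function would then silently report the previous file's info. Clearing the slot before evaluating, `this->globalObject().setProperty("fred_report_info",QScriptValue());`, avoids that. The error message for the missing-function case passes three `.arg()` values to a format containing only `%1`, which makes QString warn at runtime — drop the two extra `.arg()` calls. The result of `fred_report_info_func.call()` is also used without checking `hasUncaughtException()`, and since `Reports` constructs the engine with a null hive, the script callbacks (`GetRegistryNodes`, `GetRegistryKeys`, `GetRegistryKeyValue`, `GetRegistryNodeModTime`) dereference `p_hive` without a null check, so a template that queries the hive at top level during info evaluation crashes the host instead of getting undefined.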
diff --git a/trunk/reportengine.h b/trunk/reportengine.h
new file mode 100644
index 0000000..b1bfd10
--- /dev/null
+++ b/trunk/reportengine.h
@@ -0,0 +1,81 @@
+/*******************************************************************************
+* fred Copyright (c) 2011-2013 by Gillen Daniel <gillen.dan@pinguin.lu> *
+* *
+* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor *
+* with special feautures useful during forensic analysis. *
+* *
+* This program is free software: you can redistribute it and/or modify it *
+* under the terms of the GNU General Public License as published by the Free *
+* Software Foundation, either version 3 of the License, or (at your option) *
+* any later version. *
+* *
+* This program is distributed in the hope that it will be useful, but WITHOUT *
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
+* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
+* more details. *
+* *
+* You should have received a copy of the GNU General Public License along with *
+* this program. If not, see <http://www.gnu.org/licenses/>. *
+*******************************************************************************/
+
+#ifndef REPORTENGINE_H
+#define REPORTENGINE_H
+
+#include <QObject>
+#include <QtScript/QScriptEngine>
+#include <QtScript/QScriptValue>
+#include <QtScript/QScriptContext>
+#include <QString>
+#include <QVariant>
+#include <QMap>
+
+#include "registryhive.h"
+#include "qtscript_types/bytearray.h"
+
+#define FRED_REPORTENGINE_API_VERSION 2
+
+class ReportEngine : public QScriptEngine {
+ Q_OBJECT
+
+ public:
+ struct s_RegistryKeyValue {
+ int type;
+ int length;
+ QByteArray value;
+ };
+
+ RegistryHive *p_registry_hive;
+ QString report_content;
+
+ ReportEngine(RegistryHive *p_hive);
+ ~ReportEngine();
+ QMap<QString,QVariant> GetReportTemplateInfo(QString file);
+
+ private:
+ ByteArray *p_type_byte_array;
+
+ static QScriptValue Print(QScriptContext *context, QScriptEngine *engine);
+ static QScriptValue PrintLn(QScriptContext *context, QScriptEngine *engine);
+ static QScriptValue GetRegistryNodes(QScriptContext *context,
+ QScriptEngine *engine);
+ static QScriptValue GetRegistryKeys(QScriptContext *context,
+ QScriptEngine *engine);
+ static QScriptValue RegistryKeyValueToScript(QScriptEngine *engine,
+ const s_RegistryKeyValue &s);
+ static void RegistryKeyValueFromScript(const QScriptValue &obj,
+ s_RegistryKeyValue &s);
+ static QScriptValue GetRegistryKeyValue(QScriptContext *context,
+ QScriptEngine *engine);
+ static QScriptValue RegistryKeyValueToString(QScriptContext *context,
+ QScriptEngine *engine);
+ static QScriptValue RegistryKeyValueToVariant(QScriptContext *context,
+ QScriptEngine *engine);
+ static QScriptValue RegistryKeyTypeToString(QScriptContext *context,
+ QScriptEngine *engine);
+ static QScriptValue GetRegistryNodeModTime(QScriptContext *context,
+ QScriptEngine *engine);
+};
+
+Q_DECLARE_METATYPE(ReportEngine::s_RegistryKeyValue)
+
+#endif // REPORTENGINE_H
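Review bot: `ReportEngine(RegistryHive *p_hive)` is a single-argument constructor that is not `explicit`, so a raw `RegistryHive*` converts implicitly into an engine; `explicit ReportEngine(RegistryHive *p_hive);` is the safer declaration. `s_RegistryKeyValue::length` is an `int`, but `GetRegistryKeyValue` in reportengine.cpp assigns it from a `size_t key_length`, a silent narrowing for large values; declaring it `size_t` or range-checking the assignment would match the source. `p_registry_hive` and `report_content` are public data members written by the static script callbacks; if they must stay public, a comment such as `// Accumulates everything the script writes via print()/println()` on `report_content` would help readers.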
diff --git a/trunk/reports.cpp b/trunk/reports.cpp
new file mode 100644
index 0000000..2f673e8
--- /dev/null
+++ b/trunk/reports.cpp
@@ -0,0 +1,161 @@
+/*******************************************************************************
+* fred Copyright (c) 2011-2013 by Gillen Daniel <gillen.dan@pinguin.lu> *
+* *
+* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor *
+* with special feautures useful during forensic analysis. *
+* *
+* This program is free software: you can redistribute it and/or modify it *
+* under the terms of the GNU General Public License as published by the Free *
+* Software Foundation, either version 3 of the License, or (at your option) *
+* any later version. *
+* *
+* This program is distributed in the hope that it will be useful, but WITHOUT *
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
+* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
+* more details. *
+* *
+* You should have received a copy of the GNU General Public License along with *
+* this program. If not, see <http://www.gnu.org/licenses/>. *
+*******************************************************************************/
+
+#include "reports.h"
+
+#include <QListIterator>
+#include <QDir>
+#include <QMap>
+
+#include <QDebug>
+
+Reports::Reports() {
+ this->p_engine=new ReportEngine(NULL);
+ this->report_templates.clear();
+}
+
+Reports::~Reports() {
+ qDeleteAll(this->report_templates);
+ delete this->p_engine;
+}
+
+void Reports::LoadReportTemplates(QString dir) {
+ QString report_template="";
+ QString report_category,report_name,report_author,report_desc,report_hive;
+ bool found;
+ int i;
+ ReportTemplate *p_report;
+
+ // Get all template files in report_templates directory
+ QDir report_dir(dir);
+ QStringList found_report_templates=report_dir.
+ entryList(QStringList()<<"*.qs");
+
+ QListIterator<QString> it(found_report_templates);
+ while(it.hasNext()) {
+ // Build path to template file
+ report_template=report_dir.path();
+ report_template.append(QDir::separator());
+ report_template.append(it.next());
+
+ // Get report info
+ QMap<QString,QVariant> report_info=this->p_engine->
+ GetReportTemplateInfo(report_template);
+ if(report_info.contains("error")) {
+ // TODO: Inform user
+ qDebug()<<"Error in report '"<<report_template<<"'\n"
+ <<report_info["error"].toString();
+ continue;
+ }
+
+ // Make sure report is compatible with current API
+ if(report_info.value("fred_api",QVariant(0)).toInt()>
+ FRED_REPORTENGINE_API_VERSION)
+ {
+ // TODO: Inform user
+ qDebug()<<"Report '"<<report_template<<"' is not compatible with current API!";
+ }
+
+ // Extract info values. If a value isn't present, it will be set to ""
+ report_category=report_info.value("report_cat").toString();
+ report_name=report_info.value("report_name").toString();
+ report_author=report_info.value("report_author").toString();
+ report_desc=report_info.value("report_desc").toString();
+ report_hive=report_info.value("report_hive").toString();
+
+ // Check if a report with the same category and name was already added
+ found=false;
+ for(i=0;i<this->report_templates.count();i++) {
+ if(this->report_templates.at(i)->Category()==report_category &&
+ this->report_templates.at(i)->Name()==report_name)
+ {
+ found=true;
+ break;
+ }
+ }
+
+ // Add to or update report template list
+ if(!found) {
+ // Add report to list
+ p_report=new ReportTemplate(report_template,
+ report_category,
+ report_name,
+ report_author,
+ report_desc,
+ report_hive);
+ this->report_templates.append(p_report);
+ } else {
+ // Update report entry
+ p_report=this->report_templates.at(i);
+ p_report->SetFile(report_template);
+ p_report->SetAuthor(report_author);
+ p_report->SetDescription(report_desc);
+ }
+ }
+}
+
+QStringList Reports::GetAvailableReportCategories() {
+ QStringList ret;
+ QString cat;
+ int i;
+
+ ret.clear();
+ for(i=0;i<this->report_templates.count();i++) {
+ cat=this->report_templates.value(i)->Category();
+ if(!ret.contains(cat)) ret.append(cat);
+ }
+ ret.sort();
+
+ return ret;
+}
+
+
+QStringList Reports::GetAvailableReports(QString category) {
+ QStringList ret;
+ QString cat;
+ int i=0;
+
+ ret.clear();
+ for(i=0;i<this->report_templates.count();i++) {
+ cat=this->report_templates.value(i)->Category();
+ if(cat==category) ret.append(this->report_templates.value(i)->Name());
+ }
+ ret.sort();
+
+ return ret;
+}
+
+QMap<QString,QString> Reports::GetReportInfo(QString category, QString name) {
+ QMap<QString,QString> ret;
+ int i=0;
+
+ // Search requested report
+ for(i=0;i<this->report_templates.count();i++) {
+ if(this->report_templates.value(i)->Category()==category &&
+ this->report_templates.value(i)->Name()==name)
+ {
+ ret["report_author"]=this->report_templates.value(i)->Author();
+ ret["report_desc"]=this->report_templates.value(i)->Description();
+ break;
+ }
+ }
+
+ return ret;
+}
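Review bot: `report_hive=report_info.value("report_hive").toString()` reads a key the templates never set — the `fred_report_info` objects in this commit use `hive` (e.g. `hive : "SYSTEM"`), so every template is stored with an empty hive; one side needs renaming, e.g. `report_hive=report_info.value("hive").toString();`. The API compatibility check only logs and then falls through, so a template whose `fred_api` is newer than `FRED_REPORTENGINE_API_VERSION` is still added to the list; a `continue;` after the qDebug is presumably intended. The update branch for an already-known report refreshes file, author and description but not the hive.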
diff --git a/trunk/reporttemplate.h b/trunk/reports.h
similarity index 66%
copy from trunk/reporttemplate.h
copy to trunk/reports.h
index 23ae59a..397b89e 100644
--- a/trunk/reporttemplate.h
+++ b/trunk/reports.h
@@ -1,46 +1,54 @@
/*******************************************************************************
* fred Copyright (c) 2011-2013 by Gillen Daniel <gillen.dan@pinguin.lu> *
* *
* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor *
* with special feautures useful during forensic analysis. *
* *
* This program is free software: you can redistribute it and/or modify it *
* under the terms of the GNU General Public License as published by the Free *
* Software Foundation, either version 3 of the License, or (at your option) *
* any later version. *
* *
* This program is distributed in the hope that it will be useful, but WITHOUT *
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
* more details. *
* *
* You should have received a copy of the GNU General Public License along with *
* this program. If not, see <http://www.gnu.org/licenses/>. *
*******************************************************************************/
-#ifndef REPORTTEMPLATE_H
-#define REPORTTEMPLATE_H
+#ifndef REPORTS_H
+#define REPORTS_H
+#include "reporttemplate.h"
+#include "reportengine.h"
+
+#include <QList>
+#include <QMap>
#include <QString>
-class ReportTemplate {
+class Reports {
public:
- ReportTemplate(QString report_category,
- QString report_name,
- QString report_template_file);
-
- void SetCategory(QString new_category);
- void SetName(QString new_name);
- void SetFile(QString new_file);
+ Reports();
+ ~Reports();
- QString Category();
- QString Name();
- QString File();
+ void LoadReportTemplates(QString dir);
+ QStringList GetAvailableReportCategories();
+ QStringList GetAvailableReports(QString category);
+ QMap<QString,QString> GetReportInfo(QString category, QString name);
+/*
+ QString GenerateReport(RegistryHive *p_hive,
+ QString report_category,
+ QString report_name);
+ QString GenerateReport(RegistryHive *p_hive,
+ QString report_template,
+ bool console_mode=false);
+*/
private:
- QString category;
- QString name;
- QString template_file;
+ QList<ReportTemplate*> report_templates;
+ ReportEngine *p_engine;
};
-#endif // REPORTTEMPLATE_H
+#endif // REPORTS_H
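Review bot: `Reports` owns `report_templates` (a `QList<ReportTemplate*>`) and `p_engine` through raw pointers and declares a destructor, but leaves the implicit copy constructor and copy assignment in place, so copying or assigning a `Reports` produces two owners of the same objects and a double delete when both die (assuming `~Reports` frees them the way `DataReporter::~DataReporter` does with `qDeleteAll`). Add `Q_DISABLE_COPY(Reports)` under `private:`, or declare the two copy operations private and unimplemented. The header also uses `QStringList` in two return types while including only `<QString>`, `<QList>` and `<QMap>`; add `#include <QStringList>` instead of relying on a transitive include from `reporttemplate.h` or `reportengine.h`. The commented-out `GenerateReport` declarations should either be dropped or carry a `// TODO:` saying why they are parked.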
diff --git a/trunk/reporttemplate.cpp b/trunk/reporttemplate.cpp
index 03b4438..507d831 100644
--- a/trunk/reporttemplate.cpp
+++ b/trunk/reporttemplate.cpp
@@ -1,54 +1,84 @@
/*******************************************************************************
* fred Copyright (c) 2011-2013 by Gillen Daniel <gillen.dan@pinguin.lu> *
* *
* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor *
* with special feautures useful during forensic analysis. *
* *
* This program is free software: you can redistribute it and/or modify it *
* under the terms of the GNU General Public License as published by the Free *
* Software Foundation, either version 3 of the License, or (at your option) *
* any later version. *
* *
* This program is distributed in the hope that it will be useful, but WITHOUT *
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
* more details. *
* *
* You should have received a copy of the GNU General Public License along with *
* this program. If not, see <http://www.gnu.org/licenses/>. *
*******************************************************************************/
#include "reporttemplate.h"
-ReportTemplate::ReportTemplate(QString report_category,
+ReportTemplate::ReportTemplate(QString report_template_file,
+ QString report_category,
QString report_name,
- QString report_template_file)
+ QString report_author,
+ QString report_desc,
+ QString report_hive)
{
+ this->template_file=report_template_file;
this->category=report_category;
this->name=report_name;
- this->template_file=report_template_file;
+ this->author=report_author;
+ this->description=report_desc;
+ this->hive=report_hive;
+}
+
+void ReportTemplate::SetFile(QString new_file) {
+ this->template_file=new_file;
}
void ReportTemplate::SetCategory(QString new_category) {
this->category=new_category;
}
void ReportTemplate::SetName(QString new_name) {
this->name=new_name;
}
-void ReportTemplate::SetFile(QString new_file) {
- this->template_file=new_file;
+void ReportTemplate::SetAuthor(QString new_author) {
+ this->author=new_author;
+}
+
+void ReportTemplate::SetDescription(QString new_desc) {
+ this->description=new_desc;
+}
+
+void ReportTemplate::SetHive(QString new_hive) {
+ this->hive=new_hive;
+}
+
+QString ReportTemplate::ReportTemplate::File() {
+ return this->template_file;
}
QString ReportTemplate::ReportTemplate::Category() {
return this->category;
}
QString ReportTemplate::ReportTemplate::Name() {
return this->name;
}
-QString ReportTemplate::ReportTemplate::File() {
- return this->template_file;
+QString ReportTemplate::ReportTemplate::Author() {
+ return this->author;
+}
+
+QString ReportTemplate::ReportTemplate::Description() {
+ return this->description;
+}
+
+QString ReportTemplate::ReportTemplate::Hive() {
+ return this->hive;
}
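Review bot: The new accessors `File()`, `Author()`, `Description()` and `Hive()` are defined with a doubled qualifier, `QString ReportTemplate::ReportTemplate::File()`; the inner `ReportTemplate::` is just the injected-class-name and is redundant, and the new definitions copy the oddity from the pre-existing `Category()`/`Name()` definitions rather than fixing it. Write them as `QString ReportTemplate::File() {` (and likewise for the other five) so the definitions read the same as the declarations in `reporttemplate.h`. None of these accessors modify state, so they are natural candidates for `const` member functions once the header declares them that way.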
diff --git a/trunk/reporttemplate.h b/trunk/reporttemplate.h
index 23ae59a..2a3fba1 100644
--- a/trunk/reporttemplate.h
+++ b/trunk/reporttemplate.h
@@ -1,46 +1,58 @@
/*******************************************************************************
* fred Copyright (c) 2011-2013 by Gillen Daniel <gillen.dan@pinguin.lu> *
* *
* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor *
* with special feautures useful during forensic analysis. *
* *
* This program is free software: you can redistribute it and/or modify it *
* under the terms of the GNU General Public License as published by the Free *
* Software Foundation, either version 3 of the License, or (at your option) *
* any later version. *
* *
* This program is distributed in the hope that it will be useful, but WITHOUT *
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or *
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for *
* more details. *
* *
* You should have received a copy of the GNU General Public License along with *
* this program. If not, see <http://www.gnu.org/licenses/>. *
*******************************************************************************/
#ifndef REPORTTEMPLATE_H
#define REPORTTEMPLATE_H
#include <QString>
class ReportTemplate {
public:
- ReportTemplate(QString report_category,
+ ReportTemplate(QString report_template_file,
+ QString report_category,
QString report_name,
- QString report_template_file);
+ QString report_author,
+ QString report_desc,
+ QString report_hive);
+ void SetFile(QString new_file);
void SetCategory(QString new_category);
void SetName(QString new_name);
- void SetFile(QString new_file);
+ void SetAuthor(QString new_author);
+ void SetDescription(QString new_desc);
+ void SetHive(QString new_hive);
+ QString File();
QString Category();
QString Name();
- QString File();
+ QString Author();
+ QString Description();
+ QString Hive();
private:
+ QString template_file;
QString category;
QString name;
- QString template_file;
+ QString author;
+ QString description;
+ QString hive;
};
#endif // REPORTTEMPLATE_H
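Review bot: None of the six accessors (`File()`, `Category()`, `Name()`, `Author()`, `Description()`, `Hive()`) is declared `const`, so they cannot be called through a `const ReportTemplate&` or `const ReportTemplate*`, which is how a read-only consumer of the template list would naturally hold these objects. Declare them as `QString File() const;` and so on, and take the setter arguments as `const QString&` (e.g. `void SetFile(const QString& new_file);`); QString's implicit sharing makes by-value cheap, but the reference form documents that the setter does not consume its argument. The new `hive` member has no comment saying what values it holds or how it is matched, and nothing in this hunk shows that; a one-line comment on the member stating the expected hive identifier format would save the next reader a trip into the loader.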