Windows version info

diff --git a/trunk/datareporter.cpp b/trunk/datareporter.cpp index b994245..cdea365 100644 --- a/trunk/datareporter.cpp +++ b/trunk/datareporter.cpp @@ -1,137 +1,155 @@ /******************************************************************************* * fred Copyright (c) 2011 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ -#include - #include "datareporter.h" -#include "reporttemplatexmlhandler.h" + +#include +#include +#include +#include DataReporter::DataReporter() { this->report_templates.clear(); + //this->p_report_engine=new DataReporterEngine(); } DataReporter::~DataReporter() { + //delete this->p_report_engine; qDeleteAll(this->report_templates); } void DataReporter::LoadReportTemplates() { QString report_template=""; - QXmlSimpleReader xml_parser; int i=0; + QString report_category=""; + QString report_name=""; ReportTemplate *p_report; + // Get all template files in report_templates directory QDir report_dir("../trunk/report_templates/"); - QStringList found_report_templates=report_dir.entryList(QStringList()<<"*.fred"); + QStringList found_report_templates=report_dir. + entryList(QStringList()<<"*.js"); for(i=0;iGetReportCategory(), - p_report_handler->GetReportName(), - report_template); - this->report_templates.append(p_report); - } else { - qDebug("Error loading template"); - } - - delete p_report_handler; - delete p_xml_file; - delete p_report_template_file; + // Extract report category and name from file name (_.js) + report_category=found_report_templates.value(i).left( + found_report_templates.value(i).indexOf("_")); + report_name=found_report_templates.value(i).mid( + found_report_templates.value(i).indexOf("_")+1); + report_name=report_name.left(report_name.lastIndexOf(".")-1); + + // Add report to list + p_report=new ReportTemplate(report_category, + report_name, + report_template); + this->report_templates.append(p_report); } } QStringList DataReporter::GetAvailableReportCategories() { QStringList ret; QString cat; int i=0; ret.clear(); for(i=0;ireport_templates.count();i++) { cat=this->report_templates.value(i)->Category(); if(!ret.contains(cat)) ret.append(cat); } - ret.sort(); return ret; } QStringList DataReporter::GetAvailableReports(QString category) { QStringList ret; QString cat; int i=0; ret.clear(); for(i=0;ireport_templates.count();i++) { cat=this->report_templates.value(i)->Category(); if(cat==category) ret.append(this->report_templates.value(i)->Name()); } - ret.sort(); return ret; } -QString DataReporter::GenerateReport(hive_h *hhive, +QString DataReporter::GenerateReport(RegistryHive *p_hive, QString report_category, QString report_name) { - QString ret=QString(); int i=0; - QXmlSimpleReader xml_parser; ReportTemplate *p_report; + DataReporterEngine engine(p_hive); + QString report_code; + //ReportData report_data; for(i=0;ireport_templates.count();i++) { p_report=this->report_templates.value(i); if(p_report->Category()!=report_category || p_report->Name()!=report_name) { continue; } - QFile *p_template_file=new QFile(p_report->File()); - QXmlInputSource *p_xml_input=new QXmlInputSource(p_template_file); - ReportTemplateXmlHandler *p_report_handler= - new ReportTemplateXmlHandler(hhive,false); - - xml_parser.setContentHandler(p_report_handler); - xml_parser.setErrorHandler(p_report_handler); - if(xml_parser.parse(p_xml_input)) { - ret=p_report_handler->ReportData(); - } else { - qDebug("Error loading template"); + QScriptValue hive_value=engine.newQObject(p_hive); + engine.globalObject().setProperty("RegistryHive",hive_value); + //QScriptValue return_value=engine.newQObject(&report_data); + //engine.globalObject().setProperty("ReportData",return_value); + + // Open report template + QFile template_file(p_report->File()); + if(!template_file.open(QIODevice::ReadOnly | QIODevice::Text)) { + qDebug("Couldn't open file '%s'",p_report->File().toAscii().constData()); + break; + } + // Read template file + QTextStream in(&template_file); + while(!in.atEnd()) { + report_code.append(in.readLine()); } + // Close report template file + template_file.close(); + + QScriptValue report_result=engine.evaluate(report_code,p_report->File()); + + if (report_result.isError()) { + QMessageBox::critical(0, + "Hello Script", + QString::fromLatin1("%0:%1: %2") + .arg(p_report->File()) + .arg(report_result.property("lineNumber").toInt32()) + .arg(report_result.toString())); + break; + } + - delete p_report_handler; - delete p_xml_input; - delete p_template_file; + if(engine.hasUncaughtException()) qDebug("Exception in processing!"); break; } - return ret; + return engine.report_content; } diff --git a/trunk/datareporter.h b/trunk/datareporter.h index 92f06c2..2bac96f 100644 --- a/trunk/datareporter.h +++ b/trunk/datareporter.h @@ -1,47 +1,48 @@ /******************************************************************************* * fred Copyright (c) 2011 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #ifndef DATAREPORTER_H #define DATAREPORTER_H #include -#include - #include "reporttemplate.h" +#include "datareporterengine.h" +#include "registryhive.h" class DataReporter { public: DataReporter(); ~DataReporter(); void LoadReportTemplates(); QStringList GetAvailableReportCategories(); QStringList GetAvailableReports(QString category); - QString GenerateReport(hive_h *hhive, + QString GenerateReport(RegistryHive *p_hive, QString report_category, QString report_name); private: QList report_templates; + //DataReporterEngine *p_report_engine; }; #endif // DATAREPORTER_H diff --git a/trunk/datareporterengine.cpp b/trunk/datareporterengine.cpp index 6a89589..0543710 100644 --- a/trunk/datareporterengine.cpp +++ b/trunk/datareporterengine.cpp @@ -1,7 +1,196 @@ +/******************************************************************************* +* fred Copyright (c) 2011 by Gillen Daniel * +* * +* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * +* with special feautures useful during forensic analysis. * +* * +* This program is free software: you can redistribute it and/or modify it * +* under the terms of the GNU General Public License as published by the Free * +* Software Foundation, either version 3 of the License, or (at your option) * +* any later version. * +* * +* This program is distributed in the hope that it will be useful, but WITHOUT * +* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * +* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * +* more details. * +* * +* You should have received a copy of the GNU General Public License along with * +* this program. If not, see . * +*******************************************************************************/ + #include "datareporterengine.h" -DataReporterEngine::DataReporterEngine(QObject *p_parent) - : QScriptEngine(p_parent) +#include + +DataReporterEngine::DataReporterEngine(RegistryHive *p_hive) : QScriptEngine() { + // Init vars + this->p_registry_hive=p_hive; + this->report_content=""; + + // Add our types to engine + qScriptRegisterMetaType(this, + this->RegistryKeyValueToScript, + this->RegistryKeyValueFromScript); + this->p_type_byte_array=new ByteArray(this); + this->globalObject().setProperty("ByteArray", + this->p_type_byte_array->constructor()); + + // Add our functions + // print + QScriptValue func_print=this->newFunction(this->Print); + this->globalObject().setProperty("print",func_print); + // println + QScriptValue func_println=this->newFunction(this->PrintLn); + this->globalObject().setProperty("println",func_println); + // GetRegistryKeyValue + QScriptValue func_get_key_value=this->newFunction(this->GetRegistryKeyValue); + func_get_key_value.setData(this->newQObject(this->p_registry_hive)); + this->globalObject().setProperty("GetRegistryKeyValue",func_get_key_value); + // RegistryKeyValueToString + QScriptValue func_value_to_string= + this->newFunction(this->RegistryKeyValueToString); + this->globalObject().setProperty("RegistryKeyValueToString", + func_value_to_string); + // RegistryKeyTypeToString + QScriptValue func_type_to_string= + this->newFunction(this->RegistryKeyTypeToString); + this->globalObject().setProperty("RegistryKeyTypeToString", + func_type_to_string); +} + +DataReporterEngine::~DataReporterEngine() { + delete this->p_type_byte_array; +} + +QScriptValue DataReporterEngine::Print(QScriptContext *context, + QScriptEngine *engine) +{ + int i; + QString content; + + // Append all arguments to content + for(i=0;iargumentCount();++i) { + if(i>0) content.append(" "); + content.append(context->argument(i).toString()); + } + + //QScriptValue calleeData=context->callee().data(); + //DataReporterEngine *engine= + // qobject_cast(calleeData.toQObject()); + qobject_cast(engine)->report_content.append(content); + + return engine->undefinedValue(); +} + +QScriptValue DataReporterEngine::PrintLn(QScriptContext *context, + QScriptEngine *engine) +{ + int i; + QString content; + + // Append all arguments to content + for(i=0;iargumentCount();++i) { + if(i>0) content.append(" "); + content.append(context->argument(i).toString()); + } + + qobject_cast(engine)-> + report_content.append(content).append("\n"); + + return engine->undefinedValue(); +} + +/* + * RegistryKeyValueToScript + */ +QScriptValue DataReporterEngine::RegistryKeyValueToScript(QScriptEngine *engine, + const + s_RegistryKeyValue + &s) { + QScriptValue obj=engine->newObject(); + obj.setProperty("type",s.type); + obj.setProperty("length",s.length); + ByteArray *p_byte_array=new ByteArray(engine); + obj.setProperty("value",p_byte_array->newInstance(s.value)); + return obj; +} + +/* + * RegistryKeyValueFromScriptValue + */ +void DataReporterEngine::RegistryKeyValueFromScript(const QScriptValue &obj, + s_RegistryKeyValue &s) +{ + s.type=obj.property("type").toInt32(); + s.length=obj.property("length").toInt32(); + // TODO: Don't know if this works + s.value=obj.property("value").toVariant().toByteArray(); +} + +QScriptValue DataReporterEngine::GetRegistryKeyValue(QScriptContext *context, + QScriptEngine *engine) +{ + QScriptValue calleeData; + RegistryHive *p_hive; + QByteArray key_value; + int key_type=0; + size_t key_length=0; + s_RegistryKeyValue script_key_value; + + // This function needs two arguments, key path and key name + if(context->argumentCount()!=2) return engine->undefinedValue(); + + // Get calle data (Pointer to RegistryHive class) + calleeData=context->callee().data(); + p_hive=qobject_cast(calleeData.toQObject()); + + // Get key value + key_value=p_hive->GetKeyValue(context->argument(0).toString(), + context->argument(1).toString(), + &key_type, + &key_length); + if(p_hive->Error() || key_length==-1) { + // Get error message ro clear error state + p_hive->GetErrorMsg(); + return engine->undefinedValue(); + } + + // Save key value to s_RegistryKeyValue struct + script_key_value.type=key_type; + script_key_value.length=key_length; + script_key_value.value=key_value; + return DataReporterEngine::RegistryKeyValueToScript(engine,script_key_value); +} + +QScriptValue DataReporterEngine::RegistryKeyValueToString( + QScriptContext *context, + QScriptEngine *engine) +{ + QByteArray key_value; + QString ret=""; + + // This function needs two arguments, key value and value type + if(context->argumentCount()!=2) return engine->undefinedValue(); + + // TODO: Does not work!! + //key_value=qscriptvalue_cast(context->argument(0)); + key_value=context->argument(0).toVariant().toByteArray(); + ret=RegistryHive::KeyValueToString(key_value, + hive_t_REG_SZ /*context->argument(1).toInteger()*/); + + qDebug("Type: %u Sring: %c", + context->argument(1).toInteger(), + ret.toAscii().constData()); + + return engine->newVariant(ret); +} + +QScriptValue DataReporterEngine::RegistryKeyTypeToString( + QScriptContext *context, + QScriptEngine *engine) +{ + // This function needs one arguments, key type + if(context->argumentCount()!=2) return engine->undefinedValue(); } diff --git a/trunk/datareporterengine.h b/trunk/datareporterengine.h index fed2ea9..2bf7ee6 100644 --- a/trunk/datareporterengine.h +++ b/trunk/datareporterengine.h @@ -1,15 +1,68 @@ +/******************************************************************************* +* fred Copyright (c) 2011 by Gillen Daniel * +* * +* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * +* with special feautures useful during forensic analysis. * +* * +* This program is free software: you can redistribute it and/or modify it * +* under the terms of the GNU General Public License as published by the Free * +* Software Foundation, either version 3 of the License, or (at your option) * +* any later version. * +* * +* This program is distributed in the hope that it will be useful, but WITHOUT * +* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * +* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * +* more details. * +* * +* You should have received a copy of the GNU General Public License along with * +* this program. If not, see . * +*******************************************************************************/ + #ifndef DATAREPORTERENGINE_H #define DATAREPORTERENGINE_H +#include +#include #include +#include +#include + +#include "registryhive.h" +#include "qtscript_types/bytearray.h" class DataReporterEngine : public QScriptEngine { + Q_OBJECT + public: - DataReporterEngine(QObject *p_parent=0); + struct s_RegistryKeyValue { + int type; + int length; + QByteArray value; + }; + RegistryHive *p_registry_hive; + QString report_content; + DataReporterEngine(RegistryHive *p_hive); + ~DataReporterEngine(); + private: + ByteArray *p_type_byte_array; + static QScriptValue Print(QScriptContext *context, QScriptEngine *engine); + static QScriptValue PrintLn(QScriptContext *context, QScriptEngine *engine); + static QScriptValue RegistryKeyValueToScript(QScriptEngine *engine, + const s_RegistryKeyValue &s); + static void RegistryKeyValueFromScript(const QScriptValue &obj, + s_RegistryKeyValue &s); + static QScriptValue GetRegistryKeyValue(QScriptContext *context, + QScriptEngine *engine); + static QScriptValue RegistryKeyValueToString(QScriptContext *context, + QScriptEngine *engine); + static QScriptValue RegistryKeyTypeToString(QScriptContext *context, + QScriptEngine *engine); }; +Q_DECLARE_METATYPE(DataReporterEngine::s_RegistryKeyValue) + #endif // DATAREPORTERENGINE_H diff --git a/trunk/datareporter.h b/trunk/dlgreportviewer.cpp similarity index 72% copy from trunk/datareporter.h copy to trunk/dlgreportviewer.cpp index 92f06c2..2eeccde 100644 --- a/trunk/datareporter.h +++ b/trunk/dlgreportviewer.cpp @@ -1,47 +1,50 @@ /******************************************************************************* * fred Copyright (c) 2011 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ -#ifndef DATAREPORTER_H -#define DATAREPORTER_H - -#include - -#include - -#include "reporttemplate.h" - -class DataReporter { - public: - DataReporter(); - ~DataReporter(); - - void LoadReportTemplates(); - QStringList GetAvailableReportCategories(); - QStringList GetAvailableReports(QString category); - - QString GenerateReport(hive_h *hhive, - QString report_category, - QString report_name); - - private: - QList report_templates; -}; - -#endif // DATAREPORTER_H +#include "dlgreportviewer.h" +#include "ui_dlgreportviewer.h" + +#include + +DlgReportViewer::DlgReportViewer(QString &report_data, QWidget *p_parent) + : QDialog(p_parent), ui(new Ui::DlgReportViewer) +{ + ui->setupUi(this); + this->ui->WebView->setHtml(report_data); +} + +DlgReportViewer::~DlgReportViewer() { + delete ui; +} + +void DlgReportViewer::changeEvent(QEvent *e) { + QDialog::changeEvent(e); + switch(e->type()) { + case QEvent::LanguageChange: + ui->retranslateUi(this); + break; + default: + break; + } +} + +void DlgReportViewer::on_BtnClose_clicked() { + this->accept(); +} diff --git a/trunk/datareporter.h b/trunk/dlgreportviewer.h similarity index 74% copy from trunk/datareporter.h copy to trunk/dlgreportviewer.h index 92f06c2..4a8c7e9 100644 --- a/trunk/datareporter.h +++ b/trunk/dlgreportviewer.h @@ -1,47 +1,48 @@ /******************************************************************************* * fred Copyright (c) 2011 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ -#ifndef DATAREPORTER_H -#define DATAREPORTER_H +#ifndef DLGREPORTVIEWER_H +#define DLGREPORTVIEWER_H -#include +#include -#include +namespace Ui { + class DlgReportViewer; +} -#include "reporttemplate.h" +class DlgReportViewer : public QDialog { + Q_OBJECT -class DataReporter { public: - DataReporter(); - ~DataReporter(); + explicit DlgReportViewer(QString &report_data, + QWidget *p_parent=0); + ~DlgReportViewer(); - void LoadReportTemplates(); - QStringList GetAvailableReportCategories(); - QStringList GetAvailableReports(QString category); + protected: + void changeEvent(QEvent *e); - QString GenerateReport(hive_h *hhive, - QString report_category, - QString report_name); + private slots: + void on_BtnClose_clicked(); - private: - QList report_templates; +private: + Ui::DlgReportViewer *ui; }; -#endif // DATAREPORTER_H +#endif // DLGREPORTVIEWER_H diff --git a/trunk/dlgreportviewer.ui b/trunk/dlgreportviewer.ui new file mode 100644 index 0000000..344233e --- /dev/null +++ b/trunk/dlgreportviewer.ui @@ -0,0 +1,44 @@ + + + DlgReportViewer + + + + 0 + 0 + 627 + 466 + + + + Dialog + + + + + + + about:blank + + + + + + + + &Close + + + + + + + + QWebView + QWidget +

QtWebKit/QWebView

+ + + + + diff --git a/trunk/fred.pro b/trunk/fred.pro index a752ecb..934bb59 100644 --- a/trunk/fred.pro +++ b/trunk/fred.pro @@ -1,72 +1,80 @@ #******************************************************************************* # fred Copyright (c) 2011 by Gillen Daniel * # * # Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * # with special feautures useful during forensic analysis. * # * # This program is free software: you can redistribute it and/or modify it * # under the terms of the GNU General Public License as published by the Free * # Software Foundation, either version 3 of the License, or (at your option) * # any later version. * # * # This program is distributed in the hope that it will be useful, but WITHOUT * # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * # more details. * # * # You should have received a copy of the GNU General Public License along with * # this program. If not, see . * #******************************************************************************/ system(bash compileinfo.sh > compileinfo.h) QT += core \ gui \ xml \ - script + script \ + webkit TARGET = fred TEMPLATE = app SOURCES += main.cpp\ mainwindow.cpp \ registrynode.cpp \ registrynodetreemodel.cpp \ registrykey.cpp \ registrykeytablemodel.cpp \ dlgabout.cpp \ dlgkeydetails.cpp \ qhexedit/qhexedit_p.cpp \ qhexedit/qhexedit.cpp \ datainterpreter.cpp \ - reporttemplatexmlhandler.cpp \ reporttemplate.cpp \ datareporter.cpp \ datareporterengine.cpp \ - registryhive.cpp + registryhive.cpp \ + qtscript_types/bytearray.cpp \ + qtscript_types/bytearrayprototype.cpp \ + qtscript_types/bytearrayiterator.cpp \ + dlgreportviewer.cpp HEADERS += mainwindow.h \ registrynode.h \ registrynodetreemodel.h \ registrykey.h \ registrykeytablemodel.h \ dlgabout.h \ dlgkeydetails.h \ qhexedit/qhexedit_p.h \ qhexedit/qhexedit.h \ datainterpreter.h \ - reporttemplatexmlhandler.h \ reporttemplate.h \ datareporter.h \ datareporterengine.h \ - registryhive.h + registryhive.h \ + qtscript_types/bytearray.h \ + qtscript_types/bytearrayprototype.h \ + qtscript_types/bytearrayiterator.h \ + dlgreportviewer.h FORMS += mainwindow.ui \ dlgabout.ui \ - dlgkeydetails.ui + dlgkeydetails.ui \ + dlgreportviewer.ui LIBS += -lhivex RESOURCES += fred.qrc diff --git a/trunk/mainwindow.cpp b/trunk/mainwindow.cpp index cb53e66..a02557a 100644 --- a/trunk/mainwindow.cpp +++ b/trunk/mainwindow.cpp @@ -1,509 +1,458 @@ /******************************************************************************* * fred Copyright (c) 2011 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #include #include #include #include #include #include #include "mainwindow.h" #include "ui_mainwindow.h" #include "dlgabout.h" #include "dlgkeydetails.h" +#include "dlgreportviewer.h" #include "compileinfo.h" MainWindow::MainWindow(QWidget *parent) : QMainWindow(parent), ui(new Ui::MainWindow) { ui->setupUi(this); // Initialize private vars - this->hhive=NULL; + this->p_hive=new RegistryHive(this); this->is_hive_open=false; this->p_reg_node_tree_model=NULL; this->p_reg_key_table_model=NULL; // Set main window size int cur_screen=QApplication::desktop()->screenNumber(this); int window_width= QApplication::desktop()->availableGeometry(cur_screen).width()*0.5; int window_height= QApplication::desktop()->availableGeometry(cur_screen).height()*0.5; int window_x= (QApplication::desktop()->availableGeometry(cur_screen).width()/2)- (window_width/2); int window_y= (QApplication::desktop()->availableGeometry(cur_screen).height()/2)- (window_height/2); this->setGeometry(window_x, window_y, window_width, window_height); // Create widgets this->p_horizontal_splitter=new QSplitter(); this->p_horizontal_splitter->setOrientation(Qt::Horizontal); this->p_node_tree=new QTreeView(this->p_horizontal_splitter); this->p_node_tree->setHeaderHidden(true); this->p_vertical_splitter=new QSplitter(this->p_horizontal_splitter); this->p_vertical_splitter->setOrientation(Qt::Vertical); this->p_key_table=new QTableView(this->p_vertical_splitter); this->p_key_table->setSelectionBehavior(QAbstractItemView::SelectRows); this->p_horizontal_splitter2=new QSplitter(this->p_vertical_splitter); this->p_horizontal_splitter2->setOrientation(Qt::Horizontal); this->p_hex_edit_widget=new QWidget(this->p_horizontal_splitter2); this->p_hex_edit_layout=new QVBoxLayout(this->p_hex_edit_widget); this->p_hex_edit_layout->setContentsMargins(0,0,0,0); this->p_hex_edit=new QHexEdit(); this->p_hex_edit->setReadOnly(true); this->p_hex_edit_status_bar=new QLabel(); this->p_data_interpreter=new DataInterpreter(this->p_horizontal_splitter2); // Make sure hex viewer font is monospaced. QFont mono_font("Monospace"); mono_font.setStyleHint(QFont::TypeWriter); this->p_hex_edit->setFont(mono_font); // Lay out widgets this->p_hex_edit_layout->addWidget(this->p_hex_edit); this->p_hex_edit_layout->addWidget(this->p_hex_edit_status_bar); this->p_horizontal_splitter2->addWidget(this->p_hex_edit_widget); this->p_horizontal_splitter2->addWidget(this->p_data_interpreter); this->p_vertical_splitter->addWidget(this->p_key_table); this->p_vertical_splitter->addWidget(this->p_horizontal_splitter2); this->p_horizontal_splitter->addWidget(this->p_node_tree); this->p_horizontal_splitter->addWidget(this->p_vertical_splitter); // Set stretch factors QSizePolicy node_tree_policy=this->p_node_tree->sizePolicy(); node_tree_policy.setHorizontalStretch(1); node_tree_policy.setVerticalStretch(100); this->p_node_tree->setSizePolicy(node_tree_policy); QSizePolicy vertical_splitter_policy=this->p_vertical_splitter->sizePolicy(); vertical_splitter_policy.setHorizontalStretch(4); vertical_splitter_policy.setVerticalStretch(100); this->p_vertical_splitter->setSizePolicy(vertical_splitter_policy); QSizePolicy key_table_policy=this->p_key_table->sizePolicy(); key_table_policy.setVerticalStretch(5); key_table_policy.setHorizontalStretch(100); this->p_key_table->setSizePolicy(key_table_policy); QSizePolicy hex_edit_widget_policy=this->p_hex_edit_widget->sizePolicy(); hex_edit_widget_policy.setVerticalStretch(2); hex_edit_widget_policy.setHorizontalStretch(200); this->p_hex_edit_widget->setSizePolicy(hex_edit_widget_policy); QSizePolicy data_interpreter_policy=this->p_data_interpreter->sizePolicy(); data_interpreter_policy.setVerticalStretch(2); data_interpreter_policy.setHorizontalStretch(0); this->p_data_interpreter->setSizePolicy(data_interpreter_policy); // Connect signals this->connect(this->p_node_tree, SIGNAL(clicked(QModelIndex)), this, SLOT(SlotNodeTreeClicked(QModelIndex))); this->connect(this->p_node_tree, SIGNAL(activated(QModelIndex)), this, SLOT(SlotNodeTreeClicked(QModelIndex))); - this->connect(this->p_key_table, + this->connect(this->p_key_table /*->selectionModel()*/, + /* SIGNAL(selectionChanged(QItemSelection,QItemSelection)) */ SIGNAL(clicked(QModelIndex)), this, SLOT(SlotKeyTableClicked(QModelIndex))); this->connect(this->p_key_table, SIGNAL(doubleClicked(QModelIndex)), this, SLOT(SlotKeyTableDoubleClicked(QModelIndex))); this->connect(this->p_hex_edit, SIGNAL(currentAddressChanged(int)), this, SLOT(SlotHexEditAddressChanged(int))); // Add central widget this->setContentsMargins(4,4,4,0); this->setCentralWidget(this->p_horizontal_splitter); // Set window title this->UpdateWindowTitle(); // Set last open location to home dir this->last_open_location=QDir::homePath(); // Load report templates and update menu this->p_data_reporter=new DataReporter(); this->p_data_reporter->LoadReportTemplates(); this->UpdateDataReporterMenu(); } MainWindow::~MainWindow() { if(this->is_hive_open) { - hivex_close(this->hhive); + this->p_hive->Close(); } delete ui; } void MainWindow::on_action_Quit_triggered() { qApp->exit(); } void MainWindow::on_action_Open_hive_triggered() { QString hive_file=""; hive_file=QFileDialog::getOpenFileName(this, tr("Open registry hive"), this->last_open_location, tr("All files (*)")); if(hive_file=="") return; // Update last open location this->last_open_location=hive_file.left(hive_file. lastIndexOf(QDir::separator())); // If another hive is currently open, close it if(this->is_hive_open) this->on_action_Close_hive_triggered(); // Try to open hive - this->hhive=hivex_open(hive_file.toAscii().constData(),0); - if(this->hhive==NULL) { + if(!this->p_hive->Open(hive_file)) { QMessageBox::critical(this, tr("Error opening hive file"), tr("Unable to open file '%1'").arg(hive_file)); return; } // Create tree model - hive_node_h root_node=hivex_root(hhive); - if(root_node==0) { - QMessageBox::critical(this, - tr("Error opening hive file"), - tr("This hive seems to have no root node!") - .arg(hive_file)); - return; - } this->p_reg_node_tree_model= - new RegistryNodeTreeModel(this->hhive, - root_node); + new RegistryNodeTreeModel(this->p_hive); this->p_node_tree->setModel(this->p_reg_node_tree_model); this->is_hive_open=true; this->ui->action_Close_hive->setEnabled(true); this->ui->MenuReports->setEnabled(true); this->UpdateWindowTitle(hive_file); } void MainWindow::on_action_Close_hive_triggered() { if(this->is_hive_open) { // Delete models if(this->p_reg_node_tree_model!=NULL) { delete this->p_reg_node_tree_model; this->p_reg_node_tree_model=NULL; } if(this->p_reg_key_table_model!=NULL) { delete this->p_reg_key_table_model; this->p_reg_key_table_model=NULL; } // Remove any data from hex edit and data interpreter this->p_hex_edit->setData(QByteArray()); this->p_hex_edit_status_bar->setText(""); this->p_data_interpreter->ClearValues(); // Close hive - hivex_close(this->hhive); + this->p_hive->Close(); this->is_hive_open=false; this->ui->action_Close_hive->setEnabled(false); this->ui->MenuReports->setEnabled(false); this->UpdateWindowTitle(); } } void MainWindow::on_actionAbout_Qt_triggered() { QMessageBox::aboutQt(this,tr("About Qt")); } void MainWindow::on_actionAbout_fred_triggered() { DlgAbout dlg_about(this); dlg_about.exec(); } void MainWindow::SlotNodeTreeClicked(QModelIndex index) { - QStringList nodes; + QString node_path; //Built node path - nodes.clear(); - nodes.append(this->p_reg_node_tree_model-> - data(index,Qt::DisplayRole).toString()); + node_path.clear(); + node_path=this->p_reg_node_tree_model->data(index,Qt::DisplayRole) + .toString().prepend("\\"); while(this->p_reg_node_tree_model->parent(index)!=QModelIndex()) { // Prepend all parent nodes index=this->p_reg_node_tree_model->parent(index); - nodes.prepend(this->p_reg_node_tree_model-> - data(index,Qt::DisplayRole).toString()); - } - - // Get hive_node handle for current node - hive_node_h hive_node=hivex_root(this->hhive); - QString cur_node; - for(QStringList::iterator it=nodes.begin();it!=nodes.end();++it) { - cur_node=*it; - hive_node=hivex_node_get_child(this->hhive, - hive_node, - cur_node.toAscii().constData()); + node_path.prepend(this->p_reg_node_tree_model->data(index,Qt::DisplayRole) + .toString().prepend("\\")); } // Create table model and attach it to the table view if(this->p_reg_key_table_model!=NULL) delete this->p_reg_key_table_model; - this->p_reg_key_table_model=new RegistryKeyTableModel(this->hhive, - hive_node); + this->p_reg_key_table_model=new RegistryKeyTableModel(this->p_hive,node_path); this->p_key_table->setModel(this->p_reg_key_table_model); // Resize table rows / columns to fit data this->p_key_table->resizeColumnsToContents(); this->p_key_table->horizontalHeader()->stretchLastSection(); } void MainWindow::SlotKeyTableDoubleClicked(QModelIndex index) { + /* QModelIndex key_index; QModelIndex node_index; QStringList nodes; QString key_name; QString key_type; QByteArray key_value; if(!index.isValid()) return; // Get key name, type and value key_index=this->p_reg_key_table_model->index(index.row(),0); key_name=this->p_reg_key_table_model->data(key_index,Qt::DisplayRole) .toString(); key_index=this->p_reg_key_table_model->index(index.row(),1); key_type=this->p_reg_key_table_model->data(key_index,Qt::DisplayRole) .toString(); key_index=this->p_reg_key_table_model->index(index.row(),2); key_value=this->p_reg_key_table_model->data(key_index, RegistryKeyTableModel:: AdditionalRoles_GetRawData) .toByteArray(); // Get current node node_index=this->p_node_tree->currentIndex(); //Built node path nodes.clear(); nodes.append(this->p_reg_node_tree_model-> data(node_index,Qt::DisplayRole).toString()); while(this->p_reg_node_tree_model->parent(node_index)!=QModelIndex()) { // Prepend all parent nodes node_index=this->p_reg_node_tree_model->parent(node_index); nodes.prepend(this->p_reg_node_tree_model-> data(node_index,Qt::DisplayRole).toString()); } DlgKeyDetails dlg_key_details(this); dlg_key_details.SetValues(nodes,key_name,key_type,key_value); dlg_key_details.exec(); + */ } void MainWindow::SlotKeyTableClicked(QModelIndex index) { if(!index.isValid()) return; this->selected_key_value= this->p_reg_key_table_model->data(this->p_reg_key_table_model-> index(index.row(),2), RegistryKeyTableModel:: AdditionalRoles_GetRawData) .toByteArray(); this->p_hex_edit->setData(this->selected_key_value); } void MainWindow::SlotHexEditAddressChanged(int hex_offset) { // Update hex edit status bar this->p_hex_edit_status_bar-> setText(QString().sprintf("Byte offset: 0x%04X (%u)",hex_offset,hex_offset)); // Update data interpreter this->UpdateDataInterpreter(hex_offset); } void MainWindow::SlotReportClicked() { // Get report category and name from sender and it's parent QString category=((QMenu*)((QAction*)QObject::sender())->parent())->title(); QString report=((QAction*)QObject::sender())->text(); - QString report_content=this->p_data_reporter->GenerateReport(this->hhive, + QString report_content=this->p_data_reporter->GenerateReport(this->p_hive, category, report); - QMessageBox::information(this,report,report_content); - + DlgReportViewer dlg_report_view(report_content,this); + dlg_report_view.exec(); } void MainWindow::UpdateWindowTitle(QString filename) { if(filename=="") { this->setWindowTitle(QString().sprintf("%s v%s",APP_TITLE,APP_VERSION)); } else { this->setWindowTitle(QString().sprintf("%s v%s - %s", APP_TITLE, APP_VERSION, filename.toLocal8Bit().constData())); } } void MainWindow::UpdateDataInterpreter(int hex_offset) { QDateTime date_time; const char *p_data; int remaining_data_len; // Remove all old values from data interpreter this->p_data_interpreter->ClearValues(); // Calculate how many bytes are remainig after current offset remaining_data_len=this->selected_key_value.size()-hex_offset; if(!remaining_data_len>0) { // Nothing to show return; } // Get pointer to data at current offset p_data=this->selected_key_value.constData(); p_data+=hex_offset; #define rotl32(x,n) (((x) << n) | ((x) >> (32 - n))) //#define rotr32(x,n) (((x) >> n) | ((x) << (32 - n))) #define rotl64(x,n) (((x) << n) | ((x) >> (64 - n))) //#define rotr64(x,n) (((x) >> n) | ((x) << (64 - n))) if(remaining_data_len>=1) { this->p_data_interpreter->AddValue("int8:", QString().sprintf("%d", *(int8_t*)p_data)); this->p_data_interpreter->AddValue("uint8:", QString().sprintf("%u", *(uint8_t*)p_data)); } if(remaining_data_len>=2) { this->p_data_interpreter->AddValue("int16:", QString().sprintf("%d", *(int16_t*)p_data)); this->p_data_interpreter->AddValue("uint16:", QString().sprintf("%u", *(uint16_t*)p_data)); } if(remaining_data_len>=4) { this->p_data_interpreter->AddValue("int32:", QString().sprintf("%d", *(int32_t*)p_data)); this->p_data_interpreter->AddValue("uint32:", QString().sprintf("%d", *(uint32_t*)p_data)); date_time.setTime_t(*(uint32_t*)p_data); this->p_data_interpreter->AddValue("Unixtime:", date_time. toString("yyyy/MM/dd hh:mm:ss")); } if(remaining_data_len>=8) { this->p_data_interpreter->AddValue("int64:", QString().sprintf("%d", *(int64_t*)p_data)); this->p_data_interpreter->AddValue("uint64:", QString().sprintf("%d", *(uint64_t*)p_data)); date_time.setTime_t((*(uint64_t*)p_data-116444736000000000)/10000000); this->p_data_interpreter->AddValue("Win64time:", date_time. toString("yyyy/MM/dd hh:mm:ss")); } #undef rotl32 #undef rotl64 } void MainWindow::UpdateDataReporterMenu() { int i=0,ii=0; QMenu *p_category_entry; QAction *p_report_entry; QStringList categories=this->p_data_reporter->GetAvailableReportCategories(); QStringList reports; for(i=0;iui->MenuReports->addMenu(categories.value(i)); // Now add category reports reports=this->p_data_reporter->GetAvailableReports(categories.value(i)); for(ii=0;iiaddAction(p_report_entry); this->connect(p_report_entry, SIGNAL(triggered()), this, SLOT(SlotReportClicked())); } } } - -/* -void MainWindow::LoadReportTemplates() { - //#include - - QString report_template=""; - QXmlSimpleReader xml_parser; - - qDebug("Loading report templates..."); - - QDir report_dir("../trunk/report_templates/"); - QStringList report_templates=report_dir.entryList(QStringList()<<"*.fred"); - int i=0; - - for(i=0;i * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #ifndef MAINWINDOW_H #define MAINWINDOW_H #include #include +#include "registryhive.h" #include "registrynodetreemodel.h" #include "registrykeytablemodel.h" #include "qhexedit/qhexedit.h" #include "datainterpreter.h" #include "datareporter.h" namespace Ui { class MainWindow; } class MainWindow : public QMainWindow { Q_OBJECT public: explicit MainWindow(QWidget *parent = 0); ~MainWindow(); private slots: void on_action_Quit_triggered(); void on_action_Open_hive_triggered(); void on_action_Close_hive_triggered(); void on_actionAbout_Qt_triggered(); void on_actionAbout_fred_triggered(); void SlotNodeTreeClicked(QModelIndex index); void SlotKeyTableClicked(QModelIndex index); void SlotKeyTableDoubleClicked(QModelIndex index); void SlotHexEditAddressChanged(int hex_offset); void SlotReportClicked(); private: Ui::MainWindow *ui; QString last_open_location; - hive_h *hhive; + RegistryHive *p_hive; bool is_hive_open; RegistryNodeTreeModel *p_reg_node_tree_model; RegistryKeyTableModel *p_reg_key_table_model; QByteArray selected_key_value; // Widgets etc... QTreeView *p_node_tree; QTableView *p_key_table; QWidget *p_hex_edit_widget; QHexEdit *p_hex_edit; QLabel *p_hex_edit_status_bar; DataInterpreter *p_data_interpreter; QVBoxLayout *p_hex_edit_layout; QSplitter *p_horizontal_splitter; QSplitter *p_horizontal_splitter2; QSplitter *p_vertical_splitter; DataReporter *p_data_reporter; /* * UpdateWindowTitle * * Updates the window title */ void UpdateWindowTitle(QString filename=""); /* * UpdateDataInterpreter * * Update data interpreter */ void UpdateDataInterpreter(int hex_offset); /* * UpdateDataReporterMenu * */ void UpdateDataReporterMenu(); }; #endif // MAINWINDOW_H diff --git a/trunk/qhexedit/qhexedit_p.cpp b/trunk/qhexedit/qhexedit_p.cpp index 23a6f80..3988385 100644 --- a/trunk/qhexedit/qhexedit_p.cpp +++ b/trunk/qhexedit/qhexedit_p.cpp @@ -1,454 +1,455 @@ /******************************************************************************* * qhexedit Copyright (c) 2011 by Gillen Daniel * * * * Simple hex editor widget for Qt. * * * * Derived from code by Simon Winfried under a compatible license: * * Copyright (c) 2010 by Simon Winfried * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #include #include "qhexedit_p.h" const int HEXCHARS_IN_LINE = 47; const int GAP_ADR_HEX = 10; const int GAP_HEX_ASCII = 16; const int BYTES_PER_LINE = 16; QHexEditPrivate::QHexEditPrivate(QScrollArea *parent) : QWidget(parent) { _scrollArea = parent; setAddressWidth(4); setAddressOffset(0); setAddressArea(true); setAsciiArea(true); setHighlighting(true); setOverwriteMode(true); setAddressAreaColor(QColor(Qt::lightGray).lighter(110)); setHighlightingColor(QColor(Qt::yellow).lighter(160)); this->setReadOnly(true); setFont(QFont("Mono", 10)); connect(&_cursorTimer, SIGNAL(timeout()), this, SLOT(updateCursor())); _cursorTimer.setInterval(500); - _cursorTimer.start(); setFocusPolicy(Qt::StrongFocus); _size = -1; } void QHexEditPrivate::setAddressOffset(int offset) { _addressOffset = offset; adjust(); } int QHexEditPrivate::addressOffset() { return _addressOffset; } void QHexEditPrivate::setData(const QByteArray &data) { - _data = data; - _originalData = data; - adjust(); - setCursorPos(0); - setFocus(); + if(!data.isNull() && !data.isEmpty()) this->_cursorTimer.start(); + else this->_cursorTimer.stop(); + this->_data = data; + this->_originalData = data; + this->adjust(); + this->setCursorPos(0); + this->setFocus(); } QByteArray QHexEditPrivate::data() { return _data; } void QHexEditPrivate::setAddressAreaColor(const QColor &color) { _addressAreaColor = color; update(); } QColor QHexEditPrivate::addressAreaColor() { return _addressAreaColor; } void QHexEditPrivate::setHighlightingColor(const QColor &color) { _highlightingColor = color; update(); } QColor QHexEditPrivate::highlightingColor() { return _highlightingColor; } void QHexEditPrivate::setOverwriteMode(bool overwriteMode) { if (overwriteMode != _overwriteMode) { emit overwriteModeChanged(overwriteMode); _overwriteMode = overwriteMode; adjust(); } } bool QHexEditPrivate::overwriteMode() { return _overwriteMode; } void QHexEditPrivate::setReadOnly(bool read_only) { this->_readOnly=read_only; } bool QHexEditPrivate::readOnly() { return this->_readOnly; } void QHexEditPrivate::insert(int i, const QByteArray & ba) { _data.insert(i, ba); _originalData.insert(i, ba); } void QHexEditPrivate::insert(int i, char ch) { _data.insert(i, ch); _originalData.insert(i, ch); } void QHexEditPrivate::remove(int index, int len) { _data.remove(index, len); _originalData.remove(index, len); } void QHexEditPrivate::setAddressArea(bool addressArea) { _addressArea = addressArea; adjust(); setCursorPos(_cursorPosition); } void QHexEditPrivate::setAddressWidth(int addressWidth) { if ((addressWidth >= 0) and (addressWidth<=6)) { _addressNumbers = addressWidth; adjust(); setCursorPos(_cursorPosition); } } void QHexEditPrivate::setAsciiArea(bool asciiArea) { _asciiArea = asciiArea; adjust(); } void QHexEditPrivate::setFont(const QFont &font) { QWidget::setFont(font); adjust(); } void QHexEditPrivate::setHighlighting(bool mode) { _highlighting = mode; update(); } void QHexEditPrivate::keyPressEvent(QKeyEvent *event) { bool down = false; int charX = (_cursorX - _xPosHex) / _charWidth; int posX = (charX / 3) * 2 + (charX % 3); int posBa = (_cursorY / _charHeight) * BYTES_PER_LINE + posX / 2; int key = int(event->text()[0].toAscii()); if (!this->_readOnly && ((key>='0' && key<='9') || (key>='a' && key <= 'f'))) { // insert char if (_overwriteMode == false) if ((charX % 3) == 0) { insert(posBa, char(0)); adjust(); } if (_data.size() > 0) { QByteArray hexValue = _data.mid(posBa, 1).toHex(); if ((charX % 3) == 0) hexValue[0] = key; else hexValue[1] = key; _data.replace(posBa, 1, QByteArray().fromHex(hexValue)); emit dataChanged(); setCursorPos(_cursorPosition + 1); down = true; } } // delete char if (!this->_readOnly && event->matches(QKeySequence::Delete)) { remove(posBa); } if (!this->_readOnly && event->key() == Qt::Key_Backspace) { remove(posBa - 1); setCursorPos(_cursorPosition - 2); } // handle other function keys if(!this->_readOnly && event->key() == Qt::Key_Insert) { setOverwriteMode(!_overwriteMode); setCursorPos(_cursorPosition); } if (event->matches(QKeySequence::MoveToNextChar)) { setCursorPos(_cursorPosition + 1); down = true; } if (event->matches(QKeySequence::MoveToPreviousChar)) setCursorPos(_cursorPosition - 1); if (event->matches(QKeySequence::MoveToStartOfLine)) setCursorPos(_cursorPosition - (_cursorPosition % (2 * BYTES_PER_LINE))); if (event->matches(QKeySequence::MoveToEndOfLine)) setCursorPos(_cursorPosition | (2 * BYTES_PER_LINE -1)); if (event->matches(QKeySequence::MoveToPreviousLine)) setCursorPos(_cursorPosition - (2 * BYTES_PER_LINE)); if (event->matches(QKeySequence::MoveToPreviousPage)) setCursorPos(_cursorPosition - (((_scrollArea->viewport()->height() / _charHeight) - 1) * 2 * BYTES_PER_LINE)); if (event->matches(QKeySequence::MoveToStartOfDocument)) setCursorPos(0); if (event->matches(QKeySequence::MoveToNextLine)) { setCursorPos(_cursorPosition + (2 * BYTES_PER_LINE)); down = true; } if (event->matches(QKeySequence::MoveToEndOfDocument)) { setCursorPos(_data.size() * 2); down = true; } if (event->matches(QKeySequence::MoveToNextPage)) { setCursorPos(_cursorPosition + (((_scrollArea->viewport()->height() / _charHeight) - 1) * 2 * BYTES_PER_LINE)); down = true; } // when we move downwards, we have to go a little further if (down) _scrollArea->ensureVisible(_cursorX, _cursorY, 3, 3 + _charHeight); else _scrollArea->ensureVisible(_cursorX, _cursorY, 3, 3); update(); } void QHexEditPrivate::mousePressEvent(QMouseEvent * event) { setCursorPos(event->pos()); } void QHexEditPrivate::paintEvent(QPaintEvent *event) { QPainter painter(this); // draw some patterns if needed painter.fillRect(event->rect(), this->palette().color(QPalette::Base)); if (_addressArea) painter.fillRect(QRect(_xPosAdr, event->rect().top(), _xPosHex - GAP_ADR_HEX + 2, height()), _addressAreaColor); if (_asciiArea) { int linePos = _xPosAscii - (GAP_HEX_ASCII / 2); painter.setPen(Qt::gray); painter.drawLine(linePos, event->rect().top(), linePos, height()); } painter.setPen(this->palette().color(QPalette::WindowText)); // calc position int firstLineIdx = ((event->rect().top()/ _charHeight) - _charHeight) * BYTES_PER_LINE; if (firstLineIdx < 0) firstLineIdx = 0; int lastLineIdx = ((event->rect().bottom() / _charHeight) + _charHeight) * BYTES_PER_LINE; if (lastLineIdx > _data.size()) lastLineIdx = _data.size(); int yPosStart = ((firstLineIdx) / BYTES_PER_LINE) * _charHeight + _charHeight; // paint address area if (_addressArea) { for (int lineIdx = firstLineIdx, yPos = yPosStart; lineIdx < lastLineIdx; lineIdx += BYTES_PER_LINE, yPos +=_charHeight) { QString address = QString("%1") .arg(lineIdx + _addressOffset, _realAddressNumbers, 16, QChar('0')); painter.drawText(_xPosAdr, yPos, address); } } // paint hex area QByteArray hexBa(_data.mid(firstLineIdx, lastLineIdx - firstLineIdx + 1).toHex()); QBrush highLighted = QBrush(_highlightingColor); painter.setBackground(highLighted); painter.setBackgroundMode(Qt::TransparentMode); for (int lineIdx = firstLineIdx, yPos = yPosStart; lineIdx < lastLineIdx; lineIdx += BYTES_PER_LINE, yPos +=_charHeight) { QByteArray hex; int xPos = _xPosHex; for (int colIdx = 0; ((lineIdx + colIdx) < _data.size() and (colIdx < BYTES_PER_LINE)); colIdx++) { // hilight diff bytes if (_highlighting) { int posBa = lineIdx + colIdx; if (posBa >= _originalData.size()) painter.setBackgroundMode(Qt::TransparentMode); else if (_data[posBa] == _originalData[posBa]) painter.setBackgroundMode(Qt::TransparentMode); else painter.setBackgroundMode(Qt::OpaqueMode); } // render hex value if (colIdx == 0) { hex = hexBa.mid((lineIdx - firstLineIdx) * 2, 2); painter.drawText(xPos, yPos, hex); xPos += 2 * _charWidth; } else { hex = hexBa.mid((lineIdx + colIdx - firstLineIdx) * 2, 2).prepend(" "); painter.drawText(xPos, yPos, hex); xPos += 3 * _charWidth; } } } painter.setBackgroundMode(Qt::TransparentMode); // paint ascii area if (_asciiArea) { for (int lineIdx = firstLineIdx, yPos = yPosStart; lineIdx < lastLineIdx; lineIdx += BYTES_PER_LINE, yPos +=_charHeight) { QByteArray ascii = _data.mid(lineIdx, BYTES_PER_LINE); for (int idx=0; idx < ascii.size(); idx++) if (((char)ascii[idx] < 0x20) or ((char)ascii[idx] > 0x7e)) ascii[idx] = '.'; painter.drawText(_xPosAscii, yPos, ascii); } } // paint cursor - if (_blink) + if (_blink && !this->_data.isNull() && !this->_data.isEmpty()) { if (_overwriteMode) painter.fillRect(_cursorX, _cursorY + _charHeight - 2, _charWidth, 2, this->palette().color(QPalette::WindowText)); else painter.fillRect(_cursorX, _cursorY, 2, _charHeight, this->palette().color(QPalette::WindowText)); } if (_size != _data.size()) { _size = _data.size(); emit currentSizeChanged(_size); } } void QHexEditPrivate::setCursorPos(int position) { // delete cursor _blink = false; update(); // cursor in range? if (_overwriteMode) { if (position > (_data.size() * 2 - 1)) position = _data.size() * 2 - 1; } else { if (position > (_data.size() * 2)) position = _data.size() * 2; } if (position < 0) position = 0; // calc position _cursorPosition = position; _cursorY = (position / (2 * BYTES_PER_LINE)) * _charHeight + 4; int x = (position % (2 * BYTES_PER_LINE)); _cursorX = (((x / 2) * 3) + (x % 2)) * _charWidth + _xPosHex; // immiadately draw cursor _blink = true; update(); emit currentAddressChanged(_cursorPosition/2); } void QHexEditPrivate::setCursorPos(QPoint pos) { // find char under cursor if ((pos.x() >= _xPosHex) and (pos.x() < (_xPosHex + HEXCHARS_IN_LINE * _charWidth))) { int x = (pos.x() - _xPosHex) / _charWidth; if ((x % 3) == 0) x = (x / 3) * 2; else x = ((x / 3) * 2) + 1; int y = (pos.y() / _charHeight) * 2 * BYTES_PER_LINE; setCursorPos(x + y); } } void QHexEditPrivate::updateCursor() { if (_blink) _blink = false; else _blink = true; update(_cursorX, _cursorY, _charWidth, _charHeight); } void QHexEditPrivate::adjust() { _charWidth = fontMetrics().width(QLatin1Char('9')); _charHeight = fontMetrics().height(); // is addressNumbers wide enought? QString test = QString("%1") .arg(_data.size() + _addressOffset, _addressNumbers, 16, QChar('0')); _realAddressNumbers = test.size(); _xPosAdr = 0; if (_addressArea) _xPosHex = _realAddressNumbers *_charWidth + GAP_ADR_HEX; else _xPosHex = 0; _xPosAscii = _xPosHex + HEXCHARS_IN_LINE * _charWidth + GAP_HEX_ASCII; // tell QAbstractScollbar, how big we are setMinimumHeight(((_data.size()/16 + 1) * _charHeight) + 3); setMinimumWidth(_xPosAscii + (BYTES_PER_LINE * _charWidth)); update(); } diff --git a/trunk/qtscript_types/bytearray.cpp b/trunk/qtscript_types/bytearray.cpp new file mode 100644 index 0000000..0986ab6 --- /dev/null +++ b/trunk/qtscript_types/bytearray.cpp @@ -0,0 +1,179 @@ +/******************************************************************************* +* Copyright (c) 2011 by Gillen Daniel * +* * +* Derived from code by Nokia Corporation and/or its subsidiary(-ies) under a * +* compatible license: * +* * +* Copyright (C) 2009 Nokia Corporation and/or its subsidiary(-ies). * +* All rights reserved. * +* * +* This program is free software: you can redistribute it and/or modify it * +* under the terms of the GNU General Public License as published by the Free * +* Software Foundation, either version 3 of the License, or (at your option) * +* any later version. * +* * +* This program is distributed in the hope that it will be useful, but WITHOUT * +* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * +* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * +* more details. * +* * +* You should have received a copy of the GNU General Public License along with * +* this program. If not, see . * +*******************************************************************************/ + +#include + +#include "bytearray.h" +#include "bytearrayiterator.h" +#include "bytearrayprototype.h" + +#include + +Q_DECLARE_METATYPE(QByteArray*) +Q_DECLARE_METATYPE(ByteArray*) + +static qint32 toArrayIndex(const QString &str) { + QByteArray bytes = str.toUtf8(); + char *eptr; + + quint32 pos = strtoul(bytes.constData(), &eptr, 10); + if((eptr == bytes.constData() + bytes.size()) && + (QByteArray::number(pos) == bytes)) + { + return pos; + } + + return -1; +} + +ByteArray::ByteArray(QScriptEngine *engine) + : QObject(engine), QScriptClass(engine) +{ + qScriptRegisterMetaType(engine, + this->toScriptValue, + this->fromScriptValue); + + length=engine->toStringHandle(QLatin1String("length")); + + this->proto=engine->newQObject(new ByteArrayPrototype(this), + QScriptEngine::QtOwnership, + QScriptEngine::SkipMethodsInEnumeration | + QScriptEngine::ExcludeSuperClassMethods | + QScriptEngine::ExcludeSuperClassProperties); + QScriptValue global=engine->globalObject(); + this->proto.setPrototype(global.property("Object").property("prototype")); + + this->ctor=engine->newFunction(construct); + this->ctor.setData(qScriptValueFromValue(engine,this)); +} + +ByteArray::~ByteArray() {} + +QScriptClass::QueryFlags ByteArray::queryProperty(const QScriptValue &object, + const QScriptString &name, + QueryFlags flags, + uint *id) +{ + QByteArray *ba=qscriptvalue_cast(object.data()); + + if(!ba) return 0; + if(name!=length) { + qint32 pos=toArrayIndex(name); + if(pos==-1) return 0; + *id=pos; + if((flags & HandlesReadAccess) && (pos>=ba->size())) + flags &= ~HandlesReadAccess; + } + + return flags; +} + +QScriptValue ByteArray::property(const QScriptValue &object, + const QScriptString &name, + uint id) +{ + QByteArray *ba=qscriptvalue_cast(object.data()); + if(!ba) return QScriptValue(); + if(name==length) return ba->length(); + else { + qint32 pos=id; + if((pos < 0) || (pos >= ba->size())) return QScriptValue(); + return uint(ba->at(pos)) & 255; + } + + return QScriptValue(); +} + +void ByteArray::setProperty(QScriptValue &object, + const QScriptString &name, + uint id, + const QScriptValue &value) +{ + QByteArray *ba=qscriptvalue_cast(object.data()); + if(!ba) return; + if(name==length) ba->resize(value.toInt32()); + else { + qint32 pos=id; + if(pos<0) return; + if(ba->size()<=pos) ba->resize(pos + 1); + (*ba)[pos]=char(value.toInt32()); + } +} + +QScriptValue::PropertyFlags ByteArray::propertyFlags(const QScriptValue &object, + const QScriptString &name, + uint id) +{ + Q_UNUSED(object); + Q_UNUSED(id); + + if(name==length) { + return QScriptValue::Undeletable | QScriptValue::SkipInEnumeration; + } + return QScriptValue::Undeletable; +} + +QScriptClassPropertyIterator *ByteArray::newIterator(const QScriptValue &object) +{ + return new ByteArrayIterator(object); +} + +QString ByteArray::name() const { + return QLatin1String("ByteArray"); +} + +QScriptValue ByteArray::prototype() const { + return this->proto; +} + +QScriptValue ByteArray::constructor() { + return this->ctor; +} + +QScriptValue ByteArray::newInstance(int size) { + return newInstance(QByteArray(size,0)); +} + +QScriptValue ByteArray::newInstance(const QByteArray &ba) { + QScriptValue data=engine()->newVariant(qVariantFromValue(ba)); + return engine()->newObject(this,data); +} + +QScriptValue ByteArray::construct(QScriptContext *ctx, QScriptEngine *) { + ByteArray *cls=qscriptvalue_cast(ctx->callee().data()); + if(!cls) return QScriptValue(); + int size=ctx->argument(0).toInt32(); + return cls->newInstance(size); +} + +QScriptValue ByteArray::toScriptValue(QScriptEngine *eng, const QByteArray &ba) +{ + QScriptValue ctor=eng->globalObject().property("ByteArray"); + ByteArray *cls=qscriptvalue_cast(ctor.data()); + if(!cls) return eng->newVariant(qVariantFromValue(ba)); + return cls->newInstance(ba); +} + +void ByteArray::fromScriptValue(const QScriptValue &obj, QByteArray &ba) { + ba=qscriptvalue_cast(obj.data()); +} diff --git a/trunk/qtscript_types/bytearray.h b/trunk/qtscript_types/bytearray.h new file mode 100644 index 0000000..56f859c --- /dev/null +++ b/trunk/qtscript_types/bytearray.h @@ -0,0 +1,74 @@ +/******************************************************************************* +* Copyright (c) 2011 by Gillen Daniel * +* * +* Derived from code by Nokia Corporation and/or its subsidiary(-ies) under a * +* compatible license: * +* * +* Copyright (C) 2009 Nokia Corporation and/or its subsidiary(-ies). * +* All rights reserved. * +* * +* This program is free software: you can redistribute it and/or modify it * +* under the terms of the GNU General Public License as published by the Free * +* Software Foundation, either version 3 of the License, or (at your option) * +* any later version. * +* * +* This program is distributed in the hope that it will be useful, but WITHOUT * +* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * +* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * +* more details. * +* * +* You should have received a copy of the GNU General Public License along with * +* this program. If not, see . * +*******************************************************************************/ + +// Description: http://cs.karelia.ru/~aborod/doc/qt/script-customclass.html + +#ifndef BYTEARRAY_H +#define BYTEARRAY_H + +#include +#include +#include + +class ByteArray : public QObject, public QScriptClass { + public: + ByteArray(QScriptEngine *engine); + ~ByteArray(); + + QScriptValue constructor(); + + QScriptValue newInstance(int size = 0); + QScriptValue newInstance(const QByteArray &ba); + + QueryFlags queryProperty(const QScriptValue &object, + const QScriptString &name, + QueryFlags flags, + uint *id); + QScriptValue property(const QScriptValue &object, + const QScriptString &name, + uint id); + void setProperty(QScriptValue &object, + const QScriptString &name, + uint id, + const QScriptValue &value); + QScriptValue::PropertyFlags propertyFlags(const QScriptValue &object, + const QScriptString &name, + uint id); + QScriptClassPropertyIterator *newIterator(const QScriptValue &object); + + QString name() const; + + QScriptValue prototype() const; + + private: + static QScriptValue construct(QScriptContext *ctx, QScriptEngine *eng); + + static QScriptValue toScriptValue(QScriptEngine *eng, const QByteArray &ba); + static void fromScriptValue(const QScriptValue &obj, QByteArray &ba); + + QScriptString length; + QScriptValue proto; + QScriptValue ctor; +}; + +#endif // BYTEARRAY_H diff --git a/trunk/qtscript_types/bytearrayiterator.cpp b/trunk/qtscript_types/bytearrayiterator.cpp new file mode 100644 index 0000000..8ef3069 --- /dev/null +++ b/trunk/qtscript_types/bytearrayiterator.cpp @@ -0,0 +1,74 @@ +/******************************************************************************* +* Copyright (c) 2011 by Gillen Daniel * +* * +* Derived from code by Nokia Corporation and/or its subsidiary(-ies) under a * +* compatible license: * +* * +* Copyright (C) 2009 Nokia Corporation and/or its subsidiary(-ies). * +* All rights reserved. * +* * +* This program is free software: you can redistribute it and/or modify it * +* under the terms of the GNU General Public License as published by the Free * +* Software Foundation, either version 3 of the License, or (at your option) * +* any later version. * +* * +* This program is distributed in the hope that it will be useful, but WITHOUT * +* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * +* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * +* more details. * +* * +* You should have received a copy of the GNU General Public License along with * +* this program. If not, see . * +*******************************************************************************/ + +#include "bytearrayiterator.h" + +#include + +Q_DECLARE_METATYPE(QByteArray*) + +ByteArrayIterator::ByteArrayIterator(const QScriptValue &object) + : QScriptClassPropertyIterator(object) +{ + toFront(); +} + +ByteArrayIterator::~ByteArrayIterator() {} + +bool ByteArrayIterator::hasNext() const { + QByteArray *ba=qscriptvalue_cast(object().data()); + return m_indexsize(); +} + +void ByteArrayIterator::next() { + m_last=m_index; + ++m_index; +} + +bool ByteArrayIterator::hasPrevious() const { + return(m_index>0); +} + +void ByteArrayIterator::previous() { + --m_index; + m_last=m_index; +} + +void ByteArrayIterator::toFront() { + m_index=0; + m_last=-1; +} + +void ByteArrayIterator::toBack() { + QByteArray *ba=qscriptvalue_cast(object().data()); + m_index=ba->size(); + m_last=-1; +} + +QScriptString ByteArrayIterator::name() const { + return QScriptString(); +} + +uint ByteArrayIterator::id() const { + return m_last; +} diff --git a/trunk/datareporter.h b/trunk/qtscript_types/bytearrayiterator.h similarity index 58% copy from trunk/datareporter.h copy to trunk/qtscript_types/bytearrayiterator.h index 92f06c2..3574ea8 100644 --- a/trunk/datareporter.h +++ b/trunk/qtscript_types/bytearrayiterator.h @@ -1,47 +1,51 @@ /******************************************************************************* -* fred Copyright (c) 2011 by Gillen Daniel * +* Copyright (c) 2011 by Gillen Daniel * * * -* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * -* with special feautures useful during forensic analysis. * +* Derived from code by Nokia Corporation and/or its subsidiary(-ies) under a * +* compatible license: * +* * +* Copyright (C) 2009 Nokia Corporation and/or its subsidiary(-ies). * +* All rights reserved. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ -#ifndef DATAREPORTER_H -#define DATAREPORTER_H +#ifndef BYTEARRAYITERATOR_H +#define BYTEARRAYITERATOR_H -#include +#include -#include +class ByteArrayIterator : public QScriptClassPropertyIterator { + public: + ByteArrayIterator(const QScriptValue &object); + ~ByteArrayIterator(); -#include "reporttemplate.h" + bool hasNext() const; + void next(); -class DataReporter { - public: - DataReporter(); - ~DataReporter(); + bool hasPrevious() const; + void previous(); - void LoadReportTemplates(); - QStringList GetAvailableReportCategories(); - QStringList GetAvailableReports(QString category); + void toFront(); + void toBack(); - QString GenerateReport(hive_h *hhive, - QString report_category, - QString report_name); + QScriptString name() const; + uint id() const; private: - QList report_templates; + int m_index; + int m_last; }; -#endif // DATAREPORTER_H +#endif // BYTEARRAYITERATOR_H diff --git a/trunk/qtscript_types/bytearrayprototype.cpp b/trunk/qtscript_types/bytearrayprototype.cpp new file mode 100644 index 0000000..dca2279 --- /dev/null +++ b/trunk/qtscript_types/bytearrayprototype.cpp @@ -0,0 +1,93 @@ +/******************************************************************************* +* Copyright (c) 2011 by Gillen Daniel * +* * +* Derived from code by Nokia Corporation and/or its subsidiary(-ies) under a * +* compatible license: * +* * +* Copyright (C) 2009 Nokia Corporation and/or its subsidiary(-ies). * +* All rights reserved. * +* * +* This program is free software: you can redistribute it and/or modify it * +* under the terms of the GNU General Public License as published by the Free * +* Software Foundation, either version 3 of the License, or (at your option) * +* any later version. * +* * +* This program is distributed in the hope that it will be useful, but WITHOUT * +* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * +* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * +* more details. * +* * +* You should have received a copy of the GNU General Public License along with * +* this program. If not, see . * +*******************************************************************************/ + +#include "bytearrayprototype.h" +#include + +Q_DECLARE_METATYPE(QByteArray*) + +ByteArrayPrototype::ByteArrayPrototype(QObject *p_parent) : QObject(p_parent) {} + +ByteArrayPrototype::~ByteArrayPrototype() {} + +QByteArray *ByteArrayPrototype::thisByteArray() const { + return qscriptvalue_cast(thisObject().data()); +} + +void ByteArrayPrototype::chop(int n) { + thisByteArray()->chop(n); +} + +bool ByteArrayPrototype::equals(const QByteArray &other) { + return *thisByteArray()==other; +} + +QByteArray ByteArrayPrototype::left(int len) const { + return thisByteArray()->left(len); +} + +QByteArray ByteArrayPrototype::mid(int pos, int len) const { + return thisByteArray()->mid(pos,len); +} + +QScriptValue ByteArrayPrototype::remove(int pos, int len) { + thisByteArray()->remove(pos,len); + return thisObject(); +} + +QByteArray ByteArrayPrototype::right(int len) const { + return thisByteArray()->right(len); +} + +QByteArray ByteArrayPrototype::simplified() const { + return thisByteArray()->simplified(); +} + +QByteArray ByteArrayPrototype::toBase64() const { + return thisByteArray()->toBase64(); +} + +QByteArray ByteArrayPrototype::toLower() const { + return thisByteArray()->toLower(); +} + +QByteArray ByteArrayPrototype::toUpper() const { + return thisByteArray()->toUpper(); +} + +QByteArray ByteArrayPrototype::trimmed() const { + return thisByteArray()->trimmed(); +} + +void ByteArrayPrototype::truncate(int pos) { + thisByteArray()->truncate(pos); +} + +QString ByteArrayPrototype::toLatin1String() const { + return QString::fromLatin1(*thisByteArray()); +} + +QScriptValue ByteArrayPrototype::valueOf() const { + return thisObject().data(); +} + diff --git a/trunk/qtscript_types/bytearrayprototype.h b/trunk/qtscript_types/bytearrayprototype.h new file mode 100644 index 0000000..adc2a5e --- /dev/null +++ b/trunk/qtscript_types/bytearrayprototype.h @@ -0,0 +1,60 @@ +/******************************************************************************* +* Copyright (c) 2011 by Gillen Daniel * +* * +* Derived from code by Nokia Corporation and/or its subsidiary(-ies) under a * +* compatible license: * +* * +* Copyright (C) 2009 Nokia Corporation and/or its subsidiary(-ies). * +* All rights reserved. * +* * +* This program is free software: you can redistribute it and/or modify it * +* under the terms of the GNU General Public License as published by the Free * +* Software Foundation, either version 3 of the License, or (at your option) * +* any later version. * +* * +* This program is distributed in the hope that it will be useful, but WITHOUT * +* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * +* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * +* more details. * +* * +* You should have received a copy of the GNU General Public License along with * +* this program. If not, see . * +*******************************************************************************/ + +#ifndef BYTEARRAYPROTOTYPE_H +#define BYTEARRAYPROTOTYPE_H + +#include +#include +#include +#include + +class ByteArrayPrototype : public QObject, public QScriptable { + Q_OBJECT + + public: + ByteArrayPrototype(QObject *p_parent=0); + ~ByteArrayPrototype(); + + public slots: + void chop(int n); + bool equals(const QByteArray &other); + QByteArray left(int len) const; + QByteArray mid(int pos, int len = -1) const; + QScriptValue remove(int pos, int len); + QByteArray right(int len) const; + QByteArray simplified() const; + QByteArray toBase64() const; + QByteArray toLower() const; + QByteArray toUpper() const; + QByteArray trimmed() const; + void truncate(int pos); + QString toLatin1String() const; + QScriptValue valueOf() const; + + private: + QByteArray *thisByteArray() const; +}; + +#endif // BYTEARRAYPROTOTYPE_H + diff --git a/trunk/registryhive.cpp b/trunk/registryhive.cpp index 9bdc439..b50b46f 100644 --- a/trunk/registryhive.cpp +++ b/trunk/registryhive.cpp @@ -1,7 +1,459 @@ +/******************************************************************************* +* fred Copyright (c) 2011 by Gillen Daniel * +* * +* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * +* with special feautures useful during forensic analysis. * +* * +* This program is free software: you can redistribute it and/or modify it * +* under the terms of the GNU General Public License as published by the Free * +* Software Foundation, either version 3 of the License, or (at your option) * +* any later version. * +* * +* This program is distributed in the hope that it will be useful, but WITHOUT * +* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * +* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * +* more details. * +* * +* You should have received a copy of the GNU General Public License along with * +* this program. If not, see . * +*******************************************************************************/ + #include "registryhive.h" -RegistryHive::RegistryHive(QObject *p_parent) - : QObject(p_parent) +#include + +#include + +/* + * RegistryHive + */ +RegistryHive::RegistryHive(QObject *p_parent) : QObject(p_parent) { + this->erro_msg=""; + this->is_error=false; + this->hive_file=""; + this->p_hive=NULL; + this->is_hive_open=false; +} + +/* + * ~RegistryHive + */ +RegistryHive::~RegistryHive() { + if(this->is_hive_open) this->Close(); +} + +/* + * Error + */ +bool RegistryHive::Error() { + return this->is_error; +} + +/* + * GetErrorMsg + */ +QString RegistryHive::GetErrorMsg() { + QString msg=this->erro_msg; + this->erro_msg=""; + this->is_error=false; + return msg; +} + +/* + * Open + */ +bool RegistryHive::Open(QString file, bool read_only) { + if(this->is_hive_open) return false; + + // Open hive file + this->p_hive=hivex_open(file.toAscii().constData(), + read_only ? 0 : HIVEX_OPEN_WRITE); + if(this->p_hive==NULL) return false; + + // Set local vars + this->hive_file=file; + this->is_hive_open=true; + + return true; +} + +/* + * Close + */ +bool RegistryHive::Close(bool commit_changes) { + if(this->is_hive_open) { + if(commit_changes) { + // Commit changes before closing hive. + // TODO: Maybe it would be more secure to commit changes to a new file and + // then move it over the original one. + hivex_commit(this->p_hive,NULL,0); + } + + // As hivex_close will _ALWAYS_ free the handle, we don't need the following + // values anymore + this->hive_file=""; + this->is_hive_open=false; + + // Close hive + if(hivex_close(this->p_hive)!=0) return false; + } + return true; +} + +/* + * GetNodes + */ +QMap RegistryHive::GetNodes(QString path) { + hive_node_h parent_node; + + // Get handle to last node in path + if(!this->GetNodeHandle(path,&parent_node)) return QMap(); + + // Get and return nodes + return this->GetNodesHelper(parent_node); +} + +/* + * GetNodes + */ +QMap RegistryHive::GetNodes(int parent_node) { + if(parent_node==0) { + this->SetError(tr("Invalid parent node handle specified!")); + return QMap(); + } + + // Get and return nodes + return this->GetNodesHelper(parent_node); +} + +/* + * GetKeys + */ +QMap RegistryHive::GetKeys(QString path) { + hive_node_h parent_node; + + // Get handle to last node in path + if(!this->GetNodeHandle(path,&parent_node)) return QMap(); + + // Get and return keys + return this->GetKeysHelper(parent_node); +} + +/* + * GetKeys + */ +QMap RegistryHive::GetKeys(int parent_node) { + if(parent_node==0) { + this->SetError(tr("Invalid parent node handle specified!")); + return QMap(); + } + + // Get and return keys + return this->GetKeysHelper(parent_node); +} + +/* + * GetKeyValue + */ +QByteArray RegistryHive::GetKeyValue(QString path, + QString key, + int *p_value_type, + size_t *p_value_len) +{ + hive_node_h parent_node; + hive_value_h hive_key; + + // Get handle to last node in path + if(!this->GetNodeHandle(path,&parent_node)) return QByteArray(); + + // Get key handle + hive_key=hivex_node_get_value(this->p_hive, + parent_node,key.toAscii().constData()); + if(hive_key==0) { + this->SetError(tr("Unable to get key handle!")); + *p_value_len=-1; + return QByteArray(); + } + + // Get and return key value + return this->GetKeyValueHelper(hive_key,p_value_type,p_value_len); +} + +/* + * GetKeyValue + */ +QByteArray RegistryHive::GetKeyValue(int hive_key, + int *p_value_type, + size_t *p_value_len) { + if(hive_key==0) { + this->SetError(tr("Invalid key handle specified!")); + *p_value_type=-1; + return QByteArray(); + } + + // Get and return key value + return this->GetKeyValueHelper(hive_key,p_value_type,p_value_len); +} + +/* + * KeyValueToString + */ +QString RegistryHive::KeyValueToString(QByteArray &value, int value_type) { + QString ret=""; + int i=0; + + #define ToHexStr() { \ + for(i=0;ierro_msg=msg; + this->is_error=true; +} + +/* + * GetNodeHandle + */ +bool RegistryHive::GetNodeHandle(QString &path, hive_node_h *p_node) { + QStringList nodes; + int i=0; + + // Get root node handle + *p_node=hivex_root(this->p_hive); + if(*p_node==0) { + this->SetError(tr("Unable to get root node!")); + return false; + } + + if(path!="\\") { + // If we aren't listing the root node, we have to get a handle to the + // last node in the path. Split path into nodes + nodes=path.split('\\',QString::SkipEmptyParts); + + // Iterate to the correct parent node + for(i=0;ip_hive, + *p_node, + nodes.value(i).toAscii().constData()); + if(*p_node==0) { + this->SetError(tr("Unable to find node '%1'!").arg(nodes.value(i))); + return false; + } + } + } + + return true; +} + +/* + * GetNodesHelper + */ +QMap RegistryHive::GetNodesHelper(hive_node_h parent_node) { + QMap keys; + char *p_name; + int i=0; + + // Get child nodes + hive_node_h *child_nodes=hivex_node_children(this->p_hive,parent_node); + if(child_nodes==NULL) { + this->SetError( + tr("Unable to enumerate child nodes!")); + return QMap(); + } + + // Build result + keys.clear(); + i=0; + while(child_nodes[i]) { + p_name=hivex_node_name(this->p_hive,child_nodes[i]); + if(p_name==NULL) { + this->SetError(tr("Unable to get node name!")); + free(child_nodes); + return QMap(); + } + keys.insert(QString(p_name),(int)child_nodes[i]); + free(p_name); + i++; + } + free(child_nodes); + + return keys; +} + +/* + * GetKeysHelper + */ +QMap RegistryHive::GetKeysHelper(hive_node_h parent_node) { + QMap keys; + char *p_name; + int i=0; + + // Get child keys + hive_value_h *p_keys=hivex_node_values(this->p_hive,parent_node); + if(p_keys==NULL) { + this->SetError( + tr("Unable to enumerate child keys!")); + return QMap(); + } + + // Build result list + keys.clear(); + i=0; + while(p_keys[i]) { + p_name=hivex_value_key(this->p_hive,p_keys[i]); + if(p_name==NULL) { + this->SetError(tr("Unable to get key name!")); + return QMap(); + } + keys.insert(QString(p_name),p_keys[i]); + free(p_name); + i++; + } + free(p_keys); + + return keys; +} + +QByteArray RegistryHive::GetKeyValueHelper(hive_value_h hive_key, + int *p_value_type, + size_t *p_value_len) +{ + QByteArray key_value; + char *p_key_value; + + p_key_value=hivex_value_value(this->p_hive, + hive_key, + (hive_type*)p_value_type, + p_value_len); + if(p_key_value==NULL) { + this->SetError(tr("Unable to get key value!")); + *p_value_type=-1; + return QByteArray(); + } + + // Feed QByteArray and free p_key_value + key_value=QByteArray(p_key_value,*p_value_len); + free(p_key_value); + return key_value; } diff --git a/trunk/registryhive.h b/trunk/registryhive.h index 6209422..dde94a5 100644 --- a/trunk/registryhive.h +++ b/trunk/registryhive.h @@ -1,20 +1,73 @@ +/******************************************************************************* +* fred Copyright (c) 2011 by Gillen Daniel * +* * +* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * +* with special feautures useful during forensic analysis. * +* * +* This program is free software: you can redistribute it and/or modify it * +* under the terms of the GNU General Public License as published by the Free * +* Software Foundation, either version 3 of the License, or (at your option) * +* any later version. * +* * +* This program is distributed in the hope that it will be useful, but WITHOUT * +* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * +* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * +* more details. * +* * +* You should have received a copy of the GNU General Public License along with * +* this program. If not, see . * +*******************************************************************************/ + #ifndef REGISTRYHIVE_H #define REGISTRYHIVE_H #include +#include #include class RegistryHive : public QObject { Q_OBJECT public: explicit RegistryHive(QObject *p_parent=0); + ~RegistryHive(); + + bool Error(); + QString GetErrorMsg(); + + bool Open(QString file, bool read_only=true); + bool Close(bool commit_changes=false); + + QMap GetNodes(QString path="\\"); + QMap GetNodes(int parent_node=0); + QMap GetKeys(QString path="\\"); + QMap GetKeys(int parent_node=0); + QByteArray GetKeyValue(QString path, + QString key, + int *p_value_type, + size_t *p_value_len); + QByteArray GetKeyValue(int hive_key, + int *p_value_type, + size_t *p_value_len); + static QString KeyValueToString(QByteArray &value, int value_type); + static QString KeyTypeToString(int value_type); - signals: + private: + QString erro_msg; + bool is_error; + QString hive_file; + hive_h *p_hive; + bool is_hive_open; - public slots: + void SetError(QString msg); + bool GetNodeHandle(QString &path, hive_node_h *p_node); + QMap GetNodesHelper(hive_node_h parent_node); + QMap GetKeysHelper(hive_node_h parent_node); + QByteArray GetKeyValueHelper(hive_value_h hive_key, + int *p_value_type, + size_t *p_value_len); }; #endif // REGISTRYHIVE_H diff --git a/trunk/registrykeytablemodel.cpp b/trunk/registrykeytablemodel.cpp index ba591fe..107af1e 100644 --- a/trunk/registrykeytablemodel.cpp +++ b/trunk/registrykeytablemodel.cpp @@ -1,310 +1,293 @@ /******************************************************************************* * fred Copyright (c) 2011 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #include "registrykeytablemodel.h" #include -RegistryKeyTableModel::RegistryKeyTableModel(hive_h *hhive, - hive_node_h hive_node, +RegistryKeyTableModel::RegistryKeyTableModel(RegistryHive *p_hive, + QString node_path, QObject *p_parent) : QAbstractTableModel(p_parent) { // Create the "root" key. It's values will be used for as header values. this->p_keys=new RegistryKey(QList()<< tr("Key")<SetupModelData(hhive,hive_node); + this->SetupModelData(p_hive,node_path); } RegistryKeyTableModel::~RegistryKeyTableModel() { delete this->p_keys; } QVariant RegistryKeyTableModel::data(const QModelIndex &index, int role) const { bool ok; if(!index.isValid()) return QVariant(); RegistryKey *p_key=static_cast(index.internalPointer()); switch(role) { case Qt::DisplayRole: { switch(index.column()) { case RegistryKeyTableModel::ColumnContent_KeyName: { return p_key->Data(index.column()); break; } case RegistryKeyTableModel::ColumnContent_KeyType: { int value_type=p_key->Data(index.column()).toInt(&ok); if(!ok) return QVariant(); return this->TypeToString(value_type); break; } case RegistryKeyTableModel::ColumnContent_KeyValue: { // Get index to value type QModelIndex type_index=this->index(index.row(), RegistryKeyTableModel:: ColumnContent_KeyType); // Get value type int value_type=this->data(type_index, RegistryKeyTableModel:: AdditionalRoles_GetRawData).toInt(&ok); if(!ok) return QVariant(); // Return value converted to human readeable string QByteArray value_array=p_key->Data(index.column()).toByteArray(); return this->ValueToString(value_array,value_type); break; } default: return QVariant(); } break; } case RegistryKeyTableModel::AdditionalRoles_GetRawData: { return p_key->Data(index.column()); break; } default: return QVariant(); } - - /* - if(role!=Qt::DisplayRole) return QVariant(); - - RegistryKey *p_key=static_cast(index.internalPointer()); - - return p_key->Data(index.column()); - */ } Qt::ItemFlags RegistryKeyTableModel::flags(const QModelIndex &index) const { if(!index.isValid()) return 0; return Qt::ItemIsEnabled | Qt::ItemIsSelectable; } QVariant RegistryKeyTableModel::headerData(int section, Qt::Orientation orientation, int role) const { // Only horizontal header is supported if(orientation!=Qt::Horizontal) return QVariant(); switch(role) { case Qt::TextAlignmentRole: // Handle text alignment if(section==2) return Qt::AlignLeft; else return Qt::AlignCenter; break; case Qt::DisplayRole: // Header text return this->p_keys->Data(section); break; default: return QVariant(); } } QModelIndex RegistryKeyTableModel::index(int row, int column, const QModelIndex &parent) const { if(!this->hasIndex(row,column,parent)) return QModelIndex(); RegistryKey *p_key=this->p_keys->Key(row); return this->createIndex(row,column,p_key); } int RegistryKeyTableModel::rowCount(const QModelIndex &parent) const { // According to Qt doc, when parent in TableModel is valid, we should return 0 if(parent.isValid()) return 0; // Get and return row count from the keys list return this->p_keys->RowCount(); } int RegistryKeyTableModel::columnCount(const QModelIndex &parent) const { // According to Qt doc, when parent in TableModel is valid, we should return 0 if(parent.isValid()) return 0; // There are always 3 columns return 3; } -void RegistryKeyTableModel::SetupModelData(hive_h *hhive, - hive_node_h hive_node) +void RegistryKeyTableModel::SetupModelData(RegistryHive *p_hive, + QString &node_path) { - int i=0; + QMap node_keys; RegistryKey *p_key; - char *p_key_name; - char *key_value; + QByteArray key_value; int key_value_type; size_t key_value_len; - // Get all (key,value) pairs for current node - hive_value_h *node_keys=hivex_node_values(hhive,hive_node); - if(node_keys==NULL) return; - - // Add all (key,value) pairs to the key list - while(node_keys[i]) { - // Get key name - p_key_name=hivex_value_key(hhive,node_keys[i]); - if(p_key_name==NULL) continue; - // Get key value and type - key_value=hivex_value_value(hhive, - node_keys[i], - (hive_type*)&key_value_type, - &key_value_len); - if(key_value==NULL) continue; - - // Add infos to key list + // Get all keys for current node + node_keys=p_hive->GetKeys(node_path); + if(node_keys.isEmpty()) return; + + // Add all keys to list + QMapIterator i(node_keys); + while(i.hasNext()) { + i.next(); + key_value=p_hive->GetKeyValue(i.value(), + &key_value_type, + &key_value_len); + if(p_hive->GetErrorMsg()!="") continue; p_key=new RegistryKey(QList()<< - QString(strlen(p_key_name) ? - p_key_name : "(default)")<< + QString(i.key().length() ? i.key() : "(default)")<< QVariant(key_value_type)<< - QByteArray(key_value,key_value_len)); + key_value); this->p_keys->Append(p_key); - i++; } - free(node_keys); } QString RegistryKeyTableModel::ValueToString(QByteArray &value, int value_type) const { QString ret=""; int i=0; #define ToHexStr() { \ for(i=0;i * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #ifndef REGISTRYKEYTABLEMODEL_H #define REGISTRYKEYTABLEMODEL_H #include #include "registrykey.h" - -#include +#include "registryhive.h" class RegistryKeyTableModel : public QAbstractTableModel { Q_OBJECT public: enum AdditionalRoles { AdditionalRoles_GetRawData=Qt::UserRole }; - RegistryKeyTableModel(hive_h *hhive, - hive_node_h hive_node, + RegistryKeyTableModel(RegistryHive *p_hive, + QString node_path, QObject *p_parent=0); ~RegistryKeyTableModel(); QVariant data(const QModelIndex &index, int role) const; Qt::ItemFlags flags(const QModelIndex &index) const; QVariant headerData(int section, Qt::Orientation orientation, int role=Qt::DisplayRole) const; QModelIndex index(int row, int column, const QModelIndex &parent=QModelIndex()) const; int rowCount(const QModelIndex &parent=QModelIndex()) const; int columnCount(const QModelIndex &parent=QModelIndex()) const; private: enum ColumnContent { ColumnContent_KeyName=0, ColumnContent_KeyType, ColumnContent_KeyValue }; RegistryKey *p_keys; - void SetupModelData(hive_h *hhive, hive_node_h hive_node); + void SetupModelData(RegistryHive *p_hive, QString &node_path); QString ValueToString(QByteArray &value, int value_type) const; QString TypeToString(int value_type) const; }; #endif // REGISTRYKEYTABLEMODEL_H diff --git a/trunk/registrynodetreemodel.cpp b/trunk/registrynodetreemodel.cpp index 5b76508..078d5ac 100644 --- a/trunk/registrynodetreemodel.cpp +++ b/trunk/registrynodetreemodel.cpp @@ -1,140 +1,138 @@ /******************************************************************************* * fred Copyright (c) 2011 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #include "registrynodetreemodel.h" #include -RegistryNodeTreeModel::RegistryNodeTreeModel(hive_h *hhive, - hive_node_h hive_root_node, +RegistryNodeTreeModel::RegistryNodeTreeModel(RegistryHive *p_hive, QObject *p_parent) : QAbstractItemModel(p_parent) { - Q_UNUSED(p_parent); + // Create root node this->p_root_node=new RegistryNode("ROOT"); - this->SetupModelData(hhive, - hive_root_node, - this->p_root_node); + // Build node list + this->SetupModelData(p_hive,this->p_root_node); } RegistryNodeTreeModel::~RegistryNodeTreeModel() { delete this->p_root_node; } QVariant RegistryNodeTreeModel::data(const QModelIndex &index, int role) const { if(!index.isValid()) return QVariant(); if(role!=Qt::DisplayRole) return QVariant(); RegistryNode *p_node=static_cast(index.internalPointer()); return p_node->data(); } Qt::ItemFlags RegistryNodeTreeModel::flags(const QModelIndex &index) const { if(!index.isValid()) return 0; return Qt::ItemIsEnabled | Qt::ItemIsSelectable; } QVariant RegistryNodeTreeModel::headerData(int section, Qt::Orientation orientation, int role) const { Q_UNUSED(section); if(orientation==Qt::Horizontal && role==Qt::DisplayRole) { return QVariant("Registry key folders"); } else { return QVariant(); } } QModelIndex RegistryNodeTreeModel::index(int row, int column, const QModelIndex &parent) const { if(!this->hasIndex(row,column,parent)) return QModelIndex(); RegistryNode *p_parent_node; if(!parent.isValid()) { p_parent_node=this->p_root_node; } else { p_parent_node=static_cast(parent.internalPointer()); } RegistryNode *p_child_node=p_parent_node->child(row); if(p_child_node) { return this->createIndex(row,column,p_child_node); } else { return QModelIndex(); } } QModelIndex RegistryNodeTreeModel::parent(const QModelIndex &index) const { if(!index.isValid()) return QModelIndex(); RegistryNode *p_child_node= static_cast(index.internalPointer()); RegistryNode *p_parent_node=p_child_node->parent(); if(p_parent_node==this->p_root_node) { return QModelIndex(); } else { return this->createIndex(p_parent_node->row(),0,p_parent_node); } } int RegistryNodeTreeModel::rowCount(const QModelIndex &parent) const { if(parent.column()>0) return 0; RegistryNode *p_parent_node; if(!parent.isValid()) { p_parent_node=this->p_root_node; } else { p_parent_node=static_cast(parent.internalPointer()); } return p_parent_node->childCount(); } int RegistryNodeTreeModel::columnCount(const QModelIndex &parent) const { Q_UNUSED(parent); return 1; } -void RegistryNodeTreeModel::SetupModelData(hive_h *hhive, - hive_node_h hive_node, - RegistryNode *p_parent) +void RegistryNodeTreeModel::SetupModelData(RegistryHive *p_hive, + RegistryNode *p_parent, + int hive_node) { - int i=0; + QMap hive_children; RegistryNode *p_node; // Get all sub nodes of current hive node - hive_node_h *p_hive_children=hivex_node_children(hhive,hive_node); - if(p_hive_children==NULL) return; + if(hive_node) hive_children=p_hive->GetNodes(hive_node); + else hive_children=p_hive->GetNodes("\\"); + if(hive_children.isEmpty()) return; // Recursivly iterate over all sub nodes - while(p_hive_children[i]) { - p_node=new RegistryNode(QString(hivex_node_name(hhive,p_hive_children[i])), - p_parent); + QMapIterator i(hive_children); + while(i.hasNext()) { + i.next(); + p_node=new RegistryNode(i.key(),p_parent); p_parent->AppendChild(p_node); - this->SetupModelData(hhive,p_hive_children[i],p_node); - i++; + this->SetupModelData(p_hive,p_node,i.value()); } - free(p_hive_children); } diff --git a/trunk/registrynodetreemodel.h b/trunk/registrynodetreemodel.h index 63fa1b6..941407f 100644 --- a/trunk/registrynodetreemodel.h +++ b/trunk/registrynodetreemodel.h @@ -1,58 +1,56 @@ /******************************************************************************* * fred Copyright (c) 2011 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #ifndef REGISTRYNODETREEMODEL_H #define REGISTRYNODETREEMODEL_H #include #include "registrynode.h" - -#include +#include "registryhive.h" class RegistryNodeTreeModel : public QAbstractItemModel { Q_OBJECT public: - RegistryNodeTreeModel(hive_h *hhive, - hive_node_h hive_root_node, - QObject *p_parent=0); + RegistryNodeTreeModel(RegistryHive *p_hive, QObject *p_parent=0); ~RegistryNodeTreeModel(); QVariant data(const QModelIndex &index, int role) const; Qt::ItemFlags flags(const QModelIndex &index) const; QVariant headerData(int section, Qt::Orientation orientation, int role=Qt::DisplayRole) const; QModelIndex index(int row, int column, const QModelIndex &parent=QModelIndex()) const; QModelIndex parent(const QModelIndex &index) const; int rowCount(const QModelIndex &parent=QModelIndex()) const; int columnCount(const QModelIndex &parent=QModelIndex()) const; private: - void SetupModelData(hive_h *hhive, - hive_node_h hive_node, - RegistryNode *p_parent); RegistryNode *p_root_node; + + void SetupModelData(RegistryHive *p_hive, + RegistryNode *p_parent, + int hive_node=0); }; #endif // REGISTRYNODETREEMODEL_H diff --git a/trunk/report_templates/SAM_UserAccounts.fred b/trunk/report_templates/SAM_UserAccounts.fred deleted file mode 100644 index 101db46..0000000 --- a/trunk/report_templates/SAM_UserAccounts.fred +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - diff --git a/trunk/report_templates/SOFTWARE_WindowsVersion.js b/trunk/report_templates/SOFTWARE_WindowsVersion.js new file mode 100644 index 0000000..b27cc88 --- /dev/null +++ b/trunk/report_templates/SOFTWARE_WindowsVersion.js @@ -0,0 +1,19 @@ +println(""); +println(" Windows version info"); +println(" "); +println("

Windows version info

"); +println("

"); + +var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","ProductName"); +var value_len=val.length; +print("ProductVersion: "); +println(RegistryKeyValueToString(val.value,val.type)); + + +//for(var i=0;i<(val.length-1);i+=2) { +// print(String.fromCharCode(val.value[i])); +//} + +println("

"); +println(""); + diff --git a/trunk/reporttemplatexmlhandler.cpp b/trunk/reporttemplatexmlhandler.cpp deleted file mode 100644 index 8137f7d..0000000 --- a/trunk/reporttemplatexmlhandler.cpp +++ /dev/null @@ -1,209 +0,0 @@ -/******************************************************************************* -* fred Copyright (c) 2011 by Gillen Daniel * -* * -* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * -* with special feautures useful during forensic analysis. * -* * -* This program is free software: you can redistribute it and/or modify it * -* under the terms of the GNU General Public License as published by the Free * -* Software Foundation, either version 3 of the License, or (at your option) * -* any later version. * -* * -* This program is distributed in the hope that it will be useful, but WITHOUT * -* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * -* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * -* more details. * -* * -* You should have received a copy of the GNU General Public License along with * -* this program. If not, see . * -*******************************************************************************/ - -#include - -#include "reporttemplatexmlhandler.h" - -ReportTemplateXmlHandler::ReportTemplateXmlHandler(hive_h *hive_handle, - bool only_get_info) - : QXmlDefaultHandler() -{ - this->hhive=hive_handle; - this->get_info=only_get_info; -} - -ReportTemplateXmlHandler::~ReportTemplateXmlHandler() { - qDeleteAll(this->report_data); -} - -bool ReportTemplateXmlHandler::startDocument() { - this->report_category=""; - this->report_name=""; - this->report_content=""; - this->report_data.clear(); - return true; -} - -bool ReportTemplateXmlHandler::startElement(const QString &namespaceURI, - const QString &localName, - const QString &qName, - const QXmlAttributes &atts) -{ - Q_UNUSED(namespaceURI); - Q_UNUSED(localName); - int i=0; - bool ok; - - // If we should only extract report info... - if(this->get_info) { - if(qName=="report") { - this->report_category=atts.value(QString("category")); - this->report_name=atts.value(QString("name")); - } - return true; - } - - // Check element - if(qName=="foreach") { - ok=this->ProcessForEach(atts.value(QString("path")), - atts.value(QString("vars")), - hivex_root(this->hhive)); - if(!ok) return false; - } else if (qName=="paragraph") { - - } else if (qName=="value") { - - } - - /* - qDebug("%s",QString("--> %3").arg(qName).toAscii().constData()); - for(i=0;i Name: '%1'', Value: '%2'").arg(atts.qName(i),atts.value(i)).toAscii().constData()); - } - */ - - return true; -} - -bool ReportTemplateXmlHandler::endElement(const QString &namespaceURI, - const QString &localName, - const QString &qName) -{ - Q_UNUSED(namespaceURI); - Q_UNUSED(localName); - if(this->get_info) return true; - - if(qName=="foreach") { - - } else if (qName=="paragraph") { - - } else if (qName=="value") { - - } - - return true; -} - -bool ReportTemplateXmlHandler::error(const QXmlParseException &exception) { - qDebug("error: %u: %s",exception.lineNumber(),exception.message().toAscii().constData()); - return false; -} - -bool ReportTemplateXmlHandler::fatalError(const QXmlParseException &exception) { - qDebug("fatalerror: %u: %s",exception.lineNumber(),exception.message().toAscii().constData()); - return false; -} - -QString ReportTemplateXmlHandler::GetReportCategory() { - return this->report_category; -} - -QString ReportTemplateXmlHandler::GetReportName() { - return this->report_name; -} - -QString ReportTemplateXmlHandler::ReportData() { - return QString(); -} - -bool ReportTemplateXmlHandler::ProcessForEach(QString path, - QString vars, - hive_node_h cur_hive_node, - bool iterate) { - int i=0,ii=0; - bool ok; - - if(!iterate) { - QStringList nodes=path.split('/'); - if(cur_hive_node==0) return false; - - for(i=0;ihhive, - cur_hive_node, - nodes.value(i).toAscii(). - constData()); - if(cur_hive_node==0) return false; - } else { - QString new_path=""; - for(ii=i+1;iiProcessForEach(new_path,vars,cur_hive_node,true); - if(!ok) return false; - } - } - } else { - hive_node_h *p_child_nodes=hivex_node_children(this->hhive,cur_hive_node); - i=0; - while(p_child_nodes[i]) { - // Save iterator node - ReportTemplateData *p_data; - char *p_node_name=hivex_node_name(this->hhive,p_child_nodes[i]); - // TODO: Check for NULL value - p_data->vars.append(p_node_name); - // TODO: Add custom vars - QStringList var_pairs=vars.split(';'); - for(ii=0;iihhive, - cur_hive_node, - var_name.toAscii().constData()); - - if(var_type=="type") { - char *data=hivex_value_value(this->hhive,hive_key,(hive_type*)&type,&len); - var_content=QString().sprintf("%08u",type); - - qDebug("Save var '%s' with content '%08u'",var_name.toAscii().constData(),type); - - free(data); - } else if(var_type=="value") { - char *data=hivex_value_value(this->hhive,hive_key,(hive_type*)&type,&len); - var_content=QByteArray(data); - } - } - - - this->report_data.append(p_data); - i++; - } - free(p_child_nodes); - } - - return true; -} - -bool ReportTemplateXmlHandler::ProcessParagraph() { - return true; -} - -bool ReportTemplateXmlHandler::ProcessValue() { - return true; -} diff --git a/trunk/reporttemplatexmlhandler.h b/trunk/reporttemplatexmlhandler.h deleted file mode 100644 index 17b9b00..0000000 --- a/trunk/reporttemplatexmlhandler.h +++ /dev/null @@ -1,81 +0,0 @@ -/******************************************************************************* -* fred Copyright (c) 2011 by Gillen Daniel * -* * -* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * -* with special feautures useful during forensic analysis. * -* * -* This program is free software: you can redistribute it and/or modify it * -* under the terms of the GNU General Public License as published by the Free * -* Software Foundation, either version 3 of the License, or (at your option) * -* any later version. * -* * -* This program is distributed in the hope that it will be useful, but WITHOUT * -* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * -* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * -* more details. * -* * -* You should have received a copy of the GNU General Public License along with * -* this program. If not, see . * -*******************************************************************************/ - -#ifndef REPORTTEMPLATEXMLHANDLER_H -#define REPORTTEMPLATEXMLHANDLER_H - -#include -#include - -#include - -class ReportTemplateData { - public: - ReportTemplateData() { - this->vars.clear(); - this->data.clear(); - } - ~ReportTemplateData() { - qDeleteAll(this->data); - } - - QList vars; - QList data; -}; - -class ReportTemplateXmlHandler : public QXmlDefaultHandler { - - public: - explicit ReportTemplateXmlHandler(hive_h *hive_handle=NULL, - bool only_get_info=true); - ~ReportTemplateXmlHandler(); - - bool startDocument(); - bool startElement(const QString &namespaceURI, - const QString &localName, - const QString &qName, - const QXmlAttributes &atts); - bool endElement(const QString &namespaceURI, - const QString &localName, - const QString &qName); - bool error(const QXmlParseException &exception); - bool fatalError(const QXmlParseException &exception); - - QString GetReportCategory(); - QString GetReportName(); - QString ReportData(); - - private: - hive_h *hhive; - bool get_info; - QString report_category; - QString report_name; - QString report_content; - QList report_data; - - bool ProcessForEach(QString path, - QString vars, - hive_node_h cur_hive_node, - bool iterate=false); - bool ProcessParagraph(); - bool ProcessValue(); -}; - -#endif // REPORTTEMPLATEXMLHANDLER_H