diff --git a/trunk/mainwindow.cpp b/trunk/mainwindow.cpp index d56ebc2..63f9d54 100644 --- a/trunk/mainwindow.cpp +++ b/trunk/mainwindow.cpp @@ -1,576 +1,584 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #ifndef FRED_REPORT_TEMPLATE_DIR #ifndef __MINGW32__ #define FRED_REPORT_TEMPLATE_DIR "/usr/share/fred/report_templates/" #else #define FRED_REPORT_TEMPLATE_DIR ".\\report_templates\\" #endif #endif #include #include #include #include #include #include #include #include "mainwindow.h" #include "ui_mainwindow.h" #include "dlgabout.h" #include "dlgkeydetails.h" #include "dlgreportchooser.h" #include "dlgreportviewer.h" #include "dlgsearch.h" #include "compileinfo.h" /******************************************************************************* * Public ******************************************************************************/ MainWindow::MainWindow(ArgParser *p_arg_parser) : QMainWindow(0), ui(new Ui::MainWindow) { ui->setupUi(this); // Initialize private vars this->p_args=p_arg_parser; this->p_hive=new RegistryHive(this); this->is_hive_open=false; this->p_reg_node_tree_model=NULL; this->p_reg_node_tree_model_proxy=NULL; this->p_reg_key_table_model=NULL; this->p_search_thread=NULL; this->search_result_widgets.clear(); // Check for ~/.fred config dir this->CheckUserConfigDir(); // Set main window size int cur_screen=QApplication::desktop()->screenNumber(this); int window_width= QApplication::desktop()->availableGeometry(cur_screen).width()*0.5; int window_height= QApplication::desktop()->availableGeometry(cur_screen).height()*0.5; int window_x= (QApplication::desktop()->availableGeometry(cur_screen).width()/2)- (window_width/2); int window_y= (QApplication::desktop()->availableGeometry(cur_screen).height()/2)- (window_height/2); this->setGeometry(window_x, window_y, window_width, window_height); // Create widgets this->p_horizontal_splitter=new QSplitter(); this->p_horizontal_splitter->setOrientation(Qt::Horizontal); this->p_node_tree=new RegistryNodeTree(this->p_horizontal_splitter); this->p_vertical_splitter=new QSplitter(this->p_horizontal_splitter); this->p_vertical_splitter->setOrientation(Qt::Vertical); this->p_key_table=new RegistryKeyTable(this->p_vertical_splitter); this->p_tab_widget=new TabWidget(this->p_vertical_splitter); this->p_hex_edit_widget=new HexEditWidget(); // Add hexedit page to tab_widget this->p_tab_widget->addTab(this->p_hex_edit_widget,tr("Hex viewer")); // Add widgets to their splitters this->p_vertical_splitter->addWidget(this->p_key_table); this->p_vertical_splitter->addWidget(this->p_tab_widget); this->p_horizontal_splitter->addWidget(this->p_node_tree); this->p_horizontal_splitter->addWidget(this->p_vertical_splitter); // Set stretch factors QSizePolicy node_tree_policy=this->p_node_tree->sizePolicy(); node_tree_policy.setHorizontalStretch(1); node_tree_policy.setVerticalStretch(100); this->p_node_tree->setSizePolicy(node_tree_policy); QSizePolicy vertical_splitter_policy=this->p_vertical_splitter->sizePolicy(); vertical_splitter_policy.setHorizontalStretch(4); vertical_splitter_policy.setVerticalStretch(100); this->p_vertical_splitter->setSizePolicy(vertical_splitter_policy); QSizePolicy key_table_policy=this->p_key_table->sizePolicy(); key_table_policy.setVerticalStretch(5); key_table_policy.setHorizontalStretch(100); this->p_key_table->setSizePolicy(key_table_policy); QSizePolicy tab_widget_policy=this->p_tab_widget->sizePolicy(); tab_widget_policy.setVerticalStretch(2); tab_widget_policy.setHorizontalStretch(200); this->p_tab_widget->setSizePolicy(tab_widget_policy); // Connect signals this->connect(this->p_node_tree, SIGNAL(clicked(QModelIndex)), this, SLOT(SlotNodeTreeClicked(QModelIndex))); this->connect(this->p_node_tree, SIGNAL(activated(QModelIndex)), this, SLOT(SlotNodeTreeClicked(QModelIndex))); this->connect(this->p_node_tree, SIGNAL(CurrentItemChanged(QModelIndex)), this, SLOT(SlotNodeTreeClicked(QModelIndex))); this->connect(this->p_key_table, SIGNAL(clicked(QModelIndex)), this, SLOT(SlotKeyTableClicked(QModelIndex))); this->connect(this->p_key_table, SIGNAL(doubleClicked(QModelIndex)), this, SLOT(SlotKeyTableDoubleClicked(QModelIndex))); this->connect(this->p_key_table, SIGNAL(CurrentItemChanged(QModelIndex)), this, SLOT(SlotKeyTableClicked(QModelIndex))); this->connect(this->p_tab_widget, SIGNAL(tabCloseRequested(int)), this, SLOT(SlotTabCloseButtonClicked(int))); // Add central widget this->setCentralWidget(this->p_horizontal_splitter); this->centralWidget()->setContentsMargins(4,4,4,0); // Set window title this->UpdateWindowTitle(); // Set last open location to home dir this->last_open_location=QDir::homePath(); // Load report templates this->p_reports=new Reports(); - // Load reports from system wide include dir - this->p_reports->LoadReportTemplates(FRED_REPORT_TEMPLATE_DIR); - // Load user's report templates - this->p_reports->LoadReportTemplates(QDir::homePath() - .append(QDir::separator()) - .append(".fred") - .append(QDir::separator()) - .append("report_templates")); + this->ReloadReportTemplates(); // Finally, react on some command line arguments if(this->p_args->IsSet("maximized")) { this->setWindowState(Qt::WindowMaximized); } if(this->p_args->IsSet("fullscreen")) { this->setWindowState(Qt::WindowFullScreen); } if(this->p_args->IsSet("hive-file")) { this->OpenHive(this->p_args->GetArgVal("hive-file")); } } MainWindow::~MainWindow() { if(this->is_hive_open) { this->p_hive->Close(); } delete ui; } /******************************************************************************* * Private slots ******************************************************************************/ void MainWindow::on_action_Quit_triggered() { qApp->exit(); } void MainWindow::on_action_Open_hive_triggered() { QString hive_file=""; hive_file=QFileDialog::getOpenFileName(this, tr("Open registry hive"), this->last_open_location, tr("All files (*)")); if(hive_file=="") return; this->OpenHive(hive_file); } void MainWindow::on_action_Close_hive_triggered() { if(this->is_hive_open) { // Remove search results while(this->p_tab_widget->count()>1) { this->p_tab_widget->removeTab(this->p_tab_widget->count()-1); delete this->search_result_widgets.at(this->p_tab_widget->count()-1); this->search_result_widgets.removeLast(); } // Delete models if(this->p_reg_node_tree_model!=NULL) { this->p_node_tree->setModel(NULL); delete this->p_reg_node_tree_model_proxy; delete this->p_reg_node_tree_model; this->p_reg_node_tree_model_proxy=NULL; this->p_reg_node_tree_model=NULL; } if(this->p_reg_key_table_model!=NULL) { this->p_key_table->setModel(NULL); delete this->p_reg_key_table_model; this->p_reg_key_table_model=NULL; } // Remove any data from hex edit and data interpreter this->p_hex_edit_widget->SetData(QByteArray()); this->p_hex_edit_widget->setEnabled(false); // Close hive this->p_hive->Close(); this->is_hive_open=false; this->ui->action_Close_hive->setEnabled(false); this->ui->ActionSearch->setEnabled(false); this->ui->MenuReports->setEnabled(false); this->UpdateWindowTitle(); } } void MainWindow::on_actionAbout_Qt_triggered() { QMessageBox::aboutQt(this,tr("About Qt")); } void MainWindow::on_actionAbout_fred_triggered() { DlgAbout dlg_about(this); dlg_about.exec(); } void MainWindow::on_ActionSearch_triggered() { DlgSearch dlg_search(this); if(dlg_search.exec()==QDialog::Accepted) { // Create search thread and connect needed signals/slots this->p_search_thread=new ThreadSearch(this); // Add new search widget to tabwidget and to internal widget list SearchResultWidget *p_search_widget= new SearchResultWidget(this->p_tab_widget); p_search_widget->setEnabled(false); this->search_result_widgets.append(p_search_widget); this->connect(p_search_widget, SIGNAL(doubleClicked(QModelIndex)), this, SLOT(SlotSearchResultWidgetDoubleClicked(QModelIndex))); this->p_tab_widget->addTab(p_search_widget,tr("Search results"),true); this->p_tab_widget->setCurrentIndex(this->p_tab_widget->count()-1); // Connect search thread to result widget this->connect(this->p_search_thread, SIGNAL(SignalFoundMatch(ThreadSearch::eMatchType, QString,QString,QString)), p_search_widget, SLOT(SlotFoundMatch(ThreadSearch::eMatchType, QString,QString,QString))); this->connect(this->p_search_thread, SIGNAL(finished()), this, SLOT(SlotSearchFinished())); this->connect(this->p_search_thread, SIGNAL(finished()), p_search_widget, SLOT(SlotSearchFinished())); // Start searching this->ui->ActionSearch->setEnabled(false); p_search_thread->Search(this->p_hive->Filename(), dlg_search.Keywords(), dlg_search.SearchNodeNames(), dlg_search.SearchKeyNames(), dlg_search.SearchKeyValues()); } } void MainWindow::on_ActionGenerateReport_triggered() { DlgReportChooser dlg_repchooser(this->p_reports, this->p_hive->HiveTypeToString( this->p_hive->HiveType()), this); if(dlg_repchooser.exec()==QDialog::Accepted) { QList selected_reports; // Get selected report selected_reports=dlg_repchooser.GetSelectedReports(); if(selected_reports.isEmpty()) return; // Generate report(s) QString report_result=""; if(this->p_reports->GenerateReport(this->p_hive, selected_reports, report_result, false)) { // Report generation was successfull, show reports DlgReportViewer *p_dlg_report_view=new DlgReportViewer(report_result, this); p_dlg_report_view->exec(); delete p_dlg_report_view; } else { // TODO: Inform user qDebug()<<"ERROR: "<p_reg_node_tree_model_proxy->mapToSource(index); // Built node path node_path=this->p_reg_node_tree_model->GetNodePath(index); // Create table model and attach it to the table view if(this->p_reg_key_table_model!=NULL) { // If a previous model was set, delete it and clear hexedit etc... this->p_key_table->setModel(NULL); delete this->p_reg_key_table_model; this->p_hex_edit_widget->SetData(QByteArray()); } this->p_reg_key_table_model=new RegistryKeyTableModel(this->p_hive,node_path); this->p_key_table->setModel(this->p_reg_key_table_model); // Set focus back to nodetree to be able to navigate with keyboard this->p_node_tree->setFocus(); } void MainWindow::SlotKeyTableClicked(QModelIndex index) { if(!index.isValid()) return; this->selected_key_value= this->p_reg_key_table_model->data(this->p_reg_key_table_model-> index(index.row(),2), RegistryKeyTableModel:: AdditionalRoles_GetRawData) .toByteArray(); this->p_hex_edit_widget->SetData(this->selected_key_value); // Set focus back to nodetree to be able to navigate with keyboard this->p_key_table->setFocus(); } void MainWindow::SlotKeyTableDoubleClicked(QModelIndex index) { Q_UNUSED(index); /* QModelIndex key_index; QModelIndex node_index; QStringList nodes; QString key_name; QString key_type; QByteArray key_value; if(!index.isValid()) return; // Get key name, type and value key_index=this->p_reg_key_table_model->index(index.row(),0); key_name=this->p_reg_key_table_model->data(key_index,Qt::DisplayRole) .toString(); key_index=this->p_reg_key_table_model->index(index.row(),1); key_type=this->p_reg_key_table_model->data(key_index,Qt::DisplayRole) .toString();ThreadSearch key_index=this->p_reg_key_table_model->index(index.row(),2); key_value=this->p_reg_key_table_model->data(key_index, RegistryKeyTableModel:: AdditionalRoles_GetRawData) .toByteArray(); // Get current node node_index=this->p_node_tree->currentIndex(); //Built node path nodes.clear(); nodes.append(this->p_reg_node_tree_model-> data(node_index,Qt::DisplayRole).toString()); while(this->p_reg_node_tree_model->parent(node_index)!=QModelIndex()) { // Prepend all parent nodes node_index=this->p_reg_node_tree_model->parent(node_index); nodes.prepend(this->p_reg_node_tree_model-> data(node_index,Qt::DisplayRole).toString()); } DlgKeyDetails dlg_key_details(this); dlg_key_details.SetValues(nodes,key_name,key_type,key_value); dlg_key_details.exec(); */ } void MainWindow::SlotSearchFinished() { delete this->p_search_thread; this->p_search_thread=NULL; this->ui->ActionSearch->setEnabled(true); // Enable result widget this->search_result_widgets.last()->setEnabled(true); } void MainWindow::SlotSearchResultWidgetDoubleClicked(QModelIndex index) { SearchResultWidget *p_sender; QString path; QString match_type; QString value; QString key=""; int i; if(!index.isValid()) return; // Get pointer to sender p_sender=(SearchResultWidget*)QObject::sender(); // Get path and matchtype path=p_sender->item(index.row(),0)->text(); match_type=p_sender->item(index.row(),1)->text(); value=p_sender->item(index.row(),2)->text(); if(match_type==tr("Node name")) { // Node name is not part of path. Add it if(path=="\\") path.append(value); else path.append("\\").append(value); } else if(match_type==tr("Key name")) { // Key name is stored in value key=value; } else if(match_type==tr("Key value")) { // Key name is part of path. Save and remove it QStringList nodes=path.split("\\",QString::SkipEmptyParts); key=nodes.at(nodes.count()-1); // Remove \ from path path.chop(key.length()+1); } // Expand treeview to correct node QList indexes= this->p_reg_node_tree_model->GetIndexListOf(path); for(i=0;ip_reg_node_tree_model_proxy-> mapFromSource(indexes.at(i))); this->p_node_tree->expand(indexes.at(i)); } if(indexes.count()>0) { // Scroll to last expanded node, select it and update widgets this->p_node_tree->scrollTo(indexes.at(indexes.count()-1), QAbstractItemView::PositionAtCenter); this->p_node_tree->selectionModel()->clear(); this->p_node_tree->selectionModel()-> select(indexes.at(indexes.count()-1), QItemSelectionModel::Select); // TODO: This does not work!! this->SlotNodeTreeClicked(indexes.at(indexes.count()-1)); } // Select correct key if search matched on keay name / value if(key!="") { int row=this->p_reg_key_table_model->GetKeyRow(key); this->p_key_table->clearSelection(); this->p_key_table->scrollTo(this->p_reg_key_table_model->index(row,0), QAbstractItemView::PositionAtCenter); this->p_key_table->selectRow(row); this->SlotKeyTableClicked(this->p_reg_key_table_model->index(row,0)); } } void MainWindow::SlotTabCloseButtonClicked(int index) { // Delete tab widget and remove tab this->p_tab_widget->removeTab(index); delete this->search_result_widgets.at(index-1); this->search_result_widgets.removeAt(index-1); } /******************************************************************************* * Private ******************************************************************************/ void MainWindow::CheckUserConfigDir() { QString user_config_dir=QDir::homePath() .append(QDir::separator()) .append(".fred"); if(!QDir(user_config_dir).exists()) { // User config dir does not exists, try to create it if(!QDir().mkpath(user_config_dir)) { // TODO: Maybe warn user return; } user_config_dir.append(QDir::separator()).append("report_templates"); if(!QDir().mkpath(user_config_dir)) { // TODO: Maybe warn user return; } } } void MainWindow::UpdateWindowTitle(QString filename) { if(filename=="") { this->setWindowTitle(QString("%1 v%2").arg(APP_TITLE,APP_VERSION)); } else { this->setWindowTitle(QString("%1 v%2 - %3").arg(APP_TITLE, APP_VERSION, filename.toLocal8Bit() .constData())); } } void MainWindow::OpenHive(QString hive_file) { // Update last open location this->last_open_location=hive_file.left(hive_file. lastIndexOf(QDir::separator())); // If another hive is currently open, close it if(this->is_hive_open) this->on_action_Close_hive_triggered(); // Try to open hive if(!this->p_hive->Open(hive_file)) { QMessageBox::critical(this, tr("Error opening hive file"), tr("Unable to open file '%1'").arg(hive_file)); return; } // Create tree model & proxy this->p_reg_node_tree_model=new RegistryNodeTreeModel(this->p_hive); this->p_reg_node_tree_model_proxy=new RegistryNodeTreeModelProxy(this); //this->p_reg_node_tree_model_proxy->setDynamicSortFilter(true); this->p_reg_node_tree_model_proxy-> setSourceModel(this->p_reg_node_tree_model); this->p_node_tree->setModel(this->p_reg_node_tree_model_proxy); this->is_hive_open=true; this->ui->action_Close_hive->setEnabled(true); this->ui->ActionSearch->setEnabled(true); this->ui->MenuReports->setEnabled(true); // Enable data interpreter this->p_hex_edit_widget->setEnabled(true); this->UpdateWindowTitle(hive_file); } + +void MainWindow::ReloadReportTemplates() { + // Load reports from system wide include dir + this->p_reports->LoadReportTemplates(FRED_REPORT_TEMPLATE_DIR); + // Load user's report templates + this->p_reports->LoadReportTemplates(QDir::homePath() + .append(QDir::separator()) + .append(".fred") + .append(QDir::separator()) + .append("report_templates")); +} + +void MainWindow::on_ActionReloadReportTemplates_triggered() { + this->ReloadReportTemplates(); +} diff --git a/trunk/mainwindow.h b/trunk/mainwindow.h index 7e6f779..370f819 100644 --- a/trunk/mainwindow.h +++ b/trunk/mainwindow.h @@ -1,122 +1,125 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #ifndef MAINWINDOW_H #define MAINWINDOW_H #include #include #include #include #include #include #include #include #include #include "argparser.h" #include "registryhive.h" #include "registrynodetree.h" #include "registrynodetreemodel.h" #include "registrynodetreemodelproxy.h" #include "registrykeytable.h" #include "registrykeytablemodel.h" #include "hexeditwidget.h" #include "reports.h" #include "threadsearch.h" #include "searchresultwidget.h" #include "tabwidget.h" namespace Ui { class MainWindow; } class MainWindow : public QMainWindow { Q_OBJECT public: explicit MainWindow(ArgParser *p_arg_parser); ~MainWindow(); private slots: void on_action_Quit_triggered(); void on_action_Open_hive_triggered(); void on_action_Close_hive_triggered(); void on_actionAbout_Qt_triggered(); void on_actionAbout_fred_triggered(); void on_ActionSearch_triggered(); void on_ActionGenerateReport_triggered(); void SlotNodeTreeClicked(QModelIndex index); void SlotKeyTableClicked(QModelIndex index); void SlotKeyTableDoubleClicked(QModelIndex index); void SlotSearchFinished(); void SlotSearchResultWidgetDoubleClicked(QModelIndex index); void SlotTabCloseButtonClicked(int index); + void on_ActionReloadReportTemplates_triggered(); + private: Ui::MainWindow *ui; ArgParser *p_args; QString last_open_location; RegistryHive *p_hive; bool is_hive_open; QByteArray selected_key_value; QList search_result_widgets; // Models RegistryNodeTreeModel *p_reg_node_tree_model; RegistryNodeTreeModelProxy *p_reg_node_tree_model_proxy; RegistryKeyTableModel *p_reg_key_table_model; // Widgets etc... RegistryNodeTree *p_node_tree; RegistryKeyTable *p_key_table; TabWidget *p_tab_widget; HexEditWidget *p_hex_edit_widget; QSplitter *p_horizontal_splitter; QSplitter *p_vertical_splitter; Reports *p_reports; // Threads ThreadSearch *p_search_thread; /* * CheckUserConfigDir * * Checks for and possibly creates the ~/.fred directory */ void CheckUserConfigDir(); /* * UpdateWindowTitle * * Updates the window title */ void UpdateWindowTitle(QString filename=""); /* * OpenHive * * Open a registry hive */ void OpenHive(QString hive_file); + void ReloadReportTemplates(); }; #endif // MAINWINDOW_H diff --git a/trunk/manual/ECMAScript_additions_reference.odt b/trunk/manual/ECMAScript_additions_reference.odt index 47011e8..a4473c4 100644 Binary files a/trunk/manual/ECMAScript_additions_reference.odt and b/trunk/manual/ECMAScript_additions_reference.odt differ diff --git a/trunk/registrykeytable.cpp b/trunk/registrykeytable.cpp index d028496..ae4acc2 100644 --- a/trunk/registrykeytable.cpp +++ b/trunk/registrykeytable.cpp @@ -1,146 +1,145 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #include "registrykeytable.h" #include #include #include RegistryKeyTable::RegistryKeyTable(QWidget *p_parent) : QTableView(p_parent) { // Configure widget this->setSelectionMode(QAbstractItemView::SingleSelection); this->setSelectionBehavior(QAbstractItemView::SelectRows); this->setAutoScroll(false); this->setHorizontalScrollMode(QAbstractItemView::ScrollPerPixel); this->verticalHeader()->setHidden(true); this->setTextElideMode(Qt::ElideNone); // Create context menu this->p_menu_copy=new QMenu(tr("Copy"),this); this->p_action_copy_key_name=new QAction(tr("Key name"), this->p_menu_copy); this->p_menu_copy->addAction(this->p_action_copy_key_name); this->connect(this->p_action_copy_key_name, SIGNAL(triggered()), this, SLOT(SlotCopyKeyName())); this->p_action_copy_key_value=new QAction(tr("Key value"), this->p_menu_copy); this->p_menu_copy->addAction(this->p_action_copy_key_value); this->connect(this->p_action_copy_key_value, SIGNAL(triggered()), this, SLOT(SlotCopyKeyValue())); } RegistryKeyTable::~RegistryKeyTable() { // Delete context menu delete this->p_action_copy_key_name; delete this->p_action_copy_key_value; delete this->p_menu_copy; } void RegistryKeyTable::setModel(QAbstractItemModel *p_model) { QTableView::setModel(p_model); // Resize table rows / columns to fit data this->resizeColumnsToContents(); this->resizeRowsToContents(); this->horizontalHeader()->stretchLastSection(); if(p_model!=NULL && p_model->rowCount()>0) { // Select first table item this->selectRow(0); } } /* void RegistryKeyTable::selectRow(QString key_name) { int i; this->clearSelection(); for(i=0;imodel()->rowCount();i++) { if(this->model()) } } */ int RegistryKeyTable::sizeHintForColumn(int column) const { int size_hint=-1; int i=0; int item_width=0; QFontMetrics fm(this->fontMetrics()); QModelIndex idx; if(this->model()==NULL) return -1; // Find string that needs the most amount of space idx=this->model()->index(i,column); while(idx.isValid()) { item_width=fm.width(this->model()->data(idx).toString())+10; if(item_width>size_hint) size_hint=item_width; idx=this->model()->index(++i,column); } return size_hint; } void RegistryKeyTable::contextMenuEvent(QContextMenuEvent *p_event) { // Only show context menu when a row is selected - if(this->selectedIndexes().count()!=4) return; + if(this->selectedIndexes().count()!=3) return; // Only show context menu when user clicked on selected row if(!(this->indexAt(p_event->pos())==this->selectedIndexes().at(0) || this->indexAt(p_event->pos())==this->selectedIndexes().at(1) || - this->indexAt(p_event->pos())==this->selectedIndexes().at(2) || - this->indexAt(p_event->pos())==this->selectedIndexes().at(3))) + this->indexAt(p_event->pos())==this->selectedIndexes().at(2))) { return; } // Emit a click signal emit(this->clicked(this->indexAt(p_event->pos()))); // Create context menu and add actions QMenu context_menu(this); context_menu.addMenu(this->p_menu_copy); context_menu.exec(p_event->globalPos()); } void RegistryKeyTable::currentChanged(const QModelIndex ¤t, const QModelIndex &previous) { // Call parent class's currentChanged first QTableView::currentChanged(current,previous); // Now emit our signal QModelIndex current_item=QModelIndex(current); emit(RegistryKeyTable::CurrentItemChanged(current_item)); } void RegistryKeyTable::SlotCopyKeyName() { QApplication::clipboard()-> setText(this->selectedIndexes().at(0).data().toString(), QClipboard::Clipboard); } void RegistryKeyTable::SlotCopyKeyValue() { QApplication::clipboard()-> setText(this->selectedIndexes().at(2).data().toString(), QClipboard::Clipboard); } diff --git a/trunk/registrynodetree.cpp b/trunk/registrynodetree.cpp index aa8277b..9b4723a 100644 --- a/trunk/registrynodetree.cpp +++ b/trunk/registrynodetree.cpp @@ -1,134 +1,135 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #include "registrynodetree.h" #include "registrynodetreemodel.h" #include #include #include RegistryNodeTree::RegistryNodeTree(QWidget *p_parent) : QTreeView(p_parent) { // Configure widget this->setTextElideMode(Qt::ElideNone); this->setSelectionMode(QAbstractItemView::SingleSelection); this->setSelectionBehavior(QAbstractItemView::SelectRows); this->sortByColumn(0,Qt::AscendingOrder); this->setSortingEnabled(true); // Create context menu this->p_menu_copy=new QMenu(tr("Copy"),this); this->p_action_copy_node_name=new QAction(tr("Node name"), this->p_menu_copy); this->p_menu_copy->addAction(this->p_action_copy_node_name); this->connect(this->p_action_copy_node_name, SIGNAL(triggered()), this, SLOT(SlotCopyNodeName())); this->p_action_copy_node_path=new QAction(tr("Node path"), this->p_menu_copy); this->p_menu_copy->addAction(this->p_action_copy_node_path); this->connect(this->p_action_copy_node_path, SIGNAL(triggered()), this, SLOT(SlotCopyNodePath())); } RegistryNodeTree::~RegistryNodeTree() { // Delete context menu delete this->p_action_copy_node_name; delete this->p_action_copy_node_path; delete this->p_menu_copy; } void RegistryNodeTree::setModel(QAbstractItemModel *p_model) { // Assign model to view QTreeView::setModel(p_model); this->header()->setResizeMode(0,QHeaderView::ResizeToContents); this->header()->setStretchLastSection(true); if(p_model!=NULL && p_model->index(0,0).isValid()) { // Select first tree item this->setCurrentIndex(p_model->index(0,0)); } } void RegistryNodeTree::contextMenuEvent(QContextMenuEvent *p_event) { // Only show context menu when a node is selected - if(this->selectedIndexes().count()!=1) return; + if(this->selectedIndexes().count()!=2) return; // Only show context menu when user clicked on selected row + // TODO: Does not work when clicking on column 2 if(this->indexAt(p_event->pos())!=this->selectedIndexes().at(0)) return; // Emit a click signal emit(this->clicked(this->indexAt(p_event->pos()))); // Create context menu and add actions QMenu context_menu(this); context_menu.addMenu(this->p_menu_copy); context_menu.exec(p_event->globalPos()); } void RegistryNodeTree::keyPressEvent(QKeyEvent *p_event) { // Only react if a node is selected and user pressed Key_Left if(this->selectedIndexes().count()==1 && p_event->key()==Qt::Key_Left) { QModelIndex cur_index=this->selectedIndexes().at(0); if(this->model()->hasChildren(cur_index) && this->isExpanded(cur_index)) { // Current node is expanded. Only collapse this one this->collapse(cur_index); return; } if(!cur_index.parent().isValid()) { // Do no try to collapse anything above root node return; } this->collapse(cur_index.parent()); this->setCurrentIndex(cur_index.parent()); return; } // If we didn't handle the key event, let our parent handle it QTreeView::keyPressEvent(p_event); } void RegistryNodeTree::currentChanged(const QModelIndex ¤t, const QModelIndex &previous) { // Call parent class's currentChanged first QTreeView::currentChanged(current,previous); // Now emit our signal QModelIndex current_item=QModelIndex(current); emit(RegistryNodeTree::CurrentItemChanged(current_item)); } void RegistryNodeTree::SlotCopyNodeName() { QApplication::clipboard()-> setText(this->selectedIndexes().at(0).data().toString(), QClipboard::Clipboard); } void RegistryNodeTree::SlotCopyNodePath() { QString path=((RegistryNodeTreeModel*)(this->model()))-> GetNodePath(this->selectedIndexes().at(0)); QApplication::clipboard()->setText(path,QClipboard::Clipboard); } diff --git a/trunk/registrynodetreemodel.cpp b/trunk/registrynodetreemodel.cpp index b6a0e8a..6f429d1 100644 --- a/trunk/registrynodetreemodel.cpp +++ b/trunk/registrynodetreemodel.cpp @@ -1,226 +1,229 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #include "registrynodetreemodel.h" #include #include #include #include #include RegistryNodeTreeModel::RegistryNodeTreeModel(RegistryHive *p_hive, QObject *p_parent) : QAbstractItemModel(p_parent) { // Create root node. It's values will be used as header values. this->p_root_node=new RegistryNode(QList()<SetupModelData(p_hive,this->p_root_node); } RegistryNodeTreeModel::~RegistryNodeTreeModel() { delete this->p_root_node; } QVariant RegistryNodeTreeModel::data(const QModelIndex &index, int role) const { if(!index.isValid()) return QVariant(); if(role!=Qt::DisplayRole) return QVariant(); RegistryNode *p_node=static_cast(index.internalPointer()); switch(role) { case Qt::DisplayRole: { switch(index.column()) { case RegistryNodeTreeModel::ColumnContent_NodeName: { return p_node->Data(index.column()); break; } case RegistryNodeTreeModel::ColumnContent_NodeModTime: { QDateTime date_time; bool ok=false; date_time.setTimeSpec(Qt::UTC); date_time.setTime_t(RegistryHive::FiletimeToUnixtime( p_node->Data(index.column()).toLongLong(&ok))); if(ok) return date_time.toString("yyyy/MM/dd hh:mm:ss"); else return tr("Unknown"); break; } default: { return QVariant(); } } break; } default: { return QVariant(); } } + + // Control will never reach this, but in order to stop g++ complaining... + return QVariant(); } Qt::ItemFlags RegistryNodeTreeModel::flags(const QModelIndex &index) const { if(!index.isValid()) return 0; return Qt::ItemIsEnabled | Qt::ItemIsSelectable; } QVariant RegistryNodeTreeModel::headerData(int section, Qt::Orientation orientation, int role) const { // Only horizontal header is supported if(orientation!=Qt::Horizontal) return QVariant(); switch(role) { case Qt::TextAlignmentRole: // Handle text alignment return Qt::AlignCenter; break; case Qt::DisplayRole: // Header text return this->p_root_node->Data(section); break; default: return QVariant(); } } QModelIndex RegistryNodeTreeModel::index(int row, int column, const QModelIndex &parent) const { if(!this->hasIndex(row,column,parent)) return QModelIndex(); RegistryNode *p_parent_node; if(!parent.isValid()) { p_parent_node=this->p_root_node; } else { p_parent_node=static_cast(parent.internalPointer()); } RegistryNode *p_child_node=p_parent_node->Child(row); if(p_child_node) { return this->createIndex(row,column,p_child_node); } else { return QModelIndex(); } } QModelIndex RegistryNodeTreeModel::parent(const QModelIndex &index) const { if(!index.isValid()) return QModelIndex(); RegistryNode *p_child_node= static_cast(index.internalPointer()); RegistryNode *p_parent_node=p_child_node->Parent(); if(p_parent_node==this->p_root_node) { return QModelIndex(); } else { return this->createIndex(p_parent_node->Row(),0,p_parent_node); } } int RegistryNodeTreeModel::rowCount(const QModelIndex &parent) const { if(parent.column()>0) return 0; RegistryNode *p_parent_node; if(!parent.isValid()) { p_parent_node=this->p_root_node; } else { p_parent_node=static_cast(parent.internalPointer()); } return p_parent_node->ChildCount(); } int RegistryNodeTreeModel::columnCount(const QModelIndex &parent) const { Q_UNUSED(parent); return 2; } QList RegistryNodeTreeModel::GetIndexListOf(QString path) const { RegistryNode *p_parent_node=this->p_root_node; QList ret; QStringList nodes=path.split("\\",QString::SkipEmptyParts); bool found=false; // Create a list of all index's that form the supplied path ret.clear(); for(int i=0;iChildCount();ii++) { if(p_parent_node->Child(ii)->Data(0)==nodes.at(i)) { ret.append(this->createIndex(ii,0,p_parent_node->Child(ii))); p_parent_node=p_parent_node->Child(ii); found=true; break; } } // Break when last child node was found if(found && i==nodes.count()-1) break; // Return an empty list when a child node wasn't found else if(!found) return QList(); } return ret; } QString RegistryNodeTreeModel::GetNodePath(QModelIndex child_index) const { QString path; // Get current node name path=this->data(child_index,Qt::DisplayRole).toString().prepend("\\"); // Build node path by prepending all parent nodes names while(this->parent(child_index)!=QModelIndex()) { child_index=this->parent(child_index); path.prepend(this->data(child_index, Qt::DisplayRole).toString().prepend("\\")); } return path; } void RegistryNodeTreeModel::SetupModelData(RegistryHive *p_hive, RegistryNode *p_parent, int hive_node) { QMap hive_children; RegistryNode *p_node; int64_t key_mod_time; // Get all sub nodes of current hive node if(hive_node) hive_children=p_hive->GetNodes(hive_node); else hive_children=p_hive->GetNodes("\\"); if(hive_children.isEmpty()) return; // Recursivly iterate over all sub nodes QMapIterator i(hive_children); while(i.hasNext()) { i.next(); key_mod_time=p_hive->GetNodeModTime(i.value()); // TODO: Maybe we have to call GetErrorMsg in case an error occured p_node=new RegistryNode(QList()<AppendChild(p_node); this->SetupModelData(p_hive,p_node,i.value()); } } diff --git a/trunk/report_templates/NTUSER_Autoruns.qs b/trunk/report_templates/NTUSER_Autoruns.qs index 5ac0949..f0a40a0 100644 --- a/trunk/report_templates/NTUSER_Autoruns.qs +++ b/trunk/report_templates/NTUSER_Autoruns.qs @@ -1,61 +1,61 @@ function fred_report_info() { var info={report_cat : "NTUSER", report_name : "Autoruns", report_author : "Gillen Daniel", report_desc : "Dump autorun keys", fred_api : 2, hive : "NTUSER" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ListAutoruns(autorun_path,autorun_key) { println("

"); println(" "+autorun_key+"
"); var run_keys=GetRegistryKeys(autorun_path+autorun_key); if(IsValid(run_keys) && run_keys.length>0) { println(" "); print_table_row("Name","Executable"); for(var i=0;i"); } else { println("         None"); } println("

"); } function fred_report_html() { var val; - println(""); - println(" User Autoruns"); - println(" "); +// println(""); +// println(" User Autoruns"); +// println(" "); println("

User Autoruns

"); // Run ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","Run"); // RunOnce ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnce"); // RunOnceEx ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnceEx"); // TODO: There might be a Run under WindowsNT\CurrentVersion\Run too! - println(""); +// println(""); } diff --git a/trunk/report_templates/NTUSER_LaunchedApplications.qs b/trunk/report_templates/NTUSER_LaunchedApplications.qs index b90bdf8..1e4bb61 100644 --- a/trunk/report_templates/NTUSER_LaunchedApplications.qs +++ b/trunk/report_templates/NTUSER_LaunchedApplications.qs @@ -1,111 +1,111 @@ function fred_report_info() { var info={report_cat : "NTUSER", report_name : "Launched applications", report_author : "Gillen Daniel", report_desc : "Dump IE launched applications", fred_api : 2, hive : "NTUSER" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function PrintTableRow(cell01,cell02,cell03) { println("
"); } function Rot13Decode(val) { var ret=""; for(var i=0;i64 && decoded<91) || (decoded>96 && decoded<123)) { if((decoded-13)<65 || (decoded>96 && (decoded-13)<97)) { decoded=(decoded-13)+26; } else { if(decoded>96 && (decoded-13)<97) { decoded+=13; } else { decoded-=13; } } ret+=String.fromCharCode(decoded); } else { ret+=val[i]; } } return ret; } function PrintUserAssistEntry(key,val,os) { var run_count; var last_run; switch(os) { case "winxp": run_count=RegistryKeyValueToVariant(val.value,"uint32",4); break; case "win7": run_count=RegistryKeyValueToVariant(val.value,"uint32",4,0,1); last_run=RegistryKeyValueToVariant(val.value,"filetime",60); break; } PrintTableRow(key,run_count,last_run); } function fred_report_html() { - println(""); - println(" Launched Applications"); - println(" "); +// println(""); +// println(" Launched Applications"); +// println(" "); println("

Launched applications

"); // First, we need to find the correct GUID for the current Windows version var path; var apps; var os; // Windows XP os="winxp"; path="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{5E6AB780-7743-11CF-A12B-00AA004AE837}\\Count"; apps=GetRegistryKeys(path); // TODO: Determine GUIDs for Vista / Win8 if(!IsValid(apps)) { // Windows 7 os="win7"; path="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count"; apps=GetRegistryKeys(path); } if(IsValid(apps)) { if(apps.length!=0) { println("

"); println("

",cell01,"",cell02,"",cell03,"
"); println(" "); for(var i=0;i"); println("

"); } else { println("

"); println(" The list of launched applications is empty."); println("

"); } } else { println("

"); println(" This registry hive does not contain a list of launched applications!"); println("

"); } } diff --git a/trunk/report_templates/NTUSER_RecentDocs.qs b/trunk/report_templates/NTUSER_RecentDocs.qs index bcac514..32228fe 100644 --- a/trunk/report_templates/NTUSER_RecentDocs.qs +++ b/trunk/report_templates/NTUSER_RecentDocs.qs @@ -1,54 +1,54 @@ function fred_report_info() { var info={report_cat : "NTUSER", report_name : "Recent documents", report_author : "Gillen Daniel", report_desc : "Dump recent docs", fred_api : 2, hive : "NTUSER" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function fred_report_html() { - println(""); - println(" Recent Documents"); - println(" "); +// println(""); +// println(" Recent Documents"); +// println(" "); println("

Recent documents

"); // Get list of recent docs var recent_docs=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs","MRUListEx"); if(IsValid(recent_docs)) { // Iterate over all recent docs var i=0; var runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i); if(Number(runlist)!=0xffffffff) { println("

"); println("

ApplicationRun countLast run
"); while(Number(runlist)!=0xffffffff) { var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",runlist.toString(10)); println(" "); i+=4; runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i); } println("
",RegistryKeyValueToVariant(entry.value,"utf16",0),"
"); println("

"); } else { println("

"); println(" The list of recent documents is empty."); println("

"); } } else { println("

"); println(" This registry hive does not contain a list of recent documents!"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/NTUSER_TypedUrls.qs b/trunk/report_templates/NTUSER_TypedUrls.qs index bbd6b51..f5c4e1c 100644 --- a/trunk/report_templates/NTUSER_TypedUrls.qs +++ b/trunk/report_templates/NTUSER_TypedUrls.qs @@ -1,49 +1,49 @@ function fred_report_info() { var info={report_cat : "NTUSER", report_name : "Typed URLs", report_author : "Gillen Daniel", report_desc : "Dump typed URLs", fred_api : 2, hive : "NTUSER" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function fred_report_html() { - println(""); - println(" Typed Urls"); - println(" "); +// println(""); +// println(" Typed Urls"); +// println(" "); println("

Typed urls

"); // Iterate over all typed urls var typed_urls=GetRegistryKeys("\\Software\\Microsoft\\Internet Explorer\\TypedURLs"); if(IsValid(typed_urls)) { if(typed_urls.length!=0) { println("

"); println(" "); for(var i=0;i"); } println("
",RegistryKeyValueToString(val.value,val.type),"
"); println("

"); } else { println("

"); println(" The list of typed urls is empty."); println("

"); } } else { println("

"); println(" This registry hive does not contain a list of typed urls!"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs b/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs index 68614b7..fe97c28 100644 --- a/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs +++ b/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs @@ -1,54 +1,54 @@ function fred_report_info() { var info={report_cat : "NTUSER", report_name : "Windows 7 search keywords", report_author : "Gillen Daniel", report_desc : "Dump Windows 7 search keywords", fred_api : 2, hive : "NTUSER" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function fred_report_html() { - println(""); - println(" Document And Folder Search Keywords"); - println(" "); +// println(""); +// println(" Document And Folder Search Keywords"); +// println(" "); println("

Document and folder search keywords

"); // Get list of search keys var mrulist=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery","MRUListEx"); if(IsValid(mrulist)) { // Iterate over all items var i=0; var runlist=RegistryKeyValueToVariant(mrulist.value,"uint32",i); if(Number(runlist)!=0xffffffff) { println("

"); println(" "); while(Number(runlist)!=0xffffffff) { var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery",runlist.toString(10)); println(" "); i+=4; runlist=RegistryKeyValueToVariant(mrulist.value,"uint32",i); } println("
",RegistryKeyValueToVariant(entry.value,"utf16",0),"
"); println("

"); } else { println("

"); println(" The list of document and search keywords is empty."); println("

"); } } else { println("

"); println(" This registry hive does not contain a list of document and folder search keywords!"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs b/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs index 864b46f..947a9c6 100644 --- a/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs +++ b/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs @@ -1,49 +1,49 @@ function fred_report_info() { var info={report_cat : "NTUSER", report_name : "Windows 7 typed paths", report_author : "Gillen Daniel", report_desc : "Dump Windows 7 typed paths", fred_api : 2, hive : "NTUSER" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function fred_report_html() { - println(""); - println(" Typed Paths"); - println(" "); +// println(""); +// println(" Typed Paths"); +// println(" "); println("

Typed paths

"); // Iterate over all typed paths var urls=GetRegistryKeys("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"); if(IsValid(urls)) { if(urls.length!=0) { println("

"); println(" "); for(var i=0;i"); } println("
",RegistryKeyValueToString(val.value,val.type),"
"); println("

"); } else { println("

"); println(" The list of typed paths is empty."); println("

"); } } else { println("

"); println(" This registry hive does not contain a list of typed paths!"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs b/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs index ac9bb6b..c52547b 100644 --- a/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs +++ b/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs @@ -1,48 +1,48 @@ function fred_report_info() { var info={report_cat : "NTUSER", report_name : "Windows Live accounts", report_author : "Gillen Daniel", report_desc : "Dump Windows Live accounts", fred_api : 2, hive : "NTUSER" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function fred_report_html() { - println(""); - println(" Windows Live Accounts"); - println(" "); +// println(""); +// println(" Windows Live Accounts"); +// println(" "); println("

Windows live accounts

"); // Iterate over all contacts var accounts=GetRegistryKeys("\\Software\\Microsoft\\Windows Live Contacts\\Database"); if(IsValid(accounts)) { println("

"); println(" "); for(var i=0;i"); } accounts=GetRegistryKeys("\\Software\\Microsoft\\Windows Live Contacts\\Me"); for(var i=0;i"); } println("
",accounts[i],"",RegistryKeyValueToString(val.value,val.type),"
",accounts[i],"",RegistryKeyValueToString(val.value,val.type),"
"); println("

"); } else { println("

"); println(" This registry hive does not contain a list of Windows Live Accounts!"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SAM_UserAccounts.qs b/trunk/report_templates/SAM_UserAccounts.qs index a78ec0c..f3ee71c 100644 --- a/trunk/report_templates/SAM_UserAccounts.qs +++ b/trunk/report_templates/SAM_UserAccounts.qs @@ -1,109 +1,109 @@ function fred_report_info() { var info={report_cat : "SAM", report_name : "User accounts", report_author : "Gillen Daniel", report_desc : "Dump Windows user accounts", fred_api : 2, hive : "SAM" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function print_v_info(v_key_value,info_name,str_off) { var offset=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off))+0x0cc; var len=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off+4))/2; if(len>0) print_table_row(info_name,RegistryKeyValueToVariant(v_key_value,"utf16",offset,len)); } function fred_report_html() { // See http://windowsir.blogspot.com/2006/08/getting-user-info-from-image.html - println(""); - println(" User Accounts"); - println(" "); +// println(""); +// println(" User Accounts"); +// println(" "); println("

User accounts

"); // Iterate over all user names var user_names=GetRegistryNodes("\\SAM\\Domains\\Account\\Users\\Names"); if(IsValid(user_names)) { for(var i=0;i"); // Print user name println(" ",user_names[i],"
"); println(" "); // Get user rid stored in "default" key var user_rid=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\Names\\",user_names[i]),""); user_rid=RegistryKeyTypeToString(user_rid.type); println(" "); // RegistryKeyTypeToString returns the rid prepended with "0x". We have to remove that for further processing user_rid=String(user_rid).substr(2); // Get user's V key and print various infos var v_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"V"); print_v_info(v_key.value,"Full name:",0x18); print_v_info(v_key.value,"Comment:",0x24); print_v_info(v_key.value,"Home directory:",0x48); print_v_info(v_key.value,"Home directory drive:",0x54); print_v_info(v_key.value,"Logon script path:",0x60); print_v_info(v_key.value,"Profile path:",0x6c); // Get user's F key and print various infos var f_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"F"); print_table_row("Last login time:",RegistryKeyValueToVariant(f_key.value,"filetime",8)); print_table_row("Last pw change:",RegistryKeyValueToVariant(f_key.value,"filetime",24)); print_table_row("Last failed login:",RegistryKeyValueToVariant(f_key.value,"filetime",40)); print_table_row("Account expires:",RegistryKeyValueToVariant(f_key.value,"filetime",32)); print_table_row("Total logins:",RegistryKeyValueToVariant(f_key.value,"uint16",66)); print_table_row("Failed logins:",RegistryKeyValueToVariant(f_key.value,"uint16",64)); var acc_flags=Number(RegistryKeyValueToVariant(f_key.value,"uint16",56)); print(" "); // Get password hint if available var hint=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"UserPasswordHint"); if(typeof hint !== 'undefined') { // Append missing trailing utf16 zero byte hint.value.appendByte(0); hint.value.appendByte(0); print_table_row("Password hint:",RegistryKeyValueToVariant(hint.value,"utf16")); } // TODO: User group membership println("
RID:",Number(user_rid).toString(10)," (",user_rid,")","
Account flags:"); if(acc_flags&0x0001) print("Disabled "); if(acc_flags&0x0002) print("HomeDirReq "); if(acc_flags&0x0004) print("PwNotReq "); if(acc_flags&0x0008) print("TempDupAcc "); // I don't think this would be useful to show //if(acc_flags&0x0010) print("NormUserAcc "); if(acc_flags&0x0020) print("MnsAcc "); if(acc_flags&0x0040) print("DomTrustAcc "); if(acc_flags&0x0080) print("WksTrustAcc "); if(acc_flags&0x0100) print("SrvTrustAcc "); if(acc_flags&0x0200) print("NoPwExpiry "); if(acc_flags&0x0400) print("AccAutoLock "); print(" (",acc_flags,")"); println("
"); println("

"); } } else { println("

"); println(" Unable to enumerate users!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SOFTWARE_Autoruns.qs b/trunk/report_templates/SOFTWARE_Autoruns.qs index 20661b8..d335d70 100644 --- a/trunk/report_templates/SOFTWARE_Autoruns.qs +++ b/trunk/report_templates/SOFTWARE_Autoruns.qs @@ -1,61 +1,61 @@ function fred_report_info() { var info={report_cat : "SOFTWARE", report_name : "Autoruns", report_author : "Gillen Daniel", report_desc : "Dump autoruns", fred_api : 2, hive : "SOFTWARE" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ListAutoruns(autorun_path,autorun_key) { println("

"); println(" "+autorun_key+"
"); var run_keys=GetRegistryKeys(autorun_path+autorun_key); if(IsValid(run_keys) && run_keys.length>0) { println(" "); print_table_row("Name","Executable"); for(var i=0;i"); } else { println("         None"); } println("

"); } function fred_report_html() { var val; - println(""); - println(" System Autoruns"); - println(" "); +// println(""); +// println(" System Autoruns"); +// println(" "); println("

System Autoruns

"); // Run ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","Run"); // RunOnce ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnce"); // RunOnceEx ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnceEx"); // TODO: There might be a Run under WindowsNT\CurrentVersion\Run too! - println(""); +// println(""); } diff --git a/trunk/report_templates/SOFTWARE_ProfileList.qs b/trunk/report_templates/SOFTWARE_ProfileList.qs index 52447bc..435e7e0 100644 --- a/trunk/report_templates/SOFTWARE_ProfileList.qs +++ b/trunk/report_templates/SOFTWARE_ProfileList.qs @@ -1,56 +1,56 @@ function fred_report_info() { var info={report_cat : "SOFTWARE", report_name : "Profile list", report_author : "Gillen Daniel", report_desc : "Dump profile list", fred_api : 2, hive : "SOFTWARE" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println("
"); } function fred_report_html() { var val; - println(""); - println(" Profile List"); - println(" "); +// println(""); +// println(" Profile List"); +// println(" "); println("

Profile List

"); var profile_list=GetRegistryNodes("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList"); if(IsValid(profile_list) && profile_list.length>0) { for(var i=0;i"); println(" "+profile_list[i]+"
"); println("
",cell01,"",cell02,"
"); // Get profile image path val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileImagePath"); print_table_row("Profile image path:",IsValid(val) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); // Get last load time (Saved as 2 dwords. Another "good" idea of M$ ;-)) var loadtime_low=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileLoadTimeLow"); var loadtime_high=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileLoadTimeHigh"); print_table_row("Profile load time:",(IsValid(loadtime_low) && IsValid(loadtime_high)) ? RegistryKeyValueToVariant(loadtime_low.value.append(loadtime_high.value),"filetime",0) : "n/a"); // TODO: There is more to decode under \\Microsoft\\Windows NT\\CurrentVersion\\ProfileList println("
"); println("

"); } println(" "); } else { println("         None"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SOFTWARE_WindowsVersion.qs b/trunk/report_templates/SOFTWARE_WindowsVersion.qs index 0871460..0a06fb3 100644 --- a/trunk/report_templates/SOFTWARE_WindowsVersion.qs +++ b/trunk/report_templates/SOFTWARE_WindowsVersion.qs @@ -1,109 +1,109 @@ function fred_report_info() { var info={report_cat : "SOFTWARE", report_name : "Windows version", report_author : "Gillen Daniel", report_desc : "Dump Windows version info", fred_api : 2, hive : "SOFTWARE" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function DecodeProductKey(arr) { //ProductKey is base24 encoded var keychars=new Array("B","C","D","F","G","H","J","K","M","P","Q","R","T","V","W","X","Y","2","3","4","6","7","8","9"); var key=new Array(30); var ret=""; var ncur; if(arr.length<66) return ret; arr=arr.mid(52,15); for(var ilbyte=24;ilbyte>=0;ilbyte--) { ncur=0; for(var ilkeybyte=14;ilkeybyte>=0;ilkeybyte--) { ncur=ncur*256^arr[ilkeybyte]; arr[ilkeybyte]=ncur/24; ncur%=24; } ret=keychars[ncur]+ret; if(ilbyte%5==0 && ilbyte!=0) ret="-"+ret; } return ret; } function fred_report_html() { - println(""); - println(" Windows version info"); - println(" "); +// println(""); +// println(" Windows version info"); +// println(" "); println("

Windows version info

"); // Windows version sp and build info var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","ProductName"); if(IsValid(val)) { println("

"); println(" "); print(" "); // Build string var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","BuildLab"); print_table_row("Build string:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); // Extended build string var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","BuildLabEx"); print_table_row("Extended build string:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); // Install date var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","InstallDate"); print_table_row("Install date:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime") : "n/a"); // Owner and Organization info var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","RegisteredOwner"); print_table_row("Registered owner:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","RegisteredOrganization"); print_table_row("Registered organization:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); // Windows ID / Key var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","ProductId"); print_table_row("Product ID:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","DigitalProductId"); if(IsValid(val)) { var key=DecodeProductKey(val.value); if(key!="BBBBB-BBBBB-BBBBB-BBBBB-BBBBB") print_table_row("Product Key:",key); else print_table_row("Product Key:","n/a (Probably a volume license key was used)"); } else print_table_row("Product Key:","n/a"); // Install directory / Source directory var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","PathName"); print_table_row("Install path:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","SourcePath"); print_table_row("Source path:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); println("
Windows version:",RegistryKeyValueToString(val.value,val.type)); var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","CSDVersion"); if(IsValid(val)) { print(" ",RegistryKeyValueToString(val.value,val.type)); } var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","CurrentBuildNumber"); if(IsValid(val)) { print(" build ",RegistryKeyValueToString(val.value,val.type)); } println("
"); println("

"); } else { println("

"); println(" Unable to get product name!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SYSTEM_ShutdownTime.qs b/trunk/report_templates/SYSTEM_BackupRestore.qs similarity index 54% copy from trunk/report_templates/SYSTEM_ShutdownTime.qs copy to trunk/report_templates/SYSTEM_BackupRestore.qs index 4a3ecf1..9501ff2 100644 --- a/trunk/report_templates/SYSTEM_ShutdownTime.qs +++ b/trunk/report_templates/SYSTEM_BackupRestore.qs @@ -1,57 +1,65 @@ function fred_report_info() { var info={report_cat : "SYSTEM", - report_name : "Shutdown time", + report_name : "Backup / Restore settings", report_author : "Gillen Daniel", - report_desc : "Dump last known shutdown time", + report_desc : "Dump files / directories not to snapshot / backup and registry keys not to restore", fred_api : 2, hive : "SYSTEM" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } +function ListValues(root_key) { + var values=GetRegistryKeys(root_key); + if(IsValid(values)) { + println("

"); + println(" "); + for(var i=0;i"); + println("

"); + } else { + println(" None"); + } +} + function fred_report_html() { var val; - println(""); - println(" Last known shutdown time"); - println(" "); - println("

Last known shutdown time

"); + println("

Backup / Restore settings

"); // Get current controlset var cur_controlset=GetRegistryKeyValue("\\Select","Current"); if(IsValid(cur_controlset)) { cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); // Current holds a DWORD value, thus we get a string like 0x00000000, but // control sets are referenced only with the last 3 digits. cur_controlset="ControlSet"+String(cur_controlset).substr(7,3); - - println("

"); - println("

"); - - print_table_row("Active control set:",cur_controlset); - - // Shutdown time - val=GetRegistryKeyValue(cur_controlset+"\\Control\\Windows","ShutdownTime"); - print_table_row("Shutdown time:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"filetime") : "Unknown"); - - println("
"); - println("
"); - println("

"); + + println(" Directories / files not to back up in Volume Shadow Copies"); + ListValues(cur_controlset+"\\Control\\BackupRestore\\FilesNotToSnapshot"); + println(" Directories / files not to back up or restore by backup apps"); + ListValues(cur_controlset+"\\Control\\BackupRestore\\FilesNotToBackup"); + println(" Registry nodes or values not to restore by backup apps"); + ListValues(cur_controlset+"\\Control\\BackupRestore\\KeysNotToRestore"); } else { println("

"); println(" Unable to determine current control set!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - - println(""); } diff --git a/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs b/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs index 5943e14..7a6dac4 100644 --- a/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs +++ b/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs @@ -1,141 +1,141 @@ function fred_report_info() { var info={report_cat : "SYSTEM", report_name : "Current network settings", report_author : "Gillen Daniel", report_desc : "Dump current network settings", fred_api : 2, hive : "SYSTEM" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ZeroPad(number,padlen) { var ret=number.toString(10); if(!padlen || ret.length>=padlen) return ret; return Math.pow(10,padlen-ret.length).toString().slice(1)+ret; } function fred_report_html() { // See Appendix A: TCP/IP Configuration Parameters: // http://technet.microsoft.com/de-de/library/cc739819%28v=WS.10%29.aspx var val; - println(""); - println(" Current Network Settings (Tcp/Ip)"); - println(" "); +// println(""); +// println(" Current Network Settings (Tcp/Ip)"); +// println(" "); println("

Current network settings (Tcp/Ip)

"); // Get current controlset var cur_controlset=GetRegistryKeyValue("\\Select","Current"); if(IsValid(cur_controlset)) { cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); // Current holds a DWORD value, thus we get a string like 0x00000000, but // control sets are referenced by its decimal representation. cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3) println("

"); println(" "); print_table_row("Active control set:",cur_controlset); // Computer name val=GetRegistryKeyValue(cur_controlset+"\\Control\\ComputerName\\ComputerName","ComputerName"); print_table_row("Computer name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); println("
"); println("
"); // Iterate over all available network adapters var adapters=GetRegistryNodes(cur_controlset+"\\Services\\Tcpip\\Parameters\\Adapters"); for(var i=0;i",RegistryKeyValueToString(val.value,val.type),""); } else { - println(" ",adapters[i]); + println(" ",adapters[i],""); } // Get settings node var adapter_settings_node=GetRegistryKeyValue(cur_controlset+"\\Services\\Tcpip\\Parameters\\Adapters\\"+adapters[i],"IpConfig"); adapter_settings_node=RegistryKeyValueToVariant(adapter_settings_node.value,"utf16",0); println(" "); //print_table_row("Adapter id:",adapters[i]); // Get configuration mode val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"EnableDHCP"); val=Number(RegistryKeyValueToString(val.value,val.type)); if(val) { // DHCP enabled print_table_row("Configuration mode:","DHCP"); // DHCP server val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpServer"); print_table_row("Last used DHCP server:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); // IP address val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpIPAddress"); print_table_row("IP address:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); // Subnet mask val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpSubnetMask"); print_table_row("Subnet mask:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); // Nameserver(s) val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpNameServer"); print_table_row("Nameserver(s):",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); // Domain val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpDomain"); print_table_row("Domain:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); // Default gw val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpDefaultGateway"); print_table_row("Default gateway:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); // Lease obtained val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"LeaseObtainedTime"); print_table_row("Lease obtained:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : ""); // Lease valid until val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"LeaseTerminatesTime"); print_table_row("Lease terminates:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : ""); } else { print_table_row("Configuration mode:","Manual"); // IP address val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"IPAddress"); print_table_row("IP address:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); // Subnet mask val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"SubnetMask"); print_table_row("Subnet mask:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); // Nameserver val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"NameServer"); print_table_row("Nameserver:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); // Domain val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"Domain"); print_table_row("Domain:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); // Default gw val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DefaultGateway"); print_table_row("Default gateway:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); } // TODO: Check for EnableSecurityFilters, TCPAllowedPorts and UDPAllowedPorts to get firewall status. println("
"); println("
"); // TODO: Get persistent routes from \ControlSet001\Services\Tcpip\Parameters\PersistentRoutes } println("

"); } else { println("

"); println(" Unable to determine current control set!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SYSTEM_Services.qs b/trunk/report_templates/SYSTEM_Services.qs index 54e85c7..4344e66 100644 --- a/trunk/report_templates/SYSTEM_Services.qs +++ b/trunk/report_templates/SYSTEM_Services.qs @@ -1,111 +1,111 @@ function fred_report_info() { var info={report_cat : "SYSTEM", report_name : "Services", report_author : "Gillen Daniel", report_desc : "Dump services", fred_api : 2, hive : "SYSTEM" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function ZeroPad(number,padlen) { var ret=number.toString(10); if(!padlen || ret.length>=padlen) return ret; return Math.pow(10,padlen-ret.length).toString().slice(1)+ret; } function PrintTableRow(cell01,cell02,cell03,cell04,cell05) { println(" ",cell01,"",cell02,"",cell03,"",cell04,"",cell05,""); } function ListService(service_node) { // Service name var name=GetRegistryKeyValue(service_node,"DisplayName"); name=(IsValid(name)) ? RegistryKeyValueToString(name.value,name.type) : "Unknwon"; // Service group var group=GetRegistryKeyValue(service_node,"Group"); group=(IsValid(group)) ? RegistryKeyValueToString(group.value,group.type) : ""; // Service exe var image=GetRegistryKeyValue(service_node,"ImagePath"); image=(IsValid(image)) ? RegistryKeyValueToString(image.value,image.type) : "Unknwon"; // Start var start=GetRegistryKeyValue(service_node,"Start"); start=(IsValid(start)) ? RegistryKeyValueToString(start.value,start.type) : -1; switch(Number(start)) { case 0: start="Boot"; break; case 1: start="System"; break; case 2: start="Automatic"; break; case 3: start="Manual"; break; case 4: start="Disabled"; break; default: start="Unknown"; } // Description var desc=GetRegistryKeyValue(service_node,"Description"); desc=(IsValid(desc)) ? RegistryKeyValueToString(desc.value,desc.type) : ""; PrintTableRow(name,group,start,image,desc) } function fred_report_html() { var val; - println(""); - println(" Services"); - println(" "); +// println(""); +// println(" Services"); +// println(" "); println("

Services

"); // Get current controlset var cur_controlset=GetRegistryKeyValue("\\Select","Current"); if(IsValid(cur_controlset)) { cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); // Current holds a DWORD value, thus we get a string like 0x00000000, but // control sets are referenced by its decimal representation. cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3) // Get list of possible services var services=GetRegistryNodes(cur_controlset+"\\Services"); if(IsValid(services)) { println("

"); println(" "); println(" "); for(var i=0;i"); println("

"); } else { println("

"); println(" This registry hive does not contain any services!
"); println("

"); } } else { println("

"); println(" Unable to determine current control set!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SYSTEM_ShutdownTime.qs b/trunk/report_templates/SYSTEM_ShutdownTime.qs index 4a3ecf1..443552b 100644 --- a/trunk/report_templates/SYSTEM_ShutdownTime.qs +++ b/trunk/report_templates/SYSTEM_ShutdownTime.qs @@ -1,57 +1,57 @@ function fred_report_info() { var info={report_cat : "SYSTEM", report_name : "Shutdown time", report_author : "Gillen Daniel", report_desc : "Dump last known shutdown time", fred_api : 2, hive : "SYSTEM" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println("
"); } function fred_report_html() { var val; - println(""); - println(" Last known shutdown time"); - println(" "); +// println(""); +// println(" Last known shutdown time"); +// println(" "); println("

Last known shutdown time

"); // Get current controlset var cur_controlset=GetRegistryKeyValue("\\Select","Current"); if(IsValid(cur_controlset)) { cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); // Current holds a DWORD value, thus we get a string like 0x00000000, but // control sets are referenced only with the last 3 digits. cur_controlset="ControlSet"+String(cur_controlset).substr(7,3); println("

"); println("

NameGroupStartupImage pathDescription
",cell01,"",cell02,"
"); print_table_row("Active control set:",cur_controlset); // Shutdown time val=GetRegistryKeyValue(cur_controlset+"\\Control\\Windows","ShutdownTime"); print_table_row("Shutdown time:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"filetime") : "Unknown"); println("
"); println("
"); println("

"); } else { println("

"); println(" Unable to determine current control set!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SYSTEM_SystemTimeInfo.qs b/trunk/report_templates/SYSTEM_SystemTimeInfo.qs index 17b166f..588a14a 100644 --- a/trunk/report_templates/SYSTEM_SystemTimeInfo.qs +++ b/trunk/report_templates/SYSTEM_SystemTimeInfo.qs @@ -1,122 +1,122 @@ function fred_report_info() { var info={report_cat : "SYSTEM", report_name : "System time info", report_author : "Gillen Daniel", report_desc : "Dump system time info", fred_api : 2, hive : "SYSTEM" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ToUTC(num) { var retnum=new Number(num); if(retnum&0x80000000) { retnum=((0xFFFFFFFF-retnum)+1)/60; return "UTC+"+Number(retnum).toString(10); } else { retnum=retnum/60; if(retnum!=0) return "UTC-"+Number(retnum).toString(10); else return "UTC+"+Number(retnum).toString(10); } } function ZeroPad(number,padlen) { var ret=number.toString(10); if(!padlen || ret.length>=padlen) return ret; return Math.pow(10,padlen-ret.length).toString().slice(1)+ret; } function fred_report_html() { var val; - println(""); - println(" System Time Info"); - println(" "); - println("

System time info (",cur_controlset,")

"); +// println(""); +// println(" System Time Info"); +// println(" "); + println("

System time info

"); // Get current controlset var cur_controlset=GetRegistryKeyValue("\\Select","Current"); if(IsValid(cur_controlset)) { cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); // Current holds a DWORD value, thus we get a string like 0x00000000, but // control sets are referenced by its decimal representation. cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3) println("

"); println(" Time zone info"); println(" "); // Active time bias val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","ActiveTimeBias"); print_table_row("Active time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a"); // Std. tz name and bias val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardName"); print_table_row("Std. time zone name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardBias"); print_table_row("Std. time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a"); // Daylight tz name and bias val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightName"); print_table_row("Daylight time zone name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightBias"); print_table_row("Daylight time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a"); println("
"); println("
"); println(" W32Time service info"); println(" "); // Get W32Time service settings val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time","Start"); if(IsValid(val)) { print(" "); // If service is enabled, get ntp server if(Number(val)<4) { val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time\\Parameters","NtpServer"); print_table_row("NTP server(s):",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); } } else print_table_row("Startup method:","n/a"); println("
Startup method:"); val=RegistryKeyValueToString(val.value,val.type); switch(Number(val)) { case 0: print("Boot"); break; case 1: print("System"); break; case 2: print("Automatic"); break; case 3: print("Manual"); break; case 4: print("Disabled"); break; default: print("Unknown"); } println("
"); println("

"); } else { println("

"); println(" Unable to determine current control set!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs index 3ed2517..e7cded4 100644 --- a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs +++ b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs @@ -1,150 +1,150 @@ function fred_report_info() { var info={report_cat : "SYSTEM", report_name : "USB storage devices", report_author : "Gillen Daniel", report_desc : "Dump USB storage devices", fred_api : 2, hive : "SYSTEM" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ZeroPad(number,padlen) { var ret=number.toString(10); if(!padlen || ret.length>=padlen) return ret; return Math.pow(10,padlen-ret.length).toString().slice(1)+ret; } function fred_report_html() { // TODO: There is more here. Check http://www.forensicswiki.org/wiki/USB_History_Viewing var val; - println(""); - println(" USB Storage Devices"); - println(" "); +// println(""); +// println(" USB Storage Devices"); +// println(" "); println("

USB storage devices

"); // Preload MountedDevices to possibly identify mount points of USB storage devices var mnt_keys=GetRegistryKeys("\\MountedDevices"); var mnt_values=new Array(); if(IsValid(mnt_keys)) { for(var i=0;i"); println(" Settings
"); println(" "); // Are USB storage devices enabled? // http://www.forensicmag.com/article/windows-7-registry-forensics-part-5 // Is this true for WinXP etc.. ??? var val=GetRegistryKeyValue(cur_controlset+"\\services\\USBSTOR","Start"); if(IsValid(val)) { val=RegistryKeyValueToString(val.value,val.type); val=parseInt(String(val).substr(2,8),10); switch(val) { case 3: print_table_row("Storage driver enabled:","Yes"); break; case 4: print_table_row("Storage driver enabled:","No"); break; default: print_table_row("Storage driver enabled:","Unknown"); } } else { print_table_row("Storage driver enabled:","Unknown"); } println("
"); println("

"); println("

"); println(" Devices
"); var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR"); if(IsValid(storage_roots)) { for(var i=0;i",storage_roots[i],"
"); + println(" ",storage_roots[i],"
"); var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]); for(ii=0;ii"); // If the second character of the unique instance ID is a '&', then the ID was // generated by the system, as the device did not have a serial number. if(String(storage_subroots[ii]).charAt(1)=="&") print_table_row("Unique ID:",storage_subroots[ii]+" (Generated by system)"); else print_table_row("Unique ID:",storage_subroots[ii]); val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"Class"); print_table_row("Class:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"DeviceDesc"); print_table_row("Device description:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"FriendlyName"); print_table_row("Friendly name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"ParentIdPrefix"); if(IsValid(val)) { // Windows XP uses the ParentId to link to MountedDevices var parent_id=RegistryKeyValueToString(val.value,val.type); print_table_row("Parent ID prefix:",parent_id); // Find mount point(s) print(" Mount point(s):"); var br=0; for(var iii=0;iii"); else br=1; print(mnt_keys[iii]); } } if(br==0) print("n/a"); println(""); } else { // Since Vista, Unique IDs are used // Find mount point(s) print(" Mount point(s):"); var br=0; for(var iii=0;iii"); else br=1; print(mnt_keys[iii]); } } if(br==0) print("n/a"); println(""); } println(" "); println("
"); } } } else { println(" This registry hive does not contain a list of attached USB storage devices!"); } println("

"); } else { println("

"); println(" Unable to determine current control set!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - println(""); +// println(""); }