diff --git a/trunk/fred.pro b/trunk/fred.pro
index 0117df8..2102e5c 100644
--- a/trunk/fred.pro
+++ b/trunk/fred.pro
@@ -1,106 +1,105 @@ #******************************************************************************* # fred Copyright (c) 2011 by Gillen Daniel * # * # Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * # with special feautures useful during forensic analysis. * # * # This program is free software: you can redistribute it and/or modify it * # under the terms of the GNU General Public License as published by the Free * # Software Foundation, either version 3 of the License, or (at your option) * # any later version. * # * # This program is distributed in the hope that it will be useful, but WITHOUT * # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * # more details. * # * # You should have received a copy of the GNU General Public License along with * # this program. If not, see . * #******************************************************************************/ # Generate compileinfo.h system(bash compileinfo.sh > compileinfo.h) #compileinfo.target = compileinfo.h #compileinfo.commands = $$PWD/compileinfo.sh > compileinfo.h #QMAKE_EXTRA_TARGETS += compileinfo #PRE_TARGETDEPS += compileinfo.h # Build fred QMAKE_CXXFLAGS += -Wall QT += core \ gui \ script \ webkit TARGET = fred TEMPLATE = app SOURCES += main.cpp\ mainwindow.cpp \ registrynode.cpp \ registrynodetreemodel.cpp \ registrykey.cpp \ registrykeytablemodel.cpp \ dlgabout.cpp \ dlgkeydetails.cpp \ qhexedit/qhexedit_p.cpp \ qhexedit/qhexedit.cpp \ datainterpreter.cpp \ reporttemplate.cpp \ datareporter.cpp \ datareporterengine.cpp \ registryhive.cpp \ qtscript_types/bytearray.cpp \ qtscript_types/bytearrayprototype.cpp \ qtscript_types/bytearrayiterator.cpp \ dlgreportviewer.cpp \ registrykeytable.cpp \ registrynodetree.cpp \ dlgsearch.cpp \ threadsearch.cpp \ searchresultwidget.cpp \ tabwidget.cpp HEADERS += mainwindow.h \ registrynode.h \ registrynodetreemodel.h \ registrykey.h \ 
registrykeytablemodel.h \ dlgabout.h \ dlgkeydetails.h \ qhexedit/qhexedit_p.h \ qhexedit/qhexedit.h \ datainterpreter.h \ reporttemplate.h \ datareporter.h \ datareporterengine.h \ registryhive.h \ qtscript_types/bytearray.h \ qtscript_types/bytearrayprototype.h \ qtscript_types/bytearrayiterator.h \ dlgreportviewer.h \ registrykeytable.h \ registrynodetree.h \ dlgsearch.h \ threadsearch.h \ searchresultwidget.h \ tabwidget.h FORMS += mainwindow.ui \ dlgabout.ui \ dlgkeydetails.ui \ dlgreportviewer.ui \ dlgsearch.ui #LIBS += -lhivex LIBS += $$PWD/hivex/lib/.libs/libhivex.a \
- -liconv
 #DEFINES += __STDC_FORMAT_MACROS RESOURCES += fred.qrc RC_FILE = fred.rc ICON = resources/fred.icns
diff --git a/trunk/qtscript_types/bytearrayprototype.cpp b/trunk/qtscript_types/bytearrayprototype.cpp
index dca2279..1edfb07 100644
--- a/trunk/qtscript_types/bytearrayprototype.cpp
+++ b/trunk/qtscript_types/bytearrayprototype.cpp
@@ -1,93 +1,98 @@ /******************************************************************************* * Copyright (c) 2011 by Gillen Daniel * * * * Derived from code by Nokia Corporation and/or its subsidiary(-ies) under a * * compatible license: * * * * Copyright (C) 2009 Nokia Corporation and/or its subsidiary(-ies). * * All rights reserved. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #include "bytearrayprototype.h" #include Q_DECLARE_METATYPE(QByteArray*) ByteArrayPrototype::ByteArrayPrototype(QObject *p_parent) : QObject(p_parent) {} ByteArrayPrototype::~ByteArrayPrototype() {} QByteArray *ByteArrayPrototype::thisByteArray() const { return qscriptvalue_cast(thisObject().data()); } void ByteArrayPrototype::chop(int n) { thisByteArray()->chop(n); } bool ByteArrayPrototype::equals(const QByteArray &other) { return *thisByteArray()==other; } QByteArray ByteArrayPrototype::left(int len) const { return thisByteArray()->left(len); } QByteArray ByteArrayPrototype::mid(int pos, int len) const { return thisByteArray()->mid(pos,len); } QScriptValue ByteArrayPrototype::remove(int pos, int len) { thisByteArray()->remove(pos,len); return thisObject(); } +QScriptValue ByteArrayPrototype::appendByte(char byte) const { + thisByteArray()->append(byte); + return thisObject(); +} + QByteArray ByteArrayPrototype::right(int len) 
const { return thisByteArray()->right(len); } QByteArray ByteArrayPrototype::simplified() const { return thisByteArray()->simplified(); } QByteArray ByteArrayPrototype::toBase64() const { return thisByteArray()->toBase64(); } QByteArray ByteArrayPrototype::toLower() const { return thisByteArray()->toLower(); } QByteArray ByteArrayPrototype::toUpper() const { return thisByteArray()->toUpper(); } QByteArray ByteArrayPrototype::trimmed() const { return thisByteArray()->trimmed(); } void ByteArrayPrototype::truncate(int pos) { thisByteArray()->truncate(pos); } QString ByteArrayPrototype::toLatin1String() const { return QString::fromLatin1(*thisByteArray()); } QScriptValue ByteArrayPrototype::valueOf() const { return thisObject().data(); }
diff --git a/trunk/qtscript_types/bytearrayprototype.h b/trunk/qtscript_types/bytearrayprototype.h
index adc2a5e..f55f61d 100644
--- a/trunk/qtscript_types/bytearrayprototype.h
+++ b/trunk/qtscript_types/bytearrayprototype.h
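Review bot: `appendByte` is declared `const` but mutates the wrapped array through `thisByteArray()->append(byte)`, unlike the other mutators in this file (`chop`, `remove`, `truncate`), which are non-const; the qualifier only compiles because `thisByteArray()` hands back a non-const `QByteArray*`, so it documents the wrong contract. Drop it both here and in the declaration added to bytearrayprototype.h: `QScriptValue ByteArrayPrototype::appendByte(char byte) {`. As with the existing slots, the pointer from `thisByteArray()` is dereferenced without a check, so a script invoking `appendByte` on a `this` that is not a ByteArray would presumably dereference a null from `qscriptvalue_cast`; a guard such as `if (QByteArray *ba = thisByteArray()) ba->append(byte);` would make the new slot safe regardless of how the script calls it.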
@@ -1,60 +1,61 @@ /******************************************************************************* * Copyright (c) 2011 by Gillen Daniel * * * * Derived from code by Nokia Corporation and/or its subsidiary(-ies) under a * * compatible license: * * * * Copyright (C) 2009 Nokia Corporation and/or its subsidiary(-ies). * * All rights reserved. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #ifndef BYTEARRAYPROTOTYPE_H #define BYTEARRAYPROTOTYPE_H #include #include #include #include class ByteArrayPrototype : public QObject, public QScriptable { Q_OBJECT - + public: ByteArrayPrototype(QObject *p_parent=0); ~ByteArrayPrototype(); public slots: void chop(int n); bool equals(const QByteArray &other); QByteArray left(int len) const; QByteArray mid(int pos, int len = -1) const; QScriptValue remove(int pos, int len); + QScriptValue appendByte(char byte) const; QByteArray right(int len) const; QByteArray simplified() const; QByteArray toBase64() const; QByteArray toLower() const; QByteArray toUpper() const; QByteArray trimmed() const; void truncate(int pos); QString toLatin1String() const; QScriptValue valueOf() const; private: QByteArray *thisByteArray() const; }; #endif // BYTEARRAYPROTOTYPE_H 
diff --git a/trunk/report_templates/SAM_UserAccounts.qs b/trunk/report_templates/SAM_UserAccounts.qs
index 94a9616..7ae130a 100644
--- a/trunk/report_templates/SAM_UserAccounts.qs
+++ b/trunk/report_templates/SAM_UserAccounts.qs
@@ -1,81 +1,84 @@
// See http://windowsir.blogspot.com/2006/08/getting-user-info-from-image.html function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function print_v_info(v_key_value,info_name,str_off) { var offset=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off))+0x0cc; var len=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off+4))/2; if(len>0) print_table_row(info_name,RegistryKeyValueToVariant(v_key_value,"utf16",offset,len)); } println(""); println(" User Accounts"); println(" "); println("

User accounts

"); // Iterate over all user names var user_names=GetRegistryNodes("\\SAM\\Domains\\Account\\Users\\Names"); for(var i=0;i"); // Print user name println(" ",user_names[i],"
"); println(" "); // Get user rid stored in "default" key var user_rid=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\Names\\",user_names[i]),""); user_rid=RegistryKeyTypeToString(user_rid.type); println(" "); // RegistryKeyTypeToString returns the rid prepended with "0x". We have to remove that for further processing user_rid=String(user_rid).substr(2); // Get user's V key and print various infos var v_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"V"); print_v_info(v_key.value,"Full name:",0x18); print_v_info(v_key.value,"Comment:",0x24); print_v_info(v_key.value,"Home directory:",0x48); print_v_info(v_key.value,"Home directory drive:",0x54); print_v_info(v_key.value,"Logon script path:",0x60); print_v_info(v_key.value,"Profile path:",0x6c); // Get user's F key and print various infos var f_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"F"); print_table_row("Last login time:",RegistryKeyValueToVariant(f_key.value,"filetime",8)); print_table_row("Last pw change:",RegistryKeyValueToVariant(f_key.value,"filetime",24)); print_table_row("Last failed login:",RegistryKeyValueToVariant(f_key.value,"filetime",40)); print_table_row("Account expires:",RegistryKeyValueToVariant(f_key.value,"filetime",32)); print_table_row("Total logins:",RegistryKeyValueToVariant(f_key.value,"uint16",66)); print_table_row("Failed logins:",RegistryKeyValueToVariant(f_key.value,"uint16",64)); var acc_flags=Number(RegistryKeyValueToVariant(f_key.value,"uint16",56)); print(" "); // Get password hint if available var hint=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"UserPasswordHint"); if(typeof hint !== 'undefined') { - print_table_row("Password hint:",RegistryKeyValueToVariant(hint.value,"utf16",0)); + // Append missing trailing utf16 zero byte + hint.value.appendByte(0); + hint.value.appendByte(0); + print_table_row("Password 
hint:",RegistryKeyValueToVariant(hint.value,"utf16")); } // TODO: User group membership println("
RID:",Number(user_rid).toString(10)," (",user_rid,")","
Account flags:"); if(acc_flags&0x0001) print("Disabled "); if(acc_flags&0x0002) print("HomeDirReq "); if(acc_flags&0x0004) print("PwNotReq "); if(acc_flags&0x0008) print("TempDupAcc "); // I don't think this would be useful to show //if(acc_flags&0x0010) print("NormUserAcc "); if(acc_flags&0x0020) print("MnsAcc "); if(acc_flags&0x0040) print("DomTrustAcc "); if(acc_flags&0x0080) print("WksTrustAcc "); if(acc_flags&0x0100) print("SrvTrustAcc "); if(acc_flags&0x0200) print("NoPwExpiry "); if(acc_flags&0x0400) print("AccAutoLock "); println("
"); println("

"); } println("");