diff --git a/trunk/datareporter.cpp b/trunk/datareporter.cpp index b547870..42dd36f 100644 --- a/trunk/datareporter.cpp +++ b/trunk/datareporter.cpp 
@@ -1,200 +1,201 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #include "datareporter.h" #include #include #include #include DataReporter::DataReporter() { this->report_templates.clear(); //this->p_report_engine=new DataReporterEngine(); } DataReporter::~DataReporter() { //delete this->p_report_engine; qDeleteAll(this->report_templates); } void DataReporter::LoadReportTemplates(QString dir) { QString report_template=""; int i=0; int ii=0; bool found=false; QString report_category=""; QString report_name=""; ReportTemplate *p_report; // Get all template files in report_templates directory QDir report_dir(dir); QStringList found_report_templates=report_dir. 
entryList(QStringList()<<"*.qs"); for(i=0;i_.qs) report_category=found_report_templates.value(i).left( found_report_templates.value(i).indexOf("_")); report_name=found_report_templates.value(i).mid( found_report_templates.value(i).indexOf("_")+1); report_name=report_name.left(report_name.lastIndexOf(".")); // Check if a report with the same category/name was already added found=false; for(ii=0;iireport_templates.count();ii++) { if(this->report_templates.at(ii)->Category()==report_category && this->report_templates.at(ii)->Name()==report_name) { found=true; break; } } if(!found) { // Add report to list - p_report=new ReportTemplate(report_category, + p_report=new ReportTemplate(report_template, + report_category, report_name, - report_template); + "","",""); this->report_templates.append(p_report); } else { // Update report entry p_report=this->report_templates.at(ii); p_report->SetFile(report_template); } } } QStringList DataReporter::GetAvailableReportCategories() { QStringList ret; QString cat; int i=0; ret.clear(); for(i=0;ireport_templates.count();i++) { cat=this->report_templates.value(i)->Category(); if(!ret.contains(cat)) ret.append(cat); } ret.sort(); return ret; } QStringList DataReporter::GetAvailableReports(QString category) { QStringList ret; QString cat; int i=0; ret.clear(); for(i=0;ireport_templates.count();i++) { cat=this->report_templates.value(i)->Category(); if(cat==category) ret.append(this->report_templates.value(i)->Name()); } ret.sort(); return ret; } QString DataReporter::GenerateReport(RegistryHive *p_hive, QString report_category, QString report_name) { int i=0; ReportTemplate *p_report; // Search report template for(i=0;ireport_templates.count();i++) { p_report=this->report_templates.value(i); if(p_report->Category()!=report_category || p_report->Name()!=report_name) { continue; } // Report template was found, now generate report and return result return this->GenerateReport(p_hive,p_report->File()); } // Report template couldn't be found 
QMessageBox::critical(0, "Report engine error", QString("Unable to find report with name '%1' in category '%2'!") .arg(report_name) .arg(report_category)); return QString(); } QString DataReporter::GenerateReport(RegistryHive *p_hive, QString report_template, bool console_mode) { QString report_code; // Init data reporter engine DataReporterEngine engine(p_hive); QScriptValue hive_value=engine.newQObject(p_hive); engine.globalObject().setProperty("RegistryHive",hive_value); // Open report template QFile template_file(report_template); if(!template_file.open(QIODevice::ReadOnly | QIODevice::Text)) { if(!console_mode) { QMessageBox::critical(0, "Report engine error", QString("Couldn't open report template file '%1'!") .arg(report_template)); } else { printf("ERROR: Couldn't open report template file '%s'!\n", report_template.toAscii().constData()); } return QString(); } // Read template file QTextStream in(&template_file); while(!in.atEnd()) report_code.append(in.readLine()).append("\n"); // Close report template file template_file.close(); // Execute report template script QScriptValue report_result=engine.evaluate(report_code,report_template); if (report_result.isError() || engine.hasUncaughtException()) { if(!console_mode) { QMessageBox::critical(0, "Report engine error", QString::fromLatin1("File: %0\n Line: %1\nError: %2") .arg(report_template) .arg(report_result.property("lineNumber") .toInt32()) .arg(report_result.toString())); } else { printf("ERROR: %s:%u: %s\n", report_template.toAscii().constData(), report_result.property("lineNumber").toInt32(), report_result.toString().toAscii().constData()); } return QString(); } return engine.report_content; } diff --git a/trunk/datareporterengine.cpp b/trunk/datareporterengine.cpp index f9e3bb9..b798439 100644 --- a/trunk/datareporterengine.cpp +++ b/trunk/datareporterengine.cpp 
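Review bot: The rewritten ReportTemplate construction in LoadReportTemplates passes `"","",""` for the three extra fields the widened constructor now takes, so templates loaded through DataReporter carry empty metadata for whatever those slots hold (the new reporttemplate.h is not in this diff, so their meaning is inferred from the dlgreportchooser.h copy). If DataReporter is kept only as a transitional path (mainwindow.cpp now comments it out in favour of Reports), say so at the call site: `// Legacy loader: template metadata is not parsed here, see Reports::LoadReportTemplates`; otherwise the "Update report entry" branch should refresh those fields too rather than only `p_report->SetFile(report_template)`. Independently, GenerateReport evaluates every `*.qs` file found in the user-writable `~/.fred/report_templates` directory as QtScript with full access to the hive object, so both template directories must be treated as trusted code; a one-line comment above `engine.evaluate(report_code,report_template)` stating that precondition would help the next maintainer.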
@@ -1,374 +1,378 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #include "datareporterengine.h" #include #include #include #include #include #include DataReporterEngine::DataReporterEngine(RegistryHive *p_hive) : QScriptEngine() { // Init vars this->p_registry_hive=p_hive; this->report_content=""; // Add our constants this->globalObject().setProperty("ENGINE_API_VERSION", this->api_version, QScriptValue::ReadOnly| QScriptValue::Undeletable); + this->globalObject().setProperty("HIVE_FILE", + this->p_registry_hive->Filename(), + QScriptValue::ReadOnly| + QScriptValue::Undeletable); // Add our types to engine qScriptRegisterMetaType(this, this->RegistryKeyValueToScript, this->RegistryKeyValueFromScript); this->p_type_byte_array=new ByteArray(this); this->globalObject().setProperty("ByteArray", this->p_type_byte_array->constructor()); // Add our functions // print QScriptValue func_print=this->newFunction(this->Print); this->globalObject().setProperty("print",func_print); // println QScriptValue func_println=this->newFunction(this->PrintLn); 
this->globalObject().setProperty("println",func_println); // GetRegistryNodes QScriptValue func_get_nodes=this->newFunction(this->GetRegistryNodes,1); func_get_nodes.setData(this->newQObject(this->p_registry_hive)); this->globalObject().setProperty("GetRegistryNodes",func_get_nodes); // GetRegistryKeys QScriptValue func_get_keys=this->newFunction(this->GetRegistryKeys,1); func_get_keys.setData(this->newQObject(this->p_registry_hive)); this->globalObject().setProperty("GetRegistryKeys",func_get_keys); // GetRegistryKeyValue QScriptValue func_get_key_value=this->newFunction(this->GetRegistryKeyValue, 2); func_get_key_value.setData(this->newQObject(this->p_registry_hive)); this->globalObject().setProperty("GetRegistryKeyValue",func_get_key_value); // GetRegistryNodeModTime QScriptValue func_get_node_modt= this->newFunction(this->GetRegistryNodeModTime,1); func_get_node_modt.setData(this->newQObject(this->p_registry_hive)); this->globalObject().setProperty("GetRegistryNodeModTime",func_get_node_modt); // RegistryKeyValueToString QScriptValue func_value_to_string= this->newFunction(this->RegistryKeyValueToString,2); this->globalObject().setProperty("RegistryKeyValueToString", func_value_to_string); // RegistryKeyValueToVariant QScriptValue func_value_to_variant= this->newFunction(this->RegistryKeyValueToVariant); this->globalObject().setProperty("RegistryKeyValueToVariant", func_value_to_variant); // RegistryKeyTypeToString QScriptValue func_type_to_string= this->newFunction(this->RegistryKeyTypeToString,1); this->globalObject().setProperty("RegistryKeyTypeToString", func_type_to_string); } DataReporterEngine::~DataReporterEngine() { delete this->p_type_byte_array; } QScriptValue DataReporterEngine::Print(QScriptContext *context, QScriptEngine *engine) { int i; QString content; // Append all arguments to content for(i=0;iargumentCount();++i) { //if(i>0) content.append(" "); content.append(context->argument(i).toString()); } //QScriptValue 
calleeData=context->callee().data(); //DataReporterEngine *engine= // qobject_cast(calleeData.toQObject()); qobject_cast(engine)->report_content.append(content); return engine->undefinedValue(); } QScriptValue DataReporterEngine::PrintLn(QScriptContext *context, QScriptEngine *engine) { int i; QString content; // Append all arguments to content for(i=0;iargumentCount();++i) { //if(i>0) content.append(" "); content.append(context->argument(i).toString()); } qobject_cast(engine)-> report_content.append(content).append("\n"); return engine->undefinedValue(); } /* * GetRegistryNodes */ QScriptValue DataReporterEngine::GetRegistryNodes(QScriptContext *context, QScriptEngine *engine) { QScriptValue calleeData; RegistryHive *p_hive; QMap nodes; QScriptValue ret_nodes; int ii=0; // This function needs one argument, parent node path if(context->argumentCount()!=1) return engine->undefinedValue(); // Get calle data (Pointer to RegistryHive class) calleeData=context->callee().data(); p_hive=qobject_cast(calleeData.toQObject()); // Get nodes nodes=p_hive->GetNodes(context->argument(0).toString()); if(p_hive->Error()) { // Clear error state p_hive->GetErrorMsg(); return engine->undefinedValue(); } // Build script array ret_nodes=engine->newArray(nodes.count()); QMapIterator i(nodes); while(i.hasNext()) { i.next(); ret_nodes.setProperty(ii++,QScriptValue(i.key())); } return ret_nodes; } /* * GetRegistryKeys */ QScriptValue DataReporterEngine::GetRegistryKeys(QScriptContext *context, QScriptEngine *engine) { QScriptValue calleeData; RegistryHive *p_hive; QMap keys; QScriptValue ret_keys; int ii=0; // This function needs one argument, parent node path if(context->argumentCount()!=1) return engine->undefinedValue(); // Get calle data (Pointer to RegistryHive class) calleeData=context->callee().data(); p_hive=qobject_cast(calleeData.toQObject()); // Get keys keys=p_hive->GetKeys(context->argument(0).toString()); if(p_hive->Error()) { // Clear error state p_hive->GetErrorMsg(); 
return engine->undefinedValue(); } //qDebug(QString("P: %1 A: %2").arg(context->argument(0).toString()).arg(keys.count()).toAscii().constData()); // Build script array ret_keys=engine->newArray(keys.count()); QMapIterator i(keys); while(i.hasNext()) { i.next(); ret_keys.setProperty(ii++,QScriptValue(i.key())); } return ret_keys; } /* * RegistryKeyValueToScript */ QScriptValue DataReporterEngine::RegistryKeyValueToScript(QScriptEngine *engine, const s_RegistryKeyValue &s) { QScriptValue obj=engine->newObject(); obj.setProperty("type",s.type); obj.setProperty("length",s.length); ByteArray *p_byte_array=new ByteArray(engine); obj.setProperty("value",p_byte_array->newInstance(s.value)); return obj; } /* * RegistryKeyValueFromScriptValue */ void DataReporterEngine::RegistryKeyValueFromScript(const QScriptValue &obj, s_RegistryKeyValue &s) { s.type=obj.property("type").toInt32(); s.length=obj.property("length").toInt32(); // TODO: Don't know if this works, but it probably does ;) s.value=qvariant_cast(obj.property("value").data().toVariant()); } QScriptValue DataReporterEngine::GetRegistryKeyValue(QScriptContext *context, QScriptEngine *engine) { QScriptValue calleeData; RegistryHive *p_hive; QByteArray key_value; int key_type=0; size_t key_length=0; s_RegistryKeyValue script_key_value; // This function needs two arguments, key path and key name if(context->argumentCount()!=2) return engine->undefinedValue(); // Get calle data (Pointer to RegistryHive class) calleeData=context->callee().data(); p_hive=qobject_cast(calleeData.toQObject()); // Get key value key_value=p_hive->GetKeyValue(context->argument(0).toString(), context->argument(1).toString(), &key_type, &key_length); if(p_hive->Error()) { // Get error message to clear error state p_hive->GetErrorMsg(); // printf("\nError: %s\n",p_hive->GetErrorMsg().toAscii().constData()); return engine->undefinedValue(); } // Save key value to s_RegistryKeyValue struct script_key_value.type=key_type; 
script_key_value.length=key_length; script_key_value.value=key_value; return DataReporterEngine::RegistryKeyValueToScript(engine,script_key_value); } QScriptValue DataReporterEngine::RegistryKeyValueToString( QScriptContext *context, QScriptEngine *engine) { QByteArray key_value; QString ret=""; // This function needs two arguments, key value and value type if(context->argumentCount()!=2) return engine->undefinedValue(); // Cast ByteArray argument to QByteArray and convert key_value=qvariant_cast(context->argument(0).data().toVariant()); ret=RegistryHive::KeyValueToString(key_value, context->argument(1).toInt32()); return engine->newVariant(ret); } QScriptValue DataReporterEngine::RegistryKeyValueToVariant( QScriptContext *context, QScriptEngine *engine) { int offset=0; int length=-1; bool little_endian=true; QByteArray key_value; QString format=""; QString ret=""; // This function needs at least two arguments, key value and variant type, // and may have three optional arguments, offset, length and little_endian if(context->argumentCount()<2 || context->argumentCount()>5) { return engine->undefinedValue(); } if(context->argumentCount()==3) { offset=context->argument(2).toInt32(); } if(context->argumentCount()==4) { offset=context->argument(2).toInt32(); length=context->argument(3).toInt32(); } if(context->argumentCount()==5) { offset=context->argument(2).toInt32(); length=context->argument(3).toInt32(); little_endian=(context->argument(4).toInt32()==1); } // Cast ByteArray argument to QByteArray key_value=qvariant_cast(context->argument(0).data().toVariant()); format=context->argument(1).toString(); ret=RegistryHive::KeyValueToString(key_value,format,offset,length,little_endian); return engine->newVariant(ret); } QScriptValue DataReporterEngine::RegistryKeyTypeToString( QScriptContext *context, QScriptEngine *engine) { QString ret=""; // This function needs one argument, key type if(context->argumentCount()!=1) return engine->undefinedValue(); 
ret=RegistryHive::KeyTypeToString(context->argument(0).toInt32()); return engine->newVariant(ret); } QScriptValue DataReporterEngine::GetRegistryNodeModTime( QScriptContext *context, QScriptEngine *engine) { QScriptValue calleeData; RegistryHive *p_hive; int64_t mod_time=0; // This function needs one argument, node path if(context->argumentCount()!=1) return engine->undefinedValue(); // Get calle data (Pointer to RegistryHive class) calleeData=context->callee().data(); p_hive=qobject_cast(calleeData.toQObject()); mod_time=p_hive->GetNodeModTime(context->argument(0).toString()); if(p_hive->Error()) { // Get error message to clear error state p_hive->GetErrorMsg(); return engine->undefinedValue(); } QDateTime date_time; date_time.setTimeSpec(Qt::UTC); date_time.setTime_t(RegistryHive::FiletimeToUnixtime(mod_time)); return engine->newVariant(date_time.toString("yyyy/MM/dd hh:mm:ss")); } diff --git a/trunk/dlgreportchooser.cpp b/trunk/dlgreportchooser.cpp new file mode 100644 index 0000000..223fb92 --- /dev/null +++ b/trunk/dlgreportchooser.cpp 
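Review bot: The added `HIVE_FILE` property dereferences `this->p_registry_hive->Filename()` in the constructor, whereas before this change the pointer was only passed to `newQObject`, which tolerates NULL; an engine constructed without an open hive now crashes on construction instead of failing later in a script call. Either guard it, `if(this->p_registry_hive!=NULL) this->globalObject().setProperty("HIVE_FILE", this->p_registry_hive->Filename(), QScriptValue::ReadOnly|QScriptValue::Undeletable);`, or document the non-NULL precondition on the constructor in datareporterengine.h. Note also that this publishes the analyst's local on-disk hive path into the script environment, so a template that prints it embeds a host path in a report that may be shared; that is acceptable but worth a `// NOTE: exposes the local hive path to templates` comment next to the property.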
@@ -0,0 +1,94 @@ +/******************************************************************************* +* fred Copyright (c) 2011-2013 by Gillen Daniel * +* * +* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * +* with special feautures useful during forensic analysis. * +* * +* This program is free software: you can redistribute it and/or modify it * +* under the terms of the GNU General Public License as published by the Free * +* Software Foundation, either version 3 of the License, or (at your option) * +* any later version. * +* * +* This program is distributed in the hope that it will be useful, but WITHOUT * +* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * +* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * +* more details. * +* * +* You should have received a copy of the GNU General Public License along with * +* this program. If not, see . * +*******************************************************************************/ + +#include "dlgreportchooser.h" +#include "ui_dlgreportchooser.h" + +#include +#include +#include + +DlgReportChooser::DlgReportChooser(Reports *p_reps, QWidget *p_parent) + : QDialog(p_parent), ui(new Ui::DlgReportChooser) +{ + QTreeWidgetItem *p_category; + QTreeWidgetItem *p_category_report; + + this->ui->setupUi(this); + + // Save values for later use + this->p_reports=p_reps; + + // Populate tree with reports + QStringList report_cats=this->p_reports->GetAvailableReportCategories(); + QListIterator cat_it(report_cats); + QString cur_cat; + while(cat_it.hasNext()) { + cur_cat=cat_it.next(); + p_category=new QTreeWidgetItem(this->ui->TrReports); + p_category->setText(0,cur_cat); + QStringList reports=this->p_reports->GetAvailableReports(cur_cat); + QListIterator rep_it(reports); + while(rep_it.hasNext()) { + p_category_report=new QTreeWidgetItem(p_category); + p_category_report->setText(0,rep_it.next()); + p_category_report->setFlags(Qt::ItemIsEnabled| + 
Qt::ItemIsSelectable| + Qt::ItemIsUserCheckable); + p_category_report->setCheckState(0,Qt::Unchecked); + } + } +} + +DlgReportChooser::~DlgReportChooser() { + delete this->ui; +} + +void DlgReportChooser::changeEvent(QEvent *e) { + QDialog::changeEvent(e); + switch (e->type()) { + case QEvent::LanguageChange: + this->ui->retranslateUi(this); + break; + default: + break; + } +} + +void DlgReportChooser::on_BtnCancel_clicked() { + this->reject(); +} + +void DlgReportChooser::on_TrReports_currentItemChanged(QTreeWidgetItem *current, + QTreeWidgetItem *previous) +{ + QString category,name; + + if(current->parent()==NULL) return; + + category=current->parent()->text(0); + name=current->text(0); + QMap report_infos= + this->p_reports->GetReportInfo(category,name); + this->ui->LblAuthor->setText(tr("Author: %1") + .arg(report_infos["report_author"])); + this->ui->LblDesc->setText(tr("Description:\n\n %1") + .arg(report_infos["report_desc"])); +} diff --git a/trunk/reporttemplate.h b/trunk/dlgreportchooser.h similarity index 72% copy from trunk/reporttemplate.h copy to trunk/dlgreportchooser.h index 23ae59a..8751723 100644 --- a/trunk/reporttemplate.h +++ b/trunk/dlgreportchooser.h 
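Review bot: `on_TrReports_currentItemChanged` dereferences `current` before checking it, but Qt passes a NULL `current` when the selection is cleared or the tree is emptied, so `current->parent()` is a null-pointer dereference; change the guard to `if(current==NULL || current->parent()==NULL) return;`. Separately, `LblAuthor` and `LblDesc` are filled from strings read out of the template file, and QLabel's default text format is AutoText, so a description containing HTML markup is rendered as rich text, including clickable links; if that is not intended, call `setTextFormat(Qt::PlainText)` on both labels in the constructor. The `previous` parameter is unused and can be left unnamed to silence -Wall.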
@@ -1,46 +1,53 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ -#ifndef REPORTTEMPLATE_H -#define REPORTTEMPLATE_H +#ifndef DLGREPORTCHOOSER_H +#define DLGREPORTCHOOSER_H -#include +#include "reports.h" + +#include +#include + +namespace Ui { + class DlgReportChooser; +} + +class DlgReportChooser : public QDialog { + Q_OBJECT -class ReportTemplate { public: - ReportTemplate(QString report_category, - QString report_name, - QString report_template_file); + explicit DlgReportChooser(Reports *p_reps, QWidget *p_parent=0); + ~DlgReportChooser(); + + protected: + void changeEvent(QEvent *e); - void SetCategory(QString new_category); - void SetName(QString new_name); - void SetFile(QString new_file); + private slots: + void on_BtnCancel_clicked(); - QString Category(); - QString Name(); - QString File(); + void on_TrReports_currentItemChanged(QTreeWidgetItem *current, QTreeWidgetItem *previous); private: - QString category; - QString name; - QString template_file; + Ui::DlgReportChooser *ui; + Reports *p_reports; }; -#endif // REPORTTEMPLATE_H 
+#endif // DLGREPORTCHOOSER_H diff --git a/trunk/dlgreportchooser.ui b/trunk/dlgreportchooser.ui new file mode 100644 index 0000000..6e4877d --- /dev/null +++ b/trunk/dlgreportchooser.ui @@ -0,0 +1,125 @@ + + + DlgReportChooser + + + + 0 + 0 + 400 + 300 + + + + Generate report + + + + :/icons/resources/fred.png:/icons/resources/fred.png + + + + + + + + Available reports + + + + 6 + + + 0 + + + + + true + + + + 1 + + + + + + + + + + + Report details + + + + + + + + + + + + + + + + + + + + Qt::Vertical + + + + 20 + 40 + + + + + + + + + + + + + + + &Cancel + + + + + + + Qt::Horizontal + + + + 40 + 20 + + + + + + + + &Generate + + + + + + + + + + + + diff --git a/trunk/fred.pro b/trunk/fred.pro index 481722b..4ef941c 100644 --- a/trunk/fred.pro +++ b/trunk/fred.pro 
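Review bot: The dialog declares only `on_BtnCancel_clicked()` and the tree-selection slot, while the accompanying dlgreportchooser.ui defines an `&Generate` button; unless the .ui wires that button to `accept()` directly, nothing accepts the dialog or exposes the checked reports to the caller, so the header should also declare something like `void on_BtnGenerate_clicked();` and an accessor returning the checked category/name pairs. The `Reports *p_reports` member is a non-owning pointer; a one-line `// not owned, must outlive the dialog` comment would make that explicit. Whether the original reporttemplate.h still exists is not decidable from this hunk alone, since the header records a copy rather than a rename.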
@@ -1,119 +1,126 @@ #******************************************************************************* # fred Copyright (c) 2011-2013 by Gillen Daniel * # * # Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * # with special feautures useful during forensic analysis. * # * # This program is free software: you can redistribute it and/or modify it * # under the terms of the GNU General Public License as published by the Free * # Software Foundation, either version 3 of the License, or (at your option) * # any later version. * # * # This program is distributed in the hope that it will be useful, but WITHOUT * # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * # more details. * # * # You should have received a copy of the GNU General Public License along with * # this program. If not, see . * #******************************************************************************/ # Generate compileinfo.h system(bash compileinfo.sh > compileinfo.h) #compileinfo.target = compileinfo.h #compileinfo.commands = $$PWD/compileinfo.sh > compileinfo.h #QMAKE_EXTRA_TARGETS += compileinfo #PRE_TARGETDEPS += compileinfo.h # Build fred QMAKE_CXXFLAGS += -Wall QT += core \ gui \ script \ webkit CONFIG += console TARGET = fred TEMPLATE = app SOURCES += main.cpp\ mainwindow.cpp \ registrynode.cpp \ registrynodetreemodel.cpp \ registrykey.cpp \ registrykeytablemodel.cpp \ dlgabout.cpp \ dlgkeydetails.cpp \ qhexedit/qhexedit_p.cpp \ qhexedit/qhexedit.cpp \ reporttemplate.cpp \ datareporter.cpp \ datareporterengine.cpp \ registryhive.cpp \ qtscript_types/bytearray.cpp \ qtscript_types/bytearrayprototype.cpp \ qtscript_types/bytearrayiterator.cpp \ dlgreportviewer.cpp \ registrykeytable.cpp \ registrynodetree.cpp \ dlgsearch.cpp \ threadsearch.cpp \ searchresultwidget.cpp \ tabwidget.cpp \ argparser.cpp \ datainterpretertable.cpp \ datainterpreterwidget.cpp \ 
hexeditwidget.cpp \ settings.cpp \ searchresulttabledelegate.cpp \ - registrynodetreemodelproxy.cpp + registrynodetreemodelproxy.cpp \ + reports.cpp \ + reportengine.cpp \ + dlgreportchooser.cpp HEADERS += mainwindow.h \ registrynode.h \ registrynodetreemodel.h \ registrykey.h \ registrykeytablemodel.h \ dlgabout.h \ dlgkeydetails.h \ qhexedit/qhexedit_p.h \ qhexedit/qhexedit.h \ reporttemplate.h \ datareporter.h \ datareporterengine.h \ registryhive.h \ qtscript_types/bytearray.h \ qtscript_types/bytearrayprototype.h \ qtscript_types/bytearrayiterator.h \ dlgreportviewer.h \ registrykeytable.h \ registrynodetree.h \ dlgsearch.h \ threadsearch.h \ searchresultwidget.h \ tabwidget.h \ argparser.h \ datainterpretertable.h \ datainterpreterwidget.h \ hexeditwidget.h \ settings.h \ searchresulttabledelegate.h \ - registrynodetreemodelproxy.h + registrynodetreemodelproxy.h \ + reports.h \ + reportengine.h \ + dlgreportchooser.h FORMS += mainwindow.ui \ dlgabout.ui \ dlgkeydetails.ui \ dlgreportviewer.ui \ - dlgsearch.ui + dlgsearch.ui \ + dlgreportchooser.ui #LIBS += -lhivex LIBS += $$PWD/hivex/lib/.libs/libhivex.a #DEFINES += __STDC_FORMAT_MACROS RESOURCES += fred.qrc RC_FILE = fred.rc ICON = resources/fred.icns diff --git a/trunk/mainwindow.cpp b/trunk/mainwindow.cpp index 8fca0ca..7ddfe45 100644 --- a/trunk/mainwindow.cpp +++ b/trunk/mainwindow.cpp 
@@ -1,574 +1,599 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #ifndef FRED_REPORT_TEMPLATE_DIR #ifndef __MINGW32__ #define FRED_REPORT_TEMPLATE_DIR "/usr/share/fred/report_templates/" #else #define FRED_REPORT_TEMPLATE_DIR ".\\report_templates\\" #endif #endif #include #include #include #include #include #include #include "mainwindow.h" #include "ui_mainwindow.h" #include "dlgabout.h" #include "dlgkeydetails.h" +#include "dlgreportchooser.h" #include "dlgreportviewer.h" #include "dlgsearch.h" #include "compileinfo.h" MainWindow::MainWindow(ArgParser *p_arg_parser) : QMainWindow(0), ui(new Ui::MainWindow) { ui->setupUi(this); // Initialize private vars this->p_args=p_arg_parser; this->p_hive=new RegistryHive(this); this->is_hive_open=false; this->p_reg_node_tree_model=NULL; this->p_reg_node_tree_model_proxy=NULL; this->p_reg_key_table_model=NULL; this->p_search_thread=NULL; this->search_result_widgets.clear(); // Check for ~/.fred config dir this->CheckUserConfigDir(); // Set main window size int 
cur_screen=QApplication::desktop()->screenNumber(this); int window_width= QApplication::desktop()->availableGeometry(cur_screen).width()*0.5; int window_height= QApplication::desktop()->availableGeometry(cur_screen).height()*0.5; int window_x= (QApplication::desktop()->availableGeometry(cur_screen).width()/2)- (window_width/2); int window_y= (QApplication::desktop()->availableGeometry(cur_screen).height()/2)- (window_height/2); this->setGeometry(window_x, window_y, window_width, window_height); // Create widgets this->p_horizontal_splitter=new QSplitter(); this->p_horizontal_splitter->setOrientation(Qt::Horizontal); this->p_node_tree=new RegistryNodeTree(this->p_horizontal_splitter); this->p_vertical_splitter=new QSplitter(this->p_horizontal_splitter); this->p_vertical_splitter->setOrientation(Qt::Vertical); this->p_key_table=new RegistryKeyTable(this->p_vertical_splitter); this->p_tab_widget=new TabWidget(this->p_vertical_splitter); this->p_hex_edit_widget=new HexEditWidget(); // Add hexedit page to tab_widget this->p_tab_widget->addTab(this->p_hex_edit_widget,tr("Hex viewer")); // Add widgets to their splitters this->p_vertical_splitter->addWidget(this->p_key_table); this->p_vertical_splitter->addWidget(this->p_tab_widget); this->p_horizontal_splitter->addWidget(this->p_node_tree); this->p_horizontal_splitter->addWidget(this->p_vertical_splitter); // Set stretch factors QSizePolicy node_tree_policy=this->p_node_tree->sizePolicy(); node_tree_policy.setHorizontalStretch(1); node_tree_policy.setVerticalStretch(100); this->p_node_tree->setSizePolicy(node_tree_policy); QSizePolicy vertical_splitter_policy=this->p_vertical_splitter->sizePolicy(); vertical_splitter_policy.setHorizontalStretch(4); vertical_splitter_policy.setVerticalStretch(100); this->p_vertical_splitter->setSizePolicy(vertical_splitter_policy); QSizePolicy key_table_policy=this->p_key_table->sizePolicy(); key_table_policy.setVerticalStretch(5); key_table_policy.setHorizontalStretch(100); 
this->p_key_table->setSizePolicy(key_table_policy); QSizePolicy tab_widget_policy=this->p_tab_widget->sizePolicy(); tab_widget_policy.setVerticalStretch(2); tab_widget_policy.setHorizontalStretch(200); this->p_tab_widget->setSizePolicy(tab_widget_policy); // Connect signals this->connect(this->p_node_tree, SIGNAL(clicked(QModelIndex)), this, SLOT(SlotNodeTreeClicked(QModelIndex))); this->connect(this->p_node_tree, SIGNAL(activated(QModelIndex)), this, SLOT(SlotNodeTreeClicked(QModelIndex))); this->connect(this->p_node_tree, SIGNAL(CurrentItemChanged(QModelIndex)), this, SLOT(SlotNodeTreeClicked(QModelIndex))); this->connect(this->p_key_table, SIGNAL(clicked(QModelIndex)), this, SLOT(SlotKeyTableClicked(QModelIndex))); this->connect(this->p_key_table, SIGNAL(doubleClicked(QModelIndex)), this, SLOT(SlotKeyTableDoubleClicked(QModelIndex))); this->connect(this->p_key_table, SIGNAL(CurrentItemChanged(QModelIndex)), this, SLOT(SlotKeyTableClicked(QModelIndex))); this->connect(this->p_tab_widget, SIGNAL(tabCloseRequested(int)), this, SLOT(SlotTabCloseButtonClicked(int))); // Add central widget this->setCentralWidget(this->p_horizontal_splitter); this->centralWidget()->setContentsMargins(4,4,4,0); // Set window title this->UpdateWindowTitle(); // Set last open location to home dir this->last_open_location=QDir::homePath(); - // Load report templates and update menu +/* + // Load report templates this->p_data_reporter=new DataReporter(); // Load reports from system wide include dir this->p_data_reporter->LoadReportTemplates(FRED_REPORT_TEMPLATE_DIR); // Load user's report templates this->p_data_reporter->LoadReportTemplates(QDir::homePath() .append(QDir::separator()) .append(".fred") .append(QDir::separator()) .append("report_templates")); this->UpdateDataReporterMenu(); +*/ + + // Load report templates + this->p_reports=new Reports(); + // Load reports from system wide include dir + this->p_reports->LoadReportTemplates(FRED_REPORT_TEMPLATE_DIR); + // Load user's report 
templates + this->p_reports->LoadReportTemplates(QDir::homePath() + .append(QDir::separator()) + .append(".fred") + .append(QDir::separator()) + .append("report_templates")); // Finally, react on some command line arguments if(this->p_args->IsSet("maximized")) { this->setWindowState(Qt::WindowMaximized); } if(this->p_args->IsSet("fullscreen")) { this->setWindowState(Qt::WindowFullScreen); } if(this->p_args->IsSet("hive-file")) { this->OpenHive(this->p_args->GetArgVal("hive-file")); } } MainWindow::~MainWindow() { if(this->is_hive_open) { this->p_hive->Close(); } delete ui; } void MainWindow::on_action_Quit_triggered() { qApp->exit(); } void MainWindow::on_action_Open_hive_triggered() { QString hive_file=""; hive_file=QFileDialog::getOpenFileName(this, tr("Open registry hive"), this->last_open_location, tr("All files (*)")); if(hive_file=="") return; this->OpenHive(hive_file); } void MainWindow::on_action_Close_hive_triggered() { if(this->is_hive_open) { // Remove search results while(this->p_tab_widget->count()>1) { this->p_tab_widget->removeTab(this->p_tab_widget->count()-1); delete this->search_result_widgets.at(this->p_tab_widget->count()-1); this->search_result_widgets.removeLast(); } // Delete models if(this->p_reg_node_tree_model!=NULL) { this->p_node_tree->setModel(NULL); delete this->p_reg_node_tree_model_proxy; delete this->p_reg_node_tree_model; this->p_reg_node_tree_model_proxy=NULL; this->p_reg_node_tree_model=NULL; } if(this->p_reg_key_table_model!=NULL) { this->p_key_table->setModel(NULL); delete this->p_reg_key_table_model; this->p_reg_key_table_model=NULL; } // Remove any data from hex edit and data interpreter this->p_hex_edit_widget->SetData(QByteArray()); this->p_hex_edit_widget->setEnabled(false); // Close hive this->p_hive->Close(); this->is_hive_open=false; this->ui->action_Close_hive->setEnabled(false); this->ui->ActionSearch->setEnabled(false); this->ui->MenuReports->setEnabled(false); this->UpdateWindowTitle(); } } void 
MainWindow::on_actionAbout_Qt_triggered() { QMessageBox::aboutQt(this,tr("About Qt")); } void MainWindow::on_actionAbout_fred_triggered() { DlgAbout dlg_about(this); dlg_about.exec(); } void MainWindow::on_ActionSearch_triggered() { DlgSearch dlg_search(this); if(dlg_search.exec()==QDialog::Accepted) { // Create search thread and connect needed signals/slots this->p_search_thread=new ThreadSearch(this); // Add new search widget to tabwidget and to internal widget list SearchResultWidget *p_search_widget= new SearchResultWidget(this->p_tab_widget); p_search_widget->setEnabled(false); this->search_result_widgets.append(p_search_widget); this->connect(p_search_widget, SIGNAL(doubleClicked(QModelIndex)), this, SLOT(SlotSearchResultWidgetDoubleClicked(QModelIndex))); this->p_tab_widget->addTab(p_search_widget,tr("Search results"),true); this->p_tab_widget->setCurrentIndex(this->p_tab_widget->count()-1); // Connect search thread to result widget this->connect(this->p_search_thread, SIGNAL(SignalFoundMatch(ThreadSearch::eMatchType, QString,QString,QString)), p_search_widget, SLOT(SlotFoundMatch(ThreadSearch::eMatchType, QString,QString,QString))); this->connect(this->p_search_thread, SIGNAL(finished()), this, SLOT(SlotSearchFinished())); this->connect(this->p_search_thread, SIGNAL(finished()), p_search_widget, SLOT(SlotSearchFinished())); // Start searching this->ui->ActionSearch->setEnabled(false); p_search_thread->Search(this->p_hive->Filename(), dlg_search.Keywords(), dlg_search.SearchNodeNames(), dlg_search.SearchKeyNames(), dlg_search.SearchKeyValues()); } } void MainWindow::SlotNodeTreeClicked(QModelIndex index) { QString node_path; if(!index.isValid()) return; // Map proxy index to tree model index index=this->p_reg_node_tree_model_proxy->mapToSource(index); // Built node path node_path=this->p_reg_node_tree_model->GetNodePath(index); // Create table model and attach it to the table view if(this->p_reg_key_table_model!=NULL) { // If a previous model was set, delete 
it and clear hexedit etc... this->p_key_table->setModel(NULL); delete this->p_reg_key_table_model; this->p_hex_edit_widget->SetData(QByteArray()); } this->p_reg_key_table_model=new RegistryKeyTableModel(this->p_hive,node_path); this->p_key_table->setModel(this->p_reg_key_table_model); // Set focus back to nodetree to be able to navigate with keyboard this->p_node_tree->setFocus(); } void MainWindow::SlotKeyTableDoubleClicked(QModelIndex index) { Q_UNUSED(index); /* QModelIndex key_index; QModelIndex node_index; QStringList nodes; QString key_name; QString key_type; QByteArray key_value; if(!index.isValid()) return; // Get key name, type and value key_index=this->p_reg_key_table_model->index(index.row(),0); key_name=this->p_reg_key_table_model->data(key_index,Qt::DisplayRole) .toString(); key_index=this->p_reg_key_table_model->index(index.row(),1); key_type=this->p_reg_key_table_model->data(key_index,Qt::DisplayRole) .toString();ThreadSearch key_index=this->p_reg_key_table_model->index(index.row(),2); key_value=this->p_reg_key_table_model->data(key_index, RegistryKeyTableModel:: AdditionalRoles_GetRawData) .toByteArray(); // Get current node node_index=this->p_node_tree->currentIndex(); //Built node path nodes.clear(); nodes.append(this->p_reg_node_tree_model-> data(node_index,Qt::DisplayRole).toString()); while(this->p_reg_node_tree_model->parent(node_index)!=QModelIndex()) { // Prepend all parent nodes node_index=this->p_reg_node_tree_model->parent(node_index); nodes.prepend(this->p_reg_node_tree_model-> data(node_index,Qt::DisplayRole).toString()); } DlgKeyDetails dlg_key_details(this); dlg_key_details.SetValues(nodes,key_name,key_type,key_value); dlg_key_details.exec(); */ } void MainWindow::SlotKeyTableClicked(QModelIndex index) { if(!index.isValid()) return; this->selected_key_value= this->p_reg_key_table_model->data(this->p_reg_key_table_model-> index(index.row(),2), RegistryKeyTableModel:: AdditionalRoles_GetRawData) .toByteArray(); 
this->p_hex_edit_widget->SetData(this->selected_key_value); // Set focus back to nodetree to be able to navigate with keyboard this->p_key_table->setFocus(); } +/* void MainWindow::SlotReportClicked() { // Get report category and name from sender and it's parent QString category=((QMenu*)((QAction*)QObject::sender())->parent())->title(); QString report=((QAction*)QObject::sender())->text(); // Generate report QString report_content=this->p_data_reporter->GenerateReport(this->p_hive, category, report); // Show result in report viewer if(report_content!=QString()) { DlgReportViewer *p_dlg_report_view=new DlgReportViewer(report_content,this); p_dlg_report_view->exec(); delete p_dlg_report_view; } else { // TODO: Something went wrong! } } +*/ void MainWindow::SlotSearchFinished() { delete this->p_search_thread; this->p_search_thread=NULL; this->ui->ActionSearch->setEnabled(true); // Enable result widget this->search_result_widgets.last()->setEnabled(true); } void MainWindow::SlotSearchResultWidgetDoubleClicked(QModelIndex index) { SearchResultWidget *p_sender; QString path; QString match_type; QString value; QString key=""; int i; if(!index.isValid()) return; // Get pointer to sender p_sender=(SearchResultWidget*)QObject::sender(); // Get path and matchtype path=p_sender->item(index.row(),0)->text(); match_type=p_sender->item(index.row(),1)->text(); value=p_sender->item(index.row(),2)->text(); if(match_type==tr("Node name")) { // Node name is not part of path. Add it if(path=="\\") path.append(value); else path.append("\\").append(value); } else if(match_type==tr("Key name")) { // Key name is stored in value key=value; } else if(match_type==tr("Key value")) { // Key name is part of path. 
Save and remove it QStringList nodes=path.split("\\",QString::SkipEmptyParts); key=nodes.at(nodes.count()-1); // Remove \ from path path.chop(key.length()+1); } // Expand treeview to correct node QList indexes= this->p_reg_node_tree_model->GetIndexListOf(path); for(i=0;ip_reg_node_tree_model_proxy-> mapFromSource(indexes.at(i))); this->p_node_tree->expand(indexes.at(i)); } if(indexes.count()>0) { // Scroll to last expanded node, select it and update widgets this->p_node_tree->scrollTo(indexes.at(indexes.count()-1), QAbstractItemView::PositionAtCenter); this->p_node_tree->selectionModel()->clear(); this->p_node_tree->selectionModel()-> select(indexes.at(indexes.count()-1), QItemSelectionModel::Select); // TODO: This does not work!! this->SlotNodeTreeClicked(indexes.at(indexes.count()-1)); } // Select correct key if search matched on keay name / value if(key!="") { int row=this->p_reg_key_table_model->GetKeyRow(key); this->p_key_table->clearSelection(); this->p_key_table->scrollTo(this->p_reg_key_table_model->index(row,0), QAbstractItemView::PositionAtCenter); this->p_key_table->selectRow(row); this->SlotKeyTableClicked(this->p_reg_key_table_model->index(row,0)); } } void MainWindow::SlotTabCloseButtonClicked(int index) { // Delete tab widget and remove tab this->p_tab_widget->removeTab(index); delete this->search_result_widgets.at(index-1); this->search_result_widgets.removeAt(index-1); } void MainWindow::CheckUserConfigDir() { QString user_config_dir=QDir::homePath() .append(QDir::separator()) .append(".fred"); if(!QDir(user_config_dir).exists()) { // User config dir does not exists, try to create it if(!QDir().mkpath(user_config_dir)) { // TODO: Maybe warn user return; } user_config_dir.append(QDir::separator()).append("report_templates"); if(!QDir().mkpath(user_config_dir)) { // TODO: Maybe warn user return; } } } void MainWindow::UpdateWindowTitle(QString filename) { if(filename=="") { this->setWindowTitle(QString("%1 v%2").arg(APP_TITLE,APP_VERSION)); } else { 
this->setWindowTitle(QString("%1 v%2 - %3").arg(APP_TITLE, APP_VERSION, filename.toLocal8Bit() .constData())); } } +/* void MainWindow::UpdateDataReporterMenu() { int i=0,ii=0; QMenu *p_category_entry; QAction *p_report_entry; QStringList categories=this->p_data_reporter->GetAvailableReportCategories(); QStringList reports; for(i=0;iui->MenuReports->addMenu(categories.value(i)); // Now add category reports reports=this->p_data_reporter->GetAvailableReports(categories.value(i)); for(ii=0;iiaddAction(p_report_entry); this->connect(p_report_entry, SIGNAL(triggered()), this, SLOT(SlotReportClicked())); } } } +*/ void MainWindow::OpenHive(QString hive_file) { // Update last open location this->last_open_location=hive_file.left(hive_file. lastIndexOf(QDir::separator())); // If another hive is currently open, close it if(this->is_hive_open) this->on_action_Close_hive_triggered(); // Try to open hive if(!this->p_hive->Open(hive_file)) { QMessageBox::critical(this, tr("Error opening hive file"), tr("Unable to open file '%1'").arg(hive_file)); return; } // Create tree model & proxy this->p_reg_node_tree_model=new RegistryNodeTreeModel(this->p_hive); this->p_reg_node_tree_model_proxy=new RegistryNodeTreeModelProxy(this); //this->p_reg_node_tree_model_proxy->setDynamicSortFilter(true); this->p_reg_node_tree_model_proxy-> setSourceModel(this->p_reg_node_tree_model); this->p_node_tree->setModel(this->p_reg_node_tree_model_proxy); this->is_hive_open=true; this->ui->action_Close_hive->setEnabled(true); this->ui->ActionSearch->setEnabled(true); this->ui->MenuReports->setEnabled(true); // Enable data interpreter this->p_hex_edit_widget->setEnabled(true); this->UpdateWindowTitle(hive_file); } + +void MainWindow::on_ActionGenerateReport_triggered() { + DlgReportChooser dlg_repchooser(this->p_reports,this); + if(dlg_repchooser.exec()==QDialog::Accepted) { + + } +} diff --git a/trunk/mainwindow.h b/trunk/mainwindow.h index d14ccc8..38de0c8 100644 --- a/trunk/mainwindow.h 
+++ b/trunk/mainwindow.h 
@@ -1,127 +1,131 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #ifndef MAINWINDOW_H #define MAINWINDOW_H #include #include #include #include #include #include #include #include #include #include "argparser.h" #include "registryhive.h" #include "registrynodetree.h" #include "registrynodetreemodel.h" #include "registrynodetreemodelproxy.h" #include "registrykeytable.h" #include "registrykeytablemodel.h" #include "hexeditwidget.h" -#include "datareporter.h" +//#include "datareporter.h" +#include "reports.h" #include "threadsearch.h" #include "searchresultwidget.h" #include "tabwidget.h" namespace Ui { class MainWindow; } class MainWindow : public QMainWindow { Q_OBJECT public: explicit MainWindow(ArgParser *p_arg_parser); ~MainWindow(); private slots: void on_action_Quit_triggered(); void on_action_Open_hive_triggered(); void on_action_Close_hive_triggered(); void on_actionAbout_Qt_triggered(); void on_actionAbout_fred_triggered(); void on_ActionSearch_triggered(); void SlotNodeTreeClicked(QModelIndex index); void 
SlotKeyTableClicked(QModelIndex index); void SlotKeyTableDoubleClicked(QModelIndex index); - void SlotReportClicked(); +// void SlotReportClicked(); void SlotSearchFinished(); void SlotSearchResultWidgetDoubleClicked(QModelIndex index); void SlotTabCloseButtonClicked(int index); -private: + void on_ActionGenerateReport_triggered(); + + private: Ui::MainWindow *ui; ArgParser *p_args; QString last_open_location; RegistryHive *p_hive; bool is_hive_open; QByteArray selected_key_value; QList search_result_widgets; // Models RegistryNodeTreeModel *p_reg_node_tree_model; RegistryNodeTreeModelProxy *p_reg_node_tree_model_proxy; RegistryKeyTableModel *p_reg_key_table_model; // Widgets etc... RegistryNodeTree *p_node_tree; RegistryKeyTable *p_key_table; TabWidget *p_tab_widget; HexEditWidget *p_hex_edit_widget; QSplitter *p_horizontal_splitter; QSplitter *p_vertical_splitter; - DataReporter *p_data_reporter; +// DataReporter *p_data_reporter; + Reports *p_reports; // Threads ThreadSearch *p_search_thread; /* * CheckUserConfigDir * * Checks for and possibly creates the ~/.fred directory */ void CheckUserConfigDir(); /* * UpdateWindowTitle * * Updates the window title */ void UpdateWindowTitle(QString filename=""); /* * UpdateDataReporterMenu * */ - void UpdateDataReporterMenu(); +// void UpdateDataReporterMenu(); /* * OpenHive * * Open a registry hive */ void OpenHive(QString hive_file); }; #endif // MAINWINDOW_H diff --git a/trunk/mainwindow.ui b/trunk/mainwindow.ui index 3732138..4fe3b89 100644 --- a/trunk/mainwindow.ui +++ b/trunk/mainwindow.ui @@ -1,139 +1,154 @@ MainWindow 0 0 508 317 0 0 0 0 MainWindow :/icons/resources/fred.png:/icons/resources/fred.png 0 0 508 27 &File &Help false &Reports + + &Edit &Open hive Ctrl+O false Close hive &Quit Ctrl+Q About Qt About fred false &Search Ctrl+S false &Preferences + + + true + + + Generate report + + + + + Reload report templates + + 
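Review bot: `Reports *p_reports;` is an owning raw pointer with no matching release: `MainWindow::~MainWindow` elsewhere in this diff deletes only `ui`, so the Reports object created in the constructor is leaked, exactly as `p_data_reporter` was before it. If the Reports constructor accepts a QObject parent, `new Reports(this)` lets Qt own it; otherwise add `delete this->p_reports;` to the destructor. The commented-out declarations `// void SlotReportClicked();`, `// DataReporter *p_data_reporter;`, `// void UpdateDataReporterMenu();` and `//#include "datareporter.h"` should be removed rather than kept, since their definitions are also commented out in mainwindow.cpp and version control keeps the history. The re-indented `private:` access specifier is a stray whitespace change that should be reverted.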
diff --git a/trunk/report_templates/NTUSER_Autoruns.qs b/trunk/report_templates/NTUSER_Autoruns.qs
index d166110..5ac0949 100644
--- a/trunk/report_templates/NTUSER_Autoruns.qs
+++ b/trunk/report_templates/NTUSER_Autoruns.qs
@@ -1,49 +1,61 @@
+function fred_report_info() {
+ var info={report_cat : "NTUSER",
+ report_name : "Autoruns",
+ report_author : "Gillen Daniel",
+ report_desc : "Dump autorun keys",
+ fred_api : 2,
+ hive : "NTUSER"
+ };
+ return info;
+}
+
 function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ListAutoruns(autorun_path,autorun_key) { println("

"); println(" "+autorun_key+"
"); var run_keys=GetRegistryKeys(autorun_path+autorun_key); if(IsValid(run_keys) && run_keys.length>0) { println(" "); print_table_row("Name","Executable"); for(var i=0;i"); } else { println("         None"); } println("

"); } -// Global vars -var val; +function fred_report_html() { + var val; -println(""); -println(" User Autoruns"); -println(" "); -println("

User Autoruns

"); + println(""); + println(" User Autoruns"); + println(" "); + println("

User Autoruns

"); -// Run -ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","Run"); + // Run + ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","Run"); -// RunOnce -ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnce"); + // RunOnce + ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnce"); -// RunOnceEx -ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnceEx"); + // RunOnceEx + ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnceEx"); -// TODO: There might be a Run under WindowsNT\CurrentVersion\Run too! + // TODO: There might be a Run under WindowsNT\CurrentVersion\Run too! -println(""); + println(""); +} diff --git a/trunk/report_templates/NTUSER_LaunchedApplications.qs b/trunk/report_templates/NTUSER_LaunchedApplications.qs index 92a51a3..b90bdf8 100644 --- a/trunk/report_templates/NTUSER_LaunchedApplications.qs +++ b/trunk/report_templates/NTUSER_LaunchedApplications.qs @@ -1,101 +1,111 @@ +function fred_report_info() { + var info={report_cat : "NTUSER", + report_name : "Launched applications", + report_author : "Gillen Daniel", + report_desc : "Dump IE launched applications", + fred_api : 2, + hive : "NTUSER" + }; + return info; +} + function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function PrintTableRow(cell01,cell02,cell03) { println("
"); } function Rot13Decode(val) { var ret=""; for(var i=0;i64 && decoded<91) || (decoded>96 && decoded<123)) { if((decoded-13)<65 || (decoded>96 && (decoded-13)<97)) { decoded=(decoded-13)+26; } else { if(decoded>96 && (decoded-13)<97) { decoded+=13; } else { decoded-=13; } } ret+=String.fromCharCode(decoded); } else { ret+=val[i]; } } return ret; } function PrintUserAssistEntry(key,val,os) { var run_count; var last_run; switch(os) { case "winxp": run_count=RegistryKeyValueToVariant(val.value,"uint32",4); break; case "win7": run_count=RegistryKeyValueToVariant(val.value,"uint32",4,0,1); last_run=RegistryKeyValueToVariant(val.value,"filetime",60); break; } PrintTableRow(key,run_count,last_run); } -println(""); -println(" Launched Applications"); -println(" "); -println("

Launched applications

"); - -// First, we need to find the correct GUID for the current Windows version -var path; -var apps; -var os; +function fred_report_html() { + println(""); + println(" Launched Applications"); + println(" "); + println("

Launched applications

"); -// Windows XP -os="winxp"; -path="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{5E6AB780-7743-11CF-A12B-00AA004AE837}\\Count"; -apps=GetRegistryKeys(path); + // First, we need to find the correct GUID for the current Windows version + var path; + var apps; + var os; -// TODO: Determine GUIDs for Vista / Win8 - -if(!IsValid(apps)) { - // Windows 7 - os="win7"; - path="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count"; + // Windows XP + os="winxp"; + path="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{5E6AB780-7743-11CF-A12B-00AA004AE837}\\Count"; apps=GetRegistryKeys(path); -} + // TODO: Determine GUIDs for Vista / Win8 + if(!IsValid(apps)) { + // Windows 7 + os="win7"; + path="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count"; + apps=GetRegistryKeys(path); + } + if(IsValid(apps)) { + if(apps.length!=0) { + println("

"); + println("

",cell01,"",cell02,"",cell03,"
"); + println(" "); -if(IsValid(apps)) { - if(apps.length!=0) { - println("

"); - println("

ApplicationRun countLast run
"); - println(" "); + for(var i=0;i"); + println("

"); + } else { + println("

"); + println(" The list of launched applications is empty."); + println("

"); } - - println("
ApplicationRun countLast run
"); - println("

"); } else { println("

"); - println(" The list of launched applications is empty."); + println(" This registry hive does not contain a list of launched applications!"); println("

"); } -} else { - println("

"); - println(" This registry hive does not contain a list of launched applications!"); - println("

"); } diff --git a/trunk/report_templates/NTUSER_RecentDocs.qs b/trunk/report_templates/NTUSER_RecentDocs.qs index 112669d..bcac514 100644 --- a/trunk/report_templates/NTUSER_RecentDocs.qs +++ b/trunk/report_templates/NTUSER_RecentDocs.qs @@ -1,41 +1,54 @@ +function fred_report_info() { + var info={report_cat : "NTUSER", + report_name : "Recent documents", + report_author : "Gillen Daniel", + report_desc : "Dump recent docs", + fred_api : 2, + hive : "NTUSER" + }; + return info; +} + function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } -println(""); -println(" Recent Documents"); -println(" "); -println("

Recent documents

"); +function fred_report_html() { + println(""); + println(" Recent Documents"); + println(" "); + println("

Recent documents

"); -// Get list of recent docs -var recent_docs=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs","MRUListEx"); -if(IsValid(recent_docs)) { - // Iterate over all recent docs - var i=0; - var runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i); - if(Number(runlist)!=0xffffffff) { - println("

"); - println(" "); + // Get list of recent docs + var recent_docs=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs","MRUListEx"); + if(IsValid(recent_docs)) { + // Iterate over all recent docs + var i=0; + var runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i); + if(Number(runlist)!=0xffffffff) { + println("

"); + println("

"); - while(Number(runlist)!=0xffffffff) { - var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",runlist.toString(10)); - println(" "); - i+=4; - runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i); - } + while(Number(runlist)!=0xffffffff) { + var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",runlist.toString(10)); + println(" "); + i+=4; + runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i); + } - println("
",RegistryKeyValueToVariant(entry.value,"utf16",0),"
",RegistryKeyValueToVariant(entry.value,"utf16",0),"
"); - println("

"); + println(" "); + println("

"); + } else { + println("

"); + println(" The list of recent documents is empty."); + println("

"); + } } else { println("

"); - println(" The list of recent documents is empty."); + println(" This registry hive does not contain a list of recent documents!"); println("

"); } -} else { - println("

"); - println(" This registry hive does not contain a list of recent documents!"); - println("

"); -} -println(""); + println(""); +} diff --git a/trunk/report_templates/NTUSER_TypedUrls.qs b/trunk/report_templates/NTUSER_TypedUrls.qs index b581da7..bbd6b51 100644 --- a/trunk/report_templates/NTUSER_TypedUrls.qs +++ b/trunk/report_templates/NTUSER_TypedUrls.qs @@ -1,36 +1,49 @@ +function fred_report_info() { + var info={report_cat : "NTUSER", + report_name : "Typed URLs", + report_author : "Gillen Daniel", + report_desc : "Dump typed URLs", + fred_api : 2, + hive : "NTUSER" + }; + return info; +} + function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } -println(""); -println(" Typed Urls"); -println(" "); -println("

Typed urls

"); +function fred_report_html() { + println(""); + println(" Typed Urls"); + println(" "); + println("

Typed urls

"); -// Iterate over all typed urls -var typed_urls=GetRegistryKeys("\\Software\\Microsoft\\Internet Explorer\\TypedURLs"); -if(IsValid(typed_urls)) { - if(typed_urls.length!=0) { - println("

"); - println(" "); + // Iterate over all typed urls + var typed_urls=GetRegistryKeys("\\Software\\Microsoft\\Internet Explorer\\TypedURLs"); + if(IsValid(typed_urls)) { + if(typed_urls.length!=0) { + println("

"); + println("

"); - for(var i=0;i"); - } + for(var i=0;i"); + } - println("
",RegistryKeyValueToString(val.value,val.type),"
",RegistryKeyValueToString(val.value,val.type),"
"); - println("

"); + println(" "); + println("

"); + } else { + println("

"); + println(" The list of typed urls is empty."); + println("

"); + } } else { println("

"); - println(" The list of typed urls is empty."); + println(" This registry hive does not contain a list of typed urls!"); println("

"); } -} else { - println("

"); - println(" This registry hive does not contain a list of typed urls!"); - println("

"); -} -println(""); + println(""); +} diff --git a/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs b/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs index effaa23..68614b7 100644 --- a/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs +++ b/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs @@ -1,41 +1,54 @@ +function fred_report_info() { + var info={report_cat : "NTUSER", + report_name : "Windows 7 search keywords", + report_author : "Gillen Daniel", + report_desc : "Dump Windows 7 search keywords", + fred_api : 2, + hive : "NTUSER" + }; + return info; +} + function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } -println(""); -println(" Document And Folder Search Keywords"); -println(" "); -println("

Document and folder search keywords

"); +function fred_report_html() { + println(""); + println(" Document And Folder Search Keywords"); + println(" "); + println("

Document and folder search keywords

"); -// Get list of search keys -var mrulist=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery","MRUListEx"); -if(IsValid(mrulist)) { - // Iterate over all items - var i=0; - var runlist=RegistryKeyValueToVariant(mrulist.value,"uint32",i); - if(Number(runlist)!=0xffffffff) { - println("

"); - println(" "); + // Get list of search keys + var mrulist=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery","MRUListEx"); + if(IsValid(mrulist)) { + // Iterate over all items + var i=0; + var runlist=RegistryKeyValueToVariant(mrulist.value,"uint32",i); + if(Number(runlist)!=0xffffffff) { + println("

"); + println("

"); - while(Number(runlist)!=0xffffffff) { - var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery",runlist.toString(10)); - println(" "); - i+=4; - runlist=RegistryKeyValueToVariant(mrulist.value,"uint32",i); - } + while(Number(runlist)!=0xffffffff) { + var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery",runlist.toString(10)); + println(" "); + i+=4; + runlist=RegistryKeyValueToVariant(mrulist.value,"uint32",i); + } - println("
",RegistryKeyValueToVariant(entry.value,"utf16",0),"
",RegistryKeyValueToVariant(entry.value,"utf16",0),"
"); - println("

"); + println(" "); + println("

"); + } else { + println("

"); + println(" The list of document and search keywords is empty."); + println("

"); + } } else { println("

"); - println(" The list of document and search keywords is empty."); + println(" This registry hive does not contain a list of document and folder search keywords!"); println("

"); } -} else { - println("

"); - println(" This registry hive does not contain a list of document and folder search keywords!"); - println("

"); -} -println(""); + println(""); +} diff --git a/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs b/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs index 4411897..864b46f 100644 --- a/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs +++ b/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs @@ -1,36 +1,49 @@ +function fred_report_info() { + var info={report_cat : "NTUSER", + report_name : "Windows 7 typed paths", + report_author : "Gillen Daniel", + report_desc : "Dump Windows 7 typed paths", + fred_api : 2, + hive : "NTUSER" + }; + return info; +} + function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } -println(""); -println(" Typed Paths"); -println(" "); -println("

Typed paths

"); +function fred_report_html() { + println(""); + println(" Typed Paths"); + println(" "); + println("

Typed paths

"); -// Iterate over all typed paths -var urls=GetRegistryKeys("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"); -if(IsValid(urls)) { - if(urls.length!=0) { - println("

"); - println(" "); + // Iterate over all typed paths + var urls=GetRegistryKeys("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"); + if(IsValid(urls)) { + if(urls.length!=0) { + println("

"); + println("

"); - for(var i=0;i"); - } + for(var i=0;i"); + } - println("
",RegistryKeyValueToString(val.value,val.type),"
",RegistryKeyValueToString(val.value,val.type),"
"); - println("

"); + println(" "); + println("

"); + } else { + println("

"); + println(" The list of typed paths is empty."); + println("

"); + } } else { println("

"); - println(" The list of typed paths is empty."); + println(" This registry hive does not contain a list of typed paths!"); println("

"); } -} else { - println("

"); - println(" This registry hive does not contain a list of typed paths!"); - println("

"); -} -println(""); + println(""); +} diff --git a/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs b/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs index 0a78998..ac9bb6b 100644 --- a/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs +++ b/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs @@ -1,35 +1,48 @@ +function fred_report_info() { + var info={report_cat : "NTUSER", + report_name : "Windows Live accounts", + report_author : "Gillen Daniel", + report_desc : "Dump Windows Live accounts", + fred_api : 2, + hive : "NTUSER" + }; + return info; +} + function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } -println(""); -println(" Windows Live Accounts"); -println(" "); -println("

Windows live accounts

"); +function fred_report_html() { + println(""); + println(" Windows Live Accounts"); + println(" "); + println("

Windows live accounts

"); -// Iterate over all contacts -var accounts=GetRegistryKeys("\\Software\\Microsoft\\Windows Live Contacts\\Database"); -if(IsValid(accounts)) { - println("

"); - println(" "); + // Iterate over all contacts + var accounts=GetRegistryKeys("\\Software\\Microsoft\\Windows Live Contacts\\Database"); + if(IsValid(accounts)) { + println("

"); + println("

"); - for(var i=0;i"); - } - accounts=GetRegistryKeys("\\Software\\Microsoft\\Windows Live Contacts\\Me"); - for(var i=0;i"); + for(var i=0;i"); + } + accounts=GetRegistryKeys("\\Software\\Microsoft\\Windows Live Contacts\\Me"); + for(var i=0;i"); + } + + println("
",accounts[i],"",RegistryKeyValueToString(val.value,val.type),"
",accounts[i],"",RegistryKeyValueToString(val.value,val.type),"
",accounts[i],"",RegistryKeyValueToString(val.value,val.type),"
",accounts[i],"",RegistryKeyValueToString(val.value,val.type),"
"); + println("

"); + } else { + println("

"); + println(" This registry hive does not contain a list of Windows Live Accounts!"); + println("

"); } - println(" "); - println("

"); -} else { - println("

"); - println(" This registry hive does not contain a list of Windows Live Accounts!"); - println("

"); + println(""); } - -println(""); diff --git a/trunk/report_templates/SAM_UserAccounts.qs b/trunk/report_templates/SAM_UserAccounts.qs index 9ba427f..a78ec0c 100644 --- a/trunk/report_templates/SAM_UserAccounts.qs +++ b/trunk/report_templates/SAM_UserAccounts.qs @@ -1,97 +1,109 @@ -// See http://windowsir.blogspot.com/2006/08/getting-user-info-from-image.html +function fred_report_info() { + var info={report_cat : "SAM", + report_name : "User accounts", + report_author : "Gillen Daniel", + report_desc : "Dump Windows user accounts", + fred_api : 2, + hive : "SAM" + }; + return info; +} function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function print_v_info(v_key_value,info_name,str_off) { var offset=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off))+0x0cc; var len=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off+4))/2; if(len>0) print_table_row(info_name,RegistryKeyValueToVariant(v_key_value,"utf16",offset,len)); } -println(""); -println(" User Accounts"); -println(" "); -println("

User accounts

"); +function fred_report_html() { + // See http://windowsir.blogspot.com/2006/08/getting-user-info-from-image.html + println(""); + println(" User Accounts"); + println(" "); + println("

User accounts

"); -// Iterate over all user names -var user_names=GetRegistryNodes("\\SAM\\Domains\\Account\\Users\\Names"); -if(IsValid(user_names)) { - for(var i=0;i"); + // Iterate over all user names + var user_names=GetRegistryNodes("\\SAM\\Domains\\Account\\Users\\Names"); + if(IsValid(user_names)) { + for(var i=0;i"); - // Print user name - println(" ",user_names[i],"
"); + // Print user name + println(" ",user_names[i],"
"); - println(" "); + println("
"); - // Get user rid stored in "default" key - var user_rid=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\Names\\",user_names[i]),""); - user_rid=RegistryKeyTypeToString(user_rid.type); - println(" "); + // Get user rid stored in "default" key + var user_rid=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\Names\\",user_names[i]),""); + user_rid=RegistryKeyTypeToString(user_rid.type); + println(" "); - // RegistryKeyTypeToString returns the rid prepended with "0x". We have to remove that for further processing - user_rid=String(user_rid).substr(2); + // RegistryKeyTypeToString returns the rid prepended with "0x". We have to remove that for further processing + user_rid=String(user_rid).substr(2); - // Get user's V key and print various infos - var v_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"V"); - print_v_info(v_key.value,"Full name:",0x18); - print_v_info(v_key.value,"Comment:",0x24); - print_v_info(v_key.value,"Home directory:",0x48); - print_v_info(v_key.value,"Home directory drive:",0x54); - print_v_info(v_key.value,"Logon script path:",0x60); - print_v_info(v_key.value,"Profile path:",0x6c); + // Get user's V key and print various infos + var v_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"V"); + print_v_info(v_key.value,"Full name:",0x18); + print_v_info(v_key.value,"Comment:",0x24); + print_v_info(v_key.value,"Home directory:",0x48); + print_v_info(v_key.value,"Home directory drive:",0x54); + print_v_info(v_key.value,"Logon script path:",0x60); + print_v_info(v_key.value,"Profile path:",0x6c); - // Get user's F key and print various infos - var f_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"F"); - print_table_row("Last login time:",RegistryKeyValueToVariant(f_key.value,"filetime",8)); - print_table_row("Last pw change:",RegistryKeyValueToVariant(f_key.value,"filetime",24)); - 
print_table_row("Last failed login:",RegistryKeyValueToVariant(f_key.value,"filetime",40)); - print_table_row("Account expires:",RegistryKeyValueToVariant(f_key.value,"filetime",32)); - print_table_row("Total logins:",RegistryKeyValueToVariant(f_key.value,"uint16",66)); - print_table_row("Failed logins:",RegistryKeyValueToVariant(f_key.value,"uint16",64)); - var acc_flags=Number(RegistryKeyValueToVariant(f_key.value,"uint16",56)); - print(" "); + // Get user's F key and print various infos + var f_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"F"); + print_table_row("Last login time:",RegistryKeyValueToVariant(f_key.value,"filetime",8)); + print_table_row("Last pw change:",RegistryKeyValueToVariant(f_key.value,"filetime",24)); + print_table_row("Last failed login:",RegistryKeyValueToVariant(f_key.value,"filetime",40)); + print_table_row("Account expires:",RegistryKeyValueToVariant(f_key.value,"filetime",32)); + print_table_row("Total logins:",RegistryKeyValueToVariant(f_key.value,"uint16",66)); + print_table_row("Failed logins:",RegistryKeyValueToVariant(f_key.value,"uint16",64)); + var acc_flags=Number(RegistryKeyValueToVariant(f_key.value,"uint16",56)); + print(" "); - // Get password hint if available - var hint=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"UserPasswordHint"); - if(typeof hint !== 'undefined') { - // Append missing trailing utf16 zero byte - hint.value.appendByte(0); - hint.value.appendByte(0); - print_table_row("Password hint:",RegistryKeyValueToVariant(hint.value,"utf16")); - } + // Get password hint if available + var hint=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"UserPasswordHint"); + if(typeof hint !== 'undefined') { + // Append missing trailing utf16 zero byte + hint.value.appendByte(0); + hint.value.appendByte(0); + print_table_row("Password hint:",RegistryKeyValueToVariant(hint.value,"utf16")); + } - // TODO: User group 
membership + // TODO: User group membership - println("
RID:",Number(user_rid).toString(10)," (",user_rid,")","
RID:",Number(user_rid).toString(10)," (",user_rid,")","
Account flags:"); - if(acc_flags&0x0001) print("Disabled "); - if(acc_flags&0x0002) print("HomeDirReq "); - if(acc_flags&0x0004) print("PwNotReq "); - if(acc_flags&0x0008) print("TempDupAcc "); - // I don't think this would be useful to show - //if(acc_flags&0x0010) print("NormUserAcc "); - if(acc_flags&0x0020) print("MnsAcc "); - if(acc_flags&0x0040) print("DomTrustAcc "); - if(acc_flags&0x0080) print("WksTrustAcc "); - if(acc_flags&0x0100) print("SrvTrustAcc "); - if(acc_flags&0x0200) print("NoPwExpiry "); - if(acc_flags&0x0400) print("AccAutoLock "); - print(" (",acc_flags,")"); - println("
Account flags:"); + if(acc_flags&0x0001) print("Disabled "); + if(acc_flags&0x0002) print("HomeDirReq "); + if(acc_flags&0x0004) print("PwNotReq "); + if(acc_flags&0x0008) print("TempDupAcc "); + // I don't think this would be useful to show + //if(acc_flags&0x0010) print("NormUserAcc "); + if(acc_flags&0x0020) print("MnsAcc "); + if(acc_flags&0x0040) print("DomTrustAcc "); + if(acc_flags&0x0080) print("WksTrustAcc "); + if(acc_flags&0x0100) print("SrvTrustAcc "); + if(acc_flags&0x0200) print("NoPwExpiry "); + if(acc_flags&0x0400) print("AccAutoLock "); + print(" (",acc_flags,")"); + println("
"); - println("

"); + println(" "); + println("

"); + } + } else { + println("

"); + println(" Unable to enumerate users!
"); + println(" Are you sure you are running this report against the correct registry hive?"); + println("

"); } -} else { - println("

"); - println(" Unable to enumerate users!
"); - println(" Are you sure you are running this report against the correct registry hive?"); - println("

"); -} -println(""); + println(""); +} diff --git a/trunk/report_templates/SOFTWARE_Autoruns.qs b/trunk/report_templates/SOFTWARE_Autoruns.qs index 11e259d..20661b8 100644 --- a/trunk/report_templates/SOFTWARE_Autoruns.qs +++ b/trunk/report_templates/SOFTWARE_Autoruns.qs @@ -1,49 +1,61 @@ +function fred_report_info() { + var info={report_cat : "SOFTWARE", + report_name : "Autoruns", + report_author : "Gillen Daniel", + report_desc : "Dump autoruns", + fred_api : 2, + hive : "SOFTWARE" + }; + return info; +} + function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ListAutoruns(autorun_path,autorun_key) { println("

"); println(" "+autorun_key+"
"); var run_keys=GetRegistryKeys(autorun_path+autorun_key); if(IsValid(run_keys) && run_keys.length>0) { println(" "); print_table_row("Name","Executable"); for(var i=0;i"); } else { println("         None"); } println("

"); } -// Global vars -var val; +function fred_report_html() { + var val; -println(""); -println(" System Autoruns"); -println(" "); -println("

System Autoruns

"); + println(""); + println(" System Autoruns"); + println(" "); + println("

System Autoruns

"); -// Run -ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","Run"); + // Run + ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","Run"); -// RunOnce -ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnce"); + // RunOnce + ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnce"); -// RunOnceEx -ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnceEx"); + // RunOnceEx + ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnceEx"); -// TODO: There might be a Run under WindowsNT\CurrentVersion\Run too! + // TODO: There might be a Run under WindowsNT\CurrentVersion\Run too! -println(""); + println(""); +} diff --git a/trunk/report_templates/SOFTWARE_ProfileList.qs b/trunk/report_templates/SOFTWARE_ProfileList.qs index 211ac49..52447bc 100644 --- a/trunk/report_templates/SOFTWARE_ProfileList.qs +++ b/trunk/report_templates/SOFTWARE_ProfileList.qs @@ -1,44 +1,56 @@ +function fred_report_info() { + var info={report_cat : "SOFTWARE", + report_name : "Profile list", + report_author : "Gillen Daniel", + report_desc : "Dump profile list", + fred_api : 2, + hive : "SOFTWARE" + }; + return info; +} + function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println("
"); } -// Global vars -var val; +function fred_report_html() { + var val; -println(""); -println(" Profile List"); -println(" "); -println("

Profile List

"); + println(""); + println(" Profile List"); + println(" "); + println("

Profile List

"); -var profile_list=GetRegistryNodes("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList"); -if(IsValid(profile_list) && profile_list.length>0) { - for(var i=0;i"); - println(" "+profile_list[i]+"
"); - println("
",cell01,"",cell02,"
"); + var profile_list=GetRegistryNodes("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList"); + if(IsValid(profile_list) && profile_list.length>0) { + for(var i=0;i"); + println(" "+profile_list[i]+"
"); + println("
"); - // Get profile image path - val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileImagePath"); - print_table_row("Profile image path:",IsValid(val) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); + // Get profile image path + val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileImagePath"); + print_table_row("Profile image path:",IsValid(val) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); - // Get last load time (Saved as 2 dwords. Another "good" idea of M$ ;-)) - var loadtime_low=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileLoadTimeLow"); - var loadtime_high=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileLoadTimeHigh"); - print_table_row("Profile load time:",(IsValid(loadtime_low) && IsValid(loadtime_high)) ? RegistryKeyValueToVariant(loadtime_low.value.append(loadtime_high.value),"filetime",0) : "n/a"); + // Get last load time (Saved as 2 dwords. Another "good" idea of M$ ;-)) + var loadtime_low=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileLoadTimeLow"); + var loadtime_high=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileLoadTimeHigh"); + print_table_row("Profile load time:",(IsValid(loadtime_low) && IsValid(loadtime_high)) ? RegistryKeyValueToVariant(loadtime_low.value.append(loadtime_high.value),"filetime",0) : "n/a"); - // TODO: There is more to decode under \\Microsoft\\Windows NT\\CurrentVersion\\ProfileList + // TODO: There is more to decode under \\Microsoft\\Windows NT\\CurrentVersion\\ProfileList + println("
"); + println("

"); + } println(" "); - println("

"); + } else { + println("         None"); } - println(" "); -} else { - println("         None"); -} -println(""); + println(""); +} diff --git a/trunk/report_templates/SOFTWARE_WindowsVersion.qs b/trunk/report_templates/SOFTWARE_WindowsVersion.qs index 8a09d4a..0871460 100644 --- a/trunk/report_templates/SOFTWARE_WindowsVersion.qs +++ b/trunk/report_templates/SOFTWARE_WindowsVersion.qs @@ -1,96 +1,109 @@ +function fred_report_info() { + var info={report_cat : "SOFTWARE", + report_name : "Windows version", + report_author : "Gillen Daniel", + report_desc : "Dump Windows version info", + fred_api : 2, + hive : "SOFTWARE" + }; + return info; +} + function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function DecodeProductKey(arr) { //ProductKey is base24 encoded var keychars=new Array("B","C","D","F","G","H","J","K","M","P","Q","R","T","V","W","X","Y","2","3","4","6","7","8","9"); var key=new Array(30); var ret=""; var ncur; if(arr.length<66) return ret; arr=arr.mid(52,15); for(var ilbyte=24;ilbyte>=0;ilbyte--) { ncur=0; for(var ilkeybyte=14;ilkeybyte>=0;ilkeybyte--) { ncur=ncur*256^arr[ilkeybyte]; arr[ilkeybyte]=ncur/24; ncur%=24; } ret=keychars[ncur]+ret; if(ilbyte%5==0 && ilbyte!=0) ret="-"+ret; } return ret; } -println(""); -println(" Windows version info"); -println(" "); -println("

Windows version info

"); +function fred_report_html() { + println(""); + println(" Windows version info"); + println(" "); + println("

Windows version info

"); -// Windows version sp and build info -var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","ProductName"); -if(IsValid(val)) { - println("

"); - println(" "); - - print(" "); - // Build string - var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","BuildLab"); - print_table_row("Build string:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); - // Extended build string - var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","BuildLabEx"); - print_table_row("Extended build string:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); + println("

"); + println("

Windows version:",RegistryKeyValueToString(val.value,val.type)); - var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","CSDVersion"); + // Windows version sp and build info + var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","ProductName"); if(IsValid(val)) { - print(" ",RegistryKeyValueToString(val.value,val.type)); - } - var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","CurrentBuildNumber"); - if(IsValid(val)) { - print(" build ",RegistryKeyValueToString(val.value,val.type)); - } - println("
"); - // Install date - var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","InstallDate"); - print_table_row("Install date:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime") : "n/a"); + print(" "); + // Build string + var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","BuildLab"); + print_table_row("Build string:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); + // Extended build string + var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","BuildLabEx"); + print_table_row("Extended build string:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); - // Owner and Organization info - var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","RegisteredOwner"); - print_table_row("Registered owner:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); - var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","RegisteredOrganization"); - print_table_row("Registered organization:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); + // Install date + var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","InstallDate"); + print_table_row("Install date:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime") : "n/a"); - // Windows ID / Key - var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","ProductId"); - print_table_row("Product ID:",(IsValid(val)) ? 
RegistryKeyValueToString(val.value,val.type) : "n/a"); - var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","DigitalProductId"); - if(IsValid(val)) { - var key=DecodeProductKey(val.value); - if(key!="BBBBB-BBBBB-BBBBB-BBBBB-BBBBB") print_table_row("Product Key:",key); - else print_table_row("Product Key:","n/a (Probably a volume license key was used)"); - } else print_table_row("Product Key:","n/a"); + // Owner and Organization info + var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","RegisteredOwner"); + print_table_row("Registered owner:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); + var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","RegisteredOrganization"); + print_table_row("Registered organization:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); - // Install directory / Source directory - var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","PathName"); - print_table_row("Install path:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); - var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","SourcePath"); - print_table_row("Source path:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); + // Windows ID / Key + var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","ProductId"); + print_table_row("Product ID:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); + var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","DigitalProductId"); + if(IsValid(val)) { + var key=DecodeProductKey(val.value); + if(key!="BBBBB-BBBBB-BBBBB-BBBBB-BBBBB") print_table_row("Product Key:",key); + else print_table_row("Product Key:","n/a (Probably a volume license key was used)"); + } else print_table_row("Product Key:","n/a"); - println("
Windows version:",RegistryKeyValueToString(val.value,val.type)); + var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","CSDVersion"); + if(IsValid(val)) { + print(" ",RegistryKeyValueToString(val.value,val.type)); + } + var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","CurrentBuildNumber"); + if(IsValid(val)) { + print(" build ",RegistryKeyValueToString(val.value,val.type)); + } + println("
"); - println("

"); -} else { - println("

"); - println(" Unable to get product name!
"); - println(" Are you sure you are running this report against the correct registry hive?"); - println("

"); -} + // Install directory / Source directory + var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","PathName"); + print_table_row("Install path:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); + var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","SourcePath"); + print_table_row("Source path:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); -println(""); + println(" "); + println("

"); + } else { + println("

"); + println(" Unable to get product name!
"); + println(" Are you sure you are running this report against the correct registry hive?"); + println("

"); + } + + println(""); +} diff --git a/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs b/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs index 1edcdcb..5943e14 100644 --- a/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs +++ b/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs @@ -1,130 +1,141 @@ -// See Appendix A: TCP/IP Configuration Parameters: -// http://technet.microsoft.com/de-de/library/cc739819%28v=WS.10%29.aspx +function fred_report_info() { + var info={report_cat : "SYSTEM", + report_name : "Current network settings", + report_author : "Gillen Daniel", + report_desc : "Dump current network settings", + fred_api : 2, + hive : "SYSTEM" + }; + return info; +} function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ZeroPad(number,padlen) { var ret=number.toString(10); if(!padlen || ret.length>=padlen) return ret; return Math.pow(10,padlen-ret.length).toString().slice(1)+ret; } -// Global vars -var val; - -println(""); -println(" Current Network Settings (Tcp/Ip)"); -println(" "); -println("

Current network settings (Tcp/Ip)

"); - -// Get current controlset -var cur_controlset=GetRegistryKeyValue("\\Select","Current"); -if(IsValid(cur_controlset)) { - cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); - // Current holds a DWORD value, thus we get a string like 0x00000000, but - // control sets are referenced by its decimal representation. - cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3) - - println("

"); - println(" "); - print_table_row("Active control set:",cur_controlset); - - // Computer name - val=GetRegistryKeyValue(cur_controlset+"\\Control\\ComputerName\\ComputerName","ComputerName"); - print_table_row("Computer name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); - - println("
"); - println("
"); - - // Iterate over all available network adapters - var adapters=GetRegistryNodes(cur_controlset+"\\Services\\Tcpip\\Parameters\\Adapters"); - for(var i=0;i"); + println(" Current Network Settings (Tcp/Ip)"); + println(" "); + println("

Current network settings (Tcp/Ip)

"); + + // Get current controlset + var cur_controlset=GetRegistryKeyValue("\\Select","Current"); + if(IsValid(cur_controlset)) { + cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); + // Current holds a DWORD value, thus we get a string like 0x00000000, but + // control sets are referenced by its decimal representation. + cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3) + + println("

"); println(" "); - //print_table_row("Adapter id:",adapters[i]); - - // Get configuration mode - val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"EnableDHCP"); - val=Number(RegistryKeyValueToString(val.value,val.type)); - if(val) { - // DHCP enabled - print_table_row("Configuration mode:","DHCP"); - // DHCP server - val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpServer"); - print_table_row("Last used DHCP server:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); - // IP address - val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpIPAddress"); - print_table_row("IP address:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); - // Subnet mask - val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpSubnetMask"); - print_table_row("Subnet mask:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); - // Nameserver(s) - val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpNameServer"); - print_table_row("Nameserver(s):",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); - // Domain - val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpDomain"); - print_table_row("Domain:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); - // Default gw - val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpDefaultGateway"); - print_table_row("Default gateway:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); - // Lease obtained - val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"LeaseObtainedTime"); - print_table_row("Lease obtained:",(IsValid(val)) ? 
RegistryKeyValueToVariant(val.value,"unixtime",0) : ""); - // Lease valid until - val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"LeaseTerminatesTime"); - print_table_row("Lease terminates:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : ""); - } else { - print_table_row("Configuration mode:","Manual"); - // IP address - val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"IPAddress"); - print_table_row("IP address:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); - // Subnet mask - val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"SubnetMask"); - print_table_row("Subnet mask:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); - // Nameserver - val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"NameServer"); - print_table_row("Nameserver:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); - // Domain - val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"Domain"); - print_table_row("Domain:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); - // Default gw - val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DefaultGateway"); - print_table_row("Default gateway:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); - } + print_table_row("Active control set:",cur_controlset); - // TODO: Check for EnableSecurityFilters, TCPAllowedPorts and UDPAllowedPorts to get firewall status. + // Computer name + val=GetRegistryKeyValue(cur_controlset+"\\Control\\ComputerName\\ComputerName","ComputerName"); + print_table_row("Computer name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); println("
"); println("
"); - // TODO: Get persistent routes from \ControlSet001\Services\Tcpip\Parameters\PersistentRoutes + // Iterate over all available network adapters + var adapters=GetRegistryNodes(cur_controlset+"\\Services\\Tcpip\\Parameters\\Adapters"); + for(var i=0;i"); + //print_table_row("Adapter id:",adapters[i]); + + // Get configuration mode + val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"EnableDHCP"); + val=Number(RegistryKeyValueToString(val.value,val.type)); + if(val) { + // DHCP enabled + print_table_row("Configuration mode:","DHCP"); + // DHCP server + val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpServer"); + print_table_row("Last used DHCP server:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); + // IP address + val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpIPAddress"); + print_table_row("IP address:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); + // Subnet mask + val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpSubnetMask"); + print_table_row("Subnet mask:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); + // Nameserver(s) + val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpNameServer"); + print_table_row("Nameserver(s):",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); + // Domain + val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpDomain"); + print_table_row("Domain:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); + // Default gw + val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpDefaultGateway"); + print_table_row("Default gateway:",(IsValid(val)) ? 
RegistryKeyValueToVariant(val.value,"utf16",0) : ""); + // Lease obtained + val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"LeaseObtainedTime"); + print_table_row("Lease obtained:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : ""); + // Lease valid until + val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"LeaseTerminatesTime"); + print_table_row("Lease terminates:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : ""); + } else { + print_table_row("Configuration mode:","Manual"); + // IP address + val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"IPAddress"); + print_table_row("IP address:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); + // Subnet mask + val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"SubnetMask"); + print_table_row("Subnet mask:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); + // Nameserver + val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"NameServer"); + print_table_row("Nameserver:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); + // Domain + val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"Domain"); + print_table_row("Domain:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); + // Default gw + val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DefaultGateway"); + print_table_row("Default gateway:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); + } + + // TODO: Check for EnableSecurityFilters, TCPAllowedPorts and UDPAllowedPorts to get firewall status. + + println(" "); + println("
"); + + // TODO: Get persistent routes from \ControlSet001\Services\Tcpip\Parameters\PersistentRoutes + } + println("

"); + } else { + println("

"); + println(" Unable to determine current control set!
"); + println(" Are you sure you are running this report against the correct registry hive?"); + println("

"); } - println("

"); -} else { - println("

"); - println(" Unable to determine current control set!
"); - println(" Are you sure you are running this report against the correct registry hive?"); - println("

"); -} -println(""); + println(""); +} diff --git a/trunk/report_templates/SYSTEM_Services.qs b/trunk/report_templates/SYSTEM_Services.qs index 8be6d94..54e85c7 100644 --- a/trunk/report_templates/SYSTEM_Services.qs +++ b/trunk/report_templates/SYSTEM_Services.qs 
@@ -1,99 +1,111 @@ +function fred_report_info() { + var info={report_cat : "SYSTEM", + report_name : "Services", + report_author : "Gillen Daniel", + report_desc : "Dump services", + fred_api : 2, + hive : "SYSTEM" + }; + return info; +} + function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function ZeroPad(number,padlen) { var ret=number.toString(10); if(!padlen || ret.length>=padlen) return ret; return Math.pow(10,padlen-ret.length).toString().slice(1)+ret; } function PrintTableRow(cell01,cell02,cell03,cell04,cell05) { println(" ",cell01,"",cell02,"",cell03,"",cell04,"",cell05,""); } function ListService(service_node) { // Service name var name=GetRegistryKeyValue(service_node,"DisplayName"); name=(IsValid(name)) ? RegistryKeyValueToString(name.value,name.type) : "Unknwon"; // Service group var group=GetRegistryKeyValue(service_node,"Group"); group=(IsValid(group)) ? RegistryKeyValueToString(group.value,group.type) : ""; // Service exe var image=GetRegistryKeyValue(service_node,"ImagePath"); image=(IsValid(image)) ? RegistryKeyValueToString(image.value,image.type) : "Unknwon"; // Start var start=GetRegistryKeyValue(service_node,"Start"); start=(IsValid(start)) ? RegistryKeyValueToString(start.value,start.type) : -1; switch(Number(start)) { case 0: start="Boot"; break; case 1: start="System"; break; case 2: start="Automatic"; break; case 3: start="Manual"; break; case 4: start="Disabled"; break; default: start="Unknown"; } // Description var desc=GetRegistryKeyValue(service_node,"Description"); desc=(IsValid(desc)) ? RegistryKeyValueToString(desc.value,desc.type) : ""; PrintTableRow(name,group,start,image,desc) } -// Global vars -var val; +function fred_report_html() { + var val; -println(""); -println(" Services"); -println(" "); -println("

Services

"); + println(""); + println(" Services"); + println(" "); + println("

Services

"); -// Get current controlset -var cur_controlset=GetRegistryKeyValue("\\Select","Current"); -if(IsValid(cur_controlset)) { - cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); - // Current holds a DWORD value, thus we get a string like 0x00000000, but - // control sets are referenced by its decimal representation. - cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3) + // Get current controlset + var cur_controlset=GetRegistryKeyValue("\\Select","Current"); + if(IsValid(cur_controlset)) { + cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); + // Current holds a DWORD value, thus we get a string like 0x00000000, but + // control sets are referenced by its decimal representation. + cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3) - // Get list of possible services - var services=GetRegistryNodes(cur_controlset+"\\Services"); - if(IsValid(services)) { - println("

"); - println(" "); - println(" "); - for(var i=0;i"); + println("
NameGroupStartupImage pathDescription
"); + println(" "); + for(var i=0;i"); + println("

"); + } else { + println("

"); + println(" This registry hive does not contain any services!
"); + println("

"); } - println("
NameGroupStartupImage pathDescription
"); - println("

"); } else { println("

"); - println(" This registry hive does not contain any services!
"); + println(" Unable to determine current control set!
"); + println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } -} else { - println("

"); - println(" Unable to determine current control set!
"); - println(" Are you sure you are running this report against the correct registry hive?"); - println("

"); -} -println(""); + println(""); +} diff --git a/trunk/report_templates/SYSTEM_ShutdownTime.qs b/trunk/report_templates/SYSTEM_ShutdownTime.qs index 23ffbe9..4a3ecf1 100644 --- a/trunk/report_templates/SYSTEM_ShutdownTime.qs +++ b/trunk/report_templates/SYSTEM_ShutdownTime.qs @@ -1,45 +1,57 @@ +function fred_report_info() { + var info={report_cat : "SYSTEM", + report_name : "Shutdown time", + report_author : "Gillen Daniel", + report_desc : "Dump last known shutdown time", + fred_api : 2, + hive : "SYSTEM" + }; + return info; +} + function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } -// Global vars -var val; - -println(""); -println(" Last known shutdown time"); -println(" "); -println("
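Review bot: `ListService` and `PrintTableRow` (context lines that now feed the new `fred_report_html`) write `DisplayName`, `Group`, `ImagePath` and `Description` into the report verbatim, with no HTML escaping; those strings come straight out of the hive under examination, so a crafted value in an evidence hive can inject markup or script into the generated report when it is opened in a browser or web view. A one-line helper such as `function HtmlEscape(s){ return String(s).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;"); }` applied to every `cellNN` argument inside `PrintTableRow` (leaving the existing row markup untouched) closes this for all callers. Separately, the two fallback literals `"Unknwon"` in `ListService` are misspelled and should read `"Unknown"` like the `default:` branch of the `switch` below them.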

Last known shutdown time

"); - -// Get current controlset -var cur_controlset=GetRegistryKeyValue("\\Select","Current"); -if(IsValid(cur_controlset)) { - cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); - // Current holds a DWORD value, thus we get a string like 0x00000000, but - // control sets are referenced only with the last 3 digits. - cur_controlset="ControlSet"+String(cur_controlset).substr(7,3); - - println("

"); - println(" "); - - print_table_row("Active control set:",cur_controlset); - - // Shutdown time - val=GetRegistryKeyValue(cur_controlset+"\\Control\\Windows","ShutdownTime"); - print_table_row("Shutdown time:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"filetime") : "Unknown"); - - println("
"); - println("
"); - println("

"); -} else { - println("

"); - println(" Unable to determine current control set!
"); - println(" Are you sure you are running this report against the correct registry hive?"); - println("

"); +function fred_report_html() { + var val; + + println(""); + println(" Last known shutdown time"); + println(" "); + println("

Last known shutdown time

"); + + // Get current controlset + var cur_controlset=GetRegistryKeyValue("\\Select","Current"); + if(IsValid(cur_controlset)) { + cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); + // Current holds a DWORD value, thus we get a string like 0x00000000, but + // control sets are referenced only with the last 3 digits. + cur_controlset="ControlSet"+String(cur_controlset).substr(7,3); + + println("

"); + println(" "); + + print_table_row("Active control set:",cur_controlset); + + // Shutdown time + val=GetRegistryKeyValue(cur_controlset+"\\Control\\Windows","ShutdownTime"); + print_table_row("Shutdown time:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"filetime") : "Unknown"); + + println("
"); + println("
"); + println("

"); + } else { + println("

"); + println(" Unable to determine current control set!
"); + println(" Are you sure you are running this report against the correct registry hive?"); + println("

"); + } + + println(""); } - -println(""); diff --git a/trunk/report_templates/SYSTEM_SystemTimeInfo.qs b/trunk/report_templates/SYSTEM_SystemTimeInfo.qs index e1dbd96..17b166f 100644 --- a/trunk/report_templates/SYSTEM_SystemTimeInfo.qs +++ b/trunk/report_templates/SYSTEM_SystemTimeInfo.qs @@ -1,110 +1,122 @@ +function fred_report_info() { + var info={report_cat : "SYSTEM", + report_name : "System time info", + report_author : "Gillen Daniel", + report_desc : "Dump system time info", + fred_api : 2, + hive : "SYSTEM" + }; + return info; +} + function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ToUTC(num) { var retnum=new Number(num); if(retnum&0x80000000) { retnum=((0xFFFFFFFF-retnum)+1)/60; return "UTC+"+Number(retnum).toString(10); } else { retnum=retnum/60; if(retnum!=0) return "UTC-"+Number(retnum).toString(10); else return "UTC+"+Number(retnum).toString(10); } } function ZeroPad(number,padlen) { var ret=number.toString(10); if(!padlen || ret.length>=padlen) return ret; return Math.pow(10,padlen-ret.length).toString().slice(1)+ret; } -// Global vars -var val; +function fred_report_html() { + var val; -println(""); -println(" System Time Info"); -println(" "); -println("
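Review bot: The new `fred_report_html` still derives the control set with `String(cur_controlset).substr(7,3)`, i.e. the last three hex digits of the `0x00000000` rendering, while the Services, SystemTimeInfo and USB templates in this same commit use `ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)` and note that control sets are referenced by their decimal representation. The two disagree as soon as `Select\Current` exceeds 9 (0x0000000A gives `ControlSet00A` here but `ControlSet010` elsewhere), so this report would look up a key that does not exist and print "Unknown" for the shutdown time with no hint why. Bring the template in line by copying the `ZeroPad` helper and the conversion from the sibling templates, and replace the `// control sets are referenced only with the last 3 digits` comment with the decimal-representation one.
```javascript
function ZeroPad(number,padlen) {
  var ret=number.toString(10);
  if(!padlen || ret.length>=padlen) return ret;
  return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
}

// … unchanged: fred_report_html up to the \Select\Current lookup …
    cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
    // Current holds a DWORD value, thus we get a string like 0x00000000, but
    // control sets are referenced by its decimal representation.
    cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3);
```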

System time info (",cur_controlset,")

"); + println(""); + println(" System Time Info"); + println(" "); + println("

System time info (",cur_controlset,")

"); -// Get current controlset -var cur_controlset=GetRegistryKeyValue("\\Select","Current"); -if(IsValid(cur_controlset)) { - cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); - // Current holds a DWORD value, thus we get a string like 0x00000000, but - // control sets are referenced by its decimal representation. - cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3) + // Get current controlset + var cur_controlset=GetRegistryKeyValue("\\Select","Current"); + if(IsValid(cur_controlset)) { + cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); + // Current holds a DWORD value, thus we get a string like 0x00000000, but + // control sets are referenced by its decimal representation. + cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3) - println("

"); - println(" Time zone info"); - println(" "); + println("

"); + println(" Time zone info"); + println("

"); - // Active time bias - val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","ActiveTimeBias"); - print_table_row("Active time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a"); + // Active time bias + val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","ActiveTimeBias"); + print_table_row("Active time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a"); - // Std. tz name and bias - val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardName"); - print_table_row("Std. time zone name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); - val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardBias"); - print_table_row("Std. time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a"); + // Std. tz name and bias + val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardName"); + print_table_row("Std. time zone name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); + val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardBias"); + print_table_row("Std. time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a"); - // Daylight tz name and bias - val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightName"); - print_table_row("Daylight time zone name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); - val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightBias"); - print_table_row("Daylight time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a"); + // Daylight tz name and bias + val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightName"); + print_table_row("Daylight time zone name:",(IsValid(val)) ? 
RegistryKeyValueToString(val.value,val.type) : "n/a"); + val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightBias"); + print_table_row("Daylight time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a"); - println("
"); - println("
"); - println(" W32Time service info"); - println(" "); + println("
"); + println("
"); + println(" W32Time service info"); + println(" "); - // Get W32Time service settings - val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time","Start"); - if(IsValid(val)) { - print(" "); - // If service is enabled, get ntp server - if(Number(val)<4) { - val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time\\Parameters","NtpServer"); - print_table_row("NTP server(s):",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); - } - } else print_table_row("Startup method:","n/a"); + // Get W32Time service settings + val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time","Start"); + if(IsValid(val)) { + print(" "); + // If service is enabled, get ntp server + if(Number(val)<4) { + val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time\\Parameters","NtpServer"); + print_table_row("NTP server(s):",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); + } + } else print_table_row("Startup method:","n/a"); - println("
Startup method:"); - val=RegistryKeyValueToString(val.value,val.type); - switch(Number(val)) { - case 0: - print("Boot"); - break; - case 1: - print("System"); - break; - case 2: - print("Automatic"); - break; - case 3: - print("Manual"); - break; - case 4: - print("Disabled"); - break; - default: - print("Unknown"); - } - println("
Startup method:"); + val=RegistryKeyValueToString(val.value,val.type); + switch(Number(val)) { + case 0: + print("Boot"); + break; + case 1: + print("System"); + break; + case 2: + print("Automatic"); + break; + case 3: + print("Manual"); + break; + case 4: + print("Disabled"); + break; + default: + print("Unknown"); + } + println("
"); - println("

"); -} else { - println("

"); - println(" Unable to determine current control set!
"); - println(" Are you sure you are running this report against the correct registry hive?"); - println("

"); -} + println(" "); + println("

"); + } else { + println("

"); + println(" Unable to determine current control set!
"); + println(" Are you sure you are running this report against the correct registry hive?"); + println("

"); + } -println(""); + println(""); +} diff --git a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs index 9cd16f3..3ed2517 100644 --- a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs +++ b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs @@ -1,139 +1,150 @@ -// TODO: There is more here. Check http://www.forensicswiki.org/wiki/USB_History_Viewing +function fred_report_info() { + var info={report_cat : "SYSTEM", + report_name : "USB storage devices", + report_author : "Gillen Daniel", + report_desc : "Dump USB storage devices", + fred_api : 2, + hive : "SYSTEM" + }; + return info; +} function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ZeroPad(number,padlen) { var ret=number.toString(10); if(!padlen || ret.length>=padlen) return ret; return Math.pow(10,padlen-ret.length).toString().slice(1)+ret; } -// Global vars -var val; +function fred_report_html() { + // TODO: There is more here. Check http://www.forensicswiki.org/wiki/USB_History_Viewing + var val; -println(""); -println(" USB Storage Devices"); -println(" "); -println("
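Review bot: In the new `fred_report_html` the heading `println("…System time info (",cur_controlset,")…")` is emitted before `var cur_controlset=GetRegistryKeyValue("\\Select","Current")` runs, so with `var` hoisting the heading always reads "System time info (undefined)"; the old side had the same ordering and the move into a function does not change it. Either print that heading after the `ControlSet` string has been computed (inside the `if(IsValid(cur_controlset))` branch, next to the time zone table) or drop the parenthesised value and add `print_table_row("Active control set:",cur_controlset);` as the ShutdownTime template does. `StandardName`, `DaylightName` and `NtpServer` are also written into the HTML unescaped although they come from the evidence hive; an escaping helper applied inside `print_table_row` would cover all of them.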

USB storage devices

"); + println(""); + println(" USB Storage Devices"); + println(" "); + println("

USB storage devices

"); -// Preload MountedDevices to possibly identify mount points of USB storage devices -var mnt_keys=GetRegistryKeys("\\MountedDevices"); -var mnt_values=new Array(); -if(IsValid(mnt_keys)) { - for(var i=0;i"); - println(" Settings
"); - println(" "); + println("

"); + println(" Settings
"); + println("

"); - // Are USB storage devices enabled? - // http://www.forensicmag.com/article/windows-7-registry-forensics-part-5 - // Is this true for WinXP etc.. ??? - var val=GetRegistryKeyValue(cur_controlset+"\\services\\USBSTOR","Start"); - if(IsValid(val)) { - val=RegistryKeyValueToString(val.value,val.type); - val=parseInt(String(val).substr(2,8),10); - switch(val) { - case 3: - print_table_row("Storage driver enabled:","Yes"); - break; - case 4: - print_table_row("Storage driver enabled:","No"); - break; - default: - print_table_row("Storage driver enabled:","Unknown"); + // Are USB storage devices enabled? + // http://www.forensicmag.com/article/windows-7-registry-forensics-part-5 + // Is this true for WinXP etc.. ??? + var val=GetRegistryKeyValue(cur_controlset+"\\services\\USBSTOR","Start"); + if(IsValid(val)) { + val=RegistryKeyValueToString(val.value,val.type); + val=parseInt(String(val).substr(2,8),10); + switch(val) { + case 3: + print_table_row("Storage driver enabled:","Yes"); + break; + case 4: + print_table_row("Storage driver enabled:","No"); + break; + default: + print_table_row("Storage driver enabled:","Unknown"); + } + } else { + print_table_row("Storage driver enabled:","Unknown"); } - } else { - print_table_row("Storage driver enabled:","Unknown"); - } - println("
"); - println("

"); - println("

"); - println(" Devices
"); + println(" "); + println("

"); + println("

"); + println(" Devices
"); - var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR"); - if(IsValid(storage_roots)) { - for(var i=0;i",storage_roots[i],"
"); - var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]); - for(ii=0;ii"); - // If the second character of the unique instance ID is a '&', then the ID was - // generated by the system, as the device did not have a serial number. - if(String(storage_subroots[ii]).charAt(1)=="&") print_table_row("Unique ID:",storage_subroots[ii]+" (Generated by system)"); - else print_table_row("Unique ID:",storage_subroots[ii]); + var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR"); + if(IsValid(storage_roots)) { + for(var i=0;i",storage_roots[i],"
"); + var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]); + for(ii=0;ii"); + // If the second character of the unique instance ID is a '&', then the ID was + // generated by the system, as the device did not have a serial number. + if(String(storage_subroots[ii]).charAt(1)=="&") print_table_row("Unique ID:",storage_subroots[ii]+" (Generated by system)"); + else print_table_row("Unique ID:",storage_subroots[ii]); - val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"Class"); - print_table_row("Class:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); - val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"DeviceDesc"); - print_table_row("Device description:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); - val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"FriendlyName"); - print_table_row("Friendly name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); - val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"ParentIdPrefix"); - if(IsValid(val)) { - // Windows XP uses the ParentId to link to MountedDevices - var parent_id=RegistryKeyValueToString(val.value,val.type); - print_table_row("Parent ID prefix:",parent_id); - // Find mount point(s) - print(" Mount point(s):"); - var br=0; - for(var iii=0;iii"); - else br=1; - print(mnt_keys[iii]); + val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"Class"); + print_table_row("Class:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); + val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"DeviceDesc"); + print_table_row("Device description:",(IsValid(val)) ? 
RegistryKeyValueToString(val.value,val.type) : ""); + val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"FriendlyName"); + print_table_row("Friendly name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); + val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"ParentIdPrefix"); + if(IsValid(val)) { + // Windows XP uses the ParentId to link to MountedDevices + var parent_id=RegistryKeyValueToString(val.value,val.type); + print_table_row("Parent ID prefix:",parent_id); + // Find mount point(s) + print(" Mount point(s):"); + var br=0; + for(var iii=0;iii"); + else br=1; + print(mnt_keys[iii]); + } } - } - if(br==0) print("n/a"); - println(""); - } else { - // Since Vista, Unique IDs are used - // Find mount point(s) - print(" Mount point(s):"); - var br=0; - for(var iii=0;iii"); - else br=1; - print(mnt_keys[iii]); + if(br==0) print("n/a"); + println(""); + } else { + // Since Vista, Unique IDs are used + // Find mount point(s) + print(" Mount point(s):"); + var br=0; + for(var iii=0;iii"); + else br=1; + print(mnt_keys[iii]); + } } + if(br==0) print("n/a"); + println(""); } - if(br==0) print("n/a"); - println(""); + println(" "); + println("
"); } - println(" "); - println("
"); } + } else { + println(" This registry hive does not contain a list of attached USB storage devices!"); } + println("

"); } else { - println(" This registry hive does not contain a list of attached USB storage devices!"); + println("

"); + println(" Unable to determine current control set!
"); + println(" Are you sure you are running this report against the correct registry hive?"); + println("

"); } - println("

"); -} else { - println("

"); - println(" Unable to determine current control set!
"); - println(" Are you sure you are running this report against the correct registry hive?"); - println("

"); -} -println(""); + println(""); +} diff --git a/trunk/datareporterengine.cpp b/trunk/reportengine.cpp similarity index 70% copy from trunk/datareporterengine.cpp copy to trunk/reportengine.cpp index f9e3bb9..638b60f 100644 --- a/trunk/datareporterengine.cpp +++ b/trunk/reportengine.cpp 
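Review bot: `for(ii=0;…)` over `storage_subroots` in the new `fred_report_html` assigns `ii` without `var`, so it still leaks onto the script's global object, the very thing this commit removes by moving `val` into the function; the other loops here use `var i` / `var iii`, so make it `for(var ii=0;…)`. The USBSTOR `Start` value is parsed as `parseInt(String(val).substr(2,8),10)`, i.e. the eight digits of the `0x…` rendering (per the comments in the sibling templates) read in base 10; that only works because `Start` is 0–4, and the control-set conversion in these templates uses radix 16, so `parseInt(String(val).substr(2,8),16)` is the consistent form. The `switch` maps only 3 to "Yes" and 4 to "No"; a start type of 0, 1 or 2 presumably also means the driver loads, so reporting those as "Unknown" understates the finding — worth a comment, or a `case 0: case 1: case 2:` fall-through to "Yes" if that reading is confirmed. `DeviceDesc` and `FriendlyName` are written into the report unescaped as well.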
@@ -1,374 +1,446 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ -#include "datareporterengine.h" +#include "reportengine.h" -#include -#include -#include -#include +#include +#include #include -#include +#include -DataReporterEngine::DataReporterEngine(RegistryHive *p_hive) : QScriptEngine() { +/******************************************************************************* + * Public + ******************************************************************************/ + +ReportEngine::ReportEngine(RegistryHive *p_hive) : QScriptEngine() { // Init vars this->p_registry_hive=p_hive; this->report_content=""; // Add our constants this->globalObject().setProperty("ENGINE_API_VERSION", - this->api_version, + FRED_REPORTENGINE_API_VERSION, QScriptValue::ReadOnly| QScriptValue::Undeletable); - +/* + this->globalObject().setProperty("HIVE_FILE", + this->p_registry_hive->Filename(), + QScriptValue::ReadOnly| + QScriptValue::Undeletable); +*/ // Add our types to engine qScriptRegisterMetaType(this, this->RegistryKeyValueToScript, 
this->RegistryKeyValueFromScript); this->p_type_byte_array=new ByteArray(this); this->globalObject().setProperty("ByteArray", this->p_type_byte_array->constructor()); // Add our functions // print QScriptValue func_print=this->newFunction(this->Print); this->globalObject().setProperty("print",func_print); // println QScriptValue func_println=this->newFunction(this->PrintLn); this->globalObject().setProperty("println",func_println); // GetRegistryNodes QScriptValue func_get_nodes=this->newFunction(this->GetRegistryNodes,1); func_get_nodes.setData(this->newQObject(this->p_registry_hive)); this->globalObject().setProperty("GetRegistryNodes",func_get_nodes); // GetRegistryKeys QScriptValue func_get_keys=this->newFunction(this->GetRegistryKeys,1); func_get_keys.setData(this->newQObject(this->p_registry_hive)); this->globalObject().setProperty("GetRegistryKeys",func_get_keys); // GetRegistryKeyValue QScriptValue func_get_key_value=this->newFunction(this->GetRegistryKeyValue, 2); func_get_key_value.setData(this->newQObject(this->p_registry_hive)); this->globalObject().setProperty("GetRegistryKeyValue",func_get_key_value); // GetRegistryNodeModTime QScriptValue func_get_node_modt= this->newFunction(this->GetRegistryNodeModTime,1); func_get_node_modt.setData(this->newQObject(this->p_registry_hive)); this->globalObject().setProperty("GetRegistryNodeModTime",func_get_node_modt); // RegistryKeyValueToString QScriptValue func_value_to_string= this->newFunction(this->RegistryKeyValueToString,2); this->globalObject().setProperty("RegistryKeyValueToString", func_value_to_string); // RegistryKeyValueToVariant QScriptValue func_value_to_variant= this->newFunction(this->RegistryKeyValueToVariant); this->globalObject().setProperty("RegistryKeyValueToVariant", func_value_to_variant); // RegistryKeyTypeToString QScriptValue func_type_to_string= this->newFunction(this->RegistryKeyTypeToString,1); this->globalObject().setProperty("RegistryKeyTypeToString", func_type_to_string); } 
-DataReporterEngine::~DataReporterEngine() { +ReportEngine::~ReportEngine() { delete this->p_type_byte_array; } -QScriptValue DataReporterEngine::Print(QScriptContext *context, - QScriptEngine *engine) +/* + * GetReportTemplateInfo + */ +QMap ReportEngine::GetReportTemplateInfo(QString file) { + // Open report template file + QFile template_file(file); + if(!template_file.open(QIODevice::ReadOnly | QIODevice::Text)) { + QMap error_msg; + error_msg["error"]=QString("Couldn't open report template file '%1'!") + .arg(file); + return error_msg; + } + + // Read template file and close it + QString report_code; + QTextStream in(&template_file); + while(!in.atEnd()) report_code.append(in.readLine()).append("\n"); + template_file.close(); + + // Evaluate report template script + QScriptValue report_result=this->evaluate(report_code,file); + if (report_result.isError() || this->hasUncaughtException()) { + QMap error_msg; + error_msg["error"]=QString("File: %1\n Line: %2\nError: %3") + .arg(file) + .arg(report_result.property("lineNumber").toInt32()) + .arg(report_result.toString()); + return error_msg; + } + + // Try to call the fred_report_info script function and return result + QScriptValue fred_report_info_func= + this->globalObject().property("fred_report_info"); + if(!fred_report_info_func.isFunction()) { + QMap error_msg; + error_msg["error"]= + QString("Report template '%1' does not have a fred_report_info function!") + .arg(file) + .arg(report_result.property("lineNumber").toInt32()) + .arg(report_result.toString()); + return error_msg; + } + QScriptValue fred_report_info_res=fred_report_info_func.call(); + // TODO: Maybe do more checking on return value + return fred_report_info_res.toVariant().toMap(); +} + +/******************************************************************************* + * Public Slots + ******************************************************************************/ + 
+/******************************************************************************* + * Private + ******************************************************************************/ + +/* + * Print + */ +QScriptValue ReportEngine::Print(QScriptContext *context, + QScriptEngine *engine) { int i; QString content; // Append all arguments to content for(i=0;iargumentCount();++i) { //if(i>0) content.append(" "); content.append(context->argument(i).toString()); } - //QScriptValue calleeData=context->callee().data(); - //DataReporterEngine *engine= - // qobject_cast(calleeData.toQObject()); - qobject_cast(engine)->report_content.append(content); + qobject_cast(engine)->report_content.append(content); return engine->undefinedValue(); } -QScriptValue DataReporterEngine::PrintLn(QScriptContext *context, - QScriptEngine *engine) +/* + * PrintLn + */ +QScriptValue ReportEngine::PrintLn(QScriptContext *context, + QScriptEngine *engine) { int i; QString content; // Append all arguments to content for(i=0;iargumentCount();++i) { //if(i>0) content.append(" "); content.append(context->argument(i).toString()); } - qobject_cast(engine)-> + qobject_cast(engine)-> report_content.append(content).append("\n"); return engine->undefinedValue(); } /* * GetRegistryNodes */ -QScriptValue DataReporterEngine::GetRegistryNodes(QScriptContext *context, - QScriptEngine *engine) +QScriptValue ReportEngine::GetRegistryNodes(QScriptContext *context, + QScriptEngine *engine) { QScriptValue calleeData; RegistryHive *p_hive; QMap nodes; QScriptValue ret_nodes; int ii=0; // This function needs one argument, parent node path if(context->argumentCount()!=1) return engine->undefinedValue(); // Get calle data (Pointer to RegistryHive class) calleeData=context->callee().data(); p_hive=qobject_cast(calleeData.toQObject()); // Get nodes nodes=p_hive->GetNodes(context->argument(0).toString()); if(p_hive->Error()) { // Clear error state p_hive->GetErrorMsg(); return engine->undefinedValue(); } // Build script array 
ret_nodes=engine->newArray(nodes.count()); QMapIterator i(nodes); while(i.hasNext()) { i.next(); ret_nodes.setProperty(ii++,QScriptValue(i.key())); } return ret_nodes; } /* * GetRegistryKeys */ -QScriptValue DataReporterEngine::GetRegistryKeys(QScriptContext *context, - QScriptEngine *engine) +QScriptValue ReportEngine::GetRegistryKeys(QScriptContext *context, + QScriptEngine *engine) { QScriptValue calleeData; RegistryHive *p_hive; QMap keys; QScriptValue ret_keys; int ii=0; // This function needs one argument, parent node path if(context->argumentCount()!=1) return engine->undefinedValue(); // Get calle data (Pointer to RegistryHive class) calleeData=context->callee().data(); p_hive=qobject_cast(calleeData.toQObject()); // Get keys keys=p_hive->GetKeys(context->argument(0).toString()); if(p_hive->Error()) { // Clear error state p_hive->GetErrorMsg(); return engine->undefinedValue(); } - //qDebug(QString("P: %1 A: %2").arg(context->argument(0).toString()).arg(keys.count()).toAscii().constData()); - // Build script array ret_keys=engine->newArray(keys.count()); QMapIterator i(keys); while(i.hasNext()) { i.next(); ret_keys.setProperty(ii++,QScriptValue(i.key())); } return ret_keys; } /* * RegistryKeyValueToScript */ -QScriptValue DataReporterEngine::RegistryKeyValueToScript(QScriptEngine *engine, - const - s_RegistryKeyValue - &s) +QScriptValue ReportEngine::RegistryKeyValueToScript(QScriptEngine *engine, + const s_RegistryKeyValue &s) { QScriptValue obj=engine->newObject(); obj.setProperty("type",s.type); obj.setProperty("length",s.length); ByteArray *p_byte_array=new ByteArray(engine); obj.setProperty("value",p_byte_array->newInstance(s.value)); return obj; } /* * RegistryKeyValueFromScriptValue */ -void DataReporterEngine::RegistryKeyValueFromScript(const QScriptValue &obj, - s_RegistryKeyValue &s) +void ReportEngine::RegistryKeyValueFromScript(const QScriptValue &obj, + s_RegistryKeyValue &s) { s.type=obj.property("type").toInt32(); 
s.length=obj.property("length").toInt32(); // TODO: Don't know if this works, but it probably does ;) s.value=qvariant_cast(obj.property("value").data().toVariant()); } -QScriptValue DataReporterEngine::GetRegistryKeyValue(QScriptContext *context, - QScriptEngine *engine) +/* + * GetRegistryKeyValue + */ +QScriptValue ReportEngine::GetRegistryKeyValue(QScriptContext *context, + QScriptEngine *engine) { QScriptValue calleeData; RegistryHive *p_hive; QByteArray key_value; int key_type=0; size_t key_length=0; s_RegistryKeyValue script_key_value; // This function needs two arguments, key path and key name if(context->argumentCount()!=2) return engine->undefinedValue(); // Get calle data (Pointer to RegistryHive class) calleeData=context->callee().data(); p_hive=qobject_cast(calleeData.toQObject()); // Get key value key_value=p_hive->GetKeyValue(context->argument(0).toString(), context->argument(1).toString(), &key_type, &key_length); if(p_hive->Error()) { // Get error message to clear error state p_hive->GetErrorMsg(); // printf("\nError: %s\n",p_hive->GetErrorMsg().toAscii().constData()); return engine->undefinedValue(); } // Save key value to s_RegistryKeyValue struct script_key_value.type=key_type; script_key_value.length=key_length; script_key_value.value=key_value; - return DataReporterEngine::RegistryKeyValueToScript(engine,script_key_value); + return ReportEngine::RegistryKeyValueToScript(engine,script_key_value); } -QScriptValue DataReporterEngine::RegistryKeyValueToString( - QScriptContext *context, - QScriptEngine *engine) +/* + * RegistryKeyValueToString + */ +QScriptValue ReportEngine::RegistryKeyValueToString(QScriptContext *context, + QScriptEngine *engine) { QByteArray key_value; QString ret=""; // This function needs two arguments, key value and value type if(context->argumentCount()!=2) return engine->undefinedValue(); // Cast ByteArray argument to QByteArray and convert key_value=qvariant_cast(context->argument(0).data().toVariant()); 
ret=RegistryHive::KeyValueToString(key_value, context->argument(1).toInt32()); return engine->newVariant(ret); } -QScriptValue DataReporterEngine::RegistryKeyValueToVariant( - QScriptContext *context, - QScriptEngine *engine) +/* + * RegistryKeyValueToVariant + */ +QScriptValue ReportEngine::RegistryKeyValueToVariant(QScriptContext *context, + QScriptEngine *engine) { int offset=0; int length=-1; bool little_endian=true; QByteArray key_value; QString format=""; QString ret=""; // This function needs at least two arguments, key value and variant type, // and may have three optional arguments, offset, length and little_endian if(context->argumentCount()<2 || context->argumentCount()>5) { return engine->undefinedValue(); } if(context->argumentCount()==3) { offset=context->argument(2).toInt32(); } if(context->argumentCount()==4) { offset=context->argument(2).toInt32(); length=context->argument(3).toInt32(); } if(context->argumentCount()==5) { offset=context->argument(2).toInt32(); length=context->argument(3).toInt32(); little_endian=(context->argument(4).toInt32()==1); } // Cast ByteArray argument to QByteArray key_value=qvariant_cast(context->argument(0).data().toVariant()); format=context->argument(1).toString(); ret=RegistryHive::KeyValueToString(key_value,format,offset,length,little_endian); return engine->newVariant(ret); } -QScriptValue DataReporterEngine::RegistryKeyTypeToString( - QScriptContext *context, - QScriptEngine *engine) +/* + * RegistryKeyTypeToString + */ +QScriptValue ReportEngine::RegistryKeyTypeToString(QScriptContext *context, + QScriptEngine *engine) { QString ret=""; // This function needs one argument, key type if(context->argumentCount()!=1) return engine->undefinedValue(); ret=RegistryHive::KeyTypeToString(context->argument(0).toInt32()); return engine->newVariant(ret); } -QScriptValue DataReporterEngine::GetRegistryNodeModTime( - QScriptContext *context, - QScriptEngine *engine) +/* + * GetRegistryNodeModTime + */ +QScriptValue 
ReportEngine::GetRegistryNodeModTime(QScriptContext *context, + QScriptEngine *engine) { QScriptValue calleeData; RegistryHive *p_hive; int64_t mod_time=0; // This function needs one argument, node path if(context->argumentCount()!=1) return engine->undefinedValue(); // Get calle data (Pointer to RegistryHive class) calleeData=context->callee().data(); p_hive=qobject_cast(calleeData.toQObject()); mod_time=p_hive->GetNodeModTime(context->argument(0).toString()); if(p_hive->Error()) { // Get error message to clear error state p_hive->GetErrorMsg(); return engine->undefinedValue(); } QDateTime date_time; date_time.setTimeSpec(Qt::UTC); date_time.setTime_t(RegistryHive::FiletimeToUnixtime(mod_time)); return engine->newVariant(date_time.toString("yyyy/MM/dd hh:mm:ss")); } diff --git a/trunk/reportengine.h b/trunk/reportengine.h new file mode 100644 index 0000000..b1bfd10 --- /dev/null +++ b/trunk/reportengine.h 
@@ -0,0 +1,81 @@ +/******************************************************************************* +* fred Copyright (c) 2011-2013 by Gillen Daniel * +* * +* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * +* with special feautures useful during forensic analysis. * +* * +* This program is free software: you can redistribute it and/or modify it * +* under the terms of the GNU General Public License as published by the Free * +* Software Foundation, either version 3 of the License, or (at your option) * +* any later version. * +* * +* This program is distributed in the hope that it will be useful, but WITHOUT * +* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * +* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * +* more details. * +* * +* You should have received a copy of the GNU General Public License along with * +* this program. If not, see . * +*******************************************************************************/ + +#ifndef REPORTENGINE_H +#define REPORTENGINE_H + +#include +#include +#include +#include +#include +#include +#include + +#include "registryhive.h" +#include "qtscript_types/bytearray.h" + +#define FRED_REPORTENGINE_API_VERSION 2 + +class ReportEngine : public QScriptEngine { + Q_OBJECT + + public: + struct s_RegistryKeyValue { + int type; + int length; + QByteArray value; + }; + + RegistryHive *p_registry_hive; + QString report_content; + + ReportEngine(RegistryHive *p_hive); + ~ReportEngine(); + QMap GetReportTemplateInfo(QString file); + + private: + ByteArray *p_type_byte_array; + + static QScriptValue Print(QScriptContext *context, QScriptEngine *engine); + static QScriptValue PrintLn(QScriptContext *context, QScriptEngine *engine); + static QScriptValue GetRegistryNodes(QScriptContext *context, + QScriptEngine *engine); + static QScriptValue GetRegistryKeys(QScriptContext *context, + QScriptEngine *engine); + static QScriptValue 
RegistryKeyValueToScript(QScriptEngine *engine, + const s_RegistryKeyValue &s); + static void RegistryKeyValueFromScript(const QScriptValue &obj, + s_RegistryKeyValue &s); + static QScriptValue GetRegistryKeyValue(QScriptContext *context, + QScriptEngine *engine); + static QScriptValue RegistryKeyValueToString(QScriptContext *context, + QScriptEngine *engine); + static QScriptValue RegistryKeyValueToVariant(QScriptContext *context, + QScriptEngine *engine); + static QScriptValue RegistryKeyTypeToString(QScriptContext *context, + QScriptEngine *engine); + static QScriptValue GetRegistryNodeModTime(QScriptContext *context, + QScriptEngine *engine); +}; + +Q_DECLARE_METATYPE(ReportEngine::s_RegistryKeyValue) + +#endif // REPORTENGINE_H diff --git a/trunk/reports.cpp b/trunk/reports.cpp new file mode 100644 index 0000000..2f673e8 --- /dev/null +++ b/trunk/reports.cpp 
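Review bot: `s_RegistryKeyValue::length` is declared `int`, but `GetRegistryKeyValue` in reportengine.cpp earlier in this diff assigns a `size_t key_length` into it (`script_key_value.length=key_length;`), so a value length above `INT_MAX` silently wraps negative before it reaches script code; hive contents are untrusted input for a forensic tool, so the narrowing should be checked rather than implicit. Either widen the field to a type that round-trips through `QScriptValue` without loss, or reject oversized values before the assignment, e.g. `if(key_length>INT_MAX) return engine->undefinedValue();`. Separately, `ReportEngine(RegistryHive *p_hive);` is a single-argument constructor and should read `explicit ReportEngine(RegistryHive *p_hive);`, and `p_registry_hive` and `report_content` are public data members on a class that otherwise keeps its state private.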
@@ -0,0 +1,161 @@ +/******************************************************************************* +* fred Copyright (c) 2011-2013 by Gillen Daniel * +* * +* Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * +* with special feautures useful during forensic analysis. * +* * +* This program is free software: you can redistribute it and/or modify it * +* under the terms of the GNU General Public License as published by the Free * +* Software Foundation, either version 3 of the License, or (at your option) * +* any later version. * +* * +* This program is distributed in the hope that it will be useful, but WITHOUT * +* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * +* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * +* more details. * +* * +* You should have received a copy of the GNU General Public License along with * +* this program. If not, see . * +*******************************************************************************/ + +#include "reports.h" + +#include +#include +#include + +#include + +Reports::Reports() { + this->p_engine=new ReportEngine(NULL); + this->report_templates.clear(); +} + +Reports::~Reports() { + qDeleteAll(this->report_templates); + delete this->p_engine; +} + +void Reports::LoadReportTemplates(QString dir) { + QString report_template=""; + QString report_category,report_name,report_author,report_desc,report_hive; + bool found; + int i; + ReportTemplate *p_report; + + // Get all template files in report_templates directory + QDir report_dir(dir); + QStringList found_report_templates=report_dir. 
+ entryList(QStringList()<<"*.qs"); + + QListIterator it(found_report_templates); + while(it.hasNext()) { + // Build path to template file + report_template=report_dir.path(); + report_template.append(QDir::separator()); + report_template.append(it.next()); + + // Get report info + QMap report_info=this->p_engine-> + GetReportTemplateInfo(report_template); + if(report_info.contains("error")) { + // TODO: Inform user + qDebug()<<"Error in report '"< + FRED_REPORTENGINE_API_VERSION) + { + // TODO: Inform user + qDebug()<<"Report '"<report_templates.count();i++) { + if(this->report_templates.at(i)->Category()==report_category && + this->report_templates.at(i)->Name()==report_name) + { + found=true; + break; + } + } + + // Add to or update report template list + if(!found) { + // Add report to list + p_report=new ReportTemplate(report_template, + report_category, + report_name, + report_author, + report_desc, + report_hive); + this->report_templates.append(p_report); + } else { + // Update report entry + p_report=this->report_templates.at(i); + p_report->SetFile(report_template); + p_report->SetAuthor(report_author); + p_report->SetDescription(report_desc); + } + } +} + +QStringList Reports::GetAvailableReportCategories() { + QStringList ret; + QString cat; + int i; + + ret.clear(); + for(i=0;ireport_templates.count();i++) { + cat=this->report_templates.value(i)->Category(); + if(!ret.contains(cat)) ret.append(cat); + } + ret.sort(); + + return ret; +} + + +QStringList Reports::GetAvailableReports(QString category) { + QStringList ret; + QString cat; + int i=0; + + ret.clear(); + for(i=0;ireport_templates.count();i++) { + cat=this->report_templates.value(i)->Category(); + if(cat==category) ret.append(this->report_templates.value(i)->Name()); + } + ret.sort(); + + return ret; +} + +QMap Reports::GetReportInfo(QString category, QString name) { + QMap ret; + int i=0; + + // Search requested report + for(i=0;ireport_templates.count();i++) { + 
if(this->report_templates.value(i)->Category()==category && + this->report_templates.value(i)->Name()==name) + { + ret["report_author"]=this->report_templates.value(i)->Author(); + ret["report_desc"]=this->report_templates.value(i)->Description(); + break; + } + } + + return ret; +} diff --git a/trunk/reporttemplate.h b/trunk/reports.h similarity index 66% copy from trunk/reporttemplate.h copy to trunk/reports.h index 23ae59a..397b89e 100644 --- a/trunk/reporttemplate.h +++ b/trunk/reports.h 
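Review bot: `Reports::Reports()` builds its engine with `new ReportEngine(NULL)`, and the engine's script-visible accessors earlier in this diff (`GetRegistryKeys`, `GetRegistryKeyValue`, `GetRegistryNodeModTime`) dereference the hive pointer obtained from the callee data without a null check; if `GetReportTemplateInfo` evaluates the template script to read its metadata, a template that calls one of those functions at top level would crash the loader instead of being reported as a bad template. Either construct the metadata engine so those functions are not registered, or add `if(p_hive==NULL) return engine->undefinedValue();` after the `qobject_cast` in each accessor. Also, `bool found;` in `LoadReportTemplates` is declared without an initializer and the per-iteration reset is not visible in this view (the middle of the loop is garbled here), so declare it `bool found=false;` and keep the reset inside the loop. `GetReportTemplateInfo`'s body is outside this hunk.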
@@ -1,46 +1,54 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ -#ifndef REPORTTEMPLATE_H -#define REPORTTEMPLATE_H +#ifndef REPORTS_H +#define REPORTS_H +#include "reporttemplate.h" +#include "reportengine.h" + +#include +#include #include -class ReportTemplate { +class Reports { public: - ReportTemplate(QString report_category, - QString report_name, - QString report_template_file); - - void SetCategory(QString new_category); - void SetName(QString new_name); - void SetFile(QString new_file); + Reports(); + ~Reports(); - QString Category(); - QString Name(); - QString File(); + void LoadReportTemplates(QString dir); + QStringList GetAvailableReportCategories(); + QStringList GetAvailableReports(QString category); + QMap GetReportInfo(QString category, QString name); +/* + QString GenerateReport(RegistryHive *p_hive, + QString report_category, + QString report_name); + QString GenerateReport(RegistryHive *p_hive, + QString report_template, + bool console_mode=false); +*/ private: - QString category; - QString name; - QString template_file; + 
QList report_templates; + ReportEngine *p_engine; }; -#endif // REPORTTEMPLATE_H +#endif // REPORTS_H diff --git a/trunk/reporttemplate.cpp b/trunk/reporttemplate.cpp index 03b4438..507d831 100644 --- a/trunk/reporttemplate.cpp +++ b/trunk/reporttemplate.cpp 
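Review bot: `Reports` owns raw heap objects (a `QList` of `ReportTemplate` pointers, whose template argument is stripped in this view, and `ReportEngine *p_engine`) and deletes them in `~Reports()`, but leaves the implicit copy constructor and copy assignment enabled, so any accidental copy of a `Reports` ends in a double delete. Add `Q_DISABLE_COPY(Reports)` in the private section (or `= delete` both special members) so the compiler rejects copies. The commented-out `GenerateReport` declarations are dead text in a brand-new header; either drop them or replace them with a one-line `// TODO:` saying why they are parked.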
@@ -1,54 +1,84 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #include "reporttemplate.h" -ReportTemplate::ReportTemplate(QString report_category, +ReportTemplate::ReportTemplate(QString report_template_file, + QString report_category, QString report_name, - QString report_template_file) + QString report_author, + QString report_desc, + QString report_hive) { + this->template_file=report_template_file; this->category=report_category; this->name=report_name; - this->template_file=report_template_file; + this->author=report_author; + this->description=report_desc; + this->hive=report_hive; +} + +void ReportTemplate::SetFile(QString new_file) { + this->template_file=new_file; } void ReportTemplate::SetCategory(QString new_category) { this->category=new_category; } void ReportTemplate::SetName(QString new_name) { this->name=new_name; } -void ReportTemplate::SetFile(QString new_file) { - this->template_file=new_file; +void ReportTemplate::SetAuthor(QString new_author) { + this->author=new_author; +} + +void ReportTemplate::SetDescription(QString 
new_desc) { + this->description=new_desc; +} + +void ReportTemplate::SetHive(QString new_hive) { + this->hive=new_hive; +} + +QString ReportTemplate::ReportTemplate::File() { + return this->template_file; } QString ReportTemplate::ReportTemplate::Category() { return this->category; } QString ReportTemplate::ReportTemplate::Name() { return this->name; } -QString ReportTemplate::ReportTemplate::File() { - return this->template_file; +QString ReportTemplate::ReportTemplate::Author() { + return this->author; +} + +QString ReportTemplate::ReportTemplate::Description() { + return this->description; +} + +QString ReportTemplate::ReportTemplate::Hive() { + return this->hive; } diff --git a/trunk/reporttemplate.h b/trunk/reporttemplate.h index 23ae59a..2a3fba1 100644 --- a/trunk/reporttemplate.h +++ b/trunk/reporttemplate.h 
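Review bot: The new getters copy the pre-existing `QString ReportTemplate::ReportTemplate::Author()` spelling, which qualifies through the injected class name twice; it compiles, but it reads like a typo, and the `SetAuthor`/`SetDescription`/`SetHive` definitions directly above use the plain `ReportTemplate::` form, so the file now mixes both styles. Write them as `QString ReportTemplate::Author() {` (likewise `File`, `Category`, `Name`, `Description`, `Hive`). The constructor also takes six positional `QString`s, the last three of which are interchangeable by type, so a caller that swaps `report_desc` and `report_hive` compiles silently; a short comment on the constructor naming the argument order, or setter calls after a shorter constructor, would make that harder to get wrong.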
@@ -1,46 +1,58 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #ifndef REPORTTEMPLATE_H #define REPORTTEMPLATE_H #include class ReportTemplate { public: - ReportTemplate(QString report_category, + ReportTemplate(QString report_template_file, + QString report_category, QString report_name, - QString report_template_file); + QString report_author, + QString report_desc, + QString report_hive); + void SetFile(QString new_file); void SetCategory(QString new_category); void SetName(QString new_name); - void SetFile(QString new_file); + void SetAuthor(QString new_author); + void SetDescription(QString new_desc); + void SetHive(QString new_hive); + QString File(); QString Category(); QString Name(); - QString File(); + QString Author(); + QString Description(); + QString Hive(); private: + QString template_file; QString category; QString name; - QString template_file; + QString author; + QString description; + QString hive; }; #endif // REPORTTEMPLATE_H
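Review bot: None of the accessors added here (`Author()`, `Description()`, `Hive()`), nor the existing `File()`, `Category()`, `Name()`, is declared `const`, so they cannot be called through a `const ReportTemplate*` or `const ReportTemplate&`, which forces read-only callers such as `GetReportInfo` in reports.cpp into non-const access just to read fields. Declare them `QString Author() const;` and so on, and add `const` to the matching definitions in reporttemplate.cpp. The class holds only `QString` members and declares no destructor or copy control, which is the right Rule-of-Zero shape; keep it that way as fields are added.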