 /// <summary>
 /// Wraps an already-parsed <paramref name="hive"/> as a SAM hive and copies
 /// <c>Filepath</c>, <c>RootKey</c> and <c>WasExported</c> onto the base object.
 /// </summary>
 /// <param name="hive">Parsed hive to wrap; kept in <c>_hive</c>.</param>
 /// <remarks>
 /// NOTE(review): <c>_hive</c> is assigned before the three <c>this.*</c> reads,
 /// presumably because those getters read through <c>_hive</c> — confirm against
 /// the property definitions before reordering.
 /// </remarks>
 public SAMHive(RegistryHive hive)
 {
     this._hive = hive;
     base.Filepath = this.Filepath;
     base.RootKey = this.RootKey;
     base.WasExported = this.WasExported;
 }
        /// <summary>
        /// Opens <paramref name="filename"/> as a hive and wraps it in the subclass
        /// matching its top-level layout: a root child named "Select" marks a
        /// SYSTEM hive, "SAM" a SAM hive, "Microsoft" a SOFTWARE hive and
        /// "Policy" a SECURITY hive. The first matching child in enumeration
        /// order decides.
        /// </summary>
        /// <param name="filename">Path of the hive file to open.</param>
        /// <returns>
        /// The typed wrapper, or a <c>GenericHive</c> when no known child name is
        /// found or when enumerating the root key throws for any reason.
        /// </returns>
        /// <remarks>
        /// Only the walk over the root key is guarded; an exception from opening
        /// the file in the <c>RegistryHive</c> constructor still propagates.
        /// </remarks>
        public static RegistryHive GetTypedHive(string filename)
        {
            RegistryHive hive = new RegistryHive(filename);

            try
            {
                foreach (NodeKey key in hive.RootKey.ChildNodes)
                {
                    // Ordinal string switch, equivalent to the == chain it replaces.
                    switch (key.Name)
                    {
                        case "Select":
                            return new SYSTEMHive(hive);
                        case "SAM":
                            return new SAMHive(hive);
                        case "Microsoft":
                            return new SOFTWAREHive(hive);
                        case "Policy":
                            return new SECURITYHive(hive);
                    }
                }
            }
            catch
            {
                // Any failure while walking the root key (for example a malformed
                // hive) degrades to the untyped wrapper instead of propagating.
                return new GenericHive(hive);
            }

            return new GenericHive(hive);
        }
        /// <summary>
        /// Builds a 1024x768 top-level window that shows <paramref name="hive"/> as
        /// a tree of registry keys. The backing store keeps the key name in column 0
        /// (the displayed text) and the <c>NodeKey</c> object itself in column 1.
        /// </summary>
        /// <param name="hive">Parsed hive whose root key seeds the tree.</param>
        public RegistryReader(RegistryHive hive)
            : base(Gtk.WindowType.Toplevel)
        {
            this.Build ();
            this.SetSizeRequest(1024,768);

            _tv = new TreeView();

            // Model: column 0 = key name (text), column 1 = the NodeKey object.
            _store = new TreeStore(typeof(string), typeof(object));
            _root = _store.AppendValues(hive.RootKey.Name, hive.RootKey);
            AddChildrenToView(hive.RootKey, _store, _root);

            // The first column has no title and no renderer; only the second,
            // text column is bound to the model.
            TreeViewColumn objectColumn = new TreeViewColumn();
            _tv.AppendColumn(objectColumn);

            CellRendererText keyRenderer = new CellRendererText();
            TreeViewColumn keyColumn = new TreeViewColumn();
            keyColumn.Title = "Registry Keys";
            keyColumn.PackStart(keyRenderer, true);
            _tv.AppendColumn(keyColumn);
            keyColumn.AddAttribute(keyRenderer, "text", 0);

            _tv.Model = _store;
            _tv.RowActivated += HandleRowActivated;

            ScrolledWindow scroller = new ScrolledWindow();
            scroller.Add(_tv);

            VBox contentBox = new VBox(true, 5);
            contentBox.Add(scroller);

            this.Add(contentBox);
            this.ShowAll();
        }
 /// <summary>
 /// Parses the hive at <paramref name="filename"/> via the base constructor and
 /// points <c>_hive</c> at this instance.
 /// </summary>
 /// <param name="filename">Path of the SAM hive file to open.</param>
 public SAMHive(string filename)
     : base(filename)
 {
     this._hive = this;
 }
 /// <summary>
 /// Parses the hive at <paramref name="filename"/> via the base constructor and
 /// points <c>_hive</c> at this instance.
 /// </summary>
 /// <param name="filename">Path of the SOFTWARE hive file to open.</param>
 public SOFTWAREHive(string filename)
     : base(filename)
 {
     this._hive = this;
 }
 /// <summary>
 /// Parses the hive at <paramref name="filename"/> via the base constructor and
 /// points <c>_hive</c> at this instance. Used for hives of no recognised type.
 /// </summary>
 /// <param name="filename">Path of the hive file to open.</param>
 public GenericHive(string filename)
     : base(filename)
 {
     this._hive = this;
 }
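        /// <summary>
        /// Handler for the "open" action: lets the user pick a file, sniffs its
        /// leading bytes to decide between a registry hive ("regf"), a legacy
        /// event log ("LfLe" at offset 4) and an EVTX log ("ElfFile"), and appends
        /// a view of the contents to <c>_vbox</c>.
        /// </summary>
        /// <param name="sender">Ignored; present for the Gtk handler signature.</param>
        /// <param name="e">Ignored; present for the Gtk handler signature.</param>
        /// <exception cref="NotSupportedException">
        /// The chosen file matches none of the known signatures. A file too short
        /// to hold the signature being tested is a non-match, not an index error.
        /// </exception>
        void OpenFile(object sender, EventArgs e)
        {
            FileChooserDialog fc = new FileChooserDialog("Choose the registry hive or event log to open",
                                                        this,
                                                        FileChooserAction.Open,
                                                        "Cancel",ResponseType.Cancel,
                                                        "Open",ResponseType.Accept);
            try
            {
                if (fc.Run() != (int)ResponseType.Accept)
                {
                    return;
                }

                string file = fc.Filename;
                Console.WriteLine("Reading: " + file);

                // The format is decided from the file's leading bytes only; the
                // file name and extension are not consulted.
                byte[] h = ReadHeader(file, 10);

                if (HasSignature(h, 0, "regf"))
                {
                    ShowRegistryHive(file);
                }
                else if (HasSignature(h, 4, "LfLe"))
                {
                    ShowLegacyEventLog(file);
                }
                else if (HasSignature(h, 0, "ElfFile"))
                {
                    // No view exists for EVTX yet; the log is only parsed here.
                    new EventLog(file);
                }
                else
                {
                    throw new NotSupportedException("Unsupported Format.");
                }

                this.ShowAll();
            }
            finally
            {
                // Runs on cancel and on an unsupported-format exception alike, so
                // the dialog is never left behind.
                fc.Destroy();
            }
        }

        /// <summary>
        /// Reads up to <paramref name="count"/> leading bytes of <paramref name="path"/>.
        /// </summary>
        /// <param name="path">File to read.</param>
        /// <param name="count">Maximum number of bytes to read.</param>
        /// <returns>
        /// The bytes read; shorter than <paramref name="count"/> for a short file,
        /// so callers must check the length rather than index blindly.
        /// </returns>
        private static byte[] ReadHeader(string path, int count)
        {
            using (FileStream stream = File.OpenRead(path))
            using (BinaryReader reader = new BinaryReader(stream))
            {
                return reader.ReadBytes(count);
            }
        }

        /// <summary>
        /// Tests whether <paramref name="header"/> holds the ASCII bytes of
        /// <paramref name="magic"/> starting at <paramref name="offset"/>.
        /// </summary>
        /// <param name="header">Leading bytes of the file; may be shorter than expected.</param>
        /// <param name="offset">Index in <paramref name="header"/> where the signature starts.</param>
        /// <param name="magic">Expected ASCII signature.</param>
        /// <returns>True on an exact byte match; false on mismatch or when the header is too short.</returns>
        private static bool HasSignature(byte[] header, int offset, string magic)
        {
            // A truncated header is a non-match, which is what turns a tiny file
            // into "unsupported" instead of an IndexOutOfRangeException.
            if (header == null || header.Length < offset + magic.Length)
            {
                return false;
            }

            for (int i = 0; i < magic.Length; i++)
            {
                if (header[offset + i] != magic[i])
                {
                    return false;
                }
            }

            return true;
        }

        /// <summary>
        /// Parses <paramref name="file"/> as a registry hive and appends a
        /// two-column key/value tree of it to <c>_vbox</c>.
        /// </summary>
        /// <param name="file">Path of the hive file.</param>
        private void ShowRegistryHive(string file)
        {
            RegistryHive hive = new RegistryHive(file);

            TreeView tv = new TreeView();
            _vbox.Add(tv);

            TreeViewColumn paths = new TreeViewColumn();
            paths.Title = "Registry Keys";

            CellRendererText keyCell = new CellRendererText();
            paths.PackStart(keyCell, true);

            TreeViewColumn values = new TreeViewColumn();
            values.Title = "Registry Values";

            CellRendererText valuesCell = new CellRendererText();
            values.PackStart(valuesCell, true);

            tv.AppendColumn(paths);
            tv.AppendColumn(values);

            paths.AddAttribute(keyCell, "text", 0);
            values.AddAttribute(valuesCell, "text", 1);

            TreeStore store = new TreeStore(typeof(string), typeof(string));

            // Only the key name is set on the root row; filling the rest of the
            // tree is left to AddChildrenToView (not shown here).
            TreeIter root = store.AppendValues(hive.RootKey.Name);

            AddChildrenToView(hive.RootKey, store, root);

            tv.Model = store;
        }

        /// <summary>
        /// Parses <paramref name="file"/> as a legacy event log and appends a
        /// five-column list of its records to <c>_vbox</c>.
        /// </summary>
        /// <param name="file">Path of the log file.</param>
        private void ShowLegacyEventLog(string file)
        {
            LegacyEventLog log = new LegacyEventLog(file);

            TreeView tv = new TreeView();
            _vbox.Add(tv);

            // One text column per record field; the model index of each column
            // matches the AppendValues argument order below.
            tv.AppendColumn(TextColumn("Time Written", 0));
            tv.AppendColumn(TextColumn("Time Generated", 1));
            tv.AppendColumn(TextColumn("Source Name", 2));
            tv.AppendColumn(TextColumn("Computer Name", 3));
            tv.AppendColumn(TextColumn("Strings", 4));

            TreeStore store = new TreeStore(typeof(string),typeof(string),typeof(string),typeof(string),typeof(string));

            foreach (LegacyLogItem item in log.Items)
            {
                store.AppendValues(item.TimeWritten.ToString(), item.TimeGenerated.ToString(), item.SourceName, item.ComputerName, item.Strings);
            }

            tv.Model = store;
        }

        /// <summary>
        /// Builds a titled text column bound to model column <paramref name="modelColumn"/>.
        /// </summary>
        /// <param name="title">Column header text.</param>
        /// <param name="modelColumn">Index of the model column rendered as text.</param>
        /// <returns>The configured column, ready for <c>AppendColumn</c>.</returns>
        private static TreeViewColumn TextColumn(string title, int modelColumn)
        {
            CellRendererText renderer = new CellRendererText();
            TreeViewColumn column = new TreeViewColumn();
            column.Title = title;
            column.PackStart(renderer, true);
            column.AddAttribute(renderer, "text", modelColumn);
            return column;
        }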
 /// <summary>
 /// Parses the hive at <paramref name="filename"/> via the base constructor and
 /// points <c>_hive</c> at this instance.
 /// </summary>
 /// <param name="filename">Path of the SECURITY hive file to open.</param>
 public SECURITYHive(string filename)
     : base(filename)
 {
     this._hive = this;
 }