public static void LogMatchingEntry(RegistryEntry entry, string matching_field)
{
SQLiteCommand command = DatabaseManager.Connection.CreateCommand();
command.CommandText = DBStringFormatter.GetMatchingEntryInsertStatement(entry, matching_field, AnalysisRunLogger.CurrentRunID);
command.ExecuteNonQuery();
Console.WriteLine("MATCH: " + command.CommandText);
main_window.MainApp.Analyzer.NumMatchingEntries += 1;
}
public static string GetMatchingEntryInsertStatement(RegistryEntry entry, string matching_field, int run_id)
{
string entry_key_name = string.Format(@"{0}", entry.KeyName);
entry_key_name = FieldClean(entry_key_name);
string entry_value = string.Format(@"{0}", entry.Value);
entry_value = FieldClean(entry_value);
string entry_location = string.Format(@"{0}", entry.RegistryLocation);
entry_location = FieldClean(entry_location);
string insert_str = string.Format("INSERT INTO MATCHING_ENTRIES (RUN_ID, KEY_NAME, VALUE, LOCATION, MATCHING_FIELD) VALUES ({0}, \"{1}\", \"{2}\", \"{3}\", \"{4}\")",
run_id, entry_key_name, entry_value, entry_location, matching_field);
return(insert_str);
}
public static string GetEntryInsertStatement(RegistryEntry entry, int run_id)
{
string entry_key_name = string.Format(@"{0}", entry.KeyName);
entry_key_name = FieldClean(entry_key_name);
string entry_value = string.Format(@"{0}", entry.Value);
entry_value = FieldClean(entry_value);
string entry_location = string.Format(@"{0}", entry.RegistryLocation);
entry_location = FieldClean(entry_location);
string entry_str = string.Format("INSERT INTO {0} (RUN_ID, KEY_NAME, VALUE, LOCATION) VALUES ({1},\"{2}\",\"{3}\",\"{4}\");",
"ENTRIES", run_id, entry_key_name, entry_value, entry_location);
return(entry_str);
}
public static void LogEntry(RegistryEntry entry)
{
}
private void RecursivelyCollectKeyLevelData(RegistryKey key)
{
string[] sub_key_names = key.GetSubKeyNames();
string[] value_names = key.GetValueNames();
foreach (string vn in value_names)
{
string string_value = key.GetValue(vn).ToString();// deped
var value_kind = key.GetValueKind(vn);
Console.WriteLine(value_kind);
if (value_kind == RegistryValueKind.Binary)
{
var value = (byte[])key.GetValue(vn);
string_value = BitConverter.ToString(value);
string_value = string_value.Replace("-", "");
}
RegistryEntry entry = new RegistryEntry();
entry.KeyName = vn;
entry.Value = string_value;
entry.RegistryLocation = key.ToString();
RegistryEntries.Add(entry);
analyzer.NumEntriesRecorded += 1;
analyzer.ActiveRegistryLocation = entry.RegistryLocation;
analyzer.ActiveRegistryValue = string_value;
List <string> matching_fields = analyzer.CheckValueMatch(string_value);
if (matching_fields.Count != 0)
{
foreach (string mtf in matching_fields)
{
EntryLogger.LogMatchingEntry(entry, mtf);
MatchingRegistryEntries.Add(entry);
}
}
matching_fields = analyzer.CheckValueMatch(vn);
if (matching_fields.Count != 0)
{
foreach (string mtf in matching_fields)
{
EntryLogger.LogMatchingEntry(entry, mtf);
MatchingRegistryEntries.Add(entry);
}
}
matching_fields = analyzer.CheckValueMatch(entry.RegistryLocation);
if (matching_fields.Count != 0)
{
foreach (string mtf in matching_fields)
{
EntryLogger.LogMatchingEntry(entry, mtf);
MatchingRegistryEntries.Add(entry);
}
}
}
foreach (string sub_k in sub_key_names)
{
try
{
RegistryKey sk = key.OpenSubKey(sub_k, false);
RecursivelyCollectKeyLevelData(sk);
}
catch (SecurityException ex)
{
string no_access_location = sub_k.ToString();
InaccessibleEntries.Add(no_access_location);
}
}
}
