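/// <summary>
/// Persists one matching registry entry to the MATCHING_ENTRIES table for the
/// current analysis run, echoes the match to the console and bumps the
/// application's match counter.
/// </summary>
/// <param name="entry">The registry entry that matched; KeyName, Value and RegistryLocation are stored.</param>
/// <param name="matching_field">The analyzer field (search term) that produced the match.</param>
/// <remarks>
/// Key names, values and paths come straight from the registry of the system
/// under analysis, so they are bound as SQL parameters rather than spliced into
/// the statement text. Any exception from <c>ExecuteNonQuery</c> propagates and
/// the counter is not incremented, as before.
/// </remarks>
public static void LogMatchingEntry(RegistryEntry entry, string matching_field) {
    // SQLiteCommand is IDisposable; dispose it per call instead of leaking one per match.
    using (SQLiteCommand command = DatabaseManager.Connection.CreateCommand()) {
        command.CommandText =
            "INSERT INTO MATCHING_ENTRIES (RUN_ID, KEY_NAME, VALUE, LOCATION, MATCHING_FIELD) " +
            "VALUES (@run_id, @key_name, @value, @location, @matching_field)";
        command.Parameters.AddWithValue("@run_id", AnalysisRunLogger.CurrentRunID);
        // string.Format("{0}", x) renders a null field as "" — the same normalisation the
        // string-building formatter applied, kept so stored rows look the same.
        command.Parameters.AddWithValue("@key_name", string.Format("{0}", entry.KeyName));
        command.Parameters.AddWithValue("@value", string.Format("{0}", entry.Value));
        command.Parameters.AddWithValue("@location", string.Format("{0}", entry.RegistryLocation));
        command.Parameters.AddWithValue("@matching_field", string.Format("{0}", matching_field));
        command.ExecuteNonQuery();
        // The console line used to be the raw SQL; now that values are bound, print the
        // facts a reader actually wants: where the match is and which term hit it.
        Console.WriteLine("MATCH: " + entry.RegistryLocation + "\\" + entry.KeyName + " [" + matching_field + "]");
    }
    main_window.MainApp.Analyzer.NumMatchingEntries += 1;
}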
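/// <summary>
/// Builds the INSERT statement that records a matching registry entry in the
/// MATCHING_ENTRIES table for a given analysis run.
/// </summary>
/// <param name="entry">The registry entry; its KeyName, Value and RegistryLocation are embedded.</param>
/// <param name="matching_field">The analyzer field (search term) that produced the match.</param>
/// <param name="run_id">Identifier of the analysis run the match belongs to.</param>
/// <returns>A single SQL INSERT statement with all text fields passed through <c>FieldClean</c>.</returns>
/// <remarks>
/// This is string-built SQL: <c>FieldClean</c> is the only thing standing between
/// registry-sourced text and the statement. Callers that can use bound parameters
/// on the command should prefer that over this builder.
/// </remarks>
public static string GetMatchingEntryInsertStatement(RegistryEntry entry, string matching_field, int run_id) {
    // Every embedded field gets the same treatment: render (null becomes ""), then FieldClean.
    string entry_key_name = FieldClean(string.Format(@"{0}", entry.KeyName));
    string entry_value = FieldClean(string.Format(@"{0}", entry.Value));
    string entry_location = FieldClean(string.Format(@"{0}", entry.RegistryLocation));
    // matching_field was the one embedded field that skipped FieldClean; it is quoted
    // into the statement exactly like the others, so it needs the same cleaning.
    string clean_matching_field = FieldClean(string.Format(@"{0}", matching_field));
    string insert_str = string.Format(
        "INSERT INTO MATCHING_ENTRIES (RUN_ID, KEY_NAME, VALUE, LOCATION, MATCHING_FIELD) VALUES ({0}, \"{1}\", \"{2}\", \"{3}\", \"{4}\")",
        run_id, entry_key_name, entry_value, entry_location, clean_matching_field);
    return insert_str;
}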
/// <summary>
/// Builds the INSERT statement that records one walked registry entry in the
/// ENTRIES table for the given analysis run.
/// </summary>
/// <param name="entry">The registry entry; its KeyName, Value and RegistryLocation are embedded.</param>
/// <param name="run_id">Identifier of the analysis run the entry belongs to.</param>
/// <returns>A single semicolon-terminated SQL INSERT statement with all text fields passed through <c>FieldClean</c>.</returns>
/// <remarks>
/// String-built SQL; <c>FieldClean</c> is the only protection applied to the
/// registry-sourced text that is quoted into the statement.
/// </remarks>
public static string GetEntryInsertStatement(RegistryEntry entry, int run_id) {
    // One pipeline for every text field: render (null becomes ""), then FieldClean.
    Func<object, string> clean = field => FieldClean(string.Format(@"{0}", field));
    string[] fields = new string[] {
        clean(entry.KeyName),
        clean(entry.Value),
        clean(entry.RegistryLocation)
    };
    return string.Format(
        "INSERT INTO {0} (RUN_ID, KEY_NAME, VALUE, LOCATION) VALUES ({1},\"{2}\",\"{3}\",\"{4}\");",
        "ENTRIES", run_id, fields[0], fields[1], fields[2]);
}
/// <summary>
/// Placeholder for per-entry logging; currently a deliberate no-op.
/// </summary>
/// <param name="entry">The registry entry that would be logged. Ignored.</param>
/// <remarks>
/// NOTE(review): <c>GetEntryInsertStatement</c> exists but nothing in view calls it;
/// confirm whether ordinary (non-matching) entries are meant to be persisted here
/// or whether this stub is intentional to keep the walk cheap.
/// </remarks>
public static void LogEntry(RegistryEntry entry) { }
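/// <summary>
/// Walks <paramref name="key"/> and every readable subkey beneath it, recording
/// each value as a <c>RegistryEntry</c>, running the analyzer's match checks
/// against the value, its name and its location, and noting subkeys that could
/// not be opened.
/// </summary>
/// <param name="key">An open, readable registry key. Not disposed here; the caller owns it.</param>
/// <remarks>
/// Side effects: appends to <c>RegistryEntries</c>, <c>MatchingRegistryEntries</c>
/// and <c>InaccessibleEntries</c>, and updates the analyzer's counters and
/// "active" location/value. Access-denied subkeys are recorded by full path and
/// skipped; other exceptions propagate.
/// </remarks>
private void RecursivelyCollectKeyLevelData(RegistryKey key) {
    string[] sub_key_names = key.GetSubKeyNames();
    string[] value_names = key.GetValueNames();
    foreach (string vn in value_names) {
        // Read the raw value once. The live registry is not a snapshot: GetValue returns
        // null if the value vanished between GetValueNames() and this call, which used to
        // crash the walk with a NullReferenceException.
        object raw = key.GetValue(vn);
        RegistryValueKind value_kind = key.GetValueKind(vn);
        Console.WriteLine(value_kind);
        string string_value = RenderValue(raw);
        RegistryEntry entry = new RegistryEntry();
        entry.KeyName = vn;
        entry.Value = string_value;
        entry.RegistryLocation = key.ToString();
        RegistryEntries.Add(entry);
        analyzer.NumEntriesRecorded += 1;
        analyzer.ActiveRegistryLocation = entry.RegistryLocation;
        analyzer.ActiveRegistryValue = string_value;
        // The three facets are matched independently; an entry that hits on more than
        // one facet (or more than one field) is logged and collected once per hit.
        RecordMatches(entry, string_value);
        RecordMatches(entry, vn);
        RecordMatches(entry, entry.RegistryLocation);
    }
    foreach (string sub_k in sub_key_names) {
        try {
            // RegistryKey wraps a handle; dispose each subkey as soon as its subtree is
            // done so a deep walk does not accumulate thousands of open handles.
            // OpenSubKey returns null when the subkey no longer exists — skip, don't crash.
            using (RegistryKey sk = key.OpenSubKey(sub_k, false)) {
                if (sk != null) {
                    RecursivelyCollectKeyLevelData(sk);
                }
            }
        }
        catch (SecurityException) {
            // Record the full path, not just the leaf name, so the report is usable.
            InaccessibleEntries.Add(key.ToString() + "\\" + sub_k);
        }
        catch (UnauthorizedAccessException) {
            // RegistryKey members report denied rights with this type as well.
            InaccessibleEntries.Add(key.ToString() + "\\" + sub_k);
        }
    }
}

/// <summary>
/// Renders a raw registry value as the single string the walker stores and matches on.
/// </summary>
/// <param name="raw">The object returned by <c>RegistryKey.GetValue</c>; may be null.</param>
/// <returns>
/// Upper-case hex without separators for byte[] (REG_BINARY and friends), one line
/// per element for string[] (REG_MULTI_SZ, which previously rendered as "System.String[]"),
/// <c>ToString()</c> for anything else, and "" for null.
/// </returns>
private static string RenderValue(object raw) {
    if (raw == null) {
        return string.Empty;
    }
    byte[] bytes = raw as byte[];
    if (bytes != null) {
        return BitConverter.ToString(bytes).Replace("-", "");
    }
    string[] lines = raw as string[];
    if (lines != null) {
        return string.Join("\n", lines);
    }
    return raw.ToString();
}

/// <summary>
/// Runs the analyzer's match check on one facet of an entry and logs/collects the
/// entry once per matching field.
/// </summary>
/// <param name="entry">The entry being examined.</param>
/// <param name="candidate">The text to match: the rendered value, the value name or the key path.</param>
/// <remarks>
/// Assumes <c>CheckValueMatch</c> returns an empty list (not null) when nothing matches,
/// as the original <c>Count</c> check did.
/// </remarks>
private void RecordMatches(RegistryEntry entry, string candidate) {
    List<string> matching_fields = analyzer.CheckValueMatch(candidate);
    foreach (string mtf in matching_fields) {
        EntryLogger.LogMatchingEntry(entry, mtf);
        MatchingRegistryEntries.Add(entry);
    }
}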