예제 #1
0
        public void ProcessValues(RegistryKey key)
        {
            _values.Clear();
            Errors.Clear();

            var namesKey = key.SubKeys.SingleOrDefault(t => t.KeyName == "Names");

            var nameMap = new Dictionary<int, DateTimeOffset>();

            if (namesKey == null)
            {
                return;
            }

            foreach (var registryKey in namesKey.SubKeys)
            {
                if (nameMap.ContainsKey((int) registryKey.Values.First().VKRecord.DataTypeRaw))
                {
                    continue;
                }
                nameMap.Add((int) registryKey.Values.First().VKRecord.DataTypeRaw, registryKey.LastWriteTime.Value);
            }

            foreach (var key1 in key.SubKeys)
            {
                if (key1.KeyName == "Names")
                {
                    continue;
                }

                try
                {
                    var fVal = key1.Values.SingleOrDefault(t => t.ValueName == "F");

                    var userId = 0;
                    var invalidLogins = 0;
                    var totalLogins = 0;
                    DateTimeOffset? lastLoginTime = null;
                    DateTimeOffset? lastPwChangeTime = null;
                    DateTimeOffset? acctExpiresTime = null;
                    DateTimeOffset? lastIncorrectPwTime = null;

                    if (fVal != null)
                    {
                        userId = BitConverter.ToInt32(fVal.ValueDataRaw, 0x30);
                        invalidLogins = BitConverter.ToInt16(fVal.ValueDataRaw, 0x40);
                        totalLogins = BitConverter.ToInt16(fVal.ValueDataRaw, 0x42);

                        var tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x8));
                        if (tempTime.Year > 1700)
                        {
                            lastLoginTime = tempTime.ToUniversalTime();
                        }

                        tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x18));
                        if (tempTime.Year > 1700)
                        {
                            lastPwChangeTime = tempTime.ToUniversalTime();
                        }

                        tempTime = DateTimeOffset.MinValue;

                        try
                        {
                            tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x20));
                        }
                        catch (Exception)
                        {
                        }

                        if (tempTime.Year > 1700)
                        {
                            acctExpiresTime = tempTime.ToUniversalTime();
                        }

                        tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x28));
                        if (tempTime.Year > 1700)
                        {
                            lastIncorrectPwTime = tempTime.ToUniversalTime();
                        }
                    }

                    var vVal = key1.Values.SingleOrDefault(t => t.ValueName == "V");

                    var offToName = BitConverter.ToInt32(vVal.ValueDataRaw, 0xc) + 0xCC;
                    var nameLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0xc + 4);
                    var name1 = Encoding.Unicode.GetString(vVal.ValueDataRaw, offToName, nameLen);

                    var offToFull = BitConverter.ToInt32(vVal.ValueDataRaw, 0x18) + 0xCC;
                    var fullLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0x18 + 4);
                    var full1 = Encoding.Unicode.GetString(vVal.ValueDataRaw, offToFull, fullLen);

                    var offToComment = BitConverter.ToInt32(vVal.ValueDataRaw, 0x24) + 0xCC;
                    var commentLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0x24 + 4);
                    var comment = Encoding.Unicode.GetString(vVal.ValueDataRaw, offToComment, commentLen);

                    var offToUserComment = BitConverter.ToInt32(vVal.ValueDataRaw, 0x30) + 0xCC;
                    var userCommentLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0x30 + 4);
                    var userComment = Encoding.Unicode.GetString(vVal.ValueDataRaw, offToUserComment, userCommentLen);

                    var offHomeDir = BitConverter.ToInt32(vVal.ValueDataRaw, 0x48) + 0xCC;
                    var homeDirLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0x48 + 4);
                    var homeDir = Encoding.Unicode.GetString(vVal.ValueDataRaw, offHomeDir, homeDirLen);

                    var createdOn = nameMap[userId];

                    var u = new UserOut(userId, invalidLogins, totalLogins, lastLoginTime, lastPwChangeTime,
                        lastIncorrectPwTime, acctExpiresTime, name1, full1, comment, userComment, homeDir, createdOn);

                    _values.Add(u);
                }
                catch (Exception ex)
                {
                    Errors.Add($"Error processing user account: {ex.Message}");
                }

                if (Errors.Count > 0)
                {
                    AlertMessage = "Errors detected. See Errors information in lower right corner of plugin window";
                }
            }
        }
예제 #2
0
        public void ProcessValues(RegistryKey key)
        {
            _values.Clear();
            Errors.Clear();
            Groups.Clear();

            var namesKey = key.SubKeys.SingleOrDefault(t => t.KeyName == "Names");

            var nameMap = new Dictionary <int, DateTimeOffset>();

            if (namesKey == null)
            {
                return;
            }

            GetGroups(key);

            foreach (var registryKey in namesKey.SubKeys)
            {
                if (registryKey.Values.Count == 0)
                {
                    continue;
                }
                if (nameMap.ContainsKey((int)registryKey.Values.First().VkRecord.DataTypeRaw))
                {
                    continue;
                }
                nameMap.Add((int)registryKey.Values.First().VkRecord.DataTypeRaw, registryKey.LastWriteTime.Value);
            }

            foreach (var key1 in key.SubKeys)
            {
                if (key1.KeyName == "Names")
                {
                    continue;
                }

                try
                {
                    var fVal = key1.Values.SingleOrDefault(t => t.ValueName == "F");

                    var            userId              = 0;
                    var            invalidLogins       = 0;
                    var            totalLogins         = 0;
                    DateTimeOffset?lastLoginTime       = null;
                    DateTimeOffset?lastPwChangeTime    = null;
                    DateTimeOffset?acctExpiresTime     = null;
                    DateTimeOffset?lastIncorrectPwTime = null;
                    var            parsedAccountFlags  = AccountFlags.None;

                    if (fVal != null)
                    {
                        userId        = BitConverter.ToInt32(fVal.ValueDataRaw, 0x30);
                        invalidLogins = BitConverter.ToInt16(fVal.ValueDataRaw, 0x40);
                        totalLogins   = BitConverter.ToInt16(fVal.ValueDataRaw, 0x42);

                        var tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x8));
                        if (tempTime.Year > 1700)
                        {
                            lastLoginTime = tempTime.ToUniversalTime();
                        }

                        tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x18));
                        if (tempTime.Year > 1700)
                        {
                            lastPwChangeTime = tempTime.ToUniversalTime();
                        }

                        tempTime = DateTimeOffset.MinValue;

                        try
                        {
                            tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x20));
                        }
                        catch (Exception)
                        {
                        }

                        if (tempTime.Year > 1700)
                        {
                            acctExpiresTime = tempTime.ToUniversalTime();
                        }

                        tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x28));
                        if (tempTime.Year > 1700)
                        {
                            lastIncorrectPwTime = tempTime.ToUniversalTime();
                        }

                        if (fVal.ValueDataRaw.Length >= 0x38)
                        {
                            parsedAccountFlags = (AccountFlags)BitConverter.ToInt16(fVal.ValueDataRaw, 0x38);
                        }
                    }

                    var vVal = key1.Values.SingleOrDefault(t => t.ValueName == "V");

                    if (vVal != null)
                    {
                        var offToName = BitConverter.ToInt32(vVal.ValueDataRaw, 0xc) + 0xCC;
                        var nameLen   = BitConverter.ToInt32(vVal.ValueDataRaw, 0xc + 4);
                        var name1     = Encoding.Unicode.GetString(vVal.ValueDataRaw, offToName, nameLen);

                        var offToFull = BitConverter.ToInt32(vVal.ValueDataRaw, 0x18) + 0xCC;
                        var fullLen   = BitConverter.ToInt32(vVal.ValueDataRaw, 0x18 + 4);
                        var full1     = Encoding.Unicode.GetString(vVal.ValueDataRaw, offToFull, fullLen);

                        var offToComment = BitConverter.ToInt32(vVal.ValueDataRaw, 0x24) + 0xCC;
                        var commentLen   = BitConverter.ToInt32(vVal.ValueDataRaw, 0x24 + 4);
                        var comment      = Encoding.Unicode.GetString(vVal.ValueDataRaw, offToComment, commentLen);

                        var offToUserComment = BitConverter.ToInt32(vVal.ValueDataRaw, 0x30) + 0xCC;
                        var userCommentLen   = BitConverter.ToInt32(vVal.ValueDataRaw, 0x30 + 4);
                        var userComment      =
                            Encoding.Unicode.GetString(vVal.ValueDataRaw, offToUserComment, userCommentLen);

                        var offHomeDir = BitConverter.ToInt32(vVal.ValueDataRaw, 0x48) + 0xCC;
                        var homeDirLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0x48 + 4);
                        var homeDir    = Encoding.Unicode.GetString(vVal.ValueDataRaw, offHomeDir, homeDirLen);

                        var createdOn = nameMap[userId];

                        var groups = GetGroupsForUser(userId);

                        var hint = string.Empty;

                        var hintVal = key1.Values.SingleOrDefault(t => t.ValueName == "UserPasswordHint");

                        if (hintVal != null)
                        {
                            hint = Encoding.Unicode.GetString(hintVal.ValueDataRaw);
                        }


                        var u = new UserOut(userId, invalidLogins, totalLogins, lastLoginTime, lastPwChangeTime,
                                            lastIncorrectPwTime, acctExpiresTime, name1, full1, comment, userComment, homeDir,
                                            createdOn, groups, hint, parsedAccountFlags);

                        u.BatchValueName = vVal.ValueName;
                        u.BatchKeyPath   = key1.KeyPath;

                        _values.Add(u);
                    }
                }
                catch (Exception ex)
                {
                    Errors.Add($"Error processing user account: {ex.Message}");
                }

                if (Errors.Count > 0)
                {
                    AlertMessage = "Errors detected. See Errors information in lower right corner of plugin window";
                }
            }
        }