/// <summary>
/// Wraps an existing <see cref="RegistryHive"/> as a SAM hive.
/// </summary>
/// <param name="hive">The hive instance stored in <c>_hive</c>.</param>
public SAMHive(RegistryHive hive)
{
    // Assigned before the copies below; presumably the members read there
    // consult _hive, so the order matters (TODO confirm against the class body).
    _hive = hive;

    // NOTE(review): each line copies this instance's member into the base
    // member of the same name. Unless SAMHive hides these members and forwards
    // them to _hive, these are self-assignments and the base state stays at its
    // defaults. Confirm against the class declaration.
    base.Filepath = Filepath;
    base.RootKey = RootKey;
    base.WasExported = WasExported;
}
/// <summary>
/// Opens <paramref name="filename"/> as a registry hive and returns the most
/// specific wrapper for it, chosen by the names of the root key's children.
/// </summary>
/// <remarks>
/// The first child whose name matches decides the type:
/// "Select" gives SYSTEMHive, "SAM" gives SAMHive, "Microsoft" gives
/// SOFTWAREHive and "Policy" gives SECURITYHive. Anything else yields a
/// GenericHive.
/// The initial <c>new RegistryHive(filename)</c> runs outside the try block, so
/// an exception from it reaches the caller.
/// NOTE(review): any exception raised while walking the children or building a
/// typed wrapper is swallowed and reported as a GenericHive. A caller cannot
/// tell a damaged or hostile hive from one that is merely of an unknown type;
/// consider logging the exception if that distinction matters.
/// </remarks>
/// <param name="filename">Path of the hive file to open.</param>
/// <returns>A typed hive wrapper, or a GenericHive as the fallback.</returns>
public static RegistryHive GetTypedHive(string filename)
{
    RegistryHive parsed = new RegistryHive(filename);

    try
    {
        foreach (NodeKey child in parsed.RootKey.ChildNodes)
        {
            if (child.Name == "Select")
            {
                return new SYSTEMHive(parsed);
            }

            if (child.Name == "SAM")
            {
                return new SAMHive(parsed);
            }

            if (child.Name == "Microsoft")
            {
                return new SOFTWAREHive(parsed);
            }

            if (child.Name == "Policy")
            {
                return new SECURITYHive(parsed);
            }
        }
    }
    catch
    {
        // Best-effort classification: any failure falls back to the generic wrapper.
        return new GenericHive(parsed);
    }

    // No child name matched.
    return new GenericHive(parsed);
}
/// <summary>
/// Builds a top-level 1024x768 window that shows the keys of
/// <paramref name="hive"/> in a tree view.
/// </summary>
/// <remarks>
/// The tree store has two columns: the key name (string) and an object column
/// that receives the root key itself for the root row. Only the string column
/// is bound to a cell renderer. Row activation is routed to HandleRowActivated.
/// </remarks>
/// <param name="hive">Parsed hive whose root key seeds the tree.</param>
public RegistryReader(RegistryHive hive) : base(Gtk.WindowType.Toplevel)
{
    this.Build();
    this.SetSizeRequest(1024, 768);

    // Layout: a homogeneous VBox holding one scrolled tree view.
    VBox layout = new VBox(true, 5);
    ScrolledWindow scroller = new ScrolledWindow();
    _tv = new TreeView();
    scroller.Add(_tv);
    layout.Add(scroller);

    // Visible column with the key names.
    TreeViewColumn keyColumn = new TreeViewColumn();
    keyColumn.Title = "Registry Keys";
    CellRendererText keyRenderer = new CellRendererText();
    keyColumn.PackStart(keyRenderer, true);

    // Column without a renderer, appended ahead of the key column.
    TreeViewColumn objectColumn = new TreeViewColumn();
    _tv.AppendColumn(objectColumn);
    _tv.AppendColumn(keyColumn);

    // Bind the renderer's text to store column 0 (the key name).
    keyColumn.AddAttribute(keyRenderer, "text", 0);

    _store = new TreeStore(typeof(string), typeof(object));
    _root = _store.AppendValues(hive.RootKey.Name, hive.RootKey);
    AddChildrenToView(hive.RootKey, _store, _root);

    _tv.Model = _store;
    _tv.RowActivated += HandleRowActivated;

    this.Add(layout);
    this.ShowAll();
}
/// <summary>
/// Opens a SAM hive from disk: <paramref name="filename"/> is passed to the
/// base constructor and <c>_hive</c> is pointed at this instance.
/// </summary>
/// <param name="filename">Path of the hive file.</param>
public SAMHive(string filename)
    : base(filename)
{
    // The instance is its own backing hive when constructed from a file.
    _hive = this;
}
/// <summary>
/// Opens a SOFTWARE hive from disk: <paramref name="filename"/> is passed to
/// the base constructor and <c>_hive</c> is pointed at this instance.
/// </summary>
/// <param name="filename">Path of the hive file.</param>
public SOFTWAREHive(string filename)
    : base(filename)
{
    // The instance is its own backing hive when constructed from a file.
    _hive = this;
}
/// <summary>
/// Opens a hive of no recognised type from disk: <paramref name="filename"/> is
/// passed to the base constructor and <c>_hive</c> is pointed at this instance.
/// </summary>
/// <param name="filename">Path of the hive file.</param>
public GenericHive(string filename)
    : base(filename)
{
    // The instance is its own backing hive when constructed from a file.
    _hive = this;
}
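/// <summary>
/// Returns true when <paramref name="data"/> contains the ASCII characters of
/// <paramref name="magic"/> starting at <paramref name="offset"/>. A buffer that
/// is too short to hold the signature never matches.
/// </summary>
private static bool HeaderHasMagic(byte[] data, int offset, string magic)
{
    if (data == null || data.Length < offset + magic.Length)
    {
        return false;
    }

    for (int i = 0; i < magic.Length; i++)
    {
        if (data[offset + i] != magic[i])
        {
            return false;
        }
    }

    return true;
}

/// <summary>
/// Lets the user pick a file, identifies it by its leading signature bytes and
/// adds a tree view for it to <c>_vbox</c>.
/// </summary>
/// <remarks>
/// Recognised signatures: "regf" at offset 0 (registry hive), "LfLe" at
/// offset 4 (legacy event log) and "ElfFile" at offset 0 (parsed through
/// EventLog but not displayed). Anything else throws.
/// The chosen file is untrusted input. The signature check only selects a
/// parser and validates nothing beyond those bytes, so RegistryHive,
/// LegacyEventLog and EventLog must bounds-check the rest of the file.
/// The header is read with a length check because
/// <c>BinaryReader.ReadBytes</c> returns fewer bytes than requested for a
/// short file; indexing the buffer blindly would raise
/// IndexOutOfRangeException on an empty or truncated file.
/// </remarks>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event arguments (unused).</param>
/// <exception cref="Exception">The file matches no supported signature.</exception>
void OpenFile(object sender, EventArgs e)
{
    FileChooserDialog fc = new FileChooserDialog(
        "Choose the registry hive or event log to open",
        this,
        FileChooserAction.Open,
        "Cancel", ResponseType.Cancel,
        "Open", ResponseType.Accept);

    try
    {
        if (fc.Run() == (int)ResponseType.Accept)
        {
            string file = fc.Filename;
            Console.WriteLine("Reading: " + file);

            // Only the header is needed here; release the handle before the
            // parsers open the file themselves.
            byte[] h;
            using (FileStream stream = File.OpenRead(file))
            using (BinaryReader reader = new BinaryReader(stream))
            {
                h = reader.ReadBytes(10);
            }

            if (HeaderHasMagic(h, 0, "regf"))
            {
                RegistryHive hive = new RegistryHive(file);

                TreeView tv = new TreeView();
                _vbox.Add(tv);

                TreeViewColumn paths = new TreeViewColumn();
                paths.Title = "Registry Keys";
                CellRendererText keyCell = new CellRendererText();
                paths.PackStart(keyCell, true);

                TreeViewColumn values = new TreeViewColumn();
                values.Title = "Registry Values";
                CellRendererText valuesCell = new CellRendererText();
                values.PackStart(valuesCell, true);

                tv.AppendColumn(paths);
                tv.AppendColumn(values);

                paths.AddAttribute(keyCell, "text", 0);
                values.AddAttribute(valuesCell, "text", 1);

                TreeStore store = new TreeStore(typeof(string), typeof(string));
                TreeIter root = store.AppendValues(hive.RootKey.Name);
                AddChildrenToView(hive.RootKey, store, root);

                tv.Model = store;
            }
            else if (HeaderHasMagic(h, 4, "LfLe"))
            {
                LegacyEventLog log = new LegacyEventLog(file);

                TreeView tv = new TreeView();
                _vbox.Add(tv);

                CellRendererText twText = new CellRendererText();
                TreeViewColumn timeWritten = new TreeViewColumn();
                timeWritten.Title = "Time Written";
                timeWritten.PackStart(twText, true);
                timeWritten.AddAttribute(twText, "text", 0);

                CellRendererText tgText = new CellRendererText();
                TreeViewColumn timeGenerated = new TreeViewColumn();
                timeGenerated.Title = "Time Generated";
                timeGenerated.PackStart(tgText, true);
                timeGenerated.AddAttribute(tgText, "text", 1);

                CellRendererText snText = new CellRendererText();
                TreeViewColumn sourceName = new TreeViewColumn();
                sourceName.Title = "Source Name";
                sourceName.PackStart(snText, true);
                sourceName.AddAttribute(snText, "text", 2);

                CellRendererText cnText = new CellRendererText();
                TreeViewColumn computerName = new TreeViewColumn();
                computerName.Title = "Computer Name";
                computerName.PackStart(cnText, true);
                computerName.AddAttribute(cnText, "text", 3);

                CellRendererText sText = new CellRendererText();
                TreeViewColumn strings = new TreeViewColumn();
                strings.Title = "Strings";
                strings.PackStart(sText, true);
                strings.AddAttribute(sText, "text", 4);

                tv.AppendColumn(timeWritten);
                tv.AppendColumn(timeGenerated);
                tv.AppendColumn(sourceName);
                tv.AppendColumn(computerName);
                tv.AppendColumn(strings);

                TreeStore store = new TreeStore(
                    typeof(string), typeof(string), typeof(string), typeof(string), typeof(string));

                foreach (LegacyLogItem item in log.Items)
                {
                    store.AppendValues(
                        item.TimeWritten.ToString(),
                        item.TimeGenerated.ToString(),
                        item.SourceName,
                        item.ComputerName,
                        item.Strings);
                }

                tv.Model = store;
            }
            else if (HeaderHasMagic(h, 0, "ElfFile"))
            {
                // The log is parsed but nothing is added to the window yet.
                EventLog log = new EventLog(file);
            }
            else
            {
                // Also reached for empty or truncated files.
                throw new Exception("Unsupported Format.");
            }

            this.ShowAll();
        }
    }
    finally
    {
        // Destroy the dialog even when a parser or the format check throws.
        fc.Destroy();
    }
}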
/// <summary>
/// Opens a SECURITY hive from disk: <paramref name="filename"/> is passed to
/// the base constructor and <c>_hive</c> is pointed at this instance.
/// </summary>
/// <param name="filename">Path of the hive file.</param>
public SECURITYHive(string filename)
    : base(filename)
{
    // The instance is its own backing hive when constructed from a file.
    _hive = this;
}