Changeset 980
- Timestamp:
- 11/07/07 12:52:13 (1 year ago)
- Files:
-
- honeyclient/branches/exp/xeno-realtime_integrity/Capture2/capture-client-xeno-mod/RegistryMonitor.cpp (modified) (5 diffs)
- honeyclient/branches/exp/xeno-realtime_integrity/Capture2/capture-client-xeno-mod/install/CaptureBAT.exe (modified) (previous)
- honeyclient/branches/exp/xeno-realtime_integrity/Capture2/capture-client-xeno-mod/install/CaptureFileMonitor.sys (modified) (previous)
- honeyclient/branches/exp/xeno-realtime_integrity/Capture2/capture-client-xeno-mod/install/CaptureProcessMonitor.sys (modified) (previous)
- honeyclient/branches/exp/xeno-realtime_integrity/Capture2/capture-client-xeno-mod/install/CaptureRegistryMonitor.sys (modified) (previous)
honeyclient/branches/exp/xeno-realtime_integrity/Capture2/capture-client-xeno-mod/RegistryMonitor.cpp
r881 r980 263 263 convertTimefieldsToString(e->time, szTempTime, 256); 264 264 wstring time = szTempTime; 265 266 265 //Handle all the post-processing to format the data 267 266 wchar_t szTemp[256]; … … 270 269 vector<wstring> extraData; 271 270 extraData.push_back(processIdString); 272 extraData.push_back(e->valueName); 273 271 if(e->valueNameLength > 0){ 272 extraData.push_back(e->valueName); 273 } 274 else{ 275 extraData.push_back(L""); 276 } 274 277 275 278 //MS description of data types: … … 282 285 case REG_SZ: 283 286 extraData.push_back(L"REG_SZ"); 284 extraData.push_back((wchar_t *)registryData); 285 break; 287 if(registryData != NULL){ 288 extraData.push_back((wchar_t *)registryData); 289 } 290 else{ 291 extraData.push_back(L""); 292 } 293 break; 286 294 case REG_EXPAND_SZ: 287 295 extraData.push_back(L"REG_EXPAND_SZ"); 288 extraData.push_back((wchar_t *)registryData); 296 if(registryData != NULL){ 297 extraData.push_back((wchar_t *)registryData); 298 } 299 else{ 300 extraData.push_back(L""); 301 } 289 302 break; 290 303 case REG_BINARY: 291 304 extraData.push_back(L"REG_BINARY"); 292 for(DWORD n = 0; n < e->dataLengthB; n++){ 293 swprintf(szTemp, L"%x", registryData[n]); 294 other.append(szTemp); 295 } 296 extraData.push_back(other); 305 if(registryData != NULL){ 306 for(DWORD n = 0; n < e->dataLengthB; n++){ 307 swprintf(szTemp, L"%x", registryData[n]); 308 other.append(szTemp); 309 } 310 extraData.push_back(other); 311 } 312 else{ 313 extraData.push_back(L""); 314 } 297 315 break; 298 316 case REG_DWORD: 299 317 extraData.push_back(L"REG_DWORD"); 300 swprintf_s(szTemp, 256, L"%lx", ((DWORD *)registryData)[0]); 301 extraData.push_back(szTemp); 318 if(registryData != NULL){ 319 swprintf_s(szTemp, 256, L"%lx", ((DWORD *)registryData)[0]); 320 extraData.push_back(szTemp); 321 } 322 else{ 323 extraData.push_back(L""); 324 } 302 325 break; 303 326 //TODO: Untested 304 327 case REG_DWORD_BIG_ENDIAN: 305 328 extraData.push_back(L"REG_DWORD_BIG_ENDIAN"); 306 
swprintf_s(szTemp, 256, L"%x%x%x%x", registryData[0],registryData[1],registryData[2],registryData[3]); 307 extraData.push_back(szTemp); 329 if(registryData != NULL){ 330 swprintf_s(szTemp, 256, L"%x%x%x%x", registryData[0],registryData[1],registryData[2],registryData[3]); 331 extraData.push_back(szTemp); 332 } 333 else{ 334 extraData.push_back(L""); 335 } 308 336 break; 309 337 //From MS: "A Unicode string naming a symbolic link." … … 311 339 case REG_LINK: 312 340 extraData.push_back(L"REG_LINK"); 313 extraData.push_back((wchar_t *)registryData); 341 if(registryData != NULL){ 342 extraData.push_back((wchar_t *)registryData); 343 } 344 else{ 345 extraData.push_back(L""); 346 } 314 347 break; 315 348 //TODO: regedit won't let me make a string,empty string, string, but that … … 318 351 case REG_MULTI_SZ: 319 352 extraData.push_back(L"REG_MULTI_SZ"); 320 while(((wchar_t *)registryData)[0] != '\0' ){ 321 other.append((wchar_t *)registryData); 322 other.append(L"-|-"); 323 tmp_len = wcsnlen((wchar_t *)registryData, 512); //This doesn't count the null char in the length 324 registryData = (BYTE *)((wchar_t *)registryData + (tmp_len + 1)); 325 } 326 extraData.push_back(other); 353 if(registryData != NULL){ 354 while(((wchar_t *)registryData)[0] != '\0' ){ 355 other.append((wchar_t *)registryData); 356 other.append(L"-|-"); 357 tmp_len = wcsnlen((wchar_t *)registryData, 512); //This doesn't count the null char in the length 358 registryData = (BYTE *)((wchar_t *)registryData + (tmp_len + 1)); 359 } 360 extraData.push_back(other); 361 } 362 else{ 363 extraData.push_back(L""); 364 } 327 365 break; 328 366 //TODO: Untested, "A series of nested arrays..." 329 367 case REG_RESOURCE_LIST: 330 368 extraData.push_back(L"REG_RESOURCE_LIST"); 331 extraData.push_back(L"FILL IN"); 369 if(registryData != NULL){ 370 extraData.push_back(L"FILL IN"); 371 } 372 else{ 373 extraData.push_back(L""); 374 } 332 375 break; 333 376 //TODO: Untested, "A series of nested arrays..." 
334 377 case REG_FULL_RESOURCE_DESCRIPTOR: 335 378 extraData.push_back(L"REG_FULL_RESOURCE_DESCRIPTOR"); 336 extraData.push_back(L"FILL IN"); 379 if(registryData != NULL){ 380 extraData.push_back(L"FILL IN"); 381 } 382 else{ 383 extraData.push_back(L""); 384 } 337 385 break; 338 386 //TODO: Untested, "A series of nested arrays..." 339 387 case REG_RESOURCE_REQUIREMENTS_LIST: 340 388 extraData.push_back(L"REG_RESOURCE_REQUIREMENTS_LIST"); 341 extraData.push_back(L"FILL IN"); 389 if(registryData != NULL){ 390 extraData.push_back(L"FILL IN"); 391 } 392 else{ 393 extraData.push_back(L""); 394 } 342 395 break; 343 396 case REG_QWORD_LITTLE_ENDIAN: 344 397 extraData.push_back(L"REG_QWORD"); 345 swprintf_s(szTemp, 256, L"%lx%lx", ((DWORD *)registryData)[0],((DWORD *)registryData)[1]); 346 extraData.push_back(szTemp); 398 if(registryData != NULL){ 399 swprintf_s(szTemp, 256, L"%lx%lx", ((DWORD *)registryData)[0],((DWORD *)registryData)[1]); 400 extraData.push_back(szTemp); 401 } 402 else{ 403 extraData.push_back(L""); 404 } 347 405 break; 348 406 default: 349 407 extraData.push_back(L"UNKNOWN TYPE!"); 350 swprintf_s(szTemp, 256, L"%ld", e->dataType); 351 extraData.push_back(szTemp); 408 if(registryData != NULL){ 409 swprintf_s(szTemp, 256, L"%ld", e->dataType); 410 extraData.push_back(szTemp); 411 } 412 else{ 413 extraData.push_back(L""); 414 } 352 415 break; 353 416 }
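Review bot: The new null checks in the REG_SZ, REG_EXPAND_SZ and REG_LINK arms (new lines 287–292, 296–301, 341–346) still hand `(wchar_t *)registryData` to `push_back` with no length bound, so a value stored without a terminating NUL (the registry does not guarantee one) is read past the end of the buffer; `e->dataLengthB` is already used as a byte count by the REG_BINARY loop, so these arms should build the string as `extraData.push_back(wstring((wchar_t *)registryData, e->dataLengthB / sizeof(wchar_t)));` and trim trailing NULs, and the REG_MULTI_SZ walk at 354–359 should stop at `registryData + e->dataLengthB` instead of relying on the per-string 512-character `wcsnlen` cap alone. The fixed-width arms have the same gap: REG_DWORD, REG_DWORD_BIG_ENDIAN and REG_QWORD dereference four or eight bytes without first checking that `e->dataLengthB` is at least that large. In the `default:` arm (new 408–414) the guard cuts the other way: `e->dataType` does not depend on `registryData`, so the type number is now dropped for a null-data event, and that `swprintf_s` should run unconditionally. A smaller fidelity point in the REG_BINARY loop at 307: `L"%x"` emits a single hex digit for bytes below 0x10, which makes the concatenated dump ambiguous, so `L"%02x"` is the correct format. The enclosing function starts before and ends after this section.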
