Changeset 170 for trunk

Timestamp:

03/05/10 23:40:25 (15 years ago)

Author:

tim

Message:

merged Tobias Mueller's patch with some changes
updated version number

Location:

trunk

Files:

• bin/reglookup-timeline (modified) (4 diffs)
• doc/reglookup.1.docbook (modified) (2 diffs)
• src/common.c (modified) (1 diff)
• src/reglookup.c (modified) (6 diffs)

trunk/bin/reglookup-timeline

@@ -5 +5 @@
 # timelines for investigations.
 #
-# Copyright (C) 2005-2007 Timothy D. Morgan
+# Copyright (C) 2005-2007,2010 Timothy D. Morgan
 #
 # This program is free software; you can redistribute it and/or modify
@@ -25 +25 @@
 usage()
 {
-  echo "Usage: $0 [-H] <REGISTRY_FILE> [<REGISTRY_FILE> ...]" 1>&2
+  echo "Usage: $0 [-H] [-V] <REGISTRY_FILE> [<REGISTRY_FILE> ...]" 1>&2
   echo "   -H  Omit header line" 1>&2
+  echo "   -V  Include values with parent timestamps" 1>&2
 }
 
@@ -41 +42 @@
 fi
 
+OPTS='-t KEY'
+if [ "$1" = "-V" ]; then
+  OPTS='-i'
+  shift
+fi
+
 if [ "$PRINT_HEADER" = "true" ]; then
   echo "MTIME,FILE,PATH"
@@ -46 +53 @@
 
 for F in $@; do
-  reglookup -t KEY -H "$F" | awk -F',' '{ printf "%s,'"$F"',%s\n",$4,$1; }'
+  reglookup $OPTS -H "$F" | awk -F',' '{ printf "%s,'"$F"',%s\n",$4,$1; }'
 done | sort

trunk/doc/reglookup.1.docbook

@@ -1 @@
-<?xml version="1.0" encoding="UTF-8"?>
+???<?xml version="1.0" encoding="UTF-8"?>
 <refentry id='reglookup.1'>
   <!--  $Id$ -->
@@ -82 +82 @@
           <para>
             Enables the printing of a column header row. (default)
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+    
+    <variablelist remap='IP'>
+      <varlistentry>
+        <term>
+          <option>-i</option>
+        </term>
+        <listitem>
+          <para>
+            Printed values inherit the timestamp of their parent key, which is
+            printed along with them.  Note that this timestamp is not
+            necessarily meaningful for any given value values because timestamps
+            are saved on keys only and you cannot tell which value has been
+            modified since a change to any value of a given key would update the
+            time stamp.
           </para>
         </listitem>

trunk/src/common.c

@@ -29 +29 @@
 const char* common_special_chars = ",\"\\";
 
-#define REGLOOKUP_VERSION "0.11.0"
+#define REGLOOKUP_VERSION "0.12.0"
 
 #define REGLOOKUP_EXIT_OK       0

trunk/src/reglookup.c

@@ -2 +2 @@
  * A utility to read a Windows NT and later registry files.
  *
- * Copyright (C) 2005-2009 Timothy D. Morgan
+ * Copyright (C) 2005-2010 Timothy D. Morgan
+ * Copyright (C) 2010 Tobias Mueller (portions of '-i' code)
  * Copyright (C) 2002 Richard Sharpe, rsharpe@richardsharpe.com
  *
@@ -31 +32 @@
 
 /* Globals, influenced by command line parameters */
+bool print_value_mtime = false;
 bool print_verbose = false;
 bool print_security = false;
@@ -57 +59 @@
   char* conv_error = NULL;
   const char* str_type = NULL;
+  char mtime[20];
+  time_t tmp_time[1];
+  struct tm* tmp_time_s = NULL;
 
   if(vk->valuename == NULL)
@@ -97 +102 @@
   }
 
+  if(print_value_mtime)
+  {
+    *tmp_time = regfi_nt2unix_time(&iter->cur_key->mtime);
+    tmp_time_s = gmtime(tmp_time);
+    strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s);
+  }
+  else
+    mtime[0] = '\0';
+
   str_type = regfi_type_val2str(vk->type);
   if(print_security)
   {
     if(str_type == NULL)
-      printf("%s/%s,0x%.8X,%s,,,,,\n", prefix, quoted_name,
-             vk->type, quoted_value);
-    else
-      printf("%s/%s,%s,%s,,,,,\n", prefix, quoted_name,
-             str_type, quoted_value);
+      printf("%s/%s,0x%.8X,%s,%s,,,,\n", prefix, quoted_name,
+             vk->type, quoted_value, mtime);
+    else
+      printf("%s/%s,%s,%s,%s,,,,\n", prefix, quoted_name,
+             str_type, quoted_value, mtime);
   }
   else
   {
     if(str_type == NULL)
-      printf("%s/%s,0x%.8X,%s,\n", prefix, quoted_name,
-             vk->type, quoted_value);
-    else
-      printf("%s/%s,%s,%s,\n", prefix, quoted_name,
-             str_type, quoted_value);
+      printf("%s/%s,0x%.8X,%s,%s\n", prefix, quoted_name,
+             vk->type, quoted_value, mtime);
+    else
+      printf("%s/%s,%s,%s,%s\n", prefix, quoted_name,
+             str_type, quoted_value, mtime);
   }
 
@@ -548 +562 @@
   fprintf(stderr, "\t-p\t restrict output to elements below this path.\n");
   fprintf(stderr, "\t-t\t restrict results to this specific data type.\n");
+  fprintf(stderr, "\t-i\t includes parent key modification times with child values.\n");
   fprintf(stderr, "\n");
 }
@@ -605 +620 @@
     else if (strcmp("-v", argv[argi]) == 0)
       print_verbose = true;
+    else if (strcmp("-i", argv[argi]) == 0)
+      print_value_mtime = true;
     else
     {