COMatePLUS version 1.2

Re: COMatePLUS version 1.1

Post by SFSxOI »

srod wrote: Must admit that I am unsure why you would need to use COM automation just to retrieve values from the registry as you can do all of this without this kind of overhead?
Yes, you are absolutely correct. I needed it for a very specific project for work for testing, verifying, and proving capability, of 'back door' activities of certain methods used in a hacking case. It's a case that's going to court and one of the defenses is that it was impossible for the person to have used any method to gather information from the system without any alarms being triggered by protection software and therefore could not have committed the crime. The protection software producer company claims their product would have detected any method, and the defense is basing part of its case on the claim from the protection software producer company. It turns out that it can be done thru WMI without triggering a warning or alarm, or logging, from the particular protection software in use.
Last edited by SFSxOI on Thu Jan 14, 2010 7:39 pm, edited 2 times in total.
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.

Re: COMatePLUS version 1.1

Post by srod »

SFSxOI wrote:
srod wrote: Must admit that I am unsure why you would need to use COM automation just to retrieve values from the registry as you can do all of this without this kind of overhead?
Yes, you are absolutely correct. I needed it for a very specific project for work for testing, verifying, and proving capability, of 'back door' activities of certain methods used in a hacking case. It's a case that's going to court and one of the defenses is that it was impossible for the person to have used any method to gather information from the system without any alarms being triggered by protection software and therefore could not have committed the crime. It turns out that it can be done thru WMI without triggering a warning or alarm of the particular protection software in use.
So this person is busted then! :D

COMate aka forensics tool! :wink:
I may look like a mule, but I'm not a complete ass.

Re: COMatePLUS version 1.1

Post by SFSxOI »

Yep, busted :)

All we needed to be able to do (contracted by a law enforcement agency) was prove that it was possible and thus introduce reasonable doubt in the defense claim.
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.

Re: COMatePLUS version 1.1

Post by srod »

lol, that has made my day that has! :lol:
I may look like a mule, but I'm not a complete ass.

Re: COMatePLUS version 1.1

Post by KIKI »

srod wrote:

Code: Select all

IncludePath "..\"
XIncludeFile "COMatePLUS.pbi"

Define.COMateObject oReg

HKEY_CURRENT_USER = $80000001
strComputer.s = "."
strKeyPath.s = "Identities"
strValueName.s = "Last Username"

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")

oReg\Invoke("GetStringValue(" + Str(HKEY_CURRENT_USER) + ", '" + strKeyPath + "', '" + strValueName + "', " + Str(@dwValue) + " BYREF)")

Debug PeekS(dwValue, -1, #PB_Unicode)

SysFreeString_(dwValue)

oReg\Release()

Error on Windows XP pack 3 French and PB 4.40
strComputer.s = "."
strKeyPath.s = "Console"
strValueName.s = "ColorTable00"
Read error memory on PeekS 2147749893

Re: COMatePLUS version 1.1

Post by SFSxOI »

KIKI,

Code: Select all

Define.COMateObject oReg

strComputer.s = "."
HKEY_CURRENT_USER = $80000001
strKeyPath.s = "Console"
strValueName.s = "ColorTable00"

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  oReg\Invoke("GetDWORDValue(" + Str(HKEY_CURRENT_USER) + ", '" + strKeyPath + "', '" + strValueName + "', " + Str(@dwValue) + " BYREF)")
Debug dwValue
oReg\Release()

or, in a procedure:

Code: Select all

Procedure.s GetDWORDValue(hkey.i, strKeyPath.s, strValueName.s)    
Define.COMateObject oReg
strComputer.s = "."

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  oReg\Invoke("GetDWORDValue(" + Str(hkey) + ", '" + strKeyPath + "', '" + strValueName + "', " + Str(@dwValue) + " BYREF)")
    dw_dword_value$ = Str(dwValue)
oReg\Release()

ProcedureReturn dw_dword_value$

EndProcedure

HKEY_CURRENT_USER = $80000001
Debug GetDWORDValue(HKEY_CURRENT_USER, "Console", "ColorTable00")
"ColorTable00" is a DWORD value not a REG_SZ, only string values get the PeekS treatment

and for REG_SZ,

Code: Select all

Procedure.s GetStringValuex(hkey.i, strKeyPath.s, strValueName.s)
Define.COMateObject oReg
strComputer.s = "."

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  oReg\Invoke("GetStringValue(" + Str(hkey) + ", '" + strKeyPath + "', '" + strValueName + "', " + Str(@dwValue) + " BYREF)")
    sValue$ = PeekS(dwValue, -1, #PB_Unicode)
  SysFreeString_(dwValue)
oReg\Release()

ProcedureReturn sValue$

EndProcedure

and in case anyone wants them, here are some from testing I was doing. Have not checked them all yet, only used the GetStringValue and GetDWORDValue so far, did not need the rest really but put them together just in case:

Code: Select all

#HKEY_CLASSES_ROOT = $80000000
#HKEY_CURRENT_USER = $80000001
#HKEY_LOCAL_MACHINE = $80000002
#HKEY_USERS = $80000003
#HKEY_CURRENT_CONFIG = $80000005

#KEY_QUERY_VALUE = 1
#KEY_SET_VALUE = 2
#KEY_CREATE_SUB_KEY = 4
#KEY_ENUMERATE_SUB_KEYS = 8
#KEY_NOTIFY = 16
#KEY_CREATE = 32
#DELETE = 65536
#READ_CONTROL = 131072
#WRITE_DAC = 262144
#WRITE_OWNER = 524288
#REG_ALL_Permissions = #READ_CONTROL | #KEY_SET_VALUE | #KEY_CREATE_SUB_KEY | #KEY_CREATE | #DELETE | #WRITE_DAC | #WRITE_OWNER

; gets REG_SZ
Procedure.s GetStringValue(hkey.i, strKeyPath.s, strValueName.s)

Define.COMateObject oReg
strComputer.s = "."

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  oReg\Invoke("GetStringValue(" + Str(hkey) + ", '" + strKeyPath + "', '" + strValueName + "', " + Str(@dwValue) + " BYREF)")
    sValue$ = PeekS(dwValue, -1, #PB_Unicode)
  SysFreeString_(dwValue)
oReg\Release()

ProcedureReturn sValue$

EndProcedure

; gets REG_EXPAND_SZ
Procedure.s GetExpandedStringValue(hkey.i, strKeyPath.s, strValueName.s)

Define.COMateObject oReg
strComputer.s = "."

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  oReg\Invoke("GetExpandedStringValue(" + Str(hkey) + ", '" + strKeyPath + "', '" + strValueName + "', " + Str(@dwValue) + " BYREF)")
    sValue$ = PeekS(dwValue, -1, #PB_Unicode)
  SysFreeString_(dwValue)
oReg\Release()

ProcedureReturn sValue$

EndProcedure

; gets REG_MULTI_SZ
; note: StdRegProv.GetMultiStringValue returns sValue as an array of strings rather than one BSTR
Procedure.s GetMultiStringValue(hkey.i, strKeyPath.s, strValueName.s)

Define.COMateObject oReg
strComputer.s = "."

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  oReg\Invoke("GetMultiStringValue(" + Str(hkey) + ", '" + strKeyPath + "', '" + strValueName + "', " + Str(@dwValue) + " BYREF)")
    sValue$ = PeekS(dwValue, -1, #PB_Unicode)
  SysFreeString_(dwValue)
oReg\Release()

ProcedureReturn sValue$

EndProcedure

; gets REG_DWORD
Procedure.s GetDWORDValue(hkey.i, strKeyPath.s, strValueName.s)    
Define.COMateObject oReg
strComputer.s = "."

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  oReg\Invoke("GetDWORDValue(" + Str(hkey) + ", '" + strKeyPath + "', '" + strValueName + "', " + Str(@dwValue) + " BYREF)")
    dw_dword_value$ = Str(dwValue)
oReg\Release()

ProcedureReturn dw_dword_value$

EndProcedure

; gets REG_QWORD
; note: StdRegProv.GetQWORDValue returns uValue as a 64-bit integer rather than a BSTR
Procedure.s GetQWORDValue(hkey.i, strKeyPath.s, strValueName.s)

Define.COMateObject oReg
strComputer.s = "."

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  oReg\Invoke("GetQWORDValue(" + Str(hkey) + ", '" + strKeyPath + "', '" + strValueName + "', " + Str(@dwValue) + " BYREF)")
    sValue$ = PeekS(dwValue, -1, #PB_Unicode)
  SysFreeString_(dwValue)
oReg\Release()

ProcedureReturn sValue$

EndProcedure

Procedure CheckAccess(hkey.i, sSubKeyName.s, lRequired.s)

Define.COMateObject oReg
strComputer.s = "."

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  oReg\Invoke("CheckAccess(" + Str(hkey) + ", '" + sSubKeyName + "', '" + lRequired + "', " + Str(@dwValue) + " BYREF)")
    If dwValue = #VARIANT_TRUE
      dw_dword_value.i = #True
      Else
      dw_dword_value.i = #False
    EndIf
oReg\Release()

ProcedureReturn dw_dword_value

EndProcedure

;Debug CheckAccess(#HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winsat", Str(#REG_ALL_Permissions))

Procedure CreateKey(hkey.i, strKeyPath.s)

Define.COMateObject oReg
strComputer.s = "."

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  Ret.i = oReg\Invoke("CreateKey(" + Str(hkey) + ", '" + strKeyPath + "')")
oReg\Release()

ProcedureReturn Ret

EndProcedure

; KeyPath$ = "Software\MyKey\MySubKey"
; or....
; KeyPath$ = "Software\MyKey"
; Debug CreateKey(#HKEY_LOCAL_MACHINE, KeyPath$)

Procedure DeleteKey(hkey.i, sSubKeyName.s)

Define.COMateObject oReg
strComputer.s = "."

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  Ret.i = oReg\Invoke("DeleteKey(" + Str(hkey) + ", '" + sSubKeyName + "')")
oReg\Release()

ProcedureReturn Ret

EndProcedure
; SubKeyName$ = "Software\MyKey\MySubKey"
; or...
; SubKeyName$ = "Software\MyKey"
; Debug DeleteKey(#HKEY_LOCAL_MACHINE, SubKeyName$)

Procedure DeleteValue(hkey.i, sSubKeyName.s, sValueName.s)

Define.COMateObject oReg
strComputer.s = "."

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  Ret.i = oReg\Invoke("DeleteValue(" + Str(hkey) + ", '" + sSubKeyName + "','" + sValueName + "')")
oReg\Release()

ProcedureReturn Ret

EndProcedure

; Debug DeleteValue(#HKEY_LOCAL_MACHINE, "Software\MyKey\MySubKey", "testvalue")

; creates a DWORD and sets value
; the value is fed to procedure in non-hex
Procedure SetDWORDValue(hkey.i, sSubKeyName.s, sValueName.s, uValue)    
Define.COMateObject oReg
strComputer.s = "."

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  Ret.i = oReg\Invoke("SetDWORDValue(" + Str(hkey) + ", '" + sSubKeyName + "', '" + sValueName + "', '" + Str(uValue) + "')")
oReg\Release()

ProcedureReturn Ret

EndProcedure
; Debug SetDWORDValue(#HKEY_LOCAL_MACHINE, "Software\MyKey\MySubKey", "MyValue", 250)

; creates a QWORD and sets value
Procedure SetQWORDValue(hkey.i, sSubKeyName.s, sValueName.s, uValue.s)    
Define.COMateObject oReg
strComputer.s = "."

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  Ret.i = oReg\Invoke("SetQWORDValue(" + Str(hkey) + ", '" + sSubKeyName + "', '" + sValueName + "', '" + uValue + "')")
oReg\Release()

ProcedureReturn Ret

EndProcedure
; Debug SetQWORDValue(#HKEY_LOCAL_MACHINE, "Software\MyKey\MySubKey", "MyValue", "129069160067291106")

; creates a REG_SZ and sets value
Procedure SetStringValue(hkey.i, sSubKeyName.s, sValueName.s, sValue.s)    
Define.COMateObject oReg
strComputer.s = "."

oReg = COMate_GetObject("winmgmts:\\.\root\default:StdRegProv", "")
  Ret.i = oReg\Invoke("SetStringValue(" + Str(hkey) + ", '" + sSubKeyName + "', '" + sValueName + "', '" + sValue + "')")
oReg\Release()

ProcedureReturn Ret

EndProcedure
;Debug SetStringValue(#HKEY_LOCAL_MACHINE, "Software\MyKey\MySubKey", "MyValue", "This is my value")
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.
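
As SFSxOI's reply points out, the getter has to match the value's registry type; the number in KIKI's report, 2147749893, is 0x80041005, the WMI code WBEM_E_TYPE_MISMATCH. The following is an added example, not code from any poster and written in PowerShell rather than PureBasic: it asks StdRegProv for the value's type with EnumValues and then calls the matching getter. The helper names Invoke-StdRegProv and Get-WmiRegValue are assumptions.

```powershell
# Added example, not from the thread. Helper names are hypothetical.
$HKEY_CURRENT_USER = [uint32]2147483649   # $80000001 in the thread's PureBasic code

# EnumValues type code -> matching StdRegProv getter and the output property holding the data
$Getters = @{
    1  = @{ Method = 'GetStringValue';         Out = 'sValue' }  # REG_SZ
    2  = @{ Method = 'GetExpandedStringValue'; Out = 'sValue' }  # REG_EXPAND_SZ
    3  = @{ Method = 'GetBinaryValue';         Out = 'uValue' }  # REG_BINARY (byte array)
    4  = @{ Method = 'GetDWORDValue';          Out = 'uValue' }  # REG_DWORD
    7  = @{ Method = 'GetMultiStringValue';    Out = 'sValue' }  # REG_MULTI_SZ (string array)
    11 = @{ Method = 'GetQWORDValue';          Out = 'uValue' }  # REG_QWORD (uint64)
}

function Invoke-StdRegProv {
    param([string]$Method, [hashtable]$Arguments)
    Invoke-CimMethod -Namespace 'root/default' -ClassName 'StdRegProv' `
                     -MethodName $Method -Arguments $Arguments
}

function Get-WmiRegValue {
    param([uint32]$Hive, [string]$KeyPath, [string]$ValueName)

    $key  = @{ hDefKey = $Hive; sSubKeyName = $KeyPath }
    $enum = Invoke-StdRegProv -Method 'EnumValues' -Arguments $key
    if ($enum.ReturnValue -ne 0) {
        throw "EnumValues failed on '$KeyPath' (code $($enum.ReturnValue))"
    }

    # sNames is $null when the key holds no values
    $names = $enum.sNames
    if ($null -eq $names) { throw "Key '$KeyPath' has no values" }

    # Registry value names are case-insensitive, so compare with -ieq
    $i = 0..($names.Count - 1) | Where-Object { $names[$_] -ieq $ValueName } |
         Select-Object -First 1
    if ($null -eq $i) { throw "Value '$ValueName' not found under '$KeyPath'" }

    $type   = [int]$enum.Types[$i]
    $getter = $Getters[$type]
    if (-not $getter) { throw "Unsupported registry type $type for '$ValueName'" }

    $result = Invoke-StdRegProv -Method $getter.Method `
                                -Arguments ($key + @{ sValueName = $ValueName })
    if ($result.ReturnValue -ne 0) {
        throw "$($getter.Method) failed (code $($result.ReturnValue))"
    }

    [pscustomobject]@{
        Name   = $ValueName
        Type   = $type
        Method = $getter.Method
        Data   = $result.($getter.Out)
    }
}

# The value from KIKI's post: resolves to GetDWORDValue instead of GetStringValue
Get-WmiRegValue -Hive $HKEY_CURRENT_USER -KeyPath 'Console' -ValueName 'ColorTable00'
```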

Shortcut and reading property

Post by KIKI »

How can I read the property of an lnk shortcut with COMate?
Thanks in advance

Re: COMatePLUS version 1.1

Post by SFSxOI »

KIKI;

I hope this helps. I'm not positive as I haven't tried yet, but I think you can use "Shell.Application".

I did have this laying around to convert later, but it might help you get started now. This sample changes the target of a shortcut.

Code: Select all

Const ALL_USERS_DESKTOP = &H19&

Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace(ALL_USERS_DESKTOP)
Set objFolderItem = objFolder.ParseName("Accounts Payable Database.lnk")
Set objShellLink = objFolderItem.GetLink

objShellLink.Path = "\\atl-fs-01\accounting\payable.exe"
objShellLink.Save()

There is also the Win32_ShortcutFile class you can use to get info > http://msdn.microsoft.com/en-us/library ... S.85).aspx

This lists all the .lnk's on the system and some general info:

Code: Select all

XIncludeFile "COMatePLUS.pbi"

Procedure Shortcut_Lnk_Info()

Define.COMateObject objWMIService, LNKInfo
colLNKInfo.COMateEnumObject
strComputer.s = "." 

objWMIService = COMate_GetObject("winmgmts:\\" + strComputer + "\root\cimv2", "") 
If objWMIService 
  colLNKInfo = objWMIService\CreateEnumeration("ExecQuery('Select * from Win32_ShortcutFile')")
  
  If colLNKInfo 
    LNKInfo = colLNKInfo\GetNextObject() 
    While LNKInfo
      
      Debug "Caption  = " + LNKInfo\GetStringProperty("Caption")
      Debug "Description  = " + LNKInfo\GetStringProperty("Description")
      Debug "Name  = " + LNKInfo\GetStringProperty("Name")
      Debug "Path =  " + LNKInfo\GetStringProperty("Path")
      Debug "Target =  " + LNKInfo\GetStringProperty("Target")
      Debug "*********************************************************************"
                
      LNKInfo\Release() 
      LNKInfo = colLNKInfo\GetNextObject()
    Wend
    colLNKInfo\Release() 
  EndIf
  objWMIService\Release()
  Else
      MessageRequester("Error", "LNKInfo")  
EndIf

EndProcedure

Shortcut_Lnk_Info()
For creating shortcuts you can use the Invoke method of the Win32_ShortcutAction class I think, although I have not tried it > http://msdn.microsoft.com/en-us/library ... S.85).aspx
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.

Bug with PB 4.41 RC1

Post by KIKI »

Trying to execute ShortcutLink, the following message appears from comateplus.pbi:
Ligne 1258 Nombre entre "" sont limités à 8 caractéres
This problem won't appear in PB 4.40; the program is executing without any problem.

Re: COMatePLUS version 1.1

Post by KIKI »

Code: Select all

XIncludeFile #PB_Compiler_Home+"comate\comateplus.pbi"
Define.Comateobject objshell,objFolderItem,objshelllink,objfolder 
#CURRENT_USER_DESkTOP=$A
objshell = COMate_CreateObject("Shell.Application")
objfolder = objshell\GetObjectProperty("Namespace("+Str(#CURRENT_USER_DESkTOP)+")")
Debug comate_getlasterrordescription()
objFolderItem = objFolder\GetPropertyref("ParseName('PLus.lnk')")
Debug comate_getlasterrordescription()
objShellLink = objFolderItem\GetObjectProperty("GetLink")
Debug objShellLink\getobjectproperty("Path")

The line 6 returns the following bug:
The operation completed, but was only partially successful. (The property returned a NULL object!)
Thanks in advance

Re: COMatePLUS version 1.1

Post by srod »

Yes, that is being returned in this case whenever the relevant file/folder cannot be located.

The following works for me (note that I have changed the value of #CURRENT_USER_DESKTOP). Change 'WinCHM.lnk' to a shortcut on your own desktop (otherwise you'll get the null return error) :

Code: Select all

IncludePath "..\"
XIncludeFile "COMatePLUS.pbi"

Define.Comateobject objshell,objFolderItem,objshelllink,objfolder 
#CURRENT_USER_DESKTOP=$10

objshell = COMate_CreateObject("Shell.Application")
If objshell 
  objfolder = objshell\GetObjectProperty("Namespace("+Str(#CURRENT_USER_DESKTOP)+" As long)")
  If objfolder
    objFolderItem = objFolder\GetObjectProperty("ParseName('WinCHM.lnk')")
    Debug comate_getlasterrordescription()
    If objFolderItem
    
      objFolderItem\Release()
    EndIf
    objfolder\Release()
  EndIf
  objshell\Release()
EndIf
**EDIT : note also the " as long". This parameter can be a string and so if passing an integer CSIDL_... constant, it would appear that you have to pad it out to 32-bits. On their own they will be passed as BYTE values by COMate which the shell object does not like for some reason! :)
I may look like a mule, but I'm not a complete ass.

Re: COMatePLUS version 1.1

Post by KIKI »

Have you seen my message with PB 4.41 RC1?
Trying to execute ShortcutLink, the following message appears from comateplus.pbi:
Ligne 1258 Nombre entre "" sont limités à 8 caractéres
This problem won't appear in PB 4.40; the program is executing without any problem.

I also have another problem with the example of the Outlook object: after releasing the object, Outlook is always in the task list.

Re: COMatePLUS version 1.1

Post by srod »

SFSxOI's code and my code work fine here with both PB 4.4 and 4.4 RC 1.
I may look like a mule, but I'm not a complete ass.

Re: COMatePLUS version 1.1

Post by DoubleDutch »

I have the same error as Kiki..

This line (1258) in COMatePlus.pbi :

Code: Select all

 If *ptr\c = '-' Or *ptr\c = '+'

gives the error "Numbers between '' are limited to 8 characters."
https://deluxepixel.com <- My Business website
https://reportcomplete.com <- School end of term reports system

Re: COMatePLUS version 1.1

Post by srod »

Which code snippet generates the error Anthony?

**EDIT : it's okay, I can reproduce the error (switch off Unicode).

****EDIT : it seems that PB 4.41 RC1 simply does not like things like 'A' in Ascii mode! I'd better post a bug report.
Last edited by srod on Tue Jan 19, 2010 11:07 am, edited 1 time in total.
I may look like a mule, but I'm not a complete ass.