/**
 * Resets the registry value behind the currently selected table row to its default and
 * notifies the model that columns 0 through 2 of that row changed.
 *
 * @param e the triggering action event (not read here)
 */
public void actionPerformed(AnActionEvent e) {
  final RegistryValue selected = myModel.getRegistryValue(myTable.getSelectedRow());
  selected.resetToDefault();

  // The selected row is re-read for every notification, one per column.
  for (int column = 0; column <= 2; column++) {
    myModel.fireTableCellUpdated(myTable.getSelectedRow(), column);
  }

  revaliateActions();
}
/**
 * Refreshes the presentation of the "Revert to Default" action.
 *
 * <p>The action is enabled only while the table is not being edited, a row is selected, and
 * the registry value of that row differs from its default.
 *
 * @param e the event whose presentation is updated
 */
@Override
public void update(AnActionEvent e) {
  final boolean unavailable = myTable.isEditing() || myTable.getSelectedRow() < 0;
  e.getPresentation().setEnabled(!unavailable);
  e.getPresentation().setText("Revert to Default");
  e.getPresentation().setIcon(IconLoader.getIcon("/general/remove.png"));

  if (!e.getPresentation().isEnabled()) {
    return;
  }

  // A row is selected: only offer the revert when there is something to revert.
  final RegistryValue selected = myModel.getRegistryValue(myTable.getSelectedRow());
  e.getPresentation().setEnabled(selected.isChangedFromDefault());
}
/**
 * Commits the editor state into the registry value being edited, if there is one, then
 * refreshes the actions and delegates to the superclass.
 *
 * <p>Boolean values take the check box state; every other value takes the trimmed text of
 * the text field.
 *
 * @return whatever {@code super.stopCellEditing()} returns
 */
@Override
public boolean stopCellEditing() {
  final boolean hasValue = myValue != null;
  if (hasValue && myValue.isBoolean()) {
    myValue.setValue(myCheckBox.isSelected());
  } else if (hasValue) {
    final String typedText = myField.getText().trim();
    myValue.setValue(typedText);
  }

  revaliateActions();
  return super.stopCellEditing();
}
/**
 * Returns the cell value for the given row and column.
 *
 * @param rowIndex row whose registry value is looked up
 * @param columnIndex 0 yields an empty string, 1 the key, 2 the value as a string; any other
 *     index yields the {@code RegistryValue} itself
 * @return the cell value as described above
 */
public Object getValueAt(int rowIndex, int columnIndex) {
  // Looked up first for every column, including column 0 which does not use it.
  final RegistryValue entry = getRegistryValue(rowIndex);

  if (columnIndex == 0) {
    return "";
  }
  if (columnIndex == 1) {
    return entry.getKey();
  }
  if (columnIndex == 2) {
    return entry.asString();
  }
  return entry;
}
/**
 * Renders one cell of the registry table.
 *
 * <p>Column 0 shows the restart icon when the value requires a restart, column 1 shows the
 * key, and column 2 shows the value: a colored icon for colors, a check box for booleans and
 * plain text otherwise. Values changed from their default are drawn in bold.
 *
 * @param table the table being rendered; its model is cast to {@code MyTableModel}
 * @param value the cell value supplied by the table (not read here)
 * @param isSelected whether the selection colors should be used
 * @param hasFocus whether the cell has focus (not read here)
 * @param row row whose registry value is rendered
 * @param column column being rendered
 * @return the shared label, or a new check box for boolean values in column 2
 */
@NotNull
@Override
public Component getTableCellRendererComponent(
    @NotNull JTable table, Object value, boolean isSelected, boolean hasFocus, int row, int column) {
  final RegistryValue entry = ((MyTableModel) table.getModel()).getRegistryValue(row);

  // The label is shared between cells, so clear whatever the previous cell left behind.
  myLabel.setIcon(null);
  myLabel.setText(null);
  myLabel.setHorizontalAlignment(SwingConstants.LEFT);

  final Color foreground;
  final Color background;
  if (isSelected) {
    foreground = table.getSelectionForeground();
    background = table.getSelectionBackground();
  } else {
    foreground = table.getForeground();
    background = table.getBackground();
  }

  if (entry == null) {
    return myLabel;
  }

  if (column == 0) {
    myLabel.setIcon(entry.isRestartRequired() ? RESTART_ICON : null);
    myLabel.setHorizontalAlignment(SwingConstants.CENTER);
  } else if (column == 1) {
    myLabel.setText(entry.getKey());
  } else if (column == 2) {
    if (entry.asColor(null) != null) {
      myLabel.setIcon(createColoredIcon(entry.asColor(null)));
    } else if (entry.isBoolean()) {
      // Booleans get their own component; the label styling below is skipped for them.
      final JCheckBox checkBox = new JCheckBox();
      checkBox.setSelected(entry.asBoolean());
      checkBox.setBackground(background);
      return checkBox;
    } else {
      myLabel.setText(entry.asString());
    }
  }

  myLabel.setOpaque(true);
  myLabel.setFont(
      myLabel.getFont().deriveFont(entry.isChangedFromDefault() ? Font.BOLD : Font.PLAIN));
  myLabel.setForeground(foreground);
  myLabel.setBackground(background);
  return myLabel;
}
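/**
 * Prepares the editor for the registry value in the given row.
 *
 * <p>Color values are edited through {@code ColorChooser.chooseColor}; the chosen color is
 * stored as {@code "red,green,blue"} and no in-cell editor is returned. Boolean values are
 * edited with the check box, everything else with the text field.
 *
 * @param table the table being edited; its model is cast to {@code MyTableModel}
 * @param value the cell value supplied by the table (not read here)
 * @param isSelected whether the cell is selected (not read here)
 * @param row row whose registry value is edited
 * @param column column being edited (not read here)
 * @return the check box or text field to edit with, or {@code null} for color values
 */
@Nullable
public Component getTableCellEditorComponent(
    JTable table, Object value, boolean isSelected, int row, int column) {
  myValue = ((MyTableModel) table.getModel()).getRegistryValue(row);

  if (myValue.asColor(null) != null) {
    // Seed the chooser from myValue rather than casting the cell value: the cell value is
    // whatever the model's getValueAt returns, which need not be a RegistryValue, and a
    // failed cast would abort editing with a ClassCastException.
    final Color color =
        ColorChooser.chooseColor(table, "Choose color", myValue.asColor(Color.WHITE));
    if (color != null) {
      myValue.setValue(color.getRed() + "," + color.getGreen() + "," + color.getBlue());
    }
    return null;
  } else if (myValue.isBoolean()) {
    myCheckBox.setSelected(myValue.asBoolean());
    myCheckBox.setBackground(table.getBackground());
    return myCheckBox;
  } else {
    myField.setText(myValue.asString());
    myField.setBorder(null);
    myField.selectAll();
    return myField;
  }
}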
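/**
 * Test the Registry object against one registry file.
 *
 * <p>The result state is FALSE when the key cannot be found, TRUE when the key is found and
 * either the object lists no values or one of its values matches a value stored under the key,
 * and INDETERMINATE when an exception is raised or no listed value matched.
 *
 * @param a_regInfo The registry file
 * @return Result of the test
 */
private ObservableResult testRegistryFile(RegistryFileInfo a_regInfo) {
    try {
        RegistryKey root = openRegistry(a_regInfo.tempFileName);
        RegistryKey result = findKey(root, obj.getKey().getValue().toString());

        if (result == null) {
            // Take another shot looking for the key minus the first part of the path (sometimes the
            // hive file name is here). This should only happen if the hive name started
            // with "HKEY"
            if ((obj.getHive() != null)
                    && obj.getHive().getValue().toString().startsWith("HKEY")) { // NON-NLS
                String[] parts = obj.getKey().getValue().toString().split("\\\\");
                StringBuilder newKey = new StringBuilder();
                for (int i = 1; i < parts.length; i++) {
                    if (newKey.length() > 0) {
                        newKey.append("\\");
                    }
                    newKey.append(parts[i]);
                }
                result = findKey(root, newKey.toString());
            }

            if (result == null) {
                return new ObservableResult(
                        id,
                        "RegistryObject: Could not find key " + obj.getKey().getValue(), // NON-NLS
                        spacing,
                        ObservableResult.ObservableState.FALSE,
                        null);
            }
        }

        if ((obj.getValues() == null) || (obj.getValues().getValues().isEmpty())) {
            // No values to test
            List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
            artData.add(
                    new StixArtifactData(a_regInfo.abstractFile.getId(), id, "Registry")); // NON-NLS
            return new ObservableResult(
                    id,
                    "RegistryObject: Found key " + obj.getKey().getValue(), // NON-NLS
                    spacing,
                    ObservableResult.ObservableState.TRUE,
                    artData);
        }

        // Test all the values
        for (org.mitre.cybox.objects.RegistryValueType stixRegValue : obj.getValues().getValues()) {
            try {
                for (RegistryValue valFromFile : result.getValueList()) {
                    // Test if the name field matches (if present)
                    boolean nameSuccess = true; // True if the name matches or isn't present
                    if (stixRegValue.getName() != null) {
                        try {
                            nameSuccess =
                                    compareStringObject(stixRegValue.getName(), valFromFile.getName());
                        } catch (UnsupportedEncodingException ex) {
                            nameSuccess = false;
                        }
                    }

                    boolean valueSuccess = true;
                    if (nameSuccess && (stixRegValue.getData() != null)) {
                        switch (valFromFile.getValueType()) {
                            case REG_SZ:
                            case REG_EXPAND_SZ:
                                try {
                                    valueSuccess =
                                            compareStringObject(
                                                    stixRegValue.getData(),
                                                    valFromFile.getValue().getAsString());
                                } catch (UnsupportedEncodingException ex) {
                                    valueSuccess = false;
                                }
                                break;
                            case REG_DWORD:
                            case REG_BIG_ENDIAN:
                            case REG_QWORD:
                                // Only support "equals" for now.
                                if ((stixRegValue.getData().getCondition() == null)
                                        || (stixRegValue.getData().getCondition()
                                                == ConditionTypeEnum.EQUALS)) {
                                    // Try to convert the STIX string to a long
                                    try {
                                        long stixValue =
                                                Long.decode(
                                                        stixRegValue.getData().getValue().toString());
                                        try {
                                            valueSuccess =
                                                    (stixValue == valFromFile.getValue().getAsNumber());
                                        } catch (UnsupportedEncodingException ex) {
                                            valueSuccess = false;
                                        }
                                    } catch (NumberFormatException ex) {
                                        // We probably weren't looking at a numeric field to begin with,
                                        // so getting this exception isn't really an error.
                                        valueSuccess = false;
                                    }
                                } else {
                                    valueSuccess = false;
                                }
                                break;
                            default:
                                // Nothing to do here. These are the types we don't handle:
                                // REG_BIN, REG_FULL_RESOURCE_DESCRIPTOR, REG_LINK, REG_MULTI_SZ, REG_NONE,
                                // REG_RESOURCE_LIST, REG_RESOURCE_REQUIREMENTS_LIST
                                // NOTE(review): valueSuccess stays true for these types, so a data
                                // constraint on such a value is never compared yet counts as
                                // satisfied. An analyst may then see a hit that the data did not
                                // confirm - verify this is intended.
                        }
                    }

                    if (nameSuccess && valueSuccess) {
                        // The first STIX value / file value pair that passes both checks decides
                        // the result.
                        List<StixArtifactData> artData = new ArrayList<StixArtifactData>();
                        artData.add(
                                new StixArtifactData(
                                        a_regInfo.abstractFile.getId(), id, "Registry")); // NON-NLS

                        // Name and data are both optional on the STIX value (see the null checks
                        // above). Dereferencing an absent one here used to throw, and the broad
                        // catch below then downgraded a genuine match to INDETERMINATE.
                        Object stixName =
                                (stixRegValue.getName() != null)
                                        ? stixRegValue.getName().getValue()
                                        : null;
                        Object stixData =
                                (stixRegValue.getData() != null)
                                        ? stixRegValue.getData().getValue()
                                        : null;
                        return new ObservableResult(
                                id,
                                "RegistryObject: Found key " + obj.getKey().getValue() // NON-NLS
                                        + " and value " // NON-NLS
                                        + ((stixName != null) ? stixName.toString() : "(any name)") // NON-NLS
                                        + " = "
                                        + ((stixData != null) ? stixData.toString() : "(any data)"), // NON-NLS
                                spacing,
                                ObservableResult.ObservableState.TRUE,
                                artData);
                    }
                }
            } catch (Exception ex) {
                // Broad catch here because the registry parser can create all kinds of exceptions
                // beyond what it reports.
                return new ObservableResult(
                        id,
                        "RegistryObject: Exception during evaluation: " + ex.getLocalizedMessage(), // NON-NLS
                        spacing,
                        ObservableResult.ObservableState.INDETERMINATE,
                        null);
            }
        }
    } catch (TskCoreException ex) {
        return new ObservableResult(
                id,
                "RegistryObject: Exception during evaluation: " + ex.getLocalizedMessage(), // NON-NLS
                spacing,
                ObservableResult.ObservableState.INDETERMINATE,
                null);
    }

    // Reached when values were listed but none of them matched a value under the key.
    return new ObservableResult(
            id,
            "RegistryObject: Not done", // NON-NLS
            spacing,
            ObservableResult.ObservableState.INDETERMINATE,
            null);
}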