public static Object getFromRegistry(Object key)
{
if (instance == null)
{
instance = new Registry();
}
return instance.registry[key];
}
public static void addToRegistry(Object key, Object value)
{
if (instance == null)
{
instance = new Registry();
}
instance.registry.Add(key, value);
}
static void Main(string[] args)
{
var app = new Registry();
app.Start();
}
/// <summary>
///
/// </summary>
/// <param name="args"></param>
static void Main(string[] args)
{
try
{
Assembly assembly = Assembly.GetExecutingAssembly();
AssemblyName assemblyName = assembly.GetName();
Console.WriteLine(Environment.NewLine + "shimcacheparser v" + assemblyName.Version.ToString(3) + Environment.NewLine);
Options options = new Options();
if (CommandLineParser.Default.ParseArguments(args, options) == false)
{
return;
}
if (IsValidSortValue(options) == false)
{
Console.WriteLine("Invalid sort parameter value (-s)");
return;
}
if (File.Exists(options.File) == false)
{
Console.WriteLine("The registry file does not exist");
return;
}
Registry.Registry registry = new Registry.Registry(options.File);
RegistryKey rootKey = registry.Root;
foreach (RegistryKey subKey in rootKey.SubKeys())
{
if (subKey.Name.IndexOf("ControlSet", StringComparison.InvariantCultureIgnoreCase) == -1)
{
continue;
}
try
{
List<Hit> hits = new List<Hit>();
RegistryKey regKeySessionManager = registry.Open(string.Format(@"{0}\Control\Session Manager", subKey.Name));
if (regKeySessionManager == null)
{
continue;
}
foreach (RegistryKey subKeySessionManager in regKeySessionManager.SubKeys())
{
//@"ControlSet001\Control\Session Manager\AppCompatibility\AppCompatCache"
//@"ControlSet001\Control\Session Manager\AppCompatCache\AppCompatCache"
if (subKeySessionManager.Name.IndexOf("AppCompatibility", StringComparison.InvariantCultureIgnoreCase) == -1 &
subKeySessionManager.Name.IndexOf("AppCompatCache", StringComparison.InvariantCultureIgnoreCase) == -1)
{
continue;
}
RegistryValue regVal = subKeySessionManager.Value("AppCompatCache");
if (regVal == null)
{
continue;
}
byte[] data = (byte[])regVal.Value;
// Data size less than minimum header size.
if (data.Length < 16)
{
continue;
}
UInt32 magic = BitConverter.ToUInt32(data.Slice(0, 4), 0);
// Determine which version we are working with
switch (magic)
{
case Global.WINXP_MAGIC32: // This is WinXP cache data
Console.WriteLine("[+] Found 32bit Windows XP Shim Cache data...");
hits = ReadWinXpEntries(data);
break;
case Global.CACHE_MAGIC_NT5_2: // This is a Windows 2k3/Vista/2k8 Shim Cache format,
// Shim Cache types can come in 32-bit or 64-bit formats. We can determine this because 64-bit entries are serialized with u_int64 pointers.
// This means that in a 64-bit entry, valid UNICODE_STRING sizes are followed by a NULL DWORD. Check for this here.
UInt16 testSizeNt5 = BitConverter.ToUInt16(data.Slice(8, 10), 0);
UInt16 testMaxSizeNt5 = BitConverter.ToUInt16(data.Slice(10, 12), 0);
UInt32 testTempNt5 = BitConverter.ToUInt32(data.Slice(12, 16), 0);
if ((testMaxSizeNt5 - testSizeNt5 == 2) & (testTempNt5 == 0))
{
Console.WriteLine("[+] Found 64bit Windows 2k3/Vista/2k8 Shim Cache data...");
hits = ReadNt5Entries(data, false);
}
else
{
Console.WriteLine("[+] Found 32bit Windows 2k3/Vista/2k8 Shim Cache data...");
hits = ReadNt5Entries(data, true);
}
break;
case Global.CACHE_MAGIC_NT6_1: // This is a Windows 7/2k8-R2 Shim Cache.
// Shim Cache types can come in 32-bit or 64-bit formats. We can determine this because 64-bit entries are serialized with u_int64 pointers.
// This means that in a 64-bit entry, valid UNICODE_STRING sizes are followed by a NULL DWORD. Check for this here.
UInt16 testSizeNt6 = BitConverter.ToUInt16(data.Slice(Global.CACHE_HEADER_SIZE_NT6_1, Global.CACHE_HEADER_SIZE_NT6_1 + 2), 0);
UInt16 testMaxSizeNt6 = BitConverter.ToUInt16(data.Slice(Global.CACHE_HEADER_SIZE_NT6_1 + 2, Global.CACHE_HEADER_SIZE_NT6_1 + 4), 0);
UInt32 testTempNt6 = BitConverter.ToUInt32(data.Slice(Global.CACHE_HEADER_SIZE_NT6_1 + 4, Global.CACHE_HEADER_SIZE_NT6_1 + 8), 0);
if ((testMaxSizeNt6 - testSizeNt6 == 2) & (testTempNt6 == 0))
{
Console.WriteLine("[+] Found 64bit Windows 7/2k8-R2 Shim Cache data...");
hits = ReadNt6Entries(data, false);
}
else
{
Console.WriteLine("[+] Found 32bit Windows 7/2k8-R2 Shim Cache data...");
hits = ReadNt6Entries(data, true);
}
break;
default:
Console.WriteLine(string.Format("[-] Got an unrecognized magic value of {0}... bailing... ", magic));
return;
}
}
PrintHits(options, hits);
}
catch (Exception ex)
{
Console.WriteLine("An error occurred: " + ex.Message);
}
}
}
catch (Exception ex)
{
Console.WriteLine("An error occurred: " + ex.Message);
}
}
/// <summary>
///
/// </summary>
/// <param name="args"></param>
static void Main(string[] args)
{
try
{
Assembly assembly = Assembly.GetExecutingAssembly();
AssemblyName assemblyName = assembly.GetName();
Console.WriteLine(Environment.NewLine + "shimcacheparser v" + assemblyName.Version.ToString(3) + Environment.NewLine);
Options options = new Options();
if (CommandLineParser.Default.ParseArguments(args, options) == false)
{
return;
}
if (IsValidSortValue(options) == false)
{
Console.WriteLine("Invalid sort parameter value (-s)");
return;
}
if (File.Exists(options.File) == false)
{
Console.WriteLine("The registry file does not exist");
return;
}
Registry.Registry registry = new Registry.Registry(options.File);
RegistryKey rootKey = registry.Root;
foreach (RegistryKey subKey in rootKey.SubKeys())
{
if (subKey.Name.IndexOf("ControlSet", StringComparison.InvariantCultureIgnoreCase) == -1)
{
continue;
}
try
{
List <Hit> hits = new List <Hit>();
RegistryKey regKeySessionManager = registry.Open(string.Format(@"{0}\Control\Session Manager", subKey.Name));
if (regKeySessionManager == null)
{
continue;
}
foreach (RegistryKey subKeySessionManager in regKeySessionManager.SubKeys())
{
//@"ControlSet001\Control\Session Manager\AppCompatibility\AppCompatCache"
//@"ControlSet001\Control\Session Manager\AppCompatCache\AppCompatCache"
if (subKeySessionManager.Name.IndexOf("AppCompatibility", StringComparison.InvariantCultureIgnoreCase) == -1 &
subKeySessionManager.Name.IndexOf("AppCompatCache", StringComparison.InvariantCultureIgnoreCase) == -1)
{
continue;
}
RegistryValue regVal = subKeySessionManager.Value("AppCompatCache");
if (regVal == null)
{
continue;
}
byte[] data = (byte[])regVal.Value;
// Data size less than minimum header size.
if (data.Length < 16)
{
continue;
}
UInt32 magic = BitConverter.ToUInt32(data.Slice(0, 4), 0);
// Determine which version we are working with
switch (magic)
{
case Global.WINXP_MAGIC32: // This is WinXP cache data
Console.WriteLine("[+] Found 32bit Windows XP Shim Cache data...");
hits = ReadWinXpEntries(data);
break;
case Global.CACHE_MAGIC_NT5_2: // This is a Windows 2k3/Vista/2k8 Shim Cache format,
// Shim Cache types can come in 32-bit or 64-bit formats. We can determine this because 64-bit entries are serialized with u_int64 pointers.
// This means that in a 64-bit entry, valid UNICODE_STRING sizes are followed by a NULL DWORD. Check for this here.
UInt16 testSizeNt5 = BitConverter.ToUInt16(data.Slice(8, 10), 0);
UInt16 testMaxSizeNt5 = BitConverter.ToUInt16(data.Slice(10, 12), 0);
UInt32 testTempNt5 = BitConverter.ToUInt32(data.Slice(12, 16), 0);
if ((testMaxSizeNt5 - testSizeNt5 == 2) & (testTempNt5 == 0))
{
Console.WriteLine("[+] Found 64bit Windows 2k3/Vista/2k8 Shim Cache data...");
hits = ReadNt5Entries(data, false);
}
else
{
Console.WriteLine("[+] Found 32bit Windows 2k3/Vista/2k8 Shim Cache data...");
hits = ReadNt5Entries(data, true);
}
break;
case Global.CACHE_MAGIC_NT6_1: // This is a Windows 7/2k8-R2 Shim Cache.
// Shim Cache types can come in 32-bit or 64-bit formats. We can determine this because 64-bit entries are serialized with u_int64 pointers.
// This means that in a 64-bit entry, valid UNICODE_STRING sizes are followed by a NULL DWORD. Check for this here.
UInt16 testSizeNt6 = BitConverter.ToUInt16(data.Slice(Global.CACHE_HEADER_SIZE_NT6_1, Global.CACHE_HEADER_SIZE_NT6_1 + 2), 0);
UInt16 testMaxSizeNt6 = BitConverter.ToUInt16(data.Slice(Global.CACHE_HEADER_SIZE_NT6_1 + 2, Global.CACHE_HEADER_SIZE_NT6_1 + 4), 0);
UInt32 testTempNt6 = BitConverter.ToUInt32(data.Slice(Global.CACHE_HEADER_SIZE_NT6_1 + 4, Global.CACHE_HEADER_SIZE_NT6_1 + 8), 0);
if ((testMaxSizeNt6 - testSizeNt6 == 2) & (testTempNt6 == 0))
{
Console.WriteLine("[+] Found 64bit Windows 7/2k8-R2 Shim Cache data...");
hits = ReadNt6Entries(data, false);
}
else
{
Console.WriteLine("[+] Found 32bit Windows 7/2k8-R2 Shim Cache data...");
hits = ReadNt6Entries(data, true);
}
break;
default:
Console.WriteLine(string.Format("[-] Got an unrecognized magic value of {0}... bailing... ", magic));
return;
}
}
PrintHits(options, hits);
}
catch (Exception ex)
{
Console.WriteLine("An error occurred: " + ex.Message);
}
}
}
catch (Exception ex)
{
Console.WriteLine("An error occurred: " + ex.Message);
}
}
