public static Object getFromRegistry(Object key) { if (instance == null) { instance = new Registry(); } return instance.registry[key]; }
public static void addToRegistry(Object key, Object value) { if (instance == null) { instance = new Registry(); } instance.registry.Add(key, value); }
static void Main(string[] args) { var app = new Registry(); app.Start(); }
/// <summary> /// /// </summary> /// <param name="args"></param> static void Main(string[] args) { try { Assembly assembly = Assembly.GetExecutingAssembly(); AssemblyName assemblyName = assembly.GetName(); Console.WriteLine(Environment.NewLine + "shimcacheparser v" + assemblyName.Version.ToString(3) + Environment.NewLine); Options options = new Options(); if (CommandLineParser.Default.ParseArguments(args, options) == false) { return; } if (IsValidSortValue(options) == false) { Console.WriteLine("Invalid sort parameter value (-s)"); return; } if (File.Exists(options.File) == false) { Console.WriteLine("The registry file does not exist"); return; } Registry.Registry registry = new Registry.Registry(options.File); RegistryKey rootKey = registry.Root; foreach (RegistryKey subKey in rootKey.SubKeys()) { if (subKey.Name.IndexOf("ControlSet", StringComparison.InvariantCultureIgnoreCase) == -1) { continue; } try { List<Hit> hits = new List<Hit>(); RegistryKey regKeySessionManager = registry.Open(string.Format(@"{0}\Control\Session Manager", subKey.Name)); if (regKeySessionManager == null) { continue; } foreach (RegistryKey subKeySessionManager in regKeySessionManager.SubKeys()) { //@"ControlSet001\Control\Session Manager\AppCompatibility\AppCompatCache" //@"ControlSet001\Control\Session Manager\AppCompatCache\AppCompatCache" if (subKeySessionManager.Name.IndexOf("AppCompatibility", StringComparison.InvariantCultureIgnoreCase) == -1 & subKeySessionManager.Name.IndexOf("AppCompatCache", StringComparison.InvariantCultureIgnoreCase) == -1) { continue; } RegistryValue regVal = subKeySessionManager.Value("AppCompatCache"); if (regVal == null) { continue; } byte[] data = (byte[])regVal.Value; // Data size less than minimum header size. if (data.Length < 16) { continue; } UInt32 magic = BitConverter.ToUInt32(data.Slice(0, 4), 0); // Determine which version we are working with switch (magic) { case Global.WINXP_MAGIC32: // This is WinXP cache data Console.WriteLine("[+] Found 32bit Windows XP Shim Cache data..."); hits = ReadWinXpEntries(data); break; case Global.CACHE_MAGIC_NT5_2: // This is a Windows 2k3/Vista/2k8 Shim Cache format, // Shim Cache types can come in 32-bit or 64-bit formats. We can determine this because 64-bit entries are serialized with u_int64 pointers. // This means that in a 64-bit entry, valid UNICODE_STRING sizes are followed by a NULL DWORD. Check for this here. UInt16 testSizeNt5 = BitConverter.ToUInt16(data.Slice(8, 10), 0); UInt16 testMaxSizeNt5 = BitConverter.ToUInt16(data.Slice(10, 12), 0); UInt32 testTempNt5 = BitConverter.ToUInt32(data.Slice(12, 16), 0); if ((testMaxSizeNt5 - testSizeNt5 == 2) & (testTempNt5 == 0)) { Console.WriteLine("[+] Found 64bit Windows 2k3/Vista/2k8 Shim Cache data..."); hits = ReadNt5Entries(data, false); } else { Console.WriteLine("[+] Found 32bit Windows 2k3/Vista/2k8 Shim Cache data..."); hits = ReadNt5Entries(data, true); } break; case Global.CACHE_MAGIC_NT6_1: // This is a Windows 7/2k8-R2 Shim Cache. // Shim Cache types can come in 32-bit or 64-bit formats. We can determine this because 64-bit entries are serialized with u_int64 pointers. // This means that in a 64-bit entry, valid UNICODE_STRING sizes are followed by a NULL DWORD. Check for this here. UInt16 testSizeNt6 = BitConverter.ToUInt16(data.Slice(Global.CACHE_HEADER_SIZE_NT6_1, Global.CACHE_HEADER_SIZE_NT6_1 + 2), 0); UInt16 testMaxSizeNt6 = BitConverter.ToUInt16(data.Slice(Global.CACHE_HEADER_SIZE_NT6_1 + 2, Global.CACHE_HEADER_SIZE_NT6_1 + 4), 0); UInt32 testTempNt6 = BitConverter.ToUInt32(data.Slice(Global.CACHE_HEADER_SIZE_NT6_1 + 4, Global.CACHE_HEADER_SIZE_NT6_1 + 8), 0); if ((testMaxSizeNt6 - testSizeNt6 == 2) & (testTempNt6 == 0)) { Console.WriteLine("[+] Found 64bit Windows 7/2k8-R2 Shim Cache data..."); hits = ReadNt6Entries(data, false); } else { Console.WriteLine("[+] Found 32bit Windows 7/2k8-R2 Shim Cache data..."); hits = ReadNt6Entries(data, true); } break; default: Console.WriteLine(string.Format("[-] Got an unrecognized magic value of {0}... bailing... ", magic)); return; } } PrintHits(options, hits); } catch (Exception ex) { Console.WriteLine("An error occurred: " + ex.Message); } } } catch (Exception ex) { Console.WriteLine("An error occurred: " + ex.Message); } }
/// <summary> /// /// </summary> /// <param name="args"></param> static void Main(string[] args) { try { Assembly assembly = Assembly.GetExecutingAssembly(); AssemblyName assemblyName = assembly.GetName(); Console.WriteLine(Environment.NewLine + "shimcacheparser v" + assemblyName.Version.ToString(3) + Environment.NewLine); Options options = new Options(); if (CommandLineParser.Default.ParseArguments(args, options) == false) { return; } if (IsValidSortValue(options) == false) { Console.WriteLine("Invalid sort parameter value (-s)"); return; } if (File.Exists(options.File) == false) { Console.WriteLine("The registry file does not exist"); return; } Registry.Registry registry = new Registry.Registry(options.File); RegistryKey rootKey = registry.Root; foreach (RegistryKey subKey in rootKey.SubKeys()) { if (subKey.Name.IndexOf("ControlSet", StringComparison.InvariantCultureIgnoreCase) == -1) { continue; } try { List <Hit> hits = new List <Hit>(); RegistryKey regKeySessionManager = registry.Open(string.Format(@"{0}\Control\Session Manager", subKey.Name)); if (regKeySessionManager == null) { continue; } foreach (RegistryKey subKeySessionManager in regKeySessionManager.SubKeys()) { //@"ControlSet001\Control\Session Manager\AppCompatibility\AppCompatCache" //@"ControlSet001\Control\Session Manager\AppCompatCache\AppCompatCache" if (subKeySessionManager.Name.IndexOf("AppCompatibility", StringComparison.InvariantCultureIgnoreCase) == -1 & subKeySessionManager.Name.IndexOf("AppCompatCache", StringComparison.InvariantCultureIgnoreCase) == -1) { continue; } RegistryValue regVal = subKeySessionManager.Value("AppCompatCache"); if (regVal == null) { continue; } byte[] data = (byte[])regVal.Value; // Data size less than minimum header size. if (data.Length < 16) { continue; } UInt32 magic = BitConverter.ToUInt32(data.Slice(0, 4), 0); // Determine which version we are working with switch (magic) { case Global.WINXP_MAGIC32: // This is WinXP cache data Console.WriteLine("[+] Found 32bit Windows XP Shim Cache data..."); hits = ReadWinXpEntries(data); break; case Global.CACHE_MAGIC_NT5_2: // This is a Windows 2k3/Vista/2k8 Shim Cache format, // Shim Cache types can come in 32-bit or 64-bit formats. We can determine this because 64-bit entries are serialized with u_int64 pointers. // This means that in a 64-bit entry, valid UNICODE_STRING sizes are followed by a NULL DWORD. Check for this here. UInt16 testSizeNt5 = BitConverter.ToUInt16(data.Slice(8, 10), 0); UInt16 testMaxSizeNt5 = BitConverter.ToUInt16(data.Slice(10, 12), 0); UInt32 testTempNt5 = BitConverter.ToUInt32(data.Slice(12, 16), 0); if ((testMaxSizeNt5 - testSizeNt5 == 2) & (testTempNt5 == 0)) { Console.WriteLine("[+] Found 64bit Windows 2k3/Vista/2k8 Shim Cache data..."); hits = ReadNt5Entries(data, false); } else { Console.WriteLine("[+] Found 32bit Windows 2k3/Vista/2k8 Shim Cache data..."); hits = ReadNt5Entries(data, true); } break; case Global.CACHE_MAGIC_NT6_1: // This is a Windows 7/2k8-R2 Shim Cache. // Shim Cache types can come in 32-bit or 64-bit formats. We can determine this because 64-bit entries are serialized with u_int64 pointers. // This means that in a 64-bit entry, valid UNICODE_STRING sizes are followed by a NULL DWORD. Check for this here. UInt16 testSizeNt6 = BitConverter.ToUInt16(data.Slice(Global.CACHE_HEADER_SIZE_NT6_1, Global.CACHE_HEADER_SIZE_NT6_1 + 2), 0); UInt16 testMaxSizeNt6 = BitConverter.ToUInt16(data.Slice(Global.CACHE_HEADER_SIZE_NT6_1 + 2, Global.CACHE_HEADER_SIZE_NT6_1 + 4), 0); UInt32 testTempNt6 = BitConverter.ToUInt32(data.Slice(Global.CACHE_HEADER_SIZE_NT6_1 + 4, Global.CACHE_HEADER_SIZE_NT6_1 + 8), 0); if ((testMaxSizeNt6 - testSizeNt6 == 2) & (testTempNt6 == 0)) { Console.WriteLine("[+] Found 64bit Windows 7/2k8-R2 Shim Cache data..."); hits = ReadNt6Entries(data, false); } else { Console.WriteLine("[+] Found 32bit Windows 7/2k8-R2 Shim Cache data..."); hits = ReadNt6Entries(data, true); } break; default: Console.WriteLine(string.Format("[-] Got an unrecognized magic value of {0}... bailing... ", magic)); return; } } PrintHits(options, hits); } catch (Exception ex) { Console.WriteLine("An error occurred: " + ex.Message); } } } catch (Exception ex) { Console.WriteLine("An error occurred: " + ex.Message); } }