//https://github.com/libyal/winreg-kb/wiki/Application-Compatibility-Cache-key
        //https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

        // added computerName argument
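        /// <summary>
        /// Identifies which Windows version wrote an AppCompatCache (ShimCache) registry value
        /// by inspecting its header bytes, then builds the matching parser into <see cref="Cache"/>.
        /// </summary>
        /// <param name="rawBytes">Raw data of the AppCompatCache registry value.</param>
        /// <param name="is32">True when the hive came from a 32-bit Windows installation; the Windows 7 layout differs by bitness.</param>
        /// <param name="computerName">Computer name handed through to the per-version parser.</param>
        /// <exception cref="ArgumentNullException"><paramref name="rawBytes"/> is null.</exception>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="rawBytes"/> is too short to hold the header fields inspected here.</exception>
        /// <remarks>
        /// <see cref="OperatingSystem"/> is left at <c>Unknown</c> and <see cref="Cache"/> at null when no known header matches.
        /// </remarks>
        private void Init(byte[] rawBytes, bool is32, string computerName)
        {
            // Offsets of the version tags read below; the header must reach at least the farthest one.
            const int TagOffset8x = 128;
            const int TagOffset10 = 48;
            const int TagLength = 4;
            const int MinimumLength = TagOffset8x + TagLength;

            IAppCompatCache appCache = null;
            OperatingSystem = OperatingSystemVersion.Unknown;

            if (rawBytes == null)
            {
                throw new ArgumentNullException(nameof(rawBytes));
            }

            // Registry data is untrusted input; fail with a clear message instead of an index error from Encoding.
            if (rawBytes.Length < MinimumLength)
            {
                throw new ArgumentOutOfRangeException(nameof(rawBytes),
                    $"AppCompatCache data is too short to contain a header: {rawBytes.Length} bytes, need at least {MinimumLength}");
            }

            var signature = Encoding.ASCII.GetString(rawBytes, TagOffset8x, TagLength);

            if (signature == "\u0018\0\0\0" || signature == "Y\0\0\0")
            {
                OperatingSystem = OperatingSystemVersion.WindowsXP;
                appCache = new WindowsXP(rawBytes, is32, computerName);
            }
            else if (signature == "00ts")
            {
                OperatingSystem = OperatingSystemVersion.Windows80_Windows2012;
                appCache = new Windows8x(rawBytes, OperatingSystem, computerName);
            }
            else if (signature == "10ts")
            {
                OperatingSystem = OperatingSystemVersion.Windows81_Windows2012R2;
                appCache = new Windows8x(rawBytes, OperatingSystem, computerName);
            }
            else
            {
                // Windows 10 carries its "10ts" tag at offset 48 rather than 128.
                signature = Encoding.ASCII.GetString(rawBytes, TagOffset10, TagLength);

                if (signature == "10ts")
                {
                    OperatingSystem = OperatingSystemVersion.Windows10;
                    appCache = new Windows10(rawBytes, computerName);
                }
                else if (rawBytes[0] == 0xee && rawBytes[1] == 0x0f && rawBytes[2] == 0xdc && rawBytes[3] == 0xba)
                {
                    // Little-endian 0xBADC0FEE magic at offset 0 marks Windows 7 / Server 2008 R2.
                    OperatingSystem = is32
                        ? OperatingSystemVersion.Windows7x86
                        : OperatingSystemVersion.Windows7x64_Windows2008R2;

                    appCache = new Windows7(rawBytes, is32, computerName);
                }
            }

            // Stays null when nothing matched; callers must check Cache before use.
            Cache = appCache;
        }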
        //https://github.com/libyal/winreg-kb/wiki/Application-Compatibility-Cache-key
        //https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

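        /// <summary>
        /// Identifies which Windows version wrote an AppCompatCache (ShimCache) registry value
        /// from its header and returns the parser for that layout.
        /// </summary>
        /// <param name="rawBytes">Raw data of the AppCompatCache registry value.</param>
        /// <param name="is32">True when the hive came from a 32-bit Windows installation; the Windows 7 layout differs by bitness.</param>
        /// <param name="controlSet">Control set number handed through to the per-version parser.</param>
        /// <returns>The parser matching the detected layout; never null.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="rawBytes"/> is null.</exception>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="rawBytes"/> is too short to hold the header fields inspected here.</exception>
        /// <exception cref="Exception">No known header matched the data.</exception>
        private IAppCompatCache Init(byte[] rawBytes, bool is32, int controlSet)
        {
            // The 8.x/8.1 tag sits at offset 128; the header must reach at least that far.
            const int TagOffset8x = 128;
            const int TagLength = 4;
            const int MinimumLength = TagOffset8x + TagLength;

            IAppCompatCache appCache = null;

            OperatingSystem = OperatingSystemVersion.Unknown;

            if (rawBytes == null)
            {
                throw new ArgumentNullException(nameof(rawBytes));
            }

            // Registry data is untrusted input; fail with a clear message instead of an index error from Encoding.
            if (rawBytes.Length < MinimumLength)
            {
                throw new ArgumentOutOfRangeException(nameof(rawBytes),
                    $"AppCompatCache data is too short to contain a header: {rawBytes.Length} bytes, need at least {MinimumLength}");
            }

            // Header magic at offset 0 (XP, Vista, 7) and ASCII tag at offset 128 (8.x).
            var sigNum = BitConverter.ToUInt32(rawBytes, 0);
            var signature = Encoding.ASCII.GetString(rawBytes, TagOffset8x, TagLength);

            var log1 = LogManager.GetCurrentClassLogger();

            log1.Debug($@"**** Signature {signature}, Sig num 0x{sigNum:X}");

            if (sigNum == 0xDEADBEEF) //DEADBEEF, WinXp
            {
                OperatingSystem = OperatingSystemVersion.WindowsXP;

                log1.Debug(@"**** Processing XP hive");

                appCache = new WindowsXP(rawBytes, is32, controlSet);
            }
            else if (sigNum == 0xbadc0ffe) //BADC0FFE, Vista / 2003 / 2008
            {
                OperatingSystem = OperatingSystemVersion.WindowsVistaWin2k3Win2k8;
                appCache = new VistaWin2k3Win2k8(rawBytes, is32, controlSet);
            }
            else if (sigNum == 0xBADC0FEE) //BADC0FEE, Win7
            {
                OperatingSystem = is32
                    ? OperatingSystemVersion.Windows7x86
                    : OperatingSystemVersion.Windows7x64_Windows2008R2;

                appCache = new Windows7(rawBytes, is32, controlSet);
            }
            else if (signature == "00ts")
            {
                OperatingSystem = OperatingSystemVersion.Windows80_Windows2012;
                appCache = new Windows8x(rawBytes, OperatingSystem, controlSet);
            }
            else if (signature == "10ts")
            {
                OperatingSystem = OperatingSystemVersion.Windows81_Windows2012R2;
                appCache = new Windows8x(rawBytes, OperatingSystem, controlSet);
            }
            else
            {
                // Windows 10: the first DWORD is the offset of the entry area, and the "10ts" tag sits there.
                var offsetToEntries = BitConverter.ToInt32(rawBytes, 0);

                OperatingSystem = OperatingSystemVersion.Windows10;

                // A 0x34-byte header distinguishes the Creators Update layout.
                if (offsetToEntries == 0x34)
                {
                    OperatingSystem = OperatingSystemVersion.Windows10Creators;
                }

                // The offset is read from the data itself; only dereference it when the tag fits,
                // so corrupt input lands in the "unable to determine" path instead of an index error.
                if (offsetToEntries >= 0 && offsetToEntries <= rawBytes.Length - TagLength)
                {
                    signature = Encoding.ASCII.GetString(rawBytes, offsetToEntries, TagLength);

                    if (signature == "10ts")
                    {
                        appCache = new Windows10(rawBytes, controlSet);
                    }
                }
            }

            if (appCache == null)
            {
                throw new Exception("Unable to determine operating system! Please send the hive to [email protected]");
            }

            return appCache;
        }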
        // added computerName argument
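        /// <summary>
        /// Identifies which Windows version wrote an AppCompatCache (ShimCache) registry value
        /// from its header and returns the parser for that layout.
        /// </summary>
        /// <param name="rawBytes">Raw data of the AppCompatCache registry value.</param>
        /// <param name="is32">True when the hive came from a 32-bit Windows installation; the Windows 7 layout differs by bitness.</param>
        /// <param name="controlSet">Control set number handed through to the per-version parser.</param>
        /// <param name="computerName">Computer name handed through to the per-version parser.</param>
        /// <returns>The parser matching the detected layout; never null.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="rawBytes"/> is null.</exception>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="rawBytes"/> is too short to hold the header fields inspected here.</exception>
        /// <exception cref="Exception">No known header matched the data.</exception>
        private IAppCompatCache Init(byte[] rawBytes, bool is32, int controlSet, string computerName)
        {
            // The 8.x/8.1 tag sits at offset 128; the header must reach at least that far.
            const int TagOffset8x = 128;
            const int TagLength = 4;
            const int MinimumLength = TagOffset8x + TagLength;

            IAppCompatCache appCache = null;

            OperatingSystem = OperatingSystemVersion.Unknown;

            if (rawBytes == null)
            {
                throw new ArgumentNullException(nameof(rawBytes));
            }

            // Registry data is untrusted input; fail with a clear message instead of an index error from Encoding.
            if (rawBytes.Length < MinimumLength)
            {
                throw new ArgumentOutOfRangeException(nameof(rawBytes),
                    $"AppCompatCache data is too short to contain a header: {rawBytes.Length} bytes, need at least {MinimumLength}");
            }

            // Header magic at offset 0 (Vista, 7) and ASCII tag at offset 128 (8.x).
            var sigNum = BitConverter.ToUInt32(rawBytes, 0);
            var signature = Encoding.ASCII.GetString(rawBytes, TagOffset8x, TagLength);

            if (sigNum == 0xbadc0ffe) // Vista
            {
                OperatingSystem = OperatingSystemVersion.WindowsVistaWin2k3Win2k8;
                appCache = new VistaWin2k3Win2k8(rawBytes, is32, controlSet, computerName);
            }
            else if (sigNum == 0xbadc0fee) // Win7
            {
                OperatingSystem = is32
                    ? OperatingSystemVersion.Windows7x86
                    : OperatingSystemVersion.Windows7x64_Windows2008R2;

                appCache = new Windows7(rawBytes, is32, controlSet, computerName);
            }
            else if (signature == "00ts")
            {
                OperatingSystem = OperatingSystemVersion.Windows80_Windows2012;
                appCache = new Windows8x(rawBytes, OperatingSystem, controlSet, computerName);
            }
            else if (signature == "10ts")
            {
                OperatingSystem = OperatingSystemVersion.Windows81_Windows2012R2;
                appCache = new Windows8x(rawBytes, OperatingSystem, controlSet, computerName);
            }
            else
            {
                // Windows 10: the first DWORD is the offset of the entry area, and the "10ts" tag sits there.
                var offsetToEntries = BitConverter.ToInt32(rawBytes, 0);

                OperatingSystem = OperatingSystemVersion.Windows10;

                // A 0x34-byte header distinguishes the Creators Update layout.
                if (offsetToEntries == 0x34)
                {
                    OperatingSystem = OperatingSystemVersion.Windows10Creators;
                }

                // The offset is read from the data itself; only dereference it when the tag fits,
                // so corrupt input lands in the "unable to determine" path instead of an index error.
                if (offsetToEntries >= 0 && offsetToEntries <= rawBytes.Length - TagLength)
                {
                    signature = Encoding.ASCII.GetString(rawBytes, offsetToEntries, TagLength);

                    if (signature == "10ts")
                    {
                        appCache = new Windows10(rawBytes, controlSet, computerName);
                    }
                }
            }

            if (appCache == null)
            {
                throw new Exception("Unable to determine operating system...");
            }

            return appCache;
        }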
 /// <summary>
 /// Parses the 32-bit Windows 7 sample value and checks the expected number of cache entries.
 /// </summary>
 public void Win7x86ShouldFindEntries()
 {
     // is32 = true selects the x86 layout; the computer-name argument is left null here.
     var parsed = new Windows7(Win7X86, true, null);
     var entryCount = parsed.Entries.Count;

     Check.That(entryCount).Equals(91);
 }
 /// <summary>
 /// Parses the 64-bit Windows 7 sample value and checks the expected number of cache entries.
 /// </summary>
 public void Win7x64ShouldFindEntries()
 {
     // is32 = false selects the x64 layout; the computer-name argument is left null here.
     var parsed = new Windows7(Win7X64, false, null);
     var entryCount = parsed.Entries.Count;

     Check.That(entryCount).Equals(304);
 }