//https://github.com/libyal/winreg-kb/wiki/Application-Compatibility-Cache-key
        //https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

        // added computerName argument
        private void Init(byte[] rawBytes, bool is32, string computerName)
        {
            IAppCompatCache appCache = null;
            OperatingSystem = OperatingSystemVersion.Unknown;

            string signature;

            //TODO check minimum length of rawBytes and throw exception if not enough data

            signature = Encoding.ASCII.GetString(rawBytes, 128, 4);

            if (signature == "\u0018\0\0\0" || signature == "Y\0\0\0")
            {

                OperatingSystem = OperatingSystemVersion.WindowsXP;
                appCache = new WindowsXP(rawBytes, is32, computerName);
            }
            else if ((signature == "00ts"))
            {
                OperatingSystem = OperatingSystemVersion.Windows80_Windows2012;
                appCache = new Windows8x(rawBytes, OperatingSystem, computerName);
            }
            else if (signature == "10ts")
            {
                OperatingSystem = OperatingSystemVersion.Windows81_Windows2012R2;
                appCache = new Windows8x(rawBytes, OperatingSystem, computerName);
            }
            else
            {
                //is it windows 10?
                signature = Encoding.ASCII.GetString(rawBytes, 48, 4);
                if ((signature == "10ts"))
                {
                    OperatingSystem = OperatingSystemVersion.Windows10;
                    appCache = new Windows10(rawBytes, computerName);
                }
                else
                {
                    //win7
                    if (rawBytes[0] == 0xee & rawBytes[1] == 0xf & rawBytes[2] == 0xdc & rawBytes[3] == 0xba)
                    {

                        if (is32)
                        {
                            OperatingSystem = OperatingSystemVersion.Windows7x86;
                        }
                        else
                        {
                            OperatingSystem = OperatingSystemVersion.Windows7x64_Windows2008R2;
                        }

                        appCache = new Windows7(rawBytes, is32, computerName);
                    }
                }
            }

            Cache = appCache;
        }
        //https://github.com/libyal/winreg-kb/wiki/Application-Compatibility-Cache-key
        //https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

        private void Init(byte[] rawBytes, bool is32)
        {
            IAppCompatCache appCache = null;

            OperatingSystem = OperatingSystemVersion.Unknown;

            string signature;

            //TODO check minimum length of rawBytes and throw exception if not enough data

            signature = Encoding.ASCII.GetString(rawBytes, 128, 4);

            if (signature == "\u0018\0\0\0" || signature == "Y\0\0\0")
            {
                OperatingSystem = OperatingSystemVersion.WindowsXP;
                appCache        = new WindowsXP(rawBytes, is32);
            }
            else if (signature == "00ts")
            {
                OperatingSystem = OperatingSystemVersion.Windows80_Windows2012;
                appCache        = new Windows8x(rawBytes, OperatingSystem);
            }
            else if (signature == "10ts")
            {
                OperatingSystem = OperatingSystemVersion.Windows81_Windows2012R2;
                appCache        = new Windows8x(rawBytes, OperatingSystem);
            }
            else
            {
                //is it windows 10?
                signature = Encoding.ASCII.GetString(rawBytes, 48, 4);
                if (signature == "10ts")
                {
                    OperatingSystem = OperatingSystemVersion.Windows10;
                    appCache        = new Windows10(rawBytes);
                }
                else
                {
                    //win7
                    if (rawBytes[0] == 0xee & rawBytes[1] == 0xf & rawBytes[2] == 0xdc & rawBytes[3] == 0xba)
                    {
                        if (is32)
                        {
                            OperatingSystem = OperatingSystemVersion.Windows7x86;
                        }
                        else
                        {
                            OperatingSystem = OperatingSystemVersion.Windows7x64_Windows2008R2;
                        }

                        appCache = new Windows7(rawBytes, is32);
                    }
                }
            }

            Cache = appCache;
        }
Exemple #3
0
        //https://github.com/libyal/winreg-kb/wiki/Application-Compatibility-Cache-key
        //https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

        private IAppCompatCache Init(byte[] rawBytes, bool is32, int controlSet)
        {
            IAppCompatCache appCache = null;

            OperatingSystem = OperatingSystemVersion.Unknown;

            string signature;


            var sigNum = BitConverter.ToUInt32(rawBytes, 0);


            //TODO check minimum length of rawBytes and throw exception if not enough data

            signature = Encoding.ASCII.GetString(rawBytes, 128, 4);

            var log1 = LogManager.GetCurrentClassLogger();

            log1.Debug($@"**** Signature {signature}, Sig num 0x{sigNum:X}");

            if (sigNum == 0xDEADBEEF) //DEADBEEF, WinXp
            {
                OperatingSystem = OperatingSystemVersion.WindowsXP;

                log1.Debug(@"**** Processing XP hive");

                appCache = new WindowsXP(rawBytes, is32, controlSet);
            }
            else if (sigNum == 0xbadc0ffe)
            {
                OperatingSystem = OperatingSystemVersion.WindowsVistaWin2k3Win2k8;
                appCache        = new VistaWin2k3Win2k8(rawBytes, is32, controlSet);
            }
            else if (sigNum == 0xBADC0FEE) //BADC0FEE, Win7
            {
                if (is32)
                {
                    OperatingSystem = OperatingSystemVersion.Windows7x86;
                }
                else
                {
                    OperatingSystem = OperatingSystemVersion.Windows7x64_Windows2008R2;
                }

                appCache = new Windows7(rawBytes, is32, controlSet);
            }

            else if (signature == "00ts")
            {
                OperatingSystem = OperatingSystemVersion.Windows80_Windows2012;
                appCache        = new Windows8x(rawBytes, OperatingSystem, controlSet);
            }
            else if (signature == "10ts")
            {
                OperatingSystem = OperatingSystemVersion.Windows81_Windows2012R2;
                appCache        = new Windows8x(rawBytes, OperatingSystem, controlSet);
            }
            else
            {
                //is it windows 10?

                var offsetToEntries = BitConverter.ToInt32(rawBytes, 0);

                OperatingSystem = OperatingSystemVersion.Windows10;

                if (offsetToEntries == 0x34)
                {
                    OperatingSystem = OperatingSystemVersion.Windows10Creators;
                }

                signature = Encoding.ASCII.GetString(rawBytes, offsetToEntries, 4);
                if (signature == "10ts")
                {
                    appCache = new Windows10(rawBytes, controlSet);
                }
            }

            if (appCache == null)
            {
                throw new Exception("Unable to determine operating system! Please send the hive to [email protected]");
            }


            return(appCache);
        }