public override void Execute()
{
Context = ShellLinkFile.Load(Filename);
Context.Header.LinkFlags &= ~LinkFlags.EnableTargetMetaData;
Context.Header.LinkFlags |= LinkFlags.ForceNoLinkTrack;
if (Context.LinkInfo != null)
{
if (Context.LinkInfo.VolumeID != null)
{
Context.LinkInfo.VolumeID.DriveSerialNumber = 0;
Context.LinkInfo.VolumeID.VolumeLabel = null;
}
if (Context.LinkInfo.CommonNetworkRelativeLink != null)
{
Context.LinkInfo.CommonNetworkRelativeLink.DeviceName = null;
Context.LinkInfo.CommonNetworkRelativeLink.NetworkProviderType = null;
}
}
var blocks = Context.ExtraDataBlocks.Where(block => !(block is TrackerDataBlock || block is PropertyStoreDataBlock)).ToList();
Context.ExtraDataBlocks = blocks;
foreach (var option in Options)
{
option.Execute(Context);
}
Context.SaveAs(Filename);
}
private void ParseJumpListA(string appid, string extension, string username, string file, string appName)
{
JumpListFile jumpListFile = new JumpListFile(false);
jumpListFile.FilePath = file;
jumpListFile.FileName = System.IO.Path.GetFileName(file);
jumpListFile.AppName = appName;
CompoundFile compoundFile = new CompoundFile(file);
CFStream cfStream = compoundFile.RootStorage.GetStream("DestList");
jumpListFile.DestListSize = cfStream.Size;
List <DestListEntry> destListEntries = ParseDestList(cfStream.GetData());
jumpListFile.DestListEntries = destListEntries;
int ii = 1;
foreach (DestListEntry destListEntry in destListEntries)
{
CFStream cfStreamJf = null;
try
{
cfStreamJf = compoundFile.RootStorage.GetStream(ii.ToString());
ShellLinkFile linkFile = ShellLinkFile.Load(cfStreamJf.GetData());
string arguments = linkFile.Arguments.ToString();
if (arguments == null)
{
arguments = "None";
}
DateTime accesstime_ = linkFile.Header.AccessTime;
string accesstime = Convert.ToDateTime(accesstime_).ToString("dd/MM/yyyy HH:mm:ss");
string writetime = linkFile.Header.WriteTime.ToString("dd/MM/yyyy HH:mm:ss");
string createtime = linkFile.Header.CreationTime.ToString("dd/MM/yyyy HH:mm:ss");
string ExeName = linkFile.LinkInfo.LocalBasePath;
string myArray = username + "," + appid + "," + appName + "," + ExeName + "," + arguments + "," + extension + "," + accesstime + "," + writetime + "," + createtime;
File.AppendAllText("FM-JLP.csv", myArray + Environment.NewLine);
if (linkFile.Header.CreationTime == DateTime.MinValue |
linkFile.Header.AccessTime == DateTime.MinValue |
linkFile.Header.WriteTime == DateTime.MinValue |
linkFile.Header.CreationTime == ShellLinkFile.WindowsEpoch |
linkFile.Header.AccessTime == ShellLinkFile.WindowsEpoch |
linkFile.Header.WriteTime == ShellLinkFile.WindowsEpoch)
{
continue;
}
if (linkFile != null)
{
JumpList jumpList = new JumpList();
jumpList.Name = destListEntry.StreamNo;
jumpList.Size = cfStreamJf.GetData().Length;
jumpList.DestListEntry = destListEntry;
jumpListFile.JumpLists.Add(jumpList);
}
}
catch { Exception ex; }
ii = ii + 1;
}
}
public override void Execute()
{
Context = ShellLinkFile.Load(Filename);
foreach (Option option in Options)
{
option.Execute(Context);
}
Console.WriteLine(Context);
}
public override void Execute()
{
Context = ShellLinkFile.Load(Filename);
foreach (var option in Options)
{
option.Execute(Context);
}
Context.SaveAs(Filename);
}
public void TestRoundTrip()
{
foreach (var file in Directory.GetFiles(_filesDirectory))
{
_testContextInstance.WriteLine("Testing {0}", file);
var slf = ShellLinkFile.Load(file);
_testContextInstance.WriteLine("{0}", slf);
var tmpFile = Path.GetTempFileName();
slf.SaveAs(tmpFile);
var slf2 = ShellLinkFile.Load(tmpFile);
Assert.AreEqual(slf.ToString(), slf2.ToString());
CompareFiles(file, tmpFile);
}
}
public void TestRoundTrip()
{
var basePath = GetType().Assembly.Location;
var filesPath = Path.Combine(Path.GetDirectoryName(basePath), "Files");
foreach (var file in Directory.GetFiles(filesPath))
{
TestContext.WriteLine("Testing {0}", file);
var slf = ShellLinkFile.Load(file);
TestContext.WriteLine("{0}", slf);
var tmpFile = Path.GetTempFileName();
slf.SaveAs(tmpFile);
var slf2 = ShellLinkFile.Load(tmpFile);
Assert.AreEqual(slf.ToString(), slf2.ToString());
CompareFiles(file, tmpFile);
}
}
/// <summary>
///
/// </summary>
/// <param name="filePath"></param>
/// <param name="path"></param>
/// <param name="type"></param>
/// <param name="info"></param>
/// <param name="sourceFile">The registry file the entry was identified from</param>
/// <param name="regModified"></param>
private void ProcessEntry(string filePath,
string path,
string type,
string info,
string sourceFile,
string serviceDisplayName,
string serviceDescription,
DateTimeOffset?regModified)
{
try
{
filePath = Text.ReplaceNulls(filePath);
AutoRunEntry autoRunEntry = new AutoRunEntry
{
Type = type,
Info = info,
Path = path,
ServiceDisplayName = serviceDisplayName,
ServiceDescription = serviceDescription,
SourceFile = sourceFile
};
autoRunEntry = Helper.GetFilePathWithNoParameters(_driveMappings, autoRunEntry, filePath);
if (autoRunEntry == null)
{
return;
}
if (autoRunEntry.FilePath.Length == 0)
{
return;
}
autoRunEntry.FileName = System.IO.Path.GetFileName(autoRunEntry.FilePath.Replace("\"", string.Empty));
if (System.IO.Path.GetExtension(autoRunEntry.FileName) == ".lnk")
{
try
{
ShellLinkFile shellLinkFile = ShellLinkFile.Load(autoRunEntry.FilePath);
autoRunEntry = new AutoRunEntry
{
Type = type,
Info = info
};
autoRunEntry.Info = filePath;
autoRunEntry = Helper.GetFilePathWithNoParameters(_driveMappings, autoRunEntry, System.IO.Path.Combine(shellLinkFile.LinkInfo.LocalBasePath, shellLinkFile.LinkInfo.CommonPathSuffix) + " " + shellLinkFile.Arguments);
autoRunEntry.Path = System.IO.Path.Combine(shellLinkFile.LinkInfo.LocalBasePath, shellLinkFile.LinkInfo.CommonPathSuffix) + " " + shellLinkFile.Arguments;
autoRunEntry.FileName = System.IO.Path.GetFileName(autoRunEntry.FilePath.Replace("\"", string.Empty));
}
catch (Exception ex)
{
_hasErrors = true;
Helper.WriteErrorToLog(ex.ToString(), filePath, autoRunEntry.FilePath, path);
}
}
if (autoRunEntry.FilePath.Length == 0)
{
Helper.WriteErrorToLog("FilePath is zero length", filePath, autoRunEntry.FilePath, path);
return;
}
Console.WriteLine(autoRunEntry.FilePath);
_entries.Add(autoRunEntry);
try
{
using (new PrivilegeEnabler(System.Diagnostics.Process.GetCurrentProcess(), Privilege.TakeOwnership))
{
FileInfo fileInfo = new FileInfo(autoRunEntry.FilePath);
FileSecurity fileSecurity = fileInfo.GetAccessControl();
fileSecurity.SetOwner(WindowsIdentity.GetCurrent().User);
File.SetAccessControl(autoRunEntry.FilePath, fileSecurity);
if (File.Exists(autoRunEntry.FilePath) == false)
{
autoRunEntry.Error = "Does Not Exist";
OnEntryFound(autoRunEntry);
return;
}
autoRunEntry.Exists = true;
autoRunEntry.FileSystemAccessed = fileInfo.LastAccessTime;
autoRunEntry.FileSystemCreated = fileInfo.CreationTime;
autoRunEntry.FileSystemModified = fileInfo.LastWriteTime;
autoRunEntry.RegistryModified = regModified;
//string output = Misc.ShellProcessWithOutput(_sigCheckPath, Global.SIGCHECK_FLAGS + "\"" + autoRunEntry.FilePath + "\"");
//autoRunEntry = Helper.ParseSigCheckOutput(autoRunEntry, output);
autoRunEntry = Helper.GetFileInformation(hashes, _sigCheckPath, autoRunEntry);
autoRunEntry.Md5 = Security.GenerateMd5HashStream(autoRunEntry.FilePath);
autoRunEntry.Sha256 = Helper.GetFileSha256Hash(autoRunEntry.FilePath);
OnEntryFound(autoRunEntry);
}
}
catch (Exception ex)
{
Helper.WriteErrorToLog(ex.ToString(), filePath, autoRunEntry.FilePath, path);
autoRunEntry.Error = "Error: " + ex.Message;
OnEntryFound(autoRunEntry);
}
}
catch (Exception ex)
{
_hasErrors = true;
Helper.WriteErrorToLog(ex.ToString(), filePath, filePath, path);
}
}
public void TestBlindRead()
{
ShellLinkFile.Load(BlindWrite());
}