public static RunKey[] GetInstances(string volume)
{
Helper.getVolumeName(ref volume);
List<RunKey> list = new List<RunKey>();
try
{
list.AddRange(Get(Helper.GetVolumeLetter(volume) + @"\Windows\system32\config\SOFTWARE"));
}
catch
{
}
foreach (string hivePath in RegistryHelper.GetUserHiveInstances(volume))
{
try
{
list.AddRange(Get(hivePath));
}
catch
{
}
}
return list.ToArray();
}
public static RunKey[] Get(string hivePath)
{
List<string> Keys = new List<string>();
string AutoRunLocation = null;
if(RegistryHelper.isCorrectHive(hivePath, "SOFTWARE"))
{
Keys.AddRange(new string[] { @"Microsoft\Windows\CurrentVersion\Run", @"Microsoft\Windows\CurrentVersion\RunOnce", @"Wow6432Node\Microsoft\Windows\CurrentVersion\Run" });
AutoRunLocation = @"HKLM\SOFTWARE\";
}
else if(RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
Keys.AddRange(new string[] { @"Software\Microsoft\Windows\CurrentVersion\Run", @"Software\Microsoft\Windows\CurrentVersion\RunOnce" });
AutoRunLocation = @"USER\" + RegistryHelper.GetUserHiveOwner(hivePath) + "\\";
}
else
{
throw new Exception("Invalid SOFTWARE or NTUSER.DAT hive provided.");
}
byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
List<RunKey> runList = new List<RunKey>();
foreach(string key in Keys)
{
try
{
NamedKey run = NamedKey.Get(bytes, hivePath, key);
if (run.NumberOfValues > 0)
{
foreach (ValueKey vk in run.GetValues(bytes))
{
runList.Add(new RunKey(AutoRunLocation + key, vk));
}
}
}
catch
{
}
}
return runList.ToArray();
}
public static TrustRecord[] GetInstances(string volume)
{
List<TrustRecord> list = new List<TrustRecord>();
foreach (string hivePath in RegistryHelper.GetUserHiveInstances(volume))
{
try
{
list.AddRange(Get(hivePath));
}
catch
{
}
}
return list.ToArray();
}
public static OutlookCatalog[] GetInstances(string volume)
{
List<OutlookCatalog> list = new List<OutlookCatalog>();
foreach (string hivePath in RegistryHelper.GetUserHiveInstances(volume))
{
try
{
list.AddRange(Get(hivePath));
}
catch
{
}
}
return list.ToArray();
}
public static FileMRU[] GetInstances(string volume)
{
Helper.getVolumeName(ref volume);
List<FileMRU> list = new List<FileMRU>();
foreach (string hivePath in RegistryHelper.GetUserHiveInstances(volume))
{
try
{
list.AddRange(Get(hivePath));
}
catch
{
}
}
return list.ToArray();
}
private static NamedKey[] GetInstances(byte[] bytes, NamedKey nk, bool recurse)
{
List<NamedKey> keyList = new List<NamedKey>();
foreach(NamedKey subkey in nk.GetSubKeys(bytes, nk.FullName))
{
keyList.Add(subkey);
if (subkey.NumberOfSubKeys > 0)
{
keyList.AddRange(GetInstances(bytes, subkey, true));
}
}
return keyList.ToArray();
}
internal static byte[] Get(byte[] bytes, ValueKey vk)
{
List<byte> contents = new List<byte>();
byte[] dataBytes = PowerForensics.Helper.GetSubArray(bytes, (int)vk.DataOffset, Math.Abs(BitConverter.ToInt32(bytes, (int)vk.DataOffset)));
short offsetCount = BitConverter.ToInt16(dataBytes, 0x06);
uint offsetOffset = BitConverter.ToUInt32(dataBytes, 0x08) + RegistryHeader.HBINOFFSET;
byte[] offsetBytes = Helper.GetSubArray(bytes, (int)offsetOffset, Math.Abs(BitConverter.ToInt32(bytes, (int)offsetOffset)));
for (short i = 1; i <= offsetCount; i++)
{
uint segmentOffset = BitConverter.ToUInt32(offsetBytes, i * 0x04) + RegistryHeader.HBINOFFSET;
contents.AddRange(Helper.GetSubArray(bytes, (int)segmentOffset + 0x04, Math.Abs(BitConverter.ToInt32(bytes, (int)segmentOffset)) - 0x08));
}
byte[] b = contents.ToArray();
return Helper.GetSubArray(b, 0x00, b.Length);
}
