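        /// <summary>
        /// Read Windows 2k3/Vista/2k8 Shim Cache entry formats (the NT5.2 layout).
        /// </summary>
        /// <param name="data">
        /// Raw AppCompatCache value bytes: a header whose 32-bit entry count sits at bytes 4..7, followed by
        /// fixed-size entries, each pointing (offset + length) at a UTF-16LE path elsewhere in the same buffer.
        /// </param>
        /// <param name="is32Bit">True to use the 32-bit entry layout (Global.NT5_2_ENTRY_SIZE32), false for the 64-bit one.</param>
        /// <returns>
        /// One Hit per entry that fits inside <paramref name="data"/>; empty when the buffer is null or shorter than
        /// the header. Never null.
        /// </returns>
        /// <remarks>
        /// The buffer is treated as untrusted (it comes from a registry hive being examined): the entry count and the
        /// per-entry path offset/length are all read from the blob itself and are checked against <c>data.Length</c>
        /// before slicing, so a truncated or malformed value yields a partial result instead of an out-of-range exception.
        /// </remarks>
        private static List <Hit> ReadNt5Entries(byte[] data, bool is32Bit)
        {
            List <Hit> hits = new List <Hit>();

            // Nothing to parse if the buffer cannot even hold the header.
            // Assumes CACHE_HEADER_SIZE_NT5_2 covers the 4-byte count read at offset 4 below — TODO confirm.
            if (data == null || data.Length < Global.CACHE_HEADER_SIZE_NT5_2)
            {
                return hits;
            }

            UInt32 entrySize  = is32Bit ? Global.NT5_2_ENTRY_SIZE32 : Global.NT5_2_ENTRY_SIZE64;
            UInt32 numEntries = BitConverter.ToUInt32(data.Slice(4, 8), 0);

            // Widen before multiplying so a garbage or hostile entry count cannot wrap the loop bound in 32 bits.
            long entriesEnd = (long)numEntries * entrySize;

            bool containsFileSize = false;

            // On Windows Server 2008/Vista, the filesize is swapped out of this structure with two 4-byte flags.
            // Check to see if any of the values in "dwFileSizeLow" are larger than 2-bits. This indicates the entry contained file sizes.
            for (UInt32 index = Global.CACHE_HEADER_SIZE_NT5_2; index < entriesEnd; index += entrySize)
            {
                // Stop at the first entry that would run past the end of the buffer (truncated or corrupt value).
                if ((long)index + entrySize > data.Length)
                {
                    break;
                }

                byte[]        temp = data.Slice(index, (index + entrySize));
                CacheEntryNt5 ce   = new CacheEntryNt5(is32Bit, containsFileSize);
                ce.Update(temp);

                if (ce.FileSizeLow > 3)
                {
                    containsFileSize = true;
                    break;
                }
            }

            // Now grab all the data in the value.
            for (UInt32 index = Global.CACHE_HEADER_SIZE_NT5_2; index < entriesEnd; index += entrySize)
            {
                // Same truncation guard as above: a partial trailing entry is not parsed.
                if ((long)index + entrySize > data.Length)
                {
                    break;
                }

                byte[]        temp = data.Slice(index, (index + entrySize));
                CacheEntryNt5 ce   = new CacheEntryNt5(is32Bit, containsFileSize);
                ce.Update(temp);

                // The path offset and length come straight from the blob. Skip an entry whose string would fall
                // outside the buffer rather than throwing and losing every other hit.
                long pathStart = (long)ce.Offset;
                long pathEnd   = (long)ce.Offset + (long)ce.Length;
                if (pathStart < 0 || pathEnd < pathStart || pathEnd > data.Length)
                {
                    continue;
                }

                // Paths are stored as UTF-16LE; drop the NT object-manager prefix so the result reads as a Win32 path.
                string path = Encoding.Unicode.GetString(data.Slice(ce.Offset, ce.Offset + ce.Length));
                path = path.Replace("\\??\\", string.Empty);

                // It contains file data.
                if (containsFileSize)
                {
                    hits.Add(new Hit(Global.CacheType.CacheEntryNt5, ce.DateTime, DateTime.MinValue, path, ce.FileSizeLow, "N/A"));
                }
                else
                {
                    hits.Add(new Hit(Global.CacheType.CacheEntryNt5, ce.DateTime, DateTime.MinValue, path, 0, ce.ProcessExec.ToString()));
                }
            }

            return hits;
        }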
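        /// <summary>
        /// Read Windows 2k3/Vista/2k8 Shim Cache entry formats (the NT5.2 layout).
        /// </summary>
        /// <param name="data">
        /// Raw AppCompatCache value bytes: a header whose 32-bit entry count sits at bytes 4..7, followed by
        /// fixed-size entries, each pointing (offset + length) at a UTF-16LE path elsewhere in the same buffer.
        /// </param>
        /// <param name="is32Bit">True to use the 32-bit entry layout (Global.NT5_2_ENTRY_SIZE32), false for the 64-bit one.</param>
        /// <returns>
        /// One Hit per entry that fits inside <paramref name="data"/>; empty when the buffer is null or shorter than
        /// the header. Never null.
        /// </returns>
        /// <remarks>
        /// The buffer is treated as untrusted (it comes from a registry hive being examined): the entry count and the
        /// per-entry path offset/length are all read from the blob itself and are checked against <c>data.Length</c>
        /// before slicing, so a truncated or malformed value yields a partial result instead of an out-of-range exception.
        /// </remarks>
        private static List<Hit> ReadNt5Entries(byte[] data, bool is32Bit)
        {
            List<Hit> hits = new List<Hit>();

            // Nothing to parse if the buffer cannot even hold the header.
            // Assumes CACHE_HEADER_SIZE_NT5_2 covers the 4-byte count read at offset 4 below — TODO confirm.
            if (data == null || data.Length < Global.CACHE_HEADER_SIZE_NT5_2)
            {
                return hits;
            }

            UInt32 entrySize = is32Bit ? Global.NT5_2_ENTRY_SIZE32 : Global.NT5_2_ENTRY_SIZE64;
            UInt32 numEntries = BitConverter.ToUInt32(data.Slice(4, 8), 0);

            // Widen before multiplying so a garbage or hostile entry count cannot wrap the loop bound in 32 bits.
            long entriesEnd = (long)numEntries * entrySize;

            bool containsFileSize = false;
            // On Windows Server 2008/Vista, the filesize is swapped out of this structure with two 4-byte flags.
            // Check to see if any of the values in "dwFileSizeLow" are larger than 2-bits. This indicates the entry contained file sizes.
            for (UInt32 index = Global.CACHE_HEADER_SIZE_NT5_2; index < entriesEnd; index += entrySize)
            {
                // Stop at the first entry that would run past the end of the buffer (truncated or corrupt value).
                if ((long)index + entrySize > data.Length)
                {
                    break;
                }

                byte[] temp = data.Slice(index, (index + entrySize));
                CacheEntryNt5 ce = new CacheEntryNt5(is32Bit, containsFileSize);
                ce.Update(temp);

                if (ce.FileSizeLow > 3)
                {
                    containsFileSize = true;
                    break;
                }
            }

            // Now grab all the data in the value.
            for (UInt32 index = Global.CACHE_HEADER_SIZE_NT5_2; index < entriesEnd; index += entrySize)
            {
                // Same truncation guard as above: a partial trailing entry is not parsed.
                if ((long)index + entrySize > data.Length)
                {
                    break;
                }

                byte[] temp = data.Slice(index, (index + entrySize));
                CacheEntryNt5 ce = new CacheEntryNt5(is32Bit, containsFileSize);
                ce.Update(temp);

                // The path offset and length come straight from the blob. Skip an entry whose string would fall
                // outside the buffer rather than throwing and losing every other hit.
                long pathStart = (long)ce.Offset;
                long pathEnd = (long)ce.Offset + (long)ce.Length;
                if (pathStart < 0 || pathEnd < pathStart || pathEnd > data.Length)
                {
                    continue;
                }

                // Paths are stored as UTF-16LE; drop the NT object-manager prefix so the result reads as a Win32 path.
                string path = Encoding.Unicode.GetString(data.Slice(ce.Offset, ce.Offset + ce.Length));
                path = path.Replace("\\??\\", string.Empty);

                // It contains file data.
                if (containsFileSize)
                {
                    hits.Add(new Hit(Global.CacheType.CacheEntryNt5, ce.DateTime, DateTime.MinValue, path, ce.FileSizeLow, "N/A"));
                }
                else
                {
                    hits.Add(new Hit(Global.CacheType.CacheEntryNt5, ce.DateTime, DateTime.MinValue, path, 0, ce.ProcessExec.ToString()));
                }
            }

            return hits;
        }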