コード例 #1
0
        public ShellItem0x30(byte[] buf)
            : base(buf)
        {
            int off = 0x04;

            Flags = unpack_byte(0x03);

            FileSize        = unpack_dword(off);
            off            += 4;
            ModifiedDate    = unpack_dosdate(off);
            off            += 4;
            FileAttributes  = unpack_word(off);
            off            += 2;
            ExtensionOffset = unpack_word(Size - 2);

            if (ExtensionOffset > Size)
            {
                throw new OverrunBufferException(ExtensionOffset, Size);
            }

            if ((Type & 0x04) != 0)
            {
                ShortName = unpack_wstring(off, ExtensionOffset - off);
            }
            else
            {
                ShortName = unpack_string(off, ExtensionOffset - off);
            }

            ExtensionBlockBEEF0004 ExtensionBlock = new ExtensionBlockBEEF0004(buf, ExtensionOffset + offset);

            ExtensionBlocks.Add(ExtensionBlock);
        }
コード例 #2
0
        private void ProcessGuid(byte[] rawBytes)
        {
            FriendlyName = "Root folder: GUID";

            //TODO split this out or at least use a different icon?

            var index = 2;

            index += 2; // move past index and a single unknown value

            var rawguid1 = new byte[16];

            Array.Copy(rawBytes, index, rawguid1, 0, 16);

            var rawguid = Utils.ExtractGuidFromShellItem(rawguid1);

            var foldername = Utils.GetFolderNameFromGuid(rawguid);

            index += 16;

            if (index >= rawBytes.Length)
            {
                Value = foldername;
                return;
            }

            var size = BitConverter.ToInt16(rawBytes, index);

            if (size == 0)
            {
                index += 2;
            }

            if (size > rawBytes.Length)
            {
                Value = foldername;
                return;
            }

            //TODO this should be the looping cut up thing

            if (index < rawBytes.Length)
            {
                var signature = BitConverter.ToUInt32(rawBytes, index + 4);

                //TODO does this need to check if its a 0xbeef?? regex?
                var block = Utils.GetExtensionBlockFromBytes(signature, rawBytes.Skip(index).ToArray());

                ExtensionBlocks.Add(block);

                index += size;
            }

            Value = foldername;
        }
コード例 #3
0
ファイル: ShellItem0x74.cs プロジェクト: serspencer/SeeShells
        public ShellItem0x74(byte[] buf)
            : base(buf)
        {
            // Unknown - Empty ( 1 byte)
            // Unknown - size? - 2 bytes
            // CFSF - 4 bytes
            Signature = unpack_dword(0x06);
            // sub shell item data size - 2 bytes

            int off = 0x0A;

            SubItem = new FILEENTRY_FRAGMENT(buf, offset + off, this, 0x04);
            off    += SubItem.Size;

            off += 2; // Empty extension block?

            // 5e591a74-df96-48d3-8d67-1733bcee28ba
            DelegateItemIdentifier = unpack_guid(off);
            off += 16;
            ItemClassIdentifier = unpack_guid(off);
            off           += 16;
            ExtensionBlock = new ExtensionBlockBEEF0004(buf, offset + off);
            ExtensionBlocks.Add(ExtensionBlock);
        }
コード例 #4
0
        private void ProcessPropertyViewDefault(byte[] rawBytes)
        {
            FriendlyName = "Variable: Users property view";
            var index = 10;

            var shellPropertySheetListSize = BitConverter.ToInt16(rawBytes, index);

            index += 2;

            var identifiersize = BitConverter.ToInt16(rawBytes, index);

            index += 2;

            var identifierData = new byte[identifiersize];

            Array.Copy(rawBytes, index, identifierData, 0, identifiersize);


            index += identifiersize;

            if (shellPropertySheetListSize > 0)
            {
                var propBytes = rawBytes.Skip(index).Take(shellPropertySheetListSize).ToArray();
                var propStore = new PropertyStore(propBytes);

                PropertyStore = propStore;

                var p = propStore.Sheets.Where(t => t.PropertyNames.ContainsKey("32"));

                if (p.Any())
                {
                    //we can now look thry prop bytes for extension blocks
                    //TODO this is a hack until we can process vectors natively

                    var extOffsets = new List <int>();
                    try
                    {
                        var regexObj    = new Regex("([0-9A-F]{2})-00-EF-BE", RegexOptions.IgnoreCase);
                        var matchResult = regexObj.Match(BitConverter.ToString(propBytes));
                        while (matchResult.Success)
                        {
                            extOffsets.Add(matchResult.Index);
                            matchResult = matchResult.NextMatch();
                        }

                        foreach (var extOffset in extOffsets)
                        {
                            var binaryOffset = extOffset / 3 - 4;
                            var exSize       = BitConverter.ToInt16(propBytes, binaryOffset);

                            var exBytes = propBytes.Skip(binaryOffset).Take(exSize).ToArray();

                            var signature1 = BitConverter.ToUInt32(exBytes, 4);

                            var block1 = Utils.GetExtensionBlockFromBytes(signature1, exBytes);

                            ExtensionBlocks.Add(block1);
                        }
                    }
                    catch (ArgumentException ex)
                    {
                        throw ex;
                        // Syntax error in the regular expression
                    }
                }
            }
            else
            {
                if (rawBytes[0x28] == 0x2f ||
                    rawBytes[0x24] == 0x4e && rawBytes[0x26] == 0x2f && rawBytes[0x28] == 0x41)
                {
                    //we have a good date

                    var zip = new ShellBagZipContents(rawBytes);
                    FriendlyName   = zip.FriendlyName;
                    LastAccessTime = zip.LastAccessTime;

                    Value = zip.Value;

                    return;
                }
                Debug.Write("Oh no! No property sheets!");


                Value = "!!! Unable to determine Value !!!";
            }

            index += shellPropertySheetListSize;

            index += 2; //move past end of property sheet terminator

            var extBlockSize = BitConverter.ToInt16(rawBytes, index);

            if (extBlockSize > 0)
            {
                //process extension blocks

                while (extBlockSize > 0)
                {
                    var extBytes = rawBytes.Skip(index).Take(extBlockSize).ToArray();

                    index += extBlockSize;

                    var signature1 = BitConverter.ToUInt32(extBytes, 4);


                    var block1 = Utils.GetExtensionBlockFromBytes(signature1, extBytes);

                    ExtensionBlocks.Add(block1);


                    extBlockSize = BitConverter.ToInt16(rawBytes, index);
                }
            }

            int terminator = BitConverter.ToInt16(rawBytes, index);

            if (terminator > 0)
            {
                throw new Exception($"Expected terminator of 0, but got {terminator}");
            }

            var valuestring = (from propertySheet in PropertyStore.Sheets
                               from propertyName in propertySheet.PropertyNames
                               where propertyName.Key == "10"
                               select propertyName.Value).FirstOrDefault();

            if (valuestring == null)
            {
                var namesList =
                    (from propertySheet in PropertyStore.Sheets
                     from propertyName in propertySheet.PropertyNames
                     select propertyName.Value)
                    .ToList();

                valuestring = string.Join("::", namesList.ToArray());
            }

            if (valuestring == "")
            {
                valuestring = "No Property sheet value found";
            }

            Value = valuestring;
        }
コード例 #5
0
        private void ProcessPropertyViewGuid(byte[] rawBytes)
        {
            // this is a guid

            var index = 4;

            var dataSize = BitConverter.ToUInt16(rawBytes, index);

            index += 2;

            index += 4; // move past signature

            var propertyStoreSize = BitConverter.ToUInt16(rawBytes, index);

            index += 2;

            Trace.Assert(propertyStoreSize == 0, "propertyStoreSize size > 0!");

            var identifierSize = BitConverter.ToUInt16(rawBytes, index);

            index += 2;

            if (identifierSize > 0)
            {
                var raw00Guid = new byte[16];

                Array.Copy(rawBytes, index, raw00Guid, 0, 16);


                var preguid = Utils.ExtractGuidFromShellItem(raw00Guid);


                var tempString = Utils.GetFolderNameFromGuid(preguid);

                Value = tempString;

                index += 16;
            }

            index += 2; // skip 2 unknown in common

            if (index >= rawBytes.Length)
            {
                return;
            }

            var extBlockSize = BitConverter.ToInt16(rawBytes, index);

            if (extBlockSize > 0)
            {
                //process extension blocks

                while (extBlockSize > 0)
                {
                    var extBytes = rawBytes.Skip(index).Take(extBlockSize).ToArray();

                    index += extBlockSize;

                    var signature1 = BitConverter.ToUInt32(extBytes, 4);

                    var block1 = Utils.GetExtensionBlockFromBytes(signature1, extBytes);

                    ExtensionBlocks.Add(block1);

                    if (index >= rawBytes.Length)
                    {
                        break;
                    }
                    extBlockSize = BitConverter.ToInt16(rawBytes, index);
                }
            }
//
//            int terminator = BitConverter.ToInt16(rawBytes, index);
//
//            if (terminator > 0)
//            {
//                throw new Exception($"Expected terminator of 0, but got {terminator}");
//            }
        }
コード例 #6
0
    private void ProcessPropertyViewDefault(byte[] rawBytes)
    {
        FriendlyName = "Variable: Users property view";
        var index = 10;

        var shellPropertySheetListSize = BitConverter.ToInt16(rawBytes, index);

        index += 2;

        var identifiersize = BitConverter.ToInt16(rawBytes, index);

        index += 2;

        if (identifiersize > rawBytes.Length)
        {
            index = 0xc;

            var strs = CodePagesEncodingProvider.Instance.GetEncoding(1252).GetString(rawBytes, index, rawBytes.Length - index).Split('\0');

            var p2 = string.Join(",", strs.Skip(1).ToList());

            Value = $"{strs[0]} ({p2})";

            return;
        }

        var identifierData = new byte[identifiersize];

        Array.Copy(rawBytes, index, identifierData, 0, identifiersize);

        index += identifiersize;

        if (shellPropertySheetListSize > 0)
        {
            var propBytes = rawBytes.Skip(index).Take(shellPropertySheetListSize).ToArray();
            var propStore = new PropertyStore(propBytes);

            PropertyStore = propStore;

            var p = propStore.Sheets.Where(t => t.PropertyNames.ContainsKey("32"));

            if (p.Any())
            {
                //we can now look thry prop bytes for extension blocks
                //TODO this is a hack until we can process vectors natively

                var extOffsets = new List <int>();
                try
                {
                    var regexObj    = new Regex("([0-9A-F]{2})-00-EF-BE", RegexOptions.IgnoreCase);
                    var matchResult = regexObj.Match(BitConverter.ToString(propBytes));
                    while (matchResult.Success)
                    {
                        extOffsets.Add(matchResult.Index);
                        matchResult = matchResult.NextMatch();
                    }

                    foreach (var extOffset in extOffsets)
                    {
                        var binaryOffset = extOffset / 3 - 4;
                        var exSize       = BitConverter.ToInt16(propBytes, binaryOffset);

                        var exBytes = propBytes.Skip(binaryOffset).Take(exSize).ToArray();

                        var signature1 = BitConverter.ToUInt32(exBytes, 4);

                        //Debug.WriteLine(" 0x1f bag sig: " + signature1.ToString("X8"));

                        var block1 = Utils.GetExtensionBlockFromBytes(signature1, exBytes);

                        ExtensionBlocks.Add(block1);
                    }
                }
                catch (ArgumentException ex)
                {
                    throw ex;
                    // Syntax error in the regular expression
                }

                //     Debug.WriteLine("Found 32 key");
            }
        }
        else
        {
            //   Debug.Write("Oh no! No property sheets!");
            // SiAuto.Main.LogWarning("Oh no! No property sheets!");

            if (rawBytes[0x28] == 0x2f ||
                rawBytes[0x24] == 0x4e && rawBytes[0x26] == 0x2f && rawBytes[0x28] == 0x41)
            {
                //we have a good date

                var zip = new ShellBagZipContents(rawBytes);
                FriendlyName   = zip.FriendlyName;
                LastAccessTime = zip.LastAccessTime;

                Value = zip.Value;

                return;
            }

            //41-75-67-4D is AugM

            if (rawBytes[4] == 0x41 && rawBytes[5] == 0x75 && rawBytes[6] == 0x67 && rawBytes[7] == 0x4D)
            {
                var cdb = new ShellBagCDBurn(rawBytes);

                Value                = cdb.Value;
                FriendlyName         = cdb.FriendlyName;
                CreatedOnTime        = cdb.CreatedOnTime;
                LastModificationTime = cdb.LastModificationTime;
                LastAccessTime       = cdb.LastAccessTime;


                return;
            }


            Debug.Write("Oh no! No property sheets!");

            Value = "!!! Unable to determine Value !!!";
        }

        index += shellPropertySheetListSize;

        index += 2; //move past end of property sheet terminator

        if (shellPropertySheetListSize > 0 && index < rawBytes.Length)
        {
            var extBlockSize = BitConverter.ToInt16(rawBytes, index);

            if (extBlockSize > 0)
            {
                //process extension blocks

                while (extBlockSize > 0)
                {
                    var extBytes = rawBytes.Skip(index).Take(extBlockSize).ToArray();

                    index += extBlockSize;

                    var signature1 = BitConverter.ToUInt32(extBytes, 4);


                    var block1 = Utils.GetExtensionBlockFromBytes(signature1, extBytes);

                    ExtensionBlocks.Add(block1);

                    if (index >= rawBytes.Length)
                    {
                        break;
                    }

                    extBlockSize = BitConverter.ToInt16(rawBytes, index);
                }
            }

//                int terminator = BitConverter.ToInt16(rawBytes, index);
//
//                if (terminator > 0)
//                {
//                    throw new Exception($"Expected terminator of 0, but got {terminator}");
//                }
        }

        var valuestring = (from propertySheet in PropertyStore.Sheets
                           from propertyName in propertySheet.PropertyNames
                           where propertyName.Key == "10"
                           select propertyName.Value).FirstOrDefault();

        if (valuestring == null)
        {
            var namesList =
                (from propertySheet in PropertyStore.Sheets
                 from propertyName in propertySheet.PropertyNames
                 select propertyName.Value)
                .ToList();

            valuestring = string.Join("::", namesList.ToArray());
        }

        if (valuestring == "")
        {
            valuestring = "No Property sheet value found";
        }

        Value = valuestring;
    }
コード例 #7
0
ファイル: ShellBag0x2e.cs プロジェクト: theCanary/Lnk
        private void ProcessPropertyViewDefault(byte[] rawBytes)
        {
            FriendlyName = "Users property view";
            var index = 10;

            var shellPropertySheetListSize = BitConverter.ToInt16(rawBytes, index);


            index += 2;

            var identifiersize = BitConverter.ToInt16(rawBytes, index);


            index += 2;

            var identifierData = new byte[identifiersize];

            Array.Copy(rawBytes, index, identifierData, 0, identifiersize);

            index += identifiersize;

            if (shellPropertySheetListSize > 0)
            {
                var propBytes = rawBytes.Skip(index).Take(shellPropertySheetListSize).ToArray();
                var propStore = new PropertyStore(propBytes);

                PropertyStore = propStore;

                var p = propStore.Sheets.Where(t => t.PropertyNames.ContainsKey("32"));

                if (p.Any())
                {
                    //we can now look thry prop bytes for extension blocks
                    //TODO this is a hack until we can process vectors natively

                    var extOffsets = new List <int>();
                    try
                    {
                        var regexObj    = new Regex("([0-9A-F]{2})-00-EF-BE", RegexOptions.IgnoreCase);
                        var matchResult = regexObj.Match(BitConverter.ToString(propBytes));
                        while (matchResult.Success)
                        {
                            extOffsets.Add(matchResult.Index);
                            matchResult = matchResult.NextMatch();
                        }

                        foreach (var extOffset in extOffsets)
                        {
                            var binaryOffset = extOffset / 3 - 4;
                            var exSize       = BitConverter.ToInt16(propBytes, binaryOffset);

                            var exBytes = propBytes.Skip(binaryOffset).Take(exSize).ToArray();

                            var signature1 = BitConverter.ToUInt32(exBytes, 4);


                            var block1 = Utils.GetExtensionBlockFromBytes(signature1, exBytes);

                            ExtensionBlocks.Add(block1);
                        }
                    }
                    catch (ArgumentException)
                    {
                        // Syntax error in the regular expression
                    }
                }
            }
            else


            {
                index += shellPropertySheetListSize;
            }

            index += 2; //move past end of property sheet terminator

            var rawguid = Utils.ExtractGuidFromShellItem(rawBytes.Skip(index).Take(16).ToArray());

            index += 16;

            rawguid = Utils.ExtractGuidFromShellItem(rawBytes.Skip(index).Take(16).ToArray());
            index  += 16;

            var name = GuidMapping.GuidMapping.GetDescriptionFromGuid(rawguid);

            Value = name;

            var extBlockSize = BitConverter.ToInt16(rawBytes, index);

            if (extBlockSize > 0)
            {
                //process extension blocks

                while (extBlockSize > 0)
                {
                    var extBytes = rawBytes.Skip(index).Take(extBlockSize).ToArray();

                    index += extBlockSize;

                    var signature1 = BitConverter.ToUInt32(extBytes, 4);


                    var block1 = Utils.GetExtensionBlockFromBytes(signature1, extBytes);

                    ExtensionBlocks.Add(block1);

                    extBlockSize = BitConverter.ToInt16(rawBytes, index);
                }
            }

            int terminator = BitConverter.ToInt16(rawBytes, index);

            if (terminator > 0)
            {
                throw new Exception($"Expected terminator of 0, but got {terminator}");
            }
        }