コード例 #1
0
        public void AppCompatTestCreators()
        {
            var r = new AppCompat();

            var reg = new RegistryHive(@"D:\SynologyDrive\Registry\SYSTEM_Creators");

            reg.ParseHive();

            var key = reg.GetKey(@"ControlSet001\Control\Session Manager\AppCompatCache");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(506);

            var ff = (ValuesOut)r.Values[0];

            Check.That(ff.CacheEntryPosition).IsEqualTo(0);
            Check.That(ff.ProgramName).Contains("nvstreg.exe");
        }
コード例 #2
0
        public void AppCompatTest()
        {
            var r = new AppCompat();

            var reg = new RegistryHive(@"D:\Sync\RegistryHives\SYSTEM");

            reg.ParseHive();

            var key = reg.GetKey(@"ControlSet001\Control\Session Manager\AppCompatCache");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(1024);

            var ff = (ValuesOut)r.Values[0];

            Check.That(ff.CacheEntryPosition).IsEqualTo(0);
            Check.That(ff.ProgramName).Contains("java");
        }
コード例 #3
0
        public void DeletedFindTestValue()
        {
            var f = @"D:\!downloads\yarp-master\hives_for_tests\DeletedDataHive";
            var r = new RegistryHive(f);

            r.RecoverDeleted = true;
            r.ParseHive();

            var k = r.GetKey("123");

            Check.That(k.Values[0].VkRecord.IsFree).IsFalse();

            Check.That(k.Values.Count).IsEqualTo(2);

            Check.That(k.Values[1].VkRecord.IsFree).IsTrue();

            foreach (var keyValue in k.Values)
            {
                Debug.WriteLine(keyValue);
            }
        }
コード例 #4
0
        public void FirstFolderTest()
        {
            var r = new FirstFolder();

            var reg = new RegistryHive(@"..\..\Hives\ntuser1.dat");

            reg.ParseHive();

            var key = reg.GetKey(@"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(3);

            var ff = (FolderInfo)r.Values[0];

            Check.That(ff.MRUPosition).IsEqualTo(0);
            Check.That(ff.Executable).Contains(@"C:\Program Files (x86)\Canon\MP Navigator EX 2.0\mpnex20.exe");
        }
コード例 #5
0
        public void CidSizeTest()
        {
            var r = new CIDSizeMRU();

            var reg = new RegistryHive(@"..\..\Hives\ntuser1.dat");

            reg.ParseHive();

            var key = reg.GetKey(@"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(8);

            var ff = (CIDSizeInfo)r.Values[0];

            Check.That(ff.MRUPosition).IsEqualTo(0);
            Check.That(ff.Executable).Contains("AcroRd32.exe");
        }
コード例 #6
0
        public void AppCompatTestOneOff()
        {
            var r = new AppCompat();

            var reg = new RegistryHive(@"C:\Users\eric\Desktop\SYSTEM");

            reg.ParseHive();

            var key = reg.GetKey(@"ControlSet001\Control\Session Manager\AppCompatCache");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(325);

            var ff = (ValuesOut)r.Values[0];

            Check.That(ff.CacheEntryPosition).IsEqualTo(0);
            Check.That(ff.ProgramName).Contains("Logon");
        }
コード例 #7
0
        public void BlakeRecentDocs()
        {
            var r = new RecentDocs();

            var reg = new RegistryHive(@"D:\SynologyDrive\Registry\NTUSER_dblake.DAT");

            reg.ParseHive();

            var key = reg.GetKey(@"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(192);
            Check.That(r.Errors.Count).IsEqualTo(0);

            var ff = (RecentDoc)r.Values[0];

            Check.That(ff.ValueName).IsEqualTo("83");
            Check.That(ff.Extension).Contains("RecentDocs");
        }
コード例 #8
0
        public void SamPluginPWHint()
        {
            var r = new UserAccounts();

            var reg = new RegistryHive(@"D:\SynologyDrive\Registry\SAM_hasBigEndianDWord");

            reg.RecoverDeleted = true;
            reg.ParseHive();

            var key = reg.GetKey(@"SAM\Domains\Account\Users");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsStrictlyGreaterThan(0);
            Check.That(r.Errors.Count).IsEqualTo(0);

            var u = (UserOut)r.Values[2];

            Check.That(u.PasswordHint).Equals("G");
        }
コード例 #9
0
        public async Task <bool> IsOobeFinished()
        {
            var winVolume = await GetWindowsVolume();

            if (winVolume == null)
            {
                return(false);
            }

            var path = Path.Combine(winVolume.RootDir.Name, "Windows", "System32", "Config", "System");
            var hive = new RegistryHive(path)
            {
                RecoverDeleted = true
            };

            hive.ParseHive();

            var key = hive.GetKey("Setup");
            var val = key.Values.Single(x => x.ValueName == "OOBEInProgress");

            return(int.Parse(val.ValueData) == 0);
        }
コード例 #10
0
        public void AppCompatFlags()
        {
            var r = new AppCompatFlags();

            var reg = new RegistryHive(@"D:\Temp\SoftwareCID\Software");

            reg.ParseHive();

            var key = reg.GetKey(@"Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(37);
            Check.That(r.Errors.Count).IsEqualTo(0);

            var ff = (RegistryPlugin.AppCompatFlags.ValuesOut)r.Values[0];

            Check.That(ff.ValueName).IsEqualTo("746E9C8C08A390000004EC55A1F64D10");
            Check.That(ff.Executable).Contains("\\DEVICE");
        }
コード例 #11
0
        public void BlakeServices()
        {
            var r = new Services();

            var reg = new RegistryHive(@"D:\SynologyDrive\Registry\SYSTEM_dblake");

            reg.ParseHive();

            var key = reg.GetKey(@"ControlSet001\Services");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(553);
            Check.That(r.Errors.Count).IsEqualTo(0);

            var ff = (Service)r.Values[0];

            Check.That(ff.Name).IsEqualTo(".NET CLR Data");
            Check.That(ff.Description).IsEqualTo("");
            Check.That(ff.NameKeyLastWrite.Year).IsEqualTo(2013);

            ff = (Service)r.Values[8];

            Check.That(ff.Name).IsEqualTo("3ware");
            Check.That(ff.Description).IsEqualTo("");
            Check.That(ff.NameKeyLastWrite.Year).IsEqualTo(2013);

            ff = (Service)r.Values[263];

            Check.That(ff.Name).IsEqualTo("napagent");
            Check.That(ff.Description).IsEqualTo(@"@%SystemRoot%\system32\qagentrt.dll,-7");
            Check.That(ff.StartMode).IsEqualTo(ServiceStartMode.Manual);
            Check.That(ff.ServiceType).IsEqualTo(ServiceType.Win32ShareProcess);
            Check.That(ff.ServiceDLL).IsEqualTo(@"%SystemRoot%\system32\qagentRT.dll");
            Check.That(ff.NameKeyLastWrite.Year).IsEqualTo(2013);
        }
コード例 #12
0
        public void TaskCache()
        {
            var r = new TaskCache();



            var reg = new RegistryHive(@"D:\OneDrive\Registry\SOFTWARE_dblake");


            // var l = new List<string>();
            // l.Add(@"C:\Temp\tout\G\Users\fredr\ntuser.dat.LOG1");
            // l.Add(@"C:\Temp\tout\G\Users\fredr\ntuser.dat.LOG2");


            //      reg.ProcessTransactionLogs(l, true);


            reg.ParseHive();

            var key = reg.GetKey(@"Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks");

            Check.That(key).IsNotNull();

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);


            Debug.WriteLine(r.Values.Count);


            foreach (var rValue in r.Values)
            {
                Debug.WriteLine(rValue);
            }
        }
コード例 #13
0
        public void Syscache()
        {
            var r = new SyscacheObjectTable();

            var reg = new RegistryHive(@"D:\Temp\SoftwareCID\Syscache.hve");

            reg.ParseHive();

            var key = reg.GetKey(@"DefaultObjectStore\ObjectTablere");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(1585);
            Check.That(r.Errors.Count).IsEqualTo(0);

            var ff = (RegistryPlugin.SyscacheObjectTable.ValuesOut)r.Values[0];

            Check.That(ff.Sha1).IsEqualTo("f34bbe523cf4b187b2c27da2bcd267412301745d");
            Check.That(ff.MftEntryNumber).IsEqualTo(26442);
            Check.That(ff.MftEntryNumber).IsEqualTo(26442);
            Check.That(ff.KeyPath).IsEqualTo("DefaultObjectStore\\ObjectTable\\1");
        }
コード例 #14
0
        public void RecentApps()
        {
            var r = new RecentApps();

            var reg = new RegistryHive(@"D:\SynologyDrive\Registry\NTUSER_RecentAppsERZ.DAT");

            reg.RecoverDeleted = true;
            reg.ParseHive();

            var key = reg.GetKey(@"Software\Microsoft\Windows\CurrentVersion\Search\RecentApps");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsStrictlyGreaterThan(0);
            Check.That(r.Errors.Count).IsEqualTo(0);

            var u = (RegistryPlugin.RecentApps.ValuesOut)r.Values[2];

            Check.That(u.AppPath).Contains("chrome.exe");
            Check.That(u.RecentItems.Count).Equals(10);
            Check.That(u.RecentDocs).Contains("drivepr");
        }
コード例 #15
0
        public void BlakeUserAssist()
        {
            var r = new UserAssist();

            var reg = new RegistryHive(@"D:\SynologyDrive\Registry\NTUSER_dblake.DAT");

            reg.ParseHive();

            var key = reg.GetKey(@"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(205);
            Check.That(r.Errors.Count).IsEqualTo(0);

            var ff = (RegistryPlugin.UserAssist.ValuesOut)r.Values[1];

            Check.That(ff.RunCounter).IsEqualTo(0);
            Check.That(ff.ProgramName).IsEqualTo("Microsoft.Windows.Explorer");
            Check.That(ff.FocusCount).IsEqualTo(619);
            Check.That(ff.FocusTime).IsEqualTo("0d, 3h, 46m, 24s");
        }
コード例 #16
0
        public void BlakeOpenSavePidlMRU()
        {
            var r = new OpenSavePidlMRU();

            var reg = new RegistryHive(@"D:\SynologyDrive\Registry\NTUSER_dblake.DAT");

            reg.ParseHive();

            var key = reg.GetKey(@"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(57);
            Check.That(r.Errors.Count).IsEqualTo(0);

            var ff = (RegistryPlugin.OpenSavePidlMRU.ValuesOut)r.Values[0];

            Check.That(ff.AbsolutePath)
            .IsEqualTo(
                @"Web sites\https://asgardventurecapital.sharepoint.com\Shared Documents\Confidential Analysis Data\NETFLIX_10-K_20130201.xlsx");
            Check.That(ff.ValueName).IsEqualTo("17");
        }
コード例 #17
0
        public AppCompatCache(string filename, int controlSet, bool noLogs)
        {
            byte[] rawBytes = null;
            Caches = new List <IAppCompatCache>();

            var controlSetIds = new List <int>();

            RegistryKey subKey = null;

            var isLiveRegistry = string.IsNullOrEmpty(filename);

            if (isLiveRegistry)
            {
                var keyCurrUser = Microsoft.Win32.Registry.LocalMachine;
                var subKey2     = keyCurrUser.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache");

                if (subKey2 == null)
                {
                    subKey2 =
                        keyCurrUser.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility");

                    if (subKey2 == null)
                    {
                        Console.WriteLine(
                            @"'CurrentControlSet\Control\Session Manager\AppCompatCache' key not found! Exiting");
                        return;
                    }
                }

                rawBytes = (byte[])subKey2.GetValue("AppCompatCache", null);

                subKey2    = keyCurrUser.OpenSubKey(@"SYSTEM\Select");
                ControlSet = (int)subKey2.GetValue("Current");

                var is32Bit = Is32Bit(filename, null);

                var cache = Init(rawBytes, is32Bit, ControlSet);

                Caches.Add(cache);

                return;
            }

            RegistryHive reg;


            Privilege[] privileges = { Privilege.EnableDelegation, Privilege.Impersonate, Privilege.Tcb };
            using (new PrivilegeEnabler(Privilege.Backup, privileges))
            {
                ControlSet = controlSet;

                if (File.Exists(filename) == false && RawCopy.Helper.RawFileExists(filename) == false)
                {
                    throw new FileNotFoundException($"File not found ({filename})!");
                }



                var dirname  = Path.GetDirectoryName(filename);
                var hiveBase = Path.GetFileName(filename);

                List <RawCopy.RawCopyReturn> rawFiles = null;

                try
                {
                    reg = new RegistryHive(filename)
                    {
                        RecoverDeleted = true
                    };
                }
                catch (IOException)
                {
                    //file is in use

                    if (RawCopy.Helper.IsAdministrator() == false)
                    {
                        throw new UnauthorizedAccessException("Administrator privileges not found!");
                    }

                    _logger.Warn($"'{filename}' is in use. Rerouting...\r\n");

                    var files = new List <string>();
                    files.Add(filename);

                    var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?").ToList();

                    var log1 = $"{dirname}\\{hiveBase}.LOG1";
                    var log2 = $"{dirname}\\{hiveBase}.LOG2";

                    if (logFiles.Count == 0)
                    {
                        if (RawCopy.Helper.RawFileExists(log1))
                        {
                            logFiles.Add(log1);
                        }
                        if (RawCopy.Helper.RawFileExists(log2))
                        {
                            logFiles.Add(log2);
                        }
                    }

                    foreach (var logFile in logFiles)
                    {
                        files.Add(logFile);
                    }

                    rawFiles = RawCopy.Helper.GetFiles(files);

                    reg = new RegistryHive(rawFiles.First().FileBytes, rawFiles.First().InputFilename);
                }

                if (reg.Header.PrimarySequenceNumber != reg.Header.SecondarySequenceNumber)
                {
                    if (string.IsNullOrEmpty(dirname))
                    {
                        dirname = ".";
                    }

                    var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?").ToList();

                    var log1 = $"{dirname}\\{hiveBase}.LOG1";
                    var log2 = $"{dirname}\\{hiveBase}.LOG2";

                    if (logFiles.Count == 0)
                    {
                        if (File.Exists(log1))
                        {
                            logFiles.Add(log1);
                        }
                        if (File.Exists(log2))
                        {
                            logFiles.Add(log2);
                        }
                    }

                    if (logFiles.Count == 0)
                    {
                        if (RawCopy.Helper.RawFileExists(log1))
                        {
                            logFiles.Add(log1);
                        }
                        if (RawCopy.Helper.RawFileExists(log2))
                        {
                            logFiles.Add(log2);
                        }
                    }

                    if (logFiles.Count == 0)
                    {
                        if (noLogs == false)
                        {
                            _logger.Warn("Registry hive is dirty and no transaction logs were found in the same directory! LOGs should have same base name as the hive. Aborting!!");
                            throw new Exception("Sequence numbers do not match and transaction logs were not found in the same directory as the hive. Aborting");
                        }
                        else
                        {
                            _logger.Warn("Registry hive is dirty and no transaction logs were found in the same directory. Data may be missing! Continuing anyways...");
                        }
                    }
                    else
                    {
                        if (noLogs == false)
                        {
                            if (rawFiles != null)
                            {
                                var lt = new List <TransactionLogFileInfo>();
                                foreach (var rawCopyReturn in rawFiles.Skip(1).ToList())
                                {
                                    var tt = new TransactionLogFileInfo(rawCopyReturn.InputFilename, rawCopyReturn.FileBytes);
                                    lt.Add(tt);
                                }

                                reg.ProcessTransactionLogs(lt, true);
                            }
                            else
                            {
                                reg.ProcessTransactionLogs(logFiles.ToList(), true);
                            }
                        }
                        else
                        {
                            _logger.Warn("Registry hive is dirty and transaction logs were found in the same directory, but --nl was provided. Data may be missing! Continuing anyways...");
                        }
                    }
                }


                reg.ParseHive();
            }

            if (controlSet == -1)
            {
                for (var i = 0; i < 10; i++)
                {
                    subKey = reg.GetKey($@"ControlSet00{i}\Control\Session Manager\AppCompatCache");

                    if (subKey == null)
                    {
                        subKey = reg.GetKey($@"ControlSet00{i}\Control\Session Manager\AppCompatibility");
                    }

                    if (subKey != null)
                    {
                        controlSetIds.Add(i);
                    }
                }

                if (controlSetIds.Count > 1)
                {
                    _logger.Warn(
                        $"***The following ControlSet00x keys will be exported: {string.Join(",", controlSetIds)}. Use -c to process keys individually\r\n");
                }
            }
            else
            {
                //a control set was passed in
                subKey = reg.GetKey($@"ControlSet00{ControlSet}\Control\Session Manager\AppCompatCache");

                if (subKey == null)
                {
                    subKey = reg.GetKey($@"ControlSet00{ControlSet}\Control\Session Manager\AppCompatibility");
                }

                if (subKey == null)
                {
                    throw new Exception($"Could not find ControlSet00{ControlSet}. Exiting");
                }

                controlSetIds.Add(ControlSet);
            }


            var is32 = Is32Bit(filename, reg);



            _logger.Debug($@"**** Found {controlSetIds.Count} ids to process");


            foreach (var id in controlSetIds)
            {
                _logger.Debug($@"**** Processing id {id}");

                //  var hive2 = new RegistryHiveOnDemand(filename);

                subKey = reg.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatCache");

                if (subKey == null)
                {
                    _logger.Debug($@"**** Initial subkey null, getting appCompatability key");
                    subKey = reg.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatibility");
                }

                _logger.Debug($@"**** Looking  AppCompatcache value");

                var val = subKey?.Values.SingleOrDefault(c => c.ValueName == "AppCompatCache");

                if (val != null)
                {
                    _logger.Debug($@"**** Found AppCompatcache value");
                    rawBytes = val.ValueDataRaw;
                }

                if (rawBytes == null)
                {
                    _logger.Error($@"'AppCompatCache' value not found for 'ControlSet00{id}'! Exiting");
                }

                var cache = Init(rawBytes, is32, id);

                Caches.Add(cache);
            }
        }
コード例 #18
0
        public void Adobe()
        {
            /*var f = new List<string>();
             * f.Add("D:20200618035802+05'30'");
             * f.Add("D:20200618035756+05'30'");
             * f.Add("D:20200618035751+05'30'");
             * f.Add("D:20200618035744+05'30'");
             * f.Add("D:20200618035737+05'30'");
             * f.Add("D:20200617182700-04'00'");
             * f.Add("D:20200617182636-04'00'");
             * f.Add("D:20200617223217Z");
             * f.Add("D:20200617182628-04'00'");
             * f.Add("D:20200617181449-04'00'");
             * f.Add("D:20200617181442-04'00'");
             * f.Add("D:20200617181427-04'00'");
             * f.Add("D:20200617221353Z");
             * f.Add("D:20200617221332Z");
             * f.Add("D:20200617221318Z");
             * f.Add("D:20200617230951+01'00'");
             * f.Add("D:20200617230941+01'00'");
             * f.Add("D:20200617230930+01'00'");
             * f.Add("D:20200617230922+01'00'");
             * f.Add("D:20200617230912+01'00'");
             * f.Add("D:20200617230902+01'00'");
             * f.Add("D:20200617230854+01'00'");
             * f.Add("D:20200617223156Z");
             * f.Add("D:20200617230846+01'00'");
             * f.Add("D:20200617230730+01'00'");
             * f.Add("D:20200617230724+01'00'");
             * f.Add("D:20200617230718+01'00'");
             * f.Add("D:20200617223147Z");
             * f.Add("D:20200617230712+01'00'");
             * f.Add("D:20200617230702+01'00'");
             * f.Add("D:20200617230655+01'00'");
             * f.Add("D:20200617230647+01'00'");
             * f.Add("D:20200617230640+01'00'");
             * f.Add("D:20200617230217+01'00'");
             * f.Add("D:20200617230020+01'00'");
             * f.Add("D:20200617230016+01'00'");
             * f.Add("D:20200617223137Z");
             * f.Add("D:20200617223126Z");
             * f.Add("D:20200617223024Z");
             * f.Add("D:20200617223003Z");
             *
             * foreach (var f1 in f)
             * {
             *  var start = f1.Substring(2);
             *  Console.WriteLine(start);
             *
             *  var year = start.Substring(0, 4);
             *  var month = start.Substring(4, 2);
             *  var day = start.Substring(6, 2);
             *  var hours = start.Substring(8, 2);
             *  var mins = start.Substring(10, 2);
             *  var sec = start.Substring(12, 2);
             *  var tzi = start.Substring(14);
             *  tzi = tzi.Replace("'", ":").TrimEnd(':');
             *
             *  var dateString = $"{month}/{day}/{year}";
             *  var timeString = $"{hours}:{mins}:{sec}";
             *
             *  Console.WriteLine($"{dateString} {timeString} {tzi}");
             *
             *  if (tzi.EndsWith("Z"))
             *  {
             *      tzi = "+0:00";
             *  }
             *
             *  var aaa = DateTimeOffset.ParseExact($"{dateString} {timeString} {tzi}","MM/dd/yyyy HH:mm:ss zzz",CultureInfo.InvariantCulture);
             *
             *  var dto = new DateTimeOffset(int.Parse(year),int.Parse(month),int.Parse(day),int.Parse(hours),int.Parse(mins),int.Parse(sec),TimeSpan.Zero);
             *
             *  Console.WriteLine($"dto: {dto:yyyy-MM-dd HH:mm:ss}");
             *  Console.WriteLine($"As UTC: {aaa.ToUniversalTime():yyyy-MM-dd HH:mm:ss}");
             * }*/


            var r = new Adobe();

            var reg = new RegistryHive(@"D:\Temp\Adobe_cRecentFiles_NTUSER.DAT");

            reg.ParseHive();

            var key = reg.GetKey(@"Software\Adobe");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(114);
            Check.That(r.Errors.Count).IsEqualTo(0);
        }
コード例 #19
0
        public void TerminalServers()
        {
            var r = new TerminalServerClient();

            var reg = new RegistryHive(@"D:\SynologyDrive\Registry\ALL\NTUSER.DAT");

            reg.ParseHive();

            var key = reg.GetKey(@"Software\Microsoft\Terminal Server Client");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(6);
            Check.That(r.Errors.Count).IsEqualTo(0);

            var ff = (RegistryPlugin.TerminalServerClient.ValuesOut)r.Values[0];

            Check.That(ff.MRUPosition).IsEqualTo(1);
            Check.That(ff.HostName).Contains("GOON");

            r = new TerminalServerClient();

            reg = new RegistryHive(@"D:\SynologyDrive\Registry\ALL\NTUSER3.DAT");
            reg.ParseHive();

            key = reg.GetKey(@"Software\Microsoft\Terminal Server Client");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(7);
            Check.That(r.Errors.Count).IsEqualTo(0);

            ff = (RegistryPlugin.TerminalServerClient.ValuesOut)r.Values[0];

            Check.That(ff.MRUPosition).IsEqualTo(-1);
            Check.That(ff.HostName).Contains("GOON");
            Check.That(ff.LastModified.Month).IsEqualTo(5);
            Check.That(ff.LastModified.Minute).IsEqualTo(32);
            Check.That(ff.LastModified.Second).IsEqualTo(8);
            Check.That(ff.LastModified.Day).IsEqualTo(28);


            ff = (RegistryPlugin.TerminalServerClient.ValuesOut)r.Values[3];

            Check.That(ff.MRUPosition).IsEqualTo(-1);
            Check.That(ff.HostName).Contains("SVR01");

            r = new TerminalServerClient();

            reg = new RegistryHive(@"D:\SynologyDrive\Registry\NTUSER_dblake.DAT");
            reg.ParseHive();

            key = reg.GetKey(@"Software\Microsoft\Terminal Server Client");

            Check.That(r.Values.Count).IsEqualTo(0);

            r.ProcessValues(key);

            Check.That(r.Values.Count).IsEqualTo(0);
            Check.That(r.Errors.Count).IsEqualTo(0);
        }
コード例 #20
0
ファイル: AppCompatCache.cs プロジェクト: windwave1173/CDIR-A
        public AppCompatCache(string filename, int controlSet)
        {
            byte[] rawBytes = null;
            Caches = new List <IAppCompatCache>();

            if (File.Exists(filename) == false)
            {
                throw new FileNotFoundException($"File not found ({filename})!");
            }

            var controlSetIds = new List <int>();

//            var hive = new RegistryHiveOnDemand(filename);
            var hive = new RegistryHive(filename);

            if (hive.Header.PrimarySequenceNumber != hive.Header.SecondarySequenceNumber)
            {
                var hiveBase = Path.GetFileName(filename);
                var dirname  = Path.GetDirectoryName(filename);
                if (string.IsNullOrEmpty(dirname))
                {
                    dirname = ".";
                }

                var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");

                if (logFiles.Length == 0)
                {
                    Console.WriteLine("Registry hive is dirty and no transaction logs were found. Try to parse without logs.");
                }
                else
                {
                    hive.ProcessTransactionLogs(logFiles.ToList(), true);
                }
            }

            hive.ParseHive();

            RegistryKey subKey     = hive.GetKey("Select");
            var         ControlSet = int.Parse(subKey.Values.Single(c => c.ValueName == "Current").ValueData);

//            ControlSet = controlSet;

            if (controlSet == -1)
            {
                for (var i = 0; i < 10; i++)
                {
                    subKey = hive.GetKey($@"ControlSet00{i}\Control\Session Manager\AppCompatCache");

                    if (subKey == null)
                    {
                        subKey = hive.GetKey($@"ControlSet00{i}\Control\Session Manager\AppCompatibility");
                    }

                    if (subKey != null)
                    {
                        controlSetIds.Add(i);
                    }
                }

                if (controlSetIds.Count > 1)
                {
                    Console.WriteLine($"***The following ControlSet00x keys will be exported: {string.Join(",", controlSetIds)}.\r\n");
                }
            }
            else
            {
                //a control set was passed in
                subKey = hive.GetKey($@"ControlSet00{ControlSet}\Control\Session Manager\AppCompatCache");

                if (subKey == null)
                {
                    subKey = hive.GetKey($@"ControlSet00{ControlSet}\Control\Session Manager\AppCompatibility");
                }

                if (subKey == null)
                {
                    throw new Exception($"Could not find ControlSet00{ControlSet}. Exiting");
                }

                controlSetIds.Add(ControlSet);
            }

            var    is32         = Is32Bit(filename);
            string computerName = ComputerName(filename);

            foreach (var id in controlSetIds)
            {
                var hive2 = new RegistryHiveOnDemand(filename);
                subKey = hive2.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatCache");

                if (subKey == null)
                {
                    subKey = hive2.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatibility");
                }

                var val = subKey?.Values.SingleOrDefault(c => c.ValueName == "AppCompatCache");

                if (val != null)
                {
                    rawBytes = val.ValueDataRaw;
                }

                if (rawBytes == null)
                {
                    throw new Exception($@"'AppCompatCache' value not found for 'ControlSet00{id}'! Exiting");
                }

                var cache = Init(rawBytes, is32, id, computerName);

                Caches.Add(cache);
            }
        }
コード例 #21
0
        public void ShouldFindRegMultiSzValues()
        {
            var ntUser1OnDemand = new RegistryHiveOnDemand(@"..\..\Hives\NTUSER1.DAT");
            var key             =
                ntUser1OnDemand.GetKey(
                    @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\International\User Profile");

            Check.That(key).IsNotNull();

            var val = key.Values.Single(t => t.ValueName == "Languages");

            Check.That(val).IsNotNull();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
            Check.That(val.VkRecord.ValueData).IsEqualTo("en-US");
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(0);


            var usrclassAcronis = new RegistryHive(@"..\..\Hives\Acronis_0x52_Usrclass.dat");

            usrclassAcronis.RecoverDeleted             = true;
            usrclassAcronis.FlushRecordListsAfterParse = false;
            usrclassAcronis.ParseHive();

            key =
                usrclassAcronis.GetKey(
                    @"S-1-5-21-3851833874-1800822990-1357392098-1000_Classes\Local Settings\MuiCache\12\52C64B7E");

            Check.That(key).IsNotNull();

            val = key.Values.Single(t => t.ValueName == "LanguageList");

            Check.That(val).IsNotNull();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
            Check.That(val.VkRecord.ValueData).IsEqualTo("en-US en");
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

            var bcd = new RegistryHive(@"..\..\Hives\BCD");

            bcd.FlushRecordListsAfterParse = false;
            bcd.RecoverDeleted             = true;
            bcd.ParseHive();

            key =
                bcd.GetKey(
                    @"System\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements\14000006");

            Check.That(key).IsNotNull();

            val = key.Values.Single(t => t.ValueName == "Element");

            Check.That(val).IsNotNull();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
            Check.That(val.VkRecord.ValueData)
            .IsEqualTo("{4636856e-540f-4170-a130-a84776f4c654} {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}");
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(6);

            key =
                bcd.GetKey(
                    @"System\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\14000006");

            Check.That(key).IsNotNull();

            val = key.Values.Single(t => t.ValueName == "Element");

            Check.That(val).IsNotNull();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
            Check.That(val.VkRecord.ValueData).IsEqualTo("{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}");
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(84);
        }
コード例 #22
0
        public void ExportToRegFormatSingleKey()
        {
            var samOnDemand = new RegistryHiveOnDemand(@".\Hives\SAM");
            var key         = samOnDemand.GetKey(@"SAM\Domains\Account");

            var exported = Helpers.ExportToReg(@"exportSamTest.reg", key, HiveTypeEnum.Sam, false);

            Check.That(exported).IsTrue();

            var ntUser1OnDemand = new RegistryHiveOnDemand(@".\Hives\NTUSER1.DAT");

            key = ntUser1OnDemand.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Console");

            exported = Helpers.ExportToReg(@"exportntuser1Test.reg", key, HiveTypeEnum.NtUser, false);

            Check.That(exported).IsTrue();

            var security = new RegistryHiveOnDemand(@".\Hives\SECURITY");

            key =
                security.GetKey(
                    @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Policy\Accounts\S-1-5-9");

            exported = Helpers.ExportToReg(@"exportsecTest.reg", key, HiveTypeEnum.Security, false);

            Check.That(exported).IsTrue();

            var systemOnDemand = new RegistryHiveOnDemand(@".\Hives\SYSTEM");

            key =
                systemOnDemand.GetKey(
                    @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\ControlSet001\Enum\ACPI\PNP0C02\1");

            exported = Helpers.ExportToReg(@"exportsysTest.reg", key, HiveTypeEnum.System, false);

            Check.That(exported).IsTrue();

            var usrClassFtp = new RegistryHiveOnDemand(@".\Hives\UsrClass FTP.dat");

            key = usrClassFtp.GetKey(@"S-1-5-21-2417227394-2575385136-2411922467-1105_Classes\.3g2");

            exported = Helpers.ExportToReg(@"exportusrTest.reg", key, HiveTypeEnum.UsrClass, false);

            Check.That(exported).IsTrue();

            var samDupeNameOnDemand = new RegistryHiveOnDemand(@".\Hives\SAM_DUPENAME");

            key = samDupeNameOnDemand.GetKey(@"SAM\SAM\Domains\Account\Aliases\000003E9");

            exported = Helpers.ExportToReg(@"exportotherTest.reg", key, HiveTypeEnum.Other, false);

            Check.That(exported).IsTrue();

            var usrclassDeleted = new RegistryHive(@".\Hives\UsrClassDeletedBags.dat");

            usrclassDeleted.RecoverDeleted             = true;
            usrclassDeleted.FlushRecordListsAfterParse = false;
            usrclassDeleted.ParseHive();
            key =
                usrclassDeleted.GetKey(
                    @"S-1-5-21-146151751-63468248-1215037915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1");

            exported = Helpers.ExportToReg(@"exportDeletedTest.reg", key, HiveTypeEnum.UsrClass, false);

            Check.That(exported).IsTrue();
        }
コード例 #23
0
        public AmcacheOld(string hive, bool recoverDeleted, bool noLogs)
        {
            _logger = LogManager.GetLogger("AmcacheOld");

            RegistryHive reg;

            var dirname  = Path.GetDirectoryName(hive);
            var hiveBase = Path.GetFileName(hive);

            List <RawCopy.RawCopyReturn> rawFiles = null;

            try
            {
                reg = new RegistryHive(hive)
                {
                    RecoverDeleted = true
                };
            }
            catch (IOException)
            {
                //file is in use

                if (RawCopy.Helper.IsAdministrator() == false)
                {
                    throw new UnauthorizedAccessException("Administrator privileges not found!");
                }

                _logger.Warn($"'{hive}' is in use. Rerouting...\r\n");

                var files = new List <string>();
                files.Add(hive);

                var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");

                foreach (var logFile in logFiles)
                {
                    files.Add(logFile);
                }

                rawFiles = RawCopy.Helper.GetFiles(files);

                var b = new byte[rawFiles.First().FileStream.Length];

                rawFiles.First().FileStream.Read(b, 0, (int)rawFiles.First().FileStream.Length);

                reg = new RegistryHive(b, rawFiles.First().InputFilename);
            }

            if (reg.Header.PrimarySequenceNumber != reg.Header.SecondarySequenceNumber)
            {
                if (string.IsNullOrEmpty(dirname))
                {
                    dirname = ".";
                }

                var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");
                var log      = LogManager.GetCurrentClassLogger();

                if (logFiles.Length == 0)
                {
                    if (noLogs == false)
                    {
                        log.Warn("Registry hive is dirty and no transaction logs were found in the same directory! LOGs should have same base name as the hive. Aborting!!");
                        throw new Exception("Sequence numbers do not match and transaction logs were not found in the same directory as the hive. Aborting");
                    }
                    else
                    {
                        log.Warn("Registry hive is dirty and no transaction logs were found in the same directory. Data may be missing! Continuing anyways...");
                    }
                }
                else
                {
                    if (noLogs == false)
                    {
                        if (rawFiles != null)
                        {
                            var lt = new List <TransactionLogFileInfo>();
                            foreach (var rawCopyReturn in rawFiles.Skip(1).ToList())
                            {
                                var b = new byte[rawCopyReturn.FileStream.Length];

                                rawCopyReturn.FileStream.Read(b, 0, (int)rawCopyReturn.FileStream.Length);

                                var tt = new TransactionLogFileInfo(rawCopyReturn.InputFilename, b);
                                lt.Add(tt);
                            }

                            reg.ProcessTransactionLogs(lt, true);
                        }
                        else
                        {
                            reg.ProcessTransactionLogs(logFiles.ToList(), true);
                        }
                    }
                    else
                    {
                        log.Warn("Registry hive is dirty and transaction logs were found in the same directory, but --nl was provided. Data may be missing! Continuing anyways...");
                    }
                }
            }


            reg.ParseHive();

            var fileKey     = reg.GetKey(@"Root\File");
            var programsKey = reg.GetKey(@"Root\Programs");


            UnassociatedFileEntries = new List <FileEntryOld>();
            ProgramsEntries         = new List <ProgramsEntryOld>();

            if (fileKey == null || programsKey == null)
            {
                _logger.Error("Hive does not contain a File and/or Programs key. Processing cannot continue");
                return;
            }

            //First, we get data for all the Program entries under Programs key

            _logger.Debug("Getting Programs data");

            foreach (var registryKey in programsKey.SubKeys)
            {
                var            ProgramName0    = "";
                var            ProgramVersion1 = "";
                var            Guid10          = "";
                var            UninstallGuid11 = "";
                var            Guid12          = "";
                var            Dword13         = 0;
                var            Dword14         = 0;
                var            Dword15         = 0;
                var            UnknownBytes    = new byte[0];
                long           Qword17         = 0;
                var            Dword18         = 0;
                var            VenderName2     = "";
                var            LocaleID3       = "";
                var            Dword5          = 0;
                var            InstallSource6  = "";
                var            UninstallKey7   = "";
                DateTimeOffset?EpochA          = null;
                DateTimeOffset?EpochB          = null;
                var            PathListd       = "";
                var            Guidf           = "";
                var            RawFiles        = "";

                try
                {
                    foreach (var value in registryKey.Values)
                    {
                        switch (value.ValueName)
                        {
                        case "0":
                            ProgramName0 = value.ValueData;
                            break;

                        case "1":
                            ProgramVersion1 = value.ValueData;
                            break;

                        case "2":
                            VenderName2 = value.ValueData;
                            break;

                        case "3":
                            LocaleID3 = value.ValueData;
                            break;

                        case "5":
                            Dword5 = int.Parse(value.ValueData);
                            break;

                        case "6":
                            InstallSource6 = value.ValueData;
                            break;

                        case "7":
                            UninstallKey7 = value.ValueData;
                            break;

                        case "a":
                            try
                            {
                                var seca = long.Parse(value.ValueData);
                                if (seca > 0)
                                {
                                    EpochA = DateTimeOffset.FromUnixTimeSeconds(seca).ToUniversalTime();
                                }
                            }
                            catch (Exception)
                            {
                                //sometimes the number is way too big
                            }

                            break;

                        case "b":
                            var seconds = long.Parse(value.ValueData);
                            if (seconds > 0)
                            {
                                EpochB =
                                    DateTimeOffset.FromUnixTimeSeconds(seconds).ToUniversalTime();
                            }

                            break;

                        case "d":
                            PathListd = value.ValueData;
                            break;

                        case "f":
                            Guidf = value.ValueData;
                            break;

                        case "10":
                            Guid10 = value.ValueData;
                            break;

                        case "11":
                            UninstallGuid11 = value.ValueData;
                            break;

                        case "12":
                            Guid12 = value.ValueData;
                            break;

                        case "13":
                            Dword13 = int.Parse(value.ValueData);
                            break;

                        case "14":
                            Dword13 = int.Parse(value.ValueData);
                            break;

                        case "15":
                            Dword13 = int.Parse(value.ValueData);
                            break;

                        case "16":
                            UnknownBytes = value.ValueDataRaw;
                            break;

                        case "17":
                            Qword17 = long.Parse(value.ValueData);
                            break;

                        case "18":
                            Dword18 = int.Parse(value.ValueData);
                            break;

                        case "Files":
                            RawFiles = value.ValueData;
                            break;

                        default:
                            _logger.Warn(
                                $"Unknown value name in Program at path {registryKey.KeyPath}: {value.ValueName}");
                            break;
                        }
                    }

                    var pe = new ProgramsEntryOld(ProgramName0, ProgramVersion1, VenderName2, LocaleID3, InstallSource6,
                                                  UninstallKey7, Guid10, Guid12, UninstallGuid11, Dword5, Dword13, Dword14, Dword15, UnknownBytes,
                                                  Qword17, Dword18, EpochA, EpochB, PathListd, Guidf, RawFiles, registryKey.KeyName,
                                                  registryKey.LastWriteTime.Value);

                    ProgramsEntries.Add(pe);
                }
                catch (Exception ex)
                {
                    _logger.Error($"Error parsing ProgramsEntry at {registryKey.KeyPath}. Error: {ex.Message}");
                    _logger.Error(
                        $"Please send the following text to [email protected]. \r\n\r\nKey data: {registryKey}");
                }
            }

            //For each Programs entry, add the related Files entries from Files\Volume subkey, put the rest in unassociated

            _logger.Debug("Getting Files data");

            foreach (var registryKey in fileKey.SubKeys)
            {
                //These are the guids for volumes
                foreach (var subKey in registryKey.SubKeys)
                {
                    var prodName      = "";
                    int?langId        = null;
                    var fileVerString = "";
                    var fileVerNum    = "";
                    var fileDesc      = "";
                    var compName      = "";
                    var fullPath      = "";
                    var switchBack    = "";
                    var peHash        = "";
                    var progID        = "";
                    var sha           = "";

                    long  binProdVersion   = 0;
                    ulong binFileVersion   = 0;
                    var   linkerVersion    = 0;
                    var   binType          = 0;
                    var   isLocal          = 0;
                    var   gProgramID       = 0;
                    int?  fileSize         = null;
                    int?  sizeOfImage      = null;
                    uint? peHeaderChecksum = null;

                    DateTimeOffset?created  = null;
                    DateTimeOffset?lm       = null;
                    DateTimeOffset?lmStore  = null;
                    DateTimeOffset?linkDate = null;

                    var hasLinkedProgram = false;

                    try
                    {
                        //these are the files executed from the volume
                        foreach (var keyValue in subKey.Values)
                        {
                            var keyVal = int.Parse(keyValue.ValueName, NumberStyles.HexNumber);

                            switch (keyVal)
                            {
                            case ProductName:
                                prodName = keyValue.ValueData;
                                break;

                            case CompanyName:
                                compName = keyValue.ValueData;
                                break;

                            case FileVersionNumber:
                                fileVerNum = keyValue.ValueData;
                                break;

                            case LanguageCode:
                                langId = int.Parse(keyValue.ValueData);
                                break;

                            case SwitchBackContext:
                                switchBack = keyValue.ValueData;
                                break;

                            case FileVersionString:
                                fileVerString = keyValue.ValueData;
                                break;

                            case FileSize:
                                fileSize = int.Parse(keyValue.ValueData);
                                break;

                            case SizeOfImage:
                                sizeOfImage = int.Parse(keyValue.ValueData);
                                break;

                            case PEHeaderHash:
                                peHash = keyValue.ValueData;
                                break;

                            case PEHeaderChecksum:
                                peHeaderChecksum = uint.Parse(keyValue.ValueData);
                                break;

                            case BinProductVersion:
                                binProdVersion = long.Parse(keyValue.ValueData);
                                break;

                            case BinFileVersion:
                                binFileVersion = ulong.Parse(keyValue.ValueData);
                                break;

                            case FileDescription:
                                fileDesc = keyValue.ValueData;
                                break;

                            case LinkerVersion:
                                linkerVersion = int.Parse(keyValue.ValueData);
                                break;

                            case LinkDate:
                                linkDate =
                                    DateTimeOffset.FromUnixTimeSeconds(long.Parse(keyValue.ValueData))
                                    .ToUniversalTime();
                                break;

                            case BinaryType:
                                binType = int.Parse(keyValue.ValueData);
                                break;

                            case LastModified:
                                lm = DateTimeOffset.FromFileTime(long.Parse(keyValue.ValueData)).ToUniversalTime();
                                break;

                            case Created:
                                created =
                                    DateTimeOffset.FromFileTime(long.Parse(keyValue.ValueData)).ToUniversalTime();
                                break;

                            case FullPath:
                                fullPath = keyValue.ValueData;
                                break;

                            case IsLocal:
                                isLocal = int.Parse(keyValue.ValueData);
                                break;

                            case GuessProgramID:
                                gProgramID = int.Parse(keyValue.ValueData);
                                break;

                            case LastModifiedStore:
                                lmStore = DateTimeOffset.FromFileTime(long.Parse(keyValue.ValueData))
                                          .ToUniversalTime();
                                break;

                            case ProgramID:
                                progID = keyValue.ValueData;

                                var program = ProgramsEntries.SingleOrDefault(t => t.ProgramID == progID);
                                if (program != null)
                                {
                                    hasLinkedProgram = true;
                                }

                                break;

                            case SHA1:
                                sha = keyValue.ValueData;
                                break;

                            default:
                                _logger.Warn(
                                    $"Unknown value name when processing FileEntry at path '{subKey.KeyPath}': 0x{keyVal:X}");
                                break;
                            }
                        }

                        if (fullPath.Length == 0)
                        {
                            continue;
                        }

                        TotalFileEntries += 1;

                        var fe = new FileEntryOld(prodName, progID, sha, fullPath, lmStore, registryKey.KeyName,
                                                  registryKey.LastWriteTime.Value, subKey.KeyName, subKey.LastWriteTime.Value,
                                                  isLocal, compName, langId, fileVerString, peHash, fileVerNum, fileDesc, binProdVersion,
                                                  binFileVersion,
                                                  linkerVersion, binType, switchBack, fileSize, linkDate, sizeOfImage,
                                                  lm, created, peHeaderChecksum, gProgramID, subKey.KeyName);

                        if (hasLinkedProgram)
                        {
                            var program = ProgramsEntries.SingleOrDefault(t => t.ProgramID == fe.ProgramID);
                            fe.ProgramName = program.ProgramName_0;
                            program.FileEntries.Add(fe);
                        }
                        else
                        {
                            fe.ProgramName = "Unassociated";
                            UnassociatedFileEntries.Add(fe);
                        }
                    }
                    catch (Exception ex)
                    {
                        _logger.Error($"Error parsing FileEntry at {subKey.KeyPath}. Error: {ex.Message}");
                        _logger.Error(
                            $"Please send the following text to [email protected]. \r\n\r\nKey data: {subKey}");
                    }
                }
            }
        }
コード例 #24
0
    public static bool Is32Bit(string fileName, RegistryHive reg)
    {
        if (reg == null)
        {
            if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
            {
                throw new NotSupportedException("'Filename' is required on non-Windows platforms.");
            }
            var keyCurrUser = Microsoft.Win32.Registry.LocalMachine;
            var subKey      = keyCurrUser.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\Environment");

            var val = subKey?.GetValue("PROCESSOR_ARCHITECTURE");

            if (val != null)
            {
                return(val.ToString().Equals("x86"));
            }
        }
        else
        {
            try
            {
                var subKey1 = reg.GetKey("Select");

                var currentCtlSet = int.Parse(subKey1.Values.Single(c => c.ValueName == "Current").ValueData);

                subKey1 = reg.GetKey($"ControlSet00{currentCtlSet}\\Control\\Session Manager\\Environment");

                var val = subKey1?.Values.SingleOrDefault(c => c.ValueName == "PROCESSOR_ARCHITECTURE");

                if (val != null)
                {
                    return(val.ValueData.Equals("x86"));
                }
            }
            catch (Exception)
            {
                var l = new List <string>();
                l.Add(fileName);

                var ff = Helper.GetRawFiles(l);

                var b = new byte[ff.First().FileStream.Length];

                var hive   = new RegistryHiveOnDemand(b, fileName);
                var subKey = hive.GetKey("Select");

                var currentCtlSet = int.Parse(subKey.Values.Single(c => c.ValueName == "Current").ValueData);

                subKey = hive.GetKey($"ControlSet00{currentCtlSet}\\Control\\Session Manager\\Environment");

                var val = subKey?.Values.SingleOrDefault(c => c.ValueName == "PROCESSOR_ARCHITECTURE");

                if (val != null)
                {
                    return(val.ValueData.Equals("x86"));
                }
            }
        }

        throw new NullReferenceException("Unable to determine CPU architecture!");
    }
コード例 #25
0
        public void ShouldFindKeyValueAndCheckProperties()
        {
            var sam = new RegistryHive(@"..\..\..\Hives\SAM");

            sam.FlushRecordListsAfterParse = false;
            sam.ParseHive();

            var key = sam.GetKey(0x418);

            Check.That(key).IsNotNull();

            Check.That(key.ToString()).IsNotEmpty();

            var val = key.Values[0];

            //TODO Need to export to reg each kind too

            Check.That(val).IsNotNull();

            Check.That(val.ValueName).IsEmpty();
            Check.That(val.ValueData).IsEmpty();
            Check.That(val.ValueSlack).IsEmpty();
            Check.That(val.ValueSlackRaw).IsEmpty();
            Check.That(val.ToString()).IsNotEmpty();
            Check.That(val.ValueName).IsEqualTo(string.Empty);
            Check.That(val.ValueType).IsEqualTo("RegNone");
            Check.That(val.ValueData).IsEmpty();
            Check.That(val.ValueSlack).IsEmpty();
            Check.That(val.VkRecord.Size).IsEqualTo(-24);
            Check.That(val.VkRecord.RelativeOffset).IsEqualTo(0x270);
            Check.That(val.VkRecord.AbsoluteOffset).IsEqualTo(0x1270);
            Check.That(val.VkRecord.Signature).IsEqualTo("vk");
            Check.That(val.VkRecord.IsFree).IsFalse();
            Check.That(val.VkRecord.DataLength).IsEqualTo(0x80000000);
            Check.That(val.VkRecord.OffsetToData).IsEqualTo(0);
            Check.That(val.VkRecord.NameLength).IsEqualTo(0);
            Check.That(val.VkRecord.NamePresentFlag).IsEqualTo(0);

            //This key has slack
            key = sam.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains\Account\Users\000001F4");

            Check.That(key).IsNotNull();

            val = key.Values[0];

            Check.That(val).IsNotNull();

            Check.That(val.ValueName).IsNotEmpty();
            Check.That(val.ValueData).IsNotEmpty();
            Check.That(val.ValueSlack).IsNotEmpty();
            Check.That(val.ValueSlackRaw.Length).IsStrictlyGreaterThan(0);
            Check.That(val.ToString()).IsNotEmpty();

            Check.That(val.ValueName).IsEqualTo("F");
            Check.That(val.ValueData).IsNotEmpty();
            Check.That(val.ValueData.Length).IsEqualTo(239);
            Check.That(val.ValueSlack).IsNotEmpty();
            Check.That(val.ValueSlack.Length).IsEqualTo(11);
            Check.That(val.ValueSlackRaw.Length).IsEqualTo(4);
            Check.That(val.ToString()).IsNotEmpty();

            Check.That(val.ValueType).IsEqualTo("RegBinary");
            Check.That(val.ValueData).IsEqualTo("02-00-01-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-FF-FF-FF-FF-FF-FF-FF-7F-00-00-00-00-00-00-00-00-F4-01-00-00-01-02-00-00-10-02-00-00-00-00-00-00-00-00-00-00-01-00-00-00-00-00-00-00-73-00-00-00");
            Check.That(val.ValueSlack).IsEqualTo("1F-00-0F-00");
            Check.That(val.VkRecord.Size).IsEqualTo(-32);
            Check.That(val.VkRecord.RelativeOffset).IsEqualTo(0x39B8);
            Check.That(val.VkRecord.AbsoluteOffset).IsEqualTo(0x49B8);
            Check.That(val.VkRecord.Signature).IsEqualTo("vk");
            Check.That(val.VkRecord.IsFree).IsFalse();
            Check.That(val.VkRecord.DataLength).IsEqualTo(0x50);
            Check.That(val.VkRecord.OffsetToData).IsEqualTo(0x39D8);
            Check.That(val.VkRecord.NameLength).IsEqualTo(0x1);
            Check.That(val.VkRecord.NamePresentFlag).IsEqualTo(1);
            Check.That(val.VkRecord.Padding.Length).IsEqualTo(7);
        }
コード例 #26
0
        public AppCompatCache(string filename, int controlSet, bool noLogs)
        {
            byte[] rawBytes = null;
            Caches = new List <IAppCompatCache>();

            var controlSetIds = new List <int>();

            RegistryKey subKey = null;

            var isLiveRegistry = string.IsNullOrEmpty(filename);

            if (isLiveRegistry)
            {
                var keyCurrUser = Microsoft.Win32.Registry.LocalMachine;
                var subKey2     = keyCurrUser.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache");

                if (subKey2 == null)
                {
                    subKey2 =
                        keyCurrUser.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility");

                    if (subKey2 == null)
                    {
                        Console.WriteLine(
                            @"'CurrentControlSet\Control\Session Manager\AppCompatCache' key not found! Exiting");
                        return;
                    }
                }

                rawBytes = (byte[])subKey2.GetValue("AppCompatCache", null);

                subKey2    = keyCurrUser.OpenSubKey(@"SYSTEM\Select");
                ControlSet = (int)subKey2.GetValue("Current");

                var is32Bit = Is32Bit(filename);

                var cache = Init(rawBytes, is32Bit, ControlSet);

                Caches.Add(cache);

                return;
            }


            ControlSet = controlSet;

            if (File.Exists(filename) == false)
            {
                throw new FileNotFoundException($"File not found ({filename})!");
            }

            var hive = new RegistryHive(filename);

            if (hive.Header.PrimarySequenceNumber != hive.Header.SecondarySequenceNumber)
            {
                var hiveBase = Path.GetFileName(filename);

                var dirname = Path.GetDirectoryName(filename);

                if (string.IsNullOrEmpty(dirname))
                {
                    dirname = ".";
                }

                var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");

                if (logFiles.Length == 0)
                {
                    var log = LogManager.GetCurrentClassLogger();

                    if (noLogs == false)
                    {
                        log.Warn("Registry hive is dirty and no transaction logs were found in the same directory! LOGs should have same base name as the hive. Aborting!!");
                        throw new Exception("Sequence numbers do not match and transaction logs were not found in the same directory as the hive. Aborting");
                    }

                    log.Warn("Registry hive is dirty and no transaction logs were found in the same directory. Data may be missing! Continuing anyways...");
                }
                else
                {
                    hive.ProcessTransactionLogs(logFiles.ToList(), true);
                }
            }

            hive.ParseHive();


            if (controlSet == -1)
            {
                for (var i = 0; i < 10; i++)
                {
                    subKey = hive.GetKey($@"ControlSet00{i}\Control\Session Manager\AppCompatCache");

                    if (subKey == null)
                    {
                        subKey = hive.GetKey($@"ControlSet00{i}\Control\Session Manager\AppCompatibility");
                    }

                    if (subKey != null)
                    {
                        controlSetIds.Add(i);
                    }
                }

                if (controlSetIds.Count > 1)
                {
                    var log = LogManager.GetCurrentClassLogger();

                    log.Warn(
                        $"***The following ControlSet00x keys will be exported: {string.Join(",", controlSetIds)}. Use -c to process keys individually\r\n");
                }
            }
            else
            {
                //a control set was passed in
                subKey = hive.GetKey($@"ControlSet00{ControlSet}\Control\Session Manager\AppCompatCache");

                if (subKey == null)
                {
                    subKey = hive.GetKey($@"ControlSet00{ControlSet}\Control\Session Manager\AppCompatibility");
                }

                if (subKey == null)
                {
                    throw new Exception($"Could not find ControlSet00{ControlSet}. Exiting");
                }

                controlSetIds.Add(ControlSet);
            }


            var is32 = Is32Bit(filename);

            var log1 = LogManager.GetCurrentClassLogger();

            log1.Debug($@"**** Found {controlSetIds.Count} ids to process");


            foreach (var id in controlSetIds)
            {
                log1.Debug($@"**** Processing id {id}");

                var hive2 = new RegistryHiveOnDemand(filename);

                subKey = hive2.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatCache");



                if (subKey == null)
                {
                    log1.Debug($@"**** Initial subkey null, getting appCompatability key");
                    subKey = hive2.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatibility");
                }

                log1.Debug($@"**** Looking  AppCompatcache value");

                var val = subKey?.Values.SingleOrDefault(c => c.ValueName == "AppCompatCache");

                if (val != null)
                {
                    log1.Debug($@"**** Found AppCompatcache value");
                    rawBytes = val.ValueDataRaw;
                }

                if (rawBytes == null)
                {
                    var log = LogManager.GetCurrentClassLogger();

                    log.Error($@"'AppCompatCache' value not found for 'ControlSet00{id}'! Exiting");
                }

                var cache = Init(rawBytes, is32, id);

                Caches.Add(cache);
            }
        }
コード例 #27
0
ファイル: AmcacheNew.cs プロジェクト: 5l1v3r1/AmcacheParser
        public AmcacheNew(string hive, bool recoverDeleted, bool noLogs)
        {
            _logger = LogManager.GetCurrentClassLogger();

            RegistryHive reg;

            var dirname  = Path.GetDirectoryName(hive);
            var hiveBase = Path.GetFileName(hive);

            List <RawCopyReturn> rawFiles = null;

            try
            {
                reg = new RegistryHive(hive)
                {
                    RecoverDeleted = true
                };
            }
            catch (IOException)
            {
                //file is in use

                if (RawCopy.Helper.IsAdministrator() == false)
                {
                    throw new UnauthorizedAccessException("Administrator privileges not found!");
                }

                _logger.Warn($"'{hive}' is in use. Rerouting...\r\n");

                var files = new List <string>();
                files.Add(hive);

                var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");

                foreach (var logFile in logFiles)
                {
                    files.Add(logFile);
                }

                rawFiles = RawCopy.Helper.GetFiles(files);

                var b = new byte[rawFiles.First().FileStream.Length];

                rawFiles.First().FileStream.Read(b, 0, (int)rawFiles.First().FileStream.Length);

                reg = new RegistryHive(b, rawFiles.First().InputFilename);
            }

            if (reg.Header.PrimarySequenceNumber != reg.Header.SecondarySequenceNumber)
            {
                if (string.IsNullOrEmpty(dirname))
                {
                    dirname = ".";
                }

                var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");
                var log      = LogManager.GetCurrentClassLogger();

                if (logFiles.Length == 0)
                {
                    if (noLogs == false)
                    {
                        log.Warn(
                            "Registry hive is dirty and no transaction logs were found in the same directory! LOGs should have same base name as the hive. Aborting!!");
                        throw new Exception(
                                  "Sequence numbers do not match and transaction logs were not found in the same directory as the hive. Aborting");
                    }

                    log.Warn(
                        "Registry hive is dirty and no transaction logs were found in the same directory. Data may be missing! Continuing anyways...");
                }
                else
                {
                    if (noLogs == false)
                    {
                        if (rawFiles != null)
                        {
                            var lt = new List <TransactionLogFileInfo>();
                            foreach (var rawCopyReturn in rawFiles.Skip(1).ToList())
                            {
                                var b = new byte[rawCopyReturn.FileStream.Length];

                                rawCopyReturn.FileStream.Read(b, 0, (int)rawCopyReturn.FileStream.Length);

                                var tt = new TransactionLogFileInfo(rawCopyReturn.InputFilename, b);
                                lt.Add(tt);
                            }

                            reg.ProcessTransactionLogs(lt, true);
                        }
                        else
                        {
                            reg.ProcessTransactionLogs(logFiles.ToList(), true);
                        }
                    }
                    else
                    {
                        log.Warn(
                            "Registry hive is dirty and transaction logs were found in the same directory, but --nl was provided. Data may be missing! Continuing anyways...");
                    }
                }
            }


            reg.ParseHive();

            var fileKey     = reg.GetKey(@"Root\InventoryApplicationFile");
            var programsKey = reg.GetKey(@"Root\InventoryApplication");


            UnassociatedFileEntries = new List <FileEntryNew>();
            ProgramsEntries         = new List <ProgramsEntryNew>();
            DeviceContainers        = new List <DeviceContainer>();
            DevicePnps     = new List <DevicePnp>();
            DriveBinaries  = new List <DriverBinary>();
            DriverPackages = new List <DriverPackage>();
            ShortCuts      = new List <Shortcut>();

            _logger.Debug("Getting Programs data");


            if (programsKey != null)
            {
                foreach (var registryKey in programsKey.SubKeys)
                {
                    var            bundleManifestPath = string.Empty;
                    var            hiddenArp          = false;
                    var            inboxModernApp     = false;
                    DateTimeOffset?installDate        = null;
                    var            language           = 0;
                    var            manifestPath       = string.Empty;
                    var            msiPackageCode     = string.Empty;
                    var            msiProductCode     = string.Empty;
                    var            name = string.Empty;
                    var            osVersionAtInstallTime = string.Empty;
                    var            packageFullName        = string.Empty;
                    var            programId         = string.Empty;
                    var            programInstanceId = string.Empty;
                    var            publisher         = string.Empty;
                    var            registryKeyPath   = string.Empty;
                    var            rootDirPath       = string.Empty;
                    var            source            = string.Empty;
                    var            storeAppType      = string.Empty;
                    var            type                       = string.Empty;
                    var            uninstallString            = string.Empty;
                    var            version                    = string.Empty;
                    var            installDateArpLastModified = string.Empty;
                    DateTimeOffset?installDateMsi             = null;
                    var            installDateFromLinkFile    = string.Empty;
                    var            manufacturer               = string.Empty;
                    var            driverVerVersion           = string.Empty;


                    try
                    {
                        foreach (var registryKeyValue in registryKey.Values)
                        {
                            switch (registryKeyValue.ValueName)
                            {
                            case "BundleManifestPath":
                                bundleManifestPath = registryKeyValue.ValueData;
                                break;

                            case "HiddenArp":
                                hiddenArp = registryKeyValue.ValueData == "1";
                                break;

                            case "InboxModernApp":
                                inboxModernApp = registryKeyValue.ValueData == "1";
                                break;

                            case "InstallDate":
                                if (registryKeyValue.ValueData.Length > 0)
                                {
                                    // _logger.Warn($"registryKeyValue.ValueData for InstallDate as InvariantCulture: {registryKeyValue.ValueData.ToString(CultureInfo.InvariantCulture)}");
                                    var d = new DateTimeOffset(
                                        DateTime.Parse(registryKeyValue.ValueData, DateTimeFormatInfo.InvariantInfo)
                                        .Ticks,
                                        TimeSpan.Zero);
                                    installDate = d;
                                }

                                break;

                            case "Language":
                                if (registryKeyValue.ValueData.Length == 0)
                                {
                                    language = 0;
                                }
                                else
                                {
                                    language = int.Parse(registryKeyValue.ValueData);
                                }

                                break;

                            case "ManifestPath":
                                manifestPath = registryKeyValue.ValueData;
                                break;

                            case "MsiPackageCode":
                                msiPackageCode = registryKeyValue.ValueData;
                                break;

                            case "MsiProductCode":
                                msiProductCode = registryKeyValue.ValueData;
                                break;

                            case "Name":
                                name = registryKeyValue.ValueData;
                                break;

                            case "OSVersionAtInstallTime":
                                osVersionAtInstallTime = registryKeyValue.ValueData;
                                break;

                            case "PackageFullName":
                                packageFullName = registryKeyValue.ValueData;
                                break;

                            case "ProgramId":
                                programId = registryKeyValue.ValueData;
                                break;

                            case "ProgramInstanceId":
                                programInstanceId = registryKeyValue.ValueData;
                                break;

                            case "Publisher":
                                publisher = registryKeyValue.ValueData;
                                break;

                            case "RegistryKeyPath":
                                registryKeyPath = registryKeyValue.ValueData;
                                break;

                            case "RootDirPath":
                                rootDirPath = registryKeyValue.ValueData;
                                break;

                            case "Source":
                                source = registryKeyValue.ValueData;
                                break;

                            case "StoreAppType":
                                storeAppType = registryKeyValue.ValueData;
                                break;

                            case "Type":
                                type = registryKeyValue.ValueData;
                                break;

                            case "UninstallString":
                                uninstallString = registryKeyValue.ValueData;
                                break;

                            case "Version":
                                version = registryKeyValue.ValueData;
                                break;

                            case "InstallDateArpLastModified":
                                if (registryKeyValue.ValueData.Length > 0)
                                {
                                    installDateArpLastModified = registryKeyValue.ValueData;
                                }

                                break;

                            case "InstallDateMsi":
                                if (registryKeyValue.ValueData.Length > 0)
                                {
                                    // _logger.Warn($"registryKeyValue.ValueData for InstallDate as InvariantCulture: {registryKeyValue.ValueData.ToString(CultureInfo.InvariantCulture)}");
                                    var d = new DateTimeOffset(
                                        DateTime.Parse(registryKeyValue.ValueData, DateTimeFormatInfo.InvariantInfo)
                                        .Ticks,
                                        TimeSpan.Zero);
                                    installDateMsi = d;
                                }

                                break;

                            case "InstallDateFromLinkFile":
                                if (registryKeyValue.ValueData.Length > 0)
                                {
                                    installDateFromLinkFile = registryKeyValue.ValueData;
                                }

                                break;

                            case "DriverVerVersion":
                            case "BusReportedDescription":
                            case "HWID":
                            case "COMPID":
                            case "STACKID":
                            case "UpperClassFilters":
                            case "UpperFilters":
                            case "LowerFilters":
                            case "BinFileVersion":
                            case "(default)":


                                break;

                            case "Manufacturer":
                                if (registryKeyValue.ValueData.Length > 0)
                                {
                                    manufacturer = registryKeyValue.ValueData;
                                }

                                break;

                            default:
                                _logger.Warn(
                                    $"Unknown value name in InventoryApplication at path {registryKey.KeyPath}: {registryKeyValue.ValueName}");
                                break;
                            }
                        }

                        var pe = new ProgramsEntryNew(bundleManifestPath, hiddenArp, inboxModernApp, installDate,
                                                      language,
                                                      manifestPath, msiPackageCode, msiProductCode, name, osVersionAtInstallTime, packageFullName,
                                                      programId, programInstanceId, publisher, registryKeyPath, rootDirPath, source, storeAppType,
                                                      type, uninstallString, version, registryKey.LastWriteTime.Value, installDateArpLastModified,
                                                      installDateMsi, installDateFromLinkFile, manufacturer);

                        ProgramsEntries.Add(pe);
                    }
                    catch (Exception ex)
                    {
                        if (registryKey.NkRecord.IsFree == false)
                        {
                            _logger.Error($"Error parsing ProgramsEntry at {registryKey.KeyPath}. Error: {ex.Message}");
                            _logger.Error(
                                $"Please send the following text to [email protected]. \r\n\r\nKey data: {registryKey}");
                        }
                    }
                }
            }
            else
            {
                _logger.Warn("Hive does not contain a Root\\InventoryApplication key.");
            }

            _logger.Debug("Getting Files data");


            if (fileKey != null)
            {
                foreach (var subKey in fileKey.SubKeys)
                {
                    var            binaryType        = string.Empty;
                    var            binFileVersion    = string.Empty;
                    var            binProductVersion = string.Empty;
                    var            fileId            = string.Empty;
                    var            isOsComponent     = false;
                    var            isPeFile          = false;
                    var            language          = 0;
                    DateTimeOffset?linkDate          = null;
                    var            longPathHash      = string.Empty;
                    var            lowerCaseLongPath = string.Empty;
                    var            name           = string.Empty;
                    var            productName    = string.Empty;
                    var            productVersion = string.Empty;
                    var            programId      = string.Empty;
                    var            publisher      = string.Empty;
                    long           size           = 0;
                    ulong          usn            = 0;
                    var            version        = string.Empty;
                    var            description    = string.Empty;

                    var hasLinkedProgram = false;

                    try
                    {
                        foreach (var subKeyValue in subKey.Values)
                        {
                            switch (subKeyValue.ValueName)
                            {
                            case "BinaryType":
                                binaryType = subKeyValue.ValueData;
                                break;

                            case "BinFileVersion":
                                binFileVersion = subKeyValue.ValueData;
                                break;

                            case "BinProductVersion":
                                binProductVersion = subKeyValue.ValueData;
                                break;

                            case "FileId":
                                fileId = subKeyValue.ValueData;
                                break;

                            case "IsOsComponent":
                                isOsComponent = subKeyValue.ValueData == "1";
                                break;

                            case "IsPeFile":
                                isPeFile = subKeyValue.ValueData == "1";
                                break;

                            case "Language":
                                language = int.Parse(subKeyValue.ValueData);
                                break;

                            case "LinkDate":
                                if (subKeyValue.ValueData.Length > 0)
                                {
                                    var d = new DateTimeOffset(
                                        DateTime.Parse(subKeyValue.ValueData, DateTimeFormatInfo.InvariantInfo)
                                        .Ticks,
                                        TimeSpan.Zero);
                                    linkDate = d;
                                }

                                break;

                            case "LongPathHash":
                                longPathHash = subKeyValue.ValueData;
                                break;

                            case "LowerCaseLongPath":
                                lowerCaseLongPath = subKeyValue.ValueData;
                                break;

                            case "Name":
                                name = subKeyValue.ValueData;
                                break;

                            case "ProductName":
                                productName = subKeyValue.ValueData;
                                break;

                            case "ProductVersion":
                                productVersion = subKeyValue.ValueData;
                                break;

                            case "ProgramId":
                                programId = subKeyValue.ValueData;

                                var program = ProgramsEntries.SingleOrDefault(t => t.ProgramId == programId);
                                if (program != null)
                                {
                                    hasLinkedProgram = true;
                                }

                                break;

                            case "Publisher":
                                publisher = subKeyValue.ValueData;
                                break;

                            case "Size":
                                try
                                {
                                    if (subKeyValue.ValueData.StartsWith("0x"))
                                    {
                                        size = long.Parse(subKeyValue.ValueData.Replace("0x", ""),
                                                          NumberStyles.HexNumber);
                                    }
                                    else
                                    {
                                        size = long.Parse(subKeyValue.ValueData);
                                    }
                                }
                                catch (Exception e)
                                {
                                }

                                break;

                            case "BusReportedDescription":
                            case "FileSize":
                            case "Model":
                            case "Manufacturer":
                            case "ParentId":
                            case "MatchingID":
                            case "ClassGuid":
                            case "DriverName":
                            case "Enumerator":
                            case "Service":
                            case "DeviceState":
                            case "InstallState":
                            case "DriverVerVersion":
                            case "DriverPackageStrongName":
                            case "DriverVerDate":
                            case "AppxPackageRelativeId":
                            case "AppxPackageFullName":
                            case "ContainerId":
                            case "HiddenArp":
                            case "Inf":
                            case "ProblemCode":

                            case "Provider":
                            case "Class":
                                break;

                            case "Description":
                                description = subKeyValue.ValueData;
                                break;

                            case "Version":
                                version = subKeyValue.ValueData;
                                break;

                            case "Usn":
                                usn = ulong.Parse(subKeyValue.ValueData);
                                break;

                            default:
                                if (subKeyValue.VkRecord.IsFree == false)
                                {
                                    _logger.Warn(
                                        $"Unknown value name when processing FileEntry at path '{subKey.KeyPath}': {subKeyValue.ValueName}");
                                }

                                break;
                            }
                        }
                    }
                    catch (Exception ex)
                    {
                        if (subKey.NkRecord.IsFree == false)
                        {
                            _logger.Error($"Error parsing FileEntry at {subKey.KeyPath}. Error: {ex.Message}");
                            _logger.Error(
                                $"Please send the following text to [email protected]. \r\n\r\nKey data: {subKey}");
                        }
                    }

                    TotalFileEntries += 1;


                    var fe = new FileEntryNew(binaryType, binFileVersion, productVersion, fileId, isOsComponent,
                                              isPeFile,
                                              language, linkDate, longPathHash, lowerCaseLongPath, name, productName, productVersion,
                                              programId,
                                              publisher, size, version, subKey.LastWriteTime.Value, binProductVersion, usn, description);

                    if (hasLinkedProgram)
                    {
                        var program = ProgramsEntries.SingleOrDefault(t => t.ProgramId == fe.ProgramId);
                        if (program != null)
                        {
                            fe.ApplicationName = program.Name;
                            program.FileEntries.Add(fe);
                        }
                    }
                    else
                    {
                        fe.ApplicationName = "Unassociated";
                        UnassociatedFileEntries.Add(fe);
                    }
                }
            }
            else
            {
                _logger.Warn("Hive does not contain a Root\\InventoryApplicationFile key.");
            }

            _logger.Debug("Getting Shortcut data");

            var shortCutkey = reg.GetKey(@"Root\InventoryApplicationShortcut");

            if (shortCutkey != null)
            {
                foreach (var shortCutkeySubKey in shortCutkey.SubKeys)
                {
                    var lnkName = "";
                    if (shortCutkeySubKey.Values.Count > 0)
                    {
                        lnkName = shortCutkeySubKey.Values.First().ValueData;
                    }
                    ShortCuts.Add(new Shortcut(shortCutkeySubKey.KeyName, lnkName,
                                               shortCutkeySubKey.LastWriteTime.Value));
                }
            }

            _logger.Debug("Getting InventoryDeviceContainer data");


            var deviceKey = reg.GetKey(@"Root\InventoryDeviceContainer");

            if (deviceKey != null)
            {
                foreach (var deviceSubKey in deviceKey.SubKeys)
                {
                    var categories         = string.Empty;
                    var discoveryMethod    = string.Empty;
                    var friendlyName       = string.Empty;
                    var icon               = string.Empty;
                    var isActive           = false;
                    var isConnected        = false;
                    var isMachineContainer = false;
                    var isNetworked        = false;
                    var isPaired           = false;
                    var manufacturer       = string.Empty;
                    var modelId            = string.Empty;
                    var modelName          = string.Empty;
                    var modelNumber        = string.Empty;
                    var primaryCategory    = string.Empty;
                    var state              = string.Empty;

                    try
                    {
                        foreach (var keyValue in deviceSubKey.Values)
                        {
                            switch (keyValue.ValueName)
                            {
                            case "Categories":
                                categories = keyValue.ValueData;
                                break;

                            case "DiscoveryMethod":
                                discoveryMethod = keyValue.ValueData;
                                break;

                            case "FriendlyName":
                                friendlyName = keyValue.ValueData;
                                break;

                            case "Icon":
                                icon = keyValue.ValueData;
                                break;

                            case "IsActive":
                                isActive = keyValue.ValueData == "1";
                                break;

                            case "IsConnected":
                                isConnected = keyValue.ValueData == "1";
                                break;

                            case "IsMachineContainer":
                                isMachineContainer = keyValue.ValueData == "1";
                                break;

                            case "IsNetworked":
                                isNetworked = keyValue.ValueData == "1";
                                break;

                            case "IsPaired":
                                isPaired = keyValue.ValueData == "1";
                                break;

                            case "Manufacturer":
                                manufacturer = keyValue.ValueData;
                                break;

                            case "ModelId":
                                modelId = keyValue.ValueData;
                                break;

                            case "ModelName":
                                modelName = keyValue.ValueData;
                                break;

                            case "ModelNumber":
                                modelNumber = keyValue.ValueData;
                                break;

                            case "PrimaryCategory":
                                primaryCategory = keyValue.ValueData;
                                break;

                            case "State":
                                state = keyValue.ValueData;
                                break;

                            case "(default)":
                            case "Model":
                            case "BusReportedDescription":
                            case "Version":
                            case "LowerClassFilters":
                            case "ManifestPath":
                            case "UpperClassFilters":
                                break;

                            default:
                                _logger.Warn(
                                    $"Unknown value name when processing DeviceContainer at path '{deviceSubKey.KeyPath}': {keyValue.ValueName}");
                                break;
                            }
                        }

                        var dc = new DeviceContainer(deviceSubKey.KeyName, deviceSubKey.LastWriteTime.Value, categories,
                                                     discoveryMethod, friendlyName, icon, isActive, isConnected, isMachineContainer, isNetworked,
                                                     isPaired, manufacturer, modelId, modelName, modelNumber, primaryCategory, state);

                        DeviceContainers.Add(dc);
                    }
                    catch (Exception ex)
                    {
                        if (deviceSubKey.NkRecord.IsFree == false)
                        {
                            _logger.Error(
                                $"Error parsing DeviceContainer at {deviceSubKey.KeyPath}. Error: {ex.Message}");
                            _logger.Error(
                                $"Please send the following text to [email protected]. \r\n\r\nKey data: {deviceSubKey}");
                        }
                    }
                }
            }

            _logger.Debug("Getting InventoryDevicePnp data");

            var pnpKey = reg.GetKey(@"Root\InventoryDevicePnp");

            if (pnpKey != null)
            {
                foreach (var pnpsKey in pnpKey.SubKeys)
                {
                    var busReportedDescription = string.Empty;
                    var Class                   = string.Empty;
                    var classGuid               = string.Empty;
                    var compid                  = string.Empty;
                    var containerId             = string.Empty;
                    var description             = string.Empty;
                    var deviceState             = string.Empty;
                    var driverId                = string.Empty;
                    var driverName              = string.Empty;
                    var driverPackageStrongName = string.Empty;
                    var driverVerDate           = string.Empty;
                    var driverVerVersion        = string.Empty;
                    var enumerator              = string.Empty;
                    var hwid         = string.Empty;
                    var inf          = string.Empty;
                    var installState = string.Empty;
                    var manufacturer = string.Empty;
                    var matchingId   = string.Empty;
                    var model        = string.Empty;
                    var parentId     = string.Empty;
                    var problemCode  = string.Empty;
                    var provider     = string.Empty;
                    var service      = string.Empty;
                    var stackid      = string.Empty;

                    try
                    {
                        foreach (var keyValue in pnpsKey.Values)
                        {
                            switch (keyValue.ValueName)
                            {
                            case "BusReportedDescription":
                                busReportedDescription = keyValue.ValueData;
                                break;

                            case "Class":
                                Class = keyValue.ValueData;
                                break;

                            case "ClassGuid":
                                classGuid = keyValue.ValueData;
                                break;

                            case "COMPID":
                                compid = keyValue.ValueData;
                                break;

                            case "ContainerId":
                                containerId = keyValue.ValueData;
                                break;

                            case "Description":
                                description = keyValue.ValueData;
                                break;

                            case "DeviceState":
                                deviceState = keyValue.ValueData;
                                break;

                            case "DriverId":
                                driverId = keyValue.ValueData;
                                break;

                            case "DriverName":
                                driverName = keyValue.ValueData;
                                break;

                            case "DriverPackageStrongName":
                                driverPackageStrongName = keyValue.ValueData;
                                break;

                            case "DriverVerDate":
                                driverVerDate = keyValue.ValueData;
                                break;

                            case "DriverVerVersion":
                                driverVerVersion = keyValue.ValueData;
                                break;

                            case "Enumerator":
                                enumerator = keyValue.ValueData;
                                break;

                            case "HWID":
                                hwid = keyValue.ValueData;
                                break;

                            case "Inf":
                                inf = keyValue.ValueData;
                                break;

                            case "InstallState":
                                installState = keyValue.ValueData;
                                break;

                            case "LowerClassFilters":
                            case "LowerFilters":
                                break;

                            case "Manufacturer":
                                manufacturer = keyValue.ValueData;
                                break;

                            case "MatchingID":
                                matchingId = keyValue.ValueData;
                                break;

                            case "Model":
                                model = keyValue.ValueData;
                                break;

                            case "ParentId":
                                parentId = keyValue.ValueData;
                                break;

                            case "ProblemCode":
                                problemCode = keyValue.ValueData;
                                break;

                            case "Provider":
                                provider = keyValue.ValueData;
                                break;

                            case "Service":
                                service = keyValue.ValueData;
                                break;

                            case "STACKID":
                                stackid = keyValue.ValueData;
                                break;

                            case "UpperClassFilters":
                            case "UpperFilters":
                            case "ExtendedInfs":
                            case "DeviceInterfaceClasses":
                            case "(default)":
                            case "DeviceExtDriversFlightIds":
                            case "InstallDate":
                            case "FirstInstallDate":
                            case "DeviceDriverFlightId":
                                _logger.Debug($"Value: '{keyValue.ValueName}' --> {keyValue.ValueData}");
                                break;

                            default:
                                _logger.Warn(
                                    $"Unknown value name when processing DevicePnp at path '{pnpsKey.KeyPath}': {keyValue.ValueName}");
                                break;
                            }
                        }

                        var dp = new DevicePnp(pnpsKey.KeyName, pnpsKey.LastWriteTime.Value, busReportedDescription,
                                               Class, classGuid, compid, containerId, description, deviceState, driverId, driverName,
                                               driverPackageStrongName, driverVerDate, driverVerVersion, enumerator, hwid, inf,
                                               installState, manufacturer, matchingId, model, parentId, problemCode, provider, service,
                                               stackid);

                        DevicePnps.Add(dp);
                    }
                    catch (Exception ex)
                    {
                        if (pnpKey.NkRecord.IsFree == false)
                        {
                            _logger.Error($"Error parsing DevicePnp at {pnpKey.KeyPath}. Error: {ex.Message}");
                            _logger.Error(
                                $"Please send the following text to [email protected]. \r\n\r\nKey data: {pnpKey}");
                        }
                    }
                }
            }

            _logger.Debug("Getting InventoryDriverBinary data");

            var binaryKey = reg.GetKey(@"Root\InventoryDriverBinary");

            if (binaryKey != null)
            {
                foreach (var binKey in binaryKey.SubKeys)
                {
                    var            driverCheckSum          = 0;
                    var            driverCompany           = string.Empty;
                    var            driverId                = string.Empty;
                    var            driverInBox             = false;
                    var            driverIsKernelMode      = false;
                    DateTimeOffset?driverLastWriteTime     = null;
                    var            driverName              = string.Empty;
                    var            driverPackageStrongName = string.Empty;
                    var            driverSigned            = false;
                    DateTimeOffset?driverTimeStamp         = null;
                    var            driverType              = string.Empty;
                    var            driverVersion           = string.Empty;
                    var            imageSize               = 0;
                    var            inf            = string.Empty;
                    var            product        = string.Empty;
                    var            productVersion = string.Empty;
                    var            service        = string.Empty;
                    var            wdfVersion     = string.Empty;


                    try
                    {
                        foreach (var keyValue in binKey.Values)
                        {
                            switch (keyValue.ValueName)
                            {
                            case "DriverCheckSum":
                                driverCheckSum = int.Parse(keyValue.ValueData);
                                break;

                            case "DriverCompany":
                                driverCompany = keyValue.ValueData;
                                break;

                            case "DriverId":
                                driverId = keyValue.ValueData;
                                break;

                            case "DriverInBox":
                                driverInBox = keyValue.ValueData == "1";
                                break;

                            case "DriverIsKernelMode":
                                driverIsKernelMode = keyValue.ValueData == "1";
                                break;

                            case "DriverLastWriteTime":
                                if (keyValue.ValueData.Length > 0)
                                {
                                    var d = new DateTimeOffset(
                                        DateTime.Parse(keyValue.ValueData, DateTimeFormatInfo.InvariantInfo).Ticks,
                                        TimeSpan.Zero);
                                    driverLastWriteTime = d;
                                }

                                break;

                            case "DriverName":
                                driverName = keyValue.ValueData;
                                break;

                            case "DriverPackageStrongName":
                                driverPackageStrongName = keyValue.ValueData;
                                break;

                            case "DriverSigned":
                                driverSigned = keyValue.ValueData == "1";
                                break;

                            case "DriverTimeStamp":
                                //DateTimeOffset.FromUnixTimeSeconds(seca).ToUniversalTime();
                                var seca = long.Parse(keyValue.ValueData);
                                if (seca > 0)
                                {
                                    driverTimeStamp = DateTimeOffset.FromUnixTimeSeconds(seca).ToUniversalTime();
                                }

                                break;

                            case "DriverType":
                                driverType = keyValue.ValueData;
                                break;

                            case "DriverVersion":
                                driverVersion = keyValue.ValueData;
                                break;

                            case "ImageSize":
                                imageSize = int.Parse(keyValue.ValueData);
                                break;

                            case "Inf":
                                inf = keyValue.ValueData;
                                break;

                            case "Product":
                                product = keyValue.ValueData;
                                break;

                            case "ProductVersion":
                                productVersion = keyValue.ValueData;
                                break;

                            case "Service":
                                service = keyValue.ValueData;
                                break;

                            case "WdfVersion":
                                wdfVersion = keyValue.ValueData;
                                break;

                            case "(default)":
                            case "COMPID":
                            case "HWID":
                                break;

                            default:
                                _logger.Warn(
                                    $"Unknown value name when processing DriverBinary at path '{binKey.KeyPath}': {keyValue.ValueName}");
                                break;
                            }
                        }

                        var db = new DriverBinary(binKey.KeyName, binKey.LastWriteTime.Value, driverCheckSum,
                                                  driverCompany, driverId, driverInBox, driverIsKernelMode, driverLastWriteTime, driverName,
                                                  driverPackageStrongName, driverSigned, driverTimeStamp, driverType, driverVersion,
                                                  imageSize, inf, product, productVersion, service, wdfVersion);

                        DriveBinaries.Add(db);
                    }
                    catch (Exception ex)
                    {
                        if (binaryKey.NkRecord.IsFree == false)
                        {
                            _logger.Error($"Error parsing DriverBinary at {binaryKey.KeyPath}. Error: {ex.Message}");
                            _logger.Error(
                                $"Please send the following text to [email protected]. \r\n\r\nKey data: {binaryKey}");
                        }
                    }
                }
            }

            _logger.Debug("Getting InventoryDriverPackage data");

            var packaheKey = reg.GetKey(@"Root\InventoryDriverPackage");

            if (packaheKey != null)
            {
                foreach (var packKey in packaheKey.SubKeys)
                {
                    var            Class        = string.Empty;
                    var            ClassGuid    = string.Empty;
                    DateTimeOffset?Date         = null;
                    var            Directory    = string.Empty;
                    var            DriverInBox  = false;
                    var            Hwids        = string.Empty;
                    var            Inf          = string.Empty;
                    var            Provider     = string.Empty;
                    var            SubmissionId = string.Empty;
                    var            SYSFILE      = string.Empty;
                    var            Version      = string.Empty;


                    try
                    {
                        foreach (var keyValue in packKey.Values)
                        {
                            switch (keyValue.ValueName)
                            {
                            case "Class":
                                Class = keyValue.ValueData;
                                break;

                            case "ClassGuid":
                                ClassGuid = keyValue.ValueData;
                                break;

                            case "Date":
                                if (keyValue.ValueData.Length > 0)
                                {
                                    var d = new DateTimeOffset(
                                        DateTime.Parse(keyValue.ValueData, DateTimeFormatInfo.InvariantInfo).Ticks,
                                        TimeSpan.Zero);
                                    Date = d;
                                }

                                break;

                            case "Directory":
                                Directory = keyValue.ValueData;
                                break;

                            case "DriverInBox":
                                DriverInBox = keyValue.ValueData == "1";
                                break;

                            case "Hwids":
                                Hwids = keyValue.ValueData;
                                break;

                            case "Inf":
                                Inf = keyValue.ValueData;
                                break;

                            case "Provider":
                                Provider = keyValue.ValueData;
                                break;

                            case "SubmissionId":
                                SubmissionId = keyValue.ValueData;
                                break;

                            case "SYSFILE":
                                SYSFILE = keyValue.ValueData;
                                break;

                            case "Version":
                                Version = keyValue.ValueData;
                                break;

                            case "IsActive":

                                break;

                            default:
                                _logger.Warn(
                                    $"Unknown value name when processing DriverPackage at path '{packKey.KeyPath}': {keyValue.ValueName}");
                                break;
                            }
                        }

                        var dp = new DriverPackage(packKey.KeyName, packKey.LastWriteTime.Value, Class, ClassGuid,
                                                   Date, Directory, DriverInBox, Hwids, Inf, Provider, SubmissionId, SYSFILE, Version);

                        DriverPackages.Add(dp);
                    }
                    catch (Exception ex)
                    {
                        if (packaheKey.NkRecord.IsFree == false)
                        {
                            _logger.Error($"Error parsing DriverPackage at {packaheKey.KeyPath}. Error: {ex.Message}");
                            _logger.Error(
                                $"Please send the following text to [email protected]. \r\n\r\nKey data: {packaheKey}");
                        }
                    }
                }
            }
        }
コード例 #28
0
        public void ShouldFindRegQWordValues()
        {
            var ntUser1OnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT");
            var key             = ntUser1OnDemand.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\Windows Error Reporting");

            Check.That(key).IsNotNull();

            var val = key.Values.Single(t => t.ValueName == "LastWatsonCabUploaded");

            Check.That(val).IsNotNull();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
            Check.That(val.VkRecord.ValueData).IsEqualTo((ulong)130557640214774914);
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

            key = ntUser1OnDemand.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList");

            Check.That(key).IsNotNull();

            val = key.Values.Single(t => t.ValueName == "BannedAppsLastModified");

            Check.That(val).IsNotNull();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
            Check.That(val.VkRecord.ValueData).IsEqualTo((ulong)0);
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

            var usrclassAcronis = new RegistryHive(@"..\..\..\Hives\Acronis_0x52_Usrclass.dat");

            usrclassAcronis.RecoverDeleted             = true;
            usrclassAcronis.FlushRecordListsAfterParse = false;
            usrclassAcronis.ParseHive();

            key = usrclassAcronis.GetKey(@"S-1-5-21-3851833874-1800822990-1357392098-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify");

            Check.That(key).IsNotNull();

            val = key.Values.Single(t => t.ValueName == "LastAdvertisement");

            Check.That(val).IsNotNull();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
            Check.That(val.VkRecord.ValueData).IsEqualTo((ulong)130294002389413697);
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

            var usrclassDeleted = new RegistryHive(@"..\..\..\Hives\UsrClassDeletedBags.dat");

            usrclassDeleted.RecoverDeleted             = true;
            usrclassDeleted.FlushRecordListsAfterParse = false;
            usrclassDeleted.ParseHive();
            key = usrclassDeleted.GetKey(@"S-1-5-21-146151751-63468248-1215037915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify");

            Check.That(key).IsNotNull();

            val = key.Values.Single(t => t.ValueName == "LastAdvertisement");

            Check.That(val).IsNotNull();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
            Check.That(val.VkRecord.ValueData).IsEqualTo((ulong)130672934390152518);
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

            var ntUserSlack = new RegistryHive(@"..\..\..\Hives\NTUSER slack.DAT");

            ntUserSlack.FlushRecordListsAfterParse = false;
            ntUserSlack.ParseHive();

            key = ntUserSlack.GetKey(@"$$$PROTO.HIV\Software\Microsoft\VisualStudio\7.0\External Tools");

            Check.That(key).IsNotNull();

            val = key.Values.Single(t => t.ValueName == "LastMerge");

            Check.That(val).IsNotNull();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
            Check.That(val.VkRecord.ValueData).IsEqualTo((ulong)127257359392030000);
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(4);
        }
コード例 #29
0
ファイル: Helper.cs プロジェクト: rathbuna/AmcacheParser
        public static bool IsNewFormat(string file, bool noLog)
        {
            RegistryKey  fileKey = null;
            RegistryHive reg;

            var dirname  = Path.GetDirectoryName(file);
            var hiveBase = Path.GetFileName(file);

            List <RawCopy.RawCopyReturn> rawFiles = null;

            try
            {
                try
                {
                    reg = new RegistryHive(file)
                    {
                        RecoverDeleted = true
                    };
                }
                catch (IOException)
                {
                    //file is in use

                    if (RawCopy.Helper.IsAdministrator() == false)
                    {
                        throw new UnauthorizedAccessException("Administrator privileges not found!");
                    }

                    var files = new List <string>();
                    files.Add(file);

                    var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");

                    foreach (var logFile in logFiles)
                    {
                        files.Add(logFile);
                    }

                    rawFiles = RawCopy.Helper.GetFiles(files);

                    var b = new byte[rawFiles.First().FileStream.Length];

                    rawFiles.First().FileStream.Read(b, 0, (int)rawFiles.First().FileStream.Length);

                    reg = new RegistryHive(b, rawFiles.First().InputFilename);
                }

                LogManager.DisableLogging();

                if (reg.Header.PrimarySequenceNumber != reg.Header.SecondarySequenceNumber)
                {
                    if (string.IsNullOrEmpty(dirname))
                    {
                        dirname = ".";
                    }

                    var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");

                    if (logFiles.Length == 0 || noLog)
                    {
                        var log = LogManager.GetCurrentClassLogger();

                        if (noLog == false)
                        {
                            log.Warn("Registry hive is dirty and no transaction logs were found in the same directory! LOGs should have same base name as the hive. Aborting!!");
                            throw new Exception("Sequence numbers do not match and transaction logs were not found in the same directory as the hive. Aborting");
                        }

                        log.Warn("Registry hive is dirty and no transaction logs were found in the same directory. Data may be missing! Continuing anyways...");
                    }
                    else
                    {
                        if (rawFiles != null)
                        {
                            var lt = new List <TransactionLogFileInfo>();
                            foreach (var rawCopyReturn in rawFiles.Skip(1).ToList())
                            {
                                var b = new byte[rawCopyReturn.FileStream.Length];

                                rawCopyReturn.FileStream.Read(b, 0, (int)rawCopyReturn.FileStream.Length);

                                var tt = new TransactionLogFileInfo(rawCopyReturn.InputFilename, b);
                                lt.Add(tt);
                            }

                            reg.ProcessTransactionLogs(lt, true);
                        }
                        else
                        {
                            reg.ProcessTransactionLogs(logFiles.ToList(), true);
                        }
                    }
                }


                reg.ParseHive();

                fileKey = reg.GetKey(@"Root\InventoryApplicationFile");

                LogManager.EnableLogging();
            }
            catch (Exception)
            {
                LogManager.EnableLogging();
            }

            return(fileKey != null);
        }
コード例 #30
0
        public AmcacheNew(string hive, bool recoverDeleted)
        {
            _logger = LogManager.GetCurrentClassLogger();

            var reg = new RegistryHive(hive)
            {
                RecoverDeleted = recoverDeleted
            };

            reg.ParseHive();

            var fileKey     = reg.GetKey(@"Root\InventoryApplicationFile");
            var programsKey = reg.GetKey(@"Root\InventoryApplication");


            UnassociatedFileEntries = new List <FileEntryNew>();
            ProgramsEntries         = new List <ProgramsEntryNew>();
            DeviceContainers        = new List <DeviceContainer>();
            DevicePnps     = new List <DevicePnp>();
            DriveBinaries  = new List <DriverBinary>();
            DriverPackages = new List <DriverPackage>();
            ShortCuts      = new List <Shortcut>();

            if (fileKey == null || programsKey == null)
            {
                _logger.Error(
                    "Hive does not contain a InventoryApplicationFile and/or InventoryApplication key. Processing cannot continue");
                return;
            }


            foreach (var registryKey in programsKey.SubKeys)
            {
                var            bundleManifestPath = string.Empty;
                var            hiddenArp          = false;
                var            inboxModernApp     = false;
                DateTimeOffset?installDate        = null;
                var            language           = 0;
                var            manifestPath       = string.Empty;
                var            msiPackageCode     = string.Empty;
                var            msiProductCode     = string.Empty;
                var            name = string.Empty;
                var            osVersionAtInstallTime = string.Empty;
                var            packageFullName        = string.Empty;
                var            programId         = string.Empty;
                var            programInstanceId = string.Empty;
                var            publisher         = string.Empty;
                var            registryKeyPath   = string.Empty;
                var            rootDirPath       = string.Empty;
                var            source            = string.Empty;
                var            storeAppType      = string.Empty;
                var            type            = string.Empty;
                var            uninstallString = string.Empty;
                var            version         = string.Empty;


                try
                {
                    foreach (var registryKeyValue in registryKey.Values)
                    {
                        switch (registryKeyValue.ValueName)
                        {
                        case "BundleManifestPath":
                            bundleManifestPath = registryKeyValue.ValueData;
                            break;

                        case "HiddenArp":
                            hiddenArp = registryKeyValue.ValueData == "1";
                            break;

                        case "InboxModernApp":
                            inboxModernApp = registryKeyValue.ValueData == "1";
                            break;

                        case "InstallDate":
                            if (registryKeyValue.ValueData.Length > 0)
                            {
                                var d = new DateTimeOffset(DateTime.Parse(registryKeyValue.ValueData).Ticks,
                                                           TimeSpan.Zero);
                                installDate = d;
                            }
                            break;

                        case "Language":
                            language = int.Parse(registryKeyValue.ValueData);
                            break;

                        case "ManifestPath":
                            manifestPath = registryKeyValue.ValueData;
                            break;

                        case "MsiPackageCode":
                            msiPackageCode = registryKeyValue.ValueData;
                            break;

                        case "MsiProductCode":
                            msiProductCode = registryKeyValue.ValueData;
                            break;

                        case "Name":
                            name = registryKeyValue.ValueData;
                            break;

                        case "OSVersionAtInstallTime":
                            osVersionAtInstallTime = registryKeyValue.ValueData;
                            break;

                        case "PackageFullName":
                            packageFullName = registryKeyValue.ValueData;
                            break;

                        case "ProgramId":
                            programId = registryKeyValue.ValueData;
                            break;

                        case "ProgramInstanceId":
                            programInstanceId = registryKeyValue.ValueData;
                            break;

                        case "Publisher":
                            publisher = registryKeyValue.ValueData;
                            break;

                        case "RegistryKeyPath":
                            registryKeyPath = registryKeyValue.ValueData;
                            break;

                        case "RootDirPath":
                            rootDirPath = registryKeyValue.ValueData;
                            break;

                        case "Source":
                            source = registryKeyValue.ValueData;
                            break;

                        case "StoreAppType":
                            storeAppType = registryKeyValue.ValueData;
                            break;

                        case "Type":
                            type = registryKeyValue.ValueData;
                            break;

                        case "UninstallString":
                            uninstallString = registryKeyValue.ValueData;
                            break;

                        case "Version":
                            version = registryKeyValue.ValueData;
                            break;

                        default:
                            _logger.Warn(
                                $"Unknown value name in InventoryApplication at path {registryKey.KeyPath}: {registryKeyValue.ValueName}");
                            break;
                        }
                    }

                    var pe = new ProgramsEntryNew(bundleManifestPath, hiddenArp, inboxModernApp, installDate, language,
                                                  manifestPath, msiPackageCode, msiProductCode, name, osVersionAtInstallTime, packageFullName,
                                                  programId, programInstanceId, publisher, registryKeyPath, rootDirPath, source, storeAppType,
                                                  type, uninstallString, version, registryKey.LastWriteTime.Value);

                    ProgramsEntries.Add(pe);
                }
                catch (Exception ex)
                {
                    _logger.Error($"Error parsing ProgramsEntry at {registryKey.KeyPath}. Error: {ex.Message}");
                    _logger.Error(
                        $"Please send the following text to [email protected]. \r\n\r\nKey data: {registryKey}");
                }
            }

            foreach (var subKey in fileKey.SubKeys)
            {
                var            binaryType        = string.Empty;
                var            binFileVersion    = string.Empty;
                var            binProductVersion = string.Empty;
                var            fileId            = string.Empty;
                var            isOsComponent     = false;
                var            isPeFile          = false;
                var            language          = 0;
                DateTimeOffset?linkDate          = null;
                var            longPathHash      = string.Empty;
                var            lowerCaseLongPath = string.Empty;
                var            name           = string.Empty;
                var            productName    = string.Empty;
                var            productVersion = string.Empty;
                var            programId      = string.Empty;
                var            publisher      = string.Empty;
                var            size           = 0;
                var            version        = string.Empty;

                var hasLinkedProgram = false;

                try
                {
                    foreach (var subKeyValue in subKey.Values)
                    {
                        switch (subKeyValue.ValueName)
                        {
                        case "BinaryType":
                            binaryType = subKeyValue.ValueData;
                            break;

                        case "BinFileVersion":
                            binFileVersion = subKeyValue.ValueData;
                            break;

                        case "BinProductVersion":
                            binProductVersion = subKeyValue.ValueData;
                            break;

                        case "FileId":
                            fileId = subKeyValue.ValueData;
                            break;

                        case "IsOsComponent":
                            isOsComponent = subKeyValue.ValueData == "1";
                            break;

                        case "IsPeFile":
                            isPeFile = subKeyValue.ValueData == "1";
                            break;

                        case "Language":
                            language = int.Parse(subKeyValue.ValueData);
                            break;

                        case "LinkDate":
                            if (subKeyValue.ValueData.Length > 0)
                            {
                                var d = new DateTimeOffset(DateTime.Parse(subKeyValue.ValueData).Ticks,
                                                           TimeSpan.Zero);
                                linkDate = d;
                            }


                            break;

                        case "LongPathHash":
                            longPathHash = subKeyValue.ValueData;
                            break;

                        case "LowerCaseLongPath":
                            lowerCaseLongPath = subKeyValue.ValueData;
                            break;

                        case "Name":
                            name = subKeyValue.ValueData;
                            break;

                        case "ProductName":
                            productName = subKeyValue.ValueData;
                            break;

                        case "ProductVersion":
                            productVersion = subKeyValue.ValueData;
                            break;

                        case "ProgramId":
                            programId = subKeyValue.ValueData;

                            var program = ProgramsEntries.SingleOrDefault(t => t.ProgramId == programId);
                            if (program != null)
                            {
                                hasLinkedProgram = true;
                            }
                            break;

                        case "Publisher":
                            publisher = subKeyValue.ValueData;
                            break;

                        case "Size":
                            size = int.Parse(subKeyValue.ValueData);
                            break;

                        case "Version":
                            version = subKeyValue.ValueData;
                            break;

                        default:
                            _logger.Warn(
                                $"Unknown value name when processing FileEntry at path '{subKey.KeyPath}': {subKeyValue.ValueName}");
                            break;
                        }
                    }
                }
                catch (Exception ex)
                {
                    _logger.Error($"Error parsing FileEntry at {subKey.KeyPath}. Error: {ex.Message}");
                    _logger.Error(
                        $"Please send the following text to [email protected]. \r\n\r\nKey data: {subKey}");
                }


                TotalFileEntries += 1;

                Debug.WriteLine(name);
                var fe = new FileEntryNew(binaryType, binFileVersion, productVersion, fileId, isOsComponent, isPeFile,
                                          language, linkDate, longPathHash, lowerCaseLongPath, name, productName, productVersion, programId,
                                          publisher, size, version, subKey.LastWriteTime.Value, binProductVersion);

                if (hasLinkedProgram)
                {
                    var program = ProgramsEntries.SingleOrDefault(t => t.ProgramId == fe.ProgramId);
                    fe.ApplicationName = program.Name;
                    program.FileEntries.Add(fe);
                }
                else
                {
                    fe.ApplicationName = "Unassociated";
                    UnassociatedFileEntries.Add(fe);
                }
            }


            var shortCutkey = reg.GetKey(@"Root\InventoryApplicationShortcut");

            if (shortCutkey != null)
            {
                foreach (var shortCutkeySubKey in shortCutkey.SubKeys)
                {
                    ShortCuts.Add(new Shortcut(shortCutkeySubKey.KeyName, shortCutkeySubKey.Values.First().ValueData,
                                               shortCutkeySubKey.LastWriteTime.Value));
                }
            }


            var deviceKey = reg.GetKey(@"Root\InventoryDeviceContainer");

            if (deviceKey != null)
            {
                foreach (var deviceSubKey in deviceKey.SubKeys)
                {
                    var categories         = string.Empty;
                    var discoveryMethod    = string.Empty;
                    var friendlyName       = string.Empty;
                    var icon               = string.Empty;
                    var isActive           = false;
                    var isConnected        = false;
                    var isMachineContainer = false;
                    var isNetworked        = false;
                    var isPaired           = false;
                    var manufacturer       = string.Empty;
                    var modelId            = string.Empty;
                    var modelName          = string.Empty;
                    var modelNumber        = string.Empty;
                    var primaryCategory    = string.Empty;
                    var state              = string.Empty;

                    try
                    {
                        foreach (var keyValue in deviceSubKey.Values)
                        {
                            switch (keyValue.ValueName)
                            {
                            case "Categories":
                                categories = keyValue.ValueData;
                                break;

                            case "DiscoveryMethod":
                                discoveryMethod = keyValue.ValueData;
                                break;

                            case "FriendlyName":
                                friendlyName = keyValue.ValueData;
                                break;

                            case "Icon":
                                icon = keyValue.ValueData;
                                break;

                            case "IsActive":
                                isActive = keyValue.ValueData == "1";
                                break;

                            case "IsConnected":
                                isConnected = keyValue.ValueData == "1";
                                break;

                            case "IsMachineContainer":
                                isMachineContainer = keyValue.ValueData == "1";
                                break;

                            case "IsNetworked":
                                isNetworked = keyValue.ValueData == "1";
                                break;

                            case "IsPaired":
                                isPaired = keyValue.ValueData == "1";
                                break;

                            case "Manufacturer":
                                manufacturer = keyValue.ValueData;
                                break;

                            case "ModelId":
                                modelId = keyValue.ValueData;
                                break;

                            case "ModelName":
                                modelName = keyValue.ValueData;
                                break;

                            case "ModelNumber":
                                modelNumber = keyValue.ValueData;
                                break;

                            case "PrimaryCategory":
                                primaryCategory = keyValue.ValueData;
                                break;

                            case "State":
                                state = keyValue.ValueData;
                                break;

                            default:
                                _logger.Warn(
                                    $"Unknown value name when processing DeviceContainer at path '{deviceSubKey.KeyPath}': {keyValue.ValueName}");
                                break;
                            }
                        }

                        var dc = new DeviceContainer(deviceSubKey.KeyName, deviceSubKey.LastWriteTime.Value, categories,
                                                     discoveryMethod, friendlyName, icon, isActive, isConnected, isMachineContainer, isNetworked,
                                                     isPaired, manufacturer, modelId, modelName, modelNumber, primaryCategory, state);

                        DeviceContainers.Add(dc);
                    }
                    catch (Exception ex)
                    {
                        _logger.Error($"Error parsing DeviceContainer at {deviceSubKey.KeyPath}. Error: {ex.Message}");
                        _logger.Error(
                            $"Please send the following text to [email protected]. \r\n\r\nKey data: {deviceSubKey}");
                    }
                }
            }


            var pnpKey = reg.GetKey(@"Root\InventoryDevicePnp");

            if (pnpKey != null)
            {
                foreach (var pnpsKey in pnpKey.SubKeys)
                {
                    var busReportedDescription = string.Empty;
                    var Class                   = string.Empty;
                    var classGuid               = string.Empty;
                    var compid                  = string.Empty;
                    var containerId             = string.Empty;
                    var description             = string.Empty;
                    var deviceState             = string.Empty;
                    var driverId                = string.Empty;
                    var driverName              = string.Empty;
                    var driverPackageStrongName = string.Empty;
                    var driverVerDate           = string.Empty;
                    var driverVerVersion        = string.Empty;
                    var enumerator              = string.Empty;
                    var hwid         = string.Empty;
                    var inf          = string.Empty;
                    var installState = string.Empty;
                    var manufacturer = string.Empty;
                    var matchingId   = string.Empty;
                    var model        = string.Empty;
                    var parentId     = string.Empty;
                    var problemCode  = string.Empty;
                    var provider     = string.Empty;
                    var service      = string.Empty;
                    var stackid      = string.Empty;

                    try
                    {
                        foreach (var keyValue in pnpsKey.Values)
                        {
                            switch (keyValue.ValueName)
                            {
                            case "BusReportedDescription":
                                busReportedDescription = keyValue.ValueData;
                                break;

                            case "Class":
                                Class = keyValue.ValueData;
                                break;

                            case "ClassGuid":
                                classGuid = keyValue.ValueData;
                                break;

                            case "COMPID":
                                compid = keyValue.ValueData;
                                break;

                            case "ContainerId":
                                containerId = keyValue.ValueData;
                                break;

                            case "Description":
                                description = keyValue.ValueData;
                                break;

                            case "DeviceState":
                                deviceState = keyValue.ValueData;
                                break;

                            case "DriverId":
                                driverId = keyValue.ValueData;
                                break;

                            case "DriverName":
                                driverName = keyValue.ValueData;
                                break;

                            case "DriverPackageStrongName":
                                driverPackageStrongName = keyValue.ValueData;
                                break;

                            case "DriverVerDate":
                                driverVerDate = keyValue.ValueData;
                                break;

                            case "DriverVerVersion":
                                driverVerVersion = keyValue.ValueData;
                                break;

                            case "Enumerator":
                                enumerator = keyValue.ValueData;
                                break;

                            case "HWID":
                                hwid = keyValue.ValueData;
                                break;

                            case "Inf":
                                inf = keyValue.ValueData;
                                break;

                            case "InstallState":
                                installState = keyValue.ValueData;
                                break;

                            case "LowerClassFilters":
                            case "LowerFilters":
                                break;

                            case "Manufacturer":
                                manufacturer = keyValue.ValueData;
                                break;

                            case "MatchingID":
                                matchingId = keyValue.ValueData;
                                break;

                            case "Model":
                                model = keyValue.ValueData;
                                break;

                            case "ParentId":
                                parentId = keyValue.ValueData;
                                break;

                            case "ProblemCode":
                                problemCode = keyValue.ValueData;
                                break;

                            case "Provider":
                                provider = keyValue.ValueData;
                                break;

                            case "Service":
                                service = keyValue.ValueData;
                                break;

                            case "STACKID":
                                stackid = keyValue.ValueData;
                                break;

                            case "UpperClassFilters":
                            case "UpperFilters":
                                break;

                            default:
                                _logger.Warn(
                                    $"Unknown value name when processing DevicePnp at path '{pnpsKey.KeyPath}': {keyValue.ValueName}");
                                break;
                            }
                        }

                        var dp = new DevicePnp(pnpsKey.KeyName, pnpKey.LastWriteTime.Value, busReportedDescription,
                                               Class, classGuid, compid, containerId, description, deviceState, driverId, driverName,
                                               driverPackageStrongName, driverVerDate, driverVerVersion, enumerator, hwid, inf,
                                               installState, manufacturer, matchingId, model, parentId, problemCode, provider, service,
                                               stackid);

                        DevicePnps.Add(dp);
                    }
                    catch (Exception ex)
                    {
                        _logger.Error($"Error parsing DevicePnp at {pnpKey.KeyPath}. Error: {ex.Message}");
                        _logger.Error(
                            $"Please send the following text to [email protected]. \r\n\r\nKey data: {pnpKey}");
                    }
                }
            }


            var binaryKey = reg.GetKey(@"Root\InventoryDriverBinary");

            if (binaryKey != null)
            {
                foreach (var binKey in binaryKey.SubKeys)
                {
                    var            driverCheckSum          = 0;
                    var            driverCompany           = string.Empty;
                    var            driverId                = string.Empty;
                    var            driverInBox             = false;
                    var            driverIsKernelMode      = false;
                    DateTimeOffset?driverLastWriteTime     = null;
                    var            driverName              = string.Empty;
                    var            driverPackageStrongName = string.Empty;
                    var            driverSigned            = false;
                    DateTimeOffset?driverTimeStamp         = null;
                    var            driverType              = string.Empty;
                    var            driverVersion           = string.Empty;
                    var            imageSize               = 0;
                    var            inf            = string.Empty;
                    var            product        = string.Empty;
                    var            productVersion = string.Empty;
                    var            service        = string.Empty;
                    var            wdfVersion     = string.Empty;


                    try
                    {
                        foreach (var keyValue in binKey.Values)
                        {
                            switch (keyValue.ValueName)
                            {
                            case "DriverCheckSum":
                                driverCheckSum = int.Parse(keyValue.ValueData);
                                break;

                            case "DriverCompany":
                                driverCompany = keyValue.ValueData;
                                break;

                            case "DriverId":
                                driverId = keyValue.ValueData;
                                break;

                            case "DriverInBox":
                                driverInBox = keyValue.ValueData == "1";
                                break;

                            case "DriverIsKernelMode":
                                driverIsKernelMode = keyValue.ValueData == "1";
                                break;

                            case "DriverLastWriteTime":
                                if (keyValue.ValueData.Length > 0)
                                {
                                    var d = new DateTimeOffset(DateTime.Parse(keyValue.ValueData).Ticks,
                                                               TimeSpan.Zero);
                                    driverLastWriteTime = d;
                                }

                                break;

                            case "DriverName":
                                driverName = keyValue.ValueData;
                                break;

                            case "DriverPackageStrongName":
                                driverPackageStrongName = keyValue.ValueData;
                                break;

                            case "DriverSigned":
                                driverSigned = keyValue.ValueData == "1";
                                break;

                            case "DriverTimeStamp":
                                //DateTimeOffset.FromUnixTimeSeconds(seca).ToUniversalTime();
                                var seca = long.Parse(keyValue.ValueData);
                                if (seca > 0)
                                {
                                    driverTimeStamp = DateTimeOffset.FromUnixTimeSeconds(seca).ToUniversalTime();
                                }
                                break;

                            case "DriverType":
                                driverType = keyValue.ValueData;
                                break;

                            case "DriverVersion":
                                driverVersion = keyValue.ValueData;
                                break;

                            case "ImageSize":
                                imageSize = int.Parse(keyValue.ValueData);
                                break;

                            case "Inf":
                                inf = keyValue.ValueData;
                                break;

                            case "Product":
                                product = keyValue.ValueData;
                                break;

                            case "ProductVersion":
                                productVersion = keyValue.ValueData;
                                break;

                            case "Service":
                                service = keyValue.ValueData;
                                break;

                            case "WdfVersion":
                                wdfVersion = keyValue.ValueData;
                                break;

                            default:
                                _logger.Warn(
                                    $"Unknown value name when processing DriverBinary at path '{binKey.KeyPath}': {keyValue.ValueName}");
                                break;
                            }
                        }

                        var db = new DriverBinary(binKey.KeyName, binaryKey.LastWriteTime.Value, driverCheckSum,
                                                  driverCompany, driverId, driverInBox, driverIsKernelMode, driverLastWriteTime, driverName,
                                                  driverPackageStrongName, driverSigned, driverTimeStamp, driverType, driverVersion,
                                                  imageSize, inf, product, productVersion, service, wdfVersion);

                        DriveBinaries.Add(db);
                    }
                    catch (Exception ex)
                    {
                        _logger.Error($"Error parsing DriverBinary at {binaryKey.KeyPath}. Error: {ex.Message}");
                        _logger.Error(
                            $"Please send the following text to [email protected]. \r\n\r\nKey data: {binaryKey}");
                    }
                }
            }


            var packaheKey = reg.GetKey(@"Root\InventoryDriverPackage");

            if (packaheKey != null)
            {
                foreach (var packKey in packaheKey.SubKeys)
                {
                    var            Class        = string.Empty;
                    var            ClassGuid    = string.Empty;
                    DateTimeOffset?Date         = null;
                    var            Directory    = string.Empty;
                    var            DriverInBox  = false;
                    var            Hwids        = string.Empty;
                    var            Inf          = string.Empty;
                    var            Provider     = string.Empty;
                    var            SubmissionId = string.Empty;
                    var            SYSFILE      = string.Empty;
                    var            Version      = string.Empty;


                    try
                    {
                        foreach (var keyValue in packKey.Values)
                        {
                            switch (keyValue.ValueName)
                            {
                            case "Class":
                                Class = keyValue.ValueData;
                                break;

                            case "ClassGuid":
                                ClassGuid = keyValue.ValueData;
                                break;

                            case "Date":
                                if (keyValue.ValueData.Length > 0)
                                {
                                    var d = new DateTimeOffset(DateTime.Parse(keyValue.ValueData).Ticks,
                                                               TimeSpan.Zero);
                                    Date = d;
                                }

                                break;

                            case "Directory":
                                Directory = keyValue.ValueData;
                                break;

                            case "DriverInBox":
                                DriverInBox = keyValue.ValueData == "1";
                                break;

                            case "Hwids":
                                Hwids = keyValue.ValueData;
                                break;

                            case "Inf":
                                Inf = keyValue.ValueData;
                                break;

                            case "Provider":
                                Provider = keyValue.ValueData;
                                break;

                            case "SubmissionId":
                                SubmissionId = keyValue.ValueData;
                                break;

                            case "SYSFILE":
                                SYSFILE = keyValue.ValueData;
                                break;

                            case "Version":
                                Version = keyValue.ValueData;
                                break;

                            default:
                                _logger.Warn(
                                    $"Unknown value name when processing DriverPackage at path '{packKey.KeyPath}': {keyValue.ValueName}");
                                break;
                            }
                        }

                        var dp = new DriverPackage(packKey.KeyName, packaheKey.LastWriteTime.Value, Class, ClassGuid,
                                                   Date, Directory, DriverInBox, Hwids, Inf, Provider, SubmissionId, SYSFILE, Version);

                        DriverPackages.Add(dp);
                    }
                    catch (Exception ex)
                    {
                        _logger.Error($"Error parsing DriverPackage at {packaheKey.KeyPath}. Error: {ex.Message}");
                        _logger.Error(
                            $"Please send the following text to [email protected]. \r\n\r\nKey data: {packaheKey}");
                    }
                }
            }
        }