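/// <summary>
/// Performs the parsing of the cache entry data: a NUL-terminated UTF-16LE path held in a
/// fixed field of <c>Global.MAX_PATH + 8</c> bytes, followed by a FILETIME, a 64-bit file
/// size and a second FILETIME.
/// </summary>
/// <param name="data">Raw bytes of one cache entry.</param>
/// <remarks>
/// The method returns before assigning anything when no terminator is found in the path
/// field or the path is blank, and returns before <c>ExecDateTime</c> is read when the file
/// size is 0, so callers must not assume every property was refreshed by a call.
/// A timestamp that cannot be read or converted is stored as <c>DateTime.MinValue</c>;
/// treat that value as "not available", never as a real point in time.
/// </remarks>
public void Update(byte[] data)
{
    using (MemoryStream memoryStream = new MemoryStream(data))
    {
        // No size values are included in these entries, so the end of the path is found by
        // searching the fixed-size path field for the UTF-16 terminator (two zero bytes).
        int pathFieldSize = (int)(Global.MAX_PATH + 8);

        // Never scan past the buffer that was actually supplied.
        int searchLimit = Math.Min(data.Length, pathFieldSize);

        // Step one UTF-16 code unit (2 bytes) at a time. A byte-wise search for 00 00 also
        // matches across two code units (e.g. '\' = 5C 00 followed by U+4E00 = 00 4E), which
        // would cut a non-ASCII path short and silently misreport the recorded file name.
        int pathByteCount = -1;
        for (int i = 0; i + 1 < searchLimit; i += 2)
        {
            if (data[i] == 0 && data[i + 1] == 0)
            {
                pathByteCount = i;
                break;
            }
        }

        if (pathByteCount < 0)
        {
            // No terminator inside the path field: nothing usable to report.
            return;
        }

        string path = Encoding.Unicode.GetString(data, 0, pathByteCount);

        // Drop the "\??\" prefix so the stored path reads as an ordinary path.
        path = path.Replace("\\??\\", string.Empty);
        if (path.Trim().Length == 0)
        {
            return;
        }

        Path = path;

        // The fixed-width fields start immediately after the path field.
        // NOTE(review): nothing here verifies that data is long enough for the fields below;
        // what happens on a truncated entry depends on StreamReaderHelper - confirm.
        memoryStream.Seek(pathFieldSize, SeekOrigin.Begin);

        try
        {
            // FILETIME is stored as two 32-bit halves, low part first.
            UInt32 lowDateTime = StreamReaderHelper.ReadUInt32(memoryStream);
            UInt32 highDateTime = StreamReaderHelper.ReadUInt32(memoryStream);
            long hFT2 = (((long)highDateTime) << 32) + lowDateTime;
            ModDateTime = DateTime.FromFileTimeUtc(hFT2);
        }
        catch (Exception)
        {
            // Best effort: FromFileTimeUtc rejects out-of-range values; the broad catch also
            // hides read failures, so MinValue only means "no usable timestamp".
            ModDateTime = DateTime.MinValue;
        }

        FileSize = StreamReaderHelper.ReadUInt64(memoryStream);
        if (FileSize == 0)
        {
            // ExecDateTime is deliberately not read for zero-size entries.
            return;
        }

        try
        {
            UInt32 lowDateTime = StreamReaderHelper.ReadUInt32(memoryStream);
            UInt32 highDateTime = StreamReaderHelper.ReadUInt32(memoryStream);
            long hFT2 = (((long)highDateTime) << 32) + lowDateTime;
            ExecDateTime = DateTime.FromFileTimeUtc(hFT2);
        }
        catch (Exception)
        {
            ExecDateTime = DateTime.MinValue;
        }
    }
}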
/// <summary>
/// Performs the parsing of the cache entry data. The layout depends on <c>Is32Bit</c>:
/// 32-bit entries hold 32-bit Offset, BlobSize and BlobOffset fields; otherwise four bytes
/// are skipped after MaxLength and those three fields are 64 bits wide.
/// </summary>
/// <param name="data">Raw bytes of one cache entry.</param>
/// <remarks>
/// Offset, BlobSize and BlobOffset are copied from <paramref name="data"/> without any
/// validation; code that later uses them to index into a larger buffer must range-check
/// them first. A timestamp that cannot be read or converted is stored as
/// <c>DateTime.MinValue</c>. <c>ProcessExec</c> only records that the CSRSS flag is set,
/// i.e. that the file may have been executed; it is an indicator, not proof of execution.
/// </remarks>
public void Update(byte[] data)
{
    using (MemoryStream entryStream = new MemoryStream(data))
    {
        entryStream.Seek(0, SeekOrigin.Begin);

        // Decide the layout once; every width-dependent field below follows this choice.
        bool narrowLayout = Is32Bit == true;

        // Both layouts start with the same two 16-bit fields.
        Length = StreamReaderHelper.ReadUInt16(entryStream);
        MaxLength = StreamReaderHelper.ReadUInt16(entryStream);

        if (narrowLayout)
        {
            Offset = StreamReaderHelper.ReadUInt32(entryStream);
        }
        else
        {
            // Four bytes sit between MaxLength and the 64-bit Offset; they are skipped.
            entryStream.Seek(4, SeekOrigin.Current);
            Offset = StreamReaderHelper.ReadUInt64(entryStream);
        }

        try
        {
            // FILETIME is stored as two 32-bit halves, low part first.
            uint lowPart = StreamReaderHelper.ReadUInt32(entryStream);
            uint highPart = StreamReaderHelper.ReadUInt32(entryStream);
            long fileTime = ((long)highPart << 32) + lowPart;
            DateTime = DateTime.FromFileTimeUtc(fileTime);
        }
        catch (Exception)
        {
            // Best effort: any failure while reading or converting yields the sentinel.
            DateTime = DateTime.MinValue;
        }

        // The two flag words are 32 bits wide in both layouts.
        FileFlags = StreamReaderHelper.ReadUInt32(entryStream);
        Flags = StreamReaderHelper.ReadUInt32(entryStream);

        if (narrowLayout)
        {
            BlobSize = StreamReaderHelper.ReadUInt32(entryStream);
            BlobOffset = StreamReaderHelper.ReadUInt32(entryStream);
        }
        else
        {
            BlobSize = StreamReaderHelper.ReadUInt64(entryStream);
            BlobOffset = StreamReaderHelper.ReadUInt64(entryStream);
        }
    }

    // Test to see if the file may have been executed.
    ProcessExec = (FileFlags & Global.CSRSS_FLAG) == Global.CSRSS_FLAG;
}
/// <summary>
/// Performs the parsing of the cache entry data. After the Length and MaxLength fields the
/// layout depends on <c>Is32Bit</c>: a 32-bit Offset, or four skipped bytes followed by a
/// 64-bit Offset. A FILETIME and the two 32-bit FileSizeLow / FileSizeHigh fields follow
/// in both layouts.
/// </summary>
/// <param name="data">Raw bytes of one cache entry.</param>
/// <remarks>
/// Offset is copied from <paramref name="data"/> without validation; range-check it before
/// using it as an index. A timestamp that cannot be read or converted is stored as
/// <c>DateTime.MinValue</c>. <c>ProcessExec</c> is assigned only when
/// <c>_containsFileSize</c> is false; otherwise it keeps whatever value it already had, so
/// it must not be read as "not executed" for entries that carry a file size.
/// </remarks>
public void Update(byte[] data)
{
    using (MemoryStream entryStream = new MemoryStream(data))
    {
        entryStream.Seek(0, SeekOrigin.Begin);

        Length = StreamReaderHelper.ReadUInt16(entryStream);
        MaxLength = StreamReaderHelper.ReadUInt16(entryStream);

        // Only the Offset field differs between the two layouts.
        if (Is32Bit == true)
        {
            Offset = StreamReaderHelper.ReadUInt32(entryStream);
        }
        else
        {
            // Four bytes sit between MaxLength and the 64-bit Offset; they are skipped.
            entryStream.Seek(4, SeekOrigin.Current);
            Offset = StreamReaderHelper.ReadUInt64(entryStream);
        }

        try
        {
            // FILETIME is stored as two 32-bit halves, low part first.
            uint lowPart = StreamReaderHelper.ReadUInt32(entryStream);
            uint highPart = StreamReaderHelper.ReadUInt32(entryStream);
            long fileTime = ((long)highPart << 32) + lowPart;
            DateTime = DateTime.FromFileTimeUtc(fileTime);
        }
        catch (Exception)
        {
            // Best effort: any failure while reading or converting yields the sentinel.
            DateTime = DateTime.MinValue;
        }

        FileSizeLow = StreamReaderHelper.ReadUInt32(entryStream);
        FileSizeHigh = StreamReaderHelper.ReadUInt32(entryStream);
    }

    // The CSRSS flag is tested on FileSizeLow only for entries without a file size.
    // NOTE(review): presumably the field carries flags rather than a size on such
    // entries - confirm against the format description.
    if (_containsFileSize == false)
    {
        ProcessExec = (FileSizeLow & Global.CSRSS_FLAG) == Global.CSRSS_FLAG;
    }
}