예제 #1
0
        internal static string[] GetUserHiveInstances(string volume)
        {
            List <string> userHiveList = new List <string>();

            IndexEntry[] entries = null;

            try
            {
                entries = IndexEntry.GetInstances(Helper.GetVolumeLetter(volume) + @"\Users");
            }
            catch
            {
                try
                {
                    entries = IndexEntry.GetInstances(Helper.GetVolumeLetter(volume) + @"\Documents and Settings");
                }
                catch
                {
                    throw new Exception("Could not locate User Registry Hives.");
                }
            }

            foreach (IndexEntry e in entries)
            {
                try
                {
                    userHiveList.Add(IndexEntry.Get(e.FullName + @"\NTUSER.DAT").FullName);
                }
                catch
                {
                }
            }

            return(userHiveList.ToArray());
        }
예제 #2
0
        /// <summary>
        /// The ProcessRecord method calls ManagementClass.GetInstances()
        /// method to iterate through each BindingObject on each system specified.
        /// </summary>
        protected override void ProcessRecord()
        {
            // Determine Volume Name
            string volume = @"\\.\" + path.Split('\\')[0];

            int indexNumber = 0;

            if (ParameterSetName == "Path")
            {
                IndexEntry indexEntry = IndexEntry.Get(path);
                indexNumber = (int)indexEntry.RecordNumber;
            }
            else
            {
                indexNumber = index;
            }

            FileRecord record = FileRecord.Get(volume, indexNumber, true);

            byte[] fileBytes = record.GetBytes();

            // Open file for writing
            FileStream streamToWrite = new FileStream(destination, System.IO.FileMode.Create, System.IO.FileAccess.Write);

            // Writes a block of bytes to this stream using data from a byte array.
            streamToWrite.Write(fileBytes, 0, fileBytes.Length);
            // Close file stream
            streamToWrite.Close();
        }
예제 #3
0
        public static HiveBinHeader[] GetInstances(string path)
        {
            // Get bytes for the specific record
            string     volume = "\\\\.\\" + path.Split('\\')[0];
            IndexEntry entry  = IndexEntry.Get(path);
            FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, (int)entry.RecordNumber), volume);

            byte[] bytes = record.GetBytes();

            // Registry Header
            RegistryHeader header = new RegistryHeader(NativeMethods.GetSubArray(bytes, 0x00, 0x200));

            // Hive Bin Headers
            HiveBinHeader[] headerArray     = new HiveBinHeader[header.HiveBinsDataSize / 0x1000];
            byte[]          hbinHeaderBytes = new byte[0x20];
            uint            i = 0x1000;

            while (i < header.HiveBinsDataSize + 0x1000)
            {
                HiveBinHeader hbinHeader = new HiveBinHeader(NativeMethods.GetSubArray(bytes, i, 0x20));
                headerArray[((i / 0x1000) - 1)] = hbinHeader;
                i += hbinHeader.hBinSize;
            }

            return(headerArray);
        }
예제 #4
0
        internal static ScheduledJob Get(string path)
        {
            string     volume = "\\\\.\\" + path.Split('\\')[0];
            IndexEntry index  = IndexEntry.Get(path);
            FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, (int)index.RecordNumber), volume, true);

            return(new ScheduledJob(record.GetBytes()));
        }
예제 #5
0
        public static byte[] GetHiveBytes(string path)
        {
            // Get bytes for the specific record
            string     volume = "\\\\.\\" + path.Split('\\')[0];
            IndexEntry entry  = IndexEntry.Get(path);
            FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, (int)entry.RecordNumber), volume, true);

            return(record.GetBytes());
        }
예제 #6
0
        public static byte[] GetBytes(string path)
        {
            // Get bytes for the specific record
            string     volume = "\\\\.\\" + path.Split('\\')[0];
            IndexEntry entry  = IndexEntry.Get(path);
            FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, (int)entry.RecordNumber), volume);

            byte[] bytes = record.GetBytes();

            // Registry Header
            return(NativeMethods.GetSubArray(bytes, 0x00, 0x200));
        }
예제 #7
0
        protected override void ProcessRecord()
        {
            if (ParameterSetName == "Path")
            {
                IndexEntry entry = IndexEntry.Get(filePath);

                FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, (int)entry.RecordNumber), volume);

                if (record.Attribute != null)
                {
                    foreach (Attr attr in record.Attribute)
                    {
                        if (attr.Name == Attr.ATTR_TYPE.DATA)
                        {
                            //if (attr.NameString != "")
                            if (attr.NameString.Length > 0)
                            {
                                WriteObject(new AlternateDataStream(record.FullName, record.Name, attr.NameString));
                            }
                        }
                    }
                }
            }
            else
            {
                FileRecord[] records = FileRecord.GetInstances(volume);

                foreach (FileRecord record in records)
                {
                    if (record.Attribute != null)
                    {
                        foreach (Attr attr in record.Attribute)
                        {
                            if (attr.Name == Attr.ATTR_TYPE.DATA)
                            {
                                //if (attr.NameString != "")
                                if (attr.NameString.Length > 0)
                                {
                                    WriteObject(new AlternateDataStream(record.FullName, record.Name, attr.NameString));
                                }
                            }
                        }
                    }
                }
            }
        } // ProcessRecord
예제 #8
0
        public static Prefetch Get(string filePath)
        {
            // Get volume path from filePath
            string volume = @"\\.\" + filePath.Split('\\')[0];

            // Get a handle to the volume
            IntPtr hVolume = NativeMethods.getHandle(volume);

            // Get MFT Index for specified file
            int index = (int)(IndexEntry.Get(filePath)).RecordNumber;

            // Get bytes for specific Prefetch file
            byte[] fileBytes = new FileRecord(FileRecord.GetRecordBytes(volume, index), volume, true).GetBytes();

            try
            {
                // Return a Prefetch object for the Prefetch file stored at filePath
                return(new Prefetch(fileBytes));
            }
            catch
            {
                throw new Exception("Error parsing Prefetch file");
            }
        }
 /// <summary>
 ///
 /// </summary>
 protected override void ProcessRecord()
 {
     WriteObject(IndexEntry.Get(path).RecordNumber);
 }
예제 #10
0
        protected override void ProcessRecord()
        {
            int indexNo = 0;

            byte[] contentArray = null;

            #region Encoding

            System.Text.Encoding contentEncoding = System.Text.Encoding.Default;
            bool asBytes = false;

            if (this.MyInvocation.BoundParameters.ContainsKey("Encoding"))
            {
                if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Ascii)
                {
                    contentEncoding = System.Text.Encoding.ASCII;
                }
                else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.BigEndianUnicode)
                {
                    contentEncoding = System.Text.Encoding.BigEndianUnicode;
                }
                else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Byte)
                {
                    asBytes = true;
                }
                else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.String)
                {
                    contentEncoding = System.Text.Encoding.Unicode;
                }
                else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Unicode)
                {
                    contentEncoding = System.Text.Encoding.Unicode;
                }
                else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Unknown)
                {
                    asBytes = true;
                }
                else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.UTF7)
                {
                    contentEncoding = System.Text.Encoding.UTF7;
                }
                else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.UTF8)
                {
                    contentEncoding = System.Text.Encoding.UTF8;
                }
            }

            #endregion Encoding

            if (this.MyInvocation.BoundParameters.ContainsKey("Path"))
            {
                string volLetter = filePath.Split('\\')[0];
                string volume    = @"\\.\" + volLetter;
                indexNo      = (int)IndexEntry.Get(filePath).RecordNumber;
                contentArray = new FileRecord(FileRecord.GetRecordBytes(volume, indexNo), volume, true).GetBytes();
            }

            else if (this.MyInvocation.BoundParameters.ContainsKey("IndexNumber"))
            {
                NativeMethods.getVolumeName(ref volume);
                contentArray = new FileRecord(FileRecord.GetRecordBytes(volume, index), volume, true).GetBytes();
            }

            if (asBytes)
            {
                WriteObject(contentArray);
            }
            else
            {
                string[] outputArray = contentEncoding.GetString(contentArray).Split('\n');

                if (this.MyInvocation.BoundParameters.ContainsKey("TotalCount") && this.MyInvocation.BoundParameters.ContainsKey("Tail"))
                {
                    throw new InvalidOperationException("The parameters TotalCount and Tail cannot be used together. Please specify only one parameter.");
                }
                else if (this.MyInvocation.BoundParameters.ContainsKey("TotalCount"))
                {
                    for (int i = 0; (i < totalCount) && (i < outputArray.Length); i++)
                    {
                        WriteObject(outputArray[i]);
                    }
                }
                else if (this.MyInvocation.BoundParameters.ContainsKey("Tail"))
                {
                    for (long i = tail; (i > 0); i--)
                    {
                        if (i > outputArray.Length)
                        {
                            i = outputArray.Length;
                        }

                        WriteObject(outputArray[outputArray.Length - i]);
                    }
                }
                else
                {
                    WriteObject(outputArray);
                }
            }
        } // ProcessRecord