예제 #1
0
        public Windows7(byte[] rawBytes, bool is32Bit, string computerName)
        {
            Entries = new List<CacheEntry>();

            var index = 4;

            var cacheItems = BitConverter.ToUInt32(rawBytes, index);

            index = 128;

            var position = 0;

            if ((is32Bit))
            {
                while (index <= rawBytes.Length)
                {
                    try
                    {
                        var ce = new CacheEntry();

                        ce.ComputerName = computerName;

                        ce.PathSize = BitConverter.ToUInt16(rawBytes, index);
                        index += 2;

                        var maxPathSize = BitConverter.ToUInt16(rawBytes, index);
                        index += 2;


                        var pathOffset = BitConverter.ToInt32(rawBytes, index);
                        index += 4;

                        ce.LastModifiedTimeLocal =
                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index));

                        ce.LastModifiedTimeUTC =
                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
                        index += 8;

                        // skip 4 unknown (insertion flags?)
                        var Flag = BitConverter.ToInt32(rawBytes, index);
                        Flag = Flag & 2;
                        if (Flag == 2)
                            ce.Flag = "Executed";
                        index += 4;

                        // skip 4 unknown (shim flags?)
                        index += 4;

                        var ceDataSize = BitConverter.ToUInt32(rawBytes, index);
                        index += 4;

                        var dataOffset = BitConverter.ToUInt32(rawBytes, index);
                        index += 4;

                        ce.Path = Encoding.Unicode.GetString(rawBytes, pathOffset, ce.PathSize);

                        ce.CacheEntryPosition = position;
                        Entries.Add(ce);
                        position += 1;

                        if (Entries.Count == cacheItems)
                        {
                            break;
                        }
                    }
                    catch (Exception ex)
                    {
                        //TODO Report this
                        Debug.WriteLine(ex.Message);
                        //take what we can get
                        break;
                    }
                }
            }
            else
            {
                while (index <= rawBytes.Length)
                {
                    try
                    {
                        var ce = new CacheEntry();

                        ce.ComputerName = computerName;

                        ce.PathSize = BitConverter.ToUInt16(rawBytes, index);
                        index += 2;

                        var maxPathSize = BitConverter.ToUInt16(rawBytes, index);
                        index += 2;

                        // skip 4 unknown (padding)
                        index += 4;

                        var pathOffset = BitConverter.ToInt64(rawBytes, index);
                        index += 8;

                        ce.LastModifiedTimeLocal =
                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index));

                        ce.LastModifiedTimeUTC =
                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
                        index += 8;

                        // skip 4 unknown (insertion flags?)
                        var Flag = BitConverter.ToInt32(rawBytes, index);
                        Flag = Flag & 2;
                        if(Flag == 2)
                            ce.Flag = "Executed";
                        index += 4;

                        // skip 4 unknown (shim flags?)
                        index += 4;

                        var ceDataSize = BitConverter.ToUInt64(rawBytes, index);
                        index += 8;

                        var dataOffset = BitConverter.ToUInt64(rawBytes, index);
                        index += 8;

                        ce.Path = Encoding.Unicode.GetString(rawBytes, (int) pathOffset, ce.PathSize);

                        ce.CacheEntryPosition = position;
                        Entries.Add(ce);
                        position += 1;

                        if (Entries.Count == cacheItems)
                        {
                            break;
                        }
                    }
                    catch (Exception ex)
                    {
                        //TODO Report this
                        //take what we can get
                        break;
                    }
                }
            }
        }
예제 #2
0
        public WindowsXP(byte[] rawBytes, bool is32Bit, string computerName)
        {
            Entries = new List<CacheEntry>();

            var index = 4;

            var cacheItems = BitConverter.ToUInt32(rawBytes, index);
            index += 4;

            var lruArrauEntries = BitConverter.ToUInt32(rawBytes, index);
            index += 4;

            index = 400;

            var position = 0;

            if ((is32Bit))
            {
                while (index <= rawBytes.Length)
                {
                    try
                    {
                        var ce = new CacheEntry();

                        ce.PathSize = 528;

                        ce.Path = Encoding.Unicode.GetString(rawBytes, index, ce.PathSize).Replace('\0', ' ').Trim();
                        index += 528;

                        ce.LastModifiedTimeLocal =
                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index));

                        ce.LastModifiedTimeUTC =
                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
                        index += 8;

                        var fileSize = BitConverter.ToUInt64(rawBytes, index);
                        index += 8;

                        //                        ce.LastModifiedTimeUTC =
                        //                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
                        //this is last update time, its not reported yet
                        index += 8;

                        if (ce.LastModifiedTimeUTC.Year == 1601)
                        {
                            break;
                        }

                        ce.CacheEntryPosition = position;
                        Entries.Add(ce);
                        position += 1;

                        if (Entries.Count == cacheItems)
                        {
                            break;
                        }
                    }
                    catch (Exception ex)
                    {
                        //TODO Report this
                        //take what we can get
                        break;
                    }
                }
            }
            else
            {

                throw new Exception("64 bit XP support not available. send the hive to [email protected] so support can be added");
                while (index <= rawBytes.Length)
                {
                    try
                    {
                        var ce = new CacheEntry();

                        ce.PathSize = BitConverter.ToUInt16(rawBytes, index);
                        index += 2;

                        var maxPathSize = BitConverter.ToUInt16(rawBytes, index);
                        index += 2;


                        var pathOffset = BitConverter.ToInt32(rawBytes, index);
                        index += 4;

                        ce.LastModifiedTimeUTC =
                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
                        index += 8;

                        // skip 4 unknown (insertion flags?)
                        index += 4;

                        // skip 4 unknown (shim flags?)
                        index += 4;

                        var ceDataSize = BitConverter.ToUInt32(rawBytes, index);
                        index += 4;

                        var dataOffset = BitConverter.ToUInt32(rawBytes, index);
                        index += 4;

                        ce.Path = Encoding.Unicode.GetString(rawBytes, pathOffset, ce.PathSize);

                        if (ce.LastModifiedTimeUTC.Year == 1601)
                        {
                            break;
                        }

                        ce.CacheEntryPosition = position;
                        Entries.Add(ce);
                        position += 1;



                        if (Entries.Count == cacheItems)
                        {
                            break;
                        }
                    }
                    catch (Exception ex)
                    {
                        //TODO Report this
                        Debug.WriteLine(ex.Message);
                        //take what we can get
                        break;
                    }
                }

               
            }
        }
예제 #3
0
        public Windows8x(byte[] rawBytes, AppCompatCache.OperatingSystemVersion os, string computerName)
        {
            Entries = new List<CacheEntry>();

            var index = 128;

            var signature = "00ts";

            if (os == AppCompatCache.OperatingSystemVersion.Windows81_Windows2012R2)
            {
                signature = "10ts";
            }

            var position = 0;

            while (index <= rawBytes.Length)
            {
                try
                {
                    var ce = new CacheEntry
                    {
                        Signature = Encoding.ASCII.GetString(rawBytes, index, 4)
                    };

                    if (ce.Signature != signature)
                    {
                        break;
                    }

                    ce.ComputerName = computerName;

                    index += 4;

                    // skip 4 unknown
                    index += 4;

                    var ceDataSize = BitConverter.ToUInt32(rawBytes, index);
                    index += 4;

                    ce.PathSize = BitConverter.ToUInt16(rawBytes, index);
                    index += 2;

                    ce.Path = Encoding.Unicode.GetString(rawBytes, index, ce.PathSize);
                    index += ce.PathSize;

                    // skip 4 unknown (insertion flags?)
                    var Flag = BitConverter.ToInt32(rawBytes, index);
                    Flag = Flag & 2;
                    if (Flag == 2)
                        ce.Flag = "Executed";
                    index += 4;

                    // skip 4 unknown (shim flags?)
                    index += 4;

                    // skip 2 unknown
                    index += 2;

                    ce.LastModifiedTimeLocal =
                        DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index));

                    ce.LastModifiedTimeUTC =
                        DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();

                    index += 8;

                    ce.DataSize = BitConverter.ToInt32(rawBytes, index);
                    index += 4;

                    ce.Data = rawBytes.Skip(index).Take(ce.DataSize).ToArray();
                    index += ce.DataSize;

                    ce.CacheEntryPosition = position;

                    Entries.Add(ce);
                    position += 1;
                }
                catch (Exception ex)
                {
                    //TODO report this
                    //take what we can get
                    break;
                }
            }
        }
예제 #4
0
        public Windows10(byte[] rawBytes, int controlSet)
        {
            Entries = new List <CacheEntry>();

            ExpectedEntries = 0;

            var offsetToRecords = BitConverter.ToInt32(rawBytes, 0);

            ExpectedEntries = BitConverter.ToInt32(rawBytes, 0x24);

            if (offsetToRecords == 0x34)
            {
                ExpectedEntries = BitConverter.ToInt32(rawBytes, 0x28);
            }

            var index = offsetToRecords;

            ControlSet = controlSet;

            EntryCount = -1;

            var position = 0;

            while (index < rawBytes.Length)
            {
                try
                {
                    var ce = new CacheEntry
                    {
                        Signature = Encoding.ASCII.GetString(rawBytes, index, 4)
                    };

                    if (ce.Signature != "10ts")
                    {
                        break;
                    }

                    index += 4;

                    // skip 4 unknown
                    index += 4;

                    var ceDataSize = BitConverter.ToUInt32(rawBytes, index);
                    index += 4;

                    ce.PathSize = BitConverter.ToUInt16(rawBytes, index);
                    index      += 2;
                    ce.Path     = Encoding.Unicode.GetString(rawBytes, index, ce.PathSize).Replace(@"\??\", "");
                    index      += ce.PathSize;

                    ce.LastModifiedTimeUTC =
                        DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
                    index += 8;

                    ce.DataSize = BitConverter.ToInt32(rawBytes, index);
                    index      += 4;

                    ce.Data = rawBytes.Skip(index).Take(ce.DataSize).ToArray();
                    index  += ce.DataSize;

                    ce.Executed = AppCompatCache.Execute.NA;

                    ce.ControlSet         = controlSet;
                    ce.CacheEntryPosition = position;

                    Entries.Add(ce);
                    position += 1;
                }
                catch (Exception ex)
                {
                    var _log = LogManager.GetCurrentClassLogger();
                    _log.Error($"Error parsing cache entry. Position: {position} Index: {index}, Error: {ex.Message} ");
                    //TODO Report this
                    //take what we can get
                    break;
                }
            }
        }
예제 #5
0
        public Windows8x(byte[] rawBytes, AppCompatCache.OperatingSystemVersion os, int controlSet, string computerName)
        {
            Entries = new List <CacheEntry>();

            var index = 128;

            var signature = "00ts";

            ControlSet = controlSet;

            EntryCount = -1;

            if (os == AppCompatCache.OperatingSystemVersion.Windows81_Windows2012R2)
            {
                signature = "10ts";
            }

            var position = 0;

            while (index < rawBytes.Length)
            {
                try
                {
                    var ce = new CacheEntry
                    {
                        Signature = Encoding.ASCII.GetString(rawBytes, index, 4)
                    };

                    if (ce.Signature != signature)
                    {
                        break;
                    }

                    ce.ComputerName = computerName;

                    index += 4;

                    // skip 4 unknown
                    index += 4;

                    var ceDataSize = BitConverter.ToUInt32(rawBytes, index);
                    index += 4;

                    ce.PathSize = BitConverter.ToUInt16(rawBytes, index);
                    index      += 2;

                    ce.Path = Encoding.Unicode.GetString(rawBytes, index, ce.PathSize).Replace(@"\??\", "");
                    index  += ce.PathSize;

                    var packageLen = BitConverter.ToUInt16(rawBytes, index);
                    index += 2;
                    //skip package data
                    index += packageLen;

                    // skip 4 unknown (insertion flags?)
                    ce.InsertFlags = (AppCompatCache.InsertFlag)BitConverter.ToInt32(rawBytes, index);
                    index         += 4;

                    // skip 4 unknown (shim flags?)
                    index += 4;

                    ce.LastModified =
                        DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index));

                    ce.TimeZone = ce.LastModified.ToString("zzz");

                    index += 8;

                    ce.DataSize = BitConverter.ToInt32(rawBytes, index);
                    index      += 4;

                    ce.Data = rawBytes.Skip(index).Take(ce.DataSize).ToArray();
                    index  += ce.DataSize;

                    if ((ce.InsertFlags & AppCompatCache.InsertFlag.Executed) == AppCompatCache.InsertFlag.Executed)
                    {
                        ce.Flag = AppCompatCache.Execute.Executed;
                    }
                    else
                    {
                        ce.Flag = AppCompatCache.Execute.Unknown;
                    }

                    ce.ControlSet    = controlSet;
                    ce.EntryPosition = position;
                    Entries.Add(ce);
                    position += 1;
                }
                catch (Exception ex)
                {
                    //TODO report this
                    //take what we can get
                    Console.Error.WriteLine($"Error parsing cache entry. Position: {position} Index: {index}, Error: {ex.Message} ");
                    break;
                }
            }
        }
예제 #6
0
        public Windows8x(byte[] rawBytes, AppCompatCache.OperatingSystemVersion os)
        {
            Entries = new List <CacheEntry>();

            var index = 128;

            var signature = "00ts";

            if (os == AppCompatCache.OperatingSystemVersion.Windows81_Windows2012R2)
            {
                signature = "10ts";
            }

            var position = 0;

            while (index <= rawBytes.Length)
            {
                try
                {
                    var ce = new CacheEntry
                    {
                        Signature = Encoding.ASCII.GetString(rawBytes, index, 4)
                    };

                    if (ce.Signature != signature)
                    {
                        break;
                    }

                    index += 4;

                    // skip 4 unknown
                    index += 4;

                    var ceDataSize = BitConverter.ToUInt32(rawBytes, index);
                    index += 4;

                    ce.PathSize = BitConverter.ToUInt16(rawBytes, index);
                    index      += 2;

                    ce.Path = Encoding.Unicode.GetString(rawBytes, index, ce.PathSize);
                    index  += ce.PathSize;

                    // skip 4 unknown (insertion flags?)
                    index += 4;

                    // skip 4 unknown (shim flags?)
                    index += 4;

                    // skip 2 unknown
                    index += 2;

                    ce.LastModifiedTimeUTC =
                        DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();

                    index += 8;

                    ce.DataSize = BitConverter.ToInt32(rawBytes, index);
                    index      += 4;

                    ce.Data = rawBytes.Skip(index).Take(ce.DataSize).ToArray();
                    index  += ce.DataSize;

                    ce.CacheEntryPosition = position;

                    Entries.Add(ce);
                    position += 1;
                }
                catch (Exception ex)
                {
                    //TODO report this
                    //take what we can get
                    break;
                }
            }
        }
예제 #7
0
        public Windows10(byte[] rawBytes, string computerName)
        {
            Entries = new List<CacheEntry>();

            var index = 48;

            var position = 0;

            while (index <= rawBytes.Length)
            {
                try
                {
                    var ce = new CacheEntry
                    {
                        Signature = Encoding.ASCII.GetString(rawBytes, index, 4)
                    };

                    if (ce.Signature != "10ts")
                    {
                        break;
                    }

                    ce.ComputerName = computerName;

                    index += 4;

                    // skip 4 unknown
                    index += 4;

                    var ceDataSize = BitConverter.ToUInt32(rawBytes, index);
                    index += 4;

                    ce.PathSize = BitConverter.ToUInt16(rawBytes, index);
                    index += 2;
                    ce.Path = Encoding.Unicode.GetString(rawBytes, index, ce.PathSize);
                    index += ce.PathSize;

                    ce.LastModifiedTimeLocal =
                        DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index));

                    ce.LastModifiedTimeUTC =
                        DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
                    index += 8;

                    ce.DataSize = BitConverter.ToInt32(rawBytes, index);
                    index += 4;

                    ce.Data = rawBytes.Skip(index).Take(ce.DataSize).ToArray();
                    index += ce.DataSize;

                    ce.CacheEntryPosition = position;
                    
                    Entries.Add(ce);
                    position += 1;
                }
                catch (Exception ex)
                {
                    //TODO Report this
                    //take what we can get
                    break;
                }
            }
        }
예제 #8
0
        public WindowsXP(byte[] rawBytes, bool is32Bit, int controlSet)
        {
            Entries = new List <CacheEntry>();

            var index = 4;

            ControlSet = controlSet;

            EntryCount = BitConverter.ToInt32(rawBytes, index);
            index     += 4;

            var lruArrauEntries = BitConverter.ToUInt32(rawBytes, index);

            index += 4;

            index = 400;

            var position = 0;

            var log1 = LogManager.GetCurrentClassLogger();

            log1.Debug($@"**** 32 bit system?: {is32Bit}");

            log1.Debug($@"**** EntryCount found: {EntryCount}");

            if (EntryCount == 0)
            {
                return;
            }

            if (is32Bit)
            {
                while (index < rawBytes.Length)
                {
                    try
                    {
                        log1.Debug($@"**** At index position: {index}");

                        var ce = new CacheEntry {
                            PathSize = 528
                        };


                        ce.Path = Encoding.Unicode.GetString(rawBytes, index, ce.PathSize).Split('\0').First().Replace('\0', ' ').Trim().Replace(@"\??\", "");
                        index  += 528;

                        ce.LastModifiedTimeUTC =
                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
                        index += 8;

                        var fileSize = BitConverter.ToUInt64(rawBytes, index);
                        index += 8;

                        //                        ce.LastModifiedTimeUTC =
                        //                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
                        //this is last update time, its not reported yet
                        index += 8;

                        if (ce.LastModifiedTimeUTC.Year == 1601)
                        {
                            break;
                        }

                        ce.CacheEntryPosition = position;
                        ce.ControlSet         = controlSet;

                        ce.Executed = AppCompatCache.Execute.NA;

                        log1.Debug($@"**** Adding cache entry for '{ce.Path}' to Entries");

                        Entries.Add(ce);
                        position += 1;

                        if (Entries.Count == EntryCount)
                        {
                            break;
                        }
                    }
                    catch (Exception ex)
                    {
                        var _log = LogManager.GetCurrentClassLogger();
                        _log.Error(
                            $"Error parsing cache entry. Position: {position} Index: {index}, Error: {ex.Message} ");
                        //TODO Report this
                        if (Entries.Count < EntryCount)
                        {
                            throw;
                        }
                        //take what we can get
                        break;
                    }
                }
            }
            else
            {
                throw new Exception(
                          "64 bit XP support not available. send the hive to [email protected] so support can be added");
//                while (index < rawBytes.Length)
//                {
//                    try
//                    {
//                        var ce = new CacheEntry {PathSize = BitConverter.ToUInt16(rawBytes, index)};
//
//                        index += 2;
//
//                        var maxPathSize = BitConverter.ToUInt16(rawBytes, index);
//                        index += 2;
//
//
//                        var pathOffset = BitConverter.ToInt32(rawBytes, index);
//                        index += 4;
//
//                        ce.LastModifiedTimeUTC =
//                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
//                        index += 8;
//
//                        // skip 4 unknown (insertion flags?)
//                        index += 4;
//
//                        // skip 4 unknown (shim flags?)
//                        index += 4;
//
//                        var ceDataSize = BitConverter.ToUInt32(rawBytes, index);
//                        index += 4;
//
//                        var dataOffset = BitConverter.ToUInt32(rawBytes, index);
//                        index += 4;
//
//                        ce.Path = Encoding.Unicode.GetString(rawBytes, pathOffset, ce.PathSize);
//
//                        if (ce.LastModifiedTimeUTC.Year == 1601)
//                        {
//                            break;
//                        }
//
//                        ce.CacheEntryPosition = position;
//                        Entries.Add(ce);
//                        position += 1;
//
//
//                        if (Entries.Count == EntryCount)
//                        {
//                            break;
//                        }
//                    }
//                    catch (Exception ex)
//                    {
//                        //TODO Report this
//                        Debug.WriteLine(ex.Message);
//                        //take what we can get
//                        break;
//                    }
//                }
            }
        }
예제 #9
0
        public VistaWin2k3Win2k8(byte[] rawBytes, bool is32Bit, int controlSet)
        {
            Entries = new List <CacheEntry>();

            var index = 4;

            ControlSet = controlSet;

            EntryCount = BitConverter.ToInt32(rawBytes, index);

            index = 8;

            var position = 0;

            if (EntryCount == 0)
            {
                return;;
            }

            if (is32Bit)
            {
                while (index < rawBytes.Length)
                {
                    try
                    {
                        var ce = new CacheEntry();

                        ce.PathSize = BitConverter.ToUInt16(rawBytes, index);
                        index      += 2;

                        var maxPathSize = BitConverter.ToUInt16(rawBytes, index);
                        index += 2;


                        var pathOffset = BitConverter.ToInt32(rawBytes, index);
                        index += 4;

                        ce.LastModifiedTimeUTC =
                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
                        index += 8;

                        // skip 4 unknown (insertion flags?)
                        ce.InsertFlags = (AppCompatCache.InsertFlag)BitConverter.ToInt32(rawBytes, index);
                        index         += 4;

                        // skip 4 unknown (shim flags?)
                        index += 4;

                        ce.Path = Encoding.Unicode.GetString(rawBytes, pathOffset, ce.PathSize).Replace(@"\??\", "");

//                        if ((ce.InsertFlags & AppCompatCache.InsertFlag.Executed) == AppCompatCache.InsertFlag.Executed)
//                        {
//                            ce.Executed = AppCompatCache.Execute.Yes;
//                        }
//                        else
//                        {
//                            ce.Executed = AppCompatCache.Execute.No;
//                        }

                        ce.Executed = AppCompatCache.Execute.NA;

                        ce.CacheEntryPosition = position;
                        ce.ControlSet         = controlSet;
                        Entries.Add(ce);
                        position += 1;

                        if (Entries.Count == EntryCount)
                        {
                            break;
                        }
                    }
                    catch (Exception ex)
                    {
                        var _log = LogManager.GetCurrentClassLogger();
                        _log.Error(
                            $"Error parsing cache entry. Position: {position} Index: {index}, Error: {ex.Message} ");

                        if (Entries.Count < EntryCount)
                        {
                            throw;
                        }

                        //TODO Report this
                        Debug.WriteLine(ex.Message);
                        //take what we can get
                        break;
                    }
                }
            }
            else
            {
                while (index < rawBytes.Length)
                {
                    try
                    {
                        var ce1 = new CacheEntry();

                        ce1.PathSize = BitConverter.ToUInt16(rawBytes, index);
                        index       += 2;

                        var maxPathSize = BitConverter.ToUInt16(rawBytes, index);
                        index += 2;

                        // skip 4 unknown (padding)
                        index += 4;

                        var pathOffset = BitConverter.ToInt64(rawBytes, index);
                        index += 8;

                        ce1.LastModifiedTimeUTC =
                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
                        index += 8;

                        // skip 4 unknown (insertion flags?)
                        ce1.InsertFlags = (AppCompatCache.InsertFlag)BitConverter.ToInt32(rawBytes, index);
                        index          += 4;

                        // skip 4 unknown (shim flags?)
                        index += 4;

//                        var ceDataSize = BitConverter.ToUInt64(rawBytes, index);
//                        index += 8;
//
//                        var dataOffset = BitConverter.ToUInt64(rawBytes, index);
//                        index += 8;

                        ce1.Path = Encoding.Unicode.GetString(rawBytes, (int)pathOffset, ce1.PathSize).Replace(@"\??\", "");

                        if ((ce1.InsertFlags & AppCompatCache.InsertFlag.Executed) == AppCompatCache.InsertFlag.Executed)
                        {
                            ce1.Executed = AppCompatCache.Execute.Yes;
                        }
                        else
                        {
                            ce1.Executed = AppCompatCache.Execute.No;
                        }

                        ce1.CacheEntryPosition = position;
                        ce1.ControlSet         = controlSet;
                        Entries.Add(ce1);
                        position += 1;

                        if (Entries.Count == EntryCount)
                        {
                            break;
                        }
                    }
                    catch (Exception ex)
                    {
                        var _log = LogManager.GetCurrentClassLogger();
                        _log.Error(
                            $"Error parsing cache entry. Position: {position} Index: {index}, Error: {ex.Message} ");
                        //TODO Report this
                        if (Entries.Count < EntryCount)
                        {
                            throw;
                        }
                        //take what we can get
                        break;
                    }
                }
            }
        }
예제 #10
0
        public Windows7(byte[] rawBytes, bool is32Bit)
        {
            Entries = new List <CacheEntry>();

            var index = 4;

            var cacheItems = BitConverter.ToUInt32(rawBytes, index);

            index = 128;

            var position = 0;

            if (is32Bit)
            {
                while (index <= rawBytes.Length)
                {
                    try
                    {
                        var ce = new CacheEntry();

                        ce.PathSize = BitConverter.ToUInt16(rawBytes, index);
                        index      += 2;

                        var maxPathSize = BitConverter.ToUInt16(rawBytes, index);
                        index += 2;


                        var pathOffset = BitConverter.ToInt32(rawBytes, index);
                        index += 4;

                        ce.LastModifiedTimeUTC =
                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
                        index += 8;

                        // skip 4 unknown (insertion flags?)
                        index += 4;

                        // skip 4 unknown (shim flags?)
                        index += 4;

                        var ceDataSize = BitConverter.ToUInt32(rawBytes, index);
                        index += 4;

                        var dataOffset = BitConverter.ToUInt32(rawBytes, index);
                        index += 4;

                        ce.Path = Encoding.Unicode.GetString(rawBytes, pathOffset, ce.PathSize);

                        ce.CacheEntryPosition = position;
                        Entries.Add(ce);
                        position += 1;

                        if (Entries.Count == cacheItems)
                        {
                            break;
                        }
                    }
                    catch (Exception ex)
                    {
                        //TODO Report this
                        Debug.WriteLine(ex.Message);
                        //take what we can get
                        break;
                    }
                }
            }
            else
            {
                while (index <= rawBytes.Length)
                {
                    try
                    {
                        var ce = new CacheEntry();

                        ce.PathSize = BitConverter.ToUInt16(rawBytes, index);
                        index      += 2;

                        var maxPathSize = BitConverter.ToUInt16(rawBytes, index);
                        index += 2;

                        // skip 4 unknown (padding)
                        index += 4;

                        var pathOffset = BitConverter.ToInt64(rawBytes, index);
                        index += 8;

                        ce.LastModifiedTimeUTC =
                            DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
                        index += 8;

                        // skip 4 unknown (insertion flags?)
                        index += 4;

                        // skip 4 unknown (shim flags?)
                        index += 4;

                        var ceDataSize = BitConverter.ToUInt64(rawBytes, index);
                        index += 8;

                        var dataOffset = BitConverter.ToUInt64(rawBytes, index);
                        index += 8;

                        ce.Path = Encoding.Unicode.GetString(rawBytes, (int)pathOffset, ce.PathSize);

                        ce.CacheEntryPosition = position;
                        Entries.Add(ce);
                        position += 1;

                        if (Entries.Count == cacheItems)
                        {
                            break;
                        }
                    }
                    catch (Exception ex)
                    {
                        //TODO Report this
                        //take what we can get
                        break;
                    }
                }
            }
        }