예제 #1
0
        internal UserAssist(ValueKey vk, byte[] bytes)
        {
            Path = Decode(vk.Name);

            byte[] data = vk.GetData(bytes);

            RunCount = BitConverter.ToUInt32(data, 0x04);
            FocusTime = BitConverter.ToUInt32(data, 0x0C);
            LastExecutionTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(data, 0x03C));
        }
        internal ValueKey[] GetValues(byte[] bytes)
        {
            if (this.NumberOfValues > 0)
            {
                ValuesList list = new ValuesList(NativeMethods.GetSubArray(bytes, (uint)this.ValuesListOffset, (uint)Math.Abs(BitConverter.ToInt32(bytes, this.ValuesListOffset))), this.NumberOfValues);

                ValueKey[] vkArray = new ValueKey[list.Offset.Length];

                for (int i = 0; i < list.Offset.Length; i++)
                {
                    int size = Math.Abs(BitConverter.ToInt32(bytes, (int)list.Offset[i]));
                    vkArray[i] = new ValueKey(NativeMethods.GetSubArray(bytes, list.Offset[i], (uint)size), this.HivePath, this.Name);
                }

                return(vkArray);
            }

            return(null);
        }
예제 #3
0
        internal ValueKey[] GetValues(byte[] bytes)
        {
            if (NumberOfValues > 0)
            {
                ValuesList list = new ValuesList(Util.GetSubArray(bytes, (uint)ValuesListOffset, (uint)Math.Abs(BitConverter.ToInt32(bytes, ValuesListOffset))), NumberOfValues);

                ValueKey[] vkArray = new ValueKey[list.Offset.Length];

                for (int i = 0; i < list.Offset.Length; i++)
                {
                    int size = Math.Abs(BitConverter.ToInt32(bytes, (int)list.Offset[i]));
                    vkArray[i] = new ValueKey(Util.GetSubArray(bytes, list.Offset[i], (uint)size), HivePath, Name);
                }

                return(vkArray);
            }

            throw new Exception(string.Format("The key '{0}' has no associated values", this.FullName));
        }
예제 #4
0
        internal static byte[] Get(byte[] bytes, ValueKey vk)
        {
            List <byte> contents = new List <byte>();

            byte[] dataBytes = PowerForensics.Helper.GetSubArray(bytes, (int)vk.DataOffset, Math.Abs(BitConverter.ToInt32(bytes, (int)vk.DataOffset)));

            short offsetCount  = BitConverter.ToInt16(dataBytes, 0x06);
            uint  offsetOffset = BitConverter.ToUInt32(dataBytes, 0x08) + RegistryHeader.HBINOFFSET;

            byte[] offsetBytes = Helper.GetSubArray(bytes, (int)offsetOffset, Math.Abs(BitConverter.ToInt32(bytes, (int)offsetOffset)));

            for (short i = 1; i <= offsetCount; i++)
            {
                uint segmentOffset = BitConverter.ToUInt32(offsetBytes, i * 0x04) + RegistryHeader.HBINOFFSET;
                contents.AddRange(Helper.GetSubArray(bytes, (int)segmentOffset + 0x04, Math.Abs(BitConverter.ToInt32(bytes, (int)segmentOffset)) - 0x08));
            }

            byte[] b = contents.ToArray();
            return(Helper.GetSubArray(b, 0x00, b.Length));
        }
        internal ValueKey[] GetValues(byte[] bytes)
        {
            if (this.NumberOfValues > 0)
            {
                ValuesList list = new ValuesList(NativeMethods.GetSubArray(bytes, (uint)this.ValuesListOffset, (uint)Math.Abs(BitConverter.ToInt32(bytes, this.ValuesListOffset))), this.NumberOfValues);

                ValueKey[] vkArray = new ValueKey[list.Offset.Length];

                for (int i = 0; i < list.Offset.Length; i++)
                {
                    int size = Math.Abs(BitConverter.ToInt32(bytes, (int)list.Offset[i]));
                    vkArray[i] = new ValueKey(NativeMethods.GetSubArray(bytes, list.Offset[i], (uint)size), this.HivePath, this.Name);
                }

                return vkArray;
            }

            return null;
        }
예제 #6
0
        internal ValueKey[] GetValues(byte[] bytes)
        {
            if (NumberOfValues > 0)
            {
                ValuesList list = new ValuesList(Util.GetSubArray(bytes, (uint)ValuesListOffset, (uint)Math.Abs(BitConverter.ToInt32(bytes, ValuesListOffset))), NumberOfValues);

                ValueKey[] vkArray = new ValueKey[list.Offset.Length];

                for (int i = 0; i < list.Offset.Length; i++)
                {
                    int size = Math.Abs(BitConverter.ToInt32(bytes, (int)list.Offset[i]));
                    vkArray[i] = new ValueKey(Util.GetSubArray(bytes, list.Offset[i], (uint)size), HivePath, Name);
                }

                return vkArray;
            }

            throw new Exception(string.Format("The key '{0}' has no associated values", this.FullName));
        }
예제 #7
0
 internal TrustRecord(byte[] bytes, string user, ValueKey vk)
 {
     User = user;
     Path = vk.Name;
     TrustTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
 }
예제 #8
0
 internal OutlookCatalog(string user, ValueKey vk)
 {
     User = user;
     Path = vk.Name;
 }
예제 #9
0
        private UserAssist(string user, ValueKey vk, byte[] bytes)
        {
            User = user;
            ImagePath = Decode(vk.Name);

            byte[] data = (byte[])vk.GetData(bytes);
            RunCount = BitConverter.ToUInt32(data, 0x04);
            FocusTime = BitConverter.ToUInt32(data, 0x0C);            
            LastExecutionTimeUtc = DateTime.FromFileTimeUtc(BitConverter.ToInt64(data, 0x03C));
        }
예제 #10
0
        internal static byte[] Get(byte[] bytes, ValueKey vk)
        {
            List<byte> contents = new List<byte>();
            
            byte[] dataBytes = PowerForensics.Helper.GetSubArray(bytes, (int)vk.DataOffset, Math.Abs(BitConverter.ToInt32(bytes, (int)vk.DataOffset)));

            short offsetCount = BitConverter.ToInt16(dataBytes, 0x06);
            uint offsetOffset = BitConverter.ToUInt32(dataBytes, 0x08) + RegistryHeader.HBINOFFSET;

            byte[] offsetBytes = Helper.GetSubArray(bytes, (int)offsetOffset, Math.Abs(BitConverter.ToInt32(bytes, (int)offsetOffset)));

            for (short i = 1; i <= offsetCount; i++)
            {
                uint segmentOffset = BitConverter.ToUInt32(offsetBytes, i * 0x04) + RegistryHeader.HBINOFFSET;
                contents.AddRange(Helper.GetSubArray(bytes, (int)segmentOffset + 0x04, Math.Abs(BitConverter.ToInt32(bytes, (int)segmentOffset)) - 0x08));
            }

            byte[] b = contents.ToArray();
            return Helper.GetSubArray(b, 0x00, b.Length);
        }
예제 #11
0
 internal RunKey(string location, ValueKey vk)
 {
     AutoRunLocation = location;
     Name = vk.Name;
     ImagePath = (string)vk.GetData();
 }
예제 #12
0
 private OutlookCatalog(string user, ValueKey vk)
 {
     User = user;
     Path = vk.Name;
 }