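/// <summary>
/// Read Windows 2k3/Vista/2k8 Shim Cache entry formats.
/// </summary>
/// <param name="data">Raw AppCompatCache value. The entry count is read from bytes 4..8 and
/// the fixed-size entries start at <c>Global.CACHE_HEADER_SIZE_NT5_2</c>.</param>
/// <param name="is32Bit">Selects the 32-bit (<c>NT5_2_ENTRY_SIZE32</c>) or 64-bit
/// (<c>NT5_2_ENTRY_SIZE64</c>) entry layout.</param>
/// <returns>One <see cref="Hit"/> per entry that lies fully inside <paramref name="data"/>.
/// Entries of a truncated value, and entries whose path offset/length point outside the
/// buffer, are skipped instead of throwing; a null or too-short buffer yields an empty list.</returns>
private static List<Hit> ReadNt5Entries(byte[] data, bool is32Bit)
{
    List<Hit> hits = new List<Hit>();

    // The entry count lives at bytes 4..8; anything shorter cannot be parsed at all.
    if (data == null || data.Length < 8)
    {
        return hits;
    }

    uint entrySize = is32Bit ? Global.NT5_2_ENTRY_SIZE32 : Global.NT5_2_ENTRY_SIZE64;
    uint numEntries = BitConverter.ToUInt32(data.Slice(4, 8), 0);

    // Widen before multiplying: the count comes straight from the registry value, and a
    // corrupt or hostile count must not wrap a 32-bit product into a small loop bound.
    ulong entriesEnd = (ulong)numEntries * entrySize;

    // On Windows Server 2008/Vista, the filesize is swapped out of this structure with two 4-byte flags.
    // Check to see if any of the values in "dwFileSizeLow" are larger than 2-bits. This indicates the entry contained file sizes.
    bool containsFileSize = false;
    for (uint index = Global.CACHE_HEADER_SIZE_NT5_2; index < entriesEnd; index += entrySize)
    {
        // Truncated value: stop rather than slice past the end of the buffer.
        if ((ulong)index + entrySize > (ulong)data.Length)
        {
            break;
        }

        CacheEntryNt5 probe = new CacheEntryNt5(is32Bit, containsFileSize);
        probe.Update(data.Slice(index, index + entrySize));
        if (probe.FileSizeLow > 3)
        {
            containsFileSize = true;
            break;
        }
    }

    // Now grab all the data in the value.
    for (uint index = Global.CACHE_HEADER_SIZE_NT5_2; index < entriesEnd; index += entrySize)
    {
        if ((ulong)index + entrySize > (ulong)data.Length)
        {
            break;
        }

        CacheEntryNt5 ce = new CacheEntryNt5(is32Bit, containsFileSize);
        ce.Update(data.Slice(index, index + entrySize));

        // Offset/Length are taken from the entry itself, so a corrupt entry could point
        // anywhere; skip it instead of reading outside the buffer.
        long pathEnd = (long)ce.Offset + (long)ce.Length;
        if ((long)ce.Offset < 0 || (long)ce.Length < 0 || pathEnd > data.Length)
        {
            continue;
        }

        // Paths are stored as UTF-16LE with the NT object-manager prefix, which is stripped.
        string path = Encoding.Unicode.GetString(data.Slice(ce.Offset, ce.Offset + ce.Length));
        path = path.Replace("\\??\\", string.Empty);

        if (containsFileSize)
        {
            // Layout carries a real file size; there is no process-exec flag to report.
            hits.Add(new Hit(Global.CacheType.CacheEntryNt5, ce.DateTime, DateTime.MinValue, path, ce.FileSizeLow, "N/A"));
        }
        else
        {
            // Layout carries flags instead of a size; report the exec flag and no size.
            hits.Add(new Hit(Global.CacheType.CacheEntryNt5, ce.DateTime, DateTime.MinValue, path, 0, ce.ProcessExec.ToString()));
        }
    }

    return hits;
}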
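/// <summary>
/// Read Windows 2k3/Vista/2k8 Shim Cache entry formats.
/// </summary>
/// <param name="data">Raw AppCompatCache value. The entry count is read from bytes 4..8 and
/// the fixed-size entries start at <c>Global.CACHE_HEADER_SIZE_NT5_2</c>.</param>
/// <param name="is32Bit">Selects the 32-bit (<c>NT5_2_ENTRY_SIZE32</c>) or 64-bit
/// (<c>NT5_2_ENTRY_SIZE64</c>) entry layout.</param>
/// <returns>One <see cref="Hit"/> per entry that lies fully inside <paramref name="data"/>.
/// Entries of a truncated value, and entries whose path offset/length point outside the
/// buffer, are skipped instead of throwing; a null or too-short buffer yields an empty list.</returns>
private static List<Hit> ReadNt5Entries(byte[] data, bool is32Bit)
{
    List<Hit> hits = new List<Hit>();

    // The entry count lives at bytes 4..8; anything shorter cannot be parsed at all.
    if (data == null || data.Length < 8)
    {
        return hits;
    }

    uint entrySize = is32Bit ? Global.NT5_2_ENTRY_SIZE32 : Global.NT5_2_ENTRY_SIZE64;
    uint numEntries = BitConverter.ToUInt32(data.Slice(4, 8), 0);

    // Widen before multiplying: the count comes straight from the registry value, and a
    // corrupt or hostile count must not wrap a 32-bit product into a small loop bound.
    ulong entriesEnd = (ulong)numEntries * entrySize;

    // On Windows Server 2008/Vista, the filesize is swapped out of this structure with two 4-byte flags.
    // Check to see if any of the values in "dwFileSizeLow" are larger than 2-bits. This indicates the entry contained file sizes.
    bool containsFileSize = false;
    for (uint index = Global.CACHE_HEADER_SIZE_NT5_2; index < entriesEnd; index += entrySize)
    {
        // Truncated value: stop rather than slice past the end of the buffer.
        if ((ulong)index + entrySize > (ulong)data.Length)
        {
            break;
        }

        CacheEntryNt5 probe = new CacheEntryNt5(is32Bit, containsFileSize);
        probe.Update(data.Slice(index, index + entrySize));
        if (probe.FileSizeLow > 3)
        {
            containsFileSize = true;
            break;
        }
    }

    // Now grab all the data in the value.
    for (uint index = Global.CACHE_HEADER_SIZE_NT5_2; index < entriesEnd; index += entrySize)
    {
        if ((ulong)index + entrySize > (ulong)data.Length)
        {
            break;
        }

        CacheEntryNt5 ce = new CacheEntryNt5(is32Bit, containsFileSize);
        ce.Update(data.Slice(index, index + entrySize));

        // Offset/Length are taken from the entry itself, so a corrupt entry could point
        // anywhere; skip it instead of reading outside the buffer.
        long pathEnd = (long)ce.Offset + (long)ce.Length;
        if ((long)ce.Offset < 0 || (long)ce.Length < 0 || pathEnd > data.Length)
        {
            continue;
        }

        // Paths are stored as UTF-16LE with the NT object-manager prefix, which is stripped.
        string path = Encoding.Unicode.GetString(data.Slice(ce.Offset, ce.Offset + ce.Length));
        path = path.Replace("\\??\\", string.Empty);

        if (containsFileSize)
        {
            // Layout carries a real file size; there is no process-exec flag to report.
            hits.Add(new Hit(Global.CacheType.CacheEntryNt5, ce.DateTime, DateTime.MinValue, path, ce.FileSizeLow, "N/A"));
        }
        else
        {
            // Layout carries flags instead of a size; report the exec flag and no size.
            hits.Add(new Hit(Global.CacheType.CacheEntryNt5, ce.DateTime, DateTime.MinValue, path, 0, ce.ProcessExec.ToString()));
        }
    }

    return hits;
}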