Exemplo n.º 1
        private void ProcessZipFileContents(byte[] rawBytes)
            FriendlyName = "Variable: Zip file contents";

            if (rawBytes[0x28] == 0x2f || rawBytes[0x24] == 0x4e && rawBytes[0x26] == 0x2f && rawBytes[0x28] == 0x41 ||
                rawBytes[0x1c] == 0x2f || rawBytes[0x18] == 0x4e && rawBytes[0x1a] == 0x2f && rawBytes[0x1c] == 0x41)
                //we have a good date

                var zip = new ShellBagZipContents(rawBytes);
                FriendlyName   = zip.FriendlyName;
                LastAccessTime = zip.LastAccessTime;

                Value = zip.Value;
                Value = "!!! Unable to determine Value !!!";
Exemplo n.º 2
        public ShellBag0X32(byte[] rawBytes)
            FriendlyName = "File";

            ExtensionBlocks = new List<IExtensionBlock>();

            ShortName = string.Empty;

            var index = 2;

            if (rawBytes[0x28] == 0x2f || (rawBytes[0x24] == 0x4e && rawBytes[0x26] == 0x2f && rawBytes[0x28] == 0x41))
                //we have a good date

                    var zip = new ShellBagZipContents(rawBytes);
                    FriendlyName = zip.FriendlyName;
                    LastAccessTime = zip.LastAccessTime;

                    Value = zip.Value;

                catch (Exception)

            index += 1;

            //skip unknown byte
            index += 1;

            var fileSize = BitConverter.ToUInt32(rawBytes, index);

            FileSize = (int) fileSize;

            index += 4; // skip file size since always 0 for directory

            var tempBytes = new byte[4];
            Array.Copy(rawBytes, index, tempBytes, 0, 4);
            var lastmodifiedUtcRaw = tempBytes;

            LastModificationTime = Utils.ExtractDateTimeOffsetFromBytes(lastmodifiedUtcRaw);

            index += 4;

            index += 2;

            var len = 0;

            while (rawBytes[index + len] != 0x0)
                len += 1;

            tempBytes = new byte[len];
            Array.Copy(rawBytes, index, tempBytes, 0, len);

            index += len;

            var shortName = Encoding.GetEncoding(1252).GetString(tempBytes);

            ShortName = shortName;

            while (rawBytes[index] == 0x0)
                index += 1;

            //we are at extension blocks, so cut them up and process
            // here is where we need to cut up the rest into extension blocks
            var chunks = new List<byte[]>();

            while (index < rawBytes.Length)
                var subshellitemdatasize = BitConverter.ToInt16(rawBytes, index);

                if (subshellitemdatasize <= 0)

                if (subshellitemdatasize == 1)
                    //some kind of separator
                    index += 2;
                    index += subshellitemdatasize;

            foreach (var bytes in chunks)
                index = 0;

                var extsize = BitConverter.ToInt16(bytes, index);

                var signature = BitConverter.ToUInt32(bytes, 0x04);

                //TODO does this need to check if its a 0xbeef?? regex?
                var block = Utils.GetExtensionBlockFromBytes(signature, bytes);


                var beef0004 = block as Beef0004;
                if (beef0004 != null)
                    Value = beef0004.LongName;

                index += extsize;
Exemplo n.º 3
        public ShellBag0X74(byte[] rawBytes)
            FriendlyName = "Users Files Folder";

            ExtensionBlocks = new List <IExtensionBlock>();

            var index = 2;

            index += 2; // move past type  and an unknown

            var size = BitConverter.ToUInt16(rawBytes, index);

            index += 2;

            var sig74 = Encoding.GetEncoding(1252).GetString(rawBytes, index, 4);

            if (sig74 == "CF\0\0")
                if (rawBytes[0x28] == 0x2f ||
                    rawBytes[0x24] == 0x4e && rawBytes[0x26] == 0x2f && rawBytes[0x28] == 0x41)
                    //we have a good date

                    var zip = new ShellBagZipContents(rawBytes);
                    FriendlyName   = zip.FriendlyName;
                    LastAccessTime = zip.LastAccessTime;

                    Value = zip.Value;


            if (sig74 != "CFSF")
                throw new Exception($"Invalid signature! Should be CFSF but was {sig74}");

            index += 4;

            var subShellSize = BitConverter.ToUInt16(rawBytes, index);

            index += 2;

            var subClasstype = rawBytes[index];

            index += 1;

            index += 1; // skip unknown

            var filesize = BitConverter.ToUInt32(rawBytes, index);

            index += 4;

            FileSize = (int)filesize;

            var tempBytes = new byte[4];

            Array.Copy(rawBytes, index, tempBytes, 0, 4);

            index += 4;

            LastModificationTime = Utils.ExtractDateTimeOffsetFromBytes(tempBytes);

            index += 2; //skip file attribute flag

            var len = 0;

            while (rawBytes[index + len] != 0x0)
                len += 1;

            tempBytes = new byte[len];
            Array.Copy(rawBytes, index, tempBytes, 0, len);

            index += len;

            var primaryName = Encoding.GetEncoding(1252).GetString(tempBytes);

            while (rawBytes[index] == 0x0)
                index += 1;

            var delegateGuidRaw = new byte[16];

            Array.Copy(rawBytes, index, delegateGuidRaw, 0, 16);

            var delegateGuid = Utils.ExtractGuidFromShellItem(delegateGuidRaw);

            if (delegateGuid != "5e591a74-df96-48d3-8d67-1733bcee28ba")
                throw new Exception(
                          $"Delegate guid not expected value of 5e591a74-df96-48d3-8d67-1733bcee28ba. Actual value: {delegateGuid}");

            index += 16;

            var itemIdentifierGuidRaw = new byte[16];

            Array.Copy(rawBytes, index, itemIdentifierGuidRaw, 0, 16);

            var itemIdentifierGuid = Utils.ExtractGuidFromShellItem(itemIdentifierGuidRaw);

            var itemName = Utils.GetFolderNameFromGuid(itemIdentifierGuid);

            index += 16;

            //0xbeef0004 section

            //we are at extensnon blocks, so cut them up and process
            // here is where we need to cut up the rest into extension blocks
            var chunks = new List <byte[]>();

            while (index < rawBytes.Length)
                var subshellitemdatasize = BitConverter.ToInt16(rawBytes, index);

                if (subshellitemdatasize <= 0)

                if (subshellitemdatasize == 1)
                    //some kind of separator
                    index += 2;
                    index += subshellitemdatasize;

            foreach (var bytes in chunks)
                index = 0;

                var extsize = BitConverter.ToInt16(bytes, index);

                var signature = BitConverter.ToUInt32(bytes, 0x04);

                //TODO does this need to check if its a 0xbeef?? regex?
                var block = Utils.GetExtensionBlockFromBytes(signature, bytes);


                var beef0004 = block as Beef0004;
                if (beef0004 != null)
                    Value = beef0004.LongName;

                index += extsize;
Exemplo n.º 4
        public ShellBag0X31(byte[] rawBytes)
            FriendlyName = "Directory";

            ExtensionBlocks = new List <IExtensionBlock>();

            var index = 2;

            if (rawBytes[0x27] == 0x00 && rawBytes[0x28] == 0x2f && rawBytes[0x29] == 0x00 ||
                rawBytes[0x24] == 0x4e && rawBytes[0x26] == 0x2f && rawBytes[0x28] == 0x41)
                //we have a good date

                    var zip = new ShellBagZipContents(rawBytes);
                    FriendlyName   = zip.FriendlyName;
                    LastAccessTime = zip.LastAccessTime;

                    Value = zip.Value;

                catch (Exception)
                    //this isnt really this kind of entry despite our best efforts to make sure it is, so fall thru and process normally

            index += 1;

            //skip unknown byte
            index += 1;

            index += 4; // skip file size since always 0 for directory

            LastModificationTime = Utils.ExtractDateTimeOffsetFromBytes(rawBytes.Skip(index).Take(4).ToArray());

            index += 4;

            index += 2;

            var len = 0;

            var beefPos = BitConverter.ToString(rawBytes).IndexOf("04-00-EF-BE", StringComparison.InvariantCulture) / 3;

            beefPos = beefPos - 4; //add header back for beef

            var strLen = beefPos - index;

            if (rawBytes[2] == 0x35)
                len = strLen;
                while (rawBytes[index + len] != 0x0)
                    len += 1;

            var tempBytes = new byte[len];

            Array.Copy(rawBytes, index, tempBytes, 0, len);

            index += len;

            var shortName = "";

            if (rawBytes[2] == 0x35)
                shortName = Encoding.Unicode.GetString(tempBytes);
                shortName = Encoding.GetEncoding(1252).GetString(tempBytes);

            ShortName = shortName;

            Value = shortName;

            while (rawBytes[index] == 0x0)
                index += 1;

            // here is where we need to cut up the rest into extension blocks
            var chunks = new List <byte[]>();

            while (index < rawBytes.Length)
                var subshellitemdatasize = BitConverter.ToInt16(rawBytes, index);

                if (subshellitemdatasize <= 0)

                if (subshellitemdatasize == 1)
                    //some kind of separator
                    index += 2;
                    index += subshellitemdatasize;

            foreach (var bytes in chunks)
                index = 0;

                var extsize = BitConverter.ToInt16(bytes, index);

                var signature = BitConverter.ToUInt32(bytes, 0x04);

                //TODO does this need to check if its a 0xbeef?? regex?
                var block = Utils.GetExtensionBlockFromBytes(signature, bytes);

                if (block.Signature.ToString("X").StartsWith("BEEF00"))

                var beef0004 = block as Beef0004;
                if (beef0004 != null)
                    Value = beef0004.LongName;

                var beef0005 = block as Beef0005;
                if (beef0005 != null)
                    //TODO Resolve this
//                    foreach (var internalBag in beef0005.InternalBags)
//                    {
//                        ExtensionBlocks.Add(new BeefPlaceHolder(null));
//                    }

                index += extsize;
Exemplo n.º 5
        private void ProcessPropertyViewDefault(byte[] rawBytes)
            FriendlyName = "Variable: Users property view";
            var index = 10;

            var shellPropertySheetListSize = BitConverter.ToInt16(rawBytes, index);

            index += 2;

            var identifiersize = BitConverter.ToInt16(rawBytes, index);

            index += 2;

            var identifierData = new byte[identifiersize];

            Array.Copy(rawBytes, index, identifierData, 0, identifiersize);

            index += identifiersize;

            if (shellPropertySheetListSize > 0)
                var propBytes = rawBytes.Skip(index).Take(shellPropertySheetListSize).ToArray();
                var propStore = new PropertyStore(propBytes);

                PropertyStore = propStore;

                var p = propStore.Sheets.Where(t => t.PropertyNames.ContainsKey("32"));

                if (p.Any())
                    //we can now look thry prop bytes for extension blocks
                    //TODO this is a hack until we can process vectors natively

                    var extOffsets = new List <int>();
                        var regexObj    = new Regex("([0-9A-F]{2})-00-EF-BE", RegexOptions.IgnoreCase);
                        var matchResult = regexObj.Match(BitConverter.ToString(propBytes));
                        while (matchResult.Success)
                            matchResult = matchResult.NextMatch();

                        foreach (var extOffset in extOffsets)
                            var binaryOffset = extOffset / 3 - 4;
                            var exSize       = BitConverter.ToInt16(propBytes, binaryOffset);

                            var exBytes = propBytes.Skip(binaryOffset).Take(exSize).ToArray();

                            var signature1 = BitConverter.ToUInt32(exBytes, 4);

                            //Debug.WriteLine(" 0x1f bag sig: " + signature1.ToString("X8"));

                            var block1 = Utils.GetExtensionBlockFromBytes(signature1, exBytes);

                    catch (ArgumentException ex)
                        throw ex;
                        // Syntax error in the regular expression

                    //     Debug.WriteLine("Found 32 key");
                //   Debug.Write("Oh no! No property sheets!");
                // SiAuto.Main.LogWarning("Oh no! No property sheets!");

                if (rawBytes[0x28] == 0x2f ||
                    rawBytes[0x24] == 0x4e && rawBytes[0x26] == 0x2f && rawBytes[0x28] == 0x41)
                    //we have a good date

                    var zip = new ShellBagZipContents(rawBytes);
                    FriendlyName   = zip.FriendlyName;
                    LastAccessTime = zip.LastAccessTime;

                    Value = zip.Value;


                //41-75-67-4D is AugM

                if (rawBytes[4] == 0x41 && rawBytes[5] == 0x75 && rawBytes[6] == 0x67 && rawBytes[7] == 0x4D)
                    var cdb = new ShellBagCDBurn(rawBytes);

                    Value                = cdb.Value;
                    FriendlyName         = cdb.FriendlyName;
                    CreatedOnTime        = cdb.CreatedOnTime;
                    LastModificationTime = cdb.LastModificationTime;
                    LastAccessTime       = cdb.LastAccessTime;


                Debug.Write("Oh no! No property sheets!");

                Value = "!!! Unable to determine Value !!!";

            index += shellPropertySheetListSize;

            index += 2; //move past end of property sheet terminator

            if (shellPropertySheetListSize > 0 && index < rawBytes.Length)
                var extBlockSize = BitConverter.ToInt16(rawBytes, index);

                if (extBlockSize > 0)
                    //process extension blocks

                    while (extBlockSize > 0)
                        var extBytes = rawBytes.Skip(index).Take(extBlockSize).ToArray();

                        index += extBlockSize;

                        var signature1 = BitConverter.ToUInt32(extBytes, 4);

                        var block1 = Utils.GetExtensionBlockFromBytes(signature1, extBytes);


                        if (index >= rawBytes.Length)

                        extBlockSize = BitConverter.ToInt16(rawBytes, index);

//                int terminator = BitConverter.ToInt16(rawBytes, index);
//                if (terminator > 0)
//                {
//                    throw new Exception($"Expected terminator of 0, but got {terminator}");
//                }

            var valuestring = (from propertySheet in PropertyStore.Sheets
                               from propertyName in propertySheet.PropertyNames
                               where propertyName.Key == "10"
                               select propertyName.Value).FirstOrDefault();

            if (valuestring == null)
                var namesList =
                    (from propertySheet in PropertyStore.Sheets
                     from propertyName in propertySheet.PropertyNames
                     select propertyName.Value)

                valuestring = string.Join("::", namesList.ToArray());

            if (valuestring == "")
                valuestring = "No Property sheet value found";

            Value = valuestring;
Exemplo n.º 6
        public ShellBag0X2E(byte[] rawBytes)
            ExtensionBlocks = new List<IExtensionBlock>();

            var index = 0;

            var postSig = BitConverter.ToInt64(rawBytes, rawBytes.Length - 8);

            if (postSig == 0x0000ee306bfe9555)
                FriendlyName = "User profile";

                var la = Utils.ExtractDateTimeOffsetFromBytes(rawBytes.Skip(rawBytes.Length - 14).Take(4).ToArray());

                LastAccessTime = la;

                index = 10;

                var tempString = Encoding.Unicode.GetString(rawBytes.Skip(index).ToArray()).Split('\0')[0];

                Value = tempString;


            //this needs to change to be the default
            if (rawBytes[0] == 20 || rawBytes[0] == 50 || rawBytes[0] == 0x3a)

            //this needs to change to be the default
            if (rawBytes[2] == 0x53)

            //zip file contents check
            if (rawBytes[0x28] == 0x2f || (rawBytes[0x24] == 0x4e && rawBytes[0x26] == 0x2f && rawBytes[0x28] == 0x41))
                //we have a good date

                var zip = new ShellBagZipContents(rawBytes);
                FriendlyName = zip.FriendlyName;
                LastAccessTime = zip.LastAccessTime;

                Value = zip.Value;



            catch (Exception)

            //this is a different animal,

            FriendlyName = "Root folder: MPT device";

            index = 0x1e;

            var storageStringNameLen = BitConverter.ToInt32(rawBytes, index);

            index += 4;

            var storageIdStringLen = BitConverter.ToInt32(rawBytes, index);

            index += 4;

            var fileSystemNameLen = BitConverter.ToInt32(rawBytes, index);

            index = 0x28;

            var storageName = Encoding.Unicode.GetString(rawBytes, index, storageStringNameLen*2 - 2);

            index += storageStringNameLen*2;

            var storageIdName = Encoding.Unicode.GetString(rawBytes, index, storageIdStringLen*2 - 2);

            index += storageIdStringLen*2;

            Value = storageName;
Exemplo n.º 7
        private void ProcessPropertyViewDefault(byte[] rawBytes)
            FriendlyName = "Variable: Users property view";
            var index = 10;

            var shellPropertySheetListSize = BitConverter.ToInt16(rawBytes, index);

            index += 2;

            var identifiersize = BitConverter.ToInt16(rawBytes, index);

            index += 2;

            var identifierData = new byte[identifiersize];

            Array.Copy(rawBytes, index, identifierData, 0, identifiersize);

            index += identifiersize;

            if (shellPropertySheetListSize > 0)
                var propBytes = rawBytes.Skip(index).Take(shellPropertySheetListSize).ToArray();
                var propStore = new PropertyStore(propBytes);

                PropertyStore = propStore;

                var p = propStore.Sheets.Where(t => t.PropertyNames.ContainsKey("32"));

                if (p.Any())
                    //we can now look thry prop bytes for extension blocks
                    //TODO this is a hack until we can process vectors natively

                    var extOffsets = new List<int>();
                        var regexObj = new Regex("([0-9A-F]{2})-00-EF-BE", RegexOptions.IgnoreCase);
                        var matchResult = regexObj.Match(BitConverter.ToString(propBytes));
                        while (matchResult.Success)
                            matchResult = matchResult.NextMatch();

                        foreach (var extOffset in extOffsets)
                            var binaryOffset = extOffset/3 - 4;
                            var exSize = BitConverter.ToInt16(propBytes, binaryOffset);

                            var exBytes = propBytes.Skip(binaryOffset).Take(exSize).ToArray();

                            var signature1 = BitConverter.ToUInt32(exBytes, 4);

                            var block1 = Utils.GetExtensionBlockFromBytes(signature1, exBytes);

                    catch (ArgumentException ex)
                        throw ex;
                        // Syntax error in the regular expression
                if (rawBytes[0x28] == 0x2f ||
                    (rawBytes[0x24] == 0x4e && rawBytes[0x26] == 0x2f && rawBytes[0x28] == 0x41))
                    //we have a good date

                    var zip = new ShellBagZipContents(rawBytes);
                    FriendlyName = zip.FriendlyName;
                    LastAccessTime = zip.LastAccessTime;

                    Value = zip.Value;

                Debug.Write("Oh no! No property sheets!");

            index += shellPropertySheetListSize;

            index += 2; //move past end of property sheet terminator

            var rawguid = Utils.ExtractGuidFromShellItem(rawBytes.Skip(index).Take(16).ToArray());
            index += 16;

            rawguid = Utils.ExtractGuidFromShellItem(rawBytes.Skip(index).Take(16).ToArray());
            index += 16;

            var name = Utils.GetFolderNameFromGuid(rawguid);

            Value = name;

            var extBlockSize = BitConverter.ToInt16(rawBytes, index);

            if (extBlockSize > 0)
                //process extension blocks

                while (extBlockSize > 0)
                    var extBytes = rawBytes.Skip(index).Take(extBlockSize).ToArray();

                    index += extBlockSize;

                    var signature1 = BitConverter.ToUInt32(extBytes, 4);

                    var block1 = Utils.GetExtensionBlockFromBytes(signature1, extBytes);


                    extBlockSize = BitConverter.ToInt16(rawBytes, index);

            int terminator = BitConverter.ToInt16(rawBytes, index);

            if (terminator > 0)
                throw new Exception($"Expected terminator of 0, but got {terminator}");
Exemplo n.º 8
        public ShellBag0X2E(byte[] rawBytes)
            ExtensionBlocks = new List <IExtensionBlock>();

            var index = 0;

            var postSig = BitConverter.ToInt64(rawBytes, rawBytes.Length - 8);

            if (postSig == 0x0000ee306bfe9555)
                FriendlyName = "User profile";

                var la = Utils.ExtractDateTimeOffsetFromBytes(rawBytes.Skip(rawBytes.Length - 14).Take(4).ToArray());

                LastAccessTime = la;

                index = 10;

                var tempString = Encoding.Unicode.GetString(rawBytes.Skip(index).ToArray()).Split('\0')[0];

                Value = tempString;


            //this needs to change to be the default
            if (rawBytes[0] == 20 || rawBytes[0] == 50 || rawBytes[0] == 0x3a)

            //this needs to change to be the default
            if (rawBytes[2] == 0x53)

            //zip file contents check
            if (rawBytes[0x28] == 0x2f || rawBytes[0x24] == 0x4e && rawBytes[0x26] == 0x2f && rawBytes[0x28] == 0x41)
                //we have a good date

                var zip = new ShellBagZipContents(rawBytes);
                FriendlyName   = zip.FriendlyName;
                LastAccessTime = zip.LastAccessTime;

                Value = zip.Value;



            catch (Exception)

            //this is a different animal,

            FriendlyName = "Root folder: MPT device";

            index = 0x1e;

            var storageStringNameLen = BitConverter.ToInt32(rawBytes, index);

            index += 4;

            var storageIdStringLen = BitConverter.ToInt32(rawBytes, index);

            index += 4;

            var fileSystemNameLen = BitConverter.ToInt32(rawBytes, index);

            index = 0x28;

            var storageName = Encoding.Unicode.GetString(rawBytes, index, storageStringNameLen * 2 - 2);

            index += storageStringNameLen * 2;

            var storageIdName = Encoding.Unicode.GetString(rawBytes, index, storageIdStringLen * 2 - 2);

            index += storageIdStringLen * 2;

            Value = storageName;
Exemplo n.º 9
        private void ProcessPropertyViewDefault(byte[] rawBytes)
            FriendlyName = "Variable: Users property view";
            var index = 10;

            var shellPropertySheetListSize = BitConverter.ToInt16(rawBytes, index);

            index += 2;

            var identifiersize = BitConverter.ToInt16(rawBytes, index);

            index += 2;

            var identifierData = new byte[identifiersize];

            Array.Copy(rawBytes, index, identifierData, 0, identifiersize);

            index += identifiersize;

            if (shellPropertySheetListSize > 0)
                var propBytes = rawBytes.Skip(index).Take(shellPropertySheetListSize).ToArray();
                var propStore = new PropertyStore(propBytes);

                PropertyStore = propStore;

                var p = propStore.Sheets.Where(t => t.PropertyNames.ContainsKey("32"));

                if (p.Any())
                    //we can now look thry prop bytes for extension blocks
                    //TODO this is a hack until we can process vectors natively

                    var extOffsets = new List <int>();
                        var regexObj    = new Regex("([0-9A-F]{2})-00-EF-BE", RegexOptions.IgnoreCase);
                        var matchResult = regexObj.Match(BitConverter.ToString(propBytes));
                        while (matchResult.Success)
                            matchResult = matchResult.NextMatch();

                        foreach (var extOffset in extOffsets)
                            var binaryOffset = extOffset / 3 - 4;
                            var exSize       = BitConverter.ToInt16(propBytes, binaryOffset);

                            var exBytes = propBytes.Skip(binaryOffset).Take(exSize).ToArray();

                            var signature1 = BitConverter.ToUInt32(exBytes, 4);

                            var block1 = Utils.GetExtensionBlockFromBytes(signature1, exBytes);

                    catch (ArgumentException ex)
                        throw ex;
                        // Syntax error in the regular expression
                if (rawBytes[0x28] == 0x2f ||
                    rawBytes[0x24] == 0x4e && rawBytes[0x26] == 0x2f && rawBytes[0x28] == 0x41)
                    //we have a good date

                    var zip = new ShellBagZipContents(rawBytes);
                    FriendlyName   = zip.FriendlyName;
                    LastAccessTime = zip.LastAccessTime;

                    Value = zip.Value;

                Debug.Write("Oh no! No property sheets!");

            index += shellPropertySheetListSize;

            index += 2; //move past end of property sheet terminator

            var rawguid = Utils.ExtractGuidFromShellItem(rawBytes.Skip(index).Take(16).ToArray());

            index += 16;

            rawguid = Utils.ExtractGuidFromShellItem(rawBytes.Skip(index).Take(16).ToArray());
            index  += 16;

            var name = Utils.GetFolderNameFromGuid(rawguid);

            Value = name;

            var extBlockSize = BitConverter.ToInt16(rawBytes, index);

            if (extBlockSize > 0)
                //process extension blocks

                while (extBlockSize > 0)
                    var extBytes = rawBytes.Skip(index).Take(extBlockSize).ToArray();

                    index += extBlockSize;

                    var signature1 = BitConverter.ToUInt32(extBytes, 4);

                    var block1 = Utils.GetExtensionBlockFromBytes(signature1, extBytes);


                    extBlockSize = BitConverter.ToInt16(rawBytes, index);

            int terminator = BitConverter.ToInt16(rawBytes, index);

            if (terminator > 0)
                throw new Exception($"Expected terminator of 0, but got {terminator}");
Exemplo n.º 10
        public ShellBag0X31(byte[] rawBytes)
            FriendlyName = "Directory";

            ExtensionBlocks = new List<IExtensionBlock>();

            var index = 2;
            if ((rawBytes[0x27] == 0x00 && rawBytes[0x28] == 0x2f && rawBytes[0x29] == 0x00) ||
                (rawBytes[0x24] == 0x4e && rawBytes[0x26] == 0x2f && rawBytes[0x28] == 0x41))
                //we have a good date

                    var zip = new ShellBagZipContents(rawBytes);
                    FriendlyName = zip.FriendlyName;
                    LastAccessTime = zip.LastAccessTime;

                    Value = zip.Value;

                catch (Exception)
                    //this isnt really this kind of entry despite our best efforts to make sure it is, so fall thru and process normally

            index += 1;

            //skip unknown byte
            index += 1;

            index += 4; // skip file size since always 0 for directory

            LastModificationTime = Utils.ExtractDateTimeOffsetFromBytes(rawBytes.Skip(index).Take(4).ToArray());

            index += 4;

            index += 2;

            var len = 0;

            var beefPos = BitConverter.ToString(rawBytes).IndexOf("04-00-EF-BE", StringComparison.InvariantCulture)/3;
            beefPos = beefPos - 4; //add header back for beef

            var strLen = beefPos - index;

            if (rawBytes[2] == 0x35)
                len = strLen;
                while (rawBytes[index + len] != 0x0)
                    len += 1;

            var tempBytes = new byte[len];
            Array.Copy(rawBytes, index, tempBytes, 0, len);

            index += len;

            var shortName = "";

            if (rawBytes[2] == 0x35)
                shortName = Encoding.Unicode.GetString(tempBytes);
                shortName = Encoding.GetEncoding(1252).GetString(tempBytes);

            ShortName = shortName;

            Value = shortName;

            while (rawBytes[index] == 0x0)
                index += 1;

            // here is where we need to cut up the rest into extension blocks
            var chunks = new List<byte[]>();

            while (index < rawBytes.Length)
                var subshellitemdatasize = BitConverter.ToInt16(rawBytes, index);

                if (subshellitemdatasize <= 0)

                if (subshellitemdatasize == 1)
                    //some kind of separator
                    index += 2;
                    index += subshellitemdatasize;

            foreach (var bytes in chunks)
                index = 0;

                var extsize = BitConverter.ToInt16(bytes, index);

                var signature = BitConverter.ToUInt32(bytes, 0x04);

                //TODO does this need to check if its a 0xbeef?? regex?
                var block = Utils.GetExtensionBlockFromBytes(signature, bytes);

                if (block.Signature.ToString("X").StartsWith("BEEF00"))

                var beef0004 = block as Beef0004;
                if (beef0004 != null)
                    Value = beef0004.LongName;

                var beef0005 = block as Beef0005;
                if (beef0005 != null)
                    //TODO Resolve this
            //                    foreach (var internalBag in beef0005.InternalBags)
            //                    {
            //                        ExtensionBlocks.Add(new BeefPlaceHolder(null));
            //                    }

                index += extsize;
Exemplo n.º 11
        public ShellBag0X32(byte[] rawBytes)
            FriendlyName = "File";

            ExtensionBlocks = new List <IExtensionBlock>();

            ShortName = string.Empty;

            var index = 2;

            if (rawBytes[0x28] == 0x2f || rawBytes[0x24] == 0x4e && rawBytes[0x26] == 0x2f && rawBytes[0x28] == 0x41)
                //we have a good date

                    var zip = new ShellBagZipContents(rawBytes);
                    FriendlyName   = zip.FriendlyName;
                    LastAccessTime = zip.LastAccessTime;

                    Value = zip.Value;

                catch (Exception)

            index += 1;

            //skip unknown byte
            index += 1;

            var fileSize = BitConverter.ToUInt32(rawBytes, index);

            FileSize = (int)fileSize;

            index += 4; // skip file size since always 0 for directory

            var tempBytes = new byte[4];

            Array.Copy(rawBytes, index, tempBytes, 0, 4);
            var lastmodifiedUtcRaw = tempBytes;

            LastModificationTime = Utils.ExtractDateTimeOffsetFromBytes(lastmodifiedUtcRaw);

            index += 4;

            index += 2;

            var len = 0;

            while (rawBytes[index + len] != 0x0)
                len += 1;

            tempBytes = new byte[len];
            Array.Copy(rawBytes, index, tempBytes, 0, len);

            index += len;

            var shortName = CodePagesEncodingProvider.Instance.GetEncoding(1252).GetString(tempBytes);

            ShortName = shortName;

            while (rawBytes[index] == 0x0)
                index += 1;

            //we are at extension blocks, so cut them up and process
            // here is where we need to cut up the rest into extension blocks
            var chunks = new List <byte[]>();

            while (index < rawBytes.Length)
                var subshellitemdatasize = BitConverter.ToInt16(rawBytes, index);

                if (subshellitemdatasize <= 0)

                if (subshellitemdatasize == 1)
                    //some kind of separator
                    index += 2;
                    index += subshellitemdatasize;

            foreach (var bytes in chunks)
                index = 0;

                var extsize = BitConverter.ToInt16(bytes, index);

                var signature = BitConverter.ToUInt32(bytes, 0x04);

                //TODO does this need to check if its a 0xbeef?? regex?
                var block = Utils.GetExtensionBlockFromBytes(signature, bytes);


                var beef0004 = block as Beef0004;
                if (beef0004 != null)
                    Value = beef0004.LongName;

                index += extsize;
Exemplo n.º 12
        public ShellBag0X74(byte[] rawBytes)
            FriendlyName = "Users Files Folder";

            ExtensionBlocks = new List<IExtensionBlock>();

            var index = 2;

            index += 2; // move past type  and an unknown

            var size = BitConverter.ToUInt16(rawBytes, index);

            index += 2;

            var sig74 = Encoding.GetEncoding(1252).GetString(rawBytes, index, 4);

            if (sig74 == "CF\0\0")
                if (rawBytes[0x28] == 0x2f ||
                    (rawBytes[0x24] == 0x4e && rawBytes[0x26] == 0x2f && rawBytes[0x28] == 0x41))
                    //we have a good date

                    var zip = new ShellBagZipContents(rawBytes);
                    FriendlyName = zip.FriendlyName;
                    LastAccessTime = zip.LastAccessTime;

                    Value = zip.Value;


            if (sig74 != "CFSF")
                throw new Exception($"Invalid signature! Should be CFSF but was {sig74}");

            index += 4;

            var subShellSize = BitConverter.ToUInt16(rawBytes, index);
            index += 2;

            var subClasstype = rawBytes[index];
            index += 1;

            index += 1; // skip unknown

            var filesize = BitConverter.ToUInt32(rawBytes, index);

            index += 4;

            FileSize = (int) filesize;

            var tempBytes = new byte[4];
            Array.Copy(rawBytes, index, tempBytes, 0, 4);

            index += 4;

            LastModificationTime = Utils.ExtractDateTimeOffsetFromBytes(tempBytes);

            index += 2; //skip file attribute flag

            var len = 0;

            while (rawBytes[index + len] != 0x0)
                len += 1;

            tempBytes = new byte[len];
            Array.Copy(rawBytes, index, tempBytes, 0, len);

            index += len;

            var primaryName = Encoding.GetEncoding(1252).GetString(tempBytes);

            while (rawBytes[index] == 0x0)
                index += 1;

            var delegateGuidRaw = new byte[16];

            Array.Copy(rawBytes, index, delegateGuidRaw, 0, 16);

            var delegateGuid = Utils.ExtractGuidFromShellItem(delegateGuidRaw);

            if (delegateGuid != "5e591a74-df96-48d3-8d67-1733bcee28ba")
                throw new Exception(
                    $"Delegate guid not expected value of 5e591a74-df96-48d3-8d67-1733bcee28ba. Actual value: {delegateGuid}");

            index += 16;

            var itemIdentifierGuidRaw = new byte[16];
            Array.Copy(rawBytes, index, itemIdentifierGuidRaw, 0, 16);

            var itemIdentifierGuid = Utils.ExtractGuidFromShellItem(itemIdentifierGuidRaw);

            var itemName = Utils.GetFolderNameFromGuid(itemIdentifierGuid);
            index += 16;

            //0xbeef0004 section

            //we are at extensnon blocks, so cut them up and process
            // here is where we need to cut up the rest into extension blocks
            var chunks = new List<byte[]>();

            while (index < rawBytes.Length)
                var subshellitemdatasize = BitConverter.ToInt16(rawBytes, index);

                if (subshellitemdatasize <= 0)

                if (subshellitemdatasize == 1)
                    //some kind of separator
                    index += 2;
                    index += subshellitemdatasize;

            foreach (var bytes in chunks)
                index = 0;

                var extsize = BitConverter.ToInt16(bytes, index);

                var signature = BitConverter.ToUInt32(bytes, 0x04);

                //TODO does this need to check if its a 0xbeef?? regex?
                var block = Utils.GetExtensionBlockFromBytes(signature, bytes);


                var beef0004 = block as Beef0004;
                if (beef0004 != null)
                    Value = beef0004.LongName;

                index += extsize;