/// <summary>
/// Parses the Win2k8 Standard test hive and spot-checks the entry count plus a sample of entries
/// (path size, executed flag and a fragment of the recorded path).
/// </summary>
public void Win2k8Std_ShouldFindEntries()
{
    var cache = new VistaWin2k3Win2k8(Win2k8Std, false, -1);

    Check.That(cache.Entries.Count).Equals(873);
    // Check.That(cache.ExpectedEntries).Equals(cache.Entries.Count);
    Check.That(cache.EntryCount).Equals(873);

    // Sampled entries, checked in index order.
    var samples = new[]
    {
        new { Index = 0, PathSize = 164, Executed = AppCompatCache.AppCompatCache.Execute.Yes, Path = "raw_agent_svc.exe" },
        new { Index = 2, PathSize = 62, Executed = AppCompatCache.AppCompatCache.Execute.Yes, Path = "mmc.exe" },
        new { Index = 5, PathSize = 62, Executed = AppCompatCache.AppCompatCache.Execute.No, Path = "SCW.exe" },
        new { Index = 337, PathSize = 148, Executed = AppCompatCache.AppCompatCache.Execute.Yes, Path = "MSExchangeTransport.exe" },
        new { Index = 349, PathSize = 136, Executed = AppCompatCache.AppCompatCache.Execute.Yes, Path = "MSExchangeFDS.exe" },
    };

    foreach (var sample in samples)
    {
        var entry = cache.Entries[sample.Index];
        Check.That(entry.PathSize).IsEqualTo(sample.PathSize);
        Check.That(entry.Executed).IsEqualTo(sample.Executed);
        Check.That(entry.Path).Contains(sample.Path);
    }
}
/// <summary>
/// Reads the raw AppCompatCache value, resolves the Windows version it belongs to and constructs the
/// matching parser. The constructed parser is not used further in this method.
/// </summary>
public void run()
{
    byte[] rawBytes = readBytes();

    // NOTE(review): this is derived from the *current process* environment (PROCESSOR_ARCHITEW6432 is
    // only present for 32-bit processes running under WOW64), not from the hive being parsed — confirm
    // that is the intended meaning of is32bit when the hive comes from another machine.
    bool is32bit = string.IsNullOrEmpty(Environment.GetEnvironmentVariable("PROCESSOR_ARCHITEW6432"));

    var controlSet = getControlSet();
    var operatingSystem = getWindowsVersion(rawBytes, is32bit);

    IAppCompatCache appCache;
    switch (operatingSystem)
    {
        case OperatingSystemVersion.Windows10:
        case OperatingSystemVersion.Windows10Creators:
            appCache = new Windows10(rawBytes, controlSet);
            break;

        case OperatingSystemVersion.Windows7x86:
        case OperatingSystemVersion.Windows7x64_Windows2008R2:
            appCache = new Windows7(rawBytes, is32bit, controlSet);
            break;

        case OperatingSystemVersion.Windows80_Windows2012:
        case OperatingSystemVersion.Windows81_Windows2012R2:
            // The Windows 8.x parser needs the exact version to pick the layout.
            appCache = new Windows8x(rawBytes, operatingSystem, controlSet);
            break;

        case OperatingSystemVersion.WindowsVistaWin2k3Win2k8:
            appCache = new VistaWin2k3Win2k8(rawBytes, is32bit, controlSet);
            break;

        case OperatingSystemVersion.WindowsXP:
            appCache = new WindowsXP(rawBytes, is32bit, controlSet);
            break;

        default:
            // Any other version (e.g. Unknown) builds no parser.
            break;
    }
}
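//https://github.com/libyal/winreg-kb/wiki/Application-Compatibility-Cache-key
//https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf
/// <summary>
/// Identifies the AppCompatCache format from the raw registry value data and builds the matching parser.
/// Sets <see cref="OperatingSystem"/> as a side effect (it is reset to Unknown first and left at the
/// last detected value even when no parser could be built).
/// </summary>
/// <param name="rawBytes">Raw bytes of the AppCompatCache registry value. Treated as untrusted input:
/// every offset read from it is bounds-checked before use.</param>
/// <param name="is32">Whether the source system is 32-bit; distinguishes Windows 7 x86 from x64 / 2008 R2.</param>
/// <param name="controlSet">Control set the value was read from; passed through to the parser.</param>
/// <returns>The parser for the detected format.</returns>
/// <exception cref="ArgumentNullException"><paramref name="rawBytes"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="rawBytes"/> is too short to hold the format signatures.</exception>
/// <exception cref="Exception">The format could not be determined from the signatures.</exception>
private IAppCompatCache Init(byte[] rawBytes, bool is32, int controlSet)
{
    // Both signatures are read at fixed offsets, so the minimum size is checked once up front.
    const int signatureOffset = 128;
    const int signatureLength = 4;
    const int minimumLength = signatureOffset + signatureLength;

    if (rawBytes == null)
    {
        throw new ArgumentNullException(nameof(rawBytes));
    }

    if (rawBytes.Length < minimumLength)
    {
        throw new ArgumentException(
            $"AppCompatCache data is too short: {rawBytes.Length} bytes, expected at least {minimumLength}",
            nameof(rawBytes));
    }

    IAppCompatCache appCache = null;
    OperatingSystem = OperatingSystemVersion.Unknown;

    // The magic number at offset 0 identifies XP / Vista-2k3-2k8 / Win7; the 4-character tag at offset 128
    // identifies Win8 / Win8.1.
    var sigNum = BitConverter.ToUInt32(rawBytes, 0);
    var signature = Encoding.ASCII.GetString(rawBytes, signatureOffset, signatureLength);

    Log.Debug("**** Signature {Signature}, Sig num {SigNum}", signature, $"0x{sigNum:X}");

    if (sigNum == 0xDEADBEEF) //DEADBEEF, WinXp
    {
        OperatingSystem = OperatingSystemVersion.WindowsXP;
        Log.Debug("**** Processing XP hive");
        appCache = new WindowsXP(rawBytes, is32, controlSet);
    }
    else if (sigNum == 0xbadc0ffe)
    {
        OperatingSystem = OperatingSystemVersion.WindowsVistaWin2k3Win2k8;
        appCache = new VistaWin2k3Win2k8(rawBytes, is32, controlSet);
    }
    else if (sigNum == 0xBADC0FEE) //BADC0FEE, Win7
    {
        // Same magic for both Win7 flavours; only the caller's bitness tells them apart.
        OperatingSystem = is32
            ? OperatingSystemVersion.Windows7x86
            : OperatingSystemVersion.Windows7x64_Windows2008R2;
        appCache = new Windows7(rawBytes, is32, controlSet);
    }
    else if (signature == "00ts")
    {
        OperatingSystem = OperatingSystemVersion.Windows80_Windows2012;
        appCache = new Windows8x(rawBytes, OperatingSystem, controlSet);
    }
    else if (signature == "10ts")
    {
        OperatingSystem = OperatingSystemVersion.Windows81_Windows2012R2;
        appCache = new Windows8x(rawBytes, OperatingSystem, controlSet);
    }
    else
    {
        //is it windows 10? The first int is the offset to the entries; 0x34 marks the Creators layout.
        var offsetToEntries = BitConverter.ToInt32(rawBytes, 0);
        OperatingSystem = OperatingSystemVersion.Windows10;
        if (offsetToEntries == 0x34)
        {
            OperatingSystem = OperatingSystemVersion.Windows10Creators;
        }

        // The offset comes from the data itself. An out-of-range value means a malformed or unknown
        // cache and is reported as such below, rather than faulting inside Encoding.GetString.
        if (offsetToEntries >= 0 && offsetToEntries <= rawBytes.Length - signatureLength)
        {
            signature = Encoding.ASCII.GetString(rawBytes, offsetToEntries, signatureLength);
            if (signature == "10ts")
            {
                appCache = new Windows10(rawBytes, controlSet);
            }
        }
    }

    if (appCache == null)
    {
        throw new Exception(
            "Unable to determine operating system! Please send the hive to [email protected]");
    }

    return appCache;
}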