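/// <summary>
/// Parses the Win81 fixture with the Windows 8.1 / Server 2012 R2 layout and
/// spot-checks entries at the start, middle and end of the cache.
/// </summary>
/// <remarks>
/// Every check goes through NFluent's <c>IsEqualTo</c>; calling <c>Equals</c> on
/// the check object is easy to mistake for the plain <c>object.Equals</c> and is
/// not used anywhere else in these tests.
/// </remarks>
public void Win81ShouldFindEntries()
{
    var a = new Windows8x(Win81, AppCompatCache.AppCompatCache.OperatingSystemVersion.Windows81_Windows2012R2, -1);

    Check.That(a.Entries.Count).IsEqualTo(1024);
    // Win8.x headers carry no entry count, so the parser reports -1.
    Check.That(a.EntryCount).IsEqualTo(-1);

    Check.That(a.Entries[0].PathSize).IsEqualTo(94);
    Check.That(a.Entries[0].Executed).IsEqualTo(AppCompatCache.AppCompatCache.Execute.Yes);
    Check.That(a.Entries[0].Path).Contains("java.exe");

    Check.That(a.Entries[2].PathSize).IsEqualTo(128);
    Check.That(a.Entries[2].Executed).IsEqualTo(AppCompatCache.AppCompatCache.Execute.Yes);
    Check.That(a.Entries[2].Path).Contains("SpotifyHelper.exe");

    Check.That(a.Entries[8].PathSize).IsEqualTo(70);
    Check.That(a.Entries[8].Executed).IsEqualTo(AppCompatCache.AppCompatCache.Execute.Yes);
    Check.That(a.Entries[8].Path).Contains("dllhost.exe");

    Check.That(a.Entries[1011].PathSize).IsEqualTo(98);
    Check.That(a.Entries[1011].Executed).IsEqualTo(AppCompatCache.AppCompatCache.Execute.Yes);
    Check.That(a.Entries[1011].Path).Contains("osTriage2.exe");

    // Last entry: guards against an off-by-one at the end of the entry block.
    Check.That(a.Entries[1023].PathSize).IsEqualTo(170);
    Check.That(a.Entries[1023].Executed).IsEqualTo(AppCompatCache.AppCompatCache.Execute.Yes);
    Check.That(a.Entries[1023].Path).Contains("setup.exe");
}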
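/// <summary>
/// Parses the Win80 fixture with the Windows 8.0 / Server 2012 layout and
/// spot-checks entries at the start, middle and end of the cache, including
/// one entry whose execution flag is not set.
/// </summary>
/// <remarks>
/// Every check goes through NFluent's <c>IsEqualTo</c>; calling <c>Equals</c> on
/// the check object is easy to mistake for the plain <c>object.Equals</c> and is
/// not used anywhere else in these tests.
/// </remarks>
public void Win80ShouldFindEntries()
{
    var a = new Windows8x(Win80, AppCompatCache.AppCompatCache.OperatingSystemVersion.Windows80_Windows2012, -1);

    Check.That(a.Entries.Count).IsEqualTo(104);
    // Win8.x headers carry no entry count, so the parser reports -1.
    Check.That(a.EntryCount).IsEqualTo(-1);

    Check.That(a.Entries[0].PathSize).IsEqualTo(70);
    Check.That(a.Entries[0].Executed).IsEqualTo(AppCompatCache.AppCompatCache.Execute.Yes);
    Check.That(a.Entries[0].Path).Contains("LogonUI.exe");

    Check.That(a.Entries[2].PathSize).IsEqualTo(144);
    Check.That(a.Entries[2].Executed).IsEqualTo(AppCompatCache.AppCompatCache.Execute.Yes);
    Check.That(a.Entries[2].Path).Contains("EditPadLite7.exe");

    Check.That(a.Entries[8].PathSize).IsEqualTo(70);
    Check.That(a.Entries[8].Executed).IsEqualTo(AppCompatCache.AppCompatCache.Execute.Yes);
    Check.That(a.Entries[8].Path).Contains("svchost.exe");

    Check.That(a.Entries[100].PathSize).IsEqualTo(76);
    Check.That(a.Entries[100].Executed).IsEqualTo(AppCompatCache.AppCompatCache.Execute.Yes);
    Check.That(a.Entries[100].Path).Contains("Setup.exe");

    // The only fixture entry with the insertion flag clear: pins the No branch.
    Check.That(a.Entries[101].PathSize).IsEqualTo(70);
    Check.That(a.Entries[101].Executed).IsEqualTo(AppCompatCache.AppCompatCache.Execute.No);
    Check.That(a.Entries[101].Path).Contains("WWAHost.exe");
}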
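/// <summary>
/// Reads the raw AppCompatCache value, determines which Windows version wrote
/// it and constructs the matching parser.
/// </summary>
/// <remarks>
/// The constructed parser is neither returned nor stored, so the only visible
/// effect of this method is whatever the chosen constructor does (including any
/// exception it throws on malformed data). Versions sharing a parser are
/// grouped in one <c>case</c> rather than repeated.
/// </remarks>
public void run()
{
    byte[] rawBytes = readBytes();

    // NOTE(review): PROCESSOR_ARCHITEW6432 is only set for a 32-bit process
    // running under WOW64, so this reflects the *analysis host and process*,
    // not the machine the hive came from, and reads as "32-bit" for a native
    // 64-bit process as well. Confirm this is the intended hint before relying
    // on the x86/x64 distinction for Windows 7 and earlier.
    bool is32bit = string.IsNullOrEmpty(Environment.GetEnvironmentVariable("PROCESSOR_ARCHITEW6432"));

    var controlSet = getControlSet();
    var operatingSystem = getWindowsVersion(rawBytes, is32bit);

    IAppCompatCache appCache;
    switch (operatingSystem)
    {
        case OperatingSystemVersion.Windows10:
        case OperatingSystemVersion.Windows10Creators:
            appCache = new Windows10(rawBytes, controlSet);
            break;

        case OperatingSystemVersion.Windows7x86:
        case OperatingSystemVersion.Windows7x64_Windows2008R2:
            appCache = new Windows7(rawBytes, is32bit, controlSet);
            break;

        case OperatingSystemVersion.Windows80_Windows2012:
        case OperatingSystemVersion.Windows81_Windows2012R2:
            // The Win8.x parser needs the exact version to pick its layout.
            appCache = new Windows8x(rawBytes, operatingSystem, controlSet);
            break;

        case OperatingSystemVersion.WindowsVistaWin2k3Win2k8:
            appCache = new VistaWin2k3Win2k8(rawBytes, is32bit, controlSet);
            break;

        case OperatingSystemVersion.WindowsXP:
            appCache = new WindowsXP(rawBytes, is32bit, controlSet);
            break;

        default:
            // Unknown or unsupported version: nothing is constructed, matching
            // the original fall-through.
            break;
    }
}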
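//https://github.com/libyal/winreg-kb/wiki/Application-Compatibility-Cache-key
//https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf
/// <summary>
/// Identifies the Windows version that produced <paramref name="rawBytes"/>
/// from its header signature, records it in <see cref="OperatingSystem"/> and
/// constructs the matching parser.
/// </summary>
/// <param name="rawBytes">Raw AppCompatCache registry value.</param>
/// <param name="is32">Whether the data should be treated as coming from a
/// 32-bit system; it selects Windows7x86 versus x64 and is handed to the XP,
/// Vista/2k3/2k8 and Win7 parsers.</param>
/// <param name="controlSet">ControlSet the value was read from; passed through
/// to the parser unchanged.</param>
/// <returns>A parser for the detected format.</returns>
/// <exception cref="ArgumentNullException"><paramref name="rawBytes"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="rawBytes"/> is too short
/// to hold the signature bytes, or its entry offset (Windows 10 header) points
/// outside the data.</exception>
/// <exception cref="Exception">No known signature matched.</exception>
private IAppCompatCache Init(byte[] rawBytes, bool is32, int controlSet)
{
    // Detection reads a dword at offset 0 and four ASCII bytes at offset 128,
    // so anything shorter cannot be classified. Checking up front turns the
    // ArgumentOutOfRangeException that GetString would raise into a message
    // that names the actual problem (truncated value).
    const int MinimumHeaderLength = 128 + 4;
    if (rawBytes == null)
    {
        throw new ArgumentNullException(nameof(rawBytes));
    }

    if (rawBytes.Length < MinimumHeaderLength)
    {
        throw new ArgumentException(
            $"AppCompatCache data is too short to identify ({rawBytes.Length} bytes, need at least {MinimumHeaderLength})",
            nameof(rawBytes));
    }

    IAppCompatCache appCache = null;
    OperatingSystem = OperatingSystemVersion.Unknown;

    var sigNum = BitConverter.ToUInt32(rawBytes, 0);
    var signature = Encoding.ASCII.GetString(rawBytes, 128, 4);

    Log.Debug("**** Signature {Signature}, Sig num {SigNum}", signature, $"0x{sigNum:X}");

    if (sigNum == 0xDEADBEEF) //DEADBEEF, WinXp
    {
        OperatingSystem = OperatingSystemVersion.WindowsXP;
        Log.Debug("**** Processing XP hive");
        appCache = new WindowsXP(rawBytes, is32, controlSet);
    }
    else if (sigNum == 0xBADC0FFE) //BADC0FFE, Vista / Server 2003 / Server 2008
    {
        OperatingSystem = OperatingSystemVersion.WindowsVistaWin2k3Win2k8;
        appCache = new VistaWin2k3Win2k8(rawBytes, is32, controlSet);
    }
    else if (sigNum == 0xBADC0FEE) //BADC0FEE, Win7
    {
        // Win7 has distinct x86 and x64 layouts; the caller's hint decides.
        OperatingSystem = is32
            ? OperatingSystemVersion.Windows7x86
            : OperatingSystemVersion.Windows7x64_Windows2008R2;
        appCache = new Windows7(rawBytes, is32, controlSet);
    }
    else if (signature == "00ts")
    {
        OperatingSystem = OperatingSystemVersion.Windows80_Windows2012;
        appCache = new Windows8x(rawBytes, OperatingSystem, controlSet);
    }
    else if (signature == "10ts")
    {
        OperatingSystem = OperatingSystemVersion.Windows81_Windows2012R2;
        appCache = new Windows8x(rawBytes, OperatingSystem, controlSet);
    }
    else
    {
        // Windows 10: the first dword is the offset to the entry block and the
        // "10ts" signature sits there rather than at 128. An offset of 0x34
        // marks the Creators Update layout.
        var offsetToEntries = BitConverter.ToInt32(rawBytes, 0);

        OperatingSystem = OperatingSystemVersion.Windows10;
        if (offsetToEntries == 0x34)
        {
            OperatingSystem = OperatingSystemVersion.Windows10Creators;
        }

        // The offset is taken from the data itself, so a corrupt or hostile
        // value can be negative or past the end. Reject it explicitly instead
        // of letting GetString throw a bare ArgumentOutOfRangeException.
        if (offsetToEntries < 0 || offsetToEntries > rawBytes.Length - 4)
        {
            throw new ArgumentException(
                $"Offset to entries 0x{offsetToEntries:X} lies outside the {rawBytes.Length}-byte value",
                nameof(rawBytes));
        }

        signature = Encoding.ASCII.GetString(rawBytes, offsetToEntries, 4);
        if (signature == "10ts")
        {
            appCache = new Windows10(rawBytes, controlSet);
        }
    }

    if (appCache == null)
    {
        throw new Exception(
            "Unable to determine operating system! 
Please send the hive to [email protected]");
    }

    return appCache;
}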
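/// <summary>
/// Parses the Win81 fixture with the Windows 8.1 / Server 2012 R2 layout and
/// no ControlSet hint, and checks the expected number of entries is found.
/// </summary>
/// <remarks>
/// Uses NFluent's <c>IsEqualTo</c> rather than <c>Equals</c> on the check
/// object, which reads like <c>object.Equals</c> and does not make the
/// assertion obvious.
/// </remarks>
public void Win81ShouldFindEntries()
{
    var a = new Windows8x(Win81, AppCompatCache.AppCompatCache.OperatingSystemVersion.Windows81_Windows2012R2, null);

    Check.That(a.Entries.Count).IsEqualTo(1024);
}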
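/// <summary>
/// Parses the Win80 fixture with the Windows 8.0 / Server 2012 layout and
/// checks the expected number of entries is found.
/// </summary>
/// <remarks>
/// Uses NFluent's <c>IsEqualTo</c> rather than <c>Equals</c> on the check
/// object, which reads like <c>object.Equals</c> and does not make the
/// assertion obvious.
/// </remarks>
public void Win80ShouldFindEntries()
{
    var a = new Windows8x(Win80, AppCompatCache.AppCompatCache.OperatingSystemVersion.Windows80_Windows2012);

    Check.That(a.Entries.Count).IsEqualTo(58);
}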