/// <summary>
/// Collects Run/RunOnce entries from every hive on <paramref name="volume"/>: the
/// machine-wide SOFTWARE hive first, then each user hive reported by
/// <c>RegistryHelper.GetUserHiveInstances</c>.
/// </summary>
/// <param name="volume">Volume to examine; normalized in place by <c>Helper.getVolumeName</c>.</param>
/// <returns>
/// Every entry that could be read. A hive that is missing or fails to parse is skipped
/// rather than aborting the whole collection.
/// </returns>
public static RunKey[] GetInstances(string volume)
{
    Helper.getVolumeName(ref volume);

    List<RunKey> results = new List<RunKey>();

    // Machine-wide autostart entries live in the SOFTWARE hive of the system volume.
    try
    {
        string softwareHive = Helper.GetVolumeLetter(volume) + @"\Windows\system32\config\SOFTWARE";
        results.AddRange(Get(softwareHive));
    }
    catch (Exception)
    {
        // Best-effort: an unreadable SOFTWARE hive must not prevent the user-hive pass below.
    }

    // Per-user autostart entries live in each NTUSER.DAT hive.
    foreach (string userHive in RegistryHelper.GetUserHiveInstances(volume))
    {
        try
        {
            results.AddRange(Get(userHive));
        }
        catch (Exception)
        {
            // Best-effort: skip a hive that cannot be read and continue with the others.
        }
    }

    return results.ToArray();
}
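/// <summary>
/// Reads the autostart (Run / RunOnce) entries stored in a single registry hive file.
/// </summary>
/// <param name="hivePath">Path to a SOFTWARE hive or to a user's NTUSER.DAT hive.</param>
/// <returns>
/// One <see cref="RunKey"/> per value found under the known autostart keys of that hive type.
/// Keys that are absent or cannot be parsed are skipped.
/// </returns>
/// <exception cref="ArgumentException">
/// <paramref name="hivePath"/> is neither a SOFTWARE hive nor an NTUSER.DAT hive.
/// </exception>
public static RunKey[] Get(string hivePath)
{
    List<string> keys = new List<string>();
    string autoRunLocation;

    if (RegistryHelper.isCorrectHive(hivePath, "SOFTWARE"))
    {
        keys.Add(@"Microsoft\Windows\CurrentVersion\Run");
        keys.Add(@"Microsoft\Windows\CurrentVersion\RunOnce");
        keys.Add(@"Wow6432Node\Microsoft\Windows\CurrentVersion\Run");
        // NOTE(review): Wow6432Node\...\RunOnce is not in this list — confirm whether it should be covered.
        autoRunLocation = @"HKLM\SOFTWARE\";
    }
    else if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
    {
        keys.Add(@"Software\Microsoft\Windows\CurrentVersion\Run");
        keys.Add(@"Software\Microsoft\Windows\CurrentVersion\RunOnce");
        autoRunLocation = @"USER\" + RegistryHelper.GetUserHiveOwner(hivePath) + "\\";
    }
    else
    {
        // A specific exception type lets callers distinguish "wrong file" from parse failures
        // (previously a bare System.Exception was thrown).
        throw new ArgumentException("Invalid SOFTWARE or NTUSER.DAT hive provided.", "hivePath");
    }

    byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
    List<RunKey> runList = new List<RunKey>();

    foreach (string key in keys)
    {
        try
        {
            NamedKey run = NamedKey.Get(bytes, hivePath, key);
            if (run.NumberOfValues > 0)
            {
                foreach (ValueKey vk in run.GetValues(bytes))
                {
                    // The reported location is the logical hive root plus the key path.
                    runList.Add(new RunKey(autoRunLocation + key, vk));
                }
            }
        }
        catch (Exception)
        {
            // Best-effort: a key that does not exist in this hive (or fails to parse) is skipped.
        }
    }

    return runList.ToArray();
}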
/// <summary>
/// Gathers trust records from every user hive found on <paramref name="volume"/>.
/// </summary>
/// <param name="volume">Volume whose user hives are enumerated via <c>RegistryHelper.GetUserHiveInstances</c>.</param>
/// <returns>
/// All records read. A hive that cannot be parsed is skipped so the remaining hives are still collected.
/// </returns>
public static TrustRecord[] GetInstances(string volume)
{
    List<TrustRecord> records = new List<TrustRecord>();

    foreach (var hivePath in RegistryHelper.GetUserHiveInstances(volume))
    {
        try
        {
            records.AddRange(Get(hivePath));
        }
        catch (Exception)
        {
            // Best-effort per hive: an unreadable hive is skipped, not fatal.
        }
    }

    return records.ToArray();
}
/// <summary>
/// Collects Outlook catalog entries from each user hive on <paramref name="volume"/>.
/// </summary>
/// <param name="volume">Volume whose user hives are enumerated via <c>RegistryHelper.GetUserHiveInstances</c>.</param>
/// <returns>
/// Every entry that could be read; hives that fail to parse are skipped rather than aborting the collection.
/// </returns>
public static OutlookCatalog[] GetInstances(string volume)
{
    List<OutlookCatalog> catalogs = new List<OutlookCatalog>();

    foreach (var userHive in RegistryHelper.GetUserHiveInstances(volume))
    {
        try
        {
            catalogs.AddRange(Get(userHive));
        }
        catch (Exception)
        {
            // Best-effort: continue with the next hive.
        }
    }

    return catalogs.ToArray();
}
/// <summary>
/// Collects file MRU entries from each user hive on <paramref name="volume"/>.
/// </summary>
/// <param name="volume">Volume to examine; normalized in place by <c>Helper.getVolumeName</c> before the hives are enumerated.</param>
/// <returns>
/// Every entry that could be read; a hive that fails to parse is skipped so the others are still collected.
/// </returns>
public static FileMRU[] GetInstances(string volume)
{
    Helper.getVolumeName(ref volume);

    List<FileMRU> entries = new List<FileMRU>();

    foreach (var userHive in RegistryHelper.GetUserHiveInstances(volume))
    {
        try
        {
            entries.AddRange(Get(userHive));
        }
        catch (Exception)
        {
            // Best-effort: an unreadable hive is skipped, not fatal.
        }
    }

    return entries.ToArray();
}
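/// <summary>
/// Collects the subkeys of <paramref name="nk"/>, optionally walking the whole subtree.
/// </summary>
/// <param name="bytes">Raw contents of the hive file the key was read from.</param>
/// <param name="nk">Key whose children are enumerated.</param>
/// <param name="recurse">
/// When true, descendants at every depth are included in pre-order (each key precedes its subtree);
/// when false, only the direct children are returned.
/// </param>
/// <returns>The collected keys in enumeration order.</returns>
private static NamedKey[] GetInstances(byte[] bytes, NamedKey nk, bool recurse)
{
    List<NamedKey> keyList = new List<NamedKey>();

    // NOTE(review): there is no depth or cycle guard — a malformed hive whose subkey lists
    // loop back to an ancestor would recurse until StackOverflowException. Confirm that
    // GetSubKeys cannot yield an ancestor, or add a depth limit, since hive data is untrusted input.
    foreach (NamedKey subkey in nk.GetSubKeys(bytes, nk.FullName))
    {
        keyList.Add(subkey);

        // The flag was previously ignored and every call descended unconditionally;
        // honor it so a non-recursive request returns only the direct children.
        if (recurse && subkey.NumberOfSubKeys > 0)
        {
            keyList.AddRange(GetInstances(bytes, subkey, true));
        }
    }

    return keyList.ToArray();
}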
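/// <summary>
/// Reassembles a value whose data is split across several segment cells: the cell at
/// <c>vk.DataOffset</c> holds a segment count (offset 0x06) and the offset of a list of
/// segment cells (offset 0x08); the payload is the concatenation of those segments in list order.
/// </summary>
/// <param name="bytes">Raw contents of the hive file.</param>
/// <param name="vk">Value whose <c>DataOffset</c> points at the segment descriptor cell.</param>
/// <returns>The concatenated segment payload (empty when the segment count is zero or negative).</returns>
/// <exception cref="ArgumentException">
/// The segment-offset list is shorter than the declared segment count requires.
/// </exception>
internal static byte[] Get(byte[] bytes, ValueKey vk)
{
    // Cell sizes are read as signed ints and Math.Abs is applied to get the length.
    // NOTE(review): a size field of 0x80000000 makes Math.Abs throw OverflowException; hive data is
    // untrusted input, so callers should expect parse exceptions from this method.
    byte[] dataBytes = PowerForensics.Helper.GetSubArray(bytes, (int)vk.DataOffset, Math.Abs(BitConverter.ToInt32(bytes, (int)vk.DataOffset)));

    short segmentCount = BitConverter.ToInt16(dataBytes, 0x06);
    uint listOffset = BitConverter.ToUInt32(dataBytes, 0x08) + RegistryHeader.HBINOFFSET;
    byte[] listBytes = Helper.GetSubArray(bytes, (int)listOffset, Math.Abs(BitConverter.ToInt32(bytes, (int)listOffset)));

    // Entries start after the 4-byte cell size header, one uint per segment. Validate up front so a
    // truncated or forged list fails with a clear message instead of deep inside BitConverter.
    if (segmentCount > 0 && listBytes.Length < (segmentCount + 1) * 0x04)
    {
        throw new ArgumentException("Segment offset list is shorter than its declared segment count.", "vk");
    }

    List<byte> contents = new List<byte>();

    // int counter: the original short counter wrapped after short.MaxValue segments and threw
    // instead of finishing.
    for (int i = 1; i <= segmentCount; i++)
    {
        uint segmentOffset = BitConverter.ToUInt32(listBytes, i * 0x04) + RegistryHeader.HBINOFFSET;
        int segmentSize = Math.Abs(BitConverter.ToInt32(bytes, (int)segmentOffset));
        // Skip the segment cell's 4-byte size header; the copied length is the cell size minus 8.
        contents.AddRange(Helper.GetSubArray(bytes, (int)segmentOffset + 0x04, segmentSize - 0x08));
    }

    // ToArray already yields a fresh array; the former extra GetSubArray copy was redundant.
    return contents.ToArray();
}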