/// <summary>
/// Populates a NetworkList entry from the values stored under a single registry key.
/// </summary>
/// <param name="nk">Key whose values are read; its WriteTime is copied to <c>WriteTime</c>.</param>
/// <param name="bytes">Raw hive contents handed to the key and value accessors.</param>
/// <remarks>
/// Only the value names tested below are consumed; every other value is skipped without
/// reading its data. String values are decoded as UTF-16LE as stored, so any terminator in
/// the data is kept. The data comes straight from the hive and is not length-checked here:
/// <c>BitConverter.ToUInt32</c> throws if the "Source" data is shorter than four bytes.
/// </remarks>
internal NetworkList(NamedKey nk, byte[] bytes)
{
    WriteTime = nk.WriteTime;

    foreach (ValueKey value in nk.GetValues(bytes))
    {
        string valueName = value.Name;

        if (valueName == "ProfileGuid")
        {
            ProfileGuid = Encoding.Unicode.GetString(value.GetData(bytes));
        }
        else if (valueName == "Description")
        {
            Description = Encoding.Unicode.GetString(value.GetData(bytes));
        }
        else if (valueName == "Source")
        {
            Source = BitConverter.ToUInt32(value.GetData(bytes), 0x00);
        }
        else if (valueName == "DnsSuffix")
        {
            DnsSuffix = Encoding.Unicode.GetString(value.GetData(bytes));
        }
        else if (valueName == "FirstNetwork")
        {
            FirstNetwork = Encoding.Unicode.GetString(value.GetData(bytes));
        }
        else if (valueName == "DefaultGatewayMac")
        {
            DefaultGatewayMac = new PhysicalAddress(value.GetData(bytes));
        }
    }
}
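/// <summary>
/// Walks <paramref name="key"/> component by component from the hive root and returns the
/// subkeys of the key that is reached.
/// </summary>
/// <param name="bytes">Raw hive contents.</param>
/// <param name="path">Hive path, passed to <c>RegistryHelper.GetRootKey</c> and used in error messages.</param>
/// <param name="key">Backslash-separated key path, or null to list the root's subkeys.</param>
/// <returns>Whatever <c>GetSubKeys</c> returns for the resolved key (may be null for a key without subkeys).</returns>
/// <exception cref="Exception">A component of <paramref name="key"/> cannot be found.</exception>
internal static NamedKey[] GetInstances(byte[] bytes, string path, string key)
{
    NamedKey current = RegistryHelper.GetRootKey(bytes, path);

    if (key != null)
    {
        foreach (string component in key.Split('\\'))
        {
            NamedKey match = null;

            // GetSubKeys returns null for a key that has no subkeys; treat that as
            // "component not found" instead of failing with a NullReferenceException.
            NamedKey[] children = current.GetSubKeys(bytes);
            if (children != null)
            {
                foreach (NamedKey child in children)
                {
                    // Ordinal, case-insensitive comparison: ToUpper() depends on the
                    // analyst machine's culture, so the same hive could resolve
                    // differently under e.g. a Turkish locale.
                    if (string.Equals(child.Name, component, StringComparison.OrdinalIgnoreCase))
                    {
                        // No early exit: the last matching sibling wins, as before.
                        match = child;
                    }
                }
            }

            if (match == null)
            {
                throw new Exception(string.Format("Cannot find key '{0}' in the '{1}' hive because it does not exist.", key, path));
            }

            current = match;
        }

        // Split always yields at least one component and every component must match,
        // so the former "still at the hive root" check can no longer trigger here.
    }

    return current.GetSubKeys(bytes);
}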
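/// <summary>
/// Looks up the value named <paramref name="val"/> under <paramref name="key"/> in an
/// already-loaded hive.
/// </summary>
/// <param name="bytes">Raw hive contents.</param>
/// <param name="path">Hive path, passed to <c>RegistryHelper.GetRootKey</c>.</param>
/// <param name="key">Backslash-separated key path, or null to search the root key's values.</param>
/// <param name="val">Value name, compared case-insensitively.</param>
/// <returns>The matching value, or null when the key or the value does not exist.</returns>
internal static ValueKey Get(byte[] bytes, string path, string key, string val)
{
    NamedKey current = RegistryHelper.GetRootKey(bytes, path);

    if (key != null)
    {
        foreach (string component in key.Split('\\'))
        {
            // Empty components (trailing or doubled backslash) never matched a subkey
            // and were effectively ignored; keep tolerating them.
            if (component.Length == 0)
            {
                continue;
            }

            NamedKey match = null;

            // GetSubKeys returns null for a key without subkeys.
            NamedKey[] children = current.GetSubKeys(bytes);
            if (children != null)
            {
                foreach (NamedKey child in children)
                {
                    // Ordinal comparison keeps the lookup independent of the current culture.
                    if (string.Equals(child.Name, component, StringComparison.OrdinalIgnoreCase))
                    {
                        match = child;
                    }
                }
            }

            if (match == null)
            {
                // Previously a missing component was skipped and the walk continued from
                // the parent, so a value from a different key could be returned as if it
                // belonged to the requested one. Report "not found" instead.
                return null;
            }

            current = match;
        }
    }

    ValueKey[] values = current.GetValues(bytes);
    if (values != null)
    {
        foreach (ValueKey candidate in values)
        {
            if (string.Equals(candidate.Name, val, StringComparison.OrdinalIgnoreCase))
            {
                return candidate;
            }
        }
    }

    return null;
}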
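/// <summary>
/// Returns the first version subkey (name containing ".0", other than "8.0") found under
/// <c>Software\Microsoft\Office</c> in the supplied hive.
/// </summary>
/// <param name="bytes">Raw hive contents.</param>
/// <param name="path">Hive path, passed to <c>NamedKey.Get</c>.</param>
/// <returns>The first qualifying version key.</returns>
/// <exception cref="Exception">
/// The Office key cannot be opened, or no qualifying version subkey exists.
/// </exception>
internal static NamedKey GetOfficeKey(byte[] bytes, string path)
{
    NamedKey officeKey;

    try
    {
        officeKey = NamedKey.Get(bytes, path, @"Software\Microsoft\Office");
    }
    catch (Exception ex)
    {
        // Same message as before, but the original failure is kept as InnerException so
        // an unreadable or damaged hive is distinguishable from a missing Office key.
        throw new Exception("Microsoft Office is not installed on this system", ex);
    }

    // GetSubKeys returns null when the key has no subkeys; fall through to the
    // "could not locate" error rather than a NullReferenceException.
    NamedKey[] candidates = officeKey.GetSubKeys(bytes);
    if (candidates != null)
    {
        foreach (NamedKey nk in candidates)
        {
            // The "8.0" subkey is excluded explicitly by the original logic.
            if (nk.Name.Contains(".0") && nk.Name != "8.0")
            {
                return nk;
            }
        }
    }

    throw new Exception("Could not locate the Microsoft Office registry key");
}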
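/// <summary>
/// Returns the Office version string taken from the first version subkey (name containing
/// ".0", other than "8.0") under <c>Software\Microsoft\Office</c>.
/// </summary>
/// <param name="bytes">Raw hive contents.</param>
/// <param name="hivePath">Hive path, passed to <c>NamedKey.Get</c>.</param>
/// <returns>The fifth backslash-separated component of the matching key's FullName.</returns>
/// <exception cref="Exception">
/// The Office key cannot be opened, or no qualifying version subkey exists.
/// </exception>
internal static string GetOfficeVersion(byte[] bytes, string hivePath)
{
    NamedKey officeKey;

    try
    {
        officeKey = NamedKey.Get(bytes, hivePath, @"Software\Microsoft\Office");
    }
    catch (Exception ex)
    {
        // Keep the underlying cause so a parsing or I/O failure is not reported only as
        // "Office is not installed".
        throw new Exception("Microsoft Office is not installed on this system", ex);
    }

    // GetSubKeys returns null when the key has no subkeys.
    NamedKey[] candidates = officeKey.GetSubKeys(bytes);
    if (candidates != null)
    {
        foreach (NamedKey nk in candidates)
        {
            if (nk.Name.Contains(".0") && nk.Name != "8.0")
            {
                // NOTE(review): index 4 assumes FullName has the form
                // <root>\Software\Microsoft\Office\<version>; a shorter FullName raises
                // IndexOutOfRangeException. Confirm against how FullName is built.
                return nk.FullName.Split('\\')[4];
            }
        }
    }

    throw new Exception("Could not locate the Microsoft Office registry key");
}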
/// <summary>
/// Fills the version properties from the values of the supplied registry key.
/// </summary>
/// <param name="bytes">Raw hive contents handed to the value accessors.</param>
/// <param name="nk">Key whose values are enumerated.</param>
/// <remarks>
/// Value data is cast to the expected CLR type without checking the stored registry type,
/// so a value of another type raises InvalidCastException. Malformed data can also make
/// <c>BitConverter</c>, <c>new Version(...)</c> or <c>DateTime.FromFileTimeUtc</c> throw.
/// Unrecognised value names are ignored.
/// </remarks>
private WindowsVersion(byte[] bytes, NamedKey nk)
{
    foreach (ValueKey entry in nk.GetValues(bytes))
    {
        switch (entry.Name)
        {
            case "ProductName":
            {
                ProductName = (string)entry.GetData(bytes);
                break;
            }
            case "CurrentMajorVersionNumber":
            {
                byte[] raw = (byte[])entry.GetData(bytes);
                CurrentMajorVersion = BitConverter.ToUInt32(raw, 0x00);
                break;
            }
            case "CurrentMinorVersionNumber":
            {
                byte[] raw = (byte[])entry.GetData(bytes);
                CurrentMinorVersion = BitConverter.ToUInt32(raw, 0x00);
                break;
            }
            case "CurrentVersion":
            {
                string text = (string)entry.GetData(bytes);
                CurrentVersion = new Version(text);
                break;
            }
            case "InstallTime":
            {
                // Stored as a 64-bit FILETIME; converted to a UTC DateTime.
                byte[] raw = (byte[])entry.GetData(bytes);
                long fileTime = BitConverter.ToInt64(raw, 0x00);
                InstallTime = DateTime.FromFileTimeUtc(fileTime);
                break;
            }
            case "RegisteredOwner":
            {
                RegisteredOwner = (string)entry.GetData(bytes);
                break;
            }
            case "SystemRoot":
            {
                SystemRoot = (string)entry.GetData(bytes);
                break;
            }
            default:
            {
                break;
            }
        }
    }
}
/// <summary>
/// Populates a NetworkList entry from the values stored under a single registry key.
/// </summary>
/// <param name="nk">Key whose values are read; its WriteTime is copied to <c>WriteTimeUtc</c>.</param>
/// <param name="bytes">Raw hive contents handed to the key and value accessors.</param>
/// <remarks>
/// Value data is cast to the expected CLR type without checking the stored registry type;
/// a mismatch raises InvalidCastException. Value names not tested below are skipped
/// without reading their data.
/// </remarks>
private NetworkList(NamedKey nk, byte[] bytes)
{
    WriteTimeUtc = nk.WriteTime;

    foreach (ValueKey value in nk.GetValues(bytes))
    {
        string valueName = value.Name;

        if (valueName == "ProfileGuid")
        {
            ProfileGuid = (string)value.GetData(bytes);
        }
        else if (valueName == "Description")
        {
            Description = (string)value.GetData(bytes);
        }
        else if (valueName == "Source")
        {
            byte[] raw = (byte[])value.GetData(bytes);
            Source = BitConverter.ToUInt32(raw, 0x00);
        }
        else if (valueName == "DnsSuffix")
        {
            DnsSuffix = (string)value.GetData(bytes);
        }
        else if (valueName == "FirstNetwork")
        {
            FirstNetwork = (string)value.GetData(bytes);
        }
        else if (valueName == "DefaultGatewayMac")
        {
            // Kept as the raw bytes stored in the hive.
            DefaultGatewayMac = (byte[])value.GetData(bytes);
        }
    }
}
/// <summary>
/// Returns every key below the root of the hive at <paramref name="path"/>, descending
/// into subkeys.
/// </summary>
/// <param name="path">Path of the hive file to read.</param>
/// <returns>The keys collected by the recursive <c>GetInstances</c> overload.</returns>
public static NamedKey[] GetInstancesRecurse(string path)
{
    // The hive bytes are loaded first, then the root key is resolved from the same path.
    byte[] hiveBytes = RegistryHelper.GetHiveBytes(path);
    return GetInstances(hiveBytes, RegistryHelper.GetRootKey(path), true);
}
/// <summary>
/// Stub constructor: enumerates the key's values but does not yet store any of them.
/// </summary>
/// <param name="bytes">Raw hive contents handed to <c>GetValues</c>.</param>
/// <param name="nk">Key whose values are enumerated.</param>
private UserDetail(byte[] bytes, NamedKey nk)
{
    foreach (ValueKey unused in nk.GetValues(bytes))
    {
        // No value is consumed yet.
    }
}
/// <summary>
/// Lists the subkeys of <paramref name="key"/> in the hive at <paramref name="path"/>,
/// or the root's subkeys when <paramref name="key"/> is null.
/// </summary>
/// <param name="path">Path of the hive file to read.</param>
/// <param name="key">Backslash-separated key path; trailing backslashes are removed. May be null.</param>
/// <returns>The result of the matching internal <c>NamedKey.GetInstances</c> overload.</returns>
public static NamedKey[] GetInstances(string path, string key)
{
    byte[] hiveBytes = RegistryHelper.GetHiveBytes(path);

    if (key != null)
    {
        return NamedKey.GetInstances(hiveBytes, path, key.TrimEnd('\\'));
    }

    return NamedKey.GetInstances(hiveBytes, path);
}
/// <summary>
/// Stub constructor: enumerates the key's values and switches on each name, but no case
/// is implemented yet, so nothing is stored.
/// </summary>
/// <param name="bytes">Raw hive contents handed to <c>GetValues</c>.</param>
/// <param name="nk">Key whose values are enumerated.</param>
internal UserDetail(byte[] bytes, NamedKey nk)
{
    foreach (ValueKey entry in nk.GetValues(bytes))
    {
        // Placeholder dispatch on the value name; cases are still to be added.
        switch (entry.Name)
        {
        }
    }
}
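/// <summary>
/// Populates an Amcache entry from the values stored under one file key.
/// </summary>
/// <param name="nk">Key whose values are enumerated.</param>
/// <param name="bytes">Raw hive contents handed to the value accessors.</param>
/// <remarks>
/// Values are identified by short hexadecimal-looking names ("0", "1", "6", "c", ...);
/// names not handled below are ignored. Data is cast to the expected CLR type without
/// checking the stored registry type, and numeric conversions throw when the data is
/// shorter than expected. Deriving SequenceNumber/RecordNumber from the key name (parsed
/// as a hexadecimal file reference) was commented out in the original and remains disabled.
/// </remarks>
internal Amcache(NamedKey nk, byte[] bytes)
{
    // NOTE(review): assumes the stored hash is a SHA-1 digest (40 hex characters) with
    // zero padding in front - confirm against the Amcache format reference.
    const int digestHexLength = 40;

    foreach (ValueKey vk in nk.GetValues(bytes))
    {
        switch (vk.Name)
        {
            case "0":
                ProductName = (string)vk.GetData(bytes);
                break;
            case "1":
                CompanyName = (string)vk.GetData(bytes);
                break;
            case "6":
                FileSize = BitConverter.ToUInt32((byte[])vk.GetData(bytes), 0x00);
                break;
            case "c":
                Description = (string)vk.GetData(bytes);
                break;
            case "f":
                // 32-bit Unix timestamp (seconds since 1970-01-01).
                CompileTime = Util.FromUnixTime(BitConverter.ToUInt32((byte[])vk.GetData(bytes), 0x00));
                break;
            case "11":
                ModifiedTimeUtc = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
                break;
            case "12":
                BornTimeUtc = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
                break;
            case "15":
                Path = (string)vk.GetData(bytes);
                break;
            case "17":
                ModifiedTime2Utc = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
                break;
            case "101":
                string hash = (string)vk.GetData(bytes);

                // TrimStart('0') removed the padding but also any zeros that are part of
                // the digest itself, yielding a shortened hash that no longer matches
                // hash-based lookups. Strip leading zeros only while more than a full
                // digest remains.
                int padding = 0;
                while (hash.Length - padding > digestHexLength && hash[padding] == '0')
                {
                    padding++;
                }

                Hash = hash.Substring(padding);
                break;
            default:
                break;
        }
    }
}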
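/// <summary>
/// Collects the subkeys of <paramref name="nk"/>, optionally descending into every level
/// below it.
/// </summary>
/// <param name="bytes">Raw hive contents.</param>
/// <param name="nk">Key whose subkeys are collected.</param>
/// <param name="recurse">True to include all descendants; false for direct subkeys only.</param>
/// <returns>Keys in depth-first order, each parent immediately followed by its descendants.</returns>
private static NamedKey[] GetInstances(byte[] bytes, NamedKey nk, bool recurse)
{
    List<NamedKey> keyList = new List<NamedKey>();

    // GetSubKeys returns null for a key without subkeys; report an empty result
    // instead of failing with a NullReferenceException.
    NamedKey[] subKeys = nk.GetSubKeys(bytes);
    if (subKeys == null)
    {
        return keyList.ToArray();
    }

    foreach (NamedKey subkey in subKeys)
    {
        keyList.Add(subkey);

        // The flag was previously ignored and the method always recursed.
        // NOTE(review): depth is bounded only by the hive's own structure; a damaged or
        // crafted hive whose subkey list points back at an ancestor would recurse until
        // the stack is exhausted. Consider a depth limit or a visited-offset set.
        if (recurse && subkey.NumberOfSubKeys > 0)
        {
            keyList.AddRange(GetInstances(bytes, subkey, recurse));
        }
    }

    return keyList.ToArray();
}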
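/// <summary>
/// Populates an Amcache entry from the values stored under one file key.
/// </summary>
/// <param name="nk">Key whose values are enumerated.</param>
/// <param name="bytes">Raw hive contents handed to the value accessors.</param>
/// <remarks>
/// Values are identified by short hexadecimal-looking names ("0", "1", "6", "c", ...);
/// names not handled below are ignored. Strings are decoded as UTF-16LE exactly as stored.
/// Numeric conversions throw when the data is shorter than the type being read.
/// </remarks>
internal Amcache(NamedKey nk, byte[] bytes)
{
    // NOTE(review): assumes the stored hash is a SHA-1 digest (40 hex characters) with
    // zero padding in front - confirm against the Amcache format reference.
    const int digestHexLength = 40;

    foreach (ValueKey vk in nk.GetValues(bytes))
    {
        switch (vk.Name)
        {
            case "0":
                ProductName = Encoding.Unicode.GetString(vk.GetData(bytes));
                break;
            case "1":
                CompanyName = Encoding.Unicode.GetString(vk.GetData(bytes));
                break;
            case "6":
                FileSize = BitConverter.ToUInt32(vk.GetData(bytes), 0x00);
                break;
            case "c":
                Description = Encoding.Unicode.GetString(vk.GetData(bytes));
                break;
            case "f":
                // Seconds since 1970-01-01, read as unsigned: a signed read turns any
                // timestamp with the top bit set into a date before 1970.
                // The resulting DateTime keeps DateTimeKind.Unspecified, as before.
                CompileTime = new DateTime(1970, 1, 1).AddSeconds(BitConverter.ToUInt32(vk.GetData(bytes), 0x00));
                break;
            case "11":
                ModifiedTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(vk.GetData(bytes), 0x00));
                break;
            case "12":
                BornTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(vk.GetData(bytes), 0x00));
                break;
            case "15":
                Path = Encoding.Unicode.GetString(vk.GetData(bytes));
                break;
            case "17":
                ModifiedTime2 = DateTime.FromFileTimeUtc(BitConverter.ToInt64(vk.GetData(bytes), 0x00));
                break;
            case "101":
                string hash = Encoding.Unicode.GetString(vk.GetData(bytes));

                // TrimStart('0') removed the padding but also any zeros that are part of
                // the digest itself, yielding a shortened hash that no longer matches
                // hash-based lookups. Strip leading zeros only while more than a full
                // digest remains.
                int padding = 0;
                while (hash.Length - padding > digestHexLength && hash[padding] == '0')
                {
                    padding++;
                }

                Hash = hash.Substring(padding);
                break;
            default:
                break;
        }
    }
}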
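/// <summary>
/// Returns all values of <paramref name="key"/> in an already-loaded hive.
/// </summary>
/// <param name="bytes">Raw hive contents.</param>
/// <param name="path">Hive path, passed to <c>RegistryHelper.GetRootKey</c> and used in error messages.</param>
/// <param name="key">Backslash-separated key path, or null for the root key's values.</param>
/// <returns>Whatever <c>GetValues</c> returns for the resolved key.</returns>
/// <exception cref="Exception">A component of <paramref name="key"/> cannot be found.</exception>
internal static ValueKey[] GetInstances(byte[] bytes, string path, string key)
{
    NamedKey current = RegistryHelper.GetRootKey(bytes, path);

    if (key != null)
    {
        foreach (string component in key.Split('\\'))
        {
            // Empty components (trailing or doubled backslash) never matched a subkey
            // and were effectively ignored; keep tolerating them.
            if (component.Length == 0)
            {
                continue;
            }

            NamedKey match = null;

            // GetSubKeys returns null for a key without subkeys.
            NamedKey[] children = current.GetSubKeys(bytes);
            if (children != null)
            {
                foreach (NamedKey child in children)
                {
                    // Ordinal comparison keeps the lookup independent of the current culture.
                    if (string.Equals(child.Name, component, StringComparison.OrdinalIgnoreCase))
                    {
                        match = child;
                    }
                }
            }

            if (match == null)
            {
                // Previously a missing component was skipped and the walk continued from
                // the parent, so values of a different key could be returned as if they
                // belonged to the requested one. Fail with the message the sibling
                // lookups already use.
                throw new Exception(string.Format("Cannot find key '{0}' in the '{1}' hive because it does not exist.", key, path));
            }

            current = match;
        }
    }

    return current.GetValues(bytes);
}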
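/// <summary>
/// Reads the hive at <paramref name="path"/> and returns the value named
/// <paramref name="val"/> under <paramref name="key"/>.
/// </summary>
/// <param name="path">Path of the hive file to read.</param>
/// <param name="key">Backslash-separated key path, or null to search the root key's values.</param>
/// <param name="val">Value name, compared case-insensitively.</param>
/// <returns>The matching value.</returns>
/// <exception cref="Exception">The key or the value does not exist in the hive.</exception>
public static ValueKey Get(string path, string key, string val)
{
    byte[] bytes = RegistryHelper.GetHiveBytes(path);
    NamedKey current = RegistryHelper.GetRootKey(bytes, path);

    if (key != null)
    {
        bool descended = false;

        foreach (string component in key.Split('\\'))
        {
            // Empty components (trailing or doubled backslash) never matched a subkey
            // and were effectively ignored; keep tolerating them.
            if (component.Length == 0)
            {
                continue;
            }

            NamedKey match = null;

            // GetSubKeys returns null for a key without subkeys.
            NamedKey[] children = current.GetSubKeys(bytes);
            if (children != null)
            {
                foreach (NamedKey child in children)
                {
                    // Ordinal comparison keeps the lookup independent of the current culture.
                    if (string.Equals(child.Name, component, StringComparison.OrdinalIgnoreCase))
                    {
                        match = child;
                    }
                }
            }

            if (match == null)
            {
                // The old check only noticed a walk that never left the root. A component
                // missing further down was skipped, so a value from a different key could
                // be returned under the requested key's name.
                throw new Exception(string.Format("Cannot find key '{0}' in the '{1}' hive because it does not exist.", key, path));
            }

            current = match;
            descended = true;
        }

        if (!descended)
        {
            // A non-null key that resolves to the root itself was an error before; keep that.
            throw new Exception(string.Format("Cannot find key '{0}' in the '{1}' hive because it does not exist.", key, path));
        }
    }

    ValueKey[] values = current.GetValues(bytes);
    if (values != null)
    {
        foreach (ValueKey candidate in values)
        {
            if (string.Equals(candidate.Name, val, StringComparison.OrdinalIgnoreCase))
            {
                return candidate;
            }
        }
    }

    throw new Exception(string.Format("Cannot find value '{0}' as a value of '{1}' in the '{2}' hive because it does not exist.", val, key, path));
}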
/// <summary>
/// Materialises this key's direct subkeys from the raw hive bytes.
/// </summary>
/// <param name="bytes">Raw hive contents that the stored offsets index into.</param>
/// <returns>One NamedKey per subkey-list entry, or null when NumberOfSubKeys is not positive.</returns>
/// <remarks>
/// Every offset and size used here is read from the hive itself and is not range-checked
/// in this method. NOTE(review): for untrusted or damaged hives, confirm that
/// <c>Util.GetSubArray</c> and <c>List.Factory</c> reject out-of-range values; also note
/// that <c>Math.Abs</c> throws OverflowException for a stored size of int.MinValue.
/// </remarks>
internal NamedKey[] GetSubKeys(byte[] bytes)
{
    if (!(NumberOfSubKeys > 0))
    {
        return null;
    }

    // The list cell starts with a 32-bit size; its magnitude gives the cell length.
    uint listLength = (uint)Math.Abs(BitConverter.ToInt32(bytes, this.SubKeysListOffset));
    byte[] subKeyListBytes = Util.GetSubArray(bytes, (uint)SubKeysListOffset, listLength);

    // Two ASCII characters after the size field select the list parser.
    string type = Encoding.ASCII.GetString(subKeyListBytes, 0x04, 0x02);
    List list = List.Factory(bytes, subKeyListBytes, type);

    int count = list.Count;
    NamedKey[] result = new NamedKey[count];

    for (int index = 0; index < count; index++)
    {
        // Each entry points at a key cell whose first 32 bits hold its size.
        int cellSize = Math.Abs(BitConverter.ToInt32(bytes, (int)list.Offset[index]));
        byte[] cell = Util.GetSubArray(bytes, list.Offset[index], (uint)cellSize);
        result[index] = new NamedKey(cell, HivePath, this.FullName);
    }

    return result;
}
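/// <summary>
/// Reads the hive at <paramref name="path"/> and returns the subkeys of
/// <paramref name="key"/>.
/// </summary>
/// <param name="path">Path of the hive file to read.</param>
/// <param name="key">Backslash-separated key path, or null to list the root's subkeys.</param>
/// <returns>Whatever <c>GetSubKeys</c> returns for the resolved key (may be null for a key without subkeys).</returns>
/// <exception cref="Exception">A component of <paramref name="key"/> cannot be found.</exception>
public static NamedKey[] GetInstances(string path, string key)
{
    byte[] bytes = Helper.GetHiveBytes(path);
    NamedKey current = Helper.GetRootKey(bytes, path);

    if (key != null)
    {
        foreach (string component in key.Split('\\'))
        {
            // Empty components (trailing or doubled backslash) never matched a subkey
            // and were effectively ignored; keep tolerating them.
            if (component.Length == 0)
            {
                continue;
            }

            NamedKey match = null;

            // GetSubKeys returns null for a key without subkeys.
            NamedKey[] children = current.GetSubKeys(bytes);
            if (children != null)
            {
                foreach (NamedKey child in children)
                {
                    // Ordinal comparison keeps the lookup independent of the current culture.
                    if (string.Equals(child.Name, component, StringComparison.OrdinalIgnoreCase))
                    {
                        match = child;
                    }
                }
            }

            if (match == null)
            {
                // Previously a missing component was skipped and the walk continued from
                // the parent, so the subkeys of a different key could be returned as if
                // they belonged to the requested one.
                throw new Exception(string.Format("Cannot find key '{0}' in the '{1}' hive because it does not exist.", key, path));
            }

            current = match;
        }
    }

    return current.GetSubKeys(bytes);
}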
/// <summary>
/// Placeholder constructor; no property is populated yet.
/// </summary>
/// <param name="nk">Key intended as the data source; currently unused.</param>
internal WindowsVersion(NamedKey nk)
{
    // Intentionally empty: assignments for ProductName and CurrentVersion are still to be written.
}
/// <summary>
/// Converts a registry key into a timeline entry based on the key's WriteTime.
/// </summary>
/// <param name="input">Key to convert.</param>
/// <returns>
/// An entry built from the key's WriteTime, the literals "MACB" and "REGISTRY", an empty
/// string, the key's FullName and its ToString() text.
/// </returns>
/// <remarks>
/// NOTE(review): only one timestamp (WriteTime) is available on the key here, yet the
/// entry is labelled "MACB"; confirm that consumers of the timeline expect this.
/// </remarks>
public static ForensicTimeline Get(NamedKey input)
{
    ForensicTimeline entry = new ForensicTimeline(
        input.WriteTime,
        "MACB",
        "REGISTRY",
        "",
        input.FullName,
        input.ToString());

    return entry;
}
/// <summary>
/// Converts each registry key into a timeline entry, preserving the input order.
/// </summary>
/// <param name="input">Keys to convert.</param>
/// <returns>One entry per key, produced by <c>Get</c>.</returns>
public static ForensicTimeline[] GetInstances(NamedKey[] input)
{
    ForensicTimeline[] entries = new ForensicTimeline[input.Length];

    for (int index = 0; index < input.Length; index++)
    {
        entries[index] = Get(input[index]);
    }

    return entries;
}
/// <summary>
/// Reads the hive at <paramref name="path"/> and lists the subkeys of <paramref name="key"/>.
/// </summary>
/// <param name="path">Path of the hive file to read.</param>
/// <param name="key">Key path, forwarded unchanged to the internal overload.</param>
/// <returns>The result of the internal <c>NamedKey.GetInstances</c> overload.</returns>
public static NamedKey[] GetInstances(string path, string key)
{
    byte[] hiveBytes = Helper.GetHiveBytes(path);
    NamedKey[] subKeys = NamedKey.GetInstances(hiveBytes, path, key);
    return subKeys;
}
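/// <summary>
/// Collects the subkeys of <paramref name="nk"/>, optionally descending into every level
/// below it.
/// </summary>
/// <param name="bytes">Raw hive contents.</param>
/// <param name="nk">Key whose subkeys are collected; its FullName is passed to <c>GetSubKeys</c>.</param>
/// <param name="recurse">True to include all descendants; false for direct subkeys only.</param>
/// <returns>Keys in depth-first order, each parent immediately followed by its descendants.</returns>
private static NamedKey[] GetInstances(byte[] bytes, NamedKey nk, bool recurse)
{
    List<NamedKey> keyList = new List<NamedKey>();

    // Guard against a null result for a key without subkeys (the one-argument
    // GetSubKeys returns null in that case) instead of failing in the foreach.
    NamedKey[] subKeys = nk.GetSubKeys(bytes, nk.FullName);
    if (subKeys == null)
    {
        return keyList.ToArray();
    }

    foreach (NamedKey subkey in subKeys)
    {
        keyList.Add(subkey);

        // The flag was previously ignored and the method always recursed.
        // NOTE(review): depth is bounded only by the hive's own structure; a damaged or
        // crafted hive whose subkey list points back at an ancestor would recurse until
        // the stack is exhausted. Consider a depth limit or a visited-offset set.
        if (recurse && subkey.NumberOfSubKeys > 0)
        {
            keyList.AddRange(GetInstances(bytes, subkey, recurse));
        }
    }

    return keyList.ToArray();
}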
/// <summary>
/// Reads the hive at <paramref name="path"/> and returns the key at <paramref name="key"/>.
/// </summary>
/// <param name="path">Path of the hive file to read.</param>
/// <param name="key">
/// Backslash-separated key path; trailing backslashes are removed. Must not be null,
/// because <c>TrimEnd</c> is called on it directly.
/// </param>
/// <returns>The result of the internal <c>NamedKey.Get</c> overload.</returns>
public static NamedKey Get(string path, string key)
{
    byte[] hiveBytes = RegistryHelper.GetHiveBytes(path);
    string normalizedKey = key.TrimEnd('\\');
    return NamedKey.Get(hiveBytes, path, normalizedKey);
}
/// <summary>
/// Materialises this key's direct subkeys from the raw hive bytes.
/// </summary>
/// <param name="bytes">Raw hive contents that the stored offsets index into.</param>
/// <returns>One NamedKey per subkey-list entry, or null when NumberOfSubKeys is not positive.</returns>
/// <remarks>
/// Every offset and size used here is read from the hive itself and is not range-checked
/// in this method. NOTE(review): for untrusted or damaged hives, confirm that
/// <c>NativeMethods.GetSubArray</c> and <c>List.Factory</c> reject out-of-range values;
/// also note that <c>Math.Abs</c> throws OverflowException for a stored size of int.MinValue.
/// </remarks>
internal NamedKey[] GetSubKeys(byte[] bytes)
{
    if (!(this.NumberOfSubKeys > 0))
    {
        return null;
    }

    // The list cell starts with a 32-bit size; its magnitude gives the cell length.
    uint listLength = (uint)Math.Abs(BitConverter.ToInt32(bytes, this.SubKeysListOffset));
    byte[] subKeyListBytes = NativeMethods.GetSubArray(bytes, (uint)this.SubKeysListOffset, listLength);

    // Two ASCII characters after the size field select the list parser.
    string type = Encoding.ASCII.GetString(subKeyListBytes, 0x04, 0x02);
    List list = List.Factory(bytes, subKeyListBytes, type);

    int count = list.Count;
    NamedKey[] result = new NamedKey[count];

    for (int index = 0; index < count; index++)
    {
        // Each entry points at a key cell whose first 32 bits hold its size.
        int cellSize = Math.Abs(BitConverter.ToInt32(bytes, (int)list.Offset[index]));
        byte[] cell = NativeMethods.GetSubArray(bytes, (uint)list.Offset[index], (uint)cellSize);
        result[index] = new NamedKey(cell, this.HivePath);
    }

    return result;
}
/// <summary>
/// Lists the direct subkeys of the hive's root key.
/// </summary>
/// <param name="bytes">Raw hive contents, used to resolve the root key.</param>
/// <param name="path">Hive path, passed to <c>RegistryHelper.GetRootKey</c>.</param>
/// <returns>The result of the root key's parameterless <c>GetSubKeys</c>.</returns>
internal static NamedKey[] GetInstances(byte[] bytes, string path)
{
    NamedKey[] rootSubKeys = RegistryHelper.GetRootKey(bytes, path).GetSubKeys();
    return rootSubKeys;
}