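/// <summary>
/// Parses the entry table of a Shimcache value in the layout handled by this method:
/// a 32-bit entry count at 0x04 and fixed-size entries starting at 0x80.
/// </summary>
/// <param name="bytes">
/// Raw value data. It originates from a registry hive file, so every length, count and
/// offset inside it must be treated as untrusted.
/// </param>
/// <param name="arch">"x86" selects 0x20-byte entries; any other value selects 0x30-byte entries.</param>
/// <returns>One Shimcache object per entry, in table order.</returns>
/// <exception cref="ArgumentNullException">bytes is null.</exception>
/// <exception cref="ArgumentException">
/// The declared entry count is negative or larger than the data could hold, or an entry
/// points outside the buffer (the latter is raised by BitConverter / Encoding).
/// </exception>
private static Shimcache[] GetBADC0FEE(byte[] bytes, string arch)
{
    if (bytes == null)
    {
        throw new ArgumentNullException("bytes");
    }

    const int firstEntry = 0x80;

    // The two layouts differ only in entry size and in where the path offset and
    // the timestamp sit inside an entry.
    int entrySize;
    int pathOffsetField;
    int modifiedField;
    if (arch == "x86")
    {
        entrySize = 0x20;
        pathOffsetField = 0x04;
        modifiedField = 0x08;
    }
    else
    {
        entrySize = 0x30;
        pathOffsetField = 0x08;
        modifiedField = 0x10;
    }

    int count = BitConverter.ToInt32(bytes, 0x04);

    // count comes straight from the hive. Reject a negative value, and reject any value
    // whose last entry would not even start inside the buffer, BEFORE allocating the
    // result array: otherwise a corrupted or tampered value can request a multi-gigabyte
    // allocation that is only discovered to be bogus on the first out-of-range read.
    if (count < 0 || (count > 0 && (long)(count - 1) * entrySize >= (long)bytes.Length - firstEntry))
    {
        throw new ArgumentException("Shimcache entry count does not fit the supplied data.", "bytes");
    }

    Shimcache[] shimcacheArray = new Shimcache[count];
    int offset = firstEntry;

    for (int i = 0; i < count; i++)
    {
        // Path position and byte length are both taken from the entry itself.
        // Encoding.GetString range-checks them against bytes and throws if they point
        // outside the buffer, so a bad entry cannot cause an out-of-bounds read.
        int pathOffset = BitConverter.ToInt32(bytes, offset + pathOffsetField);

        // NOTE(review): the length is read as a signed 16-bit value, so anything >= 0x8000
        // becomes negative and is rejected by GetString - confirm whether the on-disk
        // field is unsigned.
        int pathLength = BitConverter.ToInt16(bytes, offset);
        string path = Encoding.Unicode.GetString(bytes, pathOffset, pathLength);

        // FromFileTimeUtc throws ArgumentOutOfRangeException for a FILETIME it cannot
        // represent; one damaged timestamp therefore aborts the whole parse.
        DateTime lastModifiedTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(bytes, offset + modifiedField));

        // Size and last-update time are not read for this layout; 0 and DateTime(0)
        // are passed as placeholders.
        shimcacheArray[i] = new Shimcache(path, lastModifiedTime, 0, new DateTime(0));

        offset += entrySize;
    }

    return shimcacheArray;
}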
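/// <summary>
/// Parses the entry table of a Shimcache value in the layout handled by this method:
/// a 32-bit entry count at 0x04 and 0x228-byte entries starting at 0x190. Each entry
/// holds a 0x210-byte UTF-16 path field followed by a last-modified FILETIME, a 64-bit
/// size and a second FILETIME.
/// </summary>
/// <param name="bytes">
/// Raw value data. It originates from a registry hive file, so the entry count inside it
/// must be treated as untrusted.
/// </param>
/// <returns>One Shimcache object per entry, in table order.</returns>
/// <exception cref="ArgumentNullException">bytes is null.</exception>
/// <exception cref="ArgumentException">
/// The declared entry count is negative or the entries it implies do not fit in bytes.
/// </exception>
private static Shimcache[] GetDEADBEEF(byte[] bytes)
{
    if (bytes == null)
    {
        throw new ArgumentNullException("bytes");
    }

    const int firstEntry = 0x190;
    const int entrySize = 0x228;
    const int pathFieldSize = 0x210;

    int count = BitConverter.ToInt32(bytes, 0x04);

    // count comes straight from the hive. Every entry is read to its last byte, so all
    // count entries must fit after the header. Checking this before the allocation keeps
    // a corrupted or tampered count from requesting an enormous array.
    if (count < 0 || (count > 0 && (long)count * entrySize > (long)bytes.Length - firstEntry))
    {
        throw new ArgumentException("Shimcache entry count does not fit the supplied data.", "bytes");
    }

    Shimcache[] shimcacheArray = new Shimcache[count];
    int offset = firstEntry;

    for (int i = 0; i < count; i++)
    {
        // The path field is fixed-size; keep only the text before the first NUL.
        string path = Encoding.Unicode.GetString(bytes, offset, pathFieldSize).Split('\0')[0];

        // FromFileTimeUtc throws ArgumentOutOfRangeException for a FILETIME it cannot
        // represent; one damaged timestamp therefore aborts the whole parse.
        DateTime lastModifiedTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(bytes, offset + 0x210));
        ulong size = BitConverter.ToUInt64(bytes, offset + 0x218);
        DateTime lastUpTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(bytes, offset + 0x220));

        shimcacheArray[i] = new Shimcache(path, lastModifiedTime, size, lastUpTime);

        offset += entrySize;
    }

    return shimcacheArray;
}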
/// <summary>
/// Returns the Shimcache entries parsed from the SYSTEM registry hive file of the given volume.
/// </summary>
/// <param name="volume">
/// Volume to examine. It is handed by reference to Helper.getVolumeName first, which may
/// rewrite it before the volume letter is derived.
/// </param>
/// <returns>Whatever GetInstancesByPath produces for the resolved hive path.</returns>
public static Shimcache[] GetInstances(string volume)
{
    Helper.getVolumeName(ref volume);

    // The hive location is fixed to \Windows\system32\config on the volume; an
    // installation that uses a different system root is not covered by this overload.
    string systemHivePath = Helper.GetVolumeLetter(volume) + @"\Windows\system32\config\SYSTEM";

    return Shimcache.GetInstancesByPath(systemHivePath);
}