Parse unicode characters in shellbags

Parse Unicode characters in shellbags
2025-07-06 21:00:22 +00:00 · 2021-08-27 02:12:17 -04:00 · 2021-08-27 02:12:17 -04:00 · db1f0e020d
commit db1f0e020d
parent 7605aa897c
5 changed files with 63 additions and 18 deletions
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ShellBagParser.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ShellBagParser.java
@ -22,10 +22,12 @@
 package org.sleuthkit.autopsy.recentactivity;

 import java.io.BufferedReader;
-import java.io.FileReader;
 import java.io.File;
+import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
@ -63,7 +65,7 @@ class ShellBagParser {

        ShellBagParser sbparser = new ShellBagParser();

-        try (BufferedReader reader = new BufferedReader(new FileReader(regfile))) {
+        try (BufferedReader reader = new BufferedReader(new InputStreamReader(new FileInputStream(regfile), StandardCharsets.UTF_8))) {
            String line = reader.readLine();
            while (line != null) {
                line = line.trim();
--- a/thirdparty/rr-full/plugins/shellbags.pl
+++ b/thirdparty/rr-full/plugins/shellbags.pl
@ -42,6 +42,7 @@
 package shellbags;
 use strict;
 use Time::Local;
+use Encode::Unicode;

 my %config = (hive          => "USRCLASS\.DAT",
 							hivemask      => 32,
@ -858,13 +859,12 @@ sub parseFolderEntry {
 	
 		my $str = substr($data,$ofs,length($data) - 30);
 		my $longname = (split(/\00\00/,$str,2))[0];
-		$longname =~ s/\00//g;
 	
 		if ($longname ne "") {
-			$item{name} = $longname;
+			$item{name} = _uniToAscii($longname);
 		}
 		else {
-			$item{name} = $shortname;
+			$item{name} = _uniToAscii($shortname);
 		}
 	}
 	return %item;
@ -957,7 +957,7 @@ sub parseFolderEntry2 {
 	
 	$item{name} = (split(/\00\00/,$str,2))[0];
 	$item{name} =~ s/\13\20/\2D\00/;
-	$item{name} =~ s/\00//g;
+	$item{name} = _uniToAscii($item{name});
 	
 	return %item;
 }
@ -1119,4 +1119,14 @@ sub getNum48 {
 	}
 }

+#---------------------------------------------------------------------
+# _uniToAscii()
+#---------------------------------------------------------------------
+sub _uniToAscii {
+  my $str = $_[0];
+  Encode::from_to($str,'UTF-16LE','utf8');
+  $str = Encode::decode_utf8($str);
+  return $str;
+}
+
 1;
--- a/thirdparty/rr-full/plugins/shellbags_test.pl
+++ b/thirdparty/rr-full/plugins/shellbags_test.pl
@ -8,6 +8,7 @@
 #-----------------------------------------------------------
 package shellbags_test;
 use strict;
+use Encode::Unicode;

 require 'shellitems.pl';

@ -411,12 +412,22 @@ sub parseFolderItem {
 	$longname =~ s/\x00//g;
 	
 	if ($longname ne "") {
-		$item{name} = $longname;
+		$item{name} = _uniToAscii($longname);
 	}
 	else {
-		$item{name} = $shortname;
+		$item{name} = _uniToAscii($shortname);
 	}
 	return %item;
 }

+#---------------------------------------------------------------------
+# _uniToAscii()
+#---------------------------------------------------------------------
+sub _uniToAscii {
+  my $str = $_[0];
+  Encode::from_to($str,'UTF-16LE','utf8');
+  $str = Encode::decode_utf8($str);
+  return $str;
+}
+
 1;
--- a/thirdparty/rr-full/plugins/shellbags_xp.pl
+++ b/thirdparty/rr-full/plugins/shellbags_xp.pl
@ -36,6 +36,7 @@
 package shellbags_xp;
 use strict;
 use Time::Local;
+use Encode::Unicode;

 my %config = (hive          => "NTUSER\.DAT",
 							hivemask      => 32,
@ -779,10 +780,10 @@ sub parseFolderEntry {
 	$longname =~ s/\x00//g;
 	
 	if ($longname ne "") {
-		$item{name} = $longname;
+		$item{name} = _uniToAscii($longname);
 	}
 	else {
-		$item{name} = $shortname;
+		$item{name} = _uniToAscii($shortname);
 	}
 	return %item;
 }
@ -871,7 +872,7 @@ sub parseFolderEntry2 {
 	
 	$item{name} = (split(/\x00\x00/,$str,2))[0];
 	$item{name} =~ s/\x13\x20/\x2D\x00/;
-	$item{name} =~ s/\x00//g;
+	$item{name} = _uniToAscii($item{name});
 	
 	return %item;
 }
@ -931,4 +932,14 @@ sub printData {
 	return @display;
 }

+#---------------------------------------------------------------------
+# _uniToAscii()
+#---------------------------------------------------------------------
+sub _uniToAscii {
+  my $str = $_[0];
+  Encode::from_to($str,'UTF-16LE','utf8');
+  $str = Encode::decode_utf8($str);
+  return $str;
+}
+
 1;
--- a/thirdparty/rr-full/shellitems.pl
+++ b/thirdparty/rr-full/shellitems.pl
@ -27,6 +27,7 @@
 # Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 use Time::Local;
+use Encode::Unicode;

 my %guids = ("{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}" => "Action Center",
    "{7a979262-40ce-46ff-aeee-7884ac3b6136}" => "Add Hardware",
@ -634,10 +635,10 @@ sub parseFolderEntry {
 	$longname =~ s/\x00//g;
 	
 	if ($longname ne "") {
-		$item{name} = $longname;
+		$item{name} = _uniToAscii($longname);
 	}
 	else {
-		$item{name} = $shortname;
+		$item{name} = _uniToAscii($shortname);
 	}
 	return %item;
 }
@ -716,7 +717,7 @@ sub parseFolderEntry2 {
 		
 	$item{name} = (split(/\x00\x00/,$str,2))[0];
 	$item{name} =~ s/\x13\x20/\x2D\x00/;
-	$item{name} =~ s/\x00//g;
+	$item{name} = _uniToAscii($item{name});
 	
 	return %item;
 }
@ -837,4 +838,14 @@ sub getNum48 {
 	}
 }

+#---------------------------------------------------------------------
+# _uniToAscii()
+#---------------------------------------------------------------------
+sub _uniToAscii {
+  my $str = $_[0];
+  Encode::from_to($str,'UTF-16LE','utf8');
+  $str = Encode::decode_utf8($str);
+  return $str;
+}
+
 1;