mirror of
https://github.com/overcuriousity/autopsy-flatpak.git
synced 2025-07-12 16:06:15 +00:00
a102b6ff90
Update the plugins with Wills PR change on the regripper repo that has not been merged as of yet. PR on Regripper repo is https://github.com/keydet89/RegRipper2.8/pull/31
136 lines
3.5 KiB
Perl
136 lines
3.5 KiB
Perl
#-----------------------------------------------------------
|
|
# arpcache.pl
|
|
# Retrieves CurrentVersion\App Management\ARPCache entries; subkeys appear
|
|
# to maintain information about paths to installed applications in the
|
|
# SlowInfoCache value(0x10 - FILETIME object, null term. string with path
|
|
# starts at 0x1c)
|
|
#
|
|
# Change history
|
|
# 20090413 - Created
|
|
#
|
|
# References
|
|
# No references, but the subkeys appear to hold information about
|
|
# installed applications; some SlowInfoCache values appear to contain
|
|
# timestamp data (FILETIME object) and/or path information. Posts on
|
|
# the Internet indicate the existence of Kazaa beneath the APRCache key,
|
|
# as well as possibly an "Outerinfo" subkey indicating that spyware is
|
|
# installed.
|
|
#
|
|
# copyright 2009 H. Carvey
|
|
#-----------------------------------------------------------
|
|
package arpcache;
|
|
use strict;
|
|
|
|
my %config = (hive => "NTUSER\.DAT",
|
|
hasShortDescr => 1,
|
|
hasDescr => 0,
|
|
hasRefs => 0,
|
|
osmask => 22,
|
|
version => 20090413);
|
|
|
|
sub getConfig{return %config}
|
|
sub getShortDescr {
|
|
return "Retrieves CurrentVersion\\App Management\\ARPCache entries";
|
|
}
|
|
sub getDescr{}
|
|
sub getRefs {}
|
|
sub getHive {return $config{hive};}
|
|
sub getVersion {return $config{version};}
|
|
|
|
my $VERSION = getVersion();
|
|
|
|
my %arpcache;
|
|
|
|
sub pluginmain {
|
|
my $class = shift;
|
|
my $ntuser = shift;
|
|
::logMsg("Launching arpcache v.".$VERSION);
|
|
::rptMsg("arpcache v.".$VERSION); # banner
|
|
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
|
|
my $reg = Parse::Win32Registry->new($ntuser);
|
|
my $root_key = $reg->get_root_key;
|
|
|
|
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache';
|
|
my $key;
|
|
if ($key = $root_key->get_subkey($key_path)) {
|
|
::rptMsg($key_path);
|
|
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
|
|
::rptMsg("");
|
|
my @subkeys = $key->get_list_of_subkeys();
|
|
if (scalar(@subkeys) > 0) {
|
|
foreach my $s (@subkeys) {
|
|
my $lw = $s->get_timestamp();
|
|
my $name = $s->get_name();
|
|
|
|
my $path;
|
|
eval {
|
|
my $i = $s->get_value("SlowInfoCache")->get_data();
|
|
$path = parsePath($i);
|
|
};
|
|
($@) ? ($name .= "|") : ($name .= "|".$path);
|
|
|
|
my $date;
|
|
eval {
|
|
my $i = $s->get_value("SlowInfoCache")->get_data();
|
|
$date = parseDate($i);
|
|
};
|
|
($@) ? ($name .= "|") : ($name .= "|".$date);
|
|
push(@{$arpcache{$lw}},$name);
|
|
}
|
|
|
|
|
|
foreach my $t (reverse sort {$a <=> $b} keys %arpcache) {
|
|
::rptMsg(gmtime($t)." (UTC)");
|
|
foreach my $item (@{$arpcache{$t}}) {
|
|
my ($name,$path,$date) = split(/\|/,$item,3);
|
|
::rptMsg(" ".$name);
|
|
my $str = $path unless ($path eq "");
|
|
$str .= " [".gmtime($date)."]" unless ($date == 0);
|
|
::rptMsg(" -> ".$str) unless ($str eq "");
|
|
}
|
|
}
|
|
}
|
|
else {
|
|
::rptMsg($key_path." has no subkeys.");
|
|
::logMsg($key_path." has no subkeys.");
|
|
}
|
|
}
|
|
else {
|
|
::rptMsg($key_path." not found.");
|
|
::logMsg($key_path." not found.");
|
|
}
|
|
}
|
|
|
|
1;
|
|
|
|
sub parseDate {
|
|
my $data = shift;
|
|
my ($t1,$t2) = unpack("VV",substr($data,0x10,8));
|
|
return ::getTime($t1,$t2);
|
|
}
|
|
|
|
sub parsePath {
|
|
my $data = shift;
|
|
my $ofs = 0x1c;
|
|
my $tag = 1;
|
|
|
|
my $str = substr($data,$ofs,2);
|
|
if (unpack("v",$str) == 0) {
|
|
return "";
|
|
}
|
|
else {
|
|
while($tag) {
|
|
$ofs += 2;
|
|
my $i = substr($data,$ofs,2);
|
|
last unless (defined $i);
|
|
if (unpack("v",$i) == 0) {
|
|
$tag = 0;
|
|
}
|
|
else {
|
|
$str .= $i;
|
|
}
|
|
}
|
|
}
|
|
$str =~ s/\x00//g;
|
|
return $str;
|
|
} |