Windows 10 creators update breaks parser #14
Comments
You can get the ISO for the Creators Update here.
@EricZimmerman Do you know how the fields in the header are shifted? Is there simply a new 32-bit field appended to the existing header, or inserted somewhere in the middle?
Once you shift 4 bytes, everything else parses the same. I haven't seen any other changes in my initial round of testing and coding for what is inside the record itself. I didn't break down or try to track down the new 4 bytes as of yet. There is a counter in there for the # of entries, but that has been in both formats. In my code, I added a check for the version (first 4 bytes) and adjusted the initial offset based on whether it was 0x30 or 0x34. Nothing else needed to be changed for all my unit tests to pass.
I do have screenshots of the old and new format on the blog post, so it may drop right out from those. I pull the expected entry count but do not do much with the other stuff.
This is the offset that would do it: WIN10_STATS_SIZE = 0x30 (https://github.com/mandiant/ShimCacheParser/blob/master/ShimCacheParser.py#L59)
@EricZimmerman Do you have a Creators Update hive/AppCompat value you can share?
When you fall into the possible Windows 10 case, just set WIN10_STATS_SIZE equal to the 32-bit int at the start of the data. Once that is set, everything else will work as is.
PR #19 should resolve this. Because it's a quick fix, I continued with the script's current method of hard-coding the relevant value.
Noticed that @EricZimmerman referenced this issue in another project. Eric, this one can be closed.
Due to changes in the binary data in the Creators Update, the code to handle Windows 10 needs to be updated.
If the first 4 bytes == 0x30, handle as is; if == 0x34, index into the data 4 more bytes. Everything after that works the same way.
More detail here:
https://binaryforay.blogspot.com/2017/03/windows-10-creators-update-vs-shimcache.html
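As an added example (not ShimCacheParser's own code), the header-size check the thread describes: read the first DWORD of the AppCompatCache blob, accept 0x30 or 0x34, and start parsing entries at that offset instead of a hard-coded WIN10_STATS_SIZE. The '10ts' entry signature and the per-entry layout used to walk entries are assumptions beyond what the issue states; the sample blobs are constructed.

```python
import struct

# Header sizes the issue reports: 0x30 before the Creators Update, 0x34 after.
KNOWN_WIN10_HEADER_SIZES = (0x30, 0x34)
# Signature at the start of each Windows 10 cache entry (assumed; not stated in the issue).
WIN10_ENTRY_MAGIC = b"10ts"


def win10_header_size(cachedata: bytes) -> int:
    """Read the header size from the first DWORD instead of hard-coding 0x30."""
    if len(cachedata) < 4:
        raise ValueError("AppCompatCache blob too short to hold a header")
    header_size = struct.unpack_from("<I", cachedata, 0)[0]
    if header_size not in KNOWN_WIN10_HEADER_SIZES:
        raise ValueError(f"unexpected Windows 10 header size 0x{header_size:x}")
    # Sanity check: the first entry must begin exactly where the header ends.
    if cachedata[header_size:header_size + 4] != WIN10_ENTRY_MAGIC:
        raise ValueError("no entry signature at the header boundary")
    return header_size


def win10_entry_paths(cachedata: bytes) -> list:
    """Walk entries from the detected header size and return their paths.
    Assumed entry layout: magic(4) unknown(4) entry_size(4) path_len(2) path(UTF-16LE) ...;
    entry_size covers everything after the 12-byte entry prefix."""
    offset = win10_header_size(cachedata)
    paths = []
    while offset + 14 <= len(cachedata) and cachedata[offset:offset + 4] == WIN10_ENTRY_MAGIC:
        entry_size = struct.unpack_from("<I", cachedata, offset + 8)[0]
        path_len = struct.unpack_from("<H", cachedata, offset + 12)[0]
        paths.append(cachedata[offset + 14:offset + 14 + path_len].decode("utf-16-le"))
        offset += 12 + entry_size
    return paths


def _build_entry(path: str) -> bytes:
    """Constructed entry: magic, unknown DWORD, entry_size, path_len, path (no trailing fields)."""
    encoded = path.encode("utf-16-le")
    body = struct.pack("<H", len(encoded)) + encoded
    return WIN10_ENTRY_MAGIC + b"\x00" * 4 + struct.pack("<I", len(body)) + body


def build_sample(header_size: int, paths) -> bytes:
    """Constructed blob: header of the given size (first DWORD = size, rest zeroed), then entries."""
    header = struct.pack("<I", header_size).ljust(header_size, b"\x00")
    return header + b"".join(_build_entry(p) for p in paths)
```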