Add DateTimeTicks and OLE Support to BinConvert #103
EricZimmerman merged 1 commit into EricZimmerman:master from
Conversation
AndrewRathbun
left a comment
Looks good to me. Will pass to @EricZimmerman for merging
@EricZimmerman bump
@AndrewRathbun @EricZimmerman whilst this is getting reviewed, can we also have a new version of https://github.com/EricZimmerman/Registry created and integrated into RECmd so we can take advantage of the
1.5.2 NuGet pushed
RECmd updated (net4 and net9). What else needs to be done?
I think that is almost it on the RECmd side. We will need to disable the ApplicationSettingsContainer plugin when we implement the rules in DFIRBatch etc, but that is an extra line in the rule files per rule so that should be fine. I will test it now to make sure it is working right. Also noticed the latest Registry plugins are not included in the RECmd zip ATM.
RECmd should be available as an update now. Gonna kill net6 soon. I figured you'd test the plugin on your side with RECmd updated and then I'll push all the plugins after rebuilding with the new NuGet package.
I rebuilt the ApplicationSettingsContainer plugin and it works in RECmd with the value data fields actually populating. Will still have to disable it though for targeting individual values in DFIRBatch, but validated that DisablePlugin: true in the values I am targeting fixes this easily, so it will be safe to bundle this. Also gives us flexibility to create a map dumping all settings.dat values for research, for example. Changes committed including the DateTimeTicks, and integrated ApplicationSettingsContainer support works as expected.
Okay, so at this point I can rebuild all the plugins and we should be good to go?
Yep, sounds good to me.
I'm gonna make a push to get all this stuff updated tomorrow.
Building and pushing all new plugins now.
I can see the new ones in RECmd now. Registry Explorer will also need updating. I did notice that the ApplicationSettingsContainer one is not included in RECmd, and that is fine if that is purposely done. For Registry Explorer it should be included for the extra timestamp parsing.
Maybe it was renamed improperly. I asked for someone to fix the sln file, no one did, so I accepted the incoming version in the PR. There is certainly a new plugin in there tho. RE will be soon, as I have to rebuild that with a new version of the controls.
Yeah, the new plugin appears to be DsrmAdminLogonBehaviour. As you say, there must be something wrong with the sln file. In order to compile this I actually modified the RegistryPlugins.Test/RegistryPlugins.Test.csproj section and added a line in there to compile it, to save me the hassle 😂
If another PR wants to be done correcting all of that stuff to get it to whatever name you do want it named, I'm all for it.
I don't think it is a name problem; I think the plugin just wasn't included at all in the sln, so the commit I made there should hopefully make it compile.
Added to RECmd.
Looks good on my end. Compiled ApplicationSettingsContainer plugin works the same as my test version, so looks like that fix worked. Just need to do Registry Explorer and we should be good.
Registry Explorer updated with NuGet changes and all plugins.
Looks good on my end. Confirmed the changes have fed in nicely, with the Registry library settings.dat ApplicationSettingsContainer parsing working alongside the ApplicationSettingsContainer plugin for the individual UTC timestamps.
Description
Adds DateTime.Ticks and Automation Date (OLE 2.0) support, with the OLE support ported over from the Registry Explorer Data Interpreter.
Checklist:
Please replace every instance of [ ] with [X] OR click on the checkboxes after you submit your PR
- [ ] I have generated a unique GUID for my Batch file(s)
- [ ] I have tested and validated the new Batch file(s) against test data and achieved the desired output
- [ ] I have placed the Batch file(s) within the .\RECmd\BatchExamples directory
- [ ] I have set or updated the version of my Batch file(s)
- [ ] I have made an attempt to document the artifacts within the Batch file(s)
- [ ] I have consulted the Guide/Template to ensure my Map(s) follow the same format
Thank you for your submission and for contributing to the DFIR community!
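As an added illustration of the two interpretations this PR brings to BinConvert, and not code from RECmd, the Registry library or Registry Explorer, the Python below decodes one 8-byte registry value both as .NET DateTime.Ticks and as an OLE Automation Date, applying the same plausibility bounds and before-epoch handling that DateTime.FromOADate uses. It assumes the ticks are stored as UTC, and the sample value is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# .NET DateTime.Ticks: 100 ns units since 0001-01-01T00:00:00 (assumed UTC here)
DOTNET_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)
MAX_TICKS = 3_155_378_975_999_999_999          # DateTime.MaxValue.Ticks
# OLE Automation Date: IEEE double, whole days since 1899-12-30, fraction = time of day
OLE_EPOCH = datetime(1899, 12, 30, tzinfo=timezone.utc)
MS_PER_DAY = 86_400_000
OLE_MIN, OLE_MAX = -657435.0, 2958466.0        # exclusive bounds, as in DateTime.FromOADate


def ticks_to_datetime(raw: bytes) -> Optional[datetime]:
    """Decode 8 little-endian bytes as DateTime.Ticks; None if not plausible."""
    if len(raw) != 8:
        return None
    ticks = struct.unpack("<q", raw)[0]
    if ticks < 0 or ticks > MAX_TICKS:
        return None
    # Python datetimes stop at microseconds, so the trailing 100 ns digit is dropped.
    return DOTNET_EPOCH + timedelta(microseconds=ticks // 10)


def ole_to_datetime(raw: bytes) -> Optional[datetime]:
    """Decode 8 little-endian bytes as an OLE Automation Date; None if out of range."""
    if len(raw) != 8:
        return None
    value = struct.unpack("<d", raw)[0]
    if not (OLE_MIN < value < OLE_MAX):          # also rejects NaN and +/-inf
        return None
    millis = int(value * MS_PER_DAY + (0.5 if value >= 0 else -0.5))  # trunc toward 0
    if millis < 0:
        # Before the epoch the fraction still means time-of-day (-1.5 -> 1899-12-29 12:00),
        # so flip the sign of the day remainder the way .NET does.
        rem = -((-millis) % MS_PER_DAY)          # C#-style remainder, same sign as millis
        millis -= rem * 2
    return OLE_EPOCH + timedelta(milliseconds=millis)


def interpret_qword(raw: bytes) -> dict:
    """Offer both readings of one QWORD, as a data interpreter would; the analyst picks."""
    return {"ticks": ticks_to_datetime(raw), "ole": ole_to_datetime(raw)}


if __name__ == "__main__":
    # Constructed sample: DateTime.Ticks for 1970-01-01T00:00:00Z is 621355968000000000.
    sample = struct.pack("<q", 621355968000000000)
    for name, dt in interpret_qword(sample).items():
        print(name, dt.isoformat() if dt else "not plausible")
```

The same bytes read as a double are a denormal near zero, so the OLE reading lands on the 1899-12-30 epoch; showing both candidates side by side is what lets an analyst spot which encoding a settings.dat value actually uses.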