Merge pull request #65 from reece394/master
Add SYSTEMTIME Support to BinConvert
EricZimmerman authored Sep 3, 2024
2 parents f353ea4 + 3dfef0c commit 5cdd091
Showing 2 changed files with 52 additions and 2 deletions.
51 changes: 50 additions & 1 deletion RECmd/Program.cs
@@ -2336,7 +2336,31 @@ private static BatchCsvOut BuildBatchCsvOut(RegistryKey regKey, Key key, string
rebOut.ValueData = regVal.ValueData;
}

break;
break;
case Key.BinConvert.Systemtime:
try
{
int index = 0;
int int16_1 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, index);
int int16_2 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 2 + index);
int int16_3 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 4 + index);
int int16_4 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 6 + index);
int int16_5 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 8 + index);
int int16_6 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 10 + index);
int int16_7 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 12 + index);
int int16_8 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 14 + index);

var st = new DateTimeOffset(new DateTime(int16_1, int16_2, int16_4, int16_5, int16_6, int16_7, int16_8, DateTimeKind.Utc)).ToUniversalTime().ToString();
rebOut.ValueData = st;

}
catch (Exception)
{
Log.Warning("Error converting to SYSTEMTIME. Using bytes instead!");
rebOut.ValueData = regVal.ValueData;
}

break;
default:
rebOut.ValueData = regVal.ValueData;
break;
@@ -2376,6 +2400,31 @@ private static BatchCsvOut BuildBatchCsvOut(RegistryKey regKey, Key key, string
Log.Warning("Error converting to FILETIME. Using bytes instead!");
rebOut.ValueData = regVal.ValueData;
}

break;

case Key.BinConvert.Systemtime:
try
{
int index = 0;
int int16_1 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, index);
int int16_2 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 2 + index);
int int16_3 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 4 + index);
int int16_4 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 6 + index);
int int16_5 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 8 + index);
int int16_6 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 10 + index);
int int16_7 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 12 + index);
int int16_8 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 14 + index);

var st = new DateTimeOffset(new DateTime(int16_1, int16_2, int16_4, int16_5, int16_6, int16_7, int16_8, DateTimeKind.Utc)).ToUniversalTime().ToString();
rebOut.ValueData = st;

}
catch (Exception)
{
Log.Warning("Error converting to SYSTEMTIME. Using bytes instead!");
rebOut.ValueData = regVal.ValueData;
}

break;
}
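Review bot: The SYSTEMTIME case (added identically in both hunks of BuildBatchCsvOut) stamps the value as `DateTimeKind.Utc`, but a SYSTEMTIME structure carries no time-zone marker and may have been written as local time, so the CSV can present a shifted timestamp as UTC; a comment such as `// SYSTEMTIME has no zone marker; treated as UTC, may be local time on the source host` would tell an examiner what was assumed. The parameterless `.ToString()` formats with the current culture of the analysis machine and normally omits the milliseconds read from offset 14; `.ToString("o", CultureInfo.InvariantCulture)` (or whatever fixed format the other converters use, which is not visible here) would keep the output unambiguous across workstations. The fields are unsigned WORDs, so `BitConverter.ToUInt16` is the matching read, and an explicit `regVal.ValueDataRaw.Length == 16` check would stop over-long data from being converted silently from its first 16 bytes. The bare `catch (Exception)` logs neither the exception nor which value failed, and `int16_3` (day of week) is read but never used. Both copies could share one private helper; the enclosing method begins and ends outside the hunks.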
3 changes: 2 additions & 1 deletion RECmd/ReBatch.cs
@@ -29,7 +29,8 @@ public enum BinConvert
Filetime = 1,
[Description("IPv4 address")] Ip = 2,
[Description("DWord to Epoch")] Epoch = 3,
[Description("Binary to SID")] Sid = 4
[Description("Binary to SID")] Sid = 4,
[Description("128 bit Windows SYSTEMTIME")] Systemtime = 5
}

public enum HiveType_
