From 3dfef0cd64ab2a444561e158ed48c2a339cd9304 Mon Sep 17 00:00:00 2001 From: reece394 <31659691+reece394@users.noreply.github.com> Date: Thu, 22 Aug 2024 17:47:27 +0100 Subject: [PATCH] Add SYSTEMTIME Support to BinConvert --- RECmd/Program.cs | 51 +++++++++++++++++++++++++++++++++++++++++++++++- RECmd/ReBatch.cs | 3 ++- 2 files changed, 52 insertions(+), 2 deletions(-) diff --git a/RECmd/Program.cs b/RECmd/Program.cs index b7b1e40..bff638e 100644 --- a/RECmd/Program.cs +++ b/RECmd/Program.cs @@ -2334,7 +2334,31 @@ private static BatchCsvOut BuildBatchCsvOut(RegistryKey regKey, Key key, string rebOut.ValueData = regVal.ValueData; } - break; + break; + case Key.BinConvert.Systemtime: + try + { + int index = 0; + int int16_1 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, index); + int int16_2 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 2 + index); + int int16_3 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 4 + index); + int int16_4 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 6 + index); + int int16_5 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 8 + index); + int int16_6 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 10 + index); + int int16_7 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 12 + index); + int int16_8 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 14 + index); + + var st = new DateTimeOffset(new DateTime(int16_1, int16_2, int16_4, int16_5, int16_6, int16_7, int16_8, DateTimeKind.Utc)).ToUniversalTime().ToString(); + rebOut.ValueData = st; + + } + catch (Exception) + { + Log.Warning("Error converting to SYSTEMTIME. Using bytes instead!"); + rebOut.ValueData = regVal.ValueData; + } + + break; default: rebOut.ValueData = regVal.ValueData; break; 
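Review bot: The `new DateTime(..., DateTimeKind.Utc)` call in the added Systemtime case labels every value as UTC, but a SYSTEMTIME structure has no time-zone field and may hold local time depending on what wrote it, so the CSV can present a +00:00 timestamp that is off by the source host's offset once it lands in a timeline. The trailing `.ToString()` formats with the current culture of the machine running the tool and, in the default pattern, leaves out the milliseconds read at offset 14; `.ToString("yyyy-MM-dd HH:mm:ss.fff", CultureInfo.InvariantCulture)` would keep the output identical across workstations. The fields are unsigned 16-bit words, so `BitConverter.ToUInt16` is the matching read, and `int16_3` (day of week) is assigned but never used. The same block appears again in the second hunk of this file; the enclosing switch in `BuildBatchCsvOut` starts and ends outside both hunks.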
@@ -2374,6 +2398,31 @@ private static BatchCsvOut BuildBatchCsvOut(RegistryKey regKey, Key key, string Log.Warning("Error converting to FILETIME. Using bytes instead!"); rebOut.ValueData = regVal.ValueData; } + + break; + + case Key.BinConvert.Systemtime: + try + { + int index = 0; + int int16_1 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, index); + int int16_2 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 2 + index); + int int16_3 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 4 + index); + int int16_4 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 6 + index); + int int16_5 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 8 + index); + int int16_6 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 10 + index); + int int16_7 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 12 + index); + int int16_8 = (int)BitConverter.ToInt16(regVal.ValueDataRaw, 14 + index); + + var st = new DateTimeOffset(new DateTime(int16_1, int16_2, int16_4, int16_5, int16_6, int16_7, int16_8, DateTimeKind.Utc)).ToUniversalTime().ToString(); + rebOut.ValueData = st; + + } + catch (Exception) + { + Log.Warning("Error converting to SYSTEMTIME. Using bytes instead!"); + rebOut.ValueData = regVal.ValueData; + } break; } diff --git a/RECmd/ReBatch.cs b/RECmd/ReBatch.cs index e241704..cd22ac0 100644 --- a/RECmd/ReBatch.cs +++ b/RECmd/ReBatch.cs @@ -29,7 +29,8 @@ public enum BinConvert Filetime = 1, [Description("IPv4 address")] Ip = 2, [Description("DWord to Epoch")] Epoch = 3, - [Description("Binary to SID")] Sid = 4 + [Description("Binary to SID")] Sid = 4, + [Description("128 bit Windows SYSTEMTIME")] Systemtime = 5 } public enum HiveType_
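Review bot: The `catch (Exception)` in the Systemtime block of the second Program.cs hunk turns every failure, from a value shorter than 16 bytes to an out-of-range month or day, into the same fixed warning, which names neither the key nor the value that fell back to raw bytes. An explicit guard such as `if (regVal.ValueDataRaw.Length < 16)` ahead of the reads would separate truncated data from a malformed date, and putting the key path and value name in the message lets an analyst locate the record afterwards. Because this block is a verbatim copy of the one in the first hunk, a single private helper called from both cases would keep the two paths from drifting apart. The enclosing switch continues outside the hunk.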