System.IndexOutOfRangeException when running rla.exe
RECmd version 2.0.0.0
rla version 2.0.0.0
Describe the bug
I am trying to run rla.exe on the NTUSER.DAT of the Administrator account. While processing with rla.exe I get an error System.IndexOutOfRangeException. I also tried to run RECmd.exe, which does not produce such a message. Here are the logs:
.\rla.exe -f ..\Administrator_Profile\NTUSER.DAT --out ..\out\ --debug --trace
[13:27:01.013 INF] rla version 2.0.0.0
Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/RECmd
Note: Enclose all strings containing spaces with double quotes
[13:27:01.024 INF] Command line: -f ..\Administrator_Profile\NTUSER.DAT --out ..\out\ --debug --trace
[13:27:01.025 INF] Processing hive ..\Administrator_Profile\NTUSER.DAT
[13:27:01.035 DBG] Got hive header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[13:27:01.039 DBG] Got transaction log header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[13:27:01.046 DBG] Got transaction log header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[13:27:01.046 WRN] Dropping ..\Administrator_Profile\ntuser.dat.LOG2 because the log's header.PrimarySequenceNumber is less than the hive's header.SecondarySequenceNumber
[13:27:01.047 INF] Single log file available: ..\Administrator_Profile\ntuser.dat.LOG1
[13:27:01.048 INF] Replaying log file: ..\Administrator_Profile\ntuser.dat.LOG1
[13:27:01.050 INF] At least one transaction log was applied. Sequence numbers have been updated to 0x007E. New Checksum: 0xDF9139FB
[13:27:01.052 ERR] There was an error: Index was outside the bounds of the array.
System.IndexOutOfRangeException: Index was outside the bounds of the array.
at rla.Program.DoWork(String f, String d, String out, Boolean ca, Boolean cn, Boolean nop, Boolean debug, Boolean trace)
[13:27:01.059 INF] Total processing time: 0.034 seconds
RECmd log:
.\RECmd.exe -f ..\Administrator_Profile\NTUSER.DAT --sk TEST123 --debug --trace
[2024-07-27 13:31:16.3148702 INF] RECmd version 2.0.0.0
Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/RECmd
Note: Enclose all strings containing spaces (and all RegEx) with double quotes
[2024-07-27 13:31:16.3245568 INF] Command line: -f ..\Administrator_Profile\NTUSER.DAT --sk TEST123 --debug --trace
[2024-07-27 13:31:16.3265901 DBG] Loading plugin C:\Users\user\Desktop\RECmd\Plugins\RegistryPlugin.7-ZipHistory.dll
[...]
[2024-07-27 13:31:16.3502531 INF] Processing hive ..\Administrator_Profile\NTUSER.DAT
[2024-07-27 13:31:16.3603351 DBG] Got hive header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[2024-07-27 13:31:16.3640695 DBG] Got transaction log header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[2024-07-27 13:31:16.3694608 DBG] Got transaction log header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[2024-07-27 13:31:16.3694747 WRN] Dropping ..\Administrator_Profile\ntuser.dat.LOG2 because the log's header.PrimarySequenceNumber is less than the hive's header.SecondarySequenceNumber
[2024-07-27 13:31:16.3696209 INF] Single log file available: ..\Administrator_Profile\ntuser.dat.LOG1
[2024-07-27 13:31:16.3696366 INF] Replaying log file: ..\Administrator_Profile\ntuser.dat.LOG1
[2024-07-27 13:31:16.3712693 INF] At least one transaction log was applied. Sequence numbers have been updated to 0x007E. New Checksum: 0xDF9139FB
[2024-07-27 13:31:16.3712913 DBG] Got hive header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[2024-07-27 13:31:16.3759540 DBG] Header length is smaller than the size of the file.
[2024-07-27 13:31:16.3793292 VRB] Processing hbin at relative offset 0x0 (Absolute offset: 0x1000)
[...]
[2024-07-27 13:31:16.4953274 VRB] Processing hbin at relative offset 0x5E000 (Absolute offset: 0x5F000)
[2024-07-27 13:31:16.4955824 WRN] hbin header incorrect at absolute offset 0x60000!!! Percent done: 75,00 %
[2024-07-27 13:31:16.4956122 DBG] Initial processing complete. Building tree...
[2024-07-27 13:31:16.4962702 DBG] Found root node! Getting subkeys...
[2024-07-27 13:31:16.4964104 DBG] Created root node object. Getting subkeys.
[2024-07-27 13:31:16.5132608 DBG] Hive processing complete!
[2024-07-27 13:31:16.5134652 WRN] Extra, non-zero data found beyond hive length! Check for erroneous data starting at 0x60000!
[2024-07-27 13:31:16.5175140 DBG] Associating deleted keys and values...
[2024-07-27 13:31:16.5186046 DBG] Building tree of key/subkeys for deleted keys
[2024-07-27 13:31:16.5187849 DBG] Associating top level deleted keys to active Registry keys
[2024-07-27 13:31:16.5189370 DBG] Iterating unreferenced VK records
[2024-07-27 13:31:16.5190543 DBG] Flushing record lists...
[2024-07-27 13:31:16.5219721 INF] Nothing found
To Reproduce
I took the NTUSER.DAT from the DC01 image from here if you want to reproduce.
Expected behavior
I wanted rla.exe to write a clean NTUSER.DAT to ..\out\ for further processing.
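The log lines above show the checks a hive parser runs before it ever reaches key data: reading the hive's primary and secondary sequence numbers, dropping a transaction log whose PrimarySequenceNumber is below the hive's SecondarySequenceNumber, walking hbin headers, and flagging non-zero data beyond the declared hive length. The following is an added example, not code from the issue author or from the RECmd/rla project, that performs those same checks on the regf base block and hbin layout using only the documented offsets (signature at 0x00, sequence numbers at 0x04 and 0x08, hive bins data size at 0x28, checksum at 0x1FC, hbin signature and size at hbin offsets 0x00 and 0x08). The hive and log bytes are constructed in the block itself; the sequence numbers, names and the junk page are invented for illustration and do not come from the DC01 image.

```python
"""Added example: replay-eligibility and hbin sanity checks for a regf hive.
Synthetic input only; mirrors the warnings in the rla/RECmd logs above."""
import struct

BASE_BLOCK_SIZE = 0x1000   # primary hive base block is one 4 KiB page
HBIN_SIZE = 0x1000         # hbins in the constructed sample are one page each
CHECKSUM_OFF = 0x1FC


def regf_checksum(block: bytes) -> int:
    """XOR of the first 508 bytes as little-endian uint32 words, with the
    kernel's two special cases (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    cs = 0
    for (word,) in struct.iter_unpack("<I", block[:CHECKSUM_OFF]):
        cs ^= word
    if cs == 0:
        return 1
    if cs == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return cs


def parse_base_block(block: bytes) -> dict:
    """Read the base-block fields the replay decision depends on."""
    if block[:4] != b"regf":
        raise ValueError("not a regf base block")
    primary, secondary = struct.unpack_from("<II", block, 0x04)
    hbins_size = struct.unpack_from("<I", block, 0x28)[0]
    stored = struct.unpack_from("<I", block, CHECKSUM_OFF)[0]
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        "hbins_size": hbins_size,
        "checksum_ok": stored == regf_checksum(block),
        "dirty": primary != secondary,   # unequal => unflushed writes, logs needed
    }


def select_logs(hive: dict, logs: dict) -> tuple:
    """Rule from the warning in the log: a transaction log whose
    PrimarySequenceNumber is below the hive's SecondarySequenceNumber is
    stale and is dropped; the rest are replayed."""
    keep, dropped = [], []
    for name, log in logs.items():
        (dropped if log["primary_seq"] < hive["secondary_seq"] else keep).append(name)
    return keep, dropped


def walk_hbins(hive_bytes: bytes) -> dict:
    """Walk hbin headers inside the declared hive length and report whether
    non-zero data sits beyond it (the two RECmd warnings above)."""
    hdr = parse_base_block(hive_bytes[:BASE_BLOCK_SIZE])
    end = BASE_BLOCK_SIZE + hdr["hbins_size"]
    bins, bad, off = [], [], BASE_BLOCK_SIZE
    while off < end:
        size = struct.unpack_from("<I", hive_bytes, off + 8)[0]
        if hive_bytes[off:off + 4] != b"hbin" or size == 0 or size % 0x1000:
            bad.append(off)          # "hbin header incorrect at absolute offset ..."
            break
        bins.append((off - BASE_BLOCK_SIZE, size))
        off += size
    tail = hive_bytes[end:]
    extra = any(tail)                # any non-zero byte past the hive length
    return {"hbins": bins, "bad_hbin_offsets": bad,
            "extra_data_beyond_length": extra,
            "extra_data_offset": end if extra else None}


def make_base_block(primary: int, secondary: int, hbins_size: int) -> bytes:
    """Constructed regf base block with a valid checksum (test data only)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    struct.pack_into("<II", block, 0x04, primary, secondary)
    struct.pack_into("<I", block, 0x28, hbins_size)
    struct.pack_into("<I", block, CHECKSUM_OFF, regf_checksum(bytes(block)))
    return bytes(block)


def make_hbin(rel_offset: int, size: int = HBIN_SIZE) -> bytes:
    """Constructed empty hbin with the header fields the walker inspects."""
    b = bytearray(size)
    b[0:4] = b"hbin"
    struct.pack_into("<II", b, 0x04, rel_offset, size)
    return bytes(b)


# Constructed sample: a dirty hive (0x7D != 0x7E) with two good hbins, then a
# page of junk past the declared hive length; two constructed log base blocks.
SAMPLE_HIVE = (make_base_block(0x7E, 0x7D, 2 * HBIN_SIZE)
               + make_hbin(0x0000) + make_hbin(0x1000)
               + b"JUNK" + b"\x41" * (HBIN_SIZE - 4))
SAMPLE_LOGS = {
    "ntuser.dat.LOG1": parse_base_block(make_base_block(0x7E, 0x7E, 2 * HBIN_SIZE)),
    "ntuser.dat.LOG2": parse_base_block(make_base_block(0x70, 0x70, 2 * HBIN_SIZE)),
}


def triage(hive_bytes: bytes = SAMPLE_HIVE, logs: dict = SAMPLE_LOGS) -> dict:
    """Full pre-replay triage: header fields, which logs to replay, hbin layout."""
    hdr = parse_base_block(hive_bytes[:BASE_BLOCK_SIZE])
    keep, dropped = select_logs(hdr, logs)
    return {"header": hdr, "replay": keep, "dropped": dropped, **walk_hbins(hive_bytes)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Running the block on the constructed sample reports the hive as dirty, keeps LOG1 and drops LOG2 under the same sequence-number rule the rla warning states, lists the two valid hbins, and points at offset 0x3000 as the start of non-zero data beyond the hive length, which is the same class of finding RECmd reported at 0x60000 for the real hive. A run on a real NTUSER.DAT and its .LOG1/.LOG2 files only needs the first 4096 bytes of each file passed to parse_base_block and the whole hive passed to walk_hbins.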