Saturday, April 1, 2017

RegRipper plugin to parse Foxit Reader

Foxit Reader is a popular free PDF Reader. Like any other program it keeps a file history. This is the Recent Files list shown to the user when the program is launched:

Foxit Reader stores the MRUs under the File MRU and Place MRU subkey in the NTUSER.DAT hive. They are named Item1 – Item50 and hold up to 50 of the last PDF file/path opened. Item 1 contains the most recent value while Item 50 is the oldest last. History\LastOpen contains additional details that I'll mention later.

As a test, I opened 50 different files named with numbers: I first opened a file named 01.pdf, then 02.pdf and so on up to 50.pdf.

Under History\LastOpen, Foxit Reader stores for each file some important information like the page number of the last page read, the zoom level used and the view mode. As you can notice from the picture below, the page number counter starts at "0". That means that page number "1" in a PDF file is stored as "0" in the registry.

I wrote a plugin for RegRipper to parse all these values by adapting a couple of existing plugins ( by H. Carvey and by E. Rye). The code I wrote is far from perfect since I've never programmed in Perl...but it works ;) 

My plugin can be downloaded from here.

[UPDATE 11/April/2017]: My plugin was added to the official RegRipper repository. Thanks Harlan!