# BAM parser

**Description:** A parser for the Background Activity Moderator (BAM) registry keys, designed with ScreenSharing use cases in mind. While the core parsing logic is partly visible (semi-open-source), many of the built-in generic detection rules are proprietary.

**Features:**

* Parses BAM entries from the registry, correcting paths from `\Device\HarddiskVolume` format to standard drive letters.
* Retrieves the last run time of each file and indicates whether it falls within the current user logon session.
* Performs digital signature checks (Authenticode/Catalog) for each executable referenced by a BAM entry that still exists on disk.
* Applies numerous generic detection rules (heuristics) to flag potentially suspicious entries based on characteristics common to cheats and malware.
* Checks for file replacement patterns using USN Journal data for each file path.
* Provides filtering options within the GUI (e.g., show only unsigned, only flagged, only in-instance).
* Highlights entries associated with file replacements in red.
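To make the first two features concrete, here is an added example (not code from the BAM-parser project) that parses constructed BAM value data offline. It relies on the documented layout of the values under `HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID>`: the value name is the NT device path of the executable and the 24-byte data starts with a little-endian FILETIME holding the last execution time in UTC. The `VOLUME_MAP`, `LOGON_TIME` and `SAMPLE_VALUES` are constructed for the demonstration; on a live system the volume-number-to-drive-letter mapping would come from the OS (e.g. `mountvol`), and the logon time from the current session.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime (100 ns -> microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_bam_value(data: bytes) -> datetime:
    """Return the last-execution time stored in one BAM value.

    Each value is 24 bytes; the first 8 bytes are a little-endian FILETIME (UTC).
    The remaining 16 bytes are not needed for the execution time and are ignored here.
    """
    if len(data) != 24:
        raise ValueError(f"unexpected BAM value length {len(data)}, expected 24")
    (ticks,) = struct.unpack_from("<Q", data, 0)
    return filetime_to_datetime(ticks)


# BAM records NT device paths (\Device\HarddiskVolumeN\...), not drive letters.
DEVICE_PATH_RE = re.compile(r"^\\Device\\HarddiskVolume(\d+)(\\.*)$", re.IGNORECASE)


def normalize_device_path(path: str, volume_map: dict[int, str]) -> str:
    """Rewrite \\Device\\HarddiskVolumeN\\... to <letter>:\\... via a volume-number map.

    Paths with no mapping are returned unchanged rather than guessed, so an
    analyst can see that the volume was not resolved.
    """
    m = DEVICE_PATH_RE.match(path)
    if not m:
        return path  # AppX package names and other non-volume entries pass through
    letter = volume_map.get(int(m.group(1)))
    return f"{letter}:{m.group(2)}" if letter else path


def parse_bam_entries(values: dict[str, bytes], volume_map: dict[int, str],
                      logon_time: datetime) -> list[dict]:
    """Turn raw value-name -> data pairs into rows with a normalized path, the UTC
    run time, and whether the run falls inside the current logon session."""
    rows = []
    for name, data in values.items():
        last_run = parse_bam_value(data)
        rows.append({
            "path": normalize_device_path(name, volume_map),
            "last_run": last_run,
            "in_session": last_run >= logon_time,
        })
    # Most recent execution first, the order an analyst usually wants.
    return sorted(rows, key=lambda r: r["last_run"], reverse=True)


# --- constructed sample data (assumptions for this example, not from a real system) ---
VOLUME_MAP = {3: "C", 4: "D"}  # assumed HarddiskVolume -> drive letter mapping
LOGON_TIME = datetime(2024, 1, 15, 9, 0, 0, tzinfo=timezone.utc)  # assumed session start


def _bam_value(run_time: datetime) -> bytes:
    """Build a 24-byte BAM value: FILETIME followed by 16 zero bytes (not parsed above)."""
    return struct.pack("<Q", datetime_to_filetime(run_time)) + bytes(16)


SAMPLE_VALUES = {
    r"\Device\HarddiskVolume3\Windows\System32\notepad.exe":
        _bam_value(datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)),
    r"\Device\HarddiskVolume4\Tools\old.exe":
        _bam_value(datetime(2024, 1, 10, 8, 30, 0, tzinfo=timezone.utc)),
    r"\Device\HarddiskVolume9\Temp\unmapped.exe":
        _bam_value(datetime(2024, 1, 15, 10, 15, 0, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for row in parse_bam_entries(SAMPLE_VALUES, VOLUME_MAP, LOGON_TIME):
        print(f"{row['last_run'].isoformat()}  in_session={row['in_session']!s:5}  {row['path']}")
```

Two caveats worth keeping in mind when reading real BAM data this way: the timestamp is the last execution only (earlier runs are overwritten), and an unresolved `HarddiskVolumeN` path usually means a removable or since-removed volume, which is itself a useful observation.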

**Usage Notes & Caveats:**

* One to three generic rules firing on a single file should not lead to an immediate conclusion; manual verification is recommended.
* The developer notes that some generics (A2, F-series) might have occasional false positives but are kept to maximize detection.
* Allows copying the path of a selected cell using `Ctrl + Left Click`.

**Usage:** Useful for analyzing program execution evidence stored in the BAM keys, providing context like execution time, signature status, and heuristic flags for suspicious patterns, aiding in quick identification of potentially malicious executables.

**Link:** `https://github.com/spokwn/BAM-parser`

