def mr_pc4_sc1_1(buffer, filesize):
# utilize the CFTT's hive class
hive = cftt_hive(buffer)
# get the current version
header_o = hive.get_header(0)
header_m = hive.get_header(0)
# change the minor version value
if header_m.minor_version == 3:
header_m.minor_version = 5
elif header_m.minor_version == 5:
header_m.minor_version = 3
# update the checksum value
header_m.checksum = xor32_checksum(bytearray(header_m))
# build manipulated item list (m_list)
m_list = []
m_item = {}
m_item['offset'] = 0 # start of the hive header
m_item['data'] = bytearray(header_m)
m_item['info'] = "[original version] %d.%d (@ 0x%08X) --> [manipulated version] %d.%d (@ 0x%08X)\n" \
% (header_o.major_version, header_o.minor_version, 0x14,
header_m.major_version, header_m.minor_version, 0x14)
m_item['info'] += "[original checksum] 0x%08X (@ 0x%08X) --> [manipulated checksum] 0x%08X (@ 0x%08X)" \
% (header_o.checksum, 0x1FC,
header_m.checksum, 0x1FC)
m_list.append(m_item)
return m_list
def mr_pc1_sc6_3(buffer, filesize):
# utilize the CFTT's hive class
hive = cftt_hive(buffer)
# get the offset of root cell (0x24 from the beginning of hive file)
header = hive.get_header(0)
offset = hive.calc_hive_offset(header.root_cell_offset)
# goto the root cell
root_cell = hive.get_nk(offset)
# get the 1st subkey offset of the original root key cell
offset = hive.calc_hive_offset(root_cell['base'].subkey_list_cell_offset)
sl_cell = hive.get_sl(offset)
# traverse all subkeys
stack = list(reversed(sl_cell['offsets']))
nk_cell = None
vk_cell = None
found = False
while (1):
if len(stack) == 0: break
nk_cell = hive.get_nk(hive.calc_hive_offset(stack.pop()))
sl_cell = hive.get_sl(
hive.calc_hive_offset(nk_cell['base'].subkey_list_cell_offset))
if nk_cell['base'].number_of_values > 0:
# goto the value-list cell offset
offset = hive.calc_hive_offset(
nk_cell['base'].value_list_cell_offset)
vl_cell = hive.get_vl(offset)
for offset in vl_cell['offsets']:
vk_cell = hive.get_vk(hive.calc_hive_offset(offset))
data_size = vk_cell['base'].data_size
if data_size & 0x80000000 == 0x80000000:
data_size = data_size & 0x7FFFFFFF
# [condition] select a value cell which has BINARY type data (<= 16,344)
if (4 < data_size and data_size <= 16344) and \
vk_cell['base'].data_type == 0x00000003: # REG_BINARY
found = True
break
if found is True:
break
stack.extend(list(reversed(sl_cell['offsets'])))
if nk_cell is None or vk_cell is None or found is False:
return []
# build manipulated item list (m_list)
m_list = []
m_item = {}
m_item[
'offset'] = vk_cell['self'] + 0x0C # 'data cell offset' in the vk cell
edited_value = 0x00000000 # set to zero
m_item['data'] = edited_value.to_bytes(4, byteorder='little')
m_item['info'] = "[original offset] 0x%08X (@ 0x%08X) --> [manipulated offset] 0x%08X (@ 0x%08X)" \
% (vk_cell['base'].data_cell_offset, m_item['offset'], edited_value, m_item['offset'])
m_item['info'] += "\n[Target 'vk_cell']\n: {}\n".format(vk_cell)
m_list.append(m_item)
return m_list
def mr_pc1_sc1_1(buffer, filesize):
# utilize the CFTT's hive class
hive = cftt_hive(buffer)
# get the offset of root cell (0x24 from the beginning of hive file)
header = hive.get_header(0)
offset = hive.calc_hive_offset(header.root_cell_offset)
# goto the root cell
root_cell = hive.get_nk(offset)
# get the subkey-list cell of the root key cell
offset = hive.calc_hive_offset(root_cell['base'].subkey_list_cell_offset)
sl_cell = hive.get_sl(offset)
if len(sl_cell['offsets']) == 0:
return []
# build manipulated item list (m_list)
m_list = []
m_item = {}
m_item['offset'] = 0x24 # 'root key offset' in the hive header
edited_value = sl_cell['offsets'][0]
m_item['data'] = edited_value.to_bytes(4, byteorder='little')
m_item['info'] = "[original offset] 0x%08X (@ 0x%08X) --> [manipulated offset] 0x%08X (@ 0x%08X)" \
% (header.root_cell_offset, m_item['offset'], edited_value, m_item['offset'])
m_list.append(m_item)
return m_list
def mr_pc1_sc5_1(buffer, filesize):
# utilize the CFTT's hive class
hive = cftt_hive(buffer)
# get the offset of root cell (0x24 from the beginning of hive file)
header = hive.get_header(0)
offset = hive.calc_hive_offset(header.root_cell_offset)
# goto the root cell
root_cell = hive.get_nk(offset)
# get the 1st subkey offset of the original root key cell
offset = hive.calc_hive_offset(root_cell['base'].subkey_list_cell_offset)
sl_cell = hive.get_sl(offset)
# traverse all subkeys
stack = list(reversed(sl_cell['offsets']))
nk_cell = None
while (1):
if len(stack) == 0: break
nk_cell = hive.get_nk(hive.calc_hive_offset(stack.pop()))
sl_cell = hive.get_sl(
hive.calc_hive_offset(nk_cell['base'].subkey_list_cell_offset))
# [condition] select a key cell stored at the 1st subkey offset of the root key
if nk_cell is not None or \
nk_cell['base'].number_of_values > 0:
break
stack.extend(list(reversed(sl_cell['offsets'])))
if nk_cell is None:
return []
# goto the value-list cell offset
offset = hive.calc_hive_offset(nk_cell['base'].value_list_cell_offset)
vl_cell = hive.get_vl(offset)
if nk_cell['base'].number_of_values != len(vl_cell['offsets']):
print("Abnormal value is detected.")
# [condition] select the 1st value offset of a selected key
vk_cell = hive.get_vk(hive.calc_hive_offset(vl_cell['offsets'][0]))
if vk_cell['base'].value_name_size <= 0:
return []
# build manipulated item list (m_list)
m_list = []
m_item = {}
m_item[
'offset'] = vk_cell['self'] + 0x06 # 'value name size' in the vk cell
edited_value = int((vk_cell['base'].value_name_size + 1) / BASE_ADJUST)
m_item['data'] = edited_value.to_bytes(2, byteorder='little')
m_item['info'] = "[original size] 0x%08X (@ 0x%08X) --> [manipulated size] 0x%08X (@ 0x%08X)" \
% (vk_cell['base'].value_name_size, m_item['offset'], edited_value, m_item['offset'])
m_item['info'] += "\n[Target 'vk_cell']\n: {}\n".format(vk_cell)
m_list.append(m_item)
return m_list
def mr_pc5_sc2_1(buffer, filesize):
# utilize the CFTT's hive class
hive = cftt_hive(buffer)
# get the offset of root cell (0x24 from the beginning of hive file)
header = hive.get_header(0)
offset = hive.calc_hive_offset(header.root_cell_offset)
# goto the root cell
root_cell = hive.get_nk(offset)
# get the 1st subkey offset of the original root key cell
offset = hive.calc_hive_offset(root_cell['base'].subkey_list_cell_offset)
sl_cell = hive.get_sl(offset)
# traverse all subkeys
stack = list(reversed(sl_cell['offsets']))
nk_cell = None
vk_cell = None
found = False
while (1):
if len(stack) == 0: break
nk_cell = hive.get_nk(hive.calc_hive_offset(stack.pop()))
sl_cell = hive.get_sl(
hive.calc_hive_offset(nk_cell['base'].subkey_list_cell_offset))
if nk_cell['base'].number_of_values > 0:
# goto the value-list cell offset
offset = hive.calc_hive_offset(
nk_cell['base'].value_list_cell_offset)
vl_cell = hive.get_vl(offset)
for offset in vl_cell['offsets']:
vk_cell = hive.get_vk(hive.calc_hive_offset(offset))
# [condition] select a value which has an UNICODE value name
if vk_cell['base'].value_name_size > 0 and \
vk_cell['base'].flags & FLAG_VK_ASCII != FLAG_VK_ASCII:
found = True
break
if found is True:
break
stack.extend(list(reversed(sl_cell['offsets'])))
if nk_cell is None or vk_cell is None or found is False:
return []
# build manipulated item list (m_list)
m_list = []
m_item = {}
m_item['offset'] = vk_cell['self'] + 0x14 # 'flags' in the vk cell
edited_value = vk_cell['base'].flags | FLAG_VK_ASCII # UNICODE -> ASCII
m_item['data'] = edited_value.to_bytes(2, byteorder='little')
m_item['info'] = "[original flags] 0x%04X (@ 0x%08X) --> [manipulated flags] 0x%04X (@ 0x%08X)" \
% (vk_cell['base'].flags, m_item['offset'], edited_value, m_item['offset'])
m_item['info'] += "\n[Target 'vk_cell']\n: {}\n".format(vk_cell)
m_list.append(m_item)
return m_list
def mr_pc1_sc4_3(buffer, filesize):
# utilize the CFTT's hive class
hive = cftt_hive(buffer)
# get the offset of root cell (0x24 from the beginning of hive file)
header = hive.get_header(0)
offset = hive.calc_hive_offset(header.root_cell_offset)
# goto the root cell
root_cell = hive.get_nk(offset)
# get the 1st subkey offset of the original root key cell
offset = hive.calc_hive_offset(root_cell['base'].subkey_list_cell_offset)
sl_cell = hive.get_sl(offset)
# traverse all subkeys
stack = list(reversed(sl_cell['offsets']))
nk_cell = None
while (1):
if len(stack) == 0: break
nk_cell = hive.get_nk(hive.calc_hive_offset(stack.pop()))
sl_cell = hive.get_sl(
hive.calc_hive_offset(nk_cell['base'].subkey_list_cell_offset))
# [condition] select a key cell which has at least BASE_COUNT values
if nk_cell['base'].number_of_values >= BASE_COUNT:
break
stack.extend(list(reversed(sl_cell['offsets'])))
if nk_cell is None or \
nk_cell['base'].number_of_values == 0:
return []
# goto the value-list cell offset
offset = hive.calc_hive_offset(nk_cell['base'].value_list_cell_offset)
vl_cell = hive.get_vl(offset)
if nk_cell['base'].number_of_values != len(vl_cell['offsets']):
print("Abnormal value is detected.")
# build manipulated item list (m_list)
m_list = []
count = nk_cell['base'].number_of_values
for i in range(count - BASE_ADJUST, count):
m_item = {}
# 'value offsets' in the value-list cell
m_item['offset'] = vl_cell['self'] + 0x04 + i * 4
edited_value = 0x00000000 # set NULL bytes
m_item['data'] = edited_value.to_bytes(4, byteorder='little')
m_item['info'] = "[original offset] 0x%08X (@ 0x%08X) --> [manipulated offset] 0x%08X (@ 0x%08X)" \
% (vl_cell['offsets'][i], m_item['offset'], edited_value, m_item['offset'])
m_list.append(m_item)
return m_list
def mr_pc2_sc1_1(buffer, filesize):
# utilize the CFTT's hive class
hive = cftt_hive(buffer)
# get the offset of root cell (0x24 from the beginning of hive file)
header = hive.get_header(0)
offset = hive.calc_hive_offset(header.root_cell_offset)
# goto the root cell
root_cell = hive.get_nk(offset)
# get the 1st subkey offset of the original root key cell
offset = hive.calc_hive_offset(root_cell['base'].subkey_list_cell_offset)
sl_cell = hive.get_sl(offset)
# traverse all subkeys
stack = list(reversed(sl_cell['offsets']))
nk_cell = None
while (1):
if len(stack) == 0: break
nk_cell = hive.get_nk(hive.calc_hive_offset(stack.pop()))
sl_cell = hive.get_sl(
hive.calc_hive_offset(nk_cell['base'].subkey_list_cell_offset))
# [condition] select a key cell (except root) which has subkeys
if (nk_cell['base'].number_of_subkeys > 0) and \
(nk_cell['base'].flags & FLAG_NK_ROOT != FLAG_NK_ROOT):
break
stack.extend(list(reversed(sl_cell['offsets'])))
if nk_cell is None or \
nk_cell['base'].number_of_subkeys == 0 or \
len(sl_cell['offsets']) == 0:
return []
# build manipulated item list (m_list)
m_list = []
m_item = {}
# 'the last subkey offset' in the subkey-list cell
count = nk_cell['base'].number_of_subkeys
m_item['offset'] = sl_cell['self'] + 0x08 + (count - 1) * sl_cell['jump']
edited_value = nk_cell['base'].parent_key_cell_offset # creating a loop
m_item['data'] = edited_value.to_bytes(4, byteorder='little')
m_item['info'] = "[original offset] 0x%08X (@ 0x%08X) --> [manipulated offset] 0x%08X (@ 0x%08X)" \
% (sl_cell['offsets'][count-1], m_item['offset'], edited_value, m_item['offset'])
m_item['info'] += "\n[Target 'nk_cell']\n: {}\n".format(nk_cell)
m_list.append(m_item)
return m_list
def mr_pc1_sc4_2(buffer, filesize):
# utilize the CFTT's hive class
hive = cftt_hive(buffer)
# get the offset of root cell (0x24 from the beginning of hive file)
header = hive.get_header(0)
offset = hive.calc_hive_offset(header.root_cell_offset)
# goto the root cell
root_cell = hive.get_nk(offset)
# get the 1st subkey offset of the original root key cell
offset = hive.calc_hive_offset(root_cell['base'].subkey_list_cell_offset)
sl_cell = hive.get_sl(offset)
# traverse all subkeys
stack = list(reversed(sl_cell['offsets']))
nk_cell = None
while (1):
if len(stack) == 0: break
nk_cell = hive.get_nk(hive.calc_hive_offset(stack.pop()))
sl_cell = hive.get_sl(
hive.calc_hive_offset(nk_cell['base'].subkey_list_cell_offset))
# [condition] select a key cell which has at least BASE_COUNT values
if nk_cell['base'].number_of_values >= BASE_COUNT:
break
stack.extend(list(reversed(sl_cell['offsets'])))
if nk_cell is None or \
nk_cell['base'].number_of_values == 0:
return []
# goto the value-list cell offset
offset = hive.calc_hive_offset(nk_cell['base'].value_list_cell_offset)
vl_cell = hive.get_vl(offset)
# build manipulated item list (m_list)
m_list = []
m_item = {}
m_item['offset'] = vl_cell['self'] # 'cell size' in the value-list cell
edited_value = -(-vl_cell['base'].cell_size - BASE_ADJUST * 4)
m_item['data'] = edited_value.to_bytes(4, byteorder='little', signed=True)
m_item['info'] = "[original size] 0x%08X (@ 0x%08X) --> [manipulated size] 0x%08X (@ 0x%08X)" \
% (-vl_cell['base'].cell_size, m_item['offset'], -edited_value, m_item['offset'])
m_item['info'] += "\n[Target 'nk_cell']\n: {}\n".format(nk_cell)
m_list.append(m_item)
return m_list
def mr_pc1_sc3_3(buffer, filesize):
# utilize the CFTT's hive class
hive = cftt_hive(buffer)
# get the offset of root cell (0x24 from the beginning of hive file)
header = hive.get_header(0)
offset = hive.calc_hive_offset(header.root_cell_offset)
# goto the root cell
root_cell = hive.get_nk(offset)
# get the subkey-list cell of the root key cell
offset = hive.calc_hive_offset(root_cell['base'].subkey_list_cell_offset)
sl_cell = hive.get_sl(offset)
# traverse all keys and their subkeys
stack = list(reversed(sl_cell['offsets']))
nk_cell = None
while (1):
if len(stack) == 0: break
nk_cell = hive.get_nk(hive.calc_hive_offset(stack.pop()))
sl_cell = hive.get_sl(hive.calc_hive_offset(nk_cell['base'].subkey_list_cell_offset))
# [condition] select a key cell which has at least BASE_COUNT subkeys
if nk_cell['base'].number_of_subkeys >= BASE_COUNT:
break
stack.extend(list(reversed(sl_cell['offsets'])))
if nk_cell is None or \
nk_cell['base'].number_of_subkeys == 0 or \
len(sl_cell['offsets']) == 0:
return []
# build manipulated item list (m_list)
m_list = []
m_item = {}
m_item['offset'] = sl_cell['self'] + 0x06 # 'number of subkeys' in the subkey-list cell
edited_value = sl_cell['base'].number_of_subkeys - BASE_ADJUST
m_item['data'] = edited_value.to_bytes(2, byteorder='little')
m_item['info'] = "[original count] 0x%04X (@ 0x%08X) --> [manipulated count] 0x%04X (@ 0x%08X)" \
% (sl_cell['base'].number_of_subkeys, m_item['offset'], edited_value, m_item['offset'])
m_item['info']+= "\n[Target 'nk_cell']\n: {}\n".format(nk_cell)
m_list.append(m_item)
return m_list
def mr_pc5_sc1_1(buffer, filesize):
# utilize the CFTT's hive class
hive = cftt_hive(buffer)
# get the offset of root cell (0x24 from the beginning of hive file)
header = hive.get_header(0)
offset = hive.calc_hive_offset(header.root_cell_offset)
# goto the root cell
root_cell = hive.get_nk(offset)
# get the subkey-list cell of the root key cell
offset = hive.calc_hive_offset(root_cell['base'].subkey_list_cell_offset)
sl_cell = hive.get_sl(offset)
# traverse all subkeys
stack = list(reversed(sl_cell['offsets']))
nk_cell = None
while (1):
if len(stack) == 0: break
nk_cell = hive.get_nk(hive.calc_hive_offset(stack.pop()))
sl_cell = hive.get_sl(
hive.calc_hive_offset(nk_cell['base'].subkey_list_cell_offset))
# [condition] select a key which has an UNICODE key name
if nk_cell['base'].flags & FLAG_NK_ASCII != FLAG_NK_ASCII:
break
stack.extend(list(reversed(sl_cell['offsets'])))
if nk_cell is None:
return []
# build manipulated item list (m_list)
m_list = []
m_item = {}
m_item['offset'] = nk_cell['self'] + 0x06 # 'flags' in the nk cell
edited_value = nk_cell['base'].flags | FLAG_NK_ASCII # UNICODE -> ASCII
m_item['data'] = edited_value.to_bytes(2, byteorder='little')
m_item['info'] = "[original flags] 0x%04X (@ 0x%08X) --> [manipulated flags] 0x%04X (@ 0x%08X)" \
% (nk_cell['base'].flags, m_item['offset'], edited_value, m_item['offset'])
m_item['info'] += "\n[Target 'nk_cell']\n: {}\n".format(nk_cell)
m_list.append(m_item)
return m_list