def find_subkey(self, parent, key_name):
    """Return the subkey cell of *parent* whose name equals *key_name*.

    The subkey list cell referenced by ``parent.offset_lf_stable`` is loaded
    and asked for the candidate offsets for *key_name*. Each candidate is then
    loaded in turn and its name compared exactly.

    Returns:
        The first loaded cell whose ``name`` equals *key_name*, or ``None``
        when no candidate matches.
    """
    # The hive is set up lazily on first use.
    if self.root is None:
        self.setup()

    subkey_list = NTRegistryCell.load_data_from_offset(
        self.reader, parent.offset_lf_stable, self.is_file
    )
    # NOTE(review): the candidate offsets come out of the hive data and are
    # handed to the loader unchanged; confirm load_data_from_offset rejects
    # out-of-range offsets before hives from untrusted sources are parsed.
    candidates = (
        NTRegistryCell.load_data_from_offset(self.reader, candidate_offset, self.is_file)
        for candidate_offset in subkey_list.get_key_offsets(key_name)
    )
    # Candidates are loaded one at a time; the search stops at the first match.
    return next((cell for cell in candidates if cell.name == key_name), None)
def read(reader):
    """Build an ``NTRegistryHbin`` from *reader*.

    The header is parsed by ``parse_header_buffer``; cells are then read one
    after another and appended to ``hbin.cells`` until a cell reporting
    ``size == 0`` has been read (that terminating cell is appended too).

    Returns:
        The populated ``NTRegistryHbin``.
    """
    hbin = NTRegistryHbin()
    hbin.parse_header_buffer(reader)

    # NOTE(review): the only exit condition is a zero-size cell. Nothing here
    # bounds the loop by the hbin's own size, so termination on truncated or
    # malformed input depends on what NTRegistryCell.read does at end of data
    # -- confirm before parsing hives from untrusted sources.
    while True:
        cell = NTRegistryCell.read(reader)
        hbin.cells.append(cell)
        if cell.size == 0:
            break
    return hbin
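def enum_key(self, key_path, throw = True):
    """Return the names of the direct subkeys of the key at *key_path*.

    Args:
        key_path: path of the key, passed unchanged to ``find_key``.
        throw: forwarded to ``find_key``.

    Returns:
        A list with the ``name`` of every subkey cell referenced by the key's
        subkey list. The list is empty when the key has no stable subkeys or
        when ``find_key`` returned ``None``.
    """
    # The hive is set up lazily on first use.
    if self.root is None:
        self.setup()

    names = []
    key = self.find_key(key_path, throw)
    # find_key can hand back None instead of raising (get_value guards for the
    # same result). Without this check a missing key surfaced as an
    # AttributeError on ``None.subkey_cnt_stable``.
    if key is None or key.subkey_cnt_stable <= 0:
        return names

    subkey_list = NTRegistryCell.load_data_from_offset(
        self.reader, key.offset_lf_stable, self.is_file
    )
    # NOTE(review): offset_nk values are taken from the hive as-is; confirm the
    # loader validates them when the hive comes from an untrusted source.
    for hash_rec in subkey_list.hash_records:
        subkey = NTRegistryCell.load_data_from_offset(
            self.reader, hash_rec.offset_nk, self.is_file
        )
        names.append(subkey.name)
    return names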
def get_value(self, value_path, throw=True):
    """Look up a registry value by its full path.

    *value_path* is split with ``ntpath`` into the key path and the value
    name. The value name ``'default'`` selects the record whose ``flag`` is 0;
    any other name is compared with the decoded ``name`` of the records whose
    ``flag`` is non-zero.

    Args:
        value_path: backslash-separated path ending in the value name.
        throw: forwarded to ``find_key``.

    Returns:
        ``(value_type, data)`` for the first matching record, or ``None`` when
        ``find_key`` returned ``None`` or the key holds no values.

    Raises:
        Exception: the key has values but none of them matches.
    """
    # The hive is set up lazily on first use.
    if self.root is None:
        self.setup()

    parent_path, wanted = ntpath.split(value_path)
    key = self.find_key(parent_path, throw)
    if key is None or key.value_cnt <= 0:
        return None

    # NOTE(review): value_cnt and the record offsets below are read from the
    # hive; confirm the loaders bound them for hives from untrusted sources.
    value_list = ValueList.load_data_from_offset(
        self.reader, key.offset_value_list, key.value_cnt + 1
    )
    for record_offset in value_list.record_offsets:
        record = NTRegistryCell.load_data_from_offset(self.reader, record_offset)
        if not record:
            continue
        if record.flag == 0:
            matched = wanted == 'default'
        else:
            # NOTE(review): decode() uses the default codec and will raise on a
            # name that is not valid in it.
            matched = wanted == record.name.decode()
        if matched:
            return (record.value_type, record.load_data(self.reader))

    # NOTE(review): raised regardless of *throw*, while a missing key or an
    # empty key returns None -- confirm callers expect both outcomes.
    raise Exception('Could not find %s' % value_path)
def read(reader):
    """Build an ``NTRegistryHbin`` from *reader*.

    Header layout as consumed here: 4 bytes stored as ``magic``, then three
    little-endian unsigned 32-bit integers (``offset_first``, ``offset_next``,
    ``block_size``), then 16 bytes that are read and discarded. Cells follow
    and are appended to ``hbin.cells`` until a cell reporting ``size == 0``
    has been read (that terminating cell is appended too).

    Returns:
        The populated ``NTRegistryHbin``.
    """
    hbin = NTRegistryHbin()
    # NOTE(review): magic is stored but not compared with any expected value
    # in this function.
    hbin.magic = reader.read(4)
    for field in ('offset_first', 'offset_next', 'block_size'):
        setattr(hbin, field, int.from_bytes(reader.read(4), 'little', signed=False))
    reader.read(16)  # remainder of the header, not kept

    # NOTE(review): the loop ends only on a zero-size cell; block_size is not
    # used to bound it, so behaviour on truncated or malformed input depends
    # on NTRegistryCell.read -- confirm before parsing untrusted hives.
    while True:
        cell = NTRegistryCell.read(reader)
        hbin.cells.append(cell)
        if cell.size == 0:
            break
    return hbin
def list_values(self, key):
    """Return the names of the values stored under *key*.

    A record whose ``flag`` is 0 is reported as ``b'default'``; every other
    record contributes its ``name`` exactly as stored on the cell (it is not
    decoded here). Records the loader returns as falsy are skipped.

    Returns:
        A list of names, empty when ``key.value_cnt`` is zero or negative.
    """
    # The hive is set up lazily on first use.
    if self.root is None:
        self.setup()
    if key.value_cnt <= 0:
        return []

    # NOTE(review): one more entry than value_cnt is requested; the reason is
    # not visible from this function.
    value_list = ValueList.load_data_from_offset(
        self.reader, key.offset_value_list, key.value_cnt + 1
    )
    names = []
    # NOTE(review): record offsets are passed to the loader without a range
    # check here; confirm the loader copes with negative or out-of-range
    # offsets in hives from untrusted sources.
    for record_offset in value_list.record_offsets:
        record = NTRegistryCell.load_data_from_offset(self.reader, record_offset)
        if record:
            names.append(b'default' if record.flag == 0 else record.name)
    return names
def list_values(self, key):
    """Return the names of the values stored under *key*.

    A record whose ``flag`` is 0 is reported as ``b'default'``; every other
    record contributes its ``name`` exactly as stored on the cell (it is not
    decoded here). Negative record offsets and records the loader returns as
    falsy are skipped silently.

    Returns:
        A list of names, empty when ``key.value_cnt`` is zero or negative.
    """
    # The hive is set up lazily on first use.
    if self.root is None:
        self.setup()
    if key.value_cnt <= 0:
        return []

    # NOTE(review): one more entry than value_cnt is requested; the reason is
    # not visible from this function.
    value_list = ValueList.load_data_from_offset(
        self.reader, key.offset_value_list, key.value_cnt + 1, self.is_file
    )
    names = []
    for record_offset in value_list.record_offsets:
        # Only non-negative offsets are handed to the loader. Skipped entries
        # leave no trace in the result, so a caller cannot tell that values
        # were dropped.
        if record_offset < 0:
            continue
        record = NTRegistryCell.load_data_from_offset(
            self.reader, record_offset, self.is_file
        )
        if record:
            names.append(b'default' if record.flag == 0 else record.name)
    return names
def __load_cell_from_offset(self, offset, nk_partial=False):
    """Return the cell at *offset*, loading it at most once.

    Loaded cells are memoised in ``self.__cells_lookup`` keyed by *offset*.

    Args:
        offset: position of the cell, passed to the loader unchanged.
        nk_partial: accepted but not forwarded; the loader is always called
            with ``nk_partial=False``.
    """
    cache = self.__cells_lookup
    if offset in cache:
        return cache[offset]

    # NOTE(review): nk_partial is ignored here. That may be deliberate, since
    # the cache is keyed by offset alone and a partially parsed cell would be
    # served to later callers as well -- confirm the intent.
    cell = NTRegistryCell.load_data_from_offset(
        self.reader, offset, self.is_file, nk_partial=False
    )
    cache[offset] = cell
    return cell