def find_subkey(self, parent, key_name): if self.root is None: self.setup() key = NTRegistryCell.load_data_from_offset(self.reader, parent.offset_lf_stable, self.is_file) for offset in key.get_key_offsets(key_name): rec = NTRegistryCell.load_data_from_offset(self.reader,offset, self.is_file) if rec.name == key_name: return rec return None
def read(reader):
hbin = NTRegistryHbin()
hbin.parse_header_buffer(reader)
cell = NTRegistryCell.read(reader)
hbin.cells.append(cell)
while cell.size != 0:
cell = NTRegistryCell.read(reader)
hbin.cells.append(cell)
return hbin
def enum_key(self, key_path, throw = True): if self.root is None: self.setup() names = [] key = self.find_key(key_path, throw) if key.subkey_cnt_stable > 0: rec = NTRegistryCell.load_data_from_offset(self.reader,key.offset_lf_stable, self.is_file) for hash_rec in rec.hash_records: subkey = NTRegistryCell.load_data_from_offset(self.reader,hash_rec.offset_nk, self.is_file) names.append(subkey.name) return names
def get_value(self, value_path, throw=True):
if self.root is None:
self.setup()
key_path = ntpath.dirname(value_path)
value_name = ntpath.basename(value_path)
key = self.find_key(key_path, throw)
if key is None:
return None
if key.value_cnt <= 0:
return None
vl = ValueList.load_data_from_offset(self.reader,
key.offset_value_list,
key.value_cnt + 1)
for record_offset in vl.record_offsets:
block = NTRegistryCell.load_data_from_offset(
self.reader, record_offset)
if not block:
continue
if block.flag == 0:
if value_name == 'default':
return (block.value_type, block.load_data(self.reader))
elif value_name == block.name.decode():
return (block.value_type, block.load_data(self.reader))
raise Exception('Could not find %s' % value_path)
def read(reader):
hbin = NTRegistryHbin()
hbin.magic = reader.read(4)
hbin.offset_first = int.from_bytes(reader.read(4),
'little',
signed=False)
hbin.offset_next = int.from_bytes(reader.read(4),
'little',
signed=False)
hbin.block_size = int.from_bytes(reader.read(4),
'little',
signed=False)
reader.read(16)
cell = NTRegistryCell.read(reader)
hbin.cells.append(cell)
while cell.size != 0:
cell = NTRegistryCell.read(reader)
hbin.cells.append(cell)
return hbin
def list_values(self, key):
if self.root is None:
self.setup()
values = []
if key.value_cnt <= 0:
return values
vl = ValueList.load_data_from_offset(self.reader,
key.offset_value_list,
key.value_cnt + 1)
for record_offset in vl.record_offsets:
block = NTRegistryCell.load_data_from_offset(
self.reader, record_offset)
if not block:
continue
if block.flag == 0:
values.append(b'default')
else:
values.append(block.name)
return values
def list_values(self, key):
if self.root is None:
self.setup()
values = []
if key.value_cnt <= 0:
return values
vl = ValueList.load_data_from_offset(self.reader, key.offset_value_list, key.value_cnt + 1, self.is_file)
for record_offset in vl.record_offsets:
if record_offset < 0:
#print('Skipping value because offset smaller than 0! %s ' % record_offset)
continue
block = NTRegistryCell.load_data_from_offset(self.reader, record_offset, self.is_file)
if not block:
continue
if block.flag == 0:
values.append(b'default')
else:
values.append(block.name)
return values
def __load_cell_from_offset(self, offset, nk_partial=False): if offset not in self.__cells_lookup: cell = NTRegistryCell.load_data_from_offset(self.reader, offset, self.is_file, nk_partial=False) self.__cells_lookup[offset] = cell return self.__cells_lookup[offset]