2012-06-29 05:18:28 +00:00
|
|
|
# -*- coding: binary -*-
|
2012-01-11 00:45:24 +00:00
|
|
|
require_relative "nodekey"
|
|
|
|
|
|
|
|
module Rex
|
|
|
|
module Registry
|
|
|
|
|
|
|
|
class LFBlock
|
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
attr_accessor :number_of_keys, :hash_records, :children
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
def initialize(hive_blob, offset)
|
|
|
|
offset = offset + 4
|
|
|
|
lf_header = hive_blob[offset, 2]
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
if lf_header !~ /lf/ && lf_header !~ /lh/
|
|
|
|
return
|
|
|
|
end
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
@number_of_keys = hive_blob[offset + 0x02, 2].unpack('C').first
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
@hash_records = []
|
|
|
|
@children = []
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
hash_offset = offset + 0x04
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
1.upto(@number_of_keys) do |h|
|
2013-03-08 00:16:57 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
hash = LFHashRecord.new(hive_blob, hash_offset)
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
@hash_records << hash
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
hash_offset = hash_offset + 0x08
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
@children << NodeKey.new(hive_blob, hash.nodekey_offset + 0x1000)
|
|
|
|
end
|
|
|
|
end
|
2012-01-11 00:45:24 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
class LFHashRecord
|
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
attr_accessor :nodekey_offset, :nodekey_name_verification
|
2013-03-08 00:16:57 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
def initialize(hive_blob, offset)
|
|
|
|
@nodekey_offset = hive_blob[offset, 4].unpack('l').first
|
|
|
|
@nodekey_name_verification = hive_blob[offset+0x04, 4].to_s
|
|
|
|
end
|
2012-01-11 00:45:24 +00:00
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|