metasploit-framework/lib/rex/registry/lfkey.rb

# -*- coding: binary -*-
require_relative "nodekey"

module Rex
module Registry

class LFBlock

  attr_accessor :number_of_keys, :hash_records, :children

  def initialize(hive_blob, offset)
    offset = offset + 4
    lf_header = hive_blob[offset, 2]

    if lf_header !~ /lf/ && lf_header !~ /lh/
      return
    end

    @number_of_keys = hive_blob[offset + 0x02, 2].unpack('C').first

    @hash_records = []
    @children = []

    hash_offset = offset + 0x04

    1.upto(@number_of_keys) do |h|

      hash = LFHashRecord.new(hive_blob, hash_offset)

      @hash_records << hash

      hash_offset = hash_offset + 0x08

      @children << NodeKey.new(hive_blob, hash.nodekey_offset + 0x1000)
    end
  end
end

class LFHashRecord

  attr_accessor :nodekey_offset, :nodekey_name_verification

  def initialize(hive_blob, offset)
    @nodekey_offset = hive_blob[offset, 4].unpack('V').first
    @nodekey_name_verification = hive_blob[offset+0x04, 4].to_s
  end

end

end
end
Mark all libraries as defaulting to 8-bit strings 2012-06-29 05:18:28 +00:00			`# -- coding: binary --`
registry stuff 2012-01-11 00:45:24 +00:00			`require_relative "nodekey"`

			`module Rex`
			`module Registry`

			`class LFBlock`

Retab lib 2013-08-30 21:28:33 +00:00			`attr_accessor :number_of_keys, :hash_records, :children`
registry stuff 2012-01-11 00:45:24 +00:00
Retab lib 2013-08-30 21:28:33 +00:00			`def initialize(hive_blob, offset)`
			`offset = offset + 4`
			`lf_header = hive_blob[offset, 2]`
registry stuff 2012-01-11 00:45:24 +00:00
Retab lib 2013-08-30 21:28:33 +00:00			`if lf_header !~ /lf/ && lf_header !~ /lh/`
			`return`
			`end`
registry stuff 2012-01-11 00:45:24 +00:00
Retab lib 2013-08-30 21:28:33 +00:00			`@number_of_keys = hive_blob[offset + 0x02, 2].unpack('C').first`
registry stuff 2012-01-11 00:45:24 +00:00
Retab lib 2013-08-30 21:28:33 +00:00			`@hash_records = []`
			`@children = []`
registry stuff 2012-01-11 00:45:24 +00:00
Retab lib 2013-08-30 21:28:33 +00:00			`hash_offset = offset + 0x04`
registry stuff 2012-01-11 00:45:24 +00:00
Retab lib 2013-08-30 21:28:33 +00:00			`1.upto(@number_of_keys) do \|h\|`
Whitespace at EOL 2013-03-08 00:16:57 +00:00
Retab lib 2013-08-30 21:28:33 +00:00			`hash = LFHashRecord.new(hive_blob, hash_offset)`
registry stuff 2012-01-11 00:45:24 +00:00
Retab lib 2013-08-30 21:28:33 +00:00			`@hash_records << hash`
registry stuff 2012-01-11 00:45:24 +00:00
Retab lib 2013-08-30 21:28:33 +00:00			`hash_offset = hash_offset + 0x08`
registry stuff 2012-01-11 00:45:24 +00:00
Retab lib 2013-08-30 21:28:33 +00:00			`@children << NodeKey.new(hive_blob, hash.nodekey_offset + 0x1000)`
			`end`
			`end`
registry stuff 2012-01-11 00:45:24 +00:00			`end`

			`class LFHashRecord`

Retab lib 2013-08-30 21:28:33 +00:00			`attr_accessor :nodekey_offset, :nodekey_name_verification`
Whitespace at EOL 2013-03-08 00:16:57 +00:00
Retab lib 2013-08-30 21:28:33 +00:00			`def initialize(hive_blob, offset)`
Fix improper use of host-endian or signed pack/unpack Note that there are some cases of host-endian left, these are intentional because they operate on host-local memory or services. When in doubt, please use: ``` ri pack ``` 2014-06-30 07:48:18 +00:00			`@nodekey_offset = hive_blob[offset, 4].unpack('V').first`
Retab lib 2013-08-30 21:28:33 +00:00			`@nodekey_name_verification = hive_blob[offset+0x04, 4].to_s`
			`end`
registry stuff 2012-01-11 00:45:24 +00:00
			`end`

			`end`
			`end`