metasploit-framework/lib/rex/registry/nodekey.rb

# -*- coding: binary -*-
require_relative "lfkey"
require_relative "valuelist"

module Rex
module Registry

class NodeKey

	attr_accessor :timestamp, :parent_offset, :subkeys_count, :lf_record_offset
	attr_accessor :value_count, :value_list_offset, :security_key_offset
	attr_accessor :class_name_offset, :name_length, :class_name_length, :full_path
	attr_accessor :name, :lf_record, :value_list, :class_name_data, :readable_timestamp

	def initialize(hive, offset)

		offset = offset + 0x04

		nk_header = hive[offset, 2]
		nk_type = hive[offset+0x02, 2]

		if nk_header !~ /nk/
			return
		end

		@timestamp = hive[offset+0x04, 8].unpack('q').first
		@parent_offset = hive[offset+0x10, 4].unpack('l').first
		@subkeys_count = hive[offset+0x14, 4].unpack('l').first
		@lf_record_offset = hive[offset+0x1c, 4].unpack('l').first
		@value_count = hive[offset+0x24, 4].unpack('l').first
		@value_list_offset = hive[offset+0x28, 4].unpack('l').first
		@security_key_offset = hive[offset+0x2c, 4].unpack('l').first
		@class_name_offset = hive[offset+0x30, 4].unpack('l').first
		@name_length = hive[offset+0x48, 2].unpack('c').first
		@class_name_length = hive[offset+0x4a, 2].unpack('c').first
		@name = hive[offset+0x4c, @name_length].to_s

		windows_time = @timestamp
		unix_time = windows_time/10000000-11644473600
		ruby_time = Time.at(unix_time)

		@readable_timestamp = ruby_time

		@lf_record = LFBlock.new(hive, @lf_record_offset + 0x1000) if @lf_record_offset != -1
		@value_list = ValueList.new(hive, @value_list_offset + 0x1000, @value_count) if @value_list_offset != -1

		@class_name_data = hive[@class_name_offset + 0x04 + 0x1000, @class_name_length]

	end

end

end
end
Mark all libraries as defaulting to 8-bit strings 2012-06-29 05:18:28 +00:00			`# -- coding: binary --`
registry stuff 2012-01-11 00:45:24 +00:00			`require_relative "lfkey"`
			`require_relative "valuelist"`

			`module Rex`
			`module Registry`

			`class NodeKey`

			`attr_accessor :timestamp, :parent_offset, :subkeys_count, :lf_record_offset`
			`attr_accessor :value_count, :value_list_offset, :security_key_offset`
			`attr_accessor :class_name_offset, :name_length, :class_name_length, :full_path`
			`attr_accessor :name, :lf_record, :value_list, :class_name_data, :readable_timestamp`

Whitespace cleanup 2012-05-24 23:10:26 +00:00			`def initialize(hive, offset)`
registry stuff 2012-01-11 00:45:24 +00:00
Whitespace cleanup 2012-05-24 23:10:26 +00:00			`offset = offset + 0x04`
registry stuff 2012-01-11 00:45:24 +00:00
			`nk_header = hive[offset, 2]`
			`nk_type = hive[offset+0x02, 2]`

Whitespace cleanup 2012-05-24 23:10:26 +00:00			`if nk_header !~ /nk/`
registry stuff 2012-01-11 00:45:24 +00:00			`return`
			`end`
Whitespace cleanup 2012-05-24 23:10:26 +00:00
registry stuff 2012-01-11 00:45:24 +00:00			`@timestamp = hive[offset+0x04, 8].unpack('q').first`
			`@parent_offset = hive[offset+0x10, 4].unpack('l').first`
			`@subkeys_count = hive[offset+0x14, 4].unpack('l').first`
			`@lf_record_offset = hive[offset+0x1c, 4].unpack('l').first`
			`@value_count = hive[offset+0x24, 4].unpack('l').first`
			`@value_list_offset = hive[offset+0x28, 4].unpack('l').first`
			`@security_key_offset = hive[offset+0x2c, 4].unpack('l').first`
			`@class_name_offset = hive[offset+0x30, 4].unpack('l').first`
			`@name_length = hive[offset+0x48, 2].unpack('c').first`
			`@class_name_length = hive[offset+0x4a, 2].unpack('c').first`
			`@name = hive[offset+0x4c, @name_length].to_s`

hard tabs 2012-04-03 02:42:51 +00:00			`windows_time = @timestamp`
			`unix_time = windows_time/10000000-11644473600`
Whitespace cleanup 2012-05-24 23:10:26 +00:00			`ruby_time = Time.at(unix_time)`
registry stuff 2012-01-11 00:45:24 +00:00
			`@readable_timestamp = ruby_time`

Whitespace cleanup 2012-05-24 23:10:26 +00:00			`@lf_record = LFBlock.new(hive, @lf_record_offset + 0x1000) if @lf_record_offset != -1`
registry stuff 2012-01-11 00:45:24 +00:00			`@value_list = ValueList.new(hive, @value_list_offset + 0x1000, @value_count) if @value_list_offset != -1`
Whitespace cleanup 2012-05-24 23:10:26 +00:00
Adding bperry's various and sundry regex fixes [Closes #109] Squashed commit of the following: commit 692568d02fbfd547ef2d05ad9887427fc53f8abb Author: Brandon Perry <bperry.volatile@gmail.com> Date: Mon Jan 16 12:34:35 2012 -0600 small get_everything fix commit 5b29a310601b6658ffb74a4922b52bc5b3f864fb Author: Brandon Perry <bperry.volatile@gmail.com> Date: Mon Jan 16 12:31:31 2012 -0600 regex fixes commit a565ade7f4fe42fb5d070d04ac1ba4e65c98d8b8 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 16:39:29 2012 -0600 registry.rb in lib/rex commit 3609313ea357884480750948a9b0cc6514dcfcc2 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 16:32:06 2012 -0600 boot key fixed commit e591ed1815b01b3e535b517c73470ad9984fe8c7 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 15:53:21 2012 -0600 fixes commit 3598f3482eea2845baead71310d6192e105b6074 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sat Jan 14 13:47:29 2012 -0600 stuff commit 8a8d0dfda603d3697b54bd852f131795259f9c28 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Fri Jan 13 22:57:30 2012 -0600 reg fixes commit fcfb51bb64b2d8ee6a28722bbf1998be47145b90 Merge: 2c7cfde 24aaf85 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Fri Jan 13 21:54:45 2012 -0600 Merge remote-tracking branch 'upstream/master' commit 2c7cfdef41d9cdcce563c4d623c1c3585170d1fe Author: Brandon Perry <bperry.volatile@gmail.com> Date: Tue Jan 10 19:16:37 2012 -0600 typo 2012-01-16 23:54:33 +00:00			`@class_name_data = hive[@class_name_offset + 0x04 + 0x1000, @class_name_length]`

registry stuff 2012-01-11 00:45:24 +00:00			`end`

			`end`

			`end`
			`end`