2012-06-29 05:18:28 +00:00
|
|
|
# -*- coding: binary -*-
|
2012-01-11 00:45:24 +00:00
|
|
|
require_relative "regf"
|
|
|
|
require_relative "nodekey"
|
|
|
|
|
|
|
|
module Rex
|
|
|
|
module Registry
|
|
|
|
|
|
|
|
class Hive
|
2013-08-30 21:28:33 +00:00
|
|
|
attr_accessor :root_key, :hive_regf, :hive_name
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
def initialize(hivepath)
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
hive_blob = open(hivepath, "rb") { |io| io.read }
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
@hive_regf = RegfBlock.new(hive_blob)
|
|
|
|
return nil if !@hive_regf.root_key_offset
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
@root_key = NodeKey.new(hive_blob, 0x1000 + @hive_regf.root_key_offset)
|
|
|
|
return nil if !@root_key.lf_record
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
keys = []
|
|
|
|
root_key.lf_record.children.each do |key|
|
|
|
|
keys << key.name
|
|
|
|
end
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
if keys.include? "LastKnownGoodRecovery"
|
|
|
|
@hive_name = "SYSTEM"
|
|
|
|
elsif keys.include? "Microsoft"
|
|
|
|
@hive_name = "SOFTWARE"
|
|
|
|
elsif keys.include? "Environment"
|
|
|
|
@hive_name = "NTUSER.DAT"
|
|
|
|
elsif keys.include? "SAM"
|
|
|
|
@hive_name = "SAM"
|
|
|
|
elsif keys.include? "Policy"
|
|
|
|
@hive_name = "SECURITY"
|
|
|
|
else
|
|
|
|
@hive_name = "UNKNOWN"
|
|
|
|
end
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
end
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
def relative_query(path)
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
if path == "" || path == "\\"
|
|
|
|
return @root_key
|
|
|
|
end
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
current_child = nil
|
|
|
|
paths = path.split("\\")
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
return if !@root_key.lf_record
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
@root_key.lf_record.children.each do |child|
|
|
|
|
next if child.name.downcase != paths[1].downcase
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
current_child = child
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
if paths.length == 2
|
|
|
|
current_child.full_path = path
|
|
|
|
return current_child
|
|
|
|
end
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
2.upto(paths.length) do |i|
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
if i == paths.length
|
|
|
|
current_child.full_path = path
|
|
|
|
return current_child
|
|
|
|
else
|
|
|
|
if current_child.lf_record && current_child.lf_record.children
|
|
|
|
current_child.lf_record.children.each do |c|
|
|
|
|
next if c.name.downcase != paths[i].downcase
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
current_child = c
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
break
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
return if !current_child
|
2012-01-16 23:54:33 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
current_child.full_path = path
|
|
|
|
return current_child
|
|
|
|
end
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
def value_query(path)
|
|
|
|
if path == "" || path == "\\"
|
|
|
|
return nil
|
|
|
|
end
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
paths = path.split("\\")
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
return if !@root_key.lf_record
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
@root_key.lf_record.children.each do |root_child|
|
|
|
|
next if root_child.name.downcase != paths[1].downcase
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
current_child = root_child
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
if paths.length == 2
|
|
|
|
return nil
|
|
|
|
end
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
2.upto(paths.length - 1) do |i|
|
|
|
|
next if !current_child.lf_record
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
current_child.lf_record.children.each do |c|
|
|
|
|
next if c.name != paths[i]
|
|
|
|
current_child = c
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
break
|
|
|
|
end
|
|
|
|
end
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
if !current_child.value_list || current_child.value_list.values.length == 0
|
|
|
|
return nil
|
|
|
|
end
|
2012-01-11 00:45:24 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
current_child.value_list.values.each do |value|
|
|
|
|
next if value.name.downcase != paths[paths.length - 1].downcase
|
2012-02-03 23:01:35 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
value.full_path = path
|
|
|
|
return value
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2012-01-11 00:45:24 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|