metasploit-framework/lib/rex/registry/valuekey.rb

module Rex
module Registry

class ValueKey

	attr_accessor :name_length, :length_of_data, :data_offset, :full_path
	attr_accessor :value_type, :readable_value_type, :name, :value

	def initialize(hive, offset)
		offset = offset + 4

		vk_header = hive[offset, 2]
		
		if vk_header !~ /vk/
			puts "no vk at offset #{offset}"
			return
		end

		@name_length = hive[offset+0x02, 2].unpack('c').first
		@length_of_data = hive[offset+0x04, 4].unpack('l').first
		@data_offset = hive[offset+ 0x08, 4].unpack('l').first
		@value_type = hive[offset+0x0C, 4].unpack('c').first

		if @value_type == 1
			@readable_value_type = "Unicode character string"
		elsif @value_type == 2
			@readable_value_type = "Unicode string with %VAR% expanding"
		elsif @value_type == 3
			@readable_value_type = "Raw binary value"
		elsif @value_type == 4
			@readable_value_type = "Dword"
		elsif @value_type == 7
			@readable_value_type = "Multiple unicode strings separated with '\\x00'"
		end		

		flag = hive[offset+0x10, 2].unpack('c').first
		
		if flag == 0
			@name = "Default"
		else
			@name = hive[offset+0x14, @name_length].to_s
		end

		@value = ValueKeyData.new(hive, @data_offset, @length_of_data, @value_type, offset)
	end
end

class ValueKeyData

	attr_accessor :data	

	def initialize(hive, offset, length, datatype, parent_offset)
		offset = offset + 4

		#If the data-size is lower than 5, the data-offset value is used to store
		#the data itself!
		if length < 5
			@data = hive[parent_offset + 0x08, 4]
		else 
			@data = hive[offset + 0x1000, length]
		end
	end
end

end
end
registry stuff 2012-01-11 00:45:24 +00:00			`module Rex`
			`module Registry`

			`class ValueKey`

			`attr_accessor :name_length, :length_of_data, :data_offset, :full_path`
			`attr_accessor :value_type, :readable_value_type, :name, :value`

			`def initialize(hive, offset)`
			`offset = offset + 4`

			`vk_header = hive[offset, 2]`

			`if vk_header !~ /vk/`
			`puts "no vk at offset #{offset}"`
			`return`
			`end`

			`@name_length = hive[offset+0x02, 2].unpack('c').first`
			`@length_of_data = hive[offset+0x04, 4].unpack('l').first`
			`@data_offset = hive[offset+ 0x08, 4].unpack('l').first`
			`@value_type = hive[offset+0x0C, 4].unpack('c').first`

			`if @value_type == 1`
			`@readable_value_type = "Unicode character string"`
			`elsif @value_type == 2`
			`@readable_value_type = "Unicode string with %VAR% expanding"`
			`elsif @value_type == 3`
			`@readable_value_type = "Raw binary value"`
			`elsif @value_type == 4`
			`@readable_value_type = "Dword"`
			`elsif @value_type == 7`
			`@readable_value_type = "Multiple unicode strings separated with '\\x00'"`
			`end`

			`flag = hive[offset+0x10, 2].unpack('c').first`

			`if flag == 0`
			`@name = "Default"`
			`else`
			`@name = hive[offset+0x14, @name_length].to_s`
			`end`

			`@value = ValueKeyData.new(hive, @data_offset, @length_of_data, @value_type, offset)`
			`end`
			`end`

			`class ValueKeyData`

			`attr_accessor :data`

			`def initialize(hive, offset, length, datatype, parent_offset)`
			`offset = offset + 4`

			`#If the data-size is lower than 5, the data-offset value is used to store`
			`#the data itself!`
			`if length < 5`
			`@data = hive[parent_offset + 0x08, 4]`
			`else`
			`@data = hive[offset + 0x1000, length]`
			`end`
			`end`
			`end`

			`end`
			`end`