# -*- coding: binary -*-
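module Rex
module Registry

# A "vk" (value key) cell read out of an offline registry hive.
#
# The hive is untrusted input (it is whatever file the caller handed us), so
# every length and offset used below comes straight out of that file.  Slices
# are taken with String#[] which yields nil, not a fault, when a field points
# past the end of the hive, and a cell whose header is missing or truncated is
# abandoned rather than dereferenced.  +hive+ is expected to be a binary
# (ASCII-8BIT) String so that String#[] indexes bytes rather than characters.
class ValueKey

  # Labels for the value types this parser knows how to describe; any other
  # type leaves +readable_value_type+ nil.
  READABLE_VALUE_TYPES = {
    1 => "Unicode character string",
    2 => "Unicode string with %VAR% expanding",
    3 => "Raw binary value",
    4 => "Dword",
    7 => "Multiple unicode strings separated with '\\x00'"
  }.freeze

  attr_accessor :name_length, :length_of_data, :data_offset, :full_path
  attr_accessor :value_type, :readable_value_type, :name, :value

  # Parse the vk cell whose 4-byte cell-size field starts at +offset+ bytes
  # into +hive+.
  #
  # When the cell carries no "vk" signature, or the hive ends before the
  # record's fixed fields do, a message is printed and every attribute stays
  # nil -- callers must check +name+ / +value+ before using them.
  def initialize(hive, offset)
    # step over the 4-byte cell size field that precedes the record
    offset = offset + 4

    vk_header = hive[offset, 2]
    if vk_header != 'vk'
      # NOTE(review): writes to stdout from a library; kept for compatibility
      puts "no vk at offset #{offset}"
      return
    end

    # fixed fields after the signature: name length (2), data length (4),
    # data offset (4), value type (4), flags (2) -- 0x10 bytes in total
    fields = hive[offset + 0x02, 0x10]
    if fields.nil? || fields.bytesize < 0x10
      puts "truncated vk at offset #{offset}"
      return
    end

    # Widths match the field sizes above: the 2-byte fields are read as
    # unsigned 16-bit ('v') and the offset/type as unsigned 32-bit ('V'), so a
    # name longer than 127 bytes no longer turns into a negative length and an
    # offset with its top bit set no longer becomes a negative index (which
    # String#[] would have resolved from the END of the hive).  The data
    # length is deliberately still read signed ('l'): ValueKeyData relies on a
    # set top bit arriving as a negative number to pick the inline-data path.
    @name_length, @length_of_data, @data_offset, @value_type, flag =
      fields.unpack('vlVVv')

    @readable_value_type = READABLE_VALUE_TYPES[@value_type]

    # NOTE(review): a zero flag word is treated as the unnamed (Default)
    # value.  In the hive format bit 0 of this word is documented as marking
    # an ASCII name versus a UTF-16LE one, so a value with a non-ASCII name
    # may be labelled "Default" here -- confirm against callers before
    # changing this.
    if flag == 0
      @name = "Default"
    else
      # a name that runs past the end of the hive slices to nil, hence ""
      @name = hive[offset + 0x14, @name_length].to_s
    end

    @value = ValueKeyData.new(hive, @data_offset, @length_of_data, @value_type, offset)
  end

end

# The data a ValueKey points at, returned as raw bytes.
class ValueKeyData

  attr_accessor :data

  # +offset+ is the value of the vk record's data-offset field, +length+ its
  # (signed) data-length field, +datatype+ the value type and +parent_offset+
  # the offset of the vk record itself (just past its cell size field).
  #
  # +datatype+ is accepted for interface compatibility but not consulted: the
  # same raw slice is returned for every type.  +data+ is nil when the record
  # points outside the hive.
  def initialize(hive, offset, length, datatype, parent_offset)
    # step over the 4-byte cell size field of the data cell
    offset = offset + 4

    # If the data-size is lower than 5, the data-offset value is used to store
    # the data itself!  A length whose top bit is set also lands here, because
    # ValueKey unpacks that field as a signed 32-bit value and it therefore
    # arrives negative (presumably the hive's inline-data marker -- TODO
    # confirm against the hive format).
    if length < 5
      @data = hive[parent_offset + 0x08, 4]
    else
      # cell offsets appear to be relative to an area 0x1000 bytes into the
      # file (presumably the end of the hive header -- TODO confirm)
      @data = hive[offset + 0x1000, length]
    end
  end

end

end
end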