metasploit-framework/lib/rex/registry/hive.rb

require_relative "regf"
require_relative "nodekey"

module Rex
module Registry

class Hive
	attr_accessor :root_key, :hive_regf, :hive_name

	def initialize(hivepath)

		hive_blob = open(hivepath, "rb") { |io| io.read }

		@hive_regf = RegfBlock.new(hive_blob)
    return nil if !@hive_regf.root_key_offset

    @root_key = NodeKey.new(hive_blob, 0x1000 + @hive_regf.root_key_offset)
    return nil if !@root_key.lf_record

		keys = []
		root_key.lf_record.children.each do |key|
			keys << key.name
		end

		if keys.include? "LastKnownGoodRecovery"
			@hive_name = "SYSTEM"
		elsif keys.include? "Microsoft"
			@hive_name = "SOFTWARE"
		elsif keys.include? "Environment"
			@hive_name = "NTUSER.DAT"
		elsif keys.include? "SAM"
			@hive_name = "SAM"
		elsif keys.include? "Policy"
			@hive_name = "SECURITY"
		else
			@hive_name = "UNKNOWN"
		end

	end

	def relative_query(path)

		if path == "" || path == "\\"
			return @root_key
		end

		current_child = nil
		paths = path.split("\\")

		return if !@root_key.lf_record

		@root_key.lf_record.children.each do |child|
			next if child.name.downcase != paths[1].downcase

			current_child = child

			if paths.length == 2
				current_child.full_path = path
				return current_child
			end

			2.upto(paths.length) do |i|

				if i == paths.length
					current_child.full_path = path
					return current_child
				else
					if current_child.lf_record && current_child.lf_record.children
						current_child.lf_record.children.each do |c|
							next if c.name.downcase != paths[i].downcase

							current_child = c

							break
						end
					end
				end
			end
		end

		return if !current_child

		current_child.full_path = path
		return current_child
		end

		def value_query(path)
			if path == "" || path == "\\"
			return nil
		end

		paths = path.split("\\")

		return if !@root_key.lf_record

		@root_key.lf_record.children.each do |root_child|
			next if root_child.name.downcase != paths[1].downcase

			current_child = root_child

			if paths.length == 2
				return nil
			end

			2.upto(paths.length - 1) do |i|
				next if !current_child.lf_record

				current_child.lf_record.children.each do |c|
					next if c.name != paths[i]
					current_child = c

					break
				end
			end

			if !current_child.value_list || current_child.value_list.values.length == 0
				return nil
			end

			current_child.value_list.values.each do |value|
				next if value.name.downcase != paths[paths.length - 1].downcase

				value.full_path = path
				return value
			end
		end
	end
end

end
end
registry stuff 2012-01-11 00:45:24 +00:00			`require_relative "regf"`
			`require_relative "nodekey"`

			`module Rex`
			`module Registry`

			`class Hive`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00			`attr_accessor :root_key, :hive_regf, :hive_name`
registry stuff 2012-01-11 00:45:24 +00:00
			`def initialize(hivepath)`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00
			`hive_blob = open(hivepath, "rb") { \|io\| io.read }`

registry stuff 2012-01-11 00:45:24 +00:00			`@hive_regf = RegfBlock.new(hive_blob)`
silly registry typos 2012-04-03 02:33:01 +00:00			`return nil if !@hive_regf.root_key_offset`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00
silly registry typos 2012-04-03 02:33:01 +00:00			`@root_key = NodeKey.new(hive_blob, 0x1000 + @hive_regf.root_key_offset)`
			`return nil if !@root_key.lf_record`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00
silly registry typos 2012-04-03 02:33:01 +00:00			`keys = []`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00			`root_key.lf_record.children.each do \|key\|`
			`keys << key.name`
			`end`

			`if keys.include? "LastKnownGoodRecovery"`
			`@hive_name = "SYSTEM"`
			`elsif keys.include? "Microsoft"`
			`@hive_name = "SOFTWARE"`
			`elsif keys.include? "Environment"`
			`@hive_name = "NTUSER.DAT"`
			`elsif keys.include? "SAM"`
			`@hive_name = "SAM"`
			`elsif keys.include? "Policy"`
			`@hive_name = "SECURITY"`
			`else`
			`@hive_name = "UNKNOWN"`
			`end`

registry stuff 2012-01-11 00:45:24 +00:00			`end`

			`def relative_query(path)`

			`if path == "" \|\| path == "\\"`
			`return @root_key`
			`end`

			`current_child = nil`
			`paths = path.split("\\")`

Adding bperry's various and sundry regex fixes [Closes #109] Squashed commit of the following: commit 692568d02fbfd547ef2d05ad9887427fc53f8abb Author: Brandon Perry <bperry.volatile@gmail.com> Date: Mon Jan 16 12:34:35 2012 -0600 small get_everything fix commit 5b29a310601b6658ffb74a4922b52bc5b3f864fb Author: Brandon Perry <bperry.volatile@gmail.com> Date: Mon Jan 16 12:31:31 2012 -0600 regex fixes commit a565ade7f4fe42fb5d070d04ac1ba4e65c98d8b8 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 16:39:29 2012 -0600 registry.rb in lib/rex commit 3609313ea357884480750948a9b0cc6514dcfcc2 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 16:32:06 2012 -0600 boot key fixed commit e591ed1815b01b3e535b517c73470ad9984fe8c7 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 15:53:21 2012 -0600 fixes commit 3598f3482eea2845baead71310d6192e105b6074 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sat Jan 14 13:47:29 2012 -0600 stuff commit 8a8d0dfda603d3697b54bd852f131795259f9c28 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Fri Jan 13 22:57:30 2012 -0600 reg fixes commit fcfb51bb64b2d8ee6a28722bbf1998be47145b90 Merge: 2c7cfde 24aaf85 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Fri Jan 13 21:54:45 2012 -0600 Merge remote-tracking branch 'upstream/master' commit 2c7cfdef41d9cdcce563c4d623c1c3585170d1fe Author: Brandon Perry <bperry.volatile@gmail.com> Date: Tue Jan 10 19:16:37 2012 -0600 typo 2012-01-16 23:54:33 +00:00			`return if !@root_key.lf_record`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00
			`@root_key.lf_record.children.each do \|child\|`
registry stuff 2012-01-11 00:45:24 +00:00			`next if child.name.downcase != paths[1].downcase`

			`current_child = child`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00
registry stuff 2012-01-11 00:45:24 +00:00			`if paths.length == 2`
			`current_child.full_path = path`
			`return current_child`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00			`end`

registry stuff 2012-01-11 00:45:24 +00:00			`2.upto(paths.length) do \|i\|`

			`if i == paths.length`
			`current_child.full_path = path`
			`return current_child`
			`else`
Adding bperry's various and sundry regex fixes [Closes #109] Squashed commit of the following: commit 692568d02fbfd547ef2d05ad9887427fc53f8abb Author: Brandon Perry <bperry.volatile@gmail.com> Date: Mon Jan 16 12:34:35 2012 -0600 small get_everything fix commit 5b29a310601b6658ffb74a4922b52bc5b3f864fb Author: Brandon Perry <bperry.volatile@gmail.com> Date: Mon Jan 16 12:31:31 2012 -0600 regex fixes commit a565ade7f4fe42fb5d070d04ac1ba4e65c98d8b8 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 16:39:29 2012 -0600 registry.rb in lib/rex commit 3609313ea357884480750948a9b0cc6514dcfcc2 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 16:32:06 2012 -0600 boot key fixed commit e591ed1815b01b3e535b517c73470ad9984fe8c7 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 15:53:21 2012 -0600 fixes commit 3598f3482eea2845baead71310d6192e105b6074 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sat Jan 14 13:47:29 2012 -0600 stuff commit 8a8d0dfda603d3697b54bd852f131795259f9c28 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Fri Jan 13 22:57:30 2012 -0600 reg fixes commit fcfb51bb64b2d8ee6a28722bbf1998be47145b90 Merge: 2c7cfde 24aaf85 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Fri Jan 13 21:54:45 2012 -0600 Merge remote-tracking branch 'upstream/master' commit 2c7cfdef41d9cdcce563c4d623c1c3585170d1fe Author: Brandon Perry <bperry.volatile@gmail.com> Date: Tue Jan 10 19:16:37 2012 -0600 typo 2012-01-16 23:54:33 +00:00			`if current_child.lf_record && current_child.lf_record.children`
registry stuff 2012-01-11 00:45:24 +00:00			`current_child.lf_record.children.each do \|c\|`
			`next if c.name.downcase != paths[i].downcase`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00
registry stuff 2012-01-11 00:45:24 +00:00			`current_child = c`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00
registry stuff 2012-01-11 00:45:24 +00:00			`break`
			`end`
			`end`
			`end`
			`end`
			`end`

Adding bperry's various and sundry regex fixes [Closes #109] Squashed commit of the following: commit 692568d02fbfd547ef2d05ad9887427fc53f8abb Author: Brandon Perry <bperry.volatile@gmail.com> Date: Mon Jan 16 12:34:35 2012 -0600 small get_everything fix commit 5b29a310601b6658ffb74a4922b52bc5b3f864fb Author: Brandon Perry <bperry.volatile@gmail.com> Date: Mon Jan 16 12:31:31 2012 -0600 regex fixes commit a565ade7f4fe42fb5d070d04ac1ba4e65c98d8b8 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 16:39:29 2012 -0600 registry.rb in lib/rex commit 3609313ea357884480750948a9b0cc6514dcfcc2 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 16:32:06 2012 -0600 boot key fixed commit e591ed1815b01b3e535b517c73470ad9984fe8c7 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 15:53:21 2012 -0600 fixes commit 3598f3482eea2845baead71310d6192e105b6074 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sat Jan 14 13:47:29 2012 -0600 stuff commit 8a8d0dfda603d3697b54bd852f131795259f9c28 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Fri Jan 13 22:57:30 2012 -0600 reg fixes commit fcfb51bb64b2d8ee6a28722bbf1998be47145b90 Merge: 2c7cfde 24aaf85 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Fri Jan 13 21:54:45 2012 -0600 Merge remote-tracking branch 'upstream/master' commit 2c7cfdef41d9cdcce563c4d623c1c3585170d1fe Author: Brandon Perry <bperry.volatile@gmail.com> Date: Tue Jan 10 19:16:37 2012 -0600 typo 2012-01-16 23:54:33 +00:00			`return if !current_child`

registry stuff 2012-01-11 00:45:24 +00:00			`current_child.full_path = path`
			`return current_child`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00			`end`
registry stuff 2012-01-11 00:45:24 +00:00
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00			`def value_query(path)`
			`if path == "" \|\| path == "\\"`
registry stuff 2012-01-11 00:45:24 +00:00			`return nil`
			`end`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00
registry stuff 2012-01-11 00:45:24 +00:00			`paths = path.split("\\")`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00
Adding bperry's various and sundry regex fixes [Closes #109] Squashed commit of the following: commit 692568d02fbfd547ef2d05ad9887427fc53f8abb Author: Brandon Perry <bperry.volatile@gmail.com> Date: Mon Jan 16 12:34:35 2012 -0600 small get_everything fix commit 5b29a310601b6658ffb74a4922b52bc5b3f864fb Author: Brandon Perry <bperry.volatile@gmail.com> Date: Mon Jan 16 12:31:31 2012 -0600 regex fixes commit a565ade7f4fe42fb5d070d04ac1ba4e65c98d8b8 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 16:39:29 2012 -0600 registry.rb in lib/rex commit 3609313ea357884480750948a9b0cc6514dcfcc2 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 16:32:06 2012 -0600 boot key fixed commit e591ed1815b01b3e535b517c73470ad9984fe8c7 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sun Jan 15 15:53:21 2012 -0600 fixes commit 3598f3482eea2845baead71310d6192e105b6074 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Sat Jan 14 13:47:29 2012 -0600 stuff commit 8a8d0dfda603d3697b54bd852f131795259f9c28 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Fri Jan 13 22:57:30 2012 -0600 reg fixes commit fcfb51bb64b2d8ee6a28722bbf1998be47145b90 Merge: 2c7cfde 24aaf85 Author: Brandon Perry <bperry.volatile@gmail.com> Date: Fri Jan 13 21:54:45 2012 -0600 Merge remote-tracking branch 'upstream/master' commit 2c7cfdef41d9cdcce563c4d623c1c3585170d1fe Author: Brandon Perry <bperry.volatile@gmail.com> Date: Tue Jan 10 19:16:37 2012 -0600 typo 2012-01-16 23:54:33 +00:00			`return if !@root_key.lf_record`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00
registry stuff 2012-01-11 00:45:24 +00:00			`@root_key.lf_record.children.each do \|root_child\|`
			`next if root_child.name.downcase != paths[1].downcase`

			`current_child = root_child`

			`if paths.length == 2`
			`return nil`
			`end`

			`2.upto(paths.length - 1) do \|i\|`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00			`next if !current_child.lf_record`

			`current_child.lf_record.children.each do \|c\|`
			`next if c.name != paths[i]`
			`current_child = c`

			`break`
			`end`
			`end`
registry stuff 2012-01-11 00:45:24 +00:00
			`if !current_child.value_list \|\| current_child.value_list.values.length == 0`
			`return nil`
			`end`

			`current_child.value_list.values.each do \|value\|`
			`next if value.name.downcase != paths[paths.length - 1].downcase`
Squashed commit of the following: commit 69bb41a8176fb814485225e0c3b0e1c44342e652 Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:30:52 2012 +0100 indentation commit 175d230a06dc58e2123f092d39f33063efdce83d Author: matugm <matugm@gmail.com> Date: Tue Jan 31 11:13:02 2012 +0100 Changed way of finding hive names so that it works with xp hives 2012-02-03 23:01:35 +00:00
registry stuff 2012-01-11 00:45:24 +00:00			`value.full_path = path`
			`return value`
			`end`
			`end`
			`end`
			`end`

			`end`
			`end`