Class: Rex::Registry::Hive

Inherits:
Object
Defined in:
lib/rex/registry/hive.rb


Constructor Details

#initialize(hivepath) ⇒ Hive

Returns a new instance of Hive.



# File 'lib/rex/registry/hive.rb', line 11

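# Loads a registry hive file from disk and works out which hive it is.
#
# @param hivepath [String] path of the hive file to read
#
# A +return+ inside +initialize+ does not stop the object from being
# created: when the header has no root key offset, or the root key has no
# lf_record, the instance still exists but +root_key+ and +hive_name+ stay
# nil. Callers should check +root_key+ before querying.
def initialize(hivepath)
	# File.binread, not Kernel#open: Kernel#open treats a path beginning
	# with "|" as a command to spawn, so a caller-supplied path must not
	# reach it. The contents are the same binary string either way.
	hive_blob = File.binread(hivepath)

	@hive_regf = RegfBlock.new(hive_blob)
	return unless @hive_regf.root_key_offset

	# The root key offset from the header is adjusted by 0x1000 before it
	# is used; presumably offsets are relative to the data that follows the
	# fixed-size header — confirm against RegfBlock/NodeKey.
	@root_key = NodeKey.new(hive_blob, 0x1000 + @hive_regf.root_key_offset)
	return unless @root_key.lf_record

	keys = @root_key.lf_record.children.map(&:name)

	# Identify the hive by a child key that is characteristic of it; the
	# order matters only when a hive happens to contain more than one.
	@hive_name = if keys.include?("LastKnownGoodRecovery")
		"SYSTEM"
	elsif keys.include?("Microsoft")
		"SOFTWARE"
	elsif keys.include?("Environment")
		"NTUSER.DAT"
	elsif keys.include?("SAM")
		"SAM"
	elsif keys.include?("Policy")
		"SECURITY"
	else
		"UNKNOWN"
	end
end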

Instance Attribute Details

#hive_name ⇒ Object

Returns the value of attribute hive_name.



# File 'lib/rex/registry/hive.rb', line 9

# @return [String, nil] hive label chosen at load time ("SYSTEM", "SOFTWARE",
#   "NTUSER.DAT", "SAM", "SECURITY" or "UNKNOWN"); nil when the hive could
#   not be parsed far enough to classify it
def hive_name
  instance_variable_get(:@hive_name)
end

#hive_regf ⇒ Object

Returns the value of attribute hive_regf.



# File 'lib/rex/registry/hive.rb', line 9

# @return [RegfBlock, nil] parsed hive header; nil before a hive is loaded
def hive_regf
  instance_variable_get(:@hive_regf)
end

#root_key ⇒ Object

Returns the value of attribute root_key.



# File 'lib/rex/registry/hive.rb', line 9

# @return [NodeKey, nil] root key of the hive; nil when the header carried no
#   root key offset or the hive was not loaded
def root_key
  instance_variable_get(:@root_key)
end

Instance Method Details

#relative_query(path) ⇒ Object



# File 'lib/rex/registry/hive.rb', line 42

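# Resolves a backslash-separated key path relative to the hive root.
#
# Key names are compared case-insensitively. Empty components (a leading or
# doubled backslash) are ignored, so "\\Foo\\Bar" and "Foo\\Bar" resolve to
# the same key.
#
# @param path [String] key path such as "\\Microsoft\\Windows"; "" or "\\"
#   name the root key itself
# @return [NodeKey, nil] the matching key with +full_path+ set to +path+, or
#   nil when the root has no lf_record or any component of the path does not
#   exist (previously a missing component silently returned its parent)
def relative_query(path)
	return @root_key if path == "" || path == "\\"
	return unless @root_key.lf_record

	components = path.split("\\").reject(&:empty?)
	return @root_key if components.empty?

	current = @root_key
	components.each do |name|
		wanted = name.downcase
		children = current.lf_record && current.lf_record.children
		return unless children

		current = children.find { |child| child.name.downcase == wanted }
		return unless current
	end

	# full_path is recorded on the node itself so callers can see which query
	# produced it.
	current.full_path = path
	current
end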

#value_query(path) ⇒ Object



# File 'lib/rex/registry/hive.rb', line 88

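# Resolves a backslash-separated path whose last component is a value name
# and returns that value from the key named by the preceding components.
#
# Key and value names are compared case-insensitively throughout (the old
# code compared intermediate keys case-sensitively, which does not match
# how the rest of the lookup behaves). Empty components are ignored.
#
# @param path [String] e.g. "\\Microsoft\\Windows\\SomeValue"
# @return [ValueKey, nil] the matching value with +full_path+ set to +path+,
#   or nil when the path is empty, names only a key, any key component is
#   missing, the key has no values, or no value has that name. Always nil
#   on failure — never the children array the old fall-through returned.
def value_query(path)
	return nil if path == "" || path == "\\"
	return nil unless @root_key.lf_record

	components = path.split("\\").reject(&:empty?)
	# Need at least one key name plus the value name.
	return nil if components.length < 2

	value_name = components.last.downcase
	key_names = components[0...-1]

	current = @root_key
	key_names.each do |name|
		wanted = name.downcase
		children = current.lf_record && current.lf_record.children
		return nil unless children

		current = children.find { |child| child.name.downcase == wanted }
		return nil unless current
	end

	values = current.value_list && current.value_list.values
	return nil if values.nil? || values.empty?

	match = values.find { |value| value.name.downcase == value_name }
	return nil unless match

	match.full_path = path
	match
end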