Class: Rex::Registry::NodeKey

Inherits:

Object

• Object
• Rex::Registry::NodeKey

Defined in:

lib/rex/registry/nodekey.rb

Instance Attribute Summary

• #class_name_data ⇒ Object

  Returns the value of attribute class_name_data.

• #class_name_length ⇒ Object

  Returns the value of attribute class_name_length.

• #class_name_offset ⇒ Object

  Returns the value of attribute class_name_offset.

• #full_path ⇒ Object

  Returns the value of attribute full_path.

• #lf_record ⇒ Object

  Returns the value of attribute lf_record.

• #lf_record_offset ⇒ Object

  Returns the value of attribute lf_record_offset.

• #name ⇒ Object

  Returns the value of attribute name.

• #name_length ⇒ Object

  Returns the value of attribute name_length.

• #parent_offset ⇒ Object

  Returns the value of attribute parent_offset.

• #readable_timestamp ⇒ Object

  Returns the value of attribute readable_timestamp.

• #security_key_offset ⇒ Object

  Returns the value of attribute security_key_offset.

• #subkeys_count ⇒ Object

  Returns the value of attribute subkeys_count.

• #timestamp ⇒ Object

  Returns the value of attribute timestamp.

• #value_count ⇒ Object

  Returns the value of attribute value_count.

• #value_list ⇒ Object

  Returns the value of attribute value_list.

• #value_list_offset ⇒ Object

  Returns the value of attribute value_list_offset.

Instance Method Summary

• #initialize(hive, offset) ⇒ NodeKey constructor

  A new instance of NodeKey.

Constructor Details

#initialize(hive, offset) ⇒ NodeKey

Returns a new instance of NodeKey.

# File 'lib/rex/registry/nodekey.rb', line 15

def initialize(hive, offset)

  offset = offset + 0x04

  nk_header = hive[offset, 2]
  nk_type = hive[offset+0x02, 2]

  if nk_header !~ /nk/
    return
  end

  @timestamp = hive[offset+0x04, 8].unpack('Q').first
  @parent_offset = hive[offset+0x10, 4].unpack('V').first
  @subkeys_count = hive[offset+0x14, 4].unpack('V').first
  @lf_record_offset = hive[offset+0x1c, 4].unpack('V').first
  @value_count = hive[offset+0x24, 4].unpack('V').first
  @value_list_offset = hive[offset+0x28, 4].unpack('V').first
  @security_key_offset = hive[offset+0x2c, 4].unpack('V').first
  @class_name_offset = hive[offset+0x30, 4].unpack('V').first
  @name_length = hive[offset+0x48, 2].unpack('C').first
  @class_name_length = hive[offset+0x4a, 2].unpack('C').first
  @name = hive[offset+0x4c, @name_length].to_s

  windows_time = @timestamp
  unix_time = windows_time/10000000-11644473600
  ruby_time = Time.at(unix_time)

  @readable_timestamp = ruby_time

  @lf_record = LFBlock.new(hive, @lf_record_offset + 0x1000) if @lf_record_offset != -1
  @value_list = ValueList.new(hive, @value_list_offset + 0x1000, @value_count) if @value_list_offset != -1

  @class_name_data = hive[@class_name_offset + 0x04 + 0x1000, @class_name_length]

end

Instance Attribute Details

#class_name_data ⇒ Object

Returns the value of attribute class_name_data.

# File 'lib/rex/registry/nodekey.rb', line 13

def class_name_data
  @class_name_data
end

#class_name_length ⇒ Object

Returns the value of attribute class_name_length.

# File 'lib/rex/registry/nodekey.rb', line 12

def class_name_length
  @class_name_length
end

#class_name_offset ⇒ Object

Returns the value of attribute class_name_offset.

# File 'lib/rex/registry/nodekey.rb', line 12

def class_name_offset
  @class_name_offset
end

#full_path ⇒ Object

Returns the value of attribute full_path.

# File 'lib/rex/registry/nodekey.rb', line 12

def full_path
  @full_path
end

#lf_record ⇒ Object

Returns the value of attribute lf_record.

# File 'lib/rex/registry/nodekey.rb', line 13

def lf_record
  @lf_record
end

#lf_record_offset ⇒ Object

Returns the value of attribute lf_record_offset.

# File 'lib/rex/registry/nodekey.rb', line 10

def lf_record_offset
  @lf_record_offset
end

#name ⇒ Object

Returns the value of attribute name.

# File 'lib/rex/registry/nodekey.rb', line 13

def name
  @name
end

#name_length ⇒ Object

Returns the value of attribute name_length.

# File 'lib/rex/registry/nodekey.rb', line 12

def name_length
  @name_length
end

#parent_offset ⇒ Object

Returns the value of attribute parent_offset.

# File 'lib/rex/registry/nodekey.rb', line 10

def parent_offset
  @parent_offset
end

#readable_timestamp ⇒ Object

Returns the value of attribute readable_timestamp.

# File 'lib/rex/registry/nodekey.rb', line 13

def readable_timestamp
  @readable_timestamp
end

#security_key_offset ⇒ Object

Returns the value of attribute security_key_offset.

# File 'lib/rex/registry/nodekey.rb', line 11

def security_key_offset
  @security_key_offset
end

#subkeys_count ⇒ Object

Returns the value of attribute subkeys_count.

# File 'lib/rex/registry/nodekey.rb', line 10

def subkeys_count
  @subkeys_count
end

#timestamp ⇒ Object

Returns the value of attribute timestamp.

# File 'lib/rex/registry/nodekey.rb', line 10

def timestamp
  @timestamp
end

#value_count ⇒ Object

Returns the value of attribute value_count.

# File 'lib/rex/registry/nodekey.rb', line 11

def value_count
  @value_count
end

#value_list ⇒ Object

Returns the value of attribute value_list.

# File 'lib/rex/registry/nodekey.rb', line 13

def value_list
  @value_list
end

#value_list_offset ⇒ Object

Returns the value of attribute value_list_offset.

# File 'lib/rex/registry/nodekey.rb', line 11

def value_list_offset
  @value_list_offset
end