Class: Rex::Registry::Hive

Inherits:
Object
Defined in:
lib/rex/registry/hive.rb

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(hivepath) ⇒ Hive

Returns a new instance of Hive. The file at hivepath is read in full and parsed; if the REGF header has no root key offset, or the root key has no lf_record, the constructor returns early and hive_name/root_key stay nil, so callers should check root_key before querying.



# File 'lib/rex/registry/hive.rb', line 11

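def initialize(hivepath)
  # Use File.open, never Kernel#open / IO.read / File.read: those treat a
  # path beginning with "|" as a command to spawn, so a caller-supplied
  # hive path could run a shell command instead of opening a file.
  hive_blob = File.open(hivepath, "rb") { |io| io.read }

  # The hive bytes are untrusted (typically pulled off a target host); the
  # parsers below are expected to bounds-check their own reads. If the
  # header or the root key cannot be parsed, bail out and leave the
  # remaining attributes nil - callers should check root_key before
  # querying.
  @hive_regf = RegfBlock.new(hive_blob)
  return unless @hive_regf.root_key_offset

  # The header's root key offset is relative to a base 0x1000 bytes into
  # the file (format-defined header size; not verified here).
  @root_key = NodeKey.new(hive_blob, 0x1000 + @hive_regf.root_key_offset)
  return unless @root_key.lf_record

  # Classify the hive from the names of its root subkeys. Order matters:
  # the first signature present wins. This is a heuristic over
  # attacker-influenced content, so hive_name is informational only and
  # must not drive any trust decision.
  root_names = @root_key.lf_record.children.map(&:name)
  signatures = [
    ["LastKnownGoodRecovery", "SYSTEM"],
    ["Microsoft", "SOFTWARE"],
    ["Environment", "NTUSER.DAT"],
    ["SAM", "SAM"],
    ["Policy", "SECURITY"]
  ]
  hit = signatures.find { |subkey, _name| root_names.include?(subkey) }
  @hive_name = hit ? hit[1] : "UNKNOWN"
end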

Instance Attribute Details

#hive_name ⇒ Object

Returns the hive name guessed from the root subkeys ("SYSTEM", "SOFTWARE", "NTUSER.DAT", "SAM", "SECURITY" or "UNKNOWN"); nil if the constructor could not parse the hive.



# File 'lib/rex/registry/hive.rb', line 9

# Name guessed for this hive from the names of its root subkeys
# ("SYSTEM", "SOFTWARE", "NTUSER.DAT", "SAM", "SECURITY" or "UNKNOWN").
# nil when the constructor bailed out before classifying the blob. The
# guess is driven by hive content, so treat it as informational only.
def hive_name
  @hive_name
end

#hive_regf ⇒ Object

Returns the parsed REGF header block (a RegfBlock built from the raw hive bytes); its root_key_offset is used to locate the root key.



# File 'lib/rex/registry/hive.rb', line 9

# The parsed REGF header block (RegfBlock) built from the raw hive bytes.
# Its root_key_offset is what the constructor uses to locate the root key.
def hive_regf
  @hive_regf
end

#root_key ⇒ Object

Returns the root NodeKey of the hive; nil if the REGF header carried no root key offset.



# File 'lib/rex/registry/hive.rb', line 9

# NodeKey for the hive's root key, located 0x1000 bytes past the offset
# recorded in the REGF header. nil when the header had no root key
# offset; query methods cannot resolve anything in that case.
def root_key
  @root_key
end

Instance Method Details

#relative_query(path) ⇒ Object



# File 'lib/rex/registry/hive.rb', line 42

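# Resolve a backslash-separated key path (e.g. "\\ControlSet001\\Services")
# to its NodeKey, walking down from the root key.
#
# @param path [String] key path; must begin with a backslash (the empty
#   element in front of it is discarded). "" and "\\" name the root key.
# @return [NodeKey, nil] the matching key, with full_path set to path, or
#   nil if any component is missing or the hive has no parsed root key.
def relative_query(path)
  return @root_key if path == "" || path == "\\"

  # No parsed root (constructor bailed out) means nothing can be resolved.
  return if !@root_key || !@root_key.lf_record

  components = path.split("\\")
  # "\\Foo\\Bar" splits into ["", "Foo", "Bar"]; anything shorter has no
  # leading backslash or no key name and cannot be resolved.
  return if components.length < 2

  current = @root_key
  components[1..-1].each do |component|
    record = current.lf_record
    # A key without subkeys cannot satisfy further path components.
    return if !record || !record.children

    # Key names are compared case-insensitively, as the registry does.
    wanted = component.downcase
    current = record.children.find { |child| child.name.downcase == wanted }
    # A missing component is a miss for the whole path; never fall back to
    # the last matched ancestor, which would report the wrong key.
    return if current.nil?
  end

  # full_path is stored on the shared node, so later queries overwrite it.
  current.full_path = path
  current
end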

#value_query(path) ⇒ Object



# File 'lib/rex/registry/hive.rb', line 88

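# Resolve a backslash-separated path whose last component is a value name
# (e.g. "\\Select\\Current") to the value record under the named key.
#
# @param path [String] must begin with a backslash and contain at least one
#   key name followed by the value name; values directly under the root key
#   are not supported and yield nil.
# @return [Object, nil] the value record, with full_path set to path, or nil
#   if the key path or the value does not exist or the hive has no root key.
def value_query(path)
  return nil if path == "" || path == "\\"

  # No parsed root (constructor bailed out) means nothing can be resolved.
  return nil if !@root_key || !@root_key.lf_record

  components = path.split("\\")
  # "\\Key\\Value" splits into ["", "Key", "Value"]: element 0 is the empty
  # string before the leading backslash, the last element is the value name.
  return nil if components.length < 3

  key_names = components[1..-2]
  value_name = components[-1].downcase

  # Walk only the key components; the final component is a value name and
  # must not be matched against subkeys (a key and a value may share a name).
  current = @root_key
  key_names.each do |key_name|
    record = current.lf_record
    return nil if !record || !record.children

    # Key names are compared case-insensitively, as the registry does.
    wanted = key_name.downcase
    current = record.children.find { |child| child.name.downcase == wanted }
    # A missing key is a miss for the whole path; do not stop at an ancestor.
    return nil if current.nil?
  end

  return nil if !current.value_list
  values = current.value_list.values
  return nil if !values || values.empty?

  # to_s guards a value whose name is nil (the default value's naming is
  # not confirmed here).
  value = values.find { |v| v.name.to_s.downcase == value_name }
  return nil if value.nil?

  value.full_path = path
  value
end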