Sha256: 707a8afd53d1af6b24ee816a21f41419681df3f950adc6744b2a709c5bdd94b6

Contents?: true

Size: 1.55 KB

Versions: 2

Compression:

Stored size: 1.55 KB

Contents

# -*- coding: binary -*-
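module Rex
module Registry

# Parses a single "vk" (value key) record out of a raw registry hive string.
#
# Every offset and length used here is read from the hive itself, so a
# damaged or deliberately malformed hive controls them. Callers should treat
# the resulting attributes as untrusted; they stay nil when the record could
# not be parsed.
class ValueKey

	# Number of bytes in the fixed part of a vk record: signature, name
	# length, data size, data offset, value type, flags and two spare bytes.
	# The value name starts immediately after it (offset 0x14).
	HEADER_SIZE = 0x14

	# Human-readable labels for the value types this parser knows about.
	READABLE_VALUE_TYPES = {
		1 => "Unicode character string",
		2 => "Unicode string with %VAR% expanding",
		3 => "Raw binary value",
		4 => "Dword",
		7 => "Multiple unicode strings separated with '\\x00'"
	}.freeze

	attr_accessor :name_length, :length_of_data, :data_offset, :full_path
	attr_accessor :value_type, :readable_value_type, :name, :value

	# @param hive [String] raw bytes of the registry hive
	# @param offset [Integer] position of the cell holding the vk record; the
	#   4 bytes at that position are skipped before the "vk" signature is read
	def initialize(hive, offset)
		offset = offset + 4

		header = hive[offset, HEADER_SIZE]

		# Plain comparison instead of a regexp: a short or missing slice is
		# rejected the same way as a wrong signature.
		if header.nil? || header[0, 2] != 'vk'
			puts "no vk at offset #{offset}"
			return
		end

		# A hive that ends inside the fixed header would otherwise fail later
		# with NoMethodError on nil, or leave half-parsed fields behind.
		if header.length < HEADER_SIZE
			puts "truncated vk at offset #{offset}"
			return
		end

		# The name length occupies two bytes. Reading it as one signed byte
		# ('c') made lengths of 128..255 negative and cut larger ones down to
		# their low byte, so long value names came back empty or shortened.
		@name_length = header[0x02, 2].unpack('v').first

		# Kept signed on purpose: ValueKeyData treats any size below 5,
		# including negative ones, as "data stored inline".
		# NOTE(review): 'l' is native-endian; hives are presumably
		# little-endian - confirm before running on a big-endian host.
		@length_of_data = header[0x04, 4].unpack('l').first
		@data_offset = header[0x08, 4].unpack('l').first

		# The type field is four bytes wide; read all of it rather than only
		# the low byte as a signed char.
		@value_type = header[0x0C, 4].unpack('V').first
		@readable_value_type = READABLE_VALUE_TYPES[@value_type]

		# Only the low byte of the two-byte flags field is inspected.
		# NOTE(review): a zero flag is taken to mean the unnamed default
		# value - confirm against hives containing non-ASCII value names.
		flag = header[0x10, 2].unpack('c').first

		if flag == 0
			@name = "Default"
		else
			@name = hive[offset + HEADER_SIZE, @name_length].to_s
		end

		@value = ValueKeyData.new(hive, @data_offset, @length_of_data, @value_type, offset)
	end
end

# Holds the raw data bytes that belong to a ValueKey.
class ValueKeyData

	attr_accessor :data

	# @param hive [String] raw bytes of the registry hive
	# @param offset [Integer] data offset taken from the vk record
	# @param length [Integer] data size taken from the vk record
	# @param datatype [Integer] value type of the parent record (not used here)
	# @param parent_offset [Integer] position of the parent record's "vk"
	#   signature inside the hive
	def initialize(hive, offset, length, datatype, parent_offset)
		# If the data size is lower than 5, the data-offset field of the
		# parent record (at +0x08) stores the data itself.
		if length < 5
			@data = hive[parent_offset + 0x08, 4]
		else
			# Skip the 4 leading bytes of the data cell and add 0x1000 to
			# turn the stored offset into a position in the hive string.
			position = offset + 4 + 0x1000

			# A negative position would make String#[] count from the end of
			# the hive and return unrelated bytes; report "no data" instead.
			@data = position < 0 ? nil : hive[position, length]
		end
	end
end

end
end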

Version data entries

2 entries across 2 versions & 1 rubygems

Version Path
librex-0.0.68 lib/rex/registry/valuekey.rb
librex-0.0.66 lib/rex/registry/valuekey.rb