Sha256: f06525120365e3303f54c3e19885b666cf8099f694f0560ef5f0c1a93c8b7b28

Contents?: true

Size: 1.64 KB

Versions: 1

Compression:

Stored size: 1.64 KB

Contents

# -*- coding: binary -*-
module Rex
module Registry

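# Parses one "vk" (value key) record out of a registry hive held in memory as
# a binary String and exposes the decoded header fields as attributes.
#
# Every field is taken straight from the hive bytes. Lengths and offsets are
# not validated here, so a corrupt or hostile hive can yield out-of-range
# values; consumers should treat the attributes as untrusted data.
class ValueKey

  attr_accessor :name_length, :length_of_data, :data_offset, :full_path
  attr_accessor :value_type, :readable_value_type, :name, :value

  # hive   - String holding the raw hive contents.
  # offset - Integer position of the record; 4 is added before any read
  #          (presumably to step over a 4-byte cell size field; confirm
  #          against the caller).
  #
  # When the two bytes at the adjusted offset do not contain "vk", a message
  # is printed and the constructor returns early, leaving every attribute nil.
  def initialize(hive, offset)
    offset = offset + 4

    vk_header = hive[offset, 2]

    if vk_header !~ /vk/
      puts "no vk at offset #{offset}"
      return
    end

    # NOTE(review): a hive that ends shortly after the signature makes the
    # reads below return nil, and the unpack call then raises NoMethodError.

    # The name length occupies two bytes, so decode all 16 bits as unsigned.
    # Decoding a single signed byte turned lengths of 128..255 negative
    # (giving an empty name) and truncated anything longer.
    @name_length = hive[offset + 0x02, 2].unpack('v').first

    # Kept as signed 32-bit reads: ValueKeyData compares the length with 5,
    # so a size with the high bit set (negative here) takes its inline-data
    # branch. 'l' is native-endian, which matches the hive layout only on
    # little-endian hosts.
    @length_of_data = hive[offset + 0x04, 4].unpack('l').first
    @data_offset = hive[offset + 0x08, 4].unpack('l').first

    # The type field is four bytes wide; decode it whole rather than only
    # its first byte.
    @value_type = hive[offset + 0x0C, 4].unpack('V').first

    # Types without an entry here leave readable_value_type nil.
    @readable_value_type =
      case @value_type
      when 1 then "Unicode character string"
      when 2 then "Unicode string with %VAR% expanding"
      when 3 then "Raw binary value"
      when 4 then "Dword"
      when 7 then "Multiple unicode strings separated with '\\x00'"
      end

    # Two-byte flags field, decoded whole for the same reason as the length.
    flag = hive[offset + 0x10, 2].unpack('v').first

    # A zero flags field is treated as the unnamed ("Default") value;
    # otherwise the name follows the fixed-size header at +0x14.
    @name = flag == 0 ? "Default" : hive[offset + 0x14, @name_length].to_s

    @value = ValueKeyData.new(hive, @data_offset, @length_of_data, @value_type, offset)
  end
end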

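# Holds the raw bytes of a registry value, sliced out of the hive String.
class ValueKeyData

  attr_accessor :data

  # hive          - String holding the raw hive contents.
  # offset        - Integer data offset taken from the value key record.
  # length        - Integer data length taken from the value key record.
  # datatype      - accepted for interface compatibility; not used here.
  # parent_offset - Integer position of the owning value key record, as
  #                 already adjusted by the caller.
  #
  # data is nil when the computed position lies outside the hive.
  def initialize(hive, offset, length, datatype, parent_offset)
    # If the data size is lower than 5, the data-offset field of the parent
    # record stores the data itself, so read those four bytes back.
    if length < 5
      @data = hive[parent_offset + 0x08, 4]
    else
      # +4 and +0x1000 presumably step over the cell size field and the hive
      # header respectively; confirm against the hive layout.
      start = offset + 4 + 0x1000

      # offset comes from the hive and may be negative. String#[] would
      # count a negative start from the end of the buffer and return
      # unrelated bytes, so treat it like any other out-of-range position.
      @data = start < 0 ? nil : hive[start, length]
    end
  end
end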

end
end

Version data entries

1 entries across 1 versions & 1 rubygems

Version Path
librex-0.0.70 lib/rex/registry/valuekey.rb