def _parse_dirt_block(hive_path, transaction_log, hbins_data_size):
    """Begin recovery from an old-format (DIRT) transaction log.

    The visible part loads the primary hive into memory, checks the log's
    DIRT signature, reads the dirty-page bitmap and starts walking it bit by
    bit. The listing stops inside the loop, so the code that uses the
    collected offsets and the return statement are not shown here.

    Args:
        hive_path: Path of the primary hive file; it is read in full.
        transaction_log: Stream positioned at the DIRT signature; only
            ``read()`` is called on it in the visible lines.
        hbins_data_size: Size of the hive bins data; divided by 4096 to get
            the bitmap length in bytes.

    Raises:
        RegistryRecoveryException: If the first four bytes of the log are not
            ``b'DIRT'``.
    """
    # The whole primary hive is copied into an in-memory buffer. The file
    # object is not closed explicitly here (no "with" block).
    restored_hive_buffer = BytesIO(open(hive_path, 'rb').read())
    recovered_dirty_pages_count = 0
    # One bitmap byte per 4096 bytes of hive bins data; each bit is treated as
    # one 512-byte unit below (8 * 512 = 4096).
    # NOTE(review): the caller fragment later in this listing takes
    # hbins_data_size from the hive header, so the value is file-controlled;
    # no upper bound is checked in the visible lines.
    dirty_vector_length = hbins_data_size // 4096
    # Reject the log early when the signature does not match.
    if transaction_log.read(4) != b'DIRT':
        raise RegistryRecoveryException('Expected DIRT signature!')
    # NOTE(review): fixed at 1024 although the formula in the trailing comment
    # depends on dirty_vector_length - confirm which one is intended.
    log_file_base = 1024 # 512 + len(b'DIRT') + dirty_vector_length
    # Offsets into the primary file start after its first 4096 bytes.
    primary_file_base = 4096
    # NOTE(review): if the log holds fewer than dirty_vector_length bytes at
    # this point, a file-like read() returns a short bitmap and the indexing in
    # the loop raises IndexError rather than RegistryRecoveryException -
    # confirm transaction_log's read() semantics and consider a length check.
    bitmap = transaction_log.read(dirty_vector_length)
    bit_counter = 0
    # Not used in the visible part of the loop.
    bitmap_offset = 0
    # Tuples of offset in primary and offset in transaction log
    offsets = []
    while bit_counter < dirty_vector_length * 8:
        # Bits are tested least-significant first within each bitmap byte.
        is_bit_set = ((bitmap[bit_counter // 8] >> (bit_counter % 8)) & 1) != 0
        if is_bit_set:
            # We skip the basic block for the offsets
            registry_offset = primary_file_base + (bit_counter * 512)
            # NOTE(review): the listing ends here; the rest of the loop body
            # (presumably including the bit_counter increment) and the
            # function's return are not shown.
# Fragment of a caller of the two block parsers: its "def" line and the
# definitions of hive_path, registry_hive, log_size and
# expected_sequence_number are outside this listing.
# Read the header of the transaction log vector and determine its type
# boomerang_stream is defined elsewhere; presumably it rewinds the stream on
# exit, since _parse_dirt_block reads the signature again - confirm.
with boomerang_stream(transaction_log) as s:
    magic = s.read(4)
# Indentation was lost in this listing; the dispatch is placed after the
# "with" block on the assumption stated above.
if magic == HVLE_TRANSACTION_LOG_MAGIC:
    # This is an HvLE block
    restored_hive_buffer, recovered_dirty_pages_count = _parse_hvle_block(hive_path, transaction_log, log_size,
                                                                          expected_sequence_number)
elif magic == DIRT_TRANSACTION_LOG_MAGIC:
    # This is an old transaction log - DIRT
    # The bitmap length used by _parse_dirt_block is derived from this header
    # field, which is passed on without a range check in the visible lines.
    hbins_data_size = registry_hive.header.hive_bins_data_size
    restored_hive_buffer, recovered_dirty_pages_count = _parse_dirt_block(hive_path, transaction_log,
                                                                          hbins_data_size)
else:
    # Unknown magic: stop instead of guessing a format; the raw bytes read
    # from the log are included in the message.
    raise RegistryRecoveryException(f'The transaction log vector magic was not expected: {magic}')
# Hand back the pair produced by whichever parser ran.
return restored_hive_buffer, recovered_dirty_pages_count