How to use the regipy.registry.NKRecord function in regipy

To help you get started, we’ve selected a few regipy examples, based on popular ways it is used in public projects.


def test_parse_root_key(ntuser_hive):
    registry_hive = RegistryHive(ntuser_hive)

    assert isinstance(registry_hive, RegistryHive)
    assert isinstance(registry_hive.root, NKRecord)
    assert registry_hive.root.name == 'CMI-CreateHive{6A1C4018-979D-4291-A7DC-7AED1C75B67C}'
    assert registry_hive.root.subkey_count == 11
    assert dict(registry_hive.root.header) == {
        'access_bits': b'\x00\x00\x00\x00',
        'class_name_offset': 4294967295,
        'class_name_size': 0,
        'flags': {
            'KEY_COMP_NAME': True,
            'KEY_HIVE_ENTRY': True,
            'KEY_HIVE_EXIT': False,
            'KEY_NO_DELETE': True,
            'KEY_PREDEF_HANDLE': False,
            'KEY_SYM_LINK': False,
            'KEY_VOLATILE': False
        },
        'key_name_size': 52,
if signature in [HASH_LEAF_SIGNATURE, FAST_LEAF_SIGNATURE]:
            subkeys = LF_LH_SK_ELEMENT.parse_stream(stream)
        elif signature == LEAF_INDEX_SIGNATURE:
            subkeys = INDEX_LEAF.parse_stream(stream)
        else:
            raise RegistryParsingException(f'Expected a known signature, got: {signature} at offset {stream.tell()}')

        for subkey in subkeys.elements:
            stream.seek(REGF_HEADER_SIZE + subkey.key_node_offset)

            # This cell should always be allocated, therefor we expect a negative size
            cell_size = Int32sl.parse_stream(stream) * -1

            # We read to this offset and skip 2 bytes, because that is the cell size we just read
            nk_cell = Cell(cell_type='nk', offset=stream.tell() + 2, size=cell_size)
            nk_record = NKRecord(cell=nk_cell, stream=stream)
            yield nk_record
this is actually a HKCU hive, starting from HKCU/Software
        """

        self.partial_hive_path = None
        self.hive_type = None

        with open(hive_path, 'rb') as f:
            self._stream = BytesIO(f.read())

        with boomerang_stream(self._stream) as s:
            self.header = REGF_HEADER.parse_stream(s)

            # Get the first cell in root HBin, which is the root NKRecord:
            root_hbin = self.get_hbin_at_offset()
            root_hbin_cell = next(root_hbin.iter_cells(s))
            self.root = NKRecord(root_hbin_cell, s)
        self.name = self.header.file_name

        if hive_type:
            if hive_type.lower() in SUPPORTED_HIVE_TYPES:
                self.hive_type = hive_type
            else:
                raise UnidentifiedHiveException(f'{hive_type} is not a supported hive type: '
                                                f'only the following are supported: {SUPPORTED_HIVE_TYPES}')
        else:
            try:
                self.hive_type = identify_hive_type(self.name)
            except UnidentifiedHiveException:
                logger.info(f'Hive type for {hive_path} was not identified: {self.name}')

        if partial_hive_path:
            self.partial_hive_path = partial_hive_path
def get_key(self, key_name):
        if not self.subkey_count:
            raise NoRegistrySubkeysException('No subkeys for {}'.format(self.header.key_name_string))

        for subkey in self.iter_subkeys():
            # This should not happen
            if not isinstance(subkey, NKRecord):
                raise RegipyGeneralException(f'Unknown record type: {subkey}')

            if subkey.name.upper() == key_name.upper():
                return subkey