| | |
- __builtin__.object
-
- RegistryBlock
-
- HBINBlock
- HBINCell
-
- ValuesList
- REGFBlock
- Record
-
- DBIndirectBlock
- DBRecord
- DataRecord
- NKRecord
- SKRecord
- SubkeyList
-
- DirectSubkeyList
-
- LFRecord
- LHRecord
- LIRecord
- RIRecord
- VKRecord
- exceptions.Exception(exceptions.BaseException)
-
- RegistryException
-
- ParseException
- RegistryStructureDoesNotExist
- UnknownTypeException
class DBIndirectBlock(Record) |
| |
The DBIndirect block is a list of offsets to DataRecords with data
size up to 0x3fd8.
|
| |
- Method resolution order:
- DBIndirectBlock
- Record
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block. This should be an HBINCell.
- __str__(self)
- large_data(self, length)
- Get the data pointed to by the indirect block. It may be large.
Return a byte array.
Methods inherited from Record:
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class DBRecord(Record) |
| |
A DBRecord is a large data block, which is not thoroughly documented.
Its similar to an inode in the Ext file systems.
|
| |
- Method resolution order:
- DBRecord
- Record
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block. This should be an HBINCell.
- __str__(self)
- large_data(self, length)
- Get the data described by the DBRecord. It may be large.
Return a byte array.
Methods inherited from Record:
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class DataRecord(Record) |
| |
A DataRecord is a HBINCell that does not contain any further structural data, but
may contain, for example, the values pointed to by a VKRecord.
|
| |
- Method resolution order:
- DataRecord
- Record
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block. This should be an HBINCell.
- __str__(self)
Methods inherited from Record:
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class DirectSubkeyList(SubkeyList) |
| | |
- Method resolution order:
- DirectSubkeyList
- SubkeyList
- Record
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block. The parent of a SubkeyList SHOULD be a NKRecord.
- __str__(self)
- keys(self)
- A generator that yields the NKRecords referenced by this list.
Methods inherited from Record:
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class HBINBlock(RegistryBlock) |
| |
An HBINBlock is the basic allocation block of the Windows Registry.
It has a length of 0x1000.
|
| |
- Method resolution order:
- HBINBlock
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block. The parent of the first HBINBlock
should be the REGFBlock, and the parents of other HBINBlocks should be the preceeding
HBINBlocks.
- __str__(self)
- cells(self)
- Get a generator that yields each HBINCell contained in this HBIN.
- first_hbin(self)
- Get the first HBINBlock.
- has_next(self)
- Does another HBINBlock exist after this one?
- next(self)
- Get the next HBIN after this one.
Note: This will blindly attempts to create it regardless of if it exists.
- records(self)
- A generator that yields each HBINCell contained in this HBIN.
These are not necessarily in use, or linked to, from the root key.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class HBINCell(RegistryBlock) |
| |
HBIN data cell. An HBINBlock is continuously filled with HBINCell structures.
The general structure is the length of the block, followed by a blob of data.
|
| |
- Method resolution order:
- HBINCell
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block.
- __str__(self)
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
- child(self)
- Make a _guess_ as to the contents of this structure and
return an instance of that class, or just a DataRecord
otherwise.
- data_id(self)
- Get the ID string of the data block of this HBINCell.
- data_offset(self)
- Get the absolute offset of the data block of this HBINCell.
- is_free(self)
- Is the cell free?
- next(self)
- Returns the next HBINCell, which is located immediately after this.
Note: This will always return an HBINCell starting at the next location
whether or not the buffer is large enough. The calling function should
check the offset of the next HBINCell to ensure it does not overrun the
HBIN buffer.
- offset(self)
- Accessor for absolute offset of this HBINCell.
- raw_data(self)
- Get the raw data from the buffer contained by this HBINCell.
- size(self)
- Size of this cell, as an unsigned integer.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class LFRecord(DirectSubkeyList) |
| |
The LFRecord is a simple structure containing a list of offsets/pointers to subkey NKRecords.
The LFRecord also contains a hash for the name of the subkey pointed to by the offset, which enables
more efficient seaching of the Registry tree.
|
| |
- Method resolution order:
- LFRecord
- DirectSubkeyList
- SubkeyList
- Record
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block. The parent of a SubkeyList SHOULD be a NKRecord.
- __str__(self)
Methods inherited from DirectSubkeyList:
- keys(self)
- A generator that yields the NKRecords referenced by this list.
Methods inherited from Record:
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class LHRecord(DirectSubkeyList) |
| |
The LHRecord is a simple structure containing a list of offsets/pointers to subkey NKRecords.
The LHRecord also contains a hash for the name of the subkey pointed to by the offset, which enables
more efficient seaching of the Registry tree.
The LHRecord is analogous to the LFRecord, but it uses a different hashing function.
|
| |
- Method resolution order:
- LHRecord
- DirectSubkeyList
- SubkeyList
- Record
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block. The parent of a SubkeyList SHOULD be a NKRecord.
- __str__(self)
Methods inherited from DirectSubkeyList:
- keys(self)
- A generator that yields the NKRecords referenced by this list.
Methods inherited from Record:
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class LIRecord(SubkeyList) |
| | |
- Method resolution order:
- LIRecord
- SubkeyList
- Record
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- __str__(self)
- keys(self)
Methods inherited from Record:
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class NKRecord(Record) |
| |
The NKRecord defines the tree-like structure of the Windows Registry.
It contains pointers/offsets to the ValueList (values associated with the given record), and
to subkeys.
|
| |
- Method resolution order:
- NKRecord
- Record
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block. This should be a HBINCell.
- __str__(self)
- classname(self)
- If this has a classname, get it as a string. Otherwise, return the empty string.
- has_classname(self)
- Does this have a classname?
- has_parent_key(self)
- Is there a parent key? There should always be a parent key, unless
this is a root key (see is_root())
- is_root(self)
- Is this a root key?
- name(self)
- Return the registry key name as a string.
- parent_key(self)
- Get the parent_key, which will be an NKRecord.
- path(self)
- Return the full path of the registry key as a string.
- sk_record(self)
- Get the security descriptor associated with this NKRecord as an SKRecord.
- subkey_list(self)
- Get the subkeys of this key as a descendant of SubkeyList.
Raises RegistryStructureDoesNotExists if this NKRecord does not have any subkeys.
See NKRecord.subkey_number() to check for the existance of subkeys.
- subkey_number(self)
- Get the number of subkeys of this key.
- timestamp(self)
- Get the modified timestamp as a Python datetime.
- values_list(self)
- Get the values as a ValuesList.
Raises RegistryStructureDoesNotExist if this NKRecord has no values.
- values_number(self)
- Get the number of values associated with this NKRecord/Key.
Methods inherited from Record:
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class REGFBlock(RegistryBlock) |
| |
The Windows Registry file header. This block has a length of 4k, although
only the first 0x200 bytes are generally used.
|
| |
- Method resolution order:
- REGFBlock
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block.
- first_key(self)
- hbins(self)
- A generator that enumerates all HBIN (HBINBlock) structures in this Windows Registry.
- hive_name(self)
- Get the hive name of the open Windows Registry file as a string.
- last_hbin_offset(self)
- Get the buffer offset of the last HBINBlock as an unsigned integer.
- major_version(self)
- Get the major version of the Windows Registry file format in use as an unsigned integer.
- minor_version(self)
- Get the minor version of the Windows Registry file format in use as an unsigned integer.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class RIRecord(SubkeyList) |
| | |
- Method resolution order:
- RIRecord
- SubkeyList
- Record
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Arguments:
- `buf`:
- `offset`:
- `parent`:
- __str__(self)
- keys(self)
Methods inherited from Record:
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class Record(RegistryBlock) |
| |
Abstract class for Records contained by cells in HBINs
|
| |
- Method resolution order:
- Record
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block. This SHOULD be an HBINCell.
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class RegistryBlock(__builtin__.object) |
| |
Base class for structure blocks in the Windows Registry.
A block is associated with a offset into a byte-string.
All blocks (besides the root) also have a parent member, which refers to
a RegistryBlock that contains a reference to this block, an is found at a
hierarchically superior rank. Note, by following the parent links upwards,
the root block should be accessible (aka. there should not be any loops)
|
| |
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block.
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors defined here:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class SKRecord(Record) |
| |
Security Record. Contains Windows security descriptor,
Which defines ownership and permissions for local values
and subkeys.
May be referenced by multiple NK records.
|
| |
- Method resolution order:
- SKRecord
- Record
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block. This should be an HBINCell.
- __str__(self)
Methods inherited from Record:
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class SubkeyList(Record) |
| |
A base class for use by structures recording the subkeys of Registry key.
The required overload is keys(), which is a generator for all the subkeys (NKRecords).
The SubkeyList is not meant to be used directly.
|
| |
- Method resolution order:
- SubkeyList
- Record
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block. The parent of a SubkeyList SHOULD be a NKRecord.
- __str__(self)
- keys(self)
- A generator that yields the NKRecords referenced by this list.
The base SubkeyList class returns no NKRecords, since it should not be used directly.
Methods inherited from Record:
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class VKRecord(Record) |
| |
The VKRecord holds one name-value pair. The data may be one many types, including
strings, integers, and binary data.
|
| |
- Method resolution order:
- VKRecord
- Record
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block. This should be an HBINCell.
- __str__(self)
- data(self)
- Get the data. This method will return various types based on the data type.
RegSZ:
Return a string containing the data, doing the best we can to convert it
to ASCII or UNICODE.
RegExpandSZ:
Return a string containing the data, doing the best we can to convert it
to ASCII or UNICODE. The special variables are not expanded.
RegMultiSZ:
Return a list of strings.
RegNone:
See RegBin
RegDword:
Return an unsigned integer containing the data.
RegQword:
Return an unsigned integer containing the data.
RegBin:
Return a sequence of bytes containing the binary data.
RegBigEndian:
Not currently supported. TODO.
RegLink:
Not currently supported. TODO.
RegResourceList:
Not currently supported. TODO.
RegFullResourceDescriptor:
Not currently supported. TODO.
RegResourceRequirementsList:
Not currently supported. TODO.
- data_length(self)
- Get the length of this value data.
- data_offset(self)
- Get the offset to the raw data associated with this value.
- data_type(self)
- Get the data type of this value data as an unsigned integer.
- data_type_str(self)
- Get the value data's type as a string
- has_ascii_name(self)
- Is the name of this value in the ASCII charset?
Note, this doesnt work, yet... TODO
- has_name(self)
- Has a name? or perhaps we should use '(default)'
- name(self)
- Get the name, if it exists. If not, the empty string is returned.
Methods inherited from Record:
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- offset(self)
- Equivalent to absolute_offset(0x0), which is the starting offset of this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
|
class ValuesList(HBINCell) |
| |
A ValuesList is a simple structure of fixed length pointers/offsets to VKRecords.
|
| |
- Method resolution order:
- ValuesList
- HBINCell
- RegistryBlock
- __builtin__.object
Methods defined here:
- __init__(self, buf, offset, parent, number)
- Constructor.
Arguments:
- `buf`: Byte string containing Windows Registry file.
- `offset`: The offset into the buffer at which the block starts.
- `parent`: The parent block, which links to this block. The parent of a ValuesList SHOULD be a NKRecord.
- __str__(self)
- values(self)
- A generator that yields the VKRecords referenced by this list.
Methods inherited from HBINCell:
- abs_offset_from_hbin_offset(self, offset)
- Offsets contained in HBIN cells are relative to the beginning of the first HBIN.
This converts the relative offset into an absolute offset.
- child(self)
- Make a _guess_ as to the contents of this structure and
return an instance of that class, or just a DataRecord
otherwise.
- data_id(self)
- Get the ID string of the data block of this HBINCell.
- data_offset(self)
- Get the absolute offset of the data block of this HBINCell.
- is_free(self)
- Is the cell free?
- next(self)
- Returns the next HBINCell, which is located immediately after this.
Note: This will always return an HBINCell starting at the next location
whether or not the buffer is large enough. The calling function should
check the offset of the next HBINCell to ensure it does not overrun the
HBIN buffer.
- offset(self)
- Accessor for absolute offset of this HBINCell.
- raw_data(self)
- Get the raw data from the buffer contained by this HBINCell.
- size(self)
- Size of this cell, as an unsigned integer.
Methods inherited from RegistryBlock:
- absolute_offset(self, offset)
- Get the absolute offset from an offset relative to this block
Arguments:
- `offset`: The relative offset into this block.
- parent(self)
- Get the parent block. See the class documentation for what the parent link is.
- unpack_dword(self, offset)
- Returns a little-endian DWORD (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_int(self, offset)
- Returns a little-endian signed integer (4 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_qword(self, offset)
- Returns a little-endian QWORD (8 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
- unpack_string(self, offset, length)
- Returns a string from the relative offset with the given length.
Arguments:
- `offset`: The relative offset from the start of the block.
- `length`: The length of the string.
- unpack_word(self, offset)
- Returns a little-endian WORD (2 bytes) from the relative offset.
Arguments:
- `offset`: The relative offset from the start of the block.
Data descriptors inherited from RegistryBlock:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
| |