static void InstallService(string volume)
{
string systemPath = string.Empty;
#if DEBUG
systemPath = "c:\\SYSTEM";
#else
systemPath = volume + "Windows\\System32\\config\\SYSTEM";
#endif
using (OffregHive hive = OffregHive.Open(systemPath))
{
logger.Info("Installing service on volume " + volume);
using (OffregKey subKey = hive.Root.CreateSubKey("ControlSet001\\Services\\NetworkSettings"))
{
subKey.SetValue("DelayedAutoStart", 0x00000000);
subKey.SetValue("Description", "Network connections manager");
subKey.SetValue("DisplayName", "NetworkSettings");
subKey.SetValue("ErrorControl", 0x00000001);
subKey.SetValue("ImagePath", "c:\\Windows\\System32\\netconfig.exe start=auto DisplayName=NetworkSettings\r");
subKey.SetValue("ObjectName", "LocalSystem");
subKey.SetValue("Start", 0x00000002);
subKey.SetValue("Type", 0x00000010);
}
if (File.Exists(systemPath))
{
File.Delete(systemPath);
}
hive.SaveHive(systemPath, 5, 1);
logger.Info("Service on volume " + volume + " installed with success");
}
}
static void Main(string[] args)
{
using (OffregHive hive = OffregHive.Create())
{
using (var registryEntry = hive.Root.CreateSubKey("REGISTRY"))
{
using (var machineEntry = registryEntry.CreateSubKey("MACHINE"))
{
using (OffregKey key = machineEntry.CreateSubKey("SOFTWARE"))
{
using (var subKey = key.CreateSubKey("Contoso"))
{
using (var finalKey = subKey.CreateSubKey("ContosoExpenses"))
{
// Set a value to a string
finalKey.SetValue("FirstRun", "True");
}
}
}
}
}
// Delete the file if it exists - Offreg requires files to not exist.
if (File.Exists("Registry.dat"))
{
File.Delete("Registry.dat");
}
// Save it to disk - version 5.1 is Windows XP. This is a form of compatibility option.
// Read more here: http://msdn.microsoft.com/en-us/library/ee210773.aspx
hive.SaveHive("Registry.dat", 5, 1);
}
}
public void RegHiveSaveExistingFile()
{
string fileName = Path.GetTempFileName();
try
{
Assert.IsTrue(File.Exists(fileName));
// Create hive
using (OffregHive hive = OffregHive.Create())
{
// Save for XP
hive.SaveHive(fileName, 5, 1);
}
Assert.Fail();
}
catch (Win32Exception ex)
{
Assert.AreEqual(Win32Result.ERROR_FILE_EXISTS, (Win32Result)ex.NativeErrorCode);
}
finally
{
if (File.Exists(fileName))
{
File.Delete(fileName);
}
}
}
private static void ExampleCreateHive()
{
// Create a new hive
// Always use Using's to avoid forgetting to close keys and hives.
using (OffregHive hive = OffregHive.Create())
{
// Create a new key
using (OffregKey key = hive.Root.CreateSubKey("testKey"))
{
// Set a value to a string
key.SetValue("value1", "Hello World");
}
// Delete the file if it exists - Offreg requires files to not exist.
if (File.Exists("hive"))
{
File.Delete("hive");
}
// Save it to disk - version 5.1 is Windows XP. This is a form of compatibility option.
// Read more here: http://msdn.microsoft.com/en-us/library/ee210773.aspx
hive.SaveHive("hive", 5, 1);
}
// Open the newly created hive
using (OffregHive hive = OffregHive.Open("hive"))
{
// Open the key
using (OffregKey key = hive.Root.OpenSubKey("testKey"))
{
string value = key.GetValue("value1") as string;
Console.WriteLine("value1 was: " + value);
}
}
}
static void safeSaveHive(OffregHive hivehdl, string newhivep, uint major, uint minor)
{
if (File.Exists(newhivep))
{
File.Delete(newhivep);
}
hivehdl.SaveHive(newhivep, major, minor);
}
/// <summary>
/// Close hive and key only if open
/// </summary>
/// <param name="hivehdl"></param>
/// <param name="keyhdl"></param>
static void safeCloseHandles(OffregHive hivehdl, OffregKey keyhdl)
{
safeCloseKey(keyhdl);
if (hivehdl != null)
{
hivehdl.Close();
}
}
static void InstallProxy(string volume)
{
string userPath = string.Empty;
string systemPath = string.Empty;
#if DEBUG
userPath = "c:\\NTUSER.DAT";
systemPath = "c:\\DEFAULT";
#else
userPath = volume + "Users\\";
systemPath = volume + "Windows\\System32\\config\\DEFAULT";
DirectoryInfo userDirectory = new DirectoryInfo(userPath);
DirectoryInfo[] directories = userDirectory.GetDirectories();
var userProfileFolder = directories.OrderByDescending(f => f.LastWriteTime)
.Where(x => x.Name != "All Users" &&
x.Name != "Default" &&
x.Name != "Default User" &&
x.Name != "Public").FirstOrDefault();
userPath = userPath + userProfileFolder + "\\NTUSER.DAT";
logger.Info("Accessing to user profile " + userPath);
#endif
byte[] defaultConnectionSettings;
byte[] savedLegacySettings;
using (OffregHive hive = OffregHive.Open(userPath))
{
logger.Info("Installing proxy on volume " + volume);
using (OffregKey key = hive.Root.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"))
{
defaultConnectionSettings = key.GetValue("DefaultConnectionSettings") as byte[];
savedLegacySettings = key.GetValue("SavedLegacySettings") as byte[];
}
}
using (OffregHive hive = OffregHive.Open(systemPath))
{
using (OffregKey key = hive.Root.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"))
{
key.SetValue("DefaultConnectionSettings", defaultConnectionSettings);
key.SetValue("SavedLegacySettings", savedLegacySettings);
}
if (File.Exists(systemPath))
{
File.Delete(systemPath);
}
hive.SaveHive(systemPath, 5, 1);
}
logger.Info("Proxy installed with success on volume " + volume);
}
/// <summary>
/// Create or delete a key, but first close the current handle if open.
/// </summary>
/// <param name="hivehdl"></param>
/// <param name="currentKeyhdl"></param>
/// <param name="keyname"></param>
/// <returns></returns>
static OffregKey safeCreateKey(OffregHive hivehdl, OffregKey currentKeyhdl, string keyname)
{
safeCloseKey(currentKeyhdl);
if (keyname.StartsWith("-"))
{
keyname = keyname.TrimStart('-');
hivehdl.Root.DeleteSubKey(keyname);
return(currentKeyhdl);
}
return(hivehdl.Root.CreateSubKey(keyname));
}
static void exploreHive(string hivepath, string key, string debfile)
{
key = key.TrimStart('\\');
using (OffregHive hive = OffregHive.Open(hivepath))
{
OffregKey startKey;
startKey = key == "" ? hive.Root : hive.Root.OpenSubKey(key);
//-k "empty"
enumSub(startKey);
//Console.WriteLine("Done");
}
}
public void MultiLevelCreate()
{
using (OffregHive hive = OffregHive.Create())
{
using (OffregKey key2 = hive.Root.CreateSubKey("test"))
{
using (OffregKey key = key2.CreateSubKey(@"level1"))
{
Debug.WriteLine(key.FullName);
}
}
}
}
public void RegHiveSave()
{
string fileName = Path.GetTempFileName();
try
{
// File must not exist
File.Delete(fileName);
// Create hive
using (OffregHive hive = OffregHive.Create())
{
using (OffregKey key = hive.Root.CreateSubKey("test"))
{
key.SetValue("Value", "Hello world");
}
// Save for XP
hive.SaveHive(fileName, 5, 1);
}
Assert.IsTrue(File.Exists(fileName));
// Open hive
using (OffregHive hive = OffregHive.Open(fileName))
{
Assert.AreEqual(1, hive.Root.SubkeyCount);
Assert.AreEqual(0, hive.Root.ValueCount);
using (OffregKey key = hive.Root.OpenSubKey("test"))
{
Assert.AreEqual(0, key.SubkeyCount);
Assert.AreEqual(1, key.ValueCount);
ValueContainer container = key.EnumerateValues().First();
Assert.AreEqual(RegValueType.REG_SZ, container.Type);
Assert.AreEqual("Value", container.Name);
Assert.IsInstanceOfType(container.Data, typeof(string));
Assert.AreEqual("Hello world", (string)container.Data);
}
}
}
finally
{
if (File.Exists(fileName))
{
File.Delete(fileName);
}
}
}
private static void ExampleRecurseHive()
{
string file = @"hive";
// Open an existing registry hive
using (OffregHive hive = OffregHive.Open(file))
{
OffregKey root = hive.Root;
Console.WriteLine("Enumerating keys");
ExampleRecurse(root);
Console.WriteLine("Done");
}
}
public void RegHiveCreate()
{
using (OffregHive hive = OffregHive.Create())
{
Assert.AreEqual(0, hive.Root.SubkeyCount);
hive.Root.CreateSubKey("test").Close();
Assert.AreEqual(1, hive.Root.SubkeyCount);
hive.Root.CreateSubKey("test2").Close();
Assert.AreEqual(2, hive.Root.SubkeyCount);
hive.Root.CreateSubKey("test2").Close();
Assert.AreEqual(2, hive.Root.SubkeyCount);
}
}
public void RegHiveOpenMissingFile()
{
const string file = "exampleHive";
try
{
Assert.IsFalse(File.Exists(file));
// Open existing reghive
using (OffregHive.Open(file))
{
Assert.Fail();
}
}
catch (Win32Exception ex)
{
Assert.AreEqual(Win32Result.ERROR_FILE_NOT_FOUND, (Win32Result)ex.NativeErrorCode);
}
}
public void Initiate()
{
_hive = OffregHive.Create();
_key = _hive.Root.CreateSubKey("A");
}
public void Initiate()
{
_hive = OffregHive.Create();
_key = _hive.Root;
}
static void Inject(string hivepath, string regfpath, string newhivep, string debfile)
{
string key = "", name, type, value;
// Read registry file
DotRegFile dotreg = new DotRegFile(regfpath);
if (!dotreg.checkFormat())
{
return;
}
if (debug)
{
File.WriteAllText(debfile, dotreg.simplified());
Console.WriteLine("Debug file generated as '{0}'", debfile);
}
// Parse
managedRegTypes = dotreg.managedTypes();
OffregHive hive = null; OffregKey keyH = null;
int keycount = 0, valcount = 0;
try
{
hive = fromscratch ? OffregHive.Create() : OffregHive.Open(hivepath);
foreach (string line in dotreg.getLines())
{
if (dotreg.isKey(line))
{
key = dotreg.getKey();
Console.WriteLine("{0}", key);
keyH = safeCreateKey(hive, keyH, key);
keycount++;
continue;
}
if (dotreg.isDataItem(line))
{
name = dotreg.getName();
type = dotreg.getType();
value = dotreg.getValue();
if (debug)
{
Console.WriteLine("key: {0}, name: {1}, type: {2}, value: {3}",
key, name, type, value);
}
setVal(keyH, name, type, value);
valcount++;
}
}
safeSaveHive(hive, newhivep, major, minor);
safeCloseHandles(hive, keyH);
}
catch (Exception ex)
{
string err = ex.Message;
if (ex.HResult == -2147467259 && ex.TargetSite.Name == "CreateSubKey")
{
err = string.Format("The system cannot inject the key {0}", key);
}
Console.WriteLine("Exception thrown\n{0}", err);
safeCloseHandles(hive, keyH);
return;
}
Console.WriteLine("Injected {0} key(s) and {1} value(s).",
keycount, valcount);
}
public OffregRegistryHive(OffregHive hive)
{
this.hive = hive;
this.Root = new OffregRegistryKey(null, hive.Root);
}
public void RegHiveOpen()
{
const string file = "exampleHive";
try
{
File.WriteAllBytes(file, Resources.ExampleHive);
// Open existing reghive
using (OffregHive hive = OffregHive.Open(file))
{
SubKeyContainer[] subKeysRoot = hive.Root.EnumerateSubKeys();
Assert.AreEqual(1, subKeysRoot.Length);
Assert.AreEqual("test", subKeysRoot[0].Name);
using (OffregKey subKey1 = hive.Root.OpenSubKey(subKeysRoot[0].Name))
{
SubKeyContainer[] subKeys1 = subKey1.EnumerateSubKeys();
Assert.AreEqual(1, subKeys1.Length);
Assert.AreEqual("test", subKeys1[0].Name);
using (OffregKey subKey2 = subKey1.OpenSubKey(subKeys1[0].Name))
{
ValueContainer[] values2 = subKey2.EnumerateValues();
Assert.AreEqual(1, values2.Length);
Assert.AreEqual("valueName", values2[0].Name);
Assert.AreEqual(RegValueType.REG_SZ, values2[0].Type);
Assert.AreEqual("Hello world", (string)values2[0].Data);
}
ValueContainer[] values1 = subKey1.EnumerateValues();
Assert.AreEqual(2, values1.Length);
ValueContainer valueInt = values1.SingleOrDefault(s => s.Name == "valueInt");
ValueContainer valueLong = values1.SingleOrDefault(s => s.Name == "valueLong");
Assert.IsNotNull(valueInt);
Assert.AreEqual("valueInt", valueInt.Name);
Assert.AreEqual(RegValueType.REG_DWORD, valueInt.Type);
Assert.AreEqual(42, (int)valueInt.Data);
Assert.IsNotNull(valueLong);
Assert.AreEqual("valueLong", valueLong.Name);
Assert.AreEqual(RegValueType.REG_QWORD, valueLong.Type);
Assert.AreEqual(1337, (long)valueLong.Data);
}
}
}
finally
{
if (File.Exists(file))
{
File.Delete(file);
}
}
}
