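/// <summary>
/// Builds a new hive from the keys added so far and writes it to <paramref name="outHive"/>,
/// replacing any file that is already there.
/// </summary>
/// <param name="outHive">Path of the hive file to create.</param>
/// <returns>Always <c>true</c>; failures surface as exceptions.</returns>
/// <exception cref="InvalidOperationException">No key has been added yet.</exception>
/// <exception cref="ArgumentNullException"><paramref name="outHive"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="outHive"/> is empty.</exception>
public bool Write(string outHive)
{
    if (_keys.Count == 0)
    {
        throw new InvalidOperationException("At least one SkeletonKey must be added before calling Write");
    }

    // Reject an unusable path before any state is touched; previously the same
    // exception types only surfaced from File.WriteAllBytes after _hbin had been grown.
    if (outHive == null)
    {
        throw new ArgumentNullException("outHive");
    }

    if (outHive.Length == 0)
    {
        throw new ArgumentException("Output path must not be empty", "outHive");
    }

    // Every call appends another empty 0x1000-byte block to _hbin.
    // NOTE(review): calling Write twice on the same instance therefore grows _hbin again; confirm that is intended.
    _hbin = _hbin.Concat(GetEmptyHbin(0x1000)).ToArray();

    var treeKey = BuildKeyTree();

    //always include keys/values for now
    var parentOffset = ProcessSkeletonTree(treeKey);

    //mark any remaining hbin as free
    var freeSize = _hbin.Length - _currentOffsetInHbin;
    if (freeSize > 0)
    {
        BitConverter.GetBytes(freeSize).CopyTo(_hbin, _currentOffsetInHbin);
    }

    //work is done: take the first 0x1000 bytes of the source hive as the header, then patch
    //the length field at 0x28, the minor version (5) and the root cell offset
    var headerBytes = _hive.ReadBytesFromHive(0, 0x1000);
    BitConverter.GetBytes(_hbin.Length).CopyTo(headerBytes, 0x28);
    BitConverter.GetBytes(5).CopyTo(headerBytes, HeaderMinorVersion);
    BitConverter.GetBytes(parentOffset).CopyTo(headerBytes, RootCellIndex);

    //update checksum: XOR of the 32-bit words at offsets 0x000..0x1f8 of the patched header
    // NOTE(review): the Windows header checksum routine is documented as mapping a result of 0 to 1
    // and 0xFFFFFFFF to 0xFFFFFFFE; this writes the raw XOR. Confirm whether the writer and the
    // reader-side verification should both apply that adjustment.
    var xsum = 0;
    for (var index = 0; index <= 0x1fb; index += 0x04)
    {
        xsum ^= BitConverter.ToInt32(headerBytes, index);
    }

    BitConverter.GetBytes(xsum).CopyTo(headerBytes, CheckSumOffset);

    var outBytes = headerBytes.Concat(_hbin).ToArray();

    // Remove the previous file only now that the new image is fully built, so a failure
    // while building the tree or header no longer destroys an existing hive at this path.
    if (File.Exists(outHive))
    {
        File.Delete(outHive);
    }

    File.WriteAllBytes(outHive, outBytes);

    return true;
}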
/// <summary>
/// Parses the BCD sample hive with deleted-record recovery on, reads 8 raw bytes at
/// absolute offset 0x1100 and checks that a DataNode built from them is usable and
/// reports an empty signature.
/// </summary>
public void ShouldFindDataNode()
{
    var hive = new RegistryHive(@".\Hives\BCD")
    {
        FlushRecordListsAfterParse = false,
        RecoverDeleted = true
    };
    hive.ParseHive();

    // NOTE(review): 0x100 looks like the same cell expressed relative to the end of a
    // 0x1000-byte header (0x1100 - 0x1000); confirm against DataNode's constructor.
    var rawBytes = hive.ReadBytesFromHive(0x1100, 8);
    var dataNode = new DataNode(rawBytes, 0x100);

    Check.That(dataNode).IsNotNull();
    Check.That(dataNode.ToString()).IsNotEmpty();
    Check.That(dataNode.Signature).IsEmpty();
}