public bool Write(string outHive)
{
if (_keys.Count == 0)
{
throw new InvalidOperationException("At least one SkeletonKey must be added before calling Write");
}
if (File.Exists(outHive))
{
File.Delete(outHive);
}
_hbin = _hbin.Concat(GetEmptyHbin(0x1000)).ToArray();
var treeKey = BuildKeyTree();
var parentOffset = ProcessSkeletonTree(treeKey); //always include keys/values for now
//mark any remaining hbin as free
var freeSize = _hbin.Length - _currentOffsetInHbin;
if (freeSize > 0)
{
BitConverter.GetBytes(freeSize).CopyTo(_hbin, _currentOffsetInHbin);
}
//work is done, get header, update rootcelloffset, adjust its length to match new hbin length, and write it out
var headerBytes = _hive.ReadBytesFromHive(0, 0x1000);
BitConverter.GetBytes(_hbin.Length).CopyTo(headerBytes, 0x28);
BitConverter.GetBytes(5).CopyTo(headerBytes, HeaderMinorVersion);
BitConverter.GetBytes(parentOffset).CopyTo(headerBytes, RootCellIndex);
//update checksum
var index = 0;
var xsum = 0;
while (index <= 0x1fb)
{
xsum ^= BitConverter.ToInt32(headerBytes, index);
index += 0x04;
}
var newcs = xsum;
BitConverter.GetBytes(newcs).CopyTo(headerBytes, CheckSumOffset);
var outBytes = headerBytes.Concat(_hbin).ToArray();
File.WriteAllBytes(outHive, outBytes);
return(true);
}
public void ShouldFindDataNode()
{
var bcd = new RegistryHive(@".\Hives\BCD");
bcd.FlushRecordListsAfterParse = false;
bcd.RecoverDeleted = true;
bcd.ParseHive();
var dnraw = bcd.ReadBytesFromHive(0x0000000000001100, 8);
var dn = new DataNode(dnraw, 0x0000000000000100);
Check.That(dn).IsNotNull();
Check.That(dn.ToString()).IsNotEmpty();
Check.That(dn.Signature).IsEmpty();
}
