public static NamedKey GetRootKey(string path)
{
byte[] bytes = GetHiveBytes(path);
RegistryHeader header = new RegistryHeader(NativeMethods.GetSubArray(bytes, 0x00, 0x200));
int offset = (int)header.RootKeyOffset + RegistryHeader.HBINOFFSET;
int size = Math.Abs(BitConverter.ToInt32(bytes, offset));
return new NamedKey(NativeMethods.GetSubArray(bytes, (uint)offset, (uint)size), path);
}
internal static NamedKey GetRootKey(byte[] bytes, string path)
{
#region RegistryHeader
RegistryHeader header = new RegistryHeader(NativeMethods.GetSubArray(bytes, 0x00, 0x200));
#endregion RegistryHeader
int offset = (int)header.RootKeyOffset + RegistryHeader.HBINOFFSET;
int size = Math.Abs(BitConverter.ToInt32(bytes, offset));
return(new NamedKey(NativeMethods.GetSubArray(bytes, (uint)offset, (uint)size), path));
}
public static HiveBinHeader[] GetInstances(string path)
{
// Get bytes for the specific record
string volume = "\\\\.\\" + path.Split('\\')[0];
IndexEntry entry = IndexEntry.Get(path);
FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, (int)entry.RecordNumber), volume);
byte[] bytes = record.GetBytes();
// Registry Header
RegistryHeader header = new RegistryHeader(NativeMethods.GetSubArray(bytes, 0x00, 0x200));
// Hive Bin Headers
HiveBinHeader[] headerArray = new HiveBinHeader[header.HiveBinsDataSize / 0x1000];
byte[] hbinHeaderBytes = new byte[0x20];
uint i = 0x1000;
while (i < header.HiveBinsDataSize + 0x1000)
{
HiveBinHeader hbinHeader = new HiveBinHeader(NativeMethods.GetSubArray(bytes, i, 0x20));
headerArray[((i / 0x1000) - 1)] = hbinHeader;
i += hbinHeader.hBinSize;
}
return headerArray;
}
public static RegistryHeader Get(string path)
{
return(new RegistryHeader(RegistryHeader.GetBytes(path)));
}