        // GetBootKey
        // Extract the SYSTEM hive boot key.
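        // The key is assembled from the class names of four Lsa subkeys under the
        // control set that Select\Default points at, then its 16 bytes are
        // reordered with a fixed permutation.  Throws HiveParserLibException when
        // the hive lacks the required values or the class-name data is too short
        // to yield a full key; a missing Lsa subkey surfaces as the
        // HiveTraversalException raised by GetNodeKey.
        public static Byte[] GetBootKey(RegistryHive systemHive)
        {
            // determine the default control set used by the system
            ValueKey controlSet = null;

            try
            {
                controlSet = GetValueKey(systemHive, "Select\\Default");
            }
            catch (HiveTraversalException)
            {
                throw new HiveParserLibException(
                          "Failed to locate information required for boot key extraction; " +
                          "ensure the specified file is the SYSTEM hive and it is not corrupt");
            }

            // NOTE(review): assumes GetValueKey never returns null and that Data holds
            // at least 4 bytes — confirm; otherwise a malformed hive surfaces here as a
            // NullReferenceException / ArgumentException rather than a parser error
            Int32 cs = BitConverter.ToInt32(controlSet.Data, 0);

            // control set keys carry a three-digit, zero-padded number
            // (ControlSet001, ControlSet002, ...); pad explicitly instead of
            // prefixing "00", which is only right for single-digit values
            String lsaPath = "ControlSet" + cs.ToString("D3") + "\\Control\\Lsa\\";

            // the loop below constructs the scrambled boot key: every other byte of
            // each subkey's class-name data is taken (consistent with a UTF-16
            // class name), at most 8 characters per subkey
            StringBuilder scrambledKey = new StringBuilder();

            foreach (String key in new String[] { "JD", "Skew1", "GBG", "Data" })
            {
                NodeKey nk = GetNodeKey(systemHive, lsaPath + key);

                for (Int32 i = 0; i < nk.ClassnameLength && i < 8; ++i)
                {
                    scrambledKey.Append((Char)nk.ClassnameData[i * 2]);
                }
            }

            Byte[] skey = StringToByteArray(scrambledKey.ToString());

            // a damaged or tampered hive can leave fewer than 16 bytes of key
            // material; report that as a parser error instead of letting the
            // permutation below fail with IndexOutOfRangeException
            if (skey.Length < 16)
            {
                throw new HiveParserLibException(
                          "Boot key material is incomplete; " +
                          "ensure the specified file is the SYSTEM hive and it is not corrupt");
            }

            Byte[] descramble = new Byte[]
            {
                0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3,
                0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7
            };

            // construct the boot key by permuting the scrambled bytes
            Byte[] bootkey = new Byte[16];
            for (Int32 i = 0; i < bootkey.Length; ++i)
            {
                bootkey[i] = skey[descramble[i]];
            }

            return(bootkey);
        }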
        // GetNodeKey
        // Get NodeKey object by path.
        // Walks the hive from its root key along a backslash-separated path and
        // returns the node the path addresses.  Throws HiveTraversalException
        // naming the first path element that has no matching child.
        public static NodeKey GetNodeKey(RegistryHive hive, String path)
        {
            NodeKey current = hive.RootKey;

            foreach (String segment in path.Split('\\'))
            {
                // an empty element (trailing or doubled separator) ends the walk
                // at the node reached so far
                if (String.IsNullOrEmpty(segment))
                {
                    break;
                }

                NodeKey next = null;

                foreach (NodeKey candidate in current.ChildNodes)
                {
                    // NOTE(review): ordinal, case-sensitive match; registry key names
                    // are case-insensitive on Windows — confirm callers always pass the
                    // casing stored in the hive
                    if (candidate.Name == segment)
                    {
                        next = candidate;
                        break;
                    }
                }

                if (next == null)
                {
                    throw new HiveTraversalException("No Child Found With Name: " + segment);
                }

                // descend one level and continue with the following element
                current = next;
            }

            return current;
        }
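        // ParseChildNodes
        // Read the subkey list the reader is positioned at and attach one NodeKey
        // per entry to this.ChildNodes.  On return the reader sits just past the
        // list.  The list is consumed as a 16-bit element count followed by 8-byte
        // entries, each starting with a 32-bit cell offset relative to the
        // 4096-byte base block; the remaining 4 bytes of an entry are not used.
        // Throws InvalidDataException when an entry's offset lies outside the image.
        private void ParseChildNodes(BinaryReader hive)
        {
            // NOTE(review): read as signed; a count of 0x8000 or more becomes negative
            // and skips the loop — confirm the on-disk field never exceeds 32767
            Int16 count     = hive.ReadInt16();
            Int64 topOfList = hive.BaseStream.Position;

            for (Int16 i = 0; i < count; ++i)
            {
                // seek to this entry; the stride of 8 steps over the 4 bytes of
                // entry metadata that follow the offset read here
                hive.BaseStream.Position = topOfList + (8 * i);
                Int32 newOffset = hive.ReadInt32();

                // 64-bit arithmetic so an offset near Int32.MaxValue cannot wrap
                // negative; reject anything outside the image so a truncated or
                // tampered hive fails here with a clear error instead of deep inside
                // NodeKey construction (or by reading unrelated data)
                Int64 cellPosition = 4096L + newOffset + 4;
                if (newOffset < 0 || cellPosition >= hive.BaseStream.Length)
                {
                    throw new InvalidDataException(
                              "Child node offset lies outside the hive image; the hive is truncated or corrupt");
                }

                hive.BaseStream.Position = cellPosition;

                // NOTE(review): NodeKey(hive) presumably parses the child's own subkeys
                // through this method; a hive whose offsets form a cycle would recurse
                // without bound — confirm a depth or visited-offset guard exists
                NodeKey nk = new NodeKey(hive)
                {
                    ParentNodeKey = this
                };
                this.ChildNodes.Add(nk);
            }

            hive.BaseStream.Position = topOfList + (8 * count);
        }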