public static HiveBinHeader[] GetInstances(string path) { // Get bytes for the specific record string volume = "\\\\.\\" + path.Split('\\')[0]; IndexEntry entry = IndexEntry.Get(path); FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, (int)entry.RecordNumber), volume); byte[] bytes = record.GetBytes(); // Registry Header RegistryHeader header = new RegistryHeader(NativeMethods.GetSubArray(bytes, 0x00, 0x200)); // Hive Bin Headers HiveBinHeader[] headerArray = new HiveBinHeader[header.HiveBinsDataSize / 0x1000]; byte[] hbinHeaderBytes = new byte[0x20]; uint i = 0x1000; while (i < header.HiveBinsDataSize + 0x1000) { HiveBinHeader hbinHeader = new HiveBinHeader(NativeMethods.GetSubArray(bytes, i, 0x20)); headerArray[((i / 0x1000) - 1)] = hbinHeader; i += hbinHeader.hBinSize; } return(headerArray); }
public static HiveBinHeader[] GetInstances(string path) { // Get bytes for the specific record string volume = "\\\\.\\" + path.Split('\\')[0]; IndexEntry entry = IndexEntry.Get(path); FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, (int)entry.RecordNumber), volume); byte[] bytes = record.GetBytes(); // Registry Header RegistryHeader header = new RegistryHeader(NativeMethods.GetSubArray(bytes, 0x00, 0x200)); // Hive Bin Headers HiveBinHeader[] headerArray = new HiveBinHeader[header.HiveBinsDataSize / 0x1000]; byte[] hbinHeaderBytes = new byte[0x20]; uint i = 0x1000; while (i < header.HiveBinsDataSize + 0x1000) { HiveBinHeader hbinHeader = new HiveBinHeader(NativeMethods.GetSubArray(bytes, i, 0x20)); headerArray[((i / 0x1000) - 1)] = hbinHeader; i += hbinHeader.hBinSize; } return headerArray; }