/// <summary>
/// Builds a NamedKey from the raw bytes of a registry cell, reading every field at a fixed offset.
/// </summary>
/// <param name="bytes">Raw cell bytes, beginning with the 4-byte cell size field.</param>
/// <param name="hivePath">Path of the hive the cell belongs to; stored unchanged in HivePath.</param>
/// <exception cref="Exception">The two bytes at offset 0x04 are not the ASCII signature "nk".</exception>
/// <remarks>
/// The buffer is not length-checked before the fixed-offset reads. A cell shorter than 0x50 bytes
/// therefore fails inside Encoding/BitConverter with an ArgumentException-derived exception
/// instead of the "not a valid Named Key" error.
/// NOTE(review): presumably the bytes come straight from a hive file of unknown integrity; callers
/// that walk damaged or unallocated cells should be prepared for those exceptions.
/// </remarks>
internal NamedKey(byte[] bytes, string hivePath)
{
    // Offset of the key name, which directly follows the fixed-size part of the cell.
    const int NameOffset = 0x50;

    Signature = Encoding.ASCII.GetString(bytes, 0x04, 0x02);
    if (Signature != "nk")
    {
        throw new Exception("Cell is not a valid Named Key");
    }

    HivePath = hivePath;

    #region CellHeader
    // A negative size marks the cell as allocated.
    Size = BitConverter.ToInt32(bytes, 0x00);
    Allocated = Size < 0;
    #endregion CellHeader

    Flags = (NAMED_KEY_FLAGS)BitConverter.ToUInt16(bytes, 0x06);

    // FromFileTimeUtc throws ArgumentOutOfRangeException when the stored value is not a valid FILETIME.
    WriteTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(bytes, 0x08));

    // Stored offsets are rebased by RegistryHeader.HBINOFFSET.
    // NOTE(review): the constant is added unconditionally, so a "no list" sentinel in the raw field
    // (if the format uses one) would come out looking like a real offset - confirm downstream checks.
    ParentKeyOffset = BitConverter.ToUInt32(bytes, 0x14) + RegistryHeader.HBINOFFSET;
    NumberOfSubKeys = BitConverter.ToUInt32(bytes, 0x18);
    NumberOfVolatileSubKeys = BitConverter.ToUInt32(bytes, 0x1C);
    SubKeysListOffset = BitConverter.ToInt32(bytes, 0x20) + RegistryHeader.HBINOFFSET;
    VolatileSubKeysListOffset = BitConverter.ToInt32(bytes, 0x24) + RegistryHeader.HBINOFFSET;
    NumberOfValues = BitConverter.ToUInt32(bytes, 0x28);
    ValuesListOffset = BitConverter.ToInt32(bytes, 0x2C) + RegistryHeader.HBINOFFSET;
    SecurityKeyOffset = BitConverter.ToInt32(bytes, 0x30) + RegistryHeader.HBINOFFSET;
    ClassNameOffset = BitConverter.ToInt32(bytes, 0x34) + RegistryHeader.HBINOFFSET;

    LargestSubKeyNameSize = BitConverter.ToUInt32(bytes, 0x38);
    LargestSubKeyClassNameSize = BitConverter.ToUInt32(bytes, 0x3C);
    LargestValueNameSize = BitConverter.ToUInt32(bytes, 0x40);
    LargestValueDataSize = BitConverter.ToUInt32(bytes, 0x44);

    KeyNameSize = BitConverter.ToUInt16(bytes, 0x4C);
    ClassNameSize = BitConverter.ToUInt16(bytes, 0x4E);

    #region KeyNameString
    // The name is decoded only when it lies fully inside the buffer; otherwise Name is left unset.
    // NOTE(review): the name is always read as ASCII, whatever Flags says - confirm whether cells
    // holding a UTF-16 name need a separate path.
    int nameLength = KeyNameSize; // read from an unsigned 16-bit field, so never negative
    if (NameOffset + nameLength <= bytes.Length)
    {
        Name = Encoding.ASCII.GetString(bytes, NameOffset, nameLength);
    }
    #endregion KeyNameString
}
/// <summary>
/// Builds a NamedKey from the raw bytes of a registry cell and derives its full path from the
/// supplied parent key path.
/// </summary>
/// <param name="bytes">Raw cell bytes, beginning with the 4-byte cell size field.</param>
/// <param name="hivePath">Path of the hive the cell belongs to; its last '\'-separated segment labels FullName.</param>
/// <param name="key">Key path that this key's name is appended to when FullName is built.</param>
/// <exception cref="Exception">The two bytes at offset 0x04 are not the ASCII signature "nk".</exception>
/// <remarks>
/// The buffer is not length-checked before the fixed-offset reads. A cell shorter than 0x50 bytes
/// therefore fails inside Encoding/BitConverter with an ArgumentException-derived exception
/// instead of the "not a valid Named Key" error.
/// NOTE(review): presumably the bytes come straight from a hive file of unknown integrity; callers
/// that walk damaged or unallocated cells should be prepared for those exceptions.
/// </remarks>
internal NamedKey(byte[] bytes, string hivePath, string key)
{
    // Offset of the key name, which directly follows the fixed-size part of the cell.
    const int NameOffset = 0x50;

    Signature = Encoding.ASCII.GetString(bytes, 0x04, 0x02);
    if (Signature != "nk")
    {
        throw new Exception("Cell is not a valid Named Key");
    }

    HivePath = hivePath;

    #region CellHeader
    // A negative size marks the cell as allocated.
    Size = BitConverter.ToInt32(bytes, 0x00);
    Allocated = Size < 0;
    #endregion CellHeader

    Flags = (NAMED_KEY_FLAGS)BitConverter.ToUInt16(bytes, 0x06);

    // FromFileTimeUtc throws ArgumentOutOfRangeException when the stored value is not a valid FILETIME.
    WriteTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(bytes, 0x08));

    // Stored offsets are rebased by RegistryHeader.HBINOFFSET.
    // NOTE(review): the constant is added unconditionally, so a "no list" sentinel in the raw field
    // (if the format uses one) would come out looking like a real offset - confirm downstream checks.
    ParentKeyOffset = BitConverter.ToUInt32(bytes, 0x14) + RegistryHeader.HBINOFFSET;
    NumberOfSubKeys = BitConverter.ToUInt32(bytes, 0x18);
    NumberOfVolatileSubKeys = BitConverter.ToUInt32(bytes, 0x1C);
    SubKeysListOffset = BitConverter.ToInt32(bytes, 0x20) + RegistryHeader.HBINOFFSET;
    VolatileSubKeysListOffset = BitConverter.ToInt32(bytes, 0x24) + RegistryHeader.HBINOFFSET;
    NumberOfValues = BitConverter.ToUInt32(bytes, 0x28);
    ValuesListOffset = BitConverter.ToInt32(bytes, 0x2C) + RegistryHeader.HBINOFFSET;
    SecurityKeyOffset = BitConverter.ToInt32(bytes, 0x30) + RegistryHeader.HBINOFFSET;
    ClassNameOffset = BitConverter.ToInt32(bytes, 0x34) + RegistryHeader.HBINOFFSET;

    LargestSubKeyNameSize = BitConverter.ToUInt32(bytes, 0x38);
    LargestSubKeyClassNameSize = BitConverter.ToUInt32(bytes, 0x3C);
    LargestValueNameSize = BitConverter.ToUInt32(bytes, 0x40);
    LargestValueDataSize = BitConverter.ToUInt32(bytes, 0x44);

    KeyNameSize = BitConverter.ToUInt16(bytes, 0x4C);
    ClassNameSize = BitConverter.ToUInt16(bytes, 0x4E);

    #region KeyNameString
    // The name is decoded only when it lies fully inside the buffer; otherwise Name is left unset.
    // NOTE(review): the name is always read as ASCII, whatever Flags says - confirm whether cells
    // holding a UTF-16 name need a separate path.
    int nameLength = KeyNameSize; // read from an unsigned 16-bit field, so never negative
    if (NameOffset + nameLength <= bytes.Length)
    {
        Name = Encoding.ASCII.GetString(bytes, NameOffset, nameLength);
    }
    #endregion KeyNameString

    #region FullName
    // The hive label is the last '\'-separated segment of hivePath.
    string[] pathParts = hivePath.Split('\\');
    string hiveLabel = pathParts[pathParts.Length - 1];

    // Join parent path and name with exactly one separator, then drop any leading separator.
    // If Name was left unset above, the result ends in a bare separator.
    string joined = key.TrimEnd('\\') + "\\" + Name;
    string relativePath = joined.TrimStart('\\');

    // The placeholder root-key name is swapped for "<hive label>:".
    FullName = relativePath.Replace("CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}", hiveLabel + ":");
    #endregion FullName
}
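/// <summary>
/// Builds a NamedKey from the raw bytes of a registry cell and derives its full path from the
/// supplied key path.
/// </summary>
/// <param name="bytes">Raw cell bytes, beginning with the 4-byte cell size field.</param>
/// <param name="hivePath">Path of the hive the cell belongs to; its last '\'-separated segment labels FullName.</param>
/// <param name="key">Key path used to build FullName; the key name is appended unless the path already contains it.</param>
/// <exception cref="Exception">The two bytes at offset 0x04 are not the ASCII signature "nk".</exception>
/// <remarks>
/// The buffer is not length-checked before the fixed-offset reads. A cell shorter than 0x50 bytes
/// therefore fails inside Encoding/BitConverter with an ArgumentException-derived exception
/// instead of the "not a valid Named Key" error.
/// NOTE(review): presumably the bytes come straight from a hive file of unknown integrity; callers
/// that walk damaged or unallocated cells should be prepared for those exceptions.
/// </remarks>
internal NamedKey(byte[] bytes, string hivePath, string key)
{
    // Offset of the key name, which directly follows the fixed-size part of the cell.
    const int NameOffset = 0x50;

    Signature = Encoding.ASCII.GetString(bytes, 0x04, 0x02);
    if (Signature != "nk")
    {
        throw new Exception("Cell is not a valid Named Key");
    }

    HivePath = hivePath;

    #region CellHeader
    // A negative size marks the cell as allocated.
    Size = BitConverter.ToInt32(bytes, 0x00);
    Allocated = Size < 0;
    #endregion CellHeader

    Flags = (NAMED_KEY_FLAGS)BitConverter.ToUInt16(bytes, 0x06);

    // FromFileTimeUtc throws ArgumentOutOfRangeException when the stored value is not a valid FILETIME.
    WriteTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(bytes, 0x08));

    // Stored offsets are rebased by RegistryHeader.HBINOFFSET.
    // NOTE(review): the constant is added unconditionally, so a "no list" sentinel in the raw field
    // (if the format uses one) would come out looking like a real offset - confirm downstream checks.
    ParentKeyOffset = BitConverter.ToUInt32(bytes, 0x14) + RegistryHeader.HBINOFFSET;
    NumberOfSubKeys = BitConverter.ToUInt32(bytes, 0x18);
    NumberOfVolatileSubKeys = BitConverter.ToUInt32(bytes, 0x1C);
    SubKeysListOffset = BitConverter.ToInt32(bytes, 0x20) + RegistryHeader.HBINOFFSET;
    VolatileSubKeysListOffset = BitConverter.ToInt32(bytes, 0x24) + RegistryHeader.HBINOFFSET;
    NumberOfValues = BitConverter.ToUInt32(bytes, 0x28);
    ValuesListOffset = BitConverter.ToInt32(bytes, 0x2C) + RegistryHeader.HBINOFFSET;
    SecurityKeyOffset = BitConverter.ToInt32(bytes, 0x30) + RegistryHeader.HBINOFFSET;
    ClassNameOffset = BitConverter.ToInt32(bytes, 0x34) + RegistryHeader.HBINOFFSET;

    LargestSubKeyNameSize = BitConverter.ToUInt32(bytes, 0x38);
    LargestSubKeyClassNameSize = BitConverter.ToUInt32(bytes, 0x3C);
    LargestValueNameSize = BitConverter.ToUInt32(bytes, 0x40);
    LargestValueDataSize = BitConverter.ToUInt32(bytes, 0x44);

    KeyNameSize = BitConverter.ToUInt16(bytes, 0x4C);
    ClassNameSize = BitConverter.ToUInt16(bytes, 0x4E);

    #region KeyNameString
    // The name is decoded only when it lies fully inside the buffer; otherwise Name is left unset.
    // NOTE(review): the name is always read as ASCII, whatever Flags says - confirm whether cells
    // holding a UTF-16 name need a separate path.
    int nameLength = KeyNameSize; // read from an unsigned 16-bit field, so never negative
    if (NameOffset + nameLength <= bytes.Length)
    {
        Name = Encoding.ASCII.GetString(bytes, NameOffset, nameLength);
    }
    #endregion KeyNameString

    #region FullName
    // The hive label is the last '\'-separated segment of hivePath.
    string[] pathParts = hivePath.Split('\\');
    string hiveLabel = pathParts[pathParts.Length - 1];

    // Fix: a truncated cell leaves Name unset, and string.Contains(null) throws
    // ArgumentNullException. In that case the supplied key path is used as it stands, in line
    // with the best-effort handling of the name above.
    // NOTE(review): Contains is a substring test, not a last-segment test. With a constructed
    // example of key "ControlSet001" and name "Control", the name is not appended and FullName
    // reports the wrong path. Confirm what callers pass as key before tightening this.
    string relativePath;
    if (Name != null && !key.Contains(Name))
    {
        relativePath = (key + "\\" + Name).TrimStart('\\');
    }
    else
    {
        relativePath = key.TrimStart('\\');
    }

    // The placeholder root-key name is swapped for "<hive label>:".
    FullName = relativePath.Replace("CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}", hiveLabel + ':');
    #endregion FullName
}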