x64dbg
/
btparser
mirror of https://github.com/x64dbg/btparser
1
0
Fork 0
Code Releases Activity
btparser/cparser/tests/exp_lex/RegistryHive.bt

282 lines
7.5 KiB
Plaintext
Raw Normal View History

first tests (not completely verified)
2016-06-05 21:47:15 +08:00
1:
2:
3:
4:
5:
6:
7:
8:
9:
10: LittleEndian ( ) ;
11:
12:
13: typedef struct {
14:
15: char HeaderSignature [ 4 ] < fgcolor = cBlack , bgcolor = 0xFF00 > ;
16: int PrimarySequenceNumber ;
17: int SecondarySequenceNumber ;
18: FILETIME LastWriteTime < fgcolor = cBlack , bgcolor = 0xDFF4FF > ;
19: int MajorVersion < fgcolor = cBlack , bgcolor = cLtRed > ;
20: int MinorVersion < fgcolor = cBlack , bgcolor = cRed > ;
21: int FileType ;
22: int Unknown ;
23: int RootKeyOffset < fgcolor = cBlack , bgcolor = cLtBlue > ;
24: int HbinTotalSize < fgcolor = cBlack , bgcolor = cPurple , format = hex > ;
25: int Unknown2 ;
26: wchar_t EmbeddedFilename [ 32 ] < fgcolor = cBlack , bgcolor = cLtGreen > ;
27: char Unknown3 [ 396 ] ;
28: int Checksum ;
29:
30: } REGISTRYHEADER < size = 4096 > ;
31:
32: typedef struct ( int recordSize ) {
33: int Size ;
34: char Signature [ 2 ] < fgcolor = cBlack , bgcolor = 0xFF10 > ;
35: short Flags < format = binary > ;
36: FILETIME LastWriteTime < fgcolor = cBlack , bgcolor = 0xDFF4FF > ;
37: int Spare ;
38: int ParentCellOffset ;
39: int SubkeyCountStable < fgcolor = cBlack , bgcolor = cLtBlue > ;
40: int SubkeyCountVolatile ;
41: int SubkeyListOffsetStable < fgcolor = cBlack , bgcolor = cLtBlue > ;
42: int SubkeyListOffsetVolatile ;
43: int ValueCount < fgcolor = cWhite , bgcolor = cDkGray > ;
44: int ValuelistOffset < fgcolor = cBlack , bgcolor = cGray > ;
45: int SecurityKeyOffset ;
46: int ClassOffset ;
47: short MaxNameLength ;
48: byte UserVirtFlags ;
49: byte Debug ;
50: int MaxClassLength ;
51: int MaxValueNameLength ;
52: int MaxValueDataLength ;
53: int WorkVar ;
54: short NameLength < fgcolor = cBlack , bgcolor = cAqua > ;
55: short ClassLength ;
56: char Name [ NameLength ] < fgcolor = cBlack , bgcolor = cLtAqua > ;
57: local int PaddingSize = recordSize - 0x50 - NameLength ;
58: if ( PaddingSize > 0 )
59: {
60: char Padding [ recordSize - 0x50 - NameLength ] ;
61: }
62:
63:
64: } NKCELL < read = ReadNKCell , optimize = false > ;
65:
66: string ReadNKCell ( NKCELL & nk )
67: {
68: return nk . Name ;
69: }
70:
71: typedef struct ( int recordSize ) {
72: int Size ;
73: char Signature [ 2 ] < fgcolor = cBlack , bgcolor = 0xFF10 > ;
74: short NameLength < fgcolor = cBlack , bgcolor = cAqua > ;
75: int DataLength ;
76: int DataOffset ;
77: int Type ;
78: short Flags < format = binary > ;
79: short Spare ;
80: if ( NameLength > 0 )
81: {
82: char Name [ NameLength ] < fgcolor = cBlack , bgcolor = cLtAqua > ;
83: }
84: local int PaddingSize = recordSize - 0x18 - NameLength ;
85: if ( PaddingSize > 0 )
86: {
87: char Padding [ recordSize - 0x18 - NameLength ] ;
88: }
89:
90: } VKCELL < read = ReadVKCell , optimize = false > ;
91:
92: string ReadVKCell ( VKCELL & vk )
93: {
94: if ( vk . NameLength > 0 )
95: {
96: return vk . Name ;
97: }
98: else
99: {
100: return "(Default)" ;
101: }
102: }
103:
104:
105: typedef struct ( int recordSize ) {
106: byte AceType ;
107: byte AceFlags ;
108: short AceSize ;
109: int Mask < format = binary > ;
110: char SID [ AceSize - 8 ] ;
111:
112: } ACE < optimize = false > ;
113:
114: typedef struct ( int recordSize ) {
115: byte AclRevision ;
116: byte Sbz1 ;
117: short AclSize ;
118: short AceCount ;
119: short Sbz2 ;
120: if ( AclSize > 0 )
121: {
122: local int aceSize = 0 ;
123: local int i ;
124: for ( i = 0 ; i < AceCount ; i ++ )
125: {
126: aceSize = ReadInt ( FTell ( ) + 2 ) ;
127: ACE Ace ( aceSize ) ;
128: }
129: }
130:
131: } ACL < optimize = false > ;
132:
133: typedef struct ( int recordSize ) {
134: byte Revision ;
135: byte Spare ;
136: short ControlFlag < format = binary > ;
137: int OffsetToOwner ;
138: int OffsetToGroup ;
139: int OffsetToSACL ;
140: int OffsetToDACL ;
141:
142: local int sizeSACL = OffsetToDACL - OffsetToSACL ;
143: local int sizeDACL = OffsetToOwner - OffsetToDACL ;
144: local int sizeOwnerSid = OffsetToGroup - OffsetToOwner ;
145: local int sizeGroupSid = recordSize - OffsetToGroup ;
146:
147: if ( ( ControlFlag & 0x10 ) == 0x10 )
148: {
149: ACL SACL ( sizeSACL ) ;
150: }
151: if ( ( ControlFlag & 0x4 ) == 0x4 )
152: {
153: ACL DACL ( sizeDACL ) ;
154: }
155: char OwnerSID [ sizeOwnerSid ] ;
156: char GroupSID [ sizeGroupSid ] ;
157: } DESCRIPTOR < optimize = false > ;
158:
159: typedef struct ( int recordSize ) {
160: int Size ;
161: char Signature [ 2 ] < fgcolor = cBlack , bgcolor = 0xFF10 > ;
162: short Reserved ;
163: int Flink ;
164: int Blink ;
165: int ReferenceCount ;
166: int DescriptorLength ;
167: if ( DescriptorLength )
168: {
169: DESCRIPTOR Descriptor ( DescriptorLength ) ;
170: }
171:
172: local int PaddingSize = recordSize - 0x18 - DescriptorLength ;
173: if ( PaddingSize > 0 )
174: {
175: char Padding [ recordSize - 0x18 - DescriptorLength ] ;
176: }
177:
178: } SKCELL < optimize = false > ;
179:
180: typedef struct {
181: int Offset ;
182: char Hash [ 4 ] ;
183:
184: } LXOFFSET < optimize = false > ;
185:
186: typedef struct ( int recordSize ) {
187: int Size ;
188: char Signature [ 2 ] < fgcolor = cBlack , bgcolor = 0xFF10 > ;
189: short NumberOfOffsets ;
190: if ( NumberOfOffsets > 0 )
191: {
192: LXOFFSET offsets [ NumberOfOffsets ] ;
193: }
194:
195: local int PaddingSize = recordSize - 8 - ( 8 * NumberOfOffsets ) ;
196: if ( PaddingSize > 0 )
197: {
198: char Padding [ recordSize - 8 - ( 8 * NumberOfOffsets ) ] ;
199: }
200:
201: } LXLIST < optimize = false > ;
202:
203: typedef struct ( int recordSize ) {
204: int Size ;
205: char Signature [ 2 ] < fgcolor = cBlack , bgcolor = 0xFF10 > ;
206: short NumberOfOffsets ;
207: LXOFFSET offsets [ NumberOfOffsets ] ;
208:
209: } LILIST < optimize = false > ;
210:
211: typedef struct {
212: char HbinSignature [ 4 ] < fgcolor = cBlack , bgcolor = 0xFF10 > ;
213: int RelativeOffset ;
214: int SizeOfHbin ;
215: int Unknown1 ;
216: int Unknown2 ;
217: FILETIME Timestamp < fgcolor = cBlack , bgcolor = 0xDFF4FF > ;
218: int unknown3 ;
219:
220: local string sig ;
221:
222: local int index = 0 ;
223:
224: local int cellSize = ReadInt ( FTell ( ) ) ;
225:
226: while ( index < SizeOfHbin )
227: {
228: sig = GetCellSignature ( ) ;
229:
230: cellSize = ReadInt ( FTell ( ) ) ;
231:
232: if ( cellSize == 0 )
233: {
234: break ;
235: }
236:
237: switch ( sig )
238: {
239: case "nk" : NKCELL nk ( Abs ( cellSize ) ) ; break ;
240: case "sk" : SKCELL sk ( Abs ( cellSize ) ) ; break ;
241: case "vk" : VKCELL vk ( Abs ( cellSize ) ) ; break ;
242: case "li" : LILIST li ( Abs ( cellSize ) ) ; break ;
243: case "lf" : LXLIST lf ( Abs ( cellSize ) ) ; break ;
244: case "lh" : LXLIST lh ( Abs ( cellSize ) ) ; break ;
245: default :
246:
247: FSkip ( Abs ( cellSize ) ) ;
248: }
249:
250: index += Abs ( cellSize ) ;
251: }
252:
253: } HBINRECORD < size = SizeHbinRecord , optimize = false > ;
254:
255: int SizeHbinRecord ( HBINRECORD & r )
256: {
257: return ReadInt ( startof ( r ) + 8 ) ;
258: }
259:
260: char [ ] GetCellSignature ( )
261: {
262:
263: return ReadString ( FTell ( ) + 4 , 2 ) ;
264: }
265:
266: REGISTRYHEADER Header < bgcolor = cLtPurple > ;
267:
268: local int indexPosition = FTell ( ) ;
269:
270: local int indexPosStart = indexPosition ;
271:
272: local int absoluteEndPosition = Header . HbinTotalSize + 0x1000 ;
273:
274: while ( indexPosition < absoluteEndPosition )
275: {
276: HBINRECORD Hbin ;
277:
278: indexPosition += Hbin . SizeOfHbin ;
279: }
280:
281:
282: tok_eof