mirror of https://github.com/x64dbg/btparser
282 lines
7.5 KiB
Plaintext
282 lines
7.5 KiB
Plaintext
1:
|
|
2:
|
|
3:
|
|
4:
|
|
5:
|
|
6:
|
|
7:
|
|
8:
|
|
9:
|
|
10: LittleEndian ( ) ;
|
|
11:
|
|
12:
|
|
13: typedef struct {
|
|
14:
|
|
15: char HeaderSignature [ 4 ] < fgcolor = cBlack , bgcolor = 0xFF00 > ;
|
|
16: int PrimarySequenceNumber ;
|
|
17: int SecondarySequenceNumber ;
|
|
18: FILETIME LastWriteTime < fgcolor = cBlack , bgcolor = 0xDFF4FF > ;
|
|
19: int MajorVersion < fgcolor = cBlack , bgcolor = cLtRed > ;
|
|
20: int MinorVersion < fgcolor = cBlack , bgcolor = cRed > ;
|
|
21: int FileType ;
|
|
22: int Unknown ;
|
|
23: int RootKeyOffset < fgcolor = cBlack , bgcolor = cLtBlue > ;
|
|
24: int HbinTotalSize < fgcolor = cBlack , bgcolor = cPurple , format = hex > ;
|
|
25: int Unknown2 ;
|
|
26: wchar_t EmbeddedFilename [ 32 ] < fgcolor = cBlack , bgcolor = cLtGreen > ;
|
|
27: char Unknown3 [ 396 ] ;
|
|
28: int Checksum ;
|
|
29:
|
|
30: } REGISTRYHEADER < size = 4096 > ;
|
|
31:
|
|
32: typedef struct ( int recordSize ) {
|
|
33: int Size ;
|
|
34: char Signature [ 2 ] < fgcolor = cBlack , bgcolor = 0xFF10 > ;
|
|
35: short Flags < format = binary > ;
|
|
36: FILETIME LastWriteTime < fgcolor = cBlack , bgcolor = 0xDFF4FF > ;
|
|
37: int Spare ;
|
|
38: int ParentCellOffset ;
|
|
39: int SubkeyCountStable < fgcolor = cBlack , bgcolor = cLtBlue > ;
|
|
40: int SubkeyCountVolatile ;
|
|
41: int SubkeyListOffsetStable < fgcolor = cBlack , bgcolor = cLtBlue > ;
|
|
42: int SubkeyListOffsetVolatile ;
|
|
43: int ValueCount < fgcolor = cWhite , bgcolor = cDkGray > ;
|
|
44: int ValuelistOffset < fgcolor = cBlack , bgcolor = cGray > ;
|
|
45: int SecurityKeyOffset ;
|
|
46: int ClassOffset ;
|
|
47: short MaxNameLength ;
|
|
48: byte UserVirtFlags ;
|
|
49: byte Debug ;
|
|
50: int MaxClassLength ;
|
|
51: int MaxValueNameLength ;
|
|
52: int MaxValueDataLength ;
|
|
53: int WorkVar ;
|
|
54: short NameLength < fgcolor = cBlack , bgcolor = cAqua > ;
|
|
55: short ClassLength ;
|
|
56: char Name [ NameLength ] < fgcolor = cBlack , bgcolor = cLtAqua > ;
|
|
57: local int PaddingSize = recordSize - 0x50 - NameLength ;
|
|
58: if ( PaddingSize > 0 )
|
|
59: {
|
|
60: char Padding [ recordSize - 0x50 - NameLength ] ;
|
|
61: }
|
|
62:
|
|
63:
|
|
64: } NKCELL < read = ReadNKCell , optimize = false > ;
|
|
65:
|
|
66: string ReadNKCell ( NKCELL & nk )
|
|
67: {
|
|
68: return nk . Name ;
|
|
69: }
|
|
70:
|
|
71: typedef struct ( int recordSize ) {
|
|
72: int Size ;
|
|
73: char Signature [ 2 ] < fgcolor = cBlack , bgcolor = 0xFF10 > ;
|
|
74: short NameLength < fgcolor = cBlack , bgcolor = cAqua > ;
|
|
75: int DataLength ;
|
|
76: int DataOffset ;
|
|
77: int Type ;
|
|
78: short Flags < format = binary > ;
|
|
79: short Spare ;
|
|
80: if ( NameLength > 0 )
|
|
81: {
|
|
82: char Name [ NameLength ] < fgcolor = cBlack , bgcolor = cLtAqua > ;
|
|
83: }
|
|
84: local int PaddingSize = recordSize - 0x18 - NameLength ;
|
|
85: if ( PaddingSize > 0 )
|
|
86: {
|
|
87: char Padding [ recordSize - 0x18 - NameLength ] ;
|
|
88: }
|
|
89:
|
|
90: } VKCELL < read = ReadVKCell , optimize = false > ;
|
|
91:
|
|
92: string ReadVKCell ( VKCELL & vk )
|
|
93: {
|
|
94: if ( vk . NameLength > 0 )
|
|
95: {
|
|
96: return vk . Name ;
|
|
97: }
|
|
98: else
|
|
99: {
|
|
100: return "(Default)" ;
|
|
101: }
|
|
102: }
|
|
103:
|
|
104:
|
|
105: typedef struct ( int recordSize ) {
|
|
106: byte AceType ;
|
|
107: byte AceFlags ;
|
|
108: short AceSize ;
|
|
109: int Mask < format = binary > ;
|
|
110: char SID [ AceSize - 8 ] ;
|
|
111:
|
|
112: } ACE < optimize = false > ;
|
|
113:
|
|
114: typedef struct ( int recordSize ) {
|
|
115: byte AclRevision ;
|
|
116: byte Sbz1 ;
|
|
117: short AclSize ;
|
|
118: short AceCount ;
|
|
119: short Sbz2 ;
|
|
120: if ( AclSize > 0 )
|
|
121: {
|
|
122: local int aceSize = 0 ;
|
|
123: local int i ;
|
|
124: for ( i = 0 ; i < AceCount ; i ++ )
|
|
125: {
|
|
126: aceSize = ReadInt ( FTell ( ) + 2 ) ;
|
|
127: ACE Ace ( aceSize ) ;
|
|
128: }
|
|
129: }
|
|
130:
|
|
131: } ACL < optimize = false > ;
|
|
132:
|
|
133: typedef struct ( int recordSize ) {
|
|
134: byte Revision ;
|
|
135: byte Spare ;
|
|
136: short ControlFlag < format = binary > ;
|
|
137: int OffsetToOwner ;
|
|
138: int OffsetToGroup ;
|
|
139: int OffsetToSACL ;
|
|
140: int OffsetToDACL ;
|
|
141:
|
|
142: local int sizeSACL = OffsetToDACL - OffsetToSACL ;
|
|
143: local int sizeDACL = OffsetToOwner - OffsetToDACL ;
|
|
144: local int sizeOwnerSid = OffsetToGroup - OffsetToOwner ;
|
|
145: local int sizeGroupSid = recordSize - OffsetToGroup ;
|
|
146:
|
|
147: if ( ( ControlFlag & 0x10 ) == 0x10 )
|
|
148: {
|
|
149: ACL SACL ( sizeSACL ) ;
|
|
150: }
|
|
151: if ( ( ControlFlag & 0x4 ) == 0x4 )
|
|
152: {
|
|
153: ACL DACL ( sizeDACL ) ;
|
|
154: }
|
|
155: char OwnerSID [ sizeOwnerSid ] ;
|
|
156: char GroupSID [ sizeGroupSid ] ;
|
|
157: } DESCRIPTOR < optimize = false > ;
|
|
158:
|
|
159: typedef struct ( int recordSize ) {
|
|
160: int Size ;
|
|
161: char Signature [ 2 ] < fgcolor = cBlack , bgcolor = 0xFF10 > ;
|
|
162: short Reserved ;
|
|
163: int Flink ;
|
|
164: int Blink ;
|
|
165: int ReferenceCount ;
|
|
166: int DescriptorLength ;
|
|
167: if ( DescriptorLength )
|
|
168: {
|
|
169: DESCRIPTOR Descriptor ( DescriptorLength ) ;
|
|
170: }
|
|
171:
|
|
172: local int PaddingSize = recordSize - 0x18 - DescriptorLength ;
|
|
173: if ( PaddingSize > 0 )
|
|
174: {
|
|
175: char Padding [ recordSize - 0x18 - DescriptorLength ] ;
|
|
176: }
|
|
177:
|
|
178: } SKCELL < optimize = false > ;
|
|
179:
|
|
180: typedef struct {
|
|
181: int Offset ;
|
|
182: char Hash [ 4 ] ;
|
|
183:
|
|
184: } LXOFFSET < optimize = false > ;
|
|
185:
|
|
186: typedef struct ( int recordSize ) {
|
|
187: int Size ;
|
|
188: char Signature [ 2 ] < fgcolor = cBlack , bgcolor = 0xFF10 > ;
|
|
189: short NumberOfOffsets ;
|
|
190: if ( NumberOfOffsets > 0 )
|
|
191: {
|
|
192: LXOFFSET offsets [ NumberOfOffsets ] ;
|
|
193: }
|
|
194:
|
|
195: local int PaddingSize = recordSize - 8 - ( 8 * NumberOfOffsets ) ;
|
|
196: if ( PaddingSize > 0 )
|
|
197: {
|
|
198: char Padding [ recordSize - 8 - ( 8 * NumberOfOffsets ) ] ;
|
|
199: }
|
|
200:
|
|
201: } LXLIST < optimize = false > ;
|
|
202:
|
|
203: typedef struct ( int recordSize ) {
|
|
204: int Size ;
|
|
205: char Signature [ 2 ] < fgcolor = cBlack , bgcolor = 0xFF10 > ;
|
|
206: short NumberOfOffsets ;
|
|
207: LXOFFSET offsets [ NumberOfOffsets ] ;
|
|
208:
|
|
209: } LILIST < optimize = false > ;
|
|
210:
|
|
211: typedef struct {
|
|
212: char HbinSignature [ 4 ] < fgcolor = cBlack , bgcolor = 0xFF10 > ;
|
|
213: int RelativeOffset ;
|
|
214: int SizeOfHbin ;
|
|
215: int Unknown1 ;
|
|
216: int Unknown2 ;
|
|
217: FILETIME Timestamp < fgcolor = cBlack , bgcolor = 0xDFF4FF > ;
|
|
218: int unknown3 ;
|
|
219:
|
|
220: local string sig ;
|
|
221:
|
|
222: local int index = 0 ;
|
|
223:
|
|
224: local int cellSize = ReadInt ( FTell ( ) ) ;
|
|
225:
|
|
226: while ( index < SizeOfHbin )
|
|
227: {
|
|
228: sig = GetCellSignature ( ) ;
|
|
229:
|
|
230: cellSize = ReadInt ( FTell ( ) ) ;
|
|
231:
|
|
232: if ( cellSize == 0 )
|
|
233: {
|
|
234: break ;
|
|
235: }
|
|
236:
|
|
237: switch ( sig )
|
|
238: {
|
|
239: case "nk" : NKCELL nk ( Abs ( cellSize ) ) ; break ;
|
|
240: case "sk" : SKCELL sk ( Abs ( cellSize ) ) ; break ;
|
|
241: case "vk" : VKCELL vk ( Abs ( cellSize ) ) ; break ;
|
|
242: case "li" : LILIST li ( Abs ( cellSize ) ) ; break ;
|
|
243: case "lf" : LXLIST lf ( Abs ( cellSize ) ) ; break ;
|
|
244: case "lh" : LXLIST lh ( Abs ( cellSize ) ) ; break ;
|
|
245: default :
|
|
246:
|
|
247: FSkip ( Abs ( cellSize ) ) ;
|
|
248: }
|
|
249:
|
|
250: index += Abs ( cellSize ) ;
|
|
251: }
|
|
252:
|
|
253: } HBINRECORD < size = SizeHbinRecord , optimize = false > ;
|
|
254:
|
|
255: int SizeHbinRecord ( HBINRECORD & r )
|
|
256: {
|
|
257: return ReadInt ( startof ( r ) + 8 ) ;
|
|
258: }
|
|
259:
|
|
260: char [ ] GetCellSignature ( )
|
|
261: {
|
|
262:
|
|
263: return ReadString ( FTell ( ) + 4 , 2 ) ;
|
|
264: }
|
|
265:
|
|
266: REGISTRYHEADER Header < bgcolor = cLtPurple > ;
|
|
267:
|
|
268: local int indexPosition = FTell ( ) ;
|
|
269:
|
|
270: local int indexPosStart = indexPosition ;
|
|
271:
|
|
272: local int absoluteEndPosition = Header . HbinTotalSize + 0x1000 ;
|
|
273:
|
|
274: while ( indexPosition < absoluteEndPosition )
|
|
275: {
|
|
276: HBINRECORD Hbin ;
|
|
277:
|
|
278: indexPosition += Hbin . SizeOfHbin ;
|
|
279: }
|
|
280:
|
|
281:
|
|
282: tok_eof |