dissect.regf.regf

Module Contents

Classes

Functions

decode_name

try_decode_sz

parse_value

read_null_terminated_wstring

Adapted function to read null terminated wide strings.

hashname

xor32_crc

Attributes

log

dissect.regf.regf.log
class dissect.regf.regf.RegistryHive(fh: BinaryIO)
fh
header
filename
hbin_offset = 4096
cell
root() -> IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue
read_cell_data(offset: int) -> bytes
read_cell(offset: int) -> IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue
parse_cell_data(data: bytes) -> IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue
open(path: str) -> IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue
walk() -> collections.abc.Iterator[tuple[int, bool, NamedKey | bytes]]
class dissect.regf.regf.NamedKey(hive: RegistryHive, data: bytes)
hive
nk
class_name = None
name
__repr__() -> str
property path: str
property timestamp: datetime.datetime
property subkey_list: IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue | None
subkeys() -> collections.abc.Iterator[IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue]
subkey(name: str) -> IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue
values() -> collections.abc.Iterator[KeyValue]
value(name: str) -> KeyValue
class dissect.regf.regf.KeyValue(hive: RegistryHive, data: bytes)
hive
kv
__repr__() -> str
property type: int
property data: bytes
property value: int | str | list[str] | bytes
class dissect.regf.regf.ValueList(hive: RegistryHive, data: bytes, count: int)
hive
__iter__() -> collections.abc.Iterator[KeyValue]
class dissect.regf.regf.IndexRoot(hive: RegistryHive, data: bytes)
hive
ir
__iter__() -> collections.abc.Iterator[IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue]
property num_elements: int
subkey(name: str) -> IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue | None
class dissect.regf.regf.IndexLeaf(hive: RegistryHive, data: bytes)
hive
il
__iter__() -> collections.abc.Iterator[IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue]
property num_elements: int
subkey(name: str) -> IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue | None
class dissect.regf.regf.HashLeaf(hive: RegistryHive, data: bytes)
hive
hl
__iter__() -> collections.abc.Iterator[IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue]
property num_elements: int
subkey(name: str) -> IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue | None
class dissect.regf.regf.FastLeaf(hive: RegistryHive, data: bytes)
hive
fl
__iter__() -> collections.abc.Iterator[IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue]
property num_elements: int
subkey(name: str) -> IndexLeaf | FastLeaf | HashLeaf | IndexRoot | NamedKey | KeyValue | None
dissect.regf.regf.decode_name(blob: bytes, size: int, is_comp_name: bool) -> str
dissect.regf.regf.try_decode_sz(data: bytes) -> str
dissect.regf.regf.parse_value(data_type: int, data: bytes) -> int | str | list[str] | bytes
dissect.regf.regf.read_null_terminated_wstring(stream: BinaryIO, encoding: str = 'utf-16-le') -> str

Adapted function to read null terminated wide strings.

cstruct's own way of reading these strings raises EOFError when the end of the stream is reached. That is reasonable behaviour in general, but it is not what this particular implementation wants, which is why this adapted reader exists.

dissect.regf.regf.hashname(name: str) -> int
dissect.regf.regf.xor32_crc(data: bytes) -> int