dissect.regf.regf

Module Contents

Classes

RegistryHive
Cell
KeyNode
ValueList
KeyValue
KeyIndex
IndexRoot
IndexLeaf
HashLeaf
FastLeaf
KeySecurity
BigData

Functions

decode_name
try_decode_sz
parse_value
read_null_terminated_wstring	Adapted function to read null terminated wide strings.
hashname
xor32_crc

Attributes

log
CellType
STABLE
VOLATILE

dissect.regf.regf.log

type dissect.regf.regf.CellType = 'IndexLeaf | FastLeaf | HashLeaf | IndexRoot | KeyNode | KeyValue'

dissect.regf.regf.STABLE = 0

dissect.regf.regf.VOLATILE = 1

class dissect.regf.regf.RegistryHive(fh: BinaryIO)

fh

header

version

filename

dirty

in_transaction

cell

root() → KeyNode

cell_data(offset: int) → bytes

parse_cell_data(data: bytes) → CellType

open(path: str) → CellType

walk() → collections.abc.Iterator[tuple[int, bool, CellType | bytes]]

class dissect.regf.regf.Cell(hive: RegistryHive, data: bytes, strict: bool = True)

__signature__ = b''

__struct__ = None

hive

cell

class dissect.regf.regf.KeyNode(hive: RegistryHive, data: bytes)

Bases: Cell

__signature__ = b'nk'

__struct__

class_name = None

name

__repr__() → str

property timestamp: datetime.datetime

property path: str

subkeys() → collections.abc.Iterator[KeyNode]

subkey(name: str) → KeyNode

values() → collections.abc.Iterator[KeyValue]

value(name: str) → KeyValue

class dissect.regf.regf.ValueList(hive: RegistryHive, data: bytes, count: int)

hive

__iter__() → collections.abc.Iterator[KeyValue]

class dissect.regf.regf.KeyValue(hive: RegistryHive, data: bytes)

Bases: Cell

__signature__ = b'vk'

__struct__

__repr__() → str

property type: int

property size: int

property is_big_value: bool

property data: bytes

property value: int | str | list[str] | bytes

class dissect.regf.regf.KeyIndex(hive: RegistryHive, data: bytes, strict: bool = True)

Bases: Cell

abstract __len__() → int

abstract __iter__() → collections.abc.Iterator[KeyNode]

property count: int

Abstractmethod:

abstract subkey(name: str) → KeyNode | None

class dissect.regf.regf.IndexRoot(hive: RegistryHive, data: bytes, strict: bool = True)

Bases: KeyIndex

__signature__ = b'ri'

__struct__

__len__() → int

__iter__() → collections.abc.Iterator[KeyNode]

property count: int

subkey(name: str) → KeyNode | None

class dissect.regf.regf.IndexLeaf(hive: RegistryHive, data: bytes, strict: bool = True)

Bases: KeyIndex

__signature__ = b'li'

__struct__

__len__() → int

__iter__() → collections.abc.Iterator[KeyNode]

property count: int

subkey(name: str) → KeyNode | None

class dissect.regf.regf.HashLeaf(hive: RegistryHive, data: bytes, strict: bool = True)

Bases: KeyIndex

__signature__ = b'lh'

__struct__

__len__() → int

__iter__() → collections.abc.Iterator[KeyNode]

property count: int

subkey(name: str) → KeyNode | None

class dissect.regf.regf.FastLeaf(hive: RegistryHive, data: bytes, strict: bool = True)

Bases: KeyIndex

__signature__ = b'lf'

__struct__

__len__() → int

__iter__() → collections.abc.Iterator[KeyNode]

property count: int

subkey(name: str) → KeyNode | None

class dissect.regf.regf.KeySecurity(hive: RegistryHive, data: bytes, strict: bool = True)

Bases: Cell

__signature__ = b'sk'

__struct__

class dissect.regf.regf.BigData(hive: RegistryHive, data: bytes, strict: bool = True)

Bases: Cell

__signature__ = b'db'

__struct__

property data: bytes

dissect.regf.regf.decode_name(blob: bytes, size: int, is_comp_name: bool) → str

dissect.regf.regf.try_decode_sz(data: bytes) → str

dissect.regf.regf.parse_value(data_type: int, data: bytes) → int | str | list[str] | bytes

dissect.regf.regf.read_null_terminated_wstring(stream: BinaryIO, encoding: str = 'utf-16-le') → str

Adapted function to read null terminated wide strings.

The cstruct way raises EOFError when the end of the stream is reached. This is fine, but not what we want for this particular implementation.

dissect.regf.regf.hashname(name: str) → int

dissect.regf.regf.xor32_crc(data: bytes) → int