dissect.regf.c_regf
Module Contents
- dissect.regf.c_regf.c_regf_def = Multiline-String
"""
// Structure definitions for the registry hive (regf) on-disk layout, written
// in a C-like definition syntax. Every field below is read straight from the
// hive file, so when the hive comes from an untrusted or damaged source all
// offsets, counts and sizes must be treated as unvalidated input.
// NOTE(review): array sizes such as entries[num_elements] are not plain C;
// they are sized by a field read earlier in the same record.

// File header. The declared fields add up to 512 bytes
// (12 + 8 + 28 + 64 + 396 + 4).
struct REGF_HEADER {
    uint32 signature;
    // NOTE(review): in the regf format a mismatch between the two sequence
    // numbers is commonly described as marking an incomplete write. Confirm
    // how the reader treats that case.
    uint32 primary_sequence;
    uint32 secondary_sequence;
    uint64 last_modification_time;
    uint32 major_version;
    uint32 minor_version;
    uint32 file_type;
    uint32 file_format;
    // File-supplied offset and size: range-check before seeking or reading.
    uint32 root_key_offset;
    uint32 hive_bin_size;
    uint32 clustering_factor;
    char filename[64];
    char reserved[396];
    // Sits at byte offset 508, after all other header fields.
    // NOTE(review): whether the reader verifies it is not visible here.
    uint32 checksum;
};

// Hive bin header. The declared fields add up to 32 bytes.
struct HBIN_HEADER {
    uint32 signature;
    uint32 offset;
    // File-supplied bin size: check against the remaining file length.
    uint32 size;
    uint64 reserved;
    uint64 last_modification_time;
    uint32 spare;
};

// Sixteen one-bit flags packed into a single uint16 on a key node.
struct NK_FLAGS {
    uint16 Volatile:1;
    uint16 HiveExit:1;
    uint16 HiveEntry:1;
    uint16 NoDelete:1;
    uint16 SymLink:1;
    uint16 CompName:1;
    uint16 PredefinedHandle:1;
    uint16 VirtualSource:1;
    uint16 VirtualTarget:1;
    uint16 VirtualStore:1;
    // a through f carry no descriptive name here. They fill the remaining
    // six bits of the uint16.
    uint16 a:1;
    uint16 b:1;
    uint16 c:1;
    uint16 d:1;
    uint16 e:1;
    uint16 f:1;
};

// Key node record. Note that signature is declared as char[2] here, while
// the other records declare a uint16 signature.
struct NAMED_KEY {
    char signature[2];
    NK_FLAGS flags;
    uint64 last_written;
    uint32 access_bits;
    // The *_offset fields below are references chosen by the file. A crafted
    // hive can point them anywhere, including back at an ancestor key, so a
    // reader should range-check them and guard against reference loops.
    uint32 parent_key_offset;
    uint32 num_subkeys;
    uint32 num_volatile_subkeys;
    uint32 subkey_list_offset;
    uint32 volatile_subkey_list_offset;
    uint32 num_values;
    uint32 value_list_offset;
    uint32 security_key_offset;
    uint32 class_name_offset;
    uint32 largest_subkey_name_size;
    uint32 largest_subkey_classname_size;
    uint32 largest_value_name_size;
    uint32 largest_value_data_size;
    uint32 workvar;
    // Name lengths only. The name bytes are not part of this struct.
    // NOTE(review): presumably they follow the record - confirm in the reader.
    uint16 key_name_size;
    uint16 class_name_size;
};

// One entry of a HASH_LEAF subkey list.
struct HASH_LEAF_ENTRY {
    uint32 key_node_offset;
    uint32 name_hash;
};

// Subkey list whose entry count comes from the record itself. num_elements
// is a file-controlled uint16, so the parsed length of entries should be
// checked against the size of the enclosing cell.
// NOTE(review): no such bound is expressed in this definition.
struct HASH_LEAF {
    uint16 signature;
    uint16 num_elements;
    HASH_LEAF_ENTRY entries[num_elements];
};

// One entry of a FAST_LEAF subkey list, with a four-byte name hint.
struct FAST_LEAF_ENTRY {
    uint32 key_node_offset;
    char name_hint[4];
};

// Same shape as HASH_LEAF. The same file-controlled count applies.
struct FAST_LEAF {
    uint16 signature;
    uint16 num_elements;
    FAST_LEAF_ENTRY entries[num_elements];
};

// List of uint32 entries sized by num_elements.
// NOTE(review): what the entries reference is not stated here - presumably
// offsets to further lists. Confirm, and bound any recursion through them.
struct INDEX_ROOT {
    uint16 signature;
    uint16 num_elements;
    uint32 entries[num_elements];
};

// List of uint32 entries sized by num_elements, same layout as INDEX_ROOT.
struct INDEX_LEAF {
    uint16 signature;
    uint16 num_elements;
    uint32 entries[num_elements];
};

// Only two of the sixteen bits of the uint16 are named.
// NOTE(review): handling of the remaining bits is not visible here.
struct KEY_VALUE_FLAGS {
    uint16 CompName:1;
    uint16 Tombstone:1;
};

// Value record. name_length, data_size and data_offset are file-controlled.
struct KEY_VALUE {
    uint16 signature;
    uint16 name_length;
    // NOTE(review): in the regf format the top bit of data_size is commonly
    // described as marking data stored inline in data_offset. Confirm the
    // reader masks it before using the value as a length.
    uint32 data_size;
    uint32 data_offset;
    uint32 data_type;
    KEY_VALUE_FLAGS flags;
    uint16 spare;
};

// Security record. flink and blink are file-supplied links to other records.
struct KEY_SECURITY {
    uint16 signature;
    uint16 reserved;
    uint32 flink;
    uint32 blink;
    uint32 reference_count;
    // A full uint32 taken from the file sizes the array that follows, so a
    // crafted record can request a read of up to 4 GiB. Bound it against the
    // enclosing cell before parsing the descriptor.
    uint32 security_descriptor_size;
    char security_descriptor[security_descriptor_size];
};

// Descriptor for value data split across several segments.
struct BIG_DATA {
    uint16 signature;
    // File-controlled count and list offset: validate before walking.
    uint16 num_segments;
    uint32 segment_list_offset;
    // No descriptive name is given to this trailing field.
    uint32 a;
};
"""
- dissect.regf.c_regf.c_regf
- dissect.regf.c_regf.REG_NONE = 0
- dissect.regf.c_regf.REG_SZ = 1
- dissect.regf.c_regf.REG_EXPAND_SZ = 2
- dissect.regf.c_regf.REG_BINARY = 3
- dissect.regf.c_regf.REG_DWORD = 4
- dissect.regf.c_regf.REG_DWORD_BIG_ENDIAN = 5
- dissect.regf.c_regf.REG_LINK = 6
- dissect.regf.c_regf.REG_MULTI_SZ = 7
- dissect.regf.c_regf.REG_RESOURCE_LIST = 8
- dissect.regf.c_regf.REG_FULL_RESOURCE_DESCRIPTOR = 9
- dissect.regf.c_regf.REG_RESOURCE_REQUIREMENTS_LIST = 10
- dissect.regf.c_regf.REG_QWORD = 11