regparser

package module
v0.0.0-...-2169ac0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Apr 4, 2024 License: Apache-2.0 Imports: 14 Imported by: 7

Documentation

Index

Constants

// Registry value type codes. ValueData.Type carries one of these
// ("REG_SZ etc.") and RegTypeToString converts a code to its name.
// The numeric values are those of the REG_* constants in the Windows API.
const (
	REG_NONE                       = 0x00000000
	REG_SZ                         = 0x00000001
	REG_EXPAND_SZ                  = 0x00000002
	REG_BINARY                     = 0x00000003
	REG_DWORD                      = 0x00000004
	REG_DWORD_LITTLE_ENDIAN        = 0x00000004 // same value as REG_DWORD
	REG_DWORD_BIG_ENDIAN           = 0x00000005
	REG_LINK                       = 0x00000006
	REG_MULTI_SZ                   = 0x00000007
	REG_RESOURCE_LIST              = 0x00000008
	REG_FULL_RESOURCE_DESCRIPTOR   = 0x00000009
	REG_RESOURCE_REQUIREMENTS_LIST = 0x0000000a
	REG_QWORD                      = 0x0000000b

	// REG_UNKNOWN lies outside the sequential codes above.
	// NOTE(review): presumably the fallback for a type code the parser
	// does not recognise. The type code comes from the hive file, so
	// callers should expect values that are not in this list — confirm
	// against RegTypeToString and CM_KEY_VALUE.Type.
	REG_UNKNOWN = 0xffffffff
)

Variables

This section is empty.

Functions

func DebugPrint

func DebugPrint(fmt_str string, v ...interface{})

func ParseArray_byte

func ParseArray_byte(profile *RegistryProfile, reader io.ReaderAt, offset int64, count int) []byte

func ParseArray_uint32

func ParseArray_uint32(profile *RegistryProfile, reader io.ReaderAt, offset int64, count int) []uint32

func ParseInt32

func ParseInt32(reader io.ReaderAt, offset int64) int32

func ParseInt64

func ParseInt64(reader io.ReaderAt, offset int64) int64

func ParseSafeArray_byte

func ParseSafeArray_byte(reader io.ReaderAt, offset int64, count int) []byte

func ParseSafeArray_uint32

func ParseSafeArray_uint32(reader io.ReaderAt, offset int64, count int) []uint32

func ParseTerminatedUTF16String

func ParseTerminatedUTF16String(reader io.ReaderAt, offset int64) string

func ParseUTF16String

func ParseUTF16String(reader io.ReaderAt, offset int64, length int64) string

func ParseUint16

func ParseUint16(reader io.ReaderAt, offset int64) uint16

func ParseUint32

func ParseUint32(reader io.ReaderAt, offset int64) uint32

func ParseUint64

func ParseUint64(reader io.ReaderAt, offset int64) uint64

func ParseUint8

func ParseUint8(reader io.ReaderAt, offset int64) byte

func RecoverHive

func RecoverHive(hive *os.File, logFiles ...*os.File) (*os.File, error)

RecoverHive copies the hive to another file and applies the dirty pages from the log files.

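Returns a File object pointing to the recovered hive. The caller is responsible for deleting the recovered hive file; because it is a copy of the hive, it holds the same registry data as the original and should be removed once it is no longer needed.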

func RegTypeToString

func RegTypeToString(reg_type uint32) string

func SplitComponents

func SplitComponents(path string) []string

func UTF16BytesToUTF8

func UTF16BytesToUTF8(b []byte, o binary.ByteOrder) string

Types

type CHILD_LIST

// CHILD_LIST is the list structure returned by CM_KEY_NODE.ValueList and
// created by RegistryProfile.CHILD_LIST(reader, offset). Its accessors are
// Count and List.
// NOTE(review): Count and List are presumably read from the hive file as-is,
// so treat them as untrusted when sizing or following them — confirm.
type CHILD_LIST struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *RegistryProfile
}

func (*CHILD_LIST) Count

func (self *CHILD_LIST) Count() uint32

func (*CHILD_LIST) List

func (self *CHILD_LIST) List() uint32

func (*CHILD_LIST) Size

func (self *CHILD_LIST) Size() int

type CM_BIG_DATA

// CM_BIG_DATA is created by RegistryProfile.CM_BIG_DATA(reader, offset) and
// exposes Signature, Count and List accessors.
// NOTE(review): the name suggests the record used for value data that does
// not fit in a single cell — confirm against CM_KEY_VALUE.ValueData.
type CM_BIG_DATA struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *RegistryProfile
}

func (*CM_BIG_DATA) Count

func (self *CM_BIG_DATA) Count() uint16

func (*CM_BIG_DATA) List

func (self *CM_BIG_DATA) List() uint32

func (*CM_BIG_DATA) Signature

func (self *CM_BIG_DATA) Signature() uint16

func (*CM_BIG_DATA) Size

func (self *CM_BIG_DATA) Size() int

type CM_KEY_INDEX

// CM_KEY_INDEX is a subkey index node (an "ri" or "li" node, per
// HCELL.KeyIndex). Subkeys extracts the subkeys from the index; List returns
// the raw uint32 entries and Count their number as stored in the node.
type CM_KEY_INDEX struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *RegistryProfile
}

func (*CM_KEY_INDEX) Count

func (self *CM_KEY_INDEX) Count() uint16

func (*CM_KEY_INDEX) List

func (self *CM_KEY_INDEX) List() []uint32

func (*CM_KEY_INDEX) Signature

func (self *CM_KEY_INDEX) Signature() uint16

func (*CM_KEY_INDEX) Size

func (self *CM_KEY_INDEX) Size() int

func (*CM_KEY_INDEX) Subkeys

func (self *CM_KEY_INDEX) Subkeys() []*CM_KEY_NODE

Extract subkeys from the index.

type CM_KEY_INDEX_FAST

// CM_KEY_INDEX_FAST is a fast subkey index node (an "lf" or "lh" node, per
// HCELL.KeyIndexFast). Subkeys extracts all subkeys stored in the index.
type CM_KEY_INDEX_FAST struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *RegistryProfile
}

func (*CM_KEY_INDEX_FAST) Count

func (self *CM_KEY_INDEX_FAST) Count() uint16

func (*CM_KEY_INDEX_FAST) List

func (*CM_KEY_INDEX_FAST) Signature

func (self *CM_KEY_INDEX_FAST) Signature() uint16

func (*CM_KEY_INDEX_FAST) Size

func (self *CM_KEY_INDEX_FAST) Size() int

func (*CM_KEY_INDEX_FAST) Subkeys

func (self *CM_KEY_INDEX_FAST) Subkeys() []*CM_KEY_NODE

Extract all subkeys stored in the fast index.

type CM_KEY_INDEX_FAST_ELEMENT

// CM_KEY_INDEX_FAST_ELEMENT is one element of a fast index, exposing
// NodeOffset and Index. ParseArray_CM_KEY_INDEX_FAST_ELEMENT and
// ParseSafeArray_CM_KEY_INDEX_FAST_ELEMENT return slices of these.
// NOTE(review): the difference between the two parsers is not documented on
// this page; check which one bounds the count before using either on a hive
// of unknown origin.
type CM_KEY_INDEX_FAST_ELEMENT struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *RegistryProfile
}

func ParseArray_CM_KEY_INDEX_FAST_ELEMENT

func ParseArray_CM_KEY_INDEX_FAST_ELEMENT(profile *RegistryProfile, reader io.ReaderAt, offset int64, count int) []*CM_KEY_INDEX_FAST_ELEMENT

func ParseSafeArray_CM_KEY_INDEX_FAST_ELEMENT

func ParseSafeArray_CM_KEY_INDEX_FAST_ELEMENT(profile *RegistryProfile, reader io.ReaderAt, offset int64, count int) []*CM_KEY_INDEX_FAST_ELEMENT

func (*CM_KEY_INDEX_FAST_ELEMENT) Index

func (self *CM_KEY_INDEX_FAST_ELEMENT) Index() uint32

func (*CM_KEY_INDEX_FAST_ELEMENT) NodeOffset

func (self *CM_KEY_INDEX_FAST_ELEMENT) NodeOffset() uint32

func (*CM_KEY_INDEX_FAST_ELEMENT) Size

func (self *CM_KEY_INDEX_FAST_ELEMENT) Size() int

type CM_KEY_NODE

// CM_KEY_NODE is a registry key node (an "nk" node, per HCELL.KeyNode).
// Name returns the key's own name without its parent path, Subkeys
// enumerates child keys regardless of index type, and Values returns the
// values stored under the key.
type CM_KEY_NODE struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *RegistryProfile
}

func (*CM_KEY_NODE) ChildHiveReference

func (self *CM_KEY_NODE) ChildHiveReference() *HCELL

func (*CM_KEY_NODE) Class

func (self *CM_KEY_NODE) Class() uint32

func (*CM_KEY_NODE) ClassLength

func (self *CM_KEY_NODE) ClassLength() uint16

func (*CM_KEY_NODE) Debug

func (self *CM_KEY_NODE) Debug() uint64

func (*CM_KEY_NODE) Flags

func (self *CM_KEY_NODE) Flags() uint16

func (*CM_KEY_NODE) LastWriteTime

func (self *CM_KEY_NODE) LastWriteTime() *FileTime

func (*CM_KEY_NODE) MaxClassLen

func (self *CM_KEY_NODE) MaxClassLen() uint32

func (*CM_KEY_NODE) MaxNameLen

func (self *CM_KEY_NODE) MaxNameLen() uint64

func (*CM_KEY_NODE) MaxValueDataLen

func (self *CM_KEY_NODE) MaxValueDataLen() uint32

func (*CM_KEY_NODE) MaxValueNameLen

func (self *CM_KEY_NODE) MaxValueNameLen() uint32

func (*CM_KEY_NODE) Name

func (self *CM_KEY_NODE) Name() string

The name of a key. This does not include the full path through its parents.

func (*CM_KEY_NODE) NameLength

func (self *CM_KEY_NODE) NameLength() uint16

func (*CM_KEY_NODE) Parent

func (self *CM_KEY_NODE) Parent() uint32

func (*CM_KEY_NODE) Security

func (self *CM_KEY_NODE) Security() uint32

func (*CM_KEY_NODE) Signature

func (self *CM_KEY_NODE) Signature() uint16

func (*CM_KEY_NODE) Size

func (self *CM_KEY_NODE) Size() int

func (*CM_KEY_NODE) Spare

func (self *CM_KEY_NODE) Spare() uint32

func (*CM_KEY_NODE) SubKeyCounts

func (self *CM_KEY_NODE) SubKeyCounts() []uint32

func (*CM_KEY_NODE) SubKeyLists

func (self *CM_KEY_NODE) SubKeyLists() []uint32

func (*CM_KEY_NODE) Subkeys

func (self *CM_KEY_NODE) Subkeys() []*CM_KEY_NODE

This is a convenience method for enumerating the subkeys of a CM_KEY_NODE. Each _CM_KEY_NODE can point to a number of different types of index nodes. This method deals with the different types of indexes and just returns a list of subkeys regardless of the type of indexes.

func (*CM_KEY_NODE) UserFlags

func (self *CM_KEY_NODE) UserFlags() uint64

func (*CM_KEY_NODE) ValueList

func (self *CM_KEY_NODE) ValueList() *CHILD_LIST

func (*CM_KEY_NODE) Values

func (self *CM_KEY_NODE) Values() []*CM_KEY_VALUE

A convenience method for extracting the Values contained under a key.

func (*CM_KEY_NODE) VirtControlFlags

func (self *CM_KEY_NODE) VirtControlFlags() uint64

func (*CM_KEY_NODE) WorkVar

func (self *CM_KEY_NODE) WorkVar() uint32

type CM_KEY_VALUE

// CM_KEY_VALUE is a registry value node (a "vk" node, per HCELL.KeyValue).
// ValueName returns the value's name (empty for the default value),
// TypeString its type as a string, and ValueData the decoded data.
// ValueData returns no separate error; parse failures are reported in the
// Error field of the returned ValueData.
type CM_KEY_VALUE struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *RegistryProfile
}

func (*CM_KEY_VALUE) Data

func (self *CM_KEY_VALUE) Data() uint32

func (*CM_KEY_VALUE) DataLength

func (self *CM_KEY_VALUE) DataLength() uint32

func (*CM_KEY_VALUE) DataSize

func (self *CM_KEY_VALUE) DataSize() int64

func (*CM_KEY_VALUE) Flags

func (self *CM_KEY_VALUE) Flags() uint16

func (*CM_KEY_VALUE) Name

func (self *CM_KEY_VALUE) Name() string

func (*CM_KEY_VALUE) NameLength

func (self *CM_KEY_VALUE) NameLength() uint16

func (*CM_KEY_VALUE) Signature

func (self *CM_KEY_VALUE) Signature() uint16

func (*CM_KEY_VALUE) Size

func (self *CM_KEY_VALUE) Size() int

func (*CM_KEY_VALUE) Spare

func (self *CM_KEY_VALUE) Spare() uint16

func (*CM_KEY_VALUE) Type

func (self *CM_KEY_VALUE) Type() uint32

func (*CM_KEY_VALUE) TypeString

func (self *CM_KEY_VALUE) TypeString() string

Convert the registry type to a string.

func (*CM_KEY_VALUE) ValueData

func (self *CM_KEY_VALUE) ValueData() *ValueData

Parse out the data from the value into a Go ValueData type.

func (*CM_KEY_VALUE) ValueName

func (self *CM_KEY_VALUE) ValueName() string

The name of this value (empty string means default value).

type DirtyPage

// DirtyPage describes one page of data taken from a log file.
// HIVE_LOG_ENTRY.GetDirtyPages returns these, Data returns the page bytes or
// an error, and RecoverHive is documented as applying the dirty pages from
// the log files to a copy of the hive.
// NOTE(review): PageOffset and PageSize presumably come from the log file
// (HIVE_DIRTY_PAGE_REF has accessors of the same names), so a consumer
// should bounds-check them against the hive before writing — confirm how
// Data and RecoverHive handle out-of-range values.
type DirtyPage struct {
	Reader     io.ReaderAt
	DataOffset int64
	PageOffset uint32
	PageSize   uint32
}

func (DirtyPage) Data

func (self DirtyPage) Data() ([]byte, error)

type FileTime

// FileTime wraps a time.Time for a timestamp stored in Windows filetime
// format. time.Time is embedded, so its methods are available directly on a
// FileTime.
type FileTime struct {
	time.Time
}

A FileTime object is a timestamp in windows filetime format.

func (*FileTime) DebugString

func (self *FileTime) DebugString() string

func (*FileTime) GoString

func (self *FileTime) GoString() string

type GUID

// GUID is created by RegistryProfile.GUID(reader, offset) and exposes the
// four parts of a GUID: Data1 (uint32), Data2 and Data3 (uint16) and Data4
// ([]byte). HBASE_BLOCK returns these for its LogId, RmId, TmId and Thaw*
// fields.
type GUID struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *RegistryProfile
}

func (*GUID) Data1

func (self *GUID) Data1() uint32

func (*GUID) Data2

func (self *GUID) Data2() uint16

func (*GUID) Data3

func (self *GUID) Data3() uint16

func (*GUID) Data4

func (self *GUID) Data4() []byte

func (*GUID) Size

func (self *GUID) Size() int

type HBASE_BLOCK

// HBASE_BLOCK is the file header block at the start of the registry file.
// Registry.BaseBlock holds one. Its accessors expose the header fields
// (Signature, Sequence1, Sequence2, TimeStamp, RootCell, CheckSum, ...) and
// HiveBin returns an HBIN.
// NOTE(review): no accessor returns an error, so a short or corrupt header
// presumably yields zero values rather than a failure — confirm, and
// validate Signature before trusting the other fields.
type HBASE_BLOCK struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *RegistryProfile
}

func (*HBASE_BLOCK) BootRecover

func (self *HBASE_BLOCK) BootRecover() uint32

func (*HBASE_BLOCK) BootType

func (self *HBASE_BLOCK) BootType() uint32

func (*HBASE_BLOCK) CheckSum

func (self *HBASE_BLOCK) CheckSum() uint32

func (*HBASE_BLOCK) Cluster

func (self *HBASE_BLOCK) Cluster() uint32

func (*HBASE_BLOCK) FileName

func (self *HBASE_BLOCK) FileName() string

func (*HBASE_BLOCK) Flags

func (self *HBASE_BLOCK) Flags() uint32

func (*HBASE_BLOCK) Format

func (self *HBASE_BLOCK) Format() uint32

func (*HBASE_BLOCK) GuidSignature

func (self *HBASE_BLOCK) GuidSignature() uint32

func (*HBASE_BLOCK) HiveBin

func (self *HBASE_BLOCK) HiveBin() *HBIN

HBASE_BLOCK is the file header block at the start of the registry file.

func (*HBASE_BLOCK) Length

func (self *HBASE_BLOCK) Length() uint32

func (*HBASE_BLOCK) LogId

func (self *HBASE_BLOCK) LogId() *GUID

func (*HBASE_BLOCK) Major

func (self *HBASE_BLOCK) Major() uint32

func (*HBASE_BLOCK) Minor

func (self *HBASE_BLOCK) Minor() uint32

func (*HBASE_BLOCK) Reserved1

func (self *HBASE_BLOCK) Reserved1() []uint32

func (*HBASE_BLOCK) Reserved2

func (self *HBASE_BLOCK) Reserved2() []uint32

func (*HBASE_BLOCK) RmId

func (self *HBASE_BLOCK) RmId() *GUID

func (*HBASE_BLOCK) RootCell

func (self *HBASE_BLOCK) RootCell() uint32

func (*HBASE_BLOCK) Sequence1

func (self *HBASE_BLOCK) Sequence1() uint32

func (*HBASE_BLOCK) Sequence2

func (self *HBASE_BLOCK) Sequence2() uint32

func (*HBASE_BLOCK) Signature

func (self *HBASE_BLOCK) Signature() uint32

func (*HBASE_BLOCK) Size

func (self *HBASE_BLOCK) Size() int

func (*HBASE_BLOCK) ThawLogId

func (self *HBASE_BLOCK) ThawLogId() *GUID

func (*HBASE_BLOCK) ThawRmId

func (self *HBASE_BLOCK) ThawRmId() *GUID

func (*HBASE_BLOCK) ThawTmId

func (self *HBASE_BLOCK) ThawTmId() *GUID

func (*HBASE_BLOCK) TimeStamp

func (self *HBASE_BLOCK) TimeStamp() *FileTime

func (*HBASE_BLOCK) TmId

func (self *HBASE_BLOCK) TmId() *GUID

func (*HBASE_BLOCK) Type

func (self *HBASE_BLOCK) Type() uint32

type HBIN

// HBIN is the hive bin structure returned by HBASE_BLOCK.HiveBin and created
// by RegistryProfile.HBIN(reader, offset). Its accessors are Signature,
// FileOffset, HbinSize, Reserved1, Spare and TimeStamp.
type HBIN struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *RegistryProfile
}

func (*HBIN) FileOffset

func (self *HBIN) FileOffset() uint32

func (*HBIN) HbinSize

func (self *HBIN) HbinSize() uint32

func (*HBIN) Reserved1

func (self *HBIN) Reserved1() []uint32

func (*HBIN) Signature

func (self *HBIN) Signature() uint32

func (*HBIN) Size

func (self *HBIN) Size() int

func (*HBIN) Spare

func (self *HBIN) Spare() uint32

func (*HBIN) TimeStamp

func (self *HBIN) TimeStamp() *FileTime

type HCELL

// HCELL is the main container of the registry file: all data in the file is
// held in cells. The convenience methods extract what a cell contains:
// KeyNode (nk), KeyValue (vk), KeyIndex (ri or li) and KeyIndexFast (lf or
// lh) each return nil when the cell does not hold that type. Allocated
// reports whether the cell is allocated, DataSize the size of its payload
// and Payload the payload's offset.
type HCELL struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *RegistryProfile
}

func (*HCELL) Allocated

func (self *HCELL) Allocated() bool

Cells may be allocated or not.

func (*HCELL) Data

func (self *HCELL) Data() []byte

func (*HCELL) DataSize

func (self *HCELL) DataSize() uint32

This method returns the actual size of the cell's data payload.

func (*HCELL) KeyIndex

func (self *HCELL) KeyIndex() *CM_KEY_INDEX

If the HCELL contains a CM_KEY_INDEX (ri or li node) then this method returns it. Otherwise it returns nil.

func (*HCELL) KeyIndexFast

func (self *HCELL) KeyIndexFast() *CM_KEY_INDEX_FAST

If the HCELL contains a CM_KEY_INDEX_FAST (lf or lh node) then this method returns it. Otherwise it returns nil.

func (*HCELL) KeyNode

func (self *HCELL) KeyNode() *CM_KEY_NODE

If the HCELL contains a CM_KEY_NODE (nk node) then this method returns it. Otherwise it returns nil.

func (*HCELL) KeyValue

func (self *HCELL) KeyValue() *CM_KEY_VALUE

If the HCELL contains a CM_KEY_VALUE (vk node) then this method returns it. Otherwise it returns nil.

func (*HCELL) Next

func (self *HCELL) Next() uint32

func (*HCELL) NextCell

func (self *HCELL) NextCell() *HCELL

All data in the registry file is contained in cells. The HCELL struct is the main container for everything. We add many convenience methods on this structure to be able to extract the various things contained inside the cell.

func (*HCELL) Payload

func (self *HCELL) Payload() int64

The offset of the cell's payload.

func (*HCELL) Signature

func (self *HCELL) Signature() uint16

func (*HCELL) Size

func (self *HCELL) Size() int

type HIVE_DIRTY_PAGE_REF

// HIVE_DIRTY_PAGE_REF is a reference to one dirty page, exposing PageOffset
// and PageSize. HIVE_LOG_ENTRY.DirtyPageRefs and
// ParseArray_HIVE_DIRTY_PAGE_REF return slices of these.
type HIVE_DIRTY_PAGE_REF struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *RegistryProfile
}

func ParseArray_HIVE_DIRTY_PAGE_REF

func ParseArray_HIVE_DIRTY_PAGE_REF(profile *RegistryProfile, reader io.ReaderAt, offset int64, count int) []*HIVE_DIRTY_PAGE_REF

func (*HIVE_DIRTY_PAGE_REF) PageOffset

func (self *HIVE_DIRTY_PAGE_REF) PageOffset() uint32

func (*HIVE_DIRTY_PAGE_REF) PageSize

func (self *HIVE_DIRTY_PAGE_REF) PageSize() uint32

func (*HIVE_DIRTY_PAGE_REF) Size

func (self *HIVE_DIRTY_PAGE_REF) Size() int

type HIVE_LOG_ENTRY

// HIVE_LOG_ENTRY is one entry of a hive log file. Its accessors expose
// Signature, LogEntrySize, Flags, SequenceNumber, HiveBinsDataSize,
// DirtyPagesCount, Hash1 and Hash2; DirtyPageRefs and GetDirtyPages return
// the pages the entry carries.
// NOTE(review): this page does not say whether Hash1 and Hash2 are verified
// before an entry's pages are used — confirm in RecoverHive.
type HIVE_LOG_ENTRY struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *RegistryProfile
}

func (*HIVE_LOG_ENTRY) DirtyPageRefs

func (self *HIVE_LOG_ENTRY) DirtyPageRefs() []*HIVE_DIRTY_PAGE_REF

func (*HIVE_LOG_ENTRY) DirtyPagesCount

func (self *HIVE_LOG_ENTRY) DirtyPagesCount() uint32

func (*HIVE_LOG_ENTRY) Flags

func (self *HIVE_LOG_ENTRY) Flags() uint32

func (HIVE_LOG_ENTRY) GetDirtyPages

func (self HIVE_LOG_ENTRY) GetDirtyPages() []*DirtyPage

func (*HIVE_LOG_ENTRY) Hash1

func (self *HIVE_LOG_ENTRY) Hash1() uint64

func (*HIVE_LOG_ENTRY) Hash2

func (self *HIVE_LOG_ENTRY) Hash2() uint64

func (*HIVE_LOG_ENTRY) HiveBinsDataSize

func (self *HIVE_LOG_ENTRY) HiveBinsDataSize() uint32

func (*HIVE_LOG_ENTRY) LogEntrySize

func (self *HIVE_LOG_ENTRY) LogEntrySize() uint32

func (*HIVE_LOG_ENTRY) SequenceNumber

func (self *HIVE_LOG_ENTRY) SequenceNumber() uint32

func (*HIVE_LOG_ENTRY) Signature

func (self *HIVE_LOG_ENTRY) Signature() uint32

func (*HIVE_LOG_ENTRY) Size

func (self *HIVE_LOG_ENTRY) Size() int

type LARGE_INTEGER

// LARGE_INTEGER is created by RegistryProfile.LARGE_INTEGER(reader, offset)
// and exposes a 64-bit value as QuadPart (int64) or as its LowPart (uint32)
// and HighPart (int32) halves.
type LARGE_INTEGER struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *RegistryProfile
}

func (*LARGE_INTEGER) HighPart

func (self *LARGE_INTEGER) HighPart() int32

func (*LARGE_INTEGER) LowPart

func (self *LARGE_INTEGER) LowPart() uint32

func (*LARGE_INTEGER) QuadPart

func (self *LARGE_INTEGER) QuadPart() int64

func (*LARGE_INTEGER) Size

func (self *LARGE_INTEGER) Size() int

type Registry

// Registry models a registry hive. NewRegistry builds one from an
// io.ReaderAt and may return an error; OpenKey opens a key by path.
// NOTE(review): OpenKey returns only *CM_KEY_NODE, so a missing key is
// presumably reported as nil — confirm, and nil-check the result.
type Registry struct {
	Reader io.ReaderAt

	Profile   *RegistryProfile
	BaseBlock *HBASE_BLOCK // the file header block at the start of the registry file
}

Model a registry hive with this object.

func NewRegistry

func NewRegistry(reader io.ReaderAt) (*Registry, error)

func (*Registry) OpenKey

func (self *Registry) OpenKey(key_path string) *CM_KEY_NODE

A helper method to open a key by path.

type RegistryProfile

// RegistryProfile holds one int64 per structure field, named
// Off_<STRUCT>_<Field>, and is returned by NewRegistryProfile. It is also the
// factory for the structure wrappers: profile.HCELL(reader, offset),
// profile.CM_KEY_NODE(reader, offset) and so on.
// NOTE(review): each value is presumably the byte offset of that field from
// the start of its structure — confirm against NewRegistryProfile.
type RegistryProfile struct {
	Off_HIVE_DIRTY_PAGE_REF_PageOffset       int64
	Off_HIVE_DIRTY_PAGE_REF_PageSize         int64
	Off_HIVE_LOG_ENTRY_Signature             int64
	Off_HIVE_LOG_ENTRY_LogEntrySize          int64
	Off_HIVE_LOG_ENTRY_Flags                 int64
	Off_HIVE_LOG_ENTRY_SequenceNumber        int64
	Off_HIVE_LOG_ENTRY_HiveBinsDataSize      int64
	Off_HIVE_LOG_ENTRY_DirtyPagesCount       int64
	Off_HIVE_LOG_ENTRY_Hash1                 int64
	Off_HIVE_LOG_ENTRY_Hash2                 int64
	Off_HIVE_LOG_ENTRY_DirtyPageRefs         int64
	Off_CHILD_LIST_Count                     int64
	Off_CHILD_LIST_List                      int64
	Off_CM_BIG_DATA_Count                    int64
	Off_CM_BIG_DATA_List                     int64
	Off_CM_BIG_DATA_Signature                int64
	Off_CM_KEY_INDEX_Count                   int64
	Off_CM_KEY_INDEX_List                    int64
	Off_CM_KEY_INDEX_Signature               int64
	Off_CM_KEY_INDEX_FAST_Count              int64
	Off_CM_KEY_INDEX_FAST_List               int64
	Off_CM_KEY_INDEX_FAST_Signature          int64
	Off_CM_KEY_INDEX_FAST_ELEMENT_NodeOffset int64
	Off_CM_KEY_INDEX_FAST_ELEMENT_Index      int64
	Off_CM_KEY_NODE_ChildHiveReference       int64
	Off_CM_KEY_NODE_Class                    int64
	Off_CM_KEY_NODE_ClassLength              int64
	Off_CM_KEY_NODE_Debug                    int64
	Off_CM_KEY_NODE_Flags                    int64
	Off_CM_KEY_NODE_LastWriteTime            int64
	Off_CM_KEY_NODE_MaxClassLen              int64
	Off_CM_KEY_NODE_MaxNameLen               int64
	Off_CM_KEY_NODE_MaxValueDataLen          int64
	Off_CM_KEY_NODE_MaxValueNameLen          int64
	Off_CM_KEY_NODE__Name                    int64
	Off_CM_KEY_NODE_NameLength               int64
	Off_CM_KEY_NODE_Parent                   int64
	Off_CM_KEY_NODE_Security                 int64
	Off_CM_KEY_NODE_Signature                int64
	Off_CM_KEY_NODE_Spare                    int64
	Off_CM_KEY_NODE_SubKeyCounts             int64
	Off_CM_KEY_NODE_SubKeyLists              int64
	Off_CM_KEY_NODE_UserFlags                int64
	Off_CM_KEY_NODE_ValueList                int64
	Off_CM_KEY_NODE_VirtControlFlags         int64
	Off_CM_KEY_NODE_WorkVar                  int64
	Off_CM_KEY_VALUE_Data                    int64
	Off_CM_KEY_VALUE_DataLength              int64
	Off_CM_KEY_VALUE_Flags                   int64
	Off_CM_KEY_VALUE_Name                    int64
	Off_CM_KEY_VALUE_NameLength              int64
	Off_CM_KEY_VALUE_Signature               int64
	Off_CM_KEY_VALUE_Spare                   int64
	Off_CM_KEY_VALUE_Type                    int64
	Off_GUID_Data1                           int64
	Off_GUID_Data2                           int64
	Off_GUID_Data3                           int64
	Off_GUID_Data4                           int64
	Off_HBASE_BLOCK_BootRecover              int64
	Off_HBASE_BLOCK_BootType                 int64
	Off_HBASE_BLOCK_CheckSum                 int64
	Off_HBASE_BLOCK_Cluster                  int64
	Off_HBASE_BLOCK_FileName                 int64
	Off_HBASE_BLOCK_Flags                    int64
	Off_HBASE_BLOCK_Format                   int64
	Off_HBASE_BLOCK_GuidSignature            int64
	Off_HBASE_BLOCK_Length                   int64
	Off_HBASE_BLOCK_LogId                    int64
	Off_HBASE_BLOCK_Major                    int64
	Off_HBASE_BLOCK_Minor                    int64
	Off_HBASE_BLOCK_Reserved1                int64
	Off_HBASE_BLOCK_Reserved2                int64
	Off_HBASE_BLOCK_RmId                     int64
	Off_HBASE_BLOCK_RootCell                 int64
	Off_HBASE_BLOCK_Sequence1                int64
	Off_HBASE_BLOCK_Sequence2                int64
	Off_HBASE_BLOCK_Signature                int64
	Off_HBASE_BLOCK_ThawLogId                int64
	Off_HBASE_BLOCK_ThawRmId                 int64
	Off_HBASE_BLOCK_ThawTmId                 int64
	Off_HBASE_BLOCK_TimeStamp                int64
	Off_HBASE_BLOCK_TmId                     int64
	Off_HBASE_BLOCK_Type                     int64
	Off_HBIN_FileOffset                      int64
	Off_HBIN_Reserved1                       int64
	Off_HBIN_Signature                       int64
	Off_HBIN_HbinSize                        int64
	Off_HBIN_Spare                           int64
	Off_HBIN_TimeStamp                       int64
	Off_HCELL_Next                           int64
	Off_HCELL_Signature                      int64
	Off_HCELL_Data                           int64
	Off_LARGE_INTEGER_HighPart               int64
	Off_LARGE_INTEGER_LowPart                int64
	Off_LARGE_INTEGER_QuadPart               int64
}

func NewRegistryProfile

func NewRegistryProfile() *RegistryProfile

func (*RegistryProfile) CHILD_LIST

func (self *RegistryProfile) CHILD_LIST(reader io.ReaderAt, offset int64) *CHILD_LIST

func (*RegistryProfile) CM_BIG_DATA

func (self *RegistryProfile) CM_BIG_DATA(reader io.ReaderAt, offset int64) *CM_BIG_DATA

func (*RegistryProfile) CM_KEY_INDEX

func (self *RegistryProfile) CM_KEY_INDEX(reader io.ReaderAt, offset int64) *CM_KEY_INDEX

func (*RegistryProfile) CM_KEY_INDEX_FAST

func (self *RegistryProfile) CM_KEY_INDEX_FAST(reader io.ReaderAt, offset int64) *CM_KEY_INDEX_FAST

func (*RegistryProfile) CM_KEY_INDEX_FAST_ELEMENT

func (self *RegistryProfile) CM_KEY_INDEX_FAST_ELEMENT(reader io.ReaderAt, offset int64) *CM_KEY_INDEX_FAST_ELEMENT

func (*RegistryProfile) CM_KEY_NODE

func (self *RegistryProfile) CM_KEY_NODE(reader io.ReaderAt, offset int64) *CM_KEY_NODE

func (*RegistryProfile) CM_KEY_VALUE

func (self *RegistryProfile) CM_KEY_VALUE(reader io.ReaderAt, offset int64) *CM_KEY_VALUE

func (*RegistryProfile) FileTime

func (self *RegistryProfile) FileTime(reader io.ReaderAt, offset int64) *FileTime

func (*RegistryProfile) GUID

func (self *RegistryProfile) GUID(reader io.ReaderAt, offset int64) *GUID

func (*RegistryProfile) HBASE_BLOCK

func (self *RegistryProfile) HBASE_BLOCK(reader io.ReaderAt, offset int64) *HBASE_BLOCK

func (*RegistryProfile) HBIN

func (self *RegistryProfile) HBIN(reader io.ReaderAt, offset int64) *HBIN

func (*RegistryProfile) HCELL

func (self *RegistryProfile) HCELL(reader io.ReaderAt, offset int64) *HCELL

func (*RegistryProfile) HIVE_DIRTY_PAGE_REF

func (self *RegistryProfile) HIVE_DIRTY_PAGE_REF(reader io.ReaderAt, offset int64) *HIVE_DIRTY_PAGE_REF

func (*RegistryProfile) HIVE_LOG_ENTRY

func (self *RegistryProfile) HIVE_LOG_ENTRY(reader io.ReaderAt, offset int64) *HIVE_LOG_ENTRY

func (*RegistryProfile) LARGE_INTEGER

func (self *RegistryProfile) LARGE_INTEGER(reader io.ReaderAt, offset int64) *LARGE_INTEGER

func (*RegistryProfile) UnicodeString

func (self *RegistryProfile) UnicodeString(reader io.ReaderAt, offset int64) *UnicodeString

type UnicodeString

// UnicodeString holds a string parsed from a null-terminated UTF-16 value.
// It is created by RegistryProfile.UnicodeString(reader, offset).
type UnicodeString struct {
	Value string // the parsed string, as a Go string
}

UTF16 null terminated string.

func (*UnicodeString) DebugString

func (self *UnicodeString) DebugString() string

func (*UnicodeString) GoString

func (self *UnicodeString) GoString() string

type ValueData

// ValueData is the decoded form of a registry value, as returned by
// CM_KEY_VALUE.ValueData. Which of the typed fields is populated depends on
// Type; Data always carries the original encoded bytes.
type ValueData struct {
	// The registry value type: one of the REG_* constants (REG_SZ etc.).
	Type uint32

	// Filled in for REG_SZ etc.
	String string

	// Filled in for REG_MULTI_SZ
	MultiSz []string

	// Filled in for integer types
	Uint64 uint64

	// The original encoded data. For REG_BINARY this is the only
	// field filled.
	Data []byte

	// If an error occurs during parsing this will contain the
	// error object. CM_KEY_VALUE.ValueData returns no separate
	// error value, so check this field before relying on the
	// decoded fields above.
	Error error
}

A Registry Value may represent a number of different data types depending on its Type field. This struct contains the various Go types that are represented. Many of the registry types are converted to the most closely matching Go types. The original binary data is also attached in the Data field.

func (*ValueData) GoString

func (self *ValueData) GoString() string

Directories

Path Synopsis
