Documentation ¶
Index ¶
- Constants
- func DebugPrint(fmt_str string, v ...interface{})
- func ParseArray_byte(profile *RegistryProfile, reader io.ReaderAt, offset int64, count int) []byte
- func ParseArray_uint32(profile *RegistryProfile, reader io.ReaderAt, offset int64, count int) []uint32
- func ParseInt32(reader io.ReaderAt, offset int64) int32
- func ParseInt64(reader io.ReaderAt, offset int64) int64
- func ParseSafeArray_byte(reader io.ReaderAt, offset int64, count int) []byte
- func ParseSafeArray_uint32(reader io.ReaderAt, offset int64, count int) []uint32
- func ParseTerminatedUTF16String(reader io.ReaderAt, offset int64) string
- func ParseUTF16String(reader io.ReaderAt, offset int64, length int64) string
- func ParseUint16(reader io.ReaderAt, offset int64) uint16
- func ParseUint32(reader io.ReaderAt, offset int64) uint32
- func ParseUint64(reader io.ReaderAt, offset int64) uint64
- func ParseUint8(reader io.ReaderAt, offset int64) byte
- func RecoverHive(hive *os.File, logFiles ...*os.File) (*os.File, error)
- func RegTypeToString(reg_type uint32) string
- func SplitComponents(path string) []string
- func UTF16BytesToUTF8(b []byte, o binary.ByteOrder) string
- type CHILD_LIST
- type CM_BIG_DATA
- type CM_KEY_INDEX
- type CM_KEY_INDEX_FAST
- type CM_KEY_INDEX_FAST_ELEMENT
- type CM_KEY_NODE
- func (self *CM_KEY_NODE) ChildHiveReference() *HCELL
- func (self *CM_KEY_NODE) Class() uint32
- func (self *CM_KEY_NODE) ClassLength() uint16
- func (self *CM_KEY_NODE) Debug() uint64
- func (self *CM_KEY_NODE) Flags() uint16
- func (self *CM_KEY_NODE) LastWriteTime() *FileTime
- func (self *CM_KEY_NODE) MaxClassLen() uint32
- func (self *CM_KEY_NODE) MaxNameLen() uint64
- func (self *CM_KEY_NODE) MaxValueDataLen() uint32
- func (self *CM_KEY_NODE) MaxValueNameLen() uint32
- func (self *CM_KEY_NODE) Name() string
- func (self *CM_KEY_NODE) NameLength() uint16
- func (self *CM_KEY_NODE) Parent() uint32
- func (self *CM_KEY_NODE) Security() uint32
- func (self *CM_KEY_NODE) Signature() uint16
- func (self *CM_KEY_NODE) Size() int
- func (self *CM_KEY_NODE) Spare() uint32
- func (self *CM_KEY_NODE) SubKeyCounts() []uint32
- func (self *CM_KEY_NODE) SubKeyLists() []uint32
- func (self *CM_KEY_NODE) Subkeys() []*CM_KEY_NODE
- func (self *CM_KEY_NODE) UserFlags() uint64
- func (self *CM_KEY_NODE) ValueList() *CHILD_LIST
- func (self *CM_KEY_NODE) Values() []*CM_KEY_VALUE
- func (self *CM_KEY_NODE) VirtControlFlags() uint64
- func (self *CM_KEY_NODE) WorkVar() uint32
- type CM_KEY_VALUE
- func (self *CM_KEY_VALUE) Data() uint32
- func (self *CM_KEY_VALUE) DataLength() uint32
- func (self *CM_KEY_VALUE) DataSize() int64
- func (self *CM_KEY_VALUE) Flags() uint16
- func (self *CM_KEY_VALUE) Name() string
- func (self *CM_KEY_VALUE) NameLength() uint16
- func (self *CM_KEY_VALUE) Signature() uint16
- func (self *CM_KEY_VALUE) Size() int
- func (self *CM_KEY_VALUE) Spare() uint16
- func (self *CM_KEY_VALUE) Type() uint32
- func (self *CM_KEY_VALUE) TypeString() string
- func (self *CM_KEY_VALUE) ValueData() *ValueData
- func (self *CM_KEY_VALUE) ValueName() string
- type DirtyPage
- type FileTime
- type GUID
- type HBASE_BLOCK
- func (self *HBASE_BLOCK) BootRecover() uint32
- func (self *HBASE_BLOCK) BootType() uint32
- func (self *HBASE_BLOCK) CheckSum() uint32
- func (self *HBASE_BLOCK) Cluster() uint32
- func (self *HBASE_BLOCK) FileName() string
- func (self *HBASE_BLOCK) Flags() uint32
- func (self *HBASE_BLOCK) Format() uint32
- func (self *HBASE_BLOCK) GuidSignature() uint32
- func (self *HBASE_BLOCK) HiveBin() *HBIN
- func (self *HBASE_BLOCK) Length() uint32
- func (self *HBASE_BLOCK) LogId() *GUID
- func (self *HBASE_BLOCK) Major() uint32
- func (self *HBASE_BLOCK) Minor() uint32
- func (self *HBASE_BLOCK) Reserved1() []uint32
- func (self *HBASE_BLOCK) Reserved2() []uint32
- func (self *HBASE_BLOCK) RmId() *GUID
- func (self *HBASE_BLOCK) RootCell() uint32
- func (self *HBASE_BLOCK) Sequence1() uint32
- func (self *HBASE_BLOCK) Sequence2() uint32
- func (self *HBASE_BLOCK) Signature() uint32
- func (self *HBASE_BLOCK) Size() int
- func (self *HBASE_BLOCK) ThawLogId() *GUID
- func (self *HBASE_BLOCK) ThawRmId() *GUID
- func (self *HBASE_BLOCK) ThawTmId() *GUID
- func (self *HBASE_BLOCK) TimeStamp() *FileTime
- func (self *HBASE_BLOCK) TmId() *GUID
- func (self *HBASE_BLOCK) Type() uint32
- type HBIN
- type HCELL
- func (self *HCELL) Allocated() bool
- func (self *HCELL) Data() []byte
- func (self *HCELL) DataSize() uint32
- func (self *HCELL) KeyIndex() *CM_KEY_INDEX
- func (self *HCELL) KeyIndexFast() *CM_KEY_INDEX_FAST
- func (self *HCELL) KeyNode() *CM_KEY_NODE
- func (self *HCELL) KeyValue() *CM_KEY_VALUE
- func (self *HCELL) Next() uint32
- func (self *HCELL) NextCell() *HCELL
- func (self *HCELL) Payload() int64
- func (self *HCELL) Signature() uint16
- func (self *HCELL) Size() int
- type HIVE_DIRTY_PAGE_REF
- type HIVE_LOG_ENTRY
- func (self *HIVE_LOG_ENTRY) DirtyPageRefs() []*HIVE_DIRTY_PAGE_REF
- func (self *HIVE_LOG_ENTRY) DirtyPagesCount() uint32
- func (self *HIVE_LOG_ENTRY) Flags() uint32
- func (self HIVE_LOG_ENTRY) GetDirtyPages() []*DirtyPage
- func (self *HIVE_LOG_ENTRY) Hash1() uint64
- func (self *HIVE_LOG_ENTRY) Hash2() uint64
- func (self *HIVE_LOG_ENTRY) HiveBinsDataSize() uint32
- func (self *HIVE_LOG_ENTRY) LogEntrySize() uint32
- func (self *HIVE_LOG_ENTRY) SequenceNumber() uint32
- func (self *HIVE_LOG_ENTRY) Signature() uint32
- func (self *HIVE_LOG_ENTRY) Size() int
- type LARGE_INTEGER
- type Registry
- type RegistryProfile
- func (self *RegistryProfile) CHILD_LIST(reader io.ReaderAt, offset int64) *CHILD_LIST
- func (self *RegistryProfile) CM_BIG_DATA(reader io.ReaderAt, offset int64) *CM_BIG_DATA
- func (self *RegistryProfile) CM_KEY_INDEX(reader io.ReaderAt, offset int64) *CM_KEY_INDEX
- func (self *RegistryProfile) CM_KEY_INDEX_FAST(reader io.ReaderAt, offset int64) *CM_KEY_INDEX_FAST
- func (self *RegistryProfile) CM_KEY_INDEX_FAST_ELEMENT(reader io.ReaderAt, offset int64) *CM_KEY_INDEX_FAST_ELEMENT
- func (self *RegistryProfile) CM_KEY_NODE(reader io.ReaderAt, offset int64) *CM_KEY_NODE
- func (self *RegistryProfile) CM_KEY_VALUE(reader io.ReaderAt, offset int64) *CM_KEY_VALUE
- func (self *RegistryProfile) FileTime(reader io.ReaderAt, offset int64) *FileTime
- func (self *RegistryProfile) GUID(reader io.ReaderAt, offset int64) *GUID
- func (self *RegistryProfile) HBASE_BLOCK(reader io.ReaderAt, offset int64) *HBASE_BLOCK
- func (self *RegistryProfile) HBIN(reader io.ReaderAt, offset int64) *HBIN
- func (self *RegistryProfile) HCELL(reader io.ReaderAt, offset int64) *HCELL
- func (self *RegistryProfile) HIVE_DIRTY_PAGE_REF(reader io.ReaderAt, offset int64) *HIVE_DIRTY_PAGE_REF
- func (self *RegistryProfile) HIVE_LOG_ENTRY(reader io.ReaderAt, offset int64) *HIVE_LOG_ENTRY
- func (self *RegistryProfile) LARGE_INTEGER(reader io.ReaderAt, offset int64) *LARGE_INTEGER
- func (self *RegistryProfile) UnicodeString(reader io.ReaderAt, offset int64) *UnicodeString
- type UnicodeString
- type ValueData
Constants ¶
// Registry value type codes. ValueData.Type is commented "REG_SZ etc." and
// RegTypeToString takes a uint32 type code, so these are presumably the values
// both of them work with.
// NOTE(review): the type code is read from the hive file, so codes outside
// this list can occur in damaged or hand-crafted hives; REG_UNKNOWN looks like
// the package's fallback for that case — confirm in RegTypeToString.
const (
	REG_NONE                       = 0x00000000 // no defined value type
	REG_SZ                         = 0x00000001 // string
	REG_EXPAND_SZ                  = 0x00000002 // string containing unexpanded environment-variable references
	REG_BINARY                     = 0x00000003 // raw binary data
	REG_DWORD                      = 0x00000004 // 32-bit number
	REG_DWORD_LITTLE_ENDIAN        = 0x00000004 // same value as REG_DWORD
	REG_DWORD_BIG_ENDIAN           = 0x00000005 // 32-bit number, big-endian
	REG_LINK                       = 0x00000006 // symbolic link
	REG_MULTI_SZ                   = 0x00000007 // sequence of strings
	REG_RESOURCE_LIST              = 0x00000008
	REG_FULL_RESOURCE_DESCRIPTOR   = 0x00000009
	REG_RESOURCE_REQUIREMENTS_LIST = 0x0000000a
	REG_QWORD                      = 0x0000000b // 64-bit number
	REG_UNKNOWN                    = 0xffffffff // not a stored type code; presumably a sentinel — TODO confirm
)
Variables ¶
This section is empty.
Functions ¶
func DebugPrint ¶
func DebugPrint(fmt_str string, v ...interface{})
func ParseArray_byte ¶
func ParseArray_uint32 ¶
func ParseSafeArray_byte ¶
func ParseSafeArray_uint32 ¶
func ParseUTF16String ¶
func RecoverHive ¶
RecoverHive copies the hive to another file and applies the dirty pages from the log files.
Returns an *os.File pointing to the recovered hive. The recovered file is a separate copy of the hive's contents, and the caller is responsible for deleting it.
func RegTypeToString ¶
func SplitComponents ¶
Types ¶
type CHILD_LIST ¶
// CHILD_LIST refers to a structure inside Reader; the struct stores no decoded
// fields of its own.
// NOTE(review): Count and List presumably read from Reader at Offset plus the
// Off_CHILD_LIST_* entries of Profile — confirm against the implementation.
type CHILD_LIST struct {
	Reader  io.ReaderAt      // backing reader the structure is read from
	Offset  int64            // presumably the structure's start within Reader
	Profile *RegistryProfile // field-offset table (Off_* fields)
}
func (*CHILD_LIST) Count ¶
func (self *CHILD_LIST) Count() uint32
func (*CHILD_LIST) List ¶
func (self *CHILD_LIST) List() uint32
func (*CHILD_LIST) Size ¶
func (self *CHILD_LIST) Size() int
type CM_BIG_DATA ¶
// CM_BIG_DATA refers to a structure inside Reader; the struct stores no
// decoded fields of its own.
// NOTE(review): Count, List and Signature presumably read from Reader at
// Offset plus the Off_CM_BIG_DATA_* entries of Profile — confirm.
type CM_BIG_DATA struct {
	Reader  io.ReaderAt      // backing reader the structure is read from
	Offset  int64            // presumably the structure's start within Reader
	Profile *RegistryProfile // field-offset table (Off_* fields)
}
func (*CM_BIG_DATA) Count ¶
func (self *CM_BIG_DATA) Count() uint16
func (*CM_BIG_DATA) List ¶
func (self *CM_BIG_DATA) List() uint32
func (*CM_BIG_DATA) Signature ¶
func (self *CM_BIG_DATA) Signature() uint16
func (*CM_BIG_DATA) Size ¶
func (self *CM_BIG_DATA) Size() int
type CM_KEY_INDEX ¶
// CM_KEY_INDEX refers to an index structure inside Reader (the page describes
// it as an "ri or li node"); the struct stores no decoded fields of its own.
// NOTE(review): Count and the entries of List come from the hive file. Whether
// Subkeys bounds them is not visible on this page — confirm before relying on
// it with damaged or untrusted hives.
type CM_KEY_INDEX struct {
	Reader  io.ReaderAt      // backing reader the structure is read from
	Offset  int64            // presumably the structure's start within Reader
	Profile *RegistryProfile // field-offset table (Off_* fields)
}
func (*CM_KEY_INDEX) Count ¶
func (self *CM_KEY_INDEX) Count() uint16
func (*CM_KEY_INDEX) List ¶
func (self *CM_KEY_INDEX) List() []uint32
func (*CM_KEY_INDEX) Signature ¶
func (self *CM_KEY_INDEX) Signature() uint16
func (*CM_KEY_INDEX) Size ¶
func (self *CM_KEY_INDEX) Size() int
func (*CM_KEY_INDEX) Subkeys ¶
func (self *CM_KEY_INDEX) Subkeys() []*CM_KEY_NODE
Extract subkeys from the index.
type CM_KEY_INDEX_FAST ¶
// CM_KEY_INDEX_FAST refers to an index structure inside Reader (the page
// describes it as an "lf or lh node"); the struct stores no decoded fields of
// its own.
// NOTE(review): Count and the elements of List come from the hive file.
// Whether Subkeys bounds them is not visible on this page — confirm before
// relying on it with damaged or untrusted hives.
type CM_KEY_INDEX_FAST struct {
	Reader  io.ReaderAt      // backing reader the structure is read from
	Offset  int64            // presumably the structure's start within Reader
	Profile *RegistryProfile // field-offset table (Off_* fields)
}
func (*CM_KEY_INDEX_FAST) Count ¶
func (self *CM_KEY_INDEX_FAST) Count() uint16
func (*CM_KEY_INDEX_FAST) List ¶
func (self *CM_KEY_INDEX_FAST) List() []*CM_KEY_INDEX_FAST_ELEMENT
func (*CM_KEY_INDEX_FAST) Signature ¶
func (self *CM_KEY_INDEX_FAST) Signature() uint16
func (*CM_KEY_INDEX_FAST) Size ¶
func (self *CM_KEY_INDEX_FAST) Size() int
func (*CM_KEY_INDEX_FAST) Subkeys ¶
func (self *CM_KEY_INDEX_FAST) Subkeys() []*CM_KEY_NODE
Extract all subkeys stored in the fast index.
type CM_KEY_INDEX_FAST_ELEMENT ¶
// CM_KEY_INDEX_FAST_ELEMENT refers to one element of a fast index inside
// Reader; the struct stores no decoded fields of its own.
// NOTE(review): the package exports both ParseArray_ and ParseSafeArray_
// constructors for this type and the page does not say how they differ.
// Check which one limits `count` before passing a count read from a hive.
type CM_KEY_INDEX_FAST_ELEMENT struct {
	Reader  io.ReaderAt      // backing reader the structure is read from
	Offset  int64            // presumably the element's start within Reader
	Profile *RegistryProfile // field-offset table (Off_* fields)
}
func ParseArray_CM_KEY_INDEX_FAST_ELEMENT ¶
func ParseArray_CM_KEY_INDEX_FAST_ELEMENT(profile *RegistryProfile, reader io.ReaderAt, offset int64, count int) []*CM_KEY_INDEX_FAST_ELEMENT
func ParseSafeArray_CM_KEY_INDEX_FAST_ELEMENT ¶
func ParseSafeArray_CM_KEY_INDEX_FAST_ELEMENT(profile *RegistryProfile, reader io.ReaderAt, offset int64, count int) []*CM_KEY_INDEX_FAST_ELEMENT
func (*CM_KEY_INDEX_FAST_ELEMENT) Index ¶
func (self *CM_KEY_INDEX_FAST_ELEMENT) Index() uint32
func (*CM_KEY_INDEX_FAST_ELEMENT) NodeOffset ¶
func (self *CM_KEY_INDEX_FAST_ELEMENT) NodeOffset() uint32
func (*CM_KEY_INDEX_FAST_ELEMENT) Size ¶
func (self *CM_KEY_INDEX_FAST_ELEMENT) Size() int
type CM_KEY_NODE ¶
// CM_KEY_NODE refers to a key node inside Reader (the page describes it as an
// "nk node"); the struct stores no decoded fields of its own.
// NOTE(review): NameLength, SubKeyCounts, SubKeyLists, Parent and the other
// accessor values come from the hive file. A damaged or hand-crafted hive can
// hold inconsistent lengths or offsets that point back into the tree, so
// callers that walk Subkeys recursively should cap depth and count. Whether
// the package does this itself is not visible here.
type CM_KEY_NODE struct {
	Reader  io.ReaderAt      // backing reader the structure is read from
	Offset  int64            // presumably the node's start within Reader
	Profile *RegistryProfile // field-offset table (Off_* fields)
}
func (*CM_KEY_NODE) ChildHiveReference ¶
func (self *CM_KEY_NODE) ChildHiveReference() *HCELL
func (*CM_KEY_NODE) Class ¶
func (self *CM_KEY_NODE) Class() uint32
func (*CM_KEY_NODE) ClassLength ¶
func (self *CM_KEY_NODE) ClassLength() uint16
func (*CM_KEY_NODE) Debug ¶
func (self *CM_KEY_NODE) Debug() uint64
func (*CM_KEY_NODE) Flags ¶
func (self *CM_KEY_NODE) Flags() uint16
func (*CM_KEY_NODE) LastWriteTime ¶
func (self *CM_KEY_NODE) LastWriteTime() *FileTime
func (*CM_KEY_NODE) MaxClassLen ¶
func (self *CM_KEY_NODE) MaxClassLen() uint32
func (*CM_KEY_NODE) MaxNameLen ¶
func (self *CM_KEY_NODE) MaxNameLen() uint64
func (*CM_KEY_NODE) MaxValueDataLen ¶
func (self *CM_KEY_NODE) MaxValueDataLen() uint32
func (*CM_KEY_NODE) MaxValueNameLen ¶
func (self *CM_KEY_NODE) MaxValueNameLen() uint32
func (*CM_KEY_NODE) Name ¶
func (self *CM_KEY_NODE) Name() string
The name of the key. This does not include the full path through its parents.
func (*CM_KEY_NODE) NameLength ¶
func (self *CM_KEY_NODE) NameLength() uint16
func (*CM_KEY_NODE) Parent ¶
func (self *CM_KEY_NODE) Parent() uint32
func (*CM_KEY_NODE) Security ¶
func (self *CM_KEY_NODE) Security() uint32
func (*CM_KEY_NODE) Signature ¶
func (self *CM_KEY_NODE) Signature() uint16
func (*CM_KEY_NODE) Size ¶
func (self *CM_KEY_NODE) Size() int
func (*CM_KEY_NODE) Spare ¶
func (self *CM_KEY_NODE) Spare() uint32
func (*CM_KEY_NODE) SubKeyCounts ¶
func (self *CM_KEY_NODE) SubKeyCounts() []uint32
func (*CM_KEY_NODE) SubKeyLists ¶
func (self *CM_KEY_NODE) SubKeyLists() []uint32
func (*CM_KEY_NODE) Subkeys ¶
func (self *CM_KEY_NODE) Subkeys() []*CM_KEY_NODE
This is a convenience method for enumerating the subkeys of a CM_KEY_NODE. Each _CM_KEY_NODE can point to a number of different types of index nodes. This method deals with the different types of indexes and just returns a list of subkeys regardless of the type of indexes.
func (*CM_KEY_NODE) UserFlags ¶
func (self *CM_KEY_NODE) UserFlags() uint64
func (*CM_KEY_NODE) ValueList ¶
func (self *CM_KEY_NODE) ValueList() *CHILD_LIST
func (*CM_KEY_NODE) Values ¶
func (self *CM_KEY_NODE) Values() []*CM_KEY_VALUE
A convenience method for extracting the Values contained under a key.
func (*CM_KEY_NODE) VirtControlFlags ¶
func (self *CM_KEY_NODE) VirtControlFlags() uint64
func (*CM_KEY_NODE) WorkVar ¶
func (self *CM_KEY_NODE) WorkVar() uint32
type CM_KEY_VALUE ¶
// CM_KEY_VALUE refers to a value record inside Reader (the page describes it
// as a "vk node"); the struct stores no decoded fields of its own.
// NOTE(review): DataLength, NameLength and Type come from the hive file.
// ValueData returns a struct with an Error field; check it before using the
// decoded fields, because the page does not show how oversized or
// inconsistent lengths are handled.
type CM_KEY_VALUE struct {
	Reader  io.ReaderAt      // backing reader the structure is read from
	Offset  int64            // presumably the record's start within Reader
	Profile *RegistryProfile // field-offset table (Off_* fields)
}
func (*CM_KEY_VALUE) Data ¶
func (self *CM_KEY_VALUE) Data() uint32
func (*CM_KEY_VALUE) DataLength ¶
func (self *CM_KEY_VALUE) DataLength() uint32
func (*CM_KEY_VALUE) DataSize ¶
func (self *CM_KEY_VALUE) DataSize() int64
func (*CM_KEY_VALUE) Flags ¶
func (self *CM_KEY_VALUE) Flags() uint16
func (*CM_KEY_VALUE) Name ¶
func (self *CM_KEY_VALUE) Name() string
func (*CM_KEY_VALUE) NameLength ¶
func (self *CM_KEY_VALUE) NameLength() uint16
func (*CM_KEY_VALUE) Signature ¶
func (self *CM_KEY_VALUE) Signature() uint16
func (*CM_KEY_VALUE) Size ¶
func (self *CM_KEY_VALUE) Size() int
func (*CM_KEY_VALUE) Spare ¶
func (self *CM_KEY_VALUE) Spare() uint16
func (*CM_KEY_VALUE) Type ¶
func (self *CM_KEY_VALUE) Type() uint32
func (*CM_KEY_VALUE) TypeString ¶
func (self *CM_KEY_VALUE) TypeString() string
Convert the registry type to a string.
func (*CM_KEY_VALUE) ValueData ¶
func (self *CM_KEY_VALUE) ValueData() *ValueData
Parse out the data from the value into a Go ValueData type.
func (*CM_KEY_VALUE) ValueName ¶
func (self *CM_KEY_VALUE) ValueName() string
The name of this value (empty string means default value).
type FileTime ¶
A FileTime object is a timestamp in Windows FILETIME format.
func (*FileTime) DebugString ¶
type HBASE_BLOCK ¶
// HBASE_BLOCK refers to the file header block at the start of the registry
// file (per the package documentation); the struct stores no decoded fields
// of its own.
// NOTE(review): the accessors include Signature, CheckSum, Sequence1 and
// Sequence2, but the page does not show the package checking any of them.
// Callers handling damaged or untrusted hives should confirm whether they must
// validate the header themselves.
type HBASE_BLOCK struct {
	Reader  io.ReaderAt      // backing reader the structure is read from
	Offset  int64            // presumably the block's start within Reader
	Profile *RegistryProfile // field-offset table (Off_* fields)
}
func (*HBASE_BLOCK) BootRecover ¶
func (self *HBASE_BLOCK) BootRecover() uint32
func (*HBASE_BLOCK) BootType ¶
func (self *HBASE_BLOCK) BootType() uint32
func (*HBASE_BLOCK) CheckSum ¶
func (self *HBASE_BLOCK) CheckSum() uint32
func (*HBASE_BLOCK) Cluster ¶
func (self *HBASE_BLOCK) Cluster() uint32
func (*HBASE_BLOCK) FileName ¶
func (self *HBASE_BLOCK) FileName() string
func (*HBASE_BLOCK) Flags ¶
func (self *HBASE_BLOCK) Flags() uint32
func (*HBASE_BLOCK) Format ¶
func (self *HBASE_BLOCK) Format() uint32
func (*HBASE_BLOCK) GuidSignature ¶
func (self *HBASE_BLOCK) GuidSignature() uint32
func (*HBASE_BLOCK) HiveBin ¶
func (self *HBASE_BLOCK) HiveBin() *HBIN
HBASE_BLOCK is the file header block at the start of the registry file.
func (*HBASE_BLOCK) Length ¶
func (self *HBASE_BLOCK) Length() uint32
func (*HBASE_BLOCK) LogId ¶
func (self *HBASE_BLOCK) LogId() *GUID
func (*HBASE_BLOCK) Major ¶
func (self *HBASE_BLOCK) Major() uint32
func (*HBASE_BLOCK) Minor ¶
func (self *HBASE_BLOCK) Minor() uint32
func (*HBASE_BLOCK) Reserved1 ¶
func (self *HBASE_BLOCK) Reserved1() []uint32
func (*HBASE_BLOCK) Reserved2 ¶
func (self *HBASE_BLOCK) Reserved2() []uint32
func (*HBASE_BLOCK) RmId ¶
func (self *HBASE_BLOCK) RmId() *GUID
func (*HBASE_BLOCK) RootCell ¶
func (self *HBASE_BLOCK) RootCell() uint32
func (*HBASE_BLOCK) Sequence1 ¶
func (self *HBASE_BLOCK) Sequence1() uint32
func (*HBASE_BLOCK) Sequence2 ¶
func (self *HBASE_BLOCK) Sequence2() uint32
func (*HBASE_BLOCK) Signature ¶
func (self *HBASE_BLOCK) Signature() uint32
func (*HBASE_BLOCK) Size ¶
func (self *HBASE_BLOCK) Size() int
func (*HBASE_BLOCK) ThawLogId ¶
func (self *HBASE_BLOCK) ThawLogId() *GUID
func (*HBASE_BLOCK) ThawRmId ¶
func (self *HBASE_BLOCK) ThawRmId() *GUID
func (*HBASE_BLOCK) ThawTmId ¶
func (self *HBASE_BLOCK) ThawTmId() *GUID
func (*HBASE_BLOCK) TimeStamp ¶
func (self *HBASE_BLOCK) TimeStamp() *FileTime
func (*HBASE_BLOCK) TmId ¶
func (self *HBASE_BLOCK) TmId() *GUID
func (*HBASE_BLOCK) Type ¶
func (self *HBASE_BLOCK) Type() uint32
type HBIN ¶
// HBIN refers to a hive bin inside Reader (HBASE_BLOCK.HiveBin returns one);
// the struct stores no decoded fields of its own.
// NOTE(review): accessors presumably read from Reader at Offset plus the
// Off_HBIN_* entries of Profile — confirm against the implementation.
type HBIN struct {
	Reader  io.ReaderAt      // backing reader the structure is read from
	Offset  int64            // presumably the bin's start within Reader
	Profile *RegistryProfile // field-offset table (Off_* fields)
}
func (*HBIN) FileOffset ¶
type HCELL ¶
// HCELL refers to a cell inside Reader; the struct stores no decoded fields of
// its own. KeyNode, KeyValue, KeyIndex and KeyIndexFast return the matching
// structure, or nil when the cell holds a different type (per the package
// documentation).
// NOTE(review): callers must nil-check those four results. DataSize and Next
// come from the hive file, so a loop over NextCell on a damaged or untrusted
// hive should cap its iterations. Whether the package guards against zero-size
// or cyclic cells is not visible here.
type HCELL struct {
	Reader  io.ReaderAt      // backing reader the structure is read from
	Offset  int64            // presumably the cell's start within Reader
	Profile *RegistryProfile // field-offset table (Off_* fields)
}
func (*HCELL) KeyIndex ¶
func (self *HCELL) KeyIndex() *CM_KEY_INDEX
If the HCELL contains a CM_KEY_INDEX (ri or li node) then this method returns it. Otherwise it returns nil.
func (*HCELL) KeyIndexFast ¶
func (self *HCELL) KeyIndexFast() *CM_KEY_INDEX_FAST
If the HCELL contains a CM_KEY_INDEX_FAST (lf or lh node) then this method returns it. Otherwise it returns nil.
func (*HCELL) KeyNode ¶
func (self *HCELL) KeyNode() *CM_KEY_NODE
If the HCELL contains a CM_KEY_NODE (nk node) then this method returns it. Otherwise it returns nil.
func (*HCELL) KeyValue ¶
func (self *HCELL) KeyValue() *CM_KEY_VALUE
If the HCELL contains a CM_KEY_VALUE (vk node) then this method returns it. Otherwise it returns nil.
type HIVE_DIRTY_PAGE_REF ¶
// HIVE_DIRTY_PAGE_REF refers to a dirty-page reference inside Reader (a
// HIVE_LOG_ENTRY returns a list of them from DirtyPageRefs); the struct stores
// no decoded fields of its own.
// NOTE(review): PageOffset and PageSize come from the log file. RecoverHive
// applies dirty pages to a copy of the hive, so confirm that these values are
// bounded against the hive size before that path is used on untrusted logs.
type HIVE_DIRTY_PAGE_REF struct {
	Reader  io.ReaderAt      // backing reader the structure is read from
	Offset  int64            // presumably the reference's start within Reader
	Profile *RegistryProfile // field-offset table (Off_* fields)
}
func ParseArray_HIVE_DIRTY_PAGE_REF ¶
func ParseArray_HIVE_DIRTY_PAGE_REF(profile *RegistryProfile, reader io.ReaderAt, offset int64, count int) []*HIVE_DIRTY_PAGE_REF
func (*HIVE_DIRTY_PAGE_REF) PageOffset ¶
func (self *HIVE_DIRTY_PAGE_REF) PageOffset() uint32
func (*HIVE_DIRTY_PAGE_REF) PageSize ¶
func (self *HIVE_DIRTY_PAGE_REF) PageSize() uint32
func (*HIVE_DIRTY_PAGE_REF) Size ¶
func (self *HIVE_DIRTY_PAGE_REF) Size() int
type HIVE_LOG_ENTRY ¶
// HIVE_LOG_ENTRY refers to a log entry inside Reader; the struct stores no
// decoded fields of its own.
// NOTE(review): DirtyPagesCount, LogEntrySize and HiveBinsDataSize come from
// the log file. Hash1 and Hash2 are exposed as accessors, but the page does
// not show them being verified — confirm before trusting entries from
// damaged or untrusted logs.
type HIVE_LOG_ENTRY struct {
	Reader  io.ReaderAt      // backing reader the structure is read from
	Offset  int64            // presumably the entry's start within Reader
	Profile *RegistryProfile // field-offset table (Off_* fields)
}
func (*HIVE_LOG_ENTRY) DirtyPageRefs ¶
func (self *HIVE_LOG_ENTRY) DirtyPageRefs() []*HIVE_DIRTY_PAGE_REF
func (*HIVE_LOG_ENTRY) DirtyPagesCount ¶
func (self *HIVE_LOG_ENTRY) DirtyPagesCount() uint32
func (*HIVE_LOG_ENTRY) Flags ¶
func (self *HIVE_LOG_ENTRY) Flags() uint32
func (HIVE_LOG_ENTRY) GetDirtyPages ¶
func (self HIVE_LOG_ENTRY) GetDirtyPages() []*DirtyPage
func (*HIVE_LOG_ENTRY) Hash1 ¶
func (self *HIVE_LOG_ENTRY) Hash1() uint64
func (*HIVE_LOG_ENTRY) Hash2 ¶
func (self *HIVE_LOG_ENTRY) Hash2() uint64
func (*HIVE_LOG_ENTRY) HiveBinsDataSize ¶
func (self *HIVE_LOG_ENTRY) HiveBinsDataSize() uint32
func (*HIVE_LOG_ENTRY) LogEntrySize ¶
func (self *HIVE_LOG_ENTRY) LogEntrySize() uint32
func (*HIVE_LOG_ENTRY) SequenceNumber ¶
func (self *HIVE_LOG_ENTRY) SequenceNumber() uint32
func (*HIVE_LOG_ENTRY) Signature ¶
func (self *HIVE_LOG_ENTRY) Signature() uint32
func (*HIVE_LOG_ENTRY) Size ¶
func (self *HIVE_LOG_ENTRY) Size() int
type LARGE_INTEGER ¶
// LARGE_INTEGER refers to a structure inside Reader that is exposed through
// HighPart (int32), LowPart (uint32) and QuadPart (int64); the struct stores
// no decoded fields of its own.
// NOTE(review): accessors presumably read from Reader at Offset plus the
// Off_LARGE_INTEGER_* entries of Profile — confirm.
type LARGE_INTEGER struct {
	Reader  io.ReaderAt      // backing reader the structure is read from
	Offset  int64            // presumably the structure's start within Reader
	Profile *RegistryProfile // field-offset table (Off_* fields)
}
func (*LARGE_INTEGER) HighPart ¶
func (self *LARGE_INTEGER) HighPart() int32
func (*LARGE_INTEGER) LowPart ¶
func (self *LARGE_INTEGER) LowPart() uint32
func (*LARGE_INTEGER) QuadPart ¶
func (self *LARGE_INTEGER) QuadPart() int64
func (*LARGE_INTEGER) Size ¶
func (self *LARGE_INTEGER) Size() int
type Registry ¶
// Registry models a registry hive (per the package documentation).
// NOTE(review): OpenKey returns a *CM_KEY_NODE and has no error result; the
// page does not say what it returns for a missing path. Presumably nil, so
// callers should nil-check — confirm.
type Registry struct {
	Reader    io.ReaderAt      // backing reader for the hive
	Profile   *RegistryProfile // field-offset table (Off_* fields)
	BaseBlock *HBASE_BLOCK     // the hive's header block
}
Model a registry hive with this object.
func (*Registry) OpenKey ¶
func (self *Registry) OpenKey(key_path string) *CM_KEY_NODE
A helper method to open a key by path.
type RegistryProfile ¶
// RegistryProfile holds one int64 per structure field, named
// Off_<STRUCT>_<Field>. Its methods (CHILD_LIST, CM_KEY_NODE, HCELL, ...)
// construct the matching structure type from a reader and an offset.
// NOTE(review): the values are presumably byte offsets of each field relative
// to the start of its structure, filled in by NewRegistryProfile — confirm.
type RegistryProfile struct {
	// HIVE_DIRTY_PAGE_REF
	Off_HIVE_DIRTY_PAGE_REF_PageOffset int64
	Off_HIVE_DIRTY_PAGE_REF_PageSize   int64

	// HIVE_LOG_ENTRY
	Off_HIVE_LOG_ENTRY_Signature        int64
	Off_HIVE_LOG_ENTRY_LogEntrySize     int64
	Off_HIVE_LOG_ENTRY_Flags            int64
	Off_HIVE_LOG_ENTRY_SequenceNumber   int64
	Off_HIVE_LOG_ENTRY_HiveBinsDataSize int64
	Off_HIVE_LOG_ENTRY_DirtyPagesCount  int64
	Off_HIVE_LOG_ENTRY_Hash1            int64
	Off_HIVE_LOG_ENTRY_Hash2            int64
	Off_HIVE_LOG_ENTRY_DirtyPageRefs    int64

	// CHILD_LIST
	Off_CHILD_LIST_Count int64
	Off_CHILD_LIST_List  int64

	// CM_BIG_DATA
	Off_CM_BIG_DATA_Count     int64
	Off_CM_BIG_DATA_List      int64
	Off_CM_BIG_DATA_Signature int64

	// CM_KEY_INDEX
	Off_CM_KEY_INDEX_Count     int64
	Off_CM_KEY_INDEX_List      int64
	Off_CM_KEY_INDEX_Signature int64

	// CM_KEY_INDEX_FAST
	Off_CM_KEY_INDEX_FAST_Count     int64
	Off_CM_KEY_INDEX_FAST_List      int64
	Off_CM_KEY_INDEX_FAST_Signature int64

	// CM_KEY_INDEX_FAST_ELEMENT
	Off_CM_KEY_INDEX_FAST_ELEMENT_NodeOffset int64
	Off_CM_KEY_INDEX_FAST_ELEMENT_Index      int64

	// CM_KEY_NODE
	Off_CM_KEY_NODE_ChildHiveReference int64
	Off_CM_KEY_NODE_Class              int64
	Off_CM_KEY_NODE_ClassLength        int64
	Off_CM_KEY_NODE_Debug              int64
	Off_CM_KEY_NODE_Flags              int64
	Off_CM_KEY_NODE_LastWriteTime      int64
	Off_CM_KEY_NODE_MaxClassLen        int64
	Off_CM_KEY_NODE_MaxNameLen         int64
	Off_CM_KEY_NODE_MaxValueDataLen    int64
	Off_CM_KEY_NODE_MaxValueNameLen    int64
	Off_CM_KEY_NODE__Name              int64 // the double underscore is in the original declaration
	Off_CM_KEY_NODE_NameLength         int64
	Off_CM_KEY_NODE_Parent             int64
	Off_CM_KEY_NODE_Security           int64
	Off_CM_KEY_NODE_Signature          int64
	Off_CM_KEY_NODE_Spare              int64
	Off_CM_KEY_NODE_SubKeyCounts       int64
	Off_CM_KEY_NODE_SubKeyLists        int64
	Off_CM_KEY_NODE_UserFlags          int64
	Off_CM_KEY_NODE_ValueList          int64
	Off_CM_KEY_NODE_VirtControlFlags   int64
	Off_CM_KEY_NODE_WorkVar            int64

	// CM_KEY_VALUE
	Off_CM_KEY_VALUE_Data       int64
	Off_CM_KEY_VALUE_DataLength int64
	Off_CM_KEY_VALUE_Flags      int64
	Off_CM_KEY_VALUE_Name       int64
	Off_CM_KEY_VALUE_NameLength int64
	Off_CM_KEY_VALUE_Signature  int64
	Off_CM_KEY_VALUE_Spare      int64
	Off_CM_KEY_VALUE_Type       int64

	// GUID
	Off_GUID_Data1 int64
	Off_GUID_Data2 int64
	Off_GUID_Data3 int64
	Off_GUID_Data4 int64

	// HBASE_BLOCK
	Off_HBASE_BLOCK_BootRecover   int64
	Off_HBASE_BLOCK_BootType      int64
	Off_HBASE_BLOCK_CheckSum      int64
	Off_HBASE_BLOCK_Cluster       int64
	Off_HBASE_BLOCK_FileName      int64
	Off_HBASE_BLOCK_Flags         int64
	Off_HBASE_BLOCK_Format        int64
	Off_HBASE_BLOCK_GuidSignature int64
	Off_HBASE_BLOCK_Length        int64
	Off_HBASE_BLOCK_LogId         int64
	Off_HBASE_BLOCK_Major         int64
	Off_HBASE_BLOCK_Minor         int64
	Off_HBASE_BLOCK_Reserved1     int64
	Off_HBASE_BLOCK_Reserved2     int64
	Off_HBASE_BLOCK_RmId          int64
	Off_HBASE_BLOCK_RootCell      int64
	Off_HBASE_BLOCK_Sequence1     int64
	Off_HBASE_BLOCK_Sequence2     int64
	Off_HBASE_BLOCK_Signature     int64
	Off_HBASE_BLOCK_ThawLogId     int64
	Off_HBASE_BLOCK_ThawRmId      int64
	Off_HBASE_BLOCK_ThawTmId      int64
	Off_HBASE_BLOCK_TimeStamp     int64
	Off_HBASE_BLOCK_TmId          int64
	Off_HBASE_BLOCK_Type          int64

	// HBIN
	Off_HBIN_FileOffset int64
	Off_HBIN_Reserved1  int64
	Off_HBIN_Signature  int64
	Off_HBIN_HbinSize   int64
	Off_HBIN_Spare      int64
	Off_HBIN_TimeStamp  int64

	// HCELL
	Off_HCELL_Next      int64
	Off_HCELL_Signature int64
	Off_HCELL_Data      int64

	// LARGE_INTEGER
	Off_LARGE_INTEGER_HighPart int64
	Off_LARGE_INTEGER_LowPart  int64
	Off_LARGE_INTEGER_QuadPart int64
}
func NewRegistryProfile ¶
func NewRegistryProfile() *RegistryProfile
func (*RegistryProfile) CHILD_LIST ¶
func (self *RegistryProfile) CHILD_LIST(reader io.ReaderAt, offset int64) *CHILD_LIST
func (*RegistryProfile) CM_BIG_DATA ¶
func (self *RegistryProfile) CM_BIG_DATA(reader io.ReaderAt, offset int64) *CM_BIG_DATA
func (*RegistryProfile) CM_KEY_INDEX ¶
func (self *RegistryProfile) CM_KEY_INDEX(reader io.ReaderAt, offset int64) *CM_KEY_INDEX
func (*RegistryProfile) CM_KEY_INDEX_FAST ¶
func (self *RegistryProfile) CM_KEY_INDEX_FAST(reader io.ReaderAt, offset int64) *CM_KEY_INDEX_FAST
func (*RegistryProfile) CM_KEY_INDEX_FAST_ELEMENT ¶
func (self *RegistryProfile) CM_KEY_INDEX_FAST_ELEMENT(reader io.ReaderAt, offset int64) *CM_KEY_INDEX_FAST_ELEMENT
func (*RegistryProfile) CM_KEY_NODE ¶
func (self *RegistryProfile) CM_KEY_NODE(reader io.ReaderAt, offset int64) *CM_KEY_NODE
func (*RegistryProfile) CM_KEY_VALUE ¶
func (self *RegistryProfile) CM_KEY_VALUE(reader io.ReaderAt, offset int64) *CM_KEY_VALUE
func (*RegistryProfile) FileTime ¶
func (self *RegistryProfile) FileTime(reader io.ReaderAt, offset int64) *FileTime
func (*RegistryProfile) GUID ¶
func (self *RegistryProfile) GUID(reader io.ReaderAt, offset int64) *GUID
func (*RegistryProfile) HBASE_BLOCK ¶
func (self *RegistryProfile) HBASE_BLOCK(reader io.ReaderAt, offset int64) *HBASE_BLOCK
func (*RegistryProfile) HBIN ¶
func (self *RegistryProfile) HBIN(reader io.ReaderAt, offset int64) *HBIN
func (*RegistryProfile) HCELL ¶
func (self *RegistryProfile) HCELL(reader io.ReaderAt, offset int64) *HCELL
func (*RegistryProfile) HIVE_DIRTY_PAGE_REF ¶
func (self *RegistryProfile) HIVE_DIRTY_PAGE_REF(reader io.ReaderAt, offset int64) *HIVE_DIRTY_PAGE_REF
func (*RegistryProfile) HIVE_LOG_ENTRY ¶
func (self *RegistryProfile) HIVE_LOG_ENTRY(reader io.ReaderAt, offset int64) *HIVE_LOG_ENTRY
func (*RegistryProfile) LARGE_INTEGER ¶
func (self *RegistryProfile) LARGE_INTEGER(reader io.ReaderAt, offset int64) *LARGE_INTEGER
func (*RegistryProfile) UnicodeString ¶
func (self *RegistryProfile) UnicodeString(reader io.ReaderAt, offset int64) *UnicodeString
type UnicodeString ¶
// UnicodeString carries the text of a null-terminated UTF-16 string (per the
// package documentation).
type UnicodeString struct {
	// Value is the string as a Go string. The package exports
	// UTF16BytesToUTF8, so this is presumably already UTF-8 — TODO confirm.
	Value string
}
A null-terminated UTF-16 string.
func (*UnicodeString) DebugString ¶
func (self *UnicodeString) DebugString() string
func (*UnicodeString) GoString ¶
func (self *UnicodeString) GoString() string
type ValueData ¶
// ValueData is the decoded form of a registry value. Which field is populated
// depends on Type; the raw bytes are kept in Data alongside the decoded form.
type ValueData struct {
	// REG_SZ etc.
	Type uint32

	// Filled in for REG_SZ etc.
	String string

	// Filled in for REG_MULTI_SZ
	MultiSz []string

	// Filled in for integer types
	Uint64 uint64

	// The original encoded data. For binary values this is the only
	// field filled.
	// NOTE(review): the original comment names "BINARY_SZ", which is not
	// among the package constants; REG_BINARY is presumably meant.
	Data []byte

	// If an error occurs during parsing this will contain the
	// error object.
	// NOTE(review): check Error before using the decoded fields. Which
	// fields remain populated after a parse error is not visible here.
	Error error
}
A Registry Value may represent a number of different data types depending on its Type field. This struct contains the various Go types that are represented. Many of the registry types are converted to the most closely matching Go types. The original binary data is also attached in the Data field.