Fixing the regf parser #674

Open
wants to merge 2 commits into
base: master
84 changes: 62 additions & 22 deletions windows/regf.ksy
Expand Up @@ -23,14 +23,16 @@ doc: |

Note that one typically can't access files directly on a mounted
filesystem with a running Windows OS.
doc-ref: 'https://github.com/libyal/libregf/blob/main/documentation/Windows%20NT%20Registry%20File%20(REGF)%20format.asciidoc'
doc-ref:
- 'https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md'
- 'https://github.com/libyal/libregf/blob/master/documentation/Windows%20NT%20Registry%20File%20(REGF)%20format.asciidoc'
seq:
- id: header
size: 4096
type: file_header
- id: hive_bins
type: hive_bin
size: 4096
repeat: eos
size: header.hive_bins_data_size
type: hive_bins
types:
file_header:
seq:
Expand Down Expand Up @@ -101,26 +103,13 @@ types:
type: u4
doc: Contains number of bytes
hive_bin_cell:
-webide-representation: "{identifier}"
seq:
- id: cell_size_raw
type: s4
- id: identifier
type: str
size: 2
encoding: ascii
- id: data
size: cell_size - 2 - 4
type:
switch-on: identifier
cases:
"'nk'": named_key
"'lh'": sub_key_list_lh_lf
"'lf'": sub_key_list_lh_lf
"'li'": sub_key_list_li
"'ri'": sub_key_list_ri
"'vk'": sub_key_list_vk
"'sk'": sub_key_list_sk
- id: cell_data
size: cell_size - 4
type: cell_data

instances:
cell_size:
value: "(cell_size_raw < 0 ? -1 : +1) * cell_size_raw"
Expand All @@ -129,8 +118,32 @@ types:
value: "cell_size_raw < 0"
-webide-parse-mode: eager
types:
cell_data:
-webide-representation: "{identifier}"
seq:
- id: cell_type
type:
switch-on: identifier
cases:
"'nk'": named_key
"'lh'": sub_key_list_lh_lf
"'lf'": sub_key_list_lh_lf
"'li'": sub_key_list_li
"'ri'": sub_key_list_ri
"'vk'": sub_key_list_vk
"'sk'": sub_key_list_sk
_ : key_value_list
instances:
identifier:
type: str
encoding: ascii
size: 2
pos: 0
-webide-parse-mode: eager
named_key:
seq:
- id: signature
contents: 'nk'
- id: flags
type: u2
enum: nk_flags
Expand Down Expand Up @@ -190,6 +203,10 @@ types:
0x4000: unknown2
sub_key_list_lh_lf:
seq:
- id: signature
type: str
size: 2
encoding: ascii
- id: count
type: u2
- id: items
Expand All @@ -205,6 +222,8 @@ types:
type: u4
sub_key_list_li:
seq:
- id: signature
contents: 'li'
- id: count
type: u2
- id: items
Expand All @@ -218,6 +237,8 @@ types:
type: u4
sub_key_list_ri:
seq:
- id: signature
contents: 'ri'
- id: count
type: u2
- id: items
Expand All @@ -231,6 +252,8 @@ types:
type: u4
sub_key_list_vk:
seq:
- id: signature
contents: 'vk'
- id: value_name_size # If the value name size is 0 the value name is "(default)"
type: u2
- id: data_size
Expand Down Expand Up @@ -268,6 +291,8 @@ types:
0x0001: value_comp_name # Name is an ASCII string / Otherwise the name is an Unicode (UTF-16 little-endian) string
sub_key_list_sk:
seq:
- id: signature
contents: 'sk'
- id: unknown1
type: u2
- id: previous_security_key_offset
Expand All @@ -276,12 +301,27 @@ types:
type: u4
- id: reference_count
type: u4
key_value_list:
seq:
- id: elements
type: u4
repeat: eos
hive_bin_cells:
seq:
- id: cells
type: hive_bin_cell
repeat: eos
hive_bin:
seq:
- id: header
type: hive_bin_header
- id: cells
type: hive_bin_cell
type: hive_bin_cells
size: header.size - 32
hive_bins:
seq:
- id: hive_bins
type: hive_bin
repeat: eos
filetime:
seq:
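Review bot: The new `cell_data` attribute of `hive_bin_cell` is sized as `cell_size - 4`, and the `identifier` instance inside `cell_data` reads two bytes at `pos: 0` of that substream, yet nothing rejects a `cell_size_raw` of 0 or a magnitude below 6, so a corrupt or crafted hive makes the parser abort on a negative or too-short substream rather than failing with a clear validation error (hive_bin_cell's definition spans the `@@ -101,26 +103,13 @@` and `@@ -129,8 +118,32 @@` hunks, with its `instances:` starting outside the first). A guard on the raw field, `- id: cell_size_raw` / `type: s4` / `valid: {expr: '_ != 0 and (_ < 0 ? -_ : _) >= 6'}`, surfaces that as an early validation failure instead; note that negating the most negative s4 still overflows in most target languages, so a `min:` bound on the raw value may be worth adding alongside it. Separately, `sub_key_list_lh_lf.signature` is declared as a plain 2-byte `str` while every sibling list uses `contents:`, so a cell dispatched as `'lh'`/`'lf'` is never checked against its own signature; `valid: any-of: ["'lh'", "'lf'"]` on that attribute would keep the validation consistent across the list types. The same negative-size concern applies to `hive_bin.cells` with `size: header.size - 32`, where a `hive_bin_header` size below 32 is not rejected either.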