README
¶
Golang Hivex bindings
Golang bindings for hivex.
Minimum hivex version is 1.3.14
Basic usage
package main
import (
"fmt"
"log"
"os"
"path/filepath"
hivex "github.com/gabriel-samfira/go-hivex"
)
func main() {
gopath := os.Getenv("GOPATH")
// There are a few test hives inside the package
// Feel free to use your own
hivePath := filepath.Join(
gopath,
"src/github.com/gabriel-samfira/go-hivex",
"testdata",
"rlenvalue_test_hive")
// If you plan to write to the hive, replace hivex.READ
// with hivex.WRITE. You may also enable verbose, debug or
// unsafe (hivex.WRITE | hivex.DEBUG | hivex.UNSAFE)
hive, err := hivex.NewHivex(hivePath, hivex.READ)
if err != nil {
log.Fatal(err)
}
root, err := hive.Root()
if err != nil {
log.Fatal(err)
}
// Get a child node called ModerateValueParent
child, err := hive.NodeGetChild(root, "ModerateValueParent")
if err != nil {
log.Fatal(err)
}
// child will hold an int64 representing the offset of the node
fmt.Println(child)
// fetch the name of the Node
childName, err := hive.NodeName(child)
if err != nil {
log.Fatal(err)
}
// print out the name (should be "ModerateValueParent")
fmt.Println(childName)
// Get the value offset of a key called "33Bytes" that lives in
// \\ModerateValueParent
valueOffset, err := hive.NodeGetValue(child, "33Bytes")
if err != nil {
log.Fatal(err)
}
// Get the actual value of that key. It should be a REG_BINARY (3)
// with a value of 0123456789ABCDEF0123456789ABCDEF0
valType, value, err := hive.ValueValue(valueOffset)
if err != nil {
log.Fatal(err)
}
fmt.Println(valType, string(value))
}
Tests
The image files were shamelessly copied from the hivex package, and tests are based on the same tests in that package for the various other bindings.
$ go test github.com/gabriel-samfira/go-hivex/...
Documentation
¶
Index ¶
- Constants
- type HiveValue
- type Hivex
- func (h *Hivex) Close() error
- func (h *Hivex) Commit() (int, error)
- func (h *Hivex) LastModified() (int64, error)
- func (h *Hivex) NodeAddChild(parent int64, name string) (int64, error)
- func (h *Hivex) NodeChildren(node int64) ([]int64, error)
- func (h *Hivex) NodeDeleteChild(node int64) (int, error)
- func (h *Hivex) NodeGetChild(node int64, name string) (int64, error)
- func (h *Hivex) NodeGetValue(node int64, name string) (int64, error)
- func (h *Hivex) NodeName(node int64) (string, error)
- func (h *Hivex) NodeNameLen(node int64) (int64, error)
- func (h *Hivex) NodeNrChildren(node int64) (int64, error)
- func (h *Hivex) NodeNrValues(node int64) (int64, error)
- func (h *Hivex) NodeParent(node int64) (int64, error)
- func (h *Hivex) NodeSetValue(node int64, value HiveValue) (int, error)
- func (h *Hivex) NodeSetValues(node int64, values []HiveValue) (int, error)
- func (h *Hivex) NodeStructLength(node int64) (int64, error)
- func (h *Hivex) NodeTimestamp(node int64) (int64, error)
- func (h *Hivex) NodeValueDataCellOffset(value int64) (length, offset int64, err error)
- func (h *Hivex) NodeValueDword(value int64) (int32, error)
- func (h *Hivex) NodeValueKey(value int64) (string, error)
- func (h *Hivex) NodeValueKeyLen(value int64) (int64, error)
- func (h *Hivex) NodeValueQword(value int64) (int64, error)
- func (h *Hivex) NodeValueStructLength(value int64) (int64, error)
- func (h *Hivex) NodeValueType(value int64) (valueType, length int64, err error)
- func (h *Hivex) NodeValues(node int64) ([]int64, error)
- func (h *Hivex) Root() (int64, error)
- func (h *Hivex) ValueMultipleStrings(value int64) ([]string, error)
- func (h *Hivex) ValueString(value int64) (string, error)
- func (h *Hivex) ValueValue(value int64) (valType int64, valueBytes []byte, err error)
Constants ¶
View Source
const ( // READ opens the hive as readonly READ = 0 // VERBOSE instructs hivex to open the registry hive verbosely VERBOSE = C.HIVEX_OPEN_VERBOSE // DEBUG enables debug DEBUG = C.HIVEX_OPEN_DEBUG // WRITE opens the hive in write mode WRITE = C.HIVEX_OPEN_WRITE // UNSAFE enables heuristics to allow read/write of corrupted hives UNSAFE = C.HIVEX_OPEN_UNSAFE )
View Source
const ( // RegNone just a key without a value RegNone = C.hive_t_REG_NONE // RegSz a Windows string (encoding is unknown, but often UTF16-LE) RegSz = C.hive_t_REG_SZ // RegExpandSz a Windows string that contains %env% // (environment variable expansion) RegExpandSz = C.hive_t_REG_EXPAND_SZ // RegBinary a blob of binary RegBinary = C.hive_t_REG_BINARY // RegDword (32 bit integer), big endian RegDword = C.hive_t_REG_DWORD // RegDwordBigEndian (32 bit integer), big endian RegDwordBigEndian = C.hive_t_REG_DWORD_BIG_ENDIAN // RegLink Symbolic link to another part of the registry tree RegLink = C.hive_t_REG_LINK // RegMultiSz Multiple Windows strings. // See http://blogs.msdn.com/oldnewthing/archive/2009/10/08/9904646.aspx RegMultiSz = C.hive_t_REG_MULTI_SZ // RegResourceList resource list RegResourceList = C.hive_t_REG_RESOURCE_LIST // RegFullResourceDescriptor resource descriptor RegFullResourceDescriptor = C.hive_t_REG_FULL_RESOURCE_DESCRIPTOR // RegResourceRequirementsList resouce requirements list RegResourceRequirementsList = C.hive_t_REG_RESOURCE_REQUIREMENTS_LIST // RegQword (64 bit integer), unspecified endianness but usually little endian RegQword = C.hive_t_REG_QWORD )
Constants copied over from hivex
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Hivex ¶
type Hivex struct {
// contains filtered or unexported fields
}
Hivex implements the hivex bindings in go
func (*Hivex) LastModified ¶
LastModified returns the last modified time for this hive
func (*Hivex) NodeAddChild ¶
NodeAddChild adds a new node child
func (*Hivex) NodeChildren ¶
NodeChildren returns a list of node children
func (*Hivex) NodeDeleteChild ¶
NodeDeleteChild deletes a child node
func (*Hivex) NodeGetChild ¶
NodeGetChild gets a particular child of this node
func (*Hivex) NodeGetValue ¶
NodeGetValue gets the value of a node
func (*Hivex) NodeNameLen ¶
NodeNameLen returns the node name length
func (*Hivex) NodeNrChildren ¶
NodeNrChildren returns the number of child nodes
func (*Hivex) NodeNrValues ¶
NodeNrValues gets the nr of values of a node
func (*Hivex) NodeParent ¶
NodeParent returns the parent node
func (*Hivex) NodeSetValue ¶
NodeSetValue sets the value on one node
func (*Hivex) NodeSetValues ¶
NodeSetValues sets values on a node
func (*Hivex) NodeStructLength ¶
NodeStructLength returns the node struct length
func (*Hivex) NodeTimestamp ¶
NodeTimestamp returns the node timestamp
func (*Hivex) NodeValueDataCellOffset ¶
NodeValueDataCellOffset returns the length and the offset of the data cell
func (*Hivex) NodeValueDword ¶
NodeValueDword returns the DWORD value
func (*Hivex) NodeValueKey ¶
NodeValueKey returns the value key
func (*Hivex) NodeValueKeyLen ¶
NodeValueKeyLen returns the value key length
func (*Hivex) NodeValueQword ¶
NodeValueQword returns the QWORD value
func (*Hivex) NodeValueStructLength ¶
NodeValueStructLength returns the length of the value struct
func (*Hivex) NodeValueType ¶
NodeValueType returns the value type
func (*Hivex) NodeValues ¶
NodeValues returns a list of values set for this node
func (*Hivex) ValueMultipleStrings ¶
ValueMultipleStrings returns a list of strings (REG_SZ_MULTI)
func (*Hivex) ValueString ¶
ValueString returns the value as a string (REG_SZ)
Source Files
Click to show internal directories.
Click to hide internal directories.