README
¶
regffs
Read Windows registry files (regf) as io/fs.FS.
Example
func main() {
f, _ := os.Open("testdata/SYSTEM")
// init file system
fsys, _ := regffs.New(f)
// print all paths
b, _ := fs.ReadFile(fsys, "ControlSet001/Control/ComputerName/ComputerName/ComputerName")
s, _ := regffs.DecodeRegSz(b)
fmt.Println(s)
// Output: WKS-WIN732BITA
}
License
testdata is from https://github.com/log2timeline/plaso and therefore licenced
under Apache License 2.0. The remaining files are MIT licensed.
Documentation
¶
Overview ¶
Example ¶
package main
import (
"fmt"
"github.com/forensicanalysis/regffs"
"io/fs"
"os"
)
func main() {
f, _ := os.Open("testdata/SYSTEM")
// init file system
fsys, _ := regffs.New(f)
// print all paths
b, _ := fs.ReadFile(fsys, "ControlSet001/Control/ComputerName/ComputerName/ComputerName")
s, _ := regffs.DecodeRegSz(b)
fmt.Println(s)
}
Output: WKS-WIN732BITA
Index ¶
- Variables
- func DecodeRegSz(b []byte) (string, error)
- func DecodeUTF16(b []byte) (string, error)
- type File
- func (f *File) Close() error
- func (f *File) Info() (fs.FileInfo, error)
- func (f *File) IsDir() bool
- func (f *File) ModTime() time.Time
- func (f *File) Mode() fs.FileMode
- func (f *File) Name() string
- func (f *File) Read(i []byte) (int, error)
- func (f *File) ReadDir(n int) ([]fs.DirEntry, error)
- func (f *File) Size() int64
- func (f *File) Stat() (fs.FileInfo, error)
- func (f *File) Sys() interface{}
- func (f *File) Type() fs.FileMode
- type FileHeader
- func (k *FileHeader) BootRecover() (value uint32)
- func (k *FileHeader) BootType() (value uint32)
- func (k *FileHeader) Checksum() (value uint32)
- func (k *FileHeader) ClusteringFactor() (value uint32)
- func (k *FileHeader) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
- func (k *FileHeader) Format() (value uint32)
- func (k *FileHeader) HeaderType() (value uint32)
- func (k *FileHeader) HiveBinsDataSize() (value uint32)
- func (k *FileHeader) LastModificationDateAndTime() (value *Filetime)
- func (k *FileHeader) MajorVersion() (value uint32)
- func (k *FileHeader) MinorVersion() (value uint32)
- func (k *FileHeader) Parent() *Regf
- func (k *FileHeader) PrimarySequenceNumber() (value uint32)
- func (k *FileHeader) Reserved() (value []byte)
- func (k *FileHeader) Root() *Regf
- func (k *FileHeader) RootKeyOffset() (value uint32)
- func (k *FileHeader) SecondarySequenceNumber() (value uint32)
- func (k *FileHeader) Signature() (value []byte)
- func (k *FileHeader) Unknown1() (value []byte)
- func (k *FileHeader) Unknown2() (value []byte)
- type Filetime
- type HiveBin
- type HiveBinCell
- func (k *HiveBinCell) CellSize() (value int64)
- func (k *HiveBinCell) CellSizeRaw() (value int32)
- func (k *HiveBinCell) Data() (value KSYDecoder)
- func (k *HiveBinCell) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
- func (k *HiveBinCell) Identifier() (value []byte)
- func (k *HiveBinCell) IsAllocated() (value bool)
- func (k *HiveBinCell) Parent() *HiveBin
- func (k *HiveBinCell) Root() *Regf
- type HiveBinHeader
- func (k *HiveBinHeader) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
- func (k *HiveBinHeader) Offset() (value uint32)
- func (k *HiveBinHeader) Parent() *HiveBin
- func (k *HiveBinHeader) Root() *Regf
- func (k *HiveBinHeader) Signature() (value []byte)
- func (k *HiveBinHeader) Size() (value uint32)
- func (k *HiveBinHeader) Timestamp() (value *Filetime)
- func (k *HiveBinHeader) Unknown1() (value uint32)
- func (k *HiveBinHeader) Unknown2() (value uint32)
- func (k *HiveBinHeader) Unknown4() (value uint32)
- type KSYDecoder
- type LhLfItem
- type LiItem
- type NamedKey
- func (k *NamedKey) ClassNameOffset() (value uint32)
- func (k *NamedKey) ClassNameSize() (value uint16)
- func (k *NamedKey) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
- func (k *NamedKey) Flags() (value uint16)
- func (k *NamedKey) KeyNameSize() (value uint16)
- func (k *NamedKey) LargestSubKeyClassNameSize() (value uint32)
- func (k *NamedKey) LargestSubKeyNameSize() (value uint32)
- func (k *NamedKey) LargestValueDataSize() (value uint32)
- func (k *NamedKey) LargestValueNameSize() (value uint32)
- func (k *NamedKey) LastKeyWrittenDateAndTime() (value *Filetime)
- func (k *NamedKey) NumberOfSubKeys() (value uint32)
- func (k *NamedKey) NumberOfValues() (value uint32)
- func (k *NamedKey) NumberOfVolatileSubKeys() (value uint32)
- func (k *NamedKey) Parent() *HiveBinCell
- func (k *NamedKey) ParentKeyOffset() (value uint32)
- func (k *NamedKey) Root() *Regf
- func (k *NamedKey) SecurityKeyOffset() (value uint32)
- func (k *NamedKey) SubKeysListOffset() (value uint32)
- func (k *NamedKey) Unknown1() (value uint32)
- func (k *NamedKey) Unknown2() (value uint32)
- func (k *NamedKey) UnknownString() (value []byte)
- func (k *NamedKey) UnknownStringSize() (value uint16)
- func (k *NamedKey) ValuesListOffset() (value uint32)
- type Regf
- type Regffs
- type RiItem
- type SubKeyListLhLf
- type SubKeyListLi
- type SubKeyListRi
- type SubKeyListSk
- func (k *SubKeyListSk) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
- func (k *SubKeyListSk) NextSecurityKeyOffset() (value uint32)
- func (k *SubKeyListSk) Parent() *HiveBinCell
- func (k *SubKeyListSk) PreviousSecurityKeyOffset() (value uint32)
- func (k *SubKeyListSk) ReferenceCount() (value uint32)
- func (k *SubKeyListSk) Root() *Regf
- func (k *SubKeyListSk) Unknown1() (value uint16)
- type SubKeyListVk
- func (k *SubKeyListVk) DataOffset() (value uint32)
- func (k *SubKeyListVk) DataSize() (value uint32)
- func (k *SubKeyListVk) DataType() (value uint32)
- func (k *SubKeyListVk) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
- func (k *SubKeyListVk) Flags() (value uint16)
- func (k *SubKeyListVk) Padding() (value uint16)
- func (k *SubKeyListVk) Parent() *HiveBinCell
- func (k *SubKeyListVk) Root() *Regf
- func (k *SubKeyListVk) ValueName() (value []byte)
- func (k *SubKeyListVk) ValueNameSize() (value uint16)
Examples ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var DataTypeEnum = struct { RegDwordBigEndian uint32 RegLink uint32 RegResourceList uint32 RegFullResourceDescriptor uint32 RegResourceRequirementsList uint32 RegQword uint32 RegNone uint32 RegExpandSz uint32 RegBinary uint32 RegDword uint32 RegMultiSz uint32 RegSz uint32 }{ RegSz: 1, RegExpandSz: 2, RegBinary: 3, RegDword: 4, RegMultiSz: 7, RegNone: 0, RegDwordBigEndian: 5, RegLink: 6, RegResourceList: 8, RegFullResourceDescriptor: 9, RegResourceRequirementsList: 10, RegQword: 11, }
View Source
var FileFormat = struct { DirectMemoryLoad uint32 }{ DirectMemoryLoad: 1, }
View Source
var FileType = struct { TransactionLog uint32 Normal uint32 }{ Normal: 0, TransactionLog: 1, }
View Source
var NkFlags = struct { Unknown1 uint16 KeyHiveExit uint16 KeyHiveEntry uint16 KeyNoDelete uint16 KeyPrefefHandle uint16 KeyVirtMirrored uint16 KeyVirtTarget uint16 KeyVirtualStore uint16 KeyIsVolatile uint16 KeySymLink uint16 KeyCompName uint16 Unknown2 uint16 }{ KeyCompName: 32, Unknown2: 16384, KeyIsVolatile: 1, KeySymLink: 16, KeyNoDelete: 8, KeyPrefefHandle: 64, KeyVirtMirrored: 128, KeyVirtTarget: 256, KeyVirtualStore: 512, Unknown1: 4096, KeyHiveExit: 2, KeyHiveEntry: 4, }
View Source
var VkFlags = struct { ValueCompName uint16 }{ ValueCompName: 1, }
Functions ¶
func DecodeRegSz ¶
func DecodeUTF16 ¶
Types ¶
type FileHeader ¶
type FileHeader struct {
// contains filtered or unexported fields
}
func (*FileHeader) BootRecover ¶
func (k *FileHeader) BootRecover() (value uint32)
func (*FileHeader) BootType ¶
func (k *FileHeader) BootType() (value uint32)
func (*FileHeader) Checksum ¶
func (k *FileHeader) Checksum() (value uint32)
func (*FileHeader) ClusteringFactor ¶
func (k *FileHeader) ClusteringFactor() (value uint32)
func (*FileHeader) Decode ¶
func (k *FileHeader) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*FileHeader) Format ¶
func (k *FileHeader) Format() (value uint32)
func (*FileHeader) HeaderType ¶
func (k *FileHeader) HeaderType() (value uint32)
func (*FileHeader) HiveBinsDataSize ¶
func (k *FileHeader) HiveBinsDataSize() (value uint32)
func (*FileHeader) LastModificationDateAndTime ¶
func (k *FileHeader) LastModificationDateAndTime() (value *Filetime)
func (*FileHeader) MajorVersion ¶
func (k *FileHeader) MajorVersion() (value uint32)
func (*FileHeader) MinorVersion ¶
func (k *FileHeader) MinorVersion() (value uint32)
func (*FileHeader) Parent ¶
func (k *FileHeader) Parent() *Regf
func (*FileHeader) PrimarySequenceNumber ¶
func (k *FileHeader) PrimarySequenceNumber() (value uint32)
func (*FileHeader) Reserved ¶
func (k *FileHeader) Reserved() (value []byte)
func (*FileHeader) Root ¶
func (k *FileHeader) Root() *Regf
func (*FileHeader) RootKeyOffset ¶
func (k *FileHeader) RootKeyOffset() (value uint32)
func (*FileHeader) SecondarySequenceNumber ¶
func (k *FileHeader) SecondarySequenceNumber() (value uint32)
func (*FileHeader) Signature ¶
func (k *FileHeader) Signature() (value []byte)
func (*FileHeader) Unknown1 ¶
func (k *FileHeader) Unknown1() (value []byte)
func (*FileHeader) Unknown2 ¶
func (k *FileHeader) Unknown2() (value []byte)
type Filetime ¶
type Filetime struct {
// contains filtered or unexported fields
}
func (*Filetime) Decode ¶
func (k *Filetime) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*Filetime) Parent ¶
func (k *Filetime) Parent() *FileHeader
type HiveBin ¶
type HiveBin struct {
// contains filtered or unexported fields
}
func (*HiveBin) Cells ¶
func (k *HiveBin) Cells() (value []HiveBinCell)
func (*HiveBin) Decode ¶
func (k *HiveBin) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*HiveBin) Header ¶
func (k *HiveBin) Header() (value *HiveBinHeader)
type HiveBinCell ¶
type HiveBinCell struct {
// contains filtered or unexported fields
}
func (*HiveBinCell) CellSize ¶
func (k *HiveBinCell) CellSize() (value int64)
func (*HiveBinCell) CellSizeRaw ¶
func (k *HiveBinCell) CellSizeRaw() (value int32)
func (*HiveBinCell) Data ¶
func (k *HiveBinCell) Data() (value KSYDecoder)
func (*HiveBinCell) Decode ¶
func (k *HiveBinCell) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*HiveBinCell) Identifier ¶
func (k *HiveBinCell) Identifier() (value []byte)
func (*HiveBinCell) IsAllocated ¶
func (k *HiveBinCell) IsAllocated() (value bool)
func (*HiveBinCell) Parent ¶
func (k *HiveBinCell) Parent() *HiveBin
func (*HiveBinCell) Root ¶
func (k *HiveBinCell) Root() *Regf
type HiveBinHeader ¶
type HiveBinHeader struct {
// contains filtered or unexported fields
}
func (*HiveBinHeader) Decode ¶
func (k *HiveBinHeader) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*HiveBinHeader) Offset ¶
func (k *HiveBinHeader) Offset() (value uint32)
func (*HiveBinHeader) Parent ¶
func (k *HiveBinHeader) Parent() *HiveBin
func (*HiveBinHeader) Root ¶
func (k *HiveBinHeader) Root() *Regf
func (*HiveBinHeader) Signature ¶
func (k *HiveBinHeader) Signature() (value []byte)
func (*HiveBinHeader) Size ¶
func (k *HiveBinHeader) Size() (value uint32)
func (*HiveBinHeader) Timestamp ¶
func (k *HiveBinHeader) Timestamp() (value *Filetime)
func (*HiveBinHeader) Unknown1 ¶
func (k *HiveBinHeader) Unknown1() (value uint32)
func (*HiveBinHeader) Unknown2 ¶
func (k *HiveBinHeader) Unknown2() (value uint32)
func (*HiveBinHeader) Unknown4 ¶
func (k *HiveBinHeader) Unknown4() (value uint32)
type KSYDecoder ¶
type KSYDecoder interface {
Decode(io.ReadSeeker, ...interface{}) error
}
type LhLfItem ¶
type LhLfItem struct {
// contains filtered or unexported fields
}
func (*LhLfItem) Decode ¶
func (k *LhLfItem) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*LhLfItem) NamedKeyOffset ¶
func (*LhLfItem) Parent ¶
func (k *LhLfItem) Parent() *SubKeyListLhLf
type LiItem ¶
type LiItem struct {
// contains filtered or unexported fields
}
func (*LiItem) Decode ¶
func (k *LiItem) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*LiItem) NamedKeyOffset ¶
func (*LiItem) Parent ¶
func (k *LiItem) Parent() *SubKeyListLi
type NamedKey ¶
type NamedKey struct {
// contains filtered or unexported fields
}
func (*NamedKey) ClassNameOffset ¶
func (*NamedKey) ClassNameSize ¶
func (*NamedKey) Decode ¶
func (k *NamedKey) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*NamedKey) KeyNameSize ¶
func (*NamedKey) LargestSubKeyClassNameSize ¶
func (*NamedKey) LargestSubKeyNameSize ¶
func (*NamedKey) LargestValueDataSize ¶
func (*NamedKey) LargestValueNameSize ¶
func (*NamedKey) LastKeyWrittenDateAndTime ¶
func (*NamedKey) NumberOfSubKeys ¶
func (*NamedKey) NumberOfValues ¶
func (*NamedKey) NumberOfVolatileSubKeys ¶
func (*NamedKey) Parent ¶
func (k *NamedKey) Parent() *HiveBinCell
func (*NamedKey) ParentKeyOffset ¶
func (*NamedKey) SecurityKeyOffset ¶
func (*NamedKey) SubKeysListOffset ¶
func (*NamedKey) UnknownString ¶
func (*NamedKey) UnknownStringSize ¶
func (*NamedKey) ValuesListOffset ¶
type Regf ¶
type Regf struct {
// contains filtered or unexported fields
}
This spec allows to parse files used by Microsoft Windows family of
operating systems to store parts of its "registry". "Registry" is a hierarchical database that is used to store system settings (global configuration, per-user, per-application configuration, etc).
Typically, registry files are stored in:
* System-wide: several files in `%SystemRoot%\System32\Config\` * User-wide:
- `%USERPROFILE%\Ntuser.dat`
- `%USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat` (localized, Windows 2000, Server 2003 and Windows XP)
- `%USERPROFILE%\AppData\Local\Microsoft\Windows\Usrclass.dat` (non-localized, Windows Vista and later)
Note that one typically can't access files directly on a mounted filesystem with a running Windows OS.
func (*Regf) Decode ¶
func (k *Regf) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*Regf) Header ¶
func (k *Regf) Header() (value *FileHeader)
type RiItem ¶
type RiItem struct {
// contains filtered or unexported fields
}
func (*RiItem) Decode ¶
func (k *RiItem) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*RiItem) Parent ¶
func (k *RiItem) Parent() *SubKeyListRi
func (*RiItem) SubKeyListOffset ¶
type SubKeyListLhLf ¶
type SubKeyListLhLf struct {
// contains filtered or unexported fields
}
func (*SubKeyListLhLf) Count ¶
func (k *SubKeyListLhLf) Count() (value uint16)
func (*SubKeyListLhLf) Decode ¶
func (k *SubKeyListLhLf) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*SubKeyListLhLf) Items ¶
func (k *SubKeyListLhLf) Items() (value []LhLfItem)
func (*SubKeyListLhLf) Parent ¶
func (k *SubKeyListLhLf) Parent() *HiveBinCell
func (*SubKeyListLhLf) Root ¶
func (k *SubKeyListLhLf) Root() *Regf
type SubKeyListLi ¶
type SubKeyListLi struct {
// contains filtered or unexported fields
}
func (*SubKeyListLi) Count ¶
func (k *SubKeyListLi) Count() (value uint16)
func (*SubKeyListLi) Decode ¶
func (k *SubKeyListLi) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*SubKeyListLi) Items ¶
func (k *SubKeyListLi) Items() (value []LiItem)
func (*SubKeyListLi) Parent ¶
func (k *SubKeyListLi) Parent() *HiveBinCell
func (*SubKeyListLi) Root ¶
func (k *SubKeyListLi) Root() *Regf
type SubKeyListRi ¶
type SubKeyListRi struct {
// contains filtered or unexported fields
}
func (*SubKeyListRi) Count ¶
func (k *SubKeyListRi) Count() (value uint16)
func (*SubKeyListRi) Decode ¶
func (k *SubKeyListRi) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*SubKeyListRi) Items ¶
func (k *SubKeyListRi) Items() (value []RiItem)
func (*SubKeyListRi) Parent ¶
func (k *SubKeyListRi) Parent() *HiveBinCell
func (*SubKeyListRi) Root ¶
func (k *SubKeyListRi) Root() *Regf
type SubKeyListSk ¶
type SubKeyListSk struct {
// contains filtered or unexported fields
}
func (*SubKeyListSk) Decode ¶
func (k *SubKeyListSk) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*SubKeyListSk) NextSecurityKeyOffset ¶
func (k *SubKeyListSk) NextSecurityKeyOffset() (value uint32)
func (*SubKeyListSk) Parent ¶
func (k *SubKeyListSk) Parent() *HiveBinCell
func (*SubKeyListSk) PreviousSecurityKeyOffset ¶
func (k *SubKeyListSk) PreviousSecurityKeyOffset() (value uint32)
func (*SubKeyListSk) ReferenceCount ¶
func (k *SubKeyListSk) ReferenceCount() (value uint32)
func (*SubKeyListSk) Root ¶
func (k *SubKeyListSk) Root() *Regf
func (*SubKeyListSk) Unknown1 ¶
func (k *SubKeyListSk) Unknown1() (value uint16)
type SubKeyListVk ¶
type SubKeyListVk struct {
// contains filtered or unexported fields
}
func (*SubKeyListVk) DataOffset ¶
func (k *SubKeyListVk) DataOffset() (value uint32)
func (*SubKeyListVk) DataSize ¶
func (k *SubKeyListVk) DataSize() (value uint32)
func (*SubKeyListVk) DataType ¶
func (k *SubKeyListVk) DataType() (value uint32)
func (*SubKeyListVk) Decode ¶
func (k *SubKeyListVk) Decode(reader io.ReadSeeker, ancestors ...interface{}) (err error)
func (*SubKeyListVk) Flags ¶
func (k *SubKeyListVk) Flags() (value uint16)
func (*SubKeyListVk) Padding ¶
func (k *SubKeyListVk) Padding() (value uint16)
func (*SubKeyListVk) Parent ¶
func (k *SubKeyListVk) Parent() *HiveBinCell
func (*SubKeyListVk) Root ¶
func (k *SubKeyListVk) Root() *Regf
func (*SubKeyListVk) ValueName ¶
func (k *SubKeyListVk) ValueName() (value []byte)
func (*SubKeyListVk) ValueNameSize ¶
func (k *SubKeyListVk) ValueNameSize() (value uint16)
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.