update to use binary reader convenience

methods more

Author: brandonprry

ch11_reading_offline_hives/NodeKey.cs

@@ -44,24 +44,24 @@ private void ReadNodeStructure(BinaryReader hive) {
 
 			hive.BaseStream.Position += 4; 
 
-			this.ParentOffset = BitConverter.ToInt32(hive.ReadBytes (4),0);
-			this.SubkeysCount = BitConverter.ToInt32(hive.ReadBytes (4),0);
+			this.ParentOffset = hive.ReadInt32 ();
+			this.SubkeysCount = hive.ReadInt32();
 
 			hive.BaseStream.Position += 4;
 
-			this.LFRecordOffset = BitConverter.ToInt32(hive.ReadBytes (4),0);
+			this.LFRecordOffset = hive.ReadInt32 ();
 
 			hive.BaseStream.Position += 4;
 
-			this.ValuesCount = BitConverter.ToInt32(hive.ReadBytes (4),0);
-			this.ValueListOffset = BitConverter.ToInt32(hive.ReadBytes (4),0);
-			this.SecurityKeyOffset = BitConverter.ToInt32(hive.ReadBytes (4),0);
-			this.ClassnameOffset = BitConverter.ToInt32(hive.ReadBytes (4),0);
+			this.ValuesCount = hive.ReadInt32 ();
+			this.ValueListOffset = hive.ReadInt32 ();
+			this.SecurityKeyOffset = hive.ReadInt32 ();
+			this.ClassnameOffset = hive.ReadInt32 ();
 
-			hive.BaseStream.Position += (startingOffset + 0x0044) - hive.BaseStream.Position;
+			hive.BaseStream.Position += (startingOffset + 68) - hive.BaseStream.Position;
 
-			this.NameLength = BitConverter.ToInt16(hive.ReadBytes (2),0);
-			this.ClassnameLength = BitConverter.ToInt16(hive.ReadBytes (2),0);
+			this.NameLength = hive.ReadInt16 ();
+			this.ClassnameLength = hive.ReadInt16 ();
 
 			buf = hive.ReadBytes(this.NameLength);
 			this.Name = System.Text.Encoding.UTF8.GetString(buf);
@@ -77,11 +77,11 @@ private void ReadChildrenNodes(BinaryReader hive) {
 
 				//ri
 				if (buf [0] == 0x72 && buf [1] == 0x69) {
-					int count = BitConverter.ToInt16(hive.ReadBytes(2),0);
+					int count = hive.ReadInt16 ();
 
 					for (int i = 0; i < count; i++) {
 						long pos = hive.BaseStream.Position;
-						int offset = BitConverter.ToInt32 (hive.ReadBytes (4), 0);
+						int offset = hive.ReadInt32 ();
 						hive.BaseStream.Position =  4096 + offset + 4;
 						buf = hive.ReadBytes(2);
 
@@ -102,13 +102,13 @@ private void ReadChildrenNodes(BinaryReader hive) {
 		}
 
 		private void ParseChildNodes(BinaryReader hive){
-			int count = BitConverter.ToInt16(hive.ReadBytes(2),0);
+			int count = hive.ReadInt16 ();
 			long topOfList = hive.BaseStream.Position;
 
 			for (int i = 0; i < count; i++)
 			{
 				hive.BaseStream.Position = topOfList + (i*8);
-				int newoffset = BitConverter.ToInt32(hive.ReadBytes(4),0);
+				int newoffset = hive.ReadInt32 ();
 				hive.BaseStream.Position += 4;
 				//byte[] check = hive.ReadBytes(4);
 				hive.BaseStream.Position = 4096 + newoffset + 4;
@@ -128,7 +128,7 @@ private void ReadChildValues(BinaryReader hive) {
 				for (int i = 0; i < this.ValuesCount; i++)
 				{
 					hive.BaseStream.Position = 4096 + this.ValueListOffset + 4 + (i*4);
-					int offset = BitConverter.ToInt32(hive.ReadBytes(4), 0);
+					int offset = hive.ReadInt32 ();
 					hive.BaseStream.Position = 4096 + offset + 4;
 					this.ChildValues.Add(new ValueKey(hive));
 				}

ch11_reading_offline_hives/RegistryHive.cs

@@ -23,12 +23,15 @@ public RegistryHive(string file)
 
 					reader.ReadBytes(8);
 					buf = reader.ReadBytes(8);
-					
-					long timestamp = BitConverter.ToInt64(buf, 0);
+					//Array.Reverse(buf);
+					long timestamp = BitConverter.ToInt64 (buf, 0);
+					//long timestamp = reader.ReadInt64 ();
+					DateTime time = DateTime.FromBinary (timestamp);
+
 					this.WasExported = (timestamp == 0) ? true : false;
 
 					//fast-forward
-					reader.BaseStream.Position += (0x1000 + 0x20 + 4)-reader.BaseStream.Position;
+					reader.BaseStream.Position += (4096 + 32 + 4)-reader.BaseStream.Position;
 
 					this.RootKey = new NodeKey(reader);
 				}

ch11_reading_offline_hives/ValueKey.cs

@@ -13,10 +13,9 @@ public ValueKey (BinaryReader hive)
 			if (buf[0] != 0x76 && buf[1] != 0x6b)
 				throw new NotSupportedException("Bad vk header");
 
-			buf = hive.ReadBytes(2);
-			
-			this.NameLength = BitConverter.ToInt16(buf,0);
-			this.DataLength = BitConverter.ToInt32(hive.ReadBytes(4),0);
+			this.NameLength = hive.ReadInt16();
+			this.DataLength = hive.ReadInt32 ();
+			//this.DataLength = BitConverter.ToInt32(hive.ReadBytes(4),0);
 
 			byte[] databuf = hive.ReadBytes(4);
 
@@ -30,7 +29,7 @@ public ValueKey (BinaryReader hive)
 				this.Data = databuf;
 			else
 			{
-				hive.BaseStream.Position = 0x1000 + BitConverter.ToInt32(databuf, 0) + 0x04;
+				hive.BaseStream.Position = 4096 + BitConverter.ToInt32 (databuf, 0) + 4;
 				this.Data = hive.ReadBytes(this.DataLength);
 			}
 		}

ch11_reading_offline_hives/ch11_reading_offline_hives.csproj

@@ -16,8 +16,9 @@
     <DefineConstants>DEBUG;</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
-    <Externalconsole>true</Externalconsole>
     <PlatformTarget>x86</PlatformTarget>
+    <Commandlineparameters>/Users/bperry/system.hive</Commandlineparameters>
+    <ConsolePause>false</ConsolePause>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|x86' ">
     <DebugType>full</DebugType>