// hivex.cpp : Defines the entry point for the console application.
//
#include "hivex/hivex.h"
#include "extras/hashnodes.h"
#include "extras/printnode.h"
#include "extras/findnode.h"
#include "extras/sha1.h"
#include <cstdio>
#include <string>
// Running count of bytes fed to the SHA-1 context by hasher(); reported by main().
int total_len{0};
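// Callback handed to hashenumerate(): feeds one chunk of hive data into the
// SHA-1 context passed through `ctx` and adds its length to total_len.
//   ctx   - opaque pointer supplied by the enumerator; main() passes &sha1,
//           so it is really a sha1::SHA1* (must not be null).
//   in    - bytes to hash
//   inlen - number of bytes in `in`
void hasher(void *ctx, const unsigned char *in, unsigned long inlen)
{
    // void* -> T* is a static_cast, not a C-style cast: intent is explicit and greppable.
    auto* sha = static_cast<sha1::SHA1*>(ctx);
    sha->processBytes(in, inlen);
    // NOTE(review): total_len is int while inlen is unsigned long; very large
    // hives would wrap the counter. Widening it requires changing the "%d"
    // format in main() as well.
    total_len += inlen;
}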
/*
Example of how to get a sample BCD hive exported:
# on Windows run:
> bcdedit /export "test.bcd"
# copy test.bcd to program folder and run:
> hivex test.bcd
*/
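// Entry point: opens the hive named by argv[1] (default "test.bcd"), prints a
// looked-up key and the root tree, then prints a SHA-1 digest over all nodes
// (via hashenumerate/hasher) plus the total number of bytes hashed.
// Returns 0 on success, 1 when the hive cannot be opened.
int main(int argc, const char** argv)
{
    printf("argc: %d\n", argc);
    // argv[1] is untrusted and of arbitrary length: keep it in a std::string
    // rather than strcpy()ing it into a fixed 1024-byte stack buffer, which
    // overflowed for any path longer than 1023 characters.
    const std::string filename = (argc > 1) ? argv[1] : "test.bcd"; // default
    // lets get a digest for all entities in the hive (testing cross-platform/ cross)
    sha1::SHA1 sha1;
    hive_h* hive = hivex_open(filename.c_str(), 0);
    if (hive == nullptr)
    {
        // Open failed (no path given, file missing, or not a hive): show usage.
        // argv[0] may be null when argc == 0, so fall back to the program name.
        printf("usage:\n %s <path>\n", argc > 0 ? argv[0] : "hivex");
        return 1; // non-zero so scripts can tell failure from success
    }
    hive_node_h root = hivex_root(hive);
    // find a node and print it
    auto node = findkey(hive, root, "NewStoreRoot\\Objects\\{4662f11f-cbc8-11ea-b16f-b995a37ba28c}");
    if (node)
    {
        printf("print key\n");
        printnode(hive, node);
    }
    // print root node and its children
    printnode(hive, root, true);
    // hash all nodes -> hash(size+key+value);
    hashenumerate(hasher, &sha1, hive, root);
    hivex_close(hive);
    sha1::SHA1::digest8_t digest;
    sha1.getDigestBytes(digest);
    printf("\n------------------------------------------------\n");
    printf("hash: ");
    // A SHA-1 digest is 20 bytes; print it as lowercase hex.
    for (int i = 0; i < 20; ++i)
    {
        printf("%02x", digest[i]);
    }
    printf("\n");
    printf("totalLen: %d\n", total_len);
    printf("\n");
    return 0;
}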