feat: user hives

ForensicRS · Nov 26, 2023 · dd4f9fa · dd4f9fa
1 parent 642661b
commit dd4f9fa
Show file tree

Hide file tree

Showing 15 changed files with 329 additions and 109 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 /target
 /Cargo.lock
-/.cargo
+/.cargo
+/.vscode
diff --git a/artifacts/C/Users/SuperSecretAdmin/NTUSER.DAT b/artifacts/C/Users/SuperSecretAdmin/NTUSER.DAT
diff --git a/artifacts/C/Windows/.gitignore b/artifacts/C/Windows/.gitignore
@@ -0,0 +1,2 @@
+SOFTWARE
+SYSTEM
diff --git a/artifacts/SAM b/artifacts/SAM
diff --git a/artifacts/SAM.LOG1 b/artifacts/SAM.LOG1
diff --git a/artifacts/SAM.LOG2 b/artifacts/SAM.LOG2
diff --git a/artifacts/SECURITY b/artifacts/SECURITY
diff --git a/artifacts/SECURITY.LOG1 b/artifacts/SECURITY.LOG1
diff --git a/artifacts/SECURITY.LOG2 b/artifacts/SECURITY.LOG2
diff --git a/src/cell.rs b/src/cell.rs
@@ -589,10 +589,28 @@ impl From<&KeyValueCellPacked> for KeyValueCell {
 impl InvalidCell {
     pub fn into_reg_sz_extended(&self) -> String {
         let s: &[u16] = unsafe { std::slice::from_raw_parts(self.content.as_ptr() as *const _, self.content.len()/2) };
-        String::from_utf16_lossy(s)
+        let first_zero = match s.iter().rev().position(|&v| v == 0) {
+            Some(v) => s.len() - v,
+            None => s.len()
+        };
+        let last_zero = match s[0..first_zero].iter().rev().position(|&v| v != 0) {
+            Some(v) => first_zero - v,
+            None => s.len()
+        };
+        let ret = String::from_utf16_lossy(&s[..last_zero]);
+        ret
     }
     pub fn into_reg_sz_ascii(&self) -> String {
-        String::from_utf8_lossy(&self.content).to_string()
+        let first_zero = match self.content.iter().rev().position(|&v| v == 0) {
+            Some(v) => self.content.len() - v,
+            None => self.content.len()
+        };
+        let last_zero = match self.content[0..first_zero].iter().rev().position(|&v| v != 0) {
+            Some(v) => first_zero - v,
+            None => self.content.len()
+        };
+        let ret = String::from_utf8_lossy(&self.content[..last_zero]).to_string();
+        ret
     }
     pub fn into_dword(&self) -> u32 {
         if self.content.len() != 4 {

diff --git a/src/cell_cache.rs b/src/cell_cache.rs
@@ -17,6 +17,7 @@ pub struct CachedCell {
 }
 
 impl CachedCell {
+    #[allow(unused)]
     pub fn new(cell : HiveCell) -> Self {
         Self {
             cell,

diff --git a/src/hive.rs b/src/hive.rs
@@ -304,7 +304,7 @@ pub fn read_cells(data : &[u8], bin_offset : u64) -> ForensicResult<Vec<HiveCell
         let cell_data = &data[offset..offset + cell_len];
         let cell = match read_cell(cell_data, bin_offset + offset as u64) {
             Ok(v) => v,
-            Err(e) => {
+            Err(_e) => {
                 offset = offset + cell_len;
                 continue;
             }
@@ -374,6 +374,57 @@ mod tst {
         let mut i = 0;
         let mut offset = 4096 + base_block.root_cell_offset as u64 - 32;
 
+        loop {
+            if offset >= base_block.hive_bins_data_size.into() {
+                break;
+            }
+            i = i+1;
+            sec_file.seek(std::io::SeekFrom::Start(offset)).unwrap();
+            let hive_bin = read_hive_bin_at_file_position(&mut sec_file).unwrap();
+            let cells = read_cells(&hive_bin.1, offset - 4064 - base_block.root_cell_offset as u64).unwrap();
+            println!("{:?}", cells);
+            offset += hive_bin.0.size as u64;
+        }
+    }
+
+    #[test]
+    #[ignore]
+    fn can_read_software_hive_data() {
+        init_tst();
+        let mut fs = init_virtual_fs();
+        let mut sec_file = read_software_hive(&mut fs);
+        let base_block = read_base_block(&mut sec_file).unwrap();
+        assert_no_notifications();
+        // Position to 4096 + offset -32 (header)
+
+        let mut i = 0;
+        let mut offset = 4096 + base_block.root_cell_offset as u64 - 32;
+
+        loop {
+            if offset >= base_block.hive_bins_data_size.into() {
+                break;
+            }
+            i = i+1;
+            sec_file.seek(std::io::SeekFrom::Start(offset)).unwrap();
+            let hive_bin = read_hive_bin_at_file_position(&mut sec_file).unwrap();
+            let cells = read_cells(&hive_bin.1, offset - 4064 - base_block.root_cell_offset as u64).unwrap();
+            println!("{:?}", cells);
+            offset += hive_bin.0.size as u64;
+        }
+    }
+
+    #[test]
+    fn can_read_supersecretadmin_hive_data() {
+        init_tst();
+        let mut fs = init_virtual_fs();
+        let mut sec_file = read_supersecretadmin_hive(&mut fs);
+        let base_block = read_base_block(&mut sec_file).unwrap();
+        assert_no_notifications();
+        // Position to 4096 + offset -32 (header)
+
+        let mut i = 0;
+        let mut offset = 4096 + base_block.root_cell_offset as u64 - 32;
+
         loop {
             if offset >= base_block.hive_bins_data_size.into() {
                 break;
-Original file line number
+Diff line change
@@ Expand Up / @@ -17,6 +17,7 @@ pub struct CachedCell { @@
     }
     impl CachedCell {
+        #[allow(unused)]
         pub fn new(cell : HiveCell) -> Self {
             Self {
                 cell,
@@ Expand Down @@