Changeset 268 for trunk/python/pyregfi


Timestamp:
07/10/11 14:09:35 (13 years ago)
Author:
tim
Message:

fixed some problems interpreting key/value names

Location:
trunk/python/pyregfi
Files:
2 edited

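--- a/trunk/python/pyregfi/__init__.py
+++ b/trunk/python/pyregfi/__init__.py
@@ -514,4 +514,7 @@
     name = "..."
    
+    ## The string encoding used to store the Key's name ("ascii" or "utf-16-le")
+    name_encoding = "ascii"
+
     ## The absolute file offset of the Key record's cell in the Hive file
     offset = 0xCAFEBABE
@@ -535,12 +538,20 @@
             if not ret_val:
                 ret_val = self.name_raw
+                if ret_val != None:
+                    ret_val = ret_val.decode(self.name_encoding, 'replace')
             else:
                 ret_val = ret_val.decode('utf-8', 'replace')
                
+        elif name == "name_encoding":
+            flags = super(Key, self).__getattr__("flags")
+            if (flags & structures.REGFI_NK_FLAG_ASCIINAME) > 0:
+                ret_val = "ascii"
+            ret_val = "utf-16-le"
+
         elif name == "name_raw":
             ret_val = super(Key, self).__getattr__(name)
             length = super(Key, self).__getattr__('name_length')
             ret_val = _buffer2bytearray(ret_val, length)
-       
+
         elif name == "modified":
             ret_val = regfi.regfi_nt2unix_time(self._base.contents.mtime)
@@ -617,4 +628,7 @@
     name = "..."
    
+    ## The string encoding used to store the Value's name ("ascii" or "utf-16-le")
+    name_encoding = "ascii"
+
     ## The absolute file offset of the Value record's cell in the Hive file
     offset = 0xCAFEBABE
@@ -702,6 +716,14 @@
             if not ret_val:
                 ret_val = self.name_raw
+                if ret_val != None:
+                    ret_val = ret_val.decode(self.name_encoding, 'replace')
             else:
                 ret_val = ret_val.decode('utf-8', 'replace')
+
+        elif name == "name_encoding":
+            flags = super(Key, self).__getattr__("flags")
+            if (flags & structures.REGFI_VK_FLAG_ASCIINAME) > 0:
+                ret_val = "ascii"
+            ret_val = "utf-16-le"
 
         elif name == "name_raw":
@@ -1106,10 +1128,10 @@
     def current_path(self):
         ancestry = self.ancestry()
-        return [str(a.name) for a in ancestry]
+        return [a.name for a in ancestry]
 
 
 # Freeing symbols defined for the sake of documentation
-del Value.name,Value.name_raw,Value.offset,Value.data_size,Value.type,Value.flags
-del Key.name,Key.name_raw,Key.offset,Key.modified,Key.flags
+del Value.name,Value.name_encoding,Value.name_raw,Value.offset,Value.data_size,Value.type,Value.flags
+del Key.name,Key.name_encoding,Key.name_raw,Key.offset,Key.modified,Key.flags
 del Hive.root,Hive.modified,Hive.sequence1,Hive.sequence2,Hive.major_version,Hive.minor_version
 del Security.ref_count,Security.offset,Security.descriptor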
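Review bot: In both new `name_encoding` branches (the one testing `REGFI_NK_FLAG_ASCIINAME` and the one testing `REGFI_VK_FLAG_ASCIINAME`), `ret_val = "utf-16-le"` sits at the same indent as the `if`, so it overwrites the `"ascii"` result and the branch always yields UTF-16LE; the assignment needs an `else:` in front of it. Because the raw-name fallback decodes with `'replace'`, an ASCII-flagged name comes back as silently wrong text rather than an error, which matters when key or value names are matched during hive analysis. The second copy also calls `super(Key, self).__getattr__("flags")`; if that branch lives in `Value.__getattr__` (the enclosing class starts outside the hunk), it should read `super(Value, self)`. As a style point, `ret_val != None` is better written `ret_val is not None`.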
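--- a/trunk/python/pyregfi/structures.py
+++ b/trunk/python/pyregfi/structures.py
@@ -35,4 +35,7 @@
 REGFI_ENCODING = c_uint32
 REGFI_ENCODING_UTF8 = REGFI_ENCODING(1)
+
+REGFI_NK_FLAG_ASCIINAME = 0x0020
+REGFI_VK_FLAG_ASCIINAME = 0x0001
 
 REGFI_DATA_TYPE = c_uint32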
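Review bot: The two new flag constants are bare literals with no comment saying what they mark or where the values come from. A line such as `# Set in a key (NK) / value (VK) record's flags when its name is stored as ASCII rather than UTF-16LE` above them would document how `__init__.py` uses them. They presumably mirror definitions in the underlying C library, so the comment should also say which definitions they must be kept in step with.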