|
pyregfi
|
Registry value (metadata) More...
Public Member Functions | |
| def | fetch_data |
| Retrieves the Value's data according to advertised type. | |
| def | fetch_raw_data |
| Retrieves raw representation of Value's data. | |
Static Public Attributes | |
| tuple | name_raw = (b"...") |
| The raw Value name as an uninterpreted bytearray. | |
| string | name = "..." |
| The name of the Value as a (unicode) string. | |
| int | offset = 0xCAFEBABE |
| The absolute file offset of the Value record's cell in the Hive file. | |
| int | data_size = 0xCAFEBABE |
| The length of data advertised in the VK record. | |
| type = DATA_TYPES.NONE | |
| An integer which represents the data type for this Value's data Typically this value is one of 12 types defined in DATA_TYPES, but in some cases (the SAM hive) it may be used for other purposes. | |
| int | flags = 0x10110001 |
| The VK record's flags field. | |
Registry value (metadata)
These represent registry values (REGFI_VK records) and provide access to their associated data.
| def pyregfi.Value.fetch_data | ( | self | ) |
Retrieves the Value's data according to advertised type.
Data is loaded from its cell(s) and then interpreted based on the data type recorded in the Value. It is not uncommon for data to be stored with the wrong type or even with invalid types. If you have difficulty obtaining desired data here, use fetch_raw_data().
| string | for SZ, EXPAND_SZ, and LINK |
| int | for DWORD, DWORD_BE, and QWORD |
| list(string) | for MULTI_SZ |
| bytearray | for NONE, BINARY, RESOURCE_LIST, FULL_RESOURCE_DESCRIPTOR, and RESOURCE_REQUIREMENTS_LIST |
| def pyregfi.Value.fetch_raw_data | ( | self | ) |
Retrieves raw representation of Value's data.
1.7.4
