Struct nt_hive2::Hive

pub struct Hive<B, S>
where
    B: BinReaderExt,
    S: HiveStatus,
{
    pub data: MemOverlay<B>,
    /* private fields */
}

Represents a registry hive file.

Because most offsets in a registry hive file are relative to the start of the hive bins data, this struct provides a own Seek and Read implementation, which can work directly with those kinds of offsets. You don’t know where the hive bins data starts, because Hive knows it (this information is stored in the hive base block). To parse data from within the hive bins data, use Hive as reader and use offsets read from the hive data structures.

The structure of hive files is documented at https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md#format-of-primary-files

Fields

data: MemOverlay<B>

Implementations

impl<B, S> Hive<B, S>

where B: BinReaderExt, S: HiveStatus,

pub fn new(data: B, parse_mode: HiveParseMode) -> BinResult<Self>

creates a new Hive object. This includes parsing the HiveBaseBlock and determining the start of the hive bins data.

pub fn write_baseblock<W: Write>(&self, writer: &mut W) -> Result<()>

write the baseblock to some writer

This method ignores any patches to the base block which might be introduced by log files, because the apply_transaction_log() method takes care of the base block and handles all necessary changes

pub fn is_checksum_valid(&self) -> Option<bool>

impl<B> Hive<B, DirtyHive>

where B: BinReaderExt,

pub fn treat_hive_as_clean(self) -> Hive<B, CleanHive>

pub fn apply_transaction_log( &mut self, log: TransactionLogsEntry ) -> ApplicationResult

impl<B> Hive<B, CleanHive>

where B: BinReaderExt,

pub fn is_primary_file(&self) -> bool

pub fn enum_subkeys( &mut self, callback: fn(_: &mut Self, _: &KeyNode) -> BinResult<()> ) -> BinResult<()>

Is this really needed???

pub fn root_key_node(&mut self) -> BinResult<KeyNode>

returns the root key of this registry hive file

pub fn read_structure<T>(&mut self, offset: Offset) -> BinResult<T>

where T: BinRead<Args = ()> + From<Cell<T, ()>>,

reads a data structure from the given offset. Read the documentation of Cell for a detailled discussion

Usage

use nt_hive2::*;

let my_node: KeyNodeWithMagic = hive.read_structure(offset)?;

pub fn data_offset(&self) -> u32

returns the start of the hive bins data

pub fn root_cell_offset(&self) -> Offset

returns the offset of the root cell

pub fn find_root_celloffset(self) -> Option<Offset>

pub fn reset_cursor(&mut self) -> Result<()>

pub fn hivebins(self) -> impl Iterator<Item = HiveBin<B>>

pub fn data_size(&self) -> u32

Trait Implementations

impl<B, S> BaseBlock for Hive<B, S>

where B: BinReaderExt, S: HiveStatus,

fn base_block(&self) -> Option<&HiveBaseBlock>

impl<B> ContainsHive<B> for Hive<B, DirtyHive>

where B: BinReaderExt,

fn with_transaction_log( self, log: TransactionLog ) -> Result<HiveWithLogs<B, Self>>

impl<B, S> Debug for Hive<B, S>

where B: BinReaderExt + Debug, S: HiveStatus + Debug,

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<B> Read for Hive<B, CleanHive>

where B: BinReaderExt,

fn read(&mut self, buf: &mut [u8]) -> Result<usize>

Pull some bytes from this source into the specified buffer, returning how many bytes were read.

fn read_vectored(&mut self, bufs: &mut [IoSliceMut<'_>]) -> Result<usize, Error>

Like read, except that it reads into a slice of buffers.

fn is_read_vectored(&self) -> bool

🔬This is a nightly-only experimental API. (can_vector)

Determines if this Reader has an efficient read_vectored implementation.

fn read_to_end(&mut self, buf: &mut Vec<u8>) -> Result<usize, Error>

Read all bytes until EOF in this source, placing them into buf.

fn read_to_string(&mut self, buf: &mut String) -> Result<usize, Error>

Read all bytes until EOF in this source, appending them to buf.

fn read_exact(&mut self, buf: &mut [u8]) -> Result<(), Error>

Read the exact number of bytes required to fill buf.

fn read_buf(&mut self, buf: BorrowedCursor<'_>) -> Result<(), Error>

🔬This is a nightly-only experimental API. (read_buf)

Pull some bytes from this source into the specified buffer.

fn read_buf_exact(&mut self, cursor: BorrowedCursor<'_>) -> Result<(), Error>

🔬This is a nightly-only experimental API. (read_buf)

Read the exact number of bytes required to fill cursor.

fn by_ref(&mut self) -> &mut Self

where Self: Sized,

Creates a “by reference” adaptor for this instance of Read.

fn bytes(self) -> Bytes<Self>

where Self: Sized,

Transforms this Read instance to an Iterator over its bytes.

fn chain<R>(self, next: R) -> Chain<Self, R>

where R: Read, Self: Sized,

Creates an adapter which will chain this stream with another.

fn take(self, limit: u64) -> Take<Self>

where Self: Sized,

Creates an adapter which will read at most limit bytes from it.

impl<B> Seek for Hive<B, CleanHive>

where B: BinReaderExt,

This Seek implementation hides the base block, because the offsets used in hive files are relative to the end of the base block.

If you want to read the base block, don’t use seek() and read(), but write_baseblock() instead

fn seek(&mut self, pos: SeekFrom) -> Result<u64>

Seek to an offset, in bytes, in a stream.

fn rewind(&mut self) -> Result<(), Error>

Rewind to the beginning of a stream.

fn stream_len(&mut self) -> Result<u64, Error>

🔬This is a nightly-only experimental API. (seek_stream_len)

Returns the length of this stream (in bytes).

fn stream_position(&mut self) -> Result<u64, Error>

Returns the current seek position from the start of the stream.

fn seek_relative(&mut self, offset: i64) -> Result<(), Error>

🔬This is a nightly-only experimental API. (seek_seek_relative)

Seeks relative to the current position.