File: RegParser.h

/*
** The Sleuth Kit
**
** Brian Carrier [carrier <at> sleuthkit [dot] org]
** Copyright (c) 2010-2019 Brian Carrier.  All Rights reserved
**
** This software is distributed under the Common Public License 1.0
**
*/

#pragma once

#include "rejistry++\include\librejistry++.h"
#include "RegHiveType.h"
#include "tsk/tsk_tools_i.h"
#include "RegKey.h"
#include "RegVal.h"

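 /**
  * RegParser - a registry parser that uses the Rejistry++ library to search
  * the registry for keys/values.
  *
  * Every query returns an int status and delivers its result through a
  * reference out-parameter. The meaning of the status codes is defined in the
  * implementation file, not in this header.
  *
  * NOTE(review): hives are loaded from a TSK_FS_FILE, i.e. from the file
  * system under examination, so their contents should be treated as
  * untrusted input. Callers should check the returned status before reading
  * any out-parameter.
  *
  * Copying is disabled: the object holds raw pointers to the loaded hive and
  * its root key.
  */
class RegParser {
public:
    // Construct a parser for the given hive type.
    // NOTE(review): whether a hive is loaded at this point is not visible in
    // this header - confirm against the implementation.
    RegParser(const RegHiveType::Enum aHiveType);

    // Construct a parser from a path.
    // NOTE(review): presumably the path of a hive file on disk - confirm.
    RegParser(const std::wstring &filePath);

    // Virtual because the class exposes virtual member functions: destroying a
    // derived parser through a RegParser pointer is undefined behaviour with a
    // non-virtual destructor.
    virtual ~RegParser();

    // Load the hive of the given type from a Sleuth Kit file handle.
    virtual int loadHive(TSK_FS_FILE *aHiveFile, RegHiveType::Enum aHiveType);

    // get the root key
    virtual int getRootKey(RegKey &aKey);

    // get the subkey for the given key name
    virtual int getKey(const std::wstring &keyName, RegKey &aKey);

    // returns all subkeys of given key, either as names or as RegKey objects
    // NOTE(review): ownership of the RegKey pointers placed in subKeysList is
    // not expressed by the types - presumably the caller must release them;
    // confirm against the implementation.
    virtual int getSubKeys(const std::wstring &keyName, std::vector<std::wstring> &subKeysList);
    virtual int getSubKeys(const std::wstring &keyName, std::vector<RegKey *> &subKeysList);

    // return the data for the given named value; the second overload resolves
    // subpathName relative to startKey
    virtual int getValue(const std::wstring &keyName, const std::wstring &valName, RegVal &val);
    virtual int getValue(const RegKey *startKey, const std::wstring &subpathName, const std::wstring &valName, RegVal &val);

    // return all values for the given key; the second overload resolves
    // subpathName relative to startKey
    // NOTE(review): ownership of the RegVal pointers placed in valList is not
    // expressed by the types - confirm who releases them.
    virtual int getValues(const std::wstring &keyName, std::vector<RegVal *> &valList);
    virtual int getValues(const RegKey *startKey, const std::wstring &subpathName, std::vector<RegVal *> &valList);

private:
    // Raw pointers into the Rejistry++ object model.
    // NOTE(review): presumably owned by this object and released in the
    // destructor - confirm.
    Rejistry::RegistryHive *m_registryHive;
    Rejistry::RegistryKey *m_rootKey;

    // Split a key name into its path components.
    std::vector<std::wstring> splitKeyName(const std::wstring &keyName) const;

    // Locate a key by name. startingKey defaults to a null pointer.
    // NOTE(review): a null startingKey presumably means "search from the
    // root key" - confirm.
    const Rejistry::RegistryKey *findKey(const std::wstring &keyName, const Rejistry::RegistryKey *startingKey = nullptr) const;

    RegParser() = delete;
    RegParser(const RegParser &) = delete;
    RegParser& operator=(const RegParser&) = delete;
};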