#windows-registry #registry #windows #forensics #cybersecurity #parser #security

frnsc-hive

Implements RegistryReader from forensic-rs to access the windows registry from Hive files

3 releases (breaking)

0.13.0 Apr 5, 2024
0.9.0 Feb 18, 2024
0.8.0 Feb 4, 2024

#1700 in Parser implementations

Download history (weekly): 140 @ 2024-02-17, 26 @ 2024-02-24, 3 @ 2024-03-02, 6 @ 2024-03-09, 1 @ 2024-03-16, 109 @ 2024-03-30, 52 @ 2024-04-06, 1 @ 2024-04-13

135 downloads per month

MIT license

135KB
3K SLoC

Hive Reader [Alpha]


Opens Windows registry hive files for forensic purposes. Uses the ForensicRs framework.

Status

Still not usable; work in progress.

Registry file format reference: https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md

Working with Hives

```rust
// Imports are not shown in the original snippet; the paths below are assumed:
// the RegistryReader trait and the RegHiveKey/RegValue/HKLM types come from
// forensic-rs, the reader itself from this crate.
use forensic_rs::prelude::*;
use frnsc_hive::HiveRegistryReader;

let mut reader = HiveRegistryReader::new();
// Add a registry key extracted from a REG file
reader.add_reg_key(r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System", r"Identifier", RegValue::SZ(r"AT/AT COMPATIBLE".into()));
// Now the key is mounted and can be accessed as if it lived in a Hive
let key = reader.open_key(HKLM, r"HARDWARE\DESCRIPTION\System").unwrap();
assert_eq!(RegHiveKey::Hkey(1407374883553280), key); // Cache -1 and type 5 => Mounted
assert_eq!(RegValue::SZ(r"AT/AT COMPATIBLE".into()), reader.read_value(key, "Identifier").unwrap());
reader.close_key(key);
```
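The snippet above mounts a key from a REG file; reading a real hive means parsing the on-disk format described in the regf specification linked under Status. The following is an added, stand-alone example (not frnsc-hive's or forensic-rs's code) that parses the 4096-byte base block, verifies its XOR-32 checksum, flags a hive whose primary and secondary sequence numbers disagree (it was not flushed cleanly, so the .LOG1/.LOG2 transaction logs must be replayed before its contents are trusted), and walks the hive bins to enumerate allocated and free cells. The layout offsets follow the specification; `build_sample_hive` constructs a minimal two-page hive in memory so the example runs offline, and the names `BaseBlock`, `Cell`, `HiveError`, `parse_base_block` and `walk_cells` are this example's own.

```rust
// Added example: minimal regf base-block and hive-bin parser written against the
// regf specification. Illustrative code, not frnsc-hive's implementation.
pub const BASE_BLOCK_SIZE: usize = 4096;
pub const HBIN_SIZE: usize = 4096;
pub const HBIN_HEADER_SIZE: usize = 32;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct BaseBlock {
    pub primary_seq: u32,
    pub secondary_seq: u32,
    pub last_written: u64,     // FILETIME
    pub major: u32,
    pub minor: u32,
    pub file_type: u32,        // 0 = primary file
    pub root_cell_offset: u32, // relative to the start of the hive bins data
    pub hive_bins_size: u32,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Cell {
    pub offset: usize, // absolute file offset of the cell's size field
    pub size: usize,
    pub allocated: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum HiveError {
    TooShort(usize),
    BadSignature([u8; 4]),
    BadChecksum { stored: u32, computed: u32 },
    BadHbin(usize),
    BadCell(usize),
}

fn u32_at(buf: &[u8], off: usize) -> u32 {
    u32::from_le_bytes([buf[off], buf[off + 1], buf[off + 2], buf[off + 3]])
}

/// XOR-32 over the first 508 bytes, with the spec's two reserved results remapped.
pub fn base_block_checksum(buf: &[u8]) -> u32 {
    let mut sum = 0u32;
    for off in (0..508).step_by(4) {
        sum ^= u32_at(buf, off);
    }
    match sum { 0xFFFF_FFFF => 0xFFFF_FFFE, 0 => 1, s => s }
}

pub fn parse_base_block(buf: &[u8]) -> Result<BaseBlock, HiveError> {
    if buf.len() < BASE_BLOCK_SIZE { return Err(HiveError::TooShort(buf.len())); }
    if &buf[0..4] != b"regf" { return Err(HiveError::BadSignature([buf[0], buf[1], buf[2], buf[3]])); }
    let (stored, computed) = (u32_at(buf, 508), base_block_checksum(buf));
    if stored != computed { return Err(HiveError::BadChecksum { stored, computed }); }
    let mut ts = [0u8; 8];
    ts.copy_from_slice(&buf[12..20]);
    Ok(BaseBlock {
        primary_seq: u32_at(buf, 4), secondary_seq: u32_at(buf, 8),
        last_written: u64::from_le_bytes(ts),
        major: u32_at(buf, 20), minor: u32_at(buf, 24), file_type: u32_at(buf, 28),
        root_cell_offset: u32_at(buf, 36), hive_bins_size: u32_at(buf, 40),
    })
}

impl BaseBlock {
    /// Sequence numbers differ when the last write was interrupted: replay the logs first.
    pub fn is_dirty(&self) -> bool { self.primary_seq != self.secondary_seq }
}

/// Walk every hbin and list its cells; negative cell size = allocated, positive = free.
pub fn walk_cells(buf: &[u8], bb: &BaseBlock) -> Result<Vec<Cell>, HiveError> {
    let end = BASE_BLOCK_SIZE.saturating_add(bb.hive_bins_size as usize).min(buf.len());
    let (mut cells, mut pos) = (Vec::new(), BASE_BLOCK_SIZE);
    while pos + HBIN_HEADER_SIZE <= end {
        let (bin_off, bin_size) = (u32_at(buf, pos + 4) as usize, u32_at(buf, pos + 8) as usize);
        // The header stores the bin's own offset; a mismatch, a zero/unaligned size or a
        // size running past the end means corruption (or a malformed input), so stop.
        if &buf[pos..pos + 4] != b"hbin" || bin_off != pos - BASE_BLOCK_SIZE
            || bin_size == 0 || bin_size % HBIN_SIZE != 0 || pos + bin_size > end {
            return Err(HiveError::BadHbin(pos));
        }
        let bin_end = pos + bin_size;
        let mut cur = pos + HBIN_HEADER_SIZE;
        while cur + 4 <= bin_end {
            let raw = u32_at(buf, cur) as i32;
            let size = raw.unsigned_abs() as usize;
            // Cells are 8-byte multiples; a zero size would otherwise loop forever.
            if size < 8 || size % 8 != 0 || cur + size > bin_end { return Err(HiveError::BadCell(cur)); }
            cells.push(Cell { offset: cur, size, allocated: raw < 0 });
            cur += size;
        }
        pos = bin_end;
    }
    Ok(cells)
}

/// Constructed sample: one base block plus one hbin holding an allocated 96-byte cell and one free cell.
pub fn build_sample_hive(primary_seq: u32, secondary_seq: u32) -> Vec<u8> {
    let mut buf = vec![0u8; BASE_BLOCK_SIZE + HBIN_SIZE];
    buf[0..4].copy_from_slice(b"regf");
    buf[4..8].copy_from_slice(&primary_seq.to_le_bytes());
    buf[8..12].copy_from_slice(&secondary_seq.to_le_bytes());
    buf[20..24].copy_from_slice(&1u32.to_le_bytes());    // major version
    buf[24..28].copy_from_slice(&5u32.to_le_bytes());    // minor version
    buf[32..36].copy_from_slice(&1u32.to_le_bytes());    // file format: direct memory load
    buf[36..40].copy_from_slice(&0x20u32.to_le_bytes()); // root cell = first cell of first hbin
    buf[40..44].copy_from_slice(&(HBIN_SIZE as u32).to_le_bytes());
    let sum = base_block_checksum(&buf);
    buf[508..512].copy_from_slice(&sum.to_le_bytes());
    let h = BASE_BLOCK_SIZE;
    buf[h..h + 4].copy_from_slice(b"hbin");
    buf[h + 8..h + 12].copy_from_slice(&(HBIN_SIZE as u32).to_le_bytes());
    let c = h + HBIN_HEADER_SIZE;
    buf[c..c + 4].copy_from_slice(&(-96i32).to_le_bytes()); // allocated cell
    buf[c + 4..c + 6].copy_from_slice(b"nk");
    let f = c + 96;
    buf[f..f + 4].copy_from_slice(&((HBIN_SIZE - HBIN_HEADER_SIZE - 96) as i32).to_le_bytes()); // free cell
    buf
}

fn main() {
    let hive = build_sample_hive(5, 5);
    let bb = parse_base_block(&hive).expect("valid base block");
    println!("regf v{}.{} dirty={} root cell @ +{:#x}", bb.major, bb.minor, bb.is_dirty(), bb.root_cell_offset);
    for c in walk_cells(&hive, &bb).expect("valid hive bins") {
        println!("cell @ {:#x} size {} {}", c.offset, c.size, if c.allocated { "allocated" } else { "free" });
    }
}
```

On a hive pulled from a live system or a disk image, `is_dirty()` returning true is the normal case rather than the exception: the base block's sequence numbers and checksum are what tell a parser whether the primary file alone is authoritative, and a reader that skips these checks will silently return stale or partially written keys.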

Dependencies

~350–590KB
~13K SLoC