EricZimmerman / Registry

Full featured, offline Registry parser in C#
MIT License

Support for containerized registry hives? #23

Closed mickderks closed 1 year ago

mickderks commented 1 year ago

I've been dealing with Windows-based Docker containers. These basically use registry hive layers for each container image layer to support changes to the registry for individual layers, with the eventual container having a final registry to deal with.

While trying to diff containers I was dealing with the registry hives for individual container image layers, and was hoping I could use this library to inspect them. Unfortunately, right now loading (the final layer's) hives seems to be missing the root element, so I can only assume there's no support for these kinds of hive files.

Getting an example hive file can be done by getting a windows-based container image, saving its contents, and inspecting the resulting .tar files.

If you have a working Docker for Windows install, it's fairly easy to make an example. Given a folder with an .msi installer file (which is my use case, and pretty reliable for putting things into the registry) and the following Dockerfile:

FROM mcr.microsoft.com/windows/servercore:ltsc2022
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
# The build context (the folder holding the .msi) is copied to C:\tools
COPY . ./tools/
# The installer lands in C:\tools, so reference it there rather than as './unknown.msi'
# (which would resolve against the default working directory C:\ and fail)
RUN Start-Process 'C:\tools\unknown.msi' '/log C:\tools\install.log' -PassThru | Wait-Process;

Provided that folder is the working directory (note the trailing `.`, which passes it as the build context):

docker build -t registryhive:test .

followed by docker save registryhive:test -o image.tar

will (eventually) result in an image.tar file in that directory. tar -xf image.tar will extract the tar file.

Now look at manifest.json to find the last layer (the file path contains hashes unique to the image), and extract that layer's layer.tar file to get a Files and a Hives directory. The Hives directory contains several files that can be loaded into regedit, but unfortunately not this library.

I apologize for not including example hive files. I'm unfortunately dealing with multiple machines and network restrictions, and don't have the ability to run this stuff right now.

I don't know much about the file format, or how any of it is implemented. I did come across this source that seemed pretty detailed.

EricZimmerman commented 1 year ago

No plans to support this, at least at this time.

mickderks commented 1 year ago

No matter how simple something is to use, there will always be an idiot that messes it up.

I didn't call ParseHive, and after doing so everything seems to work just fine.

I apologise for wasting your time.
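The resolution above is the whole story: `RegistryHive` only reads the header on construction, and `Root` is not populated until `ParseHive()` is called. The following is an added example (not code from the Registry project or from either participant in this thread) that loads two hives pulled out of container image layers in the way the issue describes, parses both, and prints the values that were added, changed or removed, which is the "diff containers" use case the reporter had in mind. It assumes the Registry NuGet package from EricZimmerman/Registry is referenced and that `RegistryHive` exposes `ParseHive()`, `Root`, `RegistryKey.SubKeys`, `RegistryKey.Values`, `KeyPath`, `ValueName` and `ValueData` as used here; the hive paths are placeholders.

```csharp
// Added example, not part of the Registry project. Assumes the Registry NuGet
// package (EricZimmerman/Registry) and the member names listed in the lead-in.
using System;
using System.Collections.Generic;
using Registry;
using Registry.Abstractions;

static class HiveDiff
{
    // Load a hive and make sure it is actually parsed: a RegistryHive that
    // has not had ParseHive() called on it holds only the header, and Root
    // is empty, which is exactly what the issue above mistook for a
    // missing root element.
    static RegistryHive Load(string path)
    {
        var hive = new RegistryHive(path);
        if (!hive.ParseHive())
            throw new InvalidOperationException("ParseHive failed for " + path);
        return hive;
    }

    // Walk the key tree iteratively (container hives can be deep) and
    // flatten it into "KeyPath\ValueName" -> data for easy comparison.
    static Dictionary<string, string> Flatten(RegistryHive hive)
    {
        var entries = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        var stack = new Stack<RegistryKey>();
        stack.Push(hive.Root);
        while (stack.Count > 0)
        {
            var key = stack.Pop();
            foreach (var value in key.Values)
                entries[key.KeyPath + "\\" + value.ValueName] = value.ValueData;
            foreach (var sub in key.SubKeys)
                stack.Push(sub);
        }
        return entries;
    }

    static void Main(string[] args)
    {
        // Placeholder paths: the same hive (for example SOFTWARE) taken from the
        // Hives directory of the base layer and of the last layer of the image.
        string basePath = args.Length > 0 ? args[0] : @"C:\layers\base\Hives\SOFTWARE";
        string lastPath = args.Length > 1 ? args[1] : @"C:\layers\last\Hives\SOFTWARE";

        var before = Flatten(Load(basePath));
        var after = Flatten(Load(lastPath));

        // Added and changed values, as seen from the last layer.
        foreach (var kv in after)
        {
            if (!before.TryGetValue(kv.Key, out var old))
                Console.WriteLine("+ " + kv.Key + " = " + kv.Value);
            else if (old != kv.Value)
                Console.WriteLine("~ " + kv.Key + ": " + old + " -> " + kv.Value);
        }

        // Values present in the base layer that the last layer no longer has.
        foreach (var kv in before)
            if (!after.ContainsKey(kv.Key))
                Console.WriteLine("- " + kv.Key);
    }
}
```

Compile it against the Registry package and run it with the two hive paths as arguments. Two practical notes: the `Layers` array in `manifest.json` is ordered from base to top, so "the last layer" is the final entry; and a hive copied out of a stopped container or an image layer may not have been cleanly flushed, so if a parse fails or keys look stale, check whether the accompanying `.LOG1`/`.LOG2` transaction logs sit next to the hive and use the library's transaction-log replay support (its exact method signature is not shown on this page) before trusting the diff.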