
The data in the registry key looks like:

Name  Type        Value
Data  REG_BINARY  60 D0 DB 9E 2D 47 CF 01

The data represents an 8-byte (little-endian QWORD) filetime value. So why they chose to use binary rather than REG_QWORD is anyone's guess.

In the Python 2.7 code I can see the data value has been located and a value object contains the key information, such as:

print "***", value64.name(), value64.value_type(), value64.value

*** Data 3 <bound method RegistryValue.value of <Registry.Registry.RegistryValue object at 0x7f2d500b3990>>

The name 'Data' is correct and the value_type of 3 means REG_BINARY, so that is correct.

The documentation for python-registry (assuming I have the right doc) is

https://github.com/williballenthin/python-registry/blob/master/documentation/registry.html

However, I can't figure out what methods/functions have been provided to process binary data.

Because I know this binary data will always be 8 bytes, I'm tempted to cast the object pointer to a QWORD (double) pointer and get the value directly, but I'm not sure the object points to the data or how I would do this in Python anyway.

Any pointers appreciated.

Walter ZAMBOTTI

1 Answer


I figured out the type of value64.value() was a 'str', so I used simple character indexing to reference each of the 8 bytes and converted the value to a float.

def bin_to_longlong(binval):
    # binval is the 8-byte REG_BINARY payload as a Python 2 str, least significant byte first
    return ord(binval[7])*(2**56) + ord(binval[6])*(2**48) + ord(binval[5])*(2**40) + ord(binval[4])*(2**32) + \
        ord(binval[3])*(2**24) + ord(binval[2])*(2**16) + ord(binval[1])*(2**8) + ord(binval[0])

Code by me.

which can be tidied up by using struct.unpack like so:

import struct

def bin_to_longlong(binval):
    return struct.unpack('<Q', binval)[0]  # '<Q' = little-endian unsigned long long (8 bytes)

And converted the float (filetime value) to a date.

from datetime import datetime

EPOCH_AS_FILETIME = 116444736000000000  # January 1, 1970 as MS file time
HUNDREDS_OF_NANOSECONDS = 10000000
def filetime_to_dt(ft):
    # FILETIME is UTC: utcfromtimestamp avoids shifting the result into local time,
    # and float division keeps the sub-second part under Python 2's integer division
    return datetime.utcfromtimestamp((ft - EPOCH_AS_FILETIME) / float(HUNDREDS_OF_NANOSECONDS))

Code from : https://gist.github.com/Mostafa-Hamdy-Elgiar/9714475f1b3bc224ea063af81566d873

Like so :

value64date = filetime_to_dt(bin_to_longlong(value64.value()))

Now hopefully someone can show me how to do that elegantly in python!

Walter ZAMBOTTI
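As an added, stand-alone example (not code from the question, the answer, or the python-registry project): the same decode done with struct.unpack and integer datetime arithmetic, using the eight bytes shown in the question as constructed input. It goes slightly beyond the answer by also accepting a REG_QWORD payload, rejecting any other type or length instead of silently misreading it, and converting with integer arithmetic so the result stays in UTC with its sub-second part intact. The type codes are the winnt.h constants REG_BINARY = 3 and REG_QWORD = 11; the function names are my own.

```python
import struct
from datetime import datetime, timedelta

# Registry value type codes from winnt.h.
REG_BINARY = 3
REG_QWORD = 11

# A FILETIME is the number of 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1)
FILETIME_SIZE = 8

# Constructed sample input: the eight REG_BINARY bytes from the question, in the
# order they sit in the hive (little-endian), as value.value() would return them.
SAMPLE_DATA = b"\x60\xD0\xDB\x9E\x2D\x47\xCF\x01"


def filetime_from_bytes(raw, value_type=REG_BINARY):
    """Decode an 8-byte little-endian FILETIME from a registry value payload.

    Both a REG_BINARY payload (as in the question) and a raw REG_QWORD payload
    are 8 little-endian bytes, so one unpack serves either; any other type or
    length is an error rather than a silently wrong timestamp.
    """
    if value_type not in (REG_BINARY, REG_QWORD):
        raise ValueError("unexpected registry value type %d" % value_type)
    if len(raw) != FILETIME_SIZE:
        raise ValueError("expected %d bytes, got %d" % (FILETIME_SIZE, len(raw)))
    # '<Q' = little-endian unsigned 64-bit; accepts a Py2 str or a Py3 bytes.
    return struct.unpack("<Q", raw)[0]


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to a naive datetime expressed in UTC.

    Going through timedelta with integer microseconds keeps the precision and
    avoids datetime.fromtimestamp(), which would interpret the value in local
    time and, under Python 2 integer division, drop the fractional second.
    """
    if ft < 0:
        raise ValueError("FILETIME is unsigned")
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:
        raise ValueError("FILETIME 0x%016X is outside the datetime range" % ft)


def registry_filetime(raw, value_type=REG_BINARY):
    """Registry payload -> (filetime_int, utc_datetime) in one call."""
    ft = filetime_from_bytes(raw, value_type)
    return ft, filetime_to_datetime(ft)


if __name__ == "__main__":
    ft, when = registry_filetime(SAMPLE_DATA)
    print("FILETIME 0x%016X -> %s UTC" % (ft, when.isoformat()))
```

With python-registry, `value64.value()` is what you pass as `raw` and `value64.value_type()` as `value_type`; the example deliberately does not import the library so it runs without a hive. The returned datetime is naive but UTC, so attach `tzinfo` explicitly if it is going into a timeline alongside timestamps from other sources.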