3.9 Sample BTH

Office

Because the binary dump in the preceding example contains a PC, by definition it follows that the HN contains a BTH. This example uses the same binary dump form the last example to further examine the inner BTH structure (section 2.3.2). Because hidUserRoot is 0x20, this maps to the first HN allocation (section 2.3.1.1), which starts at offset 0x0C. Because the next allocation starts at offset 0x14, its size is 8 bytes.

These 8 bytes (B5 02 06 00 40 00 00 00 ) actually maps to the BTHHEADER structure (section 2.3.2.1) of this BTH. According to the information in the BTHHEADER, each record in this BTH has a 2-byte key (cbKey=2) and 6 bytes of data (cbEnt=6). It also indicates that the BTH entry table is located in HID 0x40 (hidRoot=0x00000040), and it contains leaf BTH Records (bIdxLevels=0, see section 2.3.2.3).

HID 0x40 maps to the second allocation, which spans 0x58 bytes from offset 0x14 to 0x6C (shown following). Because each record is 8 bytes (2+6), the BTH contains 11 records.

                               34 0E 02 01-A0 00 00 00 38 0E 03 00  *@...4.......8...*
 0000000000004820  00 00 00 00 F9 0F 02 01-60 00 00 00 01 30 1F 00  *........`....0..*
 0000000000004830  80 00 00 00 DF 35 03 00-89 00 00 00 E0 35 02 01  *.....5.......5..*
 0000000000004840  C0 00 00 00 E3 35 02 01-00 01 00 00 E7 35 02 01  *.....5.......5..*
 0000000000004850  E0 00 00 00 33 66 0B 00-01 00 00 00 FA 66 03 00  *....3f.......f..*
 0000000000004860  0D 00 0E 00 FF 67 03 00-00 00 00 00

Recall that the HN has 8 allocations, but so far the BTH only used accounted for 2 of them. The remaining 6 allocations are being used by the higher-level client (that is, the PC).

  
 0000000000004800  EC 00 EC BC 20 00 00 00-00 00 00 00 B5 02 06 00  *.... ...........*
 0000000000004810  40 00 00 00 34 0E 02 01-A0 00 00 00 38 0E 03 00  *@...4.......8...*
 0000000000004820  00 00 00 00 F9 0F 02 01-60 00 00 00 01 30 1F 00  *........`....0..*
 0000000000004830  80 00 00 00 DF 35 03 00-89 00 00 00 E0 35 02 01  *.....5.......5..*
 0000000000004840  C0 00 00 00 E3 35 02 01-00 01 00 00 E7 35 02 01  *.....5.......5..*
 0000000000004850  E0 00 00 00 33 66 0B 00-01 00 00 00 FA 66 03 00  *....3f.......f..*
 0000000000004860  0D 00 0E 00 FF 67 03 00-00 00 00 00 22 9D B5 0A  *.....g......"...*
 0000000000004870  DC D9 94 43 85 DE 90 AE-B0 7D 12 70 55 00 4E 00  *...C.....}.pU.N.*
 0000000000004880  49 00 43 00 4F 00 44 00-45 00 31 00 01 00 00 00  *I.C.O.D.E.1.....*
 0000000000004890  F5 5E F6 66 95 69 CC 4C-83 D1 D8 73 98 99 02 85  *.^.f.i.L...s....*
 00000000000048A0  01 00 00 00 00 00 00 00-22 9D B5 0A DC D9 94 43  *........"......C*
 00000000000048B0  85 DE 90 AE B0 7D 12 70-22 80 00 00 00 00 00 00  *.....}.p".......*
 00000000000048C0  22 9D B5 0A DC D9 94 43-85 DE 90 AE B0 7D 12 70  *"......C.....}.p*
 00000000000048D0  42 80 00 00 00 00 00 00-22 9D B5 0A DC D9 94 43  *B......."......C*
 00000000000048E0  85 DE 90 AE B0 7D 12 70-62 80 00 00 08 00 00 00  *.....}.pb.......*
 00000000000048F0  0C 00 14 00 6C 00 7C 00-8C 00 A4 00 BC 00 D4 00  *....l.|.........*
 0000000000004900  EC 00                                            *..              *
Show: