search for: hive_h

...x, bad registry\n", + fprintf (stderr, "hivex: %s: block size %" PRIu32 " at 0x%zx," + " bad registry\n", filename, le32toh (block->seg_len), blkoff); errno = ENOTSUP; goto error; @@ -586,7 +588,8 @@ hivex_node_name (hive_h *h, hive_node_h node) size_t seg_len = block_len (h, node, NULL); if (sizeof (struct ntreg_nk_record) + len - 1 > seg_len) { if (h->msglvl >= 2) - fprintf (stderr, "hivex_node_name: returning EFAULT because node name is too long (%zu, %zu)\n", + fprintf (stde...

Hi, Here is one trivial initialization fix and another patch to convert a huge macro to an inline function. The result of the expansion would show up in an assertion which triggered a -Woverlength-strings warning. Peter Wu (2): Fix garbage return value on error Fix overly long assertion string lib/hivex-internal.h | 28 ++++++++++++++++------------ lib/node.c | 18

...ime reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer). Some of the code changes necessary include: * Exposing the hive_h structure in the hivex header file (via generator.ml) * Adding an additional argument to the node_start function, which should cause no complications since the change is specific to the C API. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 44...

...as brought to my attention that dumping a registry hive causes a lot of time spent in disk I/O activity because iconv_open() and iconv_close() are called for every key. Every iconv_open() call causes /usr/lib/.../gconv/$ENCODING.so to be opened and mapped. The iconv_t handles are now cached in the hive_h struct; they are opened on-demand and re-used. On my ~10 year old Lenovo T60, I have seen 57% savings in the overal runtime of running hivexregedit --export windows-8-enterprise-software.hive '\\' --- lib/handle.c | 43 ++++++++++++++++++++++++++++++++++++++++++- lib/hivex-in...

...changed, 96 insertions(+), 9 deletions(-) diff --git a/xml/hivexml.c b/xml/hivexml.c index 54d9049..a4bc7eb 100644 --- a/xml/hivexml.c +++ b/xml/hivexml.c @@ -210,11 +210,40 @@ filetime_to_8601 (int64_t windows_ticks) return ret; } +#define BYTE_RUN_BUF_LEN 32 + +static int +node_byte_runs (hive_h *h, void *writer_v, hive_node_h node) +{ + xmlTextWriterPtr writer = (xmlTextWriterPtr) writer_v; + char buf[1+BYTE_RUN_BUF_LEN]; + errno = 0; + size_t node_struct_length = hivex_node_struct_length (h, node); + if (errno) { + if (errno == EINVAL) { + fprintf (stderr, "node_byte_ru...

...n that dumping a registry hive causes a > lot of time spent in disk I/O activity because iconv_open() and > iconv_close() are called for every key. Every iconv_open() call causes > /usr/lib/.../gconv/$ENCODING.so to be opened and mapped. > > The iconv_t handles are now cached in the hive_h struct; they are > opened on-demand and re-used. > > On my ~10 year old Lenovo T60, I have seen 57% savings in the overal > runtime of running > > hivexregedit --export windows-8-enterprise-software.hive '\\' > --- > lib/handle.c | 43 ++++++++++++++++++...

...xml.c | 18 +++++++++- 3 files changed, 112 insertions(+), 4 deletions(-) diff --git a/generator/generator.ml b/generator/generator.ml index 31478cd..36615f7 100755 --- a/generator/generator.ml +++ b/generator/generator.ml @@ -772,6 +772,7 @@ struct hivex_visitor { int (*value_none) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value); int (*value_other) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value); int (*value_any) (hive_h *, void *opaque, hive_node_h,...

...as brought to my attention that dumping a registry hive causes a lot of time spent in disk I/O activity because iconv_open() and iconv_close() are called for every key. Every iconv_open() call causes /usr/lib/.../gconv/$ENCODING.so to be opened and mapped. The iconv_t handles are now cached in the hive_h struct; they are opened on-demand and re-used. On my ~10 year old Lenovo T60, I have seen 57% savings in the overal runtime of running hivexregedit --export windows-8-enterprise-software.hive '\\' --- bootstrap | 1 + configure.ac | 2 ++ lib/Makefile.am |...

Hi Rich, While I was looking at hivex today I ran coverity on it. It spotted one problem but missed a similar one nearby. The following are from Hivex.xs: (generated by generator.ml) void node_set_values (h, node, values) hive_h *h; int node; pl_set_values values = unpack_pl_set_values (ST(2)); PREINIT: int r; PPCODE: r = hivex_node_set_values (h, node, values.nr_values, values.values, 0); free (values.values); if (r == -1) croak ("%s: %s", "node_set_values",...

This is, hopefully, a full fix for handling of li-records. See: https://bugzilla.redhat.com/show_bug.cgi?id=717583 https://bugzilla.redhat.com/show_bug.cgi?id=987463 Rich.

...s changed, 95 insertions(+), 9 deletions(-) diff --git a/xml/hivexml.c b/xml/hivexml.c index d38e9d4..6591c98 100644 --- a/xml/hivexml.c +++ b/xml/hivexml.c @@ -210,6 +210,34 @@ filetime_to_8601 (int64_t windows_ticks) return ret; } +#define BYTE_RUN_BUF_LEN 32 + +static int +node_byte_runs (hive_h *h, void *writer_v, hive_node_h node) +{ + xmlTextWriterPtr writer = (xmlTextWriterPtr) writer_v; + char buf[1+BYTE_RUN_BUF_LEN]; + errno = 0; + size_t node_struct_length = hivex_node_struct_length (h, node); + if (errno) { + if (errno == EINVAL) { + fprintf (stderr, "node_byte_ru...

...421 100755 --- a/generator/generator.ml +++ b/generator/generator.ml @@ -45,11 +45,14 @@ and ret = | RErr (* 0 = ok, -1 = error *) | RErrDispose (* Disposes handle, see hivex_close. *) | RHive (* Returns a hive_h or NULL. *) + | RSize (* Returns size_t or 0. *) | RNode (* Returns hive_node_h or 0. *) | RNodeNotFound (* See hivex_node_get_child. *) | RNodeList (* Returns hive_node_h* or NULL....

...); + if (!is_printable) { + fprintf (stderr, "encoding_recommendation: Non-printable character found at data index %zu (c=%i)\n", i, data[i]); + break; + } + } + + return is_printable ? "none" : "base64"; +} + +static int +safe_print_string_attribute (hive_h *h, void *writer_v, const char *attr_name, const char *attr_encoding, const char *attr_data) +{ + int ret = 0; + char *encoding_to_use = NULL; + if (attr_name && attr_data && attr_encoding) { + xmlTextWriterPtr writer = (xmlTextWriterPtr) writer_v; + encoding_to_use = encod...

...;; + "value_value", (RLenTypeVal, [AHive; AValue "val"]), "return data length, data type and data of a value", "\ diff --git a/lib/hivex.c b/lib/hivex.c index 61177d3..d8ffa63 100644 --- a/lib/hivex.c +++ b/lib/hivex.c @@ -585,6 +585,30 @@ hivex_root (hive_h *h) return ret; } +size_t +hivex_node_struct_length (hive_h *h, hive_node_h node) +{ + if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) { + errno = EINVAL; + return 0; + } + + struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node); + size...

--- lib/write.c | 50 +++++++++++++++++++++++++++++++++++--------------- 1 file changed, 35 insertions(+), 15 deletions(-) diff --git a/lib/write.c b/lib/write.c index dbb8292..8c4dd8e 100644 --- a/lib/write.c +++ b/lib/write.c @@ -608,9 +608,17 @@ hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name) return 0; } + size_t recoded_name_len; + int use_utf16 = 0; + char* recoded_name = _hivex_encode_string (name, &recoded_name_len, &use_utf16); + if (recoded_name == NULL) { + SET_ERRNO (EINVAL, "malformed name"); + retu...

...on <ajnelson at cs.ucsc.edu> --- xml/hivexml.c | 42 ++++++++++++++++++++++++++++++++++-------- 1 files changed, 34 insertions(+), 8 deletions(-) diff --git a/xml/hivexml.c b/xml/hivexml.c index d38e9d4..1a75593 100644 --- a/xml/hivexml.c +++ b/xml/hivexml.c @@ -247,6 +247,32 @@ node_end (hive_h *h, void *writer_v, hive_node_h node, const char *name) return 0; } +/* + * Hive type names retrieved from: + * https://secure.wikimedia.org/wikipedia/en/wiki/Windows_Registry#Keys_and_values + * (Retrieved 2011-10-09) + * Caller should not free return value. + */ +static char * +value_type...

...ff-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- xml/hivexml.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) diff --git a/xml/hivexml.c b/xml/hivexml.c index f29c80c..4789dbc 100644 --- a/xml/hivexml.c +++ b/xml/hivexml.c @@ -199,6 +199,7 @@ node_start (hive_h *h, void *writer_v, hive_node_h node, const char *name) { int64_t last_modified; char *timebuf; + int ret = 0; xmlTextWriterPtr writer = (xmlTextWriterPtr) writer_v; XML_CHECK (xmlTextWriterStartElement, (writer, BAD_CAST "node")); @@ -278,7 +279,9 @@ value_string (hive_h...

...b/write.c | 49 ++++++++++++++++++++++++++++++++++--------------- > 1 file changed, 34 insertions(+), 15 deletions(-) > > diff --git a/lib/write.c b/lib/write.c > index dbb8292..72b1f8a 100644 > --- a/lib/write.c > +++ b/lib/write.c > @@ -608,9 +608,17 @@ hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name) > return 0; > } > > + size_t recoded_name_len; > + int use_utf16 = 0; > + char* recoded_name = _hivex_encode_string (name, &recoded_name_len, &use_utf16); > + if (recoded_name == NULL) { > + SET_ERRNO (EINVAL...

...s_utf16_to_utf8 (/* const */ char *input, size_t len); +static char *windows_latin1_to_utf8 (/* const */ char *input, size_t len); static size_t utf16_string_len_in_bytes (const char *str); static size_t utf16_string_len_in_bytes_max (const char *str, size_t len); @@ -177,7 +178,8 @@ block_len (hive_h *h, size_t blkoff, int *used) struct ntreg_nk_record { int32_t seg_len; /* length (always -ve because used) */ char id[2]; /* "nk" */ - uint16_t flags; + uint16_t flags; /* bit 5 set: latin1 + bit 5 cl...

--- lib/hivex-internal.h | 8 +++++--- lib/utf16.c | 11 +++++++---- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/lib/hivex-internal.h b/lib/hivex-internal.h index 4135f58..64fd49a 100644 --- a/lib/hivex-internal.h +++ b/lib/hivex-internal.h @@ -268,11 +268,13 @@ extern size_t * _hivex_return_offset_list (offset_list *list); extern void _hivex_print_offset_list