Richard W.M. Jones
2011-May-16 13:18 UTC
[Libguestfs] [PATCH (for discussion)] New hivexhextostring tool.
The idea here is that you can pipe the output of virt-win-reg or hivexregedit --export through this program in order to display the strings more simply. Instead of:

  $ virt-win-reg --export ...
  [\ATI Technologies\Install\South Bridge\ATI_AHCI_RAID]
  "DisplayName"=hex(1):41,00,4d,00,44,00,20,00,41,00,48,00,43,00,49,00,20,00,52,00,41,00,49,00,44,00,00,00

you get:

  $ virt-win-reg --export ... | hivexhextostring
  [\ATI Technologies\Install\South Bridge\ATI_AHCI_RAID]
  "DisplayName"=str(1):"AMD AHCI RAID^@"

However there are fundamental problems that make this a best effort process: there is no string encoding information in the registry, and the actual strings there are in a random set of encodings, mostly UTF-16LE, some ASCII or UTF-8, and a few in DOS codepoint encodings. Since there's no way to tell the encoding of a string, this tool doesn't get it right all the time.

So it's good for viewing registry keys, but it doesn't preserve the fidelity of strings.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top

-------------- next part --------------
>From fbba0e840cc205c24f254318138a21166d7e0363 Mon Sep 17 00:00:00 2001From: Richard W.M. Jones <rjones at redhat.com> Date: Mon, 16 May 2011 14:14:10 +0100 Subject: [PATCH] New hivexhextostring tool. --- .gitignore | 2 + regedit/Makefile.am | 30 +++++++++-- regedit/hivexhextostring | 129 ++++++++++++++++++++++++++++++++++++++++++++++ regedit/hivexregedit | 1 + 4 files changed, 158 insertions(+), 4 deletions(-) create mode 100755 regedit/hivexhextostring diff --git a/.gitignore b/.gitignore index 5984892..ed8feb7 100644 --- a/.gitignore +++ b/.gitignore @@ -27,6 +27,7 @@ hivex.pc hivex-*.tar.gz html/hivex.3.html html/hivexget.1.html +html/hivexhextostring.1.html html/hivexml.1.html html/hivexregedit.1.html html/hivexsh.1.html 
@@ -97,6 +98,7 @@ po/remove-potcdate.sin python/*.pyc python/hivex-py.c python/hivex.py +regedit/hivexhextostring.1 regedit/hivexregedit.1 sh/*.1 sh/hivexsh diff --git a/regedit/Makefile.am b/regedit/Makefile.am index 4353ee8..dd1cc78 100644 --- a/regedit/Makefile.am +++ b/regedit/Makefile.am @@ -1,5 +1,5 @@ # hivex -# Copyright (C) 2010 Red Hat Inc. +# Copyright (C) 2010-2011 Red Hat Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -17,11 +17,16 @@ EXTRA_DIST = \ hivexregedit \ + hivexhextostring \ run-locally -bin_SCRIPTS = hivexregedit +bin_SCRIPTS = \ + hivexregedit \ + hivexhextostring -man_MANS = hivexregedit.1 +man_MANS = \ + hivexregedit.1 \ + hivexhextostring.1 hivexregedit.1: hivexregedit $(POD2MAN) \ @@ -31,8 +36,17 @@ hivexregedit.1: hivexregedit --release "$(PACKAGE_NAME)-$(PACKAGE_VERSION)" \ $< > $@-t; mv $@-t $@ +hivexhextostring.1: hivexhextostring + $(POD2MAN) \ + --section 1 \ + -c "Windows Registry" \ + --name "hivexhextostring" \ + --release "$(PACKAGE_NAME)-$(PACKAGE_VERSION)" \ + $< > $@-t; mv $@-t $@ + noinst_DATA = \ - $(top_builddir)/html/hivexregedit.1.html + $(top_builddir)/html/hivexregedit.1.html \ + $(top_builddir)/html/hivexhextostring.1.html $(top_builddir)/html/hivexregedit.1.html: hivexregedit mkdir -p $(top_builddir)/html @@ -42,4 +56,12 @@ $(top_builddir)/html/hivexregedit.1.html: hivexregedit --outfile html/hivexregedit.1.html \ regedit/hivexregedit +$(top_builddir)/html/hivexhextostring.1.html: hivexhextostring + mkdir -p $(top_builddir)/html + cd $(top_builddir) && pod2html \ + --css 'pod.css' \ + --htmldir html \ + --outfile html/hivexhextostring.1.html \ + regedit/hivexhextostring + CLEANFILES = $(man_MANS) diff --git a/regedit/hivexhextostring b/regedit/hivexhextostring new file mode 100755 index 0000000..1c1128f --- /dev/null +++ b/regedit/hivexhextostring 
@@ -0,0 +1,129 @@ +#!/usr/bin/perl -w +# Copyright (C) 2011 Red Hat Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +use warnings; +use strict; + +use Encode; +use Pod::Usage; +use Getopt::Long; + +binmode STDOUT, ":utf8"; + +=encoding utf8 + +=head1 NAME + +hivexhextostring - Convert hex to string in hivexregedit and virt-win-reg output + +=head1 SYNOPSIS + + hivexregedit --export ... | hivexhextostring | less + + virt-win-reg ... | hivexhextostring | less + +=head1 DESCRIPTION + +This tool is a handy filter for converting the hex(N):... UTF-16LE +sequences in the output of L<hivexregedit(1)> and L<virt-win-reg(1)> +into printable strings. + +While this is useful for viewing parts of the registry, I<it does not +preserve fidelity> of strings (which is the reason we use the hex +encoding in the first place). Therefore you should not use this tool +to produce output that is consumed by another program. For more +information on this subject see L<Win::Hivex::Regedit(3)/ENCODING STRINGS>. + +=head1 NOTES + +=over 4 + +=item Final NUL character is preserved + +Registry strings may or may not contain a final zero codepoint +(usually encoded as two zero bytes because most Windows Registry +strings are stored as UTF-16LE). 
This tool preserves this final +character if it exists, which is technically correct but not +consistent with what other tools do. + +=item Assumes UTF-16LE + +This tool assumes the strings are encoded as UTF-16LE, and will +produce garbage for strings which are not. The Registry itself +contains no indication of encoding. + +=back + +=head1 OPTIONS + +=over 4 + +=cut + +my $help; + +=item B<--help> + +Display help. + +=back + +=cut + +GetOptions ("help|?" => \$help) or pod2usage (2); +pod2usage (1) if $help; + +while (<>) { + s{hex\((\d+)\):(\S+)}{ + my $t = $1; + $_ = $2; + s,\,,,g; + "str($t):\"" . decode (utf16le => pack ("H*", $_)). "\"" + }eg; + print; +} + +=head1 SEE ALSO + +L<hivexregedit(1)>, +L<virt-win-reg(1)>, +L<Win::Hivex::Regedit(3)>, +L<Win::Hivex(3)>, +L<hivexsh(1)>, +L<http://libguestfs.org/>. + +=head1 AUTHOR + +Richard W.M. Jones L<http://people.redhat.com/~rjones/> + +=head1 COPYRIGHT + +Copyright (C) 2011 Red Hat Inc. + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. diff --git a/regedit/hivexregedit b/regedit/hivexregedit index 966f725..da352be 100755 --- a/regedit/hivexregedit +++ b/regedit/hivexregedit @@ -282,6 +282,7 @@ if ($merge) { # --merge (reg_import) L<virt-win-reg(1)>, L<Win::Hivex::Regedit(3)>, L<Win::Hivex(3)>, +L<hivexhextostring(1)>, L<hivexsh(1)>, L<dos2unix(1)>, L<unix2dos(1)>, -- 1.7.5
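Review bot: In regedit/hivexhextostring, the replacement inside the while (<>) loop writes the decoded value between \" and \" with no escaping, so a value that contains a double quote, a newline or terminal control characters reaches the output raw; the input is registry data taken from a guest, so escape backslash, double quote and non-printable code points before printing. The same substitution matches hex\((\d+)\) for every type number, although only types 1, 2 and 7 (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ) hold strings, so any other hex(N) value is decoded as UTF-16LE as well; restricting the match to those three types avoids that. Assigning $_ = $2 inside a substitution that is itself running on $_ is also fragile; a lexical copy (my $hex = $2) would make the intent clear.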
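Review bot: In regedit/Makefile.am, the new html/hivexhextostring.1.html rule hands pod2html the hard-coded path regedit/hivexhextostring after cd $(top_builddir), so the script is found only when building inside the source tree; $(abs_srcdir)/hivexhextostring would also work for out-of-tree builds (the hivexregedit rule it is copied from has the same limitation). The patch also installs a new script through bin_SCRIPTS without a test for it: the diffstat lists only .gitignore, regedit/Makefile.am and the two scripts.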
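The filtering described in the first message, as an added example that is not part of the patch or of hivex: it decodes only string-typed values, keeps the hex form when the bytes cannot be UTF-16LE, and escapes what it prints. The sub name render_value and the value names in the sample are made up for illustration; the sample lines are constructed, apart from the DisplayName value quoted in the email.

```perl
#!/usr/bin/perl
# Added example (not the hivexhextostring patch): stricter, escaped decoding.
use strict;
use warnings;
use Encode qw(decode FB_CROAK LEAVE_SRC);

binmode STDOUT, ":encoding(UTF-8)";

# Registry types that hold strings: REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ.
my %string_type = (1 => 1, 2 => 1, 7 => 1);

# Render one hex(N) value as str(N):"...", or return undef when the bytes
# cannot be UTF-16LE so that the caller keeps the original hex form.
sub render_value {
    my ($type, $hex) = @_;
    return undef unless $string_type{$type};
    (my $digits = $hex) =~ tr/,//d;
    return undef if $digits =~ /[^0-9a-fA-F]/ or length($digits) % 4;
    my $bytes = pack("H*", $digits);
    my $text = eval { decode("UTF-16LE", $bytes, FB_CROAK | LEAVE_SRC) };
    return undef unless defined $text;
    # Escape quote and backslash, then every control/format/unassigned code
    # point, so a value cannot forge output lines or drive the terminal.
    $text =~ s/([\\"])/\\$1/g;
    $text =~ s/(\p{C})/sprintf("\\x{%04x}", ord($1))/ge;
    return qq{str($type):"$text"};
}

# Constructed sample input; the first value is the one quoted in the email.
my @sample = (
    '"DisplayName"=hex(1):41,00,4d,00,44,00,20,00,41,00,48,00,43,00,49,00,20,00,52,00,41,00,49,00,44,00,00,00',
    '"AsciiFourBytes"=hex(1):61,62,63,64',              # ASCII "abcd": valid UTF-16LE, wrong text
    '"AsciiThreeBytes"=hex(1):61,62,63',                # odd byte count: left as hex
    '"EscapeSequence"=hex(1):1b,00,5b,00,32,00,4a,00',  # ESC [ 2 J: printed escaped
    '"Binary"=hex(3):de,ad,be,ef',                      # not a string type: left as hex
);

for my $line (@sample) {
    $line =~ s{(hex\(([0-9a-f]+)\):([0-9a-fA-F,]+))}{
        my ($all, $type, $hex) = ($1, $2, $3);
        render_value($type, $hex) // $all;
    }ge;
    print "$line\n";
}
```

The AsciiFourBytes line shows the limit the email describes: ASCII bytes of even length are also well-formed UTF-16LE, so strict decoding cannot tell the two apart and the output remains best effort.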
Richard W.M. Jones
2011-May-17 07:30 UTC
[Libguestfs] [PATCH (for discussion)] New hivexhextostring tool.
I don't think this patch is good, please ignore.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v