Hello,

I am working on a GUI interface for users to manipulate the Windows Registry. For that I chose to use the really excellent library hivex3. Just now I'm performing some tests to see if everything is saved correctly.

Most things work really well, but there is a problem with saving some values and their types.

Description of problem:

For saving values the function node_set_values or node_set_value is used. This function takes 3 arguments: node name, value type and value. It seems that this function accepts only strings for value (any other type throws an error). The problem arises when I want to save values different than string. For example:

value1 = { "key": "TEST_DWORD2(150)", "t": 4, "value": "150" }

The result is that the value "150" is saved not as DWORD but as STRING -> 0x313530, which is not a valid DWORD value for Win Regedit. The same happens with saving binary values; binary or hex is handled like a string.

So is there any way to force the library to take this type correctly?

I'm using:
hivex3 - 1.3.7
python - 2.7.5

Thanks for any advice
Richard W.M. Jones
2014-Mar-04 14:44 UTC
Re: [Libguestfs] Hivex3: Saving values - always string
On Tue, Mar 04, 2014 at 02:38:01PM +0100, Martin Klíma wrote:
[..]
> Hello,

Hello. Just a note that the library is called "hivex". The "(3)" printed after the name is a Unix convention that means it is in section 3 of the manual, containing libraries:

https://en.wikipedia.org/wiki/Man_page#Manual_sections

> I am working on a GUI interface for users to manipulate the Windows Registry.
> For that I chose to use the really excellent library hivex3. Just now
> I'm performing some tests to see if everything is saved correctly.
>
> Most things work really well, but there is a problem with saving
> some values and their types.
>
> Description of problem:
>
> For saving values the function node_set_values or node_set_value is used.
> This function takes 3 arguments: node name, value type and value. It
> seems that this function accepts only strings for value (any other
> type throws an error). The problem arises when I want to save values
> different than string. For example:

It's a little confusing. The value is indeed a string (in Python) but in fact it's a binary object that is stored directly into the registry. If you want to store a 32 bit integer (DWORD), you have to encode that as a little-endian binary blob and put it in value.

Python has a module called 'struct' which you can use to do this encoding (and decoding when you're pulling numbers out).

See the attached program which shows you how to use it.

> value1 = { "key": "TEST_DWORD2(150)", "t": 4, "value": "150" }
>
> The result is that the value "150" is saved not as DWORD but as STRING ->
> 0x313530, which is not a valid DWORD value for Win Regedit.
> The same happens with saving binary values; binary or hex is handled like a string.

Right, as this is setting the value field to a binary value 0x00303531, that's assuming that Windows is able to read it at all since it has the wrong length (3 bytes).

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v

Attachment: value.py

    #!/usr/bin/python

    import sys
    import os
    import struct
    import hivex

    h = hivex.Hivex ("windows-2003-server-system", write = True)
    assert h

    root = h.root ()
    assert root

    # Get \WPA\PnP node
    node = h.node_get_child (root, "WPA")
    node = h.node_get_child (node, "PnP")

    # Get 'seed' which is a dword value.
    val = h.node_get_value (node, "seed")
    data = h.value_value (val)

    print "\\WPA\\PnP\\seed:"
    print "type =", data[0]
    print ("val = 0x%x" % struct.unpack ("<I", data[1]))

    # Set the dword value.
    new_value = struct.pack ("<I", 0x12345678)
    value = { "key": "seed", "t" : data[0], "value" : new_value }
    h.node_set_value (node, value)

    # Print new value.
    val = h.node_get_value (node, "seed")
    data = h.value_value (val)

    print "\\WPA\\PnP\\seed:"
    print "type =", data[0]
    print ("val = 0x%x" % struct.unpack ("<I", data[1]))
Hello,

thanks for the answer, it works pretty well.

I'm still a little bit confused about saving binary values. I understand that there can be a risk of writing a wrong sequence of bytes to the hive, but in regular MS Regedit this possibility exists, and when someone really knows what he is doing, he should be able to change bytes directly.

So how to achieve that with hivex? I noticed that hivex returns binary data in a hex string, function - "\xa5\xc6", but how to save this data back? Should it be a raw binary string, "100001", or also some string with specific coding? Or hexadecimal values? I can't figure it out...

On 4.3.2014 15:44, Richard W.M. Jones wrote:
> On Tue, Mar 04, 2014 at 02:38:01PM +0100, Martin Klíma wrote:
> [..]
>> Hello,
> Hello. Just a note that the library is called "hivex". The "(3)"
> printed after the name is a Unix convention that means it is in
> section 3 of the manual, containing libraries:
>
> https://en.wikipedia.org/wiki/Man_page#Manual_sections
>
>> I am working on a GUI interface for users to manipulate the Windows Registry.
>> For that I chose to use the really excellent library hivex3. Just now
>> I'm performing some tests to see if everything is saved correctly.
>>
>> Most things work really well, but there is a problem with saving
>> some values and their types.
>>
>> Description of problem:
>>
>> For saving values the function node_set_values or node_set_value is used.
>> This function takes 3 arguments: node name, value type and value. It
>> seems that this function accepts only strings for value (any other
>> type throws an error). The problem arises when I want to save values
>> different than string. For example:
> It's a little confusing. The value is indeed a string (in Python) but
> in fact it's a binary object that is stored directly into the
> registry. If you want to store a 32 bit integer (DWORD), you have to
> encode that as a little-endian binary blob and put it in value.
>
> Python has a module called 'struct' which you can use to do this
> encoding (and decoding when you're pulling numbers out).
>
> See the attached program which shows you how to use it.
>
>> value1 = { "key": "TEST_DWORD2(150)", "t": 4, "value": "150" }
>>
>> The result is that the value "150" is saved not as DWORD but as STRING ->
>> 0x313530, which is not a valid DWORD value for Win Regedit.
>> The same happens with saving binary values; binary or hex is handled like a string.
> Right, as this is setting the value field to a binary value 0x00303531,
> that's assuming that Windows is able to read it at all since it has
> the wrong length (3 bytes).
>
> Rich.
>
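
Added example (not from the thread and not hivex code): the encoding rule from Richard's reply, generalised beyond DWORD to the string, multi-string, QWORD and binary types, including the raw-bytes case asked about in the follow-up, plus a length check a registry editor can run before writing. It is Python 3 and does not import hivex; encode_value, check_raw and hex_to_bytes are hypothetical helper names, and the returned dict has the "key"/"t"/"value" shape that the attached program passes to node_set_value.

```python
import struct

# Registry type numbers, i.e. the "t" field of a hivex value dict.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 1, 2, 3, 4
REG_MULTI_SZ, REG_QWORD = 7, 11


def encode_value(key, reg_type, data):
    """Return {"key", "t", "value"} with "value" as the raw hive bytes."""
    if reg_type == REG_DWORD:
        raw = struct.pack("<I", data)            # 32-bit little-endian
    elif reg_type == REG_QWORD:
        raw = struct.pack("<Q", data)            # 64-bit little-endian
    elif reg_type in (REG_SZ, REG_EXPAND_SZ):
        raw = (data + "\0").encode("utf-16-le")  # NUL-terminated UTF-16LE
    elif reg_type == REG_MULTI_SZ:
        # Every string NUL-terminated, then one more NUL to end the list.
        raw = ("".join(s + "\0" for s in data) + "\0").encode("utf-16-le")
    elif reg_type == REG_BINARY:
        if not isinstance(data, (bytes, bytearray)):
            raise TypeError("REG_BINARY data must be bytes")
        raw = bytes(data)                        # stored byte for byte
    else:
        raise ValueError("unsupported registry type %d" % reg_type)
    return {"key": key, "t": reg_type, "value": raw}


def check_raw(reg_type, raw):
    """Describe what is wrong with a payload for this type, or return None."""
    fixed = {REG_DWORD: 4, REG_QWORD: 8}
    if reg_type in fixed and len(raw) != fixed[reg_type]:
        return "type %d needs %d bytes, got %d" % (reg_type, fixed[reg_type], len(raw))
    if reg_type in (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ) and len(raw) % 2:
        return "UTF-16LE data has odd length %d" % len(raw)
    return None


def hex_to_bytes(text):
    """Turn user-typed hex such as 'a5 c6' or 'a5,c6' into raw bytes."""
    return bytes.fromhex(text.replace(",", " "))


if __name__ == "__main__":
    # Constructed sample values; the first key name is the one from the thread.
    good = encode_value("TEST_DWORD2(150)", REG_DWORD, 150)
    print(good["value"])                   # 4 bytes, little-endian
    print(check_raw(REG_DWORD, b"150"))    # the 3-byte payload from the thread
    print(encode_value("blob", REG_BINARY, hex_to_bytes("a5 c6")))
```

Passing the string "150" as DWORD data to encode_value raises struct.error instead of silently writing three ASCII bytes, which is the failure described in the first message.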