search for: 7f4cc3c

--- lib/value.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/value.c b/lib/value.c index c4e21ec..f222b41 100644 --- a/lib/value.c +++ b/lib/value.c @@ -334,7 +334,7 @@ hivex_value_value (hive_h *h, hive_value_h value, /* Arbitrarily limit the length that we will read. */ if (len > HIVEX_MAX_VALUE_LEN) { SET_ERRNO (ERANGE, "data length >

--- lib/hivex-internal.h | 1 + lib/utf16.c | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/lib/hivex-internal.h b/lib/hivex-internal.h index 6bc8638..7f4cc3c 100644 --- a/lib/hivex-internal.h +++ b/lib/hivex-internal.h @@ -277,6 +277,7 @@ extern char * _hivex_recode (const char *input_encoding, _hivex_recode ("LATIN1", _input, _len, "UTF-8", NULL) extern char* _hivex_encode_string(const char *str, size_t *size, int *utf16); exte...

I actually encountered a binary value with 1033680 bytes. --- lib/hivex-internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/hivex-internal.h b/lib/hivex-internal.h index 7f4cc3c..bfd24c8 100644 --- a/lib/hivex-internal.h +++ b/lib/hivex-internal.h @@ -321,7 +321,7 @@ extern int _hivex_get_values (hive_h *h, hive_node_h node, hive_value_h **values /* These limits are in place to stop really stupid stuff and/or exploits. */ #define HIVEX_MAX_SUBKEYS 15000 #define HI...

On Windows, there exist at least two APIs for dealing with the Registry: The Win32 API (RegCreateKeyA, RegCreateKeyW, etc.) works with null-terminated ASCII or UTF-16 strings. The native API (ZwCreateKey, etc.), on the other hand works with UTF-16 strings that are stored as buffers+length and may contain null characters. Malware authors have been relying on the Win32 API's inability to