search for: ahive

...rator/generator.ml +++ b/generator/generator.ml @@ -264,6 +264,18 @@ information, and the value itself. Also, C<hivex_value_*> functions below which can be used to return the value in a more useful form when you know the type in advance."; + "node_struct_length", (RSize, [AHive; ANode "node"]), + "return the length of a node", + "\ +Return the length of the node data structure. Returns 0 +and sets errno on error."; + + "value_struct_length", (RSize, [AHive; AValue "val"]), + "return the length of a value da...

Hi, When an integer argument is passed as value, node_set_value segfaults. Reproducer is at the end of this message The backtrace points at hivex-py.c, function get_value. While obj is non-NULL, `bytes = PyUnicode_AsUTF8String (obj);` returns NULL. Kind regards, Peter https://lekensteyn.nl #!/usr/bin/env python3 import hivex, sys h = hivex.Hivex(sys.argv[1]) print(h) val = {

Hi, This patch series is based on a prior patch[1], splitting off changes as requested and incorporating feedback from Richard Jones. It introduces type validation to avoid segmentation faults (instead, it reports an exception) and fixes handling of the bytes type in Python 3. Major changes since that series: - Drop newly introduced support for integer types for DWORD/QWORDS - Reject Unicode

...r.ml b/generator/generator.ml index be783ae..4f878ff 100755 --- a/generator/generator.ml +++ b/generator/generator.ml @@ -210,6 +210,11 @@ Return the child of node with the name C<name>, if it exists. The name is matched case insensitively."; + "node_num_children", (RSize, [AHive; ANode "node"]), + "return the number of children of a node", + "\ +Return the number of nodes as produced by C<hivex_node_children>."; + "node_parent", (RNode, [AHive; ANode "node"]), "return the parent of node",...

Hello, I've been trying to fit Arrellano-Bond model with pgmm but I am getting very strange errors. I've looked around and found no reference to them. I've specified the model in dozens of different ways, and each seems to give me a new kind of error. This leads me to believe this has to do with the way the data is specified, but I can't see anything thats wrong with. My

...83 100755 --- a/generator/generator.ml +++ b/generator/generator.ml @@ -159,6 +159,16 @@ but instead are lost. See L<hivex(3)/WRITING TO HIVE FILES>."; "\ Return root node of the hive. All valid hives must contain a root node."; + "major_version", (RInt32, [AHive]), + "return the major version of the hive", + "\ +Return major version stored in the hive header, -1 on error."; + + "minor_version", (RInt32, [AHive]), + "return the minor version of the hive", + "\ +Return minor version stored in the hive...

...3..9e53f4e 100755 --- a/generator/generator.ml +++ b/generator/generator.ml @@ -159,6 +159,12 @@ but instead are lost. See L<hivex(3)/WRITING TO HIVE FILES>."; "\ Return root node of the hive. All valid hives must contain a root node."; + "name", (RString, [AHive]), + "return the name stored in the hive header", + "\ +Return hive file name stored in the hive header, null on error. Caller +is responsible for freeing returned string."; + "major_version", (RInt32, [AHive]), "return the major version of the hive...

...ot;, "\ This call can be used to set all the (key, value) pairs -stored in C<node>. Note that this library does not offer -a way to modify just a single key at a node. +stored in C<node>. + +C<node> is the node to modify."; + + "node_set_value", (RErr, [AHive; ANode "node"; ASetValue; AUnusedFlags]), + "set a single (key, value) pair at a given node", + "\ +This call can be used to set a single (key, value) pair +stored in C<node>. C<node> is the node to modify."; ] @@ -459,6 +467,7 @@ let name_of_argt...

...2f 100755 --- a/generator/generator.ml +++ b/generator/generator.ml @@ -158,6 +158,13 @@ but instead are lost. See L<hivex(3)/WRITING TO HIVE FILES>."; "\ Return root node of the hive. All valid hives must contain a root node."; + "last_modified", (RInt64, [AHive]), + "return the modification time of the root node of the hive", + "\ +Return the modification time of the root node of the hive. The +returned value is equivalent in type and caveats as +hivex_node_timestamp."; + "node_name", (RString, [AHive; ANode "node&...

...a/generator/generator.ml +++ b/generator/generator.ml @@ -242,6 +242,12 @@ string C<\"\"> here. The default key is often written C<\"@\">, but inside hives that has no meaning and won't give you the default key."; + "node_nr_values", (RSize, [AHive; ANode "node"]), + "return the number of values attached to a node", + "\ +Return the number of (key, value) pairs attached to this node +as produced by C<hivex_node_values>."; + "value_key_len", (RSize, [AHive; AValue "val"]), &...

...ot;, "\ This call can be used to set all the (key, value) pairs -stored in C<node>. Note that this library does not offer -a way to modify just a single key at a node. +stored in C<node>. + +C<node> is the node to modify."; + + "node_set_value", (RErr, [AHive; ANode "node"; ASetValue; AUnusedFlags]), + "set a single (key, value) pair at a given node", + "\ +This call can be used to set a single (key, value) pair +stored in C<node>. C<node> is the node to modify."; ] @@ -459,6 +467,7 @@ let name_of_argt...

...or/generator.ml index 7ece245..6204ecd 100755 --- a/generator/generator.ml +++ b/generator/generator.ml @@ -273,6 +273,18 @@ Return the length of the node data structure."; "\ Return the length of the value data structure."; + "value_data_cell_offset", (RLenValue, [AHive; AValue "val"]), + "return the offset and length of a value data cell", + "\ +Return the offset and length of the value's data cell, not value cell. +E.g. if the value data were \"foobar\" then the cell length would be 10, +and the offset would be to a v...

...or/generator.ml index 85d1863..f8d9c9b 100755 --- a/generator/generator.ml +++ b/generator/generator.ml @@ -273,6 +273,18 @@ Return the length of the node data structure."; "\ Return the length of the value data structure."; + "value_data_cell_offset", (RLenValue, [AHive; AValue "val"]), + "return the offset and length of a value data cell", + "\ +Return the offset and length of the value's data cell, not value cell. +E.g. if the value data were \"foobar\" then the cell length would be 10, +and the offset would be to a v...

...generator.ml index 5a71930..b607421 100755 --- a/generator/generator.ml +++ b/generator/generator.ml @@ -276,6 +276,17 @@ and sets errno on error."; Return the length of the value data structure. Returns 0 and sets errno on error."; + "value_data_cell_offset", (RLenValue, [AHive; AValue "val"]), + "return the offset and length of a value data cell", + "\ +Return the offset and length of the value's data cell, not value cell. +E.g. if the value were \"foobar\" then the length would be 6, and the +offset would be to a value data c...

...a/generator/generator.ml +++ b/generator/generator.ml @@ -229,6 +229,17 @@ string C<\"\"> here. The default key is often written C<\"@\">, but inside hives that has no meaning and won't give you the default key."; + "value_key_len", (RSize, [AHive; AValue "val"]), + "return the length of a value's key", + "\ +Return the length of the key (name) of a (key, value) pair. The +length can legitimately be 0, so errno is the necesary mechanism +to check for errors. + +In the context of Windows Registries, a zero-...

On Windows, there exist at least two APIs for dealing with the Registry: The Win32 API (RegCreateKeyA, RegCreateKeyW, etc.) works with null-terminated ASCII or UTF-16 strings. The native API (ZwCreateKey, etc.), on the other hand works with UTF-16 strings that are stored as buffers+length and may contain null characters. Malware authors have been relying on the Win32 API's inability to

...(* See hivex_value_type. *) @@ -228,6 +231,17 @@ string C<\"\"> here. The default key is often written C<\"@\">, but inside hives that has no meaning and won't give you the default key."; + "value_key_len", (RSize, [AHive; AValue "val"]), + "return the length of a value's key", + "\ +Return the length of the key (name) of a (key, value) pair. The +length can legitimately be 0, so errno is the necesary mechanism +to check for errors. + +In the context of Windows Registries, a zero-...

...ot;, "\ This call can be used to set all the (key, value) pairs -stored in C<node>. Note that this library does not offer -a way to modify just a single key at a node. +stored in C<node>. + +C<node> is the node to modify."; + + "node_set_value", (RErr, [AHive; ANode "node"; ASetValue; AUnusedFlags]), + "set a single (key, value) pair at a given node", + "\ +This call can be used to set a single (key, value) pair +stored in C<node>. C<node> is the node to modify."; ] @@ -459,6 +467,7 @@ let name_of_argt...

--- generator/generator.ml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/generator/generator.ml b/generator/generator.ml index 31478cd..de911f1 100755 --- a/generator/generator.ml +++ b/generator/generator.ml @@ -1771,7 +1771,7 @@ static void raise_closed (const char *) Noreturn; pr " rv = copy_type_value (r, len, t);\n"; pr "

...gt;. +=item HIVEX_OPEN_UNSAFE + +Open the hive in unsafe mode that enables heuristics to handle corrupted hives. + +This may allow to read or write registry keys/values that appear intact in an +otherwise corrupted hive. Use at your own risk. + =back"; "close", (RErrDispose, [AHive]), diff --git a/lib/handle.c b/lib/handle.c index d33c1d0..a4982dd 100644 --- a/lib/handle.c +++ b/lib/handle.c @@ -83,6 +83,7 @@ hivex_open (const char *filename, int flags) DEBUG (2, "created handle %p", h); h->writable = !!(flags & HIVEX_OPEN_WRITE); + h->unsafe = !!...