search for: hivex_open

Displaying 20 results from an estimated 80 matches for "hivex_open".

2017 Feb 17
4
[PATCH libguestfs 0/2] Use unsafe flag when reading (but NOT writing) hives.
Map the HIVEX_OPEN_UNSAFE flag into the libguestfs API and use it in various places. Rich.
2017 Feb 15
2
Re: [PATCH v2 1/2] lib: change how hbin sections are read.
On Tue, Feb 14, 2017 at 12:05:20PM -0500, Dawid Zamirski wrote: > * hivex_open: when looping over hbin sections (aka pages), handle a > case where following hbin section may not begin exactly at the end > of previous one. If this happens, scan the page section until next > one is found and validate it by checking declared offset with actual > one - if t...
2017 Feb 08
4
[PATCH 0/2] hivex: handle corrupted hives better
Hello, The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be
2017 Feb 14
4
[PATCH v2 0/2] hivex: handle corrupted hives better
The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be looking at
2017 Feb 15
2
Re: [PATCH v2 1/2] lib: change how hbin sections are read.
On Wed, Feb 15, 2017 at 01:48:29PM -0500, Dawid Zamirski wrote: > On Wed, 2017-02-15 at 16:54 +0000, Richard W.M. Jones wrote: > > On Tue, Feb 14, 2017 at 12:05:20PM -0500, Dawid Zamirski wrote: > > > * hivex_open: when looping over hbin sections (aka pages), handle a > > >   case where following hbin section may not begin at exactly at the > > > end > > >   of previous one. If this happens, scan the page section until > > > next > > >   one is found and validate...
2017 Feb 15
2
[PATCH v3 0/2] hivex: handle corrupted hives better
The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be looking at
2011 Dec 13
1
[hivex] [PATCH 1/2] hivex: Expose hive major and minor version
.../* 1 */ - uint32_t minor_ver; /* 3 */ + uint32_t minor_ver; /* Seen as 3 in XP, 5 in Vista */ uint32_t unknown5; /* 0 */ uint32_t unknown6; /* 1 */ uint32_t offset; /* offset of root key record - 4KB */ @@ -303,7 +303,7 @@ hivex_open (const char *filename, int flags) } /* Check major version. */ - uint32_t major_ver = le32toh (h->hdr->major_ver); + int32_t major_ver = hivex_major_version (h); if (major_ver != 1) { fprintf (stderr, "hivex: %s: hive file major version %" PRIu32 &quo...
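Review bot: in the hivex_open hunk, the local major_ver changes from uint32_t to int32_t, but the unchanged fprintf that follows still formats it with PRIu32, so the declared type and the conversion specifier no longer agree. Either keep the local as uint32_t or change the format macro to PRId32 so the two match.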
2017 Feb 08
0
[PATCH 1/2] lib: change how hbin sections are read.
* hivex_open: when looping over hbin sections (aka pages), handle a case where following hbin section may not begin exactly at the end of previous one. If this happens, scan the page section until next one is found and validate it by checking declared offset with actual one - if they match, all is go...
2017 Feb 14
0
[PATCH v2 1/2] lib: change how hbin sections are read.
* hivex_open: when looping over hbin sections (aka pages), handle a case where following hbin section may not begin exactly at the end of previous one. If this happens, scan the page section until next one is found and validate it by checking declared offset with actual one - if they match, all is go...
2017 Feb 15
0
[PATCH v3 1/2] lib: change how hbin sections are read.
* hivex_open: when looping over hbin sections (aka pages), handle a case where following hbin section may not begin exactly at the end of previous one. If this happens, scan the page section until next one is found and validate it by checking declared offset with actual one - if they match, all is go...
2017 Feb 15
0
Re: [PATCH v2 1/2] lib: change how hbin sections are read.
On Wed, 2017-02-15 at 16:54 +0000, Richard W.M. Jones wrote: > On Tue, Feb 14, 2017 at 12:05:20PM -0500, Dawid Zamirski wrote: > > * hivex_open: when looping over hbin sections (aka pages), handle a > >   case where following hbin section may not begin at exactly at the > > end > >   of previous one. If this happens, scan the page section until > > next > >   one is found and validate it by checking declared o...
2014 Oct 22
0
[PATCH] tests: c-api: add $datadir and $databuilddir
...shortdesc = "upload base64-encoded data to file"; @@ -10708,7 +10708,7 @@ C<guestfs_xfs_growfs> calls." }; optional = Some "hivex"; tests = [ InitScratchFS, Always, TestRun ( - [["upload"; "$srcdir/../data/minimal"; "/hivex_open"]; + [["upload"; "$datadir/minimal"; "/hivex_open"]; ["hivex_open"; "/hivex_open"; ""; ""; "false"]; ["hivex_root"]; (* in this hive, it returns 0x1020 *) ["hivex...
2017 Feb 14
2
Re: [PATCH 2/2] lib: allow to walk registry with corrupted blocks
On Wed, Feb 08, 2017 at 04:36:31PM -0500, Dawid Zamirski wrote: > There are some corrupted registry files that have invalid hbin cells > but are still readable. This patch makes the following changes: > > * hivex_open - do not abort with complete failure if we run across a > block with invalid size (unless it's the root block). Instead just > log the event, and move on. This will allow open hives that have > apparent invalid blocks but the ones of potential interest might be > perfectly a...
2017 Feb 15
0
Re: [PATCH v2 1/2] lib: change how hbin sections are read.
...Wed, 2017-02-15 at 18:52 +0000, Richard W.M. Jones wrote: > On Wed, Feb 15, 2017 at 01:48:29PM -0500, Dawid Zamirski wrote: > > On Wed, 2017-02-15 at 16:54 +0000, Richard W.M. Jones wrote: > > > On Tue, Feb 14, 2017 at 12:05:20PM -0500, Dawid Zamirski wrote: > > > > * hivex_open: when looping over hbin sections (aka pages), > > > > handle a > > > >   case where following hbin section may not begin at exactly at > > > > the > > > > end > > > >   of previous one. If this happens, scan the page section until > >...
2017 Feb 16
6
[PATCH v4 0/5] hivex: handle corrupted hives better.
...the caller might be looking at keys that are perfectly readable/writable (e.g. to identify Windows version from HKLM/Software/Microsoft/Windows NT/CurrentVersion) and other "corrupted" and irrelevant keys might prevent one from doing so. Changes in v4: * rebase on current master * add HIVEX_OPEN_UNSAFE flag to be used as a guard to enable changes made in this series. This is because heuristic approach is not guaranteed to be always accurate/safe nor is tolerating corrupted blocks when traversing nodes. It's better to have this behavior optional. * make the "hbin"...
2011 Sep 03
1
Patch to build hivex lib on Windows
Hi I'm just posting this here in case someone is interested in building hivex on Windows (mingw32). The attached patch allows building the lib but not the tools (hivexsh etc..) as there are some more problems to solve. In short terms, this patch replaces file i/o functions and mmap(), munmap() with their win32api pendants. cu -- Unix _IS_ user friendly - it's just selective about
2016 Feb 03
0
[PATCH 2/3] daemon: glob: add option for not returning dirs with trailing slash
...guestfs_gobject_headers= \ include/guestfs-gobject/optargs-disk_create.h \ include/guestfs-gobject/optargs-e2fsck.h \ include/guestfs-gobject/optargs-fstrim.h \ + include/guestfs-gobject/optargs-glob_expand.h \ include/guestfs-gobject/optargs-grep.h \ include/guestfs-gobject/optargs-hivex_open.h \ include/guestfs-gobject/optargs-inspect_get_icon.h \ @@ -154,6 +155,7 @@ guestfs_gobject_sources= \ src/optargs-disk_create.c \ src/optargs-e2fsck.c \ src/optargs-fstrim.c \ + src/optargs-glob_expand.c \ src/optargs-grep.c \ src/optargs-hivex_open.c \ src/optargs-inspect_g...
2011 Jul 07
2
hivex patch to solve device or resource busy error when access Windows directory while open system hive
I have found a strange issue related to hivex/ntfs-3g. After opening a system hive on a volume mounted by ntfs-3g, any access to the Windows directory results in a device or resource busy error. The patch below fixes it by closing the hive file handle in the hivex_open() call in the writable path, because the handle is never used after its content has been read into memory. --- hivex-1.2.5.orig/lib/hivex.c 2011-04-13 06:04:49.000000000 -0700 +++ hivex-1.2.5/lib/hivex.c 2011-07-07 09:10:06.927429068 -0700 @@ -321,6 +321,8 @@ if (full_read (h->fd, h->...
2011 Aug 10
1
[PATCH] Report last-modified time of hive root and nodes
...(&tt, &time_tm) == NULL) { + fprintf (stderr, "filetime_to_8601: Error running gmtime_r on timestamp (decimal hundreds of ns: %" PRIu64 ").\n", windows_ticks); + return -1; + } + strftime(buf, bufsize, "%FT%TZ", &time_tm); + return 0; +} + #define HIVEX_OPEN_MSGLVL_MASK (HIVEX_OPEN_VERBOSE|HIVEX_OPEN_DEBUG) +#define TIMESTAMP_BUF_LEN 32 hive_h * hivex_open (const char *filename, int flags) @@ -359,6 +348,15 @@ hivex_open (const char *filename, int flags) goto error; } + /* Last-modified time. */ + h->last_modified = (char *) calloc(1...
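Review bot: in filetime_to_8601, the result of strftime(buf, bufsize, "%FT%TZ", &time_tm) is discarded and the function then returns 0 unconditionally. strftime returns 0 when the formatted string does not fit in bufsize, and the buffer contents are then unspecified, so a caller passing a short buffer would get success with unusable output. Check for a zero return and return -1, as the gmtime_r failure path just above already does.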
2014 Oct 30
0
Re: [libhivex] Undefined behavior when accessing invalid (too small) registry hives
...at this in the morning. > > > > Thanks, > > > > Rich. > > Thanks, Rich. > As far as I can tell, the only sanity checks in the initial loading > of a registry hive are the magic bits (“regf”), major_ver = 1, and > the checksum match. > > When calling hivex_open with a file under 4 bytes, you run into the > out-of-bounds access when comparing against the magic bits; pass in > a file 4 bytes long with “regf” correctly set, you’ll get an > out-of-bounds access to major_ver; pass in a file truncated at 0x18 > (major_ver, set to 1), and you’ll get...