search for: hivex_open

Map the HIVEX_OPEN_UNSAFE flag into the libguestfs API and use it in various places. Rich.

On Tue, Feb 14, 2017 at 12:05:20PM -0500, Dawid Zamirski wrote: > * hivex_open: when looping over hbin sections (aka pages), handle a > case where following hbin section may not begin at exactly at the end > of previous one. If this happens, scan the page section until next > one is found and validate it by checking declared offset with actual > one - if t...

Hello, The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be

The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be looking at

On Wed, Feb 15, 2017 at 01:48:29PM -0500, Dawid Zamirski wrote: > On Wed, 2017-02-15 at 16:54 +0000, Richard W.M. Jones wrote: > > On Tue, Feb 14, 2017 at 12:05:20PM -0500, Dawid Zamirski wrote: > > > * hivex_open: when looping over hbin sections (aka pages), handle a > > >   case where following hbin section may not begin at exactly at the > > > end > > >   of previous one. If this happens, scan the page section until > > > next > > >   one is found and validate...

The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be looking at

.../* 1 */ - uint32_t minor_ver; /* 3 */ + uint32_t minor_ver; /* Seen as 3 in XP, 5 in Vista */ uint32_t unknown5; /* 0 */ uint32_t unknown6; /* 1 */ uint32_t offset; /* offset of root key record - 4KB */ @@ -303,7 +303,7 @@ hivex_open (const char *filename, int flags) } /* Check major version. */ - uint32_t major_ver = le32toh (h->hdr->major_ver); + int32_t major_ver = hivex_major_version (h); if (major_ver != 1) { fprintf (stderr, "hivex: %s: hive file major version %" PRIu32 &quo...

* hivex_open: when looping over hbin sections (aka pages), handle a case where following hbin section may not begin at exactly at the end of previous one. If this happens, scan the page section until next one is found and validate it by checking declared offset with actual one - if they match, all is go...

* hivex_open: when looping over hbin sections (aka pages), handle a case where following hbin section may not begin at exactly at the end of previous one. If this happens, scan the page section until next one is found and validate it by checking declared offset with actual one - if they match, all is go...

* hivex_open: when looping over hbin sections (aka pages), handle a case where following hbin section may not begin at exactly at the end of previous one. If this happens, scan the page section until next one is found and validate it by checking declared offset with actual one - if they match, all is go...

On Wed, 2017-02-15 at 16:54 +0000, Richard W.M. Jones wrote: > On Tue, Feb 14, 2017 at 12:05:20PM -0500, Dawid Zamirski wrote: > > * hivex_open: when looping over hbin sections (aka pages), handle a > >   case where following hbin section may not begin at exactly at the > > end > >   of previous one. If this happens, scan the page section until > > next > >   one is found and validate it by checking declared o...

...shortdesc = "upload base64-encoded data to file"; @@ -10708,7 +10708,7 @@ C<guestfs_xfs_growfs> calls." }; optional = Some "hivex"; tests = [ InitScratchFS, Always, TestRun ( - [["upload"; "$srcdir/../data/minimal"; "/hivex_open"]; + [["upload"; "$datadir/minimal"; "/hivex_open"]; ["hivex_open"; "/hivex_open"; ""; ""; "false"]; ["hivex_root"]; (* in this hive, it returns 0x1020 *) ["hivex...

On Wed, Feb 08, 2017 at 04:36:31PM -0500, Dawid Zamirski wrote: > There are some corrupted registry files that have invalid hbin cells > but are still readable. This patch makes the following changes: > > * hivex_open - do not abort with complete failure if we run across a > block with invalid size (unless it's the root block). Instead just > log the event, and move on. This will allow open hives that have > apparent invalid blocks but the ones of potential interest might be > perfectly a...

...Wed, 2017-02-15 at 18:52 +0000, Richard W.M. Jones wrote: > On Wed, Feb 15, 2017 at 01:48:29PM -0500, Dawid Zamirski wrote: > > On Wed, 2017-02-15 at 16:54 +0000, Richard W.M. Jones wrote: > > > On Tue, Feb 14, 2017 at 12:05:20PM -0500, Dawid Zamirski wrote: > > > > * hivex_open: when looping over hbin sections (aka pages), > > > > handle a > > > >   case where following hbin section may not begin at exactly at > > > > the > > > > end > > > >   of previous one. If this happens, scan the page section until > &gt...

...the caller might be looking at keys that are perfectly readable/writable (e.g. to identify Windows version from HKLM/Software/Microsoft/Windows NT/CurrentVersion) and other "corrupted" and irrelevant keys might prevent one from doing so. Changes in v4: * rebase on current master * add HIVEX_OPEN_UNSAFE flag to be used as a guard to enable changes made in these series. This is because heuristic approach is not guaranteed to be always accurate/safe nor is tolerating corrupted blocks when traversing nodes. It's better to have this behavior optional. * make the "hbin&quot...

Hi I'm just posting this here in case someone is interested in building hivex on Windows (mingw32). The attached patch allows building the lib but not the tools (hivexsh etc..) as there are some more problems to solve. In short terms, this patch replaces file i/o functions and mmap(), munmap() with their win32api pendants. cu -- Unix _IS_ user friendly - it's just selective about

...guestfs_gobject_headers= \ include/guestfs-gobject/optargs-disk_create.h \ include/guestfs-gobject/optargs-e2fsck.h \ include/guestfs-gobject/optargs-fstrim.h \ + include/guestfs-gobject/optargs-glob_expand.h \ include/guestfs-gobject/optargs-grep.h \ include/guestfs-gobject/optargs-hivex_open.h \ include/guestfs-gobject/optargs-inspect_get_icon.h \ @@ -154,6 +155,7 @@ guestfs_gobject_sources= \ src/optargs-disk_create.c \ src/optargs-e2fsck.c \ src/optargs-fstrim.c \ + src/optargs-glob_expand.c \ src/optargs-grep.c \ src/optargs-hivex_open.c \ src/optargs-inspect_g...

I have found a strange issue related to hivex/ntfs-3g. After opening a system hive on a volume mounted by ntfs-3g, any access to the Windows directory results device or resource busy error. The patch below fix it by closing the hive file handle in hivex_open() call in the writable path because the handle never been used after its content been read into memory. --- hivex-1.2.5.orig/lib/hivex.c 2011-04-13 06:04:49.000000000 -0700 +++ hivex-1.2.5/lib/hivex.c 2011-07-07 09:10:06.927429068 -0700 @@ -321,6 +321,8 @@ if (full_read (h->fd, h->...

...(&tt, &time_tm) == NULL) { + fprintf (stderr, "filetime_to_8601: Error running gmtime_r on timestamp (decimal hundreds of ns: %" PRIu64 ").\n", windows_ticks); + return -1; + } + strftime(buf, bufsize, "%FT%TZ", &time_tm); + return 0; +} + #define HIVEX_OPEN_MSGLVL_MASK (HIVEX_OPEN_VERBOSE|HIVEX_OPEN_DEBUG) +#define TIMESTAMP_BUF_LEN 32 hive_h * hivex_open (const char *filename, int flags) @@ -359,6 +348,15 @@ hivex_open (const char *filename, int flags) goto error; } + /* Last-modified time. */ + h->last_modified = (char *) calloc(1...

...at this in the morning. > > > > Thanks, > > > > Rich. > > Thanks, Rich. > As far as I can tell, the only sanity checks in the initial loading > of a registry hive are the magic bits (“regf”), major_ver = 1, and > the checksum match. > > When calling hivex_open with a file under 4 bytes, you run into the > out-of-bounds access when comparing against the magic bits; pass in > a file 4 bytes long with “regf” correctly set, you’ll get an > out-of-bounds access to major_ver; pass in a file truncated at 0x18 > (major_ver, set to 1), and you’ll get...