search for: hivex_value_qword

I recenetly came across a Windows XP image, where one REG_QWORD value (HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0\0\ExecTime) would be displayed by hivexsh but hivex_value_qword() would return -1. It turned out that the data length of this value was 16 bytes instead of 8. There is no problem in simply interpreting the first 4 (DWORD) or 8 (QWORD) bytes -- if there are enough bytes to be interpreted. --- lib/hivex.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(...

On Wed, Jun 19, 2013 at 06:57:33PM +0200, Hilko Bengen wrote: > I recenetly came across a Windows XP image, where one REG_QWORD value > (HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0\0\ExecTime) > would be displayed by hivexsh but hivex_value_qword() would return -1. > > It turned out that the data length of this value was 16 bytes instead > of 8. > > There is no problem in simply interpreting the first 4 (DWORD) or > 8 (QWORD) bytes -- if there are enough bytes to be interpreted. Yeah .. turns out that the type field in...

* Richard W.M. Jones: > ACK to this patch as it only affects the deprecated hivex_value_dword > and hivex_value_qword functions, making them a little bit more useful. I didn't see anything about those functions being "deprecated". What did I miss? Cheers, -Hilko

...http://libguestfs.org/download/hivex/ Git repo: http://git.annexia.org/?p=hivex.git;a=summary Fedora pkg: http://koji.fedoraproject.org/koji/taskinfo?taskID=3267857 This release mainly contains bug fixes. - Allow building in a separate subdirectory (Hilko Bengen). - Fix OCaml bindings for hivex_value_qword (Alex Nelson). - Don't hold the file descriptor open when hive is opened for writing (Michael Huang). - Various code cleanups (Jim Meyering). - Fix build on Perl 5.14. - Fix installation of the OCaml bindings. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.r...

--- generator/generator.ml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/generator/generator.ml b/generator/generator.ml index 31478cd..de911f1 100755 --- a/generator/generator.ml +++ b/generator/generator.ml @@ -1771,7 +1771,7 @@ static void raise_closed (const char *) Noreturn; pr " rv = copy_type_value (r, len, t);\n"; pr "

...es[i], t, len, key, i32) == -1) + vtor->value_dword (h, opaque, node, values[i], + t, len, key, i32) == -1) goto error; break; } @@ -1647,7 +1678,8 @@ hivex__visit_node (hive_h *h, hive_node_h node, case hive_t_qword: { int64_t i64 = hivex_value_qword (h, values[i]); if (vtor->value_qword && - vtor->value_qword (h, opaque, node, values[i], t, len, key, i64) == -1) + vtor->value_qword (h, opaque, node, values[i], + t, len, key, i64) == -1) goto error; break; } @@...

This is, hopefully, a full fix for handling of li-records. See: https://bugzilla.redhat.com/show_bug.cgi?id=717583 https://bugzilla.redhat.com/show_bug.cgi?id=987463 Rich.