search for: ntreg_nk_record

Displaying 19 results from an estimated 19 matches for "ntreg_nk_record".

2013 Nov 25
1
[PATCH 3/3, take 2] lib: Add support for creating nodes (keys) and values with UTF-16LE-encoded names
..._encode_string (name, &recoded_name_len, &use_utf16); + if (recoded_name == NULL) { + SET_ERRNO (EINVAL, "malformed name"); + return 0; + } + /* Create the new nk-record. */ static const char nk_id[2] = { 'n', 'k' }; - size_t seg_len = sizeof (struct ntreg_nk_record) + strlen (name); + size_t seg_len = sizeof (struct ntreg_nk_record) + recoded_name_len; hive_node_h nkoffset = allocate_block (h, seg_len, nk_id); if (nkoffset == 0) return 0; @@ -619,14 +627,18 @@ hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name) struct ntreg...
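Review bot: the unchanged early return after allocate_block (`if (nkoffset == 0) return 0;`) is now reached while recoded_name is live. If the encode call returns heap memory (its definition is not visible in this excerpt), that path leaks the buffer, so free recoded_name before returning 0 there and on any later error return in hivex_node_add_child. With seg_len now derived from recoded_name_len, the copy into the new record and its name_len field should use that same length rather than a second strlen (name).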
2013 Nov 22
4
[PATCH 1/3] Document ntreg_nk_record.flags
--- lib/hivex-internal.h | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/lib/hivex-internal.h b/lib/hivex-internal.h index f391b98..d7ce339 100644 --- a/lib/hivex-internal.h +++ b/lib/hivex-internal.h @@ -125,7 +125,19 @@ struct ntreg_hbin_block { struct ntreg_nk_record { int32_t seg_len; /* length (always -ve because used) */ char id[2]; /* "nk" */ - uint16_t flags; + uint16_t flags; /* bit 1: HiveExit + bit 2: HiveEntry == root key +...
2013 Nov 25
3
Re: [PATCH 3/3] lib: Add support for creating nodes (keys) and values with UTF-16LE-encoded names
...len, &use_utf16); > + if (recoded_name == NULL) { > + SET_ERRNO (EINVAL, "malformed name"); > + return 0; > + } > + > /* Create the new nk-record. */ > static const char nk_id[2] = { 'n', 'k' }; > - size_t seg_len = sizeof (struct ntreg_nk_record) + strlen (name); > + size_t seg_len = sizeof (struct ntreg_nk_record) + recoded_name_len; > hive_node_h nkoffset = allocate_block (h, seg_len, nk_id); > if (nkoffset == 0) > return 0; > @@ -619,14 +627,18 @@ hivex_node_add_child (hive_h *h, hive_node_h parent, const char...
2013 Nov 24
4
[PATCH 1/3] lib: Further generalize iconv wrapper function.
--- lib/hivex-internal.h | 8 +++++--- lib/utf16.c | 11 +++++++---- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/lib/hivex-internal.h b/lib/hivex-internal.h index 4135f58..64fd49a 100644 --- a/lib/hivex-internal.h +++ b/lib/hivex-internal.h @@ -268,11 +268,13 @@ extern size_t * _hivex_return_offset_list (offset_list *list); extern void _hivex_print_offset_list
2011 Sep 02
1
[PATCH 4/7] hivex: Add metadata length functions for nodes and values
...4 --- a/lib/hivex.c +++ b/lib/hivex.c @@ -585,6 +585,30 @@ hivex_root (hive_h *h) return ret; } +size_t +hivex_node_struct_length (hive_h *h, hive_node_h node) +{ + if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) { + errno = EINVAL; + return 0; + } + + struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node); + size_t name_len = le16toh (nk->name_len); + /* -1 to avoid double-counting the first name character */ + size_t ret = name_len + sizeof (struct ntreg_nk_record) - 1; + int used; + size_t seg_len = block_len (h, node, &used); + if...
2016 Feb 14
2
hivex lib: Add function hivex_node_num_children
...e has any children, you must find every child with hivex_node_children, which is a relatively expensive operation. So, I have created a function called hivex_node_num_children that isolates the first few lines of hivex_node_children to simply return the number of child nodes a node has by accessing ntreg_nk_record->nr_subkeys. I'm a bit of a newer developer, so I'm not incredibly familiar with the patching process through mailing lists, nor do I have any history with libguestfs. Please let me know if I am doing anything wrong or what can be improved. This is the git branch: https://github.com/ku...
2013 Nov 24
0
[PATCH 3/3] lib: Add support for creating nodes (keys) and values with UTF-16LE-encoded names
..._encode_string (name, &recoded_name_len, &use_utf16); + if (recoded_name == NULL) { + SET_ERRNO (EINVAL, "malformed name"); + return 0; + } + /* Create the new nk-record. */ static const char nk_id[2] = { 'n', 'k' }; - size_t seg_len = sizeof (struct ntreg_nk_record) + strlen (name); + size_t seg_len = sizeof (struct ntreg_nk_record) + recoded_name_len; hive_node_h nkoffset = allocate_block (h, seg_len, nk_id); if (nkoffset == 0) return 0; @@ -619,14 +627,18 @@ hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name) struct ntreg...
2013 Jul 25
19
[PATCH hivex 00/19] Fix read/write handling of li-records.
This is, hopefully, a full fix for handling of li-records. See: https://bugzilla.redhat.com/show_bug.cgi?id=717583 https://bugzilla.redhat.com/show_bug.cgi?id=987463 Rich.
2010 Jul 22
0
Fwd: [PATCH hivex] non-ASCII characters in node names
...e_t len); +static char *windows_latin1_to_utf8 (/* const */ char *input, size_t len); static size_t utf16_string_len_in_bytes (const char *str); static size_t utf16_string_len_in_bytes_max (const char *str, size_t len); @@ -177,7 +178,8 @@ block_len (hive_h *h, size_t blkoff, int *used) struct ntreg_nk_record { int32_t seg_len; /* length (always -ve because used) */ char id[2]; /* "nk" */ - uint16_t flags; + uint16_t flags; /* bit 5 set: latin1 + bit 5 clr: UTF-16 */ char timestamp[8]; uint32_t unknown...
2016 Feb 15
1
New API: node_nr_values
..._h *h, hive_node_h node, const char *key) } size_t +hivex_node_nr_values (hive_h *h, hive_node_h node) +{ + if (!IS_VALID_BLOCK (h, node) || !block_id_eq (h, node, "nk")) { + SET_ERRNO (EINVAL, "invalid block or not an 'nk' block"); + return 0; + } + + struct ntreg_nk_record *nk = + (struct ntreg_nk_record *) ((char *) h->addr + node); + + size_t nr_values = le32toh (nk->nr_values); + + return nr_values; +} + +size_t hivex_value_struct_length (hive_h *h, hive_value_h value) { size_t key_len; Regards, - Kevin Haroldsen (kupiakos)
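Review bot: hivex_node_nr_values returns 0 both on the invalid-block path and for a valid key that has no values, so a caller can only tell the two apart through errno. Document that in the API description (callers clear errno before the call and check it when 0 comes back), or report the error through a separate channel. As a minor point, the nr_values temporary can go: `return le32toh (nk->nr_values);` does the same thing.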
2014 Nov 11
4
[libhivex] Memory leak in hivex_node_delete_child?
[This email is either empty or too large to be displayed at this time]
2011 Aug 13
2
[Hivex] [PATCH v3] Report last-modified time of hive root and nodes
...har magic[4]; /* "regf" */ uint32_t sequence1; uint32_t sequence2; - char last_modified[8]; + int64_t last_modified; uint32_t major_ver; /* 1 */ uint32_t minor_ver; /* 3 */ uint32_t unknown5; /* 0 */ @@ -173,7 +174,7 @@ struct ntreg_nk_record { int32_t seg_len; /* length (always -ve because used) */ char id[2]; /* "nk" */ uint16_t flags; - char timestamp[8]; + int64_t timestamp; uint32_t unknown1; uint32_t parent; /* offset of owner/parent */ uint32_t nr_subkeys;...
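Review bot: the new `int64_t last_modified` and `int64_t timestamp` fields carry no comment, unlike their neighbours (`major_ver; /* 1 */`, `parent; /* offset of owner/parent */`). These are raw on-disk fields, so a comment giving the unit and byte order (Windows FILETIME, little-endian) would help, along with a reminder that readers convert with le64toh before use. The earlier revisions of this patch declared both fields as uint64_t, so the switch to a signed type deserves a sentence in the commit message.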
2011 Aug 10
1
[PATCH] Report last-modified time of hive root and nodes
...ar magic[4]; /* "regf" */ uint32_t sequence1; uint32_t sequence2; - char last_modified[8]; + uint64_t last_modified; uint32_t major_ver; /* 1 */ uint32_t minor_ver; /* 3 */ uint32_t unknown5; /* 0 */ @@ -173,7 +135,7 @@ struct ntreg_nk_record { int32_t seg_len; /* length (always -ve because used) */ char id[2]; /* "nk" */ uint16_t flags; - char timestamp[8]; + uint64_t timestamp; uint32_t unknown1; uint32_t parent; /* offset of owner/parent */ uint32_t nr_subkeys;...
2011 Apr 13
1
[PATCH hivex] maint: split long lines
...t; at 0x%zx," + " bad registry\n", filename, le32toh (block->seg_len), blkoff); errno = ENOTSUP; goto error; @@ -586,7 +588,8 @@ hivex_node_name (hive_h *h, hive_node_h node) size_t seg_len = block_len (h, node, NULL); if (sizeof (struct ntreg_nk_record) + len - 1 > seg_len) { if (h->msglvl >= 2) - fprintf (stderr, "hivex_node_name: returning EFAULT because node name is too long (%zu, %zu)\n", + fprintf (stderr, "hivex_node_name: returning EFAULT because node name" + " is too long (%zu, %zu)\...
2011 Aug 10
1
[Hivex][PATCH v2] Report last-modified time of hive root and nodes
...ar magic[4]; /* "regf" */ uint32_t sequence1; uint32_t sequence2; - char last_modified[8]; + uint64_t last_modified; uint32_t major_ver; /* 1 */ uint32_t minor_ver; /* 3 */ uint32_t unknown5; /* 0 */ @@ -173,7 +175,7 @@ struct ntreg_nk_record { int32_t seg_len; /* length (always -ve because used) */ char id[2]; /* "nk" */ uint16_t flags; - char timestamp[8]; + uint64_t timestamp; uint32_t unknown1; uint32_t parent; /* offset of owner/parent */ uint32_t nr_subkeys;...
2010 Feb 05
13
[PATCH 01/14] hivexsh: Document some peculiarities of the "cd" command.
--- hivex/hivexsh.pod | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) diff --git a/hivex/hivexsh.pod b/hivex/hivexsh.pod index 277e3ae..9336798 100644 --- a/hivex/hivexsh.pod +++ b/hivex/hivexsh.pod @@ -100,7 +100,14 @@ or even: Path elements (node names) are matched case insensitively, and characters like space, C<*>, and C<?> have I<no> special
2014 Jan 08
5
hivex: Make node names and value names with embedded null characters accessible
On Windows, there exist at least two APIs for dealing with the Registry: The Win32 API (RegCreateKeyA, RegCreateKeyW, etc.) works with null-terminated ASCII or UTF-16 strings. The native API (ZwCreateKey, etc.), on the other hand works with UTF-16 strings that are stored as buffers+length and may contain null characters. Malware authors have been relying on the Win32 API's inability to
2011 Aug 31
1
[PATCH] hivex: Add byte runs for nodes and values
...4 --- a/lib/hivex.c +++ b/lib/hivex.c @@ -585,6 +585,30 @@ hivex_root (hive_h *h) return ret; } +size_t +hivex_node_struct_length (hive_h *h, hive_node_h node) +{ + if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) { + errno = EINVAL; + return 0; + } + + struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node); + size_t name_len = le16toh (nk->name_len); + /* -1 to avoid double-counting the first name character */ + size_t ret = name_len + sizeof (struct ntreg_nk_record) - 1; + int used; + size_t seg_len = block_len (h, node, &used); + if...
2014 Aug 07
4
[PATCH 0/2] Fix errors found by Clang static analyzer
Hi, Here is one trivial initialization fix and another patch to convert a huge macro to an inline function. The result of the expansion would show up in an assertion which triggered a -Woverlength-strings warning. Peter Wu (2): Fix garbage return value on error Fix overly long assertion string lib/hivex-internal.h | 28 ++++++++++++++++------------ lib/node.c | 18