search for: ntreg_vk_record

--- lib/value.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/value.c b/lib/value.c index 65404d7..7b2e9d3 100644 --- a/lib/value.c +++ b/lib/value.c @@ -207,14 +207,14 @@ hivex_value_key (hive_h *h, hive_value_h value) struct ntreg_vk_record *vk = (struct ntreg_vk_record *) ((char *) h->addr + value); - /* AFAIK the key is always plain ASCII, so no conversion to UTF-8 is - * necessary. However we do need to nul-terminate the string. - */ - errno = 0; - size_t len = hivex_value_key_len (h, value); - if (len == 0 &...

...* -hivex_value_key (hive_h *h, hive_value_h value) +size_t +hivex_value_key_len (hive_h *h, hive_value_h value) { if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) { errno = EINVAL; @@ -1199,23 +1199,38 @@ hivex_value_key (hive_h *h, hive_value_h value) struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value); - /* AFAIK the key is always plain ASCII, so no conversion to UTF-8 is - * necessary. However we do need to nul-terminate the string. - */ - /* vk->name_len is unsigned, 16 bit, so this is safe ... However * we have to make s...

...lib/value.c | 8 +------- > 1 file changed, 1 insertion(+), 7 deletions(-) > > diff --git a/lib/value.c b/lib/value.c > index 65404d7..e700c84 100644 > --- a/lib/value.c > +++ b/lib/value.c > @@ -207,14 +207,8 @@ hivex_value_key (hive_h *h, hive_value_h value) > struct ntreg_vk_record *vk = > (struct ntreg_vk_record *) ((char *) h->addr + value); > > - /* AFAIK the key is always plain ASCII, so no conversion to UTF-8 is > - * necessary. However we do need to nul-terminate the string. > - */ > - errno = 0; > - size_t len = hivex_value_key_le...

...en); return nkoffset; } @@ -942,7 +954,12 @@ hivex_node_set_values (hive_h *h, hive_node_h node, for (i = 0; i < nr_values; ++i) { /* Allocate vk record to store this (key, value) pair. */ static const char vk_id[2] = { 'v', 'k' }; - seg_len = sizeof (struct ntreg_vk_record) + strlen (values[i].key); + size_t name_len = strlen (values[i].key); + size_t recoded_name_len; + int use_utf16; + char* recoded_name = _hivex_encode_string (values[i].key, &recoded_name_len, + &use_utf16); + seg_len = sizeof (s...

...; } > @@ -942,7 +954,12 @@ hivex_node_set_values (hive_h *h, hive_node_h node, > for (i = 0; i < nr_values; ++i) { > /* Allocate vk record to store this (key, value) pair. */ > static const char vk_id[2] = { 'v', 'k' }; > - seg_len = sizeof (struct ntreg_vk_record) + strlen (values[i].key); > + size_t name_len = strlen (values[i].key); > + size_t recoded_name_len; > + int use_utf16; > + char* recoded_name = _hivex_encode_string (values[i].key, &recoded_name_len, > + &use_utf16);...

--- lib/hivex-internal.h | 8 +++++--- lib/utf16.c | 11 +++++++---- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/lib/hivex-internal.h b/lib/hivex-internal.h index 4135f58..64fd49a 100644 --- a/lib/hivex-internal.h +++ b/lib/hivex-internal.h @@ -268,11 +268,13 @@ extern size_t * _hivex_return_offset_list (offset_list *list); extern void _hivex_print_offset_list

...en); return nkoffset; } @@ -942,7 +954,12 @@ hivex_node_set_values (hive_h *h, hive_node_h node, for (i = 0; i < nr_values; ++i) { /* Allocate vk record to store this (key, value) pair. */ static const char vk_id[2] = { 'v', 'k' }; - seg_len = sizeof (struct ntreg_vk_record) + strlen (values[i].key); + size_t name_len = strlen (values[i].key); + size_t recoded_name_len; + int use_utf16; + char* recoded_name = _hivex_encode_string (values[i].key, &recoded_name_len, + &use_utf16); + seg_len = sizeof (s...

...r * -hivex_value_key (hive_h *h, hive_value_h value) +size_t +hivex_value_struct_length (hive_h *h, hive_value_h value) { + size_t key_len = hivex_value_key_len (h, value); + if (errno) + return 0; + /* -1 to avoid double-counting the first name character */ + return key_len + sizeof (struct ntreg_vk_record) - 1; +} + +size_t +hivex_value_key_len (hive_h *h, hive_value_h value) { if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) { errno = EINVAL; @@ -1199,24 +1232,39 @@ hivex_value_key (hive_h *h, hive_value_h value) struct ntreg_vk_record *vk = (struct ntreg_vk_...

--- lib/value.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/lib/value.c b/lib/value.c index 65404d7..e700c84 100644 --- a/lib/value.c +++ b/lib/value.c @@ -207,14 +207,8 @@ hivex_value_key (hive_h *h, hive_value_h value) struct ntreg_vk_record *vk = (struct ntreg_vk_record *) ((char *) h->addr + value); - /* AFAIK the key is always plain ASCII, so no conversion to UTF-8 is - * necessary. However we do need to nul-terminate the string. - */ - errno = 0; - size_t len = hivex_value_key_len (h, value); - if (len == 0 &...

...et (hive_h *h, hive_value_h value, size_t *len) +{ + if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) { + errno = EINVAL; + return 0; + } + + if (h->msglvl >= 2) + fprintf (stderr, "hivex_value_data_cell_offset: value=0x%zx\n", value); + struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value); + + size_t data_len; + int is_inline; + + data_len = le32toh (vk->data_len); + is_inline = !!(data_len & 0x80000000); + data_len &= 0x7fffffff; + + if (h->msglvl >= 2) + fprintf (stderr, "hivex_value_data_cell_off...

...et (hive_h *h, hive_value_h value, size_t *len) +{ + if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) { + errno = EINVAL; + return 0; + } + + if (h->msglvl >= 2) + fprintf (stderr, "hivex_value_data_cell_offset: value=0x%zx\n", value); + struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value); + + size_t data_len; + int is_inline; + + data_len = le32toh (vk->data_len); + is_inline = !!(data_len & 0x80000000); + data_len &= 0x7fffffff; + + if (h->msglvl >= 2) + fprintf (stderr, "hivex_value_data_cell_off...

...ive_h *h, hive_value_h value, hive_type *t, size_t *len) return 0; } +hive_value_h +hivex_value_data_cell_offset (hive_h *h, hive_value_h value, size_t *len) +{ + if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) { + errno = EINVAL; + return 0; + } + + struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value); + + size_t data_len; + int is_inline; + + data_len = le32toh (vk->data_len); + is_inline = !!(data_len & 0x80000000); + data_len &= 0x7fffffff; + + if (is_inline && data_len > 4) { + errno = ENOTSUP; + return 0...

...(hive_h *h, hive_node_h node, const char *key) } size_t +hivex_value_struct_length (hive_h *h, hive_value_h value) { + size_t key_len = hivex_value_key_len (h, value); + if (errno) + return 0; + /* -1 to avoid double-counting the first name character */ + return key_len + sizeof (struct ntreg_vk_record) - 1; +} + +size_t hivex_value_key_len (hive_h *h, hive_value_h value) { if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) { -- 1.7.6

This is, hopefully, a full fix for handling of li-records. See: https://bugzilla.redhat.com/show_bug.cgi?id=717583 https://bugzilla.redhat.com/show_bug.cgi?id=987463 Rich.

..._h node, const char *key) char * hivex_value_key (hive_h *h, hive_value_h value) { + iconv_t ic; if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) { errno = EINVAL; return 0; @@ -1120,10 +1119,6 @@ hivex_value_key (hive_h *h, hive_value_h value) struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value); - /* AFAIK the key is always plain ASCII, so no conversion to UTF-8 is - * necessary. However we do need to nul-terminate the string. - */ - /* vk->name_len is unsigned, 16 bit, so this is safe ... However * we have to make s...

--- images/README | 14 ++++++++++++ images/mkzero/Makefile | 9 ++++++++ images/mkzero/mkzero.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++ images/special | Bin 0 -> 8192 bytes 4 files changed, 82 insertions(+) create mode 100644 images/mkzero/Makefile create mode 100644 images/mkzero/mkzero.c create mode 100644 images/special diff --git a/images/README

On Windows, there exist at least two APIs for dealing with the Registry: The Win32 API (RegCreateKeyA, RegCreateKeyW, etc.) works with null-terminated ASCII or UTF-16 strings. The native API (ZwCreateKey, etc.), on the other hand works with UTF-16 strings that are stored as buffers+length and may contain null characters. Malware authors have been relying on the Win32 API's inability to

...name_len; int use_utf16; - char* recoded_name = _hivex_encode_string (values[i].key, &recoded_name_len, + char* recoded_name = _hivex_encode_string (h, values[i].key, &recoded_name_len, &use_utf16); seg_len = sizeof (struct ntreg_vk_record) + recoded_name_len; size_t vk_offs = allocate_block (h, seg_len, vk_id); -- 2.11.0

...se_utf16; > - char* recoded_name = _hivex_encode_string (values[i].key, &recoded_name_len, > + char* recoded_name = _hivex_encode_string (h, values[i].key, &recoded_name_len, > &use_utf16); > seg_len = sizeof (struct ntreg_vk_record) + recoded_name_len; > size_t vk_offs = allocate_block (h, seg_len, vk_id); The rest looks OK. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-p2v converts physical machine...

...name_len; int use_utf16; - char* recoded_name = _hivex_encode_string (values[i].key, &recoded_name_len, + char* recoded_name = _hivex_encode_string (h, values[i].key, &recoded_name_len, &use_utf16); seg_len = sizeof (struct ntreg_vk_record) + recoded_name_len; size_t vk_offs = allocate_block (h, seg_len, vk_id); diff --git a/m4/.gitignore b/m4/.gitignore index 05ca27c..a19035c 100644 --- a/m4/.gitignore +++ b/m4/.gitignore @@ -138,3 +138,5 @@ /xalloc.m4 /xsize.m4 /xstrtol.m4 +/thread.m4 +/yield.m4 -- 2.11.0