search for: seg_len

Hello Richard As discussed in the IRC channel, when merging a moderately large reg file (~35MB) to a hiv file (~118 MB); hivex generates a huge hiv file (~580 MB). These changes address that by creating a list of unallocated blocks and reassigning unused blocks. I used https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md as a reference for the

...ar* recoded_name = _hivex_encode_string (name, &recoded_name_len, &use_utf16); + if (recoded_name == NULL) { + SET_ERRNO (EINVAL, "malformed name"); + return 0; + } + /* Create the new nk-record. */ static const char nk_id[2] = { 'n', 'k' }; - size_t seg_len = sizeof (struct ntreg_nk_record) + strlen (name); + size_t seg_len = sizeof (struct ntreg_nk_record) + recoded_name_len; hive_node_h nkoffset = allocate_block (h, seg_len, nk_id); if (nkoffset == 0) return 0; @@ -619,14 +627,18 @@ hivex_node_add_child (hive_h *h, hive_node_h parent, co...

...fprintf (stderr, "hivex: %s: trailing garbage at end of file " + "(at 0x%zx, after %zu pages)\n", filename, off, pages); errno = ENOTSUP; goto error; @@ -453,7 +454,8 @@ hivex_open (const char *filename, int flags) int used; seg_len = block_len (h, blkoff, &used); if (seg_len <= 4 || (seg_len & 3) != 0) { - fprintf (stderr, "hivex: %s: block size %" PRIu32 " at 0x%zx, bad registry\n", + fprintf (stderr, "hivex: %s: block size %" PRIu32 " at 0x%zx," + &qu...

This is, hopefully, a full fix for handling of li-records. See: https://bugzilla.redhat.com/show_bug.cgi?id=717583 https://bugzilla.redhat.com/show_bug.cgi?id=987463 Rich.

...(name, &recoded_name_len, &use_utf16); > + if (recoded_name == NULL) { > + SET_ERRNO (EINVAL, "malformed name"); > + return 0; > + } > + > /* Create the new nk-record. */ > static const char nk_id[2] = { 'n', 'k' }; > - size_t seg_len = sizeof (struct ntreg_nk_record) + strlen (name); > + size_t seg_len = sizeof (struct ntreg_nk_record) + recoded_name_len; > hive_node_h nkoffset = allocate_block (h, seg_len, nk_id); > if (nkoffset == 0) > return 0; > @@ -619,14 +627,18 @@ hivex_node_add_child (hive_h *...

...15 deletions(-) diff --git a/lib/hivex.c b/lib/hivex.c index efc27f8..e3c1e05 100644 --- a/lib/hivex.c +++ b/lib/hivex.c @@ -208,6 +208,19 @@ struct ntreg_sk_record { char sec_desc[1]; /* security info follows */ } __attribute__((__packed__)); +struct ntreg_db_record { + int32_t seg_len; /* length (always -ve because used) */ + char id[2]; /* "db" */ + uint16_t nr_blocks; + uint32_t blocklist_offset; + uint32_t unknown1; +} __attribute__((__packed__)); + +struct ntreg_db_block { + int32_t seg_len; + char data[1]; +} __attribute__((__p...

...o UTF-8 is - * necessary. However we do need to nul-terminate the string. - */ - errno = 0; - size_t len = hivex_value_key_len (h, value); - if (len == 0 && errno != 0) - return NULL; size_t flags = le16toh (vk->flags); + size_t len = le16toh (vk->name_len); + + size_t seg_len = block_len (h, value, NULL); + if (sizeof (struct ntreg_vk_record) + len - 1 > seg_len) { + SET_ERRNO (EFAULT, "key length is too long (%zu, %zu)", len, seg_len); + return 0; + } if (flags & 0x01) { return _hivex_windows_latin1_to_utf8 (vk->name, len); } else...

...- > 2 files changed, 14 insertions(+), 10 deletions(-) > > diff --git a/lib/handle.c b/lib/handle.c > index 1e122ea..9be3b5f 100644 > --- a/lib/handle.c > +++ b/lib/handle.c > @@ -300,10 +300,15 @@ hivex_open (const char *filename, int flags) > int used; > seg_len = block_len (h, blkoff, &used); > if (seg_len <= 4 || (seg_len & 3) != 0) { > - SET_ERRNO (ENOTSUP, > - "%s: block size %" PRIi32 " at 0x%zx, bad registry", > - filename, le32toh (block->seg_len), blkoff...

--- lib/hivex-internal.h | 8 +++++--- lib/utf16.c | 11 +++++++---- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/lib/hivex-internal.h b/lib/hivex-internal.h index 4135f58..64fd49a 100644 --- a/lib/hivex-internal.h +++ b/lib/hivex-internal.h @@ -268,11 +268,13 @@ extern size_t * _hivex_return_offset_list (offset_list *list); extern void _hivex_print_offset_list

...ize_t len = hivex_value_key_len (h, value); > - if (len == 0 && errno != 0) > - return NULL; > size_t flags = le16toh (vk->flags); > + size_t len = le16toh (vk->name_len); I think this effectively removes a check. hivex_value_key_len contains this code: size_t seg_len = block_len (h, value, NULL); if (sizeof (struct ntreg_vk_record) + len - 1 > seg_len) { SET_ERRNO (EFAULT, "key length is too long (%zu, %zu)", len, seg_len); return 0; } but after this change, this would no longer be run, so it would be possible to overrun the registry,...

...ar* recoded_name = _hivex_encode_string (name, &recoded_name_len, &use_utf16); + if (recoded_name == NULL) { + SET_ERRNO (EINVAL, "malformed name"); + return 0; + } + /* Create the new nk-record. */ static const char nk_id[2] = { 'n', 'k' }; - size_t seg_len = sizeof (struct ntreg_nk_record) + strlen (name); + size_t seg_len = sizeof (struct ntreg_nk_record) + recoded_name_len; hive_node_h nkoffset = allocate_block (h, seg_len, nk_id); if (nkoffset == 0) return 0; @@ -619,14 +627,18 @@ hivex_node_add_child (hive_h *h, hive_node_h parent, co...

Hello, The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be

...ock is not " > "valid (db block 0x%zx, block list 0x%zx, data block 0x%zx)\ > - data_offset, blocklist_offset, subblock_offset); > + data_offset, blocklist_offset, (size_t) subblock_offset); > } > int32_t seg_len = block_len(h, subblock_offset, NULL); > struct ntreg_db_block *subblock = > > to make it compile without warnings. Yeah, so I'll just make subblock_offset a size_t, like all the other offset values. > With that addition, * ACK *. I'll post a slightly updated version,...

...3 +++++++++---- lib/node.c | 11 +++++------ 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/lib/handle.c b/lib/handle.c index 1e122ea..9be3b5f 100644 --- a/lib/handle.c +++ b/lib/handle.c @@ -300,10 +300,15 @@ hivex_open (const char *filename, int flags) int used; seg_len = block_len (h, blkoff, &used); if (seg_len <= 4 || (seg_len & 3) != 0) { - SET_ERRNO (ENOTSUP, - "%s: block size %" PRIi32 " at 0x%zx, bad registry", - filename, le32toh (block->seg_len), blkoff); - goto err...

...+ return 0; + } + + struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node); + size_t name_len = le16toh (nk->name_len); + /* -1 to avoid double-counting the first name character */ + size_t ret = name_len + sizeof (struct ntreg_nk_record) - 1; + int used; + size_t seg_len = block_len (h, node, &used); + if (ret > seg_len) { + if (h->msglvl >= 2) + fprintf (stderr, "hivex_node_struct_length: returning EFAULT because" + " node name is too long (%zu, %zu)\n", name_len, seg_len); + errno = EFAULT; + return 0;...

...we do need to nul-terminate the string. - */ - /* vk->name_len is unsigned, 16 bit, so this is safe ... However * we have to make sure the length doesn't exceed the block length. */ - size_t len = le16toh (vk->name_len); + size_t ret = le16toh (vk->name_len); size_t seg_len = block_len (h, value, NULL); - if (sizeof (struct ntreg_vk_record) + len - 1 > seg_len) { + if (sizeof (struct ntreg_vk_record) + ret - 1 > seg_len) { if (h->msglvl >= 2) - fprintf (stderr, "hivex_value_key: returning EFAULT" + fprintf (stderr, "hivex_va...

...ib/hivex.c > index efc27f8..e3c1e05 100644 > --- a/lib/hivex.c > +++ b/lib/hivex.c > @@ -208,6 +208,19 @@ struct ntreg_sk_record { > char sec_desc[1]; /* security info follows */ > } __attribute__((__packed__)); > > +struct ntreg_db_record { > + int32_t seg_len; /* length (always -ve because used) */ > + char id[2]; /* "db" */ > + uint16_t nr_blocks; > + uint32_t blocklist_offset; > + uint32_t unknown1; > +} __attribute__((__packed__)); > + > +struct ntreg_db_block { > + int32_t seg_len...

--- hivex/hivexsh.pod | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) diff --git a/hivex/hivexsh.pod b/hivex/hivexsh.pod index 277e3ae..9336798 100644 --- a/hivex/hivexsh.pod +++ b/hivex/hivexsh.pod @@ -100,7 +100,14 @@ or even: Path elements (node names) are matched case insensitively, and characters like space, C<*>, and C<?> have I<no> special

The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be looking at

On Windows, there exist at least two APIs for dealing with the Registry: The Win32 API (RegCreateKeyA, RegCreateKeyW, etc.) works with null-terminated ASCII or UTF-16 strings. The native API (ZwCreateKey, etc.), on the other hand works with UTF-16 strings that are stored as buffers+length and may contain null characters. Malware authors have been relying on the Win32 API's inability to