Displaying 20 results from an estimated 37 matches for "seg_len".
Did you mean:
cseg_len
2018 Jul 23
3
[hivex PATCH] Re-allocating unused blocks before assigning new blocks
Hello Richard
As discussed in the IRC channel, when merging a moderately large reg
file (~35MB) to a hiv file (~118 MB); hivex generates a huge hiv file
(~580 MB). These changes address that by creating a list of unallocated
blocks and reassigning unused blocks. I used
https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md
as a reference for the
2013 Nov 25
1
[PATCH 3/3, take 2] lib: Add support for creating nodes (keys) and values with UTF-16LE-encoded names
...ar* recoded_name = _hivex_encode_string (name, &recoded_name_len, &use_utf16);
+ if (recoded_name == NULL) {
+ SET_ERRNO (EINVAL, "malformed name");
+ return 0;
+ }
+
/* Create the new nk-record. */
static const char nk_id[2] = { 'n', 'k' };
- size_t seg_len = sizeof (struct ntreg_nk_record) + strlen (name);
+ size_t seg_len = sizeof (struct ntreg_nk_record) + recoded_name_len;
hive_node_h nkoffset = allocate_block (h, seg_len, nk_id);
if (nkoffset == 0)
return 0;
@@ -619,14 +627,18 @@ hivex_node_add_child (hive_h *h, hive_node_h parent, co...
2011 Apr 13
1
[PATCH hivex] maint: split long lines
...fprintf (stderr, "hivex: %s: trailing garbage at end of file "
+ "(at 0x%zx, after %zu pages)\n",
filename, off, pages);
errno = ENOTSUP;
goto error;
@@ -453,7 +454,8 @@ hivex_open (const char *filename, int flags)
int used;
seg_len = block_len (h, blkoff, &used);
if (seg_len <= 4 || (seg_len & 3) != 0) {
- fprintf (stderr, "hivex: %s: block size %" PRIu32 " at 0x%zx, bad registry\n",
+ fprintf (stderr, "hivex: %s: block size %" PRIu32 " at 0x%zx,"
+ &qu...
2013 Jul 25
19
[PATCH hivex 00/19] Fix read/write handling of li-records.
This is, hopefully, a full fix for handling of li-records.
See:
https://bugzilla.redhat.com/show_bug.cgi?id=717583
https://bugzilla.redhat.com/show_bug.cgi?id=987463
Rich.
2013 Nov 25
3
Re: [PATCH 3/3] lib: Add support for creating nodes (keys) and values with UTF-16LE-encoded names
...(name, &recoded_name_len, &use_utf16);
> + if (recoded_name == NULL) {
> + SET_ERRNO (EINVAL, "malformed name");
> + return 0;
> + }
> +
> /* Create the new nk-record. */
> static const char nk_id[2] = { 'n', 'k' };
> - size_t seg_len = sizeof (struct ntreg_nk_record) + strlen (name);
> + size_t seg_len = sizeof (struct ntreg_nk_record) + recoded_name_len;
> hive_node_h nkoffset = allocate_block (h, seg_len, nk_id);
> if (nkoffset == 0)
> return 0;
> @@ -619,14 +627,18 @@ hivex_node_add_child (hive_h *...
2013 Jun 23
3
[PATCH] Add read support for "big data" blocks to hivex
...15 deletions(-)
diff --git a/lib/hivex.c b/lib/hivex.c
index efc27f8..e3c1e05 100644
--- a/lib/hivex.c
+++ b/lib/hivex.c
@@ -208,6 +208,19 @@ struct ntreg_sk_record {
char sec_desc[1]; /* security info follows */
} __attribute__((__packed__));
+struct ntreg_db_record {
+ int32_t seg_len; /* length (always -ve because used) */
+ char id[2]; /* "db" */
+ uint16_t nr_blocks;
+ uint32_t blocklist_offset;
+ uint32_t unknown1;
+} __attribute__((__packed__));
+
+struct ntreg_db_block {
+ int32_t seg_len;
+ char data[1];
+} __attribute__((__p...
2014 Jan 13
1
[PATCH 2/7 take 2] lib: Use vk->len for string conversion
...o UTF-8 is
- * necessary. However we do need to nul-terminate the string.
- */
- errno = 0;
- size_t len = hivex_value_key_len (h, value);
- if (len == 0 && errno != 0)
- return NULL;
size_t flags = le16toh (vk->flags);
+ size_t len = le16toh (vk->name_len);
+
+ size_t seg_len = block_len (h, value, NULL);
+ if (sizeof (struct ntreg_vk_record) + len - 1 > seg_len) {
+ SET_ERRNO (EFAULT, "key length is too long (%zu, %zu)", len, seg_len);
+ return 0;
+ }
if (flags & 0x01) {
return _hivex_windows_latin1_to_utf8 (vk->name, len);
} else...
2017 Feb 14
2
Re: [PATCH 2/2] lib: allow to walk registry with corrupted blocks
...-
> 2 files changed, 14 insertions(+), 10 deletions(-)
>
> diff --git a/lib/handle.c b/lib/handle.c
> index 1e122ea..9be3b5f 100644
> --- a/lib/handle.c
> +++ b/lib/handle.c
> @@ -300,10 +300,15 @@ hivex_open (const char *filename, int flags)
> int used;
> seg_len = block_len (h, blkoff, &used);
> if (seg_len <= 4 || (seg_len & 3) != 0) {
> - SET_ERRNO (ENOTSUP,
> - "%s: block size %" PRIi32 " at 0x%zx, bad registry",
> - filename, le32toh (block->seg_len), blkoff...
2013 Nov 24
4
[PATCH 1/3] lib: Further generalize iconv wrapper function.
---
lib/hivex-internal.h | 8 +++++---
lib/utf16.c | 11 +++++++----
2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/lib/hivex-internal.h b/lib/hivex-internal.h
index 4135f58..64fd49a 100644
--- a/lib/hivex-internal.h
+++ b/lib/hivex-internal.h
@@ -268,11 +268,13 @@ extern size_t * _hivex_return_offset_list (offset_list *list);
extern void _hivex_print_offset_list
2014 Jan 13
3
Re: [PATCH 2/7] lib: Use vk->len for string conversion
...ize_t len = hivex_value_key_len (h, value);
> - if (len == 0 && errno != 0)
> - return NULL;
> size_t flags = le16toh (vk->flags);
> + size_t len = le16toh (vk->name_len);
I think this effectively removes a check. hivex_value_key_len
contains this code:
size_t seg_len = block_len (h, value, NULL);
if (sizeof (struct ntreg_vk_record) + len - 1 > seg_len) {
SET_ERRNO (EFAULT, "key length is too long (%zu, %zu)", len, seg_len);
return 0;
}
but after this change, this would no longer be run, so it would be
possible to overrun the registry,...
2013 Nov 24
0
[PATCH 3/3] lib: Add support for creating nodes (keys) and values with UTF-16LE-encoded names
...ar* recoded_name = _hivex_encode_string (name, &recoded_name_len, &use_utf16);
+ if (recoded_name == NULL) {
+ SET_ERRNO (EINVAL, "malformed name");
+ return 0;
+ }
+
/* Create the new nk-record. */
static const char nk_id[2] = { 'n', 'k' };
- size_t seg_len = sizeof (struct ntreg_nk_record) + strlen (name);
+ size_t seg_len = sizeof (struct ntreg_nk_record) + recoded_name_len;
hive_node_h nkoffset = allocate_block (h, seg_len, nk_id);
if (nkoffset == 0)
return 0;
@@ -619,14 +627,18 @@ hivex_node_add_child (hive_h *h, hive_node_h parent, co...
2017 Feb 08
4
[PATCH 0/2] hivex: handle corrupted hives better
Hello,
The following patches address issues when dealing with hives that have
corrupted data in them but are otherwise readable/writable. Those were
found on some rather rare Windows installations that seem to work fine
but current hivex fails to even open.
Those patches change hivex to simply log and ignore such "corrupted"
regions instead of aborting because the caller might be
2013 Jun 25
2
Re: [PATCH] Add read support for "big data" blocks to hivex
...ock is not "
> "valid (db block 0x%zx, block list 0x%zx, data block 0x%zx)\
> - data_offset, blocklist_offset, subblock_offset);
> + data_offset, blocklist_offset, (size_t) subblock_offset);
> }
> int32_t seg_len = block_len(h, subblock_offset, NULL);
> struct ntreg_db_block *subblock =
>
> to make it compile without warnings.
Yeah, so I'll just make subblock_offset a size_t, like all the other
offset values.
> With that addition, * ACK *.
I'll post a slightly updated version,...
2017 Feb 08
0
[PATCH 2/2] lib: allow to walk registry with corrupted blocks
...3 +++++++++----
lib/node.c | 11 +++++------
2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/lib/handle.c b/lib/handle.c
index 1e122ea..9be3b5f 100644
--- a/lib/handle.c
+++ b/lib/handle.c
@@ -300,10 +300,15 @@ hivex_open (const char *filename, int flags)
int used;
seg_len = block_len (h, blkoff, &used);
if (seg_len <= 4 || (seg_len & 3) != 0) {
- SET_ERRNO (ENOTSUP,
- "%s: block size %" PRIi32 " at 0x%zx, bad registry",
- filename, le32toh (block->seg_len), blkoff);
- goto err...
2011 Sep 02
1
[PATCH 4/7] hivex: Add metadata length functions for nodes and values
...+ return 0;
+ }
+
+ struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
+ size_t name_len = le16toh (nk->name_len);
+ /* -1 to avoid double-counting the first name character */
+ size_t ret = name_len + sizeof (struct ntreg_nk_record) - 1;
+ int used;
+ size_t seg_len = block_len (h, node, &used);
+ if (ret > seg_len) {
+ if (h->msglvl >= 2)
+ fprintf (stderr, "hivex_node_struct_length: returning EFAULT because"
+ " node name is too long (%zu, %zu)\n", name_len, seg_len);
+ errno = EFAULT;
+ return 0;...
2011 Sep 02
1
[PATCH 2/7] hivex: Split value_key function into value_key and value_key_len
...we do need to nul-terminate the string.
- */
-
/* vk->name_len is unsigned, 16 bit, so this is safe ... However
* we have to make sure the length doesn't exceed the block length.
*/
- size_t len = le16toh (vk->name_len);
+ size_t ret = le16toh (vk->name_len);
size_t seg_len = block_len (h, value, NULL);
- if (sizeof (struct ntreg_vk_record) + len - 1 > seg_len) {
+ if (sizeof (struct ntreg_vk_record) + ret - 1 > seg_len) {
if (h->msglvl >= 2)
- fprintf (stderr, "hivex_value_key: returning EFAULT"
+ fprintf (stderr, "hivex_va...
2013 Jun 25
0
Re: [PATCH] Add read support for "big data" blocks to hivex
...ib/hivex.c
> index efc27f8..e3c1e05 100644
> --- a/lib/hivex.c
> +++ b/lib/hivex.c
> @@ -208,6 +208,19 @@ struct ntreg_sk_record {
> char sec_desc[1]; /* security info follows */
> } __attribute__((__packed__));
>
> +struct ntreg_db_record {
> + int32_t seg_len; /* length (always -ve because used) */
> + char id[2]; /* "db" */
> + uint16_t nr_blocks;
> + uint32_t blocklist_offset;
> + uint32_t unknown1;
> +} __attribute__((__packed__));
> +
> +struct ntreg_db_block {
> + int32_t seg_len...
2010 Feb 05
13
[PATCH 01/14] hivexsh: Document some peculiarities of the "cd" command.
---
hivex/hivexsh.pod | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/hivex/hivexsh.pod b/hivex/hivexsh.pod
index 277e3ae..9336798 100644
--- a/hivex/hivexsh.pod
+++ b/hivex/hivexsh.pod
@@ -100,7 +100,14 @@ or even:
Path elements (node names) are matched case insensitively, and
characters like space, C<*>, and C<?> have I<no> special
2017 Feb 15
2
[PATCH v3 0/2] hivex: handle corrupted hives better
The following patches address issues when dealing with hives that have
corrupted data in them but are otherwise readable/writable. Those were
found on some rather rare Windows installations that seem to work fine
but current hivex fails to even open.
Those patches change hivex to simply log and ignore such "corrupted"
regions instead of aborting because the caller might be looking at
2014 Jan 08
5
hivex: Make node names and value names with embedded null characters accessible
On Windows, there exist at least two APIs for dealing with the
Registry: The Win32 API (RegCreateKeyA, RegCreateKeyW, etc.) works
with null-terminated ASCII or UTF-16 strings. The native API
(ZwCreateKey, etc.), on the other hand works with UTF-16 strings that
are stored as buffers+length and may contain null characters. Malware
authors have been relying on the Win32 API's inability to