similar to: [Hivex] [PATCH] Correct 32-bit to 64-bit call

RLenValue is similar to RLenType, though with one less argument. This required adding additional conversion functions for several languages' bindings. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 78 insertions(+), 0 deletions(-) diff --git a/generator/generator.ml

Hi, When an integer argument is passed as value, node_set_value segfaults. Reproducer is at the end of this message The backtrace points at hivex-py.c, function get_value. While obj is non-NULL, `bytes = PyUnicode_AsUTF8String (obj);` returns NULL. Kind regards, Peter https://lekensteyn.nl #!/usr/bin/env python3 import hivex, sys h = hivex.Hivex(sys.argv[1]) print(h) val = {

Hi, This patch series is based on a prior patch[1], splitting off changes as requested and incorporating feedback from Richard Jones. It introduces type validation to avoid segmentation faults (instead, it reports an exception) and fixes handling of the bytes type in Python 3. Major changes since that series: - Drop newly introduced support for integer types for DWORD/QWORDS - Reject Unicode

RLenValue is similar to RLenType, though with one less argument. This required adding additional conversion functions for several languages' bindings. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 78 insertions(+), 0 deletions(-) diff --git a/generator/generator.ml

This patch adds byte run reporters for node and value metadata in the hivexml program. Each byte run represents the offset and length of a data structure within the hive, one per node, and one or two per value depending on the length of the value data. In order to add this metadata reporting, the following changes were put in place: * Split value_key function into value_key and value_key_len. *

Round 3 -- this time with working OCaml bindings. (I'm not on the list, please copy me on replies, thanks.) --- generator/generator.ml | 77 ++++++++++++++++++++++++++++++++++++++++- lib/hivex.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++ perl/t/201-setvalue.t | 54 ++++++++++++++++++++++++++++ 3 files changed, 219 insertions(+), 2 deletions(-) create mode 100644

The infrastructure for modified-time reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer). This patch adds the node_mtime function to the visitor API. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> ---

On Windows, there exist at least two APIs for dealing with the Registry: The Win32 API (RegCreateKeyA, RegCreateKeyW, etc.) works with null-terminated ASCII or UTF-16 strings. The native API (ZwCreateKey, etc.), on the other hand works with UTF-16 strings that are stored as buffers+length and may contain null characters. Malware authors have been relying on the Win32 API's inability to

Hi, I have been working on a Python application that uses hivex. Meanwhile I have encountered some Python bindings issues which could be fixed. The next issue I see now is about the value_value function. This is briefly documented as: "return data length, data type and data of a value". For Perl, Python and OCaml, this is not true. A tuple is returned for both without the length

I'm not entirely sure the generator/generator.ml changes are as correct as they could be. I'm not very familiar with Caml. The hivex_node_set_value call builds up a list of hive_set_values by walking the existing values at the node, adding or replacing the passed hive_set_value as necessary, then shoving the list at hivex_node_set_values. Not included: Perl or OCaml binding glue.

The major and minor version were being reported in a debug message. This patch adds the version information to the ABI and reports with hivexml. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 10 ++++++++++ lib/hivex.c | 32 +++++++++++++++++++++++++++----- xml/hivexml.c | 24 ++++++++++++++++++++++++ 3 files changed, 61

The infrastructure for modified-time reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer). Some of the code changes necessary include: * Exposing the hive_h structure in the hivex header file (via generator.ml) *

Added Perl binding glue and a simple test along the lines of present tests. (And again: I'm not on the list, please CC me on replies. Thanks!) --- generator/generator.ml | 62 +++++++++++++++++++++++++++++++-- lib/hivex.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++ perl/t/201-setvalue.t | 54 ++++++++++++++++++++++++++++ 3 files changed, 203 insertions(+), 3

This patch adds value_byte_runs and node_byte_runs. Each byte run represents the offset and length of a data structure within the hive, one per node, and one or two per value depending on the length of the value data. These byte run functions also add additional data sanity checks as a hive is being parsed, mainly checking that a node address actually points to a node, and similarly for values.

Before this patch, Python would segfault once you pass a non-string key or value to node_set_value. It was also not possible to set bytes on Python 3 as Unicode was assumed (Python 2 was not affected by this). This patch fixes recognition of bytes for Python 3, but in addition it recognizes ints (includes 'long' in Python 2) for DWORD (LE + BE) and QWORDs. For this purpose, a new field

Hi, While working on Debian packages of hivex 1.2.5, I came across a test failure for the Python bindings with Python 2.7 on the i386 architecture. (The tests ran fine on amd64.) ,---- | $ make -C python check | make[1]: Entering directory `/home/bengen/src/deb/hivex/hivex.git/python' | 010-import.py | 020-open.py | 021-close.py | 200-write.py | python: hivex-py.c:52: get_handle: Assertion

--- configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 6785037..203f34f 100644 --- a/configure.ac +++ b/configure.ac @@ -329,8 +329,8 @@ AS_IF([test "x$enable_python" != "xno"], AC_MSG_CHECKING([for Python extension suffix (PEP-3149)]) if test -z "$PYTHON_EXT_SUFFIX"; then

(renaming subject as I am partially getting off-topic) On Sunday 10 August 2014 16:26:07 Richard W.M. Jones wrote: > > The next issue I see now is about the value_value function. This is > > briefly documented as: "return data length, data type and data of a > > value". > > > > For Perl, Python and OCaml, this is not true. A tuple is returned > >

Hello all, I am in the process of adding a new return type for the hivex ABI, and I found what I think is an error. I'm not sure, because I don't understand the OCaml binding data structures. Can somebody inform me if the patch below actually corrects a problem? --Alex --- generator/generator.ml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git

This patch adds value_data_cell_offset to the hivex ABI, to report the hive space used for long (>4 bytes) value data. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 12 +++++++++ lib/hivex.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 0 deletions(-) diff --git a/generator/generator.ml