similar to: [PATCH] hivexml: Add root attribute to the root node

The infrastructure for modified-time reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer). This patch adds to the hivex ABI: * int64_t hivex_last_modified (hive_h *) * int64_t hivex_node_timestamp (hive_h *,

Reporting value data in attributes has two advantages: * The output of hivexml breaks Python expat processing if binary data makes it out. This was observed in Software hives. * Not having child text makes room for child elements. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- xml/hivexml.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) diff

This patch adds value_byte_runs and node_byte_runs. Each byte run represents the offset and length of a data structure within the hive, one per node, and one or two per value depending on the length of the value data. These byte run functions also add additional data sanity checks as a hive is being parsed, mainly checking that a node address actually points to a node, and similarly for values.

On Tue, Jan 31, 2012 at 12:21:44PM -0500, Todd Mummert wrote: > I've made some changes to hivexml.c, that I think addresses the > invalid XML that is being generated (as of version 1.3.3). I'm only > addressing invalid XML characters in string values and string-lists. > As I saw mentioned in earlier forum messages >

The infrastructure for modified-time reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer). Some of the code changes necessary include: * Exposing the hive_h structure in the hivex header file (via generator.ml) *

This patch adds value_byte_runs and node_byte_runs. Each byte run represents the offset and length of a data structure within the hive, one per node, and one or two per value depending on the length of the value data. These byte run functions also add additional data sanity checks as a hive is being parsed, mainly checking that a node address actually points to a node, and similarly for values.

This patch adds byte run reporters for node and value metadata in the hivexml program. Each byte run represents the offset and length of a data structure within the hive, one per node, and one or two per value depending on the length of the value data. In order to add this metadata reporting, the following changes were put in place: * Split value_key function into value_key and value_key_len. *

Some of the data in names and string values were being unsafely printed, causing some types of XML processors to fail (e.g. Python's Expat). This patch checks for printability of each character and outputs base64 with an encoding attribute for unsafe data. --- xml/hivexml.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 64 insertions(+), 11 deletions(-)

The major and minor version were being reported in a debug message. This patch adds the version information to the ABI and reports with hivexml. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 10 ++++++++++ lib/hivex.c | 32 +++++++++++++++++++++++++++----- xml/hivexml.c | 24 ++++++++++++++++++++++++ 3 files changed, 61

The infrastructure for modified-time reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer). This patch adds the node_mtime function to the visitor API. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> ---

Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 6 ++++++ lib/hivex.c | 6 ++++++ xml/hivexml.c | 9 +++++++++ 3 files changed, 21 insertions(+), 0 deletions(-) diff --git a/generator/generator.ml b/generator/generator.ml index fc7b483..9e53f4e 100755 --- a/generator/generator.ml +++ b/generator/generator.ml @@ -159,6 +159,12

Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- xml/hivexml.c | 42 ++++++++++++++++++++++++++++++++++-------- 1 files changed, 34 insertions(+), 8 deletions(-) diff --git a/xml/hivexml.c b/xml/hivexml.c index d38e9d4..1a75593 100644 --- a/xml/hivexml.c +++ b/xml/hivexml.c @@ -247,6 +247,32 @@ node_end (hive_h *h, void *writer_v, hive_node_h node, const char *name) return 0;

This commit implements some hairy C macros to simplify XML generation. Given the target XML: <cpu mode="host-passthrough"> <model fallback="allow"/> </cpu> The old code would have looked like this: XMLERROR (-1, xmlTextWriterStartElement (xo, BAD_CAST "cpu")); XMLERROR (-1, xmlTextWriterWriteAttribute (xo, BAD_CAST

In some places when generating XML output in C code we use some clever macros: start_element ("memory") { attribute ("unit", "MiB"); string_format ("%d", g->memsize); } end_element (); This commit which is mostly refactoring moves the repeated definitions of these macros into a common header file. I also took this opportunity to change /

Since some modules (`getopt', for example) may copy files into the build directory, `top_builddir/lib' is needed as well as `top_srcdir/lib'. -- GNU Gnulib manual, section 2.2 Initial import This fixes an in-tree build failure on a Debian/sid system (see below). hivexml could be built out-of-tree, but it turned out that due to a missing include path, in this case the

--- xml/hivexml.c | 5 ++++- xml/hivexml.pod | 7 +++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/xml/hivexml.c b/xml/hivexml.c index b496bb6..8ba6594 100644 --- a/xml/hivexml.c +++ b/xml/hivexml.c @@ -95,7 +95,7 @@ main (int argc, char *argv[]) int open_flags = 0; int visit_flags = 0; - while ((c = getopt (argc, argv, "dk")) != EOF) { + while ((c =

From: "Richard W.M. Jones" <rjones at redhat.com> You can now add remote NBD drives using: ><fs> add-drive "" format:raw protocol:nbd server:localhost (Note that you also need to add port:NNNN if the server is running on a non-standard port). The corresponding qemu-nbd service can be started by doing: qemu-nbd disk.img -t This commit also adds a test. ---

Dealing with "1601-01-01T00:00:00Z" is unnecessarily awkward, especially since the value only represents a 0 found in the data. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- xml/hivexml.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/xml/hivexml.c b/xml/hivexml.c index cf11676..5030c24 100644 --- a/xml/hivexml.c +++ b/xml/hivexml.c @@

Greetings. I am new to this list. I am writing to you about hivexml. Richard Jones told me that he was considering abandoning this program. Instead, I am willing to take over maintenance of it. I am involved in computer forensics. I are in the midst of developing an XML standard to describe the Windows Registry. There are several programs that export the windows registry at XML. I have

This changeset adds byte run reporters for node and value metadata in the hivexml program. This location reporting required several new ABI functions, which required new ABI return types. One benefit to the byte run functions is additional sanity checks, which have revealed new data or parsing errors when run on M57 patents images. An example error: Image: Charlie, 2009-12-11, available at