similar to: [PATCH 5/7] hivex: Add offset-&-length function for long value data

This patch adds value_data_cell_offset to the hivex ABI, to report the hive space used for long (>4 bytes) value data. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 12 +++++++++ lib/hivex.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 0 deletions(-) diff --git a/generator/generator.ml

This patch adds value_data_cell_offset to the hivex ABI, to report the hive space used for long (>4 bytes) value data. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 12 +++++++++ lib/hivex.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 0 deletions(-) diff --git a/generator/generator.ml

This patch adds byte run reporters for node and value metadata in the hivexml program. Each byte run represents the offset and length of a data structure within the hive, one per node, and one or two per value depending on the length of the value data. In order to add this metadata reporting, the following changes were put in place: * Split value_key function into value_key and value_key_len. *

This patch adds hivex_node_struct_length and hivex_value_struct_length to the hivex ABI, to report the amount of hive space used for each stored structure. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 12 ++++++++++++ lib/hivex.c | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 0 deletions(-) diff --git

This function breaks the value name calculation out so the name does not need to be fetched and immediately thrown away when one only needs the name. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 11 +++++++++++ lib/hivex.c | 37 ++++++++++++++++++++++++++----------- 2 files changed, 37 insertions(+), 11 deletions(-) diff --git

This patch adds value_byte_runs and node_byte_runs. Each byte run represents the offset and length of a data structure within the hive, one per node, and one or two per value depending on the length of the value data. These byte run functions also add additional data sanity checks as a hive is being parsed, mainly checking that a node address actually points to a node, and similarly for values.

This patch adds value_byte_runs and node_byte_runs. Each byte run represents the offset and length of a data structure within the hive, one per node, and one or two per value depending on the length of the value data. These byte run functions also add additional data sanity checks as a hive is being parsed, mainly checking that a node address actually points to a node, and similarly for values.

I'm not entirely sure the generator/generator.ml changes are as correct as they could be. I'm not very familiar with Caml. The hivex_node_set_value call builds up a list of hive_set_values by walking the existing values at the node, adding or replacing the passed hive_set_value as necessary, then shoving the list at hivex_node_set_values. Not included: Perl or OCaml binding glue.

On Sun, Jun 23, 2013 at 08:52:05PM +0200, Hilko Bengen wrote: > --- > lib/hivex.c | 81 +++++++++++++++++++++++++++++++++++++++++++++++++------------ > 1 file changed, 66 insertions(+), 15 deletions(-) > > diff --git a/lib/hivex.c b/lib/hivex.c > index efc27f8..e3c1e05 100644 > --- a/lib/hivex.c > +++ b/lib/hivex.c > @@ -208,6 +208,19 @@ struct ntreg_sk_record { >

Added Perl binding glue and a simple test along the lines of present tests. (And again: I'm not on the list, please CC me on replies. Thanks!) --- generator/generator.ml | 62 +++++++++++++++++++++++++++++++-- lib/hivex.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++ perl/t/201-setvalue.t | 54 ++++++++++++++++++++++++++++ 3 files changed, 203 insertions(+), 3

--- lib/hivex.c | 81 +++++++++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 66 insertions(+), 15 deletions(-) diff --git a/lib/hivex.c b/lib/hivex.c index efc27f8..e3c1e05 100644 --- a/lib/hivex.c +++ b/lib/hivex.c @@ -208,6 +208,19 @@ struct ntreg_sk_record { char sec_desc[1]; /* security info follows */ } __attribute__((__packed__)); +struct

Large values are split into multiple blocks. References to these sub-blocks are kept in a list whose structure seems to be identical to a value list. A "db" record contains information on the number of sub-blocks and a pointer to the list. It is referenced by the vk record. I came across this when comparing the contents of HKLM\SOFTWARE hives from Windows7 systems and finding that

As a follow-up to node_nr_children discussed in "hivex lib: Add function hivex_node_num_children", I've also created the function node_nr_values, which just returns the number of values of a node (primarily for optimization purposes). I hope I've done it correctly so that a follow-up commit is unneeded. The git tree is here: https://github.com/kupiakos/hivex/tree/node_nr_values

Hi Rich, I find it more readable (and safer to review) to avoid lines longer than 80 columns. When reviewing changes that wrap, I've noticed that it is harder to spot certain types of mistakes in the wrapped portion of a long line. >From 930118b380b35bb33e7719b0eb2ab6b31fa2d7e4 Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering at redhat.com> Date: Wed, 13 Apr 2011 16:08:57

Round 3 -- this time with working OCaml bindings. (I'm not on the list, please copy me on replies, thanks.) --- generator/generator.ml | 77 ++++++++++++++++++++++++++++++++++++++++- lib/hivex.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++ perl/t/201-setvalue.t | 54 ++++++++++++++++++++++++++++ 3 files changed, 219 insertions(+), 2 deletions(-) create mode 100644

Hilko, forwarding this to the mailing list. Please post patches over there. Rich. ----- Forwarded message ----- Date: Wed, 21 Jul 2010 17:09:53 +0200 From: Hilko Bengen Subject: patch: non-ASCII characters in node names Hi Richard, I was a little bit surprised when a colleague claimed that key and value names in the registry could contain non-ASCII characters. I created keys and values

This is, hopefully, a full fix for handling of li-records. See: https://bugzilla.redhat.com/show_bug.cgi?id=717583 https://bugzilla.redhat.com/show_bug.cgi?id=987463 Rich.

* Richard W.M. Jones: > diff --git a/lib/hivex.c b/lib/hivex.c > index e3c1e05..9351ac5 100644 > --- a/lib/hivex.c > +++ b/lib/hivex.c > @@ -1471,7 +1471,7 @@ hivex_value_value (hive_h *h, hive_value_h value, > if (h->msglvl >= 2) > fprintf (stderr, "hivex_value_value: warning: big data block is not " > "valid

The infrastructure for modified-time reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer). This patch adds to the hivex ABI: * int64_t hivex_last_modified (hive_h *) * int64_t hivex_node_timestamp (hive_h *,

--- lib/write.c | 49 ++++++++++++++++++++++++++++++++++--------------- 1 file changed, 34 insertions(+), 15 deletions(-) diff --git a/lib/write.c b/lib/write.c index dbb8292..72b1f8a 100644 --- a/lib/write.c +++ b/lib/write.c @@ -608,9 +608,17 @@ hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name) return 0; } + size_t recoded_name_len; + int use_utf16 = 0; +