similar to: Problem inspecting Windows images with large registry hives

Hivex is a small, self-contained C library for reading and writing Windows Registry "hive" binary files. I'm pleased to announce version 1.3.15 which you can get from: http://download.libguestfs.org/hivex/ Highlights of this release: - Improved performance by using a cache of iconv handles, especially when dumping out large hives (Hilko Hengen). - Add the ‘hivexregedit

On Wed, Oct 29, 2014 at 10:43:59AM -0500, Mahmoud Al-Qudsi wrote: > Hello all, > > I know that one of the original design goals of libhivex was to be > resilient to corrupt, invalid, or malicious registry hives. I've > encountered some undefined behavior in libhivex when attempting to open > registry files that are too small. I'm not sure if this is a known issue >

This is part 1 (updated) and part 2 of the three part patch set to provide tools for merging Windows Registry entries in the 'regedit' textual format. https://bugzilla.redhat.com/show_bug.cgi?id=575738 Using the low-level hivexregedit tool I was able to merge the registry entries described in the following article into an existing 'system' registry hive file:

> On Nov 11, 2014, at 1:57 AM, Richard W.M. Jones <rjones@redhat.com> wrote: > > Yes I was also meaning to do that after reading lcamtuf's postings. Yup. That's the one. > I just started a run now .. Will let it run for a few days and report > any issues on the list. Thank you. Do you mind running it under valgrind to catch out-of-bound reads? Mahmoud

Hello all, I know that one of the original design goals of libhivex was to be resilient to corrupt, invalid, or malicious registry hives. I've encountered some undefined behavior in libhivex when attempting to open registry files that are too small. I'm not sure if this is a known issue per-se or not, so I figured I'd ask here on the mailing list before I jumped in and started adding

On Wed, Oct 29, 2014 at 09:26:30PM -0500, Mahmoud Al-Qudsi wrote: > On Oct 29, 2014, at 3:39 PM, Richard W.M. Jones <rjones@redhat.com> wrote: > > > >> Or is it expected that certain sanity checks would be performed prior to > >> passing along any files to libhivex? What would those checks be? > > > > No, hivex should definitely have those checks.

On Oct 29, 2014, at 3:39 PM, Richard W.M. Jones <rjones@redhat.com> wrote: > >> Or is it expected that certain sanity checks would be performed prior to >> passing along any files to libhivex? What would those checks be? > > No, hivex should definitely have those checks. > > I'll have a proper look at this in the morning. > > Thanks, > > Rich.

Trying to inspect an old OpenSuSE image, which has an empty /etc/HOSTNAME file. This causes check_hostname_unix() in inspect_fs_unix() to return -1 -- causing inspection to fail. Somewhat interestingly, if no files of interest were found, the function would return 0.....which I think doesn't cause problems upstream. It's somewhat related to this closed bug where the fix was to set the

On Friday, 17 February 2017 10:24:58 CET Richard W.M. Jones wrote: > Map the HIVEX_OPEN_UNSAFE flag into the libguestfs API and use it > in various places. The series LGTM. Should virt-win-reg in display/export mode use the unsafe mode as well? Thanks, -- Pino Toscano

Map the HIVEX_OPEN_UNSAFE flag into the libguestfs API and use it in various places. Rich.

The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be looking at

Hello, The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be

The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be looking at

More evidence this is a real bug affecting users. I still have no idea why this bug happens. Rich. ----- Forwarded message from bugzilla at redhat.com ----- Date: Tue, 05 Mar 2013 20:29:23 +0000 Subject: [Bug 916990] inspect_os: mount_ro: /dev/sda on / (options: 'ro'): mount: /dev/sda is already mounted or /sysroot busy Product: Virtualization Tools

inspect_os() shouldn't do this, but ultimately it's heuristic. As we know what the transfer device is, we can double-check the output. --- v2v/virt-v2v.pl | 18 +++++++++++++++++- 1 files changed, 17 insertions(+), 1 deletions(-) diff --git a/v2v/virt-v2v.pl b/v2v/virt-v2v.pl index fe07ae9..6e73102 100755 --- a/v2v/virt-v2v.pl +++ b/v2v/virt-v2v.pl @@ -496,11 +496,18 @@ my $g = new

The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be looking at

In windows to load .hive files there is a option in file menu "load hive". But there is no such option in wine registry menu. can wine handle .hive files?

I'm pleased to announce the next release of hivex, a library and some tools for reading and writing Windows Registry hive files. Man page: http://libguestfs.org/hivex.3.html Source: http://libguestfs.org/download/hivex/ Git repo: http://git.annexia.org/?p=hivex.git;a=summary Fedora pkg: http://koji.fedoraproject.org/koji/taskinfo?taskID=3267857 This release mainly contains bug fixes.

trace: >>> g.inspect_os() libguestfs: trace: inspect_os libguestfs: trace: umount_all libguestfs: trace: umount_all = 0 libguestfs: trace: list_devices libguestfs: trace: list_devices = ["/dev/vda"] libguestfs: trace: vfs_type "/dev/vda" libguestfs: trace: vfs_type = "" libguestfs: trace: mount_ro "/dev/vda" "/" libguestfs: trace:

There are some corrupted registry files that have invalid hbin cells but are still readable. This patch makes the following changes: * hivex_open - do not abort with complete failure if we run across a block with invalid size (unless it's the root block). Instead just log the event, and move on. This will allow open hives that have apparent invalid blocks but the ones of potential