similar to: [PATCH 1/3] Document ntreg_nk_record.flags

--- lib/hivex-internal.h | 8 +++++--- lib/utf16.c | 11 +++++++---- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/lib/hivex-internal.h b/lib/hivex-internal.h index 4135f58..64fd49a 100644 --- a/lib/hivex-internal.h +++ b/lib/hivex-internal.h @@ -268,11 +268,13 @@ extern size_t * _hivex_return_offset_list (offset_list *list); extern void _hivex_print_offset_list

It was brought to my attention that dumping a registry hive causes a lot of time spent in disk I/O activity because iconv_open() and iconv_close() are called for every key. Every iconv_open() call causes /usr/lib/.../gconv/$ENCODING.so to be opened and mapped. The iconv_t handles are now cached in the hive_h struct; they are opened on-demand and re-used. On my ~10 year old Lenovo T60, I have

--- lib/write.c | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/write.c b/lib/write.c index 8c4dd8e..384c6b2 100644 --- a/lib/write.c +++ b/lib/write.c @@ -954,7 +954,6 @@ hivex_node_set_values (hive_h *h, hive_node_h node, for (i = 0; i < nr_values; ++i) { /* Allocate vk record to store this (key, value) pair. */ static const char vk_id[2] = { 'v', 'k' }; -

--- lib/hivex-internal.h | 6 +++++- lib/node.c | 7 +------ lib/utf16.c | 5 ++--- lib/value.c | 7 +------ 4 files changed, 9 insertions(+), 16 deletions(-) diff --git a/lib/hivex-internal.h b/lib/hivex-internal.h index d7ce339..4135f58 100644 --- a/lib/hivex-internal.h +++ b/lib/hivex-internal.h @@ -268,7 +268,11 @@ extern size_t * _hivex_return_offset_list

On Windows, there exist at least two APIs for dealing with the Registry: The Win32 API (RegCreateKeyA, RegCreateKeyW, etc.) works with null-terminated ASCII or UTF-16 strings. The native API (ZwCreateKey, etc.), on the other hand works with UTF-16 strings that are stored as buffers+length and may contain null characters. Malware authors have been relying on the Win32 API's inability to

On Fri, Feb 09, 2018 at 01:52:52AM +0100, Hilko Bengen wrote: > It was brought to my attention that dumping a registry hive causes a > lot of time spent in disk I/O activity because iconv_open() and > iconv_close() are called for every key. Every iconv_open() call causes > /usr/lib/.../gconv/$ENCODING.so to be opened and mapped. > > The iconv_t handles are now cached in the

It was brought to my attention that dumping a registry hive causes a lot of time spent in disk I/O activity because iconv_open() and iconv_close() are called for every key. Every iconv_open() call causes /usr/lib/.../gconv/$ENCODING.so to be opened and mapped. The iconv_t handles are now cached in the hive_h struct; they are opened on-demand and re-used. On my ~10 year old Lenovo T60, I have

This patch assumes that iconv doesn't actually modify the input buffer, even though it is declared as char *. --- lib/hivex-internal.h | 6 +++--- lib/utf16.c | 9 +++++---- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/lib/hivex-internal.h b/lib/hivex-internal.h index 7a548c0..6bc8638 100644 --- a/lib/hivex-internal.h +++ b/lib/hivex-internal.h @@ -268,9 +268,9 @@

This is, hopefully, a full fix for handling of li-records. See: https://bugzilla.redhat.com/show_bug.cgi?id=717583 https://bugzilla.redhat.com/show_bug.cgi?id=987463 Rich.

--- lib/write.c | 50 +++++++++++++++++++++++++++++++++++--------------- 1 file changed, 35 insertions(+), 15 deletions(-) diff --git a/lib/write.c b/lib/write.c index dbb8292..8c4dd8e 100644 --- a/lib/write.c +++ b/lib/write.c @@ -608,9 +608,17 @@ hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name) return 0; } + size_t recoded_name_len; + int use_utf16 = 0; +

On Sun, Nov 24, 2013 at 11:25:53PM +0100, Hilko Bengen wrote: > --- > lib/write.c | 49 ++++++++++++++++++++++++++++++++++--------------- > 1 file changed, 34 insertions(+), 15 deletions(-) > > diff --git a/lib/write.c b/lib/write.c > index dbb8292..72b1f8a 100644 > --- a/lib/write.c > +++ b/lib/write.c > @@ -608,9 +608,17 @@ hivex_node_add_child (hive_h *h,

This patch adds hivex_node_struct_length and hivex_value_struct_length to the hivex ABI, to report the amount of hive space used for each stored structure. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 12 ++++++++++++ lib/hivex.c | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 0 deletions(-) diff --git

Hello, I've been working on a graphical registry hive editing tool in Qt using the hivex C library. While creating it, I noticed that in order to determine if an expansion element should be shown on a node, you have to determine if a node has any children. Currently, in order to determine if a node has any children, you must find every child with hivex_node_children, which is a relatively

--- lib/write.c | 49 ++++++++++++++++++++++++++++++++++--------------- 1 file changed, 34 insertions(+), 15 deletions(-) diff --git a/lib/write.c b/lib/write.c index dbb8292..72b1f8a 100644 --- a/lib/write.c +++ b/lib/write.c @@ -608,9 +608,17 @@ hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name) return 0; } + size_t recoded_name_len; + int use_utf16 = 0; +

This patch addresses a build failure in OS X. Running git-bisect on a straightforward build (bootstrap, autogen.sh, configure, make, make install) showed this as the "Bad commit:" 3e7c039799cddc45517350cc917eb10715f33fec The issue is that hivex-internal.h uses le32toh in a static inline function. In case `configure` doesn't find le32toh, byte_conversions.h defines it. But

Hilko, forwarding this to the mailing list. Please post patches over there. Rich. ----- Forwarded message ----- Date: Wed, 21 Jul 2010 17:09:53 +0200 From: Hilko Bengen Subject: patch: non-ASCII characters in node names Hi Richard, I was a little bit surprised when a colleague claimed that key and value names in the registry could contain non-ASCII characters. I created keys and values

As a follow-up to node_nr_children discussed in "hivex lib: Add function hivex_node_num_children", I've also created the function node_nr_values, which just returns the number of values of a node (primarily for optimization purposes). I hope I've done it correctly so that a follow-up commit is unneeded. The git tree is here: https://github.com/kupiakos/hivex/tree/node_nr_values

[This email is either empty or too large to be displayed at this time]

The infrastructure for modified-time reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer). This patch adds to the hivex ABI: * int64_t hivex_last_modified (hive_h *) * int64_t hivex_node_timestamp (hive_h *,

The infrastructure for modified-time reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer). Some of the code changes necessary include: * Exposing the hive_h structure in the hivex header file (via generator.ml) *