Displaying 20 results from an estimated 1000 matches similar to: "[PATCH 0/2] hivex: handle corrupted hives better"
2017 Feb 15
2
[PATCH v3 0/2] hivex: handle corrupted hives better
The following patches address issues when dealing with hives that have
corrupted data in them but are otherwise readable/writable. Those were
found on some rather rare Windows installations that seem to work fine
but current hivex fails to even open.
Those patches change hivex to simply log and ignore such "corrupted"
regions instead of aborting because the caller might be looking at
2017 Feb 14
4
[PATCH v2 0/2] hivex: handle corrupted hives better
The following patches address issues when dealing with hives that have
corrupted data in them but are otherwise readable/writable. Those were
found on some rather rare Windows installations that seem to work fine
but current hivex fails to even open.
Those patches change hivex to simply log and ignore such "corrupted"
regions instead of aborting because the caller might be looking at
2017 Feb 16
6
[PATCH v4 0/5] hivex: handle corrupted hives better.
The following patches address issues when dealing with hives that have
corrupted data in them but are otherwise readable/writable. Those were
found on some rather rare Windows installations that seem to work fine
but current hivex fails to even open.
Those patches change hivex to simply log and ignore such "corrupted"
regions instead of aborting because the caller might be looking at
2013 Jul 25
19
[PATCH hivex 00/19] Fix read/write handling of li-records.
This is, hopefully, a full fix for handling of li-records.
See:
https://bugzilla.redhat.com/show_bug.cgi?id=717583
https://bugzilla.redhat.com/show_bug.cgi?id=987463
Rich.
2017 Feb 14
2
Re: [PATCH 2/2] lib: allow to walk registry with corrupted blocks
On Wed, Feb 08, 2017 at 04:36:31PM -0500, Dawid Zamirski wrote:
> There are some corrupted registry files that have invalid hbin cells
> but are still readable. This patch makes the following changes:
>
> * hivex_open - do not abort with complete failure if we run across a
> block with invalid size (unless it's the root block). Instead just
> log the event, and move on.
2011 Apr 13
1
[PATCH hivex] maint: split long lines
Hi Rich,
I find it more readable (and safer to review) to avoid lines
longer than 80 columns. When reviewing changes that wrap,
I've noticed that it is harder to spot certain types of mistakes
in the wrapped portion of a long line.
>From 930118b380b35bb33e7719b0eb2ab6b31fa2d7e4 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering at redhat.com>
Date: Wed, 13 Apr 2011 16:08:57
2017 Feb 08
0
[PATCH 2/2] lib: allow to walk registry with corrupted blocks
There are some corrupted registry files that have invalid hbin cells
but are still readable. This patch makes the following changes:
* hivex_open - do not abort with complete failure if we run across a
block with invalid size (unless it's the root block). Instead just
log the event, and move on. This will allow open hives that have
apparent invalid blocks but the ones of potential
2017 Feb 15
2
Re: [PATCH v2 1/2] lib: change how hbin sections are read.
On Tue, Feb 14, 2017 at 12:05:20PM -0500, Dawid Zamirski wrote:
> * hivex_open: when looping over hbin sections (aka pages), handle a
> case where following hbin section may not begin at exactly at the end
> of previous one. If this happens, scan the page section until next
> one is found and validate it by checking declared offset with actual
> one - if they match, all is
2010 Feb 05
13
[PATCH 01/14] hivexsh: Document some peculiarities of the "cd" command.
---
hivex/hivexsh.pod | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/hivex/hivexsh.pod b/hivex/hivexsh.pod
index 277e3ae..9336798 100644
--- a/hivex/hivexsh.pod
+++ b/hivex/hivexsh.pod
@@ -100,7 +100,14 @@ or even:
Path elements (node names) are matched case insensitively, and
characters like space, C<*>, and C<?> have I<no> special
2017 Feb 15
2
Re: [PATCH v2 1/2] lib: change how hbin sections are read.
On Wed, Feb 15, 2017 at 01:48:29PM -0500, Dawid Zamirski wrote:
> On Wed, 2017-02-15 at 16:54 +0000, Richard W.M. Jones wrote:
> > On Tue, Feb 14, 2017 at 12:05:20PM -0500, Dawid Zamirski wrote:
> > > * hivex_open: when looping over hbin sections (aka pages), handle a
> > > case where following hbin section may not begin at exactly at the
> > > end
> >
2014 Oct 30
4
Re: [libhivex] Undefined behavior when accessing invalid (too small) registry hives
On Oct 29, 2014, at 3:39 PM, Richard W.M. Jones <rjones@redhat.com> wrote:
>
>> Or is it expected that certain sanity checks would be performed prior to
>> passing along any files to libhivex? What would those checks be?
>
> No, hivex should definitely have those checks.
>
> I'll have a proper look at this in the morning.
>
> Thanks,
>
> Rich.
2018 Feb 09
3
[PATCH] Add a cache for iconv_t handles to hive_t
It was brought to my attention that dumping a registry hive causes a
lot of time spent in disk I/O activity because iconv_open() and
iconv_close() are called for every key. Every iconv_open() call causes
/usr/lib/.../gconv/$ENCODING.so to be opened and mapped.
The iconv_t handles are now cached in the hive_h struct; they are
opened on-demand and re-used.
On my ~10 year old Lenovo T60, I have
2013 Nov 24
4
[PATCH 1/3] lib: Further generalize iconv wrapper function.
---
lib/hivex-internal.h | 8 +++++---
lib/utf16.c | 11 +++++++----
2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/lib/hivex-internal.h b/lib/hivex-internal.h
index 4135f58..64fd49a 100644
--- a/lib/hivex-internal.h
+++ b/lib/hivex-internal.h
@@ -268,11 +268,13 @@ extern size_t * _hivex_return_offset_list (offset_list *list);
extern void _hivex_print_offset_list
2014 Aug 07
4
[PATCH 0/2] Fix errors found by Clang static analyzer
Hi,
Here is one trivial initialization fix and another patch to convert a huge macro
to an inline function. The result of the expansion would show up in an assertion
which triggered a -Woverlength-strings warning.
Peter Wu (2):
Fix garbage return value on error
Fix overly long assertion string
lib/hivex-internal.h | 28 ++++++++++++++++------------
lib/node.c | 18
2013 Nov 25
1
[PATCH 3/3, take 2] lib: Add support for creating nodes (keys) and values with UTF-16LE-encoded names
---
lib/write.c | 50 +++++++++++++++++++++++++++++++++++---------------
1 file changed, 35 insertions(+), 15 deletions(-)
diff --git a/lib/write.c b/lib/write.c
index dbb8292..8c4dd8e 100644
--- a/lib/write.c
+++ b/lib/write.c
@@ -608,9 +608,17 @@ hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name)
return 0;
}
+ size_t recoded_name_len;
+ int use_utf16 = 0;
+
2014 Jan 08
5
hivex: Make node names and value names with embedded null characters accessible
On Windows, there exist at least two APIs for dealing with the
Registry: The Win32 API (RegCreateKeyA, RegCreateKeyW, etc.) works
with null-terminated ASCII or UTF-16 strings. The native API
(ZwCreateKey, etc.), on the other hand works with UTF-16 strings that
are stored as buffers+length and may contain null characters. Malware
authors have been relying on the Win32 API's inability to
2013 Nov 25
3
Re: [PATCH 3/3] lib: Add support for creating nodes (keys) and values with UTF-16LE-encoded names
On Sun, Nov 24, 2013 at 11:25:53PM +0100, Hilko Bengen wrote:
> ---
> lib/write.c | 49 ++++++++++++++++++++++++++++++++++---------------
> 1 file changed, 34 insertions(+), 15 deletions(-)
>
> diff --git a/lib/write.c b/lib/write.c
> index dbb8292..72b1f8a 100644
> --- a/lib/write.c
> +++ b/lib/write.c
> @@ -608,9 +608,17 @@ hivex_node_add_child (hive_h *h,
2016 Feb 14
2
hivex lib: Add function hivex_node_num_children
Hello,
I've been working on a graphical registry hive editing tool in Qt
using the hivex C library.
While creating it, I noticed that in order to determine if an
expansion element should be shown on a node, you have to determine if
a node has any children.
Currently, in order to determine if a node has any children, you must
find every child with hivex_node_children, which is a relatively
2017 Feb 08
0
[PATCH 1/2] lib: change how hbin sections are read.
* hivex_open: when looping over hbin sections (aka pages), handle a
case where following hbin section may not begin at exactly at the end
of previous one. If this happens, scan the page section until next
one is found and validate it by checking declared offset with actual
one - if they match, all is good and we can safely move on.
Rationale: there are registry hives there is some garbage
2011 Aug 10
1
[PATCH] Report last-modified time of hive root and nodes
The infrastructure for modified-time reporting has been essentially
unused. These changes report the registry time by treating the
time fields as Windows filetime fields stored in little-Endian
(which means they can be treated as a single 64-bit little-Endian
integer). Some of the code changes necessary include:
* Exposing the hive_h structure in the hivex header file (via
generator.ml)
*