hivex.git
14 years agoPrepare for version 1.2.1.
Richard Jones [Tue, 30 Mar 2010 15:42:50 +0000 (16:42 +0100)]
Prepare for version 1.2.1.

14 years agohivexregedit: Low-level tool for merging and export in regedit format.
Richard Jones [Fri, 26 Mar 2010 11:46:44 +0000 (11:46 +0000)]
hivexregedit: Low-level tool for merging and export in regedit format.

14 years agoWin::Hivex::Regedit module for importing and exporting regedit format files.
Richard Jones [Thu, 25 Mar 2010 12:03:36 +0000 (12:03 +0000)]
Win::Hivex::Regedit module for importing and exporting regedit format files.

14 years agohivexsh: '-f' option takes an argument (found by Marko Myllynen).
Richard Jones [Tue, 30 Mar 2010 10:56:29 +0000 (11:56 +0100)]
hivexsh: '-f' option takes an argument (found by Marko Myllynen).

14 years agoZero all new block allocations.
Richard Jones [Mon, 29 Mar 2010 21:51:12 +0000 (22:51 +0100)]
Zero all new block allocations.

Make sure all new block allocations (from allocate_block)
are zeroed.  It can happen that junk from previous hive pages
can end up in new block allocations, if the hive previously
shrank.

(Thanks to Marko Myllynen for finding an example where this
happened).

14 years agoIncrease HIVEX_MAX_VALUES from 1000 to 10000.
Richard Jones [Mon, 29 Mar 2010 21:23:25 +0000 (22:23 +0100)]
Increase HIVEX_MAX_VALUES from 1000 to 10000.

I was sent a genuine Windows XP hive by Marko Myllynen which
had a key with > 1000 values attached.

14 years agoIncrease HIVEX_MAX_SUBKEYS to 15000.
Richard Jones [Fri, 26 Mar 2010 13:49:25 +0000 (13:49 +0000)]
Increase HIVEX_MAX_SUBKEYS to 15000.

Windows 7 registry has a hive key which contains 11908 subkeys,
larger than the existing limit (10000).  The key is:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners

14 years agohivex: Add debugging message when returning ERANGE error.
Richard Jones [Fri, 26 Mar 2010 13:48:24 +0000 (13:48 +0000)]
hivex: Add debugging message when returning ERANGE error.

14 years agohivexsh: Fix building of HTML-format manpages.
Richard Jones [Fri, 26 Mar 2010 11:47:20 +0000 (11:47 +0000)]
hivexsh: Fix building of HTML-format manpages.

14 years agoperl: Fix $h->value_value method when returning an empty value.
Richard Jones [Thu, 25 Mar 2010 19:39:07 +0000 (19:39 +0000)]
perl: Fix $h->value_value method when returning an empty value.

Previously this didn't correctly return an empty registry
value.  In this case the length argument to newSVpv would
be 0 which tells Perl to try to calculate the length (we
want newSVpvn instead).

14 years agoFix generation of po/POTFILES.in.
Richard Jones [Thu, 25 Mar 2010 12:02:42 +0000 (12:02 +0000)]
Fix generation of po/POTFILES.in.

Contains some obsolete code copied in from libguestfs, and we
need to exclude Perl 'blib' files.

14 years agoperl: Small fix to 006-pod-coverage test.
Richard Jones [Thu, 25 Mar 2010 12:01:34 +0000 (12:01 +0000)]
perl: Small fix to 006-pod-coverage test.

Some code copied over from libguestfs, fixed.

14 years agoperl: Fix $h->value_type and $h->value_value methods.
Richard Jones [Thu, 25 Mar 2010 11:57:35 +0000 (11:57 +0000)]
perl: Fix $h->value_type and $h->value_value methods.

These were passing the type & len arguments the wrong way round
to the C function, resulting in data corruption in the returned
values.

14 years agoFix documentation for Win::Hivex->open
Richard Jones [Mon, 8 Mar 2010 17:44:43 +0000 (17:44 +0000)]
Fix documentation for Win::Hivex->open

14 years agoRHEL 5: Fixes for old version of OCaml in EPEL 5.
Richard Jones [Mon, 1 Mar 2010 17:44:00 +0000 (17:44 +0000)]
RHEL 5: Fixes for old version of OCaml in EPEL 5.

14 years agoPrepare for version 1.2.0. 1.2.0
Richard Jones [Mon, 1 Mar 2010 13:50:33 +0000 (13:50 +0000)]
Prepare for version 1.2.0.

Fix hivexsh_SOURCES.

Update PO files.

14 years agoUpdate Spanish translations (RHBZ#569178).
Daniel Cabrera [Mon, 1 Mar 2010 09:39:54 +0000 (09:39 +0000)]
Update Spanish translations (RHBZ#569178).

14 years agoUpdate PO files.
Richard Jones [Mon, 1 Mar 2010 09:37:22 +0000 (09:37 +0000)]
Update PO files.

14 years agoUpdate Polish translations (RHBZ#502533).
Piotr Drąg [Mon, 1 Mar 2010 09:36:37 +0000 (09:36 +0000)]
Update Polish translations (RHBZ#502533).

14 years agoNO Python bindings - ran out of time.
Richard W.M. Jones [Fri, 26 Feb 2010 21:56:09 +0000 (21:56 +0000)]
NO Python bindings - ran out of time.

This commit disables parts of the build related to Python
and notes in the README that we didn't have time to finish
Python bindings.

14 years agogenerator: Perl bindings.
Richard W.M. Jones [Fri, 26 Feb 2010 11:29:09 +0000 (11:29 +0000)]
generator: Perl bindings.

This also adds a small test suite for the Perl bindings.

14 years agogenerator: Clarify LGPLv2 boilerplate.
Richard W.M. Jones [Thu, 25 Feb 2010 22:14:10 +0000 (22:14 +0000)]
generator: Clarify LGPLv2 boilerplate.

14 years agoMore documentation in README file.
Richard W.M. Jones [Thu, 25 Feb 2010 22:05:51 +0000 (22:05 +0000)]
More documentation in README file.

14 years agohivexsh: Fix compilation on 32 bit machines.
Richard W.M. Jones [Fri, 26 Feb 2010 11:50:35 +0000 (11:50 +0000)]
hivexsh: Fix compilation on 32 bit machines.

14 years agoRemove bogus msgstr from kn.po.
Richard Jones [Thu, 25 Feb 2010 20:02:57 +0000 (20:02 +0000)]
Remove bogus msgstr from kn.po.

14 years agogenerator: Add OCaml bindings.
Richard Jones [Tue, 23 Feb 2010 12:27:19 +0000 (12:27 +0000)]
generator: Add OCaml bindings.

Also we tighten up the definition of hivex_close (it disposes of handles)
and hivex_node_get_child (unusual "not found" non-error condition).

This also adds tests of the OCaml bindings.

14 years agoAdd build framework for OCaml, Perl, Python bindings.
Richard Jones [Tue, 23 Feb 2010 10:36:51 +0000 (10:36 +0000)]
Add build framework for OCaml, Perl, Python bindings.

(No bindings are actually built, this just adds the build, test
and generator framework for them).

14 years agoconfigure: Comment out Ruby, Java, Haskell detection.
Richard Jones [Tue, 23 Feb 2010 10:28:14 +0000 (10:28 +0000)]
configure: Comment out Ruby, Java, Haskell detection.

We will not be implementing bindings for Ruby, Java or Haskell
unless someone pitches in to do the work.  Therefore comment out
the code which detects these languages in the configure script.

(This leaves OCaml, Perl, Python, which we will be writing
bindings for).

14 years agoCreate separate toplevel directories for hivexsh and hivexml.
Richard Jones [Wed, 24 Feb 2010 18:20:49 +0000 (18:20 +0000)]
Create separate toplevel directories for hivexsh and hivexml.

14 years agoRename hivex/ -> lib/
Richard Jones [Wed, 24 Feb 2010 17:57:01 +0000 (17:57 +0000)]
Rename hivex/ -> lib/

14 years agoMove test images to images/ and add a large, generated test image.
Richard Jones [Wed, 24 Feb 2010 17:30:37 +0000 (17:30 +0000)]
Move test images to images/ and add a large, generated test image.

Previously we had one minimal test image.  This was located in
hivex/t (a subdirectory of the main library).

This adds a large, procedurally generated test image.  Because
this needs to be built using hivex code, and because subdirectories
are built before the parent directory by automake, we have to
also move the directory location to a top-level directory called
images/.

14 years agoAdded Kannada translation (RHBZ#567860).
Shankar Prasad [Wed, 24 Feb 2010 10:35:24 +0000 (10:35 +0000)]
Added Kannada translation (RHBZ#567860).

14 years agohivex: Fix allocations that may move C heap buffer.
Richard Jones [Tue, 23 Feb 2010 19:08:41 +0000 (19:08 +0000)]
hivex: Fix allocations that may move C heap buffer.

When heavily extending existing hive files, the malloc-allocated
in-memory copy of the hive may be moved when we reallocate it
(to increase its size).  However we didn't adjust existing
pointers to cope with this, so sometimes you could get a segfault.

This patch fixes the issue by adjusting pointers as necessary
after calling (directly or indirectly) to the allocate_block
function.

With this patch I was able to allocate 10,000's of blocks in
a deeply nested hive structure without any problems being reported
by valgrind.

14 years agoLink gnulib in to the hivex library, not end-user programs.
Richard Jones [Tue, 23 Feb 2010 11:32:53 +0000 (11:32 +0000)]
Link gnulib in to the hivex library, not end-user programs.

Gnulib should be statically linked into the hivex library, so
it gets included into end-user programs automatically.  Otherwise
end-user programs would have to link explicitly with gnulib.

14 years agogenerator: More minor formatting adjustments to POD documentation.
Richard Jones [Mon, 22 Feb 2010 22:42:24 +0000 (22:42 +0000)]
generator: More minor formatting adjustments to POD documentation.

14 years agogenerator: Minor adjustments to the C POD documentation.
Richard Jones [Mon, 22 Feb 2010 22:38:36 +0000 (22:38 +0000)]
generator: Minor adjustments to the C POD documentation.

14 years agoAdd a generator for generating bindings to other languages.
Richard Jones [Mon, 22 Feb 2010 16:30:12 +0000 (16:30 +0000)]
Add a generator for generating bindings to other languages.

At the moment the generator just generates the C header file
and C POD documentation.  This just so we can compare the existing
hand-written code with the generated code to make sure that our
description of the API within the generator is correct.

14 years agoRemove bogus reference to src/ directory which no longer exists.
Richard Jones [Mon, 22 Feb 2010 17:17:16 +0000 (17:17 +0000)]
Remove bogus reference to src/ directory which no longer exists.

14 years agoUpdate copyright notice and change libguestfs to hivex.
Richard Jones [Mon, 22 Feb 2010 17:16:44 +0000 (17:16 +0000)]
Update copyright notice and change libguestfs to hivex.

14 years agoVersion 1.1.2 1.1.2
Richard Jones [Mon, 22 Feb 2010 11:52:01 +0000 (11:52 +0000)]
Version 1.1.2

14 years agoInstall hivex.h in $includedir.
Richard Jones [Mon, 22 Feb 2010 11:28:57 +0000 (11:28 +0000)]
Install hivex.h in $includedir.

14 years agoVersion 1.1.1. 1.1.1
Richard Jones [Mon, 22 Feb 2010 10:43:20 +0000 (10:43 +0000)]
Version 1.1.1.

Also some minor fixes to the build system.

14 years agoMove README, LICENSE files to the toplevel directory.
Richard Jones [Fri, 19 Feb 2010 17:34:45 +0000 (17:34 +0000)]
Move README, LICENSE files to the toplevel directory.

14 years agognulib: Remove some unused modules.
Richard Jones [Fri, 19 Feb 2010 17:30:05 +0000 (17:30 +0000)]
gnulib: Remove some unused modules.

14 years agoVersion 1.1.0 1.1.0
Richard Jones [Fri, 19 Feb 2010 16:41:05 +0000 (16:41 +0000)]
Version 1.1.0

14 years agopo: Import pofiles and various build fixes.
Richard Jones [Fri, 19 Feb 2010 16:50:39 +0000 (16:50 +0000)]
po: Import pofiles and various build fixes.

14 years agoSort and complete m4/.gitignore file.
Richard Jones [Fri, 19 Feb 2010 16:40:32 +0000 (16:40 +0000)]
Sort and complete m4/.gitignore file.

14 years agoAdd gettext.h, omitted from earlier import.
Richard Jones [Fri, 19 Feb 2010 16:36:36 +0000 (16:36 +0000)]
Add gettext.h, omitted from earlier import.

14 years agognulib: Include xstrtol, xstrtoll modules.
Richard Jones [Fri, 19 Feb 2010 16:35:25 +0000 (16:35 +0000)]
gnulib: Include xstrtol, xstrtoll modules.

These were omitted from the earlier code import from libguestfs.

14 years agoAdd html/ directory, include POD CSS.
Richard Jones [Fri, 19 Feb 2010 16:35:04 +0000 (16:35 +0000)]
Add html/ directory, include POD CSS.

14 years agohivexsh: Print hex bytes >= 0x80 correctly.
Richard Jones [Fri, 19 Feb 2010 13:51:07 +0000 (13:51 +0000)]
hivexsh: Print hex bytes >= 0x80 correctly.

These were being interpreted as signed chars, and thus printed
as "ffffff80" etc.

14 years agoRemove some unused variables.
Richard Jones [Mon, 15 Feb 2010 15:55:38 +0000 (15:55 +0000)]
Remove some unused variables.

Since we have to compile with -Wno-unused-variables, we don't
spot unused variables in code.  I found these by compiling the
code in Ubuntu.

14 years agoAdd scripts to EXTRA_DIST.
Richard Jones [Fri, 5 Feb 2010 18:01:18 +0000 (18:01 +0000)]
Add scripts to EXTRA_DIST.

14 years agohivex: example6: Don't double backslashes.
Richard Jones [Fri, 5 Feb 2010 15:12:09 +0000 (15:12 +0000)]
hivex: example6: Don't double backslashes.

14 years agohivex: example6: Hypothetical addition of keys for viostor.
Richard Jones [Fri, 5 Feb 2010 15:05:36 +0000 (15:05 +0000)]
hivex: example6: Hypothetical addition of keys for viostor.

14 years agohivex: Fix handling of inline VKs.
Richard Jones [Fri, 5 Feb 2010 14:50:19 +0000 (14:50 +0000)]
hivex: Fix handling of inline VKs.

14 years agohivexsh: Set correct type for 'expandstring' values.
Richard Jones [Fri, 5 Feb 2010 13:47:32 +0000 (13:47 +0000)]
hivexsh: Set correct type for 'expandstring' values.

14 years agohivex: Documentation and cleanups.
Richard Jones [Fri, 5 Feb 2010 12:59:43 +0000 (12:59 +0000)]
hivex: Documentation and cleanups.

14 years agohivex: Make limits into macros.
Richard Jones [Fri, 5 Feb 2010 12:59:18 +0000 (12:59 +0000)]
hivex: Make limits into macros.

14 years agohivexsh: Remove unused variable.
Richard Jones [Fri, 5 Feb 2010 12:57:53 +0000 (12:57 +0000)]
hivexsh: Remove unused variable.

This removes an unused variable left over by
commit ab608f3948d903af64e814b2e67949a1a71d93a4.

14 years agohivex: Complete the implementation of adding child nodes.
Richard Jones [Thu, 4 Feb 2010 16:33:18 +0000 (16:33 +0000)]
hivex: Complete the implementation of adding child nodes.

14 years agohivex: More debugging around nk 'unknown2' field.
Richard Jones [Thu, 4 Feb 2010 18:42:58 +0000 (18:42 +0000)]
hivex: More debugging around nk 'unknown2' field.

14 years agohivex: Check hash fields in lf/lh records.
Richard Jones [Thu, 4 Feb 2010 17:59:11 +0000 (17:59 +0000)]
hivex: Check hash fields in lf/lh records.

14 years agohivexsh: del command: Fix error message.
Richard Jones [Thu, 4 Feb 2010 16:32:22 +0000 (16:32 +0000)]
hivexsh: del command: Fix error message.

14 years agohivexsh: lsval: Remove stray quotation mark.
Richard Jones [Thu, 4 Feb 2010 16:31:55 +0000 (16:31 +0000)]
hivexsh: lsval: Remove stray quotation mark.

14 years agohivexsh: cd command: fix error handling
Richard Jones [Thu, 4 Feb 2010 16:31:09 +0000 (16:31 +0000)]
hivexsh: cd command: fix error handling

The error behaviour of hivex_node_get_child is subtle, so the 'cd'
command wouldn't always report errors correctly.  This fixes it.

14 years agohivex: allocate_block should update valid block bitmap.
Richard Jones [Thu, 4 Feb 2010 16:29:32 +0000 (16:29 +0000)]
hivex: allocate_block should update valid block bitmap.

The internal allocate_block() function wasn't updating the bitmap,
so if you revisited a block which you had allocated in the same
session, you could get an EFAULT error.

14 years agohivex: More debug messages.
Richard Jones [Thu, 4 Feb 2010 16:29:11 +0000 (16:29 +0000)]
hivex: More debug messages.

14 years agohivex: Documentation update.
Richard Jones [Thu, 4 Feb 2010 16:28:26 +0000 (16:28 +0000)]
hivex: Documentation update.

ntreg_lf_record can have id "lf" (old-style hashes) or "lh" (new-
style hashes).

14 years agohivex: Some missing le32toh endianness conversions.
Richard Jones [Thu, 4 Feb 2010 16:27:58 +0000 (16:27 +0000)]
hivex: Some missing le32toh endianness conversions.

14 years agohivexsh: Document some peculiarities of the "cd" command.
Richard Jones [Thu, 4 Feb 2010 14:12:04 +0000 (14:12 +0000)]
hivexsh: Document some peculiarities of the "cd" command.

14 years agohivex: Implement deleting child nodes.
Richard Jones [Wed, 3 Feb 2010 18:10:38 +0000 (18:10 +0000)]
hivex: Implement deleting child nodes.

14 years agohivex: Add flags argument to internal get_children() function.
Richard Jones [Thu, 4 Feb 2010 13:24:27 +0000 (13:24 +0000)]
hivex: Add flags argument to internal get_children() function.

When we later call get_children to visit the intermediate
ri/lf/lh records, we have already deleted the subkey nk-records,
so checking that those nk-records are still valid is not very
helpful.

This commit adds a flag to turn these checks off.

14 years agohivex: Don't die on valid registries which have bad declared data lengths.
Richard Jones [Thu, 4 Feb 2010 13:26:04 +0000 (13:26 +0000)]
hivex: Don't die on valid registries which have bad declared data lengths.

Some apparently valid registries contain value data length
declarations which exceed the allocated block size for the
value.

Previously the code would return EFAULT for such registries.
However since these appear to be otherwise valid registries,
turn this into a warning and just use the allocated block size
as the data length (in other words, truncate the value).

14 years agohivex: Minimal registry example.
Richard Jones [Wed, 3 Feb 2010 18:09:52 +0000 (18:09 +0000)]
hivex: Minimal registry example.

This is the smallest registry you can make and still have it
load correctly in Windows regedit.

14 years agohivexsh: Add 'setval' and 'commit' commands.
Richard Jones [Wed, 3 Feb 2010 18:04:31 +0000 (18:04 +0000)]
hivexsh: Add 'setval' and 'commit' commands.

This adds the 'setval' and 'commit' commands to the hivex shell.

Also adds some example scripts showing use of these.

14 years agohivex: Begin implementation of writing to hives.
Richard Jones [Wed, 3 Feb 2010 17:59:03 +0000 (17:59 +0000)]
hivex: Begin implementation of writing to hives.

This implements hivex_node_set_values which is used to
delete the (key, value) pairs at a node and optionally
replace them with a new set.

This also implements hivex_commit which is used to commit
changes to hives back to disk.

14 years agohivex: Add HIVEX_OPEN_WRITE flag to allow hive to be opened for writing.
Richard Jones [Mon, 18 Jan 2010 11:08:56 +0000 (11:08 +0000)]
hivex: Add HIVEX_OPEN_WRITE flag to allow hive to be opened for writing.

If this flag is omitted (as in the case for all existing callers)
then the hive is still opened read-only.

We add a 'writable' flag to the hive handle, and we change the way
that the hive file (data) is stored.  The data is still mmapped if
the file is opened read-only, since that is more efficient and allows
us to handle larger hives.  However if we need to write to the file
then we have to read it all into memory, since if we had to extend the
file we need to realloc that data.

Note the manpage section L</WRITING TO HIVE FILES> comes in a later
commit.

14 years agoTools for analyzing and reverse engineering hive files.
Richard Jones [Wed, 3 Feb 2010 17:35:53 +0000 (17:35 +0000)]
Tools for analyzing and reverse engineering hive files.

This commit is not of general interest.  It contains the tools which
I used to reverse engineer the hive format and to test changes.
Keeping these with the rest of the code is useful in case in future
we encounter a hive file that we fail to modify.

Note that the tools are not compiled by default.  You have to compile
each explicitly with:

  make -C hivex/tools <toolname>.opt

You will also need ocaml-extlib-devel and ocaml-bitstring-devel.

14 years agohivexsh: Change some exit(1) -> exit(EXIT_FAILURE)
Richard Jones [Wed, 3 Feb 2010 17:52:05 +0000 (17:52 +0000)]
hivexsh: Change some exit(1) -> exit(EXIT_FAILURE)

14 years agohivexsh: Only print final \n when interactive.
Richard Jones [Wed, 3 Feb 2010 17:50:51 +0000 (17:50 +0000)]
hivexsh: Only print final \n when interactive.

When hivexsh was called non-interactively, it would print an
annoying extra line.  Only print this line if we are being
used interactively.

14 years agohivexsh: Change handling of prompt argument to rl_gets()
Richard Jones [Wed, 3 Feb 2010 17:48:37 +0000 (17:48 +0000)]
hivexsh: Change handling of prompt argument to rl_gets()

Make the result of isatty into a global variable (is_tty).

Change the rl_gets() function so it takes the prompt string
instead of a "display prompt?" flag.  rl_gets() then consults
the global to find out if it should display the prompt at all.

14 years agoDocument that this flag is clear for default keys.
Richard Jones [Wed, 3 Feb 2010 17:45:20 +0000 (17:45 +0000)]
Document that this flag is clear for default keys.

14 years agoMisc documentation and gitignore update.
Richard Jones [Wed, 3 Feb 2010 17:44:39 +0000 (17:44 +0000)]
Misc documentation and gitignore update.

14 years agoMove htole*/le*toh macros into a separate header file.
Richard Jones [Wed, 3 Feb 2010 17:41:15 +0000 (17:41 +0000)]
Move htole*/le*toh macros into a separate header file.

This allows us to reuse these macros in hivexsh later.

14 years agohivex: Reimplement hivexget as a simple shell script.
Richard Jones [Fri, 29 Jan 2010 19:12:34 +0000 (19:12 +0000)]
hivex: Reimplement hivexget as a simple shell script.

hivexget is currently a large C program.  Now that we have hivexsh
(the shell) we can reimplement hivexget as a simple bash script that
calls out to hivexsh.

14 years agohivex: Add 'hivexsh' program (shell for navigating registry hives).
Richard Jones [Fri, 29 Jan 2010 12:18:30 +0000 (12:18 +0000)]
hivex: Add 'hivexsh' program (shell for navigating registry hives).

14 years agoSet locale in C programs so l10n works (RHBZ#559962).
Richard Jones [Fri, 29 Jan 2010 14:56:13 +0000 (14:56 +0000)]
Set locale in C programs so l10n works (RHBZ#559962).

This commit adds the calls to setlocale &c to all of the current
C programs.

It also adds l10n support to hivexget and hivexml which lacked them
previously.

To test this, try:

LANG=pa_IN.UTF-8 guestfish --cmd-help

(You can only do this test after installing the package, or at
least the 'pa.mo' mo-file in the correct place).

14 years agohivex: Const-correctness fix on header_checksum (thanks Jim Meyering).
Richard Jones [Thu, 28 Jan 2010 17:39:06 +0000 (17:39 +0000)]
hivex: Const-correctness fix on header_checksum (thanks Jim Meyering).

14 years agohivex: Update some previously unknown nk-record fields.
Richard Jones [Thu, 28 Jan 2010 16:25:19 +0000 (16:25 +0000)]
hivex: Update some previously unknown nk-record fields.

Update these fields with what we found out from reverse engineering
the file.  Also bring the unknownX field names into line with
visualizer.ml.

14 years agohivex: Fix calculation of block size for vk data blocks.
Richard Jones [Thu, 21 Jan 2010 17:07:42 +0000 (17:07 +0000)]
hivex: Fix calculation of block size for vk data blocks.

14 years agohivex: Display incorrect block size as unsigned in an error message.
Richard Jones [Thu, 21 Jan 2010 17:07:21 +0000 (17:07 +0000)]
hivex: Display incorrect block size as unsigned in an error message.

14 years agohivex: display bad block offset in hex
Richard Jones [Thu, 21 Jan 2010 16:19:49 +0000 (16:19 +0000)]
hivex: display bad block offset in hex

14 years agohivex: hive type in vk-record is an unsigned 32 bit int
Richard Jones [Thu, 21 Jan 2010 16:19:26 +0000 (16:19 +0000)]
hivex: hive type in vk-record is an unsigned 32 bit int

14 years agohivex: Add missing le32toh conversion around field access.
Richard Jones [Tue, 19 Jan 2010 15:21:06 +0000 (15:21 +0000)]
hivex: Add missing le32toh conversion around field access.

This was missing.  It only worked because we test on a little
endian platform.

14 years agohivex: Clarify some more fields.
Richard Jones [Tue, 19 Jan 2010 15:20:36 +0000 (15:20 +0000)]
hivex: Clarify some more fields.

Taken from sentinelchicken.com documentation.

14 years agohivex: Modify children/values functions to return intermediate blocks.
Richard Jones [Tue, 19 Jan 2010 12:22:10 +0000 (12:22 +0000)]
hivex: Modify children/values functions to return intermediate blocks.

Modify the functions that return child subnodes and values so they
can also be used to return a list of the intermediate blocks.  This
is so we can delete those intermediate blocks (in a later commit).

We also introduce an offset_list structure which is used for collecting
lists of offsets, ie. lists of nodes, values or blocks.

Note that this commit should not change the semantics of the code.

14 years agohivex: Add value_any callback to the visitor.
Richard Jones [Tue, 19 Jan 2010 10:06:00 +0000 (10:06 +0000)]
hivex: Add value_any callback to the visitor.

The visitor currently contains lots of value_* callbacks, such as
value_string which is called back when the value has type string.

This is fine but it makes it complicated to deal with the case where
you just want to see 'a value', and don't care about its type.

The value_any callback allows visitors to see values generically.

14 years agohivex: Move header checksum code into a function.
Richard Jones [Mon, 18 Jan 2010 17:56:13 +0000 (17:56 +0000)]
hivex: Move header checksum code into a function.

This function can be reused later.

14 years agohivex: page 'offset_next' field is really 'page_size'.
Richard Jones [Mon, 18 Jan 2010 15:24:16 +0000 (15:24 +0000)]
hivex: page 'offset_next' field is really 'page_size'.

The documentation, as usual, is contradictory.  However this
field is definitely the page size in all observed registries.
Furthermore the following field marked 'unknown' is always
zero, although this contradicts what the sentinelchicken.com
paper says.