hivex.git
14 years agohivex: Implement deleting child nodes.
Richard Jones [Wed, 3 Feb 2010 18:10:38 +0000 (18:10 +0000)]
hivex: Implement deleting child nodes.

14 years agohivex: Add flags argument to internal get_children() function.
Richard Jones [Thu, 4 Feb 2010 13:24:27 +0000 (13:24 +0000)]
hivex: Add flags argument to internal get_children() function.

When we later call get_children to visit the intermediate
ri/lf/lh records, we have already deleted the subkey nk-records,
so checking that those nk-records are still valid is not very
helpful.

This commit adds a flag to turn these checks off.

14 years agohivex: Don't die on valid registries which have bad declared data lengths.
Richard Jones [Thu, 4 Feb 2010 13:26:04 +0000 (13:26 +0000)]
hivex: Don't die on valid registries which have bad declared data lengths.

Some apparently valid registries contain value data length
declarations which exceed the allocated block size for the
value.

Previously the code would return EFAULT for such registries.
However since these appear to be otherwise valid registries,
turn this into a warning and just use the allocated block size
as the data length (in other words, truncate the value).

14 years agohivex: Minimal registry example.
Richard Jones [Wed, 3 Feb 2010 18:09:52 +0000 (18:09 +0000)]
hivex: Minimal registry example.

This is the smallest registry you can make and still have it
load correctly in Windows regedit.

14 years agohivexsh: Add 'setval' and 'commit' commands.
Richard Jones [Wed, 3 Feb 2010 18:04:31 +0000 (18:04 +0000)]
hivexsh: Add 'setval' and 'commit' commands.

This adds the 'setval' and 'commit' commands to the hivex shell.

Also adds some example scripts showing use of these.

14 years agohivex: Begin implementation of writing to hives.
Richard Jones [Wed, 3 Feb 2010 17:59:03 +0000 (17:59 +0000)]
hivex: Begin implementation of writing to hives.

This implements hivex_node_set_values which is used to
delete the (key, value) pairs at a node and optionally
replace them with a new set.

This also implements hivex_commit which is used to commit
changes to hives back to disk.

14 years agohivex: Add HIVEX_OPEN_WRITE flag to allow hive to be opened for writing.
Richard Jones [Mon, 18 Jan 2010 11:08:56 +0000 (11:08 +0000)]
hivex: Add HIVEX_OPEN_WRITE flag to allow hive to be opened for writing.

If this flag is omitted (as in the case for all existing callers)
then the hive is still opened read-only.

We add a 'writable' flag to the hive handle, and we change the way
that the hive file (data) is stored.  The data is still mmapped if
the file is opened read-only, since that is more efficient and allows
us to handle larger hives.  However if we need to write to the file
then we have to read it all into memory, since if we had to extend the
file we need to realloc that data.

Note the manpage section L</WRITING TO HIVE FILES> comes in a later
commit.

14 years agoTools for analyzing and reverse engineering hive files.
Richard Jones [Wed, 3 Feb 2010 17:35:53 +0000 (17:35 +0000)]
Tools for analyzing and reverse engineering hive files.

This commit is not of general interest.  It contains the tools which
I used to reverse engineer the hive format and to test changes.
Keeping these with the rest of the code is useful in case in future
we encounter a hive file that we fail to modify.

Note that the tools are not compiled by default.  You have to compile
each explicitly with:

  make -C hivex/tools <toolname>.opt

You will also need ocaml-extlib-devel and ocaml-bitstring-devel.

14 years agohivexsh: Change some exit(1) -> exit(EXIT_FAILURE)
Richard Jones [Wed, 3 Feb 2010 17:52:05 +0000 (17:52 +0000)]
hivexsh: Change some exit(1) -> exit(EXIT_FAILURE)

14 years agohivexsh: Only print final \n when interactive.
Richard Jones [Wed, 3 Feb 2010 17:50:51 +0000 (17:50 +0000)]
hivexsh: Only print final \n when interactive.

When hivexsh was called non-interactively, it would print an
annoying extra line.  Only print this line if we are being
used interactively.

14 years agohivexsh: Change handling of prompt argument to rl_gets()
Richard Jones [Wed, 3 Feb 2010 17:48:37 +0000 (17:48 +0000)]
hivexsh: Change handling of prompt argument to rl_gets()

Make the result of isatty into a global variable (is_tty).

Change the rl_gets() function so it takes the prompt string
instead of a "display prompt?" flag.  rl_gets() then consults
the global to find out if it should display the prompt at all.

14 years agoDocument that this flag is clear for default keys.
Richard Jones [Wed, 3 Feb 2010 17:45:20 +0000 (17:45 +0000)]
Document that this flag is clear for default keys.

14 years agoMisc documentation and gitignore update.
Richard Jones [Wed, 3 Feb 2010 17:44:39 +0000 (17:44 +0000)]
Misc documentation and gitignore update.

14 years agoMove htole*/le*toh macros into a separate header file.
Richard Jones [Wed, 3 Feb 2010 17:41:15 +0000 (17:41 +0000)]
Move htole*/le*toh macros into a separate header file.

This allows us to reuse these macros in hivexsh later.

14 years agohivex: Reimplement hivexget as a simple shell script.
Richard Jones [Fri, 29 Jan 2010 19:12:34 +0000 (19:12 +0000)]
hivex: Reimplement hivexget as a simple shell script.

hivexget is currently a large C program.  Now that we have hivexsh
(the shell) we can reimplement hivexget as a simple bash script that
calls out to hivexsh.

14 years agohivex: Add 'hivexsh' program (shell for navigating registry hives).
Richard Jones [Fri, 29 Jan 2010 12:18:30 +0000 (12:18 +0000)]
hivex: Add 'hivexsh' program (shell for navigating registry hives).

14 years agoSet locale in C programs so l10n works (RHBZ#559962).
Richard Jones [Fri, 29 Jan 2010 14:56:13 +0000 (14:56 +0000)]
Set locale in C programs so l10n works (RHBZ#559962).

This commit adds the calls to setlocale &c to all of the current
C programs.

It also adds l10n support to hivexget and hivexml which lacked them
previously.

To test this, try:

LANG=pa_IN.UTF-8 guestfish --cmd-help

(You can only do this test after installing the package, or at
least the 'pa.mo' mo-file in the correct place).

14 years agohivex: Const-correctness fix on header_checksum (thanks Jim Meyering).
Richard Jones [Thu, 28 Jan 2010 17:39:06 +0000 (17:39 +0000)]
hivex: Const-correctness fix on header_checksum (thanks Jim Meyering).

14 years agohivex: Update some previously unknown nk-record fields.
Richard Jones [Thu, 28 Jan 2010 16:25:19 +0000 (16:25 +0000)]
hivex: Update some previously unknown nk-record fields.

Update these fields with what we found out from reverse engineering
the file.  Also bring the unknownX field names into line with
visualizer.ml.

14 years agohivex: Fix calculation of block size for vk data blocks.
Richard Jones [Thu, 21 Jan 2010 17:07:42 +0000 (17:07 +0000)]
hivex: Fix calculation of block size for vk data blocks.

14 years agohivex: Display incorrect block size as unsigned in an error message.
Richard Jones [Thu, 21 Jan 2010 17:07:21 +0000 (17:07 +0000)]
hivex: Display incorrect block size as unsigned in an error message.

14 years agohivex: display bad block offset in hex
Richard Jones [Thu, 21 Jan 2010 16:19:49 +0000 (16:19 +0000)]
hivex: display bad block offset in hex

14 years agohivex: hive type in vk-record is an unsigned 32 bit int
Richard Jones [Thu, 21 Jan 2010 16:19:26 +0000 (16:19 +0000)]
hivex: hive type in vk-record is an unsigned 32 bit int

14 years agohivex: Add missing le32toh conversion around field access.
Richard Jones [Tue, 19 Jan 2010 15:21:06 +0000 (15:21 +0000)]
hivex: Add missing le32toh conversion around field access.

This was missing.  It only worked because we test on a little
endian platform.

14 years agohivex: Clarify some more fields.
Richard Jones [Tue, 19 Jan 2010 15:20:36 +0000 (15:20 +0000)]
hivex: Clarify some more fields.

Taken from sentinelchicken.com documentation.

14 years agohivex: Modify children/values functions to return intermediate blocks.
Richard Jones [Tue, 19 Jan 2010 12:22:10 +0000 (12:22 +0000)]
hivex: Modify children/values functions to return intermediate blocks.

Modify the functions that return child subnodes and values so they
can also be used to return a list of the intermediate blocks.  This
is so we can delete those intermediate blocks (in a later commit).

We also introduce an offset_list structure which is used for collecting
lists of offsets, ie. lists of nodes, values or blocks.

Note that this commit should not change the semantics of the code.

14 years agohivex: Add value_any callback to the visitor.
Richard Jones [Tue, 19 Jan 2010 10:06:00 +0000 (10:06 +0000)]
hivex: Add value_any callback to the visitor.

The visitor currently contains lots of value_* callbacks, such as
value_string which is called back when the value has type string.

This is fine but it makes it complicated to deal with the case where
you just want to see 'a value', and don't care about its type.

The value_any callback allows visitors to see values generically.

14 years agohivex: Move header checksum code into a function.
Richard Jones [Mon, 18 Jan 2010 17:56:13 +0000 (17:56 +0000)]
hivex: Move header checksum code into a function.

This function can be reused later.

14 years agohivex: page 'offset_next' field is really 'page_size'.
Richard Jones [Mon, 18 Jan 2010 15:24:16 +0000 (15:24 +0000)]
hivex: page 'offset_next' field is really 'page_size'.

The documentation, as usual, is contradictory.  However this
field is definitely the page size in all observed registries.
Furthermore the following field marked 'unknown' is always
zero, although this contradicts what the sentinelchicken.com
paper says.

14 years agohivex: Collect more statistics about registries.
Richard Jones [Mon, 18 Jan 2010 14:14:40 +0000 (14:14 +0000)]
hivex: Collect more statistics about registries.

14 years agohivex: Store filename in hive handle.
Richard Jones [Mon, 18 Jan 2010 10:58:06 +0000 (10:58 +0000)]
hivex: Store filename in hive handle.

14 years agohivex: Various improvements in header parsing, thanks to better documentation.
Richard Jones [Fri, 15 Jan 2010 14:06:32 +0000 (14:06 +0000)]
hivex: Various improvements in header parsing, thanks to better documentation.

14 years agohivex: Print header fields. Print all offsets in hex (in debug output).
Richard Jones [Fri, 15 Jan 2010 12:42:02 +0000 (12:42 +0000)]
hivex: Print header fields.  Print all offsets in hex (in debug output).

14 years agohivex: Reenable checksum calculations, but don't check result.
Richard Jones [Fri, 15 Jan 2010 12:41:34 +0000 (12:41 +0000)]
hivex: Reenable checksum calculations, but don't check result.

14 years agohivex: Update documentation.
Richard Jones [Fri, 15 Jan 2010 12:40:56 +0000 (12:40 +0000)]
hivex: Update documentation.

14 years agohivex: Send all debug messages to stderr.
Richard Jones [Thu, 14 Jan 2010 16:46:13 +0000 (16:46 +0000)]
hivex: Send all debug messages to stderr.

14 years agohivex: Remove stray debugging message.
Richard Jones [Thu, 14 Jan 2010 16:45:59 +0000 (16:45 +0000)]
hivex: Remove stray debugging message.

14 years agohivex: Documentation: Add environment variables section.
Richard Jones [Thu, 14 Jan 2010 16:29:47 +0000 (16:29 +0000)]
hivex: Documentation: Add environment variables section.

14 years agohivex: Whitespace change.
Richard Jones [Thu, 14 Jan 2010 16:29:40 +0000 (16:29 +0000)]
hivex: Whitespace change.

14 years agohivex: Move STR* macros into C file.
Richard Jones [Thu, 14 Jan 2010 16:21:47 +0000 (16:21 +0000)]
hivex: Move STR* macros into C file.

Don't pollute the public header file with these macros.

14 years agohivex: Small updates to the documentation.
Richard Jones [Thu, 14 Jan 2010 13:26:46 +0000 (13:26 +0000)]
hivex: Small updates to the documentation.

14 years agomaint: use EXIT_* symbol (not constant, 2) to indicate key/path not found
Jim Meyering [Fri, 20 Nov 2009 11:18:06 +0000 (12:18 +0100)]
maint: use EXIT_* symbol (not constant, 2) to indicate key/path not found

* hivex/hivexget.c (EXIT_NOT_FOUND): Define.
(main): Use exit (EXIT_NOT_FOUND), not "exit (2)".

14 years agomaint: use EXIT_SUCCESS and EXIT_FAILURE, not 0 and 1 to exit
Jim Meyering [Fri, 20 Nov 2009 11:09:42 +0000 (12:09 +0100)]
maint: use EXIT_SUCCESS and EXIT_FAILURE, not 0 and 1 to exit

Convert all uses automatically, via these two commands:
git grep -l '\<exit *(1)' \
  | grep -vEf .x-sc_prohibit_magic_number_exit \
  | xargs --no-run-if-empty \
    perl -pi -e 's/\b(exit ?)\(1\)/$1(EXIT_FAILURE)/'
git grep -l '\<exit *(0)' \
  | grep -vEf .x-sc_prohibit_magic_number_exit \
  | xargs --no-run-if-empty \
  perl -pi -e 's/\b(exit ?)\(0\)/$1(EXIT_SUCCESS)/'
* .x-sc_prohibit_magic_number_exit: New file.

Edit (RWMJ): Don't change Java code.

14 years agouse STREQ, not strcmp: part 1
Jim Meyering [Mon, 9 Nov 2009 13:30:11 +0000 (14:30 +0100)]
use STREQ, not strcmp: part 1

git grep -l 'strcmp *([^=]*== *0'|xargs \
  perl -pi -e 's/\bstrcmp( *\(.*?\)) *== *0/STREQ$1/g'

14 years agochange strncmp() == 0 to STREQLEN()
Jim Meyering [Mon, 9 Nov 2009 13:26:21 +0000 (14:26 +0100)]
change strncmp() == 0 to STREQLEN()

git grep -l 'strncmp *([^=]*== *0'|xargs \
  perl -pi -e 's/\bstrncmp( *\(.*?\)) *== *0\b/STREQLEN$1/g'

14 years agoconvert uses of strcasecmp to STRCASEEQ
Jim Meyering [Mon, 9 Nov 2009 12:58:42 +0000 (13:58 +0100)]
convert uses of strcasecmp to STRCASEEQ

git grep -l 'strcasecmp *([^=]*== *0'| xargs \
  perl -pi -e 's/\bstrcasecmp( *\(.*?\)) *== *0/STRCASEEQ$1/'

14 years agodefine STREQ, STRNEQ, STREQLEN, STRCASEQ, etc.
Jim Meyering [Mon, 9 Nov 2009 18:50:22 +0000 (19:50 +0100)]
define STREQ, STRNEQ, STREQLEN, STRCASEQ, etc.

* src/guestfs.h: Define STREQ and company.
* daemon/daemon.h: Likewise.
* hivex/hivex.h: Likewise.

14 years agoindent with spaces, not TABs
Jim Meyering [Mon, 9 Nov 2009 14:14:53 +0000 (15:14 +0100)]
indent with spaces, not TABs

* HACKING: Expand indentation TABs.
* configure.ac: Likewise.
* daemon/daemon.h: Likewise.
* daemon/guestfsd.c: Likewise.
* fuse/guestmount.c: Likewise.
* hivex/LICENSE: Likewise.
* src/generator.ml: Likewise.
* tools/virt-win-reg: Likewise.

14 years agoplacate 'make syntax-check'
Jim Meyering [Mon, 9 Nov 2009 14:08:09 +0000 (15:08 +0100)]
placate 'make syntax-check'

* hivex/hivex.c: Remove unused "#include <assert.h>".

14 years agohivex: fail upon integer overflow
Jim Meyering [Tue, 3 Nov 2009 17:55:21 +0000 (18:55 +0100)]
hivex: fail upon integer overflow

* hivex/hivex.c (windows_utf16_to_utf8): Avoid overflow and a
potential infloop.

14 years agohivex: Check unchecked calloc (Jim Meyering).
Richard Jones [Wed, 4 Nov 2009 11:33:29 +0000 (11:33 +0000)]
hivex: Check unchecked calloc (Jim Meyering).

14 years agoAdd HTML documentation to website.
Richard Jones [Thu, 29 Oct 2009 20:33:27 +0000 (20:33 +0000)]
Add HTML documentation to website.

14 years agoFix misspelling in previous commit.
Richard Jones [Thu, 29 Oct 2009 18:46:46 +0000 (18:46 +0000)]
Fix misspelling in previous commit.

14 years agoRHEL 5: Also add le{16,64}toh functions
Richard Jones [Thu, 29 Oct 2009 18:36:12 +0000 (18:36 +0000)]
RHEL 5: Also add le{16,64}toh functions

14 years agoRHEL 5: Detect endianness functions and supply them.
Richard Jones [Thu, 29 Oct 2009 17:54:48 +0000 (17:54 +0000)]
RHEL 5: Detect endianness functions and supply them.

14 years agoPrepare for version 1.0.75.
Richard Jones [Thu, 29 Oct 2009 16:44:09 +0000 (16:44 +0000)]
Prepare for version 1.0.75.

14 years agoSupport for Windows Registry.
Richard Jones [Fri, 19 Feb 2010 14:33:40 +0000 (14:33 +0000)]
Support for Windows Registry.

In hivex/:  This mini-library allows us to extract Windows
Registry binary files ("hives").

There are also two tools: hivexml converts a hive to a
self-describing XML format.  hivexget can be used to extract
single subkeys from a hive.