Commit message | Author | Age | Files | Lines
Also this adds a regression test so we don't break it in future.
The infrastructure for modified-time reporting has been essentially
unused. These changes report the registry time by treating the
time fields as Windows filetime fields stored in little-endian
(which means they can be treated as a single 64-bit little-endian
integer).
This patch adds to the hivex ABI:
* int64_t hivex_last_modified (hive_h *)
* int64_t hivex_node_timestamp (hive_h *, hive_node_h)
These two functions return the hive's last-modified time and
a particular node's last-modified time, respectively. Credit
to Richard Jones for the ABI suggestion, and for the tip on
Microsoft's filetime time span.
hivexml employs these two functions to produce mtime elements
for a hive and all of its nodes, producing ISO-8601 formatted
time.
Signed-off-by: Alex Nelson <ajnelson@cs.ucsc.edu>
A lot of code cleanup by RWMJ.
A couple of fixes by RWMJ so it still works in the same directory case.
Since the file has been completely read into memory, there is no
reason to keep the file descriptor open.
* lib/byte_conversions.h: Remove #ifdef HAVE_BYTESWAP_H guard.
With gnulib, we're guaranteed to have that header file.
* bootstrap (modules): Use the byteswap module.
now that we're using gnulib's fcntl module, which ensures
that we use a conforming <fcntl.h>.
* lib/hivex.c (O_CLOEXEC): Remove definition.
* bootstrap (modules): Add fcntl for its guaranteed definition
of O_CLOEXEC.
* lib/hivex.c (hivex_node_set_value): Remove unnecessary
test-before-free.
Previously we returned errno == ENOKEY. However this was an
unfortunate choice of error code since it is not defined in POSIX. As
a result it is missing on several platforms.
HIVEX_NO_KEY is defined as ENOKEY on platforms where this symbol
exists (thus maintaining backwards ABI compatibility), and defined as
another POSIX error code otherwise.
* Richard W.M. Jones:
> > Both size_t and int are 32 bit values. An endianness issue, maybe?
> I guess it might be. We're supposed to be doing le32toh / be32toh
> everywhere as appropriate, but we might be missing one. The code is
> mainly tested on little endian arches.
Found it.
Now "make check" completes successfully on Sparc and PowerPC.
* lib/hivex.c: Split lines longer than 80 columns.
If hivex_value_multiple_strings was given a value which had an odd
length or if the data in the value was unterminated,
hivex_value_multiple_strings could read uninitialized data.
Potentially (although very unlikely) this could cause a
non-exploitable segfault in the calling program.
If the length of the buffer is not even, then this would read a byte
of uninitialized data. Fix the length check to avoid this.
In real registries, often the length declared in the header does not
match the length of the block. In this case hivex_value_value would
only allocate a value with a size which is the shorter of the two
length values, which is correct and safe.
However user code could do:

    buf = hivex_value_value (h, v, &t, &len);
    memcpy (somewhere, buf, len);

which would copy uninitialized data.
If hivex_value_value truncates a value like this, we also need to
return the shorter length to the user as well.
The previous commit b71b88f588f8660935a7d462e97b84aa2d669249 attempted
to fix this, but got the test the wrong way round so the length would
never be shorter.
Found using valgrind.
Thanks to Hilko Bengen for characterizing the issue and
providing an initial version of this patch.
Make sure all new block allocations (from allocate_block)
are zeroed. It can happen that junk from previous hive pages
can end up in new block allocations, if the hive previously
shrank.
(Thanks to Marko Myllynen for finding an example where this
happened).
I was sent a genuine Windows XP hive by Marko Myllynen which
had a key with > 1000 values attached.
Windows 7 registry has a hive key which contains 11908 subkeys,
larger than the existing limit (10000). The key is:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners