documentation; link hivexml against libgnu.
Since some modules (`getopt', for example) may copy files
into the build directory, `top_builddir/lib' is needed as well as
`top_srcdir/lib'. -- GNU Gnulib manual, section 2.2 Initial import
This fixes an in-tree build failure on a Debian/sid system (see
below). hivexml could be built out-of-tree, but it turned out that due
to a missing include path, in this case the system's getopt
implementation was used instead of Gnulib's.
make[2]: Entering directory `«SRCDIR»/xml'
gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -DLOCALEBASEDIR=\""/usr/local/share/locale"\" -I../gnulib/lib -I../lib -I/usr/include/libxml2 -g -O2 -MT hivexml-hivexml.o -MD -MP -MF .deps/hivexml-hivexml.Tpo -c -o hivexml-hivexml.o `test -f 'hivexml.c' || echo './'`hivexml.c
mv -f .deps/hivexml-hivexml.Tpo .deps/hivexml-hivexml.Po
/bin/bash ../libtool --tag=CC --mode=link gcc -std=gnu99 -DLOCALEBASEDIR=\""/usr/local/share/locale"\" -I../gnulib/lib -I../lib -I/usr/include/libxml2 -g -O2 -o hivexml hivexml-hivexml.o ../lib/libhivex.la -lxml2
libtool: link: gcc -std=gnu99 -DLOCALEBASEDIR=\"/usr/local/share/locale\" -I../gnulib/lib -I../lib -I/usr/include/libxml2 -g -O2 -o .libs/hivexml hivexml-hivexml.o ../lib/.libs/libhivex.so /usr/lib/libxml2.so
hivexml-hivexml.o: In function `main':
«SRCDIR»/xml/hivexml.c:96: undefined reference to `rpl_getopt'
«SRCDIR»/xml/hivexml.c:110: undefined reference to `rpl_optind'
«SRCDIR»/xml/hivexml.c:154: undefined reference to `rpl_optind'
collect2: ld returned 1 exit status
make[2]: *** [hivexml] Error 1
make[2]: Leaving directory `«SRCDIR»/xml'
(Updates by RWMJ)
This patch adds hivex_node_struct_length and hivex_value_struct_length
to the hivex ABI, to report the amount of hive space used for each
stored structure.
Signed-off-by: Alex Nelson <ajnelson@cs.ucsc.edu>
A fix added by RWMJ.
This function breaks the value name calculation out so the name does
not need to be fetched and immediately thrown away when one only needs
the name.
Signed-off-by: Alex Nelson <ajnelson@cs.ucsc.edu>
RWMJ fixed hivex_value_key handling of errno.
Also this adds a regression test so we don't break it in future.
The infrastructure for modified-time reporting has been essentially
unused. These changes report the registry time by treating the
time fields as Windows filetime fields stored in little-Endian
(which means they can be treated as a single 64-bit little-Endian
integer).
This patch adds to the hivex ABI:
* int64_t hivex_last_modified (hive_h *)
* int64_t hivex_node_timestamp (hive_h *, hive_node_h)
These two functions return the hive's last-modified time and
a particular node's last-modified time, respectively. Credit
to Richard Jones for the ABI suggestion, and for the tip on
Microsoft's filetime time span.
hivexml employs these two functions to produce mtime elements
for a hive and all of its nodes, producing ISO-8601 formatted
time.
Signed-off-by: Alex Nelson <ajnelson@cs.ucsc.edu>
A lot of code cleanup by RWMJ.
A couple of fixes by RWMJ so it still works in the same directory case.
Since the file has been completely read into memory, there is no
reason to keep the file descriptor open.
* lib/byte_conversions.h: Remove #ifdef HAVE_BYTESWAP_H guard.
With gnulib, we're guaranteed to have that header file.
* bootstrap (modules): Use the byteswap module.
now that we're using gnulib's fcntl module, which ensures
that we use a conforming <fcntl.h>.
* lib/hivex.c (O_CLOEXEC): Remove definition.
* bootstrap (modules): Add fcntl for its guaranteed definition
of O_CLOEXEC.
* lib/hivex.c (hivex_node_set_value): Remove unnecessary
test-before-free.
Previously we returned errno == ENOKEY. However this was an
unfortunate choice of error code since it is not defined in POSIX. As
a result it is missing on several platforms.
HIVEX_NO_KEY is defined as ENOKEY on platforms where this symbol
exists (thus maintaining backwards ABI compatibility), and defined as
another POSIX error code otherwise.
* Richard W.M. Jones:
> > Both size_t and int are 32 bit values. An endianness issue, maybe?
> I guess it might be. We're supposed to be doing le32toh / be32toh
> everywhere as appropriate, but we might be missing one. The code is
> mainly tested on little endian arches.
Found it.
Now "make check" completes successfully on Sparc and PowerPC.
* lib/hivex.c: Split lines longer than 80 columns.
If hivex_value_multiple_strings was given a value which had an odd
length or if the data in the value was unterminated,
hivex_value_multiple_strings could read uninitialized data.
Potentially (although very unlikely) this could cause a
non-exploitable segfault in the calling program.
If the length of the buffer is not even, then this would read a byte
of uninitialized data. Fix the length check to avoid this.
In real registries, often the length declared in the header does not
match the length of the block. In this case hivex_value_value would
only allocate a value with a size which is the shorter of the two
length values, which is correct and safe.
However user code could do:
buf = hivex_value_value (h, v, &t, &len);
memcpy (somewhere, buf, len);
which would copy uninitialized data.
If hivex_value_value truncates a value like this, we also need to
return the shorter length to the user as well.
The previous commit b71b88f588f8660935a7d462e97b84aa2d669249 attempted
to fix this, but got the test the wrong way round so the length would
never be shorter.
Found using valgrind.
Thanks to Hilko Bengen for characterizing the issue and
providing an initial version of this patch.
Make sure all new block allocations (from allocate_block)
are zeroed. It can happen that junk from previous hive pages
can end up in new block allocations, if the hive previously
shrank.
(Thanks to Marko Myllynen for finding an example where this
happened).
I was sent a genuine Windows XP hive by Marko Myllynen which
had a key with > 1000 values attached.
Windows 7 registry has a hive key which contains 11908 subkeys,
larger than the existing limit (10000). The key is:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners