summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--.gitignore9
-rw-r--r--HACKING7
-rw-r--r--Makefile.am6
-rw-r--r--README2
-rw-r--r--configure.ac17
-rw-r--r--hivex/LICENSE506
-rw-r--r--hivex/Makefile.am141
-rw-r--r--hivex/README35
-rw-r--r--hivex/byte_conversions.h89
-rwxr-xr-xhivex/example140
-rwxr-xr-xhivex/example247
-rwxr-xr-xhivex/example353
-rwxr-xr-xhivex/example434
-rwxr-xr-xhivex/example554
-rwxr-xr-xhivex/example6126
-rw-r--r--hivex/hivex.c2557
-rw-r--r--hivex/hivex.h131
-rw-r--r--hivex/hivex.pod655
-rwxr-xr-xhivex/hivexget43
-rw-r--r--hivex/hivexget.pod95
-rw-r--r--hivex/hivexml.c345
-rw-r--r--hivex/hivexml.pod65
-rw-r--r--hivex/hivexsh.c1094
-rw-r--r--hivex/hivexsh.pod287
-rw-r--r--hivex/t/Makefile.am18
-rw-r--r--hivex/t/README9
-rwxr-xr-xhivex/t/minimalbin8192 -> 0 bytes
-rw-r--r--hivex/tools/Makefile.am56
-rw-r--r--hivex/tools/clearheaderfields.ml112
-rw-r--r--hivex/tools/counter.ml86
-rw-r--r--hivex/tools/counter.mli69
-rw-r--r--hivex/tools/fillemptyhbins.ml74
-rw-r--r--hivex/tools/truncatefile.ml112
-rw-r--r--hivex/tools/visualizer.ml984
-rw-r--r--hivex/tools/visualizer_NT_time.ml30
-rw-r--r--hivex/tools/visualizer_utils.ml163
-rw-r--r--po/POTFILES.in3
-rw-r--r--src/guestfs.pod8
-rwxr-xr-xtools/run-locally1
39 files changed, 20 insertions, 8143 deletions
diff --git a/.gitignore b/.gitignore
index 899e973c..a18908f8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -80,18 +80,9 @@ haskell/Guestfs010Launch
haskell/Guestfs050LVCreate
haskell/Guestfs.hs
*.hi
-hivex/*.1
-hivex/*.3
-hivex/hivexsh
-hivex/hivexml
-hivex/tools/*.opt
html/guestfish.1.html
html/guestfs.3.html
html/guestmount.1.html
-html/hivex.3.html
-html/hivexget.1.html
-html/hivexsh.1.html
-html/hivexml.1.html
html/recipes.html
html/virt-cat.1.html
html/virt-df.1.html
diff --git a/HACKING b/HACKING
index 7dbc360e..900980a8 100644
--- a/HACKING
+++ b/HACKING
@@ -92,9 +92,10 @@ fuse/
haskell/
Haskell bindings.
-hivex/
- Hive extraction library, for reading Windows Registry files.
- See hivex/README for more details.
+hivex/ [removed in 1.0.85]
+ This used to contain the hivex library for reading and
+ writing Windows Registry binary hive files. This is now
+ available as a separate upstream project.
images/
Some guest images to test against. These are gzipped to save
diff --git a/Makefile.am b/Makefile.am
index 0abe3dd0..c1fc85d6 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -19,7 +19,7 @@ include $(top_srcdir)/subdir-rules.mk
ACLOCAL_AMFLAGS = -I m4
-SUBDIRS = gnulib/lib hivex src daemon appliance fish po examples images \
+SUBDIRS = gnulib/lib src daemon appliance fish po examples images \
gnulib/tests capitests regressions test-tool
# NB: Must build inspector directory after perl and before ocaml.
@@ -118,10 +118,6 @@ HTMLFILES = \
html/guestfs.3.html \
html/guestfish.1.html \
html/guestmount.1.html \
- html/hivex.3.html \
- html/hivexget.1.html \
- html/hivexml.1.html \
- html/hivexsh.1.html \
html/virt-cat.1.html \
html/virt-df.1.html \
html/virt-edit.1.html \
diff --git a/README b/README
index 42e77779..8ad0d65e 100644
--- a/README
+++ b/README
@@ -52,7 +52,7 @@ Requirements
- genisoimage / mkisofs
-- libxml2
+- (Optional) hivex to build Windows Registry support
- (Optional) FUSE to build the FUSE module
diff --git a/configure.ac b/configure.ac
index 1ba449e5..744d24a6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -422,10 +422,16 @@ dnl For i18n.
AM_GNU_GETTEXT([external])
AM_GNU_GETTEXT_VERSION([0.17])
-dnl libxml2 is used by the hivex library.
-PKG_CHECK_MODULES([LIBXML2], [libxml-2.0])
-AC_SUBST([LIBXML2_CFLAGS])
-AC_SUBST([LIBXML2_LIBS])
+dnl hivex library (highly recommended).
+dnl This used to be a part of libguestfs, but was spun off into its
+dnl own separate upstream project in libguestfs 1.0.85.
+HAVE_HIVEX=yes
+PKG_CHECK_MODULES([HIVEX], [hivex],,[
+ HAVE_HIVEX=no
+ AC_MSG_WARN([Hivex library and headers are missing, so optional Windows Registry tools won't be built])])
+AM_CONDITIONAL([HAVE_HIVEX],[test "x$HAVE_HIVEX" = "xyes"])
+AC_SUBST([HIVEX_CFLAGS])
+AC_SUBST([HIVEX_LIBS])
dnl FUSE is optional to build the FUSE module.
HAVE_FUSE=yes
@@ -736,9 +742,6 @@ AC_CONFIG_FILES([Makefile
libguestfs.pc
gnulib/lib/Makefile
gnulib/tests/Makefile
- hivex/Makefile
- hivex/t/Makefile
- hivex/tools/Makefile
fuse/Makefile
ocaml/META perl/Makefile.PL])
AC_OUTPUT
diff --git a/hivex/LICENSE b/hivex/LICENSE
deleted file mode 100644
index 38dec6da..00000000
--- a/hivex/LICENSE
+++ /dev/null
@@ -1,506 +0,0 @@
-This is the license for the hivex library.
-
-----------------------------------------------------------------------
-
- GNU LESSER GENERAL PUBLIC LICENSE
- Version 2.1, February 1999
-
- Copyright (C) 1991, 1999 Free Software Foundation, Inc.
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-[This is the first released version of the Lesser GPL. It also counts
- as the successor of the GNU Library Public License, version 2, hence
- the version number 2.1.]
-
- Preamble
-
- The licenses for most software are designed to take away your
-freedom to share and change it. By contrast, the GNU General Public
-Licenses are intended to guarantee your freedom to share and change
-free software--to make sure the software is free for all its users.
-
- This license, the Lesser General Public License, applies to some
-specially designated software packages--typically libraries--of the
-Free Software Foundation and other authors who decide to use it. You
-can use it too, but we suggest you first think carefully about whether
-this license or the ordinary General Public License is the better
-strategy to use in any particular case, based on the explanations below.
-
- When we speak of free software, we are referring to freedom of use,
-not price. Our General Public Licenses are designed to make sure that
-you have the freedom to distribute copies of free software (and charge
-for this service if you wish); that you receive source code or can get
-it if you want it; that you can change the software and use pieces of
-it in new free programs; and that you are informed that you can do
-these things.
-
- To protect your rights, we need to make restrictions that forbid
-distributors to deny you these rights or to ask you to surrender these
-rights. These restrictions translate to certain responsibilities for
-you if you distribute copies of the library or if you modify it.
-
- For example, if you distribute copies of the library, whether gratis
-or for a fee, you must give the recipients all the rights that we gave
-you. You must make sure that they, too, receive or can get the source
-code. If you link other code with the library, you must provide
-complete object files to the recipients, so that they can relink them
-with the library after making changes to the library and recompiling
-it. And you must show them these terms so they know their rights.
-
- We protect your rights with a two-step method: (1) we copyright the
-library, and (2) we offer you this license, which gives you legal
-permission to copy, distribute and/or modify the library.
-
- To protect each distributor, we want to make it very clear that
-there is no warranty for the free library. Also, if the library is
-modified by someone else and passed on, the recipients should know
-that what they have is not the original version, so that the original
-author's reputation will not be affected by problems that might be
-introduced by others.
-
- Finally, software patents pose a constant threat to the existence of
-any free program. We wish to make sure that a company cannot
-effectively restrict the users of a free program by obtaining a
-restrictive license from a patent holder. Therefore, we insist that
-any patent license obtained for a version of the library must be
-consistent with the full freedom of use specified in this license.
-
- Most GNU software, including some libraries, is covered by the
-ordinary GNU General Public License. This license, the GNU Lesser
-General Public License, applies to certain designated libraries, and
-is quite different from the ordinary General Public License. We use
-this license for certain libraries in order to permit linking those
-libraries into non-free programs.
-
- When a program is linked with a library, whether statically or using
-a shared library, the combination of the two is legally speaking a
-combined work, a derivative of the original library. The ordinary
-General Public License therefore permits such linking only if the
-entire combination fits its criteria of freedom. The Lesser General
-Public License permits more lax criteria for linking other code with
-the library.
-
- We call this license the "Lesser" General Public License because it
-does Less to protect the user's freedom than the ordinary General
-Public License. It also provides other free software developers Less
-of an advantage over competing non-free programs. These disadvantages
-are the reason we use the ordinary General Public License for many
-libraries. However, the Lesser license provides advantages in certain
-special circumstances.
-
- For example, on rare occasions, there may be a special need to
-encourage the widest possible use of a certain library, so that it becomes
-a de-facto standard. To achieve this, non-free programs must be
-allowed to use the library. A more frequent case is that a free
-library does the same job as widely used non-free libraries. In this
-case, there is little to gain by limiting the free library to free
-software only, so we use the Lesser General Public License.
-
- In other cases, permission to use a particular library in non-free
-programs enables a greater number of people to use a large body of
-free software. For example, permission to use the GNU C Library in
-non-free programs enables many more people to use the whole GNU
-operating system, as well as its variant, the GNU/Linux operating
-system.
-
- Although the Lesser General Public License is Less protective of the
-users' freedom, it does ensure that the user of a program that is
-linked with the Library has the freedom and the wherewithal to run
-that program using a modified version of the Library.
-
- The precise terms and conditions for copying, distribution and
-modification follow. Pay close attention to the difference between a
-"work based on the library" and a "work that uses the library". The
-former contains code derived from the library, whereas the latter must
-be combined with the library in order to run.
-
- GNU LESSER GENERAL PUBLIC LICENSE
- TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
- 0. This License Agreement applies to any software library or other
-program which contains a notice placed by the copyright holder or
-other authorized party saying it may be distributed under the terms of
-this Lesser General Public License (also called "this License").
-Each licensee is addressed as "you".
-
- A "library" means a collection of software functions and/or data
-prepared so as to be conveniently linked with application programs
-(which use some of those functions and data) to form executables.
-
- The "Library", below, refers to any such software library or work
-which has been distributed under these terms. A "work based on the
-Library" means either the Library or any derivative work under
-copyright law: that is to say, a work containing the Library or a
-portion of it, either verbatim or with modifications and/or translated
-straightforwardly into another language. (Hereinafter, translation is
-included without limitation in the term "modification".)
-
- "Source code" for a work means the preferred form of the work for
-making modifications to it. For a library, complete source code means
-all the source code for all modules it contains, plus any associated
-interface definition files, plus the scripts used to control compilation
-and installation of the library.
-
- Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope. The act of
-running a program using the Library is not restricted, and output from
-such a program is covered only if its contents constitute a work based
-on the Library (independent of the use of the Library in a tool for
-writing it). Whether that is true depends on what the Library does
-and what the program that uses the Library does.
-
- 1. You may copy and distribute verbatim copies of the Library's
-complete source code as you receive it, in any medium, provided that
-you conspicuously and appropriately publish on each copy an
-appropriate copyright notice and disclaimer of warranty; keep intact
-all the notices that refer to this License and to the absence of any
-warranty; and distribute a copy of this License along with the
-Library.
-
- You may charge a fee for the physical act of transferring a copy,
-and you may at your option offer warranty protection in exchange for a
-fee.
-
- 2. You may modify your copy or copies of the Library or any portion
-of it, thus forming a work based on the Library, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
- a) The modified work must itself be a software library.
-
- b) You must cause the files modified to carry prominent notices
- stating that you changed the files and the date of any change.
-
- c) You must cause the whole of the work to be licensed at no
- charge to all third parties under the terms of this License.
-
- d) If a facility in the modified Library refers to a function or a
- table of data to be supplied by an application program that uses
- the facility, other than as an argument passed when the facility
- is invoked, then you must make a good faith effort to ensure that,
- in the event an application does not supply such function or
- table, the facility still operates, and performs whatever part of
- its purpose remains meaningful.
-
- (For example, a function in a library to compute square roots has
- a purpose that is entirely well-defined independent of the
- application. Therefore, Subsection 2d requires that any
- application-supplied function or table used by this function must
- be optional: if the application does not supply it, the square
- root function must still compute square roots.)
-
-These requirements apply to the modified work as a whole. If
-identifiable sections of that work are not derived from the Library,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works. But when you
-distribute the same sections as part of a whole which is a work based
-on the Library, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote
-it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Library.
-
-In addition, mere aggregation of another work not based on the Library
-with the Library (or with a work based on the Library) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
- 3. You may opt to apply the terms of the ordinary GNU General Public
-License instead of this License to a given copy of the Library. To do
-this, you must alter all the notices that refer to this License, so
-that they refer to the ordinary GNU General Public License, version 2,
-instead of to this License. (If a newer version than version 2 of the
-ordinary GNU General Public License has appeared, then you can specify
-that version instead if you wish.) Do not make any other change in
-these notices.
-
- Once this change is made in a given copy, it is irreversible for
-that copy, so the ordinary GNU General Public License applies to all
-subsequent copies and derivative works made from that copy.
-
- This option is useful when you wish to copy part of the code of
-the Library into a program that is not a library.
-
- 4. You may copy and distribute the Library (or a portion or
-derivative of it, under Section 2) in object code or executable form
-under the terms of Sections 1 and 2 above provided that you accompany
-it with the complete corresponding machine-readable source code, which
-must be distributed under the terms of Sections 1 and 2 above on a
-medium customarily used for software interchange.
-
- If distribution of object code is made by offering access to copy
-from a designated place, then offering equivalent access to copy the
-source code from the same place satisfies the requirement to
-distribute the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
- 5. A program that contains no derivative of any portion of the
-Library, but is designed to work with the Library by being compiled or
-linked with it, is called a "work that uses the Library". Such a
-work, in isolation, is not a derivative work of the Library, and
-therefore falls outside the scope of this License.
-
- However, linking a "work that uses the Library" with the Library
-creates an executable that is a derivative of the Library (because it
-contains portions of the Library), rather than a "work that uses the
-library". The executable is therefore covered by this License.
-Section 6 states terms for distribution of such executables.
-
- When a "work that uses the Library" uses material from a header file
-that is part of the Library, the object code for the work may be a
-derivative work of the Library even though the source code is not.
-Whether this is true is especially significant if the work can be
-linked without the Library, or if the work is itself a library. The
-threshold for this to be true is not precisely defined by law.
-
- If such an object file uses only numerical parameters, data
-structure layouts and accessors, and small macros and small inline
-functions (ten lines or less in length), then the use of the object
-file is unrestricted, regardless of whether it is legally a derivative
-work. (Executables containing this object code plus portions of the
-Library will still fall under Section 6.)
-
- Otherwise, if the work is a derivative of the Library, you may
-distribute the object code for the work under the terms of Section 6.
-Any executables containing that work also fall under Section 6,
-whether or not they are linked directly with the Library itself.
-
- 6. As an exception to the Sections above, you may also combine or
-link a "work that uses the Library" with the Library to produce a
-work containing portions of the Library, and distribute that work
-under terms of your choice, provided that the terms permit
-modification of the work for the customer's own use and reverse
-engineering for debugging such modifications.
-
- You must give prominent notice with each copy of the work that the
-Library is used in it and that the Library and its use are covered by
-this License. You must supply a copy of this License. If the work
-during execution displays copyright notices, you must include the
-copyright notice for the Library among them, as well as a reference
-directing the user to the copy of this License. Also, you must do one
-of these things:
-
- a) Accompany the work with the complete corresponding
- machine-readable source code for the Library including whatever
- changes were used in the work (which must be distributed under
- Sections 1 and 2 above); and, if the work is an executable linked
- with the Library, with the complete machine-readable "work that
- uses the Library", as object code and/or source code, so that the
- user can modify the Library and then relink to produce a modified
- executable containing the modified Library. (It is understood
- that the user who changes the contents of definitions files in the
- Library will not necessarily be able to recompile the application
- to use the modified definitions.)
-
- b) Use a suitable shared library mechanism for linking with the
- Library. A suitable mechanism is one that (1) uses at run time a
- copy of the library already present on the user's computer system,
- rather than copying library functions into the executable, and (2)
- will operate properly with a modified version of the library, if
- the user installs one, as long as the modified version is
- interface-compatible with the version that the work was made with.
-
- c) Accompany the work with a written offer, valid for at
- least three years, to give the same user the materials
- specified in Subsection 6a, above, for a charge no more
- than the cost of performing this distribution.
-
- d) If distribution of the work is made by offering access to copy
- from a designated place, offer equivalent access to copy the above
- specified materials from the same place.
-
- e) Verify that the user has already received a copy of these
- materials or that you have already sent this user a copy.
-
- For an executable, the required form of the "work that uses the
-Library" must include any data and utility programs needed for
-reproducing the executable from it. However, as a special exception,
-the materials to be distributed need not include anything that is
-normally distributed (in either source or binary form) with the major
-components (compiler, kernel, and so on) of the operating system on
-which the executable runs, unless that component itself accompanies
-the executable.
-
- It may happen that this requirement contradicts the license
-restrictions of other proprietary libraries that do not normally
-accompany the operating system. Such a contradiction means you cannot
-use both them and the Library together in an executable that you
-distribute.
-
- 7. You may place library facilities that are a work based on the
-Library side-by-side in a single library together with other library
-facilities not covered by this License, and distribute such a combined
-library, provided that the separate distribution of the work based on
-the Library and of the other library facilities is otherwise
-permitted, and provided that you do these two things:
-
- a) Accompany the combined library with a copy of the same work
- based on the Library, uncombined with any other library
- facilities. This must be distributed under the terms of the
- Sections above.
-
- b) Give prominent notice with the combined library of the fact
- that part of it is a work based on the Library, and explaining
- where to find the accompanying uncombined form of the same work.
-
- 8. You may not copy, modify, sublicense, link with, or distribute
-the Library except as expressly provided under this License. Any
-attempt otherwise to copy, modify, sublicense, link with, or
-distribute the Library is void, and will automatically terminate your
-rights under this License. However, parties who have received copies,
-or rights, from you under this License will not have their licenses
-terminated so long as such parties remain in full compliance.
-
- 9. You are not required to accept this License, since you have not
-signed it. However, nothing else grants you permission to modify or
-distribute the Library or its derivative works. These actions are
-prohibited by law if you do not accept this License. Therefore, by
-modifying or distributing the Library (or any work based on the
-Library), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Library or works based on it.
-
- 10. Each time you redistribute the Library (or any work based on the
-Library), the recipient automatically receives a license from the
-original licensor to copy, distribute, link with or modify the Library
-subject to these terms and conditions. You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties with
-this License.
-
- 11. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Library at all. For example, if a patent
-license would not permit royalty-free redistribution of the Library by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Library.
-
-If any portion of this section is held invalid or unenforceable under any
-particular circumstance, the balance of the section is intended to apply,
-and the section as a whole is intended to apply in other circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system which is
-implemented by public license practices. Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
- 12. If the distribution and/or use of the Library is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Library under this License may add
-an explicit geographical distribution limitation excluding those countries,
-so that distribution is permitted only in or among countries not thus
-excluded. In such case, this License incorporates the limitation as if
-written in the body of this License.
-
- 13. The Free Software Foundation may publish revised and/or new
-versions of the Lesser General Public License from time to time.
-Such new versions will be similar in spirit to the present version,
-but may differ in detail to address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Library
-specifies a version number of this License which applies to it and
-"any later version", you have the option of following the terms and
-conditions either of that version or of any later version published by
-the Free Software Foundation. If the Library does not specify a
-license version number, you may choose any version ever published by
-the Free Software Foundation.
-
- 14. If you wish to incorporate parts of the Library into other free
-programs whose distribution conditions are incompatible with these,
-write to the author to ask for permission. For software which is
-copyrighted by the Free Software Foundation, write to the Free
-Software Foundation; we sometimes make exceptions for this. Our
-decision will be guided by the two goals of preserving the free status
-of all derivatives of our free software and of promoting the sharing
-and reuse of software generally.
-
- NO WARRANTY
-
- 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
-WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
-EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
-OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
-KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
-LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
-THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
- 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
-WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
-AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
-FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
-CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
-LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
-RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
-FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
-SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
-DAMAGES.
-
- END OF TERMS AND CONDITIONS
-
- How to Apply These Terms to Your New Libraries
-
- If you develop a new library, and you want it to be of the greatest
-possible use to the public, we recommend making it free software that
-everyone can redistribute and change. You can do so by permitting
-redistribution under these terms (or, alternatively, under the terms of the
-ordinary General Public License).
-
- To apply these terms, attach the following notices to the library. It is
-safest to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least the
-"copyright" line and a pointer to where the full notice is found.
-
- <one line to give the library's name and a brief idea of what it does.>
- Copyright (C) <year> <name of author>
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Lesser General Public
- License as published by the Free Software Foundation; either
- version 2.1 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public
- License along with this library; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
-
-Also add information on how to contact you by electronic and paper mail.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the library, if
-necessary. Here is a sample; alter the names:
-
- Yoyodyne, Inc., hereby disclaims all copyright interest in the
- library `Frob' (a library for tweaking knobs) written by James Random Hacker.
-
- <signature of Ty Coon>, 1 April 1990
- Ty Coon, President of Vice
-
-That's all there is to it!
diff --git a/hivex/Makefile.am b/hivex/Makefile.am
deleted file mode 100644
index 66c5bf1d..00000000
--- a/hivex/Makefile.am
+++ /dev/null
@@ -1,141 +0,0 @@
-# libguestfs
-# Copyright (C) 2009 Red Hat Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-SUBDIRS = t tools
-
-EXTRA_DIST = \
- hivex.pod \
- hivexml.pod \
- hivexget.pod \
- hivexget \
- hivexsh.pod \
- LICENSE \
- example1 \
- example2 \
- example3 \
- example4 \
- example5 \
- example6
-
-lib_LTLIBRARIES = libhivex.la
-
-libhivex_la_SOURCES = \
- hivex.c \
- hivex.h \
- byte_conversions.h
-
-libhivex_la_LDFLAGS = -version-info 0:0:0 $(LTLIBINTL) $(LTLIBTHREAD)
-libhivex_la_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
-libhivex_la_CPPFLAGS = -I$(top_srcdir)/gnulib/lib
-
-bin_PROGRAMS = hivexml hivexsh
-bin_SCRIPTS = hivexget
-noinst_SCRIPTS = example1 example2 example3 example4 example5 example6
-
-hivexml_SOURCES = \
- hivexml.c
-
-hivexml_LDADD = libhivex.la $(LIBXML2_LIBS) ../gnulib/lib/libgnu.la
-hivexml_CFLAGS = \
- -I$(top_srcdir)/src \
- -DLOCALEBASEDIR=\""$(datadir)/locale"\" \
- $(LIBXML2_CFLAGS) \
- $(WARN_CFLAGS) $(WERROR_CFLAGS)
-
-hivexsh_SOURCES = \
- hivexsh.c \
- hivex.h \
- byte_conversions.h
-
-hivexsh_LDADD = libhivex.la ../gnulib/lib/libgnu.la $(LIBREADLINE)
-hivexsh_CFLAGS = \
- -I$(top_srcdir)/gnulib/lib \
- -I$(top_srcdir)/src \
- -DLOCALEBASEDIR=\""$(datadir)/locale"\" \
- $(WARN_CFLAGS) $(WERROR_CFLAGS)
-
-man_MANS = hivex.3 hivexml.1 hivexget.1 hivexsh.1
-
-hivex.3: hivex.pod
- $(POD2MAN) \
- --section 3 \
- -c "Windows Registry" \
- --name "hivex" \
- --release "$(PACKAGE_NAME)-$(PACKAGE_VERSION)" \
- $< > $@-t; mv $@-t $@
-
-hivexml.1: hivexml.pod
- $(POD2MAN) \
- --section 1 \
- -c "Windows Registry" \
- --name "hivexml" \
- --release "$(PACKAGE_NAME)-$(PACKAGE_VERSION)" \
- $< > $@-t; mv $@-t $@
-
-hivexget.1: hivexget.pod
- $(POD2MAN) \
- --section 1 \
- -c "Windows Registry" \
- --name "hivexget" \
- --release "$(PACKAGE_NAME)-$(PACKAGE_VERSION)" \
- $< > $@-t; mv $@-t $@
-
-hivexsh.1: hivexsh.pod
- $(POD2MAN) \
- --section 1 \
- -c "Windows Registry" \
- --name "hivexsh" \
- --release "$(PACKAGE_NAME)-$(PACKAGE_VERSION)" \
- $< > $@-t; mv $@-t $@
-
-noinst_DATA = \
- $(top_builddir)/html/hivex.3.html \
- $(top_builddir)/html/hivexml.1.html \
- $(top_builddir)/html/hivexget.1.html \
- $(top_builddir)/html/hivexsh.1.html
-
-$(top_builddir)/html/hivex.3.html: hivex.pod
- mkdir -p $(top_builddir)/html
- cd $(top_builddir) && pod2html \
- --css 'pod.css' \
- --htmldir html \
- --outfile html/hivex.3.html \
- hivex/hivex.pod
-
-$(top_builddir)/html/hivexml.1.html: hivexml.pod
- mkdir -p $(top_builddir)/html
- cd $(top_builddir) && pod2html \
- --css 'pod.css' \
- --htmldir html \
- --outfile html/hivexml.1.html \
- hivex/hivexml.pod
-
-$(top_builddir)/html/hivexget.1.html: hivexget.pod
- mkdir -p $(top_builddir)/html
- cd $(top_builddir) && pod2html \
- --css 'pod.css' \
- --htmldir html \
- --outfile html/hivexget.1.html \
- hivex/hivexget.pod
-
-$(top_builddir)/html/hivexsh.1.html: hivexsh.pod
- mkdir -p $(top_builddir)/html
- cd $(top_builddir) && pod2html \
- --css 'pod.css' \
- --htmldir html \
- --outfile html/hivexsh.1.html \
- hivex/hivexsh.pod
diff --git a/hivex/README b/hivex/README
deleted file mode 100644
index 3f7f0188..00000000
--- a/hivex/README
+++ /dev/null
@@ -1,35 +0,0 @@
-hivex - by Richard W.M. Jones, rjones@redhat.com
-Copyright (C) 2009-2010 Red Hat Inc.
-----------------------------------------------------------------------
-
-This is a self-contained library for reading Windows Registry "hive"
-binary files.
-
-Unlike many other tools in this area, it doesn't use the textual .REG
-format for output, because parsing that is as much trouble as parsing
-the original binary format. Instead it makes the file available
-through a C API, or there is a separate program to export the hive as
-XML.
-
-This library was derived from several sources:
-
- . NTREG registry reader/writer library by Petter Nordahl-Hagen
- (LGPL v2.1 licensed library and program)
- . http://pogostick.net/~pnh/ntpasswd/WinReg.txt
- . dumphive (a BSD-licensed Pascal program by Markus Stephany)
- . http://www.sentinelchicken.com/data/TheWindowsNTRegistryFileFormat.pdf
- . editreg program from Samba - this program was removed in later
- versions of Samba, so you have to go back in the source repository
- to find it (GPLv2+)
- . http://amnesia.gtisc.gatech.edu/~moyix/suzibandit.ltd.uk/MSc/
- . reverse engineering the format (see hivex/tools/visualizer.ml)
-
-Like NTREG, this library only attempts to read Windows NT registry
-files (ie. not Windows 3.1 or Windows 95/98/ME). See the link above
-for documentation on the older formats if you wish to read them.
-
-Unlike NTREG, this code is much more careful about handling error
-cases, corrupt and malicious registry files, and endianness.
-
-The license for this library is LGPL v2.1, but not later versions.
-For full details, see the file LICENSE in this directory.
diff --git a/hivex/byte_conversions.h b/hivex/byte_conversions.h
deleted file mode 100644
index 84e9e2de..00000000
--- a/hivex/byte_conversions.h
+++ /dev/null
@@ -1,89 +0,0 @@
-/* Useful byte conversion macros, not available on all platforms.
- * Copyright (C) 2009-2010 Red Hat Inc.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation;
- * version 2.1 of the License.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- */
-
-#ifndef hivex_byteorder_h
-#define hivex_byteorder_h
-
-#ifdef HAVE_ENDIAN_H
-#include <endian.h>
-#endif
-#ifdef HAVE_BYTESWAP_H
-#include <byteswap.h>
-#endif
-
-#if __BYTE_ORDER == __LITTLE_ENDIAN
-#ifndef be32toh
-#define be32toh(x) __bswap_32 (x)
-#endif
-#ifndef htobe32
-#define htobe32(x) __bswap_32 (x)
-#endif
-#ifndef be64toh
-#define be64toh(x) __bswap_64 (x)
-#endif
-#ifndef htobe64
-#define htobe64(x) __bswap_64 (x)
-#endif
-#ifndef le16toh
-#define le16toh(x) (x)
-#endif
-#ifndef htole16
-#define htole16(x) (x)
-#endif
-#ifndef le32toh
-#define le32toh(x) (x)
-#endif
-#ifndef htole32
-#define htole32(x) (x)
-#endif
-#ifndef le64toh
-#define le64toh(x) (x)
-#endif
-#ifndef htole64
-#define htole64(x) (x)
-#endif
-#else /* __BYTE_ORDER == __BIG_ENDIAN */
-#ifndef be32toh
-#define be32toh(x) (x)
-#endif
-#ifndef htobe32
-#define htobe32(x) (x)
-#endif
-#ifndef be64toh
-#define be64toh(x) (x)
-#endif
-#ifndef htobe64
-#define htobe64(x) (x)
-#endif
-#ifndef le16toh
-#define le16toh(x) __bswap_16 (x)
-#endif
-#ifndef htole16
-#define htole16(x) __bswap_16 (x)
-#endif
-#ifndef le32toh
-#define le32toh(x) __bswap_32 (x)
-#endif
-#ifndef htole32
-#define htole32(x) __bswap_32 (x)
-#endif
-#ifndef le64toh
-#define le64toh(x) __bswap_64 (x)
-#endif
-#ifndef htole64
-#define htole64(x) __bswap_64 (x)
-#endif
-#endif /* __BYTE_ORDER == __BIG_ENDIAN */
-
-#endif /* hivex_byteorder_h */
diff --git a/hivex/example1 b/hivex/example1
deleted file mode 100755
index 5b1313f8..00000000
--- a/hivex/example1
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/bash -
-# Copyright (C) 2009-2010 Red Hat Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-set -e
-
-# Example program which loads and saves a hive.
-#
-# The intention of this example is just to check that we can do this
-# without corrupting the hive (header etc).
-#
-# NB: The copy of the hive will not be absolutely identical. The
-# sequence numbers in the header will change. If we implement the
-# last modified field in the header, then that and the checksum will
-# also change.
-
-if [ $# -ne 2 ]; then
- echo "$0 input output"
- exit 1
-fi
-
-d=`dirname $0`
-
-$d/hivexsh -w <<EOF
-load $1
-commit $2
-EOF \ No newline at end of file
diff --git a/hivex/example2 b/hivex/example2
deleted file mode 100755
index 8d275463..00000000
--- a/hivex/example2
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash -
-# Copyright (C) 2009-2010 Red Hat Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-set -e
-
-# Example program which modifies a hive.
-#
-# This program removes any existing (key, value) pairs at the root
-# node and replaces them with some example values.
-#
-# You can load the modified hive using another tool to see the
-# changes. eg. Using Windows regedit, select HKLM and then in the
-# File menu choose "Load Hive ...". Point to the update hive, and
-# then give a key (eg. "test1"). The modified hive will be loaded
-# under HKLM\test1 and the values can be inspected there. After
-# inspecting the changes, unload the hive using File -> Unload Hive.
-#
-# Don't replace the original Windows hive, else you'll break things :-)
-
-if [ $# -ne 0 ]; then
- echo "$0: no arguments required"
- exit 1
-fi
-
-d=`dirname $0`
-
-$d/hivexsh -w <<EOF
-load $d/t/minimal
-setval 1
-@
-string:Root
-commit /tmp/modified
-EOF \ No newline at end of file
diff --git a/hivex/example3 b/hivex/example3
deleted file mode 100755
index b482e410..00000000
--- a/hivex/example3
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/bin/bash -
-# Copyright (C) 2009-2010 Red Hat Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-set -e
-
-# Example program which modifies a hive.
-#
-# This program removes any existing (key, value) pairs at the root
-# node and replaces them with some example values.
-#
-# You can load the modified hive using another tool to see the
-# changes. eg. Using Windows regedit, select HKLM and then in the
-# File menu choose "Load Hive ...". Point to the update hive, and
-# then give a key (eg. "test1"). The modified hive will be loaded
-# under HKLM\test1 and the values can be inspected there. After
-# inspecting the changes, unload the hive using File -> Unload Hive.
-#
-# Don't replace the original Windows hive, else you'll break things :-)
-
-if [ $# -ne 0 ]; then
- echo "$0: no arguments required"
- exit 1
-fi
-
-d=`dirname $0`
-
-$d/hivexsh -w <<EOF
-load $d/t/minimal
-setval 4
-@
-string:Root
-A
-string:abcd
-B
-dword:0x12345678
-C
-string:dcbadcbadcbaabcd
-commit /tmp/modified
-EOF \ No newline at end of file
diff --git a/hivex/example4 b/hivex/example4
deleted file mode 100755
index 85fd5526..00000000
--- a/hivex/example4
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/bash -
-# Copyright (C) 2009-2010 Red Hat Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-set -e
-
-# This program deletes the whole \Microsoft tree from a software hive.
-
-if [ $# -ne 2 ]; then
- echo "$0 software software.new"
- exit 1
-fi
-
-d=`dirname $0`
-
-$d/hivexsh -w <<EOF
-load $1
-cd \Microsoft
-del
-commit $2
-EOF \ No newline at end of file
diff --git a/hivex/example5 b/hivex/example5
deleted file mode 100755
index ccf711ca..00000000
--- a/hivex/example5
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/bin/bash -
-# Copyright (C) 2009-2010 Red Hat Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-set -e
-
-# This script adds a new node under \Microsoft in an existing software
-# hive.
-
-if [ $# -ne 2 ]; then
- echo "$0 software software.new"
- exit 1
-fi
-
-d=`dirname $0`
-
-$d/hivexsh -w <<EOF
-load $1
-cd \Microsoft
-add TestNode
-cd TestNode
-add Test1
-add Test2
-add Test3
-add Test4
-add Test5
-cd Test1
-setval 2
-@
-string:This is the default key of Test1
-ThisIsTest1
-dword:0x12345678
-cd ..
-cd Test5
-setval 2
-@
-string:This is the default key of Test5
-ThisIsTest5
-dword:0x87654321
-commit $2
-EOF \ No newline at end of file
diff --git a/hivex/example6 b/hivex/example6
deleted file mode 100755
index 7cb44675..00000000
--- a/hivex/example6
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/bin/bash -
-# Copyright (C) 2009-2010 Red Hat Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-set -e
-
-# Hypothetical viostor installation in a W2K3 system registry.
-
-if [ $# -ne 2 ]; then
- echo "$0 system system.new"
- exit 1
-fi
-
-d=`dirname $0`
-
-$d/hivexsh -w <<EOF
-load $1
-
-cd \ControlSet001\Control\CriticalDeviceDatabase
-
-add pci#ven_1af4&dev_1001&subsys_00000000
-cd pci#ven_1af4&dev_1001&subsys_00000000
-setval 2
-Service
-string:viostor
-ClassGUID
-string:{4D36E97B-E325-11CE-BFC1-08002BE10318}
-cd ..
-
-add pci#ven_1af4&dev_1001&subsys_00020000
-cd pci#ven_1af4&dev_1001&subsys_00020000
-setval 2
-Service
-string:viostor
-ClassGUID
-string:{4D36E97B-E325-11CE-BFC1-08002BE10318}
-cd ..
-
-add pci#ven_1af4&dev_1001&subsys_00021af4
-cd pci#ven_1af4&dev_1001&subsys_00021af4
-setval 2
-Service
-string:viostor
-ClassGUID
-string:{4D36E97B-E325-11CE-BFC1-08002BE10318}
-
-cd \ControlSet001\Services
-add viostor
-cd viostor
-setval 6
-Type
-dword:0x00000001
-Start
-dword:0x00000000
-Group
-string:SCSI miniport
-ErrorControl
-dword:0x00000001
-ImagePath
-string:system32\drivers\viostor.sys
-Tag
-dword:0x00000021
-
-add Parameters
-cd Parameters
-setval 1
-BusType
-dword:0x00000001
-
-add MaxTransferSize
-cd MaxTransferSize
-setval 3
-ParamDesc
-string:Maximum Transfer Size
-type
-string:enum
-default
-string:0
-
-add enum
-cd enum
-setval 3
-0
-string:64 KB
-1
-string:128 KB
-2
-string:256 KB
-cd ..
-
-cd ..
-
-add PnpInterface
-cd PnpInterface
-setval 1
-5
-dword:0x00000001
-cd ..
-
-cd ..
-
-add Enum
-cd Enum
-setval 3
-0
-string:PCI\VEN_1AF4&DEV_1001&SUBSYS_00021AF4&REV_00\3&13c0b0c5&0&20
-Count
-dword:0x00000001
-NextInstance
-dword:0x00000001
-
-commit $2
-EOF
diff --git a/hivex/hivex.c b/hivex/hivex.c
deleted file mode 100644
index 7d26eebd..00000000
--- a/hivex/hivex.c
+++ /dev/null
@@ -1,2557 +0,0 @@
-/* hivex - Windows Registry "hive" extraction library.
- * Copyright (C) 2009-2010 Red Hat Inc.
- * Derived from code by Petter Nordahl-Hagen under a compatible license:
- * Copyright (c) 1997-2007 Petter Nordahl-Hagen.
- * Derived from code by Markus Stephany under a compatible license:
- * Copyright (c) 2000-2004, Markus Stephany.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation;
- * version 2.1 of the License.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * See file LICENSE for the full license.
- */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdint.h>
-#include <stddef.h>
-#include <inttypes.h>
-#include <string.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <errno.h>
-#include <iconv.h>
-#include <sys/mman.h>
-#include <sys/stat.h>
-#include <assert.h>
-
-#include "c-ctype.h"
-#include "full-read.h"
-#include "full-write.h"
-
-#ifndef O_CLOEXEC
-#define O_CLOEXEC 0
-#endif
-
-#define STREQ(a,b) (strcmp((a),(b)) == 0)
-#define STRCASEEQ(a,b) (strcasecmp((a),(b)) == 0)
-//#define STRNEQ(a,b) (strcmp((a),(b)) != 0)
-//#define STRCASENEQ(a,b) (strcasecmp((a),(b)) != 0)
-#define STREQLEN(a,b,n) (strncmp((a),(b),(n)) == 0)
-//#define STRCASEEQLEN(a,b,n) (strncasecmp((a),(b),(n)) == 0)
-//#define STRNEQLEN(a,b,n) (strncmp((a),(b),(n)) != 0)
-//#define STRCASENEQLEN(a,b,n) (strncasecmp((a),(b),(n)) != 0)
-#define STRPREFIX(a,b) (strncmp((a),(b),strlen((b))) == 0)
-
-#include "hivex.h"
-#include "byte_conversions.h"
-
-/* These limits are in place to stop really stupid stuff and/or exploits. */
-#define HIVEX_MAX_SUBKEYS 10000
-#define HIVEX_MAX_VALUES 1000
-#define HIVEX_MAX_VALUE_LEN 1000000
-#define HIVEX_MAX_ALLOCATION 1000000
-
-static char *windows_utf16_to_utf8 (/* const */ char *input, size_t len);
-
-struct hive_h {
- char *filename;
- int fd;
- size_t size;
- int msglvl;
- int writable;
-
- /* Registry file, memory mapped if read-only, or malloc'd if writing. */
- union {
- char *addr;
- struct ntreg_header *hdr;
- };
-
- /* Use a bitmap to store which file offsets are valid (point to a
- * used block). We only need to store 1 bit per 32 bits of the file
- * (because blocks are 4-byte aligned). We found that the average
- * block size in a registry file is ~50 bytes. So roughly 1 in 12
- * bits in the bitmap will be set, making it likely a more efficient
- * structure than a hash table.
- */
- char *bitmap;
-#define BITMAP_SET(bitmap,off) (bitmap[(off)>>5] |= 1 << (((off)>>2)&7))
-#define BITMAP_CLR(bitmap,off) (bitmap[(off)>>5] &= ~ (1 << (((off)>>2)&7)))
-#define BITMAP_TST(bitmap,off) (bitmap[(off)>>5] & (1 << (((off)>>2)&7)))
-#define IS_VALID_BLOCK(h,off) \
- (((off) & 3) == 0 && \
- (off) >= 0x1000 && \
- (off) < (h)->size && \
- BITMAP_TST((h)->bitmap,(off)))
-
- /* Fields from the header, extracted from little-endianness hell. */
- size_t rootoffs; /* Root key offset (always an nk-block). */
- size_t endpages; /* Offset of end of pages. */
-
- /* For writing. */
- size_t endblocks; /* Offset to next block allocation (0
- if not allocated anything yet). */
-};
-
-/* NB. All fields are little endian. */
-struct ntreg_header {
- char magic[4]; /* "regf" */
- uint32_t sequence1;
- uint32_t sequence2;
- char last_modified[8];
- uint32_t major_ver; /* 1 */
- uint32_t minor_ver; /* 3 */
- uint32_t unknown5; /* 0 */
- uint32_t unknown6; /* 1 */
- uint32_t offset; /* offset of root key record - 4KB */
- uint32_t blocks; /* pointer AFTER last hbin in file - 4KB */
- uint32_t unknown7; /* 1 */
- /* 0x30 */
- char name[64]; /* original file name of hive */
- char unknown_guid1[16];
- char unknown_guid2[16];
- /* 0x90 */
- uint32_t unknown8;
- char unknown_guid3[16];
- uint32_t unknown9;
- /* 0xa8 */
- char unknown10[340];
- /* 0x1fc */
- uint32_t csum; /* checksum: xor of dwords 0-0x1fb. */
- /* 0x200 */
- char unknown11[3528];
- /* 0xfc8 */
- char unknown_guid4[16];
- char unknown_guid5[16];
- char unknown_guid6[16];
- uint32_t unknown12;
- uint32_t unknown13;
- /* 0x1000 */
-} __attribute__((__packed__));
-
-struct ntreg_hbin_page {
- char magic[4]; /* "hbin" */
- uint32_t offset_first; /* offset from 1st block */
- uint32_t page_size; /* size of this page (multiple of 4KB) */
- char unknown[20];
- /* Linked list of blocks follows here. */
-} __attribute__((__packed__));
-
-struct ntreg_hbin_block {
- int32_t seg_len; /* length of this block (-ve for used block) */
- char id[2]; /* the block type (eg. "nk" for nk record) */
- /* Block data follows here. */
-} __attribute__((__packed__));
-
-#define BLOCK_ID_EQ(h,offs,eqid) \
- (STREQLEN (((struct ntreg_hbin_block *)((h)->addr + (offs)))->id, (eqid), 2))
-
-static size_t
-block_len (hive_h *h, size_t blkoff, int *used)
-{
- struct ntreg_hbin_block *block;
- block = (struct ntreg_hbin_block *) (h->addr + blkoff);
-
- int32_t len = le32toh (block->seg_len);
- if (len < 0) {
- if (used) *used = 1;
- len = -len;
- } else {
- if (used) *used = 0;
- }
-
- return (size_t) len;
-}
-
-struct ntreg_nk_record {
- int32_t seg_len; /* length (always -ve because used) */
- char id[2]; /* "nk" */
- uint16_t flags;
- char timestamp[8];
- uint32_t unknown1;
- uint32_t parent; /* offset of owner/parent */
- uint32_t nr_subkeys; /* number of subkeys */
- uint32_t nr_subkeys_volatile;
- uint32_t subkey_lf; /* lf record containing list of subkeys */
- uint32_t subkey_lf_volatile;
- uint32_t nr_values; /* number of values */
- uint32_t vallist; /* value-list record */
- uint32_t sk; /* offset of sk-record */
- uint32_t classname; /* offset of classname record */
- uint16_t max_subkey_name_len; /* maximum length of a subkey name in bytes
- if the subkey was reencoded as UTF-16LE */
- uint16_t unknown2;
- uint32_t unknown3;
- uint32_t max_vk_name_len; /* maximum length of any vk name in bytes
- if the name was reencoded as UTF-16LE */
- uint32_t max_vk_data_len; /* maximum length of any vk data in bytes */
- uint32_t unknown6;
- uint16_t name_len; /* length of name */
- uint16_t classname_len; /* length of classname */
- char name[1]; /* name follows here */
-} __attribute__((__packed__));
-
-struct ntreg_lf_record {
- int32_t seg_len;
- char id[2]; /* "lf"|"lh" */
- uint16_t nr_keys; /* number of keys in this record */
- struct {
- uint32_t offset; /* offset of nk-record for this subkey */
- char hash[4]; /* hash of subkey name */
- } keys[1];
-} __attribute__((__packed__));
-
-struct ntreg_ri_record {
- int32_t seg_len;
- char id[2]; /* "ri" */
- uint16_t nr_offsets; /* number of pointers to lh records */
- uint32_t offset[1]; /* list of pointers to lh records */
-} __attribute__((__packed__));
-
-/* This has no ID header. */
-struct ntreg_value_list {
- int32_t seg_len;
- uint32_t offset[1]; /* list of pointers to vk records */
-} __attribute__((__packed__));
-
-struct ntreg_vk_record {
- int32_t seg_len; /* length (always -ve because used) */
- char id[2]; /* "vk" */
- uint16_t name_len; /* length of name */
- /* length of the data:
- * If data_len is <= 4, then it's stored inline.
- * Top bit is set to indicate inline.
- */
- uint32_t data_len;
- uint32_t data_offset; /* pointer to the data (or data if inline) */
- uint32_t data_type; /* type of the data */
- uint16_t flags; /* bit 0 set => key name ASCII,
- bit 0 clr => key name UTF-16.
- Only seen ASCII here in the wild.
- NB: this is CLEAR for default key. */
- uint16_t unknown2;
- char name[1]; /* key name follows here */
-} __attribute__((__packed__));
-
-struct ntreg_sk_record {
- int32_t seg_len; /* length (always -ve because used) */
- char id[2]; /* "sk" */
- uint16_t unknown1;
- uint32_t sk_next; /* linked into a circular list */
- uint32_t sk_prev;
- uint32_t refcount; /* reference count */
- uint32_t sec_len; /* length of security info */
- char sec_desc[1]; /* security info follows */
-} __attribute__((__packed__));
-
-static uint32_t
-header_checksum (const hive_h *h)
-{
- uint32_t *daddr = (uint32_t *) h->addr;
- size_t i;
- uint32_t sum = 0;
-
- for (i = 0; i < 0x1fc / 4; ++i) {
- sum ^= le32toh (*daddr);
- daddr++;
- }
-
- return sum;
-}
-
-hive_h *
-hivex_open (const char *filename, int flags)
-{
- hive_h *h = NULL;
-
- assert (sizeof (struct ntreg_header) == 0x1000);
- assert (offsetof (struct ntreg_header, csum) == 0x1fc);
-
- h = calloc (1, sizeof *h);
- if (h == NULL)
- goto error;
-
- h->msglvl = flags & HIVEX_OPEN_MSGLVL_MASK;
-
- const char *debug = getenv ("HIVEX_DEBUG");
- if (debug && STREQ (debug, "1"))
- h->msglvl = 2;
-
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_open: created handle %p\n", h);
-
- h->writable = !!(flags & HIVEX_OPEN_WRITE);
- h->filename = strdup (filename);
- if (h->filename == NULL)
- goto error;
-
- h->fd = open (filename, O_RDONLY | O_CLOEXEC);
- if (h->fd == -1)
- goto error;
-
- struct stat statbuf;
- if (fstat (h->fd, &statbuf) == -1)
- goto error;
-
- h->size = statbuf.st_size;
-
- if (!h->writable) {
- h->addr = mmap (NULL, h->size, PROT_READ, MAP_SHARED, h->fd, 0);
- if (h->addr == MAP_FAILED)
- goto error;
-
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_open: mapped file at %p\n", h->addr);
- } else {
- h->addr = malloc (h->size);
- if (h->addr == NULL)
- goto error;
-
- if (full_read (h->fd, h->addr, h->size) < h->size)
- goto error;
- }
-
- /* Check header. */
- if (h->hdr->magic[0] != 'r' ||
- h->hdr->magic[1] != 'e' ||
- h->hdr->magic[2] != 'g' ||
- h->hdr->magic[3] != 'f') {
- fprintf (stderr, "hivex: %s: not a Windows NT Registry hive file\n",
- filename);
- errno = ENOTSUP;
- goto error;
- }
-
- /* Check major version. */
- uint32_t major_ver = le32toh (h->hdr->major_ver);
- if (major_ver != 1) {
- fprintf (stderr,
- "hivex: %s: hive file major version %" PRIu32 " (expected 1)\n",
- filename, major_ver);
- errno = ENOTSUP;
- goto error;
- }
-
- h->bitmap = calloc (1 + h->size / 32, 1);
- if (h->bitmap == NULL)
- goto error;
-
- /* Header checksum. */
- uint32_t sum = header_checksum (h);
- if (sum != le32toh (h->hdr->csum)) {
- fprintf (stderr, "hivex: %s: bad checksum in hive header\n", filename);
- errno = EINVAL;
- goto error;
- }
-
- if (h->msglvl >= 2) {
- char *name = windows_utf16_to_utf8 (h->hdr->name, 64);
-
- fprintf (stderr,
- "hivex_open: header fields:\n"
- " file version %" PRIu32 ".%" PRIu32 "\n"
- " sequence nos %" PRIu32 " %" PRIu32 "\n"
- " (sequences nos should match if hive was synched at shutdown)\n"
- " original file name %s\n"
- " (only 32 chars are stored, name is probably truncated)\n"
- " root offset 0x%x + 0x1000\n"
- " end of last page 0x%x + 0x1000 (total file size 0x%zx)\n"
- " checksum 0x%x (calculated 0x%x)\n",
- major_ver, le32toh (h->hdr->minor_ver),
- le32toh (h->hdr->sequence1), le32toh (h->hdr->sequence2),
- name ? name : "(conversion failed)",
- le32toh (h->hdr->offset),
- le32toh (h->hdr->blocks), h->size,
- le32toh (h->hdr->csum), sum);
- free (name);
- }
-
- h->rootoffs = le32toh (h->hdr->offset) + 0x1000;
- h->endpages = le32toh (h->hdr->blocks) + 0x1000;
-
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_open: root offset = 0x%zx\n", h->rootoffs);
-
- /* We'll set this flag when we see a block with the root offset (ie.
- * the root block).
- */
- int seen_root_block = 0, bad_root_block = 0;
-
- /* Collect some stats. */
- size_t pages = 0; /* Number of hbin pages read. */
- size_t smallest_page = SIZE_MAX, largest_page = 0;
- size_t blocks = 0; /* Total number of blocks found. */
- size_t smallest_block = SIZE_MAX, largest_block = 0, blocks_bytes = 0;
- size_t used_blocks = 0; /* Total number of used blocks found. */
- size_t used_size = 0; /* Total size (bytes) of used blocks. */
-
- /* Read the pages and blocks. The aim here is to be robust against
- * corrupt or malicious registries. So we make sure the loops
- * always make forward progress. We add the address of each block
- * we read to a hash table so pointers will only reference the start
- * of valid blocks.
- */
- size_t off;
- struct ntreg_hbin_page *page;
- for (off = 0x1000; off < h->size; off += le32toh (page->page_size)) {
- if (off >= h->endpages)
- break;
-
- page = (struct ntreg_hbin_page *) (h->addr + off);
- if (page->magic[0] != 'h' ||
- page->magic[1] != 'b' ||
- page->magic[2] != 'i' ||
- page->magic[3] != 'n') {
- fprintf (stderr, "hivex: %s: trailing garbage at end of file (at 0x%zx, after %zu pages)\n",
- filename, off, pages);
- errno = ENOTSUP;
- goto error;
- }
-
- size_t page_size = le32toh (page->page_size);
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_open: page at 0x%zx, size %zu\n", off, page_size);
- pages++;
- if (page_size < smallest_page) smallest_page = page_size;
- if (page_size > largest_page) largest_page = page_size;
-
- if (page_size <= sizeof (struct ntreg_hbin_page) ||
- (page_size & 0x0fff) != 0) {
- fprintf (stderr, "hivex: %s: page size %zu at 0x%zx, bad registry\n",
- filename, page_size, off);
- errno = ENOTSUP;
- goto error;
- }
-
- /* Read the blocks in this page. */
- size_t blkoff;
- struct ntreg_hbin_block *block;
- size_t seg_len;
- for (blkoff = off + 0x20;
- blkoff < off + page_size;
- blkoff += seg_len) {
- blocks++;
-
- int is_root = blkoff == h->rootoffs;
- if (is_root)
- seen_root_block = 1;
-
- block = (struct ntreg_hbin_block *) (h->addr + blkoff);
- int used;
- seg_len = block_len (h, blkoff, &used);
- if (seg_len <= 4 || (seg_len & 3) != 0) {
- fprintf (stderr, "hivex: %s: block size %" PRIu32 " at 0x%zx, bad registry\n",
- filename, le32toh (block->seg_len), blkoff);
- errno = ENOTSUP;
- goto error;
- }
-
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_open: %s block id %d,%d at 0x%zx size %zu%s\n",
- used ? "used" : "free", block->id[0], block->id[1], blkoff,
- seg_len, is_root ? " (root)" : "");
-
- blocks_bytes += seg_len;
- if (seg_len < smallest_block) smallest_block = seg_len;
- if (seg_len > largest_block) largest_block = seg_len;
-
- if (is_root && !used)
- bad_root_block = 1;
-
- if (used) {
- used_blocks++;
- used_size += seg_len;
-
- /* Root block must be an nk-block. */
- if (is_root && (block->id[0] != 'n' || block->id[1] != 'k'))
- bad_root_block = 1;
-
- /* Note this blkoff is a valid address. */
- BITMAP_SET (h->bitmap, blkoff);
- }
- }
- }
-
- if (!seen_root_block) {
- fprintf (stderr, "hivex: %s: no root block found\n", filename);
- errno = ENOTSUP;
- goto error;
- }
-
- if (bad_root_block) {
- fprintf (stderr, "hivex: %s: bad root block (free or not nk)\n", filename);
- errno = ENOTSUP;
- goto error;
- }
-
- if (h->msglvl >= 1)
- fprintf (stderr,
- "hivex_open: successfully read Windows Registry hive file:\n"
- " pages: %zu [sml: %zu, lge: %zu]\n"
- " blocks: %zu [sml: %zu, avg: %zu, lge: %zu]\n"
- " blocks used: %zu\n"
- " bytes used: %zu\n",
- pages, smallest_page, largest_page,
- blocks, smallest_block, blocks_bytes / blocks, largest_block,
- used_blocks, used_size);
-
- return h;
-
- error:;
- int err = errno;
- if (h) {
- free (h->bitmap);
- if (h->addr && h->size && h->addr != MAP_FAILED) {
- if (!h->writable)
- munmap (h->addr, h->size);
- else
- free (h->addr);
- }
- if (h->fd >= 0)
- close (h->fd);
- free (h->filename);
- free (h);
- }
- errno = err;
- return NULL;
-}
-
-int
-hivex_close (hive_h *h)
-{
- int r;
-
- free (h->bitmap);
- if (!h->writable)
- munmap (h->addr, h->size);
- else
- free (h->addr);
- r = close (h->fd);
- free (h->filename);
- free (h);
-
- return r;
-}
-
-/*----------------------------------------------------------------------
- * Reading.
- */
-
-hive_node_h
-hivex_root (hive_h *h)
-{
- hive_node_h ret = h->rootoffs;
- if (!IS_VALID_BLOCK (h, ret)) {
- errno = ENOKEY;
- return 0;
- }
- return ret;
-}
-
-char *
-hivex_node_name (hive_h *h, hive_node_h node)
-{
- if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
- errno = EINVAL;
- return NULL;
- }
-
- struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
-
- /* AFAIK the node name is always plain ASCII, so no conversion
- * to UTF-8 is necessary. However we do need to nul-terminate
- * the string.
- */
-
- /* nk->name_len is unsigned, 16 bit, so this is safe ... However
- * we have to make sure the length doesn't exceed the block length.
- */
- size_t len = le16toh (nk->name_len);
- size_t seg_len = block_len (h, node, NULL);
- if (sizeof (struct ntreg_nk_record) + len - 1 > seg_len) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_name: returning EFAULT because node name is too long (%zu, %zu)\n",
- len, seg_len);
- errno = EFAULT;
- return NULL;
- }
-
- char *ret = malloc (len + 1);
- if (ret == NULL)
- return NULL;
- memcpy (ret, nk->name, len);
- ret[len] = '\0';
- return ret;
-}
-
-#if 0
-/* I think the documentation for the sk and classname fields in the nk
- * record is wrong, or else the offset field is in the wrong place.
- * Otherwise this makes no sense. Disabled this for now -- it's not
- * useful for reading the registry anyway.
- */
-
-hive_security_h
-hivex_node_security (hive_h *h, hive_node_h node)
-{
- if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
- errno = EINVAL;
- return 0;
- }
-
- struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
-
- hive_node_h ret = le32toh (nk->sk);
- ret += 0x1000;
- if (!IS_VALID_BLOCK (h, ret)) {
- errno = EFAULT;
- return 0;
- }
- return ret;
-}
-
-hive_classname_h
-hivex_node_classname (hive_h *h, hive_node_h node)
-{
- if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
- errno = EINVAL;
- return 0;
- }
-
- struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
-
- hive_node_h ret = le32toh (nk->classname);
- ret += 0x1000;
- if (!IS_VALID_BLOCK (h, ret)) {
- errno = EFAULT;
- return 0;
- }
- return ret;
-}
-#endif
-
-/* Structure for returning 0-terminated lists of offsets (nodes,
- * values, etc).
- */
-struct offset_list {
- size_t *offsets;
- size_t len;
- size_t alloc;
-};
-
-static void
-init_offset_list (struct offset_list *list)
-{
- list->len = 0;
- list->alloc = 0;
- list->offsets = NULL;
-}
-
-#define INIT_OFFSET_LIST(name) \
- struct offset_list name; \
- init_offset_list (&name)
-
-/* Preallocates the offset_list, but doesn't make the contents longer. */
-static int
-grow_offset_list (struct offset_list *list, size_t alloc)
-{
- assert (alloc >= list->len);
- size_t *p = realloc (list->offsets, alloc * sizeof (size_t));
- if (p == NULL)
- return -1;
- list->offsets = p;
- list->alloc = alloc;
- return 0;
-}
-
-static int
-add_to_offset_list (struct offset_list *list, size_t offset)
-{
- if (list->len >= list->alloc) {
- if (grow_offset_list (list, list->alloc ? list->alloc * 2 : 4) == -1)
- return -1;
- }
- list->offsets[list->len] = offset;
- list->len++;
- return 0;
-}
-
-static void
-free_offset_list (struct offset_list *list)
-{
- free (list->offsets);
-}
-
-static size_t *
-return_offset_list (struct offset_list *list)
-{
- if (add_to_offset_list (list, 0) == -1)
- return NULL;
- return list->offsets; /* caller frees */
-}
-
-/* Iterate over children, returning child nodes and intermediate blocks. */
-#define GET_CHILDREN_NO_CHECK_NK 1
-
-static int
-get_children (hive_h *h, hive_node_h node,
- hive_node_h **children_ret, size_t **blocks_ret,
- int flags)
-{
- if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
- errno = EINVAL;
- return -1;
- }
-
- struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
-
- size_t nr_subkeys_in_nk = le32toh (nk->nr_subkeys);
-
- INIT_OFFSET_LIST (children);
- INIT_OFFSET_LIST (blocks);
-
- /* Deal with the common "no subkeys" case quickly. */
- if (nr_subkeys_in_nk == 0)
- goto ok;
-
- /* Arbitrarily limit the number of subkeys we will ever deal with. */
- if (nr_subkeys_in_nk > HIVEX_MAX_SUBKEYS) {
- errno = ERANGE;
- goto error;
- }
-
- /* Preallocate space for the children. */
- if (grow_offset_list (&children, nr_subkeys_in_nk) == -1)
- goto error;
-
- /* The subkey_lf field can point either to an lf-record, which is
- * the common case, or if there are lots of subkeys, to an
- * ri-record.
- */
- size_t subkey_lf = le32toh (nk->subkey_lf);
- subkey_lf += 0x1000;
- if (!IS_VALID_BLOCK (h, subkey_lf)) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_children: returning EFAULT because subkey_lf is not a valid block (0x%zx)\n",
- subkey_lf);
- errno = EFAULT;
- goto error;
- }
-
- if (add_to_offset_list (&blocks, subkey_lf) == -1)
- goto error;
-
- struct ntreg_hbin_block *block =
- (struct ntreg_hbin_block *) (h->addr + subkey_lf);
-
- /* Points to lf-record? (Note, also "lh" but that is basically the
- * same as "lf" as far as we are concerned here).
- */
- if (block->id[0] == 'l' && (block->id[1] == 'f' || block->id[1] == 'h')) {
- struct ntreg_lf_record *lf = (struct ntreg_lf_record *) block;
-
- /* Check number of subkeys in the nk-record matches number of subkeys
- * in the lf-record.
- */
- size_t nr_subkeys_in_lf = le16toh (lf->nr_keys);
-
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_children: nr_subkeys_in_nk = %zu, nr_subkeys_in_lf = %zu\n",
- nr_subkeys_in_nk, nr_subkeys_in_lf);
-
- if (nr_subkeys_in_nk != nr_subkeys_in_lf) {
- errno = ENOTSUP;
- goto error;
- }
-
- size_t len = block_len (h, subkey_lf, NULL);
- if (8 + nr_subkeys_in_lf * 8 > len) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_children: returning EFAULT because too many subkeys (%zu, %zu)\n",
- nr_subkeys_in_lf, len);
- errno = EFAULT;
- goto error;
- }
-
- size_t i;
- for (i = 0; i < nr_subkeys_in_lf; ++i) {
- hive_node_h subkey = le32toh (lf->keys[i].offset);
- subkey += 0x1000;
- if (!(flags & GET_CHILDREN_NO_CHECK_NK)) {
- if (!IS_VALID_BLOCK (h, subkey)) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_children: returning EFAULT because subkey is not a valid block (0x%zx)\n",
- subkey);
- errno = EFAULT;
- goto error;
- }
- }
- if (add_to_offset_list (&children, subkey) == -1)
- goto error;
- }
- goto ok;
- }
- /* Points to ri-record? */
- else if (block->id[0] == 'r' && block->id[1] == 'i') {
- struct ntreg_ri_record *ri = (struct ntreg_ri_record *) block;
-
- size_t nr_offsets = le16toh (ri->nr_offsets);
-
- /* Count total number of children. */
- size_t i, count = 0;
- for (i = 0; i < nr_offsets; ++i) {
- hive_node_h offset = le32toh (ri->offset[i]);
- offset += 0x1000;
- if (!IS_VALID_BLOCK (h, offset)) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_children: returning EFAULT because ri-offset is not a valid block (0x%zx)\n",
- offset);
- errno = EFAULT;
- goto error;
- }
- if (!BLOCK_ID_EQ (h, offset, "lf") && !BLOCK_ID_EQ (h, offset, "lh")) {
- if (h->msglvl >= 2)
- fprintf (stderr, "get_children: returning ENOTSUP because ri-record offset does not point to lf/lh (0x%zx)\n",
- offset);
- errno = ENOTSUP;
- goto error;
- }
-
- if (add_to_offset_list (&blocks, offset) == -1)
- goto error;
-
- struct ntreg_lf_record *lf =
- (struct ntreg_lf_record *) (h->addr + offset);
-
- count += le16toh (lf->nr_keys);
- }
-
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_children: nr_subkeys_in_nk = %zu, counted = %zu\n",
- nr_subkeys_in_nk, count);
-
- if (nr_subkeys_in_nk != count) {
- errno = ENOTSUP;
- goto error;
- }
-
- /* Copy list of children. Note nr_subkeys_in_nk is limited to
- * something reasonable above.
- */
- for (i = 0; i < nr_offsets; ++i) {
- hive_node_h offset = le32toh (ri->offset[i]);
- offset += 0x1000;
- if (!IS_VALID_BLOCK (h, offset)) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_children: returning EFAULT because ri-offset is not a valid block (0x%zx)\n",
- offset);
- errno = EFAULT;
- goto error;
- }
- if (!BLOCK_ID_EQ (h, offset, "lf") && !BLOCK_ID_EQ (h, offset, "lh")) {
- if (h->msglvl >= 2)
- fprintf (stderr, "get_children: returning ENOTSUP because ri-record offset does not point to lf/lh (0x%zx)\n",
- offset);
- errno = ENOTSUP;
- goto error;
- }
-
- struct ntreg_lf_record *lf =
- (struct ntreg_lf_record *) (h->addr + offset);
-
- size_t j;
- for (j = 0; j < le16toh (lf->nr_keys); ++j) {
- hive_node_h subkey = le32toh (lf->keys[j].offset);
- subkey += 0x1000;
- if (!(flags & GET_CHILDREN_NO_CHECK_NK)) {
- if (!IS_VALID_BLOCK (h, subkey)) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_children: returning EFAULT because indirect subkey is not a valid block (0x%zx)\n",
- subkey);
- errno = EFAULT;
- goto error;
- }
- }
- if (add_to_offset_list (&children, subkey) == -1)
- goto error;
- }
- }
- goto ok;
- }
- /* else not supported, set errno and fall through */
- if (h->msglvl >= 2)
- fprintf (stderr, "get_children: returning ENOTSUP because subkey block is not lf/lh/ri (0x%zx, %d, %d)\n",
- subkey_lf, block->id[0], block->id[1]);
- errno = ENOTSUP;
- error:
- free_offset_list (&children);
- free_offset_list (&blocks);
- return -1;
-
- ok:
- *children_ret = return_offset_list (&children);
- *blocks_ret = return_offset_list (&blocks);
- if (!*children_ret || !*blocks_ret)
- goto error;
- return 0;
-}
-
-hive_node_h *
-hivex_node_children (hive_h *h, hive_node_h node)
-{
- hive_node_h *children;
- size_t *blocks;
-
- if (get_children (h, node, &children, &blocks, 0) == -1)
- return NULL;
-
- free (blocks);
- return children;
-}
-
-/* Very inefficient, but at least having a separate API call
- * allows us to make it more efficient in future.
- */
-hive_node_h
-hivex_node_get_child (hive_h *h, hive_node_h node, const char *nname)
-{
- hive_node_h *children = NULL;
- char *name = NULL;
- hive_node_h ret = 0;
-
- children = hivex_node_children (h, node);
- if (!children) goto error;
-
- size_t i;
- for (i = 0; children[i] != 0; ++i) {
- name = hivex_node_name (h, children[i]);
- if (!name) goto error;
- if (STRCASEEQ (name, nname)) {
- ret = children[i];
- break;
- }
- free (name); name = NULL;
- }
-
- error:
- free (children);
- free (name);
- return ret;
-}
-
-hive_node_h
-hivex_node_parent (hive_h *h, hive_node_h node)
-{
- if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
- errno = EINVAL;
- return 0;
- }
-
- struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
-
- hive_node_h ret = le32toh (nk->parent);
- ret += 0x1000;
- if (!IS_VALID_BLOCK (h, ret)) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_parent: returning EFAULT because parent is not a valid block (0x%zx)\n",
- ret);
- errno = EFAULT;
- return 0;
- }
- return ret;
-}
-
-static int
-get_values (hive_h *h, hive_node_h node,
- hive_value_h **values_ret, size_t **blocks_ret)
-{
- if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
- errno = EINVAL;
- return -1;
- }
-
- struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
-
- size_t nr_values = le32toh (nk->nr_values);
-
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_values: nr_values = %zu\n", nr_values);
-
- INIT_OFFSET_LIST (values);
- INIT_OFFSET_LIST (blocks);
-
- /* Deal with the common "no values" case quickly. */
- if (nr_values == 0)
- goto ok;
-
- /* Arbitrarily limit the number of values we will ever deal with. */
- if (nr_values > HIVEX_MAX_VALUES) {
- errno = ERANGE;
- goto error;
- }
-
- /* Preallocate space for the values. */
- if (grow_offset_list (&values, nr_values) == -1)
- goto error;
-
- /* Get the value list and check it looks reasonable. */
- size_t vlist_offset = le32toh (nk->vallist);
- vlist_offset += 0x1000;
- if (!IS_VALID_BLOCK (h, vlist_offset)) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_values: returning EFAULT because value list is not a valid block (0x%zx)\n",
- vlist_offset);
- errno = EFAULT;
- goto error;
- }
-
- if (add_to_offset_list (&blocks, vlist_offset) == -1)
- goto error;
-
- struct ntreg_value_list *vlist =
- (struct ntreg_value_list *) (h->addr + vlist_offset);
-
- size_t len = block_len (h, vlist_offset, NULL);
- if (4 + nr_values * 4 > len) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_values: returning EFAULT because value list is too long (%zu, %zu)\n",
- nr_values, len);
- errno = EFAULT;
- goto error;
- }
-
- size_t i;
- for (i = 0; i < nr_values; ++i) {
- hive_node_h value = vlist->offset[i];
- value += 0x1000;
- if (!IS_VALID_BLOCK (h, value)) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_values: returning EFAULT because value is not a valid block (0x%zx)\n",
- value);
- errno = EFAULT;
- goto error;
- }
- if (add_to_offset_list (&values, value) == -1)
- goto error;
- }
-
- ok:
- *values_ret = return_offset_list (&values);
- *blocks_ret = return_offset_list (&blocks);
- if (!*values_ret || !*blocks_ret)
- goto error;
- return 0;
-
- error:
- free_offset_list (&values);
- free_offset_list (&blocks);
- return -1;
-}
-
-hive_value_h *
-hivex_node_values (hive_h *h, hive_node_h node)
-{
- hive_value_h *values;
- size_t *blocks;
-
- if (get_values (h, node, &values, &blocks) == -1)
- return NULL;
-
- free (blocks);
- return values;
-}
-
-/* Very inefficient, but at least having a separate API call
- * allows us to make it more efficient in future.
- */
-hive_value_h
-hivex_node_get_value (hive_h *h, hive_node_h node, const char *key)
-{
- hive_value_h *values = NULL;
- char *name = NULL;
- hive_value_h ret = 0;
-
- values = hivex_node_values (h, node);
- if (!values) goto error;
-
- size_t i;
- for (i = 0; values[i] != 0; ++i) {
- name = hivex_value_key (h, values[i]);
- if (!name) goto error;
- if (STRCASEEQ (name, key)) {
- ret = values[i];
- break;
- }
- free (name); name = NULL;
- }
-
- error:
- free (values);
- free (name);
- return ret;
-}
-
-char *
-hivex_value_key (hive_h *h, hive_value_h value)
-{
- if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) {
- errno = EINVAL;
- return 0;
- }
-
- struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value);
-
- /* AFAIK the key is always plain ASCII, so no conversion to UTF-8 is
- * necessary. However we do need to nul-terminate the string.
- */
-
- /* vk->name_len is unsigned, 16 bit, so this is safe ... However
- * we have to make sure the length doesn't exceed the block length.
- */
- size_t len = le16toh (vk->name_len);
- size_t seg_len = block_len (h, value, NULL);
- if (sizeof (struct ntreg_vk_record) + len - 1 > seg_len) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_value_key: returning EFAULT because key length is too long (%zu, %zu)\n",
- len, seg_len);
- errno = EFAULT;
- return NULL;
- }
-
- char *ret = malloc (len + 1);
- if (ret == NULL)
- return NULL;
- memcpy (ret, vk->name, len);
- ret[len] = '\0';
- return ret;
-}
-
-int
-hivex_value_type (hive_h *h, hive_value_h value, hive_type *t, size_t *len)
-{
- if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) {
- errno = EINVAL;
- return -1;
- }
-
- struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value);
-
- if (t)
- *t = le32toh (vk->data_type);
-
- if (len) {
- *len = le32toh (vk->data_len);
- *len &= 0x7fffffff; /* top bit indicates if data is stored inline */
- }
-
- return 0;
-}
-
-char *
-hivex_value_value (hive_h *h, hive_value_h value,
- hive_type *t_rtn, size_t *len_rtn)
-{
- if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) {
- errno = EINVAL;
- return NULL;
- }
-
- struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value);
-
- hive_type t;
- size_t len;
- int is_inline;
-
- t = le32toh (vk->data_type);
-
- len = le32toh (vk->data_len);
- is_inline = !!(len & 0x80000000);
- len &= 0x7fffffff;
-
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_value_value: value=0x%zx, t=%d, len=%zu, inline=%d\n",
- value, t, len, is_inline);
-
- if (t_rtn)
- *t_rtn = t;
- if (len_rtn)
- *len_rtn = len;
-
- if (is_inline && len > 4) {
- errno = ENOTSUP;
- return NULL;
- }
-
- /* Arbitrarily limit the length that we will read. */
- if (len > HIVEX_MAX_VALUE_LEN) {
- errno = ERANGE;
- return NULL;
- }
-
- char *ret = malloc (len);
- if (ret == NULL)
- return NULL;
-
- if (is_inline) {
- memcpy (ret, (char *) &vk->data_offset, len);
- return ret;
- }
-
- size_t data_offset = le32toh (vk->data_offset);
- data_offset += 0x1000;
- if (!IS_VALID_BLOCK (h, data_offset)) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_value_value: returning EFAULT because data offset is not a valid block (0x%zx)\n",
- data_offset);
- errno = EFAULT;
- free (ret);
- return NULL;
- }
-
- /* Check that the declared size isn't larger than the block its in.
- *
- * XXX Some apparently valid registries are seen to have this,
- * so turn this into a warning and substitute the smaller length
- * instead.
- */
- size_t blen = block_len (h, data_offset, NULL);
- if (len > blen - 4 /* subtract 4 for block header */) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_value_value: warning: declared data length is longer than the block it is in (data 0x%zx, data len %zu, block len %zu)\n",
- data_offset, len, blen);
- len = blen - 4;
- }
-
- char *data = h->addr + data_offset + 4;
- memcpy (ret, data, len);
- return ret;
-}
-
-static char *
-windows_utf16_to_utf8 (/* const */ char *input, size_t len)
-{
- iconv_t ic = iconv_open ("UTF-8", "UTF-16");
- if (ic == (iconv_t) -1)
- return NULL;
-
- /* iconv(3) has an insane interface ... */
-
- /* Mostly UTF-8 will be smaller, so this is a good initial guess. */
- size_t outalloc = len;
-
- again:;
- size_t inlen = len;
- size_t outlen = outalloc;
- char *out = malloc (outlen + 1);
- if (out == NULL) {
- int err = errno;
- iconv_close (ic);
- errno = err;
- return NULL;
- }
- char *inp = input;
- char *outp = out;
-
- size_t r = iconv (ic, &inp, &inlen, &outp, &outlen);
- if (r == (size_t) -1) {
- if (errno == E2BIG) {
- size_t prev = outalloc;
- /* Try again with a larger output buffer. */
- free (out);
- outalloc *= 2;
- if (outalloc < prev)
- return NULL;
- goto again;
- }
- else {
- /* Else some conversion failure, eg. EILSEQ, EINVAL. */
- int err = errno;
- iconv_close (ic);
- free (out);
- errno = err;
- return NULL;
- }
- }
-
- *outp = '\0';
- iconv_close (ic);
-
- return out;
-}
-
-char *
-hivex_value_string (hive_h *h, hive_value_h value)
-{
- hive_type t;
- size_t len;
- char *data = hivex_value_value (h, value, &t, &len);
-
- if (data == NULL)
- return NULL;
-
- if (t != hive_t_string && t != hive_t_expand_string && t != hive_t_link) {
- free (data);
- errno = EINVAL;
- return NULL;
- }
-
- char *ret = windows_utf16_to_utf8 (data, len);
- free (data);
- if (ret == NULL)
- return NULL;
-
- return ret;
-}
-
-static void
-free_strings (char **argv)
-{
- if (argv) {
- size_t i;
-
- for (i = 0; argv[i] != NULL; ++i)
- free (argv[i]);
- free (argv);
- }
-}
-
-/* Get the length of a UTF-16 format string. Handle the string as
- * pairs of bytes, looking for the first \0\0 pair.
- */
-static size_t
-utf16_string_len_in_bytes (const char *str)
-{
- size_t ret = 0;
-
- while (str[0] || str[1]) {
- str += 2;
- ret += 2;
- }
-
- return ret;
-}
-
-/* http://blogs.msdn.com/oldnewthing/archive/2009/10/08/9904646.aspx */
-char **
-hivex_value_multiple_strings (hive_h *h, hive_value_h value)
-{
- hive_type t;
- size_t len;
- char *data = hivex_value_value (h, value, &t, &len);
-
- if (data == NULL)
- return NULL;
-
- if (t != hive_t_multiple_strings) {
- free (data);
- errno = EINVAL;
- return NULL;
- }
-
- size_t nr_strings = 0;
- char **ret = malloc ((1 + nr_strings) * sizeof (char *));
- if (ret == NULL) {
- free (data);
- return NULL;
- }
- ret[0] = NULL;
-
- char *p = data;
- size_t plen;
-
- while (p < data + len && (plen = utf16_string_len_in_bytes (p)) > 0) {
- nr_strings++;
- char **ret2 = realloc (ret, (1 + nr_strings) * sizeof (char *));
- if (ret2 == NULL) {
- free_strings (ret);
- free (data);
- return NULL;
- }
- ret = ret2;
-
- ret[nr_strings-1] = windows_utf16_to_utf8 (p, plen);
- ret[nr_strings] = NULL;
- if (ret[nr_strings-1] == NULL) {
- free_strings (ret);
- free (data);
- return NULL;
- }
-
- p += plen + 2 /* skip over UTF-16 \0\0 at the end of this string */;
- }
-
- free (data);
- return ret;
-}
-
-int32_t
-hivex_value_dword (hive_h *h, hive_value_h value)
-{
- hive_type t;
- size_t len;
- char *data = hivex_value_value (h, value, &t, &len);
-
- if (data == NULL)
- return -1;
-
- if ((t != hive_t_dword && t != hive_t_dword_be) || len != 4) {
- free (data);
- errno = EINVAL;
- return -1;
- }
-
- int32_t ret = *(int32_t*)data;
- free (data);
- if (t == hive_t_dword) /* little endian */
- ret = le32toh (ret);
- else
- ret = be32toh (ret);
-
- return ret;
-}
-
-int64_t
-hivex_value_qword (hive_h *h, hive_value_h value)
-{
- hive_type t;
- size_t len;
- char *data = hivex_value_value (h, value, &t, &len);
-
- if (data == NULL)
- return -1;
-
- if (t != hive_t_qword || len != 8) {
- free (data);
- errno = EINVAL;
- return -1;
- }
-
- int64_t ret = *(int64_t*)data;
- free (data);
- ret = le64toh (ret); /* always little endian */
-
- return ret;
-}
-
-/*----------------------------------------------------------------------
- * Visiting.
- */
-
-int
-hivex_visit (hive_h *h, const struct hivex_visitor *visitor, size_t len,
- void *opaque, int flags)
-{
- return hivex_visit_node (h, hivex_root (h), visitor, len, opaque, flags);
-}
-
-static int hivex__visit_node (hive_h *h, hive_node_h node, const struct hivex_visitor *vtor, char *unvisited, void *opaque, int flags);
-
-int
-hivex_visit_node (hive_h *h, hive_node_h node,
- const struct hivex_visitor *visitor, size_t len, void *opaque,
- int flags)
-{
- struct hivex_visitor vtor;
- memset (&vtor, 0, sizeof vtor);
-
- /* Note that len might be larger *or smaller* than the expected size. */
- size_t copysize = len <= sizeof vtor ? len : sizeof vtor;
- memcpy (&vtor, visitor, copysize);
-
- /* This bitmap records unvisited nodes, so we don't loop if the
- * registry contains cycles.
- */
- char *unvisited = malloc (1 + h->size / 32);
- if (unvisited == NULL)
- return -1;
- memcpy (unvisited, h->bitmap, 1 + h->size / 32);
-
- int r = hivex__visit_node (h, node, &vtor, unvisited, opaque, flags);
- free (unvisited);
- return r;
-}
-
-static int
-hivex__visit_node (hive_h *h, hive_node_h node,
- const struct hivex_visitor *vtor, char *unvisited,
- void *opaque, int flags)
-{
- int skip_bad = flags & HIVEX_VISIT_SKIP_BAD;
- char *name = NULL;
- hive_value_h *values = NULL;
- hive_node_h *children = NULL;
- char *key = NULL;
- char *str = NULL;
- char **strs = NULL;
- int i;
-
- /* Return -1 on all callback errors. However on internal errors,
- * check if skip_bad is set and suppress those errors if so.
- */
- int ret = -1;
-
- if (!BITMAP_TST (unvisited, node)) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex__visit_node: contains cycle: visited node 0x%zx already\n",
- node);
-
- errno = ELOOP;
- return skip_bad ? 0 : -1;
- }
- BITMAP_CLR (unvisited, node);
-
- name = hivex_node_name (h, node);
- if (!name) return skip_bad ? 0 : -1;
- if (vtor->node_start && vtor->node_start (h, opaque, node, name) == -1)
- goto error;
-
- values = hivex_node_values (h, node);
- if (!values) {
- ret = skip_bad ? 0 : -1;
- goto error;
- }
-
- for (i = 0; values[i] != 0; ++i) {
- hive_type t;
- size_t len;
-
- if (hivex_value_type (h, values[i], &t, &len) == -1) {
- ret = skip_bad ? 0 : -1;
- goto error;
- }
-
- key = hivex_value_key (h, values[i]);
- if (key == NULL) {
- ret = skip_bad ? 0 : -1;
- goto error;
- }
-
- if (vtor->value_any) {
- str = hivex_value_value (h, values[i], &t, &len);
- if (str == NULL) {
- ret = skip_bad ? 0 : -1;
- goto error;
- }
- if (vtor->value_any (h, opaque, node, values[i], t, len, key, str) == -1)
- goto error;
- free (str); str = NULL;
- }
- else {
- switch (t) {
- case hive_t_none:
- str = hivex_value_value (h, values[i], &t, &len);
- if (str == NULL) {
- ret = skip_bad ? 0 : -1;
- goto error;
- }
- if (t != hive_t_none) {
- ret = skip_bad ? 0 : -1;
- goto error;
- }
- if (vtor->value_none &&
- vtor->value_none (h, opaque, node, values[i], t, len, key, str) == -1)
- goto error;
- free (str); str = NULL;
- break;
-
- case hive_t_string:
- case hive_t_expand_string:
- case hive_t_link:
- str = hivex_value_string (h, values[i]);
- if (str == NULL) {
- if (errno != EILSEQ && errno != EINVAL) {
- ret = skip_bad ? 0 : -1;
- goto error;
- }
- if (vtor->value_string_invalid_utf16) {
- str = hivex_value_value (h, values[i], &t, &len);
- if (vtor->value_string_invalid_utf16 (h, opaque, node, values[i], t, len, key, str) == -1)
- goto error;
- free (str); str = NULL;
- }
- break;
- }
- if (vtor->value_string &&
- vtor->value_string (h, opaque, node, values[i], t, len, key, str) == -1)
- goto error;
- free (str); str = NULL;
- break;
-
- case hive_t_dword:
- case hive_t_dword_be: {
- int32_t i32 = hivex_value_dword (h, values[i]);
- if (vtor->value_dword &&
- vtor->value_dword (h, opaque, node, values[i], t, len, key, i32) == -1)
- goto error;
- break;
- }
-
- case hive_t_qword: {
- int64_t i64 = hivex_value_qword (h, values[i]);
- if (vtor->value_qword &&
- vtor->value_qword (h, opaque, node, values[i], t, len, key, i64) == -1)
- goto error;
- break;
- }
-
- case hive_t_binary:
- str = hivex_value_value (h, values[i], &t, &len);
- if (str == NULL) {
- ret = skip_bad ? 0 : -1;
- goto error;
- }
- if (t != hive_t_binary) {
- ret = skip_bad ? 0 : -1;
- goto error;
- }
- if (vtor->value_binary &&
- vtor->value_binary (h, opaque, node, values[i], t, len, key, str) == -1)
- goto error;
- free (str); str = NULL;
- break;
-
- case hive_t_multiple_strings:
- strs = hivex_value_multiple_strings (h, values[i]);
- if (strs == NULL) {
- if (errno != EILSEQ && errno != EINVAL) {
- ret = skip_bad ? 0 : -1;
- goto error;
- }
- if (vtor->value_string_invalid_utf16) {
- str = hivex_value_value (h, values[i], &t, &len);
- if (vtor->value_string_invalid_utf16 (h, opaque, node, values[i], t, len, key, str) == -1)
- goto error;
- free (str); str = NULL;
- }
- break;
- }
- if (vtor->value_multiple_strings &&
- vtor->value_multiple_strings (h, opaque, node, values[i], t, len, key, strs) == -1)
- goto error;
- free_strings (strs); strs = NULL;
- break;
-
- case hive_t_resource_list:
- case hive_t_full_resource_description:
- case hive_t_resource_requirements_list:
- default:
- str = hivex_value_value (h, values[i], &t, &len);
- if (str == NULL) {
- ret = skip_bad ? 0 : -1;
- goto error;
- }
- if (vtor->value_other &&
- vtor->value_other (h, opaque, node, values[i], t, len, key, str) == -1)
- goto error;
- free (str); str = NULL;
- break;
- }
- }
-
- free (key); key = NULL;
- }
-
- children = hivex_node_children (h, node);
- if (children == NULL) {
- ret = skip_bad ? 0 : -1;
- goto error;
- }
-
- for (i = 0; children[i] != 0; ++i) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex__visit_node: %s: visiting subkey %d (0x%zx)\n",
- name, i, children[i]);
-
- if (hivex__visit_node (h, children[i], vtor, unvisited, opaque, flags) == -1)
- goto error;
- }
-
- if (vtor->node_end && vtor->node_end (h, opaque, node, name) == -1)
- goto error;
-
- ret = 0;
-
- error:
- free (name);
- free (values);
- free (children);
- free (key);
- free (str);
- free_strings (strs);
- return ret;
-}
-
-/*----------------------------------------------------------------------
- * Writing.
- */
-
-/* Allocate an hbin (page), extending the malloc'd space if necessary,
- * and updating the hive handle fields (but NOT the hive disk header
- * -- the hive disk header is updated when we commit). This function
- * also extends the bitmap if necessary.
- *
- * 'allocation_hint' is the size of the block allocation we would like
- * to make. Normally registry blocks are very small (avg 50 bytes)
- * and are contained in standard-sized pages (4KB), but the registry
- * can support blocks which are larger than a standard page, in which
- * case it creates a page of 8KB, 12KB etc.
- *
- * Returns:
- * > 0 : offset of first usable byte of new page (after page header)
- * 0 : error (errno set)
- */
-static size_t
-allocate_page (hive_h *h, size_t allocation_hint)
-{
- /* In almost all cases this will be 1. */
- size_t nr_4k_pages =
- 1 + (allocation_hint + sizeof (struct ntreg_hbin_page) - 1) / 4096;
- assert (nr_4k_pages >= 1);
-
- /* 'extend' is the number of bytes to extend the file by. Note that
- * hives found in the wild often contain slack between 'endpages'
- * and the actual end of the file, so we don't always need to make
- * the file larger.
- */
- ssize_t extend = h->endpages + nr_4k_pages * 4096 - h->size;
-
- if (h->msglvl >= 2) {
- fprintf (stderr, "allocate_page: current endpages = 0x%zx, current size = 0x%zx\n",
- h->endpages, h->size);
- fprintf (stderr, "allocate_page: extending file by %zd bytes (<= 0 if no extension)\n",
- extend);
- }
-
- if (extend > 0) {
- size_t oldsize = h->size;
- size_t newsize = h->size + extend;
- char *newaddr = realloc (h->addr, newsize);
- if (newaddr == NULL)
- return 0;
-
- size_t oldbitmapsize = 1 + oldsize / 32;
- size_t newbitmapsize = 1 + newsize / 32;
- char *newbitmap = realloc (h->bitmap, newbitmapsize);
- if (newbitmap == NULL) {
- free (newaddr);
- return 0;
- }
-
- h->addr = newaddr;
- h->size = newsize;
- h->bitmap = newbitmap;
-
- memset (h->addr + oldsize, 0, newsize - oldsize);
- memset (h->bitmap + oldbitmapsize, 0, newbitmapsize - oldbitmapsize);
- }
-
- size_t offset = h->endpages;
- h->endpages += nr_4k_pages * 4096;
-
- if (h->msglvl >= 2)
- fprintf (stderr, "allocate_page: new endpages = 0x%zx, new size = 0x%zx\n",
- h->endpages, h->size);
-
- /* Write the hbin header. */
- struct ntreg_hbin_page *page =
- (struct ntreg_hbin_page *) (h->addr + offset);
- page->magic[0] = 'h';
- page->magic[1] = 'b';
- page->magic[2] = 'i';
- page->magic[3] = 'n';
- page->offset_first = htole32 (offset - 0x1000);
- page->page_size = htole32 (nr_4k_pages * 4096);
- memset (page->unknown, 0, sizeof (page->unknown));
-
- if (h->msglvl >= 2)
- fprintf (stderr, "allocate_page: new page at 0x%zx\n", offset);
-
- /* Offset of first usable byte after the header. */
- return offset + sizeof (struct ntreg_hbin_page);
-}
-
-/* Allocate a single block, first allocating an hbin (page) at the end
- * of the current file if necessary. NB. To keep the implementation
- * simple and more likely to be correct, we do not reuse existing free
- * blocks.
- *
- * seg_len is the size of the block (this INCLUDES the block header).
- * The header of the block is initialized to -seg_len (negative to
- * indicate used). id[2] is the block ID (type), eg. "nk" for nk-
- * record. The block bitmap is updated to show this block as valid.
- * The rest of the contents of the block will be zero.
- *
- * Returns:
- * > 0 : offset of new block
- * 0 : error (errno set)
- */
-static size_t
-allocate_block (hive_h *h, size_t seg_len, const char id[2])
-{
- if (!h->writable) {
- errno = EROFS;
- return 0;
- }
-
- if (seg_len < 4) {
- /* The caller probably forgot to include the header. Note that
- * value lists have no ID field, so seg_len == 4 would be possible
- * for them, albeit unusual.
- */
- if (h->msglvl >= 2)
- fprintf (stderr, "allocate_block: refusing too small allocation (%zu), returning ERANGE\n",
- seg_len);
- errno = ERANGE;
- return 0;
- }
-
- /* Refuse really large allocations. */
- if (seg_len > HIVEX_MAX_ALLOCATION) {
- if (h->msglvl >= 2)
- fprintf (stderr, "allocate_block: refusing large allocation (%zu), returning ERANGE\n",
- seg_len);
- errno = ERANGE;
- return 0;
- }
-
- /* Round up allocation to multiple of 8 bytes. All blocks must be
- * on an 8 byte boundary.
- */
- seg_len = (seg_len + 7) & ~7;
-
- /* Allocate a new page if necessary. */
- if (h->endblocks == 0 || h->endblocks + seg_len > h->endpages) {
- size_t newendblocks = allocate_page (h, seg_len);
- if (newendblocks == 0)
- return 0;
- h->endblocks = newendblocks;
- }
-
- size_t offset = h->endblocks;
-
- if (h->msglvl >= 2)
- fprintf (stderr, "allocate_block: new block at 0x%zx, size %zu\n",
- offset, seg_len);
-
- struct ntreg_hbin_block *blockhdr =
- (struct ntreg_hbin_block *) (h->addr + offset);
-
- blockhdr->seg_len = htole32 (- (int32_t) seg_len);
- if (id[0] && id[1] && seg_len >= sizeof (struct ntreg_hbin_block)) {
- blockhdr->id[0] = id[0];
- blockhdr->id[1] = id[1];
- }
-
- BITMAP_SET (h->bitmap, offset);
-
- h->endblocks += seg_len;
-
- /* If there is space after the last block in the last page, then we
- * have to put a dummy free block header here to mark the rest of
- * the page as free.
- */
- ssize_t rem = h->endpages - h->endblocks;
- if (rem > 0) {
- if (h->msglvl >= 2)
- fprintf (stderr, "allocate_block: marking remainder of page free starting at 0x%zx, size %zd\n",
- h->endblocks, rem);
-
- assert (rem >= 4);
-
- blockhdr = (struct ntreg_hbin_block *) (h->addr + h->endblocks);
- blockhdr->seg_len = htole32 ((int32_t) rem);
- }
-
- return offset;
-}
-
-/* 'offset' must point to a valid, used block. This function marks
- * the block unused (by updating the seg_len field) and invalidates
- * the bitmap. It does NOT do this recursively, so to avoid creating
- * unreachable used blocks, callers may have to recurse over the hive
- * structures. Also callers must ensure there are no references to
- * this block from other parts of the hive.
- */
-static void
-mark_block_unused (hive_h *h, size_t offset)
-{
- assert (h->writable);
- assert (IS_VALID_BLOCK (h, offset));
-
- if (h->msglvl >= 2)
- fprintf (stderr, "mark_block_unused: marking 0x%zx unused\n", offset);
-
- struct ntreg_hbin_block *blockhdr =
- (struct ntreg_hbin_block *) (h->addr + offset);
-
- size_t seg_len = block_len (h, offset, NULL);
- blockhdr->seg_len = htole32 (seg_len);
-
- BITMAP_CLR (h->bitmap, offset);
-}
-
-/* Delete all existing values at this node. */
-static int
-delete_values (hive_h *h, hive_node_h node)
-{
- assert (h->writable);
-
- hive_value_h *values;
- size_t *blocks;
- if (get_values (h, node, &values, &blocks) == -1)
- return -1;
-
- size_t i;
- for (i = 0; blocks[i] != 0; ++i)
- mark_block_unused (h, blocks[i]);
-
- free (blocks);
-
- for (i = 0; values[i] != 0; ++i) {
- struct ntreg_vk_record *vk =
- (struct ntreg_vk_record *) (h->addr + values[i]);
-
- size_t len;
- int is_inline;
- len = le32toh (vk->data_len);
- is_inline = !!(len & 0x80000000); /* top bit indicates is inline */
- len &= 0x7fffffff;
-
- if (!is_inline) { /* non-inline, so remove data block */
- size_t data_offset = le32toh (vk->data_offset);
- data_offset += 0x1000;
- mark_block_unused (h, data_offset);
- }
-
- /* remove vk record */
- mark_block_unused (h, values[i]);
- }
-
- free (values);
-
- struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
- nk->nr_values = htole32 (0);
- nk->vallist = htole32 (0xffffffff);
-
- return 0;
-}
-
-int
-hivex_commit (hive_h *h, const char *filename, int flags)
-{
- if (flags != 0) {
- errno = EINVAL;
- return -1;
- }
-
- if (!h->writable) {
- errno = EROFS;
- return -1;
- }
-
- filename = filename ? : h->filename;
- int fd = open (filename, O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY, 0666);
- if (fd == -1)
- return -1;
-
- /* Update the header fields. */
- uint32_t sequence = le32toh (h->hdr->sequence1);
- sequence++;
- h->hdr->sequence1 = htole32 (sequence);
- h->hdr->sequence2 = htole32 (sequence);
- /* XXX Ought to update h->hdr->last_modified. */
- h->hdr->blocks = htole32 (h->endpages - 0x1000);
-
- /* Recompute header checksum. */
- uint32_t sum = header_checksum (h);
- h->hdr->csum = htole32 (sum);
-
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_commit: new header checksum: 0x%x\n", sum);
-
- if (full_write (fd, h->addr, h->size) != h->size) {
- int err = errno;
- close (fd);
- errno = err;
- return -1;
- }
-
- if (close (fd) == -1)
- return -1;
-
- return 0;
-}
-
-/* Calculate the hash for a lf or lh record offset.
- */
-static void
-calc_hash (const char *type, const char *name, char *ret)
-{
- size_t len = strlen (name);
-
- if (STRPREFIX (type, "lf"))
- /* Old-style, not used in current registries. */
- memcpy (ret, name, len < 4 ? len : 4);
- else {
- /* New-style for lh-records. */
- size_t i, c;
- uint32_t h = 0;
- for (i = 0; i < len; ++i) {
- c = c_toupper (name[i]);
- h *= 37;
- h += c;
- }
- *((uint32_t *) ret) = htole32 (h);
- }
-}
-
-/* Create a completely new lh-record containing just the single node. */
-static size_t
-new_lh_record (hive_h *h, const char *name, hive_node_h node)
-{
- static const char id[2] = { 'l', 'h' };
- size_t seg_len = sizeof (struct ntreg_lf_record);
- size_t offset = allocate_block (h, seg_len, id);
- if (offset == 0)
- return 0;
-
- struct ntreg_lf_record *lh = (struct ntreg_lf_record *) (h->addr + offset);
- lh->nr_keys = htole16 (1);
- lh->keys[0].offset = htole32 (node - 0x1000);
- calc_hash ("lh", name, lh->keys[0].hash);
-
- return offset;
-}
-
-/* Insert node into existing lf/lh-record at position.
- * This allocates a new record and marks the old one as unused.
- */
-static size_t
-insert_lf_record (hive_h *h, size_t old_offs, size_t posn,
- const char *name, hive_node_h node)
-{
- assert (IS_VALID_BLOCK (h, old_offs));
-
- /* Work around C stupidity.
- * http://www.redhat.com/archives/libguestfs/2010-February/msg00056.html
- */
- int test = BLOCK_ID_EQ (h, old_offs, "lf") || BLOCK_ID_EQ (h, old_offs, "lh");
- assert (test);
-
- struct ntreg_lf_record *old_lf =
- (struct ntreg_lf_record *) (h->addr + old_offs);
- size_t nr_keys = le16toh (old_lf->nr_keys);
-
- nr_keys++; /* in new record ... */
-
- size_t seg_len = sizeof (struct ntreg_lf_record) + (nr_keys-1) * 8;
- size_t new_offs = allocate_block (h, seg_len, old_lf->id);
- if (new_offs == 0)
- return 0;
-
- struct ntreg_lf_record *new_lf =
- (struct ntreg_lf_record *) (h->addr + new_offs);
- new_lf->nr_keys = htole16 (nr_keys);
-
- /* Copy the keys until we reach posn, insert the new key there, then
- * copy the remaining keys.
- */
- size_t i;
- for (i = 0; i < posn; ++i)
- new_lf->keys[i] = old_lf->keys[i];
-
- new_lf->keys[i].offset = htole32 (node - 0x1000);
- calc_hash (new_lf->id, name, new_lf->keys[i].hash);
-
- for (i = posn+1; i < nr_keys; ++i)
- new_lf->keys[i] = old_lf->keys[i-1];
-
- /* Old block is unused, return new block. */
- mark_block_unused (h, old_offs);
- return new_offs;
-}
-
-/* Compare name with name in nk-record. */
-static int
-compare_name_with_nk_name (hive_h *h, const char *name, hive_node_h nk_offs)
-{
- assert (IS_VALID_BLOCK (h, nk_offs));
- assert (BLOCK_ID_EQ (h, nk_offs, "nk"));
-
- /* Name in nk is not necessarily nul-terminated. */
- char *nname = hivex_node_name (h, nk_offs);
-
- /* Unfortunately we don't have a way to return errors here. */
- if (!nname) {
- perror ("compare_name_with_nk_name");
- return 0;
- }
-
- int r = strcasecmp (name, nname);
- free (nname);
-
- return r;
-}
-
-hive_node_h
-hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name)
-{
- if (!h->writable) {
- errno = EROFS;
- return 0;
- }
-
- if (!IS_VALID_BLOCK (h, parent) || !BLOCK_ID_EQ (h, parent, "nk")) {
- errno = EINVAL;
- return 0;
- }
-
- if (name == NULL || strlen (name) == 0) {
- errno = EINVAL;
- return 0;
- }
-
- if (hivex_node_get_child (h, parent, name) != 0) {
- errno = EEXIST;
- return 0;
- }
-
- /* Create the new nk-record. */
- static const char nk_id[2] = { 'n', 'k' };
- size_t seg_len = sizeof (struct ntreg_nk_record) + strlen (name);
- hive_node_h node = allocate_block (h, seg_len, nk_id);
- if (node == 0)
- return 0;
-
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_add_child: allocated new nk-record for child at 0x%zx\n", node);
-
- struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
- nk->flags = htole16 (0x0020); /* key is ASCII. */
- nk->parent = htole32 (parent - 0x1000);
- nk->subkey_lf = htole32 (0xffffffff);
- nk->subkey_lf_volatile = htole32 (0xffffffff);
- nk->vallist = htole32 (0xffffffff);
- nk->classname = htole32 (0xffffffff);
- nk->name_len = htole16 (strlen (name));
- strcpy (nk->name, name);
-
- /* Inherit parent sk. */
- struct ntreg_nk_record *parent_nk =
- (struct ntreg_nk_record *) (h->addr + parent);
- size_t parent_sk_offset = le32toh (parent_nk->sk);
- parent_sk_offset += 0x1000;
- if (!IS_VALID_BLOCK (h, parent_sk_offset) ||
- !BLOCK_ID_EQ (h, parent_sk_offset, "sk")) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_add_child: returning EFAULT because parent sk is not a valid block (%zu)\n",
- parent_sk_offset);
- errno = EFAULT;
- return 0;
- }
- struct ntreg_sk_record *sk =
- (struct ntreg_sk_record *) (h->addr + parent_sk_offset);
- sk->refcount = htole32 (le32toh (sk->refcount) + 1);
- nk->sk = htole32 (parent_sk_offset - 0x1000);
-
- /* Inherit parent timestamp. */
- memcpy (nk->timestamp, parent_nk->timestamp, sizeof (parent_nk->timestamp));
-
- /* What I found out the hard way (not documented anywhere): the
- * subkeys in lh-records must be kept sorted. If you just add a
- * subkey in a non-sorted position (eg. just add it at the end) then
- * Windows won't see the subkey _and_ Windows will corrupt the hive
- * itself when it modifies or saves it.
- *
- * So use get_children() to get a list of intermediate
- * lf/lh-records. get_children() returns these in reading order
- * (which is sorted), so we look for the lf/lh-records in sequence
- * until we find the key name just after the one we are inserting,
- * and we insert the subkey just before it.
- *
- * The only other case is the no-subkeys case, where we have to
- * create a brand new lh-record.
- */
- hive_node_h *unused;
- size_t *blocks;
-
- if (get_children (h, parent, &unused, &blocks, 0) == -1)
- return 0;
- free (unused);
-
- size_t i, j;
- size_t nr_subkeys_in_parent_nk = le32toh (parent_nk->nr_subkeys);
- if (nr_subkeys_in_parent_nk == 0) { /* No subkeys case. */
- /* Free up any existing intermediate blocks. */
- for (i = 0; blocks[i] != 0; ++i)
- mark_block_unused (h, blocks[i]);
- size_t lh_offs = new_lh_record (h, name, node);
- if (lh_offs == 0) {
- free (blocks);
- return 0;
- }
-
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_add_child: no keys, allocated new lh-record at 0x%zx\n", lh_offs);
-
- parent_nk->subkey_lf = htole32 (lh_offs - 0x1000);
- }
- else { /* Insert subkeys case. */
- size_t old_offs = 0, new_offs = 0;
- struct ntreg_lf_record *old_lf = NULL;
-
- /* Find lf/lh key name just after the one we are inserting. */
- for (i = 0; blocks[i] != 0; ++i) {
- if (BLOCK_ID_EQ (h, blocks[i], "lf") ||
- BLOCK_ID_EQ (h, blocks[i], "lh")) {
- old_offs = blocks[i];
- old_lf = (struct ntreg_lf_record *) (h->addr + old_offs);
- for (j = 0; j < le16toh (old_lf->nr_keys); ++j) {
- hive_node_h nk_offs = le32toh (old_lf->keys[j].offset);
- nk_offs += 0x1000;
- if (compare_name_with_nk_name (h, name, nk_offs) < 0)
- goto insert_it;
- }
- }
- }
-
- /* Insert it at the end.
- * old_offs points to the last lf record, set j.
- */
- assert (old_offs != 0); /* should never happen if nr_subkeys > 0 */
- j = le16toh (old_lf->nr_keys);
-
- /* Insert it. */
- insert_it:
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_add_child: insert key in existing lh-record at 0x%zx, posn %zu\n", old_offs, j);
-
- new_offs = insert_lf_record (h, old_offs, j, name, node);
- if (new_offs == 0) {
- free (blocks);
- return 0;
- }
-
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_add_child: new lh-record at 0x%zx\n",
- new_offs);
-
- /* If the lf/lh-record was directly referenced by the parent nk,
- * then update the parent nk.
- */
- if (le32toh (parent_nk->subkey_lf) + 0x1000 == old_offs)
- parent_nk->subkey_lf = htole32 (new_offs - 0x1000);
- /* Else we have to look for the intermediate ri-record and update
- * that in-place.
- */
- else {
- for (i = 0; blocks[i] != 0; ++i) {
- if (BLOCK_ID_EQ (h, blocks[i], "ri")) {
- struct ntreg_ri_record *ri =
- (struct ntreg_ri_record *) (h->addr + blocks[i]);
- for (j = 0; j < le16toh (ri->nr_offsets); ++j)
- if (le32toh (ri->offset[j] + 0x1000) == old_offs) {
- ri->offset[j] = htole32 (new_offs - 0x1000);
- goto found_it;
- }
- }
- }
-
- /* Not found .. This is an internal error. */
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_add_child: returning ENOTSUP because could not find ri->lf link\n");
- errno = ENOTSUP;
- free (blocks);
- return 0;
-
- found_it:
- ;
- }
- }
-
- free (blocks);
-
- /* Update nr_subkeys in parent nk. */
- nr_subkeys_in_parent_nk++;
- parent_nk->nr_subkeys = htole32 (nr_subkeys_in_parent_nk);
-
- /* Update max_subkey_name_len in parent nk. */
- uint16_t max = le16toh (parent_nk->max_subkey_name_len);
- if (max < strlen (name) * 2) /* *2 because "recoded" in UTF16-LE. */
- parent_nk->max_subkey_name_len = htole16 (strlen (name) * 2);
-
- return node;
-}
-
-/* Decrement the refcount of an sk-record, and if it reaches zero,
- * unlink it from the chain and delete it.
- */
-static int
-delete_sk (hive_h *h, size_t sk_offset)
-{
- if (!IS_VALID_BLOCK (h, sk_offset) || !BLOCK_ID_EQ (h, sk_offset, "sk")) {
- if (h->msglvl >= 2)
- fprintf (stderr, "delete_sk: not an sk record: 0x%zx\n", sk_offset);
- errno = EFAULT;
- return -1;
- }
-
- struct ntreg_sk_record *sk = (struct ntreg_sk_record *) (h->addr + sk_offset);
-
- if (sk->refcount == 0) {
- if (h->msglvl >= 2)
- fprintf (stderr, "delete_sk: sk record already has refcount 0: 0x%zx\n",
- sk_offset);
- errno = EINVAL;
- return -1;
- }
-
- sk->refcount--;
-
- if (sk->refcount == 0) {
- size_t sk_prev_offset = sk->sk_prev;
- sk_prev_offset += 0x1000;
-
- size_t sk_next_offset = sk->sk_next;
- sk_next_offset += 0x1000;
-
- /* Update sk_prev/sk_next SKs, unless they both point back to this
- * cell in which case we are deleting the last SK.
- */
- if (sk_prev_offset != sk_offset && sk_next_offset != sk_offset) {
- struct ntreg_sk_record *sk_prev =
- (struct ntreg_sk_record *) (h->addr + sk_prev_offset);
- struct ntreg_sk_record *sk_next =
- (struct ntreg_sk_record *) (h->addr + sk_next_offset);
-
- sk_prev->sk_next = htole32 (sk_next_offset - 0x1000);
- sk_next->sk_prev = htole32 (sk_prev_offset - 0x1000);
- }
-
- /* Refcount is zero so really delete this block. */
- mark_block_unused (h, sk_offset);
- }
-
- return 0;
-}
-
-/* Callback from hivex_node_delete_child which is called to delete a
- * node AFTER its subnodes have been visited. The subnodes have been
- * deleted but we still have to delete any lf/lh/li/ri records and the
- * value list block and values, followed by deleting the node itself.
- */
-static int
-delete_node (hive_h *h, void *opaque, hive_node_h node, const char *name)
-{
- /* Get the intermediate blocks. The subkeys have already been
- * deleted by this point, so tell get_children() not to check for
- * validity of the nk-records.
- */
- hive_node_h *unused;
- size_t *blocks;
- if (get_children (h, node, &unused, &blocks, GET_CHILDREN_NO_CHECK_NK) == -1)
- return -1;
- free (unused);
-
- /* We don't care what's in these intermediate blocks, so we can just
- * delete them unconditionally.
- */
- size_t i;
- for (i = 0; blocks[i] != 0; ++i)
- mark_block_unused (h, blocks[i]);
-
- free (blocks);
-
- /* Delete the values in the node. */
- if (delete_values (h, node) == -1)
- return -1;
-
- struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
-
- /* If the NK references an SK, delete it. */
- size_t sk_offs = le32toh (nk->sk);
- if (sk_offs != 0xffffffff) {
- sk_offs += 0x1000;
- if (delete_sk (h, sk_offs) == -1)
- return -1;
- nk->sk = htole32 (0xffffffff);
- }
-
- /* If the NK references a classname, delete it. */
- size_t cl_offs = le32toh (nk->classname);
- if (cl_offs != 0xffffffff) {
- cl_offs += 0x1000;
- mark_block_unused (h, cl_offs);
- nk->classname = htole32 (0xffffffff);
- }
-
- /* Delete the node itself. */
- mark_block_unused (h, node);
-
- return 0;
-}
-
-int
-hivex_node_delete_child (hive_h *h, hive_node_h node)
-{
- if (!h->writable) {
- errno = EROFS;
- return -1;
- }
-
- if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
- errno = EINVAL;
- return -1;
- }
-
- if (node == hivex_root (h)) {
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_delete_child: cannot delete root node\n");
- errno = EINVAL;
- return -1;
- }
-
- hive_node_h parent = hivex_node_parent (h, node);
- if (parent == 0)
- return -1;
-
- /* Delete node and all its children and values recursively. */
- static const struct hivex_visitor visitor = { .node_end = delete_node };
- if (hivex_visit_node (h, node, &visitor, sizeof visitor, NULL, 0) == -1)
- return -1;
-
- /* Delete the link from parent to child. We need to find the lf/lh
- * record which contains the offset and remove the offset from that
- * record, then decrement the element count in that record, and
- * decrement the overall number of subkeys stored in the parent
- * node.
- */
- hive_node_h *unused;
- size_t *blocks;
- if (get_children (h, parent, &unused, &blocks, GET_CHILDREN_NO_CHECK_NK)== -1)
- return -1;
- free (unused);
-
- size_t i, j;
- for (i = 0; blocks[i] != 0; ++i) {
- struct ntreg_hbin_block *block =
- (struct ntreg_hbin_block *) (h->addr + blocks[i]);
-
- if (block->id[0] == 'l' && (block->id[1] == 'f' || block->id[1] == 'h')) {
- struct ntreg_lf_record *lf = (struct ntreg_lf_record *) block;
-
- size_t nr_subkeys_in_lf = le16toh (lf->nr_keys);
-
- for (j = 0; j < nr_subkeys_in_lf; ++j)
- if (le32toh (lf->keys[j].offset) + 0x1000 == node) {
- for (; j < nr_subkeys_in_lf - 1; ++j)
- memcpy (&lf->keys[j], &lf->keys[j+1], sizeof (lf->keys[j]));
- lf->nr_keys = htole16 (nr_subkeys_in_lf - 1);
- goto found;
- }
- }
- }
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_delete_child: could not find parent to child link\n");
- errno = ENOTSUP;
- return -1;
-
- found:;
- struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + parent);
- size_t nr_subkeys_in_nk = le32toh (nk->nr_subkeys);
- nk->nr_subkeys = htole32 (nr_subkeys_in_nk - 1);
-
- if (h->msglvl >= 2)
- fprintf (stderr, "hivex_node_delete_child: updating nr_subkeys in parent 0x%zx to %zu\n",
- parent, nr_subkeys_in_nk);
-
- return 0;
-}
-
-int
-hivex_node_set_values (hive_h *h, hive_node_h node,
- size_t nr_values, const hive_set_value *values,
- int flags)
-{
- if (!h->writable) {
- errno = EROFS;
- return -1;
- }
-
- if (!IS_VALID_BLOCK (h, node) || !BLOCK_ID_EQ (h, node, "nk")) {
- errno = EINVAL;
- return -1;
- }
-
- /* Delete all existing values. */
- if (delete_values (h, node) == -1)
- return -1;
-
- if (nr_values == 0)
- return 0;
-
- /* Allocate value list node. Value lists have no id field. */
- static const char nul_id[2] = { 0, 0 };
- size_t seg_len =
- sizeof (struct ntreg_value_list) + (nr_values - 1) * sizeof (uint32_t);
- size_t vallist_offs = allocate_block (h, seg_len, nul_id);
- if (vallist_offs == 0)
- return -1;
-
- struct ntreg_nk_record *nk = (struct ntreg_nk_record *) (h->addr + node);
- nk->nr_values = htole32 (nr_values);
- nk->vallist = htole32 (vallist_offs - 0x1000);
-
- struct ntreg_value_list *vallist =
- (struct ntreg_value_list *) (h->addr + vallist_offs);
-
- size_t i;
- for (i = 0; i < nr_values; ++i) {
- /* Allocate vk record to store this (key, value) pair. */
- static const char vk_id[2] = { 'v', 'k' };
- seg_len = sizeof (struct ntreg_vk_record) + strlen (values[i].key);
- size_t vk_offs = allocate_block (h, seg_len, vk_id);
- if (vk_offs == 0)
- return -1;
-
- vallist->offset[i] = htole32 (vk_offs - 0x1000);
-
- struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + vk_offs);
- size_t name_len = strlen (values[i].key);
- vk->name_len = htole16 (name_len);
- strcpy (vk->name, values[i].key);
- vk->data_type = htole32 (values[i].t);
- uint32_t len = values[i].len;
- if (len <= 4) /* store it inline => set MSB flag */
- len |= 0x80000000;
- vk->data_len = htole32 (len);
- vk->flags = name_len == 0 ? 0 : 1;
-
- if (values[i].len <= 4) /* store it inline */
- memcpy (&vk->data_offset, values[i].value, values[i].len);
- else {
- size_t offs = allocate_block (h, values[i].len + 4, nul_id);
- if (offs == 0)
- return -1;
- memcpy (h->addr + offs + 4, values[i].value, values[i].len);
- vk->data_offset = htole32 (offs - 0x1000);
- }
-
- if (name_len * 2 > le32toh (nk->max_vk_name_len))
- /* * 2 for UTF16-LE "reencoding" */
- nk->max_vk_name_len = htole32 (name_len * 2);
- if (values[i].len > le32toh (nk->max_vk_data_len))
- nk->max_vk_data_len = htole32 (values[i].len);
- }
-
- return 0;
-}
diff --git a/hivex/hivex.h b/hivex/hivex.h
deleted file mode 100644
index f4ce8340..00000000
--- a/hivex/hivex.h
+++ /dev/null
@@ -1,131 +0,0 @@
-/* hivex - Windows Registry "hive" extraction library.
- * Copyright (C) 2009 Red Hat Inc.
- * Derived from code by Petter Nordahl-Hagen under a compatible license:
- * Copyright (c) 1997-2007 Petter Nordahl-Hagen.
- * Derived from code by Markus Stephany under a compatible license:
- * Copyright (c)2000-2004, Markus Stephany.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation;
- * version 2.1 of the License.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * See file LICENSE for the full license.
- */
-
-#ifndef HIVEX_H_
-#define HIVEX_H_
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* NOTE: This API is documented in the man page hivex(3). */
-
-typedef struct hive_h hive_h;
-typedef size_t hive_node_h;
-typedef size_t hive_value_h;
-
-enum hive_type {
- /* Just a key without a value. */
- hive_t_none = 0,
-
- /* A UTF-16 Windows string. */
- hive_t_string = 1,
-
- /* A UTF-16 Windows string that contains %env% (environment variable
- * substitutions).
- */
- hive_t_expand_string = 2,
-
- /* A blob of binary. */
- hive_t_binary = 3,
-
- /* Two ways to encode DWORDs (32 bit words). The first is little-endian. */
- hive_t_dword = 4,
- hive_t_dword_be = 5,
-
- /* Symbolic link, we think to another part of the registry tree. */
- hive_t_link = 6,
-
- /* Multiple UTF-16 Windows strings, each separated by zero byte. See:
- * http://blogs.msdn.com/oldnewthing/archive/2009/10/08/9904646.aspx
- */
- hive_t_multiple_strings = 7,
-
- /* These three are unknown. */
- hive_t_resource_list = 8,
- hive_t_full_resource_description = 9,
- hive_t_resource_requirements_list = 10,
-
- /* A QWORD (64 bit word). This is stored in the file little-endian. */
- hive_t_qword = 11
-};
-
-typedef enum hive_type hive_type;
-
-/* Bitmask of flags passed to hivex_open. */
-#define HIVEX_OPEN_VERBOSE 1
-#define HIVEX_OPEN_DEBUG 2
-#define HIVEX_OPEN_MSGLVL_MASK (HIVEX_OPEN_VERBOSE|HIVEX_OPEN_DEBUG)
-#define HIVEX_OPEN_WRITE 4
-
-extern hive_h *hivex_open (const char *filename, int flags);
-extern int hivex_close (hive_h *h);
-extern hive_node_h hivex_root (hive_h *h);
-extern char *hivex_node_name (hive_h *h, hive_node_h node);
-extern hive_node_h *hivex_node_children (hive_h *h, hive_node_h node);
-extern hive_node_h hivex_node_get_child (hive_h *h, hive_node_h node, const char *name);
-extern hive_node_h hivex_node_parent (hive_h *h, hive_node_h node);
-extern hive_value_h *hivex_node_values (hive_h *h, hive_node_h node);
-extern hive_value_h hivex_node_get_value (hive_h *h, hive_node_h node, const char *key);
-extern char *hivex_value_key (hive_h *h, hive_value_h value);
-extern int hivex_value_type (hive_h *h, hive_value_h value, hive_type *t, size_t *len);
-extern char *hivex_value_value (hive_h *h, hive_value_h value, hive_type *t, size_t *len);
-extern char *hivex_value_string (hive_h *h, hive_value_h value);
-extern char **hivex_value_multiple_strings (hive_h *h, hive_value_h value);
-extern int32_t hivex_value_dword (hive_h *h, hive_value_h value);
-extern int64_t hivex_value_qword (hive_h *h, hive_value_h value);
-struct hivex_visitor {
- int (*node_start) (hive_h *, void *opaque, hive_node_h, const char *name);
- int (*node_end) (hive_h *, void *opaque, hive_node_h, const char *name);
- int (*value_string) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *str);
- int (*value_multiple_strings) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, char **argv);
- int (*value_string_invalid_utf16) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *str);
- int (*value_dword) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, int32_t);
- int (*value_qword) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, int64_t);
- int (*value_binary) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value);
- int (*value_none) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value);
- int (*value_other) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value);
- int (*value_any) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value);
-};
-
-#define HIVEX_VISIT_SKIP_BAD 1
-
-extern int hivex_visit (hive_h *h, const struct hivex_visitor *visitor, size_t len, void *opaque, int flags);
-extern int hivex_visit_node (hive_h *h, hive_node_h node, const struct hivex_visitor *visitor, size_t len, void *opaque, int flags);
-
-extern int hivex_commit (hive_h *h, const char *filename, int flags);
-extern hive_node_h hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name);
-extern int hivex_node_delete_child (hive_h *h, hive_node_h node);
-
-struct hive_set_value {
- char *key;
- hive_type t;
- size_t len;
- char *value;
-};
-typedef struct hive_set_value hive_set_value;
-
-extern int hivex_node_set_values (hive_h *h, hive_node_h node, size_t nr_values, const hive_set_value *values, int flags);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* HIVEX_H_ */
diff --git a/hivex/hivex.pod b/hivex/hivex.pod
deleted file mode 100644
index 275eb423..00000000
--- a/hivex/hivex.pod
+++ /dev/null
@@ -1,655 +0,0 @@
-=encoding utf8
-
-=head1 NAME
-
-hivex - Windows Registry "hive" extraction library
-
-=head1 SYNOPSIS
-
- hive_h *hivex_open (const char *filename, int flags);
- int hivex_close (hive_h *h);
-
-=head1 DESCRIPTION
-
-libhivex is a library for extracting the contents of Windows Registry
-"hive" files. It is designed to be secure against buggy or malicious
-registry files.
-
-Unlike many other tools in this area, it doesn't use the textual .REG
-format for output, because parsing that is as much trouble as parsing
-the original binary format. Instead it makes the file available
-through a C API, or there is a separate program to export the hive as
-XML (see L<hivexml(1)>), or to get individual keys (see
-L<hivexget(1)>).
-
-=head2 OPENING AND CLOSING A HIVE
-
-=over 4
-
-=item hive_h *hivex_open (const char *filename, int flags);
-
-Opens the hive named C<filename> for reading.
-
-Flags is an ORed list of the open flags (or C<0> if you don't
-want to pass any flags). These flags are defined:
-
-=over 4
-
-=item HIVEX_OPEN_VERBOSE
-
-Verbose messages.
-
-=item HIVEX_OPEN_DEBUG
-
-Very verbose messages, suitable for debugging problems in the library
-itself.
-
-This is also selected if the C<HIVEX_DEBUG> environment variable
-is set to 1.
-
-=item HIVEX_OPEN_WRITE
-
-Open the hive for writing. If omitted, the hive is read-only.
-
-See L</WRITING TO HIVE FILES>.
-
-=back
-
-C<hivex_open> returns a hive handle. On error this returns NULL and
-sets C<errno> to indicate the error.
-
-=item int hivex_close (hive_h *h);
-
-Close a hive handle and free all associated resources.
-
-Note that any uncommitted writes are I<not> committed by this call,
-but instead are lost. See L</WRITING TO HIVE FILES>.
-
-Returns 0 on success. On error this returns -1 and sets errno.
-
-=back
-
-=head2 NAVIGATING THE TREE OF HIVE SUBKEYS
-
-=over 4
-
-=item hive_node_h
-
-This is a node handle, an integer but opaque outside the library.
-Valid node handles cannot be 0. The library returns 0 in some
-situations to indicate an error.
-
-=item hive_node_h hivex_root (hive_h *h);
-
-Return root node of the hive. All valid registries must contain
-a root node.
-
-On error this returns 0 and sets errno.
-
-=item char *hivex_node_name (hive_h *h, hive_node_h node);
-
-Return the name of the node. The name is reencoded as UTF-8
-and returned as a C string.
-
-The string should be freed by the caller when it is no longer needed.
-
-Note that the name of the root node is a dummy, such as
-C<$$$PROTO.HIV> (other names are possible: it seems to depend on the
-tool or program that created the hive in the first place). You can
-only know the "real" name of the root node by knowing which registry
-file this hive originally comes from, which is knowledge that is
-outside the scope of this library.
-
-On error this returns NULL and sets errno.
-
-=item hive_node_h *hivex_node_children (hive_h *h, hive_node_h node);
-
-Return a 0-terminated array of nodes which are the subkeys
-(children) of C<node>.
-
-The array should be freed by the caller when it is no longer needed.
-
-On error this returns NULL and sets errno.
-
-=item hive_node_h hivex_node_get_child (hive_h *h, hive_node_h node, const char *name);
-
-Return the child of node with the name C<name>, if it exists.
-
-The name is matched case insensitively.
-
-If the child node does not exist, this returns 0 without
-setting errno.
-
-On error this returns 0 and sets errno.
-
-=item hive_node_h hivex_node_parent (hive_h *h, hive_node_h node);
-
-Return the parent of C<node>.
-
-On error this returns 0 and sets errno.
-
-The parent pointer of the root node in registry files that we
-have examined seems to be invalid, and so this function will
-return an error if called on the root node.
-
-=back
-
-=head2 GETTING VALUES AT A NODE
-
-The enum below describes the possible types for the value(s)
-stored at each node.
-
- enum hive_type {
- hive_t_none = 0,
- hive_t_string = 1,
- hive_t_expand_string = 2,
- hive_t_binary = 3,
- hive_t_dword = 4,
- hive_t_dword_be = 5,
- hive_t_link = 6,
- hive_t_multiple_strings = 7,
- hive_t_resource_list = 8,
- hive_t_full_resource_description = 9,
- hive_t_resource_requirements_list = 10,
- hive_t_qword = 11
- };
-
-=over 4
-
-=item hive_value_h
-
-This is a value handle, an integer but opaque outside the library.
-Valid value handles cannot be 0. The library returns 0 in some
-situations to indicate an error.
-
-=item hive_value_h *hivex_node_values (hive_h *h, hive_node_h node);
-
-Return the 0-terminated array of (key, value) pairs attached to
-this node.
-
-The array should be freed by the caller when it is no longer needed.
-
-On error this returns NULL and sets errno.
-
-=item hive_value_h hivex_node_get_value (hive_h *h, hive_node_h node, const char *key);
-
-Return the value attached to this node which has the name C<key>,
-if it exists.
-
-The key name is matched case insensitively.
-
-Note that to get the default key, you should pass the empty
-string C<""> here. The default key is often written C<"@">, but
-inside hives that has no meaning and won't give you the
-default key.
-
-If no such key exists, this returns 0 and does not set errno.
-
-On error this returns 0 and sets errno.
-
-=item char *hivex_value_key (hive_h *h, hive_value_h value);
-
-Return the key (name) of a (key, value) pair. The name
-is reencoded as UTF-8 and returned as a C string.
-
-The string should be freed by the caller when it is no longer needed.
-
-Note that this function can return a zero-length string. In the
-context of Windows Registries, this means that this value is the
-default key for this node in the tree. This is usually written
-as C<"@">.
-
-On error this returns NULL and sets errno.
-
-=item int hivex_value_type (hive_h *h, hive_value_h value, hive_type *t, size_t *len);
-
-Return the data type and length of the value in this (key, value)
-pair. See also C<hivex_value_value> which returns all this
-information, and the value itself. Also, C<hivex_value_*> functions
-below which can be used to return the value in a more useful form when
-you know the type in advance.
-
-Returns 0 on success. On error this returns -1 and sets errno.
-
-=item char *hivex_value_value (hive_h *h, hive_value_h value, hive_type *t, size_t *len);
-
-Return the value of this (key, value) pair. The value should
-be interpreted according to its type (see C<enum hive_type>).
-
-The value is returned in an array of bytes of length C<len>.
-
-The value should be freed by the caller when it is no longer needed.
-
-On error this returns NULL and sets errno.
-
-=item char *hivex_value_string (hive_h *h, hive_value_h value);
-
-If this value is a string, return the string reencoded as UTF-8
-(as a C string). This only works for values which have type
-C<hive_t_string>, C<hive_t_expand_string> or C<hive_t_link>.
-
-The string should be freed by the caller when it is no longer needed.
-
-On error this returns NULL and sets errno.
-
-=item char **hivex_value_multiple_strings (hive_h *h, hive_value_h value);
-
-If this value is a multiple-string, return the strings reencoded
-as UTF-8 (as a NULL-terminated array of C strings). This only
-works for values which have type C<hive_t_multiple_strings>.
-
-The string array and each string in it should be freed by the
-caller when they are no longer needed.
-
-On error this returns NULL and sets errno.
-
-=item int32_t hivex_value_dword (hive_h *h, hive_value_h value);
-
-If this value is a DWORD (Windows int32), return it. This only works
-for values which have type C<hive_t_dword> or C<hive_t_dword_be>.
-
-=item int64_t hivex_value_qword (hive_h *h, hive_value_h value);
-
-If this value is a QWORD (Windows int64), return it. This only
-works for values which have type C<hive_t_qword>.
-
-=back
-
-=head2 VISITING ALL NODES
-
-The visitor pattern is useful if you want to visit all nodes
-in the tree or all nodes below a certain point in the tree.
-
-First you set up your own C<struct hivex_visitor> with your
-callback functions.
-
-Each of these callback functions should return 0 on success or -1
-on error. If any callback returns -1, then the entire visit
-terminates immediately. If you don't need a callback function at
-all, set the function pointer to NULL.
-
- struct hivex_visitor {
- int (*node_start) (hive_h *, void *opaque, hive_node_h, const char *name);
- int (*node_end) (hive_h *, void *opaque, hive_node_h, const char *name);
- int (*value_string) (hive_h *, void *opaque, hive_node_h, hive_value_h,
- hive_type t, size_t len, const char *key, const char *str);
- int (*value_multiple_strings) (hive_h *, void *opaque, hive_node_h,
- hive_value_h, hive_type t, size_t len, const char *key, char **argv);
- int (*value_string_invalid_utf16) (hive_h *, void *opaque, hive_node_h,
- hive_value_h, hive_type t, size_t len, const char *key,
- const char *str);
- int (*value_dword) (hive_h *, void *opaque, hive_node_h, hive_value_h,
- hive_type t, size_t len, const char *key, int32_t);
- int (*value_qword) (hive_h *, void *opaque, hive_node_h, hive_value_h,
- hive_type t, size_t len, const char *key, int64_t);
- int (*value_binary) (hive_h *, void *opaque, hive_node_h, hive_value_h,
- hive_type t, size_t len, const char *key, const char *value);
- int (*value_none) (hive_h *, void *opaque, hive_node_h, hive_value_h,
- hive_type t, size_t len, const char *key, const char *value);
- int (*value_other) (hive_h *, void *opaque, hive_node_h, hive_value_h,
- hive_type t, size_t len, const char *key, const char *value);
- /* If value_any callback is not NULL, then the other value_*
- * callbacks are not used, and value_any is called on all values.
- */
- int (*value_any) (hive_h *, void *opaque, hive_node_h, hive_value_h,
- hive_type t, size_t len, const char *key, const char *value);
- };
-
-=over 4
-
-=item int hivex_visit (hive_h *h, const struct hivex_visitor *visitor, size_t len, void *opaque, int flags);
-
-Visit all the nodes recursively in the hive C<h>.
-
-C<visitor> should be a C<hivex_visitor> structure with callback
-fields filled in as required (unwanted callbacks can be set to
-NULL). C<len> must be the length of the 'visitor' struct (you
-should pass C<sizeof (struct hivex_visitor)> for this).
-
-This returns 0 if the whole recursive visit was completed
-successfully. On error this returns -1. If one of the callback
-functions returned an error than we don't touch errno. If the
-error was generated internally then we set errno.
-
-You can skip bad registry entries by setting C<flag> to
-C<HIVEX_VISIT_SKIP_BAD>. If this flag is not set, then a bad registry
-causes the function to return an error immediately.
-
-This function is robust if the registry contains cycles or
-pointers which are invalid or outside the registry. It detects
-these cases and returns an error.
-
-=item int hivex_visit_node (hive_h *h, hive_node_h node, const struct hivex_visitor *visitor, size_t len, void *opaque);
-
-Same as C<hivex_visit> but instead of starting out at the root, this
-starts at C<node>.
-
-=back
-
-=head2 WRITING TO HIVE FILES
-
-The hivex library supports making limited modifications to hive files.
-We have tried to implement this very conservatively in order to reduce
-the chance of corrupting your registry. However you should be careful
-and take back-ups, since Microsoft has never documented the hive
-format, and so it is possible there are nuances in the
-reverse-engineered format that we do not understand.
-
-To be able to modify a hive, you must pass the C<HIVEX_OPEN_WRITE>
-flag to C<hivex_open>, otherwise any write operation will return with
-errno C<EROFS>.
-
-The write operations shown below do not modify the on-disk file
-immediately. You must call C<hivex_commit> in order to write the
-changes to disk. If you call C<hivex_close> without committing then
-any writes are discarded.
-
-Hive files internally consist of a "memory dump" of binary blocks
-(like the C heap), and some of these blocks can be unused. The hivex
-library never reuses these unused blocks. Instead, to ensure
-robustness in the face of the partially understood on-disk format,
-hivex only allocates new blocks after the end of the file, and makes
-minimal modifications to existing structures in the file to point to
-these new blocks. This makes hivex slightly less disk-efficient than
-it could be, but disk is cheap, and registry modifications tend to be
-very small.
-
-When deleting nodes, it is possible that this library may leave
-unreachable live blocks in the hive. This is because certain parts of
-the hive disk format such as security (sk) records and big data (db)
-records and classname fields are not well understood (and not
-documented at all) and we play it safe by not attempting to modify
-them. Apart from wasting a little bit of disk space, it is not
-thought that unreachable blocks are a problem.
-
-=over 4
-
-=item int hivex_commit (hive_h *h, const char *filename, int flags);
-
-Commit (write) any changes which have been made.
-
-C<filename> is the new file to write. If C<filename == NULL> then we
-overwrite the original file (ie. the file name that was passed to
-C<hivex_open>). C<flags> is not used, always pass 0.
-
-Returns 0 on success. On error this returns -1 and sets errno.
-
-Note this does not close the hive handle. You can perform further
-operations on the hive after committing, including making more
-modifications. If you no longer wish to use the hive, call
-C<hivex_close> after this.
-
-=item hive_node_h hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name);
-
-Add a new child node named C<name> to the existing node C<parent>.
-The new child initially has no subnodes and contains no keys or
-values. The sk-record (security descriptor) is inherited from
-the parent.
-
-The parent must not have an existing child called C<name>, so if you
-want to overwrite an existing child, call C<hivex_node_delete_child>
-first.
-
-Returns the node handle. On error this returns 0 and sets errno.
-
-=item int hivex_node_delete_child (hive_h *h, hive_node_h node);
-
-Delete the node C<node>. All values at the node and all subnodes are
-deleted (recursively). The C<node> handle and the handles of all
-subnodes become invalid. You cannot delete the root node.
-
-Returns 0 on success. On error this returns -1 and sets errno.
-
-=item hive_set_value
-
-The typedef C<hive_set_value> is used in conjunction with the
-C<hivex_node_set_values> call described below.
-
- struct hive_set_value {
- char *key; /* key - a UTF-8 encoded ASCIIZ string */
- hive_type t; /* type of value field */
- size_t len; /* length of value field in bytes */
- char *value; /* value field */
- };
- typedef struct hive_set_value hive_set_value;
-
-To set the default value for a node, you have to pass C<key = "">.
-
-Note that the C<value> field is just treated as a list of bytes, and
-is stored directly in the hive. The caller has to ensure correct
-encoding and endianness, for example converting dwords to little
-endian.
-
-The correct type and encoding for values depends on the node and key
-in the registry, the version of Windows, and sometimes even changes
-between versions of Windows for the same key. We don't document it
-here. Often it's not documented at all.
-
-=item int hivex_node_set_values (hive_h *h, hive_node_h node, size_t nr_values, const hive_set_value *values, int flags);
-
-This call can be used to set all the (key, value) pairs stored in C<node>.
-
-C<node> is the node to modify. C<values> is an array of (key, value)
-pairs. There should be C<nr_values> elements in this array. C<flags>
-is not used, always pass 0.
-
-Any existing values stored at the node are discarded, and their
-C<hive_value_h> handles become invalid. Thus you can remove all
-values stored at C<node> by passing C<nr_values = 0>.
-
-Returns 0 on success. On error this returns -1 and sets errno.
-
-Note that this library does not offer a way to modify just a single
-key at a node. We don't implement a way to do this efficiently.
-
-=back
-
-=head3 WRITE OPERATIONS WHICH ARE NOT SUPPORTED
-
-=over 4
-
-=item *
-
-Changing the root node.
-
-=item *
-
-Creating a new hive file from scratch. This is impossible at present
-because not all fields in the header are understood.
-
-=item *
-
-Modifying or deleting single values at a node.
-
-=item *
-
-Modifying security key (sk) records or classnames.
-Previously we did not understand these records. However now they
-are well-understood and we could add support if it was required
-(but nothing much really uses them).
-
-=back
-
-=head1 THE STRUCTURE OF THE WINDOWS REGISTRY
-
-Note: To understand the relationship between hives and the common
-Windows Registry keys (like C<HKEY_LOCAL_MACHINE>) please see the
-Wikipedia page on the Windows Registry.
-
-The Windows Registry is split across various binary files, each
-file being known as a "hive". This library only handles a single
-hive file at a time.
-
-Hives are n-ary trees with a single root. Each node in the tree
-has a name.
-
-Each node in the tree (including non-leaf nodes) may have an
-arbitrary list of (key, value) pairs attached to it. It may
-be the case that one of these pairs has an empty key. This
-is referred to as the default key for the node.
-
-The (key, value) pairs are the place where the useful data is
-stored in the registry. The key is always a string (possibly the
-empty string for the default key). The value is a typed object
-(eg. string, int32, binary, etc.).
-
-=head2 RELATIONSHIP TO .REG FILES
-
-Although this library does not care about or deal with Windows reg
-files, it's useful to look at the relationship between the registry
-itself and reg files because they are so common.
-
-A reg file is a text representation of the registry, or part of the
-registry. The actual registry hives that Windows uses are binary
-files. There are a number of Windows and Linux tools that let you
-generate reg files, or merge reg files back into the registry hives.
-Notable amongst them is Microsoft's REGEDIT program (formerly known as
-REGEDT32).
-
-A typical reg file will contain many sections looking like this:
-
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Stack]
- "@"="Generic Stack"
- "TileInfo"="prop:System.FileCount"
- "TilePath"=str(2):"%systemroot%\\system32"
- "ThumbnailCutoff"=dword:00000000
- "FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
- 6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,\
- 33,00,32,00,5c,00,73,00,65,00,61,00,72,00,63,00,68,00,66,00,\
- 6f,00,6c,00,64,00,65,00,72,00,2e,00,64,00,6c,00,6c,00,2c,00,\
- 2d,00,39,00,30,00,32,00,38,00,00,00,d8
-
-Taking this one piece at a time:
-
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Stack]
-
-This is the path to this node in the registry tree. The first part,
-C<HKEY_LOCAL_MACHINE\SOFTWARE> means that this comes from a hive
-(file) called C<SOFTWARE>. C<\Classes\Stack> is the real path part,
-starting at the root node of the C<SOFTWARE> hive.
-
-Below the node name is a list of zero or more key-value pairs. Any
-interior or leaf node in the registry may have key-value pairs
-attached.
-
- "@"="Generic Stack"
-
-This is the "default key". In reality (ie. inside the binary hive)
-the key string is the empty string. In reg files this is written as
-C<@> but this has no meaning either in the hives themselves or in this
-library. The value is a string (type 1 - see C<enum hive_type>
-above).
-
- "TileInfo"="prop:System.FileCount"
-
-This is a regular (key, value) pair, with the value being a type 1
-string. Note that inside the binary file the string is likely to be
-UTF-16 encoded. This library converts to and from UTF-8 strings
-transparently.
-
- "TilePath"=str(2):"%systemroot%\\system32"
-
-The value in this case has type 2 (expanded string) meaning that some
-%...% variables get expanded by Windows. (This library doesn't know
-or care about variable expansion).
-
- "ThumbnailCutoff"=dword:00000000
-
-The value in this case is a dword (type 4).
-
- "FriendlyTypeName"=hex(2):40,00,....
-
-This value is an expanded string (type 2) represented in the reg file
-as a series of hex bytes. In this case the string appears to be a
-UTF-16 string.
-
-=head1 NOTE ON THE USE OF ERRNO
-
-Many functions in this library set errno to indicate errors. These
-are the values of errno you may encounter (this list is not
-exhaustive):
-
-=over 4
-
-=item ENOTSUP
-
-Corrupt or unsupported Registry file format.
-
-=item ENOKEY
-
-Missing root key.
-
-=item EINVAL
-
-Passed an invalid argument to the function.
-
-=item EFAULT
-
-Followed a Registry pointer which goes outside
-the registry or outside a registry block.
-
-=item ELOOP
-
-Registry contains cycles.
-
-=item ERANGE
-
-Field in the registry out of range.
-
-=item EEXIST
-
-Registry key already exists.
-
-=item EROFS
-
-Tried to write to a registry which is not opened for writing.
-
-=back
-
-=head1 ENVIRONMENT VARIABLES
-
-=over 4
-
-=item HIVEX_DEBUG
-
-Setting HIVEX_DEBUG=1 will enable very verbose messages. This is
-useful for debugging problems with the library itself.
-
-=back
-
-=head1 SEE ALSO
-
-L<hivexml(1)>,
-L<hivexget(1)>,
-L<virt-win-reg(1)>,
-L<guestfs(3)>,
-L<http://libguestfs.org/>,
-L<virt-cat(1)>,
-L<virt-edit(1)>,
-L<http://en.wikipedia.org/wiki/Windows_Registry>.
-
-=head1 AUTHORS
-
-Richard W.M. Jones (C<rjones at redhat dot com>)
-
-=head1 COPYRIGHT
-
-Copyright (C) 2009-2010 Red Hat Inc.
-
-Derived from code by Petter Nordahl-Hagen under a compatible license:
-Copyright (C) 1997-2007 Petter Nordahl-Hagen.
-
-Derived from code by Markus Stephany under a compatible license:
-Copyright (C) 2000-2004 Markus Stephany.
-
-This library is free software; you can redistribute it and/or
-modify it under the terms of the GNU Lesser General Public
-License as published by the Free Software Foundation;
-version 2.1 of the License.
-
-This library is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-Lesser General Public License for more details.
-
-See file LICENSE for the full license.
diff --git a/hivex/hivexget b/hivex/hivexget
deleted file mode 100755
index f804d0d3..00000000
--- a/hivex/hivexget
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/bin/bash -
-# Copyright (C) 2009-2010 Red Hat Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-set -e
-
-if [ $# -lt 2 -o $# -gt 3 ]; then
- echo "hivexget hivefile path [key]"
- exit 1
-fi
-
-if [ $# -eq 2 ]; then
- hivexsh <<EOF
-load $1
-cd $2
-lsval
-exit
-EOF
-else
- key=$3
- if [ "$key" = "" ]; then
- key="@"
- fi
- hivexsh <<EOF
-load $1
-cd $2
-lsval $key
-exit
-EOF
-fi
diff --git a/hivex/hivexget.pod b/hivex/hivexget.pod
deleted file mode 100644
index 4fbac132..00000000
--- a/hivex/hivexget.pod
+++ /dev/null
@@ -1,95 +0,0 @@
-=encoding utf8
-
-=head1 NAME
-
-hivexget - Get subkey from a Windows Registry binary "hive" file
-
-=head1 SYNOPSIS
-
- hivexget hivefile '\Path\To\SubKey'
-
- hivexget hivefile '\Path\To\SubKey' name
-
-=head1 DESCRIPTION
-
-I<Note:> This is a low-level tool. For a more convenient way to
-navigate the Windows Registry in Windows virtual machines, see
-L<virt-win-reg(1)>.
-
-This program navigates through a Windows Registry binary "hive"
-file and extracts I<either> all the (key, value) data pairs
-stored in that subkey I<or> just the single named data item.
-
-In the first form:
-
- hivexget hivefile '\Path\To\SubKey'
-
-C<hivefile> is some Windows Registry binary hive, and C<\Path\To\Subkey>
-is a path within that hive. I<NB> the path is relative to the top
-of this hive, and is I<not> the full path as you would use in Windows
-(eg. C<\HKEY_LOCAL_MACHINE> is not a valid path).
-
-If the subkey exists, then the output lists all data pairs under this
-subkey, in a format compatible with C<regedit> in Windows.
-
-In the second form:
-
- hivexget hivefile '\Path\To\SubKey' name
-
-C<hivefile> and path are as above. C<name> is the name of the value
-of interest (use C<@> for the default value).
-
-The corresponding data item is printed "raw" (ie. no processing or
-escaping) except:
-
-=over 4
-
-=item 1
-
-If it's a string we will convert it from Windows UTF-16 to UTF-8, if
-this conversion is possible. The string is printed with a single
-trailing newline.
-
-=item 2
-
-If it's a multiple-string value, each string is printed on a separate
-line.
-
-=item 3
-
-If it's a numeric value, it is printed as a decimal number.
-
-=back
-
-=head1 SEE ALSO
-
-L<hivex(3)>,
-L<hivexml(1)>,
-L<hivexsh(1)>,
-L<virt-win-reg(1)>,
-L<guestfs(3)>,
-L<http://libguestfs.org/>,
-L<virt-cat(1)>,
-L<virt-edit(1)>.
-
-=head1 AUTHORS
-
-Richard W.M. Jones (C<rjones at redhat dot com>)
-
-=head1 COPYRIGHT
-
-Copyright (C) 2009 Red Hat Inc.
-
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; either version 2 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along
-with this program; if not, write to the Free Software Foundation, Inc.,
-51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
diff --git a/hivex/hivexml.c b/hivex/hivexml.c
deleted file mode 100644
index 90cb22bd..00000000
--- a/hivex/hivexml.c
+++ /dev/null
@@ -1,345 +0,0 @@
-/* hivexml - Convert Windows Registry "hive" to XML file.
- * Copyright (C) 2009 Red Hat Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdint.h>
-#include <inttypes.h>
-#include <unistd.h>
-#include <errno.h>
-
-#include <libxml/xmlwriter.h>
-
-#include "hivex.h"
-
-#ifdef HAVE_GETTEXT
-#include "gettext.h"
-#define _(str) dgettext(PACKAGE, (str))
-//#define N_(str) dgettext(PACKAGE, (str))
-#else
-#define _(str) str
-//#define N_(str) str
-#endif
-
-/* Callback functions. */
-static int node_start (hive_h *, void *, hive_node_h, const char *name);
-static int node_end (hive_h *, void *, hive_node_h, const char *name);
-static int value_string (hive_h *, void *, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *str);
-static int value_multiple_strings (hive_h *, void *, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, char **argv);
-static int value_string_invalid_utf16 (hive_h *, void *, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *str);
-static int value_dword (hive_h *, void *, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, int32_t);
-static int value_qword (hive_h *, void *, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, int64_t);
-static int value_binary (hive_h *, void *, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value);
-static int value_none (hive_h *, void *, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value);
-static int value_other (hive_h *, void *, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value);
-
-static struct hivex_visitor visitor = {
- .node_start = node_start,
- .node_end = node_end,
- .value_string = value_string,
- .value_multiple_strings = value_multiple_strings,
- .value_string_invalid_utf16 = value_string_invalid_utf16,
- .value_dword = value_dword,
- .value_qword = value_qword,
- .value_binary = value_binary,
- .value_none = value_none,
- .value_other = value_other
-};
-
-#define XML_CHECK(proc, args) \
- do { \
- if ((proc args) == -1) { \
- fprintf (stderr, _("%s: failed to write XML document\n"), #proc); \
- exit (EXIT_FAILURE); \
- } \
- } while (0)
-
-int
-main (int argc, char *argv[])
-{
- setlocale (LC_ALL, "");
- bindtextdomain (PACKAGE, LOCALEBASEDIR);
- textdomain (PACKAGE);
-
- int c;
- int open_flags = 0;
- int visit_flags = 0;
-
- while ((c = getopt (argc, argv, "dk")) != EOF) {
- switch (c) {
- case 'd':
- open_flags |= HIVEX_OPEN_DEBUG;
- break;
- case 'k':
- visit_flags |= HIVEX_VISIT_SKIP_BAD;
- break;
- default:
- fprintf (stderr, "hivexml [-dk] regfile > output.xml\n");
- exit (EXIT_FAILURE);
- }
- }
-
- if (optind + 1 != argc) {
- fprintf (stderr, _("hivexml: missing name of input file\n"));
- exit (EXIT_FAILURE);
- }
-
- hive_h *h = hivex_open (argv[optind], open_flags);
- if (h == NULL) {
- perror (argv[optind]);
- exit (EXIT_FAILURE);
- }
-
- /* Note both this macro, and xmlTextWriterStartDocument leak memory. There
- * doesn't seem to be any way to recover that memory, but it's not a
- * large amount.
- */
- LIBXML_TEST_VERSION;
-
- xmlTextWriterPtr writer;
- writer = xmlNewTextWriterFilename ("/dev/stdout", 0);
- if (writer == NULL) {
- fprintf (stderr, _("xmlNewTextWriterFilename: failed to create XML writer\n"));
- exit (EXIT_FAILURE);
- }
-
- XML_CHECK (xmlTextWriterStartDocument, (writer, NULL, "utf-8", NULL));
- XML_CHECK (xmlTextWriterStartElement, (writer, BAD_CAST "hive"));
-
- if (hivex_visit (h, &visitor, sizeof visitor, writer, visit_flags) == -1) {
- perror (argv[optind]);
- exit (EXIT_FAILURE);
- }
-
- if (hivex_close (h) == -1) {
- perror (argv[optind]);
- exit (EXIT_FAILURE);
- }
-
- XML_CHECK (xmlTextWriterEndElement, (writer));
- XML_CHECK (xmlTextWriterEndDocument, (writer));
- xmlFreeTextWriter (writer);
-
- exit (EXIT_SUCCESS);
-}
-
-static int
-node_start (hive_h *h, void *writer_v, hive_node_h node, const char *name)
-{
- xmlTextWriterPtr writer = (xmlTextWriterPtr) writer_v;
- XML_CHECK (xmlTextWriterStartElement, (writer, BAD_CAST "node"));
- XML_CHECK (xmlTextWriterWriteAttribute, (writer, BAD_CAST "name", BAD_CAST name));
- return 0;
-}
-
-static int
-node_end (hive_h *h, void *writer_v, hive_node_h node, const char *name)
-{
- xmlTextWriterPtr writer = (xmlTextWriterPtr) writer_v;
- XML_CHECK (xmlTextWriterEndElement, (writer));
- return 0;
-}
-
-static void
-start_value (xmlTextWriterPtr writer,
- const char *key, const char *type, const char *encoding)
-{
- XML_CHECK (xmlTextWriterStartElement, (writer, BAD_CAST "value"));
- XML_CHECK (xmlTextWriterWriteAttribute, (writer, BAD_CAST "type", BAD_CAST type));
- if (encoding)
- XML_CHECK (xmlTextWriterWriteAttribute, (writer, BAD_CAST "encoding", BAD_CAST encoding));
- if (*key)
- XML_CHECK (xmlTextWriterWriteAttribute, (writer, BAD_CAST "key", BAD_CAST key));
- else /* default key */
- XML_CHECK (xmlTextWriterWriteAttribute, (writer, BAD_CAST "default", BAD_CAST "1"));
-}
-
-static void
-end_value (xmlTextWriterPtr writer)
-{
- XML_CHECK (xmlTextWriterEndElement, (writer));
-}
-
-static int
-value_string (hive_h *h, void *writer_v, hive_node_h node, hive_value_h value,
- hive_type t, size_t len, const char *key, const char *str)
-{
- xmlTextWriterPtr writer = (xmlTextWriterPtr) writer_v;
- const char *type;
-
- switch (t) {
- case hive_t_string: type = "string"; break;
- case hive_t_expand_string: type = "expand"; break;
- case hive_t_link: type = "link"; break;
-
- case hive_t_none:
- case hive_t_binary:
- case hive_t_dword:
- case hive_t_dword_be:
- case hive_t_multiple_strings:
- case hive_t_resource_list:
- case hive_t_full_resource_description:
- case hive_t_resource_requirements_list:
- case hive_t_qword:
- abort (); /* internal error - should not happen */
-
- default:
- type = "unknown";
- }
-
- start_value (writer, key, type, NULL);
- XML_CHECK (xmlTextWriterWriteString, (writer, BAD_CAST str));
- end_value (writer);
- return 0;
-}
-
-static int
-value_multiple_strings (hive_h *h, void *writer_v, hive_node_h node,
- hive_value_h value, hive_type t, size_t len,
- const char *key, char **argv)
-{
- xmlTextWriterPtr writer = (xmlTextWriterPtr) writer_v;
- start_value (writer, key, "string-list", NULL);
-
- size_t i;
- for (i = 0; argv[i] != NULL; ++i) {
- XML_CHECK (xmlTextWriterStartElement, (writer, BAD_CAST "string"));
- XML_CHECK (xmlTextWriterWriteString, (writer, BAD_CAST argv[i]));
- XML_CHECK (xmlTextWriterEndElement, (writer));
- }
-
- end_value (writer);
- return 0;
-}
-
-static int
-value_string_invalid_utf16 (hive_h *h, void *writer_v, hive_node_h node,
- hive_value_h value, hive_type t, size_t len,
- const char *key,
- const char *str /* original data */)
-{
- xmlTextWriterPtr writer = (xmlTextWriterPtr) writer_v;
- const char *type;
-
- switch (t) {
- case hive_t_string: type = "bad-string"; break;
- case hive_t_expand_string: type = "bad-expand"; break;
- case hive_t_link: type = "bad-link"; break;
- case hive_t_multiple_strings: type = "bad-string-list"; break;
-
- case hive_t_none:
- case hive_t_binary:
- case hive_t_dword:
- case hive_t_dword_be:
- case hive_t_resource_list:
- case hive_t_full_resource_description:
- case hive_t_resource_requirements_list:
- case hive_t_qword:
- abort (); /* internal error - should not happen */
-
- default:
- type = "unknown";
- }
-
- start_value (writer, key, type, "base64");
- XML_CHECK (xmlTextWriterWriteBase64, (writer, str, 0, len));
- end_value (writer);
-
- return 0;
-}
-
-static int
-value_dword (hive_h *h, void *writer_v, hive_node_h node, hive_value_h value,
- hive_type t, size_t len, const char *key, int32_t v)
-{
- xmlTextWriterPtr writer = (xmlTextWriterPtr) writer_v;
- start_value (writer, key, "int32", NULL);
- XML_CHECK (xmlTextWriterWriteFormatString, (writer, "%" PRIi32, v));
- end_value (writer);
- return 0;
-}
-
-static int
-value_qword (hive_h *h, void *writer_v, hive_node_h node, hive_value_h value,
- hive_type t, size_t len, const char *key, int64_t v)
-{
- xmlTextWriterPtr writer = (xmlTextWriterPtr) writer_v;
- start_value (writer, key, "int64", NULL);
- XML_CHECK (xmlTextWriterWriteFormatString, (writer, "%" PRIi64, v));
- end_value (writer);
- return 0;
-}
-
-static int
-value_binary (hive_h *h, void *writer_v, hive_node_h node, hive_value_h value,
- hive_type t, size_t len, const char *key, const char *v)
-{
- xmlTextWriterPtr writer = (xmlTextWriterPtr) writer_v;
- start_value (writer, key, "binary", "base64");
- XML_CHECK (xmlTextWriterWriteBase64, (writer, v, 0, len));
- end_value (writer);
- return 0;
-}
-
-static int
-value_none (hive_h *h, void *writer_v, hive_node_h node, hive_value_h value,
- hive_type t, size_t len, const char *key, const char *v)
-{
- xmlTextWriterPtr writer = (xmlTextWriterPtr) writer_v;
- start_value (writer, key, "none", "base64");
- if (len > 0) XML_CHECK (xmlTextWriterWriteBase64, (writer, v, 0, len));
- end_value (writer);
- return 0;
-}
-
-static int
-value_other (hive_h *h, void *writer_v, hive_node_h node, hive_value_h value,
- hive_type t, size_t len, const char *key, const char *v)
-{
- xmlTextWriterPtr writer = (xmlTextWriterPtr) writer_v;
- const char *type;
-
- switch (t) {
- case hive_t_none:
- case hive_t_binary:
- case hive_t_dword:
- case hive_t_dword_be:
- case hive_t_qword:
- case hive_t_string:
- case hive_t_expand_string:
- case hive_t_link:
- case hive_t_multiple_strings:
- abort (); /* internal error - should not happen */
-
- case hive_t_resource_list: type = "resource-list"; break;
- case hive_t_full_resource_description: type = "resource-description"; break;
- case hive_t_resource_requirements_list: type = "resource-requirements"; break;
-
- default:
- type = "unknown";
- }
-
- start_value (writer, key, type, "base64");
- if (len > 0) XML_CHECK (xmlTextWriterWriteBase64, (writer, v, 0, len));
- end_value (writer);
-
- return 0;
-}
diff --git a/hivex/hivexml.pod b/hivex/hivexml.pod
deleted file mode 100644
index d6a87b4e..00000000
--- a/hivex/hivexml.pod
+++ /dev/null
@@ -1,65 +0,0 @@
-=encoding utf8
-
-=head1 NAME
-
-hivexml - Convert Windows Registry binary "hive" into XML
-
-=head1 SYNOPSIS
-
- hivexml [-dk] hivefile > output.xml
-
-=head1 DESCRIPTION
-
-This program converts a single Windows Registry binary "hive"
-file into a self-describing XML format.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-d>
-
-Enable lots of debug messages. If you find a Registry file
-that this program cannot parse, please enable this option and
-post the complete output I<and> the Registry file in your
-bug report.
-
-=item B<-k>
-
-Keep going even if we find errors in the Registry file. This
-skips over any parts of the Registry that we cannot read.
-
-=back
-
-=head1 SEE ALSO
-
-L<hivex(3)>,
-L<hivexget(1)>,
-L<hivexsh(1)>,
-L<virt-win-reg(1)>,
-L<guestfs(3)>,
-L<http://libguestfs.org/>,
-L<virt-cat(1)>,
-L<virt-edit(1)>.
-
-=head1 AUTHORS
-
-Richard W.M. Jones (C<rjones at redhat dot com>)
-
-=head1 COPYRIGHT
-
-Copyright (C) 2009 Red Hat Inc.
-
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; either version 2 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along
-with this program; if not, write to the Free Software Foundation, Inc.,
-51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
diff --git a/hivex/hivexsh.c b/hivex/hivexsh.c
deleted file mode 100644
index 332b7739..00000000
--- a/hivex/hivexsh.c
+++ /dev/null
@@ -1,1094 +0,0 @@
-/* hivexsh - Hive shell.
- * Copyright (C) 2009 Red Hat Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdint.h>
-#include <inttypes.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <assert.h>
-#include <errno.h>
-
-#ifdef HAVE_LIBREADLINE
-#include <readline/readline.h>
-#include <readline/history.h>
-#endif
-
-#ifdef HAVE_GETTEXT
-#include "gettext.h"
-#define _(str) dgettext(PACKAGE, (str))
-//#define N_(str) dgettext(PACKAGE, (str))
-#else
-#define _(str) str
-//#define N_(str) str
-#endif
-
-#define STREQ(a,b) (strcmp((a),(b)) == 0)
-#define STRCASEEQ(a,b) (strcasecmp((a),(b)) == 0)
-#define STRNEQ(a,b) (strcmp((a),(b)) != 0)
-//#define STRCASENEQ(a,b) (strcasecmp((a),(b)) != 0)
-//#define STREQLEN(a,b,n) (strncmp((a),(b),(n)) == 0)
-//#define STRCASEEQLEN(a,b,n) (strncasecmp((a),(b),(n)) == 0)
-//#define STRNEQLEN(a,b,n) (strncmp((a),(b),(n)) != 0)
-//#define STRCASENEQLEN(a,b,n) (strncasecmp((a),(b),(n)) != 0)
-#define STRPREFIX(a,b) (strncmp((a),(b),strlen((b))) == 0)
-
-#include "c-ctype.h"
-#include "xstrtol.h"
-
-#include "hivex.h"
-#include "byte_conversions.h"
-
-#define HIVEX_MAX_VALUES 1000
-
-static int quit = 0;
-static int is_tty;
-static hive_h *h = NULL;
-static char *prompt_string = NULL; /* Normal prompt string. */
-static char *loaded = NULL; /* Basename of loaded file, if any. */
-static hive_node_h cwd; /* Current node. */
-static int open_flags = 0; /* Flags used when loading a hive file. */
-
-static void usage (void) __attribute__((noreturn));
-static void print_node_path (hive_node_h, FILE *);
-static void set_prompt_string (void);
-static void initialize_readline (void);
-static void cleanup_readline (void);
-static void add_history_line (const char *);
-static char *rl_gets (const char *prompt_string);
-static void sort_strings (char **strings, int len);
-static int get_xdigit (char c);
-static int dispatch (char *cmd, char *args);
-static int cmd_add (char *name);
-static int cmd_cd (char *path);
-static int cmd_close (char *path);
-static int cmd_commit (char *path);
-static int cmd_del (char *args);
-static int cmd_help (char *args);
-static int cmd_load (char *hivefile);
-static int cmd_ls (char *args);
-static int cmd_lsval (char *args);
-static int cmd_setval (char *args);
-
-static void
-usage (void)
-{
- fprintf (stderr, "hivexsh [-dfw] [hivefile]\n");
- exit (EXIT_FAILURE);
-}
-
-int
-main (int argc, char *argv[])
-{
- setlocale (LC_ALL, "");
- bindtextdomain (PACKAGE, LOCALEBASEDIR);
- textdomain (PACKAGE);
-
- int c;
- const char *filename = NULL;
-
- set_prompt_string ();
-
- while ((c = getopt (argc, argv, "dfw")) != EOF) {
- switch (c) {
- case 'd':
- open_flags |= HIVEX_OPEN_DEBUG;
- break;
- case 'f':
- filename = optarg;
- break;
- case 'w':
- open_flags |= HIVEX_OPEN_WRITE;
- break;
- default:
- usage ();
- }
- }
-
- if (optind < argc) {
- if (optind + 1 != argc)
- usage ();
- if (cmd_load (argv[optind]) == -1)
- exit (EXIT_FAILURE);
- }
-
- /* -f filename parameter */
- if (filename) {
- close (0);
- if (open (filename, O_RDONLY) == -1) {
- perror (filename);
- exit (EXIT_FAILURE);
- }
- }
-
- /* Main loop. */
- is_tty = isatty (0);
- initialize_readline ();
-
- if (is_tty)
- printf (_(
-"\n"
-"Welcome to hivexsh, the hivex interactive shell for examining\n"
-"Windows Registry binary hive files.\n"
-"\n"
-"Type: 'help' for help summary\n"
-" 'quit' to quit the shell\n"
-"\n"));
-
- while (!quit) {
- char *buf = rl_gets (prompt_string);
- if (!buf) {
- quit = 1;
- if (is_tty)
- printf ("\n");
- break;
- }
-
- while (*buf && c_isspace (*buf))
- buf++;
-
- /* Ignore blank line. */
- if (!*buf) continue;
-
- /* If the next character is '#' then this is a comment. */
- if (*buf == '#') continue;
-
- /* Parsing is very simple - much simpler than guestfish. This is
- * because Registry keys often contain spaces, and we don't want
- * to bother with quoting. Therefore here we just split at the
- * first whitespace into "cmd<whitespace>arg(s)". We let the
- * command decide how to deal with arg(s), if at all.
- */
- size_t len = strcspn (buf, " \t");
-
- if (len == 0) continue;
-
- char *cmd = buf;
- char *args;
-
- if (buf[len] == '\0') {
- /* This is mostly safe. Although the cmd_* functions do sometimes
- * modify args, then shouldn't do so when args is "".
- */
- args = (char *) "";
- goto got_command;
- }
-
- buf[len] = '\0';
- args = buf + len + 1 + strspn (&buf[len+1], " \t");
-
- len = strlen (args);
- while (len > 0 && c_isspace (args[len-1])) {
- args[len-1] = '\0';
- len--;
- }
-
- got_command:
- /*printf ("command: '%s' args: '%s'\n", cmd, args)*/;
- int r = dispatch (cmd, args);
- if (!is_tty && r == -1)
- exit (EXIT_FAILURE);
- }
-
- cleanup_readline ();
- free (prompt_string);
- free (loaded);
- if (h) hivex_close (h);
- exit (0);
-}
-
-/* Set the prompt string. This is called whenever it could change, eg.
- * after loading a file or changing directory.
- */
-static void
-set_prompt_string (void)
-{
- free (prompt_string);
- prompt_string = NULL;
-
- FILE *fp;
- char *ptr;
- size_t size;
- fp = open_memstream (&ptr, &size);
- if (fp == NULL) {
- perror ("open_memstream");
- exit (EXIT_FAILURE);
- }
-
- if (h) {
- assert (loaded != NULL);
- assert (cwd != 0);
-
- fputs (loaded, fp);
- print_node_path (cwd, fp);
- }
-
- fprintf (fp, "> ");
- fclose (fp);
- prompt_string = ptr;
-}
-
-/* Print the \full\path of a node. */
-static void
-print_node_path (hive_node_h node, FILE *fp)
-{
- hive_node_h root = hivex_root (h);
-
- if (node == root) {
- fputc ('\\', fp);
- return;
- }
-
- hive_node_h parent = hivex_node_parent (h, node);
- if (parent == 0) {
- fprintf (stderr, _("hivexsh: error getting parent of node %zu\n"), node);
- return;
- }
- print_node_path (parent, fp);
-
- if (parent != root)
- fputc ('\\', fp);
-
- char *name = hivex_node_name (h, node);
- if (name == NULL) {
- fprintf (stderr, _("hivexsh: error getting node name of node %zx\n"), node);
- return;
- }
-
- fputs (name, fp);
- free (name);
-}
-
-static char *line_read = NULL;
-
-static char *
-rl_gets (const char *prompt_string)
-{
-#ifdef HAVE_LIBREADLINE
-
- if (is_tty) {
- if (line_read) {
- free (line_read);
- line_read = NULL;
- }
-
- line_read = readline (prompt_string);
-
- if (line_read && *line_read)
- add_history_line (line_read);
-
- return line_read;
- }
-
-#endif /* HAVE_LIBREADLINE */
-
- static char buf[8192];
- int len;
-
- if (is_tty)
- printf ("%s", prompt_string);
- line_read = fgets (buf, sizeof buf, stdin);
-
- if (line_read) {
- len = strlen (line_read);
- if (len > 0 && buf[len-1] == '\n') buf[len-1] = '\0';
- }
-
- return line_read;
-}
-
-#ifdef HAVE_LIBREADLINE
-static char histfile[1024];
-static int nr_history_lines = 0;
-#endif
-
-static void
-initialize_readline (void)
-{
-#ifdef HAVE_LIBREADLINE
- const char *home;
-
- home = getenv ("HOME");
- if (home) {
- snprintf (histfile, sizeof histfile, "%s/.hivexsh", home);
- using_history ();
- (void) read_history (histfile);
- }
-
- rl_readline_name = "hivexsh";
-#endif
-}
-
-static void
-cleanup_readline (void)
-{
-#ifdef HAVE_LIBREADLINE
- int fd;
-
- if (histfile[0] != '\0') {
- fd = open (histfile, O_WRONLY|O_CREAT, 0644);
- if (fd == -1) {
- perror (histfile);
- return;
- }
- close (fd);
-
- (void) append_history (nr_history_lines, histfile);
- }
-#endif
-}
-
-static void
-add_history_line (const char *line)
-{
-#ifdef HAVE_LIBREADLINE
- add_history (line);
- nr_history_lines++;
-#endif
-}
-
-static int
-compare (const void *vp1, const void *vp2)
-{
- char * const *p1 = (char * const *) vp1;
- char * const *p2 = (char * const *) vp2;
- return strcasecmp (*p1, *p2);
-}
-
-static void
-sort_strings (char **strings, int len)
-{
- qsort (strings, len, sizeof (char *), compare);
-}
-
-static int
-get_xdigit (char c)
-{
- switch (c) {
- case '0'...'9': return c - '0';
- case 'a'...'f': return c - 'a' + 10;
- case 'A'...'F': return c - 'A' + 10;
- default: return -1;
- }
-}
-
-static int
-dispatch (char *cmd, char *args)
-{
- if (STRCASEEQ (cmd, "help"))
- return cmd_help (args);
- else if (STRCASEEQ (cmd, "load"))
- return cmd_load (args);
- else if (STRCASEEQ (cmd, "exit") ||
- STRCASEEQ (cmd, "q") ||
- STRCASEEQ (cmd, "quit")) {
- quit = 1;
- return 0;
- }
-
- /* If no hive file is loaded (!h) then only the small selection of
- * commands above will work.
- */
- if (!h) {
- fprintf (stderr, _("hivexsh: you must load a hive file first using 'load hivefile'\n"));
- return -1;
- }
-
- if (STRCASEEQ (cmd, "add"))
- return cmd_add (args);
- else if (STRCASEEQ (cmd, "cd"))
- return cmd_cd (args);
- else if (STRCASEEQ (cmd, "close") || STRCASEEQ (cmd, "unload"))
- return cmd_close (args);
- else if (STRCASEEQ (cmd, "commit"))
- return cmd_commit (args);
- else if (STRCASEEQ (cmd, "del"))
- return cmd_del (args);
- else if (STRCASEEQ (cmd, "ls"))
- return cmd_ls (args);
- else if (STRCASEEQ (cmd, "lsval"))
- return cmd_lsval (args);
- else if (STRCASEEQ (cmd, "setval"))
- return cmd_setval (args);
- else {
- fprintf (stderr, _("hivexsh: unknown command '%s', use 'help' for help summary\n"),
- cmd);
- return -1;
- }
-}
-
-static int
-cmd_load (char *hivefile)
-{
- if (STREQ (hivefile, "")) {
- fprintf (stderr, _("hivexsh: load: no hive file name given to load\n"));
- return -1;
- }
-
- if (h) hivex_close (h);
- h = NULL;
-
- free (loaded);
- loaded = NULL;
-
- cwd = 0;
-
- h = hivex_open (hivefile, open_flags);
- if (h == NULL) {
- fprintf (stderr,
- _(
-"hivexsh: failed to open hive file: %s: %m\n"
-"\n"
-"If you think this file is a valid Windows binary hive file (_not_\n"
-"a regedit *.reg file) then please run this command again using the\n"
-"hivexsh option '-d' and attach the complete output _and_ the hive file\n"
-"which fails into a bug report at https://bugzilla.redhat.com/\n"
-"\n"),
- hivefile);
- return -1;
- }
-
- /* Get the basename of the file for the prompt. */
- char *p = strrchr (hivefile, '/');
- if (p)
- loaded = strdup (p+1);
- else
- loaded = strdup (hivefile);
- if (!loaded) {
- perror ("strdup");
- exit (EXIT_FAILURE);
- }
-
- cwd = hivex_root (h);
-
- set_prompt_string ();
-
- return 0;
-}
-
-static int
-cmd_close (char *args)
-{
- if (STRNEQ (args, "")) {
- fprintf (stderr, _("hivexsh: '%s' command should not be given arguments\n"),
- "close");
- return -1;
- }
-
- if (h) hivex_close (h);
- h = NULL;
-
- free (loaded);
- loaded = NULL;
-
- cwd = 0;
-
- set_prompt_string ();
-
- return 0;
-}
-
-static int
-cmd_commit (char *path)
-{
- if (STREQ (path, ""))
- path = NULL;
-
- if (hivex_commit (h, path, 0) == -1) {
- perror ("hivexsh: commit");
- return -1;
- }
-
- return 0;
-}
-
-static int
-cmd_cd (char *path)
-{
- if (STREQ (path, "")) {
- print_node_path (cwd, stdout);
- fputc ('\n', stdout);
- return 0;
- }
-
- if (path[0] == '\\' && path[1] == '\\') {
- fprintf (stderr, _("%s: %s: \\ characters in path are doubled - are you escaping the path parameter correctly?\n"), "hivexsh", path);
- return -1;
- }
-
- hive_node_h new_cwd = cwd;
- hive_node_h root = hivex_root (h);
-
- if (path[0] == '\\') {
- new_cwd = root;
- path++;
- }
-
- while (path[0]) {
- size_t len = strcspn (path, "\\");
- if (len == 0) {
- path++;
- continue;
- }
-
- char *elem = path;
- path = path[len] == '\0' ? &path[len] : &path[len+1];
- elem[len] = '\0';
-
- if (len == 1 && STREQ (elem, "."))
- continue;
-
- if (len == 2 && STREQ (elem, "..")) {
- if (new_cwd != root)
- new_cwd = hivex_node_parent (h, new_cwd);
- continue;
- }
-
- errno = 0;
- new_cwd = hivex_node_get_child (h, new_cwd, elem);
- if (new_cwd == 0) {
- if (errno)
- perror ("hivexsh: cd");
- else
- fprintf (stderr, _("hivexsh: cd: subkey '%s' not found\n"),
- elem);
- return -1;
- }
- }
-
- if (new_cwd != cwd) {
- cwd = new_cwd;
- set_prompt_string ();
- }
-
- return 0;
-}
-
-static int
-cmd_help (char *args)
-{
- printf (_(
-"Navigate through the hive's keys using the 'cd' command, as if it\n"
-"contained a filesystem, and use 'ls' to list the subkeys of the\n"
-"current key. Full documentation is in the hivexsh(1) manual page.\n"));
-
- return 0;
-}
-
-static int
-cmd_ls (char *args)
-{
- if (STRNEQ (args, "")) {
- fprintf (stderr, _("hivexsh: '%s' command should not be given arguments\n"),
- "ls");
- return -1;
- }
-
- /* Get the subkeys. */
- hive_node_h *children = hivex_node_children (h, cwd);
- if (children == NULL) {
- perror ("ls");
- return -1;
- }
-
- /* Get names for each subkey. */
- size_t len;
- for (len = 0; children[len] != 0; ++len)
- ;
-
- char **names = calloc (len, sizeof (char *));
- if (names == NULL) {
- perror ("malloc");
- exit (EXIT_FAILURE);
- }
-
- int ret = -1;
- size_t i;
- for (i = 0; i < len; ++i) {
- names[i] = hivex_node_name (h, children[i]);
- if (names[i] == NULL) {
- perror ("hivex_node_name");
- goto error;
- }
- }
-
- /* Sort the names. */
- sort_strings (names, len);
-
- for (i = 0; i < len; ++i)
- printf ("%s\n", names[i]);
-
- ret = 0;
- error:
- free (children);
- for (i = 0; i < len; ++i)
- free (names[i]);
- free (names);
- return ret;
-}
-
-static int
-cmd_lsval (char *key)
-{
- if (STRNEQ (key, "")) {
- hive_value_h value;
-
- errno = 0;
- if (STREQ (key, "@")) /* default key written as "@" */
- value = hivex_node_get_value (h, cwd, "");
- else
- value = hivex_node_get_value (h, cwd, key);
-
- if (value == 0) {
- if (errno)
- goto error;
- /* else key not found */
- fprintf (stderr, _("%s: %s: key not found\n"), "hivexsh", key);
- return -1;
- }
-
- /* Print the value. */
- hive_type t;
- size_t len;
- if (hivex_value_type (h, value, &t, &len) == -1)
- goto error;
-
- switch (t) {
- case hive_t_string:
- case hive_t_expand_string:
- case hive_t_link: {
- char *str = hivex_value_string (h, value);
- if (!str)
- goto error;
-
- puts (str); /* note: this adds a single \n character */
- free (str);
- break;
- }
-
- case hive_t_dword:
- case hive_t_dword_be: {
- int32_t j = hivex_value_dword (h, value);
- printf ("%" PRIi32 "\n", j);
- break;
- }
-
- case hive_t_qword: {
- int64_t j = hivex_value_qword (h, value);
- printf ("%" PRIi64 "\n", j);
- break;
- }
-
- case hive_t_multiple_strings: {
- char **strs = hivex_value_multiple_strings (h, value);
- if (!strs)
- goto error;
- size_t j;
- for (j = 0; strs[j] != NULL; ++j) {
- puts (strs[j]);
- free (strs[j]);
- }
- free (strs);
- break;
- }
-
- case hive_t_none:
- case hive_t_binary:
- case hive_t_resource_list:
- case hive_t_full_resource_description:
- case hive_t_resource_requirements_list:
- default: {
- char *data = hivex_value_value (h, value, &t, &len);
- if (!data)
- goto error;
-
- if (fwrite (data, 1, len, stdout) != len)
- goto error;
-
- free (data);
- break;
- }
- } /* switch */
- } else {
- /* No key specified, so print all keys in this node. We do this
- * in a format which looks like the output of regedit, although
- * this isn't a particularly useful format.
- */
- hive_value_h *values;
-
- values = hivex_node_values (h, cwd);
- if (values == NULL)
- goto error;
-
- size_t i;
- for (i = 0; values[i] != 0; ++i) {
- char *key = hivex_value_key (h, values[i]);
- if (!key) goto error;
-
- if (*key) {
- putchar ('"');
- size_t j;
- for (j = 0; key[j] != 0; ++j) {
- if (key[j] == '"' || key[j] == '\\')
- putchar ('\\');
- putchar (key[j]);
- }
- putchar ('"');
- } else
- printf ("\"@\""); /* default key in regedit files */
- putchar ('=');
- free (key);
-
- hive_type t;
- size_t len;
- if (hivex_value_type (h, values[i], &t, &len) == -1)
- goto error;
-
- switch (t) {
- case hive_t_string:
- case hive_t_expand_string:
- case hive_t_link: {
- char *str = hivex_value_string (h, values[i]);
- if (!str)
- goto error;
-
- if (t != hive_t_string)
- printf ("str(%d):", t);
- putchar ('"');
- size_t j;
- for (j = 0; str[j] != 0; ++j) {
- if (str[j] == '"' || str[j] == '\\')
- putchar ('\\');
- putchar (str[j]);
- }
- putchar ('"');
- free (str);
- break;
- }
-
- case hive_t_dword:
- case hive_t_dword_be: {
- int32_t j = hivex_value_dword (h, values[i]);
- printf ("dword:%08" PRIx32, j);
- break;
- }
-
- case hive_t_qword: /* sic */
- case hive_t_none:
- case hive_t_binary:
- case hive_t_multiple_strings:
- case hive_t_resource_list:
- case hive_t_full_resource_description:
- case hive_t_resource_requirements_list:
- default: {
- unsigned char *data =
- (unsigned char *) hivex_value_value (h, values[i], &t, &len);
- if (!data)
- goto error;
-
- printf ("hex(%d):", t);
- size_t j;
- for (j = 0; j < len; ++j) {
- if (j > 0)
- putchar (',');
- printf ("%02x", data[j]);
- }
- break;
- }
- } /* switch */
-
- putchar ('\n');
- } /* for */
-
- free (values);
- }
-
- return 0;
-
- error:
- perror ("hivexsh: lsval");
- return -1;
-}
-
-static int
-cmd_setval (char *nrvals_str)
-{
- strtol_error xerr;
-
- /* Parse number of values. */
- long nrvals;
- xerr = xstrtol (nrvals_str, NULL, 0, &nrvals, "");
- if (xerr != LONGINT_OK) {
- fprintf (stderr, _("%s: %s: invalid integer parameter (%s returned %d)\n"),
- "setval", "nrvals", "xstrtol", xerr);
- return -1;
- }
- if (nrvals < 0 || nrvals > HIVEX_MAX_VALUES) {
- fprintf (stderr, _("%s: %s: integer out of range\n"),
- "setval", "nrvals");
- return -1;
- }
-
- struct hive_set_value *values =
- calloc (nrvals, sizeof (struct hive_set_value));
- if (values == NULL) {
- perror ("calloc");
- exit (EXIT_FAILURE);
- }
-
- int ret = -1;
-
- /* Read nrvals * 2 lines of input, nrvals * (key, value) pairs, as
- * explained in the man page.
- */
- int i, j;
- for (i = 0; i < nrvals; ++i) {
- /* Read key. */
- char *buf = rl_gets (" key> ");
- if (!buf) {
- fprintf (stderr, _("hivexsh: setval: unexpected end of input\n"));
- quit = 1;
- goto error;
- }
-
- /* Note that buf will be overwritten by the next call to rl_gets. */
- if (STREQ (buf, "@"))
- values[i].key = strdup ("");
- else
- values[i].key = strdup (buf);
- if (values[i].key == NULL) {
- perror ("strdup");
- exit (EXIT_FAILURE);
- }
-
- /* Read value. */
- buf = rl_gets ("value> ");
- if (!buf) {
- fprintf (stderr, _("hivexsh: setval: unexpected end of input\n"));
- quit = 1;
- goto error;
- }
-
- if (STREQ (buf, "none")) {
- values[i].t = hive_t_none;
- values[i].len = 0;
- }
- else if (STRPREFIX (buf, "string:")) {
- buf += 7;
- values[i].t = hive_t_string;
- int nr_chars = strlen (buf);
- values[i].len = 2 * (nr_chars + 1);
- values[i].value = malloc (values[i].len);
- if (!values[i].value) {
- perror ("malloc");
- exit (EXIT_FAILURE);
- }
- for (j = 0; j <= /* sic */ nr_chars; ++j) {
- if (buf[j] & 0x80) {
- fprintf (stderr, _("hivexsh: string(utf16le): only 7 bit ASCII strings are supported for input\n"));
- goto error;
- }
- values[i].value[2*j] = buf[j];
- values[i].value[2*j+1] = '\0';
- }
- }
- else if (STRPREFIX (buf, "expandstring:")) {
- buf += 13;
- values[i].t = hive_t_expand_string;
- int nr_chars = strlen (buf);
- values[i].len = 2 * (nr_chars + 1);
- values[i].value = malloc (values[i].len);
- if (!values[i].value) {
- perror ("malloc");
- exit (EXIT_FAILURE);
- }
- for (j = 0; j <= /* sic */ nr_chars; ++j) {
- if (buf[j] & 0x80) {
- fprintf (stderr, _("hivexsh: string(utf16le): only 7 bit ASCII strings are supported for input\n"));
- goto error;
- }
- values[i].value[2*j] = buf[j];
- values[i].value[2*j+1] = '\0';
- }
- }
- else if (STRPREFIX (buf, "dword:")) {
- buf += 6;
- values[i].t = hive_t_dword;
- values[i].len = 4;
- values[i].value = malloc (4);
- if (!values[i].value) {
- perror ("malloc");
- exit (EXIT_FAILURE);
- }
- long n;
- xerr = xstrtol (buf, NULL, 0, &n, "");
- if (xerr != LONGINT_OK) {
- fprintf (stderr, _("%s: %s: invalid integer parameter (%s returned %d)\n"),
- "setval", "dword", "xstrtol", xerr);
- goto error;
- }
- if (n < 0 || n > UINT32_MAX) {
- fprintf (stderr, _("%s: %s: integer out of range\n"),
- "setval", "dword");
- goto error;
- }
- uint32_t u32 = htole32 (n);
- memcpy (values[i].value, &u32, 4);
- }
- else if (STRPREFIX (buf, "qword:")) {
- buf += 6;
- values[i].t = hive_t_qword;
- values[i].len = 8;
- values[i].value = malloc (8);
- if (!values[i].value) {
- perror ("malloc");
- exit (EXIT_FAILURE);
- }
- long long n;
- xerr = xstrtoll (buf, NULL, 0, &n, "");
- if (xerr != LONGINT_OK) {
- fprintf (stderr, _("%s: %s: invalid integer parameter (%s returned %d)\n"),
- "setval", "dword", "xstrtoll", xerr);
- goto error;
- }
-#if 0
- if (n < 0 || n > UINT64_MAX) {
- fprintf (stderr, _("%s: %s: integer out of range\n"),
- "setval", "dword");
- goto error;
- }
-#endif
- uint64_t u64 = htole64 (n);
- memcpy (values[i].value, &u64, 4);
- }
- else if (STRPREFIX (buf, "hex:")) {
- /* Read the type. */
- buf += 4;
- size_t len = strcspn (buf, ":");
- char *nextbuf;
- if (buf[len] == '\0') /* "hex:t" */
- nextbuf = &buf[len];
- else { /* "hex:t:..." */
- buf[len] = '\0';
- nextbuf = &buf[len+1];
- }
-
- long t;
- xerr = xstrtol (buf, NULL, 0, &t, "");
- if (xerr != LONGINT_OK) {
- fprintf (stderr, _("%s: %s: invalid integer parameter (%s returned %d)\n"),
- "setval", "hex", "xstrtol", xerr);
- goto error;
- }
- if (t < 0 || t > UINT32_MAX) {
- fprintf (stderr, _("%s: %s: integer out of range\n"),
- "setval", "hex");
- goto error;
- }
- values[i].t = t;
-
- /* Read the hex data. */
- buf = nextbuf;
-
- /* The allocation length is an overestimate, but it doesn't matter. */
- values[i].value = malloc (1 + strlen (buf) / 2);
- if (!values[i].value) {
- perror ("malloc");
- exit (EXIT_FAILURE);
- }
- values[i].len = 0;
-
- while (*buf) {
- int c = 0;
-
- for (j = 0; *buf && j < 2; buf++) {
- if (c_isxdigit (*buf)) { /* NB: ignore non-hex digits. */
- c <<= 4;
- c |= get_xdigit (*buf);
- j++;
- }
- }
-
- if (j == 2) values[i].value[values[i].len++] = c;
- else if (j == 1) {
- fprintf (stderr, _("hivexsh: setval: trailing garbage after hex string\n"));
- goto error;
- }
- }
- }
- else {
- fprintf (stderr,
- _("hivexsh: setval: cannot parse value string, please refer to the man page hivexsh(1) for help: %s\n"),
- buf);
- goto error;
- }
- }
-
- ret = hivex_node_set_values (h, cwd, nrvals, values, 0);
-
- error:
- /* Free values array. */
- for (i = 0; i < nrvals; ++i) {
- free (values[i].key);
- free (values[i].value);
- }
- free (values);
-
- return ret;
-}
-
-static int
-cmd_del (char *args)
-{
- if (STRNEQ (args, "")) {
- fprintf (stderr, _("hivexsh: '%s' command should not be given arguments\n"),
- "del");
- return -1;
- }
-
- if (cwd == hivex_root (h)) {
- fprintf (stderr, _("hivexsh: del: the root node cannot be deleted\n"));
- return -1;
- }
-
- hive_node_h new_cwd = hivex_node_parent (h, cwd);
-
- if (hivex_node_delete_child (h, cwd) == -1) {
- perror ("hivexsh: del");
- return -1;
- }
-
- cwd = new_cwd;
- set_prompt_string ();
- return 0;
-}
-
-static int
-cmd_add (char *name)
-{
- hive_node_h node = hivex_node_add_child (h, cwd, name);
- if (node == 0) {
- perror ("hivexsh: add");
- return -1;
- }
- return 0;
-}
diff --git a/hivex/hivexsh.pod b/hivex/hivexsh.pod
deleted file mode 100644
index a31d9e0b..00000000
--- a/hivex/hivexsh.pod
+++ /dev/null
@@ -1,287 +0,0 @@
-=encoding utf8
-
-=head1 NAME
-
-hivexsh - Windows Registry hive shell
-
-=head1 SYNOPSIS
-
- hivexsh [-options] [hivefile]
-
-=head1 DESCRIPTION
-
-This program provides a simple shell for navigating Windows Registry
-'hive' files. It uses the hivex library for access to these binary
-files.
-
-Firstly you will need to provide a hive file from a Windows operating
-system. The hive files are usually located in
-C<C:\Windows\System32\Config> and have names like C<software>,
-C<system> etc (without any file extension). For more information
-about hive files, read L<hivex(3)>. For information about downloading
-files from virtual machines, read L<virt-cat(1)> and L<guestfish(1)>.
-
-You can provide the name of the hive file to examine on the command
-line. For example:
-
- hivexsh software
-
-Or you can start C<hivexsh> without any arguments, and immediately use
-the C<load> command to load a hive:
-
- $ hivexsh
-
- Welcome to hivexsh, the hivex interactive shell for examining
- Windows Registry binary hive files.
-
- Type: 'help' for help with commands
- 'quit' to quit the shell
-
- > load software
- software\>
-
-Navigate through the hive's keys using the C<cd> command, as if it
-contained a filesystem, and use C<ls> to list the subkeys of the
-current key. Other commands are listed below.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-d>
-
-Enable lots of debug messages. If you find a Registry file that this
-program cannot parse, please enable this option and post the complete
-output I<and> the Registry hive file in your bug report.
-
-=item B<-f> filename
-
-Read commands from C<filename> instead of stdin. To write a hivexsh
-script, use:
-
- #!/usr/bin/hivexsh -f
-
-=item B<-w>
-
-If this option is given, then writes are allowed to the hive
-(see L</commit> command below, and the discussion of
-modifying hives in L<hivex(3)/WRITING TO HIVE FILES>).
-
-B<Important Note:> Even if you specify this option, nothing is written
-to a hive unless you call the L</commit> command. If you exit the
-shell without committing, all changes will be discarded.
-
-If this option is not given, then write commands are disabled.
-
-=back
-
-=head1 COMMANDS
-
-=over 4
-
-=item B<add> name
-
-Add a subkey named C<name> below the current node. The name may
-contain spaces and punctuation characters, and does not need to be
-quoted.
-
-The new key will have no subkeys and no values (see C<setval>).
-
-There must be no existing subkey called C<name>, or this command will
-fail. To replace an existing subkey, delete it first like this:
-
- cd name
- del
-
-=item B<cd> path
-
-Change to the subkey C<path>. Use Windows-style backslashes to
-separate path elements, and start with a backslash in order to start
-from the root of the hive. For example:
-
- cd \Classes\*
-
-moves from the root node, to the C<Classes> node, to the C<*> node.
-If you were already at the root node, you could do this instead:
-
- cd Classes\*
-
-or even:
-
- cd Classes
- cd *
-
-Path elements (node names) are matched case insensitively, and
-characters like space, C<*>, and C<?> have I<no> special significance.
-
-C<cd ..> may be used to go to the parent directory.
-
-C<cd> without any arguments prints the current path.
-
-Be careful with C<cd \> since the readline library has an undocumented
-behaviour where it will think the final backslash is a continuation
-(it reads the next line of input and appends it). Put a single space
-after the backslash.
-
-=item B<close> | B<unload>
-
-Close the currently loaded hive.
-
-If you modified the hive, all uncommitted writes are lost when you
-call this command (or if the shell exits). You have to call C<commit>
-to write changes.
-
-=item B<commit> [newfile]
-
-Commit changes to the hive. If the optional C<newfile> parameter is
-supplied, then the hive is written to that file, else the original
-file is overwritten.
-
-Note that you have to specify the C<-w> flag, otherwise no writes are
-allowed.
-
-=item B<del>
-
-Delete the current node and everything beneath it. The current
-directory is moved up one level (as if you did C<cd ..>) after
-this command.
-
-You cannot delete the root node.
-
-=item B<exit> | B<quit>
-
-Exit the shell.
-
-=item B<load> hivefile
-
-Load the binary hive named C<hivefile>. The currently loaded hive, if
-any, is closed. The current directory is changed back to the root
-node.
-
-=item B<ls>
-
-List the subkeys of the current hive Registry key. Note this command
-does not take any arguments.
-
-=item B<lsval> [key]
-
-List the (key, value) pairs of the current hive Registry key. If no
-argument is given then all pairs are displayed. If C<key> is given,
-then the value of the named key is displayed. If C<@> is given, then
-the value of the default key is displayed.
-
-=item B<setval> nrvals
-
-This command replaces all (key, value) pairs at the current node with
-the values in subsequent input. C<nrvals> is the number of values
-(ie. (key, value) pairs), and any existing values at this node are
-deleted. So C<setval 0> just deletes any values at the current node.
-
-The command reads 2 * nrvals lines of input, with each pair of
-lines of input corresponding to a key and a value to add.
-
-For example, the following setval command replaces whatever is at the
-current node with two (key, value) pairs. The default key is set to
-the UTF16-LE-encoded string "abcd". The other value is named
-"ANumber" and is a little-endian DWORD 0x12345678.
-
- setval 2
- @
- string:abcd
- ANumber
- dword:12345678
-
-The first line of each pair is the key (the special key C<@> means
-the default key, but you can also use a blank line).
-
-The second line of each pair is the value, which has a special format
-C<type:value> with possible types summarized in the table below:
-
- none No data is stored, and the type is set to 0.
-
- string:abc "abc" is stored as a UTF16-LE-encoded
- string (type 1). Note that only 7 bit
- ASCII strings are supported as input.
-
- expandstring:... Same as string but with type 2.
-
- dword:0x01234567 A DWORD (type 4) with the hex value
- 0x01234567. You can also use decimal
- or octal numbers here.
-
- qword:0x0123456789abcdef
- A QWORD (type 11) with the hex value
- 0x0123456789abcdef. You can also use
- decimal or octal numbers here.
-
- hex:<type>:<hexbytes>
- hex:1:41,00,42,00,43,00,44,00,00,00
- This is the generic way to enter any
- value. <type> is the integer value type.
- <hexbytes> is a list of pairs of hex
- digits which are treated as bytes.
- (Any non-hex-digits here are ignored,
- so you can separate bytes with commas
- or spaces if you want).
-
-=back
-
-=head1 EXAMPLE
-
- $ guestfish --ro -i Windows7
- ><fs> download win:c:\windows\system32\config\software software
- ><fs> quit
-
- $ hivexsh software
-
- Welcome to hivexsh, the hivex interactive shell for examining
- Windows Registry binary hive files.
-
- Type: 'help' for help with commands
- 'quit' to quit the shell
-
- software\> ls
- ATI Technologies
- Classes
- Clients
- Intel
- Microsoft
- ODBC
- Policies
- RegisteredApplications
- Sonic
- Wow6432Node
- software\> quit
-
-=head1 SEE ALSO
-
-L<hivex(3)>,
-L<hivexget(1)>,
-L<hivexml(1)>,
-L<virt-win-reg(1)>,
-L<guestfs(3)>,
-L<http://libguestfs.org/>,
-L<virt-cat(1)>,
-L<virt-edit(1)>.
-
-=head1 AUTHORS
-
-Richard W.M. Jones (C<rjones at redhat dot com>)
-
-=head1 COPYRIGHT
-
-Copyright (C) 2009-2010 Red Hat Inc.
-
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; either version 2 of the License, or
-(at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along
-with this program; if not, write to the Free Software Foundation, Inc.,
-51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
diff --git a/hivex/t/Makefile.am b/hivex/t/Makefile.am
deleted file mode 100644
index 217d7caa..00000000
--- a/hivex/t/Makefile.am
+++ /dev/null
@@ -1,18 +0,0 @@
-# libguestfs
-# Copyright (C) 2009 Red Hat Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-EXTRA_DIST = minimal
diff --git a/hivex/t/README b/hivex/t/README
deleted file mode 100644
index b7e297ac..00000000
--- a/hivex/t/README
+++ /dev/null
@@ -1,9 +0,0 @@
-This directory contains tests for the hivex library.
-
-'minimal' is a valid registry containing a single root nk (with
-associated sk) which was created by chopping out everything possible
-from a Windows 2003 software hive and then doing lots of hand edits on
-the result. There is no "source" for it as such, it is just a
-hand-crafted binary blob.
-
-- Richard W.M. Jones 2010-01-23.
diff --git a/hivex/t/minimal b/hivex/t/minimal
deleted file mode 100755
index 3f4ee58c..00000000
--- a/hivex/t/minimal
+++ /dev/null
Binary files differ
diff --git a/hivex/tools/Makefile.am b/hivex/tools/Makefile.am
deleted file mode 100644
index bd8e9861..00000000
--- a/hivex/tools/Makefile.am
+++ /dev/null
@@ -1,56 +0,0 @@
-# libguestfs
-# Copyright (C) 2009 Red Hat Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-# OCaml Windows Registry visualizer. This was used while reverse
-# engineering the hive format, and is not normally compiled. If you
-# do with to compile it, you'll need ocaml-bitstring-devel and
-# ocaml-extlib-devel. Also you'll need a collection of hive files
-# from Windows machines to experiment with.
-#
-# We use '-w y' (disable unused variable warnings) because these
-# warnings aren't very reliable with heavily preprocessed code like
-# that produced by bitstring.
-
-EXTRA_DIST = \
- visualizer.ml \
- visualizer_utils.ml \
- visualizer_NT_time.ml \
- clearheaderfields.ml \
- fillemptyhbins.ml \
- truncatefile.ml \
- counter.mli \
- counter.ml
-
-visualizer.opt: counter.mli counter.ml visualizer_utils.ml visualizer_NT_time.ml visualizer.ml
- ocamlfind ocamlopt -w y \
- -package bitstring,bitstring.syntax,extlib \
- -syntax camlp4 -linkpkg $^ -o $@
-
-fillemptyhbins.opt: fillemptyhbins.ml
- ocamlfind ocamlopt -w y \
- -package bitstring,bitstring.syntax,extlib \
- -syntax camlp4 -linkpkg $^ -o $@
-
-clearheaderfields.opt: visualizer_utils.ml clearheaderfields.ml
- ocamlfind ocamlopt -w y \
- -package bitstring,bitstring.syntax,extlib \
- -syntax camlp4 -linkpkg $^ -o $@
-
-truncatefile.opt: visualizer_utils.ml truncatefile.ml
- ocamlfind ocamlopt -w y \
- -package bitstring,bitstring.syntax,extlib \
- -syntax camlp4 -linkpkg $^ -o $@
diff --git a/hivex/tools/clearheaderfields.ml b/hivex/tools/clearheaderfields.ml
deleted file mode 100644
index d0555532..00000000
--- a/hivex/tools/clearheaderfields.ml
+++ /dev/null
@@ -1,112 +0,0 @@
-(* Windows Registry reverse-engineering tool.
- * Copyright (C) 2010 Red Hat Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *)
-
-open Bitstring
-open ExtString
-open Printf
-open Visualizer_utils
-
-let () =
- if Array.length Sys.argv <> 2 then (
- eprintf "Error: missing argument.
-Usage: %s hivefile
-" Sys.executable_name;
- exit 1
- )
-
-let filename = Sys.argv.(1)
-
-(* Load the file. *)
-let bits = bitstring_of_file filename
-
-(* Split into header + data at the 4KB boundary. *)
-let header, data = takebits (4096 * 8) bits, dropbits (4096 * 8) bits
-
-(* Read the header fields. *)
-let seq, last_modified, major, minor, unknown1, unknown2,
- root_key, end_pages, unknown3, fname =
- bitmatch header with
- | { "regf" : 4*8 : string;
- seq1 : 4*8 : littleendian;
- seq2 : 4*8 : littleendian;
- last_modified : 64 : bitstring;
- major : 4*8 : littleendian;
- minor : 4*8 : littleendian;
- unknown1 : 4*8 : littleendian;
- unknown2 : 4*8 : littleendian;
- root_key : 4*8 : littleendian;
- end_pages : 4*8 : littleendian;
- unknown3 : 4*8 : littleendian;
- fname : 64*8 : string;
- unknownguid1 : 16*8 : bitstring;
- unknownguid2 : 16*8 : bitstring;
- unknown4 : 4*8 : littleendian;
- unknownguid3 : 16*8 : bitstring;
- unknown5 : 4*8 : string;
- unknown6 : 340*8 : bitstring;
- csum : 4*8
- : littleendian, save_offset_to (crc_offset),
- check (assert (crc_offset = 0x1fc * 8); true);
- unknown7 : (0x1000-0x200)*8 : bitstring } ->
- seq1, last_modified, major, minor, unknown1, unknown2,
- root_key, end_pages, unknown3, fname
- | {_} -> assert false
-
-(* Create a new header, but with unknown fields cleared. Do it in
- * two parts, first creating everything up to the checksum, then
- * calculating the checksum and appending checksum and the final
- * field.
- *)
-let header =
- let zeroguid = zeroes_bitstring (16*8) in
- let before_csum =
- BITSTRING {
- "regf" : 4*8 : string;
- seq : 4*8 : littleendian;
- seq : 4*8 : littleendian;
- last_modified : 64 : bitstring;
- major : 4*8 : littleendian;
- minor : 4*8 : littleendian;
- unknown1 : 4*8 : littleendian;
- unknown2 : 4*8 : littleendian;
- root_key : 4*8 : littleendian;
- end_pages : 4*8 : littleendian;
- unknown3 : 4*8 : littleendian;
- fname : 64*8 : string;
- zeroguid : 16*8 : bitstring;
- zeroguid : 16*8 : bitstring;
- 0_l : 4*8 : littleendian;
- zeroguid : 16*8 : bitstring;
- 0_l : 4*8 : littleendian;
- zeroes_bitstring (340*8) : 340*8 : bitstring
- } in
- assert (bitstring_length before_csum = 0x1fc * 8);
- let csum = bitstring_fold_left_int32_le Int32.logxor 0_l before_csum in
- let csum_and_after =
- BITSTRING {
- csum : 4*8 : littleendian;
- zeroes_bitstring ((0x1000-0x200)*8) : (0x1000-0x200)*8 : bitstring
- } in
- let new_header = concat [before_csum; csum_and_after] in
- assert (bitstring_length header = bitstring_length new_header);
- new_header
-
-(* Write it. *)
-let () =
- let file = concat [header; data] in
- bitstring_to_file file filename
diff --git a/hivex/tools/counter.ml b/hivex/tools/counter.ml
deleted file mode 100644
index 2e44c653..00000000
--- a/hivex/tools/counter.ml
+++ /dev/null
@@ -1,86 +0,0 @@
-(* Basic counting module.
-
- Copyright (C) 2006 Merjis Ltd.
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Lesser General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public
- License along with this library; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-*)
-
-type 'a t = ('a, int ref) Hashtbl.t
-
-let create () =
- Hashtbl.create 13
-
-let get_ref counter thing =
- try
- Hashtbl.find counter thing
- with
- Not_found ->
- let r = ref 0 in
- Hashtbl.add counter thing r;
- r
-
-let incr counter thing =
- let r = get_ref counter thing in
- incr r
-
-let decr counter thing =
- let r = get_ref counter thing in
- decr r
-
-let add counter thing n =
- let r = get_ref counter thing in
- r := !r + n
-
-let sub counter thing n =
- let r = get_ref counter thing in
- r := !r - n
-
-let set counter thing n =
- let r = get_ref counter thing in
- r := n
-
-(* Don't use get_ref, to avoid unnecessarily creating 'ref 0's. *)
-let get counter thing =
- try
- !(Hashtbl.find counter thing)
- with
- Not_found -> 0
-
-(* This is a common pair of operations, worth optimising. *)
-let incr_get counter thing =
- let r = get_ref counter thing in
- Pervasives.incr r;
- !r
-
-let zero = Hashtbl.remove
-
-let read counter =
- let counts =
- Hashtbl.fold (
- fun thing r xs ->
- let r = !r in
- if r <> 0 then (r, thing) :: xs
- else xs
- ) counter [] in
- List.sort (fun (a, _) (b, _) -> compare (b : int) (a : int)) counts
-
-let length = Hashtbl.length
-
-let total counter =
- let total = ref 0 in
- Hashtbl.iter (fun _ r -> total := !total + !r) counter;
- !total
-
-let clear = Hashtbl.clear
diff --git a/hivex/tools/counter.mli b/hivex/tools/counter.mli
deleted file mode 100644
index 87610b59..00000000
--- a/hivex/tools/counter.mli
+++ /dev/null
@@ -1,69 +0,0 @@
-(** Basic counting module.
-
- Copyright (C) 2006 Merjis Ltd.
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Lesser General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public
- License along with this library; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-*)
-
-type 'a t
-(** Count items of type ['a]. *)
-
-val create : unit -> 'a t
-(** Create a new counter. *)
-
-val incr : 'a t -> 'a -> unit
-(** [incr counter thing] adds one to the count of [thing]s in [counter]. *)
-
-val decr : 'a t -> 'a -> unit
-(** [decr counter thing] subtracts one to the count of [thing]s in [counter]. *)
-
-val add : 'a t -> 'a -> int -> unit
-(** [add counter thing n] adds [n] to the count of [thing]s in [counter]. *)
-
-val sub : 'a t -> 'a -> int -> unit
-(** [sub counter thing n] subtracts [n] to the count of [thing]s in [counter]. *)
-
-val set : 'a t -> 'a -> int -> unit
-(** [set counter thing n] sets the count of [thing]s to [n]. *)
-
-val get : 'a t -> 'a -> int
-(** [get counter thing] returns the count of [thing]s. (Returns 0 for
- * [thing]s which have not been added.
- *)
-
-val incr_get : 'a t -> 'a -> int
-(** Faster form of {!Counter.incr} followed by {!Counter.get}. *)
-
-val zero : 'a t -> 'a -> unit
-(** [zero counter thing] sets the count of [thing]s to 0.
- * See also {!Counter.clear}.
- *)
-
-val read : 'a t -> (int * 'a) list
-(** [read counter] reads the frequency of each thing. They are sorted
- * with the thing appearing most frequently first. Only things occurring
- * non-zero times are returned.
- *)
-
-val length : 'a t -> int
-(** Return the number of distinct things. See also {!Counter.total} *)
-
-val total : 'a t -> int
-(** Return the number of things counted (the total number of counts).
- * See also {!Counter.length}
- *)
-
-val clear : 'a t -> unit
-(** [clear counter] zeroes all counts. *)
diff --git a/hivex/tools/fillemptyhbins.ml b/hivex/tools/fillemptyhbins.ml
deleted file mode 100644
index 14eae963..00000000
--- a/hivex/tools/fillemptyhbins.ml
+++ /dev/null
@@ -1,74 +0,0 @@
-(* Windows Registry reverse-engineering tool.
- * Copyright (C) 2010 Red Hat Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *)
-
-open Bitstring
-open ExtString
-open Printf
-
-let () =
- if Array.length Sys.argv <> 3 then (
- eprintf "Error: missing argument.
-Usage: %s hivefile startoffset
-" Sys.executable_name;
- exit 1
- )
-
-let filename = Sys.argv.(1)
-let offset = int_of_string Sys.argv.(2)
-
-(* Load the file. *)
-let bits = bitstring_of_file filename
-
-(* Split into header + data at the 4KB boundary. *)
-let header, data = takebits (4096 * 8) bits, dropbits (4096 * 8) bits
-
-(* Overwrite everything after @offset, so ... *)
-let nrpages = (bitstring_length data / 8 - offset) / 4096
-let data = takebits (offset * 8) data
-
-(* Create the empty pages. They're not all the same because each
- * page contains its own page_offset.
- *)
-let pages =
- let noblock =
- let seg_len = 4096 - 32 in
- let zeroes = zeroes_bitstring ((seg_len - 4) * 8) in
- BITSTRING {
- Int32.of_int seg_len : 4*8 : littleendian;
- zeroes : (seg_len - 4) * 8 : bitstring
- } in
- let zeroes = zeroes_bitstring (20*8) in
- let rec loop page_offset i =
- if i < nrpages then (
- let page =
- BITSTRING {
- "hbin" : 4*8 : string;
- Int32.of_int page_offset : 4*8 : littleendian;
- 4096_l : 4*8 : littleendian; (* page length *)
- zeroes : 20*8 : bitstring;
- noblock : (4096 - 32) * 8 : bitstring
- } in
- page :: loop (page_offset + 4096) (i+1)
- ) else []
- in
- loop offset 0
-
-(* Write it. *)
-let () =
- let file = concat (header :: data :: pages) in
- bitstring_to_file file filename
diff --git a/hivex/tools/truncatefile.ml b/hivex/tools/truncatefile.ml
deleted file mode 100644
index b519f7a5..00000000
--- a/hivex/tools/truncatefile.ml
+++ /dev/null
@@ -1,112 +0,0 @@
-(* Windows Registry reverse-engineering tool.
- * Copyright (C) 2010 Red Hat Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *)
-
-open Bitstring
-open ExtString
-open Printf
-open Visualizer_utils
-
-let () =
- if Array.length Sys.argv <> 3 then (
- eprintf "Error: missing argument.
-Usage: %s hivefile endpages
-" Sys.executable_name;
- exit 1
- )
-
-let filename = Sys.argv.(1)
-let new_end_pages = int_of_string Sys.argv.(2)
-
-(* Load the file. *)
-let bits = bitstring_of_file filename
-
-(* Split into header + data at the 4KB boundary. *)
-let header, data = takebits (4096 * 8) bits, dropbits (4096 * 8) bits
-
-(* Truncate the file data. *)
-let data = takebits (new_end_pages * 8) data
-
-(* Read the header fields. *)
-let seq, last_modified, major, minor, unknown1, unknown2,
- root_key, end_pages, unknown3, fname =
- bitmatch header with
- | { "regf" : 4*8 : string;
- seq1 : 4*8 : littleendian;
- seq2 : 4*8 : littleendian;
- last_modified : 64 : bitstring;
- major : 4*8 : littleendian;
- minor : 4*8 : littleendian;
- unknown1 : 4*8 : littleendian;
- unknown2 : 4*8 : littleendian;
- root_key : 4*8 : littleendian;
- end_pages : 4*8 : littleendian;
- unknown3 : 4*8 : littleendian;
- fname : 64*8 : string;
- unknownguid1 : 16*8 : bitstring;
- unknownguid2 : 16*8 : bitstring;
- unknown4 : 4*8 : littleendian;
- unknownguid3 : 16*8 : bitstring;
- unknown5 : 4*8 : string;
- unknown6 : 340*8 : bitstring;
- csum : 4*8
- : littleendian, save_offset_to (crc_offset),
- check (assert (crc_offset = 0x1fc * 8); true);
- unknown7 : (0x1000-0x200)*8 : bitstring } ->
- seq1, last_modified, major, minor, unknown1, unknown2,
- root_key, end_pages, unknown3, fname
- | {_} -> assert false
-
-(* Create a new header, with endpages updated. *)
-let header =
- let zeroguid = zeroes_bitstring (16*8) in
- let before_csum =
- BITSTRING {
- "regf" : 4*8 : string;
- seq : 4*8 : littleendian;
- seq : 4*8 : littleendian;
- last_modified : 64 : bitstring;
- major : 4*8 : littleendian;
- minor : 4*8 : littleendian;
- unknown1 : 4*8 : littleendian;
- unknown2 : 4*8 : littleendian;
- root_key : 4*8 : littleendian;
- Int32.of_int new_end_pages : 4*8 : littleendian;
- unknown3 : 4*8 : littleendian;
- fname : 64*8 : string;
- zeroguid : 16*8 : bitstring;
- zeroguid : 16*8 : bitstring;
- 0_l : 4*8 : littleendian;
- zeroguid : 16*8 : bitstring;
- 0_l : 4*8 : littleendian;
- zeroes_bitstring (340*8) : 340*8 : bitstring
- } in
- assert (bitstring_length before_csum = 0x1fc * 8);
- let csum = bitstring_fold_left_int32_le Int32.logxor 0_l before_csum in
- let csum_and_after =
- BITSTRING {
- csum : 4*8 : littleendian;
- zeroes_bitstring ((0x1000-0x200)*8) : (0x1000-0x200)*8 : bitstring
- } in
- let new_header = concat [before_csum; csum_and_after] in
- assert (bitstring_length header = bitstring_length new_header);
- new_header
-
-(* Write it. *)
-let () =
- let file = concat [header; data] in
- bitstring_to_file file filename
diff --git a/hivex/tools/visualizer.ml b/hivex/tools/visualizer.ml
deleted file mode 100644
index 5b7ac79d..00000000
--- a/hivex/tools/visualizer.ml
+++ /dev/null
@@ -1,984 +0,0 @@
-(* Windows Registry reverse-engineering tool.
- * Copyright (C) 2010 Red Hat Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * For existing information on the registry format, please refer
- * to the following documents. Note they are both incomplete
- * and inaccurate in some respects.
- *
- * http://www.sentinelchicken.com/data/TheWindowsNTRegistryFileFormat.pdf
- * http://pogostick.net/~pnh/ntpasswd/WinReg.txt
- *)
-
-open Bitstring
-open ExtString
-open Printf
-open Visualizer_utils
-open Visualizer_NT_time
-
-let () =
- if Array.length Sys.argv <> 2 then (
- eprintf "Error: missing argument.
-Usage: %s hivefile > out
-where
- 'hivefile' is the input hive file from a Windows machine
- 'out' is an output file where we will write all the keys,
- values etc for extended debugging purposes.
-Errors, inconsistencies and unexpected fields in the hive file
-are written to stderr.
-" Sys.executable_name;
- exit 1
- )
-
-let filename = Sys.argv.(1)
-let basename = Filename.basename filename
-
-(* Load the file. *)
-let bits = bitstring_of_file filename
-
-(* Split into header + data at the 4KB boundary. *)
-let header, data = takebits (4096 * 8) bits, dropbits (4096 * 8) bits
-
-(* Define a persistent pattern which matches the header fields. By
- * using persistent patterns, we can reuse them later in the
- * program.
- *)
-let bitmatch header_fields =
- { "regf" : 4*8 : string;
- seq1 : 4*8 : littleendian;
- seq2 : 4*8 : littleendian;
- last_modified : 64
- : littleendian, bind (nt_to_time_t last_modified);
- major : 4*8 : littleendian;
- minor : 4*8 : littleendian;
-
- (* "Type". Contains 0. *)
- unknown1 : 4*8 : littleendian;
-
- (* "Format". Contains 1. *)
- unknown2 : 4*8 : littleendian;
-
- root_key : 4*8
- : littleendian, bind (get_offset root_key);
- end_pages : 4*8
- : littleendian, bind (get_offset end_pages);
-
- (* "Cluster". Contains 1. *)
- unknown3 : 4*8 : littleendian;
-
- filename : 64*8 : string;
-
- (* All three GUIDs here confirmed in Windows 7 registries. In
- * Windows <= 2003 these GUID fields seem to contain junk.
- *
- * If you write zeroes to the GUID fields, load and unload in Win7
- * REGEDIT, then Windows 7 writes some random GUIDs.
- *
- * Also (on Win7) unknownguid1 == unknownguid2. unknownguid3 is
- * different.
- *)
- unknownguid1 : 16*8 : bitstring;
- unknownguid2 : 16*8 : bitstring;
-
- (* Wrote zero to unknown4, loaded and unloaded it in Win7 REGEDIT,
- * and it still contained zero. In existing registries it seems to
- * contain random junk.
- *)
- unknown4 : 4*8 : littleendian;
- unknownguid3 : 16*8 : bitstring;
-
- (* If you write zero to unknown5, load and unload it in REGEDIT,
- * Windows 7 puts the string "rmtm" here. Existing registries also
- * seen containing this string. However on older Windows it can
- * be all zeroes.
- *)
- unknown5 : 4*8 : string;
-
- (* This seems to contain junk from other parts of the registry. I
- * wrote zeroes here, loaded and unloaded it in Win7 REGEDIT, and
- * it still contained zeroes.
- *)
- unknown6 : 340*8 : bitstring;
- csum : 4*8
- : littleendian, save_offset_to (crc_offset),
- check (assert (crc_offset = 0x1fc * 8); true);
- unknown7 : (0x1000-0x200)*8 : bitstring }
-
-let fprintf_header chan bits =
- bitmatch bits with
- | { :header_fields } ->
- fprintf chan
- "HD %6ld %6ld %s %ld.%ld %08lx %08lx %s %s %08lx %s %s %s %08lx %s %s %s %08lx %s\n"
- seq1 seq2 (print_time last_modified) major minor
- unknown1 unknown2
- (print_offset root_key) (print_offset end_pages)
- unknown3 (print_utf16 filename)
- (print_guid unknownguid1) (print_guid unknownguid2)
- unknown4 (print_guid unknownguid3) unknown5
- (print_bitstring unknown6)
- csum (print_bitstring unknown7)
-
-(* Parse the header and check it. *)
-let root_key, end_pages =
- bitmatch header with
- | { :header_fields } ->
- fprintf_header stdout header;
-
- if major <> 1_l then
- eprintf "HD hive file major <> 1 (major.minor = %ld.%ld)\n"
- major minor;
- if seq1 <> seq2 then
- eprintf "HD hive file sequence numbers should match (%ld <> %ld)\n"
- seq1 seq2;
- if unknown1 <> 0_l then
- eprintf "HD unknown1 field <> 0 (%08lx)\n" unknown1;
- if unknown2 <> 1_l then
- eprintf "HD unknown2 field <> 1 (%08lx)\n" unknown2;
- if unknown3 <> 1_l then
- eprintf "HD unknown3 field <> 1 (%08lx)\n" unknown3;
- if not (equals unknownguid1 unknownguid2) then
- eprintf "HD unknownguid1 <> unknownguid2 (%s, %s)\n"
- (print_guid unknownguid1) (print_guid unknownguid2);
- (* We think this is junk.
- if unknown4 <> 0_l then
- eprintf "HD unknown4 field <> 0 (%08lx)\n" unknown4;
- *)
- if unknown5 <> "rmtm" && unknown5 <> "\000\000\000\000" then
- eprintf "HD unknown5 field <> \"rmtm\" & <> zeroes (%s)\n" unknown5;
- (* We think this is junk.
- if not (is_zero_bitstring unknown6) then
- eprintf "HD unknown6 area is not zero (%s)\n"
- (print_bitstring unknown6);
- *)
- if not (is_zero_bitstring unknown7) then
- eprintf "HD unknown7 area is not zero (%s)\n"
- (print_bitstring unknown7);
-
- root_key, end_pages
- | {_} ->
- failwithf "%s: this doesn't look like a registry hive file\n" basename
-
-(* Define persistent patterns to match page and block fields. *)
-let bitmatch page_fields =
- { "hbin" : 4*8 : string;
- page_offset : 4*8
- : littleendian, bind (get_offset page_offset);
- page_size : 4*8
- : littleendian, check (Int32.rem page_size 4096_l = 0_l),
- bind (Int32.to_int page_size);
-
- (* In the first hbin in the file these fields contain something.
- * In subsequent hbins these fields are all zero.
- *
- * From existing hives (first hbin only):
- *
- * unknown1 unknown2 unknown5
- * 00 00 00 00 00 00 00 00 9C 77 3B 02 6A 7D CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 50 3A 15 07 B5 9B CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 57 86 90 D4 9A 58 CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 52 3F 90 9D CF 7C CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 E8 86 C1 17 BD 06 CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 4A 77 CE 7A CF 7C CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 E4 EA 23 FF 69 7D CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 50 13 BA 8D A2 9A CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 0E 07 93 13 BD 06 CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 9D 55 D0 B3 99 58 CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 46 AC FF 8B CF 7C CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 80 29 2D 02 6A 7D CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 90 8D 36 07 B5 9B CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 5C 9B 8B B8 6A 06 CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 85 9F BB 99 9A 58 CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 BE 3D 21 02 6A 7D CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 70 53 09 07 B5 9B CA 01 00 00 00 00
- * 00 00 00 00 00 00 00 00 5B 62 42 B6 9A 58 CA 01 00 00 00 00
- * 01 00 00 00 00 00 00 00 B2 46 9B 9E CF 7C CA 01 00 00 00 00
- * 01 00 00 00 00 00 00 00 CA 88 EE 1A BD 06 CA 01 00 00 00 00
- *
- * From the above we worked out that fields 3 and 4 are an NT
- * timestamp, which seems to be "last modified" (when REGEDIT
- * unloads a hive it updates this timestamp even if nothing
- * has been changed).
- *)
- unknown1 : 4*8 : littleendian; (* usually zero, occasionally 1 *)
- unknown2 : 4*8 : littleendian; (* always zero? *)
- last_modified : 64
- : littleendian,
- bind (if page_offset = 0 then nt_to_time_t last_modified
- else (
- assert (last_modified = 0_L);
- 0.
- )
- );
- (* The "B.D." document said this field contains the page size, but
- * this is not true. This misinformation has been copied to the
- * sentinelchicken documentation too.
- *)
- unknown5 : 4*8 : littleendian; (* always zero? *)
-
- (* Now the blocks in this page follow. *)
- blocks : (page_size - 32) * 8 : bitstring;
-
- rest : -1 : bitstring }
-
-let fprintf_page chan bits =
- bitmatch bits with
- | { :page_fields } ->
- fprintf chan "HB %s %08x %08lx %08lx %s %08lx\n"
- (print_offset page_offset)
- page_size unknown1 unknown2
- (if page_offset = 0 then print_time last_modified
- else string_of_float last_modified) unknown5
-
-let bitmatch block_fields =
- { seg_len : 4*8
- : littleendian, bind (Int32.to_int seg_len);
- block_data : (abs seg_len - 4) * 8 : bitstring;
- rest : -1 : bitstring }
-
-let fprintf_block chan block_offset bits =
- bitmatch bits with
- | { :block_fields } ->
- fprintf chan "BL %s %s %d\n"
- (print_offset block_offset)
- (if seg_len < 0 then "used" else "free")
- (if seg_len < 0 then -seg_len else seg_len)
-
-(* Iterate over the pages and blocks. In the process we will examine
- * each page (hbin) header. Also we will build block_list which is a
- * list of (block offset, length, used flag, data).
- *)
-let block_list = ref []
-let () =
- let rec loop_over_pages data data_offset =
- if data_offset < end_pages then (
- bitmatch data with
- | { rest : -1 : bitstring } when bitstring_length rest = 0 -> ()
-
- | { :page_fields } ->
- fprintf_page stdout data;
-
- assert (page_offset = data_offset);
-
- if data_offset = 0 then ( (* first hbin only *)
- if unknown1 <> 0_l then
- eprintf "HB %s unknown1 field <> 0 (%08lx)\n"
- (print_offset page_offset) unknown1;
- if unknown2 <> 0_l then
- eprintf "HB %s unknown2 field <> 0 (%08lx)\n"
- (print_offset page_offset) unknown2;
- if unknown5 <> 0_l then
- eprintf "HB %s unknown5 field <> 0 (%08lx)\n"
- (print_offset page_offset) unknown5
- ) else ( (* subsequent hbins *)
- if unknown1 <> 0_l || unknown2 <> 0_l || unknown5 <> 0_l then
- eprintf "HB %s unknown fields <> 0 (%08lx %08lx %08lx)\n"
- (print_offset page_offset)
- unknown1 unknown2 unknown5;
- if last_modified <> 0. then
- eprintf "HB %s last_modified <> 0. (%g)\n"
- (print_offset page_offset) last_modified
- );
-
- (* Loop over the blocks in this page. *)
- loop_over_blocks blocks (data_offset + 32);
-
- (* Loop over rest of the pages. *)
- loop_over_pages rest (data_offset + page_size)
-
- | {_} ->
- failwithf "%s: invalid hbin at offset %s\n"
- basename (print_offset data_offset)
- ) else (
- (* Reached the end of the official hbins in this file, BUT the
- * file can be larger than this and might contain stuff. What
- * does it contain after the hbins? We think just junk, but
- * we're not sure.
- *)
- if not (is_zero_bitstring data) then (
- eprintf "Junk in file after end of pages:\n";
- let rec loop data data_offset =
- bitmatch data with
- | { rest : -1 : bitstring } when bitstring_length rest = 0 -> ()
- | { :page_fields } ->
- eprintf "\tjunk hbin %s 0x%08x\n"
- (print_offset data_offset) page_size;
- loop rest (data_offset + page_size);
- | { _ } ->
- eprintf "\tother junk %s %s\n"
- (print_offset data_offset) (print_bitstring data)
- in
- loop data data_offset
- )
- )
- and loop_over_blocks blocks block_offset =
- bitmatch blocks with
- | { rest : -1 : bitstring } when bitstring_length rest = 0 -> ()
-
- | { :block_fields } ->
- assert (block_offset mod 8 = 0);
-
- fprintf_block stdout block_offset blocks;
-
- let used, seg_len =
- if seg_len < 0 then true, -seg_len else false, seg_len in
-
- let block = block_offset, (seg_len, used, block_data) in
- block_list := block :: !block_list;
-
- (* Loop over the rest of the blocks in this page. *)
- loop_over_blocks rest (block_offset + seg_len)
-
- | {_} ->
- failwithf "%s: invalid block near offset %s\n"
- basename (print_offset block_offset)
- in
- loop_over_pages data 0
-
-(* Turn the block_list into a map so we can quickly look up a block
- * from its offset.
- *)
-let block_list = !block_list
-let block_map =
- List.fold_left (
- fun map (block_offset, block) -> IntMap.add block_offset block map
- ) IntMap.empty block_list
-let lookup fn offset =
- try
- let (_, used, _) as block = IntMap.find offset block_map in
- if not used then
- failwithf "%s: %s: lookup: free block %s referenced from hive tree"
- basename fn (print_offset offset);
- block
- with Not_found ->
- failwithf "%s: %s: lookup: unknown block %s referenced from hive tree"
- basename fn (print_offset offset)
-
-(* Use this to mark blocks that we've visited. If the hive contains
- * no unreferenced blocks, then by the end this should just contain
- * free blocks.
- *)
-let mark_visited, is_not_visited, unvisited_blocks =
- let v = ref block_map in
- let mark_visited offset = v := IntMap.remove offset !v
- and is_not_visited offset = IntMap.mem offset !v
- and unvisited_blocks () = !v in
- mark_visited, is_not_visited, unvisited_blocks
-
-(* Define persistent patterns to match nk-records, vk-records and
- * sk-records, which are the record types that we especially want to
- * analyze later. Other blocks types (eg. value lists, lf-records)
- * have no "spare space" so everything is known about them and we don't
- * store these.
- *)
-let bitmatch nk_fields =
- { "nk" : 2*8 : string;
- (* Flags stored in the file as a little endian word, hence the
- * unusual ordering:
- *)
- virtmirrored : 1;
- predefinedhandle : 1; keynameascii : 1; symlinkkey : 1;
- cannotbedeleted : 1; isroot : 1; ismountpoint : 1; isvolatile : 1;
- unknownflag8000 : 1; unknownflag4000 : 1;
- unknownflag2000 : 1; unknownflag1000 : 1;
- unknownflag0800 : 1; unknownflag0400 : 1;
- virtualstore : 1; virttarget : 1;
- timestamp : 64 : littleendian, bind (nt_to_time_t timestamp);
- unknown1 : 4*8 : littleendian;
- parent : 4*8 : littleendian, bind (get_offset parent);
- nr_subkeys : 4*8 : littleendian, bind (Int32.to_int nr_subkeys);
- nr_subkeys_vol : 4*8;
- subkeys : 4*8 : littleendian, bind (get_offset subkeys);
- subkeys_vol : 4*8;
- nr_values : 4*8 : littleendian, bind (Int32.to_int nr_values);
- vallist : 4*8 : littleendian, bind (get_offset vallist);
- sk : 4*8 : littleendian, bind (get_offset sk);
- classname : 4*8 : littleendian, bind (get_offset classname);
- (* sentinelchicken.com says this is a single 32 bit field
- * containing maximum number of bytes in a subkey name, however
- * that does not seem to be correct. We think it is several
- * fields, the first being the maximum number of bytes in the
- * UTF16-LE encoded version of the subkey names, (since subkey
- * names are usually ASCII, that would be max length of names * 2).
- * This is a historical maximum, so it can be greater than the
- * current maximum name field.
- *
- * The remaining fields are often non-zero, but the purpose is
- * unknown.
- *
- * In the hives we examined the other fields had values as
- * follows:
- * userflags: 0, 2, 0xa, 0xe
- * virtcontrolflags: 0, 1
- * debug: always 0
- *)
- max_subkey_name_len : 2*8 : littleendian;
- unknown2_userflags : 4;
- unknown2_virtcontrolflags : 4;
- unknown2_debug : 8;
-
- (* sentinelchicken.com says: maximum subkey CLASSNAME length,
- * however that does not seem to be correct. In hives I looked
- * at, it has value 0, 0xc, 0x10, 0x18, 0x1a, 0x28.
- *)
- unknown3 : 4*8 : littleendian;
- (* sentinelchicken.com says: maximum number of bytes in a value
- * name, however that does not seem to be correct. We think it is
- * the maximum number of bytes in the UTF16-LE encoded version of
- * the value names (since value names are usually ASCII, that would
- * be max length of names * 2). This is a historical maximum, so
- * it can be greater than the current maximum name field.
- *)
- max_vk_name_len : 4*8 : littleendian, bind (Int32.to_int max_vk_name_len);
- (* sentinelchicken.com says: maximum value data size, and this
- * agrees with my observations. It is the largest data size (not
- * seg_len, but vk.data_len) for any value in this key. We think
- * that this field is a historical max, so eg if a maximally sized
- * value is deleted then this field is not reduced. Certainly
- * max_vk_data_len >= the measured maximum in all the hives that we
- * have observed.
- *)
- max_vk_data_len : 4*8 : littleendian, bind (Int32.to_int max_vk_data_len);
- unknown6 : 4*8 : littleendian;
- name_len : 2*8 : littleendian;
- classname_len : 2*8 : littleendian;
- name : name_len * 8 : string }
-
-let fprintf_nk chan nk =
- let (_, _, bits) = lookup "fprintf_nk" nk in
- bitmatch bits with
- | { :nk_fields } ->
- fprintf chan
- "NK %s %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s %s %08lx %s %d %ld %s %08lx %d %s %s %s %d %x %x %x %08lx %d %d %08lx %d %d %s\n"
- (print_offset nk)
- (if unknownflag8000 then "8" else ".")
- (if unknownflag4000 then "4" else ".")
- (if unknownflag2000 then "2" else ".")
- (if unknownflag1000 then "1" else ".")
- (if unknownflag0800 then "8" else ".")
- (if unknownflag0400 then "4" else ".")
- (if virtualstore then "s" else ".")
- (if virttarget then "t" else ".")
- (if virtmirrored then "m" else ".")
- (if predefinedhandle then "P" else ".")
- (if keynameascii then "A" else ".")
- (if symlinkkey then "S" else ".")
- (if cannotbedeleted then "N" else ".")
- (if isroot then "R" else ".")
- (if ismountpoint then "M" else ".")
- (if isvolatile then "V" else ".")
- (print_time timestamp)
- unknown1 (print_offset parent) nr_subkeys nr_subkeys_vol
- (print_offset subkeys) subkeys_vol
- nr_values (print_offset vallist)
- (print_offset sk) (print_offset classname)
- max_subkey_name_len
- unknown2_userflags unknown2_virtcontrolflags unknown2_debug
- unknown3 max_vk_name_len max_vk_data_len unknown6
- name_len classname_len name
-
-type data_t = Inline of bitstring | Offset of int
-let bitmatch vk_fields =
- { "vk" : 2*8 : string;
- name_len : 2*8 : littleendian;
- (* Top bit set means that the data is stored inline. In that case
- * the data length must be <= 4. The length can also be 0 (or
- * 0x80000000) if the data type is NONE.
- *)
- data_len : 4*8
- : littleendian, bind (
- let is_inline = Int32.logand data_len 0x8000_0000_l = 0x8000_0000_l in
- let data_len = Int32.to_int (Int32.logand data_len 0x7fff_ffff_l) in
- if is_inline then assert (data_len <= 4) else assert (data_len > 4);
- is_inline, data_len
- );
- (* The data itself depends on the type field.
- *
- * For REG_SZ type, the data always seems to be NUL-terminated, which
- * means because these strings are often UTF-16LE, that the string will
- * end with \0\0 bytes. The termination bytes are included in data_len.
- *
- * For REG_MULTI_SZ, see
- * http://blogs.msdn.com/oldnewthing/archive/2009/10/08/9904646.aspx
- *)
- data : 4*8
- : bitstring, bind (
- let is_inline, data_len = data_len in
- if is_inline then
- Inline (takebits (data_len*8) data)
- else (
- let offset =
- bitmatch data with { offset : 4*8 : littleendian } -> offset in
- let offset = get_offset offset in
- Offset offset
- )
- );
- t : 4*8 : littleendian, bind (Int32.to_int t);
- (* Flags, stored as a little-endian word: *)
- unknown1 : 7;
- nameisascii : 1; (* Clear for default [zero-length] name, always set
- * otherwise in registries that we found. Perhaps this
- * is really "nameisdefault" flag?
- *)
- unknown2 : 8;
- (* Unknown field, usually contains something. *)
- unknown3 : 2*8 : littleendian;
- name : name_len * 8 : string }
-
-let fprintf_vk chan vk =
- let (_, _, bits) = lookup "fprintf_vk" vk in
- bitmatch bits with
- | { :vk_fields } ->
- let real_data =
- match data with
- | Inline data -> data
- | Offset offset ->
- let (_, _, bits) = lookup "fprintf_vk (data)" offset in
- bits in
- let is_inline, data_len = data_len in
- fprintf chan "VK %s %s %s %d %s%s %s %08x %s %08x %08x\n"
- (print_offset vk)
- name (if is_inline then "inline" else "-") data_len
- (match data with
- | Inline _ -> ""
- | Offset offset -> "["^print_offset offset^"]")
- (print_bitstring real_data)
- (print_vk_type t)
- unknown1 (if nameisascii then "A" else "L")
- unknown2 unknown3
-
-let bitmatch sk_fields =
- { "sk" : 2*8 : string;
- unknown1 : 2*8 : littleendian;
- sk_next : 4*8 : littleendian, bind (get_offset sk_next);
- sk_prev : 4*8 : littleendian, bind (get_offset sk_prev);
- refcount : 4*8 : littleendian, bind (Int32.to_int refcount);
- sec_len : 4*8 : littleendian, bind (Int32.to_int sec_len);
- sec_desc : sec_len * 8 : bitstring }
-
-let fprintf_sk chan sk =
- let (_, _, bits) = lookup "fprintf_sk" sk in
- bitmatch bits with
- | { :sk_fields } ->
- fprintf chan "SK %s %04x %s %s %d %d\n"
- (print_offset sk) unknown1
- (print_offset sk_next) (print_offset sk_prev)
- refcount sec_len
- (* print_bitstring sec_desc -- suppress this *)
-
-(* Store lists of records we encounter (lists of offsets). *)
-let nk_records = ref []
-and vk_records = ref []
-and sk_records = ref []
-
-(* Functions to visit each block, starting at the root. Each block
- * that we visit is printed.
- *)
-let rec visit_nk ?(nk_is_root = false) nk =
- let (_, _, bits) = lookup "visit_nk" nk in
- mark_visited nk;
- (bitmatch bits with
- | { :nk_fields } ->
- fprintf_nk stdout nk;
-
- nk_records := nk :: !nk_records;
-
- (* Check the isroot flag is only set on the root node. *)
- assert (isroot = nk_is_root);
-
- if unknownflag8000 then
- eprintf "NK %s unknownflag8000 is set\n" (print_offset nk);
- if unknownflag4000 then
- eprintf "NK %s unknownflag4000 is set\n" (print_offset nk);
- if unknownflag2000 then
- eprintf "NK %s unknownflag2000 is set\n" (print_offset nk);
- if unknownflag1000 then
- eprintf "NK %s unknownflag1000 is set\n" (print_offset nk);
- if unknownflag0800 then
- eprintf "NK %s unknownflag0800 is set\n" (print_offset nk);
- if unknownflag0400 then
- eprintf "NK %s unknownflag0400 is set\n" (print_offset nk);
- if unknown1 <> 0_l then
- eprintf "NK %s unknown1 <> 0 (%08lx)\n" (print_offset nk) unknown1;
- if unknown2_userflags <> 0 then
- eprintf "NK %s unknown2_userflags <> 0 (%x)\n"
- (print_offset nk) unknown2_userflags;
- if unknown2_virtcontrolflags <> 0 then
- eprintf "NK %s unknown2_virtcontrolflags <> 0 (%x)\n"
- (print_offset nk) unknown2_virtcontrolflags;
- if unknown2_debug <> 0 then
- eprintf "NK %s unknown2_debug <> 0 (%x)\n"
- (print_offset nk) unknown2_debug;
- if unknown3 <> 0_l then
- eprintf "NK %s unknown3 <> 0 (%08lx)\n" (print_offset nk) unknown3;
- if unknown6 <> 0_l then
- eprintf "NK %s unknown6 <> 0 (%08lx)\n" (print_offset nk) unknown6;
-
- (* -- common, assume it's not an error
- if classname = -1 then
- eprintf "NK %s has no classname\n" (print_offset nk);
- if classname_len = 0 then
- eprintf "NK %s has zero-length classname\n" (print_offset nk);
- *)
- if sk = -1 then
- eprintf "NK %s has no sk-record\n" (print_offset nk);
- if name_len = 0 then
- eprintf "NK %s has zero-length name\n" (print_offset nk);
-
- (* Visit the values first at this node. *)
- let max_data_len, max_name_len =
- if vallist <> -1 then
- visit_vallist nr_values vallist
- else
- 0, 0 in
-
- if max_vk_data_len < max_data_len then
- eprintf "NK %s nk.max_vk_data_len (%d) < actual max data_len (%d)\n"
- (print_offset nk) max_vk_data_len max_data_len;
-
- if max_vk_name_len < max_name_len * 2 then
- eprintf "NK %s nk.max_vk_name_len (%d) < actual max name_len * 2 (%d)\n"
- (print_offset nk) max_vk_name_len (max_name_len * 2);
-
- (* Visit the subkeys of this node. *)
- if subkeys <> -1 then (
- let counted, max_name_len, _ = visit_subkeys subkeys in
-
- if counted <> nr_subkeys then
- failwithf "%s: incorrect count of subkeys (%d, counted %d) in subkey list at %s\n"
- basename nr_subkeys counted (print_offset subkeys);
-
- if max_subkey_name_len < max_name_len * 2 then
- eprintf "NK %s nk.max_subkey_name_len (%d) < actual max name_len * 2 (%d)\n"
- (print_offset nk) max_subkey_name_len (max_name_len * 2);
- );
-
- (* Visit the sk-record and classname. *)
- if sk <> -1 then
- visit_sk sk;
- if classname <> -1 then
- visit_classname classname classname_len;
-
- | {_} ->
- failwithf "%s: invalid nk block at offset %s\n"
- basename (print_offset nk)
- )
-
-and visit_vallist nr_values vallist =
- let (seg_len, _, bits) = lookup "visit_vallist" vallist in
- mark_visited vallist;
- printf "VL %s %d %d\n" (print_offset vallist) nr_values seg_len;
- visit_values_in_vallist nr_values vallist bits
-
-and visit_values_in_vallist nr_values vallist bits =
- if nr_values > 0 then (
- bitmatch bits with
- | { rest : -1 : bitstring } when bitstring_length rest = 0 ->
- assert (nr_values = 0);
- 0, 0
-
- | { value : 4*8 : littleendian, bind (get_offset value);
- rest : -1 : bitstring } ->
- let data_len, name_len = visit_vk value in
- let max_data_len, max_name_len =
- visit_values_in_vallist (nr_values-1) vallist rest in
- max max_data_len data_len, max max_name_len name_len
-
- | {_} ->
- failwithf "%s: invalid offset in value list at %s\n"
- basename (print_offset vallist)
- ) else 0, 0
-
-and visit_vk vk =
- let (_, _, bits) = lookup "visit_vk" vk in
- mark_visited vk;
-
- (bitmatch bits with
- | { :vk_fields } ->
- fprintf_vk stdout vk;
-
- let is_inline, data_len = data_len in
-
- if unknown1 <> 0 then
- eprintf "VK %s unknown1 flags set (%02x)\n"
- (print_offset vk) unknown1;
- if unknown2 <> 0 then
- eprintf "VK %s unknown2 flags set (%02x)\n"
- (print_offset vk) unknown2;
- if unknown3 <> 0 then
- eprintf "VK %s unknown3 flags set (%04x)\n"
- (print_offset vk) unknown3;
-
- (* Note this is common for default [ie. zero-length] key names. *)
- if not nameisascii && name_len > 0 then
- eprintf "VK %s has non-ASCII name flag set (name is %s)\n"
- (print_offset vk) (print_binary_string name);
-
- vk_records := vk :: !vk_records;
- (match data with
- | Inline data -> ()
- | Offset offset ->
- let _ = lookup "visit_vk (data)" offset in
- mark_visited offset
- );
-
- data_len, name_len
-
- | {_} ->
- failwithf "%s: invalid vk block at offset %s\n"
- basename (print_offset vk)
- )
-
-(* Visits subkeys, recursing through intermediate lf/lh/ri structures,
- * and returns the number of subkeys actually seen.
- *)
-and visit_subkeys subkeys =
- let (_, _, bits) = lookup "visit_subkeys" subkeys in
- mark_visited subkeys;
- (bitmatch bits with
- | { "lf" : 2*8 : string;
- len : 2*8 : littleendian; (* number of subkeys of this node *)
- rest : len*8*8 : bitstring } ->
- printf "LF %s %d\n" (print_offset subkeys) len;
- visit_subkeys_in_lf_list false subkeys len rest
-
- | { "lh" : 2*8 : string;
- len : 2*8 : littleendian; (* number of subkeys of this node *)
- rest : len*8*8 : bitstring } ->
- printf "LF %s %d\n" (print_offset subkeys) len;
- visit_subkeys_in_lf_list true subkeys len rest
-
- | { "ri" : 2*8 : string;
- len : 2*8 : littleendian;
- rest : len*4*8 : bitstring } ->
- printf "RI %s %d\n" (print_offset subkeys) len;
- visit_subkeys_in_ri_list subkeys len rest
-
- (* In theory you can have an li-record here, but we've never
- * seen one.
- *)
-
- | { "nk" : 2*8 : string } ->
- visit_nk subkeys;
- let name, name_len = name_of_nk subkeys in
- 1, name_len, name
-
- | {_} ->
- failwithf "%s: invalid subkey node found at %s\n"
- basename (print_offset subkeys)
- )
-
-and visit_subkeys_in_lf_list newstyle_hash subkeys_top len bits =
- if len > 0 then (
- bitmatch bits with
- | { rest : -1 : bitstring } when bitstring_length rest = 0 ->
- assert (len = 0);
- 0, 0, ""
-
- | { offset : 4*8 : littleendian, bind (get_offset offset);
- hash : 4*8 : bitstring;
- rest : -1 : bitstring } ->
- let c1, name_len1, name = visit_subkeys offset in
-
- check_hash offset newstyle_hash hash name;
-
- let c2, name_len2, _ =
- visit_subkeys_in_lf_list newstyle_hash subkeys_top (len-1) rest in
- c1 + c2, max name_len1 name_len2, ""
-
- | {_} ->
- failwithf "%s: invalid subkey in lf/lh list at %s\n"
- basename (print_offset subkeys_top)
- ) else 0, 0, ""
-
-and visit_subkeys_in_ri_list subkeys_top len bits =
- if len > 0 then (
- bitmatch bits with
- | { rest : -1 : bitstring } when bitstring_length rest = 0 ->
- assert (len = 0);
- 0, 0, ""
-
- | { offset : 4*8 : littleendian, bind (get_offset offset);
- rest : -1 : bitstring } ->
- let c1, name_len1, _ = visit_subkeys offset in
- let c2, name_len2, _ =
- visit_subkeys_in_ri_list subkeys_top (len-1) rest in
- c1 + c2, max name_len1 name_len2, ""
-
- | {_} ->
- failwithf "%s: invalid subkey in ri list at %s\n"
- basename (print_offset subkeys_top)
- ) else 0, 0, ""
-
-and check_hash offset newstyle_hash hash name =
- if not newstyle_hash then (
- (* Old-style lf record hash the first four bytes of the name
- * as the has.
- *)
- let len = String.length name in
- let name_bits =
- if len >= 4 then
- bitstring_of_string (String.sub name 0 4)
- else (
- let zeroes = zeroes_bitstring ((4-len)*8) in
- concat [bitstring_of_string name; zeroes]
- ) in
- if not (equals hash name_bits) then
- eprintf "LF incorrect hash for name %s, expected %s, actual %s\n"
- name (print_bitstring name_bits) (print_bitstring hash)
- ) else (
- (* New-style lh record has a proper hash. *)
- let actual = bitmatch hash with { hash : 4*8 : littleendian } -> hash in
- let h = ref 0_l in
- String.iter (
- fun c ->
- h := Int32.mul !h 37_l;
- h := Int32.add !h (Int32.of_int (Char.code (Char.uppercase c)))
- ) name;
- if actual <> !h then
- eprintf "LH incorrect hash for name %s, expected 0x%08lx, actual 0x%08lx\n"
- name !h actual
- )
-
-and name_of_nk nk =
- let (_, _, bits) = lookup "name_of_nk" nk in
- bitmatch bits with
- | { :nk_fields } -> name, name_len
-
-and visit_sk sk =
- let (_, _, bits) = lookup "visit_sk" sk in
- if is_not_visited sk then (
- mark_visited sk;
- (bitmatch bits with
- | { :sk_fields } ->
- fprintf_sk stdout sk;
-
- if unknown1 <> 0 then
- eprintf "SK %s unknown1 <> 0 (%04x)\n" (print_offset sk) unknown1;
-
- sk_records := sk :: !sk_records
-
- | {_} ->
- failwithf "%s: invalid sk-record at %s\n"
- basename (print_offset sk)
- )
- )
-
-and visit_classname classname classname_len =
- let (seg_len, _, bits) = lookup "visit_classname" classname in
- mark_visited classname;
- assert (seg_len >= classname_len);
- printf "CL %s %s\n" (print_offset classname) (print_bitstring bits)
-
-let () =
- visit_nk ~nk_is_root:true root_key
-
-(* These are immutable now. *)
-let nk_records = !nk_records
-let vk_records = !vk_records
-let sk_records = !sk_records
-
-(* So we can rapidly tell what is an nk/vk/sk offset. *)
-let nk_set =
- List.fold_left (fun set offs -> IntSet.add offs set) IntSet.empty nk_records
-let vk_set =
- List.fold_left (fun set offs -> IntSet.add offs set) IntSet.empty vk_records
-let sk_set =
- List.fold_left (fun set offs -> IntSet.add offs set) IntSet.empty sk_records
-
-(* Now after visiting all the blocks, are there any used blocks which
- * are unvisited? If there are any then that would indicate either (a)
- * that the hive contains unreferenced blocks, or (b) that there are
- * referenced blocks that we did not visit because we don't have a full
- * understanding of the hive format.
- *
- * Windows 7 registries often contain a few of these -- not clear
- * how serious they are, but don't fail here.
- *)
-let () =
- let unvisited = unvisited_blocks () in
- IntMap.iter (
- fun offset block ->
- match block with
- | (_, false, _) -> () (* ignore unused blocks *)
- | (seg_len, true, _) ->
- eprintf "used block %s (length %d) is not referenced\n"
- (print_offset offset) seg_len
- ) unvisited
-
-(* Check the SKs are:
- * (a) linked into a single circular list through the sk_prev/sk_next
- * pointers
- * (b) refcounts are correct
- *)
-let () =
- if List.length sk_records > 0 then (
- let sk0 = List.hd sk_records in (* start at any arbitrary sk *)
- (* This loop follows the chain of sk pointers until we arrive
- * back at the original, checking prev/next are consistent.
- *)
- let rec loop visited prevsk sk =
- if sk <> sk0 then (
- if not (IntSet.mem sk sk_set) then
- eprintf "SK %s not an sk-record (faulty sk_next somewhere)\n"
- (print_offset sk)
- else (
- let _, _, bits = lookup "loop sk circular list" sk in
- bitmatch bits with
- | { :sk_fields } ->
- if sk_prev <> prevsk then
- eprintf "SK %s sk_prev != previous sk (%s, %s)\n"
- (print_offset sk)
- (print_offset sk_prev) (print_offset prevsk);
- if IntSet.mem sk visited then
- eprintf "SK %s already visited (bad circular list)\n"
- (print_offset sk);
- let visited = IntSet.add sk visited in
- loop visited sk sk_next
- )
- )
- in
- let _, _, bits = lookup "start sk circular list" sk0 in
- (bitmatch bits with
- | { :sk_fields } ->
- loop IntSet.empty sk_prev sk0
- );
-
- (* For every nk-record, if it references an sk-record count that,
- * then check this matches the refcounts in the sk-records
- * themselves.
- *)
- let refcounts = Counter.create () in
- List.iter (
- fun nk ->
- let _, _, bits = lookup "sk refcounter (nk)" nk in
- (bitmatch bits with
- | { :nk_fields } ->
- Counter.incr refcounts sk
- )
- ) nk_records;
-
- List.iter (
- fun sk ->
- let _, _, bits = lookup "sk refcounter (sk)" sk in
- (bitmatch bits with
- | { :sk_fields } ->
- let actual = Counter.get refcounts sk in
- if actual <> refcount then
- eprintf "SK %s incorrect refcount (actual %d, in file %d)\n"
- (print_offset sk) actual refcount
- )
- ) sk_records
- )
diff --git a/hivex/tools/visualizer_NT_time.ml b/hivex/tools/visualizer_NT_time.ml
deleted file mode 100644
index a7521121..00000000
--- a/hivex/tools/visualizer_NT_time.ml
+++ /dev/null
@@ -1,30 +0,0 @@
-(* Windows Registry reverse-engineering tool.
- * Copyright (C) 2010 Red Hat Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * For existing information on the registry format, please refer
- * to the following documents. Note they are both incomplete
- * and inaccurate in some respects.
- *)
-
-(* Convert an NT file timestamp to time_t. See:
- * http://blogs.msdn.com/oldnewthing/archive/2003/09/05/54806.aspx
- * http://support.microsoft.com/kb/167296
- *)
-let nt_to_time_t t =
- let t = Int64.sub t 116444736000000000L in
- let t = Int64.div t 10000000L in
- Int64.to_float t
diff --git a/hivex/tools/visualizer_utils.ml b/hivex/tools/visualizer_utils.ml
deleted file mode 100644
index 2f0d6b7d..00000000
--- a/hivex/tools/visualizer_utils.ml
+++ /dev/null
@@ -1,163 +0,0 @@
-(* Windows Registry reverse-engineering tool.
- * Copyright (C) 2010 Red Hat Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * For existing information on the registry format, please refer
- * to the following documents. Note they are both incomplete
- * and inaccurate in some respects.
- *)
-
-open ExtString
-open Printf
-
-let failwithf fs = ksprintf failwith fs
-
-(* Useful function to convert unknown bitstring fragments into
- * printable strings.
- *)
-let rec print_bitstring bits =
- let str = Bitstring.string_of_bitstring bits in
- print_binary_string str
-and print_binary_string str =
- let rec printable = function
- | '\x00' -> "\\0" | '\x01' -> "\\1" | '\x02' -> "\\2" | '\x03' -> "\\3"
- | '\x04' -> "\\4" | '\x05' -> "\\5" | '\x06' -> "\\6" | '\x07' -> "\\7"
- | ('\x08'..'\x31' as c)
- | ('\x7f'..'\xff' as c) -> sprintf "\\x%02x" (Char.code c)
- | ('\x32'..'\x7e' as c) -> String.make 1 c
- and repeat str = function
- | n when n <= 0 -> ""
- | n -> str ^ repeat str (n-1)
- in
- let chars = String.explode str in
- let rec loop acc = function
- | [] -> List.rev acc
- | x :: xs ->
- let rec loop2 i = function
- | y :: ys when x = y -> loop2 (i+1) ys
- | ys -> i, ys
- in
- let count, ys = loop2 1 xs in
- let acc = (count, x) :: acc in
- loop acc ys
- in
- let frags = loop [] chars in
- let frags =
- List.map (function
- | (nr, x) when nr <= 4 -> repeat (printable x) nr
- | (nr, x) -> sprintf "%s<%d times>" (printable x) nr
- ) frags in
- "\"" ^ String.concat "" frags ^ "\""
-
-(* Convert an offset from the file to an offset. The only special
- * thing is that 0xffffffff in the file is used as a kind of "NULL
- * pointer". We map these null values to -1.
- *)
-let get_offset = function
- | 0xffffffff_l -> -1
- | i -> Int32.to_int i
-
-(* Print an offset. *)
-let print_offset = function
- | -1 -> "NULL"
- | i -> sprintf "@%08x" i
-
-(* Print time. *)
-let print_time t =
- let tm = Unix.gmtime t in
- sprintf "%04d-%02d-%02d %02d:%02d:%02d"
- (tm.Unix.tm_year + 1900) (tm.Unix.tm_mon + 1) tm.Unix.tm_mday
- tm.Unix.tm_hour tm.Unix.tm_min tm.Unix.tm_sec
-
-(* Print UTF16LE. *)
-let print_utf16 str =
- let n = String.length str in
- if n land 1 <> 0 then
- print_binary_string str
- else (
- let rec loop i =
- if i < n-1 then (
- let c1 = Char.code (str.[i]) in
- let c2 = Char.code (str.[i+1]) in
- if c1 <> 0 || c2 <> 0 then (
- (* Well, this doesn't print non-7bit-ASCII ... *)
- let c =
- if c2 = 0 then String.make 1 (Char.chr c1)
- else sprintf "\\u%04d" (c2 * 256 + c1) in
- c :: loop (i+2)
- ) else []
- ) else []
- in
- let frags = loop 0 in
- "L\"" ^ String.concat "" frags ^ "\""
- )
-
-(* A map of int -> anything. *)
-module IntMap = Map.Make (struct type t = int let compare = compare end)
-
-(* A set of ints. *)
-module IntSet = Set.Make (struct type t = int let compare = compare end)
-
-(* Print registry vk-record type field. *)
-let print_vk_type = function
- | 0 -> "NONE"
- | 1 -> "SZ"
- | 2 -> "EXPAND_SZ"
- | 3 -> "BINARY"
- | 4 -> "DWORD"
- | 5 -> "DWORD_BIG_ENDIAN"
- | 6 -> "LINK"
- | 7 -> "MULTI_SZ"
- | 8 -> "RESOURCE_LiST"
- | 9 -> "FULL_RESOURCE_DESCRIPTOR"
- | 10 -> "RESOURCE_REQUIREMENTS_LIST"
- | 11 -> "QWORD"
- | i -> sprintf "UNKNOWN_VK_TYPE_%d" i
-
-(* XXX We should write a more efficient version of this and
- * push it into the bitstring library.
- *)
-let is_zero_bitstring bits =
- let len = Bitstring.bitstring_length bits in
- let zeroes = Bitstring.zeroes_bitstring len in
- 0 = Bitstring.compare bits zeroes
-
-let is_zero_guid = is_zero_bitstring
-
-(* http://msdn.microsoft.com/en-us/library/aa373931(VS.85).aspx
- * Endianness of GUIDs is not clear from the MSDN documentation,
- * so this is just a guess.
- *)
-let print_guid bits =
- bitmatch bits with
- | { data1 : 4*8 : littleendian;
- data2 : 2*8 : littleendian;
- data3 : 2*8 : littleendian;
- data4_1 : 2*8 : littleendian;
- data4_2 : 6*8 : littleendian } ->
- sprintf "%08lX-%04X-%04X-%04X-%012LX" data1 data2 data3 data4_1 data4_2
- | { _ } ->
- assert false
-
-(* Fold over little-endian 32-bit integers in a bitstring. *)
-let rec bitstring_fold_left_int32_le f a bits =
- bitmatch bits with
- | { i : 4*8 : littleendian;
- rest : -1 : bitstring } ->
- bitstring_fold_left_int32_le f (f a i) rest
- | { rest : -1 : bitstring } when Bitstring.bitstring_length rest = 0 -> a
- | { _ } ->
- invalid_arg "bitstring_fold_left_int32_le: length not a multiple of 32 bits"
diff --git a/po/POTFILES.in b/po/POTFILES.in
index c6dbd032..91021062 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -80,9 +80,6 @@ fish/tilde.c
fish/time.c
fuse/dircache.c
fuse/guestmount.c
-hivex/hivex.c
-hivex/hivexml.c
-hivex/hivexsh.c
inspector/virt-inspector
java/com_redhat_et_libguestfs_GuestFS.c
ocaml/guestfs_c.c
diff --git a/src/guestfs.pod b/src/guestfs.pod
index 514db030..2e608c6e 100644
--- a/src/guestfs.pod
+++ b/src/guestfs.pod
@@ -450,10 +450,10 @@ Where we can help is in resolving the case insensitivity of paths.
For this, call C<guestfs_case_sensitive_path>.
Libguestfs also provides some help for decoding Windows Registry
-"hive" files, through the library C<libhivex> which is part of
-libguestfs. You have to locate and download the hive file(s)
-yourself, and then pass them to C<libhivex> functions. See also the
-programs L<hivexml(1)>, L<hivexget(1)> and L<virt-win-reg(1)> for more
+"hive" files, through the library C<hivex> which is part of the
+libguestfs project. You have to locate and download the hive file(s)
+yourself, and then pass them to C<hivex> functions. See also the
+programs L<hivexml(1)>, L<hivexsh(1)> and L<virt-win-reg(1)> for more
help on this issue.
=head2 USING LIBGUESTFS WITH OTHER PROGRAMMING LANGUAGES
diff --git a/tools/run-locally b/tools/run-locally
index eb55d181..cb3dca86 100755
--- a/tools/run-locally
+++ b/tools/run-locally
@@ -48,7 +48,6 @@ while(-l $path) {
# Get the absolute path of the parent directory
$path = abs_path(dirname($path).'/..');
-$ENV{PATH} = $path.'/hivex:'.$ENV{PATH};
$ENV{LD_LIBRARY_PATH} = $path.'/src/.libs';
$ENV{LIBGUESTFS_PATH} = $path.'/appliance';
$ENV{PERL5LIB} = $path.'/perl/blib/lib:'.$path.'/perl/blib/arch';