summaryrefslogtreecommitdiffstats
path: root/hivex/hivex.h
blob: f4ce83401aa90592f6929f05650d1bc0db9fdf99 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
/* hivex - Windows Registry "hive" extraction library.
 * Copyright (C) 2009 Red Hat Inc.
 * Derived from code by Petter Nordahl-Hagen under a compatible license:
 *   Copyright (c) 1997-2007 Petter Nordahl-Hagen.
 * Derived from code by Markus Stephany under a compatible license:
 *   Copyright (c)2000-2004, Markus Stephany.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation;
 * version 2.1 of the License.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * See file LICENSE for the full license.
 */

#ifndef HIVEX_H_
#define HIVEX_H_

#ifdef __cplusplus
extern "C" {
#endif

/* NOTE: This API is documented in the man page hivex(3). */

typedef struct hive_h hive_h;
typedef size_t hive_node_h;
typedef size_t hive_value_h;

enum hive_type {
  /* Just a key without a value. */
  hive_t_none = 0,

  /* A UTF-16 Windows string. */
  hive_t_string = 1,

  /* A UTF-16 Windows string that contains %env% (environment variable
   * substitutions).
   */
  hive_t_expand_string = 2,

  /* A blob of binary. */
  hive_t_binary = 3,

  /* Two ways to encode DWORDs (32 bit words).  The first is little-endian. */
  hive_t_dword = 4,
  hive_t_dword_be = 5,

  /* Symbolic link, we think to another part of the registry tree. */
  hive_t_link = 6,

  /* Multiple UTF-16 Windows strings, each separated by zero byte.  See:
   * http://blogs.msdn.com/oldnewthing/archive/2009/10/08/9904646.aspx
   */
  hive_t_multiple_strings = 7,

  /* These three are unknown. */
  hive_t_resource_list = 8,
  hive_t_full_resource_description = 9,
  hive_t_resource_requirements_list = 10,

  /* A QWORD (64 bit word).  This is stored in the file little-endian. */
  hive_t_qword = 11
};

typedef enum hive_type hive_type;

/* Bitmask of flags passed to hivex_open. */
#define HIVEX_OPEN_VERBOSE      1
#define HIVEX_OPEN_DEBUG        2
#define HIVEX_OPEN_MSGLVL_MASK  (HIVEX_OPEN_VERBOSE|HIVEX_OPEN_DEBUG)
#define HIVEX_OPEN_WRITE        4

extern hive_h *hivex_open (const char *filename, int flags);
extern int hivex_close (hive_h *h);
extern hive_node_h hivex_root (hive_h *h);
extern char *hivex_node_name (hive_h *h, hive_node_h node);
extern hive_node_h *hivex_node_children (hive_h *h, hive_node_h node);
extern hive_node_h hivex_node_get_child (hive_h *h, hive_node_h node, const char *name);
extern hive_node_h hivex_node_parent (hive_h *h, hive_node_h node);
extern hive_value_h *hivex_node_values (hive_h *h, hive_node_h node);
extern hive_value_h hivex_node_get_value (hive_h *h, hive_node_h node, const char *key);
extern char *hivex_value_key (hive_h *h, hive_value_h value);
extern int hivex_value_type (hive_h *h, hive_value_h value, hive_type *t, size_t *len);
extern char *hivex_value_value (hive_h *h, hive_value_h value, hive_type *t, size_t *len);
extern char *hivex_value_string (hive_h *h, hive_value_h value);
extern char **hivex_value_multiple_strings (hive_h *h, hive_value_h value);
extern int32_t hivex_value_dword (hive_h *h, hive_value_h value);
extern int64_t hivex_value_qword (hive_h *h, hive_value_h value);
struct hivex_visitor {
  int (*node_start) (hive_h *, void *opaque, hive_node_h, const char *name);
  int (*node_end) (hive_h *, void *opaque, hive_node_h, const char *name);
  int (*value_string) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *str);
  int (*value_multiple_strings) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, char **argv);
  int (*value_string_invalid_utf16) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *str);
  int (*value_dword) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, int32_t);
  int (*value_qword) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, int64_t);
  int (*value_binary) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value);
  int (*value_none) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value);
  int (*value_other) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value);
  int (*value_any) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value);
};

#define HIVEX_VISIT_SKIP_BAD 1

extern int hivex_visit (hive_h *h, const struct hivex_visitor *visitor, size_t len, void *opaque, int flags);
extern int hivex_visit_node (hive_h *h, hive_node_h node, const struct hivex_visitor *visitor, size_t len, void *opaque, int flags);

extern int hivex_commit (hive_h *h, const char *filename, int flags);
extern hive_node_h hivex_node_add_child (hive_h *h, hive_node_h parent, const char *name);
extern int hivex_node_delete_child (hive_h *h, hive_node_h node);

struct hive_set_value {
  char *key;
  hive_type t;
  size_t len;
  char *value;
};
typedef struct hive_set_value hive_set_value;

extern int hivex_node_set_values (hive_h *h, hive_node_h node, size_t nr_values, const hive_set_value *values, int flags);

#ifdef __cplusplus
}
#endif

#endif /* HIVEX_H_ */