/* hivex - Windows Registry "hive" extraction library.
* Copyright (C) 2009 Red Hat Inc.
* Derived from code by Petter Nordahl-Hagen under a compatible license:
* Copyright (c) 1997-2007 Petter Nordahl-Hagen.
* Derived from code by Markus Stephany under a compatible license:
* Copyright (c)2000-2004, Markus Stephany.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation;
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* See file LICENSE for the full license.
*/
#ifndef HIVEX_H_
#define HIVEX_H_
#ifdef __cplusplus
extern "C" {
#endif
/* NOTE: This API is documented in the man page hivex(3). */
/* Opaque handle for an open hive.  struct hive_h is only forward-declared
 * in this header, so callers can hold a pointer to it but cannot see or
 * modify its fields.
 */
typedef struct hive_h hive_h;
/* Node and value handles are plain size_t integers, not pointers, so the
 * compiler cannot tell a node handle from a value handle or from any other
 * integer.
 * NOTE(review): presumably these are offsets into the hive file and are
 * only meaningful for the hive_h they were obtained from -- confirm in
 * hivex(3).  Callers should pass only handles returned by this API.
 * NOTE(review): size_t is used here but no #include is visible in this
 * header; the including file must have <stddef.h> (or similar) in scope --
 * TODO confirm.
 */
typedef size_t hive_node_h;
typedef size_t hive_value_h;
/* Type tag of a registry value.  The numeric values 0..11 match the Windows
 * REG_* type numbers (REG_NONE, REG_SZ, REG_EXPAND_SZ, ...).
 * NOTE(review): the tag is read from the hive file, so for an untrusted
 * hive it is attacker-controlled: it says how the data claims to be
 * encoded, not that the data is well formed (the visitor API below has a
 * separate callback for strings that are not valid UTF-16).  Values outside
 * this list may also occur -- confirm how the library reports them.
 */
enum hive_type {
/* Just a key without a value. */
hive_t_none = 0,
/* A UTF-16 Windows string. */
hive_t_string = 1,
/* A UTF-16 Windows string that contains %env% (environment variable
 * substitutions).
 */
hive_t_expand_string = 2,
/* A blob of binary. */
hive_t_binary = 3,
/* Two ways to encode DWORDs (32 bit words).  hive_t_dword is little-endian,
 * hive_t_dword_be is big-endian.
 */
hive_t_dword = 4,
hive_t_dword_be = 5,
/* Symbolic link, we think to another part of the registry tree. */
hive_t_link = 6,
/* Multiple UTF-16 Windows strings, each separated by a zero (NUL)
 * character.  See:
 * http://blogs.msdn.com/oldnewthing/archive/2009/10/08/9904646.aspx
 */
hive_t_multiple_strings = 7,
/* The meaning of these three is unknown to this library.  Their numbers
 * match the Windows resource-list types (8, 9, 10).
 */
hive_t_resource_list = 8,
hive_t_full_resource_description = 9,
hive_t_resource_requirements_list = 10,
/* A QWORD (64 bit word). This is stored in the file little-endian. */
hive_t_qword = 11
};
/* Allow the type to be written as plain 'hive_type' without 'enum'. */
typedef enum hive_type hive_type;
/* Bits for the 'flags' argument of hivex_open.  VERBOSE (1) and DEBUG (2)
 * are independent bits; MSGLVL_MASK (3) is the OR of both, i.e. the mask
 * covering the message-level bits of a flags word.
 */
#define HIVEX_OPEN_VERBOSE 1
#define HIVEX_OPEN_DEBUG 2
#define HIVEX_OPEN_MSGLVL_MASK 3
/* Open the hive file 'filename' and return a handle for the other calls.
 * 'flags' is a combination of the HIVEX_OPEN_* bits above (0 for none).
 * NOTE(review): failure is presumably reported as NULL with errno set --
 * confirm in hivex(3).  A hive taken from an untrusted machine or disk
 * image is untrusted input, so callers must check the result before using
 * the handle.
 */
extern hive_h *hivex_open (const char *filename, int flags);
/* Close a handle obtained from hivex_open; returns an int status.
 * NOTE(review): presumably frees 'h', after which the handle and any node
 * or value handles derived from it must not be used -- confirm.
 */
extern int hivex_close (hive_h *h);
/* Tree navigation.  All functions take the hive handle plus a node handle
 * and return either another handle, an array of handles, or a string.
 * NOTE(review): handles are size_t, so an error can only be signalled
 * in-band (presumably 0 with errno set) -- confirm in hivex(3) and check
 * every result before passing it on.
 */

/* Return the handle of the root node of the hive. */
extern hive_node_h hivex_root (hive_h *h);
/* Return the name of 'node'.  The result is a non-const char *.
 * NOTE(review): presumably a newly allocated string the caller must free,
 * NULL on error -- confirm.
 */
extern char *hivex_node_name (hive_h *h, hive_node_h node);
/* Return the child nodes of 'node' as an array of handles.  No element
 * count is returned.
 * NOTE(review): the array is presumably terminated by a 0 handle and owned
 * by the caller -- confirm before iterating or freeing.
 */
extern hive_node_h *hivex_node_children (hive_h *h, hive_node_h node);
/* Look up the child of 'node' called 'name'.
 * NOTE(review): the "not found" and "error" results and the case
 * sensitivity of the match are not visible here -- see hivex(3).
 */
extern hive_node_h hivex_node_get_child (hive_h *h, hive_node_h node, const char *name);
/* Return the parent of 'node'. */
extern hive_node_h hivex_node_parent (hive_h *h, hive_node_h node);
/* Return the values attached to 'node' as an array of value handles.  As
 * with hivex_node_children, no count is returned (presumably
 * 0-terminated, caller frees -- confirm).
 */
extern hive_value_h *hivex_node_values (hive_h *h, hive_node_h node);
/* Look up the value of 'node' whose key is 'key'. */
extern hive_value_h hivex_node_get_value (hive_h *h, hive_node_h node, const char *key);
/* Value accessors.  Each takes the hive handle and a value handle.
 * NOTE(review): functions returning char * or char ** hand back non-const
 * pointers, presumably allocated for the caller to free, NULL on error --
 * confirm in hivex(3).
 * NOTE(review): int32_t/int64_t are used but no #include of <stdint.h> is
 * visible in this header -- the includer must provide it.
 */

/* Return the key (name) of the value. */
extern char *hivex_value_key (hive_h *h, hive_value_h value);
/* Report the type and data length of the value through the out-parameters
 * 't' and 'len'; the int return is a status code.
 * NOTE(review): both come from the hive file; for untrusted hives treat
 * 'len' as attacker-influenced and bound it before sizing buffers.
 */
extern int hivex_value_type (hive_h *h, hive_value_h value, hive_type *t, size_t *len);
/* Return the raw data of the value, with its type and length reported
 * through 't' and 'len'.  The data is returned as char * but is binary:
 * use '*len', not strlen, to find its extent.
 */
extern char *hivex_value_value (hive_h *h, hive_value_h value, hive_type *t, size_t *len);
/* Return the value as a single string.
 * NOTE(review): presumably converted from UTF-16 and only valid for the
 * string types -- confirm.
 */
extern char *hivex_value_string (hive_h *h, hive_value_h value);
/* Return the value as an array of strings (for hive_t_multiple_strings).
 * No count is returned; presumably NULL-terminated -- confirm.
 */
extern char **hivex_value_multiple_strings (hive_h *h, hive_value_h value);
/* Return the value as a 32-bit / 64-bit integer.  The result is returned
 * directly, so a failure cannot be told apart from a legitimate value by
 * the return alone.
 * NOTE(review): see hivex(3) for how errors are signalled (presumably via
 * errno) and check it when the hive is untrusted.
 */
extern int32_t hivex_value_dword (hive_h *h, hive_value_h value);
extern int64_t hivex_value_qword (hive_h *h, hive_value_h value);
/* Table of callbacks passed to hivex_visit / hivex_visit_node.
 *
 * Every callback receives the hive handle and a 'void *opaque' pointer
 * (hivex_visit also takes a 'void *opaque', presumably the one forwarded
 * here -- confirm).  node_start/node_end additionally get the node handle
 * and its name.  The value_* callbacks get, in order: the node handle, the
 * value handle, the value's type 't', its length 'len', its key, and the
 * value itself in a form that depends on the callback (string, string
 * array, int32_t, int64_t, or raw bytes).
 *
 * NOTE(review): the meaning of the int return (presumably nonzero/-1
 * aborts the walk) and whether a NULL member is allowed are not visible
 * here -- see hivex(3).
 * NOTE(review): for the raw-byte callbacks (binary, none, other) the data
 * is passed as const char *; use 'len' for its extent rather than treating
 * it as a C string.
 */
struct hivex_visitor {
/* Called for a node; by name, before and after its contents are visited. */
int (*node_start) (hive_h *, void *opaque, hive_node_h, const char *name);
int (*node_end) (hive_h *, void *opaque, hive_node_h, const char *name);
/* String value, passed as a C string 'str'. */
int (*value_string) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *str);
/* Multi-string value, passed as an array 'argv' (no count given;
 * presumably NULL-terminated -- confirm).
 */
int (*value_multiple_strings) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, char **argv);
/* By name: a value typed as a string whose data is not valid UTF-16.
 * 'str' then presumably holds the raw bytes -- confirm, and do not assume
 * it is terminated.
 */
int (*value_string_invalid_utf16) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *str);
/* 32-bit and 64-bit integer values, passed by value. */
int (*value_dword) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, int32_t);
int (*value_qword) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, int64_t);
/* Raw data for binary values, values of type none, and any other type. */
int (*value_binary) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value);
int (*value_none) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value);
int (*value_other) (hive_h *, void *opaque, hive_node_h, hive_value_h, hive_type t, size_t len, const char *key, const char *value);
};
/* Flag bit for the 'flags' argument of the visit functions.
 * NOTE(review): by name, asks the walk to skip bad (unreadable or
 * malformed) entries instead of failing.  When auditing an untrusted hive,
 * remember that skipped entries are then not reported to the visitor --
 * confirm the exact behaviour in hivex(3).
 */
#define HIVEX_VISIT_SKIP_BAD 1
/* Walk the hive, invoking the callbacks in 'visitor'; 'opaque' is a
 * caller-supplied pointer and 'flags' takes HIVEX_VISIT_* bits.  hivex_visit
 * takes no starting node; hivex_visit_node starts at 'node'.
 * NOTE(review): 'len' is presumably sizeof (struct hivex_visitor), letting
 * the library cope with callers built against a shorter struct -- confirm,
 * and pass the real size, since a too-large value would make the library
 * read past the caller's struct.
 */
extern int hivex_visit (hive_h *h, const struct hivex_visitor *visitor, size_t len, void *opaque, int flags);
extern int hivex_visit_node (hive_h *h, hive_node_h node, const struct hivex_visitor *visitor, size_t len, void *opaque, int flags);
#ifdef __cplusplus
}
#endif
#endif /* HIVEX_H_ */