2011-08-24 Hilko Bengen

hivex: Newer Python versions want parentheses around arguments of "print"

hivex: Fix building on platforms without O_CLOEXEC such as FreeBSD

hivex: Don't build static library, .so.* symlinks for Python bindings

2011-08-16 Alex Nelson

hivexml: Add root attribute to the root node
New feature: If the root node of the XML root is the hive root node, denote with attribute/value root="1".

2011-08-15 Richard W.M. Jones

ruby: Test against locally built library.

Prevent warning about unused variable in test.

Fix incorrect printf format specifier in error string.

hivex(3): Fix link to CSS.

Version 1.3.0.

Add Ruby bindings.

header: Fix including just .
Also this adds a regression test so we don't break it in future.

2011-08-13 Alex Nelson

Report last-modified time of hive root and nodes
The infrastructure for modified-time reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer).
This patch adds to the hivex ABI:
* int64_t hivex_last_modified (hive_h *)
* int64_t hivex_node_timestamp (hive_h *, hive_node_h)
These two functions return the hive's last-modified time and a particular node's last-modified time, respectively. Credit to Richard Jones for the ABI suggestion, and for the tip on Microsoft's filetime time span.
hivexml employs these two functions to produce mtime elements for a hive and all of its nodes, producing ISO-8601 formatted time.
A lot of code cleanup by RWMJ.

2011-08-12 Richard W.M. Jones

Version 1.2.8.

Pushed and pulled translations from Transifex.

2011-08-12 Hilko Bengen

More changes needed separate builddir
This patch hopefully fixes building and installing the OCaml bindings both in-tree and out-of-tree.
-Hilko

More changes needed separate builddir
Here's the fix for perl. Both in-tree and out-of-tree build and install worked.
-Hilko

2011-08-11 Hilko Bengen

hivex: A few tweaks to enable building in a separate directory
A couple of fixes by RWMJ so it still works in the same directory case.

2011-08-11 Alex Nelson

Correct 32-bit to 64-bit call

2011-07-22 Richard W.M. Jones

perl: Fix CCFLAGS on Perl 5.14.
A change to ExtUtils::CBuilder in Perl 5.14 causes CCFLAGS to completely replace, rather than appending, the C flags. The unfortunate consequence of this is that vital flags such as -D_FILE_OFFSET_BITS=64 are missing. For 32 bit code, this means you get binary-incompatible code that completely fails to load.
For further analysis see: http://www.nntp.perl.org/group/perl.perl5.porters/2011/04/msg171535.html
This commit changes CCFLAGS so that it appends to the existing $Config{ccflags} instead of replacing it. On earlier versions of Perl this means we get two copies of the flags, which is unfortunate but should be safe.
Also, ignore MYMETA.yml file produced by Perl 5.14.

2011-07-11 Michael Huang

Close the file descriptor along the writable path.
Since the file has been completely read into memory, there is no reason to keep the file descriptor open.

2011-06-29 Richard W.M. Jones

Sort m4/.gitignore file.

2011-06-29 Jim Meyering

maint: add cfg.mk to prepare for syntax-check tests
* cfg.mk: New file, to tell maint.mk which syntax-checks to skip for now, where .gnulib/ is, to exempt images/minimal from one of the tests and to exempt sh/hivexsh\.pod from another. Also exempt lib/gettext.h from sc_useless_cpp_parens.

2011-06-28 Jim Meyering

maint: remove rule that generated po/POTFILES.in
* Makefile.am (all-local): Remove rule. It would put many files in po/POTFILES.in that contain no translatable diagnostic.

build: update gnulib submodule to latest

maint: remove spaces before TAB
* perl/typemap: Remove spaces-before-TAB.

maint: avoid using test's -a and -o operators; they are not portable
* configure.ac: use "test C1 && test C2", not "test C1 -a C2";
* autogen.sh: Likewise.
* sh/hivexget: Use "test C1 || test C2", not "test C1 -o C2"

maint: use "test x = x", not "test x == x"
* autogen.sh: Using "test x = x" is more portable.

maint: remove trailing blanks

maint: remove now-unnecessary #ifdef HAVE_BYTESWAP_H guard
* lib/byte_conversions.h: Remove #ifdef HAVE_BYTESWAP_H guard. With gnulib, we're guaranteed to have that header file.
* bootstrap (modules): Use the byteswap module.

maint: remove definition of O_CLOEXEC, ...
now that we're using gnulib's fcntl module, which ensures that we use a conforming .
* lib/hivex.c (O_CLOEXEC): Remove definition.
* bootstrap (modules): Add fcntl for its guaranteed definition of O_CLOEXEC.

maint: normalize to exactly one newline at EOF
* .tx/config: Remove trailing empty line.
* images/Makefile.am: Likewise.
* sh/example1: Add newline at EOF.
* sh/example2: Likewise.
* sh/example3: Likewise.
* sh/example4: Likewise.
* sh/example5: Likewise.

maint: update po/POTFILES.in
* po/POTFILES.in: Reduce list of files with translatable messages to match reality.

maint: remove definitions of PRId64 and PRIu64, ...
now that we're using gnulib's inttypes module, which ensures that we use a conforming .
* bootstrap (modules): Add inttypes.
* generator/generator.ml (generate_perl_xs) [PRId64, PRIu64]: Don't define these symbols. Instead, ... Include .

maint: remove unnecessary test-before-free
* lib/hivex.c (hivex_node_set_value): Remove unnecessary test-before-free.

2011-05-17 Richard W.M. Jones

ocaml: Really fix 'make install' rule.
This fixes commit b8ad15031cacf910634b4f4f4632232949c4acd2 and commit f408b757b1d75429fae5fa7630a4fc5451844de7.

ocaml: Set package name when installing native bindings.
This fixes commit b8ad15031cacf910634b4f4f4632232949c4acd2.

Version 1.2.7.

Update gnulib to latest version.

hivexregedit: Add --unsafe-printable-strings option.

2011-05-13 Richard W.M. Jones

hivex_root: Return errno == HIVEX_NO_KEY when root key is missing.
Previously we returned errno == ENOKEY.
However this was an unfortunate choice of error code since it is not defined in POSIX. As a result it is missing on several platforms.
HIVEX_NO_KEY is defined as ENOKEY on platforms where this symbol exists (thus maintaining backwards ABI compatibility), and defined as another POSIX error code otherwise.

2011-05-13 Hilko Bengen

hivex: Fix install target for systems without native OCaml compiler
,----
| ocamlfind install \
| -ldconf ignore -destdir /build/buildd-hivex_1.2.6-1-ia64-iqcb38/hivex-1.2.6/debian/tmp/usr/lib/ocaml \
| hivex \
| META *.so *.a *.cma *.cmx *.cmxa *.cmi *.mli
| Installed /build/buildd-hivex_1.2.6-1-ia64-iqcb38/hivex-1.2.6/debian/tmp/usr/lib/ocaml/hivex/hivex.mli
| Installed /build/buildd-hivex_1.2.6-1-ia64-iqcb38/hivex-1.2.6/debian/tmp/usr/lib/ocaml/hivex/hivex.cmi
| ocamlfind: *.cmxa: No such file or directory
| make[4]: *** [install-data-hook] Error 2
`----

hivex: Remove python bytecode on "make clean"

2011-05-12 Richard W.M. Jones

ocaml: Use libtool to get correct library to build OCaml tests.
See this thread: https://www.redhat.com/archives/libguestfs/2011-May/thread.html#00015
Thanks to Hilko Bengen and Török Edwin for coming up with this fix.

Version 1.2.6.

build: Workaround broken libtool.
Same as this error:
https://www.redhat.com/archives/libguestfs/2011-April/msg00042.html
https://www.redhat.com/archives/libguestfs/2011-May/msg00041.html
We don't know why latest libtool is so obviously broken, but this works around the problem.

bootstrap: Force gnulib-tool --libtool option.
This forces the recent gnulib to generate a libgnu.la file. Otherwise it appears to default to --no-libtool which doesn't generate one.

configure: AC_PROG_LIBTOOL -> AM_PROG_LIBTOOL.
Unclear if this makes any difference.

Update gnulib.

2011-05-12 Hilko Bengen

hivex: Fix for endianness bug.
* Richard W.M. Jones:
> > Both size_t and int are 32 bit values. An endianness issue, maybe?
> I guess it might be. We're supposed to be doing le32toh / be32toh
> everywhere as appropriate, but we might be missing one. The code is
> mainly tested on little endian arches.
Found it. Now "make check" completes successfully on Sparc and PowerPC.

hivex: check for presence of OCaml native compiler
Only compile bytecode otherwise, avoiding ocamlfind's helpful error message "ocamlfind: Not supported in your configuration: ocamlopt"
(Successfully tested on Debian/unstable on alpha)

hivex: Use OCaml bytecode compiler for caml_raise_with_args check
On installations where no native OCaml compiler is available, the test program can't be compiled and so we get this message:
,----
| checking for function caml_raise_with_args... not found
`----
This breaks building of the OCaml bindings.
,----
| gcc -std=gnu99 -I.. -I/usr/lib/ocaml -I../ocaml -I../lib -g -O2 -fPIC -Wall -c hivex_c.c
| hivex_c.c:52: error: static declaration of 'caml_raise_with_args' follows non-static declaration
| /usr/lib/ocaml/caml/fail.h:30: note: previous declaration of 'caml_raise_with_args' was here
| make[2]: *** [hivex_c.o] Error 1
`----
(Successfully tested on Debian/unstable on alpha)

2011-05-12 Richard W.M. Jones

configure: Use Python platform-dependent site-packages.
This updates commit b808c875a34e62fcdf360534f923d6030590ff44.

2011-05-09 Hilko Bengen

Use Python's distutils to determine include and site-packages directories.
The code has been taken from specifically ac_python_devel.m4 published at , it has turned out to be less error-prone on my Debian system.

Don't rely on OCaml native compiler for tests
This should make it possible to build useful OCaml bindings on architectures other than i386 and amd64 (Debian bug #589809).

2011-04-28 Richard W.M. Jones

Include generator in the tarball.

2011-04-28 Hilko Bengen

hivex/python fix for i386 integer size issue
Hi,
While working on Debian packages of hivex 1.2.5, I came across a test failure for the Python bindings with Python 2.7 on the i386 architecture.
(The tests ran fine on amd64.)
,----
| $ make -C python check
| make[1]: Entering directory `/home/bengen/src/deb/hivex/hivex.git/python'
| 010-import.py
| 020-open.py
| 021-close.py
| 200-write.py
| python: hivex-py.c:52: get_handle: Assertion `obj' failed.
`----
I narrowed this down to hivex-py.c:py_hivex_node_add_child(): The call
,----
| PyArg_ParseTuple (args, (char *) "OLs:hivex_node_add_child",
| &py_h, &parent, &name)
`----
results in `py_h' set to NULL, though Python's documentation claims that this cannot happen.
I think this happens because `parent' is declared a `long int', but "L" in the format string corresponds to a `long long'. On amd64, they have the same size, but on i386 they don't, so the PyObject pointer is written to the wrong address.
Please consider applying the patch below which just changes the format string. After regenerating hivex-py.c, I have successfully tested the 1.2.5 code base on both architectures.
Cheers,
-Hilko

2011-04-13 Jim Meyering

maint: Split long lines.
* lib/hivex.c: Split lines longer than 80 columns.

2011-04-13 Richard W.M. Jones

Version 1.2.5.

Updated PO files.

Remove no longer used internal function utf16_string_len_in_bytes.

hivex_value_multiple_strings: Don't read uninitialized data.
If hivex_value_multiple_strings was given a value which had an odd length or if the data in the value was unterminated, hivex_value_multiple_strings could read uninitialized data. Potentially (although very unlikely) this could cause a non-exploitable segfault in the calling program.

Handle odd-length "UTF16" strings.
If the length of the buffer is not even, then this would read a byte of uninitialized data. Fix the length check to avoid this.

Return real length of buffer from hivex_value_value.
In real registries, often the length declared in the header does not match the length of the block. In this case hivex_value_value would only allocate a value with a size which is the shorter of the two length values, which is correct and safe.
However user code could do:
  buf = hivex_value_value (h, v, &t, &len);
  memcpy (somewhere, buf, len);
which would copy uninitialized data. If hivex_value_value truncates a value like this, we also need to return the shorter length to the user as well.

Really fix the case where a UTF-16 string contains junk after the string.
The previous commit b71b88f588f8660935a7d462e97b84aa2d669249 attempted to fix this, but got the test the wrong way round so the length would never be shorter.

2011-04-12 Richard W.M. Jones

Fix use-after-free in hivex_close.
Found using valgrind.

2011-04-02 Richard W.M. Jones

Pull translations from Transifex.

2011-04-01 Richard W.M. Jones

debian: Fix python test script for bash.

2011-03-07 Richard W.M. Jones

Import hivex into transifex.
http://www.transifex.net/projects/p/hivex/

2010-12-23 Richard W.M. Jones

Refresh documentation.

2010-12-16 Richard W.M. Jones

ocaml: Fix segfault in Hivex.value_value binding.

2010-12-02 Richard W.M. Jones

Version 1.2.4.

2010-11-28 Richard W.M. Jones

Python bindings.

2010-08-27 Richard Jones

Version 1.2.3.

build: Don't warn about 'long long'.
We have to allow this, even though it's a GCC extension. This is a port of libguestfs commit 0c0976496dafda4d172c5a7fc787d6a87d5bce8d.

2010-08-27 Geert Warrink

Add Dutch translations (RHBZ#624455).

2010-08-13 Matthew Booth

Add debug output to hivex_close.

2010-07-12 Richard Jones

Don't try to process junk after a string value as UTF-16.
Thanks to Hilko Bengen for characterizing the issue and providing an initial version of this patch.

2010-07-12 Hilko Bengen

Call iconv_close along error path out of function.

2010-07-11 Richard Jones

perl: Fix generated XS code for value_dword binding.
Thanks to Hilko Bengen for spotting the problem.

2010-07-08 Conrad Meyer

Add hivex_set_value API call, and ocaml and perl bindings, and tests.

2010-06-13 Richard Jones

hivex_value_type: Returns -1 on error. Fix documentation.
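
The 2011-04-13 entries above (odd-length "UTF16" strings, junk after the terminator, and returning the shorter of the declared and allocated lengths) all come down to bounding every read by the bytes actually present. The C code below is an added example, not hivex's own code: the function names and sample buffers are constructed for illustration, and the "Bar" bytes reuse the hex(1) value quoted in the 2010-04-28 regedit entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data (not taken from a real hive). */
/* "Bar" + 16-bit NUL, then three junk bytes, giving an odd total length. */
static const uint8_t bar_with_junk[] = {
    0x42, 0x00, 0x61, 0x00, 0x72, 0x00, 0x00, 0x00, 0xde, 0xad, 0xbe
};
/* "Ba" plus half a code unit: unterminated and odd-length. */
static const uint8_t odd_unterminated[] = { 0x42, 0x00, 0x61, 0x00, 0x72 };
/* Multi-string "A", "B" followed by the closing empty string. */
static const uint8_t multi_ok[] = {
    0x41, 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00, 0x00, 0x00
};
/* Multi-string "A", "B" cut off before a terminator, with a dangling byte. */
static const uint8_t multi_cut[] = { 0x41, 0x00, 0x00, 0x00, 0x42, 0x00, 0x43 };

/* Hypothetical helper: the length a caller may safely copy when the
 * declared length and the space available in the block disagree. */
static size_t usable_len(size_t declared, size_t block_avail)
{
    return declared < block_avail ? declared : block_avail;
}

/* Bytes of UTF-16LE text before the first 16-bit NUL, never reading past
 * len.  A trailing odd byte is ignored, and an unterminated buffer yields
 * the even-rounded length instead of running off the end. */
static size_t utf16le_len_bounded(const uint8_t *buf, size_t len)
{
    size_t even = len & ~(size_t)1;
    for (size_t i = 0; i < even; i += 2)
        if (buf[i] == 0 && buf[i + 1] == 0)
            return i;
    return even;
}

/* Count the strings in a multi-string value (NUL-terminated UTF-16LE
 * strings closed by an empty string) without trusting either terminator. */
static size_t multi_sz_count(const uint8_t *buf, size_t len)
{
    size_t even = len & ~(size_t)1;
    size_t off = 0, n = 0;

    while (off < even) {
        size_t slen = utf16le_len_bounded(buf + off, even - off);
        if (slen == 0)
            break;              /* empty string closes the list */
        n++;
        off += slen;
        if (off == even)
            break;              /* last string had no terminator */
        off += 2;               /* step over the 16-bit NUL */
    }
    return n;
}

int main(void)
{
    printf("usable length (declared 16, block 8): %zu\n", usable_len(16, 8));
    printf("Bar + junk: %zu text bytes\n",
           utf16le_len_bounded(bar_with_junk, sizeof bar_with_junk));
    printf("odd, unterminated: %zu text bytes\n",
           utf16le_len_bounded(odd_unterminated, sizeof odd_unterminated));
    printf("well-formed multi-string: %zu strings\n",
           multi_sz_count(multi_ok, sizeof multi_ok));
    printf("truncated multi-string: %zu strings\n",
           multi_sz_count(multi_cut, sizeof multi_cut));
    return 0;
}
```
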

2010-05-13 Richard Jones

Include a test for regimport of values containing backslash chars.

2010-04-30 Richard Jones

regedit: Fix documentation for CurrentControlSet (thanks Yuval Kashtan).

2010-04-28 Richard Jones

Version 1.2.2.

regedit: Add implicit nul-termination when importing strings.
When you import a string value like:
  "Foo"="Bar"
using Windows regedit program, implicit nul-termination is added to the value (not the key), so what is stored in the value would be something like:
  hex(1):42,00,61,00,72,00,00,00
where two of the trailing zero bytes come from the implicit terminator.
This corrects the reg_import function so it works the same way.

2010-04-20 Richard Jones

Remove checks for Test::Pod and Test::Pod::Coverage.
Although these modules are optionally used by the Perl tests, they aren't necessary and won't break the build if they are not there. These modules aren't available in RHEL 5. Therefore remove these checks.

2010-04-03 Richard Jones

Add a linker script to limit visibility to exported symbols.

2010-04-03 TJ

Remove explicit dependency on ncurses.

Spelling: reencode -> re-encode.

2010-04-02 TJ

Add CLEANFILES rules.

2010-04-01 Yulia

New Russian translation (RHBZ#578347).

2010-03-30 Richard Jones

Update PO files.

Add maintainer rule for updating the website.

hivexml: Fix path so HTML documentation is generated correctly.

Prepare for version 1.2.1.

hivexregedit: Low-level tool for merging and export in regedit format.

Win::Hivex::Regedit module for importing and exporting regedit format files.

hivexsh: '-f' option takes an argument (found by Marko Myllynen).

2010-03-29 Richard Jones

Zero all new block allocations.
Make sure all new block allocations (from allocate_block) are zeroed. It can happen that junk from previous hive pages can end up in new block allocations, if the hive previously shrank. (Thanks to Marko Myllynen for finding an example where this happened).

Increase HIVEX_MAX_VALUES from 1000 to 10000.
I was sent a genuine Windows XP hive by Marko Myllynen which had a key with > 1000 values attached.

2010-03-26 Richard Jones

Increase HIVEX_MAX_SUBKEYS to 15000.
Windows 7 registry has a hive key which contains 11908 subkeys, larger than the existing limit (10000). The key is: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners

hivex: Add debugging message when returning ERANGE error.

hivexsh: Fix building of HTML-format manpages.

2010-03-25 Richard Jones

perl: Fix $h->value_value method when returning an empty value.
Previously this didn't correctly return an empty registry value. In this case the length argument to newSVpv would be 0 which tells Perl to try to calculate the length (we want newSVpvn instead).

Fix generation of po/POTFILES.in.
Contains some obsolete code copied in from libguestfs, and we need to exclude Perl 'blib' files.

perl: Small fix to 006-pod-coverage test.
Some code copied over from libguestfs, fixed.

perl: Fix $h->value_type and $h->value_value methods.
These were passing the type & len arguments the wrong way round to the C function, resulting in data corruption in the returned values.

2010-03-08 Richard Jones

Fix documentation for Win::Hivex->open

2010-03-01 Richard Jones

RHEL 5: Fixes for old version of OCaml in EPEL 5.

Prepare for version 1.2.0.

Fix hivexsh_SOURCES.

Update PO files.

2010-03-01 Daniel Cabrera

Update Spanish translations (RHBZ#569178).

2010-03-01 Richard Jones

Update PO files.

2010-03-01 Piotr Drąg

Update Polish translations (RHBZ#502533).

2010-02-26 Richard W.M. Jones

NO Python bindings - ran out of time.
This commit disables parts of the build related to Python and notes in the README that we didn't have time to finish Python bindings.

generator: Perl bindings.
This also adds a small test suite for the Perl bindings.

generator: Clarify LGPLv2 boilerplate.

More documentation in README file.

hivexsh: Fix compilation on 32 bit machines.

2010-02-25 Richard Jones

Remove bogus msgstr from kn.po.

2010-02-24 Richard Jones

generator: Add OCaml bindings.
Also we tighten up the definition of hivex_close (it disposes of handles) and hivex_node_get_child (unusual "not found" non-error condition).
This also adds tests of the OCaml bindings.

Add build framework for OCaml, Perl, Python bindings.
(No bindings are actually built, this just adds the build, test and generator framework for them).

configure: Comment out Ruby, Java, Haskell detection.
We will not be implementing bindings for Ruby, Java or Haskell unless someone pitches in to do the work. Therefore comment out the code which detects these languages in the configure script.
(This leaves OCaml, Perl, Python, which we will be writing bindings for).

Create separate toplevel directories for hivexsh and hivexml.

Rename hivex/ -> lib/

Move test images to images/ and add a large, generated test image.
Previously we had one minimal test image. This was located in hivex/t (a subdirectory of the main library).
This adds a large, procedurally generated test image. Because this needs to be built using hivex code, and because subdirectories are built before the parent directory by automake, we have to also move the directory location to a top-level directory called images/.

2010-02-24 Shankar Prasad

Added Kannada translation (RHBZ#567860).

2010-02-23 Richard Jones

hivex: Fix allocations that may move C heap buffer.
When heavily extending existing hive files, the malloc-allocated in-memory copy of the hive may be moved when we reallocate it (to increase its size). However we didn't adjust existing pointers to cope with this, so sometimes you could get a segfault.
This patch fixes the issue by adjusting pointers as necessary after calling (directly or indirectly) to the allocate_block function.
With this patch I was able to allocate 10,000's of blocks in a deeply nested hive structure without any problems being reported by valgrind.

Link gnulib in to the hivex library, not end-user programs.
Gnulib should be statically linked into the hivex library, so it gets included into end-user programs automatically. Otherwise end-user programs would have to link explicitly with gnulib.

2010-02-22 Richard Jones

generator: More minor formatting adjustments to POD documentation.

generator: Minor adjustments to the C POD documentation.

Add a generator for generating bindings to other languages.
At the moment the generator just generates the C header file and C POD documentation. This is just so we can compare the existing hand-written code with the generated code to make sure that our description of the API within the generator is correct.

Remove bogus reference to src/ directory which no longer exists.

Update copyright notice and change libguestfs to hivex.

Version 1.1.2

Install hivex.h in $includedir.

Version 1.1.1.
Also some minor fixes to the build system.

2010-02-19 Richard Jones

Move README, LICENSE files to the toplevel directory.

gnulib: Remove some unused modules.

Version 1.1.0

po: Import pofiles and various build fixes.

Sort and complete m4/.gitignore file.

Add gettext.h, omitted from earlier import.

gnulib: Include xstrtol, xstrtoll modules.
These were omitted from the earlier code import from libguestfs.

Add html/ directory, include POD CSS.

hivexsh: Print hex bytes >= 0x80 correctly.
These were being interpreted as signed chars, and thus printed as "ffffff80" etc.

Remove some unused variables.
Since we have to compile with -Wno-unused-variables, we don't spot unused variables in code. I found these by compiling the code in Ubuntu.

Add scripts to EXTRA_DIST.

hivex: example6: Don't double backslashes.

hivex: example6: Hypothetical addition of keys for viostor.

hivex: Fix handling of inline VKs.

hivexsh: Set correct type for 'expandstring' values.

hivex: Documentation and cleanups.

hivex: Make limits into macros.

hivexsh: Remove unused variable.
This removes an unused variable left over by commit ab608f3948d903af64e814b2e67949a1a71d93a4.

hivex: Complete the implementation of adding child nodes.

hivex: More debugging around nk 'unknown2' field.

hivex: Check hash fields in lf/lh records.

hivexsh: del command: Fix error message.

hivexsh: lsval: Remove stray quotation mark.

hivexsh: cd command: fix error handling
The error behaviour of hivex_node_get_child is subtle, so the 'cd' command wouldn't always report errors correctly. This fixes it.

hivex: allocate_block should update valid block bitmap.
The internal allocate_block() function wasn't updating the bitmap, so if you revisited a block which you had allocated in the same session, you could get an EFAULT error.

hivex: More debug messages.

hivex: Documentation update.
ntreg_lf_record can have id "lf" (old-style hashes) or "lh" (new-style hashes).

hivex: Some missing le32toh endianness conversions.

hivexsh: Document some peculiarities of the "cd" command.

hivex: Implement deleting child nodes.

hivex: Add flags argument to internal get_children() function.
When we later call get_children to visit the intermediate ri/lf/lh records, we have already deleted the subkey nk-records, so checking that those nk-records are still valid is not very helpful. This commit adds a flag to turn these checks off.

hivex: Don't die on valid registries which have bad declared data lengths.
Some apparently valid registries contain value data length declarations which exceed the allocated block size for the value.
Previously the code would return EFAULT for such registries.
However since these appear to be otherwise valid registries, turn this into a warning and just use the allocated block size as the data length (in other words, truncate the value).

hivex: Minimal registry example.
This is the smallest registry you can make and still have it load correctly in Windows regedit.

hivexsh: Add 'setval' and 'commit' commands.
This adds the 'setval' and 'commit' commands to the hivex shell.
Also adds some example scripts showing use of these.

hivex: Begin implementation of writing to hives.
This implements hivex_node_set_values which is used to delete the (key, value) pairs at a node and optionally replace them with a new set.
This also implements hivex_commit which is used to commit changes to hives back to disk.

hivex: Add HIVEX_OPEN_WRITE flag to allow hive to be opened for writing.
If this flag is omitted (as in the case for all existing callers) then the hive is still opened read-only.
We add a 'writable' flag to the hive handle, and we change the way that the hive file (data) is stored. The data is still mmapped if the file is opened read-only, since that is more efficient and allows us to handle larger hives. However if we need to write to the file then we have to read it all into memory, since if we had to extend the file we need to realloc that data.
Note the manpage section L comes in a later commit.

Tools for analyzing and reverse engineering hive files.
This commit is not of general interest. It contains the tools which I used to reverse engineer the hive format and to test changes. Keeping these with the rest of the code is useful in case in future we encounter a hive file that we fail to modify.
Note that the tools are not compiled by default. You have to compile each explicitly with:
  make -C hivex/tools .opt
You will also need ocaml-extlib-devel and ocaml-bitstring-devel.

hivexsh: Change some exit(1) -> exit(EXIT_FAILURE)

hivexsh: Only print final \n when interactive.
When hivexsh was called non-interactively, it would print an annoying extra line. Only print this line if we are being used interactively.

hivexsh: Change handling of prompt argument to rl_gets()
Make the result of isatty into a global variable (is_tty).
Change the rl_gets() function so it takes the prompt string instead of a "display prompt?" flag. rl_gets() then consults the global to find out if it should display the prompt at all.

Document that this flag is clear for default keys.

Misc documentation and gitignore update.

Move htole*/le*toh macros into a separate header file.
This allows us to reuse these macros in hivexsh later.

hivex: Reimplement hivexget as a simple shell script.
hivexget is currently a large C program. Now that we have hivexsh (the shell) we can reimplement hivexget as a simple bash script that calls out to hivexsh.

hivex: Add 'hivexsh' program (shell for navigating registry hives).

Set locale in C programs so l10n works (RHBZ#559962).
This commit adds the calls to setlocale &c to all of the current C programs. It also adds l10n support to hivexget and hivexml which lacked them previously.
To test this, try:
  LANG=pa_IN.UTF-8 guestfish --cmd-help
(You can only do this test after installing the package, or at least the 'pa.mo' mo-file in the correct place).

hivex: Const-correctness fix on header_checksum (thanks Jim Meyering).

hivex: Update some previously unknown nk-record fields.
Update these fields with what we found out from reverse engineering the file. Also bring the unknownX field names into line with visualizer.ml.

hivex: Fix calculation of block size for vk data blocks.

hivex: Display incorrect block size as unsigned in an error message.

hivex: display bad block offset in hex

hivex: hive type in vk-record is an unsigned 32 bit int

hivex: Add missing le32toh conversion around field access.
This was missing. It only worked because we test on a little endian platform.

hivex: Clarify some more fields.
Taken from sentinelchicken.com documentation.

hivex: Modify children/values functions to return intermediate blocks.
Modify the functions that return child subnodes and values so they can also be used to return a list of the intermediate blocks. This is so we can delete those intermediate blocks (in a later commit).
We also introduce an offset_list structure which is used for collecting lists of offsets, ie. lists of nodes, values or blocks.
Note that this commit should not change the semantics of the code.

hivex: Add value_any callback to the visitor.
The visitor currently contains lots of value_* callbacks, such as value_string which is called back when the value has type string. This is fine but it makes it complicated to deal with the case where you just want to see 'a value', and don't care about its type. The value_any callback allows visitors to see values generically.

hivex: Move header checksum code into a function.
This function can be reused later.

hivex: page 'offset_next' field is really 'page_size'.
The documentation, as usual, is contradictory. However this field is definitely the page size in all observed registries. Furthermore the following field marked 'unknown' is always zero, although this contradicts what the sentinelchicken.com paper says.

hivex: Collect more statistics about registries.

hivex: Store filename in hive handle.

hivex: Various improvements in header parsing, thanks to better documentation.

hivex: Print header fields.

Print all offsets in hex (in debug output).

hivex: Reenable checksum calculations, but don't check result.

hivex: Update documentation.

hivex: Send all debug messages to stderr.

hivex: Remove stray debugging message.

hivex: Documentation: Add environment variables section.

hivex: Whitespace change.

hivex: Move STR* macros into C file.
Don't pollute the public header file with these macros.

hivex: Small updates to the documentation.

2010-02-19 Jim Meyering

maint: use EXIT_* symbol (not constant, 2) to indicate key/path not found
* hivex/hivexget.c (EXIT_NOT_FOUND): Define.
(main): Use exit (EXIT_NOT_FOUND), not "exit (2)".

maint: use EXIT_SUCCESS and EXIT_FAILURE, not 0 and 1 to exit
Convert all uses automatically, via these two commands: git grep -l '\".

2010-02-19 Jim Meyering

hivex: fail upon integer overflow
* hivex/hivex.c (windows_utf16_to_utf8): Avoid overflow and a potential infloop.

2010-02-19 Richard Jones

hivex: Check unchecked calloc (Jim Meyering).

Add HTML documentation to website.

Fix misspelling in previous commit.

RHEL 5: Also add le{16,64}toh functions

RHEL 5: Detect endianness functions and supply them.

Prepare for version 1.0.75.

Support for Windows Registry.
In hivex/: This mini-library allows us to extract Windows Registry binary files ("hives"). There are also two tools:
hivexml converts a hive to a self-describing XML format.
hivexget can be used to extract single subkeys from a hive.