[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Libguestfs] [PATCH 4/13] hivex: page 'offset_next' field is really 'page_size'.



-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
>From 9bfb450519680670125ac1af78d85d77aa8b8708 Mon Sep 17 00:00:00 2001
From: Richard Jones <rjones redhat com>
Date: Mon, 18 Jan 2010 15:24:16 +0000
Subject: [PATCH 04/13] hivex: page 'offset_next' field is really 'page_size'.

The documentation, as usual, is contradictory.  However this
field is definitely the page size in all observed registries.
Furthermore the following field marked 'unknown' is always
zero, although this contradicts what the sentinelchicken.com
paper says.
---
 hivex/hivex.c |   16 ++++++++--------
 1 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/hivex/hivex.c b/hivex/hivex.c
index 365f328..cb6c772 100644
--- a/hivex/hivex.c
+++ b/hivex/hivex.c
@@ -168,7 +168,7 @@ struct ntreg_header {
 struct ntreg_hbin_page {
   char magic[4];                /* "hbin" */
   uint32_t offset_first;        /* offset from 1st block */
-  uint32_t offset_next;         /* offset of next (relative to this) */
+  uint32_t page_size;           /* size of this page (multiple of 4KB) */
   char unknown[20];
   /* Linked list of blocks follows here. */
 } __attribute__((__packed__));
@@ -403,7 +403,7 @@ hivex_open (const char *filename, int flags)
    */
   size_t off;
   struct ntreg_hbin_page *page;
-  for (off = 0x1000; off < h->size; off += le32toh (page->offset_next)) {
+  for (off = 0x1000; off < h->size; off += le32toh (page->page_size)) {
     if (off >= h->endpages)
       break;
 
@@ -418,17 +418,17 @@ hivex_open (const char *filename, int flags)
       goto error;
     }
 
-    size_t page_size = le32toh (page->offset_next);
+    size_t page_size = le32toh (page->page_size);
     if (h->msglvl >= 2)
       fprintf (stderr, "hivex_open: page at 0x%zx, size %zu\n", off, page_size);
     pages++;
     if (page_size < smallest_page) smallest_page = page_size;
     if (page_size > largest_page) largest_page = page_size;
 
-    if (le32toh (page->offset_next) <= sizeof (struct ntreg_hbin_page) ||
-        (le32toh (page->offset_next) & 3) != 0) {
-      fprintf (stderr, "hivex: %s: pagesize %d at %zu, bad registry\n",
-               filename, le32toh (page->offset_next), off);
+    if (page_size <= sizeof (struct ntreg_hbin_page) ||
+        (page_size & 0x0fff) != 0) {
+      fprintf (stderr, "hivex: %s: page size %zu at 0x%zx, bad registry\n",
+               filename, page_size, off);
       errno = ENOTSUP;
       goto error;
     }
@@ -438,7 +438,7 @@ hivex_open (const char *filename, int flags)
     struct ntreg_hbin_block *block;
     size_t seg_len;
     for (blkoff = off + 0x20;
-         blkoff < off + le32toh (page->offset_next);
+         blkoff < off + page_size;
          blkoff += seg_len) {
       blocks++;
 
-- 
1.6.5.2


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]