[Libguestfs] [PATCH] hivex: Add byte runs for nodes and values
Richard W.M. Jones
rjones at redhat.com
Thu Sep 1 21:25:48 UTC 2011
On Wed, Aug 31, 2011 at 04:34:30PM -0700, Alex Nelson wrote:
> This patch adds byte run reporters for node and value metadata in the
> hivexml program. Each byte run represents the offset and length of a
> data structure within the hive, one per node, and one or two per value
> depending on the length of the value data. In order to add this
> metadata reporting, the following changes were put in place:
Yes, in principle, but I need to study the patch in more detail.
I think this patch would be better (and much easier to review) if
split up into a patch series. See this patch series which added a
comparable set of API changes to the libguestfs API:
https://www.redhat.com/archives/libguestfs/2011-July/thread.html#00030
Out of interest, why do forensics people care about these file
offsets?
Also, can registry keys contain \0 bytes? It seems the value_key_len
function is unnecessary if they don't (since it would always return
the same as strlen).
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
More information about the Libguestfs
mailing list