[Libguestfs] [PATCH] hivex: Add byte runs for nodes and values

Alex Nelson ajnelson at cs.ucsc.edu
Thu Sep 1 21:33:26 UTC 2011


Hi Rich,

I'd be happy to split it into a series of patches.  I understand, it's a lot to review at once.

As one example of why the file offsets are important, it lets an analyst point at a particular point in a file and say "There's where the string is, and here are the parents, and note that it's (un)allocated."  Registries, for example, appear to copy allocated data whenever holes open up, so it's possible for a value to appear in multiple places and overwrite things.
As another example, if somebody needs to analyze a subset of the registry, the offset could give the person a starting point.

Registry keys can contain 0 bytes; when looking with a hex editor, I found that the remaining space in a cell, if just a few bytes, is null-filled.  However, if the name goes right to the end of a cell, without room for a null, then there's no null byte and the next cell just starts right next to the last character.

--Alex


On Sep 1, 2011, at 14:25 , Richard W.M. Jones wrote:

> On Wed, Aug 31, 2011 at 04:34:30PM -0700, Alex Nelson wrote:
>> This patch adds byte run reporters for node and value metadata in the
>> hivexml program.  Each byte run represents the offset and length of a
>> data structure within the hive, one per node, and one or two per value
>> depending on the length of the value data.  In order to add this
>> metadata reporting, the following changes were put in place:
> 
> Yes, in principle, but I need to study the patch in more detail.
> 
> I think this patch would be better (and much easier to review) if
> split up into a patch series.  See this patch series which added a
> comparable set of API changes to the libguestfs API:
> 
> https://www.redhat.com/archives/libguestfs/2011-July/thread.html#00030
> 
> Out of interest, why do forensics people care about these file
> offsets?
> 
> Also, can registry keys contain \0 bytes?  It seems the value_key_len
> function is unnecessary if they don't (since it would always return
> the same as strlen).
> 
> Rich.
> 
> -- 
> Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
> libguestfs lets you edit virtual machines.  Supports shell scripting,
> bindings from many languages.  http://libguestfs.org
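The two points in the exchange above, why a declared-length name function is needed instead of strlen, and what a byte run (offset plus length) buys an analyst, are easier to see on concrete bytes. The following is an added C example, not code from hivex or from the patch under discussion. It uses a constructed, deliberately simplified cell layout (a 2-byte cell size, a 2-byte declared name length, then the name and any leftover NUL padding), which is an assumption for illustration only and not the real hive format; the types and function names (`struct byte_run`, `cell_name_len`, `cell_name_strlen`, `cell_name_run`) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte run: file offset and length of one structure inside the hive.
 * Hypothetical type for this example; not the hivex API. */
struct byte_run {
    size_t offset;
    size_t length;
};

/* Constructed, simplified cell layout (NOT the real hive format):
 *   u16 cell_size (little-endian, includes this 4-byte header)
 *   u16 name_len  (declared length of the name in bytes)
 *   name bytes, then whatever is left of the cell (NUL-filled, if any) */
#define CELL_HDR 4

/* Constructed hive fragment holding three adjacent cells. */
static const uint8_t HIVE[] = {
    /* cell at 0: 12 bytes, name "a\0b" (3 bytes, embedded NUL), 5 bytes of NUL padding */
    0x0C, 0x00, 0x03, 0x00, 'a', 0x00, 'b', 0x00, 0x00, 0x00, 0x00, 0x00,
    /* cell at 12: 8 bytes, name "wxyz" fills the cell exactly, so no NUL follows it */
    0x08, 0x00, 0x04, 0x00, 'w', 'x', 'y', 'z',
    /* cell at 20: 6 bytes, name "hi" */
    0x06, 0x00, 0x02, 0x00, 'h', 'i',
};
static const size_t HIVE_SIZE = sizeof HIVE;

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Size of the cell at cell_off, or 0 if the header or the whole cell
 * would run past the end of the buffer. */
size_t cell_size_at(const uint8_t *hive, size_t hive_size, size_t cell_off)
{
    if (cell_off > hive_size || hive_size - cell_off < CELL_HDR)
        return 0;
    size_t size = rd16(hive + cell_off);
    if (size < CELL_HDR || size > hive_size - cell_off)
        return 0;
    return size;
}

/* Name length taken from the declared length field, clamped to the cell
 * so a corrupt field can never make a caller read into the next cell. */
size_t cell_name_len(const uint8_t *hive, size_t hive_size, size_t cell_off)
{
    size_t size = cell_size_at(hive, hive_size, cell_off);
    if (size == 0)
        return 0;
    size_t avail = size - CELL_HDR;
    size_t declared = rd16(hive + cell_off + 2);
    return declared <= avail ? declared : avail;
}

/* What a strlen()-style scan sees: it stops at the first NUL, so a name
 * with an embedded NUL is cut short.  The scan is bounded to the cell
 * here; an unbounded strlen() on the cell at offset 12 would walk
 * straight into the next cell's header because no NUL separates them. */
size_t cell_name_strlen(const uint8_t *hive, size_t hive_size, size_t cell_off)
{
    size_t size = cell_size_at(hive, hive_size, cell_off);
    if (size == 0)
        return 0;
    const uint8_t *name = hive + cell_off + CELL_HDR;
    size_t avail = size - CELL_HDR, n = 0;
    while (n < avail && name[n] != 0)
        n++;
    return n;
}

/* Byte run of the name data of the cell at cell_off (length 0 if invalid). */
struct byte_run cell_name_run(const uint8_t *hive, size_t hive_size, size_t cell_off)
{
    struct byte_run run = { cell_off + CELL_HDR, cell_name_len(hive, hive_size, cell_off) };
    return run;
}

int main(void)
{
    /* Walk the cells and report, for each, where its name bytes sit. */
    size_t off = 0, size;
    while ((size = cell_size_at(HIVE, HIVE_SIZE, off)) != 0) {
        struct byte_run run = cell_name_run(HIVE, HIVE_SIZE, off);
        printf("cell@%zu: name run offset=%zu length=%zu (strlen view: %zu)\n",
               off, run.offset, run.length,
               cell_name_strlen(HIVE, HIVE_SIZE, off));
        off += size;
    }
    return 0;
}
```

The first cell shows the embedded-NUL case (declared length 3, strlen view 1); the second shows a name ending flush against the next cell, where only the declared length and the cell boundary keep the read inside the cell. The `offset`/`length` pair returned for each name is exactly the kind of byte run an analyst can point at in a hex editor.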