On Wed, Aug 31, 2011 at 04:34:30PM -0700, Alex Nelson wrote:
> This patch adds byte run reporters for node and value metadata in the
> hivexml program. Each byte run represents the offset and length of a
> data structure within the hive, one per node, and one or two per value
> depending on the length of the value data. In order to add this
> metadata reporting, the following changes were put in place:

Yes, in principle, but I need to study the patch in more detail.

I think this patch would be better (and much easier to review) if
split up into a patch series. See this patch series which added a
comparable set of API changes to the libguestfs API:

https://www.redhat.com/archives/libguestfs/2011-July/thread.html#00030

Out of interest, why do forensics people care about these file
offsets?

Also, can registry keys contain \0 bytes? It seems the value_key_len
function is unnecessary if they don't (since it would always return
the same as strlen).

Rich.

--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages.
http://libguestfs.org