Hi Rich,
I'd be happy to split it into a series of patches. I understand; it's a lot to
review at once.
As one example of why the file offsets are important, it lets an analyst point at a
particular point in a file and say "There's where the string is, and here are the
parents, and note that it's (un)allocated." Registries, for example, appear to
copy allocated data whenever holes open up, so it's possible for a value to appear in
multiple places and overwrite things.
As another example, if somebody needs to analyze a subset of the registry, the offset
could give the person a starting point.
Registry keys can contain 0 bytes; when looking with a hex editor, I found that the
remaining space in a cell, if just a few bytes, is null-filled. However, if the name goes
right to the end of a cell, without room for a null, then there's no null byte and the
next cell just starts right next to the last character.
--Alex
On Sep 1, 2011, at 14:25, Richard W.M. Jones wrote:
On Wed, Aug 31, 2011 at 04:34:30PM -0700, Alex Nelson wrote:
> This patch adds byte run reporters for node and value metadata in the
> hivexml program. Each byte run represents the offset and length of a
> data structure within the hive, one per node, and one or two per value
> depending on the length of the value data. In order to add this
> metadata reporting, the following changes were put in place:
Yes, in principle, but I need to study the patch in more detail.
I think this patch would be better (and much easier to review) if
split up into a patch series. See this patch series which added a
comparable set of API changes to the libguestfs API:
https://www.redhat.com/archives/libguestfs/2011-July/thread.html#00030
Out of interest, why do forensics people care about these file
offsets?
Also, can registry keys contain \0 bytes? It seems the value_key_len
function is unnecessary if they don't (since it would always return
the same as strlen).
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages.
http://libguestfs.org
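The following is an added example, written for this page and not code from hivex, libguestfs, or either correspondent. It illustrates the cell layout Alex describes above (a name that fills its cell exactly has no terminating NUL, so the next cell's header follows the last character directly) and why a length function bounded by the cell, rather than strlen, is needed. The cell layout, the byte values, the `cell_name_run` and `naive_name_len` functions, and the `byte_run` struct are all assumptions constructed for this example; the real hivex nk/vk record layouts are richer than this.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified cell layout used only for this example (it is not
 * the real hivex nk/vk record layout):
 *   int32_t size;   little-endian; negative = allocated, positive = free;
 *                   |size| is the whole cell length, header included
 *   uint8_t name[]; from NAME_OFFSET to the end of the cell; NUL-padded only
 *                   when the cell has spare bytes, otherwise the next cell's
 *                   header follows the last character directly */
#define NAME_OFFSET 4

struct byte_run {
    int    ok;         /* 0 if the cell is out of bounds or malformed */
    size_t offset;     /* file offset of the name bytes */
    size_t length;     /* name length, bounded by the cell, not by a NUL */
    int    allocated;  /* 1 if the cell's size field is negative */
};

/* Constructed sample hive: three adjacent cells, 8 bytes each.
 *   0x00: allocated, name "ab" followed by two NUL pad bytes
 *   0x08: allocated, name "cdef" filling the cell, no NUL at all
 *   0x10: free,      name "gh" with NUL padding */
static const uint8_t sample_hive[] = {
    0xF8, 0xFF, 0xFF, 0xFF, 'a', 'b', 0x00, 0x00,
    0xF8, 0xFF, 0xFF, 0xFF, 'c', 'd', 'e', 'f',
    0x08, 0x00, 0x00, 0x00, 'g', 'h', 0x00, 0x00,
};
static const size_t sample_hive_len = sizeof sample_hive;

static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Locate the name inside the cell at cell_off and measure it without ever
 * reading past the cell: stop at the first NUL or at the cell boundary,
 * whichever comes first. Also reports the name's byte run and whether the
 * cell is allocated, which is what a forensic byte-run reporter wants. */
struct byte_run cell_name_run(const uint8_t *hive, size_t hive_len, size_t cell_off)
{
    struct byte_run run = {0, 0, 0, 0};
    if (cell_off > hive_len || hive_len - cell_off < NAME_OFFSET)
        return run;                              /* no room for a header */
    int32_t size = read_le32(hive + cell_off);
    size_t cell_len = (size_t)(size < 0 ? -(int64_t)size : size);
    if (cell_len < NAME_OFFSET || cell_len > hive_len - cell_off)
        return run;                              /* cell overruns the hive */
    size_t max_name = cell_len - NAME_OFFSET;
    const uint8_t *name = hive + cell_off + NAME_OFFSET;
    size_t len = 0;
    while (len < max_name && name[len] != 0)
        len++;
    run.ok = 1;
    run.offset = cell_off + NAME_OFFSET;
    run.length = len;
    run.allocated = size < 0;
    return run;
}

/* What a plain strlen reports for the same name: when the name fills its
 * cell there is no NUL, so strlen keeps reading into the neighbouring cell. */
size_t naive_name_len(const uint8_t *hive, size_t cell_off)
{
    return strlen((const char *)hive + cell_off + NAME_OFFSET);
}

int main(void)
{
    size_t offs[] = {0x00, 0x08, 0x10};
    for (size_t i = 0; i < 3; i++) {
        struct byte_run r = cell_name_run(sample_hive, sample_hive_len, offs[i]);
        printf("cell %#zx: name at %#zx len %zu (%s); strlen says %zu\n",
               offs[i], r.offset, r.length, r.allocated ? "allocated" : "free",
               naive_name_len(sample_hive, offs[i]));
    }
    return 0;
}
```

For the cell at 0x08 the bounded scan reports length 4, while strlen runs on through the next cell's 0x08 size byte and reports 5; a real hive with a name that ends flush against an unallocated cell full of stale data would give an even longer wrong answer, which is the case a cell-bounded length function exists to handle.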