|
regfi
|
|
regfi
|
Functions | |
| REGFI_NK * | regfi_parse_nk (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
| Parses an NK record at the specified offset. | |
| REGFI_SUBKEY_LIST * | regfi_parse_subkeylist (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
| Parses a single cell containing a subkey-list record. | |
| REGFI_VK * | regfi_parse_vk (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
| Parses a VK (value) record at the specified offset. | |
| REGFI_SK * | regfi_parse_sk (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
| Parses an SK (security) record at the specified offset. | |
| range_list * | regfi_parse_unalloc_cells (REGFI_FILE *file) |
| Retrieves information on all cells in the registry hive which are currently in the unallocated status. | |
| bool | regfi_parse_cell (REGFI_RAW_FILE *file_cb, uint32_t offset, uint8_t *hdr, uint32_t hdr_len, uint32_t *cell_length, bool *unalloc) |
| Helper function to parse a cell. | |
| uint8_t * | regfi_parse_classname (REGFI_FILE *file, uint32_t offset, uint16_t *name_length, uint32_t max_size, bool strict) |
| Parses a classname cell. | |
| REGFI_BUFFER | regfi_parse_data (REGFI_FILE *file, uint32_t offset, uint32_t length, bool strict) |
| Parses a single-cell data record. | |
| REGFI_BUFFER | regfi_parse_little_data (REGFI_FILE *file, uint32_t voffset, uint32_t length, bool strict) |
| Parses a "little data" record which is stored entirely within the provided virtual offset. | |
| REGFI_NK* regfi_parse_nk | ( | REGFI_FILE * | file, |
| uint32_t | offset, | ||
| uint32_t | max_size, | ||
| bool | strict | ||
| ) |
Parses an NK record at the specified offset.
| file | the registry file structure |
| offset | the offset of the cell (not the record) to be parsed. |
| max_size | the maximum size the NK cell could be. (for validation) |
| strict | if true, rejects any malformed records. Otherwise, tries to minimally validate integrity. |
References REGFI_NK::cell_size, REGFI_NK::classname_length, REGFI_NK::classname_off, REGFI_NK::flags, REGFI_NK::magic, REGFI_NK::mtime, REGFI_NK::name, REGFI_NK::name_length, REGFI_NK::name_raw, REGFI_NK::num_subkeys, REGFI_NK::num_values, REGFI_NK::offset, REGFI_NK::parent_off, regfi_parse_cell(), REGFI_NK::sk_off, REGFI_NK::subkeys, REGFI_NK::subkeys_off, REGFI_NK::values, and REGFI_NK::values_off.
Referenced by regfi_load_key().
| REGFI_SUBKEY_LIST* regfi_parse_subkeylist | ( | REGFI_FILE * | file, |
| uint32_t | offset, | ||
| uint32_t | max_size, | ||
| bool | strict | ||
| ) |
Parses a single cell containing a subkey-list record.
XXX: finish documenting
References regfi_parse_cell().
| REGFI_VK* regfi_parse_vk | ( | REGFI_FILE * | file, |
| uint32_t | offset, | ||
| uint32_t | max_size, | ||
| bool | strict | ||
| ) |
Parses a VK (value) record at the specified offset.
XXX: finish documenting
References REGFI_VK::cell_size, REGFI_VK::data_in_offset, REGFI_VK::data_off, REGFI_VK::data_size, REGFI_VK::flags, REGFI_VK::magic, REGFI_VK::name, REGFI_VK::name_length, REGFI_VK::name_raw, REGFI_VK::offset, regfi_parse_cell(), and REGFI_VK::type.
Referenced by regfi_load_value().
| REGFI_SK* regfi_parse_sk | ( | REGFI_FILE * | file, |
| uint32_t | offset, | ||
| uint32_t | max_size, | ||
| bool | strict | ||
| ) |
Parses an SK (security) record at the specified offset.
XXX: finish documenting
References REGFI_SK::cell_size, REGFI_SK::desc_size, REGFI_SK::magic, REGFI_SK::next_sk_off, REGFI_SK::offset, REGFI_SK::prev_sk_off, REGFI_SK::ref_count, regfi_parse_cell(), REGFI_SK::sec_desc, and winsec_parse_desc().
Referenced by regfi_load_sk().
| range_list* regfi_parse_unalloc_cells | ( | REGFI_FILE * | file | ) |
Retrieves information on all cells in the registry hive which are currently in the unallocated status.
The unallocated status is determined based soley on the cell length sign.
XXX: finish documenting
References REGFI_HBIN::block_size, REGFI_HBIN::file_off, range_list_add(), range_list_free(), range_list_get(), range_list_new(), range_list_size(), and regfi_parse_cell().
| bool regfi_parse_cell | ( | REGFI_RAW_FILE * | file_cb, |
| uint32_t | offset, | ||
| uint8_t * | hdr, | ||
| uint32_t | hdr_len, | ||
| uint32_t * | cell_length, | ||
| bool * | unalloc | ||
| ) |
Helper function to parse a cell.
XXX: finish documenting
Referenced by regfi_load_data(), regfi_parse_classname(), regfi_parse_nk(), regfi_parse_sk(), regfi_parse_subkeylist(), regfi_parse_unalloc_cells(), and regfi_parse_vk().
| uint8_t* regfi_parse_classname | ( | REGFI_FILE * | file, |
| uint32_t | offset, | ||
| uint16_t * | name_length, | ||
| uint32_t | max_size, | ||
| bool | strict | ||
| ) |
Parses a classname cell.
XXX: finish documenting
References regfi_parse_cell().
Referenced by regfi_fetch_classname().
| REGFI_BUFFER regfi_parse_data | ( | REGFI_FILE * | file, |
| uint32_t | offset, | ||
| uint32_t | length, | ||
| bool | strict | ||
| ) |
| REGFI_BUFFER regfi_parse_little_data | ( | REGFI_FILE * | file, |
| uint32_t | voffset, | ||
| uint32_t | length, | ||
| bool | strict | ||
| ) |
Parses a "little data" record which is stored entirely within the provided virtual offset.
XXX: finish documenting
Referenced by regfi_load_data().
1.7.4
