|
regfi
|
|
regfi
|
Windows NT (and later) read-only registry library. More...
Go to the source code of this file.
Data Structures | |
| struct | REGFI_LOG |
| struct | REGFI_HBIN |
| HBIN block information. More... | |
| struct | REGFI_SUBKEY_LIST_ELEM |
| struct | REGFI_SUBKEY_LIST |
| Subkey-list structure. More... | |
| struct | REGFI_VALUE_LIST |
| Value-list structure. More... | |
| struct | REGFI_CLASSNAME |
| Class name structure (used in storing SysKeys) More... | |
| struct | REGFI_DATA |
| Data record structure. More... | |
| union | REGFI_DATA::_regfi_data_interpreted |
| These items represent interpreted versions of the REGFI_DATA::raw field. More... | |
| struct | REGFI_VK |
| Value structure. More... | |
| struct | REGFI_SK |
| Security structure. More... | |
| struct | REGFI_NK |
| Key structure. More... | |
| struct | REGFI_RAW_FILE |
| struct | REGFI_FILE |
| Registry hive file data structure. More... | |
| struct | REGFI_ITER_POSITION |
| struct | REGFI_ITERATOR |
| Registry hive iterator. More... | |
| struct | REGFI_BUFFER |
| General purpose buffer with stored length. More... | |
Functions | |
| const char * | regfi_version () |
| Returns the current regfi library version. | |
| REGFI_FILE * | regfi_alloc (int fd, REGFI_ENCODING output_encoding) |
| Parses file headers of an already open registry hive file and allocates related structures for further parsing. | |
| REGFI_FILE * | regfi_alloc_cb (REGFI_RAW_FILE *file_cb, REGFI_ENCODING output_encoding) |
| Parses file headers returned by supplied callback functions. | |
| void | regfi_free (REGFI_FILE *file) |
| Frees a hive's data structures without closing the underlying file. | |
| char * | regfi_log_get_str () |
| Get errors, warnings, and/or verbose information relating to processing of the given registry file. | |
| bool | regfi_log_set_mask (uint16_t mask) |
| Set the verbosity level of messages generated by the library for the current thread. | |
| const REGFI_NK * | regfi_get_rootkey (REGFI_FILE *file) |
| Fetches a hive's root key. | |
| void | regfi_free_record (REGFI_FILE *file, const void *record) |
| Frees a record previously returned by one of the API functions. | |
| const void * | regfi_reference_record (REGFI_FILE *file, const void *record) |
| Increments reference count on record. | |
| uint32_t | regfi_fetch_num_subkeys (const REGFI_NK *key) |
| Retrieves number of subkeys referenced by this key. | |
| uint32_t | regfi_fetch_num_values (const REGFI_NK *key) |
| Retrieves number of values referenced by this key. | |
| const REGFI_CLASSNAME * | regfi_fetch_classname (REGFI_FILE *file, const REGFI_NK *key) |
| Retrieves classname for a given key. | |
| const REGFI_SK * | regfi_fetch_sk (REGFI_FILE *file, const REGFI_NK *key) |
| Returns the SK (security) record referenced by the supplied key. | |
| const REGFI_SK * | regfi_next_sk (REGFI_FILE *file, const REGFI_SK *sk) |
| Returns the next SK (security) record referenced by the supplied SK record. | |
| const REGFI_SK * | regfi_prev_sk (REGFI_FILE *file, const REGFI_SK *sk) |
| Returns the previous SK (security) record referenced by the supplied SK record. | |
| const REGFI_DATA * | regfi_fetch_data (REGFI_FILE *file, const REGFI_VK *value) |
| Retrieves data for a given value. | |
| bool | regfi_find_subkey (REGFI_FILE *file, const REGFI_NK *key, const char *name, uint32_t *index) |
| Locates a specific subkey of a given key. | |
| bool | regfi_find_value (REGFI_FILE *file, const REGFI_NK *key, const char *name, uint32_t *index) |
| Locates a specific value of a given key. | |
| const REGFI_NK * | regfi_get_subkey (REGFI_FILE *file, const REGFI_NK *key, uint32_t index) |
| Retrieves a specific subkey of a given key. | |
| const REGFI_VK * | regfi_get_value (REGFI_FILE *file, const REGFI_NK *key, uint32_t index) |
| Retrieves a specific value of a given key. | |
| const REGFI_NK * | regfi_get_parentkey (REGFI_FILE *file, const REGFI_NK *key) |
| Uses a key's parent_off reference to retrieve it's parent. | |
| REGFI_ITERATOR * | regfi_iterator_new (REGFI_FILE *file) |
| Creates a new iterator for the provided registry file. | |
| void | regfi_iterator_free (REGFI_ITERATOR *i) |
| Frees a registry file iterator previously created by regfi_iterator_new. | |
| bool | regfi_iterator_down (REGFI_ITERATOR *i) |
| Traverse deeper into the registry tree at the current subkey. | |
| bool | regfi_iterator_up (REGFI_ITERATOR *i) |
| Traverse up to the current key's parent key. | |
| bool | regfi_iterator_to_root (REGFI_ITERATOR *i) |
| Traverse up to the root key of the hive. | |
| bool | regfi_iterator_descend (REGFI_ITERATOR *i, const char **path) |
| Traverse down multiple levels in the registry hive. | |
| const REGFI_NK * | regfi_iterator_cur_key (REGFI_ITERATOR *i) |
| Returns the currently referenced key. | |
| bool | regfi_iterator_first_subkey (REGFI_ITERATOR *i) |
| Sets the internal subkey index to the first subkey referenced by the current key. | |
| const REGFI_NK * | regfi_iterator_cur_subkey (REGFI_ITERATOR *i) |
| Returns the currently indexed subkey. | |
| bool | regfi_iterator_next_subkey (REGFI_ITERATOR *i) |
| Increments the internal subkey index to the next key in the subkey-list. | |
| bool | regfi_iterator_find_subkey (REGFI_ITERATOR *i, const char *name) |
| Searches for a subkey with a given name under the current key. | |
| bool | regfi_iterator_first_value (REGFI_ITERATOR *i) |
| Sets the internal value index to the first value referenced by the current key. | |
| const REGFI_VK * | regfi_iterator_cur_value (REGFI_ITERATOR *i) |
| Returns the currently indexed value. | |
| bool | regfi_iterator_next_value (REGFI_ITERATOR *i) |
| Increments the internal value index to the next value in the value-list. | |
| bool | regfi_iterator_find_value (REGFI_ITERATOR *i, const char *name) |
| Searches for a value with a given name under the current key. | |
| const REGFI_NK ** | regfi_iterator_ancestry (REGFI_ITERATOR *i) |
| Returns the current key and all parent keys as a list of NK records. | |
| REGFI_NK * | regfi_load_key (REGFI_FILE *file, uint32_t offset, bool strict) |
| Loads a key and associated data structures given a file offset. | |
| REGFI_VK * | regfi_load_value (REGFI_FILE *file, uint32_t offset, bool strict) |
| Loads a value at a given file offset alng with associated data structures. | |
| REGFI_SUBKEY_LIST * | regfi_load_subkeylist (REGFI_FILE *file, uint32_t offset, uint32_t num_keys, uint32_t max_size, bool strict) |
| Loads a logical subkey list in its entirety which may span multiple records. | |
| REGFI_VALUE_LIST * | regfi_load_valuelist (REGFI_FILE *file, uint32_t offset, uint32_t num_values, uint32_t max_size, bool strict) |
| Loads a valuelist. | |
| REGFI_BUFFER | regfi_load_data (REGFI_FILE *file, uint32_t voffset, uint32_t length, bool data_in_offset, bool strict) |
| Loads a data record which may be contained in the virtual offset, in a single cell, or in multiple cells through big data records. | |
| REGFI_BUFFER | regfi_load_big_data (REGFI_FILE *file, uint32_t offset, uint32_t data_length, uint32_t cell_length, range_list *used_ranges, bool strict) |
| Loads the data associated with a big data record at the specified offset. | |
| bool | regfi_interpret_data (REGFI_FILE *file, uint32_t type, REGFI_DATA *data) |
| Given raw data, attempts to interpret the data based on a specified registry data type. | |
| const REGFI_SK * | regfi_load_sk (REGFI_FILE *file, uint32_t offset, bool strict) |
| Loads an "sk" security record at the specified offset. | |
| const REGFI_HBIN * | regfi_lookup_hbin (REGFI_FILE *file, uint32_t offset) |
| Retrieves the HBIN data structure stored at the specified offset. | |
| REGFI_NK * | regfi_parse_nk (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
| Parses an NK record at the specified offset. | |
| REGFI_SUBKEY_LIST * | regfi_parse_subkeylist (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
| Parses a single cell containing a subkey-list record. | |
| REGFI_VK * | regfi_parse_vk (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
| Parses a VK (value) record at the specified offset. | |
| REGFI_SK * | regfi_parse_sk (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
| Parses an SK (security) record at the specified offset. | |
| range_list * | regfi_parse_unalloc_cells (REGFI_FILE *file) |
| Retrieves information on all cells in the registry hive which are currently in the unallocated status. | |
| bool | regfi_parse_cell (REGFI_RAW_FILE *file_cb, uint32_t offset, uint8_t *hdr, uint32_t hdr_len, uint32_t *cell_length, bool *unalloc) |
| Helper function to parse a cell. | |
| uint8_t * | regfi_parse_classname (REGFI_FILE *file, uint32_t offset, uint16_t *name_length, uint32_t max_size, bool strict) |
| Parses a classname cell. | |
| REGFI_BUFFER | regfi_parse_data (REGFI_FILE *file, uint32_t offset, uint32_t length, bool strict) |
| Parses a single-cell data record. | |
| REGFI_BUFFER | regfi_parse_little_data (REGFI_FILE *file, uint32_t voffset, uint32_t length, bool strict) |
| Parses a "little data" record which is stored entirely within the provided virtual offset. | |
Windows NT (and later) read-only registry library.
This library is intended for use in digital forensics investigations, but is likely useful in other applications.
Branched from Samba project Subversion repository, version #6903: http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/include/regfio.h?rev=6903&view=auto
Since then, it has been heavily rewritten, simplified, and improved.
1.7.4
