[Libguestfs] [PATCH] Add read support for "big data" blocks to hivex

Hilko Bengen bengen at hilluzination.de
Mon Jun 24 09:49:01 UTC 2013


I think I ought to add some notes that should go into the commit
message:

For "big data" values, the data is split into multiple blocks.
References to these sub-blocks are kept in a list whose structure seems
to be identical to a value list.

A "db" record contains information on the number of sub-blocks and a
pointer to the list. It is referenced by the vk record.

I came across this when comparing the contents of HKLM\SOFTWARE hives
from Windows 7 systems and finding that hivex_value_value would only give
me identical first 12 bytes for certain records though the data size had
changed. If one runs hivexsh with debug messages enabled, it gives a
warning when listing these values, for example:

SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate> lsval
[...]
hivex_value_value: warning: declared data length is longer than the block it is in (data 0x28b9b60, data len 115347, block len 16)
"EncodedCtl"=hex(3):64,62,08,00,70,8b,8b,02,00,b2,00,00

Cheers,
-Hilko
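The structure the mail describes (a "db" record holding a sub-block count and a pointer to an offset list shaped like a value list, with the value data spread over the listed sub-blocks) can be exercised on a synthetic buffer. The example below is added here and is not hivex's code or part of the patch. It assumes the regf convention that stored cell offsets are relative to file offset 0x1000, that a cell starts with a signed 32-bit length (negative when in use), and that each sub-block contributes a fixed number of data bytes, which the mail does not state and which is therefore taken as a parameter (`block_data_size`). The field order of the db payload is read off the mail's hex dump: the 12 bytes `64,62,08,00,70,8b,8b,02,00,b2,00,00` that `lsval` printed are the db record itself, which is why a reader that does not follow it sees only 12 unchanged bytes out of a value declared as 115347.

```python
import struct

# Assumed regf convention: offsets stored in records are relative to file
# offset 0x1000, where the first hbin begins.
HBIN_BASE = 0x1000

# 12-byte db payload after the 4-byte cell length, as read off the mail's dump:
# "db", uint16 nr_blocks, uint32 blocklist_offset, uint32 unknown.
DB_HEADER = struct.Struct("<2sHII")


def decode_db_header(payload: bytes):
    """Return (nr_blocks, blocklist_offset) from a db record payload."""
    if len(payload) < DB_HEADER.size:
        raise ValueError("db record too short: %d bytes" % len(payload))
    sig, nr_blocks, list_off, _unknown = DB_HEADER.unpack_from(payload, 0)
    if sig != b"db":
        raise ValueError("not a db record: %r" % sig)
    return nr_blocks, list_off


def cell_payload(buf: bytes, rel_off: int) -> bytes:
    """Return the payload of the in-use cell at HBIN_BASE + rel_off, bounds-checked."""
    abs_off = HBIN_BASE + rel_off
    if abs_off < 0 or abs_off + 4 > len(buf):
        raise ValueError("cell offset 0x%x outside hive" % abs_off)
    seg_len = struct.unpack_from("<i", buf, abs_off)[0]
    if seg_len >= 0:
        raise ValueError("cell at 0x%x is not in use" % abs_off)
    size = -seg_len
    if size < 4 or abs_off + size > len(buf):
        raise ValueError("cell at 0x%x has bad length %d" % (abs_off, size))
    return buf[abs_off + 4 : abs_off + size]


def read_big_data(buf: bytes, db_off: int, declared_len: int, block_data_size: int) -> bytes:
    """Reassemble a big data value: db record -> block list -> sub-blocks."""
    nr_blocks, list_off = decode_db_header(cell_payload(buf, db_off))
    blist = cell_payload(buf, list_off)
    if len(blist) < 4 * nr_blocks:
        raise ValueError("block list holds fewer than %d offsets" % nr_blocks)
    offsets = struct.unpack_from("<%dI" % nr_blocks, blist, 0)
    out = bytearray()
    for off in offsets:
        remaining = declared_len - len(out)
        if remaining == 0:
            break
        chunk = cell_payload(buf, off)
        take = min(block_data_size, remaining)
        if len(chunk) < take:
            raise ValueError("sub-block at 0x%x has %d bytes, need %d" % (HBIN_BASE + off, len(chunk), take))
        out += chunk[:take]
    if len(out) != declared_len:
        raise ValueError("declared length %d but only %d bytes in %d sub-blocks" % (declared_len, len(out), nr_blocks))
    return bytes(out)


def _cell(payload: bytes) -> bytes:
    """Constructed in-use cell: negative length, payload, padded to 8 bytes."""
    size = 4 + len(payload)
    pad = (-size) % 8
    return struct.pack("<i", -(size + pad)) + payload + b"\0" * pad


def build_sample_hive(payload: bytes, block_data_size: int):
    """Constructed buffer: zero header, sub-blocks, block list, db record. Returns (buf, db_off)."""
    buf = bytearray(HBIN_BASE)  # stand-in for the regf header

    def append(cell: bytes) -> int:
        rel = len(buf) - HBIN_BASE
        buf.extend(cell)
        return rel

    block_offs = [append(_cell(payload[i : i + block_data_size]))
                  for i in range(0, len(payload), block_data_size)]
    list_off = append(_cell(struct.pack("<%dI" % len(block_offs), *block_offs)))
    db_off = append(_cell(DB_HEADER.pack(b"db", len(block_offs), list_off, 0)))
    return bytes(buf), db_off


if __name__ == "__main__":
    # The 12 bytes hivexsh printed for "EncodedCtl" in the mail.
    nr, lst = decode_db_header(bytes.fromhex("646208 00708b8b0200b20000".replace(" ", "")))
    print("nr_blocks=%d blocklist at file offset 0x%x" % (nr, HBIN_BASE + lst))
    data = bytes(range(100))
    buf, db_off = build_sample_hive(data, 16)
    print(read_big_data(buf, db_off, len(data), 16) == data)
```

Decoding the mail's dump gives 8 sub-blocks and a block list at relative offset 0x028b8b70, which under the assumed 0x1000 base is file offset 0x028b9b70: 16 bytes past the db cell at 0x28b9b60 that the warning names, consistent with the "block len 16" it reports. The reader refuses offsets outside the buffer, cells not marked in use, block lists shorter than the announced count, and declared lengths the sub-blocks cannot satisfy, which are the checks a consumer of untrusted hive files needs before trusting any of these pointers.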