[Libguestfs] Hivex - Trailing garbage at the end of hive file

Richard W.M. Jones rjones at redhat.com
Wed Oct 9 09:22:08 UTC 2013


On Tue, Oct 08, 2013 at 11:16:05PM +0000, Subramanian, Hari wrote:
> Hi Rich,
> 
> I'm still working on validating whether the trailing zeroes were
> introduced by hivex or by Windows (though I highly doubt it's hivex). But
> since it's part of a more complex workflow which is not that easy to
> modify, it's still a work in progress.
> 
> In the meanwhile, I wanted to be sure that ignoring the condition when
> hivex saw these trailing zeroes was the right solution. I applied the
> following patch to hivex. Not sure if this is what you had in mind.
> 
> [ec2-user at ip-10-66-218-126 hivex-1.3.8]$ diff handle.c handle-mod.c
> 222,226c222,223
> < SET_ERRNO (ENOTSUP,
> < "%s: trailing garbage at end of file "
> < "(at 0x%zx, after %zu pages)",
> < filename, off, pages);
> < goto error;
> ---
> > printf("hivex: %s: trailing garbage at end of file (at 0x%zx, after %zu
> >pages)\n", filename, off, pages);
> > break;
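
Review bot: the "break" on the replacement side accepts whatever follows the last page, not only the trailing zeroes described above. Before ignoring the tail, check that every byte from "off" to the end of the file is zero, and keep the original SET_ERRNO (ENOTSUP, ...) / "goto error" path for anything else, so that real corruption is still rejected. The message is also written with printf to stdout, which library code should not do; send it to stderr or a debug channel instead.
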
> 
> 
> I wanted to understand the behavior of hivex when we wrote to the end of
> the hive file (added a new entry under ControlSet001\services). When I do
> that I get the following error:
> 
> badsys-1-win-add-reg\ControlSet001\services> ls
> hivex: _hivex_get_children: returning EFAULT because: subkey_lf is not a
> valid block (0x780020)
> ls: Bad address

This is not a good sign at all.  It indicates a corrupt hive because a
pointer in the hive points (probably) beyond the end of the hive.  I
would guess the hive has been truncated.

> Obviously the add/modify was not successful. But regedit parsed the hive
> successfully.

Depending on how you used Windows regedit, it might not visit the
corrupted part of the hive, or it might just ignore the corruption.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
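
The two conditions discussed in this message (data after the last page, and a block pointer that lands beyond the pages) can be checked directly on a hive file. The Python below is an added example, not hivex code and not part of the original message; it assumes the standard regf layout (4 KiB header, then hbin pages with the page size at offset 8), does bounds checking only, and its function names and sample hives are constructed for illustration.

```python
import struct

HEADER_SIZE = 0x1000  # the regf header fills the first 4 KiB; hbin pages follow


def scan_hive(data):
    """Walk the hbin pages and describe whatever lies after the last good one."""
    if len(data) < HEADER_SIZE or data[:4] != b"regf":
        raise ValueError("not a registry hive (no regf header)")
    off, pages = HEADER_SIZE, 0
    while off + 32 <= len(data) and data[off:off + 4] == b"hbin":
        (page_size,) = struct.unpack_from("<I", data, off + 8)
        if page_size == 0 or page_size % 0x1000 or off + page_size > len(data):
            break  # malformed or cut-off page: stop here, do not trust it
        off += page_size
        pages += 1
    tail = data[off:]
    return {"pages": pages, "end_of_pages": off,
            "trailing_len": len(tail), "trailing_all_zero": not any(tail)}


def block_in_bounds(report, stored_offset):
    """Stored block offsets are relative to the first page (file offset 0x1000).
    A block starts with a 4-byte length, which must fit inside the pages."""
    return HEADER_SIZE + stored_offset + 4 <= report["end_of_pages"]


def build_hive(num_pages, trailing=b""):
    """Constructed sample: header plus empty 4 KiB pages (not a real hive)."""
    data = b"regf".ljust(HEADER_SIZE, b"\0")
    for i in range(num_pages):
        page = b"hbin" + struct.pack("<II", i * 0x1000, 0x1000)
        data += page.ljust(0x1000, b"\0")
    return data + trailing


if __name__ == "__main__":
    padded = scan_hive(build_hive(2, b"\0" * 512))   # zero padding after pages
    cut = scan_hive(build_hive(3)[:0x3800])          # last page cut in half
    for name, rep in (("padded", padded), ("truncated", cut)):
        print(name, rep)
    # A pointer into the lost page fails the bounds check on the truncated hive.
    print("0x2020 in bounds:", block_in_bounds(cut, 0x2020))
```

A tail that is all zero after a complete final page is padding; a tail that begins with another hbin signature, or a stored offset that fails the bounds check, points to truncation.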



