Changeset 101 for trunk/include/regfi.h


Ignore:
Timestamp:
03/28/08 20:46:37 (16 years ago)
Author:
tim
Message:

rewrote VK record and data cell parsing

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/include/regfi.h

    r99 r101  
    66 * Windows NT registry I/O library
    77 *
    8  * Copyright (C) 2005-2007 Timothy D. Morgan
     8 * Copyright (C) 2005-2008 Timothy D. Morgan
    99 * Copyright (C) 2005 Gerald (Jerry) Carter
    1010 *
     
    8484
    8585#define REGF_OFFSET_NONE        0xffffffff
    86 #define REGFI_NK_MIN_LENGTH     0x50
     86#define REGFI_NK_MIN_LENGTH     0x4C
     87#define REGFI_VK_MIN_LENGTH     0x14
    8788
    8889/* Flags for the vk records */
     
    9798#define NK_TYPE_NORMALKEY       0x0020
    9899#define NK_TYPE_ROOTKEY         0x002c
     100  /* TODO: Unknown type that shows up in Vista registries */
     101#define NK_TYPE_UNKNOWN1         0x1020
    99102
    100103#define HBIN_STORE_REF(x, y) { x->hbin = y; y->ref_count++ };
     
    152155typedef struct
    153156{
     157  uint32 offset;        /* Real offset of this record's cell in the file */
     158  uint32 cell_size;     /* ((start_offset - end_offset) & 0xfffffff8) */
     159
    154160  REGF_HBIN* hbin;      /* pointer to HBIN record (in memory) containing
    155161                         * this nk record
    156162                         */
     163  uint8* data;
     164  uint16 name_length;
    157165  char*  valuename;
    158   uint8* data;
    159166  uint32 hbin_off;      /* offset from beginning of this hbin block */
    160   uint32 cell_size;     /* ((start_offset - end_offset) & 0xfffffff8) */
    161   uint32 rec_off;       /* offset stored in the value list */
    162167 
    163168  uint32 data_size;
    164   uint32 data_off;
     169  uint32 data_off;      /* offset of data cell (virtual) */
    165170  uint32 type;
    166   uint8  header[REC_HDR_SIZE];
     171  uint8  magic[REC_HDR_SIZE];
    167172  uint16 flag;
     173  uint16 unknown1;
    168174} REGF_VK_REC;
    169175
     
    204210
    205211  /* link in the other records here */
    206   REGF_VK_REC* values;
     212  REGF_VK_REC** values;
    207213  REGF_SK_REC* sec_desc;
    208214  REGF_LF_REC subkeys;
     
    211217  /* XXX: should we be looking for types other than the root key type? */
    212218  uint16 key_type;     
    213   uint8  header[REC_HDR_SIZE];
     219  uint8  magic[REC_HDR_SIZE];
    214220  NTTIME mtime;
    215221  uint16 name_length;
     
    374380/****************/
    375381
     382REGF_VK_REC* regfi_parse_vk(REGF_FILE* file, uint32 offset,
     383                            uint32 max_size, bool strict);
     384uint8* regfi_parse_data(REGF_FILE* file, uint32 offset,
     385                        uint32 length, bool strict);
     386
    376387
    377388#endif  /* _REGFI_H */
Note: See TracChangeset for help on using the changeset viewer.