Changeset 151 for trunk/include
- Timestamp:
- 03/04/09 16:14:09 (16 years ago)
- File:
-
- 1 edited
trunk/include/regfi.h
r150 r151 95 95 #define REGFI_REGF_SIZE 0x1000 /* "regf" header block size */ 96 96 #define REGFI_REGF_MAGIC_SIZE 4 97 #define REGFI_REGF_NAME_SIZE 64 98 99 #define REGFI_REGF_RESERVED1_SIZE 340 100 #define REGFI_REGF_RESERVED2_SIZE 3528 101 97 102 #define REGFI_HBIN_MAGIC_SIZE 4 98 103 #define REGFI_CELL_MAGIC_SIZE 2 … … 337 342 /********************************/ 338 343 uint8 magic[REGFI_REGF_MAGIC_SIZE];/* "regf" */ 344 345 /* These sequence numbers should match if 346 * the hive was properly synced to disk. 347 */ 348 uint32 sequence1; 349 uint32 sequence2; 350 339 351 NTTIME mtime; 340 uint32 data_offset; /* offset to record in the first (or any?) 341 * hbin block 342 */ 343 uint32 last_block; /* offset to last hbin block in file */ 344 345 uint32 checksum; /* Stored checksum. */ 346 uint32 computed_checksum; /* Our own calculation of the checksum. 347 * (XOR of bytes 0x0000 - 0x01FB) 348 */ 349 350 /* XXX: Some of these we have some clues about (major/minor version, etc). 351 * Should verify and update names accordingly. 352 */ 353 /* unknown data structure values */ 354 uint32 unknown1; 355 uint32 unknown2; 356 uint32 unknown3; 357 uint32 unknown4; 358 uint32 unknown5; 359 uint32 unknown6; 360 uint32 unknown7; 352 uint32 major_version; /* XXX: Unverified. Set to 1 in all known hives */ 353 uint32 minor_version; /* XXX: Unverified. Set to 3 or 5 in all known hives */ 354 uint32 type; /* XXX: Unverified. Set to 0 in all known hives */ 355 uint32 format; /* XXX: Unverified. Set to 1 in all known hives */ 356 357 uint32 root_cell; /* Offset to root cell in the first (or any?) hbin block */ 358 uint32 last_block; /* Offset to last hbin block in file 359 * (or length of file minus header?) */ 360 361 uint32 cluster; /* XXX: Unverified. Set to 1 in all known hives */ 362 363 /* Matches hive's base file name. Stored in UTF-16LE */ 364 uint8 file_name[REGFI_REGF_NAME_SIZE]; 365 366 WINSEC_UUID* rm_id; /* XXX: Unverified. 
*/ 367 WINSEC_UUID* log_id; /* XXX: Unverified. */ 368 WINSEC_UUID* tm_id; /* XXX: Unverified. */ 369 uint32 flags; /* XXX: Unverified. */ 370 uint32 guid_signature; /* XXX: Unverified. */ 371 372 uint32 checksum; /* Stored checksum from file */ 373 uint32 computed_checksum; /* Our own calculation of the checksum. 374 * (XOR of bytes 0x0000 - 0x01FB) */ 375 376 WINSEC_UUID* thaw_tm_id; /* XXX: Unverified. */ 377 WINSEC_UUID* thaw_rm_id; /* XXX: Unverified. */ 378 WINSEC_UUID* thaw_log_id; /* XXX: Unverified. */ 379 uint32 boot_type; /* XXX: Unverified. */ 380 uint32 boot_recover; /* XXX: Unverified. */ 381 382 /* This seems to include random junk. Possibly unsanitized memory left over 383 * from when header block was written. For instance, chunks of nk records 384 * can be found, though often it's all 0s. */ 385 uint8 reserved1[REGFI_REGF_RESERVED1_SIZE]; 386 387 /* This is likely reserved and unusued currently. (Should be all 0s.) 388 * Included here for easier access in looking for hidden data 389 * or doing research. */ 390 uint8 reserved2[REGFI_REGF_RESERVED2_SIZE]; 391 361 392 } REGFI_FILE; 362 393 … … 367 398 * whole keys. 368 399 */ 369 typedef struct 400 typedef struct _regfi_iterator 370 401 { 371 402 REGFI_FILE* f; … … 377 408 378 409 379 typedef struct 410 typedef struct _regfi_iter_position 380 411 { 381 412 REGFI_NK_REC* nk; … … 385 416 */ 386 417 } REGFI_ITER_POSITION; 418 419 420 typedef struct _regfi_buffer 421 { 422 uint8* buf; 423 uint32_t len; 424 } REGFI_BUFFER; 387 425 388 426 … … 478 516 uint32 max_size, bool strict); 479 517 480 uint8*regfi_parse_data(REGFI_FILE* file,518 REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, 481 519 uint32 data_type, uint32 offset, 482 520 uint32 length, uint32 max_size,
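Review bot: The new `REGFI_BUFFER` returned by `regfi_parse_data` (new lines 420-424 and 518) carries no contract for who owns `buf` or how a failed parse is reported (NULL `buf`, zero `len`, or both), and since the bytes come from a hive file that may be attacker-supplied every caller must know what to check before indexing into `buf`. I would document it on the struct: `/* Result of a data parse. buf is heap-allocated and owned by the caller; on failure buf is NULL and len is 0 -- TODO(review): confirm against the regfi_parse_data implementation. */`. The struct also mixes `uint32_t len` with the `uint32` typedef used for every other field in this header; one spelling should be chosen. Separately, `file_name[REGFI_REGF_NAME_SIZE]` is described as UTF-16LE but nothing in the header guarantees a terminator within the 64 raw bytes, so a note such as `/* Not guaranteed NUL-terminated; bound all reads by REGFI_REGF_NAME_SIZE. */` would head off an over-read in consumers. The definition of regfi_parse_data is outside this hunk.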