Changeset 165
- Timestamp:
- 12/11/09 22:13:27 (15 years ago)
- Location:
- trunk
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/include/regfi.h
r162 r165 96 96 #define REG_KEY 0x7FFFFFFF 97 97 98 #define REGFI_OFFSET_NONE 0xffffffff 99 100 101 /* This maximum depth is described here: 102 * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx 103 */ 98 104 #define REGFI_MAX_DEPTH 512 99 #define REGFI_OFFSET_NONE 0xffffffff 100 101 /* XXX: This is totally arbitrary right now. */ 105 106 /* This limit defines the maximum number of levels deep that ri subkey list 107 * trees can go. 108 */ 109 /* XXX: This is totally arbitrary right now. 110 * The actual limit may need to be discovered by experimentation. 111 */ 102 112 #define REGFI_MAX_SUBKEY_DEPTH 255 113 103 114 104 115 /* Header sizes and magic number lengths for various records */ … … 475 486 476 487 477 /* XXX: Should move all caching (SK records, HBINs, NKs, etc) to a single478 * structure, probably REGFI_FILE. Once key caching is in place,479 * convert key_positions stack to store just key offsets rather than480 * whole keys.481 */482 488 typedef struct _regfi_iterator 483 489 { -
trunk/lib/regfi.c
r162 r165 988 988 return NULL; 989 989 990 /* XXX: Registry value names are supposedly limited to 16383 characters 991 * according to: 992 * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx 993 * Might want to emit a warning if this is exceeded. 994 * It is expected that "characters" could be variable width. 995 * Also, it may be useful to use this information to limit false positives 996 * when recovering deleted VK records. 997 */ 998 990 999 from_encoding = (ret_val->flags & REGFI_VK_FLAG_ASCIINAME) 991 1000 ? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE; … … 1076 1085 } 1077 1086 1087 /* XXX: Registry key names are supposedly limited to 255 characters according to: 1088 * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx 1089 * Might want to emit a warning if this is exceeded. 1090 * It is expected that "characters" could be variable width. 1091 * Also, it may be useful to use this information to limit false positives 1092 * when recovering deleted NK records. 1093 */ 1078 1094 from_encoding = (nk->flags & REGFI_NK_FLAG_ASCIINAME) 1079 1095 ? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE; … … 2606 2622 2607 2623 /* Microsoft's documentation indicates that "available memory" is 2608 * the limit on value sizes. Annoying. We limit it to 1M which 2609 * should rarely be exceeded, unless the file is corrupt or 2610 * malicious. For more info, see: 2611 * http://msdn2.microsoft.com/en-us/library/ms724872.aspx 2624 * the limit on value sizes for the more recent registry format version. 2625 * This is not only annoying, but it's probably also incorrect, since clearly 2626 * value data sizes are limited to 2^31 (high bit used as a flag) and even 2627 * with big data records, the apparent max size is: 2628 * 16344 * 2^16 = 1071104040 (~1GB). 2629 * 2630 * We choose to limit it to 1M which was the limit in older versions and 2631 * should rarely be exceeded unless the file is corrupt or malicious. 2632 * For more info, see: 2633 * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx 2612 2634 */ 2613 2635 /* XXX: add way to skip this check at user discression. */
Note: See TracChangeset
for help on using the changeset viewer.