|
regfi
|
Functions | |
| REGFI_NK * | regfi_parse_nk (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
| Parses an NK record at the specified offset. More... | |
| REGFI_SUBKEY_LIST * | regfi_parse_subkeylist (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
| Parses a single cell containing a subkey-list record. More... | |
| REGFI_VK * | regfi_parse_vk (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
| Parses a VK (value) record at the specified offset. More... | |
| REGFI_SK * | regfi_parse_sk (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
| Parses an SK (security) record at the specified offset. More... | |
| range_list * | regfi_parse_unalloc_cells (REGFI_FILE *file) |
| Retrieves information on all cells in the registry hive which are currently in the unallocated status. More... | |
| bool | regfi_parse_cell (REGFI_RAW_FILE *file_cb, uint32_t offset, uint8_t *hdr, uint32_t hdr_len, uint32_t *cell_length, bool *unalloc) |
| Helper function to parse a cell. More... | |
| uint8_t * | regfi_parse_classname (REGFI_FILE *file, uint32_t offset, uint16_t *name_length, uint32_t max_size, bool strict) |
| Parses a classname cell. More... | |
| REGFI_BUFFER | regfi_parse_data (REGFI_FILE *file, uint32_t offset, uint32_t length, bool strict) |
| Parses a single-cell data record. More... | |
| REGFI_BUFFER | regfi_parse_little_data (REGFI_FILE *file, uint32_t voffset, uint32_t length, bool strict) |
| Parses a "little data" record which is stored entirely within the provided virtual offset. More... | |
| REGFI_NK* regfi_parse_nk | ( | REGFI_FILE * | file, |
| uint32_t | offset, | ||
| uint32_t | max_size, | ||
| bool | strict | ||
| ) |
Parses an NK record at the specified offset.
| file | the registry file structure |
| offset | the offset of the cell (not the record) to be parsed. |
| max_size | the maximum size the NK cell could be. (for validation) |
| strict | if true, rejects any malformed records. Otherwise, tries to minimally validate integrity. |
| REGFI_SUBKEY_LIST* regfi_parse_subkeylist | ( | REGFI_FILE * | file, |
| uint32_t | offset, | ||
| uint32_t | max_size, | ||
| bool | strict | ||
| ) |
Parses a single cell containing a subkey-list record.
XXX: finish documenting
| REGFI_VK* regfi_parse_vk | ( | REGFI_FILE * | file, |
| uint32_t | offset, | ||
| uint32_t | max_size, | ||
| bool | strict | ||
| ) |
Parses a VK (value) record at the specified offset.
XXX: finish documenting
| REGFI_SK* regfi_parse_sk | ( | REGFI_FILE * | file, |
| uint32_t | offset, | ||
| uint32_t | max_size, | ||
| bool | strict | ||
| ) |
Parses an SK (security) record at the specified offset.
XXX: finish documenting
| range_list* regfi_parse_unalloc_cells | ( | REGFI_FILE * | file | ) |
Retrieves information on all cells in the registry hive which are currently in the unallocated status.
The unallocated status is determined based soley on the cell length sign.
XXX: finish documenting
References range_list_new().
| bool regfi_parse_cell | ( | REGFI_RAW_FILE * | file_cb, |
| uint32_t | offset, | ||
| uint8_t * | hdr, | ||
| uint32_t | hdr_len, | ||
| uint32_t * | cell_length, | ||
| bool * | unalloc | ||
| ) |
Helper function to parse a cell.
XXX: finish documenting
| uint8_t* regfi_parse_classname | ( | REGFI_FILE * | file, |
| uint32_t | offset, | ||
| uint16_t * | name_length, | ||
| uint32_t | max_size, | ||
| bool | strict | ||
| ) |
Parses a classname cell.
XXX: finish documenting
| REGFI_BUFFER regfi_parse_data | ( | REGFI_FILE * | file, |
| uint32_t | offset, | ||
| uint32_t | length, | ||
| bool | strict | ||
| ) |
Parses a single-cell data record.
XXX: finish documenting
| REGFI_BUFFER regfi_parse_little_data | ( | REGFI_FILE * | file, |
| uint32_t | voffset, | ||
| uint32_t | length, | ||
| bool | strict | ||
| ) |
Parses a "little data" record which is stored entirely within the provided virtual offset.
XXX: finish documenting
1.9.1