regfi
Windows NT (and later) read-only registry library. More...
Data Structures | |
struct | REGFI_LOG |
struct | REGFI_HBIN |
HBIN block information. More... | |
struct | REGFI_SUBKEY_LIST_ELEM |
struct | REGFI_SUBKEY_LIST |
Subkey-list structure. More... | |
struct | REGFI_VALUE_LIST |
Value-list structure. More... | |
struct | REGFI_CLASSNAME |
Class name structure (used in storing SysKeys) More... | |
struct | REGFI_DATA |
Data record structure. More... | |
union | REGFI_DATA::_regfi_data_interpreted |
These items represent interpreted versions of the REGFI_DATA::raw field. More... | |
struct | REGFI_VK |
Value structure. More... | |
struct | REGFI_SK |
Security structure. More... | |
struct | REGFI_NK |
Key structure. More... | |
struct | REGFI_RAW_FILE |
struct | REGFI_FILE |
Registry hive file data structure. More... | |
struct | REGFI_ITER_POSITION |
struct | REGFI_ITERATOR |
Registry hive iterator. More... | |
struct | REGFI_BUFFER |
General purpose buffer with stored length. More... | |
Functions | |
const char * | regfi_version () |
Returns the current regfi library version. More... | |
REGFI_FILE * | regfi_alloc (int fd, REGFI_ENCODING output_encoding) |
Parses file headers of an already open registry hive file and allocates related structures for further parsing. More... | |
REGFI_FILE * | regfi_alloc_cb (REGFI_RAW_FILE *file_cb, REGFI_ENCODING output_encoding) |
Parses file headers returned by supplied callback functions. More... | |
void | regfi_free (REGFI_FILE *file) |
Frees a hive's data structures without closing the underlying file. More... | |
char * | regfi_log_get_str () |
Get errors, warnings, and/or verbose information relating to processing of the given registry file. More... | |
bool | regfi_log_set_mask (uint16_t mask) |
Set the verbosity level of messages generated by the library for the current thread. More... | |
const REGFI_NK * | regfi_get_rootkey (REGFI_FILE *file) |
Fetches a hive's root key. More... | |
void | regfi_free_record (REGFI_FILE *file, const void *record) |
Frees a record previously returned by one of the API functions. More... | |
const void * | regfi_reference_record (REGFI_FILE *file, const void *record) |
Increments reference count on record. More... | |
uint32_t | regfi_fetch_num_subkeys (const REGFI_NK *key) |
Retrieves number of subkeys referenced by this key. More... | |
uint32_t | regfi_fetch_num_values (const REGFI_NK *key) |
Retrieves number of values referenced by this key. More... | |
const REGFI_CLASSNAME * | regfi_fetch_classname (REGFI_FILE *file, const REGFI_NK *key) |
Retrieves classname for a given key. More... | |
const REGFI_SK * | regfi_fetch_sk (REGFI_FILE *file, const REGFI_NK *key) |
Returns the SK (security) record referenced by the supplied key. More... | |
const REGFI_SK * | regfi_next_sk (REGFI_FILE *file, const REGFI_SK *sk) |
Returns the next SK (security) record referenced by the supplied SK record. More... | |
const REGFI_SK * | regfi_prev_sk (REGFI_FILE *file, const REGFI_SK *sk) |
Returns the previous SK (security) record referenced by the supplied SK record. More... | |
const REGFI_DATA * | regfi_fetch_data (REGFI_FILE *file, const REGFI_VK *value) |
Retrieves data for a given value. More... | |
bool | regfi_find_subkey (REGFI_FILE *file, const REGFI_NK *key, const char *name, uint32_t *index) |
Locates a specific subkey of a given key. More... | |
bool | regfi_find_value (REGFI_FILE *file, const REGFI_NK *key, const char *name, uint32_t *index) |
Locates a specific value of a given key. More... | |
const REGFI_NK * | regfi_get_subkey (REGFI_FILE *file, const REGFI_NK *key, uint32_t index) |
Retrieves a specific subkey of a given key. More... | |
const REGFI_VK * | regfi_get_value (REGFI_FILE *file, const REGFI_NK *key, uint32_t index) |
Retrieves a specific value of a given key. More... | |
const REGFI_NK * | regfi_get_parentkey (REGFI_FILE *file, const REGFI_NK *key) |
Uses a key's parent_off reference to retrieve its parent. More... | |
REGFI_ITERATOR * | regfi_iterator_new (REGFI_FILE *file) |
Creates a new iterator for the provided registry file. More... | |
void | regfi_iterator_free (REGFI_ITERATOR *i) |
Frees a registry file iterator previously created by regfi_iterator_new. More... | |
bool | regfi_iterator_down (REGFI_ITERATOR *i) |
Traverse deeper into the registry tree at the current subkey. More... | |
bool | regfi_iterator_up (REGFI_ITERATOR *i) |
Traverse up to the current key's parent key. More... | |
bool | regfi_iterator_to_root (REGFI_ITERATOR *i) |
Traverse up to the root key of the hive. More... | |
bool | regfi_iterator_descend (REGFI_ITERATOR *i, const char **path) |
Traverse down multiple levels in the registry hive. More... | |
const REGFI_NK * | regfi_iterator_cur_key (REGFI_ITERATOR *i) |
Returns the currently referenced key. More... | |
bool | regfi_iterator_first_subkey (REGFI_ITERATOR *i) |
Sets the internal subkey index to the first subkey referenced by the current key. More... | |
const REGFI_NK * | regfi_iterator_cur_subkey (REGFI_ITERATOR *i) |
Returns the currently indexed subkey. More... | |
bool | regfi_iterator_next_subkey (REGFI_ITERATOR *i) |
Increments the internal subkey index to the next key in the subkey-list. More... | |
bool | regfi_iterator_find_subkey (REGFI_ITERATOR *i, const char *name) |
Searches for a subkey with a given name under the current key. More... | |
bool | regfi_iterator_first_value (REGFI_ITERATOR *i) |
Sets the internal value index to the first value referenced by the current key. More... | |
const REGFI_VK * | regfi_iterator_cur_value (REGFI_ITERATOR *i) |
Returns the currently indexed value. More... | |
bool | regfi_iterator_next_value (REGFI_ITERATOR *i) |
Increments the internal value index to the next value in the value-list. More... | |
bool | regfi_iterator_find_value (REGFI_ITERATOR *i, const char *name) |
Searches for a value with a given name under the current key. More... | |
const REGFI_NK ** | regfi_iterator_ancestry (REGFI_ITERATOR *i) |
Returns the current key and all parent keys as a list of NK records. More... | |
REGFI_NK * | regfi_load_key (REGFI_FILE *file, uint32_t offset, bool strict) |
Loads a key and associated data structures given a file offset. More... | |
REGFI_VK * | regfi_load_value (REGFI_FILE *file, uint32_t offset, bool strict) |
Loads a value at a given file offset along with associated data structures. More... | |
REGFI_SUBKEY_LIST * | regfi_load_subkeylist (REGFI_FILE *file, uint32_t offset, uint32_t num_keys, uint32_t max_size, bool strict) |
Loads a logical subkey list in its entirety which may span multiple records. More... | |
REGFI_VALUE_LIST * | regfi_load_valuelist (REGFI_FILE *file, uint32_t offset, uint32_t num_values, uint32_t max_size, bool strict) |
Loads a valuelist. More... | |
REGFI_BUFFER | regfi_load_data (REGFI_FILE *file, uint32_t voffset, uint32_t length, bool data_in_offset, bool strict) |
Loads a data record which may be contained in the virtual offset, in a single cell, or in multiple cells through big data records. More... | |
REGFI_BUFFER | regfi_load_big_data (REGFI_FILE *file, uint32_t offset, uint32_t data_length, uint32_t cell_length, range_list *used_ranges, bool strict) |
Loads the data associated with a big data record at the specified offset. More... | |
bool | regfi_interpret_data (REGFI_FILE *file, uint32_t type, REGFI_DATA *data) |
Given raw data, attempts to interpret the data based on a specified registry data type. More... | |
const REGFI_SK * | regfi_load_sk (REGFI_FILE *file, uint32_t offset, bool strict) |
Loads an "sk" security record at the specified offset. More... | |
const REGFI_HBIN * | regfi_lookup_hbin (REGFI_FILE *file, uint32_t offset) |
Retrieves the HBIN data structure stored at the specified offset. More... | |
REGFI_NK * | regfi_parse_nk (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
Parses an NK record at the specified offset. More... | |
REGFI_SUBKEY_LIST * | regfi_parse_subkeylist (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
Parses a single cell containing a subkey-list record. More... | |
REGFI_VK * | regfi_parse_vk (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
Parses a VK (value) record at the specified offset. More... | |
REGFI_SK * | regfi_parse_sk (REGFI_FILE *file, uint32_t offset, uint32_t max_size, bool strict) |
Parses an SK (security) record at the specified offset. More... | |
range_list * | regfi_parse_unalloc_cells (REGFI_FILE *file) |
Retrieves information on all cells in the registry hive which are currently in the unallocated status. More... | |
bool | regfi_parse_cell (REGFI_RAW_FILE *file_cb, uint32_t offset, uint8_t *hdr, uint32_t hdr_len, uint32_t *cell_length, bool *unalloc) |
Helper function to parse a cell. More... | |
uint8_t * | regfi_parse_classname (REGFI_FILE *file, uint32_t offset, uint16_t *name_length, uint32_t max_size, bool strict) |
Parses a classname cell. More... | |
REGFI_BUFFER | regfi_parse_data (REGFI_FILE *file, uint32_t offset, uint32_t length, bool strict) |
Parses a single-cell data record. More... | |
REGFI_BUFFER | regfi_parse_little_data (REGFI_FILE *file, uint32_t voffset, uint32_t length, bool strict) |
Parses a "little data" record which is stored entirely within the provided virtual offset. More... | |
Windows NT (and later) read-only registry library.
This library is intended for use in digital forensics investigations, but is likely useful in other applications.
Branched from Samba project Subversion repository, version #6903: http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/include/regfio.h?rev=6903&view=auto
Since then, it has been heavily rewritten, simplified, and improved.