
The library doesn't recover some deleted keys and values

Open msuhanov opened this issue 3 years ago • 1 comment

Hello.

The bug is here: https://github.com/EricZimmerman/Registry/blob/1a301f3f237e81cbd2738e444c30e10c76214286/Registry/Other/HBinRecord.cs#L325

If the `remainingData.Length - actualStart < size` condition is met, the deleted item isn't processed. This condition can be true for a valid deleted key/value if its cell has been merged with a preceding one and then the resulting cell is split to hold a subkeys list, so the deleted key/value goes to the slack of this list (i.e., stored after its last item).

Here is an example (this is the SYSTEM hive file from the 2018 Lone Wolf Scenario, without transaction log files applied):

[image: hex]

The remnant cell size field for the deleted key in question, whose value is 0x00000178, is too large for the cell containing the subkeys list (the `actualStart` value plus the `size` value point beyond the end of the cell).

Registry Explorer 2.0.0.0 doesn't recover that key:

[image: RE]

The same key can be recovered using yarp:

[image: yarp]

msuhanov, Aug 18 '22 13:08
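To make the failure mode concrete, here is an added example (not code from the Registry library, from yarp, or from the issue author) that builds a constructed hbin cell holding an `lh` subkeys list with a deleted `nk` remnant in its slack, where the remnant's stale size field (0x178, as in the report) reaches past the end of the cell. `parse_nk_remnant` implements both rules: `strict=True` reproduces the skip described in the issue, and `strict=False` clamps the remnant to the bytes that are actually left in the cell and still checks that the header and the key name fit. The field offsets follow the documented regf cell and `nk` layouts; every function and constant name is this example's own, and the subkey offsets and key names are made up.

```python
import struct

# Layout constants follow the documented regf/hbin cell and nk record formats;
# the constant and function names are this example's own, not the library's.
CELL_HDR = 4             # each cell begins with a signed 32-bit size (negative = allocated)
NK_SIG = b"nk"
NK_FIXED = 0x4C          # nk header bytes preceding the key name
NK_NAME_LEN_OFF = 0x48   # offset of the u16 key-name length within the nk header
LH_SIG = b"lh"           # subkeys list: 2-byte signature, u16 count, then 8-byte entries


def build_nk_remnant(name: bytes, size_field: int) -> bytes:
    """Constructed remnant of a deleted nk record: stale size field + header + name."""
    hdr = bytearray(NK_FIXED)
    hdr[0:2] = NK_SIG
    struct.pack_into("<H", hdr, 2, 0x20)                    # KEY_COMP_NAME flag
    struct.pack_into("<H", hdr, NK_NAME_LEN_OFF, len(name))
    return struct.pack("<i", size_field) + bytes(hdr) + name


def build_lh_cell(subkey_offsets, slack: bytes) -> bytes:
    """Constructed allocated cell: an lh list whose cell is larger than the list needs,
    with `slack` (here a deleted key remnant) sitting after the last list entry."""
    body = LH_SIG + struct.pack("<H", len(subkey_offsets))
    for off in subkey_offsets:
        body += struct.pack("<II", off, 0)                 # (cell offset, name hash); hash left zero
    body += slack
    body += b"\x00" * ((-(CELL_HDR + len(body))) % 8)       # cells are 8-byte aligned
    return struct.pack("<i", -(CELL_HDR + len(body))) + body


def lh_used_bytes(cell: bytes) -> int:
    """Bytes consumed by the lh list itself; everything after it is slack."""
    count = struct.unpack_from("<H", cell, CELL_HDR + 2)[0]
    return CELL_HDR + 4 + 8 * count


def parse_nk_remnant(cell: bytes, start: int, strict: bool):
    """Parse an nk remnant whose stale size field sits at cell[start].

    strict=True  reproduces the skip rule from the issue: the remnant is dropped
                 when its size field reaches past the end of the enclosing cell.
    strict=False clamps the remnant to the bytes actually left in the cell and
                 still requires the fixed header and the key name to fit there.
    Returns the key name, or None when nothing recoverable is at `start`.
    """
    if cell[start + CELL_HDR:start + CELL_HDR + 2] != NK_SIG:
        return None
    size = abs(struct.unpack_from("<i", cell, start)[0])   # sign only says allocated/free
    remaining = len(cell) - start
    if remaining < size:
        if strict:
            return None
        size = remaining                                    # use what the cell still holds
    data = cell[start + CELL_HDR:start + size]
    if len(data) < NK_FIXED:
        return None                                         # header itself is cut off
    name_len = struct.unpack_from("<H", data, NK_NAME_LEN_OFF)[0]
    if NK_FIXED + name_len > len(data):
        return None                                         # name would run past the cell
    return data[NK_FIXED:NK_FIXED + name_len].decode("latin-1")


def recover_slack_keys(cell: bytes, strict: bool):
    """Walk the slack of an lh cell on 8-byte boundaries and collect recoverable key names."""
    names = []
    pos = lh_used_bytes(cell)
    while pos + CELL_HDR + 2 <= len(cell):
        name = parse_nk_remnant(cell, pos, strict)
        if name is not None:
            names.append(name)
        pos += 8
    return names


def demo():
    # Stale size field 0x178 (left over from before the cell was merged and re-split) is far
    # larger than the 120-byte cell that now holds the list, yet the whole name is still there.
    remnant = build_nk_remnant(b"DeletedKey", 0x178)
    cell = build_lh_cell([0x1020, 0x10A8], remnant)
    return recover_slack_keys(cell, strict=True), recover_slack_keys(cell, strict=False)


if __name__ == "__main__":
    skipped, recovered = demo()
    print("strict rule recovers: ", skipped)
    print("clamped rule recovers:", recovered)
```

The clamped rule is what makes the slack case recoverable: the stale size field is only a hint about how big the cell used to be, so the parser bounds the record by the enclosing cell instead and lets the `nk` header's own name-length field decide whether the record is complete. A remnant whose header or name really is cut off still yields nothing, so loosening the size check does not turn partial garbage into keys.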

I'll see what I can do. Thanks for the write-up and test data.

EricZimmerman, Aug 18 '22 13:08