Rejistry updates #37
Replace raw pointer typedefs with std::unique_ptr for SubkeyListRecord, ValueListRecord, DBRecord, and DBIndirectRecord. All Cell factory methods now use make_unique. Callers no longer manually delete these returned records. Also fixes a logic bug in NKRecord::getSubkeyList() where the early-return for empty subkey count was missing the return keyword, causing fall-through to an invalid offset read. Initialize previously uninitialized member variables in BinaryBlock, Buffer, and DirectSubkeyListRecord. Remove orphaned LIRecordPtr typedef from LIRecord. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
c->getSubkeyList() returns unique_ptr by value (already an rvalue), so std::move is a no-op. Also remove now-unused <utility> include. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Clarify which methods return unique_ptr (no caller cleanup needed) vs raw pointers where the caller is responsible for freeing. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Consistent with prior member initialization fixes across the library. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This PR is to take in changes from sleuthkit#3447 and address comments and fix other memory leaks. |
I am generally good with this PR but we should have Ann review and I'd like to do some comparisons on registry output before and after before we merge this. |
Forensic data may not be properly null-terminated. After parsing null-delimited strings, capture any trailing data that lacks a double-null terminator by padding for wchar_t alignment and appending a null terminator before constructing the wstring. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
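As an added illustration (not code from this PR or from Rejistry++): the edge case the commit above describes, a REG_MULTI_SZ-style blob of UTF-16LE NUL-delimited strings where the double-NUL list terminator may be missing or the byte count may be odd. It uses std::u16string rather than wstring so a code unit is two bytes on every platform (wchar_t is four bytes on Linux); the function name parseMultiSz and the sample blobs are assumptions constructed here, not taken from a real hive.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper (not Rejistry++'s own): split a REG_MULTI_SZ-style blob
// of UTF-16LE NUL-terminated strings. A well-formed list ends with an empty
// string, i.e. a double NUL. Forensic data may be truncated, so a final string
// with no terminator, or an odd trailing byte, is kept instead of being dropped.
std::vector<std::u16string> parseMultiSz(const std::vector<uint8_t>& blob) {
    std::vector<std::u16string> out;
    std::u16string cur;
    size_t i = 0;

    // Consume whole little-endian code units while two bytes are available.
    for (; i + 1 < blob.size(); i += 2) {
        char16_t ch = static_cast<char16_t>(blob[i] | (blob[i + 1] << 8));
        if (ch != 0) {
            cur.push_back(ch);
            continue;
        }
        if (cur.empty()) {
            return out;          // empty string: the double-NUL list terminator
        }
        out.push_back(cur);      // single NUL: end of one string
        cur.clear();
    }

    // No list terminator was seen. An odd leftover byte is padded to a full
    // code unit (high byte zero); whatever has accumulated is emitted as-is,
    // which is the effect of appending a terminator before building the string.
    if (i < blob.size() && blob[i] != 0) {
        cur.push_back(static_cast<char16_t>(blob[i]));
    }
    if (!cur.empty()) {
        out.push_back(cur);
    }
    return out;
}

// Constructed sample blobs (not from a real hive).
const std::vector<uint8_t> kWellFormed   = {'a', 0, 'b', 0, 0, 0, 'c', 0, 0, 0, 0, 0}; // "ab", "c", <end>
const std::vector<uint8_t> kNoTerminator = {'a', 0, 'b', 0, 0, 0, 'c', 0, 'd', 0};     // "ab", "cd", truncated
const std::vector<uint8_t> kOddTail      = {'a', 0, 'b', 0, 0, 0, 'c'};                // "ab", lone byte 'c'

int main() {
    for (const auto* blob : {&kWellFormed, &kNoTerminator, &kOddTail}) {
        auto strings = parseMultiSz(*blob);
        std::cout << strings.size() << " string(s):";
        for (const auto& s : strings) {
            std::cout << ' ' << s.size() << " code unit(s)";
        }
        std::cout << '\n';
    }
    return 0;
}
```

Note that an empty string in the middle of the blob still ends the list; that is the REG_MULTI_SZ contract, and only data after the last complete code unit is treated as the truncated tail.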
The offset parameter now correctly refers to the destination buffer offset rather than the source buffer offset, matching the original Java ByteBuffer.get(byte[], int, int) contract. Fixed validation checks and memcpy accordingly.
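An added example, not the project's ByteBuffer: a minimal read-only buffer whose get(dst, offset, length) follows the java.nio.ByteBuffer.get(byte[], int, int) contract the commit refers to. The offset indexes the destination; the source is always the current position, which advances by length. The two checks mirror Java's IndexOutOfBoundsException (destination range) and BufferUnderflowException (not enough bytes remaining) and are written so offset + length cannot overflow size_t. The class, the helper functions and the sample bytes are assumptions constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iomanip>
#include <iostream>
#include <stdexcept>
#include <utility>
#include <vector>

// Hypothetical class (not Rejistry++'s ByteBuffer): copy `length` bytes from
// the current position into dst starting at dst[dstOffset], then advance.
class ByteBuffer {
public:
    explicit ByteBuffer(std::vector<uint8_t> data) : buf_(std::move(data)), pos_(0) {}

    size_t remaining() const { return buf_.size() - pos_; }
    size_t position() const { return pos_; }

    void get(std::vector<uint8_t>& dst, size_t dstOffset, size_t length) {
        // Java: IndexOutOfBoundsException when (offset, length) does not fit in
        // dst. Subtraction form so dstOffset + length cannot wrap around.
        if (length > dst.size() || dstOffset > dst.size() - length) {
            throw std::out_of_range("ByteBuffer::get: destination range out of bounds");
        }
        // Java: BufferUnderflowException when fewer than `length` bytes remain.
        if (length > remaining()) {
            throw std::out_of_range("ByteBuffer::get: buffer underflow");
        }
        if (length == 0) {
            return;  // avoid memcpy on a possibly null data() of an empty vector
        }
        // Source is the current position; the offset applies to dst only.
        std::memcpy(dst.data() + dstOffset, buf_.data() + pos_, length);
        pos_ += length;
    }

private:
    std::vector<uint8_t> buf_;
    size_t pos_;
};

// Constructed sample source (not real hive data).
const std::vector<uint8_t> kSource = {0x10, 0x20, 0x30, 0x40, 0x50, 0x60};

// Copy four bytes into the middle of a zero-filled eight-byte destination at
// dst offset 2; the bytes before and after the window must stay untouched.
std::vector<uint8_t> copyIntoMiddle() {
    ByteBuffer bb(kSource);
    std::vector<uint8_t> dst(8, 0);
    bb.get(dst, 2, 4);
    return dst;  // {0, 0, 0x10, 0x20, 0x30, 0x40, 0, 0}
}

// True when get() rejects the request, as the Java contract requires.
bool getRejects(size_t dstSize, size_t dstOffset, size_t length) {
    ByteBuffer bb(kSource);
    std::vector<uint8_t> dst(dstSize, 0);
    try {
        bb.get(dst, dstOffset, length);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

// Two consecutive reads fill consecutive dst windows from consecutive source
// bytes, because position (not the dst offset) tracks the source.
size_t positionAfterTwoReads() {
    ByteBuffer bb(kSource);
    std::vector<uint8_t> dst(4, 0);
    bb.get(dst, 0, 2);
    bb.get(dst, 2, 2);    // dst = {0x10, 0x20, 0x30, 0x40}
    return bb.position(); // 4
}

int main() {
    for (uint8_t b : copyIntoMiddle()) {
        std::cout << std::hex << std::setw(2) << std::setfill('0') << int(b) << ' ';
    }
    std::cout << "\nrejects dst too small: " << getRejects(4, 2, 4)
              << ", rejects underflow: " << getRejects(8, 0, 7)
              << ", position after two reads: " << std::dec << positionAfterTwoReads() << '\n';
    return 0;
}
```

The bug the commit fixes is what you get when the memcpy source is written as buf_.data() + dstOffset: the destination window is right but the bytes come from the wrong place in the hive, and the bounds check then guards the wrong buffer.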
Wrap printVKRecord and printNKRecord in try/catch so a single malformed record does not abort enumeration. Add hive synchronization status output to processRegistryFile. Improve exception messages with function context prefixes.
This looks good to me now. For testing I used the registry hive samples from Registry Explorer. I then ran our test exe rejistry.exe, which is built as part of our project and enumerates all of the key data we parse. I diffed the data from the 4.14 version and this new version. The only differences were due to a fix that was made in this PR. @APriestman if you can give this a quick review when you have time.
After this PR is merged we should close out sleuthkit#3447 and push this to the public repo |