Error with usrClass.dat hive

[muteb]

Hi Jan,

Sometimes I face an error with this hive "usrclass.dat" and I tried to trouble shoot it but I couldn't spot the actual error.

Here is the printout error of the terminal once executed:

thread 'main' panicked at 'called Result::unwrap() on an Err value: Custom { pos: 0x0, err: Any { .. } }', C:\Users\user\Documents\rust\nt-hive2\src\hive\hive_struct.rs:246:48
stack backtrace:
0: rust_begin_unwind
at /rustc/897e37553bba8b42751c67658967889d11ecd120/library\std\src/panicking.rs:584:5
1: core::panicking::panic_fmt
at /rustc/897e37553bba8b42751c67658967889d11ecd120/library\core\src/panicking.rs:142:14
2: core::result::unwrap_failed
at /rustc/897e37553bba8b42751c67658967889d11ecd120/library\core\src/result.rs:1785:5
3: core::result::Result<T,E>::unwrap
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src/result.rs:1107:23
4: nt_hive2::hive::hive_struct::Hive<B,nt_hive2::hive::hive_status::CleanHive>::read_structure
at .\src\hive\hive_struct.rs:246:33
5: nt_hive2::nk::KeyNode::read_subkeys::{{closure}}
at .\src\nk.rs:204:44
6: core::iter::adapters::map::map_try_fold::{{closure}}
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\iter\adapters/map.rs:91:28
7: core::iter::traits::iterator::Iterator::try_fold
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\iter\traits/iterator.rs:2238:21
8: <core::iter::adapters::map::Map<I,F> as core::iter::traits::iterator::Iterator>::try_fold
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\iter\adapters/map.rs:117:9
9: <core::iter::adapters::GenericShunt<I,R> as core::iter::traits::iterator::Iterator>::try_fold
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\iter\adapters/mod.rs:195:9
10: core::iter::traits::iterator::Iterator::try_for_each
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\iter\traits/iterator.rs:2299:9
11: <core::iter::adapters::GenericShunt<I,R> as core::iter::traits::iterator::Iterator>::next
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\iter\adapters/mod.rs:178:9
12: alloc::vec::Vec<T,A>::extend_desugared
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec/mod.rs:2749:35
13: <alloc::vec::Vec<T,A> as alloc::vec::spec_extend::SpecExtend<T,I>>::spec_extend
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec/spec_extend.rs:18:9
14: <alloc::vec::Vec as alloc::vec::spec_from_iter_nested::SpecFromIterNested<T,I>>::from_iter
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec/spec_from_iter_nested.rs:43:9
15: <alloc::vec::Vec as alloc::vec::spec_from_iter::SpecFromIter<T,I>>::from_iter
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec/spec_from_iter.rs:33:9
16: <alloc::vec::Vec as core::iter::traits::collect::FromIterator>::from_iter
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\alloc\src\vec/mod.rs:2649:9
17: core::iter::traits::iterator::Iterator::collect
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\iter\traits/iterator.rs:1836:9
18: <core::result::Result<V,E> as core::iter::traits::collect::FromIterator<core::result::Result<A,E>>>::from_iter::{{closure}}
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src/result.rs:2072:49
19: core::iter::adapters::try_process
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\iter\adapters/mod.rs:164:17
20: <core::result::Result<V,E> as core::iter::traits::collect::FromIterator<core::result::Result<A,E>>>::from_iter
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src/result.rs:2072:9
21: core::iter::traits::iterator::Iterator::collect
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\iter\traits/iterator.rs:1836:9
22: nt_hive2::nk::KeyNode::read_subkeys
at .\src\nk.rs:203:46
23: nt_hive2::nk::KeyNode::subkeys
at .\src\nk.rs:160:22
24: nt_hive2::main
at .\src\main.rs:13:15
25: core::ops::function::FnOnce::call_once
at /rustc/897e37553bba8b42751c67658967889d11ecd120\library\core\src\ops/function.rs:248:5
note: Some details are omitted, run with RUST_BACKTRACE=full for a verbose backtrace.

[janstarke]

Hello,

could you please provide a sample file which causes this error to me?

Regards, Jan

[janstarke]

I created a branch for this issue and added a more usable error message in read_structure()

[muteb]

Hi Jan,

well, it only happens on my own use windows 11 system and afraid that I can't share the file as it might have private info.

I will try to simulate the same machine on a vm and hopefully I can catch such error.

[muteb]

Hi Jan,
Upon troubleshooting the error, I identified the offset at which the error initiates. When this offset is passed to the Cell struct "hive_struct.rs:246:48", the app crashes with previous error. I have successfully dumped 256 bytes of data starting from the identified offset and attached the relevant file herewith.
3509136.zip

Keep in mind I dumped 256 and I believe the nk ends at 0050h. I hope this helps and thanks in advance

[janstarke]

I tried to write a test case using the data you provided. Unfortunately this is not working, because the field KeyNode::key_values_list tries to read data at other parts of the registry file. So, to write a test, I'd need a complete hive file

What does nt_hive2 print when you try to parse your file with the modified code that I commited in the branch 10-error-with-usrclassdat-hive? There should be a more descriptive error message

[muteb]

Yes, I tried it and still giving me the same error pos:0x0, however,I printed out the error in line 253 hive_struct.rs and it then jumped to the hex editor to see the actual values. The values are all zeros as showing on the attached picture

Error while reading from offset 00359b90: Custom { pos: 0x0, err: Any { .. } }<<
thread 'main' panicked at 'called Result::unwrap() on an Err value: Custom { pos: 0x0, err: Any { .. } }', src\testerror.rs:14:43
stack backtrace:
0: rust_begin_unwind
at /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library\std\src/panicking.rs:593:5
1: core::panicking::panic_fmt
at /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library\core\src/panicking.rs:67:14
2: core::result::unwrap_failed
at /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be/library\core\src/result.rs:1651:5
3: core::result::Result<T,E>::unwrap
at /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be\library\core\src/result.rs:1076:23
4: nt_hive2::testerror
at .\src\testerror.rs:14:15
5: core::ops::function::FnOnce::call_once
at /rustc/5680fa18feaa87f3ff04063800aec256c3d4b4be\library\core\src\ops/function.rs:250:5
note: Some details are omitted, run with RUST_BACKTRACE=full for a verbose backtrace.

[janstarke]

I'm not happy with the error reporting code, which obviously does not help us in isolating the problem. So I added a new log output in hive_struct.rs:

nt-hive2/src/hive/hive_struct.rs

Lines 257 to 259 in 78c3112

	if let Some(custom) = why.custom_err::<anyhow::Error>() {
	log::error!("custom error was {custom}");
	}

There seems to be that an error has occurred somewhere else and has been wrapped in a BinRead::Error and we could not obtain the wrapped information until now.

Can you please check if my change made a difference with your data?

[janstarke]

I investigated a little more and I assume that your test data contains an invalid key name:

The error occurs when we try to decode the bytes:

nt-hive2/src/util.rs

Lines 21 to 29 in 12280bc

	if had_errors {
	//println!("unable to decode bytes {raw_string:?} into string");
	Err(binread::error::Error::Custom {
	pos: ro.offset,
	err: Box::new(format!(
	"unable to decode bytes {raw_string:?} into string at offset 0x{:08x}",
	ro.offset
	)),
	})

So, the question is: How should we handle non-printable strings? I added a test case and the class BinaryString as proof of concept about how we could handle this. What do you think?

[muteb]

I believe the class BinaryString is very interesting and well handled non-printable strings. it handled my case and fix the issue. I can't add more to what you have done. thanks alot. Out of courtesy, what hex editor are you using?

[janstarke]

Thanks for your feedback. I will incorporate the changes into main as soon as I'm back from my current trip.

In this case, I was using ImHex (https://github.com/WerWolv/ImHex), because it helps me to parse binary data visually.

Regards, Jan