I've also updated the registry tools yet again, to fix some bugs and add new functionality, and also made some enhancements to volshell. You can read about the changes below:
Changes to VolReg:
- New command hivedump: dump keys and timestamps (and optionally value data) from all hives to a CSV file.
- Many improvements to robustness and error handling when reading key and value data.
- When checking the registry hive names, catch exceptions and try to continue anyway (reported by chris).
Changes to volshell:
- A new command, dis, is available. If distorm is installed, it will disassemble bytes from a given memory address as x86 code.
- db no longer rounds length to a multiple of 4.
- Use a single profile object throughout all commands (speed improvement).
- dt can now overlay an arbitrary structure at an address, for example: dt('_EPROCESS', 0x81234567)
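The hivedump command above writes keys and their last-write timestamps to a CSV, which is most useful once you can pivot on it. The script below is an added example, not part of VolReg or volshell, that parses such a CSV and does two common triage steps: list keys written within a window around a pivot time, and find bursts of keys written within a few seconds of each other (a pattern that often marks an install or configuration change). The column names (hive, key, last_write), the timestamp format and the sample rows are all assumptions constructed for the example; hivedump's real column layout is not described on this page, so adjust the header names to match your output.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout this example ASSUMES
# (hive, key, last_write); the real hivedump layout is not documented here.
SAMPLE_CSV = """hive,key,last_write
\\SystemRoot\\System32\\Config\\SOFTWARE,Microsoft\\Windows\\CurrentVersion\\Run,2008-10-01 12:00:00
\\SystemRoot\\System32\\Config\\SYSTEM,ControlSet001\\Services\\Tcpip,2008-05-01 09:30:00
\\SystemRoot\\System32\\Config\\SOFTWARE,Microsoft\\Windows\\CurrentVersion\\RunOnce,2008-10-01 12:00:05
"""

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed; registry times are stored in UTC


def parse_hivedump(text):
    """Parse hivedump-style CSV text into dicts with a UTC datetime in last_write."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        stamp = datetime.strptime(row["last_write"], TIMESTAMP_FORMAT)
        row["last_write"] = stamp.replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def keys_modified_within(rows, pivot, window):
    """Return key paths whose last-write time falls within +/- window of pivot.

    Typical use: pivot on the time of a suspicious process or file and see
    which keys were touched around it.
    """
    lo, hi = pivot - window, pivot + window
    return sorted(r["key"] for r in rows if lo <= r["last_write"] <= hi)


def write_bursts(rows, max_gap=timedelta(seconds=10), min_keys=2):
    """Group keys whose last-write times are within max_gap of the previous key.

    Returns a list of bursts, each a list of key paths in time order, keeping
    only bursts of at least min_keys keys.
    """
    ordered = sorted(rows, key=lambda r: r["last_write"])
    bursts = []
    current = ordered[:1]
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["last_write"] - prev["last_write"] <= max_gap:
            current.append(cur)
        else:
            if len(current) >= min_keys:
                bursts.append(current)
            current = [cur]
    if len(current) >= min_keys:
        bursts.append(current)
    return [[r["key"] for r in burst] for burst in bursts]


if __name__ == "__main__":
    rows = parse_hivedump(SAMPLE_CSV)
    pivot = datetime(2008, 10, 1, 12, 0, 0, tzinfo=timezone.utc)
    for key in keys_modified_within(rows, pivot, timedelta(minutes=1)):
        print("near pivot:", key)
    for burst in write_bursts(rows):
        print("burst:", " -> ".join(burst))
```

To run against a real dump, replace SAMPLE_CSV with the file contents (open(path).read()) and fix the header names and timestamp format to match what hivedump actually emitted.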