Context Navigation

regfi.c@ 293

Last change on this file since 293 was 140, checked in by tim, 16 years ago

Misc error message changes.

Added and removed some comments.

Updated TODO list.

Property svn:keywords set to Id

File size: 61.4 KB

Line
1	/*
2	* Branched from Samba project Subversion repository, version #7470:
3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
4	*
5	* Windows NT (and later) registry parsing library
6	*
7	* Copyright (C) 2005-2009 Timothy D. Morgan
8	* Copyright (C) 2005 Gerald (Jerry) Carter
9	*
10	* This program is free software; you can redistribute it and/or modify
11	* it under the terms of the GNU General Public License as published by
12	* the Free Software Foundation; version 3 of the License.
13	*
14	* This program is distributed in the hope that it will be useful,
15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	* GNU General Public License for more details.
18	*
19	* You should have received a copy of the GNU General Public License
20	* along with this program; if not, write to the Free Software
21	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22	*
23	* $Id: regfi.c 140 2009-02-09 19:53:39Z tim $
24	*/
25
26	#include "../include/regfi.h"
27
28
29	/* Registry types mapping */
30	const unsigned int regfi_num_reg_types = 12;
31	static const char* regfi_type_names[] =
32	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
33	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
34
35
36
37	/******************************************************************************
38	******************************************************************************/
39	void regfi_add_message(REGFI_FILE* file, uint16 msg_type, const char* fmt, ...)
40	{
41	/* XXX: This function is not particularly efficient,
42	* but then it is mostly used during errors.
43	*/
44	uint32 buf_size, buf_used;
45	char* new_msg;
46	va_list args;
47
48	if((file->msg_mask & msg_type) != 0)
49	{
50	if(file->last_message == NULL)
51	buf_used = 0;
52	else
53	buf_used = strlen(file->last_message);
54
55	buf_size = buf_used+strlen(fmt)+160;
56	new_msg = realloc(file->last_message, buf_size);
57	if(new_msg == NULL)
58	/* XXX: should we report this? */
59	return;
60
61	switch (msg_type)
62	{
63	case REGFI_MSG_INFO:
64	strcpy(new_msg+buf_used, "INFO: ");
65	buf_used += 6;
66	break;
67	case REGFI_MSG_WARN:
68	strcpy(new_msg+buf_used, "WARN: ");
69	buf_used += 6;
70	break;
71	case REGFI_MSG_ERROR:
72	strcpy(new_msg+buf_used, "ERROR: ");
73	buf_used += 7;
74	break;
75	}
76
77	va_start(args, fmt);
78	vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
79	va_end(args);
80	strncat(new_msg, "\n", buf_size-1);
81
82	file->last_message = new_msg;
83	}
84	}
85
86
87	/******************************************************************************
88	******************************************************************************/
89	char* regfi_get_messages(REGFI_FILE* file)
90	{
91	char* ret_val = file->last_message;
92	file->last_message = NULL;
93
94	return ret_val;
95	}
96
97
98	void regfi_set_message_mask(REGFI_FILE* file, uint16 mask)
99	{
100	file->msg_mask = mask;
101	}
102
103
104	/* Returns NULL on error */
105	const char* regfi_type_val2str(unsigned int val)
106	{
107	if(val == REG_KEY)
108	return "KEY";
109
110	if(val >= regfi_num_reg_types)
111	return NULL;
112
113	return regfi_type_names[val];
114	}
115
116
117	/* Returns -1 on error */
118	int regfi_type_str2val(const char* str)
119	{
120	int i;
121
122	if(strcmp("KEY", str) == 0)
123	return REG_KEY;
124
125	for(i=0; i < regfi_num_reg_types; i++)
126	if (strcmp(regfi_type_names[i], str) == 0)
127	return i;
128
129	if(strcmp("DWORD_LE", str) == 0)
130	return REG_DWORD_LE;
131
132	return -1;
133	}
134
135
136	/* Security descriptor formatting functions */
137
138	const char* regfi_ace_type2str(uint8 type)
139	{
140	static const char* map[7]
141	= {"ALLOW", "DENY", "AUDIT", "ALARM",
142	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
143	if(type < 7)
144	return map[type];
145	else
146	/* XXX: would be nice to return the unknown integer value.
147	* However, as it is a const string, it can't be free()ed later on,
148	* so that would need to change.
149	*/
150	return "UNKNOWN";
151	}
152
153
154	/* XXX: need a better reference on the meaning of each flag. */
155	/* For more info, see:
156	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
157	*/
158	char* regfi_ace_flags2str(uint8 flags)
159	{
160	static const char* flag_map[32] =
161	{ "OI", /* Object Inherit */
162	"CI", /* Container Inherit */
163	"NP", /* Non-Propagate */
164	"IO", /* Inherit Only */
165	"IA", /* Inherited ACE */
166	NULL,
167	NULL,
168	NULL,
169	};
170
171	char* ret_val = malloc(35*sizeof(char));
172	char* fo = ret_val;
173	uint32 i;
174	uint8 f;
175
176	if(ret_val == NULL)
177	return NULL;
178
179	fo[0] = '\0';
180	if (!flags)
181	return ret_val;
182
183	for(i=0; i < 8; i++)
184	{
185	f = (1<<i);
186	if((flags & f) && (flag_map[i] != NULL))
187	{
188	strcpy(fo, flag_map[i]);
189	fo += strlen(flag_map[i]);
190	*(fo++) = ' ';
191	flags ^= f;
192	}
193	}
194
195	/* Any remaining unknown flags are added at the end in hex. */
196	if(flags != 0)
197	sprintf(fo, "0x%.2X ", flags);
198
199	/* Chop off the last space if we've written anything to ret_val */
200	if(fo != ret_val)
201	fo[-1] = '\0';
202
203	return ret_val;
204	}
205
206
207	char* regfi_ace_perms2str(uint32 perms)
208	{
209	uint32 i, p;
210	/* This is more than is needed by a fair margin. */
211	char* ret_val = malloc(350*sizeof(char));
212	char* r = ret_val;
213
214	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
215	* For more information, see:
216	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
217	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
218	*/
219	static const char* perm_map[32] =
220	{/* object-specific permissions (registry keys, in this case) */
221	"QRY_VAL", /* KEY_QUERY_VALUE */
222	"SET_VAL", /* KEY_SET_VALUE */
223	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
224	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
225	"NOTIFY", /* KEY_NOTIFY */
226	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
227	NULL,
228	NULL,
229	"WOW64_64", /* KEY_WOW64_64KEY */
230	"WOW64_32", /* KEY_WOW64_32KEY */
231	NULL,
232	NULL,
233	NULL,
234	NULL,
235	NULL,
236	NULL,
237	/* standard access rights */
238	"DELETE", /* DELETE */
239	"R_CONT", /* READ_CONTROL */
240	"W_DAC", /* WRITE_DAC */
241	"W_OWNER", /* WRITE_OWNER */
242	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
243	NULL,
244	NULL,
245	NULL,
246	/* other generic */
247	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
248	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
249	NULL,
250	NULL,
251	"GEN_A", /* GENERIC_ALL */
252	"GEN_X", /* GENERIC_EXECUTE */
253	"GEN_W", /* GENERIC_WRITE */
254	"GEN_R", /* GENERIC_READ */
255	};
256
257
258	if(ret_val == NULL)
259	return NULL;
260
261	r[0] = '\0';
262	for(i=0; i < 32; i++)
263	{
264	p = (1<<i);
265	if((perms & p) && (perm_map[i] != NULL))
266	{
267	strcpy(r, perm_map[i]);
268	r += strlen(perm_map[i]);
269	*(r++) = ' ';
270	perms ^= p;
271	}
272	}
273
274	/* Any remaining unknown permission bits are added at the end in hex. */
275	if(perms != 0)
276	sprintf(r, "0x%.8X ", perms);
277
278	/* Chop off the last space if we've written anything to ret_val */
279	if(r != ret_val)
280	r[-1] = '\0';
281
282	return ret_val;
283	}
284
285
286	char* regfi_sid2str(WINSEC_DOM_SID* sid)
287	{
288	uint32 i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
289	uint32 left = size;
290	uint8 comps = sid->num_auths;
291	char* ret_val = malloc(size);
292
293	if(ret_val == NULL)
294	return NULL;
295
296	if(comps > WINSEC_MAX_SUBAUTHS)
297	comps = WINSEC_MAX_SUBAUTHS;
298
299	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
300
301	for (i = 0; i < comps; i++)
302	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
303
304	return ret_val;
305	}
306
307
308	char* regfi_get_acl(WINSEC_ACL* acl)
309	{
310	uint32 i, extra, size = 0;
311	const char* type_str;
312	char* flags_str;
313	char* perms_str;
314	char* sid_str;
315	char* ace_delim = "";
316	char* ret_val = NULL;
317	char* tmp_val = NULL;
318	bool failed = false;
319	char field_delim = ':';
320
321	for (i = 0; i < acl->num_aces && !failed; i++)
322	{
323	sid_str = regfi_sid2str(acl->aces[i]->trustee);
324	type_str = regfi_ace_type2str(acl->aces[i]->type);
325	perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask);
326	flags_str = regfi_ace_flags2str(acl->aces[i]->flags);
327
328	if(flags_str != NULL && perms_str != NULL
329	&& type_str != NULL && sid_str != NULL)
330	{
331	/* XXX: this is slow */
332	extra = strlen(sid_str) + strlen(type_str)
333	+ strlen(perms_str) + strlen(flags_str) + 5;
334	tmp_val = realloc(ret_val, size+extra);
335
336	if(tmp_val == NULL)
337	{
338	free(ret_val);
339	ret_val = NULL;
340	failed = true;
341	}
342	else
343	{
344	ret_val = tmp_val;
345	size += snprintf(ret_val+size, extra, "%s%s%c%s%c%s%c%s",
346	ace_delim,sid_str,
347	field_delim,type_str,
348	field_delim,perms_str,
349	field_delim,flags_str);
350	ace_delim = "\|";
351	}
352	}
353	else
354	failed = true;
355
356	if(sid_str != NULL)
357	free(sid_str);
358	if(sid_str != NULL)
359	free(perms_str);
360	if(sid_str != NULL)
361	free(flags_str);
362	}
363
364	return ret_val;
365	}
366
367
368	char* regfi_get_sacl(WINSEC_DESC *sec_desc)
369	{
370	if (sec_desc->sacl)
371	return regfi_get_acl(sec_desc->sacl);
372	else
373	return NULL;
374	}
375
376
377	char* regfi_get_dacl(WINSEC_DESC *sec_desc)
378	{
379	if (sec_desc->dacl)
380	return regfi_get_acl(sec_desc->dacl);
381	else
382	return NULL;
383	}
384
385
386	char* regfi_get_owner(WINSEC_DESC *sec_desc)
387	{
388	return regfi_sid2str(sec_desc->owner_sid);
389	}
390
391
392	char* regfi_get_group(WINSEC_DESC *sec_desc)
393	{
394	return regfi_sid2str(sec_desc->grp_sid);
395	}
396
397
398	/*****************************************************************************
399	* This function is just like read(2), except that it continues to
400	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
401	* regfi_read will attempt to read length bytes from fd and write them to buf.
402	*
403	* On success, 0 is returned. Upon failure, an errno code is returned.
404	*
405	* The number of bytes successfully read is returned through the length
406	* parameter by reference. If both the return value and length parameter are
407	* returned as 0, then EOF was encountered immediately
408	*****************************************************************************/
409	uint32 regfi_read(int fd, uint8* buf, uint32* length)
410	{
411	uint32 rsize = 0;
412	uint32 rret = 0;
413
414	do
415	{
416	rret = read(fd, buf + rsize, *length - rsize);
417	if(rret > 0)
418	rsize += rret;
419	}while(*length - rsize > 0
420	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
421
422	*length = rsize;
423	if (rret == -1 && errno != EINTR && errno != EAGAIN)
424	return errno;
425
426	return 0;
427	}
428
429
430	/*****************************************************************************
431	*
432	*****************************************************************************/
433	bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len,
434	uint32* cell_length, bool* unalloc)
435	{
436	uint32 length;
437	int32 raw_length;
438	uint8 tmp[4];
439
440	if(lseek(fd, offset, SEEK_SET) == -1)
441	return false;
442
443	length = 4;
444	if((regfi_read(fd, tmp, &length) != 0) \|\| length != 4)
445	return false;
446	raw_length = IVALS(tmp, 0);
447
448	if(raw_length < 0)
449	{
450	(cell_length) = raw_length(-1);
451	(*unalloc) = false;
452	}
453	else
454	{
455	(*cell_length) = raw_length;
456	(*unalloc) = true;
457	}
458
459	if(*cell_length - 4 < hdr_len)
460	return false;
461
462	if(hdr_len > 0)
463	{
464	length = hdr_len;
465	if((regfi_read(fd, hdr, &length) != 0) \|\| length != hdr_len)
466	return false;
467	}
468
469	return true;
470	}
471
472
473	/*******************************************************************
474	* Given an offset and an hbin, is the offset within that hbin?
475	* The offset is a virtual file offset.
476	*******************************************************************/
477	static bool regfi_offset_in_hbin(REGFI_HBIN* hbin, uint32 offset)
478	{
479	if(!hbin)
480	return false;
481
482	if((offset > hbin->first_hbin_off)
483	&& (offset < (hbin->first_hbin_off + hbin->block_size)))
484	return true;
485
486	return false;
487	}
488
489
490
491	/*******************************************************************
492	* Provide a virtual offset and receive the correpsonding HBIN
493	* block for it. NULL if one doesn't exist.
494	*******************************************************************/
495	REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32 offset)
496	{
497	return (REGFI_HBIN*)range_list_find_data(file->hbins, offset+REGFI_REGF_SIZE);
498	}
499
500
501
502	/******************************************************************************
503	******************************************************************************/
504	REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32 offset,
505	uint32 num_keys, uint32 max_size,
506	bool strict)
507	{
508	REGFI_SUBKEY_LIST* ret_val;
509
510	ret_val = regfi_load_subkeylist_aux(file, offset, max_size, strict,
511	REGFI_MAX_SUBKEY_DEPTH);
512
513	if(num_keys != ret_val->num_keys)
514	{
515	/* Not sure which should be authoritative, the number from the
516	* NK record, or the number in the subkey list. Just emit a warning for
517	* now if they don't match.
518	*/
519	regfi_add_message(file, REGFI_MSG_WARN, "Number of subkeys listed in parent"
520	" (%d) did not match number found in subkey list/tree (%d)"
521	" while parsing subkey list/tree at offset 0x%.8X.",
522	num_keys, ret_val->num_keys, offset);
523	}
524
525	return ret_val;
526	}
527
528
529	/******************************************************************************
530	******************************************************************************/
531	REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32 offset,
532	uint32 max_size, bool strict,
533	uint8 depth_left)
534	{
535	REGFI_SUBKEY_LIST* ret_val;
536	REGFI_SUBKEY_LIST** sublists;
537	REGFI_HBIN* sublist_hbin;
538	uint32 i, num_sublists, off, max_length;
539
540	if(depth_left == 0)
541	{
542	regfi_add_message(file, REGFI_MSG_WARN, "Maximum depth reached"
543	" while parsing subkey list/tree at offset 0x%.8X.",
544	offset);
545	return NULL;
546	}
547
548	ret_val = regfi_parse_subkeylist(file, offset, max_size, strict);
549	if(ret_val == NULL)
550	return NULL;
551
552	if(ret_val->recursive_type)
553	{
554	num_sublists = ret_val->num_children;
555	sublists = (REGFI_SUBKEY_LIST**)zalloc(num_sublists
556	* sizeof(REGFI_SUBKEY_LIST*));
557	for(i=0; i < num_sublists; i++)
558	{
559	off = ret_val->elements[i].offset + REGFI_REGF_SIZE;
560	sublist_hbin = regfi_lookup_hbin(file, ret_val->elements[i].offset);
561	if(sublist_hbin == NULL)
562	sublists[i] = NULL;
563	else
564	{
565	max_length = sublist_hbin->block_size + sublist_hbin->file_off - off;
566	sublists[i] = regfi_load_subkeylist_aux(file, off, max_length, strict,
567	depth_left-1);
568	}
569	}
570	free(ret_val);
571
572	return regfi_merge_subkeylists(num_sublists, sublists, strict);
573	}
574
575	return ret_val;
576	}
577
578
579	/******************************************************************************
580	******************************************************************************/
581	REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32 offset,
582	uint32 max_size, bool strict)
583	{
584	REGFI_SUBKEY_LIST* ret_val;
585	uint32 i, cell_length, length, elem_size;
586	uint8* elements;
587	uint8 buf[REGFI_SUBKEY_LIST_MIN_LEN];
588	bool unalloc;
589	bool recursive_type;
590
591	if(!regfi_parse_cell(file->fd, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN,
592	&cell_length, &unalloc))
593	{
594	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while "
595	"parsing subkey-list at offset 0x%.8X.", offset);
596	return NULL;
597	}
598
599	if(cell_length > max_size)
600	{
601	regfi_add_message(file, REGFI_MSG_WARN, "Cell size longer than max_size"
602	" while parsing subkey-list at offset 0x%.8X.", offset);
603	if(strict)
604	return NULL;
605	cell_length = max_size & 0xFFFFFFF8;
606	}
607
608	recursive_type = false;
609	if(buf[0] == 'r' && buf[1] == 'i')
610	{
611	recursive_type = true;
612	elem_size = sizeof(uint32);
613	}
614	else if(buf[0] == 'l' && buf[1] == 'i')
615	elem_size = sizeof(uint32);
616	else if((buf[0] == 'l') && (buf[1] == 'f' \|\| buf[1] == 'h'))
617	elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM);
618	else
619	{
620	regfi_add_message(file, REGFI_MSG_ERROR, "Unknown magic number"
621	" (0x%.2X, 0x%.2X) encountered while parsing"
622	" subkey-list at offset 0x%.8X.", buf[0], buf[1], offset);
623	return NULL;
624	}
625
626	ret_val = (REGFI_SUBKEY_LIST*)zalloc(sizeof(REGFI_SUBKEY_LIST));
627	if(ret_val == NULL)
628	return NULL;
629
630	ret_val->offset = offset;
631	ret_val->cell_size = cell_length;
632	ret_val->magic[0] = buf[0];
633	ret_val->magic[1] = buf[1];
634	ret_val->recursive_type = recursive_type;
635	ret_val->num_children = SVAL(buf, 0x2);
636
637	if(!recursive_type)
638	ret_val->num_keys = ret_val->num_children;
639
640	length = elem_size*ret_val->num_children;
641	if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32) < length)
642	{
643	regfi_add_message(file, REGFI_MSG_WARN, "Number of elements too large for"
644	" cell while parsing subkey-list at offset 0x%.8X.",
645	offset);
646	if(strict)
647	{
648	free(ret_val);
649	return NULL;
650	}
651	length = cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32);
652	}
653
654	ret_val->elements
655	= (REGFI_SUBKEY_LIST_ELEM*)zalloc(ret_val->num_children
656	* sizeof(REGFI_SUBKEY_LIST_ELEM));
657	if(ret_val->elements == NULL)
658	{
659	free(ret_val);
660	return NULL;
661	}
662
663	elements = (uint8*)zalloc(length);
664	if(elements == NULL)
665	{
666	free(ret_val->elements);
667	free(ret_val);
668	return NULL;
669	}
670
671	if(regfi_read(file->fd, elements, &length) != 0
672	\|\| length != elem_size*ret_val->num_children)
673	{
674	free(ret_val->elements);
675	free(ret_val);
676	return NULL;
677	}
678
679	if(elem_size == sizeof(uint32))
680	{
681	for (i=0; i < ret_val->num_children; i++)
682	{
683	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
684	ret_val->elements[i].hash = 0;
685	}
686	}
687	else
688	{
689	for (i=0; i < ret_val->num_children; i++)
690	{
691	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
692	ret_val->elements[i].hash = IVAL(elements, i*elem_size+4);
693	}
694	}
695	free(elements);
696
697	return ret_val;
698	}
699
700
701	/*******************************************************************
702	*******************************************************************/
703	REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16 num_lists,
704	REGFI_SUBKEY_LIST** lists,
705	bool strict)
706	{
707	uint32 i,j,k;
708	REGFI_SUBKEY_LIST* ret_val;
709
710	if(lists == NULL)
711	return NULL;
712	ret_val = (REGFI_SUBKEY_LIST*)zalloc(sizeof(REGFI_SUBKEY_LIST));
713
714	if(ret_val == NULL)
715	return NULL;
716
717	/* Obtain total number of elements */
718	ret_val->num_keys = 0;
719	for(i=0; i < num_lists; i++)
720	{
721	if(lists[i] != NULL)
722	ret_val->num_keys += lists[i]->num_children;
723	}
724	ret_val->num_children = ret_val->num_keys;
725
726	if(ret_val->num_keys > 0)
727	{
728	ret_val->elements =
729	(REGFI_SUBKEY_LIST_ELEM*)zalloc(sizeof(REGFI_SUBKEY_LIST_ELEM)
730	* ret_val->num_keys);
731	k=0;
732
733	if(ret_val->elements != NULL)
734	{
735	for(i=0; i < num_lists; i++)
736	{
737	if(lists[i] != NULL)
738	{
739	for(j=0; j < lists[i]->num_keys; j++)
740	{
741	ret_val->elements[k].hash=lists[i]->elements[j].hash;
742	ret_val->elements[k++].offset=lists[i]->elements[j].offset;
743	}
744	}
745	}
746	}
747	}
748
749	for(i=0; i < num_lists; i++)
750	regfi_subkeylist_free(lists[i]);
751	free(lists);
752
753	return ret_val;
754	}
755
756
757	/*******************************************************************
758	*******************************************************************/
759	REGFI_SK_REC* regfi_parse_sk(REGFI_FILE* file, uint32 offset, uint32 max_size, bool strict)
760	{
761	REGFI_SK_REC* ret_val;
762	uint8* sec_desc_buf;
763	uint32 cell_length, length;
764	/prs_struct ps;/
765	uint8 sk_header[REGFI_SK_MIN_LENGTH];
766	bool unalloc = false;
767
768	if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH,
769	&cell_length, &unalloc))
770	{
771	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse SK record cell"
772	" at offset 0x%.8X.", offset);
773	return NULL;
774	}
775
776	if(sk_header[0] != 's' \|\| sk_header[1] != 'k')
777	{
778	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
779	" SK record at offset 0x%.8X.", offset);
780	return NULL;
781	}
782
783	ret_val = (REGFI_SK_REC*)zalloc(sizeof(REGFI_SK_REC));
784	if(ret_val == NULL)
785	return NULL;
786
787	ret_val->offset = offset;
788	/* XXX: Is there a way to be more conservative (shorter) with
789	* cell length when cell is unallocated?
790	*/
791	ret_val->cell_size = cell_length;
792
793	if(ret_val->cell_size > max_size)
794	ret_val->cell_size = max_size & 0xFFFFFFF8;
795	if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
796	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
797	{
798	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size found while"
799	" parsing SK record at offset 0x%.8X.", offset);
800	free(ret_val);
801	return NULL;
802	}
803
804	ret_val->magic[0] = sk_header[0];
805	ret_val->magic[1] = sk_header[1];
806
807	ret_val->unknown_tag = SVAL(sk_header, 0x2);
808	ret_val->prev_sk_off = IVAL(sk_header, 0x4);
809	ret_val->next_sk_off = IVAL(sk_header, 0x8);
810	ret_val->ref_count = IVAL(sk_header, 0xC);
811	ret_val->desc_size = IVAL(sk_header, 0x10);
812
813	if(ret_val->prev_sk_off != (ret_val->prev_sk_off & 0xFFFFFFF8)
814	\|\| ret_val->next_sk_off != (ret_val->next_sk_off & 0xFFFFFFF8))
815	{
816	regfi_add_message(file, REGFI_MSG_WARN, "SK record's next/previous offsets"
817	" are not a multiple of 8 while parsing SK record at"
818	" offset 0x%.8X.", offset);
819	free(ret_val);
820	return NULL;
821	}
822
823	if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
824	{
825	regfi_add_message(file, REGFI_MSG_WARN, "Security descriptor too large for"
826	" cell while parsing SK record at offset 0x%.8X.",
827	offset);
828	free(ret_val);
829	return NULL;
830	}
831
832	sec_desc_buf = (uint8*)zalloc(ret_val->desc_size);
833	if(ret_val == NULL)
834	{
835	free(ret_val);
836	return NULL;
837	}
838
839	length = ret_val->desc_size;
840	if(regfi_read(file->fd, sec_desc_buf, &length) != 0
841	\|\| length != ret_val->desc_size)
842	{
843	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read security"
844	" descriptor while parsing SK record at offset 0x%.8X.",
845	offset);
846	free(ret_val);
847	return NULL;
848	}
849
850	if(!(ret_val->sec_desc = winsec_parse_desc(sec_desc_buf, ret_val->desc_size)))
851	{
852	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to parse security"
853	" descriptor while parsing SK record at offset 0x%.8X.",
854	offset);
855	free(sec_desc_buf);
856	free(ret_val);
857	return NULL;
858	}
859	free(sec_desc_buf);
860
861
862	return ret_val;
863	}
864
865
866	uint32* regfi_parse_valuelist(REGFI_FILE* file, uint32 offset,
867	uint32 num_values, bool strict)
868	{
869	uint32* ret_val;
870	uint32 i, cell_length, length, read_len;
871	bool unalloc;
872
873	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
874	{
875	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read cell header"
876	" while parsing value list at offset 0x%.8X.", offset);
877	return NULL;
878	}
879
880	if(cell_length != (cell_length & 0xFFFFFFF8))
881	{
882	if(strict)
883	return NULL;
884	cell_length = cell_length & 0xFFFFFFF8;
885	}
886	if((num_values * sizeof(uint32)) > cell_length-sizeof(uint32))
887	{
888	regfi_add_message(file, REGFI_MSG_WARN, "Too many values found"
889	" while parsing value list at offset 0x%.8X.", offset);
890	/* XXX: During non-strict, should reduce num_values appropriately and
891	* continue instead of bailing out.
892	*/
893	return NULL;
894	}
895
896	read_len = num_values*sizeof(uint32);
897	ret_val = (uint32*)malloc(read_len);
898	if(ret_val == NULL)
899	return NULL;
900
901	length = read_len;
902	if((regfi_read(file->fd, (uint8*)ret_val, &length) != 0) \|\| length != read_len)
903	{
904	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read value pointers"
905	" while parsing value list at offset 0x%.8X.", offset);
906	free(ret_val);
907	return NULL;
908	}
909
910	for(i=0; i < num_values; i++)
911	{
912	/* Fix endianness */
913	ret_val[i] = IVAL(&ret_val[i], 0);
914
915	/* Validate the first num_values values to ensure they make sense */
916	if(strict)
917	{
918	if((ret_val[i] + REGFI_REGF_SIZE > file->file_length)
919	\|\| ((ret_val[i] & 0xFFFFFFF8) != ret_val[i]))
920	{
921	regfi_add_message(file, REGFI_MSG_ERROR, "Invalid value pointer"
922	" (0x%.8X) found while parsing value list at offset"
923	" 0x%.8X.", ret_val[i], offset);
924	free(ret_val);
925	return NULL;
926	}
927	}
928	}
929
930	return ret_val;
931	}
932
933
934
935	/******************************************************************************
936	* If !strict, the list may contain NULLs, VK records may point to NULL.
937	******************************************************************************/
938	REGFI_VK_REC** regfi_load_valuelist(REGFI_FILE* file, uint32 offset,
939	uint32 num_values, uint32 max_size,
940	bool strict)
941	{
942	REGFI_VK_REC** ret_val;
943	REGFI_HBIN* hbin;
944	uint32 i, vk_offset, vk_max_length, usable_num_values;
945	uint32* voffsets;
946
947	if((num_values+1) * sizeof(uint32) > max_size)
948	{
949	if(strict)
950	return NULL;
951	usable_num_values = max_size/sizeof(uint32) - sizeof(uint32);
952	}
953	else
954	usable_num_values = num_values;
955
956	voffsets = regfi_parse_valuelist(file, offset, usable_num_values, strict);
957	if(voffsets == NULL)
958	return NULL;
959
960	ret_val = (REGFI_VK_REC*)zalloc(sizeof(REGFI_VK_REC) * usable_num_values);
961	if(ret_val == NULL)
962	{
963	free(voffsets);
964	return NULL;
965	}
966
967	for(i=0; i < usable_num_values; i++)
968	{
969	hbin = regfi_lookup_hbin(file, voffsets[i]);
970	if(!hbin)
971	{
972	free(voffsets);
973	free(ret_val);
974	return NULL;
975	}
976
977	vk_offset = voffsets[i] + REGFI_REGF_SIZE;
978	vk_max_length = hbin->block_size + hbin->file_off - vk_offset;
979	ret_val[i] = regfi_parse_vk(file, vk_offset, vk_max_length, strict);
980	if(ret_val[i] == NULL)
981	{ /* If we're being strict, throw out the whole list.
982	* Otherwise, let it be NULL.
983	*/
984	if(strict)
985	{
986	free(voffsets);
987	free(ret_val);
988	return NULL;
989	}
990	}
991	}
992
993	free(voffsets);
994	return ret_val;
995	}
996
997
998
999	/*******************************************************************
1000	* XXX: Need to add full key caching using a
1001	* custom cache structure.
1002	*******************************************************************/
1003	REGFI_NK_REC* regfi_load_key(REGFI_FILE* file, uint32 offset, bool strict)
1004	{
1005	REGFI_HBIN* hbin;
1006	REGFI_HBIN* sub_hbin;
1007	REGFI_NK_REC* nk;
1008	uint32 max_length, off;
1009
1010	hbin = regfi_lookup_hbin(file, offset-REGFI_REGF_SIZE);
1011	if (hbin == NULL)
1012	return NULL;
1013
1014	/* get the initial nk record */
1015	max_length = hbin->block_size + hbin->file_off - offset;
1016	if ((nk = regfi_parse_nk(file, offset, max_length, true)) == NULL)
1017	{
1018	regfi_add_message(file, REGFI_MSG_ERROR, "Could not load NK record at"
1019	" offset 0x%.8X.", offset);
1020	return NULL;
1021	}
1022
1023	/* fill in values */
1024	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
1025	{
1026	sub_hbin = hbin;
1027	if(!regfi_offset_in_hbin(hbin, nk->values_off))
1028	sub_hbin = regfi_lookup_hbin(file, nk->values_off);
1029
1030	if(sub_hbin == NULL)
1031	{
1032	if(strict)
1033	{
1034	free(nk);
1035	return NULL;
1036	}
1037	else
1038	nk->values = NULL;
1039
1040	}
1041	else
1042	{
1043	off = nk->values_off + REGFI_REGF_SIZE;
1044	max_length = sub_hbin->block_size + sub_hbin->file_off - off;
1045	nk->values = regfi_load_valuelist(file, off, nk->num_values, max_length,
1046	true);
1047	if(strict && nk->values == NULL)
1048	{
1049	regfi_add_message(file, REGFI_MSG_ERROR, "Could not load value list"
1050	" for NK record at offset 0x%.8X.",
1051	offset);
1052	free(nk);
1053	return NULL;
1054	}
1055
1056	}
1057	}
1058
1059	/* now get subkeys */
1060	if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE))
1061	{
1062	sub_hbin = hbin;
1063	if(!regfi_offset_in_hbin(hbin, nk->subkeys_off))
1064	sub_hbin = regfi_lookup_hbin(file, nk->subkeys_off);
1065
1066	if (sub_hbin == NULL)
1067	{
1068	if(strict)
1069	{
1070	regfi_key_free(nk);
1071	return NULL;
1072	}
1073	else
1074	nk->subkeys = NULL;
1075	}
1076	else
1077	{
1078	off = nk->subkeys_off + REGFI_REGF_SIZE;
1079	max_length = sub_hbin->block_size + sub_hbin->file_off - off;
1080	nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys,
1081	max_length, true);
1082
1083	if(nk->subkeys == NULL)
1084	{
1085	regfi_add_message(file, REGFI_MSG_WARN, "Could not load subkey list"
1086	" while parsing NK record at offset 0x%.8X.", offset);
1087	nk->num_subkeys = 0;
1088	}
1089	}
1090	}
1091
1092	return nk;
1093	}
1094
1095
1096	/******************************************************************************
1097	******************************************************************************/
1098	static bool regfi_find_root_nk(REGFI_FILE* file, uint32 offset, uint32 hbin_size,
1099	uint32* root_offset)
1100	{
1101	uint8 tmp[4];
1102	int32 record_size;
1103	uint32 length, hbin_offset = 0;
1104	REGFI_NK_REC* nk = NULL;
1105	bool found = false;
1106
1107	for(record_size=0; !found && (hbin_offset < hbin_size); )
1108	{
1109	if(lseek(file->fd, offset+hbin_offset, SEEK_SET) == -1)
1110	return false;
1111
1112	length = 4;
1113	if((regfi_read(file->fd, tmp, &length) != 0) \|\| length != 4)
1114	return false;
1115	record_size = IVALS(tmp, 0);
1116
1117	if(record_size < 0)
1118	{
1119	record_size = record_size*(-1);
1120	nk = regfi_parse_nk(file, offset+hbin_offset, hbin_size-hbin_offset, true);
1121	if(nk != NULL)
1122	{
1123	if((nk->key_type == REGFI_NK_TYPE_ROOTKEY1)
1124	\|\| (nk->key_type == REGFI_NK_TYPE_ROOTKEY2))
1125	{
1126	found = true;
1127	*root_offset = nk->offset;
1128	}
1129	free(nk);
1130	}
1131	}
1132
1133	hbin_offset += record_size;
1134	}
1135
1136	return found;
1137	}
1138
1139
1140	/*******************************************************************
1141	* Open the registry file and then read in the REGF block to get the
1142	* first hbin offset.
1143	*******************************************************************/
1144	REGFI_FILE* regfi_open(const char* filename)
1145	{
1146	struct stat sbuf;
1147	REGFI_FILE* rb;
1148	REGFI_HBIN* hbin = NULL;
1149	uint32 hbin_off, file_length;
1150	int fd;
1151	bool rla;
1152
1153	/* open an existing file */
1154	if ((fd = open(filename, O_RDONLY)) == -1)
1155	{
1156	/* DEBUG(0,("regfi_open: failure to open %s (%s)\n", filename, strerror(errno)));*/
1157	return NULL;
1158	}
1159
1160	/* Determine file length. Must be at least big enough
1161	* for the header and one hbin.
1162	*/
1163	if (fstat(fd, &sbuf) == -1)
1164	return NULL;
1165	file_length = sbuf.st_size;
1166	if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC)
1167	return NULL;
1168
1169	/* read in an existing file */
1170	if ((rb = regfi_parse_regf(fd, true)) == NULL)
1171	{
1172	/* DEBUG(0,("regfi_open: Failed to read initial REGF block\n"));*/
1173	close(fd);
1174	return NULL;
1175	}
1176	rb->file_length = file_length;
1177
1178	rb->hbins = range_list_new();
1179	if(rb->hbins == NULL)
1180	{
1181	range_list_free(rb->hbins);
1182	close(fd);
1183	free(rb);
1184	return NULL;
1185	}
1186
1187	rla = true;
1188	hbin_off = REGFI_REGF_SIZE;
1189	hbin = regfi_parse_hbin(rb, hbin_off, true);
1190	while(hbin && rla)
1191	{
1192	rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
1193	hbin_off = hbin->file_off + hbin->block_size;
1194	hbin = regfi_parse_hbin(rb, hbin_off, true);
1195	}
1196
1197	/* Default message mask */
1198	rb->msg_mask = REGFI_MSG_ERROR\|REGFI_MSG_WARN;
1199
1200	/* success */
1201	return rb;
1202	}
1203
1204
1205	/*******************************************************************
1206	*******************************************************************/
1207	int regfi_close( REGFI_FILE *file )
1208	{
1209	int fd;
1210	uint32 i;
1211
1212	/* nothing to do if there is no open file */
1213	if ((file == NULL) \|\| (file->fd == -1))
1214	return 0;
1215
1216	fd = file->fd;
1217	file->fd = -1;
1218	for(i=0; i < range_list_size(file->hbins); i++)
1219	free(range_list_get(file->hbins, i)->data);
1220	range_list_free(file->hbins);
1221
1222	free(file);
1223
1224	return close(fd);
1225	}
1226
1227
1228	/******************************************************************************
1229	* There should be only one root key in the registry file based
1230	* on my experience. --jerry
1231	*****************************************************************************/
1232	REGFI_NK_REC* regfi_rootkey(REGFI_FILE *file)
1233	{
1234	REGFI_NK_REC* nk = NULL;
1235	REGFI_HBIN* hbin;
1236	uint32 root_offset, i, num_hbins;
1237
1238	if(!file)
1239	return NULL;
1240
1241	/* Scan through the file one HBIN block at a time looking
1242	for an NK record with a type == 0x002c.
1243	Normally this is the first nk record in the first hbin
1244	block (but I'm not assuming that for now) */
1245
1246	num_hbins = range_list_size(file->hbins);
1247	for(i=0; i < num_hbins; i++)
1248	{
1249	hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data;
1250	if(regfi_find_root_nk(file, hbin->file_off+REGFI_HBIN_HEADER_SIZE,
1251	hbin->block_size-REGFI_HBIN_HEADER_SIZE, &root_offset))
1252	{
1253	nk = regfi_load_key(file, root_offset, true);
1254	break;
1255	}
1256	}
1257
1258	return nk;
1259	}
1260
1261
1262	/******************************************************************************
1263	*****************************************************************************/
1264	void regfi_key_free(REGFI_NK_REC* nk)
1265	{
1266	uint32 i;
1267
1268	if((nk->values != NULL) && (nk->values_off!=REGFI_OFFSET_NONE))
1269	{
1270	for(i=0; i < nk->num_values; i++)
1271	{
1272	if(nk->values[i]->valuename != NULL)
1273	free(nk->values[i]->valuename);
1274	if(nk->values[i]->data != NULL)
1275	free(nk->values[i]->data);
1276	free(nk->values[i]);
1277	}
1278	free(nk->values);
1279	}
1280
1281	regfi_subkeylist_free(nk->subkeys);
1282
1283	if(nk->keyname != NULL)
1284	free(nk->keyname);
1285	if(nk->classname != NULL)
1286	free(nk->classname);
1287
1288	/* XXX: not freeing sec_desc because these are cached. This needs to be reviewed. */
1289	free(nk);
1290	}
1291
1292
1293	/******************************************************************************
1294	*****************************************************************************/
1295	void regfi_subkeylist_free(REGFI_SUBKEY_LIST* list)
1296	{
1297	if(list != NULL)
1298	{
1299	free(list->elements);
1300	free(list);
1301	}
1302	}
1303
1304
1305	/******************************************************************************
1306	*****************************************************************************/
1307	REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* fh)
1308	{
1309	REGFI_NK_REC* root;
1310	REGFI_ITERATOR* ret_val = (REGFI_ITERATOR*)malloc(sizeof(REGFI_ITERATOR));
1311	if(ret_val == NULL)
1312	return NULL;
1313
1314	root = regfi_rootkey(fh);
1315	if(root == NULL)
1316	{
1317	free(ret_val);
1318	return NULL;
1319	}
1320
1321	ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH);
1322	if(ret_val->key_positions == NULL)
1323	{
1324	free(ret_val);
1325	free(root);
1326	return NULL;
1327	}
1328
1329	/* This secret isn't very secret, but we don't need a good one. This
1330	* secret is just designed to prevent someone from trying to blow our
1331	* caching and make things slow.
1332	*/
1333	ret_val->sk_recs = lru_cache_create(127, 0x15DEAD05^time(NULL)
1334	^(getpid()<<16)^(getppid()<<8),
1335	true);
1336
1337	ret_val->f = fh;
1338	ret_val->cur_key = root;
1339	ret_val->cur_subkey = 0;
1340	ret_val->cur_value = 0;
1341
1342	return ret_val;
1343	}
1344
1345
1346	/******************************************************************************
1347	*****************************************************************************/
1348	void regfi_iterator_free(REGFI_ITERATOR* i)
1349	{
1350	REGFI_ITER_POSITION* cur;
1351
1352	if(i->cur_key != NULL)
1353	regfi_key_free(i->cur_key);
1354
1355	while((cur = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions)) != NULL)
1356	{
1357	regfi_key_free(cur->nk);
1358	free(cur);
1359	}
1360
1361	lru_cache_destroy(i->sk_recs);
1362
1363	free(i);
1364	}
1365
1366
1367
1368	/******************************************************************************
1369	*****************************************************************************/
1370	/* XXX: some way of indicating reason for failure should be added. */
1371	bool regfi_iterator_down(REGFI_ITERATOR* i)
1372	{
1373	REGFI_NK_REC* subkey;
1374	REGFI_ITER_POSITION* pos;
1375
1376	pos = (REGFI_ITER_POSITION*)malloc(sizeof(REGFI_ITER_POSITION));
1377	if(pos == NULL)
1378	return false;
1379
1380	subkey = (REGFI_NK_REC*)regfi_iterator_cur_subkey(i);
1381	if(subkey == NULL)
1382	{
1383	free(pos);
1384	return false;
1385	}
1386
1387	pos->nk = i->cur_key;
1388	pos->cur_subkey = i->cur_subkey;
1389	if(!void_stack_push(i->key_positions, pos))
1390	{
1391	free(pos);
1392	regfi_key_free(subkey);
1393	return false;
1394	}
1395
1396	i->cur_key = subkey;
1397	i->cur_subkey = 0;
1398	i->cur_value = 0;
1399
1400	return true;
1401	}
1402
1403
1404	/******************************************************************************
1405	*****************************************************************************/
1406	bool regfi_iterator_up(REGFI_ITERATOR* i)
1407	{
1408	REGFI_ITER_POSITION* pos;
1409
1410	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
1411	if(pos == NULL)
1412	return false;
1413
1414	regfi_key_free(i->cur_key);
1415	i->cur_key = pos->nk;
1416	i->cur_subkey = pos->cur_subkey;
1417	i->cur_value = 0;
1418	free(pos);
1419
1420	return true;
1421	}
1422
1423
1424	/******************************************************************************
1425	*****************************************************************************/
1426	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
1427	{
1428	while(regfi_iterator_up(i))
1429	continue;
1430
1431	return true;
1432	}
1433
1434
1435	/******************************************************************************
1436	*****************************************************************************/
1437	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
1438	{
1439	REGFI_NK_REC* subkey;
1440	bool found = false;
1441	uint32 old_subkey = i->cur_subkey;
1442
1443	if(subkey_name == NULL)
1444	return false;
1445
1446	/* XXX: this alloc/free of each sub key might be a bit excessive */
1447	subkey = (REGFI_NK_REC*)regfi_iterator_first_subkey(i);
1448	while((subkey != NULL) && (found == false))
1449	{
1450	if(subkey->keyname != NULL
1451	&& strcasecmp(subkey->keyname, subkey_name) == 0)
1452	found = true;
1453	else
1454	{
1455	regfi_key_free(subkey);
1456	subkey = (REGFI_NK_REC*)regfi_iterator_next_subkey(i);
1457	}
1458	}
1459
1460	if(found == false)
1461	{
1462	i->cur_subkey = old_subkey;
1463	return false;
1464	}
1465
1466	regfi_key_free(subkey);
1467	return true;
1468	}
1469
1470
1471	/******************************************************************************
1472	*****************************************************************************/
1473	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
1474	{
1475	uint32 x;
1476	if(path == NULL)
1477	return false;
1478
1479	for(x=0;
1480	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
1481	&& regfi_iterator_down(i));
1482	x++)
1483	{ continue; }
1484
1485	if(path[x] == NULL)
1486	return true;
1487
1488	/* XXX: is this the right number of times? */
1489	for(; x > 0; x--)
1490	regfi_iterator_up(i);
1491
1492	return false;
1493	}
1494
1495
1496	/******************************************************************************
1497	*****************************************************************************/
1498	const REGFI_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
1499	{
1500	return i->cur_key;
1501	}
1502
1503
1504	/******************************************************************************
1505	*****************************************************************************/
1506	const REGFI_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i)
1507	{
1508	REGFI_SK_REC* ret_val = NULL;
1509	REGFI_HBIN* hbin;
1510	uint32 max_length, off;
1511
1512	if(i->cur_key == NULL)
1513	return NULL;
1514
1515	/* First look if we have already parsed it */
1516	if((i->cur_key->sk_off!=REGFI_OFFSET_NONE)
1517	&& !(ret_val =(REGFI_SK_REC*)lru_cache_find(i->sk_recs,
1518	&i->cur_key->sk_off, 4)))
1519	{
1520	hbin = regfi_lookup_hbin(i->f, i->cur_key->sk_off);
1521
1522	if(hbin == NULL)
1523	return NULL;
1524
1525	off = i->cur_key->sk_off + REGFI_REGF_SIZE;
1526	max_length = hbin->block_size + hbin->file_off - off;
1527	ret_val = regfi_parse_sk(i->f, off, max_length, true);
1528	if(ret_val == NULL)
1529	return NULL;
1530
1531	ret_val->sk_off = i->cur_key->sk_off;
1532	lru_cache_update(i->sk_recs, &i->cur_key->sk_off, 4, ret_val);
1533	}
1534
1535	return ret_val;
1536	}
1537
1538
1539
1540	/******************************************************************************
1541	*****************************************************************************/
1542	const REGFI_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
1543	{
1544	i->cur_subkey = 0;
1545	return regfi_iterator_cur_subkey(i);
1546	}
1547
1548
1549	/******************************************************************************
1550	*****************************************************************************/
1551	const REGFI_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
1552	{
1553	uint32 nk_offset;
1554
1555	/* see if there is anything left to report */
1556	if (!(i->cur_key) \|\| (i->cur_key->subkeys_off==REGFI_OFFSET_NONE)
1557	\|\| (i->cur_subkey >= i->cur_key->num_subkeys))
1558	return NULL;
1559
1560	nk_offset = i->cur_key->subkeys->elements[i->cur_subkey].offset;
1561
1562	return regfi_load_key(i->f, nk_offset+REGFI_REGF_SIZE, true);
1563	}
1564
1565
1566	/******************************************************************************
1567	*****************************************************************************/
1568	/* XXX: some way of indicating reason for failure should be added. */
1569	const REGFI_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
1570	{
1571	const REGFI_NK_REC* subkey;
1572
1573	i->cur_subkey++;
1574	subkey = regfi_iterator_cur_subkey(i);
1575
1576	if(subkey == NULL)
1577	i->cur_subkey--;
1578
1579	return subkey;
1580	}
1581
1582
1583	/******************************************************************************
1584	*****************************************************************************/
1585	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
1586	{
1587	const REGFI_VK_REC* cur;
1588	bool found = false;
1589
1590	/* XXX: cur->valuename can be NULL in the registry.
1591	* Should we allow for a way to search for that?
1592	*/
1593	if(value_name == NULL)
1594	return false;
1595
1596	cur = regfi_iterator_first_value(i);
1597	while((cur != NULL) && (found == false))
1598	{
1599	if((cur->valuename != NULL)
1600	&& (strcasecmp(cur->valuename, value_name) == 0))
1601	found = true;
1602	else
1603	cur = regfi_iterator_next_value(i);
1604	}
1605
1606	return found;
1607	}
1608
1609
1610	/******************************************************************************
1611	*****************************************************************************/
1612	const REGFI_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
1613	{
1614	i->cur_value = 0;
1615	return regfi_iterator_cur_value(i);
1616	}
1617
1618
1619	/******************************************************************************
1620	*****************************************************************************/
1621	const REGFI_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
1622	{
1623	REGFI_VK_REC* ret_val = NULL;
1624	if(i->cur_value < i->cur_key->num_values)
1625	ret_val = i->cur_key->values[i->cur_value];
1626
1627	return ret_val;
1628	}
1629
1630
1631	/******************************************************************************
1632	*****************************************************************************/
1633	const REGFI_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
1634	{
1635	const REGFI_VK_REC* ret_val;
1636
1637	i->cur_value++;
1638	ret_val = regfi_iterator_cur_value(i);
1639	if(ret_val == NULL)
1640	i->cur_value--;
1641
1642	return ret_val;
1643	}
1644
1645
1646
1647	/*******************************************************************
1648	* Computes the checksum of the registry file header.
1649	* buffer must be at least the size of an regf header (4096 bytes).
1650	*******************************************************************/
1651	static uint32 regfi_compute_header_checksum(uint8* buffer)
1652	{
1653	uint32 checksum, x;
1654	int i;
1655
1656	/* XOR of all bytes 0x0000 - 0x01FB */
1657
1658	checksum = x = 0;
1659
1660	for ( i=0; i<0x01FB; i+=4 ) {
1661	x = IVAL(buffer, i );
1662	checksum ^= x;
1663	}
1664
1665	return checksum;
1666	}
1667
1668
1669	/*******************************************************************
1670	* XXX: Add way to return more detailed error information.
1671	*******************************************************************/
1672	REGFI_FILE* regfi_parse_regf(int fd, bool strict)
1673	{
1674	uint8 file_header[REGFI_REGF_SIZE];
1675	uint32 length;
1676	REGFI_FILE* ret_val;
1677
1678	ret_val = (REGFI_FILE*)zalloc(sizeof(REGFI_FILE));
1679	if(ret_val == NULL)
1680	return NULL;
1681
1682	ret_val->fd = fd;
1683
1684	length = REGFI_REGF_SIZE;
1685	if((regfi_read(fd, file_header, &length)) != 0
1686	\|\| length != REGFI_REGF_SIZE)
1687	{
1688	free(ret_val);
1689	return NULL;
1690	}
1691
1692	ret_val->checksum = IVAL(file_header, 0x1FC);
1693	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
1694	if (strict && (ret_val->checksum != ret_val->computed_checksum))
1695	{
1696	free(ret_val);
1697	return NULL;
1698	}
1699
1700	memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
1701	if(strict && (memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0))
1702	{
1703	free(ret_val);
1704	return NULL;
1705	}
1706
1707	ret_val->unknown1 = IVAL(file_header, 0x4);
1708	ret_val->unknown2 = IVAL(file_header, 0x8);
1709
1710	ret_val->mtime.low = IVAL(file_header, 0xC);
1711	ret_val->mtime.high = IVAL(file_header, 0x10);
1712
1713	ret_val->unknown3 = IVAL(file_header, 0x14);
1714	ret_val->unknown4 = IVAL(file_header, 0x18);
1715	ret_val->unknown5 = IVAL(file_header, 0x1C);
1716	ret_val->unknown6 = IVAL(file_header, 0x20);
1717
1718	ret_val->data_offset = IVAL(file_header, 0x24);
1719	ret_val->last_block = IVAL(file_header, 0x28);
1720
1721	ret_val->unknown7 = IVAL(file_header, 0x2C);
1722
1723	return ret_val;
1724	}
1725
1726
1727
1728	/*******************************************************************
1729	* Given real file offset, read and parse the hbin at that location
1730	* along with it's associated cells.
1731	*******************************************************************/
1732	/* XXX: Need a way to return types of errors.
1733	*/
1734	REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32 offset, bool strict)
1735	{
1736	REGFI_HBIN *hbin;
1737	uint8 hbin_header[REGFI_HBIN_HEADER_SIZE];
1738	uint32 length;
1739
1740	if(offset >= file->file_length)
1741	return NULL;
1742
1743	if(lseek(file->fd, offset, SEEK_SET) == -1)
1744	{
1745	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
1746	" while parsing hbin at offset 0x%.8X.", offset);
1747	return NULL;
1748	}
1749
1750	length = REGFI_HBIN_HEADER_SIZE;
1751	if((regfi_read(file->fd, hbin_header, &length) != 0)
1752	\|\| length != REGFI_HBIN_HEADER_SIZE)
1753	return NULL;
1754
1755	if(lseek(file->fd, offset, SEEK_SET) == -1)
1756	{
1757	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
1758	" while parsing hbin at offset 0x%.8X.", offset);
1759	return NULL;
1760	}
1761
1762	if(!(hbin = (REGFI_HBIN*)zalloc(sizeof(REGFI_HBIN))))
1763	return NULL;
1764	hbin->file_off = offset;
1765
1766	memcpy(hbin->magic, hbin_header, 4);
1767	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
1768	{
1769	regfi_add_message(file, REGFI_MSG_INFO, "Magic number mismatch "
1770	"(%.2X %.2X %.2X %.2X) while parsing hbin at offset"
1771	" 0x%.8X.", hbin->magic[0], hbin->magic[1],
1772	hbin->magic[2], hbin->magic[3], offset);
1773	free(hbin);
1774	return NULL;
1775	}
1776
1777	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
1778	hbin->block_size = IVAL(hbin_header, 0x8);
1779	/* this should be the same thing as hbin->block_size but just in case */
1780	hbin->next_block = IVAL(hbin_header, 0x1C);
1781
1782
1783	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
1784	* the end of the file.
1785	*/
1786	/* XXX: This may need to be relaxed for dealing with
1787	* partial or corrupt files.
1788	*/
1789	if((offset + hbin->block_size > file->file_length)
1790	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
1791	{
1792	regfi_add_message(file, REGFI_MSG_ERROR, "The hbin offset is not aligned"
1793	" or runs off the end of the file"
1794	" while parsing hbin at offset 0x%.8X.", offset);
1795	free(hbin);
1796	return NULL;
1797	}
1798
1799	return hbin;
1800	}
1801
1802
1803	/*******************************************************************
1804	*******************************************************************/
1805	REGFI_NK_REC* regfi_parse_nk(REGFI_FILE* file, uint32 offset,
1806	uint32 max_size, bool strict)
1807	{
1808	uint8 nk_header[REGFI_NK_MIN_LENGTH];
1809	REGFI_HBIN *hbin;
1810	REGFI_NK_REC* ret_val;
1811	uint32 length,cell_length;
1812	uint32 class_offset, class_maxsize;
1813	bool unalloc = false;
1814
1815	if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH,
1816	&cell_length, &unalloc))
1817	{
1818	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
1819	" while parsing NK record at offset 0x%.8X.", offset);
1820	return NULL;
1821	}
1822
1823	/* A bit of validation before bothering to allocate memory */
1824	if((nk_header[0x0] != 'n') \|\| (nk_header[0x1] != 'k'))
1825	{
1826	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
1827	" NK record at offset 0x%.8X.", offset);
1828	return NULL;
1829	}
1830
1831	ret_val = (REGFI_NK_REC*)zalloc(sizeof(REGFI_NK_REC));
1832	if(ret_val == NULL)
1833	{
1834	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to allocate memory while"
1835	" parsing NK record at offset 0x%.8X.", offset);
1836	return NULL;
1837	}
1838
1839	ret_val->offset = offset;
1840	ret_val->cell_size = cell_length;
1841
1842	if(ret_val->cell_size > max_size)
1843	ret_val->cell_size = max_size & 0xFFFFFFF8;
1844	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
1845	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
1846	{
1847	regfi_add_message(file, REGFI_MSG_WARN, "A length check failed while"
1848	" parsing NK record at offset 0x%.8X.", offset);
1849	free(ret_val);
1850	return NULL;
1851	}
1852
1853	ret_val->magic[0] = nk_header[0x0];
1854	ret_val->magic[1] = nk_header[0x1];
1855	ret_val->key_type = SVAL(nk_header, 0x2);
1856	if((ret_val->key_type != REGFI_NK_TYPE_NORMALKEY)
1857	&& (ret_val->key_type != REGFI_NK_TYPE_ROOTKEY1)
1858	&& (ret_val->key_type != REGFI_NK_TYPE_ROOTKEY2)
1859	&& (ret_val->key_type != REGFI_NK_TYPE_LINKKEY)
1860	&& (ret_val->key_type != REGFI_NK_TYPE_UNKNOWN1)
1861	&& (ret_val->key_type != REGFI_NK_TYPE_UNKNOWN2)
1862	&& (ret_val->key_type != REGFI_NK_TYPE_UNKNOWN3))
1863	{
1864	regfi_add_message(file, REGFI_MSG_WARN, "Unknown key type (0x%.4X) while"
1865	" parsing NK record at offset 0x%.8X.",
1866	ret_val->key_type, offset);
1867	}
1868
1869	ret_val->mtime.low = IVAL(nk_header, 0x4);
1870	ret_val->mtime.high = IVAL(nk_header, 0x8);
1871	/* If the key is unallocated and the MTIME is earlier than Jan 1, 1990
1872	* or later than Jan 1, 2290, we consider this a bad key. This helps
1873	* weed out some false positives during deleted data recovery.
1874	*/
1875	if(unalloc
1876	&& ((ret_val->mtime.high < REGFI_MTIME_MIN_HIGH
1877	&& ret_val->mtime.low < REGFI_MTIME_MIN_LOW)
1878	\|\| (ret_val->mtime.high > REGFI_MTIME_MAX_HIGH
1879	&& ret_val->mtime.low > REGFI_MTIME_MAX_LOW)))
1880	return NULL;
1881
1882	ret_val->unknown1 = IVAL(nk_header, 0xC);
1883	ret_val->parent_off = IVAL(nk_header, 0x10);
1884	ret_val->num_subkeys = IVAL(nk_header, 0x14);
1885	ret_val->unknown2 = IVAL(nk_header, 0x18);
1886	ret_val->subkeys_off = IVAL(nk_header, 0x1C);
1887	ret_val->unknown3 = IVAL(nk_header, 0x20);
1888	ret_val->num_values = IVAL(nk_header, 0x24);
1889	ret_val->values_off = IVAL(nk_header, 0x28);
1890	ret_val->sk_off = IVAL(nk_header, 0x2C);
1891	ret_val->classname_off = IVAL(nk_header, 0x30);
1892
1893	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
1894	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
1895	ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
1896	ret_val->max_bytes_value = IVAL(nk_header, 0x40);
1897	ret_val->unk_index = IVAL(nk_header, 0x44);
1898
1899	ret_val->name_length = SVAL(nk_header, 0x48);
1900	ret_val->classname_length = SVAL(nk_header, 0x4A);
1901
1902
1903	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
1904	{
1905	if(strict)
1906	{
1907	regfi_add_message(file, REGFI_MSG_ERROR, "Contents too large for cell"
1908	" while parsing NK record at offset 0x%.8X.", offset);
1909	free(ret_val);
1910	return NULL;
1911	}
1912	else
1913	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
1914	}
1915	else if (unalloc)
1916	{ /* Truncate cell_size if it's much larger than the apparent total record length. */
1917	/* Round up to the next multiple of 8 */
1918	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
1919	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
1920	length+=8;
1921
1922	/* If cell_size is still greater, truncate. */
1923	if(length < ret_val->cell_size)
1924	ret_val->cell_size = length;
1925	}
1926
1927	ret_val->keyname = (char)zalloc(sizeof(char)(ret_val->name_length+1));
1928	if(ret_val->keyname == NULL)
1929	{
1930	free(ret_val);
1931	return NULL;
1932	}
1933
1934	/* Don't need to seek, should be at the right offset */
1935	length = ret_val->name_length;
1936	if((regfi_read(file->fd, (uint8*)ret_val->keyname, &length) != 0)
1937	\|\| length != ret_val->name_length)
1938	{
1939	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read key name"
1940	" while parsing NK record at offset 0x%.8X.", offset);
1941	free(ret_val->keyname);
1942	free(ret_val);
1943	return NULL;
1944	}
1945	ret_val->keyname[ret_val->name_length] = '\0';
1946
1947	if(ret_val->classname_off != REGFI_OFFSET_NONE)
1948	{
1949	hbin = regfi_lookup_hbin(file, ret_val->classname_off);
1950	if(hbin)
1951	{
1952	class_offset = ret_val->classname_off+REGFI_REGF_SIZE;
1953	class_maxsize = hbin->block_size + hbin->file_off - class_offset;
1954	ret_val->classname
1955	= regfi_parse_classname(file, class_offset, &ret_val->classname_length,
1956	class_maxsize, strict);
1957	}
1958	else
1959	{
1960	ret_val->classname = NULL;
1961	regfi_add_message(file, REGFI_MSG_WARN, "Could not find hbin for class"
1962	" name while parsing NK record at offset 0x%.8X.",
1963	offset);
1964	}
1965
1966	if(ret_val->classname == NULL)
1967	{
1968	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse class"
1969	" name while parsing NK record at offset 0x%.8X.",
1970	offset);
1971	return NULL;
1972	}
1973	}
1974
1975	return ret_val;
1976	}
1977
1978
1979	char* regfi_parse_classname(REGFI_FILE* file, uint32 offset,
1980	uint16* name_length, uint32 max_size, bool strict)
1981	{
1982	char* ret_val = NULL;
1983	uint32 length;
1984	uint32 cell_length;
1985	bool unalloc = false;
1986
1987	if(*name_length > 0 && offset != REGFI_OFFSET_NONE
1988	&& offset == (offset & 0xFFFFFFF8))
1989	{
1990	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
1991	{
1992	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
1993	" while parsing class name at offset 0x%.8X.", offset);
1994	return NULL;
1995	}
1996
1997	if((cell_length & 0xFFFFFFF8) != cell_length)
1998	{
1999	regfi_add_message(file, REGFI_MSG_ERROR, "Cell length not a multiple of 8"
2000	" while parsing class name at offset 0x%.8X.", offset);
2001	return NULL;
2002	}
2003
2004	if(cell_length > max_size)
2005	{
2006	regfi_add_message(file, REGFI_MSG_WARN, "Cell stretches past hbin "
2007	"boundary while parsing class name at offset 0x%.8X.",
2008	offset);
2009	if(strict)
2010	return NULL;
2011	cell_length = max_size;
2012	}
2013
2014	if((cell_length - 4) < *name_length)
2015	{
2016	regfi_add_message(file, REGFI_MSG_WARN, "Class name is larger than"
2017	" cell_length while parsing class name at offset"
2018	" 0x%.8X.", offset);
2019	if(strict)
2020	return NULL;
2021	*name_length = cell_length - 4;
2022	}
2023
2024	ret_val = (char)zalloc(name_length);
2025	if(ret_val != NULL)
2026	{
2027	length = *name_length;
2028	if((regfi_read(file->fd, (uint8*)ret_val, &length) != 0)
2029	\|\| length != *name_length)
2030	{
2031	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read class name"
2032	" while parsing class name at offset 0x%.8X.", offset);
2033	free(ret_val);
2034	return NULL;
2035	}
2036	}
2037	}
2038
2039	return ret_val;
2040	}
2041
2042
2043	/*******************************************************************
2044	*******************************************************************/
2045	REGFI_VK_REC* regfi_parse_vk(REGFI_FILE* file, uint32 offset,
2046	uint32 max_size, bool strict)
2047	{
2048	REGFI_VK_REC* ret_val;
2049	REGFI_HBIN *hbin;
2050	uint8 vk_header[REGFI_VK_MIN_LENGTH];
2051	uint32 raw_data_size, length, cell_length;
2052	uint32 data_offset, data_maxsize;
2053	bool unalloc = false;
2054
2055	if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH,
2056	&cell_length, &unalloc))
2057	{
2058	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
2059	" while parsing VK record at offset 0x%.8X.", offset);
2060	return NULL;
2061	}
2062
2063	ret_val = (REGFI_VK_REC*)zalloc(sizeof(REGFI_VK_REC));
2064	if(ret_val == NULL)
2065	return NULL;
2066
2067	ret_val->offset = offset;
2068	ret_val->cell_size = cell_length;
2069
2070	if(ret_val->cell_size > max_size)
2071	ret_val->cell_size = max_size & 0xFFFFFFF8;
2072	if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
2073	\|\| ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8))
2074	{
2075	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size encountered"
2076	" while parsing VK record at offset 0x%.8X.", offset);
2077	free(ret_val);
2078	return NULL;
2079	}
2080
2081	ret_val->magic[0] = vk_header[0x0];
2082	ret_val->magic[1] = vk_header[0x1];
2083	if((ret_val->magic[0] != 'v') \|\| (ret_val->magic[1] != 'k'))
2084	{
2085	/* XXX: This does not account for deleted keys under Win2K which
2086	* often have this (and the name length) overwritten with
2087	* 0xFFFF.
2088	*/
2089	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch"
2090	" while parsing VK record at offset 0x%.8X.", offset);
2091	free(ret_val);
2092	return NULL;
2093	}
2094
2095	ret_val->name_length = SVAL(vk_header, 0x2);
2096	raw_data_size = IVAL(vk_header, 0x4);
2097	ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET;
2098	ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET);
2099	ret_val->data_off = IVAL(vk_header, 0x8);
2100	ret_val->type = IVAL(vk_header, 0xC);
2101	ret_val->flag = SVAL(vk_header, 0x10);
2102	ret_val->unknown1 = SVAL(vk_header, 0x12);
2103
2104	if(ret_val->flag & REGFI_VK_FLAG_NAME_PRESENT)
2105	{
2106	if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size)
2107	{
2108	regfi_add_message(file, REGFI_MSG_WARN, "Name too long for remaining cell"
2109	" space while parsing VK record at offset 0x%.8X.",
2110	offset);
2111	if(strict)
2112	{
2113	free(ret_val);
2114	return NULL;
2115	}
2116	else
2117	ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4;
2118	}
2119
2120	/* Round up to the next multiple of 8 */
2121	cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8;
2122	if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4)
2123	cell_length+=8;
2124
2125	ret_val->valuename = (char)zalloc(sizeof(char)(ret_val->name_length+1));
2126	if(ret_val->valuename == NULL)
2127	{
2128	free(ret_val);
2129	return NULL;
2130	}
2131
2132	length = ret_val->name_length;
2133	if((regfi_read(file->fd, (uint8*)ret_val->valuename, &length) != 0)
2134	\|\| length != ret_val->name_length)
2135	{
2136	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read value name"
2137	" while parsing VK record at offset 0x%.8X.", offset);
2138	free(ret_val->valuename);
2139	free(ret_val);
2140	return NULL;
2141	}
2142	ret_val->valuename[ret_val->name_length] = '\0';
2143
2144	}
2145	else
2146	cell_length = REGFI_VK_MIN_LENGTH + 4;
2147
2148	if(unalloc)
2149	{
2150	/* If cell_size is still greater, truncate. */
2151	if(cell_length < ret_val->cell_size)
2152	ret_val->cell_size = cell_length;
2153	}
2154
2155	if(ret_val->data_size == 0)
2156	ret_val->data = NULL;
2157	else
2158	{
2159	if(ret_val->data_in_offset)
2160	{
2161	ret_val->data = regfi_parse_data(file, ret_val->data_off,
2162	raw_data_size, 4, strict);
2163	}
2164	else
2165	{
2166	hbin = regfi_lookup_hbin(file, ret_val->data_off);
2167	if(hbin)
2168	{
2169	data_offset = ret_val->data_off+REGFI_REGF_SIZE;
2170	data_maxsize = hbin->block_size + hbin->file_off - data_offset;
2171	ret_val->data = regfi_parse_data(file, data_offset, raw_data_size,
2172	data_maxsize, strict);
2173
2174	}
2175	else
2176	{
2177	regfi_add_message(file, REGFI_MSG_WARN, "Could not find hbin for data"
2178	" while parsing VK record at offset 0x%.8X.", offset);
2179	ret_val->data = NULL;
2180	}
2181	}
2182
2183	if(ret_val->data == NULL)
2184	{
2185	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse data record"
2186	" while parsing VK record at offset 0x%.8X.", offset);
2187	}
2188	}
2189
2190	return ret_val;
2191	}
2192
2193
2194	uint8* regfi_parse_data(REGFI_FILE* file, uint32 offset, uint32 length,
2195	uint32 max_size, bool strict)
2196	{
2197	uint8* ret_val;
2198	uint32 read_length, cell_length;
2199	uint8 i;
2200	bool unalloc;
2201
2202	/* The data is typically stored in the offset if the size <= 4 */
2203	if (length & REGFI_VK_DATA_IN_OFFSET)
2204	{
2205	length = length & ~REGFI_VK_DATA_IN_OFFSET;
2206	if(length > 4)
2207	{
2208	regfi_add_message(file, REGFI_MSG_ERROR, "Data in offset but length > 4"
2209	" while parsing data record at offset 0x%.8X.",
2210	offset);
2211	return NULL;
2212	}
2213
2214	if((ret_val = (uint8)zalloc(sizeof(uint8)length)) == NULL)
2215	return NULL;
2216
2217	for(i = 0; i < length; i++)
2218	ret_val[i] = (uint8)((offset >> i*8) & 0xFF);
2219	}
2220	else
2221	{
2222	if(!regfi_parse_cell(file->fd, offset, NULL, 0,
2223	&cell_length, &unalloc))
2224	{
2225	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
2226	" parsing data record at offset 0x%.8X.", offset);
2227	return NULL;
2228	}
2229
2230	if((cell_length & 0xFFFFFFF8) != cell_length)
2231	{
2232	regfi_add_message(file, REGFI_MSG_WARN, "Cell length not multiple of 8"
2233	" while parsing data record at offset 0x%.8X.",
2234	offset);
2235	return NULL;
2236	}
2237
2238	if(cell_length > max_size)
2239	{
2240	regfi_add_message(file, REGFI_MSG_WARN, "Cell extends past hbin boundary"
2241	" while parsing data record at offset 0x%.8X.",
2242	offset);
2243	if(strict)
2244	return NULL;
2245	else
2246	cell_length = max_size;
2247	}
2248
2249	if(cell_length - 4 < length)
2250	{
2251	/* XXX: This strict condition has been triggered in multiple registries.
2252	* Not sure the cause, but the data length values are very large,
2253	* such as 53392.
2254	*/
2255	regfi_add_message(file, REGFI_MSG_WARN, "Data length (0x%.8X) larger than"
2256	" remaining cell length (0x%.8X)"
2257	" while parsing data record at offset 0x%.8X.",
2258	length, cell_length - 4, offset);
2259	if(strict)
2260	return NULL;
2261	else
2262	length = cell_length - 4;
2263	}
2264
2265	if((ret_val = (uint8)zalloc(sizeof(uint8)length)) == NULL)
2266	return NULL;
2267
2268	read_length = length;
2269	if((regfi_read(file->fd, ret_val, &read_length) != 0)
2270	\|\| read_length != length)
2271	{
2272	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read data block while"
2273	" parsing data record at offset 0x%.8X.", offset);
2274	free(ret_val);
2275	return NULL;
2276	}
2277	}
2278
2279	return ret_val;
2280	}
2281
2282
2283	range_list* regfi_parse_unalloc_cells(REGFI_FILE* file)
2284	{
2285	range_list* ret_val;
2286	REGFI_HBIN* hbin;
2287	const range_list_element* hbins_elem;
2288	uint32 i, num_hbins, curr_off, cell_len;
2289	bool is_unalloc;
2290
2291	ret_val = range_list_new();
2292	if(ret_val == NULL)
2293	return NULL;
2294
2295	num_hbins = range_list_size(file->hbins);
2296	for(i=0; i<num_hbins; i++)
2297	{
2298	hbins_elem = range_list_get(file->hbins, i);
2299	if(hbins_elem == NULL)
2300	break;
2301	hbin = (REGFI_HBIN*)hbins_elem->data;
2302
2303	curr_off = REGFI_HBIN_HEADER_SIZE;
2304	while(curr_off < hbin->block_size)
2305	{
2306	if(!regfi_parse_cell(file->fd, hbin->file_off+curr_off, NULL, 0,
2307	&cell_len, &is_unalloc))
2308	break;
2309
2310	if((cell_len == 0) \|\| ((cell_len & 0xFFFFFFF8) != cell_len))
2311	{
2312	regfi_add_message(file, REGFI_MSG_ERROR, "Bad cell length encountered"
2313	" while parsing unallocated cells at offset 0x%.8X.",
2314	hbin->file_off+curr_off);
2315	break;
2316	}
2317
2318	/* for some reason the record_size of the last record in
2319	an hbin block can extend past the end of the block
2320	even though the record fits within the remaining
2321	space....aaarrrgggghhhhhh */
2322	if(curr_off + cell_len >= hbin->block_size)
2323	cell_len = hbin->block_size - curr_off;
2324
2325	if(is_unalloc)
2326	range_list_add(ret_val, hbin->file_off+curr_off,
2327	cell_len, NULL);
2328
2329	curr_off = curr_off+cell_len;
2330	}
2331	}
2332
2333	return ret_val;
2334	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: releases/0.10.0/lib/regfi.c@ 293

Download in other formats: