source: releases/0.12.0/lib/regfi.c@ 286

Last change on this file since 286 was 179, checked in by tim, 15 years ago

fixed a bug in time validation that improves recovery rates
  • Property svn:keywords set to Id
File size: 89.6 KB
RevLine 
[30]1/*
[169]2 * Copyright (C) 2005-2010 Timothy D. Morgan
[30]3 * Copyright (C) 2005 Gerald (Jerry) Carter
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
[111]7 * the Free Software Foundation; version 3 of the License.
[30]8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
[161]16 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
[30]17 *
18 * $Id: regfi.c 179 2010-03-13 18:00:15Z tim $
19 */
20
[169]21/**
22 * @file
23 *
24 * Windows NT (and later) read-only registry library
25 *
26 * See @ref regfi.h for more information.
27 *
28 * Branched from Samba project Subversion repository, version #7470:
29 * http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
30 *
31 * Since then, it has been heavily rewritten, simplified, and improved.
32 */
[168]33
[147]34#include "regfi.h"
[30]35
36
[32]37/* Registry types mapping */
[78]38const unsigned int regfi_num_reg_types = 12;
39static const char* regfi_type_names[] =
[65]40 {"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]41 "MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]42
[161]43const char* regfi_encoding_names[] =
44 {"US-ASCII//TRANSLIT", "UTF-8//TRANSLIT", "UTF-16LE//TRANSLIT"};
[32]45
[135]46
47/******************************************************************************
48 ******************************************************************************/
[168]49void regfi_add_message(REGFI_FILE* file, uint16_t msg_type, const char* fmt, ...)
[135]50{
[136]51 /* XXX: This function is not particularly efficient,
[135]52 * but then it is mostly used during errors.
53 */
[168]54 uint32_t buf_size, buf_used;
[136]55 char* new_msg;
56 va_list args;
[135]57
[138]58 if((file->msg_mask & msg_type) != 0)
59 {
60 if(file->last_message == NULL)
61 buf_used = 0;
62 else
63 buf_used = strlen(file->last_message);
64
65 buf_size = buf_used+strlen(fmt)+160;
66 new_msg = realloc(file->last_message, buf_size);
67 if(new_msg == NULL)
68 /* XXX: should we report this? */
69 return;
[135]70
[138]71 switch (msg_type)
72 {
73 case REGFI_MSG_INFO:
74 strcpy(new_msg+buf_used, "INFO: ");
75 buf_used += 6;
76 break;
77 case REGFI_MSG_WARN:
78 strcpy(new_msg+buf_used, "WARN: ");
79 buf_used += 6;
80 break;
81 case REGFI_MSG_ERROR:
82 strcpy(new_msg+buf_used, "ERROR: ");
83 buf_used += 7;
84 break;
85 }
[136]86
[138]87 va_start(args, fmt);
88 vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
89 va_end(args);
90 strncat(new_msg, "\n", buf_size-1);
91
92 file->last_message = new_msg;
93 }
[135]94}
95
96
97/******************************************************************************
98 ******************************************************************************/
[136]99char* regfi_get_messages(REGFI_FILE* file)
[135]100{
101 char* ret_val = file->last_message;
102 file->last_message = NULL;
103
104 return ret_val;
105}
106
107
[168]108void regfi_set_message_mask(REGFI_FILE* file, uint16_t mask)
[138]109{
110 file->msg_mask = mask;
111}
112
113
[161]114/******************************************************************************
115 * Returns NULL for an invalid e
116 *****************************************************************************/
117static const char* regfi_encoding_int2str(REGFI_ENCODING e)
118{
119 if(e < REGFI_NUM_ENCODINGS)
120 return regfi_encoding_names[e];
121
122 return NULL;
123}
124
125
126/******************************************************************************
127 * Returns NULL for an invalid val
128 *****************************************************************************/
[78]129const char* regfi_type_val2str(unsigned int val)
[32]130{
[61]131 if(val == REG_KEY)
132 return "KEY";
133
[78]134 if(val >= regfi_num_reg_types)
[61]135 return NULL;
136
[78]137 return regfi_type_names[val];
[32]138}
139
140
[161]141/******************************************************************************
142 * Returns -1 on error
143 *****************************************************************************/
[78]144int regfi_type_str2val(const char* str)
[32]145{
146 int i;
147
[61]148 if(strcmp("KEY", str) == 0)
149 return REG_KEY;
[32]150
[78]151 for(i=0; i < regfi_num_reg_types; i++)
152 if (strcmp(regfi_type_names[i], str) == 0)
[61]153 return i;
154
155 if(strcmp("DWORD_LE", str) == 0)
156 return REG_DWORD_LE;
157
158 return -1;
[32]159}
160
161
[135]162/* Security descriptor formatting functions */
[53]163
[168]164const char* regfi_ace_type2str(uint8_t type)
[53]165{
166 static const char* map[7]
167 = {"ALLOW", "DENY", "AUDIT", "ALARM",
168 "ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
169 if(type < 7)
170 return map[type];
171 else
172 /* XXX: would be nice to return the unknown integer value.
173 * However, as it is a const string, it can't be free()ed later on,
174 * so that would need to change.
175 */
176 return "UNKNOWN";
177}
178
179
[76]180/* XXX: need a better reference on the meaning of each flag. */
181/* For more info, see:
182 * http://msdn2.microsoft.com/en-us/library/aa772242.aspx
183 */
[168]184char* regfi_ace_flags2str(uint8_t flags)
[53]185{
[76]186 static const char* flag_map[32] =
[87]187 { "OI", /* Object Inherit */
188 "CI", /* Container Inherit */
189 "NP", /* Non-Propagate */
190 "IO", /* Inherit Only */
191 "IA", /* Inherited ACE */
[76]192 NULL,
193 NULL,
194 NULL,
195 };
[53]196
[76]197 char* ret_val = malloc(35*sizeof(char));
198 char* fo = ret_val;
[168]199 uint32_t i;
200 uint8_t f;
[76]201
202 if(ret_val == NULL)
[53]203 return NULL;
204
[76]205 fo[0] = '\0';
[53]206 if (!flags)
[76]207 return ret_val;
[53]208
[76]209 for(i=0; i < 8; i++)
210 {
211 f = (1<<i);
212 if((flags & f) && (flag_map[i] != NULL))
213 {
214 strcpy(fo, flag_map[i]);
215 fo += strlen(flag_map[i]);
216 *(fo++) = ' ';
217 flags ^= f;
218 }
[53]219 }
[76]220
221 /* Any remaining unknown flags are added at the end in hex. */
222 if(flags != 0)
223 sprintf(fo, "0x%.2X ", flags);
224
225 /* Chop off the last space if we've written anything to ret_val */
226 if(fo != ret_val)
227 fo[-1] = '\0';
228
229 return ret_val;
[53]230}
231
232
[168]233char* regfi_ace_perms2str(uint32_t perms)
[53]234{
[168]235 uint32_t i, p;
[76]236 /* This is more than is needed by a fair margin. */
237 char* ret_val = malloc(350*sizeof(char));
238 char* r = ret_val;
239
240 /* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
241 * For more information, see:
242 * http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
243 * http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
244 */
245 static const char* perm_map[32] =
246 {/* object-specific permissions (registry keys, in this case) */
247 "QRY_VAL", /* KEY_QUERY_VALUE */
248 "SET_VAL", /* KEY_SET_VALUE */
249 "CREATE_KEY", /* KEY_CREATE_SUB_KEY */
250 "ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
251 "NOTIFY", /* KEY_NOTIFY */
252 "CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
253 NULL,
254 NULL,
255 "WOW64_64", /* KEY_WOW64_64KEY */
256 "WOW64_32", /* KEY_WOW64_32KEY */
257 NULL,
258 NULL,
259 NULL,
260 NULL,
261 NULL,
262 NULL,
263 /* standard access rights */
264 "DELETE", /* DELETE */
265 "R_CONT", /* READ_CONTROL */
266 "W_DAC", /* WRITE_DAC */
267 "W_OWNER", /* WRITE_OWNER */
268 "SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
269 NULL,
270 NULL,
271 NULL,
272 /* other generic */
273 "SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
274 "MAX_ALLWD", /* MAXIMUM_ALLOWED */
275 NULL,
276 NULL,
277 "GEN_A", /* GENERIC_ALL */
278 "GEN_X", /* GENERIC_EXECUTE */
279 "GEN_W", /* GENERIC_WRITE */
280 "GEN_R", /* GENERIC_READ */
281 };
282
283
[53]284 if(ret_val == NULL)
285 return NULL;
286
[76]287 r[0] = '\0';
288 for(i=0; i < 32; i++)
289 {
290 p = (1<<i);
291 if((perms & p) && (perm_map[i] != NULL))
292 {
293 strcpy(r, perm_map[i]);
294 r += strlen(perm_map[i]);
295 *(r++) = ' ';
296 perms ^= p;
297 }
298 }
299
300 /* Any remaining unknown permission bits are added at the end in hex. */
301 if(perms != 0)
302 sprintf(r, "0x%.8X ", perms);
[53]303
[76]304 /* Chop off the last space if we've written anything to ret_val */
305 if(r != ret_val)
306 r[-1] = '\0';
307
[53]308 return ret_val;
309}
310
311
[134]312char* regfi_sid2str(WINSEC_DOM_SID* sid)
[53]313{
[168]314 uint32_t i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
315 uint32_t left = size;
316 uint8_t comps = sid->num_auths;
[53]317 char* ret_val = malloc(size);
318
319 if(ret_val == NULL)
320 return NULL;
321
[134]322 if(comps > WINSEC_MAX_SUBAUTHS)
323 comps = WINSEC_MAX_SUBAUTHS;
[53]324
325 left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
326
327 for (i = 0; i < comps; i++)
328 left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
329
330 return ret_val;
331}
332
333
[134]334char* regfi_get_acl(WINSEC_ACL* acl)
[53]335{
[168]336 uint32_t i, extra, size = 0;
[53]337 const char* type_str;
338 char* flags_str;
339 char* perms_str;
340 char* sid_str;
[61]341 char* ace_delim = "";
[53]342 char* ret_val = NULL;
[61]343 char* tmp_val = NULL;
344 bool failed = false;
[53]345 char field_delim = ':';
346
[61]347 for (i = 0; i < acl->num_aces && !failed; i++)
[53]348 {
[134]349 sid_str = regfi_sid2str(acl->aces[i]->trustee);
350 type_str = regfi_ace_type2str(acl->aces[i]->type);
351 perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask);
352 flags_str = regfi_ace_flags2str(acl->aces[i]->flags);
[53]353
[61]354 if(flags_str != NULL && perms_str != NULL
355 && type_str != NULL && sid_str != NULL)
356 {
357 /* XXX: this is slow */
358 extra = strlen(sid_str) + strlen(type_str)
[136]359 + strlen(perms_str) + strlen(flags_str) + 5;
[61]360 tmp_val = realloc(ret_val, size+extra);
[53]361
[61]362 if(tmp_val == NULL)
363 {
364 free(ret_val);
[136]365 ret_val = NULL;
[61]366 failed = true;
367 }
368 else
369 {
370 ret_val = tmp_val;
[148]371 size += sprintf(ret_val+size, "%s%s%c%s%c%s%c%s",
372 ace_delim,sid_str,
373 field_delim,type_str,
374 field_delim,perms_str,
375 field_delim,flags_str);
[61]376 ace_delim = "|";
377 }
378 }
379 else
380 failed = true;
381
382 if(sid_str != NULL)
383 free(sid_str);
384 if(sid_str != NULL)
385 free(perms_str);
386 if(sid_str != NULL)
387 free(flags_str);
[53]388 }
389
390 return ret_val;
391}
392
393
[134]394char* regfi_get_sacl(WINSEC_DESC *sec_desc)
[53]395{
396 if (sec_desc->sacl)
[78]397 return regfi_get_acl(sec_desc->sacl);
[53]398 else
399 return NULL;
400}
401
402
[134]403char* regfi_get_dacl(WINSEC_DESC *sec_desc)
[53]404{
405 if (sec_desc->dacl)
[78]406 return regfi_get_acl(sec_desc->dacl);
[53]407 else
408 return NULL;
409}
410
411
[134]412char* regfi_get_owner(WINSEC_DESC *sec_desc)
[53]413{
[78]414 return regfi_sid2str(sec_desc->owner_sid);
[53]415}
416
417
[134]418char* regfi_get_group(WINSEC_DESC *sec_desc)
[53]419{
[78]420 return regfi_sid2str(sec_desc->grp_sid);
[53]421}
422
423
[101]424/*****************************************************************************
425 * This function is just like read(2), except that it continues to
426 * re-try reading from the file descriptor if EINTR or EAGAIN is received.
427 * regfi_read will attempt to read length bytes from fd and write them to buf.
428 *
429 * On success, 0 is returned. Upon failure, an errno code is returned.
430 *
431 * The number of bytes successfully read is returned through the length
432 * parameter by reference. If both the return value and length parameter are
433 * returned as 0, then EOF was encountered immediately
434 *****************************************************************************/
[168]435uint32_t regfi_read(int fd, uint8_t* buf, uint32_t* length)
[101]436{
[168]437 uint32_t rsize = 0;
438 uint32_t rret = 0;
[101]439
440 do
441 {
442 rret = read(fd, buf + rsize, *length - rsize);
443 if(rret > 0)
444 rsize += rret;
445 }while(*length - rsize > 0
446 && (rret > 0 || (rret == -1 && (errno == EAGAIN || errno == EINTR))));
447
448 *length = rsize;
449 if (rret == -1 && errno != EINTR && errno != EAGAIN)
450 return errno;
451
452 return 0;
453}
454
455
456/*****************************************************************************
457 *
458 *****************************************************************************/
[168]459bool regfi_parse_cell(int fd, uint32_t offset, uint8_t* hdr, uint32_t hdr_len,
460 uint32_t* cell_length, bool* unalloc)
[101]461{
[168]462 uint32_t length;
463 int32_t raw_length;
464 uint8_t tmp[4];
[101]465
466 if(lseek(fd, offset, SEEK_SET) == -1)
467 return false;
468
469 length = 4;
470 if((regfi_read(fd, tmp, &length) != 0) || length != 4)
471 return false;
472 raw_length = IVALS(tmp, 0);
473
474 if(raw_length < 0)
475 {
476 (*cell_length) = raw_length*(-1);
477 (*unalloc) = false;
478 }
479 else
480 {
481 (*cell_length) = raw_length;
482 (*unalloc) = true;
483 }
484
[103]485 if(*cell_length - 4 < hdr_len)
486 return false;
487
488 if(hdr_len > 0)
489 {
490 length = hdr_len;
491 if((regfi_read(fd, hdr, &length) != 0) || length != hdr_len)
492 return false;
493 }
494
[101]495 return true;
496}
497
498
[157]499/******************************************************************************
[106]500 * Given an offset and an hbin, is the offset within that hbin?
501 * The offset is a virtual file offset.
[157]502 ******************************************************************************/
[168]503static bool regfi_offset_in_hbin(const REGFI_HBIN* hbin, uint32_t voffset)
[30]504{
[106]505 if(!hbin)
[31]506 return false;
[106]507
[145]508 if((voffset > hbin->first_hbin_off)
509 && (voffset < (hbin->first_hbin_off + hbin->block_size)))
[31]510 return true;
[30]511
[31]512 return false;
[30]513}
514
515
[106]516
[157]517/******************************************************************************
518 * Provide a physical offset and receive the correpsonding HBIN
[106]519 * block for it. NULL if one doesn't exist.
[157]520 ******************************************************************************/
[168]521const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32_t offset)
[30]522{
[157]523 return (const REGFI_HBIN*)range_list_find_data(file->hbins, offset);
[30]524}
525
526
[157]527/******************************************************************************
528 * Calculate the largest possible cell size given a physical offset.
529 * Largest size is based on the HBIN the offset is currently a member of.
530 * Returns negative values on error.
531 * (Since cells can only be ~2^31 in size, this works out.)
532 ******************************************************************************/
[168]533int32_t regfi_calc_maxsize(REGFI_FILE* file, uint32_t offset)
[157]534{
535 const REGFI_HBIN* hbin = regfi_lookup_hbin(file, offset);
536 if(hbin == NULL)
537 return -1;
[139]538
[157]539 return (hbin->block_size + hbin->file_off) - offset;
540}
541
542
[139]543/******************************************************************************
544 ******************************************************************************/
[168]545REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32_t offset,
546 uint32_t num_keys, uint32_t max_size,
[139]547 bool strict)
[127]548{
[135]549 REGFI_SUBKEY_LIST* ret_val;
[134]550
[139]551 ret_val = regfi_load_subkeylist_aux(file, offset, max_size, strict,
552 REGFI_MAX_SUBKEY_DEPTH);
[143]553 if(ret_val == NULL)
554 {
555 regfi_add_message(file, REGFI_MSG_WARN, "Failed to load subkey list at"
556 " offset 0x%.8X.", offset);
557 return NULL;
558 }
[139]559
560 if(num_keys != ret_val->num_keys)
561 {
562 /* Not sure which should be authoritative, the number from the
563 * NK record, or the number in the subkey list. Just emit a warning for
564 * now if they don't match.
565 */
566 regfi_add_message(file, REGFI_MSG_WARN, "Number of subkeys listed in parent"
567 " (%d) did not match number found in subkey list/tree (%d)"
568 " while parsing subkey list/tree at offset 0x%.8X.",
569 num_keys, ret_val->num_keys, offset);
570 }
571
572 return ret_val;
573}
574
575
576/******************************************************************************
577 ******************************************************************************/
[168]578REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32_t offset,
579 uint32_t max_size, bool strict,
580 uint8_t depth_left)
[139]581{
582 REGFI_SUBKEY_LIST* ret_val;
583 REGFI_SUBKEY_LIST** sublists;
[168]584 uint32_t i, num_sublists, off;
585 int32_t sublist_maxsize;
[139]586
587 if(depth_left == 0)
588 {
589 regfi_add_message(file, REGFI_MSG_WARN, "Maximum depth reached"
590 " while parsing subkey list/tree at offset 0x%.8X.",
591 offset);
[127]592 return NULL;
[139]593 }
[134]594
[139]595 ret_val = regfi_parse_subkeylist(file, offset, max_size, strict);
[134]596 if(ret_val == NULL)
597 return NULL;
[139]598
599 if(ret_val->recursive_type)
[127]600 {
[139]601 num_sublists = ret_val->num_children;
[150]602 sublists = (REGFI_SUBKEY_LIST**)malloc(num_sublists
[139]603 * sizeof(REGFI_SUBKEY_LIST*));
604 for(i=0; i < num_sublists; i++)
[127]605 {
[139]606 off = ret_val->elements[i].offset + REGFI_REGF_SIZE;
[157]607
608 sublist_maxsize = regfi_calc_maxsize(file, off);
609 if(sublist_maxsize < 0)
[139]610 sublists[i] = NULL;
611 else
[157]612 sublists[i] = regfi_load_subkeylist_aux(file, off, sublist_maxsize,
613 strict, depth_left-1);
[127]614 }
[150]615 talloc_free(ret_val);
[134]616
[139]617 return regfi_merge_subkeylists(num_sublists, sublists, strict);
[127]618 }
[30]619
[127]620 return ret_val;
621}
622
623
[139]624/******************************************************************************
625 ******************************************************************************/
[168]626REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32_t offset,
627 uint32_t max_size, bool strict)
[30]628{
[135]629 REGFI_SUBKEY_LIST* ret_val;
[168]630 uint32_t i, cell_length, length, elem_size, read_len;
631 uint8_t* elements = NULL;
632 uint8_t buf[REGFI_SUBKEY_LIST_MIN_LEN];
[104]633 bool unalloc;
[139]634 bool recursive_type;
[30]635
[127]636 if(!regfi_parse_cell(file->fd, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN,
[104]637 &cell_length, &unalloc))
[139]638 {
639 regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while "
640 "parsing subkey-list at offset 0x%.8X.", offset);
[104]641 return NULL;
[139]642 }
[30]643
[116]644 if(cell_length > max_size)
645 {
[139]646 regfi_add_message(file, REGFI_MSG_WARN, "Cell size longer than max_size"
647 " while parsing subkey-list at offset 0x%.8X.", offset);
[116]648 if(strict)
649 return NULL;
650 cell_length = max_size & 0xFFFFFFF8;
651 }
[30]652
[139]653 recursive_type = false;
[127]654 if(buf[0] == 'r' && buf[1] == 'i')
[104]655 {
[139]656 recursive_type = true;
[168]657 elem_size = sizeof(uint32_t);
[104]658 }
[139]659 else if(buf[0] == 'l' && buf[1] == 'i')
[168]660 elem_size = sizeof(uint32_t);
[134]661 else if((buf[0] == 'l') && (buf[1] == 'f' || buf[1] == 'h'))
[135]662 elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM);
[134]663 else
664 {
[139]665 regfi_add_message(file, REGFI_MSG_ERROR, "Unknown magic number"
666 " (0x%.2X, 0x%.2X) encountered while parsing"
667 " subkey-list at offset 0x%.8X.", buf[0], buf[1], offset);
[134]668 return NULL;
669 }
670
[150]671 ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[127]672 if(ret_val == NULL)
673 return NULL;
674
675 ret_val->offset = offset;
676 ret_val->cell_size = cell_length;
[104]677 ret_val->magic[0] = buf[0];
678 ret_val->magic[1] = buf[1];
[139]679 ret_val->recursive_type = recursive_type;
680 ret_val->num_children = SVAL(buf, 0x2);
[101]681
[139]682 if(!recursive_type)
683 ret_val->num_keys = ret_val->num_children;
[101]684
[139]685 length = elem_size*ret_val->num_children;
[168]686 if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32_t) < length)
[134]687 {
[139]688 regfi_add_message(file, REGFI_MSG_WARN, "Number of elements too large for"
689 " cell while parsing subkey-list at offset 0x%.8X.",
690 offset);
691 if(strict)
[150]692 goto fail;
[168]693 length = cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32_t);
[134]694 }
[30]695
[150]696 ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
697 ret_val->num_children);
[127]698 if(ret_val->elements == NULL)
[150]699 goto fail;
[30]700
[168]701 elements = (uint8_t*)malloc(length);
[139]702 if(elements == NULL)
[150]703 goto fail;
[30]704
[150]705 read_len = length;
706 if(regfi_read(file->fd, elements, &read_len) != 0 || read_len != length)
707 goto fail;
[30]708
[168]709 if(elem_size == sizeof(uint32_t))
[104]710 {
[139]711 for (i=0; i < ret_val->num_children; i++)
[134]712 {
[139]713 ret_val->elements[i].offset = IVAL(elements, i*elem_size);
[134]714 ret_val->elements[i].hash = 0;
715 }
[104]716 }
[134]717 else
718 {
[139]719 for (i=0; i < ret_val->num_children; i++)
[134]720 {
[139]721 ret_val->elements[i].offset = IVAL(elements, i*elem_size);
722 ret_val->elements[i].hash = IVAL(elements, i*elem_size+4);
[134]723 }
724 }
[139]725 free(elements);
[30]726
[104]727 return ret_val;
[150]728
729 fail:
730 if(elements != NULL)
731 free(elements);
732 talloc_free(ret_val);
733 return NULL;
[30]734}
735
736
[139]737/*******************************************************************
738 *******************************************************************/
[168]739REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16_t num_lists,
[139]740 REGFI_SUBKEY_LIST** lists,
741 bool strict)
742{
[168]743 uint32_t i,j,k;
[139]744 REGFI_SUBKEY_LIST* ret_val;
[102]745
[139]746 if(lists == NULL)
747 return NULL;
[150]748 ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[139]749
750 if(ret_val == NULL)
751 return NULL;
752
753 /* Obtain total number of elements */
754 ret_val->num_keys = 0;
755 for(i=0; i < num_lists; i++)
756 {
757 if(lists[i] != NULL)
758 ret_val->num_keys += lists[i]->num_children;
759 }
760 ret_val->num_children = ret_val->num_keys;
761
762 if(ret_val->num_keys > 0)
763 {
[150]764 ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
765 ret_val->num_keys);
[139]766 k=0;
767
768 if(ret_val->elements != NULL)
769 {
770 for(i=0; i < num_lists; i++)
771 {
772 if(lists[i] != NULL)
773 {
774 for(j=0; j < lists[i]->num_keys; j++)
775 {
[150]776 ret_val->elements[k].hash = lists[i]->elements[j].hash;
777 ret_val->elements[k++].offset = lists[i]->elements[j].offset;
[139]778 }
779 }
780 }
781 }
782 }
783
784 for(i=0; i < num_lists; i++)
785 regfi_subkeylist_free(lists[i]);
786 free(lists);
787
788 return ret_val;
789}
790
791
[147]792/******************************************************************************
793 *
794 ******************************************************************************/
[168]795REGFI_SK_REC* regfi_parse_sk(REGFI_FILE* file, uint32_t offset, uint32_t max_size,
[147]796 bool strict)
[30]797{
[135]798 REGFI_SK_REC* ret_val;
[168]799 uint8_t* sec_desc_buf = NULL;
800 uint32_t cell_length, length;
801 uint8_t sk_header[REGFI_SK_MIN_LENGTH];
[102]802 bool unalloc = false;
[30]803
[102]804 if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH,
805 &cell_length, &unalloc))
[137]806 {
[138]807 regfi_add_message(file, REGFI_MSG_WARN, "Could not parse SK record cell"
[137]808 " at offset 0x%.8X.", offset);
[102]809 return NULL;
[137]810 }
[102]811
812 if(sk_header[0] != 's' || sk_header[1] != 'k')
[137]813 {
[138]814 regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
815 " SK record at offset 0x%.8X.", offset);
[102]816 return NULL;
[137]817 }
818
[147]819 ret_val = talloc(NULL, REGFI_SK_REC);
[102]820 if(ret_val == NULL)
821 return NULL;
[30]822
[102]823 ret_val->offset = offset;
[116]824 /* XXX: Is there a way to be more conservative (shorter) with
825 * cell length when cell is unallocated?
[111]826 */
[102]827 ret_val->cell_size = cell_length;
[30]828
[102]829 if(ret_val->cell_size > max_size)
830 ret_val->cell_size = max_size & 0xFFFFFFF8;
831 if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
[157]832 || (strict && (ret_val->cell_size & 0x00000007) != 0))
[102]833 {
[138]834 regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size found while"
835 " parsing SK record at offset 0x%.8X.", offset);
[147]836 goto fail;
[102]837 }
[30]838
[102]839 ret_val->magic[0] = sk_header[0];
840 ret_val->magic[1] = sk_header[1];
[30]841
[102]842 ret_val->unknown_tag = SVAL(sk_header, 0x2);
843 ret_val->prev_sk_off = IVAL(sk_header, 0x4);
844 ret_val->next_sk_off = IVAL(sk_header, 0x8);
845 ret_val->ref_count = IVAL(sk_header, 0xC);
846 ret_val->desc_size = IVAL(sk_header, 0x10);
[30]847
[157]848 if((ret_val->prev_sk_off & 0x00000007) != 0
849 || (ret_val->next_sk_off & 0x00000007) != 0)
[140]850 {
851 regfi_add_message(file, REGFI_MSG_WARN, "SK record's next/previous offsets"
852 " are not a multiple of 8 while parsing SK record at"
853 " offset 0x%.8X.", offset);
[147]854 goto fail;
[140]855 }
856
[102]857 if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
858 {
[140]859 regfi_add_message(file, REGFI_MSG_WARN, "Security descriptor too large for"
[138]860 " cell while parsing SK record at offset 0x%.8X.",
861 offset);
[147]862 goto fail;
[102]863 }
[30]864
[168]865 sec_desc_buf = (uint8_t*)malloc(ret_val->desc_size);
[147]866 if(sec_desc_buf == NULL)
867 goto fail;
[102]868
[134]869 length = ret_val->desc_size;
870 if(regfi_read(file->fd, sec_desc_buf, &length) != 0
871 || length != ret_val->desc_size)
872 {
[138]873 regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read security"
874 " descriptor while parsing SK record at offset 0x%.8X.",
875 offset);
[147]876 goto fail;
[134]877 }
[102]878
[147]879 if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf,
880 ret_val->desc_size)))
[134]881 {
[138]882 regfi_add_message(file, REGFI_MSG_ERROR, "Failed to parse security"
883 " descriptor while parsing SK record at offset 0x%.8X.",
884 offset);
[147]885 goto fail;
[134]886 }
[147]887
[134]888 free(sec_desc_buf);
[147]889 return ret_val;
[134]890
[147]891 fail:
892 if(sec_desc_buf != NULL)
893 free(sec_desc_buf);
894 talloc_free(ret_val);
895 return NULL;
[30]896}
897
898
[168]899REGFI_VALUE_LIST* regfi_parse_valuelist(REGFI_FILE* file, uint32_t offset,
900 uint32_t num_values, bool strict)
[111]901{
[145]902 REGFI_VALUE_LIST* ret_val;
[168]903 uint32_t i, cell_length, length, read_len;
[111]904 bool unalloc;
[30]905
[111]906 if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
[137]907 {
[138]908 regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read cell header"
[137]909 " while parsing value list at offset 0x%.8X.", offset);
[111]910 return NULL;
[137]911 }
[111]912
[157]913 if((cell_length & 0x00000007) != 0)
[111]914 {
[145]915 regfi_add_message(file, REGFI_MSG_WARN, "Cell length not a multiple of 8"
916 " while parsing value list at offset 0x%.8X.", offset);
[111]917 if(strict)
918 return NULL;
919 cell_length = cell_length & 0xFFFFFFF8;
920 }
[145]921
[168]922 if((num_values * sizeof(uint32_t)) > cell_length-sizeof(uint32_t))
[137]923 {
[140]924 regfi_add_message(file, REGFI_MSG_WARN, "Too many values found"
[137]925 " while parsing value list at offset 0x%.8X.", offset);
[145]926 if(strict)
927 return NULL;
[168]928 num_values = cell_length/sizeof(uint32_t) - sizeof(uint32_t);
[137]929 }
[111]930
[168]931 read_len = num_values*sizeof(uint32_t);
[150]932 ret_val = talloc(NULL, REGFI_VALUE_LIST);
[111]933 if(ret_val == NULL)
934 return NULL;
935
[150]936 ret_val->elements = (REGFI_VALUE_LIST_ELEM*)talloc_size(ret_val, read_len);
[145]937 if(ret_val->elements == NULL)
938 {
[150]939 talloc_free(ret_val);
[145]940 return NULL;
941 }
942 ret_val->num_values = num_values;
943
[111]944 length = read_len;
[168]945 if((regfi_read(file->fd, (uint8_t*)ret_val->elements, &length) != 0)
[145]946 || length != read_len)
[111]947 {
[138]948 regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read value pointers"
[137]949 " while parsing value list at offset 0x%.8X.", offset);
[150]950 talloc_free(ret_val);
[111]951 return NULL;
952 }
953
954 for(i=0; i < num_values; i++)
955 {
956 /* Fix endianness */
[145]957 ret_val->elements[i] = IVAL(&ret_val->elements[i], 0);
[111]958
959 /* Validate the first num_values values to ensure they make sense */
960 if(strict)
961 {
[145]962 /* XXX: Need to revisit this file length check when we start dealing
963 * with partial files. */
964 if((ret_val->elements[i] + REGFI_REGF_SIZE > file->file_length)
[157]965 || ((ret_val->elements[i] & 0x00000007) != 0))
[111]966 {
[145]967 regfi_add_message(file, REGFI_MSG_WARN, "Invalid value pointer"
[138]968 " (0x%.8X) found while parsing value list at offset"
[145]969 " 0x%.8X.", ret_val->elements[i], offset);
[150]970 talloc_free(ret_val);
[111]971 return NULL;
972 }
973 }
974 }
975
976 return ret_val;
977}
978
979
[172]980void regfi_interpret_valuename(REGFI_FILE* file, REGFI_VK_REC* vk,
[162]981 REGFI_ENCODING output_encoding, bool strict)
[30]982{
[165]983 /* XXX: Registry value names are supposedly limited to 16383 characters
984 * according to:
985 * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
986 * Might want to emit a warning if this is exceeded.
987 * It is expected that "characters" could be variable width.
988 * Also, it may be useful to use this information to limit false positives
989 * when recovering deleted VK records.
990 */
[172]991 int32_t tmp_size;
992 REGFI_ENCODING from_encoding = (vk->flags & REGFI_VK_FLAG_ASCIINAME)
[162]993 ? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
[151]994
[162]995 if(from_encoding == output_encoding)
996 {
[172]997 vk->valuename_raw = talloc_realloc(vk, vk->valuename_raw,
998 uint8_t, vk->name_length+1);
999 vk->valuename_raw[vk->name_length] = '\0';
1000 vk->valuename = (char*)vk->valuename_raw;
[162]1001 }
1002 else
1003 {
[172]1004 vk->valuename = talloc_array(vk, char, vk->name_length+1);
1005 if(vk->valuename == NULL)
[162]1006 {
[172]1007 regfi_free_value(vk);
1008 return;
[162]1009 }
1010
1011 tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
1012 regfi_encoding_int2str(output_encoding),
[172]1013 vk->valuename_raw, vk->valuename,
1014 vk->name_length, vk->name_length+1);
[162]1015 if(tmp_size < 0)
1016 {
1017 regfi_add_message(file, REGFI_MSG_WARN, "Error occurred while converting"
1018 " valuename to encoding %s. Error message: %s",
1019 regfi_encoding_int2str(output_encoding),
1020 strerror(-tmp_size));
[172]1021 talloc_free(vk->valuename);
1022 vk->valuename = NULL;
[162]1023 }
1024 }
[172]1025}
[162]1026
[172]1027
1028/******************************************************************************
1029 ******************************************************************************/
1030REGFI_VK_REC* regfi_load_value(REGFI_FILE* file, uint32_t offset,
1031 REGFI_ENCODING output_encoding, bool strict)
1032{
1033 REGFI_VK_REC* ret_val = NULL;
1034 int32_t max_size;
1035
1036 max_size = regfi_calc_maxsize(file, offset);
1037 if(max_size < 0)
1038 return NULL;
1039
1040 ret_val = regfi_parse_vk(file, offset, max_size, strict);
1041 if(ret_val == NULL)
1042 return NULL;
1043
1044 regfi_interpret_valuename(file, ret_val, output_encoding, strict);
1045
[103]1046 return ret_val;
[30]1047}
1048
1049
[145]1050/******************************************************************************
1051 * If !strict, the list may contain NULLs, VK records may point to NULL.
1052 ******************************************************************************/
[168]1053REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32_t offset,
1054 uint32_t num_values, uint32_t max_size,
[145]1055 bool strict)
1056{
[168]1057 uint32_t usable_num_values;
[30]1058
[168]1059 if((num_values+1) * sizeof(uint32_t) > max_size)
[145]1060 {
1061 regfi_add_message(file, REGFI_MSG_WARN, "Number of values indicated by"
1062 " parent key (%d) would cause cell to straddle HBIN"
1063 " boundary while loading value list at offset"
1064 " 0x%.8X.", num_values, offset);
1065 if(strict)
1066 return NULL;
[168]1067 usable_num_values = max_size/sizeof(uint32_t) - sizeof(uint32_t);
[145]1068 }
1069 else
1070 usable_num_values = num_values;
1071
1072 return regfi_parse_valuelist(file, offset, usable_num_values, strict);
1073}
1074
1075
[172]1076void regfi_interpret_keyname(REGFI_FILE* file, REGFI_NK_REC* nk,
[161]1077 REGFI_ENCODING output_encoding, bool strict)
[30]1078{
[165]1079 /* XXX: Registry key names are supposedly limited to 255 characters according to:
1080 * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
1081 * Might want to emit a warning if this is exceeded.
1082 * It is expected that "characters" could be variable width.
1083 * Also, it may be useful to use this information to limit false positives
1084 * when recovering deleted NK records.
1085 */
[172]1086 int32_t tmp_size;
1087 REGFI_ENCODING from_encoding = (nk->flags & REGFI_NK_FLAG_ASCIINAME)
[161]1088 ? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
[172]1089
[161]1090 if(from_encoding == output_encoding)
1091 {
[168]1092 nk->keyname_raw = talloc_realloc(nk, nk->keyname_raw, uint8_t, nk->name_length+1);
[161]1093 nk->keyname_raw[nk->name_length] = '\0';
1094 nk->keyname = (char*)nk->keyname_raw;
1095 }
1096 else
1097 {
1098 nk->keyname = talloc_array(nk, char, nk->name_length+1);
1099 if(nk->keyname == NULL)
1100 {
1101 regfi_free_key(nk);
[172]1102 return;
[161]1103 }
1104
1105 tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
1106 regfi_encoding_int2str(output_encoding),
1107 nk->keyname_raw, nk->keyname,
1108 nk->name_length, nk->name_length+1);
1109 if(tmp_size < 0)
1110 {
1111 regfi_add_message(file, REGFI_MSG_WARN, "Error occurred while converting"
1112 " keyname to encoding %s. Error message: %s",
1113 regfi_encoding_int2str(output_encoding),
1114 strerror(-tmp_size));
1115 talloc_free(nk->keyname);
1116 nk->keyname = NULL;
1117 }
1118 }
[172]1119}
[161]1120
1121
[172]1122/******************************************************************************
1123 *
1124 ******************************************************************************/
1125REGFI_NK_REC* regfi_load_key(REGFI_FILE* file, uint32_t offset,
1126 REGFI_ENCODING output_encoding, bool strict)
1127{
1128 REGFI_NK_REC* nk;
1129 uint32_t off;
1130 int32_t max_size;
1131
1132 max_size = regfi_calc_maxsize(file, offset);
1133 if (max_size < 0)
1134 return NULL;
1135
1136 /* get the initial nk record */
1137 if((nk = regfi_parse_nk(file, offset, max_size, true)) == NULL)
1138 {
1139 regfi_add_message(file, REGFI_MSG_ERROR, "Could not load NK record at"
1140 " offset 0x%.8X.", offset);
1141 return NULL;
1142 }
1143
1144 regfi_interpret_keyname(file, nk, output_encoding, strict);
1145
[146]1146 /* get value list */
[135]1147 if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
[32]1148 {
[157]1149 off = nk->values_off + REGFI_REGF_SIZE;
1150 max_size = regfi_calc_maxsize(file, off);
1151 if(max_size < 0)
[32]1152 {
[105]1153 if(strict)
[32]1154 {
[150]1155 regfi_free_key(nk);
[99]1156 return NULL;
[31]1157 }
[105]1158 else
1159 nk->values = NULL;
[133]1160
[31]1161 }
[105]1162 else
[103]1163 {
[157]1164 nk->values = regfi_load_valuelist(file, off, nk->num_values,
1165 max_size, true);
[145]1166 if(nk->values == NULL)
[105]1167 {
[145]1168 regfi_add_message(file, REGFI_MSG_WARN, "Could not load value list"
1169 " for NK record at offset 0x%.8X.", offset);
1170 if(strict)
1171 {
[150]1172 regfi_free_key(nk);
[145]1173 return NULL;
1174 }
[105]1175 }
[150]1176 talloc_steal(nk, nk->values);
[103]1177 }
[31]1178 }
[105]1179
[146]1180 /* now get subkey list */
[135]1181 if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE))
[32]1182 {
[157]1183 off = nk->subkeys_off + REGFI_REGF_SIZE;
1184 max_size = regfi_calc_maxsize(file, off);
1185 if(max_size < 0)
[32]1186 {
[105]1187 if(strict)
[32]1188 {
[150]1189 regfi_free_key(nk);
[99]1190 return NULL;
[31]1191 }
[105]1192 else
1193 nk->subkeys = NULL;
[31]1194 }
[105]1195 else
[104]1196 {
[134]1197 nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys,
[157]1198 max_size, true);
[134]1199
[105]1200 if(nk->subkeys == NULL)
1201 {
[140]1202 regfi_add_message(file, REGFI_MSG_WARN, "Could not load subkey list"
1203 " while parsing NK record at offset 0x%.8X.", offset);
[105]1204 nk->num_subkeys = 0;
1205 }
[150]1206 talloc_steal(nk, nk->subkeys);
[104]1207 }
[31]1208 }
[30]1209
[99]1210 return nk;
[30]1211}
1212
[32]1213
[102]1214/******************************************************************************
1215 ******************************************************************************/
[168]1216const REGFI_SK_REC* regfi_load_sk(REGFI_FILE* file, uint32_t offset, bool strict)
[146]1217{
1218 REGFI_SK_REC* ret_val = NULL;
[168]1219 int32_t max_size;
[147]1220 void* failure_ptr = NULL;
1221
[146]1222 /* First look if we have already parsed it */
1223 ret_val = (REGFI_SK_REC*)lru_cache_find(file->sk_cache, &offset, 4);
1224
1225 /* Bail out if we have previously cached a parse failure at this offset. */
1226 if(ret_val == (void*)REGFI_OFFSET_NONE)
1227 return NULL;
1228
1229 if(ret_val == NULL)
1230 {
[157]1231 max_size = regfi_calc_maxsize(file, offset);
1232 if(max_size < 0)
[146]1233 return NULL;
1234
[157]1235 ret_val = regfi_parse_sk(file, offset, max_size, strict);
[146]1236 if(ret_val == NULL)
1237 { /* Cache the parse failure and bail out. */
[147]1238 failure_ptr = talloc(NULL, uint32_t);
1239 if(failure_ptr == NULL)
1240 return NULL;
1241 *(uint32_t*)failure_ptr = REGFI_OFFSET_NONE;
1242 lru_cache_update(file->sk_cache, &offset, 4, failure_ptr);
[146]1243 return NULL;
1244 }
1245
1246 lru_cache_update(file->sk_cache, &offset, 4, ret_val);
1247 }
1248
1249 return ret_val;
1250}
1251
1252
1253
1254/******************************************************************************
1255 ******************************************************************************/
[161]1256REGFI_NK_REC* regfi_find_root_nk(REGFI_FILE* file, const REGFI_HBIN* hbin,
1257 REGFI_ENCODING output_encoding)
[30]1258{
[135]1259 REGFI_NK_REC* nk = NULL;
[168]1260 uint32_t cell_length;
1261 uint32_t cur_offset = hbin->file_off+REGFI_HBIN_HEADER_SIZE;
1262 uint32_t hbin_end = hbin->file_off+hbin->block_size;
[158]1263 bool unalloc;
[30]1264
[158]1265 while(cur_offset < hbin_end)
[32]1266 {
[158]1267 if(!regfi_parse_cell(file->fd, cur_offset, NULL, 0, &cell_length, &unalloc))
1268 {
1269 regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell at offset"
1270 " 0x%.8X while searching for root key.", cur_offset);
1271 return NULL;
1272 }
[102]1273
[158]1274 if(!unalloc)
[102]1275 {
[161]1276 nk = regfi_load_key(file, cur_offset, output_encoding, true);
[102]1277 if(nk != NULL)
1278 {
[161]1279 if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]1280 return nk;
[102]1281 }
[31]1282 }
[30]1283
[158]1284 cur_offset += cell_length;
[31]1285 }
[32]1286
[158]1287 return NULL;
[30]1288}
1289
1290
[166]1291/******************************************************************************
1292 ******************************************************************************/
[135]1293REGFI_FILE* regfi_open(const char* filename)
[30]1294{
[166]1295 REGFI_FILE* ret_val;
[97]1296 int fd;
[30]1297
[97]1298 /* open an existing file */
[143]1299 if ((fd = open(filename, REGFI_OPEN_FLAGS)) == -1)
[97]1300 {
[143]1301 /* fprintf(stderr, "regfi_open: failure to open %s (%s)\n", filename, strerror(errno));*/
[31]1302 return NULL;
1303 }
[166]1304
1305 ret_val = regfi_alloc(fd);
1306
1307 if(ret_val == NULL)
1308 close(fd);
1309
1310 return ret_val;
1311}
1312
1313
1314/******************************************************************************
1315 ******************************************************************************/
1316REGFI_FILE* regfi_alloc(int fd)
1317{
1318 struct stat sbuf;
1319 REGFI_FILE* rb;
1320 REGFI_HBIN* hbin = NULL;
[168]1321 uint32_t hbin_off, file_length, cache_secret;
[166]1322 bool rla;
1323
[137]1324 /* Determine file length. Must be at least big enough
1325 * for the header and one hbin.
1326 */
1327 if (fstat(fd, &sbuf) == -1)
1328 return NULL;
1329 file_length = sbuf.st_size;
1330 if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC)
1331 return NULL;
1332
[166]1333 /* Read file header */
[97]1334 if ((rb = regfi_parse_regf(fd, true)) == NULL)
1335 {
[166]1336 /* fprintf(stderr, "regfi_alloc: Failed to read initial REGF block\n"); */
[31]1337 return NULL;
1338 }
[137]1339 rb->file_length = file_length;
1340
[99]1341 rb->hbins = range_list_new();
[110]1342 if(rb->hbins == NULL)
[99]1343 {
[166]1344 /* fprintf(stderr, "regfi_alloc: Failed to create HBIN list.\n"); */
[150]1345 talloc_free(rb);
[99]1346 return NULL;
1347 }
[150]1348 talloc_steal(rb, rb->hbins);
1349
[106]1350 rla = true;
[135]1351 hbin_off = REGFI_REGF_SIZE;
[110]1352 hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]1353 while(hbin && rla)
1354 {
[137]1355 rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
[148]1356 if(rla)
1357 talloc_steal(rb->hbins, hbin);
[106]1358 hbin_off = hbin->file_off + hbin->block_size;
[110]1359 hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]1360 }
1361
[146]1362 /* This secret isn't very secret, but we don't need a good one. This
1363 * secret is just designed to prevent someone from trying to blow our
1364 * caching and make things slow.
1365 */
1366 cache_secret = 0x15DEAD05^time(NULL)^(getpid()<<16);
1367
1368 /* Cache an unlimited number of SK records. Typically there are very few. */
[150]1369 rb->sk_cache = lru_cache_create_ctx(rb, 0, cache_secret, true);
[146]1370
[138]1371 /* Default message mask */
1372 rb->msg_mask = REGFI_MSG_ERROR|REGFI_MSG_WARN;
1373
[31]1374 /* success */
1375 return rb;
[30]1376}
1377
1378
[148]1379/******************************************************************************
1380 ******************************************************************************/
[166]1381int regfi_close(REGFI_FILE* file)
[30]1382{
[31]1383 int fd;
[30]1384
[31]1385 /* nothing to do if there is no open file */
[99]1386 if ((file == NULL) || (file->fd == -1))
1387 return 0;
[30]1388
[31]1389 fd = file->fd;
1390 file->fd = -1;
[148]1391
[166]1392 regfi_free(file);
[106]1393
[166]1394 return close(fd);
1395}
[148]1396
[166]1397
1398/******************************************************************************
1399 ******************************************************************************/
1400void regfi_free(REGFI_FILE *file)
1401{
1402 if(file->last_message != NULL)
[167]1403 free(file->last_message);
[166]1404
[150]1405 talloc_free(file);
[30]1406}
1407
1408
[80]1409/******************************************************************************
[158]1410 * First checks the offset given by the file header, then checks the
1411 * rest of the file if that fails.
[148]1412 ******************************************************************************/
[161]1413REGFI_NK_REC* regfi_rootkey(REGFI_FILE* file, REGFI_ENCODING output_encoding)
[30]1414{
[135]1415 REGFI_NK_REC* nk = NULL;
[146]1416 REGFI_HBIN* hbin;
[168]1417 uint32_t root_offset, i, num_hbins;
[99]1418
1419 if(!file)
[31]1420 return NULL;
[99]1421
[158]1422 root_offset = file->root_cell+REGFI_REGF_SIZE;
[161]1423 nk = regfi_load_key(file, root_offset, output_encoding, true);
[158]1424 if(nk != NULL)
1425 {
[161]1426 if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]1427 return nk;
1428 }
1429
1430 regfi_add_message(file, REGFI_MSG_WARN, "File header indicated root key at"
1431 " location 0x%.8X, but no root key found."
1432 " Searching rest of file...", root_offset);
1433
1434 /* If the file header gives bad info, scan through the file one HBIN
1435 * block at a time looking for an NK record with a root key type.
[146]1436 */
[107]1437 num_hbins = range_list_size(file->hbins);
[158]1438 for(i=0; i < num_hbins && nk == NULL; i++)
[99]1439 {
[135]1440 hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data;
[161]1441 nk = regfi_find_root_nk(file, hbin, output_encoding);
[31]1442 }
[30]1443
[80]1444 return nk;
[30]1445}
1446
1447
[80]1448/******************************************************************************
1449 *****************************************************************************/
[150]1450void regfi_free_key(REGFI_NK_REC* nk)
[30]1451{
[127]1452 regfi_subkeylist_free(nk->subkeys);
[150]1453 talloc_free(nk);
1454}
[127]1455
[80]1456
[150]1457/******************************************************************************
1458 *****************************************************************************/
1459void regfi_free_value(REGFI_VK_REC* vk)
1460{
1461 talloc_free(vk);
[80]1462}
1463
1464
1465/******************************************************************************
1466 *****************************************************************************/
[135]1467void regfi_subkeylist_free(REGFI_SUBKEY_LIST* list)
[127]1468{
1469 if(list != NULL)
1470 {
[150]1471 talloc_free(list);
[127]1472 }
1473}
1474
1475
1476/******************************************************************************
1477 *****************************************************************************/
[161]1478REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* file,
1479 REGFI_ENCODING output_encoding)
[80]1480{
[135]1481 REGFI_NK_REC* root;
[161]1482 REGFI_ITERATOR* ret_val;
1483
1484 if(output_encoding != REGFI_ENCODING_UTF8
1485 && output_encoding != REGFI_ENCODING_ASCII)
1486 {
1487 regfi_add_message(file, REGFI_MSG_ERROR, "Invalid output_encoding supplied"
1488 " in creation of regfi iterator.");
1489 return NULL;
1490 }
1491
1492 ret_val = talloc(NULL, REGFI_ITERATOR);
[80]1493 if(ret_val == NULL)
1494 return NULL;
1495
[161]1496 root = regfi_rootkey(file, output_encoding);
[80]1497 if(root == NULL)
1498 {
[150]1499 talloc_free(ret_val);
[80]1500 return NULL;
1501 }
1502
[135]1503 ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH);
[80]1504 if(ret_val->key_positions == NULL)
1505 {
[150]1506 talloc_free(ret_val);
[80]1507 return NULL;
1508 }
[150]1509 talloc_steal(ret_val, ret_val->key_positions);
[80]1510
[159]1511 ret_val->f = file;
[80]1512 ret_val->cur_key = root;
1513 ret_val->cur_subkey = 0;
1514 ret_val->cur_value = 0;
[161]1515 ret_val->string_encoding = output_encoding;
1516
[80]1517 return ret_val;
1518}
1519
1520
1521/******************************************************************************
1522 *****************************************************************************/
1523void regfi_iterator_free(REGFI_ITERATOR* i)
1524{
[150]1525 talloc_free(i);
[80]1526}
1527
1528
1529
1530/******************************************************************************
1531 *****************************************************************************/
1532/* XXX: some way of indicating reason for failure should be added. */
1533bool regfi_iterator_down(REGFI_ITERATOR* i)
1534{
[135]1535 REGFI_NK_REC* subkey;
[80]1536 REGFI_ITER_POSITION* pos;
1537
[150]1538 pos = talloc(i->key_positions, REGFI_ITER_POSITION);
[80]1539 if(pos == NULL)
1540 return false;
1541
[135]1542 subkey = (REGFI_NK_REC*)regfi_iterator_cur_subkey(i);
[80]1543 if(subkey == NULL)
1544 {
[150]1545 talloc_free(pos);
[80]1546 return false;
1547 }
1548
1549 pos->nk = i->cur_key;
1550 pos->cur_subkey = i->cur_subkey;
1551 if(!void_stack_push(i->key_positions, pos))
1552 {
[150]1553 talloc_free(pos);
1554 regfi_free_key(subkey);
[80]1555 return false;
1556 }
[150]1557 talloc_steal(i, subkey);
[80]1558
1559 i->cur_key = subkey;
1560 i->cur_subkey = 0;
1561 i->cur_value = 0;
1562
1563 return true;
1564}
1565
1566
1567/******************************************************************************
1568 *****************************************************************************/
1569bool regfi_iterator_up(REGFI_ITERATOR* i)
1570{
1571 REGFI_ITER_POSITION* pos;
1572
1573 pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
1574 if(pos == NULL)
1575 return false;
1576
[150]1577 regfi_free_key(i->cur_key);
[80]1578 i->cur_key = pos->nk;
1579 i->cur_subkey = pos->cur_subkey;
1580 i->cur_value = 0;
[150]1581 talloc_free(pos);
[80]1582
1583 return true;
1584}
1585
1586
1587/******************************************************************************
1588 *****************************************************************************/
1589bool regfi_iterator_to_root(REGFI_ITERATOR* i)
1590{
1591 while(regfi_iterator_up(i))
1592 continue;
1593
1594 return true;
1595}
1596
1597
1598/******************************************************************************
1599 *****************************************************************************/
1600bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
1601{
[135]1602 REGFI_NK_REC* subkey;
[80]1603 bool found = false;
[168]1604 uint32_t old_subkey = i->cur_subkey;
[133]1605
[80]1606 if(subkey_name == NULL)
1607 return false;
1608
1609 /* XXX: this alloc/free of each sub key might be a bit excessive */
[135]1610 subkey = (REGFI_NK_REC*)regfi_iterator_first_subkey(i);
[80]1611 while((subkey != NULL) && (found == false))
1612 {
1613 if(subkey->keyname != NULL
1614 && strcasecmp(subkey->keyname, subkey_name) == 0)
1615 found = true;
[82]1616 else
1617 {
[150]1618 regfi_free_key(subkey);
[135]1619 subkey = (REGFI_NK_REC*)regfi_iterator_next_subkey(i);
[82]1620 }
[80]1621 }
1622
1623 if(found == false)
1624 {
1625 i->cur_subkey = old_subkey;
1626 return false;
1627 }
1628
[150]1629 regfi_free_key(subkey);
[80]1630 return true;
1631}
1632
1633
1634/******************************************************************************
1635 *****************************************************************************/
1636bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
1637{
[168]1638 uint32_t x;
[80]1639 if(path == NULL)
1640 return false;
1641
1642 for(x=0;
1643 ((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
1644 && regfi_iterator_down(i));
1645 x++)
1646 { continue; }
1647
1648 if(path[x] == NULL)
1649 return true;
1650
1651 /* XXX: is this the right number of times? */
1652 for(; x > 0; x--)
1653 regfi_iterator_up(i);
1654
1655 return false;
1656}
1657
1658
1659/******************************************************************************
1660 *****************************************************************************/
[135]1661const REGFI_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]1662{
1663 return i->cur_key;
1664}
1665
1666
1667/******************************************************************************
1668 *****************************************************************************/
[135]1669const REGFI_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i)
[109]1670{
[146]1671 if(i->cur_key == NULL || i->cur_key->sk_off == REGFI_OFFSET_NONE)
[109]1672 return NULL;
1673
[146]1674 return regfi_load_sk(i->f, i->cur_key->sk_off + REGFI_REGF_SIZE, true);
[109]1675}
1676
1677
1678/******************************************************************************
1679 *****************************************************************************/
[150]1680REGFI_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]1681{
1682 i->cur_subkey = 0;
1683 return regfi_iterator_cur_subkey(i);
1684}
1685
1686
1687/******************************************************************************
1688 *****************************************************************************/
[150]1689REGFI_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]1690{
[168]1691 uint32_t nk_offset;
[80]1692
[31]1693 /* see if there is anything left to report */
[135]1694 if (!(i->cur_key) || (i->cur_key->subkeys_off==REGFI_OFFSET_NONE)
[80]1695 || (i->cur_subkey >= i->cur_key->num_subkeys))
[31]1696 return NULL;
[30]1697
[139]1698 nk_offset = i->cur_key->subkeys->elements[i->cur_subkey].offset;
[133]1699
[161]1700 return regfi_load_key(i->f, nk_offset+REGFI_REGF_SIZE, i->string_encoding,
1701 true);
[30]1702}
[80]1703
1704
1705/******************************************************************************
1706 *****************************************************************************/
1707/* XXX: some way of indicating reason for failure should be added. */
[150]1708REGFI_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]1709{
[150]1710 REGFI_NK_REC* subkey;
[80]1711
1712 i->cur_subkey++;
1713 subkey = regfi_iterator_cur_subkey(i);
1714
1715 if(subkey == NULL)
1716 i->cur_subkey--;
1717
1718 return subkey;
1719}
1720
1721
1722/******************************************************************************
1723 *****************************************************************************/
1724bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
1725{
[150]1726 REGFI_VK_REC* cur;
[80]1727 bool found = false;
[168]1728 uint32_t old_value = i->cur_value;
[80]1729
1730 /* XXX: cur->valuename can be NULL in the registry.
1731 * Should we allow for a way to search for that?
1732 */
1733 if(value_name == NULL)
1734 return false;
1735
1736 cur = regfi_iterator_first_value(i);
1737 while((cur != NULL) && (found == false))
1738 {
1739 if((cur->valuename != NULL)
1740 && (strcasecmp(cur->valuename, value_name) == 0))
1741 found = true;
[95]1742 else
[150]1743 {
1744 regfi_free_value(cur);
[95]1745 cur = regfi_iterator_next_value(i);
[150]1746 }
[80]1747 }
[167]1748
1749 if(found == false)
1750 {
1751 i->cur_value = old_value;
1752 return false;
1753 }
[80]1754
[167]1755 regfi_free_value(cur);
1756 return true;
[80]1757}
1758
1759
1760/******************************************************************************
1761 *****************************************************************************/
[150]1762REGFI_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]1763{
1764 i->cur_value = 0;
1765 return regfi_iterator_cur_value(i);
1766}
1767
1768
1769/******************************************************************************
1770 *****************************************************************************/
[150]1771REGFI_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]1772{
[150]1773 REGFI_VK_REC* ret_val = NULL;
[168]1774 uint32_t voffset;
[80]1775
[145]1776 if(i->cur_key->values != NULL && i->cur_key->values->elements != NULL)
1777 {
1778 if(i->cur_value < i->cur_key->values->num_values)
1779 {
1780 voffset = i->cur_key->values->elements[i->cur_value];
[162]1781 ret_val = regfi_load_value(i->f, voffset+REGFI_REGF_SIZE,
1782 i->string_encoding, true);
[145]1783 }
1784 }
1785
[80]1786 return ret_val;
1787}
1788
1789
1790/******************************************************************************
1791 *****************************************************************************/
[150]1792REGFI_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]1793{
[150]1794 REGFI_VK_REC* ret_val;
[80]1795
1796 i->cur_value++;
1797 ret_val = regfi_iterator_cur_value(i);
1798 if(ret_val == NULL)
1799 i->cur_value--;
1800
1801 return ret_val;
1802}
[97]1803
1804
[159]1805/******************************************************************************
1806 *****************************************************************************/
[160]1807REGFI_CLASSNAME* regfi_iterator_fetch_classname(REGFI_ITERATOR* i,
1808 const REGFI_NK_REC* key)
1809{
1810 REGFI_CLASSNAME* ret_val;
[168]1811 uint8_t* raw;
[160]1812 char* interpreted;
[168]1813 uint32_t offset;
1814 int32_t conv_size, max_size;
1815 uint16_t parse_length;
[160]1816
1817 if(key->classname_off == REGFI_OFFSET_NONE || key->classname_length == 0)
1818 return NULL;
1819
1820 offset = key->classname_off + REGFI_REGF_SIZE;
1821 max_size = regfi_calc_maxsize(i->f, offset);
1822 if(max_size <= 0)
1823 return NULL;
1824
1825 parse_length = key->classname_length;
1826 raw = regfi_parse_classname(i->f, offset, &parse_length, max_size, true);
1827
1828 if(raw == NULL)
1829 {
1830 regfi_add_message(i->f, REGFI_MSG_WARN, "Could not parse class"
1831 " name at offset 0x%.8X for key record at offset 0x%.8X.",
1832 offset, key->offset);
1833 return NULL;
1834 }
1835
1836 ret_val = talloc(NULL, REGFI_CLASSNAME);
1837 if(ret_val == NULL)
1838 return NULL;
1839
1840 ret_val->raw = raw;
1841 ret_val->size = parse_length;
1842 talloc_steal(ret_val, raw);
1843
1844 interpreted = talloc_array(NULL, char, parse_length);
1845
[161]1846 conv_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
1847 regfi_encoding_int2str(i->string_encoding),
[160]1848 raw, interpreted,
1849 parse_length, parse_length);
1850 if(conv_size < 0)
1851 {
1852 regfi_add_message(i->f, REGFI_MSG_WARN, "Error occurred while"
1853 " converting classname to charset %s. Error message: %s",
1854 i->string_encoding, strerror(-conv_size));
1855 talloc_free(interpreted);
1856 ret_val->interpreted = NULL;
1857 }
1858 else
1859 {
1860 interpreted = talloc_realloc(NULL, interpreted, char, conv_size);
1861 ret_val->interpreted = interpreted;
1862 talloc_steal(ret_val, interpreted);
1863 }
1864
1865 return ret_val;
1866}
1867
1868
1869/******************************************************************************
1870 *****************************************************************************/
[159]1871REGFI_DATA* regfi_iterator_fetch_data(REGFI_ITERATOR* i,
1872 const REGFI_VK_REC* value)
1873{
1874 REGFI_DATA* ret_val = NULL;
1875 REGFI_BUFFER raw_data;
1876
1877 if(value->data_size != 0)
1878 {
1879 raw_data = regfi_load_data(i->f, value->data_off, value->data_size,
1880 value->data_in_offset, true);
1881 if(raw_data.buf == NULL)
1882 {
1883 regfi_add_message(i->f, REGFI_MSG_WARN, "Could not parse data record"
1884 " while parsing VK record at offset 0x%.8X.",
1885 value->offset);
1886 }
1887 else
1888 {
1889 ret_val = regfi_buffer_to_data(raw_data);
1890
1891 if(ret_val == NULL)
1892 {
1893 regfi_add_message(i->f, REGFI_MSG_WARN, "Error occurred in converting"
1894 " data buffer to data structure while interpreting "
1895 "data for VK record at offset 0x%.8X.",
1896 value->offset);
1897 talloc_free(raw_data.buf);
1898 return NULL;
1899 }
1900
1901 if(!regfi_interpret_data(i->f, i->string_encoding, value->type, ret_val))
1902 {
1903 regfi_add_message(i->f, REGFI_MSG_INFO, "Error occurred while"
1904 " interpreting data for VK record at offset 0x%.8X.",
1905 value->offset);
1906 }
1907 }
1908 }
1909
1910 return ret_val;
1911}
1912
1913
1914/******************************************************************************
1915 *****************************************************************************/
[160]1916void regfi_free_classname(REGFI_CLASSNAME* classname)
1917{
1918 talloc_free(classname);
1919}
1920
1921/******************************************************************************
1922 *****************************************************************************/
[159]1923void regfi_free_data(REGFI_DATA* data)
1924{
1925 talloc_free(data);
1926}
1927
1928
1929/******************************************************************************
1930 *****************************************************************************/
1931REGFI_DATA* regfi_buffer_to_data(REGFI_BUFFER raw_data)
1932{
1933 REGFI_DATA* ret_val;
1934
1935 if(raw_data.buf == NULL)
1936 return NULL;
1937
1938 ret_val = talloc(NULL, REGFI_DATA);
1939 if(ret_val == NULL)
1940 return NULL;
1941
1942 talloc_steal(ret_val, raw_data.buf);
1943 ret_val->raw = raw_data.buf;
1944 ret_val->size = raw_data.len;
1945 ret_val->interpreted_size = 0;
1946 ret_val->interpreted.qword = 0;
1947
1948 return ret_val;
1949}
1950
1951
1952/******************************************************************************
1953 *****************************************************************************/
[161]1954bool regfi_interpret_data(REGFI_FILE* file, REGFI_ENCODING string_encoding,
[168]1955 uint32_t type, REGFI_DATA* data)
[159]1956{
[168]1957 uint8_t** tmp_array;
1958 uint8_t* tmp_str;
1959 int32_t tmp_size;
1960 uint32_t i, j, array_size;
[159]1961
1962 if(data == NULL)
1963 return false;
1964
1965 switch (type)
1966 {
1967 case REG_SZ:
1968 case REG_EXPAND_SZ:
1969 /* REG_LINK is a symbolic link, stored as a unicode string. */
1970 case REG_LINK:
[168]1971 tmp_str = talloc_array(NULL, uint8_t, data->size);
[159]1972 if(tmp_str == NULL)
1973 {
1974 data->interpreted.string = NULL;
1975 data->interpreted_size = 0;
1976 return false;
1977 }
1978
[161]1979 tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
1980 regfi_encoding_int2str(string_encoding),
[159]1981 data->raw, (char*)tmp_str,
1982 data->size, data->size);
1983 if(tmp_size < 0)
1984 {
1985 regfi_add_message(file, REGFI_MSG_INFO, "Error occurred while"
1986 " converting data of type %d to %s. Error message: %s",
1987 type, string_encoding, strerror(-tmp_size));
1988 talloc_free(tmp_str);
1989 data->interpreted.string = NULL;
1990 data->interpreted_size = 0;
1991 return false;
1992 }
1993
[168]1994 tmp_str = talloc_realloc(NULL, tmp_str, uint8_t, tmp_size);
[159]1995 data->interpreted.string = tmp_str;
1996 data->interpreted_size = tmp_size;
1997 talloc_steal(data, tmp_str);
1998 break;
1999
2000 case REG_DWORD:
2001 if(data->size < 4)
2002 {
2003 data->interpreted.dword = 0;
2004 data->interpreted_size = 0;
2005 return false;
2006 }
2007 data->interpreted.dword = IVAL(data->raw, 0);
2008 data->interpreted_size = 4;
2009 break;
2010
2011 case REG_DWORD_BE:
2012 if(data->size < 4)
2013 {
2014 data->interpreted.dword_be = 0;
2015 data->interpreted_size = 0;
2016 return false;
2017 }
2018 data->interpreted.dword_be = RIVAL(data->raw, 0);
2019 data->interpreted_size = 4;
2020 break;
2021
2022 case REG_QWORD:
2023 if(data->size < 8)
2024 {
2025 data->interpreted.qword = 0;
2026 data->interpreted_size = 0;
2027 return false;
2028 }
2029 data->interpreted.qword =
[168]2030 (uint64_t)IVAL(data->raw, 0) + (((uint64_t)IVAL(data->raw, 4))<<32);
[159]2031 data->interpreted_size = 8;
2032 break;
2033
2034 case REG_MULTI_SZ:
[168]2035 tmp_str = talloc_array(NULL, uint8_t, data->size);
[159]2036 if(tmp_str == NULL)
2037 {
2038 data->interpreted.multiple_string = NULL;
2039 data->interpreted_size = 0;
2040 return false;
2041 }
2042
2043 /* Attempt to convert entire string from UTF-16LE to output encoding,
2044 * then parse and quote fields individually.
2045 */
[161]2046 tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
2047 regfi_encoding_int2str(string_encoding),
[159]2048 data->raw, (char*)tmp_str,
2049 data->size, data->size);
2050 if(tmp_size < 0)
2051 {
2052 regfi_add_message(file, REGFI_MSG_INFO, "Error occurred while"
2053 " converting data of type %d to %s. Error message: %s",
2054 type, string_encoding, strerror(-tmp_size));
2055 talloc_free(tmp_str);
2056 data->interpreted.multiple_string = NULL;
2057 data->interpreted_size = 0;
2058 return false;
2059 }
2060
2061 array_size = tmp_size+1;
[168]2062 tmp_array = talloc_array(NULL, uint8_t*, array_size);
[159]2063 if(tmp_array == NULL)
2064 {
2065 talloc_free(tmp_str);
2066 data->interpreted.string = NULL;
2067 data->interpreted_size = 0;
2068 return false;
2069 }
2070
2071 tmp_array[0] = tmp_str;
2072 for(i=0,j=1; i < tmp_size && j < array_size-1; i++)
2073 {
2074 if(tmp_str[i] == '\0' && (i+1 < tmp_size))
2075 tmp_array[j++] = tmp_str+i+1;
2076 }
2077 tmp_array[j] = NULL;
[168]2078 tmp_array = talloc_realloc(NULL, tmp_array, uint8_t*, j+1);
[159]2079 data->interpreted.multiple_string = tmp_array;
2080 /* XXX: how meaningful is this? should we store number of strings instead? */
2081 data->interpreted_size = tmp_size;
2082 talloc_steal(tmp_array, tmp_str);
2083 talloc_steal(data, tmp_array);
2084 break;
2085
2086 /* XXX: Dont know how to interpret these yet, just treat as binary */
2087 case REG_NONE:
2088 data->interpreted.none = data->raw;
2089 data->interpreted_size = data->size;
2090 break;
2091
2092 case REG_RESOURCE_LIST:
2093 data->interpreted.resource_list = data->raw;
2094 data->interpreted_size = data->size;
2095 break;
2096
2097 case REG_FULL_RESOURCE_DESCRIPTOR:
2098 data->interpreted.full_resource_descriptor = data->raw;
2099 data->interpreted_size = data->size;
2100 break;
2101
2102 case REG_RESOURCE_REQUIREMENTS_LIST:
2103 data->interpreted.resource_requirements_list = data->raw;
2104 data->interpreted_size = data->size;
2105 break;
2106
2107 case REG_BINARY:
2108 data->interpreted.binary = data->raw;
2109 data->interpreted_size = data->size;
2110 break;
2111
2112 default:
2113 data->interpreted.qword = 0;
2114 data->interpreted_size = 0;
2115 return false;
2116 }
2117
2118 data->type = type;
2119 return true;
2120}
2121
2122
[166]2123/******************************************************************************
[159]2124 * Convert from UTF-16LE to specified character set.
2125 * On error, returns a negative errno code.
[166]2126 *****************************************************************************/
[168]2127int32_t regfi_conv_charset(const char* input_charset, const char* output_charset,
2128 uint8_t* input, char* output,
2129 uint32_t input_len, uint32_t output_max)
[159]2130{
2131 iconv_t conv_desc;
2132 char* inbuf = (char*)input;
2133 char* outbuf = output;
2134 size_t in_len = (size_t)input_len;
2135 size_t out_len = (size_t)(output_max-1);
2136 int ret;
2137
[161]2138 /* XXX: Consider creating a couple of conversion descriptors earlier,
2139 * storing them on an iterator so they don't have to be recreated
2140 * each time.
2141 */
2142
[159]2143 /* Set up conversion descriptor. */
[161]2144 conv_desc = iconv_open(output_charset, input_charset);
[159]2145
2146 ret = iconv(conv_desc, &inbuf, &in_len, &outbuf, &out_len);
2147 if(ret == -1)
2148 {
2149 iconv_close(conv_desc);
2150 return -errno;
2151 }
2152 *outbuf = '\0';
2153
2154 iconv_close(conv_desc);
2155 return output_max-out_len-1;
2156}
2157
2158
2159
2160/*******************************************************************
[97]2161 * Computes the checksum of the registry file header.
[159]2162 * buffer must be at least the size of a regf header (4096 bytes).
[97]2163 *******************************************************************/
[168]2164static uint32_t regfi_compute_header_checksum(uint8_t* buffer)
[97]2165{
[168]2166 uint32_t checksum, x;
[97]2167 int i;
2168
2169 /* XOR of all bytes 0x0000 - 0x01FB */
2170
2171 checksum = x = 0;
2172
2173 for ( i=0; i<0x01FB; i+=4 ) {
2174 x = IVAL(buffer, i );
2175 checksum ^= x;
2176 }
2177
2178 return checksum;
2179}
2180
2181
2182/*******************************************************************
[116]2183 * XXX: Add way to return more detailed error information.
[97]2184 *******************************************************************/
[135]2185REGFI_FILE* regfi_parse_regf(int fd, bool strict)
[97]2186{
[168]2187 uint8_t file_header[REGFI_REGF_SIZE];
2188 uint32_t length;
[135]2189 REGFI_FILE* ret_val;
[97]2190
[150]2191 ret_val = talloc(NULL, REGFI_FILE);
[97]2192 if(ret_val == NULL)
2193 return NULL;
2194
2195 ret_val->fd = fd;
[150]2196 ret_val->sk_cache = NULL;
2197 ret_val->last_message = NULL;
2198 ret_val->hbins = NULL;
2199
[135]2200 length = REGFI_REGF_SIZE;
[150]2201 if((regfi_read(fd, file_header, &length)) != 0 || length != REGFI_REGF_SIZE)
2202 goto fail;
2203
[97]2204 ret_val->checksum = IVAL(file_header, 0x1FC);
2205 ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
2206 if (strict && (ret_val->checksum != ret_val->computed_checksum))
[150]2207 goto fail;
[97]2208
[135]2209 memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
[150]2210 if(memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0)
[97]2211 {
[150]2212 if(strict)
2213 goto fail;
2214 regfi_add_message(ret_val, REGFI_MSG_WARN, "Magic number mismatch "
2215 "(%.2X %.2X %.2X %.2X) while parsing hive header",
[151]2216 ret_val->magic[0], ret_val->magic[1],
[150]2217 ret_val->magic[2], ret_val->magic[3]);
[97]2218 }
[151]2219 ret_val->sequence1 = IVAL(file_header, 0x4);
2220 ret_val->sequence2 = IVAL(file_header, 0x8);
[97]2221 ret_val->mtime.low = IVAL(file_header, 0xC);
2222 ret_val->mtime.high = IVAL(file_header, 0x10);
[151]2223 ret_val->major_version = IVAL(file_header, 0x14);
2224 ret_val->minor_version = IVAL(file_header, 0x18);
2225 ret_val->type = IVAL(file_header, 0x1C);
2226 ret_val->format = IVAL(file_header, 0x20);
2227 ret_val->root_cell = IVAL(file_header, 0x24);
[97]2228 ret_val->last_block = IVAL(file_header, 0x28);
2229
[151]2230 ret_val->cluster = IVAL(file_header, 0x2C);
[97]2231
[151]2232 memcpy(ret_val->file_name, file_header+0x30, REGFI_REGF_NAME_SIZE);
2233
2234 /* XXX: Should we add a warning if these uuid parsers fail? Can they? */
2235 ret_val->rm_id = winsec_parse_uuid(ret_val, file_header+0x70, 16);
2236 ret_val->log_id = winsec_parse_uuid(ret_val, file_header+0x80, 16);
2237 ret_val->flags = IVAL(file_header, 0x90);
2238 ret_val->tm_id = winsec_parse_uuid(ret_val, file_header+0x94, 16);
2239 ret_val->guid_signature = IVAL(file_header, 0xa4);
2240
2241 memcpy(ret_val->reserved1, file_header+0xa8, REGFI_REGF_RESERVED1_SIZE);
2242 memcpy(ret_val->reserved2, file_header+0x200, REGFI_REGF_RESERVED2_SIZE);
2243
2244 ret_val->thaw_tm_id = winsec_parse_uuid(ret_val, file_header+0xFC8, 16);
2245 ret_val->thaw_rm_id = winsec_parse_uuid(ret_val, file_header+0xFD8, 16);
2246 ret_val->thaw_log_id = winsec_parse_uuid(ret_val, file_header+0xFE8, 16);
[152]2247 ret_val->boot_type = IVAL(file_header, 0xFF8);
2248 ret_val->boot_recover = IVAL(file_header, 0xFFC);
[151]2249
[97]2250 return ret_val;
[150]2251
2252 fail:
2253 talloc_free(ret_val);
2254 return NULL;
[97]2255}
2256
2257
2258
[148]2259/******************************************************************************
[97]2260 * Given real file offset, read and parse the hbin at that location
[110]2261 * along with it's associated cells.
[148]2262 ******************************************************************************/
[168]2263REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32_t offset, bool strict)
[97]2264{
[135]2265 REGFI_HBIN *hbin;
[168]2266 uint8_t hbin_header[REGFI_HBIN_HEADER_SIZE];
2267 uint32_t length;
[99]2268
2269 if(offset >= file->file_length)
2270 return NULL;
[97]2271
2272 if(lseek(file->fd, offset, SEEK_SET) == -1)
[137]2273 {
[138]2274 regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]2275 " while parsing hbin at offset 0x%.8X.", offset);
[97]2276 return NULL;
[137]2277 }
[97]2278
[135]2279 length = REGFI_HBIN_HEADER_SIZE;
[97]2280 if((regfi_read(file->fd, hbin_header, &length) != 0)
[135]2281 || length != REGFI_HBIN_HEADER_SIZE)
[97]2282 return NULL;
2283
2284 if(lseek(file->fd, offset, SEEK_SET) == -1)
[137]2285 {
[138]2286 regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]2287 " while parsing hbin at offset 0x%.8X.", offset);
[97]2288 return NULL;
[137]2289 }
[97]2290
[148]2291 hbin = talloc(NULL, REGFI_HBIN);
2292 if(hbin == NULL)
[99]2293 return NULL;
2294 hbin->file_off = offset;
2295
[97]2296 memcpy(hbin->magic, hbin_header, 4);
2297 if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
[99]2298 {
[138]2299 regfi_add_message(file, REGFI_MSG_INFO, "Magic number mismatch "
2300 "(%.2X %.2X %.2X %.2X) while parsing hbin at offset"
2301 " 0x%.8X.", hbin->magic[0], hbin->magic[1],
2302 hbin->magic[2], hbin->magic[3], offset);
[148]2303 talloc_free(hbin);
[97]2304 return NULL;
[99]2305 }
[97]2306
2307 hbin->first_hbin_off = IVAL(hbin_header, 0x4);
2308 hbin->block_size = IVAL(hbin_header, 0x8);
2309 /* this should be the same thing as hbin->block_size but just in case */
2310 hbin->next_block = IVAL(hbin_header, 0x1C);
2311
2312
2313 /* Ensure the block size is a multiple of 0x1000 and doesn't run off
2314 * the end of the file.
2315 */
[116]2316 /* XXX: This may need to be relaxed for dealing with
2317 * partial or corrupt files.
2318 */
[97]2319 if((offset + hbin->block_size > file->file_length)
2320 || (hbin->block_size & 0xFFFFF000) != hbin->block_size)
[99]2321 {
[138]2322 regfi_add_message(file, REGFI_MSG_ERROR, "The hbin offset is not aligned"
[137]2323 " or runs off the end of the file"
2324 " while parsing hbin at offset 0x%.8X.", offset);
[148]2325 talloc_free(hbin);
[97]2326 return NULL;
[99]2327 }
[97]2328
2329 return hbin;
2330}
2331
2332
[126]2333/*******************************************************************
2334 *******************************************************************/
[168]2335REGFI_NK_REC* regfi_parse_nk(REGFI_FILE* file, uint32_t offset,
2336 uint32_t max_size, bool strict)
[99]2337{
[168]2338 uint8_t nk_header[REGFI_NK_MIN_LENGTH];
[135]2339 REGFI_NK_REC* ret_val;
[168]2340 uint32_t length,cell_length;
[101]2341 bool unalloc = false;
[99]2342
[101]2343 if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH,
2344 &cell_length, &unalloc))
[137]2345 {
[138]2346 regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]2347 " while parsing NK record at offset 0x%.8X.", offset);
2348 return NULL;
2349 }
2350
[99]2351 /* A bit of validation before bothering to allocate memory */
[101]2352 if((nk_header[0x0] != 'n') || (nk_header[0x1] != 'k'))
[135]2353 {
[138]2354 regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
2355 " NK record at offset 0x%.8X.", offset);
[99]2356 return NULL;
[135]2357 }
[99]2358
[150]2359 ret_val = talloc(NULL, REGFI_NK_REC);
[99]2360 if(ret_val == NULL)
[135]2361 {
[138]2362 regfi_add_message(file, REGFI_MSG_ERROR, "Failed to allocate memory while"
[137]2363 " parsing NK record at offset 0x%.8X.", offset);
[99]2364 return NULL;
[135]2365 }
[99]2366
[150]2367 ret_val->values = NULL;
2368 ret_val->subkeys = NULL;
[99]2369 ret_val->offset = offset;
[101]2370 ret_val->cell_size = cell_length;
2371
[99]2372 if(ret_val->cell_size > max_size)
2373 ret_val->cell_size = max_size & 0xFFFFFFF8;
2374 if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
[157]2375 || (strict && (ret_val->cell_size & 0x00000007) != 0))
[99]2376 {
[140]2377 regfi_add_message(file, REGFI_MSG_WARN, "A length check failed while"
[138]2378 " parsing NK record at offset 0x%.8X.", offset);
[150]2379 talloc_free(ret_val);
[99]2380 return NULL;
2381 }
2382
[101]2383 ret_val->magic[0] = nk_header[0x0];
2384 ret_val->magic[1] = nk_header[0x1];
[161]2385 ret_val->flags = SVAL(nk_header, 0x2);
[152]2386
[161]2387 if((ret_val->flags & ~REGFI_NK_KNOWN_FLAGS) != 0)
[99]2388 {
[152]2389 regfi_add_message(file, REGFI_MSG_WARN, "Unknown key flags (0x%.4X) while"
[138]2390 " parsing NK record at offset 0x%.8X.",
[161]2391 (ret_val->flags & ~REGFI_NK_KNOWN_FLAGS), offset);
[99]2392 }
[101]2393
2394 ret_val->mtime.low = IVAL(nk_header, 0x4);
2395 ret_val->mtime.high = IVAL(nk_header, 0x8);
[116]2396 /* If the key is unallocated and the MTIME is earlier than Jan 1, 1990
2397 * or later than Jan 1, 2290, we consider this a bad key. This helps
2398 * weed out some false positives during deleted data recovery.
2399 */
2400 if(unalloc
[179]2401 && (ret_val->mtime.high < REGFI_MTIME_MIN_HIGH
2402 || ret_val->mtime.high > REGFI_MTIME_MAX_HIGH))
2403 {
2404 talloc_free(ret_val);
[116]2405 return NULL;
[179]2406 }
[116]2407
[101]2408 ret_val->unknown1 = IVAL(nk_header, 0xC);
2409 ret_val->parent_off = IVAL(nk_header, 0x10);
2410 ret_val->num_subkeys = IVAL(nk_header, 0x14);
2411 ret_val->unknown2 = IVAL(nk_header, 0x18);
2412 ret_val->subkeys_off = IVAL(nk_header, 0x1C);
2413 ret_val->unknown3 = IVAL(nk_header, 0x20);
2414 ret_val->num_values = IVAL(nk_header, 0x24);
2415 ret_val->values_off = IVAL(nk_header, 0x28);
2416 ret_val->sk_off = IVAL(nk_header, 0x2C);
2417 ret_val->classname_off = IVAL(nk_header, 0x30);
[99]2418
[101]2419 ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
2420 ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
2421 ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
2422 ret_val->max_bytes_value = IVAL(nk_header, 0x40);
2423 ret_val->unk_index = IVAL(nk_header, 0x44);
[99]2424
[101]2425 ret_val->name_length = SVAL(nk_header, 0x48);
2426 ret_val->classname_length = SVAL(nk_header, 0x4A);
[161]2427 ret_val->keyname = NULL;
[99]2428
2429 if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
[101]2430 {
2431 if(strict)
2432 {
[138]2433 regfi_add_message(file, REGFI_MSG_ERROR, "Contents too large for cell"
[137]2434 " while parsing NK record at offset 0x%.8X.", offset);
[150]2435 talloc_free(ret_val);
[101]2436 return NULL;
2437 }
2438 else
2439 ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
2440 }
2441 else if (unalloc)
2442 { /* Truncate cell_size if it's much larger than the apparent total record length. */
2443 /* Round up to the next multiple of 8 */
2444 length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
2445 if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
2446 length+=8;
[99]2447
[101]2448 /* If cell_size is still greater, truncate. */
2449 if(length < ret_val->cell_size)
2450 ret_val->cell_size = length;
2451 }
2452
[168]2453 ret_val->keyname_raw = talloc_array(ret_val, uint8_t, ret_val->name_length);
[161]2454 if(ret_val->keyname_raw == NULL)
[99]2455 {
[150]2456 talloc_free(ret_val);
[99]2457 return NULL;
2458 }
2459
2460 /* Don't need to seek, should be at the right offset */
2461 length = ret_val->name_length;
[168]2462 if((regfi_read(file->fd, (uint8_t*)ret_val->keyname_raw, &length) != 0)
[99]2463 || length != ret_val->name_length)
2464 {
[138]2465 regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read key name"
[137]2466 " while parsing NK record at offset 0x%.8X.", offset);
[150]2467 talloc_free(ret_val);
[99]2468 return NULL;
2469 }
2470
[126]2471 return ret_val;
2472}
2473
2474
[168]2475uint8_t* regfi_parse_classname(REGFI_FILE* file, uint32_t offset,
2476 uint16_t* name_length, uint32_t max_size, bool strict)
[126]2477{
[168]2478 uint8_t* ret_val = NULL;
2479 uint32_t length;
2480 uint32_t cell_length;
[126]2481 bool unalloc = false;
2482
[135]2483 if(*name_length > 0 && offset != REGFI_OFFSET_NONE
[157]2484 && (offset & 0x00000007) == 0)
[131]2485 {
[126]2486 if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
[137]2487 {
[138]2488 regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]2489 " while parsing class name at offset 0x%.8X.", offset);
[126]2490 return NULL;
[137]2491 }
[126]2492
[157]2493 if((cell_length & 0x0000007) != 0)
[137]2494 {
[138]2495 regfi_add_message(file, REGFI_MSG_ERROR, "Cell length not a multiple of 8"
[137]2496 " while parsing class name at offset 0x%.8X.", offset);
[131]2497 return NULL;
[137]2498 }
2499
[131]2500 if(cell_length > max_size)
[125]2501 {
[138]2502 regfi_add_message(file, REGFI_MSG_WARN, "Cell stretches past hbin "
2503 "boundary while parsing class name at offset 0x%.8X.",
2504 offset);
[126]2505 if(strict)
2506 return NULL;
[131]2507 cell_length = max_size;
[126]2508 }
[131]2509
2510 if((cell_length - 4) < *name_length)
2511 {
[138]2512 regfi_add_message(file, REGFI_MSG_WARN, "Class name is larger than"
2513 " cell_length while parsing class name at offset"
2514 " 0x%.8X.", offset);
[131]2515 if(strict)
2516 return NULL;
2517 *name_length = cell_length - 4;
2518 }
[126]2519
[168]2520 ret_val = talloc_array(NULL, uint8_t, *name_length);
[126]2521 if(ret_val != NULL)
2522 {
2523 length = *name_length;
[160]2524 if((regfi_read(file->fd, ret_val, &length) != 0)
[126]2525 || length != *name_length)
[125]2526 {
[138]2527 regfi_add_message(file, REGFI_MSG_ERROR, "Could not read class name"
[137]2528 " while parsing class name at offset 0x%.8X.", offset);
[150]2529 talloc_free(ret_val);
[126]2530 return NULL;
[125]2531 }
2532 }
2533 }
2534
[99]2535 return ret_val;
2536}
2537
2538
[152]2539/******************************************************************************
2540*******************************************************************************/
[168]2541REGFI_VK_REC* regfi_parse_vk(REGFI_FILE* file, uint32_t offset,
2542 uint32_t max_size, bool strict)
[97]2543{
[135]2544 REGFI_VK_REC* ret_val;
[168]2545 uint8_t vk_header[REGFI_VK_MIN_LENGTH];
2546 uint32_t raw_data_size, length, cell_length;
[101]2547 bool unalloc = false;
[97]2548
[101]2549 if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH,
2550 &cell_length, &unalloc))
[137]2551 {
[138]2552 regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]2553 " while parsing VK record at offset 0x%.8X.", offset);
[101]2554 return NULL;
[137]2555 }
[111]2556
[150]2557 ret_val = talloc(NULL, REGFI_VK_REC);
[101]2558 if(ret_val == NULL)
2559 return NULL;
2560
2561 ret_val->offset = offset;
2562 ret_val->cell_size = cell_length;
[150]2563 ret_val->valuename = NULL;
[162]2564 ret_val->valuename_raw = NULL;
[150]2565
[101]2566 if(ret_val->cell_size > max_size)
2567 ret_val->cell_size = max_size & 0xFFFFFFF8;
2568 if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
[157]2569 || (ret_val->cell_size & 0x00000007) != 0)
[97]2570 {
[138]2571 regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size encountered"
[137]2572 " while parsing VK record at offset 0x%.8X.", offset);
[150]2573 talloc_free(ret_val);
[101]2574 return NULL;
2575 }
[97]2576
[101]2577 ret_val->magic[0] = vk_header[0x0];
2578 ret_val->magic[1] = vk_header[0x1];
2579 if((ret_val->magic[0] != 'v') || (ret_val->magic[1] != 'k'))
2580 {
[124]2581 /* XXX: This does not account for deleted keys under Win2K which
2582 * often have this (and the name length) overwritten with
2583 * 0xFFFF.
2584 */
[138]2585 regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch"
[137]2586 " while parsing VK record at offset 0x%.8X.", offset);
[150]2587 talloc_free(ret_val);
[101]2588 return NULL;
2589 }
2590
2591 ret_val->name_length = SVAL(vk_header, 0x2);
2592 raw_data_size = IVAL(vk_header, 0x4);
[135]2593 ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET;
[157]2594 /* The data is typically stored in the offset if the size <= 4,
2595 * in which case this flag is set.
2596 */
[135]2597 ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET);
[101]2598 ret_val->data_off = IVAL(vk_header, 0x8);
2599 ret_val->type = IVAL(vk_header, 0xC);
[162]2600 ret_val->flags = SVAL(vk_header, 0x10);
[101]2601 ret_val->unknown1 = SVAL(vk_header, 0x12);
2602
[162]2603 if(ret_val->name_length > 0)
[101]2604 {
[113]2605 if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size)
[101]2606 {
[138]2607 regfi_add_message(file, REGFI_MSG_WARN, "Name too long for remaining cell"
2608 " space while parsing VK record at offset 0x%.8X.",
2609 offset);
[101]2610 if(strict)
2611 {
[150]2612 talloc_free(ret_val);
[101]2613 return NULL;
2614 }
2615 else
[113]2616 ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4;
[101]2617 }
2618
2619 /* Round up to the next multiple of 8 */
[113]2620 cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8;
2621 if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4)
2622 cell_length+=8;
[101]2623
[168]2624 ret_val->valuename_raw = talloc_array(ret_val, uint8_t, ret_val->name_length);
[162]2625 if(ret_val->valuename_raw == NULL)
[101]2626 {
[150]2627 talloc_free(ret_val);
[101]2628 return NULL;
2629 }
[113]2630
[101]2631 length = ret_val->name_length;
[168]2632 if((regfi_read(file->fd, (uint8_t*)ret_val->valuename_raw, &length) != 0)
[101]2633 || length != ret_val->name_length)
2634 {
[138]2635 regfi_add_message(file, REGFI_MSG_ERROR, "Could not read value name"
[137]2636 " while parsing VK record at offset 0x%.8X.", offset);
[150]2637 talloc_free(ret_val);
[101]2638 return NULL;
2639 }
2640 }
2641 else
[113]2642 cell_length = REGFI_VK_MIN_LENGTH + 4;
[101]2643
2644 if(unalloc)
2645 {
2646 /* If cell_size is still greater, truncate. */
[113]2647 if(cell_length < ret_val->cell_size)
2648 ret_val->cell_size = cell_length;
[101]2649 }
2650
2651 return ret_val;
[97]2652}
[101]2653
2654
[152]2655/******************************************************************************
[157]2656 *
2657 ******************************************************************************/
[168]2658REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32_t voffset,
2659 uint32_t length, bool data_in_offset,
[157]2660 bool strict)
[101]2661{
[151]2662 REGFI_BUFFER ret_val;
[168]2663 uint32_t cell_length, offset;
2664 int32_t max_size;
[101]2665 bool unalloc;
[151]2666
[159]2667 /* Microsoft's documentation indicates that "available memory" is
[165]2668 * the limit on value sizes for the more recent registry format version.
2669 * This is not only annoying, but it's probably also incorrect, since clearly
2670 * value data sizes are limited to 2^31 (high bit used as a flag) and even
2671 * with big data records, the apparent max size is:
2672 * 16344 * 2^16 = 1071104040 (~1GB).
2673 *
2674 * We choose to limit it to 1M which was the limit in older versions and
2675 * should rarely be exceeded unless the file is corrupt or malicious.
2676 * For more info, see:
2677 * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
[159]2678 */
[160]2679 /* XXX: add way to skip this check at user discression. */
2680 if(length > REGFI_VK_MAX_DATA_LENGTH)
[159]2681 {
[160]2682 regfi_add_message(file, REGFI_MSG_WARN, "Value data size %d larger than "
2683 "%d, truncating...", length, REGFI_VK_MAX_DATA_LENGTH);
2684 length = REGFI_VK_MAX_DATA_LENGTH;
[159]2685 }
2686
[145]2687 if(data_in_offset)
[157]2688 return regfi_parse_little_data(file, voffset, length, strict);
2689 else
[101]2690 {
[157]2691 offset = voffset + REGFI_REGF_SIZE;
2692 max_size = regfi_calc_maxsize(file, offset);
2693 if(max_size < 0)
[137]2694 {
[157]2695 regfi_add_message(file, REGFI_MSG_WARN, "Could not find HBIN for data"
2696 " at offset 0x%.8X.", offset);
[151]2697 goto fail;
[137]2698 }
[157]2699
[101]2700 if(!regfi_parse_cell(file->fd, offset, NULL, 0,
2701 &cell_length, &unalloc))
[137]2702 {
[138]2703 regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[137]2704 " parsing data record at offset 0x%.8X.", offset);
[151]2705 goto fail;
[137]2706 }
[111]2707
[157]2708 if((cell_length & 0x00000007) != 0)
[137]2709 {
[138]2710 regfi_add_message(file, REGFI_MSG_WARN, "Cell length not multiple of 8"
[137]2711 " while parsing data record at offset 0x%.8X.",
2712 offset);
[151]2713 goto fail;
[137]2714 }
[101]2715
[131]2716 if(cell_length > max_size)
2717 {
[145]2718 regfi_add_message(file, REGFI_MSG_WARN, "Cell extends past HBIN boundary"
2719 " while parsing data record at offset 0x%.8X.",
[137]2720 offset);
[157]2721 goto fail;
[131]2722 }
2723
[101]2724 if(cell_length - 4 < length)
2725 {
[155]2726 /* XXX: All big data records thus far have been 16 bytes long.
2727 * Should we check for this precise size instead of just
2728 * relying upon the above check?
2729 */
[152]2730 if (file->major_version >= 1 && file->minor_version >= 5)
2731 {
2732 /* Attempt to parse a big data record */
[157]2733 return regfi_load_big_data(file, offset, length, cell_length,
2734 NULL, strict);
[152]2735 }
[101]2736 else
[152]2737 {
2738 regfi_add_message(file, REGFI_MSG_WARN, "Data length (0x%.8X) larger than"
2739 " remaining cell length (0x%.8X)"
2740 " while parsing data record at offset 0x%.8X.",
2741 length, cell_length - 4, offset);
2742 if(strict)
2743 goto fail;
2744 else
2745 length = cell_length - 4;
2746 }
[101]2747 }
2748
[157]2749 ret_val = regfi_parse_data(file, offset, length, strict);
[101]2750 }
2751
2752 return ret_val;
[151]2753
2754 fail:
2755 ret_val.buf = NULL;
2756 ret_val.len = 0;
2757 return ret_val;
[101]2758}
[110]2759
2760
[152]2761/******************************************************************************
[157]2762 * Parses the common case data records stored in a single cell.
2763 ******************************************************************************/
[168]2764REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32_t offset,
2765 uint32_t length, bool strict)
[157]2766{
2767 REGFI_BUFFER ret_val;
[168]2768 uint32_t read_length;
[157]2769
2770 ret_val.buf = NULL;
2771 ret_val.len = 0;
2772
2773 if(lseek(file->fd, offset+4, SEEK_SET) == -1)
2774 {
2775 regfi_add_message(file, REGFI_MSG_WARN, "Could not seek while "
2776 "reading data at offset 0x%.8X.", offset);
2777 return ret_val;
2778 }
2779
[168]2780 if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL)
[157]2781 return ret_val;
2782 ret_val.len = length;
2783
2784 read_length = length;
2785 if((regfi_read(file->fd, ret_val.buf, &read_length) != 0)
2786 || read_length != length)
2787 {
2788 regfi_add_message(file, REGFI_MSG_ERROR, "Could not read data block while"
2789 " parsing data record at offset 0x%.8X.", offset);
2790 talloc_free(ret_val.buf);
2791 ret_val.buf = NULL;
2792 ret_val.buf = 0;
2793 }
2794
2795 return ret_val;
2796}
2797
2798
2799
2800/******************************************************************************
2801 *
2802 ******************************************************************************/
[168]2803REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32_t voffset,
2804 uint32_t length, bool strict)
[157]2805{
[173]2806 uint8_t i;
[157]2807 REGFI_BUFFER ret_val;
2808
2809 ret_val.buf = NULL;
2810 ret_val.len = 0;
2811
2812 if(length > 4)
2813 {
2814 regfi_add_message(file, REGFI_MSG_ERROR, "Data in offset but length > 4"
2815 " while parsing data record. (voffset=0x%.8X, length=%d)",
2816 voffset, length);
2817 return ret_val;
2818 }
2819
[168]2820 if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL)
[157]2821 return ret_val;
2822 ret_val.len = length;
2823
2824 for(i = 0; i < length; i++)
[168]2825 ret_val.buf[i] = (uint8_t)((voffset >> i*8) & 0xFF);
[157]2826
2827 return ret_val;
2828}
2829
2830/******************************************************************************
[152]2831*******************************************************************************/
[168]2832REGFI_BUFFER regfi_parse_big_data_header(REGFI_FILE* file, uint32_t offset,
2833 uint32_t max_size, bool strict)
[152]2834{
2835 REGFI_BUFFER ret_val;
[168]2836 uint32_t cell_length;
[152]2837 bool unalloc;
[157]2838
2839 /* XXX: do something with unalloc? */
[168]2840 ret_val.buf = (uint8_t*)talloc_array(NULL, uint8_t, REGFI_BIG_DATA_MIN_LENGTH);
[157]2841 if(ret_val.buf == NULL)
[152]2842 goto fail;
2843
[157]2844 if(REGFI_BIG_DATA_MIN_LENGTH > max_size)
2845 {
2846 regfi_add_message(file, REGFI_MSG_WARN, "Big data header exceeded max_size "
2847 "while parsing big data header at offset 0x%.8X.",offset);
2848 goto fail;
2849 }
2850
2851 if(!regfi_parse_cell(file->fd, offset, ret_val.buf, REGFI_BIG_DATA_MIN_LENGTH,
[152]2852 &cell_length, &unalloc))
2853 {
2854 regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[157]2855 " parsing big data header at offset 0x%.8X.", offset);
[152]2856 goto fail;
2857 }
[157]2858
2859 if((ret_val.buf[0] != 'd') || (ret_val.buf[1] != 'b'))
[152]2860 {
2861 regfi_add_message(file, REGFI_MSG_WARN, "Unknown magic number"
2862 " (0x%.2X, 0x%.2X) encountered while parsing"
[157]2863 " big data header at offset 0x%.8X.",
2864 ret_val.buf[0], ret_val.buf[1], offset);
[152]2865 goto fail;
2866 }
2867
[157]2868 ret_val.len = REGFI_BIG_DATA_MIN_LENGTH;
2869 return ret_val;
2870
2871 fail:
2872 if(ret_val.buf != NULL)
2873 {
2874 talloc_free(ret_val.buf);
2875 ret_val.buf = NULL;
2876 }
2877 ret_val.len = 0;
2878 return ret_val;
2879}
2880
2881
2882
2883/******************************************************************************
2884 *
2885 ******************************************************************************/
[168]2886uint32_t* regfi_parse_big_data_indirect(REGFI_FILE* file, uint32_t offset,
2887 uint16_t num_chunks, bool strict)
[157]2888{
[168]2889 uint32_t* ret_val;
2890 uint32_t indirect_length;
2891 int32_t max_size;
2892 uint16_t i;
[157]2893 bool unalloc;
2894
2895 /* XXX: do something with unalloc? */
2896
2897 max_size = regfi_calc_maxsize(file, offset);
[168]2898 if((max_size < 0) || (num_chunks*sizeof(uint32_t) + 4 > max_size))
[157]2899 return NULL;
2900
[168]2901 ret_val = (uint32_t*)talloc_array(NULL, uint32_t, num_chunks);
[157]2902 if(ret_val == NULL)
[152]2903 goto fail;
2904
[168]2905 if(!regfi_parse_cell(file->fd, offset, (uint8_t*)ret_val,
2906 num_chunks*sizeof(uint32_t),
[152]2907 &indirect_length, &unalloc))
2908 {
2909 regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
2910 " parsing big data indirect record at offset 0x%.8X.",
2911 offset);
2912 goto fail;
2913 }
[157]2914
2915 /* Convert pointers to proper endianess, verify they are aligned. */
2916 for(i=0; i<num_chunks; i++)
[152]2917 {
[168]2918 ret_val[i] = IVAL(ret_val, i*sizeof(uint32_t));
[157]2919 if((ret_val[i] & 0x00000007) != 0)
2920 goto fail;
[152]2921 }
[157]2922
2923 return ret_val;
[152]2924
[157]2925 fail:
2926 if(ret_val != NULL)
2927 talloc_free(ret_val);
2928 return NULL;
2929}
2930
2931
2932/******************************************************************************
2933 * Arguments:
2934 * file --
2935 * offsets -- list of virtual offsets.
2936 * num_chunks --
2937 * strict --
2938 *
2939 * Returns:
2940 * A range_list with physical offsets and complete lengths
2941 * (including cell headers) of associated cells.
2942 * No data in range_list elements.
2943 ******************************************************************************/
[168]2944range_list* regfi_parse_big_data_cells(REGFI_FILE* file, uint32_t* offsets,
2945 uint16_t num_chunks, bool strict)
[157]2946{
[168]2947 uint32_t cell_length, chunk_offset;
[157]2948 range_list* ret_val;
[168]2949 uint16_t i;
[157]2950 bool unalloc;
2951
2952 /* XXX: do something with unalloc? */
2953 ret_val = range_list_new();
2954 if(ret_val == NULL)
2955 goto fail;
2956
[166]2957 for(i=0; i<num_chunks; i++)
[152]2958 {
[157]2959 chunk_offset = offsets[i]+REGFI_REGF_SIZE;
2960 if(!regfi_parse_cell(file->fd, chunk_offset, NULL, 0,
2961 &cell_length, &unalloc))
[152]2962 {
2963 regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
2964 " parsing big data chunk at offset 0x%.8X.",
2965 chunk_offset);
[157]2966 goto fail;
[152]2967 }
2968
[157]2969 if(!range_list_add(ret_val, chunk_offset, cell_length, NULL))
2970 goto fail;
2971 }
2972
2973 return ret_val;
2974
2975 fail:
2976 if(ret_val != NULL)
2977 range_list_free(ret_val);
2978 return NULL;
2979}
2980
2981
2982/******************************************************************************
2983*******************************************************************************/
2984REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file,
[168]2985 uint32_t offset, uint32_t data_length,
2986 uint32_t cell_length, range_list* used_ranges,
[157]2987 bool strict)
2988{
2989 REGFI_BUFFER ret_val;
[168]2990 uint16_t num_chunks, i;
2991 uint32_t read_length, data_left, tmp_len, indirect_offset;
2992 uint32_t* indirect_ptrs = NULL;
[157]2993 REGFI_BUFFER bd_header;
2994 range_list* bd_cells = NULL;
2995 const range_list_element* cell_info;
2996
2997 ret_val.buf = NULL;
2998
2999 /* XXX: Add better error/warning messages */
3000
3001 bd_header = regfi_parse_big_data_header(file, offset, cell_length, strict);
3002 if(bd_header.buf == NULL)
3003 goto fail;
3004
3005 /* Keep track of used space for use by reglookup-recover */
3006 if(used_ranges != NULL)
3007 if(!range_list_add(used_ranges, offset, cell_length, NULL))
3008 goto fail;
3009
3010 num_chunks = SVAL(bd_header.buf, 0x2);
3011 indirect_offset = IVAL(bd_header.buf, 0x4) + REGFI_REGF_SIZE;
3012 talloc_free(bd_header.buf);
3013
3014 indirect_ptrs = regfi_parse_big_data_indirect(file, indirect_offset,
3015 num_chunks, strict);
3016 if(indirect_ptrs == NULL)
3017 goto fail;
3018
3019 if(used_ranges != NULL)
3020 if(!range_list_add(used_ranges, indirect_offset, num_chunks*4+4, NULL))
3021 goto fail;
3022
3023 if((ret_val.buf = talloc_array(NULL, uint8_t, data_length)) == NULL)
3024 goto fail;
3025 data_left = data_length;
3026
3027 bd_cells = regfi_parse_big_data_cells(file, indirect_ptrs, num_chunks, strict);
3028 if(bd_cells == NULL)
3029 goto fail;
3030
3031 talloc_free(indirect_ptrs);
3032 indirect_ptrs = NULL;
3033
3034 for(i=0; (i<num_chunks) && (data_left>0); i++)
3035 {
3036 cell_info = range_list_get(bd_cells, i);
3037 if(cell_info == NULL)
3038 goto fail;
3039
3040 /* XXX: This should be "cell_info->length-4" to account for the 4 byte cell
[154]3041 * length. However, it has been observed that some (all?) chunks
3042 * have an additional 4 bytes of 0 at the end of their cells that
3043 * isn't part of the data, so we're trimming that off too.
[157]3044 * Perhaps it's just an 8 byte alignment requirement...
[154]3045 */
[157]3046 if(cell_info->length - 8 >= data_left)
3047 {
3048 if(i+1 != num_chunks)
3049 {
3050 regfi_add_message(file, REGFI_MSG_WARN, "Left over chunks detected "
3051 "while constructing big data at offset 0x%.8X "
3052 "(chunk offset 0x%.8X).", offset, cell_info->offset);
3053 }
[152]3054 read_length = data_left;
[157]3055 }
[152]3056 else
[157]3057 read_length = cell_info->length - 8;
[152]3058
[157]3059
3060 if(read_length > regfi_calc_maxsize(file, cell_info->offset))
3061 {
3062 regfi_add_message(file, REGFI_MSG_WARN, "A chunk exceeded the maxsize "
3063 "while constructing big data at offset 0x%.8X "
3064 "(chunk offset 0x%.8X).", offset, cell_info->offset);
3065 goto fail;
3066 }
3067
[168]3068 if(lseek(file->fd, cell_info->offset+sizeof(uint32_t), SEEK_SET) == -1)
[157]3069 {
3070 regfi_add_message(file, REGFI_MSG_WARN, "Could not seek to chunk while "
3071 "constructing big data at offset 0x%.8X "
3072 "(chunk offset 0x%.8X).", offset, cell_info->offset);
3073 goto fail;
3074 }
3075
3076 tmp_len = read_length;
[152]3077 if(regfi_read(file->fd, ret_val.buf+(data_length-data_left),
[157]3078 &read_length) != 0 || (read_length != tmp_len))
[152]3079 {
3080 regfi_add_message(file, REGFI_MSG_WARN, "Could not read data chunk while"
[157]3081 " constructing big data at offset 0x%.8X"
3082 " (chunk offset 0x%.8X).", offset, cell_info->offset);
3083 goto fail;
[152]3084 }
3085
[157]3086 if(used_ranges != NULL)
3087 if(!range_list_add(used_ranges, cell_info->offset,cell_info->length,NULL))
3088 goto fail;
3089
[152]3090 data_left -= read_length;
3091 }
[157]3092 range_list_free(bd_cells);
3093
[152]3094 ret_val.len = data_length-data_left;
3095 return ret_val;
3096
3097 fail:
[157]3098 if(ret_val.buf != NULL)
3099 talloc_free(ret_val.buf);
3100 if(indirect_ptrs != NULL)
3101 talloc_free(indirect_ptrs);
3102 if(bd_cells != NULL)
3103 range_list_free(bd_cells);
[152]3104 ret_val.buf = NULL;
3105 ret_val.len = 0;
3106 return ret_val;
3107}
3108
3109
[135]3110range_list* regfi_parse_unalloc_cells(REGFI_FILE* file)
[110]3111{
3112 range_list* ret_val;
[135]3113 REGFI_HBIN* hbin;
[110]3114 const range_list_element* hbins_elem;
[168]3115 uint32_t i, num_hbins, curr_off, cell_len;
[110]3116 bool is_unalloc;
3117
3118 ret_val = range_list_new();
3119 if(ret_val == NULL)
3120 return NULL;
3121
3122 num_hbins = range_list_size(file->hbins);
3123 for(i=0; i<num_hbins; i++)
3124 {
3125 hbins_elem = range_list_get(file->hbins, i);
3126 if(hbins_elem == NULL)
3127 break;
[135]3128 hbin = (REGFI_HBIN*)hbins_elem->data;
[110]3129
[135]3130 curr_off = REGFI_HBIN_HEADER_SIZE;
[110]3131 while(curr_off < hbin->block_size)
3132 {
3133 if(!regfi_parse_cell(file->fd, hbin->file_off+curr_off, NULL, 0,
3134 &cell_len, &is_unalloc))
3135 break;
3136
[157]3137 if((cell_len == 0) || ((cell_len & 0x00000007) != 0))
[140]3138 {
3139 regfi_add_message(file, REGFI_MSG_ERROR, "Bad cell length encountered"
3140 " while parsing unallocated cells at offset 0x%.8X.",
3141 hbin->file_off+curr_off);
[110]3142 break;
[140]3143 }
3144
[110]3145 /* for some reason the record_size of the last record in
3146 an hbin block can extend past the end of the block
3147 even though the record fits within the remaining
3148 space....aaarrrgggghhhhhh */
3149 if(curr_off + cell_len >= hbin->block_size)
3150 cell_len = hbin->block_size - curr_off;
3151
3152 if(is_unalloc)
3153 range_list_add(ret_val, hbin->file_off+curr_off,
3154 cell_len, NULL);
3155
3156 curr_off = curr_off+cell_len;
3157 }
3158 }
3159
3160 return ret_val;
3161}
[168]3162
3163
3164/* From lib/time.c */
3165
3166/****************************************************************************
3167 Put a 8 byte filetime from a time_t
3168 This takes real GMT as input and converts to kludge-GMT
3169****************************************************************************/
3170void regfi_unix2nt_time(REGFI_NTTIME *nt, time_t t)
3171{
3172 double d;
3173
3174 if (t==0)
3175 {
3176 nt->low = 0;
3177 nt->high = 0;
3178 return;
3179 }
3180
3181 if (t == TIME_T_MAX)
3182 {
3183 nt->low = 0xffffffff;
3184 nt->high = 0x7fffffff;
3185 return;
3186 }
3187
3188 if (t == -1)
3189 {
3190 nt->low = 0xffffffff;
3191 nt->high = 0xffffffff;
3192 return;
3193 }
3194
3195 /* this converts GMT to kludge-GMT */
3196 /* XXX: This was removed due to difficult dependency requirements.
3197 * So far, times appear to be correct without this adjustment, but
3198 * that may be proven wrong with adequate testing.
3199 */
3200 /* t -= TimeDiff(t) - get_serverzone(); */
3201
3202 d = (double)(t);
3203 d += TIME_FIXUP_CONSTANT;
3204 d *= 1.0e7;
3205
3206 nt->high = (uint32_t)(d * (1.0/(4.0*(double)(1<<30))));
3207 nt->low = (uint32_t)(d - ((double)nt->high)*4.0*(double)(1<<30));
3208}
3209
3210
3211/****************************************************************************
3212 Interpret an 8 byte "filetime" structure to a time_t
3213 It's originally in "100ns units since jan 1st 1601"
3214
3215 An 8 byte value of 0xffffffffffffffff will be returned as (time_t)0.
3216
3217 It appears to be kludge-GMT (at least for file listings). This means
3218 its the GMT you get by taking a localtime and adding the
3219 serverzone. This is NOT the same as GMT in some cases. This routine
3220 converts this to real GMT.
3221****************************************************************************/
3222time_t regfi_nt2unix_time(const REGFI_NTTIME* nt)
3223{
3224 double d;
3225 time_t ret;
3226 /* The next two lines are a fix needed for the
3227 broken SCO compiler. JRA. */
3228 time_t l_time_min = TIME_T_MIN;
3229 time_t l_time_max = TIME_T_MAX;
3230
3231 if (nt->high == 0 || (nt->high == 0xffffffff && nt->low == 0xffffffff))
3232 return(0);
3233
3234 d = ((double)nt->high)*4.0*(double)(1<<30);
3235 d += (nt->low&0xFFF00000);
3236 d *= 1.0e-7;
3237
3238 /* now adjust by 369 years to make the secs since 1970 */
3239 d -= TIME_FIXUP_CONSTANT;
3240
3241 if (d <= l_time_min)
3242 return (l_time_min);
3243
3244 if (d >= l_time_max)
3245 return (l_time_max);
3246
3247 ret = (time_t)(d+0.5);
3248
3249 /* this takes us from kludge-GMT to real GMT */
3250 /* XXX: This was removed due to difficult dependency requirements.
3251 * So far, times appear to be correct without this adjustment, but
3252 * that may be proven wrong with adequate testing.
3253 */
3254 /*
3255 ret -= get_serverzone();
3256 ret += LocTimeDiff(ret);
3257 */
3258
3259 return(ret);
3260}
3261
3262/* End of stuff from lib/time.c */
Note: See TracBrowser for help on using the repository browser.