
Last change on this file since 286 was 172, checked in by tim, 15 years ago

reorganized name interpretation code to correct issues in reglookup-recover

1/*
2 * A utility to read a Windows NT and later registry files.
3 *
4 * Copyright (C) 2005-2010 Timothy D. Morgan
5 * Copyright (C) 2010 Tobias Mueller (portions of '-i' code)
6 * Copyright (C) 2002 Richard Sharpe, rsharpe@richardsharpe.com
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; version 3 of the License.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 *
21 * $Id: reglookup.c 172 2010-03-08 03:04:34Z tim $
22 */
23
24
25#include <stdlib.h>
26#include <stdio.h>
27#include <string.h>
28#include <strings.h>
29#include <time.h>
30#include "regfi.h"
31#include "void_stack.h"
32
/* Globals, influenced by command line parameters */
bool print_value_mtime   = false;  /* -i: put the parent key's mtime on value rows */
bool print_verbose       = false;  /* -v: INFO messages on stderr */
bool print_security      = false;  /* -s / -S: security descriptor columns */
bool print_header        = true;   /* -h / -H: CSV header row */
bool path_filter_enabled = false;  /* set once -p has been seen */
bool type_filter_enabled = false;  /* set once -t has been seen */
char *path_filter        = NULL;   /* -p argument, strdup()'d in main() */
int   type_filter;                 /* -t argument after regfi_type_str2val() */
char *registry_file      = NULL;   /* last positional argument, strdup()'d in main() */

/* Other globals */
REGFI_FILE *f;                     /* the registry file opened by main() */
46
47
48/* XXX: A hack to share some functions with reglookup-recover.c.
49 * Should move these into a proper library at some point.
50 */
51#include "common.c"
52
53
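/* Prints one CSV row for the value `vk` of the iterator's current key.
 *
 * The row is PATH,TYPE,VALUE,MTIME; when print_security is set four
 * trailing empty columns are appended, since the security fields only
 * exist for keys.  PATH is `prefix`, a '/', and the quoted value name; the
 * "(default)" value has no name and is printed with a zero-length name.
 * TYPE is the symbolic type name, or the raw type as 0x%.8X when regfi does
 * not know it.  MTIME is the *parent key's* modification time and is only
 * filled in when print_value_mtime (-i) is set.
 *
 * Conversion problems are reported on stderr as warnings; the row is still
 * printed, with an empty VALUE column when the data could not be quoted.
 * Exits via bailOut() when memory for the name cannot be allocated.
 *
 * NOTE(review): with -s the header and KEY rows carry five security
 * columns (OWNER,GROUP,SACL,DACL,CLASS) but value rows only append four
 * empty columns; confirm whether CLASS is intentionally omitted here.
 */
void printValue(REGFI_ITERATOR* iter, const REGFI_VK_REC* vk, char* prefix)
{
  REGFI_DATA* data;
  char* quoted_value = NULL;
  char* quoted_name = NULL;
  char* conv_error = NULL;
  const char* str_type = NULL;
  const char* value_str;
  char mtime[20];
  time_t tmp_time;
  struct tm* tmp_time_s;

  quoted_name = get_quoted_valuename(vk);
  if(quoted_name == NULL)
  { /* Value names are NULL when we're looking at the "(default)" value.
     * Currently we just return a 0-length string to try and eliminate
     * ambiguity with a literal "(default)" value.  The data type of a line
     * in the output allows one to differentiate between the parent key and
     * this value.
     */
    quoted_name = malloc(1);
    if(quoted_name == NULL)
      bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n");
    quoted_name[0] = '\0';
  }

  data = regfi_iterator_fetch_data(iter, vk);

  printMsgs(iter->f);
  if(data != NULL)
  {
    quoted_value = data_to_ascii(data, &conv_error);
    if(quoted_value == NULL)
    {
      if(conv_error == NULL)
        fprintf(stderr, "WARN: Could not quote value for '%s/%s'. "
                "Memory allocation failure likely.\n", prefix, quoted_name);
      else
        fprintf(stderr, "WARN: Could not quote value for '%s/%s'. "
                "Returned error: %s\n", prefix, quoted_name, conv_error);
    }
    else if(conv_error != NULL)
      fprintf(stderr, "WARN: While quoting value for '%s/%s', "
              "warning returned: %s\n", prefix, quoted_name, conv_error);
    regfi_free_data(data);
  }
  /* Handing NULL to "%s" is undefined behaviour; print an empty VALUE
   * column when the data was missing or could not be quoted. */
  value_str = (quoted_value != NULL) ? quoted_value : "";

  mtime[0] = '\0';
  if(print_value_mtime)
  {
    tmp_time = regfi_nt2unix_time(&iter->cur_key->mtime);
    tmp_time_s = gmtime(&tmp_time);
    /* gmtime() returns NULL for years that do not fit struct tm and
     * strftime() returns 0 when the result would not fit mtime[]; a corrupt
     * timestamp in the hive can trigger either, so leave MTIME empty rather
     * than print indeterminate bytes. */
    if(tmp_time_s != NULL
       && strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s) == 0)
      mtime[0] = '\0';
  }

  str_type = regfi_type_val2str(vk->type);
  if(print_security)
  {
    if(str_type == NULL)
      printf("%s/%s,0x%.8X,%s,%s,,,,\n", prefix, quoted_name,
             vk->type, value_str, mtime);
    else
      printf("%s/%s,%s,%s,%s,,,,\n", prefix, quoted_name,
             str_type, value_str, mtime);
  }
  else
  {
    if(str_type == NULL)
      printf("%s/%s,0x%.8X,%s,%s\n", prefix, quoted_name,
             vk->type, value_str, mtime);
    else
      printf("%s/%s,%s,%s,%s\n", prefix, quoted_name,
             str_type, value_str, mtime);
  }

  /* free(NULL) is a no-op, so no guards are needed. */
  free(quoted_value);
  free(quoted_name);
  free(conv_error);
}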
136
137
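/* Splits a '/'-separated path into a NULL-terminated array of components.
 *
 * Empty components (leading, trailing or repeated '/') are dropped, so
 * "/a//b/" yields {"a", "b", NULL}.  A NULL input, or one with no
 * non-empty component, yields {NULL}.
 *
 * The array has room for REGFI_MAX_DEPTH+1 components plus the terminator
 * (the extra slot lets a value name ride along with a full-depth key
 * path).  Exits via bailOut() if the input has more components than that
 * or a component cannot be allocated.
 *
 * Returns NULL only if the array itself cannot be allocated.  The caller
 * owns the result and releases it with freePath().
 */
char** splitPath(const char* s)
{
  char** ret_val;
  const char* cur = s;
  const char* next;
  char* copy;
  uint32_t ret_cur = 0;
  const uint32_t max_elems = REGFI_MAX_DEPTH+1+1;

  ret_val = malloc(max_elems * sizeof *ret_val);
  if(ret_val == NULL)
    return NULL;
  ret_val[0] = NULL;

  /* We return a well-formed, 0-length, path even when input is icky. */
  if(s == NULL)
    return ret_val;

  while((next = strchr(cur, '/')) != NULL)
  {
    if(next > cur)
    {
      size_t len = (size_t)(next - cur);
      copy = malloc(len + 1);
      if(copy == NULL)
        bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");

      memcpy(copy, cur, len);
      copy[len] = '\0';
      ret_val[ret_cur++] = copy;
      /* The slot just filled may have been the last one; the terminator
       * must still fit, otherwise the path is too deep. */
      if(ret_cur < max_elems)
        ret_val[ret_cur] = NULL;
      else
        bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: Registry maximum depth exceeded.\n");
    }
    cur = next+1;
  }

  /* Grab last element, if path doesn't end in '/'. */
  if(*cur != '\0')
  {
    copy = strdup(cur);
    /* Unchecked, a NULL here would be stored where the terminator goes and
     * the last component would silently vanish from the filter. */
    if(copy == NULL)
      bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");
    ret_val[ret_cur++] = copy;
    if(ret_cur < max_elems)
      ret_val[ret_cur] = NULL;
    else
      bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: Registry maximum depth exceeded.\n");
  }

  return ret_val;
}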
187
188
/* Releases an array produced by splitPath(): each component string, then
 * the array itself.  A NULL argument is accepted and ignored. */
void freePath(char** path)
{
  char** elem;

  if(path == NULL)
    return;

  for(elem = path; *elem != NULL; elem++)
    free(*elem);

  free(path);
}
201
202
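/* Returns a quoted path from an iterator's stack.
 *
 * The result is "/" when the iterator sits on the root key.  Otherwise it
 * is '/' followed by the quoted names of every key on the iterator's
 * key stack below the root (the root's own name is skipped) and finally
 * the iterator's current key, each separated by '/'.
 *
 * Returns a heap-allocated string the caller must free(), or NULL when an
 * allocation fails or a key name could not be quoted.
 */
char* iter2Path(REGFI_ITERATOR* i)
{
  const REGFI_ITER_POSITION* cur;
  const REGFI_NK_REC* tmp_key;
  void_stack_iterator* iter;
  char* buf;
  char* name;
  size_t buf_len = 128;   /* allocated size, terminator included */
  size_t used = 0;        /* bytes written so far, terminator excluded */
  size_t name_len;

  buf = malloc(buf_len);
  if(buf == NULL)
    return NULL;
  buf[0] = '\0';

  iter = void_stack_iterator_new(i->key_positions);
  if(iter == NULL)
  {
    free(buf);
    return NULL;
  }

  /* No ancestors on the stack: the current key is the root. */
  if(void_stack_size(i->key_positions) < 1)
  {
    buf[0] = '/';
    buf[1] = '\0';
    free(iter);
    return buf;
  }

  /* skip root element */
  cur = void_stack_iterator_next(iter);

  do
  {
    cur = void_stack_iterator_next(iter);
    /* Once the stack is exhausted the final component is the current key. */
    tmp_key = (cur == NULL) ? i->cur_key : cur->nk;

    /* get_quoted_keyname() is not known to guarantee a non-NULL result;
     * treat NULL as failure rather than hand it to strlen(). */
    name = get_quoted_keyname(tmp_key);
    if(name == NULL)
    {
      free(buf);
      free(iter);
      return NULL;
    }
    name_len = strlen(name);

    /* Need room for '/', the name, and the terminator. */
    if(used + 1 + name_len + 1 > buf_len)
    {
      size_t new_len = buf_len + buf_len/2 + name_len + 2;
      char* new_buf = realloc(buf, new_len);
      if(new_buf == NULL)
      {
        free(name);
        free(buf);
        free(iter);
        return NULL;
      }
      buf = new_buf;
      buf_len = new_len;
    }

    buf[used++] = '/';
    memcpy(buf + used, name, name_len);
    used += name_len;
    buf[used] = '\0';
    free(name);
  } while(cur != NULL);

  /* The stack iterator is caller-owned and was leaked on the success path. */
  free(iter);
  return buf;
}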
273
274
/* Prints every value of the iterator's current key as one row each via
 * printValue(), skipping values whose type does not match the -t filter
 * when one is set.  Queued regfi messages are flushed after each step.
 * `prefix` is the quoted path of the key. */
void printValueList(REGFI_ITERATOR* iter, char* prefix)
{
  REGFI_VK_REC* value = regfi_iterator_first_value(iter);

  while(value != NULL)
  {
    bool filtered_out = type_filter_enabled && (value->type != type_filter);
    if(!filtered_out)
      printValue(iter, value, prefix);

    regfi_free_value(value);
    value = regfi_iterator_next_value(iter);
    printMsgs(iter->f);
  }
}
289
290
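/* Prints one CSV row for the iterator's current key.
 *
 * Without -s the row is PATH,KEY,,MTIME (the VALUE column is always empty
 * for keys).  With -s and an available security record it is
 * PATH,KEY,,MTIME,OWNER,GROUP,SACL,DACL,CLASS, where each field that
 * cannot be produced is left empty and the problem is reported on stderr.
 * MTIME is the key's own modification time, formatted in UTC.
 *
 * `full_path` is the quoted path of the key (see iter2Path()).  Exits via
 * bailOut() if the iterator has no current key.
 */
void printKey(REGFI_ITERATOR* iter, char* full_path)
{
  static char empty_str[1] = "";
  char* owner = NULL;
  char* group = NULL;
  char* sacl = NULL;
  char* dacl = NULL;
  char* quoted_classname;
  char mtime[20];
  time_t tmp_time;
  struct tm* tmp_time_s;
  const REGFI_SK_REC* sk;
  const REGFI_NK_REC* k = regfi_iterator_cur_key(iter);
  REGFI_CLASSNAME* classname;

  /* Not every caller re-checks the key after moving the iterator, so guard
   * here instead of dereferencing NULL below. */
  if(k == NULL)
  {
    printMsgs(iter->f);
    bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: unexpected NULL for key.\n");
  }

  /* gmtime() returns NULL for years that do not fit struct tm and
   * strftime() returns 0 when the result would not fit mtime[]; a corrupt
   * timestamp in the hive can trigger either, so fall back to an empty
   * MTIME rather than print indeterminate bytes. */
  mtime[0] = '\0';
  tmp_time = regfi_nt2unix_time(&k->mtime);
  tmp_time_s = gmtime(&tmp_time);
  if(tmp_time_s != NULL
     && strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s) == 0)
    mtime[0] = '\0';

  if(print_security && (sk = regfi_iterator_cur_sk(iter)) != NULL)
  {
    /* Missing fields are replaced by a shared empty string so printf()
     * never sees NULL; the sentinel is recognised by address when freeing. */
    owner = regfi_get_owner(sk->sec_desc);
    group = regfi_get_group(sk->sec_desc);
    sacl = regfi_get_sacl(sk->sec_desc);
    dacl = regfi_get_dacl(sk->sec_desc);
    if(owner == NULL)
      owner = empty_str;
    if(group == NULL)
      group = empty_str;
    if(sacl == NULL)
      sacl = empty_str;
    if(dacl == NULL)
      dacl = empty_str;

    classname = regfi_iterator_fetch_classname(iter, k);
    printMsgs(iter->f);
    if(classname != NULL)
    {
      if(classname->interpreted == NULL)
      {
        /* Charset conversion failed; fall back to quoting the raw bytes. */
        fprintf(stderr, "WARN: Could not convert class name"
                " charset for key '%s'. Quoting raw...\n", full_path);
        quoted_classname = quote_buffer(classname->raw, classname->size,
                                        key_special_chars);
      }
      else
        quoted_classname = quote_string(classname->interpreted,
                                        key_special_chars);

      if(quoted_classname == NULL)
      {
        fprintf(stderr, "ERROR: Could not quote classname"
                " for key '%s' due to unknown error.\n", full_path);
        quoted_classname = empty_str;
      }
    }
    else
      quoted_classname = empty_str;
    regfi_free_classname(classname);

    printMsgs(iter->f);
    printf("%s,KEY,,%s,%s,%s,%s,%s,%s\n", full_path, mtime,
           owner, group, sacl, dacl, quoted_classname);

    if(owner != empty_str)
      free(owner);
    if(group != empty_str)
      free(group);
    if(sacl != empty_str)
      free(sacl);
    if(dacl != empty_str)
      free(dacl);
    if(quoted_classname != empty_str)
      free(quoted_classname);
  }
  else
    printf("%s,KEY,,%s\n", full_path, mtime);
}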
369
370
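/* Prints the iterator's current key and everything beneath it, depth-first.
 *
 * The current key acts as the root of the traversal and the iterator is
 * back on it when the function returns.  For each key visited the key row
 * is printed unless a -t filter other than KEY is set, followed by its
 * value rows unless the -t filter is exactly KEY.  Any failure to move the
 * iterator, or a missing key after a move, is fatal via bailOut().
 */
void printKeyTree(REGFI_ITERATOR* iter)
{
  const REGFI_NK_REC* root = NULL;
  const REGFI_NK_REC* cur = NULL;
  REGFI_NK_REC* sub = NULL;
  char* path = NULL;
  int key_type = regfi_type_str2val("KEY");
  bool print_this = true;  /* false while climbing out of a finished subtree */

  root = cur = regfi_iterator_cur_key(iter);
  sub = regfi_iterator_first_subkey(iter);
  printMsgs(iter->f);

  if(root == NULL)
    bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: root cannot be NULL.\n");

  do
  {
    if(print_this)
    {
      path = iter2Path(iter);
      if(path == NULL)
        bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not construct iterator's path.\n");

      if(!type_filter_enabled || (key_type == type_filter))
        printKey(iter, path);
      if(!type_filter_enabled || (key_type != type_filter))
        printValueList(iter, path);

      free(path);
    }

    if(sub == NULL)
    {
      if(cur != root)
      {
        /* We're done with this sub-tree, going up and hitting other branches. */
        if(!regfi_iterator_up(iter))
        {
          printMsgs(iter->f);
          bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: could not traverse iterator upward.\n");
        }

        cur = regfi_iterator_cur_key(iter);
        if(cur == NULL)
        {
          printMsgs(iter->f);
          bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: unexpected NULL for key.\n");
        }

        /* The parent was printed on the way down; continue with its next child. */
        sub = regfi_iterator_next_subkey(iter);
      }
      print_this = false;
    }
    else
    { /* We have unexplored sub-keys.
       * Let's move down and print this first sub-tree out.
       */
      if(!regfi_iterator_down(iter))
      {
        printMsgs(iter->f);
        bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: could not traverse iterator downward.\n");
      }

      cur = regfi_iterator_cur_key(iter);
      /* Same guard as on the way up: printKey() dereferences the current key. */
      if(cur == NULL)
      {
        printMsgs(iter->f);
        bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: unexpected NULL for key.\n");
      }

      regfi_free_key(sub);
      sub = regfi_iterator_first_subkey(iter);
      print_this = true;
    }
    printMsgs(iter->f);
  } while(!((cur == root) && (sub == NULL)));

  if(print_verbose)
    fprintf(stderr, "INFO: Finished printing key tree.\n");
}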
446
447
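/* XXX: What if there is BOTH a value AND a key with that name??
 * What if there are multiple keys/values with the same name??
 */
/* Positions `iter` at the key or value named by `path`.
 *
 * `path` is a NULL-terminated component array from splitPath().  All but
 * the last component are walked as keys; the last one is first tried as a
 * value of that key (in which case it is printed here, subject to the -t
 * filter) and then as a subkey (in which case the iterator is moved down
 * onto it so the caller can print the subtree).  An empty path denotes the
 * root key and leaves the iterator where it is.
 *
 * Returns 0 if path was not found.
 * Returns 1 if path was found as value.
 * Returns 2 if path was found as key.
 * Returns less than 0 on other error (-1: NULL path, -2: out of memory).
 * Exits via bailOut() on inconsistent iterator state.
 */
int retrievePath(REGFI_ITERATOR* iter, char** path)
{
  REGFI_VK_REC* value;
  char* tmp_path_joined;
  const char** tmp_path;
  uint32_t i;

  if(path == NULL)
    return -1;

  /* One extra for any value at the end, and one more for NULL */
  tmp_path = malloc(sizeof *tmp_path * (REGFI_MAX_DEPTH+1+1));
  if(tmp_path == NULL)
    return -2;

  /* Strip any potential value name at end of path: copy every component
   * but the last; afterwards path[i] is that last component.  The entries
   * are borrowed pointers into `path`, not copies. */
  for(i=0;
      (path[i] != NULL) && (path[i+1] != NULL) && (i < REGFI_MAX_DEPTH+1);
      i++)
  { tmp_path[i] = path[i]; }
  tmp_path[i] = NULL;

  if(print_verbose)
    fprintf(stderr, "INFO: Attempting to retrieve specified path: %s\n",
            path_filter);

  /* Special check for '/' path filter */
  if(path[0] == NULL)
  {
    if(print_verbose)
      fprintf(stderr, "INFO: Found final path element as root key.\n");
    free(tmp_path);
    return 2;
  }

  if(!regfi_iterator_walk_path(iter, tmp_path))
  {
    printMsgs(iter->f);
    free(tmp_path);
    return 0;
  }

  /* Only the walk needed tmp_path; releasing it here covers the subkey and
   * not-found exits below, which used to leak it. */
  free(tmp_path);

  if(regfi_iterator_find_value(iter, path[i]))
  {
    if(print_verbose)
      fprintf(stderr, "INFO: Found final path element as value.\n");

    value = regfi_iterator_cur_value(iter);
    printMsgs(iter->f);
    tmp_path_joined = iter2Path(iter);

    if((value == NULL) || (tmp_path_joined == NULL))
      bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Unexpected error before printValue.\n");

    if(!type_filter_enabled || (value->type == type_filter))
      printValue(iter, value, tmp_path_joined);

    regfi_free_value(value);
    free(tmp_path_joined);
    return 1;
  }
  else if(regfi_iterator_find_subkey(iter, path[i]))
  {
    printMsgs(iter->f);
    if(print_verbose)
      fprintf(stderr, "INFO: Found final path element as key.\n");

    if(!regfi_iterator_down(iter))
    {
      printMsgs(iter->f);
      bailOut(REGLOOKUP_EXIT_DATAERR, "ERROR: Unexpected error on traversing path filter key.\n");
    }

    return 2;
  }
  printMsgs(iter->f);

  if(print_verbose)
    fprintf(stderr, "INFO: Could not find last element of path.\n");

  return 0;
}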
540
541
/* Prints the command line synopsis, version and option list to stderr.
 * The synopsis line does not mention -h/-H/-i; they appear in the option
 * list below it. */
static void usage(void)
{
  fputs("Usage: reglookup [-v] [-s]"
        " [-p <PATH_FILTER>] [-t <TYPE_FILTER>]"
        " <REGISTRY_FILE>\n", stderr);
  fprintf(stderr, "Version: %s\n", REGLOOKUP_VERSION);
  fputs("Options:\n"
        "\t-v\t sets verbose mode.\n"
        "\t-h\t enables header row. (default)\n"
        "\t-H\t disables header row.\n"
        "\t-s\t enables security descriptor output.\n"
        "\t-S\t disables security descriptor output. (default)\n"
        "\t-p\t restrict output to elements below this path.\n"
        "\t-t\t restrict results to this specific data type.\n"
        "\t-i\t includes parent key modification times with child values.\n"
        "\n", stderr);
}
559
560
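/* Entry point: parses options, opens the registry file and prints the
 * requested part of it as CSV on stdout.
 *
 * The last argument is always the registry file; everything before it is
 * an option (see usage()).  A repeated option's last occurrence wins.
 * With -p the filtered key or value is located via retrievePath() and, for
 * a key, its whole subtree is printed; without -p the whole file is
 * printed.
 *
 * Returns 0 on success.  Failures exit via bailOut() with a REGLOOKUP_EXIT_*
 * code, except a -p path that is not found, which only produces a warning.
 * path_filter and registry_file are global copies used by the retrieval
 * code and its messages.
 */
int main(int argc, char** argv)
{
  char** path = NULL;
  REGFI_ITERATOR* iter;
  int retr_path_ret;
  uint32_t argi, arge;

  /* Process command line arguments */
  if(argc < 2)
  {
    usage();
    bailOut(REGLOOKUP_EXIT_USAGE, "ERROR: Requires at least one argument.\n");
  }

  /* argv[arge] is the registry file; options occupy argv[1..arge-1]. */
  arge = argc-1;
  for(argi = 1; argi < arge; argi++)
  {
    if (strcmp("-p", argv[argi]) == 0)
    {
      /* The parameter must also lie before the registry file argument. */
      if(++argi >= arge)
      {
        usage();
        bailOut(REGLOOKUP_EXIT_USAGE, "ERROR: '-p' option requires parameter.\n");
      }
      if((path_filter = strdup(argv[argi])) == NULL)
        bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");

      path_filter_enabled = true;
    }
    else if (strcmp("-t", argv[argi]) == 0)
    {
      if(++argi >= arge)
      {
        usage();
        bailOut(REGLOOKUP_EXIT_USAGE, "ERROR: '-t' option requires parameter.\n");
      }
      /* regfi_type_str2val() reports an unknown type name as a negative value. */
      if((type_filter = regfi_type_str2val(argv[argi])) < 0)
      {
        fprintf(stderr, "ERROR: Invalid type specified: %s.\n", argv[argi]);
        bailOut(REGLOOKUP_EXIT_USAGE, "");
      }
      type_filter_enabled = true;
    }
    else if (strcmp("-h", argv[argi]) == 0)
      print_header = true;
    else if (strcmp("-H", argv[argi]) == 0)
      print_header = false;
    else if (strcmp("-s", argv[argi]) == 0)
      print_security = true;
    else if (strcmp("-S", argv[argi]) == 0)
      print_security = false;
    else if (strcmp("-v", argv[argi]) == 0)
      print_verbose = true;
    else if (strcmp("-i", argv[argi]) == 0)
      print_value_mtime = true;
    else
    {
      usage();
      fprintf(stderr, "ERROR: Unrecognized option: %s\n", argv[argi]);
      bailOut(REGLOOKUP_EXIT_USAGE, "");
    }
  }
  if((registry_file = strdup(argv[argi])) == NULL)
    bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");

  f = regfi_open(registry_file);
  if(f == NULL)
  {
    fprintf(stderr, "ERROR: Couldn't open registry file: %s\n", registry_file);
    bailOut(REGLOOKUP_EXIT_NOINPUT, "");
  }

  if(print_verbose)
    regfi_set_message_mask(f, REGFI_MSG_INFO|REGFI_MSG_WARN|REGFI_MSG_ERROR);

  /* XXX: add command line option to choose output encoding */
  iter = regfi_iterator_new(f, REGFI_ENCODING_ASCII);
  if(iter == NULL)
  {
    printMsgs(f);
    bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Couldn't create registry iterator.\n");
  }

  if(print_header)
  {
    if(print_security)
      printf("PATH,TYPE,VALUE,MTIME,OWNER,GROUP,SACL,DACL,CLASS\n");
    else
      printf("PATH,TYPE,VALUE,MTIME\n");
  }

  if(path_filter_enabled && path_filter != NULL)
  {
    path = splitPath(path_filter);
    /* Without this check an allocation failure would fall through to the
     * unfiltered branch below and print the whole file, silently ignoring -p. */
    if(path == NULL)
      bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");
  }

  if(path != NULL)
  {
    retr_path_ret = retrievePath(iter, path);
    printMsgs(iter->f);
    freePath(path);

    if(retr_path_ret == 0)
      fprintf(stderr, "WARN: Specified path '%s' not found.\n", path_filter);
    else if (retr_path_ret == 2)
      printKeyTree(iter);
    else if(retr_path_ret < 0)
    {
      fprintf(stderr, "ERROR: retrievePath() returned %d.\n",
              retr_path_ret);
      bailOut(REGLOOKUP_EXIT_DATAERR,
              "ERROR: Unknown error occurred in retrieving path.\n");
    }
    /* retr_path_ret == 1: the value was already printed by retrievePath(). */
  }
  else
    printKeyTree(iter);

  regfi_iterator_free(iter);
  regfi_close(f);

  return 0;
}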