source: releases/0.9.0/src/reglookup-recover.c@ 293

Last change on this file since 293 was 121, checked in by tim, 17 years ago

fixed minor path/type filter bug in reglookup
misc code cleanups
  • Property svn:keywords set to Id
File size: 22.6 KB
Line 
1/*
2 * This program attempts to recover deleted data structures in a registry hive.
3 *
4 * Copyright (C) 2008 Timothy D. Morgan
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; version 3 of the License.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
18 *
19 * $Id: reglookup-recover.c 121 2008-08-09 17:22:26Z tim $
20 */
21
22#include <stdio.h>
23#include <stdlib.h>
24#include <sysexits.h>
25
26#include "../include/regfi.h"
27#include "../include/range_list.h"
28#include "../include/lru_cache.h"
29
30
31/* Globals, influenced by command line parameters */
32bool print_verbose = false;
33bool print_security = false;
34bool print_header = true;
35bool print_leftover = false;
36bool print_parsedraw = false;
37char* registry_file = NULL;
38
39#include "common.c"
40
41
42char* getQuotedData(int fd, uint32 offset, uint32 length)
43{
44 uint8* buf;
45 char* quoted_buf;
46 uint32 len;
47
48 if((lseek(fd, offset, SEEK_SET)) == -1)
49 return NULL;
50
51 buf = (uint8*)malloc(length);
52 if(buf == NULL)
53 return NULL;
54
55 len = length;
56 if((regfi_read(fd, buf, &length) != 0) || length != len)
57 {
58 free(buf);
59 return NULL;
60 }
61
62 quoted_buf = quote_buffer(buf, length, common_special_chars);
63 free(buf);
64
65 return quoted_buf;
66}
67
68
69void printKey(REGF_FILE* f, REGF_NK_REC* nk, const char* prefix)
70{
71 char mtime[20];
72 time_t tmp_time[1];
73 struct tm* tmp_time_s = NULL;
74 char* quoted_name = NULL;
75 char* quoted_raw = "";
76
77 *tmp_time = nt_time_to_unix(&nk->mtime);
78 tmp_time_s = gmtime(tmp_time);
79 strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s);
80
81 quoted_name = quote_string(nk->keyname, key_special_chars);
82 if (quoted_name == NULL)
83 {
84 quoted_name = malloc(1*sizeof(char));
85 if(quoted_name == NULL)
86 bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
87 quoted_name[0] = '\0';
88
89 fprintf(stderr, "WARNING: NULL key name in NK record at offset %.8X.\n",
90 nk->offset);
91 }
92
93 if(print_parsedraw)
94 quoted_raw = getQuotedData(f->fd, nk->offset, nk->cell_size);
95
96 printf("%.8X,%.8X,KEY,%s,%s,%s,%d,,,,,,,,%s\n", nk->offset, nk->cell_size,
97 prefix, quoted_name, mtime, nk->num_values, quoted_raw);
98
99 if(print_parsedraw)
100 free(quoted_raw);
101}
102
103
104void printValue(REGF_FILE* f, const REGF_VK_REC* vk, const char* prefix)
105{
106 char* quoted_value = NULL;
107 char* quoted_name = NULL;
108 char* quoted_raw = "";
109 char* conv_error = NULL;
110 const char* str_type = NULL;
111 uint32 size = vk->data_size;
112
113 /* Microsoft's documentation indicates that "available memory" is
114 * the limit on value sizes. Annoying. We limit it to 1M which
115 * should rarely be exceeded, unless the file is corrupt or
116 * malicious. For more info, see:
117 * http://msdn2.microsoft.com/en-us/library/ms724872.aspx
118 */
119 /* XXX: Should probably do something different here for this tool.
120 * Also, It would be really nice if this message somehow included the
121 * name of the current value we're having trouble with, since
122 * stderr/stdout don't always sync nicely.
123 */
124 if(size > VK_MAX_DATA_LENGTH)
125 {
126 fprintf(stderr, "WARNING: value data size %d larger than "
127 "%d, truncating...\n", size, VK_MAX_DATA_LENGTH);
128 size = VK_MAX_DATA_LENGTH;
129 }
130
131 quoted_name = quote_string(vk->valuename, key_special_chars);
132 if (quoted_name == NULL)
133 { /* Value names are NULL when we're looking at the "(default)" value.
134 * Currently we just return a 0-length string to try an eliminate
135 * ambiguity with a literal "(default)" value. The data type of a line
136 * in the output allows one to differentiate between the parent key and
137 * this value.
138 */
139 quoted_name = malloc(1*sizeof(char));
140 if(quoted_name == NULL)
141 bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
142 quoted_name[0] = '\0';
143 }
144
145 quoted_value = data_to_ascii(vk->data, size, vk->type, &conv_error);
146 if(quoted_value == NULL)
147 {
148 quoted_value = malloc(1*sizeof(char));
149 if(quoted_value == NULL)
150 bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
151 quoted_value[0] = '\0';
152
153 if(conv_error == NULL)
154 fprintf(stderr, "WARNING: Could not quote value for '%s/%s'. "
155 "Memory allocation failure likely.\n", prefix, quoted_name);
156 else if(print_verbose)
157 fprintf(stderr, "WARNING: Could not quote value for '%s/%s'. "
158 "Returned error: %s\n", prefix, quoted_name, conv_error);
159 }
160 /* XXX: should these always be printed? */
161 else if(conv_error != NULL && print_verbose)
162 fprintf(stderr, "VERBOSE: While quoting value for '%s/%s', "
163 "warning returned: %s\n", prefix, quoted_name, conv_error);
164
165
166 if(print_parsedraw)
167 quoted_raw = getQuotedData(f->fd, vk->offset, vk->cell_size);
168
169 str_type = regfi_type_val2str(vk->type);
170 if(str_type == NULL)
171 printf("%.8X,%.8X,VALUE,%s,%s,,,0x%.8X,%s,%d,,,,,%s\n",
172 vk->offset, vk->cell_size, prefix, quoted_name,
173 vk->type, quoted_value, vk->data_size, quoted_raw);
174 else
175 printf("%.8X,%.8X,VALUE,%s,%s,,,%s,%s,%d,,,,,%s\n",
176 vk->offset, vk->cell_size, prefix, quoted_name,
177 str_type, quoted_value, vk->data_size, quoted_raw);
178
179 if(print_parsedraw)
180 free(quoted_raw);
181 if(quoted_value != NULL)
182 free(quoted_value);
183 if(quoted_name != NULL)
184 free(quoted_name);
185 if(conv_error != NULL)
186 free(conv_error);
187}
188
189
190void printSK(REGF_FILE* f, REGF_SK_REC* sk)
191{
192 char* quoted_raw = NULL;
193 char* empty_str = "";
194 char* owner = regfi_get_owner(sk->sec_desc);
195 char* group = regfi_get_group(sk->sec_desc);
196 char* sacl = regfi_get_sacl(sk->sec_desc);
197 char* dacl = regfi_get_dacl(sk->sec_desc);
198
199 if(print_parsedraw)
200 quoted_raw = getQuotedData(f->fd, sk->offset, sk->cell_size);
201
202 if(owner == NULL)
203 owner = empty_str;
204 if(group == NULL)
205 group = empty_str;
206 if(sacl == NULL)
207 sacl = empty_str;
208 if(dacl == NULL)
209 dacl = empty_str;
210
211 printf("%.8X,%.8X,SK,,,,,,,,%s,%s,%s,%s,%s\n", sk->offset, sk->cell_size,
212 owner, group, sacl, dacl, quoted_raw);
213
214 if(owner != empty_str)
215 free(owner);
216 if(group != empty_str)
217 free(group);
218 if(sacl != empty_str)
219 free(sacl);
220 if(dacl != empty_str)
221 free(dacl);
222
223 if(print_parsedraw)
224 free(quoted_raw);
225}
226
227
228int printCell(REGF_FILE* f, uint32 offset)
229{
230 char* quoted_buf;
231 uint32 cell_length;
232 bool unalloc;
233
234 if(!regfi_parse_cell(f->fd, offset, NULL, 0, &cell_length, &unalloc))
235 return 1;
236
237 quoted_buf = getQuotedData(f->fd, offset, cell_length);
238 if(quoted_buf == NULL)
239 return 2;
240
241 printf("%.8X,%.8X,RAW,,,,,,,,,,,,%s\n", offset, cell_length, quoted_buf);
242
243 free(quoted_buf);
244 return 0;
245}
246
247
248/* This function returns a properly quoted parent path or partial parent
249 * path for a given key. Returns NULL on error, "" if no path was available.
250 * Paths returned must be free()d.
251 */
252/* XXX: This is not terribly efficient, as it may reparse many keys
253 * repeatedly. Should try to add caching. Also, piecing the path
254 * together is slow and redundant.
255 */
256char* getParentPath(REGF_FILE* f, REGF_NK_REC* nk)
257{
258 void_stack* path_stack = void_stack_new(REGF_MAX_DEPTH);
259 REGF_HBIN* hbin;
260 REGF_NK_REC* cur_ancestor;
261 char* ret_val;
262 char* path_element;
263 char* tmp_str;
264 uint32 virt_offset, i, stack_size, ret_val_size, ret_val_left, element_size;
265 uint32 max_length;
266
267 /* The path_stack size limit should guarantee that we don't recurse forever. */
268 virt_offset = nk->parent_off;
269 while(virt_offset != REGF_OFFSET_NONE)
270 {
271 hbin = regfi_lookup_hbin(f, virt_offset);
272 if(hbin == NULL)
273 virt_offset = REGF_OFFSET_NONE;
274 else
275 {
276 max_length = hbin->block_size + hbin->file_off
277 - (virt_offset+REGF_BLOCKSIZE);
278 cur_ancestor = regfi_parse_nk(f, virt_offset+REGF_BLOCKSIZE,
279 max_length, true);
280 if(cur_ancestor == NULL)
281 virt_offset = REGF_OFFSET_NONE;
282 else
283 {
284 if(cur_ancestor->key_type == NK_TYPE_ROOTKEY)
285 virt_offset = REGF_OFFSET_NONE;
286 else
287 virt_offset = cur_ancestor->parent_off;
288
289 path_element = quote_string(cur_ancestor->keyname, key_special_chars);
290 if(path_element == NULL || !void_stack_push(path_stack, path_element))
291 {
292 free(cur_ancestor->keyname);
293 free(cur_ancestor);
294 void_stack_free_deep(path_stack);
295 return NULL;
296 }
297
298 regfi_key_free(cur_ancestor);
299 }
300 }
301 }
302
303 stack_size = void_stack_size(path_stack);
304 ret_val_size = 16*stack_size;
305 if(ret_val_size == 0)
306 ret_val_size = 1;
307 ret_val_left = ret_val_size;
308 ret_val = malloc(ret_val_size);
309 if(ret_val == NULL)
310 {
311 void_stack_free_deep(path_stack);
312 return NULL;
313 }
314 ret_val[0] = '\0';
315
316 for(i=0; i<stack_size; i++)
317 {
318 path_element = void_stack_pop(path_stack);
319 element_size = strlen(path_element);
320 if(ret_val_left < element_size+2)
321 {
322 ret_val_size += element_size+16;
323 ret_val_left += element_size+16;
324 tmp_str = (char*)realloc(ret_val, ret_val_size);
325 if(tmp_str == NULL)
326 {
327 free(ret_val);
328 void_stack_free_deep(path_stack);
329 return NULL;
330 }
331 ret_val = tmp_str;
332 }
333
334 ret_val_left -= snprintf(ret_val+ret_val_size-ret_val_left,ret_val_left, "/%s", path_element);
335 free(path_element);
336 }
337 void_stack_free(path_stack);
338
339 return ret_val;
340}
341
342
343static void usage(void)
344{
345 fprintf(stderr, "Usage: reglookup-recover [options] <REGISTRY_FILE>\n");
346 fprintf(stderr, "Version: %s\n", REGLOOKUP_VERSION);
347 fprintf(stderr, "Options:\n");
348 fprintf(stderr, "\t-v\t sets verbose mode.\n");
349 fprintf(stderr, "\t-h\t enables header row. (default)\n");
350 fprintf(stderr, "\t-H\t disables header row.\n");
351 fprintf(stderr, "\t-l\t enables leftover(raw) cell output.\n");
352 fprintf(stderr, "\t-L\t disables leftover(raw) cell output. (default)\n");
353 fprintf(stderr, "\t-r\t enables raw cell output for parsed cells.\n");
354 fprintf(stderr, "\t-R\t disables raw cell output for parsed cells. (default)\n");
355 fprintf(stderr, "\n");
356}
357
358
359bool removeRange(range_list* rl, uint32 offset, uint32 length)
360{
361 int32 rm_idx;
362 const range_list_element* cur_elem;
363
364 rm_idx = range_list_find(rl, offset);
365 if(rm_idx < 0)
366 {
367 fprintf(stderr, "DEBUG: removeRange: rm_idx < 0; (%d)\n", rm_idx);
368 return false;
369 }
370
371 cur_elem = range_list_get(rl, rm_idx);
372 if(cur_elem == NULL)
373 {
374 fprintf(stderr, "DEBUG: removeRange: cur_elem == NULL. rm_idx=%d\n", rm_idx);
375 return false;
376 }
377
378 if(offset > cur_elem->offset)
379 {
380 if(!range_list_split_element(rl, rm_idx, offset))
381 {
382 fprintf(stderr, "DEBUG: removeRange: first split failed\n");
383 return false;
384 }
385 rm_idx++;
386 cur_elem = range_list_get(rl, rm_idx);
387 if(cur_elem == NULL)
388 {
389 fprintf(stderr,
390 "DEBUG: removeRange: cur_elem == NULL after first split. rm_idx=%d\n",
391 rm_idx);
392 return false;
393 }
394 }
395
396 if(offset+length < cur_elem->offset+cur_elem->length)
397 {
398 if(!range_list_split_element(rl, rm_idx, offset+length))
399 {
400 fprintf(stderr, "DEBUG: removeRange: second split failed\n");
401 return false;
402 }
403 }
404
405 if(!range_list_remove(rl, rm_idx))
406 {
407 fprintf(stderr, "DEBUG: removeRange: remove failed\n");
408 return false;
409 }
410
411 return true;
412}
413
414
415/* NOTE: unalloc_keys should be an empty range_list. */
416int extractKeys(REGF_FILE* f,
417 range_list* unalloc_cells,
418 range_list* unalloc_keys)
419{
420 const range_list_element* cur_elem;
421 REGF_NK_REC* key;
422 uint32 i, j;
423
424 for(i=0; i < range_list_size(unalloc_cells); i++)
425 {
426 cur_elem = range_list_get(unalloc_cells, i);
427 for(j=0; cur_elem->length > REGFI_NK_MIN_LENGTH
428 && j <= cur_elem->length-REGFI_NK_MIN_LENGTH; j+=8)
429 {
430 key = regfi_parse_nk(f, cur_elem->offset+j,
431 cur_elem->length-j, false);
432 if(key != NULL)
433 {
434 if(!range_list_add(unalloc_keys, key->offset,
435 key->cell_size, key))
436 {
437 fprintf(stderr, "ERROR: Couldn't add key to unalloc_keys.\n");
438 return 20;
439 }
440 j+=key->cell_size-8;
441 }
442 }
443 }
444
445 for(i=0; i<range_list_size(unalloc_keys); i++)
446 {
447 cur_elem = range_list_get(unalloc_keys, i);
448 if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
449 return 30;
450 }
451
452 return 0;
453}
454
455
456int extractValueLists(REGF_FILE* f,
457 range_list* unalloc_cells,
458 range_list* unalloc_keys)
459{
460 REGF_NK_REC* nk;
461 REGF_HBIN* hbin;
462 const range_list_element* cur_elem;
463 uint32 i, j, num_keys, off, values_length, max_length;
464
465 num_keys=range_list_size(unalloc_keys);
466 for(i=0; i<num_keys; i++)
467 {
468 cur_elem = range_list_get(unalloc_keys, i);
469 if(cur_elem == NULL)
470 return 10;
471 nk = cur_elem->data;
472
473 if(nk->num_values && (nk->values_off!=REGF_OFFSET_NONE))
474 {
475 hbin = regfi_lookup_hbin(f, nk->values_off);
476
477 if(hbin != NULL)
478 {
479 off = nk->values_off + REGF_BLOCKSIZE;
480 max_length = hbin->block_size + hbin->file_off - off;
481 /* XXX: This is a hack. We parse all value-lists, VK records,
482 * and data records without regard for current allocation status.
483 * On the off chance that such a record correctly parsed but is
484 * actually a reallocated structure used by something else, we
485 * simply prune it after the fact. Would be faster to check this
486 * up front somehow.
487 */
488 nk->values = regfi_load_valuelist(f, off, nk->num_values, max_length,
489 false);
490 values_length = (nk->num_values+1)*sizeof(uint32);
491 if(values_length != (values_length & 0xFFFFFFF8))
492 values_length = (values_length & 0xFFFFFFF8) + 8;
493
494 if(nk->values != NULL)
495 {
496 if(!range_list_has_range(unalloc_cells, off, values_length))
497 { /* We've parsed a values-list which isn't in the unallocated list,
498 * so prune it.
499 */
500 for(j=0; j<nk->num_values; j++)
501 {
502 if(nk->values[j] != NULL)
503 {
504 if(nk->values[j]->data != NULL)
505 free(nk->values[j]->data);
506 free(nk->values[j]);
507 }
508 }
509 free(nk->values);
510 nk->values = NULL;
511 }
512 else
513 { /* Values-list was recovered. Remove from unalloc_cells and
514 * inspect values.
515 */
516 if(!removeRange(unalloc_cells, off, values_length))
517 return 20;
518
519 for(j=0; j < nk->num_values; j++)
520 {
521 if(nk->values[j] != NULL)
522 {
523 if(!range_list_has_range(unalloc_cells, nk->values[j]->offset,
524 nk->values[j]->cell_size))
525 { /* We've parsed a value which isn't in the unallocated list,
526 * so prune it.
527 */
528 if(nk->values[j]->data != NULL)
529 free(nk->values[j]->data);
530 free(nk->values[j]);
531 nk->values[j] = NULL;
532 }
533 else
534 {
535 /* A VK record was recovered. Remove from unalloc_cells
536 * and inspect data.
537 */
538 if(!removeRange(unalloc_cells, nk->values[j]->offset,
539 nk->values[j]->cell_size))
540 return 21;
541
542 /* Don't bother pruning or removing from unalloc_cells if
543 * there is no data, or it is stored in the offset.
544 */
545 if(nk->values[j]->data != NULL && !nk->values[j]->data_in_offset)
546 {
547 off = nk->values[j]->data_off+REGF_BLOCKSIZE;
548 if(!range_list_has_range(unalloc_cells, off,
549 nk->values[j]->data_size))
550 { /* We've parsed a data cell which isn't in the unallocated
551 * list, so prune it.
552 */
553 free(nk->values[j]->data);
554 nk->values[j]->data = NULL;
555 }
556 else
557 { /*A data record was recovered. Remove from unalloc_cells.*/
558 if(!removeRange(unalloc_cells, off,
559 nk->values[j]->data_size))
560 return 22;
561 }
562 }
563 }
564 }
565 }
566 }
567 }
568 }
569 }
570 }
571
572 return 0;
573}
574
575
576/* NOTE: unalloc_values should be an empty range_list. */
577int extractValues(REGF_FILE* f,
578 range_list* unalloc_cells,
579 range_list* unalloc_values)
580{
581 const range_list_element* cur_elem;
582 REGF_VK_REC* vk;
583 uint32 i, j, off;
584
585 for(i=0; i < range_list_size(unalloc_cells); i++)
586 {
587 cur_elem = range_list_get(unalloc_cells, i);
588 for(j=0; j <= cur_elem->length; j+=8)
589 {
590 vk = regfi_parse_vk(f, cur_elem->offset+j,
591 cur_elem->length-j, false);
592 if(vk != NULL)
593 {
594 if(!range_list_add(unalloc_values, vk->offset,
595 vk->cell_size, vk))
596 {
597 fprintf(stderr, "ERROR: Couldn't add value to unalloc_values.\n");
598 return 20;
599 }
600 j+=vk->cell_size-8;
601 }
602 }
603 }
604
605 /* Remove value ranges from the unalloc_cells before we continue. */
606 for(i=0; i<range_list_size(unalloc_values); i++)
607 {
608 cur_elem = range_list_get(unalloc_values, i);
609 if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
610 return 30;
611 }
612
613 /* Now see if the data associated with each value is intact */
614 for(i=0; i<range_list_size(unalloc_values); i++)
615 {
616 cur_elem = range_list_get(unalloc_values, i);
617 vk = (REGF_VK_REC*)cur_elem->data;
618 if(vk == NULL)
619 return 40;
620
621 if(vk->data != NULL && !vk->data_in_offset)
622 {
623 off = vk->data_off+REGF_BLOCKSIZE;
624 if(!range_list_has_range(unalloc_cells, off, vk->data_size))
625 { /* We've parsed a data cell which isn't in the unallocated
626 * list, so prune it.
627 */
628 free(vk->data);
629 vk->data = NULL;
630 }
631 else
632 { /*A data record was recovered. Remove from unalloc_cells.*/
633 if(!removeRange(unalloc_cells, off, vk->data_size))
634 return 50;
635 }
636 }
637 }
638
639 return 0;
640}
641
642
643/* NOTE: unalloc_sks should be an empty range_list. */
644int extractSKs(REGF_FILE* f,
645 range_list* unalloc_cells,
646 range_list* unalloc_sks)
647{
648 const range_list_element* cur_elem;
649 REGF_SK_REC* sk;
650 uint32 i, j;
651
652 for(i=0; i < range_list_size(unalloc_cells); i++)
653 {
654 cur_elem = range_list_get(unalloc_cells, i);
655 for(j=0; j <= cur_elem->length; j+=8)
656 {
657 sk = regfi_parse_sk(f, cur_elem->offset+j,
658 cur_elem->length-j, false);
659 if(sk != NULL)
660 {
661 if(!range_list_add(unalloc_sks, sk->offset,
662 sk->cell_size, sk))
663 {
664 fprintf(stderr, "ERROR: Couldn't add sk to unalloc_sks.\n");
665 return 20;
666 }
667 j+=sk->cell_size-8;
668 }
669 }
670 }
671
672 for(i=0; i<range_list_size(unalloc_sks); i++)
673 {
674 cur_elem = range_list_get(unalloc_sks, i);
675 if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
676 return 30;
677 }
678
679 return 0;
680}
681
682
683int main(int argc, char** argv)
684{
685 REGF_FILE* f;
686 const range_list_element* cur_elem;
687 range_list* unalloc_cells;
688 range_list* unalloc_keys;
689 range_list* unalloc_values;
690 range_list* unalloc_sks;
691 char** parent_paths;
692 char* tmp_name;
693 char* tmp_path;
694 REGF_NK_REC* tmp_key;
695 REGF_VK_REC* tmp_value;
696 uint32 argi, arge, i, j, ret, num_unalloc_keys;
697 /* uint32 test_offset;*/
698
699 /* Process command line arguments */
700 if(argc < 2)
701 {
702 usage();
703 bailOut(EX_USAGE, "ERROR: Requires at least one argument.\n");
704 }
705
706 arge = argc-1;
707 for(argi = 1; argi < arge; argi++)
708 {
709 if (strcmp("-v", argv[argi]) == 0)
710 print_verbose = true;
711 else if (strcmp("-h", argv[argi]) == 0)
712 print_header = true;
713 else if (strcmp("-H", argv[argi]) == 0)
714 print_header = false;
715 else if (strcmp("-l", argv[argi]) == 0)
716 print_leftover = true;
717 else if (strcmp("-L", argv[argi]) == 0)
718 print_leftover = false;
719 else if (strcmp("-r", argv[argi]) == 0)
720 print_parsedraw = true;
721 else if (strcmp("-R", argv[argi]) == 0)
722 print_parsedraw = false;
723 else
724 {
725 usage();
726 fprintf(stderr, "ERROR: Unrecognized option: %s\n", argv[argi]);
727 bailOut(EX_USAGE, "");
728 }
729 }
730 /*test_offset = strtol(argv[argi++], NULL, 16);*/
731
732 if((registry_file = strdup(argv[argi])) == NULL)
733 bailOut(EX_OSERR, "ERROR: Memory allocation problem.\n");
734
735 f = regfi_open(registry_file);
736 if(f == NULL)
737 {
738 fprintf(stderr, "ERROR: Couldn't open registry file: %s\n", registry_file);
739 bailOut(EX_NOINPUT, "");
740 }
741
742 if(print_header)
743 printf("OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME,"
744 "NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN,"
745 "SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL\n");
746
747 unalloc_cells = regfi_parse_unalloc_cells(f);
748 if(unalloc_cells == NULL)
749 {
750 fprintf(stderr, "ERROR: Could not obtain list of unallocated cells.\n");
751 return 1;
752 }
753
754 unalloc_keys = range_list_new();
755 if(unalloc_keys == NULL)
756 return 10;
757
758 unalloc_values = range_list_new();
759 if(unalloc_values == NULL)
760 return 10;
761
762 unalloc_sks = range_list_new();
763 if(unalloc_sks == NULL)
764 return 10;
765
766 ret = extractKeys(f, unalloc_cells, unalloc_keys);
767 if(ret != 0)
768 {
769 fprintf(stderr, "ERROR: extractKeys() failed with %d.\n", ret);
770 return ret;
771 }
772
773 ret = extractValueLists(f, unalloc_cells, unalloc_keys);
774 if(ret != 0)
775 {
776 fprintf(stderr, "ERROR: extractValueLists() failed with %d.\n", ret);
777 return ret;
778 }
779
780 /* Carve any orphan values and associated data */
781 ret = extractValues(f, unalloc_cells, unalloc_values);
782 if(ret != 0)
783 {
784 fprintf(stderr, "ERROR: extractValues() failed with %d.\n", ret);
785 return ret;
786 }
787
788 /* Carve any SK records */
789 ret = extractSKs(f, unalloc_cells, unalloc_sks);
790 if(ret != 0)
791 {
792 fprintf(stderr, "ERROR: extractSKs() failed with %d.\n", ret);
793 return ret;
794 }
795
796 /* Now that we're done carving, associate recovered keys with parents,
797 * if at all possible.
798 */
799 num_unalloc_keys = range_list_size(unalloc_keys);
800 parent_paths = (char**)malloc(sizeof(char*)*num_unalloc_keys);
801 if(parent_paths == NULL)
802 return 10;
803
804 for(i=0; i < num_unalloc_keys; i++)
805 {
806 cur_elem = range_list_get(unalloc_keys, i);
807 tmp_key = (REGF_NK_REC*)cur_elem->data;
808
809 if(tmp_key == NULL)
810 return 20;
811
812 parent_paths[i] = getParentPath(f, tmp_key);
813 if(parent_paths[i] == NULL)
814 return 20;
815 }
816
817 /* Now start the output */
818
819 for(i=0; i < num_unalloc_keys; i++)
820 {
821 cur_elem = range_list_get(unalloc_keys, i);
822 tmp_key = (REGF_NK_REC*)cur_elem->data;
823
824 printKey(f, tmp_key, parent_paths[i]);
825 if(tmp_key->num_values > 0 && tmp_key->values != NULL)
826 {
827 tmp_name = quote_string(tmp_key->keyname, key_special_chars);
828 tmp_path = (char*)malloc(strlen(parent_paths[i])+strlen(tmp_name)+2);
829 if(tmp_path == NULL)
830 return 10;
831 sprintf(tmp_path, "%s/%s", parent_paths[i], tmp_name);
832 for(j=0; j < tmp_key->num_values; j++)
833 {
834 tmp_value = tmp_key->values[j];
835 if(tmp_value != NULL)
836 printValue(f, tmp_value, tmp_path);
837 }
838 free(tmp_path);
839 free(tmp_name);
840 free(parent_paths[i]);
841 }
842 }
843 free(parent_paths);
844
845 /* Print out orphaned values */
846 for(i=0; i < range_list_size(unalloc_values); i++)
847 {
848 cur_elem = range_list_get(unalloc_values, i);
849 tmp_value = (REGF_VK_REC*)cur_elem->data;
850
851 printValue(f, tmp_value, "");
852 }
853
854 if(print_leftover)
855 {
856 for(i=0; i < range_list_size(unalloc_cells); i++)
857 {
858 cur_elem = range_list_get(unalloc_cells, i);
859 printCell(f, cur_elem->offset);
860 }
861 }
862
863 return 0;
864}
Note: See TracBrowser for help on using the repository browser.