source: releases/release-0.1/src/reglookup.c@ 293

Last change on this file since 293 was 17, checked in by tim, 20 years ago

moved project under trunk. (I am a subversion newbie.)
  • Property svn:keywords set to Id
File size: 51.3 KB
Line 
1/*
2 * $Id: reglookup.c 17 2005-06-04 22:08:03Z tim $
3 *
4 * A utility to read a Windows NT/2K etc registry file.
5 *
6 * This code was taken from Richard Sharpe''s editreg utility, in the
7 * Samba CVS tree. It has since been simplified and turned into a
8 * strictly read-only utility.
9 *
10 * Copyright (C) 2005 Timothy D. Morgan
11 * Copyright (C) 2002 Richard Sharpe, rsharpe@richardsharpe.com
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation; version 2 of the License.
16 *
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 */
26
27/*************************************************************************
28
29 A note from Richard Sharpe:
30 Many of the ideas in here come from other people and software.
31 I first looked in Wine in misc/registry.c and was also influenced by
32 http://www.wednesday.demon.co.uk/dosreg.html
33
34 Which seems to contain comments from someone else. I reproduce them here
35 incase the site above disappears. It actually comes from
36 http://home.eunet.no/~pnordahl/ntpasswd/WinReg.txt.
37
38 NOTE: the comments he refers to have been moved to doc/winntreg.txt
39
40**************************************************************************/
41
42
43#include <stdio.h>
44#include <stdlib.h>
45#include <stdbool.h>
46#include <errno.h>
47#include <assert.h>
48#include <sys/types.h>
49#include <sys/stat.h>
50#include <unistd.h>
51#include <sys/mman.h>
52#include <strings.h>
53#include <string.h>
54#include <fcntl.h>
55
56#define False 0
57#define True 1
58#define REG_KEY_LIST_SIZE 10
59
60/*
61 * Structures for dealing with the on-disk format of the registry
62 */
63
64#define IVAL(buf) ((unsigned int) \
65 (unsigned int)*((unsigned char *)(buf)+3)<<24| \
66 (unsigned int)*((unsigned char *)(buf)+2)<<16| \
67 (unsigned int)*((unsigned char *)(buf)+1)<<8| \
68 (unsigned int)*((unsigned char *)(buf)+0))
69
70#define SVAL(buf) ((unsigned short) \
71 (unsigned short)*((unsigned char *)(buf)+1)<<8| \
72 (unsigned short)*((unsigned char *)(buf)+0))
73
74#define CVAL(buf) ((unsigned char)*((unsigned char *)(buf)))
75
76#define SIVAL(buf, val) \
77 ((((unsigned char *)(buf))[0])=(unsigned char)((val)&0xFF),\
78 (((unsigned char *)(buf))[1])=(unsigned char)(((val)>>8)&0xFF),\
79 (((unsigned char *)(buf))[2])=(unsigned char)(((val)>>16)&0xFF),\
80 (((unsigned char *)(buf))[3])=(unsigned char)((val)>>24))
81
82#define SSVAL(buf, val) \
83 ((((unsigned char *)(buf))[0])=(unsigned char)((val)&0xFF),\
84 (((unsigned char *)(buf))[1])=(unsigned char)((val)>>8))
85
86static int verbose = 0;
87static int print_security = 0;
88static int full_print = 0;
89static const char *def_owner_sid_str = NULL;
90
91/*
92 * These definitions are for the in-memory registry structure.
93 * It is a tree structure that mimics what you see with tools like regedit
94 */
95
96/*
97 * DateTime struct for Windows
98 */
99
100typedef struct date_time_s {
101 unsigned int low, high;
102} NTTIME;
103
104/*
105 * Definition of a Key. It has a name, classname, date/time last modified,
106 * sub-keys, values, and a security descriptor
107 */
108
109#define REG_ROOT_KEY 1
110#define REG_SUB_KEY 2
111#define REG_SYM_LINK 3
112
113typedef struct key_sec_desc_s KEY_SEC_DESC;
114
115typedef struct reg_key_s {
116 char *name; /* Name of the key */
117 char *class_name;
118 int type; /* One of REG_ROOT_KEY or REG_SUB_KEY */
119 NTTIME last_mod; /* Time last modified */
120 struct reg_key_s *owner;
121 struct key_list_s *sub_keys;
122 struct val_list_s *values;
123 KEY_SEC_DESC *security;
124 unsigned int offset; /* Offset of the record in the file */
125} REG_KEY;
126
127/*
128 * The KEY_LIST struct lists sub-keys.
129 */
130
131typedef struct key_list_s {
132 int key_count;
133 int max_keys;
134 REG_KEY *keys[1];
135} KEY_LIST;
136
137typedef struct val_key_s {
138 char *name;
139 int has_name;
140 int data_type;
141 int data_len;
142 void *data_blk; /* Might want a separate block */
143} VAL_KEY;
144
145typedef struct val_list_s {
146 int val_count;
147 int max_vals;
148 VAL_KEY *vals[1];
149} VAL_LIST;
150
151#ifndef MAXSUBAUTHS
152#define MAXSUBAUTHS 15
153#endif
154
155typedef struct sid_s {
156 unsigned char ver, auths;
157 unsigned char auth[6];
158 unsigned int sub_auths[MAXSUBAUTHS];
159} sid_t;
160
161typedef struct ace_struct_s {
162 unsigned char type, flags;
163 unsigned int perms; /* Perhaps a better def is in order */
164 sid_t *trustee;
165} ACE;
166
167typedef struct acl_struct_s {
168 unsigned short rev, refcnt;
169 unsigned short num_aces;
170 ACE *aces[1];
171} ACL;
172
173typedef struct sec_desc_s {
174 unsigned int rev, type;
175 sid_t *owner, *group;
176 ACL *sacl, *dacl;
177} SEC_DESC;
178
179#define SEC_DESC_NON 0
180#define SEC_DESC_RES 1
181#define SEC_DESC_OCU 2
182#define SEC_DESC_NBK 3
183typedef struct sk_struct SK_HDR;
184struct key_sec_desc_s {
185 struct key_sec_desc_s *prev, *next;
186 int ref_cnt;
187 int state;
188 int offset;
189 SK_HDR *sk_hdr; /* This means we must keep the registry in memory */
190 SEC_DESC *sec_desc;
191};
192
193/*
194 * All of the structures below actually have a four-byte length before them
195 * which always seems to be negative. The following macro retrieves that
196 * size as an integer
197 */
198
199#define BLK_SIZE(b) ((int)*(int *)(((int *)b)-1))
200
201typedef unsigned int DWORD;
202typedef unsigned short WORD;
203
204#define REG_REGF_ID 0x66676572
205
206typedef struct regf_block {
207 DWORD REGF_ID; /* regf */
208 DWORD uk1;
209 DWORD uk2;
210 DWORD tim1, tim2;
211 DWORD uk3; /* 1 */
212 DWORD uk4; /* 3 */
213 DWORD uk5; /* 0 */
214 DWORD uk6; /* 1 */
215 DWORD first_key; /* offset */
216 unsigned int dblk_size;
217 DWORD uk7[116]; /* 1 */
218 DWORD chksum;
219} REGF_HDR;
220
221typedef struct hbin_sub_struct {
222 DWORD dblocksize;
223 char data[1];
224} HBIN_SUB_HDR;
225
226#define REG_HBIN_ID 0x6E696268
227
228typedef struct hbin_struct {
229 DWORD HBIN_ID; /* hbin */
230 DWORD off_from_first;
231 DWORD off_to_next;
232 DWORD uk1;
233 DWORD uk2;
234 DWORD uk3;
235 DWORD uk4;
236 DWORD blk_size;
237 HBIN_SUB_HDR hbin_sub_hdr;
238} HBIN_HDR;
239
240#define REG_NK_ID 0x6B6E
241
242typedef struct nk_struct {
243 WORD NK_ID;
244 WORD type;
245 DWORD t1, t2;
246 DWORD uk1;
247 DWORD own_off;
248 DWORD subk_num;
249 DWORD uk2;
250 DWORD lf_off;
251 DWORD uk3;
252 DWORD val_cnt;
253 DWORD val_off;
254 DWORD sk_off;
255 DWORD clsnam_off;
256 DWORD unk4[4];
257 DWORD unk5;
258 WORD nam_len;
259 WORD clsnam_len;
260 char key_nam[1]; /* Actual length determined by nam_len */
261} NK_HDR;
262
263#define REG_SK_ID 0x6B73
264
265struct sk_struct {
266 WORD SK_ID;
267 WORD uk1;
268 DWORD prev_off;
269 DWORD next_off;
270 DWORD ref_cnt;
271 DWORD rec_size;
272 char sec_desc[1];
273};
274
275typedef struct ace_struct {
276 unsigned char type;
277 unsigned char flags;
278 unsigned short length;
279 unsigned int perms;
280 sid_t trustee;
281} REG_ACE;
282
283typedef struct acl_struct {
284 WORD rev;
285 WORD size;
286 DWORD num_aces;
287 REG_ACE *aces; /* One or more ACEs */
288} REG_ACL;
289
290typedef struct sec_desc_rec {
291 WORD rev;
292 WORD type;
293 DWORD owner_off;
294 DWORD group_off;
295 DWORD sacl_off;
296 DWORD dacl_off;
297} REG_SEC_DESC;
298
299typedef struct hash_struct {
300 DWORD nk_off;
301 char hash[4];
302} HASH_REC;
303
304#define REG_LF_ID 0x666C
305
306typedef struct lf_struct {
307 WORD LF_ID;
308 WORD key_count;
309 struct hash_struct hr[1]; /* Array of hash records, depending on key_count */
310} LF_HDR;
311
312typedef DWORD VL_TYPE[1]; /* Value list is an array of vk rec offsets */
313
314#define REG_VK_ID 0x6B76
315
316typedef struct vk_struct {
317 WORD VK_ID;
318 WORD nam_len;
319 DWORD dat_len; /* If top-bit set, offset contains the data */
320 DWORD dat_off;
321 DWORD dat_type;
322 WORD flag; /* =1, has name, else no name (=Default). */
323 WORD unk1;
324 char dat_name[1]; /* Name starts here ... */
325} VK_HDR;
326
327#define REG_TYPE_DELETE -1
328#define REG_TYPE_NONE 0
329#define REG_TYPE_REGSZ 1
330#define REG_TYPE_EXPANDSZ 2
331#define REG_TYPE_BIN 3
332#define REG_TYPE_DWORD 4
333#define REG_TYPE_MULTISZ 7
334/* Not a real type in the registry */
335#define REG_TYPE_KEY 255
336
337typedef struct _val_str {
338 unsigned int val;
339 const char * str;
340} VAL_STR;
341
342/* A map of sk offsets in the regf to KEY_SEC_DESCs for quick lookup etc */
343typedef struct sk_map_s {
344 int sk_off;
345 KEY_SEC_DESC *key_sec_desc;
346} SK_MAP;
347
348/*
349 * This structure keeps track of the output format of the registry
350 */
351#define REG_OUTBLK_HDR 1
352#define REG_OUTBLK_HBIN 2
353
354typedef struct hbin_blk_s {
355 int type, size;
356 struct hbin_blk_s *next;
357 char *data; /* The data block */
358 unsigned int file_offset; /* Offset in file */
359 unsigned int free_space; /* Amount of free space in block */
360 unsigned int fsp_off; /* Start of free space in block */
361 int complete, stored;
362} HBIN_BLK;
363
364/*
365 * This structure keeps all the registry stuff in one place
366 */
367typedef struct regf_struct_s {
368 int reg_type;
369 char *regfile_name, *outfile_name;
370 int fd;
371 struct stat sbuf;
372 char *base;
373 int modified;
374 NTTIME last_mod_time;
375 REG_KEY *root; /* Root of the tree for this file */
376 int sk_count, sk_map_size;
377 SK_MAP *sk_map;
378 const char *owner_sid_str;
379 SEC_DESC *def_sec_desc;
380 /*
381 * These next pointers point to the blocks used to contain the
382 * keys when we are preparing to write them to a file
383 */
384 HBIN_BLK *blk_head, *blk_tail, *free_space;
385} REGF;
386
387
388/* Function prototypes */
389
390static int nt_val_list_iterator(REGF *regf, REG_KEY *key_tree, int bf,
391 char *path, int terminal);
392static int nt_key_iterator(REGF *regf, REG_KEY *key_tree, int bf,
393 const char *path);
394static REG_KEY *nt_find_key_by_name(REG_KEY *tree, char *key);
395static int print_key(const char *path, char *name, char *class_name, int root,
396 int terminal, int vals, char* newline);
397static int print_val(const char *path, char *val_name, int val_type,
398 int data_len, void *data_blk, int terminal, int first,
399 int last);
400
401static int print_sec(SEC_DESC *sec_desc);
402
403
404/* Globals */
405
406char* prefix_filter = "";
407int type_filter = 0;
408bool type_filter_enabled = false;
409
410
411unsigned int str_is_prefix(const char* p, const char* s)
412{
413 const char* cp;
414 const char* cs;
415
416 cs = s;
417 for(cp=p; (*cp) != '\0'; cp++)
418 {
419 if((*cp)!=(*cs))
420 return 0;
421 cs++;
422 }
423
424 return 1;
425}
426
427
428/* Returns a newly malloc()ed string which contains original buffer,
429 * except for non-printable or special characters are quoted in hex
430 * with the syntax '\xQQ' where QQ is the hex ascii value of the quoted
431 * character. A null terminator is added, as only ascii, not binary,
432 * is returned.
433 */
434static
435char* quote_buffer(const unsigned char* str, char* special, unsigned int len)
436{
437 unsigned int i;
438 unsigned int num_written=0;
439 unsigned int out_len = sizeof(char)*len+1;
440 char* ret_val = malloc(out_len);
441
442 if(ret_val == NULL)
443 return NULL;
444
445 for(i=0; i<len; i++)
446 {
447 if(str[i] < 32 || str[i] > 126 || strchr(special, str[i]) != NULL)
448 {
449 out_len += 3;
450 /* XXX: may not be the most efficient way of getting enough memory. */
451 ret_val = realloc(ret_val, out_len);
452 if(ret_val == NULL)
453 break;
454 num_written += snprintf(ret_val+num_written, (out_len)-num_written,
455 "\\x%.2X", str[i]);
456 }
457 else
458 ret_val[num_written++] = str[i];
459 }
460 ret_val[num_written] = '\0';
461
462 return ret_val;
463}
464
465
466/* Returns a newly malloc()ed string which contains original string,
467 * except for non-printable or special characters are quoted in hex
468 * with the syntax '\xQQ' where QQ is the hex ascii value of the quoted
469 * character.
470 */
471static
472char* quote_string(const char* str, char* special)
473{
474 unsigned int len = strlen(str);
475 char* ret_val = quote_buffer((const unsigned char*)str, special, len);
476
477 return ret_val;
478}
479
480
481
482/*
483 * Iterate over the keys, depth first, calling a function for each key
484 * and indicating if it is terminal or non-terminal and if it has values.
485 *
486 * In addition, for each value in the list, call a value list function
487 */
488
489static
490int nt_val_list_iterator(REGF *regf, REG_KEY *key_tree, int bf, char *path,
491 int terminal)
492{
493 int i;
494 VAL_LIST* val_list = key_tree->values;
495
496 for (i=0; i<val_list->val_count; i++)
497 {
498 /*XXX: print_key() is doing nothing right now, can probably be removed. */
499 if (!print_key(path, key_tree->name,
500 key_tree->class_name,
501 (key_tree->type == REG_ROOT_KEY),
502 (key_tree->sub_keys == NULL),
503 (key_tree->values?(key_tree->values->val_count):0),
504 "\n") ||
505 !print_val(path, val_list->vals[i]->name,val_list->vals[i]->data_type,
506 val_list->vals[i]->data_len, val_list->vals[i]->data_blk,
507 terminal,
508 (i == 0),
509 (i == val_list->val_count)))
510 { return 0; }
511 }
512
513 return 1;
514}
515
516static
517int nt_key_list_iterator(REGF *regf, KEY_LIST *key_list, int bf,
518 const char *path)
519{
520 int i;
521
522 if (!key_list)
523 return 1;
524
525 for (i=0; i < key_list->key_count; i++)
526 {
527 if (!nt_key_iterator(regf, key_list->keys[i], bf, path))
528 return 0;
529 }
530 return 1;
531}
532
533static
534int nt_key_iterator(REGF *regf, REG_KEY *key_tree, int bf,
535 const char *path)
536{
537 int path_len = strlen(path);
538 char *new_path;
539
540 if (!regf || !key_tree)
541 return -1;
542
543 new_path = (char *)malloc(path_len + 1 + strlen(key_tree->name) + 1);
544 if (!new_path)
545 return 0; /* Errors? */
546 new_path[0] = '\0';
547 strcat(new_path, path);
548 strcat(new_path, key_tree->name);
549 strcat(new_path, "/");
550
551 /* List the key first, then the values, then the sub-keys */
552 /*printf("prefix_filter: %s, path: %s\n", prefix_filter, path);*/
553 if (str_is_prefix(prefix_filter, new_path))
554 {
555 if (!type_filter_enabled || (type_filter == REG_TYPE_KEY))
556 printf("%s%s:KEY\n", path, key_tree->name);
557
558 /*XXX: print_key() is doing nothing right now, can probably be removed. */
559 if (!print_key(path, key_tree->name,
560 key_tree->class_name,
561 (key_tree->type == REG_ROOT_KEY),
562 (key_tree->sub_keys == NULL),
563 (key_tree->values?(key_tree->values->val_count):0),
564 "\n"))
565 { return 0; }
566
567 /*
568 * If we have a security print routine, call it
569 * If the security print routine returns false, stop.
570 */
571 if (key_tree->security && !print_sec(key_tree->security->sec_desc))
572 return 0;
573 }
574
575 /*
576 * Now, iterate through the values in the val_list
577 */
578 if (key_tree->values &&
579 !nt_val_list_iterator(regf, key_tree, bf, new_path,
580 (key_tree->values!=NULL)))
581 {
582 free(new_path);
583 return 0;
584 }
585
586 /*
587 * Now, iterate through the keys in the key list
588 */
589 if (key_tree->sub_keys &&
590 !nt_key_list_iterator(regf, key_tree->sub_keys, bf,
591 new_path))
592 {
593 free(new_path);
594 return 0;
595 }
596
597 free(new_path);
598 return 1;
599}
600
601
602/*
603 * Find key by name in a list ...
604 * Take the first component and search for that in the list
605 */
606static
607REG_KEY *nt_find_key_in_list_by_name(KEY_LIST *list, char *key)
608{
609 int i;
610 REG_KEY *res = NULL;
611
612 if (!list || !key || !*key) return NULL;
613
614 for (i = 0; i < list->key_count; i++)
615 if ((res = nt_find_key_by_name(list->keys[i], key)))
616 return res;
617
618 return NULL;
619}
620
621
622/*
623 * Find key by name in a tree ... We will assume absolute names here, but we
624 * need the root of the tree ...
625 */
626static REG_KEY* nt_find_key_by_name(REG_KEY* tree, char* key)
627{
628 char* lname = NULL;
629 char* c1;
630 char* c2;
631 REG_KEY* tmp;
632
633 if (!tree || !key || !*key)
634 return NULL;
635
636 lname = strdup(key);
637 if (!lname)
638 return NULL;
639
640 /*
641 * Make sure that the first component is correct ...
642 */
643 c1 = lname;
644 c2 = strchr(c1, '/');
645 if (c2)
646 { /* Split here ... */
647 *c2 = 0;
648 c2++;
649 }
650
651 if (strcmp(c1, tree->name) != 0)
652 {
653 if (lname)
654 free(lname);
655 return NULL;
656 }
657
658 if (c2)
659 {
660 tmp = nt_find_key_in_list_by_name(tree->sub_keys, c2);
661 free(lname);
662 return tmp;
663 }
664 else
665 {
666 if (lname)
667 free(lname);
668 return tree;
669 }
670
671 return NULL;
672}
673
674/* Make, delete keys */
675static
676int nt_delete_val_key(VAL_KEY *val_key)
677{
678
679 if (val_key) {
680 if (val_key->name) free(val_key->name);
681 if (val_key->data_blk) free(val_key->data_blk);
682 free(val_key);
683 };
684 return 1;
685}
686
687
688/*
689 * Add a key to the tree ... We walk down the components matching until
690 * we don't find any. There must be a match on the first component ...
691 * We return the key structure for the final component as that is
692 * often where we want to add values ...
693 */
694
695/*
696 * Convert a string of the form S-1-5-x[-y-z-r] to a SID
697 */
698/* MIGHT COME IN HANDY LATER.
699static
700int sid_string_to_sid(sid_t **sid, const char *sid_str)
701{
702 int i = 0;
703 unsigned int auth;
704 const char *lstr;
705
706 *sid = (sid_t *)malloc(sizeof(sid_t));
707 if (!*sid) return 0;
708
709 memset(*sid, 0, sizeof(sid_t));
710
711 if (strncmp(sid_str, "S-1-5", 5)) {
712 fprintf(stderr, "Does not conform to S-1-5...: %s\n", sid_str);
713 return 0;
714 }
715
716//We only allow strings of form S-1-5...
717
718 (*sid)->ver = 1;
719 (*sid)->auth[5] = 5;
720
721 lstr = sid_str + 5;
722
723 while (1)
724 {
725 if (!lstr || !lstr[0] || sscanf(lstr, "-%u", &auth) == 0)
726 {
727 if (i < 1)
728 {
729 fprintf(stderr, "Not of form -d-d...: %s, %u\n", lstr, i);
730 return 0;
731 }
732 (*sid)->auths=i;
733 return 1;
734 }
735
736 (*sid)->sub_auths[i] = auth;
737 i++;
738 lstr = strchr(lstr + 1, '-');
739 }
740
741 return 1;
742}
743*/
744
745
746/*
747 * We will implement inheritence that is based on what the parent's SEC_DESC
748 * says, but the Owner and Group SIDs can be overwridden from the command line
749 * and additional ACEs can be applied from the command line etc.
750 */
751static
752KEY_SEC_DESC *nt_inherit_security(REG_KEY *key)
753{
754
755 if (!key) return NULL;
756 return key->security;
757}
758
759/*
760 * Add a sub-key
761 */
762static
763REG_KEY *nt_add_reg_key_list(REGF *regf, REG_KEY *key, char * name, int create)
764{
765 int i;
766 REG_KEY *ret = NULL, *tmp = NULL;
767 KEY_LIST *list;
768 char *lname, *c1, *c2;
769
770 if (!key || !name || !*name) return NULL;
771
772 list = key->sub_keys;
773 if (!list) { /* Create an empty list */
774
775 list = (KEY_LIST *)malloc(sizeof(KEY_LIST) + (REG_KEY_LIST_SIZE - 1) * sizeof(REG_KEY *));
776 list->key_count = 0;
777 list->max_keys = REG_KEY_LIST_SIZE;
778
779 }
780
781 lname = strdup(name);
782 if (!lname) return NULL;
783
784 c1 = lname;
785 c2 = strchr(c1, '/');
786 if (c2) { /* Split here ... */
787 *c2 = 0;
788 c2++;
789 }
790
791 for (i = 0; i < list->key_count; i++) {
792 if (strcmp(list->keys[i]->name, c1) == 0) {
793 ret = nt_add_reg_key_list(regf, list->keys[i], c2, create);
794 free(lname);
795 return ret;
796 }
797 }
798
799 /*
800 * If we reach here we could not find the the first component
801 * so create it ...
802 */
803
804 if (list->key_count < list->max_keys){
805 list->key_count++;
806 }
807 else { /* Create more space in the list ... */
808 if (!(list = (KEY_LIST *)realloc(list, sizeof(KEY_LIST) +
809 (list->max_keys + REG_KEY_LIST_SIZE - 1)
810 * sizeof(REG_KEY *))))
811 goto error;
812
813 list->max_keys += REG_KEY_LIST_SIZE;
814 list->key_count++;
815 }
816
817 /*
818 * add the new key at the new slot
819 * XXX: Sort the list someday
820 */
821
822 /*
823 * We want to create the key, and then do the rest
824 */
825
826 tmp = (REG_KEY *)malloc(sizeof(REG_KEY));
827
828 memset(tmp, 0, sizeof(REG_KEY));
829
830 tmp->name = strdup(c1);
831 if (!tmp->name) goto error;
832 tmp->owner = key;
833 tmp->type = REG_SUB_KEY;
834 /*
835 * Next, pull security from the parent, but override with
836 * anything passed in on the command line
837 */
838 tmp->security = nt_inherit_security(key);
839
840 list->keys[list->key_count - 1] = tmp;
841
842 if (c2) {
843 ret = nt_add_reg_key_list(regf, key, c2, True);
844 }
845
846 if (lname) free(lname);
847
848 return ret;
849
850 error:
851 if (tmp) free(tmp);
852 if (lname) free(lname);
853 return NULL;
854}
855
856
857/*
858 * Load and unload a registry file.
859 *
860 * Load, loads it into memory as a tree, while unload sealizes/flattens it
861 */
862
863/*
864 * Get the starting record for NT Registry file
865 */
866
867/*
868 * Where we keep all the regf stuff for one registry.
869 * This is the structure that we use to tie the in memory tree etc
870 * together. By keeping separate structs, we can operate on different
871 * registries at the same time.
872 * Currently, the SK_MAP is an array of mapping structure.
873 * Since we only need this on input and output, we fill in the structure
874 * as we go on input. On output, we know how many SK items we have, so
875 * we can allocate the structure as we need to.
876 * If you add stuff here that is dynamically allocated, add the
877 * appropriate free statements below.
878 */
879
880#define REGF_REGTYPE_NONE 0
881#define REGF_REGTYPE_NT 1
882#define REGF_REGTYPE_W9X 2
883
884#define TTTONTTIME(r, t1, t2) (r)->last_mod_time.low = (t1); \
885 (r)->last_mod_time.high = (t2);
886
887#define REGF_HDR_BLKSIZ 0x1000
888
889#define OFF(f) ((f) + REGF_HDR_BLKSIZ + 4)
890#define LOCN(base, f) ((base) + OFF(f))
891
892const VAL_STR reg_type_names[] = {
893 { REG_TYPE_REGSZ, "SZ" },
894 { REG_TYPE_EXPANDSZ, "EXPAND_SZ" },
895 { REG_TYPE_BIN, "BIN" },
896 { REG_TYPE_DWORD, "DWORD" },
897 { REG_TYPE_MULTISZ, "MULTI_SZ" },
898 { REG_TYPE_KEY, "KEY" },
899 { 0, NULL },
900};
901
902
903static
904const char *val_to_str(unsigned int val, const VAL_STR *val_array)
905{
906 int i;
907
908 if (!val_array)
909 return NULL;
910
911 for(i=0; val_array[i].val && val_array[i].str; i++)
912 if (val_array[i].val == val)
913 return val_array[i].str;
914
915 return NULL;
916}
917
918
919/* Returns 0 on error */
920static
921int str_to_val(const char* str, const VAL_STR *val_array)
922{
923 int i;
924
925 if (!val_array)
926 return 0;
927
928 for(i=0; val_array[i].val && val_array[i].str; i++)
929 if (strcmp(val_array[i].str, str) == 0)
930 return val_array[i].val;
931
932 return 0;
933}
934
935
936/*
937 * Convert from UniCode to Ascii ... Does not take into account other lang
938 * Restrict by ascii_max if > 0
939 */
940static
941int uni_to_ascii(unsigned char *uni, unsigned char *ascii, int ascii_max,
942 int uni_max)
943{
944 int i = 0;
945
946 while (i < ascii_max && (uni[i*2] || uni[i*2+1]))
947 {
948 if (uni_max > 0 && (i*2) >= uni_max) break;
949 ascii[i] = uni[i*2];
950 i++;
951 }
952 ascii[i] = '\0';
953
954 return i;
955}
956
957/*
958 * Convert a data value to a string for display
959 */
960static
961unsigned char* data_to_ascii(unsigned char *datap, int len, int type)
962{
963 unsigned char *asciip;
964 unsigned int i;
965 unsigned short num_nulls;
966 unsigned char* ascii;
967 unsigned char* cur_str;
968 unsigned char* cur_ascii;
969 char* cur_quoted;
970 unsigned int cur_str_len;
971 unsigned int ascii_max, cur_str_max;
972 unsigned int str_rem, cur_str_rem, alen;
973
974 switch (type)
975 {
976 case REG_TYPE_REGSZ:
977 if (verbose)
978 fprintf(stderr, "Len: %d\n", len);
979
980 ascii_max = sizeof(char)*len;
981 ascii = malloc(ascii_max+4);
982 if(ascii == NULL)
983 return NULL;
984
985 /* XXX: This has to be fixed. It has to be UNICODE */
986 uni_to_ascii(datap, ascii, len, ascii_max);
987 return ascii;
988 break;
989
990 case REG_TYPE_EXPANDSZ:
991 ascii_max = sizeof(char)*len;
992 ascii = malloc(ascii_max+2);
993 if(ascii == NULL)
994 return NULL;
995
996 uni_to_ascii(datap, ascii, len, ascii_max);
997 return ascii;
998 break;
999
1000 case REG_TYPE_BIN:
1001 ascii = (unsigned char*)quote_buffer(datap, "\\", len);
1002 return ascii;
1003 break;
1004
1005 case REG_TYPE_DWORD:
1006 ascii_max = sizeof(char)*10;
1007 ascii = malloc(ascii_max+1);
1008 if(ascii == NULL)
1009 return NULL;
1010
1011 if (*(int *)datap == 0)
1012 snprintf((char*)ascii, ascii_max, "0");
1013 else
1014 snprintf((char*)ascii, ascii_max, "0x%x", *(int *)datap);
1015 return ascii;
1016 break;
1017
1018 case REG_TYPE_MULTISZ:
1019 ascii_max = sizeof(char)*len*4;
1020 cur_str_max = sizeof(char)*len+1;
1021 cur_str = malloc(cur_str_max);
1022 cur_ascii = malloc(cur_str_max);
1023 ascii = malloc(ascii_max+4);
1024 if(ascii == NULL)
1025 return NULL;
1026
1027 /* Reads until it reaches 4 consecutive NULLs,
1028 * which is two nulls in unicode, or until it reaches len, or until we
1029 * run out of buffer. The latter should never happen, but we shouldn't
1030 * trust our file to have the right lengths/delimiters.
1031 */
1032 asciip = ascii;
1033 num_nulls = 0;
1034 str_rem = ascii_max;
1035 cur_str_rem = cur_str_max;
1036 cur_str_len = 0;
1037
1038 for(i=0; (i < len) && str_rem > 0; i++)
1039 {
1040 *(cur_str+cur_str_len) = *(datap+i);
1041 if(*(cur_str+cur_str_len) == 0)
1042 num_nulls++;
1043 else
1044 num_nulls = 0;
1045 cur_str_len++;
1046
1047 if(num_nulls == 2)
1048 {
1049 uni_to_ascii(cur_str, cur_ascii, cur_str_max, 0);
1050 /* XXX: Should backslashes be quoted as well? */
1051 cur_quoted = quote_string((char*)cur_ascii, "|");
1052 alen = snprintf((char*)asciip, str_rem, "%s", cur_quoted);
1053 asciip += alen;
1054 str_rem -= alen;
1055 free(cur_quoted);
1056
1057 if(*(datap+i+1) == 0 && *(datap+i+2) == 0)
1058 break;
1059 else
1060 {
1061 alen = snprintf((char*)asciip, str_rem, "%c", '|');
1062 asciip += alen;
1063 str_rem -= alen;
1064 memset(cur_str, 0, cur_str_max);
1065 cur_str_len = 0;
1066 num_nulls = 0;
1067 /* To eliminate leading nulls in subsequent strings. */
1068 i++;
1069 }
1070 }
1071 }
1072 *asciip = 0;
1073 return ascii;
1074 break;
1075
1076 default:
1077 return NULL;
1078 break;
1079 }
1080
1081 return NULL;
1082}
1083
1084static
1085REG_KEY *nt_get_key_tree(REGF *regf, NK_HDR *nk_hdr, int size, REG_KEY *parent);
1086
1087static
1088int nt_set_regf_input_file(REGF *regf, char *filename)
1089{
1090 return ((regf->regfile_name = strdup(filename)) != NULL);
1091}
1092
1093
1094/* Create a regf structure and init it */
1095
1096static
1097REGF *nt_create_regf(void)
1098{
1099 REGF *tmp = (REGF *)malloc(sizeof(REGF));
1100 if (!tmp) return tmp;
1101 memset(tmp, 0, sizeof(REGF));
1102 tmp->owner_sid_str = def_owner_sid_str;
1103 return tmp;
1104}
1105
1106
1107/* Get the header of the registry. Return a pointer to the structure
1108 * If the mmap'd area has not been allocated, then mmap the input file
1109 */
1110static
1111REGF_HDR *nt_get_regf_hdr(REGF *regf)
1112{
1113 if (!regf)
1114 return NULL; /* What about errors */
1115
1116 if (!regf->regfile_name)
1117 return NULL; /* What about errors */
1118
1119 if (!regf->base) { /* Try to mmap etc the file */
1120
1121 if ((regf->fd = open(regf->regfile_name, O_RDONLY, 0000)) <0) {
1122 return NULL; /* What about errors? */
1123 }
1124
1125 if (fstat(regf->fd, &regf->sbuf) < 0) {
1126 return NULL;
1127 }
1128
1129 regf->base = mmap(0, regf->sbuf.st_size, PROT_READ, MAP_SHARED, regf->fd, 0);
1130
1131 if ((int)regf->base == 1) {
1132 fprintf(stderr, "Could not mmap file: %s, %s\n", regf->regfile_name,
1133 strerror(errno));
1134 return NULL;
1135 }
1136 }
1137
1138 /*
1139 * At this point, regf->base != NULL, and we should be able to read the
1140 * header
1141 */
1142
1143 assert(regf->base != NULL);
1144
1145 return (REGF_HDR *)regf->base;
1146}
1147
1148/*
1149 * Validate a regf header
1150 * For now, do nothing, but we should check the checksum
1151 */
1152static
1153int valid_regf_hdr(REGF_HDR *regf_hdr)
1154{
1155 if (!regf_hdr) return 0;
1156
1157 return 1;
1158}
1159
1160/*
1161 * Process an SK header ...
1162 * Every time we see a new one, add it to the map. Otherwise, just look it up.
1163 * We will do a simple linear search for the moment, since many KEYs have the
1164 * same security descriptor.
1165 * We allocate the map in increments of 10 entries.
1166 */
1167
1168/*
1169 * Create a new entry in the map, and increase the size of the map if needed
1170 */
1171static
1172SK_MAP *alloc_sk_map_entry(REGF *regf, KEY_SEC_DESC *tmp, int sk_off)
1173{
1174 if (!regf->sk_map) { /* Allocate a block of 10 */
1175 regf->sk_map = (SK_MAP *)malloc(sizeof(SK_MAP) * 10);
1176 if (!regf->sk_map) {
1177 free(tmp);
1178 return NULL;
1179 }
1180 regf->sk_map_size = 10;
1181 regf->sk_count = 1;
1182 (regf->sk_map)[0].sk_off = sk_off;
1183 (regf->sk_map)[0].key_sec_desc = tmp;
1184 }
1185 else { /* Simply allocate a new slot, unless we have to expand the list */
1186 int ndx = regf->sk_count;
1187 if (regf->sk_count >= regf->sk_map_size) {
1188 regf->sk_map = (SK_MAP *)realloc(regf->sk_map,
1189 (regf->sk_map_size + 10)*sizeof(SK_MAP));
1190 if (!regf->sk_map) {
1191 free(tmp);
1192 return NULL;
1193 }
1194 /*
1195 * ndx already points at the first entry of the new block
1196 */
1197 regf->sk_map_size += 10;
1198 }
1199 (regf->sk_map)[ndx].sk_off = sk_off;
1200 (regf->sk_map)[ndx].key_sec_desc = tmp;
1201 regf->sk_count++;
1202 }
1203 return regf->sk_map;
1204}
1205
1206/*
1207 * Search for a KEY_SEC_DESC in the sk_map, but don't create one if not
1208 * found
1209 */
1210static
1211KEY_SEC_DESC *lookup_sec_key(SK_MAP *sk_map, int count, int sk_off)
1212{
1213 int i;
1214
1215 if (!sk_map) return NULL;
1216
1217 for (i = 0; i < count; i++) {
1218
1219 if (sk_map[i].sk_off == sk_off)
1220 return sk_map[i].key_sec_desc;
1221
1222 }
1223
1224 return NULL;
1225
1226}
1227
1228/*
1229 * Allocate a KEY_SEC_DESC if we can't find one in the map
1230 */
1231static
1232KEY_SEC_DESC *lookup_create_sec_key(REGF *regf, SK_MAP *sk_map, int sk_off)
1233{
1234 KEY_SEC_DESC *tmp = lookup_sec_key(regf->sk_map, regf->sk_count, sk_off);
1235
1236 if (tmp) {
1237 return tmp;
1238 }
1239 else { /* Allocate a new one */
1240 tmp = (KEY_SEC_DESC *)malloc(sizeof(KEY_SEC_DESC));
1241 if (!tmp) {
1242 return NULL;
1243 }
1244 memset(tmp, 0, sizeof(KEY_SEC_DESC)); /* Neatly sets offset to 0 */
1245 tmp->state = SEC_DESC_RES;
1246 if (!alloc_sk_map_entry(regf, tmp, sk_off)) {
1247 return NULL;
1248 }
1249 return tmp;
1250 }
1251}
1252
1253/*
1254 * Allocate storage and duplicate a SID
1255 * We could allocate the SID to be only the size needed, but I am too lazy.
1256 */
1257static
1258sid_t *dup_sid(sid_t *sid)
1259{
1260 sid_t *tmp = (sid_t *)malloc(sizeof(sid_t));
1261 int i;
1262
1263 if (!tmp) return NULL;
1264 tmp->ver = sid->ver;
1265 tmp->auths = sid->auths;
1266 for (i=0; i<6; i++) {
1267 tmp->auth[i] = sid->auth[i];
1268 }
1269 for (i=0; i<tmp->auths&&i<MAXSUBAUTHS; i++) {
1270 tmp->sub_auths[i] = sid->sub_auths[i];
1271 }
1272 return tmp;
1273}
1274
1275/*
1276 * Allocate space for an ACE and duplicate the registry encoded one passed in
1277 */
1278static
1279ACE *dup_ace(REG_ACE *ace)
1280{
1281 ACE *tmp = NULL;
1282
1283 tmp = (ACE *)malloc(sizeof(ACE));
1284
1285 if (!tmp)
1286 return NULL;
1287
1288 tmp->type = CVAL(&ace->type);
1289 tmp->flags = CVAL(&ace->flags);
1290 tmp->perms = IVAL(&ace->perms);
1291 tmp->trustee = dup_sid(&ace->trustee);
1292 return tmp;
1293}
1294
1295/*
1296 * Allocate space for an ACL and duplicate the registry encoded one passed in
1297 */
1298static
1299ACL *dup_acl(REG_ACL *acl)
1300{
1301 ACL *tmp = NULL;
1302 REG_ACE* ace;
1303 int i, num_aces;
1304
1305 num_aces = IVAL(&acl->num_aces);
1306
1307 tmp = (ACL *)malloc(sizeof(ACL) + (num_aces - 1)*sizeof(ACE *));
1308 if (!tmp) return NULL;
1309
1310 tmp->num_aces = num_aces;
1311 tmp->refcnt = 1;
1312 tmp->rev = SVAL(&acl->rev);
1313 if (verbose) fprintf(stdout, "ACL: refcnt: %u, rev: %u\n", tmp->refcnt,
1314 tmp->rev);
1315 ace = (REG_ACE *)&acl->aces;
1316 for (i=0; i<num_aces; i++) {
1317 tmp->aces[i] = dup_ace(ace);
1318 ace = (REG_ACE *)((char *)ace + SVAL(&ace->length));
1319 /* XXX: should handle NULLs returned from dup_ace() */
1320 }
1321
1322 return tmp;
1323}
1324
1325static
1326SEC_DESC *process_sec_desc(REGF *regf, REG_SEC_DESC *sec_desc)
1327{
1328 SEC_DESC *tmp = NULL;
1329
1330 tmp = (SEC_DESC *)malloc(sizeof(SEC_DESC));
1331
1332 if (!tmp) {
1333 return NULL;
1334 }
1335
1336 tmp->rev = SVAL(&sec_desc->rev);
1337 tmp->type = SVAL(&sec_desc->type);
1338 if (verbose) fprintf(stdout, "SEC_DESC Rev: %0X, Type: %0X\n",
1339 tmp->rev, tmp->type);
1340 if (verbose) fprintf(stdout, "SEC_DESC Owner Off: %0X\n",
1341 IVAL(&sec_desc->owner_off));
1342 if (verbose) fprintf(stdout, "SEC_DESC Group Off: %0X\n",
1343 IVAL(&sec_desc->group_off));
1344 if (verbose) fprintf(stdout, "SEC_DESC DACL Off: %0X\n",
1345 IVAL(&sec_desc->dacl_off));
1346 tmp->owner = dup_sid((sid_t *)((char *)sec_desc + IVAL(&sec_desc->owner_off)));
1347 if (!tmp->owner) {
1348 free(tmp);
1349 return NULL;
1350 }
1351 tmp->group = dup_sid((sid_t *)((char *)sec_desc + IVAL(&sec_desc->group_off)));
1352 if (!tmp->group) {
1353 free(tmp);
1354 return NULL;
1355 }
1356
1357 /* Now pick up the SACL and DACL */
1358
1359 if (sec_desc->sacl_off)
1360 tmp->sacl = dup_acl((REG_ACL *)((char *)sec_desc + IVAL(&sec_desc->sacl_off)));
1361 else
1362 tmp->sacl = NULL;
1363
1364 if (sec_desc->dacl_off)
1365 tmp->dacl = dup_acl((REG_ACL *)((char *)sec_desc + IVAL(&sec_desc->dacl_off)));
1366 else
1367 tmp->dacl = NULL;
1368
1369 return tmp;
1370}
1371
1372static
1373KEY_SEC_DESC *process_sk(REGF *regf, SK_HDR *sk_hdr, int sk_off, int size)
1374{
1375 KEY_SEC_DESC *tmp = NULL;
1376 int sk_next_off, sk_prev_off, sk_size;
1377 REG_SEC_DESC *sec_desc;
1378
1379 if (!sk_hdr) return NULL;
1380
1381 if (SVAL(&sk_hdr->SK_ID) != REG_SK_ID) {
1382 fprintf(stderr, "Unrecognized SK Header ID: %08X, %s\n", (int)sk_hdr,
1383 regf->regfile_name);
1384 return NULL;
1385 }
1386
1387 if (-size < (sk_size = IVAL(&sk_hdr->rec_size))) {
1388 fprintf(stderr, "Incorrect SK record size: %d vs %d. %s\n",
1389 -size, sk_size, regf->regfile_name);
1390 return NULL;
1391 }
1392
1393 /*
1394 * Now, we need to look up the SK Record in the map, and return it
1395 * Since the map contains the SK_OFF mapped to KEY_SEC_DESC, we can
1396 * use that
1397 */
1398
1399 if (regf->sk_map &&
1400 ((tmp = lookup_sec_key(regf->sk_map, regf->sk_count, sk_off)) != NULL)
1401 && (tmp->state == SEC_DESC_OCU)) {
1402 tmp->ref_cnt++;
1403 return tmp;
1404 }
1405
1406 /* Here, we have an item in the map that has been reserved, or tmp==NULL. */
1407
1408 assert(tmp == NULL || (tmp && tmp->state != SEC_DESC_NON));
1409
1410 /*
1411 * Now, allocate a KEY_SEC_DESC, and parse the structure here, and add the
1412 * new KEY_SEC_DESC to the mapping structure, since the offset supplied is
1413 * the actual offset of structure. The same offset will be used by
1414 * all future references to this structure
1415 * We could put all this unpleasantness in a function.
1416 */
1417
1418 if (!tmp) {
1419 tmp = (KEY_SEC_DESC *)malloc(sizeof(KEY_SEC_DESC));
1420 if (!tmp) return NULL;
1421 memset(tmp, 0, sizeof(KEY_SEC_DESC));
1422
1423 /*
1424 * Allocate an entry in the SK_MAP ...
1425 * We don't need to free tmp, because that is done for us if the
1426 * sm_map entry can't be expanded when we need more space in the map.
1427 */
1428
1429 if (!alloc_sk_map_entry(regf, tmp, sk_off)) {
1430 return NULL;
1431 }
1432 }
1433
1434 tmp->ref_cnt++;
1435 tmp->state = SEC_DESC_OCU;
1436
1437 /*
1438 * Now, process the actual sec desc and plug the values in
1439 */
1440
1441 sec_desc = (REG_SEC_DESC *)&sk_hdr->sec_desc[0];
1442 tmp->sec_desc = process_sec_desc(regf, sec_desc);
1443
1444 /*
1445 * Now forward and back links. Here we allocate an entry in the sk_map
1446 * if it does not exist, and mark it reserved
1447 */
1448
1449 sk_prev_off = IVAL(&sk_hdr->prev_off);
1450 tmp->prev = lookup_create_sec_key(regf, regf->sk_map, sk_prev_off);
1451 assert(tmp->prev != NULL);
1452 sk_next_off = IVAL(&sk_hdr->next_off);
1453 tmp->next = lookup_create_sec_key(regf, regf->sk_map, sk_next_off);
1454 assert(tmp->next != NULL);
1455
1456 return tmp;
1457}
1458
1459/*
1460 * Process a VK header and return a value
1461 */
1462static
1463VAL_KEY *process_vk(REGF *regf, VK_HDR *vk_hdr, int size)
1464{
1465 char val_name[1024];
1466 int nam_len, dat_len, flag, dat_type, dat_off, vk_id;
1467 const char *val_type;
1468 VAL_KEY *tmp = NULL;
1469
1470 if (!vk_hdr) return NULL;
1471
1472 if ((vk_id = SVAL(&vk_hdr->VK_ID)) != REG_VK_ID) {
1473 fprintf(stderr, "Unrecognized VK header ID: %0X, block: %0X, %s\n",
1474 vk_id, (int)vk_hdr, regf->regfile_name);
1475 return NULL;
1476 }
1477
1478 nam_len = SVAL(&vk_hdr->nam_len);
1479 val_name[nam_len] = '\0';
1480 flag = SVAL(&vk_hdr->flag);
1481 dat_type = IVAL(&vk_hdr->dat_type);
1482 dat_len = IVAL(&vk_hdr->dat_len); /* If top bit, offset contains data */
1483 dat_off = IVAL(&vk_hdr->dat_off);
1484
1485 tmp = (VAL_KEY *)malloc(sizeof(VAL_KEY));
1486 if (!tmp) {
1487 goto error;
1488 }
1489 memset(tmp, 0, sizeof(VAL_KEY));
1490 tmp->has_name = flag;
1491 tmp->data_type = dat_type;
1492
1493 if (flag & 0x01) {
1494 strncpy(val_name, vk_hdr->dat_name, nam_len);
1495 tmp->name = strdup(val_name);
1496 if (!tmp->name) {
1497 goto error;
1498 }
1499 }
1500 else
1501 strncpy(val_name, "<No Name>", 10);
1502
1503 /*
1504 * Allocate space and copy the data as a BLOB
1505 */
1506
1507 if (dat_len) {
1508
1509 char *dtmp = (char *)malloc(dat_len&0x7FFFFFFF);
1510
1511 if (!dtmp) {
1512 goto error;
1513 }
1514
1515 tmp->data_blk = dtmp;
1516
1517 if ((dat_len&0x80000000) == 0)
1518 { /* The data is pointed to by the offset */
1519 char *dat_ptr = LOCN(regf->base, dat_off);
1520 memcpy(dtmp, dat_ptr, dat_len);
1521 }
1522 else { /* The data is in the offset or type */
1523 /*
1524 * XXX:
1525 * Some registry files seem to have wierd fields. If top bit is set,
1526 * but len is 0, the type seems to be the value ...
1527 * Not sure how to handle this last type for the moment ...
1528 */
1529 dat_len = dat_len & 0x7FFFFFFF;
1530 memcpy(dtmp, &dat_off, dat_len);
1531 }
1532
1533 tmp->data_len = dat_len;
1534 }
1535
1536 val_type = val_to_str(dat_type, reg_type_names);
1537
1538 /*
1539 * We need to save the data area as well
1540 */
1541 if (verbose)
1542 fprintf(stdout, " %s : %s : \n", val_name, val_type);
1543
1544 return tmp;
1545
1546 error:
1547 if (tmp) nt_delete_val_key(tmp);
1548 return NULL;
1549
1550}
1551
1552/*
1553 * Process a VL Header and return a list of values
1554 */
1555static
1556VAL_LIST *process_vl(REGF *regf, VL_TYPE vl, int count, int size)
1557{
1558 int i, vk_off;
1559 VK_HDR *vk_hdr;
1560 VAL_LIST *tmp = NULL;
1561
1562 if (!vl) return NULL;
1563
1564 if (-size < (count+1)*sizeof(int)){
1565 fprintf(stderr, "Error in VL header format. Size less than space required. %d\n", -size);
1566 return NULL;
1567 }
1568
1569 tmp = (VAL_LIST *)malloc(sizeof(VAL_LIST) + (count - 1) * sizeof(VAL_KEY *));
1570 if (!tmp) {
1571 goto error;
1572 }
1573
1574 for (i=0; i<count; i++) {
1575 vk_off = IVAL(&vl[i]);
1576 vk_hdr = (VK_HDR *)LOCN(regf->base, vk_off);
1577 tmp->vals[i] = process_vk(regf, vk_hdr, BLK_SIZE(vk_hdr));
1578 if (!tmp->vals[i]){
1579 goto error;
1580 }
1581 }
1582
1583 tmp->val_count = count;
1584 tmp->max_vals = count;
1585
1586 return tmp;
1587
1588 error:
1589 /* XXX: free the partially allocated structure */
1590 return NULL;
1591}
1592
1593/*
1594 * Process an LF Header and return a list of sub-keys
1595 */
1596static
1597KEY_LIST *process_lf(REGF *regf, LF_HDR *lf_hdr, int size, REG_KEY *parent)
1598{
1599 int count, i, nk_off;
1600 unsigned int lf_id;
1601 KEY_LIST *tmp;
1602
1603 if (!lf_hdr) return NULL;
1604
1605 if ((lf_id = SVAL(&lf_hdr->LF_ID)) != REG_LF_ID) {
1606 fprintf(stderr, "Unrecognized LF Header format: %0X, Block: %0X, %s.\n",
1607 lf_id, (int)lf_hdr, regf->regfile_name);
1608 return NULL;
1609 }
1610
1611 assert(size < 0);
1612
1613 count = SVAL(&lf_hdr->key_count);
1614 if (verbose)
1615 fprintf(stdout, "Key Count: %u\n", count);
1616 if (count <= 0) return NULL;
1617
1618 /* Now, we should allocate a KEY_LIST struct and fill it in ... */
1619
1620 tmp = (KEY_LIST *)malloc(sizeof(KEY_LIST) + (count - 1) * sizeof(REG_KEY *));
1621 if (!tmp) {
1622 goto error;
1623 }
1624
1625 tmp->key_count = count;
1626 tmp->max_keys = count;
1627
1628 for (i=0; i<count; i++) {
1629 NK_HDR *nk_hdr;
1630
1631 nk_off = IVAL(&lf_hdr->hr[i].nk_off);
1632 if (verbose)
1633 fprintf(stdout, "NK Offset: %0X\n", nk_off);
1634 nk_hdr = (NK_HDR *)LOCN(regf->base, nk_off);
1635 tmp->keys[i] = nt_get_key_tree(regf, nk_hdr, BLK_SIZE(nk_hdr), parent);
1636 if (!tmp->keys[i]) {
1637 goto error;
1638 }
1639 }
1640
1641 return tmp;
1642
1643 error:
1644 /*if (tmp) nt_delete_key_list(tmp, False);*/
1645 return NULL;
1646}
1647
1648
1649/*
1650 * This routine is passed an NK_HDR pointer and retrieves the entire tree
1651 * from there down. It returns a REG_KEY *.
1652 */
1653static
1654REG_KEY *nt_get_key_tree(REGF *regf, NK_HDR *nk_hdr, int size, REG_KEY *parent)
1655{
1656 REG_KEY *tmp = NULL, *own;
1657 int name_len, clsname_len, lf_off, val_off, val_count, sk_off, own_off;
1658 unsigned int nk_id;
1659 LF_HDR *lf_hdr;
1660 VL_TYPE *vl;
1661 SK_HDR *sk_hdr;
1662 char key_name[1024];
1663 unsigned char cls_name[1024];
1664
1665 if (!nk_hdr) return NULL;
1666
1667 if ((nk_id = SVAL(&nk_hdr->NK_ID)) != REG_NK_ID) {
1668 fprintf(stderr, "Unrecognized NK Header format: %08X, Block: %0X. %s\n",
1669 nk_id, (int)nk_hdr, regf->regfile_name);
1670 return NULL;
1671 }
1672
1673 assert(size < 0);
1674
1675 name_len = SVAL(&nk_hdr->nam_len);
1676 clsname_len = SVAL(&nk_hdr->clsnam_len);
1677
1678 /*
1679 * The value of -size should be ge
1680 * (sizeof(NK_HDR) - 1 + name_len)
1681 * The -1 accounts for the fact that we included the first byte of
1682 * the name in the structure. clsname_len is the length of the thing
1683 * pointed to by clsnam_off
1684 */
1685
1686 if (-size < (sizeof(NK_HDR) - 1 + name_len)) {
1687 fprintf(stderr, "Incorrect NK_HDR size: %d, %0X\n", -size, (int)nk_hdr);
1688 fprintf(stderr, "Sizeof NK_HDR: %d, name_len %d, clsname_len %d\n",
1689 sizeof(NK_HDR), name_len, clsname_len);
1690 /*return NULL;*/
1691 }
1692
1693 if (verbose) fprintf(stdout, "NK HDR: Name len: %d, class name len: %d\n",
1694 name_len, clsname_len);
1695
1696 /* Fish out the key name and process the LF list */
1697
1698 assert(name_len < sizeof(key_name));
1699
1700 /* Allocate the key struct now */
1701 tmp = (REG_KEY *)malloc(sizeof(REG_KEY));
1702 if (!tmp) return tmp;
1703 memset(tmp, 0, sizeof(REG_KEY));
1704
1705 tmp->type = (SVAL(&nk_hdr->type)==0x2C?REG_ROOT_KEY:REG_SUB_KEY);
1706
1707 strncpy(key_name, nk_hdr->key_nam, name_len);
1708 key_name[name_len] = '\0';
1709
1710 if (verbose) fprintf(stdout, "Key name: %s\n", key_name);
1711
1712 tmp->name = strdup(key_name);
1713 if (!tmp->name) {
1714 goto error;
1715 }
1716
1717 /*
1718 * Fish out the class name, it is in UNICODE, while the key name is
1719 * ASCII :-)
1720 */
1721
1722 if (clsname_len)
1723 { /* Just print in Ascii for now */
1724 unsigned char *clsnamep;
1725 unsigned int clsnam_off;
1726
1727 clsnam_off = IVAL(&nk_hdr->clsnam_off);
1728 clsnamep = (unsigned char*)LOCN(regf->base, clsnam_off);
1729 if (verbose) fprintf(stdout, "Class Name Offset: %0X\n", clsnam_off);
1730
1731 memset(cls_name, 0, clsname_len);
1732 uni_to_ascii(clsnamep, cls_name, sizeof(cls_name), clsname_len);
1733
1734 /*
1735 * XXX:
1736 * I am keeping class name as an ascii string for the moment.
1737 * That means it needs to be converted on output.
1738 * It will also piss off people who need Unicode/UTF-8 strings. Sorry.
1739 */
1740 tmp->class_name = strdup((char*)cls_name);
1741 if (!tmp->class_name) {
1742 goto error;
1743 }
1744
1745 if (verbose) fprintf(stdout, " Class Name: %s\n", cls_name);
1746
1747 }
1748
1749 /*
1750 * Process the owner offset ...
1751 */
1752 own_off = IVAL(&nk_hdr->own_off);
1753 own = (REG_KEY *)LOCN(regf->base, own_off);
1754 if (verbose)
1755 fprintf(stdout, "Owner Offset: %0X\n", own_off);
1756
1757 if (verbose)
1758 fprintf(stdout, " Owner locn: %0X, Our locn: %0X\n",
1759 (unsigned int)own, (unsigned int)nk_hdr);
1760
1761 /*
1762 * We should verify that the owner field is correct ...
1763 * for now, we don't worry ...
1764 */
1765 tmp->owner = parent;
1766
1767 /*
1768 * If there are any values, process them here
1769 */
1770
1771 val_count = IVAL(&nk_hdr->val_cnt);
1772 if (verbose)
1773 fprintf(stdout, "Val Count: %d\n", val_count);
1774 if (val_count)
1775 {
1776 val_off = IVAL(&nk_hdr->val_off);
1777 vl = (VL_TYPE *)LOCN(regf->base, val_off);
1778 if (verbose)
1779 fprintf(stdout, "Val List Offset: %0X\n", val_off);
1780
1781 tmp->values = process_vl(regf, *vl, val_count, BLK_SIZE(vl));
1782 if (!tmp->values) {
1783 goto error;
1784 }
1785
1786 }
1787
1788 /*
1789 * Also handle the SK header ...
1790 */
1791
1792 sk_off = IVAL(&nk_hdr->sk_off);
1793 sk_hdr = (SK_HDR *)LOCN(regf->base, sk_off);
1794 if (verbose)
1795 fprintf(stdout, "SK Offset: %0X\n", sk_off);
1796
1797 if (sk_off != -1) {
1798
1799 tmp->security = process_sk(regf, sk_hdr, sk_off, BLK_SIZE(sk_hdr));
1800
1801 }
1802
1803 lf_off = IVAL(&nk_hdr->lf_off);
1804 if (verbose)
1805 fprintf(stdout, "SubKey list offset: %0X\n", lf_off);
1806
1807 /*
1808 * No more subkeys if lf_off == -1
1809 */
1810 if (lf_off != -1)
1811 {
1812 lf_hdr = (LF_HDR *)LOCN(regf->base, lf_off);
1813
1814 tmp->sub_keys = process_lf(regf, lf_hdr, BLK_SIZE(lf_hdr), tmp);
1815 if (!tmp->sub_keys)
1816 goto error;
1817 }
1818
1819 return tmp;
1820
1821 error:
1822 /*if (tmp) nt_delete_reg_key(tmp, False);*/
1823 return NULL;
1824}
1825
1826static
1827int nt_load_registry(REGF *regf)
1828{
1829 REGF_HDR *regf_hdr;
1830 unsigned int regf_id, hbin_id;
1831 HBIN_HDR *hbin_hdr;
1832 NK_HDR *first_key;
1833
1834 /* Get the header */
1835
1836 if ((regf_hdr = nt_get_regf_hdr(regf)) == NULL) {
1837 return -1;
1838 }
1839
1840 /* Now process that header and start to read the rest in */
1841
1842 if ((regf_id = IVAL(&regf_hdr->REGF_ID)) != REG_REGF_ID) {
1843 fprintf(stderr, "Unrecognized NT registry header id: %0X, %s\n",
1844 regf_id, regf->regfile_name);
1845 return -1;
1846 }
1847
1848 /*
1849 * Validate the header ...
1850 */
1851 if (!valid_regf_hdr(regf_hdr)) {
1852 fprintf(stderr, "Registry file header does not validate: %s\n",
1853 regf->regfile_name);
1854 return -1;
1855 }
1856
1857 /* Update the last mod date, and then go get the first NK record and on */
1858
1859 TTTONTTIME(regf, IVAL(&regf_hdr->tim1), IVAL(&regf_hdr->tim2));
1860
1861 /*
1862 * The hbin hdr seems to be just uninteresting garbage. Check that
1863 * it is there, but that is all.
1864 */
1865
1866 hbin_hdr = (HBIN_HDR *)(regf->base + REGF_HDR_BLKSIZ);
1867
1868 if ((hbin_id = IVAL(&hbin_hdr->HBIN_ID)) != REG_HBIN_ID) {
1869 fprintf(stderr, "Unrecognized registry hbin hdr ID: %0X, %s\n",
1870 hbin_id, regf->regfile_name);
1871 return -1;
1872 }
1873
1874 /*
1875 * Get a pointer to the first key from the hreg_hdr
1876 */
1877
1878 if (verbose)
1879 fprintf(stdout, "First Key: %0X\n", IVAL(&regf_hdr->first_key));
1880
1881 first_key = (NK_HDR *)LOCN(regf->base, IVAL(&regf_hdr->first_key));
1882 if (verbose) fprintf(stdout, "First Key Offset: %0X\n",
1883 IVAL(&regf_hdr->first_key));
1884
1885 if (verbose) fprintf(stdout, "Data Block Size: %d\n",
1886 IVAL(&regf_hdr->dblk_size));
1887
1888 if (verbose) fprintf(stdout, "Offset to next hbin block: %0X\n",
1889 IVAL(&hbin_hdr->off_to_next));
1890
1891 if (verbose) fprintf(stdout, "HBIN block size: %0X\n",
1892 IVAL(&hbin_hdr->blk_size));
1893
1894 /*
1895 * Now, get the registry tree by processing that NK recursively
1896 */
1897
1898 regf->root = nt_get_key_tree(regf, first_key, BLK_SIZE(first_key), NULL);
1899
1900 assert(regf->root != NULL);
1901
1902 /*
1903 * Unmap the registry file, as we might want to read in another
1904 * tree etc.
1905 */
1906
1907 if (regf->base) munmap(regf->base, regf->sbuf.st_size);
1908 regf->base = NULL;
1909 close(regf->fd); /* Ignore the error :-) */
1910
1911 return 1;
1912}
1913
1914
1915/*
1916 * Routines to parse a REGEDIT4 file
1917 *
1918 * The file consists of:
1919 *
1920 * REGEDIT4
1921 * \[[-]key-path\]\n
1922 * <value-spec>*
1923 *
1924 * Format:
1925 * [cmd:]name=type:value
1926 *
1927 * cmd = a|d|c|add|delete|change|as|ds|cs
1928 *
1929 * There can be more than one key-path and value-spec.
1930 *
1931 * Since we want to support more than one type of file format, we
1932 * construct a command-file structure that keeps info about the command file
1933 */
1934
1935#define FMT_UNREC -1
1936#define FMT_REGEDIT4 0
1937#define FMT_EDITREG1_1 1
1938
1939#define FMT_STRING_REGEDIT4 "REGEDIT4"
1940#define FMT_STRING_EDITREG1_0 "EDITREG1.0"
1941
1942#define CMD_NONE 0
1943#define CMD_ADD_KEY 1
1944#define CMD_DEL_KEY 2
1945
1946#define CMD_KEY 1
1947#define CMD_VAL 2
1948
1949typedef struct val_spec_list {
1950 struct val_spec_list *next;
1951 char *name;
1952 int type;
1953 char *val; /* Kept as a char string, really? */
1954} VAL_SPEC_LIST;
1955
1956typedef struct command_s {
1957 int cmd;
1958 char *key;
1959 int val_count;
1960 VAL_SPEC_LIST *val_spec_list, *val_spec_last;
1961} CMD;
1962
1963typedef struct cmd_line {
1964 int len, line_len;
1965 char *line;
1966} CMD_LINE;
1967
1968
1969
1970#define INIT_ALLOC 10
1971
1972
1973/* prints a key */
1974static
1975int print_key(const char *path, char *name, char *class_name, int root,
1976 int terminal, int vals, char* newline)
1977{
1978 if (full_print)
1979 fprintf(stdout, "%s%s/%s", path, name, newline);
1980
1981 return 1;
1982}
1983
1984/*
1985 * Sec Desc print functions
1986 */
1987static
1988void print_type(unsigned char type)
1989{
1990 switch (type) {
1991 case 0x00:
1992 fprintf(stdout, " ALLOW");
1993 break;
1994 case 0x01:
1995 fprintf(stdout, " DENY");
1996 break;
1997 case 0x02:
1998 fprintf(stdout, " AUDIT");
1999 break;
2000 case 0x03:
2001 fprintf(stdout, " ALARM");
2002 break;
2003 case 0x04:
2004 fprintf(stdout, "ALLOW CPD");
2005 break;
2006 case 0x05:
2007 fprintf(stdout, "OBJ ALLOW");
2008 break;
2009 case 0x06:
2010 fprintf(stdout, " OBJ DENY");
2011 break;
2012 default:
2013 fprintf(stdout, " UNKNOWN");
2014 break;
2015 }
2016}
2017
2018static
2019void print_flags(unsigned char flags)
2020{
2021 char flg_output[21];
2022 int some = 0;
2023
2024 flg_output[0] = 0;
2025 if (!flags) {
2026 fprintf(stdout, " ");
2027 return;
2028 }
2029 if (flags & 0x01) {
2030 if (some) strcat(flg_output, ",");
2031 some = 1;
2032 strcat(flg_output, "OI");
2033 }
2034 if (flags & 0x02) {
2035 if (some) strcat(flg_output, ",");
2036 some = 1;
2037 strcat(flg_output, "CI");
2038 }
2039 if (flags & 0x04) {
2040 if (some) strcat(flg_output, ",");
2041 some = 1;
2042 strcat(flg_output, "NP");
2043 }
2044 if (flags & 0x08) {
2045 if (some) strcat(flg_output, ",");
2046 some = 1;
2047 strcat(flg_output, "IO");
2048 }
2049 if (flags & 0x10) {
2050 if (some) strcat(flg_output, ",");
2051 some = 1;
2052 strcat(flg_output, "IA");
2053 }
2054 if (flags == 0xF) {
2055 if (some) strcat(flg_output, ",");
2056 some = 1;
2057 strcat(flg_output, "VI");
2058 }
2059 fprintf(stdout, " %s", flg_output);
2060}
2061
2062static
2063void print_perms(int perms)
2064{
2065 fprintf(stdout, " %8X", perms);
2066}
2067
2068static
2069void print_sid(sid_t *sid)
2070{
2071 int i, comps = sid->auths;
2072 fprintf(stdout, "S-%u-%u", sid->ver, sid->auth[5]);
2073
2074 for (i = 0; i < comps; i++)
2075 fprintf(stdout, "-%u", sid->sub_auths[i]);
2076
2077 /*fprintf(stdout, "\n");*/
2078}
2079
2080static
2081void print_acl(ACL *acl, const char *prefix)
2082{
2083 int i;
2084
2085 for (i = 0; i < acl->num_aces; i++) {
2086 fprintf(stdout, ";;%s", prefix);
2087 print_type(acl->aces[i]->type);
2088 print_flags(acl->aces[i]->flags);
2089 print_perms(acl->aces[i]->perms);
2090 fprintf(stdout, " ");
2091 print_sid(acl->aces[i]->trustee);
2092 }
2093}
2094
2095static
2096int print_sec(SEC_DESC *sec_desc)
2097{
2098 if (!print_security) return 1;
2099 fprintf(stdout, ";; SECURITY\n");
2100 fprintf(stdout, ";; Owner: ");
2101 print_sid(sec_desc->owner);
2102 fprintf(stdout, ";; Group: ");
2103 print_sid(sec_desc->group);
2104 if (sec_desc->sacl) {
2105 fprintf(stdout, ";; SACL:\n");
2106 print_acl(sec_desc->sacl, " ");
2107 }
2108 if (sec_desc->dacl) {
2109 fprintf(stdout, ";; DACL:\n");
2110 print_acl(sec_desc->dacl, " ");
2111 }
2112 return 1;
2113}
2114
2115/*
2116 * Value print function here ...
2117 */
2118static
2119int print_val(const char *path, char *val_name, int val_type, int data_len,
2120 void *data_blk, int terminal, int first, int last)
2121{
2122 unsigned char* data_asc;
2123 char* new_path;
2124 const char* str_type;
2125
2126 if(!val_name)
2127 val_name = "";
2128 if(!path)
2129 path = "";
2130
2131 new_path = (char *)malloc(strlen(path)+ strlen(val_name) + 1);
2132 if (!new_path)
2133 return 0; /* Errors? */
2134 new_path[0] = '\0';
2135 strcat(new_path, path);
2136 strcat(new_path, val_name);
2137
2138 if (str_is_prefix(prefix_filter, new_path))
2139 {
2140 if (!type_filter_enabled || (type_filter == val_type))
2141 {
2142 if(!val_name)
2143 val_name = "<No Name>";
2144
2145 str_type = val_to_str(val_type,reg_type_names);
2146 if(!str_type)
2147 str_type = "";
2148
2149 data_asc = data_to_ascii((unsigned char *)data_blk, data_len, val_type);
2150 fprintf(stdout, "%s:%s=%s\n", new_path, str_type, data_asc);
2151
2152 free(data_asc);
2153 }
2154 }
2155
2156 free(new_path);
2157 return 1;
2158}
2159
2160static
2161void usage(void)
2162{
2163 fprintf(stderr, "Usage: readreg [-f<PREFIX_FILTER>] [-t<TYPE_FILTER>] "
2164 "[-v] [-s] <REGISTRY_FILE>\n");
2165 /* XXX: replace version string with Subversion tag? */
2166 fprintf(stderr, "Version: 0.1\n");
2167 fprintf(stderr, "\n\t-v\t sets verbose mode.");
2168 fprintf(stderr, "\n\t-f\t a simple prefix filter.");
2169 fprintf(stderr, "\n\t-t\t restrict results to a specific type.");
2170 fprintf(stderr, "\n\t-s\t prints security descriptors.");
2171 fprintf(stderr, "\n");
2172}
2173
2174
2175int main(int argc, char *argv[])
2176{
2177 REGF *regf;
2178 extern char *optarg;
2179 extern int optind;
2180 int opt;
2181 int regf_opt = 1;
2182
2183 if (argc < 2)
2184 {
2185 usage();
2186 exit(1);
2187 }
2188
2189 /*
2190 * Now, process the arguments
2191 */
2192
2193 while ((opt = getopt(argc, argv, "svf:t:o:c:")) != EOF)
2194 {
2195 switch (opt)
2196 {
2197 case 'f':
2198 /*full_print = 1;*/
2199 prefix_filter = strdup(optarg);
2200 regf_opt++;
2201 break;
2202
2203 case 't':
2204 type_filter = str_to_val(optarg, reg_type_names);
2205 type_filter_enabled = true;
2206 regf_opt++;
2207 break;
2208
2209 case 's':
2210 print_security++;
2211 /*full_print++;*/
2212 regf_opt++;
2213 break;
2214
2215 case 'v':
2216 verbose++;
2217 regf_opt++;
2218 break;
2219
2220 default:
2221 usage();
2222 exit(1);
2223 break;
2224 }
2225 }
2226
2227 /*
2228 * We only want to complain about the lack of a default owner SID if
2229 * we need one. This approximates that need
2230 */
2231 if (!def_owner_sid_str) {
2232 def_owner_sid_str = "S-1-5-21-1-2-3-4";
2233 if (verbose)
2234 fprintf(stderr, "Warning, default owner SID not set. Setting to %s\n",
2235 def_owner_sid_str);
2236 }
2237
2238 if ((regf = nt_create_regf()) == NULL)
2239 {
2240 fprintf(stderr, "Could not create registry object: %s\n", strerror(errno));
2241 exit(2);
2242 }
2243
2244 if (regf_opt < argc)
2245 { /* We have a registry file */
2246 if (!nt_set_regf_input_file(regf, argv[regf_opt]))
2247 {
2248 fprintf(stderr, "Could not set name of registry file: %s, %s\n",
2249 argv[regf_opt], strerror(errno));
2250 exit(3);
2251 }
2252
2253 /* Now, open it, and bring it into memory :-) */
2254 if (nt_load_registry(regf) < 0)
2255 {
2256 fprintf(stderr, "Could not load registry: %s\n", argv[1]);
2257 exit(4);
2258 }
2259 }
2260
2261 /*
2262 * At this point, we should have a registry in memory and should be able
2263 * to iterate over it.
2264 */
2265 nt_key_iterator(regf, regf->root, 0, "");
2266
2267 return 0;
2268}
Note: See TracBrowser for help on using the repository browser.