1 | /* |
---|
2 | * $Id: $ |
---|
3 | * |
---|
4 | * This code was taken from Richard Sharpe''s editreg utility, in the |
---|
5 | * Samba CVS tree. It has since been simplified and turned into a |
---|
6 | * strictly read-only utility. |
---|
7 | * |
---|
8 | * Copyright (C) 2005 Timothy D. Morgan |
---|
9 | * Copyright (C) 2002 Richard Sharpe, rsharpe@richardsharpe.com |
---|
10 | * |
---|
11 | * This program is free software; you can redistribute it and/or modify |
---|
12 | * it under the terms of the GNU General Public License as published by |
---|
13 | * the Free Software Foundation; either version 2 of the License, or |
---|
14 | * (at your option) any later version. |
---|
15 | * |
---|
16 | * This program is distributed in the hope that it will be useful, |
---|
17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
19 | * GNU General Public License for more details. |
---|
20 | * |
---|
21 | * You should have received a copy of the GNU General Public License |
---|
22 | * along with this program; if not, write to the Free Software |
---|
23 | * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
---|
24 | */ |
---|
25 | |
---|
26 | /************************************************************************* |
---|
27 | |
---|
28 | A utility to edit a Windows NT/2K etc registry file. |
---|
29 | |
---|
30 | Many of the ideas in here come from other people and software. |
---|
31 | I first looked in Wine in misc/registry.c and was also influenced by |
---|
32 | http://www.wednesday.demon.co.uk/dosreg.html |
---|
33 | |
---|
34 | Which seems to contain comments from someone else. I reproduce them here |
---|
35 | incase the site above disappears. It actually comes from |
---|
36 | http://home.eunet.no/~pnordahl/ntpasswd/WinReg.txt. |
---|
37 | |
---|
38 | The goal here is to read the registry into memory, manipulate it, and then |
---|
39 | write it out if it was changed by any actions of the user. |
---|
40 | |
---|
41 | The windows NT registry has 2 different blocks, where one can occur many |
---|
42 | times... |
---|
43 | |
---|
44 | the "regf"-Block |
---|
45 | ================ |
---|
46 | |
---|
47 | "regf" is obviosly the abbreviation for "Registry file". "regf" is the |
---|
48 | signature of the header-block which is always 4kb in size, although only |
---|
49 | the first 64 bytes seem to be used and a checksum is calculated over |
---|
50 | the first 0x200 bytes only! |
---|
51 | |
---|
52 | Offset Size Contents |
---|
53 | 0x00000000 D-Word ID: ASCII-"regf" = 0x66676572 |
---|
54 | 0x00000004 D-Word ???? //see struct REGF |
---|
55 | 0x00000008 D-Word ???? Always the same value as at 0x00000004 |
---|
56 | 0x0000000C Q-Word last modify date in WinNT date-format |
---|
57 | 0x00000014 D-Word 1 |
---|
58 | 0x00000018 D-Word 3 |
---|
59 | 0x0000001C D-Word 0 |
---|
60 | 0x00000020 D-Word 1 |
---|
61 | 0x00000024 D-Word Offset of 1st key record |
---|
62 | 0x00000028 D-Word Size of the data-blocks (Filesize-4kb) |
---|
63 | 0x0000002C D-Word 1 |
---|
64 | 0x000001FC D-Word Sum of all D-Words from 0x00000000 to |
---|
65 | 0x000001FB //XOR of all words. Nigel |
---|
66 | |
---|
67 | I have analyzed more registry files (from multiple machines running |
---|
68 | NT 4.0 german version) and could not find an explanation for the values |
---|
69 | marked with ???? the rest of the first 4kb page is not important... |
---|
70 | |
---|
71 | the "hbin"-Block |
---|
72 | ================ |
---|
73 | I dont know what "hbin" stands for, but this block is always a multiple |
---|
74 | of 4kb in size. |
---|
75 | |
---|
76 | Inside these hbin-blocks the different records are placed. The memory- |
---|
77 | management looks like a C-compiler heap management to me... |
---|
78 | |
---|
79 | hbin-Header |
---|
80 | =========== |
---|
81 | Offset Size Contents |
---|
82 | 0x0000 D-Word ID: ASCII-"hbin" = 0x6E696268 |
---|
83 | 0x0004 D-Word Offset from the 1st hbin-Block |
---|
84 | 0x0008 D-Word Offset to the next hbin-Block |
---|
85 | 0x001C D-Word Block-size |
---|
86 | |
---|
87 | The values in 0x0008 and 0x001C should be the same, so I dont know |
---|
88 | if they are correct or swapped... |
---|
89 | |
---|
90 | From offset 0x0020 inside a hbin-block data is stored with the following |
---|
91 | format: |
---|
92 | |
---|
93 | Offset Size Contents |
---|
94 | 0x0000 D-Word Data-block size //this size must be a |
---|
95 | multiple of 8. Nigel |
---|
96 | 0x0004 ???? Data |
---|
97 | |
---|
98 | If the size field is negative (bit 31 set), the corresponding block |
---|
99 | is free and has a size of -blocksize! |
---|
100 | |
---|
101 | That does not seem to be true. All block lengths seem to be negative! |
---|
102 | (Richard Sharpe) |
---|
103 | |
---|
104 | The data is stored as one record per block. Block size is a multiple |
---|
105 | of 4 and the last block reaches the next hbin-block, leaving no room. |
---|
106 | |
---|
107 | (That also seems incorrect, in that the block size if a multiple of 8. |
---|
108 | That is, the block, including the 4 byte header, is always a multiple of |
---|
109 | 8 bytes. Richard Sharpe.) |
---|
110 | |
---|
111 | Records in the hbin-blocks |
---|
112 | ========================== |
---|
113 | |
---|
114 | nk-Record |
---|
115 | |
---|
116 | The nk-record can be treated as a kombination of tree-record and |
---|
117 | key-record of the win 95 registry. |
---|
118 | |
---|
119 | lf-Record |
---|
120 | |
---|
121 | The lf-record is the counterpart to the RGKN-record (the |
---|
122 | hash-function) |
---|
123 | |
---|
124 | vk-Record |
---|
125 | |
---|
126 | The vk-record consists information to a single value. |
---|
127 | |
---|
128 | sk-Record |
---|
129 | |
---|
130 | sk (? Security Key ?) is the ACL of the registry. |
---|
131 | |
---|
132 | Value-Lists |
---|
133 | |
---|
134 | The value-lists contain information about which values are inside a |
---|
135 | sub-key and dont have a header. |
---|
136 | |
---|
137 | Datas |
---|
138 | |
---|
139 | The datas of the registry are (like the value-list) stored without a |
---|
140 | header. |
---|
141 | |
---|
142 | All offset-values are relative to the first hbin-block and point to the |
---|
143 | block-size field of the record-entry. to get the file offset, you have to add |
---|
144 | the header size (4kb) and the size field (4 bytes)... |
---|
145 | |
---|
146 | the nk-Record |
---|
147 | ============= |
---|
148 | Offset Size Contents |
---|
149 | 0x0000 Word ID: ASCII-"nk" = 0x6B6E |
---|
150 | 0x0002 Word for the root-key: 0x2C, otherwise 0x20 //key symbolic links 0x10. Nigel |
---|
151 | 0x0004 Q-Word write-date/time in windows nt notation |
---|
152 | 0x0010 D-Word Offset of Owner/Parent key |
---|
153 | 0x0014 D-Word number of sub-Keys |
---|
154 | 0x001C D-Word Offset of the sub-key lf-Records |
---|
155 | 0x0024 D-Word number of values |
---|
156 | 0x0028 D-Word Offset of the Value-List |
---|
157 | 0x002C D-Word Offset of the sk-Record |
---|
158 | |
---|
159 | 0x0030 D-Word Offset of the Class-Name //see NK structure for the use of these fields. Nigel |
---|
160 | 0x0044 D-Word Unused (data-trash) //some kind of run time index. Does not appear to be important. Nigel |
---|
161 | 0x0048 Word name-length |
---|
162 | 0x004A Word class-name length |
---|
163 | 0x004C ???? key-name |
---|
164 | |
---|
165 | the Value-List |
---|
166 | ============== |
---|
167 | Offset Size Contents |
---|
168 | 0x0000 D-Word Offset 1st Value |
---|
169 | 0x0004 D-Word Offset 2nd Value |
---|
170 | 0x???? D-Word Offset nth Value |
---|
171 | |
---|
172 | To determine the number of values, you have to look at the owner-nk-record! |
---|
173 | |
---|
174 | Der vk-Record |
---|
175 | ============= |
---|
176 | Offset Size Contents |
---|
177 | 0x0000 Word ID: ASCII-"vk" = 0x6B76 |
---|
178 | 0x0002 Word name length |
---|
179 | 0x0004 D-Word length of the data //if top bit is set when offset contains data. Nigel |
---|
180 | 0x0008 D-Word Offset of Data |
---|
181 | 0x000C D-Word Type of value |
---|
182 | 0x0010 Word Flag |
---|
183 | 0x0012 Word Unused (data-trash) |
---|
184 | 0x0014 ???? Name |
---|
185 | |
---|
186 | If bit 0 of the flag-word is set, a name is present, otherwise the value has no name (=default) |
---|
187 | |
---|
188 | If the data-size is lower 5, the data-offset value is used to store the data itself! |
---|
189 | |
---|
190 | The data-types |
---|
191 | ============== |
---|
192 | Wert Beteutung |
---|
193 | 0x0001 RegSZ: character string (in UNICODE!) |
---|
194 | 0x0002 ExpandSZ: string with "%var%" expanding (UNICODE!) |
---|
195 | 0x0003 RegBin: raw-binary value |
---|
196 | 0x0004 RegDWord: Dword |
---|
197 | 0x0007 RegMultiSZ: multiple strings, seperated with 0 |
---|
198 | (UNICODE!) |
---|
199 | |
---|
200 | The "lf"-record |
---|
201 | =============== |
---|
202 | Offset Size Contents |
---|
203 | 0x0000 Word ID: ASCII-"lf" = 0x666C |
---|
204 | 0x0002 Word number of keys |
---|
205 | 0x0004 ???? Hash-Records |
---|
206 | |
---|
207 | Hash-Record |
---|
208 | =========== |
---|
209 | Offset Size Contents |
---|
210 | 0x0000 D-Word Offset of corresponding "nk"-Record |
---|
211 | 0x0004 D-Word ASCII: the first 4 characters of the key-name, padded with 0-s. Case sensitiv! |
---|
212 | |
---|
213 | Keep in mind, that the value at 0x0004 is used for checking the data-consistency! If you change the |
---|
214 | key-name you have to change the hash-value too! |
---|
215 | |
---|
216 | //These hashrecords must be sorted low to high within the lf record. Nigel. |
---|
217 | |
---|
218 | The "sk"-block |
---|
219 | ============== |
---|
220 | (due to the complexity of the SAM-info, not clear jet) |
---|
221 | (This is just a self-relative security descriptor in the data. R Sharpe.) |
---|
222 | |
---|
223 | |
---|
224 | Offset Size Contents |
---|
225 | 0x0000 Word ID: ASCII-"sk" = 0x6B73 |
---|
226 | 0x0002 Word Unused |
---|
227 | 0x0004 D-Word Offset of previous "sk"-Record |
---|
228 | 0x0008 D-Word Offset of next "sk"-Record |
---|
229 | 0x000C D-Word usage-counter |
---|
230 | 0x0010 D-Word Size of "sk"-record in bytes |
---|
231 | ???? //standard self |
---|
232 | relative security desciptor. Nigel |
---|
233 | ???? ???? Security and auditing settings... |
---|
234 | ???? |
---|
235 | |
---|
236 | The usage counter counts the number of references to this |
---|
237 | "sk"-record. You can use one "sk"-record for the entire registry! |
---|
238 | |
---|
239 | Windows nt date/time format |
---|
240 | =========================== |
---|
241 | The time-format is a 64-bit integer which is incremented every |
---|
242 | 0,0000001 seconds by 1 (I dont know how accurate it really is!) |
---|
243 | It starts with 0 at the 1st of january 1601 0:00! All values are |
---|
244 | stored in GMT time! The time-zone is important to get the real |
---|
245 | time! |
---|
246 | |
---|
247 | Common values for win95 and win-nt |
---|
248 | ================================== |
---|
249 | Offset values marking an "end of list", are either 0 or -1 (0xFFFFFFFF). |
---|
250 | If a value has no name (length=0, flag(bit 0)=0), it is treated as the |
---|
251 | "Default" entry... |
---|
252 | If a value has no data (length=0), it is displayed as empty. |
---|
253 | |
---|
254 | simplyfied win-3.?? registry: |
---|
255 | ============================= |
---|
256 | |
---|
257 | +-----------+ |
---|
258 | | next rec. |---+ +----->+------------+ |
---|
259 | | first sub | | | | Usage cnt. | |
---|
260 | | name | | +-->+------------+ | | length | |
---|
261 | | value | | | | next rec. | | | text |------->+-------+ |
---|
262 | +-----------+ | | | name rec. |--+ +------------+ | xxxxx | |
---|
263 | +------------+ | | value rec. |-------->+------------+ +-------+ |
---|
264 | v | +------------+ | Usage cnt. | |
---|
265 | +-----------+ | | length | |
---|
266 | | next rec. | | | text |------->+-------+ |
---|
267 | | first sub |------+ +------------+ | xxxxx | |
---|
268 | | name | +-------+ |
---|
269 | | value | |
---|
270 | +-----------+ |
---|
271 | |
---|
272 | Greatly simplyfied structure of the nt-registry: |
---|
273 | ================================================ |
---|
274 | |
---|
275 | +---------------------------------------------------------------+ |
---|
276 | | | |
---|
277 | v | |
---|
278 | +---------+ +---------->+-----------+ +----->+---------+ | |
---|
279 | | "nk" | | | lf-rec. | | | nk-rec. | | |
---|
280 | | ID | | | # of keys | | | parent |---+ |
---|
281 | | Date | | | 1st key |--+ | .... | |
---|
282 | | parent | | +-----------+ +---------+ |
---|
283 | | suk-keys|-----+ |
---|
284 | | values |--------------------->+----------+ |
---|
285 | | SK-rec. |---------------+ | 1. value |--> +----------+ |
---|
286 | | class |--+ | +----------+ | vk-rec. | |
---|
287 | +---------+ | | | .... | |
---|
288 | v | | data |--> +-------+ |
---|
289 | +------------+ | +----------+ | xxxxx | |
---|
290 | | Class name | | +-------+ |
---|
291 | +------------+ | |
---|
292 | v |
---|
293 | +---------+ +---------+ |
---|
294 | +----->| next sk |--->| Next sk |--+ |
---|
295 | | +---| prev sk |<---| prev sk | | |
---|
296 | | | | .... | | ... | | |
---|
297 | | | +---------+ +---------+ | |
---|
298 | | | ^ | |
---|
299 | | | | | |
---|
300 | | +--------------------+ | |
---|
301 | +----------------------------------+ |
---|
302 | |
---|
303 | --------------------------------------------------------------------------- |
---|
304 | |
---|
305 | Hope this helps.... (Although it was *fun* for me to uncover this things, |
---|
306 | it took me several sleepless nights ;) |
---|
307 | |
---|
308 | B.D. |
---|
309 | |
---|
310 | *************************************************************************/ |
---|
311 | |
---|
312 | #include <stdio.h> |
---|
313 | #include <stdlib.h> |
---|
314 | #include <errno.h> |
---|
315 | #include <assert.h> |
---|
316 | #include <sys/types.h> |
---|
317 | #include <sys/stat.h> |
---|
318 | #include <unistd.h> |
---|
319 | #include <sys/mman.h> |
---|
320 | #include <strings.h> |
---|
321 | #include <string.h> |
---|
322 | #include <fcntl.h> |
---|
323 | |
---|
324 | #define False 0 |
---|
325 | #define True 1 |
---|
326 | #define REG_KEY_LIST_SIZE 10 |
---|
327 | |
---|
328 | /* |
---|
329 | * Structures for dealing with the on-disk format of the registry |
---|
330 | */ |
---|
331 | |
---|
332 | #define IVAL(buf) ((unsigned int) \ |
---|
333 | (unsigned int)*((unsigned char *)(buf)+3)<<24| \ |
---|
334 | (unsigned int)*((unsigned char *)(buf)+2)<<16| \ |
---|
335 | (unsigned int)*((unsigned char *)(buf)+1)<<8| \ |
---|
336 | (unsigned int)*((unsigned char *)(buf)+0)) |
---|
337 | |
---|
338 | #define SVAL(buf) ((unsigned short) \ |
---|
339 | (unsigned short)*((unsigned char *)(buf)+1)<<8| \ |
---|
340 | (unsigned short)*((unsigned char *)(buf)+0)) |
---|
341 | |
---|
342 | #define CVAL(buf) ((unsigned char)*((unsigned char *)(buf))) |
---|
343 | |
---|
344 | #define SIVAL(buf, val) \ |
---|
345 | ((((unsigned char *)(buf))[0])=(unsigned char)((val)&0xFF),\ |
---|
346 | (((unsigned char *)(buf))[1])=(unsigned char)(((val)>>8)&0xFF),\ |
---|
347 | (((unsigned char *)(buf))[2])=(unsigned char)(((val)>>16)&0xFF),\ |
---|
348 | (((unsigned char *)(buf))[3])=(unsigned char)((val)>>24)) |
---|
349 | |
---|
350 | #define SSVAL(buf, val) \ |
---|
351 | ((((unsigned char *)(buf))[0])=(unsigned char)((val)&0xFF),\ |
---|
352 | (((unsigned char *)(buf))[1])=(unsigned char)((val)>>8)) |
---|
353 | |
---|
354 | static int verbose = 0; |
---|
355 | static int print_security = 0; |
---|
356 | static int full_print = 0; |
---|
357 | static const char *def_owner_sid_str = NULL; |
---|
358 | |
---|
359 | /* |
---|
360 | * These definitions are for the in-memory registry structure. |
---|
361 | * It is a tree structure that mimics what you see with tools like regedit |
---|
362 | */ |
---|
363 | |
---|
364 | /* |
---|
365 | * DateTime struct for Windows |
---|
366 | */ |
---|
367 | |
---|
368 | typedef struct date_time_s { |
---|
369 | unsigned int low, high; |
---|
370 | } NTTIME; |
---|
371 | |
---|
372 | /* |
---|
373 | * Definition of a Key. It has a name, classname, date/time last modified, |
---|
374 | * sub-keys, values, and a security descriptor |
---|
375 | */ |
---|
376 | |
---|
377 | #define REG_ROOT_KEY 1 |
---|
378 | #define REG_SUB_KEY 2 |
---|
379 | #define REG_SYM_LINK 3 |
---|
380 | |
---|
381 | typedef struct key_sec_desc_s KEY_SEC_DESC; |
---|
382 | |
---|
383 | typedef struct reg_key_s { |
---|
384 | char *name; /* Name of the key */ |
---|
385 | char *class_name; |
---|
386 | int type; /* One of REG_ROOT_KEY or REG_SUB_KEY */ |
---|
387 | NTTIME last_mod; /* Time last modified */ |
---|
388 | struct reg_key_s *owner; |
---|
389 | struct key_list_s *sub_keys; |
---|
390 | struct val_list_s *values; |
---|
391 | KEY_SEC_DESC *security; |
---|
392 | unsigned int offset; /* Offset of the record in the file */ |
---|
393 | } REG_KEY; |
---|
394 | |
---|
395 | /* |
---|
396 | * The KEY_LIST struct lists sub-keys. |
---|
397 | */ |
---|
398 | |
---|
399 | typedef struct key_list_s { |
---|
400 | int key_count; |
---|
401 | int max_keys; |
---|
402 | REG_KEY *keys[1]; |
---|
403 | } KEY_LIST; |
---|
404 | |
---|
405 | typedef struct val_key_s { |
---|
406 | char *name; |
---|
407 | int has_name; |
---|
408 | int data_type; |
---|
409 | int data_len; |
---|
410 | void *data_blk; /* Might want a separate block */ |
---|
411 | } VAL_KEY; |
---|
412 | |
---|
413 | typedef struct val_list_s { |
---|
414 | int val_count; |
---|
415 | int max_vals; |
---|
416 | VAL_KEY *vals[1]; |
---|
417 | } VAL_LIST; |
---|
418 | |
---|
419 | #ifndef MAXSUBAUTHS |
---|
420 | #define MAXSUBAUTHS 15 |
---|
421 | #endif |
---|
422 | |
---|
423 | typedef struct sid_s { |
---|
424 | unsigned char ver, auths; |
---|
425 | unsigned char auth[6]; |
---|
426 | unsigned int sub_auths[MAXSUBAUTHS]; |
---|
427 | } sid_t; |
---|
428 | |
---|
429 | typedef struct ace_struct_s { |
---|
430 | unsigned char type, flags; |
---|
431 | unsigned int perms; /* Perhaps a better def is in order */ |
---|
432 | sid_t *trustee; |
---|
433 | } ACE; |
---|
434 | |
---|
435 | typedef struct acl_struct_s { |
---|
436 | unsigned short rev, refcnt; |
---|
437 | unsigned short num_aces; |
---|
438 | ACE *aces[1]; |
---|
439 | } ACL; |
---|
440 | |
---|
441 | typedef struct sec_desc_s { |
---|
442 | unsigned int rev, type; |
---|
443 | sid_t *owner, *group; |
---|
444 | ACL *sacl, *dacl; |
---|
445 | } SEC_DESC; |
---|
446 | |
---|
447 | #define SEC_DESC_NON 0 |
---|
448 | #define SEC_DESC_RES 1 |
---|
449 | #define SEC_DESC_OCU 2 |
---|
450 | #define SEC_DESC_NBK 3 |
---|
451 | typedef struct sk_struct SK_HDR; |
---|
452 | struct key_sec_desc_s { |
---|
453 | struct key_sec_desc_s *prev, *next; |
---|
454 | int ref_cnt; |
---|
455 | int state; |
---|
456 | int offset; |
---|
457 | SK_HDR *sk_hdr; /* This means we must keep the registry in memory */ |
---|
458 | SEC_DESC *sec_desc; |
---|
459 | }; |
---|
460 | |
---|
461 | /* |
---|
462 | * All of the structures below actually have a four-byte length before them |
---|
463 | * which always seems to be negative. The following macro retrieves that |
---|
464 | * size as an integer |
---|
465 | */ |
---|
466 | |
---|
467 | #define BLK_SIZE(b) ((int)*(int *)(((int *)b)-1)) |
---|
468 | |
---|
469 | typedef unsigned int DWORD; |
---|
470 | typedef unsigned short WORD; |
---|
471 | |
---|
472 | #define REG_REGF_ID 0x66676572 |
---|
473 | |
---|
474 | typedef struct regf_block { |
---|
475 | DWORD REGF_ID; /* regf */ |
---|
476 | DWORD uk1; |
---|
477 | DWORD uk2; |
---|
478 | DWORD tim1, tim2; |
---|
479 | DWORD uk3; /* 1 */ |
---|
480 | DWORD uk4; /* 3 */ |
---|
481 | DWORD uk5; /* 0 */ |
---|
482 | DWORD uk6; /* 1 */ |
---|
483 | DWORD first_key; /* offset */ |
---|
484 | unsigned int dblk_size; |
---|
485 | DWORD uk7[116]; /* 1 */ |
---|
486 | DWORD chksum; |
---|
487 | } REGF_HDR; |
---|
488 | |
---|
489 | typedef struct hbin_sub_struct { |
---|
490 | DWORD dblocksize; |
---|
491 | char data[1]; |
---|
492 | } HBIN_SUB_HDR; |
---|
493 | |
---|
494 | #define REG_HBIN_ID 0x6E696268 |
---|
495 | |
---|
496 | typedef struct hbin_struct { |
---|
497 | DWORD HBIN_ID; /* hbin */ |
---|
498 | DWORD off_from_first; |
---|
499 | DWORD off_to_next; |
---|
500 | DWORD uk1; |
---|
501 | DWORD uk2; |
---|
502 | DWORD uk3; |
---|
503 | DWORD uk4; |
---|
504 | DWORD blk_size; |
---|
505 | HBIN_SUB_HDR hbin_sub_hdr; |
---|
506 | } HBIN_HDR; |
---|
507 | |
---|
508 | #define REG_NK_ID 0x6B6E |
---|
509 | |
---|
510 | typedef struct nk_struct { |
---|
511 | WORD NK_ID; |
---|
512 | WORD type; |
---|
513 | DWORD t1, t2; |
---|
514 | DWORD uk1; |
---|
515 | DWORD own_off; |
---|
516 | DWORD subk_num; |
---|
517 | DWORD uk2; |
---|
518 | DWORD lf_off; |
---|
519 | DWORD uk3; |
---|
520 | DWORD val_cnt; |
---|
521 | DWORD val_off; |
---|
522 | DWORD sk_off; |
---|
523 | DWORD clsnam_off; |
---|
524 | DWORD unk4[4]; |
---|
525 | DWORD unk5; |
---|
526 | WORD nam_len; |
---|
527 | WORD clsnam_len; |
---|
528 | char key_nam[1]; /* Actual length determined by nam_len */ |
---|
529 | } NK_HDR; |
---|
530 | |
---|
531 | #define REG_SK_ID 0x6B73 |
---|
532 | |
---|
533 | struct sk_struct { |
---|
534 | WORD SK_ID; |
---|
535 | WORD uk1; |
---|
536 | DWORD prev_off; |
---|
537 | DWORD next_off; |
---|
538 | DWORD ref_cnt; |
---|
539 | DWORD rec_size; |
---|
540 | char sec_desc[1]; |
---|
541 | }; |
---|
542 | |
---|
543 | typedef struct ace_struct { |
---|
544 | unsigned char type; |
---|
545 | unsigned char flags; |
---|
546 | unsigned short length; |
---|
547 | unsigned int perms; |
---|
548 | sid_t trustee; |
---|
549 | } REG_ACE; |
---|
550 | |
---|
551 | typedef struct acl_struct { |
---|
552 | WORD rev; |
---|
553 | WORD size; |
---|
554 | DWORD num_aces; |
---|
555 | REG_ACE *aces; /* One or more ACEs */ |
---|
556 | } REG_ACL; |
---|
557 | |
---|
558 | typedef struct sec_desc_rec { |
---|
559 | WORD rev; |
---|
560 | WORD type; |
---|
561 | DWORD owner_off; |
---|
562 | DWORD group_off; |
---|
563 | DWORD sacl_off; |
---|
564 | DWORD dacl_off; |
---|
565 | } REG_SEC_DESC; |
---|
566 | |
---|
567 | typedef struct hash_struct { |
---|
568 | DWORD nk_off; |
---|
569 | char hash[4]; |
---|
570 | } HASH_REC; |
---|
571 | |
---|
572 | #define REG_LF_ID 0x666C |
---|
573 | |
---|
574 | typedef struct lf_struct { |
---|
575 | WORD LF_ID; |
---|
576 | WORD key_count; |
---|
577 | struct hash_struct hr[1]; /* Array of hash records, depending on key_count */ |
---|
578 | } LF_HDR; |
---|
579 | |
---|
580 | typedef DWORD VL_TYPE[1]; /* Value list is an array of vk rec offsets */ |
---|
581 | |
---|
582 | #define REG_VK_ID 0x6B76 |
---|
583 | |
---|
584 | typedef struct vk_struct { |
---|
585 | WORD VK_ID; |
---|
586 | WORD nam_len; |
---|
587 | DWORD dat_len; /* If top-bit set, offset contains the data */ |
---|
588 | DWORD dat_off; |
---|
589 | DWORD dat_type; |
---|
590 | WORD flag; /* =1, has name, else no name (=Default). */ |
---|
591 | WORD unk1; |
---|
592 | char dat_name[1]; /* Name starts here ... */ |
---|
593 | } VK_HDR; |
---|
594 | |
---|
595 | #define REG_TYPE_DELETE -1 |
---|
596 | #define REG_TYPE_NONE 0 |
---|
597 | #define REG_TYPE_REGSZ 1 |
---|
598 | #define REG_TYPE_EXPANDSZ 2 |
---|
599 | #define REG_TYPE_BIN 3 |
---|
600 | #define REG_TYPE_DWORD 4 |
---|
601 | #define REG_TYPE_MULTISZ 7 |
---|
602 | |
---|
603 | typedef struct _val_str { |
---|
604 | unsigned int val; |
---|
605 | const char * str; |
---|
606 | } VAL_STR; |
---|
607 | |
---|
608 | /* A map of sk offsets in the regf to KEY_SEC_DESCs for quick lookup etc */ |
---|
609 | typedef struct sk_map_s { |
---|
610 | int sk_off; |
---|
611 | KEY_SEC_DESC *key_sec_desc; |
---|
612 | } SK_MAP; |
---|
613 | |
---|
614 | /* |
---|
615 | * This structure keeps track of the output format of the registry |
---|
616 | */ |
---|
617 | #define REG_OUTBLK_HDR 1 |
---|
618 | #define REG_OUTBLK_HBIN 2 |
---|
619 | |
---|
620 | typedef struct hbin_blk_s { |
---|
621 | int type, size; |
---|
622 | struct hbin_blk_s *next; |
---|
623 | char *data; /* The data block */ |
---|
624 | unsigned int file_offset; /* Offset in file */ |
---|
625 | unsigned int free_space; /* Amount of free space in block */ |
---|
626 | unsigned int fsp_off; /* Start of free space in block */ |
---|
627 | int complete, stored; |
---|
628 | } HBIN_BLK; |
---|
629 | |
---|
630 | /* |
---|
631 | * This structure keeps all the registry stuff in one place |
---|
632 | */ |
---|
633 | typedef struct regf_struct_s { |
---|
634 | int reg_type; |
---|
635 | char *regfile_name, *outfile_name; |
---|
636 | int fd; |
---|
637 | struct stat sbuf; |
---|
638 | char *base; |
---|
639 | int modified; |
---|
640 | NTTIME last_mod_time; |
---|
641 | REG_KEY *root; /* Root of the tree for this file */ |
---|
642 | int sk_count, sk_map_size; |
---|
643 | SK_MAP *sk_map; |
---|
644 | const char *owner_sid_str; |
---|
645 | SEC_DESC *def_sec_desc; |
---|
646 | /* |
---|
647 | * These next pointers point to the blocks used to contain the |
---|
648 | * keys when we are preparing to write them to a file |
---|
649 | */ |
---|
650 | HBIN_BLK *blk_head, *blk_tail, *free_space; |
---|
651 | } REGF; |
---|
652 | |
---|
653 | |
---|
654 | /* Function prototypes */ |
---|
655 | |
---|
656 | static int nt_val_list_iterator(REGF *regf, REG_KEY *key_tree, int bf, |
---|
657 | char *path, int terminal, |
---|
658 | const char* filter_prefix); |
---|
659 | static int nt_key_iterator(REGF *regf, REG_KEY *key_tree, int bf, |
---|
660 | const char *path, const char* filter_prefix); |
---|
661 | static REG_KEY *nt_find_key_by_name(REG_KEY *tree, char *key); |
---|
662 | static int print_key(const char *path, char *name, char *class_name, int root, |
---|
663 | int terminal, int vals, char* newline); |
---|
664 | static int print_val(const char *path, char *val_name, int val_type, |
---|
665 | int data_len, void *data_blk, int terminal, int first, |
---|
666 | int last); |
---|
667 | |
---|
668 | static |
---|
669 | int print_sec(SEC_DESC *sec_desc); |
---|
670 | |
---|
671 | unsigned int str_is_prefix(const char* p, const char* s) |
---|
672 | { |
---|
673 | const char* cp; |
---|
674 | const char* cs; |
---|
675 | |
---|
676 | cs = s; |
---|
677 | for(cp=p; (*cp) != '\0'; cp++) |
---|
678 | { |
---|
679 | if((*cp)!=(*cs)) |
---|
680 | return 0; |
---|
681 | cs++; |
---|
682 | } |
---|
683 | |
---|
684 | return 1; |
---|
685 | } |
---|
686 | |
---|
687 | |
---|
688 | /* |
---|
689 | * Iterate over the keys, depth first, calling a function for each key |
---|
690 | * and indicating if it is terminal or non-terminal and if it has values. |
---|
691 | * |
---|
692 | * In addition, for each value in the list, call a value list function |
---|
693 | */ |
---|
694 | |
---|
695 | static |
---|
696 | int nt_val_list_iterator(REGF *regf, REG_KEY *key_tree, int bf, char *path, |
---|
697 | int terminal, const char* filter_prefix) |
---|
698 | { |
---|
699 | int i; |
---|
700 | VAL_LIST* val_list = key_tree->values; |
---|
701 | |
---|
702 | if (str_is_prefix(filter_prefix, path)) |
---|
703 | { |
---|
704 | for (i=0; i<val_list->val_count; i++) |
---|
705 | { |
---|
706 | /*XXX: print_key() is doing nothing right now, can probably be removed. */ |
---|
707 | if (!print_key(path, key_tree->name, |
---|
708 | key_tree->class_name, |
---|
709 | (key_tree->type == REG_ROOT_KEY), |
---|
710 | (key_tree->sub_keys == NULL), |
---|
711 | (key_tree->values?(key_tree->values->val_count):0), |
---|
712 | "\n") || |
---|
713 | !print_val(path, val_list->vals[i]->name,val_list->vals[i]->data_type, |
---|
714 | val_list->vals[i]->data_len, val_list->vals[i]->data_blk, |
---|
715 | terminal, |
---|
716 | (i == 0), |
---|
717 | (i == val_list->val_count))) |
---|
718 | { return 0; } |
---|
719 | } |
---|
720 | } |
---|
721 | |
---|
722 | return 1; |
---|
723 | } |
---|
724 | |
---|
725 | static |
---|
726 | int nt_key_list_iterator(REGF *regf, KEY_LIST *key_list, int bf, |
---|
727 | const char *path, const char* filter_prefix) |
---|
728 | { |
---|
729 | int i; |
---|
730 | |
---|
731 | if (!key_list) |
---|
732 | return 1; |
---|
733 | |
---|
734 | for (i=0; i < key_list->key_count; i++) |
---|
735 | { |
---|
736 | if (!nt_key_iterator(regf, key_list->keys[i], bf, path, filter_prefix)) |
---|
737 | return 0; |
---|
738 | } |
---|
739 | return 1; |
---|
740 | } |
---|
741 | |
---|
742 | static |
---|
743 | int nt_key_iterator(REGF *regf, REG_KEY *key_tree, int bf, |
---|
744 | const char *path, const char* filter_prefix) |
---|
745 | { |
---|
746 | int path_len = strlen(path); |
---|
747 | char *new_path; |
---|
748 | |
---|
749 | if (!regf || !key_tree) |
---|
750 | return -1; |
---|
751 | |
---|
752 | /* List the key first, then the values, then the sub-keys */ |
---|
753 | /*printf("filter_prefix: %s, path: %s\n", filter_prefix, path);*/ |
---|
754 | if (str_is_prefix(filter_prefix, path)) |
---|
755 | { |
---|
756 | /*XXX: print_key() is doing nothing right now, can probably be removed. */ |
---|
757 | if (!print_key(path, key_tree->name, |
---|
758 | key_tree->class_name, |
---|
759 | (key_tree->type == REG_ROOT_KEY), |
---|
760 | (key_tree->sub_keys == NULL), |
---|
761 | (key_tree->values?(key_tree->values->val_count):0), |
---|
762 | "\n")) |
---|
763 | { return 0; } |
---|
764 | |
---|
765 | /* |
---|
766 | * If we have a security print routine, call it |
---|
767 | * If the security print routine returns false, stop. |
---|
768 | */ |
---|
769 | if (key_tree->security && !print_sec(key_tree->security->sec_desc)) |
---|
770 | return 0; |
---|
771 | } |
---|
772 | |
---|
773 | new_path = (char *)malloc(path_len + 1 + strlen(key_tree->name) + 1); |
---|
774 | if (!new_path) |
---|
775 | return 0; /* Errors? */ |
---|
776 | new_path[0] = '\0'; |
---|
777 | strcat(new_path, path); |
---|
778 | strcat(new_path, key_tree->name); |
---|
779 | strcat(new_path, "\\"); |
---|
780 | |
---|
781 | /* |
---|
782 | * Now, iterate through the values in the val_list |
---|
783 | */ |
---|
784 | if (key_tree->values && |
---|
785 | !nt_val_list_iterator(regf, key_tree, bf, new_path, |
---|
786 | (key_tree->values!=NULL), filter_prefix)) |
---|
787 | { |
---|
788 | free(new_path); |
---|
789 | return 0; |
---|
790 | } |
---|
791 | |
---|
792 | /* |
---|
793 | * Now, iterate through the keys in the key list |
---|
794 | */ |
---|
795 | if (key_tree->sub_keys && |
---|
796 | !nt_key_list_iterator(regf, key_tree->sub_keys, bf, |
---|
797 | new_path, filter_prefix)) |
---|
798 | { |
---|
799 | free(new_path); |
---|
800 | return 0; |
---|
801 | } |
---|
802 | |
---|
803 | free(new_path); |
---|
804 | return 1; |
---|
805 | } |
---|
806 | |
---|
807 | |
---|
808 | /* |
---|
809 | * Find key by name in a list ... |
---|
810 | * Take the first component and search for that in the list |
---|
811 | */ |
---|
812 | static |
---|
813 | REG_KEY *nt_find_key_in_list_by_name(KEY_LIST *list, char *key) |
---|
814 | { |
---|
815 | int i; |
---|
816 | REG_KEY *res = NULL; |
---|
817 | |
---|
818 | if (!list || !key || !*key) return NULL; |
---|
819 | |
---|
820 | for (i = 0; i < list->key_count; i++) |
---|
821 | if ((res = nt_find_key_by_name(list->keys[i], key))) |
---|
822 | return res; |
---|
823 | |
---|
824 | return NULL; |
---|
825 | } |
---|
826 | |
---|
827 | |
---|
828 | /* |
---|
829 | * Find key by name in a tree ... We will assume absolute names here, but we |
---|
830 | * need the root of the tree ... |
---|
831 | */ |
---|
832 | static REG_KEY* nt_find_key_by_name(REG_KEY* tree, char* key) |
---|
833 | { |
---|
834 | char* lname = NULL; |
---|
835 | char* c1; |
---|
836 | char* c2; |
---|
837 | REG_KEY* tmp; |
---|
838 | |
---|
839 | if (!tree || !key || !*key) |
---|
840 | return NULL; |
---|
841 | |
---|
842 | lname = strdup(key); |
---|
843 | if (!lname) |
---|
844 | return NULL; |
---|
845 | |
---|
846 | /* |
---|
847 | * Make sure that the first component is correct ... |
---|
848 | */ |
---|
849 | c1 = lname; |
---|
850 | c2 = strchr(c1, '\\'); |
---|
851 | if (c2) |
---|
852 | { /* Split here ... */ |
---|
853 | *c2 = 0; |
---|
854 | c2++; |
---|
855 | } |
---|
856 | |
---|
857 | if (strcmp(c1, tree->name) != 0) |
---|
858 | { |
---|
859 | if (lname) |
---|
860 | free(lname); |
---|
861 | return NULL; |
---|
862 | } |
---|
863 | |
---|
864 | if (c2) |
---|
865 | { |
---|
866 | tmp = nt_find_key_in_list_by_name(tree->sub_keys, c2); |
---|
867 | free(lname); |
---|
868 | return tmp; |
---|
869 | } |
---|
870 | else |
---|
871 | { |
---|
872 | if (lname) |
---|
873 | free(lname); |
---|
874 | return tree; |
---|
875 | } |
---|
876 | |
---|
877 | return NULL; |
---|
878 | } |
---|
879 | |
---|
880 | /* Make, delete keys */ |
---|
881 | static |
---|
882 | int nt_delete_val_key(VAL_KEY *val_key) |
---|
883 | { |
---|
884 | |
---|
885 | if (val_key) { |
---|
886 | if (val_key->name) free(val_key->name); |
---|
887 | if (val_key->data_blk) free(val_key->data_blk); |
---|
888 | free(val_key); |
---|
889 | }; |
---|
890 | return 1; |
---|
891 | } |
---|
892 | |
---|
893 | |
---|
894 | /* |
---|
895 | * Add a key to the tree ... We walk down the components matching until |
---|
896 | * we don't find any. There must be a match on the first component ... |
---|
897 | * We return the key structure for the final component as that is |
---|
898 | * often where we want to add values ... |
---|
899 | */ |
---|
900 | |
---|
901 | /* |
---|
902 | * Convert a string of the form S-1-5-x[-y-z-r] to a SID |
---|
903 | */ |
---|
904 | /* MIGHT COME IN HANDY LATER. |
---|
905 | static |
---|
906 | int sid_string_to_sid(sid_t **sid, const char *sid_str) |
---|
907 | { |
---|
908 | int i = 0; |
---|
909 | unsigned int auth; |
---|
910 | const char *lstr; |
---|
911 | |
---|
912 | *sid = (sid_t *)malloc(sizeof(sid_t)); |
---|
913 | if (!*sid) return 0; |
---|
914 | |
---|
915 | memset(*sid, 0, sizeof(sid_t)); |
---|
916 | |
---|
917 | if (strncmp(sid_str, "S-1-5", 5)) { |
---|
918 | fprintf(stderr, "Does not conform to S-1-5...: %s\n", sid_str); |
---|
919 | return 0; |
---|
920 | } |
---|
921 | |
---|
922 | //We only allow strings of form S-1-5... |
---|
923 | |
---|
924 | (*sid)->ver = 1; |
---|
925 | (*sid)->auth[5] = 5; |
---|
926 | |
---|
927 | lstr = sid_str + 5; |
---|
928 | |
---|
929 | while (1) |
---|
930 | { |
---|
931 | if (!lstr || !lstr[0] || sscanf(lstr, "-%u", &auth) == 0) |
---|
932 | { |
---|
933 | if (i < 1) |
---|
934 | { |
---|
935 | fprintf(stderr, "Not of form -d-d...: %s, %u\n", lstr, i); |
---|
936 | return 0; |
---|
937 | } |
---|
938 | (*sid)->auths=i; |
---|
939 | return 1; |
---|
940 | } |
---|
941 | |
---|
942 | (*sid)->sub_auths[i] = auth; |
---|
943 | i++; |
---|
944 | lstr = strchr(lstr + 1, '-'); |
---|
945 | } |
---|
946 | |
---|
947 | return 1; |
---|
948 | } |
---|
949 | */ |
---|
950 | |
---|
951 | |
---|
952 | /* |
---|
953 | * We will implement inheritence that is based on what the parent's SEC_DESC |
---|
954 | * says, but the Owner and Group SIDs can be overwridden from the command line |
---|
955 | * and additional ACEs can be applied from the command line etc. |
---|
956 | */ |
---|
957 | static |
---|
958 | KEY_SEC_DESC *nt_inherit_security(REG_KEY *key) |
---|
959 | { |
---|
960 | |
---|
961 | if (!key) return NULL; |
---|
962 | return key->security; |
---|
963 | } |
---|
964 | |
---|
965 | /* |
---|
966 | * Add a sub-key |
---|
967 | */ |
---|
968 | static |
---|
969 | REG_KEY *nt_add_reg_key_list(REGF *regf, REG_KEY *key, char * name, int create) |
---|
970 | { |
---|
971 | int i; |
---|
972 | REG_KEY *ret = NULL, *tmp = NULL; |
---|
973 | KEY_LIST *list; |
---|
974 | char *lname, *c1, *c2; |
---|
975 | |
---|
976 | if (!key || !name || !*name) return NULL; |
---|
977 | |
---|
978 | list = key->sub_keys; |
---|
979 | if (!list) { /* Create an empty list */ |
---|
980 | |
---|
981 | list = (KEY_LIST *)malloc(sizeof(KEY_LIST) + (REG_KEY_LIST_SIZE - 1) * sizeof(REG_KEY *)); |
---|
982 | list->key_count = 0; |
---|
983 | list->max_keys = REG_KEY_LIST_SIZE; |
---|
984 | |
---|
985 | } |
---|
986 | |
---|
987 | lname = strdup(name); |
---|
988 | if (!lname) return NULL; |
---|
989 | |
---|
990 | c1 = lname; |
---|
991 | c2 = strchr(c1, '\\'); |
---|
992 | if (c2) { /* Split here ... */ |
---|
993 | *c2 = 0; |
---|
994 | c2++; |
---|
995 | } |
---|
996 | |
---|
997 | for (i = 0; i < list->key_count; i++) { |
---|
998 | if (strcmp(list->keys[i]->name, c1) == 0) { |
---|
999 | ret = nt_add_reg_key_list(regf, list->keys[i], c2, create); |
---|
1000 | free(lname); |
---|
1001 | return ret; |
---|
1002 | } |
---|
1003 | } |
---|
1004 | |
---|
1005 | /* |
---|
1006 | * If we reach here we could not find the the first component |
---|
1007 | * so create it ... |
---|
1008 | */ |
---|
1009 | |
---|
1010 | if (list->key_count < list->max_keys){ |
---|
1011 | list->key_count++; |
---|
1012 | } |
---|
1013 | else { /* Create more space in the list ... */ |
---|
1014 | if (!(list = (KEY_LIST *)realloc(list, sizeof(KEY_LIST) + |
---|
1015 | (list->max_keys + REG_KEY_LIST_SIZE - 1) |
---|
1016 | * sizeof(REG_KEY *)))) |
---|
1017 | goto error; |
---|
1018 | |
---|
1019 | list->max_keys += REG_KEY_LIST_SIZE; |
---|
1020 | list->key_count++; |
---|
1021 | } |
---|
1022 | |
---|
1023 | /* |
---|
1024 | * add the new key at the new slot |
---|
1025 | * FIXME: Sort the list someday |
---|
1026 | */ |
---|
1027 | |
---|
1028 | /* |
---|
1029 | * We want to create the key, and then do the rest |
---|
1030 | */ |
---|
1031 | |
---|
1032 | tmp = (REG_KEY *)malloc(sizeof(REG_KEY)); |
---|
1033 | |
---|
1034 | memset(tmp, 0, sizeof(REG_KEY)); |
---|
1035 | |
---|
1036 | tmp->name = strdup(c1); |
---|
1037 | if (!tmp->name) goto error; |
---|
1038 | tmp->owner = key; |
---|
1039 | tmp->type = REG_SUB_KEY; |
---|
1040 | /* |
---|
1041 | * Next, pull security from the parent, but override with |
---|
1042 | * anything passed in on the command line |
---|
1043 | */ |
---|
1044 | tmp->security = nt_inherit_security(key); |
---|
1045 | |
---|
1046 | list->keys[list->key_count - 1] = tmp; |
---|
1047 | |
---|
1048 | if (c2) { |
---|
1049 | ret = nt_add_reg_key_list(regf, key, c2, True); |
---|
1050 | } |
---|
1051 | |
---|
1052 | if (lname) free(lname); |
---|
1053 | |
---|
1054 | return ret; |
---|
1055 | |
---|
1056 | error: |
---|
1057 | if (tmp) free(tmp); |
---|
1058 | if (lname) free(lname); |
---|
1059 | return NULL; |
---|
1060 | } |
---|
1061 | |
---|
1062 | |
---|
1063 | /* |
---|
1064 | * Load and unload a registry file. |
---|
1065 | * |
---|
1066 | * Load, loads it into memory as a tree, while unload sealizes/flattens it |
---|
1067 | */ |
---|
1068 | |
---|
1069 | /* |
---|
1070 | * Get the starting record for NT Registry file |
---|
1071 | */ |
---|
1072 | |
---|
1073 | /* |
---|
1074 | * Where we keep all the regf stuff for one registry. |
---|
1075 | * This is the structure that we use to tie the in memory tree etc |
---|
1076 | * together. By keeping separate structs, we can operate on different |
---|
1077 | * registries at the same time. |
---|
1078 | * Currently, the SK_MAP is an array of mapping structure. |
---|
1079 | * Since we only need this on input and output, we fill in the structure |
---|
1080 | * as we go on input. On output, we know how many SK items we have, so |
---|
1081 | * we can allocate the structure as we need to. |
---|
1082 | * If you add stuff here that is dynamically allocated, add the |
---|
1083 | * appropriate free statements below. |
---|
1084 | */ |
---|
1085 | |
---|
1086 | #define REGF_REGTYPE_NONE 0 |
---|
1087 | #define REGF_REGTYPE_NT 1 |
---|
1088 | #define REGF_REGTYPE_W9X 2 |
---|
1089 | |
---|
1090 | #define TTTONTTIME(r, t1, t2) (r)->last_mod_time.low = (t1); \ |
---|
1091 | (r)->last_mod_time.high = (t2); |
---|
1092 | |
---|
1093 | #define REGF_HDR_BLKSIZ 0x1000 |
---|
1094 | |
---|
1095 | #define OFF(f) ((f) + REGF_HDR_BLKSIZ + 4) |
---|
1096 | #define LOCN(base, f) ((base) + OFF(f)) |
---|
1097 | |
---|
1098 | const VAL_STR reg_type_names[] = { |
---|
1099 | { REG_TYPE_REGSZ, "REG_SZ" }, |
---|
1100 | { REG_TYPE_EXPANDSZ, "REG_EXPAND_SZ" }, |
---|
1101 | { REG_TYPE_BIN, "REG_BIN" }, |
---|
1102 | { REG_TYPE_DWORD, "REG_DWORD" }, |
---|
1103 | { REG_TYPE_MULTISZ, "REG_MULTI_SZ" }, |
---|
1104 | { 0, NULL }, |
---|
1105 | }; |
---|
1106 | |
---|
1107 | static |
---|
1108 | const char *val_to_str(unsigned int val, const VAL_STR *val_array) |
---|
1109 | { |
---|
1110 | int i = 0; |
---|
1111 | |
---|
1112 | if (!val_array) return NULL; |
---|
1113 | |
---|
1114 | while (val_array[i].val && val_array[i].str) { |
---|
1115 | |
---|
1116 | if (val_array[i].val == val) return val_array[i].str; |
---|
1117 | i++; |
---|
1118 | |
---|
1119 | } |
---|
1120 | |
---|
1121 | return NULL; |
---|
1122 | |
---|
1123 | } |
---|
1124 | |
---|
1125 | /* |
---|
1126 | * Convert from UniCode to Ascii ... Does not take into account other lang |
---|
1127 | * Restrict by ascii_max if > 0 |
---|
1128 | */ |
---|
1129 | static |
---|
1130 | int uni_to_ascii(unsigned char *uni, unsigned char *ascii, int ascii_max, |
---|
1131 | int uni_max) |
---|
1132 | { |
---|
1133 | int i = 0; |
---|
1134 | |
---|
1135 | while (i < ascii_max && (uni[i*2] || uni[i*2+1])) |
---|
1136 | { |
---|
1137 | if (uni_max > 0 && (i*2) >= uni_max) break; |
---|
1138 | ascii[i] = uni[i*2]; |
---|
1139 | i++; |
---|
1140 | } |
---|
1141 | ascii[i] = '\0'; |
---|
1142 | |
---|
1143 | return i; |
---|
1144 | } |
---|
1145 | |
---|
1146 | /* |
---|
1147 | * Convert a data value to a string for display |
---|
1148 | */ |
---|
1149 | static |
---|
1150 | unsigned char* data_to_ascii(unsigned char *datap, int len, int type) |
---|
1151 | { |
---|
1152 | unsigned char *asciip; |
---|
1153 | unsigned int i; |
---|
1154 | unsigned short num_nulls; |
---|
1155 | unsigned char* ascii; |
---|
1156 | unsigned int ascii_max; |
---|
1157 | int str_rem; |
---|
1158 | |
---|
1159 | switch (type) |
---|
1160 | { |
---|
1161 | case REG_TYPE_REGSZ: |
---|
1162 | if (verbose) |
---|
1163 | fprintf(stderr, "Len: %d\n", len); |
---|
1164 | |
---|
1165 | ascii_max = sizeof(char)*len; |
---|
1166 | ascii = malloc(ascii_max+4); |
---|
1167 | if(ascii == NULL) |
---|
1168 | return NULL; |
---|
1169 | |
---|
1170 | /* FIXME. This has to be fixed. It has to be UNICODE */ |
---|
1171 | uni_to_ascii(datap, ascii, len, ascii_max); |
---|
1172 | return ascii; |
---|
1173 | break; |
---|
1174 | |
---|
1175 | case REG_TYPE_EXPANDSZ: |
---|
1176 | ascii_max = sizeof(char)*len; |
---|
1177 | ascii = malloc(ascii_max+2); |
---|
1178 | if(ascii == NULL) |
---|
1179 | return NULL; |
---|
1180 | |
---|
1181 | uni_to_ascii(datap, ascii, len, ascii_max); |
---|
1182 | return ascii; |
---|
1183 | break; |
---|
1184 | |
---|
1185 | case REG_TYPE_BIN: |
---|
1186 | ascii_max = sizeof(char)*len*3; |
---|
1187 | ascii = malloc(ascii_max+4); |
---|
1188 | if(ascii == NULL) |
---|
1189 | return NULL; |
---|
1190 | |
---|
1191 | asciip = ascii; |
---|
1192 | for (i=0; (i<len)&&(i+1)*3<ascii_max; i++) { |
---|
1193 | int str_rem = ascii_max - ((int)asciip - (int)ascii); |
---|
1194 | asciip += snprintf((char*)asciip, str_rem, "%02x", |
---|
1195 | *(unsigned char *)(datap+i)); |
---|
1196 | if (i < len && str_rem > 0) |
---|
1197 | *asciip = ' '; asciip++; |
---|
1198 | } |
---|
1199 | *asciip = '\0'; |
---|
1200 | return ascii; |
---|
1201 | break; |
---|
1202 | |
---|
1203 | case REG_TYPE_DWORD: |
---|
1204 | ascii_max = sizeof(char)*10; |
---|
1205 | ascii = malloc(ascii_max+1); |
---|
1206 | if(ascii == NULL) |
---|
1207 | return NULL; |
---|
1208 | |
---|
1209 | if (*(int *)datap == 0) |
---|
1210 | snprintf((char*)ascii, ascii_max, "0"); |
---|
1211 | else |
---|
1212 | snprintf((char*)ascii, ascii_max, "0x%x", *(int *)datap); |
---|
1213 | return ascii; |
---|
1214 | break; |
---|
1215 | |
---|
1216 | case REG_TYPE_MULTISZ: |
---|
1217 | ascii_max = sizeof(char)*len*4; |
---|
1218 | ascii = malloc(ascii_max+4); |
---|
1219 | if(ascii == NULL) |
---|
1220 | return NULL; |
---|
1221 | |
---|
1222 | /* Reads until it reaches 4 consecutive NULLs, |
---|
1223 | * which is two nulls in unicode, or until it reaches len, or until we |
---|
1224 | * run out of buffer. The latter should never happen, but we shouldn't |
---|
1225 | * trust our file to have the right lengths/delimiters. |
---|
1226 | */ |
---|
1227 | asciip = ascii; |
---|
1228 | num_nulls = 0; |
---|
1229 | str_rem = ascii_max; |
---|
1230 | for(i=0; (i < len) && (num_nulls < 4) && str_rem > 0; i++) |
---|
1231 | { |
---|
1232 | asciip += snprintf((char*)asciip, str_rem, "%02x ", |
---|
1233 | *(unsigned char *)(datap+i)); |
---|
1234 | str_rem -= 3; |
---|
1235 | if(*(datap+i) == 0) |
---|
1236 | num_nulls++; |
---|
1237 | else |
---|
1238 | num_nulls = 0; |
---|
1239 | } |
---|
1240 | *asciip = '\0'; |
---|
1241 | return ascii; |
---|
1242 | break; |
---|
1243 | |
---|
1244 | default: |
---|
1245 | return NULL; |
---|
1246 | break; |
---|
1247 | } |
---|
1248 | |
---|
1249 | return NULL; |
---|
1250 | } |
---|
1251 | |
---|
1252 | static |
---|
1253 | REG_KEY *nt_get_key_tree(REGF *regf, NK_HDR *nk_hdr, int size, REG_KEY *parent); |
---|
1254 | |
---|
1255 | static |
---|
1256 | int nt_set_regf_input_file(REGF *regf, char *filename) |
---|
1257 | { |
---|
1258 | return ((regf->regfile_name = strdup(filename)) != NULL); |
---|
1259 | } |
---|
1260 | |
---|
1261 | |
---|
1262 | /* Create a regf structure and init it */ |
---|
1263 | |
---|
1264 | static |
---|
1265 | REGF *nt_create_regf(void) |
---|
1266 | { |
---|
1267 | REGF *tmp = (REGF *)malloc(sizeof(REGF)); |
---|
1268 | if (!tmp) return tmp; |
---|
1269 | memset(tmp, 0, sizeof(REGF)); |
---|
1270 | tmp->owner_sid_str = def_owner_sid_str; |
---|
1271 | return tmp; |
---|
1272 | } |
---|
1273 | |
---|
1274 | |
---|
1275 | /* Get the header of the registry. Return a pointer to the structure |
---|
1276 | * If the mmap'd area has not been allocated, then mmap the input file |
---|
1277 | */ |
---|
1278 | static |
---|
1279 | REGF_HDR *nt_get_regf_hdr(REGF *regf) |
---|
1280 | { |
---|
1281 | if (!regf) |
---|
1282 | return NULL; /* What about errors */ |
---|
1283 | |
---|
1284 | if (!regf->regfile_name) |
---|
1285 | return NULL; /* What about errors */ |
---|
1286 | |
---|
1287 | if (!regf->base) { /* Try to mmap etc the file */ |
---|
1288 | |
---|
1289 | if ((regf->fd = open(regf->regfile_name, O_RDONLY, 0000)) <0) { |
---|
1290 | return NULL; /* What about errors? */ |
---|
1291 | } |
---|
1292 | |
---|
1293 | if (fstat(regf->fd, ®f->sbuf) < 0) { |
---|
1294 | return NULL; |
---|
1295 | } |
---|
1296 | |
---|
1297 | regf->base = mmap(0, regf->sbuf.st_size, PROT_READ, MAP_SHARED, regf->fd, 0); |
---|
1298 | |
---|
1299 | if ((int)regf->base == 1) { |
---|
1300 | fprintf(stderr, "Could not mmap file: %s, %s\n", regf->regfile_name, |
---|
1301 | strerror(errno)); |
---|
1302 | return NULL; |
---|
1303 | } |
---|
1304 | } |
---|
1305 | |
---|
1306 | /* |
---|
1307 | * At this point, regf->base != NULL, and we should be able to read the |
---|
1308 | * header |
---|
1309 | */ |
---|
1310 | |
---|
1311 | assert(regf->base != NULL); |
---|
1312 | |
---|
1313 | return (REGF_HDR *)regf->base; |
---|
1314 | } |
---|
1315 | |
---|
1316 | /* |
---|
1317 | * Validate a regf header |
---|
1318 | * For now, do nothing, but we should check the checksum |
---|
1319 | */ |
---|
1320 | static |
---|
1321 | int valid_regf_hdr(REGF_HDR *regf_hdr) |
---|
1322 | { |
---|
1323 | if (!regf_hdr) return 0; |
---|
1324 | |
---|
1325 | return 1; |
---|
1326 | } |
---|
1327 | |
---|
1328 | /* |
---|
1329 | * Process an SK header ... |
---|
1330 | * Every time we see a new one, add it to the map. Otherwise, just look it up. |
---|
1331 | * We will do a simple linear search for the moment, since many KEYs have the |
---|
1332 | * same security descriptor. |
---|
1333 | * We allocate the map in increments of 10 entries. |
---|
1334 | */ |
---|
1335 | |
---|
1336 | /* |
---|
1337 | * Create a new entry in the map, and increase the size of the map if needed |
---|
1338 | */ |
---|
1339 | static |
---|
1340 | SK_MAP *alloc_sk_map_entry(REGF *regf, KEY_SEC_DESC *tmp, int sk_off) |
---|
1341 | { |
---|
1342 | if (!regf->sk_map) { /* Allocate a block of 10 */ |
---|
1343 | regf->sk_map = (SK_MAP *)malloc(sizeof(SK_MAP) * 10); |
---|
1344 | if (!regf->sk_map) { |
---|
1345 | free(tmp); |
---|
1346 | return NULL; |
---|
1347 | } |
---|
1348 | regf->sk_map_size = 10; |
---|
1349 | regf->sk_count = 1; |
---|
1350 | (regf->sk_map)[0].sk_off = sk_off; |
---|
1351 | (regf->sk_map)[0].key_sec_desc = tmp; |
---|
1352 | } |
---|
1353 | else { /* Simply allocate a new slot, unless we have to expand the list */ |
---|
1354 | int ndx = regf->sk_count; |
---|
1355 | if (regf->sk_count >= regf->sk_map_size) { |
---|
1356 | regf->sk_map = (SK_MAP *)realloc(regf->sk_map, |
---|
1357 | (regf->sk_map_size + 10)*sizeof(SK_MAP)); |
---|
1358 | if (!regf->sk_map) { |
---|
1359 | free(tmp); |
---|
1360 | return NULL; |
---|
1361 | } |
---|
1362 | /* |
---|
1363 | * ndx already points at the first entry of the new block |
---|
1364 | */ |
---|
1365 | regf->sk_map_size += 10; |
---|
1366 | } |
---|
1367 | (regf->sk_map)[ndx].sk_off = sk_off; |
---|
1368 | (regf->sk_map)[ndx].key_sec_desc = tmp; |
---|
1369 | regf->sk_count++; |
---|
1370 | } |
---|
1371 | return regf->sk_map; |
---|
1372 | } |
---|
1373 | |
---|
1374 | /* |
---|
1375 | * Search for a KEY_SEC_DESC in the sk_map, but don't create one if not |
---|
1376 | * found |
---|
1377 | */ |
---|
1378 | static |
---|
1379 | KEY_SEC_DESC *lookup_sec_key(SK_MAP *sk_map, int count, int sk_off) |
---|
1380 | { |
---|
1381 | int i; |
---|
1382 | |
---|
1383 | if (!sk_map) return NULL; |
---|
1384 | |
---|
1385 | for (i = 0; i < count; i++) { |
---|
1386 | |
---|
1387 | if (sk_map[i].sk_off == sk_off) |
---|
1388 | return sk_map[i].key_sec_desc; |
---|
1389 | |
---|
1390 | } |
---|
1391 | |
---|
1392 | return NULL; |
---|
1393 | |
---|
1394 | } |
---|
1395 | |
---|
1396 | /* |
---|
1397 | * Allocate a KEY_SEC_DESC if we can't find one in the map |
---|
1398 | */ |
---|
1399 | static |
---|
1400 | KEY_SEC_DESC *lookup_create_sec_key(REGF *regf, SK_MAP *sk_map, int sk_off) |
---|
1401 | { |
---|
1402 | KEY_SEC_DESC *tmp = lookup_sec_key(regf->sk_map, regf->sk_count, sk_off); |
---|
1403 | |
---|
1404 | if (tmp) { |
---|
1405 | return tmp; |
---|
1406 | } |
---|
1407 | else { /* Allocate a new one */ |
---|
1408 | tmp = (KEY_SEC_DESC *)malloc(sizeof(KEY_SEC_DESC)); |
---|
1409 | if (!tmp) { |
---|
1410 | return NULL; |
---|
1411 | } |
---|
1412 | memset(tmp, 0, sizeof(KEY_SEC_DESC)); /* Neatly sets offset to 0 */ |
---|
1413 | tmp->state = SEC_DESC_RES; |
---|
1414 | if (!alloc_sk_map_entry(regf, tmp, sk_off)) { |
---|
1415 | return NULL; |
---|
1416 | } |
---|
1417 | return tmp; |
---|
1418 | } |
---|
1419 | } |
---|
1420 | |
---|
1421 | /* |
---|
1422 | * Allocate storage and duplicate a SID |
---|
1423 | * We could allocate the SID to be only the size needed, but I am too lazy. |
---|
1424 | */ |
---|
1425 | static |
---|
1426 | sid_t *dup_sid(sid_t *sid) |
---|
1427 | { |
---|
1428 | sid_t *tmp = (sid_t *)malloc(sizeof(sid_t)); |
---|
1429 | int i; |
---|
1430 | |
---|
1431 | if (!tmp) return NULL; |
---|
1432 | tmp->ver = sid->ver; |
---|
1433 | tmp->auths = sid->auths; |
---|
1434 | for (i=0; i<6; i++) { |
---|
1435 | tmp->auth[i] = sid->auth[i]; |
---|
1436 | } |
---|
1437 | for (i=0; i<tmp->auths&&i<MAXSUBAUTHS; i++) { |
---|
1438 | tmp->sub_auths[i] = sid->sub_auths[i]; |
---|
1439 | } |
---|
1440 | return tmp; |
---|
1441 | } |
---|
1442 | |
---|
1443 | /* |
---|
1444 | * Allocate space for an ACE and duplicate the registry encoded one passed in |
---|
1445 | */ |
---|
1446 | static |
---|
1447 | ACE *dup_ace(REG_ACE *ace) |
---|
1448 | { |
---|
1449 | ACE *tmp = NULL; |
---|
1450 | |
---|
1451 | tmp = (ACE *)malloc(sizeof(ACE)); |
---|
1452 | |
---|
1453 | if (!tmp) return NULL; |
---|
1454 | |
---|
1455 | tmp->type = CVAL(&ace->type); |
---|
1456 | tmp->flags = CVAL(&ace->flags); |
---|
1457 | tmp->perms = IVAL(&ace->perms); |
---|
1458 | tmp->trustee = dup_sid(&ace->trustee); |
---|
1459 | return tmp; |
---|
1460 | } |
---|
1461 | |
---|
1462 | /* |
---|
1463 | * Allocate space for an ACL and duplicate the registry encoded one passed in |
---|
1464 | */ |
---|
1465 | static |
---|
1466 | ACL *dup_acl(REG_ACL *acl) |
---|
1467 | { |
---|
1468 | ACL *tmp = NULL; |
---|
1469 | REG_ACE* ace; |
---|
1470 | int i, num_aces; |
---|
1471 | |
---|
1472 | num_aces = IVAL(&acl->num_aces); |
---|
1473 | |
---|
1474 | tmp = (ACL *)malloc(sizeof(ACL) + (num_aces - 1)*sizeof(ACE *)); |
---|
1475 | if (!tmp) return NULL; |
---|
1476 | |
---|
1477 | tmp->num_aces = num_aces; |
---|
1478 | tmp->refcnt = 1; |
---|
1479 | tmp->rev = SVAL(&acl->rev); |
---|
1480 | if (verbose) fprintf(stdout, "ACL: refcnt: %u, rev: %u\n", tmp->refcnt, |
---|
1481 | tmp->rev); |
---|
1482 | ace = (REG_ACE *)&acl->aces; |
---|
1483 | for (i=0; i<num_aces; i++) { |
---|
1484 | tmp->aces[i] = dup_ace(ace); |
---|
1485 | ace = (REG_ACE *)((char *)ace + SVAL(&ace->length)); |
---|
1486 | /* XXX: FIXME, should handle malloc errors */ |
---|
1487 | } |
---|
1488 | |
---|
1489 | return tmp; |
---|
1490 | } |
---|
1491 | |
---|
1492 | static |
---|
1493 | SEC_DESC *process_sec_desc(REGF *regf, REG_SEC_DESC *sec_desc) |
---|
1494 | { |
---|
1495 | SEC_DESC *tmp = NULL; |
---|
1496 | |
---|
1497 | tmp = (SEC_DESC *)malloc(sizeof(SEC_DESC)); |
---|
1498 | |
---|
1499 | if (!tmp) { |
---|
1500 | return NULL; |
---|
1501 | } |
---|
1502 | |
---|
1503 | tmp->rev = SVAL(&sec_desc->rev); |
---|
1504 | tmp->type = SVAL(&sec_desc->type); |
---|
1505 | if (verbose) fprintf(stdout, "SEC_DESC Rev: %0X, Type: %0X\n", |
---|
1506 | tmp->rev, tmp->type); |
---|
1507 | if (verbose) fprintf(stdout, "SEC_DESC Owner Off: %0X\n", |
---|
1508 | IVAL(&sec_desc->owner_off)); |
---|
1509 | if (verbose) fprintf(stdout, "SEC_DESC Group Off: %0X\n", |
---|
1510 | IVAL(&sec_desc->group_off)); |
---|
1511 | if (verbose) fprintf(stdout, "SEC_DESC DACL Off: %0X\n", |
---|
1512 | IVAL(&sec_desc->dacl_off)); |
---|
1513 | tmp->owner = dup_sid((sid_t *)((char *)sec_desc + IVAL(&sec_desc->owner_off))); |
---|
1514 | if (!tmp->owner) { |
---|
1515 | free(tmp); |
---|
1516 | return NULL; |
---|
1517 | } |
---|
1518 | tmp->group = dup_sid((sid_t *)((char *)sec_desc + IVAL(&sec_desc->group_off))); |
---|
1519 | if (!tmp->group) { |
---|
1520 | free(tmp); |
---|
1521 | return NULL; |
---|
1522 | } |
---|
1523 | |
---|
1524 | /* Now pick up the SACL and DACL */ |
---|
1525 | |
---|
1526 | if (sec_desc->sacl_off) |
---|
1527 | tmp->sacl = dup_acl((REG_ACL *)((char *)sec_desc + IVAL(&sec_desc->sacl_off))); |
---|
1528 | else |
---|
1529 | tmp->sacl = NULL; |
---|
1530 | |
---|
1531 | if (sec_desc->dacl_off) |
---|
1532 | tmp->dacl = dup_acl((REG_ACL *)((char *)sec_desc + IVAL(&sec_desc->dacl_off))); |
---|
1533 | else |
---|
1534 | tmp->dacl = NULL; |
---|
1535 | |
---|
1536 | return tmp; |
---|
1537 | } |
---|
1538 | |
---|
1539 | static |
---|
1540 | KEY_SEC_DESC *process_sk(REGF *regf, SK_HDR *sk_hdr, int sk_off, int size) |
---|
1541 | { |
---|
1542 | KEY_SEC_DESC *tmp = NULL; |
---|
1543 | int sk_next_off, sk_prev_off, sk_size; |
---|
1544 | REG_SEC_DESC *sec_desc; |
---|
1545 | |
---|
1546 | if (!sk_hdr) return NULL; |
---|
1547 | |
---|
1548 | if (SVAL(&sk_hdr->SK_ID) != REG_SK_ID) { |
---|
1549 | fprintf(stderr, "Unrecognized SK Header ID: %08X, %s\n", (int)sk_hdr, |
---|
1550 | regf->regfile_name); |
---|
1551 | return NULL; |
---|
1552 | } |
---|
1553 | |
---|
1554 | if (-size < (sk_size = IVAL(&sk_hdr->rec_size))) { |
---|
1555 | fprintf(stderr, "Incorrect SK record size: %d vs %d. %s\n", |
---|
1556 | -size, sk_size, regf->regfile_name); |
---|
1557 | return NULL; |
---|
1558 | } |
---|
1559 | |
---|
1560 | /* |
---|
1561 | * Now, we need to look up the SK Record in the map, and return it |
---|
1562 | * Since the map contains the SK_OFF mapped to KEY_SEC_DESC, we can |
---|
1563 | * use that |
---|
1564 | */ |
---|
1565 | |
---|
1566 | if (regf->sk_map && |
---|
1567 | ((tmp = lookup_sec_key(regf->sk_map, regf->sk_count, sk_off)) != NULL) |
---|
1568 | && (tmp->state == SEC_DESC_OCU)) { |
---|
1569 | tmp->ref_cnt++; |
---|
1570 | return tmp; |
---|
1571 | } |
---|
1572 | |
---|
1573 | /* Here, we have an item in the map that has been reserved, or tmp==NULL. */ |
---|
1574 | |
---|
1575 | assert(tmp == NULL || (tmp && tmp->state != SEC_DESC_NON)); |
---|
1576 | |
---|
1577 | /* |
---|
1578 | * Now, allocate a KEY_SEC_DESC, and parse the structure here, and add the |
---|
1579 | * new KEY_SEC_DESC to the mapping structure, since the offset supplied is |
---|
1580 | * the actual offset of structure. The same offset will be used by |
---|
1581 | * all future references to this structure |
---|
1582 | * We could put all this unpleasantness in a function. |
---|
1583 | */ |
---|
1584 | |
---|
1585 | if (!tmp) { |
---|
1586 | tmp = (KEY_SEC_DESC *)malloc(sizeof(KEY_SEC_DESC)); |
---|
1587 | if (!tmp) return NULL; |
---|
1588 | memset(tmp, 0, sizeof(KEY_SEC_DESC)); |
---|
1589 | |
---|
1590 | /* |
---|
1591 | * Allocate an entry in the SK_MAP ... |
---|
1592 | * We don't need to free tmp, because that is done for us if the |
---|
1593 | * sm_map entry can't be expanded when we need more space in the map. |
---|
1594 | */ |
---|
1595 | |
---|
1596 | if (!alloc_sk_map_entry(regf, tmp, sk_off)) { |
---|
1597 | return NULL; |
---|
1598 | } |
---|
1599 | } |
---|
1600 | |
---|
1601 | tmp->ref_cnt++; |
---|
1602 | tmp->state = SEC_DESC_OCU; |
---|
1603 | |
---|
1604 | /* |
---|
1605 | * Now, process the actual sec desc and plug the values in |
---|
1606 | */ |
---|
1607 | |
---|
1608 | sec_desc = (REG_SEC_DESC *)&sk_hdr->sec_desc[0]; |
---|
1609 | tmp->sec_desc = process_sec_desc(regf, sec_desc); |
---|
1610 | |
---|
1611 | /* |
---|
1612 | * Now forward and back links. Here we allocate an entry in the sk_map |
---|
1613 | * if it does not exist, and mark it reserved |
---|
1614 | */ |
---|
1615 | |
---|
1616 | sk_prev_off = IVAL(&sk_hdr->prev_off); |
---|
1617 | tmp->prev = lookup_create_sec_key(regf, regf->sk_map, sk_prev_off); |
---|
1618 | assert(tmp->prev != NULL); |
---|
1619 | sk_next_off = IVAL(&sk_hdr->next_off); |
---|
1620 | tmp->next = lookup_create_sec_key(regf, regf->sk_map, sk_next_off); |
---|
1621 | assert(tmp->next != NULL); |
---|
1622 | |
---|
1623 | return tmp; |
---|
1624 | } |
---|
1625 | |
---|
1626 | /* |
---|
1627 | * Process a VK header and return a value |
---|
1628 | */ |
---|
1629 | static |
---|
1630 | VAL_KEY *process_vk(REGF *regf, VK_HDR *vk_hdr, int size) |
---|
1631 | { |
---|
1632 | char val_name[1024]; |
---|
1633 | int nam_len, dat_len, flag, dat_type, dat_off, vk_id; |
---|
1634 | const char *val_type; |
---|
1635 | VAL_KEY *tmp = NULL; |
---|
1636 | |
---|
1637 | if (!vk_hdr) return NULL; |
---|
1638 | |
---|
1639 | if ((vk_id = SVAL(&vk_hdr->VK_ID)) != REG_VK_ID) { |
---|
1640 | fprintf(stderr, "Unrecognized VK header ID: %0X, block: %0X, %s\n", |
---|
1641 | vk_id, (int)vk_hdr, regf->regfile_name); |
---|
1642 | return NULL; |
---|
1643 | } |
---|
1644 | |
---|
1645 | nam_len = SVAL(&vk_hdr->nam_len); |
---|
1646 | val_name[nam_len] = '\0'; |
---|
1647 | flag = SVAL(&vk_hdr->flag); |
---|
1648 | dat_type = IVAL(&vk_hdr->dat_type); |
---|
1649 | dat_len = IVAL(&vk_hdr->dat_len); /* If top bit, offset contains data */ |
---|
1650 | dat_off = IVAL(&vk_hdr->dat_off); |
---|
1651 | |
---|
1652 | tmp = (VAL_KEY *)malloc(sizeof(VAL_KEY)); |
---|
1653 | if (!tmp) { |
---|
1654 | goto error; |
---|
1655 | } |
---|
1656 | memset(tmp, 0, sizeof(VAL_KEY)); |
---|
1657 | tmp->has_name = flag; |
---|
1658 | tmp->data_type = dat_type; |
---|
1659 | |
---|
1660 | if (flag & 0x01) { |
---|
1661 | strncpy(val_name, vk_hdr->dat_name, nam_len); |
---|
1662 | tmp->name = strdup(val_name); |
---|
1663 | if (!tmp->name) { |
---|
1664 | goto error; |
---|
1665 | } |
---|
1666 | } |
---|
1667 | else |
---|
1668 | strncpy(val_name, "<No Name>", 10); |
---|
1669 | |
---|
1670 | /* |
---|
1671 | * Allocate space and copy the data as a BLOB |
---|
1672 | */ |
---|
1673 | |
---|
1674 | if (dat_len) { |
---|
1675 | |
---|
1676 | char *dtmp = (char *)malloc(dat_len&0x7FFFFFFF); |
---|
1677 | |
---|
1678 | if (!dtmp) { |
---|
1679 | goto error; |
---|
1680 | } |
---|
1681 | |
---|
1682 | tmp->data_blk = dtmp; |
---|
1683 | |
---|
1684 | if ((dat_len&0x80000000) == 0) |
---|
1685 | { /* The data is pointed to by the offset */ |
---|
1686 | char *dat_ptr = LOCN(regf->base, dat_off); |
---|
1687 | /* XXX: replace with memcpy */ |
---|
1688 | bcopy(dat_ptr, dtmp, dat_len); |
---|
1689 | } |
---|
1690 | else { /* The data is in the offset or type */ |
---|
1691 | /* |
---|
1692 | * FIXME. |
---|
1693 | * Some registry files seem to have wierd fields. If top bit is set, |
---|
1694 | * but len is 0, the type seems to be the value ... |
---|
1695 | * Not sure how to handle this last type for the moment ... |
---|
1696 | */ |
---|
1697 | dat_len = dat_len & 0x7FFFFFFF; |
---|
1698 | /* XXX: replace with memcpy */ |
---|
1699 | bcopy(&dat_off, dtmp, dat_len); |
---|
1700 | } |
---|
1701 | |
---|
1702 | tmp->data_len = dat_len; |
---|
1703 | } |
---|
1704 | |
---|
1705 | val_type = val_to_str(dat_type, reg_type_names); |
---|
1706 | |
---|
1707 | /* |
---|
1708 | * We need to save the data area as well |
---|
1709 | */ |
---|
1710 | if (verbose) |
---|
1711 | fprintf(stdout, " %s : %s : \n", val_name, val_type); |
---|
1712 | |
---|
1713 | return tmp; |
---|
1714 | |
---|
1715 | error: |
---|
1716 | if (tmp) nt_delete_val_key(tmp); |
---|
1717 | return NULL; |
---|
1718 | |
---|
1719 | } |
---|
1720 | |
---|
1721 | /* |
---|
1722 | * Process a VL Header and return a list of values |
---|
1723 | */ |
---|
1724 | static |
---|
1725 | VAL_LIST *process_vl(REGF *regf, VL_TYPE vl, int count, int size) |
---|
1726 | { |
---|
1727 | int i, vk_off; |
---|
1728 | VK_HDR *vk_hdr; |
---|
1729 | VAL_LIST *tmp = NULL; |
---|
1730 | |
---|
1731 | if (!vl) return NULL; |
---|
1732 | |
---|
1733 | if (-size < (count+1)*sizeof(int)){ |
---|
1734 | fprintf(stderr, "Error in VL header format. Size less than space required. %d\n", -size); |
---|
1735 | return NULL; |
---|
1736 | } |
---|
1737 | |
---|
1738 | tmp = (VAL_LIST *)malloc(sizeof(VAL_LIST) + (count - 1) * sizeof(VAL_KEY *)); |
---|
1739 | if (!tmp) { |
---|
1740 | goto error; |
---|
1741 | } |
---|
1742 | |
---|
1743 | for (i=0; i<count; i++) { |
---|
1744 | vk_off = IVAL(&vl[i]); |
---|
1745 | vk_hdr = (VK_HDR *)LOCN(regf->base, vk_off); |
---|
1746 | tmp->vals[i] = process_vk(regf, vk_hdr, BLK_SIZE(vk_hdr)); |
---|
1747 | if (!tmp->vals[i]){ |
---|
1748 | goto error; |
---|
1749 | } |
---|
1750 | } |
---|
1751 | |
---|
1752 | tmp->val_count = count; |
---|
1753 | tmp->max_vals = count; |
---|
1754 | |
---|
1755 | return tmp; |
---|
1756 | |
---|
1757 | error: |
---|
1758 | /* XXX: FIXME, free the partially allocated structure */ |
---|
1759 | return NULL; |
---|
1760 | } |
---|
1761 | |
---|
1762 | /* |
---|
1763 | * Process an LF Header and return a list of sub-keys |
---|
1764 | */ |
---|
1765 | static |
---|
1766 | KEY_LIST *process_lf(REGF *regf, LF_HDR *lf_hdr, int size, REG_KEY *parent) |
---|
1767 | { |
---|
1768 | int count, i, nk_off; |
---|
1769 | unsigned int lf_id; |
---|
1770 | KEY_LIST *tmp; |
---|
1771 | |
---|
1772 | if (!lf_hdr) return NULL; |
---|
1773 | |
---|
1774 | if ((lf_id = SVAL(&lf_hdr->LF_ID)) != REG_LF_ID) { |
---|
1775 | fprintf(stderr, "Unrecognized LF Header format: %0X, Block: %0X, %s.\n", |
---|
1776 | lf_id, (int)lf_hdr, regf->regfile_name); |
---|
1777 | return NULL; |
---|
1778 | } |
---|
1779 | |
---|
1780 | assert(size < 0); |
---|
1781 | |
---|
1782 | count = SVAL(&lf_hdr->key_count); |
---|
1783 | if (verbose) |
---|
1784 | fprintf(stdout, "Key Count: %u\n", count); |
---|
1785 | if (count <= 0) return NULL; |
---|
1786 | |
---|
1787 | /* Now, we should allocate a KEY_LIST struct and fill it in ... */ |
---|
1788 | |
---|
1789 | tmp = (KEY_LIST *)malloc(sizeof(KEY_LIST) + (count - 1) * sizeof(REG_KEY *)); |
---|
1790 | if (!tmp) { |
---|
1791 | goto error; |
---|
1792 | } |
---|
1793 | |
---|
1794 | tmp->key_count = count; |
---|
1795 | tmp->max_keys = count; |
---|
1796 | |
---|
1797 | for (i=0; i<count; i++) { |
---|
1798 | NK_HDR *nk_hdr; |
---|
1799 | |
---|
1800 | nk_off = IVAL(&lf_hdr->hr[i].nk_off); |
---|
1801 | if (verbose) |
---|
1802 | fprintf(stdout, "NK Offset: %0X\n", nk_off); |
---|
1803 | nk_hdr = (NK_HDR *)LOCN(regf->base, nk_off); |
---|
1804 | tmp->keys[i] = nt_get_key_tree(regf, nk_hdr, BLK_SIZE(nk_hdr), parent); |
---|
1805 | if (!tmp->keys[i]) { |
---|
1806 | goto error; |
---|
1807 | } |
---|
1808 | } |
---|
1809 | |
---|
1810 | return tmp; |
---|
1811 | |
---|
1812 | error: |
---|
1813 | /*if (tmp) nt_delete_key_list(tmp, False);*/ |
---|
1814 | return NULL; |
---|
1815 | } |
---|
1816 | |
---|
1817 | |
---|
1818 | /* |
---|
1819 | * This routine is passed an NK_HDR pointer and retrieves the entire tree |
---|
1820 | * from there down. It returns a REG_KEY *. |
---|
1821 | */ |
---|
1822 | static |
---|
1823 | REG_KEY *nt_get_key_tree(REGF *regf, NK_HDR *nk_hdr, int size, REG_KEY *parent) |
---|
1824 | { |
---|
1825 | REG_KEY *tmp = NULL, *own; |
---|
1826 | int name_len, clsname_len, lf_off, val_off, val_count, sk_off, own_off; |
---|
1827 | unsigned int nk_id; |
---|
1828 | LF_HDR *lf_hdr; |
---|
1829 | VL_TYPE *vl; |
---|
1830 | SK_HDR *sk_hdr; |
---|
1831 | char key_name[1024]; |
---|
1832 | unsigned char cls_name[1024]; |
---|
1833 | |
---|
1834 | if (!nk_hdr) return NULL; |
---|
1835 | |
---|
1836 | if ((nk_id = SVAL(&nk_hdr->NK_ID)) != REG_NK_ID) { |
---|
1837 | fprintf(stderr, "Unrecognized NK Header format: %08X, Block: %0X. %s\n", |
---|
1838 | nk_id, (int)nk_hdr, regf->regfile_name); |
---|
1839 | return NULL; |
---|
1840 | } |
---|
1841 | |
---|
1842 | assert(size < 0); |
---|
1843 | |
---|
1844 | name_len = SVAL(&nk_hdr->nam_len); |
---|
1845 | clsname_len = SVAL(&nk_hdr->clsnam_len); |
---|
1846 | |
---|
1847 | /* |
---|
1848 | * The value of -size should be ge |
---|
1849 | * (sizeof(NK_HDR) - 1 + name_len) |
---|
1850 | * The -1 accounts for the fact that we included the first byte of |
---|
1851 | * the name in the structure. clsname_len is the length of the thing |
---|
1852 | * pointed to by clsnam_off |
---|
1853 | */ |
---|
1854 | |
---|
1855 | if (-size < (sizeof(NK_HDR) - 1 + name_len)) { |
---|
1856 | fprintf(stderr, "Incorrect NK_HDR size: %d, %0X\n", -size, (int)nk_hdr); |
---|
1857 | fprintf(stderr, "Sizeof NK_HDR: %d, name_len %d, clsname_len %d\n", |
---|
1858 | sizeof(NK_HDR), name_len, clsname_len); |
---|
1859 | /*return NULL;*/ |
---|
1860 | } |
---|
1861 | |
---|
1862 | if (verbose) fprintf(stdout, "NK HDR: Name len: %d, class name len: %d\n", |
---|
1863 | name_len, clsname_len); |
---|
1864 | |
---|
1865 | /* Fish out the key name and process the LF list */ |
---|
1866 | |
---|
1867 | assert(name_len < sizeof(key_name)); |
---|
1868 | |
---|
1869 | /* Allocate the key struct now */ |
---|
1870 | tmp = (REG_KEY *)malloc(sizeof(REG_KEY)); |
---|
1871 | if (!tmp) return tmp; |
---|
1872 | memset(tmp, 0, sizeof(REG_KEY)); |
---|
1873 | |
---|
1874 | tmp->type = (SVAL(&nk_hdr->type)==0x2C?REG_ROOT_KEY:REG_SUB_KEY); |
---|
1875 | |
---|
1876 | strncpy(key_name, nk_hdr->key_nam, name_len); |
---|
1877 | key_name[name_len] = '\0'; |
---|
1878 | |
---|
1879 | if (verbose) fprintf(stdout, "Key name: %s\n", key_name); |
---|
1880 | |
---|
1881 | tmp->name = strdup(key_name); |
---|
1882 | if (!tmp->name) { |
---|
1883 | goto error; |
---|
1884 | } |
---|
1885 | |
---|
1886 | /* |
---|
1887 | * Fish out the class name, it is in UNICODE, while the key name is |
---|
1888 | * ASCII :-) |
---|
1889 | */ |
---|
1890 | |
---|
1891 | if (clsname_len) |
---|
1892 | { /* Just print in Ascii for now */ |
---|
1893 | unsigned char *clsnamep; |
---|
1894 | unsigned int clsnam_off; |
---|
1895 | |
---|
1896 | clsnam_off = IVAL(&nk_hdr->clsnam_off); |
---|
1897 | clsnamep = (unsigned char*)LOCN(regf->base, clsnam_off); |
---|
1898 | if (verbose) fprintf(stdout, "Class Name Offset: %0X\n", clsnam_off); |
---|
1899 | |
---|
1900 | memset(cls_name, 0, clsname_len); |
---|
1901 | uni_to_ascii(clsnamep, cls_name, sizeof(cls_name), clsname_len); |
---|
1902 | |
---|
1903 | /* |
---|
1904 | * I am keeping class name as an ascii string for the moment. |
---|
1905 | * That means it needs to be converted on output. |
---|
1906 | * It will also piss off people who need Unicode/UTF-8 strings. Sorry. |
---|
1907 | * XXX: FIXME |
---|
1908 | */ |
---|
1909 | tmp->class_name = strdup((char*)cls_name); |
---|
1910 | if (!tmp->class_name) { |
---|
1911 | goto error; |
---|
1912 | } |
---|
1913 | |
---|
1914 | if (verbose) fprintf(stdout, " Class Name: %s\n", cls_name); |
---|
1915 | |
---|
1916 | } |
---|
1917 | |
---|
1918 | /* |
---|
1919 | * Process the owner offset ... |
---|
1920 | */ |
---|
1921 | own_off = IVAL(&nk_hdr->own_off); |
---|
1922 | own = (REG_KEY *)LOCN(regf->base, own_off); |
---|
1923 | if (verbose) |
---|
1924 | fprintf(stdout, "Owner Offset: %0X\n", own_off); |
---|
1925 | |
---|
1926 | if (verbose) |
---|
1927 | fprintf(stdout, " Owner locn: %0X, Our locn: %0X\n", |
---|
1928 | (unsigned int)own, (unsigned int)nk_hdr); |
---|
1929 | |
---|
1930 | /* |
---|
1931 | * We should verify that the owner field is correct ... |
---|
1932 | * for now, we don't worry ... |
---|
1933 | */ |
---|
1934 | tmp->owner = parent; |
---|
1935 | |
---|
1936 | /* |
---|
1937 | * If there are any values, process them here |
---|
1938 | */ |
---|
1939 | |
---|
1940 | val_count = IVAL(&nk_hdr->val_cnt); |
---|
1941 | if (verbose) |
---|
1942 | fprintf(stdout, "Val Count: %d\n", val_count); |
---|
1943 | if (val_count) |
---|
1944 | { |
---|
1945 | val_off = IVAL(&nk_hdr->val_off); |
---|
1946 | vl = (VL_TYPE *)LOCN(regf->base, val_off); |
---|
1947 | if (verbose) |
---|
1948 | fprintf(stdout, "Val List Offset: %0X\n", val_off); |
---|
1949 | |
---|
1950 | tmp->values = process_vl(regf, *vl, val_count, BLK_SIZE(vl)); |
---|
1951 | if (!tmp->values) { |
---|
1952 | goto error; |
---|
1953 | } |
---|
1954 | |
---|
1955 | } |
---|
1956 | |
---|
1957 | /* |
---|
1958 | * Also handle the SK header ... |
---|
1959 | */ |
---|
1960 | |
---|
1961 | sk_off = IVAL(&nk_hdr->sk_off); |
---|
1962 | sk_hdr = (SK_HDR *)LOCN(regf->base, sk_off); |
---|
1963 | if (verbose) |
---|
1964 | fprintf(stdout, "SK Offset: %0X\n", sk_off); |
---|
1965 | |
---|
1966 | if (sk_off != -1) { |
---|
1967 | |
---|
1968 | tmp->security = process_sk(regf, sk_hdr, sk_off, BLK_SIZE(sk_hdr)); |
---|
1969 | |
---|
1970 | } |
---|
1971 | |
---|
1972 | lf_off = IVAL(&nk_hdr->lf_off); |
---|
1973 | if (verbose) |
---|
1974 | fprintf(stdout, "SubKey list offset: %0X\n", lf_off); |
---|
1975 | |
---|
1976 | /* |
---|
1977 | * No more subkeys if lf_off == -1 |
---|
1978 | */ |
---|
1979 | if (lf_off != -1) |
---|
1980 | { |
---|
1981 | lf_hdr = (LF_HDR *)LOCN(regf->base, lf_off); |
---|
1982 | |
---|
1983 | tmp->sub_keys = process_lf(regf, lf_hdr, BLK_SIZE(lf_hdr), tmp); |
---|
1984 | if (!tmp->sub_keys) |
---|
1985 | goto error; |
---|
1986 | } |
---|
1987 | |
---|
1988 | return tmp; |
---|
1989 | |
---|
1990 | error: |
---|
1991 | /*if (tmp) nt_delete_reg_key(tmp, False);*/ |
---|
1992 | return NULL; |
---|
1993 | } |
---|
1994 | |
---|
1995 | static |
---|
1996 | int nt_load_registry(REGF *regf) |
---|
1997 | { |
---|
1998 | REGF_HDR *regf_hdr; |
---|
1999 | unsigned int regf_id, hbin_id; |
---|
2000 | HBIN_HDR *hbin_hdr; |
---|
2001 | NK_HDR *first_key; |
---|
2002 | |
---|
2003 | /* Get the header */ |
---|
2004 | |
---|
2005 | if ((regf_hdr = nt_get_regf_hdr(regf)) == NULL) { |
---|
2006 | return -1; |
---|
2007 | } |
---|
2008 | |
---|
2009 | /* Now process that header and start to read the rest in */ |
---|
2010 | |
---|
2011 | if ((regf_id = IVAL(®f_hdr->REGF_ID)) != REG_REGF_ID) { |
---|
2012 | fprintf(stderr, "Unrecognized NT registry header id: %0X, %s\n", |
---|
2013 | regf_id, regf->regfile_name); |
---|
2014 | return -1; |
---|
2015 | } |
---|
2016 | |
---|
2017 | /* |
---|
2018 | * Validate the header ... |
---|
2019 | */ |
---|
2020 | if (!valid_regf_hdr(regf_hdr)) { |
---|
2021 | fprintf(stderr, "Registry file header does not validate: %s\n", |
---|
2022 | regf->regfile_name); |
---|
2023 | return -1; |
---|
2024 | } |
---|
2025 | |
---|
2026 | /* Update the last mod date, and then go get the first NK record and on */ |
---|
2027 | |
---|
2028 | TTTONTTIME(regf, IVAL(®f_hdr->tim1), IVAL(®f_hdr->tim2)); |
---|
2029 | |
---|
2030 | /* |
---|
2031 | * The hbin hdr seems to be just uninteresting garbage. Check that |
---|
2032 | * it is there, but that is all. |
---|
2033 | */ |
---|
2034 | |
---|
2035 | hbin_hdr = (HBIN_HDR *)(regf->base + REGF_HDR_BLKSIZ); |
---|
2036 | |
---|
2037 | if ((hbin_id = IVAL(&hbin_hdr->HBIN_ID)) != REG_HBIN_ID) { |
---|
2038 | fprintf(stderr, "Unrecognized registry hbin hdr ID: %0X, %s\n", |
---|
2039 | hbin_id, regf->regfile_name); |
---|
2040 | return -1; |
---|
2041 | } |
---|
2042 | |
---|
2043 | /* |
---|
2044 | * Get a pointer to the first key from the hreg_hdr |
---|
2045 | */ |
---|
2046 | |
---|
2047 | if (verbose) |
---|
2048 | fprintf(stdout, "First Key: %0X\n", IVAL(®f_hdr->first_key)); |
---|
2049 | |
---|
2050 | first_key = (NK_HDR *)LOCN(regf->base, IVAL(®f_hdr->first_key)); |
---|
2051 | if (verbose) fprintf(stdout, "First Key Offset: %0X\n", |
---|
2052 | IVAL(®f_hdr->first_key)); |
---|
2053 | |
---|
2054 | if (verbose) fprintf(stdout, "Data Block Size: %d\n", |
---|
2055 | IVAL(®f_hdr->dblk_size)); |
---|
2056 | |
---|
2057 | if (verbose) fprintf(stdout, "Offset to next hbin block: %0X\n", |
---|
2058 | IVAL(&hbin_hdr->off_to_next)); |
---|
2059 | |
---|
2060 | if (verbose) fprintf(stdout, "HBIN block size: %0X\n", |
---|
2061 | IVAL(&hbin_hdr->blk_size)); |
---|
2062 | |
---|
2063 | /* |
---|
2064 | * Now, get the registry tree by processing that NK recursively |
---|
2065 | */ |
---|
2066 | |
---|
2067 | regf->root = nt_get_key_tree(regf, first_key, BLK_SIZE(first_key), NULL); |
---|
2068 | |
---|
2069 | assert(regf->root != NULL); |
---|
2070 | |
---|
2071 | /* |
---|
2072 | * Unmap the registry file, as we might want to read in another |
---|
2073 | * tree etc. |
---|
2074 | */ |
---|
2075 | |
---|
2076 | if (regf->base) munmap(regf->base, regf->sbuf.st_size); |
---|
2077 | regf->base = NULL; |
---|
2078 | close(regf->fd); /* Ignore the error :-) */ |
---|
2079 | |
---|
2080 | return 1; |
---|
2081 | } |
---|
2082 | |
---|
2083 | |
---|
2084 | /* |
---|
2085 | * Routines to parse a REGEDIT4 file |
---|
2086 | * |
---|
2087 | * The file consists of: |
---|
2088 | * |
---|
2089 | * REGEDIT4 |
---|
2090 | * \[[-]key-path\]\n |
---|
2091 | * <value-spec>* |
---|
2092 | * |
---|
2093 | * Format: |
---|
2094 | * [cmd:]name=type:value |
---|
2095 | * |
---|
2096 | * cmd = a|d|c|add|delete|change|as|ds|cs |
---|
2097 | * |
---|
2098 | * There can be more than one key-path and value-spec. |
---|
2099 | * |
---|
2100 | * Since we want to support more than one type of file format, we |
---|
2101 | * construct a command-file structure that keeps info about the command file |
---|
2102 | */ |
---|
2103 | |
---|
2104 | #define FMT_UNREC -1 |
---|
2105 | #define FMT_REGEDIT4 0 |
---|
2106 | #define FMT_EDITREG1_1 1 |
---|
2107 | |
---|
2108 | #define FMT_STRING_REGEDIT4 "REGEDIT4" |
---|
2109 | #define FMT_STRING_EDITREG1_0 "EDITREG1.0" |
---|
2110 | |
---|
2111 | #define CMD_NONE 0 |
---|
2112 | #define CMD_ADD_KEY 1 |
---|
2113 | #define CMD_DEL_KEY 2 |
---|
2114 | |
---|
2115 | #define CMD_KEY 1 |
---|
2116 | #define CMD_VAL 2 |
---|
2117 | |
---|
2118 | typedef struct val_spec_list { |
---|
2119 | struct val_spec_list *next; |
---|
2120 | char *name; |
---|
2121 | int type; |
---|
2122 | char *val; /* Kept as a char string, really? */ |
---|
2123 | } VAL_SPEC_LIST; |
---|
2124 | |
---|
2125 | typedef struct command_s { |
---|
2126 | int cmd; |
---|
2127 | char *key; |
---|
2128 | int val_count; |
---|
2129 | VAL_SPEC_LIST *val_spec_list, *val_spec_last; |
---|
2130 | } CMD; |
---|
2131 | |
---|
2132 | typedef struct cmd_line { |
---|
2133 | int len, line_len; |
---|
2134 | char *line; |
---|
2135 | } CMD_LINE; |
---|
2136 | |
---|
2137 | |
---|
2138 | |
---|
2139 | #define INIT_ALLOC 10 |
---|
2140 | |
---|
2141 | |
---|
2142 | /* prints a key */ |
---|
2143 | static |
---|
2144 | int print_key(const char *path, char *name, char *class_name, int root, |
---|
2145 | int terminal, int vals, char* newline) |
---|
2146 | { |
---|
2147 | if (full_print) |
---|
2148 | fprintf(stdout, "%s%s\\%s", path, name, newline); |
---|
2149 | |
---|
2150 | return 1; |
---|
2151 | } |
---|
2152 | |
---|
2153 | /* |
---|
2154 | * Sec Desc print functions |
---|
2155 | */ |
---|
2156 | static |
---|
2157 | void print_type(unsigned char type) |
---|
2158 | { |
---|
2159 | switch (type) { |
---|
2160 | case 0x00: |
---|
2161 | fprintf(stdout, " ALLOW"); |
---|
2162 | break; |
---|
2163 | case 0x01: |
---|
2164 | fprintf(stdout, " DENY"); |
---|
2165 | break; |
---|
2166 | case 0x02: |
---|
2167 | fprintf(stdout, " AUDIT"); |
---|
2168 | break; |
---|
2169 | case 0x03: |
---|
2170 | fprintf(stdout, " ALARM"); |
---|
2171 | break; |
---|
2172 | case 0x04: |
---|
2173 | fprintf(stdout, "ALLOW CPD"); |
---|
2174 | break; |
---|
2175 | case 0x05: |
---|
2176 | fprintf(stdout, "OBJ ALLOW"); |
---|
2177 | break; |
---|
2178 | case 0x06: |
---|
2179 | fprintf(stdout, " OBJ DENY"); |
---|
2180 | break; |
---|
2181 | default: |
---|
2182 | fprintf(stdout, " UNKNOWN"); |
---|
2183 | break; |
---|
2184 | } |
---|
2185 | } |
---|
2186 | |
---|
2187 | static |
---|
2188 | void print_flags(unsigned char flags) |
---|
2189 | { |
---|
2190 | char flg_output[21]; |
---|
2191 | int some = 0; |
---|
2192 | |
---|
2193 | flg_output[0] = 0; |
---|
2194 | if (!flags) { |
---|
2195 | fprintf(stdout, " "); |
---|
2196 | return; |
---|
2197 | } |
---|
2198 | if (flags & 0x01) { |
---|
2199 | if (some) strcat(flg_output, ","); |
---|
2200 | some = 1; |
---|
2201 | strcat(flg_output, "OI"); |
---|
2202 | } |
---|
2203 | if (flags & 0x02) { |
---|
2204 | if (some) strcat(flg_output, ","); |
---|
2205 | some = 1; |
---|
2206 | strcat(flg_output, "CI"); |
---|
2207 | } |
---|
2208 | if (flags & 0x04) { |
---|
2209 | if (some) strcat(flg_output, ","); |
---|
2210 | some = 1; |
---|
2211 | strcat(flg_output, "NP"); |
---|
2212 | } |
---|
2213 | if (flags & 0x08) { |
---|
2214 | if (some) strcat(flg_output, ","); |
---|
2215 | some = 1; |
---|
2216 | strcat(flg_output, "IO"); |
---|
2217 | } |
---|
2218 | if (flags & 0x10) { |
---|
2219 | if (some) strcat(flg_output, ","); |
---|
2220 | some = 1; |
---|
2221 | strcat(flg_output, "IA"); |
---|
2222 | } |
---|
2223 | if (flags == 0xF) { |
---|
2224 | if (some) strcat(flg_output, ","); |
---|
2225 | some = 1; |
---|
2226 | strcat(flg_output, "VI"); |
---|
2227 | } |
---|
2228 | fprintf(stdout, " %s", flg_output); |
---|
2229 | } |
---|
2230 | |
---|
2231 | static |
---|
2232 | void print_perms(int perms) |
---|
2233 | { |
---|
2234 | fprintf(stdout, " %8X", perms); |
---|
2235 | } |
---|
2236 | |
---|
2237 | static |
---|
2238 | void print_sid(sid_t *sid) |
---|
2239 | { |
---|
2240 | int i, comps = sid->auths; |
---|
2241 | fprintf(stdout, "S-%u-%u", sid->ver, sid->auth[5]); |
---|
2242 | |
---|
2243 | for (i = 0; i < comps; i++) |
---|
2244 | fprintf(stdout, "-%u", sid->sub_auths[i]); |
---|
2245 | |
---|
2246 | /*fprintf(stdout, "\n");*/ |
---|
2247 | } |
---|
2248 | |
---|
2249 | static |
---|
2250 | void print_acl(ACL *acl, const char *prefix) |
---|
2251 | { |
---|
2252 | int i; |
---|
2253 | |
---|
2254 | for (i = 0; i < acl->num_aces; i++) { |
---|
2255 | fprintf(stdout, ";;%s", prefix); |
---|
2256 | print_type(acl->aces[i]->type); |
---|
2257 | print_flags(acl->aces[i]->flags); |
---|
2258 | print_perms(acl->aces[i]->perms); |
---|
2259 | fprintf(stdout, " "); |
---|
2260 | print_sid(acl->aces[i]->trustee); |
---|
2261 | } |
---|
2262 | } |
---|
2263 | |
---|
2264 | static |
---|
2265 | int print_sec(SEC_DESC *sec_desc) |
---|
2266 | { |
---|
2267 | if (!print_security) return 1; |
---|
2268 | fprintf(stdout, ";; SECURITY\n"); |
---|
2269 | fprintf(stdout, ";; Owner: "); |
---|
2270 | print_sid(sec_desc->owner); |
---|
2271 | fprintf(stdout, ";; Group: "); |
---|
2272 | print_sid(sec_desc->group); |
---|
2273 | if (sec_desc->sacl) { |
---|
2274 | fprintf(stdout, ";; SACL:\n"); |
---|
2275 | print_acl(sec_desc->sacl, " "); |
---|
2276 | } |
---|
2277 | if (sec_desc->dacl) { |
---|
2278 | fprintf(stdout, ";; DACL:\n"); |
---|
2279 | print_acl(sec_desc->dacl, " "); |
---|
2280 | } |
---|
2281 | return 1; |
---|
2282 | } |
---|
2283 | |
---|
2284 | /* |
---|
2285 | * Value print function here ... |
---|
2286 | */ |
---|
2287 | static |
---|
2288 | int print_val(const char *path, char *val_name, int val_type, int data_len, |
---|
2289 | void *data_blk, int terminal, int first, int last) |
---|
2290 | { |
---|
2291 | unsigned char* data_asc; |
---|
2292 | |
---|
2293 | if(!val_name) |
---|
2294 | val_name = "<No Name>"; |
---|
2295 | |
---|
2296 | fprintf(stdout, "%s", path); |
---|
2297 | data_asc = data_to_ascii((unsigned char *)data_blk, data_len, val_type); |
---|
2298 | fprintf(stdout, "%s:%s=%s\n", val_name, val_to_str(val_type, reg_type_names), |
---|
2299 | data_asc); |
---|
2300 | |
---|
2301 | free(data_asc); |
---|
2302 | return 1; |
---|
2303 | } |
---|
2304 | |
---|
2305 | static |
---|
2306 | void usage(void) |
---|
2307 | { |
---|
2308 | fprintf(stderr, "Usage: readreg [-f<filterprefix>] [-v] [-p] [-k] [-s]" |
---|
2309 | "<registryfile>\n"); |
---|
2310 | fprintf(stderr, "Version: 0.1\n\n"); |
---|
2311 | fprintf(stderr, "\n\t-v\t sets verbose mode"); |
---|
2312 | fprintf(stderr, "\n\t-f\t a simple prefix filter."); |
---|
2313 | fprintf(stderr, "\n\t-p\t prints the registry"); |
---|
2314 | fprintf(stderr, "\n\t-s\t prints security descriptors"); |
---|
2315 | fprintf(stderr, "\n"); |
---|
2316 | } |
---|
2317 | |
---|
2318 | |
---|
2319 | int main(int argc, char *argv[]) |
---|
2320 | { |
---|
2321 | REGF *regf; |
---|
2322 | extern char *optarg; |
---|
2323 | extern int optind; |
---|
2324 | int opt; |
---|
2325 | int regf_opt = 1; |
---|
2326 | char* filter_prefix = ""; |
---|
2327 | |
---|
2328 | if (argc < 2) |
---|
2329 | { |
---|
2330 | usage(); |
---|
2331 | exit(1); |
---|
2332 | } |
---|
2333 | |
---|
2334 | /* |
---|
2335 | * Now, process the arguments |
---|
2336 | */ |
---|
2337 | |
---|
2338 | while ((opt = getopt(argc, argv, "svkf:o:c:")) != EOF) |
---|
2339 | { |
---|
2340 | switch (opt) |
---|
2341 | { |
---|
2342 | case 'f': |
---|
2343 | /*full_print = 1;*/ |
---|
2344 | filter_prefix = strdup(optarg); |
---|
2345 | regf_opt++; |
---|
2346 | break; |
---|
2347 | |
---|
2348 | case 's': |
---|
2349 | print_security++; |
---|
2350 | full_print++; |
---|
2351 | regf_opt++; |
---|
2352 | break; |
---|
2353 | |
---|
2354 | case 'v': |
---|
2355 | verbose++; |
---|
2356 | regf_opt++; |
---|
2357 | break; |
---|
2358 | |
---|
2359 | case 'k': |
---|
2360 | regf_opt++; |
---|
2361 | break; |
---|
2362 | |
---|
2363 | default: |
---|
2364 | usage(); |
---|
2365 | exit(1); |
---|
2366 | break; |
---|
2367 | } |
---|
2368 | } |
---|
2369 | |
---|
2370 | /* |
---|
2371 | * We only want to complain about the lack of a default owner SID if |
---|
2372 | * we need one. This approximates that need |
---|
2373 | */ |
---|
2374 | if (!def_owner_sid_str) { |
---|
2375 | def_owner_sid_str = "S-1-5-21-1-2-3-4"; |
---|
2376 | if (verbose) |
---|
2377 | fprintf(stderr, "Warning, default owner SID not set. Setting to %s\n", |
---|
2378 | def_owner_sid_str); |
---|
2379 | } |
---|
2380 | |
---|
2381 | if ((regf = nt_create_regf()) == NULL) |
---|
2382 | { |
---|
2383 | fprintf(stderr, "Could not create registry object: %s\n", strerror(errno)); |
---|
2384 | exit(2); |
---|
2385 | } |
---|
2386 | |
---|
2387 | if (regf_opt < argc) |
---|
2388 | { /* We have a registry file */ |
---|
2389 | if (!nt_set_regf_input_file(regf, argv[regf_opt])) |
---|
2390 | { |
---|
2391 | fprintf(stderr, "Could not set name of registry file: %s, %s\n", |
---|
2392 | argv[regf_opt], strerror(errno)); |
---|
2393 | exit(3); |
---|
2394 | } |
---|
2395 | |
---|
2396 | /* Now, open it, and bring it into memory :-) */ |
---|
2397 | if (nt_load_registry(regf) < 0) |
---|
2398 | { |
---|
2399 | fprintf(stderr, "Could not load registry: %s\n", argv[1]); |
---|
2400 | exit(4); |
---|
2401 | } |
---|
2402 | } |
---|
2403 | |
---|
2404 | /* |
---|
2405 | * At this point, we should have a registry in memory and should be able |
---|
2406 | * to iterate over it. |
---|
2407 | */ |
---|
2408 | nt_key_iterator(regf, regf->root, 0, "", filter_prefix); |
---|
2409 | |
---|
2410 | /* XXX: debugging; remove me. */ |
---|
2411 | printf("%d,%d,%d\n", |
---|
2412 | str_is_prefix("foo", "foobar"), |
---|
2413 | str_is_prefix("", "xyz"), |
---|
2414 | str_is_prefix("foo", "foo")); |
---|
2415 | |
---|
2416 | return 0; |
---|
2417 | } |
---|