Context Navigation

source: trunk/include/regfi.h @ 115

Last change on this file since 115 was 112, checked in by tim, 17 years ago
added path resolution to reglookup-recover
Property svn:keywords set to `Id`
File size: 11.9 KB

Rev	Line
[30]	1	/*
	2	* Branched from Samba project, Subversion repository version #6903:
[84]	3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/include/regfio.h?rev=6903&view=auto
[30]	4	*
	5	* Unix SMB/CIFS implementation.
	6	* Windows NT registry I/O library
	7	*
[101]	8	* Copyright (C) 2005-2008 Timothy D. Morgan
[30]	9	* Copyright (C) 2005 Gerald (Jerry) Carter
	10	*
	11	* This program is free software; you can redistribute it and/or modify
	12	* it under the terms of the GNU General Public License as published by
	13	* the Free Software Foundation; version 2 of the License.
	14	*
	15	* This program is distributed in the hope that it will be useful,
	16	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	* GNU General Public License for more details.
	19	*
	20	* You should have received a copy of the GNU General Public License
	21	* along with this program; if not, write to the Free Software
	22	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	23	*
	24	* $Id: regfi.h 112 2008-05-04 00:22:50Z tim $
	25	*/
	26
	27	/************************************************************
	28	* Most of this information was obtained from
	29	* http://www.wednesday.demon.co.uk/dosreg.html
	30	* Thanks Nigel!
	31	***********************************************************/
	32
[78]	33	#ifndef _REGFI_H
	34	#define _REGFI_H
[30]	35
[31]	36	#include <stdlib.h>
	37	#include <stdio.h>
[30]	38	#include <stdbool.h>
[31]	39	#include <string.h>
[30]	40	#include <errno.h>
[31]	41	#include <time.h>
[30]	42	#include <fcntl.h>
	43	#include <sys/stat.h>
	44	#include <sys/types.h>
	45	#include <unistd.h>
	46	#include <assert.h>
	47
	48	#include "smb_deps.h"
[78]	49	#include "void_stack.h"
[99]	50	#include "range_list.h"
[108]	51	#include "lru_cache.h"
[30]	52
	53	/******************************************************************************/
	54	/* Macros */
	55
[32]	56	/* Registry data types */
	57	#define REG_NONE 0
	58	#define REG_SZ 1
	59	#define REG_EXPAND_SZ 2
	60	#define REG_BINARY 3
	61	#define REG_DWORD 4
[54]	62	#define REG_DWORD_LE 4 /* DWORD, little endian */
	63	#define REG_DWORD_BE 5 /* DWORD, big endian */
[32]	64	#define REG_LINK 6
	65	#define REG_MULTI_SZ 7
	66	#define REG_RESOURCE_LIST 8
	67	#define REG_FULL_RESOURCE_DESCRIPTOR 9
	68	#define REG_RESOURCE_REQUIREMENTS_LIST 10
[72]	69	#define REG_QWORD 11 /* 64-bit little endian */
	70	/* XXX: Has MS defined a REG_QWORD_BE? */
[32]	71	/* Not a real type in the registry */
[81]	72	#define REG_KEY 0x7FFFFFFF
[32]	73
[30]	74	#define REGF_BLOCKSIZE 0x1000
[97]	75	#define REGF_ALLOC_BLOCK 0x1000 /* Minimum allocation unit for hbins */
[78]	76	#define REGF_MAX_DEPTH 512
[30]	77
	78	/* header sizes for various records */
	79
[97]	80	#define REGF_MAGIC_SIZE 4
	81	#define HBIN_MAGIC_SIZE 4
	82	#define HBIN_HEADER_REC_SIZE 0x20
[30]	83	#define REC_HDR_SIZE 2
	84
	85	#define REGF_OFFSET_NONE 0xffffffff
[101]	86	#define REGFI_NK_MIN_LENGTH 0x4C
	87	#define REGFI_VK_MIN_LENGTH 0x14
[102]	88	#define REGFI_SK_MIN_LENGTH 0x14
[104]	89	#define REGFI_HASH_LIST_MIN_LENGTH 0x4
[30]	90
	91	/* Flags for the vk records */
	92
	93	#define VK_FLAG_NAME_PRESENT 0x0001
	94	#define VK_DATA_IN_OFFSET 0x80000000
[77]	95	#define VK_MAX_DATA_LENGTH 1024*1024
[30]	96
	97	/* NK record macros */
	98
	99	#define NK_TYPE_LINKKEY 0x0010
	100	#define NK_TYPE_NORMALKEY 0x0020
	101	#define NK_TYPE_ROOTKEY 0x002c
[101]	102	/* TODO: Unknown type that shows up in Vista registries */
	103	#define NK_TYPE_UNKNOWN1 0x1020
[30]	104
[54]	105	#define HBIN_STORE_REF(x, y) { x->hbin = y; y->ref_count++ };
	106	/* if the count == 0; we can clean up */
	107	#define HBIN_REMOVE_REF(x, y){ x->hbin = NULL; y->ref_count-- };
[30]	108
	109
	110	/* HBIN block */
[97]	111	typedef struct regf_hbin
	112	{
[53]	113	uint32 file_off; /* my offset in the registry file */
[84]	114	uint32 ref_count; /* how many active records are pointing to this
[54]	115	* block (not used currently)
	116	*/
[84]	117
[53]	118	uint32 first_hbin_off; /* offset from first hbin block */
[97]	119	uint32 block_size; /* block size of this block
	120	* Should be a multiple of 4096 (0x1000)
[54]	121	*/
[99]	122	uint32 next_block; /* relative offset to next block.
	123	* NOTE: This value may be unreliable!
[97]	124	*/
	125
	126	uint8 magic[HBIN_MAGIC_SIZE]; /* "hbin" */
[30]	127	} REGF_HBIN;
	128
[97]	129
	130	/* Hash List -- list of key offsets and hashed names for consistency */
	131	typedef struct
	132	{
[53]	133	uint32 nk_off;
[104]	134	uint32 hash;
	135	} REGF_HASH_LIST_ELEM;
[30]	136
[97]	137
	138	typedef struct
	139	{
[104]	140	uint32 offset; /* Real offset of this record's cell in the file */
	141	uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */
[84]	142	REGF_HBIN* hbin; /* pointer to HBIN record (in memory) containing
[54]	143	* this nk record
	144	*/
	145	uint32 hbin_off; /* offset from beginning of this hbin block */
[104]	146	REGF_HASH_LIST_ELEM* hashes;
[53]	147
[104]	148	uint8 magic[REC_HDR_SIZE];
[53]	149	uint16 num_keys;
[104]	150	} REGF_HASH_LIST;
[30]	151
[97]	152
[30]	153	/* Key Value */
[97]	154	typedef struct
	155	{
[101]	156	uint32 offset; /* Real offset of this record's cell in the file */
	157	uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */
	158
[84]	159	REGF_HBIN* hbin; /* pointer to HBIN record (in memory) containing
[54]	160	* this nk record
	161	*/
[101]	162	uint8* data;
	163	uint16 name_length;
[84]	164	char* valuename;
[53]	165	uint32 hbin_off; /* offset from beginning of this hbin block */
	166
	167	uint32 data_size;
[101]	168	uint32 data_off; /* offset of data cell (virtual) */
[53]	169	uint32 type;
[101]	170	uint8 magic[REC_HDR_SIZE];
[53]	171	uint16 flag;
[101]	172	uint16 unknown1;
[111]	173	bool data_in_offset;
[30]	174	} REGF_VK_REC;
	175
	176
	177	/* Key Security */
	178	struct _regf_sk_rec;
	179
[97]	180	typedef struct _regf_sk_rec
	181	{
[111]	182	uint32 offset; /* Real file offset of this record */
	183	uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */
	184
[84]	185	SEC_DESC* sec_desc;
[53]	186	uint32 hbin_off; /* offset from beginning of this hbin block */
	187
[54]	188	uint32 sk_off; /* offset parsed from NK record used as a key
	189	* to lookup reference to this SK record
	190	*/
[53]	191
	192	uint32 prev_sk_off;
	193	uint32 next_sk_off;
	194	uint32 ref_count;
[102]	195	uint32 desc_size; /* size of security descriptor */
	196	uint16 unknown_tag;
	197	uint8 magic[REC_HDR_SIZE];
[30]	198	} REGF_SK_REC;
	199
[81]	200
[104]	201	/* Key Name */
	202	typedef struct
[97]	203	{
[99]	204	uint32 offset; /* Real offset of this record's cell in the file */
	205	uint32 cell_size; /* Actual or estimated length of the cell.
	206	* Always in multiples of 8.
	207	*/
[84]	208
	209	/* link in the other records here */
[101]	210	REGF_VK_REC** values;
[104]	211	REGF_HASH_LIST* subkeys;
[53]	212
	213	/* header information */
[84]	214	/* XXX: should we be looking for types other than the root key type? */
[112]	215	uint16 key_type;
[101]	216	uint8 magic[REC_HDR_SIZE];
[53]	217	NTTIME mtime;
[99]	218	uint16 name_length;
	219	uint16 classname_length;
[84]	220	char* classname;
	221	char* keyname;
[53]	222	uint32 parent_off; /* back pointer in registry hive */
	223	uint32 classname_off;
	224
	225	/* max lengths */
[54]	226	uint32 max_bytes_subkeyname; /* max subkey name * 2 */
	227	uint32 max_bytes_subkeyclassname; /* max subkey classname length (as if) */
	228	uint32 max_bytes_valuename; /* max valuename * 2 */
	229	uint32 max_bytes_value; /* max value data size */
[53]	230
	231	/* unknowns */
[99]	232	uint32 unknown1;
	233	uint32 unknown2;
	234	uint32 unknown3;
[54]	235	uint32 unk_index; /* nigel says run time index ? */
[53]	236
	237	/* children */
	238	uint32 num_subkeys;
	239	uint32 subkeys_off; /* hash records that point to NK records */
	240	uint32 num_values;
	241	uint32 values_off; /* value lists which point to VK records */
[97]	242	uint32 sk_off; /* offset to SK record */
[30]	243	} REGF_NK_REC;
	244
[81]	245
[97]	246
[30]	247	/* REGF block */
[97]	248	typedef struct
	249	{
[53]	250	/* run time information */
[54]	251	int fd; /* file descriptor */
[97]	252	/* For sanity checking (not part of the registry header) */
	253	uint32 file_length;
[84]	254	void* mem_ctx; /* memory context for run-time file access information */
[99]	255
	256	/* Experimental hbin lists */
	257	range_list* hbins;
	258
[108]	259	/* file format information */
[97]	260	uint8 magic[REGF_MAGIC_SIZE];/* "regf" */
[84]	261	NTTIME mtime;
[54]	262	uint32 data_offset; /* offset to record in the first (or any?)
	263	* hbin block
	264	*/
[53]	265	uint32 last_block; /* offset to last hbin block in file */
[97]	266
	267	uint32 checksum; /* Stored checksum. */
	268	uint32 computed_checksum; /* Our own calculation of the checksum.
	269	* (XOR of bytes 0x0000 - 0x01FB)
	270	*/
[53]	271
[97]	272	/* unknown data structure values */
[53]	273	uint32 unknown1;
	274	uint32 unknown2;
	275	uint32 unknown3;
	276	uint32 unknown4;
	277	uint32 unknown5;
	278	uint32 unknown6;
[97]	279	uint32 unknown7;
[53]	280	} REGF_FILE;
[30]	281
	282
[97]	283
	284	typedef struct
	285	{
[78]	286	REGF_FILE* f;
[80]	287	void_stack* key_positions;
[109]	288	lru_cache* sk_recs;
[80]	289	REGF_NK_REC* cur_key;
[78]	290	uint32 cur_subkey;
	291	uint32 cur_value;
	292	} REGFI_ITERATOR;
	293
[80]	294
[97]	295	typedef struct
	296	{
[80]	297	REGF_NK_REC* nk;
	298	uint32 cur_subkey;
	299	/* We could store a cur_value here as well, but didn't see
	300	* the use in it right now.
	301	*/
	302	} REGFI_ITER_POSITION;
	303
	304
[54]	305	/******************************************************************************/
[30]	306	/* Function Declarations */
[99]	307	/* Main API */
[84]	308	const char* regfi_type_val2str(unsigned int val);
	309	int regfi_type_str2val(const char* str);
[32]	310
[84]	311	char* regfi_get_sacl(SEC_DESC* sec_desc);
	312	char* regfi_get_dacl(SEC_DESC* sec_desc);
	313	char* regfi_get_owner(SEC_DESC* sec_desc);
	314	char* regfi_get_group(SEC_DESC* sec_desc);
[53]	315
[110]	316	REGF_FILE* regfi_open(const char* filename);
[84]	317	int regfi_close(REGF_FILE* r);
[30]	318
[84]	319	REGFI_ITERATOR* regfi_iterator_new(REGF_FILE* fh);
	320	void regfi_iterator_free(REGFI_ITERATOR* i);
	321	bool regfi_iterator_down(REGFI_ITERATOR* i);
	322	bool regfi_iterator_up(REGFI_ITERATOR* i);
	323	bool regfi_iterator_to_root(REGFI_ITERATOR* i);
[30]	324
[84]	325	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i,
	326	const char* subkey_name);
	327	bool regfi_iterator_walk_path(REGFI_ITERATOR* i,
	328	const char** path);
	329	const REGF_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i);
[109]	330	const REGF_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i);
[84]	331	const REGF_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i);
	332	const REGF_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i);
	333	const REGF_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i);
[80]	334
[84]	335	bool regfi_iterator_find_value(REGFI_ITERATOR* i,
	336	const char* value_name);
	337	const REGF_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i);
	338	const REGF_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i);
	339	const REGF_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i);
[80]	340
[99]	341	/************************************/
	342	/* Low-layer data structure access */
	343	/************************************/
	344	REGF_FILE* regfi_parse_regf(int fd, bool strict);
	345	REGF_HBIN* regfi_parse_hbin(REGF_FILE* file, uint32 offset,
[110]	346	bool strict);
[80]	347
[99]	348
	349	/* regfi_parse_nk: Parses an NK record.
	350	*
	351	* Arguments:
	352	* f -- the registry file structure
	353	* offset -- the offset of the cell (not the record) to be parsed.
	354	* max_size -- the maximum size the NK cell could be. (for validation)
	355	* strict -- if true, rejects any malformed records. Otherwise,
	356	* tries to minimally validate integrity.
	357	* Returns:
	358	* A newly allocated NK record structure, or NULL on failure.
	359	*/
	360	REGF_NK_REC* regfi_parse_nk(REGF_FILE* file, uint32 offset,
	361	uint32 max_size, bool strict);
	362
	363
[84]	364	/* Private Functions */
	365	REGF_NK_REC* regfi_rootkey(REGF_FILE* file);
	366	void regfi_key_free(REGF_NK_REC* nk);
[99]	367	uint32 regfi_read(int fd, uint8* buf, uint32* length);
[78]	368
[84]	369
[97]	370
	371	/****************/
	372	/* Experimental */
	373	/****************/
[105]	374	REGF_NK_REC* regfi_load_key(REGF_FILE* file, uint32 offset, bool strict);
	375
[104]	376	REGF_HASH_LIST* regfi_load_hashlist(REGF_FILE* file, uint32 offset,
[105]	377	uint32 num_keys, uint32 max_size,
	378	bool strict);
[97]	379
[103]	380	REGF_VK_REC** regfi_load_valuelist(REGF_FILE* file, uint32 offset,
[105]	381	uint32 num_values, uint32 max_size,
	382	bool strict);
[103]	383
[101]	384	REGF_VK_REC* regfi_parse_vk(REGF_FILE* file, uint32 offset,
	385	uint32 max_size, bool strict);
[103]	386
[101]	387	uint8* regfi_parse_data(REGF_FILE* file, uint32 offset,
	388	uint32 length, bool strict);
[97]	389
[111]	390	REGF_SK_REC* regfi_parse_sk(REGF_FILE* file, uint32 offset, uint32 max_size, bool strict);
	391
[110]	392	range_list* regfi_parse_unalloc_cells(REGF_FILE* file);
[101]	393
[111]	394	REGF_HBIN* regfi_lookup_hbin(REGF_FILE* file, uint32 offset);
	395
	396	bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len,
	397	uint32* cell_length, bool* unalloc);
	398
[78]	399	#endif /* _REGFI_H */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: