[30] | 1 | /* |
---|
| 2 | * Branched from Samba project, Subversion repository version #6903: |
---|
[84] | 3 | * http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/include/regfio.h?rev=6903&view=auto |
---|
[30] | 4 | * |
---|
| 5 | * Unix SMB/CIFS implementation. |
---|
| 6 | * Windows NT registry I/O library |
---|
| 7 | * |
---|
[132] | 8 | * Copyright (C) 2005-2009 Timothy D. Morgan |
---|
[30] | 9 | * Copyright (C) 2005 Gerald (Jerry) Carter |
---|
| 10 | * |
---|
| 11 | * This program is free software; you can redistribute it and/or modify |
---|
| 12 | * it under the terms of the GNU General Public License as published by |
---|
| 13 | * the Free Software Foundation; version 2 of the License. |
---|
| 14 | * |
---|
| 15 | * This program is distributed in the hope that it will be useful, |
---|
| 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 18 | * GNU General Public License for more details. |
---|
| 19 | * |
---|
| 20 | * You should have received a copy of the GNU General Public License |
---|
| 21 | * along with this program; if not, write to the Free Software |
---|
| 22 | * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
---|
| 23 | * |
---|
| 24 | * $Id: regfi.h 132 2009-01-11 21:44:33Z tim $ |
---|
| 25 | */ |
---|
| 26 | |
---|
| 27 | /************************************************************ |
---|
| 28 | * Most of this information was obtained from |
---|
| 29 | * http://www.wednesday.demon.co.uk/dosreg.html |
---|
| 30 | * Thanks Nigel! |
---|
| 31 | ***********************************************************/ |
---|
| 32 | |
---|
[78] | 33 | #ifndef _REGFI_H |
---|
| 34 | #define _REGFI_H |
---|
[30] | 35 | |
---|
[31] | 36 | #include <stdlib.h> |
---|
| 37 | #include <stdio.h> |
---|
[30] | 38 | #include <stdbool.h> |
---|
[31] | 39 | #include <string.h> |
---|
[30] | 40 | #include <errno.h> |
---|
[31] | 41 | #include <time.h> |
---|
[30] | 42 | #include <fcntl.h> |
---|
| 43 | #include <sys/stat.h> |
---|
| 44 | #include <sys/types.h> |
---|
| 45 | #include <unistd.h> |
---|
| 46 | #include <assert.h> |
---|
| 47 | |
---|
| 48 | #include "smb_deps.h" |
---|
[132] | 49 | #include "winsec.h" |
---|
[78] | 50 | #include "void_stack.h" |
---|
[99] | 51 | #include "range_list.h" |
---|
[108] | 52 | #include "lru_cache.h" |
---|
[30] | 53 | |
---|
| 54 | /******************************************************************************/ |
---|
| 55 | /* Macros */ |
---|
| 56 | |
---|
[32] | 57 | /* Registry data types */ |
---|
| 58 | #define REG_NONE 0 |
---|
| 59 | #define REG_SZ 1 |
---|
| 60 | #define REG_EXPAND_SZ 2 |
---|
| 61 | #define REG_BINARY 3 |
---|
| 62 | #define REG_DWORD 4 |
---|
[54] | 63 | #define REG_DWORD_LE 4 /* DWORD, little endian */ |
---|
| 64 | #define REG_DWORD_BE 5 /* DWORD, big endian */ |
---|
[32] | 65 | #define REG_LINK 6 |
---|
| 66 | #define REG_MULTI_SZ 7 |
---|
| 67 | #define REG_RESOURCE_LIST 8 |
---|
| 68 | #define REG_FULL_RESOURCE_DESCRIPTOR 9 |
---|
| 69 | #define REG_RESOURCE_REQUIREMENTS_LIST 10 |
---|
[72] | 70 | #define REG_QWORD 11 /* 64-bit little endian */ |
---|
| 71 | /* XXX: Has MS defined a REG_QWORD_BE? */ |
---|
[32] | 72 | /* Not a real type in the registry */ |
---|
[81] | 73 | #define REG_KEY 0x7FFFFFFF |
---|
[32] | 74 | |
---|
[116] | 75 | #define REGF_BLOCKSIZE 0x1000 |
---|
| 76 | #define REGF_ALLOC_BLOCK 0x1000 /* Minimum allocation unit for HBINs */ |
---|
| 77 | #define REGF_MAX_DEPTH 512 |
---|
[30] | 78 | |
---|
| 79 | /* header sizes for various records */ |
---|
[116] | 80 | #define REGF_MAGIC_SIZE 4 |
---|
| 81 | #define HBIN_MAGIC_SIZE 4 |
---|
| 82 | #define HBIN_HEADER_REC_SIZE 0x20 |
---|
| 83 | #define REC_HDR_SIZE 2 |
---|
[30] | 84 | |
---|
[116] | 85 | #define REGF_OFFSET_NONE 0xffffffff |
---|
| 86 | #define REGFI_NK_MIN_LENGTH 0x4C |
---|
| 87 | #define REGFI_VK_MIN_LENGTH 0x14 |
---|
| 88 | #define REGFI_SK_MIN_LENGTH 0x14 |
---|
[127] | 89 | #define REGFI_SUBKEY_LIST_MIN_LEN 0x4 |
---|
[30] | 90 | |
---|
[116] | 91 | /* Constants used for validation */ |
---|
[125] | 92 | /* XXX: Can we add clock resolution validation as well as range? It has |
---|
| 93 | * been reported that Windows timestamps are never more than a |
---|
| 94 | * certain granularity (250ms?), which could be used to help |
---|
| 95 | * eliminate false positives. Would need to validate this and |
---|
| 96 | * perhaps conservatively implement a check. |
---|
| 97 | */ |
---|
[116] | 98 | /* Minimum time is Jan 1, 1990 00:00:00 */ |
---|
| 99 | #define REGFI_MTIME_MIN_HIGH 0x01B41E6D |
---|
| 100 | #define REGFI_MTIME_MIN_LOW 0x26F98000 |
---|
| 101 | /* Maximum time is Jan 1, 2290 00:00:00 |
---|
| 102 | * (We hope no one is using Windows by then...) |
---|
| 103 | */ |
---|
| 104 | #define REGFI_MTIME_MAX_HIGH 0x03047543 |
---|
| 105 | #define REGFI_MTIME_MAX_LOW 0xC80A4000 |
---|
[30] | 106 | |
---|
[116] | 107 | |
---|
[30] | 108 | /* Flags for the vk records */ |
---|
[116] | 109 | #define VK_FLAG_NAME_PRESENT 0x0001 |
---|
| 110 | #define VK_DATA_IN_OFFSET 0x80000000 |
---|
| 111 | #define VK_MAX_DATA_LENGTH 1024*1024 |
---|
[30] | 112 | |
---|
[116] | 113 | /* NK record types */ |
---|
| 114 | #define NK_TYPE_LINKKEY 0x0010 |
---|
| 115 | #define NK_TYPE_NORMALKEY 0x0020 |
---|
[128] | 116 | #define NK_TYPE_ROOTKEY1 0x002c |
---|
| 117 | #define NK_TYPE_ROOTKEY2 0x00ac |
---|
[125] | 118 | /* XXX: Unknown type that shows up in Vista registries */ |
---|
[121] | 119 | #define NK_TYPE_UNKNOWN1 0x1020 |
---|
[30] | 120 | |
---|
| 121 | |
---|
| 122 | /* HBIN block */ |
---|
[97] | 123 | typedef struct regf_hbin |
---|
| 124 | { |
---|
[53] | 125 | uint32 file_off; /* my offset in the registry file */ |
---|
[84] | 126 | uint32 ref_count; /* how many active records are pointing to this |
---|
[54] | 127 | * block (not used currently) |
---|
| 128 | */ |
---|
[84] | 129 | |
---|
[53] | 130 | uint32 first_hbin_off; /* offset from first hbin block */ |
---|
[97] | 131 | uint32 block_size; /* block size of this block |
---|
| 132 | * Should be a multiple of 4096 (0x1000) |
---|
[54] | 133 | */ |
---|
[99] | 134 | uint32 next_block; /* relative offset to next block. |
---|
| 135 | * NOTE: This value may be unreliable! |
---|
[97] | 136 | */ |
---|
| 137 | |
---|
| 138 | uint8 magic[HBIN_MAGIC_SIZE]; /* "hbin" */ |
---|
[30] | 139 | } REGF_HBIN; |
---|
| 140 | |
---|
[97] | 141 | |
---|
[127] | 142 | /* Subkey List -- list of key offsets and hashed names for consistency */ |
---|
[97] | 143 | typedef struct |
---|
| 144 | { |
---|
[53] | 145 | uint32 nk_off; |
---|
[104] | 146 | uint32 hash; |
---|
[127] | 147 | } REGF_SUBKEY_LIST_ELEM; |
---|
[30] | 148 | |
---|
[97] | 149 | |
---|
| 150 | typedef struct |
---|
| 151 | { |
---|
[104] | 152 | uint32 offset; /* Real offset of this record's cell in the file */ |
---|
| 153 | uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */ |
---|
[127] | 154 | uint32 num_keys; |
---|
| 155 | REGF_SUBKEY_LIST_ELEM* elements; |
---|
[53] | 156 | |
---|
[104] | 157 | uint8 magic[REC_HDR_SIZE]; |
---|
[127] | 158 | } REGF_SUBKEY_LIST; |
---|
[30] | 159 | |
---|
[97] | 160 | |
---|
[30] | 161 | /* Key Value */ |
---|
[97] | 162 | typedef struct |
---|
| 163 | { |
---|
[101] | 164 | uint32 offset; /* Real offset of this record's cell in the file */ |
---|
| 165 | uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */ |
---|
| 166 | |
---|
[84] | 167 | REGF_HBIN* hbin; /* pointer to HBIN record (in memory) containing |
---|
[54] | 168 | * this nk record |
---|
| 169 | */ |
---|
[101] | 170 | uint8* data; |
---|
| 171 | uint16 name_length; |
---|
[84] | 172 | char* valuename; |
---|
[53] | 173 | uint32 hbin_off; /* offset from beginning of this hbin block */ |
---|
| 174 | |
---|
| 175 | uint32 data_size; |
---|
[101] | 176 | uint32 data_off; /* offset of data cell (virtual) */ |
---|
[53] | 177 | uint32 type; |
---|
[101] | 178 | uint8 magic[REC_HDR_SIZE]; |
---|
[53] | 179 | uint16 flag; |
---|
[101] | 180 | uint16 unknown1; |
---|
[111] | 181 | bool data_in_offset; |
---|
[30] | 182 | } REGF_VK_REC; |
---|
| 183 | |
---|
| 184 | |
---|
| 185 | /* Key Security */ |
---|
| 186 | struct _regf_sk_rec; |
---|
| 187 | |
---|
[97] | 188 | typedef struct _regf_sk_rec |
---|
| 189 | { |
---|
[111] | 190 | uint32 offset; /* Real file offset of this record */ |
---|
| 191 | uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */ |
---|
| 192 | |
---|
[84] | 193 | SEC_DESC* sec_desc; |
---|
[53] | 194 | uint32 hbin_off; /* offset from beginning of this hbin block */ |
---|
| 195 | |
---|
[54] | 196 | uint32 sk_off; /* offset parsed from NK record used as a key |
---|
| 197 | * to lookup reference to this SK record |
---|
| 198 | */ |
---|
[53] | 199 | |
---|
| 200 | uint32 prev_sk_off; |
---|
| 201 | uint32 next_sk_off; |
---|
| 202 | uint32 ref_count; |
---|
[102] | 203 | uint32 desc_size; /* size of security descriptor */ |
---|
| 204 | uint16 unknown_tag; |
---|
| 205 | uint8 magic[REC_HDR_SIZE]; |
---|
[30] | 206 | } REGF_SK_REC; |
---|
| 207 | |
---|
[81] | 208 | |
---|
[104] | 209 | /* Key Name */ |
---|
| 210 | typedef struct |
---|
[97] | 211 | { |
---|
[99] | 212 | uint32 offset; /* Real offset of this record's cell in the file */ |
---|
| 213 | uint32 cell_size; /* Actual or estimated length of the cell. |
---|
| 214 | * Always in multiples of 8. |
---|
| 215 | */ |
---|
[84] | 216 | |
---|
| 217 | /* link in the other records here */ |
---|
[101] | 218 | REGF_VK_REC** values; |
---|
[127] | 219 | REGF_SUBKEY_LIST* subkeys; |
---|
[53] | 220 | |
---|
| 221 | /* header information */ |
---|
[112] | 222 | uint16 key_type; |
---|
[101] | 223 | uint8 magic[REC_HDR_SIZE]; |
---|
[53] | 224 | NTTIME mtime; |
---|
[99] | 225 | uint16 name_length; |
---|
| 226 | uint16 classname_length; |
---|
[84] | 227 | char* classname; |
---|
| 228 | char* keyname; |
---|
[125] | 229 | uint32 parent_off; /* pointer to parent key */ |
---|
| 230 | uint32 classname_off; |
---|
[53] | 231 | |
---|
| 232 | /* max lengths */ |
---|
[54] | 233 | uint32 max_bytes_subkeyname; /* max subkey name * 2 */ |
---|
| 234 | uint32 max_bytes_subkeyclassname; /* max subkey classname length (as if) */ |
---|
| 235 | uint32 max_bytes_valuename; /* max valuename * 2 */ |
---|
| 236 | uint32 max_bytes_value; /* max value data size */ |
---|
[53] | 237 | |
---|
| 238 | /* unknowns */ |
---|
[99] | 239 | uint32 unknown1; |
---|
| 240 | uint32 unknown2; |
---|
| 241 | uint32 unknown3; |
---|
[54] | 242 | uint32 unk_index; /* nigel says run time index ? */ |
---|
[53] | 243 | |
---|
| 244 | /* children */ |
---|
| 245 | uint32 num_subkeys; |
---|
[127] | 246 | uint32 subkeys_off; /* offset of subkey list that points to NK records */ |
---|
[53] | 247 | uint32 num_values; |
---|
| 248 | uint32 values_off; /* value lists which point to VK records */ |
---|
[127] | 249 | uint32 sk_off; /* offset to SK record */ |
---|
[30] | 250 | } REGF_NK_REC; |
---|
| 251 | |
---|
[81] | 252 | |
---|
[97] | 253 | |
---|
[30] | 254 | /* REGF block */ |
---|
[97] | 255 | typedef struct |
---|
| 256 | { |
---|
[53] | 257 | /* run time information */ |
---|
[54] | 258 | int fd; /* file descriptor */ |
---|
[97] | 259 | /* For sanity checking (not part of the registry header) */ |
---|
| 260 | uint32 file_length; |
---|
[84] | 261 | void* mem_ctx; /* memory context for run-time file access information */ |
---|
[99] | 262 | |
---|
| 263 | /* Experimental hbin lists */ |
---|
| 264 | range_list* hbins; |
---|
| 265 | |
---|
[108] | 266 | /* file format information */ |
---|
[97] | 267 | uint8 magic[REGF_MAGIC_SIZE];/* "regf" */ |
---|
[84] | 268 | NTTIME mtime; |
---|
[54] | 269 | uint32 data_offset; /* offset to record in the first (or any?) |
---|
| 270 | * hbin block |
---|
| 271 | */ |
---|
[53] | 272 | uint32 last_block; /* offset to last hbin block in file */ |
---|
[97] | 273 | |
---|
| 274 | uint32 checksum; /* Stored checksum. */ |
---|
| 275 | uint32 computed_checksum; /* Our own calculation of the checksum. |
---|
| 276 | * (XOR of bytes 0x0000 - 0x01FB) |
---|
| 277 | */ |
---|
[53] | 278 | |
---|
[97] | 279 | /* unknown data structure values */ |
---|
[53] | 280 | uint32 unknown1; |
---|
| 281 | uint32 unknown2; |
---|
| 282 | uint32 unknown3; |
---|
| 283 | uint32 unknown4; |
---|
| 284 | uint32 unknown5; |
---|
| 285 | uint32 unknown6; |
---|
[97] | 286 | uint32 unknown7; |
---|
[53] | 287 | } REGF_FILE; |
---|
[30] | 288 | |
---|
| 289 | |
---|
[97] | 290 | |
---|
| 291 | typedef struct |
---|
| 292 | { |
---|
[78] | 293 | REGF_FILE* f; |
---|
[80] | 294 | void_stack* key_positions; |
---|
[109] | 295 | lru_cache* sk_recs; |
---|
[80] | 296 | REGF_NK_REC* cur_key; |
---|
[78] | 297 | uint32 cur_subkey; |
---|
| 298 | uint32 cur_value; |
---|
| 299 | } REGFI_ITERATOR; |
---|
| 300 | |
---|
[80] | 301 | |
---|
[97] | 302 | typedef struct |
---|
| 303 | { |
---|
[80] | 304 | REGF_NK_REC* nk; |
---|
| 305 | uint32 cur_subkey; |
---|
| 306 | /* We could store a cur_value here as well, but didn't see |
---|
| 307 | * the use in it right now. |
---|
| 308 | */ |
---|
| 309 | } REGFI_ITER_POSITION; |
---|
| 310 | |
---|
| 311 | |
---|
[54] | 312 | /******************************************************************************/ |
---|
[30] | 313 | /* Function Declarations */ |
---|
[99] | 314 | /* Main API */ |
---|
[84] | 315 | const char* regfi_type_val2str(unsigned int val); |
---|
| 316 | int regfi_type_str2val(const char* str); |
---|
[32] | 317 | |
---|
[84] | 318 | char* regfi_get_sacl(SEC_DESC* sec_desc); |
---|
| 319 | char* regfi_get_dacl(SEC_DESC* sec_desc); |
---|
| 320 | char* regfi_get_owner(SEC_DESC* sec_desc); |
---|
| 321 | char* regfi_get_group(SEC_DESC* sec_desc); |
---|
[53] | 322 | |
---|
[110] | 323 | REGF_FILE* regfi_open(const char* filename); |
---|
[84] | 324 | int regfi_close(REGF_FILE* r); |
---|
[30] | 325 | |
---|
[84] | 326 | REGFI_ITERATOR* regfi_iterator_new(REGF_FILE* fh); |
---|
| 327 | void regfi_iterator_free(REGFI_ITERATOR* i); |
---|
| 328 | bool regfi_iterator_down(REGFI_ITERATOR* i); |
---|
| 329 | bool regfi_iterator_up(REGFI_ITERATOR* i); |
---|
| 330 | bool regfi_iterator_to_root(REGFI_ITERATOR* i); |
---|
[30] | 331 | |
---|
[84] | 332 | bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, |
---|
| 333 | const char* subkey_name); |
---|
| 334 | bool regfi_iterator_walk_path(REGFI_ITERATOR* i, |
---|
| 335 | const char** path); |
---|
| 336 | const REGF_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i); |
---|
[109] | 337 | const REGF_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i); |
---|
[84] | 338 | const REGF_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i); |
---|
| 339 | const REGF_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i); |
---|
| 340 | const REGF_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i); |
---|
[80] | 341 | |
---|
[84] | 342 | bool regfi_iterator_find_value(REGFI_ITERATOR* i, |
---|
| 343 | const char* value_name); |
---|
| 344 | const REGF_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i); |
---|
| 345 | const REGF_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i); |
---|
| 346 | const REGF_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i); |
---|
[80] | 347 | |
---|
[127] | 348 | |
---|
| 349 | /********************************************************/ |
---|
| 350 | /* Middle-layer structure caching, loading, and linking */ |
---|
| 351 | /********************************************************/ |
---|
| 352 | REGF_HBIN* regfi_lookup_hbin(REGF_FILE* file, uint32 offset); |
---|
| 353 | |
---|
| 354 | REGF_NK_REC* regfi_load_key(REGF_FILE* file, uint32 offset, bool strict); |
---|
| 355 | |
---|
| 356 | REGF_SUBKEY_LIST* regfi_load_subkeylist(REGF_FILE* file, uint32 offset, |
---|
| 357 | uint32 num_keys, uint32 max_size, |
---|
| 358 | bool strict); |
---|
| 359 | |
---|
| 360 | REGF_VK_REC** regfi_load_valuelist(REGF_FILE* file, uint32 offset, |
---|
| 361 | uint32 num_values, uint32 max_size, |
---|
| 362 | bool strict); |
---|
| 363 | |
---|
| 364 | REGF_SUBKEY_LIST* regfi_merge_subkeylists(uint16 num_lists, |
---|
| 365 | REGF_SUBKEY_LIST** lists, |
---|
| 366 | bool strict); |
---|
| 367 | |
---|
[99] | 368 | /************************************/ |
---|
| 369 | /* Low-layer data structure access */ |
---|
| 370 | /************************************/ |
---|
| 371 | REGF_FILE* regfi_parse_regf(int fd, bool strict); |
---|
| 372 | REGF_HBIN* regfi_parse_hbin(REGF_FILE* file, uint32 offset, |
---|
[110] | 373 | bool strict); |
---|
[80] | 374 | |
---|
[99] | 375 | |
---|
| 376 | /* regfi_parse_nk: Parses an NK record. |
---|
| 377 | * |
---|
| 378 | * Arguments: |
---|
| 379 | * f -- the registry file structure |
---|
| 380 | * offset -- the offset of the cell (not the record) to be parsed. |
---|
| 381 | * max_size -- the maximum size the NK cell could be. (for validation) |
---|
| 382 | * strict -- if true, rejects any malformed records. Otherwise, |
---|
| 383 | * tries to minimally validate integrity. |
---|
| 384 | * Returns: |
---|
| 385 | * A newly allocated NK record structure, or NULL on failure. |
---|
| 386 | */ |
---|
| 387 | REGF_NK_REC* regfi_parse_nk(REGF_FILE* file, uint32 offset, |
---|
| 388 | uint32 max_size, bool strict); |
---|
| 389 | |
---|
[101] | 390 | REGF_VK_REC* regfi_parse_vk(REGF_FILE* file, uint32 offset, |
---|
| 391 | uint32 max_size, bool strict); |
---|
[103] | 392 | |
---|
[101] | 393 | uint8* regfi_parse_data(REGF_FILE* file, uint32 offset, |
---|
[131] | 394 | uint32 length, uint32 max_size, bool strict); |
---|
[97] | 395 | |
---|
[111] | 396 | REGF_SK_REC* regfi_parse_sk(REGF_FILE* file, uint32 offset, uint32 max_size, bool strict); |
---|
| 397 | |
---|
[110] | 398 | range_list* regfi_parse_unalloc_cells(REGF_FILE* file); |
---|
[101] | 399 | |
---|
[111] | 400 | bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len, |
---|
| 401 | uint32* cell_length, bool* unalloc); |
---|
| 402 | |
---|
[126] | 403 | char* regfi_parse_classname(REGF_FILE* file, uint32 offset, |
---|
[131] | 404 | uint16* name_length, uint32 max_size, bool strict); |
---|
[126] | 405 | |
---|
[127] | 406 | |
---|
| 407 | /* Private Functions */ |
---|
| 408 | REGF_NK_REC* regfi_rootkey(REGF_FILE* file); |
---|
| 409 | void regfi_key_free(REGF_NK_REC* nk); |
---|
| 410 | void regfi_subkeylist_free(REGF_SUBKEY_LIST* list); |
---|
| 411 | uint32 regfi_read(int fd, uint8* buf, uint32* length); |
---|
| 412 | |
---|
| 413 | |
---|
[78] | 414 | #endif /* _REGFI_H */ |
---|