Context Navigation

regfi.h @ 138

Last change on this file since 138 was 138, checked in by tim, 16 years ago

extended error message logging to allow for message type filtering

fine tuned message verbosity to more reasonable default levels for reglookup and reglookup-recover

updated related documentation

Property svn:keywords set to Id

File size: 15.2 KB

Rev	Line
[30]	1	/*
[134]	2	* Branched from Samba project Subversion repository, version #6903:
[84]	3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/include/regfio.h?rev=6903&view=auto
[30]	4	*
[134]	5	* Windows NT (and later) registry parsing library
[30]	6	*
[132]	7	* Copyright (C) 2005-2009 Timothy D. Morgan
[30]	8	* Copyright (C) 2005 Gerald (Jerry) Carter
	9	*
	10	* This program is free software; you can redistribute it and/or modify
	11	* it under the terms of the GNU General Public License as published by
[134]	12	* the Free Software Foundation; version 3 of the License.
[30]	13	*
	14	* This program is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	17	* GNU General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU General Public License
	20	* along with this program; if not, write to the Free Software
	21	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	22	*
	23	* $Id: regfi.h 138 2009-02-08 19:53:48Z tim $
	24	*/
	25
	26	/************************************************************
	27	* Most of this information was obtained from
	28	* http://www.wednesday.demon.co.uk/dosreg.html
	29	* Thanks Nigel!
	30	***********************************************************/
	31
[78]	32	#ifndef _REGFI_H
	33	#define _REGFI_H
[30]	34
[31]	35	#include <stdlib.h>
	36	#include <stdio.h>
[30]	37	#include <stdbool.h>
[136]	38	#include <stdarg.h>
[31]	39	#include <string.h>
[30]	40	#include <errno.h>
[31]	41	#include <time.h>
[30]	42	#include <fcntl.h>
	43	#include <sys/stat.h>
	44	#include <sys/types.h>
	45	#include <unistd.h>
	46	#include <assert.h>
	47
	48	#include "smb_deps.h"
[132]	49	#include "winsec.h"
[78]	50	#include "void_stack.h"
[99]	51	#include "range_list.h"
[108]	52	#include "lru_cache.h"
[30]	53
	54	/******************************************************************************/
[138]	55
	56	/* regfi library error message types */
	57	#define REGFI_MSG_INFO 0x0001
	58	#define REGFI_MSG_WARN 0x0004
	59	#define REGFI_MSG_ERROR 0x0010
	60
[32]	61	/* Registry data types */
	62	#define REG_NONE 0
	63	#define REG_SZ 1
	64	#define REG_EXPAND_SZ 2
	65	#define REG_BINARY 3
	66	#define REG_DWORD 4
[54]	67	#define REG_DWORD_LE 4 /* DWORD, little endian */
	68	#define REG_DWORD_BE 5 /* DWORD, big endian */
[32]	69	#define REG_LINK 6
	70	#define REG_MULTI_SZ 7
	71	#define REG_RESOURCE_LIST 8
	72	#define REG_FULL_RESOURCE_DESCRIPTOR 9
	73	#define REG_RESOURCE_REQUIREMENTS_LIST 10
[72]	74	#define REG_QWORD 11 /* 64-bit little endian */
	75	/* XXX: Has MS defined a REG_QWORD_BE? */
[32]	76	/* Not a real type in the registry */
[136]	77	#define REG_KEY 0x7FFFFFFF
[32]	78
[135]	79	#define REGFI_REGF_SIZE 0x1000 /* "regf" header block size */
	80	#define REGFI_HBIN_ALLOC 0x1000 /* Minimum allocation unit for HBINs */
	81	#define REGFI_MAX_DEPTH 512
	82	#define REGFI_OFFSET_NONE 0xffffffff
[30]	83
[135]	84	/* Header sizes and magic number lengths for various records */
	85	#define REGFI_REGF_MAGIC_SIZE 4
	86	#define REGFI_HBIN_MAGIC_SIZE 4
	87	#define REGFI_CELL_MAGIC_SIZE 2
	88	#define REGFI_HBIN_HEADER_SIZE 0x20
[116]	89	#define REGFI_NK_MIN_LENGTH 0x4C
	90	#define REGFI_VK_MIN_LENGTH 0x14
	91	#define REGFI_SK_MIN_LENGTH 0x14
[127]	92	#define REGFI_SUBKEY_LIST_MIN_LEN 0x4
[30]	93
[135]	94
[116]	95	/* Constants used for validation */
[125]	96	/* XXX: Can we add clock resolution validation as well as range? It has
	97	* been reported that Windows timestamps are never more than a
	98	* certain granularity (250ms?), which could be used to help
	99	* eliminate false positives. Would need to validate this and
	100	* perhaps conservatively implement a check.
	101	*/
[116]	102	/* Minimum time is Jan 1, 1990 00:00:00 */
	103	#define REGFI_MTIME_MIN_HIGH 0x01B41E6D
	104	#define REGFI_MTIME_MIN_LOW 0x26F98000
	105	/* Maximum time is Jan 1, 2290 00:00:00
	106	* (We hope no one is using Windows by then...)
	107	*/
	108	#define REGFI_MTIME_MAX_HIGH 0x03047543
	109	#define REGFI_MTIME_MAX_LOW 0xC80A4000
[30]	110
[116]	111
[30]	112	/* Flags for the vk records */
[135]	113	#define REGFI_VK_FLAG_NAME_PRESENT 0x0001
	114	#define REGFI_VK_DATA_IN_OFFSET 0x80000000
	115	#define REGFI_VK_MAX_DATA_LENGTH 1024*1024
[30]	116
[137]	117
[116]	118	/* NK record types */
[137]	119	/* XXX: This is starting to look like this is a flags field.
	120	* Need to decipher the meaning of each flag.
	121	*/
[135]	122	#define REGFI_NK_TYPE_LINKKEY 0x0010
	123	#define REGFI_NK_TYPE_NORMALKEY 0x0020
	124	/* XXX: Unknown key type that shows up in Vista registries */
	125	#define REGFI_NK_TYPE_UNKNOWN1 0x1020
[137]	126	/* XXX: Unknown key types that shows up in W2K3 registries */
	127	#define REGFI_NK_TYPE_UNKNOWN2 0x4020
	128	#define REGFI_NK_TYPE_UNKNOWN3 0x0000 /* XXX: This type seems to have UTF-16 names!!! */
[135]	129	#define REGFI_NK_TYPE_ROOTKEY1 0x002c
	130	/* XXX: Unknown root key type that shows up in Vista registries */
	131	#define REGFI_NK_TYPE_ROOTKEY2 0x00ac
[30]	132
[137]	133	#if 0
	134	/* Initial hypothesis of NK flags: */
	135	#define REGFI_NK_FLAG_LINK 0x0010
	136	/* The name will be in ASCII if this next bit is set, otherwise UTF-16LE */
	137	#define REGFI_NK_FLAG_ASCIINAME 0x0020
	138	/* These next two combine to form the "c" on both known root key types */
	139	#define REGFI_NK_FLAG_ROOT1 0x0008
	140	#define REGFI_NK_FLAG_ROOT2 0x0004
	141	/* These next two show up on normal-seeming keys in Vista and W2K3 registries */
	142	#define REGFI_NK_FLAG_UNKNOWN1 0x4000
	143	#define REGFI_NK_FLAG_UNKNOWN2 0x1000
	144	/* This next one shows up on root keys in some Vista "software" registries */
	145	#define REGFI_NK_FLAG_UNKNOWN3 0x0080
	146	#endif
[30]	147
[137]	148
	149
[30]	150	/* HBIN block */
[135]	151	typedef struct _regfi_hbin
[97]	152	{
[53]	153	uint32 file_off; /* my offset in the registry file */
[84]	154	uint32 ref_count; /* how many active records are pointing to this
[54]	155	* block (not used currently)
	156	*/
[84]	157
[53]	158	uint32 first_hbin_off; /* offset from first hbin block */
[97]	159	uint32 block_size; /* block size of this block
	160	* Should be a multiple of 4096 (0x1000)
[54]	161	*/
[99]	162	uint32 next_block; /* relative offset to next block.
	163	* NOTE: This value may be unreliable!
[97]	164	*/
	165
[135]	166	uint8 magic[REGFI_HBIN_MAGIC_SIZE]; /* "hbin" */
	167	} REGFI_HBIN;
[30]	168
[97]	169
[127]	170	/* Subkey List -- list of key offsets and hashed names for consistency */
[97]	171	typedef struct
	172	{
[53]	173	uint32 nk_off;
[104]	174	uint32 hash;
[135]	175	} REGFI_SUBKEY_LIST_ELEM;
[30]	176
[97]	177
	178	typedef struct
	179	{
[104]	180	uint32 offset; /* Real offset of this record's cell in the file */
	181	uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */
[127]	182	uint32 num_keys;
[135]	183	REGFI_SUBKEY_LIST_ELEM* elements;
[53]	184
[135]	185	uint8 magic[REGFI_CELL_MAGIC_SIZE];
	186	} REGFI_SUBKEY_LIST;
[30]	187
[97]	188
[30]	189	/* Key Value */
[97]	190	typedef struct
	191	{
[101]	192	uint32 offset; /* Real offset of this record's cell in the file */
	193	uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */
	194
[135]	195	REGFI_HBIN* hbin; /* pointer to HBIN record (in memory) containing
[54]	196	* this nk record
	197	*/
[101]	198	uint8* data;
	199	uint16 name_length;
[84]	200	char* valuename;
[53]	201	uint32 hbin_off; /* offset from beginning of this hbin block */
	202
	203	uint32 data_size;
[101]	204	uint32 data_off; /* offset of data cell (virtual) */
[53]	205	uint32 type;
[135]	206	uint8 magic[REGFI_CELL_MAGIC_SIZE];
[53]	207	uint16 flag;
[101]	208	uint16 unknown1;
[111]	209	bool data_in_offset;
[135]	210	} REGFI_VK_REC;
[30]	211
	212
	213	/* Key Security */
[135]	214	struct _regfi_sk_rec;
[30]	215
[135]	216	typedef struct _regfi_sk_rec
[97]	217	{
[111]	218	uint32 offset; /* Real file offset of this record */
	219	uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */
	220
[134]	221	WINSEC_DESC* sec_desc;
[53]	222	uint32 hbin_off; /* offset from beginning of this hbin block */
	223
[54]	224	uint32 sk_off; /* offset parsed from NK record used as a key
	225	* to lookup reference to this SK record
	226	*/
[53]	227
	228	uint32 prev_sk_off;
	229	uint32 next_sk_off;
	230	uint32 ref_count;
[102]	231	uint32 desc_size; /* size of security descriptor */
	232	uint16 unknown_tag;
[135]	233	uint8 magic[REGFI_CELL_MAGIC_SIZE];
	234	} REGFI_SK_REC;
[30]	235
[81]	236
[104]	237	/* Key Name */
	238	typedef struct
[97]	239	{
[99]	240	uint32 offset; /* Real offset of this record's cell in the file */
	241	uint32 cell_size; /* Actual or estimated length of the cell.
	242	* Always in multiples of 8.
	243	*/
[84]	244
	245	/* link in the other records here */
[135]	246	REGFI_VK_REC** values;
	247	REGFI_SUBKEY_LIST* subkeys;
[53]	248
	249	/* header information */
[112]	250	uint16 key_type;
[135]	251	uint8 magic[REGFI_CELL_MAGIC_SIZE];
[53]	252	NTTIME mtime;
[99]	253	uint16 name_length;
	254	uint16 classname_length;
[84]	255	char* classname;
	256	char* keyname;
[125]	257	uint32 parent_off; /* pointer to parent key */
	258	uint32 classname_off;
[53]	259
	260	/* max lengths */
[54]	261	uint32 max_bytes_subkeyname; /* max subkey name * 2 */
	262	uint32 max_bytes_subkeyclassname; /* max subkey classname length (as if) */
	263	uint32 max_bytes_valuename; /* max valuename * 2 */
	264	uint32 max_bytes_value; /* max value data size */
[53]	265
	266	/* unknowns */
[99]	267	uint32 unknown1;
	268	uint32 unknown2;
	269	uint32 unknown3;
[54]	270	uint32 unk_index; /* nigel says run time index ? */
[53]	271
	272	/* children */
	273	uint32 num_subkeys;
[127]	274	uint32 subkeys_off; /* offset of subkey list that points to NK records */
[53]	275	uint32 num_values;
	276	uint32 values_off; /* value lists which point to VK records */
[127]	277	uint32 sk_off; /* offset to SK record */
[135]	278	} REGFI_NK_REC;
[30]	279
[81]	280
[97]	281
[30]	282	/* REGF block */
[97]	283	typedef struct
	284	{
[135]	285	/* Run-time information */
	286	/************************/
[138]	287	/* file descriptor */
	288	int fd;
[99]	289
[138]	290	/* For sanity checking (not part of the registry header) */
	291	uint32 file_length;
	292
	293	/* Metadata about hbins */
[99]	294	range_list* hbins;
	295
[135]	296	/* Error/warning/info messages returned by lower layer functions */
	297	char* last_message;
	298
[138]	299	/* Mask for error message types that will be stored. */
	300	uint16 msg_mask;
[135]	301
	302
	303	/* Data parsed from file header */
	304	/********************************/
	305	uint8 magic[REGFI_REGF_MAGIC_SIZE];/* "regf" */
[84]	306	NTTIME mtime;
[54]	307	uint32 data_offset; /* offset to record in the first (or any?)
	308	* hbin block
	309	*/
[53]	310	uint32 last_block; /* offset to last hbin block in file */
[97]	311
	312	uint32 checksum; /* Stored checksum. */
	313	uint32 computed_checksum; /* Our own calculation of the checksum.
	314	* (XOR of bytes 0x0000 - 0x01FB)
	315	*/
[53]	316
[97]	317	/* unknown data structure values */
[53]	318	uint32 unknown1;
	319	uint32 unknown2;
	320	uint32 unknown3;
	321	uint32 unknown4;
	322	uint32 unknown5;
	323	uint32 unknown6;
[97]	324	uint32 unknown7;
[135]	325	} REGFI_FILE;
[30]	326
	327
[97]	328
	329	typedef struct
	330	{
[135]	331	REGFI_FILE* f;
[80]	332	void_stack* key_positions;
[109]	333	lru_cache* sk_recs;
[135]	334	REGFI_NK_REC* cur_key;
[78]	335	uint32 cur_subkey;
	336	uint32 cur_value;
	337	} REGFI_ITERATOR;
	338
[80]	339
[97]	340	typedef struct
	341	{
[135]	342	/* XXX: Should probably eliminate the storage of keys here
	343	* once key caching is implemented.
	344	*/
	345	REGFI_NK_REC* nk;
[80]	346	uint32 cur_subkey;
	347	/* We could store a cur_value here as well, but didn't see
	348	* the use in it right now.
	349	*/
	350	} REGFI_ITER_POSITION;
	351
	352
[54]	353	/******************************************************************************/
[135]	354	/* Main iterator API */
	355	/******************************************************************************/
	356	REGFI_FILE* regfi_open(const char* filename);
	357	int regfi_close(REGFI_FILE* r);
[32]	358
[136]	359	/* regfi_get_messages: Get errors, warnings, and/or verbose information
	360	* relating to processing of the given registry file.
[135]	361	*
	362	* Arguments:
	363	* file -- the structure for the registry file
	364	*
	365	* Returns:
	366	* A newly allocated char* which must be free()d by the caller.
	367	*/
[136]	368	char* regfi_get_messages(REGFI_FILE* file);
[138]	369	void regfi_set_message_mask(REGFI_FILE* file, uint16 mask);
[53]	370
[135]	371	REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* fh);
[84]	372	void regfi_iterator_free(REGFI_ITERATOR* i);
	373	bool regfi_iterator_down(REGFI_ITERATOR* i);
	374	bool regfi_iterator_up(REGFI_ITERATOR* i);
	375	bool regfi_iterator_to_root(REGFI_ITERATOR* i);
[30]	376
[84]	377	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i,
	378	const char* subkey_name);
	379	bool regfi_iterator_walk_path(REGFI_ITERATOR* i,
	380	const char** path);
[135]	381	const REGFI_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i);
	382	const REGFI_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i);
	383	const REGFI_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i);
	384	const REGFI_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i);
	385	const REGFI_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i);
[80]	386
[84]	387	bool regfi_iterator_find_value(REGFI_ITERATOR* i,
	388	const char* value_name);
[135]	389	const REGFI_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i);
	390	const REGFI_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i);
	391	const REGFI_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i);
[80]	392
[127]	393
	394	/********************************************************/
	395	/* Middle-layer structure caching, loading, and linking */
	396	/********************************************************/
[135]	397	REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32 offset);
	398	REGFI_NK_REC* regfi_load_key(REGFI_FILE* file, uint32 offset,
	399	bool strict);
	400	REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32 offset,
	401	uint32 num_keys, uint32 max_size,
	402	bool strict);
	403	REGFI_VK_REC** regfi_load_valuelist(REGFI_FILE* file, uint32 offset,
	404	uint32 num_values, uint32 max_size,
	405	bool strict);
[127]	406
[99]	407	/************************************/
	408	/* Low-layer data structure access */
	409	/************************************/
[135]	410	REGFI_FILE* regfi_parse_regf(int fd, bool strict);
	411	REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32 offset,
[110]	412	bool strict);
[80]	413
[99]	414
	415	/* regfi_parse_nk: Parses an NK record.
	416	*
	417	* Arguments:
	418	* f -- the registry file structure
	419	* offset -- the offset of the cell (not the record) to be parsed.
	420	* max_size -- the maximum size the NK cell could be. (for validation)
	421	* strict -- if true, rejects any malformed records. Otherwise,
	422	* tries to minimally validate integrity.
	423	* Returns:
	424	* A newly allocated NK record structure, or NULL on failure.
	425	*/
[135]	426	REGFI_NK_REC* regfi_parse_nk(REGFI_FILE* file, uint32 offset,
[99]	427	uint32 max_size, bool strict);
	428
[135]	429	REGFI_VK_REC* regfi_parse_vk(REGFI_FILE* file, uint32 offset,
	430	uint32 max_size, bool strict);
[103]	431
[135]	432	uint8* regfi_parse_data(REGFI_FILE* file, uint32 offset,
	433	uint32 length, uint32 max_size,
	434	bool strict);
[97]	435
[135]	436	REGFI_SK_REC* regfi_parse_sk(REGFI_FILE* file, uint32 offset,
	437	uint32 max_size, bool strict);
[111]	438
[135]	439	range_list* regfi_parse_unalloc_cells(REGFI_FILE* file);
[101]	440
[135]	441	bool regfi_parse_cell(int fd, uint32 offset,
	442	uint8* hdr, uint32 hdr_len,
	443	uint32* cell_length, bool* unalloc);
[111]	444
[135]	445	char* regfi_parse_classname(REGFI_FILE* file, uint32 offset,
	446	uint16* name_length,
	447	uint32 max_size, bool strict);
[126]	448
[127]	449
[135]	450	/************************************/
	451	/* Private Functions */
	452	/************************************/
	453	REGFI_NK_REC* regfi_rootkey(REGFI_FILE* file);
	454	void regfi_key_free(REGFI_NK_REC* nk);
	455	void regfi_subkeylist_free(REGFI_SUBKEY_LIST* list);
[127]	456	uint32 regfi_read(int fd, uint8* buf, uint32* length);
	457
[135]	458	const char* regfi_type_val2str(unsigned int val);
	459	int regfi_type_str2val(const char* str);
[127]	460
[135]	461	char* regfi_get_sacl(WINSEC_DESC* sec_desc);
	462	char* regfi_get_dacl(WINSEC_DESC* sec_desc);
	463	char* regfi_get_owner(WINSEC_DESC* sec_desc);
	464	char* regfi_get_group(WINSEC_DESC* sec_desc);
	465
	466	REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16 num_lists,
	467	REGFI_SUBKEY_LIST** lists,
	468	bool strict);
[138]	469	void regfi_add_message(REGFI_FILE* file, uint16 msg_type,
	470	const char* fmt, ...);
[78]	471	#endif /* _REGFI_H */

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/include/regfi.h @ 138

Download in other formats: