Context Navigation

source: trunk/include/regfi.h @ 127

Last change on this file since 127 was 127, checked in by tim, 16 years ago
added preliminary support for 'ri' subkey lists. cleaned up regfi API a bit.
Property svn:keywords set to `Id`
File size: 12.6 KB

Line
1	/*
2	* Branched from Samba project, Subversion repository version #6903:
3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/include/regfio.h?rev=6903&view=auto
4	*
5	* Unix SMB/CIFS implementation.
6	* Windows NT registry I/O library
7	*
8	* Copyright (C) 2005-2008 Timothy D. Morgan
9	* Copyright (C) 2005 Gerald (Jerry) Carter
10	*
11	* This program is free software; you can redistribute it and/or modify
12	* it under the terms of the GNU General Public License as published by
13	* the Free Software Foundation; version 2 of the License.
14	*
15	* This program is distributed in the hope that it will be useful,
16	* but WITHOUT ANY WARRANTY; without even the implied warranty of
17	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	* GNU General Public License for more details.
19	*
20	* You should have received a copy of the GNU General Public License
21	* along with this program; if not, write to the Free Software
22	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23	*
24	* $Id: regfi.h 127 2008-09-01 23:20:50Z tim $
25	*/
26
27	/************************************************************
28	* Most of this information was obtained from
29	* http://www.wednesday.demon.co.uk/dosreg.html
30	* Thanks Nigel!
31	***********************************************************/
32
33	#ifndef _REGFI_H
34	#define _REGFI_H
35
36	#include <stdlib.h>
37	#include <stdio.h>
38	#include <stdbool.h>
39	#include <string.h>
40	#include <errno.h>
41	#include <time.h>
42	#include <fcntl.h>
43	#include <sys/stat.h>
44	#include <sys/types.h>
45	#include <unistd.h>
46	#include <assert.h>
47
48	#include "smb_deps.h"
49	#include "void_stack.h"
50	#include "range_list.h"
51	#include "lru_cache.h"
52
53	/******************************************************************************/
54	/* Macros */
55
56	/* Registry data types */
57	#define REG_NONE 0
58	#define REG_SZ 1
59	#define REG_EXPAND_SZ 2
60	#define REG_BINARY 3
61	#define REG_DWORD 4
62	#define REG_DWORD_LE 4 /* DWORD, little endian */
63	#define REG_DWORD_BE 5 /* DWORD, big endian */
64	#define REG_LINK 6
65	#define REG_MULTI_SZ 7
66	#define REG_RESOURCE_LIST 8
67	#define REG_FULL_RESOURCE_DESCRIPTOR 9
68	#define REG_RESOURCE_REQUIREMENTS_LIST 10
69	#define REG_QWORD 11 /* 64-bit little endian */
70	/* XXX: Has MS defined a REG_QWORD_BE? */
71	/* Not a real type in the registry */
72	#define REG_KEY 0x7FFFFFFF
73
74	#define REGF_BLOCKSIZE 0x1000
75	#define REGF_ALLOC_BLOCK 0x1000 /* Minimum allocation unit for HBINs */
76	#define REGF_MAX_DEPTH 512
77
78	/* header sizes for various records */
79	#define REGF_MAGIC_SIZE 4
80	#define HBIN_MAGIC_SIZE 4
81	#define HBIN_HEADER_REC_SIZE 0x20
82	#define REC_HDR_SIZE 2
83
84	#define REGF_OFFSET_NONE 0xffffffff
85	#define REGFI_NK_MIN_LENGTH 0x4C
86	#define REGFI_VK_MIN_LENGTH 0x14
87	#define REGFI_SK_MIN_LENGTH 0x14
88	#define REGFI_SUBKEY_LIST_MIN_LEN 0x4
89
90	/* Constants used for validation */
91	/* XXX: Can we add clock resolution validation as well as range? It has
92	* been reported that Windows timestamps are never more than a
93	* certain granularity (250ms?), which could be used to help
94	* eliminate false positives. Would need to validate this and
95	* perhaps conservatively implement a check.
96	*/
97	/* Minimum time is Jan 1, 1990 00:00:00 */
98	#define REGFI_MTIME_MIN_HIGH 0x01B41E6D
99	#define REGFI_MTIME_MIN_LOW 0x26F98000
100	/* Maximum time is Jan 1, 2290 00:00:00
101	* (We hope no one is using Windows by then...)
102	*/
103	#define REGFI_MTIME_MAX_HIGH 0x03047543
104	#define REGFI_MTIME_MAX_LOW 0xC80A4000
105
106
107	/* Flags for the vk records */
108	#define VK_FLAG_NAME_PRESENT 0x0001
109	#define VK_DATA_IN_OFFSET 0x80000000
110	#define VK_MAX_DATA_LENGTH 1024*1024
111
112	/* NK record types */
113	#define NK_TYPE_LINKKEY 0x0010
114	#define NK_TYPE_NORMALKEY 0x0020
115	#define NK_TYPE_ROOTKEY 0x002c
116	/* XXX: Unknown type that shows up in Vista registries */
117	#define NK_TYPE_UNKNOWN1 0x1020
118
119
120	/* HBIN block */
121	typedef struct regf_hbin
122	{
123	uint32 file_off; /* my offset in the registry file */
124	uint32 ref_count; /* how many active records are pointing to this
125	* block (not used currently)
126	*/
127
128	uint32 first_hbin_off; /* offset from first hbin block */
129	uint32 block_size; /* block size of this block
130	* Should be a multiple of 4096 (0x1000)
131	*/
132	uint32 next_block; /* relative offset to next block.
133	* NOTE: This value may be unreliable!
134	*/
135
136	uint8 magic[HBIN_MAGIC_SIZE]; /* "hbin" */
137	} REGF_HBIN;
138
139
140	/* Subkey List -- list of key offsets and hashed names for consistency */
141	typedef struct
142	{
143	uint32 nk_off;
144	uint32 hash;
145	} REGF_SUBKEY_LIST_ELEM;
146
147
148	typedef struct
149	{
150	uint32 offset; /* Real offset of this record's cell in the file */
151	uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */
152	uint32 num_keys;
153	REGF_SUBKEY_LIST_ELEM* elements;
154
155	uint8 magic[REC_HDR_SIZE];
156	} REGF_SUBKEY_LIST;
157
158
159	/* Key Value */
160	typedef struct
161	{
162	uint32 offset; /* Real offset of this record's cell in the file */
163	uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */
164
165	REGF_HBIN* hbin; /* pointer to HBIN record (in memory) containing
166	* this nk record
167	*/
168	uint8* data;
169	uint16 name_length;
170	char* valuename;
171	uint32 hbin_off; /* offset from beginning of this hbin block */
172
173	uint32 data_size;
174	uint32 data_off; /* offset of data cell (virtual) */
175	uint32 type;
176	uint8 magic[REC_HDR_SIZE];
177	uint16 flag;
178	uint16 unknown1;
179	bool data_in_offset;
180	} REGF_VK_REC;
181
182
183	/* Key Security */
184	struct _regf_sk_rec;
185
186	typedef struct _regf_sk_rec
187	{
188	uint32 offset; /* Real file offset of this record */
189	uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */
190
191	SEC_DESC* sec_desc;
192	uint32 hbin_off; /* offset from beginning of this hbin block */
193
194	uint32 sk_off; /* offset parsed from NK record used as a key
195	* to lookup reference to this SK record
196	*/
197
198	uint32 prev_sk_off;
199	uint32 next_sk_off;
200	uint32 ref_count;
201	uint32 desc_size; /* size of security descriptor */
202	uint16 unknown_tag;
203	uint8 magic[REC_HDR_SIZE];
204	} REGF_SK_REC;
205
206
207	/* Key Name */
208	typedef struct
209	{
210	uint32 offset; /* Real offset of this record's cell in the file */
211	uint32 cell_size; /* Actual or estimated length of the cell.
212	* Always in multiples of 8.
213	*/
214
215	/* link in the other records here */
216	REGF_VK_REC** values;
217	REGF_SUBKEY_LIST* subkeys;
218
219	/* header information */
220	uint16 key_type;
221	uint8 magic[REC_HDR_SIZE];
222	NTTIME mtime;
223	uint16 name_length;
224	uint16 classname_length;
225	char* classname;
226	char* keyname;
227	uint32 parent_off; /* pointer to parent key */
228	uint32 classname_off;
229
230	/* max lengths */
231	uint32 max_bytes_subkeyname; /* max subkey name * 2 */
232	uint32 max_bytes_subkeyclassname; /* max subkey classname length (as if) */
233	uint32 max_bytes_valuename; /* max valuename * 2 */
234	uint32 max_bytes_value; /* max value data size */
235
236	/* unknowns */
237	uint32 unknown1;
238	uint32 unknown2;
239	uint32 unknown3;
240	uint32 unk_index; /* nigel says run time index ? */
241
242	/* children */
243	uint32 num_subkeys;
244	uint32 subkeys_off; /* offset of subkey list that points to NK records */
245	uint32 num_values;
246	uint32 values_off; /* value lists which point to VK records */
247	uint32 sk_off; /* offset to SK record */
248	} REGF_NK_REC;
249
250
251
252	/* REGF block */
253	typedef struct
254	{
255	/* run time information */
256	int fd; /* file descriptor */
257	/* For sanity checking (not part of the registry header) */
258	uint32 file_length;
259	void* mem_ctx; /* memory context for run-time file access information */
260
261	/* Experimental hbin lists */
262	range_list* hbins;
263
264	/* file format information */
265	uint8 magic[REGF_MAGIC_SIZE];/* "regf" */
266	NTTIME mtime;
267	uint32 data_offset; /* offset to record in the first (or any?)
268	* hbin block
269	*/
270	uint32 last_block; /* offset to last hbin block in file */
271
272	uint32 checksum; /* Stored checksum. */
273	uint32 computed_checksum; /* Our own calculation of the checksum.
274	* (XOR of bytes 0x0000 - 0x01FB)
275	*/
276
277	/* unknown data structure values */
278	uint32 unknown1;
279	uint32 unknown2;
280	uint32 unknown3;
281	uint32 unknown4;
282	uint32 unknown5;
283	uint32 unknown6;
284	uint32 unknown7;
285	} REGF_FILE;
286
287
288
289	typedef struct
290	{
291	REGF_FILE* f;
292	void_stack* key_positions;
293	lru_cache* sk_recs;
294	REGF_NK_REC* cur_key;
295	uint32 cur_subkey;
296	uint32 cur_value;
297	} REGFI_ITERATOR;
298
299
300	typedef struct
301	{
302	REGF_NK_REC* nk;
303	uint32 cur_subkey;
304	/* We could store a cur_value here as well, but didn't see
305	* the use in it right now.
306	*/
307	} REGFI_ITER_POSITION;
308
309
310	/******************************************************************************/
311	/* Function Declarations */
312	/* Main API */
313	const char* regfi_type_val2str(unsigned int val);
314	int regfi_type_str2val(const char* str);
315
316	char* regfi_get_sacl(SEC_DESC* sec_desc);
317	char* regfi_get_dacl(SEC_DESC* sec_desc);
318	char* regfi_get_owner(SEC_DESC* sec_desc);
319	char* regfi_get_group(SEC_DESC* sec_desc);
320
321	REGF_FILE* regfi_open(const char* filename);
322	int regfi_close(REGF_FILE* r);
323
324	REGFI_ITERATOR* regfi_iterator_new(REGF_FILE* fh);
325	void regfi_iterator_free(REGFI_ITERATOR* i);
326	bool regfi_iterator_down(REGFI_ITERATOR* i);
327	bool regfi_iterator_up(REGFI_ITERATOR* i);
328	bool regfi_iterator_to_root(REGFI_ITERATOR* i);
329
330	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i,
331	const char* subkey_name);
332	bool regfi_iterator_walk_path(REGFI_ITERATOR* i,
333	const char** path);
334	const REGF_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i);
335	const REGF_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i);
336	const REGF_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i);
337	const REGF_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i);
338	const REGF_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i);
339
340	bool regfi_iterator_find_value(REGFI_ITERATOR* i,
341	const char* value_name);
342	const REGF_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i);
343	const REGF_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i);
344	const REGF_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i);
345
346
347	/********************************************************/
348	/* Middle-layer structure caching, loading, and linking */
349	/********************************************************/
350	REGF_HBIN* regfi_lookup_hbin(REGF_FILE* file, uint32 offset);
351
352	REGF_NK_REC* regfi_load_key(REGF_FILE* file, uint32 offset, bool strict);
353
354	REGF_SUBKEY_LIST* regfi_load_subkeylist(REGF_FILE* file, uint32 offset,
355	uint32 num_keys, uint32 max_size,
356	bool strict);
357
358	REGF_VK_REC** regfi_load_valuelist(REGF_FILE* file, uint32 offset,
359	uint32 num_values, uint32 max_size,
360	bool strict);
361
362	REGF_SUBKEY_LIST* regfi_merge_subkeylists(uint16 num_lists,
363	REGF_SUBKEY_LIST** lists,
364	bool strict);
365
366	/************************************/
367	/* Low-layer data structure access */
368	/************************************/
369	REGF_FILE* regfi_parse_regf(int fd, bool strict);
370	REGF_HBIN* regfi_parse_hbin(REGF_FILE* file, uint32 offset,
371	bool strict);
372
373
374	/* regfi_parse_nk: Parses an NK record.
375	*
376	* Arguments:
377	* f -- the registry file structure
378	* offset -- the offset of the cell (not the record) to be parsed.
379	* max_size -- the maximum size the NK cell could be. (for validation)
380	* strict -- if true, rejects any malformed records. Otherwise,
381	* tries to minimally validate integrity.
382	* Returns:
383	* A newly allocated NK record structure, or NULL on failure.
384	*/
385	REGF_NK_REC* regfi_parse_nk(REGF_FILE* file, uint32 offset,
386	uint32 max_size, bool strict);
387
388	REGF_VK_REC* regfi_parse_vk(REGF_FILE* file, uint32 offset,
389	uint32 max_size, bool strict);
390
391	uint8* regfi_parse_data(REGF_FILE* file, uint32 offset,
392	uint32 length, bool strict);
393
394	REGF_SK_REC* regfi_parse_sk(REGF_FILE* file, uint32 offset, uint32 max_size, bool strict);
395
396	range_list* regfi_parse_unalloc_cells(REGF_FILE* file);
397
398	bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len,
399	uint32* cell_length, bool* unalloc);
400
401	char* regfi_parse_classname(REGF_FILE* file, uint32 offset,
402	uint16* name_length, bool strict);
403
404
405	/* Private Functions */
406	REGF_NK_REC* regfi_rootkey(REGF_FILE* file);
407	void regfi_key_free(REGF_NK_REC* nk);
408	void regfi_subkeylist_free(REGF_SUBKEY_LIST* list);
409	uint32 regfi_read(int fd, uint8* buf, uint32* length);
410
411
412	#endif /* _REGFI_H */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: