Context Navigation

source: trunk/include/regfi.h @ 135

Last change on this file since 135 was 135, checked in by tim, 15 years ago

cleaned up regfi API

started adding debugging infrastructure, but currently broken

Property svn:keywords set to Id

File size: 14.0 KB

Line
1	/*
2	* Branched from Samba project Subversion repository, version #6903:
3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/include/regfio.h?rev=6903&view=auto
4	*
5	* Windows NT (and later) registry parsing library
6	*
7	* Copyright (C) 2005-2009 Timothy D. Morgan
8	* Copyright (C) 2005 Gerald (Jerry) Carter
9	*
10	* This program is free software; you can redistribute it and/or modify
11	* it under the terms of the GNU General Public License as published by
12	* the Free Software Foundation; version 3 of the License.
13	*
14	* This program is distributed in the hope that it will be useful,
15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	* GNU General Public License for more details.
18	*
19	* You should have received a copy of the GNU General Public License
20	* along with this program; if not, write to the Free Software
21	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22	*
23	* $Id: regfi.h 135 2009-01-21 10:27:32Z tim $
24	*/
25
26	/************************************************************
27	* Most of this information was obtained from
28	* http://www.wednesday.demon.co.uk/dosreg.html
29	* Thanks Nigel!
30	***********************************************************/
31
32	#ifndef _REGFI_H
33	#define _REGFI_H
34
35	#include <stdlib.h>
36	#include <stdio.h>
37	#include <stdbool.h>
38	#include <string.h>
39	#include <errno.h>
40	#include <time.h>
41	#include <fcntl.h>
42	#include <sys/stat.h>
43	#include <sys/types.h>
44	#include <unistd.h>
45	#include <assert.h>
46
47	#include "smb_deps.h"
48	#include "winsec.h"
49	#include "void_stack.h"
50	#include "range_list.h"
51	#include "lru_cache.h"
52
53	/******************************************************************************/
54	/* Macros */
55
56	/* Registry data types */
57	#define REG_NONE 0
58	#define REG_SZ 1
59	#define REG_EXPAND_SZ 2
60	#define REG_BINARY 3
61	#define REG_DWORD 4
62	#define REG_DWORD_LE 4 /* DWORD, little endian */
63	#define REG_DWORD_BE 5 /* DWORD, big endian */
64	#define REG_LINK 6
65	#define REG_MULTI_SZ 7
66	#define REG_RESOURCE_LIST 8
67	#define REG_FULL_RESOURCE_DESCRIPTOR 9
68	#define REG_RESOURCE_REQUIREMENTS_LIST 10
69	#define REG_QWORD 11 /* 64-bit little endian */
70	/* XXX: Has MS defined a REG_QWORD_BE? */
71	/* Not a real type in the registry */
72	#define REG_KEY 0x7FFFFFFF
73
74	#define REGFI_REGF_SIZE 0x1000 /* "regf" header block size */
75	#define REGFI_HBIN_ALLOC 0x1000 /* Minimum allocation unit for HBINs */
76	#define REGFI_MAX_DEPTH 512
77	#define REGFI_OFFSET_NONE 0xffffffff
78
79	/* Header sizes and magic number lengths for various records */
80	#define REGFI_REGF_MAGIC_SIZE 4
81	#define REGFI_HBIN_MAGIC_SIZE 4
82	#define REGFI_CELL_MAGIC_SIZE 2
83	#define REGFI_HBIN_HEADER_SIZE 0x20
84	#define REGFI_NK_MIN_LENGTH 0x4C
85	#define REGFI_VK_MIN_LENGTH 0x14
86	#define REGFI_SK_MIN_LENGTH 0x14
87	#define REGFI_SUBKEY_LIST_MIN_LEN 0x4
88
89
90	/* Constants used for validation */
91	/* XXX: Can we add clock resolution validation as well as range? It has
92	* been reported that Windows timestamps are never more than a
93	* certain granularity (250ms?), which could be used to help
94	* eliminate false positives. Would need to validate this and
95	* perhaps conservatively implement a check.
96	*/
97	/* Minimum time is Jan 1, 1990 00:00:00 */
98	#define REGFI_MTIME_MIN_HIGH 0x01B41E6D
99	#define REGFI_MTIME_MIN_LOW 0x26F98000
100	/* Maximum time is Jan 1, 2290 00:00:00
101	* (We hope no one is using Windows by then...)
102	*/
103	#define REGFI_MTIME_MAX_HIGH 0x03047543
104	#define REGFI_MTIME_MAX_LOW 0xC80A4000
105
106
107	/* Flags for the vk records */
108	#define REGFI_VK_FLAG_NAME_PRESENT 0x0001
109	#define REGFI_VK_DATA_IN_OFFSET 0x80000000
110	#define REGFI_VK_MAX_DATA_LENGTH 1024*1024
111
112	/* NK record types */
113	#define REGFI_NK_TYPE_LINKKEY 0x0010
114	#define REGFI_NK_TYPE_NORMALKEY 0x0020
115	/* XXX: Unknown key type that shows up in Vista registries */
116	#define REGFI_NK_TYPE_UNKNOWN1 0x1020
117	#define REGFI_NK_TYPE_ROOTKEY1 0x002c
118	/* XXX: Unknown root key type that shows up in Vista registries */
119	#define REGFI_NK_TYPE_ROOTKEY2 0x00ac
120
121
122	/* HBIN block */
123	typedef struct _regfi_hbin
124	{
125	uint32 file_off; /* my offset in the registry file */
126	uint32 ref_count; /* how many active records are pointing to this
127	* block (not used currently)
128	*/
129
130	uint32 first_hbin_off; /* offset from first hbin block */
131	uint32 block_size; /* block size of this block
132	* Should be a multiple of 4096 (0x1000)
133	*/
134	uint32 next_block; /* relative offset to next block.
135	* NOTE: This value may be unreliable!
136	*/
137
138	uint8 magic[REGFI_HBIN_MAGIC_SIZE]; /* "hbin" */
139	} REGFI_HBIN;
140
141
142	/* Subkey List -- list of key offsets and hashed names for consistency */
143	typedef struct
144	{
145	uint32 nk_off;
146	uint32 hash;
147	} REGFI_SUBKEY_LIST_ELEM;
148
149
150	typedef struct
151	{
152	uint32 offset; /* Real offset of this record's cell in the file */
153	uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */
154	uint32 num_keys;
155	REGFI_SUBKEY_LIST_ELEM* elements;
156
157	uint8 magic[REGFI_CELL_MAGIC_SIZE];
158	} REGFI_SUBKEY_LIST;
159
160
161	/* Key Value */
162	typedef struct
163	{
164	uint32 offset; /* Real offset of this record's cell in the file */
165	uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */
166
167	REGFI_HBIN* hbin; /* pointer to HBIN record (in memory) containing
168	* this nk record
169	*/
170	uint8* data;
171	uint16 name_length;
172	char* valuename;
173	uint32 hbin_off; /* offset from beginning of this hbin block */
174
175	uint32 data_size;
176	uint32 data_off; /* offset of data cell (virtual) */
177	uint32 type;
178	uint8 magic[REGFI_CELL_MAGIC_SIZE];
179	uint16 flag;
180	uint16 unknown1;
181	bool data_in_offset;
182	} REGFI_VK_REC;
183
184
185	/* Key Security */
186	struct _regfi_sk_rec;
187
188	typedef struct _regfi_sk_rec
189	{
190	uint32 offset; /* Real file offset of this record */
191	uint32 cell_size; /* ((start_offset - end_offset) & 0xfffffff8) */
192
193	WINSEC_DESC* sec_desc;
194	uint32 hbin_off; /* offset from beginning of this hbin block */
195
196	uint32 sk_off; /* offset parsed from NK record used as a key
197	* to lookup reference to this SK record
198	*/
199
200	uint32 prev_sk_off;
201	uint32 next_sk_off;
202	uint32 ref_count;
203	uint32 desc_size; /* size of security descriptor */
204	uint16 unknown_tag;
205	uint8 magic[REGFI_CELL_MAGIC_SIZE];
206	} REGFI_SK_REC;
207
208
209	/* Key Name */
210	typedef struct
211	{
212	uint32 offset; /* Real offset of this record's cell in the file */
213	uint32 cell_size; /* Actual or estimated length of the cell.
214	* Always in multiples of 8.
215	*/
216
217	/* link in the other records here */
218	REGFI_VK_REC** values;
219	REGFI_SUBKEY_LIST* subkeys;
220
221	/* header information */
222	uint16 key_type;
223	uint8 magic[REGFI_CELL_MAGIC_SIZE];
224	NTTIME mtime;
225	uint16 name_length;
226	uint16 classname_length;
227	char* classname;
228	char* keyname;
229	uint32 parent_off; /* pointer to parent key */
230	uint32 classname_off;
231
232	/* max lengths */
233	uint32 max_bytes_subkeyname; /* max subkey name * 2 */
234	uint32 max_bytes_subkeyclassname; /* max subkey classname length (as if) */
235	uint32 max_bytes_valuename; /* max valuename * 2 */
236	uint32 max_bytes_value; /* max value data size */
237
238	/* unknowns */
239	uint32 unknown1;
240	uint32 unknown2;
241	uint32 unknown3;
242	uint32 unk_index; /* nigel says run time index ? */
243
244	/* children */
245	uint32 num_subkeys;
246	uint32 subkeys_off; /* offset of subkey list that points to NK records */
247	uint32 num_values;
248	uint32 values_off; /* value lists which point to VK records */
249	uint32 sk_off; /* offset to SK record */
250	} REGFI_NK_REC;
251
252
253
254	/* REGF block */
255	typedef struct
256	{
257	/* Run-time information */
258	/************************/
259	int fd; /* file descriptor */
260
261	/* Experimental hbin lists */
262	range_list* hbins;
263
264	/* Error/warning/info messages returned by lower layer functions */
265	char* last_message;
266
267	/* For sanity checking (not part of the registry header) */
268	uint32 file_length;
269
270
271	/* Data parsed from file header */
272	/********************************/
273	uint8 magic[REGFI_REGF_MAGIC_SIZE];/* "regf" */
274	NTTIME mtime;
275	uint32 data_offset; /* offset to record in the first (or any?)
276	* hbin block
277	*/
278	uint32 last_block; /* offset to last hbin block in file */
279
280	uint32 checksum; /* Stored checksum. */
281	uint32 computed_checksum; /* Our own calculation of the checksum.
282	* (XOR of bytes 0x0000 - 0x01FB)
283	*/
284
285	/* unknown data structure values */
286	uint32 unknown1;
287	uint32 unknown2;
288	uint32 unknown3;
289	uint32 unknown4;
290	uint32 unknown5;
291	uint32 unknown6;
292	uint32 unknown7;
293	} REGFI_FILE;
294
295
296
297	typedef struct
298	{
299	REGFI_FILE* f;
300	void_stack* key_positions;
301	lru_cache* sk_recs;
302	REGFI_NK_REC* cur_key;
303	uint32 cur_subkey;
304	uint32 cur_value;
305	} REGFI_ITERATOR;
306
307
308	typedef struct
309	{
310	/* XXX: Should probably eliminate the storage of keys here
311	* once key caching is implemented.
312	*/
313	REGFI_NK_REC* nk;
314	uint32 cur_subkey;
315	/* We could store a cur_value here as well, but didn't see
316	* the use in it right now.
317	*/
318	} REGFI_ITER_POSITION;
319
320
321	/******************************************************************************/
322	/* Main iterator API */
323	/******************************************************************************/
324	REGFI_FILE* regfi_open(const char* filename);
325	int regfi_close(REGFI_FILE* r);
326
327	/* regfi_get_message: Get errors, warnings, and/or verbose information
328	* relating to processing of the given registry file.
329	*
330	* Arguments:
331	* file -- the structure for the registry file
332	*
333	* Returns:
334	* A newly allocated char* which must be free()d by the caller.
335	*/
336	char* regfi_get_message(REGFI_FILE* file);
337
338	REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* fh);
339	void regfi_iterator_free(REGFI_ITERATOR* i);
340	bool regfi_iterator_down(REGFI_ITERATOR* i);
341	bool regfi_iterator_up(REGFI_ITERATOR* i);
342	bool regfi_iterator_to_root(REGFI_ITERATOR* i);
343
344	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i,
345	const char* subkey_name);
346	bool regfi_iterator_walk_path(REGFI_ITERATOR* i,
347	const char** path);
348	const REGFI_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i);
349	const REGFI_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i);
350	const REGFI_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i);
351	const REGFI_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i);
352	const REGFI_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i);
353
354	bool regfi_iterator_find_value(REGFI_ITERATOR* i,
355	const char* value_name);
356	const REGFI_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i);
357	const REGFI_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i);
358	const REGFI_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i);
359
360
361	/********************************************************/
362	/* Middle-layer structure caching, loading, and linking */
363	/********************************************************/
364	REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32 offset);
365	REGFI_NK_REC* regfi_load_key(REGFI_FILE* file, uint32 offset,
366	bool strict);
367	REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32 offset,
368	uint32 num_keys, uint32 max_size,
369	bool strict);
370	REGFI_VK_REC** regfi_load_valuelist(REGFI_FILE* file, uint32 offset,
371	uint32 num_values, uint32 max_size,
372	bool strict);
373
374	/************************************/
375	/* Low-layer data structure access */
376	/************************************/
377	REGFI_FILE* regfi_parse_regf(int fd, bool strict);
378	REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32 offset,
379	bool strict);
380
381
382	/* regfi_parse_nk: Parses an NK record.
383	*
384	* Arguments:
385	* f -- the registry file structure
386	* offset -- the offset of the cell (not the record) to be parsed.
387	* max_size -- the maximum size the NK cell could be. (for validation)
388	* strict -- if true, rejects any malformed records. Otherwise,
389	* tries to minimally validate integrity.
390	* Returns:
391	* A newly allocated NK record structure, or NULL on failure.
392	*/
393	REGFI_NK_REC* regfi_parse_nk(REGFI_FILE* file, uint32 offset,
394	uint32 max_size, bool strict);
395
396	REGFI_VK_REC* regfi_parse_vk(REGFI_FILE* file, uint32 offset,
397	uint32 max_size, bool strict);
398
399	uint8* regfi_parse_data(REGFI_FILE* file, uint32 offset,
400	uint32 length, uint32 max_size,
401	bool strict);
402
403	REGFI_SK_REC* regfi_parse_sk(REGFI_FILE* file, uint32 offset,
404	uint32 max_size, bool strict);
405
406	range_list* regfi_parse_unalloc_cells(REGFI_FILE* file);
407
408	bool regfi_parse_cell(int fd, uint32 offset,
409	uint8* hdr, uint32 hdr_len,
410	uint32* cell_length, bool* unalloc);
411
412	char* regfi_parse_classname(REGFI_FILE* file, uint32 offset,
413	uint16* name_length,
414	uint32 max_size, bool strict);
415
416
417	/************************************/
418	/* Private Functions */
419	/************************************/
420	REGFI_NK_REC* regfi_rootkey(REGFI_FILE* file);
421	void regfi_key_free(REGFI_NK_REC* nk);
422	void regfi_subkeylist_free(REGFI_SUBKEY_LIST* list);
423	uint32 regfi_read(int fd, uint8* buf, uint32* length);
424
425	const char* regfi_type_val2str(unsigned int val);
426	int regfi_type_str2val(const char* str);
427
428	char* regfi_get_sacl(WINSEC_DESC* sec_desc);
429	char* regfi_get_dacl(WINSEC_DESC* sec_desc);
430	char* regfi_get_owner(WINSEC_DESC* sec_desc);
431	char* regfi_get_group(WINSEC_DESC* sec_desc);
432
433	REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16 num_lists,
434	REGFI_SUBKEY_LIST** lists,
435	bool strict);
436	void regfi_add_message(REGFI_FILE* file, const char* error);
437	#endif /* _REGFI_H */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: