Context Navigation

source: trunk/lib/regfi.c @ 100

Last change on this file since 100 was 99, checked in by tim, 17 years ago

fixed a range_list bug

replaced NK parsing routine

Property svn:keywords set to Id

File size: 44.1 KB

Rev	Line
[30]	1	/*
	2	* Branched from Samba project Subversion repository, version #7470:
[84]	3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
[30]	4	*
	5	* Unix SMB/CIFS implementation.
	6	* Windows NT registry I/O library
	7	*
[97]	8	* Copyright (C) 2005-2008 Timothy D. Morgan
[30]	9	* Copyright (C) 2005 Gerald (Jerry) Carter
	10	*
	11	* This program is free software; you can redistribute it and/or modify
	12	* it under the terms of the GNU General Public License as published by
	13	* the Free Software Foundation; version 2 of the License.
	14	*
	15	* This program is distributed in the hope that it will be useful,
	16	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	* GNU General Public License for more details.
	19	*
	20	* You should have received a copy of the GNU General Public License
	21	* along with this program; if not, write to the Free Software
	22	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	23	*
	24	* $Id: regfi.c 99 2008-03-04 00:38:48Z tim $
	25	*/
	26
[81]	27	#include "../include/regfi.h"
[30]	28
	29
[32]	30	/* Registry types mapping */
[78]	31	const unsigned int regfi_num_reg_types = 12;
	32	static const char* regfi_type_names[] =
[65]	33	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]	34	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]	35
[32]	36
	37	/* Returns NULL on error */
[78]	38	const char* regfi_type_val2str(unsigned int val)
[32]	39	{
[61]	40	if(val == REG_KEY)
	41	return "KEY";
	42
[78]	43	if(val >= regfi_num_reg_types)
[61]	44	return NULL;
	45
[78]	46	return regfi_type_names[val];
[32]	47	}
	48
	49
[61]	50	/* Returns -1 on error */
[78]	51	int regfi_type_str2val(const char* str)
[32]	52	{
	53	int i;
	54
[61]	55	if(strcmp("KEY", str) == 0)
	56	return REG_KEY;
[32]	57
[78]	58	for(i=0; i < regfi_num_reg_types; i++)
	59	if (strcmp(regfi_type_names[i], str) == 0)
[61]	60	return i;
	61
	62	if(strcmp("DWORD_LE", str) == 0)
	63	return REG_DWORD_LE;
	64
	65	return -1;
[32]	66	}
	67
	68
[53]	69	/* Security descriptor parsing functions */
	70
[78]	71	const char* regfi_ace_type2str(uint8 type)
[53]	72	{
	73	static const char* map[7]
	74	= {"ALLOW", "DENY", "AUDIT", "ALARM",
	75	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
	76	if(type < 7)
	77	return map[type];
	78	else
	79	/* XXX: would be nice to return the unknown integer value.
	80	* However, as it is a const string, it can't be free()ed later on,
	81	* so that would need to change.
	82	*/
	83	return "UNKNOWN";
	84	}
	85
	86
[76]	87	/* XXX: need a better reference on the meaning of each flag. */
	88	/* For more info, see:
	89	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
	90	*/
[78]	91	char* regfi_ace_flags2str(uint8 flags)
[53]	92	{
[76]	93	static const char* flag_map[32] =
[87]	94	{ "OI", /* Object Inherit */
	95	"CI", /* Container Inherit */
	96	"NP", /* Non-Propagate */
	97	"IO", /* Inherit Only */
	98	"IA", /* Inherited ACE */
[76]	99	NULL,
	100	NULL,
	101	NULL,
	102	};
[53]	103
[76]	104	char* ret_val = malloc(35*sizeof(char));
	105	char* fo = ret_val;
	106	uint32 i;
	107	uint8 f;
	108
	109	if(ret_val == NULL)
[53]	110	return NULL;
	111
[76]	112	fo[0] = '\0';
[53]	113	if (!flags)
[76]	114	return ret_val;
[53]	115
[76]	116	for(i=0; i < 8; i++)
	117	{
	118	f = (1<<i);
	119	if((flags & f) && (flag_map[i] != NULL))
	120	{
	121	strcpy(fo, flag_map[i]);
	122	fo += strlen(flag_map[i]);
	123	*(fo++) = ' ';
	124	flags ^= f;
	125	}
[53]	126	}
[76]	127
	128	/* Any remaining unknown flags are added at the end in hex. */
	129	if(flags != 0)
	130	sprintf(fo, "0x%.2X ", flags);
	131
	132	/* Chop off the last space if we've written anything to ret_val */
	133	if(fo != ret_val)
	134	fo[-1] = '\0';
	135
	136	/* XXX: what was this old VI flag for??
	137	XXX: Is this check right? 0xF == 1\|2\|4\|8, which makes it redundant...
[53]	138	if (flags == 0xF) {
	139	if (some) strcat(flg_output, " ");
	140	some = 1;
	141	strcat(flg_output, "VI");
	142	}
[76]	143	*/
[53]	144
[76]	145	return ret_val;
[53]	146	}
	147
	148
[78]	149	char* regfi_ace_perms2str(uint32 perms)
[53]	150	{
[76]	151	uint32 i, p;
	152	/* This is more than is needed by a fair margin. */
	153	char* ret_val = malloc(350*sizeof(char));
	154	char* r = ret_val;
	155
	156	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
	157	* For more information, see:
	158	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
	159	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
	160	*/
	161	static const char* perm_map[32] =
	162	{/* object-specific permissions (registry keys, in this case) */
	163	"QRY_VAL", /* KEY_QUERY_VALUE */
	164	"SET_VAL", /* KEY_SET_VALUE */
	165	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
	166	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
	167	"NOTIFY", /* KEY_NOTIFY */
	168	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
	169	NULL,
	170	NULL,
	171	"WOW64_64", /* KEY_WOW64_64KEY */
	172	"WOW64_32", /* KEY_WOW64_32KEY */
	173	NULL,
	174	NULL,
	175	NULL,
	176	NULL,
	177	NULL,
	178	NULL,
	179	/* standard access rights */
	180	"DELETE", /* DELETE */
	181	"R_CONT", /* READ_CONTROL */
	182	"W_DAC", /* WRITE_DAC */
	183	"W_OWNER", /* WRITE_OWNER */
	184	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
	185	NULL,
	186	NULL,
	187	NULL,
	188	/* other generic */
	189	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
	190	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
	191	NULL,
	192	NULL,
	193	"GEN_A", /* GENERIC_ALL */
	194	"GEN_X", /* GENERIC_EXECUTE */
	195	"GEN_W", /* GENERIC_WRITE */
	196	"GEN_R", /* GENERIC_READ */
	197	};
	198
	199
[53]	200	if(ret_val == NULL)
	201	return NULL;
	202
[76]	203	r[0] = '\0';
	204	for(i=0; i < 32; i++)
	205	{
	206	p = (1<<i);
	207	if((perms & p) && (perm_map[i] != NULL))
	208	{
	209	strcpy(r, perm_map[i]);
	210	r += strlen(perm_map[i]);
	211	*(r++) = ' ';
	212	perms ^= p;
	213	}
	214	}
	215
	216	/* Any remaining unknown permission bits are added at the end in hex. */
	217	if(perms != 0)
	218	sprintf(r, "0x%.8X ", perms);
[53]	219
[76]	220	/* Chop off the last space if we've written anything to ret_val */
	221	if(r != ret_val)
	222	r[-1] = '\0';
	223
[53]	224	return ret_val;
	225	}
	226
	227
[78]	228	char* regfi_sid2str(DOM_SID* sid)
[53]	229	{
	230	uint32 i, size = MAXSUBAUTHS*11 + 24;
	231	uint32 left = size;
	232	uint8 comps = sid->num_auths;
	233	char* ret_val = malloc(size);
	234
	235	if(ret_val == NULL)
	236	return NULL;
	237
	238	if(comps > MAXSUBAUTHS)
	239	comps = MAXSUBAUTHS;
	240
	241	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
	242
	243	for (i = 0; i < comps; i++)
	244	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
	245
	246	return ret_val;
	247	}
	248
	249
[78]	250	char* regfi_get_acl(SEC_ACL* acl)
[53]	251	{
	252	uint32 i, extra, size = 0;
	253	const char* type_str;
	254	char* flags_str;
	255	char* perms_str;
	256	char* sid_str;
[61]	257	char* ace_delim = "";
[53]	258	char* ret_val = NULL;
[61]	259	char* tmp_val = NULL;
	260	bool failed = false;
[53]	261	char field_delim = ':';
	262
[61]	263	for (i = 0; i < acl->num_aces && !failed; i++)
[53]	264	{
[78]	265	sid_str = regfi_sid2str(&acl->ace[i].trustee);
	266	type_str = regfi_ace_type2str(acl->ace[i].type);
	267	perms_str = regfi_ace_perms2str(acl->ace[i].info.mask);
	268	flags_str = regfi_ace_flags2str(acl->ace[i].flags);
[53]	269
[61]	270	if(flags_str != NULL && perms_str != NULL
	271	&& type_str != NULL && sid_str != NULL)
	272	{
	273	/* XXX: this is slow */
	274	extra = strlen(sid_str) + strlen(type_str)
	275	+ strlen(perms_str) + strlen(flags_str)+5;
	276	tmp_val = realloc(ret_val, size+extra);
[53]	277
[61]	278	if(tmp_val == NULL)
	279	{
	280	free(ret_val);
	281	failed = true;
	282	}
	283	else
	284	{
	285	ret_val = tmp_val;
	286	size += snprintf(ret_val+size, extra, "%s%s%c%s%c%s%c%s",
	287	ace_delim,sid_str,
	288	field_delim,type_str,
	289	field_delim,perms_str,
	290	field_delim,flags_str);
	291	ace_delim = "\|";
	292	}
	293	}
	294	else
	295	failed = true;
	296
	297	if(sid_str != NULL)
	298	free(sid_str);
	299	if(sid_str != NULL)
	300	free(perms_str);
	301	if(sid_str != NULL)
	302	free(flags_str);
[53]	303	}
	304
	305	return ret_val;
	306	}
	307
	308
[78]	309	char* regfi_get_sacl(SEC_DESC *sec_desc)
[53]	310	{
	311	if (sec_desc->sacl)
[78]	312	return regfi_get_acl(sec_desc->sacl);
[53]	313	else
	314	return NULL;
	315	}
	316
	317
[78]	318	char* regfi_get_dacl(SEC_DESC *sec_desc)
[53]	319	{
	320	if (sec_desc->dacl)
[78]	321	return regfi_get_acl(sec_desc->dacl);
[53]	322	else
	323	return NULL;
	324	}
	325
	326
[78]	327	char* regfi_get_owner(SEC_DESC *sec_desc)
[53]	328	{
[78]	329	return regfi_sid2str(sec_desc->owner_sid);
[53]	330	}
	331
	332
[78]	333	char* regfi_get_group(SEC_DESC *sec_desc)
[53]	334	{
[78]	335	return regfi_sid2str(sec_desc->grp_sid);
[53]	336	}
	337
	338
[30]	339	/*******************************************************************
	340	Input a randon offset and receive the correpsonding HBIN
	341	block for it
	342	*******************************************************************/
	343	static bool hbin_contains_offset( REGF_HBIN *hbin, uint32 offset )
	344	{
[31]	345	if ( !hbin )
	346	return false;
[30]	347
[31]	348	if ( (offset > hbin->first_hbin_off) && (offset < (hbin->first_hbin_off+hbin->block_size)) )
	349	return true;
[30]	350
[31]	351	return false;
[30]	352	}
	353
	354
	355	/*******************************************************************
	356	Input a randon offset and receive the correpsonding HBIN
	357	block for it
	358	*******************************************************************/
	359	static REGF_HBIN* lookup_hbin_block( REGF_FILE *file, uint32 offset )
	360	{
[31]	361	REGF_HBIN *hbin = NULL;
	362	uint32 block_off;
[30]	363
[31]	364	/* start with the open list */
[30]	365
[31]	366	for ( hbin=file->block_list; hbin; hbin=hbin->next ) {
	367	/* DEBUG(10,("lookup_hbin_block: address = 0x%x [0x%x]\n", hbin->file_off, (uint32)hbin ));*/
	368	if ( hbin_contains_offset( hbin, offset ) )
	369	return hbin;
	370	}
[30]	371
[31]	372	if ( !hbin ) {
	373	/* start at the beginning */
[30]	374
[31]	375	block_off = REGF_BLOCKSIZE;
	376	do {
	377	/* cleanup before the next round */
	378	if ( hbin )
	379	{
	380	if(hbin->ps.is_dynamic)
	381	SAFE_FREE(hbin->ps.data_p);
	382	hbin->ps.is_dynamic = false;
	383	hbin->ps.buffer_size = 0;
	384	hbin->ps.data_offset = 0;
	385	}
[30]	386
[97]	387	hbin = regfi_parse_hbin(file, block_off, true, false);
[30]	388
[31]	389	if ( hbin )
	390	block_off = hbin->file_off + hbin->block_size;
[30]	391
[31]	392	} while ( hbin && !hbin_contains_offset( hbin, offset ) );
	393	}
[30]	394
[31]	395	if ( hbin )
[80]	396	/* XXX: this kind of caching needs to be re-evaluated */
[31]	397	DLIST_ADD( file->block_list, hbin );
[30]	398
[31]	399	return hbin;
[30]	400	}
	401
	402
	403	/*******************************************************************
[31]	404	*******************************************************************/
[30]	405	static bool prs_hash_rec( const char desc, prs_struct ps, int depth, REGF_HASH_REC *hash )
	406	{
[31]	407	depth++;
[30]	408
[31]	409	if ( !prs_uint32( "nk_off", ps, depth, &hash->nk_off ))
	410	return false;
[84]	411	if ( !prs_uint8s("keycheck", ps, depth, hash->keycheck, sizeof( hash->keycheck )) )
[31]	412	return false;
[30]	413
[31]	414	return true;
[30]	415	}
	416
	417
	418	/*******************************************************************
[31]	419	*******************************************************************/
[53]	420	static bool hbin_prs_lf_records(const char desc, REGF_HBIN hbin,
	421	int depth, REGF_NK_REC *nk)
[30]	422	{
[31]	423	int i;
	424	REGF_LF_REC *lf = &nk->subkeys;
	425	uint32 data_size, start_off, end_off;
[30]	426
[31]	427	depth++;
[30]	428
[31]	429	/* check if we have anything to do first */
[30]	430
[31]	431	if ( nk->num_subkeys == 0 )
	432	return true;
[30]	433
[31]	434	/* move to the LF record */
[30]	435
[97]	436	if ( !prs_set_offset( &hbin->ps, nk->subkeys_off + HBIN_MAGIC_SIZE - hbin->first_hbin_off ) )
[31]	437	return false;
[30]	438
[31]	439	/* backup and get the data_size */
[30]	440
[31]	441	if ( !prs_set_offset( &hbin->ps, hbin->ps.data_offset-sizeof(uint32)) )
	442	return false;
	443	start_off = hbin->ps.data_offset;
[99]	444	if ( !prs_uint32( "cell_size", &hbin->ps, depth, &lf->cell_size ))
[31]	445	return false;
[30]	446
[84]	447	if(!prs_uint8s("header", &hbin->ps, depth,
[53]	448	lf->header, sizeof(lf->header)))
[31]	449	return false;
[30]	450
[31]	451	if ( !prs_uint16( "num_keys", &hbin->ps, depth, &lf->num_keys))
	452	return false;
[30]	453
[31]	454	if ( hbin->ps.io ) {
	455	if ( !(lf->hashes = (REGF_HASH_REC*)zcalloc(sizeof(REGF_HASH_REC), lf->num_keys )) )
	456	return false;
	457	}
[30]	458
[31]	459	for ( i=0; i<lf->num_keys; i++ ) {
	460	if ( !prs_hash_rec( "hash_rec", &hbin->ps, depth, &lf->hashes[i] ) )
	461	return false;
	462	}
[30]	463
[31]	464	end_off = hbin->ps.data_offset;
[30]	465
[31]	466	/* data_size must be divisible by 8 and large enough to hold the original record */
[30]	467
[31]	468	data_size = ((start_off - end_off) & 0xfffffff8 );
[99]	469	/* if ( data_size > lf->cell_size )*/
	470	/DEBUG(10,("Encountered reused record (0x%x < 0x%x)\n", data_size, lf->cell_size));/
[30]	471
[31]	472	return true;
[30]	473	}
	474
	475
	476	/*******************************************************************
[31]	477	*******************************************************************/
[30]	478	static bool hbin_prs_sk_rec( const char desc, REGF_HBIN hbin, int depth, REGF_SK_REC *sk )
	479	{
[31]	480	prs_struct *ps = &hbin->ps;
	481	uint16 tag = 0xFFFF;
	482	uint32 data_size, start_off, end_off;
[30]	483
	484
[31]	485	depth++;
[30]	486
[97]	487	if ( !prs_set_offset( &hbin->ps, sk->sk_off + HBIN_MAGIC_SIZE - hbin->first_hbin_off ) )
[31]	488	return false;
[30]	489
[31]	490	/* backup and get the data_size */
[30]	491
[31]	492	if ( !prs_set_offset( &hbin->ps, hbin->ps.data_offset-sizeof(uint32)) )
	493	return false;
	494	start_off = hbin->ps.data_offset;
[99]	495	if ( !prs_uint32( "cell_size", &hbin->ps, depth, &sk->cell_size ))
[31]	496	return false;
[30]	497
[84]	498	if (!prs_uint8s("header", ps, depth, sk->header, sizeof(sk->header)))
[31]	499	return false;
	500	if ( !prs_uint16( "tag", ps, depth, &tag))
	501	return false;
[30]	502
[31]	503	if ( !prs_uint32( "prev_sk_off", ps, depth, &sk->prev_sk_off))
	504	return false;
	505	if ( !prs_uint32( "next_sk_off", ps, depth, &sk->next_sk_off))
	506	return false;
	507	if ( !prs_uint32( "ref_count", ps, depth, &sk->ref_count))
	508	return false;
	509	if ( !prs_uint32( "size", ps, depth, &sk->size))
	510	return false;
[30]	511
[31]	512	if ( !sec_io_desc( "sec_desc", &sk->sec_desc, ps, depth ))
	513	return false;
[30]	514
[31]	515	end_off = hbin->ps.data_offset;
[30]	516
[31]	517	/* data_size must be divisible by 8 and large enough to hold the original record */
[30]	518
[31]	519	data_size = ((start_off - end_off) & 0xfffffff8 );
[99]	520	/* if ( data_size > sk->cell_size )*/
	521	/DEBUG(10,("Encountered reused record (0x%x < 0x%x)\n", data_size, sk->cell_size));/
[30]	522
[31]	523	return true;
[30]	524	}
	525
	526
	527	/*******************************************************************
[31]	528	*******************************************************************/
[30]	529	static bool hbin_prs_vk_rec( const char desc, REGF_HBIN hbin, int depth,
	530	REGF_VK_REC vk, REGF_FILE file )
	531	{
[31]	532	uint32 offset;
	533	uint16 name_length;
	534	prs_struct *ps = &hbin->ps;
	535	uint32 data_size, start_off, end_off;
[30]	536
[31]	537	depth++;
[30]	538
[31]	539	/* backup and get the data_size */
[30]	540
[31]	541	if ( !prs_set_offset( &hbin->ps, hbin->ps.data_offset-sizeof(uint32)) )
	542	return false;
	543	start_off = hbin->ps.data_offset;
[99]	544	if ( !prs_uint32( "cell_size", &hbin->ps, depth, &vk->cell_size ))
[31]	545	return false;
[30]	546
[84]	547	if ( !prs_uint8s("header", ps, depth, vk->header, sizeof( vk->header )) )
[31]	548	return false;
[30]	549
[31]	550	if ( !hbin->ps.io )
	551	name_length = strlen(vk->valuename);
[30]	552
[31]	553	if ( !prs_uint16( "name_length", ps, depth, &name_length ))
	554	return false;
	555	if ( !prs_uint32( "data_size", ps, depth, &vk->data_size ))
	556	return false;
	557	if ( !prs_uint32( "data_off", ps, depth, &vk->data_off ))
	558	return false;
	559	if ( !prs_uint32( "type", ps, depth, &vk->type))
	560	return false;
	561	if ( !prs_uint16( "flag", ps, depth, &vk->flag))
	562	return false;
[30]	563
[31]	564	offset = ps->data_offset;
	565	offset += 2; /* skip 2 bytes */
	566	prs_set_offset( ps, offset );
[30]	567
[31]	568	/* get the name */
[30]	569
[31]	570	if ( vk->flag&VK_FLAG_NAME_PRESENT ) {
[30]	571
[31]	572	if ( hbin->ps.io ) {
	573	if ( !(vk->valuename = (char*)zcalloc(sizeof(char), name_length+1 )))
	574	return false;
	575	}
[84]	576	if ( !prs_uint8s("name", ps, depth,
[53]	577	(uint8*)vk->valuename, name_length) )
[31]	578	return false;
	579	}
[30]	580
[31]	581	end_off = hbin->ps.data_offset;
[30]	582
[31]	583	/* get the data if necessary */
[30]	584
[32]	585	if ( vk->data_size != 0 )
	586	{
[31]	587	/* the data is stored in the offset if the size <= 4 */
[32]	588	if ( !(vk->data_size & VK_DATA_IN_OFFSET) )
	589	{
[31]	590	REGF_HBIN *hblock = hbin;
	591	uint32 data_rec_size;
[30]	592
[32]	593	if ( hbin->ps.io )
	594	{
[31]	595	if ( !(vk->data = (uint8*)zcalloc(sizeof(uint8), vk->data_size) ) )
	596	return false;
	597	}
[30]	598
[31]	599	/* this data can be in another hbin */
[32]	600	if ( !hbin_contains_offset( hbin, vk->data_off ) )
	601	{
[31]	602	if ( !(hblock = lookup_hbin_block( file, vk->data_off )) )
	603	return false;
	604	}
[32]	605	if (!(prs_set_offset(&hblock->ps,
	606	(vk->data_off
[97]	607	+ HBIN_MAGIC_SIZE
[32]	608	- hblock->first_hbin_off)
	609	- sizeof(uint32))))
	610	{ return false; }
[30]	611
[32]	612	if ( !hblock->ps.io )
	613	{
[31]	614	data_rec_size = ( (vk->data_size+sizeof(uint32)) & 0xfffffff8 ) + 8;
	615	data_rec_size = ( data_rec_size - 1 ) ^ 0xFFFFFFFF;
	616	}
	617	if ( !prs_uint32( "data_rec_size", &hblock->ps, depth, &data_rec_size ))
	618	return false;
[84]	619	if(!prs_uint8s("data", &hblock->ps, depth,
[32]	620	vk->data, vk->data_size))
[31]	621	return false;
[30]	622
[31]	623	}
[32]	624	else
	625	{
	626	if(!(vk->data = zcalloc(sizeof(uint8), 4)))
[31]	627	return false;
	628	SIVAL( vk->data, 0, vk->data_off );
	629	}
[30]	630
[31]	631	}
[30]	632
[31]	633	/* data_size must be divisible by 8 and large enough to hold the original record */
[30]	634
[31]	635	data_size = ((start_off - end_off ) & 0xfffffff8 );
[77]	636	/* XXX: should probably print a warning here */
[99]	637	/*if ( data_size != vk->cell_size )
	638	DEBUG(10,("prs_vk_rec: data_size check failed (0x%x < 0x%x)\n", data_size, vk->cell_size));*/
[30]	639
[31]	640	return true;
[30]	641	}
	642
	643
	644	/*******************************************************************
	645	read a VK record which is contained in the HBIN block stored
	646	in the prs_struct *ps.
	647	*******************************************************************/
[32]	648	static bool hbin_prs_vk_records(const char desc, REGF_HBIN hbin,
	649	int depth, REGF_NK_REC nk, REGF_FILE file)
[30]	650	{
[31]	651	int i;
	652	uint32 record_size;
[30]	653
[31]	654	depth++;
[80]	655
[31]	656	/* check if we have anything to do first */
[32]	657	if(nk->num_values == 0)
[31]	658	return true;
[80]	659
[32]	660	if(hbin->ps.io)
	661	{
	662	if (!(nk->values = (REGF_VK_REC*)zcalloc(sizeof(REGF_VK_REC),
	663	nk->num_values )))
[31]	664	return false;
	665	}
[80]	666
[31]	667	/* convert the offset to something relative to this HBIN block */
[32]	668	if (!prs_set_offset(&hbin->ps,
	669	nk->values_off
[97]	670	+ HBIN_MAGIC_SIZE
[32]	671	- hbin->first_hbin_off
	672	- sizeof(uint32)))
	673	{ return false; }
[30]	674
[32]	675	if ( !hbin->ps.io )
	676	{
[31]	677	record_size = ( ( nk->num_values * sizeof(uint32) ) & 0xfffffff8 ) + 8;
	678	record_size = (record_size - 1) ^ 0xFFFFFFFF;
	679	}
[30]	680
[31]	681	if ( !prs_uint32( "record_size", &hbin->ps, depth, &record_size ) )
	682	return false;
[80]	683
[32]	684	for ( i=0; i<nk->num_values; i++ )
	685	{
[31]	686	if ( !prs_uint32( "vk_off", &hbin->ps, depth, &nk->values[i].rec_off ) )
	687	return false;
	688	}
[30]	689
[32]	690	for ( i=0; i<nk->num_values; i++ )
	691	{
[31]	692	REGF_HBIN *sub_hbin = hbin;
	693	uint32 new_offset;
[30]	694
[32]	695	if ( !hbin_contains_offset( hbin, nk->values[i].rec_off ) )
	696	{
[31]	697	sub_hbin = lookup_hbin_block( file, nk->values[i].rec_off );
[32]	698	if ( !sub_hbin )
[31]	699	return false;
	700	}
[80]	701
[32]	702	new_offset = nk->values[i].rec_off
[97]	703	+ HBIN_MAGIC_SIZE
[32]	704	- sub_hbin->first_hbin_off;
	705
	706	if (!prs_set_offset(&sub_hbin->ps, new_offset))
[31]	707	return false;
[32]	708	if (!hbin_prs_vk_rec("vk_rec", sub_hbin, depth, &nk->values[i], file))
[31]	709	return false;
	710	}
[30]	711
[31]	712	return true;
[30]	713	}
	714
	715
	716	/*******************************************************************
[31]	717	*******************************************************************/
[30]	718	static REGF_SK_REC* find_sk_record_by_offset( REGF_FILE *file, uint32 offset )
	719	{
[31]	720	REGF_SK_REC *p_sk;
[80]	721
[31]	722	for ( p_sk=file->sec_desc_list; p_sk; p_sk=p_sk->next ) {
	723	if ( p_sk->sk_off == offset )
	724	return p_sk;
	725	}
[80]	726
[31]	727	return NULL;
[30]	728	}
	729
[32]	730
[30]	731	/*******************************************************************
[31]	732	*******************************************************************/
[30]	733	static REGF_SK_REC* find_sk_record_by_sec_desc( REGF_FILE file, SEC_DESC sd )
	734	{
[31]	735	REGF_SK_REC *p;
[30]	736
[31]	737	for ( p=file->sec_desc_list; p; p=p->next ) {
	738	if ( sec_desc_equal( p->sec_desc, sd ) )
	739	return p;
	740	}
[30]	741
[31]	742	/* failure */
[30]	743
[31]	744	return NULL;
[30]	745	}
	746
[32]	747
[30]	748	/*******************************************************************
[31]	749	*******************************************************************/
[99]	750	static REGF_NK_REC* hbin_prs_key(REGF_FILE file, REGF_HBIN hbin)
[30]	751	{
[99]	752	REGF_HBIN* sub_hbin;
	753	REGF_NK_REC* nk;
	754	uint32 nk_cell_offset;
	755	uint32 nk_max_length;
[31]	756	int depth = 0;
[99]	757
[31]	758	depth++;
[30]	759
[31]	760	/* get the initial nk record */
[99]	761	nk_cell_offset = hbin->file_off + hbin->ps.data_offset - sizeof(uint32);
	762	nk_max_length = hbin->block_size - hbin->ps.data_offset + sizeof(uint32);
	763	if ((nk = regfi_parse_nk(file, nk_cell_offset, nk_max_length, true)) == NULL)
	764	return NULL;
[30]	765
[31]	766	/* fill in values */
[32]	767	if ( nk->num_values && (nk->values_off!=REGF_OFFSET_NONE) )
	768	{
[31]	769	sub_hbin = hbin;
[32]	770	if ( !hbin_contains_offset( hbin, nk->values_off ) )
	771	{
[31]	772	sub_hbin = lookup_hbin_block( file, nk->values_off );
[32]	773	if ( !sub_hbin )
	774	{
[31]	775	/*DEBUG(0,("hbin_prs_key: Failed to find HBIN block containing value_list_offset [0x%x]\n",
	776	nk->values_off));*/
[99]	777	return NULL;
[31]	778	}
	779	}
[30]	780
[32]	781	if(!hbin_prs_vk_records("vk_rec", sub_hbin, depth, nk, file))
[99]	782	return NULL;
[31]	783	}
[30]	784
[31]	785	/* now get subkeys */
[32]	786	if ( nk->num_subkeys && (nk->subkeys_off!=REGF_OFFSET_NONE) )
	787	{
[31]	788	sub_hbin = hbin;
[32]	789	if ( !hbin_contains_offset( hbin, nk->subkeys_off ) )
	790	{
[31]	791	sub_hbin = lookup_hbin_block( file, nk->subkeys_off );
[32]	792	if ( !sub_hbin )
	793	{
[31]	794	/*DEBUG(0,("hbin_prs_key: Failed to find HBIN block containing subkey_offset [0x%x]\n",
	795	nk->subkeys_off));*/
[99]	796	return NULL;
[31]	797	}
	798	}
[30]	799
[32]	800	if (!hbin_prs_lf_records("lf_rec", sub_hbin, depth, nk))
[99]	801	return NULL;
[31]	802	}
[30]	803
[31]	804	/* get the to the security descriptor. First look if we have already parsed it */
[30]	805
[32]	806	if ((nk->sk_off!=REGF_OFFSET_NONE)
	807	&& !(nk->sec_desc = find_sk_record_by_offset( file, nk->sk_off )))
	808	{
[31]	809	sub_hbin = hbin;
[32]	810	if (!hbin_contains_offset(hbin, nk->sk_off))
	811	{
[31]	812	sub_hbin = lookup_hbin_block( file, nk->sk_off );
[99]	813	if ( !sub_hbin )
	814	{
	815	free(nk);
[31]	816	/*DEBUG(0,("hbin_prs_key: Failed to find HBIN block containing sk_offset [0x%x]\n",
	817	nk->subkeys_off));*/
[99]	818	return NULL;
[31]	819	}
	820	}
[99]	821
[31]	822	if ( !(nk->sec_desc = (REGF_SK_REC*)zalloc(sizeof(REGF_SK_REC) )) )
[99]	823	return NULL;
[31]	824	nk->sec_desc->sk_off = nk->sk_off;
	825	if ( !hbin_prs_sk_rec( "sk_rec", sub_hbin, depth, nk->sec_desc ))
[99]	826	return NULL;
[30]	827
[31]	828	/* add to the list of security descriptors (ref_count has been read from the files) */
[30]	829
[31]	830	nk->sec_desc->sk_off = nk->sk_off;
[80]	831	/* XXX: this kind of caching needs to be re-evaluated */
[31]	832	DLIST_ADD( file->sec_desc_list, nk->sec_desc );
	833	}
[99]	834
	835	return nk;
[30]	836	}
	837
[32]	838
[30]	839	/*******************************************************************
[31]	840	*******************************************************************/
[30]	841	static bool next_record( REGF_HBIN hbin, const char hdr, bool *eob )
	842	{
[53]	843	uint8 header[REC_HDR_SIZE] = "";
[31]	844	uint32 record_size;
	845	uint32 curr_off, block_size;
	846	bool found = false;
	847	prs_struct *ps = &hbin->ps;
[30]	848
[31]	849	curr_off = ps->data_offset;
	850	if ( curr_off == 0 )
[97]	851	prs_set_offset( ps, HBIN_HEADER_REC_SIZE+4 );
[30]	852
[31]	853	/* assume that the current offset is at the reacord header
	854	and we need to backup to read the record size */
	855	curr_off -= sizeof(uint32);
[30]	856
[31]	857	block_size = ps->buffer_size;
	858	record_size = 0;
[32]	859	while ( !found )
	860	{
[31]	861	curr_off = curr_off+record_size;
	862	if ( curr_off >= block_size )
	863	break;
[30]	864
[31]	865	if ( !prs_set_offset( &hbin->ps, curr_off) )
	866	return false;
[30]	867
[31]	868	if ( !prs_uint32( "record_size", ps, 0, &record_size ) )
	869	return false;
[84]	870	if ( !prs_uint8s("header", ps, 0, header, REC_HDR_SIZE ) )
[31]	871	return false;
[30]	872
[31]	873	if ( record_size & 0x80000000 ) {
	874	/* absolute_value(record_size) */
	875	record_size = (record_size ^ 0xffffffff) + 1;
	876	}
[30]	877
[31]	878	if ( memcmp( header, hdr, REC_HDR_SIZE ) == 0 ) {
	879	found = true;
	880	curr_off += sizeof(uint32);
	881	}
	882	}
[30]	883
[31]	884	/* mark prs_struct as done ( at end ) if no more SK records */
[32]	885	/* mark end-of-block as true */
	886	if ( !found )
[31]	887	{
	888	prs_set_offset( &hbin->ps, hbin->ps.buffer_size );
	889	*eob = true;
	890	return false;
	891	}
[32]	892
	893	if (!prs_set_offset(ps, curr_off))
[31]	894	return false;
[30]	895
[31]	896	return true;
[30]	897	}
	898
	899
	900	/*******************************************************************
[31]	901	*******************************************************************/
[99]	902	static REGF_NK_REC* next_nk_record(REGF_FILE file, REGF_HBIN hbin, bool *eob)
[30]	903	{
[99]	904	REGF_NK_REC* ret_val;
	905	if(next_record(hbin, "nk", eob)
	906	&& (ret_val = hbin_prs_key(file, hbin)) != NULL)
	907	return ret_val;
	908
	909	fprintf(stderr, "ACK!");
	910	return NULL;
[30]	911	}
	912
	913
	914	/*******************************************************************
[97]	915	* Open the registry file and then read in the REGF block to get the
	916	* first hbin offset.
	917	*******************************************************************/
	918	REGF_FILE* regfi_open(const char* filename)
[30]	919	{
[97]	920	REGF_FILE* rb;
	921	int fd;
[31]	922	int flags = O_RDONLY;
[30]	923
[97]	924	/* open an existing file */
	925	if ((fd = open(filename, flags)) == -1)
	926	{
[78]	927	/* DEBUG(0,("regfi_open: failure to open %s (%s)\n", filename, strerror(errno)));*/
[31]	928	return NULL;
	929	}
[99]	930
[31]	931	/* read in an existing file */
[97]	932	if ((rb = regfi_parse_regf(fd, true)) == NULL)
	933	{
[78]	934	/* DEBUG(0,("regfi_open: Failed to read initial REGF block\n"));*/
[97]	935	close(fd);
[31]	936	return NULL;
	937	}
[99]	938
	939	rb->hbins = range_list_new();
	940	rb->unalloc_cells = range_list_new();
	941	if((rb->hbins == NULL) \|\| (rb->unalloc_cells == NULL))
	942	{
	943	close(fd);
	944	free(rb);
	945	return NULL;
	946	}
	947
[31]	948	/* success */
	949	return rb;
[30]	950	}
	951
	952
	953	/*******************************************************************
[31]	954	*******************************************************************/
[78]	955	int regfi_close( REGF_FILE *file )
[30]	956	{
[31]	957	int fd;
[30]	958
[31]	959	/* nothing to do if there is no open file */
[99]	960	if ((file == NULL) \|\| (file->fd == -1))
	961	return 0;
[30]	962
[31]	963	fd = file->fd;
	964	file->fd = -1;
[99]	965	range_list_free(file->hbins);
	966	range_list_free(file->unalloc_cells);
	967	free(file);
[30]	968
[31]	969	return close( fd );
[30]	970	}
	971
	972
[80]	973	/******************************************************************************
	974	* There should be only one root key in the registry file based
	975	* on my experience. --jerry
	976	*****************************************************************************/
[78]	977	REGF_NK_REC* regfi_rootkey( REGF_FILE *file )
[30]	978	{
[31]	979	REGF_NK_REC *nk;
	980	REGF_HBIN *hbin;
	981	uint32 offset = REGF_BLOCKSIZE;
	982	bool found = false;
	983	bool eob;
[99]	984
	985	if(!file)
[31]	986	return NULL;
[99]	987
[31]	988	/* scan through the file on HBIN block at a time looking
	989	for an NK record with a type == 0x002c.
	990	Normally this is the first nk record in the first hbin
	991	block (but I'm not assuming that for now) */
[30]	992
[99]	993	while((hbin = regfi_parse_hbin(file, offset, true, false)))
	994	{
[31]	995	eob = false;
[30]	996
[99]	997	while(!eob)
	998	{
	999	if((nk = next_nk_record(file, hbin, &eob)) != NULL)
	1000	{
	1001	if ( nk->key_type == NK_TYPE_ROOTKEY )
	1002	{
[31]	1003	found = true;
	1004	break;
	1005	}
	1006	}
	1007	if(hbin->ps.is_dynamic)
	1008	SAFE_FREE(hbin->ps.data_p);
	1009	hbin->ps.is_dynamic = false;
	1010	hbin->ps.buffer_size = 0;
	1011	hbin->ps.data_offset = 0;
	1012	}
[30]	1013
[99]	1014	if(found)
[31]	1015	break;
[30]	1016
[31]	1017	offset += hbin->block_size;
	1018	}
[99]	1019
	1020	if (!found) {
[78]	1021	/DEBUG(0,("regfi_rootkey: corrupt registry file ? No root key record located\n"));/
[31]	1022	return NULL;
	1023	}
[30]	1024
[80]	1025	/* XXX: this kind of caching needs to be re-evaluated */
[31]	1026	DLIST_ADD( file->block_list, hbin );
[30]	1027
[80]	1028	return nk;
[30]	1029	}
	1030
	1031
[80]	1032	/******************************************************************************
	1033	*****************************************************************************/
	1034	void regfi_key_free(REGF_NK_REC* nk)
[30]	1035	{
[80]	1036	uint32 i;
	1037
	1038	if((nk->values != NULL) && (nk->values_off!=REGF_OFFSET_NONE))
	1039	{
	1040	for(i=0; i < nk->num_values; i++)
[81]	1041	{
	1042	if(nk->values[i].valuename != NULL)
	1043	free(nk->values[i].valuename);
	1044	if(nk->values[i].data != NULL)
	1045	free(nk->values[i].data);
	1046	}
[80]	1047	free(nk->values);
	1048	}
[30]	1049
[80]	1050	if(nk->keyname != NULL)
	1051	free(nk->keyname);
	1052	if(nk->classname != NULL)
	1053	free(nk->classname);
	1054
	1055	/* XXX: not freeing hbin because these are cached. This needs to be reviewed. */
	1056	/* XXX: not freeing sec_desc because these are cached. This needs to be reviewed. */
	1057	free(nk);
	1058	}
	1059
	1060
	1061	/******************************************************************************
	1062	*****************************************************************************/
	1063	REGFI_ITERATOR* regfi_iterator_new(REGF_FILE* fh)
	1064	{
	1065	REGF_NK_REC* root;
	1066	REGFI_ITERATOR* ret_val = (REGFI_ITERATOR*)malloc(sizeof(REGFI_ITERATOR));
	1067	if(ret_val == NULL)
	1068	return NULL;
	1069
[81]	1070	root = regfi_rootkey(fh);
[80]	1071	if(root == NULL)
	1072	{
	1073	free(ret_val);
	1074	return NULL;
	1075	}
	1076
	1077	ret_val->key_positions = void_stack_new(REGF_MAX_DEPTH);
	1078	if(ret_val->key_positions == NULL)
	1079	{
	1080	free(ret_val);
	1081	free(root);
	1082	return NULL;
	1083	}
	1084
	1085	ret_val->f = fh;
	1086	ret_val->cur_key = root;
	1087	ret_val->cur_subkey = 0;
	1088	ret_val->cur_value = 0;
	1089
	1090	return ret_val;
	1091	}
	1092
	1093
	1094	/******************************************************************************
	1095	*****************************************************************************/
	1096	void regfi_iterator_free(REGFI_ITERATOR* i)
	1097	{
	1098	REGFI_ITER_POSITION* cur;
	1099
	1100	if(i->cur_key != NULL)
	1101	regfi_key_free(i->cur_key);
	1102
	1103	while((cur = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions)) != NULL)
	1104	{
	1105	regfi_key_free(cur->nk);
	1106	free(cur);
	1107	}
	1108
	1109	free(i);
	1110	}
	1111
	1112
	1113
	1114	/******************************************************************************
	1115	*****************************************************************************/
	1116	/* XXX: some way of indicating reason for failure should be added. */
	1117	bool regfi_iterator_down(REGFI_ITERATOR* i)
	1118	{
	1119	REGF_NK_REC* subkey;
	1120	REGFI_ITER_POSITION* pos;
	1121
	1122	pos = (REGFI_ITER_POSITION*)malloc(sizeof(REGFI_ITER_POSITION));
	1123	if(pos == NULL)
	1124	return false;
	1125
[84]	1126	subkey = (REGF_NK_REC*)regfi_iterator_cur_subkey(i);
[80]	1127	if(subkey == NULL)
	1128	{
	1129	free(pos);
	1130	return false;
	1131	}
	1132
	1133	pos->nk = i->cur_key;
	1134	pos->cur_subkey = i->cur_subkey;
	1135	if(!void_stack_push(i->key_positions, pos))
	1136	{
	1137	free(pos);
	1138	regfi_key_free(subkey);
	1139	return false;
	1140	}
	1141
	1142	i->cur_key = subkey;
	1143	i->cur_subkey = 0;
	1144	i->cur_value = 0;
	1145
	1146	return true;
	1147	}
	1148
	1149
	1150	/******************************************************************************
	1151	*****************************************************************************/
	1152	bool regfi_iterator_up(REGFI_ITERATOR* i)
	1153	{
	1154	REGFI_ITER_POSITION* pos;
	1155
	1156	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
	1157	if(pos == NULL)
	1158	return false;
	1159
	1160	regfi_key_free(i->cur_key);
	1161	i->cur_key = pos->nk;
	1162	i->cur_subkey = pos->cur_subkey;
	1163	i->cur_value = 0;
	1164	free(pos);
	1165
	1166	return true;
	1167	}
	1168
	1169
	1170	/******************************************************************************
	1171	*****************************************************************************/
	1172	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
	1173	{
	1174	while(regfi_iterator_up(i))
	1175	continue;
	1176
	1177	return true;
	1178	}
	1179
	1180
	1181	/******************************************************************************
	1182	*****************************************************************************/
	1183	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
	1184	{
	1185	REGF_NK_REC* subkey;
	1186	bool found = false;
	1187	uint32 old_subkey = i->cur_subkey;
	1188
	1189	if(subkey_name == NULL)
	1190	return false;
	1191
	1192	/* XXX: this alloc/free of each sub key might be a bit excessive */
[84]	1193	subkey = (REGF_NK_REC*)regfi_iterator_first_subkey(i);
[80]	1194	while((subkey != NULL) && (found == false))
	1195	{
	1196	if(subkey->keyname != NULL
	1197	&& strcasecmp(subkey->keyname, subkey_name) == 0)
	1198	found = true;
[82]	1199	else
	1200	{
	1201	regfi_key_free(subkey);
[84]	1202	subkey = (REGF_NK_REC*)regfi_iterator_next_subkey(i);
[82]	1203	}
[80]	1204	}
	1205
	1206	if(found == false)
	1207	{
	1208	i->cur_subkey = old_subkey;
	1209	return false;
	1210	}
	1211
[82]	1212	regfi_key_free(subkey);
[80]	1213	return true;
	1214	}
	1215
	1216
	1217	/******************************************************************************
	1218	*****************************************************************************/
	1219	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
	1220	{
	1221	uint32 x;
	1222	if(path == NULL)
	1223	return false;
	1224
	1225	for(x=0;
	1226	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
	1227	&& regfi_iterator_down(i));
	1228	x++)
	1229	{ continue; }
	1230
	1231	if(path[x] == NULL)
	1232	return true;
	1233
	1234	/* XXX: is this the right number of times? */
	1235	for(; x > 0; x--)
	1236	regfi_iterator_up(i);
	1237
	1238	return false;
	1239	}
	1240
	1241
	1242	/******************************************************************************
	1243	*****************************************************************************/
[84]	1244	const REGF_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]	1245	{
	1246	return i->cur_key;
	1247	}
	1248
	1249
	1250	/******************************************************************************
	1251	*****************************************************************************/
[84]	1252	const REGF_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]	1253	{
	1254	i->cur_subkey = 0;
	1255	return regfi_iterator_cur_subkey(i);
	1256	}
	1257
	1258
	1259	/******************************************************************************
	1260	*****************************************************************************/
[84]	1261	const REGF_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]	1262	{
	1263	REGF_NK_REC* subkey;
	1264	REGF_HBIN* hbin;
	1265	uint32 nk_offset;
	1266
[31]	1267	/* see if there is anything left to report */
[80]	1268	if (!(i->cur_key) \|\| (i->cur_key->subkeys_off==REGF_OFFSET_NONE)
	1269	\|\| (i->cur_subkey >= i->cur_key->num_subkeys))
[31]	1270	return NULL;
[30]	1271
[80]	1272	nk_offset = i->cur_key->subkeys.hashes[i->cur_subkey].nk_off;
	1273
[31]	1274	/* find the HBIN block which should contain the nk record */
[80]	1275	hbin = lookup_hbin_block(i->f, nk_offset);
	1276	if(!hbin)
[31]	1277	{
[80]	1278	/* XXX: should print out some kind of error message every time here */
[31]	1279	/*DEBUG(0,("hbin_prs_key: Failed to find HBIN block containing offset [0x%x]\n",
[80]	1280	i->cur_key->subkeys.hashes[i->cur_subkey].nk_off));*/
[31]	1281	return NULL;
	1282	}
[78]	1283
[32]	1284	if(!prs_set_offset(&hbin->ps,
[97]	1285	HBIN_MAGIC_SIZE + nk_offset - hbin->first_hbin_off))
[31]	1286	return NULL;
[30]	1287
[99]	1288	if((subkey = hbin_prs_key(i->f, hbin)) == NULL)
[31]	1289	return NULL;
[30]	1290
[31]	1291	return subkey;
[30]	1292	}
[80]	1293
	1294
	1295	/******************************************************************************
	1296	*****************************************************************************/
	1297	/* XXX: some way of indicating reason for failure should be added. */
[84]	1298	const REGF_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]	1299	{
[84]	1300	const REGF_NK_REC* subkey;
[80]	1301
	1302	i->cur_subkey++;
	1303	subkey = regfi_iterator_cur_subkey(i);
	1304
	1305	if(subkey == NULL)
	1306	i->cur_subkey--;
	1307
	1308	return subkey;
	1309	}
	1310
	1311
	1312	/******************************************************************************
	1313	*****************************************************************************/
	1314	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
	1315	{
[84]	1316	const REGF_VK_REC* cur;
[80]	1317	bool found = false;
	1318
	1319	/* XXX: cur->valuename can be NULL in the registry.
	1320	* Should we allow for a way to search for that?
	1321	*/
	1322	if(value_name == NULL)
	1323	return false;
	1324
	1325	cur = regfi_iterator_first_value(i);
	1326	while((cur != NULL) && (found == false))
	1327	{
	1328	if((cur->valuename != NULL)
	1329	&& (strcasecmp(cur->valuename, value_name) == 0))
	1330	found = true;
[95]	1331	else
	1332	cur = regfi_iterator_next_value(i);
[80]	1333	}
	1334
[94]	1335	return found;
[80]	1336	}
	1337
	1338
	1339	/******************************************************************************
	1340	*****************************************************************************/
[84]	1341	const REGF_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]	1342	{
	1343	i->cur_value = 0;
	1344	return regfi_iterator_cur_value(i);
	1345	}
	1346
	1347
	1348	/******************************************************************************
	1349	*****************************************************************************/
[84]	1350	const REGF_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]	1351	{
	1352	REGF_VK_REC* ret_val = NULL;
	1353	if(i->cur_value < i->cur_key->num_values)
[81]	1354	ret_val = &(i->cur_key->values[i->cur_value]);
[80]	1355
	1356	return ret_val;
	1357	}
	1358
	1359
	1360	/******************************************************************************
	1361	*****************************************************************************/
[84]	1362	const REGF_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]	1363	{
[84]	1364	const REGF_VK_REC* ret_val;
[80]	1365
	1366	i->cur_value++;
	1367	ret_val = regfi_iterator_cur_value(i);
	1368	if(ret_val == NULL)
	1369	i->cur_value--;
	1370
	1371	return ret_val;
	1372	}
[97]	1373
	1374
	1375
	1376	/****************/
	1377	/* Experimental */
	1378	/****************/
	1379	/*
	1380	typedef struct {
	1381	uint32 offset;
	1382	uint32 size;
	1383	} REGFI_CELL_INFO;
	1384
	1385	typedef struct {
	1386	uint32 count
	1387	REGFI_CELL_INFO** cells;
	1388	} REGFI_CELL_LIST;
	1389	*/
	1390
	1391
	1392	/*******************************************************************
	1393	* Computes the checksum of the registry file header.
	1394	* buffer must be at least the size of an regf header (4096 bytes).
	1395	*******************************************************************/
	1396	static uint32 regfi_compute_header_checksum(uint8* buffer)
	1397	{
	1398	uint32 checksum, x;
	1399	int i;
	1400
	1401	/* XOR of all bytes 0x0000 - 0x01FB */
	1402
	1403	checksum = x = 0;
	1404
	1405	for ( i=0; i<0x01FB; i+=4 ) {
	1406	x = IVAL(buffer, i );
	1407	checksum ^= x;
	1408	}
	1409
	1410	return checksum;
	1411	}
	1412
	1413
	1414	/*******************************************************************
	1415	* TODO: add way to return more detailed error information.
	1416	*******************************************************************/
	1417	REGF_FILE* regfi_parse_regf(int fd, bool strict)
	1418	{
	1419	uint8 file_header[REGF_BLOCKSIZE];
	1420	uint32 ret, length;
	1421	uint32 file_length;
	1422	struct stat sbuf;
	1423	REGF_FILE* ret_val;
	1424
	1425	/* Determine file length. Must be at least big enough
	1426	* for the header and one hbin.
	1427	*/
	1428	if (fstat(fd, &sbuf) == -1)
	1429	return NULL;
	1430	file_length = sbuf.st_size;
	1431	if(file_length < REGF_BLOCKSIZE+REGF_ALLOC_BLOCK)
	1432	return NULL;
	1433
	1434	ret_val = (REGF_FILE*)zalloc(sizeof(REGF_FILE));
	1435	if(ret_val == NULL)
	1436	return NULL;
	1437
	1438	ret_val->fd = fd;
	1439	ret_val->file_length = file_length;
	1440
	1441	length = REGF_BLOCKSIZE;
	1442	if((ret = regfi_read(fd, file_header, &length)) != 0
	1443	\|\| length != REGF_BLOCKSIZE)
	1444	{
	1445	free(ret_val);
	1446	return NULL;
	1447	}
	1448
	1449	ret_val->checksum = IVAL(file_header, 0x1FC);
	1450	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
	1451	if (strict && (ret_val->checksum != ret_val->computed_checksum))
	1452	{
	1453	free(ret_val);
	1454	return NULL;
	1455	}
	1456
	1457	memcpy(ret_val->magic, file_header, 4);
	1458	if(strict && (memcmp(ret_val->magic, "regf", 4) != 0))
	1459	{
	1460	free(ret_val);
	1461	return NULL;
	1462	}
	1463
	1464	ret_val->unknown1 = IVAL(file_header, 0x4);
	1465	ret_val->unknown2 = IVAL(file_header, 0x8);
	1466
	1467	ret_val->mtime.low = IVAL(file_header, 0xC);
	1468	ret_val->mtime.high = IVAL(file_header, 0x10);
	1469
	1470	ret_val->unknown3 = IVAL(file_header, 0x14);
	1471	ret_val->unknown4 = IVAL(file_header, 0x18);
	1472	ret_val->unknown5 = IVAL(file_header, 0x1C);
	1473	ret_val->unknown6 = IVAL(file_header, 0x20);
	1474
	1475	ret_val->data_offset = IVAL(file_header, 0x24);
	1476	ret_val->last_block = IVAL(file_header, 0x28);
	1477
	1478	ret_val->unknown7 = IVAL(file_header, 0x2C);
	1479
	1480	return ret_val;
	1481	}
	1482
	1483
	1484
	1485	/*******************************************************************
	1486	* Given real file offset, read and parse the hbin at that location
	1487	* along with it's associated cells. If save_unalloc is true, a list
	1488	* of unallocated cell offsets will be stored in TODO.
	1489	*******************************************************************/
	1490	/* TODO: Need a way to return types of errors. Also need to free
	1491	* the hbin/ps when an error occurs.
	1492	*/
	1493	REGF_HBIN* regfi_parse_hbin(REGF_FILE* file, uint32 offset,
	1494	bool strict, bool save_unalloc)
	1495	{
	1496	REGF_HBIN *hbin;
	1497	uint8 hbin_header[HBIN_HEADER_REC_SIZE];
	1498	uint32 length, curr_off;
	1499	int32 cell_len;
	1500	bool is_unalloc;
[99]	1501
	1502	if(offset >= file->file_length)
	1503	return NULL;
[97]	1504
	1505	if(lseek(file->fd, offset, SEEK_SET) == -1)
	1506	return NULL;
	1507
	1508	length = HBIN_HEADER_REC_SIZE;
	1509	if((regfi_read(file->fd, hbin_header, &length) != 0)
	1510	\|\| length != HBIN_HEADER_REC_SIZE)
	1511	return NULL;
	1512
[99]	1513
[97]	1514	if(lseek(file->fd, offset, SEEK_SET) == -1)
	1515	return NULL;
	1516
[99]	1517	if(!(hbin = (REGF_HBIN*)zalloc(sizeof(REGF_HBIN))))
	1518	return NULL;
	1519	hbin->file_off = offset;
	1520
[97]	1521	memcpy(hbin->magic, hbin_header, 4);
	1522	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
[99]	1523	{
	1524	free(hbin);
[97]	1525	return NULL;
[99]	1526	}
[97]	1527
	1528	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
	1529	hbin->block_size = IVAL(hbin_header, 0x8);
	1530	/* this should be the same thing as hbin->block_size but just in case */
	1531	hbin->next_block = IVAL(hbin_header, 0x1C);
	1532
	1533
	1534	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
	1535	* the end of the file.
	1536	*/
	1537	/* TODO: This may need to be relaxed for dealing with
	1538	* partial or corrupt files. */
	1539	if((offset + hbin->block_size > file->file_length)
	1540	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
[99]	1541	{
	1542	free(hbin);
[97]	1543	return NULL;
[99]	1544	}
[97]	1545
	1546	/* TODO: need to get rid of this, but currently lots depends on the
	1547	* ps structure.
	1548	*/
	1549	if(!prs_init(&hbin->ps, hbin->block_size, file->mem_ctx, UNMARSHALL))
[99]	1550	{
	1551	free(hbin);
[97]	1552	return NULL;
[99]	1553	}
[97]	1554	length = hbin->block_size;
	1555	if((regfi_read(file->fd, (uint8*)hbin->ps.data_p, &length) != 0)
	1556	\|\| length != hbin->block_size)
[99]	1557	{
	1558	free(hbin);
[97]	1559	return NULL;
[99]	1560	}
[97]	1561
	1562
	1563	if(save_unalloc)
	1564	{
	1565	cell_len = 0;
	1566	curr_off = HBIN_HEADER_REC_SIZE;
	1567	while ( curr_off < hbin->block_size )
	1568	{
[99]	1569	is_unalloc = false;
[97]	1570	cell_len = IVALS(hbin->ps.data_p, curr_off);
	1571	if(cell_len > 0)
	1572	is_unalloc = true;
	1573	else
	1574	cell_len = -1*cell_len;
	1575
	1576	if((cell_len == 0) \|\| ((cell_len & 0xFFFFFFFC) != cell_len))
	1577	/* TODO: should report an error here. */
	1578	break;
	1579
	1580	/* for some reason the record_size of the last record in
	1581	an hbin block can extend past the end of the block
	1582	even though the record fits within the remaining
	1583	space....aaarrrgggghhhhhh */
	1584	if(curr_off + cell_len >= hbin->block_size)
	1585	cell_len = hbin->block_size - curr_off;
	1586
	1587	if(is_unalloc)
[99]	1588	range_list_add(file->unalloc_cells, hbin->file_off+curr_off,
	1589	cell_len, NULL);
[97]	1590
	1591	curr_off = curr_off+cell_len;
	1592	}
	1593	}
	1594
	1595	/* TODO: need to get rid of this, but currently lots depends on the
	1596	* ps structure.
	1597	*/
	1598	if(!prs_set_offset(&hbin->ps, file->data_offset+HBIN_MAGIC_SIZE))
	1599	return NULL;
	1600
	1601	return hbin;
	1602	}
	1603
	1604
[99]	1605	REGF_NK_REC* regfi_parse_nk(REGF_FILE* file, uint32 offset,
	1606	uint32 max_size, bool strict)
	1607	{
	1608	uint8 nk_header[REGFI_NK_MIN_LENGTH];
	1609	REGF_NK_REC* ret_val;
	1610	uint32 length;
	1611	if(lseek(file->fd, offset, SEEK_SET) == -1)
	1612	return NULL;
	1613
	1614	length = REGFI_NK_MIN_LENGTH;
	1615	if((regfi_read(file->fd, nk_header, &length) != 0)
	1616	\|\| length != REGFI_NK_MIN_LENGTH)
	1617	return NULL;
	1618
	1619	/* A bit of validation before bothering to allocate memory */
	1620	if(strict && ((nk_header[0x4] != 'n') \|\| (nk_header[0x5] != 'k')))
	1621	return NULL;
	1622
	1623	ret_val = (REGF_NK_REC*)zalloc(sizeof(REGF_NK_REC));
	1624	if(ret_val == NULL)
	1625	return NULL;
	1626
	1627	ret_val->offset = offset;
	1628	ret_val->cell_size = IVAL(nk_header, 0x0);
	1629	if(ret_val->cell_size > max_size)
	1630	ret_val->cell_size = max_size & 0xFFFFFFF8;
	1631	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
	1632	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
	1633	{
	1634	free(ret_val);
	1635	return NULL;
	1636	}
	1637
	1638	ret_val->header[0] = nk_header[0x4];
	1639	ret_val->header[1] = nk_header[0x5];
	1640	ret_val->key_type = SVAL(nk_header, 0x6);
	1641	if(strict && ((ret_val->key_type != NK_TYPE_NORMALKEY)
	1642	&& (ret_val->key_type != NK_TYPE_ROOTKEY)
	1643	&& (ret_val->key_type != NK_TYPE_LINKKEY)))
	1644	{
	1645	free(ret_val);
	1646	return NULL;
	1647	}
	1648
	1649	ret_val->mtime.low = IVAL(nk_header, 0x8);
	1650	ret_val->mtime.high = IVAL(nk_header, 0xC);
	1651
	1652	ret_val->unknown1 = IVAL(nk_header, 0x10);
	1653	ret_val->parent_off = IVAL(nk_header, 0x14);
	1654	ret_val->num_subkeys = IVAL(nk_header, 0x18);
	1655	ret_val->unknown2 = IVAL(nk_header, 0x1C);
	1656	ret_val->subkeys_off = IVAL(nk_header, 0x20);
	1657	ret_val->unknown3 = IVAL(nk_header, 0x24);
	1658	ret_val->num_values = IVAL(nk_header, 0x28);
	1659	ret_val->values_off = IVAL(nk_header, 0x2C);
	1660	ret_val->sk_off = IVAL(nk_header, 0x30);
	1661	/* TODO: currently we do nothing with class names. Need to investigate. */
	1662	ret_val->classname_off = IVAL(nk_header, 0x34);
	1663
	1664	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x38);
	1665	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x3C);
	1666	ret_val->max_bytes_valuename = IVAL(nk_header, 0x40);
	1667	ret_val->max_bytes_value = IVAL(nk_header, 0x44);
	1668	ret_val->unk_index = IVAL(nk_header, 0x48);
	1669
	1670	ret_val->name_length = SVAL(nk_header, 0x4C);
	1671	ret_val->classname_length = SVAL(nk_header, 0x4E);
	1672
	1673	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
	1674	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
	1675
	1676	ret_val->keyname = (char)zalloc(sizeof(char)(ret_val->name_length+1));
	1677	if(ret_val->keyname == NULL)
	1678	{
	1679	free(ret_val);
	1680	return NULL;
	1681	}
	1682
	1683	/* Don't need to seek, should be at the right offset */
	1684	length = ret_val->name_length;
	1685	if((regfi_read(file->fd, ret_val->keyname, &length) != 0)
	1686	\|\| length != ret_val->name_length)
	1687	{
	1688	free(ret_val->keyname);
	1689	free(ret_val);
	1690	return NULL;
	1691	}
	1692	ret_val->keyname[ret_val->name_length] = '\0';
	1693
	1694	return ret_val;
	1695	}
	1696
	1697
	1698
[97]	1699	/*****************************************************************************
	1700	* This function is just like read(2), except that it continues to
	1701	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
	1702	* regfi_read will attempt to read length bytes from fd and write them to buf.
	1703	*
	1704	* On success, 0 is returned. Upon failure, an errno code is returned.
	1705	*
	1706	* The number of bytes successfully read is returned through the length
	1707	* parameter by reference. If both the return value and length parameter are
	1708	* returned as 0, then EOF was encountered immediately
	1709	*****************************************************************************/
	1710	uint32 regfi_read(int fd, uint8* buf, uint32* length)
	1711	{
	1712	uint32 rsize = 0;
	1713	uint32 rret = 0;
	1714
	1715	do
	1716	{
	1717	rret = read(fd, buf + rsize, *length - rsize);
	1718	if(rret > 0)
	1719	rsize += rret;
	1720	}while(*length - rsize > 0
	1721	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
	1722
	1723	*length = rsize;
	1724	if (rret == -1 && errno != EINTR && errno != EAGAIN)
	1725	return errno;
	1726
	1727	return 0;
	1728	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: