Context Navigation

source: trunk/lib/regfi.c @ 103

Last change on this file since 103 was 103, checked in by tim, 16 years ago
rewrote value list parsing routine
Property svn:keywords set to `Id`
File size: 45.6 KB

Rev	Line
[30]	1	/*
	2	* Branched from Samba project Subversion repository, version #7470:
[84]	3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
[30]	4	*
	5	* Unix SMB/CIFS implementation.
	6	* Windows NT registry I/O library
	7	*
[97]	8	* Copyright (C) 2005-2008 Timothy D. Morgan
[30]	9	* Copyright (C) 2005 Gerald (Jerry) Carter
	10	*
	11	* This program is free software; you can redistribute it and/or modify
	12	* it under the terms of the GNU General Public License as published by
	13	* the Free Software Foundation; version 2 of the License.
	14	*
	15	* This program is distributed in the hope that it will be useful,
	16	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	* GNU General Public License for more details.
	19	*
	20	* You should have received a copy of the GNU General Public License
	21	* along with this program; if not, write to the Free Software
	22	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	23	*
	24	* $Id: regfi.c 103 2008-04-03 19:45:41Z tim $
	25	*/
	26
[81]	27	#include "../include/regfi.h"
[30]	28
	29
[32]	30	/* Registry types mapping */
[78]	31	const unsigned int regfi_num_reg_types = 12;
	32	static const char* regfi_type_names[] =
[65]	33	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]	34	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]	35
[32]	36
	37	/* Returns NULL on error */
[78]	38	const char* regfi_type_val2str(unsigned int val)
[32]	39	{
[61]	40	if(val == REG_KEY)
	41	return "KEY";
	42
[78]	43	if(val >= regfi_num_reg_types)
[61]	44	return NULL;
	45
[78]	46	return regfi_type_names[val];
[32]	47	}
	48
	49
[61]	50	/* Returns -1 on error */
[78]	51	int regfi_type_str2val(const char* str)
[32]	52	{
	53	int i;
	54
[61]	55	if(strcmp("KEY", str) == 0)
	56	return REG_KEY;
[32]	57
[78]	58	for(i=0; i < regfi_num_reg_types; i++)
	59	if (strcmp(regfi_type_names[i], str) == 0)
[61]	60	return i;
	61
	62	if(strcmp("DWORD_LE", str) == 0)
	63	return REG_DWORD_LE;
	64
	65	return -1;
[32]	66	}
	67
	68
[53]	69	/* Security descriptor parsing functions */
	70
[78]	71	const char* regfi_ace_type2str(uint8 type)
[53]	72	{
	73	static const char* map[7]
	74	= {"ALLOW", "DENY", "AUDIT", "ALARM",
	75	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
	76	if(type < 7)
	77	return map[type];
	78	else
	79	/* XXX: would be nice to return the unknown integer value.
	80	* However, as it is a const string, it can't be free()ed later on,
	81	* so that would need to change.
	82	*/
	83	return "UNKNOWN";
	84	}
	85
	86
[76]	87	/* XXX: need a better reference on the meaning of each flag. */
	88	/* For more info, see:
	89	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
	90	*/
[78]	91	char* regfi_ace_flags2str(uint8 flags)
[53]	92	{
[76]	93	static const char* flag_map[32] =
[87]	94	{ "OI", /* Object Inherit */
	95	"CI", /* Container Inherit */
	96	"NP", /* Non-Propagate */
	97	"IO", /* Inherit Only */
	98	"IA", /* Inherited ACE */
[76]	99	NULL,
	100	NULL,
	101	NULL,
	102	};
[53]	103
[76]	104	char* ret_val = malloc(35*sizeof(char));
	105	char* fo = ret_val;
	106	uint32 i;
	107	uint8 f;
	108
	109	if(ret_val == NULL)
[53]	110	return NULL;
	111
[76]	112	fo[0] = '\0';
[53]	113	if (!flags)
[76]	114	return ret_val;
[53]	115
[76]	116	for(i=0; i < 8; i++)
	117	{
	118	f = (1<<i);
	119	if((flags & f) && (flag_map[i] != NULL))
	120	{
	121	strcpy(fo, flag_map[i]);
	122	fo += strlen(flag_map[i]);
	123	*(fo++) = ' ';
	124	flags ^= f;
	125	}
[53]	126	}
[76]	127
	128	/* Any remaining unknown flags are added at the end in hex. */
	129	if(flags != 0)
	130	sprintf(fo, "0x%.2X ", flags);
	131
	132	/* Chop off the last space if we've written anything to ret_val */
	133	if(fo != ret_val)
	134	fo[-1] = '\0';
	135
	136	/* XXX: what was this old VI flag for??
	137	XXX: Is this check right? 0xF == 1\|2\|4\|8, which makes it redundant...
[53]	138	if (flags == 0xF) {
	139	if (some) strcat(flg_output, " ");
	140	some = 1;
	141	strcat(flg_output, "VI");
	142	}
[76]	143	*/
[53]	144
[76]	145	return ret_val;
[53]	146	}
	147
	148
[78]	149	char* regfi_ace_perms2str(uint32 perms)
[53]	150	{
[76]	151	uint32 i, p;
	152	/* This is more than is needed by a fair margin. */
	153	char* ret_val = malloc(350*sizeof(char));
	154	char* r = ret_val;
	155
	156	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
	157	* For more information, see:
	158	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
	159	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
	160	*/
	161	static const char* perm_map[32] =
	162	{/* object-specific permissions (registry keys, in this case) */
	163	"QRY_VAL", /* KEY_QUERY_VALUE */
	164	"SET_VAL", /* KEY_SET_VALUE */
	165	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
	166	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
	167	"NOTIFY", /* KEY_NOTIFY */
	168	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
	169	NULL,
	170	NULL,
	171	"WOW64_64", /* KEY_WOW64_64KEY */
	172	"WOW64_32", /* KEY_WOW64_32KEY */
	173	NULL,
	174	NULL,
	175	NULL,
	176	NULL,
	177	NULL,
	178	NULL,
	179	/* standard access rights */
	180	"DELETE", /* DELETE */
	181	"R_CONT", /* READ_CONTROL */
	182	"W_DAC", /* WRITE_DAC */
	183	"W_OWNER", /* WRITE_OWNER */
	184	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
	185	NULL,
	186	NULL,
	187	NULL,
	188	/* other generic */
	189	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
	190	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
	191	NULL,
	192	NULL,
	193	"GEN_A", /* GENERIC_ALL */
	194	"GEN_X", /* GENERIC_EXECUTE */
	195	"GEN_W", /* GENERIC_WRITE */
	196	"GEN_R", /* GENERIC_READ */
	197	};
	198
	199
[53]	200	if(ret_val == NULL)
	201	return NULL;
	202
[76]	203	r[0] = '\0';
	204	for(i=0; i < 32; i++)
	205	{
	206	p = (1<<i);
	207	if((perms & p) && (perm_map[i] != NULL))
	208	{
	209	strcpy(r, perm_map[i]);
	210	r += strlen(perm_map[i]);
	211	*(r++) = ' ';
	212	perms ^= p;
	213	}
	214	}
	215
	216	/* Any remaining unknown permission bits are added at the end in hex. */
	217	if(perms != 0)
	218	sprintf(r, "0x%.8X ", perms);
[53]	219
[76]	220	/* Chop off the last space if we've written anything to ret_val */
	221	if(r != ret_val)
	222	r[-1] = '\0';
	223
[53]	224	return ret_val;
	225	}
	226
	227
[78]	228	char* regfi_sid2str(DOM_SID* sid)
[53]	229	{
	230	uint32 i, size = MAXSUBAUTHS*11 + 24;
	231	uint32 left = size;
	232	uint8 comps = sid->num_auths;
	233	char* ret_val = malloc(size);
	234
	235	if(ret_val == NULL)
	236	return NULL;
	237
	238	if(comps > MAXSUBAUTHS)
	239	comps = MAXSUBAUTHS;
	240
	241	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
	242
	243	for (i = 0; i < comps; i++)
	244	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
	245
	246	return ret_val;
	247	}
	248
	249
[78]	250	char* regfi_get_acl(SEC_ACL* acl)
[53]	251	{
	252	uint32 i, extra, size = 0;
	253	const char* type_str;
	254	char* flags_str;
	255	char* perms_str;
	256	char* sid_str;
[61]	257	char* ace_delim = "";
[53]	258	char* ret_val = NULL;
[61]	259	char* tmp_val = NULL;
	260	bool failed = false;
[53]	261	char field_delim = ':';
	262
[61]	263	for (i = 0; i < acl->num_aces && !failed; i++)
[53]	264	{
[78]	265	sid_str = regfi_sid2str(&acl->ace[i].trustee);
	266	type_str = regfi_ace_type2str(acl->ace[i].type);
	267	perms_str = regfi_ace_perms2str(acl->ace[i].info.mask);
	268	flags_str = regfi_ace_flags2str(acl->ace[i].flags);
[53]	269
[61]	270	if(flags_str != NULL && perms_str != NULL
	271	&& type_str != NULL && sid_str != NULL)
	272	{
	273	/* XXX: this is slow */
	274	extra = strlen(sid_str) + strlen(type_str)
	275	+ strlen(perms_str) + strlen(flags_str)+5;
	276	tmp_val = realloc(ret_val, size+extra);
[53]	277
[61]	278	if(tmp_val == NULL)
	279	{
	280	free(ret_val);
	281	failed = true;
	282	}
	283	else
	284	{
	285	ret_val = tmp_val;
	286	size += snprintf(ret_val+size, extra, "%s%s%c%s%c%s%c%s",
	287	ace_delim,sid_str,
	288	field_delim,type_str,
	289	field_delim,perms_str,
	290	field_delim,flags_str);
	291	ace_delim = "\|";
	292	}
	293	}
	294	else
	295	failed = true;
	296
	297	if(sid_str != NULL)
	298	free(sid_str);
	299	if(sid_str != NULL)
	300	free(perms_str);
	301	if(sid_str != NULL)
	302	free(flags_str);
[53]	303	}
	304
	305	return ret_val;
	306	}
	307
	308
[78]	309	char* regfi_get_sacl(SEC_DESC *sec_desc)
[53]	310	{
	311	if (sec_desc->sacl)
[78]	312	return regfi_get_acl(sec_desc->sacl);
[53]	313	else
	314	return NULL;
	315	}
	316
	317
[78]	318	char* regfi_get_dacl(SEC_DESC *sec_desc)
[53]	319	{
	320	if (sec_desc->dacl)
[78]	321	return regfi_get_acl(sec_desc->dacl);
[53]	322	else
	323	return NULL;
	324	}
	325
	326
[78]	327	char* regfi_get_owner(SEC_DESC *sec_desc)
[53]	328	{
[78]	329	return regfi_sid2str(sec_desc->owner_sid);
[53]	330	}
	331
	332
[78]	333	char* regfi_get_group(SEC_DESC *sec_desc)
[53]	334	{
[78]	335	return regfi_sid2str(sec_desc->grp_sid);
[53]	336	}
	337
	338
[101]	339	/*****************************************************************************
	340	* This function is just like read(2), except that it continues to
	341	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
	342	* regfi_read will attempt to read length bytes from fd and write them to buf.
	343	*
	344	* On success, 0 is returned. Upon failure, an errno code is returned.
	345	*
	346	* The number of bytes successfully read is returned through the length
	347	* parameter by reference. If both the return value and length parameter are
	348	* returned as 0, then EOF was encountered immediately
	349	*****************************************************************************/
	350	uint32 regfi_read(int fd, uint8* buf, uint32* length)
	351	{
	352	uint32 rsize = 0;
	353	uint32 rret = 0;
	354
	355	do
	356	{
	357	rret = read(fd, buf + rsize, *length - rsize);
	358	if(rret > 0)
	359	rsize += rret;
	360	}while(*length - rsize > 0
	361	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
	362
	363	*length = rsize;
	364	if (rret == -1 && errno != EINTR && errno != EAGAIN)
	365	return errno;
	366
	367	return 0;
	368	}
	369
	370
	371	/*****************************************************************************
	372	*
	373	*****************************************************************************/
	374	static bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len,
	375	uint32* cell_length, bool* unalloc)
	376	{
	377	uint32 length;
	378	int32 raw_length;
	379	uint8 tmp[4];
	380
	381	if(lseek(fd, offset, SEEK_SET) == -1)
	382	return false;
	383
	384	length = 4;
	385	if((regfi_read(fd, tmp, &length) != 0) \|\| length != 4)
	386	return false;
	387	raw_length = IVALS(tmp, 0);
	388
	389	if(raw_length < 0)
	390	{
	391	(cell_length) = raw_length(-1);
	392	(*unalloc) = false;
	393	}
	394	else
	395	{
	396	(*cell_length) = raw_length;
	397	(*unalloc) = true;
	398	}
	399
[103]	400	if(*cell_length - 4 < hdr_len)
	401	return false;
	402
	403	if(hdr_len > 0)
	404	{
	405	length = hdr_len;
	406	if((regfi_read(fd, hdr, &length) != 0) \|\| length != hdr_len)
	407	return false;
	408	}
	409
[101]	410	return true;
	411	}
	412
	413
[30]	414	/*******************************************************************
[101]	415	Input a random offset and receive the correpsonding HBIN
[30]	416	block for it
	417	*******************************************************************/
	418	static bool hbin_contains_offset( REGF_HBIN *hbin, uint32 offset )
	419	{
[31]	420	if ( !hbin )
	421	return false;
[30]	422
[31]	423	if ( (offset > hbin->first_hbin_off) && (offset < (hbin->first_hbin_off+hbin->block_size)) )
	424	return true;
[30]	425
[31]	426	return false;
[30]	427	}
	428
	429
	430	/*******************************************************************
[102]	431	Input a random offset and receive the correpsonding HBIN
[30]	432	block for it
	433	*******************************************************************/
	434	static REGF_HBIN* lookup_hbin_block( REGF_FILE *file, uint32 offset )
	435	{
[31]	436	REGF_HBIN *hbin = NULL;
	437	uint32 block_off;
[30]	438
[31]	439	/* start with the open list */
[30]	440
[31]	441	for ( hbin=file->block_list; hbin; hbin=hbin->next ) {
	442	/* DEBUG(10,("lookup_hbin_block: address = 0x%x [0x%x]\n", hbin->file_off, (uint32)hbin ));*/
	443	if ( hbin_contains_offset( hbin, offset ) )
	444	return hbin;
	445	}
[30]	446
[31]	447	if ( !hbin ) {
	448	/* start at the beginning */
[30]	449
[31]	450	block_off = REGF_BLOCKSIZE;
	451	do {
	452	/* cleanup before the next round */
	453	if ( hbin )
	454	{
	455	if(hbin->ps.is_dynamic)
	456	SAFE_FREE(hbin->ps.data_p);
	457	hbin->ps.is_dynamic = false;
	458	hbin->ps.buffer_size = 0;
	459	hbin->ps.data_offset = 0;
	460	}
[30]	461
[97]	462	hbin = regfi_parse_hbin(file, block_off, true, false);
[30]	463
[31]	464	if ( hbin )
	465	block_off = hbin->file_off + hbin->block_size;
[30]	466
[31]	467	} while ( hbin && !hbin_contains_offset( hbin, offset ) );
	468	}
[30]	469
[31]	470	if ( hbin )
[80]	471	/* XXX: this kind of caching needs to be re-evaluated */
[31]	472	DLIST_ADD( file->block_list, hbin );
[30]	473
[31]	474	return hbin;
[30]	475	}
	476
	477
	478	/*******************************************************************
[31]	479	*******************************************************************/
[30]	480	static bool prs_hash_rec( const char desc, prs_struct ps, int depth, REGF_HASH_REC *hash )
	481	{
[31]	482	depth++;
[30]	483
[31]	484	if ( !prs_uint32( "nk_off", ps, depth, &hash->nk_off ))
	485	return false;
[84]	486	if ( !prs_uint8s("keycheck", ps, depth, hash->keycheck, sizeof( hash->keycheck )) )
[31]	487	return false;
[30]	488
[31]	489	return true;
[30]	490	}
	491
	492
	493	/*******************************************************************
[31]	494	*******************************************************************/
[53]	495	static bool hbin_prs_lf_records(const char desc, REGF_HBIN hbin,
	496	int depth, REGF_NK_REC *nk)
[30]	497	{
[31]	498	int i;
	499	REGF_LF_REC *lf = &nk->subkeys;
	500	uint32 data_size, start_off, end_off;
[30]	501
[31]	502	depth++;
[30]	503
[31]	504	/* check if we have anything to do first */
[30]	505
[31]	506	if ( nk->num_subkeys == 0 )
	507	return true;
[30]	508
[31]	509	/* move to the LF record */
[30]	510
[97]	511	if ( !prs_set_offset( &hbin->ps, nk->subkeys_off + HBIN_MAGIC_SIZE - hbin->first_hbin_off ) )
[31]	512	return false;
[30]	513
[31]	514	/* backup and get the data_size */
[30]	515
[31]	516	if ( !prs_set_offset( &hbin->ps, hbin->ps.data_offset-sizeof(uint32)) )
	517	return false;
	518	start_off = hbin->ps.data_offset;
[99]	519	if ( !prs_uint32( "cell_size", &hbin->ps, depth, &lf->cell_size ))
[31]	520	return false;
[30]	521
[84]	522	if(!prs_uint8s("header", &hbin->ps, depth,
[53]	523	lf->header, sizeof(lf->header)))
[31]	524	return false;
[101]	525
	526	/fprintf(stdout, "DEBUG: lf->header=%c%c\n", lf->header[0], lf->header[1]);/
	527
[31]	528	if ( !prs_uint16( "num_keys", &hbin->ps, depth, &lf->num_keys))
	529	return false;
[30]	530
[31]	531	if ( hbin->ps.io ) {
	532	if ( !(lf->hashes = (REGF_HASH_REC*)zcalloc(sizeof(REGF_HASH_REC), lf->num_keys )) )
	533	return false;
	534	}
[30]	535
[31]	536	for ( i=0; i<lf->num_keys; i++ ) {
	537	if ( !prs_hash_rec( "hash_rec", &hbin->ps, depth, &lf->hashes[i] ) )
	538	return false;
	539	}
[30]	540
[31]	541	end_off = hbin->ps.data_offset;
[30]	542
[31]	543	/* data_size must be divisible by 8 and large enough to hold the original record */
[30]	544
[31]	545	data_size = ((start_off - end_off) & 0xfffffff8 );
[99]	546	/* if ( data_size > lf->cell_size )*/
	547	/DEBUG(10,("Encountered reused record (0x%x < 0x%x)\n", data_size, lf->cell_size));/
[30]	548
[31]	549	return true;
[30]	550	}
	551
	552
[102]	553
[30]	554	/*******************************************************************
[31]	555	*******************************************************************/
[102]	556	REGF_SK_REC* regfi_parse_sk(REGF_FILE* file, uint32 offset, uint32 max_size, bool strict)
[30]	557	{
[102]	558	REGF_SK_REC* ret_val;
	559	uint32 cell_length, length;
	560	prs_struct ps;
	561	uint8 sk_header[REGFI_SK_MIN_LENGTH];
	562	bool unalloc = false;
[30]	563
	564
[102]	565	if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH,
	566	&cell_length, &unalloc))
	567	return NULL;
	568
	569	if(sk_header[0] != 's' \|\| sk_header[1] != 'k')
	570	return NULL;
	571
	572	ret_val = (REGF_SK_REC*)zalloc(sizeof(REGF_SK_REC));
	573	if(ret_val == NULL)
	574	return NULL;
[30]	575
[102]	576	ret_val->offset = offset;
	577	ret_val->cell_size = cell_length;
[30]	578
[102]	579	if(ret_val->cell_size > max_size)
	580	ret_val->cell_size = max_size & 0xFFFFFFF8;
	581	if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
	582	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
	583	{
	584	free(ret_val);
	585	return NULL;
	586	}
[30]	587
	588
[102]	589	ret_val->magic[0] = sk_header[0];
	590	ret_val->magic[1] = sk_header[1];
[30]	591
[102]	592	ret_val->unknown_tag = SVAL(sk_header, 0x2);
	593	ret_val->prev_sk_off = IVAL(sk_header, 0x4);
	594	ret_val->next_sk_off = IVAL(sk_header, 0x8);
	595	ret_val->ref_count = IVAL(sk_header, 0xC);
	596	ret_val->desc_size = IVAL(sk_header, 0x10);
[30]	597
[102]	598	if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
	599	{
	600	free(ret_val);
	601	return NULL;
	602	}
[30]	603
[102]	604	/* TODO: need to get rid of this, but currently the security descriptor
	605	* code depends on the ps structure.
	606	*/
	607	if(!prs_init(&ps, ret_val->desc_size, NULL, UNMARSHALL))
	608	{
	609	free(ret_val);
	610	return NULL;
	611	}
[30]	612
[102]	613	length = ret_val->desc_size;
	614	if(regfi_read(file->fd, (uint8*)ps.data_p, &length) != 0
	615	\|\| length != ret_val->desc_size)
	616	{
	617	free(ret_val);
	618	return NULL;
	619	}
[30]	620
[102]	621	if (!sec_io_desc("sec_desc", &ret_val->sec_desc, &ps, 0))
	622	{
	623	free(ret_val);
	624	return NULL;
	625	}
	626
	627	free(ps.data_p);
	628
	629	return ret_val;
[30]	630	}
	631
	632
	633
[103]	634	/******************************************************************************
	635	*
	636	******************************************************************************/
	637	REGF_VK_REC** regfi_load_valuelist(REGF_FILE* file, uint32 offset,
	638	uint32 num_values)
[30]	639	{
[103]	640	REGF_VK_REC** ret_val;
[101]	641	REGF_HBIN* sub_hbin;
[103]	642	uint8* buf;
	643	uint32 i, cell_length, vk_raw_offset, vk_offset, vk_max_length, buf_len;
	644	bool unalloc;
[30]	645
[103]	646	buf_len = sizeof(uint8) * 4 * num_values;
	647	buf = (uint8*)zalloc(buf_len);
	648	if(buf == NULL)
	649	return NULL;
	650
	651	if(!regfi_parse_cell(file->fd, offset, buf, buf_len, &cell_length, &unalloc))
[32]	652	{
[103]	653	free(buf);
	654	return NULL;
[31]	655	}
[30]	656
[103]	657	ret_val = (REGF_VK_REC*)zalloc(sizeof(REGF_VK_REC) * num_values);
	658	if(ret_val == NULL)
	659	{
	660	free(buf);
	661	return NULL;
[31]	662	}
[103]	663
	664	for (i=0; i < num_values; i++)
[32]	665	{
[103]	666	vk_raw_offset = IVAL(buf, i*4);
[101]	667
[103]	668	sub_hbin = lookup_hbin_block(file, vk_raw_offset);
	669	if (!sub_hbin)
[32]	670	{
[103]	671	free(buf);
	672	free(ret_val);
	673	return NULL;
[31]	674	}
[103]	675
[101]	676	vk_offset = vk_raw_offset + REGF_BLOCKSIZE;
	677	vk_max_length = sub_hbin->block_size - vk_offset + sizeof(uint32);
[103]	678	ret_val[i] = regfi_parse_vk(file, vk_offset, vk_max_length, true);
	679	if(ret_val[i] == NULL)
	680	{
	681	free(buf);
	682	free(ret_val);
	683	return NULL;
	684	}
[31]	685	}
[30]	686
[103]	687	free(buf);
	688	return ret_val;
[30]	689	}
	690
	691
	692	/*******************************************************************
[31]	693	*******************************************************************/
[30]	694	static REGF_SK_REC* find_sk_record_by_offset( REGF_FILE *file, uint32 offset )
	695	{
[31]	696	REGF_SK_REC *p_sk;
[80]	697
[31]	698	for ( p_sk=file->sec_desc_list; p_sk; p_sk=p_sk->next ) {
	699	if ( p_sk->sk_off == offset )
	700	return p_sk;
	701	}
[80]	702
[31]	703	return NULL;
[30]	704	}
	705
[32]	706
[30]	707	/*******************************************************************
[31]	708	*******************************************************************/
[30]	709	static REGF_SK_REC* find_sk_record_by_sec_desc( REGF_FILE file, SEC_DESC sd )
	710	{
[31]	711	REGF_SK_REC *p;
[30]	712
[31]	713	for ( p=file->sec_desc_list; p; p=p->next ) {
	714	if ( sec_desc_equal( p->sec_desc, sd ) )
	715	return p;
	716	}
[30]	717
[31]	718	/* failure */
[30]	719
[31]	720	return NULL;
[30]	721	}
	722
[32]	723
[30]	724	/*******************************************************************
[31]	725	*******************************************************************/
[99]	726	static REGF_NK_REC* hbin_prs_key(REGF_FILE file, REGF_HBIN hbin)
[30]	727	{
[99]	728	REGF_HBIN* sub_hbin;
	729	REGF_NK_REC* nk;
	730	uint32 nk_cell_offset;
	731	uint32 nk_max_length;
[102]	732	uint32 sk_max_length;
[31]	733	int depth = 0;
[99]	734
[31]	735	depth++;
[30]	736
[31]	737	/* get the initial nk record */
[99]	738	nk_cell_offset = hbin->file_off + hbin->ps.data_offset - sizeof(uint32);
	739	nk_max_length = hbin->block_size - hbin->ps.data_offset + sizeof(uint32);
	740	if ((nk = regfi_parse_nk(file, nk_cell_offset, nk_max_length, true)) == NULL)
[101]	741	{
	742	fprintf(stderr, "DEBUG: regfi_parse_nk returned NULL!\n");
[99]	743	return NULL;
[101]	744	}
[30]	745
[31]	746	/* fill in values */
[32]	747	if ( nk->num_values && (nk->values_off!=REGF_OFFSET_NONE) )
	748	{
[31]	749	sub_hbin = hbin;
[32]	750	if ( !hbin_contains_offset( hbin, nk->values_off ) )
	751	{
[31]	752	sub_hbin = lookup_hbin_block( file, nk->values_off );
[32]	753	if ( !sub_hbin )
	754	{
[31]	755	/*DEBUG(0,("hbin_prs_key: Failed to find HBIN block containing value_list_offset [0x%x]\n",
	756	nk->values_off));*/
[99]	757	return NULL;
[31]	758	}
	759	}
[103]	760
	761	nk->values = regfi_load_valuelist(file, nk->values_off+REGF_BLOCKSIZE,
	762	nk->num_values);
	763	if(nk->values == NULL)
	764	{
	765	printf("values borked!\n");
[99]	766	return NULL;
[103]	767	}
[31]	768	}
[30]	769
[31]	770	/* now get subkeys */
[32]	771	if ( nk->num_subkeys && (nk->subkeys_off!=REGF_OFFSET_NONE) )
	772	{
[31]	773	sub_hbin = hbin;
[32]	774	if ( !hbin_contains_offset( hbin, nk->subkeys_off ) )
	775	{
[31]	776	sub_hbin = lookup_hbin_block( file, nk->subkeys_off );
[32]	777	if ( !sub_hbin )
	778	{
[31]	779	/*DEBUG(0,("hbin_prs_key: Failed to find HBIN block containing subkey_offset [0x%x]\n",
	780	nk->subkeys_off));*/
[99]	781	return NULL;
[31]	782	}
	783	}
[103]	784
[32]	785	if (!hbin_prs_lf_records("lf_rec", sub_hbin, depth, nk))
[99]	786	return NULL;
[31]	787	}
[30]	788
[102]	789	/* get the security descriptor. First look if we have already parsed it */
[103]	790	if ((nk->sk_off!=REGF_OFFSET_NONE)
[32]	791	&& !(nk->sec_desc = find_sk_record_by_offset( file, nk->sk_off )))
	792	{
[31]	793	sub_hbin = hbin;
[32]	794	if (!hbin_contains_offset(hbin, nk->sk_off))
	795	{
[31]	796	sub_hbin = lookup_hbin_block( file, nk->sk_off );
[99]	797	if ( !sub_hbin )
	798	{
	799	free(nk);
[31]	800	/*DEBUG(0,("hbin_prs_key: Failed to find HBIN block containing sk_offset [0x%x]\n",
	801	nk->subkeys_off));*/
[99]	802	return NULL;
[31]	803	}
	804	}
[99]	805
[102]	806	sk_max_length = sub_hbin->block_size - (nk->sk_off - sub_hbin->first_hbin_off);
	807	nk->sec_desc = regfi_parse_sk(file, nk->sk_off + REGF_BLOCKSIZE,
	808	sk_max_length, true);
	809	if(nk->sec_desc == NULL)
[99]	810	return NULL;
[31]	811	nk->sec_desc->sk_off = nk->sk_off;
[30]	812
[31]	813	/* add to the list of security descriptors (ref_count has been read from the files) */
[80]	814	/* XXX: this kind of caching needs to be re-evaluated */
[31]	815	DLIST_ADD( file->sec_desc_list, nk->sec_desc );
	816	}
[99]	817
	818	return nk;
[30]	819	}
	820
[32]	821
[102]	822	/******************************************************************************
	823
	824	******************************************************************************/
	825	static bool regfi_find_root_nk(REGF_FILE* file, uint32 offset, uint32 hbin_size,
	826	uint32* root_offset)
[30]	827	{
[102]	828	uint8 tmp[4];
	829	int32 record_size;
	830	uint32 length, hbin_offset = 0;
	831	REGF_NK_REC* nk = NULL;
[31]	832	bool found = false;
[30]	833
[102]	834	for(record_size=0; !found && (hbin_offset < hbin_size); )
[32]	835	{
[102]	836	if(lseek(file->fd, offset+hbin_offset, SEEK_SET) == -1)
[31]	837	return false;
[102]	838
	839	length = 4;
	840	if((regfi_read(file->fd, tmp, &length) != 0) \|\| length != 4)
[31]	841	return false;
[102]	842	record_size = IVALS(tmp, 0);
[30]	843
[102]	844	if(record_size < 0)
	845	{
	846	record_size = record_size*(-1);
	847	nk = regfi_parse_nk(file, offset+hbin_offset, hbin_size-hbin_offset, true);
	848	if(nk != NULL)
	849	{
	850	if(nk->key_type == NK_TYPE_ROOTKEY)
	851	{
	852	found = true;
	853	*root_offset = nk->offset;
	854	}
	855	free(nk);
	856	}
[31]	857	}
[30]	858
[102]	859	hbin_offset += record_size;
[31]	860	}
[32]	861
[102]	862	return found;
[30]	863	}
	864
	865
	866	/*******************************************************************
[97]	867	* Open the registry file and then read in the REGF block to get the
	868	* first hbin offset.
	869	*******************************************************************/
	870	REGF_FILE* regfi_open(const char* filename)
[30]	871	{
[97]	872	REGF_FILE* rb;
	873	int fd;
[31]	874	int flags = O_RDONLY;
[30]	875
[97]	876	/* open an existing file */
	877	if ((fd = open(filename, flags)) == -1)
	878	{
[78]	879	/* DEBUG(0,("regfi_open: failure to open %s (%s)\n", filename, strerror(errno)));*/
[31]	880	return NULL;
	881	}
[99]	882
[31]	883	/* read in an existing file */
[97]	884	if ((rb = regfi_parse_regf(fd, true)) == NULL)
	885	{
[78]	886	/* DEBUG(0,("regfi_open: Failed to read initial REGF block\n"));*/
[97]	887	close(fd);
[31]	888	return NULL;
	889	}
[99]	890
	891	rb->hbins = range_list_new();
	892	rb->unalloc_cells = range_list_new();
	893	if((rb->hbins == NULL) \|\| (rb->unalloc_cells == NULL))
	894	{
	895	close(fd);
	896	free(rb);
	897	return NULL;
	898	}
	899
[31]	900	/* success */
	901	return rb;
[30]	902	}
	903
	904
	905	/*******************************************************************
[31]	906	*******************************************************************/
[78]	907	int regfi_close( REGF_FILE *file )
[30]	908	{
[31]	909	int fd;
[30]	910
[31]	911	/* nothing to do if there is no open file */
[99]	912	if ((file == NULL) \|\| (file->fd == -1))
	913	return 0;
[30]	914
[31]	915	fd = file->fd;
	916	file->fd = -1;
[99]	917	range_list_free(file->hbins);
	918	range_list_free(file->unalloc_cells);
	919	free(file);
[30]	920
[31]	921	return close( fd );
[30]	922	}
	923
	924
[80]	925	/******************************************************************************
	926	* There should be only one root key in the registry file based
	927	* on my experience. --jerry
	928	*****************************************************************************/
[102]	929	REGF_NK_REC* regfi_rootkey(REGF_FILE *file)
[30]	930	{
[102]	931	REGF_NK_REC* nk = NULL;
	932	REGF_HBIN* hbin;
	933	uint32 offset = REGF_BLOCKSIZE;
	934	uint32 root_offset;
[99]	935
	936	if(!file)
[31]	937	return NULL;
[99]	938
[102]	939	/* Scan through the file one HBIN block at a time looking
[31]	940	for an NK record with a type == 0x002c.
	941	Normally this is the first nk record in the first hbin
	942	block (but I'm not assuming that for now) */
[102]	943
[99]	944	while((hbin = regfi_parse_hbin(file, offset, true, false)))
	945	{
[102]	946	if(regfi_find_root_nk(file, hbin->file_off+HBIN_HEADER_REC_SIZE,
	947	hbin->block_size-HBIN_HEADER_REC_SIZE, &root_offset))
[99]	948	{
[102]	949	if(!prs_set_offset(&hbin->ps, root_offset + 4
	950	- hbin->first_hbin_off - REGF_BLOCKSIZE))
	951	return NULL;
	952
	953	nk = hbin_prs_key(file, hbin);
	954	break;
[31]	955	}
[30]	956
[31]	957	offset += hbin->block_size;
	958	}
[30]	959
[80]	960	return nk;
[30]	961	}
	962
	963
[80]	964	/******************************************************************************
	965	*****************************************************************************/
	966	void regfi_key_free(REGF_NK_REC* nk)
[30]	967	{
[80]	968	uint32 i;
	969
	970	if((nk->values != NULL) && (nk->values_off!=REGF_OFFSET_NONE))
	971	{
	972	for(i=0; i < nk->num_values; i++)
[81]	973	{
[101]	974	if(nk->values[i]->valuename != NULL)
	975	free(nk->values[i]->valuename);
	976	if(nk->values[i]->data != NULL)
	977	free(nk->values[i]->data);
	978	free(nk->values[i]);
[81]	979	}
[80]	980	free(nk->values);
	981	}
[30]	982
[80]	983	if(nk->keyname != NULL)
	984	free(nk->keyname);
	985	if(nk->classname != NULL)
	986	free(nk->classname);
	987
	988	/* XXX: not freeing hbin because these are cached. This needs to be reviewed. */
	989	/* XXX: not freeing sec_desc because these are cached. This needs to be reviewed. */
	990	free(nk);
	991	}
	992
	993
	994	/******************************************************************************
	995	*****************************************************************************/
	996	REGFI_ITERATOR* regfi_iterator_new(REGF_FILE* fh)
	997	{
	998	REGF_NK_REC* root;
	999	REGFI_ITERATOR* ret_val = (REGFI_ITERATOR*)malloc(sizeof(REGFI_ITERATOR));
	1000	if(ret_val == NULL)
	1001	return NULL;
	1002
[81]	1003	root = regfi_rootkey(fh);
[80]	1004	if(root == NULL)
	1005	{
	1006	free(ret_val);
	1007	return NULL;
	1008	}
	1009
	1010	ret_val->key_positions = void_stack_new(REGF_MAX_DEPTH);
	1011	if(ret_val->key_positions == NULL)
	1012	{
	1013	free(ret_val);
	1014	free(root);
	1015	return NULL;
	1016	}
	1017
	1018	ret_val->f = fh;
	1019	ret_val->cur_key = root;
	1020	ret_val->cur_subkey = 0;
	1021	ret_val->cur_value = 0;
	1022
	1023	return ret_val;
	1024	}
	1025
	1026
	1027	/******************************************************************************
	1028	*****************************************************************************/
	1029	void regfi_iterator_free(REGFI_ITERATOR* i)
	1030	{
	1031	REGFI_ITER_POSITION* cur;
	1032
	1033	if(i->cur_key != NULL)
	1034	regfi_key_free(i->cur_key);
	1035
	1036	while((cur = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions)) != NULL)
	1037	{
	1038	regfi_key_free(cur->nk);
	1039	free(cur);
	1040	}
	1041
	1042	free(i);
	1043	}
	1044
	1045
	1046
	1047	/******************************************************************************
	1048	*****************************************************************************/
	1049	/* XXX: some way of indicating reason for failure should be added. */
	1050	bool regfi_iterator_down(REGFI_ITERATOR* i)
	1051	{
	1052	REGF_NK_REC* subkey;
	1053	REGFI_ITER_POSITION* pos;
	1054
	1055	pos = (REGFI_ITER_POSITION*)malloc(sizeof(REGFI_ITER_POSITION));
	1056	if(pos == NULL)
	1057	return false;
	1058
[84]	1059	subkey = (REGF_NK_REC*)regfi_iterator_cur_subkey(i);
[80]	1060	if(subkey == NULL)
	1061	{
	1062	free(pos);
	1063	return false;
	1064	}
	1065
	1066	pos->nk = i->cur_key;
	1067	pos->cur_subkey = i->cur_subkey;
	1068	if(!void_stack_push(i->key_positions, pos))
	1069	{
	1070	free(pos);
	1071	regfi_key_free(subkey);
	1072	return false;
	1073	}
	1074
	1075	i->cur_key = subkey;
	1076	i->cur_subkey = 0;
	1077	i->cur_value = 0;
	1078
	1079	return true;
	1080	}
	1081
	1082
	1083	/******************************************************************************
	1084	*****************************************************************************/
	1085	bool regfi_iterator_up(REGFI_ITERATOR* i)
	1086	{
	1087	REGFI_ITER_POSITION* pos;
	1088
	1089	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
	1090	if(pos == NULL)
	1091	return false;
	1092
	1093	regfi_key_free(i->cur_key);
	1094	i->cur_key = pos->nk;
	1095	i->cur_subkey = pos->cur_subkey;
	1096	i->cur_value = 0;
	1097	free(pos);
	1098
	1099	return true;
	1100	}
	1101
	1102
	1103	/******************************************************************************
	1104	*****************************************************************************/
	1105	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
	1106	{
	1107	while(regfi_iterator_up(i))
	1108	continue;
	1109
	1110	return true;
	1111	}
	1112
	1113
	1114	/******************************************************************************
	1115	*****************************************************************************/
	1116	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
	1117	{
	1118	REGF_NK_REC* subkey;
	1119	bool found = false;
	1120	uint32 old_subkey = i->cur_subkey;
	1121
	1122	if(subkey_name == NULL)
	1123	return false;
	1124
	1125	/* XXX: this alloc/free of each sub key might be a bit excessive */
[84]	1126	subkey = (REGF_NK_REC*)regfi_iterator_first_subkey(i);
[80]	1127	while((subkey != NULL) && (found == false))
	1128	{
	1129	if(subkey->keyname != NULL
	1130	&& strcasecmp(subkey->keyname, subkey_name) == 0)
	1131	found = true;
[82]	1132	else
	1133	{
	1134	regfi_key_free(subkey);
[84]	1135	subkey = (REGF_NK_REC*)regfi_iterator_next_subkey(i);
[82]	1136	}
[80]	1137	}
	1138
	1139	if(found == false)
	1140	{
	1141	i->cur_subkey = old_subkey;
	1142	return false;
	1143	}
	1144
[82]	1145	regfi_key_free(subkey);
[80]	1146	return true;
	1147	}
	1148
	1149
	1150	/******************************************************************************
	1151	*****************************************************************************/
	1152	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
	1153	{
	1154	uint32 x;
	1155	if(path == NULL)
	1156	return false;
	1157
	1158	for(x=0;
	1159	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
	1160	&& regfi_iterator_down(i));
	1161	x++)
	1162	{ continue; }
	1163
	1164	if(path[x] == NULL)
	1165	return true;
	1166
	1167	/* XXX: is this the right number of times? */
	1168	for(; x > 0; x--)
	1169	regfi_iterator_up(i);
	1170
	1171	return false;
	1172	}
	1173
	1174
	1175	/******************************************************************************
	1176	*****************************************************************************/
[84]	1177	const REGF_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]	1178	{
	1179	return i->cur_key;
	1180	}
	1181
	1182
	1183	/******************************************************************************
	1184	*****************************************************************************/
[84]	1185	const REGF_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]	1186	{
	1187	i->cur_subkey = 0;
	1188	return regfi_iterator_cur_subkey(i);
	1189	}
	1190
	1191
	1192	/******************************************************************************
	1193	*****************************************************************************/
[84]	1194	const REGF_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]	1195	{
	1196	REGF_NK_REC* subkey;
	1197	REGF_HBIN* hbin;
	1198	uint32 nk_offset;
	1199
[31]	1200	/* see if there is anything left to report */
[80]	1201	if (!(i->cur_key) \|\| (i->cur_key->subkeys_off==REGF_OFFSET_NONE)
	1202	\|\| (i->cur_subkey >= i->cur_key->num_subkeys))
[31]	1203	return NULL;
[30]	1204
[80]	1205	nk_offset = i->cur_key->subkeys.hashes[i->cur_subkey].nk_off;
	1206
[31]	1207	/* find the HBIN block which should contain the nk record */
[80]	1208	hbin = lookup_hbin_block(i->f, nk_offset);
	1209	if(!hbin)
[31]	1210	{
[80]	1211	/* XXX: should print out some kind of error message every time here */
[31]	1212	/*DEBUG(0,("hbin_prs_key: Failed to find HBIN block containing offset [0x%x]\n",
[80]	1213	i->cur_key->subkeys.hashes[i->cur_subkey].nk_off));*/
[31]	1214	return NULL;
	1215	}
[78]	1216
[32]	1217	if(!prs_set_offset(&hbin->ps,
[97]	1218	HBIN_MAGIC_SIZE + nk_offset - hbin->first_hbin_off))
[31]	1219	return NULL;
[30]	1220
[99]	1221	if((subkey = hbin_prs_key(i->f, hbin)) == NULL)
[31]	1222	return NULL;
[30]	1223
[31]	1224	return subkey;
[30]	1225	}
[80]	1226
	1227
	1228	/******************************************************************************
	1229	*****************************************************************************/
	1230	/* XXX: some way of indicating reason for failure should be added. */
[84]	1231	const REGF_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]	1232	{
[84]	1233	const REGF_NK_REC* subkey;
[80]	1234
	1235	i->cur_subkey++;
	1236	subkey = regfi_iterator_cur_subkey(i);
	1237
	1238	if(subkey == NULL)
	1239	i->cur_subkey--;
	1240
	1241	return subkey;
	1242	}
	1243
	1244
	1245	/******************************************************************************
	1246	*****************************************************************************/
	1247	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
	1248	{
[84]	1249	const REGF_VK_REC* cur;
[80]	1250	bool found = false;
	1251
	1252	/* XXX: cur->valuename can be NULL in the registry.
	1253	* Should we allow for a way to search for that?
	1254	*/
	1255	if(value_name == NULL)
	1256	return false;
	1257
	1258	cur = regfi_iterator_first_value(i);
	1259	while((cur != NULL) && (found == false))
	1260	{
	1261	if((cur->valuename != NULL)
	1262	&& (strcasecmp(cur->valuename, value_name) == 0))
	1263	found = true;
[95]	1264	else
	1265	cur = regfi_iterator_next_value(i);
[80]	1266	}
	1267
[94]	1268	return found;
[80]	1269	}
	1270
	1271
	1272	/******************************************************************************
	1273	*****************************************************************************/
[84]	1274	const REGF_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]	1275	{
	1276	i->cur_value = 0;
	1277	return regfi_iterator_cur_value(i);
	1278	}
	1279
	1280
	1281	/******************************************************************************
	1282	*****************************************************************************/
[84]	1283	const REGF_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]	1284	{
	1285	REGF_VK_REC* ret_val = NULL;
	1286	if(i->cur_value < i->cur_key->num_values)
[101]	1287	ret_val = i->cur_key->values[i->cur_value];
[80]	1288
	1289	return ret_val;
	1290	}
	1291
	1292
	1293	/******************************************************************************
	1294	*****************************************************************************/
[84]	1295	const REGF_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]	1296	{
[84]	1297	const REGF_VK_REC* ret_val;
[80]	1298
	1299	i->cur_value++;
	1300	ret_val = regfi_iterator_cur_value(i);
	1301	if(ret_val == NULL)
	1302	i->cur_value--;
	1303
	1304	return ret_val;
	1305	}
[97]	1306
	1307
	1308
	1309	/****************/
	1310	/* Experimental */
	1311	/****************/
	1312	/*
	1313	typedef struct {
	1314	uint32 offset;
	1315	uint32 size;
	1316	} REGFI_CELL_INFO;
	1317
	1318	typedef struct {
	1319	uint32 count
	1320	REGFI_CELL_INFO** cells;
	1321	} REGFI_CELL_LIST;
	1322	*/
	1323
	1324
	1325	/*******************************************************************
	1326	* Computes the checksum of the registry file header.
	1327	* buffer must be at least the size of an regf header (4096 bytes).
	1328	*******************************************************************/
	1329	static uint32 regfi_compute_header_checksum(uint8* buffer)
	1330	{
	1331	uint32 checksum, x;
	1332	int i;
	1333
	1334	/* XOR of all bytes 0x0000 - 0x01FB */
	1335
	1336	checksum = x = 0;
	1337
	1338	for ( i=0; i<0x01FB; i+=4 ) {
	1339	x = IVAL(buffer, i );
	1340	checksum ^= x;
	1341	}
	1342
	1343	return checksum;
	1344	}
	1345
	1346
	1347	/*******************************************************************
	1348	* TODO: add way to return more detailed error information.
	1349	*******************************************************************/
	1350	REGF_FILE* regfi_parse_regf(int fd, bool strict)
	1351	{
	1352	uint8 file_header[REGF_BLOCKSIZE];
[102]	1353	uint32 length;
[97]	1354	uint32 file_length;
	1355	struct stat sbuf;
	1356	REGF_FILE* ret_val;
	1357
	1358	/* Determine file length. Must be at least big enough
	1359	* for the header and one hbin.
	1360	*/
	1361	if (fstat(fd, &sbuf) == -1)
	1362	return NULL;
	1363	file_length = sbuf.st_size;
	1364	if(file_length < REGF_BLOCKSIZE+REGF_ALLOC_BLOCK)
	1365	return NULL;
	1366
	1367	ret_val = (REGF_FILE*)zalloc(sizeof(REGF_FILE));
	1368	if(ret_val == NULL)
	1369	return NULL;
	1370
	1371	ret_val->fd = fd;
	1372	ret_val->file_length = file_length;
	1373
	1374	length = REGF_BLOCKSIZE;
[102]	1375	if((regfi_read(fd, file_header, &length)) != 0
[97]	1376	\|\| length != REGF_BLOCKSIZE)
	1377	{
	1378	free(ret_val);
	1379	return NULL;
	1380	}
	1381
	1382	ret_val->checksum = IVAL(file_header, 0x1FC);
	1383	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
	1384	if (strict && (ret_val->checksum != ret_val->computed_checksum))
	1385	{
	1386	free(ret_val);
	1387	return NULL;
	1388	}
	1389
	1390	memcpy(ret_val->magic, file_header, 4);
	1391	if(strict && (memcmp(ret_val->magic, "regf", 4) != 0))
	1392	{
	1393	free(ret_val);
	1394	return NULL;
	1395	}
	1396
	1397	ret_val->unknown1 = IVAL(file_header, 0x4);
	1398	ret_val->unknown2 = IVAL(file_header, 0x8);
	1399
	1400	ret_val->mtime.low = IVAL(file_header, 0xC);
	1401	ret_val->mtime.high = IVAL(file_header, 0x10);
	1402
	1403	ret_val->unknown3 = IVAL(file_header, 0x14);
	1404	ret_val->unknown4 = IVAL(file_header, 0x18);
	1405	ret_val->unknown5 = IVAL(file_header, 0x1C);
	1406	ret_val->unknown6 = IVAL(file_header, 0x20);
	1407
	1408	ret_val->data_offset = IVAL(file_header, 0x24);
	1409	ret_val->last_block = IVAL(file_header, 0x28);
	1410
	1411	ret_val->unknown7 = IVAL(file_header, 0x2C);
	1412
	1413	return ret_val;
	1414	}
	1415
	1416
	1417
	1418	/*******************************************************************
	1419	* Given real file offset, read and parse the hbin at that location
	1420	* along with it's associated cells. If save_unalloc is true, a list
	1421	* of unallocated cell offsets will be stored in TODO.
	1422	*******************************************************************/
	1423	/* TODO: Need a way to return types of errors. Also need to free
	1424	* the hbin/ps when an error occurs.
	1425	*/
	1426	REGF_HBIN* regfi_parse_hbin(REGF_FILE* file, uint32 offset,
	1427	bool strict, bool save_unalloc)
	1428	{
	1429	REGF_HBIN *hbin;
	1430	uint8 hbin_header[HBIN_HEADER_REC_SIZE];
	1431	uint32 length, curr_off;
	1432	int32 cell_len;
	1433	bool is_unalloc;
[99]	1434
	1435	if(offset >= file->file_length)
	1436	return NULL;
[97]	1437
	1438	if(lseek(file->fd, offset, SEEK_SET) == -1)
	1439	return NULL;
	1440
	1441	length = HBIN_HEADER_REC_SIZE;
	1442	if((regfi_read(file->fd, hbin_header, &length) != 0)
	1443	\|\| length != HBIN_HEADER_REC_SIZE)
	1444	return NULL;
	1445
[99]	1446
[97]	1447	if(lseek(file->fd, offset, SEEK_SET) == -1)
	1448	return NULL;
	1449
[99]	1450	if(!(hbin = (REGF_HBIN*)zalloc(sizeof(REGF_HBIN))))
	1451	return NULL;
	1452	hbin->file_off = offset;
	1453
[97]	1454	memcpy(hbin->magic, hbin_header, 4);
	1455	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
[99]	1456	{
	1457	free(hbin);
[97]	1458	return NULL;
[99]	1459	}
[97]	1460
	1461	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
	1462	hbin->block_size = IVAL(hbin_header, 0x8);
	1463	/* this should be the same thing as hbin->block_size but just in case */
	1464	hbin->next_block = IVAL(hbin_header, 0x1C);
	1465
	1466
	1467	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
	1468	* the end of the file.
	1469	*/
	1470	/* TODO: This may need to be relaxed for dealing with
	1471	* partial or corrupt files. */
	1472	if((offset + hbin->block_size > file->file_length)
	1473	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
[99]	1474	{
	1475	free(hbin);
[97]	1476	return NULL;
[99]	1477	}
[97]	1478
	1479	/* TODO: need to get rid of this, but currently lots depends on the
	1480	* ps structure.
	1481	*/
	1482	if(!prs_init(&hbin->ps, hbin->block_size, file->mem_ctx, UNMARSHALL))
[99]	1483	{
	1484	free(hbin);
[97]	1485	return NULL;
[99]	1486	}
[97]	1487	length = hbin->block_size;
	1488	if((regfi_read(file->fd, (uint8*)hbin->ps.data_p, &length) != 0)
	1489	\|\| length != hbin->block_size)
[99]	1490	{
	1491	free(hbin);
[97]	1492	return NULL;
[99]	1493	}
[97]	1494
	1495
	1496	if(save_unalloc)
	1497	{
	1498	cell_len = 0;
	1499	curr_off = HBIN_HEADER_REC_SIZE;
	1500	while ( curr_off < hbin->block_size )
	1501	{
[99]	1502	is_unalloc = false;
[97]	1503	cell_len = IVALS(hbin->ps.data_p, curr_off);
	1504	if(cell_len > 0)
	1505	is_unalloc = true;
	1506	else
	1507	cell_len = -1*cell_len;
	1508
	1509	if((cell_len == 0) \|\| ((cell_len & 0xFFFFFFFC) != cell_len))
	1510	/* TODO: should report an error here. */
	1511	break;
	1512
	1513	/* for some reason the record_size of the last record in
	1514	an hbin block can extend past the end of the block
	1515	even though the record fits within the remaining
	1516	space....aaarrrgggghhhhhh */
	1517	if(curr_off + cell_len >= hbin->block_size)
	1518	cell_len = hbin->block_size - curr_off;
	1519
	1520	if(is_unalloc)
[99]	1521	range_list_add(file->unalloc_cells, hbin->file_off+curr_off,
	1522	cell_len, NULL);
[97]	1523
	1524	curr_off = curr_off+cell_len;
	1525	}
	1526	}
	1527
	1528	/* TODO: need to get rid of this, but currently lots depends on the
	1529	* ps structure.
	1530	*/
	1531	if(!prs_set_offset(&hbin->ps, file->data_offset+HBIN_MAGIC_SIZE))
	1532	return NULL;
	1533
	1534	return hbin;
	1535	}
	1536
	1537
[101]	1538
[99]	1539	REGF_NK_REC* regfi_parse_nk(REGF_FILE* file, uint32 offset,
	1540	uint32 max_size, bool strict)
	1541	{
	1542	uint8 nk_header[REGFI_NK_MIN_LENGTH];
	1543	REGF_NK_REC* ret_val;
	1544	uint32 length;
[101]	1545	uint32 cell_length;
	1546	bool unalloc = false;
[99]	1547
[101]	1548	if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH,
	1549	&cell_length, &unalloc))
	1550	return NULL;
[99]	1551
	1552	/* A bit of validation before bothering to allocate memory */
[101]	1553	if((nk_header[0x0] != 'n') \|\| (nk_header[0x1] != 'k'))
	1554	{
	1555	/* TODO: deal with subkey-lists that reference other subkey-lists. */
[103]	1556	printf("DEBUG: magic check failed! \"%c%c\"\n", nk_header[0x0], nk_header[0x1]);
[99]	1557	return NULL;
[101]	1558	}
[99]	1559
	1560	ret_val = (REGF_NK_REC*)zalloc(sizeof(REGF_NK_REC));
	1561	if(ret_val == NULL)
	1562	return NULL;
	1563
	1564	ret_val->offset = offset;
[101]	1565	ret_val->cell_size = cell_length;
	1566
[99]	1567	if(ret_val->cell_size > max_size)
	1568	ret_val->cell_size = max_size & 0xFFFFFFF8;
	1569	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
	1570	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
	1571	{
	1572	free(ret_val);
	1573	return NULL;
	1574	}
	1575
[101]	1576	ret_val->magic[0] = nk_header[0x0];
	1577	ret_val->magic[1] = nk_header[0x1];
	1578	ret_val->key_type = SVAL(nk_header, 0x2);
	1579	if((ret_val->key_type != NK_TYPE_NORMALKEY)
	1580	&& (ret_val->key_type != NK_TYPE_ROOTKEY)
	1581	&& (ret_val->key_type != NK_TYPE_LINKKEY)
	1582	&& (ret_val->key_type != NK_TYPE_UNKNOWN1))
[99]	1583	{
	1584	free(ret_val);
	1585	return NULL;
	1586	}
[101]	1587
	1588	ret_val->mtime.low = IVAL(nk_header, 0x4);
	1589	ret_val->mtime.high = IVAL(nk_header, 0x8);
[99]	1590
[101]	1591	ret_val->unknown1 = IVAL(nk_header, 0xC);
	1592	ret_val->parent_off = IVAL(nk_header, 0x10);
	1593	ret_val->num_subkeys = IVAL(nk_header, 0x14);
	1594	ret_val->unknown2 = IVAL(nk_header, 0x18);
	1595	ret_val->subkeys_off = IVAL(nk_header, 0x1C);
	1596	ret_val->unknown3 = IVAL(nk_header, 0x20);
	1597	ret_val->num_values = IVAL(nk_header, 0x24);
	1598	ret_val->values_off = IVAL(nk_header, 0x28);
	1599	ret_val->sk_off = IVAL(nk_header, 0x2C);
[99]	1600	/* TODO: currently we do nothing with class names. Need to investigate. */
[101]	1601	ret_val->classname_off = IVAL(nk_header, 0x30);
[99]	1602
[101]	1603	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
	1604	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
	1605	ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
	1606	ret_val->max_bytes_value = IVAL(nk_header, 0x40);
	1607	ret_val->unk_index = IVAL(nk_header, 0x44);
[99]	1608
[101]	1609	ret_val->name_length = SVAL(nk_header, 0x48);
	1610	ret_val->classname_length = SVAL(nk_header, 0x4A);
[99]	1611
	1612	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
[101]	1613	{
	1614	if(strict)
	1615	{
	1616	free(ret_val);
	1617	return NULL;
	1618	}
	1619	else
	1620	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
	1621	}
	1622	else if (unalloc)
	1623	{ /* Truncate cell_size if it's much larger than the apparent total record length. */
	1624	/* Round up to the next multiple of 8 */
	1625	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
	1626	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
	1627	length+=8;
[99]	1628
[101]	1629	/* If cell_size is still greater, truncate. */
	1630	if(length < ret_val->cell_size)
	1631	ret_val->cell_size = length;
	1632	}
	1633
[99]	1634	ret_val->keyname = (char)zalloc(sizeof(char)(ret_val->name_length+1));
	1635	if(ret_val->keyname == NULL)
	1636	{
	1637	free(ret_val);
	1638	return NULL;
	1639	}
	1640
	1641	/* Don't need to seek, should be at the right offset */
	1642	length = ret_val->name_length;
[101]	1643	if((regfi_read(file->fd, (uint8*)ret_val->keyname, &length) != 0)
[99]	1644	\|\| length != ret_val->name_length)
	1645	{
	1646	free(ret_val->keyname);
	1647	free(ret_val);
	1648	return NULL;
	1649	}
	1650	ret_val->keyname[ret_val->name_length] = '\0';
	1651
	1652	return ret_val;
	1653	}
	1654
	1655
	1656
[101]	1657	/*******************************************************************
	1658	*******************************************************************/
	1659	REGF_VK_REC* regfi_parse_vk(REGF_FILE* file, uint32 offset,
	1660	uint32 max_size, bool strict)
[97]	1661	{
[101]	1662	REGF_VK_REC* ret_val;
	1663	uint8 vk_header[REGFI_VK_MIN_LENGTH];
	1664	uint32 raw_data_size, length, cell_length;
	1665	bool unalloc = false;
[97]	1666
[101]	1667	if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH,
	1668	&cell_length, &unalloc))
	1669	return NULL;
	1670
	1671	ret_val = (REGF_VK_REC*)zalloc(sizeof(REGF_VK_REC));
	1672	if(ret_val == NULL)
	1673	return NULL;
	1674
	1675	ret_val->offset = offset;
	1676	ret_val->cell_size = cell_length;
	1677
	1678	if(ret_val->cell_size > max_size)
	1679	ret_val->cell_size = max_size & 0xFFFFFFF8;
	1680	if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
	1681	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
[97]	1682	{
[101]	1683	free(ret_val);
	1684	return NULL;
	1685	}
[97]	1686
[101]	1687	ret_val->magic[0] = vk_header[0x0];
	1688	ret_val->magic[1] = vk_header[0x1];
	1689	if((ret_val->magic[0] != 'v') \|\| (ret_val->magic[1] != 'k'))
	1690	{
	1691	free(ret_val);
	1692	return NULL;
	1693	}
	1694
	1695	ret_val->name_length = SVAL(vk_header, 0x2);
	1696	raw_data_size = IVAL(vk_header, 0x4);
	1697	ret_val->data_size = raw_data_size & ~VK_DATA_IN_OFFSET;
	1698	ret_val->data_off = IVAL(vk_header, 0x8);
	1699	ret_val->type = IVAL(vk_header, 0xC);
	1700	ret_val->flag = SVAL(vk_header, 0x10);
	1701	ret_val->unknown1 = SVAL(vk_header, 0x12);
	1702
	1703	if(ret_val->flag & VK_FLAG_NAME_PRESENT)
	1704	{
	1705	if(ret_val->name_length + REGFI_VK_MIN_LENGTH > ret_val->cell_size)
	1706	{
	1707	if(strict)
	1708	{
	1709	free(ret_val);
	1710	return NULL;
	1711	}
	1712	else
	1713	ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH;
	1714	}
	1715
	1716	/* Round up to the next multiple of 8 */
	1717	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
	1718	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
	1719	length+=8;
	1720
	1721	ret_val->valuename = (char)zalloc(sizeof(char)(ret_val->name_length+1));
	1722	if(ret_val->valuename == NULL)
	1723	{
	1724	free(ret_val);
	1725	return NULL;
	1726	}
	1727
	1728	/* Don't need to seek, should be at the right offset */
	1729	length = ret_val->name_length;
	1730	if((regfi_read(file->fd, (uint8*)ret_val->valuename, &length) != 0)
	1731	\|\| length != ret_val->name_length)
	1732	{
	1733	free(ret_val->valuename);
	1734	free(ret_val);
	1735	return NULL;
	1736	}
	1737	ret_val->valuename[ret_val->name_length] = '\0';
	1738	}
	1739	else
	1740	length = REGFI_VK_MIN_LENGTH;
	1741
	1742	if(unalloc)
	1743	{
	1744	/* If cell_size is still greater, truncate. */
	1745	if(length < ret_val->cell_size)
	1746	ret_val->cell_size = length;
	1747	}
	1748
	1749	if(ret_val->data_size == 0)
	1750	ret_val->data = NULL;
	1751	else
	1752	{
	1753	ret_val->data = regfi_parse_data(file, ret_val->data_off+REGF_BLOCKSIZE,
	1754	raw_data_size, strict);
	1755	if(strict && (ret_val->data == NULL))
	1756	{
	1757	free(ret_val->valuename);
	1758	free(ret_val);
	1759	return NULL;
	1760	}
	1761	}
	1762
	1763	return ret_val;
[97]	1764	}
[101]	1765
	1766
	1767	uint8* regfi_parse_data(REGF_FILE* file, uint32 offset, uint32 length, bool strict)
	1768	{
	1769	uint8* ret_val;
	1770	uint32 read_length, cell_length;
[102]	1771	uint8 i;
[101]	1772	bool unalloc;
	1773
	1774	/* The data is stored in the offset if the size <= 4 */
[102]	1775	if (length & VK_DATA_IN_OFFSET)
[101]	1776	{
	1777	length = length & ~VK_DATA_IN_OFFSET;
	1778	if(length > 4)
	1779	return NULL;
	1780
	1781	if((ret_val = (uint8)zalloc(sizeof(uint8)length)) == NULL)
	1782	return NULL;
[102]	1783
	1784	offset = offset - REGF_BLOCKSIZE;
	1785	for(i = 0; i < length; i++)
	1786	ret_val[i] = (uint8)((offset >> i*8) & 0xFF);
[101]	1787	}
	1788	else
	1789	{
	1790	if(!regfi_parse_cell(file->fd, offset, NULL, 0,
	1791	&cell_length, &unalloc))
	1792	return NULL;
	1793
	1794	if(cell_length < 8 \|\| ((cell_length & 0xFFFFFFF8) != cell_length))
	1795	return NULL;
	1796
	1797	if(cell_length - 4 < length)
	1798	{
	1799	if(strict)
	1800	return NULL;
	1801	else
	1802	length = cell_length - 4;
	1803	}
	1804
	1805	/* TODO: There is currently no check to ensure the data
	1806	* cell doesn't cross HBIN boundary.
	1807	*/
	1808
	1809	if((ret_val = (uint8)zalloc(sizeof(uint8)length)) == NULL)
	1810	return NULL;
	1811
	1812	read_length = length;
	1813	if((regfi_read(file->fd, ret_val, &read_length) != 0)
	1814	\|\| read_length != length)
	1815	{
	1816	free(ret_val);
	1817	return NULL;
	1818	}
	1819	}
	1820
	1821	return ret_val;
	1822	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: