Context Navigation

source: trunk/lib/regfi.c @ 107

Last change on this file since 107 was 107, checked in by tim, 16 years ago

removed redundant hbin parsing

added flags parameter to regfi_open

Property svn:keywords set to Id

File size: 45.1 KB

Rev	Line
[30]	1	/*
	2	* Branched from Samba project Subversion repository, version #7470:
[84]	3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
[30]	4	*
	5	* Unix SMB/CIFS implementation.
	6	* Windows NT registry I/O library
	7	*
[97]	8	* Copyright (C) 2005-2008 Timothy D. Morgan
[30]	9	* Copyright (C) 2005 Gerald (Jerry) Carter
	10	*
	11	* This program is free software; you can redistribute it and/or modify
	12	* it under the terms of the GNU General Public License as published by
	13	* the Free Software Foundation; version 2 of the License.
	14	*
	15	* This program is distributed in the hope that it will be useful,
	16	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	* GNU General Public License for more details.
	19	*
	20	* You should have received a copy of the GNU General Public License
	21	* along with this program; if not, write to the Free Software
	22	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	23	*
	24	* $Id: regfi.c 107 2008-04-18 04:51:21Z tim $
	25	*/
	26
[81]	27	#include "../include/regfi.h"
[30]	28
	29
[32]	30	/* Registry types mapping */
[78]	31	const unsigned int regfi_num_reg_types = 12;
	32	static const char* regfi_type_names[] =
[65]	33	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]	34	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]	35
[32]	36
	37	/* Returns NULL on error */
[78]	38	const char* regfi_type_val2str(unsigned int val)
[32]	39	{
[61]	40	if(val == REG_KEY)
	41	return "KEY";
	42
[78]	43	if(val >= regfi_num_reg_types)
[61]	44	return NULL;
	45
[78]	46	return regfi_type_names[val];
[32]	47	}
	48
	49
[61]	50	/* Returns -1 on error */
[78]	51	int regfi_type_str2val(const char* str)
[32]	52	{
	53	int i;
	54
[61]	55	if(strcmp("KEY", str) == 0)
	56	return REG_KEY;
[32]	57
[78]	58	for(i=0; i < regfi_num_reg_types; i++)
	59	if (strcmp(regfi_type_names[i], str) == 0)
[61]	60	return i;
	61
	62	if(strcmp("DWORD_LE", str) == 0)
	63	return REG_DWORD_LE;
	64
	65	return -1;
[32]	66	}
	67
	68
[53]	69	/* Security descriptor parsing functions */
	70
[78]	71	const char* regfi_ace_type2str(uint8 type)
[53]	72	{
	73	static const char* map[7]
	74	= {"ALLOW", "DENY", "AUDIT", "ALARM",
	75	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
	76	if(type < 7)
	77	return map[type];
	78	else
	79	/* XXX: would be nice to return the unknown integer value.
	80	* However, as it is a const string, it can't be free()ed later on,
	81	* so that would need to change.
	82	*/
	83	return "UNKNOWN";
	84	}
	85
	86
[76]	87	/* XXX: need a better reference on the meaning of each flag. */
	88	/* For more info, see:
	89	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
	90	*/
[78]	91	char* regfi_ace_flags2str(uint8 flags)
[53]	92	{
[76]	93	static const char* flag_map[32] =
[87]	94	{ "OI", /* Object Inherit */
	95	"CI", /* Container Inherit */
	96	"NP", /* Non-Propagate */
	97	"IO", /* Inherit Only */
	98	"IA", /* Inherited ACE */
[76]	99	NULL,
	100	NULL,
	101	NULL,
	102	};
[53]	103
[76]	104	char* ret_val = malloc(35*sizeof(char));
	105	char* fo = ret_val;
	106	uint32 i;
	107	uint8 f;
	108
	109	if(ret_val == NULL)
[53]	110	return NULL;
	111
[76]	112	fo[0] = '\0';
[53]	113	if (!flags)
[76]	114	return ret_val;
[53]	115
[76]	116	for(i=0; i < 8; i++)
	117	{
	118	f = (1<<i);
	119	if((flags & f) && (flag_map[i] != NULL))
	120	{
	121	strcpy(fo, flag_map[i]);
	122	fo += strlen(flag_map[i]);
	123	*(fo++) = ' ';
	124	flags ^= f;
	125	}
[53]	126	}
[76]	127
	128	/* Any remaining unknown flags are added at the end in hex. */
	129	if(flags != 0)
	130	sprintf(fo, "0x%.2X ", flags);
	131
	132	/* Chop off the last space if we've written anything to ret_val */
	133	if(fo != ret_val)
	134	fo[-1] = '\0';
	135
	136	/* XXX: what was this old VI flag for??
	137	XXX: Is this check right? 0xF == 1\|2\|4\|8, which makes it redundant...
[53]	138	if (flags == 0xF) {
	139	if (some) strcat(flg_output, " ");
	140	some = 1;
	141	strcat(flg_output, "VI");
	142	}
[76]	143	*/
[53]	144
[76]	145	return ret_val;
[53]	146	}
	147
	148
[78]	149	char* regfi_ace_perms2str(uint32 perms)
[53]	150	{
[76]	151	uint32 i, p;
	152	/* This is more than is needed by a fair margin. */
	153	char* ret_val = malloc(350*sizeof(char));
	154	char* r = ret_val;
	155
	156	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
	157	* For more information, see:
	158	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
	159	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
	160	*/
	161	static const char* perm_map[32] =
	162	{/* object-specific permissions (registry keys, in this case) */
	163	"QRY_VAL", /* KEY_QUERY_VALUE */
	164	"SET_VAL", /* KEY_SET_VALUE */
	165	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
	166	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
	167	"NOTIFY", /* KEY_NOTIFY */
	168	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
	169	NULL,
	170	NULL,
	171	"WOW64_64", /* KEY_WOW64_64KEY */
	172	"WOW64_32", /* KEY_WOW64_32KEY */
	173	NULL,
	174	NULL,
	175	NULL,
	176	NULL,
	177	NULL,
	178	NULL,
	179	/* standard access rights */
	180	"DELETE", /* DELETE */
	181	"R_CONT", /* READ_CONTROL */
	182	"W_DAC", /* WRITE_DAC */
	183	"W_OWNER", /* WRITE_OWNER */
	184	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
	185	NULL,
	186	NULL,
	187	NULL,
	188	/* other generic */
	189	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
	190	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
	191	NULL,
	192	NULL,
	193	"GEN_A", /* GENERIC_ALL */
	194	"GEN_X", /* GENERIC_EXECUTE */
	195	"GEN_W", /* GENERIC_WRITE */
	196	"GEN_R", /* GENERIC_READ */
	197	};
	198
	199
[53]	200	if(ret_val == NULL)
	201	return NULL;
	202
[76]	203	r[0] = '\0';
	204	for(i=0; i < 32; i++)
	205	{
	206	p = (1<<i);
	207	if((perms & p) && (perm_map[i] != NULL))
	208	{
	209	strcpy(r, perm_map[i]);
	210	r += strlen(perm_map[i]);
	211	*(r++) = ' ';
	212	perms ^= p;
	213	}
	214	}
	215
	216	/* Any remaining unknown permission bits are added at the end in hex. */
	217	if(perms != 0)
	218	sprintf(r, "0x%.8X ", perms);
[53]	219
[76]	220	/* Chop off the last space if we've written anything to ret_val */
	221	if(r != ret_val)
	222	r[-1] = '\0';
	223
[53]	224	return ret_val;
	225	}
	226
	227
[78]	228	char* regfi_sid2str(DOM_SID* sid)
[53]	229	{
	230	uint32 i, size = MAXSUBAUTHS*11 + 24;
	231	uint32 left = size;
	232	uint8 comps = sid->num_auths;
	233	char* ret_val = malloc(size);
	234
	235	if(ret_val == NULL)
	236	return NULL;
	237
	238	if(comps > MAXSUBAUTHS)
	239	comps = MAXSUBAUTHS;
	240
	241	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
	242
	243	for (i = 0; i < comps; i++)
	244	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
	245
	246	return ret_val;
	247	}
	248
	249
[78]	250	char* regfi_get_acl(SEC_ACL* acl)
[53]	251	{
	252	uint32 i, extra, size = 0;
	253	const char* type_str;
	254	char* flags_str;
	255	char* perms_str;
	256	char* sid_str;
[61]	257	char* ace_delim = "";
[53]	258	char* ret_val = NULL;
[61]	259	char* tmp_val = NULL;
	260	bool failed = false;
[53]	261	char field_delim = ':';
	262
[61]	263	for (i = 0; i < acl->num_aces && !failed; i++)
[53]	264	{
[78]	265	sid_str = regfi_sid2str(&acl->ace[i].trustee);
	266	type_str = regfi_ace_type2str(acl->ace[i].type);
	267	perms_str = regfi_ace_perms2str(acl->ace[i].info.mask);
	268	flags_str = regfi_ace_flags2str(acl->ace[i].flags);
[53]	269
[61]	270	if(flags_str != NULL && perms_str != NULL
	271	&& type_str != NULL && sid_str != NULL)
	272	{
	273	/* XXX: this is slow */
	274	extra = strlen(sid_str) + strlen(type_str)
	275	+ strlen(perms_str) + strlen(flags_str)+5;
	276	tmp_val = realloc(ret_val, size+extra);
[53]	277
[61]	278	if(tmp_val == NULL)
	279	{
	280	free(ret_val);
	281	failed = true;
	282	}
	283	else
	284	{
	285	ret_val = tmp_val;
	286	size += snprintf(ret_val+size, extra, "%s%s%c%s%c%s%c%s",
	287	ace_delim,sid_str,
	288	field_delim,type_str,
	289	field_delim,perms_str,
	290	field_delim,flags_str);
	291	ace_delim = "\|";
	292	}
	293	}
	294	else
	295	failed = true;
	296
	297	if(sid_str != NULL)
	298	free(sid_str);
	299	if(sid_str != NULL)
	300	free(perms_str);
	301	if(sid_str != NULL)
	302	free(flags_str);
[53]	303	}
	304
	305	return ret_val;
	306	}
	307
	308
[78]	309	char* regfi_get_sacl(SEC_DESC *sec_desc)
[53]	310	{
	311	if (sec_desc->sacl)
[78]	312	return regfi_get_acl(sec_desc->sacl);
[53]	313	else
	314	return NULL;
	315	}
	316
	317
[78]	318	char* regfi_get_dacl(SEC_DESC *sec_desc)
[53]	319	{
	320	if (sec_desc->dacl)
[78]	321	return regfi_get_acl(sec_desc->dacl);
[53]	322	else
	323	return NULL;
	324	}
	325
	326
[78]	327	char* regfi_get_owner(SEC_DESC *sec_desc)
[53]	328	{
[78]	329	return regfi_sid2str(sec_desc->owner_sid);
[53]	330	}
	331
	332
[78]	333	char* regfi_get_group(SEC_DESC *sec_desc)
[53]	334	{
[78]	335	return regfi_sid2str(sec_desc->grp_sid);
[53]	336	}
	337
	338
[101]	339	/*****************************************************************************
	340	* This function is just like read(2), except that it continues to
	341	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
	342	* regfi_read will attempt to read length bytes from fd and write them to buf.
	343	*
	344	* On success, 0 is returned. Upon failure, an errno code is returned.
	345	*
	346	* The number of bytes successfully read is returned through the length
	347	* parameter by reference. If both the return value and length parameter are
	348	* returned as 0, then EOF was encountered immediately
	349	*****************************************************************************/
	350	uint32 regfi_read(int fd, uint8* buf, uint32* length)
	351	{
	352	uint32 rsize = 0;
	353	uint32 rret = 0;
	354
	355	do
	356	{
	357	rret = read(fd, buf + rsize, *length - rsize);
	358	if(rret > 0)
	359	rsize += rret;
	360	}while(*length - rsize > 0
	361	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
	362
	363	*length = rsize;
	364	if (rret == -1 && errno != EINTR && errno != EAGAIN)
	365	return errno;
	366
	367	return 0;
	368	}
	369
	370
	371	/*****************************************************************************
	372	*
	373	*****************************************************************************/
	374	static bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len,
	375	uint32* cell_length, bool* unalloc)
	376	{
	377	uint32 length;
	378	int32 raw_length;
	379	uint8 tmp[4];
	380
	381	if(lseek(fd, offset, SEEK_SET) == -1)
	382	return false;
	383
	384	length = 4;
	385	if((regfi_read(fd, tmp, &length) != 0) \|\| length != 4)
	386	return false;
	387	raw_length = IVALS(tmp, 0);
	388
	389	if(raw_length < 0)
	390	{
	391	(cell_length) = raw_length(-1);
	392	(*unalloc) = false;
	393	}
	394	else
	395	{
	396	(*cell_length) = raw_length;
	397	(*unalloc) = true;
	398	}
	399
[103]	400	if(*cell_length - 4 < hdr_len)
	401	return false;
	402
	403	if(hdr_len > 0)
	404	{
	405	length = hdr_len;
	406	if((regfi_read(fd, hdr, &length) != 0) \|\| length != hdr_len)
	407	return false;
	408	}
	409
[101]	410	return true;
	411	}
	412
	413
[30]	414	/*******************************************************************
[106]	415	* Given an offset and an hbin, is the offset within that hbin?
	416	* The offset is a virtual file offset.
	417	*******************************************************************/
	418	static bool regfi_offset_in_hbin(REGF_HBIN* hbin, uint32 offset)
[30]	419	{
[106]	420	if(!hbin)
[31]	421	return false;
[106]	422
	423	if((offset > hbin->first_hbin_off)
	424	&& (offset < (hbin->first_hbin_off + hbin->block_size)))
[31]	425	return true;
[30]	426
[31]	427	return false;
[30]	428	}
	429
	430
[106]	431
[30]	432	/*******************************************************************
[106]	433	* Given a virtual offset, and receive the correpsonding HBIN
	434	* block for it. NULL if one doesn't exist.
	435	*******************************************************************/
	436	static REGF_HBIN* regfi_lookup_hbin(REGF_FILE* file, uint32 offset)
[30]	437	{
[106]	438	return (REGF_HBIN*)range_list_find_data(file->hbins, offset+REGF_BLOCKSIZE);
[30]	439	}
	440
	441
	442
	443	/*******************************************************************
[105]	444	TODO: not currently validating against max_size
[31]	445	*******************************************************************/
[104]	446	REGF_HASH_LIST* regfi_load_hashlist(REGF_FILE* file, uint32 offset,
[105]	447	uint32 num_keys, uint32 max_size,
	448	bool strict)
[30]	449	{
[104]	450	REGF_HASH_LIST* ret_val;
	451	uint32 i, cell_length, length;
	452	uint8* hashes;
	453	uint8 buf[REGFI_HASH_LIST_MIN_LENGTH];
	454	bool unalloc;
[30]	455
[104]	456	if(!regfi_parse_cell(file->fd, offset, buf, REGFI_HASH_LIST_MIN_LENGTH,
	457	&cell_length, &unalloc))
	458	return NULL;
[30]	459
[104]	460	ret_val = (REGF_HASH_LIST*)zalloc(sizeof(REGF_HASH_LIST));
	461	if(ret_val == NULL)
	462	return NULL;
[30]	463
[104]	464	ret_val->offset = offset;
	465	ret_val->cell_size = cell_length;
[30]	466
[104]	467	if((buf[0] != 'l' \|\| buf[1] != 'f') && (buf[0] != 'l' \|\| buf[1] != 'h')
	468	&& (buf[0] != 'r' \|\| buf[1] != 'i'))
	469	{
	470	/printf("DEBUG: lf->header=%c%c\n", buf[0], buf[1]);/
	471	free(ret_val);
	472	return NULL;
	473	}
[30]	474
[104]	475	if(buf[0] == 'r' && buf[1] == 'i')
	476	{
	477	fprintf(stderr, "WARNING: ignoring encountered \"ri\" record.\n");
	478	free(ret_val);
	479	return NULL;
	480	}
[30]	481
[104]	482	ret_val->magic[0] = buf[0];
	483	ret_val->magic[1] = buf[1];
[101]	484
[104]	485	ret_val->num_keys = SVAL(buf, 0x2);
	486	if(num_keys != ret_val->num_keys)
	487	{
	488	if(strict)
	489	{
	490	free(ret_val);
	491	return NULL;
	492	}
	493	/* TODO: Not sure which should be authoritative, the number from the
	494	* NK record, or the number in the hash list. Go with the larger
	495	* of the two to ensure all keys are found. Note the length checks
	496	* on the cell later ensure that there won't be any critical errors.
	497	*/
	498	if(num_keys < ret_val->num_keys)
	499	num_keys = ret_val->num_keys;
	500	else
	501	ret_val->num_keys = num_keys;
	502	}
[101]	503
[104]	504	if(cell_length - REGFI_HASH_LIST_MIN_LENGTH - sizeof(uint32)
	505	< ret_val->num_keys*sizeof(REGF_HASH_LIST_ELEM))
	506	return NULL;
[30]	507
[104]	508	length = sizeof(REGF_HASH_LIST_ELEM)*ret_val->num_keys;
	509	ret_val->hashes = (REGF_HASH_LIST_ELEM*)zalloc(length);
	510	if(ret_val->hashes == NULL)
	511	{
	512	free(ret_val);
	513	return NULL;
[31]	514	}
[30]	515
[104]	516	hashes = (uint8*)zalloc(length);
	517	if(hashes == NULL)
	518	{
	519	free(ret_val->hashes);
	520	free(ret_val);
	521	return NULL;
[31]	522	}
[30]	523
[104]	524	if(regfi_read(file->fd, hashes, &length) != 0
	525	\|\| length != sizeof(REGF_HASH_LIST_ELEM)*ret_val->num_keys)
	526	{
	527	free(ret_val->hashes);
	528	free(ret_val);
	529	return NULL;
	530	}
[30]	531
[104]	532	for (i=0; i < ret_val->num_keys; i++)
	533	{
	534	ret_val->hashes[i].nk_off = IVAL(hashes, i*sizeof(REGF_HASH_LIST_ELEM));
	535	ret_val->hashes[i].hash = IVAL(hashes, i*sizeof(REGF_HASH_LIST_ELEM)+4);
	536	}
	537	free(hashes);
[30]	538
[104]	539	return ret_val;
[30]	540	}
	541
	542
[102]	543
[30]	544	/*******************************************************************
[31]	545	*******************************************************************/
[102]	546	REGF_SK_REC* regfi_parse_sk(REGF_FILE* file, uint32 offset, uint32 max_size, bool strict)
[30]	547	{
[102]	548	REGF_SK_REC* ret_val;
	549	uint32 cell_length, length;
	550	prs_struct ps;
	551	uint8 sk_header[REGFI_SK_MIN_LENGTH];
	552	bool unalloc = false;
[30]	553
	554
[102]	555	if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH,
	556	&cell_length, &unalloc))
	557	return NULL;
	558
	559	if(sk_header[0] != 's' \|\| sk_header[1] != 'k')
	560	return NULL;
	561
	562	ret_val = (REGF_SK_REC*)zalloc(sizeof(REGF_SK_REC));
	563	if(ret_val == NULL)
	564	return NULL;
[30]	565
[102]	566	ret_val->offset = offset;
	567	ret_val->cell_size = cell_length;
[30]	568
[102]	569	if(ret_val->cell_size > max_size)
	570	ret_val->cell_size = max_size & 0xFFFFFFF8;
	571	if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
	572	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
	573	{
	574	free(ret_val);
	575	return NULL;
	576	}
[30]	577
	578
[102]	579	ret_val->magic[0] = sk_header[0];
	580	ret_val->magic[1] = sk_header[1];
[30]	581
[102]	582	ret_val->unknown_tag = SVAL(sk_header, 0x2);
	583	ret_val->prev_sk_off = IVAL(sk_header, 0x4);
	584	ret_val->next_sk_off = IVAL(sk_header, 0x8);
	585	ret_val->ref_count = IVAL(sk_header, 0xC);
	586	ret_val->desc_size = IVAL(sk_header, 0x10);
[30]	587
[102]	588	if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
	589	{
	590	free(ret_val);
	591	return NULL;
	592	}
[30]	593
[102]	594	/* TODO: need to get rid of this, but currently the security descriptor
	595	* code depends on the ps structure.
	596	*/
	597	if(!prs_init(&ps, ret_val->desc_size, NULL, UNMARSHALL))
	598	{
	599	free(ret_val);
	600	return NULL;
	601	}
[30]	602
[102]	603	length = ret_val->desc_size;
	604	if(regfi_read(file->fd, (uint8*)ps.data_p, &length) != 0
	605	\|\| length != ret_val->desc_size)
	606	{
	607	free(ret_val);
	608	return NULL;
	609	}
[30]	610
[102]	611	if (!sec_io_desc("sec_desc", &ret_val->sec_desc, &ps, 0))
	612	{
	613	free(ret_val);
	614	return NULL;
	615	}
	616
	617	free(ps.data_p);
	618
	619	return ret_val;
[30]	620	}
	621
	622
	623
[103]	624	/******************************************************************************
[105]	625	TODO: not currently validating against max_size.
[103]	626	******************************************************************************/
	627	REGF_VK_REC** regfi_load_valuelist(REGF_FILE* file, uint32 offset,
[105]	628	uint32 num_values, uint32 max_size,
	629	bool strict)
[30]	630	{
[103]	631	REGF_VK_REC** ret_val;
[101]	632	REGF_HBIN* sub_hbin;
[103]	633	uint8* buf;
	634	uint32 i, cell_length, vk_raw_offset, vk_offset, vk_max_length, buf_len;
	635	bool unalloc;
[30]	636
[103]	637	buf_len = sizeof(uint8) * 4 * num_values;
	638	buf = (uint8*)zalloc(buf_len);
	639	if(buf == NULL)
	640	return NULL;
	641
	642	if(!regfi_parse_cell(file->fd, offset, buf, buf_len, &cell_length, &unalloc))
[32]	643	{
[103]	644	free(buf);
	645	return NULL;
[31]	646	}
[30]	647
[103]	648	ret_val = (REGF_VK_REC*)zalloc(sizeof(REGF_VK_REC) * num_values);
	649	if(ret_val == NULL)
	650	{
	651	free(buf);
	652	return NULL;
[31]	653	}
[103]	654
	655	for (i=0; i < num_values; i++)
[32]	656	{
[103]	657	vk_raw_offset = IVAL(buf, i*4);
[101]	658
[106]	659	sub_hbin = regfi_lookup_hbin(file, vk_raw_offset);
[103]	660	if (!sub_hbin)
[32]	661	{
[103]	662	free(buf);
	663	free(ret_val);
	664	return NULL;
[31]	665	}
[103]	666
[101]	667	vk_offset = vk_raw_offset + REGF_BLOCKSIZE;
	668	vk_max_length = sub_hbin->block_size - vk_offset + sizeof(uint32);
[103]	669	ret_val[i] = regfi_parse_vk(file, vk_offset, vk_max_length, true);
	670	if(ret_val[i] == NULL)
	671	{
	672	free(buf);
	673	free(ret_val);
	674	return NULL;
	675	}
[31]	676	}
[30]	677
[103]	678	free(buf);
	679	return ret_val;
[30]	680	}
	681
	682
	683	/*******************************************************************
[31]	684	*******************************************************************/
[30]	685	static REGF_SK_REC* find_sk_record_by_offset( REGF_FILE *file, uint32 offset )
	686	{
[31]	687	REGF_SK_REC *p_sk;
[80]	688
[31]	689	for ( p_sk=file->sec_desc_list; p_sk; p_sk=p_sk->next ) {
	690	if ( p_sk->sk_off == offset )
	691	return p_sk;
	692	}
[80]	693
[31]	694	return NULL;
[30]	695	}
	696
[32]	697
[30]	698	/*******************************************************************
[31]	699	*******************************************************************/
[30]	700	static REGF_SK_REC* find_sk_record_by_sec_desc( REGF_FILE file, SEC_DESC sd )
	701	{
[31]	702	REGF_SK_REC *p;
[30]	703
[31]	704	for ( p=file->sec_desc_list; p; p=p->next ) {
	705	if ( sec_desc_equal( p->sec_desc, sd ) )
	706	return p;
	707	}
[30]	708
[31]	709	/* failure */
[30]	710
[31]	711	return NULL;
[30]	712	}
	713
[32]	714
[30]	715	/*******************************************************************
[106]	716	* TODO: Need to add full key and SK record caching using a
	717	* custom cache structure.
[31]	718	*******************************************************************/
[105]	719	REGF_NK_REC* regfi_load_key(REGF_FILE *file, uint32 offset, bool strict)
[30]	720	{
[105]	721	REGF_HBIN* hbin;
[99]	722	REGF_HBIN* sub_hbin;
	723	REGF_NK_REC* nk;
[105]	724	uint32 max_length, off;
[99]	725
[106]	726	hbin = regfi_lookup_hbin(file, offset-REGF_BLOCKSIZE);
[105]	727	if (hbin == NULL)
	728	return NULL;
[30]	729
[31]	730	/* get the initial nk record */
[105]	731	max_length = hbin->block_size + hbin->file_off - offset;
	732	if ((nk = regfi_parse_nk(file, offset, max_length, true)) == NULL)
[99]	733	return NULL;
[30]	734
[31]	735	/* fill in values */
[105]	736	if(nk->num_values && (nk->values_off!=REGF_OFFSET_NONE))
[32]	737	{
[31]	738	sub_hbin = hbin;
[106]	739	if(!regfi_offset_in_hbin(hbin, nk->values_off))
	740	sub_hbin = regfi_lookup_hbin(file, nk->values_off);
[105]	741
	742	if(sub_hbin == NULL)
[32]	743	{
[105]	744	if(strict)
[32]	745	{
[105]	746	free(nk);
[99]	747	return NULL;
[31]	748	}
[105]	749	else
	750	nk->values = NULL;
[31]	751	}
[105]	752	else
[103]	753	{
[105]	754	off = nk->values_off + REGF_BLOCKSIZE;
	755	max_length = sub_hbin->block_size + sub_hbin->file_off - off;
	756	nk->values = regfi_load_valuelist(file, off, nk->num_values, max_length,
	757	true);
	758	if(strict && nk->values == NULL)
	759	{
	760	free(nk);
	761	return NULL;
	762	}
[103]	763	}
[31]	764	}
[105]	765
[31]	766	/* now get subkeys */
[105]	767	if(nk->num_subkeys && (nk->subkeys_off != REGF_OFFSET_NONE))
[32]	768	{
[31]	769	sub_hbin = hbin;
[106]	770	if(!regfi_offset_in_hbin(hbin, nk->subkeys_off))
	771	sub_hbin = regfi_lookup_hbin(file, nk->subkeys_off);
[105]	772
	773	if (sub_hbin == NULL)
[32]	774	{
[105]	775	if(strict)
[32]	776	{
[105]	777	free(nk);
	778	/* TODO: need convenient way to free nk->values deeply in all cases. */
[99]	779	return NULL;
[31]	780	}
[105]	781	else
	782	nk->subkeys = NULL;
[31]	783	}
[105]	784	else
[104]	785	{
[105]	786	off = nk->subkeys_off + REGF_BLOCKSIZE;
	787	max_length = sub_hbin->block_size + sub_hbin->file_off - off;
	788	nk->subkeys = regfi_load_hashlist(file, off, nk->num_subkeys,
	789	max_length, true);
	790	if(nk->subkeys == NULL)
	791	{
	792	/* TODO: temporary hack to get around 'ri' records */
	793	nk->num_subkeys = 0;
	794	}
[104]	795	}
[31]	796	}
[30]	797
[102]	798	/* get the security descriptor. First look if we have already parsed it */
[105]	799	if((nk->sk_off!=REGF_OFFSET_NONE)
	800	&& !(nk->sec_desc = find_sk_record_by_offset( file, nk->sk_off )))
[32]	801	{
[31]	802	sub_hbin = hbin;
[106]	803	if(!regfi_offset_in_hbin(hbin, nk->sk_off))
	804	sub_hbin = regfi_lookup_hbin(file, nk->sk_off);
[105]	805
	806	if(sub_hbin == NULL)
[32]	807	{
[105]	808	free(nk);
	809	/* TODO: need convenient way to free nk->values and nk->subkeys deeply
	810	* in all cases.
	811	*/
	812	return NULL;
[31]	813	}
[105]	814
	815	off = nk->sk_off + REGF_BLOCKSIZE;
	816	max_length = sub_hbin->block_size + sub_hbin->file_off - off;
	817	nk->sec_desc = regfi_parse_sk(file, off, max_length, true);
	818	if(strict && nk->sec_desc == NULL)
	819	{
	820	free(nk);
	821	/* TODO: need convenient way to free nk->values and nk->subkeys deeply
	822	* in all cases.
	823	*/
[99]	824	return NULL;
[105]	825	}
[31]	826	nk->sec_desc->sk_off = nk->sk_off;
[105]	827
[31]	828	/* add to the list of security descriptors (ref_count has been read from the files) */
[80]	829	/* XXX: this kind of caching needs to be re-evaluated */
[31]	830	DLIST_ADD( file->sec_desc_list, nk->sec_desc );
	831	}
[99]	832
	833	return nk;
[30]	834	}
	835
[32]	836
[102]	837	/******************************************************************************
	838
	839	******************************************************************************/
	840	static bool regfi_find_root_nk(REGF_FILE* file, uint32 offset, uint32 hbin_size,
	841	uint32* root_offset)
[30]	842	{
[102]	843	uint8 tmp[4];
	844	int32 record_size;
	845	uint32 length, hbin_offset = 0;
	846	REGF_NK_REC* nk = NULL;
[31]	847	bool found = false;
[30]	848
[102]	849	for(record_size=0; !found && (hbin_offset < hbin_size); )
[32]	850	{
[102]	851	if(lseek(file->fd, offset+hbin_offset, SEEK_SET) == -1)
[31]	852	return false;
[102]	853
	854	length = 4;
	855	if((regfi_read(file->fd, tmp, &length) != 0) \|\| length != 4)
[31]	856	return false;
[102]	857	record_size = IVALS(tmp, 0);
[30]	858
[102]	859	if(record_size < 0)
	860	{
	861	record_size = record_size*(-1);
	862	nk = regfi_parse_nk(file, offset+hbin_offset, hbin_size-hbin_offset, true);
	863	if(nk != NULL)
	864	{
	865	if(nk->key_type == NK_TYPE_ROOTKEY)
	866	{
	867	found = true;
	868	*root_offset = nk->offset;
	869	}
	870	free(nk);
	871	}
[31]	872	}
[30]	873
[102]	874	hbin_offset += record_size;
[31]	875	}
[32]	876
[102]	877	return found;
[30]	878	}
	879
	880
	881	/*******************************************************************
[97]	882	* Open the registry file and then read in the REGF block to get the
	883	* first hbin offset.
	884	*******************************************************************/
[107]	885	REGF_FILE* regfi_open(const char* filename, uint32 flags)
[30]	886	{
[97]	887	REGF_FILE* rb;
[106]	888	REGF_HBIN* hbin = NULL;
	889	uint32 hbin_off;
[97]	890	int fd;
[107]	891	bool rla, save_unalloc = false;
[30]	892
[107]	893	if(flags & REGFI_FLAG_SAVE_UNALLOC)
	894	save_unalloc = true;
	895
[97]	896	/* open an existing file */
[107]	897	if ((fd = open(filename, O_RDONLY)) == -1)
[97]	898	{
[78]	899	/* DEBUG(0,("regfi_open: failure to open %s (%s)\n", filename, strerror(errno)));*/
[31]	900	return NULL;
	901	}
[99]	902
[31]	903	/* read in an existing file */
[97]	904	if ((rb = regfi_parse_regf(fd, true)) == NULL)
	905	{
[78]	906	/* DEBUG(0,("regfi_open: Failed to read initial REGF block\n"));*/
[97]	907	close(fd);
[31]	908	return NULL;
	909	}
[99]	910
	911	rb->hbins = range_list_new();
	912	rb->unalloc_cells = range_list_new();
	913	if((rb->hbins == NULL) \|\| (rb->unalloc_cells == NULL))
	914	{
[106]	915	range_list_free(rb->hbins);
	916	range_list_free(rb->unalloc_cells);
[99]	917	close(fd);
	918	free(rb);
	919	return NULL;
	920	}
	921
[106]	922	rla = true;
	923	hbin_off = REGF_BLOCKSIZE;
[107]	924	hbin = regfi_parse_hbin(rb, hbin_off, true, save_unalloc);
[106]	925	while(hbin && rla)
	926	{
	927	hbin_off = hbin->file_off + hbin->block_size;
	928	rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
[107]	929	hbin = regfi_parse_hbin(rb, hbin_off, true, save_unalloc);
[106]	930	}
	931
[31]	932	/* success */
	933	return rb;
[30]	934	}
	935
	936
	937	/*******************************************************************
[31]	938	*******************************************************************/
[78]	939	int regfi_close( REGF_FILE *file )
[30]	940	{
[31]	941	int fd;
[106]	942	uint32 i;
[30]	943
[31]	944	/* nothing to do if there is no open file */
[99]	945	if ((file == NULL) \|\| (file->fd == -1))
	946	return 0;
[30]	947
[31]	948	fd = file->fd;
	949	file->fd = -1;
[106]	950	for(i=0; i < range_list_size(file->hbins); i++)
	951	free(range_list_get(file->hbins, i)->data);
[99]	952	range_list_free(file->hbins);
[106]	953
	954	for(i=0; i < range_list_size(file->unalloc_cells); i++)
	955	free(range_list_get(file->unalloc_cells, i)->data);
[99]	956	range_list_free(file->unalloc_cells);
[106]	957
[99]	958	free(file);
[30]	959
[106]	960	return close(fd);
[30]	961	}
	962
	963
[80]	964	/******************************************************************************
	965	* There should be only one root key in the registry file based
	966	* on my experience. --jerry
	967	*****************************************************************************/
[102]	968	REGF_NK_REC* regfi_rootkey(REGF_FILE *file)
[30]	969	{
[102]	970	REGF_NK_REC* nk = NULL;
	971	REGF_HBIN* hbin;
[107]	972	uint32 root_offset, i, num_hbins;
[99]	973
	974	if(!file)
[31]	975	return NULL;
[99]	976
[102]	977	/* Scan through the file one HBIN block at a time looking
[31]	978	for an NK record with a type == 0x002c.
	979	Normally this is the first nk record in the first hbin
	980	block (but I'm not assuming that for now) */
[102]	981
[107]	982	num_hbins = range_list_size(file->hbins);
	983	for(i=0; i < num_hbins; i++)
[99]	984	{
[107]	985	hbin = (REGF_HBIN*)range_list_get(file->hbins, i)->data;
[102]	986	if(regfi_find_root_nk(file, hbin->file_off+HBIN_HEADER_REC_SIZE,
	987	hbin->block_size-HBIN_HEADER_REC_SIZE, &root_offset))
[99]	988	{
[105]	989	nk = regfi_load_key(file, root_offset, true);
[102]	990	break;
[31]	991	}
	992	}
[30]	993
[80]	994	return nk;
[30]	995	}
	996
	997
[80]	998	/******************************************************************************
	999	*****************************************************************************/
	1000	void regfi_key_free(REGF_NK_REC* nk)
[30]	1001	{
[80]	1002	uint32 i;
	1003
	1004	if((nk->values != NULL) && (nk->values_off!=REGF_OFFSET_NONE))
	1005	{
	1006	for(i=0; i < nk->num_values; i++)
[81]	1007	{
[101]	1008	if(nk->values[i]->valuename != NULL)
	1009	free(nk->values[i]->valuename);
	1010	if(nk->values[i]->data != NULL)
	1011	free(nk->values[i]->data);
	1012	free(nk->values[i]);
[81]	1013	}
[80]	1014	free(nk->values);
	1015	}
[30]	1016
[80]	1017	if(nk->keyname != NULL)
	1018	free(nk->keyname);
	1019	if(nk->classname != NULL)
	1020	free(nk->classname);
	1021
	1022	/* XXX: not freeing hbin because these are cached. This needs to be reviewed. */
	1023	/* XXX: not freeing sec_desc because these are cached. This needs to be reviewed. */
	1024	free(nk);
	1025	}
	1026
	1027
	1028	/******************************************************************************
	1029	*****************************************************************************/
	1030	REGFI_ITERATOR* regfi_iterator_new(REGF_FILE* fh)
	1031	{
	1032	REGF_NK_REC* root;
	1033	REGFI_ITERATOR* ret_val = (REGFI_ITERATOR*)malloc(sizeof(REGFI_ITERATOR));
	1034	if(ret_val == NULL)
	1035	return NULL;
	1036
[81]	1037	root = regfi_rootkey(fh);
[80]	1038	if(root == NULL)
	1039	{
	1040	free(ret_val);
	1041	return NULL;
	1042	}
	1043
	1044	ret_val->key_positions = void_stack_new(REGF_MAX_DEPTH);
	1045	if(ret_val->key_positions == NULL)
	1046	{
	1047	free(ret_val);
	1048	free(root);
	1049	return NULL;
	1050	}
	1051
	1052	ret_val->f = fh;
	1053	ret_val->cur_key = root;
	1054	ret_val->cur_subkey = 0;
	1055	ret_val->cur_value = 0;
	1056
	1057	return ret_val;
	1058	}
	1059
	1060
	1061	/******************************************************************************
	1062	*****************************************************************************/
	1063	void regfi_iterator_free(REGFI_ITERATOR* i)
	1064	{
	1065	REGFI_ITER_POSITION* cur;
	1066
	1067	if(i->cur_key != NULL)
	1068	regfi_key_free(i->cur_key);
	1069
	1070	while((cur = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions)) != NULL)
	1071	{
	1072	regfi_key_free(cur->nk);
	1073	free(cur);
	1074	}
	1075
	1076	free(i);
	1077	}
	1078
	1079
	1080
	1081	/******************************************************************************
	1082	*****************************************************************************/
	1083	/* XXX: some way of indicating reason for failure should be added. */
	1084	bool regfi_iterator_down(REGFI_ITERATOR* i)
	1085	{
	1086	REGF_NK_REC* subkey;
	1087	REGFI_ITER_POSITION* pos;
	1088
	1089	pos = (REGFI_ITER_POSITION*)malloc(sizeof(REGFI_ITER_POSITION));
	1090	if(pos == NULL)
	1091	return false;
	1092
[84]	1093	subkey = (REGF_NK_REC*)regfi_iterator_cur_subkey(i);
[80]	1094	if(subkey == NULL)
	1095	{
	1096	free(pos);
	1097	return false;
	1098	}
	1099
	1100	pos->nk = i->cur_key;
	1101	pos->cur_subkey = i->cur_subkey;
	1102	if(!void_stack_push(i->key_positions, pos))
	1103	{
	1104	free(pos);
	1105	regfi_key_free(subkey);
	1106	return false;
	1107	}
	1108
	1109	i->cur_key = subkey;
	1110	i->cur_subkey = 0;
	1111	i->cur_value = 0;
	1112
	1113	return true;
	1114	}
	1115
	1116
	1117	/******************************************************************************
	1118	*****************************************************************************/
	1119	bool regfi_iterator_up(REGFI_ITERATOR* i)
	1120	{
	1121	REGFI_ITER_POSITION* pos;
	1122
	1123	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
	1124	if(pos == NULL)
	1125	return false;
	1126
	1127	regfi_key_free(i->cur_key);
	1128	i->cur_key = pos->nk;
	1129	i->cur_subkey = pos->cur_subkey;
	1130	i->cur_value = 0;
	1131	free(pos);
	1132
	1133	return true;
	1134	}
	1135
	1136
	1137	/******************************************************************************
	1138	*****************************************************************************/
	1139	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
	1140	{
	1141	while(regfi_iterator_up(i))
	1142	continue;
	1143
	1144	return true;
	1145	}
	1146
	1147
	1148	/******************************************************************************
	1149	*****************************************************************************/
	1150	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
	1151	{
	1152	REGF_NK_REC* subkey;
	1153	bool found = false;
	1154	uint32 old_subkey = i->cur_subkey;
	1155
	1156	if(subkey_name == NULL)
	1157	return false;
	1158
	1159	/* XXX: this alloc/free of each sub key might be a bit excessive */
[84]	1160	subkey = (REGF_NK_REC*)regfi_iterator_first_subkey(i);
[80]	1161	while((subkey != NULL) && (found == false))
	1162	{
	1163	if(subkey->keyname != NULL
	1164	&& strcasecmp(subkey->keyname, subkey_name) == 0)
	1165	found = true;
[82]	1166	else
	1167	{
	1168	regfi_key_free(subkey);
[84]	1169	subkey = (REGF_NK_REC*)regfi_iterator_next_subkey(i);
[82]	1170	}
[80]	1171	}
	1172
	1173	if(found == false)
	1174	{
	1175	i->cur_subkey = old_subkey;
	1176	return false;
	1177	}
	1178
[82]	1179	regfi_key_free(subkey);
[80]	1180	return true;
	1181	}
	1182
	1183
	1184	/******************************************************************************
	1185	*****************************************************************************/
	1186	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
	1187	{
	1188	uint32 x;
	1189	if(path == NULL)
	1190	return false;
	1191
	1192	for(x=0;
	1193	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
	1194	&& regfi_iterator_down(i));
	1195	x++)
	1196	{ continue; }
	1197
	1198	if(path[x] == NULL)
	1199	return true;
	1200
	1201	/* XXX: is this the right number of times? */
	1202	for(; x > 0; x--)
	1203	regfi_iterator_up(i);
	1204
	1205	return false;
	1206	}
	1207
	1208
	1209	/******************************************************************************
	1210	*****************************************************************************/
[84]	1211	const REGF_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]	1212	{
	1213	return i->cur_key;
	1214	}
	1215
	1216
	1217	/******************************************************************************
	1218	*****************************************************************************/
[84]	1219	const REGF_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]	1220	{
	1221	i->cur_subkey = 0;
	1222	return regfi_iterator_cur_subkey(i);
	1223	}
	1224
	1225
	1226	/******************************************************************************
	1227	*****************************************************************************/
[84]	1228	const REGF_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]	1229	{
	1230	uint32 nk_offset;
	1231
[31]	1232	/* see if there is anything left to report */
[80]	1233	if (!(i->cur_key) \|\| (i->cur_key->subkeys_off==REGF_OFFSET_NONE)
	1234	\|\| (i->cur_subkey >= i->cur_key->num_subkeys))
[31]	1235	return NULL;
[30]	1236
[104]	1237	nk_offset = i->cur_key->subkeys->hashes[i->cur_subkey].nk_off;
[78]	1238
[105]	1239	return regfi_load_key(i->f, nk_offset+REGF_BLOCKSIZE, true);
[30]	1240	}
[80]	1241
	1242
	1243	/******************************************************************************
	1244	*****************************************************************************/
	1245	/* XXX: some way of indicating reason for failure should be added. */
[84]	1246	const REGF_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]	1247	{
[84]	1248	const REGF_NK_REC* subkey;
[80]	1249
	1250	i->cur_subkey++;
	1251	subkey = regfi_iterator_cur_subkey(i);
	1252
	1253	if(subkey == NULL)
	1254	i->cur_subkey--;
	1255
	1256	return subkey;
	1257	}
	1258
	1259
	1260	/******************************************************************************
	1261	*****************************************************************************/
	1262	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
	1263	{
[84]	1264	const REGF_VK_REC* cur;
[80]	1265	bool found = false;
	1266
	1267	/* XXX: cur->valuename can be NULL in the registry.
	1268	* Should we allow for a way to search for that?
	1269	*/
	1270	if(value_name == NULL)
	1271	return false;
	1272
	1273	cur = regfi_iterator_first_value(i);
	1274	while((cur != NULL) && (found == false))
	1275	{
	1276	if((cur->valuename != NULL)
	1277	&& (strcasecmp(cur->valuename, value_name) == 0))
	1278	found = true;
[95]	1279	else
	1280	cur = regfi_iterator_next_value(i);
[80]	1281	}
	1282
[94]	1283	return found;
[80]	1284	}
	1285
	1286
	1287	/******************************************************************************
	1288	*****************************************************************************/
[84]	1289	const REGF_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]	1290	{
	1291	i->cur_value = 0;
	1292	return regfi_iterator_cur_value(i);
	1293	}
	1294
	1295
	1296	/******************************************************************************
	1297	*****************************************************************************/
[84]	1298	const REGF_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]	1299	{
	1300	REGF_VK_REC* ret_val = NULL;
	1301	if(i->cur_value < i->cur_key->num_values)
[101]	1302	ret_val = i->cur_key->values[i->cur_value];
[80]	1303
	1304	return ret_val;
	1305	}
	1306
	1307
	1308	/******************************************************************************
	1309	*****************************************************************************/
[84]	1310	const REGF_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]	1311	{
[84]	1312	const REGF_VK_REC* ret_val;
[80]	1313
	1314	i->cur_value++;
	1315	ret_val = regfi_iterator_cur_value(i);
	1316	if(ret_val == NULL)
	1317	i->cur_value--;
	1318
	1319	return ret_val;
	1320	}
[97]	1321
	1322
	1323
	1324	/*******************************************************************
	1325	* Computes the checksum of the registry file header.
	1326	* buffer must be at least the size of an regf header (4096 bytes).
	1327	*******************************************************************/
	1328	static uint32 regfi_compute_header_checksum(uint8* buffer)
	1329	{
	1330	uint32 checksum, x;
	1331	int i;
	1332
	1333	/* XOR of all bytes 0x0000 - 0x01FB */
	1334
	1335	checksum = x = 0;
	1336
	1337	for ( i=0; i<0x01FB; i+=4 ) {
	1338	x = IVAL(buffer, i );
	1339	checksum ^= x;
	1340	}
	1341
	1342	return checksum;
	1343	}
	1344
	1345
	1346	/*******************************************************************
	1347	* TODO: add way to return more detailed error information.
	1348	*******************************************************************/
	1349	REGF_FILE* regfi_parse_regf(int fd, bool strict)
	1350	{
	1351	uint8 file_header[REGF_BLOCKSIZE];
[102]	1352	uint32 length;
[97]	1353	uint32 file_length;
	1354	struct stat sbuf;
	1355	REGF_FILE* ret_val;
	1356
	1357	/* Determine file length. Must be at least big enough
	1358	* for the header and one hbin.
	1359	*/
	1360	if (fstat(fd, &sbuf) == -1)
	1361	return NULL;
	1362	file_length = sbuf.st_size;
	1363	if(file_length < REGF_BLOCKSIZE+REGF_ALLOC_BLOCK)
	1364	return NULL;
	1365
	1366	ret_val = (REGF_FILE*)zalloc(sizeof(REGF_FILE));
	1367	if(ret_val == NULL)
	1368	return NULL;
	1369
	1370	ret_val->fd = fd;
	1371	ret_val->file_length = file_length;
	1372
	1373	length = REGF_BLOCKSIZE;
[102]	1374	if((regfi_read(fd, file_header, &length)) != 0
[97]	1375	\|\| length != REGF_BLOCKSIZE)
	1376	{
	1377	free(ret_val);
	1378	return NULL;
	1379	}
	1380
	1381	ret_val->checksum = IVAL(file_header, 0x1FC);
	1382	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
	1383	if (strict && (ret_val->checksum != ret_val->computed_checksum))
	1384	{
	1385	free(ret_val);
	1386	return NULL;
	1387	}
	1388
	1389	memcpy(ret_val->magic, file_header, 4);
	1390	if(strict && (memcmp(ret_val->magic, "regf", 4) != 0))
	1391	{
	1392	free(ret_val);
	1393	return NULL;
	1394	}
	1395
	1396	ret_val->unknown1 = IVAL(file_header, 0x4);
	1397	ret_val->unknown2 = IVAL(file_header, 0x8);
	1398
	1399	ret_val->mtime.low = IVAL(file_header, 0xC);
	1400	ret_val->mtime.high = IVAL(file_header, 0x10);
	1401
	1402	ret_val->unknown3 = IVAL(file_header, 0x14);
	1403	ret_val->unknown4 = IVAL(file_header, 0x18);
	1404	ret_val->unknown5 = IVAL(file_header, 0x1C);
	1405	ret_val->unknown6 = IVAL(file_header, 0x20);
	1406
	1407	ret_val->data_offset = IVAL(file_header, 0x24);
	1408	ret_val->last_block = IVAL(file_header, 0x28);
	1409
	1410	ret_val->unknown7 = IVAL(file_header, 0x2C);
	1411
	1412	return ret_val;
	1413	}
	1414
	1415
	1416
	1417	/*******************************************************************
	1418	* Given real file offset, read and parse the hbin at that location
	1419	* along with it's associated cells. If save_unalloc is true, a list
	1420	* of unallocated cell offsets will be stored in TODO.
	1421	*******************************************************************/
	1422	/* TODO: Need a way to return types of errors. Also need to free
	1423	* the hbin/ps when an error occurs.
	1424	*/
	1425	REGF_HBIN* regfi_parse_hbin(REGF_FILE* file, uint32 offset,
	1426	bool strict, bool save_unalloc)
	1427	{
	1428	REGF_HBIN *hbin;
	1429	uint8 hbin_header[HBIN_HEADER_REC_SIZE];
	1430	uint32 length, curr_off;
[105]	1431	uint32 cell_len;
[97]	1432	bool is_unalloc;
[99]	1433
	1434	if(offset >= file->file_length)
	1435	return NULL;
[97]	1436
	1437	if(lseek(file->fd, offset, SEEK_SET) == -1)
	1438	return NULL;
	1439
	1440	length = HBIN_HEADER_REC_SIZE;
	1441	if((regfi_read(file->fd, hbin_header, &length) != 0)
	1442	\|\| length != HBIN_HEADER_REC_SIZE)
	1443	return NULL;
	1444
[99]	1445
[97]	1446	if(lseek(file->fd, offset, SEEK_SET) == -1)
	1447	return NULL;
	1448
[99]	1449	if(!(hbin = (REGF_HBIN*)zalloc(sizeof(REGF_HBIN))))
	1450	return NULL;
	1451	hbin->file_off = offset;
	1452
[97]	1453	memcpy(hbin->magic, hbin_header, 4);
	1454	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
[99]	1455	{
	1456	free(hbin);
[97]	1457	return NULL;
[99]	1458	}
[97]	1459
	1460	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
	1461	hbin->block_size = IVAL(hbin_header, 0x8);
	1462	/* this should be the same thing as hbin->block_size but just in case */
	1463	hbin->next_block = IVAL(hbin_header, 0x1C);
	1464
	1465
	1466	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
	1467	* the end of the file.
	1468	*/
	1469	/* TODO: This may need to be relaxed for dealing with
	1470	* partial or corrupt files. */
	1471	if((offset + hbin->block_size > file->file_length)
	1472	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
[99]	1473	{
	1474	free(hbin);
[97]	1475	return NULL;
[99]	1476	}
[97]	1477
	1478	if(save_unalloc)
	1479	{
	1480	curr_off = HBIN_HEADER_REC_SIZE;
[105]	1481	while(curr_off < hbin->block_size)
[97]	1482	{
[105]	1483	if(!regfi_parse_cell(file->fd, hbin->file_off+curr_off, NULL, 0,
	1484	&cell_len, &is_unalloc))
	1485	break;
[97]	1486
	1487	if((cell_len == 0) \|\| ((cell_len & 0xFFFFFFFC) != cell_len))
	1488	/* TODO: should report an error here. */
	1489	break;
	1490
	1491	/* for some reason the record_size of the last record in
	1492	an hbin block can extend past the end of the block
	1493	even though the record fits within the remaining
	1494	space....aaarrrgggghhhhhh */
	1495	if(curr_off + cell_len >= hbin->block_size)
	1496	cell_len = hbin->block_size - curr_off;
	1497
	1498	if(is_unalloc)
[99]	1499	range_list_add(file->unalloc_cells, hbin->file_off+curr_off,
	1500	cell_len, NULL);
[97]	1501
	1502	curr_off = curr_off+cell_len;
	1503	}
	1504	}
	1505
	1506	return hbin;
	1507	}
	1508
	1509
[101]	1510
[99]	1511	REGF_NK_REC* regfi_parse_nk(REGF_FILE* file, uint32 offset,
	1512	uint32 max_size, bool strict)
	1513	{
	1514	uint8 nk_header[REGFI_NK_MIN_LENGTH];
	1515	REGF_NK_REC* ret_val;
	1516	uint32 length;
[101]	1517	uint32 cell_length;
	1518	bool unalloc = false;
[99]	1519
[101]	1520	if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH,
	1521	&cell_length, &unalloc))
	1522	return NULL;
[99]	1523
	1524	/* A bit of validation before bothering to allocate memory */
[101]	1525	if((nk_header[0x0] != 'n') \|\| (nk_header[0x1] != 'k'))
	1526	{
	1527	/* TODO: deal with subkey-lists that reference other subkey-lists. */
[103]	1528	printf("DEBUG: magic check failed! \"%c%c\"\n", nk_header[0x0], nk_header[0x1]);
[99]	1529	return NULL;
[101]	1530	}
[99]	1531
	1532	ret_val = (REGF_NK_REC*)zalloc(sizeof(REGF_NK_REC));
	1533	if(ret_val == NULL)
	1534	return NULL;
	1535
	1536	ret_val->offset = offset;
[101]	1537	ret_val->cell_size = cell_length;
	1538
[99]	1539	if(ret_val->cell_size > max_size)
	1540	ret_val->cell_size = max_size & 0xFFFFFFF8;
	1541	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
	1542	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
	1543	{
	1544	free(ret_val);
	1545	return NULL;
	1546	}
	1547
[101]	1548	ret_val->magic[0] = nk_header[0x0];
	1549	ret_val->magic[1] = nk_header[0x1];
	1550	ret_val->key_type = SVAL(nk_header, 0x2);
	1551	if((ret_val->key_type != NK_TYPE_NORMALKEY)
	1552	&& (ret_val->key_type != NK_TYPE_ROOTKEY)
	1553	&& (ret_val->key_type != NK_TYPE_LINKKEY)
	1554	&& (ret_val->key_type != NK_TYPE_UNKNOWN1))
[99]	1555	{
	1556	free(ret_val);
	1557	return NULL;
	1558	}
[101]	1559
	1560	ret_val->mtime.low = IVAL(nk_header, 0x4);
	1561	ret_val->mtime.high = IVAL(nk_header, 0x8);
[99]	1562
[101]	1563	ret_val->unknown1 = IVAL(nk_header, 0xC);
	1564	ret_val->parent_off = IVAL(nk_header, 0x10);
	1565	ret_val->num_subkeys = IVAL(nk_header, 0x14);
	1566	ret_val->unknown2 = IVAL(nk_header, 0x18);
	1567	ret_val->subkeys_off = IVAL(nk_header, 0x1C);
	1568	ret_val->unknown3 = IVAL(nk_header, 0x20);
	1569	ret_val->num_values = IVAL(nk_header, 0x24);
	1570	ret_val->values_off = IVAL(nk_header, 0x28);
	1571	ret_val->sk_off = IVAL(nk_header, 0x2C);
[99]	1572	/* TODO: currently we do nothing with class names. Need to investigate. */
[101]	1573	ret_val->classname_off = IVAL(nk_header, 0x30);
[99]	1574
[101]	1575	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
	1576	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
	1577	ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
	1578	ret_val->max_bytes_value = IVAL(nk_header, 0x40);
	1579	ret_val->unk_index = IVAL(nk_header, 0x44);
[99]	1580
[101]	1581	ret_val->name_length = SVAL(nk_header, 0x48);
	1582	ret_val->classname_length = SVAL(nk_header, 0x4A);
[99]	1583
	1584	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
[101]	1585	{
	1586	if(strict)
	1587	{
	1588	free(ret_val);
	1589	return NULL;
	1590	}
	1591	else
	1592	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
	1593	}
	1594	else if (unalloc)
	1595	{ /* Truncate cell_size if it's much larger than the apparent total record length. */
	1596	/* Round up to the next multiple of 8 */
	1597	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
	1598	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
	1599	length+=8;
[99]	1600
[101]	1601	/* If cell_size is still greater, truncate. */
	1602	if(length < ret_val->cell_size)
	1603	ret_val->cell_size = length;
	1604	}
	1605
[99]	1606	ret_val->keyname = (char)zalloc(sizeof(char)(ret_val->name_length+1));
	1607	if(ret_val->keyname == NULL)
	1608	{
	1609	free(ret_val);
	1610	return NULL;
	1611	}
	1612
	1613	/* Don't need to seek, should be at the right offset */
	1614	length = ret_val->name_length;
[101]	1615	if((regfi_read(file->fd, (uint8*)ret_val->keyname, &length) != 0)
[99]	1616	\|\| length != ret_val->name_length)
	1617	{
	1618	free(ret_val->keyname);
	1619	free(ret_val);
	1620	return NULL;
	1621	}
	1622	ret_val->keyname[ret_val->name_length] = '\0';
	1623
	1624	return ret_val;
	1625	}
	1626
	1627
	1628
[101]	1629	/*******************************************************************
	1630	*******************************************************************/
	1631	REGF_VK_REC* regfi_parse_vk(REGF_FILE* file, uint32 offset,
	1632	uint32 max_size, bool strict)
[97]	1633	{
[101]	1634	REGF_VK_REC* ret_val;
	1635	uint8 vk_header[REGFI_VK_MIN_LENGTH];
	1636	uint32 raw_data_size, length, cell_length;
	1637	bool unalloc = false;
[97]	1638
[101]	1639	if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH,
	1640	&cell_length, &unalloc))
	1641	return NULL;
	1642
	1643	ret_val = (REGF_VK_REC*)zalloc(sizeof(REGF_VK_REC));
	1644	if(ret_val == NULL)
	1645	return NULL;
	1646
	1647	ret_val->offset = offset;
	1648	ret_val->cell_size = cell_length;
	1649
	1650	if(ret_val->cell_size > max_size)
	1651	ret_val->cell_size = max_size & 0xFFFFFFF8;
	1652	if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
	1653	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
[97]	1654	{
[101]	1655	free(ret_val);
	1656	return NULL;
	1657	}
[97]	1658
[101]	1659	ret_val->magic[0] = vk_header[0x0];
	1660	ret_val->magic[1] = vk_header[0x1];
	1661	if((ret_val->magic[0] != 'v') \|\| (ret_val->magic[1] != 'k'))
	1662	{
	1663	free(ret_val);
	1664	return NULL;
	1665	}
	1666
	1667	ret_val->name_length = SVAL(vk_header, 0x2);
	1668	raw_data_size = IVAL(vk_header, 0x4);
	1669	ret_val->data_size = raw_data_size & ~VK_DATA_IN_OFFSET;
	1670	ret_val->data_off = IVAL(vk_header, 0x8);
	1671	ret_val->type = IVAL(vk_header, 0xC);
	1672	ret_val->flag = SVAL(vk_header, 0x10);
	1673	ret_val->unknown1 = SVAL(vk_header, 0x12);
	1674
	1675	if(ret_val->flag & VK_FLAG_NAME_PRESENT)
	1676	{
	1677	if(ret_val->name_length + REGFI_VK_MIN_LENGTH > ret_val->cell_size)
	1678	{
	1679	if(strict)
	1680	{
	1681	free(ret_val);
	1682	return NULL;
	1683	}
	1684	else
	1685	ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH;
	1686	}
	1687
	1688	/* Round up to the next multiple of 8 */
	1689	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
	1690	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
	1691	length+=8;
	1692
	1693	ret_val->valuename = (char)zalloc(sizeof(char)(ret_val->name_length+1));
	1694	if(ret_val->valuename == NULL)
	1695	{
	1696	free(ret_val);
	1697	return NULL;
	1698	}
	1699
	1700	/* Don't need to seek, should be at the right offset */
	1701	length = ret_val->name_length;
	1702	if((regfi_read(file->fd, (uint8*)ret_val->valuename, &length) != 0)
	1703	\|\| length != ret_val->name_length)
	1704	{
	1705	free(ret_val->valuename);
	1706	free(ret_val);
	1707	return NULL;
	1708	}
	1709	ret_val->valuename[ret_val->name_length] = '\0';
	1710	}
	1711	else
	1712	length = REGFI_VK_MIN_LENGTH;
	1713
	1714	if(unalloc)
	1715	{
	1716	/* If cell_size is still greater, truncate. */
	1717	if(length < ret_val->cell_size)
	1718	ret_val->cell_size = length;
	1719	}
	1720
	1721	if(ret_val->data_size == 0)
	1722	ret_val->data = NULL;
	1723	else
	1724	{
	1725	ret_val->data = regfi_parse_data(file, ret_val->data_off+REGF_BLOCKSIZE,
	1726	raw_data_size, strict);
	1727	if(strict && (ret_val->data == NULL))
	1728	{
	1729	free(ret_val->valuename);
	1730	free(ret_val);
	1731	return NULL;
	1732	}
	1733	}
	1734
	1735	return ret_val;
[97]	1736	}
[101]	1737
	1738
	1739	uint8* regfi_parse_data(REGF_FILE* file, uint32 offset, uint32 length, bool strict)
	1740	{
	1741	uint8* ret_val;
	1742	uint32 read_length, cell_length;
[102]	1743	uint8 i;
[101]	1744	bool unalloc;
	1745
	1746	/* The data is stored in the offset if the size <= 4 */
[102]	1747	if (length & VK_DATA_IN_OFFSET)
[101]	1748	{
	1749	length = length & ~VK_DATA_IN_OFFSET;
	1750	if(length > 4)
	1751	return NULL;
	1752
	1753	if((ret_val = (uint8)zalloc(sizeof(uint8)length)) == NULL)
	1754	return NULL;
[102]	1755
	1756	offset = offset - REGF_BLOCKSIZE;
	1757	for(i = 0; i < length; i++)
	1758	ret_val[i] = (uint8)((offset >> i*8) & 0xFF);
[101]	1759	}
	1760	else
	1761	{
	1762	if(!regfi_parse_cell(file->fd, offset, NULL, 0,
	1763	&cell_length, &unalloc))
	1764	return NULL;
	1765
	1766	if(cell_length < 8 \|\| ((cell_length & 0xFFFFFFF8) != cell_length))
	1767	return NULL;
	1768
	1769	if(cell_length - 4 < length)
	1770	{
	1771	if(strict)
	1772	return NULL;
	1773	else
	1774	length = cell_length - 4;
	1775	}
	1776
	1777	/* TODO: There is currently no check to ensure the data
	1778	* cell doesn't cross HBIN boundary.
	1779	*/
	1780
	1781	if((ret_val = (uint8)zalloc(sizeof(uint8)length)) == NULL)
	1782	return NULL;
	1783
	1784	read_length = length;
	1785	if((regfi_read(file->fd, ret_val, &read_length) != 0)
	1786	\|\| read_length != length)
	1787	{
	1788	free(ret_val);
	1789	return NULL;
	1790	}
	1791	}
	1792
	1793	return ret_val;
	1794	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: