Context Navigation

regfi.c @ 141

Last change on this file since 141 was 140, checked in by tim, 16 years ago

Misc error message changes.

Added and removed some comments.

Updated TODO list.

Property svn:keywords set to Id

File size: 61.4 KB

Rev	Line
[30]	1	/*
	2	* Branched from Samba project Subversion repository, version #7470:
[84]	3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
[30]	4	*
[134]	5	* Windows NT (and later) registry parsing library
[30]	6	*
[132]	7	* Copyright (C) 2005-2009 Timothy D. Morgan
[30]	8	* Copyright (C) 2005 Gerald (Jerry) Carter
	9	*
	10	* This program is free software; you can redistribute it and/or modify
	11	* it under the terms of the GNU General Public License as published by
[111]	12	* the Free Software Foundation; version 3 of the License.
[30]	13	*
	14	* This program is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	17	* GNU General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU General Public License
	20	* along with this program; if not, write to the Free Software
	21	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	22	*
	23	* $Id: regfi.c 140 2009-02-09 19:53:39Z tim $
	24	*/
	25
[81]	26	#include "../include/regfi.h"
[30]	27
	28
[32]	29	/* Registry types mapping */
[78]	30	const unsigned int regfi_num_reg_types = 12;
	31	static const char* regfi_type_names[] =
[65]	32	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]	33	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]	34
[32]	35
[135]	36
	37	/******************************************************************************
	38	******************************************************************************/
[138]	39	void regfi_add_message(REGFI_FILE* file, uint16 msg_type, const char* fmt, ...)
[135]	40	{
[136]	41	/* XXX: This function is not particularly efficient,
[135]	42	* but then it is mostly used during errors.
	43	*/
[136]	44	uint32 buf_size, buf_used;
	45	char* new_msg;
	46	va_list args;
[135]	47
[138]	48	if((file->msg_mask & msg_type) != 0)
	49	{
	50	if(file->last_message == NULL)
	51	buf_used = 0;
	52	else
	53	buf_used = strlen(file->last_message);
	54
	55	buf_size = buf_used+strlen(fmt)+160;
	56	new_msg = realloc(file->last_message, buf_size);
	57	if(new_msg == NULL)
	58	/* XXX: should we report this? */
	59	return;
[135]	60
[138]	61	switch (msg_type)
	62	{
	63	case REGFI_MSG_INFO:
	64	strcpy(new_msg+buf_used, "INFO: ");
	65	buf_used += 6;
	66	break;
	67	case REGFI_MSG_WARN:
	68	strcpy(new_msg+buf_used, "WARN: ");
	69	buf_used += 6;
	70	break;
	71	case REGFI_MSG_ERROR:
	72	strcpy(new_msg+buf_used, "ERROR: ");
	73	buf_used += 7;
	74	break;
	75	}
[136]	76
[138]	77	va_start(args, fmt);
	78	vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
	79	va_end(args);
	80	strncat(new_msg, "\n", buf_size-1);
	81
	82	file->last_message = new_msg;
	83	}
[135]	84	}
	85
	86
	87	/******************************************************************************
	88	******************************************************************************/
[136]	89	char* regfi_get_messages(REGFI_FILE* file)
[135]	90	{
	91	char* ret_val = file->last_message;
	92	file->last_message = NULL;
	93
	94	return ret_val;
	95	}
	96
	97
[138]	98	void regfi_set_message_mask(REGFI_FILE* file, uint16 mask)
	99	{
	100	file->msg_mask = mask;
	101	}
	102
	103
[32]	104	/* Returns NULL on error */
[78]	105	const char* regfi_type_val2str(unsigned int val)
[32]	106	{
[61]	107	if(val == REG_KEY)
	108	return "KEY";
	109
[78]	110	if(val >= regfi_num_reg_types)
[61]	111	return NULL;
	112
[78]	113	return regfi_type_names[val];
[32]	114	}
	115
	116
[61]	117	/* Returns -1 on error */
[78]	118	int regfi_type_str2val(const char* str)
[32]	119	{
	120	int i;
	121
[61]	122	if(strcmp("KEY", str) == 0)
	123	return REG_KEY;
[32]	124
[78]	125	for(i=0; i < regfi_num_reg_types; i++)
	126	if (strcmp(regfi_type_names[i], str) == 0)
[61]	127	return i;
	128
	129	if(strcmp("DWORD_LE", str) == 0)
	130	return REG_DWORD_LE;
	131
	132	return -1;
[32]	133	}
	134
	135
[135]	136	/* Security descriptor formatting functions */
[53]	137
[78]	138	const char* regfi_ace_type2str(uint8 type)
[53]	139	{
	140	static const char* map[7]
	141	= {"ALLOW", "DENY", "AUDIT", "ALARM",
	142	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
	143	if(type < 7)
	144	return map[type];
	145	else
	146	/* XXX: would be nice to return the unknown integer value.
	147	* However, as it is a const string, it can't be free()ed later on,
	148	* so that would need to change.
	149	*/
	150	return "UNKNOWN";
	151	}
	152
	153
[76]	154	/* XXX: need a better reference on the meaning of each flag. */
	155	/* For more info, see:
	156	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
	157	*/
[78]	158	char* regfi_ace_flags2str(uint8 flags)
[53]	159	{
[76]	160	static const char* flag_map[32] =
[87]	161	{ "OI", /* Object Inherit */
	162	"CI", /* Container Inherit */
	163	"NP", /* Non-Propagate */
	164	"IO", /* Inherit Only */
	165	"IA", /* Inherited ACE */
[76]	166	NULL,
	167	NULL,
	168	NULL,
	169	};
[53]	170
[76]	171	char* ret_val = malloc(35*sizeof(char));
	172	char* fo = ret_val;
	173	uint32 i;
	174	uint8 f;
	175
	176	if(ret_val == NULL)
[53]	177	return NULL;
	178
[76]	179	fo[0] = '\0';
[53]	180	if (!flags)
[76]	181	return ret_val;
[53]	182
[76]	183	for(i=0; i < 8; i++)
	184	{
	185	f = (1<<i);
	186	if((flags & f) && (flag_map[i] != NULL))
	187	{
	188	strcpy(fo, flag_map[i]);
	189	fo += strlen(flag_map[i]);
	190	*(fo++) = ' ';
	191	flags ^= f;
	192	}
[53]	193	}
[76]	194
	195	/* Any remaining unknown flags are added at the end in hex. */
	196	if(flags != 0)
	197	sprintf(fo, "0x%.2X ", flags);
	198
	199	/* Chop off the last space if we've written anything to ret_val */
	200	if(fo != ret_val)
	201	fo[-1] = '\0';
	202
	203	return ret_val;
[53]	204	}
	205
	206
[78]	207	char* regfi_ace_perms2str(uint32 perms)
[53]	208	{
[76]	209	uint32 i, p;
	210	/* This is more than is needed by a fair margin. */
	211	char* ret_val = malloc(350*sizeof(char));
	212	char* r = ret_val;
	213
	214	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
	215	* For more information, see:
	216	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
	217	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
	218	*/
	219	static const char* perm_map[32] =
	220	{/* object-specific permissions (registry keys, in this case) */
	221	"QRY_VAL", /* KEY_QUERY_VALUE */
	222	"SET_VAL", /* KEY_SET_VALUE */
	223	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
	224	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
	225	"NOTIFY", /* KEY_NOTIFY */
	226	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
	227	NULL,
	228	NULL,
	229	"WOW64_64", /* KEY_WOW64_64KEY */
	230	"WOW64_32", /* KEY_WOW64_32KEY */
	231	NULL,
	232	NULL,
	233	NULL,
	234	NULL,
	235	NULL,
	236	NULL,
	237	/* standard access rights */
	238	"DELETE", /* DELETE */
	239	"R_CONT", /* READ_CONTROL */
	240	"W_DAC", /* WRITE_DAC */
	241	"W_OWNER", /* WRITE_OWNER */
	242	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
	243	NULL,
	244	NULL,
	245	NULL,
	246	/* other generic */
	247	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
	248	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
	249	NULL,
	250	NULL,
	251	"GEN_A", /* GENERIC_ALL */
	252	"GEN_X", /* GENERIC_EXECUTE */
	253	"GEN_W", /* GENERIC_WRITE */
	254	"GEN_R", /* GENERIC_READ */
	255	};
	256
	257
[53]	258	if(ret_val == NULL)
	259	return NULL;
	260
[76]	261	r[0] = '\0';
	262	for(i=0; i < 32; i++)
	263	{
	264	p = (1<<i);
	265	if((perms & p) && (perm_map[i] != NULL))
	266	{
	267	strcpy(r, perm_map[i]);
	268	r += strlen(perm_map[i]);
	269	*(r++) = ' ';
	270	perms ^= p;
	271	}
	272	}
	273
	274	/* Any remaining unknown permission bits are added at the end in hex. */
	275	if(perms != 0)
	276	sprintf(r, "0x%.8X ", perms);
[53]	277
[76]	278	/* Chop off the last space if we've written anything to ret_val */
	279	if(r != ret_val)
	280	r[-1] = '\0';
	281
[53]	282	return ret_val;
	283	}
	284
	285
[134]	286	char* regfi_sid2str(WINSEC_DOM_SID* sid)
[53]	287	{
[134]	288	uint32 i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
[53]	289	uint32 left = size;
	290	uint8 comps = sid->num_auths;
	291	char* ret_val = malloc(size);
	292
	293	if(ret_val == NULL)
	294	return NULL;
	295
[134]	296	if(comps > WINSEC_MAX_SUBAUTHS)
	297	comps = WINSEC_MAX_SUBAUTHS;
[53]	298
	299	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
	300
	301	for (i = 0; i < comps; i++)
	302	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
	303
	304	return ret_val;
	305	}
	306
	307
[134]	308	char* regfi_get_acl(WINSEC_ACL* acl)
[53]	309	{
	310	uint32 i, extra, size = 0;
	311	const char* type_str;
	312	char* flags_str;
	313	char* perms_str;
	314	char* sid_str;
[61]	315	char* ace_delim = "";
[53]	316	char* ret_val = NULL;
[61]	317	char* tmp_val = NULL;
	318	bool failed = false;
[53]	319	char field_delim = ':';
	320
[61]	321	for (i = 0; i < acl->num_aces && !failed; i++)
[53]	322	{
[134]	323	sid_str = regfi_sid2str(acl->aces[i]->trustee);
	324	type_str = regfi_ace_type2str(acl->aces[i]->type);
	325	perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask);
	326	flags_str = regfi_ace_flags2str(acl->aces[i]->flags);
[53]	327
[61]	328	if(flags_str != NULL && perms_str != NULL
	329	&& type_str != NULL && sid_str != NULL)
	330	{
	331	/* XXX: this is slow */
	332	extra = strlen(sid_str) + strlen(type_str)
[136]	333	+ strlen(perms_str) + strlen(flags_str) + 5;
[61]	334	tmp_val = realloc(ret_val, size+extra);
[53]	335
[61]	336	if(tmp_val == NULL)
	337	{
	338	free(ret_val);
[136]	339	ret_val = NULL;
[61]	340	failed = true;
	341	}
	342	else
	343	{
	344	ret_val = tmp_val;
	345	size += snprintf(ret_val+size, extra, "%s%s%c%s%c%s%c%s",
	346	ace_delim,sid_str,
	347	field_delim,type_str,
	348	field_delim,perms_str,
	349	field_delim,flags_str);
	350	ace_delim = "\|";
	351	}
	352	}
	353	else
	354	failed = true;
	355
	356	if(sid_str != NULL)
	357	free(sid_str);
	358	if(sid_str != NULL)
	359	free(perms_str);
	360	if(sid_str != NULL)
	361	free(flags_str);
[53]	362	}
	363
	364	return ret_val;
	365	}
	366
	367
[134]	368	char* regfi_get_sacl(WINSEC_DESC *sec_desc)
[53]	369	{
	370	if (sec_desc->sacl)
[78]	371	return regfi_get_acl(sec_desc->sacl);
[53]	372	else
	373	return NULL;
	374	}
	375
	376
[134]	377	char* regfi_get_dacl(WINSEC_DESC *sec_desc)
[53]	378	{
	379	if (sec_desc->dacl)
[78]	380	return regfi_get_acl(sec_desc->dacl);
[53]	381	else
	382	return NULL;
	383	}
	384
	385
[134]	386	char* regfi_get_owner(WINSEC_DESC *sec_desc)
[53]	387	{
[78]	388	return regfi_sid2str(sec_desc->owner_sid);
[53]	389	}
	390
	391
[134]	392	char* regfi_get_group(WINSEC_DESC *sec_desc)
[53]	393	{
[78]	394	return regfi_sid2str(sec_desc->grp_sid);
[53]	395	}
	396
	397
[101]	398	/*****************************************************************************
	399	* This function is just like read(2), except that it continues to
	400	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
	401	* regfi_read will attempt to read length bytes from fd and write them to buf.
	402	*
	403	* On success, 0 is returned. Upon failure, an errno code is returned.
	404	*
	405	* The number of bytes successfully read is returned through the length
	406	* parameter by reference. If both the return value and length parameter are
	407	* returned as 0, then EOF was encountered immediately
	408	*****************************************************************************/
	409	uint32 regfi_read(int fd, uint8* buf, uint32* length)
	410	{
	411	uint32 rsize = 0;
	412	uint32 rret = 0;
	413
	414	do
	415	{
	416	rret = read(fd, buf + rsize, *length - rsize);
	417	if(rret > 0)
	418	rsize += rret;
	419	}while(*length - rsize > 0
	420	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
	421
	422	*length = rsize;
	423	if (rret == -1 && errno != EINTR && errno != EAGAIN)
	424	return errno;
	425
	426	return 0;
	427	}
	428
	429
	430	/*****************************************************************************
	431	*
	432	*****************************************************************************/
[111]	433	bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len,
	434	uint32* cell_length, bool* unalloc)
[101]	435	{
	436	uint32 length;
	437	int32 raw_length;
	438	uint8 tmp[4];
	439
	440	if(lseek(fd, offset, SEEK_SET) == -1)
	441	return false;
	442
	443	length = 4;
	444	if((regfi_read(fd, tmp, &length) != 0) \|\| length != 4)
	445	return false;
	446	raw_length = IVALS(tmp, 0);
	447
	448	if(raw_length < 0)
	449	{
	450	(cell_length) = raw_length(-1);
	451	(*unalloc) = false;
	452	}
	453	else
	454	{
	455	(*cell_length) = raw_length;
	456	(*unalloc) = true;
	457	}
	458
[103]	459	if(*cell_length - 4 < hdr_len)
	460	return false;
	461
	462	if(hdr_len > 0)
	463	{
	464	length = hdr_len;
	465	if((regfi_read(fd, hdr, &length) != 0) \|\| length != hdr_len)
	466	return false;
	467	}
	468
[101]	469	return true;
	470	}
	471
	472
[30]	473	/*******************************************************************
[106]	474	* Given an offset and an hbin, is the offset within that hbin?
	475	* The offset is a virtual file offset.
	476	*******************************************************************/
[135]	477	static bool regfi_offset_in_hbin(REGFI_HBIN* hbin, uint32 offset)
[30]	478	{
[106]	479	if(!hbin)
[31]	480	return false;
[106]	481
	482	if((offset > hbin->first_hbin_off)
	483	&& (offset < (hbin->first_hbin_off + hbin->block_size)))
[31]	484	return true;
[30]	485
[31]	486	return false;
[30]	487	}
	488
	489
[106]	490
[30]	491	/*******************************************************************
[135]	492	* Provide a virtual offset and receive the correpsonding HBIN
[106]	493	* block for it. NULL if one doesn't exist.
	494	*******************************************************************/
[135]	495	REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32 offset)
[30]	496	{
[135]	497	return (REGFI_HBIN*)range_list_find_data(file->hbins, offset+REGFI_REGF_SIZE);
[30]	498	}
	499
	500
[139]	501
	502	/******************************************************************************
	503	******************************************************************************/
	504	REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32 offset,
	505	uint32 num_keys, uint32 max_size,
	506	bool strict)
[127]	507	{
[135]	508	REGFI_SUBKEY_LIST* ret_val;
[134]	509
[139]	510	ret_val = regfi_load_subkeylist_aux(file, offset, max_size, strict,
	511	REGFI_MAX_SUBKEY_DEPTH);
	512
	513	if(num_keys != ret_val->num_keys)
	514	{
	515	/* Not sure which should be authoritative, the number from the
	516	* NK record, or the number in the subkey list. Just emit a warning for
	517	* now if they don't match.
	518	*/
	519	regfi_add_message(file, REGFI_MSG_WARN, "Number of subkeys listed in parent"
	520	" (%d) did not match number found in subkey list/tree (%d)"
	521	" while parsing subkey list/tree at offset 0x%.8X.",
	522	num_keys, ret_val->num_keys, offset);
	523	}
	524
	525	return ret_val;
	526	}
	527
	528
	529	/******************************************************************************
	530	******************************************************************************/
	531	REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32 offset,
	532	uint32 max_size, bool strict,
	533	uint8 depth_left)
	534	{
	535	REGFI_SUBKEY_LIST* ret_val;
	536	REGFI_SUBKEY_LIST** sublists;
	537	REGFI_HBIN* sublist_hbin;
	538	uint32 i, num_sublists, off, max_length;
	539
	540	if(depth_left == 0)
	541	{
	542	regfi_add_message(file, REGFI_MSG_WARN, "Maximum depth reached"
	543	" while parsing subkey list/tree at offset 0x%.8X.",
	544	offset);
[127]	545	return NULL;
[139]	546	}
[134]	547
[139]	548	ret_val = regfi_parse_subkeylist(file, offset, max_size, strict);
[134]	549	if(ret_val == NULL)
	550	return NULL;
[139]	551
	552	if(ret_val->recursive_type)
[127]	553	{
[139]	554	num_sublists = ret_val->num_children;
	555	sublists = (REGFI_SUBKEY_LIST**)zalloc(num_sublists
	556	* sizeof(REGFI_SUBKEY_LIST*));
	557	for(i=0; i < num_sublists; i++)
[127]	558	{
[139]	559	off = ret_val->elements[i].offset + REGFI_REGF_SIZE;
	560	sublist_hbin = regfi_lookup_hbin(file, ret_val->elements[i].offset);
	561	if(sublist_hbin == NULL)
	562	sublists[i] = NULL;
	563	else
	564	{
	565	max_length = sublist_hbin->block_size + sublist_hbin->file_off - off;
	566	sublists[i] = regfi_load_subkeylist_aux(file, off, max_length, strict,
	567	depth_left-1);
	568	}
[127]	569	}
[139]	570	free(ret_val);
[134]	571
[139]	572	return regfi_merge_subkeylists(num_sublists, sublists, strict);
[127]	573	}
[30]	574
[127]	575	return ret_val;
	576	}
	577
	578
[139]	579	/******************************************************************************
	580	******************************************************************************/
	581	REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32 offset,
	582	uint32 max_size, bool strict)
[30]	583	{
[135]	584	REGFI_SUBKEY_LIST* ret_val;
[139]	585	uint32 i, cell_length, length, elem_size;
	586	uint8* elements;
[127]	587	uint8 buf[REGFI_SUBKEY_LIST_MIN_LEN];
[104]	588	bool unalloc;
[139]	589	bool recursive_type;
[30]	590
[127]	591	if(!regfi_parse_cell(file->fd, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN,
[104]	592	&cell_length, &unalloc))
[139]	593	{
	594	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while "
	595	"parsing subkey-list at offset 0x%.8X.", offset);
[104]	596	return NULL;
[139]	597	}
[30]	598
[116]	599	if(cell_length > max_size)
	600	{
[139]	601	regfi_add_message(file, REGFI_MSG_WARN, "Cell size longer than max_size"
	602	" while parsing subkey-list at offset 0x%.8X.", offset);
[116]	603	if(strict)
	604	return NULL;
	605	cell_length = max_size & 0xFFFFFFF8;
	606	}
[30]	607
[139]	608	recursive_type = false;
[127]	609	if(buf[0] == 'r' && buf[1] == 'i')
[104]	610	{
[139]	611	recursive_type = true;
	612	elem_size = sizeof(uint32);
[104]	613	}
[139]	614	else if(buf[0] == 'l' && buf[1] == 'i')
[134]	615	elem_size = sizeof(uint32);
	616	else if((buf[0] == 'l') && (buf[1] == 'f' \|\| buf[1] == 'h'))
[135]	617	elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM);
[134]	618	else
	619	{
[139]	620	regfi_add_message(file, REGFI_MSG_ERROR, "Unknown magic number"
	621	" (0x%.2X, 0x%.2X) encountered while parsing"
	622	" subkey-list at offset 0x%.8X.", buf[0], buf[1], offset);
[134]	623	return NULL;
	624	}
	625
[135]	626	ret_val = (REGFI_SUBKEY_LIST*)zalloc(sizeof(REGFI_SUBKEY_LIST));
[127]	627	if(ret_val == NULL)
	628	return NULL;
	629
	630	ret_val->offset = offset;
	631	ret_val->cell_size = cell_length;
[104]	632	ret_val->magic[0] = buf[0];
	633	ret_val->magic[1] = buf[1];
[139]	634	ret_val->recursive_type = recursive_type;
	635	ret_val->num_children = SVAL(buf, 0x2);
[101]	636
[139]	637	if(!recursive_type)
	638	ret_val->num_keys = ret_val->num_children;
[101]	639
[139]	640	length = elem_size*ret_val->num_children;
	641	if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32) < length)
[134]	642	{
[139]	643	regfi_add_message(file, REGFI_MSG_WARN, "Number of elements too large for"
	644	" cell while parsing subkey-list at offset 0x%.8X.",
	645	offset);
	646	if(strict)
	647	{
	648	free(ret_val);
	649	return NULL;
	650	}
	651	length = cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32);
[134]	652	}
[30]	653
[134]	654	ret_val->elements
[139]	655	= (REGFI_SUBKEY_LIST_ELEM*)zalloc(ret_val->num_children
	656	* sizeof(REGFI_SUBKEY_LIST_ELEM));
[127]	657	if(ret_val->elements == NULL)
[104]	658	{
	659	free(ret_val);
	660	return NULL;
[31]	661	}
[30]	662
[139]	663	elements = (uint8*)zalloc(length);
	664	if(elements == NULL)
[104]	665	{
[127]	666	free(ret_val->elements);
[104]	667	free(ret_val);
	668	return NULL;
[31]	669	}
[30]	670
[139]	671	if(regfi_read(file->fd, elements, &length) != 0
	672	\|\| length != elem_size*ret_val->num_children)
[104]	673	{
[127]	674	free(ret_val->elements);
[104]	675	free(ret_val);
	676	return NULL;
	677	}
[30]	678
[139]	679	if(elem_size == sizeof(uint32))
[104]	680	{
[139]	681	for (i=0; i < ret_val->num_children; i++)
[134]	682	{
[139]	683	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
[134]	684	ret_val->elements[i].hash = 0;
	685	}
[104]	686	}
[134]	687	else
	688	{
[139]	689	for (i=0; i < ret_val->num_children; i++)
[134]	690	{
[139]	691	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
	692	ret_val->elements[i].hash = IVAL(elements, i*elem_size+4);
[134]	693	}
	694	}
[139]	695	free(elements);
[30]	696
[104]	697	return ret_val;
[30]	698	}
	699
	700
[139]	701	/*******************************************************************
	702	*******************************************************************/
	703	REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16 num_lists,
	704	REGFI_SUBKEY_LIST** lists,
	705	bool strict)
	706	{
	707	uint32 i,j,k;
	708	REGFI_SUBKEY_LIST* ret_val;
[102]	709
[139]	710	if(lists == NULL)
	711	return NULL;
	712	ret_val = (REGFI_SUBKEY_LIST*)zalloc(sizeof(REGFI_SUBKEY_LIST));
	713
	714	if(ret_val == NULL)
	715	return NULL;
	716
	717	/* Obtain total number of elements */
	718	ret_val->num_keys = 0;
	719	for(i=0; i < num_lists; i++)
	720	{
	721	if(lists[i] != NULL)
	722	ret_val->num_keys += lists[i]->num_children;
	723	}
	724	ret_val->num_children = ret_val->num_keys;
	725
	726	if(ret_val->num_keys > 0)
	727	{
	728	ret_val->elements =
	729	(REGFI_SUBKEY_LIST_ELEM*)zalloc(sizeof(REGFI_SUBKEY_LIST_ELEM)
	730	* ret_val->num_keys);
	731	k=0;
	732
	733	if(ret_val->elements != NULL)
	734	{
	735	for(i=0; i < num_lists; i++)
	736	{
	737	if(lists[i] != NULL)
	738	{
	739	for(j=0; j < lists[i]->num_keys; j++)
	740	{
	741	ret_val->elements[k].hash=lists[i]->elements[j].hash;
	742	ret_val->elements[k++].offset=lists[i]->elements[j].offset;
	743	}
	744	}
	745	}
	746	}
	747	}
	748
	749	for(i=0; i < num_lists; i++)
	750	regfi_subkeylist_free(lists[i]);
	751	free(lists);
	752
	753	return ret_val;
	754	}
	755
	756
[30]	757	/*******************************************************************
[31]	758	*******************************************************************/
[135]	759	REGFI_SK_REC* regfi_parse_sk(REGFI_FILE* file, uint32 offset, uint32 max_size, bool strict)
[30]	760	{
[135]	761	REGFI_SK_REC* ret_val;
[134]	762	uint8* sec_desc_buf;
[102]	763	uint32 cell_length, length;
[134]	764	/prs_struct ps;/
[102]	765	uint8 sk_header[REGFI_SK_MIN_LENGTH];
	766	bool unalloc = false;
[30]	767
[102]	768	if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH,
	769	&cell_length, &unalloc))
[137]	770	{
[138]	771	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse SK record cell"
[137]	772	" at offset 0x%.8X.", offset);
[102]	773	return NULL;
[137]	774	}
[102]	775
	776	if(sk_header[0] != 's' \|\| sk_header[1] != 'k')
[137]	777	{
[138]	778	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
	779	" SK record at offset 0x%.8X.", offset);
[102]	780	return NULL;
[137]	781	}
	782
[135]	783	ret_val = (REGFI_SK_REC*)zalloc(sizeof(REGFI_SK_REC));
[102]	784	if(ret_val == NULL)
	785	return NULL;
[30]	786
[102]	787	ret_val->offset = offset;
[116]	788	/* XXX: Is there a way to be more conservative (shorter) with
	789	* cell length when cell is unallocated?
[111]	790	*/
[102]	791	ret_val->cell_size = cell_length;
[30]	792
[102]	793	if(ret_val->cell_size > max_size)
	794	ret_val->cell_size = max_size & 0xFFFFFFF8;
	795	if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
	796	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
	797	{
[138]	798	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size found while"
	799	" parsing SK record at offset 0x%.8X.", offset);
[102]	800	free(ret_val);
	801	return NULL;
	802	}
[30]	803
[102]	804	ret_val->magic[0] = sk_header[0];
	805	ret_val->magic[1] = sk_header[1];
[30]	806
[102]	807	ret_val->unknown_tag = SVAL(sk_header, 0x2);
	808	ret_val->prev_sk_off = IVAL(sk_header, 0x4);
	809	ret_val->next_sk_off = IVAL(sk_header, 0x8);
	810	ret_val->ref_count = IVAL(sk_header, 0xC);
	811	ret_val->desc_size = IVAL(sk_header, 0x10);
[30]	812
[140]	813	if(ret_val->prev_sk_off != (ret_val->prev_sk_off & 0xFFFFFFF8)
	814	\|\| ret_val->next_sk_off != (ret_val->next_sk_off & 0xFFFFFFF8))
	815	{
	816	regfi_add_message(file, REGFI_MSG_WARN, "SK record's next/previous offsets"
	817	" are not a multiple of 8 while parsing SK record at"
	818	" offset 0x%.8X.", offset);
	819	free(ret_val);
	820	return NULL;
	821	}
	822
[102]	823	if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
	824	{
[140]	825	regfi_add_message(file, REGFI_MSG_WARN, "Security descriptor too large for"
[138]	826	" cell while parsing SK record at offset 0x%.8X.",
	827	offset);
[102]	828	free(ret_val);
	829	return NULL;
	830	}
[30]	831
[134]	832	sec_desc_buf = (uint8*)zalloc(ret_val->desc_size);
	833	if(ret_val == NULL)
[102]	834	{
	835	free(ret_val);
	836	return NULL;
	837	}
	838
[134]	839	length = ret_val->desc_size;
	840	if(regfi_read(file->fd, sec_desc_buf, &length) != 0
	841	\|\| length != ret_val->desc_size)
	842	{
[138]	843	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read security"
	844	" descriptor while parsing SK record at offset 0x%.8X.",
	845	offset);
[134]	846	free(ret_val);
	847	return NULL;
	848	}
[102]	849
[134]	850	if(!(ret_val->sec_desc = winsec_parse_desc(sec_desc_buf, ret_val->desc_size)))
	851	{
[138]	852	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to parse security"
	853	" descriptor while parsing SK record at offset 0x%.8X.",
	854	offset);
[134]	855	free(sec_desc_buf);
	856	free(ret_val);
	857	return NULL;
	858	}
	859	free(sec_desc_buf);
	860
	861
[102]	862	return ret_val;
[30]	863	}
	864
	865
[135]	866	uint32* regfi_parse_valuelist(REGFI_FILE* file, uint32 offset,
[111]	867	uint32 num_values, bool strict)
	868	{
	869	uint32* ret_val;
	870	uint32 i, cell_length, length, read_len;
	871	bool unalloc;
[30]	872
[111]	873	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
[137]	874	{
[138]	875	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read cell header"
[137]	876	" while parsing value list at offset 0x%.8X.", offset);
[111]	877	return NULL;
[137]	878	}
[111]	879
	880	if(cell_length != (cell_length & 0xFFFFFFF8))
	881	{
	882	if(strict)
	883	return NULL;
	884	cell_length = cell_length & 0xFFFFFFF8;
	885	}
	886	if((num_values * sizeof(uint32)) > cell_length-sizeof(uint32))
[137]	887	{
[140]	888	regfi_add_message(file, REGFI_MSG_WARN, "Too many values found"
[137]	889	" while parsing value list at offset 0x%.8X.", offset);
[140]	890	/* XXX: During non-strict, should reduce num_values appropriately and
	891	* continue instead of bailing out.
	892	*/
[111]	893	return NULL;
[137]	894	}
[111]	895
	896	read_len = num_values*sizeof(uint32);
	897	ret_val = (uint32*)malloc(read_len);
	898	if(ret_val == NULL)
	899	return NULL;
	900
	901	length = read_len;
	902	if((regfi_read(file->fd, (uint8*)ret_val, &length) != 0) \|\| length != read_len)
	903	{
[138]	904	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read value pointers"
[137]	905	" while parsing value list at offset 0x%.8X.", offset);
[111]	906	free(ret_val);
	907	return NULL;
	908	}
	909
	910	for(i=0; i < num_values; i++)
	911	{
	912	/* Fix endianness */
	913	ret_val[i] = IVAL(&ret_val[i], 0);
	914
	915	/* Validate the first num_values values to ensure they make sense */
	916	if(strict)
	917	{
[135]	918	if((ret_val[i] + REGFI_REGF_SIZE > file->file_length)
[111]	919	\|\| ((ret_val[i] & 0xFFFFFFF8) != ret_val[i]))
	920	{
[138]	921	regfi_add_message(file, REGFI_MSG_ERROR, "Invalid value pointer"
	922	" (0x%.8X) found while parsing value list at offset"
	923	" 0x%.8X.", ret_val[i], offset);
[111]	924	free(ret_val);
	925	return NULL;
	926	}
	927	}
	928	}
	929
	930	return ret_val;
	931	}
	932
	933
	934
[103]	935	/******************************************************************************
[116]	936	* If !strict, the list may contain NULLs, VK records may point to NULL.
[103]	937	******************************************************************************/
[135]	938	REGFI_VK_REC** regfi_load_valuelist(REGFI_FILE* file, uint32 offset,
[105]	939	uint32 num_values, uint32 max_size,
	940	bool strict)
[30]	941	{
[135]	942	REGFI_VK_REC** ret_val;
	943	REGFI_HBIN* hbin;
[116]	944	uint32 i, vk_offset, vk_max_length, usable_num_values;
[111]	945	uint32* voffsets;
[30]	946
[111]	947	if((num_values+1) * sizeof(uint32) > max_size)
[116]	948	{
	949	if(strict)
	950	return NULL;
	951	usable_num_values = max_size/sizeof(uint32) - sizeof(uint32);
	952	}
	953	else
	954	usable_num_values = num_values;
[103]	955
[116]	956	voffsets = regfi_parse_valuelist(file, offset, usable_num_values, strict);
[111]	957	if(voffsets == NULL)
[103]	958	return NULL;
[30]	959
[136]	960	ret_val = (REGFI_VK_REC*)zalloc(sizeof(REGFI_VK_REC) * usable_num_values);
[103]	961	if(ret_val == NULL)
	962	{
[111]	963	free(voffsets);
[103]	964	return NULL;
[31]	965	}
[103]	966
[116]	967	for(i=0; i < usable_num_values; i++)
[32]	968	{
[111]	969	hbin = regfi_lookup_hbin(file, voffsets[i]);
	970	if(!hbin)
[32]	971	{
[111]	972	free(voffsets);
[103]	973	free(ret_val);
	974	return NULL;
[31]	975	}
[133]	976
[135]	977	vk_offset = voffsets[i] + REGFI_REGF_SIZE;
[131]	978	vk_max_length = hbin->block_size + hbin->file_off - vk_offset;
[111]	979	ret_val[i] = regfi_parse_vk(file, vk_offset, vk_max_length, strict);
[103]	980	if(ret_val[i] == NULL)
[111]	981	{ /* If we're being strict, throw out the whole list.
	982	* Otherwise, let it be NULL.
	983	*/
	984	if(strict)
	985	{
	986	free(voffsets);
	987	free(ret_val);
	988	return NULL;
	989	}
[103]	990	}
[31]	991	}
[30]	992
[111]	993	free(voffsets);
[103]	994	return ret_val;
[30]	995	}
	996
	997
	998
	999	/*******************************************************************
[116]	1000	* XXX: Need to add full key caching using a
	1001	* custom cache structure.
[31]	1002	*******************************************************************/
[135]	1003	REGFI_NK_REC* regfi_load_key(REGFI_FILE* file, uint32 offset, bool strict)
[30]	1004	{
[135]	1005	REGFI_HBIN* hbin;
	1006	REGFI_HBIN* sub_hbin;
	1007	REGFI_NK_REC* nk;
[105]	1008	uint32 max_length, off;
[99]	1009
[135]	1010	hbin = regfi_lookup_hbin(file, offset-REGFI_REGF_SIZE);
[105]	1011	if (hbin == NULL)
	1012	return NULL;
[30]	1013
[31]	1014	/* get the initial nk record */
[105]	1015	max_length = hbin->block_size + hbin->file_off - offset;
	1016	if ((nk = regfi_parse_nk(file, offset, max_length, true)) == NULL)
[135]	1017	{
[138]	1018	regfi_add_message(file, REGFI_MSG_ERROR, "Could not load NK record at"
[137]	1019	" offset 0x%.8X.", offset);
[99]	1020	return NULL;
[135]	1021	}
[30]	1022
[31]	1023	/* fill in values */
[135]	1024	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
[32]	1025	{
[31]	1026	sub_hbin = hbin;
[106]	1027	if(!regfi_offset_in_hbin(hbin, nk->values_off))
	1028	sub_hbin = regfi_lookup_hbin(file, nk->values_off);
[105]	1029
	1030	if(sub_hbin == NULL)
[32]	1031	{
[105]	1032	if(strict)
[32]	1033	{
[105]	1034	free(nk);
[99]	1035	return NULL;
[31]	1036	}
[105]	1037	else
	1038	nk->values = NULL;
[133]	1039
[31]	1040	}
[105]	1041	else
[103]	1042	{
[135]	1043	off = nk->values_off + REGFI_REGF_SIZE;
[105]	1044	max_length = sub_hbin->block_size + sub_hbin->file_off - off;
	1045	nk->values = regfi_load_valuelist(file, off, nk->num_values, max_length,
	1046	true);
	1047	if(strict && nk->values == NULL)
	1048	{
[138]	1049	regfi_add_message(file, REGFI_MSG_ERROR, "Could not load value list"
[137]	1050	" for NK record at offset 0x%.8X.",
[135]	1051	offset);
[105]	1052	free(nk);
	1053	return NULL;
	1054	}
[133]	1055
[103]	1056	}
[31]	1057	}
[105]	1058
[31]	1059	/* now get subkeys */
[135]	1060	if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE))
[32]	1061	{
[31]	1062	sub_hbin = hbin;
[106]	1063	if(!regfi_offset_in_hbin(hbin, nk->subkeys_off))
	1064	sub_hbin = regfi_lookup_hbin(file, nk->subkeys_off);
[105]	1065
	1066	if (sub_hbin == NULL)
[32]	1067	{
[105]	1068	if(strict)
[32]	1069	{
[116]	1070	regfi_key_free(nk);
[99]	1071	return NULL;
[31]	1072	}
[105]	1073	else
	1074	nk->subkeys = NULL;
[31]	1075	}
[105]	1076	else
[104]	1077	{
[135]	1078	off = nk->subkeys_off + REGFI_REGF_SIZE;
[105]	1079	max_length = sub_hbin->block_size + sub_hbin->file_off - off;
[134]	1080	nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys,
[127]	1081	max_length, true);
[134]	1082
[105]	1083	if(nk->subkeys == NULL)
	1084	{
[140]	1085	regfi_add_message(file, REGFI_MSG_WARN, "Could not load subkey list"
	1086	" while parsing NK record at offset 0x%.8X.", offset);
[105]	1087	nk->num_subkeys = 0;
	1088	}
[104]	1089	}
[31]	1090	}
[30]	1091
[99]	1092	return nk;
[30]	1093	}
	1094
[32]	1095
[102]	1096	/******************************************************************************
	1097	******************************************************************************/
[135]	1098	static bool regfi_find_root_nk(REGFI_FILE* file, uint32 offset, uint32 hbin_size,
[102]	1099	uint32* root_offset)
[30]	1100	{
[102]	1101	uint8 tmp[4];
	1102	int32 record_size;
	1103	uint32 length, hbin_offset = 0;
[135]	1104	REGFI_NK_REC* nk = NULL;
[31]	1105	bool found = false;
[30]	1106
[102]	1107	for(record_size=0; !found && (hbin_offset < hbin_size); )
[32]	1108	{
[102]	1109	if(lseek(file->fd, offset+hbin_offset, SEEK_SET) == -1)
[31]	1110	return false;
[102]	1111
	1112	length = 4;
	1113	if((regfi_read(file->fd, tmp, &length) != 0) \|\| length != 4)
[31]	1114	return false;
[102]	1115	record_size = IVALS(tmp, 0);
[30]	1116
[102]	1117	if(record_size < 0)
	1118	{
	1119	record_size = record_size*(-1);
	1120	nk = regfi_parse_nk(file, offset+hbin_offset, hbin_size-hbin_offset, true);
	1121	if(nk != NULL)
	1122	{
[135]	1123	if((nk->key_type == REGFI_NK_TYPE_ROOTKEY1)
	1124	\|\| (nk->key_type == REGFI_NK_TYPE_ROOTKEY2))
[102]	1125	{
	1126	found = true;
	1127	*root_offset = nk->offset;
	1128	}
	1129	free(nk);
	1130	}
[31]	1131	}
[30]	1132
[102]	1133	hbin_offset += record_size;
[31]	1134	}
[32]	1135
[102]	1136	return found;
[30]	1137	}
	1138
	1139
	1140	/*******************************************************************
[97]	1141	* Open the registry file and then read in the REGF block to get the
	1142	* first hbin offset.
	1143	*******************************************************************/
[135]	1144	REGFI_FILE* regfi_open(const char* filename)
[30]	1145	{
[137]	1146	struct stat sbuf;
[135]	1147	REGFI_FILE* rb;
	1148	REGFI_HBIN* hbin = NULL;
[137]	1149	uint32 hbin_off, file_length;
[97]	1150	int fd;
[110]	1151	bool rla;
[30]	1152
[97]	1153	/* open an existing file */
[107]	1154	if ((fd = open(filename, O_RDONLY)) == -1)
[97]	1155	{
[78]	1156	/* DEBUG(0,("regfi_open: failure to open %s (%s)\n", filename, strerror(errno)));*/
[31]	1157	return NULL;
	1158	}
[99]	1159
[137]	1160	/* Determine file length. Must be at least big enough
	1161	* for the header and one hbin.
	1162	*/
	1163	if (fstat(fd, &sbuf) == -1)
	1164	return NULL;
	1165	file_length = sbuf.st_size;
	1166	if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC)
	1167	return NULL;
	1168
[31]	1169	/* read in an existing file */
[97]	1170	if ((rb = regfi_parse_regf(fd, true)) == NULL)
	1171	{
[78]	1172	/* DEBUG(0,("regfi_open: Failed to read initial REGF block\n"));*/
[97]	1173	close(fd);
[31]	1174	return NULL;
	1175	}
[137]	1176	rb->file_length = file_length;
	1177
[99]	1178	rb->hbins = range_list_new();
[110]	1179	if(rb->hbins == NULL)
[99]	1180	{
[106]	1181	range_list_free(rb->hbins);
[99]	1182	close(fd);
	1183	free(rb);
	1184	return NULL;
	1185	}
[108]	1186
[106]	1187	rla = true;
[135]	1188	hbin_off = REGFI_REGF_SIZE;
[110]	1189	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1190	while(hbin && rla)
	1191	{
[137]	1192	rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
[106]	1193	hbin_off = hbin->file_off + hbin->block_size;
[110]	1194	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1195	}
	1196
[138]	1197	/* Default message mask */
	1198	rb->msg_mask = REGFI_MSG_ERROR\|REGFI_MSG_WARN;
	1199
[31]	1200	/* success */
	1201	return rb;
[30]	1202	}
	1203
	1204
	1205	/*******************************************************************
[31]	1206	*******************************************************************/
[135]	1207	int regfi_close( REGFI_FILE *file )
[30]	1208	{
[31]	1209	int fd;
[106]	1210	uint32 i;
[30]	1211
[31]	1212	/* nothing to do if there is no open file */
[99]	1213	if ((file == NULL) \|\| (file->fd == -1))
	1214	return 0;
[30]	1215
[31]	1216	fd = file->fd;
	1217	file->fd = -1;
[106]	1218	for(i=0; i < range_list_size(file->hbins); i++)
	1219	free(range_list_get(file->hbins, i)->data);
[99]	1220	range_list_free(file->hbins);
[106]	1221
[99]	1222	free(file);
[30]	1223
[106]	1224	return close(fd);
[30]	1225	}
	1226
	1227
[80]	1228	/******************************************************************************
	1229	* There should be only one root key in the registry file based
	1230	* on my experience. --jerry
	1231	*****************************************************************************/
[135]	1232	REGFI_NK_REC* regfi_rootkey(REGFI_FILE *file)
[30]	1233	{
[135]	1234	REGFI_NK_REC* nk = NULL;
	1235	REGFI_HBIN* hbin;
[107]	1236	uint32 root_offset, i, num_hbins;
[99]	1237
	1238	if(!file)
[31]	1239	return NULL;
[99]	1240
[102]	1241	/* Scan through the file one HBIN block at a time looking
[31]	1242	for an NK record with a type == 0x002c.
	1243	Normally this is the first nk record in the first hbin
	1244	block (but I'm not assuming that for now) */
[102]	1245
[107]	1246	num_hbins = range_list_size(file->hbins);
	1247	for(i=0; i < num_hbins; i++)
[99]	1248	{
[135]	1249	hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data;
	1250	if(regfi_find_root_nk(file, hbin->file_off+REGFI_HBIN_HEADER_SIZE,
	1251	hbin->block_size-REGFI_HBIN_HEADER_SIZE, &root_offset))
[99]	1252	{
[105]	1253	nk = regfi_load_key(file, root_offset, true);
[102]	1254	break;
[31]	1255	}
	1256	}
[30]	1257
[80]	1258	return nk;
[30]	1259	}
	1260
	1261
[80]	1262	/******************************************************************************
	1263	*****************************************************************************/
[135]	1264	void regfi_key_free(REGFI_NK_REC* nk)
[30]	1265	{
[80]	1266	uint32 i;
	1267
[135]	1268	if((nk->values != NULL) && (nk->values_off!=REGFI_OFFSET_NONE))
[80]	1269	{
	1270	for(i=0; i < nk->num_values; i++)
[81]	1271	{
[101]	1272	if(nk->values[i]->valuename != NULL)
	1273	free(nk->values[i]->valuename);
	1274	if(nk->values[i]->data != NULL)
	1275	free(nk->values[i]->data);
	1276	free(nk->values[i]);
[81]	1277	}
[80]	1278	free(nk->values);
	1279	}
[30]	1280
[127]	1281	regfi_subkeylist_free(nk->subkeys);
	1282
[80]	1283	if(nk->keyname != NULL)
	1284	free(nk->keyname);
	1285	if(nk->classname != NULL)
	1286	free(nk->classname);
	1287
	1288	/* XXX: not freeing sec_desc because these are cached. This needs to be reviewed. */
	1289	free(nk);
	1290	}
	1291
	1292
	1293	/******************************************************************************
	1294	*****************************************************************************/
[135]	1295	void regfi_subkeylist_free(REGFI_SUBKEY_LIST* list)
[127]	1296	{
	1297	if(list != NULL)
	1298	{
	1299	free(list->elements);
	1300	free(list);
	1301	}
	1302	}
	1303
	1304
	1305	/******************************************************************************
	1306	*****************************************************************************/
[135]	1307	REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* fh)
[80]	1308	{
[135]	1309	REGFI_NK_REC* root;
[80]	1310	REGFI_ITERATOR* ret_val = (REGFI_ITERATOR*)malloc(sizeof(REGFI_ITERATOR));
	1311	if(ret_val == NULL)
	1312	return NULL;
	1313
[81]	1314	root = regfi_rootkey(fh);
[80]	1315	if(root == NULL)
	1316	{
	1317	free(ret_val);
	1318	return NULL;
	1319	}
	1320
[135]	1321	ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH);
[80]	1322	if(ret_val->key_positions == NULL)
	1323	{
	1324	free(ret_val);
	1325	free(root);
	1326	return NULL;
	1327	}
	1328
[116]	1329	/* This secret isn't very secret, but we don't need a good one. This
	1330	* secret is just designed to prevent someone from trying to blow our
	1331	* caching and make things slow.
	1332	*/
	1333	ret_val->sk_recs = lru_cache_create(127, 0x15DEAD05^time(NULL)
	1334	^(getpid()<<16)^(getppid()<<8),
	1335	true);
[109]	1336
[80]	1337	ret_val->f = fh;
	1338	ret_val->cur_key = root;
	1339	ret_val->cur_subkey = 0;
	1340	ret_val->cur_value = 0;
	1341
	1342	return ret_val;
	1343	}
	1344
	1345
	1346	/******************************************************************************
	1347	*****************************************************************************/
	1348	void regfi_iterator_free(REGFI_ITERATOR* i)
	1349	{
	1350	REGFI_ITER_POSITION* cur;
	1351
	1352	if(i->cur_key != NULL)
	1353	regfi_key_free(i->cur_key);
	1354
	1355	while((cur = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions)) != NULL)
	1356	{
	1357	regfi_key_free(cur->nk);
	1358	free(cur);
	1359	}
	1360
[109]	1361	lru_cache_destroy(i->sk_recs);
	1362
[80]	1363	free(i);
	1364	}
	1365
	1366
	1367
	1368	/******************************************************************************
	1369	*****************************************************************************/
	1370	/* XXX: some way of indicating reason for failure should be added. */
	1371	bool regfi_iterator_down(REGFI_ITERATOR* i)
	1372	{
[135]	1373	REGFI_NK_REC* subkey;
[80]	1374	REGFI_ITER_POSITION* pos;
	1375
	1376	pos = (REGFI_ITER_POSITION*)malloc(sizeof(REGFI_ITER_POSITION));
	1377	if(pos == NULL)
	1378	return false;
	1379
[135]	1380	subkey = (REGFI_NK_REC*)regfi_iterator_cur_subkey(i);
[80]	1381	if(subkey == NULL)
	1382	{
	1383	free(pos);
	1384	return false;
	1385	}
	1386
	1387	pos->nk = i->cur_key;
	1388	pos->cur_subkey = i->cur_subkey;
	1389	if(!void_stack_push(i->key_positions, pos))
	1390	{
	1391	free(pos);
	1392	regfi_key_free(subkey);
	1393	return false;
	1394	}
	1395
	1396	i->cur_key = subkey;
	1397	i->cur_subkey = 0;
	1398	i->cur_value = 0;
	1399
	1400	return true;
	1401	}
	1402
	1403
	1404	/******************************************************************************
	1405	*****************************************************************************/
	1406	bool regfi_iterator_up(REGFI_ITERATOR* i)
	1407	{
	1408	REGFI_ITER_POSITION* pos;
	1409
	1410	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
	1411	if(pos == NULL)
	1412	return false;
	1413
	1414	regfi_key_free(i->cur_key);
	1415	i->cur_key = pos->nk;
	1416	i->cur_subkey = pos->cur_subkey;
	1417	i->cur_value = 0;
	1418	free(pos);
	1419
	1420	return true;
	1421	}
	1422
	1423
	1424	/******************************************************************************
	1425	*****************************************************************************/
	1426	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
	1427	{
	1428	while(regfi_iterator_up(i))
	1429	continue;
	1430
	1431	return true;
	1432	}
	1433
	1434
	1435	/******************************************************************************
	1436	*****************************************************************************/
	1437	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
	1438	{
[135]	1439	REGFI_NK_REC* subkey;
[80]	1440	bool found = false;
	1441	uint32 old_subkey = i->cur_subkey;
[133]	1442
[80]	1443	if(subkey_name == NULL)
	1444	return false;
	1445
	1446	/* XXX: this alloc/free of each sub key might be a bit excessive */
[135]	1447	subkey = (REGFI_NK_REC*)regfi_iterator_first_subkey(i);
[80]	1448	while((subkey != NULL) && (found == false))
	1449	{
	1450	if(subkey->keyname != NULL
	1451	&& strcasecmp(subkey->keyname, subkey_name) == 0)
	1452	found = true;
[82]	1453	else
	1454	{
	1455	regfi_key_free(subkey);
[135]	1456	subkey = (REGFI_NK_REC*)regfi_iterator_next_subkey(i);
[82]	1457	}
[80]	1458	}
	1459
	1460	if(found == false)
	1461	{
	1462	i->cur_subkey = old_subkey;
	1463	return false;
	1464	}
	1465
[82]	1466	regfi_key_free(subkey);
[80]	1467	return true;
	1468	}
	1469
	1470
	1471	/******************************************************************************
	1472	*****************************************************************************/
	1473	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
	1474	{
	1475	uint32 x;
	1476	if(path == NULL)
	1477	return false;
	1478
	1479	for(x=0;
	1480	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
	1481	&& regfi_iterator_down(i));
	1482	x++)
	1483	{ continue; }
	1484
	1485	if(path[x] == NULL)
	1486	return true;
	1487
	1488	/* XXX: is this the right number of times? */
	1489	for(; x > 0; x--)
	1490	regfi_iterator_up(i);
	1491
	1492	return false;
	1493	}
	1494
	1495
	1496	/******************************************************************************
	1497	*****************************************************************************/
[135]	1498	const REGFI_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]	1499	{
	1500	return i->cur_key;
	1501	}
	1502
	1503
	1504	/******************************************************************************
	1505	*****************************************************************************/
[135]	1506	const REGFI_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i)
[109]	1507	{
[136]	1508	REGFI_SK_REC* ret_val = NULL;
[135]	1509	REGFI_HBIN* hbin;
[109]	1510	uint32 max_length, off;
	1511
	1512	if(i->cur_key == NULL)
	1513	return NULL;
	1514
	1515	/* First look if we have already parsed it */
[135]	1516	if((i->cur_key->sk_off!=REGFI_OFFSET_NONE)
	1517	&& !(ret_val =(REGFI_SK_REC*)lru_cache_find(i->sk_recs,
[109]	1518	&i->cur_key->sk_off, 4)))
	1519	{
	1520	hbin = regfi_lookup_hbin(i->f, i->cur_key->sk_off);
	1521
	1522	if(hbin == NULL)
	1523	return NULL;
	1524
[135]	1525	off = i->cur_key->sk_off + REGFI_REGF_SIZE;
[109]	1526	max_length = hbin->block_size + hbin->file_off - off;
	1527	ret_val = regfi_parse_sk(i->f, off, max_length, true);
	1528	if(ret_val == NULL)
	1529	return NULL;
	1530
	1531	ret_val->sk_off = i->cur_key->sk_off;
	1532	lru_cache_update(i->sk_recs, &i->cur_key->sk_off, 4, ret_val);
	1533	}
	1534
	1535	return ret_val;
	1536	}
	1537
	1538
	1539
	1540	/******************************************************************************
	1541	*****************************************************************************/
[135]	1542	const REGFI_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]	1543	{
	1544	i->cur_subkey = 0;
	1545	return regfi_iterator_cur_subkey(i);
	1546	}
	1547
	1548
	1549	/******************************************************************************
	1550	*****************************************************************************/
[135]	1551	const REGFI_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]	1552	{
	1553	uint32 nk_offset;
	1554
[31]	1555	/* see if there is anything left to report */
[135]	1556	if (!(i->cur_key) \|\| (i->cur_key->subkeys_off==REGFI_OFFSET_NONE)
[80]	1557	\|\| (i->cur_subkey >= i->cur_key->num_subkeys))
[31]	1558	return NULL;
[30]	1559
[139]	1560	nk_offset = i->cur_key->subkeys->elements[i->cur_subkey].offset;
[133]	1561
[135]	1562	return regfi_load_key(i->f, nk_offset+REGFI_REGF_SIZE, true);
[30]	1563	}
[80]	1564
	1565
	1566	/******************************************************************************
	1567	*****************************************************************************/
	1568	/* XXX: some way of indicating reason for failure should be added. */
[135]	1569	const REGFI_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]	1570	{
[135]	1571	const REGFI_NK_REC* subkey;
[80]	1572
	1573	i->cur_subkey++;
	1574	subkey = regfi_iterator_cur_subkey(i);
	1575
	1576	if(subkey == NULL)
	1577	i->cur_subkey--;
	1578
	1579	return subkey;
	1580	}
	1581
	1582
	1583	/******************************************************************************
	1584	*****************************************************************************/
	1585	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
	1586	{
[135]	1587	const REGFI_VK_REC* cur;
[80]	1588	bool found = false;
	1589
	1590	/* XXX: cur->valuename can be NULL in the registry.
	1591	* Should we allow for a way to search for that?
	1592	*/
	1593	if(value_name == NULL)
	1594	return false;
	1595
	1596	cur = regfi_iterator_first_value(i);
	1597	while((cur != NULL) && (found == false))
	1598	{
	1599	if((cur->valuename != NULL)
	1600	&& (strcasecmp(cur->valuename, value_name) == 0))
	1601	found = true;
[95]	1602	else
	1603	cur = regfi_iterator_next_value(i);
[80]	1604	}
	1605
[94]	1606	return found;
[80]	1607	}
	1608
	1609
	1610	/******************************************************************************
	1611	*****************************************************************************/
[135]	1612	const REGFI_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]	1613	{
	1614	i->cur_value = 0;
	1615	return regfi_iterator_cur_value(i);
	1616	}
	1617
	1618
	1619	/******************************************************************************
	1620	*****************************************************************************/
[135]	1621	const REGFI_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]	1622	{
[135]	1623	REGFI_VK_REC* ret_val = NULL;
[80]	1624	if(i->cur_value < i->cur_key->num_values)
[101]	1625	ret_val = i->cur_key->values[i->cur_value];
[80]	1626
	1627	return ret_val;
	1628	}
	1629
	1630
	1631	/******************************************************************************
	1632	*****************************************************************************/
[135]	1633	const REGFI_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]	1634	{
[135]	1635	const REGFI_VK_REC* ret_val;
[80]	1636
	1637	i->cur_value++;
	1638	ret_val = regfi_iterator_cur_value(i);
	1639	if(ret_val == NULL)
	1640	i->cur_value--;
	1641
	1642	return ret_val;
	1643	}
[97]	1644
	1645
	1646
	1647	/*******************************************************************
	1648	* Computes the checksum of the registry file header.
	1649	* buffer must be at least the size of an regf header (4096 bytes).
	1650	*******************************************************************/
	1651	static uint32 regfi_compute_header_checksum(uint8* buffer)
	1652	{
	1653	uint32 checksum, x;
	1654	int i;
	1655
	1656	/* XOR of all bytes 0x0000 - 0x01FB */
	1657
	1658	checksum = x = 0;
	1659
	1660	for ( i=0; i<0x01FB; i+=4 ) {
	1661	x = IVAL(buffer, i );
	1662	checksum ^= x;
	1663	}
	1664
	1665	return checksum;
	1666	}
	1667
	1668
	1669	/*******************************************************************
[116]	1670	* XXX: Add way to return more detailed error information.
[97]	1671	*******************************************************************/
[135]	1672	REGFI_FILE* regfi_parse_regf(int fd, bool strict)
[97]	1673	{
[135]	1674	uint8 file_header[REGFI_REGF_SIZE];
[102]	1675	uint32 length;
[135]	1676	REGFI_FILE* ret_val;
[97]	1677
[135]	1678	ret_val = (REGFI_FILE*)zalloc(sizeof(REGFI_FILE));
[97]	1679	if(ret_val == NULL)
	1680	return NULL;
	1681
	1682	ret_val->fd = fd;
	1683
[135]	1684	length = REGFI_REGF_SIZE;
[102]	1685	if((regfi_read(fd, file_header, &length)) != 0
[135]	1686	\|\| length != REGFI_REGF_SIZE)
[97]	1687	{
	1688	free(ret_val);
	1689	return NULL;
	1690	}
	1691
	1692	ret_val->checksum = IVAL(file_header, 0x1FC);
	1693	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
	1694	if (strict && (ret_val->checksum != ret_val->computed_checksum))
	1695	{
	1696	free(ret_val);
	1697	return NULL;
	1698	}
	1699
[135]	1700	memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
	1701	if(strict && (memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0))
[97]	1702	{
	1703	free(ret_val);
	1704	return NULL;
	1705	}
	1706
	1707	ret_val->unknown1 = IVAL(file_header, 0x4);
	1708	ret_val->unknown2 = IVAL(file_header, 0x8);
	1709
	1710	ret_val->mtime.low = IVAL(file_header, 0xC);
	1711	ret_val->mtime.high = IVAL(file_header, 0x10);
	1712
	1713	ret_val->unknown3 = IVAL(file_header, 0x14);
	1714	ret_val->unknown4 = IVAL(file_header, 0x18);
	1715	ret_val->unknown5 = IVAL(file_header, 0x1C);
	1716	ret_val->unknown6 = IVAL(file_header, 0x20);
	1717
	1718	ret_val->data_offset = IVAL(file_header, 0x24);
	1719	ret_val->last_block = IVAL(file_header, 0x28);
	1720
	1721	ret_val->unknown7 = IVAL(file_header, 0x2C);
	1722
	1723	return ret_val;
	1724	}
	1725
	1726
	1727
	1728	/*******************************************************************
	1729	* Given real file offset, read and parse the hbin at that location
[110]	1730	* along with it's associated cells.
[97]	1731	*******************************************************************/
[116]	1732	/* XXX: Need a way to return types of errors.
[97]	1733	*/
[135]	1734	REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32 offset, bool strict)
[97]	1735	{
[135]	1736	REGFI_HBIN *hbin;
	1737	uint8 hbin_header[REGFI_HBIN_HEADER_SIZE];
[110]	1738	uint32 length;
[99]	1739
	1740	if(offset >= file->file_length)
	1741	return NULL;
[97]	1742
	1743	if(lseek(file->fd, offset, SEEK_SET) == -1)
[137]	1744	{
[138]	1745	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]	1746	" while parsing hbin at offset 0x%.8X.", offset);
[97]	1747	return NULL;
[137]	1748	}
[97]	1749
[135]	1750	length = REGFI_HBIN_HEADER_SIZE;
[97]	1751	if((regfi_read(file->fd, hbin_header, &length) != 0)
[135]	1752	\|\| length != REGFI_HBIN_HEADER_SIZE)
[97]	1753	return NULL;
	1754
	1755	if(lseek(file->fd, offset, SEEK_SET) == -1)
[137]	1756	{
[138]	1757	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]	1758	" while parsing hbin at offset 0x%.8X.", offset);
[97]	1759	return NULL;
[137]	1760	}
[97]	1761
[135]	1762	if(!(hbin = (REGFI_HBIN*)zalloc(sizeof(REGFI_HBIN))))
[99]	1763	return NULL;
	1764	hbin->file_off = offset;
	1765
[97]	1766	memcpy(hbin->magic, hbin_header, 4);
	1767	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
[99]	1768	{
[138]	1769	regfi_add_message(file, REGFI_MSG_INFO, "Magic number mismatch "
	1770	"(%.2X %.2X %.2X %.2X) while parsing hbin at offset"
	1771	" 0x%.8X.", hbin->magic[0], hbin->magic[1],
	1772	hbin->magic[2], hbin->magic[3], offset);
[99]	1773	free(hbin);
[97]	1774	return NULL;
[99]	1775	}
[97]	1776
	1777	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
	1778	hbin->block_size = IVAL(hbin_header, 0x8);
	1779	/* this should be the same thing as hbin->block_size but just in case */
	1780	hbin->next_block = IVAL(hbin_header, 0x1C);
	1781
	1782
	1783	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
	1784	* the end of the file.
	1785	*/
[116]	1786	/* XXX: This may need to be relaxed for dealing with
	1787	* partial or corrupt files.
	1788	*/
[97]	1789	if((offset + hbin->block_size > file->file_length)
	1790	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
[99]	1791	{
[138]	1792	regfi_add_message(file, REGFI_MSG_ERROR, "The hbin offset is not aligned"
[137]	1793	" or runs off the end of the file"
	1794	" while parsing hbin at offset 0x%.8X.", offset);
[99]	1795	free(hbin);
[97]	1796	return NULL;
[99]	1797	}
[97]	1798
	1799	return hbin;
	1800	}
	1801
	1802
[126]	1803	/*******************************************************************
	1804	*******************************************************************/
[135]	1805	REGFI_NK_REC* regfi_parse_nk(REGFI_FILE* file, uint32 offset,
[99]	1806	uint32 max_size, bool strict)
	1807	{
	1808	uint8 nk_header[REGFI_NK_MIN_LENGTH];
[135]	1809	REGFI_HBIN *hbin;
	1810	REGFI_NK_REC* ret_val;
[131]	1811	uint32 length,cell_length;
	1812	uint32 class_offset, class_maxsize;
[101]	1813	bool unalloc = false;
[99]	1814
[101]	1815	if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH,
	1816	&cell_length, &unalloc))
[137]	1817	{
[138]	1818	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	1819	" while parsing NK record at offset 0x%.8X.", offset);
	1820	return NULL;
	1821	}
	1822
[99]	1823	/* A bit of validation before bothering to allocate memory */
[101]	1824	if((nk_header[0x0] != 'n') \|\| (nk_header[0x1] != 'k'))
[135]	1825	{
[138]	1826	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
	1827	" NK record at offset 0x%.8X.", offset);
[99]	1828	return NULL;
[135]	1829	}
[99]	1830
[135]	1831	ret_val = (REGFI_NK_REC*)zalloc(sizeof(REGFI_NK_REC));
[99]	1832	if(ret_val == NULL)
[135]	1833	{
[138]	1834	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to allocate memory while"
[137]	1835	" parsing NK record at offset 0x%.8X.", offset);
[99]	1836	return NULL;
[135]	1837	}
[99]	1838
	1839	ret_val->offset = offset;
[101]	1840	ret_val->cell_size = cell_length;
	1841
[99]	1842	if(ret_val->cell_size > max_size)
	1843	ret_val->cell_size = max_size & 0xFFFFFFF8;
	1844	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
	1845	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
	1846	{
[140]	1847	regfi_add_message(file, REGFI_MSG_WARN, "A length check failed while"
[138]	1848	" parsing NK record at offset 0x%.8X.", offset);
[99]	1849	free(ret_val);
	1850	return NULL;
	1851	}
	1852
[101]	1853	ret_val->magic[0] = nk_header[0x0];
	1854	ret_val->magic[1] = nk_header[0x1];
	1855	ret_val->key_type = SVAL(nk_header, 0x2);
[135]	1856	if((ret_val->key_type != REGFI_NK_TYPE_NORMALKEY)
	1857	&& (ret_val->key_type != REGFI_NK_TYPE_ROOTKEY1)
	1858	&& (ret_val->key_type != REGFI_NK_TYPE_ROOTKEY2)
	1859	&& (ret_val->key_type != REGFI_NK_TYPE_LINKKEY)
[137]	1860	&& (ret_val->key_type != REGFI_NK_TYPE_UNKNOWN1)
	1861	&& (ret_val->key_type != REGFI_NK_TYPE_UNKNOWN2)
	1862	&& (ret_val->key_type != REGFI_NK_TYPE_UNKNOWN3))
[99]	1863	{
[138]	1864	regfi_add_message(file, REGFI_MSG_WARN, "Unknown key type (0x%.4X) while"
	1865	" parsing NK record at offset 0x%.8X.",
	1866	ret_val->key_type, offset);
[99]	1867	}
[101]	1868
	1869	ret_val->mtime.low = IVAL(nk_header, 0x4);
	1870	ret_val->mtime.high = IVAL(nk_header, 0x8);
[116]	1871	/* If the key is unallocated and the MTIME is earlier than Jan 1, 1990
	1872	* or later than Jan 1, 2290, we consider this a bad key. This helps
	1873	* weed out some false positives during deleted data recovery.
	1874	*/
	1875	if(unalloc
	1876	&& ((ret_val->mtime.high < REGFI_MTIME_MIN_HIGH
	1877	&& ret_val->mtime.low < REGFI_MTIME_MIN_LOW)
	1878	\|\| (ret_val->mtime.high > REGFI_MTIME_MAX_HIGH
	1879	&& ret_val->mtime.low > REGFI_MTIME_MAX_LOW)))
	1880	return NULL;
	1881
[101]	1882	ret_val->unknown1 = IVAL(nk_header, 0xC);
	1883	ret_val->parent_off = IVAL(nk_header, 0x10);
	1884	ret_val->num_subkeys = IVAL(nk_header, 0x14);
	1885	ret_val->unknown2 = IVAL(nk_header, 0x18);
	1886	ret_val->subkeys_off = IVAL(nk_header, 0x1C);
	1887	ret_val->unknown3 = IVAL(nk_header, 0x20);
	1888	ret_val->num_values = IVAL(nk_header, 0x24);
	1889	ret_val->values_off = IVAL(nk_header, 0x28);
	1890	ret_val->sk_off = IVAL(nk_header, 0x2C);
	1891	ret_val->classname_off = IVAL(nk_header, 0x30);
[99]	1892
[101]	1893	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
	1894	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
	1895	ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
	1896	ret_val->max_bytes_value = IVAL(nk_header, 0x40);
	1897	ret_val->unk_index = IVAL(nk_header, 0x44);
[99]	1898
[101]	1899	ret_val->name_length = SVAL(nk_header, 0x48);
	1900	ret_val->classname_length = SVAL(nk_header, 0x4A);
[99]	1901
[125]	1902
[99]	1903	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
[101]	1904	{
	1905	if(strict)
	1906	{
[138]	1907	regfi_add_message(file, REGFI_MSG_ERROR, "Contents too large for cell"
[137]	1908	" while parsing NK record at offset 0x%.8X.", offset);
[101]	1909	free(ret_val);
	1910	return NULL;
	1911	}
	1912	else
	1913	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
	1914	}
	1915	else if (unalloc)
	1916	{ /* Truncate cell_size if it's much larger than the apparent total record length. */
	1917	/* Round up to the next multiple of 8 */
	1918	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
	1919	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
	1920	length+=8;
[99]	1921
[101]	1922	/* If cell_size is still greater, truncate. */
	1923	if(length < ret_val->cell_size)
	1924	ret_val->cell_size = length;
	1925	}
	1926
[99]	1927	ret_val->keyname = (char)zalloc(sizeof(char)(ret_val->name_length+1));
	1928	if(ret_val->keyname == NULL)
	1929	{
	1930	free(ret_val);
	1931	return NULL;
	1932	}
	1933
	1934	/* Don't need to seek, should be at the right offset */
	1935	length = ret_val->name_length;
[101]	1936	if((regfi_read(file->fd, (uint8*)ret_val->keyname, &length) != 0)
[99]	1937	\|\| length != ret_val->name_length)
	1938	{
[138]	1939	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read key name"
[137]	1940	" while parsing NK record at offset 0x%.8X.", offset);
[99]	1941	free(ret_val->keyname);
	1942	free(ret_val);
	1943	return NULL;
	1944	}
	1945	ret_val->keyname[ret_val->name_length] = '\0';
	1946
[135]	1947	if(ret_val->classname_off != REGFI_OFFSET_NONE)
[126]	1948	{
[131]	1949	hbin = regfi_lookup_hbin(file, ret_val->classname_off);
	1950	if(hbin)
	1951	{
[135]	1952	class_offset = ret_val->classname_off+REGFI_REGF_SIZE;
[131]	1953	class_maxsize = hbin->block_size + hbin->file_off - class_offset;
	1954	ret_val->classname
	1955	= regfi_parse_classname(file, class_offset, &ret_val->classname_length,
	1956	class_maxsize, strict);
	1957	}
	1958	else
[137]	1959	{
[131]	1960	ret_val->classname = NULL;
[138]	1961	regfi_add_message(file, REGFI_MSG_WARN, "Could not find hbin for class"
	1962	" name while parsing NK record at offset 0x%.8X.",
	1963	offset);
[137]	1964	}
[140]	1965
	1966	if(ret_val->classname == NULL)
	1967	{
	1968	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse class"
	1969	" name while parsing NK record at offset 0x%.8X.",
	1970	offset);
	1971	return NULL;
	1972	}
[126]	1973	}
[138]	1974
[126]	1975	return ret_val;
	1976	}
	1977
	1978
[135]	1979	char* regfi_parse_classname(REGFI_FILE* file, uint32 offset,
[131]	1980	uint16* name_length, uint32 max_size, bool strict)
[126]	1981	{
	1982	char* ret_val = NULL;
	1983	uint32 length;
	1984	uint32 cell_length;
	1985	bool unalloc = false;
	1986
[135]	1987	if(*name_length > 0 && offset != REGFI_OFFSET_NONE
[126]	1988	&& offset == (offset & 0xFFFFFFF8))
[131]	1989	{
[126]	1990	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
[137]	1991	{
[138]	1992	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	1993	" while parsing class name at offset 0x%.8X.", offset);
[126]	1994	return NULL;
[137]	1995	}
[126]	1996
[131]	1997	if((cell_length & 0xFFFFFFF8) != cell_length)
[137]	1998	{
[138]	1999	regfi_add_message(file, REGFI_MSG_ERROR, "Cell length not a multiple of 8"
[137]	2000	" while parsing class name at offset 0x%.8X.", offset);
[131]	2001	return NULL;
[137]	2002	}
	2003
[131]	2004	if(cell_length > max_size)
[125]	2005	{
[138]	2006	regfi_add_message(file, REGFI_MSG_WARN, "Cell stretches past hbin "
	2007	"boundary while parsing class name at offset 0x%.8X.",
	2008	offset);
[126]	2009	if(strict)
	2010	return NULL;
[131]	2011	cell_length = max_size;
[126]	2012	}
[131]	2013
	2014	if((cell_length - 4) < *name_length)
	2015	{
[138]	2016	regfi_add_message(file, REGFI_MSG_WARN, "Class name is larger than"
	2017	" cell_length while parsing class name at offset"
	2018	" 0x%.8X.", offset);
[131]	2019	if(strict)
	2020	return NULL;
	2021	*name_length = cell_length - 4;
	2022	}
[126]	2023
	2024	ret_val = (char)zalloc(name_length);
	2025	if(ret_val != NULL)
	2026	{
	2027	length = *name_length;
	2028	if((regfi_read(file->fd, (uint8*)ret_val, &length) != 0)
	2029	\|\| length != *name_length)
[125]	2030	{
[138]	2031	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read class name"
[137]	2032	" while parsing class name at offset 0x%.8X.", offset);
[126]	2033	free(ret_val);
	2034	return NULL;
[125]	2035	}
	2036	}
	2037	}
	2038
[99]	2039	return ret_val;
	2040	}
	2041
	2042
[101]	2043	/*******************************************************************
	2044	*******************************************************************/
[135]	2045	REGFI_VK_REC* regfi_parse_vk(REGFI_FILE* file, uint32 offset,
[101]	2046	uint32 max_size, bool strict)
[97]	2047	{
[135]	2048	REGFI_VK_REC* ret_val;
	2049	REGFI_HBIN *hbin;
[101]	2050	uint8 vk_header[REGFI_VK_MIN_LENGTH];
	2051	uint32 raw_data_size, length, cell_length;
[131]	2052	uint32 data_offset, data_maxsize;
[101]	2053	bool unalloc = false;
[97]	2054
[101]	2055	if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH,
	2056	&cell_length, &unalloc))
[137]	2057	{
[138]	2058	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2059	" while parsing VK record at offset 0x%.8X.", offset);
[101]	2060	return NULL;
[137]	2061	}
[111]	2062
[135]	2063	ret_val = (REGFI_VK_REC*)zalloc(sizeof(REGFI_VK_REC));
[101]	2064	if(ret_val == NULL)
	2065	return NULL;
	2066
	2067	ret_val->offset = offset;
	2068	ret_val->cell_size = cell_length;
	2069
	2070	if(ret_val->cell_size > max_size)
	2071	ret_val->cell_size = max_size & 0xFFFFFFF8;
	2072	if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
[111]	2073	\|\| ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8))
[97]	2074	{
[138]	2075	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size encountered"
[137]	2076	" while parsing VK record at offset 0x%.8X.", offset);
[101]	2077	free(ret_val);
	2078	return NULL;
	2079	}
[97]	2080
[101]	2081	ret_val->magic[0] = vk_header[0x0];
	2082	ret_val->magic[1] = vk_header[0x1];
	2083	if((ret_val->magic[0] != 'v') \|\| (ret_val->magic[1] != 'k'))
	2084	{
[124]	2085	/* XXX: This does not account for deleted keys under Win2K which
	2086	* often have this (and the name length) overwritten with
	2087	* 0xFFFF.
	2088	*/
[138]	2089	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch"
[137]	2090	" while parsing VK record at offset 0x%.8X.", offset);
[101]	2091	free(ret_val);
	2092	return NULL;
	2093	}
	2094
	2095	ret_val->name_length = SVAL(vk_header, 0x2);
	2096	raw_data_size = IVAL(vk_header, 0x4);
[135]	2097	ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET;
	2098	ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET);
[101]	2099	ret_val->data_off = IVAL(vk_header, 0x8);
	2100	ret_val->type = IVAL(vk_header, 0xC);
	2101	ret_val->flag = SVAL(vk_header, 0x10);
	2102	ret_val->unknown1 = SVAL(vk_header, 0x12);
	2103
[135]	2104	if(ret_val->flag & REGFI_VK_FLAG_NAME_PRESENT)
[101]	2105	{
[113]	2106	if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size)
[101]	2107	{
[138]	2108	regfi_add_message(file, REGFI_MSG_WARN, "Name too long for remaining cell"
	2109	" space while parsing VK record at offset 0x%.8X.",
	2110	offset);
[101]	2111	if(strict)
	2112	{
	2113	free(ret_val);
	2114	return NULL;
	2115	}
	2116	else
[113]	2117	ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4;
[101]	2118	}
	2119
	2120	/* Round up to the next multiple of 8 */
[113]	2121	cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8;
	2122	if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4)
	2123	cell_length+=8;
[101]	2124
	2125	ret_val->valuename = (char)zalloc(sizeof(char)(ret_val->name_length+1));
	2126	if(ret_val->valuename == NULL)
	2127	{
	2128	free(ret_val);
	2129	return NULL;
	2130	}
[113]	2131
[101]	2132	length = ret_val->name_length;
	2133	if((regfi_read(file->fd, (uint8*)ret_val->valuename, &length) != 0)
	2134	\|\| length != ret_val->name_length)
	2135	{
[138]	2136	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read value name"
[137]	2137	" while parsing VK record at offset 0x%.8X.", offset);
[101]	2138	free(ret_val->valuename);
	2139	free(ret_val);
	2140	return NULL;
	2141	}
	2142	ret_val->valuename[ret_val->name_length] = '\0';
[133]	2143
[101]	2144	}
	2145	else
[113]	2146	cell_length = REGFI_VK_MIN_LENGTH + 4;
[101]	2147
	2148	if(unalloc)
	2149	{
	2150	/* If cell_size is still greater, truncate. */
[113]	2151	if(cell_length < ret_val->cell_size)
	2152	ret_val->cell_size = cell_length;
[101]	2153	}
	2154
	2155	if(ret_val->data_size == 0)
	2156	ret_val->data = NULL;
	2157	else
	2158	{
[133]	2159	if(ret_val->data_in_offset)
[131]	2160	{
[136]	2161	ret_val->data = regfi_parse_data(file, ret_val->data_off,
[133]	2162	raw_data_size, 4, strict);
[131]	2163	}
	2164	else
[133]	2165	{
	2166	hbin = regfi_lookup_hbin(file, ret_val->data_off);
	2167	if(hbin)
	2168	{
[135]	2169	data_offset = ret_val->data_off+REGFI_REGF_SIZE;
[133]	2170	data_maxsize = hbin->block_size + hbin->file_off - data_offset;
	2171	ret_val->data = regfi_parse_data(file, data_offset, raw_data_size,
	2172	data_maxsize, strict);
	2173
	2174	}
	2175	else
[137]	2176	{
[138]	2177	regfi_add_message(file, REGFI_MSG_WARN, "Could not find hbin for data"
[137]	2178	" while parsing VK record at offset 0x%.8X.", offset);
[133]	2179	ret_val->data = NULL;
[137]	2180	}
[133]	2181	}
[131]	2182
[137]	2183	if(ret_val->data == NULL)
[101]	2184	{
[138]	2185	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse data record"
[137]	2186	" while parsing VK record at offset 0x%.8X.", offset);
[101]	2187	}
	2188	}
	2189
	2190	return ret_val;
[97]	2191	}
[101]	2192
	2193
[135]	2194	uint8* regfi_parse_data(REGFI_FILE* file, uint32 offset, uint32 length,
[131]	2195	uint32 max_size, bool strict)
[101]	2196	{
	2197	uint8* ret_val;
	2198	uint32 read_length, cell_length;
[102]	2199	uint8 i;
[101]	2200	bool unalloc;
	2201
[137]	2202	/* The data is typically stored in the offset if the size <= 4 */
[135]	2203	if (length & REGFI_VK_DATA_IN_OFFSET)
[101]	2204	{
[135]	2205	length = length & ~REGFI_VK_DATA_IN_OFFSET;
[101]	2206	if(length > 4)
[137]	2207	{
[138]	2208	regfi_add_message(file, REGFI_MSG_ERROR, "Data in offset but length > 4"
[137]	2209	" while parsing data record at offset 0x%.8X.",
	2210	offset);
[101]	2211	return NULL;
[137]	2212	}
[101]	2213
	2214	if((ret_val = (uint8)zalloc(sizeof(uint8)length)) == NULL)
	2215	return NULL;
[102]	2216
	2217	for(i = 0; i < length; i++)
	2218	ret_val[i] = (uint8)((offset >> i*8) & 0xFF);
[101]	2219	}
	2220	else
	2221	{
	2222	if(!regfi_parse_cell(file->fd, offset, NULL, 0,
	2223	&cell_length, &unalloc))
[137]	2224	{
[138]	2225	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[137]	2226	" parsing data record at offset 0x%.8X.", offset);
[101]	2227	return NULL;
[137]	2228	}
[111]	2229
	2230	if((cell_length & 0xFFFFFFF8) != cell_length)
[137]	2231	{
[138]	2232	regfi_add_message(file, REGFI_MSG_WARN, "Cell length not multiple of 8"
[137]	2233	" while parsing data record at offset 0x%.8X.",
	2234	offset);
[101]	2235	return NULL;
[137]	2236	}
[101]	2237
[131]	2238	if(cell_length > max_size)
	2239	{
[138]	2240	regfi_add_message(file, REGFI_MSG_WARN, "Cell extends past hbin boundary"
[137]	2241	" while parsing data record at offset 0x%.8X.",
	2242	offset);
[131]	2243	if(strict)
	2244	return NULL;
	2245	else
	2246	cell_length = max_size;
	2247	}
	2248
[101]	2249	if(cell_length - 4 < length)
	2250	{
[116]	2251	/* XXX: This strict condition has been triggered in multiple registries.
	2252	* Not sure the cause, but the data length values are very large,
	2253	* such as 53392.
[111]	2254	*/
[138]	2255	regfi_add_message(file, REGFI_MSG_WARN, "Data length (0x%.8X) larger than"
[137]	2256	" remaining cell length (0x%.8X)"
	2257	" while parsing data record at offset 0x%.8X.",
	2258	length, cell_length - 4, offset);
[101]	2259	if(strict)
	2260	return NULL;
	2261	else
	2262	length = cell_length - 4;
	2263	}
	2264
	2265	if((ret_val = (uint8)zalloc(sizeof(uint8)length)) == NULL)
	2266	return NULL;
	2267
	2268	read_length = length;
	2269	if((regfi_read(file->fd, ret_val, &read_length) != 0)
	2270	\|\| read_length != length)
	2271	{
[138]	2272	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read data block while"
[137]	2273	" parsing data record at offset 0x%.8X.", offset);
[101]	2274	free(ret_val);
	2275	return NULL;
	2276	}
	2277	}
	2278
	2279	return ret_val;
	2280	}
[110]	2281
	2282
[135]	2283	range_list* regfi_parse_unalloc_cells(REGFI_FILE* file)
[110]	2284	{
	2285	range_list* ret_val;
[135]	2286	REGFI_HBIN* hbin;
[110]	2287	const range_list_element* hbins_elem;
	2288	uint32 i, num_hbins, curr_off, cell_len;
	2289	bool is_unalloc;
	2290
	2291	ret_val = range_list_new();
	2292	if(ret_val == NULL)
	2293	return NULL;
	2294
	2295	num_hbins = range_list_size(file->hbins);
	2296	for(i=0; i<num_hbins; i++)
	2297	{
	2298	hbins_elem = range_list_get(file->hbins, i);
	2299	if(hbins_elem == NULL)
	2300	break;
[135]	2301	hbin = (REGFI_HBIN*)hbins_elem->data;
[110]	2302
[135]	2303	curr_off = REGFI_HBIN_HEADER_SIZE;
[110]	2304	while(curr_off < hbin->block_size)
	2305	{
	2306	if(!regfi_parse_cell(file->fd, hbin->file_off+curr_off, NULL, 0,
	2307	&cell_len, &is_unalloc))
	2308	break;
	2309
[113]	2310	if((cell_len == 0) \|\| ((cell_len & 0xFFFFFFF8) != cell_len))
[140]	2311	{
	2312	regfi_add_message(file, REGFI_MSG_ERROR, "Bad cell length encountered"
	2313	" while parsing unallocated cells at offset 0x%.8X.",
	2314	hbin->file_off+curr_off);
[110]	2315	break;
[140]	2316	}
	2317
[110]	2318	/* for some reason the record_size of the last record in
	2319	an hbin block can extend past the end of the block
	2320	even though the record fits within the remaining
	2321	space....aaarrrgggghhhhhh */
	2322	if(curr_off + cell_len >= hbin->block_size)
	2323	cell_len = hbin->block_size - curr_off;
	2324
	2325	if(is_unalloc)
	2326	range_list_add(ret_val, hbin->file_off+curr_off,
	2327	cell_len, NULL);
	2328
	2329	curr_off = curr_off+cell_len;
	2330	}
	2331	}
	2332
	2333	return ret_val;
	2334	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/lib/regfi.c @ 141

Download in other formats: