Context Navigation

source: trunk/lib/regfi.c @ 161

Last change on this file since 161 was 161, checked in by tim, 14 years ago
added support for UTF-16LE key names
Property svn:keywords set to `Id`
File size: 83.5 KB

Rev	Line
[30]	1	/*
	2	* Branched from Samba project Subversion repository, version #7470:
[84]	3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
[30]	4	*
[134]	5	* Windows NT (and later) registry parsing library
[30]	6	*
[132]	7	* Copyright (C) 2005-2009 Timothy D. Morgan
[30]	8	* Copyright (C) 2005 Gerald (Jerry) Carter
	9	*
	10	* This program is free software; you can redistribute it and/or modify
	11	* it under the terms of the GNU General Public License as published by
[111]	12	* the Free Software Foundation; version 3 of the License.
[30]	13	*
	14	* This program is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	17	* GNU General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU General Public License
	20	* along with this program; if not, write to the Free Software
[161]	21	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
[30]	22	*
	23	* $Id: regfi.c 161 2009-12-07 17:01:22Z tim $
	24	*/
	25
[147]	26	#include "regfi.h"
[30]	27
	28
[32]	29	/* Registry types mapping */
[78]	30	const unsigned int regfi_num_reg_types = 12;
	31	static const char* regfi_type_names[] =
[65]	32	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]	33	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]	34
[161]	35	const char* regfi_encoding_names[] =
	36	{"US-ASCII//TRANSLIT", "UTF-8//TRANSLIT", "UTF-16LE//TRANSLIT"};
[32]	37
[135]	38
	39	/******************************************************************************
	40	******************************************************************************/
[138]	41	void regfi_add_message(REGFI_FILE* file, uint16 msg_type, const char* fmt, ...)
[135]	42	{
[136]	43	/* XXX: This function is not particularly efficient,
[135]	44	* but then it is mostly used during errors.
	45	*/
[136]	46	uint32 buf_size, buf_used;
	47	char* new_msg;
	48	va_list args;
[135]	49
[138]	50	if((file->msg_mask & msg_type) != 0)
	51	{
	52	if(file->last_message == NULL)
	53	buf_used = 0;
	54	else
	55	buf_used = strlen(file->last_message);
	56
	57	buf_size = buf_used+strlen(fmt)+160;
	58	new_msg = realloc(file->last_message, buf_size);
	59	if(new_msg == NULL)
	60	/* XXX: should we report this? */
	61	return;
[135]	62
[138]	63	switch (msg_type)
	64	{
	65	case REGFI_MSG_INFO:
	66	strcpy(new_msg+buf_used, "INFO: ");
	67	buf_used += 6;
	68	break;
	69	case REGFI_MSG_WARN:
	70	strcpy(new_msg+buf_used, "WARN: ");
	71	buf_used += 6;
	72	break;
	73	case REGFI_MSG_ERROR:
	74	strcpy(new_msg+buf_used, "ERROR: ");
	75	buf_used += 7;
	76	break;
	77	}
[136]	78
[138]	79	va_start(args, fmt);
	80	vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
	81	va_end(args);
	82	strncat(new_msg, "\n", buf_size-1);
	83
	84	file->last_message = new_msg;
	85	}
[135]	86	}
	87
	88
	89	/******************************************************************************
	90	******************************************************************************/
[136]	91	char* regfi_get_messages(REGFI_FILE* file)
[135]	92	{
	93	char* ret_val = file->last_message;
	94	file->last_message = NULL;
	95
	96	return ret_val;
	97	}
	98
	99
[138]	100	void regfi_set_message_mask(REGFI_FILE* file, uint16 mask)
	101	{
	102	file->msg_mask = mask;
	103	}
	104
	105
[161]	106	/******************************************************************************
	107	* Returns NULL for an invalid e
	108	*****************************************************************************/
	109	static const char* regfi_encoding_int2str(REGFI_ENCODING e)
	110	{
	111	if(e < REGFI_NUM_ENCODINGS)
	112	return regfi_encoding_names[e];
	113
	114	return NULL;
	115	}
	116
	117
	118	/******************************************************************************
	119	* Returns NULL for an invalid val
	120	*****************************************************************************/
[78]	121	const char* regfi_type_val2str(unsigned int val)
[32]	122	{
[61]	123	if(val == REG_KEY)
	124	return "KEY";
	125
[78]	126	if(val >= regfi_num_reg_types)
[61]	127	return NULL;
	128
[78]	129	return regfi_type_names[val];
[32]	130	}
	131
	132
[161]	133	/******************************************************************************
	134	* Returns -1 on error
	135	*****************************************************************************/
[78]	136	int regfi_type_str2val(const char* str)
[32]	137	{
	138	int i;
	139
[61]	140	if(strcmp("KEY", str) == 0)
	141	return REG_KEY;
[32]	142
[78]	143	for(i=0; i < regfi_num_reg_types; i++)
	144	if (strcmp(regfi_type_names[i], str) == 0)
[61]	145	return i;
	146
	147	if(strcmp("DWORD_LE", str) == 0)
	148	return REG_DWORD_LE;
	149
	150	return -1;
[32]	151	}
	152
	153
[135]	154	/* Security descriptor formatting functions */
[53]	155
[78]	156	const char* regfi_ace_type2str(uint8 type)
[53]	157	{
	158	static const char* map[7]
	159	= {"ALLOW", "DENY", "AUDIT", "ALARM",
	160	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
	161	if(type < 7)
	162	return map[type];
	163	else
	164	/* XXX: would be nice to return the unknown integer value.
	165	* However, as it is a const string, it can't be free()ed later on,
	166	* so that would need to change.
	167	*/
	168	return "UNKNOWN";
	169	}
	170
	171
[76]	172	/* XXX: need a better reference on the meaning of each flag. */
	173	/* For more info, see:
	174	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
	175	*/
[78]	176	char* regfi_ace_flags2str(uint8 flags)
[53]	177	{
[76]	178	static const char* flag_map[32] =
[87]	179	{ "OI", /* Object Inherit */
	180	"CI", /* Container Inherit */
	181	"NP", /* Non-Propagate */
	182	"IO", /* Inherit Only */
	183	"IA", /* Inherited ACE */
[76]	184	NULL,
	185	NULL,
	186	NULL,
	187	};
[53]	188
[76]	189	char* ret_val = malloc(35*sizeof(char));
	190	char* fo = ret_val;
	191	uint32 i;
	192	uint8 f;
	193
	194	if(ret_val == NULL)
[53]	195	return NULL;
	196
[76]	197	fo[0] = '\0';
[53]	198	if (!flags)
[76]	199	return ret_val;
[53]	200
[76]	201	for(i=0; i < 8; i++)
	202	{
	203	f = (1<<i);
	204	if((flags & f) && (flag_map[i] != NULL))
	205	{
	206	strcpy(fo, flag_map[i]);
	207	fo += strlen(flag_map[i]);
	208	*(fo++) = ' ';
	209	flags ^= f;
	210	}
[53]	211	}
[76]	212
	213	/* Any remaining unknown flags are added at the end in hex. */
	214	if(flags != 0)
	215	sprintf(fo, "0x%.2X ", flags);
	216
	217	/* Chop off the last space if we've written anything to ret_val */
	218	if(fo != ret_val)
	219	fo[-1] = '\0';
	220
	221	return ret_val;
[53]	222	}
	223
	224
[78]	225	char* regfi_ace_perms2str(uint32 perms)
[53]	226	{
[76]	227	uint32 i, p;
	228	/* This is more than is needed by a fair margin. */
	229	char* ret_val = malloc(350*sizeof(char));
	230	char* r = ret_val;
	231
	232	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
	233	* For more information, see:
	234	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
	235	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
	236	*/
	237	static const char* perm_map[32] =
	238	{/* object-specific permissions (registry keys, in this case) */
	239	"QRY_VAL", /* KEY_QUERY_VALUE */
	240	"SET_VAL", /* KEY_SET_VALUE */
	241	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
	242	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
	243	"NOTIFY", /* KEY_NOTIFY */
	244	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
	245	NULL,
	246	NULL,
	247	"WOW64_64", /* KEY_WOW64_64KEY */
	248	"WOW64_32", /* KEY_WOW64_32KEY */
	249	NULL,
	250	NULL,
	251	NULL,
	252	NULL,
	253	NULL,
	254	NULL,
	255	/* standard access rights */
	256	"DELETE", /* DELETE */
	257	"R_CONT", /* READ_CONTROL */
	258	"W_DAC", /* WRITE_DAC */
	259	"W_OWNER", /* WRITE_OWNER */
	260	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
	261	NULL,
	262	NULL,
	263	NULL,
	264	/* other generic */
	265	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
	266	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
	267	NULL,
	268	NULL,
	269	"GEN_A", /* GENERIC_ALL */
	270	"GEN_X", /* GENERIC_EXECUTE */
	271	"GEN_W", /* GENERIC_WRITE */
	272	"GEN_R", /* GENERIC_READ */
	273	};
	274
	275
[53]	276	if(ret_val == NULL)
	277	return NULL;
	278
[76]	279	r[0] = '\0';
	280	for(i=0; i < 32; i++)
	281	{
	282	p = (1<<i);
	283	if((perms & p) && (perm_map[i] != NULL))
	284	{
	285	strcpy(r, perm_map[i]);
	286	r += strlen(perm_map[i]);
	287	*(r++) = ' ';
	288	perms ^= p;
	289	}
	290	}
	291
	292	/* Any remaining unknown permission bits are added at the end in hex. */
	293	if(perms != 0)
	294	sprintf(r, "0x%.8X ", perms);
[53]	295
[76]	296	/* Chop off the last space if we've written anything to ret_val */
	297	if(r != ret_val)
	298	r[-1] = '\0';
	299
[53]	300	return ret_val;
	301	}
	302
	303
[134]	304	char* regfi_sid2str(WINSEC_DOM_SID* sid)
[53]	305	{
[134]	306	uint32 i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
[53]	307	uint32 left = size;
	308	uint8 comps = sid->num_auths;
	309	char* ret_val = malloc(size);
	310
	311	if(ret_val == NULL)
	312	return NULL;
	313
[134]	314	if(comps > WINSEC_MAX_SUBAUTHS)
	315	comps = WINSEC_MAX_SUBAUTHS;
[53]	316
	317	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
	318
	319	for (i = 0; i < comps; i++)
	320	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
	321
	322	return ret_val;
	323	}
	324
	325
[134]	326	char* regfi_get_acl(WINSEC_ACL* acl)
[53]	327	{
	328	uint32 i, extra, size = 0;
	329	const char* type_str;
	330	char* flags_str;
	331	char* perms_str;
	332	char* sid_str;
[61]	333	char* ace_delim = "";
[53]	334	char* ret_val = NULL;
[61]	335	char* tmp_val = NULL;
	336	bool failed = false;
[53]	337	char field_delim = ':';
	338
[61]	339	for (i = 0; i < acl->num_aces && !failed; i++)
[53]	340	{
[134]	341	sid_str = regfi_sid2str(acl->aces[i]->trustee);
	342	type_str = regfi_ace_type2str(acl->aces[i]->type);
	343	perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask);
	344	flags_str = regfi_ace_flags2str(acl->aces[i]->flags);
[53]	345
[61]	346	if(flags_str != NULL && perms_str != NULL
	347	&& type_str != NULL && sid_str != NULL)
	348	{
	349	/* XXX: this is slow */
	350	extra = strlen(sid_str) + strlen(type_str)
[136]	351	+ strlen(perms_str) + strlen(flags_str) + 5;
[61]	352	tmp_val = realloc(ret_val, size+extra);
[53]	353
[61]	354	if(tmp_val == NULL)
	355	{
	356	free(ret_val);
[136]	357	ret_val = NULL;
[61]	358	failed = true;
	359	}
	360	else
	361	{
	362	ret_val = tmp_val;
[148]	363	size += sprintf(ret_val+size, "%s%s%c%s%c%s%c%s",
	364	ace_delim,sid_str,
	365	field_delim,type_str,
	366	field_delim,perms_str,
	367	field_delim,flags_str);
[61]	368	ace_delim = "\|";
	369	}
	370	}
	371	else
	372	failed = true;
	373
	374	if(sid_str != NULL)
	375	free(sid_str);
	376	if(sid_str != NULL)
	377	free(perms_str);
	378	if(sid_str != NULL)
	379	free(flags_str);
[53]	380	}
	381
	382	return ret_val;
	383	}
	384
	385
[134]	386	char* regfi_get_sacl(WINSEC_DESC *sec_desc)
[53]	387	{
	388	if (sec_desc->sacl)
[78]	389	return regfi_get_acl(sec_desc->sacl);
[53]	390	else
	391	return NULL;
	392	}
	393
	394
[134]	395	char* regfi_get_dacl(WINSEC_DESC *sec_desc)
[53]	396	{
	397	if (sec_desc->dacl)
[78]	398	return regfi_get_acl(sec_desc->dacl);
[53]	399	else
	400	return NULL;
	401	}
	402
	403
[134]	404	char* regfi_get_owner(WINSEC_DESC *sec_desc)
[53]	405	{
[78]	406	return regfi_sid2str(sec_desc->owner_sid);
[53]	407	}
	408
	409
[134]	410	char* regfi_get_group(WINSEC_DESC *sec_desc)
[53]	411	{
[78]	412	return regfi_sid2str(sec_desc->grp_sid);
[53]	413	}
	414
	415
[101]	416	/*****************************************************************************
	417	* This function is just like read(2), except that it continues to
	418	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
	419	* regfi_read will attempt to read length bytes from fd and write them to buf.
	420	*
	421	* On success, 0 is returned. Upon failure, an errno code is returned.
	422	*
	423	* The number of bytes successfully read is returned through the length
	424	* parameter by reference. If both the return value and length parameter are
	425	* returned as 0, then EOF was encountered immediately
	426	*****************************************************************************/
	427	uint32 regfi_read(int fd, uint8* buf, uint32* length)
	428	{
	429	uint32 rsize = 0;
	430	uint32 rret = 0;
	431
	432	do
	433	{
	434	rret = read(fd, buf + rsize, *length - rsize);
	435	if(rret > 0)
	436	rsize += rret;
	437	}while(*length - rsize > 0
	438	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
	439
	440	*length = rsize;
	441	if (rret == -1 && errno != EINTR && errno != EAGAIN)
	442	return errno;
	443
	444	return 0;
	445	}
	446
	447
	448	/*****************************************************************************
	449	*
	450	*****************************************************************************/
[111]	451	bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len,
	452	uint32* cell_length, bool* unalloc)
[101]	453	{
	454	uint32 length;
	455	int32 raw_length;
	456	uint8 tmp[4];
	457
	458	if(lseek(fd, offset, SEEK_SET) == -1)
	459	return false;
	460
	461	length = 4;
	462	if((regfi_read(fd, tmp, &length) != 0) \|\| length != 4)
	463	return false;
	464	raw_length = IVALS(tmp, 0);
	465
	466	if(raw_length < 0)
	467	{
	468	(cell_length) = raw_length(-1);
	469	(*unalloc) = false;
	470	}
	471	else
	472	{
	473	(*cell_length) = raw_length;
	474	(*unalloc) = true;
	475	}
	476
[103]	477	if(*cell_length - 4 < hdr_len)
	478	return false;
	479
	480	if(hdr_len > 0)
	481	{
	482	length = hdr_len;
	483	if((regfi_read(fd, hdr, &length) != 0) \|\| length != hdr_len)
	484	return false;
	485	}
	486
[101]	487	return true;
	488	}
	489
	490
[157]	491	/******************************************************************************
[106]	492	* Given an offset and an hbin, is the offset within that hbin?
	493	* The offset is a virtual file offset.
[157]	494	******************************************************************************/
[146]	495	static bool regfi_offset_in_hbin(const REGFI_HBIN* hbin, uint32 voffset)
[30]	496	{
[106]	497	if(!hbin)
[31]	498	return false;
[106]	499
[145]	500	if((voffset > hbin->first_hbin_off)
	501	&& (voffset < (hbin->first_hbin_off + hbin->block_size)))
[31]	502	return true;
[30]	503
[31]	504	return false;
[30]	505	}
	506
	507
[106]	508
[157]	509	/******************************************************************************
	510	* Provide a physical offset and receive the correpsonding HBIN
[106]	511	* block for it. NULL if one doesn't exist.
[157]	512	******************************************************************************/
	513	const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32 offset)
[30]	514	{
[157]	515	return (const REGFI_HBIN*)range_list_find_data(file->hbins, offset);
[30]	516	}
	517
	518
[157]	519	/******************************************************************************
	520	* Calculate the largest possible cell size given a physical offset.
	521	* Largest size is based on the HBIN the offset is currently a member of.
	522	* Returns negative values on error.
	523	* (Since cells can only be ~2^31 in size, this works out.)
	524	******************************************************************************/
	525	int32 regfi_calc_maxsize(REGFI_FILE* file, uint32 offset)
	526	{
	527	const REGFI_HBIN* hbin = regfi_lookup_hbin(file, offset);
	528	if(hbin == NULL)
	529	return -1;
[139]	530
[157]	531	return (hbin->block_size + hbin->file_off) - offset;
	532	}
	533
	534
[139]	535	/******************************************************************************
	536	******************************************************************************/
	537	REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32 offset,
	538	uint32 num_keys, uint32 max_size,
	539	bool strict)
[127]	540	{
[135]	541	REGFI_SUBKEY_LIST* ret_val;
[134]	542
[139]	543	ret_val = regfi_load_subkeylist_aux(file, offset, max_size, strict,
	544	REGFI_MAX_SUBKEY_DEPTH);
[143]	545	if(ret_val == NULL)
	546	{
	547	regfi_add_message(file, REGFI_MSG_WARN, "Failed to load subkey list at"
	548	" offset 0x%.8X.", offset);
	549	return NULL;
	550	}
[139]	551
	552	if(num_keys != ret_val->num_keys)
	553	{
	554	/* Not sure which should be authoritative, the number from the
	555	* NK record, or the number in the subkey list. Just emit a warning for
	556	* now if they don't match.
	557	*/
	558	regfi_add_message(file, REGFI_MSG_WARN, "Number of subkeys listed in parent"
	559	" (%d) did not match number found in subkey list/tree (%d)"
	560	" while parsing subkey list/tree at offset 0x%.8X.",
	561	num_keys, ret_val->num_keys, offset);
	562	}
	563
	564	return ret_val;
	565	}
	566
	567
	568	/******************************************************************************
	569	******************************************************************************/
	570	REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32 offset,
	571	uint32 max_size, bool strict,
	572	uint8 depth_left)
	573	{
	574	REGFI_SUBKEY_LIST* ret_val;
	575	REGFI_SUBKEY_LIST** sublists;
[157]	576	uint32 i, num_sublists, off;
	577	int32 sublist_maxsize;
[139]	578
	579	if(depth_left == 0)
	580	{
	581	regfi_add_message(file, REGFI_MSG_WARN, "Maximum depth reached"
	582	" while parsing subkey list/tree at offset 0x%.8X.",
	583	offset);
[127]	584	return NULL;
[139]	585	}
[134]	586
[139]	587	ret_val = regfi_parse_subkeylist(file, offset, max_size, strict);
[134]	588	if(ret_val == NULL)
	589	return NULL;
[139]	590
	591	if(ret_val->recursive_type)
[127]	592	{
[139]	593	num_sublists = ret_val->num_children;
[150]	594	sublists = (REGFI_SUBKEY_LIST**)malloc(num_sublists
[139]	595	* sizeof(REGFI_SUBKEY_LIST*));
	596	for(i=0; i < num_sublists; i++)
[127]	597	{
[139]	598	off = ret_val->elements[i].offset + REGFI_REGF_SIZE;
[157]	599
	600	sublist_maxsize = regfi_calc_maxsize(file, off);
	601	if(sublist_maxsize < 0)
[139]	602	sublists[i] = NULL;
	603	else
[157]	604	sublists[i] = regfi_load_subkeylist_aux(file, off, sublist_maxsize,
	605	strict, depth_left-1);
[127]	606	}
[150]	607	talloc_free(ret_val);
[134]	608
[139]	609	return regfi_merge_subkeylists(num_sublists, sublists, strict);
[127]	610	}
[30]	611
[127]	612	return ret_val;
	613	}
	614
	615
[139]	616	/******************************************************************************
	617	******************************************************************************/
	618	REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32 offset,
	619	uint32 max_size, bool strict)
[30]	620	{
[135]	621	REGFI_SUBKEY_LIST* ret_val;
[150]	622	uint32 i, cell_length, length, elem_size, read_len;
	623	uint8* elements = NULL;
[127]	624	uint8 buf[REGFI_SUBKEY_LIST_MIN_LEN];
[104]	625	bool unalloc;
[139]	626	bool recursive_type;
[30]	627
[127]	628	if(!regfi_parse_cell(file->fd, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN,
[104]	629	&cell_length, &unalloc))
[139]	630	{
	631	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while "
	632	"parsing subkey-list at offset 0x%.8X.", offset);
[104]	633	return NULL;
[139]	634	}
[30]	635
[116]	636	if(cell_length > max_size)
	637	{
[139]	638	regfi_add_message(file, REGFI_MSG_WARN, "Cell size longer than max_size"
	639	" while parsing subkey-list at offset 0x%.8X.", offset);
[116]	640	if(strict)
	641	return NULL;
	642	cell_length = max_size & 0xFFFFFFF8;
	643	}
[30]	644
[139]	645	recursive_type = false;
[127]	646	if(buf[0] == 'r' && buf[1] == 'i')
[104]	647	{
[139]	648	recursive_type = true;
	649	elem_size = sizeof(uint32);
[104]	650	}
[139]	651	else if(buf[0] == 'l' && buf[1] == 'i')
[134]	652	elem_size = sizeof(uint32);
	653	else if((buf[0] == 'l') && (buf[1] == 'f' \|\| buf[1] == 'h'))
[135]	654	elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM);
[134]	655	else
	656	{
[139]	657	regfi_add_message(file, REGFI_MSG_ERROR, "Unknown magic number"
	658	" (0x%.2X, 0x%.2X) encountered while parsing"
	659	" subkey-list at offset 0x%.8X.", buf[0], buf[1], offset);
[134]	660	return NULL;
	661	}
	662
[150]	663	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[127]	664	if(ret_val == NULL)
	665	return NULL;
	666
	667	ret_val->offset = offset;
	668	ret_val->cell_size = cell_length;
[104]	669	ret_val->magic[0] = buf[0];
	670	ret_val->magic[1] = buf[1];
[139]	671	ret_val->recursive_type = recursive_type;
	672	ret_val->num_children = SVAL(buf, 0x2);
[101]	673
[139]	674	if(!recursive_type)
	675	ret_val->num_keys = ret_val->num_children;
[101]	676
[139]	677	length = elem_size*ret_val->num_children;
	678	if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32) < length)
[134]	679	{
[139]	680	regfi_add_message(file, REGFI_MSG_WARN, "Number of elements too large for"
	681	" cell while parsing subkey-list at offset 0x%.8X.",
	682	offset);
	683	if(strict)
[150]	684	goto fail;
[139]	685	length = cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32);
[134]	686	}
[30]	687
[150]	688	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
	689	ret_val->num_children);
[127]	690	if(ret_val->elements == NULL)
[150]	691	goto fail;
[30]	692
[150]	693	elements = (uint8*)malloc(length);
[139]	694	if(elements == NULL)
[150]	695	goto fail;
[30]	696
[150]	697	read_len = length;
	698	if(regfi_read(file->fd, elements, &read_len) != 0 \|\| read_len != length)
	699	goto fail;
[30]	700
[139]	701	if(elem_size == sizeof(uint32))
[104]	702	{
[139]	703	for (i=0; i < ret_val->num_children; i++)
[134]	704	{
[139]	705	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
[134]	706	ret_val->elements[i].hash = 0;
	707	}
[104]	708	}
[134]	709	else
	710	{
[139]	711	for (i=0; i < ret_val->num_children; i++)
[134]	712	{
[139]	713	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
	714	ret_val->elements[i].hash = IVAL(elements, i*elem_size+4);
[134]	715	}
	716	}
[139]	717	free(elements);
[30]	718
[104]	719	return ret_val;
[150]	720
	721	fail:
	722	if(elements != NULL)
	723	free(elements);
	724	talloc_free(ret_val);
	725	return NULL;
[30]	726	}
	727
	728
[139]	729	/*******************************************************************
	730	*******************************************************************/
	731	REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16 num_lists,
	732	REGFI_SUBKEY_LIST** lists,
	733	bool strict)
	734	{
	735	uint32 i,j,k;
	736	REGFI_SUBKEY_LIST* ret_val;
[102]	737
[139]	738	if(lists == NULL)
	739	return NULL;
[150]	740	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[139]	741
	742	if(ret_val == NULL)
	743	return NULL;
	744
	745	/* Obtain total number of elements */
	746	ret_val->num_keys = 0;
	747	for(i=0; i < num_lists; i++)
	748	{
	749	if(lists[i] != NULL)
	750	ret_val->num_keys += lists[i]->num_children;
	751	}
	752	ret_val->num_children = ret_val->num_keys;
	753
	754	if(ret_val->num_keys > 0)
	755	{
[150]	756	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
	757	ret_val->num_keys);
[139]	758	k=0;
	759
	760	if(ret_val->elements != NULL)
	761	{
	762	for(i=0; i < num_lists; i++)
	763	{
	764	if(lists[i] != NULL)
	765	{
	766	for(j=0; j < lists[i]->num_keys; j++)
	767	{
[150]	768	ret_val->elements[k].hash = lists[i]->elements[j].hash;
	769	ret_val->elements[k++].offset = lists[i]->elements[j].offset;
[139]	770	}
	771	}
	772	}
	773	}
	774	}
	775
	776	for(i=0; i < num_lists; i++)
	777	regfi_subkeylist_free(lists[i]);
	778	free(lists);
	779
	780	return ret_val;
	781	}
	782
	783
[147]	784	/******************************************************************************
	785	*
	786	******************************************************************************/
	787	REGFI_SK_REC* regfi_parse_sk(REGFI_FILE* file, uint32 offset, uint32 max_size,
	788	bool strict)
[30]	789	{
[135]	790	REGFI_SK_REC* ret_val;
[147]	791	uint8* sec_desc_buf = NULL;
[102]	792	uint32 cell_length, length;
	793	uint8 sk_header[REGFI_SK_MIN_LENGTH];
	794	bool unalloc = false;
[30]	795
[102]	796	if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH,
	797	&cell_length, &unalloc))
[137]	798	{
[138]	799	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse SK record cell"
[137]	800	" at offset 0x%.8X.", offset);
[102]	801	return NULL;
[137]	802	}
[102]	803
	804	if(sk_header[0] != 's' \|\| sk_header[1] != 'k')
[137]	805	{
[138]	806	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
	807	" SK record at offset 0x%.8X.", offset);
[102]	808	return NULL;
[137]	809	}
	810
[147]	811	ret_val = talloc(NULL, REGFI_SK_REC);
[102]	812	if(ret_val == NULL)
	813	return NULL;
[30]	814
[102]	815	ret_val->offset = offset;
[116]	816	/* XXX: Is there a way to be more conservative (shorter) with
	817	* cell length when cell is unallocated?
[111]	818	*/
[102]	819	ret_val->cell_size = cell_length;
[30]	820
[102]	821	if(ret_val->cell_size > max_size)
	822	ret_val->cell_size = max_size & 0xFFFFFFF8;
	823	if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
[157]	824	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
[102]	825	{
[138]	826	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size found while"
	827	" parsing SK record at offset 0x%.8X.", offset);
[147]	828	goto fail;
[102]	829	}
[30]	830
[102]	831	ret_val->magic[0] = sk_header[0];
	832	ret_val->magic[1] = sk_header[1];
[30]	833
[102]	834	ret_val->unknown_tag = SVAL(sk_header, 0x2);
	835	ret_val->prev_sk_off = IVAL(sk_header, 0x4);
	836	ret_val->next_sk_off = IVAL(sk_header, 0x8);
	837	ret_val->ref_count = IVAL(sk_header, 0xC);
	838	ret_val->desc_size = IVAL(sk_header, 0x10);
[30]	839
[157]	840	if((ret_val->prev_sk_off & 0x00000007) != 0
	841	\|\| (ret_val->next_sk_off & 0x00000007) != 0)
[140]	842	{
	843	regfi_add_message(file, REGFI_MSG_WARN, "SK record's next/previous offsets"
	844	" are not a multiple of 8 while parsing SK record at"
	845	" offset 0x%.8X.", offset);
[147]	846	goto fail;
[140]	847	}
	848
[102]	849	if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
	850	{
[140]	851	regfi_add_message(file, REGFI_MSG_WARN, "Security descriptor too large for"
[138]	852	" cell while parsing SK record at offset 0x%.8X.",
	853	offset);
[147]	854	goto fail;
[102]	855	}
[30]	856
[147]	857	sec_desc_buf = (uint8*)malloc(ret_val->desc_size);
	858	if(sec_desc_buf == NULL)
	859	goto fail;
[102]	860
[134]	861	length = ret_val->desc_size;
	862	if(regfi_read(file->fd, sec_desc_buf, &length) != 0
	863	\|\| length != ret_val->desc_size)
	864	{
[138]	865	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read security"
	866	" descriptor while parsing SK record at offset 0x%.8X.",
	867	offset);
[147]	868	goto fail;
[134]	869	}
[102]	870
[147]	871	if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf,
	872	ret_val->desc_size)))
[134]	873	{
[138]	874	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to parse security"
	875	" descriptor while parsing SK record at offset 0x%.8X.",
	876	offset);
[147]	877	goto fail;
[134]	878	}
[147]	879
[134]	880	free(sec_desc_buf);
[147]	881	return ret_val;
[134]	882
[147]	883	fail:
	884	if(sec_desc_buf != NULL)
	885	free(sec_desc_buf);
	886	talloc_free(ret_val);
	887	return NULL;
[30]	888	}
	889
	890
[145]	891	REGFI_VALUE_LIST* regfi_parse_valuelist(REGFI_FILE* file, uint32 offset,
	892	uint32 num_values, bool strict)
[111]	893	{
[145]	894	REGFI_VALUE_LIST* ret_val;
[111]	895	uint32 i, cell_length, length, read_len;
	896	bool unalloc;
[30]	897
[111]	898	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
[137]	899	{
[138]	900	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read cell header"
[137]	901	" while parsing value list at offset 0x%.8X.", offset);
[111]	902	return NULL;
[137]	903	}
[111]	904
[157]	905	if((cell_length & 0x00000007) != 0)
[111]	906	{
[145]	907	regfi_add_message(file, REGFI_MSG_WARN, "Cell length not a multiple of 8"
	908	" while parsing value list at offset 0x%.8X.", offset);
[111]	909	if(strict)
	910	return NULL;
	911	cell_length = cell_length & 0xFFFFFFF8;
	912	}
[145]	913
[111]	914	if((num_values * sizeof(uint32)) > cell_length-sizeof(uint32))
[137]	915	{
[140]	916	regfi_add_message(file, REGFI_MSG_WARN, "Too many values found"
[137]	917	" while parsing value list at offset 0x%.8X.", offset);
[145]	918	if(strict)
	919	return NULL;
	920	num_values = cell_length/sizeof(uint32) - sizeof(uint32);
[137]	921	}
[111]	922
	923	read_len = num_values*sizeof(uint32);
[150]	924	ret_val = talloc(NULL, REGFI_VALUE_LIST);
[111]	925	if(ret_val == NULL)
	926	return NULL;
	927
[150]	928	ret_val->elements = (REGFI_VALUE_LIST_ELEM*)talloc_size(ret_val, read_len);
[145]	929	if(ret_val->elements == NULL)
	930	{
[150]	931	talloc_free(ret_val);
[145]	932	return NULL;
	933	}
	934	ret_val->num_values = num_values;
	935
[111]	936	length = read_len;
[145]	937	if((regfi_read(file->fd, (uint8*)ret_val->elements, &length) != 0)
	938	\|\| length != read_len)
[111]	939	{
[138]	940	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read value pointers"
[137]	941	" while parsing value list at offset 0x%.8X.", offset);
[150]	942	talloc_free(ret_val);
[111]	943	return NULL;
	944	}
	945
	946	for(i=0; i < num_values; i++)
	947	{
	948	/* Fix endianness */
[145]	949	ret_val->elements[i] = IVAL(&ret_val->elements[i], 0);
[111]	950
	951	/* Validate the first num_values values to ensure they make sense */
	952	if(strict)
	953	{
[145]	954	/* XXX: Need to revisit this file length check when we start dealing
	955	* with partial files. */
	956	if((ret_val->elements[i] + REGFI_REGF_SIZE > file->file_length)
[157]	957	\|\| ((ret_val->elements[i] & 0x00000007) != 0))
[111]	958	{
[145]	959	regfi_add_message(file, REGFI_MSG_WARN, "Invalid value pointer"
[138]	960	" (0x%.8X) found while parsing value list at offset"
[145]	961	" 0x%.8X.", ret_val->elements[i], offset);
[150]	962	talloc_free(ret_val);
[111]	963	return NULL;
	964	}
	965	}
	966	}
	967
	968	return ret_val;
	969	}
	970
	971
	972
[103]	973	/******************************************************************************
	974	******************************************************************************/
[150]	975	REGFI_VK_REC* regfi_load_value(REGFI_FILE* file, uint32 offset, bool strict)
[30]	976	{
[145]	977	REGFI_VK_REC* ret_val = NULL;
[157]	978	int32 max_size;
[30]	979
[157]	980	max_size = regfi_calc_maxsize(file, offset);
	981	if(max_size < 0)
[103]	982	return NULL;
[145]	983
[157]	984	ret_val = regfi_parse_vk(file, offset, max_size, strict);
[103]	985	if(ret_val == NULL)
	986	return NULL;
[145]	987
[159]	988	/* XXX: convert valuename to proper encoding if necessary */
[151]	989
[103]	990	return ret_val;
[30]	991	}
	992
	993
[145]	994	/******************************************************************************
	995	* If !strict, the list may contain NULLs, VK records may point to NULL.
	996	******************************************************************************/
	997	REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32 offset,
[146]	998	uint32 num_values, uint32 max_size,
[145]	999	bool strict)
	1000	{
	1001	uint32 usable_num_values;
[30]	1002
[145]	1003	if((num_values+1) * sizeof(uint32) > max_size)
	1004	{
	1005	regfi_add_message(file, REGFI_MSG_WARN, "Number of values indicated by"
	1006	" parent key (%d) would cause cell to straddle HBIN"
	1007	" boundary while loading value list at offset"
	1008	" 0x%.8X.", num_values, offset);
	1009	if(strict)
	1010	return NULL;
	1011	usable_num_values = max_size/sizeof(uint32) - sizeof(uint32);
	1012	}
	1013	else
	1014	usable_num_values = num_values;
	1015
	1016	return regfi_parse_valuelist(file, offset, usable_num_values, strict);
	1017	}
	1018
	1019
	1020
[146]	1021	/******************************************************************************
	1022	*
	1023	******************************************************************************/
[161]	1024	REGFI_NK_REC* regfi_load_key(REGFI_FILE* file, uint32 offset,
	1025	REGFI_ENCODING output_encoding, bool strict)
[30]	1026	{
[135]	1027	REGFI_NK_REC* nk;
[157]	1028	uint32 off;
[161]	1029	int32 max_size, tmp_size;
	1030	REGFI_ENCODING from_encoding;
[99]	1031
[157]	1032	max_size = regfi_calc_maxsize(file, offset);
	1033	if (max_size < 0)
[105]	1034	return NULL;
[30]	1035
[31]	1036	/* get the initial nk record */
[157]	1037	if((nk = regfi_parse_nk(file, offset, max_size, true)) == NULL)
[135]	1038	{
[138]	1039	regfi_add_message(file, REGFI_MSG_ERROR, "Could not load NK record at"
[137]	1040	" offset 0x%.8X.", offset);
[99]	1041	return NULL;
[135]	1042	}
[30]	1043
[161]	1044	from_encoding = (nk->flags & REGFI_NK_FLAG_ASCIINAME)
	1045	? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
	1046
	1047	if(from_encoding == output_encoding)
	1048	{
	1049	nk->keyname_raw = talloc_realloc(nk, nk->keyname_raw, uint8, nk->name_length+1);
	1050	nk->keyname_raw[nk->name_length] = '\0';
	1051	nk->keyname = (char*)nk->keyname_raw;
	1052	}
	1053	else
	1054	{
	1055	nk->keyname = talloc_array(nk, char, nk->name_length+1);
	1056	if(nk->keyname == NULL)
	1057	{
	1058	regfi_free_key(nk);
	1059	return NULL;
	1060	}
	1061
	1062	tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
	1063	regfi_encoding_int2str(output_encoding),
	1064	nk->keyname_raw, nk->keyname,
	1065	nk->name_length, nk->name_length+1);
	1066	if(tmp_size < 0)
	1067	{
	1068	regfi_add_message(file, REGFI_MSG_WARN, "Error occurred while converting"
	1069	" keyname to encoding %s. Error message: %s",
	1070	regfi_encoding_int2str(output_encoding),
	1071	strerror(-tmp_size));
	1072	talloc_free(nk->keyname);
	1073	nk->keyname = NULL;
	1074	}
	1075	}
	1076
	1077
[146]	1078	/* get value list */
[135]	1079	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
[32]	1080	{
[157]	1081	off = nk->values_off + REGFI_REGF_SIZE;
	1082	max_size = regfi_calc_maxsize(file, off);
	1083	if(max_size < 0)
[32]	1084	{
[105]	1085	if(strict)
[32]	1086	{
[150]	1087	regfi_free_key(nk);
[99]	1088	return NULL;
[31]	1089	}
[105]	1090	else
	1091	nk->values = NULL;
[133]	1092
[31]	1093	}
[105]	1094	else
[103]	1095	{
[157]	1096	nk->values = regfi_load_valuelist(file, off, nk->num_values,
	1097	max_size, true);
[145]	1098	if(nk->values == NULL)
[105]	1099	{
[145]	1100	regfi_add_message(file, REGFI_MSG_WARN, "Could not load value list"
	1101	" for NK record at offset 0x%.8X.", offset);
	1102	if(strict)
	1103	{
[150]	1104	regfi_free_key(nk);
[145]	1105	return NULL;
	1106	}
[105]	1107	}
[150]	1108	talloc_steal(nk, nk->values);
[103]	1109	}
[31]	1110	}
[105]	1111
[146]	1112	/* now get subkey list */
[135]	1113	if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE))
[32]	1114	{
[157]	1115	off = nk->subkeys_off + REGFI_REGF_SIZE;
	1116	max_size = regfi_calc_maxsize(file, off);
	1117	if(max_size < 0)
[32]	1118	{
[105]	1119	if(strict)
[32]	1120	{
[150]	1121	regfi_free_key(nk);
[99]	1122	return NULL;
[31]	1123	}
[105]	1124	else
	1125	nk->subkeys = NULL;
[31]	1126	}
[105]	1127	else
[104]	1128	{
[134]	1129	nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys,
[157]	1130	max_size, true);
[134]	1131
[105]	1132	if(nk->subkeys == NULL)
	1133	{
[140]	1134	regfi_add_message(file, REGFI_MSG_WARN, "Could not load subkey list"
	1135	" while parsing NK record at offset 0x%.8X.", offset);
[105]	1136	nk->num_subkeys = 0;
	1137	}
[150]	1138	talloc_steal(nk, nk->subkeys);
[104]	1139	}
[31]	1140	}
[30]	1141
[99]	1142	return nk;
[30]	1143	}
	1144
[32]	1145
[102]	1146	/******************************************************************************
	1147	******************************************************************************/
[146]	1148	const REGFI_SK_REC* regfi_load_sk(REGFI_FILE* file, uint32 offset, bool strict)
	1149	{
	1150	REGFI_SK_REC* ret_val = NULL;
[157]	1151	int32 max_size;
[147]	1152	void* failure_ptr = NULL;
	1153
[146]	1154	/* First look if we have already parsed it */
	1155	ret_val = (REGFI_SK_REC*)lru_cache_find(file->sk_cache, &offset, 4);
	1156
	1157	/* Bail out if we have previously cached a parse failure at this offset. */
	1158	if(ret_val == (void*)REGFI_OFFSET_NONE)
	1159	return NULL;
	1160
	1161	if(ret_val == NULL)
	1162	{
[157]	1163	max_size = regfi_calc_maxsize(file, offset);
	1164	if(max_size < 0)
[146]	1165	return NULL;
	1166
[157]	1167	ret_val = regfi_parse_sk(file, offset, max_size, strict);
[146]	1168	if(ret_val == NULL)
	1169	{ /* Cache the parse failure and bail out. */
[147]	1170	failure_ptr = talloc(NULL, uint32_t);
	1171	if(failure_ptr == NULL)
	1172	return NULL;
	1173	(uint32_t)failure_ptr = REGFI_OFFSET_NONE;
	1174	lru_cache_update(file->sk_cache, &offset, 4, failure_ptr);
[146]	1175	return NULL;
	1176	}
	1177
	1178	lru_cache_update(file->sk_cache, &offset, 4, ret_val);
	1179	}
	1180
	1181	return ret_val;
	1182	}
	1183
	1184
	1185
	1186	/******************************************************************************
	1187	******************************************************************************/
[161]	1188	REGFI_NK_REC* regfi_find_root_nk(REGFI_FILE* file, const REGFI_HBIN* hbin,
	1189	REGFI_ENCODING output_encoding)
[30]	1190	{
[135]	1191	REGFI_NK_REC* nk = NULL;
[158]	1192	uint32 cell_length;
	1193	uint32 cur_offset = hbin->file_off+REGFI_HBIN_HEADER_SIZE;
	1194	uint32 hbin_end = hbin->file_off+hbin->block_size;
	1195	bool unalloc;
[30]	1196
[158]	1197	while(cur_offset < hbin_end)
[32]	1198	{
[158]	1199	if(!regfi_parse_cell(file->fd, cur_offset, NULL, 0, &cell_length, &unalloc))
	1200	{
	1201	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell at offset"
	1202	" 0x%.8X while searching for root key.", cur_offset);
	1203	return NULL;
	1204	}
[102]	1205
[158]	1206	if(!unalloc)
[102]	1207	{
[161]	1208	nk = regfi_load_key(file, cur_offset, output_encoding, true);
[102]	1209	if(nk != NULL)
	1210	{
[161]	1211	if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]	1212	return nk;
[102]	1213	}
[31]	1214	}
[30]	1215
[158]	1216	cur_offset += cell_length;
[31]	1217	}
[32]	1218
[158]	1219	return NULL;
[30]	1220	}
	1221
	1222
	1223	/*******************************************************************
[97]	1224	* Open the registry file and then read in the REGF block to get the
	1225	* first hbin offset.
	1226	*******************************************************************/
[135]	1227	REGFI_FILE* regfi_open(const char* filename)
[30]	1228	{
[137]	1229	struct stat sbuf;
[135]	1230	REGFI_FILE* rb;
	1231	REGFI_HBIN* hbin = NULL;
[146]	1232	uint32 hbin_off, file_length, cache_secret;
[97]	1233	int fd;
[110]	1234	bool rla;
[30]	1235
[97]	1236	/* open an existing file */
[143]	1237	if ((fd = open(filename, REGFI_OPEN_FLAGS)) == -1)
[97]	1238	{
[143]	1239	/* fprintf(stderr, "regfi_open: failure to open %s (%s)\n", filename, strerror(errno));*/
[31]	1240	return NULL;
	1241	}
[99]	1242
[137]	1243	/* Determine file length. Must be at least big enough
	1244	* for the header and one hbin.
	1245	*/
	1246	if (fstat(fd, &sbuf) == -1)
	1247	return NULL;
	1248	file_length = sbuf.st_size;
	1249	if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC)
	1250	return NULL;
	1251
[31]	1252	/* read in an existing file */
[97]	1253	if ((rb = regfi_parse_regf(fd, true)) == NULL)
	1254	{
[143]	1255	/* fprintf(stderr, "regfi_open: Failed to read initial REGF block\n"); */
[97]	1256	close(fd);
[31]	1257	return NULL;
	1258	}
[137]	1259	rb->file_length = file_length;
	1260
[99]	1261	rb->hbins = range_list_new();
[110]	1262	if(rb->hbins == NULL)
[99]	1263	{
[143]	1264	/* fprintf(stderr, "regfi_open: Failed to create HBIN list.\n"); */
[99]	1265	close(fd);
[150]	1266	talloc_free(rb);
[99]	1267	return NULL;
	1268	}
[150]	1269	talloc_steal(rb, rb->hbins);
	1270
[106]	1271	rla = true;
[135]	1272	hbin_off = REGFI_REGF_SIZE;
[110]	1273	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1274	while(hbin && rla)
	1275	{
[137]	1276	rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
[148]	1277	if(rla)
	1278	talloc_steal(rb->hbins, hbin);
[106]	1279	hbin_off = hbin->file_off + hbin->block_size;
[110]	1280	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1281	}
	1282
[146]	1283	/* This secret isn't very secret, but we don't need a good one. This
	1284	* secret is just designed to prevent someone from trying to blow our
	1285	* caching and make things slow.
	1286	*/
	1287	cache_secret = 0x15DEAD05^time(NULL)^(getpid()<<16);
	1288
	1289	/* Cache an unlimited number of SK records. Typically there are very few. */
[150]	1290	rb->sk_cache = lru_cache_create_ctx(rb, 0, cache_secret, true);
[146]	1291
[138]	1292	/* Default message mask */
	1293	rb->msg_mask = REGFI_MSG_ERROR\|REGFI_MSG_WARN;
	1294
[31]	1295	/* success */
	1296	return rb;
[30]	1297	}
	1298
	1299
[148]	1300	/******************************************************************************
	1301	******************************************************************************/
[146]	1302	int regfi_close(REGFI_FILE *file)
[30]	1303	{
[31]	1304	int fd;
[30]	1305
[31]	1306	/* nothing to do if there is no open file */
[99]	1307	if ((file == NULL) \|\| (file->fd == -1))
	1308	return 0;
[30]	1309
[31]	1310	fd = file->fd;
	1311	file->fd = -1;
[148]	1312
[99]	1313	range_list_free(file->hbins);
[106]	1314
[146]	1315	if(file->sk_cache != NULL)
	1316	lru_cache_destroy(file->sk_cache);
[148]	1317
[150]	1318	talloc_free(file);
[106]	1319	return close(fd);
[30]	1320	}
	1321
	1322
[80]	1323	/******************************************************************************
[158]	1324	* First checks the offset given by the file header, then checks the
	1325	* rest of the file if that fails.
[148]	1326	******************************************************************************/
[161]	1327	REGFI_NK_REC* regfi_rootkey(REGFI_FILE* file, REGFI_ENCODING output_encoding)
[30]	1328	{
[135]	1329	REGFI_NK_REC* nk = NULL;
[146]	1330	REGFI_HBIN* hbin;
	1331	uint32 root_offset, i, num_hbins;
[99]	1332
	1333	if(!file)
[31]	1334	return NULL;
[99]	1335
[158]	1336	root_offset = file->root_cell+REGFI_REGF_SIZE;
[161]	1337	nk = regfi_load_key(file, root_offset, output_encoding, true);
[158]	1338	if(nk != NULL)
	1339	{
[161]	1340	if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]	1341	return nk;
	1342	}
	1343
	1344	regfi_add_message(file, REGFI_MSG_WARN, "File header indicated root key at"
	1345	" location 0x%.8X, but no root key found."
	1346	" Searching rest of file...", root_offset);
	1347
	1348	/* If the file header gives bad info, scan through the file one HBIN
	1349	* block at a time looking for an NK record with a root key type.
[146]	1350	*/
[107]	1351	num_hbins = range_list_size(file->hbins);
[158]	1352	for(i=0; i < num_hbins && nk == NULL; i++)
[99]	1353	{
[135]	1354	hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data;
[161]	1355	nk = regfi_find_root_nk(file, hbin, output_encoding);
[31]	1356	}
[30]	1357
[80]	1358	return nk;
[30]	1359	}
	1360
	1361
[80]	1362	/******************************************************************************
	1363	*****************************************************************************/
[150]	1364	void regfi_free_key(REGFI_NK_REC* nk)
[30]	1365	{
[127]	1366	regfi_subkeylist_free(nk->subkeys);
[150]	1367	talloc_free(nk);
	1368	}
[127]	1369
[80]	1370
[150]	1371	/******************************************************************************
	1372	*****************************************************************************/
	1373	void regfi_free_value(REGFI_VK_REC* vk)
	1374	{
	1375	talloc_free(vk);
[80]	1376	}
	1377
	1378
	1379	/******************************************************************************
	1380	*****************************************************************************/
[135]	1381	void regfi_subkeylist_free(REGFI_SUBKEY_LIST* list)
[127]	1382	{
	1383	if(list != NULL)
	1384	{
[150]	1385	talloc_free(list);
[127]	1386	}
	1387	}
	1388
	1389
	1390	/******************************************************************************
	1391	*****************************************************************************/
[161]	1392	REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* file,
	1393	REGFI_ENCODING output_encoding)
[80]	1394	{
[135]	1395	REGFI_NK_REC* root;
[161]	1396	REGFI_ITERATOR* ret_val;
	1397
	1398	if(output_encoding != REGFI_ENCODING_UTF8
	1399	&& output_encoding != REGFI_ENCODING_ASCII)
	1400	{
	1401	regfi_add_message(file, REGFI_MSG_ERROR, "Invalid output_encoding supplied"
	1402	" in creation of regfi iterator.");
	1403	return NULL;
	1404	}
	1405
	1406	ret_val = talloc(NULL, REGFI_ITERATOR);
[80]	1407	if(ret_val == NULL)
	1408	return NULL;
	1409
[161]	1410	root = regfi_rootkey(file, output_encoding);
[80]	1411	if(root == NULL)
	1412	{
[150]	1413	talloc_free(ret_val);
[80]	1414	return NULL;
	1415	}
	1416
[135]	1417	ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH);
[80]	1418	if(ret_val->key_positions == NULL)
	1419	{
[150]	1420	talloc_free(ret_val);
[80]	1421	return NULL;
	1422	}
[150]	1423	talloc_steal(ret_val, ret_val->key_positions);
[80]	1424
[159]	1425	ret_val->f = file;
[80]	1426	ret_val->cur_key = root;
	1427	ret_val->cur_subkey = 0;
	1428	ret_val->cur_value = 0;
[161]	1429	ret_val->string_encoding = output_encoding;
	1430
[80]	1431	return ret_val;
	1432	}
	1433
	1434
	1435	/******************************************************************************
	1436	*****************************************************************************/
	1437	void regfi_iterator_free(REGFI_ITERATOR* i)
	1438	{
[150]	1439	talloc_free(i);
[80]	1440	}
	1441
	1442
	1443
	1444	/******************************************************************************
	1445	*****************************************************************************/
	1446	/* XXX: some way of indicating reason for failure should be added. */
	1447	bool regfi_iterator_down(REGFI_ITERATOR* i)
	1448	{
[135]	1449	REGFI_NK_REC* subkey;
[80]	1450	REGFI_ITER_POSITION* pos;
	1451
[150]	1452	pos = talloc(i->key_positions, REGFI_ITER_POSITION);
[80]	1453	if(pos == NULL)
	1454	return false;
	1455
[135]	1456	subkey = (REGFI_NK_REC*)regfi_iterator_cur_subkey(i);
[80]	1457	if(subkey == NULL)
	1458	{
[150]	1459	talloc_free(pos);
[80]	1460	return false;
	1461	}
	1462
	1463	pos->nk = i->cur_key;
	1464	pos->cur_subkey = i->cur_subkey;
	1465	if(!void_stack_push(i->key_positions, pos))
	1466	{
[150]	1467	talloc_free(pos);
	1468	regfi_free_key(subkey);
[80]	1469	return false;
	1470	}
[150]	1471	talloc_steal(i, subkey);
[80]	1472
	1473	i->cur_key = subkey;
	1474	i->cur_subkey = 0;
	1475	i->cur_value = 0;
	1476
	1477	return true;
	1478	}
	1479
	1480
	1481	/******************************************************************************
	1482	*****************************************************************************/
	1483	bool regfi_iterator_up(REGFI_ITERATOR* i)
	1484	{
	1485	REGFI_ITER_POSITION* pos;
	1486
	1487	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
	1488	if(pos == NULL)
	1489	return false;
	1490
[150]	1491	regfi_free_key(i->cur_key);
[80]	1492	i->cur_key = pos->nk;
	1493	i->cur_subkey = pos->cur_subkey;
	1494	i->cur_value = 0;
[150]	1495	talloc_free(pos);
[80]	1496
	1497	return true;
	1498	}
	1499
	1500
	1501	/******************************************************************************
	1502	*****************************************************************************/
	1503	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
	1504	{
	1505	while(regfi_iterator_up(i))
	1506	continue;
	1507
	1508	return true;
	1509	}
	1510
	1511
	1512	/******************************************************************************
	1513	*****************************************************************************/
	1514	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
	1515	{
[135]	1516	REGFI_NK_REC* subkey;
[80]	1517	bool found = false;
	1518	uint32 old_subkey = i->cur_subkey;
[133]	1519
[80]	1520	if(subkey_name == NULL)
	1521	return false;
	1522
	1523	/* XXX: this alloc/free of each sub key might be a bit excessive */
[135]	1524	subkey = (REGFI_NK_REC*)regfi_iterator_first_subkey(i);
[80]	1525	while((subkey != NULL) && (found == false))
	1526	{
	1527	if(subkey->keyname != NULL
	1528	&& strcasecmp(subkey->keyname, subkey_name) == 0)
	1529	found = true;
[82]	1530	else
	1531	{
[150]	1532	regfi_free_key(subkey);
[135]	1533	subkey = (REGFI_NK_REC*)regfi_iterator_next_subkey(i);
[82]	1534	}
[80]	1535	}
	1536
	1537	if(found == false)
	1538	{
	1539	i->cur_subkey = old_subkey;
	1540	return false;
	1541	}
	1542
[150]	1543	regfi_free_key(subkey);
[80]	1544	return true;
	1545	}
	1546
	1547
	1548	/******************************************************************************
	1549	*****************************************************************************/
	1550	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
	1551	{
	1552	uint32 x;
	1553	if(path == NULL)
	1554	return false;
	1555
	1556	for(x=0;
	1557	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
	1558	&& regfi_iterator_down(i));
	1559	x++)
	1560	{ continue; }
	1561
	1562	if(path[x] == NULL)
	1563	return true;
	1564
	1565	/* XXX: is this the right number of times? */
	1566	for(; x > 0; x--)
	1567	regfi_iterator_up(i);
	1568
	1569	return false;
	1570	}
	1571
	1572
	1573	/******************************************************************************
	1574	*****************************************************************************/
[135]	1575	const REGFI_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]	1576	{
	1577	return i->cur_key;
	1578	}
	1579
	1580
	1581	/******************************************************************************
	1582	*****************************************************************************/
[135]	1583	const REGFI_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i)
[109]	1584	{
[146]	1585	if(i->cur_key == NULL \|\| i->cur_key->sk_off == REGFI_OFFSET_NONE)
[109]	1586	return NULL;
	1587
[146]	1588	return regfi_load_sk(i->f, i->cur_key->sk_off + REGFI_REGF_SIZE, true);
[109]	1589	}
	1590
	1591
	1592	/******************************************************************************
	1593	*****************************************************************************/
[150]	1594	REGFI_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]	1595	{
	1596	i->cur_subkey = 0;
	1597	return regfi_iterator_cur_subkey(i);
	1598	}
	1599
	1600
	1601	/******************************************************************************
	1602	*****************************************************************************/
[150]	1603	REGFI_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]	1604	{
	1605	uint32 nk_offset;
	1606
[31]	1607	/* see if there is anything left to report */
[135]	1608	if (!(i->cur_key) \|\| (i->cur_key->subkeys_off==REGFI_OFFSET_NONE)
[80]	1609	\|\| (i->cur_subkey >= i->cur_key->num_subkeys))
[31]	1610	return NULL;
[30]	1611
[139]	1612	nk_offset = i->cur_key->subkeys->elements[i->cur_subkey].offset;
[133]	1613
[161]	1614	return regfi_load_key(i->f, nk_offset+REGFI_REGF_SIZE, i->string_encoding,
	1615	true);
[30]	1616	}
[80]	1617
	1618
	1619	/******************************************************************************
	1620	*****************************************************************************/
	1621	/* XXX: some way of indicating reason for failure should be added. */
[150]	1622	REGFI_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]	1623	{
[150]	1624	REGFI_NK_REC* subkey;
[80]	1625
	1626	i->cur_subkey++;
	1627	subkey = regfi_iterator_cur_subkey(i);
	1628
	1629	if(subkey == NULL)
	1630	i->cur_subkey--;
	1631
	1632	return subkey;
	1633	}
	1634
	1635
	1636	/******************************************************************************
	1637	*****************************************************************************/
	1638	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
	1639	{
[150]	1640	REGFI_VK_REC* cur;
[80]	1641	bool found = false;
	1642
	1643	/* XXX: cur->valuename can be NULL in the registry.
	1644	* Should we allow for a way to search for that?
	1645	*/
	1646	if(value_name == NULL)
	1647	return false;
	1648
	1649	cur = regfi_iterator_first_value(i);
	1650	while((cur != NULL) && (found == false))
	1651	{
	1652	if((cur->valuename != NULL)
	1653	&& (strcasecmp(cur->valuename, value_name) == 0))
	1654	found = true;
[95]	1655	else
[150]	1656	{
	1657	regfi_free_value(cur);
[95]	1658	cur = regfi_iterator_next_value(i);
[150]	1659	}
[80]	1660	}
	1661
[94]	1662	return found;
[80]	1663	}
	1664
	1665
	1666	/******************************************************************************
	1667	*****************************************************************************/
[150]	1668	REGFI_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]	1669	{
	1670	i->cur_value = 0;
	1671	return regfi_iterator_cur_value(i);
	1672	}
	1673
	1674
	1675	/******************************************************************************
	1676	*****************************************************************************/
[150]	1677	REGFI_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]	1678	{
[150]	1679	REGFI_VK_REC* ret_val = NULL;
[145]	1680	uint32 voffset;
[80]	1681
[145]	1682	if(i->cur_key->values != NULL && i->cur_key->values->elements != NULL)
	1683	{
	1684	if(i->cur_value < i->cur_key->values->num_values)
	1685	{
	1686	voffset = i->cur_key->values->elements[i->cur_value];
	1687	ret_val = regfi_load_value(i->f, voffset+REGFI_REGF_SIZE, true);
	1688	}
	1689	}
	1690
[80]	1691	return ret_val;
	1692	}
	1693
	1694
	1695	/******************************************************************************
	1696	*****************************************************************************/
[150]	1697	REGFI_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]	1698	{
[150]	1699	REGFI_VK_REC* ret_val;
[80]	1700
	1701	i->cur_value++;
	1702	ret_val = regfi_iterator_cur_value(i);
	1703	if(ret_val == NULL)
	1704	i->cur_value--;
	1705
	1706	return ret_val;
	1707	}
[97]	1708
	1709
[159]	1710	/******************************************************************************
	1711	*****************************************************************************/
[160]	1712	REGFI_CLASSNAME* regfi_iterator_fetch_classname(REGFI_ITERATOR* i,
	1713	const REGFI_NK_REC* key)
	1714	{
	1715	REGFI_CLASSNAME* ret_val;
	1716	uint8* raw;
	1717	char* interpreted;
	1718	uint32 offset;
	1719	int32 conv_size, max_size;
	1720	uint16 parse_length;
	1721
	1722	if(key->classname_off == REGFI_OFFSET_NONE \|\| key->classname_length == 0)
	1723	return NULL;
	1724
	1725	offset = key->classname_off + REGFI_REGF_SIZE;
	1726	max_size = regfi_calc_maxsize(i->f, offset);
	1727	if(max_size <= 0)
	1728	return NULL;
	1729
	1730	parse_length = key->classname_length;
	1731	raw = regfi_parse_classname(i->f, offset, &parse_length, max_size, true);
	1732
	1733	if(raw == NULL)
	1734	{
	1735	regfi_add_message(i->f, REGFI_MSG_WARN, "Could not parse class"
	1736	" name at offset 0x%.8X for key record at offset 0x%.8X.",
	1737	offset, key->offset);
	1738	return NULL;
	1739	}
	1740
	1741	ret_val = talloc(NULL, REGFI_CLASSNAME);
	1742	if(ret_val == NULL)
	1743	return NULL;
	1744
	1745	ret_val->raw = raw;
	1746	ret_val->size = parse_length;
	1747	talloc_steal(ret_val, raw);
	1748
	1749	interpreted = talloc_array(NULL, char, parse_length);
	1750
[161]	1751	conv_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	1752	regfi_encoding_int2str(i->string_encoding),
[160]	1753	raw, interpreted,
	1754	parse_length, parse_length);
	1755	if(conv_size < 0)
	1756	{
	1757	regfi_add_message(i->f, REGFI_MSG_WARN, "Error occurred while"
	1758	" converting classname to charset %s. Error message: %s",
	1759	i->string_encoding, strerror(-conv_size));
	1760	talloc_free(interpreted);
	1761	ret_val->interpreted = NULL;
	1762	}
	1763	else
	1764	{
	1765	interpreted = talloc_realloc(NULL, interpreted, char, conv_size);
	1766	ret_val->interpreted = interpreted;
	1767	talloc_steal(ret_val, interpreted);
	1768	}
	1769
	1770	return ret_val;
	1771	}
	1772
	1773
	1774	/******************************************************************************
	1775	*****************************************************************************/
[159]	1776	REGFI_DATA* regfi_iterator_fetch_data(REGFI_ITERATOR* i,
	1777	const REGFI_VK_REC* value)
	1778	{
	1779	REGFI_DATA* ret_val = NULL;
	1780	REGFI_BUFFER raw_data;
	1781
	1782	if(value->data_size != 0)
	1783	{
	1784	raw_data = regfi_load_data(i->f, value->data_off, value->data_size,
	1785	value->data_in_offset, true);
	1786	if(raw_data.buf == NULL)
	1787	{
	1788	regfi_add_message(i->f, REGFI_MSG_WARN, "Could not parse data record"
	1789	" while parsing VK record at offset 0x%.8X.",
	1790	value->offset);
	1791	}
	1792	else
	1793	{
	1794	ret_val = regfi_buffer_to_data(raw_data);
	1795
	1796	if(ret_val == NULL)
	1797	{
	1798	regfi_add_message(i->f, REGFI_MSG_WARN, "Error occurred in converting"
	1799	" data buffer to data structure while interpreting "
	1800	"data for VK record at offset 0x%.8X.",
	1801	value->offset);
	1802	talloc_free(raw_data.buf);
	1803	return NULL;
	1804	}
	1805
	1806	if(!regfi_interpret_data(i->f, i->string_encoding, value->type, ret_val))
	1807	{
	1808	regfi_add_message(i->f, REGFI_MSG_INFO, "Error occurred while"
	1809	" interpreting data for VK record at offset 0x%.8X.",
	1810	value->offset);
	1811	}
	1812	}
	1813	}
	1814
	1815	return ret_val;
	1816	}
	1817
	1818
	1819	/******************************************************************************
	1820	*****************************************************************************/
[160]	1821	void regfi_free_classname(REGFI_CLASSNAME* classname)
	1822	{
	1823	talloc_free(classname);
	1824	}
	1825
	1826	/******************************************************************************
	1827	*****************************************************************************/
[159]	1828	void regfi_free_data(REGFI_DATA* data)
	1829	{
	1830	talloc_free(data);
	1831	}
	1832
	1833
	1834	/******************************************************************************
	1835	*****************************************************************************/
	1836	REGFI_DATA* regfi_buffer_to_data(REGFI_BUFFER raw_data)
	1837	{
	1838	REGFI_DATA* ret_val;
	1839
	1840	if(raw_data.buf == NULL)
	1841	return NULL;
	1842
	1843	ret_val = talloc(NULL, REGFI_DATA);
	1844	if(ret_val == NULL)
	1845	return NULL;
	1846
	1847	talloc_steal(ret_val, raw_data.buf);
	1848	ret_val->raw = raw_data.buf;
	1849	ret_val->size = raw_data.len;
	1850	ret_val->interpreted_size = 0;
	1851	ret_val->interpreted.qword = 0;
	1852
	1853	return ret_val;
	1854	}
	1855
	1856
	1857	/******************************************************************************
	1858	*****************************************************************************/
[161]	1859	bool regfi_interpret_data(REGFI_FILE* file, REGFI_ENCODING string_encoding,
[159]	1860	uint32 type, REGFI_DATA* data)
	1861	{
	1862	uint8** tmp_array;
	1863	uint8* tmp_str;
	1864	int32 tmp_size;
	1865	uint32 i, j, array_size;
	1866
	1867	if(data == NULL)
	1868	return false;
	1869
	1870	switch (type)
	1871	{
	1872	case REG_SZ:
	1873	case REG_EXPAND_SZ:
	1874	/* REG_LINK is a symbolic link, stored as a unicode string. */
	1875	case REG_LINK:
	1876	tmp_str = talloc_array(NULL, uint8, data->size);
	1877	if(tmp_str == NULL)
	1878	{
	1879	data->interpreted.string = NULL;
	1880	data->interpreted_size = 0;
	1881	return false;
	1882	}
	1883
[161]	1884	tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	1885	regfi_encoding_int2str(string_encoding),
[159]	1886	data->raw, (char*)tmp_str,
	1887	data->size, data->size);
	1888	if(tmp_size < 0)
	1889	{
	1890	regfi_add_message(file, REGFI_MSG_INFO, "Error occurred while"
	1891	" converting data of type %d to %s. Error message: %s",
	1892	type, string_encoding, strerror(-tmp_size));
	1893	talloc_free(tmp_str);
	1894	data->interpreted.string = NULL;
	1895	data->interpreted_size = 0;
	1896	return false;
	1897	}
	1898
	1899	tmp_str = talloc_realloc(NULL, tmp_str, uint8, tmp_size);
	1900	data->interpreted.string = tmp_str;
	1901	data->interpreted_size = tmp_size;
	1902	talloc_steal(data, tmp_str);
	1903	break;
	1904
	1905	case REG_DWORD:
	1906	if(data->size < 4)
	1907	{
	1908	data->interpreted.dword = 0;
	1909	data->interpreted_size = 0;
	1910	return false;
	1911	}
	1912	data->interpreted.dword = IVAL(data->raw, 0);
	1913	data->interpreted_size = 4;
	1914	break;
	1915
	1916	case REG_DWORD_BE:
	1917	if(data->size < 4)
	1918	{
	1919	data->interpreted.dword_be = 0;
	1920	data->interpreted_size = 0;
	1921	return false;
	1922	}
	1923	data->interpreted.dword_be = RIVAL(data->raw, 0);
	1924	data->interpreted_size = 4;
	1925	break;
	1926
	1927	case REG_QWORD:
	1928	if(data->size < 8)
	1929	{
	1930	data->interpreted.qword = 0;
	1931	data->interpreted_size = 0;
	1932	return false;
	1933	}
	1934	data->interpreted.qword =
	1935	(uint64)IVAL(data->raw, 0) + (((uint64)IVAL(data->raw, 4))<<32);
	1936	data->interpreted_size = 8;
	1937	break;
	1938
	1939	case REG_MULTI_SZ:
	1940	tmp_str = talloc_array(NULL, uint8, data->size);
	1941	if(tmp_str == NULL)
	1942	{
	1943	data->interpreted.multiple_string = NULL;
	1944	data->interpreted_size = 0;
	1945	return false;
	1946	}
	1947
	1948	/* Attempt to convert entire string from UTF-16LE to output encoding,
	1949	* then parse and quote fields individually.
	1950	*/
[161]	1951	tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	1952	regfi_encoding_int2str(string_encoding),
[159]	1953	data->raw, (char*)tmp_str,
	1954	data->size, data->size);
	1955	if(tmp_size < 0)
	1956	{
	1957	regfi_add_message(file, REGFI_MSG_INFO, "Error occurred while"
	1958	" converting data of type %d to %s. Error message: %s",
	1959	type, string_encoding, strerror(-tmp_size));
	1960	talloc_free(tmp_str);
	1961	data->interpreted.multiple_string = NULL;
	1962	data->interpreted_size = 0;
	1963	return false;
	1964	}
	1965
	1966	array_size = tmp_size+1;
	1967	tmp_array = talloc_array(NULL, uint8*, array_size);
	1968	if(tmp_array == NULL)
	1969	{
	1970	talloc_free(tmp_str);
	1971	data->interpreted.string = NULL;
	1972	data->interpreted_size = 0;
	1973	return false;
	1974	}
	1975
	1976	tmp_array[0] = tmp_str;
	1977	for(i=0,j=1; i < tmp_size && j < array_size-1; i++)
	1978	{
	1979	if(tmp_str[i] == '\0' && (i+1 < tmp_size))
	1980	tmp_array[j++] = tmp_str+i+1;
	1981	}
	1982	tmp_array[j] = NULL;
	1983	tmp_array = talloc_realloc(NULL, tmp_array, uint8*, j+1);
	1984	data->interpreted.multiple_string = tmp_array;
	1985	/* XXX: how meaningful is this? should we store number of strings instead? */
	1986	data->interpreted_size = tmp_size;
	1987	talloc_steal(tmp_array, tmp_str);
	1988	talloc_steal(data, tmp_array);
	1989	break;
	1990
	1991	/* XXX: Dont know how to interpret these yet, just treat as binary */
	1992	case REG_NONE:
	1993	data->interpreted.none = data->raw;
	1994	data->interpreted_size = data->size;
	1995	break;
	1996
	1997	case REG_RESOURCE_LIST:
	1998	data->interpreted.resource_list = data->raw;
	1999	data->interpreted_size = data->size;
	2000	break;
	2001
	2002	case REG_FULL_RESOURCE_DESCRIPTOR:
	2003	data->interpreted.full_resource_descriptor = data->raw;
	2004	data->interpreted_size = data->size;
	2005	break;
	2006
	2007	case REG_RESOURCE_REQUIREMENTS_LIST:
	2008	data->interpreted.resource_requirements_list = data->raw;
	2009	data->interpreted_size = data->size;
	2010	break;
	2011
	2012	case REG_BINARY:
	2013	data->interpreted.binary = data->raw;
	2014	data->interpreted_size = data->size;
	2015	break;
	2016
	2017	default:
	2018	data->interpreted.qword = 0;
	2019	data->interpreted_size = 0;
	2020	return false;
	2021	}
	2022
	2023	data->type = type;
	2024	return true;
	2025	}
	2026
	2027
[97]	2028	/*******************************************************************
[159]	2029	* Convert from UTF-16LE to specified character set.
	2030	* On error, returns a negative errno code.
	2031	*******************************************************************/
[161]	2032	int32 regfi_conv_charset(const char* input_charset, const char* output_charset,
[159]	2033	uint8* input, char* output,
	2034	uint32 input_len, uint32 output_max)
	2035	{
	2036	iconv_t conv_desc;
	2037	char* inbuf = (char*)input;
	2038	char* outbuf = output;
	2039	size_t in_len = (size_t)input_len;
	2040	size_t out_len = (size_t)(output_max-1);
	2041	int ret;
	2042
[161]	2043	/* XXX: Consider creating a couple of conversion descriptors earlier,
	2044	* storing them on an iterator so they don't have to be recreated
	2045	* each time.
	2046	*/
	2047
[159]	2048	/* Set up conversion descriptor. */
[161]	2049	conv_desc = iconv_open(output_charset, input_charset);
[159]	2050
	2051	ret = iconv(conv_desc, &inbuf, &in_len, &outbuf, &out_len);
	2052	if(ret == -1)
	2053	{
	2054	iconv_close(conv_desc);
	2055	return -errno;
	2056	}
	2057	*outbuf = '\0';
	2058
	2059	iconv_close(conv_desc);
	2060	return output_max-out_len-1;
	2061	}
	2062
	2063
	2064
	2065	/*******************************************************************
[97]	2066	* Computes the checksum of the registry file header.
[159]	2067	* buffer must be at least the size of a regf header (4096 bytes).
[97]	2068	*******************************************************************/
	2069	static uint32 regfi_compute_header_checksum(uint8* buffer)
	2070	{
	2071	uint32 checksum, x;
	2072	int i;
	2073
	2074	/* XOR of all bytes 0x0000 - 0x01FB */
	2075
	2076	checksum = x = 0;
	2077
	2078	for ( i=0; i<0x01FB; i+=4 ) {
	2079	x = IVAL(buffer, i );
	2080	checksum ^= x;
	2081	}
	2082
	2083	return checksum;
	2084	}
	2085
	2086
	2087	/*******************************************************************
[116]	2088	* XXX: Add way to return more detailed error information.
[97]	2089	*******************************************************************/
[135]	2090	REGFI_FILE* regfi_parse_regf(int fd, bool strict)
[97]	2091	{
[135]	2092	uint8 file_header[REGFI_REGF_SIZE];
[102]	2093	uint32 length;
[135]	2094	REGFI_FILE* ret_val;
[97]	2095
[150]	2096	ret_val = talloc(NULL, REGFI_FILE);
[97]	2097	if(ret_val == NULL)
	2098	return NULL;
	2099
	2100	ret_val->fd = fd;
[150]	2101	ret_val->sk_cache = NULL;
	2102	ret_val->last_message = NULL;
	2103	ret_val->hbins = NULL;
	2104
[135]	2105	length = REGFI_REGF_SIZE;
[150]	2106	if((regfi_read(fd, file_header, &length)) != 0 \|\| length != REGFI_REGF_SIZE)
	2107	goto fail;
	2108
[97]	2109	ret_val->checksum = IVAL(file_header, 0x1FC);
	2110	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
	2111	if (strict && (ret_val->checksum != ret_val->computed_checksum))
[150]	2112	goto fail;
[97]	2113
[135]	2114	memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
[150]	2115	if(memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0)
[97]	2116	{
[150]	2117	if(strict)
	2118	goto fail;
	2119	regfi_add_message(ret_val, REGFI_MSG_WARN, "Magic number mismatch "
	2120	"(%.2X %.2X %.2X %.2X) while parsing hive header",
[151]	2121	ret_val->magic[0], ret_val->magic[1],
[150]	2122	ret_val->magic[2], ret_val->magic[3]);
[97]	2123	}
[151]	2124	ret_val->sequence1 = IVAL(file_header, 0x4);
	2125	ret_val->sequence2 = IVAL(file_header, 0x8);
[97]	2126	ret_val->mtime.low = IVAL(file_header, 0xC);
	2127	ret_val->mtime.high = IVAL(file_header, 0x10);
[151]	2128	ret_val->major_version = IVAL(file_header, 0x14);
	2129	ret_val->minor_version = IVAL(file_header, 0x18);
	2130	ret_val->type = IVAL(file_header, 0x1C);
	2131	ret_val->format = IVAL(file_header, 0x20);
	2132	ret_val->root_cell = IVAL(file_header, 0x24);
[97]	2133	ret_val->last_block = IVAL(file_header, 0x28);
	2134
[151]	2135	ret_val->cluster = IVAL(file_header, 0x2C);
[97]	2136
[151]	2137	memcpy(ret_val->file_name, file_header+0x30, REGFI_REGF_NAME_SIZE);
	2138
	2139	/* XXX: Should we add a warning if these uuid parsers fail? Can they? */
	2140	ret_val->rm_id = winsec_parse_uuid(ret_val, file_header+0x70, 16);
	2141	ret_val->log_id = winsec_parse_uuid(ret_val, file_header+0x80, 16);
	2142	ret_val->flags = IVAL(file_header, 0x90);
	2143	ret_val->tm_id = winsec_parse_uuid(ret_val, file_header+0x94, 16);
	2144	ret_val->guid_signature = IVAL(file_header, 0xa4);
	2145
	2146	memcpy(ret_val->reserved1, file_header+0xa8, REGFI_REGF_RESERVED1_SIZE);
	2147	memcpy(ret_val->reserved2, file_header+0x200, REGFI_REGF_RESERVED2_SIZE);
	2148
	2149	ret_val->thaw_tm_id = winsec_parse_uuid(ret_val, file_header+0xFC8, 16);
	2150	ret_val->thaw_rm_id = winsec_parse_uuid(ret_val, file_header+0xFD8, 16);
	2151	ret_val->thaw_log_id = winsec_parse_uuid(ret_val, file_header+0xFE8, 16);
[152]	2152	ret_val->boot_type = IVAL(file_header, 0xFF8);
	2153	ret_val->boot_recover = IVAL(file_header, 0xFFC);
[151]	2154
[97]	2155	return ret_val;
[150]	2156
	2157	fail:
	2158	talloc_free(ret_val);
	2159	return NULL;
[97]	2160	}
	2161
	2162
	2163
[148]	2164	/******************************************************************************
[97]	2165	* Given real file offset, read and parse the hbin at that location
[110]	2166	* along with it's associated cells.
[148]	2167	******************************************************************************/
[135]	2168	REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32 offset, bool strict)
[97]	2169	{
[135]	2170	REGFI_HBIN *hbin;
	2171	uint8 hbin_header[REGFI_HBIN_HEADER_SIZE];
[110]	2172	uint32 length;
[99]	2173
	2174	if(offset >= file->file_length)
	2175	return NULL;
[97]	2176
	2177	if(lseek(file->fd, offset, SEEK_SET) == -1)
[137]	2178	{
[138]	2179	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]	2180	" while parsing hbin at offset 0x%.8X.", offset);
[97]	2181	return NULL;
[137]	2182	}
[97]	2183
[135]	2184	length = REGFI_HBIN_HEADER_SIZE;
[97]	2185	if((regfi_read(file->fd, hbin_header, &length) != 0)
[135]	2186	\|\| length != REGFI_HBIN_HEADER_SIZE)
[97]	2187	return NULL;
	2188
	2189	if(lseek(file->fd, offset, SEEK_SET) == -1)
[137]	2190	{
[138]	2191	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]	2192	" while parsing hbin at offset 0x%.8X.", offset);
[97]	2193	return NULL;
[137]	2194	}
[97]	2195
[148]	2196	hbin = talloc(NULL, REGFI_HBIN);
	2197	if(hbin == NULL)
[99]	2198	return NULL;
	2199	hbin->file_off = offset;
	2200
[97]	2201	memcpy(hbin->magic, hbin_header, 4);
	2202	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
[99]	2203	{
[138]	2204	regfi_add_message(file, REGFI_MSG_INFO, "Magic number mismatch "
	2205	"(%.2X %.2X %.2X %.2X) while parsing hbin at offset"
	2206	" 0x%.8X.", hbin->magic[0], hbin->magic[1],
	2207	hbin->magic[2], hbin->magic[3], offset);
[148]	2208	talloc_free(hbin);
[97]	2209	return NULL;
[99]	2210	}
[97]	2211
	2212	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
	2213	hbin->block_size = IVAL(hbin_header, 0x8);
	2214	/* this should be the same thing as hbin->block_size but just in case */
	2215	hbin->next_block = IVAL(hbin_header, 0x1C);
	2216
	2217
	2218	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
	2219	* the end of the file.
	2220	*/
[116]	2221	/* XXX: This may need to be relaxed for dealing with
	2222	* partial or corrupt files.
	2223	*/
[97]	2224	if((offset + hbin->block_size > file->file_length)
	2225	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
[99]	2226	{
[138]	2227	regfi_add_message(file, REGFI_MSG_ERROR, "The hbin offset is not aligned"
[137]	2228	" or runs off the end of the file"
	2229	" while parsing hbin at offset 0x%.8X.", offset);
[148]	2230	talloc_free(hbin);
[97]	2231	return NULL;
[99]	2232	}
[97]	2233
	2234	return hbin;
	2235	}
	2236
	2237
[126]	2238	/*******************************************************************
	2239	*******************************************************************/
[135]	2240	REGFI_NK_REC* regfi_parse_nk(REGFI_FILE* file, uint32 offset,
[158]	2241	uint32 max_size, bool strict)
[99]	2242	{
	2243	uint8 nk_header[REGFI_NK_MIN_LENGTH];
[135]	2244	REGFI_NK_REC* ret_val;
[131]	2245	uint32 length,cell_length;
[101]	2246	bool unalloc = false;
[99]	2247
[101]	2248	if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH,
	2249	&cell_length, &unalloc))
[137]	2250	{
[138]	2251	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2252	" while parsing NK record at offset 0x%.8X.", offset);
	2253	return NULL;
	2254	}
	2255
[99]	2256	/* A bit of validation before bothering to allocate memory */
[101]	2257	if((nk_header[0x0] != 'n') \|\| (nk_header[0x1] != 'k'))
[135]	2258	{
[138]	2259	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
	2260	" NK record at offset 0x%.8X.", offset);
[99]	2261	return NULL;
[135]	2262	}
[99]	2263
[150]	2264	ret_val = talloc(NULL, REGFI_NK_REC);
[99]	2265	if(ret_val == NULL)
[135]	2266	{
[138]	2267	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to allocate memory while"
[137]	2268	" parsing NK record at offset 0x%.8X.", offset);
[99]	2269	return NULL;
[135]	2270	}
[99]	2271
[150]	2272	ret_val->values = NULL;
	2273	ret_val->subkeys = NULL;
[99]	2274	ret_val->offset = offset;
[101]	2275	ret_val->cell_size = cell_length;
	2276
[99]	2277	if(ret_val->cell_size > max_size)
	2278	ret_val->cell_size = max_size & 0xFFFFFFF8;
	2279	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
[157]	2280	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
[99]	2281	{
[140]	2282	regfi_add_message(file, REGFI_MSG_WARN, "A length check failed while"
[138]	2283	" parsing NK record at offset 0x%.8X.", offset);
[150]	2284	talloc_free(ret_val);
[99]	2285	return NULL;
	2286	}
	2287
[101]	2288	ret_val->magic[0] = nk_header[0x0];
	2289	ret_val->magic[1] = nk_header[0x1];
[161]	2290	ret_val->flags = SVAL(nk_header, 0x2);
[152]	2291
[161]	2292	if((ret_val->flags & ~REGFI_NK_KNOWN_FLAGS) != 0)
[99]	2293	{
[152]	2294	regfi_add_message(file, REGFI_MSG_WARN, "Unknown key flags (0x%.4X) while"
[138]	2295	" parsing NK record at offset 0x%.8X.",
[161]	2296	(ret_val->flags & ~REGFI_NK_KNOWN_FLAGS), offset);
[99]	2297	}
[101]	2298
	2299	ret_val->mtime.low = IVAL(nk_header, 0x4);
	2300	ret_val->mtime.high = IVAL(nk_header, 0x8);
[116]	2301	/* If the key is unallocated and the MTIME is earlier than Jan 1, 1990
	2302	* or later than Jan 1, 2290, we consider this a bad key. This helps
	2303	* weed out some false positives during deleted data recovery.
	2304	*/
	2305	if(unalloc
	2306	&& ((ret_val->mtime.high < REGFI_MTIME_MIN_HIGH
	2307	&& ret_val->mtime.low < REGFI_MTIME_MIN_LOW)
	2308	\|\| (ret_val->mtime.high > REGFI_MTIME_MAX_HIGH
	2309	&& ret_val->mtime.low > REGFI_MTIME_MAX_LOW)))
	2310	return NULL;
	2311
[101]	2312	ret_val->unknown1 = IVAL(nk_header, 0xC);
	2313	ret_val->parent_off = IVAL(nk_header, 0x10);
	2314	ret_val->num_subkeys = IVAL(nk_header, 0x14);
	2315	ret_val->unknown2 = IVAL(nk_header, 0x18);
	2316	ret_val->subkeys_off = IVAL(nk_header, 0x1C);
	2317	ret_val->unknown3 = IVAL(nk_header, 0x20);
	2318	ret_val->num_values = IVAL(nk_header, 0x24);
	2319	ret_val->values_off = IVAL(nk_header, 0x28);
	2320	ret_val->sk_off = IVAL(nk_header, 0x2C);
	2321	ret_val->classname_off = IVAL(nk_header, 0x30);
[99]	2322
[101]	2323	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
	2324	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
	2325	ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
	2326	ret_val->max_bytes_value = IVAL(nk_header, 0x40);
	2327	ret_val->unk_index = IVAL(nk_header, 0x44);
[99]	2328
[101]	2329	ret_val->name_length = SVAL(nk_header, 0x48);
	2330	ret_val->classname_length = SVAL(nk_header, 0x4A);
[161]	2331	ret_val->keyname = NULL;
[99]	2332
	2333	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
[101]	2334	{
	2335	if(strict)
	2336	{
[138]	2337	regfi_add_message(file, REGFI_MSG_ERROR, "Contents too large for cell"
[137]	2338	" while parsing NK record at offset 0x%.8X.", offset);
[150]	2339	talloc_free(ret_val);
[101]	2340	return NULL;
	2341	}
	2342	else
	2343	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
	2344	}
	2345	else if (unalloc)
	2346	{ /* Truncate cell_size if it's much larger than the apparent total record length. */
	2347	/* Round up to the next multiple of 8 */
	2348	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
	2349	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
	2350	length+=8;
[99]	2351
[101]	2352	/* If cell_size is still greater, truncate. */
	2353	if(length < ret_val->cell_size)
	2354	ret_val->cell_size = length;
	2355	}
	2356
[161]	2357	ret_val->keyname_raw = talloc_array(ret_val, uint8, ret_val->name_length);
	2358	if(ret_val->keyname_raw == NULL)
[99]	2359	{
[150]	2360	talloc_free(ret_val);
[99]	2361	return NULL;
	2362	}
	2363
	2364	/* Don't need to seek, should be at the right offset */
	2365	length = ret_val->name_length;
[161]	2366	if((regfi_read(file->fd, (uint8*)ret_val->keyname_raw, &length) != 0)
[99]	2367	\|\| length != ret_val->name_length)
	2368	{
[138]	2369	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read key name"
[137]	2370	" while parsing NK record at offset 0x%.8X.", offset);
[150]	2371	talloc_free(ret_val);
[99]	2372	return NULL;
	2373	}
	2374
[126]	2375	return ret_val;
	2376	}
	2377
	2378
[160]	2379	uint8* regfi_parse_classname(REGFI_FILE* file, uint32 offset,
	2380	uint16* name_length, uint32 max_size, bool strict)
[126]	2381	{
[160]	2382	uint8* ret_val = NULL;
[126]	2383	uint32 length;
	2384	uint32 cell_length;
	2385	bool unalloc = false;
	2386
[135]	2387	if(*name_length > 0 && offset != REGFI_OFFSET_NONE
[157]	2388	&& (offset & 0x00000007) == 0)
[131]	2389	{
[126]	2390	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
[137]	2391	{
[138]	2392	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2393	" while parsing class name at offset 0x%.8X.", offset);
[126]	2394	return NULL;
[137]	2395	}
[126]	2396
[157]	2397	if((cell_length & 0x0000007) != 0)
[137]	2398	{
[138]	2399	regfi_add_message(file, REGFI_MSG_ERROR, "Cell length not a multiple of 8"
[137]	2400	" while parsing class name at offset 0x%.8X.", offset);
[131]	2401	return NULL;
[137]	2402	}
	2403
[131]	2404	if(cell_length > max_size)
[125]	2405	{
[138]	2406	regfi_add_message(file, REGFI_MSG_WARN, "Cell stretches past hbin "
	2407	"boundary while parsing class name at offset 0x%.8X.",
	2408	offset);
[126]	2409	if(strict)
	2410	return NULL;
[131]	2411	cell_length = max_size;
[126]	2412	}
[131]	2413
	2414	if((cell_length - 4) < *name_length)
	2415	{
[138]	2416	regfi_add_message(file, REGFI_MSG_WARN, "Class name is larger than"
	2417	" cell_length while parsing class name at offset"
	2418	" 0x%.8X.", offset);
[131]	2419	if(strict)
	2420	return NULL;
	2421	*name_length = cell_length - 4;
	2422	}
[126]	2423
[160]	2424	ret_val = talloc_array(NULL, uint8, *name_length);
[126]	2425	if(ret_val != NULL)
	2426	{
	2427	length = *name_length;
[160]	2428	if((regfi_read(file->fd, ret_val, &length) != 0)
[126]	2429	\|\| length != *name_length)
[125]	2430	{
[138]	2431	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read class name"
[137]	2432	" while parsing class name at offset 0x%.8X.", offset);
[150]	2433	talloc_free(ret_val);
[126]	2434	return NULL;
[125]	2435	}
	2436	}
	2437	}
	2438
[99]	2439	return ret_val;
	2440	}
	2441
	2442
[152]	2443	/******************************************************************************
	2444	*******************************************************************************/
[135]	2445	REGFI_VK_REC* regfi_parse_vk(REGFI_FILE* file, uint32 offset,
[145]	2446	uint32 max_size, bool strict)
[97]	2447	{
[135]	2448	REGFI_VK_REC* ret_val;
[101]	2449	uint8 vk_header[REGFI_VK_MIN_LENGTH];
	2450	uint32 raw_data_size, length, cell_length;
	2451	bool unalloc = false;
[97]	2452
[101]	2453	if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH,
	2454	&cell_length, &unalloc))
[137]	2455	{
[138]	2456	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2457	" while parsing VK record at offset 0x%.8X.", offset);
[101]	2458	return NULL;
[137]	2459	}
[111]	2460
[150]	2461	ret_val = talloc(NULL, REGFI_VK_REC);
[101]	2462	if(ret_val == NULL)
	2463	return NULL;
	2464
	2465	ret_val->offset = offset;
	2466	ret_val->cell_size = cell_length;
[150]	2467	ret_val->data = NULL;
	2468	ret_val->valuename = NULL;
	2469
[101]	2470	if(ret_val->cell_size > max_size)
	2471	ret_val->cell_size = max_size & 0xFFFFFFF8;
	2472	if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
[157]	2473	\|\| (ret_val->cell_size & 0x00000007) != 0)
[97]	2474	{
[138]	2475	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size encountered"
[137]	2476	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2477	talloc_free(ret_val);
[101]	2478	return NULL;
	2479	}
[97]	2480
[101]	2481	ret_val->magic[0] = vk_header[0x0];
	2482	ret_val->magic[1] = vk_header[0x1];
	2483	if((ret_val->magic[0] != 'v') \|\| (ret_val->magic[1] != 'k'))
	2484	{
[124]	2485	/* XXX: This does not account for deleted keys under Win2K which
	2486	* often have this (and the name length) overwritten with
	2487	* 0xFFFF.
	2488	*/
[138]	2489	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch"
[137]	2490	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2491	talloc_free(ret_val);
[101]	2492	return NULL;
	2493	}
	2494
	2495	ret_val->name_length = SVAL(vk_header, 0x2);
	2496	raw_data_size = IVAL(vk_header, 0x4);
[135]	2497	ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET;
[157]	2498	/* The data is typically stored in the offset if the size <= 4,
	2499	* in which case this flag is set.
	2500	*/
[135]	2501	ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET);
[101]	2502	ret_val->data_off = IVAL(vk_header, 0x8);
	2503	ret_val->type = IVAL(vk_header, 0xC);
	2504	ret_val->flag = SVAL(vk_header, 0x10);
	2505	ret_val->unknown1 = SVAL(vk_header, 0x12);
	2506
[135]	2507	if(ret_val->flag & REGFI_VK_FLAG_NAME_PRESENT)
[101]	2508	{
[113]	2509	if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size)
[101]	2510	{
[138]	2511	regfi_add_message(file, REGFI_MSG_WARN, "Name too long for remaining cell"
	2512	" space while parsing VK record at offset 0x%.8X.",
	2513	offset);
[101]	2514	if(strict)
	2515	{
[150]	2516	talloc_free(ret_val);
[101]	2517	return NULL;
	2518	}
	2519	else
[113]	2520	ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4;
[101]	2521	}
	2522
	2523	/* Round up to the next multiple of 8 */
[113]	2524	cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8;
	2525	if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4)
	2526	cell_length+=8;
[101]	2527
[150]	2528	ret_val->valuename = talloc_array(ret_val, char, ret_val->name_length+1);
[101]	2529	if(ret_val->valuename == NULL)
	2530	{
[150]	2531	talloc_free(ret_val);
[101]	2532	return NULL;
	2533	}
[113]	2534
[101]	2535	length = ret_val->name_length;
	2536	if((regfi_read(file->fd, (uint8*)ret_val->valuename, &length) != 0)
	2537	\|\| length != ret_val->name_length)
	2538	{
[138]	2539	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read value name"
[137]	2540	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2541	talloc_free(ret_val);
[101]	2542	return NULL;
	2543	}
	2544	ret_val->valuename[ret_val->name_length] = '\0';
[133]	2545
[101]	2546	}
	2547	else
[113]	2548	cell_length = REGFI_VK_MIN_LENGTH + 4;
[101]	2549
	2550	if(unalloc)
	2551	{
	2552	/* If cell_size is still greater, truncate. */
[113]	2553	if(cell_length < ret_val->cell_size)
	2554	ret_val->cell_size = cell_length;
[101]	2555	}
	2556
	2557	return ret_val;
[97]	2558	}
[101]	2559
	2560
[152]	2561	/******************************************************************************
[157]	2562	*
	2563	******************************************************************************/
[159]	2564	REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32 voffset,
[157]	2565	uint32 length, bool data_in_offset,
	2566	bool strict)
[101]	2567	{
[151]	2568	REGFI_BUFFER ret_val;
[157]	2569	uint32 cell_length, offset;
	2570	int32 max_size;
[101]	2571	bool unalloc;
[151]	2572
[159]	2573	/* Microsoft's documentation indicates that "available memory" is
	2574	* the limit on value sizes. Annoying. We limit it to 1M which
	2575	* should rarely be exceeded, unless the file is corrupt or
	2576	* malicious. For more info, see:
	2577	* http://msdn2.microsoft.com/en-us/library/ms724872.aspx
	2578	*/
[160]	2579	/* XXX: add way to skip this check at user discression. */
	2580	if(length > REGFI_VK_MAX_DATA_LENGTH)
[159]	2581	{
[160]	2582	regfi_add_message(file, REGFI_MSG_WARN, "Value data size %d larger than "
	2583	"%d, truncating...", length, REGFI_VK_MAX_DATA_LENGTH);
	2584	length = REGFI_VK_MAX_DATA_LENGTH;
[159]	2585	}
	2586
[145]	2587	if(data_in_offset)
[157]	2588	return regfi_parse_little_data(file, voffset, length, strict);
	2589	else
[101]	2590	{
[157]	2591	offset = voffset + REGFI_REGF_SIZE;
	2592	max_size = regfi_calc_maxsize(file, offset);
	2593	if(max_size < 0)
[137]	2594	{
[157]	2595	regfi_add_message(file, REGFI_MSG_WARN, "Could not find HBIN for data"
	2596	" at offset 0x%.8X.", offset);
[151]	2597	goto fail;
[137]	2598	}
[157]	2599
[101]	2600	if(!regfi_parse_cell(file->fd, offset, NULL, 0,
	2601	&cell_length, &unalloc))
[137]	2602	{
[138]	2603	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[137]	2604	" parsing data record at offset 0x%.8X.", offset);
[151]	2605	goto fail;
[137]	2606	}
[111]	2607
[157]	2608	if((cell_length & 0x00000007) != 0)
[137]	2609	{
[138]	2610	regfi_add_message(file, REGFI_MSG_WARN, "Cell length not multiple of 8"
[137]	2611	" while parsing data record at offset 0x%.8X.",
	2612	offset);
[151]	2613	goto fail;
[137]	2614	}
[101]	2615
[131]	2616	if(cell_length > max_size)
	2617	{
[145]	2618	regfi_add_message(file, REGFI_MSG_WARN, "Cell extends past HBIN boundary"
	2619	" while parsing data record at offset 0x%.8X.",
[137]	2620	offset);
[157]	2621	goto fail;
[131]	2622	}
	2623
[101]	2624	if(cell_length - 4 < length)
	2625	{
[155]	2626	/* XXX: All big data records thus far have been 16 bytes long.
	2627	* Should we check for this precise size instead of just
	2628	* relying upon the above check?
	2629	*/
[152]	2630	if (file->major_version >= 1 && file->minor_version >= 5)
	2631	{
	2632	/* Attempt to parse a big data record */
[157]	2633	return regfi_load_big_data(file, offset, length, cell_length,
	2634	NULL, strict);
[152]	2635	}
[101]	2636	else
[152]	2637	{
	2638	regfi_add_message(file, REGFI_MSG_WARN, "Data length (0x%.8X) larger than"
	2639	" remaining cell length (0x%.8X)"
	2640	" while parsing data record at offset 0x%.8X.",
	2641	length, cell_length - 4, offset);
	2642	if(strict)
	2643	goto fail;
	2644	else
	2645	length = cell_length - 4;
	2646	}
[101]	2647	}
	2648
[157]	2649	ret_val = regfi_parse_data(file, offset, length, strict);
[101]	2650	}
	2651
	2652	return ret_val;
[151]	2653
	2654	fail:
	2655	ret_val.buf = NULL;
	2656	ret_val.len = 0;
	2657	return ret_val;
[101]	2658	}
[110]	2659
	2660
[152]	2661	/******************************************************************************
[157]	2662	* Parses the common case data records stored in a single cell.
	2663	******************************************************************************/
	2664	REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32 offset,
	2665	uint32 length, bool strict)
	2666	{
	2667	REGFI_BUFFER ret_val;
	2668	uint32 read_length;
	2669
	2670	ret_val.buf = NULL;
	2671	ret_val.len = 0;
	2672
	2673	if(lseek(file->fd, offset+4, SEEK_SET) == -1)
	2674	{
	2675	regfi_add_message(file, REGFI_MSG_WARN, "Could not seek while "
	2676	"reading data at offset 0x%.8X.", offset);
	2677	return ret_val;
	2678	}
	2679
[159]	2680	if((ret_val.buf = talloc_array(NULL, uint8, length)) == NULL)
[157]	2681	return ret_val;
	2682	ret_val.len = length;
	2683
	2684	read_length = length;
	2685	if((regfi_read(file->fd, ret_val.buf, &read_length) != 0)
	2686	\|\| read_length != length)
	2687	{
	2688	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read data block while"
	2689	" parsing data record at offset 0x%.8X.", offset);
	2690	talloc_free(ret_val.buf);
	2691	ret_val.buf = NULL;
	2692	ret_val.buf = 0;
	2693	}
	2694
	2695	return ret_val;
	2696	}
	2697
	2698
	2699
	2700	/******************************************************************************
	2701	*
	2702	******************************************************************************/
	2703	REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32 voffset,
	2704	uint32 length, bool strict)
	2705	{
	2706	REGFI_BUFFER ret_val;
	2707	uint8 i;
	2708
	2709	ret_val.buf = NULL;
	2710	ret_val.len = 0;
	2711
	2712	if(length > 4)
	2713	{
	2714	regfi_add_message(file, REGFI_MSG_ERROR, "Data in offset but length > 4"
	2715	" while parsing data record. (voffset=0x%.8X, length=%d)",
	2716	voffset, length);
	2717	return ret_val;
	2718	}
	2719
[159]	2720	if((ret_val.buf = talloc_array(NULL, uint8, length)) == NULL)
[157]	2721	return ret_val;
	2722	ret_val.len = length;
	2723
	2724	for(i = 0; i < length; i++)
	2725	ret_val.buf[i] = (uint8)((voffset >> i*8) & 0xFF);
	2726
	2727	return ret_val;
	2728	}
	2729
	2730	/******************************************************************************
[152]	2731	*******************************************************************************/
[157]	2732	REGFI_BUFFER regfi_parse_big_data_header(REGFI_FILE* file, uint32 offset,
	2733	uint32 max_size, bool strict)
[152]	2734	{
	2735	REGFI_BUFFER ret_val;
[157]	2736	uint32 cell_length;
[152]	2737	bool unalloc;
[157]	2738
	2739	/* XXX: do something with unalloc? */
	2740	ret_val.buf = (uint8*)talloc_array(NULL, uint8, REGFI_BIG_DATA_MIN_LENGTH);
	2741	if(ret_val.buf == NULL)
[152]	2742	goto fail;
	2743
[157]	2744	if(REGFI_BIG_DATA_MIN_LENGTH > max_size)
	2745	{
	2746	regfi_add_message(file, REGFI_MSG_WARN, "Big data header exceeded max_size "
	2747	"while parsing big data header at offset 0x%.8X.",offset);
	2748	goto fail;
	2749	}
	2750
	2751	if(!regfi_parse_cell(file->fd, offset, ret_val.buf, REGFI_BIG_DATA_MIN_LENGTH,
[152]	2752	&cell_length, &unalloc))
	2753	{
	2754	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[157]	2755	" parsing big data header at offset 0x%.8X.", offset);
[152]	2756	goto fail;
	2757	}
[157]	2758
	2759	if((ret_val.buf[0] != 'd') \|\| (ret_val.buf[1] != 'b'))
[152]	2760	{
	2761	regfi_add_message(file, REGFI_MSG_WARN, "Unknown magic number"
	2762	" (0x%.2X, 0x%.2X) encountered while parsing"
[157]	2763	" big data header at offset 0x%.8X.",
	2764	ret_val.buf[0], ret_val.buf[1], offset);
[152]	2765	goto fail;
	2766	}
	2767
[157]	2768	ret_val.len = REGFI_BIG_DATA_MIN_LENGTH;
	2769	return ret_val;
	2770
	2771	fail:
	2772	if(ret_val.buf != NULL)
	2773	{
	2774	talloc_free(ret_val.buf);
	2775	ret_val.buf = NULL;
	2776	}
	2777	ret_val.len = 0;
	2778	return ret_val;
	2779	}
	2780
	2781
	2782
	2783	/******************************************************************************
	2784	*
	2785	******************************************************************************/
	2786	uint32* regfi_parse_big_data_indirect(REGFI_FILE* file, uint32 offset,
	2787	uint16 num_chunks, bool strict)
	2788	{
	2789	uint32* ret_val;
	2790	uint32 indirect_length;
	2791	int32 max_size;
	2792	uint16 i;
	2793	bool unalloc;
	2794
	2795	/* XXX: do something with unalloc? */
	2796
	2797	max_size = regfi_calc_maxsize(file, offset);
	2798	if((max_size < 0) \|\| (num_chunks*sizeof(uint32) + 4 > max_size))
	2799	return NULL;
	2800
	2801	ret_val = (uint32*)talloc_array(NULL, uint32, num_chunks);
	2802	if(ret_val == NULL)
[152]	2803	goto fail;
	2804
[157]	2805	if(!regfi_parse_cell(file->fd, offset, (uint8*)ret_val,
[152]	2806	num_chunks*sizeof(uint32),
	2807	&indirect_length, &unalloc))
	2808	{
	2809	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
	2810	" parsing big data indirect record at offset 0x%.8X.",
	2811	offset);
	2812	goto fail;
	2813	}
[157]	2814
	2815	/* Convert pointers to proper endianess, verify they are aligned. */
	2816	for(i=0; i<num_chunks; i++)
[152]	2817	{
[157]	2818	ret_val[i] = IVAL(ret_val, i*sizeof(uint32));
	2819	if((ret_val[i] & 0x00000007) != 0)
	2820	goto fail;
[152]	2821	}
[157]	2822
	2823	return ret_val;
[152]	2824
[157]	2825	fail:
	2826	if(ret_val != NULL)
	2827	talloc_free(ret_val);
	2828	return NULL;
	2829	}
	2830
	2831
	2832	/******************************************************************************
	2833	* Arguments:
	2834	* file --
	2835	* offsets -- list of virtual offsets.
	2836	* num_chunks --
	2837	* strict --
	2838	*
	2839	* Returns:
	2840	* A range_list with physical offsets and complete lengths
	2841	* (including cell headers) of associated cells.
	2842	* No data in range_list elements.
	2843	******************************************************************************/
	2844	range_list* regfi_parse_big_data_cells(REGFI_FILE* file, uint32* offsets,
	2845	uint16 num_chunks, bool strict)
	2846	{
	2847	uint32 cell_length, chunk_offset, data_left;
	2848	range_list* ret_val;
	2849	uint16 i;
	2850	bool unalloc;
	2851
	2852	/* XXX: do something with unalloc? */
	2853	ret_val = range_list_new();
	2854	if(ret_val == NULL)
	2855	goto fail;
	2856
[152]	2857	for(i=0; (i<num_chunks) && (data_left>0); i++)
	2858	{
[157]	2859	chunk_offset = offsets[i]+REGFI_REGF_SIZE;
	2860	if(!regfi_parse_cell(file->fd, chunk_offset, NULL, 0,
	2861	&cell_length, &unalloc))
[152]	2862	{
	2863	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
	2864	" parsing big data chunk at offset 0x%.8X.",
	2865	chunk_offset);
[157]	2866	goto fail;
[152]	2867	}
	2868
[157]	2869	if(!range_list_add(ret_val, chunk_offset, cell_length, NULL))
	2870	goto fail;
	2871	}
	2872
	2873	return ret_val;
	2874
	2875	fail:
	2876	if(ret_val != NULL)
	2877	range_list_free(ret_val);
	2878	return NULL;
	2879	}
	2880
	2881
	2882	/******************************************************************************
	2883	*******************************************************************************/
	2884	REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file,
	2885	uint32 offset, uint32 data_length,
	2886	uint32 cell_length, range_list* used_ranges,
	2887	bool strict)
	2888	{
	2889	REGFI_BUFFER ret_val;
	2890	uint16 num_chunks, i;
	2891	uint32 read_length, data_left, tmp_len, indirect_offset;
	2892	uint32* indirect_ptrs = NULL;
	2893	REGFI_BUFFER bd_header;
	2894	range_list* bd_cells = NULL;
	2895	const range_list_element* cell_info;
	2896
	2897	ret_val.buf = NULL;
	2898
	2899	/* XXX: Add better error/warning messages */
	2900
	2901	bd_header = regfi_parse_big_data_header(file, offset, cell_length, strict);
	2902	if(bd_header.buf == NULL)
	2903	goto fail;
	2904
	2905	/* Keep track of used space for use by reglookup-recover */
	2906	if(used_ranges != NULL)
	2907	if(!range_list_add(used_ranges, offset, cell_length, NULL))
	2908	goto fail;
	2909
	2910	num_chunks = SVAL(bd_header.buf, 0x2);
	2911	indirect_offset = IVAL(bd_header.buf, 0x4) + REGFI_REGF_SIZE;
	2912	talloc_free(bd_header.buf);
	2913
	2914	indirect_ptrs = regfi_parse_big_data_indirect(file, indirect_offset,
	2915	num_chunks, strict);
	2916	if(indirect_ptrs == NULL)
	2917	goto fail;
	2918
	2919	if(used_ranges != NULL)
	2920	if(!range_list_add(used_ranges, indirect_offset, num_chunks*4+4, NULL))
	2921	goto fail;
	2922
	2923	if((ret_val.buf = talloc_array(NULL, uint8_t, data_length)) == NULL)
	2924	goto fail;
	2925	data_left = data_length;
	2926
	2927	bd_cells = regfi_parse_big_data_cells(file, indirect_ptrs, num_chunks, strict);
	2928	if(bd_cells == NULL)
	2929	goto fail;
	2930
	2931	talloc_free(indirect_ptrs);
	2932	indirect_ptrs = NULL;
	2933
	2934	for(i=0; (i<num_chunks) && (data_left>0); i++)
	2935	{
	2936	cell_info = range_list_get(bd_cells, i);
	2937	if(cell_info == NULL)
	2938	goto fail;
	2939
	2940	/* XXX: This should be "cell_info->length-4" to account for the 4 byte cell
[154]	2941	* length. However, it has been observed that some (all?) chunks
	2942	* have an additional 4 bytes of 0 at the end of their cells that
	2943	* isn't part of the data, so we're trimming that off too.
[157]	2944	* Perhaps it's just an 8 byte alignment requirement...
[154]	2945	*/
[157]	2946	if(cell_info->length - 8 >= data_left)
	2947	{
	2948	if(i+1 != num_chunks)
	2949	{
	2950	regfi_add_message(file, REGFI_MSG_WARN, "Left over chunks detected "
	2951	"while constructing big data at offset 0x%.8X "
	2952	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	2953	}
[152]	2954	read_length = data_left;
[157]	2955	}
[152]	2956	else
[157]	2957	read_length = cell_info->length - 8;
[152]	2958
[157]	2959
	2960	if(read_length > regfi_calc_maxsize(file, cell_info->offset))
	2961	{
	2962	regfi_add_message(file, REGFI_MSG_WARN, "A chunk exceeded the maxsize "
	2963	"while constructing big data at offset 0x%.8X "
	2964	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	2965	goto fail;
	2966	}
	2967
	2968	if(lseek(file->fd, cell_info->offset+sizeof(uint32), SEEK_SET) == -1)
	2969	{
	2970	regfi_add_message(file, REGFI_MSG_WARN, "Could not seek to chunk while "
	2971	"constructing big data at offset 0x%.8X "
	2972	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	2973	goto fail;
	2974	}
	2975
	2976	tmp_len = read_length;
[152]	2977	if(regfi_read(file->fd, ret_val.buf+(data_length-data_left),
[157]	2978	&read_length) != 0 \|\| (read_length != tmp_len))
[152]	2979	{
	2980	regfi_add_message(file, REGFI_MSG_WARN, "Could not read data chunk while"
[157]	2981	" constructing big data at offset 0x%.8X"
	2982	" (chunk offset 0x%.8X).", offset, cell_info->offset);
	2983	goto fail;
[152]	2984	}
	2985
[157]	2986	if(used_ranges != NULL)
	2987	if(!range_list_add(used_ranges, cell_info->offset,cell_info->length,NULL))
	2988	goto fail;
	2989
[152]	2990	data_left -= read_length;
	2991	}
[157]	2992	range_list_free(bd_cells);
	2993
[152]	2994	ret_val.len = data_length-data_left;
	2995	return ret_val;
	2996
	2997	fail:
[157]	2998	if(ret_val.buf != NULL)
	2999	talloc_free(ret_val.buf);
	3000	if(indirect_ptrs != NULL)
	3001	talloc_free(indirect_ptrs);
	3002	if(bd_cells != NULL)
	3003	range_list_free(bd_cells);
[152]	3004	ret_val.buf = NULL;
	3005	ret_val.len = 0;
	3006	return ret_val;
	3007	}
	3008
	3009
[135]	3010	range_list* regfi_parse_unalloc_cells(REGFI_FILE* file)
[110]	3011	{
	3012	range_list* ret_val;
[135]	3013	REGFI_HBIN* hbin;
[110]	3014	const range_list_element* hbins_elem;
	3015	uint32 i, num_hbins, curr_off, cell_len;
	3016	bool is_unalloc;
	3017
	3018	ret_val = range_list_new();
	3019	if(ret_val == NULL)
	3020	return NULL;
	3021
	3022	num_hbins = range_list_size(file->hbins);
	3023	for(i=0; i<num_hbins; i++)
	3024	{
	3025	hbins_elem = range_list_get(file->hbins, i);
	3026	if(hbins_elem == NULL)
	3027	break;
[135]	3028	hbin = (REGFI_HBIN*)hbins_elem->data;
[110]	3029
[135]	3030	curr_off = REGFI_HBIN_HEADER_SIZE;
[110]	3031	while(curr_off < hbin->block_size)
	3032	{
	3033	if(!regfi_parse_cell(file->fd, hbin->file_off+curr_off, NULL, 0,
	3034	&cell_len, &is_unalloc))
	3035	break;
	3036
[157]	3037	if((cell_len == 0) \|\| ((cell_len & 0x00000007) != 0))
[140]	3038	{
	3039	regfi_add_message(file, REGFI_MSG_ERROR, "Bad cell length encountered"
	3040	" while parsing unallocated cells at offset 0x%.8X.",
	3041	hbin->file_off+curr_off);
[110]	3042	break;
[140]	3043	}
	3044
[110]	3045	/* for some reason the record_size of the last record in
	3046	an hbin block can extend past the end of the block
	3047	even though the record fits within the remaining
	3048	space....aaarrrgggghhhhhh */
	3049	if(curr_off + cell_len >= hbin->block_size)
	3050	cell_len = hbin->block_size - curr_off;
	3051
	3052	if(is_unalloc)
	3053	range_list_add(ret_val, hbin->file_off+curr_off,
	3054	cell_len, NULL);
	3055
	3056	curr_off = curr_off+cell_len;
	3057	}
	3058	}
	3059
	3060	return ret_val;
	3061	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: