source: trunk/lib/regfi.c@ 218

Last change on this file since 218 was 215, checked in by tim, 14 years ago

improvements to smoketest script, additional test case
added a function to get a key's parent in both regfi and pyregfi
bug fixes
  • Property svn:keywords set to Id
File size: 100.6 KB
RevLine 
[30]1/*
[169]2 * Copyright (C) 2005-2010 Timothy D. Morgan
[30]3 * Copyright (C) 2005 Gerald (Jerry) Carter
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
[111]7 * the Free Software Foundation; version 3 of the License.
[30]8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
[161]16 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
[30]17 *
18 * $Id: regfi.c 215 2011-03-28 01:46:11Z tim $
19 */
20
[169]21/**
22 * @file
23 *
24 * Windows NT (and later) read-only registry library
25 *
26 * See @ref regfi.h for more information.
27 *
28 * Branched from Samba project Subversion repository, version #7470:
29 * http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
30 *
31 * Since then, it has been heavily rewritten, simplified, and improved.
32 */
[168]33
[147]34#include "regfi.h"
[30]35
36
[32]37/* Registry types mapping */
[78]38const unsigned int regfi_num_reg_types = 12;
39static const char* regfi_type_names[] =
[65]40 {"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]41 "MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]42
[161]43const char* regfi_encoding_names[] =
44 {"US-ASCII//TRANSLIT", "UTF-8//TRANSLIT", "UTF-16LE//TRANSLIT"};
[32]45
[135]46
[185]47/* Ensures regfi_init runs only once */
48static pthread_once_t regfi_init_once = PTHREAD_ONCE_INIT;
[182]49
[185]50
51
[135]52/******************************************************************************
53 ******************************************************************************/
[185]54void regfi_log_free(void* ptr)
[135]55{
[185]56 REGFI_LOG* log_info = (REGFI_LOG*)ptr;
57
58 if(log_info->messages != NULL)
59 free(log_info->messages);
60
61 talloc_free(log_info);
62}
63
64
65/******************************************************************************
66 ******************************************************************************/
67void regfi_init()
68{
69 int err;
70 if((err = pthread_key_create(&regfi_log_key, regfi_log_free)) != 0)
71 fprintf(stderr, "ERROR: key_create: %s\n", strerror(err));
72 errno = err;
73}
74
75
76/******************************************************************************
77 ******************************************************************************/
78REGFI_LOG* regfi_log_new()
79{
80 int err;
[182]81 REGFI_LOG* log_info = talloc(NULL, REGFI_LOG);
82 if(log_info == NULL)
[185]83 return NULL;
[182]84
[185]85 log_info->msg_mask = REGFI_DEFAULT_LOG_MASK;
[182]86 log_info->messages = NULL;
87
[185]88 pthread_once(&regfi_init_once, regfi_init);
[182]89
[185]90 if((err = pthread_setspecific(regfi_log_key, log_info)) != 0)
[182]91 {
[185]92 fprintf(stderr, "ERROR: setspecific: %s\n", strerror(err));
[182]93 goto fail;
94 }
95
[185]96 return log_info;
[182]97
98 fail:
99 talloc_free(log_info);
[185]100 errno = err;
101 return NULL;
[182]102}
103
104
105/******************************************************************************
106 ******************************************************************************/
107void regfi_log_add(uint16_t msg_type, const char* fmt, ...)
108{
109 /* XXX: Switch internal storage over to a linked list or stack.
110 * Then add a regfi_log_get function that returns the list in some
111 * convenient, user-friendly data structure. regfi_log_get_str should
112 * stick around and will simply smush the list into a big string when
113 * it's called, rather than having messages smushed when they're first
114 * written to the log.
[135]115 */
[168]116 uint32_t buf_size, buf_used;
[136]117 char* new_msg;
[182]118 REGFI_LOG* log_info;
[136]119 va_list args;
[135]120
[185]121 log_info = (REGFI_LOG*)pthread_getspecific(regfi_log_key);
122 if(log_info == NULL && (log_info = regfi_log_new()) == NULL)
[182]123 return;
124
[185]125 if((log_info->msg_mask & msg_type) == 0)
126 return;
127
[182]128 if(log_info->messages == NULL)
129 buf_used = 0;
130 else
131 buf_used = strlen(log_info->messages);
132
133 buf_size = buf_used+strlen(fmt)+160;
134 new_msg = realloc(log_info->messages, buf_size);
135 if(new_msg == NULL)
136 /* XXX: should we report this? */
137 return;
138
139 switch (msg_type)
[138]140 {
[182]141 case REGFI_LOG_INFO:
142 strcpy(new_msg+buf_used, "INFO: ");
143 buf_used += 6;
144 break;
145 case REGFI_LOG_WARN:
146 strcpy(new_msg+buf_used, "WARN: ");
147 buf_used += 6;
148 break;
149 case REGFI_LOG_ERROR:
150 strcpy(new_msg+buf_used, "ERROR: ");
151 buf_used += 7;
152 break;
[138]153 }
[182]154
155 va_start(args, fmt);
156 vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
157 va_end(args);
158 strncat(new_msg, "\n", buf_size-1);
159
160 log_info->messages = new_msg;
[135]161}
162
163
164/******************************************************************************
165 ******************************************************************************/
[182]166char* regfi_log_get_str()
[135]167{
[182]168 char* ret_val;
[185]169 REGFI_LOG* log_info = (REGFI_LOG*)pthread_getspecific(regfi_log_key);
170 if(log_info == NULL && (log_info = regfi_log_new()) == NULL)
[182]171 return NULL;
[185]172
[182]173 ret_val = log_info->messages;
174 log_info->messages = NULL;
175
[135]176 return ret_val;
177}
178
179
[182]180/******************************************************************************
181 ******************************************************************************/
[185]182bool regfi_log_set_mask(uint16_t msg_mask)
[138]183{
[185]184 REGFI_LOG* log_info = (REGFI_LOG*)pthread_getspecific(regfi_log_key);
185 if(log_info == NULL && (log_info = regfi_log_new()) == NULL)
186 {
187 return false;
188 }
[182]189
190 log_info->msg_mask = msg_mask;
[185]191 return true;
[138]192}
193
194
[161]195/******************************************************************************
196 * Returns NULL for an invalid e
197 *****************************************************************************/
198static const char* regfi_encoding_int2str(REGFI_ENCODING e)
199{
200 if(e < REGFI_NUM_ENCODINGS)
201 return regfi_encoding_names[e];
202
203 return NULL;
204}
205
206
207/******************************************************************************
208 * Returns NULL for an invalid val
209 *****************************************************************************/
[78]210const char* regfi_type_val2str(unsigned int val)
[32]211{
[61]212 if(val == REG_KEY)
213 return "KEY";
214
[78]215 if(val >= regfi_num_reg_types)
[61]216 return NULL;
217
[78]218 return regfi_type_names[val];
[32]219}
220
221
[161]222/******************************************************************************
223 * Returns -1 on error
224 *****************************************************************************/
[78]225int regfi_type_str2val(const char* str)
[32]226{
227 int i;
228
[61]229 if(strcmp("KEY", str) == 0)
230 return REG_KEY;
[32]231
[78]232 for(i=0; i < regfi_num_reg_types; i++)
233 if (strcmp(regfi_type_names[i], str) == 0)
[61]234 return i;
235
236 if(strcmp("DWORD_LE", str) == 0)
237 return REG_DWORD_LE;
238
239 return -1;
[32]240}
241
242
[135]243/* Security descriptor formatting functions */
[53]244
[168]245const char* regfi_ace_type2str(uint8_t type)
[53]246{
247 static const char* map[7]
248 = {"ALLOW", "DENY", "AUDIT", "ALARM",
249 "ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
250 if(type < 7)
251 return map[type];
252 else
253 /* XXX: would be nice to return the unknown integer value.
254 * However, as it is a const string, it can't be free()ed later on,
255 * so that would need to change.
256 */
257 return "UNKNOWN";
258}
259
260
[76]261/* XXX: need a better reference on the meaning of each flag. */
262/* For more info, see:
263 * http://msdn2.microsoft.com/en-us/library/aa772242.aspx
264 */
[168]265char* regfi_ace_flags2str(uint8_t flags)
[53]266{
[76]267 static const char* flag_map[32] =
[87]268 { "OI", /* Object Inherit */
269 "CI", /* Container Inherit */
270 "NP", /* Non-Propagate */
271 "IO", /* Inherit Only */
272 "IA", /* Inherited ACE */
[76]273 NULL,
274 NULL,
275 NULL,
276 };
[53]277
[76]278 char* ret_val = malloc(35*sizeof(char));
279 char* fo = ret_val;
[168]280 uint32_t i;
281 uint8_t f;
[76]282
283 if(ret_val == NULL)
[53]284 return NULL;
285
[76]286 fo[0] = '\0';
[53]287 if (!flags)
[76]288 return ret_val;
[53]289
[76]290 for(i=0; i < 8; i++)
291 {
292 f = (1<<i);
293 if((flags & f) && (flag_map[i] != NULL))
294 {
295 strcpy(fo, flag_map[i]);
296 fo += strlen(flag_map[i]);
297 *(fo++) = ' ';
298 flags ^= f;
299 }
[53]300 }
[76]301
302 /* Any remaining unknown flags are added at the end in hex. */
303 if(flags != 0)
304 sprintf(fo, "0x%.2X ", flags);
305
306 /* Chop off the last space if we've written anything to ret_val */
307 if(fo != ret_val)
308 fo[-1] = '\0';
309
310 return ret_val;
[53]311}
312
313
[168]314char* regfi_ace_perms2str(uint32_t perms)
[53]315{
[168]316 uint32_t i, p;
[76]317 /* This is more than is needed by a fair margin. */
318 char* ret_val = malloc(350*sizeof(char));
319 char* r = ret_val;
320
321 /* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
322 * For more information, see:
323 * http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
324 * http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
325 */
326 static const char* perm_map[32] =
327 {/* object-specific permissions (registry keys, in this case) */
328 "QRY_VAL", /* KEY_QUERY_VALUE */
329 "SET_VAL", /* KEY_SET_VALUE */
330 "CREATE_KEY", /* KEY_CREATE_SUB_KEY */
331 "ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
332 "NOTIFY", /* KEY_NOTIFY */
333 "CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
334 NULL,
335 NULL,
336 "WOW64_64", /* KEY_WOW64_64KEY */
337 "WOW64_32", /* KEY_WOW64_32KEY */
338 NULL,
339 NULL,
340 NULL,
341 NULL,
342 NULL,
343 NULL,
344 /* standard access rights */
345 "DELETE", /* DELETE */
346 "R_CONT", /* READ_CONTROL */
347 "W_DAC", /* WRITE_DAC */
348 "W_OWNER", /* WRITE_OWNER */
349 "SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
350 NULL,
351 NULL,
352 NULL,
353 /* other generic */
354 "SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
355 "MAX_ALLWD", /* MAXIMUM_ALLOWED */
356 NULL,
357 NULL,
358 "GEN_A", /* GENERIC_ALL */
359 "GEN_X", /* GENERIC_EXECUTE */
360 "GEN_W", /* GENERIC_WRITE */
361 "GEN_R", /* GENERIC_READ */
362 };
363
364
[53]365 if(ret_val == NULL)
366 return NULL;
367
[76]368 r[0] = '\0';
369 for(i=0; i < 32; i++)
370 {
371 p = (1<<i);
372 if((perms & p) && (perm_map[i] != NULL))
373 {
374 strcpy(r, perm_map[i]);
375 r += strlen(perm_map[i]);
376 *(r++) = ' ';
377 perms ^= p;
378 }
379 }
380
381 /* Any remaining unknown permission bits are added at the end in hex. */
382 if(perms != 0)
383 sprintf(r, "0x%.8X ", perms);
[53]384
[76]385 /* Chop off the last space if we've written anything to ret_val */
386 if(r != ret_val)
387 r[-1] = '\0';
388
[53]389 return ret_val;
390}
391
392
[134]393char* regfi_sid2str(WINSEC_DOM_SID* sid)
[53]394{
[168]395 uint32_t i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
396 uint32_t left = size;
397 uint8_t comps = sid->num_auths;
[53]398 char* ret_val = malloc(size);
399
400 if(ret_val == NULL)
401 return NULL;
402
[134]403 if(comps > WINSEC_MAX_SUBAUTHS)
404 comps = WINSEC_MAX_SUBAUTHS;
[53]405
406 left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
407
408 for (i = 0; i < comps; i++)
409 left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
410
411 return ret_val;
412}
413
414
[134]415char* regfi_get_acl(WINSEC_ACL* acl)
[53]416{
[168]417 uint32_t i, extra, size = 0;
[53]418 const char* type_str;
419 char* flags_str;
420 char* perms_str;
421 char* sid_str;
[61]422 char* ace_delim = "";
[53]423 char* ret_val = NULL;
[61]424 char* tmp_val = NULL;
425 bool failed = false;
[53]426 char field_delim = ':';
427
[61]428 for (i = 0; i < acl->num_aces && !failed; i++)
[53]429 {
[134]430 sid_str = regfi_sid2str(acl->aces[i]->trustee);
431 type_str = regfi_ace_type2str(acl->aces[i]->type);
432 perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask);
433 flags_str = regfi_ace_flags2str(acl->aces[i]->flags);
[53]434
[61]435 if(flags_str != NULL && perms_str != NULL
436 && type_str != NULL && sid_str != NULL)
437 {
438 /* XXX: this is slow */
439 extra = strlen(sid_str) + strlen(type_str)
[136]440 + strlen(perms_str) + strlen(flags_str) + 5;
[61]441 tmp_val = realloc(ret_val, size+extra);
[53]442
[61]443 if(tmp_val == NULL)
444 {
445 free(ret_val);
[136]446 ret_val = NULL;
[61]447 failed = true;
448 }
449 else
450 {
451 ret_val = tmp_val;
[148]452 size += sprintf(ret_val+size, "%s%s%c%s%c%s%c%s",
453 ace_delim,sid_str,
454 field_delim,type_str,
455 field_delim,perms_str,
456 field_delim,flags_str);
[61]457 ace_delim = "|";
458 }
459 }
460 else
461 failed = true;
462
463 if(sid_str != NULL)
464 free(sid_str);
465 if(sid_str != NULL)
466 free(perms_str);
467 if(sid_str != NULL)
468 free(flags_str);
[53]469 }
470
471 return ret_val;
472}
473
474
[134]475char* regfi_get_sacl(WINSEC_DESC *sec_desc)
[53]476{
477 if (sec_desc->sacl)
[78]478 return regfi_get_acl(sec_desc->sacl);
[53]479 else
480 return NULL;
481}
482
483
[134]484char* regfi_get_dacl(WINSEC_DESC *sec_desc)
[53]485{
486 if (sec_desc->dacl)
[78]487 return regfi_get_acl(sec_desc->dacl);
[53]488 else
489 return NULL;
490}
491
492
[134]493char* regfi_get_owner(WINSEC_DESC *sec_desc)
[53]494{
[78]495 return regfi_sid2str(sec_desc->owner_sid);
[53]496}
497
498
[134]499char* regfi_get_group(WINSEC_DESC *sec_desc)
[53]500{
[78]501 return regfi_sid2str(sec_desc->grp_sid);
[53]502}
503
504
[180]505bool regfi_read_lock(REGFI_FILE* file, pthread_rwlock_t* lock, const char* context)
506{
507 int lock_ret = pthread_rwlock_rdlock(lock);
508 if(lock_ret != 0)
509 {
[182]510 regfi_log_add(REGFI_LOG_ERROR, "Error obtaining read lock in"
[180]511 "%s due to: %s\n", context, strerror(lock_ret));
512 return false;
513 }
514
515 return true;
516}
517
518
519bool regfi_write_lock(REGFI_FILE* file, pthread_rwlock_t* lock, const char* context)
520{
521 int lock_ret = pthread_rwlock_wrlock(lock);
522 if(lock_ret != 0)
523 {
[182]524 regfi_log_add(REGFI_LOG_ERROR, "Error obtaining write lock in"
[180]525 "%s due to: %s\n", context, strerror(lock_ret));
526 return false;
527 }
528
529 return true;
530}
531
532
533bool regfi_rw_unlock(REGFI_FILE* file, pthread_rwlock_t* lock, const char* context)
534{
535 int lock_ret = pthread_rwlock_unlock(lock);
536 if(lock_ret != 0)
537 {
[182]538 regfi_log_add(REGFI_LOG_ERROR, "Error releasing lock in"
[180]539 "%s due to: %s\n", context, strerror(lock_ret));
540 return false;
541 }
542
543 return true;
544}
545
546
547bool regfi_lock(REGFI_FILE* file, pthread_mutex_t* lock, const char* context)
548{
549 int lock_ret = pthread_mutex_lock(lock);
550 if(lock_ret != 0)
551 {
[182]552 regfi_log_add(REGFI_LOG_ERROR, "Error obtaining mutex lock in"
[180]553 "%s due to: %s\n", context, strerror(lock_ret));
554 return false;
555 }
556
557 return true;
558}
559
560
561bool regfi_unlock(REGFI_FILE* file, pthread_mutex_t* lock, const char* context)
562{
563 int lock_ret = pthread_mutex_unlock(lock);
564 if(lock_ret != 0)
565 {
[182]566 regfi_log_add(REGFI_LOG_ERROR, "Error releasing mutex lock in"
[180]567 "%s due to: %s\n", context, strerror(lock_ret));
568 return false;
569 }
570
571 return true;
572}
573
574
[178]575off_t regfi_raw_seek(REGFI_RAW_FILE* self, off_t offset, int whence)
576{
577 return lseek(*(int*)self->state, offset, whence);
578}
579
580ssize_t regfi_raw_read(REGFI_RAW_FILE* self, void* buf, size_t count)
581{
582 return read(*(int*)self->state, buf, count);
583}
584
585
[101]586/*****************************************************************************
[178]587 * Convenience function to wrap up the ugly callback stuff
588 *****************************************************************************/
589off_t regfi_seek(REGFI_RAW_FILE* file_cb, off_t offset, int whence)
590{
591 return file_cb->seek(file_cb, offset, whence);
592}
593
594
595/*****************************************************************************
[101]596 * This function is just like read(2), except that it continues to
597 * re-try reading from the file descriptor if EINTR or EAGAIN is received.
[178]598 * regfi_read will attempt to read length bytes from the file and write them to
599 * buf.
[101]600 *
601 * On success, 0 is returned. Upon failure, an errno code is returned.
602 *
603 * The number of bytes successfully read is returned through the length
604 * parameter by reference. If both the return value and length parameter are
605 * returned as 0, then EOF was encountered immediately
606 *****************************************************************************/
[178]607uint32_t regfi_read(REGFI_RAW_FILE* file_cb, uint8_t* buf, uint32_t* length)
[101]608{
[168]609 uint32_t rsize = 0;
610 uint32_t rret = 0;
[101]611
612 do
613 {
[178]614 rret = file_cb->read(file_cb, buf + rsize, *length - rsize);
[101]615 if(rret > 0)
616 rsize += rret;
617 }while(*length - rsize > 0
618 && (rret > 0 || (rret == -1 && (errno == EAGAIN || errno == EINTR))));
619
620 *length = rsize;
621 if (rret == -1 && errno != EINTR && errno != EAGAIN)
622 return errno;
623
624 return 0;
625}
626
627
628/*****************************************************************************
629 *
630 *****************************************************************************/
[178]631bool regfi_parse_cell(REGFI_RAW_FILE* file_cb, uint32_t offset, uint8_t* hdr,
632 uint32_t hdr_len, uint32_t* cell_length, bool* unalloc)
[101]633{
[168]634 uint32_t length;
635 int32_t raw_length;
636 uint8_t tmp[4];
[101]637
[178]638 if(regfi_seek(file_cb, offset, SEEK_SET) == -1)
[101]639 return false;
640
641 length = 4;
[178]642 if((regfi_read(file_cb, tmp, &length) != 0) || length != 4)
[101]643 return false;
644 raw_length = IVALS(tmp, 0);
645
646 if(raw_length < 0)
647 {
648 (*cell_length) = raw_length*(-1);
649 (*unalloc) = false;
650 }
651 else
652 {
653 (*cell_length) = raw_length;
654 (*unalloc) = true;
655 }
656
[103]657 if(*cell_length - 4 < hdr_len)
658 return false;
659
660 if(hdr_len > 0)
661 {
662 length = hdr_len;
[178]663 if((regfi_read(file_cb, hdr, &length) != 0) || length != hdr_len)
[103]664 return false;
665 }
666
[101]667 return true;
668}
669
670
[157]671/******************************************************************************
[106]672 * Given an offset and an hbin, is the offset within that hbin?
673 * The offset is a virtual file offset.
[157]674 ******************************************************************************/
[168]675static bool regfi_offset_in_hbin(const REGFI_HBIN* hbin, uint32_t voffset)
[30]676{
[106]677 if(!hbin)
[31]678 return false;
[106]679
[145]680 if((voffset > hbin->first_hbin_off)
681 && (voffset < (hbin->first_hbin_off + hbin->block_size)))
[31]682 return true;
[30]683
[31]684 return false;
[30]685}
686
687
[106]688
[157]689/******************************************************************************
690 * Provide a physical offset and receive the correpsonding HBIN
[106]691 * block for it. NULL if one doesn't exist.
[157]692 ******************************************************************************/
[168]693const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32_t offset)
[30]694{
[157]695 return (const REGFI_HBIN*)range_list_find_data(file->hbins, offset);
[30]696}
697
698
[157]699/******************************************************************************
700 * Calculate the largest possible cell size given a physical offset.
701 * Largest size is based on the HBIN the offset is currently a member of.
702 * Returns negative values on error.
703 * (Since cells can only be ~2^31 in size, this works out.)
704 ******************************************************************************/
[168]705int32_t regfi_calc_maxsize(REGFI_FILE* file, uint32_t offset)
[157]706{
707 const REGFI_HBIN* hbin = regfi_lookup_hbin(file, offset);
708 if(hbin == NULL)
709 return -1;
[139]710
[157]711 return (hbin->block_size + hbin->file_off) - offset;
712}
713
714
[139]715/******************************************************************************
716 ******************************************************************************/
[168]717REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32_t offset,
718 uint32_t num_keys, uint32_t max_size,
[139]719 bool strict)
[127]720{
[135]721 REGFI_SUBKEY_LIST* ret_val;
[134]722
[139]723 ret_val = regfi_load_subkeylist_aux(file, offset, max_size, strict,
724 REGFI_MAX_SUBKEY_DEPTH);
[143]725 if(ret_val == NULL)
726 {
[182]727 regfi_log_add(REGFI_LOG_WARN, "Failed to load subkey list at"
[143]728 " offset 0x%.8X.", offset);
729 return NULL;
730 }
[139]731
732 if(num_keys != ret_val->num_keys)
733 {
734 /* Not sure which should be authoritative, the number from the
735 * NK record, or the number in the subkey list. Just emit a warning for
736 * now if they don't match.
737 */
[182]738 regfi_log_add(REGFI_LOG_WARN, "Number of subkeys listed in parent"
[139]739 " (%d) did not match number found in subkey list/tree (%d)"
740 " while parsing subkey list/tree at offset 0x%.8X.",
741 num_keys, ret_val->num_keys, offset);
742 }
743
744 return ret_val;
745}
746
747
748/******************************************************************************
749 ******************************************************************************/
[168]750REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32_t offset,
751 uint32_t max_size, bool strict,
752 uint8_t depth_left)
[139]753{
754 REGFI_SUBKEY_LIST* ret_val;
755 REGFI_SUBKEY_LIST** sublists;
[168]756 uint32_t i, num_sublists, off;
757 int32_t sublist_maxsize;
[139]758
759 if(depth_left == 0)
760 {
[182]761 regfi_log_add(REGFI_LOG_WARN, "Maximum depth reached"
[139]762 " while parsing subkey list/tree at offset 0x%.8X.",
763 offset);
[127]764 return NULL;
[139]765 }
[134]766
[139]767 ret_val = regfi_parse_subkeylist(file, offset, max_size, strict);
[134]768 if(ret_val == NULL)
769 return NULL;
[139]770
771 if(ret_val->recursive_type)
[127]772 {
[139]773 num_sublists = ret_val->num_children;
[150]774 sublists = (REGFI_SUBKEY_LIST**)malloc(num_sublists
[139]775 * sizeof(REGFI_SUBKEY_LIST*));
776 for(i=0; i < num_sublists; i++)
[127]777 {
[139]778 off = ret_val->elements[i].offset + REGFI_REGF_SIZE;
[157]779
780 sublist_maxsize = regfi_calc_maxsize(file, off);
781 if(sublist_maxsize < 0)
[139]782 sublists[i] = NULL;
783 else
[157]784 sublists[i] = regfi_load_subkeylist_aux(file, off, sublist_maxsize,
785 strict, depth_left-1);
[127]786 }
[150]787 talloc_free(ret_val);
[134]788
[139]789 return regfi_merge_subkeylists(num_sublists, sublists, strict);
[127]790 }
[30]791
[127]792 return ret_val;
793}
794
795
[139]796/******************************************************************************
797 ******************************************************************************/
[168]798REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32_t offset,
799 uint32_t max_size, bool strict)
[30]800{
[135]801 REGFI_SUBKEY_LIST* ret_val;
[168]802 uint32_t i, cell_length, length, elem_size, read_len;
803 uint8_t* elements = NULL;
804 uint8_t buf[REGFI_SUBKEY_LIST_MIN_LEN];
[104]805 bool unalloc;
[139]806 bool recursive_type;
[30]807
[186]808 if(!regfi_lock(file, &file->cb_lock, "regfi_parse_subkeylist"))
[180]809 goto fail;
810
[178]811 if(!regfi_parse_cell(file->cb, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN,
[104]812 &cell_length, &unalloc))
[139]813 {
[182]814 regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while "
[139]815 "parsing subkey-list at offset 0x%.8X.", offset);
[180]816 goto fail_locked;
[139]817 }
[30]818
[116]819 if(cell_length > max_size)
820 {
[182]821 regfi_log_add(REGFI_LOG_WARN, "Cell size longer than max_size"
[139]822 " while parsing subkey-list at offset 0x%.8X.", offset);
[116]823 if(strict)
[180]824 goto fail_locked;
[116]825 cell_length = max_size & 0xFFFFFFF8;
826 }
[30]827
[139]828 recursive_type = false;
[127]829 if(buf[0] == 'r' && buf[1] == 'i')
[104]830 {
[139]831 recursive_type = true;
[168]832 elem_size = sizeof(uint32_t);
[104]833 }
[139]834 else if(buf[0] == 'l' && buf[1] == 'i')
[203]835 {
[168]836 elem_size = sizeof(uint32_t);
[203]837 }
[134]838 else if((buf[0] == 'l') && (buf[1] == 'f' || buf[1] == 'h'))
[135]839 elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM);
[134]840 else
841 {
[182]842 regfi_log_add(REGFI_LOG_ERROR, "Unknown magic number"
[139]843 " (0x%.2X, 0x%.2X) encountered while parsing"
844 " subkey-list at offset 0x%.8X.", buf[0], buf[1], offset);
[180]845 goto fail_locked;
[134]846 }
847
[150]848 ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[127]849 if(ret_val == NULL)
[180]850 goto fail_locked;
[127]851
852 ret_val->offset = offset;
853 ret_val->cell_size = cell_length;
[104]854 ret_val->magic[0] = buf[0];
855 ret_val->magic[1] = buf[1];
[139]856 ret_val->recursive_type = recursive_type;
857 ret_val->num_children = SVAL(buf, 0x2);
[101]858
[139]859 if(!recursive_type)
860 ret_val->num_keys = ret_val->num_children;
[101]861
[139]862 length = elem_size*ret_val->num_children;
[168]863 if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32_t) < length)
[134]864 {
[182]865 regfi_log_add(REGFI_LOG_WARN, "Number of elements too large for"
[139]866 " cell while parsing subkey-list at offset 0x%.8X.",
867 offset);
868 if(strict)
[180]869 goto fail_locked;
[168]870 length = cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32_t);
[134]871 }
[30]872
[150]873 ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
874 ret_val->num_children);
[127]875 if(ret_val->elements == NULL)
[180]876 goto fail_locked;
[30]877
[168]878 elements = (uint8_t*)malloc(length);
[139]879 if(elements == NULL)
[180]880 goto fail_locked;
[30]881
[150]882 read_len = length;
[178]883 if(regfi_read(file->cb, elements, &read_len) != 0 || read_len!=length)
[180]884 goto fail_locked;
[30]885
[186]886 if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_subkeylist"))
[180]887 goto fail;
888
[168]889 if(elem_size == sizeof(uint32_t))
[104]890 {
[139]891 for (i=0; i < ret_val->num_children; i++)
[134]892 {
[139]893 ret_val->elements[i].offset = IVAL(elements, i*elem_size);
[134]894 ret_val->elements[i].hash = 0;
895 }
[104]896 }
[134]897 else
898 {
[139]899 for (i=0; i < ret_val->num_children; i++)
[134]900 {
[139]901 ret_val->elements[i].offset = IVAL(elements, i*elem_size);
902 ret_val->elements[i].hash = IVAL(elements, i*elem_size+4);
[134]903 }
904 }
[139]905 free(elements);
[30]906
[104]907 return ret_val;
[150]908
[180]909 fail_locked:
[186]910 regfi_unlock(file, &file->cb_lock, "regfi_parse_subkeylist");
[150]911 fail:
912 if(elements != NULL)
913 free(elements);
914 talloc_free(ret_val);
915 return NULL;
[30]916}
917
918
[139]919/*******************************************************************
920 *******************************************************************/
[168]921REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16_t num_lists,
[139]922 REGFI_SUBKEY_LIST** lists,
923 bool strict)
924{
[168]925 uint32_t i,j,k;
[139]926 REGFI_SUBKEY_LIST* ret_val;
[102]927
[139]928 if(lists == NULL)
929 return NULL;
[150]930 ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[139]931
932 if(ret_val == NULL)
933 return NULL;
934
935 /* Obtain total number of elements */
936 ret_val->num_keys = 0;
937 for(i=0; i < num_lists; i++)
938 {
939 if(lists[i] != NULL)
940 ret_val->num_keys += lists[i]->num_children;
941 }
942 ret_val->num_children = ret_val->num_keys;
943
944 if(ret_val->num_keys > 0)
945 {
[150]946 ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
947 ret_val->num_keys);
[139]948 k=0;
949
950 if(ret_val->elements != NULL)
951 {
952 for(i=0; i < num_lists; i++)
953 {
954 if(lists[i] != NULL)
955 {
956 for(j=0; j < lists[i]->num_keys; j++)
957 {
[150]958 ret_val->elements[k].hash = lists[i]->elements[j].hash;
959 ret_val->elements[k++].offset = lists[i]->elements[j].offset;
[139]960 }
961 }
962 }
963 }
964 }
965
966 for(i=0; i < num_lists; i++)
[184]967 talloc_free(lists[i]);
[139]968 free(lists);
969
970 return ret_val;
971}
972
973
[147]974/******************************************************************************
975 *
976 ******************************************************************************/
[203]977REGFI_SK* regfi_parse_sk(REGFI_FILE* file, uint32_t offset, uint32_t max_size,
[147]978 bool strict)
[30]979{
[203]980 REGFI_SK* ret_val = NULL;
[168]981 uint8_t* sec_desc_buf = NULL;
982 uint32_t cell_length, length;
983 uint8_t sk_header[REGFI_SK_MIN_LENGTH];
[102]984 bool unalloc = false;
[30]985
[186]986 if(!regfi_lock(file, &file->cb_lock, "regfi_parse_sk"))
[180]987 goto fail;
988
[178]989 if(!regfi_parse_cell(file->cb, offset, sk_header, REGFI_SK_MIN_LENGTH,
[102]990 &cell_length, &unalloc))
[137]991 {
[182]992 regfi_log_add(REGFI_LOG_WARN, "Could not parse SK record cell"
[137]993 " at offset 0x%.8X.", offset);
[180]994 goto fail_locked;
[137]995 }
[102]996
997 if(sk_header[0] != 's' || sk_header[1] != 'k')
[137]998 {
[182]999 regfi_log_add(REGFI_LOG_WARN, "Magic number mismatch in parsing"
[138]1000 " SK record at offset 0x%.8X.", offset);
[180]1001 goto fail_locked;
[137]1002 }
1003
[203]1004 ret_val = talloc(NULL, REGFI_SK);
[102]1005 if(ret_val == NULL)
[180]1006 goto fail_locked;
[30]1007
[102]1008 ret_val->offset = offset;
[116]1009 /* XXX: Is there a way to be more conservative (shorter) with
1010 * cell length when cell is unallocated?
[111]1011 */
[102]1012 ret_val->cell_size = cell_length;
[30]1013
[102]1014 if(ret_val->cell_size > max_size)
1015 ret_val->cell_size = max_size & 0xFFFFFFF8;
1016 if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
[157]1017 || (strict && (ret_val->cell_size & 0x00000007) != 0))
[102]1018 {
[182]1019 regfi_log_add(REGFI_LOG_WARN, "Invalid cell size found while"
[138]1020 " parsing SK record at offset 0x%.8X.", offset);
[180]1021 goto fail_locked;
[102]1022 }
[30]1023
[102]1024 ret_val->magic[0] = sk_header[0];
1025 ret_val->magic[1] = sk_header[1];
[30]1026
[102]1027 ret_val->unknown_tag = SVAL(sk_header, 0x2);
1028 ret_val->prev_sk_off = IVAL(sk_header, 0x4);
1029 ret_val->next_sk_off = IVAL(sk_header, 0x8);
1030 ret_val->ref_count = IVAL(sk_header, 0xC);
1031 ret_val->desc_size = IVAL(sk_header, 0x10);
[30]1032
[157]1033 if((ret_val->prev_sk_off & 0x00000007) != 0
1034 || (ret_val->next_sk_off & 0x00000007) != 0)
[140]1035 {
[182]1036 regfi_log_add(REGFI_LOG_WARN, "SK record's next/previous offsets"
[140]1037 " are not a multiple of 8 while parsing SK record at"
1038 " offset 0x%.8X.", offset);
[180]1039 goto fail_locked;
[140]1040 }
1041
[102]1042 if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
1043 {
[182]1044 regfi_log_add(REGFI_LOG_WARN, "Security descriptor too large for"
[138]1045 " cell while parsing SK record at offset 0x%.8X.",
1046 offset);
[180]1047 goto fail_locked;
[102]1048 }
[30]1049
[168]1050 sec_desc_buf = (uint8_t*)malloc(ret_val->desc_size);
[147]1051 if(sec_desc_buf == NULL)
[180]1052 goto fail_locked;
[102]1053
[134]1054 length = ret_val->desc_size;
[178]1055 if(regfi_read(file->cb, sec_desc_buf, &length) != 0
[134]1056 || length != ret_val->desc_size)
1057 {
[182]1058 regfi_log_add(REGFI_LOG_ERROR, "Failed to read security"
[138]1059 " descriptor while parsing SK record at offset 0x%.8X.",
1060 offset);
[180]1061 goto fail_locked;
[134]1062 }
[102]1063
[186]1064 if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_sk"))
[180]1065 goto fail;
1066
[147]1067 if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf,
1068 ret_val->desc_size)))
[134]1069 {
[182]1070 regfi_log_add(REGFI_LOG_ERROR, "Failed to parse security"
[138]1071 " descriptor while parsing SK record at offset 0x%.8X.",
1072 offset);
[147]1073 goto fail;
[134]1074 }
[147]1075
[134]1076 free(sec_desc_buf);
[147]1077 return ret_val;
[134]1078
[180]1079 fail_locked:
[186]1080 regfi_unlock(file, &file->cb_lock, "regfi_parse_sk");
[147]1081 fail:
1082 if(sec_desc_buf != NULL)
1083 free(sec_desc_buf);
1084 talloc_free(ret_val);
1085 return NULL;
[30]1086}
1087
1088
[168]1089REGFI_VALUE_LIST* regfi_parse_valuelist(REGFI_FILE* file, uint32_t offset,
1090 uint32_t num_values, bool strict)
[111]1091{
[145]1092 REGFI_VALUE_LIST* ret_val;
[168]1093 uint32_t i, cell_length, length, read_len;
[111]1094 bool unalloc;
[30]1095
[186]1096 if(!regfi_lock(file, &file->cb_lock, "regfi_parse_valuelist"))
[180]1097 goto fail;
1098
[178]1099 if(!regfi_parse_cell(file->cb, offset, NULL, 0, &cell_length, &unalloc))
[137]1100 {
[182]1101 regfi_log_add(REGFI_LOG_ERROR, "Failed to read cell header"
[137]1102 " while parsing value list at offset 0x%.8X.", offset);
[180]1103 goto fail_locked;
[137]1104 }
[111]1105
[157]1106 if((cell_length & 0x00000007) != 0)
[111]1107 {
[182]1108 regfi_log_add(REGFI_LOG_WARN, "Cell length not a multiple of 8"
[145]1109 " while parsing value list at offset 0x%.8X.", offset);
[111]1110 if(strict)
[180]1111 goto fail_locked;
[111]1112 cell_length = cell_length & 0xFFFFFFF8;
1113 }
[145]1114
[168]1115 if((num_values * sizeof(uint32_t)) > cell_length-sizeof(uint32_t))
[137]1116 {
[182]1117 regfi_log_add(REGFI_LOG_WARN, "Too many values found"
[137]1118 " while parsing value list at offset 0x%.8X.", offset);
[145]1119 if(strict)
[180]1120 goto fail_locked;
[168]1121 num_values = cell_length/sizeof(uint32_t) - sizeof(uint32_t);
[137]1122 }
[111]1123
[168]1124 read_len = num_values*sizeof(uint32_t);
[150]1125 ret_val = talloc(NULL, REGFI_VALUE_LIST);
[111]1126 if(ret_val == NULL)
[180]1127 goto fail_locked;
[111]1128
[150]1129 ret_val->elements = (REGFI_VALUE_LIST_ELEM*)talloc_size(ret_val, read_len);
[145]1130 if(ret_val->elements == NULL)
[180]1131 goto fail_locked;
1132
[206]1133 ret_val->offset = offset;
1134 ret_val->cell_size = cell_length;
[145]1135 ret_val->num_values = num_values;
1136
[111]1137 length = read_len;
[178]1138 if((regfi_read(file->cb, (uint8_t*)ret_val->elements, &length) != 0)
[145]1139 || length != read_len)
[111]1140 {
[182]1141 regfi_log_add(REGFI_LOG_ERROR, "Failed to read value pointers"
[137]1142 " while parsing value list at offset 0x%.8X.", offset);
[180]1143 goto fail_locked;
[111]1144 }
1145
[186]1146 if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_valuelist"))
[180]1147 goto fail;
1148
[111]1149 for(i=0; i < num_values; i++)
1150 {
1151 /* Fix endianness */
[145]1152 ret_val->elements[i] = IVAL(&ret_val->elements[i], 0);
[111]1153
1154 /* Validate the first num_values values to ensure they make sense */
1155 if(strict)
1156 {
[145]1157 /* XXX: Need to revisit this file length check when we start dealing
1158 * with partial files. */
1159 if((ret_val->elements[i] + REGFI_REGF_SIZE > file->file_length)
[157]1160 || ((ret_val->elements[i] & 0x00000007) != 0))
[111]1161 {
[182]1162 regfi_log_add(REGFI_LOG_WARN, "Invalid value pointer"
[138]1163 " (0x%.8X) found while parsing value list at offset"
[145]1164 " 0x%.8X.", ret_val->elements[i], offset);
[180]1165 goto fail;
[111]1166 }
1167 }
1168 }
1169
1170 return ret_val;
[180]1171
1172 fail_locked:
[186]1173 regfi_unlock(file, &file->cb_lock, "regfi_parse_valuelist");
[180]1174 fail:
1175 talloc_free(ret_val);
1176 return NULL;
[111]1177}
1178
[206]1179/* XXX: should give this boolean return type to indicate errors */
[203]1180void regfi_interpret_valuename(REGFI_FILE* file, REGFI_VK* vk,
[162]1181 REGFI_ENCODING output_encoding, bool strict)
[30]1182{
[165]1183 /* XXX: Registry value names are supposedly limited to 16383 characters
1184 * according to:
1185 * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
1186 * Might want to emit a warning if this is exceeded.
1187 * It is expected that "characters" could be variable width.
1188 * Also, it may be useful to use this information to limit false positives
1189 * when recovering deleted VK records.
1190 */
[172]1191 int32_t tmp_size;
1192 REGFI_ENCODING from_encoding = (vk->flags & REGFI_VK_FLAG_ASCIINAME)
[162]1193 ? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
[151]1194
[162]1195 if(from_encoding == output_encoding)
1196 {
[206]1197 vk->name_raw[vk->name_length] = '\0';
1198 vk->name = (char*)vk->name_raw;
[162]1199 }
1200 else
1201 {
[206]1202 vk->name = talloc_array(vk, char, vk->name_length+1);
1203 if(vk->name == NULL)
[172]1204 return;
[162]1205
1206 tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
1207 regfi_encoding_int2str(output_encoding),
[206]1208 vk->name_raw, vk->name,
[172]1209 vk->name_length, vk->name_length+1);
[162]1210 if(tmp_size < 0)
1211 {
[182]1212 regfi_log_add(REGFI_LOG_WARN, "Error occurred while converting"
[206]1213 " value name to encoding %s. Error message: %s",
[162]1214 regfi_encoding_int2str(output_encoding),
1215 strerror(-tmp_size));
[206]1216 talloc_free(vk->name);
1217 vk->name = NULL;
[162]1218 }
1219 }
[172]1220}
[162]1221
[172]1222
1223/******************************************************************************
1224 ******************************************************************************/
[203]1225REGFI_VK* regfi_load_value(REGFI_FILE* file, uint32_t offset,
[206]1226 REGFI_ENCODING output_encoding, bool strict)
[172]1227{
[203]1228 REGFI_VK* ret_val = NULL;
[172]1229 int32_t max_size;
1230
1231 max_size = regfi_calc_maxsize(file, offset);
1232 if(max_size < 0)
1233 return NULL;
1234
1235 ret_val = regfi_parse_vk(file, offset, max_size, strict);
1236 if(ret_val == NULL)
1237 return NULL;
1238
1239 regfi_interpret_valuename(file, ret_val, output_encoding, strict);
1240
[103]1241 return ret_val;
[30]1242}
1243
1244
[145]1245/******************************************************************************
1246 * If !strict, the list may contain NULLs, VK records may point to NULL.
1247 ******************************************************************************/
[168]1248REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32_t offset,
1249 uint32_t num_values, uint32_t max_size,
[145]1250 bool strict)
1251{
[168]1252 uint32_t usable_num_values;
[30]1253
[168]1254 if((num_values+1) * sizeof(uint32_t) > max_size)
[145]1255 {
[182]1256 regfi_log_add(REGFI_LOG_WARN, "Number of values indicated by"
[145]1257 " parent key (%d) would cause cell to straddle HBIN"
1258 " boundary while loading value list at offset"
1259 " 0x%.8X.", num_values, offset);
1260 if(strict)
1261 return NULL;
[168]1262 usable_num_values = max_size/sizeof(uint32_t) - sizeof(uint32_t);
[145]1263 }
1264 else
1265 usable_num_values = num_values;
1266
1267 return regfi_parse_valuelist(file, offset, usable_num_values, strict);
1268}
1269
1270
[206]1271/* XXX: should give this boolean return type to indicate errors */
[203]1272void regfi_interpret_keyname(REGFI_FILE* file, REGFI_NK* nk,
[161]1273 REGFI_ENCODING output_encoding, bool strict)
[30]1274{
[165]1275 /* XXX: Registry key names are supposedly limited to 255 characters according to:
1276 * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
1277 * Might want to emit a warning if this is exceeded.
1278 * It is expected that "characters" could be variable width.
1279 * Also, it may be useful to use this information to limit false positives
1280 * when recovering deleted NK records.
1281 */
[172]1282 int32_t tmp_size;
1283 REGFI_ENCODING from_encoding = (nk->flags & REGFI_NK_FLAG_ASCIINAME)
[161]1284 ? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
[172]1285
[161]1286 if(from_encoding == output_encoding)
1287 {
[206]1288 nk->name_raw[nk->name_length] = '\0';
1289 nk->name = (char*)nk->name_raw;
[161]1290 }
1291 else
1292 {
[206]1293 nk->name = talloc_array(nk, char, nk->name_length+1);
1294 if(nk->name == NULL)
[172]1295 return;
[161]1296
[206]1297 memset(nk->name,0,nk->name_length+1);
1298
[161]1299 tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
1300 regfi_encoding_int2str(output_encoding),
[206]1301 nk->name_raw, nk->name,
[161]1302 nk->name_length, nk->name_length+1);
1303 if(tmp_size < 0)
1304 {
[182]1305 regfi_log_add(REGFI_LOG_WARN, "Error occurred while converting"
[206]1306 " key name to encoding %s. Error message: %s",
[161]1307 regfi_encoding_int2str(output_encoding),
1308 strerror(-tmp_size));
[206]1309 talloc_free(nk->name);
1310 nk->name = NULL;
[161]1311 }
1312 }
[172]1313}
[161]1314
1315
[172]1316/******************************************************************************
1317 *
1318 ******************************************************************************/
[203]1319REGFI_NK* regfi_load_key(REGFI_FILE* file, uint32_t offset,
[206]1320 REGFI_ENCODING output_encoding, bool strict)
[172]1321{
[203]1322 REGFI_NK* nk;
[172]1323 uint32_t off;
1324 int32_t max_size;
1325
1326 max_size = regfi_calc_maxsize(file, offset);
1327 if (max_size < 0)
1328 return NULL;
1329
1330 /* get the initial nk record */
1331 if((nk = regfi_parse_nk(file, offset, max_size, true)) == NULL)
1332 {
[182]1333 regfi_log_add(REGFI_LOG_ERROR, "Could not load NK record at"
1334 " offset 0x%.8X.", offset);
[172]1335 return NULL;
1336 }
1337
1338 regfi_interpret_keyname(file, nk, output_encoding, strict);
1339
[146]1340 /* get value list */
[135]1341 if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
[32]1342 {
[157]1343 off = nk->values_off + REGFI_REGF_SIZE;
1344 max_size = regfi_calc_maxsize(file, off);
1345 if(max_size < 0)
[32]1346 {
[105]1347 if(strict)
[32]1348 {
[184]1349 talloc_free(nk);
[99]1350 return NULL;
[31]1351 }
[105]1352 else
1353 nk->values = NULL;
[133]1354
[31]1355 }
[105]1356 else
[103]1357 {
[157]1358 nk->values = regfi_load_valuelist(file, off, nk->num_values,
1359 max_size, true);
[145]1360 if(nk->values == NULL)
[105]1361 {
[182]1362 regfi_log_add(REGFI_LOG_WARN, "Could not load value list"
1363 " for NK record at offset 0x%.8X.", offset);
[145]1364 if(strict)
1365 {
[184]1366 talloc_free(nk);
[145]1367 return NULL;
1368 }
[105]1369 }
[181]1370 talloc_steal(nk, nk->values);
[103]1371 }
[31]1372 }
[105]1373
[146]1374 /* now get subkey list */
[135]1375 if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE))
[32]1376 {
[157]1377 off = nk->subkeys_off + REGFI_REGF_SIZE;
1378 max_size = regfi_calc_maxsize(file, off);
1379 if(max_size < 0)
[32]1380 {
[105]1381 if(strict)
[32]1382 {
[184]1383 talloc_free(nk);
[99]1384 return NULL;
[31]1385 }
[105]1386 else
1387 nk->subkeys = NULL;
[31]1388 }
[105]1389 else
[104]1390 {
[134]1391 nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys,
[157]1392 max_size, true);
[134]1393
[105]1394 if(nk->subkeys == NULL)
1395 {
[182]1396 regfi_log_add(REGFI_LOG_WARN, "Could not load subkey list"
1397 " while parsing NK record at offset 0x%.8X.", offset);
[105]1398 nk->num_subkeys = 0;
1399 }
[181]1400 talloc_steal(nk, nk->subkeys);
[104]1401 }
[31]1402 }
[30]1403
[99]1404 return nk;
[30]1405}
1406
[32]1407
[102]1408/******************************************************************************
1409 ******************************************************************************/
[203]1410const REGFI_SK* regfi_load_sk(REGFI_FILE* file, uint32_t offset, bool strict)
[146]1411{
[203]1412 REGFI_SK* ret_val = NULL;
[168]1413 int32_t max_size;
[147]1414 void* failure_ptr = NULL;
1415
[184]1416 max_size = regfi_calc_maxsize(file, offset);
1417 if(max_size < 0)
1418 return NULL;
1419
1420 if(file->sk_cache == NULL)
1421 return regfi_parse_sk(file, offset, max_size, strict);
1422
[186]1423 if(!regfi_lock(file, &file->sk_lock, "regfi_load_sk"))
[180]1424 return NULL;
1425
[146]1426 /* First look if we have already parsed it */
[203]1427 ret_val = (REGFI_SK*)lru_cache_find(file->sk_cache, &offset, 4);
[146]1428
1429 /* Bail out if we have previously cached a parse failure at this offset. */
1430 if(ret_val == (void*)REGFI_OFFSET_NONE)
1431 return NULL;
1432
1433 if(ret_val == NULL)
1434 {
[157]1435 ret_val = regfi_parse_sk(file, offset, max_size, strict);
[146]1436 if(ret_val == NULL)
1437 { /* Cache the parse failure and bail out. */
[147]1438 failure_ptr = talloc(NULL, uint32_t);
1439 if(failure_ptr == NULL)
1440 return NULL;
1441 *(uint32_t*)failure_ptr = REGFI_OFFSET_NONE;
1442 lru_cache_update(file->sk_cache, &offset, 4, failure_ptr);
[184]1443
1444 /* Let the cache be the only owner of this */
1445 talloc_unlink(NULL, failure_ptr);
[146]1446 return NULL;
1447 }
1448 }
1449
[186]1450 if(!regfi_unlock(file, &file->sk_lock, "regfi_load_sk"))
[184]1451 {
1452 talloc_unlink(NULL, ret_val);
[180]1453 return NULL;
[184]1454 }
[180]1455
[146]1456 return ret_val;
1457}
1458
1459
1460
1461/******************************************************************************
1462 ******************************************************************************/
[203]1463REGFI_NK* regfi_find_root_nk(REGFI_FILE* file, const REGFI_HBIN* hbin,
[206]1464 REGFI_ENCODING output_encoding)
[30]1465{
[203]1466 REGFI_NK* nk = NULL;
[168]1467 uint32_t cell_length;
1468 uint32_t cur_offset = hbin->file_off+REGFI_HBIN_HEADER_SIZE;
1469 uint32_t hbin_end = hbin->file_off+hbin->block_size;
[158]1470 bool unalloc;
[30]1471
[158]1472 while(cur_offset < hbin_end)
[32]1473 {
[180]1474
[186]1475 if(!regfi_lock(file, &file->cb_lock, "regfi_find_root_nk"))
[180]1476 return NULL;
1477
[178]1478 if(!regfi_parse_cell(file->cb, cur_offset, NULL, 0, &cell_length, &unalloc))
[158]1479 {
[182]1480 regfi_log_add(REGFI_LOG_WARN, "Could not parse cell at offset"
1481 " 0x%.8X while searching for root key.", cur_offset);
[158]1482 return NULL;
1483 }
[180]1484
[186]1485 if(!regfi_unlock(file, &file->cb_lock, "regfi_find_root_nk"))
[180]1486 return NULL;
1487
[158]1488 if(!unalloc)
[102]1489 {
[161]1490 nk = regfi_load_key(file, cur_offset, output_encoding, true);
[102]1491 if(nk != NULL)
1492 {
[161]1493 if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]1494 return nk;
[102]1495 }
[31]1496 }
[30]1497
[158]1498 cur_offset += cell_length;
[31]1499 }
[32]1500
[158]1501 return NULL;
[30]1502}
1503
1504
[178]1505
[166]1506/******************************************************************************
1507 ******************************************************************************/
[206]1508REGFI_FILE* regfi_alloc(int fd, REGFI_ENCODING output_encoding)
[30]1509{
[166]1510 REGFI_FILE* ret_val;
[178]1511 REGFI_RAW_FILE* file_cb = talloc(NULL, REGFI_RAW_FILE);
1512 if(file_cb == NULL)
[31]1513 return NULL;
[166]1514
[178]1515 file_cb->state = (void*)talloc(file_cb, int);
1516 if(file_cb->state == NULL)
1517 goto fail;
1518 *(int*)file_cb->state = fd;
1519
1520 file_cb->cur_off = 0;
1521 file_cb->size = 0;
1522 file_cb->read = &regfi_raw_read;
1523 file_cb->seek = &regfi_raw_seek;
1524
[206]1525 ret_val = regfi_alloc_cb(file_cb, output_encoding);
[166]1526 if(ret_val == NULL)
[178]1527 goto fail;
[166]1528
[178]1529 /* In this case, we want file_cb to be freed when ret_val is */
[181]1530 talloc_steal(ret_val, file_cb);
[166]1531 return ret_val;
[178]1532
1533 fail:
1534 talloc_free(file_cb);
1535 return NULL;
[166]1536}
1537
1538
[186]1539/******************************************************************************
1540 ******************************************************************************/
1541int regfi_free_cb(void* f)
1542{
1543 REGFI_FILE* file = (REGFI_FILE*)f;
[178]1544
[186]1545 pthread_mutex_destroy(&file->cb_lock);
1546 pthread_rwlock_destroy(&file->hbins_lock);
1547 pthread_mutex_destroy(&file->sk_lock);
1548
1549 return 0;
1550}
1551
1552
1553/******************************************************************************
1554 ******************************************************************************/
[206]1555REGFI_FILE* regfi_alloc_cb(REGFI_RAW_FILE* file_cb,
1556 REGFI_ENCODING output_encoding)
[166]1557{
1558 REGFI_FILE* rb;
1559 REGFI_HBIN* hbin = NULL;
[178]1560 uint32_t hbin_off, cache_secret;
1561 int32_t file_length;
[166]1562 bool rla;
1563
[178]1564 /* Determine file length. Must be at least big enough for the header
1565 * and one hbin.
[137]1566 */
[178]1567 file_length = file_cb->seek(file_cb, 0, SEEK_END);
[137]1568 if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC)
[182]1569 {
1570 regfi_log_add(REGFI_LOG_ERROR, "File length (%d) too short to contain a"
1571 " header and at least one HBIN.", file_length);
[137]1572 return NULL;
[182]1573 }
[178]1574 file_cb->seek(file_cb, 0, SEEK_SET);
[137]1575
[206]1576 if(output_encoding != REGFI_ENCODING_UTF8
1577 && output_encoding != REGFI_ENCODING_ASCII)
1578 {
1579 regfi_log_add(REGFI_LOG_ERROR, "Invalid output_encoding supplied"
1580 " in creation of regfi iterator.");
1581 return NULL;
1582 }
1583
[166]1584 /* Read file header */
[203]1585 if ((rb = regfi_parse_regf(file_cb, false)) == NULL)
[97]1586 {
[182]1587 regfi_log_add(REGFI_LOG_ERROR, "Failed to read REGF block.");
[31]1588 return NULL;
1589 }
[203]1590 rb->file_length = file_length;
[178]1591 rb->cb = file_cb;
[206]1592 rb->string_encoding = output_encoding;
[137]1593
[186]1594 if(pthread_mutex_init(&rb->cb_lock, NULL) != 0)
[182]1595 {
1596 regfi_log_add(REGFI_LOG_ERROR, "Failed to create cb_lock mutex.");
[180]1597 goto fail;
[182]1598 }
[180]1599
[186]1600 if(pthread_rwlock_init(&rb->hbins_lock, NULL) != 0)
[182]1601 {
1602 regfi_log_add(REGFI_LOG_ERROR, "Failed to create hbins_lock rwlock.");
[180]1603 goto fail;
[182]1604 }
[180]1605
[186]1606 if(pthread_mutex_init(&rb->sk_lock, NULL) != 0)
[182]1607 {
1608 regfi_log_add(REGFI_LOG_ERROR, "Failed to create sk_lock mutex.");
[180]1609 goto fail;
[182]1610 }
[180]1611
[99]1612 rb->hbins = range_list_new();
[110]1613 if(rb->hbins == NULL)
[182]1614 {
1615 regfi_log_add(REGFI_LOG_ERROR, "Failed to create HBIN range_list.");
[180]1616 goto fail;
[182]1617 }
[181]1618 talloc_steal(rb, rb->hbins);
[150]1619
[106]1620 rla = true;
[135]1621 hbin_off = REGFI_REGF_SIZE;
[110]1622 hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]1623 while(hbin && rla)
1624 {
[137]1625 rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
[148]1626 if(rla)
[181]1627 talloc_steal(rb->hbins, hbin);
[180]1628
[106]1629 hbin_off = hbin->file_off + hbin->block_size;
[110]1630 hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]1631 }
1632
[146]1633 /* This secret isn't very secret, but we don't need a good one. This
1634 * secret is just designed to prevent someone from trying to blow our
1635 * caching and make things slow.
1636 */
1637 cache_secret = 0x15DEAD05^time(NULL)^(getpid()<<16);
1638
[184]1639 if(REGFI_CACHE_SK)
1640 rb->sk_cache = lru_cache_create_ctx(rb, 64, cache_secret, true);
1641 else
1642 rb->sk_cache = NULL;
[146]1643
[31]1644 /* success */
[186]1645 talloc_set_destructor(rb, regfi_free_cb);
[31]1646 return rb;
[180]1647
1648 fail:
[186]1649 pthread_mutex_destroy(&rb->cb_lock);
1650 pthread_rwlock_destroy(&rb->hbins_lock);
1651 pthread_mutex_destroy(&rb->sk_lock);
[180]1652
1653 range_list_free(rb->hbins);
1654 talloc_free(rb);
1655 return NULL;
[30]1656}
1657
1658
[148]1659/******************************************************************************
1660 ******************************************************************************/
[186]1661void regfi_free(REGFI_FILE* file)
[166]1662{
[186]1663 /* Callback handles cleanup side effects */
[150]1664 talloc_free(file);
[30]1665}
1666
1667
[80]1668/******************************************************************************
[158]1669 * First checks the offset given by the file header, then checks the
1670 * rest of the file if that fails.
[148]1671 ******************************************************************************/
[215]1672const REGFI_NK* regfi_get_rootkey(REGFI_FILE* file)
[30]1673{
[203]1674 REGFI_NK* nk = NULL;
[146]1675 REGFI_HBIN* hbin;
[168]1676 uint32_t root_offset, i, num_hbins;
[99]1677
1678 if(!file)
[31]1679 return NULL;
[99]1680
[158]1681 root_offset = file->root_cell+REGFI_REGF_SIZE;
[206]1682 nk = regfi_load_key(file, root_offset, file->string_encoding, true);
[158]1683 if(nk != NULL)
1684 {
[161]1685 if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]1686 return nk;
1687 }
1688
[182]1689 regfi_log_add(REGFI_LOG_WARN, "File header indicated root key at"
1690 " location 0x%.8X, but no root key found."
1691 " Searching rest of file...", root_offset);
[158]1692
1693 /* If the file header gives bad info, scan through the file one HBIN
1694 * block at a time looking for an NK record with a root key type.
[146]1695 */
[180]1696
[215]1697 if(!regfi_read_lock(file, &file->hbins_lock, "regfi_get_rootkey"))
[180]1698 return NULL;
1699
[107]1700 num_hbins = range_list_size(file->hbins);
[158]1701 for(i=0; i < num_hbins && nk == NULL; i++)
[99]1702 {
[135]1703 hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data;
[206]1704 nk = regfi_find_root_nk(file, hbin, file->string_encoding);
[31]1705 }
[30]1706
[215]1707 if(!regfi_rw_unlock(file, &file->hbins_lock, "regfi_get_rootkey"))
[180]1708 return NULL;
1709
[80]1710 return nk;
[30]1711}
1712
1713
[80]1714/******************************************************************************
1715 *****************************************************************************/
[184]1716void regfi_free_record(const void* record)
[30]1717{
[184]1718 talloc_unlink(NULL, (void*)record);
[150]1719}
[127]1720
[80]1721
1722
[207]1723
[80]1724/******************************************************************************
1725 *****************************************************************************/
[207]1726uint32_t regfi_fetch_num_subkeys(const REGFI_NK* key)
1727{
1728 uint32_t num_in_list = 0;
[215]1729 if(key == NULL)
1730 return 0;
1731
[207]1732 if(key->subkeys != NULL)
1733 num_in_list = key->subkeys->num_keys;
1734
1735 if(num_in_list != key->num_subkeys)
1736 {
1737 regfi_log_add(REGFI_LOG_INFO, "Key at offset 0x%.8X contains %d keys in its"
1738 " subkey list but reports %d should be available.",
1739 key->offset, num_in_list, key->num_subkeys);
1740 return (num_in_list < key->num_subkeys)?num_in_list:key->num_subkeys;
1741 }
1742
1743 return num_in_list;
1744}
1745
1746
1747/******************************************************************************
1748 *****************************************************************************/
1749uint32_t regfi_fetch_num_values(const REGFI_NK* key)
1750{
1751 uint32_t num_in_list = 0;
[215]1752 if(key == NULL)
1753 return 0;
1754
[207]1755 if(key->values != NULL)
1756 num_in_list = key->values->num_values;
1757
1758 if(num_in_list != key->num_values)
1759 {
1760 regfi_log_add(REGFI_LOG_INFO, "Key at offset 0x%.8X contains %d values in"
1761 " its value list but reports %d should be available.",
1762 key->offset, num_in_list, key->num_values);
1763 return (num_in_list < key->num_values)?num_in_list:key->num_values;
1764 }
1765
1766 return num_in_list;
1767}
1768
1769
1770/******************************************************************************
1771 *****************************************************************************/
[206]1772REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* file)
[80]1773{
[203]1774 REGFI_NK* root;
[161]1775 REGFI_ITERATOR* ret_val;
1776
1777 ret_val = talloc(NULL, REGFI_ITERATOR);
[80]1778 if(ret_val == NULL)
1779 return NULL;
1780
[215]1781 root = (REGFI_NK*)regfi_get_rootkey(file);
[80]1782 if(root == NULL)
1783 {
[150]1784 talloc_free(ret_val);
[80]1785 return NULL;
1786 }
[181]1787 ret_val->cur_key = root;
[213]1788 talloc_reparent(NULL, ret_val, root);
[80]1789
[135]1790 ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH);
[80]1791 if(ret_val->key_positions == NULL)
1792 {
[150]1793 talloc_free(ret_val);
[80]1794 return NULL;
1795 }
[181]1796 talloc_steal(ret_val, ret_val->key_positions);
[80]1797
[159]1798 ret_val->f = file;
[80]1799 ret_val->cur_subkey = 0;
1800 ret_val->cur_value = 0;
[161]1801
[80]1802 return ret_val;
1803}
1804
1805
1806/******************************************************************************
1807 *****************************************************************************/
1808void regfi_iterator_free(REGFI_ITERATOR* i)
1809{
[150]1810 talloc_free(i);
[80]1811}
1812
1813
1814
1815/******************************************************************************
1816 *****************************************************************************/
1817/* XXX: some way of indicating reason for failure should be added. */
1818bool regfi_iterator_down(REGFI_ITERATOR* i)
1819{
[203]1820 REGFI_NK* subkey;
[80]1821 REGFI_ITER_POSITION* pos;
1822
[150]1823 pos = talloc(i->key_positions, REGFI_ITER_POSITION);
[80]1824 if(pos == NULL)
1825 return false;
1826
[203]1827 subkey = (REGFI_NK*)regfi_iterator_cur_subkey(i);
[80]1828 if(subkey == NULL)
1829 {
[150]1830 talloc_free(pos);
[80]1831 return false;
1832 }
1833
1834 pos->nk = i->cur_key;
1835 pos->cur_subkey = i->cur_subkey;
1836 if(!void_stack_push(i->key_positions, pos))
1837 {
[150]1838 talloc_free(pos);
[184]1839 talloc_unlink(NULL, subkey);
[80]1840 return false;
1841 }
[213]1842 talloc_reparent(NULL, i, subkey);
[80]1843
1844 i->cur_key = subkey;
1845 i->cur_subkey = 0;
1846 i->cur_value = 0;
1847
1848 return true;
1849}
1850
1851
1852/******************************************************************************
1853 *****************************************************************************/
1854bool regfi_iterator_up(REGFI_ITERATOR* i)
1855{
1856 REGFI_ITER_POSITION* pos;
1857
1858 pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
1859 if(pos == NULL)
1860 return false;
1861
[184]1862 talloc_unlink(i, i->cur_key);
[80]1863 i->cur_key = pos->nk;
1864 i->cur_subkey = pos->cur_subkey;
1865 i->cur_value = 0;
[150]1866 talloc_free(pos);
[80]1867
1868 return true;
1869}
1870
1871
1872/******************************************************************************
1873 *****************************************************************************/
1874bool regfi_iterator_to_root(REGFI_ITERATOR* i)
1875{
1876 while(regfi_iterator_up(i))
1877 continue;
1878
1879 return true;
1880}
1881
1882
1883/******************************************************************************
1884 *****************************************************************************/
[207]1885bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* name)
[80]1886{
[207]1887 uint32_t new_index;
[133]1888
[207]1889 if(regfi_find_subkey(i->f, i->cur_key, name, &new_index))
[80]1890 {
[207]1891 i->cur_subkey = new_index;
1892 return true;
[80]1893 }
1894
[207]1895 return false;
[80]1896}
1897
1898
1899/******************************************************************************
1900 *****************************************************************************/
1901bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
1902{
[168]1903 uint32_t x;
[80]1904 if(path == NULL)
1905 return false;
1906
1907 for(x=0;
1908 ((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
1909 && regfi_iterator_down(i));
1910 x++)
1911 { continue; }
1912
1913 if(path[x] == NULL)
[215]1914 {
[80]1915 return true;
[215]1916 }
1917
[80]1918 /* XXX: is this the right number of times? */
1919 for(; x > 0; x--)
1920 regfi_iterator_up(i);
1921
1922 return false;
1923}
1924
1925
1926/******************************************************************************
1927 *****************************************************************************/
[203]1928const REGFI_NK* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]1929{
[213]1930 talloc_reference(NULL, i->cur_key);
[80]1931 return i->cur_key;
1932}
1933
1934
1935/******************************************************************************
1936 *****************************************************************************/
[206]1937const REGFI_SK* regfi_fetch_sk(REGFI_FILE* file, const REGFI_NK* key)
[109]1938{
[206]1939 if(key == NULL || key->sk_off == REGFI_OFFSET_NONE)
[109]1940 return NULL;
1941
[206]1942 return regfi_load_sk(file, key->sk_off + REGFI_REGF_SIZE, true);
[109]1943}
1944
1945
1946/******************************************************************************
1947 *****************************************************************************/
[199]1948bool regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]1949{
1950 i->cur_subkey = 0;
[199]1951
1952 return ((i->cur_key != NULL) && (i->cur_key->subkeys_off!=REGFI_OFFSET_NONE)
[207]1953 && (i->cur_subkey < regfi_fetch_num_subkeys(i->cur_key)));
[80]1954}
1955
1956
1957/******************************************************************************
1958 *****************************************************************************/
[203]1959const REGFI_NK* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]1960{
[207]1961 return regfi_get_subkey(i->f, i->cur_key, i->cur_subkey);
[30]1962}
[80]1963
1964
1965/******************************************************************************
1966 *****************************************************************************/
[199]1967bool regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]1968{
1969 i->cur_subkey++;
1970
[199]1971 return ((i->cur_key != NULL) && (i->cur_key->subkeys_off!=REGFI_OFFSET_NONE)
[207]1972 && (i->cur_subkey < regfi_fetch_num_subkeys(i->cur_key)));
[80]1973}
1974
1975
1976/******************************************************************************
1977 *****************************************************************************/
[207]1978bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* name)
[80]1979{
[207]1980 uint32_t new_index;
[80]1981
[207]1982 if(regfi_find_value(i->f, i->cur_key, name, &new_index))
[80]1983 {
[207]1984 i->cur_value = new_index;
1985 return true;
[80]1986 }
1987
[207]1988 return false;
[80]1989}
1990
1991
1992/******************************************************************************
1993 *****************************************************************************/
[199]1994bool regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]1995{
1996 i->cur_value = 0;
[199]1997 return (i->cur_key->values != NULL && i->cur_key->values->elements != NULL
[207]1998 && (i->cur_value < regfi_fetch_num_values(i->cur_key)));
[80]1999}
2000
2001
2002/******************************************************************************
2003 *****************************************************************************/
[203]2004const REGFI_VK* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]2005{
[207]2006 return regfi_get_value(i->f, i->cur_key, i->cur_value);
[80]2007}
2008
2009
2010/******************************************************************************
2011 *****************************************************************************/
[199]2012bool regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]2013{
2014 i->cur_value++;
[199]2015 return (i->cur_key->values != NULL && i->cur_key->values->elements != NULL
[207]2016 && (i->cur_value < regfi_fetch_num_values(i->cur_key)));
[80]2017}
[97]2018
2019
[159]2020/******************************************************************************
2021 *****************************************************************************/
[206]2022const REGFI_CLASSNAME* regfi_fetch_classname(REGFI_FILE* file,
2023 const REGFI_NK* key)
[160]2024{
2025 REGFI_CLASSNAME* ret_val;
[168]2026 uint8_t* raw;
[160]2027 char* interpreted;
[168]2028 uint32_t offset;
2029 int32_t conv_size, max_size;
2030 uint16_t parse_length;
[160]2031
2032 if(key->classname_off == REGFI_OFFSET_NONE || key->classname_length == 0)
2033 return NULL;
2034
2035 offset = key->classname_off + REGFI_REGF_SIZE;
[206]2036 max_size = regfi_calc_maxsize(file, offset);
[160]2037 if(max_size <= 0)
2038 return NULL;
2039
2040 parse_length = key->classname_length;
[206]2041 raw = regfi_parse_classname(file, offset, &parse_length, max_size, true);
[160]2042
2043 if(raw == NULL)
2044 {
[182]2045 regfi_log_add(REGFI_LOG_WARN, "Could not parse class"
2046 " name at offset 0x%.8X for key record at offset 0x%.8X.",
2047 offset, key->offset);
[160]2048 return NULL;
2049 }
2050
2051 ret_val = talloc(NULL, REGFI_CLASSNAME);
2052 if(ret_val == NULL)
2053 return NULL;
2054
[206]2055 ret_val->offset = offset;
[160]2056 ret_val->raw = raw;
2057 ret_val->size = parse_length;
[181]2058 talloc_steal(ret_val, raw);
[160]2059
2060 interpreted = talloc_array(NULL, char, parse_length);
2061
[161]2062 conv_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
[206]2063 regfi_encoding_int2str(file->string_encoding),
[160]2064 raw, interpreted,
2065 parse_length, parse_length);
2066 if(conv_size < 0)
2067 {
[182]2068 regfi_log_add(REGFI_LOG_WARN, "Error occurred while"
2069 " converting classname to charset %s. Error message: %s",
[206]2070 file->string_encoding, strerror(-conv_size));
[160]2071 talloc_free(interpreted);
2072 ret_val->interpreted = NULL;
2073 }
2074 else
2075 {
2076 interpreted = talloc_realloc(NULL, interpreted, char, conv_size);
2077 ret_val->interpreted = interpreted;
[181]2078 talloc_steal(ret_val, interpreted);
[160]2079 }
2080
2081 return ret_val;
2082}
2083
2084
2085/******************************************************************************
2086 *****************************************************************************/
[206]2087const REGFI_DATA* regfi_fetch_data(REGFI_FILE* file,
2088 const REGFI_VK* value)
[159]2089{
2090 REGFI_DATA* ret_val = NULL;
2091 REGFI_BUFFER raw_data;
2092
2093 if(value->data_size != 0)
2094 {
[206]2095 raw_data = regfi_load_data(file, value->data_off, value->data_size,
[209]2096 value->data_in_offset, true);
[159]2097 if(raw_data.buf == NULL)
2098 {
[182]2099 regfi_log_add(REGFI_LOG_WARN, "Could not parse data record"
2100 " while parsing VK record at offset 0x%.8X.",
2101 value->offset);
[159]2102 }
2103 else
2104 {
2105 ret_val = regfi_buffer_to_data(raw_data);
2106
2107 if(ret_val == NULL)
2108 {
[182]2109 regfi_log_add(REGFI_LOG_WARN, "Error occurred in converting"
2110 " data buffer to data structure while interpreting "
2111 "data for VK record at offset 0x%.8X.",
2112 value->offset);
[159]2113 talloc_free(raw_data.buf);
2114 return NULL;
2115 }
2116
[206]2117 if(!regfi_interpret_data(file, file->string_encoding,
2118 value->type, ret_val))
[159]2119 {
[182]2120 regfi_log_add(REGFI_LOG_INFO, "Error occurred while"
2121 " interpreting data for VK record at offset 0x%.8X.",
2122 value->offset);
[159]2123 }
2124 }
2125 }
2126
2127 return ret_val;
2128}
2129
2130
[207]2131
[159]2132/******************************************************************************
2133 *****************************************************************************/
[207]2134bool regfi_find_subkey(REGFI_FILE* file, const REGFI_NK* key,
2135 const char* name, uint32_t* index)
2136{
2137 const REGFI_NK* cur;
2138 uint32_t i;
2139 uint32_t num_subkeys = regfi_fetch_num_subkeys(key);
2140 bool found = false;
2141
2142 /* XXX: cur->name can be NULL in the registry.
2143 * Should we allow for a way to search for that?
2144 */
2145 if(name == NULL)
2146 return false;
2147
2148 for(i=0; (i < num_subkeys) && (found == false); i++)
2149 {
2150 cur = regfi_get_subkey(file, key, i);
2151 if(cur == NULL)
2152 return false;
2153
2154 if((cur->name != NULL)
2155 && (strcasecmp(cur->name, name) == 0))
2156 {
2157 found = true;
2158 *index = i;
2159 }
2160
2161 regfi_free_record(cur);
2162 }
2163
2164 return found;
2165}
2166
2167
2168
2169/******************************************************************************
2170 *****************************************************************************/
2171bool regfi_find_value(REGFI_FILE* file, const REGFI_NK* key,
2172 const char* name, uint32_t* index)
2173{
2174 const REGFI_VK* cur;
2175 uint32_t i;
2176 uint32_t num_values = regfi_fetch_num_values(key);
2177 bool found = false;
2178
2179 /* XXX: cur->name can be NULL in the registry.
2180 * Should we allow for a way to search for that?
2181 */
2182 if(name == NULL)
2183 return false;
2184
2185 for(i=0; (i < num_values) && (found == false); i++)
2186 {
2187 cur = regfi_get_value(file, key, i);
2188 if(cur == NULL)
2189 return false;
2190
2191 if((cur->name != NULL)
2192 && (strcasecmp(cur->name, name) == 0))
2193 {
2194 found = true;
2195 *index = i;
2196 }
2197
2198 regfi_free_record(cur);
2199 }
2200
2201 return found;
2202}
2203
2204
2205
2206/******************************************************************************
2207 *****************************************************************************/
2208const REGFI_NK* regfi_get_subkey(REGFI_FILE* file, const REGFI_NK* key,
2209 uint32_t index)
2210{
2211 if(index < regfi_fetch_num_subkeys(key))
2212 {
2213 return regfi_load_key(file,
2214 key->subkeys->elements[index].offset+REGFI_REGF_SIZE,
2215 file->string_encoding, true);
2216 }
2217
2218 return NULL;
2219}
2220
2221
2222/******************************************************************************
2223 *****************************************************************************/
2224const REGFI_VK* regfi_get_value(REGFI_FILE* file, const REGFI_NK* key,
2225 uint32_t index)
2226{
2227 if(index < regfi_fetch_num_values(key))
2228 {
2229 return regfi_load_value(file,
2230 key->values->elements[index]+REGFI_REGF_SIZE,
2231 file->string_encoding, true);
2232 }
2233
2234 return NULL;
2235}
2236
2237
[215]2238
[207]2239/******************************************************************************
2240 *****************************************************************************/
[215]2241const REGFI_NK* regfi_get_parentkey(REGFI_FILE* file, const REGFI_NK* key)
2242{
2243 if(key != NULL && key->parent_off != REGFI_OFFSET_NONE)
2244 {
2245 /* fprintf(stderr, "key->parent_off=%.8X\n", key->parent_off);*/
2246 return regfi_load_key(file,
2247 key->parent_off+REGFI_REGF_SIZE,
2248 file->string_encoding, true);
2249 }
2250
2251 return NULL;
2252}
2253
2254
2255
2256/******************************************************************************
2257 *****************************************************************************/
[159]2258REGFI_DATA* regfi_buffer_to_data(REGFI_BUFFER raw_data)
2259{
2260 REGFI_DATA* ret_val;
2261
2262 if(raw_data.buf == NULL)
2263 return NULL;
2264
2265 ret_val = talloc(NULL, REGFI_DATA);
2266 if(ret_val == NULL)
2267 return NULL;
2268
[181]2269 talloc_steal(ret_val, raw_data.buf);
[159]2270 ret_val->raw = raw_data.buf;
2271 ret_val->size = raw_data.len;
2272 ret_val->interpreted_size = 0;
2273 ret_val->interpreted.qword = 0;
2274
2275 return ret_val;
2276}
2277
2278
2279/******************************************************************************
2280 *****************************************************************************/
[161]2281bool regfi_interpret_data(REGFI_FILE* file, REGFI_ENCODING string_encoding,
[168]2282 uint32_t type, REGFI_DATA* data)
[159]2283{
[168]2284 uint8_t** tmp_array;
2285 uint8_t* tmp_str;
2286 int32_t tmp_size;
2287 uint32_t i, j, array_size;
[159]2288
2289 if(data == NULL)
2290 return false;
2291
2292 switch (type)
2293 {
2294 case REG_SZ:
2295 case REG_EXPAND_SZ:
2296 /* REG_LINK is a symbolic link, stored as a unicode string. */
2297 case REG_LINK:
[168]2298 tmp_str = talloc_array(NULL, uint8_t, data->size);
[159]2299 if(tmp_str == NULL)
2300 {
2301 data->interpreted.string = NULL;
2302 data->interpreted_size = 0;
2303 return false;
2304 }
2305
[161]2306 tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
2307 regfi_encoding_int2str(string_encoding),
[159]2308 data->raw, (char*)tmp_str,
2309 data->size, data->size);
2310 if(tmp_size < 0)
2311 {
[182]2312 regfi_log_add(REGFI_LOG_INFO, "Error occurred while"
[193]2313 " converting data of type %d to %d. Error message: %s",
[182]2314 type, string_encoding, strerror(-tmp_size));
[159]2315 talloc_free(tmp_str);
2316 data->interpreted.string = NULL;
2317 data->interpreted_size = 0;
2318 return false;
2319 }
2320
[168]2321 tmp_str = talloc_realloc(NULL, tmp_str, uint8_t, tmp_size);
[159]2322 data->interpreted.string = tmp_str;
2323 data->interpreted_size = tmp_size;
[181]2324 talloc_steal(data, tmp_str);
[159]2325 break;
2326
2327 case REG_DWORD:
2328 if(data->size < 4)
2329 {
2330 data->interpreted.dword = 0;
2331 data->interpreted_size = 0;
2332 return false;
2333 }
2334 data->interpreted.dword = IVAL(data->raw, 0);
2335 data->interpreted_size = 4;
2336 break;
2337
2338 case REG_DWORD_BE:
2339 if(data->size < 4)
2340 {
2341 data->interpreted.dword_be = 0;
2342 data->interpreted_size = 0;
2343 return false;
2344 }
2345 data->interpreted.dword_be = RIVAL(data->raw, 0);
2346 data->interpreted_size = 4;
2347 break;
2348
2349 case REG_QWORD:
2350 if(data->size < 8)
2351 {
2352 data->interpreted.qword = 0;
2353 data->interpreted_size = 0;
2354 return false;
2355 }
2356 data->interpreted.qword =
[168]2357 (uint64_t)IVAL(data->raw, 0) + (((uint64_t)IVAL(data->raw, 4))<<32);
[159]2358 data->interpreted_size = 8;
2359 break;
2360
2361 case REG_MULTI_SZ:
[168]2362 tmp_str = talloc_array(NULL, uint8_t, data->size);
[159]2363 if(tmp_str == NULL)
2364 {
2365 data->interpreted.multiple_string = NULL;
2366 data->interpreted_size = 0;
2367 return false;
2368 }
2369
2370 /* Attempt to convert entire string from UTF-16LE to output encoding,
2371 * then parse and quote fields individually.
2372 */
[161]2373 tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
2374 regfi_encoding_int2str(string_encoding),
[159]2375 data->raw, (char*)tmp_str,
2376 data->size, data->size);
2377 if(tmp_size < 0)
2378 {
[182]2379 regfi_log_add(REGFI_LOG_INFO, "Error occurred while"
2380 " converting data of type %d to %s. Error message: %s",
2381 type, string_encoding, strerror(-tmp_size));
[159]2382 talloc_free(tmp_str);
2383 data->interpreted.multiple_string = NULL;
2384 data->interpreted_size = 0;
2385 return false;
2386 }
2387
2388 array_size = tmp_size+1;
[168]2389 tmp_array = talloc_array(NULL, uint8_t*, array_size);
[159]2390 if(tmp_array == NULL)
2391 {
2392 talloc_free(tmp_str);
2393 data->interpreted.string = NULL;
2394 data->interpreted_size = 0;
2395 return false;
2396 }
2397
2398 tmp_array[0] = tmp_str;
2399 for(i=0,j=1; i < tmp_size && j < array_size-1; i++)
2400 {
[209]2401 if(tmp_str[i] == '\0' && (i+1 < tmp_size) && tmp_str[i+1] != '\0')
[159]2402 tmp_array[j++] = tmp_str+i+1;
2403 }
2404 tmp_array[j] = NULL;
[168]2405 tmp_array = talloc_realloc(NULL, tmp_array, uint8_t*, j+1);
[159]2406 data->interpreted.multiple_string = tmp_array;
2407 /* XXX: how meaningful is this? should we store number of strings instead? */
2408 data->interpreted_size = tmp_size;
[181]2409 talloc_steal(tmp_array, tmp_str);
2410 talloc_steal(data, tmp_array);
[159]2411 break;
2412
2413 /* XXX: Dont know how to interpret these yet, just treat as binary */
2414 case REG_NONE:
2415 data->interpreted.none = data->raw;
2416 data->interpreted_size = data->size;
2417 break;
2418
2419 case REG_RESOURCE_LIST:
2420 data->interpreted.resource_list = data->raw;
2421 data->interpreted_size = data->size;
2422 break;
2423
2424 case REG_FULL_RESOURCE_DESCRIPTOR:
2425 data->interpreted.full_resource_descriptor = data->raw;
2426 data->interpreted_size = data->size;
2427 break;
2428
2429 case REG_RESOURCE_REQUIREMENTS_LIST:
2430 data->interpreted.resource_requirements_list = data->raw;
2431 data->interpreted_size = data->size;
2432 break;
2433
2434 case REG_BINARY:
2435 data->interpreted.binary = data->raw;
2436 data->interpreted_size = data->size;
2437 break;
2438
2439 default:
2440 data->interpreted.qword = 0;
2441 data->interpreted_size = 0;
2442 return false;
2443 }
2444
2445 data->type = type;
2446 return true;
2447}
2448
2449
[166]2450/******************************************************************************
[159]2451 * Convert from UTF-16LE to specified character set.
2452 * On error, returns a negative errno code.
[166]2453 *****************************************************************************/
[168]2454int32_t regfi_conv_charset(const char* input_charset, const char* output_charset,
[206]2455 uint8_t* input, char* output,
2456 uint32_t input_len, uint32_t output_max)
[159]2457{
2458 iconv_t conv_desc;
2459 char* inbuf = (char*)input;
2460 char* outbuf = output;
2461 size_t in_len = (size_t)input_len;
2462 size_t out_len = (size_t)(output_max-1);
2463 int ret;
2464
[161]2465 /* XXX: Consider creating a couple of conversion descriptors earlier,
2466 * storing them on an iterator so they don't have to be recreated
2467 * each time.
2468 */
2469
[159]2470 /* Set up conversion descriptor. */
[161]2471 conv_desc = iconv_open(output_charset, input_charset);
[159]2472
2473 ret = iconv(conv_desc, &inbuf, &in_len, &outbuf, &out_len);
2474 if(ret == -1)
2475 {
2476 iconv_close(conv_desc);
2477 return -errno;
2478 }
2479 *outbuf = '\0';
2480
2481 iconv_close(conv_desc);
2482 return output_max-out_len-1;
2483}
2484
2485
2486
2487/*******************************************************************
[97]2488 * Computes the checksum of the registry file header.
[159]2489 * buffer must be at least the size of a regf header (4096 bytes).
[97]2490 *******************************************************************/
[168]2491static uint32_t regfi_compute_header_checksum(uint8_t* buffer)
[97]2492{
[168]2493 uint32_t checksum, x;
[97]2494 int i;
2495
2496 /* XOR of all bytes 0x0000 - 0x01FB */
2497
2498 checksum = x = 0;
2499
2500 for ( i=0; i<0x01FB; i+=4 ) {
2501 x = IVAL(buffer, i );
2502 checksum ^= x;
2503 }
2504
2505 return checksum;
2506}
2507
2508
2509/*******************************************************************
2510 *******************************************************************/
[178]2511REGFI_FILE* regfi_parse_regf(REGFI_RAW_FILE* file_cb, bool strict)
[97]2512{
[168]2513 uint8_t file_header[REGFI_REGF_SIZE];
2514 uint32_t length;
[135]2515 REGFI_FILE* ret_val;
[97]2516
[150]2517 ret_val = talloc(NULL, REGFI_FILE);
[97]2518 if(ret_val == NULL)
2519 return NULL;
2520
[150]2521 ret_val->sk_cache = NULL;
2522 ret_val->hbins = NULL;
[178]2523
[135]2524 length = REGFI_REGF_SIZE;
[178]2525 if((regfi_read(file_cb, file_header, &length)) != 0
2526 || length != REGFI_REGF_SIZE)
[182]2527 {
2528 regfi_log_add(REGFI_LOG_WARN, "Read failed while parsing REGF structure.");
[150]2529 goto fail;
[182]2530 }
2531
[97]2532 ret_val->checksum = IVAL(file_header, 0x1FC);
2533 ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
2534 if (strict && (ret_val->checksum != ret_val->computed_checksum))
[182]2535 {
2536 regfi_log_add(REGFI_LOG_WARN, "Stored header checksum (%.8X) did not equal"
2537 " computed checksum (%.8X).",
2538 ret_val->checksum, ret_val->computed_checksum);
2539 if(strict)
2540 goto fail;
2541 }
[97]2542
[135]2543 memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
[150]2544 if(memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0)
[97]2545 {
[182]2546 regfi_log_add(REGFI_LOG_ERROR, "Magic number mismatch "
2547 "(%.2X %.2X %.2X %.2X) while parsing hive header",
2548 ret_val->magic[0], ret_val->magic[1],
2549 ret_val->magic[2], ret_val->magic[3]);
2550 goto fail;
[97]2551 }
[178]2552
[151]2553 ret_val->sequence1 = IVAL(file_header, 0x4);
2554 ret_val->sequence2 = IVAL(file_header, 0x8);
[97]2555 ret_val->mtime.low = IVAL(file_header, 0xC);
2556 ret_val->mtime.high = IVAL(file_header, 0x10);
[151]2557 ret_val->major_version = IVAL(file_header, 0x14);
2558 ret_val->minor_version = IVAL(file_header, 0x18);
2559 ret_val->type = IVAL(file_header, 0x1C);
2560 ret_val->format = IVAL(file_header, 0x20);
2561 ret_val->root_cell = IVAL(file_header, 0x24);
[97]2562 ret_val->last_block = IVAL(file_header, 0x28);
[151]2563 ret_val->cluster = IVAL(file_header, 0x2C);
[97]2564
[151]2565 memcpy(ret_val->file_name, file_header+0x30, REGFI_REGF_NAME_SIZE);
2566
2567 /* XXX: Should we add a warning if these uuid parsers fail? Can they? */
2568 ret_val->rm_id = winsec_parse_uuid(ret_val, file_header+0x70, 16);
2569 ret_val->log_id = winsec_parse_uuid(ret_val, file_header+0x80, 16);
2570 ret_val->flags = IVAL(file_header, 0x90);
2571 ret_val->tm_id = winsec_parse_uuid(ret_val, file_header+0x94, 16);
2572 ret_val->guid_signature = IVAL(file_header, 0xa4);
2573
2574 memcpy(ret_val->reserved1, file_header+0xa8, REGFI_REGF_RESERVED1_SIZE);
2575 memcpy(ret_val->reserved2, file_header+0x200, REGFI_REGF_RESERVED2_SIZE);
2576
2577 ret_val->thaw_tm_id = winsec_parse_uuid(ret_val, file_header+0xFC8, 16);
2578 ret_val->thaw_rm_id = winsec_parse_uuid(ret_val, file_header+0xFD8, 16);
2579 ret_val->thaw_log_id = winsec_parse_uuid(ret_val, file_header+0xFE8, 16);
[152]2580 ret_val->boot_type = IVAL(file_header, 0xFF8);
2581 ret_val->boot_recover = IVAL(file_header, 0xFFC);
[151]2582
[97]2583 return ret_val;
[150]2584
2585 fail:
2586 talloc_free(ret_val);
2587 return NULL;
[97]2588}
2589
2590
2591
[148]2592/******************************************************************************
[97]2593 * Given real file offset, read and parse the hbin at that location
[110]2594 * along with it's associated cells.
[148]2595 ******************************************************************************/
[168]2596REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32_t offset, bool strict)
[97]2597{
[181]2598 REGFI_HBIN* hbin = NULL;
[168]2599 uint8_t hbin_header[REGFI_HBIN_HEADER_SIZE];
2600 uint32_t length;
[99]2601
2602 if(offset >= file->file_length)
[180]2603 goto fail;
2604
[186]2605 if(!regfi_lock(file, &file->cb_lock, "regfi_parse_hbin"))
[180]2606 goto fail;
[97]2607
[178]2608 if(regfi_seek(file->cb, offset, SEEK_SET) == -1)
[137]2609 {
[182]2610 regfi_log_add(REGFI_LOG_ERROR, "Seek failed"
2611 " while parsing hbin at offset 0x%.8X.", offset);
[180]2612 goto fail_locked;
[137]2613 }
[97]2614
[135]2615 length = REGFI_HBIN_HEADER_SIZE;
[178]2616 if((regfi_read(file->cb, hbin_header, &length) != 0)
[135]2617 || length != REGFI_HBIN_HEADER_SIZE)
[182]2618 {
2619 regfi_log_add(REGFI_LOG_ERROR, "Read failed"
2620 " while parsing hbin at offset 0x%.8X.", offset);
[180]2621 goto fail_locked;
[182]2622 }
[97]2623
[186]2624 if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_hbin"))
[180]2625 goto fail;
[97]2626
[148]2627 hbin = talloc(NULL, REGFI_HBIN);
2628 if(hbin == NULL)
[180]2629 goto fail;
[99]2630 hbin->file_off = offset;
2631
[97]2632 memcpy(hbin->magic, hbin_header, 4);
2633 if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
[99]2634 {
[182]2635 /* This always seems to happen at the end of a file, so we make it an INFO
2636 * message, rather than something more serious.
2637 */
2638 regfi_log_add(REGFI_LOG_INFO, "Magic number mismatch "
2639 "(%.2X %.2X %.2X %.2X) while parsing hbin at offset"
2640 " 0x%.8X.", hbin->magic[0], hbin->magic[1],
2641 hbin->magic[2], hbin->magic[3], offset);
[180]2642 goto fail;
[99]2643 }
[97]2644
2645 hbin->first_hbin_off = IVAL(hbin_header, 0x4);
2646 hbin->block_size = IVAL(hbin_header, 0x8);
[182]2647 /* this should be the same thing as hbin->block_size, but just in case */
[97]2648 hbin->next_block = IVAL(hbin_header, 0x1C);
2649
2650
2651 /* Ensure the block size is a multiple of 0x1000 and doesn't run off
2652 * the end of the file.
2653 */
[116]2654 /* XXX: This may need to be relaxed for dealing with
2655 * partial or corrupt files.
2656 */
[97]2657 if((offset + hbin->block_size > file->file_length)
2658 || (hbin->block_size & 0xFFFFF000) != hbin->block_size)
[99]2659 {
[182]2660 regfi_log_add(REGFI_LOG_ERROR, "The hbin offset is not aligned"
2661 " or runs off the end of the file"
2662 " while parsing hbin at offset 0x%.8X.", offset);
[180]2663 goto fail;
[99]2664 }
[97]2665
2666 return hbin;
[180]2667
2668 fail_locked:
[186]2669 regfi_unlock(file, &file->cb_lock, "regfi_parse_hbin");
[180]2670 fail:
2671 talloc_free(hbin);
2672 return NULL;
[97]2673}
2674
2675
[126]2676/*******************************************************************
2677 *******************************************************************/
[203]2678REGFI_NK* regfi_parse_nk(REGFI_FILE* file, uint32_t offset,
2679 uint32_t max_size, bool strict)
[99]2680{
[168]2681 uint8_t nk_header[REGFI_NK_MIN_LENGTH];
[203]2682 REGFI_NK* ret_val;
[168]2683 uint32_t length,cell_length;
[101]2684 bool unalloc = false;
[99]2685
[203]2686 ret_val = talloc(NULL, REGFI_NK);
[180]2687 if(ret_val == NULL)
2688 {
[182]2689 regfi_log_add(REGFI_LOG_ERROR, "Failed to allocate memory while"
2690 " parsing NK record at offset 0x%.8X.", offset);
[180]2691 goto fail;
2692 }
2693
[186]2694 if(!regfi_lock(file, &file->cb_lock, "regfi_parse_nk"))
[180]2695 goto fail;
2696
[178]2697 if(!regfi_parse_cell(file->cb, offset, nk_header, REGFI_NK_MIN_LENGTH,
[101]2698 &cell_length, &unalloc))
[137]2699 {
[182]2700 regfi_log_add(REGFI_LOG_WARN, "Could not parse cell header"
2701 " while parsing NK record at offset 0x%.8X.", offset);
[180]2702 goto fail_locked;
[137]2703 }
2704
[101]2705 if((nk_header[0x0] != 'n') || (nk_header[0x1] != 'k'))
[135]2706 {
[182]2707 regfi_log_add(REGFI_LOG_WARN, "Magic number mismatch in parsing"
2708 " NK record at offset 0x%.8X.", offset);
[180]2709 goto fail_locked;
[135]2710 }
[99]2711
[150]2712 ret_val->values = NULL;
2713 ret_val->subkeys = NULL;
[99]2714 ret_val->offset = offset;
[101]2715 ret_val->cell_size = cell_length;
2716
[99]2717 if(ret_val->cell_size > max_size)
2718 ret_val->cell_size = max_size & 0xFFFFFFF8;
2719 if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
[157]2720 || (strict && (ret_val->cell_size & 0x00000007) != 0))
[99]2721 {
[182]2722 regfi_log_add(REGFI_LOG_WARN, "A length check failed while"
2723 " parsing NK record at offset 0x%.8X.", offset);
[180]2724 goto fail_locked;
[99]2725 }
2726
[101]2727 ret_val->magic[0] = nk_header[0x0];
2728 ret_val->magic[1] = nk_header[0x1];
[161]2729 ret_val->flags = SVAL(nk_header, 0x2);
[152]2730
[161]2731 if((ret_val->flags & ~REGFI_NK_KNOWN_FLAGS) != 0)
[99]2732 {
[182]2733 regfi_log_add(REGFI_LOG_WARN, "Unknown key flags (0x%.4X) while"
2734 " parsing NK record at offset 0x%.8X.",
2735 (ret_val->flags & ~REGFI_NK_KNOWN_FLAGS), offset);
[99]2736 }
[101]2737
2738 ret_val->mtime.low = IVAL(nk_header, 0x4);
2739 ret_val->mtime.high = IVAL(nk_header, 0x8);
[116]2740 /* If the key is unallocated and the MTIME is earlier than Jan 1, 1990
2741 * or later than Jan 1, 2290, we consider this a bad key. This helps
2742 * weed out some false positives during deleted data recovery.
2743 */
2744 if(unalloc
[178]2745 && (ret_val->mtime.high < REGFI_MTIME_MIN_HIGH
2746 || ret_val->mtime.high > REGFI_MTIME_MAX_HIGH))
[180]2747 { goto fail_locked; }
[116]2748
[101]2749 ret_val->unknown1 = IVAL(nk_header, 0xC);
2750 ret_val->parent_off = IVAL(nk_header, 0x10);
2751 ret_val->num_subkeys = IVAL(nk_header, 0x14);
2752 ret_val->unknown2 = IVAL(nk_header, 0x18);
2753 ret_val->subkeys_off = IVAL(nk_header, 0x1C);
2754 ret_val->unknown3 = IVAL(nk_header, 0x20);
2755 ret_val->num_values = IVAL(nk_header, 0x24);
2756 ret_val->values_off = IVAL(nk_header, 0x28);
2757 ret_val->sk_off = IVAL(nk_header, 0x2C);
2758 ret_val->classname_off = IVAL(nk_header, 0x30);
[99]2759
[101]2760 ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
2761 ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
2762 ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
2763 ret_val->max_bytes_value = IVAL(nk_header, 0x40);
2764 ret_val->unk_index = IVAL(nk_header, 0x44);
[99]2765
[101]2766 ret_val->name_length = SVAL(nk_header, 0x48);
2767 ret_val->classname_length = SVAL(nk_header, 0x4A);
[206]2768 ret_val->name = NULL;
[99]2769
2770 if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
[101]2771 {
2772 if(strict)
2773 {
[182]2774 regfi_log_add(REGFI_LOG_ERROR, "Contents too large for cell"
2775 " while parsing NK record at offset 0x%.8X.", offset);
[180]2776 goto fail_locked;
[101]2777 }
2778 else
2779 ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
2780 }
2781 else if (unalloc)
2782 { /* Truncate cell_size if it's much larger than the apparent total record length. */
2783 /* Round up to the next multiple of 8 */
2784 length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
2785 if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
2786 length+=8;
[99]2787
[101]2788 /* If cell_size is still greater, truncate. */
2789 if(length < ret_val->cell_size)
2790 ret_val->cell_size = length;
2791 }
2792
[206]2793 /* +1 to length in case we decided to use this directly as a string later */
2794 ret_val->name_raw = talloc_array(ret_val, uint8_t, ret_val->name_length+1);
2795 if(ret_val->name_raw == NULL)
[180]2796 goto fail_locked;
[99]2797
2798 /* Don't need to seek, should be at the right offset */
2799 length = ret_val->name_length;
[206]2800 if((regfi_read(file->cb, (uint8_t*)ret_val->name_raw, &length) != 0)
[99]2801 || length != ret_val->name_length)
2802 {
[182]2803 regfi_log_add(REGFI_LOG_ERROR, "Failed to read key name"
2804 " while parsing NK record at offset 0x%.8X.", offset);
[180]2805 goto fail_locked;
[99]2806 }
2807
[186]2808 if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_nk"))
[180]2809 goto fail;
2810
[126]2811 return ret_val;
[180]2812
2813 fail_locked:
[186]2814 regfi_unlock(file, &file->cb_lock, "regfi_parse_nk");
[180]2815 fail:
2816 talloc_free(ret_val);
2817 return NULL;
[126]2818}
2819
2820
[168]2821uint8_t* regfi_parse_classname(REGFI_FILE* file, uint32_t offset,
[206]2822 uint16_t* name_length, uint32_t max_size, bool strict)
[126]2823{
[168]2824 uint8_t* ret_val = NULL;
2825 uint32_t length;
2826 uint32_t cell_length;
[126]2827 bool unalloc = false;
2828
[180]2829 if(*name_length <= 0 || offset == REGFI_OFFSET_NONE
2830 || (offset & 0x00000007) != 0)
2831 { goto fail; }
2832
[186]2833 if(!regfi_lock(file, &file->cb_lock, "regfi_parse_classname"))
[180]2834 goto fail;
2835
2836 if(!regfi_parse_cell(file->cb, offset, NULL, 0, &cell_length, &unalloc))
[131]2837 {
[182]2838 regfi_log_add(REGFI_LOG_WARN, "Could not parse cell header"
2839 " while parsing class name at offset 0x%.8X.", offset);
[180]2840 goto fail_locked;
2841 }
2842
2843 if((cell_length & 0x0000007) != 0)
2844 {
[182]2845 regfi_log_add(REGFI_LOG_ERROR, "Cell length not a multiple of 8"
2846 " while parsing class name at offset 0x%.8X.", offset);
[180]2847 goto fail_locked;
2848 }
2849
2850 if(cell_length > max_size)
2851 {
[182]2852 regfi_log_add(REGFI_LOG_WARN, "Cell stretches past hbin "
2853 "boundary while parsing class name at offset 0x%.8X.",
2854 offset);
[180]2855 if(strict)
2856 goto fail_locked;
2857 cell_length = max_size;
2858 }
2859
2860 if((cell_length - 4) < *name_length)
2861 {
[182]2862 regfi_log_add(REGFI_LOG_WARN, "Class name is larger than"
2863 " cell_length while parsing class name at offset"
2864 " 0x%.8X.", offset);
[180]2865 if(strict)
2866 goto fail_locked;
2867 *name_length = cell_length - 4;
2868 }
2869
2870 ret_val = talloc_array(NULL, uint8_t, *name_length);
2871 if(ret_val != NULL)
2872 {
2873 length = *name_length;
2874 if((regfi_read(file->cb, ret_val, &length) != 0)
2875 || length != *name_length)
[137]2876 {
[182]2877 regfi_log_add(REGFI_LOG_ERROR, "Could not read class name"
2878 " while parsing class name at offset 0x%.8X.", offset);
[180]2879 goto fail_locked;
[137]2880 }
[180]2881 }
[126]2882
[186]2883 if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_classname"))
[180]2884 goto fail;
[137]2885
[180]2886 return ret_val;
[131]2887
[180]2888 fail_locked:
[186]2889 regfi_unlock(file, &file->cb_lock, "regfi_parse_classname");
[180]2890 fail:
2891 talloc_free(ret_val);
2892 return NULL;
[99]2893}
2894
2895
[152]2896/******************************************************************************
2897*******************************************************************************/
[203]2898REGFI_VK* regfi_parse_vk(REGFI_FILE* file, uint32_t offset,
[168]2899 uint32_t max_size, bool strict)
[97]2900{
[203]2901 REGFI_VK* ret_val;
[168]2902 uint8_t vk_header[REGFI_VK_MIN_LENGTH];
2903 uint32_t raw_data_size, length, cell_length;
[101]2904 bool unalloc = false;
[97]2905
[203]2906 ret_val = talloc(NULL, REGFI_VK);
[180]2907 if(ret_val == NULL)
2908 goto fail;
2909
[186]2910 if(!regfi_lock(file, &file->cb_lock, "regfi_parse_nk"))
[180]2911 goto fail;
2912
[178]2913 if(!regfi_parse_cell(file->cb, offset, vk_header, REGFI_VK_MIN_LENGTH,
[101]2914 &cell_length, &unalloc))
[137]2915 {
[182]2916 regfi_log_add(REGFI_LOG_WARN, "Could not parse cell header"
2917 " while parsing VK record at offset 0x%.8X.", offset);
[180]2918 goto fail_locked;
[137]2919 }
[111]2920
[101]2921 ret_val->offset = offset;
2922 ret_val->cell_size = cell_length;
[206]2923 ret_val->name = NULL;
2924 ret_val->name_raw = NULL;
[150]2925
[101]2926 if(ret_val->cell_size > max_size)
2927 ret_val->cell_size = max_size & 0xFFFFFFF8;
2928 if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
[157]2929 || (ret_val->cell_size & 0x00000007) != 0)
[97]2930 {
[182]2931 regfi_log_add(REGFI_LOG_WARN, "Invalid cell size encountered"
2932 " while parsing VK record at offset 0x%.8X.", offset);
[180]2933 goto fail_locked;
[101]2934 }
[97]2935
[101]2936 ret_val->magic[0] = vk_header[0x0];
2937 ret_val->magic[1] = vk_header[0x1];
2938 if((ret_val->magic[0] != 'v') || (ret_val->magic[1] != 'k'))
2939 {
[124]2940 /* XXX: This does not account for deleted keys under Win2K which
2941 * often have this (and the name length) overwritten with
2942 * 0xFFFF.
2943 */
[182]2944 regfi_log_add(REGFI_LOG_WARN, "Magic number mismatch"
2945 " while parsing VK record at offset 0x%.8X.", offset);
[180]2946 goto fail_locked;
[101]2947 }
2948
2949 ret_val->name_length = SVAL(vk_header, 0x2);
2950 raw_data_size = IVAL(vk_header, 0x4);
[135]2951 ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET;
[157]2952 /* The data is typically stored in the offset if the size <= 4,
2953 * in which case this flag is set.
2954 */
[135]2955 ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET);
[101]2956 ret_val->data_off = IVAL(vk_header, 0x8);
2957 ret_val->type = IVAL(vk_header, 0xC);
[162]2958 ret_val->flags = SVAL(vk_header, 0x10);
[101]2959 ret_val->unknown1 = SVAL(vk_header, 0x12);
2960
[162]2961 if(ret_val->name_length > 0)
[101]2962 {
[113]2963 if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size)
[101]2964 {
[182]2965 regfi_log_add(REGFI_LOG_WARN, "Name too long for remaining cell"
2966 " space while parsing VK record at offset 0x%.8X.",
2967 offset);
[101]2968 if(strict)
[180]2969 goto fail_locked;
[101]2970 else
[113]2971 ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4;
[101]2972 }
2973
2974 /* Round up to the next multiple of 8 */
[113]2975 cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8;
2976 if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4)
2977 cell_length+=8;
[101]2978
[206]2979 /* +1 to length in case we decided to use this directly as a string later */
2980 ret_val->name_raw = talloc_array(ret_val, uint8_t, ret_val->name_length+1);
2981 if(ret_val->name_raw == NULL)
[180]2982 goto fail_locked;
[113]2983
[101]2984 length = ret_val->name_length;
[206]2985 if((regfi_read(file->cb, (uint8_t*)ret_val->name_raw, &length) != 0)
[101]2986 || length != ret_val->name_length)
2987 {
[182]2988 regfi_log_add(REGFI_LOG_ERROR, "Could not read value name"
2989 " while parsing VK record at offset 0x%.8X.", offset);
[180]2990 goto fail_locked;
[101]2991 }
2992 }
2993 else
[113]2994 cell_length = REGFI_VK_MIN_LENGTH + 4;
[101]2995
[186]2996 if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_nk"))
[180]2997 goto fail;
2998
[101]2999 if(unalloc)
3000 {
3001 /* If cell_size is still greater, truncate. */
[113]3002 if(cell_length < ret_val->cell_size)
3003 ret_val->cell_size = cell_length;
[101]3004 }
3005
3006 return ret_val;
[180]3007
3008 fail_locked:
[186]3009 regfi_unlock(file, &file->cb_lock, "regfi_parse_vk");
[180]3010 fail:
3011 talloc_free(ret_val);
3012 return NULL;
[97]3013}
[101]3014
3015
[152]3016/******************************************************************************
[157]3017 *
3018 ******************************************************************************/
[168]3019REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32_t voffset,
3020 uint32_t length, bool data_in_offset,
[157]3021 bool strict)
[101]3022{
[151]3023 REGFI_BUFFER ret_val;
[168]3024 uint32_t cell_length, offset;
3025 int32_t max_size;
[101]3026 bool unalloc;
[151]3027
[159]3028 /* Microsoft's documentation indicates that "available memory" is
[165]3029 * the limit on value sizes for the more recent registry format version.
3030 * This is not only annoying, but it's probably also incorrect, since clearly
3031 * value data sizes are limited to 2^31 (high bit used as a flag) and even
3032 * with big data records, the apparent max size is:
3033 * 16344 * 2^16 = 1071104040 (~1GB).
3034 *
3035 * We choose to limit it to 1M which was the limit in older versions and
3036 * should rarely be exceeded unless the file is corrupt or malicious.
3037 * For more info, see:
3038 * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
[159]3039 */
[160]3040 /* XXX: add way to skip this check at user discression. */
3041 if(length > REGFI_VK_MAX_DATA_LENGTH)
[159]3042 {
[182]3043 regfi_log_add(REGFI_LOG_WARN, "Value data size %d larger than "
3044 "%d, truncating...", length, REGFI_VK_MAX_DATA_LENGTH);
[160]3045 length = REGFI_VK_MAX_DATA_LENGTH;
[159]3046 }
3047
[145]3048 if(data_in_offset)
[157]3049 return regfi_parse_little_data(file, voffset, length, strict);
3050 else
[101]3051 {
[157]3052 offset = voffset + REGFI_REGF_SIZE;
3053 max_size = regfi_calc_maxsize(file, offset);
3054 if(max_size < 0)
[137]3055 {
[182]3056 regfi_log_add(REGFI_LOG_WARN, "Could not find HBIN for data"
3057 " at offset 0x%.8X.", offset);
[151]3058 goto fail;
[137]3059 }
[157]3060
[186]3061 if(!regfi_lock(file, &file->cb_lock, "regfi_load_data"))
[180]3062 goto fail;
3063
[178]3064 if(!regfi_parse_cell(file->cb, offset, NULL, 0,
[101]3065 &cell_length, &unalloc))
[137]3066 {
[182]3067 regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while"
3068 " parsing data record at offset 0x%.8X.", offset);
[180]3069 goto fail_locked;
[137]3070 }
[111]3071
[186]3072 if(!regfi_unlock(file, &file->cb_lock, "regfi_load_data"))
[180]3073 goto fail;
3074
[157]3075 if((cell_length & 0x00000007) != 0)
[137]3076 {
[182]3077 regfi_log_add(REGFI_LOG_WARN, "Cell length not multiple of 8"
3078 " while parsing data record at offset 0x%.8X.",
3079 offset);
[151]3080 goto fail;
[137]3081 }
[101]3082
[131]3083 if(cell_length > max_size)
3084 {
[182]3085 regfi_log_add(REGFI_LOG_WARN, "Cell extends past HBIN boundary"
3086 " while parsing data record at offset 0x%.8X.",
3087 offset);
[157]3088 goto fail;
[131]3089 }
3090
[101]3091 if(cell_length - 4 < length)
3092 {
[155]3093 /* XXX: All big data records thus far have been 16 bytes long.
3094 * Should we check for this precise size instead of just
3095 * relying upon the above check?
3096 */
[152]3097 if (file->major_version >= 1 && file->minor_version >= 5)
3098 {
3099 /* Attempt to parse a big data record */
[157]3100 return regfi_load_big_data(file, offset, length, cell_length,
3101 NULL, strict);
[152]3102 }
[101]3103 else
[152]3104 {
[182]3105 regfi_log_add(REGFI_LOG_WARN, "Data length (0x%.8X) larger than"
3106 " remaining cell length (0x%.8X)"
3107 " while parsing data record at offset 0x%.8X.",
3108 length, cell_length - 4, offset);
[152]3109 if(strict)
3110 goto fail;
3111 else
3112 length = cell_length - 4;
3113 }
[101]3114 }
3115
[157]3116 ret_val = regfi_parse_data(file, offset, length, strict);
[101]3117 }
3118
3119 return ret_val;
[151]3120
[180]3121 fail_locked:
[186]3122 regfi_unlock(file, &file->cb_lock, "regfi_load_data");
[151]3123 fail:
3124 ret_val.buf = NULL;
3125 ret_val.len = 0;
3126 return ret_val;
[101]3127}
[110]3128
3129
[152]3130/******************************************************************************
[157]3131 * Parses the common case data records stored in a single cell.
3132 ******************************************************************************/
[168]3133REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32_t offset,
3134 uint32_t length, bool strict)
[157]3135{
3136 REGFI_BUFFER ret_val;
[168]3137 uint32_t read_length;
[157]3138
3139 ret_val.buf = NULL;
3140 ret_val.len = 0;
3141
[180]3142 if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL)
3143 goto fail;
3144 ret_val.len = length;
3145
[186]3146 if(!regfi_lock(file, &file->cb_lock, "regfi_parse_data"))
[180]3147 goto fail;
3148
[178]3149 if(regfi_seek(file->cb, offset+4, SEEK_SET) == -1)
[157]3150 {
[182]3151 regfi_log_add(REGFI_LOG_WARN, "Could not seek while "
3152 "reading data at offset 0x%.8X.", offset);
[180]3153 goto fail_locked;
[157]3154 }
3155
3156 read_length = length;
[178]3157 if((regfi_read(file->cb, ret_val.buf, &read_length) != 0)
[157]3158 || read_length != length)
3159 {
[182]3160 regfi_log_add(REGFI_LOG_ERROR, "Could not read data block while"
3161 " parsing data record at offset 0x%.8X.", offset);
[180]3162 goto fail_locked;
[157]3163 }
3164
[186]3165 if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_data"))
[180]3166 goto fail;
3167
[157]3168 return ret_val;
[180]3169
3170 fail_locked:
[186]3171 regfi_unlock(file, &file->cb_lock, "regfi_parse_data");
[180]3172 fail:
3173 talloc_free(ret_val.buf);
3174 ret_val.buf = NULL;
3175 ret_val.buf = 0;
3176 return ret_val;
[157]3177}
3178
3179
3180
3181/******************************************************************************
3182 *
3183 ******************************************************************************/
[168]3184REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32_t voffset,
3185 uint32_t length, bool strict)
[157]3186{
[173]3187 uint8_t i;
[157]3188 REGFI_BUFFER ret_val;
3189
3190 ret_val.buf = NULL;
3191 ret_val.len = 0;
3192
3193 if(length > 4)
3194 {
[182]3195 regfi_log_add(REGFI_LOG_ERROR, "Data in offset but length > 4"
3196 " while parsing data record. (voffset=0x%.8X, length=%d)",
3197 voffset, length);
[157]3198 return ret_val;
3199 }
3200
[168]3201 if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL)
[157]3202 return ret_val;
3203 ret_val.len = length;
3204
3205 for(i = 0; i < length; i++)
[168]3206 ret_val.buf[i] = (uint8_t)((voffset >> i*8) & 0xFF);
[157]3207
3208 return ret_val;
3209}
3210
3211/******************************************************************************
[152]3212*******************************************************************************/
[168]3213REGFI_BUFFER regfi_parse_big_data_header(REGFI_FILE* file, uint32_t offset,
3214 uint32_t max_size, bool strict)
[152]3215{
3216 REGFI_BUFFER ret_val;
[168]3217 uint32_t cell_length;
[152]3218 bool unalloc;
[157]3219
3220 /* XXX: do something with unalloc? */
[168]3221 ret_val.buf = (uint8_t*)talloc_array(NULL, uint8_t, REGFI_BIG_DATA_MIN_LENGTH);
[157]3222 if(ret_val.buf == NULL)
[152]3223 goto fail;
3224
[157]3225 if(REGFI_BIG_DATA_MIN_LENGTH > max_size)
3226 {
[182]3227 regfi_log_add(REGFI_LOG_WARN, "Big data header exceeded max_size "
3228 "while parsing big data header at offset 0x%.8X.",offset);
[157]3229 goto fail;
3230 }
3231
[186]3232 if(!regfi_lock(file, &file->cb_lock, "regfi_parse_big_data_header"))
[180]3233 goto fail;
3234
3235
[178]3236 if(!regfi_parse_cell(file->cb, offset, ret_val.buf, REGFI_BIG_DATA_MIN_LENGTH,
[152]3237 &cell_length, &unalloc))
3238 {
[182]3239 regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while"
3240 " parsing big data header at offset 0x%.8X.", offset);
[180]3241 goto fail_locked;
[152]3242 }
[157]3243
[186]3244 if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_header"))
[180]3245 goto fail;
3246
[157]3247 if((ret_val.buf[0] != 'd') || (ret_val.buf[1] != 'b'))
[152]3248 {
[182]3249 regfi_log_add(REGFI_LOG_WARN, "Unknown magic number"
3250 " (0x%.2X, 0x%.2X) encountered while parsing"
3251 " big data header at offset 0x%.8X.",
3252 ret_val.buf[0], ret_val.buf[1], offset);
[152]3253 goto fail;
3254 }
3255
[157]3256 ret_val.len = REGFI_BIG_DATA_MIN_LENGTH;
3257 return ret_val;
3258
[180]3259 fail_locked:
[186]3260 regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_header");
[157]3261 fail:
[180]3262 talloc_free(ret_val.buf);
3263 ret_val.buf = NULL;
[157]3264 ret_val.len = 0;
3265 return ret_val;
3266}
3267
3268
3269
3270/******************************************************************************
3271 *
3272 ******************************************************************************/
[168]3273uint32_t* regfi_parse_big_data_indirect(REGFI_FILE* file, uint32_t offset,
3274 uint16_t num_chunks, bool strict)
[157]3275{
[168]3276 uint32_t* ret_val;
3277 uint32_t indirect_length;
3278 int32_t max_size;
3279 uint16_t i;
[157]3280 bool unalloc;
3281
3282 /* XXX: do something with unalloc? */
3283
3284 max_size = regfi_calc_maxsize(file, offset);
[168]3285 if((max_size < 0) || (num_chunks*sizeof(uint32_t) + 4 > max_size))
[157]3286 return NULL;
3287
[168]3288 ret_val = (uint32_t*)talloc_array(NULL, uint32_t, num_chunks);
[157]3289 if(ret_val == NULL)
[152]3290 goto fail;
3291
[186]3292 if(!regfi_lock(file, &file->cb_lock, "regfi_parse_big_data_indirect"))
[180]3293 goto fail;
3294
[178]3295 if(!regfi_parse_cell(file->cb, offset, (uint8_t*)ret_val,
[168]3296 num_chunks*sizeof(uint32_t),
[152]3297 &indirect_length, &unalloc))
3298 {
[182]3299 regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while"
3300 " parsing big data indirect record at offset 0x%.8X.",
3301 offset);
[180]3302 goto fail_locked;
[152]3303 }
[157]3304
[186]3305 if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_indirect"))
[180]3306 goto fail;
3307
[157]3308 /* Convert pointers to proper endianess, verify they are aligned. */
3309 for(i=0; i<num_chunks; i++)
[152]3310 {
[168]3311 ret_val[i] = IVAL(ret_val, i*sizeof(uint32_t));
[157]3312 if((ret_val[i] & 0x00000007) != 0)
3313 goto fail;
[152]3314 }
[157]3315
3316 return ret_val;
[152]3317
[180]3318 fail_locked:
[186]3319 regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_indirect");
[157]3320 fail:
[180]3321 talloc_free(ret_val);
[157]3322 return NULL;
3323}
3324
3325
3326/******************************************************************************
3327 * Arguments:
3328 * file --
3329 * offsets -- list of virtual offsets.
3330 * num_chunks --
3331 * strict --
3332 *
3333 * Returns:
3334 * A range_list with physical offsets and complete lengths
3335 * (including cell headers) of associated cells.
3336 * No data in range_list elements.
3337 ******************************************************************************/
[168]3338range_list* regfi_parse_big_data_cells(REGFI_FILE* file, uint32_t* offsets,
3339 uint16_t num_chunks, bool strict)
[157]3340{
[168]3341 uint32_t cell_length, chunk_offset;
[157]3342 range_list* ret_val;
[168]3343 uint16_t i;
[157]3344 bool unalloc;
3345
3346 /* XXX: do something with unalloc? */
3347 ret_val = range_list_new();
3348 if(ret_val == NULL)
3349 goto fail;
3350
[166]3351 for(i=0; i<num_chunks; i++)
[152]3352 {
[186]3353 if(!regfi_lock(file, &file->cb_lock, "regfi_parse_big_data_cells"))
[180]3354 goto fail;
3355
[157]3356 chunk_offset = offsets[i]+REGFI_REGF_SIZE;
[178]3357 if(!regfi_parse_cell(file->cb, chunk_offset, NULL, 0,
[157]3358 &cell_length, &unalloc))
[152]3359 {
[182]3360 regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while"
3361 " parsing big data chunk at offset 0x%.8X.",
3362 chunk_offset);
[180]3363 goto fail_locked;
[152]3364 }
3365
[186]3366 if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_cells"))
[180]3367 goto fail;
3368
[157]3369 if(!range_list_add(ret_val, chunk_offset, cell_length, NULL))
3370 goto fail;
3371 }
3372
3373 return ret_val;
3374
[180]3375 fail_locked:
[186]3376 regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_cells");
[157]3377 fail:
3378 if(ret_val != NULL)
3379 range_list_free(ret_val);
3380 return NULL;
3381}
3382
3383
3384/******************************************************************************
3385*******************************************************************************/
3386REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file,
[168]3387 uint32_t offset, uint32_t data_length,
3388 uint32_t cell_length, range_list* used_ranges,
[157]3389 bool strict)
3390{
3391 REGFI_BUFFER ret_val;
[168]3392 uint16_t num_chunks, i;
3393 uint32_t read_length, data_left, tmp_len, indirect_offset;
3394 uint32_t* indirect_ptrs = NULL;
[157]3395 REGFI_BUFFER bd_header;
3396 range_list* bd_cells = NULL;
3397 const range_list_element* cell_info;
3398
3399 ret_val.buf = NULL;
3400
3401 /* XXX: Add better error/warning messages */
3402
3403 bd_header = regfi_parse_big_data_header(file, offset, cell_length, strict);
3404 if(bd_header.buf == NULL)
3405 goto fail;
3406
3407 /* Keep track of used space for use by reglookup-recover */
3408 if(used_ranges != NULL)
3409 if(!range_list_add(used_ranges, offset, cell_length, NULL))
3410 goto fail;
3411
3412 num_chunks = SVAL(bd_header.buf, 0x2);
3413 indirect_offset = IVAL(bd_header.buf, 0x4) + REGFI_REGF_SIZE;
3414 talloc_free(bd_header.buf);
3415
3416 indirect_ptrs = regfi_parse_big_data_indirect(file, indirect_offset,
3417 num_chunks, strict);
3418 if(indirect_ptrs == NULL)
3419 goto fail;
3420
3421 if(used_ranges != NULL)
3422 if(!range_list_add(used_ranges, indirect_offset, num_chunks*4+4, NULL))
3423 goto fail;
3424
3425 if((ret_val.buf = talloc_array(NULL, uint8_t, data_length)) == NULL)
3426 goto fail;
3427 data_left = data_length;
3428
3429 bd_cells = regfi_parse_big_data_cells(file, indirect_ptrs, num_chunks, strict);
3430 if(bd_cells == NULL)
3431 goto fail;
3432
3433 talloc_free(indirect_ptrs);
3434 indirect_ptrs = NULL;
3435
3436 for(i=0; (i<num_chunks) && (data_left>0); i++)
3437 {
3438 cell_info = range_list_get(bd_cells, i);
3439 if(cell_info == NULL)
3440 goto fail;
3441
3442 /* XXX: This should be "cell_info->length-4" to account for the 4 byte cell
[154]3443 * length. However, it has been observed that some (all?) chunks
3444 * have an additional 4 bytes of 0 at the end of their cells that
3445 * isn't part of the data, so we're trimming that off too.
[157]3446 * Perhaps it's just an 8 byte alignment requirement...
[154]3447 */
[157]3448 if(cell_info->length - 8 >= data_left)
3449 {
3450 if(i+1 != num_chunks)
3451 {
[182]3452 regfi_log_add(REGFI_LOG_WARN, "Left over chunks detected "
3453 "while constructing big data at offset 0x%.8X "
3454 "(chunk offset 0x%.8X).", offset, cell_info->offset);
[157]3455 }
[152]3456 read_length = data_left;
[157]3457 }
[152]3458 else
[157]3459 read_length = cell_info->length - 8;
[152]3460
[157]3461
3462 if(read_length > regfi_calc_maxsize(file, cell_info->offset))
3463 {
[182]3464 regfi_log_add(REGFI_LOG_WARN, "A chunk exceeded the maxsize "
3465 "while constructing big data at offset 0x%.8X "
3466 "(chunk offset 0x%.8X).", offset, cell_info->offset);
[157]3467 goto fail;
3468 }
3469
[186]3470 if(!regfi_lock(file, &file->cb_lock, "regfi_load_big_data"))
[180]3471 goto fail;
3472
[178]3473 if(regfi_seek(file->cb, cell_info->offset+sizeof(uint32_t), SEEK_SET) == -1)
[157]3474 {
[182]3475 regfi_log_add(REGFI_LOG_WARN, "Could not seek to chunk while "
3476 "constructing big data at offset 0x%.8X "
3477 "(chunk offset 0x%.8X).", offset, cell_info->offset);
[180]3478 goto fail_locked;
[157]3479 }
3480
3481 tmp_len = read_length;
[178]3482 if(regfi_read(file->cb, ret_val.buf+(data_length-data_left),
[157]3483 &read_length) != 0 || (read_length != tmp_len))
[152]3484 {
[182]3485 regfi_log_add(REGFI_LOG_WARN, "Could not read data chunk while"
3486 " constructing big data at offset 0x%.8X"
3487 " (chunk offset 0x%.8X).", offset, cell_info->offset);
[180]3488 goto fail_locked;
[152]3489 }
3490
[186]3491 if(!regfi_unlock(file, &file->cb_lock, "regfi_load_big_data"))
[180]3492 goto fail;
3493
[157]3494 if(used_ranges != NULL)
3495 if(!range_list_add(used_ranges, cell_info->offset,cell_info->length,NULL))
3496 goto fail;
3497
[152]3498 data_left -= read_length;
3499 }
[157]3500 range_list_free(bd_cells);
3501
[152]3502 ret_val.len = data_length-data_left;
3503 return ret_val;
3504
[180]3505 fail_locked:
[186]3506 regfi_unlock(file, &file->cb_lock, "regfi_load_big_data");
[152]3507 fail:
[180]3508 talloc_free(ret_val.buf);
3509 talloc_free(indirect_ptrs);
[157]3510 if(bd_cells != NULL)
3511 range_list_free(bd_cells);
[152]3512 ret_val.buf = NULL;
3513 ret_val.len = 0;
3514 return ret_val;
3515}
3516
3517
[135]3518range_list* regfi_parse_unalloc_cells(REGFI_FILE* file)
[110]3519{
3520 range_list* ret_val;
[135]3521 REGFI_HBIN* hbin;
[110]3522 const range_list_element* hbins_elem;
[168]3523 uint32_t i, num_hbins, curr_off, cell_len;
[110]3524 bool is_unalloc;
3525
3526 ret_val = range_list_new();
3527 if(ret_val == NULL)
3528 return NULL;
3529
[186]3530 if(!regfi_read_lock(file, &file->hbins_lock, "regfi_parse_unalloc_cells"))
[180]3531 {
3532 range_list_free(ret_val);
3533 return NULL;
3534 }
3535
[110]3536 num_hbins = range_list_size(file->hbins);
3537 for(i=0; i<num_hbins; i++)
3538 {
3539 hbins_elem = range_list_get(file->hbins, i);
3540 if(hbins_elem == NULL)
3541 break;
[135]3542 hbin = (REGFI_HBIN*)hbins_elem->data;
[110]3543
[135]3544 curr_off = REGFI_HBIN_HEADER_SIZE;
[110]3545 while(curr_off < hbin->block_size)
3546 {
[186]3547 if(!regfi_lock(file, &file->cb_lock, "regfi_parse_unalloc_cells"))
[180]3548 break;
3549
[178]3550 if(!regfi_parse_cell(file->cb, hbin->file_off+curr_off, NULL, 0,
[110]3551 &cell_len, &is_unalloc))
[180]3552 {
[186]3553 regfi_unlock(file, &file->cb_lock, "regfi_parse_unalloc_cells");
[110]3554 break;
[180]3555 }
3556
[186]3557 if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_unalloc_cells"))
[180]3558 break;
3559
[157]3560 if((cell_len == 0) || ((cell_len & 0x00000007) != 0))
[140]3561 {
[182]3562 regfi_log_add(REGFI_LOG_ERROR, "Bad cell length encountered"
3563 " while parsing unallocated cells at offset 0x%.8X.",
3564 hbin->file_off+curr_off);
[110]3565 break;
[140]3566 }
3567
[110]3568 /* for some reason the record_size of the last record in
3569 an hbin block can extend past the end of the block
3570 even though the record fits within the remaining
3571 space....aaarrrgggghhhhhh */
3572 if(curr_off + cell_len >= hbin->block_size)
3573 cell_len = hbin->block_size - curr_off;
3574
3575 if(is_unalloc)
3576 range_list_add(ret_val, hbin->file_off+curr_off,
3577 cell_len, NULL);
3578
3579 curr_off = curr_off+cell_len;
3580 }
3581 }
3582
[186]3583 if(!regfi_rw_unlock(file, &file->hbins_lock, "regfi_parse_unalloc_cells"))
[180]3584 {
3585 range_list_free(ret_val);
3586 return NULL;
3587 }
3588
[110]3589 return ret_val;
3590}
[168]3591
3592
3593/* From lib/time.c */
3594
3595/****************************************************************************
3596 Put a 8 byte filetime from a time_t
3597 This takes real GMT as input and converts to kludge-GMT
3598****************************************************************************/
3599void regfi_unix2nt_time(REGFI_NTTIME *nt, time_t t)
3600{
3601 double d;
3602
3603 if (t==0)
3604 {
3605 nt->low = 0;
3606 nt->high = 0;
3607 return;
3608 }
3609
3610 if (t == TIME_T_MAX)
3611 {
3612 nt->low = 0xffffffff;
3613 nt->high = 0x7fffffff;
3614 return;
3615 }
3616
3617 if (t == -1)
3618 {
3619 nt->low = 0xffffffff;
3620 nt->high = 0xffffffff;
3621 return;
3622 }
3623
3624 /* this converts GMT to kludge-GMT */
3625 /* XXX: This was removed due to difficult dependency requirements.
3626 * So far, times appear to be correct without this adjustment, but
3627 * that may be proven wrong with adequate testing.
3628 */
3629 /* t -= TimeDiff(t) - get_serverzone(); */
3630
3631 d = (double)(t);
3632 d += TIME_FIXUP_CONSTANT;
3633 d *= 1.0e7;
3634
3635 nt->high = (uint32_t)(d * (1.0/(4.0*(double)(1<<30))));
3636 nt->low = (uint32_t)(d - ((double)nt->high)*4.0*(double)(1<<30));
3637}
3638
3639
3640/****************************************************************************
3641 Interpret an 8 byte "filetime" structure to a time_t
3642 It's originally in "100ns units since jan 1st 1601"
3643
3644 An 8 byte value of 0xffffffffffffffff will be returned as (time_t)0.
3645
3646 It appears to be kludge-GMT (at least for file listings). This means
3647 its the GMT you get by taking a localtime and adding the
3648 serverzone. This is NOT the same as GMT in some cases. This routine
3649 converts this to real GMT.
3650****************************************************************************/
3651time_t regfi_nt2unix_time(const REGFI_NTTIME* nt)
3652{
3653 double d;
3654 time_t ret;
3655 /* The next two lines are a fix needed for the
3656 broken SCO compiler. JRA. */
3657 time_t l_time_min = TIME_T_MIN;
3658 time_t l_time_max = TIME_T_MAX;
3659
3660 if (nt->high == 0 || (nt->high == 0xffffffff && nt->low == 0xffffffff))
3661 return(0);
3662
3663 d = ((double)nt->high)*4.0*(double)(1<<30);
3664 d += (nt->low&0xFFF00000);
3665 d *= 1.0e-7;
3666
3667 /* now adjust by 369 years to make the secs since 1970 */
3668 d -= TIME_FIXUP_CONSTANT;
3669
3670 if (d <= l_time_min)
3671 return (l_time_min);
3672
3673 if (d >= l_time_max)
3674 return (l_time_max);
3675
3676 ret = (time_t)(d+0.5);
3677
3678 /* this takes us from kludge-GMT to real GMT */
3679 /* XXX: This was removed due to difficult dependency requirements.
3680 * So far, times appear to be correct without this adjustment, but
3681 * that may be proven wrong with adequate testing.
3682 */
3683 /*
3684 ret -= get_serverzone();
3685 ret += LocTimeDiff(ret);
3686 */
3687
3688 return(ret);
3689}
3690
3691/* End of stuff from lib/time.c */
Note: See TracBrowser for help on using the repository browser.