Context Navigation

source: trunk/lib/regfi.c @ 97

Last change on this file since 97 was 97, checked in by tim, 16 years ago
begun the work of rewriting the lowest layer parsing routines
Property svn:keywords set to `Id`
File size: 44.8 KB

Rev	Line
[30]	1	/*
	2	* Branched from Samba project Subversion repository, version #7470:
[84]	3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
[30]	4	*
	5	* Unix SMB/CIFS implementation.
	6	* Windows NT registry I/O library
	7	*
[97]	8	* Copyright (C) 2005-2008 Timothy D. Morgan
[30]	9	* Copyright (C) 2005 Gerald (Jerry) Carter
	10	*
	11	* This program is free software; you can redistribute it and/or modify
	12	* it under the terms of the GNU General Public License as published by
	13	* the Free Software Foundation; version 2 of the License.
	14	*
	15	* This program is distributed in the hope that it will be useful,
	16	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	* GNU General Public License for more details.
	19	*
	20	* You should have received a copy of the GNU General Public License
	21	* along with this program; if not, write to the Free Software
	22	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	23	*
	24	* $Id: regfi.c 97 2008-02-27 01:04:14Z tim $
	25	*/
	26
[81]	27	#include "../include/regfi.h"
[30]	28
	29
[32]	30	/* Registry types mapping */
[78]	31	const unsigned int regfi_num_reg_types = 12;
	32	static const char* regfi_type_names[] =
[65]	33	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]	34	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]	35
[32]	36
	37	/* Returns NULL on error */
[78]	38	const char* regfi_type_val2str(unsigned int val)
[32]	39	{
[61]	40	if(val == REG_KEY)
	41	return "KEY";
	42
[78]	43	if(val >= regfi_num_reg_types)
[61]	44	return NULL;
	45
[78]	46	return regfi_type_names[val];
[32]	47	}
	48
	49
[61]	50	/* Returns -1 on error */
[78]	51	int regfi_type_str2val(const char* str)
[32]	52	{
	53	int i;
	54
[61]	55	if(strcmp("KEY", str) == 0)
	56	return REG_KEY;
[32]	57
[78]	58	for(i=0; i < regfi_num_reg_types; i++)
	59	if (strcmp(regfi_type_names[i], str) == 0)
[61]	60	return i;
	61
	62	if(strcmp("DWORD_LE", str) == 0)
	63	return REG_DWORD_LE;
	64
	65	return -1;
[32]	66	}
	67
	68
[53]	69	/* Security descriptor parsing functions */
	70
[78]	71	const char* regfi_ace_type2str(uint8 type)
[53]	72	{
	73	static const char* map[7]
	74	= {"ALLOW", "DENY", "AUDIT", "ALARM",
	75	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
	76	if(type < 7)
	77	return map[type];
	78	else
	79	/* XXX: would be nice to return the unknown integer value.
	80	* However, as it is a const string, it can't be free()ed later on,
	81	* so that would need to change.
	82	*/
	83	return "UNKNOWN";
	84	}
	85
	86
[76]	87	/* XXX: need a better reference on the meaning of each flag. */
	88	/* For more info, see:
	89	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
	90	*/
[78]	91	char* regfi_ace_flags2str(uint8 flags)
[53]	92	{
[76]	93	static const char* flag_map[32] =
[87]	94	{ "OI", /* Object Inherit */
	95	"CI", /* Container Inherit */
	96	"NP", /* Non-Propagate */
	97	"IO", /* Inherit Only */
	98	"IA", /* Inherited ACE */
[76]	99	NULL,
	100	NULL,
	101	NULL,
	102	};
[53]	103
[76]	104	char* ret_val = malloc(35*sizeof(char));
	105	char* fo = ret_val;
	106	uint32 i;
	107	uint8 f;
	108
	109	if(ret_val == NULL)
[53]	110	return NULL;
	111
[76]	112	fo[0] = '\0';
[53]	113	if (!flags)
[76]	114	return ret_val;
[53]	115
[76]	116	for(i=0; i < 8; i++)
	117	{
	118	f = (1<<i);
	119	if((flags & f) && (flag_map[i] != NULL))
	120	{
	121	strcpy(fo, flag_map[i]);
	122	fo += strlen(flag_map[i]);
	123	*(fo++) = ' ';
	124	flags ^= f;
	125	}
[53]	126	}
[76]	127
	128	/* Any remaining unknown flags are added at the end in hex. */
	129	if(flags != 0)
	130	sprintf(fo, "0x%.2X ", flags);
	131
	132	/* Chop off the last space if we've written anything to ret_val */
	133	if(fo != ret_val)
	134	fo[-1] = '\0';
	135
	136	/* XXX: what was this old VI flag for??
	137	XXX: Is this check right? 0xF == 1\|2\|4\|8, which makes it redundant...
[53]	138	if (flags == 0xF) {
	139	if (some) strcat(flg_output, " ");
	140	some = 1;
	141	strcat(flg_output, "VI");
	142	}
[76]	143	*/
[53]	144
[76]	145	return ret_val;
[53]	146	}
	147
	148
[78]	149	char* regfi_ace_perms2str(uint32 perms)
[53]	150	{
[76]	151	uint32 i, p;
	152	/* This is more than is needed by a fair margin. */
	153	char* ret_val = malloc(350*sizeof(char));
	154	char* r = ret_val;
	155
	156	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
	157	* For more information, see:
	158	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
	159	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
	160	*/
	161	static const char* perm_map[32] =
	162	{/* object-specific permissions (registry keys, in this case) */
	163	"QRY_VAL", /* KEY_QUERY_VALUE */
	164	"SET_VAL", /* KEY_SET_VALUE */
	165	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
	166	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
	167	"NOTIFY", /* KEY_NOTIFY */
	168	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
	169	NULL,
	170	NULL,
	171	"WOW64_64", /* KEY_WOW64_64KEY */
	172	"WOW64_32", /* KEY_WOW64_32KEY */
	173	NULL,
	174	NULL,
	175	NULL,
	176	NULL,
	177	NULL,
	178	NULL,
	179	/* standard access rights */
	180	"DELETE", /* DELETE */
	181	"R_CONT", /* READ_CONTROL */
	182	"W_DAC", /* WRITE_DAC */
	183	"W_OWNER", /* WRITE_OWNER */
	184	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
	185	NULL,
	186	NULL,
	187	NULL,
	188	/* other generic */
	189	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
	190	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
	191	NULL,
	192	NULL,
	193	"GEN_A", /* GENERIC_ALL */
	194	"GEN_X", /* GENERIC_EXECUTE */
	195	"GEN_W", /* GENERIC_WRITE */
	196	"GEN_R", /* GENERIC_READ */
	197	};
	198
	199
[53]	200	if(ret_val == NULL)
	201	return NULL;
	202
[76]	203	r[0] = '\0';
	204	for(i=0; i < 32; i++)
	205	{
	206	p = (1<<i);
	207	if((perms & p) && (perm_map[i] != NULL))
	208	{
	209	strcpy(r, perm_map[i]);
	210	r += strlen(perm_map[i]);
	211	*(r++) = ' ';
	212	perms ^= p;
	213	}
	214	}
	215
	216	/* Any remaining unknown permission bits are added at the end in hex. */
	217	if(perms != 0)
	218	sprintf(r, "0x%.8X ", perms);
[53]	219
[76]	220	/* Chop off the last space if we've written anything to ret_val */
	221	if(r != ret_val)
	222	r[-1] = '\0';
	223
[53]	224	return ret_val;
	225	}
	226
	227
[78]	228	char* regfi_sid2str(DOM_SID* sid)
[53]	229	{
	230	uint32 i, size = MAXSUBAUTHS*11 + 24;
	231	uint32 left = size;
	232	uint8 comps = sid->num_auths;
	233	char* ret_val = malloc(size);
	234
	235	if(ret_val == NULL)
	236	return NULL;
	237
	238	if(comps > MAXSUBAUTHS)
	239	comps = MAXSUBAUTHS;
	240
	241	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
	242
	243	for (i = 0; i < comps; i++)
	244	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
	245
	246	return ret_val;
	247	}
	248
	249
[78]	250	char* regfi_get_acl(SEC_ACL* acl)
[53]	251	{
	252	uint32 i, extra, size = 0;
	253	const char* type_str;
	254	char* flags_str;
	255	char* perms_str;
	256	char* sid_str;
[61]	257	char* ace_delim = "";
[53]	258	char* ret_val = NULL;
[61]	259	char* tmp_val = NULL;
	260	bool failed = false;
[53]	261	char field_delim = ':';
	262
[61]	263	for (i = 0; i < acl->num_aces && !failed; i++)
[53]	264	{
[78]	265	sid_str = regfi_sid2str(&acl->ace[i].trustee);
	266	type_str = regfi_ace_type2str(acl->ace[i].type);
	267	perms_str = regfi_ace_perms2str(acl->ace[i].info.mask);
	268	flags_str = regfi_ace_flags2str(acl->ace[i].flags);
[53]	269
[61]	270	if(flags_str != NULL && perms_str != NULL
	271	&& type_str != NULL && sid_str != NULL)
	272	{
	273	/* XXX: this is slow */
	274	extra = strlen(sid_str) + strlen(type_str)
	275	+ strlen(perms_str) + strlen(flags_str)+5;
	276	tmp_val = realloc(ret_val, size+extra);
[53]	277
[61]	278	if(tmp_val == NULL)
	279	{
	280	free(ret_val);
	281	failed = true;
	282	}
	283	else
	284	{
	285	ret_val = tmp_val;
	286	size += snprintf(ret_val+size, extra, "%s%s%c%s%c%s%c%s",
	287	ace_delim,sid_str,
	288	field_delim,type_str,
	289	field_delim,perms_str,
	290	field_delim,flags_str);
	291	ace_delim = "\|";
	292	}
	293	}
	294	else
	295	failed = true;
	296
	297	if(sid_str != NULL)
	298	free(sid_str);
	299	if(sid_str != NULL)
	300	free(perms_str);
	301	if(sid_str != NULL)
	302	free(flags_str);
[53]	303	}
	304
	305	return ret_val;
	306	}
	307
	308
[78]	309	char* regfi_get_sacl(SEC_DESC *sec_desc)
[53]	310	{
	311	if (sec_desc->sacl)
[78]	312	return regfi_get_acl(sec_desc->sacl);
[53]	313	else
	314	return NULL;
	315	}
	316
	317
[78]	318	char* regfi_get_dacl(SEC_DESC *sec_desc)
[53]	319	{
	320	if (sec_desc->dacl)
[78]	321	return regfi_get_acl(sec_desc->dacl);
[53]	322	else
	323	return NULL;
	324	}
	325
	326
[78]	327	char* regfi_get_owner(SEC_DESC *sec_desc)
[53]	328	{
[78]	329	return regfi_sid2str(sec_desc->owner_sid);
[53]	330	}
	331
	332
[78]	333	char* regfi_get_group(SEC_DESC *sec_desc)
[53]	334	{
[78]	335	return regfi_sid2str(sec_desc->grp_sid);
[53]	336	}
	337
	338
	339
[30]	340	/*******************************************************************
[31]	341	*******************************************************************/
[33]	342	static bool prs_nk_rec( const char desc, prs_struct ps,
	343	int depth, REGF_NK_REC *nk )
[30]	344	{
[31]	345	uint16 class_length, name_length;
	346	uint32 start;
	347	uint32 data_size, start_off, end_off;
	348	uint32 unknown_off = REGF_OFFSET_NONE;
[30]	349
[31]	350	nk->hbin_off = ps->data_offset;
	351	start = nk->hbin_off;
[30]	352
[31]	353	depth++;
[30]	354
[33]	355	/* back up and get the data_size */
[31]	356	if ( !prs_set_offset( ps, ps->data_offset-sizeof(uint32)) )
	357	return false;
	358	start_off = ps->data_offset;
	359	if ( !prs_uint32( "rec_size", ps, depth, &nk->rec_size ))
	360	return false;
[30]	361
[84]	362	if (!prs_uint8s("header", ps, depth, nk->header, sizeof(nk->header)))
[31]	363	return false;
[30]	364
[31]	365	if ( !prs_uint16( "key_type", ps, depth, &nk->key_type ))
	366	return false;
	367	if ( !smb_io_time( "mtime", &nk->mtime, ps, depth ))
	368	return false;
[30]	369
[31]	370	if ( !prs_set_offset( ps, start+0x0010 ) )
	371	return false;
	372	if ( !prs_uint32( "parent_off", ps, depth, &nk->parent_off ))
	373	return false;
	374	if ( !prs_uint32( "num_subkeys", ps, depth, &nk->num_subkeys ))
	375	return false;
[30]	376
[31]	377	if ( !prs_set_offset( ps, start+0x001c ) )
	378	return false;
	379	if ( !prs_uint32( "subkeys_off", ps, depth, &nk->subkeys_off ))
	380	return false;
	381	if ( !prs_uint32( "unknown_off", ps, depth, &unknown_off) )
	382	return false;
[30]	383
[31]	384	if ( !prs_set_offset( ps, start+0x0024 ) )
	385	return false;
	386	if ( !prs_uint32( "num_values", ps, depth, &nk->num_values ))
	387	return false;
	388	if ( !prs_uint32( "values_off", ps, depth, &nk->values_off ))
	389	return false;
	390	if ( !prs_uint32( "sk_off", ps, depth, &nk->sk_off ))
	391	return false;
	392	if ( !prs_uint32( "classname_off", ps, depth, &nk->classname_off ))
	393	return false;
[30]	394
[33]	395	if (!prs_uint32("max_bytes_subkeyname", ps, depth, &nk->max_bytes_subkeyname))
[31]	396	return false;
[33]	397	if ( !prs_uint32( "max_bytes_subkeyclassname", ps,
	398	depth, &nk->max_bytes_subkeyclassname))
	399	{ return false; }
[31]	400	if ( !prs_uint32( "max_bytes_valuename", ps, depth, &nk->max_bytes_valuename))
	401	return false;
	402	if ( !prs_uint32( "max_bytes_value", ps, depth, &nk->max_bytes_value))
	403	return false;
	404	if ( !prs_uint32( "unknown index", ps, depth, &nk->unk_index))
	405	return false;
[30]	406
[31]	407	name_length = nk->keyname ? strlen(nk->keyname) : 0 ;
	408	class_length = nk->classname ? strlen(nk->classname) : 0 ;
	409	if ( !prs_uint16( "name_length", ps, depth, &name_length ))
	410	return false;
	411	if ( !prs_uint16( "class_length", ps, depth, &class_length ))
	412	return false;
[30]	413
[33]	414	if ( class_length )
	415	{
[80]	416	/* XXX: why isn't this parsed? */
[31]	417	;;
	418	}
[30]	419
[33]	420	if ( name_length )
	421	{
	422	if(ps->io && !(nk->keyname = (char*)zcalloc(sizeof(char), name_length+1)))
[31]	423	return false;
[30]	424
[84]	425	if(!prs_uint8s("name", ps, depth, (uint8*)nk->keyname, name_length))
[31]	426	return false;
[30]	427
[53]	428	if(ps->io)
[31]	429	nk->keyname[name_length] = '\0';
	430	}
[30]	431
[31]	432	end_off = ps->data_offset;
[30]	433
[33]	434	/* data_size must be divisible by 8 and large enough to hold
	435	the original record */
[30]	436
[31]	437	data_size = ((start_off - end_off) & 0xfffffff8 );
[33]	438	/*if ( data_size > nk->rec_size )
	439	DEBUG(10,("Encountered reused record (0x%x < 0x%x)\n", data_size, nk->rec_size));*/
[30]	440
[31]	441	return true;
[30]	442	}
	443
	444
	445	/*******************************************************************
	446	Input a randon offset and receive the correpsonding HBIN
	447	block for it
	448	*******************************************************************/
	449	static bool hbin_contains_offset( REGF_HBIN *hbin, uint32 offset )
	450	{
[31]	451	if ( !hbin )
	452	return false;
[30]	453
[31]	454	if ( (offset > hbin->first_hbin_off) && (offset < (hbin->first_hbin_off+hbin->block_size)) )
	455	return true;
[30]	456
[31]	457	return false;
[30]	458	}
	459
	460
	461	/*******************************************************************
	462	Input a randon offset and receive the correpsonding HBIN
	463	block for it
	464	*******************************************************************/
	465	static REGF_HBIN* lookup_hbin_block( REGF_FILE *file, uint32 offset )
	466	{
[31]	467	REGF_HBIN *hbin = NULL;
	468	uint32 block_off;
[30]	469
[31]	470	/* start with the open list */
[30]	471
[31]	472	for ( hbin=file->block_list; hbin; hbin=hbin->next ) {
	473	/* DEBUG(10,("lookup_hbin_block: address = 0x%x [0x%x]\n", hbin->file_off, (uint32)hbin ));*/
	474	if ( hbin_contains_offset( hbin, offset ) )
	475	return hbin;
	476	}
[30]	477
[31]	478	if ( !hbin ) {
	479	/* start at the beginning */
[30]	480
[31]	481	block_off = REGF_BLOCKSIZE;
	482	do {
	483	/* cleanup before the next round */
	484	if ( hbin )
	485	{
	486	if(hbin->ps.is_dynamic)
	487	SAFE_FREE(hbin->ps.data_p);
	488	hbin->ps.is_dynamic = false;
	489	hbin->ps.buffer_size = 0;
	490	hbin->ps.data_offset = 0;
	491	}
[30]	492
[97]	493	hbin = regfi_parse_hbin(file, block_off, true, false);
[30]	494
[31]	495	if ( hbin )
	496	block_off = hbin->file_off + hbin->block_size;
[30]	497
[31]	498	} while ( hbin && !hbin_contains_offset( hbin, offset ) );
	499	}
[30]	500
[31]	501	if ( hbin )
[80]	502	/* XXX: this kind of caching needs to be re-evaluated */
[31]	503	DLIST_ADD( file->block_list, hbin );
[30]	504
[31]	505	return hbin;
[30]	506	}
	507
	508
	509	/*******************************************************************
[31]	510	*******************************************************************/
[30]	511	static bool prs_hash_rec( const char desc, prs_struct ps, int depth, REGF_HASH_REC *hash )
	512	{
[31]	513	depth++;
[30]	514
[31]	515	if ( !prs_uint32( "nk_off", ps, depth, &hash->nk_off ))
	516	return false;
[84]	517	if ( !prs_uint8s("keycheck", ps, depth, hash->keycheck, sizeof( hash->keycheck )) )
[31]	518	return false;
[30]	519
[31]	520	return true;
[30]	521	}
	522
	523
	524	/*******************************************************************
[31]	525	*******************************************************************/
[53]	526	static bool hbin_prs_lf_records(const char desc, REGF_HBIN hbin,
	527	int depth, REGF_NK_REC *nk)
[30]	528	{
[31]	529	int i;
	530	REGF_LF_REC *lf = &nk->subkeys;
	531	uint32 data_size, start_off, end_off;
[30]	532
[31]	533	depth++;
[30]	534
[31]	535	/* check if we have anything to do first */
[30]	536
[31]	537	if ( nk->num_subkeys == 0 )
	538	return true;
[30]	539
[31]	540	/* move to the LF record */
[30]	541
[97]	542	if ( !prs_set_offset( &hbin->ps, nk->subkeys_off + HBIN_MAGIC_SIZE - hbin->first_hbin_off ) )
[31]	543	return false;
[30]	544
[31]	545	/* backup and get the data_size */
[30]	546
[31]	547	if ( !prs_set_offset( &hbin->ps, hbin->ps.data_offset-sizeof(uint32)) )
	548	return false;
	549	start_off = hbin->ps.data_offset;
	550	if ( !prs_uint32( "rec_size", &hbin->ps, depth, &lf->rec_size ))
	551	return false;
[30]	552
[84]	553	if(!prs_uint8s("header", &hbin->ps, depth,
[53]	554	lf->header, sizeof(lf->header)))
[31]	555	return false;
[30]	556
[31]	557	if ( !prs_uint16( "num_keys", &hbin->ps, depth, &lf->num_keys))
	558	return false;
[30]	559
[31]	560	if ( hbin->ps.io ) {
	561	if ( !(lf->hashes = (REGF_HASH_REC*)zcalloc(sizeof(REGF_HASH_REC), lf->num_keys )) )
	562	return false;
	563	}
[30]	564
[31]	565	for ( i=0; i<lf->num_keys; i++ ) {
	566	if ( !prs_hash_rec( "hash_rec", &hbin->ps, depth, &lf->hashes[i] ) )
	567	return false;
	568	}
[30]	569
[31]	570	end_off = hbin->ps.data_offset;
[30]	571
[31]	572	/* data_size must be divisible by 8 and large enough to hold the original record */
[30]	573
[31]	574	data_size = ((start_off - end_off) & 0xfffffff8 );
[33]	575	/* if ( data_size > lf->rec_size )*/
[31]	576	/DEBUG(10,("Encountered reused record (0x%x < 0x%x)\n", data_size, lf->rec_size));/
[30]	577
[31]	578	return true;
[30]	579	}
	580
	581
	582	/*******************************************************************
[31]	583	*******************************************************************/
[30]	584	static bool hbin_prs_sk_rec( const char desc, REGF_HBIN hbin, int depth, REGF_SK_REC *sk )
	585	{
[31]	586	prs_struct *ps = &hbin->ps;
	587	uint16 tag = 0xFFFF;
	588	uint32 data_size, start_off, end_off;
[30]	589
	590
[31]	591	depth++;
[30]	592
[97]	593	if ( !prs_set_offset( &hbin->ps, sk->sk_off + HBIN_MAGIC_SIZE - hbin->first_hbin_off ) )
[31]	594	return false;
[30]	595
[31]	596	/* backup and get the data_size */
[30]	597
[31]	598	if ( !prs_set_offset( &hbin->ps, hbin->ps.data_offset-sizeof(uint32)) )
	599	return false;
	600	start_off = hbin->ps.data_offset;
	601	if ( !prs_uint32( "rec_size", &hbin->ps, depth, &sk->rec_size ))
	602	return false;
[30]	603
[84]	604	if (!prs_uint8s("header", ps, depth, sk->header, sizeof(sk->header)))
[31]	605	return false;
	606	if ( !prs_uint16( "tag", ps, depth, &tag))
	607	return false;
[30]	608
[31]	609	if ( !prs_uint32( "prev_sk_off", ps, depth, &sk->prev_sk_off))
	610	return false;
	611	if ( !prs_uint32( "next_sk_off", ps, depth, &sk->next_sk_off))
	612	return false;
	613	if ( !prs_uint32( "ref_count", ps, depth, &sk->ref_count))
	614	return false;
	615	if ( !prs_uint32( "size", ps, depth, &sk->size))
	616	return false;
[30]	617
[31]	618	if ( !sec_io_desc( "sec_desc", &sk->sec_desc, ps, depth ))
	619	return false;
[30]	620
[31]	621	end_off = hbin->ps.data_offset;
[30]	622
[31]	623	/* data_size must be divisible by 8 and large enough to hold the original record */
[30]	624
[31]	625	data_size = ((start_off - end_off) & 0xfffffff8 );
[33]	626	/* if ( data_size > sk->rec_size )*/
[31]	627	/DEBUG(10,("Encountered reused record (0x%x < 0x%x)\n", data_size, sk->rec_size));/
[30]	628
[31]	629	return true;
[30]	630	}
	631
	632
	633	/*******************************************************************
[31]	634	*******************************************************************/
[30]	635	static bool hbin_prs_vk_rec( const char desc, REGF_HBIN hbin, int depth,
	636	REGF_VK_REC vk, REGF_FILE file )
	637	{
[31]	638	uint32 offset;
	639	uint16 name_length;
	640	prs_struct *ps = &hbin->ps;
	641	uint32 data_size, start_off, end_off;
[30]	642
[31]	643	depth++;
[30]	644
[31]	645	/* backup and get the data_size */
[30]	646
[31]	647	if ( !prs_set_offset( &hbin->ps, hbin->ps.data_offset-sizeof(uint32)) )
	648	return false;
	649	start_off = hbin->ps.data_offset;
	650	if ( !prs_uint32( "rec_size", &hbin->ps, depth, &vk->rec_size ))
	651	return false;
[30]	652
[84]	653	if ( !prs_uint8s("header", ps, depth, vk->header, sizeof( vk->header )) )
[31]	654	return false;
[30]	655
[31]	656	if ( !hbin->ps.io )
	657	name_length = strlen(vk->valuename);
[30]	658
[31]	659	if ( !prs_uint16( "name_length", ps, depth, &name_length ))
	660	return false;
	661	if ( !prs_uint32( "data_size", ps, depth, &vk->data_size ))
	662	return false;
	663	if ( !prs_uint32( "data_off", ps, depth, &vk->data_off ))
	664	return false;
	665	if ( !prs_uint32( "type", ps, depth, &vk->type))
	666	return false;
	667	if ( !prs_uint16( "flag", ps, depth, &vk->flag))
	668	return false;
[30]	669
[31]	670	offset = ps->data_offset;
	671	offset += 2; /* skip 2 bytes */
	672	prs_set_offset( ps, offset );
[30]	673
[31]	674	/* get the name */
[30]	675
[31]	676	if ( vk->flag&VK_FLAG_NAME_PRESENT ) {
[30]	677
[31]	678	if ( hbin->ps.io ) {
	679	if ( !(vk->valuename = (char*)zcalloc(sizeof(char), name_length+1 )))
	680	return false;
	681	}
[84]	682	if ( !prs_uint8s("name", ps, depth,
[53]	683	(uint8*)vk->valuename, name_length) )
[31]	684	return false;
	685	}
[30]	686
[31]	687	end_off = hbin->ps.data_offset;
[30]	688
[31]	689	/* get the data if necessary */
[30]	690
[32]	691	if ( vk->data_size != 0 )
	692	{
[31]	693	/* the data is stored in the offset if the size <= 4 */
[32]	694	if ( !(vk->data_size & VK_DATA_IN_OFFSET) )
	695	{
[31]	696	REGF_HBIN *hblock = hbin;
	697	uint32 data_rec_size;
[30]	698
[32]	699	if ( hbin->ps.io )
	700	{
[31]	701	if ( !(vk->data = (uint8*)zcalloc(sizeof(uint8), vk->data_size) ) )
	702	return false;
	703	}
[30]	704
[31]	705	/* this data can be in another hbin */
[32]	706	if ( !hbin_contains_offset( hbin, vk->data_off ) )
	707	{
[31]	708	if ( !(hblock = lookup_hbin_block( file, vk->data_off )) )
	709	return false;
	710	}
[32]	711	if (!(prs_set_offset(&hblock->ps,
	712	(vk->data_off
[97]	713	+ HBIN_MAGIC_SIZE
[32]	714	- hblock->first_hbin_off)
	715	- sizeof(uint32))))
	716	{ return false; }
[30]	717
[32]	718	if ( !hblock->ps.io )
	719	{
[31]	720	data_rec_size = ( (vk->data_size+sizeof(uint32)) & 0xfffffff8 ) + 8;
	721	data_rec_size = ( data_rec_size - 1 ) ^ 0xFFFFFFFF;
	722	}
	723	if ( !prs_uint32( "data_rec_size", &hblock->ps, depth, &data_rec_size ))
	724	return false;
[84]	725	if(!prs_uint8s("data", &hblock->ps, depth,
[32]	726	vk->data, vk->data_size))
[31]	727	return false;
[30]	728
[31]	729	}
[32]	730	else
	731	{
	732	if(!(vk->data = zcalloc(sizeof(uint8), 4)))
[31]	733	return false;
	734	SIVAL( vk->data, 0, vk->data_off );
	735	}
[30]	736
[31]	737	}
[30]	738
[31]	739	/* data_size must be divisible by 8 and large enough to hold the original record */
[30]	740
[31]	741	data_size = ((start_off - end_off ) & 0xfffffff8 );
[77]	742	/* XXX: should probably print a warning here */
[32]	743	/*if ( data_size != vk->rec_size )
	744	DEBUG(10,("prs_vk_rec: data_size check failed (0x%x < 0x%x)\n", data_size, vk->rec_size));*/
[30]	745
[31]	746	return true;
[30]	747	}
	748
	749
	750	/*******************************************************************
	751	read a VK record which is contained in the HBIN block stored
	752	in the prs_struct *ps.
	753	*******************************************************************/
[32]	754	static bool hbin_prs_vk_records(const char desc, REGF_HBIN hbin,
	755	int depth, REGF_NK_REC nk, REGF_FILE file)
[30]	756	{
[31]	757	int i;
	758	uint32 record_size;
[30]	759
[31]	760	depth++;
[80]	761
[31]	762	/* check if we have anything to do first */
[32]	763	if(nk->num_values == 0)
[31]	764	return true;
[80]	765
[32]	766	if(hbin->ps.io)
	767	{
	768	if (!(nk->values = (REGF_VK_REC*)zcalloc(sizeof(REGF_VK_REC),
	769	nk->num_values )))
[31]	770	return false;
	771	}
[80]	772
[31]	773	/* convert the offset to something relative to this HBIN block */
[32]	774	if (!prs_set_offset(&hbin->ps,
	775	nk->values_off
[97]	776	+ HBIN_MAGIC_SIZE
[32]	777	- hbin->first_hbin_off
	778	- sizeof(uint32)))
	779	{ return false; }
[30]	780
[32]	781	if ( !hbin->ps.io )
	782	{
[31]	783	record_size = ( ( nk->num_values * sizeof(uint32) ) & 0xfffffff8 ) + 8;
	784	record_size = (record_size - 1) ^ 0xFFFFFFFF;
	785	}
[30]	786
[31]	787	if ( !prs_uint32( "record_size", &hbin->ps, depth, &record_size ) )
	788	return false;
[80]	789
[32]	790	for ( i=0; i<nk->num_values; i++ )
	791	{
[31]	792	if ( !prs_uint32( "vk_off", &hbin->ps, depth, &nk->values[i].rec_off ) )
	793	return false;
	794	}
[30]	795
[32]	796	for ( i=0; i<nk->num_values; i++ )
	797	{
[31]	798	REGF_HBIN *sub_hbin = hbin;
	799	uint32 new_offset;
[30]	800
[32]	801	if ( !hbin_contains_offset( hbin, nk->values[i].rec_off ) )
	802	{
[31]	803	sub_hbin = lookup_hbin_block( file, nk->values[i].rec_off );
[32]	804	if ( !sub_hbin )
	805	{
[31]	806	/*DEBUG(0,("hbin_prs_vk_records: Failed to find HBIN block containing offset [0x%x]\n",
	807	nk->values[i].hbin_off));*/
	808	return false;
	809	}
	810	}
[80]	811
[32]	812	new_offset = nk->values[i].rec_off
[97]	813	+ HBIN_MAGIC_SIZE
[32]	814	- sub_hbin->first_hbin_off;
	815
	816	if (!prs_set_offset(&sub_hbin->ps, new_offset))
[31]	817	return false;
[32]	818	if (!hbin_prs_vk_rec("vk_rec", sub_hbin, depth, &nk->values[i], file))
[31]	819	return false;
	820	}
[30]	821
[31]	822	return true;
[30]	823	}
	824
	825
	826	/*******************************************************************
[31]	827	*******************************************************************/
[30]	828	static REGF_SK_REC* find_sk_record_by_offset( REGF_FILE *file, uint32 offset )
	829	{
[31]	830	REGF_SK_REC *p_sk;
[80]	831
[31]	832	for ( p_sk=file->sec_desc_list; p_sk; p_sk=p_sk->next ) {
	833	if ( p_sk->sk_off == offset )
	834	return p_sk;
	835	}
[80]	836
[31]	837	return NULL;
[30]	838	}
	839
[32]	840
[30]	841	/*******************************************************************
[31]	842	*******************************************************************/
[30]	843	static REGF_SK_REC* find_sk_record_by_sec_desc( REGF_FILE file, SEC_DESC sd )
	844	{
[31]	845	REGF_SK_REC *p;
[30]	846
[31]	847	for ( p=file->sec_desc_list; p; p=p->next ) {
	848	if ( sec_desc_equal( p->sec_desc, sd ) )
	849	return p;
	850	}
[30]	851
[31]	852	/* failure */
[30]	853
[31]	854	return NULL;
[30]	855	}
	856
[32]	857
[30]	858	/*******************************************************************
[31]	859	*******************************************************************/
[30]	860	static bool hbin_prs_key( REGF_FILE file, REGF_HBIN hbin, REGF_NK_REC *nk )
	861	{
[31]	862	int depth = 0;
	863	REGF_HBIN *sub_hbin;
[80]	864
[31]	865	depth++;
[30]	866
[31]	867	/* get the initial nk record */
[33]	868	if (!prs_nk_rec("nk_rec", &hbin->ps, depth, nk))
[31]	869	return false;
[30]	870
[31]	871	/* fill in values */
[32]	872	if ( nk->num_values && (nk->values_off!=REGF_OFFSET_NONE) )
	873	{
[31]	874	sub_hbin = hbin;
[32]	875	if ( !hbin_contains_offset( hbin, nk->values_off ) )
	876	{
[31]	877	sub_hbin = lookup_hbin_block( file, nk->values_off );
[32]	878	if ( !sub_hbin )
	879	{
[31]	880	/*DEBUG(0,("hbin_prs_key: Failed to find HBIN block containing value_list_offset [0x%x]\n",
	881	nk->values_off));*/
	882	return false;
	883	}
	884	}
[30]	885
[32]	886	if(!hbin_prs_vk_records("vk_rec", sub_hbin, depth, nk, file))
[31]	887	return false;
	888	}
[30]	889
[31]	890	/* now get subkeys */
[32]	891	if ( nk->num_subkeys && (nk->subkeys_off!=REGF_OFFSET_NONE) )
	892	{
[31]	893	sub_hbin = hbin;
[32]	894	if ( !hbin_contains_offset( hbin, nk->subkeys_off ) )
	895	{
[31]	896	sub_hbin = lookup_hbin_block( file, nk->subkeys_off );
[32]	897	if ( !sub_hbin )
	898	{
[31]	899	/*DEBUG(0,("hbin_prs_key: Failed to find HBIN block containing subkey_offset [0x%x]\n",
	900	nk->subkeys_off));*/
	901	return false;
	902	}
	903	}
[30]	904
[32]	905	if (!hbin_prs_lf_records("lf_rec", sub_hbin, depth, nk))
[31]	906	return false;
	907	}
[30]	908
[31]	909	/* get the to the security descriptor. First look if we have already parsed it */
[30]	910
[32]	911	if ((nk->sk_off!=REGF_OFFSET_NONE)
	912	&& !(nk->sec_desc = find_sk_record_by_offset( file, nk->sk_off )))
	913	{
[31]	914	sub_hbin = hbin;
[32]	915	if (!hbin_contains_offset(hbin, nk->sk_off))
	916	{
[31]	917	sub_hbin = lookup_hbin_block( file, nk->sk_off );
	918	if ( !sub_hbin ) {
	919	/*DEBUG(0,("hbin_prs_key: Failed to find HBIN block containing sk_offset [0x%x]\n",
	920	nk->subkeys_off));*/
	921	return false;
	922	}
	923	}
[30]	924
[31]	925	if ( !(nk->sec_desc = (REGF_SK_REC*)zalloc(sizeof(REGF_SK_REC) )) )
	926	return false;
	927	nk->sec_desc->sk_off = nk->sk_off;
	928	if ( !hbin_prs_sk_rec( "sk_rec", sub_hbin, depth, nk->sec_desc ))
	929	return false;
[30]	930
[31]	931	/* add to the list of security descriptors (ref_count has been read from the files) */
[30]	932
[31]	933	nk->sec_desc->sk_off = nk->sk_off;
[80]	934	/* XXX: this kind of caching needs to be re-evaluated */
[31]	935	DLIST_ADD( file->sec_desc_list, nk->sec_desc );
	936	}
[30]	937
[31]	938	return true;
[30]	939	}
	940
[32]	941
[30]	942	/*******************************************************************
[31]	943	*******************************************************************/
[30]	944	static bool next_record( REGF_HBIN hbin, const char hdr, bool *eob )
	945	{
[53]	946	uint8 header[REC_HDR_SIZE] = "";
[31]	947	uint32 record_size;
	948	uint32 curr_off, block_size;
	949	bool found = false;
	950	prs_struct *ps = &hbin->ps;
[30]	951
[31]	952	curr_off = ps->data_offset;
	953	if ( curr_off == 0 )
[97]	954	prs_set_offset( ps, HBIN_HEADER_REC_SIZE+4 );
[30]	955
[31]	956	/* assume that the current offset is at the reacord header
	957	and we need to backup to read the record size */
	958	curr_off -= sizeof(uint32);
[30]	959
[31]	960	block_size = ps->buffer_size;
	961	record_size = 0;
[32]	962	while ( !found )
	963	{
[31]	964	curr_off = curr_off+record_size;
	965	if ( curr_off >= block_size )
	966	break;
[30]	967
[31]	968	if ( !prs_set_offset( &hbin->ps, curr_off) )
	969	return false;
[30]	970
[31]	971	if ( !prs_uint32( "record_size", ps, 0, &record_size ) )
	972	return false;
[84]	973	if ( !prs_uint8s("header", ps, 0, header, REC_HDR_SIZE ) )
[31]	974	return false;
[30]	975
[31]	976	if ( record_size & 0x80000000 ) {
	977	/* absolute_value(record_size) */
	978	record_size = (record_size ^ 0xffffffff) + 1;
	979	}
[30]	980
[31]	981	if ( memcmp( header, hdr, REC_HDR_SIZE ) == 0 ) {
	982	found = true;
	983	curr_off += sizeof(uint32);
	984	}
	985	}
[30]	986
[31]	987	/* mark prs_struct as done ( at end ) if no more SK records */
[32]	988	/* mark end-of-block as true */
	989	if ( !found )
[31]	990	{
	991	prs_set_offset( &hbin->ps, hbin->ps.buffer_size );
	992	*eob = true;
	993	return false;
	994	}
[32]	995
	996	if (!prs_set_offset(ps, curr_off))
[31]	997	return false;
[30]	998
[31]	999	return true;
[30]	1000	}
	1001
	1002
	1003	/*******************************************************************
[31]	1004	*******************************************************************/
[32]	1005	static bool next_nk_record(REGF_FILE file, REGF_HBIN hbin,
	1006	REGF_NK_REC nk, bool eob)
[30]	1007	{
[32]	1008	if (next_record(hbin, "nk", eob)
	1009	&& hbin_prs_key(file, hbin, nk))
[31]	1010	return true;
[30]	1011
[31]	1012	return false;
[30]	1013	}
	1014
	1015
	1016	/*******************************************************************
[97]	1017	* Open the registry file and then read in the REGF block to get the
	1018	* first hbin offset.
	1019	*******************************************************************/
	1020	REGF_FILE* regfi_open(const char* filename)
[30]	1021	{
[97]	1022	REGF_FILE* rb;
	1023	int fd;
[31]	1024	int flags = O_RDONLY;
[30]	1025
[97]	1026	/* open an existing file */
	1027	if ((fd = open(filename, flags)) == -1)
	1028	{
[78]	1029	/* DEBUG(0,("regfi_open: failure to open %s (%s)\n", filename, strerror(errno)));*/
[31]	1030	return NULL;
	1031	}
[30]	1032
[31]	1033	/* read in an existing file */
[97]	1034	if ((rb = regfi_parse_regf(fd, true)) == NULL)
	1035	{
[78]	1036	/* DEBUG(0,("regfi_open: Failed to read initial REGF block\n"));*/
[97]	1037	close(fd);
[31]	1038	return NULL;
	1039	}
[30]	1040
[31]	1041	/* success */
	1042	return rb;
[30]	1043	}
	1044
	1045
	1046	/*******************************************************************
[80]	1047	XXX: should this be nuked?
[31]	1048	*******************************************************************/
[78]	1049	static void regfi_mem_free( REGF_FILE *file )
[30]	1050	{
[31]	1051	/* free any zalloc()'d memory */
[30]	1052
	1053	/* if ( file && file->mem_ctx )
[31]	1054	free(file->mem_ctx);
[30]	1055	*/
	1056	}
	1057
	1058
	1059	/*******************************************************************
[31]	1060	*******************************************************************/
[78]	1061	int regfi_close( REGF_FILE *file )
[30]	1062	{
[31]	1063	int fd;
[30]	1064
[78]	1065	regfi_mem_free( file );
[30]	1066
[31]	1067	/* nothing to do if there is no open file */
[30]	1068
[31]	1069	if ( !file \|\| (file->fd == -1) )
	1070	return 0;
[30]	1071
[31]	1072	fd = file->fd;
	1073	file->fd = -1;
	1074	SAFE_FREE( file );
[30]	1075
[31]	1076	return close( fd );
[30]	1077	}
	1078
	1079
[80]	1080	/******************************************************************************
	1081	* There should be only one root key in the registry file based
	1082	* on my experience. --jerry
	1083	*****************************************************************************/
[78]	1084	REGF_NK_REC* regfi_rootkey( REGF_FILE *file )
[30]	1085	{
[31]	1086	REGF_NK_REC *nk;
	1087	REGF_HBIN *hbin;
	1088	uint32 offset = REGF_BLOCKSIZE;
	1089	bool found = false;
	1090	bool eob;
[30]	1091
[31]	1092	if ( !file )
	1093	return NULL;
[30]	1094
[31]	1095	if ( !(nk = (REGF_NK_REC*)zalloc(sizeof(REGF_NK_REC) )) ) {
[78]	1096	/DEBUG(0,("regfi_rootkey: zalloc() failed!\n"));/
[31]	1097	return NULL;
	1098	}
[30]	1099
[31]	1100	/* scan through the file on HBIN block at a time looking
	1101	for an NK record with a type == 0x002c.
	1102	Normally this is the first nk record in the first hbin
	1103	block (but I'm not assuming that for now) */
[30]	1104
[97]	1105	while ( (hbin = regfi_parse_hbin(file, offset, true, false)) ) {
[31]	1106	eob = false;
[30]	1107
[31]	1108	while ( !eob) {
	1109	if ( next_nk_record( file, hbin, nk, &eob ) ) {
	1110	if ( nk->key_type == NK_TYPE_ROOTKEY ) {
	1111	found = true;
	1112	break;
	1113	}
	1114	}
	1115	if(hbin->ps.is_dynamic)
	1116	SAFE_FREE(hbin->ps.data_p);
	1117	hbin->ps.is_dynamic = false;
	1118	hbin->ps.buffer_size = 0;
	1119	hbin->ps.data_offset = 0;
	1120	}
[30]	1121
[31]	1122	if ( found )
	1123	break;
[30]	1124
[31]	1125	offset += hbin->block_size;
	1126	}
[30]	1127
[31]	1128	if ( !found ) {
[78]	1129	/DEBUG(0,("regfi_rootkey: corrupt registry file ? No root key record located\n"));/
[31]	1130	return NULL;
	1131	}
[30]	1132
[80]	1133	/* XXX: this kind of caching needs to be re-evaluated */
[31]	1134	DLIST_ADD( file->block_list, hbin );
[30]	1135
[80]	1136	return nk;
[30]	1137	}
	1138
	1139
[80]	1140	/******************************************************************************
	1141	*****************************************************************************/
	1142	void regfi_key_free(REGF_NK_REC* nk)
[30]	1143	{
[80]	1144	uint32 i;
	1145
	1146	if((nk->values != NULL) && (nk->values_off!=REGF_OFFSET_NONE))
	1147	{
	1148	for(i=0; i < nk->num_values; i++)
[81]	1149	{
	1150	if(nk->values[i].valuename != NULL)
	1151	free(nk->values[i].valuename);
	1152	if(nk->values[i].data != NULL)
	1153	free(nk->values[i].data);
	1154	}
[80]	1155	free(nk->values);
	1156	}
[30]	1157
[80]	1158	if(nk->keyname != NULL)
	1159	free(nk->keyname);
	1160	if(nk->classname != NULL)
	1161	free(nk->classname);
	1162
	1163	/* XXX: not freeing hbin because these are cached. This needs to be reviewed. */
	1164	/* XXX: not freeing sec_desc because these are cached. This needs to be reviewed. */
	1165	free(nk);
	1166	}
	1167
	1168
	1169	/******************************************************************************
	1170	*****************************************************************************/
	1171	REGFI_ITERATOR* regfi_iterator_new(REGF_FILE* fh)
	1172	{
	1173	REGF_NK_REC* root;
	1174	REGFI_ITERATOR* ret_val = (REGFI_ITERATOR*)malloc(sizeof(REGFI_ITERATOR));
	1175	if(ret_val == NULL)
	1176	return NULL;
	1177
[81]	1178	root = regfi_rootkey(fh);
[80]	1179	if(root == NULL)
	1180	{
	1181	free(ret_val);
	1182	return NULL;
	1183	}
	1184
	1185	ret_val->key_positions = void_stack_new(REGF_MAX_DEPTH);
	1186	if(ret_val->key_positions == NULL)
	1187	{
	1188	free(ret_val);
	1189	free(root);
	1190	return NULL;
	1191	}
	1192
	1193	ret_val->f = fh;
	1194	ret_val->cur_key = root;
	1195	ret_val->cur_subkey = 0;
	1196	ret_val->cur_value = 0;
	1197
	1198	return ret_val;
	1199	}
	1200
	1201
	1202	/******************************************************************************
	1203	*****************************************************************************/
	1204	void regfi_iterator_free(REGFI_ITERATOR* i)
	1205	{
	1206	REGFI_ITER_POSITION* cur;
	1207
	1208	if(i->cur_key != NULL)
	1209	regfi_key_free(i->cur_key);
	1210
	1211	while((cur = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions)) != NULL)
	1212	{
	1213	regfi_key_free(cur->nk);
	1214	free(cur);
	1215	}
	1216
	1217	free(i);
	1218	}
	1219
	1220
	1221
	1222	/******************************************************************************
	1223	*****************************************************************************/
	1224	/* XXX: some way of indicating reason for failure should be added. */
	1225	bool regfi_iterator_down(REGFI_ITERATOR* i)
	1226	{
	1227	REGF_NK_REC* subkey;
	1228	REGFI_ITER_POSITION* pos;
	1229
	1230	pos = (REGFI_ITER_POSITION*)malloc(sizeof(REGFI_ITER_POSITION));
	1231	if(pos == NULL)
	1232	return false;
	1233
[84]	1234	subkey = (REGF_NK_REC*)regfi_iterator_cur_subkey(i);
[80]	1235	if(subkey == NULL)
	1236	{
	1237	free(pos);
	1238	return false;
	1239	}
	1240
	1241	pos->nk = i->cur_key;
	1242	pos->cur_subkey = i->cur_subkey;
	1243	if(!void_stack_push(i->key_positions, pos))
	1244	{
	1245	free(pos);
	1246	regfi_key_free(subkey);
	1247	return false;
	1248	}
	1249
	1250	i->cur_key = subkey;
	1251	i->cur_subkey = 0;
	1252	i->cur_value = 0;
	1253
	1254	return true;
	1255	}
	1256
	1257
	1258	/******************************************************************************
	1259	*****************************************************************************/
	1260	bool regfi_iterator_up(REGFI_ITERATOR* i)
	1261	{
	1262	REGFI_ITER_POSITION* pos;
	1263
	1264	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
	1265	if(pos == NULL)
	1266	return false;
	1267
	1268	regfi_key_free(i->cur_key);
	1269	i->cur_key = pos->nk;
	1270	i->cur_subkey = pos->cur_subkey;
	1271	i->cur_value = 0;
	1272	free(pos);
	1273
	1274	return true;
	1275	}
	1276
	1277
	1278	/******************************************************************************
	1279	*****************************************************************************/
	1280	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
	1281	{
	1282	while(regfi_iterator_up(i))
	1283	continue;
	1284
	1285	return true;
	1286	}
	1287
	1288
	1289	/******************************************************************************
	1290	*****************************************************************************/
	1291	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
	1292	{
	1293	REGF_NK_REC* subkey;
	1294	bool found = false;
	1295	uint32 old_subkey = i->cur_subkey;
	1296
	1297	if(subkey_name == NULL)
	1298	return false;
	1299
	1300	/* XXX: this alloc/free of each sub key might be a bit excessive */
[84]	1301	subkey = (REGF_NK_REC*)regfi_iterator_first_subkey(i);
[80]	1302	while((subkey != NULL) && (found == false))
	1303	{
	1304	if(subkey->keyname != NULL
	1305	&& strcasecmp(subkey->keyname, subkey_name) == 0)
	1306	found = true;
[82]	1307	else
	1308	{
	1309	regfi_key_free(subkey);
[84]	1310	subkey = (REGF_NK_REC*)regfi_iterator_next_subkey(i);
[82]	1311	}
[80]	1312	}
	1313
	1314	if(found == false)
	1315	{
	1316	i->cur_subkey = old_subkey;
	1317	return false;
	1318	}
	1319
[82]	1320	regfi_key_free(subkey);
[80]	1321	return true;
	1322	}
	1323
	1324
	1325	/******************************************************************************
	1326	*****************************************************************************/
	1327	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
	1328	{
	1329	uint32 x;
	1330	if(path == NULL)
	1331	return false;
	1332
	1333	for(x=0;
	1334	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
	1335	&& regfi_iterator_down(i));
	1336	x++)
	1337	{ continue; }
	1338
	1339	if(path[x] == NULL)
	1340	return true;
	1341
	1342	/* XXX: is this the right number of times? */
	1343	for(; x > 0; x--)
	1344	regfi_iterator_up(i);
	1345
	1346	return false;
	1347	}
	1348
	1349
	1350	/******************************************************************************
	1351	*****************************************************************************/
[84]	1352	const REGF_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]	1353	{
	1354	return i->cur_key;
	1355	}
	1356
	1357
	1358	/******************************************************************************
	1359	*****************************************************************************/
[84]	1360	const REGF_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]	1361	{
	1362	i->cur_subkey = 0;
	1363	return regfi_iterator_cur_subkey(i);
	1364	}
	1365
	1366
	1367	/******************************************************************************
	1368	*****************************************************************************/
[84]	1369	const REGF_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]	1370	{
	1371	REGF_NK_REC* subkey;
	1372	REGF_HBIN* hbin;
	1373	uint32 nk_offset;
	1374
[31]	1375	/* see if there is anything left to report */
[80]	1376	if (!(i->cur_key) \|\| (i->cur_key->subkeys_off==REGF_OFFSET_NONE)
	1377	\|\| (i->cur_subkey >= i->cur_key->num_subkeys))
[31]	1378	return NULL;
[30]	1379
[80]	1380	nk_offset = i->cur_key->subkeys.hashes[i->cur_subkey].nk_off;
	1381
[31]	1382	/* find the HBIN block which should contain the nk record */
[80]	1383	hbin = lookup_hbin_block(i->f, nk_offset);
	1384	if(!hbin)
[31]	1385	{
[80]	1386	/* XXX: should print out some kind of error message every time here */
[31]	1387	/*DEBUG(0,("hbin_prs_key: Failed to find HBIN block containing offset [0x%x]\n",
[80]	1388	i->cur_key->subkeys.hashes[i->cur_subkey].nk_off));*/
[31]	1389	return NULL;
	1390	}
[78]	1391
[32]	1392	if(!prs_set_offset(&hbin->ps,
[97]	1393	HBIN_MAGIC_SIZE + nk_offset - hbin->first_hbin_off))
[31]	1394	return NULL;
[30]	1395
[32]	1396	if(!(subkey = (REGF_NK_REC*)zalloc(sizeof(REGF_NK_REC))))
[31]	1397	return NULL;
[30]	1398
[80]	1399	if(!hbin_prs_key(i->f, hbin, subkey))
	1400	{
	1401	regfi_key_free(subkey);
[31]	1402	return NULL;
[80]	1403	}
[32]	1404
[31]	1405	return subkey;
[30]	1406	}
[80]	1407
	1408
	1409	/******************************************************************************
	1410	*****************************************************************************/
	1411	/* XXX: some way of indicating reason for failure should be added. */
[84]	1412	const REGF_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]	1413	{
[84]	1414	const REGF_NK_REC* subkey;
[80]	1415
	1416	i->cur_subkey++;
	1417	subkey = regfi_iterator_cur_subkey(i);
	1418
	1419	if(subkey == NULL)
	1420	i->cur_subkey--;
	1421
	1422	return subkey;
	1423	}
	1424
	1425
	1426	/******************************************************************************
	1427	*****************************************************************************/
	1428	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
	1429	{
[84]	1430	const REGF_VK_REC* cur;
[80]	1431	bool found = false;
	1432
	1433	/* XXX: cur->valuename can be NULL in the registry.
	1434	* Should we allow for a way to search for that?
	1435	*/
	1436	if(value_name == NULL)
	1437	return false;
	1438
	1439	cur = regfi_iterator_first_value(i);
	1440	while((cur != NULL) && (found == false))
	1441	{
	1442	if((cur->valuename != NULL)
	1443	&& (strcasecmp(cur->valuename, value_name) == 0))
	1444	found = true;
[95]	1445	else
	1446	cur = regfi_iterator_next_value(i);
[80]	1447	}
	1448
[94]	1449	return found;
[80]	1450	}
	1451
	1452
	1453	/******************************************************************************
	1454	*****************************************************************************/
[84]	1455	const REGF_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]	1456	{
	1457	i->cur_value = 0;
	1458	return regfi_iterator_cur_value(i);
	1459	}
	1460
	1461
	1462	/******************************************************************************
	1463	*****************************************************************************/
[84]	1464	const REGF_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]	1465	{
	1466	REGF_VK_REC* ret_val = NULL;
	1467	if(i->cur_value < i->cur_key->num_values)
[81]	1468	ret_val = &(i->cur_key->values[i->cur_value]);
[80]	1469
	1470	return ret_val;
	1471	}
	1472
	1473
	1474	/******************************************************************************
	1475	*****************************************************************************/
[84]	1476	const REGF_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]	1477	{
[84]	1478	const REGF_VK_REC* ret_val;
[80]	1479
	1480	i->cur_value++;
	1481	ret_val = regfi_iterator_cur_value(i);
	1482	if(ret_val == NULL)
	1483	i->cur_value--;
	1484
	1485	return ret_val;
	1486	}
[97]	1487
	1488
	1489
	1490	/****************/
	1491	/* Experimental */
	1492	/****************/
	1493	/*
	1494	typedef struct {
	1495	uint32 offset;
	1496	uint32 size;
	1497	} REGFI_CELL_INFO;
	1498
	1499	typedef struct {
	1500	uint32 count
	1501	REGFI_CELL_INFO** cells;
	1502	} REGFI_CELL_LIST;
	1503	*/
	1504
	1505
	1506	/*******************************************************************
	1507	* Computes the checksum of the registry file header.
	1508	* buffer must be at least the size of an regf header (4096 bytes).
	1509	*******************************************************************/
	1510	static uint32 regfi_compute_header_checksum(uint8* buffer)
	1511	{
	1512	uint32 checksum, x;
	1513	int i;
	1514
	1515	/* XOR of all bytes 0x0000 - 0x01FB */
	1516
	1517	checksum = x = 0;
	1518
	1519	for ( i=0; i<0x01FB; i+=4 ) {
	1520	x = IVAL(buffer, i );
	1521	checksum ^= x;
	1522	}
	1523
	1524	return checksum;
	1525	}
	1526
	1527
	1528	/*******************************************************************
	1529	* TODO: add way to return more detailed error information.
	1530	*******************************************************************/
	1531	REGF_FILE* regfi_parse_regf(int fd, bool strict)
	1532	{
	1533	uint8 file_header[REGF_BLOCKSIZE];
	1534	uint32 ret, length;
	1535	uint32 file_length;
	1536	struct stat sbuf;
	1537	REGF_FILE* ret_val;
	1538
	1539	/* Determine file length. Must be at least big enough
	1540	* for the header and one hbin.
	1541	*/
	1542	if (fstat(fd, &sbuf) == -1)
	1543	return NULL;
	1544	file_length = sbuf.st_size;
	1545	if(file_length < REGF_BLOCKSIZE+REGF_ALLOC_BLOCK)
	1546	return NULL;
	1547
	1548	ret_val = (REGF_FILE*)zalloc(sizeof(REGF_FILE));
	1549	if(ret_val == NULL)
	1550	return NULL;
	1551
	1552	ret_val->fd = fd;
	1553	ret_val->file_length = file_length;
	1554
	1555	length = REGF_BLOCKSIZE;
	1556	if((ret = regfi_read(fd, file_header, &length)) != 0
	1557	\|\| length != REGF_BLOCKSIZE)
	1558	{
	1559	free(ret_val);
	1560	return NULL;
	1561	}
	1562
	1563	ret_val->checksum = IVAL(file_header, 0x1FC);
	1564	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
	1565	if (strict && (ret_val->checksum != ret_val->computed_checksum))
	1566	{
	1567	free(ret_val);
	1568	return NULL;
	1569	}
	1570
	1571	memcpy(ret_val->magic, file_header, 4);
	1572	if(strict && (memcmp(ret_val->magic, "regf", 4) != 0))
	1573	{
	1574	free(ret_val);
	1575	return NULL;
	1576	}
	1577
	1578	ret_val->unknown1 = IVAL(file_header, 0x4);
	1579	ret_val->unknown2 = IVAL(file_header, 0x8);
	1580
	1581	ret_val->mtime.low = IVAL(file_header, 0xC);
	1582	ret_val->mtime.high = IVAL(file_header, 0x10);
	1583
	1584	ret_val->unknown3 = IVAL(file_header, 0x14);
	1585	ret_val->unknown4 = IVAL(file_header, 0x18);
	1586	ret_val->unknown5 = IVAL(file_header, 0x1C);
	1587	ret_val->unknown6 = IVAL(file_header, 0x20);
	1588
	1589	ret_val->data_offset = IVAL(file_header, 0x24);
	1590	ret_val->last_block = IVAL(file_header, 0x28);
	1591
	1592	ret_val->unknown7 = IVAL(file_header, 0x2C);
	1593
	1594	return ret_val;
	1595	}
	1596
	1597
	1598
	1599	/*******************************************************************
	1600	* Given real file offset, read and parse the hbin at that location
	1601	* along with it's associated cells. If save_unalloc is true, a list
	1602	* of unallocated cell offsets will be stored in TODO.
	1603	*******************************************************************/
	1604	/* TODO: Need a way to return types of errors. Also need to free
	1605	* the hbin/ps when an error occurs.
	1606	*/
	1607	REGF_HBIN* regfi_parse_hbin(REGF_FILE* file, uint32 offset,
	1608	bool strict, bool save_unalloc)
	1609	{
	1610	REGF_HBIN *hbin;
	1611	uint8 hbin_header[HBIN_HEADER_REC_SIZE];
	1612	uint32 length, curr_off;
	1613	int32 cell_len;
	1614	bool is_unalloc;
	1615
	1616	if(!(hbin = (REGF_HBIN*)zalloc(sizeof(REGF_HBIN))))
	1617	return NULL;
	1618	hbin->file_off = offset;
	1619
	1620	if(lseek(file->fd, offset, SEEK_SET) == -1)
	1621	return NULL;
	1622
	1623	length = HBIN_HEADER_REC_SIZE;
	1624	if((regfi_read(file->fd, hbin_header, &length) != 0)
	1625	\|\| length != HBIN_HEADER_REC_SIZE)
	1626	return NULL;
	1627
	1628	if(lseek(file->fd, offset, SEEK_SET) == -1)
	1629	return NULL;
	1630
	1631	memcpy(hbin->magic, hbin_header, 4);
	1632	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
	1633	return NULL;
	1634
	1635	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
	1636	hbin->block_size = IVAL(hbin_header, 0x8);
	1637	/* this should be the same thing as hbin->block_size but just in case */
	1638	hbin->next_block = IVAL(hbin_header, 0x1C);
	1639
	1640
	1641	/* TODO: This check is this more of a way to determine if they are ever
	1642	* not the same than to really do sanity checking. This may need
	1643	* to be changed or removed once these fields are better understood. */
	1644	if(strict && (hbin->block_size != hbin->next_block))
	1645	{
	1646	fprintf(stderr, "DEBUG: hbin->block_size != hbin->next_block\n");
	1647	return NULL;
	1648	}
	1649
	1650
	1651	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
	1652	* the end of the file.
	1653	*/
	1654	/* TODO: This may need to be relaxed for dealing with
	1655	* partial or corrupt files. */
	1656	if((offset + hbin->block_size > file->file_length)
	1657	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
	1658	return NULL;
	1659
	1660
	1661	/* TODO: need to get rid of this, but currently lots depends on the
	1662	* ps structure.
	1663	*/
	1664	if(!prs_init(&hbin->ps, hbin->block_size, file->mem_ctx, UNMARSHALL))
	1665	return NULL;
	1666	length = hbin->block_size;
	1667	if((regfi_read(file->fd, (uint8*)hbin->ps.data_p, &length) != 0)
	1668	\|\| length != hbin->block_size)
	1669	return NULL;
	1670
	1671
	1672	if(save_unalloc)
	1673	{
	1674	is_unalloc = false;
	1675	cell_len = 0;
	1676	curr_off = HBIN_HEADER_REC_SIZE;
	1677	while ( curr_off < hbin->block_size )
	1678	{
	1679	cell_len = IVALS(hbin->ps.data_p, curr_off);
	1680
	1681	if(cell_len > 0)
	1682	is_unalloc = true;
	1683	else
	1684	cell_len = -1*cell_len;
	1685
	1686	if((cell_len == 0) \|\| ((cell_len & 0xFFFFFFFC) != cell_len))
	1687	/* TODO: should report an error here. */
	1688	break;
	1689
	1690	/* for some reason the record_size of the last record in
	1691	an hbin block can extend past the end of the block
	1692	even though the record fits within the remaining
	1693	space....aaarrrgggghhhhhh */
	1694	if(curr_off + cell_len >= hbin->block_size)
	1695	cell_len = hbin->block_size - curr_off;
	1696
	1697	if(is_unalloc)
	1698	/* TODO: save cell info */
	1699
	1700	curr_off = curr_off+cell_len;
	1701	}
	1702	}
	1703
	1704	/* TODO: need to get rid of this, but currently lots depends on the
	1705	* ps structure.
	1706	*/
	1707	if(!prs_set_offset(&hbin->ps, file->data_offset+HBIN_MAGIC_SIZE))
	1708	return NULL;
	1709
	1710	return hbin;
	1711	}
	1712
	1713
	1714	/*****************************************************************************
	1715	* This function is just like read(2), except that it continues to
	1716	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
	1717	* regfi_read will attempt to read length bytes from fd and write them to buf.
	1718	*
	1719	* On success, 0 is returned. Upon failure, an errno code is returned.
	1720	*
	1721	* The number of bytes successfully read is returned through the length
	1722	* parameter by reference. If both the return value and length parameter are
	1723	* returned as 0, then EOF was encountered immediately
	1724	*****************************************************************************/
	1725	uint32 regfi_read(int fd, uint8* buf, uint32* length)
	1726	{
	1727	uint32 rsize = 0;
	1728	uint32 rret = 0;
	1729
	1730	do
	1731	{
	1732	rret = read(fd, buf + rsize, *length - rsize);
	1733	if(rret > 0)
	1734	rsize += rret;
	1735	}while(*length - rsize > 0
	1736	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
	1737
	1738	*length = rsize;
	1739	if (rret == -1 && errno != EINTR && errno != EAGAIN)
	1740	return errno;
	1741
	1742	return 0;
	1743	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: