1 | /* |
---|
2 | * Branched from Samba project Subversion repository, version #7470: |
---|
3 | * http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto |
---|
4 | * |
---|
5 | * Windows NT (and later) registry parsing library |
---|
6 | * |
---|
7 | * Copyright (C) 2005-2009 Timothy D. Morgan |
---|
8 | * Copyright (C) 2005 Gerald (Jerry) Carter |
---|
9 | * |
---|
10 | * This program is free software; you can redistribute it and/or modify |
---|
11 | * it under the terms of the GNU General Public License as published by |
---|
12 | * the Free Software Foundation; version 3 of the License. |
---|
13 | * |
---|
14 | * This program is distributed in the hope that it will be useful, |
---|
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
17 | * GNU General Public License for more details. |
---|
18 | * |
---|
19 | * You should have received a copy of the GNU General Public License |
---|
20 | * along with this program; if not, write to the Free Software |
---|
21 | * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
---|
22 | * |
---|
23 | * $Id: regfi.c 138 2009-02-08 19:53:48Z tim $ |
---|
24 | */ |
---|
25 | |
---|
26 | #include "../include/regfi.h" |
---|
27 | |
---|
28 | |
---|
29 | /* Registry types mapping */ |
---|
30 | const unsigned int regfi_num_reg_types = 12; |
---|
31 | static const char* regfi_type_names[] = |
---|
32 | {"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK", |
---|
33 | "MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"}; |
---|
34 | |
---|
35 | |
---|
36 | |
---|
37 | /****************************************************************************** |
---|
38 | ******************************************************************************/ |
---|
39 | void regfi_add_message(REGFI_FILE* file, uint16 msg_type, const char* fmt, ...) |
---|
40 | { |
---|
41 | /* XXX: This function is not particularly efficient, |
---|
42 | * but then it is mostly used during errors. |
---|
43 | */ |
---|
44 | uint32 buf_size, buf_used; |
---|
45 | char* new_msg; |
---|
46 | va_list args; |
---|
47 | |
---|
48 | if((file->msg_mask & msg_type) != 0) |
---|
49 | { |
---|
50 | if(file->last_message == NULL) |
---|
51 | buf_used = 0; |
---|
52 | else |
---|
53 | buf_used = strlen(file->last_message); |
---|
54 | |
---|
55 | buf_size = buf_used+strlen(fmt)+160; |
---|
56 | new_msg = realloc(file->last_message, buf_size); |
---|
57 | if(new_msg == NULL) |
---|
58 | /* XXX: should we report this? */ |
---|
59 | return; |
---|
60 | |
---|
61 | switch (msg_type) |
---|
62 | { |
---|
63 | case REGFI_MSG_INFO: |
---|
64 | strcpy(new_msg+buf_used, "INFO: "); |
---|
65 | buf_used += 6; |
---|
66 | break; |
---|
67 | case REGFI_MSG_WARN: |
---|
68 | strcpy(new_msg+buf_used, "WARN: "); |
---|
69 | buf_used += 6; |
---|
70 | break; |
---|
71 | case REGFI_MSG_ERROR: |
---|
72 | strcpy(new_msg+buf_used, "ERROR: "); |
---|
73 | buf_used += 7; |
---|
74 | break; |
---|
75 | } |
---|
76 | |
---|
77 | va_start(args, fmt); |
---|
78 | vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args); |
---|
79 | va_end(args); |
---|
80 | strncat(new_msg, "\n", buf_size-1); |
---|
81 | |
---|
82 | file->last_message = new_msg; |
---|
83 | } |
---|
84 | } |
---|
85 | |
---|
86 | |
---|
87 | /****************************************************************************** |
---|
88 | ******************************************************************************/ |
---|
89 | char* regfi_get_messages(REGFI_FILE* file) |
---|
90 | { |
---|
91 | char* ret_val = file->last_message; |
---|
92 | file->last_message = NULL; |
---|
93 | |
---|
94 | return ret_val; |
---|
95 | } |
---|
96 | |
---|
97 | |
---|
98 | void regfi_set_message_mask(REGFI_FILE* file, uint16 mask) |
---|
99 | { |
---|
100 | file->msg_mask = mask; |
---|
101 | } |
---|
102 | |
---|
103 | |
---|
104 | /* Returns NULL on error */ |
---|
105 | const char* regfi_type_val2str(unsigned int val) |
---|
106 | { |
---|
107 | if(val == REG_KEY) |
---|
108 | return "KEY"; |
---|
109 | |
---|
110 | if(val >= regfi_num_reg_types) |
---|
111 | return NULL; |
---|
112 | |
---|
113 | return regfi_type_names[val]; |
---|
114 | } |
---|
115 | |
---|
116 | |
---|
117 | /* Returns -1 on error */ |
---|
118 | int regfi_type_str2val(const char* str) |
---|
119 | { |
---|
120 | int i; |
---|
121 | |
---|
122 | if(strcmp("KEY", str) == 0) |
---|
123 | return REG_KEY; |
---|
124 | |
---|
125 | for(i=0; i < regfi_num_reg_types; i++) |
---|
126 | if (strcmp(regfi_type_names[i], str) == 0) |
---|
127 | return i; |
---|
128 | |
---|
129 | if(strcmp("DWORD_LE", str) == 0) |
---|
130 | return REG_DWORD_LE; |
---|
131 | |
---|
132 | return -1; |
---|
133 | } |
---|
134 | |
---|
135 | |
---|
136 | /* Security descriptor formatting functions */ |
---|
137 | |
---|
138 | const char* regfi_ace_type2str(uint8 type) |
---|
139 | { |
---|
140 | static const char* map[7] |
---|
141 | = {"ALLOW", "DENY", "AUDIT", "ALARM", |
---|
142 | "ALLOW CPD", "OBJ ALLOW", "OBJ DENY"}; |
---|
143 | if(type < 7) |
---|
144 | return map[type]; |
---|
145 | else |
---|
146 | /* XXX: would be nice to return the unknown integer value. |
---|
147 | * However, as it is a const string, it can't be free()ed later on, |
---|
148 | * so that would need to change. |
---|
149 | */ |
---|
150 | return "UNKNOWN"; |
---|
151 | } |
---|
152 | |
---|
153 | |
---|
154 | /* XXX: need a better reference on the meaning of each flag. */ |
---|
155 | /* For more info, see: |
---|
156 | * http://msdn2.microsoft.com/en-us/library/aa772242.aspx |
---|
157 | */ |
---|
158 | char* regfi_ace_flags2str(uint8 flags) |
---|
159 | { |
---|
160 | static const char* flag_map[32] = |
---|
161 | { "OI", /* Object Inherit */ |
---|
162 | "CI", /* Container Inherit */ |
---|
163 | "NP", /* Non-Propagate */ |
---|
164 | "IO", /* Inherit Only */ |
---|
165 | "IA", /* Inherited ACE */ |
---|
166 | NULL, |
---|
167 | NULL, |
---|
168 | NULL, |
---|
169 | }; |
---|
170 | |
---|
171 | char* ret_val = malloc(35*sizeof(char)); |
---|
172 | char* fo = ret_val; |
---|
173 | uint32 i; |
---|
174 | uint8 f; |
---|
175 | |
---|
176 | if(ret_val == NULL) |
---|
177 | return NULL; |
---|
178 | |
---|
179 | fo[0] = '\0'; |
---|
180 | if (!flags) |
---|
181 | return ret_val; |
---|
182 | |
---|
183 | for(i=0; i < 8; i++) |
---|
184 | { |
---|
185 | f = (1<<i); |
---|
186 | if((flags & f) && (flag_map[i] != NULL)) |
---|
187 | { |
---|
188 | strcpy(fo, flag_map[i]); |
---|
189 | fo += strlen(flag_map[i]); |
---|
190 | *(fo++) = ' '; |
---|
191 | flags ^= f; |
---|
192 | } |
---|
193 | } |
---|
194 | |
---|
195 | /* Any remaining unknown flags are added at the end in hex. */ |
---|
196 | if(flags != 0) |
---|
197 | sprintf(fo, "0x%.2X ", flags); |
---|
198 | |
---|
199 | /* Chop off the last space if we've written anything to ret_val */ |
---|
200 | if(fo != ret_val) |
---|
201 | fo[-1] = '\0'; |
---|
202 | |
---|
203 | /* XXX: what was this old VI flag for?? |
---|
204 | XXX: Is this check right? 0xF == 1|2|4|8, which makes it redundant... |
---|
205 | if (flags == 0xF) { |
---|
206 | if (some) strcat(flg_output, " "); |
---|
207 | some = 1; |
---|
208 | strcat(flg_output, "VI"); |
---|
209 | } |
---|
210 | */ |
---|
211 | |
---|
212 | return ret_val; |
---|
213 | } |
---|
214 | |
---|
215 | |
---|
216 | char* regfi_ace_perms2str(uint32 perms) |
---|
217 | { |
---|
218 | uint32 i, p; |
---|
219 | /* This is more than is needed by a fair margin. */ |
---|
220 | char* ret_val = malloc(350*sizeof(char)); |
---|
221 | char* r = ret_val; |
---|
222 | |
---|
223 | /* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits. |
---|
224 | * For more information, see: |
---|
225 | * http://msdn2.microsoft.com/en-gb/library/aa374892.aspx |
---|
226 | * http://msdn2.microsoft.com/en-gb/library/ms724878.aspx |
---|
227 | */ |
---|
228 | static const char* perm_map[32] = |
---|
229 | {/* object-specific permissions (registry keys, in this case) */ |
---|
230 | "QRY_VAL", /* KEY_QUERY_VALUE */ |
---|
231 | "SET_VAL", /* KEY_SET_VALUE */ |
---|
232 | "CREATE_KEY", /* KEY_CREATE_SUB_KEY */ |
---|
233 | "ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */ |
---|
234 | "NOTIFY", /* KEY_NOTIFY */ |
---|
235 | "CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */ |
---|
236 | NULL, |
---|
237 | NULL, |
---|
238 | "WOW64_64", /* KEY_WOW64_64KEY */ |
---|
239 | "WOW64_32", /* KEY_WOW64_32KEY */ |
---|
240 | NULL, |
---|
241 | NULL, |
---|
242 | NULL, |
---|
243 | NULL, |
---|
244 | NULL, |
---|
245 | NULL, |
---|
246 | /* standard access rights */ |
---|
247 | "DELETE", /* DELETE */ |
---|
248 | "R_CONT", /* READ_CONTROL */ |
---|
249 | "W_DAC", /* WRITE_DAC */ |
---|
250 | "W_OWNER", /* WRITE_OWNER */ |
---|
251 | "SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */ |
---|
252 | NULL, |
---|
253 | NULL, |
---|
254 | NULL, |
---|
255 | /* other generic */ |
---|
256 | "SYS_SEC", /* ACCESS_SYSTEM_SECURITY */ |
---|
257 | "MAX_ALLWD", /* MAXIMUM_ALLOWED */ |
---|
258 | NULL, |
---|
259 | NULL, |
---|
260 | "GEN_A", /* GENERIC_ALL */ |
---|
261 | "GEN_X", /* GENERIC_EXECUTE */ |
---|
262 | "GEN_W", /* GENERIC_WRITE */ |
---|
263 | "GEN_R", /* GENERIC_READ */ |
---|
264 | }; |
---|
265 | |
---|
266 | |
---|
267 | if(ret_val == NULL) |
---|
268 | return NULL; |
---|
269 | |
---|
270 | r[0] = '\0'; |
---|
271 | for(i=0; i < 32; i++) |
---|
272 | { |
---|
273 | p = (1<<i); |
---|
274 | if((perms & p) && (perm_map[i] != NULL)) |
---|
275 | { |
---|
276 | strcpy(r, perm_map[i]); |
---|
277 | r += strlen(perm_map[i]); |
---|
278 | *(r++) = ' '; |
---|
279 | perms ^= p; |
---|
280 | } |
---|
281 | } |
---|
282 | |
---|
283 | /* Any remaining unknown permission bits are added at the end in hex. */ |
---|
284 | if(perms != 0) |
---|
285 | sprintf(r, "0x%.8X ", perms); |
---|
286 | |
---|
287 | /* Chop off the last space if we've written anything to ret_val */ |
---|
288 | if(r != ret_val) |
---|
289 | r[-1] = '\0'; |
---|
290 | |
---|
291 | return ret_val; |
---|
292 | } |
---|
293 | |
---|
294 | |
---|
295 | char* regfi_sid2str(WINSEC_DOM_SID* sid) |
---|
296 | { |
---|
297 | uint32 i, size = WINSEC_MAX_SUBAUTHS*11 + 24; |
---|
298 | uint32 left = size; |
---|
299 | uint8 comps = sid->num_auths; |
---|
300 | char* ret_val = malloc(size); |
---|
301 | |
---|
302 | if(ret_val == NULL) |
---|
303 | return NULL; |
---|
304 | |
---|
305 | if(comps > WINSEC_MAX_SUBAUTHS) |
---|
306 | comps = WINSEC_MAX_SUBAUTHS; |
---|
307 | |
---|
308 | left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]); |
---|
309 | |
---|
310 | for (i = 0; i < comps; i++) |
---|
311 | left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]); |
---|
312 | |
---|
313 | return ret_val; |
---|
314 | } |
---|
315 | |
---|
316 | |
---|
317 | char* regfi_get_acl(WINSEC_ACL* acl) |
---|
318 | { |
---|
319 | uint32 i, extra, size = 0; |
---|
320 | const char* type_str; |
---|
321 | char* flags_str; |
---|
322 | char* perms_str; |
---|
323 | char* sid_str; |
---|
324 | char* ace_delim = ""; |
---|
325 | char* ret_val = NULL; |
---|
326 | char* tmp_val = NULL; |
---|
327 | bool failed = false; |
---|
328 | char field_delim = ':'; |
---|
329 | |
---|
330 | for (i = 0; i < acl->num_aces && !failed; i++) |
---|
331 | { |
---|
332 | sid_str = regfi_sid2str(acl->aces[i]->trustee); |
---|
333 | type_str = regfi_ace_type2str(acl->aces[i]->type); |
---|
334 | perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask); |
---|
335 | flags_str = regfi_ace_flags2str(acl->aces[i]->flags); |
---|
336 | |
---|
337 | if(flags_str != NULL && perms_str != NULL |
---|
338 | && type_str != NULL && sid_str != NULL) |
---|
339 | { |
---|
340 | /* XXX: this is slow */ |
---|
341 | extra = strlen(sid_str) + strlen(type_str) |
---|
342 | + strlen(perms_str) + strlen(flags_str) + 5; |
---|
343 | tmp_val = realloc(ret_val, size+extra); |
---|
344 | |
---|
345 | if(tmp_val == NULL) |
---|
346 | { |
---|
347 | free(ret_val); |
---|
348 | ret_val = NULL; |
---|
349 | failed = true; |
---|
350 | } |
---|
351 | else |
---|
352 | { |
---|
353 | ret_val = tmp_val; |
---|
354 | size += snprintf(ret_val+size, extra, "%s%s%c%s%c%s%c%s", |
---|
355 | ace_delim,sid_str, |
---|
356 | field_delim,type_str, |
---|
357 | field_delim,perms_str, |
---|
358 | field_delim,flags_str); |
---|
359 | ace_delim = "|"; |
---|
360 | } |
---|
361 | } |
---|
362 | else |
---|
363 | failed = true; |
---|
364 | |
---|
365 | if(sid_str != NULL) |
---|
366 | free(sid_str); |
---|
367 | if(sid_str != NULL) |
---|
368 | free(perms_str); |
---|
369 | if(sid_str != NULL) |
---|
370 | free(flags_str); |
---|
371 | } |
---|
372 | |
---|
373 | return ret_val; |
---|
374 | } |
---|
375 | |
---|
376 | |
---|
377 | char* regfi_get_sacl(WINSEC_DESC *sec_desc) |
---|
378 | { |
---|
379 | if (sec_desc->sacl) |
---|
380 | return regfi_get_acl(sec_desc->sacl); |
---|
381 | else |
---|
382 | return NULL; |
---|
383 | } |
---|
384 | |
---|
385 | |
---|
386 | char* regfi_get_dacl(WINSEC_DESC *sec_desc) |
---|
387 | { |
---|
388 | if (sec_desc->dacl) |
---|
389 | return regfi_get_acl(sec_desc->dacl); |
---|
390 | else |
---|
391 | return NULL; |
---|
392 | } |
---|
393 | |
---|
394 | |
---|
395 | char* regfi_get_owner(WINSEC_DESC *sec_desc) |
---|
396 | { |
---|
397 | return regfi_sid2str(sec_desc->owner_sid); |
---|
398 | } |
---|
399 | |
---|
400 | |
---|
401 | char* regfi_get_group(WINSEC_DESC *sec_desc) |
---|
402 | { |
---|
403 | return regfi_sid2str(sec_desc->grp_sid); |
---|
404 | } |
---|
405 | |
---|
406 | |
---|
407 | /***************************************************************************** |
---|
408 | * This function is just like read(2), except that it continues to |
---|
409 | * re-try reading from the file descriptor if EINTR or EAGAIN is received. |
---|
410 | * regfi_read will attempt to read length bytes from fd and write them to buf. |
---|
411 | * |
---|
412 | * On success, 0 is returned. Upon failure, an errno code is returned. |
---|
413 | * |
---|
414 | * The number of bytes successfully read is returned through the length |
---|
415 | * parameter by reference. If both the return value and length parameter are |
---|
416 | * returned as 0, then EOF was encountered immediately |
---|
417 | *****************************************************************************/ |
---|
418 | uint32 regfi_read(int fd, uint8* buf, uint32* length) |
---|
419 | { |
---|
420 | uint32 rsize = 0; |
---|
421 | uint32 rret = 0; |
---|
422 | |
---|
423 | do |
---|
424 | { |
---|
425 | rret = read(fd, buf + rsize, *length - rsize); |
---|
426 | if(rret > 0) |
---|
427 | rsize += rret; |
---|
428 | }while(*length - rsize > 0 |
---|
429 | && (rret > 0 || (rret == -1 && (errno == EAGAIN || errno == EINTR)))); |
---|
430 | |
---|
431 | *length = rsize; |
---|
432 | if (rret == -1 && errno != EINTR && errno != EAGAIN) |
---|
433 | return errno; |
---|
434 | |
---|
435 | return 0; |
---|
436 | } |
---|
437 | |
---|
438 | |
---|
439 | /***************************************************************************** |
---|
440 | * |
---|
441 | *****************************************************************************/ |
---|
442 | bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len, |
---|
443 | uint32* cell_length, bool* unalloc) |
---|
444 | { |
---|
445 | uint32 length; |
---|
446 | int32 raw_length; |
---|
447 | uint8 tmp[4]; |
---|
448 | |
---|
449 | if(lseek(fd, offset, SEEK_SET) == -1) |
---|
450 | return false; |
---|
451 | |
---|
452 | length = 4; |
---|
453 | if((regfi_read(fd, tmp, &length) != 0) || length != 4) |
---|
454 | return false; |
---|
455 | raw_length = IVALS(tmp, 0); |
---|
456 | |
---|
457 | if(raw_length < 0) |
---|
458 | { |
---|
459 | (*cell_length) = raw_length*(-1); |
---|
460 | (*unalloc) = false; |
---|
461 | } |
---|
462 | else |
---|
463 | { |
---|
464 | (*cell_length) = raw_length; |
---|
465 | (*unalloc) = true; |
---|
466 | } |
---|
467 | |
---|
468 | if(*cell_length - 4 < hdr_len) |
---|
469 | return false; |
---|
470 | |
---|
471 | if(hdr_len > 0) |
---|
472 | { |
---|
473 | length = hdr_len; |
---|
474 | if((regfi_read(fd, hdr, &length) != 0) || length != hdr_len) |
---|
475 | return false; |
---|
476 | } |
---|
477 | |
---|
478 | return true; |
---|
479 | } |
---|
480 | |
---|
481 | |
---|
482 | /******************************************************************* |
---|
483 | * Given an offset and an hbin, is the offset within that hbin? |
---|
484 | * The offset is a virtual file offset. |
---|
485 | *******************************************************************/ |
---|
486 | static bool regfi_offset_in_hbin(REGFI_HBIN* hbin, uint32 offset) |
---|
487 | { |
---|
488 | if(!hbin) |
---|
489 | return false; |
---|
490 | |
---|
491 | if((offset > hbin->first_hbin_off) |
---|
492 | && (offset < (hbin->first_hbin_off + hbin->block_size))) |
---|
493 | return true; |
---|
494 | |
---|
495 | return false; |
---|
496 | } |
---|
497 | |
---|
498 | |
---|
499 | |
---|
500 | /******************************************************************* |
---|
501 | * Provide a virtual offset and receive the correpsonding HBIN |
---|
502 | * block for it. NULL if one doesn't exist. |
---|
503 | *******************************************************************/ |
---|
504 | REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32 offset) |
---|
505 | { |
---|
506 | return (REGFI_HBIN*)range_list_find_data(file->hbins, offset+REGFI_REGF_SIZE); |
---|
507 | } |
---|
508 | |
---|
509 | |
---|
510 | /******************************************************************* |
---|
511 | *******************************************************************/ |
---|
512 | REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16 num_lists, |
---|
513 | REGFI_SUBKEY_LIST** lists, |
---|
514 | bool strict) |
---|
515 | { |
---|
516 | uint32 i,j,k; |
---|
517 | REGFI_SUBKEY_LIST* ret_val; |
---|
518 | |
---|
519 | if(lists == NULL) |
---|
520 | return NULL; |
---|
521 | ret_val = (REGFI_SUBKEY_LIST*)zalloc(sizeof(REGFI_SUBKEY_LIST)); |
---|
522 | |
---|
523 | if(ret_val == NULL) |
---|
524 | return NULL; |
---|
525 | |
---|
526 | /* Obtain total number of elements */ |
---|
527 | ret_val->num_keys = 0; |
---|
528 | for(i=0; i < num_lists; i++) |
---|
529 | { |
---|
530 | if(lists[i] == NULL) |
---|
531 | { |
---|
532 | free(ret_val); |
---|
533 | free(lists); |
---|
534 | return NULL; |
---|
535 | } |
---|
536 | ret_val->num_keys += lists[i]->num_keys; |
---|
537 | } |
---|
538 | |
---|
539 | if(ret_val->num_keys > 0) |
---|
540 | { |
---|
541 | ret_val->elements = |
---|
542 | (REGFI_SUBKEY_LIST_ELEM*)zalloc(sizeof(REGFI_SUBKEY_LIST_ELEM) |
---|
543 | * ret_val->num_keys); |
---|
544 | k=0; |
---|
545 | |
---|
546 | if(ret_val->elements != NULL) |
---|
547 | { |
---|
548 | for(i=0; i<num_lists; i++) |
---|
549 | for(j=0; j<lists[i]->num_keys; j++) |
---|
550 | { |
---|
551 | ret_val->elements[k].hash=lists[i]->elements[j].hash; |
---|
552 | ret_val->elements[k++].nk_off=lists[i]->elements[j].nk_off; |
---|
553 | } |
---|
554 | } |
---|
555 | } |
---|
556 | |
---|
557 | for(i=0; i < num_lists; i++) |
---|
558 | regfi_subkeylist_free(lists[i]); |
---|
559 | free(lists); |
---|
560 | |
---|
561 | return ret_val; |
---|
562 | } |
---|
563 | |
---|
564 | |
---|
565 | |
---|
566 | /******************************************************************* |
---|
567 | *******************************************************************/ |
---|
568 | REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32 offset, |
---|
569 | uint32 num_keys, uint32 max_size, |
---|
570 | bool strict) |
---|
571 | { |
---|
572 | REGFI_SUBKEY_LIST* ret_val; |
---|
573 | REGFI_SUBKEY_LIST** sublists; |
---|
574 | REGFI_HBIN* sublist_hbin; |
---|
575 | uint32 i, cell_length, length, num_sublists, off, max_length, elem_size; |
---|
576 | uint8* hashes; |
---|
577 | uint8 buf[REGFI_SUBKEY_LIST_MIN_LEN]; |
---|
578 | bool unalloc; |
---|
579 | |
---|
580 | if(!regfi_parse_cell(file->fd, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN, |
---|
581 | &cell_length, &unalloc)) |
---|
582 | return NULL; |
---|
583 | |
---|
584 | if(cell_length > max_size) |
---|
585 | { |
---|
586 | if(strict) |
---|
587 | return NULL; |
---|
588 | cell_length = max_size & 0xFFFFFFF8; |
---|
589 | } |
---|
590 | |
---|
591 | if(buf[0] == 'r' && buf[1] == 'i') |
---|
592 | { |
---|
593 | num_sublists = SVAL(buf, 0x2); |
---|
594 | |
---|
595 | /* XXX: check cell_length vs num_sublists vs max_length */ |
---|
596 | length = num_sublists*sizeof(uint32); |
---|
597 | hashes = (uint8*)zalloc(length); |
---|
598 | if(hashes == NULL) |
---|
599 | return NULL; |
---|
600 | |
---|
601 | if(regfi_read(file->fd, hashes, &length) != 0 |
---|
602 | || length != num_sublists*sizeof(uint32)) |
---|
603 | { |
---|
604 | free(hashes); |
---|
605 | return NULL; |
---|
606 | } |
---|
607 | |
---|
608 | sublists = (REGFI_SUBKEY_LIST**)zalloc(num_sublists*sizeof(REGFI_SUBKEY_LIST*)); |
---|
609 | for(i=0; i < num_sublists; i++) |
---|
610 | { |
---|
611 | off = IVAL(hashes, i*4)+REGFI_REGF_SIZE; |
---|
612 | sublist_hbin = regfi_lookup_hbin(file, IVAL(hashes, i*4)); |
---|
613 | max_length = sublist_hbin->block_size + sublist_hbin->file_off - off; |
---|
614 | |
---|
615 | /* XXX: Need to add a recursion depth limit of some kind. */ |
---|
616 | sublists[i] = regfi_load_subkeylist(file, off, 0, max_length, strict); |
---|
617 | } |
---|
618 | free(hashes); |
---|
619 | |
---|
620 | return regfi_merge_subkeylists(num_sublists, sublists, strict); |
---|
621 | } |
---|
622 | |
---|
623 | if(buf[0] == 'l' && buf[1] == 'i') |
---|
624 | elem_size = sizeof(uint32); |
---|
625 | else if((buf[0] == 'l') && (buf[1] == 'f' || buf[1] == 'h')) |
---|
626 | elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM); |
---|
627 | else |
---|
628 | { |
---|
629 | /* fprintf(stderr, "DEBUG: lf->header=%c%c\n", buf[0], buf[1]);*/ |
---|
630 | return NULL; |
---|
631 | } |
---|
632 | |
---|
633 | ret_val = (REGFI_SUBKEY_LIST*)zalloc(sizeof(REGFI_SUBKEY_LIST)); |
---|
634 | if(ret_val == NULL) |
---|
635 | return NULL; |
---|
636 | |
---|
637 | ret_val->offset = offset; |
---|
638 | ret_val->cell_size = cell_length; |
---|
639 | ret_val->magic[0] = buf[0]; |
---|
640 | ret_val->magic[1] = buf[1]; |
---|
641 | |
---|
642 | ret_val->num_keys = SVAL(buf, 0x2); |
---|
643 | if(num_keys != ret_val->num_keys) |
---|
644 | { |
---|
645 | /* Not sure which should be authoritative, the number from the |
---|
646 | * NK record, or the number in the subkey list. Go with the larger |
---|
647 | * of the two to ensure all keys are found, since in 'ri' records, |
---|
648 | * there is no authoritative parent count for a leaf subkey list. |
---|
649 | * Note the length checks on the cell later ensure that there won't |
---|
650 | * be any critical errors. |
---|
651 | */ |
---|
652 | if(num_keys < ret_val->num_keys) |
---|
653 | num_keys = ret_val->num_keys; |
---|
654 | else |
---|
655 | ret_val->num_keys = num_keys; |
---|
656 | } |
---|
657 | |
---|
658 | if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32) |
---|
659 | < ret_val->num_keys*elem_size) |
---|
660 | { |
---|
661 | free(ret_val); |
---|
662 | return NULL; |
---|
663 | } |
---|
664 | |
---|
665 | length = elem_size*ret_val->num_keys; |
---|
666 | ret_val->elements |
---|
667 | = (REGFI_SUBKEY_LIST_ELEM*)zalloc(ret_val->num_keys |
---|
668 | * sizeof(REGFI_SUBKEY_LIST_ELEM)); |
---|
669 | if(ret_val->elements == NULL) |
---|
670 | { |
---|
671 | free(ret_val); |
---|
672 | return NULL; |
---|
673 | } |
---|
674 | |
---|
675 | hashes = (uint8*)zalloc(length); |
---|
676 | if(hashes == NULL) |
---|
677 | { |
---|
678 | free(ret_val->elements); |
---|
679 | free(ret_val); |
---|
680 | return NULL; |
---|
681 | } |
---|
682 | |
---|
683 | if(regfi_read(file->fd, hashes, &length) != 0 |
---|
684 | || length != elem_size*ret_val->num_keys) |
---|
685 | { |
---|
686 | free(ret_val->elements); |
---|
687 | free(ret_val); |
---|
688 | return NULL; |
---|
689 | } |
---|
690 | |
---|
691 | if(buf[0] == 'l' && buf[1] == 'i') |
---|
692 | { |
---|
693 | for (i=0; i < ret_val->num_keys; i++) |
---|
694 | { |
---|
695 | ret_val->elements[i].nk_off = IVAL(hashes, i*elem_size); |
---|
696 | ret_val->elements[i].hash = 0; |
---|
697 | } |
---|
698 | } |
---|
699 | else |
---|
700 | { |
---|
701 | for (i=0; i < ret_val->num_keys; i++) |
---|
702 | { |
---|
703 | ret_val->elements[i].nk_off = IVAL(hashes, i*elem_size); |
---|
704 | ret_val->elements[i].hash = IVAL(hashes, i*elem_size+4); |
---|
705 | } |
---|
706 | } |
---|
707 | free(hashes); |
---|
708 | |
---|
709 | return ret_val; |
---|
710 | } |
---|
711 | |
---|
712 | |
---|
713 | |
---|
714 | /******************************************************************* |
---|
715 | *******************************************************************/ |
---|
716 | REGFI_SK_REC* regfi_parse_sk(REGFI_FILE* file, uint32 offset, uint32 max_size, bool strict) |
---|
717 | { |
---|
718 | REGFI_SK_REC* ret_val; |
---|
719 | uint8* sec_desc_buf; |
---|
720 | uint32 cell_length, length; |
---|
721 | /*prs_struct ps;*/ |
---|
722 | uint8 sk_header[REGFI_SK_MIN_LENGTH]; |
---|
723 | bool unalloc = false; |
---|
724 | |
---|
725 | if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH, |
---|
726 | &cell_length, &unalloc)) |
---|
727 | { |
---|
728 | regfi_add_message(file, REGFI_MSG_WARN, "Could not parse SK record cell" |
---|
729 | " at offset 0x%.8X.", offset); |
---|
730 | return NULL; |
---|
731 | } |
---|
732 | |
---|
733 | if(sk_header[0] != 's' || sk_header[1] != 'k') |
---|
734 | { |
---|
735 | regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing" |
---|
736 | " SK record at offset 0x%.8X.", offset); |
---|
737 | return NULL; |
---|
738 | } |
---|
739 | |
---|
740 | ret_val = (REGFI_SK_REC*)zalloc(sizeof(REGFI_SK_REC)); |
---|
741 | if(ret_val == NULL) |
---|
742 | return NULL; |
---|
743 | |
---|
744 | ret_val->offset = offset; |
---|
745 | /* XXX: Is there a way to be more conservative (shorter) with |
---|
746 | * cell length when cell is unallocated? |
---|
747 | */ |
---|
748 | ret_val->cell_size = cell_length; |
---|
749 | |
---|
750 | if(ret_val->cell_size > max_size) |
---|
751 | ret_val->cell_size = max_size & 0xFFFFFFF8; |
---|
752 | if((ret_val->cell_size < REGFI_SK_MIN_LENGTH) |
---|
753 | || (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8))) |
---|
754 | { |
---|
755 | regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size found while" |
---|
756 | " parsing SK record at offset 0x%.8X.", offset); |
---|
757 | free(ret_val); |
---|
758 | return NULL; |
---|
759 | } |
---|
760 | |
---|
761 | ret_val->magic[0] = sk_header[0]; |
---|
762 | ret_val->magic[1] = sk_header[1]; |
---|
763 | |
---|
764 | /* XXX: Can additional validation be added here? */ |
---|
765 | ret_val->unknown_tag = SVAL(sk_header, 0x2); |
---|
766 | ret_val->prev_sk_off = IVAL(sk_header, 0x4); |
---|
767 | ret_val->next_sk_off = IVAL(sk_header, 0x8); |
---|
768 | ret_val->ref_count = IVAL(sk_header, 0xC); |
---|
769 | ret_val->desc_size = IVAL(sk_header, 0x10); |
---|
770 | |
---|
771 | if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size) |
---|
772 | { |
---|
773 | regfi_add_message(file, REGFI_MSG_ERROR, "Security descriptor too large for" |
---|
774 | " cell while parsing SK record at offset 0x%.8X.", |
---|
775 | offset); |
---|
776 | free(ret_val); |
---|
777 | return NULL; |
---|
778 | } |
---|
779 | |
---|
780 | sec_desc_buf = (uint8*)zalloc(ret_val->desc_size); |
---|
781 | if(ret_val == NULL) |
---|
782 | { |
---|
783 | free(ret_val); |
---|
784 | return NULL; |
---|
785 | } |
---|
786 | |
---|
787 | length = ret_val->desc_size; |
---|
788 | if(regfi_read(file->fd, sec_desc_buf, &length) != 0 |
---|
789 | || length != ret_val->desc_size) |
---|
790 | { |
---|
791 | regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read security" |
---|
792 | " descriptor while parsing SK record at offset 0x%.8X.", |
---|
793 | offset); |
---|
794 | free(ret_val); |
---|
795 | return NULL; |
---|
796 | } |
---|
797 | |
---|
798 | if(!(ret_val->sec_desc = winsec_parse_desc(sec_desc_buf, ret_val->desc_size))) |
---|
799 | { |
---|
800 | regfi_add_message(file, REGFI_MSG_ERROR, "Failed to parse security" |
---|
801 | " descriptor while parsing SK record at offset 0x%.8X.", |
---|
802 | offset); |
---|
803 | free(sec_desc_buf); |
---|
804 | free(ret_val); |
---|
805 | return NULL; |
---|
806 | } |
---|
807 | free(sec_desc_buf); |
---|
808 | |
---|
809 | |
---|
810 | return ret_val; |
---|
811 | } |
---|
812 | |
---|
813 | |
---|
814 | uint32* regfi_parse_valuelist(REGFI_FILE* file, uint32 offset, |
---|
815 | uint32 num_values, bool strict) |
---|
816 | { |
---|
817 | uint32* ret_val; |
---|
818 | uint32 i, cell_length, length, read_len; |
---|
819 | bool unalloc; |
---|
820 | |
---|
821 | if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc)) |
---|
822 | { |
---|
823 | regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read cell header" |
---|
824 | " while parsing value list at offset 0x%.8X.", offset); |
---|
825 | return NULL; |
---|
826 | } |
---|
827 | |
---|
828 | if(cell_length != (cell_length & 0xFFFFFFF8)) |
---|
829 | { |
---|
830 | if(strict) |
---|
831 | return NULL; |
---|
832 | cell_length = cell_length & 0xFFFFFFF8; |
---|
833 | } |
---|
834 | if((num_values * sizeof(uint32)) > cell_length-sizeof(uint32)) |
---|
835 | { |
---|
836 | regfi_add_message(file, REGFI_MSG_ERROR, "Too many values found" |
---|
837 | " while parsing value list at offset 0x%.8X.", offset); |
---|
838 | return NULL; |
---|
839 | } |
---|
840 | |
---|
841 | read_len = num_values*sizeof(uint32); |
---|
842 | ret_val = (uint32*)malloc(read_len); |
---|
843 | if(ret_val == NULL) |
---|
844 | return NULL; |
---|
845 | |
---|
846 | length = read_len; |
---|
847 | if((regfi_read(file->fd, (uint8*)ret_val, &length) != 0) || length != read_len) |
---|
848 | { |
---|
849 | regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read value pointers" |
---|
850 | " while parsing value list at offset 0x%.8X.", offset); |
---|
851 | free(ret_val); |
---|
852 | return NULL; |
---|
853 | } |
---|
854 | |
---|
855 | for(i=0; i < num_values; i++) |
---|
856 | { |
---|
857 | /* Fix endianness */ |
---|
858 | ret_val[i] = IVAL(&ret_val[i], 0); |
---|
859 | |
---|
860 | /* Validate the first num_values values to ensure they make sense */ |
---|
861 | if(strict) |
---|
862 | { |
---|
863 | if((ret_val[i] + REGFI_REGF_SIZE > file->file_length) |
---|
864 | || ((ret_val[i] & 0xFFFFFFF8) != ret_val[i])) |
---|
865 | { |
---|
866 | regfi_add_message(file, REGFI_MSG_ERROR, "Invalid value pointer" |
---|
867 | " (0x%.8X) found while parsing value list at offset" |
---|
868 | " 0x%.8X.", ret_val[i], offset); |
---|
869 | free(ret_val); |
---|
870 | return NULL; |
---|
871 | } |
---|
872 | } |
---|
873 | } |
---|
874 | |
---|
875 | return ret_val; |
---|
876 | } |
---|
877 | |
---|
878 | |
---|
879 | |
---|
880 | /****************************************************************************** |
---|
881 | * If !strict, the list may contain NULLs, VK records may point to NULL. |
---|
882 | ******************************************************************************/ |
---|
883 | REGFI_VK_REC** regfi_load_valuelist(REGFI_FILE* file, uint32 offset, |
---|
884 | uint32 num_values, uint32 max_size, |
---|
885 | bool strict) |
---|
886 | { |
---|
887 | REGFI_VK_REC** ret_val; |
---|
888 | REGFI_HBIN* hbin; |
---|
889 | uint32 i, vk_offset, vk_max_length, usable_num_values; |
---|
890 | uint32* voffsets; |
---|
891 | |
---|
892 | if((num_values+1) * sizeof(uint32) > max_size) |
---|
893 | { |
---|
894 | if(strict) |
---|
895 | return NULL; |
---|
896 | usable_num_values = max_size/sizeof(uint32) - sizeof(uint32); |
---|
897 | } |
---|
898 | else |
---|
899 | usable_num_values = num_values; |
---|
900 | |
---|
901 | voffsets = regfi_parse_valuelist(file, offset, usable_num_values, strict); |
---|
902 | if(voffsets == NULL) |
---|
903 | return NULL; |
---|
904 | |
---|
905 | ret_val = (REGFI_VK_REC**)zalloc(sizeof(REGFI_VK_REC*) * usable_num_values); |
---|
906 | if(ret_val == NULL) |
---|
907 | { |
---|
908 | free(voffsets); |
---|
909 | return NULL; |
---|
910 | } |
---|
911 | |
---|
912 | for(i=0; i < usable_num_values; i++) |
---|
913 | { |
---|
914 | hbin = regfi_lookup_hbin(file, voffsets[i]); |
---|
915 | if(!hbin) |
---|
916 | { |
---|
917 | free(voffsets); |
---|
918 | free(ret_val); |
---|
919 | return NULL; |
---|
920 | } |
---|
921 | |
---|
922 | vk_offset = voffsets[i] + REGFI_REGF_SIZE; |
---|
923 | vk_max_length = hbin->block_size + hbin->file_off - vk_offset; |
---|
924 | ret_val[i] = regfi_parse_vk(file, vk_offset, vk_max_length, strict); |
---|
925 | if(ret_val[i] == NULL) |
---|
926 | { /* If we're being strict, throw out the whole list. |
---|
927 | * Otherwise, let it be NULL. |
---|
928 | */ |
---|
929 | if(strict) |
---|
930 | { |
---|
931 | free(voffsets); |
---|
932 | free(ret_val); |
---|
933 | return NULL; |
---|
934 | } |
---|
935 | } |
---|
936 | } |
---|
937 | |
---|
938 | free(voffsets); |
---|
939 | return ret_val; |
---|
940 | } |
---|
941 | |
---|
942 | |
---|
943 | |
---|
944 | /******************************************************************* |
---|
945 | * XXX: Need to add full key caching using a |
---|
946 | * custom cache structure. |
---|
947 | *******************************************************************/ |
---|
948 | REGFI_NK_REC* regfi_load_key(REGFI_FILE* file, uint32 offset, bool strict) |
---|
949 | { |
---|
950 | REGFI_HBIN* hbin; |
---|
951 | REGFI_HBIN* sub_hbin; |
---|
952 | REGFI_NK_REC* nk; |
---|
953 | uint32 max_length, off; |
---|
954 | |
---|
955 | hbin = regfi_lookup_hbin(file, offset-REGFI_REGF_SIZE); |
---|
956 | if (hbin == NULL) |
---|
957 | return NULL; |
---|
958 | |
---|
959 | /* get the initial nk record */ |
---|
960 | max_length = hbin->block_size + hbin->file_off - offset; |
---|
961 | if ((nk = regfi_parse_nk(file, offset, max_length, true)) == NULL) |
---|
962 | { |
---|
963 | regfi_add_message(file, REGFI_MSG_ERROR, "Could not load NK record at" |
---|
964 | " offset 0x%.8X.", offset); |
---|
965 | return NULL; |
---|
966 | } |
---|
967 | |
---|
968 | /* fill in values */ |
---|
969 | if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE)) |
---|
970 | { |
---|
971 | sub_hbin = hbin; |
---|
972 | if(!regfi_offset_in_hbin(hbin, nk->values_off)) |
---|
973 | sub_hbin = regfi_lookup_hbin(file, nk->values_off); |
---|
974 | |
---|
975 | if(sub_hbin == NULL) |
---|
976 | { |
---|
977 | if(strict) |
---|
978 | { |
---|
979 | free(nk); |
---|
980 | return NULL; |
---|
981 | } |
---|
982 | else |
---|
983 | nk->values = NULL; |
---|
984 | |
---|
985 | } |
---|
986 | else |
---|
987 | { |
---|
988 | off = nk->values_off + REGFI_REGF_SIZE; |
---|
989 | max_length = sub_hbin->block_size + sub_hbin->file_off - off; |
---|
990 | nk->values = regfi_load_valuelist(file, off, nk->num_values, max_length, |
---|
991 | true); |
---|
992 | if(strict && nk->values == NULL) |
---|
993 | { |
---|
994 | regfi_add_message(file, REGFI_MSG_ERROR, "Could not load value list" |
---|
995 | " for NK record at offset 0x%.8X.", |
---|
996 | offset); |
---|
997 | free(nk); |
---|
998 | return NULL; |
---|
999 | } |
---|
1000 | |
---|
1001 | } |
---|
1002 | } |
---|
1003 | |
---|
1004 | /* now get subkeys */ |
---|
1005 | if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE)) |
---|
1006 | { |
---|
1007 | sub_hbin = hbin; |
---|
1008 | if(!regfi_offset_in_hbin(hbin, nk->subkeys_off)) |
---|
1009 | sub_hbin = regfi_lookup_hbin(file, nk->subkeys_off); |
---|
1010 | |
---|
1011 | if (sub_hbin == NULL) |
---|
1012 | { |
---|
1013 | if(strict) |
---|
1014 | { |
---|
1015 | regfi_key_free(nk); |
---|
1016 | return NULL; |
---|
1017 | } |
---|
1018 | else |
---|
1019 | nk->subkeys = NULL; |
---|
1020 | } |
---|
1021 | else |
---|
1022 | { |
---|
1023 | off = nk->subkeys_off + REGFI_REGF_SIZE; |
---|
1024 | max_length = sub_hbin->block_size + sub_hbin->file_off - off; |
---|
1025 | nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys, |
---|
1026 | max_length, true); |
---|
1027 | |
---|
1028 | if(nk->subkeys == NULL) |
---|
1029 | { |
---|
1030 | /* XXX: Should we free the key and bail out here instead? |
---|
1031 | * During nonstrict? |
---|
1032 | */ |
---|
1033 | nk->num_subkeys = 0; |
---|
1034 | } |
---|
1035 | } |
---|
1036 | } |
---|
1037 | |
---|
1038 | return nk; |
---|
1039 | } |
---|
1040 | |
---|
1041 | |
---|
1042 | /****************************************************************************** |
---|
1043 | ******************************************************************************/ |
---|
1044 | static bool regfi_find_root_nk(REGFI_FILE* file, uint32 offset, uint32 hbin_size, |
---|
1045 | uint32* root_offset) |
---|
1046 | { |
---|
1047 | uint8 tmp[4]; |
---|
1048 | int32 record_size; |
---|
1049 | uint32 length, hbin_offset = 0; |
---|
1050 | REGFI_NK_REC* nk = NULL; |
---|
1051 | bool found = false; |
---|
1052 | |
---|
1053 | for(record_size=0; !found && (hbin_offset < hbin_size); ) |
---|
1054 | { |
---|
1055 | if(lseek(file->fd, offset+hbin_offset, SEEK_SET) == -1) |
---|
1056 | return false; |
---|
1057 | |
---|
1058 | length = 4; |
---|
1059 | if((regfi_read(file->fd, tmp, &length) != 0) || length != 4) |
---|
1060 | return false; |
---|
1061 | record_size = IVALS(tmp, 0); |
---|
1062 | |
---|
1063 | if(record_size < 0) |
---|
1064 | { |
---|
1065 | record_size = record_size*(-1); |
---|
1066 | nk = regfi_parse_nk(file, offset+hbin_offset, hbin_size-hbin_offset, true); |
---|
1067 | if(nk != NULL) |
---|
1068 | { |
---|
1069 | if((nk->key_type == REGFI_NK_TYPE_ROOTKEY1) |
---|
1070 | || (nk->key_type == REGFI_NK_TYPE_ROOTKEY2)) |
---|
1071 | { |
---|
1072 | found = true; |
---|
1073 | *root_offset = nk->offset; |
---|
1074 | } |
---|
1075 | free(nk); |
---|
1076 | } |
---|
1077 | } |
---|
1078 | |
---|
1079 | hbin_offset += record_size; |
---|
1080 | } |
---|
1081 | |
---|
1082 | return found; |
---|
1083 | } |
---|
1084 | |
---|
1085 | |
---|
1086 | /******************************************************************* |
---|
1087 | * Open the registry file and then read in the REGF block to get the |
---|
1088 | * first hbin offset. |
---|
1089 | *******************************************************************/ |
---|
1090 | REGFI_FILE* regfi_open(const char* filename) |
---|
1091 | { |
---|
1092 | struct stat sbuf; |
---|
1093 | REGFI_FILE* rb; |
---|
1094 | REGFI_HBIN* hbin = NULL; |
---|
1095 | uint32 hbin_off, file_length; |
---|
1096 | int fd; |
---|
1097 | bool rla; |
---|
1098 | |
---|
1099 | /* open an existing file */ |
---|
1100 | if ((fd = open(filename, O_RDONLY)) == -1) |
---|
1101 | { |
---|
1102 | /* DEBUG(0,("regfi_open: failure to open %s (%s)\n", filename, strerror(errno)));*/ |
---|
1103 | return NULL; |
---|
1104 | } |
---|
1105 | |
---|
1106 | /* Determine file length. Must be at least big enough |
---|
1107 | * for the header and one hbin. |
---|
1108 | */ |
---|
1109 | if (fstat(fd, &sbuf) == -1) |
---|
1110 | return NULL; |
---|
1111 | file_length = sbuf.st_size; |
---|
1112 | if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC) |
---|
1113 | return NULL; |
---|
1114 | |
---|
1115 | /* read in an existing file */ |
---|
1116 | if ((rb = regfi_parse_regf(fd, true)) == NULL) |
---|
1117 | { |
---|
1118 | /* DEBUG(0,("regfi_open: Failed to read initial REGF block\n"));*/ |
---|
1119 | close(fd); |
---|
1120 | return NULL; |
---|
1121 | } |
---|
1122 | rb->file_length = file_length; |
---|
1123 | |
---|
1124 | rb->hbins = range_list_new(); |
---|
1125 | if(rb->hbins == NULL) |
---|
1126 | { |
---|
1127 | range_list_free(rb->hbins); |
---|
1128 | close(fd); |
---|
1129 | free(rb); |
---|
1130 | return NULL; |
---|
1131 | } |
---|
1132 | |
---|
1133 | rla = true; |
---|
1134 | hbin_off = REGFI_REGF_SIZE; |
---|
1135 | hbin = regfi_parse_hbin(rb, hbin_off, true); |
---|
1136 | while(hbin && rla) |
---|
1137 | { |
---|
1138 | rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin); |
---|
1139 | hbin_off = hbin->file_off + hbin->block_size; |
---|
1140 | hbin = regfi_parse_hbin(rb, hbin_off, true); |
---|
1141 | } |
---|
1142 | |
---|
1143 | /* Default message mask */ |
---|
1144 | rb->msg_mask = REGFI_MSG_ERROR|REGFI_MSG_WARN; |
---|
1145 | |
---|
1146 | /* success */ |
---|
1147 | return rb; |
---|
1148 | } |
---|
1149 | |
---|
1150 | |
---|
1151 | /******************************************************************* |
---|
1152 | *******************************************************************/ |
---|
1153 | int regfi_close( REGFI_FILE *file ) |
---|
1154 | { |
---|
1155 | int fd; |
---|
1156 | uint32 i; |
---|
1157 | |
---|
1158 | /* nothing to do if there is no open file */ |
---|
1159 | if ((file == NULL) || (file->fd == -1)) |
---|
1160 | return 0; |
---|
1161 | |
---|
1162 | fd = file->fd; |
---|
1163 | file->fd = -1; |
---|
1164 | for(i=0; i < range_list_size(file->hbins); i++) |
---|
1165 | free(range_list_get(file->hbins, i)->data); |
---|
1166 | range_list_free(file->hbins); |
---|
1167 | |
---|
1168 | free(file); |
---|
1169 | |
---|
1170 | return close(fd); |
---|
1171 | } |
---|
1172 | |
---|
1173 | |
---|
1174 | /****************************************************************************** |
---|
1175 | * There should be only *one* root key in the registry file based |
---|
1176 | * on my experience. --jerry |
---|
1177 | *****************************************************************************/ |
---|
1178 | REGFI_NK_REC* regfi_rootkey(REGFI_FILE *file) |
---|
1179 | { |
---|
1180 | REGFI_NK_REC* nk = NULL; |
---|
1181 | REGFI_HBIN* hbin; |
---|
1182 | uint32 root_offset, i, num_hbins; |
---|
1183 | |
---|
1184 | if(!file) |
---|
1185 | return NULL; |
---|
1186 | |
---|
1187 | /* Scan through the file one HBIN block at a time looking |
---|
1188 | for an NK record with a type == 0x002c. |
---|
1189 | Normally this is the first nk record in the first hbin |
---|
1190 | block (but I'm not assuming that for now) */ |
---|
1191 | |
---|
1192 | num_hbins = range_list_size(file->hbins); |
---|
1193 | for(i=0; i < num_hbins; i++) |
---|
1194 | { |
---|
1195 | hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data; |
---|
1196 | if(regfi_find_root_nk(file, hbin->file_off+REGFI_HBIN_HEADER_SIZE, |
---|
1197 | hbin->block_size-REGFI_HBIN_HEADER_SIZE, &root_offset)) |
---|
1198 | { |
---|
1199 | nk = regfi_load_key(file, root_offset, true); |
---|
1200 | break; |
---|
1201 | } |
---|
1202 | } |
---|
1203 | |
---|
1204 | return nk; |
---|
1205 | } |
---|
1206 | |
---|
1207 | |
---|
1208 | /****************************************************************************** |
---|
1209 | *****************************************************************************/ |
---|
1210 | void regfi_key_free(REGFI_NK_REC* nk) |
---|
1211 | { |
---|
1212 | uint32 i; |
---|
1213 | |
---|
1214 | if((nk->values != NULL) && (nk->values_off!=REGFI_OFFSET_NONE)) |
---|
1215 | { |
---|
1216 | for(i=0; i < nk->num_values; i++) |
---|
1217 | { |
---|
1218 | if(nk->values[i]->valuename != NULL) |
---|
1219 | free(nk->values[i]->valuename); |
---|
1220 | if(nk->values[i]->data != NULL) |
---|
1221 | free(nk->values[i]->data); |
---|
1222 | free(nk->values[i]); |
---|
1223 | } |
---|
1224 | free(nk->values); |
---|
1225 | } |
---|
1226 | |
---|
1227 | regfi_subkeylist_free(nk->subkeys); |
---|
1228 | |
---|
1229 | if(nk->keyname != NULL) |
---|
1230 | free(nk->keyname); |
---|
1231 | if(nk->classname != NULL) |
---|
1232 | free(nk->classname); |
---|
1233 | |
---|
1234 | /* XXX: not freeing sec_desc because these are cached. This needs to be reviewed. */ |
---|
1235 | free(nk); |
---|
1236 | } |
---|
1237 | |
---|
1238 | |
---|
1239 | /****************************************************************************** |
---|
1240 | *****************************************************************************/ |
---|
1241 | void regfi_subkeylist_free(REGFI_SUBKEY_LIST* list) |
---|
1242 | { |
---|
1243 | if(list != NULL) |
---|
1244 | { |
---|
1245 | free(list->elements); |
---|
1246 | free(list); |
---|
1247 | } |
---|
1248 | } |
---|
1249 | |
---|
1250 | |
---|
1251 | /****************************************************************************** |
---|
1252 | *****************************************************************************/ |
---|
1253 | REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* fh) |
---|
1254 | { |
---|
1255 | REGFI_NK_REC* root; |
---|
1256 | REGFI_ITERATOR* ret_val = (REGFI_ITERATOR*)malloc(sizeof(REGFI_ITERATOR)); |
---|
1257 | if(ret_val == NULL) |
---|
1258 | return NULL; |
---|
1259 | |
---|
1260 | root = regfi_rootkey(fh); |
---|
1261 | if(root == NULL) |
---|
1262 | { |
---|
1263 | free(ret_val); |
---|
1264 | return NULL; |
---|
1265 | } |
---|
1266 | |
---|
1267 | ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH); |
---|
1268 | if(ret_val->key_positions == NULL) |
---|
1269 | { |
---|
1270 | free(ret_val); |
---|
1271 | free(root); |
---|
1272 | return NULL; |
---|
1273 | } |
---|
1274 | |
---|
1275 | /* This secret isn't very secret, but we don't need a good one. This |
---|
1276 | * secret is just designed to prevent someone from trying to blow our |
---|
1277 | * caching and make things slow. |
---|
1278 | */ |
---|
1279 | ret_val->sk_recs = lru_cache_create(127, 0x15DEAD05^time(NULL) |
---|
1280 | ^(getpid()<<16)^(getppid()<<8), |
---|
1281 | true); |
---|
1282 | |
---|
1283 | ret_val->f = fh; |
---|
1284 | ret_val->cur_key = root; |
---|
1285 | ret_val->cur_subkey = 0; |
---|
1286 | ret_val->cur_value = 0; |
---|
1287 | |
---|
1288 | return ret_val; |
---|
1289 | } |
---|
1290 | |
---|
1291 | |
---|
1292 | /****************************************************************************** |
---|
1293 | *****************************************************************************/ |
---|
1294 | void regfi_iterator_free(REGFI_ITERATOR* i) |
---|
1295 | { |
---|
1296 | REGFI_ITER_POSITION* cur; |
---|
1297 | |
---|
1298 | if(i->cur_key != NULL) |
---|
1299 | regfi_key_free(i->cur_key); |
---|
1300 | |
---|
1301 | while((cur = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions)) != NULL) |
---|
1302 | { |
---|
1303 | regfi_key_free(cur->nk); |
---|
1304 | free(cur); |
---|
1305 | } |
---|
1306 | |
---|
1307 | lru_cache_destroy(i->sk_recs); |
---|
1308 | |
---|
1309 | free(i); |
---|
1310 | } |
---|
1311 | |
---|
1312 | |
---|
1313 | |
---|
1314 | /****************************************************************************** |
---|
1315 | *****************************************************************************/ |
---|
1316 | /* XXX: some way of indicating reason for failure should be added. */ |
---|
1317 | bool regfi_iterator_down(REGFI_ITERATOR* i) |
---|
1318 | { |
---|
1319 | REGFI_NK_REC* subkey; |
---|
1320 | REGFI_ITER_POSITION* pos; |
---|
1321 | |
---|
1322 | pos = (REGFI_ITER_POSITION*)malloc(sizeof(REGFI_ITER_POSITION)); |
---|
1323 | if(pos == NULL) |
---|
1324 | return false; |
---|
1325 | |
---|
1326 | subkey = (REGFI_NK_REC*)regfi_iterator_cur_subkey(i); |
---|
1327 | if(subkey == NULL) |
---|
1328 | { |
---|
1329 | free(pos); |
---|
1330 | return false; |
---|
1331 | } |
---|
1332 | |
---|
1333 | pos->nk = i->cur_key; |
---|
1334 | pos->cur_subkey = i->cur_subkey; |
---|
1335 | if(!void_stack_push(i->key_positions, pos)) |
---|
1336 | { |
---|
1337 | free(pos); |
---|
1338 | regfi_key_free(subkey); |
---|
1339 | return false; |
---|
1340 | } |
---|
1341 | |
---|
1342 | i->cur_key = subkey; |
---|
1343 | i->cur_subkey = 0; |
---|
1344 | i->cur_value = 0; |
---|
1345 | |
---|
1346 | return true; |
---|
1347 | } |
---|
1348 | |
---|
1349 | |
---|
1350 | /****************************************************************************** |
---|
1351 | *****************************************************************************/ |
---|
1352 | bool regfi_iterator_up(REGFI_ITERATOR* i) |
---|
1353 | { |
---|
1354 | REGFI_ITER_POSITION* pos; |
---|
1355 | |
---|
1356 | pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions); |
---|
1357 | if(pos == NULL) |
---|
1358 | return false; |
---|
1359 | |
---|
1360 | regfi_key_free(i->cur_key); |
---|
1361 | i->cur_key = pos->nk; |
---|
1362 | i->cur_subkey = pos->cur_subkey; |
---|
1363 | i->cur_value = 0; |
---|
1364 | free(pos); |
---|
1365 | |
---|
1366 | return true; |
---|
1367 | } |
---|
1368 | |
---|
1369 | |
---|
1370 | /****************************************************************************** |
---|
1371 | *****************************************************************************/ |
---|
1372 | bool regfi_iterator_to_root(REGFI_ITERATOR* i) |
---|
1373 | { |
---|
1374 | while(regfi_iterator_up(i)) |
---|
1375 | continue; |
---|
1376 | |
---|
1377 | return true; |
---|
1378 | } |
---|
1379 | |
---|
1380 | |
---|
1381 | /****************************************************************************** |
---|
1382 | *****************************************************************************/ |
---|
1383 | bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name) |
---|
1384 | { |
---|
1385 | REGFI_NK_REC* subkey; |
---|
1386 | bool found = false; |
---|
1387 | uint32 old_subkey = i->cur_subkey; |
---|
1388 | |
---|
1389 | if(subkey_name == NULL) |
---|
1390 | return false; |
---|
1391 | |
---|
1392 | /* XXX: this alloc/free of each sub key might be a bit excessive */ |
---|
1393 | subkey = (REGFI_NK_REC*)regfi_iterator_first_subkey(i); |
---|
1394 | while((subkey != NULL) && (found == false)) |
---|
1395 | { |
---|
1396 | if(subkey->keyname != NULL |
---|
1397 | && strcasecmp(subkey->keyname, subkey_name) == 0) |
---|
1398 | found = true; |
---|
1399 | else |
---|
1400 | { |
---|
1401 | regfi_key_free(subkey); |
---|
1402 | subkey = (REGFI_NK_REC*)regfi_iterator_next_subkey(i); |
---|
1403 | } |
---|
1404 | } |
---|
1405 | |
---|
1406 | if(found == false) |
---|
1407 | { |
---|
1408 | i->cur_subkey = old_subkey; |
---|
1409 | return false; |
---|
1410 | } |
---|
1411 | |
---|
1412 | regfi_key_free(subkey); |
---|
1413 | return true; |
---|
1414 | } |
---|
1415 | |
---|
1416 | |
---|
1417 | /****************************************************************************** |
---|
1418 | *****************************************************************************/ |
---|
1419 | bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path) |
---|
1420 | { |
---|
1421 | uint32 x; |
---|
1422 | if(path == NULL) |
---|
1423 | return false; |
---|
1424 | |
---|
1425 | for(x=0; |
---|
1426 | ((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x]) |
---|
1427 | && regfi_iterator_down(i)); |
---|
1428 | x++) |
---|
1429 | { continue; } |
---|
1430 | |
---|
1431 | if(path[x] == NULL) |
---|
1432 | return true; |
---|
1433 | |
---|
1434 | /* XXX: is this the right number of times? */ |
---|
1435 | for(; x > 0; x--) |
---|
1436 | regfi_iterator_up(i); |
---|
1437 | |
---|
1438 | return false; |
---|
1439 | } |
---|
1440 | |
---|
1441 | |
---|
1442 | /****************************************************************************** |
---|
1443 | *****************************************************************************/ |
---|
1444 | const REGFI_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i) |
---|
1445 | { |
---|
1446 | return i->cur_key; |
---|
1447 | } |
---|
1448 | |
---|
1449 | |
---|
1450 | /****************************************************************************** |
---|
1451 | *****************************************************************************/ |
---|
1452 | const REGFI_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i) |
---|
1453 | { |
---|
1454 | REGFI_SK_REC* ret_val = NULL; |
---|
1455 | REGFI_HBIN* hbin; |
---|
1456 | uint32 max_length, off; |
---|
1457 | |
---|
1458 | if(i->cur_key == NULL) |
---|
1459 | return NULL; |
---|
1460 | |
---|
1461 | /* First look if we have already parsed it */ |
---|
1462 | if((i->cur_key->sk_off!=REGFI_OFFSET_NONE) |
---|
1463 | && !(ret_val =(REGFI_SK_REC*)lru_cache_find(i->sk_recs, |
---|
1464 | &i->cur_key->sk_off, 4))) |
---|
1465 | { |
---|
1466 | hbin = regfi_lookup_hbin(i->f, i->cur_key->sk_off); |
---|
1467 | |
---|
1468 | if(hbin == NULL) |
---|
1469 | return NULL; |
---|
1470 | |
---|
1471 | off = i->cur_key->sk_off + REGFI_REGF_SIZE; |
---|
1472 | max_length = hbin->block_size + hbin->file_off - off; |
---|
1473 | ret_val = regfi_parse_sk(i->f, off, max_length, true); |
---|
1474 | if(ret_val == NULL) |
---|
1475 | return NULL; |
---|
1476 | |
---|
1477 | ret_val->sk_off = i->cur_key->sk_off; |
---|
1478 | lru_cache_update(i->sk_recs, &i->cur_key->sk_off, 4, ret_val); |
---|
1479 | } |
---|
1480 | |
---|
1481 | return ret_val; |
---|
1482 | } |
---|
1483 | |
---|
1484 | |
---|
1485 | |
---|
1486 | /****************************************************************************** |
---|
1487 | *****************************************************************************/ |
---|
1488 | const REGFI_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i) |
---|
1489 | { |
---|
1490 | i->cur_subkey = 0; |
---|
1491 | return regfi_iterator_cur_subkey(i); |
---|
1492 | } |
---|
1493 | |
---|
1494 | |
---|
1495 | /****************************************************************************** |
---|
1496 | *****************************************************************************/ |
---|
1497 | const REGFI_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i) |
---|
1498 | { |
---|
1499 | uint32 nk_offset; |
---|
1500 | |
---|
1501 | /* see if there is anything left to report */ |
---|
1502 | if (!(i->cur_key) || (i->cur_key->subkeys_off==REGFI_OFFSET_NONE) |
---|
1503 | || (i->cur_subkey >= i->cur_key->num_subkeys)) |
---|
1504 | return NULL; |
---|
1505 | |
---|
1506 | nk_offset = i->cur_key->subkeys->elements[i->cur_subkey].nk_off; |
---|
1507 | |
---|
1508 | return regfi_load_key(i->f, nk_offset+REGFI_REGF_SIZE, true); |
---|
1509 | } |
---|
1510 | |
---|
1511 | |
---|
1512 | /****************************************************************************** |
---|
1513 | *****************************************************************************/ |
---|
1514 | /* XXX: some way of indicating reason for failure should be added. */ |
---|
1515 | const REGFI_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i) |
---|
1516 | { |
---|
1517 | const REGFI_NK_REC* subkey; |
---|
1518 | |
---|
1519 | i->cur_subkey++; |
---|
1520 | subkey = regfi_iterator_cur_subkey(i); |
---|
1521 | |
---|
1522 | if(subkey == NULL) |
---|
1523 | i->cur_subkey--; |
---|
1524 | |
---|
1525 | return subkey; |
---|
1526 | } |
---|
1527 | |
---|
1528 | |
---|
1529 | /****************************************************************************** |
---|
1530 | *****************************************************************************/ |
---|
1531 | bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name) |
---|
1532 | { |
---|
1533 | const REGFI_VK_REC* cur; |
---|
1534 | bool found = false; |
---|
1535 | |
---|
1536 | /* XXX: cur->valuename can be NULL in the registry. |
---|
1537 | * Should we allow for a way to search for that? |
---|
1538 | */ |
---|
1539 | if(value_name == NULL) |
---|
1540 | return false; |
---|
1541 | |
---|
1542 | cur = regfi_iterator_first_value(i); |
---|
1543 | while((cur != NULL) && (found == false)) |
---|
1544 | { |
---|
1545 | if((cur->valuename != NULL) |
---|
1546 | && (strcasecmp(cur->valuename, value_name) == 0)) |
---|
1547 | found = true; |
---|
1548 | else |
---|
1549 | cur = regfi_iterator_next_value(i); |
---|
1550 | } |
---|
1551 | |
---|
1552 | return found; |
---|
1553 | } |
---|
1554 | |
---|
1555 | |
---|
1556 | /****************************************************************************** |
---|
1557 | *****************************************************************************/ |
---|
1558 | const REGFI_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i) |
---|
1559 | { |
---|
1560 | i->cur_value = 0; |
---|
1561 | return regfi_iterator_cur_value(i); |
---|
1562 | } |
---|
1563 | |
---|
1564 | |
---|
1565 | /****************************************************************************** |
---|
1566 | *****************************************************************************/ |
---|
1567 | const REGFI_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i) |
---|
1568 | { |
---|
1569 | REGFI_VK_REC* ret_val = NULL; |
---|
1570 | if(i->cur_value < i->cur_key->num_values) |
---|
1571 | ret_val = i->cur_key->values[i->cur_value]; |
---|
1572 | |
---|
1573 | return ret_val; |
---|
1574 | } |
---|
1575 | |
---|
1576 | |
---|
1577 | /****************************************************************************** |
---|
1578 | *****************************************************************************/ |
---|
1579 | const REGFI_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i) |
---|
1580 | { |
---|
1581 | const REGFI_VK_REC* ret_val; |
---|
1582 | |
---|
1583 | i->cur_value++; |
---|
1584 | ret_val = regfi_iterator_cur_value(i); |
---|
1585 | if(ret_val == NULL) |
---|
1586 | i->cur_value--; |
---|
1587 | |
---|
1588 | return ret_val; |
---|
1589 | } |
---|
1590 | |
---|
1591 | |
---|
1592 | |
---|
1593 | /******************************************************************* |
---|
1594 | * Computes the checksum of the registry file header. |
---|
1595 | * buffer must be at least the size of an regf header (4096 bytes). |
---|
1596 | *******************************************************************/ |
---|
1597 | static uint32 regfi_compute_header_checksum(uint8* buffer) |
---|
1598 | { |
---|
1599 | uint32 checksum, x; |
---|
1600 | int i; |
---|
1601 | |
---|
1602 | /* XOR of all bytes 0x0000 - 0x01FB */ |
---|
1603 | |
---|
1604 | checksum = x = 0; |
---|
1605 | |
---|
1606 | for ( i=0; i<0x01FB; i+=4 ) { |
---|
1607 | x = IVAL(buffer, i ); |
---|
1608 | checksum ^= x; |
---|
1609 | } |
---|
1610 | |
---|
1611 | return checksum; |
---|
1612 | } |
---|
1613 | |
---|
1614 | |
---|
1615 | /******************************************************************* |
---|
1616 | * XXX: Add way to return more detailed error information. |
---|
1617 | *******************************************************************/ |
---|
1618 | REGFI_FILE* regfi_parse_regf(int fd, bool strict) |
---|
1619 | { |
---|
1620 | uint8 file_header[REGFI_REGF_SIZE]; |
---|
1621 | uint32 length; |
---|
1622 | REGFI_FILE* ret_val; |
---|
1623 | |
---|
1624 | ret_val = (REGFI_FILE*)zalloc(sizeof(REGFI_FILE)); |
---|
1625 | if(ret_val == NULL) |
---|
1626 | return NULL; |
---|
1627 | |
---|
1628 | ret_val->fd = fd; |
---|
1629 | |
---|
1630 | length = REGFI_REGF_SIZE; |
---|
1631 | if((regfi_read(fd, file_header, &length)) != 0 |
---|
1632 | || length != REGFI_REGF_SIZE) |
---|
1633 | { |
---|
1634 | free(ret_val); |
---|
1635 | return NULL; |
---|
1636 | } |
---|
1637 | |
---|
1638 | ret_val->checksum = IVAL(file_header, 0x1FC); |
---|
1639 | ret_val->computed_checksum = regfi_compute_header_checksum(file_header); |
---|
1640 | if (strict && (ret_val->checksum != ret_val->computed_checksum)) |
---|
1641 | { |
---|
1642 | free(ret_val); |
---|
1643 | return NULL; |
---|
1644 | } |
---|
1645 | |
---|
1646 | memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE); |
---|
1647 | if(strict && (memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0)) |
---|
1648 | { |
---|
1649 | free(ret_val); |
---|
1650 | return NULL; |
---|
1651 | } |
---|
1652 | |
---|
1653 | ret_val->unknown1 = IVAL(file_header, 0x4); |
---|
1654 | ret_val->unknown2 = IVAL(file_header, 0x8); |
---|
1655 | |
---|
1656 | ret_val->mtime.low = IVAL(file_header, 0xC); |
---|
1657 | ret_val->mtime.high = IVAL(file_header, 0x10); |
---|
1658 | |
---|
1659 | ret_val->unknown3 = IVAL(file_header, 0x14); |
---|
1660 | ret_val->unknown4 = IVAL(file_header, 0x18); |
---|
1661 | ret_val->unknown5 = IVAL(file_header, 0x1C); |
---|
1662 | ret_val->unknown6 = IVAL(file_header, 0x20); |
---|
1663 | |
---|
1664 | ret_val->data_offset = IVAL(file_header, 0x24); |
---|
1665 | ret_val->last_block = IVAL(file_header, 0x28); |
---|
1666 | |
---|
1667 | ret_val->unknown7 = IVAL(file_header, 0x2C); |
---|
1668 | |
---|
1669 | return ret_val; |
---|
1670 | } |
---|
1671 | |
---|
1672 | |
---|
1673 | |
---|
1674 | /******************************************************************* |
---|
1675 | * Given real file offset, read and parse the hbin at that location |
---|
1676 | * along with it's associated cells. |
---|
1677 | *******************************************************************/ |
---|
1678 | /* XXX: Need a way to return types of errors. |
---|
1679 | */ |
---|
1680 | REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32 offset, bool strict) |
---|
1681 | { |
---|
1682 | REGFI_HBIN *hbin; |
---|
1683 | uint8 hbin_header[REGFI_HBIN_HEADER_SIZE]; |
---|
1684 | uint32 length; |
---|
1685 | |
---|
1686 | if(offset >= file->file_length) |
---|
1687 | return NULL; |
---|
1688 | |
---|
1689 | if(lseek(file->fd, offset, SEEK_SET) == -1) |
---|
1690 | { |
---|
1691 | regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed" |
---|
1692 | " while parsing hbin at offset 0x%.8X.", offset); |
---|
1693 | return NULL; |
---|
1694 | } |
---|
1695 | |
---|
1696 | length = REGFI_HBIN_HEADER_SIZE; |
---|
1697 | if((regfi_read(file->fd, hbin_header, &length) != 0) |
---|
1698 | || length != REGFI_HBIN_HEADER_SIZE) |
---|
1699 | return NULL; |
---|
1700 | |
---|
1701 | if(lseek(file->fd, offset, SEEK_SET) == -1) |
---|
1702 | { |
---|
1703 | regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed" |
---|
1704 | " while parsing hbin at offset 0x%.8X.", offset); |
---|
1705 | return NULL; |
---|
1706 | } |
---|
1707 | |
---|
1708 | if(!(hbin = (REGFI_HBIN*)zalloc(sizeof(REGFI_HBIN)))) |
---|
1709 | return NULL; |
---|
1710 | hbin->file_off = offset; |
---|
1711 | |
---|
1712 | memcpy(hbin->magic, hbin_header, 4); |
---|
1713 | if(strict && (memcmp(hbin->magic, "hbin", 4) != 0)) |
---|
1714 | { |
---|
1715 | regfi_add_message(file, REGFI_MSG_INFO, "Magic number mismatch " |
---|
1716 | "(%.2X %.2X %.2X %.2X) while parsing hbin at offset" |
---|
1717 | " 0x%.8X.", hbin->magic[0], hbin->magic[1], |
---|
1718 | hbin->magic[2], hbin->magic[3], offset); |
---|
1719 | free(hbin); |
---|
1720 | return NULL; |
---|
1721 | } |
---|
1722 | |
---|
1723 | hbin->first_hbin_off = IVAL(hbin_header, 0x4); |
---|
1724 | hbin->block_size = IVAL(hbin_header, 0x8); |
---|
1725 | /* this should be the same thing as hbin->block_size but just in case */ |
---|
1726 | hbin->next_block = IVAL(hbin_header, 0x1C); |
---|
1727 | |
---|
1728 | |
---|
1729 | /* Ensure the block size is a multiple of 0x1000 and doesn't run off |
---|
1730 | * the end of the file. |
---|
1731 | */ |
---|
1732 | /* XXX: This may need to be relaxed for dealing with |
---|
1733 | * partial or corrupt files. |
---|
1734 | */ |
---|
1735 | if((offset + hbin->block_size > file->file_length) |
---|
1736 | || (hbin->block_size & 0xFFFFF000) != hbin->block_size) |
---|
1737 | { |
---|
1738 | regfi_add_message(file, REGFI_MSG_ERROR, "The hbin offset is not aligned" |
---|
1739 | " or runs off the end of the file" |
---|
1740 | " while parsing hbin at offset 0x%.8X.", offset); |
---|
1741 | free(hbin); |
---|
1742 | return NULL; |
---|
1743 | } |
---|
1744 | |
---|
1745 | return hbin; |
---|
1746 | } |
---|
1747 | |
---|
1748 | |
---|
1749 | /******************************************************************* |
---|
1750 | *******************************************************************/ |
---|
1751 | REGFI_NK_REC* regfi_parse_nk(REGFI_FILE* file, uint32 offset, |
---|
1752 | uint32 max_size, bool strict) |
---|
1753 | { |
---|
1754 | uint8 nk_header[REGFI_NK_MIN_LENGTH]; |
---|
1755 | REGFI_HBIN *hbin; |
---|
1756 | REGFI_NK_REC* ret_val; |
---|
1757 | uint32 length,cell_length; |
---|
1758 | uint32 class_offset, class_maxsize; |
---|
1759 | bool unalloc = false; |
---|
1760 | |
---|
1761 | if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH, |
---|
1762 | &cell_length, &unalloc)) |
---|
1763 | { |
---|
1764 | regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header" |
---|
1765 | " while parsing NK record at offset 0x%.8X.", offset); |
---|
1766 | return NULL; |
---|
1767 | } |
---|
1768 | |
---|
1769 | /* A bit of validation before bothering to allocate memory */ |
---|
1770 | if((nk_header[0x0] != 'n') || (nk_header[0x1] != 'k')) |
---|
1771 | { |
---|
1772 | regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing" |
---|
1773 | " NK record at offset 0x%.8X.", offset); |
---|
1774 | return NULL; |
---|
1775 | } |
---|
1776 | |
---|
1777 | ret_val = (REGFI_NK_REC*)zalloc(sizeof(REGFI_NK_REC)); |
---|
1778 | if(ret_val == NULL) |
---|
1779 | { |
---|
1780 | regfi_add_message(file, REGFI_MSG_ERROR, "Failed to allocate memory while" |
---|
1781 | " parsing NK record at offset 0x%.8X.", offset); |
---|
1782 | return NULL; |
---|
1783 | } |
---|
1784 | |
---|
1785 | ret_val->offset = offset; |
---|
1786 | ret_val->cell_size = cell_length; |
---|
1787 | |
---|
1788 | if(ret_val->cell_size > max_size) |
---|
1789 | ret_val->cell_size = max_size & 0xFFFFFFF8; |
---|
1790 | if((ret_val->cell_size < REGFI_NK_MIN_LENGTH) |
---|
1791 | || (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8))) |
---|
1792 | { |
---|
1793 | regfi_add_message(file, REGFI_MSG_ERROR, "A length check failed while" |
---|
1794 | " parsing NK record at offset 0x%.8X.", offset); |
---|
1795 | free(ret_val); |
---|
1796 | return NULL; |
---|
1797 | } |
---|
1798 | |
---|
1799 | ret_val->magic[0] = nk_header[0x0]; |
---|
1800 | ret_val->magic[1] = nk_header[0x1]; |
---|
1801 | ret_val->key_type = SVAL(nk_header, 0x2); |
---|
1802 | if((ret_val->key_type != REGFI_NK_TYPE_NORMALKEY) |
---|
1803 | && (ret_val->key_type != REGFI_NK_TYPE_ROOTKEY1) |
---|
1804 | && (ret_val->key_type != REGFI_NK_TYPE_ROOTKEY2) |
---|
1805 | && (ret_val->key_type != REGFI_NK_TYPE_LINKKEY) |
---|
1806 | && (ret_val->key_type != REGFI_NK_TYPE_UNKNOWN1) |
---|
1807 | && (ret_val->key_type != REGFI_NK_TYPE_UNKNOWN2) |
---|
1808 | && (ret_val->key_type != REGFI_NK_TYPE_UNKNOWN3)) |
---|
1809 | { |
---|
1810 | regfi_add_message(file, REGFI_MSG_WARN, "Unknown key type (0x%.4X) while" |
---|
1811 | " parsing NK record at offset 0x%.8X.", |
---|
1812 | ret_val->key_type, offset); |
---|
1813 | } |
---|
1814 | |
---|
1815 | ret_val->mtime.low = IVAL(nk_header, 0x4); |
---|
1816 | ret_val->mtime.high = IVAL(nk_header, 0x8); |
---|
1817 | /* If the key is unallocated and the MTIME is earlier than Jan 1, 1990 |
---|
1818 | * or later than Jan 1, 2290, we consider this a bad key. This helps |
---|
1819 | * weed out some false positives during deleted data recovery. |
---|
1820 | */ |
---|
1821 | if(unalloc |
---|
1822 | && ((ret_val->mtime.high < REGFI_MTIME_MIN_HIGH |
---|
1823 | && ret_val->mtime.low < REGFI_MTIME_MIN_LOW) |
---|
1824 | || (ret_val->mtime.high > REGFI_MTIME_MAX_HIGH |
---|
1825 | && ret_val->mtime.low > REGFI_MTIME_MAX_LOW))) |
---|
1826 | return NULL; |
---|
1827 | |
---|
1828 | ret_val->unknown1 = IVAL(nk_header, 0xC); |
---|
1829 | ret_val->parent_off = IVAL(nk_header, 0x10); |
---|
1830 | ret_val->num_subkeys = IVAL(nk_header, 0x14); |
---|
1831 | ret_val->unknown2 = IVAL(nk_header, 0x18); |
---|
1832 | ret_val->subkeys_off = IVAL(nk_header, 0x1C); |
---|
1833 | ret_val->unknown3 = IVAL(nk_header, 0x20); |
---|
1834 | ret_val->num_values = IVAL(nk_header, 0x24); |
---|
1835 | ret_val->values_off = IVAL(nk_header, 0x28); |
---|
1836 | ret_val->sk_off = IVAL(nk_header, 0x2C); |
---|
1837 | ret_val->classname_off = IVAL(nk_header, 0x30); |
---|
1838 | |
---|
1839 | ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34); |
---|
1840 | ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38); |
---|
1841 | ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C); |
---|
1842 | ret_val->max_bytes_value = IVAL(nk_header, 0x40); |
---|
1843 | ret_val->unk_index = IVAL(nk_header, 0x44); |
---|
1844 | |
---|
1845 | ret_val->name_length = SVAL(nk_header, 0x48); |
---|
1846 | ret_val->classname_length = SVAL(nk_header, 0x4A); |
---|
1847 | |
---|
1848 | |
---|
1849 | if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size) |
---|
1850 | { |
---|
1851 | if(strict) |
---|
1852 | { |
---|
1853 | regfi_add_message(file, REGFI_MSG_ERROR, "Contents too large for cell" |
---|
1854 | " while parsing NK record at offset 0x%.8X.", offset); |
---|
1855 | free(ret_val); |
---|
1856 | return NULL; |
---|
1857 | } |
---|
1858 | else |
---|
1859 | ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH; |
---|
1860 | } |
---|
1861 | else if (unalloc) |
---|
1862 | { /* Truncate cell_size if it's much larger than the apparent total record length. */ |
---|
1863 | /* Round up to the next multiple of 8 */ |
---|
1864 | length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8; |
---|
1865 | if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH) |
---|
1866 | length+=8; |
---|
1867 | |
---|
1868 | /* If cell_size is still greater, truncate. */ |
---|
1869 | if(length < ret_val->cell_size) |
---|
1870 | ret_val->cell_size = length; |
---|
1871 | } |
---|
1872 | |
---|
1873 | ret_val->keyname = (char*)zalloc(sizeof(char)*(ret_val->name_length+1)); |
---|
1874 | if(ret_val->keyname == NULL) |
---|
1875 | { |
---|
1876 | free(ret_val); |
---|
1877 | return NULL; |
---|
1878 | } |
---|
1879 | |
---|
1880 | /* Don't need to seek, should be at the right offset */ |
---|
1881 | length = ret_val->name_length; |
---|
1882 | if((regfi_read(file->fd, (uint8*)ret_val->keyname, &length) != 0) |
---|
1883 | || length != ret_val->name_length) |
---|
1884 | { |
---|
1885 | regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read key name" |
---|
1886 | " while parsing NK record at offset 0x%.8X.", offset); |
---|
1887 | free(ret_val->keyname); |
---|
1888 | free(ret_val); |
---|
1889 | return NULL; |
---|
1890 | } |
---|
1891 | ret_val->keyname[ret_val->name_length] = '\0'; |
---|
1892 | |
---|
1893 | if(ret_val->classname_off != REGFI_OFFSET_NONE) |
---|
1894 | { |
---|
1895 | hbin = regfi_lookup_hbin(file, ret_val->classname_off); |
---|
1896 | if(hbin) |
---|
1897 | { |
---|
1898 | class_offset = ret_val->classname_off+REGFI_REGF_SIZE; |
---|
1899 | class_maxsize = hbin->block_size + hbin->file_off - class_offset; |
---|
1900 | ret_val->classname |
---|
1901 | = regfi_parse_classname(file, class_offset, &ret_val->classname_length, |
---|
1902 | class_maxsize, strict); |
---|
1903 | } |
---|
1904 | else |
---|
1905 | { |
---|
1906 | ret_val->classname = NULL; |
---|
1907 | regfi_add_message(file, REGFI_MSG_WARN, "Could not find hbin for class" |
---|
1908 | " name while parsing NK record at offset 0x%.8X.", |
---|
1909 | offset); |
---|
1910 | } |
---|
1911 | /* XXX: Should add this back and make it more strict? |
---|
1912 | if(strict && ret_val->classname == NULL) |
---|
1913 | return NULL; |
---|
1914 | */ |
---|
1915 | } |
---|
1916 | |
---|
1917 | return ret_val; |
---|
1918 | } |
---|
1919 | |
---|
1920 | |
---|
1921 | char* regfi_parse_classname(REGFI_FILE* file, uint32 offset, |
---|
1922 | uint16* name_length, uint32 max_size, bool strict) |
---|
1923 | { |
---|
1924 | char* ret_val = NULL; |
---|
1925 | uint32 length; |
---|
1926 | uint32 cell_length; |
---|
1927 | bool unalloc = false; |
---|
1928 | |
---|
1929 | if(*name_length > 0 && offset != REGFI_OFFSET_NONE |
---|
1930 | && offset == (offset & 0xFFFFFFF8)) |
---|
1931 | { |
---|
1932 | if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc)) |
---|
1933 | { |
---|
1934 | regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header" |
---|
1935 | " while parsing class name at offset 0x%.8X.", offset); |
---|
1936 | return NULL; |
---|
1937 | } |
---|
1938 | |
---|
1939 | if((cell_length & 0xFFFFFFF8) != cell_length) |
---|
1940 | { |
---|
1941 | regfi_add_message(file, REGFI_MSG_ERROR, "Cell length not a multiple of 8" |
---|
1942 | " while parsing class name at offset 0x%.8X.", offset); |
---|
1943 | return NULL; |
---|
1944 | } |
---|
1945 | |
---|
1946 | if(cell_length > max_size) |
---|
1947 | { |
---|
1948 | regfi_add_message(file, REGFI_MSG_WARN, "Cell stretches past hbin " |
---|
1949 | "boundary while parsing class name at offset 0x%.8X.", |
---|
1950 | offset); |
---|
1951 | if(strict) |
---|
1952 | return NULL; |
---|
1953 | cell_length = max_size; |
---|
1954 | } |
---|
1955 | |
---|
1956 | if((cell_length - 4) < *name_length) |
---|
1957 | { |
---|
1958 | regfi_add_message(file, REGFI_MSG_WARN, "Class name is larger than" |
---|
1959 | " cell_length while parsing class name at offset" |
---|
1960 | " 0x%.8X.", offset); |
---|
1961 | if(strict) |
---|
1962 | return NULL; |
---|
1963 | *name_length = cell_length - 4; |
---|
1964 | } |
---|
1965 | |
---|
1966 | ret_val = (char*)zalloc(*name_length); |
---|
1967 | if(ret_val != NULL) |
---|
1968 | { |
---|
1969 | length = *name_length; |
---|
1970 | if((regfi_read(file->fd, (uint8*)ret_val, &length) != 0) |
---|
1971 | || length != *name_length) |
---|
1972 | { |
---|
1973 | regfi_add_message(file, REGFI_MSG_ERROR, "Could not read class name" |
---|
1974 | " while parsing class name at offset 0x%.8X.", offset); |
---|
1975 | free(ret_val); |
---|
1976 | return NULL; |
---|
1977 | } |
---|
1978 | } |
---|
1979 | } |
---|
1980 | |
---|
1981 | return ret_val; |
---|
1982 | } |
---|
1983 | |
---|
1984 | |
---|
1985 | /******************************************************************* |
---|
1986 | *******************************************************************/ |
---|
1987 | REGFI_VK_REC* regfi_parse_vk(REGFI_FILE* file, uint32 offset, |
---|
1988 | uint32 max_size, bool strict) |
---|
1989 | { |
---|
1990 | REGFI_VK_REC* ret_val; |
---|
1991 | REGFI_HBIN *hbin; |
---|
1992 | uint8 vk_header[REGFI_VK_MIN_LENGTH]; |
---|
1993 | uint32 raw_data_size, length, cell_length; |
---|
1994 | uint32 data_offset, data_maxsize; |
---|
1995 | bool unalloc = false; |
---|
1996 | |
---|
1997 | if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH, |
---|
1998 | &cell_length, &unalloc)) |
---|
1999 | { |
---|
2000 | regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header" |
---|
2001 | " while parsing VK record at offset 0x%.8X.", offset); |
---|
2002 | return NULL; |
---|
2003 | } |
---|
2004 | |
---|
2005 | ret_val = (REGFI_VK_REC*)zalloc(sizeof(REGFI_VK_REC)); |
---|
2006 | if(ret_val == NULL) |
---|
2007 | return NULL; |
---|
2008 | |
---|
2009 | ret_val->offset = offset; |
---|
2010 | ret_val->cell_size = cell_length; |
---|
2011 | |
---|
2012 | if(ret_val->cell_size > max_size) |
---|
2013 | ret_val->cell_size = max_size & 0xFFFFFFF8; |
---|
2014 | if((ret_val->cell_size < REGFI_VK_MIN_LENGTH) |
---|
2015 | || ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)) |
---|
2016 | { |
---|
2017 | regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size encountered" |
---|
2018 | " while parsing VK record at offset 0x%.8X.", offset); |
---|
2019 | free(ret_val); |
---|
2020 | return NULL; |
---|
2021 | } |
---|
2022 | |
---|
2023 | ret_val->magic[0] = vk_header[0x0]; |
---|
2024 | ret_val->magic[1] = vk_header[0x1]; |
---|
2025 | if((ret_val->magic[0] != 'v') || (ret_val->magic[1] != 'k')) |
---|
2026 | { |
---|
2027 | /* XXX: This does not account for deleted keys under Win2K which |
---|
2028 | * often have this (and the name length) overwritten with |
---|
2029 | * 0xFFFF. |
---|
2030 | */ |
---|
2031 | regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch" |
---|
2032 | " while parsing VK record at offset 0x%.8X.", offset); |
---|
2033 | free(ret_val); |
---|
2034 | return NULL; |
---|
2035 | } |
---|
2036 | |
---|
2037 | ret_val->name_length = SVAL(vk_header, 0x2); |
---|
2038 | raw_data_size = IVAL(vk_header, 0x4); |
---|
2039 | ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET; |
---|
2040 | ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET); |
---|
2041 | ret_val->data_off = IVAL(vk_header, 0x8); |
---|
2042 | ret_val->type = IVAL(vk_header, 0xC); |
---|
2043 | ret_val->flag = SVAL(vk_header, 0x10); |
---|
2044 | ret_val->unknown1 = SVAL(vk_header, 0x12); |
---|
2045 | |
---|
2046 | if(ret_val->flag & REGFI_VK_FLAG_NAME_PRESENT) |
---|
2047 | { |
---|
2048 | if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size) |
---|
2049 | { |
---|
2050 | regfi_add_message(file, REGFI_MSG_WARN, "Name too long for remaining cell" |
---|
2051 | " space while parsing VK record at offset 0x%.8X.", |
---|
2052 | offset); |
---|
2053 | if(strict) |
---|
2054 | { |
---|
2055 | free(ret_val); |
---|
2056 | return NULL; |
---|
2057 | } |
---|
2058 | else |
---|
2059 | ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4; |
---|
2060 | } |
---|
2061 | |
---|
2062 | /* Round up to the next multiple of 8 */ |
---|
2063 | cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8; |
---|
2064 | if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) |
---|
2065 | cell_length+=8; |
---|
2066 | |
---|
2067 | ret_val->valuename = (char*)zalloc(sizeof(char)*(ret_val->name_length+1)); |
---|
2068 | if(ret_val->valuename == NULL) |
---|
2069 | { |
---|
2070 | free(ret_val); |
---|
2071 | return NULL; |
---|
2072 | } |
---|
2073 | |
---|
2074 | length = ret_val->name_length; |
---|
2075 | if((regfi_read(file->fd, (uint8*)ret_val->valuename, &length) != 0) |
---|
2076 | || length != ret_val->name_length) |
---|
2077 | { |
---|
2078 | regfi_add_message(file, REGFI_MSG_ERROR, "Could not read value name" |
---|
2079 | " while parsing VK record at offset 0x%.8X.", offset); |
---|
2080 | free(ret_val->valuename); |
---|
2081 | free(ret_val); |
---|
2082 | return NULL; |
---|
2083 | } |
---|
2084 | ret_val->valuename[ret_val->name_length] = '\0'; |
---|
2085 | |
---|
2086 | } |
---|
2087 | else |
---|
2088 | cell_length = REGFI_VK_MIN_LENGTH + 4; |
---|
2089 | |
---|
2090 | if(unalloc) |
---|
2091 | { |
---|
2092 | /* If cell_size is still greater, truncate. */ |
---|
2093 | if(cell_length < ret_val->cell_size) |
---|
2094 | ret_val->cell_size = cell_length; |
---|
2095 | } |
---|
2096 | |
---|
2097 | if(ret_val->data_size == 0) |
---|
2098 | ret_val->data = NULL; |
---|
2099 | else |
---|
2100 | { |
---|
2101 | if(ret_val->data_in_offset) |
---|
2102 | { |
---|
2103 | ret_val->data = regfi_parse_data(file, ret_val->data_off, |
---|
2104 | raw_data_size, 4, strict); |
---|
2105 | } |
---|
2106 | else |
---|
2107 | { |
---|
2108 | hbin = regfi_lookup_hbin(file, ret_val->data_off); |
---|
2109 | if(hbin) |
---|
2110 | { |
---|
2111 | data_offset = ret_val->data_off+REGFI_REGF_SIZE; |
---|
2112 | data_maxsize = hbin->block_size + hbin->file_off - data_offset; |
---|
2113 | ret_val->data = regfi_parse_data(file, data_offset, raw_data_size, |
---|
2114 | data_maxsize, strict); |
---|
2115 | |
---|
2116 | } |
---|
2117 | else |
---|
2118 | { |
---|
2119 | regfi_add_message(file, REGFI_MSG_WARN, "Could not find hbin for data" |
---|
2120 | " while parsing VK record at offset 0x%.8X.", offset); |
---|
2121 | ret_val->data = NULL; |
---|
2122 | } |
---|
2123 | } |
---|
2124 | |
---|
2125 | if(ret_val->data == NULL) |
---|
2126 | { |
---|
2127 | regfi_add_message(file, REGFI_MSG_WARN, "Could not parse data record" |
---|
2128 | " while parsing VK record at offset 0x%.8X.", offset); |
---|
2129 | } |
---|
2130 | } |
---|
2131 | |
---|
2132 | return ret_val; |
---|
2133 | } |
---|
2134 | |
---|
2135 | |
---|
2136 | uint8* regfi_parse_data(REGFI_FILE* file, uint32 offset, uint32 length, |
---|
2137 | uint32 max_size, bool strict) |
---|
2138 | { |
---|
2139 | uint8* ret_val; |
---|
2140 | uint32 read_length, cell_length; |
---|
2141 | uint8 i; |
---|
2142 | bool unalloc; |
---|
2143 | |
---|
2144 | /* The data is typically stored in the offset if the size <= 4 */ |
---|
2145 | if (length & REGFI_VK_DATA_IN_OFFSET) |
---|
2146 | { |
---|
2147 | length = length & ~REGFI_VK_DATA_IN_OFFSET; |
---|
2148 | if(length > 4) |
---|
2149 | { |
---|
2150 | regfi_add_message(file, REGFI_MSG_ERROR, "Data in offset but length > 4" |
---|
2151 | " while parsing data record at offset 0x%.8X.", |
---|
2152 | offset); |
---|
2153 | return NULL; |
---|
2154 | } |
---|
2155 | |
---|
2156 | if((ret_val = (uint8*)zalloc(sizeof(uint8)*length)) == NULL) |
---|
2157 | return NULL; |
---|
2158 | |
---|
2159 | for(i = 0; i < length; i++) |
---|
2160 | ret_val[i] = (uint8)((offset >> i*8) & 0xFF); |
---|
2161 | } |
---|
2162 | else |
---|
2163 | { |
---|
2164 | if(!regfi_parse_cell(file->fd, offset, NULL, 0, |
---|
2165 | &cell_length, &unalloc)) |
---|
2166 | { |
---|
2167 | regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while" |
---|
2168 | " parsing data record at offset 0x%.8X.", offset); |
---|
2169 | return NULL; |
---|
2170 | } |
---|
2171 | |
---|
2172 | if((cell_length & 0xFFFFFFF8) != cell_length) |
---|
2173 | { |
---|
2174 | regfi_add_message(file, REGFI_MSG_WARN, "Cell length not multiple of 8" |
---|
2175 | " while parsing data record at offset 0x%.8X.", |
---|
2176 | offset); |
---|
2177 | return NULL; |
---|
2178 | } |
---|
2179 | |
---|
2180 | if(cell_length > max_size) |
---|
2181 | { |
---|
2182 | regfi_add_message(file, REGFI_MSG_WARN, "Cell extends past hbin boundary" |
---|
2183 | " while parsing data record at offset 0x%.8X.", |
---|
2184 | offset); |
---|
2185 | if(strict) |
---|
2186 | return NULL; |
---|
2187 | else |
---|
2188 | cell_length = max_size; |
---|
2189 | } |
---|
2190 | |
---|
2191 | if(cell_length - 4 < length) |
---|
2192 | { |
---|
2193 | /* XXX: This strict condition has been triggered in multiple registries. |
---|
2194 | * Not sure the cause, but the data length values are very large, |
---|
2195 | * such as 53392. |
---|
2196 | */ |
---|
2197 | regfi_add_message(file, REGFI_MSG_WARN, "Data length (0x%.8X) larger than" |
---|
2198 | " remaining cell length (0x%.8X)" |
---|
2199 | " while parsing data record at offset 0x%.8X.", |
---|
2200 | length, cell_length - 4, offset); |
---|
2201 | if(strict) |
---|
2202 | return NULL; |
---|
2203 | else |
---|
2204 | length = cell_length - 4; |
---|
2205 | } |
---|
2206 | |
---|
2207 | if((ret_val = (uint8*)zalloc(sizeof(uint8)*length)) == NULL) |
---|
2208 | return NULL; |
---|
2209 | |
---|
2210 | read_length = length; |
---|
2211 | if((regfi_read(file->fd, ret_val, &read_length) != 0) |
---|
2212 | || read_length != length) |
---|
2213 | { |
---|
2214 | regfi_add_message(file, REGFI_MSG_ERROR, "Could not read data block while" |
---|
2215 | " parsing data record at offset 0x%.8X.", offset); |
---|
2216 | free(ret_val); |
---|
2217 | return NULL; |
---|
2218 | } |
---|
2219 | } |
---|
2220 | |
---|
2221 | return ret_val; |
---|
2222 | } |
---|
2223 | |
---|
2224 | |
---|
2225 | range_list* regfi_parse_unalloc_cells(REGFI_FILE* file) |
---|
2226 | { |
---|
2227 | range_list* ret_val; |
---|
2228 | REGFI_HBIN* hbin; |
---|
2229 | const range_list_element* hbins_elem; |
---|
2230 | uint32 i, num_hbins, curr_off, cell_len; |
---|
2231 | bool is_unalloc; |
---|
2232 | |
---|
2233 | ret_val = range_list_new(); |
---|
2234 | if(ret_val == NULL) |
---|
2235 | return NULL; |
---|
2236 | |
---|
2237 | num_hbins = range_list_size(file->hbins); |
---|
2238 | for(i=0; i<num_hbins; i++) |
---|
2239 | { |
---|
2240 | hbins_elem = range_list_get(file->hbins, i); |
---|
2241 | if(hbins_elem == NULL) |
---|
2242 | break; |
---|
2243 | hbin = (REGFI_HBIN*)hbins_elem->data; |
---|
2244 | |
---|
2245 | curr_off = REGFI_HBIN_HEADER_SIZE; |
---|
2246 | while(curr_off < hbin->block_size) |
---|
2247 | { |
---|
2248 | if(!regfi_parse_cell(file->fd, hbin->file_off+curr_off, NULL, 0, |
---|
2249 | &cell_len, &is_unalloc)) |
---|
2250 | break; |
---|
2251 | |
---|
2252 | if((cell_len == 0) || ((cell_len & 0xFFFFFFF8) != cell_len)) |
---|
2253 | /* XXX: should report an error here. */ |
---|
2254 | break; |
---|
2255 | |
---|
2256 | /* for some reason the record_size of the last record in |
---|
2257 | an hbin block can extend past the end of the block |
---|
2258 | even though the record fits within the remaining |
---|
2259 | space....aaarrrgggghhhhhh */ |
---|
2260 | if(curr_off + cell_len >= hbin->block_size) |
---|
2261 | cell_len = hbin->block_size - curr_off; |
---|
2262 | |
---|
2263 | if(is_unalloc) |
---|
2264 | range_list_add(ret_val, hbin->file_off+curr_off, |
---|
2265 | cell_len, NULL); |
---|
2266 | |
---|
2267 | curr_off = curr_off+cell_len; |
---|
2268 | } |
---|
2269 | } |
---|
2270 | |
---|
2271 | return ret_val; |
---|
2272 | } |
---|