Context Navigation

source: trunk/lib/regfi.c @ 106

Last change on this file since 106 was 106, checked in by tim, 16 years ago
replaced linked list hbin lookup with range_list based binary search
Property svn:keywords set to `Id`
File size: 45.0 KB

Line
1	/*
2	* Branched from Samba project Subversion repository, version #7470:
3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
4	*
5	* Unix SMB/CIFS implementation.
6	* Windows NT registry I/O library
7	*
8	* Copyright (C) 2005-2008 Timothy D. Morgan
9	* Copyright (C) 2005 Gerald (Jerry) Carter
10	*
11	* This program is free software; you can redistribute it and/or modify
12	* it under the terms of the GNU General Public License as published by
13	* the Free Software Foundation; version 2 of the License.
14	*
15	* This program is distributed in the hope that it will be useful,
16	* but WITHOUT ANY WARRANTY; without even the implied warranty of
17	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	* GNU General Public License for more details.
19	*
20	* You should have received a copy of the GNU General Public License
21	* along with this program; if not, write to the Free Software
22	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23	*
24	* $Id: regfi.c 106 2008-04-18 04:16:51Z tim $
25	*/
26
27	#include "../include/regfi.h"
28
29
30	/* Registry types mapping */
31	const unsigned int regfi_num_reg_types = 12;
32	static const char* regfi_type_names[] =
33	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
34	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
35
36
37	/* Returns NULL on error */
38	const char* regfi_type_val2str(unsigned int val)
39	{
40	if(val == REG_KEY)
41	return "KEY";
42
43	if(val >= regfi_num_reg_types)
44	return NULL;
45
46	return regfi_type_names[val];
47	}
48
49
50	/* Returns -1 on error */
51	int regfi_type_str2val(const char* str)
52	{
53	int i;
54
55	if(strcmp("KEY", str) == 0)
56	return REG_KEY;
57
58	for(i=0; i < regfi_num_reg_types; i++)
59	if (strcmp(regfi_type_names[i], str) == 0)
60	return i;
61
62	if(strcmp("DWORD_LE", str) == 0)
63	return REG_DWORD_LE;
64
65	return -1;
66	}
67
68
69	/* Security descriptor parsing functions */
70
71	const char* regfi_ace_type2str(uint8 type)
72	{
73	static const char* map[7]
74	= {"ALLOW", "DENY", "AUDIT", "ALARM",
75	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
76	if(type < 7)
77	return map[type];
78	else
79	/* XXX: would be nice to return the unknown integer value.
80	* However, as it is a const string, it can't be free()ed later on,
81	* so that would need to change.
82	*/
83	return "UNKNOWN";
84	}
85
86
87	/* XXX: need a better reference on the meaning of each flag. */
88	/* For more info, see:
89	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
90	*/
91	char* regfi_ace_flags2str(uint8 flags)
92	{
93	static const char* flag_map[32] =
94	{ "OI", /* Object Inherit */
95	"CI", /* Container Inherit */
96	"NP", /* Non-Propagate */
97	"IO", /* Inherit Only */
98	"IA", /* Inherited ACE */
99	NULL,
100	NULL,
101	NULL,
102	};
103
104	char* ret_val = malloc(35*sizeof(char));
105	char* fo = ret_val;
106	uint32 i;
107	uint8 f;
108
109	if(ret_val == NULL)
110	return NULL;
111
112	fo[0] = '\0';
113	if (!flags)
114	return ret_val;
115
116	for(i=0; i < 8; i++)
117	{
118	f = (1<<i);
119	if((flags & f) && (flag_map[i] != NULL))
120	{
121	strcpy(fo, flag_map[i]);
122	fo += strlen(flag_map[i]);
123	*(fo++) = ' ';
124	flags ^= f;
125	}
126	}
127
128	/* Any remaining unknown flags are added at the end in hex. */
129	if(flags != 0)
130	sprintf(fo, "0x%.2X ", flags);
131
132	/* Chop off the last space if we've written anything to ret_val */
133	if(fo != ret_val)
134	fo[-1] = '\0';
135
136	/* XXX: what was this old VI flag for??
137	XXX: Is this check right? 0xF == 1\|2\|4\|8, which makes it redundant...
138	if (flags == 0xF) {
139	if (some) strcat(flg_output, " ");
140	some = 1;
141	strcat(flg_output, "VI");
142	}
143	*/
144
145	return ret_val;
146	}
147
148
149	char* regfi_ace_perms2str(uint32 perms)
150	{
151	uint32 i, p;
152	/* This is more than is needed by a fair margin. */
153	char* ret_val = malloc(350*sizeof(char));
154	char* r = ret_val;
155
156	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
157	* For more information, see:
158	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
159	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
160	*/
161	static const char* perm_map[32] =
162	{/* object-specific permissions (registry keys, in this case) */
163	"QRY_VAL", /* KEY_QUERY_VALUE */
164	"SET_VAL", /* KEY_SET_VALUE */
165	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
166	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
167	"NOTIFY", /* KEY_NOTIFY */
168	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
169	NULL,
170	NULL,
171	"WOW64_64", /* KEY_WOW64_64KEY */
172	"WOW64_32", /* KEY_WOW64_32KEY */
173	NULL,
174	NULL,
175	NULL,
176	NULL,
177	NULL,
178	NULL,
179	/* standard access rights */
180	"DELETE", /* DELETE */
181	"R_CONT", /* READ_CONTROL */
182	"W_DAC", /* WRITE_DAC */
183	"W_OWNER", /* WRITE_OWNER */
184	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
185	NULL,
186	NULL,
187	NULL,
188	/* other generic */
189	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
190	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
191	NULL,
192	NULL,
193	"GEN_A", /* GENERIC_ALL */
194	"GEN_X", /* GENERIC_EXECUTE */
195	"GEN_W", /* GENERIC_WRITE */
196	"GEN_R", /* GENERIC_READ */
197	};
198
199
200	if(ret_val == NULL)
201	return NULL;
202
203	r[0] = '\0';
204	for(i=0; i < 32; i++)
205	{
206	p = (1<<i);
207	if((perms & p) && (perm_map[i] != NULL))
208	{
209	strcpy(r, perm_map[i]);
210	r += strlen(perm_map[i]);
211	*(r++) = ' ';
212	perms ^= p;
213	}
214	}
215
216	/* Any remaining unknown permission bits are added at the end in hex. */
217	if(perms != 0)
218	sprintf(r, "0x%.8X ", perms);
219
220	/* Chop off the last space if we've written anything to ret_val */
221	if(r != ret_val)
222	r[-1] = '\0';
223
224	return ret_val;
225	}
226
227
228	char* regfi_sid2str(DOM_SID* sid)
229	{
230	uint32 i, size = MAXSUBAUTHS*11 + 24;
231	uint32 left = size;
232	uint8 comps = sid->num_auths;
233	char* ret_val = malloc(size);
234
235	if(ret_val == NULL)
236	return NULL;
237
238	if(comps > MAXSUBAUTHS)
239	comps = MAXSUBAUTHS;
240
241	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
242
243	for (i = 0; i < comps; i++)
244	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
245
246	return ret_val;
247	}
248
249
250	char* regfi_get_acl(SEC_ACL* acl)
251	{
252	uint32 i, extra, size = 0;
253	const char* type_str;
254	char* flags_str;
255	char* perms_str;
256	char* sid_str;
257	char* ace_delim = "";
258	char* ret_val = NULL;
259	char* tmp_val = NULL;
260	bool failed = false;
261	char field_delim = ':';
262
263	for (i = 0; i < acl->num_aces && !failed; i++)
264	{
265	sid_str = regfi_sid2str(&acl->ace[i].trustee);
266	type_str = regfi_ace_type2str(acl->ace[i].type);
267	perms_str = regfi_ace_perms2str(acl->ace[i].info.mask);
268	flags_str = regfi_ace_flags2str(acl->ace[i].flags);
269
270	if(flags_str != NULL && perms_str != NULL
271	&& type_str != NULL && sid_str != NULL)
272	{
273	/* XXX: this is slow */
274	extra = strlen(sid_str) + strlen(type_str)
275	+ strlen(perms_str) + strlen(flags_str)+5;
276	tmp_val = realloc(ret_val, size+extra);
277
278	if(tmp_val == NULL)
279	{
280	free(ret_val);
281	failed = true;
282	}
283	else
284	{
285	ret_val = tmp_val;
286	size += snprintf(ret_val+size, extra, "%s%s%c%s%c%s%c%s",
287	ace_delim,sid_str,
288	field_delim,type_str,
289	field_delim,perms_str,
290	field_delim,flags_str);
291	ace_delim = "\|";
292	}
293	}
294	else
295	failed = true;
296
297	if(sid_str != NULL)
298	free(sid_str);
299	if(sid_str != NULL)
300	free(perms_str);
301	if(sid_str != NULL)
302	free(flags_str);
303	}
304
305	return ret_val;
306	}
307
308
309	char* regfi_get_sacl(SEC_DESC *sec_desc)
310	{
311	if (sec_desc->sacl)
312	return regfi_get_acl(sec_desc->sacl);
313	else
314	return NULL;
315	}
316
317
318	char* regfi_get_dacl(SEC_DESC *sec_desc)
319	{
320	if (sec_desc->dacl)
321	return regfi_get_acl(sec_desc->dacl);
322	else
323	return NULL;
324	}
325
326
327	char* regfi_get_owner(SEC_DESC *sec_desc)
328	{
329	return regfi_sid2str(sec_desc->owner_sid);
330	}
331
332
333	char* regfi_get_group(SEC_DESC *sec_desc)
334	{
335	return regfi_sid2str(sec_desc->grp_sid);
336	}
337
338
339	/*****************************************************************************
340	* This function is just like read(2), except that it continues to
341	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
342	* regfi_read will attempt to read length bytes from fd and write them to buf.
343	*
344	* On success, 0 is returned. Upon failure, an errno code is returned.
345	*
346	* The number of bytes successfully read is returned through the length
347	* parameter by reference. If both the return value and length parameter are
348	* returned as 0, then EOF was encountered immediately
349	*****************************************************************************/
350	uint32 regfi_read(int fd, uint8* buf, uint32* length)
351	{
352	uint32 rsize = 0;
353	uint32 rret = 0;
354
355	do
356	{
357	rret = read(fd, buf + rsize, *length - rsize);
358	if(rret > 0)
359	rsize += rret;
360	}while(*length - rsize > 0
361	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
362
363	*length = rsize;
364	if (rret == -1 && errno != EINTR && errno != EAGAIN)
365	return errno;
366
367	return 0;
368	}
369
370
371	/*****************************************************************************
372	*
373	*****************************************************************************/
374	static bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len,
375	uint32* cell_length, bool* unalloc)
376	{
377	uint32 length;
378	int32 raw_length;
379	uint8 tmp[4];
380
381	if(lseek(fd, offset, SEEK_SET) == -1)
382	return false;
383
384	length = 4;
385	if((regfi_read(fd, tmp, &length) != 0) \|\| length != 4)
386	return false;
387	raw_length = IVALS(tmp, 0);
388
389	if(raw_length < 0)
390	{
391	(cell_length) = raw_length(-1);
392	(*unalloc) = false;
393	}
394	else
395	{
396	(*cell_length) = raw_length;
397	(*unalloc) = true;
398	}
399
400	if(*cell_length - 4 < hdr_len)
401	return false;
402
403	if(hdr_len > 0)
404	{
405	length = hdr_len;
406	if((regfi_read(fd, hdr, &length) != 0) \|\| length != hdr_len)
407	return false;
408	}
409
410	return true;
411	}
412
413
414	/*******************************************************************
415	* Given an offset and an hbin, is the offset within that hbin?
416	* The offset is a virtual file offset.
417	*******************************************************************/
418	static bool regfi_offset_in_hbin(REGF_HBIN* hbin, uint32 offset)
419	{
420	if(!hbin)
421	return false;
422
423	if((offset > hbin->first_hbin_off)
424	&& (offset < (hbin->first_hbin_off + hbin->block_size)))
425	return true;
426
427	return false;
428	}
429
430
431
432	/*******************************************************************
433	* Given a virtual offset, and receive the correpsonding HBIN
434	* block for it. NULL if one doesn't exist.
435	*******************************************************************/
436	static REGF_HBIN* regfi_lookup_hbin(REGF_FILE* file, uint32 offset)
437	{
438	return (REGF_HBIN*)range_list_find_data(file->hbins, offset+REGF_BLOCKSIZE);
439	}
440
441
442
443	/*******************************************************************
444	TODO: not currently validating against max_size
445	*******************************************************************/
446	REGF_HASH_LIST* regfi_load_hashlist(REGF_FILE* file, uint32 offset,
447	uint32 num_keys, uint32 max_size,
448	bool strict)
449	{
450	REGF_HASH_LIST* ret_val;
451	uint32 i, cell_length, length;
452	uint8* hashes;
453	uint8 buf[REGFI_HASH_LIST_MIN_LENGTH];
454	bool unalloc;
455
456	if(!regfi_parse_cell(file->fd, offset, buf, REGFI_HASH_LIST_MIN_LENGTH,
457	&cell_length, &unalloc))
458	return NULL;
459
460	ret_val = (REGF_HASH_LIST*)zalloc(sizeof(REGF_HASH_LIST));
461	if(ret_val == NULL)
462	return NULL;
463
464	ret_val->offset = offset;
465	ret_val->cell_size = cell_length;
466
467	if((buf[0] != 'l' \|\| buf[1] != 'f') && (buf[0] != 'l' \|\| buf[1] != 'h')
468	&& (buf[0] != 'r' \|\| buf[1] != 'i'))
469	{
470	/printf("DEBUG: lf->header=%c%c\n", buf[0], buf[1]);/
471	free(ret_val);
472	return NULL;
473	}
474
475	if(buf[0] == 'r' && buf[1] == 'i')
476	{
477	fprintf(stderr, "WARNING: ignoring encountered \"ri\" record.\n");
478	free(ret_val);
479	return NULL;
480	}
481
482	ret_val->magic[0] = buf[0];
483	ret_val->magic[1] = buf[1];
484
485	ret_val->num_keys = SVAL(buf, 0x2);
486	if(num_keys != ret_val->num_keys)
487	{
488	if(strict)
489	{
490	free(ret_val);
491	return NULL;
492	}
493	/* TODO: Not sure which should be authoritative, the number from the
494	* NK record, or the number in the hash list. Go with the larger
495	* of the two to ensure all keys are found. Note the length checks
496	* on the cell later ensure that there won't be any critical errors.
497	*/
498	if(num_keys < ret_val->num_keys)
499	num_keys = ret_val->num_keys;
500	else
501	ret_val->num_keys = num_keys;
502	}
503
504	if(cell_length - REGFI_HASH_LIST_MIN_LENGTH - sizeof(uint32)
505	< ret_val->num_keys*sizeof(REGF_HASH_LIST_ELEM))
506	return NULL;
507
508	length = sizeof(REGF_HASH_LIST_ELEM)*ret_val->num_keys;
509	ret_val->hashes = (REGF_HASH_LIST_ELEM*)zalloc(length);
510	if(ret_val->hashes == NULL)
511	{
512	free(ret_val);
513	return NULL;
514	}
515
516	hashes = (uint8*)zalloc(length);
517	if(hashes == NULL)
518	{
519	free(ret_val->hashes);
520	free(ret_val);
521	return NULL;
522	}
523
524	if(regfi_read(file->fd, hashes, &length) != 0
525	\|\| length != sizeof(REGF_HASH_LIST_ELEM)*ret_val->num_keys)
526	{
527	free(ret_val->hashes);
528	free(ret_val);
529	return NULL;
530	}
531
532	for (i=0; i < ret_val->num_keys; i++)
533	{
534	ret_val->hashes[i].nk_off = IVAL(hashes, i*sizeof(REGF_HASH_LIST_ELEM));
535	ret_val->hashes[i].hash = IVAL(hashes, i*sizeof(REGF_HASH_LIST_ELEM)+4);
536	}
537	free(hashes);
538
539	return ret_val;
540	}
541
542
543
544	/*******************************************************************
545	*******************************************************************/
546	REGF_SK_REC* regfi_parse_sk(REGF_FILE* file, uint32 offset, uint32 max_size, bool strict)
547	{
548	REGF_SK_REC* ret_val;
549	uint32 cell_length, length;
550	prs_struct ps;
551	uint8 sk_header[REGFI_SK_MIN_LENGTH];
552	bool unalloc = false;
553
554
555	if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH,
556	&cell_length, &unalloc))
557	return NULL;
558
559	if(sk_header[0] != 's' \|\| sk_header[1] != 'k')
560	return NULL;
561
562	ret_val = (REGF_SK_REC*)zalloc(sizeof(REGF_SK_REC));
563	if(ret_val == NULL)
564	return NULL;
565
566	ret_val->offset = offset;
567	ret_val->cell_size = cell_length;
568
569	if(ret_val->cell_size > max_size)
570	ret_val->cell_size = max_size & 0xFFFFFFF8;
571	if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
572	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
573	{
574	free(ret_val);
575	return NULL;
576	}
577
578
579	ret_val->magic[0] = sk_header[0];
580	ret_val->magic[1] = sk_header[1];
581
582	ret_val->unknown_tag = SVAL(sk_header, 0x2);
583	ret_val->prev_sk_off = IVAL(sk_header, 0x4);
584	ret_val->next_sk_off = IVAL(sk_header, 0x8);
585	ret_val->ref_count = IVAL(sk_header, 0xC);
586	ret_val->desc_size = IVAL(sk_header, 0x10);
587
588	if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
589	{
590	free(ret_val);
591	return NULL;
592	}
593
594	/* TODO: need to get rid of this, but currently the security descriptor
595	* code depends on the ps structure.
596	*/
597	if(!prs_init(&ps, ret_val->desc_size, NULL, UNMARSHALL))
598	{
599	free(ret_val);
600	return NULL;
601	}
602
603	length = ret_val->desc_size;
604	if(regfi_read(file->fd, (uint8*)ps.data_p, &length) != 0
605	\|\| length != ret_val->desc_size)
606	{
607	free(ret_val);
608	return NULL;
609	}
610
611	if (!sec_io_desc("sec_desc", &ret_val->sec_desc, &ps, 0))
612	{
613	free(ret_val);
614	return NULL;
615	}
616
617	free(ps.data_p);
618
619	return ret_val;
620	}
621
622
623
624	/******************************************************************************
625	TODO: not currently validating against max_size.
626	******************************************************************************/
627	REGF_VK_REC** regfi_load_valuelist(REGF_FILE* file, uint32 offset,
628	uint32 num_values, uint32 max_size,
629	bool strict)
630	{
631	REGF_VK_REC** ret_val;
632	REGF_HBIN* sub_hbin;
633	uint8* buf;
634	uint32 i, cell_length, vk_raw_offset, vk_offset, vk_max_length, buf_len;
635	bool unalloc;
636
637	buf_len = sizeof(uint8) * 4 * num_values;
638	buf = (uint8*)zalloc(buf_len);
639	if(buf == NULL)
640	return NULL;
641
642	if(!regfi_parse_cell(file->fd, offset, buf, buf_len, &cell_length, &unalloc))
643	{
644	free(buf);
645	return NULL;
646	}
647
648	ret_val = (REGF_VK_REC*)zalloc(sizeof(REGF_VK_REC) * num_values);
649	if(ret_val == NULL)
650	{
651	free(buf);
652	return NULL;
653	}
654
655	for (i=0; i < num_values; i++)
656	{
657	vk_raw_offset = IVAL(buf, i*4);
658
659	sub_hbin = regfi_lookup_hbin(file, vk_raw_offset);
660	if (!sub_hbin)
661	{
662	free(buf);
663	free(ret_val);
664	return NULL;
665	}
666
667	vk_offset = vk_raw_offset + REGF_BLOCKSIZE;
668	vk_max_length = sub_hbin->block_size - vk_offset + sizeof(uint32);
669	ret_val[i] = regfi_parse_vk(file, vk_offset, vk_max_length, true);
670	if(ret_val[i] == NULL)
671	{
672	free(buf);
673	free(ret_val);
674	return NULL;
675	}
676	}
677
678	free(buf);
679	return ret_val;
680	}
681
682
683	/*******************************************************************
684	*******************************************************************/
685	static REGF_SK_REC* find_sk_record_by_offset( REGF_FILE *file, uint32 offset )
686	{
687	REGF_SK_REC *p_sk;
688
689	for ( p_sk=file->sec_desc_list; p_sk; p_sk=p_sk->next ) {
690	if ( p_sk->sk_off == offset )
691	return p_sk;
692	}
693
694	return NULL;
695	}
696
697
698	/*******************************************************************
699	*******************************************************************/
700	static REGF_SK_REC* find_sk_record_by_sec_desc( REGF_FILE file, SEC_DESC sd )
701	{
702	REGF_SK_REC *p;
703
704	for ( p=file->sec_desc_list; p; p=p->next ) {
705	if ( sec_desc_equal( p->sec_desc, sd ) )
706	return p;
707	}
708
709	/* failure */
710
711	return NULL;
712	}
713
714
715	/*******************************************************************
716	* TODO: Need to add full key and SK record caching using a
717	* custom cache structure.
718	*******************************************************************/
719	REGF_NK_REC* regfi_load_key(REGF_FILE *file, uint32 offset, bool strict)
720	{
721	REGF_HBIN* hbin;
722	REGF_HBIN* sub_hbin;
723	REGF_NK_REC* nk;
724	uint32 max_length, off;
725
726	hbin = regfi_lookup_hbin(file, offset-REGF_BLOCKSIZE);
727	if (hbin == NULL)
728	return NULL;
729
730	/* get the initial nk record */
731	max_length = hbin->block_size + hbin->file_off - offset;
732	if ((nk = regfi_parse_nk(file, offset, max_length, true)) == NULL)
733	return NULL;
734
735	/* fill in values */
736	if(nk->num_values && (nk->values_off!=REGF_OFFSET_NONE))
737	{
738	sub_hbin = hbin;
739	if(!regfi_offset_in_hbin(hbin, nk->values_off))
740	sub_hbin = regfi_lookup_hbin(file, nk->values_off);
741
742	if(sub_hbin == NULL)
743	{
744	if(strict)
745	{
746	free(nk);
747	return NULL;
748	}
749	else
750	nk->values = NULL;
751	}
752	else
753	{
754	off = nk->values_off + REGF_BLOCKSIZE;
755	max_length = sub_hbin->block_size + sub_hbin->file_off - off;
756	nk->values = regfi_load_valuelist(file, off, nk->num_values, max_length,
757	true);
758	if(strict && nk->values == NULL)
759	{
760	free(nk);
761	return NULL;
762	}
763	}
764	}
765
766	/* now get subkeys */
767	if(nk->num_subkeys && (nk->subkeys_off != REGF_OFFSET_NONE))
768	{
769	sub_hbin = hbin;
770	if(!regfi_offset_in_hbin(hbin, nk->subkeys_off))
771	sub_hbin = regfi_lookup_hbin(file, nk->subkeys_off);
772
773	if (sub_hbin == NULL)
774	{
775	if(strict)
776	{
777	free(nk);
778	/* TODO: need convenient way to free nk->values deeply in all cases. */
779	return NULL;
780	}
781	else
782	nk->subkeys = NULL;
783	}
784	else
785	{
786	off = nk->subkeys_off + REGF_BLOCKSIZE;
787	max_length = sub_hbin->block_size + sub_hbin->file_off - off;
788	nk->subkeys = regfi_load_hashlist(file, off, nk->num_subkeys,
789	max_length, true);
790	if(nk->subkeys == NULL)
791	{
792	/* TODO: temporary hack to get around 'ri' records */
793	nk->num_subkeys = 0;
794	}
795	}
796	}
797
798	/* get the security descriptor. First look if we have already parsed it */
799	if((nk->sk_off!=REGF_OFFSET_NONE)
800	&& !(nk->sec_desc = find_sk_record_by_offset( file, nk->sk_off )))
801	{
802	sub_hbin = hbin;
803	if(!regfi_offset_in_hbin(hbin, nk->sk_off))
804	sub_hbin = regfi_lookup_hbin(file, nk->sk_off);
805
806	if(sub_hbin == NULL)
807	{
808	free(nk);
809	/* TODO: need convenient way to free nk->values and nk->subkeys deeply
810	* in all cases.
811	*/
812	return NULL;
813	}
814
815	off = nk->sk_off + REGF_BLOCKSIZE;
816	max_length = sub_hbin->block_size + sub_hbin->file_off - off;
817	nk->sec_desc = regfi_parse_sk(file, off, max_length, true);
818	if(strict && nk->sec_desc == NULL)
819	{
820	free(nk);
821	/* TODO: need convenient way to free nk->values and nk->subkeys deeply
822	* in all cases.
823	*/
824	return NULL;
825	}
826	nk->sec_desc->sk_off = nk->sk_off;
827
828	/* add to the list of security descriptors (ref_count has been read from the files) */
829	/* XXX: this kind of caching needs to be re-evaluated */
830	DLIST_ADD( file->sec_desc_list, nk->sec_desc );
831	}
832
833	return nk;
834	}
835
836
837	/******************************************************************************
838
839	******************************************************************************/
840	static bool regfi_find_root_nk(REGF_FILE* file, uint32 offset, uint32 hbin_size,
841	uint32* root_offset)
842	{
843	uint8 tmp[4];
844	int32 record_size;
845	uint32 length, hbin_offset = 0;
846	REGF_NK_REC* nk = NULL;
847	bool found = false;
848
849	for(record_size=0; !found && (hbin_offset < hbin_size); )
850	{
851	if(lseek(file->fd, offset+hbin_offset, SEEK_SET) == -1)
852	return false;
853
854	length = 4;
855	if((regfi_read(file->fd, tmp, &length) != 0) \|\| length != 4)
856	return false;
857	record_size = IVALS(tmp, 0);
858
859	if(record_size < 0)
860	{
861	record_size = record_size*(-1);
862	nk = regfi_parse_nk(file, offset+hbin_offset, hbin_size-hbin_offset, true);
863	if(nk != NULL)
864	{
865	if(nk->key_type == NK_TYPE_ROOTKEY)
866	{
867	found = true;
868	*root_offset = nk->offset;
869	}
870	free(nk);
871	}
872	}
873
874	hbin_offset += record_size;
875	}
876
877	return found;
878	}
879
880
881	/*******************************************************************
882	* Open the registry file and then read in the REGF block to get the
883	* first hbin offset.
884	*******************************************************************/
885	REGF_FILE* regfi_open(const char* filename)
886	{
887	REGF_FILE* rb;
888	REGF_HBIN* hbin = NULL;
889	uint32 hbin_off;
890	int fd;
891	int flags = O_RDONLY;
892	bool rla;
893
894	/* open an existing file */
895	if ((fd = open(filename, flags)) == -1)
896	{
897	/* DEBUG(0,("regfi_open: failure to open %s (%s)\n", filename, strerror(errno)));*/
898	return NULL;
899	}
900
901	/* read in an existing file */
902	if ((rb = regfi_parse_regf(fd, true)) == NULL)
903	{
904	/* DEBUG(0,("regfi_open: Failed to read initial REGF block\n"));*/
905	close(fd);
906	return NULL;
907	}
908
909	rb->hbins = range_list_new();
910	rb->unalloc_cells = range_list_new();
911	if((rb->hbins == NULL) \|\| (rb->unalloc_cells == NULL))
912	{
913	range_list_free(rb->hbins);
914	range_list_free(rb->unalloc_cells);
915	close(fd);
916	free(rb);
917	return NULL;
918	}
919
920	rla = true;
921	hbin_off = REGF_BLOCKSIZE;
922	hbin = regfi_parse_hbin(rb, hbin_off, true, false);
923	while(hbin && rla)
924	{
925	hbin_off = hbin->file_off + hbin->block_size;
926	rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
927	hbin = regfi_parse_hbin(rb, hbin_off, true, false);
928	}
929
930	/* success */
931	return rb;
932	}
933
934
935	/*******************************************************************
936	*******************************************************************/
937	int regfi_close( REGF_FILE *file )
938	{
939	int fd;
940	uint32 i;
941
942	/* nothing to do if there is no open file */
943	if ((file == NULL) \|\| (file->fd == -1))
944	return 0;
945
946	fd = file->fd;
947	file->fd = -1;
948	for(i=0; i < range_list_size(file->hbins); i++)
949	free(range_list_get(file->hbins, i)->data);
950	range_list_free(file->hbins);
951
952	for(i=0; i < range_list_size(file->unalloc_cells); i++)
953	free(range_list_get(file->unalloc_cells, i)->data);
954	range_list_free(file->unalloc_cells);
955
956	free(file);
957
958	return close(fd);
959	}
960
961
962	/******************************************************************************
963	* There should be only one root key in the registry file based
964	* on my experience. --jerry
965	*****************************************************************************/
966	REGF_NK_REC* regfi_rootkey(REGF_FILE *file)
967	{
968	REGF_NK_REC* nk = NULL;
969	REGF_HBIN* hbin;
970	uint32 offset = REGF_BLOCKSIZE;
971	uint32 root_offset;
972
973	if(!file)
974	return NULL;
975
976	/* Scan through the file one HBIN block at a time looking
977	for an NK record with a type == 0x002c.
978	Normally this is the first nk record in the first hbin
979	block (but I'm not assuming that for now) */
980
981	while((hbin = regfi_parse_hbin(file, offset, true, false)))
982	{
983	if(regfi_find_root_nk(file, hbin->file_off+HBIN_HEADER_REC_SIZE,
984	hbin->block_size-HBIN_HEADER_REC_SIZE, &root_offset))
985	{
986	nk = regfi_load_key(file, root_offset, true);
987	break;
988	}
989
990	offset += hbin->block_size;
991	}
992
993	return nk;
994	}
995
996
997	/******************************************************************************
998	*****************************************************************************/
999	void regfi_key_free(REGF_NK_REC* nk)
1000	{
1001	uint32 i;
1002
1003	if((nk->values != NULL) && (nk->values_off!=REGF_OFFSET_NONE))
1004	{
1005	for(i=0; i < nk->num_values; i++)
1006	{
1007	if(nk->values[i]->valuename != NULL)
1008	free(nk->values[i]->valuename);
1009	if(nk->values[i]->data != NULL)
1010	free(nk->values[i]->data);
1011	free(nk->values[i]);
1012	}
1013	free(nk->values);
1014	}
1015
1016	if(nk->keyname != NULL)
1017	free(nk->keyname);
1018	if(nk->classname != NULL)
1019	free(nk->classname);
1020
1021	/* XXX: not freeing hbin because these are cached. This needs to be reviewed. */
1022	/* XXX: not freeing sec_desc because these are cached. This needs to be reviewed. */
1023	free(nk);
1024	}
1025
1026
1027	/******************************************************************************
1028	*****************************************************************************/
1029	REGFI_ITERATOR* regfi_iterator_new(REGF_FILE* fh)
1030	{
1031	REGF_NK_REC* root;
1032	REGFI_ITERATOR* ret_val = (REGFI_ITERATOR*)malloc(sizeof(REGFI_ITERATOR));
1033	if(ret_val == NULL)
1034	return NULL;
1035
1036	root = regfi_rootkey(fh);
1037	if(root == NULL)
1038	{
1039	free(ret_val);
1040	return NULL;
1041	}
1042
1043	ret_val->key_positions = void_stack_new(REGF_MAX_DEPTH);
1044	if(ret_val->key_positions == NULL)
1045	{
1046	free(ret_val);
1047	free(root);
1048	return NULL;
1049	}
1050
1051	ret_val->f = fh;
1052	ret_val->cur_key = root;
1053	ret_val->cur_subkey = 0;
1054	ret_val->cur_value = 0;
1055
1056	return ret_val;
1057	}
1058
1059
1060	/******************************************************************************
1061	*****************************************************************************/
1062	void regfi_iterator_free(REGFI_ITERATOR* i)
1063	{
1064	REGFI_ITER_POSITION* cur;
1065
1066	if(i->cur_key != NULL)
1067	regfi_key_free(i->cur_key);
1068
1069	while((cur = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions)) != NULL)
1070	{
1071	regfi_key_free(cur->nk);
1072	free(cur);
1073	}
1074
1075	free(i);
1076	}
1077
1078
1079
1080	/******************************************************************************
1081	*****************************************************************************/
1082	/* XXX: some way of indicating reason for failure should be added. */
1083	bool regfi_iterator_down(REGFI_ITERATOR* i)
1084	{
1085	REGF_NK_REC* subkey;
1086	REGFI_ITER_POSITION* pos;
1087
1088	pos = (REGFI_ITER_POSITION*)malloc(sizeof(REGFI_ITER_POSITION));
1089	if(pos == NULL)
1090	return false;
1091
1092	subkey = (REGF_NK_REC*)regfi_iterator_cur_subkey(i);
1093	if(subkey == NULL)
1094	{
1095	free(pos);
1096	return false;
1097	}
1098
1099	pos->nk = i->cur_key;
1100	pos->cur_subkey = i->cur_subkey;
1101	if(!void_stack_push(i->key_positions, pos))
1102	{
1103	free(pos);
1104	regfi_key_free(subkey);
1105	return false;
1106	}
1107
1108	i->cur_key = subkey;
1109	i->cur_subkey = 0;
1110	i->cur_value = 0;
1111
1112	return true;
1113	}
1114
1115
1116	/******************************************************************************
1117	*****************************************************************************/
1118	bool regfi_iterator_up(REGFI_ITERATOR* i)
1119	{
1120	REGFI_ITER_POSITION* pos;
1121
1122	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
1123	if(pos == NULL)
1124	return false;
1125
1126	regfi_key_free(i->cur_key);
1127	i->cur_key = pos->nk;
1128	i->cur_subkey = pos->cur_subkey;
1129	i->cur_value = 0;
1130	free(pos);
1131
1132	return true;
1133	}
1134
1135
1136	/******************************************************************************
1137	*****************************************************************************/
1138	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
1139	{
1140	while(regfi_iterator_up(i))
1141	continue;
1142
1143	return true;
1144	}
1145
1146
1147	/******************************************************************************
1148	*****************************************************************************/
1149	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
1150	{
1151	REGF_NK_REC* subkey;
1152	bool found = false;
1153	uint32 old_subkey = i->cur_subkey;
1154
1155	if(subkey_name == NULL)
1156	return false;
1157
1158	/* XXX: this alloc/free of each sub key might be a bit excessive */
1159	subkey = (REGF_NK_REC*)regfi_iterator_first_subkey(i);
1160	while((subkey != NULL) && (found == false))
1161	{
1162	if(subkey->keyname != NULL
1163	&& strcasecmp(subkey->keyname, subkey_name) == 0)
1164	found = true;
1165	else
1166	{
1167	regfi_key_free(subkey);
1168	subkey = (REGF_NK_REC*)regfi_iterator_next_subkey(i);
1169	}
1170	}
1171
1172	if(found == false)
1173	{
1174	i->cur_subkey = old_subkey;
1175	return false;
1176	}
1177
1178	regfi_key_free(subkey);
1179	return true;
1180	}
1181
1182
1183	/******************************************************************************
1184	*****************************************************************************/
1185	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
1186	{
1187	uint32 x;
1188	if(path == NULL)
1189	return false;
1190
1191	for(x=0;
1192	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
1193	&& regfi_iterator_down(i));
1194	x++)
1195	{ continue; }
1196
1197	if(path[x] == NULL)
1198	return true;
1199
1200	/* XXX: is this the right number of times? */
1201	for(; x > 0; x--)
1202	regfi_iterator_up(i);
1203
1204	return false;
1205	}
1206
1207
1208	/******************************************************************************
1209	*****************************************************************************/
1210	const REGF_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
1211	{
1212	return i->cur_key;
1213	}
1214
1215
1216	/******************************************************************************
1217	*****************************************************************************/
1218	const REGF_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
1219	{
1220	i->cur_subkey = 0;
1221	return regfi_iterator_cur_subkey(i);
1222	}
1223
1224
1225	/******************************************************************************
1226	*****************************************************************************/
1227	const REGF_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
1228	{
1229	uint32 nk_offset;
1230
1231	/* see if there is anything left to report */
1232	if (!(i->cur_key) \|\| (i->cur_key->subkeys_off==REGF_OFFSET_NONE)
1233	\|\| (i->cur_subkey >= i->cur_key->num_subkeys))
1234	return NULL;
1235
1236	nk_offset = i->cur_key->subkeys->hashes[i->cur_subkey].nk_off;
1237
1238	return regfi_load_key(i->f, nk_offset+REGF_BLOCKSIZE, true);
1239	}
1240
1241
1242	/******************************************************************************
1243	*****************************************************************************/
1244	/* XXX: some way of indicating reason for failure should be added. */
1245	const REGF_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
1246	{
1247	const REGF_NK_REC* subkey;
1248
1249	i->cur_subkey++;
1250	subkey = regfi_iterator_cur_subkey(i);
1251
1252	if(subkey == NULL)
1253	i->cur_subkey--;
1254
1255	return subkey;
1256	}
1257
1258
1259	/******************************************************************************
1260	*****************************************************************************/
1261	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
1262	{
1263	const REGF_VK_REC* cur;
1264	bool found = false;
1265
1266	/* XXX: cur->valuename can be NULL in the registry.
1267	* Should we allow for a way to search for that?
1268	*/
1269	if(value_name == NULL)
1270	return false;
1271
1272	cur = regfi_iterator_first_value(i);
1273	while((cur != NULL) && (found == false))
1274	{
1275	if((cur->valuename != NULL)
1276	&& (strcasecmp(cur->valuename, value_name) == 0))
1277	found = true;
1278	else
1279	cur = regfi_iterator_next_value(i);
1280	}
1281
1282	return found;
1283	}
1284
1285
1286	/******************************************************************************
1287	*****************************************************************************/
1288	const REGF_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
1289	{
1290	i->cur_value = 0;
1291	return regfi_iterator_cur_value(i);
1292	}
1293
1294
1295	/******************************************************************************
1296	*****************************************************************************/
1297	const REGF_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
1298	{
1299	REGF_VK_REC* ret_val = NULL;
1300	if(i->cur_value < i->cur_key->num_values)
1301	ret_val = i->cur_key->values[i->cur_value];
1302
1303	return ret_val;
1304	}
1305
1306
1307	/******************************************************************************
1308	*****************************************************************************/
1309	const REGF_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
1310	{
1311	const REGF_VK_REC* ret_val;
1312
1313	i->cur_value++;
1314	ret_val = regfi_iterator_cur_value(i);
1315	if(ret_val == NULL)
1316	i->cur_value--;
1317
1318	return ret_val;
1319	}
1320
1321
1322
1323	/*******************************************************************
1324	* Computes the checksum of the registry file header.
1325	* buffer must be at least the size of an regf header (4096 bytes).
1326	*******************************************************************/
1327	static uint32 regfi_compute_header_checksum(uint8* buffer)
1328	{
1329	uint32 checksum, x;
1330	int i;
1331
1332	/* XOR of all bytes 0x0000 - 0x01FB */
1333
1334	checksum = x = 0;
1335
1336	for ( i=0; i<0x01FB; i+=4 ) {
1337	x = IVAL(buffer, i );
1338	checksum ^= x;
1339	}
1340
1341	return checksum;
1342	}
1343
1344
1345	/*******************************************************************
1346	* TODO: add way to return more detailed error information.
1347	*******************************************************************/
1348	REGF_FILE* regfi_parse_regf(int fd, bool strict)
1349	{
1350	uint8 file_header[REGF_BLOCKSIZE];
1351	uint32 length;
1352	uint32 file_length;
1353	struct stat sbuf;
1354	REGF_FILE* ret_val;
1355
1356	/* Determine file length. Must be at least big enough
1357	* for the header and one hbin.
1358	*/
1359	if (fstat(fd, &sbuf) == -1)
1360	return NULL;
1361	file_length = sbuf.st_size;
1362	if(file_length < REGF_BLOCKSIZE+REGF_ALLOC_BLOCK)
1363	return NULL;
1364
1365	ret_val = (REGF_FILE*)zalloc(sizeof(REGF_FILE));
1366	if(ret_val == NULL)
1367	return NULL;
1368
1369	ret_val->fd = fd;
1370	ret_val->file_length = file_length;
1371
1372	length = REGF_BLOCKSIZE;
1373	if((regfi_read(fd, file_header, &length)) != 0
1374	\|\| length != REGF_BLOCKSIZE)
1375	{
1376	free(ret_val);
1377	return NULL;
1378	}
1379
1380	ret_val->checksum = IVAL(file_header, 0x1FC);
1381	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
1382	if (strict && (ret_val->checksum != ret_val->computed_checksum))
1383	{
1384	free(ret_val);
1385	return NULL;
1386	}
1387
1388	memcpy(ret_val->magic, file_header, 4);
1389	if(strict && (memcmp(ret_val->magic, "regf", 4) != 0))
1390	{
1391	free(ret_val);
1392	return NULL;
1393	}
1394
1395	ret_val->unknown1 = IVAL(file_header, 0x4);
1396	ret_val->unknown2 = IVAL(file_header, 0x8);
1397
1398	ret_val->mtime.low = IVAL(file_header, 0xC);
1399	ret_val->mtime.high = IVAL(file_header, 0x10);
1400
1401	ret_val->unknown3 = IVAL(file_header, 0x14);
1402	ret_val->unknown4 = IVAL(file_header, 0x18);
1403	ret_val->unknown5 = IVAL(file_header, 0x1C);
1404	ret_val->unknown6 = IVAL(file_header, 0x20);
1405
1406	ret_val->data_offset = IVAL(file_header, 0x24);
1407	ret_val->last_block = IVAL(file_header, 0x28);
1408
1409	ret_val->unknown7 = IVAL(file_header, 0x2C);
1410
1411	return ret_val;
1412	}
1413
1414
1415
1416	/*******************************************************************
1417	* Given real file offset, read and parse the hbin at that location
1418	* along with it's associated cells. If save_unalloc is true, a list
1419	* of unallocated cell offsets will be stored in TODO.
1420	*******************************************************************/
1421	/* TODO: Need a way to return types of errors. Also need to free
1422	* the hbin/ps when an error occurs.
1423	*/
1424	REGF_HBIN* regfi_parse_hbin(REGF_FILE* file, uint32 offset,
1425	bool strict, bool save_unalloc)
1426	{
1427	REGF_HBIN *hbin;
1428	uint8 hbin_header[HBIN_HEADER_REC_SIZE];
1429	uint32 length, curr_off;
1430	uint32 cell_len;
1431	bool is_unalloc;
1432
1433	if(offset >= file->file_length)
1434	return NULL;
1435
1436	if(lseek(file->fd, offset, SEEK_SET) == -1)
1437	return NULL;
1438
1439	length = HBIN_HEADER_REC_SIZE;
1440	if((regfi_read(file->fd, hbin_header, &length) != 0)
1441	\|\| length != HBIN_HEADER_REC_SIZE)
1442	return NULL;
1443
1444
1445	if(lseek(file->fd, offset, SEEK_SET) == -1)
1446	return NULL;
1447
1448	if(!(hbin = (REGF_HBIN*)zalloc(sizeof(REGF_HBIN))))
1449	return NULL;
1450	hbin->file_off = offset;
1451
1452	memcpy(hbin->magic, hbin_header, 4);
1453	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
1454	{
1455	free(hbin);
1456	return NULL;
1457	}
1458
1459	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
1460	hbin->block_size = IVAL(hbin_header, 0x8);
1461	/* this should be the same thing as hbin->block_size but just in case */
1462	hbin->next_block = IVAL(hbin_header, 0x1C);
1463
1464
1465	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
1466	* the end of the file.
1467	*/
1468	/* TODO: This may need to be relaxed for dealing with
1469	* partial or corrupt files. */
1470	if((offset + hbin->block_size > file->file_length)
1471	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
1472	{
1473	free(hbin);
1474	return NULL;
1475	}
1476
1477	if(save_unalloc)
1478	{
1479	curr_off = HBIN_HEADER_REC_SIZE;
1480	while(curr_off < hbin->block_size)
1481	{
1482	if(!regfi_parse_cell(file->fd, hbin->file_off+curr_off, NULL, 0,
1483	&cell_len, &is_unalloc))
1484	break;
1485
1486	if((cell_len == 0) \|\| ((cell_len & 0xFFFFFFFC) != cell_len))
1487	/* TODO: should report an error here. */
1488	break;
1489
1490	/* for some reason the record_size of the last record in
1491	an hbin block can extend past the end of the block
1492	even though the record fits within the remaining
1493	space....aaarrrgggghhhhhh */
1494	if(curr_off + cell_len >= hbin->block_size)
1495	cell_len = hbin->block_size - curr_off;
1496
1497	if(is_unalloc)
1498	range_list_add(file->unalloc_cells, hbin->file_off+curr_off,
1499	cell_len, NULL);
1500
1501	curr_off = curr_off+cell_len;
1502	}
1503	}
1504
1505	return hbin;
1506	}
1507
1508
1509
1510	REGF_NK_REC* regfi_parse_nk(REGF_FILE* file, uint32 offset,
1511	uint32 max_size, bool strict)
1512	{
1513	uint8 nk_header[REGFI_NK_MIN_LENGTH];
1514	REGF_NK_REC* ret_val;
1515	uint32 length;
1516	uint32 cell_length;
1517	bool unalloc = false;
1518
1519	if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH,
1520	&cell_length, &unalloc))
1521	return NULL;
1522
1523	/* A bit of validation before bothering to allocate memory */
1524	if((nk_header[0x0] != 'n') \|\| (nk_header[0x1] != 'k'))
1525	{
1526	/* TODO: deal with subkey-lists that reference other subkey-lists. */
1527	printf("DEBUG: magic check failed! \"%c%c\"\n", nk_header[0x0], nk_header[0x1]);
1528	return NULL;
1529	}
1530
1531	ret_val = (REGF_NK_REC*)zalloc(sizeof(REGF_NK_REC));
1532	if(ret_val == NULL)
1533	return NULL;
1534
1535	ret_val->offset = offset;
1536	ret_val->cell_size = cell_length;
1537
1538	if(ret_val->cell_size > max_size)
1539	ret_val->cell_size = max_size & 0xFFFFFFF8;
1540	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
1541	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
1542	{
1543	free(ret_val);
1544	return NULL;
1545	}
1546
1547	ret_val->magic[0] = nk_header[0x0];
1548	ret_val->magic[1] = nk_header[0x1];
1549	ret_val->key_type = SVAL(nk_header, 0x2);
1550	if((ret_val->key_type != NK_TYPE_NORMALKEY)
1551	&& (ret_val->key_type != NK_TYPE_ROOTKEY)
1552	&& (ret_val->key_type != NK_TYPE_LINKKEY)
1553	&& (ret_val->key_type != NK_TYPE_UNKNOWN1))
1554	{
1555	free(ret_val);
1556	return NULL;
1557	}
1558
1559	ret_val->mtime.low = IVAL(nk_header, 0x4);
1560	ret_val->mtime.high = IVAL(nk_header, 0x8);
1561
1562	ret_val->unknown1 = IVAL(nk_header, 0xC);
1563	ret_val->parent_off = IVAL(nk_header, 0x10);
1564	ret_val->num_subkeys = IVAL(nk_header, 0x14);
1565	ret_val->unknown2 = IVAL(nk_header, 0x18);
1566	ret_val->subkeys_off = IVAL(nk_header, 0x1C);
1567	ret_val->unknown3 = IVAL(nk_header, 0x20);
1568	ret_val->num_values = IVAL(nk_header, 0x24);
1569	ret_val->values_off = IVAL(nk_header, 0x28);
1570	ret_val->sk_off = IVAL(nk_header, 0x2C);
1571	/* TODO: currently we do nothing with class names. Need to investigate. */
1572	ret_val->classname_off = IVAL(nk_header, 0x30);
1573
1574	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
1575	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
1576	ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
1577	ret_val->max_bytes_value = IVAL(nk_header, 0x40);
1578	ret_val->unk_index = IVAL(nk_header, 0x44);
1579
1580	ret_val->name_length = SVAL(nk_header, 0x48);
1581	ret_val->classname_length = SVAL(nk_header, 0x4A);
1582
1583	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
1584	{
1585	if(strict)
1586	{
1587	free(ret_val);
1588	return NULL;
1589	}
1590	else
1591	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
1592	}
1593	else if (unalloc)
1594	{ /* Truncate cell_size if it's much larger than the apparent total record length. */
1595	/* Round up to the next multiple of 8 */
1596	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
1597	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
1598	length+=8;
1599
1600	/* If cell_size is still greater, truncate. */
1601	if(length < ret_val->cell_size)
1602	ret_val->cell_size = length;
1603	}
1604
1605	ret_val->keyname = (char)zalloc(sizeof(char)(ret_val->name_length+1));
1606	if(ret_val->keyname == NULL)
1607	{
1608	free(ret_val);
1609	return NULL;
1610	}
1611
1612	/* Don't need to seek, should be at the right offset */
1613	length = ret_val->name_length;
1614	if((regfi_read(file->fd, (uint8*)ret_val->keyname, &length) != 0)
1615	\|\| length != ret_val->name_length)
1616	{
1617	free(ret_val->keyname);
1618	free(ret_val);
1619	return NULL;
1620	}
1621	ret_val->keyname[ret_val->name_length] = '\0';
1622
1623	return ret_val;
1624	}
1625
1626
1627
1628	/*******************************************************************
1629	*******************************************************************/
1630	REGF_VK_REC* regfi_parse_vk(REGF_FILE* file, uint32 offset,
1631	uint32 max_size, bool strict)
1632	{
1633	REGF_VK_REC* ret_val;
1634	uint8 vk_header[REGFI_VK_MIN_LENGTH];
1635	uint32 raw_data_size, length, cell_length;
1636	bool unalloc = false;
1637
1638	if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH,
1639	&cell_length, &unalloc))
1640	return NULL;
1641
1642	ret_val = (REGF_VK_REC*)zalloc(sizeof(REGF_VK_REC));
1643	if(ret_val == NULL)
1644	return NULL;
1645
1646	ret_val->offset = offset;
1647	ret_val->cell_size = cell_length;
1648
1649	if(ret_val->cell_size > max_size)
1650	ret_val->cell_size = max_size & 0xFFFFFFF8;
1651	if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
1652	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
1653	{
1654	free(ret_val);
1655	return NULL;
1656	}
1657
1658	ret_val->magic[0] = vk_header[0x0];
1659	ret_val->magic[1] = vk_header[0x1];
1660	if((ret_val->magic[0] != 'v') \|\| (ret_val->magic[1] != 'k'))
1661	{
1662	free(ret_val);
1663	return NULL;
1664	}
1665
1666	ret_val->name_length = SVAL(vk_header, 0x2);
1667	raw_data_size = IVAL(vk_header, 0x4);
1668	ret_val->data_size = raw_data_size & ~VK_DATA_IN_OFFSET;
1669	ret_val->data_off = IVAL(vk_header, 0x8);
1670	ret_val->type = IVAL(vk_header, 0xC);
1671	ret_val->flag = SVAL(vk_header, 0x10);
1672	ret_val->unknown1 = SVAL(vk_header, 0x12);
1673
1674	if(ret_val->flag & VK_FLAG_NAME_PRESENT)
1675	{
1676	if(ret_val->name_length + REGFI_VK_MIN_LENGTH > ret_val->cell_size)
1677	{
1678	if(strict)
1679	{
1680	free(ret_val);
1681	return NULL;
1682	}
1683	else
1684	ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH;
1685	}
1686
1687	/* Round up to the next multiple of 8 */
1688	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
1689	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
1690	length+=8;
1691
1692	ret_val->valuename = (char)zalloc(sizeof(char)(ret_val->name_length+1));
1693	if(ret_val->valuename == NULL)
1694	{
1695	free(ret_val);
1696	return NULL;
1697	}
1698
1699	/* Don't need to seek, should be at the right offset */
1700	length = ret_val->name_length;
1701	if((regfi_read(file->fd, (uint8*)ret_val->valuename, &length) != 0)
1702	\|\| length != ret_val->name_length)
1703	{
1704	free(ret_val->valuename);
1705	free(ret_val);
1706	return NULL;
1707	}
1708	ret_val->valuename[ret_val->name_length] = '\0';
1709	}
1710	else
1711	length = REGFI_VK_MIN_LENGTH;
1712
1713	if(unalloc)
1714	{
1715	/* If cell_size is still greater, truncate. */
1716	if(length < ret_val->cell_size)
1717	ret_val->cell_size = length;
1718	}
1719
1720	if(ret_val->data_size == 0)
1721	ret_val->data = NULL;
1722	else
1723	{
1724	ret_val->data = regfi_parse_data(file, ret_val->data_off+REGF_BLOCKSIZE,
1725	raw_data_size, strict);
1726	if(strict && (ret_val->data == NULL))
1727	{
1728	free(ret_val->valuename);
1729	free(ret_val);
1730	return NULL;
1731	}
1732	}
1733
1734	return ret_val;
1735	}
1736
1737
1738	uint8* regfi_parse_data(REGF_FILE* file, uint32 offset, uint32 length, bool strict)
1739	{
1740	uint8* ret_val;
1741	uint32 read_length, cell_length;
1742	uint8 i;
1743	bool unalloc;
1744
1745	/* The data is stored in the offset if the size <= 4 */
1746	if (length & VK_DATA_IN_OFFSET)
1747	{
1748	length = length & ~VK_DATA_IN_OFFSET;
1749	if(length > 4)
1750	return NULL;
1751
1752	if((ret_val = (uint8)zalloc(sizeof(uint8)length)) == NULL)
1753	return NULL;
1754
1755	offset = offset - REGF_BLOCKSIZE;
1756	for(i = 0; i < length; i++)
1757	ret_val[i] = (uint8)((offset >> i*8) & 0xFF);
1758	}
1759	else
1760	{
1761	if(!regfi_parse_cell(file->fd, offset, NULL, 0,
1762	&cell_length, &unalloc))
1763	return NULL;
1764
1765	if(cell_length < 8 \|\| ((cell_length & 0xFFFFFFF8) != cell_length))
1766	return NULL;
1767
1768	if(cell_length - 4 < length)
1769	{
1770	if(strict)
1771	return NULL;
1772	else
1773	length = cell_length - 4;
1774	}
1775
1776	/* TODO: There is currently no check to ensure the data
1777	* cell doesn't cross HBIN boundary.
1778	*/
1779
1780	if((ret_val = (uint8)zalloc(sizeof(uint8)length)) == NULL)
1781	return NULL;
1782
1783	read_length = length;
1784	if((regfi_read(file->fd, ret_val, &read_length) != 0)
1785	\|\| read_length != length)
1786	{
1787	free(ret_val);
1788	return NULL;
1789	}
1790	}
1791
1792	return ret_val;
1793	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: