Context Navigation

source: trunk/lib/regfi.c @ 126

Last change on this file since 126 was 126, checked in by tim, 16 years ago
improved validation and output of key class names, MULTI_SZ and other unicode strings, and improved warnings and other error messages.
Property svn:keywords set to `Id`
File size: 48.1 KB

Line
1	/*
2	* Branched from Samba project Subversion repository, version #7470:
3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
4	*
5	* Unix SMB/CIFS implementation.
6	* Windows NT registry parsing library
7	*
8	* Copyright (C) 2005-2008 Timothy D. Morgan
9	* Copyright (C) 2005 Gerald (Jerry) Carter
10	*
11	* This program is free software; you can redistribute it and/or modify
12	* it under the terms of the GNU General Public License as published by
13	* the Free Software Foundation; version 3 of the License.
14	*
15	* This program is distributed in the hope that it will be useful,
16	* but WITHOUT ANY WARRANTY; without even the implied warranty of
17	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	* GNU General Public License for more details.
19	*
20	* You should have received a copy of the GNU General Public License
21	* along with this program; if not, write to the Free Software
22	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23	*
24	* $Id: regfi.c 126 2008-08-19 23:31:33Z tim $
25	*/
26
27	#include "../include/regfi.h"
28
29
30	/* Registry types mapping */
31	const unsigned int regfi_num_reg_types = 12;
32	static const char* regfi_type_names[] =
33	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
34	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
35
36
37	/* Returns NULL on error */
38	const char* regfi_type_val2str(unsigned int val)
39	{
40	if(val == REG_KEY)
41	return "KEY";
42
43	if(val >= regfi_num_reg_types)
44	return NULL;
45
46	return regfi_type_names[val];
47	}
48
49
50	/* Returns -1 on error */
51	int regfi_type_str2val(const char* str)
52	{
53	int i;
54
55	if(strcmp("KEY", str) == 0)
56	return REG_KEY;
57
58	for(i=0; i < regfi_num_reg_types; i++)
59	if (strcmp(regfi_type_names[i], str) == 0)
60	return i;
61
62	if(strcmp("DWORD_LE", str) == 0)
63	return REG_DWORD_LE;
64
65	return -1;
66	}
67
68
69	/* Security descriptor parsing functions */
70
71	const char* regfi_ace_type2str(uint8 type)
72	{
73	static const char* map[7]
74	= {"ALLOW", "DENY", "AUDIT", "ALARM",
75	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
76	if(type < 7)
77	return map[type];
78	else
79	/* XXX: would be nice to return the unknown integer value.
80	* However, as it is a const string, it can't be free()ed later on,
81	* so that would need to change.
82	*/
83	return "UNKNOWN";
84	}
85
86
87	/* XXX: need a better reference on the meaning of each flag. */
88	/* For more info, see:
89	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
90	*/
91	char* regfi_ace_flags2str(uint8 flags)
92	{
93	static const char* flag_map[32] =
94	{ "OI", /* Object Inherit */
95	"CI", /* Container Inherit */
96	"NP", /* Non-Propagate */
97	"IO", /* Inherit Only */
98	"IA", /* Inherited ACE */
99	NULL,
100	NULL,
101	NULL,
102	};
103
104	char* ret_val = malloc(35*sizeof(char));
105	char* fo = ret_val;
106	uint32 i;
107	uint8 f;
108
109	if(ret_val == NULL)
110	return NULL;
111
112	fo[0] = '\0';
113	if (!flags)
114	return ret_val;
115
116	for(i=0; i < 8; i++)
117	{
118	f = (1<<i);
119	if((flags & f) && (flag_map[i] != NULL))
120	{
121	strcpy(fo, flag_map[i]);
122	fo += strlen(flag_map[i]);
123	*(fo++) = ' ';
124	flags ^= f;
125	}
126	}
127
128	/* Any remaining unknown flags are added at the end in hex. */
129	if(flags != 0)
130	sprintf(fo, "0x%.2X ", flags);
131
132	/* Chop off the last space if we've written anything to ret_val */
133	if(fo != ret_val)
134	fo[-1] = '\0';
135
136	/* XXX: what was this old VI flag for??
137	XXX: Is this check right? 0xF == 1\|2\|4\|8, which makes it redundant...
138	if (flags == 0xF) {
139	if (some) strcat(flg_output, " ");
140	some = 1;
141	strcat(flg_output, "VI");
142	}
143	*/
144
145	return ret_val;
146	}
147
148
149	char* regfi_ace_perms2str(uint32 perms)
150	{
151	uint32 i, p;
152	/* This is more than is needed by a fair margin. */
153	char* ret_val = malloc(350*sizeof(char));
154	char* r = ret_val;
155
156	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
157	* For more information, see:
158	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
159	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
160	*/
161	static const char* perm_map[32] =
162	{/* object-specific permissions (registry keys, in this case) */
163	"QRY_VAL", /* KEY_QUERY_VALUE */
164	"SET_VAL", /* KEY_SET_VALUE */
165	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
166	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
167	"NOTIFY", /* KEY_NOTIFY */
168	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
169	NULL,
170	NULL,
171	"WOW64_64", /* KEY_WOW64_64KEY */
172	"WOW64_32", /* KEY_WOW64_32KEY */
173	NULL,
174	NULL,
175	NULL,
176	NULL,
177	NULL,
178	NULL,
179	/* standard access rights */
180	"DELETE", /* DELETE */
181	"R_CONT", /* READ_CONTROL */
182	"W_DAC", /* WRITE_DAC */
183	"W_OWNER", /* WRITE_OWNER */
184	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
185	NULL,
186	NULL,
187	NULL,
188	/* other generic */
189	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
190	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
191	NULL,
192	NULL,
193	"GEN_A", /* GENERIC_ALL */
194	"GEN_X", /* GENERIC_EXECUTE */
195	"GEN_W", /* GENERIC_WRITE */
196	"GEN_R", /* GENERIC_READ */
197	};
198
199
200	if(ret_val == NULL)
201	return NULL;
202
203	r[0] = '\0';
204	for(i=0; i < 32; i++)
205	{
206	p = (1<<i);
207	if((perms & p) && (perm_map[i] != NULL))
208	{
209	strcpy(r, perm_map[i]);
210	r += strlen(perm_map[i]);
211	*(r++) = ' ';
212	perms ^= p;
213	}
214	}
215
216	/* Any remaining unknown permission bits are added at the end in hex. */
217	if(perms != 0)
218	sprintf(r, "0x%.8X ", perms);
219
220	/* Chop off the last space if we've written anything to ret_val */
221	if(r != ret_val)
222	r[-1] = '\0';
223
224	return ret_val;
225	}
226
227
228	char* regfi_sid2str(DOM_SID* sid)
229	{
230	uint32 i, size = MAXSUBAUTHS*11 + 24;
231	uint32 left = size;
232	uint8 comps = sid->num_auths;
233	char* ret_val = malloc(size);
234
235	if(ret_val == NULL)
236	return NULL;
237
238	if(comps > MAXSUBAUTHS)
239	comps = MAXSUBAUTHS;
240
241	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
242
243	for (i = 0; i < comps; i++)
244	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
245
246	return ret_val;
247	}
248
249
250	char* regfi_get_acl(SEC_ACL* acl)
251	{
252	uint32 i, extra, size = 0;
253	const char* type_str;
254	char* flags_str;
255	char* perms_str;
256	char* sid_str;
257	char* ace_delim = "";
258	char* ret_val = NULL;
259	char* tmp_val = NULL;
260	bool failed = false;
261	char field_delim = ':';
262
263	for (i = 0; i < acl->num_aces && !failed; i++)
264	{
265	sid_str = regfi_sid2str(&acl->ace[i].trustee);
266	type_str = regfi_ace_type2str(acl->ace[i].type);
267	perms_str = regfi_ace_perms2str(acl->ace[i].info.mask);
268	flags_str = regfi_ace_flags2str(acl->ace[i].flags);
269
270	if(flags_str != NULL && perms_str != NULL
271	&& type_str != NULL && sid_str != NULL)
272	{
273	/* XXX: this is slow */
274	extra = strlen(sid_str) + strlen(type_str)
275	+ strlen(perms_str) + strlen(flags_str)+5;
276	tmp_val = realloc(ret_val, size+extra);
277
278	if(tmp_val == NULL)
279	{
280	free(ret_val);
281	failed = true;
282	}
283	else
284	{
285	ret_val = tmp_val;
286	size += snprintf(ret_val+size, extra, "%s%s%c%s%c%s%c%s",
287	ace_delim,sid_str,
288	field_delim,type_str,
289	field_delim,perms_str,
290	field_delim,flags_str);
291	ace_delim = "\|";
292	}
293	}
294	else
295	failed = true;
296
297	if(sid_str != NULL)
298	free(sid_str);
299	if(sid_str != NULL)
300	free(perms_str);
301	if(sid_str != NULL)
302	free(flags_str);
303	}
304
305	return ret_val;
306	}
307
308
309	char* regfi_get_sacl(SEC_DESC *sec_desc)
310	{
311	if (sec_desc->sacl)
312	return regfi_get_acl(sec_desc->sacl);
313	else
314	return NULL;
315	}
316
317
318	char* regfi_get_dacl(SEC_DESC *sec_desc)
319	{
320	if (sec_desc->dacl)
321	return regfi_get_acl(sec_desc->dacl);
322	else
323	return NULL;
324	}
325
326
327	char* regfi_get_owner(SEC_DESC *sec_desc)
328	{
329	return regfi_sid2str(sec_desc->owner_sid);
330	}
331
332
333	char* regfi_get_group(SEC_DESC *sec_desc)
334	{
335	return regfi_sid2str(sec_desc->grp_sid);
336	}
337
338
339	/*****************************************************************************
340	* This function is just like read(2), except that it continues to
341	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
342	* regfi_read will attempt to read length bytes from fd and write them to buf.
343	*
344	* On success, 0 is returned. Upon failure, an errno code is returned.
345	*
346	* The number of bytes successfully read is returned through the length
347	* parameter by reference. If both the return value and length parameter are
348	* returned as 0, then EOF was encountered immediately
349	*****************************************************************************/
350	uint32 regfi_read(int fd, uint8* buf, uint32* length)
351	{
352	uint32 rsize = 0;
353	uint32 rret = 0;
354
355	do
356	{
357	rret = read(fd, buf + rsize, *length - rsize);
358	if(rret > 0)
359	rsize += rret;
360	}while(*length - rsize > 0
361	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
362
363	*length = rsize;
364	if (rret == -1 && errno != EINTR && errno != EAGAIN)
365	return errno;
366
367	return 0;
368	}
369
370
371	/*****************************************************************************
372	*
373	*****************************************************************************/
374	bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len,
375	uint32* cell_length, bool* unalloc)
376	{
377	uint32 length;
378	int32 raw_length;
379	uint8 tmp[4];
380
381	if(lseek(fd, offset, SEEK_SET) == -1)
382	return false;
383
384	length = 4;
385	if((regfi_read(fd, tmp, &length) != 0) \|\| length != 4)
386	return false;
387	raw_length = IVALS(tmp, 0);
388
389	if(raw_length < 0)
390	{
391	(cell_length) = raw_length(-1);
392	(*unalloc) = false;
393	}
394	else
395	{
396	(*cell_length) = raw_length;
397	(*unalloc) = true;
398	}
399
400	if(*cell_length - 4 < hdr_len)
401	return false;
402
403	if(hdr_len > 0)
404	{
405	length = hdr_len;
406	if((regfi_read(fd, hdr, &length) != 0) \|\| length != hdr_len)
407	return false;
408	}
409
410	return true;
411	}
412
413
414	/*******************************************************************
415	* Given an offset and an hbin, is the offset within that hbin?
416	* The offset is a virtual file offset.
417	*******************************************************************/
418	static bool regfi_offset_in_hbin(REGF_HBIN* hbin, uint32 offset)
419	{
420	if(!hbin)
421	return false;
422
423	if((offset > hbin->first_hbin_off)
424	&& (offset < (hbin->first_hbin_off + hbin->block_size)))
425	return true;
426
427	return false;
428	}
429
430
431
432	/*******************************************************************
433	* Given a virtual offset, and receive the correpsonding HBIN
434	* block for it. NULL if one doesn't exist.
435	*******************************************************************/
436	REGF_HBIN* regfi_lookup_hbin(REGF_FILE* file, uint32 offset)
437	{
438	return (REGF_HBIN*)range_list_find_data(file->hbins, offset+REGF_BLOCKSIZE);
439	}
440
441
442
443	/*******************************************************************
444	*******************************************************************/
445	REGF_HASH_LIST* regfi_load_hashlist(REGF_FILE* file, uint32 offset,
446	uint32 num_keys, uint32 max_size,
447	bool strict)
448	{
449	REGF_HASH_LIST* ret_val;
450	uint32 i, cell_length, length;
451	uint8* hashes;
452	uint8 buf[REGFI_HASH_LIST_MIN_LENGTH];
453	bool unalloc;
454
455	if(!regfi_parse_cell(file->fd, offset, buf, REGFI_HASH_LIST_MIN_LENGTH,
456	&cell_length, &unalloc))
457	return NULL;
458
459	ret_val = (REGF_HASH_LIST*)zalloc(sizeof(REGF_HASH_LIST));
460	if(ret_val == NULL)
461	return NULL;
462
463	ret_val->offset = offset;
464	if(cell_length > max_size)
465	{
466	if(strict)
467	return NULL;
468	cell_length = max_size & 0xFFFFFFF8;
469	}
470	ret_val->cell_size = cell_length;
471
472	if((buf[0] != 'l' \|\| buf[1] != 'f') && (buf[0] != 'l' \|\| buf[1] != 'h')
473	&& (buf[0] != 'r' \|\| buf[1] != 'i'))
474	{
475	/printf("DEBUG: lf->header=%c%c\n", buf[0], buf[1]);/
476	free(ret_val);
477	return NULL;
478	}
479
480	if(buf[0] == 'r' && buf[1] == 'i')
481	{
482	fprintf(stderr, "WARNING: ignoring encountered \"ri\" record.\n");
483	free(ret_val);
484	return NULL;
485	}
486
487	ret_val->magic[0] = buf[0];
488	ret_val->magic[1] = buf[1];
489
490	ret_val->num_keys = SVAL(buf, 0x2);
491	if(num_keys != ret_val->num_keys)
492	{
493	if(strict)
494	{
495	free(ret_val);
496	return NULL;
497	}
498	/* XXX: Not sure which should be authoritative, the number from the
499	* NK record, or the number in the hash list. Go with the larger
500	* of the two to ensure all keys are found. Note the length checks
501	* on the cell later ensure that there won't be any critical errors.
502	*/
503	if(num_keys < ret_val->num_keys)
504	num_keys = ret_val->num_keys;
505	else
506	ret_val->num_keys = num_keys;
507	}
508
509	if(cell_length - REGFI_HASH_LIST_MIN_LENGTH - sizeof(uint32)
510	< ret_val->num_keys*sizeof(REGF_HASH_LIST_ELEM))
511	return NULL;
512
513	length = sizeof(REGF_HASH_LIST_ELEM)*ret_val->num_keys;
514	ret_val->hashes = (REGF_HASH_LIST_ELEM*)zalloc(length);
515	if(ret_val->hashes == NULL)
516	{
517	free(ret_val);
518	return NULL;
519	}
520
521	hashes = (uint8*)zalloc(length);
522	if(hashes == NULL)
523	{
524	free(ret_val->hashes);
525	free(ret_val);
526	return NULL;
527	}
528
529	if(regfi_read(file->fd, hashes, &length) != 0
530	\|\| length != sizeof(REGF_HASH_LIST_ELEM)*ret_val->num_keys)
531	{
532	free(ret_val->hashes);
533	free(ret_val);
534	return NULL;
535	}
536
537	for (i=0; i < ret_val->num_keys; i++)
538	{
539	ret_val->hashes[i].nk_off = IVAL(hashes, i*sizeof(REGF_HASH_LIST_ELEM));
540	ret_val->hashes[i].hash = IVAL(hashes, i*sizeof(REGF_HASH_LIST_ELEM)+4);
541	}
542	free(hashes);
543
544	return ret_val;
545	}
546
547
548
549	/*******************************************************************
550	*******************************************************************/
551	REGF_SK_REC* regfi_parse_sk(REGF_FILE* file, uint32 offset, uint32 max_size, bool strict)
552	{
553	REGF_SK_REC* ret_val;
554	uint32 cell_length, length;
555	prs_struct ps;
556	uint8 sk_header[REGFI_SK_MIN_LENGTH];
557	bool unalloc = false;
558
559
560	if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH,
561	&cell_length, &unalloc))
562	return NULL;
563
564	if(sk_header[0] != 's' \|\| sk_header[1] != 'k')
565	return NULL;
566
567	ret_val = (REGF_SK_REC*)zalloc(sizeof(REGF_SK_REC));
568	if(ret_val == NULL)
569	return NULL;
570
571	ret_val->offset = offset;
572	/* XXX: Is there a way to be more conservative (shorter) with
573	* cell length when cell is unallocated?
574	*/
575	ret_val->cell_size = cell_length;
576
577	if(ret_val->cell_size > max_size)
578	ret_val->cell_size = max_size & 0xFFFFFFF8;
579	if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
580	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
581	{
582	free(ret_val);
583	return NULL;
584	}
585
586	ret_val->magic[0] = sk_header[0];
587	ret_val->magic[1] = sk_header[1];
588
589	/* XXX: Can additional validation be added here? */
590	ret_val->unknown_tag = SVAL(sk_header, 0x2);
591	ret_val->prev_sk_off = IVAL(sk_header, 0x4);
592	ret_val->next_sk_off = IVAL(sk_header, 0x8);
593	ret_val->ref_count = IVAL(sk_header, 0xC);
594	ret_val->desc_size = IVAL(sk_header, 0x10);
595
596	if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
597	{
598	free(ret_val);
599	return NULL;
600	}
601
602	/* XXX: need to get rid of this, but currently the security descriptor
603	* code depends on the ps structure.
604	*/
605	if(!prs_init(&ps, ret_val->desc_size, NULL, UNMARSHALL))
606	{
607	free(ret_val);
608	return NULL;
609	}
610
611	length = ret_val->desc_size;
612	if(regfi_read(file->fd, (uint8*)ps.data_p, &length) != 0
613	\|\| length != ret_val->desc_size)
614	{
615	free(ret_val);
616	return NULL;
617	}
618
619	if (!sec_io_desc("sec_desc", &ret_val->sec_desc, &ps, 0))
620	{
621	free(ret_val);
622	return NULL;
623	}
624
625	free(ps.data_p);
626
627	return ret_val;
628	}
629
630
631	uint32* regfi_parse_valuelist(REGF_FILE* file, uint32 offset,
632	uint32 num_values, bool strict)
633	{
634	uint32* ret_val;
635	uint32 i, cell_length, length, read_len;
636	bool unalloc;
637
638	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
639	return NULL;
640
641	if(cell_length != (cell_length & 0xFFFFFFF8))
642	{
643	if(strict)
644	return NULL;
645	cell_length = cell_length & 0xFFFFFFF8;
646	}
647	if((num_values * sizeof(uint32)) > cell_length-sizeof(uint32))
648	return NULL;
649
650	read_len = num_values*sizeof(uint32);
651	ret_val = (uint32*)malloc(read_len);
652	if(ret_val == NULL)
653	return NULL;
654
655	length = read_len;
656	if((regfi_read(file->fd, (uint8*)ret_val, &length) != 0) \|\| length != read_len)
657	{
658	free(ret_val);
659	return NULL;
660	}
661
662	for(i=0; i < num_values; i++)
663	{
664	/* Fix endianness */
665	ret_val[i] = IVAL(&ret_val[i], 0);
666
667	/* Validate the first num_values values to ensure they make sense */
668	if(strict)
669	{
670	if((ret_val[i] + REGF_BLOCKSIZE > file->file_length)
671	\|\| ((ret_val[i] & 0xFFFFFFF8) != ret_val[i]))
672	{
673	free(ret_val);
674	return NULL;
675	}
676	}
677	}
678
679	return ret_val;
680	}
681
682
683
684	/******************************************************************************
685	* If !strict, the list may contain NULLs, VK records may point to NULL.
686	******************************************************************************/
687	REGF_VK_REC** regfi_load_valuelist(REGF_FILE* file, uint32 offset,
688	uint32 num_values, uint32 max_size,
689	bool strict)
690	{
691	REGF_VK_REC** ret_val;
692	REGF_HBIN* hbin;
693	uint32 i, vk_offset, vk_max_length, usable_num_values;
694	uint32* voffsets;
695
696	if((num_values+1) * sizeof(uint32) > max_size)
697	{
698	if(strict)
699	return NULL;
700	usable_num_values = max_size/sizeof(uint32) - sizeof(uint32);
701	}
702	else
703	usable_num_values = num_values;
704
705	voffsets = regfi_parse_valuelist(file, offset, usable_num_values, strict);
706	if(voffsets == NULL)
707	return NULL;
708
709	ret_val = (REGF_VK_REC*)zalloc(sizeof(REGF_VK_REC) * num_values);
710	if(ret_val == NULL)
711	{
712	free(voffsets);
713	return NULL;
714	}
715
716	for(i=0; i < usable_num_values; i++)
717	{
718	hbin = regfi_lookup_hbin(file, voffsets[i]);
719	if(!hbin)
720	{
721	free(voffsets);
722	free(ret_val);
723	return NULL;
724	}
725
726	vk_offset = voffsets[i] + REGF_BLOCKSIZE;
727	vk_max_length = hbin->block_size - vk_offset + sizeof(uint32);
728	ret_val[i] = regfi_parse_vk(file, vk_offset, vk_max_length, strict);
729	if(ret_val[i] == NULL)
730	{ /* If we're being strict, throw out the whole list.
731	* Otherwise, let it be NULL.
732	*/
733	if(strict)
734	{
735	free(voffsets);
736	free(ret_val);
737	return NULL;
738	}
739	}
740	}
741
742	free(voffsets);
743	return ret_val;
744	}
745
746
747
748	/*******************************************************************
749	* XXX: Need to add full key caching using a
750	* custom cache structure.
751	*******************************************************************/
752	REGF_NK_REC* regfi_load_key(REGF_FILE* file, uint32 offset, bool strict)
753	{
754	REGF_HBIN* hbin;
755	REGF_HBIN* sub_hbin;
756	REGF_NK_REC* nk;
757	uint32 max_length, off;
758
759	hbin = regfi_lookup_hbin(file, offset-REGF_BLOCKSIZE);
760	if (hbin == NULL)
761	return NULL;
762
763	/* get the initial nk record */
764	max_length = hbin->block_size + hbin->file_off - offset;
765	if ((nk = regfi_parse_nk(file, offset, max_length, true)) == NULL)
766	return NULL;
767
768	/* fill in values */
769	if(nk->num_values && (nk->values_off!=REGF_OFFSET_NONE))
770	{
771	sub_hbin = hbin;
772	if(!regfi_offset_in_hbin(hbin, nk->values_off))
773	sub_hbin = regfi_lookup_hbin(file, nk->values_off);
774
775	if(sub_hbin == NULL)
776	{
777	if(strict)
778	{
779	free(nk);
780	return NULL;
781	}
782	else
783	nk->values = NULL;
784	}
785	else
786	{
787	off = nk->values_off + REGF_BLOCKSIZE;
788	max_length = sub_hbin->block_size + sub_hbin->file_off - off;
789	nk->values = regfi_load_valuelist(file, off, nk->num_values, max_length,
790	true);
791	if(strict && nk->values == NULL)
792	{
793	free(nk);
794	return NULL;
795	}
796	}
797	}
798
799	/* now get subkeys */
800	if(nk->num_subkeys && (nk->subkeys_off != REGF_OFFSET_NONE))
801	{
802	sub_hbin = hbin;
803	if(!regfi_offset_in_hbin(hbin, nk->subkeys_off))
804	sub_hbin = regfi_lookup_hbin(file, nk->subkeys_off);
805
806	if (sub_hbin == NULL)
807	{
808	if(strict)
809	{
810	regfi_key_free(nk);
811	return NULL;
812	}
813	else
814	nk->subkeys = NULL;
815	}
816	else
817	{
818	off = nk->subkeys_off + REGF_BLOCKSIZE;
819	max_length = sub_hbin->block_size + sub_hbin->file_off - off;
820	nk->subkeys = regfi_load_hashlist(file, off, nk->num_subkeys,
821	max_length, true);
822	if(nk->subkeys == NULL)
823	{
824	/* XXX: Temporary hack to get around 'ri' records */
825	nk->num_subkeys = 0;
826	}
827	}
828	}
829
830	return nk;
831	}
832
833
834	/******************************************************************************
835
836	******************************************************************************/
837	static bool regfi_find_root_nk(REGF_FILE* file, uint32 offset, uint32 hbin_size,
838	uint32* root_offset)
839	{
840	uint8 tmp[4];
841	int32 record_size;
842	uint32 length, hbin_offset = 0;
843	REGF_NK_REC* nk = NULL;
844	bool found = false;
845
846	for(record_size=0; !found && (hbin_offset < hbin_size); )
847	{
848	if(lseek(file->fd, offset+hbin_offset, SEEK_SET) == -1)
849	return false;
850
851	length = 4;
852	if((regfi_read(file->fd, tmp, &length) != 0) \|\| length != 4)
853	return false;
854	record_size = IVALS(tmp, 0);
855
856	if(record_size < 0)
857	{
858	record_size = record_size*(-1);
859	nk = regfi_parse_nk(file, offset+hbin_offset, hbin_size-hbin_offset, true);
860	if(nk != NULL)
861	{
862	if(nk->key_type == NK_TYPE_ROOTKEY)
863	{
864	found = true;
865	*root_offset = nk->offset;
866	}
867	free(nk);
868	}
869	}
870
871	hbin_offset += record_size;
872	}
873
874	return found;
875	}
876
877
878	/*******************************************************************
879	* Open the registry file and then read in the REGF block to get the
880	* first hbin offset.
881	*******************************************************************/
882	REGF_FILE* regfi_open(const char* filename)
883	{
884	REGF_FILE* rb;
885	REGF_HBIN* hbin = NULL;
886	uint32 hbin_off;
887	int fd;
888	bool rla;
889
890	/* open an existing file */
891	if ((fd = open(filename, O_RDONLY)) == -1)
892	{
893	/* DEBUG(0,("regfi_open: failure to open %s (%s)\n", filename, strerror(errno)));*/
894	return NULL;
895	}
896
897	/* read in an existing file */
898	if ((rb = regfi_parse_regf(fd, true)) == NULL)
899	{
900	/* DEBUG(0,("regfi_open: Failed to read initial REGF block\n"));*/
901	close(fd);
902	return NULL;
903	}
904
905	rb->hbins = range_list_new();
906	if(rb->hbins == NULL)
907	{
908	range_list_free(rb->hbins);
909	close(fd);
910	free(rb);
911	return NULL;
912	}
913
914	rla = true;
915	hbin_off = REGF_BLOCKSIZE;
916	hbin = regfi_parse_hbin(rb, hbin_off, true);
917	while(hbin && rla)
918	{
919	hbin_off = hbin->file_off + hbin->block_size;
920	rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
921	hbin = regfi_parse_hbin(rb, hbin_off, true);
922	}
923
924	/* success */
925	return rb;
926	}
927
928
929	/*******************************************************************
930	*******************************************************************/
931	int regfi_close( REGF_FILE *file )
932	{
933	int fd;
934	uint32 i;
935
936	/* nothing to do if there is no open file */
937	if ((file == NULL) \|\| (file->fd == -1))
938	return 0;
939
940	fd = file->fd;
941	file->fd = -1;
942	for(i=0; i < range_list_size(file->hbins); i++)
943	free(range_list_get(file->hbins, i)->data);
944	range_list_free(file->hbins);
945
946	free(file);
947
948	return close(fd);
949	}
950
951
952	/******************************************************************************
953	* There should be only one root key in the registry file based
954	* on my experience. --jerry
955	*****************************************************************************/
956	REGF_NK_REC* regfi_rootkey(REGF_FILE *file)
957	{
958	REGF_NK_REC* nk = NULL;
959	REGF_HBIN* hbin;
960	uint32 root_offset, i, num_hbins;
961
962	if(!file)
963	return NULL;
964
965	/* Scan through the file one HBIN block at a time looking
966	for an NK record with a type == 0x002c.
967	Normally this is the first nk record in the first hbin
968	block (but I'm not assuming that for now) */
969
970	num_hbins = range_list_size(file->hbins);
971	for(i=0; i < num_hbins; i++)
972	{
973	hbin = (REGF_HBIN*)range_list_get(file->hbins, i)->data;
974	if(regfi_find_root_nk(file, hbin->file_off+HBIN_HEADER_REC_SIZE,
975	hbin->block_size-HBIN_HEADER_REC_SIZE, &root_offset))
976	{
977	nk = regfi_load_key(file, root_offset, true);
978	break;
979	}
980	}
981
982	return nk;
983	}
984
985
986	/******************************************************************************
987	*****************************************************************************/
988	void regfi_key_free(REGF_NK_REC* nk)
989	{
990	uint32 i;
991
992	if((nk->values != NULL) && (nk->values_off!=REGF_OFFSET_NONE))
993	{
994	for(i=0; i < nk->num_values; i++)
995	{
996	if(nk->values[i]->valuename != NULL)
997	free(nk->values[i]->valuename);
998	if(nk->values[i]->data != NULL)
999	free(nk->values[i]->data);
1000	free(nk->values[i]);
1001	}
1002	free(nk->values);
1003	}
1004
1005	if(nk->keyname != NULL)
1006	free(nk->keyname);
1007	if(nk->classname != NULL)
1008	free(nk->classname);
1009
1010	/* XXX: not freeing hbin because these are cached. This needs to be reviewed. */
1011	/* XXX: not freeing sec_desc because these are cached. This needs to be reviewed. */
1012	free(nk);
1013	}
1014
1015
1016	/******************************************************************************
1017	*****************************************************************************/
1018	REGFI_ITERATOR* regfi_iterator_new(REGF_FILE* fh)
1019	{
1020	REGF_NK_REC* root;
1021	REGFI_ITERATOR* ret_val = (REGFI_ITERATOR*)malloc(sizeof(REGFI_ITERATOR));
1022	if(ret_val == NULL)
1023	return NULL;
1024
1025	root = regfi_rootkey(fh);
1026	if(root == NULL)
1027	{
1028	free(ret_val);
1029	return NULL;
1030	}
1031
1032	ret_val->key_positions = void_stack_new(REGF_MAX_DEPTH);
1033	if(ret_val->key_positions == NULL)
1034	{
1035	free(ret_val);
1036	free(root);
1037	return NULL;
1038	}
1039
1040	/* This secret isn't very secret, but we don't need a good one. This
1041	* secret is just designed to prevent someone from trying to blow our
1042	* caching and make things slow.
1043	*/
1044	ret_val->sk_recs = lru_cache_create(127, 0x15DEAD05^time(NULL)
1045	^(getpid()<<16)^(getppid()<<8),
1046	true);
1047
1048	ret_val->f = fh;
1049	ret_val->cur_key = root;
1050	ret_val->cur_subkey = 0;
1051	ret_val->cur_value = 0;
1052
1053	return ret_val;
1054	}
1055
1056
1057	/******************************************************************************
1058	*****************************************************************************/
1059	void regfi_iterator_free(REGFI_ITERATOR* i)
1060	{
1061	REGFI_ITER_POSITION* cur;
1062
1063	if(i->cur_key != NULL)
1064	regfi_key_free(i->cur_key);
1065
1066	while((cur = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions)) != NULL)
1067	{
1068	regfi_key_free(cur->nk);
1069	free(cur);
1070	}
1071
1072	lru_cache_destroy(i->sk_recs);
1073
1074	free(i);
1075	}
1076
1077
1078
1079	/******************************************************************************
1080	*****************************************************************************/
1081	/* XXX: some way of indicating reason for failure should be added. */
1082	bool regfi_iterator_down(REGFI_ITERATOR* i)
1083	{
1084	REGF_NK_REC* subkey;
1085	REGFI_ITER_POSITION* pos;
1086
1087	pos = (REGFI_ITER_POSITION*)malloc(sizeof(REGFI_ITER_POSITION));
1088	if(pos == NULL)
1089	return false;
1090
1091	subkey = (REGF_NK_REC*)regfi_iterator_cur_subkey(i);
1092	if(subkey == NULL)
1093	{
1094	free(pos);
1095	return false;
1096	}
1097
1098	pos->nk = i->cur_key;
1099	pos->cur_subkey = i->cur_subkey;
1100	if(!void_stack_push(i->key_positions, pos))
1101	{
1102	free(pos);
1103	regfi_key_free(subkey);
1104	return false;
1105	}
1106
1107	i->cur_key = subkey;
1108	i->cur_subkey = 0;
1109	i->cur_value = 0;
1110
1111	return true;
1112	}
1113
1114
1115	/******************************************************************************
1116	*****************************************************************************/
1117	bool regfi_iterator_up(REGFI_ITERATOR* i)
1118	{
1119	REGFI_ITER_POSITION* pos;
1120
1121	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
1122	if(pos == NULL)
1123	return false;
1124
1125	regfi_key_free(i->cur_key);
1126	i->cur_key = pos->nk;
1127	i->cur_subkey = pos->cur_subkey;
1128	i->cur_value = 0;
1129	free(pos);
1130
1131	return true;
1132	}
1133
1134
1135	/******************************************************************************
1136	*****************************************************************************/
1137	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
1138	{
1139	while(regfi_iterator_up(i))
1140	continue;
1141
1142	return true;
1143	}
1144
1145
1146	/******************************************************************************
1147	*****************************************************************************/
1148	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
1149	{
1150	REGF_NK_REC* subkey;
1151	bool found = false;
1152	uint32 old_subkey = i->cur_subkey;
1153
1154	if(subkey_name == NULL)
1155	return false;
1156
1157	/* XXX: this alloc/free of each sub key might be a bit excessive */
1158	subkey = (REGF_NK_REC*)regfi_iterator_first_subkey(i);
1159	while((subkey != NULL) && (found == false))
1160	{
1161	if(subkey->keyname != NULL
1162	&& strcasecmp(subkey->keyname, subkey_name) == 0)
1163	found = true;
1164	else
1165	{
1166	regfi_key_free(subkey);
1167	subkey = (REGF_NK_REC*)regfi_iterator_next_subkey(i);
1168	}
1169	}
1170
1171	if(found == false)
1172	{
1173	i->cur_subkey = old_subkey;
1174	return false;
1175	}
1176
1177	regfi_key_free(subkey);
1178	return true;
1179	}
1180
1181
1182	/******************************************************************************
1183	*****************************************************************************/
1184	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
1185	{
1186	uint32 x;
1187	if(path == NULL)
1188	return false;
1189
1190	for(x=0;
1191	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
1192	&& regfi_iterator_down(i));
1193	x++)
1194	{ continue; }
1195
1196	if(path[x] == NULL)
1197	return true;
1198
1199	/* XXX: is this the right number of times? */
1200	for(; x > 0; x--)
1201	regfi_iterator_up(i);
1202
1203	return false;
1204	}
1205
1206
1207	/******************************************************************************
1208	*****************************************************************************/
1209	const REGF_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
1210	{
1211	return i->cur_key;
1212	}
1213
1214
1215	/******************************************************************************
1216	*****************************************************************************/
1217	const REGF_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i)
1218	{
1219	REGF_SK_REC* ret_val;
1220	REGF_HBIN* hbin;
1221	uint32 max_length, off;
1222
1223	if(i->cur_key == NULL)
1224	return NULL;
1225
1226	/* First look if we have already parsed it */
1227	if((i->cur_key->sk_off!=REGF_OFFSET_NONE)
1228	&& !(ret_val =(REGF_SK_REC*)lru_cache_find(i->sk_recs,
1229	&i->cur_key->sk_off, 4)))
1230	{
1231	hbin = regfi_lookup_hbin(i->f, i->cur_key->sk_off);
1232
1233	if(hbin == NULL)
1234	return NULL;
1235
1236	off = i->cur_key->sk_off + REGF_BLOCKSIZE;
1237	max_length = hbin->block_size + hbin->file_off - off;
1238	ret_val = regfi_parse_sk(i->f, off, max_length, true);
1239	if(ret_val == NULL)
1240	return NULL;
1241
1242	ret_val->sk_off = i->cur_key->sk_off;
1243	lru_cache_update(i->sk_recs, &i->cur_key->sk_off, 4, ret_val);
1244	}
1245
1246	return ret_val;
1247	}
1248
1249
1250
1251	/******************************************************************************
1252	*****************************************************************************/
1253	const REGF_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
1254	{
1255	i->cur_subkey = 0;
1256	return regfi_iterator_cur_subkey(i);
1257	}
1258
1259
1260	/******************************************************************************
1261	*****************************************************************************/
1262	const REGF_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
1263	{
1264	uint32 nk_offset;
1265
1266	/* see if there is anything left to report */
1267	if (!(i->cur_key) \|\| (i->cur_key->subkeys_off==REGF_OFFSET_NONE)
1268	\|\| (i->cur_subkey >= i->cur_key->num_subkeys))
1269	return NULL;
1270
1271	nk_offset = i->cur_key->subkeys->hashes[i->cur_subkey].nk_off;
1272
1273	return regfi_load_key(i->f, nk_offset+REGF_BLOCKSIZE, true);
1274	}
1275
1276
1277	/******************************************************************************
1278	*****************************************************************************/
1279	/* XXX: some way of indicating reason for failure should be added. */
1280	const REGF_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
1281	{
1282	const REGF_NK_REC* subkey;
1283
1284	i->cur_subkey++;
1285	subkey = regfi_iterator_cur_subkey(i);
1286
1287	if(subkey == NULL)
1288	i->cur_subkey--;
1289
1290	return subkey;
1291	}
1292
1293
1294	/******************************************************************************
1295	*****************************************************************************/
1296	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
1297	{
1298	const REGF_VK_REC* cur;
1299	bool found = false;
1300
1301	/* XXX: cur->valuename can be NULL in the registry.
1302	* Should we allow for a way to search for that?
1303	*/
1304	if(value_name == NULL)
1305	return false;
1306
1307	cur = regfi_iterator_first_value(i);
1308	while((cur != NULL) && (found == false))
1309	{
1310	if((cur->valuename != NULL)
1311	&& (strcasecmp(cur->valuename, value_name) == 0))
1312	found = true;
1313	else
1314	cur = regfi_iterator_next_value(i);
1315	}
1316
1317	return found;
1318	}
1319
1320
1321	/******************************************************************************
1322	*****************************************************************************/
1323	const REGF_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
1324	{
1325	i->cur_value = 0;
1326	return regfi_iterator_cur_value(i);
1327	}
1328
1329
1330	/******************************************************************************
1331	*****************************************************************************/
1332	const REGF_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
1333	{
1334	REGF_VK_REC* ret_val = NULL;
1335	if(i->cur_value < i->cur_key->num_values)
1336	ret_val = i->cur_key->values[i->cur_value];
1337
1338	return ret_val;
1339	}
1340
1341
1342	/******************************************************************************
1343	*****************************************************************************/
1344	const REGF_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
1345	{
1346	const REGF_VK_REC* ret_val;
1347
1348	i->cur_value++;
1349	ret_val = regfi_iterator_cur_value(i);
1350	if(ret_val == NULL)
1351	i->cur_value--;
1352
1353	return ret_val;
1354	}
1355
1356
1357
1358	/*******************************************************************
1359	* Computes the checksum of the registry file header.
1360	* buffer must be at least the size of an regf header (4096 bytes).
1361	*******************************************************************/
1362	static uint32 regfi_compute_header_checksum(uint8* buffer)
1363	{
1364	uint32 checksum, x;
1365	int i;
1366
1367	/* XOR of all bytes 0x0000 - 0x01FB */
1368
1369	checksum = x = 0;
1370
1371	for ( i=0; i<0x01FB; i+=4 ) {
1372	x = IVAL(buffer, i );
1373	checksum ^= x;
1374	}
1375
1376	return checksum;
1377	}
1378
1379
1380	/*******************************************************************
1381	* XXX: Add way to return more detailed error information.
1382	*******************************************************************/
1383	REGF_FILE* regfi_parse_regf(int fd, bool strict)
1384	{
1385	uint8 file_header[REGF_BLOCKSIZE];
1386	uint32 length;
1387	uint32 file_length;
1388	struct stat sbuf;
1389	REGF_FILE* ret_val;
1390
1391	/* Determine file length. Must be at least big enough
1392	* for the header and one hbin.
1393	*/
1394	if (fstat(fd, &sbuf) == -1)
1395	return NULL;
1396	file_length = sbuf.st_size;
1397	if(file_length < REGF_BLOCKSIZE+REGF_ALLOC_BLOCK)
1398	return NULL;
1399
1400	ret_val = (REGF_FILE*)zalloc(sizeof(REGF_FILE));
1401	if(ret_val == NULL)
1402	return NULL;
1403
1404	ret_val->fd = fd;
1405	ret_val->file_length = file_length;
1406
1407	length = REGF_BLOCKSIZE;
1408	if((regfi_read(fd, file_header, &length)) != 0
1409	\|\| length != REGF_BLOCKSIZE)
1410	{
1411	free(ret_val);
1412	return NULL;
1413	}
1414
1415	ret_val->checksum = IVAL(file_header, 0x1FC);
1416	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
1417	if (strict && (ret_val->checksum != ret_val->computed_checksum))
1418	{
1419	free(ret_val);
1420	return NULL;
1421	}
1422
1423	memcpy(ret_val->magic, file_header, 4);
1424	if(strict && (memcmp(ret_val->magic, "regf", 4) != 0))
1425	{
1426	free(ret_val);
1427	return NULL;
1428	}
1429
1430	ret_val->unknown1 = IVAL(file_header, 0x4);
1431	ret_val->unknown2 = IVAL(file_header, 0x8);
1432
1433	ret_val->mtime.low = IVAL(file_header, 0xC);
1434	ret_val->mtime.high = IVAL(file_header, 0x10);
1435
1436	ret_val->unknown3 = IVAL(file_header, 0x14);
1437	ret_val->unknown4 = IVAL(file_header, 0x18);
1438	ret_val->unknown5 = IVAL(file_header, 0x1C);
1439	ret_val->unknown6 = IVAL(file_header, 0x20);
1440
1441	ret_val->data_offset = IVAL(file_header, 0x24);
1442	ret_val->last_block = IVAL(file_header, 0x28);
1443
1444	ret_val->unknown7 = IVAL(file_header, 0x2C);
1445
1446	return ret_val;
1447	}
1448
1449
1450
1451	/*******************************************************************
1452	* Given real file offset, read and parse the hbin at that location
1453	* along with it's associated cells.
1454	*******************************************************************/
1455	/* XXX: Need a way to return types of errors.
1456	*/
1457	REGF_HBIN* regfi_parse_hbin(REGF_FILE* file, uint32 offset, bool strict)
1458	{
1459	REGF_HBIN *hbin;
1460	uint8 hbin_header[HBIN_HEADER_REC_SIZE];
1461	uint32 length;
1462
1463	if(offset >= file->file_length)
1464	return NULL;
1465
1466	if(lseek(file->fd, offset, SEEK_SET) == -1)
1467	return NULL;
1468
1469	length = HBIN_HEADER_REC_SIZE;
1470	if((regfi_read(file->fd, hbin_header, &length) != 0)
1471	\|\| length != HBIN_HEADER_REC_SIZE)
1472	return NULL;
1473
1474
1475	if(lseek(file->fd, offset, SEEK_SET) == -1)
1476	return NULL;
1477
1478	if(!(hbin = (REGF_HBIN*)zalloc(sizeof(REGF_HBIN))))
1479	return NULL;
1480	hbin->file_off = offset;
1481
1482	memcpy(hbin->magic, hbin_header, 4);
1483	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
1484	{
1485	free(hbin);
1486	return NULL;
1487	}
1488
1489	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
1490	hbin->block_size = IVAL(hbin_header, 0x8);
1491	/* this should be the same thing as hbin->block_size but just in case */
1492	hbin->next_block = IVAL(hbin_header, 0x1C);
1493
1494
1495	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
1496	* the end of the file.
1497	*/
1498	/* XXX: This may need to be relaxed for dealing with
1499	* partial or corrupt files.
1500	*/
1501	if((offset + hbin->block_size > file->file_length)
1502	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
1503	{
1504	free(hbin);
1505	return NULL;
1506	}
1507
1508	return hbin;
1509	}
1510
1511
1512	/*******************************************************************
1513	*******************************************************************/
1514	REGF_NK_REC* regfi_parse_nk(REGF_FILE* file, uint32 offset,
1515	uint32 max_size, bool strict)
1516	{
1517	uint8 nk_header[REGFI_NK_MIN_LENGTH];
1518	REGF_NK_REC* ret_val;
1519	uint32 length;
1520	uint32 cell_length;
1521	bool unalloc = false;
1522
1523	if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH,
1524	&cell_length, &unalloc))
1525	return NULL;
1526
1527	/* A bit of validation before bothering to allocate memory */
1528	if((nk_header[0x0] != 'n') \|\| (nk_header[0x1] != 'k'))
1529	{
1530	/* XXX: Deal with subkey-lists that reference other subkey-lists
1531	* (e.g. 'ri' records).
1532	*/
1533	return NULL;
1534	}
1535
1536	ret_val = (REGF_NK_REC*)zalloc(sizeof(REGF_NK_REC));
1537	if(ret_val == NULL)
1538	return NULL;
1539
1540	ret_val->offset = offset;
1541	ret_val->cell_size = cell_length;
1542
1543	if(ret_val->cell_size > max_size)
1544	ret_val->cell_size = max_size & 0xFFFFFFF8;
1545	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
1546	\|\| (strict && ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8)))
1547	{
1548	free(ret_val);
1549	return NULL;
1550	}
1551
1552	ret_val->magic[0] = nk_header[0x0];
1553	ret_val->magic[1] = nk_header[0x1];
1554	ret_val->key_type = SVAL(nk_header, 0x2);
1555	if((ret_val->key_type != NK_TYPE_NORMALKEY)
1556	&& (ret_val->key_type != NK_TYPE_ROOTKEY)
1557	&& (ret_val->key_type != NK_TYPE_LINKKEY)
1558	&& (ret_val->key_type != NK_TYPE_UNKNOWN1))
1559	{
1560	free(ret_val);
1561	return NULL;
1562	}
1563
1564	ret_val->mtime.low = IVAL(nk_header, 0x4);
1565	ret_val->mtime.high = IVAL(nk_header, 0x8);
1566	/* If the key is unallocated and the MTIME is earlier than Jan 1, 1990
1567	* or later than Jan 1, 2290, we consider this a bad key. This helps
1568	* weed out some false positives during deleted data recovery.
1569	*/
1570	if(unalloc
1571	&& ((ret_val->mtime.high < REGFI_MTIME_MIN_HIGH
1572	&& ret_val->mtime.low < REGFI_MTIME_MIN_LOW)
1573	\|\| (ret_val->mtime.high > REGFI_MTIME_MAX_HIGH
1574	&& ret_val->mtime.low > REGFI_MTIME_MAX_LOW)))
1575	return NULL;
1576
1577	ret_val->unknown1 = IVAL(nk_header, 0xC);
1578	ret_val->parent_off = IVAL(nk_header, 0x10);
1579	ret_val->num_subkeys = IVAL(nk_header, 0x14);
1580	ret_val->unknown2 = IVAL(nk_header, 0x18);
1581	ret_val->subkeys_off = IVAL(nk_header, 0x1C);
1582	ret_val->unknown3 = IVAL(nk_header, 0x20);
1583	ret_val->num_values = IVAL(nk_header, 0x24);
1584	ret_val->values_off = IVAL(nk_header, 0x28);
1585	ret_val->sk_off = IVAL(nk_header, 0x2C);
1586	ret_val->classname_off = IVAL(nk_header, 0x30);
1587
1588	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
1589	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
1590	ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
1591	ret_val->max_bytes_value = IVAL(nk_header, 0x40);
1592	ret_val->unk_index = IVAL(nk_header, 0x44);
1593
1594	ret_val->name_length = SVAL(nk_header, 0x48);
1595	ret_val->classname_length = SVAL(nk_header, 0x4A);
1596
1597
1598	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
1599	{
1600	if(strict)
1601	{
1602	free(ret_val);
1603	return NULL;
1604	}
1605	else
1606	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
1607	}
1608	else if (unalloc)
1609	{ /* Truncate cell_size if it's much larger than the apparent total record length. */
1610	/* Round up to the next multiple of 8 */
1611	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
1612	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
1613	length+=8;
1614
1615	/* If cell_size is still greater, truncate. */
1616	if(length < ret_val->cell_size)
1617	ret_val->cell_size = length;
1618	}
1619
1620	ret_val->keyname = (char)zalloc(sizeof(char)(ret_val->name_length+1));
1621	if(ret_val->keyname == NULL)
1622	{
1623	free(ret_val);
1624	return NULL;
1625	}
1626
1627	/* Don't need to seek, should be at the right offset */
1628	length = ret_val->name_length;
1629	if((regfi_read(file->fd, (uint8*)ret_val->keyname, &length) != 0)
1630	\|\| length != ret_val->name_length)
1631	{
1632	free(ret_val->keyname);
1633	free(ret_val);
1634	return NULL;
1635	}
1636	ret_val->keyname[ret_val->name_length] = '\0';
1637
1638	if(ret_val->classname_off != REGF_OFFSET_NONE)
1639	{
1640	ret_val->classname
1641	= regfi_parse_classname(file, ret_val->classname_off+REGF_BLOCKSIZE,
1642	&ret_val->classname_length, strict);
1643	/*
1644	if(strict && ret_val->classname == NULL)
1645	return NULL;
1646	*/
1647	}
1648
1649	return ret_val;
1650	}
1651
1652
1653	/*******************************************************************/
1654	/* XXX: Not currently validating against hbin length. */
1655	/*******************************************************************/
1656	char* regfi_parse_classname(REGF_FILE* file, uint32 offset,
1657	uint16* name_length, bool strict)
1658	{
1659	char* ret_val = NULL;
1660	uint32 length;
1661	uint32 cell_length;
1662	bool unalloc = false;
1663
1664	if(*name_length > 0 && offset != REGF_OFFSET_NONE
1665	&& offset == (offset & 0xFFFFFFF8))
1666	{
1667	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
1668	return NULL;
1669
1670	if(cell_length < *name_length)
1671	{
1672	if(strict)
1673	return NULL;
1674	*name_length = cell_length & 0xFFFFFFF8;
1675	}
1676
1677	ret_val = (char)zalloc(name_length);
1678	if(ret_val != NULL)
1679	{
1680	length = *name_length;
1681	if((regfi_read(file->fd, (uint8*)ret_val, &length) != 0)
1682	\|\| length != *name_length)
1683	{
1684	free(ret_val);
1685	return NULL;
1686	}
1687
1688	/printf("==> cell_length=%d, classname_length=%d, max_bytes_subkeyclassname=%d\n", cell_length, ret_val->classname_length, ret_val->max_bytes_subkeyclassname);/
1689	}
1690	}
1691
1692	return ret_val;
1693	}
1694
1695
1696	/*******************************************************************
1697	*******************************************************************/
1698	REGF_VK_REC* regfi_parse_vk(REGF_FILE* file, uint32 offset,
1699	uint32 max_size, bool strict)
1700	{
1701	REGF_VK_REC* ret_val;
1702	uint8 vk_header[REGFI_VK_MIN_LENGTH];
1703	uint32 raw_data_size, length, cell_length;
1704	bool unalloc = false;
1705
1706	if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH,
1707	&cell_length, &unalloc))
1708	return NULL;
1709
1710	ret_val = (REGF_VK_REC*)zalloc(sizeof(REGF_VK_REC));
1711	if(ret_val == NULL)
1712	return NULL;
1713
1714	ret_val->offset = offset;
1715	ret_val->cell_size = cell_length;
1716
1717	if(ret_val->cell_size > max_size)
1718	ret_val->cell_size = max_size & 0xFFFFFFF8;
1719	if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
1720	\|\| ret_val->cell_size != (ret_val->cell_size & 0xFFFFFFF8))
1721	{
1722	free(ret_val);
1723	return NULL;
1724	}
1725
1726	ret_val->magic[0] = vk_header[0x0];
1727	ret_val->magic[1] = vk_header[0x1];
1728	if((ret_val->magic[0] != 'v') \|\| (ret_val->magic[1] != 'k'))
1729	{
1730	/* XXX: This does not account for deleted keys under Win2K which
1731	* often have this (and the name length) overwritten with
1732	* 0xFFFF.
1733	*/
1734	free(ret_val);
1735	return NULL;
1736	}
1737
1738	ret_val->name_length = SVAL(vk_header, 0x2);
1739	raw_data_size = IVAL(vk_header, 0x4);
1740	ret_val->data_size = raw_data_size & ~VK_DATA_IN_OFFSET;
1741	ret_val->data_in_offset = (bool)(raw_data_size & VK_DATA_IN_OFFSET);
1742	ret_val->data_off = IVAL(vk_header, 0x8);
1743	ret_val->type = IVAL(vk_header, 0xC);
1744	ret_val->flag = SVAL(vk_header, 0x10);
1745	ret_val->unknown1 = SVAL(vk_header, 0x12);
1746
1747	if(ret_val->flag & VK_FLAG_NAME_PRESENT)
1748	{
1749	if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size)
1750	{
1751	if(strict)
1752	{
1753	free(ret_val);
1754	return NULL;
1755	}
1756	else
1757	ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4;
1758	}
1759
1760	/* Round up to the next multiple of 8 */
1761	cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8;
1762	if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4)
1763	cell_length+=8;
1764
1765	ret_val->valuename = (char)zalloc(sizeof(char)(ret_val->name_length+1));
1766	if(ret_val->valuename == NULL)
1767	{
1768	free(ret_val);
1769	return NULL;
1770	}
1771
1772	length = ret_val->name_length;
1773	if((regfi_read(file->fd, (uint8*)ret_val->valuename, &length) != 0)
1774	\|\| length != ret_val->name_length)
1775	{
1776	free(ret_val->valuename);
1777	free(ret_val);
1778	return NULL;
1779	}
1780	ret_val->valuename[ret_val->name_length] = '\0';
1781	}
1782	else
1783	cell_length = REGFI_VK_MIN_LENGTH + 4;
1784
1785	if(unalloc)
1786	{
1787	/* If cell_size is still greater, truncate. */
1788	if(cell_length < ret_val->cell_size)
1789	ret_val->cell_size = cell_length;
1790	}
1791
1792	if(ret_val->data_size == 0)
1793	ret_val->data = NULL;
1794	else
1795	{
1796	ret_val->data = regfi_parse_data(file, ret_val->data_off+REGF_BLOCKSIZE,
1797	raw_data_size, strict);
1798	if(strict && (ret_val->data == NULL))
1799	{
1800	free(ret_val->valuename);
1801	free(ret_val);
1802	return NULL;
1803	}
1804	}
1805
1806	return ret_val;
1807	}
1808
1809
1810	uint8* regfi_parse_data(REGF_FILE* file, uint32 offset, uint32 length, bool strict)
1811	{
1812	uint8* ret_val;
1813	uint32 read_length, cell_length;
1814	uint8 i;
1815	bool unalloc;
1816
1817	/* The data is stored in the offset if the size <= 4 */
1818	if (length & VK_DATA_IN_OFFSET)
1819	{
1820	length = length & ~VK_DATA_IN_OFFSET;
1821	if(length > 4)
1822	return NULL;
1823
1824	if((ret_val = (uint8)zalloc(sizeof(uint8)length)) == NULL)
1825	return NULL;
1826
1827	offset = offset - REGF_BLOCKSIZE;
1828	for(i = 0; i < length; i++)
1829	ret_val[i] = (uint8)((offset >> i*8) & 0xFF);
1830	}
1831	else
1832	{
1833	if(!regfi_parse_cell(file->fd, offset, NULL, 0,
1834	&cell_length, &unalloc))
1835	return NULL;
1836
1837	if((cell_length & 0xFFFFFFF8) != cell_length)
1838	return NULL;
1839
1840	if(cell_length - 4 < length)
1841	{
1842	/* XXX: This strict condition has been triggered in multiple registries.
1843	* Not sure the cause, but the data length values are very large,
1844	* such as 53392.
1845	*/
1846	if(strict)
1847	return NULL;
1848	else
1849	length = cell_length - 4;
1850	}
1851
1852	/* XXX: There is currently no check to ensure the data
1853	* cell doesn't cross HBIN boundary.
1854	*/
1855
1856	if((ret_val = (uint8)zalloc(sizeof(uint8)length)) == NULL)
1857	return NULL;
1858
1859	read_length = length;
1860	if((regfi_read(file->fd, ret_val, &read_length) != 0)
1861	\|\| read_length != length)
1862	{
1863	free(ret_val);
1864	return NULL;
1865	}
1866	}
1867
1868	return ret_val;
1869	}
1870
1871
1872	range_list* regfi_parse_unalloc_cells(REGF_FILE* file)
1873	{
1874	range_list* ret_val;
1875	REGF_HBIN* hbin;
1876	const range_list_element* hbins_elem;
1877	uint32 i, num_hbins, curr_off, cell_len;
1878	bool is_unalloc;
1879
1880	ret_val = range_list_new();
1881	if(ret_val == NULL)
1882	return NULL;
1883
1884	num_hbins = range_list_size(file->hbins);
1885	for(i=0; i<num_hbins; i++)
1886	{
1887	hbins_elem = range_list_get(file->hbins, i);
1888	if(hbins_elem == NULL)
1889	break;
1890	hbin = (REGF_HBIN*)hbins_elem->data;
1891
1892	curr_off = HBIN_HEADER_REC_SIZE;
1893	while(curr_off < hbin->block_size)
1894	{
1895	if(!regfi_parse_cell(file->fd, hbin->file_off+curr_off, NULL, 0,
1896	&cell_len, &is_unalloc))
1897	break;
1898
1899	if((cell_len == 0) \|\| ((cell_len & 0xFFFFFFF8) != cell_len))
1900	/* XXX: should report an error here. */
1901	break;
1902
1903	/* for some reason the record_size of the last record in
1904	an hbin block can extend past the end of the block
1905	even though the record fits within the remaining
1906	space....aaarrrgggghhhhhh */
1907	if(curr_off + cell_len >= hbin->block_size)
1908	cell_len = hbin->block_size - curr_off;
1909
1910	if(is_unalloc)
1911	range_list_add(ret_val, hbin->file_off+curr_off,
1912	cell_len, NULL);
1913
1914	curr_off = curr_off+cell_len;
1915	}
1916	}
1917
1918	return ret_val;
1919	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: