Context Navigation

source: trunk/lib/regfi.c @ 166

Last change on this file since 166 was 166, checked in by tim, 14 years ago
fixed a bug in big data parsing broke up some of REGFI_FILE initialization started added more regfi API documentation
Property svn:keywords set to `Id`
File size: 86.1 KB

Line
1	/*
2	* Branched from Samba project Subversion repository, version #7470:
3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
4	*
5	* Windows NT (and later) registry parsing library
6	*
7	* Copyright (C) 2005-2009 Timothy D. Morgan
8	* Copyright (C) 2005 Gerald (Jerry) Carter
9	*
10	* This program is free software; you can redistribute it and/or modify
11	* it under the terms of the GNU General Public License as published by
12	* the Free Software Foundation; version 3 of the License.
13	*
14	* This program is distributed in the hope that it will be useful,
15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	* GNU General Public License for more details.
18	*
19	* You should have received a copy of the GNU General Public License
20	* along with this program; if not, write to the Free Software
21	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22	*
23	* $Id: regfi.c 166 2009-12-16 03:18:05Z tim $
24	*/
25
26	#include "regfi.h"
27
28
29	/* Registry types mapping */
30	const unsigned int regfi_num_reg_types = 12;
31	static const char* regfi_type_names[] =
32	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
33	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
34
35	const char* regfi_encoding_names[] =
36	{"US-ASCII//TRANSLIT", "UTF-8//TRANSLIT", "UTF-16LE//TRANSLIT"};
37
38
39	/******************************************************************************
40	******************************************************************************/
41	void regfi_add_message(REGFI_FILE* file, uint16 msg_type, const char* fmt, ...)
42	{
43	/* XXX: This function is not particularly efficient,
44	* but then it is mostly used during errors.
45	*/
46	uint32 buf_size, buf_used;
47	char* new_msg;
48	va_list args;
49
50	if((file->msg_mask & msg_type) != 0)
51	{
52	if(file->last_message == NULL)
53	buf_used = 0;
54	else
55	buf_used = strlen(file->last_message);
56
57	buf_size = buf_used+strlen(fmt)+160;
58	new_msg = realloc(file->last_message, buf_size);
59	if(new_msg == NULL)
60	/* XXX: should we report this? */
61	return;
62
63	switch (msg_type)
64	{
65	case REGFI_MSG_INFO:
66	strcpy(new_msg+buf_used, "INFO: ");
67	buf_used += 6;
68	break;
69	case REGFI_MSG_WARN:
70	strcpy(new_msg+buf_used, "WARN: ");
71	buf_used += 6;
72	break;
73	case REGFI_MSG_ERROR:
74	strcpy(new_msg+buf_used, "ERROR: ");
75	buf_used += 7;
76	break;
77	}
78
79	va_start(args, fmt);
80	vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
81	va_end(args);
82	strncat(new_msg, "\n", buf_size-1);
83
84	file->last_message = new_msg;
85	}
86	}
87
88
89	/******************************************************************************
90	******************************************************************************/
91	char* regfi_get_messages(REGFI_FILE* file)
92	{
93	char* ret_val = file->last_message;
94	file->last_message = NULL;
95
96	return ret_val;
97	}
98
99
100	void regfi_set_message_mask(REGFI_FILE* file, uint16 mask)
101	{
102	file->msg_mask = mask;
103	}
104
105
106	/******************************************************************************
107	* Returns NULL for an invalid e
108	*****************************************************************************/
109	static const char* regfi_encoding_int2str(REGFI_ENCODING e)
110	{
111	if(e < REGFI_NUM_ENCODINGS)
112	return regfi_encoding_names[e];
113
114	return NULL;
115	}
116
117
118	/******************************************************************************
119	* Returns NULL for an invalid val
120	*****************************************************************************/
121	const char* regfi_type_val2str(unsigned int val)
122	{
123	if(val == REG_KEY)
124	return "KEY";
125
126	if(val >= regfi_num_reg_types)
127	return NULL;
128
129	return regfi_type_names[val];
130	}
131
132
133	/******************************************************************************
134	* Returns -1 on error
135	*****************************************************************************/
136	int regfi_type_str2val(const char* str)
137	{
138	int i;
139
140	if(strcmp("KEY", str) == 0)
141	return REG_KEY;
142
143	for(i=0; i < regfi_num_reg_types; i++)
144	if (strcmp(regfi_type_names[i], str) == 0)
145	return i;
146
147	if(strcmp("DWORD_LE", str) == 0)
148	return REG_DWORD_LE;
149
150	return -1;
151	}
152
153
154	/* Security descriptor formatting functions */
155
156	const char* regfi_ace_type2str(uint8 type)
157	{
158	static const char* map[7]
159	= {"ALLOW", "DENY", "AUDIT", "ALARM",
160	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
161	if(type < 7)
162	return map[type];
163	else
164	/* XXX: would be nice to return the unknown integer value.
165	* However, as it is a const string, it can't be free()ed later on,
166	* so that would need to change.
167	*/
168	return "UNKNOWN";
169	}
170
171
172	/* XXX: need a better reference on the meaning of each flag. */
173	/* For more info, see:
174	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
175	*/
176	char* regfi_ace_flags2str(uint8 flags)
177	{
178	static const char* flag_map[32] =
179	{ "OI", /* Object Inherit */
180	"CI", /* Container Inherit */
181	"NP", /* Non-Propagate */
182	"IO", /* Inherit Only */
183	"IA", /* Inherited ACE */
184	NULL,
185	NULL,
186	NULL,
187	};
188
189	char* ret_val = malloc(35*sizeof(char));
190	char* fo = ret_val;
191	uint32 i;
192	uint8 f;
193
194	if(ret_val == NULL)
195	return NULL;
196
197	fo[0] = '\0';
198	if (!flags)
199	return ret_val;
200
201	for(i=0; i < 8; i++)
202	{
203	f = (1<<i);
204	if((flags & f) && (flag_map[i] != NULL))
205	{
206	strcpy(fo, flag_map[i]);
207	fo += strlen(flag_map[i]);
208	*(fo++) = ' ';
209	flags ^= f;
210	}
211	}
212
213	/* Any remaining unknown flags are added at the end in hex. */
214	if(flags != 0)
215	sprintf(fo, "0x%.2X ", flags);
216
217	/* Chop off the last space if we've written anything to ret_val */
218	if(fo != ret_val)
219	fo[-1] = '\0';
220
221	return ret_val;
222	}
223
224
225	char* regfi_ace_perms2str(uint32 perms)
226	{
227	uint32 i, p;
228	/* This is more than is needed by a fair margin. */
229	char* ret_val = malloc(350*sizeof(char));
230	char* r = ret_val;
231
232	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
233	* For more information, see:
234	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
235	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
236	*/
237	static const char* perm_map[32] =
238	{/* object-specific permissions (registry keys, in this case) */
239	"QRY_VAL", /* KEY_QUERY_VALUE */
240	"SET_VAL", /* KEY_SET_VALUE */
241	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
242	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
243	"NOTIFY", /* KEY_NOTIFY */
244	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
245	NULL,
246	NULL,
247	"WOW64_64", /* KEY_WOW64_64KEY */
248	"WOW64_32", /* KEY_WOW64_32KEY */
249	NULL,
250	NULL,
251	NULL,
252	NULL,
253	NULL,
254	NULL,
255	/* standard access rights */
256	"DELETE", /* DELETE */
257	"R_CONT", /* READ_CONTROL */
258	"W_DAC", /* WRITE_DAC */
259	"W_OWNER", /* WRITE_OWNER */
260	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
261	NULL,
262	NULL,
263	NULL,
264	/* other generic */
265	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
266	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
267	NULL,
268	NULL,
269	"GEN_A", /* GENERIC_ALL */
270	"GEN_X", /* GENERIC_EXECUTE */
271	"GEN_W", /* GENERIC_WRITE */
272	"GEN_R", /* GENERIC_READ */
273	};
274
275
276	if(ret_val == NULL)
277	return NULL;
278
279	r[0] = '\0';
280	for(i=0; i < 32; i++)
281	{
282	p = (1<<i);
283	if((perms & p) && (perm_map[i] != NULL))
284	{
285	strcpy(r, perm_map[i]);
286	r += strlen(perm_map[i]);
287	*(r++) = ' ';
288	perms ^= p;
289	}
290	}
291
292	/* Any remaining unknown permission bits are added at the end in hex. */
293	if(perms != 0)
294	sprintf(r, "0x%.8X ", perms);
295
296	/* Chop off the last space if we've written anything to ret_val */
297	if(r != ret_val)
298	r[-1] = '\0';
299
300	return ret_val;
301	}
302
303
304	char* regfi_sid2str(WINSEC_DOM_SID* sid)
305	{
306	uint32 i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
307	uint32 left = size;
308	uint8 comps = sid->num_auths;
309	char* ret_val = malloc(size);
310
311	if(ret_val == NULL)
312	return NULL;
313
314	if(comps > WINSEC_MAX_SUBAUTHS)
315	comps = WINSEC_MAX_SUBAUTHS;
316
317	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
318
319	for (i = 0; i < comps; i++)
320	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
321
322	return ret_val;
323	}
324
325
326	char* regfi_get_acl(WINSEC_ACL* acl)
327	{
328	uint32 i, extra, size = 0;
329	const char* type_str;
330	char* flags_str;
331	char* perms_str;
332	char* sid_str;
333	char* ace_delim = "";
334	char* ret_val = NULL;
335	char* tmp_val = NULL;
336	bool failed = false;
337	char field_delim = ':';
338
339	for (i = 0; i < acl->num_aces && !failed; i++)
340	{
341	sid_str = regfi_sid2str(acl->aces[i]->trustee);
342	type_str = regfi_ace_type2str(acl->aces[i]->type);
343	perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask);
344	flags_str = regfi_ace_flags2str(acl->aces[i]->flags);
345
346	if(flags_str != NULL && perms_str != NULL
347	&& type_str != NULL && sid_str != NULL)
348	{
349	/* XXX: this is slow */
350	extra = strlen(sid_str) + strlen(type_str)
351	+ strlen(perms_str) + strlen(flags_str) + 5;
352	tmp_val = realloc(ret_val, size+extra);
353
354	if(tmp_val == NULL)
355	{
356	free(ret_val);
357	ret_val = NULL;
358	failed = true;
359	}
360	else
361	{
362	ret_val = tmp_val;
363	size += sprintf(ret_val+size, "%s%s%c%s%c%s%c%s",
364	ace_delim,sid_str,
365	field_delim,type_str,
366	field_delim,perms_str,
367	field_delim,flags_str);
368	ace_delim = "\|";
369	}
370	}
371	else
372	failed = true;
373
374	if(sid_str != NULL)
375	free(sid_str);
376	if(sid_str != NULL)
377	free(perms_str);
378	if(sid_str != NULL)
379	free(flags_str);
380	}
381
382	return ret_val;
383	}
384
385
386	char* regfi_get_sacl(WINSEC_DESC *sec_desc)
387	{
388	if (sec_desc->sacl)
389	return regfi_get_acl(sec_desc->sacl);
390	else
391	return NULL;
392	}
393
394
395	char* regfi_get_dacl(WINSEC_DESC *sec_desc)
396	{
397	if (sec_desc->dacl)
398	return regfi_get_acl(sec_desc->dacl);
399	else
400	return NULL;
401	}
402
403
404	char* regfi_get_owner(WINSEC_DESC *sec_desc)
405	{
406	return regfi_sid2str(sec_desc->owner_sid);
407	}
408
409
410	char* regfi_get_group(WINSEC_DESC *sec_desc)
411	{
412	return regfi_sid2str(sec_desc->grp_sid);
413	}
414
415
416	/*****************************************************************************
417	* This function is just like read(2), except that it continues to
418	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
419	* regfi_read will attempt to read length bytes from fd and write them to buf.
420	*
421	* On success, 0 is returned. Upon failure, an errno code is returned.
422	*
423	* The number of bytes successfully read is returned through the length
424	* parameter by reference. If both the return value and length parameter are
425	* returned as 0, then EOF was encountered immediately
426	*****************************************************************************/
427	uint32 regfi_read(int fd, uint8* buf, uint32* length)
428	{
429	uint32 rsize = 0;
430	uint32 rret = 0;
431
432	do
433	{
434	rret = read(fd, buf + rsize, *length - rsize);
435	if(rret > 0)
436	rsize += rret;
437	}while(*length - rsize > 0
438	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
439
440	*length = rsize;
441	if (rret == -1 && errno != EINTR && errno != EAGAIN)
442	return errno;
443
444	return 0;
445	}
446
447
448	/*****************************************************************************
449	*
450	*****************************************************************************/
451	bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len,
452	uint32* cell_length, bool* unalloc)
453	{
454	uint32 length;
455	int32 raw_length;
456	uint8 tmp[4];
457
458	if(lseek(fd, offset, SEEK_SET) == -1)
459	return false;
460
461	length = 4;
462	if((regfi_read(fd, tmp, &length) != 0) \|\| length != 4)
463	return false;
464	raw_length = IVALS(tmp, 0);
465
466	if(raw_length < 0)
467	{
468	(cell_length) = raw_length(-1);
469	(*unalloc) = false;
470	}
471	else
472	{
473	(*cell_length) = raw_length;
474	(*unalloc) = true;
475	}
476
477	if(*cell_length - 4 < hdr_len)
478	return false;
479
480	if(hdr_len > 0)
481	{
482	length = hdr_len;
483	if((regfi_read(fd, hdr, &length) != 0) \|\| length != hdr_len)
484	return false;
485	}
486
487	return true;
488	}
489
490
491	/******************************************************************************
492	* Given an offset and an hbin, is the offset within that hbin?
493	* The offset is a virtual file offset.
494	******************************************************************************/
495	static bool regfi_offset_in_hbin(const REGFI_HBIN* hbin, uint32 voffset)
496	{
497	if(!hbin)
498	return false;
499
500	if((voffset > hbin->first_hbin_off)
501	&& (voffset < (hbin->first_hbin_off + hbin->block_size)))
502	return true;
503
504	return false;
505	}
506
507
508
509	/******************************************************************************
510	* Provide a physical offset and receive the correpsonding HBIN
511	* block for it. NULL if one doesn't exist.
512	******************************************************************************/
513	const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32 offset)
514	{
515	return (const REGFI_HBIN*)range_list_find_data(file->hbins, offset);
516	}
517
518
519	/******************************************************************************
520	* Calculate the largest possible cell size given a physical offset.
521	* Largest size is based on the HBIN the offset is currently a member of.
522	* Returns negative values on error.
523	* (Since cells can only be ~2^31 in size, this works out.)
524	******************************************************************************/
525	int32 regfi_calc_maxsize(REGFI_FILE* file, uint32 offset)
526	{
527	const REGFI_HBIN* hbin = regfi_lookup_hbin(file, offset);
528	if(hbin == NULL)
529	return -1;
530
531	return (hbin->block_size + hbin->file_off) - offset;
532	}
533
534
535	/******************************************************************************
536	******************************************************************************/
537	REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32 offset,
538	uint32 num_keys, uint32 max_size,
539	bool strict)
540	{
541	REGFI_SUBKEY_LIST* ret_val;
542
543	ret_val = regfi_load_subkeylist_aux(file, offset, max_size, strict,
544	REGFI_MAX_SUBKEY_DEPTH);
545	if(ret_val == NULL)
546	{
547	regfi_add_message(file, REGFI_MSG_WARN, "Failed to load subkey list at"
548	" offset 0x%.8X.", offset);
549	return NULL;
550	}
551
552	if(num_keys != ret_val->num_keys)
553	{
554	/* Not sure which should be authoritative, the number from the
555	* NK record, or the number in the subkey list. Just emit a warning for
556	* now if they don't match.
557	*/
558	regfi_add_message(file, REGFI_MSG_WARN, "Number of subkeys listed in parent"
559	" (%d) did not match number found in subkey list/tree (%d)"
560	" while parsing subkey list/tree at offset 0x%.8X.",
561	num_keys, ret_val->num_keys, offset);
562	}
563
564	return ret_val;
565	}
566
567
568	/******************************************************************************
569	******************************************************************************/
570	REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32 offset,
571	uint32 max_size, bool strict,
572	uint8 depth_left)
573	{
574	REGFI_SUBKEY_LIST* ret_val;
575	REGFI_SUBKEY_LIST** sublists;
576	uint32 i, num_sublists, off;
577	int32 sublist_maxsize;
578
579	if(depth_left == 0)
580	{
581	regfi_add_message(file, REGFI_MSG_WARN, "Maximum depth reached"
582	" while parsing subkey list/tree at offset 0x%.8X.",
583	offset);
584	return NULL;
585	}
586
587	ret_val = regfi_parse_subkeylist(file, offset, max_size, strict);
588	if(ret_val == NULL)
589	return NULL;
590
591	if(ret_val->recursive_type)
592	{
593	num_sublists = ret_val->num_children;
594	sublists = (REGFI_SUBKEY_LIST**)malloc(num_sublists
595	* sizeof(REGFI_SUBKEY_LIST*));
596	for(i=0; i < num_sublists; i++)
597	{
598	off = ret_val->elements[i].offset + REGFI_REGF_SIZE;
599
600	sublist_maxsize = regfi_calc_maxsize(file, off);
601	if(sublist_maxsize < 0)
602	sublists[i] = NULL;
603	else
604	sublists[i] = regfi_load_subkeylist_aux(file, off, sublist_maxsize,
605	strict, depth_left-1);
606	}
607	talloc_free(ret_val);
608
609	return regfi_merge_subkeylists(num_sublists, sublists, strict);
610	}
611
612	return ret_val;
613	}
614
615
616	/******************************************************************************
617	******************************************************************************/
618	REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32 offset,
619	uint32 max_size, bool strict)
620	{
621	REGFI_SUBKEY_LIST* ret_val;
622	uint32 i, cell_length, length, elem_size, read_len;
623	uint8* elements = NULL;
624	uint8 buf[REGFI_SUBKEY_LIST_MIN_LEN];
625	bool unalloc;
626	bool recursive_type;
627
628	if(!regfi_parse_cell(file->fd, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN,
629	&cell_length, &unalloc))
630	{
631	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while "
632	"parsing subkey-list at offset 0x%.8X.", offset);
633	return NULL;
634	}
635
636	if(cell_length > max_size)
637	{
638	regfi_add_message(file, REGFI_MSG_WARN, "Cell size longer than max_size"
639	" while parsing subkey-list at offset 0x%.8X.", offset);
640	if(strict)
641	return NULL;
642	cell_length = max_size & 0xFFFFFFF8;
643	}
644
645	recursive_type = false;
646	if(buf[0] == 'r' && buf[1] == 'i')
647	{
648	recursive_type = true;
649	elem_size = sizeof(uint32);
650	}
651	else if(buf[0] == 'l' && buf[1] == 'i')
652	elem_size = sizeof(uint32);
653	else if((buf[0] == 'l') && (buf[1] == 'f' \|\| buf[1] == 'h'))
654	elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM);
655	else
656	{
657	regfi_add_message(file, REGFI_MSG_ERROR, "Unknown magic number"
658	" (0x%.2X, 0x%.2X) encountered while parsing"
659	" subkey-list at offset 0x%.8X.", buf[0], buf[1], offset);
660	return NULL;
661	}
662
663	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
664	if(ret_val == NULL)
665	return NULL;
666
667	ret_val->offset = offset;
668	ret_val->cell_size = cell_length;
669	ret_val->magic[0] = buf[0];
670	ret_val->magic[1] = buf[1];
671	ret_val->recursive_type = recursive_type;
672	ret_val->num_children = SVAL(buf, 0x2);
673
674	if(!recursive_type)
675	ret_val->num_keys = ret_val->num_children;
676
677	length = elem_size*ret_val->num_children;
678	if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32) < length)
679	{
680	regfi_add_message(file, REGFI_MSG_WARN, "Number of elements too large for"
681	" cell while parsing subkey-list at offset 0x%.8X.",
682	offset);
683	if(strict)
684	goto fail;
685	length = cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32);
686	}
687
688	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
689	ret_val->num_children);
690	if(ret_val->elements == NULL)
691	goto fail;
692
693	elements = (uint8*)malloc(length);
694	if(elements == NULL)
695	goto fail;
696
697	read_len = length;
698	if(regfi_read(file->fd, elements, &read_len) != 0 \|\| read_len != length)
699	goto fail;
700
701	if(elem_size == sizeof(uint32))
702	{
703	for (i=0; i < ret_val->num_children; i++)
704	{
705	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
706	ret_val->elements[i].hash = 0;
707	}
708	}
709	else
710	{
711	for (i=0; i < ret_val->num_children; i++)
712	{
713	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
714	ret_val->elements[i].hash = IVAL(elements, i*elem_size+4);
715	}
716	}
717	free(elements);
718
719	return ret_val;
720
721	fail:
722	if(elements != NULL)
723	free(elements);
724	talloc_free(ret_val);
725	return NULL;
726	}
727
728
729	/*******************************************************************
730	*******************************************************************/
731	REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16 num_lists,
732	REGFI_SUBKEY_LIST** lists,
733	bool strict)
734	{
735	uint32 i,j,k;
736	REGFI_SUBKEY_LIST* ret_val;
737
738	if(lists == NULL)
739	return NULL;
740	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
741
742	if(ret_val == NULL)
743	return NULL;
744
745	/* Obtain total number of elements */
746	ret_val->num_keys = 0;
747	for(i=0; i < num_lists; i++)
748	{
749	if(lists[i] != NULL)
750	ret_val->num_keys += lists[i]->num_children;
751	}
752	ret_val->num_children = ret_val->num_keys;
753
754	if(ret_val->num_keys > 0)
755	{
756	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
757	ret_val->num_keys);
758	k=0;
759
760	if(ret_val->elements != NULL)
761	{
762	for(i=0; i < num_lists; i++)
763	{
764	if(lists[i] != NULL)
765	{
766	for(j=0; j < lists[i]->num_keys; j++)
767	{
768	ret_val->elements[k].hash = lists[i]->elements[j].hash;
769	ret_val->elements[k++].offset = lists[i]->elements[j].offset;
770	}
771	}
772	}
773	}
774	}
775
776	for(i=0; i < num_lists; i++)
777	regfi_subkeylist_free(lists[i]);
778	free(lists);
779
780	return ret_val;
781	}
782
783
784	/******************************************************************************
785	*
786	******************************************************************************/
787	REGFI_SK_REC* regfi_parse_sk(REGFI_FILE* file, uint32 offset, uint32 max_size,
788	bool strict)
789	{
790	REGFI_SK_REC* ret_val;
791	uint8* sec_desc_buf = NULL;
792	uint32 cell_length, length;
793	uint8 sk_header[REGFI_SK_MIN_LENGTH];
794	bool unalloc = false;
795
796	if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH,
797	&cell_length, &unalloc))
798	{
799	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse SK record cell"
800	" at offset 0x%.8X.", offset);
801	return NULL;
802	}
803
804	if(sk_header[0] != 's' \|\| sk_header[1] != 'k')
805	{
806	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
807	" SK record at offset 0x%.8X.", offset);
808	return NULL;
809	}
810
811	ret_val = talloc(NULL, REGFI_SK_REC);
812	if(ret_val == NULL)
813	return NULL;
814
815	ret_val->offset = offset;
816	/* XXX: Is there a way to be more conservative (shorter) with
817	* cell length when cell is unallocated?
818	*/
819	ret_val->cell_size = cell_length;
820
821	if(ret_val->cell_size > max_size)
822	ret_val->cell_size = max_size & 0xFFFFFFF8;
823	if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
824	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
825	{
826	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size found while"
827	" parsing SK record at offset 0x%.8X.", offset);
828	goto fail;
829	}
830
831	ret_val->magic[0] = sk_header[0];
832	ret_val->magic[1] = sk_header[1];
833
834	ret_val->unknown_tag = SVAL(sk_header, 0x2);
835	ret_val->prev_sk_off = IVAL(sk_header, 0x4);
836	ret_val->next_sk_off = IVAL(sk_header, 0x8);
837	ret_val->ref_count = IVAL(sk_header, 0xC);
838	ret_val->desc_size = IVAL(sk_header, 0x10);
839
840	if((ret_val->prev_sk_off & 0x00000007) != 0
841	\|\| (ret_val->next_sk_off & 0x00000007) != 0)
842	{
843	regfi_add_message(file, REGFI_MSG_WARN, "SK record's next/previous offsets"
844	" are not a multiple of 8 while parsing SK record at"
845	" offset 0x%.8X.", offset);
846	goto fail;
847	}
848
849	if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
850	{
851	regfi_add_message(file, REGFI_MSG_WARN, "Security descriptor too large for"
852	" cell while parsing SK record at offset 0x%.8X.",
853	offset);
854	goto fail;
855	}
856
857	sec_desc_buf = (uint8*)malloc(ret_val->desc_size);
858	if(sec_desc_buf == NULL)
859	goto fail;
860
861	length = ret_val->desc_size;
862	if(regfi_read(file->fd, sec_desc_buf, &length) != 0
863	\|\| length != ret_val->desc_size)
864	{
865	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read security"
866	" descriptor while parsing SK record at offset 0x%.8X.",
867	offset);
868	goto fail;
869	}
870
871	if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf,
872	ret_val->desc_size)))
873	{
874	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to parse security"
875	" descriptor while parsing SK record at offset 0x%.8X.",
876	offset);
877	goto fail;
878	}
879
880	free(sec_desc_buf);
881	return ret_val;
882
883	fail:
884	if(sec_desc_buf != NULL)
885	free(sec_desc_buf);
886	talloc_free(ret_val);
887	return NULL;
888	}
889
890
891	REGFI_VALUE_LIST* regfi_parse_valuelist(REGFI_FILE* file, uint32 offset,
892	uint32 num_values, bool strict)
893	{
894	REGFI_VALUE_LIST* ret_val;
895	uint32 i, cell_length, length, read_len;
896	bool unalloc;
897
898	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
899	{
900	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read cell header"
901	" while parsing value list at offset 0x%.8X.", offset);
902	return NULL;
903	}
904
905	if((cell_length & 0x00000007) != 0)
906	{
907	regfi_add_message(file, REGFI_MSG_WARN, "Cell length not a multiple of 8"
908	" while parsing value list at offset 0x%.8X.", offset);
909	if(strict)
910	return NULL;
911	cell_length = cell_length & 0xFFFFFFF8;
912	}
913
914	if((num_values * sizeof(uint32)) > cell_length-sizeof(uint32))
915	{
916	regfi_add_message(file, REGFI_MSG_WARN, "Too many values found"
917	" while parsing value list at offset 0x%.8X.", offset);
918	if(strict)
919	return NULL;
920	num_values = cell_length/sizeof(uint32) - sizeof(uint32);
921	}
922
923	read_len = num_values*sizeof(uint32);
924	ret_val = talloc(NULL, REGFI_VALUE_LIST);
925	if(ret_val == NULL)
926	return NULL;
927
928	ret_val->elements = (REGFI_VALUE_LIST_ELEM*)talloc_size(ret_val, read_len);
929	if(ret_val->elements == NULL)
930	{
931	talloc_free(ret_val);
932	return NULL;
933	}
934	ret_val->num_values = num_values;
935
936	length = read_len;
937	if((regfi_read(file->fd, (uint8*)ret_val->elements, &length) != 0)
938	\|\| length != read_len)
939	{
940	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read value pointers"
941	" while parsing value list at offset 0x%.8X.", offset);
942	talloc_free(ret_val);
943	return NULL;
944	}
945
946	for(i=0; i < num_values; i++)
947	{
948	/* Fix endianness */
949	ret_val->elements[i] = IVAL(&ret_val->elements[i], 0);
950
951	/* Validate the first num_values values to ensure they make sense */
952	if(strict)
953	{
954	/* XXX: Need to revisit this file length check when we start dealing
955	* with partial files. */
956	if((ret_val->elements[i] + REGFI_REGF_SIZE > file->file_length)
957	\|\| ((ret_val->elements[i] & 0x00000007) != 0))
958	{
959	regfi_add_message(file, REGFI_MSG_WARN, "Invalid value pointer"
960	" (0x%.8X) found while parsing value list at offset"
961	" 0x%.8X.", ret_val->elements[i], offset);
962	talloc_free(ret_val);
963	return NULL;
964	}
965	}
966	}
967
968	return ret_val;
969	}
970
971
972
973	/******************************************************************************
974	******************************************************************************/
975	REGFI_VK_REC* regfi_load_value(REGFI_FILE* file, uint32 offset,
976	REGFI_ENCODING output_encoding, bool strict)
977	{
978	REGFI_VK_REC* ret_val = NULL;
979	int32 max_size, tmp_size;
980	REGFI_ENCODING from_encoding;
981
982	max_size = regfi_calc_maxsize(file, offset);
983	if(max_size < 0)
984	return NULL;
985
986	ret_val = regfi_parse_vk(file, offset, max_size, strict);
987	if(ret_val == NULL)
988	return NULL;
989
990	/* XXX: Registry value names are supposedly limited to 16383 characters
991	* according to:
992	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
993	* Might want to emit a warning if this is exceeded.
994	* It is expected that "characters" could be variable width.
995	* Also, it may be useful to use this information to limit false positives
996	* when recovering deleted VK records.
997	*/
998
999	from_encoding = (ret_val->flags & REGFI_VK_FLAG_ASCIINAME)
1000	? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
1001
1002	if(from_encoding == output_encoding)
1003	{
1004	ret_val->valuename_raw = talloc_realloc(ret_val, ret_val->valuename_raw,
1005	uint8, ret_val->name_length+1);
1006	ret_val->valuename_raw[ret_val->name_length] = '\0';
1007	ret_val->valuename = (char*)ret_val->valuename_raw;
1008	}
1009	else
1010	{
1011	ret_val->valuename = talloc_array(ret_val, char, ret_val->name_length+1);
1012	if(ret_val->valuename == NULL)
1013	{
1014	regfi_free_value(ret_val);
1015	return NULL;
1016	}
1017
1018	tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
1019	regfi_encoding_int2str(output_encoding),
1020	ret_val->valuename_raw, ret_val->valuename,
1021	ret_val->name_length, ret_val->name_length+1);
1022	if(tmp_size < 0)
1023	{
1024	regfi_add_message(file, REGFI_MSG_WARN, "Error occurred while converting"
1025	" valuename to encoding %s. Error message: %s",
1026	regfi_encoding_int2str(output_encoding),
1027	strerror(-tmp_size));
1028	talloc_free(ret_val->valuename);
1029	ret_val->valuename = NULL;
1030	}
1031	}
1032
1033	return ret_val;
1034	}
1035
1036
1037	/******************************************************************************
1038	* If !strict, the list may contain NULLs, VK records may point to NULL.
1039	******************************************************************************/
1040	REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32 offset,
1041	uint32 num_values, uint32 max_size,
1042	bool strict)
1043	{
1044	uint32 usable_num_values;
1045
1046	if((num_values+1) * sizeof(uint32) > max_size)
1047	{
1048	regfi_add_message(file, REGFI_MSG_WARN, "Number of values indicated by"
1049	" parent key (%d) would cause cell to straddle HBIN"
1050	" boundary while loading value list at offset"
1051	" 0x%.8X.", num_values, offset);
1052	if(strict)
1053	return NULL;
1054	usable_num_values = max_size/sizeof(uint32) - sizeof(uint32);
1055	}
1056	else
1057	usable_num_values = num_values;
1058
1059	return regfi_parse_valuelist(file, offset, usable_num_values, strict);
1060	}
1061
1062
1063
1064	/******************************************************************************
1065	*
1066	******************************************************************************/
1067	REGFI_NK_REC* regfi_load_key(REGFI_FILE* file, uint32 offset,
1068	REGFI_ENCODING output_encoding, bool strict)
1069	{
1070	REGFI_NK_REC* nk;
1071	uint32 off;
1072	int32 max_size, tmp_size;
1073	REGFI_ENCODING from_encoding;
1074
1075	max_size = regfi_calc_maxsize(file, offset);
1076	if (max_size < 0)
1077	return NULL;
1078
1079	/* get the initial nk record */
1080	if((nk = regfi_parse_nk(file, offset, max_size, true)) == NULL)
1081	{
1082	regfi_add_message(file, REGFI_MSG_ERROR, "Could not load NK record at"
1083	" offset 0x%.8X.", offset);
1084	return NULL;
1085	}
1086
1087	/* XXX: Registry key names are supposedly limited to 255 characters according to:
1088	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
1089	* Might want to emit a warning if this is exceeded.
1090	* It is expected that "characters" could be variable width.
1091	* Also, it may be useful to use this information to limit false positives
1092	* when recovering deleted NK records.
1093	*/
1094	from_encoding = (nk->flags & REGFI_NK_FLAG_ASCIINAME)
1095	? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
1096
1097	if(from_encoding == output_encoding)
1098	{
1099	nk->keyname_raw = talloc_realloc(nk, nk->keyname_raw, uint8, nk->name_length+1);
1100	nk->keyname_raw[nk->name_length] = '\0';
1101	nk->keyname = (char*)nk->keyname_raw;
1102	}
1103	else
1104	{
1105	nk->keyname = talloc_array(nk, char, nk->name_length+1);
1106	if(nk->keyname == NULL)
1107	{
1108	regfi_free_key(nk);
1109	return NULL;
1110	}
1111
1112	tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
1113	regfi_encoding_int2str(output_encoding),
1114	nk->keyname_raw, nk->keyname,
1115	nk->name_length, nk->name_length+1);
1116	if(tmp_size < 0)
1117	{
1118	regfi_add_message(file, REGFI_MSG_WARN, "Error occurred while converting"
1119	" keyname to encoding %s. Error message: %s",
1120	regfi_encoding_int2str(output_encoding),
1121	strerror(-tmp_size));
1122	talloc_free(nk->keyname);
1123	nk->keyname = NULL;
1124	}
1125	}
1126
1127
1128	/* get value list */
1129	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
1130	{
1131	off = nk->values_off + REGFI_REGF_SIZE;
1132	max_size = regfi_calc_maxsize(file, off);
1133	if(max_size < 0)
1134	{
1135	if(strict)
1136	{
1137	regfi_free_key(nk);
1138	return NULL;
1139	}
1140	else
1141	nk->values = NULL;
1142
1143	}
1144	else
1145	{
1146	nk->values = regfi_load_valuelist(file, off, nk->num_values,
1147	max_size, true);
1148	if(nk->values == NULL)
1149	{
1150	regfi_add_message(file, REGFI_MSG_WARN, "Could not load value list"
1151	" for NK record at offset 0x%.8X.", offset);
1152	if(strict)
1153	{
1154	regfi_free_key(nk);
1155	return NULL;
1156	}
1157	}
1158	talloc_steal(nk, nk->values);
1159	}
1160	}
1161
1162	/* now get subkey list */
1163	if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE))
1164	{
1165	off = nk->subkeys_off + REGFI_REGF_SIZE;
1166	max_size = regfi_calc_maxsize(file, off);
1167	if(max_size < 0)
1168	{
1169	if(strict)
1170	{
1171	regfi_free_key(nk);
1172	return NULL;
1173	}
1174	else
1175	nk->subkeys = NULL;
1176	}
1177	else
1178	{
1179	nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys,
1180	max_size, true);
1181
1182	if(nk->subkeys == NULL)
1183	{
1184	regfi_add_message(file, REGFI_MSG_WARN, "Could not load subkey list"
1185	" while parsing NK record at offset 0x%.8X.", offset);
1186	nk->num_subkeys = 0;
1187	}
1188	talloc_steal(nk, nk->subkeys);
1189	}
1190	}
1191
1192	return nk;
1193	}
1194
1195
1196	/******************************************************************************
1197	******************************************************************************/
1198	const REGFI_SK_REC* regfi_load_sk(REGFI_FILE* file, uint32 offset, bool strict)
1199	{
1200	REGFI_SK_REC* ret_val = NULL;
1201	int32 max_size;
1202	void* failure_ptr = NULL;
1203
1204	/* First look if we have already parsed it */
1205	ret_val = (REGFI_SK_REC*)lru_cache_find(file->sk_cache, &offset, 4);
1206
1207	/* Bail out if we have previously cached a parse failure at this offset. */
1208	if(ret_val == (void*)REGFI_OFFSET_NONE)
1209	return NULL;
1210
1211	if(ret_val == NULL)
1212	{
1213	max_size = regfi_calc_maxsize(file, offset);
1214	if(max_size < 0)
1215	return NULL;
1216
1217	ret_val = regfi_parse_sk(file, offset, max_size, strict);
1218	if(ret_val == NULL)
1219	{ /* Cache the parse failure and bail out. */
1220	failure_ptr = talloc(NULL, uint32_t);
1221	if(failure_ptr == NULL)
1222	return NULL;
1223	(uint32_t)failure_ptr = REGFI_OFFSET_NONE;
1224	lru_cache_update(file->sk_cache, &offset, 4, failure_ptr);
1225	return NULL;
1226	}
1227
1228	lru_cache_update(file->sk_cache, &offset, 4, ret_val);
1229	}
1230
1231	return ret_val;
1232	}
1233
1234
1235
1236	/******************************************************************************
1237	******************************************************************************/
1238	REGFI_NK_REC* regfi_find_root_nk(REGFI_FILE* file, const REGFI_HBIN* hbin,
1239	REGFI_ENCODING output_encoding)
1240	{
1241	REGFI_NK_REC* nk = NULL;
1242	uint32 cell_length;
1243	uint32 cur_offset = hbin->file_off+REGFI_HBIN_HEADER_SIZE;
1244	uint32 hbin_end = hbin->file_off+hbin->block_size;
1245	bool unalloc;
1246
1247	while(cur_offset < hbin_end)
1248	{
1249	if(!regfi_parse_cell(file->fd, cur_offset, NULL, 0, &cell_length, &unalloc))
1250	{
1251	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell at offset"
1252	" 0x%.8X while searching for root key.", cur_offset);
1253	return NULL;
1254	}
1255
1256	if(!unalloc)
1257	{
1258	nk = regfi_load_key(file, cur_offset, output_encoding, true);
1259	if(nk != NULL)
1260	{
1261	if(nk->flags & REGFI_NK_FLAG_ROOT)
1262	return nk;
1263	}
1264	}
1265
1266	cur_offset += cell_length;
1267	}
1268
1269	return NULL;
1270	}
1271
1272
1273	/******************************************************************************
1274	******************************************************************************/
1275	REGFI_FILE* regfi_open(const char* filename)
1276	{
1277	REGFI_FILE* ret_val;
1278	int fd;
1279
1280	/* open an existing file */
1281	if ((fd = open(filename, REGFI_OPEN_FLAGS)) == -1)
1282	{
1283	/* fprintf(stderr, "regfi_open: failure to open %s (%s)\n", filename, strerror(errno));*/
1284	return NULL;
1285	}
1286
1287	ret_val = regfi_alloc(fd);
1288
1289	if(ret_val == NULL)
1290	close(fd);
1291
1292	return ret_val;
1293	}
1294
1295
1296	/******************************************************************************
1297	******************************************************************************/
1298	REGFI_FILE* regfi_alloc(int fd)
1299	{
1300	struct stat sbuf;
1301	REGFI_FILE* rb;
1302	REGFI_HBIN* hbin = NULL;
1303	uint32 hbin_off, file_length, cache_secret;
1304	bool rla;
1305
1306	/* Determine file length. Must be at least big enough
1307	* for the header and one hbin.
1308	*/
1309	if (fstat(fd, &sbuf) == -1)
1310	return NULL;
1311	file_length = sbuf.st_size;
1312	if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC)
1313	return NULL;
1314
1315	/* Read file header */
1316	if ((rb = regfi_parse_regf(fd, true)) == NULL)
1317	{
1318	/* fprintf(stderr, "regfi_alloc: Failed to read initial REGF block\n"); */
1319	return NULL;
1320	}
1321	rb->file_length = file_length;
1322
1323	rb->hbins = range_list_new();
1324	if(rb->hbins == NULL)
1325	{
1326	/* fprintf(stderr, "regfi_alloc: Failed to create HBIN list.\n"); */
1327	talloc_free(rb);
1328	return NULL;
1329	}
1330	talloc_steal(rb, rb->hbins);
1331
1332	rla = true;
1333	hbin_off = REGFI_REGF_SIZE;
1334	hbin = regfi_parse_hbin(rb, hbin_off, true);
1335	while(hbin && rla)
1336	{
1337	rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
1338	if(rla)
1339	talloc_steal(rb->hbins, hbin);
1340	hbin_off = hbin->file_off + hbin->block_size;
1341	hbin = regfi_parse_hbin(rb, hbin_off, true);
1342	}
1343
1344	/* This secret isn't very secret, but we don't need a good one. This
1345	* secret is just designed to prevent someone from trying to blow our
1346	* caching and make things slow.
1347	*/
1348	cache_secret = 0x15DEAD05^time(NULL)^(getpid()<<16);
1349
1350	/* Cache an unlimited number of SK records. Typically there are very few. */
1351	rb->sk_cache = lru_cache_create_ctx(rb, 0, cache_secret, true);
1352
1353	/* Default message mask */
1354	rb->msg_mask = REGFI_MSG_ERROR\|REGFI_MSG_WARN;
1355
1356	/* success */
1357	return rb;
1358	}
1359
1360
1361	/******************************************************************************
1362	******************************************************************************/
1363	int regfi_close(REGFI_FILE* file)
1364	{
1365	int fd;
1366
1367	/* nothing to do if there is no open file */
1368	if ((file == NULL) \|\| (file->fd == -1))
1369	return 0;
1370
1371	fd = file->fd;
1372	file->fd = -1;
1373
1374	regfi_free(file);
1375
1376	return close(fd);
1377	}
1378
1379
1380	/******************************************************************************
1381	******************************************************************************/
1382	void regfi_free(REGFI_FILE *file)
1383	{
1384	if(file->last_message != NULL)
1385	free(last_message);
1386
1387	talloc_free(file);
1388	}
1389
1390
1391	/******************************************************************************
1392	* First checks the offset given by the file header, then checks the
1393	* rest of the file if that fails.
1394	******************************************************************************/
1395	REGFI_NK_REC* regfi_rootkey(REGFI_FILE* file, REGFI_ENCODING output_encoding)
1396	{
1397	REGFI_NK_REC* nk = NULL;
1398	REGFI_HBIN* hbin;
1399	uint32 root_offset, i, num_hbins;
1400
1401	if(!file)
1402	return NULL;
1403
1404	root_offset = file->root_cell+REGFI_REGF_SIZE;
1405	nk = regfi_load_key(file, root_offset, output_encoding, true);
1406	if(nk != NULL)
1407	{
1408	if(nk->flags & REGFI_NK_FLAG_ROOT)
1409	return nk;
1410	}
1411
1412	regfi_add_message(file, REGFI_MSG_WARN, "File header indicated root key at"
1413	" location 0x%.8X, but no root key found."
1414	" Searching rest of file...", root_offset);
1415
1416	/* If the file header gives bad info, scan through the file one HBIN
1417	* block at a time looking for an NK record with a root key type.
1418	*/
1419	num_hbins = range_list_size(file->hbins);
1420	for(i=0; i < num_hbins && nk == NULL; i++)
1421	{
1422	hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data;
1423	nk = regfi_find_root_nk(file, hbin, output_encoding);
1424	}
1425
1426	return nk;
1427	}
1428
1429
1430	/******************************************************************************
1431	*****************************************************************************/
1432	void regfi_free_key(REGFI_NK_REC* nk)
1433	{
1434	regfi_subkeylist_free(nk->subkeys);
1435	talloc_free(nk);
1436	}
1437
1438
1439	/******************************************************************************
1440	*****************************************************************************/
1441	void regfi_free_value(REGFI_VK_REC* vk)
1442	{
1443	talloc_free(vk);
1444	}
1445
1446
1447	/******************************************************************************
1448	*****************************************************************************/
1449	void regfi_subkeylist_free(REGFI_SUBKEY_LIST* list)
1450	{
1451	if(list != NULL)
1452	{
1453	talloc_free(list);
1454	}
1455	}
1456
1457
1458	/******************************************************************************
1459	*****************************************************************************/
1460	REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* file,
1461	REGFI_ENCODING output_encoding)
1462	{
1463	REGFI_NK_REC* root;
1464	REGFI_ITERATOR* ret_val;
1465
1466	if(output_encoding != REGFI_ENCODING_UTF8
1467	&& output_encoding != REGFI_ENCODING_ASCII)
1468	{
1469	regfi_add_message(file, REGFI_MSG_ERROR, "Invalid output_encoding supplied"
1470	" in creation of regfi iterator.");
1471	return NULL;
1472	}
1473
1474	ret_val = talloc(NULL, REGFI_ITERATOR);
1475	if(ret_val == NULL)
1476	return NULL;
1477
1478	root = regfi_rootkey(file, output_encoding);
1479	if(root == NULL)
1480	{
1481	talloc_free(ret_val);
1482	return NULL;
1483	}
1484
1485	ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH);
1486	if(ret_val->key_positions == NULL)
1487	{
1488	talloc_free(ret_val);
1489	return NULL;
1490	}
1491	talloc_steal(ret_val, ret_val->key_positions);
1492
1493	ret_val->f = file;
1494	ret_val->cur_key = root;
1495	ret_val->cur_subkey = 0;
1496	ret_val->cur_value = 0;
1497	ret_val->string_encoding = output_encoding;
1498
1499	return ret_val;
1500	}
1501
1502
1503	/******************************************************************************
1504	*****************************************************************************/
1505	void regfi_iterator_free(REGFI_ITERATOR* i)
1506	{
1507	talloc_free(i);
1508	}
1509
1510
1511
1512	/******************************************************************************
1513	*****************************************************************************/
1514	/* XXX: some way of indicating reason for failure should be added. */
1515	bool regfi_iterator_down(REGFI_ITERATOR* i)
1516	{
1517	REGFI_NK_REC* subkey;
1518	REGFI_ITER_POSITION* pos;
1519
1520	pos = talloc(i->key_positions, REGFI_ITER_POSITION);
1521	if(pos == NULL)
1522	return false;
1523
1524	subkey = (REGFI_NK_REC*)regfi_iterator_cur_subkey(i);
1525	if(subkey == NULL)
1526	{
1527	talloc_free(pos);
1528	return false;
1529	}
1530
1531	pos->nk = i->cur_key;
1532	pos->cur_subkey = i->cur_subkey;
1533	if(!void_stack_push(i->key_positions, pos))
1534	{
1535	talloc_free(pos);
1536	regfi_free_key(subkey);
1537	return false;
1538	}
1539	talloc_steal(i, subkey);
1540
1541	i->cur_key = subkey;
1542	i->cur_subkey = 0;
1543	i->cur_value = 0;
1544
1545	return true;
1546	}
1547
1548
1549	/******************************************************************************
1550	*****************************************************************************/
1551	bool regfi_iterator_up(REGFI_ITERATOR* i)
1552	{
1553	REGFI_ITER_POSITION* pos;
1554
1555	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
1556	if(pos == NULL)
1557	return false;
1558
1559	regfi_free_key(i->cur_key);
1560	i->cur_key = pos->nk;
1561	i->cur_subkey = pos->cur_subkey;
1562	i->cur_value = 0;
1563	talloc_free(pos);
1564
1565	return true;
1566	}
1567
1568
1569	/******************************************************************************
1570	*****************************************************************************/
1571	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
1572	{
1573	while(regfi_iterator_up(i))
1574	continue;
1575
1576	return true;
1577	}
1578
1579
1580	/******************************************************************************
1581	*****************************************************************************/
1582	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
1583	{
1584	REGFI_NK_REC* subkey;
1585	bool found = false;
1586	uint32 old_subkey = i->cur_subkey;
1587
1588	if(subkey_name == NULL)
1589	return false;
1590
1591	/* XXX: this alloc/free of each sub key might be a bit excessive */
1592	subkey = (REGFI_NK_REC*)regfi_iterator_first_subkey(i);
1593	while((subkey != NULL) && (found == false))
1594	{
1595	if(subkey->keyname != NULL
1596	&& strcasecmp(subkey->keyname, subkey_name) == 0)
1597	found = true;
1598	else
1599	{
1600	regfi_free_key(subkey);
1601	subkey = (REGFI_NK_REC*)regfi_iterator_next_subkey(i);
1602	}
1603	}
1604
1605	if(found == false)
1606	{
1607	i->cur_subkey = old_subkey;
1608	return false;
1609	}
1610
1611	regfi_free_key(subkey);
1612	return true;
1613	}
1614
1615
1616	/******************************************************************************
1617	*****************************************************************************/
1618	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
1619	{
1620	uint32 x;
1621	if(path == NULL)
1622	return false;
1623
1624	for(x=0;
1625	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
1626	&& regfi_iterator_down(i));
1627	x++)
1628	{ continue; }
1629
1630	if(path[x] == NULL)
1631	return true;
1632
1633	/* XXX: is this the right number of times? */
1634	for(; x > 0; x--)
1635	regfi_iterator_up(i);
1636
1637	return false;
1638	}
1639
1640
1641	/******************************************************************************
1642	*****************************************************************************/
1643	const REGFI_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
1644	{
1645	return i->cur_key;
1646	}
1647
1648
1649	/******************************************************************************
1650	*****************************************************************************/
1651	const REGFI_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i)
1652	{
1653	if(i->cur_key == NULL \|\| i->cur_key->sk_off == REGFI_OFFSET_NONE)
1654	return NULL;
1655
1656	return regfi_load_sk(i->f, i->cur_key->sk_off + REGFI_REGF_SIZE, true);
1657	}
1658
1659
1660	/******************************************************************************
1661	*****************************************************************************/
1662	REGFI_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
1663	{
1664	i->cur_subkey = 0;
1665	return regfi_iterator_cur_subkey(i);
1666	}
1667
1668
1669	/******************************************************************************
1670	*****************************************************************************/
1671	REGFI_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
1672	{
1673	uint32 nk_offset;
1674
1675	/* see if there is anything left to report */
1676	if (!(i->cur_key) \|\| (i->cur_key->subkeys_off==REGFI_OFFSET_NONE)
1677	\|\| (i->cur_subkey >= i->cur_key->num_subkeys))
1678	return NULL;
1679
1680	nk_offset = i->cur_key->subkeys->elements[i->cur_subkey].offset;
1681
1682	return regfi_load_key(i->f, nk_offset+REGFI_REGF_SIZE, i->string_encoding,
1683	true);
1684	}
1685
1686
1687	/******************************************************************************
1688	*****************************************************************************/
1689	/* XXX: some way of indicating reason for failure should be added. */
1690	REGFI_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
1691	{
1692	REGFI_NK_REC* subkey;
1693
1694	i->cur_subkey++;
1695	subkey = regfi_iterator_cur_subkey(i);
1696
1697	if(subkey == NULL)
1698	i->cur_subkey--;
1699
1700	return subkey;
1701	}
1702
1703
1704	/******************************************************************************
1705	*****************************************************************************/
1706	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
1707	{
1708	REGFI_VK_REC* cur;
1709	bool found = false;
1710
1711	/* XXX: cur->valuename can be NULL in the registry.
1712	* Should we allow for a way to search for that?
1713	*/
1714	if(value_name == NULL)
1715	return false;
1716
1717	cur = regfi_iterator_first_value(i);
1718	while((cur != NULL) && (found == false))
1719	{
1720	if((cur->valuename != NULL)
1721	&& (strcasecmp(cur->valuename, value_name) == 0))
1722	found = true;
1723	else
1724	{
1725	regfi_free_value(cur);
1726	cur = regfi_iterator_next_value(i);
1727	}
1728	}
1729
1730	return found;
1731	}
1732
1733
1734	/******************************************************************************
1735	*****************************************************************************/
1736	REGFI_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
1737	{
1738	i->cur_value = 0;
1739	return regfi_iterator_cur_value(i);
1740	}
1741
1742
1743	/******************************************************************************
1744	*****************************************************************************/
1745	REGFI_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
1746	{
1747	REGFI_VK_REC* ret_val = NULL;
1748	uint32 voffset;
1749
1750	if(i->cur_key->values != NULL && i->cur_key->values->elements != NULL)
1751	{
1752	if(i->cur_value < i->cur_key->values->num_values)
1753	{
1754	voffset = i->cur_key->values->elements[i->cur_value];
1755	ret_val = regfi_load_value(i->f, voffset+REGFI_REGF_SIZE,
1756	i->string_encoding, true);
1757	}
1758	}
1759
1760	return ret_val;
1761	}
1762
1763
1764	/******************************************************************************
1765	*****************************************************************************/
1766	REGFI_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
1767	{
1768	REGFI_VK_REC* ret_val;
1769
1770	i->cur_value++;
1771	ret_val = regfi_iterator_cur_value(i);
1772	if(ret_val == NULL)
1773	i->cur_value--;
1774
1775	return ret_val;
1776	}
1777
1778
1779	/******************************************************************************
1780	*****************************************************************************/
1781	REGFI_CLASSNAME* regfi_iterator_fetch_classname(REGFI_ITERATOR* i,
1782	const REGFI_NK_REC* key)
1783	{
1784	REGFI_CLASSNAME* ret_val;
1785	uint8* raw;
1786	char* interpreted;
1787	uint32 offset;
1788	int32 conv_size, max_size;
1789	uint16 parse_length;
1790
1791	if(key->classname_off == REGFI_OFFSET_NONE \|\| key->classname_length == 0)
1792	return NULL;
1793
1794	offset = key->classname_off + REGFI_REGF_SIZE;
1795	max_size = regfi_calc_maxsize(i->f, offset);
1796	if(max_size <= 0)
1797	return NULL;
1798
1799	parse_length = key->classname_length;
1800	raw = regfi_parse_classname(i->f, offset, &parse_length, max_size, true);
1801
1802	if(raw == NULL)
1803	{
1804	regfi_add_message(i->f, REGFI_MSG_WARN, "Could not parse class"
1805	" name at offset 0x%.8X for key record at offset 0x%.8X.",
1806	offset, key->offset);
1807	return NULL;
1808	}
1809
1810	ret_val = talloc(NULL, REGFI_CLASSNAME);
1811	if(ret_val == NULL)
1812	return NULL;
1813
1814	ret_val->raw = raw;
1815	ret_val->size = parse_length;
1816	talloc_steal(ret_val, raw);
1817
1818	interpreted = talloc_array(NULL, char, parse_length);
1819
1820	conv_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
1821	regfi_encoding_int2str(i->string_encoding),
1822	raw, interpreted,
1823	parse_length, parse_length);
1824	if(conv_size < 0)
1825	{
1826	regfi_add_message(i->f, REGFI_MSG_WARN, "Error occurred while"
1827	" converting classname to charset %s. Error message: %s",
1828	i->string_encoding, strerror(-conv_size));
1829	talloc_free(interpreted);
1830	ret_val->interpreted = NULL;
1831	}
1832	else
1833	{
1834	interpreted = talloc_realloc(NULL, interpreted, char, conv_size);
1835	ret_val->interpreted = interpreted;
1836	talloc_steal(ret_val, interpreted);
1837	}
1838
1839	return ret_val;
1840	}
1841
1842
1843	/******************************************************************************
1844	*****************************************************************************/
1845	REGFI_DATA* regfi_iterator_fetch_data(REGFI_ITERATOR* i,
1846	const REGFI_VK_REC* value)
1847	{
1848	REGFI_DATA* ret_val = NULL;
1849	REGFI_BUFFER raw_data;
1850
1851	if(value->data_size != 0)
1852	{
1853	raw_data = regfi_load_data(i->f, value->data_off, value->data_size,
1854	value->data_in_offset, true);
1855	if(raw_data.buf == NULL)
1856	{
1857	regfi_add_message(i->f, REGFI_MSG_WARN, "Could not parse data record"
1858	" while parsing VK record at offset 0x%.8X.",
1859	value->offset);
1860	}
1861	else
1862	{
1863	ret_val = regfi_buffer_to_data(raw_data);
1864
1865	if(ret_val == NULL)
1866	{
1867	regfi_add_message(i->f, REGFI_MSG_WARN, "Error occurred in converting"
1868	" data buffer to data structure while interpreting "
1869	"data for VK record at offset 0x%.8X.",
1870	value->offset);
1871	talloc_free(raw_data.buf);
1872	return NULL;
1873	}
1874
1875	if(!regfi_interpret_data(i->f, i->string_encoding, value->type, ret_val))
1876	{
1877	regfi_add_message(i->f, REGFI_MSG_INFO, "Error occurred while"
1878	" interpreting data for VK record at offset 0x%.8X.",
1879	value->offset);
1880	}
1881	}
1882	}
1883
1884	return ret_val;
1885	}
1886
1887
1888	/******************************************************************************
1889	*****************************************************************************/
1890	void regfi_free_classname(REGFI_CLASSNAME* classname)
1891	{
1892	talloc_free(classname);
1893	}
1894
1895	/******************************************************************************
1896	*****************************************************************************/
1897	void regfi_free_data(REGFI_DATA* data)
1898	{
1899	talloc_free(data);
1900	}
1901
1902
1903	/******************************************************************************
1904	*****************************************************************************/
1905	REGFI_DATA* regfi_buffer_to_data(REGFI_BUFFER raw_data)
1906	{
1907	REGFI_DATA* ret_val;
1908
1909	if(raw_data.buf == NULL)
1910	return NULL;
1911
1912	ret_val = talloc(NULL, REGFI_DATA);
1913	if(ret_val == NULL)
1914	return NULL;
1915
1916	talloc_steal(ret_val, raw_data.buf);
1917	ret_val->raw = raw_data.buf;
1918	ret_val->size = raw_data.len;
1919	ret_val->interpreted_size = 0;
1920	ret_val->interpreted.qword = 0;
1921
1922	return ret_val;
1923	}
1924
1925
1926	/******************************************************************************
1927	*****************************************************************************/
1928	bool regfi_interpret_data(REGFI_FILE* file, REGFI_ENCODING string_encoding,
1929	uint32 type, REGFI_DATA* data)
1930	{
1931	uint8** tmp_array;
1932	uint8* tmp_str;
1933	int32 tmp_size;
1934	uint32 i, j, array_size;
1935
1936	if(data == NULL)
1937	return false;
1938
1939	switch (type)
1940	{
1941	case REG_SZ:
1942	case REG_EXPAND_SZ:
1943	/* REG_LINK is a symbolic link, stored as a unicode string. */
1944	case REG_LINK:
1945	tmp_str = talloc_array(NULL, uint8, data->size);
1946	if(tmp_str == NULL)
1947	{
1948	data->interpreted.string = NULL;
1949	data->interpreted_size = 0;
1950	return false;
1951	}
1952
1953	tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
1954	regfi_encoding_int2str(string_encoding),
1955	data->raw, (char*)tmp_str,
1956	data->size, data->size);
1957	if(tmp_size < 0)
1958	{
1959	regfi_add_message(file, REGFI_MSG_INFO, "Error occurred while"
1960	" converting data of type %d to %s. Error message: %s",
1961	type, string_encoding, strerror(-tmp_size));
1962	talloc_free(tmp_str);
1963	data->interpreted.string = NULL;
1964	data->interpreted_size = 0;
1965	return false;
1966	}
1967
1968	tmp_str = talloc_realloc(NULL, tmp_str, uint8, tmp_size);
1969	data->interpreted.string = tmp_str;
1970	data->interpreted_size = tmp_size;
1971	talloc_steal(data, tmp_str);
1972	break;
1973
1974	case REG_DWORD:
1975	if(data->size < 4)
1976	{
1977	data->interpreted.dword = 0;
1978	data->interpreted_size = 0;
1979	return false;
1980	}
1981	data->interpreted.dword = IVAL(data->raw, 0);
1982	data->interpreted_size = 4;
1983	break;
1984
1985	case REG_DWORD_BE:
1986	if(data->size < 4)
1987	{
1988	data->interpreted.dword_be = 0;
1989	data->interpreted_size = 0;
1990	return false;
1991	}
1992	data->interpreted.dword_be = RIVAL(data->raw, 0);
1993	data->interpreted_size = 4;
1994	break;
1995
1996	case REG_QWORD:
1997	if(data->size < 8)
1998	{
1999	data->interpreted.qword = 0;
2000	data->interpreted_size = 0;
2001	return false;
2002	}
2003	data->interpreted.qword =
2004	(uint64)IVAL(data->raw, 0) + (((uint64)IVAL(data->raw, 4))<<32);
2005	data->interpreted_size = 8;
2006	break;
2007
2008	case REG_MULTI_SZ:
2009	tmp_str = talloc_array(NULL, uint8, data->size);
2010	if(tmp_str == NULL)
2011	{
2012	data->interpreted.multiple_string = NULL;
2013	data->interpreted_size = 0;
2014	return false;
2015	}
2016
2017	/* Attempt to convert entire string from UTF-16LE to output encoding,
2018	* then parse and quote fields individually.
2019	*/
2020	tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
2021	regfi_encoding_int2str(string_encoding),
2022	data->raw, (char*)tmp_str,
2023	data->size, data->size);
2024	if(tmp_size < 0)
2025	{
2026	regfi_add_message(file, REGFI_MSG_INFO, "Error occurred while"
2027	" converting data of type %d to %s. Error message: %s",
2028	type, string_encoding, strerror(-tmp_size));
2029	talloc_free(tmp_str);
2030	data->interpreted.multiple_string = NULL;
2031	data->interpreted_size = 0;
2032	return false;
2033	}
2034
2035	array_size = tmp_size+1;
2036	tmp_array = talloc_array(NULL, uint8*, array_size);
2037	if(tmp_array == NULL)
2038	{
2039	talloc_free(tmp_str);
2040	data->interpreted.string = NULL;
2041	data->interpreted_size = 0;
2042	return false;
2043	}
2044
2045	tmp_array[0] = tmp_str;
2046	for(i=0,j=1; i < tmp_size && j < array_size-1; i++)
2047	{
2048	if(tmp_str[i] == '\0' && (i+1 < tmp_size))
2049	tmp_array[j++] = tmp_str+i+1;
2050	}
2051	tmp_array[j] = NULL;
2052	tmp_array = talloc_realloc(NULL, tmp_array, uint8*, j+1);
2053	data->interpreted.multiple_string = tmp_array;
2054	/* XXX: how meaningful is this? should we store number of strings instead? */
2055	data->interpreted_size = tmp_size;
2056	talloc_steal(tmp_array, tmp_str);
2057	talloc_steal(data, tmp_array);
2058	break;
2059
2060	/* XXX: Dont know how to interpret these yet, just treat as binary */
2061	case REG_NONE:
2062	data->interpreted.none = data->raw;
2063	data->interpreted_size = data->size;
2064	break;
2065
2066	case REG_RESOURCE_LIST:
2067	data->interpreted.resource_list = data->raw;
2068	data->interpreted_size = data->size;
2069	break;
2070
2071	case REG_FULL_RESOURCE_DESCRIPTOR:
2072	data->interpreted.full_resource_descriptor = data->raw;
2073	data->interpreted_size = data->size;
2074	break;
2075
2076	case REG_RESOURCE_REQUIREMENTS_LIST:
2077	data->interpreted.resource_requirements_list = data->raw;
2078	data->interpreted_size = data->size;
2079	break;
2080
2081	case REG_BINARY:
2082	data->interpreted.binary = data->raw;
2083	data->interpreted_size = data->size;
2084	break;
2085
2086	default:
2087	data->interpreted.qword = 0;
2088	data->interpreted_size = 0;
2089	return false;
2090	}
2091
2092	data->type = type;
2093	return true;
2094	}
2095
2096
2097	/******************************************************************************
2098	* Convert from UTF-16LE to specified character set.
2099	* On error, returns a negative errno code.
2100	*****************************************************************************/
2101	int32 regfi_conv_charset(const char* input_charset, const char* output_charset,
2102	uint8* input, char* output,
2103	uint32 input_len, uint32 output_max)
2104	{
2105	iconv_t conv_desc;
2106	char* inbuf = (char*)input;
2107	char* outbuf = output;
2108	size_t in_len = (size_t)input_len;
2109	size_t out_len = (size_t)(output_max-1);
2110	int ret;
2111
2112	/* XXX: Consider creating a couple of conversion descriptors earlier,
2113	* storing them on an iterator so they don't have to be recreated
2114	* each time.
2115	*/
2116
2117	/* Set up conversion descriptor. */
2118	conv_desc = iconv_open(output_charset, input_charset);
2119
2120	ret = iconv(conv_desc, &inbuf, &in_len, &outbuf, &out_len);
2121	if(ret == -1)
2122	{
2123	iconv_close(conv_desc);
2124	return -errno;
2125	}
2126	*outbuf = '\0';
2127
2128	iconv_close(conv_desc);
2129	return output_max-out_len-1;
2130	}
2131
2132
2133
2134	/*******************************************************************
2135	* Computes the checksum of the registry file header.
2136	* buffer must be at least the size of a regf header (4096 bytes).
2137	*******************************************************************/
2138	static uint32 regfi_compute_header_checksum(uint8* buffer)
2139	{
2140	uint32 checksum, x;
2141	int i;
2142
2143	/* XOR of all bytes 0x0000 - 0x01FB */
2144
2145	checksum = x = 0;
2146
2147	for ( i=0; i<0x01FB; i+=4 ) {
2148	x = IVAL(buffer, i );
2149	checksum ^= x;
2150	}
2151
2152	return checksum;
2153	}
2154
2155
2156	/*******************************************************************
2157	* XXX: Add way to return more detailed error information.
2158	*******************************************************************/
2159	REGFI_FILE* regfi_parse_regf(int fd, bool strict)
2160	{
2161	uint8 file_header[REGFI_REGF_SIZE];
2162	uint32 length;
2163	REGFI_FILE* ret_val;
2164
2165	ret_val = talloc(NULL, REGFI_FILE);
2166	if(ret_val == NULL)
2167	return NULL;
2168
2169	ret_val->fd = fd;
2170	ret_val->sk_cache = NULL;
2171	ret_val->last_message = NULL;
2172	ret_val->hbins = NULL;
2173
2174	length = REGFI_REGF_SIZE;
2175	if((regfi_read(fd, file_header, &length)) != 0 \|\| length != REGFI_REGF_SIZE)
2176	goto fail;
2177
2178	ret_val->checksum = IVAL(file_header, 0x1FC);
2179	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
2180	if (strict && (ret_val->checksum != ret_val->computed_checksum))
2181	goto fail;
2182
2183	memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
2184	if(memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0)
2185	{
2186	if(strict)
2187	goto fail;
2188	regfi_add_message(ret_val, REGFI_MSG_WARN, "Magic number mismatch "
2189	"(%.2X %.2X %.2X %.2X) while parsing hive header",
2190	ret_val->magic[0], ret_val->magic[1],
2191	ret_val->magic[2], ret_val->magic[3]);
2192	}
2193	ret_val->sequence1 = IVAL(file_header, 0x4);
2194	ret_val->sequence2 = IVAL(file_header, 0x8);
2195	ret_val->mtime.low = IVAL(file_header, 0xC);
2196	ret_val->mtime.high = IVAL(file_header, 0x10);
2197	ret_val->major_version = IVAL(file_header, 0x14);
2198	ret_val->minor_version = IVAL(file_header, 0x18);
2199	ret_val->type = IVAL(file_header, 0x1C);
2200	ret_val->format = IVAL(file_header, 0x20);
2201	ret_val->root_cell = IVAL(file_header, 0x24);
2202	ret_val->last_block = IVAL(file_header, 0x28);
2203
2204	ret_val->cluster = IVAL(file_header, 0x2C);
2205
2206	memcpy(ret_val->file_name, file_header+0x30, REGFI_REGF_NAME_SIZE);
2207
2208	/* XXX: Should we add a warning if these uuid parsers fail? Can they? */
2209	ret_val->rm_id = winsec_parse_uuid(ret_val, file_header+0x70, 16);
2210	ret_val->log_id = winsec_parse_uuid(ret_val, file_header+0x80, 16);
2211	ret_val->flags = IVAL(file_header, 0x90);
2212	ret_val->tm_id = winsec_parse_uuid(ret_val, file_header+0x94, 16);
2213	ret_val->guid_signature = IVAL(file_header, 0xa4);
2214
2215	memcpy(ret_val->reserved1, file_header+0xa8, REGFI_REGF_RESERVED1_SIZE);
2216	memcpy(ret_val->reserved2, file_header+0x200, REGFI_REGF_RESERVED2_SIZE);
2217
2218	ret_val->thaw_tm_id = winsec_parse_uuid(ret_val, file_header+0xFC8, 16);
2219	ret_val->thaw_rm_id = winsec_parse_uuid(ret_val, file_header+0xFD8, 16);
2220	ret_val->thaw_log_id = winsec_parse_uuid(ret_val, file_header+0xFE8, 16);
2221	ret_val->boot_type = IVAL(file_header, 0xFF8);
2222	ret_val->boot_recover = IVAL(file_header, 0xFFC);
2223
2224	return ret_val;
2225
2226	fail:
2227	talloc_free(ret_val);
2228	return NULL;
2229	}
2230
2231
2232
2233	/******************************************************************************
2234	* Given real file offset, read and parse the hbin at that location
2235	* along with it's associated cells.
2236	******************************************************************************/
2237	REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32 offset, bool strict)
2238	{
2239	REGFI_HBIN *hbin;
2240	uint8 hbin_header[REGFI_HBIN_HEADER_SIZE];
2241	uint32 length;
2242
2243	if(offset >= file->file_length)
2244	return NULL;
2245
2246	if(lseek(file->fd, offset, SEEK_SET) == -1)
2247	{
2248	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
2249	" while parsing hbin at offset 0x%.8X.", offset);
2250	return NULL;
2251	}
2252
2253	length = REGFI_HBIN_HEADER_SIZE;
2254	if((regfi_read(file->fd, hbin_header, &length) != 0)
2255	\|\| length != REGFI_HBIN_HEADER_SIZE)
2256	return NULL;
2257
2258	if(lseek(file->fd, offset, SEEK_SET) == -1)
2259	{
2260	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
2261	" while parsing hbin at offset 0x%.8X.", offset);
2262	return NULL;
2263	}
2264
2265	hbin = talloc(NULL, REGFI_HBIN);
2266	if(hbin == NULL)
2267	return NULL;
2268	hbin->file_off = offset;
2269
2270	memcpy(hbin->magic, hbin_header, 4);
2271	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
2272	{
2273	regfi_add_message(file, REGFI_MSG_INFO, "Magic number mismatch "
2274	"(%.2X %.2X %.2X %.2X) while parsing hbin at offset"
2275	" 0x%.8X.", hbin->magic[0], hbin->magic[1],
2276	hbin->magic[2], hbin->magic[3], offset);
2277	talloc_free(hbin);
2278	return NULL;
2279	}
2280
2281	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
2282	hbin->block_size = IVAL(hbin_header, 0x8);
2283	/* this should be the same thing as hbin->block_size but just in case */
2284	hbin->next_block = IVAL(hbin_header, 0x1C);
2285
2286
2287	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
2288	* the end of the file.
2289	*/
2290	/* XXX: This may need to be relaxed for dealing with
2291	* partial or corrupt files.
2292	*/
2293	if((offset + hbin->block_size > file->file_length)
2294	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
2295	{
2296	regfi_add_message(file, REGFI_MSG_ERROR, "The hbin offset is not aligned"
2297	" or runs off the end of the file"
2298	" while parsing hbin at offset 0x%.8X.", offset);
2299	talloc_free(hbin);
2300	return NULL;
2301	}
2302
2303	return hbin;
2304	}
2305
2306
2307	/*******************************************************************
2308	*******************************************************************/
2309	REGFI_NK_REC* regfi_parse_nk(REGFI_FILE* file, uint32 offset,
2310	uint32 max_size, bool strict)
2311	{
2312	uint8 nk_header[REGFI_NK_MIN_LENGTH];
2313	REGFI_NK_REC* ret_val;
2314	uint32 length,cell_length;
2315	bool unalloc = false;
2316
2317	if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH,
2318	&cell_length, &unalloc))
2319	{
2320	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
2321	" while parsing NK record at offset 0x%.8X.", offset);
2322	return NULL;
2323	}
2324
2325	/* A bit of validation before bothering to allocate memory */
2326	if((nk_header[0x0] != 'n') \|\| (nk_header[0x1] != 'k'))
2327	{
2328	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
2329	" NK record at offset 0x%.8X.", offset);
2330	return NULL;
2331	}
2332
2333	ret_val = talloc(NULL, REGFI_NK_REC);
2334	if(ret_val == NULL)
2335	{
2336	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to allocate memory while"
2337	" parsing NK record at offset 0x%.8X.", offset);
2338	return NULL;
2339	}
2340
2341	ret_val->values = NULL;
2342	ret_val->subkeys = NULL;
2343	ret_val->offset = offset;
2344	ret_val->cell_size = cell_length;
2345
2346	if(ret_val->cell_size > max_size)
2347	ret_val->cell_size = max_size & 0xFFFFFFF8;
2348	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
2349	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
2350	{
2351	regfi_add_message(file, REGFI_MSG_WARN, "A length check failed while"
2352	" parsing NK record at offset 0x%.8X.", offset);
2353	talloc_free(ret_val);
2354	return NULL;
2355	}
2356
2357	ret_val->magic[0] = nk_header[0x0];
2358	ret_val->magic[1] = nk_header[0x1];
2359	ret_val->flags = SVAL(nk_header, 0x2);
2360
2361	if((ret_val->flags & ~REGFI_NK_KNOWN_FLAGS) != 0)
2362	{
2363	regfi_add_message(file, REGFI_MSG_WARN, "Unknown key flags (0x%.4X) while"
2364	" parsing NK record at offset 0x%.8X.",
2365	(ret_val->flags & ~REGFI_NK_KNOWN_FLAGS), offset);
2366	}
2367
2368	ret_val->mtime.low = IVAL(nk_header, 0x4);
2369	ret_val->mtime.high = IVAL(nk_header, 0x8);
2370	/* If the key is unallocated and the MTIME is earlier than Jan 1, 1990
2371	* or later than Jan 1, 2290, we consider this a bad key. This helps
2372	* weed out some false positives during deleted data recovery.
2373	*/
2374	if(unalloc
2375	&& ((ret_val->mtime.high < REGFI_MTIME_MIN_HIGH
2376	&& ret_val->mtime.low < REGFI_MTIME_MIN_LOW)
2377	\|\| (ret_val->mtime.high > REGFI_MTIME_MAX_HIGH
2378	&& ret_val->mtime.low > REGFI_MTIME_MAX_LOW)))
2379	return NULL;
2380
2381	ret_val->unknown1 = IVAL(nk_header, 0xC);
2382	ret_val->parent_off = IVAL(nk_header, 0x10);
2383	ret_val->num_subkeys = IVAL(nk_header, 0x14);
2384	ret_val->unknown2 = IVAL(nk_header, 0x18);
2385	ret_val->subkeys_off = IVAL(nk_header, 0x1C);
2386	ret_val->unknown3 = IVAL(nk_header, 0x20);
2387	ret_val->num_values = IVAL(nk_header, 0x24);
2388	ret_val->values_off = IVAL(nk_header, 0x28);
2389	ret_val->sk_off = IVAL(nk_header, 0x2C);
2390	ret_val->classname_off = IVAL(nk_header, 0x30);
2391
2392	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
2393	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
2394	ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
2395	ret_val->max_bytes_value = IVAL(nk_header, 0x40);
2396	ret_val->unk_index = IVAL(nk_header, 0x44);
2397
2398	ret_val->name_length = SVAL(nk_header, 0x48);
2399	ret_val->classname_length = SVAL(nk_header, 0x4A);
2400	ret_val->keyname = NULL;
2401
2402	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
2403	{
2404	if(strict)
2405	{
2406	regfi_add_message(file, REGFI_MSG_ERROR, "Contents too large for cell"
2407	" while parsing NK record at offset 0x%.8X.", offset);
2408	talloc_free(ret_val);
2409	return NULL;
2410	}
2411	else
2412	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
2413	}
2414	else if (unalloc)
2415	{ /* Truncate cell_size if it's much larger than the apparent total record length. */
2416	/* Round up to the next multiple of 8 */
2417	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
2418	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
2419	length+=8;
2420
2421	/* If cell_size is still greater, truncate. */
2422	if(length < ret_val->cell_size)
2423	ret_val->cell_size = length;
2424	}
2425
2426	ret_val->keyname_raw = talloc_array(ret_val, uint8, ret_val->name_length);
2427	if(ret_val->keyname_raw == NULL)
2428	{
2429	talloc_free(ret_val);
2430	return NULL;
2431	}
2432
2433	/* Don't need to seek, should be at the right offset */
2434	length = ret_val->name_length;
2435	if((regfi_read(file->fd, (uint8*)ret_val->keyname_raw, &length) != 0)
2436	\|\| length != ret_val->name_length)
2437	{
2438	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read key name"
2439	" while parsing NK record at offset 0x%.8X.", offset);
2440	talloc_free(ret_val);
2441	return NULL;
2442	}
2443
2444	return ret_val;
2445	}
2446
2447
2448	uint8* regfi_parse_classname(REGFI_FILE* file, uint32 offset,
2449	uint16* name_length, uint32 max_size, bool strict)
2450	{
2451	uint8* ret_val = NULL;
2452	uint32 length;
2453	uint32 cell_length;
2454	bool unalloc = false;
2455
2456	if(*name_length > 0 && offset != REGFI_OFFSET_NONE
2457	&& (offset & 0x00000007) == 0)
2458	{
2459	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
2460	{
2461	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
2462	" while parsing class name at offset 0x%.8X.", offset);
2463	return NULL;
2464	}
2465
2466	if((cell_length & 0x0000007) != 0)
2467	{
2468	regfi_add_message(file, REGFI_MSG_ERROR, "Cell length not a multiple of 8"
2469	" while parsing class name at offset 0x%.8X.", offset);
2470	return NULL;
2471	}
2472
2473	if(cell_length > max_size)
2474	{
2475	regfi_add_message(file, REGFI_MSG_WARN, "Cell stretches past hbin "
2476	"boundary while parsing class name at offset 0x%.8X.",
2477	offset);
2478	if(strict)
2479	return NULL;
2480	cell_length = max_size;
2481	}
2482
2483	if((cell_length - 4) < *name_length)
2484	{
2485	regfi_add_message(file, REGFI_MSG_WARN, "Class name is larger than"
2486	" cell_length while parsing class name at offset"
2487	" 0x%.8X.", offset);
2488	if(strict)
2489	return NULL;
2490	*name_length = cell_length - 4;
2491	}
2492
2493	ret_val = talloc_array(NULL, uint8, *name_length);
2494	if(ret_val != NULL)
2495	{
2496	length = *name_length;
2497	if((regfi_read(file->fd, ret_val, &length) != 0)
2498	\|\| length != *name_length)
2499	{
2500	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read class name"
2501	" while parsing class name at offset 0x%.8X.", offset);
2502	talloc_free(ret_val);
2503	return NULL;
2504	}
2505	}
2506	}
2507
2508	return ret_val;
2509	}
2510
2511
2512	/******************************************************************************
2513	*******************************************************************************/
2514	REGFI_VK_REC* regfi_parse_vk(REGFI_FILE* file, uint32 offset,
2515	uint32 max_size, bool strict)
2516	{
2517	REGFI_VK_REC* ret_val;
2518	uint8 vk_header[REGFI_VK_MIN_LENGTH];
2519	uint32 raw_data_size, length, cell_length;
2520	bool unalloc = false;
2521
2522	if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH,
2523	&cell_length, &unalloc))
2524	{
2525	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
2526	" while parsing VK record at offset 0x%.8X.", offset);
2527	return NULL;
2528	}
2529
2530	ret_val = talloc(NULL, REGFI_VK_REC);
2531	if(ret_val == NULL)
2532	return NULL;
2533
2534	ret_val->offset = offset;
2535	ret_val->cell_size = cell_length;
2536	ret_val->data = NULL;
2537	ret_val->valuename = NULL;
2538	ret_val->valuename_raw = NULL;
2539
2540	if(ret_val->cell_size > max_size)
2541	ret_val->cell_size = max_size & 0xFFFFFFF8;
2542	if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
2543	\|\| (ret_val->cell_size & 0x00000007) != 0)
2544	{
2545	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size encountered"
2546	" while parsing VK record at offset 0x%.8X.", offset);
2547	talloc_free(ret_val);
2548	return NULL;
2549	}
2550
2551	ret_val->magic[0] = vk_header[0x0];
2552	ret_val->magic[1] = vk_header[0x1];
2553	if((ret_val->magic[0] != 'v') \|\| (ret_val->magic[1] != 'k'))
2554	{
2555	/* XXX: This does not account for deleted keys under Win2K which
2556	* often have this (and the name length) overwritten with
2557	* 0xFFFF.
2558	*/
2559	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch"
2560	" while parsing VK record at offset 0x%.8X.", offset);
2561	talloc_free(ret_val);
2562	return NULL;
2563	}
2564
2565	ret_val->name_length = SVAL(vk_header, 0x2);
2566	raw_data_size = IVAL(vk_header, 0x4);
2567	ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET;
2568	/* The data is typically stored in the offset if the size <= 4,
2569	* in which case this flag is set.
2570	*/
2571	ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET);
2572	ret_val->data_off = IVAL(vk_header, 0x8);
2573	ret_val->type = IVAL(vk_header, 0xC);
2574	ret_val->flags = SVAL(vk_header, 0x10);
2575	ret_val->unknown1 = SVAL(vk_header, 0x12);
2576
2577	if(ret_val->name_length > 0)
2578	{
2579	if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size)
2580	{
2581	regfi_add_message(file, REGFI_MSG_WARN, "Name too long for remaining cell"
2582	" space while parsing VK record at offset 0x%.8X.",
2583	offset);
2584	if(strict)
2585	{
2586	talloc_free(ret_val);
2587	return NULL;
2588	}
2589	else
2590	ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4;
2591	}
2592
2593	/* Round up to the next multiple of 8 */
2594	cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8;
2595	if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4)
2596	cell_length+=8;
2597
2598	ret_val->valuename_raw = talloc_array(ret_val, uint8, ret_val->name_length);
2599	if(ret_val->valuename_raw == NULL)
2600	{
2601	talloc_free(ret_val);
2602	return NULL;
2603	}
2604
2605	length = ret_val->name_length;
2606	if((regfi_read(file->fd, (uint8*)ret_val->valuename_raw, &length) != 0)
2607	\|\| length != ret_val->name_length)
2608	{
2609	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read value name"
2610	" while parsing VK record at offset 0x%.8X.", offset);
2611	talloc_free(ret_val);
2612	return NULL;
2613	}
2614	}
2615	else
2616	cell_length = REGFI_VK_MIN_LENGTH + 4;
2617
2618	if(unalloc)
2619	{
2620	/* If cell_size is still greater, truncate. */
2621	if(cell_length < ret_val->cell_size)
2622	ret_val->cell_size = cell_length;
2623	}
2624
2625	return ret_val;
2626	}
2627
2628
2629	/******************************************************************************
2630	*
2631	******************************************************************************/
2632	REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32 voffset,
2633	uint32 length, bool data_in_offset,
2634	bool strict)
2635	{
2636	REGFI_BUFFER ret_val;
2637	uint32 cell_length, offset;
2638	int32 max_size;
2639	bool unalloc;
2640
2641	/* Microsoft's documentation indicates that "available memory" is
2642	* the limit on value sizes for the more recent registry format version.
2643	* This is not only annoying, but it's probably also incorrect, since clearly
2644	* value data sizes are limited to 2^31 (high bit used as a flag) and even
2645	* with big data records, the apparent max size is:
2646	* 16344 * 2^16 = 1071104040 (~1GB).
2647	*
2648	* We choose to limit it to 1M which was the limit in older versions and
2649	* should rarely be exceeded unless the file is corrupt or malicious.
2650	* For more info, see:
2651	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
2652	*/
2653	/* XXX: add way to skip this check at user discression. */
2654	if(length > REGFI_VK_MAX_DATA_LENGTH)
2655	{
2656	regfi_add_message(file, REGFI_MSG_WARN, "Value data size %d larger than "
2657	"%d, truncating...", length, REGFI_VK_MAX_DATA_LENGTH);
2658	length = REGFI_VK_MAX_DATA_LENGTH;
2659	}
2660
2661	if(data_in_offset)
2662	return regfi_parse_little_data(file, voffset, length, strict);
2663	else
2664	{
2665	offset = voffset + REGFI_REGF_SIZE;
2666	max_size = regfi_calc_maxsize(file, offset);
2667	if(max_size < 0)
2668	{
2669	regfi_add_message(file, REGFI_MSG_WARN, "Could not find HBIN for data"
2670	" at offset 0x%.8X.", offset);
2671	goto fail;
2672	}
2673
2674	if(!regfi_parse_cell(file->fd, offset, NULL, 0,
2675	&cell_length, &unalloc))
2676	{
2677	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
2678	" parsing data record at offset 0x%.8X.", offset);
2679	goto fail;
2680	}
2681
2682	if((cell_length & 0x00000007) != 0)
2683	{
2684	regfi_add_message(file, REGFI_MSG_WARN, "Cell length not multiple of 8"
2685	" while parsing data record at offset 0x%.8X.",
2686	offset);
2687	goto fail;
2688	}
2689
2690	if(cell_length > max_size)
2691	{
2692	regfi_add_message(file, REGFI_MSG_WARN, "Cell extends past HBIN boundary"
2693	" while parsing data record at offset 0x%.8X.",
2694	offset);
2695	goto fail;
2696	}
2697
2698	if(cell_length - 4 < length)
2699	{
2700	/* XXX: All big data records thus far have been 16 bytes long.
2701	* Should we check for this precise size instead of just
2702	* relying upon the above check?
2703	*/
2704	if (file->major_version >= 1 && file->minor_version >= 5)
2705	{
2706	/* Attempt to parse a big data record */
2707	return regfi_load_big_data(file, offset, length, cell_length,
2708	NULL, strict);
2709	}
2710	else
2711	{
2712	regfi_add_message(file, REGFI_MSG_WARN, "Data length (0x%.8X) larger than"
2713	" remaining cell length (0x%.8X)"
2714	" while parsing data record at offset 0x%.8X.",
2715	length, cell_length - 4, offset);
2716	if(strict)
2717	goto fail;
2718	else
2719	length = cell_length - 4;
2720	}
2721	}
2722
2723	ret_val = regfi_parse_data(file, offset, length, strict);
2724	}
2725
2726	return ret_val;
2727
2728	fail:
2729	ret_val.buf = NULL;
2730	ret_val.len = 0;
2731	return ret_val;
2732	}
2733
2734
2735	/******************************************************************************
2736	* Parses the common case data records stored in a single cell.
2737	******************************************************************************/
2738	REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32 offset,
2739	uint32 length, bool strict)
2740	{
2741	REGFI_BUFFER ret_val;
2742	uint32 read_length;
2743
2744	ret_val.buf = NULL;
2745	ret_val.len = 0;
2746
2747	if(lseek(file->fd, offset+4, SEEK_SET) == -1)
2748	{
2749	regfi_add_message(file, REGFI_MSG_WARN, "Could not seek while "
2750	"reading data at offset 0x%.8X.", offset);
2751	return ret_val;
2752	}
2753
2754	if((ret_val.buf = talloc_array(NULL, uint8, length)) == NULL)
2755	return ret_val;
2756	ret_val.len = length;
2757
2758	read_length = length;
2759	if((regfi_read(file->fd, ret_val.buf, &read_length) != 0)
2760	\|\| read_length != length)
2761	{
2762	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read data block while"
2763	" parsing data record at offset 0x%.8X.", offset);
2764	talloc_free(ret_val.buf);
2765	ret_val.buf = NULL;
2766	ret_val.buf = 0;
2767	}
2768
2769	return ret_val;
2770	}
2771
2772
2773
2774	/******************************************************************************
2775	*
2776	******************************************************************************/
2777	REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32 voffset,
2778	uint32 length, bool strict)
2779	{
2780	REGFI_BUFFER ret_val;
2781	uint8 i;
2782
2783	ret_val.buf = NULL;
2784	ret_val.len = 0;
2785
2786	if(length > 4)
2787	{
2788	regfi_add_message(file, REGFI_MSG_ERROR, "Data in offset but length > 4"
2789	" while parsing data record. (voffset=0x%.8X, length=%d)",
2790	voffset, length);
2791	return ret_val;
2792	}
2793
2794	if((ret_val.buf = talloc_array(NULL, uint8, length)) == NULL)
2795	return ret_val;
2796	ret_val.len = length;
2797
2798	for(i = 0; i < length; i++)
2799	ret_val.buf[i] = (uint8)((voffset >> i*8) & 0xFF);
2800
2801	return ret_val;
2802	}
2803
2804	/******************************************************************************
2805	*******************************************************************************/
2806	REGFI_BUFFER regfi_parse_big_data_header(REGFI_FILE* file, uint32 offset,
2807	uint32 max_size, bool strict)
2808	{
2809	REGFI_BUFFER ret_val;
2810	uint32 cell_length;
2811	bool unalloc;
2812
2813	/* XXX: do something with unalloc? */
2814	ret_val.buf = (uint8*)talloc_array(NULL, uint8, REGFI_BIG_DATA_MIN_LENGTH);
2815	if(ret_val.buf == NULL)
2816	goto fail;
2817
2818	if(REGFI_BIG_DATA_MIN_LENGTH > max_size)
2819	{
2820	regfi_add_message(file, REGFI_MSG_WARN, "Big data header exceeded max_size "
2821	"while parsing big data header at offset 0x%.8X.",offset);
2822	goto fail;
2823	}
2824
2825	if(!regfi_parse_cell(file->fd, offset, ret_val.buf, REGFI_BIG_DATA_MIN_LENGTH,
2826	&cell_length, &unalloc))
2827	{
2828	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
2829	" parsing big data header at offset 0x%.8X.", offset);
2830	goto fail;
2831	}
2832
2833	if((ret_val.buf[0] != 'd') \|\| (ret_val.buf[1] != 'b'))
2834	{
2835	regfi_add_message(file, REGFI_MSG_WARN, "Unknown magic number"
2836	" (0x%.2X, 0x%.2X) encountered while parsing"
2837	" big data header at offset 0x%.8X.",
2838	ret_val.buf[0], ret_val.buf[1], offset);
2839	goto fail;
2840	}
2841
2842	ret_val.len = REGFI_BIG_DATA_MIN_LENGTH;
2843	return ret_val;
2844
2845	fail:
2846	if(ret_val.buf != NULL)
2847	{
2848	talloc_free(ret_val.buf);
2849	ret_val.buf = NULL;
2850	}
2851	ret_val.len = 0;
2852	return ret_val;
2853	}
2854
2855
2856
2857	/******************************************************************************
2858	*
2859	******************************************************************************/
2860	uint32* regfi_parse_big_data_indirect(REGFI_FILE* file, uint32 offset,
2861	uint16 num_chunks, bool strict)
2862	{
2863	uint32* ret_val;
2864	uint32 indirect_length;
2865	int32 max_size;
2866	uint16 i;
2867	bool unalloc;
2868
2869	/* XXX: do something with unalloc? */
2870
2871	max_size = regfi_calc_maxsize(file, offset);
2872	if((max_size < 0) \|\| (num_chunks*sizeof(uint32) + 4 > max_size))
2873	return NULL;
2874
2875	ret_val = (uint32*)talloc_array(NULL, uint32, num_chunks);
2876	if(ret_val == NULL)
2877	goto fail;
2878
2879	if(!regfi_parse_cell(file->fd, offset, (uint8*)ret_val,
2880	num_chunks*sizeof(uint32),
2881	&indirect_length, &unalloc))
2882	{
2883	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
2884	" parsing big data indirect record at offset 0x%.8X.",
2885	offset);
2886	goto fail;
2887	}
2888
2889	/* Convert pointers to proper endianess, verify they are aligned. */
2890	for(i=0; i<num_chunks; i++)
2891	{
2892	ret_val[i] = IVAL(ret_val, i*sizeof(uint32));
2893	if((ret_val[i] & 0x00000007) != 0)
2894	goto fail;
2895	}
2896
2897	return ret_val;
2898
2899	fail:
2900	if(ret_val != NULL)
2901	talloc_free(ret_val);
2902	return NULL;
2903	}
2904
2905
2906	/******************************************************************************
2907	* Arguments:
2908	* file --
2909	* offsets -- list of virtual offsets.
2910	* num_chunks --
2911	* strict --
2912	*
2913	* Returns:
2914	* A range_list with physical offsets and complete lengths
2915	* (including cell headers) of associated cells.
2916	* No data in range_list elements.
2917	******************************************************************************/
2918	range_list* regfi_parse_big_data_cells(REGFI_FILE* file, uint32* offsets,
2919	uint16 num_chunks, bool strict)
2920	{
2921	uint32 cell_length, chunk_offset;
2922	range_list* ret_val;
2923	uint16 i;
2924	bool unalloc;
2925
2926	/* XXX: do something with unalloc? */
2927	ret_val = range_list_new();
2928	if(ret_val == NULL)
2929	goto fail;
2930
2931	for(i=0; i<num_chunks; i++)
2932	{
2933	chunk_offset = offsets[i]+REGFI_REGF_SIZE;
2934	if(!regfi_parse_cell(file->fd, chunk_offset, NULL, 0,
2935	&cell_length, &unalloc))
2936	{
2937	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
2938	" parsing big data chunk at offset 0x%.8X.",
2939	chunk_offset);
2940	goto fail;
2941	}
2942
2943	if(!range_list_add(ret_val, chunk_offset, cell_length, NULL))
2944	goto fail;
2945	}
2946
2947	return ret_val;
2948
2949	fail:
2950	if(ret_val != NULL)
2951	range_list_free(ret_val);
2952	return NULL;
2953	}
2954
2955
2956	/******************************************************************************
2957	*******************************************************************************/
2958	REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file,
2959	uint32 offset, uint32 data_length,
2960	uint32 cell_length, range_list* used_ranges,
2961	bool strict)
2962	{
2963	REGFI_BUFFER ret_val;
2964	uint16 num_chunks, i;
2965	uint32 read_length, data_left, tmp_len, indirect_offset;
2966	uint32* indirect_ptrs = NULL;
2967	REGFI_BUFFER bd_header;
2968	range_list* bd_cells = NULL;
2969	const range_list_element* cell_info;
2970
2971	ret_val.buf = NULL;
2972
2973	/* XXX: Add better error/warning messages */
2974
2975	bd_header = regfi_parse_big_data_header(file, offset, cell_length, strict);
2976	if(bd_header.buf == NULL)
2977	goto fail;
2978
2979	/* Keep track of used space for use by reglookup-recover */
2980	if(used_ranges != NULL)
2981	if(!range_list_add(used_ranges, offset, cell_length, NULL))
2982	goto fail;
2983
2984	num_chunks = SVAL(bd_header.buf, 0x2);
2985	indirect_offset = IVAL(bd_header.buf, 0x4) + REGFI_REGF_SIZE;
2986	talloc_free(bd_header.buf);
2987
2988	indirect_ptrs = regfi_parse_big_data_indirect(file, indirect_offset,
2989	num_chunks, strict);
2990	if(indirect_ptrs == NULL)
2991	goto fail;
2992
2993	if(used_ranges != NULL)
2994	if(!range_list_add(used_ranges, indirect_offset, num_chunks*4+4, NULL))
2995	goto fail;
2996
2997	if((ret_val.buf = talloc_array(NULL, uint8_t, data_length)) == NULL)
2998	goto fail;
2999	data_left = data_length;
3000
3001	bd_cells = regfi_parse_big_data_cells(file, indirect_ptrs, num_chunks, strict);
3002	if(bd_cells == NULL)
3003	goto fail;
3004
3005	talloc_free(indirect_ptrs);
3006	indirect_ptrs = NULL;
3007
3008	for(i=0; (i<num_chunks) && (data_left>0); i++)
3009	{
3010	cell_info = range_list_get(bd_cells, i);
3011	if(cell_info == NULL)
3012	goto fail;
3013
3014	/* XXX: This should be "cell_info->length-4" to account for the 4 byte cell
3015	* length. However, it has been observed that some (all?) chunks
3016	* have an additional 4 bytes of 0 at the end of their cells that
3017	* isn't part of the data, so we're trimming that off too.
3018	* Perhaps it's just an 8 byte alignment requirement...
3019	*/
3020	if(cell_info->length - 8 >= data_left)
3021	{
3022	if(i+1 != num_chunks)
3023	{
3024	regfi_add_message(file, REGFI_MSG_WARN, "Left over chunks detected "
3025	"while constructing big data at offset 0x%.8X "
3026	"(chunk offset 0x%.8X).", offset, cell_info->offset);
3027	}
3028	read_length = data_left;
3029	}
3030	else
3031	read_length = cell_info->length - 8;
3032
3033
3034	if(read_length > regfi_calc_maxsize(file, cell_info->offset))
3035	{
3036	regfi_add_message(file, REGFI_MSG_WARN, "A chunk exceeded the maxsize "
3037	"while constructing big data at offset 0x%.8X "
3038	"(chunk offset 0x%.8X).", offset, cell_info->offset);
3039	goto fail;
3040	}
3041
3042	if(lseek(file->fd, cell_info->offset+sizeof(uint32), SEEK_SET) == -1)
3043	{
3044	regfi_add_message(file, REGFI_MSG_WARN, "Could not seek to chunk while "
3045	"constructing big data at offset 0x%.8X "
3046	"(chunk offset 0x%.8X).", offset, cell_info->offset);
3047	goto fail;
3048	}
3049
3050	tmp_len = read_length;
3051	if(regfi_read(file->fd, ret_val.buf+(data_length-data_left),
3052	&read_length) != 0 \|\| (read_length != tmp_len))
3053	{
3054	regfi_add_message(file, REGFI_MSG_WARN, "Could not read data chunk while"
3055	" constructing big data at offset 0x%.8X"
3056	" (chunk offset 0x%.8X).", offset, cell_info->offset);
3057	goto fail;
3058	}
3059
3060	if(used_ranges != NULL)
3061	if(!range_list_add(used_ranges, cell_info->offset,cell_info->length,NULL))
3062	goto fail;
3063
3064	data_left -= read_length;
3065	}
3066	range_list_free(bd_cells);
3067
3068	ret_val.len = data_length-data_left;
3069	return ret_val;
3070
3071	fail:
3072	if(ret_val.buf != NULL)
3073	talloc_free(ret_val.buf);
3074	if(indirect_ptrs != NULL)
3075	talloc_free(indirect_ptrs);
3076	if(bd_cells != NULL)
3077	range_list_free(bd_cells);
3078	ret_val.buf = NULL;
3079	ret_val.len = 0;
3080	return ret_val;
3081	}
3082
3083
3084	range_list* regfi_parse_unalloc_cells(REGFI_FILE* file)
3085	{
3086	range_list* ret_val;
3087	REGFI_HBIN* hbin;
3088	const range_list_element* hbins_elem;
3089	uint32 i, num_hbins, curr_off, cell_len;
3090	bool is_unalloc;
3091
3092	ret_val = range_list_new();
3093	if(ret_val == NULL)
3094	return NULL;
3095
3096	num_hbins = range_list_size(file->hbins);
3097	for(i=0; i<num_hbins; i++)
3098	{
3099	hbins_elem = range_list_get(file->hbins, i);
3100	if(hbins_elem == NULL)
3101	break;
3102	hbin = (REGFI_HBIN*)hbins_elem->data;
3103
3104	curr_off = REGFI_HBIN_HEADER_SIZE;
3105	while(curr_off < hbin->block_size)
3106	{
3107	if(!regfi_parse_cell(file->fd, hbin->file_off+curr_off, NULL, 0,
3108	&cell_len, &is_unalloc))
3109	break;
3110
3111	if((cell_len == 0) \|\| ((cell_len & 0x00000007) != 0))
3112	{
3113	regfi_add_message(file, REGFI_MSG_ERROR, "Bad cell length encountered"
3114	" while parsing unallocated cells at offset 0x%.8X.",
3115	hbin->file_off+curr_off);
3116	break;
3117	}
3118
3119	/* for some reason the record_size of the last record in
3120	an hbin block can extend past the end of the block
3121	even though the record fits within the remaining
3122	space....aaarrrgggghhhhhh */
3123	if(curr_off + cell_len >= hbin->block_size)
3124	cell_len = hbin->block_size - curr_off;
3125
3126	if(is_unalloc)
3127	range_list_add(ret_val, hbin->file_off+curr_off,
3128	cell_len, NULL);
3129
3130	curr_off = curr_off+cell_len;
3131	}
3132	}
3133
3134	return ret_val;
3135	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: