/* * Copyright (C) 2005-2010 Timothy D. Morgan * Copyright (C) 2005 Gerald (Jerry) Carter * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; version 3 of the License. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * $Id: regfi.c 215 2011-03-28 01:46:11Z tim $ */ /** * @file * * Windows NT (and later) read-only registry library * * See @ref regfi.h for more information. * * Branched from Samba project Subversion repository, version #7470: * http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto * * Since then, it has been heavily rewritten, simplified, and improved. */ #include "regfi.h" /* Registry types mapping */ const unsigned int regfi_num_reg_types = 12; static const char* regfi_type_names[] = {"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK", "MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"}; const char* regfi_encoding_names[] = {"US-ASCII//TRANSLIT", "UTF-8//TRANSLIT", "UTF-16LE//TRANSLIT"}; /* Ensures regfi_init runs only once */ static pthread_once_t regfi_init_once = PTHREAD_ONCE_INIT; /****************************************************************************** ******************************************************************************/ void regfi_log_free(void* ptr) { REGFI_LOG* log_info = (REGFI_LOG*)ptr; if(log_info->messages != NULL) free(log_info->messages); talloc_free(log_info); } /****************************************************************************** ******************************************************************************/ void regfi_init() { int err; if((err = pthread_key_create(®fi_log_key, regfi_log_free)) != 0) fprintf(stderr, "ERROR: key_create: %s\n", strerror(err)); errno = err; } /****************************************************************************** ******************************************************************************/ REGFI_LOG* regfi_log_new() { int err; REGFI_LOG* log_info = talloc(NULL, REGFI_LOG); if(log_info == NULL) return NULL; log_info->msg_mask = REGFI_DEFAULT_LOG_MASK; log_info->messages = NULL; pthread_once(®fi_init_once, regfi_init); if((err = pthread_setspecific(regfi_log_key, log_info)) != 0) { fprintf(stderr, "ERROR: setspecific: %s\n", strerror(err)); goto fail; } return log_info; fail: talloc_free(log_info); errno = err; return NULL; } /****************************************************************************** ******************************************************************************/ void regfi_log_add(uint16_t msg_type, const char* fmt, ...) { /* XXX: Switch internal storage over to a linked list or stack. * Then add a regfi_log_get function that returns the list in some * convenient, user-friendly data structure. regfi_log_get_str should * stick around and will simply smush the list into a big string when * it's called, rather than having messages smushed when they're first * written to the log. */ uint32_t buf_size, buf_used; char* new_msg; REGFI_LOG* log_info; va_list args; log_info = (REGFI_LOG*)pthread_getspecific(regfi_log_key); if(log_info == NULL && (log_info = regfi_log_new()) == NULL) return; if((log_info->msg_mask & msg_type) == 0) return; if(log_info->messages == NULL) buf_used = 0; else buf_used = strlen(log_info->messages); buf_size = buf_used+strlen(fmt)+160; new_msg = realloc(log_info->messages, buf_size); if(new_msg == NULL) /* XXX: should we report this? */ return; switch (msg_type) { case REGFI_LOG_INFO: strcpy(new_msg+buf_used, "INFO: "); buf_used += 6; break; case REGFI_LOG_WARN: strcpy(new_msg+buf_used, "WARN: "); buf_used += 6; break; case REGFI_LOG_ERROR: strcpy(new_msg+buf_used, "ERROR: "); buf_used += 7; break; } va_start(args, fmt); vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args); va_end(args); strncat(new_msg, "\n", buf_size-1); log_info->messages = new_msg; } /****************************************************************************** ******************************************************************************/ char* regfi_log_get_str() { char* ret_val; REGFI_LOG* log_info = (REGFI_LOG*)pthread_getspecific(regfi_log_key); if(log_info == NULL && (log_info = regfi_log_new()) == NULL) return NULL; ret_val = log_info->messages; log_info->messages = NULL; return ret_val; } /****************************************************************************** ******************************************************************************/ bool regfi_log_set_mask(uint16_t msg_mask) { REGFI_LOG* log_info = (REGFI_LOG*)pthread_getspecific(regfi_log_key); if(log_info == NULL && (log_info = regfi_log_new()) == NULL) { return false; } log_info->msg_mask = msg_mask; return true; } /****************************************************************************** * Returns NULL for an invalid e *****************************************************************************/ static const char* regfi_encoding_int2str(REGFI_ENCODING e) { if(e < REGFI_NUM_ENCODINGS) return regfi_encoding_names[e]; return NULL; } /****************************************************************************** * Returns NULL for an invalid val *****************************************************************************/ const char* regfi_type_val2str(unsigned int val) { if(val == REG_KEY) return "KEY"; if(val >= regfi_num_reg_types) return NULL; return regfi_type_names[val]; } /****************************************************************************** * Returns -1 on error *****************************************************************************/ int regfi_type_str2val(const char* str) { int i; if(strcmp("KEY", str) == 0) return REG_KEY; for(i=0; i < regfi_num_reg_types; i++) if (strcmp(regfi_type_names[i], str) == 0) return i; if(strcmp("DWORD_LE", str) == 0) return REG_DWORD_LE; return -1; } /* Security descriptor formatting functions */ const char* regfi_ace_type2str(uint8_t type) { static const char* map[7] = {"ALLOW", "DENY", "AUDIT", "ALARM", "ALLOW CPD", "OBJ ALLOW", "OBJ DENY"}; if(type < 7) return map[type]; else /* XXX: would be nice to return the unknown integer value. * However, as it is a const string, it can't be free()ed later on, * so that would need to change. */ return "UNKNOWN"; } /* XXX: need a better reference on the meaning of each flag. */ /* For more info, see: * http://msdn2.microsoft.com/en-us/library/aa772242.aspx */ char* regfi_ace_flags2str(uint8_t flags) { static const char* flag_map[32] = { "OI", /* Object Inherit */ "CI", /* Container Inherit */ "NP", /* Non-Propagate */ "IO", /* Inherit Only */ "IA", /* Inherited ACE */ NULL, NULL, NULL, }; char* ret_val = malloc(35*sizeof(char)); char* fo = ret_val; uint32_t i; uint8_t f; if(ret_val == NULL) return NULL; fo[0] = '\0'; if (!flags) return ret_val; for(i=0; i < 8; i++) { f = (1<num_auths; char* ret_val = malloc(size); if(ret_val == NULL) return NULL; if(comps > WINSEC_MAX_SUBAUTHS) comps = WINSEC_MAX_SUBAUTHS; left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]); for (i = 0; i < comps; i++) left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]); return ret_val; } char* regfi_get_acl(WINSEC_ACL* acl) { uint32_t i, extra, size = 0; const char* type_str; char* flags_str; char* perms_str; char* sid_str; char* ace_delim = ""; char* ret_val = NULL; char* tmp_val = NULL; bool failed = false; char field_delim = ':'; for (i = 0; i < acl->num_aces && !failed; i++) { sid_str = regfi_sid2str(acl->aces[i]->trustee); type_str = regfi_ace_type2str(acl->aces[i]->type); perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask); flags_str = regfi_ace_flags2str(acl->aces[i]->flags); if(flags_str != NULL && perms_str != NULL && type_str != NULL && sid_str != NULL) { /* XXX: this is slow */ extra = strlen(sid_str) + strlen(type_str) + strlen(perms_str) + strlen(flags_str) + 5; tmp_val = realloc(ret_val, size+extra); if(tmp_val == NULL) { free(ret_val); ret_val = NULL; failed = true; } else { ret_val = tmp_val; size += sprintf(ret_val+size, "%s%s%c%s%c%s%c%s", ace_delim,sid_str, field_delim,type_str, field_delim,perms_str, field_delim,flags_str); ace_delim = "|"; } } else failed = true; if(sid_str != NULL) free(sid_str); if(sid_str != NULL) free(perms_str); if(sid_str != NULL) free(flags_str); } return ret_val; } char* regfi_get_sacl(WINSEC_DESC *sec_desc) { if (sec_desc->sacl) return regfi_get_acl(sec_desc->sacl); else return NULL; } char* regfi_get_dacl(WINSEC_DESC *sec_desc) { if (sec_desc->dacl) return regfi_get_acl(sec_desc->dacl); else return NULL; } char* regfi_get_owner(WINSEC_DESC *sec_desc) { return regfi_sid2str(sec_desc->owner_sid); } char* regfi_get_group(WINSEC_DESC *sec_desc) { return regfi_sid2str(sec_desc->grp_sid); } bool regfi_read_lock(REGFI_FILE* file, pthread_rwlock_t* lock, const char* context) { int lock_ret = pthread_rwlock_rdlock(lock); if(lock_ret != 0) { regfi_log_add(REGFI_LOG_ERROR, "Error obtaining read lock in" "%s due to: %s\n", context, strerror(lock_ret)); return false; } return true; } bool regfi_write_lock(REGFI_FILE* file, pthread_rwlock_t* lock, const char* context) { int lock_ret = pthread_rwlock_wrlock(lock); if(lock_ret != 0) { regfi_log_add(REGFI_LOG_ERROR, "Error obtaining write lock in" "%s due to: %s\n", context, strerror(lock_ret)); return false; } return true; } bool regfi_rw_unlock(REGFI_FILE* file, pthread_rwlock_t* lock, const char* context) { int lock_ret = pthread_rwlock_unlock(lock); if(lock_ret != 0) { regfi_log_add(REGFI_LOG_ERROR, "Error releasing lock in" "%s due to: %s\n", context, strerror(lock_ret)); return false; } return true; } bool regfi_lock(REGFI_FILE* file, pthread_mutex_t* lock, const char* context) { int lock_ret = pthread_mutex_lock(lock); if(lock_ret != 0) { regfi_log_add(REGFI_LOG_ERROR, "Error obtaining mutex lock in" "%s due to: %s\n", context, strerror(lock_ret)); return false; } return true; } bool regfi_unlock(REGFI_FILE* file, pthread_mutex_t* lock, const char* context) { int lock_ret = pthread_mutex_unlock(lock); if(lock_ret != 0) { regfi_log_add(REGFI_LOG_ERROR, "Error releasing mutex lock in" "%s due to: %s\n", context, strerror(lock_ret)); return false; } return true; } off_t regfi_raw_seek(REGFI_RAW_FILE* self, off_t offset, int whence) { return lseek(*(int*)self->state, offset, whence); } ssize_t regfi_raw_read(REGFI_RAW_FILE* self, void* buf, size_t count) { return read(*(int*)self->state, buf, count); } /***************************************************************************** * Convenience function to wrap up the ugly callback stuff *****************************************************************************/ off_t regfi_seek(REGFI_RAW_FILE* file_cb, off_t offset, int whence) { return file_cb->seek(file_cb, offset, whence); } /***************************************************************************** * This function is just like read(2), except that it continues to * re-try reading from the file descriptor if EINTR or EAGAIN is received. * regfi_read will attempt to read length bytes from the file and write them to * buf. * * On success, 0 is returned. Upon failure, an errno code is returned. * * The number of bytes successfully read is returned through the length * parameter by reference. If both the return value and length parameter are * returned as 0, then EOF was encountered immediately *****************************************************************************/ uint32_t regfi_read(REGFI_RAW_FILE* file_cb, uint8_t* buf, uint32_t* length) { uint32_t rsize = 0; uint32_t rret = 0; do { rret = file_cb->read(file_cb, buf + rsize, *length - rsize); if(rret > 0) rsize += rret; }while(*length - rsize > 0 && (rret > 0 || (rret == -1 && (errno == EAGAIN || errno == EINTR)))); *length = rsize; if (rret == -1 && errno != EINTR && errno != EAGAIN) return errno; return 0; } /***************************************************************************** * *****************************************************************************/ bool regfi_parse_cell(REGFI_RAW_FILE* file_cb, uint32_t offset, uint8_t* hdr, uint32_t hdr_len, uint32_t* cell_length, bool* unalloc) { uint32_t length; int32_t raw_length; uint8_t tmp[4]; if(regfi_seek(file_cb, offset, SEEK_SET) == -1) return false; length = 4; if((regfi_read(file_cb, tmp, &length) != 0) || length != 4) return false; raw_length = IVALS(tmp, 0); if(raw_length < 0) { (*cell_length) = raw_length*(-1); (*unalloc) = false; } else { (*cell_length) = raw_length; (*unalloc) = true; } if(*cell_length - 4 < hdr_len) return false; if(hdr_len > 0) { length = hdr_len; if((regfi_read(file_cb, hdr, &length) != 0) || length != hdr_len) return false; } return true; } /****************************************************************************** * Given an offset and an hbin, is the offset within that hbin? * The offset is a virtual file offset. ******************************************************************************/ static bool regfi_offset_in_hbin(const REGFI_HBIN* hbin, uint32_t voffset) { if(!hbin) return false; if((voffset > hbin->first_hbin_off) && (voffset < (hbin->first_hbin_off + hbin->block_size))) return true; return false; } /****************************************************************************** * Provide a physical offset and receive the correpsonding HBIN * block for it. NULL if one doesn't exist. ******************************************************************************/ const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32_t offset) { return (const REGFI_HBIN*)range_list_find_data(file->hbins, offset); } /****************************************************************************** * Calculate the largest possible cell size given a physical offset. * Largest size is based on the HBIN the offset is currently a member of. * Returns negative values on error. * (Since cells can only be ~2^31 in size, this works out.) ******************************************************************************/ int32_t regfi_calc_maxsize(REGFI_FILE* file, uint32_t offset) { const REGFI_HBIN* hbin = regfi_lookup_hbin(file, offset); if(hbin == NULL) return -1; return (hbin->block_size + hbin->file_off) - offset; } /****************************************************************************** ******************************************************************************/ REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32_t offset, uint32_t num_keys, uint32_t max_size, bool strict) { REGFI_SUBKEY_LIST* ret_val; ret_val = regfi_load_subkeylist_aux(file, offset, max_size, strict, REGFI_MAX_SUBKEY_DEPTH); if(ret_val == NULL) { regfi_log_add(REGFI_LOG_WARN, "Failed to load subkey list at" " offset 0x%.8X.", offset); return NULL; } if(num_keys != ret_val->num_keys) { /* Not sure which should be authoritative, the number from the * NK record, or the number in the subkey list. Just emit a warning for * now if they don't match. */ regfi_log_add(REGFI_LOG_WARN, "Number of subkeys listed in parent" " (%d) did not match number found in subkey list/tree (%d)" " while parsing subkey list/tree at offset 0x%.8X.", num_keys, ret_val->num_keys, offset); } return ret_val; } /****************************************************************************** ******************************************************************************/ REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32_t offset, uint32_t max_size, bool strict, uint8_t depth_left) { REGFI_SUBKEY_LIST* ret_val; REGFI_SUBKEY_LIST** sublists; uint32_t i, num_sublists, off; int32_t sublist_maxsize; if(depth_left == 0) { regfi_log_add(REGFI_LOG_WARN, "Maximum depth reached" " while parsing subkey list/tree at offset 0x%.8X.", offset); return NULL; } ret_val = regfi_parse_subkeylist(file, offset, max_size, strict); if(ret_val == NULL) return NULL; if(ret_val->recursive_type) { num_sublists = ret_val->num_children; sublists = (REGFI_SUBKEY_LIST**)malloc(num_sublists * sizeof(REGFI_SUBKEY_LIST*)); for(i=0; i < num_sublists; i++) { off = ret_val->elements[i].offset + REGFI_REGF_SIZE; sublist_maxsize = regfi_calc_maxsize(file, off); if(sublist_maxsize < 0) sublists[i] = NULL; else sublists[i] = regfi_load_subkeylist_aux(file, off, sublist_maxsize, strict, depth_left-1); } talloc_free(ret_val); return regfi_merge_subkeylists(num_sublists, sublists, strict); } return ret_val; } /****************************************************************************** ******************************************************************************/ REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32_t offset, uint32_t max_size, bool strict) { REGFI_SUBKEY_LIST* ret_val; uint32_t i, cell_length, length, elem_size, read_len; uint8_t* elements = NULL; uint8_t buf[REGFI_SUBKEY_LIST_MIN_LEN]; bool unalloc; bool recursive_type; if(!regfi_lock(file, &file->cb_lock, "regfi_parse_subkeylist")) goto fail; if(!regfi_parse_cell(file->cb, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN, &cell_length, &unalloc)) { regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while " "parsing subkey-list at offset 0x%.8X.", offset); goto fail_locked; } if(cell_length > max_size) { regfi_log_add(REGFI_LOG_WARN, "Cell size longer than max_size" " while parsing subkey-list at offset 0x%.8X.", offset); if(strict) goto fail_locked; cell_length = max_size & 0xFFFFFFF8; } recursive_type = false; if(buf[0] == 'r' && buf[1] == 'i') { recursive_type = true; elem_size = sizeof(uint32_t); } else if(buf[0] == 'l' && buf[1] == 'i') { elem_size = sizeof(uint32_t); } else if((buf[0] == 'l') && (buf[1] == 'f' || buf[1] == 'h')) elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM); else { regfi_log_add(REGFI_LOG_ERROR, "Unknown magic number" " (0x%.2X, 0x%.2X) encountered while parsing" " subkey-list at offset 0x%.8X.", buf[0], buf[1], offset); goto fail_locked; } ret_val = talloc(NULL, REGFI_SUBKEY_LIST); if(ret_val == NULL) goto fail_locked; ret_val->offset = offset; ret_val->cell_size = cell_length; ret_val->magic[0] = buf[0]; ret_val->magic[1] = buf[1]; ret_val->recursive_type = recursive_type; ret_val->num_children = SVAL(buf, 0x2); if(!recursive_type) ret_val->num_keys = ret_val->num_children; length = elem_size*ret_val->num_children; if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32_t) < length) { regfi_log_add(REGFI_LOG_WARN, "Number of elements too large for" " cell while parsing subkey-list at offset 0x%.8X.", offset); if(strict) goto fail_locked; length = cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32_t); } ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM, ret_val->num_children); if(ret_val->elements == NULL) goto fail_locked; elements = (uint8_t*)malloc(length); if(elements == NULL) goto fail_locked; read_len = length; if(regfi_read(file->cb, elements, &read_len) != 0 || read_len!=length) goto fail_locked; if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_subkeylist")) goto fail; if(elem_size == sizeof(uint32_t)) { for (i=0; i < ret_val->num_children; i++) { ret_val->elements[i].offset = IVAL(elements, i*elem_size); ret_val->elements[i].hash = 0; } } else { for (i=0; i < ret_val->num_children; i++) { ret_val->elements[i].offset = IVAL(elements, i*elem_size); ret_val->elements[i].hash = IVAL(elements, i*elem_size+4); } } free(elements); return ret_val; fail_locked: regfi_unlock(file, &file->cb_lock, "regfi_parse_subkeylist"); fail: if(elements != NULL) free(elements); talloc_free(ret_val); return NULL; } /******************************************************************* *******************************************************************/ REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16_t num_lists, REGFI_SUBKEY_LIST** lists, bool strict) { uint32_t i,j,k; REGFI_SUBKEY_LIST* ret_val; if(lists == NULL) return NULL; ret_val = talloc(NULL, REGFI_SUBKEY_LIST); if(ret_val == NULL) return NULL; /* Obtain total number of elements */ ret_val->num_keys = 0; for(i=0; i < num_lists; i++) { if(lists[i] != NULL) ret_val->num_keys += lists[i]->num_children; } ret_val->num_children = ret_val->num_keys; if(ret_val->num_keys > 0) { ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM, ret_val->num_keys); k=0; if(ret_val->elements != NULL) { for(i=0; i < num_lists; i++) { if(lists[i] != NULL) { for(j=0; j < lists[i]->num_keys; j++) { ret_val->elements[k].hash = lists[i]->elements[j].hash; ret_val->elements[k++].offset = lists[i]->elements[j].offset; } } } } } for(i=0; i < num_lists; i++) talloc_free(lists[i]); free(lists); return ret_val; } /****************************************************************************** * ******************************************************************************/ REGFI_SK* regfi_parse_sk(REGFI_FILE* file, uint32_t offset, uint32_t max_size, bool strict) { REGFI_SK* ret_val = NULL; uint8_t* sec_desc_buf = NULL; uint32_t cell_length, length; uint8_t sk_header[REGFI_SK_MIN_LENGTH]; bool unalloc = false; if(!regfi_lock(file, &file->cb_lock, "regfi_parse_sk")) goto fail; if(!regfi_parse_cell(file->cb, offset, sk_header, REGFI_SK_MIN_LENGTH, &cell_length, &unalloc)) { regfi_log_add(REGFI_LOG_WARN, "Could not parse SK record cell" " at offset 0x%.8X.", offset); goto fail_locked; } if(sk_header[0] != 's' || sk_header[1] != 'k') { regfi_log_add(REGFI_LOG_WARN, "Magic number mismatch in parsing" " SK record at offset 0x%.8X.", offset); goto fail_locked; } ret_val = talloc(NULL, REGFI_SK); if(ret_val == NULL) goto fail_locked; ret_val->offset = offset; /* XXX: Is there a way to be more conservative (shorter) with * cell length when cell is unallocated? */ ret_val->cell_size = cell_length; if(ret_val->cell_size > max_size) ret_val->cell_size = max_size & 0xFFFFFFF8; if((ret_val->cell_size < REGFI_SK_MIN_LENGTH) || (strict && (ret_val->cell_size & 0x00000007) != 0)) { regfi_log_add(REGFI_LOG_WARN, "Invalid cell size found while" " parsing SK record at offset 0x%.8X.", offset); goto fail_locked; } ret_val->magic[0] = sk_header[0]; ret_val->magic[1] = sk_header[1]; ret_val->unknown_tag = SVAL(sk_header, 0x2); ret_val->prev_sk_off = IVAL(sk_header, 0x4); ret_val->next_sk_off = IVAL(sk_header, 0x8); ret_val->ref_count = IVAL(sk_header, 0xC); ret_val->desc_size = IVAL(sk_header, 0x10); if((ret_val->prev_sk_off & 0x00000007) != 0 || (ret_val->next_sk_off & 0x00000007) != 0) { regfi_log_add(REGFI_LOG_WARN, "SK record's next/previous offsets" " are not a multiple of 8 while parsing SK record at" " offset 0x%.8X.", offset); goto fail_locked; } if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size) { regfi_log_add(REGFI_LOG_WARN, "Security descriptor too large for" " cell while parsing SK record at offset 0x%.8X.", offset); goto fail_locked; } sec_desc_buf = (uint8_t*)malloc(ret_val->desc_size); if(sec_desc_buf == NULL) goto fail_locked; length = ret_val->desc_size; if(regfi_read(file->cb, sec_desc_buf, &length) != 0 || length != ret_val->desc_size) { regfi_log_add(REGFI_LOG_ERROR, "Failed to read security" " descriptor while parsing SK record at offset 0x%.8X.", offset); goto fail_locked; } if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_sk")) goto fail; if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf, ret_val->desc_size))) { regfi_log_add(REGFI_LOG_ERROR, "Failed to parse security" " descriptor while parsing SK record at offset 0x%.8X.", offset); goto fail; } free(sec_desc_buf); return ret_val; fail_locked: regfi_unlock(file, &file->cb_lock, "regfi_parse_sk"); fail: if(sec_desc_buf != NULL) free(sec_desc_buf); talloc_free(ret_val); return NULL; } REGFI_VALUE_LIST* regfi_parse_valuelist(REGFI_FILE* file, uint32_t offset, uint32_t num_values, bool strict) { REGFI_VALUE_LIST* ret_val; uint32_t i, cell_length, length, read_len; bool unalloc; if(!regfi_lock(file, &file->cb_lock, "regfi_parse_valuelist")) goto fail; if(!regfi_parse_cell(file->cb, offset, NULL, 0, &cell_length, &unalloc)) { regfi_log_add(REGFI_LOG_ERROR, "Failed to read cell header" " while parsing value list at offset 0x%.8X.", offset); goto fail_locked; } if((cell_length & 0x00000007) != 0) { regfi_log_add(REGFI_LOG_WARN, "Cell length not a multiple of 8" " while parsing value list at offset 0x%.8X.", offset); if(strict) goto fail_locked; cell_length = cell_length & 0xFFFFFFF8; } if((num_values * sizeof(uint32_t)) > cell_length-sizeof(uint32_t)) { regfi_log_add(REGFI_LOG_WARN, "Too many values found" " while parsing value list at offset 0x%.8X.", offset); if(strict) goto fail_locked; num_values = cell_length/sizeof(uint32_t) - sizeof(uint32_t); } read_len = num_values*sizeof(uint32_t); ret_val = talloc(NULL, REGFI_VALUE_LIST); if(ret_val == NULL) goto fail_locked; ret_val->elements = (REGFI_VALUE_LIST_ELEM*)talloc_size(ret_val, read_len); if(ret_val->elements == NULL) goto fail_locked; ret_val->offset = offset; ret_val->cell_size = cell_length; ret_val->num_values = num_values; length = read_len; if((regfi_read(file->cb, (uint8_t*)ret_val->elements, &length) != 0) || length != read_len) { regfi_log_add(REGFI_LOG_ERROR, "Failed to read value pointers" " while parsing value list at offset 0x%.8X.", offset); goto fail_locked; } if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_valuelist")) goto fail; for(i=0; i < num_values; i++) { /* Fix endianness */ ret_val->elements[i] = IVAL(&ret_val->elements[i], 0); /* Validate the first num_values values to ensure they make sense */ if(strict) { /* XXX: Need to revisit this file length check when we start dealing * with partial files. */ if((ret_val->elements[i] + REGFI_REGF_SIZE > file->file_length) || ((ret_val->elements[i] & 0x00000007) != 0)) { regfi_log_add(REGFI_LOG_WARN, "Invalid value pointer" " (0x%.8X) found while parsing value list at offset" " 0x%.8X.", ret_val->elements[i], offset); goto fail; } } } return ret_val; fail_locked: regfi_unlock(file, &file->cb_lock, "regfi_parse_valuelist"); fail: talloc_free(ret_val); return NULL; } /* XXX: should give this boolean return type to indicate errors */ void regfi_interpret_valuename(REGFI_FILE* file, REGFI_VK* vk, REGFI_ENCODING output_encoding, bool strict) { /* XXX: Registry value names are supposedly limited to 16383 characters * according to: * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx * Might want to emit a warning if this is exceeded. * It is expected that "characters" could be variable width. * Also, it may be useful to use this information to limit false positives * when recovering deleted VK records. */ int32_t tmp_size; REGFI_ENCODING from_encoding = (vk->flags & REGFI_VK_FLAG_ASCIINAME) ? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE; if(from_encoding == output_encoding) { vk->name_raw[vk->name_length] = '\0'; vk->name = (char*)vk->name_raw; } else { vk->name = talloc_array(vk, char, vk->name_length+1); if(vk->name == NULL) return; tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding), regfi_encoding_int2str(output_encoding), vk->name_raw, vk->name, vk->name_length, vk->name_length+1); if(tmp_size < 0) { regfi_log_add(REGFI_LOG_WARN, "Error occurred while converting" " value name to encoding %s. Error message: %s", regfi_encoding_int2str(output_encoding), strerror(-tmp_size)); talloc_free(vk->name); vk->name = NULL; } } } /****************************************************************************** ******************************************************************************/ REGFI_VK* regfi_load_value(REGFI_FILE* file, uint32_t offset, REGFI_ENCODING output_encoding, bool strict) { REGFI_VK* ret_val = NULL; int32_t max_size; max_size = regfi_calc_maxsize(file, offset); if(max_size < 0) return NULL; ret_val = regfi_parse_vk(file, offset, max_size, strict); if(ret_val == NULL) return NULL; regfi_interpret_valuename(file, ret_val, output_encoding, strict); return ret_val; } /****************************************************************************** * If !strict, the list may contain NULLs, VK records may point to NULL. ******************************************************************************/ REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32_t offset, uint32_t num_values, uint32_t max_size, bool strict) { uint32_t usable_num_values; if((num_values+1) * sizeof(uint32_t) > max_size) { regfi_log_add(REGFI_LOG_WARN, "Number of values indicated by" " parent key (%d) would cause cell to straddle HBIN" " boundary while loading value list at offset" " 0x%.8X.", num_values, offset); if(strict) return NULL; usable_num_values = max_size/sizeof(uint32_t) - sizeof(uint32_t); } else usable_num_values = num_values; return regfi_parse_valuelist(file, offset, usable_num_values, strict); } /* XXX: should give this boolean return type to indicate errors */ void regfi_interpret_keyname(REGFI_FILE* file, REGFI_NK* nk, REGFI_ENCODING output_encoding, bool strict) { /* XXX: Registry key names are supposedly limited to 255 characters according to: * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx * Might want to emit a warning if this is exceeded. * It is expected that "characters" could be variable width. * Also, it may be useful to use this information to limit false positives * when recovering deleted NK records. */ int32_t tmp_size; REGFI_ENCODING from_encoding = (nk->flags & REGFI_NK_FLAG_ASCIINAME) ? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE; if(from_encoding == output_encoding) { nk->name_raw[nk->name_length] = '\0'; nk->name = (char*)nk->name_raw; } else { nk->name = talloc_array(nk, char, nk->name_length+1); if(nk->name == NULL) return; memset(nk->name,0,nk->name_length+1); tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding), regfi_encoding_int2str(output_encoding), nk->name_raw, nk->name, nk->name_length, nk->name_length+1); if(tmp_size < 0) { regfi_log_add(REGFI_LOG_WARN, "Error occurred while converting" " key name to encoding %s. Error message: %s", regfi_encoding_int2str(output_encoding), strerror(-tmp_size)); talloc_free(nk->name); nk->name = NULL; } } } /****************************************************************************** * ******************************************************************************/ REGFI_NK* regfi_load_key(REGFI_FILE* file, uint32_t offset, REGFI_ENCODING output_encoding, bool strict) { REGFI_NK* nk; uint32_t off; int32_t max_size; max_size = regfi_calc_maxsize(file, offset); if (max_size < 0) return NULL; /* get the initial nk record */ if((nk = regfi_parse_nk(file, offset, max_size, true)) == NULL) { regfi_log_add(REGFI_LOG_ERROR, "Could not load NK record at" " offset 0x%.8X.", offset); return NULL; } regfi_interpret_keyname(file, nk, output_encoding, strict); /* get value list */ if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE)) { off = nk->values_off + REGFI_REGF_SIZE; max_size = regfi_calc_maxsize(file, off); if(max_size < 0) { if(strict) { talloc_free(nk); return NULL; } else nk->values = NULL; } else { nk->values = regfi_load_valuelist(file, off, nk->num_values, max_size, true); if(nk->values == NULL) { regfi_log_add(REGFI_LOG_WARN, "Could not load value list" " for NK record at offset 0x%.8X.", offset); if(strict) { talloc_free(nk); return NULL; } } talloc_steal(nk, nk->values); } } /* now get subkey list */ if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE)) { off = nk->subkeys_off + REGFI_REGF_SIZE; max_size = regfi_calc_maxsize(file, off); if(max_size < 0) { if(strict) { talloc_free(nk); return NULL; } else nk->subkeys = NULL; } else { nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys, max_size, true); if(nk->subkeys == NULL) { regfi_log_add(REGFI_LOG_WARN, "Could not load subkey list" " while parsing NK record at offset 0x%.8X.", offset); nk->num_subkeys = 0; } talloc_steal(nk, nk->subkeys); } } return nk; } /****************************************************************************** ******************************************************************************/ const REGFI_SK* regfi_load_sk(REGFI_FILE* file, uint32_t offset, bool strict) { REGFI_SK* ret_val = NULL; int32_t max_size; void* failure_ptr = NULL; max_size = regfi_calc_maxsize(file, offset); if(max_size < 0) return NULL; if(file->sk_cache == NULL) return regfi_parse_sk(file, offset, max_size, strict); if(!regfi_lock(file, &file->sk_lock, "regfi_load_sk")) return NULL; /* First look if we have already parsed it */ ret_val = (REGFI_SK*)lru_cache_find(file->sk_cache, &offset, 4); /* Bail out if we have previously cached a parse failure at this offset. */ if(ret_val == (void*)REGFI_OFFSET_NONE) return NULL; if(ret_val == NULL) { ret_val = regfi_parse_sk(file, offset, max_size, strict); if(ret_val == NULL) { /* Cache the parse failure and bail out. */ failure_ptr = talloc(NULL, uint32_t); if(failure_ptr == NULL) return NULL; *(uint32_t*)failure_ptr = REGFI_OFFSET_NONE; lru_cache_update(file->sk_cache, &offset, 4, failure_ptr); /* Let the cache be the only owner of this */ talloc_unlink(NULL, failure_ptr); return NULL; } } if(!regfi_unlock(file, &file->sk_lock, "regfi_load_sk")) { talloc_unlink(NULL, ret_val); return NULL; } return ret_val; } /****************************************************************************** ******************************************************************************/ REGFI_NK* regfi_find_root_nk(REGFI_FILE* file, const REGFI_HBIN* hbin, REGFI_ENCODING output_encoding) { REGFI_NK* nk = NULL; uint32_t cell_length; uint32_t cur_offset = hbin->file_off+REGFI_HBIN_HEADER_SIZE; uint32_t hbin_end = hbin->file_off+hbin->block_size; bool unalloc; while(cur_offset < hbin_end) { if(!regfi_lock(file, &file->cb_lock, "regfi_find_root_nk")) return NULL; if(!regfi_parse_cell(file->cb, cur_offset, NULL, 0, &cell_length, &unalloc)) { regfi_log_add(REGFI_LOG_WARN, "Could not parse cell at offset" " 0x%.8X while searching for root key.", cur_offset); return NULL; } if(!regfi_unlock(file, &file->cb_lock, "regfi_find_root_nk")) return NULL; if(!unalloc) { nk = regfi_load_key(file, cur_offset, output_encoding, true); if(nk != NULL) { if(nk->flags & REGFI_NK_FLAG_ROOT) return nk; } } cur_offset += cell_length; } return NULL; } /****************************************************************************** ******************************************************************************/ REGFI_FILE* regfi_alloc(int fd, REGFI_ENCODING output_encoding) { REGFI_FILE* ret_val; REGFI_RAW_FILE* file_cb = talloc(NULL, REGFI_RAW_FILE); if(file_cb == NULL) return NULL; file_cb->state = (void*)talloc(file_cb, int); if(file_cb->state == NULL) goto fail; *(int*)file_cb->state = fd; file_cb->cur_off = 0; file_cb->size = 0; file_cb->read = ®fi_raw_read; file_cb->seek = ®fi_raw_seek; ret_val = regfi_alloc_cb(file_cb, output_encoding); if(ret_val == NULL) goto fail; /* In this case, we want file_cb to be freed when ret_val is */ talloc_steal(ret_val, file_cb); return ret_val; fail: talloc_free(file_cb); return NULL; } /****************************************************************************** ******************************************************************************/ int regfi_free_cb(void* f) { REGFI_FILE* file = (REGFI_FILE*)f; pthread_mutex_destroy(&file->cb_lock); pthread_rwlock_destroy(&file->hbins_lock); pthread_mutex_destroy(&file->sk_lock); return 0; } /****************************************************************************** ******************************************************************************/ REGFI_FILE* regfi_alloc_cb(REGFI_RAW_FILE* file_cb, REGFI_ENCODING output_encoding) { REGFI_FILE* rb; REGFI_HBIN* hbin = NULL; uint32_t hbin_off, cache_secret; int32_t file_length; bool rla; /* Determine file length. Must be at least big enough for the header * and one hbin. */ file_length = file_cb->seek(file_cb, 0, SEEK_END); if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC) { regfi_log_add(REGFI_LOG_ERROR, "File length (%d) too short to contain a" " header and at least one HBIN.", file_length); return NULL; } file_cb->seek(file_cb, 0, SEEK_SET); if(output_encoding != REGFI_ENCODING_UTF8 && output_encoding != REGFI_ENCODING_ASCII) { regfi_log_add(REGFI_LOG_ERROR, "Invalid output_encoding supplied" " in creation of regfi iterator."); return NULL; } /* Read file header */ if ((rb = regfi_parse_regf(file_cb, false)) == NULL) { regfi_log_add(REGFI_LOG_ERROR, "Failed to read REGF block."); return NULL; } rb->file_length = file_length; rb->cb = file_cb; rb->string_encoding = output_encoding; if(pthread_mutex_init(&rb->cb_lock, NULL) != 0) { regfi_log_add(REGFI_LOG_ERROR, "Failed to create cb_lock mutex."); goto fail; } if(pthread_rwlock_init(&rb->hbins_lock, NULL) != 0) { regfi_log_add(REGFI_LOG_ERROR, "Failed to create hbins_lock rwlock."); goto fail; } if(pthread_mutex_init(&rb->sk_lock, NULL) != 0) { regfi_log_add(REGFI_LOG_ERROR, "Failed to create sk_lock mutex."); goto fail; } rb->hbins = range_list_new(); if(rb->hbins == NULL) { regfi_log_add(REGFI_LOG_ERROR, "Failed to create HBIN range_list."); goto fail; } talloc_steal(rb, rb->hbins); rla = true; hbin_off = REGFI_REGF_SIZE; hbin = regfi_parse_hbin(rb, hbin_off, true); while(hbin && rla) { rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin); if(rla) talloc_steal(rb->hbins, hbin); hbin_off = hbin->file_off + hbin->block_size; hbin = regfi_parse_hbin(rb, hbin_off, true); } /* This secret isn't very secret, but we don't need a good one. This * secret is just designed to prevent someone from trying to blow our * caching and make things slow. */ cache_secret = 0x15DEAD05^time(NULL)^(getpid()<<16); if(REGFI_CACHE_SK) rb->sk_cache = lru_cache_create_ctx(rb, 64, cache_secret, true); else rb->sk_cache = NULL; /* success */ talloc_set_destructor(rb, regfi_free_cb); return rb; fail: pthread_mutex_destroy(&rb->cb_lock); pthread_rwlock_destroy(&rb->hbins_lock); pthread_mutex_destroy(&rb->sk_lock); range_list_free(rb->hbins); talloc_free(rb); return NULL; } /****************************************************************************** ******************************************************************************/ void regfi_free(REGFI_FILE* file) { /* Callback handles cleanup side effects */ talloc_free(file); } /****************************************************************************** * First checks the offset given by the file header, then checks the * rest of the file if that fails. ******************************************************************************/ const REGFI_NK* regfi_get_rootkey(REGFI_FILE* file) { REGFI_NK* nk = NULL; REGFI_HBIN* hbin; uint32_t root_offset, i, num_hbins; if(!file) return NULL; root_offset = file->root_cell+REGFI_REGF_SIZE; nk = regfi_load_key(file, root_offset, file->string_encoding, true); if(nk != NULL) { if(nk->flags & REGFI_NK_FLAG_ROOT) return nk; } regfi_log_add(REGFI_LOG_WARN, "File header indicated root key at" " location 0x%.8X, but no root key found." " Searching rest of file...", root_offset); /* If the file header gives bad info, scan through the file one HBIN * block at a time looking for an NK record with a root key type. */ if(!regfi_read_lock(file, &file->hbins_lock, "regfi_get_rootkey")) return NULL; num_hbins = range_list_size(file->hbins); for(i=0; i < num_hbins && nk == NULL; i++) { hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data; nk = regfi_find_root_nk(file, hbin, file->string_encoding); } if(!regfi_rw_unlock(file, &file->hbins_lock, "regfi_get_rootkey")) return NULL; return nk; } /****************************************************************************** *****************************************************************************/ void regfi_free_record(const void* record) { talloc_unlink(NULL, (void*)record); } /****************************************************************************** *****************************************************************************/ uint32_t regfi_fetch_num_subkeys(const REGFI_NK* key) { uint32_t num_in_list = 0; if(key == NULL) return 0; if(key->subkeys != NULL) num_in_list = key->subkeys->num_keys; if(num_in_list != key->num_subkeys) { regfi_log_add(REGFI_LOG_INFO, "Key at offset 0x%.8X contains %d keys in its" " subkey list but reports %d should be available.", key->offset, num_in_list, key->num_subkeys); return (num_in_list < key->num_subkeys)?num_in_list:key->num_subkeys; } return num_in_list; } /****************************************************************************** *****************************************************************************/ uint32_t regfi_fetch_num_values(const REGFI_NK* key) { uint32_t num_in_list = 0; if(key == NULL) return 0; if(key->values != NULL) num_in_list = key->values->num_values; if(num_in_list != key->num_values) { regfi_log_add(REGFI_LOG_INFO, "Key at offset 0x%.8X contains %d values in" " its value list but reports %d should be available.", key->offset, num_in_list, key->num_values); return (num_in_list < key->num_values)?num_in_list:key->num_values; } return num_in_list; } /****************************************************************************** *****************************************************************************/ REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* file) { REGFI_NK* root; REGFI_ITERATOR* ret_val; ret_val = talloc(NULL, REGFI_ITERATOR); if(ret_val == NULL) return NULL; root = (REGFI_NK*)regfi_get_rootkey(file); if(root == NULL) { talloc_free(ret_val); return NULL; } ret_val->cur_key = root; talloc_reparent(NULL, ret_val, root); ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH); if(ret_val->key_positions == NULL) { talloc_free(ret_val); return NULL; } talloc_steal(ret_val, ret_val->key_positions); ret_val->f = file; ret_val->cur_subkey = 0; ret_val->cur_value = 0; return ret_val; } /****************************************************************************** *****************************************************************************/ void regfi_iterator_free(REGFI_ITERATOR* i) { talloc_free(i); } /****************************************************************************** *****************************************************************************/ /* XXX: some way of indicating reason for failure should be added. */ bool regfi_iterator_down(REGFI_ITERATOR* i) { REGFI_NK* subkey; REGFI_ITER_POSITION* pos; pos = talloc(i->key_positions, REGFI_ITER_POSITION); if(pos == NULL) return false; subkey = (REGFI_NK*)regfi_iterator_cur_subkey(i); if(subkey == NULL) { talloc_free(pos); return false; } pos->nk = i->cur_key; pos->cur_subkey = i->cur_subkey; if(!void_stack_push(i->key_positions, pos)) { talloc_free(pos); talloc_unlink(NULL, subkey); return false; } talloc_reparent(NULL, i, subkey); i->cur_key = subkey; i->cur_subkey = 0; i->cur_value = 0; return true; } /****************************************************************************** *****************************************************************************/ bool regfi_iterator_up(REGFI_ITERATOR* i) { REGFI_ITER_POSITION* pos; pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions); if(pos == NULL) return false; talloc_unlink(i, i->cur_key); i->cur_key = pos->nk; i->cur_subkey = pos->cur_subkey; i->cur_value = 0; talloc_free(pos); return true; } /****************************************************************************** *****************************************************************************/ bool regfi_iterator_to_root(REGFI_ITERATOR* i) { while(regfi_iterator_up(i)) continue; return true; } /****************************************************************************** *****************************************************************************/ bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* name) { uint32_t new_index; if(regfi_find_subkey(i->f, i->cur_key, name, &new_index)) { i->cur_subkey = new_index; return true; } return false; } /****************************************************************************** *****************************************************************************/ bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path) { uint32_t x; if(path == NULL) return false; for(x=0; ((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x]) && regfi_iterator_down(i)); x++) { continue; } if(path[x] == NULL) { return true; } /* XXX: is this the right number of times? */ for(; x > 0; x--) regfi_iterator_up(i); return false; } /****************************************************************************** *****************************************************************************/ const REGFI_NK* regfi_iterator_cur_key(REGFI_ITERATOR* i) { talloc_reference(NULL, i->cur_key); return i->cur_key; } /****************************************************************************** *****************************************************************************/ const REGFI_SK* regfi_fetch_sk(REGFI_FILE* file, const REGFI_NK* key) { if(key == NULL || key->sk_off == REGFI_OFFSET_NONE) return NULL; return regfi_load_sk(file, key->sk_off + REGFI_REGF_SIZE, true); } /****************************************************************************** *****************************************************************************/ bool regfi_iterator_first_subkey(REGFI_ITERATOR* i) { i->cur_subkey = 0; return ((i->cur_key != NULL) && (i->cur_key->subkeys_off!=REGFI_OFFSET_NONE) && (i->cur_subkey < regfi_fetch_num_subkeys(i->cur_key))); } /****************************************************************************** *****************************************************************************/ const REGFI_NK* regfi_iterator_cur_subkey(REGFI_ITERATOR* i) { return regfi_get_subkey(i->f, i->cur_key, i->cur_subkey); } /****************************************************************************** *****************************************************************************/ bool regfi_iterator_next_subkey(REGFI_ITERATOR* i) { i->cur_subkey++; return ((i->cur_key != NULL) && (i->cur_key->subkeys_off!=REGFI_OFFSET_NONE) && (i->cur_subkey < regfi_fetch_num_subkeys(i->cur_key))); } /****************************************************************************** *****************************************************************************/ bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* name) { uint32_t new_index; if(regfi_find_value(i->f, i->cur_key, name, &new_index)) { i->cur_value = new_index; return true; } return false; } /****************************************************************************** *****************************************************************************/ bool regfi_iterator_first_value(REGFI_ITERATOR* i) { i->cur_value = 0; return (i->cur_key->values != NULL && i->cur_key->values->elements != NULL && (i->cur_value < regfi_fetch_num_values(i->cur_key))); } /****************************************************************************** *****************************************************************************/ const REGFI_VK* regfi_iterator_cur_value(REGFI_ITERATOR* i) { return regfi_get_value(i->f, i->cur_key, i->cur_value); } /****************************************************************************** *****************************************************************************/ bool regfi_iterator_next_value(REGFI_ITERATOR* i) { i->cur_value++; return (i->cur_key->values != NULL && i->cur_key->values->elements != NULL && (i->cur_value < regfi_fetch_num_values(i->cur_key))); } /****************************************************************************** *****************************************************************************/ const REGFI_CLASSNAME* regfi_fetch_classname(REGFI_FILE* file, const REGFI_NK* key) { REGFI_CLASSNAME* ret_val; uint8_t* raw; char* interpreted; uint32_t offset; int32_t conv_size, max_size; uint16_t parse_length; if(key->classname_off == REGFI_OFFSET_NONE || key->classname_length == 0) return NULL; offset = key->classname_off + REGFI_REGF_SIZE; max_size = regfi_calc_maxsize(file, offset); if(max_size <= 0) return NULL; parse_length = key->classname_length; raw = regfi_parse_classname(file, offset, &parse_length, max_size, true); if(raw == NULL) { regfi_log_add(REGFI_LOG_WARN, "Could not parse class" " name at offset 0x%.8X for key record at offset 0x%.8X.", offset, key->offset); return NULL; } ret_val = talloc(NULL, REGFI_CLASSNAME); if(ret_val == NULL) return NULL; ret_val->offset = offset; ret_val->raw = raw; ret_val->size = parse_length; talloc_steal(ret_val, raw); interpreted = talloc_array(NULL, char, parse_length); conv_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE), regfi_encoding_int2str(file->string_encoding), raw, interpreted, parse_length, parse_length); if(conv_size < 0) { regfi_log_add(REGFI_LOG_WARN, "Error occurred while" " converting classname to charset %s. Error message: %s", file->string_encoding, strerror(-conv_size)); talloc_free(interpreted); ret_val->interpreted = NULL; } else { interpreted = talloc_realloc(NULL, interpreted, char, conv_size); ret_val->interpreted = interpreted; talloc_steal(ret_val, interpreted); } return ret_val; } /****************************************************************************** *****************************************************************************/ const REGFI_DATA* regfi_fetch_data(REGFI_FILE* file, const REGFI_VK* value) { REGFI_DATA* ret_val = NULL; REGFI_BUFFER raw_data; if(value->data_size != 0) { raw_data = regfi_load_data(file, value->data_off, value->data_size, value->data_in_offset, true); if(raw_data.buf == NULL) { regfi_log_add(REGFI_LOG_WARN, "Could not parse data record" " while parsing VK record at offset 0x%.8X.", value->offset); } else { ret_val = regfi_buffer_to_data(raw_data); if(ret_val == NULL) { regfi_log_add(REGFI_LOG_WARN, "Error occurred in converting" " data buffer to data structure while interpreting " "data for VK record at offset 0x%.8X.", value->offset); talloc_free(raw_data.buf); return NULL; } if(!regfi_interpret_data(file, file->string_encoding, value->type, ret_val)) { regfi_log_add(REGFI_LOG_INFO, "Error occurred while" " interpreting data for VK record at offset 0x%.8X.", value->offset); } } } return ret_val; } /****************************************************************************** *****************************************************************************/ bool regfi_find_subkey(REGFI_FILE* file, const REGFI_NK* key, const char* name, uint32_t* index) { const REGFI_NK* cur; uint32_t i; uint32_t num_subkeys = regfi_fetch_num_subkeys(key); bool found = false; /* XXX: cur->name can be NULL in the registry. * Should we allow for a way to search for that? */ if(name == NULL) return false; for(i=0; (i < num_subkeys) && (found == false); i++) { cur = regfi_get_subkey(file, key, i); if(cur == NULL) return false; if((cur->name != NULL) && (strcasecmp(cur->name, name) == 0)) { found = true; *index = i; } regfi_free_record(cur); } return found; } /****************************************************************************** *****************************************************************************/ bool regfi_find_value(REGFI_FILE* file, const REGFI_NK* key, const char* name, uint32_t* index) { const REGFI_VK* cur; uint32_t i; uint32_t num_values = regfi_fetch_num_values(key); bool found = false; /* XXX: cur->name can be NULL in the registry. * Should we allow for a way to search for that? */ if(name == NULL) return false; for(i=0; (i < num_values) && (found == false); i++) { cur = regfi_get_value(file, key, i); if(cur == NULL) return false; if((cur->name != NULL) && (strcasecmp(cur->name, name) == 0)) { found = true; *index = i; } regfi_free_record(cur); } return found; } /****************************************************************************** *****************************************************************************/ const REGFI_NK* regfi_get_subkey(REGFI_FILE* file, const REGFI_NK* key, uint32_t index) { if(index < regfi_fetch_num_subkeys(key)) { return regfi_load_key(file, key->subkeys->elements[index].offset+REGFI_REGF_SIZE, file->string_encoding, true); } return NULL; } /****************************************************************************** *****************************************************************************/ const REGFI_VK* regfi_get_value(REGFI_FILE* file, const REGFI_NK* key, uint32_t index) { if(index < regfi_fetch_num_values(key)) { return regfi_load_value(file, key->values->elements[index]+REGFI_REGF_SIZE, file->string_encoding, true); } return NULL; } /****************************************************************************** *****************************************************************************/ const REGFI_NK* regfi_get_parentkey(REGFI_FILE* file, const REGFI_NK* key) { if(key != NULL && key->parent_off != REGFI_OFFSET_NONE) { /* fprintf(stderr, "key->parent_off=%.8X\n", key->parent_off);*/ return regfi_load_key(file, key->parent_off+REGFI_REGF_SIZE, file->string_encoding, true); } return NULL; } /****************************************************************************** *****************************************************************************/ REGFI_DATA* regfi_buffer_to_data(REGFI_BUFFER raw_data) { REGFI_DATA* ret_val; if(raw_data.buf == NULL) return NULL; ret_val = talloc(NULL, REGFI_DATA); if(ret_val == NULL) return NULL; talloc_steal(ret_val, raw_data.buf); ret_val->raw = raw_data.buf; ret_val->size = raw_data.len; ret_val->interpreted_size = 0; ret_val->interpreted.qword = 0; return ret_val; } /****************************************************************************** *****************************************************************************/ bool regfi_interpret_data(REGFI_FILE* file, REGFI_ENCODING string_encoding, uint32_t type, REGFI_DATA* data) { uint8_t** tmp_array; uint8_t* tmp_str; int32_t tmp_size; uint32_t i, j, array_size; if(data == NULL) return false; switch (type) { case REG_SZ: case REG_EXPAND_SZ: /* REG_LINK is a symbolic link, stored as a unicode string. */ case REG_LINK: tmp_str = talloc_array(NULL, uint8_t, data->size); if(tmp_str == NULL) { data->interpreted.string = NULL; data->interpreted_size = 0; return false; } tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE), regfi_encoding_int2str(string_encoding), data->raw, (char*)tmp_str, data->size, data->size); if(tmp_size < 0) { regfi_log_add(REGFI_LOG_INFO, "Error occurred while" " converting data of type %d to %d. Error message: %s", type, string_encoding, strerror(-tmp_size)); talloc_free(tmp_str); data->interpreted.string = NULL; data->interpreted_size = 0; return false; } tmp_str = talloc_realloc(NULL, tmp_str, uint8_t, tmp_size); data->interpreted.string = tmp_str; data->interpreted_size = tmp_size; talloc_steal(data, tmp_str); break; case REG_DWORD: if(data->size < 4) { data->interpreted.dword = 0; data->interpreted_size = 0; return false; } data->interpreted.dword = IVAL(data->raw, 0); data->interpreted_size = 4; break; case REG_DWORD_BE: if(data->size < 4) { data->interpreted.dword_be = 0; data->interpreted_size = 0; return false; } data->interpreted.dword_be = RIVAL(data->raw, 0); data->interpreted_size = 4; break; case REG_QWORD: if(data->size < 8) { data->interpreted.qword = 0; data->interpreted_size = 0; return false; } data->interpreted.qword = (uint64_t)IVAL(data->raw, 0) + (((uint64_t)IVAL(data->raw, 4))<<32); data->interpreted_size = 8; break; case REG_MULTI_SZ: tmp_str = talloc_array(NULL, uint8_t, data->size); if(tmp_str == NULL) { data->interpreted.multiple_string = NULL; data->interpreted_size = 0; return false; } /* Attempt to convert entire string from UTF-16LE to output encoding, * then parse and quote fields individually. */ tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE), regfi_encoding_int2str(string_encoding), data->raw, (char*)tmp_str, data->size, data->size); if(tmp_size < 0) { regfi_log_add(REGFI_LOG_INFO, "Error occurred while" " converting data of type %d to %s. Error message: %s", type, string_encoding, strerror(-tmp_size)); talloc_free(tmp_str); data->interpreted.multiple_string = NULL; data->interpreted_size = 0; return false; } array_size = tmp_size+1; tmp_array = talloc_array(NULL, uint8_t*, array_size); if(tmp_array == NULL) { talloc_free(tmp_str); data->interpreted.string = NULL; data->interpreted_size = 0; return false; } tmp_array[0] = tmp_str; for(i=0,j=1; i < tmp_size && j < array_size-1; i++) { if(tmp_str[i] == '\0' && (i+1 < tmp_size) && tmp_str[i+1] != '\0') tmp_array[j++] = tmp_str+i+1; } tmp_array[j] = NULL; tmp_array = talloc_realloc(NULL, tmp_array, uint8_t*, j+1); data->interpreted.multiple_string = tmp_array; /* XXX: how meaningful is this? should we store number of strings instead? */ data->interpreted_size = tmp_size; talloc_steal(tmp_array, tmp_str); talloc_steal(data, tmp_array); break; /* XXX: Dont know how to interpret these yet, just treat as binary */ case REG_NONE: data->interpreted.none = data->raw; data->interpreted_size = data->size; break; case REG_RESOURCE_LIST: data->interpreted.resource_list = data->raw; data->interpreted_size = data->size; break; case REG_FULL_RESOURCE_DESCRIPTOR: data->interpreted.full_resource_descriptor = data->raw; data->interpreted_size = data->size; break; case REG_RESOURCE_REQUIREMENTS_LIST: data->interpreted.resource_requirements_list = data->raw; data->interpreted_size = data->size; break; case REG_BINARY: data->interpreted.binary = data->raw; data->interpreted_size = data->size; break; default: data->interpreted.qword = 0; data->interpreted_size = 0; return false; } data->type = type; return true; } /****************************************************************************** * Convert from UTF-16LE to specified character set. * On error, returns a negative errno code. *****************************************************************************/ int32_t regfi_conv_charset(const char* input_charset, const char* output_charset, uint8_t* input, char* output, uint32_t input_len, uint32_t output_max) { iconv_t conv_desc; char* inbuf = (char*)input; char* outbuf = output; size_t in_len = (size_t)input_len; size_t out_len = (size_t)(output_max-1); int ret; /* XXX: Consider creating a couple of conversion descriptors earlier, * storing them on an iterator so they don't have to be recreated * each time. */ /* Set up conversion descriptor. */ conv_desc = iconv_open(output_charset, input_charset); ret = iconv(conv_desc, &inbuf, &in_len, &outbuf, &out_len); if(ret == -1) { iconv_close(conv_desc); return -errno; } *outbuf = '\0'; iconv_close(conv_desc); return output_max-out_len-1; } /******************************************************************* * Computes the checksum of the registry file header. * buffer must be at least the size of a regf header (4096 bytes). *******************************************************************/ static uint32_t regfi_compute_header_checksum(uint8_t* buffer) { uint32_t checksum, x; int i; /* XOR of all bytes 0x0000 - 0x01FB */ checksum = x = 0; for ( i=0; i<0x01FB; i+=4 ) { x = IVAL(buffer, i ); checksum ^= x; } return checksum; } /******************************************************************* *******************************************************************/ REGFI_FILE* regfi_parse_regf(REGFI_RAW_FILE* file_cb, bool strict) { uint8_t file_header[REGFI_REGF_SIZE]; uint32_t length; REGFI_FILE* ret_val; ret_val = talloc(NULL, REGFI_FILE); if(ret_val == NULL) return NULL; ret_val->sk_cache = NULL; ret_val->hbins = NULL; length = REGFI_REGF_SIZE; if((regfi_read(file_cb, file_header, &length)) != 0 || length != REGFI_REGF_SIZE) { regfi_log_add(REGFI_LOG_WARN, "Read failed while parsing REGF structure."); goto fail; } ret_val->checksum = IVAL(file_header, 0x1FC); ret_val->computed_checksum = regfi_compute_header_checksum(file_header); if (strict && (ret_val->checksum != ret_val->computed_checksum)) { regfi_log_add(REGFI_LOG_WARN, "Stored header checksum (%.8X) did not equal" " computed checksum (%.8X).", ret_val->checksum, ret_val->computed_checksum); if(strict) goto fail; } memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE); if(memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0) { regfi_log_add(REGFI_LOG_ERROR, "Magic number mismatch " "(%.2X %.2X %.2X %.2X) while parsing hive header", ret_val->magic[0], ret_val->magic[1], ret_val->magic[2], ret_val->magic[3]); goto fail; } ret_val->sequence1 = IVAL(file_header, 0x4); ret_val->sequence2 = IVAL(file_header, 0x8); ret_val->mtime.low = IVAL(file_header, 0xC); ret_val->mtime.high = IVAL(file_header, 0x10); ret_val->major_version = IVAL(file_header, 0x14); ret_val->minor_version = IVAL(file_header, 0x18); ret_val->type = IVAL(file_header, 0x1C); ret_val->format = IVAL(file_header, 0x20); ret_val->root_cell = IVAL(file_header, 0x24); ret_val->last_block = IVAL(file_header, 0x28); ret_val->cluster = IVAL(file_header, 0x2C); memcpy(ret_val->file_name, file_header+0x30, REGFI_REGF_NAME_SIZE); /* XXX: Should we add a warning if these uuid parsers fail? Can they? */ ret_val->rm_id = winsec_parse_uuid(ret_val, file_header+0x70, 16); ret_val->log_id = winsec_parse_uuid(ret_val, file_header+0x80, 16); ret_val->flags = IVAL(file_header, 0x90); ret_val->tm_id = winsec_parse_uuid(ret_val, file_header+0x94, 16); ret_val->guid_signature = IVAL(file_header, 0xa4); memcpy(ret_val->reserved1, file_header+0xa8, REGFI_REGF_RESERVED1_SIZE); memcpy(ret_val->reserved2, file_header+0x200, REGFI_REGF_RESERVED2_SIZE); ret_val->thaw_tm_id = winsec_parse_uuid(ret_val, file_header+0xFC8, 16); ret_val->thaw_rm_id = winsec_parse_uuid(ret_val, file_header+0xFD8, 16); ret_val->thaw_log_id = winsec_parse_uuid(ret_val, file_header+0xFE8, 16); ret_val->boot_type = IVAL(file_header, 0xFF8); ret_val->boot_recover = IVAL(file_header, 0xFFC); return ret_val; fail: talloc_free(ret_val); return NULL; } /****************************************************************************** * Given real file offset, read and parse the hbin at that location * along with it's associated cells. ******************************************************************************/ REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32_t offset, bool strict) { REGFI_HBIN* hbin = NULL; uint8_t hbin_header[REGFI_HBIN_HEADER_SIZE]; uint32_t length; if(offset >= file->file_length) goto fail; if(!regfi_lock(file, &file->cb_lock, "regfi_parse_hbin")) goto fail; if(regfi_seek(file->cb, offset, SEEK_SET) == -1) { regfi_log_add(REGFI_LOG_ERROR, "Seek failed" " while parsing hbin at offset 0x%.8X.", offset); goto fail_locked; } length = REGFI_HBIN_HEADER_SIZE; if((regfi_read(file->cb, hbin_header, &length) != 0) || length != REGFI_HBIN_HEADER_SIZE) { regfi_log_add(REGFI_LOG_ERROR, "Read failed" " while parsing hbin at offset 0x%.8X.", offset); goto fail_locked; } if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_hbin")) goto fail; hbin = talloc(NULL, REGFI_HBIN); if(hbin == NULL) goto fail; hbin->file_off = offset; memcpy(hbin->magic, hbin_header, 4); if(strict && (memcmp(hbin->magic, "hbin", 4) != 0)) { /* This always seems to happen at the end of a file, so we make it an INFO * message, rather than something more serious. */ regfi_log_add(REGFI_LOG_INFO, "Magic number mismatch " "(%.2X %.2X %.2X %.2X) while parsing hbin at offset" " 0x%.8X.", hbin->magic[0], hbin->magic[1], hbin->magic[2], hbin->magic[3], offset); goto fail; } hbin->first_hbin_off = IVAL(hbin_header, 0x4); hbin->block_size = IVAL(hbin_header, 0x8); /* this should be the same thing as hbin->block_size, but just in case */ hbin->next_block = IVAL(hbin_header, 0x1C); /* Ensure the block size is a multiple of 0x1000 and doesn't run off * the end of the file. */ /* XXX: This may need to be relaxed for dealing with * partial or corrupt files. */ if((offset + hbin->block_size > file->file_length) || (hbin->block_size & 0xFFFFF000) != hbin->block_size) { regfi_log_add(REGFI_LOG_ERROR, "The hbin offset is not aligned" " or runs off the end of the file" " while parsing hbin at offset 0x%.8X.", offset); goto fail; } return hbin; fail_locked: regfi_unlock(file, &file->cb_lock, "regfi_parse_hbin"); fail: talloc_free(hbin); return NULL; } /******************************************************************* *******************************************************************/ REGFI_NK* regfi_parse_nk(REGFI_FILE* file, uint32_t offset, uint32_t max_size, bool strict) { uint8_t nk_header[REGFI_NK_MIN_LENGTH]; REGFI_NK* ret_val; uint32_t length,cell_length; bool unalloc = false; ret_val = talloc(NULL, REGFI_NK); if(ret_val == NULL) { regfi_log_add(REGFI_LOG_ERROR, "Failed to allocate memory while" " parsing NK record at offset 0x%.8X.", offset); goto fail; } if(!regfi_lock(file, &file->cb_lock, "regfi_parse_nk")) goto fail; if(!regfi_parse_cell(file->cb, offset, nk_header, REGFI_NK_MIN_LENGTH, &cell_length, &unalloc)) { regfi_log_add(REGFI_LOG_WARN, "Could not parse cell header" " while parsing NK record at offset 0x%.8X.", offset); goto fail_locked; } if((nk_header[0x0] != 'n') || (nk_header[0x1] != 'k')) { regfi_log_add(REGFI_LOG_WARN, "Magic number mismatch in parsing" " NK record at offset 0x%.8X.", offset); goto fail_locked; } ret_val->values = NULL; ret_val->subkeys = NULL; ret_val->offset = offset; ret_val->cell_size = cell_length; if(ret_val->cell_size > max_size) ret_val->cell_size = max_size & 0xFFFFFFF8; if((ret_val->cell_size < REGFI_NK_MIN_LENGTH) || (strict && (ret_val->cell_size & 0x00000007) != 0)) { regfi_log_add(REGFI_LOG_WARN, "A length check failed while" " parsing NK record at offset 0x%.8X.", offset); goto fail_locked; } ret_val->magic[0] = nk_header[0x0]; ret_val->magic[1] = nk_header[0x1]; ret_val->flags = SVAL(nk_header, 0x2); if((ret_val->flags & ~REGFI_NK_KNOWN_FLAGS) != 0) { regfi_log_add(REGFI_LOG_WARN, "Unknown key flags (0x%.4X) while" " parsing NK record at offset 0x%.8X.", (ret_val->flags & ~REGFI_NK_KNOWN_FLAGS), offset); } ret_val->mtime.low = IVAL(nk_header, 0x4); ret_val->mtime.high = IVAL(nk_header, 0x8); /* If the key is unallocated and the MTIME is earlier than Jan 1, 1990 * or later than Jan 1, 2290, we consider this a bad key. This helps * weed out some false positives during deleted data recovery. */ if(unalloc && (ret_val->mtime.high < REGFI_MTIME_MIN_HIGH || ret_val->mtime.high > REGFI_MTIME_MAX_HIGH)) { goto fail_locked; } ret_val->unknown1 = IVAL(nk_header, 0xC); ret_val->parent_off = IVAL(nk_header, 0x10); ret_val->num_subkeys = IVAL(nk_header, 0x14); ret_val->unknown2 = IVAL(nk_header, 0x18); ret_val->subkeys_off = IVAL(nk_header, 0x1C); ret_val->unknown3 = IVAL(nk_header, 0x20); ret_val->num_values = IVAL(nk_header, 0x24); ret_val->values_off = IVAL(nk_header, 0x28); ret_val->sk_off = IVAL(nk_header, 0x2C); ret_val->classname_off = IVAL(nk_header, 0x30); ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34); ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38); ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C); ret_val->max_bytes_value = IVAL(nk_header, 0x40); ret_val->unk_index = IVAL(nk_header, 0x44); ret_val->name_length = SVAL(nk_header, 0x48); ret_val->classname_length = SVAL(nk_header, 0x4A); ret_val->name = NULL; if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size) { if(strict) { regfi_log_add(REGFI_LOG_ERROR, "Contents too large for cell" " while parsing NK record at offset 0x%.8X.", offset); goto fail_locked; } else ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH; } else if (unalloc) { /* Truncate cell_size if it's much larger than the apparent total record length. */ /* Round up to the next multiple of 8 */ length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8; if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH) length+=8; /* If cell_size is still greater, truncate. */ if(length < ret_val->cell_size) ret_val->cell_size = length; } /* +1 to length in case we decided to use this directly as a string later */ ret_val->name_raw = talloc_array(ret_val, uint8_t, ret_val->name_length+1); if(ret_val->name_raw == NULL) goto fail_locked; /* Don't need to seek, should be at the right offset */ length = ret_val->name_length; if((regfi_read(file->cb, (uint8_t*)ret_val->name_raw, &length) != 0) || length != ret_val->name_length) { regfi_log_add(REGFI_LOG_ERROR, "Failed to read key name" " while parsing NK record at offset 0x%.8X.", offset); goto fail_locked; } if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_nk")) goto fail; return ret_val; fail_locked: regfi_unlock(file, &file->cb_lock, "regfi_parse_nk"); fail: talloc_free(ret_val); return NULL; } uint8_t* regfi_parse_classname(REGFI_FILE* file, uint32_t offset, uint16_t* name_length, uint32_t max_size, bool strict) { uint8_t* ret_val = NULL; uint32_t length; uint32_t cell_length; bool unalloc = false; if(*name_length <= 0 || offset == REGFI_OFFSET_NONE || (offset & 0x00000007) != 0) { goto fail; } if(!regfi_lock(file, &file->cb_lock, "regfi_parse_classname")) goto fail; if(!regfi_parse_cell(file->cb, offset, NULL, 0, &cell_length, &unalloc)) { regfi_log_add(REGFI_LOG_WARN, "Could not parse cell header" " while parsing class name at offset 0x%.8X.", offset); goto fail_locked; } if((cell_length & 0x0000007) != 0) { regfi_log_add(REGFI_LOG_ERROR, "Cell length not a multiple of 8" " while parsing class name at offset 0x%.8X.", offset); goto fail_locked; } if(cell_length > max_size) { regfi_log_add(REGFI_LOG_WARN, "Cell stretches past hbin " "boundary while parsing class name at offset 0x%.8X.", offset); if(strict) goto fail_locked; cell_length = max_size; } if((cell_length - 4) < *name_length) { regfi_log_add(REGFI_LOG_WARN, "Class name is larger than" " cell_length while parsing class name at offset" " 0x%.8X.", offset); if(strict) goto fail_locked; *name_length = cell_length - 4; } ret_val = talloc_array(NULL, uint8_t, *name_length); if(ret_val != NULL) { length = *name_length; if((regfi_read(file->cb, ret_val, &length) != 0) || length != *name_length) { regfi_log_add(REGFI_LOG_ERROR, "Could not read class name" " while parsing class name at offset 0x%.8X.", offset); goto fail_locked; } } if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_classname")) goto fail; return ret_val; fail_locked: regfi_unlock(file, &file->cb_lock, "regfi_parse_classname"); fail: talloc_free(ret_val); return NULL; } /****************************************************************************** *******************************************************************************/ REGFI_VK* regfi_parse_vk(REGFI_FILE* file, uint32_t offset, uint32_t max_size, bool strict) { REGFI_VK* ret_val; uint8_t vk_header[REGFI_VK_MIN_LENGTH]; uint32_t raw_data_size, length, cell_length; bool unalloc = false; ret_val = talloc(NULL, REGFI_VK); if(ret_val == NULL) goto fail; if(!regfi_lock(file, &file->cb_lock, "regfi_parse_nk")) goto fail; if(!regfi_parse_cell(file->cb, offset, vk_header, REGFI_VK_MIN_LENGTH, &cell_length, &unalloc)) { regfi_log_add(REGFI_LOG_WARN, "Could not parse cell header" " while parsing VK record at offset 0x%.8X.", offset); goto fail_locked; } ret_val->offset = offset; ret_val->cell_size = cell_length; ret_val->name = NULL; ret_val->name_raw = NULL; if(ret_val->cell_size > max_size) ret_val->cell_size = max_size & 0xFFFFFFF8; if((ret_val->cell_size < REGFI_VK_MIN_LENGTH) || (ret_val->cell_size & 0x00000007) != 0) { regfi_log_add(REGFI_LOG_WARN, "Invalid cell size encountered" " while parsing VK record at offset 0x%.8X.", offset); goto fail_locked; } ret_val->magic[0] = vk_header[0x0]; ret_val->magic[1] = vk_header[0x1]; if((ret_val->magic[0] != 'v') || (ret_val->magic[1] != 'k')) { /* XXX: This does not account for deleted keys under Win2K which * often have this (and the name length) overwritten with * 0xFFFF. */ regfi_log_add(REGFI_LOG_WARN, "Magic number mismatch" " while parsing VK record at offset 0x%.8X.", offset); goto fail_locked; } ret_val->name_length = SVAL(vk_header, 0x2); raw_data_size = IVAL(vk_header, 0x4); ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET; /* The data is typically stored in the offset if the size <= 4, * in which case this flag is set. */ ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET); ret_val->data_off = IVAL(vk_header, 0x8); ret_val->type = IVAL(vk_header, 0xC); ret_val->flags = SVAL(vk_header, 0x10); ret_val->unknown1 = SVAL(vk_header, 0x12); if(ret_val->name_length > 0) { if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size) { regfi_log_add(REGFI_LOG_WARN, "Name too long for remaining cell" " space while parsing VK record at offset 0x%.8X.", offset); if(strict) goto fail_locked; else ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4; } /* Round up to the next multiple of 8 */ cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8; if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) cell_length+=8; /* +1 to length in case we decided to use this directly as a string later */ ret_val->name_raw = talloc_array(ret_val, uint8_t, ret_val->name_length+1); if(ret_val->name_raw == NULL) goto fail_locked; length = ret_val->name_length; if((regfi_read(file->cb, (uint8_t*)ret_val->name_raw, &length) != 0) || length != ret_val->name_length) { regfi_log_add(REGFI_LOG_ERROR, "Could not read value name" " while parsing VK record at offset 0x%.8X.", offset); goto fail_locked; } } else cell_length = REGFI_VK_MIN_LENGTH + 4; if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_nk")) goto fail; if(unalloc) { /* If cell_size is still greater, truncate. */ if(cell_length < ret_val->cell_size) ret_val->cell_size = cell_length; } return ret_val; fail_locked: regfi_unlock(file, &file->cb_lock, "regfi_parse_vk"); fail: talloc_free(ret_val); return NULL; } /****************************************************************************** * ******************************************************************************/ REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32_t voffset, uint32_t length, bool data_in_offset, bool strict) { REGFI_BUFFER ret_val; uint32_t cell_length, offset; int32_t max_size; bool unalloc; /* Microsoft's documentation indicates that "available memory" is * the limit on value sizes for the more recent registry format version. * This is not only annoying, but it's probably also incorrect, since clearly * value data sizes are limited to 2^31 (high bit used as a flag) and even * with big data records, the apparent max size is: * 16344 * 2^16 = 1071104040 (~1GB). * * We choose to limit it to 1M which was the limit in older versions and * should rarely be exceeded unless the file is corrupt or malicious. * For more info, see: * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx */ /* XXX: add way to skip this check at user discression. */ if(length > REGFI_VK_MAX_DATA_LENGTH) { regfi_log_add(REGFI_LOG_WARN, "Value data size %d larger than " "%d, truncating...", length, REGFI_VK_MAX_DATA_LENGTH); length = REGFI_VK_MAX_DATA_LENGTH; } if(data_in_offset) return regfi_parse_little_data(file, voffset, length, strict); else { offset = voffset + REGFI_REGF_SIZE; max_size = regfi_calc_maxsize(file, offset); if(max_size < 0) { regfi_log_add(REGFI_LOG_WARN, "Could not find HBIN for data" " at offset 0x%.8X.", offset); goto fail; } if(!regfi_lock(file, &file->cb_lock, "regfi_load_data")) goto fail; if(!regfi_parse_cell(file->cb, offset, NULL, 0, &cell_length, &unalloc)) { regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while" " parsing data record at offset 0x%.8X.", offset); goto fail_locked; } if(!regfi_unlock(file, &file->cb_lock, "regfi_load_data")) goto fail; if((cell_length & 0x00000007) != 0) { regfi_log_add(REGFI_LOG_WARN, "Cell length not multiple of 8" " while parsing data record at offset 0x%.8X.", offset); goto fail; } if(cell_length > max_size) { regfi_log_add(REGFI_LOG_WARN, "Cell extends past HBIN boundary" " while parsing data record at offset 0x%.8X.", offset); goto fail; } if(cell_length - 4 < length) { /* XXX: All big data records thus far have been 16 bytes long. * Should we check for this precise size instead of just * relying upon the above check? */ if (file->major_version >= 1 && file->minor_version >= 5) { /* Attempt to parse a big data record */ return regfi_load_big_data(file, offset, length, cell_length, NULL, strict); } else { regfi_log_add(REGFI_LOG_WARN, "Data length (0x%.8X) larger than" " remaining cell length (0x%.8X)" " while parsing data record at offset 0x%.8X.", length, cell_length - 4, offset); if(strict) goto fail; else length = cell_length - 4; } } ret_val = regfi_parse_data(file, offset, length, strict); } return ret_val; fail_locked: regfi_unlock(file, &file->cb_lock, "regfi_load_data"); fail: ret_val.buf = NULL; ret_val.len = 0; return ret_val; } /****************************************************************************** * Parses the common case data records stored in a single cell. ******************************************************************************/ REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32_t offset, uint32_t length, bool strict) { REGFI_BUFFER ret_val; uint32_t read_length; ret_val.buf = NULL; ret_val.len = 0; if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL) goto fail; ret_val.len = length; if(!regfi_lock(file, &file->cb_lock, "regfi_parse_data")) goto fail; if(regfi_seek(file->cb, offset+4, SEEK_SET) == -1) { regfi_log_add(REGFI_LOG_WARN, "Could not seek while " "reading data at offset 0x%.8X.", offset); goto fail_locked; } read_length = length; if((regfi_read(file->cb, ret_val.buf, &read_length) != 0) || read_length != length) { regfi_log_add(REGFI_LOG_ERROR, "Could not read data block while" " parsing data record at offset 0x%.8X.", offset); goto fail_locked; } if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_data")) goto fail; return ret_val; fail_locked: regfi_unlock(file, &file->cb_lock, "regfi_parse_data"); fail: talloc_free(ret_val.buf); ret_val.buf = NULL; ret_val.buf = 0; return ret_val; } /****************************************************************************** * ******************************************************************************/ REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32_t voffset, uint32_t length, bool strict) { uint8_t i; REGFI_BUFFER ret_val; ret_val.buf = NULL; ret_val.len = 0; if(length > 4) { regfi_log_add(REGFI_LOG_ERROR, "Data in offset but length > 4" " while parsing data record. (voffset=0x%.8X, length=%d)", voffset, length); return ret_val; } if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL) return ret_val; ret_val.len = length; for(i = 0; i < length; i++) ret_val.buf[i] = (uint8_t)((voffset >> i*8) & 0xFF); return ret_val; } /****************************************************************************** *******************************************************************************/ REGFI_BUFFER regfi_parse_big_data_header(REGFI_FILE* file, uint32_t offset, uint32_t max_size, bool strict) { REGFI_BUFFER ret_val; uint32_t cell_length; bool unalloc; /* XXX: do something with unalloc? */ ret_val.buf = (uint8_t*)talloc_array(NULL, uint8_t, REGFI_BIG_DATA_MIN_LENGTH); if(ret_val.buf == NULL) goto fail; if(REGFI_BIG_DATA_MIN_LENGTH > max_size) { regfi_log_add(REGFI_LOG_WARN, "Big data header exceeded max_size " "while parsing big data header at offset 0x%.8X.",offset); goto fail; } if(!regfi_lock(file, &file->cb_lock, "regfi_parse_big_data_header")) goto fail; if(!regfi_parse_cell(file->cb, offset, ret_val.buf, REGFI_BIG_DATA_MIN_LENGTH, &cell_length, &unalloc)) { regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while" " parsing big data header at offset 0x%.8X.", offset); goto fail_locked; } if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_header")) goto fail; if((ret_val.buf[0] != 'd') || (ret_val.buf[1] != 'b')) { regfi_log_add(REGFI_LOG_WARN, "Unknown magic number" " (0x%.2X, 0x%.2X) encountered while parsing" " big data header at offset 0x%.8X.", ret_val.buf[0], ret_val.buf[1], offset); goto fail; } ret_val.len = REGFI_BIG_DATA_MIN_LENGTH; return ret_val; fail_locked: regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_header"); fail: talloc_free(ret_val.buf); ret_val.buf = NULL; ret_val.len = 0; return ret_val; } /****************************************************************************** * ******************************************************************************/ uint32_t* regfi_parse_big_data_indirect(REGFI_FILE* file, uint32_t offset, uint16_t num_chunks, bool strict) { uint32_t* ret_val; uint32_t indirect_length; int32_t max_size; uint16_t i; bool unalloc; /* XXX: do something with unalloc? */ max_size = regfi_calc_maxsize(file, offset); if((max_size < 0) || (num_chunks*sizeof(uint32_t) + 4 > max_size)) return NULL; ret_val = (uint32_t*)talloc_array(NULL, uint32_t, num_chunks); if(ret_val == NULL) goto fail; if(!regfi_lock(file, &file->cb_lock, "regfi_parse_big_data_indirect")) goto fail; if(!regfi_parse_cell(file->cb, offset, (uint8_t*)ret_val, num_chunks*sizeof(uint32_t), &indirect_length, &unalloc)) { regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while" " parsing big data indirect record at offset 0x%.8X.", offset); goto fail_locked; } if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_indirect")) goto fail; /* Convert pointers to proper endianess, verify they are aligned. */ for(i=0; icb_lock, "regfi_parse_big_data_indirect"); fail: talloc_free(ret_val); return NULL; } /****************************************************************************** * Arguments: * file -- * offsets -- list of virtual offsets. * num_chunks -- * strict -- * * Returns: * A range_list with physical offsets and complete lengths * (including cell headers) of associated cells. * No data in range_list elements. ******************************************************************************/ range_list* regfi_parse_big_data_cells(REGFI_FILE* file, uint32_t* offsets, uint16_t num_chunks, bool strict) { uint32_t cell_length, chunk_offset; range_list* ret_val; uint16_t i; bool unalloc; /* XXX: do something with unalloc? */ ret_val = range_list_new(); if(ret_val == NULL) goto fail; for(i=0; icb_lock, "regfi_parse_big_data_cells")) goto fail; chunk_offset = offsets[i]+REGFI_REGF_SIZE; if(!regfi_parse_cell(file->cb, chunk_offset, NULL, 0, &cell_length, &unalloc)) { regfi_log_add(REGFI_LOG_WARN, "Could not parse cell while" " parsing big data chunk at offset 0x%.8X.", chunk_offset); goto fail_locked; } if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_cells")) goto fail; if(!range_list_add(ret_val, chunk_offset, cell_length, NULL)) goto fail; } return ret_val; fail_locked: regfi_unlock(file, &file->cb_lock, "regfi_parse_big_data_cells"); fail: if(ret_val != NULL) range_list_free(ret_val); return NULL; } /****************************************************************************** *******************************************************************************/ REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file, uint32_t offset, uint32_t data_length, uint32_t cell_length, range_list* used_ranges, bool strict) { REGFI_BUFFER ret_val; uint16_t num_chunks, i; uint32_t read_length, data_left, tmp_len, indirect_offset; uint32_t* indirect_ptrs = NULL; REGFI_BUFFER bd_header; range_list* bd_cells = NULL; const range_list_element* cell_info; ret_val.buf = NULL; /* XXX: Add better error/warning messages */ bd_header = regfi_parse_big_data_header(file, offset, cell_length, strict); if(bd_header.buf == NULL) goto fail; /* Keep track of used space for use by reglookup-recover */ if(used_ranges != NULL) if(!range_list_add(used_ranges, offset, cell_length, NULL)) goto fail; num_chunks = SVAL(bd_header.buf, 0x2); indirect_offset = IVAL(bd_header.buf, 0x4) + REGFI_REGF_SIZE; talloc_free(bd_header.buf); indirect_ptrs = regfi_parse_big_data_indirect(file, indirect_offset, num_chunks, strict); if(indirect_ptrs == NULL) goto fail; if(used_ranges != NULL) if(!range_list_add(used_ranges, indirect_offset, num_chunks*4+4, NULL)) goto fail; if((ret_val.buf = talloc_array(NULL, uint8_t, data_length)) == NULL) goto fail; data_left = data_length; bd_cells = regfi_parse_big_data_cells(file, indirect_ptrs, num_chunks, strict); if(bd_cells == NULL) goto fail; talloc_free(indirect_ptrs); indirect_ptrs = NULL; for(i=0; (i0); i++) { cell_info = range_list_get(bd_cells, i); if(cell_info == NULL) goto fail; /* XXX: This should be "cell_info->length-4" to account for the 4 byte cell * length. However, it has been observed that some (all?) chunks * have an additional 4 bytes of 0 at the end of their cells that * isn't part of the data, so we're trimming that off too. * Perhaps it's just an 8 byte alignment requirement... */ if(cell_info->length - 8 >= data_left) { if(i+1 != num_chunks) { regfi_log_add(REGFI_LOG_WARN, "Left over chunks detected " "while constructing big data at offset 0x%.8X " "(chunk offset 0x%.8X).", offset, cell_info->offset); } read_length = data_left; } else read_length = cell_info->length - 8; if(read_length > regfi_calc_maxsize(file, cell_info->offset)) { regfi_log_add(REGFI_LOG_WARN, "A chunk exceeded the maxsize " "while constructing big data at offset 0x%.8X " "(chunk offset 0x%.8X).", offset, cell_info->offset); goto fail; } if(!regfi_lock(file, &file->cb_lock, "regfi_load_big_data")) goto fail; if(regfi_seek(file->cb, cell_info->offset+sizeof(uint32_t), SEEK_SET) == -1) { regfi_log_add(REGFI_LOG_WARN, "Could not seek to chunk while " "constructing big data at offset 0x%.8X " "(chunk offset 0x%.8X).", offset, cell_info->offset); goto fail_locked; } tmp_len = read_length; if(regfi_read(file->cb, ret_val.buf+(data_length-data_left), &read_length) != 0 || (read_length != tmp_len)) { regfi_log_add(REGFI_LOG_WARN, "Could not read data chunk while" " constructing big data at offset 0x%.8X" " (chunk offset 0x%.8X).", offset, cell_info->offset); goto fail_locked; } if(!regfi_unlock(file, &file->cb_lock, "regfi_load_big_data")) goto fail; if(used_ranges != NULL) if(!range_list_add(used_ranges, cell_info->offset,cell_info->length,NULL)) goto fail; data_left -= read_length; } range_list_free(bd_cells); ret_val.len = data_length-data_left; return ret_val; fail_locked: regfi_unlock(file, &file->cb_lock, "regfi_load_big_data"); fail: talloc_free(ret_val.buf); talloc_free(indirect_ptrs); if(bd_cells != NULL) range_list_free(bd_cells); ret_val.buf = NULL; ret_val.len = 0; return ret_val; } range_list* regfi_parse_unalloc_cells(REGFI_FILE* file) { range_list* ret_val; REGFI_HBIN* hbin; const range_list_element* hbins_elem; uint32_t i, num_hbins, curr_off, cell_len; bool is_unalloc; ret_val = range_list_new(); if(ret_val == NULL) return NULL; if(!regfi_read_lock(file, &file->hbins_lock, "regfi_parse_unalloc_cells")) { range_list_free(ret_val); return NULL; } num_hbins = range_list_size(file->hbins); for(i=0; ihbins, i); if(hbins_elem == NULL) break; hbin = (REGFI_HBIN*)hbins_elem->data; curr_off = REGFI_HBIN_HEADER_SIZE; while(curr_off < hbin->block_size) { if(!regfi_lock(file, &file->cb_lock, "regfi_parse_unalloc_cells")) break; if(!regfi_parse_cell(file->cb, hbin->file_off+curr_off, NULL, 0, &cell_len, &is_unalloc)) { regfi_unlock(file, &file->cb_lock, "regfi_parse_unalloc_cells"); break; } if(!regfi_unlock(file, &file->cb_lock, "regfi_parse_unalloc_cells")) break; if((cell_len == 0) || ((cell_len & 0x00000007) != 0)) { regfi_log_add(REGFI_LOG_ERROR, "Bad cell length encountered" " while parsing unallocated cells at offset 0x%.8X.", hbin->file_off+curr_off); break; } /* for some reason the record_size of the last record in an hbin block can extend past the end of the block even though the record fits within the remaining space....aaarrrgggghhhhhh */ if(curr_off + cell_len >= hbin->block_size) cell_len = hbin->block_size - curr_off; if(is_unalloc) range_list_add(ret_val, hbin->file_off+curr_off, cell_len, NULL); curr_off = curr_off+cell_len; } } if(!regfi_rw_unlock(file, &file->hbins_lock, "regfi_parse_unalloc_cells")) { range_list_free(ret_val); return NULL; } return ret_val; } /* From lib/time.c */ /**************************************************************************** Put a 8 byte filetime from a time_t This takes real GMT as input and converts to kludge-GMT ****************************************************************************/ void regfi_unix2nt_time(REGFI_NTTIME *nt, time_t t) { double d; if (t==0) { nt->low = 0; nt->high = 0; return; } if (t == TIME_T_MAX) { nt->low = 0xffffffff; nt->high = 0x7fffffff; return; } if (t == -1) { nt->low = 0xffffffff; nt->high = 0xffffffff; return; } /* this converts GMT to kludge-GMT */ /* XXX: This was removed due to difficult dependency requirements. * So far, times appear to be correct without this adjustment, but * that may be proven wrong with adequate testing. */ /* t -= TimeDiff(t) - get_serverzone(); */ d = (double)(t); d += TIME_FIXUP_CONSTANT; d *= 1.0e7; nt->high = (uint32_t)(d * (1.0/(4.0*(double)(1<<30)))); nt->low = (uint32_t)(d - ((double)nt->high)*4.0*(double)(1<<30)); } /**************************************************************************** Interpret an 8 byte "filetime" structure to a time_t It's originally in "100ns units since jan 1st 1601" An 8 byte value of 0xffffffffffffffff will be returned as (time_t)0. It appears to be kludge-GMT (at least for file listings). This means its the GMT you get by taking a localtime and adding the serverzone. This is NOT the same as GMT in some cases. This routine converts this to real GMT. ****************************************************************************/ time_t regfi_nt2unix_time(const REGFI_NTTIME* nt) { double d; time_t ret; /* The next two lines are a fix needed for the broken SCO compiler. JRA. */ time_t l_time_min = TIME_T_MIN; time_t l_time_max = TIME_T_MAX; if (nt->high == 0 || (nt->high == 0xffffffff && nt->low == 0xffffffff)) return(0); d = ((double)nt->high)*4.0*(double)(1<<30); d += (nt->low&0xFFF00000); d *= 1.0e-7; /* now adjust by 369 years to make the secs since 1970 */ d -= TIME_FIXUP_CONSTANT; if (d <= l_time_min) return (l_time_min); if (d >= l_time_max) return (l_time_max); ret = (time_t)(d+0.5); /* this takes us from kludge-GMT to real GMT */ /* XXX: This was removed due to difficult dependency requirements. * So far, times appear to be correct without this adjustment, but * that may be proven wrong with adequate testing. */ /* ret -= get_serverzone(); ret += LocTimeDiff(ret); */ return(ret); } /* End of stuff from lib/time.c */