Context Navigation

reglookup-recover.c @ 142

Last change on this file since 142 was 138, checked in by tim, 16 years ago

extended error message logging to allow for message type filtering

fine tuned message verbosity to more reasonable default levels for reglookup and reglookup-recover

updated related documentation

Property svn:keywords set to Id

File size: 23.0 KB

Rev	Line
[111]	1	/*
[121]	2	* This program attempts to recover deleted data structures in a registry hive.
	3	*
[138]	4	* Copyright (C) 2008-2009 Timothy D. Morgan
[111]	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; version 3 of the License.
	9	*
	10	* This program is distributed in the hope that it will be useful,
	11	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	12	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	13	* GNU General Public License for more details.
	14	*
	15	* You should have received a copy of the GNU General Public License
	16	* along with this program; if not, write to the Free Software
	17	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	18	*
[118]	19	* $Id: reglookup-recover.c 138 2009-02-08 19:53:48Z tim $
[111]	20	*/
	21
	22	#include <stdio.h>
	23	#include <stdlib.h>
	24	#include <sysexits.h>
	25
	26	#include "../include/regfi.h"
	27	#include "../include/range_list.h"
	28	#include "../include/lru_cache.h"
	29
	30
	31	/* Globals, influenced by command line parameters */
	32	bool print_verbose = false;
	33	bool print_security = false;
	34	bool print_header = true;
	35	bool print_leftover = false;
	36	bool print_parsedraw = false;
	37	char* registry_file = NULL;
	38
	39	#include "common.c"
	40
	41
	42	char* getQuotedData(int fd, uint32 offset, uint32 length)
	43	{
	44	uint8* buf;
	45	char* quoted_buf;
	46	uint32 len;
	47
	48	if((lseek(fd, offset, SEEK_SET)) == -1)
	49	return NULL;
	50
	51	buf = (uint8*)malloc(length);
	52	if(buf == NULL)
	53	return NULL;
	54
	55	len = length;
	56	if((regfi_read(fd, buf, &length) != 0) \|\| length != len)
	57	{
	58	free(buf);
	59	return NULL;
	60	}
	61
	62	quoted_buf = quote_buffer(buf, length, common_special_chars);
	63	free(buf);
	64
	65	return quoted_buf;
	66	}
	67
	68
[135]	69	void printKey(REGFI_FILE* f, REGFI_NK_REC* nk, const char* prefix)
[111]	70	{
	71	char mtime[20];
	72	time_t tmp_time[1];
	73	struct tm* tmp_time_s = NULL;
	74	char* quoted_name = NULL;
	75	char* quoted_raw = "";
	76
	77	*tmp_time = nt_time_to_unix(&nk->mtime);
	78	tmp_time_s = gmtime(tmp_time);
	79	strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s);
	80
	81	quoted_name = quote_string(nk->keyname, key_special_chars);
	82	if (quoted_name == NULL)
	83	{
	84	quoted_name = malloc(1*sizeof(char));
	85	if(quoted_name == NULL)
	86	bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
	87	quoted_name[0] = '\0';
	88
[138]	89	fprintf(stderr, "WARN: NULL key name in NK record at offset %.8X.\n",
[111]	90	nk->offset);
	91	}
	92
	93	if(print_parsedraw)
	94	quoted_raw = getQuotedData(f->fd, nk->offset, nk->cell_size);
	95
	96	printf("%.8X,%.8X,KEY,%s,%s,%s,%d,,,,,,,,%s\n", nk->offset, nk->cell_size,
	97	prefix, quoted_name, mtime, nk->num_values, quoted_raw);
	98
	99	if(print_parsedraw)
	100	free(quoted_raw);
[136]	101	free(quoted_name);
[111]	102	}
	103
	104
[135]	105	void printValue(REGFI_FILE* f, const REGFI_VK_REC* vk, const char* prefix)
[111]	106	{
	107	char* quoted_value = NULL;
	108	char* quoted_name = NULL;
	109	char* quoted_raw = "";
	110	char* conv_error = NULL;
	111	const char* str_type = NULL;
	112	uint32 size = vk->data_size;
	113
	114	/* Microsoft's documentation indicates that "available memory" is
	115	* the limit on value sizes. Annoying. We limit it to 1M which
	116	* should rarely be exceeded, unless the file is corrupt or
	117	* malicious. For more info, see:
	118	* http://msdn2.microsoft.com/en-us/library/ms724872.aspx
	119	*/
[116]	120	/* XXX: Should probably do something different here for this tool.
	121	* Also, It would be really nice if this message somehow included the
	122	* name of the current value we're having trouble with, since
	123	* stderr/stdout don't always sync nicely.
	124	*/
[135]	125	if(size > REGFI_VK_MAX_DATA_LENGTH)
[111]	126	{
[138]	127	fprintf(stderr, "WARN: value data size %d larger than "
[135]	128	"%d, truncating...\n", size, REGFI_VK_MAX_DATA_LENGTH);
	129	size = REGFI_VK_MAX_DATA_LENGTH;
[111]	130	}
	131
	132	quoted_name = quote_string(vk->valuename, key_special_chars);
	133	if (quoted_name == NULL)
	134	{ /* Value names are NULL when we're looking at the "(default)" value.
	135	* Currently we just return a 0-length string to try an eliminate
	136	* ambiguity with a literal "(default)" value. The data type of a line
	137	* in the output allows one to differentiate between the parent key and
	138	* this value.
	139	*/
	140	quoted_name = malloc(1*sizeof(char));
	141	if(quoted_name == NULL)
	142	bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
	143	quoted_name[0] = '\0';
	144	}
	145
	146	quoted_value = data_to_ascii(vk->data, size, vk->type, &conv_error);
	147	if(quoted_value == NULL)
	148	{
	149	quoted_value = malloc(1*sizeof(char));
	150	if(quoted_value == NULL)
	151	bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
	152	quoted_value[0] = '\0';
	153
	154	if(conv_error == NULL)
[138]	155	fprintf(stderr, "WARN: Could not quote value for '%s/%s'. "
[111]	156	"Memory allocation failure likely.\n", prefix, quoted_name);
	157	else if(print_verbose)
[138]	158	fprintf(stderr, "WARN: Could not quote value for '%s/%s'. "
[111]	159	"Returned error: %s\n", prefix, quoted_name, conv_error);
	160	}
	161	/* XXX: should these always be printed? */
	162	else if(conv_error != NULL && print_verbose)
[138]	163	fprintf(stderr, "INFO: While quoting value for '%s/%s', "
[111]	164	"warning returned: %s\n", prefix, quoted_name, conv_error);
	165
	166
	167	if(print_parsedraw)
	168	quoted_raw = getQuotedData(f->fd, vk->offset, vk->cell_size);
	169
	170	str_type = regfi_type_val2str(vk->type);
	171	if(str_type == NULL)
	172	printf("%.8X,%.8X,VALUE,%s,%s,,,0x%.8X,%s,%d,,,,,%s\n",
	173	vk->offset, vk->cell_size, prefix, quoted_name,
	174	vk->type, quoted_value, vk->data_size, quoted_raw);
	175	else
	176	printf("%.8X,%.8X,VALUE,%s,%s,,,%s,%s,%d,,,,,%s\n",
	177	vk->offset, vk->cell_size, prefix, quoted_name,
	178	str_type, quoted_value, vk->data_size, quoted_raw);
	179
	180	if(print_parsedraw)
	181	free(quoted_raw);
	182	if(quoted_value != NULL)
	183	free(quoted_value);
	184	if(quoted_name != NULL)
	185	free(quoted_name);
	186	if(conv_error != NULL)
	187	free(conv_error);
	188	}
	189
	190
[135]	191	void printSK(REGFI_FILE* f, REGFI_SK_REC* sk)
[111]	192	{
	193	char* quoted_raw = NULL;
	194	char* empty_str = "";
	195	char* owner = regfi_get_owner(sk->sec_desc);
	196	char* group = regfi_get_group(sk->sec_desc);
	197	char* sacl = regfi_get_sacl(sk->sec_desc);
	198	char* dacl = regfi_get_dacl(sk->sec_desc);
	199
	200	if(print_parsedraw)
	201	quoted_raw = getQuotedData(f->fd, sk->offset, sk->cell_size);
	202
	203	if(owner == NULL)
	204	owner = empty_str;
	205	if(group == NULL)
	206	group = empty_str;
	207	if(sacl == NULL)
	208	sacl = empty_str;
	209	if(dacl == NULL)
	210	dacl = empty_str;
	211
	212	printf("%.8X,%.8X,SK,,,,,,,,%s,%s,%s,%s,%s\n", sk->offset, sk->cell_size,
	213	owner, group, sacl, dacl, quoted_raw);
	214
	215	if(owner != empty_str)
	216	free(owner);
	217	if(group != empty_str)
	218	free(group);
	219	if(sacl != empty_str)
	220	free(sacl);
	221	if(dacl != empty_str)
	222	free(dacl);
	223
	224	if(print_parsedraw)
	225	free(quoted_raw);
	226	}
	227
	228
[135]	229	int printCell(REGFI_FILE* f, uint32 offset)
[111]	230	{
	231	char* quoted_buf;
	232	uint32 cell_length;
	233	bool unalloc;
	234
	235	if(!regfi_parse_cell(f->fd, offset, NULL, 0, &cell_length, &unalloc))
	236	return 1;
	237
	238	quoted_buf = getQuotedData(f->fd, offset, cell_length);
	239	if(quoted_buf == NULL)
	240	return 2;
	241
	242	printf("%.8X,%.8X,RAW,,,,,,,,,,,,%s\n", offset, cell_length, quoted_buf);
	243
	244	free(quoted_buf);
	245	return 0;
	246	}
	247
	248
[112]	249	/* This function returns a properly quoted parent path or partial parent
	250	* path for a given key. Returns NULL on error, "" if no path was available.
	251	* Paths returned must be free()d.
	252	*/
[116]	253	/* XXX: This is not terribly efficient, as it may reparse many keys
	254	* repeatedly. Should try to add caching. Also, piecing the path
	255	* together is slow and redundant.
[112]	256	*/
[135]	257	char* getParentPath(REGFI_FILE* f, REGFI_NK_REC* nk)
[112]	258	{
[135]	259	void_stack* path_stack = void_stack_new(REGFI_MAX_DEPTH);
	260	REGFI_HBIN* hbin;
	261	REGFI_NK_REC* cur_ancestor;
[112]	262	char* ret_val;
	263	char* path_element;
	264	char* tmp_str;
	265	uint32 virt_offset, i, stack_size, ret_val_size, ret_val_left, element_size;
	266	uint32 max_length;
	267
[118]	268	/* The path_stack size limit should guarantee that we don't recurse forever. */
[112]	269	virt_offset = nk->parent_off;
[135]	270	while(virt_offset != REGFI_OFFSET_NONE)
[112]	271	{
	272	hbin = regfi_lookup_hbin(f, virt_offset);
	273	if(hbin == NULL)
[135]	274	virt_offset = REGFI_OFFSET_NONE;
[112]	275	else
	276	{
	277	max_length = hbin->block_size + hbin->file_off
[135]	278	- (virt_offset+REGFI_REGF_SIZE);
	279	cur_ancestor = regfi_parse_nk(f, virt_offset+REGFI_REGF_SIZE,
[112]	280	max_length, true);
[138]	281	printMsgs(f);
	282
[112]	283	if(cur_ancestor == NULL)
[135]	284	virt_offset = REGFI_OFFSET_NONE;
[112]	285	else
	286	{
[135]	287	if((cur_ancestor->key_type == REGFI_NK_TYPE_ROOTKEY1)
	288	\|\| (cur_ancestor->key_type == REGFI_NK_TYPE_ROOTKEY2))
	289	virt_offset = REGFI_OFFSET_NONE;
[112]	290	else
	291	virt_offset = cur_ancestor->parent_off;
	292
	293	path_element = quote_string(cur_ancestor->keyname, key_special_chars);
	294	if(path_element == NULL \|\| !void_stack_push(path_stack, path_element))
	295	{
	296	free(cur_ancestor->keyname);
	297	free(cur_ancestor);
	298	void_stack_free_deep(path_stack);
	299	return NULL;
	300	}
	301
	302	regfi_key_free(cur_ancestor);
	303	}
	304	}
	305	}
	306
	307	stack_size = void_stack_size(path_stack);
	308	ret_val_size = 16*stack_size;
	309	if(ret_val_size == 0)
	310	ret_val_size = 1;
	311	ret_val_left = ret_val_size;
	312	ret_val = malloc(ret_val_size);
	313	if(ret_val == NULL)
	314	{
	315	void_stack_free_deep(path_stack);
	316	return NULL;
	317	}
	318	ret_val[0] = '\0';
	319
	320	for(i=0; i<stack_size; i++)
	321	{
	322	path_element = void_stack_pop(path_stack);
	323	element_size = strlen(path_element);
	324	if(ret_val_left < element_size+2)
	325	{
	326	ret_val_size += element_size+16;
	327	ret_val_left += element_size+16;
	328	tmp_str = (char*)realloc(ret_val, ret_val_size);
	329	if(tmp_str == NULL)
	330	{
	331	free(ret_val);
	332	void_stack_free_deep(path_stack);
	333	return NULL;
	334	}
	335	ret_val = tmp_str;
	336	}
	337
	338	ret_val_left -= snprintf(ret_val+ret_val_size-ret_val_left,ret_val_left, "/%s", path_element);
	339	free(path_element);
	340	}
	341	void_stack_free(path_stack);
	342
	343	return ret_val;
	344	}
	345
	346
[111]	347	static void usage(void)
	348	{
	349	fprintf(stderr, "Usage: reglookup-recover [options] <REGISTRY_FILE>\n");
	350	fprintf(stderr, "Version: %s\n", REGLOOKUP_VERSION);
	351	fprintf(stderr, "Options:\n");
	352	fprintf(stderr, "\t-v\t sets verbose mode.\n");
	353	fprintf(stderr, "\t-h\t enables header row. (default)\n");
	354	fprintf(stderr, "\t-H\t disables header row.\n");
	355	fprintf(stderr, "\t-l\t enables leftover(raw) cell output.\n");
	356	fprintf(stderr, "\t-L\t disables leftover(raw) cell output. (default)\n");
	357	fprintf(stderr, "\t-r\t enables raw cell output for parsed cells.\n");
	358	fprintf(stderr, "\t-R\t disables raw cell output for parsed cells. (default)\n");
	359	fprintf(stderr, "\n");
	360	}
	361
	362
[113]	363	bool removeRange(range_list* rl, uint32 offset, uint32 length)
[111]	364	{
[113]	365	int32 rm_idx;
	366	const range_list_element* cur_elem;
[115]	367
[113]	368	rm_idx = range_list_find(rl, offset);
	369	if(rm_idx < 0)
[116]	370	{
	371	fprintf(stderr, "DEBUG: removeRange: rm_idx < 0; (%d)\n", rm_idx);
[113]	372	return false;
[116]	373	}
[113]	374
	375	cur_elem = range_list_get(rl, rm_idx);
[111]	376	if(cur_elem == NULL)
	377	{
[116]	378	fprintf(stderr, "DEBUG: removeRange: cur_elem == NULL. rm_idx=%d\n", rm_idx);
[111]	379	return false;
	380	}
	381
	382	if(offset > cur_elem->offset)
	383	{
	384	if(!range_list_split_element(rl, rm_idx, offset))
	385	{
[116]	386	fprintf(stderr, "DEBUG: removeRange: first split failed\n");
[111]	387	return false;
	388	}
	389	rm_idx++;
[116]	390	cur_elem = range_list_get(rl, rm_idx);
	391	if(cur_elem == NULL)
	392	{
	393	fprintf(stderr,
	394	"DEBUG: removeRange: cur_elem == NULL after first split. rm_idx=%d\n",
	395	rm_idx);
	396	return false;
	397	}
[111]	398	}
	399
	400	if(offset+length < cur_elem->offset+cur_elem->length)
	401	{
	402	if(!range_list_split_element(rl, rm_idx, offset+length))
	403	{
[116]	404	fprintf(stderr, "DEBUG: removeRange: second split failed\n");
[111]	405	return false;
	406	}
	407	}
	408
	409	if(!range_list_remove(rl, rm_idx))
	410	{
[116]	411	fprintf(stderr, "DEBUG: removeRange: remove failed\n");
[111]	412	return false;
	413	}
	414
	415	return true;
	416	}
	417
	418
[117]	419	/* NOTE: unalloc_keys should be an empty range_list. */
[135]	420	int extractKeys(REGFI_FILE* f,
[111]	421	range_list* unalloc_cells,
	422	range_list* unalloc_keys)
	423	{
	424	const range_list_element* cur_elem;
[135]	425	REGFI_NK_REC* key;
[111]	426	uint32 i, j;
	427
	428	for(i=0; i < range_list_size(unalloc_cells); i++)
	429	{
[138]	430	printMsgs(f);
[111]	431	cur_elem = range_list_get(unalloc_cells, i);
[115]	432	for(j=0; cur_elem->length > REGFI_NK_MIN_LENGTH
	433	&& j <= cur_elem->length-REGFI_NK_MIN_LENGTH; j+=8)
[111]	434	{
[115]	435	key = regfi_parse_nk(f, cur_elem->offset+j,
	436	cur_elem->length-j, false);
[138]	437	printMsgs(f);
	438
[111]	439	if(key != NULL)
	440	{
	441	if(!range_list_add(unalloc_keys, key->offset,
	442	key->cell_size, key))
	443	{
	444	fprintf(stderr, "ERROR: Couldn't add key to unalloc_keys.\n");
	445	return 20;
	446	}
[116]	447	j+=key->cell_size-8;
[111]	448	}
	449	}
	450	}
	451
[116]	452	for(i=0; i<range_list_size(unalloc_keys); i++)
	453	{
	454	cur_elem = range_list_get(unalloc_keys, i);
	455	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
	456	return 30;
	457	}
	458
[111]	459	return 0;
	460	}
	461
	462
[135]	463	int extractValueLists(REGFI_FILE* f,
[111]	464	range_list* unalloc_cells,
	465	range_list* unalloc_keys)
	466	{
[135]	467	REGFI_NK_REC* nk;
	468	REGFI_HBIN* hbin;
[111]	469	const range_list_element* cur_elem;
	470	uint32 i, j, num_keys, off, values_length, max_length;
	471
	472	num_keys=range_list_size(unalloc_keys);
	473	for(i=0; i<num_keys; i++)
	474	{
	475	cur_elem = range_list_get(unalloc_keys, i);
	476	if(cur_elem == NULL)
	477	return 10;
	478	nk = cur_elem->data;
	479
[135]	480	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
[111]	481	{
	482	hbin = regfi_lookup_hbin(f, nk->values_off);
	483
	484	if(hbin != NULL)
	485	{
[135]	486	off = nk->values_off + REGFI_REGF_SIZE;
[111]	487	max_length = hbin->block_size + hbin->file_off - off;
[118]	488	/* XXX: This is a hack. We parse all value-lists, VK records,
	489	* and data records without regard for current allocation status.
	490	* On the off chance that such a record correctly parsed but is
	491	* actually a reallocated structure used by something else, we
	492	* simply prune it after the fact. Would be faster to check this
	493	* up front somehow.
[111]	494	*/
	495	nk->values = regfi_load_valuelist(f, off, nk->num_values, max_length,
	496	false);
[115]	497	values_length = (nk->num_values+1)*sizeof(uint32);
	498	if(values_length != (values_length & 0xFFFFFFF8))
	499	values_length = (values_length & 0xFFFFFFF8) + 8;
[111]	500
	501	if(nk->values != NULL)
	502	{
[115]	503	if(!range_list_has_range(unalloc_cells, off, values_length))
[111]	504	{ /* We've parsed a values-list which isn't in the unallocated list,
	505	* so prune it.
	506	*/
	507	for(j=0; j<nk->num_values; j++)
	508	{
	509	if(nk->values[j] != NULL)
	510	{
	511	if(nk->values[j]->data != NULL)
	512	free(nk->values[j]->data);
	513	free(nk->values[j]);
	514	}
	515	}
[115]	516	free(nk->values);
	517	nk->values = NULL;
[111]	518	}
	519	else
	520	{ /* Values-list was recovered. Remove from unalloc_cells and
	521	* inspect values.
	522	*/
[113]	523	if(!removeRange(unalloc_cells, off, values_length))
[111]	524	return 20;
	525
	526	for(j=0; j < nk->num_values; j++)
	527	{
	528	if(nk->values[j] != NULL)
	529	{
[113]	530	if(!range_list_has_range(unalloc_cells, nk->values[j]->offset,
	531	nk->values[j]->cell_size))
[111]	532	{ /* We've parsed a value which isn't in the unallocated list,
	533	* so prune it.
	534	*/
	535	if(nk->values[j]->data != NULL)
	536	free(nk->values[j]->data);
	537	free(nk->values[j]);
	538	nk->values[j] = NULL;
	539	}
	540	else
	541	{
	542	/* A VK record was recovered. Remove from unalloc_cells
	543	* and inspect data.
	544	*/
[113]	545	if(!removeRange(unalloc_cells, nk->values[j]->offset,
[111]	546	nk->values[j]->cell_size))
	547	return 21;
	548
	549	/* Don't bother pruning or removing from unalloc_cells if
[113]	550	* there is no data, or it is stored in the offset.
[111]	551	*/
	552	if(nk->values[j]->data != NULL && !nk->values[j]->data_in_offset)
	553	{
[135]	554	off = nk->values[j]->data_off+REGFI_REGF_SIZE;
[113]	555	if(!range_list_has_range(unalloc_cells, off,
	556	nk->values[j]->data_size))
[111]	557	{ /* We've parsed a data cell which isn't in the unallocated
	558	* list, so prune it.
	559	*/
	560	free(nk->values[j]->data);
	561	nk->values[j]->data = NULL;
	562	}
	563	else
	564	{ /A data record was recovered. Remove from unalloc_cells./
[113]	565	if(!removeRange(unalloc_cells, off,
[111]	566	nk->values[j]->data_size))
	567	return 22;
	568	}
	569	}
	570	}
	571	}
	572	}
	573	}
	574	}
	575	}
	576	}
	577	}
	578
	579	return 0;
	580	}
	581
	582
[117]	583	/* NOTE: unalloc_values should be an empty range_list. */
[135]	584	int extractValues(REGFI_FILE* f,
[117]	585	range_list* unalloc_cells,
[111]	586	range_list* unalloc_values)
	587	{
	588	const range_list_element* cur_elem;
[135]	589	REGFI_VK_REC* vk;
[115]	590	uint32 i, j, off;
[111]	591
	592	for(i=0; i < range_list_size(unalloc_cells); i++)
	593	{
[138]	594	printMsgs(f);
[111]	595	cur_elem = range_list_get(unalloc_cells, i);
	596	for(j=0; j <= cur_elem->length; j+=8)
	597	{
	598	vk = regfi_parse_vk(f, cur_elem->offset+j,
	599	cur_elem->length-j, false);
[138]	600	printMsgs(f);
	601
[111]	602	if(vk != NULL)
	603	{
	604	if(!range_list_add(unalloc_values, vk->offset,
	605	vk->cell_size, vk))
	606	{
	607	fprintf(stderr, "ERROR: Couldn't add value to unalloc_values.\n");
	608	return 20;
	609	}
[117]	610	j+=vk->cell_size-8;
	611	}
	612	}
	613	}
	614
	615	/* Remove value ranges from the unalloc_cells before we continue. */
	616	for(i=0; i<range_list_size(unalloc_values); i++)
	617	{
	618	cur_elem = range_list_get(unalloc_values, i);
	619	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
	620	return 30;
	621	}
[115]	622
[117]	623	/* Now see if the data associated with each value is intact */
	624	for(i=0; i<range_list_size(unalloc_values); i++)
	625	{
	626	cur_elem = range_list_get(unalloc_values, i);
[135]	627	vk = (REGFI_VK_REC*)cur_elem->data;
[117]	628	if(vk == NULL)
	629	return 40;
[115]	630
[117]	631	if(vk->data != NULL && !vk->data_in_offset)
	632	{
[135]	633	off = vk->data_off+REGFI_REGF_SIZE;
[117]	634	if(!range_list_has_range(unalloc_cells, off, vk->data_size))
	635	{ /* We've parsed a data cell which isn't in the unallocated
	636	* list, so prune it.
[115]	637	*/
[117]	638	free(vk->data);
	639	vk->data = NULL;
[111]	640	}
[117]	641	else
	642	{ /A data record was recovered. Remove from unalloc_cells./
	643	if(!removeRange(unalloc_cells, off, vk->data_size))
	644	return 50;
	645	}
[111]	646	}
	647	}
	648
	649	return 0;
	650	}
	651
	652
[118]	653	/* NOTE: unalloc_sks should be an empty range_list. */
[135]	654	int extractSKs(REGFI_FILE* f,
[111]	655	range_list* unalloc_cells,
	656	range_list* unalloc_sks)
	657	{
	658	const range_list_element* cur_elem;
[135]	659	REGFI_SK_REC* sk;
[111]	660	uint32 i, j;
	661
	662	for(i=0; i < range_list_size(unalloc_cells); i++)
	663	{
[138]	664	printMsgs(f);
[111]	665	cur_elem = range_list_get(unalloc_cells, i);
	666	for(j=0; j <= cur_elem->length; j+=8)
	667	{
	668	sk = regfi_parse_sk(f, cur_elem->offset+j,
	669	cur_elem->length-j, false);
[138]	670	printMsgs(f);
	671
[111]	672	if(sk != NULL)
	673	{
	674	if(!range_list_add(unalloc_sks, sk->offset,
	675	sk->cell_size, sk))
	676	{
	677	fprintf(stderr, "ERROR: Couldn't add sk to unalloc_sks.\n");
	678	return 20;
	679	}
[118]	680	j+=sk->cell_size-8;
[111]	681	}
	682	}
	683	}
	684
[118]	685	for(i=0; i<range_list_size(unalloc_sks); i++)
	686	{
	687	cur_elem = range_list_get(unalloc_sks, i);
	688	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
	689	return 30;
	690	}
	691
[111]	692	return 0;
	693	}
	694
	695
	696	int main(int argc, char** argv)
	697	{
[135]	698	REGFI_FILE* f;
[111]	699	const range_list_element* cur_elem;
	700	range_list* unalloc_cells;
	701	range_list* unalloc_keys;
	702	range_list* unalloc_values;
	703	range_list* unalloc_sks;
[112]	704	char** parent_paths;
	705	char* tmp_name;
	706	char* tmp_path;
[135]	707	REGFI_NK_REC* tmp_key;
	708	REGFI_VK_REC* tmp_value;
[116]	709	uint32 argi, arge, i, j, ret, num_unalloc_keys;
[111]	710	/* uint32 test_offset;*/
	711
	712	/* Process command line arguments */
	713	if(argc < 2)
	714	{
	715	usage();
	716	bailOut(EX_USAGE, "ERROR: Requires at least one argument.\n");
	717	}
	718
	719	arge = argc-1;
	720	for(argi = 1; argi < arge; argi++)
	721	{
	722	if (strcmp("-v", argv[argi]) == 0)
	723	print_verbose = true;
	724	else if (strcmp("-h", argv[argi]) == 0)
	725	print_header = true;
	726	else if (strcmp("-H", argv[argi]) == 0)
	727	print_header = false;
	728	else if (strcmp("-l", argv[argi]) == 0)
	729	print_leftover = true;
	730	else if (strcmp("-L", argv[argi]) == 0)
	731	print_leftover = false;
	732	else if (strcmp("-r", argv[argi]) == 0)
	733	print_parsedraw = true;
	734	else if (strcmp("-R", argv[argi]) == 0)
	735	print_parsedraw = false;
	736	else
	737	{
	738	usage();
	739	fprintf(stderr, "ERROR: Unrecognized option: %s\n", argv[argi]);
	740	bailOut(EX_USAGE, "");
	741	}
	742	}
	743	/test_offset = strtol(argv[argi++], NULL, 16);/
	744
	745	if((registry_file = strdup(argv[argi])) == NULL)
	746	bailOut(EX_OSERR, "ERROR: Memory allocation problem.\n");
	747
	748	f = regfi_open(registry_file);
	749	if(f == NULL)
	750	{
	751	fprintf(stderr, "ERROR: Couldn't open registry file: %s\n", registry_file);
	752	bailOut(EX_NOINPUT, "");
	753	}
[138]	754	if(print_verbose)
	755	regfi_set_message_mask(f, REGFI_MSG_ERROR\|REGFI_MSG_WARN\|REGFI_MSG_INFO);
	756	else
	757	regfi_set_message_mask(f, REGFI_MSG_ERROR);
[111]	758
	759	if(print_header)
	760	printf("OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME,"
	761	"NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN,"
	762	"SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL\n");
	763
	764	unalloc_cells = regfi_parse_unalloc_cells(f);
	765	if(unalloc_cells == NULL)
	766	{
	767	fprintf(stderr, "ERROR: Could not obtain list of unallocated cells.\n");
	768	return 1;
	769	}
	770
	771	unalloc_keys = range_list_new();
	772	if(unalloc_keys == NULL)
	773	return 10;
	774
	775	unalloc_values = range_list_new();
	776	if(unalloc_values == NULL)
	777	return 10;
	778
	779	unalloc_sks = range_list_new();
	780	if(unalloc_sks == NULL)
	781	return 10;
	782
	783	ret = extractKeys(f, unalloc_cells, unalloc_keys);
	784	if(ret != 0)
	785	{
	786	fprintf(stderr, "ERROR: extractKeys() failed with %d.\n", ret);
	787	return ret;
	788	}
	789
	790	ret = extractValueLists(f, unalloc_cells, unalloc_keys);
	791	if(ret != 0)
	792	{
	793	fprintf(stderr, "ERROR: extractValueLists() failed with %d.\n", ret);
	794	return ret;
	795	}
	796
	797	/* Carve any orphan values and associated data */
	798	ret = extractValues(f, unalloc_cells, unalloc_values);
	799	if(ret != 0)
	800	{
	801	fprintf(stderr, "ERROR: extractValues() failed with %d.\n", ret);
	802	return ret;
	803	}
	804
	805	/* Carve any SK records */
	806	ret = extractSKs(f, unalloc_cells, unalloc_sks);
	807	if(ret != 0)
	808	{
	809	fprintf(stderr, "ERROR: extractSKs() failed with %d.\n", ret);
	810	return ret;
	811	}
	812
[112]	813	/* Now that we're done carving, associate recovered keys with parents,
	814	* if at all possible.
	815	*/
	816	num_unalloc_keys = range_list_size(unalloc_keys);
	817	parent_paths = (char*)malloc(sizeof(char)*num_unalloc_keys);
	818	if(parent_paths == NULL)
	819	return 10;
[111]	820
[112]	821	for(i=0; i < num_unalloc_keys; i++)
[111]	822	{
	823	cur_elem = range_list_get(unalloc_keys, i);
[135]	824	tmp_key = (REGFI_NK_REC*)cur_elem->data;
[111]	825
[112]	826	if(tmp_key == NULL)
	827	return 20;
	828
	829	parent_paths[i] = getParentPath(f, tmp_key);
	830	if(parent_paths[i] == NULL)
	831	return 20;
	832	}
	833
	834	/* Now start the output */
[111]	835
[112]	836	for(i=0; i < num_unalloc_keys; i++)
	837	{
	838	cur_elem = range_list_get(unalloc_keys, i);
[135]	839	tmp_key = (REGFI_NK_REC*)cur_elem->data;
[112]	840
	841	printKey(f, tmp_key, parent_paths[i]);
[114]	842	if(tmp_key->num_values > 0 && tmp_key->values != NULL)
[111]	843	{
[112]	844	tmp_name = quote_string(tmp_key->keyname, key_special_chars);
	845	tmp_path = (char*)malloc(strlen(parent_paths[i])+strlen(tmp_name)+2);
	846	if(tmp_path == NULL)
[136]	847	{
	848	free(tmp_name);
[112]	849	return 10;
[136]	850	}
	851
[112]	852	sprintf(tmp_path, "%s/%s", parent_paths[i], tmp_name);
	853	for(j=0; j < tmp_key->num_values; j++)
	854	{
	855	tmp_value = tmp_key->values[j];
	856	if(tmp_value != NULL)
	857	printValue(f, tmp_value, tmp_path);
	858	}
	859	free(tmp_path);
	860	free(tmp_name);
	861	free(parent_paths[i]);
[111]	862	}
	863	}
[112]	864	free(parent_paths);
[111]	865
	866	/* Print out orphaned values */
	867	for(i=0; i < range_list_size(unalloc_values); i++)
	868	{
	869	cur_elem = range_list_get(unalloc_values, i);
[135]	870	tmp_value = (REGFI_VK_REC*)cur_elem->data;
[111]	871
	872	printValue(f, tmp_value, "");
	873	}
	874
	875	if(print_leftover)
	876	{
	877	for(i=0; i < range_list_size(unalloc_cells); i++)
	878	{
	879	cur_elem = range_list_get(unalloc_cells, i);
	880	printCell(f, cur_elem->offset);
	881	}
	882	}
	883
	884	return 0;
	885	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/src/reglookup-recover.c @ 142

Download in other formats: