[111] | 1 | /* |
---|
[121] | 2 | * This program attempts to recover deleted data structures in a registry hive. |
---|
| 3 | * |
---|
[138] | 4 | * Copyright (C) 2008-2009 Timothy D. Morgan |
---|
[111] | 5 | * |
---|
| 6 | * This program is free software; you can redistribute it and/or modify |
---|
| 7 | * it under the terms of the GNU General Public License as published by |
---|
| 8 | * the Free Software Foundation; version 3 of the License. |
---|
| 9 | * |
---|
| 10 | * This program is distributed in the hope that it will be useful, |
---|
| 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 13 | * GNU General Public License for more details. |
---|
| 14 | * |
---|
| 15 | * You should have received a copy of the GNU General Public License |
---|
| 16 | * along with this program; if not, write to the Free Software |
---|
| 17 | * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
---|
| 18 | * |
---|
[118] | 19 | * $Id: reglookup-recover.c 143 2009-02-13 03:24:27Z tim $ |
---|
[111] | 20 | */ |
---|
| 21 | |
---|
| 22 | #include <stdio.h> |
---|
| 23 | #include <stdlib.h> |
---|
| 24 | |
---|
| 25 | #include "../include/regfi.h" |
---|
| 26 | #include "../include/range_list.h" |
---|
| 27 | #include "../include/lru_cache.h" |
---|
| 28 | |
---|
| 29 | |
---|
| 30 | /* Globals, influenced by command line parameters */ |
---|
| 31 | bool print_verbose = false; |
---|
| 32 | bool print_security = false; |
---|
| 33 | bool print_header = true; |
---|
| 34 | bool print_leftover = false; |
---|
| 35 | bool print_parsedraw = false; |
---|
| 36 | char* registry_file = NULL; |
---|
| 37 | |
---|
| 38 | #include "common.c" |
---|
| 39 | |
---|
| 40 | |
---|
| 41 | char* getQuotedData(int fd, uint32 offset, uint32 length) |
---|
| 42 | { |
---|
| 43 | uint8* buf; |
---|
| 44 | char* quoted_buf; |
---|
| 45 | uint32 len; |
---|
| 46 | |
---|
| 47 | if((lseek(fd, offset, SEEK_SET)) == -1) |
---|
| 48 | return NULL; |
---|
| 49 | |
---|
| 50 | buf = (uint8*)malloc(length); |
---|
| 51 | if(buf == NULL) |
---|
| 52 | return NULL; |
---|
| 53 | |
---|
| 54 | len = length; |
---|
| 55 | if((regfi_read(fd, buf, &length) != 0) || length != len) |
---|
| 56 | { |
---|
| 57 | free(buf); |
---|
| 58 | return NULL; |
---|
| 59 | } |
---|
| 60 | |
---|
| 61 | quoted_buf = quote_buffer(buf, length, common_special_chars); |
---|
| 62 | free(buf); |
---|
| 63 | |
---|
| 64 | return quoted_buf; |
---|
| 65 | } |
---|
| 66 | |
---|
| 67 | |
---|
[135] | 68 | void printKey(REGFI_FILE* f, REGFI_NK_REC* nk, const char* prefix) |
---|
[111] | 69 | { |
---|
| 70 | char mtime[20]; |
---|
| 71 | time_t tmp_time[1]; |
---|
| 72 | struct tm* tmp_time_s = NULL; |
---|
| 73 | char* quoted_name = NULL; |
---|
| 74 | char* quoted_raw = ""; |
---|
| 75 | |
---|
| 76 | *tmp_time = nt_time_to_unix(&nk->mtime); |
---|
| 77 | tmp_time_s = gmtime(tmp_time); |
---|
| 78 | strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s); |
---|
| 79 | |
---|
| 80 | quoted_name = quote_string(nk->keyname, key_special_chars); |
---|
| 81 | if (quoted_name == NULL) |
---|
| 82 | { |
---|
| 83 | quoted_name = malloc(1*sizeof(char)); |
---|
| 84 | if(quoted_name == NULL) |
---|
[143] | 85 | bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n"); |
---|
[111] | 86 | quoted_name[0] = '\0'; |
---|
| 87 | |
---|
[138] | 88 | fprintf(stderr, "WARN: NULL key name in NK record at offset %.8X.\n", |
---|
[111] | 89 | nk->offset); |
---|
| 90 | } |
---|
| 91 | |
---|
| 92 | if(print_parsedraw) |
---|
| 93 | quoted_raw = getQuotedData(f->fd, nk->offset, nk->cell_size); |
---|
| 94 | |
---|
| 95 | printf("%.8X,%.8X,KEY,%s,%s,%s,%d,,,,,,,,%s\n", nk->offset, nk->cell_size, |
---|
| 96 | prefix, quoted_name, mtime, nk->num_values, quoted_raw); |
---|
| 97 | |
---|
| 98 | if(print_parsedraw) |
---|
| 99 | free(quoted_raw); |
---|
[136] | 100 | free(quoted_name); |
---|
[111] | 101 | } |
---|
| 102 | |
---|
| 103 | |
---|
[135] | 104 | void printValue(REGFI_FILE* f, const REGFI_VK_REC* vk, const char* prefix) |
---|
[111] | 105 | { |
---|
| 106 | char* quoted_value = NULL; |
---|
| 107 | char* quoted_name = NULL; |
---|
| 108 | char* quoted_raw = ""; |
---|
| 109 | char* conv_error = NULL; |
---|
| 110 | const char* str_type = NULL; |
---|
| 111 | uint32 size = vk->data_size; |
---|
| 112 | |
---|
| 113 | /* Microsoft's documentation indicates that "available memory" is |
---|
| 114 | * the limit on value sizes. Annoying. We limit it to 1M which |
---|
| 115 | * should rarely be exceeded, unless the file is corrupt or |
---|
| 116 | * malicious. For more info, see: |
---|
| 117 | * http://msdn2.microsoft.com/en-us/library/ms724872.aspx |
---|
| 118 | */ |
---|
[116] | 119 | /* XXX: Should probably do something different here for this tool. |
---|
| 120 | * Also, It would be really nice if this message somehow included the |
---|
| 121 | * name of the current value we're having trouble with, since |
---|
| 122 | * stderr/stdout don't always sync nicely. |
---|
| 123 | */ |
---|
[135] | 124 | if(size > REGFI_VK_MAX_DATA_LENGTH) |
---|
[111] | 125 | { |
---|
[138] | 126 | fprintf(stderr, "WARN: value data size %d larger than " |
---|
[135] | 127 | "%d, truncating...\n", size, REGFI_VK_MAX_DATA_LENGTH); |
---|
| 128 | size = REGFI_VK_MAX_DATA_LENGTH; |
---|
[111] | 129 | } |
---|
| 130 | |
---|
| 131 | quoted_name = quote_string(vk->valuename, key_special_chars); |
---|
| 132 | if (quoted_name == NULL) |
---|
| 133 | { /* Value names are NULL when we're looking at the "(default)" value. |
---|
| 134 | * Currently we just return a 0-length string to try an eliminate |
---|
| 135 | * ambiguity with a literal "(default)" value. The data type of a line |
---|
| 136 | * in the output allows one to differentiate between the parent key and |
---|
| 137 | * this value. |
---|
| 138 | */ |
---|
| 139 | quoted_name = malloc(1*sizeof(char)); |
---|
| 140 | if(quoted_name == NULL) |
---|
[143] | 141 | bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n"); |
---|
[111] | 142 | quoted_name[0] = '\0'; |
---|
| 143 | } |
---|
| 144 | |
---|
| 145 | quoted_value = data_to_ascii(vk->data, size, vk->type, &conv_error); |
---|
| 146 | if(quoted_value == NULL) |
---|
| 147 | { |
---|
| 148 | quoted_value = malloc(1*sizeof(char)); |
---|
| 149 | if(quoted_value == NULL) |
---|
[143] | 150 | bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n"); |
---|
[111] | 151 | quoted_value[0] = '\0'; |
---|
| 152 | |
---|
| 153 | if(conv_error == NULL) |
---|
[138] | 154 | fprintf(stderr, "WARN: Could not quote value for '%s/%s'. " |
---|
[111] | 155 | "Memory allocation failure likely.\n", prefix, quoted_name); |
---|
| 156 | else if(print_verbose) |
---|
[138] | 157 | fprintf(stderr, "WARN: Could not quote value for '%s/%s'. " |
---|
[111] | 158 | "Returned error: %s\n", prefix, quoted_name, conv_error); |
---|
| 159 | } |
---|
| 160 | /* XXX: should these always be printed? */ |
---|
| 161 | else if(conv_error != NULL && print_verbose) |
---|
[138] | 162 | fprintf(stderr, "INFO: While quoting value for '%s/%s', " |
---|
[111] | 163 | "warning returned: %s\n", prefix, quoted_name, conv_error); |
---|
| 164 | |
---|
| 165 | |
---|
| 166 | if(print_parsedraw) |
---|
| 167 | quoted_raw = getQuotedData(f->fd, vk->offset, vk->cell_size); |
---|
| 168 | |
---|
| 169 | str_type = regfi_type_val2str(vk->type); |
---|
| 170 | if(str_type == NULL) |
---|
| 171 | printf("%.8X,%.8X,VALUE,%s,%s,,,0x%.8X,%s,%d,,,,,%s\n", |
---|
| 172 | vk->offset, vk->cell_size, prefix, quoted_name, |
---|
| 173 | vk->type, quoted_value, vk->data_size, quoted_raw); |
---|
| 174 | else |
---|
| 175 | printf("%.8X,%.8X,VALUE,%s,%s,,,%s,%s,%d,,,,,%s\n", |
---|
| 176 | vk->offset, vk->cell_size, prefix, quoted_name, |
---|
| 177 | str_type, quoted_value, vk->data_size, quoted_raw); |
---|
| 178 | |
---|
| 179 | if(print_parsedraw) |
---|
| 180 | free(quoted_raw); |
---|
| 181 | if(quoted_value != NULL) |
---|
| 182 | free(quoted_value); |
---|
| 183 | if(quoted_name != NULL) |
---|
| 184 | free(quoted_name); |
---|
| 185 | if(conv_error != NULL) |
---|
| 186 | free(conv_error); |
---|
| 187 | } |
---|
| 188 | |
---|
| 189 | |
---|
[135] | 190 | void printSK(REGFI_FILE* f, REGFI_SK_REC* sk) |
---|
[111] | 191 | { |
---|
| 192 | char* quoted_raw = NULL; |
---|
| 193 | char* empty_str = ""; |
---|
| 194 | char* owner = regfi_get_owner(sk->sec_desc); |
---|
| 195 | char* group = regfi_get_group(sk->sec_desc); |
---|
| 196 | char* sacl = regfi_get_sacl(sk->sec_desc); |
---|
| 197 | char* dacl = regfi_get_dacl(sk->sec_desc); |
---|
| 198 | |
---|
| 199 | if(print_parsedraw) |
---|
| 200 | quoted_raw = getQuotedData(f->fd, sk->offset, sk->cell_size); |
---|
| 201 | |
---|
| 202 | if(owner == NULL) |
---|
| 203 | owner = empty_str; |
---|
| 204 | if(group == NULL) |
---|
| 205 | group = empty_str; |
---|
| 206 | if(sacl == NULL) |
---|
| 207 | sacl = empty_str; |
---|
| 208 | if(dacl == NULL) |
---|
| 209 | dacl = empty_str; |
---|
| 210 | |
---|
| 211 | printf("%.8X,%.8X,SK,,,,,,,,%s,%s,%s,%s,%s\n", sk->offset, sk->cell_size, |
---|
| 212 | owner, group, sacl, dacl, quoted_raw); |
---|
| 213 | |
---|
| 214 | if(owner != empty_str) |
---|
| 215 | free(owner); |
---|
| 216 | if(group != empty_str) |
---|
| 217 | free(group); |
---|
| 218 | if(sacl != empty_str) |
---|
| 219 | free(sacl); |
---|
| 220 | if(dacl != empty_str) |
---|
| 221 | free(dacl); |
---|
| 222 | |
---|
| 223 | if(print_parsedraw) |
---|
| 224 | free(quoted_raw); |
---|
| 225 | } |
---|
| 226 | |
---|
| 227 | |
---|
[135] | 228 | int printCell(REGFI_FILE* f, uint32 offset) |
---|
[111] | 229 | { |
---|
| 230 | char* quoted_buf; |
---|
| 231 | uint32 cell_length; |
---|
| 232 | bool unalloc; |
---|
| 233 | |
---|
| 234 | if(!regfi_parse_cell(f->fd, offset, NULL, 0, &cell_length, &unalloc)) |
---|
| 235 | return 1; |
---|
| 236 | |
---|
| 237 | quoted_buf = getQuotedData(f->fd, offset, cell_length); |
---|
| 238 | if(quoted_buf == NULL) |
---|
| 239 | return 2; |
---|
| 240 | |
---|
| 241 | printf("%.8X,%.8X,RAW,,,,,,,,,,,,%s\n", offset, cell_length, quoted_buf); |
---|
| 242 | |
---|
| 243 | free(quoted_buf); |
---|
| 244 | return 0; |
---|
| 245 | } |
---|
| 246 | |
---|
| 247 | |
---|
[112] | 248 | /* This function returns a properly quoted parent path or partial parent |
---|
| 249 | * path for a given key. Returns NULL on error, "" if no path was available. |
---|
| 250 | * Paths returned must be free()d. |
---|
| 251 | */ |
---|
[116] | 252 | /* XXX: This is not terribly efficient, as it may reparse many keys |
---|
| 253 | * repeatedly. Should try to add caching. Also, piecing the path |
---|
| 254 | * together is slow and redundant. |
---|
[112] | 255 | */ |
---|
[135] | 256 | char* getParentPath(REGFI_FILE* f, REGFI_NK_REC* nk) |
---|
[112] | 257 | { |
---|
[135] | 258 | void_stack* path_stack = void_stack_new(REGFI_MAX_DEPTH); |
---|
| 259 | REGFI_HBIN* hbin; |
---|
| 260 | REGFI_NK_REC* cur_ancestor; |
---|
[112] | 261 | char* ret_val; |
---|
| 262 | char* path_element; |
---|
| 263 | char* tmp_str; |
---|
| 264 | uint32 virt_offset, i, stack_size, ret_val_size, ret_val_left, element_size; |
---|
| 265 | uint32 max_length; |
---|
| 266 | |
---|
[118] | 267 | /* The path_stack size limit should guarantee that we don't recurse forever. */ |
---|
[112] | 268 | virt_offset = nk->parent_off; |
---|
[135] | 269 | while(virt_offset != REGFI_OFFSET_NONE) |
---|
[112] | 270 | { |
---|
| 271 | hbin = regfi_lookup_hbin(f, virt_offset); |
---|
| 272 | if(hbin == NULL) |
---|
[135] | 273 | virt_offset = REGFI_OFFSET_NONE; |
---|
[112] | 274 | else |
---|
| 275 | { |
---|
| 276 | max_length = hbin->block_size + hbin->file_off |
---|
[135] | 277 | - (virt_offset+REGFI_REGF_SIZE); |
---|
| 278 | cur_ancestor = regfi_parse_nk(f, virt_offset+REGFI_REGF_SIZE, |
---|
[112] | 279 | max_length, true); |
---|
[138] | 280 | printMsgs(f); |
---|
| 281 | |
---|
[112] | 282 | if(cur_ancestor == NULL) |
---|
[135] | 283 | virt_offset = REGFI_OFFSET_NONE; |
---|
[112] | 284 | else |
---|
| 285 | { |
---|
[135] | 286 | if((cur_ancestor->key_type == REGFI_NK_TYPE_ROOTKEY1) |
---|
| 287 | || (cur_ancestor->key_type == REGFI_NK_TYPE_ROOTKEY2)) |
---|
| 288 | virt_offset = REGFI_OFFSET_NONE; |
---|
[112] | 289 | else |
---|
| 290 | virt_offset = cur_ancestor->parent_off; |
---|
| 291 | |
---|
| 292 | path_element = quote_string(cur_ancestor->keyname, key_special_chars); |
---|
| 293 | if(path_element == NULL || !void_stack_push(path_stack, path_element)) |
---|
| 294 | { |
---|
| 295 | free(cur_ancestor->keyname); |
---|
| 296 | free(cur_ancestor); |
---|
| 297 | void_stack_free_deep(path_stack); |
---|
| 298 | return NULL; |
---|
| 299 | } |
---|
| 300 | |
---|
| 301 | regfi_key_free(cur_ancestor); |
---|
| 302 | } |
---|
| 303 | } |
---|
| 304 | } |
---|
| 305 | |
---|
| 306 | stack_size = void_stack_size(path_stack); |
---|
| 307 | ret_val_size = 16*stack_size; |
---|
| 308 | if(ret_val_size == 0) |
---|
| 309 | ret_val_size = 1; |
---|
| 310 | ret_val_left = ret_val_size; |
---|
| 311 | ret_val = malloc(ret_val_size); |
---|
| 312 | if(ret_val == NULL) |
---|
| 313 | { |
---|
| 314 | void_stack_free_deep(path_stack); |
---|
| 315 | return NULL; |
---|
| 316 | } |
---|
| 317 | ret_val[0] = '\0'; |
---|
| 318 | |
---|
| 319 | for(i=0; i<stack_size; i++) |
---|
| 320 | { |
---|
| 321 | path_element = void_stack_pop(path_stack); |
---|
| 322 | element_size = strlen(path_element); |
---|
| 323 | if(ret_val_left < element_size+2) |
---|
| 324 | { |
---|
| 325 | ret_val_size += element_size+16; |
---|
| 326 | ret_val_left += element_size+16; |
---|
| 327 | tmp_str = (char*)realloc(ret_val, ret_val_size); |
---|
| 328 | if(tmp_str == NULL) |
---|
| 329 | { |
---|
| 330 | free(ret_val); |
---|
| 331 | void_stack_free_deep(path_stack); |
---|
| 332 | return NULL; |
---|
| 333 | } |
---|
| 334 | ret_val = tmp_str; |
---|
| 335 | } |
---|
| 336 | |
---|
| 337 | ret_val_left -= snprintf(ret_val+ret_val_size-ret_val_left,ret_val_left, "/%s", path_element); |
---|
| 338 | free(path_element); |
---|
| 339 | } |
---|
| 340 | void_stack_free(path_stack); |
---|
| 341 | |
---|
| 342 | return ret_val; |
---|
| 343 | } |
---|
| 344 | |
---|
| 345 | |
---|
[111] | 346 | static void usage(void) |
---|
| 347 | { |
---|
| 348 | fprintf(stderr, "Usage: reglookup-recover [options] <REGISTRY_FILE>\n"); |
---|
| 349 | fprintf(stderr, "Version: %s\n", REGLOOKUP_VERSION); |
---|
| 350 | fprintf(stderr, "Options:\n"); |
---|
| 351 | fprintf(stderr, "\t-v\t sets verbose mode.\n"); |
---|
| 352 | fprintf(stderr, "\t-h\t enables header row. (default)\n"); |
---|
| 353 | fprintf(stderr, "\t-H\t disables header row.\n"); |
---|
| 354 | fprintf(stderr, "\t-l\t enables leftover(raw) cell output.\n"); |
---|
| 355 | fprintf(stderr, "\t-L\t disables leftover(raw) cell output. (default)\n"); |
---|
| 356 | fprintf(stderr, "\t-r\t enables raw cell output for parsed cells.\n"); |
---|
| 357 | fprintf(stderr, "\t-R\t disables raw cell output for parsed cells. (default)\n"); |
---|
| 358 | fprintf(stderr, "\n"); |
---|
| 359 | } |
---|
| 360 | |
---|
| 361 | |
---|
[113] | 362 | bool removeRange(range_list* rl, uint32 offset, uint32 length) |
---|
[111] | 363 | { |
---|
[113] | 364 | int32 rm_idx; |
---|
| 365 | const range_list_element* cur_elem; |
---|
[115] | 366 | |
---|
[113] | 367 | rm_idx = range_list_find(rl, offset); |
---|
| 368 | if(rm_idx < 0) |
---|
[116] | 369 | { |
---|
| 370 | fprintf(stderr, "DEBUG: removeRange: rm_idx < 0; (%d)\n", rm_idx); |
---|
[113] | 371 | return false; |
---|
[116] | 372 | } |
---|
[113] | 373 | |
---|
| 374 | cur_elem = range_list_get(rl, rm_idx); |
---|
[111] | 375 | if(cur_elem == NULL) |
---|
| 376 | { |
---|
[116] | 377 | fprintf(stderr, "DEBUG: removeRange: cur_elem == NULL. rm_idx=%d\n", rm_idx); |
---|
[111] | 378 | return false; |
---|
| 379 | } |
---|
| 380 | |
---|
| 381 | if(offset > cur_elem->offset) |
---|
| 382 | { |
---|
| 383 | if(!range_list_split_element(rl, rm_idx, offset)) |
---|
| 384 | { |
---|
[116] | 385 | fprintf(stderr, "DEBUG: removeRange: first split failed\n"); |
---|
[111] | 386 | return false; |
---|
| 387 | } |
---|
| 388 | rm_idx++; |
---|
[116] | 389 | cur_elem = range_list_get(rl, rm_idx); |
---|
| 390 | if(cur_elem == NULL) |
---|
| 391 | { |
---|
| 392 | fprintf(stderr, |
---|
| 393 | "DEBUG: removeRange: cur_elem == NULL after first split. rm_idx=%d\n", |
---|
| 394 | rm_idx); |
---|
| 395 | return false; |
---|
| 396 | } |
---|
[111] | 397 | } |
---|
| 398 | |
---|
| 399 | if(offset+length < cur_elem->offset+cur_elem->length) |
---|
| 400 | { |
---|
| 401 | if(!range_list_split_element(rl, rm_idx, offset+length)) |
---|
| 402 | { |
---|
[116] | 403 | fprintf(stderr, "DEBUG: removeRange: second split failed\n"); |
---|
[111] | 404 | return false; |
---|
| 405 | } |
---|
| 406 | } |
---|
| 407 | |
---|
| 408 | if(!range_list_remove(rl, rm_idx)) |
---|
| 409 | { |
---|
[116] | 410 | fprintf(stderr, "DEBUG: removeRange: remove failed\n"); |
---|
[111] | 411 | return false; |
---|
| 412 | } |
---|
| 413 | |
---|
| 414 | return true; |
---|
| 415 | } |
---|
| 416 | |
---|
| 417 | |
---|
[117] | 418 | /* NOTE: unalloc_keys should be an empty range_list. */ |
---|
[135] | 419 | int extractKeys(REGFI_FILE* f, |
---|
[111] | 420 | range_list* unalloc_cells, |
---|
| 421 | range_list* unalloc_keys) |
---|
| 422 | { |
---|
| 423 | const range_list_element* cur_elem; |
---|
[135] | 424 | REGFI_NK_REC* key; |
---|
[111] | 425 | uint32 i, j; |
---|
| 426 | |
---|
| 427 | for(i=0; i < range_list_size(unalloc_cells); i++) |
---|
| 428 | { |
---|
[138] | 429 | printMsgs(f); |
---|
[111] | 430 | cur_elem = range_list_get(unalloc_cells, i); |
---|
[115] | 431 | for(j=0; cur_elem->length > REGFI_NK_MIN_LENGTH |
---|
| 432 | && j <= cur_elem->length-REGFI_NK_MIN_LENGTH; j+=8) |
---|
[111] | 433 | { |
---|
[115] | 434 | key = regfi_parse_nk(f, cur_elem->offset+j, |
---|
| 435 | cur_elem->length-j, false); |
---|
[138] | 436 | printMsgs(f); |
---|
| 437 | |
---|
[111] | 438 | if(key != NULL) |
---|
| 439 | { |
---|
| 440 | if(!range_list_add(unalloc_keys, key->offset, |
---|
| 441 | key->cell_size, key)) |
---|
| 442 | { |
---|
| 443 | fprintf(stderr, "ERROR: Couldn't add key to unalloc_keys.\n"); |
---|
| 444 | return 20; |
---|
| 445 | } |
---|
[116] | 446 | j+=key->cell_size-8; |
---|
[111] | 447 | } |
---|
| 448 | } |
---|
| 449 | } |
---|
| 450 | |
---|
[116] | 451 | for(i=0; i<range_list_size(unalloc_keys); i++) |
---|
| 452 | { |
---|
| 453 | cur_elem = range_list_get(unalloc_keys, i); |
---|
| 454 | if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length)) |
---|
| 455 | return 30; |
---|
| 456 | } |
---|
| 457 | |
---|
[111] | 458 | return 0; |
---|
| 459 | } |
---|
| 460 | |
---|
| 461 | |
---|
[135] | 462 | int extractValueLists(REGFI_FILE* f, |
---|
[111] | 463 | range_list* unalloc_cells, |
---|
| 464 | range_list* unalloc_keys) |
---|
| 465 | { |
---|
[135] | 466 | REGFI_NK_REC* nk; |
---|
| 467 | REGFI_HBIN* hbin; |
---|
[111] | 468 | const range_list_element* cur_elem; |
---|
| 469 | uint32 i, j, num_keys, off, values_length, max_length; |
---|
| 470 | |
---|
| 471 | num_keys=range_list_size(unalloc_keys); |
---|
| 472 | for(i=0; i<num_keys; i++) |
---|
| 473 | { |
---|
| 474 | cur_elem = range_list_get(unalloc_keys, i); |
---|
| 475 | if(cur_elem == NULL) |
---|
| 476 | return 10; |
---|
| 477 | nk = cur_elem->data; |
---|
| 478 | |
---|
[135] | 479 | if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE)) |
---|
[111] | 480 | { |
---|
| 481 | hbin = regfi_lookup_hbin(f, nk->values_off); |
---|
| 482 | |
---|
| 483 | if(hbin != NULL) |
---|
| 484 | { |
---|
[135] | 485 | off = nk->values_off + REGFI_REGF_SIZE; |
---|
[111] | 486 | max_length = hbin->block_size + hbin->file_off - off; |
---|
[118] | 487 | /* XXX: This is a hack. We parse all value-lists, VK records, |
---|
| 488 | * and data records without regard for current allocation status. |
---|
| 489 | * On the off chance that such a record correctly parsed but is |
---|
| 490 | * actually a reallocated structure used by something else, we |
---|
| 491 | * simply prune it after the fact. Would be faster to check this |
---|
| 492 | * up front somehow. |
---|
[111] | 493 | */ |
---|
| 494 | nk->values = regfi_load_valuelist(f, off, nk->num_values, max_length, |
---|
| 495 | false); |
---|
[115] | 496 | values_length = (nk->num_values+1)*sizeof(uint32); |
---|
| 497 | if(values_length != (values_length & 0xFFFFFFF8)) |
---|
| 498 | values_length = (values_length & 0xFFFFFFF8) + 8; |
---|
[111] | 499 | |
---|
| 500 | if(nk->values != NULL) |
---|
| 501 | { |
---|
[115] | 502 | if(!range_list_has_range(unalloc_cells, off, values_length)) |
---|
[111] | 503 | { /* We've parsed a values-list which isn't in the unallocated list, |
---|
| 504 | * so prune it. |
---|
| 505 | */ |
---|
| 506 | for(j=0; j<nk->num_values; j++) |
---|
| 507 | { |
---|
| 508 | if(nk->values[j] != NULL) |
---|
| 509 | { |
---|
| 510 | if(nk->values[j]->data != NULL) |
---|
| 511 | free(nk->values[j]->data); |
---|
| 512 | free(nk->values[j]); |
---|
| 513 | } |
---|
| 514 | } |
---|
[115] | 515 | free(nk->values); |
---|
| 516 | nk->values = NULL; |
---|
[111] | 517 | } |
---|
| 518 | else |
---|
| 519 | { /* Values-list was recovered. Remove from unalloc_cells and |
---|
| 520 | * inspect values. |
---|
| 521 | */ |
---|
[113] | 522 | if(!removeRange(unalloc_cells, off, values_length)) |
---|
[111] | 523 | return 20; |
---|
| 524 | |
---|
| 525 | for(j=0; j < nk->num_values; j++) |
---|
| 526 | { |
---|
| 527 | if(nk->values[j] != NULL) |
---|
| 528 | { |
---|
[113] | 529 | if(!range_list_has_range(unalloc_cells, nk->values[j]->offset, |
---|
| 530 | nk->values[j]->cell_size)) |
---|
[111] | 531 | { /* We've parsed a value which isn't in the unallocated list, |
---|
| 532 | * so prune it. |
---|
| 533 | */ |
---|
| 534 | if(nk->values[j]->data != NULL) |
---|
| 535 | free(nk->values[j]->data); |
---|
| 536 | free(nk->values[j]); |
---|
| 537 | nk->values[j] = NULL; |
---|
| 538 | } |
---|
| 539 | else |
---|
| 540 | { |
---|
| 541 | /* A VK record was recovered. Remove from unalloc_cells |
---|
| 542 | * and inspect data. |
---|
| 543 | */ |
---|
[113] | 544 | if(!removeRange(unalloc_cells, nk->values[j]->offset, |
---|
[111] | 545 | nk->values[j]->cell_size)) |
---|
| 546 | return 21; |
---|
| 547 | |
---|
| 548 | /* Don't bother pruning or removing from unalloc_cells if |
---|
[113] | 549 | * there is no data, or it is stored in the offset. |
---|
[111] | 550 | */ |
---|
| 551 | if(nk->values[j]->data != NULL && !nk->values[j]->data_in_offset) |
---|
| 552 | { |
---|
[135] | 553 | off = nk->values[j]->data_off+REGFI_REGF_SIZE; |
---|
[113] | 554 | if(!range_list_has_range(unalloc_cells, off, |
---|
| 555 | nk->values[j]->data_size)) |
---|
[111] | 556 | { /* We've parsed a data cell which isn't in the unallocated |
---|
| 557 | * list, so prune it. |
---|
| 558 | */ |
---|
| 559 | free(nk->values[j]->data); |
---|
| 560 | nk->values[j]->data = NULL; |
---|
| 561 | } |
---|
| 562 | else |
---|
| 563 | { /*A data record was recovered. Remove from unalloc_cells.*/ |
---|
[113] | 564 | if(!removeRange(unalloc_cells, off, |
---|
[111] | 565 | nk->values[j]->data_size)) |
---|
| 566 | return 22; |
---|
| 567 | } |
---|
| 568 | } |
---|
| 569 | } |
---|
| 570 | } |
---|
| 571 | } |
---|
| 572 | } |
---|
| 573 | } |
---|
| 574 | } |
---|
| 575 | } |
---|
| 576 | } |
---|
| 577 | |
---|
| 578 | return 0; |
---|
| 579 | } |
---|
| 580 | |
---|
| 581 | |
---|
[117] | 582 | /* NOTE: unalloc_values should be an empty range_list. */ |
---|
[135] | 583 | int extractValues(REGFI_FILE* f, |
---|
[117] | 584 | range_list* unalloc_cells, |
---|
[111] | 585 | range_list* unalloc_values) |
---|
| 586 | { |
---|
| 587 | const range_list_element* cur_elem; |
---|
[135] | 588 | REGFI_VK_REC* vk; |
---|
[115] | 589 | uint32 i, j, off; |
---|
[111] | 590 | |
---|
| 591 | for(i=0; i < range_list_size(unalloc_cells); i++) |
---|
| 592 | { |
---|
[138] | 593 | printMsgs(f); |
---|
[111] | 594 | cur_elem = range_list_get(unalloc_cells, i); |
---|
| 595 | for(j=0; j <= cur_elem->length; j+=8) |
---|
| 596 | { |
---|
| 597 | vk = regfi_parse_vk(f, cur_elem->offset+j, |
---|
| 598 | cur_elem->length-j, false); |
---|
[138] | 599 | printMsgs(f); |
---|
| 600 | |
---|
[111] | 601 | if(vk != NULL) |
---|
| 602 | { |
---|
| 603 | if(!range_list_add(unalloc_values, vk->offset, |
---|
| 604 | vk->cell_size, vk)) |
---|
| 605 | { |
---|
| 606 | fprintf(stderr, "ERROR: Couldn't add value to unalloc_values.\n"); |
---|
| 607 | return 20; |
---|
| 608 | } |
---|
[117] | 609 | j+=vk->cell_size-8; |
---|
| 610 | } |
---|
| 611 | } |
---|
| 612 | } |
---|
| 613 | |
---|
| 614 | /* Remove value ranges from the unalloc_cells before we continue. */ |
---|
| 615 | for(i=0; i<range_list_size(unalloc_values); i++) |
---|
| 616 | { |
---|
| 617 | cur_elem = range_list_get(unalloc_values, i); |
---|
| 618 | if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length)) |
---|
| 619 | return 30; |
---|
| 620 | } |
---|
[115] | 621 | |
---|
[117] | 622 | /* Now see if the data associated with each value is intact */ |
---|
| 623 | for(i=0; i<range_list_size(unalloc_values); i++) |
---|
| 624 | { |
---|
| 625 | cur_elem = range_list_get(unalloc_values, i); |
---|
[135] | 626 | vk = (REGFI_VK_REC*)cur_elem->data; |
---|
[117] | 627 | if(vk == NULL) |
---|
| 628 | return 40; |
---|
[115] | 629 | |
---|
[117] | 630 | if(vk->data != NULL && !vk->data_in_offset) |
---|
| 631 | { |
---|
[135] | 632 | off = vk->data_off+REGFI_REGF_SIZE; |
---|
[117] | 633 | if(!range_list_has_range(unalloc_cells, off, vk->data_size)) |
---|
| 634 | { /* We've parsed a data cell which isn't in the unallocated |
---|
| 635 | * list, so prune it. |
---|
[115] | 636 | */ |
---|
[117] | 637 | free(vk->data); |
---|
| 638 | vk->data = NULL; |
---|
[111] | 639 | } |
---|
[117] | 640 | else |
---|
| 641 | { /*A data record was recovered. Remove from unalloc_cells.*/ |
---|
| 642 | if(!removeRange(unalloc_cells, off, vk->data_size)) |
---|
| 643 | return 50; |
---|
| 644 | } |
---|
[111] | 645 | } |
---|
| 646 | } |
---|
| 647 | |
---|
| 648 | return 0; |
---|
| 649 | } |
---|
| 650 | |
---|
| 651 | |
---|
[118] | 652 | /* NOTE: unalloc_sks should be an empty range_list. */ |
---|
[135] | 653 | int extractSKs(REGFI_FILE* f, |
---|
[111] | 654 | range_list* unalloc_cells, |
---|
| 655 | range_list* unalloc_sks) |
---|
| 656 | { |
---|
| 657 | const range_list_element* cur_elem; |
---|
[135] | 658 | REGFI_SK_REC* sk; |
---|
[111] | 659 | uint32 i, j; |
---|
| 660 | |
---|
| 661 | for(i=0; i < range_list_size(unalloc_cells); i++) |
---|
| 662 | { |
---|
[138] | 663 | printMsgs(f); |
---|
[111] | 664 | cur_elem = range_list_get(unalloc_cells, i); |
---|
| 665 | for(j=0; j <= cur_elem->length; j+=8) |
---|
| 666 | { |
---|
| 667 | sk = regfi_parse_sk(f, cur_elem->offset+j, |
---|
| 668 | cur_elem->length-j, false); |
---|
[138] | 669 | printMsgs(f); |
---|
| 670 | |
---|
[111] | 671 | if(sk != NULL) |
---|
| 672 | { |
---|
| 673 | if(!range_list_add(unalloc_sks, sk->offset, |
---|
| 674 | sk->cell_size, sk)) |
---|
| 675 | { |
---|
| 676 | fprintf(stderr, "ERROR: Couldn't add sk to unalloc_sks.\n"); |
---|
| 677 | return 20; |
---|
| 678 | } |
---|
[118] | 679 | j+=sk->cell_size-8; |
---|
[111] | 680 | } |
---|
| 681 | } |
---|
| 682 | } |
---|
| 683 | |
---|
[118] | 684 | for(i=0; i<range_list_size(unalloc_sks); i++) |
---|
| 685 | { |
---|
| 686 | cur_elem = range_list_get(unalloc_sks, i); |
---|
| 687 | if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length)) |
---|
| 688 | return 30; |
---|
| 689 | } |
---|
| 690 | |
---|
[111] | 691 | return 0; |
---|
| 692 | } |
---|
| 693 | |
---|
| 694 | |
---|
| 695 | int main(int argc, char** argv) |
---|
| 696 | { |
---|
[135] | 697 | REGFI_FILE* f; |
---|
[111] | 698 | const range_list_element* cur_elem; |
---|
| 699 | range_list* unalloc_cells; |
---|
| 700 | range_list* unalloc_keys; |
---|
| 701 | range_list* unalloc_values; |
---|
| 702 | range_list* unalloc_sks; |
---|
[112] | 703 | char** parent_paths; |
---|
| 704 | char* tmp_name; |
---|
| 705 | char* tmp_path; |
---|
[135] | 706 | REGFI_NK_REC* tmp_key; |
---|
| 707 | REGFI_VK_REC* tmp_value; |
---|
[116] | 708 | uint32 argi, arge, i, j, ret, num_unalloc_keys; |
---|
[111] | 709 | /* uint32 test_offset;*/ |
---|
| 710 | |
---|
| 711 | /* Process command line arguments */ |
---|
| 712 | if(argc < 2) |
---|
| 713 | { |
---|
| 714 | usage(); |
---|
[143] | 715 | bailOut(REGLOOKUP_EXIT_USAGE, "ERROR: Requires at least one argument.\n"); |
---|
[111] | 716 | } |
---|
| 717 | |
---|
| 718 | arge = argc-1; |
---|
| 719 | for(argi = 1; argi < arge; argi++) |
---|
| 720 | { |
---|
| 721 | if (strcmp("-v", argv[argi]) == 0) |
---|
| 722 | print_verbose = true; |
---|
| 723 | else if (strcmp("-h", argv[argi]) == 0) |
---|
| 724 | print_header = true; |
---|
| 725 | else if (strcmp("-H", argv[argi]) == 0) |
---|
| 726 | print_header = false; |
---|
| 727 | else if (strcmp("-l", argv[argi]) == 0) |
---|
| 728 | print_leftover = true; |
---|
| 729 | else if (strcmp("-L", argv[argi]) == 0) |
---|
| 730 | print_leftover = false; |
---|
| 731 | else if (strcmp("-r", argv[argi]) == 0) |
---|
| 732 | print_parsedraw = true; |
---|
| 733 | else if (strcmp("-R", argv[argi]) == 0) |
---|
| 734 | print_parsedraw = false; |
---|
| 735 | else |
---|
| 736 | { |
---|
| 737 | usage(); |
---|
| 738 | fprintf(stderr, "ERROR: Unrecognized option: %s\n", argv[argi]); |
---|
[143] | 739 | bailOut(REGLOOKUP_EXIT_USAGE, ""); |
---|
[111] | 740 | } |
---|
| 741 | } |
---|
| 742 | /*test_offset = strtol(argv[argi++], NULL, 16);*/ |
---|
| 743 | |
---|
| 744 | if((registry_file = strdup(argv[argi])) == NULL) |
---|
[143] | 745 | bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n"); |
---|
[111] | 746 | |
---|
| 747 | f = regfi_open(registry_file); |
---|
| 748 | if(f == NULL) |
---|
| 749 | { |
---|
| 750 | fprintf(stderr, "ERROR: Couldn't open registry file: %s\n", registry_file); |
---|
[143] | 751 | bailOut(REGLOOKUP_EXIT_NOINPUT, ""); |
---|
[111] | 752 | } |
---|
[138] | 753 | if(print_verbose) |
---|
| 754 | regfi_set_message_mask(f, REGFI_MSG_ERROR|REGFI_MSG_WARN|REGFI_MSG_INFO); |
---|
| 755 | else |
---|
| 756 | regfi_set_message_mask(f, REGFI_MSG_ERROR); |
---|
[111] | 757 | |
---|
| 758 | if(print_header) |
---|
| 759 | printf("OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME," |
---|
| 760 | "NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN," |
---|
| 761 | "SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL\n"); |
---|
| 762 | |
---|
| 763 | unalloc_cells = regfi_parse_unalloc_cells(f); |
---|
| 764 | if(unalloc_cells == NULL) |
---|
| 765 | { |
---|
| 766 | fprintf(stderr, "ERROR: Could not obtain list of unallocated cells.\n"); |
---|
| 767 | return 1; |
---|
| 768 | } |
---|
| 769 | |
---|
| 770 | unalloc_keys = range_list_new(); |
---|
| 771 | if(unalloc_keys == NULL) |
---|
| 772 | return 10; |
---|
| 773 | |
---|
| 774 | unalloc_values = range_list_new(); |
---|
| 775 | if(unalloc_values == NULL) |
---|
| 776 | return 10; |
---|
| 777 | |
---|
| 778 | unalloc_sks = range_list_new(); |
---|
| 779 | if(unalloc_sks == NULL) |
---|
| 780 | return 10; |
---|
| 781 | |
---|
| 782 | ret = extractKeys(f, unalloc_cells, unalloc_keys); |
---|
| 783 | if(ret != 0) |
---|
| 784 | { |
---|
| 785 | fprintf(stderr, "ERROR: extractKeys() failed with %d.\n", ret); |
---|
| 786 | return ret; |
---|
| 787 | } |
---|
| 788 | |
---|
| 789 | ret = extractValueLists(f, unalloc_cells, unalloc_keys); |
---|
| 790 | if(ret != 0) |
---|
| 791 | { |
---|
| 792 | fprintf(stderr, "ERROR: extractValueLists() failed with %d.\n", ret); |
---|
| 793 | return ret; |
---|
| 794 | } |
---|
| 795 | |
---|
| 796 | /* Carve any orphan values and associated data */ |
---|
| 797 | ret = extractValues(f, unalloc_cells, unalloc_values); |
---|
| 798 | if(ret != 0) |
---|
| 799 | { |
---|
| 800 | fprintf(stderr, "ERROR: extractValues() failed with %d.\n", ret); |
---|
| 801 | return ret; |
---|
| 802 | } |
---|
| 803 | |
---|
| 804 | /* Carve any SK records */ |
---|
| 805 | ret = extractSKs(f, unalloc_cells, unalloc_sks); |
---|
| 806 | if(ret != 0) |
---|
| 807 | { |
---|
| 808 | fprintf(stderr, "ERROR: extractSKs() failed with %d.\n", ret); |
---|
| 809 | return ret; |
---|
| 810 | } |
---|
| 811 | |
---|
[112] | 812 | /* Now that we're done carving, associate recovered keys with parents, |
---|
| 813 | * if at all possible. |
---|
| 814 | */ |
---|
| 815 | num_unalloc_keys = range_list_size(unalloc_keys); |
---|
| 816 | parent_paths = (char**)malloc(sizeof(char*)*num_unalloc_keys); |
---|
| 817 | if(parent_paths == NULL) |
---|
| 818 | return 10; |
---|
[111] | 819 | |
---|
[112] | 820 | for(i=0; i < num_unalloc_keys; i++) |
---|
[111] | 821 | { |
---|
| 822 | cur_elem = range_list_get(unalloc_keys, i); |
---|
[135] | 823 | tmp_key = (REGFI_NK_REC*)cur_elem->data; |
---|
[111] | 824 | |
---|
[112] | 825 | if(tmp_key == NULL) |
---|
| 826 | return 20; |
---|
| 827 | |
---|
| 828 | parent_paths[i] = getParentPath(f, tmp_key); |
---|
| 829 | if(parent_paths[i] == NULL) |
---|
| 830 | return 20; |
---|
| 831 | } |
---|
| 832 | |
---|
| 833 | /* Now start the output */ |
---|
[111] | 834 | |
---|
[112] | 835 | for(i=0; i < num_unalloc_keys; i++) |
---|
| 836 | { |
---|
| 837 | cur_elem = range_list_get(unalloc_keys, i); |
---|
[135] | 838 | tmp_key = (REGFI_NK_REC*)cur_elem->data; |
---|
[112] | 839 | |
---|
| 840 | printKey(f, tmp_key, parent_paths[i]); |
---|
[114] | 841 | if(tmp_key->num_values > 0 && tmp_key->values != NULL) |
---|
[111] | 842 | { |
---|
[112] | 843 | tmp_name = quote_string(tmp_key->keyname, key_special_chars); |
---|
| 844 | tmp_path = (char*)malloc(strlen(parent_paths[i])+strlen(tmp_name)+2); |
---|
| 845 | if(tmp_path == NULL) |
---|
[136] | 846 | { |
---|
| 847 | free(tmp_name); |
---|
[112] | 848 | return 10; |
---|
[136] | 849 | } |
---|
| 850 | |
---|
[112] | 851 | sprintf(tmp_path, "%s/%s", parent_paths[i], tmp_name); |
---|
| 852 | for(j=0; j < tmp_key->num_values; j++) |
---|
| 853 | { |
---|
| 854 | tmp_value = tmp_key->values[j]; |
---|
| 855 | if(tmp_value != NULL) |
---|
| 856 | printValue(f, tmp_value, tmp_path); |
---|
| 857 | } |
---|
| 858 | free(tmp_path); |
---|
| 859 | free(tmp_name); |
---|
| 860 | free(parent_paths[i]); |
---|
[111] | 861 | } |
---|
| 862 | } |
---|
[112] | 863 | free(parent_paths); |
---|
[111] | 864 | |
---|
| 865 | /* Print out orphaned values */ |
---|
| 866 | for(i=0; i < range_list_size(unalloc_values); i++) |
---|
| 867 | { |
---|
| 868 | cur_elem = range_list_get(unalloc_values, i); |
---|
[135] | 869 | tmp_value = (REGFI_VK_REC*)cur_elem->data; |
---|
[111] | 870 | |
---|
| 871 | printValue(f, tmp_value, ""); |
---|
| 872 | } |
---|
| 873 | |
---|
| 874 | if(print_leftover) |
---|
| 875 | { |
---|
| 876 | for(i=0; i < range_list_size(unalloc_cells); i++) |
---|
| 877 | { |
---|
| 878 | cur_elem = range_list_get(unalloc_cells, i); |
---|
| 879 | printCell(f, cur_elem->offset); |
---|
| 880 | } |
---|
| 881 | } |
---|
| 882 | |
---|
| 883 | return 0; |
---|
| 884 | } |
---|