Context Navigation

reglookup-recover.c @ 143

Last change on this file since 143 was 143, checked in by tim, 15 years ago

fixed a null pointer exception

removed some dependencies on less portable items

altered Makefiles to allow for MinGW cross compiling

Property svn:keywords set to Id

File size: 23.1 KB

Rev	Line
[111]	1	/*
[121]	2	* This program attempts to recover deleted data structures in a registry hive.
	3	*
[138]	4	* Copyright (C) 2008-2009 Timothy D. Morgan
[111]	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; version 3 of the License.
	9	*
	10	* This program is distributed in the hope that it will be useful,
	11	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	12	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	13	* GNU General Public License for more details.
	14	*
	15	* You should have received a copy of the GNU General Public License
	16	* along with this program; if not, write to the Free Software
	17	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	18	*
[118]	19	* $Id: reglookup-recover.c 143 2009-02-13 03:24:27Z tim $
[111]	20	*/
	21
	22	#include <stdio.h>
	23	#include <stdlib.h>
	24
	25	#include "../include/regfi.h"
	26	#include "../include/range_list.h"
	27	#include "../include/lru_cache.h"
	28
	29
	30	/* Globals, influenced by command line parameters */
	31	bool print_verbose = false;
	32	bool print_security = false;
	33	bool print_header = true;
	34	bool print_leftover = false;
	35	bool print_parsedraw = false;
	36	char* registry_file = NULL;
	37
	38	#include "common.c"
	39
	40
	41	char* getQuotedData(int fd, uint32 offset, uint32 length)
	42	{
	43	uint8* buf;
	44	char* quoted_buf;
	45	uint32 len;
	46
	47	if((lseek(fd, offset, SEEK_SET)) == -1)
	48	return NULL;
	49
	50	buf = (uint8*)malloc(length);
	51	if(buf == NULL)
	52	return NULL;
	53
	54	len = length;
	55	if((regfi_read(fd, buf, &length) != 0) \|\| length != len)
	56	{
	57	free(buf);
	58	return NULL;
	59	}
	60
	61	quoted_buf = quote_buffer(buf, length, common_special_chars);
	62	free(buf);
	63
	64	return quoted_buf;
	65	}
	66
	67
[135]	68	void printKey(REGFI_FILE* f, REGFI_NK_REC* nk, const char* prefix)
[111]	69	{
	70	char mtime[20];
	71	time_t tmp_time[1];
	72	struct tm* tmp_time_s = NULL;
	73	char* quoted_name = NULL;
	74	char* quoted_raw = "";
	75
	76	*tmp_time = nt_time_to_unix(&nk->mtime);
	77	tmp_time_s = gmtime(tmp_time);
	78	strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s);
	79
	80	quoted_name = quote_string(nk->keyname, key_special_chars);
	81	if (quoted_name == NULL)
	82	{
	83	quoted_name = malloc(1*sizeof(char));
	84	if(quoted_name == NULL)
[143]	85	bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n");
[111]	86	quoted_name[0] = '\0';
	87
[138]	88	fprintf(stderr, "WARN: NULL key name in NK record at offset %.8X.\n",
[111]	89	nk->offset);
	90	}
	91
	92	if(print_parsedraw)
	93	quoted_raw = getQuotedData(f->fd, nk->offset, nk->cell_size);
	94
	95	printf("%.8X,%.8X,KEY,%s,%s,%s,%d,,,,,,,,%s\n", nk->offset, nk->cell_size,
	96	prefix, quoted_name, mtime, nk->num_values, quoted_raw);
	97
	98	if(print_parsedraw)
	99	free(quoted_raw);
[136]	100	free(quoted_name);
[111]	101	}
	102
	103
[135]	104	void printValue(REGFI_FILE* f, const REGFI_VK_REC* vk, const char* prefix)
[111]	105	{
	106	char* quoted_value = NULL;
	107	char* quoted_name = NULL;
	108	char* quoted_raw = "";
	109	char* conv_error = NULL;
	110	const char* str_type = NULL;
	111	uint32 size = vk->data_size;
	112
	113	/* Microsoft's documentation indicates that "available memory" is
	114	* the limit on value sizes. Annoying. We limit it to 1M which
	115	* should rarely be exceeded, unless the file is corrupt or
	116	* malicious. For more info, see:
	117	* http://msdn2.microsoft.com/en-us/library/ms724872.aspx
	118	*/
[116]	119	/* XXX: Should probably do something different here for this tool.
	120	* Also, It would be really nice if this message somehow included the
	121	* name of the current value we're having trouble with, since
	122	* stderr/stdout don't always sync nicely.
	123	*/
[135]	124	if(size > REGFI_VK_MAX_DATA_LENGTH)
[111]	125	{
[138]	126	fprintf(stderr, "WARN: value data size %d larger than "
[135]	127	"%d, truncating...\n", size, REGFI_VK_MAX_DATA_LENGTH);
	128	size = REGFI_VK_MAX_DATA_LENGTH;
[111]	129	}
	130
	131	quoted_name = quote_string(vk->valuename, key_special_chars);
	132	if (quoted_name == NULL)
	133	{ /* Value names are NULL when we're looking at the "(default)" value.
	134	* Currently we just return a 0-length string to try an eliminate
	135	* ambiguity with a literal "(default)" value. The data type of a line
	136	* in the output allows one to differentiate between the parent key and
	137	* this value.
	138	*/
	139	quoted_name = malloc(1*sizeof(char));
	140	if(quoted_name == NULL)
[143]	141	bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n");
[111]	142	quoted_name[0] = '\0';
	143	}
	144
	145	quoted_value = data_to_ascii(vk->data, size, vk->type, &conv_error);
	146	if(quoted_value == NULL)
	147	{
	148	quoted_value = malloc(1*sizeof(char));
	149	if(quoted_value == NULL)
[143]	150	bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n");
[111]	151	quoted_value[0] = '\0';
	152
	153	if(conv_error == NULL)
[138]	154	fprintf(stderr, "WARN: Could not quote value for '%s/%s'. "
[111]	155	"Memory allocation failure likely.\n", prefix, quoted_name);
	156	else if(print_verbose)
[138]	157	fprintf(stderr, "WARN: Could not quote value for '%s/%s'. "
[111]	158	"Returned error: %s\n", prefix, quoted_name, conv_error);
	159	}
	160	/* XXX: should these always be printed? */
	161	else if(conv_error != NULL && print_verbose)
[138]	162	fprintf(stderr, "INFO: While quoting value for '%s/%s', "
[111]	163	"warning returned: %s\n", prefix, quoted_name, conv_error);
	164
	165
	166	if(print_parsedraw)
	167	quoted_raw = getQuotedData(f->fd, vk->offset, vk->cell_size);
	168
	169	str_type = regfi_type_val2str(vk->type);
	170	if(str_type == NULL)
	171	printf("%.8X,%.8X,VALUE,%s,%s,,,0x%.8X,%s,%d,,,,,%s\n",
	172	vk->offset, vk->cell_size, prefix, quoted_name,
	173	vk->type, quoted_value, vk->data_size, quoted_raw);
	174	else
	175	printf("%.8X,%.8X,VALUE,%s,%s,,,%s,%s,%d,,,,,%s\n",
	176	vk->offset, vk->cell_size, prefix, quoted_name,
	177	str_type, quoted_value, vk->data_size, quoted_raw);
	178
	179	if(print_parsedraw)
	180	free(quoted_raw);
	181	if(quoted_value != NULL)
	182	free(quoted_value);
	183	if(quoted_name != NULL)
	184	free(quoted_name);
	185	if(conv_error != NULL)
	186	free(conv_error);
	187	}
	188
	189
[135]	190	void printSK(REGFI_FILE* f, REGFI_SK_REC* sk)
[111]	191	{
	192	char* quoted_raw = NULL;
	193	char* empty_str = "";
	194	char* owner = regfi_get_owner(sk->sec_desc);
	195	char* group = regfi_get_group(sk->sec_desc);
	196	char* sacl = regfi_get_sacl(sk->sec_desc);
	197	char* dacl = regfi_get_dacl(sk->sec_desc);
	198
	199	if(print_parsedraw)
	200	quoted_raw = getQuotedData(f->fd, sk->offset, sk->cell_size);
	201
	202	if(owner == NULL)
	203	owner = empty_str;
	204	if(group == NULL)
	205	group = empty_str;
	206	if(sacl == NULL)
	207	sacl = empty_str;
	208	if(dacl == NULL)
	209	dacl = empty_str;
	210
	211	printf("%.8X,%.8X,SK,,,,,,,,%s,%s,%s,%s,%s\n", sk->offset, sk->cell_size,
	212	owner, group, sacl, dacl, quoted_raw);
	213
	214	if(owner != empty_str)
	215	free(owner);
	216	if(group != empty_str)
	217	free(group);
	218	if(sacl != empty_str)
	219	free(sacl);
	220	if(dacl != empty_str)
	221	free(dacl);
	222
	223	if(print_parsedraw)
	224	free(quoted_raw);
	225	}
	226
	227
[135]	228	int printCell(REGFI_FILE* f, uint32 offset)
[111]	229	{
	230	char* quoted_buf;
	231	uint32 cell_length;
	232	bool unalloc;
	233
	234	if(!regfi_parse_cell(f->fd, offset, NULL, 0, &cell_length, &unalloc))
	235	return 1;
	236
	237	quoted_buf = getQuotedData(f->fd, offset, cell_length);
	238	if(quoted_buf == NULL)
	239	return 2;
	240
	241	printf("%.8X,%.8X,RAW,,,,,,,,,,,,%s\n", offset, cell_length, quoted_buf);
	242
	243	free(quoted_buf);
	244	return 0;
	245	}
	246
	247
[112]	248	/* This function returns a properly quoted parent path or partial parent
	249	* path for a given key. Returns NULL on error, "" if no path was available.
	250	* Paths returned must be free()d.
	251	*/
[116]	252	/* XXX: This is not terribly efficient, as it may reparse many keys
	253	* repeatedly. Should try to add caching. Also, piecing the path
	254	* together is slow and redundant.
[112]	255	*/
[135]	256	char* getParentPath(REGFI_FILE* f, REGFI_NK_REC* nk)
[112]	257	{
[135]	258	void_stack* path_stack = void_stack_new(REGFI_MAX_DEPTH);
	259	REGFI_HBIN* hbin;
	260	REGFI_NK_REC* cur_ancestor;
[112]	261	char* ret_val;
	262	char* path_element;
	263	char* tmp_str;
	264	uint32 virt_offset, i, stack_size, ret_val_size, ret_val_left, element_size;
	265	uint32 max_length;
	266
[118]	267	/* The path_stack size limit should guarantee that we don't recurse forever. */
[112]	268	virt_offset = nk->parent_off;
[135]	269	while(virt_offset != REGFI_OFFSET_NONE)
[112]	270	{
	271	hbin = regfi_lookup_hbin(f, virt_offset);
	272	if(hbin == NULL)
[135]	273	virt_offset = REGFI_OFFSET_NONE;
[112]	274	else
	275	{
	276	max_length = hbin->block_size + hbin->file_off
[135]	277	- (virt_offset+REGFI_REGF_SIZE);
	278	cur_ancestor = regfi_parse_nk(f, virt_offset+REGFI_REGF_SIZE,
[112]	279	max_length, true);
[138]	280	printMsgs(f);
	281
[112]	282	if(cur_ancestor == NULL)
[135]	283	virt_offset = REGFI_OFFSET_NONE;
[112]	284	else
	285	{
[135]	286	if((cur_ancestor->key_type == REGFI_NK_TYPE_ROOTKEY1)
	287	\|\| (cur_ancestor->key_type == REGFI_NK_TYPE_ROOTKEY2))
	288	virt_offset = REGFI_OFFSET_NONE;
[112]	289	else
	290	virt_offset = cur_ancestor->parent_off;
	291
	292	path_element = quote_string(cur_ancestor->keyname, key_special_chars);
	293	if(path_element == NULL \|\| !void_stack_push(path_stack, path_element))
	294	{
	295	free(cur_ancestor->keyname);
	296	free(cur_ancestor);
	297	void_stack_free_deep(path_stack);
	298	return NULL;
	299	}
	300
	301	regfi_key_free(cur_ancestor);
	302	}
	303	}
	304	}
	305
	306	stack_size = void_stack_size(path_stack);
	307	ret_val_size = 16*stack_size;
	308	if(ret_val_size == 0)
	309	ret_val_size = 1;
	310	ret_val_left = ret_val_size;
	311	ret_val = malloc(ret_val_size);
	312	if(ret_val == NULL)
	313	{
	314	void_stack_free_deep(path_stack);
	315	return NULL;
	316	}
	317	ret_val[0] = '\0';
	318
	319	for(i=0; i<stack_size; i++)
	320	{
	321	path_element = void_stack_pop(path_stack);
	322	element_size = strlen(path_element);
	323	if(ret_val_left < element_size+2)
	324	{
	325	ret_val_size += element_size+16;
	326	ret_val_left += element_size+16;
	327	tmp_str = (char*)realloc(ret_val, ret_val_size);
	328	if(tmp_str == NULL)
	329	{
	330	free(ret_val);
	331	void_stack_free_deep(path_stack);
	332	return NULL;
	333	}
	334	ret_val = tmp_str;
	335	}
	336
	337	ret_val_left -= snprintf(ret_val+ret_val_size-ret_val_left,ret_val_left, "/%s", path_element);
	338	free(path_element);
	339	}
	340	void_stack_free(path_stack);
	341
	342	return ret_val;
	343	}
	344
	345
[111]	346	static void usage(void)
	347	{
	348	fprintf(stderr, "Usage: reglookup-recover [options] <REGISTRY_FILE>\n");
	349	fprintf(stderr, "Version: %s\n", REGLOOKUP_VERSION);
	350	fprintf(stderr, "Options:\n");
	351	fprintf(stderr, "\t-v\t sets verbose mode.\n");
	352	fprintf(stderr, "\t-h\t enables header row. (default)\n");
	353	fprintf(stderr, "\t-H\t disables header row.\n");
	354	fprintf(stderr, "\t-l\t enables leftover(raw) cell output.\n");
	355	fprintf(stderr, "\t-L\t disables leftover(raw) cell output. (default)\n");
	356	fprintf(stderr, "\t-r\t enables raw cell output for parsed cells.\n");
	357	fprintf(stderr, "\t-R\t disables raw cell output for parsed cells. (default)\n");
	358	fprintf(stderr, "\n");
	359	}
	360
	361
[113]	362	bool removeRange(range_list* rl, uint32 offset, uint32 length)
[111]	363	{
[113]	364	int32 rm_idx;
	365	const range_list_element* cur_elem;
[115]	366
[113]	367	rm_idx = range_list_find(rl, offset);
	368	if(rm_idx < 0)
[116]	369	{
	370	fprintf(stderr, "DEBUG: removeRange: rm_idx < 0; (%d)\n", rm_idx);
[113]	371	return false;
[116]	372	}
[113]	373
	374	cur_elem = range_list_get(rl, rm_idx);
[111]	375	if(cur_elem == NULL)
	376	{
[116]	377	fprintf(stderr, "DEBUG: removeRange: cur_elem == NULL. rm_idx=%d\n", rm_idx);
[111]	378	return false;
	379	}
	380
	381	if(offset > cur_elem->offset)
	382	{
	383	if(!range_list_split_element(rl, rm_idx, offset))
	384	{
[116]	385	fprintf(stderr, "DEBUG: removeRange: first split failed\n");
[111]	386	return false;
	387	}
	388	rm_idx++;
[116]	389	cur_elem = range_list_get(rl, rm_idx);
	390	if(cur_elem == NULL)
	391	{
	392	fprintf(stderr,
	393	"DEBUG: removeRange: cur_elem == NULL after first split. rm_idx=%d\n",
	394	rm_idx);
	395	return false;
	396	}
[111]	397	}
	398
	399	if(offset+length < cur_elem->offset+cur_elem->length)
	400	{
	401	if(!range_list_split_element(rl, rm_idx, offset+length))
	402	{
[116]	403	fprintf(stderr, "DEBUG: removeRange: second split failed\n");
[111]	404	return false;
	405	}
	406	}
	407
	408	if(!range_list_remove(rl, rm_idx))
	409	{
[116]	410	fprintf(stderr, "DEBUG: removeRange: remove failed\n");
[111]	411	return false;
	412	}
	413
	414	return true;
	415	}
	416
	417
[117]	418	/* NOTE: unalloc_keys should be an empty range_list. */
[135]	419	int extractKeys(REGFI_FILE* f,
[111]	420	range_list* unalloc_cells,
	421	range_list* unalloc_keys)
	422	{
	423	const range_list_element* cur_elem;
[135]	424	REGFI_NK_REC* key;
[111]	425	uint32 i, j;
	426
	427	for(i=0; i < range_list_size(unalloc_cells); i++)
	428	{
[138]	429	printMsgs(f);
[111]	430	cur_elem = range_list_get(unalloc_cells, i);
[115]	431	for(j=0; cur_elem->length > REGFI_NK_MIN_LENGTH
	432	&& j <= cur_elem->length-REGFI_NK_MIN_LENGTH; j+=8)
[111]	433	{
[115]	434	key = regfi_parse_nk(f, cur_elem->offset+j,
	435	cur_elem->length-j, false);
[138]	436	printMsgs(f);
	437
[111]	438	if(key != NULL)
	439	{
	440	if(!range_list_add(unalloc_keys, key->offset,
	441	key->cell_size, key))
	442	{
	443	fprintf(stderr, "ERROR: Couldn't add key to unalloc_keys.\n");
	444	return 20;
	445	}
[116]	446	j+=key->cell_size-8;
[111]	447	}
	448	}
	449	}
	450
[116]	451	for(i=0; i<range_list_size(unalloc_keys); i++)
	452	{
	453	cur_elem = range_list_get(unalloc_keys, i);
	454	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
	455	return 30;
	456	}
	457
[111]	458	return 0;
	459	}
	460
	461
[135]	462	int extractValueLists(REGFI_FILE* f,
[111]	463	range_list* unalloc_cells,
	464	range_list* unalloc_keys)
	465	{
[135]	466	REGFI_NK_REC* nk;
	467	REGFI_HBIN* hbin;
[111]	468	const range_list_element* cur_elem;
	469	uint32 i, j, num_keys, off, values_length, max_length;
	470
	471	num_keys=range_list_size(unalloc_keys);
	472	for(i=0; i<num_keys; i++)
	473	{
	474	cur_elem = range_list_get(unalloc_keys, i);
	475	if(cur_elem == NULL)
	476	return 10;
	477	nk = cur_elem->data;
	478
[135]	479	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
[111]	480	{
	481	hbin = regfi_lookup_hbin(f, nk->values_off);
	482
	483	if(hbin != NULL)
	484	{
[135]	485	off = nk->values_off + REGFI_REGF_SIZE;
[111]	486	max_length = hbin->block_size + hbin->file_off - off;
[118]	487	/* XXX: This is a hack. We parse all value-lists, VK records,
	488	* and data records without regard for current allocation status.
	489	* On the off chance that such a record correctly parsed but is
	490	* actually a reallocated structure used by something else, we
	491	* simply prune it after the fact. Would be faster to check this
	492	* up front somehow.
[111]	493	*/
	494	nk->values = regfi_load_valuelist(f, off, nk->num_values, max_length,
	495	false);
[115]	496	values_length = (nk->num_values+1)*sizeof(uint32);
	497	if(values_length != (values_length & 0xFFFFFFF8))
	498	values_length = (values_length & 0xFFFFFFF8) + 8;
[111]	499
	500	if(nk->values != NULL)
	501	{
[115]	502	if(!range_list_has_range(unalloc_cells, off, values_length))
[111]	503	{ /* We've parsed a values-list which isn't in the unallocated list,
	504	* so prune it.
	505	*/
	506	for(j=0; j<nk->num_values; j++)
	507	{
	508	if(nk->values[j] != NULL)
	509	{
	510	if(nk->values[j]->data != NULL)
	511	free(nk->values[j]->data);
	512	free(nk->values[j]);
	513	}
	514	}
[115]	515	free(nk->values);
	516	nk->values = NULL;
[111]	517	}
	518	else
	519	{ /* Values-list was recovered. Remove from unalloc_cells and
	520	* inspect values.
	521	*/
[113]	522	if(!removeRange(unalloc_cells, off, values_length))
[111]	523	return 20;
	524
	525	for(j=0; j < nk->num_values; j++)
	526	{
	527	if(nk->values[j] != NULL)
	528	{
[113]	529	if(!range_list_has_range(unalloc_cells, nk->values[j]->offset,
	530	nk->values[j]->cell_size))
[111]	531	{ /* We've parsed a value which isn't in the unallocated list,
	532	* so prune it.
	533	*/
	534	if(nk->values[j]->data != NULL)
	535	free(nk->values[j]->data);
	536	free(nk->values[j]);
	537	nk->values[j] = NULL;
	538	}
	539	else
	540	{
	541	/* A VK record was recovered. Remove from unalloc_cells
	542	* and inspect data.
	543	*/
[113]	544	if(!removeRange(unalloc_cells, nk->values[j]->offset,
[111]	545	nk->values[j]->cell_size))
	546	return 21;
	547
	548	/* Don't bother pruning or removing from unalloc_cells if
[113]	549	* there is no data, or it is stored in the offset.
[111]	550	*/
	551	if(nk->values[j]->data != NULL && !nk->values[j]->data_in_offset)
	552	{
[135]	553	off = nk->values[j]->data_off+REGFI_REGF_SIZE;
[113]	554	if(!range_list_has_range(unalloc_cells, off,
	555	nk->values[j]->data_size))
[111]	556	{ /* We've parsed a data cell which isn't in the unallocated
	557	* list, so prune it.
	558	*/
	559	free(nk->values[j]->data);
	560	nk->values[j]->data = NULL;
	561	}
	562	else
	563	{ /A data record was recovered. Remove from unalloc_cells./
[113]	564	if(!removeRange(unalloc_cells, off,
[111]	565	nk->values[j]->data_size))
	566	return 22;
	567	}
	568	}
	569	}
	570	}
	571	}
	572	}
	573	}
	574	}
	575	}
	576	}
	577
	578	return 0;
	579	}
	580
	581
[117]	582	/* NOTE: unalloc_values should be an empty range_list. */
[135]	583	int extractValues(REGFI_FILE* f,
[117]	584	range_list* unalloc_cells,
[111]	585	range_list* unalloc_values)
	586	{
	587	const range_list_element* cur_elem;
[135]	588	REGFI_VK_REC* vk;
[115]	589	uint32 i, j, off;
[111]	590
	591	for(i=0; i < range_list_size(unalloc_cells); i++)
	592	{
[138]	593	printMsgs(f);
[111]	594	cur_elem = range_list_get(unalloc_cells, i);
	595	for(j=0; j <= cur_elem->length; j+=8)
	596	{
	597	vk = regfi_parse_vk(f, cur_elem->offset+j,
	598	cur_elem->length-j, false);
[138]	599	printMsgs(f);
	600
[111]	601	if(vk != NULL)
	602	{
	603	if(!range_list_add(unalloc_values, vk->offset,
	604	vk->cell_size, vk))
	605	{
	606	fprintf(stderr, "ERROR: Couldn't add value to unalloc_values.\n");
	607	return 20;
	608	}
[117]	609	j+=vk->cell_size-8;
	610	}
	611	}
	612	}
	613
	614	/* Remove value ranges from the unalloc_cells before we continue. */
	615	for(i=0; i<range_list_size(unalloc_values); i++)
	616	{
	617	cur_elem = range_list_get(unalloc_values, i);
	618	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
	619	return 30;
	620	}
[115]	621
[117]	622	/* Now see if the data associated with each value is intact */
	623	for(i=0; i<range_list_size(unalloc_values); i++)
	624	{
	625	cur_elem = range_list_get(unalloc_values, i);
[135]	626	vk = (REGFI_VK_REC*)cur_elem->data;
[117]	627	if(vk == NULL)
	628	return 40;
[115]	629
[117]	630	if(vk->data != NULL && !vk->data_in_offset)
	631	{
[135]	632	off = vk->data_off+REGFI_REGF_SIZE;
[117]	633	if(!range_list_has_range(unalloc_cells, off, vk->data_size))
	634	{ /* We've parsed a data cell which isn't in the unallocated
	635	* list, so prune it.
[115]	636	*/
[117]	637	free(vk->data);
	638	vk->data = NULL;
[111]	639	}
[117]	640	else
	641	{ /A data record was recovered. Remove from unalloc_cells./
	642	if(!removeRange(unalloc_cells, off, vk->data_size))
	643	return 50;
	644	}
[111]	645	}
	646	}
	647
	648	return 0;
	649	}
	650
	651
[118]	652	/* NOTE: unalloc_sks should be an empty range_list. */
[135]	653	int extractSKs(REGFI_FILE* f,
[111]	654	range_list* unalloc_cells,
	655	range_list* unalloc_sks)
	656	{
	657	const range_list_element* cur_elem;
[135]	658	REGFI_SK_REC* sk;
[111]	659	uint32 i, j;
	660
	661	for(i=0; i < range_list_size(unalloc_cells); i++)
	662	{
[138]	663	printMsgs(f);
[111]	664	cur_elem = range_list_get(unalloc_cells, i);
	665	for(j=0; j <= cur_elem->length; j+=8)
	666	{
	667	sk = regfi_parse_sk(f, cur_elem->offset+j,
	668	cur_elem->length-j, false);
[138]	669	printMsgs(f);
	670
[111]	671	if(sk != NULL)
	672	{
	673	if(!range_list_add(unalloc_sks, sk->offset,
	674	sk->cell_size, sk))
	675	{
	676	fprintf(stderr, "ERROR: Couldn't add sk to unalloc_sks.\n");
	677	return 20;
	678	}
[118]	679	j+=sk->cell_size-8;
[111]	680	}
	681	}
	682	}
	683
[118]	684	for(i=0; i<range_list_size(unalloc_sks); i++)
	685	{
	686	cur_elem = range_list_get(unalloc_sks, i);
	687	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
	688	return 30;
	689	}
	690
[111]	691	return 0;
	692	}
	693
	694
	695	int main(int argc, char** argv)
	696	{
[135]	697	REGFI_FILE* f;
[111]	698	const range_list_element* cur_elem;
	699	range_list* unalloc_cells;
	700	range_list* unalloc_keys;
	701	range_list* unalloc_values;
	702	range_list* unalloc_sks;
[112]	703	char** parent_paths;
	704	char* tmp_name;
	705	char* tmp_path;
[135]	706	REGFI_NK_REC* tmp_key;
	707	REGFI_VK_REC* tmp_value;
[116]	708	uint32 argi, arge, i, j, ret, num_unalloc_keys;
[111]	709	/* uint32 test_offset;*/
	710
	711	/* Process command line arguments */
	712	if(argc < 2)
	713	{
	714	usage();
[143]	715	bailOut(REGLOOKUP_EXIT_USAGE, "ERROR: Requires at least one argument.\n");
[111]	716	}
	717
	718	arge = argc-1;
	719	for(argi = 1; argi < arge; argi++)
	720	{
	721	if (strcmp("-v", argv[argi]) == 0)
	722	print_verbose = true;
	723	else if (strcmp("-h", argv[argi]) == 0)
	724	print_header = true;
	725	else if (strcmp("-H", argv[argi]) == 0)
	726	print_header = false;
	727	else if (strcmp("-l", argv[argi]) == 0)
	728	print_leftover = true;
	729	else if (strcmp("-L", argv[argi]) == 0)
	730	print_leftover = false;
	731	else if (strcmp("-r", argv[argi]) == 0)
	732	print_parsedraw = true;
	733	else if (strcmp("-R", argv[argi]) == 0)
	734	print_parsedraw = false;
	735	else
	736	{
	737	usage();
	738	fprintf(stderr, "ERROR: Unrecognized option: %s\n", argv[argi]);
[143]	739	bailOut(REGLOOKUP_EXIT_USAGE, "");
[111]	740	}
	741	}
	742	/test_offset = strtol(argv[argi++], NULL, 16);/
	743
	744	if((registry_file = strdup(argv[argi])) == NULL)
[143]	745	bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");
[111]	746
	747	f = regfi_open(registry_file);
	748	if(f == NULL)
	749	{
	750	fprintf(stderr, "ERROR: Couldn't open registry file: %s\n", registry_file);
[143]	751	bailOut(REGLOOKUP_EXIT_NOINPUT, "");
[111]	752	}
[138]	753	if(print_verbose)
	754	regfi_set_message_mask(f, REGFI_MSG_ERROR\|REGFI_MSG_WARN\|REGFI_MSG_INFO);
	755	else
	756	regfi_set_message_mask(f, REGFI_MSG_ERROR);
[111]	757
	758	if(print_header)
	759	printf("OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME,"
	760	"NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN,"
	761	"SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL\n");
	762
	763	unalloc_cells = regfi_parse_unalloc_cells(f);
	764	if(unalloc_cells == NULL)
	765	{
	766	fprintf(stderr, "ERROR: Could not obtain list of unallocated cells.\n");
	767	return 1;
	768	}
	769
	770	unalloc_keys = range_list_new();
	771	if(unalloc_keys == NULL)
	772	return 10;
	773
	774	unalloc_values = range_list_new();
	775	if(unalloc_values == NULL)
	776	return 10;
	777
	778	unalloc_sks = range_list_new();
	779	if(unalloc_sks == NULL)
	780	return 10;
	781
	782	ret = extractKeys(f, unalloc_cells, unalloc_keys);
	783	if(ret != 0)
	784	{
	785	fprintf(stderr, "ERROR: extractKeys() failed with %d.\n", ret);
	786	return ret;
	787	}
	788
	789	ret = extractValueLists(f, unalloc_cells, unalloc_keys);
	790	if(ret != 0)
	791	{
	792	fprintf(stderr, "ERROR: extractValueLists() failed with %d.\n", ret);
	793	return ret;
	794	}
	795
	796	/* Carve any orphan values and associated data */
	797	ret = extractValues(f, unalloc_cells, unalloc_values);
	798	if(ret != 0)
	799	{
	800	fprintf(stderr, "ERROR: extractValues() failed with %d.\n", ret);
	801	return ret;
	802	}
	803
	804	/* Carve any SK records */
	805	ret = extractSKs(f, unalloc_cells, unalloc_sks);
	806	if(ret != 0)
	807	{
	808	fprintf(stderr, "ERROR: extractSKs() failed with %d.\n", ret);
	809	return ret;
	810	}
	811
[112]	812	/* Now that we're done carving, associate recovered keys with parents,
	813	* if at all possible.
	814	*/
	815	num_unalloc_keys = range_list_size(unalloc_keys);
	816	parent_paths = (char*)malloc(sizeof(char)*num_unalloc_keys);
	817	if(parent_paths == NULL)
	818	return 10;
[111]	819
[112]	820	for(i=0; i < num_unalloc_keys; i++)
[111]	821	{
	822	cur_elem = range_list_get(unalloc_keys, i);
[135]	823	tmp_key = (REGFI_NK_REC*)cur_elem->data;
[111]	824
[112]	825	if(tmp_key == NULL)
	826	return 20;
	827
	828	parent_paths[i] = getParentPath(f, tmp_key);
	829	if(parent_paths[i] == NULL)
	830	return 20;
	831	}
	832
	833	/* Now start the output */
[111]	834
[112]	835	for(i=0; i < num_unalloc_keys; i++)
	836	{
	837	cur_elem = range_list_get(unalloc_keys, i);
[135]	838	tmp_key = (REGFI_NK_REC*)cur_elem->data;
[112]	839
	840	printKey(f, tmp_key, parent_paths[i]);
[114]	841	if(tmp_key->num_values > 0 && tmp_key->values != NULL)
[111]	842	{
[112]	843	tmp_name = quote_string(tmp_key->keyname, key_special_chars);
	844	tmp_path = (char*)malloc(strlen(parent_paths[i])+strlen(tmp_name)+2);
	845	if(tmp_path == NULL)
[136]	846	{
	847	free(tmp_name);
[112]	848	return 10;
[136]	849	}
	850
[112]	851	sprintf(tmp_path, "%s/%s", parent_paths[i], tmp_name);
	852	for(j=0; j < tmp_key->num_values; j++)
	853	{
	854	tmp_value = tmp_key->values[j];
	855	if(tmp_value != NULL)
	856	printValue(f, tmp_value, tmp_path);
	857	}
	858	free(tmp_path);
	859	free(tmp_name);
	860	free(parent_paths[i]);
[111]	861	}
	862	}
[112]	863	free(parent_paths);
[111]	864
	865	/* Print out orphaned values */
	866	for(i=0; i < range_list_size(unalloc_values); i++)
	867	{
	868	cur_elem = range_list_get(unalloc_values, i);
[135]	869	tmp_value = (REGFI_VK_REC*)cur_elem->data;
[111]	870
	871	printValue(f, tmp_value, "");
	872	}
	873
	874	if(print_leftover)
	875	{
	876	for(i=0; i < range_list_size(unalloc_cells); i++)
	877	{
	878	cur_elem = range_list_get(unalloc_cells, i);
	879	printCell(f, cur_elem->offset);
	880	}
	881	}
	882
	883	return 0;
	884	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/src/reglookup-recover.c @ 143

Download in other formats: