Context Navigation

source: trunk/src/reglookup-recover.c @ 151

Last change on this file since 151 was 151, checked in by tim, 15 years ago

parsed more items from regf header structure

improved feedback from regfi_parse_data

Property svn:keywords set to Id

File size: 24.4 KB

Rev	Line
[111]	1	/*
[121]	2	* This program attempts to recover deleted data structures in a registry hive.
	3	*
[138]	4	* Copyright (C) 2008-2009 Timothy D. Morgan
[111]	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; version 3 of the License.
	9	*
	10	* This program is distributed in the hope that it will be useful,
	11	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	12	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	13	* GNU General Public License for more details.
	14	*
	15	* You should have received a copy of the GNU General Public License
	16	* along with this program; if not, write to the Free Software
[150]	17	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
[111]	18	*
[118]	19	* $Id: reglookup-recover.c 151 2009-03-04 21:14:09Z tim $
[111]	20	*/
	21
	22	#include <stdio.h>
	23	#include <stdlib.h>
	24
[148]	25	#include "talloc.h"
[147]	26	#include "regfi.h"
	27	#include "range_list.h"
	28	#include "lru_cache.h"
[111]	29
	30
	31	/* Globals, influenced by command line parameters */
	32	bool print_verbose = false;
	33	bool print_security = false;
	34	bool print_header = true;
	35	bool print_leftover = false;
	36	bool print_parsedraw = false;
	37	char* registry_file = NULL;
	38
	39	#include "common.c"
	40
	41
	42	char* getQuotedData(int fd, uint32 offset, uint32 length)
	43	{
	44	uint8* buf;
	45	char* quoted_buf;
	46	uint32 len;
	47
	48	if((lseek(fd, offset, SEEK_SET)) == -1)
	49	return NULL;
	50
	51	buf = (uint8*)malloc(length);
	52	if(buf == NULL)
	53	return NULL;
	54
	55	len = length;
	56	if((regfi_read(fd, buf, &length) != 0) \|\| length != len)
	57	{
	58	free(buf);
	59	return NULL;
	60	}
	61
	62	quoted_buf = quote_buffer(buf, length, common_special_chars);
	63	free(buf);
	64
	65	return quoted_buf;
	66	}
	67
	68
[135]	69	void printKey(REGFI_FILE* f, REGFI_NK_REC* nk, const char* prefix)
[111]	70	{
	71	char mtime[20];
	72	time_t tmp_time[1];
	73	struct tm* tmp_time_s = NULL;
	74	char* quoted_name = NULL;
	75	char* quoted_raw = "";
	76
	77	*tmp_time = nt_time_to_unix(&nk->mtime);
	78	tmp_time_s = gmtime(tmp_time);
	79	strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s);
	80
	81	quoted_name = quote_string(nk->keyname, key_special_chars);
	82	if (quoted_name == NULL)
	83	{
	84	quoted_name = malloc(1*sizeof(char));
	85	if(quoted_name == NULL)
[150]	86	bailOut(REGLOOKUP_EXIT_OSERR,
	87	"ERROR: Could not allocate sufficient memory.\n");
[111]	88	quoted_name[0] = '\0';
	89
[138]	90	fprintf(stderr, "WARN: NULL key name in NK record at offset %.8X.\n",
[111]	91	nk->offset);
	92	}
	93
	94	if(print_parsedraw)
	95	quoted_raw = getQuotedData(f->fd, nk->offset, nk->cell_size);
	96
	97	printf("%.8X,%.8X,KEY,%s,%s,%s,%d,,,,,,,,%s\n", nk->offset, nk->cell_size,
	98	prefix, quoted_name, mtime, nk->num_values, quoted_raw);
	99
	100	if(print_parsedraw)
	101	free(quoted_raw);
[136]	102	free(quoted_name);
[111]	103	}
	104
	105
[135]	106	void printValue(REGFI_FILE* f, const REGFI_VK_REC* vk, const char* prefix)
[111]	107	{
	108	char* quoted_value = NULL;
	109	char* quoted_name = NULL;
	110	char* quoted_raw = "";
	111	char* conv_error = NULL;
	112	const char* str_type = NULL;
	113	uint32 size = vk->data_size;
	114
	115	/* Microsoft's documentation indicates that "available memory" is
	116	* the limit on value sizes. Annoying. We limit it to 1M which
	117	* should rarely be exceeded, unless the file is corrupt or
	118	* malicious. For more info, see:
	119	* http://msdn2.microsoft.com/en-us/library/ms724872.aspx
	120	*/
[116]	121	/* XXX: Should probably do something different here for this tool.
	122	* Also, It would be really nice if this message somehow included the
	123	* name of the current value we're having trouble with, since
	124	* stderr/stdout don't always sync nicely.
	125	*/
[135]	126	if(size > REGFI_VK_MAX_DATA_LENGTH)
[111]	127	{
[138]	128	fprintf(stderr, "WARN: value data size %d larger than "
[135]	129	"%d, truncating...\n", size, REGFI_VK_MAX_DATA_LENGTH);
	130	size = REGFI_VK_MAX_DATA_LENGTH;
[111]	131	}
	132
	133	quoted_name = quote_string(vk->valuename, key_special_chars);
	134	if (quoted_name == NULL)
	135	{ /* Value names are NULL when we're looking at the "(default)" value.
	136	* Currently we just return a 0-length string to try an eliminate
	137	* ambiguity with a literal "(default)" value. The data type of a line
	138	* in the output allows one to differentiate between the parent key and
	139	* this value.
	140	*/
	141	quoted_name = malloc(1*sizeof(char));
	142	if(quoted_name == NULL)
[143]	143	bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n");
[111]	144	quoted_name[0] = '\0';
	145	}
	146
	147	quoted_value = data_to_ascii(vk->data, size, vk->type, &conv_error);
	148	if(quoted_value == NULL)
	149	{
	150	quoted_value = malloc(1*sizeof(char));
	151	if(quoted_value == NULL)
[143]	152	bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n");
[111]	153	quoted_value[0] = '\0';
	154
	155	if(conv_error == NULL)
[138]	156	fprintf(stderr, "WARN: Could not quote value for '%s/%s'. "
[111]	157	"Memory allocation failure likely.\n", prefix, quoted_name);
	158	else if(print_verbose)
[138]	159	fprintf(stderr, "WARN: Could not quote value for '%s/%s'. "
[111]	160	"Returned error: %s\n", prefix, quoted_name, conv_error);
	161	}
	162	/* XXX: should these always be printed? */
	163	else if(conv_error != NULL && print_verbose)
[138]	164	fprintf(stderr, "INFO: While quoting value for '%s/%s', "
[111]	165	"warning returned: %s\n", prefix, quoted_name, conv_error);
	166
	167
	168	if(print_parsedraw)
	169	quoted_raw = getQuotedData(f->fd, vk->offset, vk->cell_size);
	170
	171	str_type = regfi_type_val2str(vk->type);
	172	if(str_type == NULL)
	173	printf("%.8X,%.8X,VALUE,%s,%s,,,0x%.8X,%s,%d,,,,,%s\n",
	174	vk->offset, vk->cell_size, prefix, quoted_name,
	175	vk->type, quoted_value, vk->data_size, quoted_raw);
	176	else
	177	printf("%.8X,%.8X,VALUE,%s,%s,,,%s,%s,%d,,,,,%s\n",
	178	vk->offset, vk->cell_size, prefix, quoted_name,
	179	str_type, quoted_value, vk->data_size, quoted_raw);
	180
	181	if(print_parsedraw)
	182	free(quoted_raw);
	183	if(quoted_value != NULL)
	184	free(quoted_value);
	185	if(quoted_name != NULL)
	186	free(quoted_name);
	187	if(conv_error != NULL)
	188	free(conv_error);
	189	}
	190
	191
[135]	192	void printSK(REGFI_FILE* f, REGFI_SK_REC* sk)
[111]	193	{
	194	char* quoted_raw = NULL;
	195	char* empty_str = "";
	196	char* owner = regfi_get_owner(sk->sec_desc);
	197	char* group = regfi_get_group(sk->sec_desc);
	198	char* sacl = regfi_get_sacl(sk->sec_desc);
	199	char* dacl = regfi_get_dacl(sk->sec_desc);
	200
	201	if(print_parsedraw)
	202	quoted_raw = getQuotedData(f->fd, sk->offset, sk->cell_size);
	203
	204	if(owner == NULL)
	205	owner = empty_str;
	206	if(group == NULL)
	207	group = empty_str;
	208	if(sacl == NULL)
	209	sacl = empty_str;
	210	if(dacl == NULL)
	211	dacl = empty_str;
	212
	213	printf("%.8X,%.8X,SK,,,,,,,,%s,%s,%s,%s,%s\n", sk->offset, sk->cell_size,
	214	owner, group, sacl, dacl, quoted_raw);
	215
	216	if(owner != empty_str)
	217	free(owner);
	218	if(group != empty_str)
	219	free(group);
	220	if(sacl != empty_str)
	221	free(sacl);
	222	if(dacl != empty_str)
	223	free(dacl);
	224
	225	if(print_parsedraw)
	226	free(quoted_raw);
	227	}
	228
	229
[135]	230	int printCell(REGFI_FILE* f, uint32 offset)
[111]	231	{
	232	char* quoted_buf;
	233	uint32 cell_length;
	234	bool unalloc;
	235
	236	if(!regfi_parse_cell(f->fd, offset, NULL, 0, &cell_length, &unalloc))
	237	return 1;
	238
	239	quoted_buf = getQuotedData(f->fd, offset, cell_length);
	240	if(quoted_buf == NULL)
	241	return 2;
	242
	243	printf("%.8X,%.8X,RAW,,,,,,,,,,,,%s\n", offset, cell_length, quoted_buf);
	244
	245	free(quoted_buf);
	246	return 0;
	247	}
	248
	249
[112]	250	/* This function returns a properly quoted parent path or partial parent
	251	* path for a given key. Returns NULL on error, "" if no path was available.
	252	* Paths returned must be free()d.
	253	*/
[116]	254	/* XXX: This is not terribly efficient, as it may reparse many keys
[149]	255	* repeatedly. Should try to add caching.
[112]	256	*/
[135]	257	char* getParentPath(REGFI_FILE* f, REGFI_NK_REC* nk)
[112]	258	{
[135]	259	void_stack* path_stack = void_stack_new(REGFI_MAX_DEPTH);
[146]	260	const REGFI_HBIN* hbin;
[135]	261	REGFI_NK_REC* cur_ancestor;
[112]	262	char* ret_val;
[149]	263	uint32 virt_offset, i, stack_size, ret_val_size, ret_val_used;
[112]	264	uint32 max_length;
[151]	265	REGFI_BUFFER* path_element;
[149]	266
[118]	267	/* The path_stack size limit should guarantee that we don't recurse forever. */
[112]	268	virt_offset = nk->parent_off;
[149]	269	ret_val_size = 1; /* NUL */
[135]	270	while(virt_offset != REGFI_OFFSET_NONE)
[112]	271	{
	272	hbin = regfi_lookup_hbin(f, virt_offset);
	273	if(hbin == NULL)
[135]	274	virt_offset = REGFI_OFFSET_NONE;
[112]	275	else
	276	{
	277	max_length = hbin->block_size + hbin->file_off
[135]	278	- (virt_offset+REGFI_REGF_SIZE);
	279	cur_ancestor = regfi_parse_nk(f, virt_offset+REGFI_REGF_SIZE,
[112]	280	max_length, true);
[138]	281	printMsgs(f);
	282
[112]	283	if(cur_ancestor == NULL)
[135]	284	virt_offset = REGFI_OFFSET_NONE;
[112]	285	else
	286	{
[135]	287	if((cur_ancestor->key_type == REGFI_NK_TYPE_ROOTKEY1)
	288	\|\| (cur_ancestor->key_type == REGFI_NK_TYPE_ROOTKEY2))
	289	virt_offset = REGFI_OFFSET_NONE;
[112]	290	else
	291	virt_offset = cur_ancestor->parent_off;
	292
[151]	293	path_element = talloc(path_stack, REGFI_BUFFER);
[149]	294	if(path_element != NULL)
[151]	295	path_element->buf = (uint8*)quote_string(cur_ancestor->keyname,
[149]	296	key_special_chars);
	297
[151]	298	if(path_element == NULL \|\| path_element->buf == NULL
[149]	299	\|\| !void_stack_push(path_stack, path_element))
[112]	300	{
[150]	301	/* XXX: Need to add a warning here */
	302	regfi_free_key(cur_ancestor);
	303	void_stack_free(path_stack);
[112]	304	return NULL;
	305	}
	306
[149]	307	/* Path element and preceeding delimiter
	308	* Note that this integer can't overflow since key name lengths are
	309	* 16 bits and the max depth is 512.
	310	*/
[151]	311	path_element->len = strlen((char*)path_element->buf);
	312	ret_val_size += path_element->len + 1;
[149]	313
[150]	314	regfi_free_key(cur_ancestor);
[112]	315	}
	316	}
	317	}
	318
	319	stack_size = void_stack_size(path_stack);
[149]	320	ret_val_used = 0;
[112]	321	ret_val = malloc(ret_val_size);
	322	if(ret_val == NULL)
	323	{
[150]	324	void_stack_free(path_stack);
[112]	325	return NULL;
	326	}
	327	ret_val[0] = '\0';
	328
	329	for(i=0; i<stack_size; i++)
	330	{
	331	path_element = void_stack_pop(path_stack);
[149]	332	snprintf(ret_val+ret_val_used, ret_val_size-ret_val_used,
[151]	333	"/%s", path_element->buf);
	334	ret_val_used += path_element->len + 1;
	335	free(path_element->buf);
[150]	336	talloc_free(path_element);
[112]	337	}
	338	void_stack_free(path_stack);
	339
	340	return ret_val;
	341	}
	342
	343
[111]	344	static void usage(void)
	345	{
	346	fprintf(stderr, "Usage: reglookup-recover [options] <REGISTRY_FILE>\n");
	347	fprintf(stderr, "Version: %s\n", REGLOOKUP_VERSION);
	348	fprintf(stderr, "Options:\n");
	349	fprintf(stderr, "\t-v\t sets verbose mode.\n");
	350	fprintf(stderr, "\t-h\t enables header row. (default)\n");
	351	fprintf(stderr, "\t-H\t disables header row.\n");
	352	fprintf(stderr, "\t-l\t enables leftover(raw) cell output.\n");
	353	fprintf(stderr, "\t-L\t disables leftover(raw) cell output. (default)\n");
	354	fprintf(stderr, "\t-r\t enables raw cell output for parsed cells.\n");
	355	fprintf(stderr, "\t-R\t disables raw cell output for parsed cells. (default)\n");
	356	fprintf(stderr, "\n");
	357	}
	358
	359
[113]	360	bool removeRange(range_list* rl, uint32 offset, uint32 length)
[111]	361	{
[113]	362	int32 rm_idx;
	363	const range_list_element* cur_elem;
[115]	364
[113]	365	rm_idx = range_list_find(rl, offset);
	366	if(rm_idx < 0)
[116]	367	{
	368	fprintf(stderr, "DEBUG: removeRange: rm_idx < 0; (%d)\n", rm_idx);
[113]	369	return false;
[116]	370	}
[113]	371
	372	cur_elem = range_list_get(rl, rm_idx);
[111]	373	if(cur_elem == NULL)
	374	{
[116]	375	fprintf(stderr, "DEBUG: removeRange: cur_elem == NULL. rm_idx=%d\n", rm_idx);
[111]	376	return false;
	377	}
	378
	379	if(offset > cur_elem->offset)
	380	{
	381	if(!range_list_split_element(rl, rm_idx, offset))
	382	{
[116]	383	fprintf(stderr, "DEBUG: removeRange: first split failed\n");
[111]	384	return false;
	385	}
	386	rm_idx++;
[116]	387	cur_elem = range_list_get(rl, rm_idx);
	388	if(cur_elem == NULL)
	389	{
	390	fprintf(stderr,
	391	"DEBUG: removeRange: cur_elem == NULL after first split. rm_idx=%d\n",
	392	rm_idx);
	393	return false;
	394	}
[111]	395	}
	396
	397	if(offset+length < cur_elem->offset+cur_elem->length)
	398	{
	399	if(!range_list_split_element(rl, rm_idx, offset+length))
	400	{
[116]	401	fprintf(stderr, "DEBUG: removeRange: second split failed\n");
[111]	402	return false;
	403	}
	404	}
	405
	406	if(!range_list_remove(rl, rm_idx))
	407	{
[116]	408	fprintf(stderr, "DEBUG: removeRange: remove failed\n");
[111]	409	return false;
	410	}
	411
	412	return true;
	413	}
	414
	415
[145]	416	int extractVKs(REGFI_FILE* f,
	417	range_list* unalloc_cells,
	418	range_list* unalloc_values)
	419	{
	420	const range_list_element* cur_elem;
	421	REGFI_VK_REC* vk;
	422	uint32 i, j;
	423
	424	for(i=0; i < range_list_size(unalloc_cells); i++)
	425	{
	426	printMsgs(f);
	427	cur_elem = range_list_get(unalloc_cells, i);
	428	for(j=0; j <= cur_elem->length; j+=8)
	429	{
	430	vk = regfi_parse_vk(f, cur_elem->offset+j,
	431	cur_elem->length-j, false);
	432	printMsgs(f);
	433
	434	if(vk != NULL)
	435	{
	436	if(!range_list_add(unalloc_values, vk->offset,
	437	vk->cell_size, vk))
	438	{
	439	fprintf(stderr, "ERROR: Couldn't add value to unalloc_values.\n");
	440	return 20;
	441	}
	442	j+=vk->cell_size-8;
	443	}
	444	}
	445	}
	446
	447	/* Remove value ranges from the unalloc_cells before we continue. */
	448	for(i=0; i<range_list_size(unalloc_values); i++)
	449	{
	450	cur_elem = range_list_get(unalloc_values, i);
	451	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
	452	return 30;
	453	}
	454
	455	return 0;
	456	}
	457
	458
	459	int extractDataCells(REGFI_FILE* f,
	460	range_list* unalloc_cells,
	461	range_list* unalloc_values)
	462	{
	463	const range_list_element* cur_elem;
	464	REGFI_VK_REC* vk;
[146]	465	const REGFI_HBIN* hbin;
[151]	466	REGFI_BUFFER data;
[145]	467	uint32 i, off, data_offset, data_maxsize;
	468
	469	for(i=0; i<range_list_size(unalloc_values); i++)
	470	{
	471	cur_elem = range_list_get(unalloc_values, i);
	472	vk = (REGFI_VK_REC*)cur_elem->data;
	473	if(vk == NULL)
	474	return 40;
	475
	476	if(vk->data_size == 0)
	477	vk->data = NULL;
	478	else
	479	{
	480	off = vk->data_off+REGFI_REGF_SIZE;
	481
	482	if(vk->data_in_offset)
	483	{
[151]	484	data = regfi_parse_data(f, vk->type, vk->data_off,
	485	vk->data_size, 4,
	486	vk->data_in_offset, false);
	487	vk->data = data.buf;
	488	vk->data_size = data.len;
[145]	489	}
	490	else if(range_list_has_range(unalloc_cells, off, vk->data_size))
	491	{
	492	hbin = regfi_lookup_hbin(f, vk->data_off);
	493	if(hbin)
	494	{
	495	data_offset = vk->data_off+REGFI_REGF_SIZE;
	496	data_maxsize = hbin->block_size + hbin->file_off - data_offset;
[151]	497	data = regfi_parse_data(f, vk->type, data_offset,
	498	vk->data_size, data_maxsize,
	499	vk->data_in_offset, false);
	500	vk->data = data.buf;
	501	vk->data_size = data.len;
	502
[145]	503	if(vk->data != NULL)
	504	{
	505	/* XXX: This strict checking prevents partial recovery of data
	506	* cells. Also, see code for regfi_parse_data and note that
	507	* lengths indicated in VK records are sometimes just plain
	508	* wrong. Need a feedback mechanism to be more fuzzy with
	509	* data cell lengths and the ranges removed.
[151]	510	*
	511	* The introduction of REGFI_BUFFER in regfi_parse_data has
	512	* fixed some of this. Should review again with respect to
	513	* the other issues mentioned above though.
[145]	514	*/
	515	/* A data record was recovered. Remove from unalloc_cells. */
	516	if(!removeRange(unalloc_cells, off, vk->data_size))
	517	return 50;
	518	}
	519	}
	520	else
	521	vk->data = NULL;
	522	}
	523	}
	524	}
	525
	526	return 0;
	527	}
	528
	529
[117]	530	/* NOTE: unalloc_keys should be an empty range_list. */
[135]	531	int extractKeys(REGFI_FILE* f,
[111]	532	range_list* unalloc_cells,
	533	range_list* unalloc_keys)
	534	{
	535	const range_list_element* cur_elem;
[135]	536	REGFI_NK_REC* key;
[111]	537	uint32 i, j;
[150]	538	int error_code = 0;
[111]	539
	540	for(i=0; i < range_list_size(unalloc_cells); i++)
	541	{
[138]	542	printMsgs(f);
[111]	543	cur_elem = range_list_get(unalloc_cells, i);
[115]	544	for(j=0; cur_elem->length > REGFI_NK_MIN_LENGTH
	545	&& j <= cur_elem->length-REGFI_NK_MIN_LENGTH; j+=8)
[111]	546	{
[115]	547	key = regfi_parse_nk(f, cur_elem->offset+j,
	548	cur_elem->length-j, false);
[138]	549	printMsgs(f);
	550
[111]	551	if(key != NULL)
	552	{
	553	if(!range_list_add(unalloc_keys, key->offset,
	554	key->cell_size, key))
	555	{
	556	fprintf(stderr, "ERROR: Couldn't add key to unalloc_keys.\n");
[150]	557	error_code = 20;
	558	goto fail;
[111]	559	}
[150]	560	talloc_steal(unalloc_keys, key);
[116]	561	j+=key->cell_size-8;
[111]	562	}
	563	}
	564	}
	565
[116]	566	for(i=0; i<range_list_size(unalloc_keys); i++)
	567	{
	568	cur_elem = range_list_get(unalloc_keys, i);
	569	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
[150]	570	{
	571	error_code = 30;
	572	goto fail;
	573	}
[116]	574	}
	575
[111]	576	return 0;
[150]	577
	578	fail:
	579	regfi_free_key(key);
	580	return error_code;
[111]	581	}
	582
[135]	583	int extractValueLists(REGFI_FILE* f,
[111]	584	range_list* unalloc_cells,
[145]	585	range_list* unalloc_keys,
	586	range_list* unalloc_linked_values)
[111]	587	{
[135]	588	REGFI_NK_REC* nk;
[145]	589	REGFI_VK_REC* vk;
[146]	590	const REGFI_HBIN* hbin;
[111]	591	const range_list_element* cur_elem;
	592	uint32 i, j, num_keys, off, values_length, max_length;
	593
	594	num_keys=range_list_size(unalloc_keys);
	595	for(i=0; i<num_keys; i++)
	596	{
	597	cur_elem = range_list_get(unalloc_keys, i);
	598	if(cur_elem == NULL)
	599	return 10;
	600	nk = cur_elem->data;
	601
[135]	602	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
[111]	603	{
	604	hbin = regfi_lookup_hbin(f, nk->values_off);
	605
	606	if(hbin != NULL)
	607	{
[135]	608	off = nk->values_off + REGFI_REGF_SIZE;
[111]	609	max_length = hbin->block_size + hbin->file_off - off;
[145]	610	nk->values = regfi_load_valuelist(f, off, nk->num_values,
	611	max_length, false);
	612	if(nk->values != NULL && nk->values->elements != NULL)
	613	{
	614	/* Number of elements in the value list may be shorter than advertised
	615	* by NK record due to cell truncation. We'll consider this valid and
	616	* only throw out the whole value list if it bleeds into an already
	617	* parsed structure.
	618	*/
	619	values_length = (nk->values->num_values+1)*sizeof(uint32);
	620	if(values_length != (values_length & 0xFFFFFFF8))
	621	values_length = (values_length & 0xFFFFFFF8) + 8;
[111]	622
[115]	623	if(!range_list_has_range(unalloc_cells, off, values_length))
[111]	624	{ /* We've parsed a values-list which isn't in the unallocated list,
[145]	625	* so prune it.
[111]	626	*/
[150]	627	talloc_free(nk->values);
[115]	628	nk->values = NULL;
[111]	629	}
	630	else
	631	{ /* Values-list was recovered. Remove from unalloc_cells and
	632	* inspect values.
	633	*/
[113]	634	if(!removeRange(unalloc_cells, off, values_length))
[111]	635	return 20;
	636
[145]	637	for(j=0; j < nk->values->num_values; j++)
[111]	638	{
[145]	639	/* Don't bother to restrict cell length here, since we'll
	640	* check our unalloc_cells range_list later.
	641	*/
	642	vk = regfi_parse_vk(f, nk->values->elements[j]+REGFI_REGF_SIZE,
	643	0x7FFFFFFF, false);
	644	printMsgs(f);
	645
	646	if(vk != NULL)
[111]	647	{
[145]	648	if(range_list_has_range(unalloc_cells,
	649	vk->offset, vk->cell_size))
[111]	650	{
[145]	651	if(!range_list_add(unalloc_linked_values, vk->offset,
	652	vk->cell_size, vk))
[111]	653	{
[150]	654	talloc_free(vk);
[145]	655	return 30;
[111]	656	}
[145]	657
	658	if(!removeRange(unalloc_cells, vk->offset, vk->cell_size))
	659	return 40;
[111]	660	}
[145]	661	else
[150]	662	talloc_free(vk);
[111]	663	}
	664	}
	665	}
	666	}
	667	}
	668	}
	669	}
	670
	671	return 0;
	672	}
	673
	674
	675
[118]	676	/* NOTE: unalloc_sks should be an empty range_list. */
[135]	677	int extractSKs(REGFI_FILE* f,
[111]	678	range_list* unalloc_cells,
	679	range_list* unalloc_sks)
	680	{
	681	const range_list_element* cur_elem;
[135]	682	REGFI_SK_REC* sk;
[111]	683	uint32 i, j;
	684
	685	for(i=0; i < range_list_size(unalloc_cells); i++)
	686	{
[138]	687	printMsgs(f);
[111]	688	cur_elem = range_list_get(unalloc_cells, i);
	689	for(j=0; j <= cur_elem->length; j+=8)
	690	{
	691	sk = regfi_parse_sk(f, cur_elem->offset+j,
	692	cur_elem->length-j, false);
[138]	693	printMsgs(f);
	694
[111]	695	if(sk != NULL)
	696	{
	697	if(!range_list_add(unalloc_sks, sk->offset,
	698	sk->cell_size, sk))
	699	{
	700	fprintf(stderr, "ERROR: Couldn't add sk to unalloc_sks.\n");
	701	return 20;
	702	}
[148]	703	talloc_steal(unalloc_sks, sk);
[118]	704	j+=sk->cell_size-8;
[111]	705	}
	706	}
	707	}
	708
[118]	709	for(i=0; i<range_list_size(unalloc_sks); i++)
	710	{
	711	cur_elem = range_list_get(unalloc_sks, i);
	712	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
	713	return 30;
	714	}
	715
[111]	716	return 0;
	717	}
	718
	719
	720	int main(int argc, char** argv)
	721	{
[135]	722	REGFI_FILE* f;
[111]	723	const range_list_element* cur_elem;
	724	range_list* unalloc_cells;
	725	range_list* unalloc_keys;
[145]	726	range_list* unalloc_linked_values;
[111]	727	range_list* unalloc_values;
	728	range_list* unalloc_sks;
[112]	729	char** parent_paths;
	730	char* tmp_name;
	731	char* tmp_path;
[135]	732	REGFI_NK_REC* tmp_key;
	733	REGFI_VK_REC* tmp_value;
[116]	734	uint32 argi, arge, i, j, ret, num_unalloc_keys;
[111]	735
	736	/* Process command line arguments */
	737	if(argc < 2)
	738	{
	739	usage();
[143]	740	bailOut(REGLOOKUP_EXIT_USAGE, "ERROR: Requires at least one argument.\n");
[111]	741	}
	742
	743	arge = argc-1;
	744	for(argi = 1; argi < arge; argi++)
	745	{
	746	if (strcmp("-v", argv[argi]) == 0)
	747	print_verbose = true;
	748	else if (strcmp("-h", argv[argi]) == 0)
	749	print_header = true;
	750	else if (strcmp("-H", argv[argi]) == 0)
	751	print_header = false;
	752	else if (strcmp("-l", argv[argi]) == 0)
	753	print_leftover = true;
	754	else if (strcmp("-L", argv[argi]) == 0)
	755	print_leftover = false;
	756	else if (strcmp("-r", argv[argi]) == 0)
	757	print_parsedraw = true;
	758	else if (strcmp("-R", argv[argi]) == 0)
	759	print_parsedraw = false;
	760	else
	761	{
	762	usage();
	763	fprintf(stderr, "ERROR: Unrecognized option: %s\n", argv[argi]);
[143]	764	bailOut(REGLOOKUP_EXIT_USAGE, "");
[111]	765	}
	766	}
	767	/test_offset = strtol(argv[argi++], NULL, 16);/
	768
	769	if((registry_file = strdup(argv[argi])) == NULL)
[143]	770	bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");
[111]	771
	772	f = regfi_open(registry_file);
	773	if(f == NULL)
	774	{
	775	fprintf(stderr, "ERROR: Couldn't open registry file: %s\n", registry_file);
[143]	776	bailOut(REGLOOKUP_EXIT_NOINPUT, "");
[111]	777	}
[138]	778	if(print_verbose)
	779	regfi_set_message_mask(f, REGFI_MSG_ERROR\|REGFI_MSG_WARN\|REGFI_MSG_INFO);
	780	else
	781	regfi_set_message_mask(f, REGFI_MSG_ERROR);
[111]	782
	783	if(print_header)
	784	printf("OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME,"
	785	"NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN,"
	786	"SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL\n");
	787
	788	unalloc_cells = regfi_parse_unalloc_cells(f);
	789	if(unalloc_cells == NULL)
	790	{
	791	fprintf(stderr, "ERROR: Could not obtain list of unallocated cells.\n");
	792	return 1;
	793	}
	794
	795	unalloc_keys = range_list_new();
	796	if(unalloc_keys == NULL)
	797	return 10;
	798
[145]	799	unalloc_linked_values = range_list_new();
	800	if(unalloc_linked_values == NULL)
	801	return 10;
	802
[111]	803	unalloc_values = range_list_new();
	804	if(unalloc_values == NULL)
	805	return 10;
	806
	807	unalloc_sks = range_list_new();
	808	if(unalloc_sks == NULL)
	809	return 10;
	810
	811	ret = extractKeys(f, unalloc_cells, unalloc_keys);
	812	if(ret != 0)
	813	{
	814	fprintf(stderr, "ERROR: extractKeys() failed with %d.\n", ret);
	815	return ret;
	816	}
	817
[145]	818	ret = extractValueLists(f, unalloc_cells, unalloc_keys,unalloc_linked_values);
[111]	819	if(ret != 0)
	820	{
	821	fprintf(stderr, "ERROR: extractValueLists() failed with %d.\n", ret);
	822	return ret;
	823	}
	824
[145]	825	/* Carve any orphan values */
	826	ret = extractVKs(f, unalloc_cells, unalloc_values);
[111]	827	if(ret != 0)
	828	{
[145]	829	fprintf(stderr, "ERROR: extractVKs() failed with %d.\n", ret);
[111]	830	return ret;
	831	}
	832
[145]	833	/* Carve any data associated with VK records */
	834	ret = extractDataCells(f, unalloc_cells, unalloc_linked_values);
	835	if(ret != 0)
	836	{
	837	fprintf(stderr, "ERROR: extractDataCells() failed with %d.\n", ret);
	838	return ret;
	839	}
	840	ret = extractDataCells(f, unalloc_cells, unalloc_values);
	841	if(ret != 0)
	842	{
	843	fprintf(stderr, "ERROR: extractDataCells() failed with %d.\n", ret);
	844	return ret;
	845	}
	846
[111]	847	/* Carve any SK records */
	848	ret = extractSKs(f, unalloc_cells, unalloc_sks);
	849	if(ret != 0)
	850	{
	851	fprintf(stderr, "ERROR: extractSKs() failed with %d.\n", ret);
	852	return ret;
	853	}
	854
[112]	855	/* Now that we're done carving, associate recovered keys with parents,
	856	* if at all possible.
	857	*/
	858	num_unalloc_keys = range_list_size(unalloc_keys);
	859	parent_paths = (char*)malloc(sizeof(char)*num_unalloc_keys);
	860	if(parent_paths == NULL)
	861	return 10;
[111]	862
[112]	863	for(i=0; i < num_unalloc_keys; i++)
[111]	864	{
	865	cur_elem = range_list_get(unalloc_keys, i);
[135]	866	tmp_key = (REGFI_NK_REC*)cur_elem->data;
[111]	867
[112]	868	if(tmp_key == NULL)
	869	return 20;
	870
	871	parent_paths[i] = getParentPath(f, tmp_key);
	872	if(parent_paths[i] == NULL)
	873	return 20;
	874	}
	875
	876	/* Now start the output */
	877	for(i=0; i < num_unalloc_keys; i++)
	878	{
	879	cur_elem = range_list_get(unalloc_keys, i);
[135]	880	tmp_key = (REGFI_NK_REC*)cur_elem->data;
[112]	881
	882	printKey(f, tmp_key, parent_paths[i]);
[114]	883	if(tmp_key->num_values > 0 && tmp_key->values != NULL)
[111]	884	{
[112]	885	tmp_name = quote_string(tmp_key->keyname, key_special_chars);
	886	tmp_path = (char*)malloc(strlen(parent_paths[i])+strlen(tmp_name)+2);
	887	if(tmp_path == NULL)
[136]	888	{
	889	free(tmp_name);
[112]	890	return 10;
[136]	891	}
	892
[112]	893	sprintf(tmp_path, "%s/%s", parent_paths[i], tmp_name);
[145]	894	for(j=0; j < tmp_key->values->num_values; j++)
[112]	895	{
[145]	896	tmp_value =
	897	(REGFI_VK_REC*)range_list_find_data(unalloc_linked_values,
	898	tmp_key->values->elements[j]
	899	+ REGFI_REGF_SIZE);
[112]	900	if(tmp_value != NULL)
	901	printValue(f, tmp_value, tmp_path);
	902	}
	903	free(tmp_path);
	904	free(tmp_name);
	905	free(parent_paths[i]);
[111]	906	}
	907	}
[112]	908	free(parent_paths);
[111]	909
	910	/* Print out orphaned values */
	911	for(i=0; i < range_list_size(unalloc_values); i++)
	912	{
	913	cur_elem = range_list_get(unalloc_values, i);
[135]	914	tmp_value = (REGFI_VK_REC*)cur_elem->data;
[111]	915
	916	printValue(f, tmp_value, "");
	917	}
	918
	919	if(print_leftover)
	920	{
	921	for(i=0; i < range_list_size(unalloc_cells); i++)
	922	{
	923	cur_elem = range_list_get(unalloc_cells, i);
	924	printCell(f, cur_elem->offset);
	925	}
	926	}
	927
[148]	928	range_list_free(unalloc_cells);
	929	range_list_free(unalloc_keys);
	930	range_list_free(unalloc_linked_values);
	931	range_list_free(unalloc_values);
	932	range_list_free(unalloc_sks);
	933
[111]	934	return 0;
	935	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: