Context Navigation

source: trunk/src/reglookup-recover.c @ 115

Last change on this file since 115 was 115, checked in by tim, 16 years ago
added a few hacks to work around some issues.
File size: 24.4 KB

Line
1	/*
2	* Copyright (C) 2008 Timothy D. Morgan
3	*
4	* This program is free software; you can redistribute it and/or modify
5	* it under the terms of the GNU General Public License as published by
6	* the Free Software Foundation; version 3 of the License.
7	*
8	* This program is distributed in the hope that it will be useful,
9	* but WITHOUT ANY WARRANTY; without even the implied warranty of
10	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11	* GNU General Public License for more details.
12	*
13	* You should have received a copy of the GNU General Public License
14	* along with this program; if not, write to the Free Software
15	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
16	*
17	* $Id: $
18	*/
19
20	#include <stdio.h>
21	#include <stdlib.h>
22	#include <sysexits.h>
23
24	#include "../include/regfi.h"
25	#include "../include/range_list.h"
26	#include "../include/lru_cache.h"
27
28
29	/* Globals, influenced by command line parameters */
30	bool print_verbose = false;
31	bool print_security = false;
32	bool print_header = true;
33	bool print_leftover = false;
34	bool print_parsedraw = false;
35	char* registry_file = NULL;
36
37
38	#include "common.c"
39
40	/* Output format:
41	* real_offset,min_length,record_type,parent_path,name,data_type,mtime,num_values,value,data_length,raw_data
42	*/
43
44	void regfi_print_nk(REGF_NK_REC* nk)
45	{
46	printf("Found key at offset 0x%.8X:\n", nk->offset);
47	printf(" keyname: \"%s\"\n", nk->keyname);
48	printf(" parent_off (virtual): 0x%.8X\n", nk->parent_off);
49	printf(" cell_size: %d\n", nk->cell_size);
50	printf(" key_type: 0x%.4X\n", nk->key_type);
51	printf(" magic: %c%c\n", nk->magic[0], nk->magic[1]);
52	printf(" mtime: 0x%.8X 0x%.8X\n", nk->mtime.low, nk->mtime.high);
53	printf(" name_length: %d\n", nk->name_length);
54	printf(" classname_length: %d\n", nk->classname_length);
55	printf(" classname_off (virtual): 0x%.8X\n", nk->classname_off);
56	printf(" max_bytes_subkeyname: %d\n", nk->max_bytes_subkeyname);
57	printf(" max_bytes_subkeyclassname: %d\n", nk->max_bytes_subkeyclassname);
58	printf(" max_bytes_valuename: %d\n", nk->max_bytes_valuename);
59	printf(" max_bytes_value: %d\n", nk->max_bytes_value);
60	printf(" unknown1: 0x%.8X\n", nk->unknown1);
61	printf(" unknown2: 0x%.8X\n", nk->unknown2);
62	printf(" unknown3: 0x%.8X\n", nk->unknown3);
63	printf(" unk_index: 0x%.8X\n", nk->unk_index);
64	printf(" num_subkeys: %d\n", nk->num_subkeys);
65	printf(" subkeys_off (virtual): 0x%.8X\n", nk->subkeys_off);
66	printf(" num_values: %d\n", nk->num_values);
67	printf(" values_off (virtual): 0x%.8X\n", nk->values_off);
68	printf(" sk_off (virtual): 0x%.8X\n", nk->sk_off);
69	printf("\n");
70	}
71
72
73	char* getQuotedData(int fd, uint32 offset, uint32 length)
74	{
75	uint8* buf;
76	char* quoted_buf;
77	uint32 len;
78
79	if((lseek(fd, offset, SEEK_SET)) == -1)
80	return NULL;
81
82	buf = (uint8*)malloc(length);
83	if(buf == NULL)
84	return NULL;
85
86	len = length;
87	if((regfi_read(fd, buf, &length) != 0) \|\| length != len)
88	{
89	free(buf);
90	return NULL;
91	}
92
93	quoted_buf = quote_buffer(buf, length, common_special_chars);
94	free(buf);
95
96	return quoted_buf;
97	}
98
99
100	void printKey(REGF_FILE* f, REGF_NK_REC* nk, const char* prefix)
101	{
102	char mtime[20];
103	time_t tmp_time[1];
104	struct tm* tmp_time_s = NULL;
105	char* quoted_name = NULL;
106	char* quoted_raw = "";
107
108	*tmp_time = nt_time_to_unix(&nk->mtime);
109	tmp_time_s = gmtime(tmp_time);
110	strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s);
111
112	quoted_name = quote_string(nk->keyname, key_special_chars);
113	if (quoted_name == NULL)
114	{
115	quoted_name = malloc(1*sizeof(char));
116	if(quoted_name == NULL)
117	bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
118	quoted_name[0] = '\0';
119
120	fprintf(stderr, "WARNING: NULL key name in NK record at offset %.8X.\n",
121	nk->offset);
122	}
123
124	if(print_parsedraw)
125	quoted_raw = getQuotedData(f->fd, nk->offset, nk->cell_size);
126
127	printf("%.8X,%.8X,KEY,%s,%s,%s,%d,,,,,,,,%s\n", nk->offset, nk->cell_size,
128	prefix, quoted_name, mtime, nk->num_values, quoted_raw);
129
130	if(print_parsedraw)
131	free(quoted_raw);
132	}
133
134
135	void printValue(REGF_FILE* f, const REGF_VK_REC* vk, const char* prefix)
136	{
137	char* quoted_value = NULL;
138	char* quoted_name = NULL;
139	char* quoted_raw = "";
140	char* conv_error = NULL;
141	const char* str_type = NULL;
142	uint32 size = vk->data_size;
143
144	/* Microsoft's documentation indicates that "available memory" is
145	* the limit on value sizes. Annoying. We limit it to 1M which
146	* should rarely be exceeded, unless the file is corrupt or
147	* malicious. For more info, see:
148	* http://msdn2.microsoft.com/en-us/library/ms724872.aspx
149	*/
150	/* TODO: should probably do something different here for this tool.*/
151	if(size > VK_MAX_DATA_LENGTH)
152	{
153	fprintf(stderr, "WARNING: value data size %d larger than "
154	"%d, truncating...\n", size, VK_MAX_DATA_LENGTH);
155	size = VK_MAX_DATA_LENGTH;
156	}
157
158	quoted_name = quote_string(vk->valuename, key_special_chars);
159	if (quoted_name == NULL)
160	{ /* Value names are NULL when we're looking at the "(default)" value.
161	* Currently we just return a 0-length string to try an eliminate
162	* ambiguity with a literal "(default)" value. The data type of a line
163	* in the output allows one to differentiate between the parent key and
164	* this value.
165	*/
166	quoted_name = malloc(1*sizeof(char));
167	if(quoted_name == NULL)
168	bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
169	quoted_name[0] = '\0';
170	}
171
172	quoted_value = data_to_ascii(vk->data, size, vk->type, &conv_error);
173	if(quoted_value == NULL)
174	{
175	quoted_value = malloc(1*sizeof(char));
176	if(quoted_value == NULL)
177	bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
178	quoted_value[0] = '\0';
179
180	if(conv_error == NULL)
181	fprintf(stderr, "WARNING: Could not quote value for '%s/%s'. "
182	"Memory allocation failure likely.\n", prefix, quoted_name);
183	else if(print_verbose)
184	fprintf(stderr, "WARNING: Could not quote value for '%s/%s'. "
185	"Returned error: %s\n", prefix, quoted_name, conv_error);
186	}
187	/* XXX: should these always be printed? */
188	else if(conv_error != NULL && print_verbose)
189	fprintf(stderr, "VERBOSE: While quoting value for '%s/%s', "
190	"warning returned: %s\n", prefix, quoted_name, conv_error);
191
192
193	if(print_parsedraw)
194	quoted_raw = getQuotedData(f->fd, vk->offset, vk->cell_size);
195
196	str_type = regfi_type_val2str(vk->type);
197	if(str_type == NULL)
198	printf("%.8X,%.8X,VALUE,%s,%s,,,0x%.8X,%s,%d,,,,,%s\n",
199	vk->offset, vk->cell_size, prefix, quoted_name,
200	vk->type, quoted_value, vk->data_size, quoted_raw);
201	else
202	printf("%.8X,%.8X,VALUE,%s,%s,,,%s,%s,%d,,,,,%s\n",
203	vk->offset, vk->cell_size, prefix, quoted_name,
204	str_type, quoted_value, vk->data_size, quoted_raw);
205
206	if(print_parsedraw)
207	free(quoted_raw);
208	if(quoted_value != NULL)
209	free(quoted_value);
210	if(quoted_name != NULL)
211	free(quoted_name);
212	if(conv_error != NULL)
213	free(conv_error);
214	}
215
216
217	void printSK(REGF_FILE* f, REGF_SK_REC* sk)
218	{
219	char* quoted_raw = NULL;
220	char* empty_str = "";
221	char* owner = regfi_get_owner(sk->sec_desc);
222	char* group = regfi_get_group(sk->sec_desc);
223	char* sacl = regfi_get_sacl(sk->sec_desc);
224	char* dacl = regfi_get_dacl(sk->sec_desc);
225
226	if(print_parsedraw)
227	quoted_raw = getQuotedData(f->fd, sk->offset, sk->cell_size);
228
229	if(owner == NULL)
230	owner = empty_str;
231	if(group == NULL)
232	group = empty_str;
233	if(sacl == NULL)
234	sacl = empty_str;
235	if(dacl == NULL)
236	dacl = empty_str;
237
238	printf("%.8X,%.8X,SK,,,,,,,,%s,%s,%s,%s,%s\n", sk->offset, sk->cell_size,
239	owner, group, sacl, dacl, quoted_raw);
240
241	if(owner != empty_str)
242	free(owner);
243	if(group != empty_str)
244	free(group);
245	if(sacl != empty_str)
246	free(sacl);
247	if(dacl != empty_str)
248	free(dacl);
249
250	if(print_parsedraw)
251	free(quoted_raw);
252	}
253
254
255	int printCell(REGF_FILE* f, uint32 offset)
256	{
257	char* quoted_buf;
258	uint32 cell_length;
259	bool unalloc;
260
261	if(!regfi_parse_cell(f->fd, offset, NULL, 0, &cell_length, &unalloc))
262	return 1;
263
264	quoted_buf = getQuotedData(f->fd, offset, cell_length);
265	if(quoted_buf == NULL)
266	return 2;
267
268	printf("%.8X,%.8X,RAW,,,,,,,,,,,,%s\n", offset, cell_length, quoted_buf);
269
270	free(quoted_buf);
271	return 0;
272	}
273
274
275	/* This function returns a properly quoted parent path or partial parent
276	* path for a given key. Returns NULL on error, "" if no path was available.
277	* Paths returned must be free()d.
278	*/
279	/* TODO: This is not terribly efficient, as it may reparse many keys
280	* repeatedly. Should try to add caching. Also, piecing the path
281	* together is slow and redundant.
282	*/
283	char* getParentPath(REGF_FILE* f, REGF_NK_REC* nk)
284	{
285	void_stack* path_stack = void_stack_new(REGF_MAX_DEPTH);
286	REGF_HBIN* hbin;
287	REGF_NK_REC* cur_ancestor;
288	char* ret_val;
289	char* path_element;
290	char* tmp_str;
291	uint32 virt_offset, i, stack_size, ret_val_size, ret_val_left, element_size;
292	uint32 max_length;
293
294	virt_offset = nk->parent_off;
295	while(virt_offset != REGF_OFFSET_NONE)
296	{
297	/* TODO: Need to add checks for infinite loops and/or add depth limit */
298	hbin = regfi_lookup_hbin(f, virt_offset);
299	if(hbin == NULL)
300	virt_offset = REGF_OFFSET_NONE;
301	else
302	{
303	max_length = hbin->block_size + hbin->file_off
304	- (virt_offset+REGF_BLOCKSIZE);
305	cur_ancestor = regfi_parse_nk(f, virt_offset+REGF_BLOCKSIZE,
306	max_length, true);
307	if(cur_ancestor == NULL)
308	virt_offset = REGF_OFFSET_NONE;
309	else
310	{
311	if(cur_ancestor->key_type == NK_TYPE_ROOTKEY)
312	virt_offset = REGF_OFFSET_NONE;
313	else
314	virt_offset = cur_ancestor->parent_off;
315
316	path_element = quote_string(cur_ancestor->keyname, key_special_chars);
317	if(path_element == NULL \|\| !void_stack_push(path_stack, path_element))
318	{
319	free(cur_ancestor->keyname);
320	free(cur_ancestor);
321	void_stack_free_deep(path_stack);
322	return NULL;
323	}
324
325	regfi_key_free(cur_ancestor);
326	}
327	}
328	}
329
330	stack_size = void_stack_size(path_stack);
331	ret_val_size = 16*stack_size;
332	if(ret_val_size == 0)
333	ret_val_size = 1;
334	ret_val_left = ret_val_size;
335	ret_val = malloc(ret_val_size);
336	if(ret_val == NULL)
337	{
338	void_stack_free_deep(path_stack);
339	return NULL;
340	}
341	ret_val[0] = '\0';
342
343	for(i=0; i<stack_size; i++)
344	{
345	path_element = void_stack_pop(path_stack);
346	element_size = strlen(path_element);
347	if(ret_val_left < element_size+2)
348	{
349	ret_val_size += element_size+16;
350	ret_val_left += element_size+16;
351	tmp_str = (char*)realloc(ret_val, ret_val_size);
352	if(tmp_str == NULL)
353	{
354	free(ret_val);
355	void_stack_free_deep(path_stack);
356	return NULL;
357	}
358	ret_val = tmp_str;
359	}
360
361	ret_val_left -= snprintf(ret_val+ret_val_size-ret_val_left,ret_val_left, "/%s", path_element);
362	free(path_element);
363	}
364	void_stack_free(path_stack);
365
366	return ret_val;
367	}
368
369
370	/*
371	void dump_cell(int fd, uint32 offset)
372	{
373	uint8* buf;
374	uint32 length, j;
375	int32 cell_length;
376
377	if((lseek(fd, offset, SEEK_SET)) == -1)
378	exit(8);
379
380	length = 4;
381	regfi_read(fd, (void*)&cell_length, &length);
382	if(cell_length < 0)
383	cell_length *= -1;
384
385	buf = (uint8*)malloc(cell_length);
386	if(buf == NULL)
387	exit(9);
388	if((lseek(fd, offset, SEEK_SET)) == -1)
389	exit(8);
390
391	length = cell_length;
392	regfi_read(fd, buf, &length);
393	for(j=0; j < length; j++)
394	{
395	printf("%.2X", buf[j]);
396	if(j%4 == 3)
397	printf(" ");
398	}
399	printf("\n");
400	free(buf);
401	}
402	*/
403
404	static void usage(void)
405	{
406	fprintf(stderr, "Usage: reglookup-recover [options] <REGISTRY_FILE>\n");
407	fprintf(stderr, "Version: %s\n", REGLOOKUP_VERSION);
408	fprintf(stderr, "Options:\n");
409	fprintf(stderr, "\t-v\t sets verbose mode.\n");
410	fprintf(stderr, "\t-h\t enables header row. (default)\n");
411	fprintf(stderr, "\t-H\t disables header row.\n");
412	fprintf(stderr, "\t-l\t enables leftover(raw) cell output.\n");
413	fprintf(stderr, "\t-L\t disables leftover(raw) cell output. (default)\n");
414	fprintf(stderr, "\t-r\t enables raw cell output for parsed cells.\n");
415	fprintf(stderr, "\t-R\t disables raw cell output for parsed cells. (default)\n");
416	fprintf(stderr, "\n");
417	}
418
419
420	bool removeRange(range_list* rl, uint32 offset, uint32 length)
421	{
422	int32 rm_idx;
423	const range_list_element* cur_elem;
424
425	rm_idx = range_list_find(rl, offset);
426	if(rm_idx < 0)
427	return false;
428
429	cur_elem = range_list_get(rl, rm_idx);
430	if(cur_elem == NULL)
431	{
432	printf("removeRange: cur_elem == NULL. rm_idx=%d\n", rm_idx);
433	return false;
434	}
435
436	if(offset > cur_elem->offset)
437	{
438	if(!range_list_split_element(rl, rm_idx, offset))
439	{
440	printf("removeRange: first split failed\n");
441	return false;
442	}
443	rm_idx++;
444	}
445
446	if(offset+length < cur_elem->offset+cur_elem->length)
447	{
448	if(!range_list_split_element(rl, rm_idx, offset+length))
449	{
450	printf("removeRange: second split failed\n");
451	return false;
452	}
453	}
454
455	if(!range_list_remove(rl, rm_idx))
456	{
457	printf("removeRange: remove failed\n");
458	return false;
459	}
460
461	return true;
462	}
463
464
465	int extractKeys(REGF_FILE* f,
466	range_list* unalloc_cells,
467	range_list* unalloc_keys)
468	{
469	const range_list_element* cur_elem;
470	REGF_NK_REC* key;
471	uint32 i, j;
472
473	for(i=0; i < range_list_size(unalloc_cells); i++)
474	{
475	cur_elem = range_list_get(unalloc_cells, i);
476	for(j=0; cur_elem->length > REGFI_NK_MIN_LENGTH
477	&& j <= cur_elem->length-REGFI_NK_MIN_LENGTH; j+=8)
478	{
479	key = regfi_parse_nk(f, cur_elem->offset+j,
480	cur_elem->length-j, false);
481	if(key != NULL)
482	{
483	if(!range_list_add(unalloc_keys, key->offset,
484	key->cell_size, key))
485	{
486	fprintf(stderr, "ERROR: Couldn't add key to unalloc_keys.\n");
487	return 20;
488	}
489
490	if(removeRange(unalloc_cells, key->offset, key->cell_size))
491	{
492	/* TODO: This ugly hack is needed because unalloc_cells is changing
493	* underneath us when we find things. Need a better approach
494	* so we can parse things single-pass.
495	*/
496	i=0;
497	break;
498	}
499	else
500	return 30;
501	}
502	}
503	}
504
505	return 0;
506	}
507
508
509	int extractValueLists(REGF_FILE* f,
510	range_list* unalloc_cells,
511	range_list* unalloc_keys)
512	{
513	REGF_NK_REC* nk;
514	REGF_HBIN* hbin;
515	const range_list_element* cur_elem;
516	uint32 i, j, num_keys, off, values_length, max_length;
517
518	num_keys=range_list_size(unalloc_keys);
519	for(i=0; i<num_keys; i++)
520	{
521	cur_elem = range_list_get(unalloc_keys, i);
522	if(cur_elem == NULL)
523	return 10;
524	nk = cur_elem->data;
525
526	if(nk->num_values && (nk->values_off!=REGF_OFFSET_NONE))
527	{
528	hbin = regfi_lookup_hbin(f, nk->values_off);
529
530	if(hbin != NULL)
531	{
532	off = nk->values_off + REGF_BLOCKSIZE;
533	max_length = hbin->block_size + hbin->file_off - off;
534	/* TODO: This is kind of a hack. We parse all value-lists, VK records,
535	* and data records without regard for current allocation status.
536	* On the off chance that such a record correctly parsed but is
537	* actually a reallocated structure used by something else, we
538	* simply prune it after the fact. Would be faster to check this
539	* up front somehow.
540	*/
541	nk->values = regfi_load_valuelist(f, off, nk->num_values, max_length,
542	false);
543	values_length = (nk->num_values+1)*sizeof(uint32);
544	if(values_length != (values_length & 0xFFFFFFF8))
545	values_length = (values_length & 0xFFFFFFF8) + 8;
546
547	if(nk->values != NULL)
548	{
549	if(!range_list_has_range(unalloc_cells, off, values_length))
550	{ /* We've parsed a values-list which isn't in the unallocated list,
551	* so prune it.
552	*/
553	for(j=0; j<nk->num_values; j++)
554	{
555	if(nk->values[j] != NULL)
556	{
557	if(nk->values[j]->data != NULL)
558	free(nk->values[j]->data);
559	free(nk->values[j]);
560	}
561	}
562	free(nk->values);
563	nk->values = NULL;
564	}
565	else
566	{ /* Values-list was recovered. Remove from unalloc_cells and
567	* inspect values.
568	*/
569	if(!removeRange(unalloc_cells, off, values_length))
570	return 20;
571
572	for(j=0; j < nk->num_values; j++)
573	{
574	if(nk->values[j] != NULL)
575	{
576	if(!range_list_has_range(unalloc_cells, nk->values[j]->offset,
577	nk->values[j]->cell_size))
578	{ /* We've parsed a value which isn't in the unallocated list,
579	* so prune it.
580	*/
581	if(nk->values[j]->data != NULL)
582	free(nk->values[j]->data);
583	free(nk->values[j]);
584	nk->values[j] = NULL;
585	}
586	else
587	{
588	/* A VK record was recovered. Remove from unalloc_cells
589	* and inspect data.
590	*/
591	if(!removeRange(unalloc_cells, nk->values[j]->offset,
592	nk->values[j]->cell_size))
593	return 21;
594
595	/* Don't bother pruning or removing from unalloc_cells if
596	* there is no data, or it is stored in the offset.
597	*/
598	if(nk->values[j]->data != NULL && !nk->values[j]->data_in_offset)
599	{
600	off = nk->values[j]->data_off+REGF_BLOCKSIZE;
601	if(!range_list_has_range(unalloc_cells, off,
602	nk->values[j]->data_size))
603	{ /* We've parsed a data cell which isn't in the unallocated
604	* list, so prune it.
605	*/
606	free(nk->values[j]->data);
607	nk->values[j]->data = NULL;
608	}
609	else
610	{ /A data record was recovered. Remove from unalloc_cells./
611	if(!removeRange(unalloc_cells, off,
612	nk->values[j]->data_size))
613	return 22;
614	}
615	}
616	}
617	}
618	}
619	}
620	}
621	}
622	}
623	}
624
625	return 0;
626	}
627
628
629
630	int extractValues(REGF_FILE* f,
631	range_list* unalloc_cells,
632	range_list* unalloc_values)
633	{
634	const range_list_element* cur_elem;
635	REGF_VK_REC* vk;
636	uint32 i, j, off;
637
638	for(i=0; i < range_list_size(unalloc_cells); i++)
639	{
640	cur_elem = range_list_get(unalloc_cells, i);
641	for(j=0; j <= cur_elem->length; j+=8)
642	{
643	vk = regfi_parse_vk(f, cur_elem->offset+j,
644	cur_elem->length-j, false);
645	if(vk != NULL)
646	{
647	if(!range_list_add(unalloc_values, vk->offset,
648	vk->cell_size, vk))
649	{
650	fprintf(stderr, "ERROR: Couldn't add value to unalloc_values.\n");
651	return 20;
652	}
653
654	if(!removeRange(unalloc_cells, vk->offset, vk->cell_size))
655	return 30;
656
657	if(vk->data != NULL && !vk->data_in_offset)
658	{
659	off = vk->data_off+REGF_BLOCKSIZE;
660	if(!range_list_has_range(unalloc_cells, off,
661	vk->data_size))
662	{ /* We've parsed a data cell which isn't in the unallocated
663	* list, so prune it.
664	*/
665	free(vk->data);
666	vk->data = NULL;
667	}
668	else
669	{ /A data record was recovered. Remove from unalloc_cells./
670	if(!removeRange(unalloc_cells, off, vk->data_size))
671	return 40;
672	}
673	}
674
675	/* TODO: This ugly hack is needed because unalloc_cells is changing
676	* underneath us when we find things. Need a better approach
677	* so we can parse things single-pass.
678	*/
679	i=0;
680	break;
681	}
682	}
683	}
684
685	return 0;
686	}
687
688
689	int extractSKs(REGF_FILE* f,
690	range_list* unalloc_cells,
691	range_list* unalloc_sks)
692	{
693	const range_list_element* cur_elem;
694	REGF_SK_REC* sk;
695	uint32 i, j;
696
697	for(i=0; i < range_list_size(unalloc_cells); i++)
698	{
699	cur_elem = range_list_get(unalloc_cells, i);
700	for(j=0; j <= cur_elem->length; j+=8)
701	{
702	sk = regfi_parse_sk(f, cur_elem->offset+j,
703	cur_elem->length-j, false);
704	if(sk != NULL)
705	{
706	if(!range_list_add(unalloc_sks, sk->offset,
707	sk->cell_size, sk))
708	{
709	fprintf(stderr, "ERROR: Couldn't add sk to unalloc_sks.\n");
710	return 20;
711	}
712
713	if(removeRange(unalloc_cells, sk->offset, sk->cell_size))
714	{
715	/* TODO: This ugly hack is needed because unalloc_cells is changing
716	* underneath us when we find things. Need a better approach
717	* so we can parse things single-pass.
718	*/
719	i = 0;
720	break;
721	}
722	else
723	return 30;
724	}
725	}
726	}
727
728	return 0;
729	}
730
731
732	int main(int argc, char** argv)
733	{
734	REGF_FILE* f;
735	const range_list_element* cur_elem;
736	range_list* unalloc_cells;
737	range_list* unalloc_keys;
738	range_list* unalloc_values;
739	range_list* unalloc_sks;
740	char** parent_paths;
741	char* tmp_name;
742	char* tmp_path;
743	REGF_NK_REC* tmp_key;
744	REGF_VK_REC* tmp_value;
745	uint32 argi, arge, i, j, k, ret, num_unalloc_keys;
746	/* uint32 test_offset;*/
747
748	/* Process command line arguments */
749	if(argc < 2)
750	{
751	usage();
752	bailOut(EX_USAGE, "ERROR: Requires at least one argument.\n");
753	}
754
755	arge = argc-1;
756	for(argi = 1; argi < arge; argi++)
757	{
758	if (strcmp("-v", argv[argi]) == 0)
759	print_verbose = true;
760	else if (strcmp("-h", argv[argi]) == 0)
761	print_header = true;
762	else if (strcmp("-H", argv[argi]) == 0)
763	print_header = false;
764	else if (strcmp("-l", argv[argi]) == 0)
765	print_leftover = true;
766	else if (strcmp("-L", argv[argi]) == 0)
767	print_leftover = false;
768	else if (strcmp("-r", argv[argi]) == 0)
769	print_parsedraw = true;
770	else if (strcmp("-R", argv[argi]) == 0)
771	print_parsedraw = false;
772	else
773	{
774	usage();
775	fprintf(stderr, "ERROR: Unrecognized option: %s\n", argv[argi]);
776	bailOut(EX_USAGE, "");
777	}
778	}
779	/test_offset = strtol(argv[argi++], NULL, 16);/
780
781	if((registry_file = strdup(argv[argi])) == NULL)
782	bailOut(EX_OSERR, "ERROR: Memory allocation problem.\n");
783
784	f = regfi_open(registry_file);
785	if(f == NULL)
786	{
787	fprintf(stderr, "ERROR: Couldn't open registry file: %s\n", registry_file);
788	bailOut(EX_NOINPUT, "");
789	}
790
791	if(print_header)
792	printf("OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME,"
793	"NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN,"
794	"SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL\n");
795
796	unalloc_cells = regfi_parse_unalloc_cells(f);
797	if(unalloc_cells == NULL)
798	{
799	fprintf(stderr, "ERROR: Could not obtain list of unallocated cells.\n");
800	return 1;
801	}
802
803	/*XXX
804	for(i=0,k=0; i < range_list_size(unalloc_cells); i++)
805	{
806	cur_elem = range_list_get(unalloc_cells, i);
807	k+=cur_elem->length;
808	}
809	printf("UNALLOC=%d\n", k);
810	printf("UNALLOC_CELL_COUNT=%d\n", range_list_size(unalloc_cells));
811	XXX*/
812
813	unalloc_keys = range_list_new();
814	if(unalloc_keys == NULL)
815	return 10;
816
817	unalloc_values = range_list_new();
818	if(unalloc_values == NULL)
819	return 10;
820
821	unalloc_sks = range_list_new();
822	if(unalloc_sks == NULL)
823	return 10;
824
825	ret = extractKeys(f, unalloc_cells, unalloc_keys);
826	if(ret != 0)
827	{
828	fprintf(stderr, "ERROR: extractKeys() failed with %d.\n", ret);
829	return ret;
830	}
831
832	ret = extractValueLists(f, unalloc_cells, unalloc_keys);
833	if(ret != 0)
834	{
835	fprintf(stderr, "ERROR: extractValueLists() failed with %d.\n", ret);
836	return ret;
837	}
838
839	/* Carve any orphan values and associated data */
840	ret = extractValues(f, unalloc_cells, unalloc_values);
841	if(ret != 0)
842	{
843	fprintf(stderr, "ERROR: extractValues() failed with %d.\n", ret);
844	return ret;
845	}
846
847	/* Carve any SK records */
848	ret = extractSKs(f, unalloc_cells, unalloc_sks);
849	if(ret != 0)
850	{
851	fprintf(stderr, "ERROR: extractSKs() failed with %d.\n", ret);
852	return ret;
853	}
854
855	/* Now that we're done carving, associate recovered keys with parents,
856	* if at all possible.
857	*/
858	num_unalloc_keys = range_list_size(unalloc_keys);
859	parent_paths = (char*)malloc(sizeof(char)*num_unalloc_keys);
860	if(parent_paths == NULL)
861	return 10;
862
863	for(i=0; i < num_unalloc_keys; i++)
864	{
865	cur_elem = range_list_get(unalloc_keys, i);
866	tmp_key = (REGF_NK_REC*)cur_elem->data;
867
868	if(tmp_key == NULL)
869	return 20;
870
871	parent_paths[i] = getParentPath(f, tmp_key);
872	if(parent_paths[i] == NULL)
873	return 20;
874	}
875
876	/* Now start the output */
877
878	for(i=0; i < num_unalloc_keys; i++)
879	{
880	cur_elem = range_list_get(unalloc_keys, i);
881	tmp_key = (REGF_NK_REC*)cur_elem->data;
882
883	printKey(f, tmp_key, parent_paths[i]);
884	if(tmp_key->num_values > 0 && tmp_key->values != NULL)
885	{
886	tmp_name = quote_string(tmp_key->keyname, key_special_chars);
887	tmp_path = (char*)malloc(strlen(parent_paths[i])+strlen(tmp_name)+2);
888	if(tmp_path == NULL)
889	return 10;
890	sprintf(tmp_path, "%s/%s", parent_paths[i], tmp_name);
891	for(j=0; j < tmp_key->num_values; j++)
892	{
893	tmp_value = tmp_key->values[j];
894	if(tmp_value != NULL)
895	printValue(f, tmp_value, tmp_path);
896	}
897	free(tmp_path);
898	free(tmp_name);
899	free(parent_paths[i]);
900	}
901	}
902	free(parent_paths);
903
904	/* Print out orphaned values */
905	for(i=0; i < range_list_size(unalloc_values); i++)
906	{
907	cur_elem = range_list_get(unalloc_values, i);
908	tmp_value = (REGF_VK_REC*)cur_elem->data;
909
910	printValue(f, tmp_value, "");
911	}
912
913	/*XXX
914	for(i=0,j=0; i < range_list_size(unalloc_cells); i++)
915	{
916	cur_elem = range_list_get(unalloc_cells, i);
917	j+=cur_elem->length;
918	}
919	printf("PARSED_UNALLOC=%d\n", k-j);
920	XXX*/
921
922	if(print_leftover)
923	{
924	for(i=0; i < range_list_size(unalloc_cells); i++)
925	{
926	cur_elem = range_list_get(unalloc_cells, i);
927	printCell(f, cur_elem->offset);
928	}
929	}
930
931	/*
932	printf("Analyzing test_offset...\n");
933	if((tmp_key = regfi_parse_nk(f, test_offset, 4096, false)) != NULL)
934	regfi_print_nk(tmp_key);
935	else
936	dump_cell(f->fd, test_offset);
937	*/
938
939	return 0;
940	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: