Context Navigation

source: trunk/src/reglookup-recover.c @ 117

Last change on this file since 117 was 117, checked in by tim, 16 years ago
reordered orphaned value extraction to be faster and more accurate
File size: 25.2 KB

Line
1	/*
2	* Copyright (C) 2008 Timothy D. Morgan
3	*
4	* This program is free software; you can redistribute it and/or modify
5	* it under the terms of the GNU General Public License as published by
6	* the Free Software Foundation; version 3 of the License.
7	*
8	* This program is distributed in the hope that it will be useful,
9	* but WITHOUT ANY WARRANTY; without even the implied warranty of
10	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11	* GNU General Public License for more details.
12	*
13	* You should have received a copy of the GNU General Public License
14	* along with this program; if not, write to the Free Software
15	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
16	*
17	* $Id: $
18	*/
19
20	#include <stdio.h>
21	#include <stdlib.h>
22	#include <sysexits.h>
23
24	#include "../include/regfi.h"
25	#include "../include/range_list.h"
26	#include "../include/lru_cache.h"
27
28
29	/* Globals, influenced by command line parameters */
30	bool print_verbose = false;
31	bool print_security = false;
32	bool print_header = true;
33	bool print_leftover = false;
34	bool print_parsedraw = false;
35	char* registry_file = NULL;
36
37
38	#include "common.c"
39
40	/* Output format:
41	* real_offset,min_length,record_type,parent_path,name,data_type,mtime,num_values,value,data_length,raw_data
42	*/
43
44	void regfi_print_nk(REGF_NK_REC* nk)
45	{
46	printf("Found key at offset 0x%.8X:\n", nk->offset);
47	printf(" keyname: \"%s\"\n", nk->keyname);
48	printf(" parent_off (virtual): 0x%.8X\n", nk->parent_off);
49	printf(" cell_size: %d\n", nk->cell_size);
50	printf(" key_type: 0x%.4X\n", nk->key_type);
51	printf(" magic: %c%c\n", nk->magic[0], nk->magic[1]);
52	printf(" mtime: 0x%.8X 0x%.8X\n", nk->mtime.low, nk->mtime.high);
53	printf(" name_length: %d\n", nk->name_length);
54	printf(" classname_length: %d\n", nk->classname_length);
55	printf(" classname_off (virtual): 0x%.8X\n", nk->classname_off);
56	printf(" max_bytes_subkeyname: %d\n", nk->max_bytes_subkeyname);
57	printf(" max_bytes_subkeyclassname: %d\n", nk->max_bytes_subkeyclassname);
58	printf(" max_bytes_valuename: %d\n", nk->max_bytes_valuename);
59	printf(" max_bytes_value: %d\n", nk->max_bytes_value);
60	printf(" unknown1: 0x%.8X\n", nk->unknown1);
61	printf(" unknown2: 0x%.8X\n", nk->unknown2);
62	printf(" unknown3: 0x%.8X\n", nk->unknown3);
63	printf(" unk_index: 0x%.8X\n", nk->unk_index);
64	printf(" num_subkeys: %d\n", nk->num_subkeys);
65	printf(" subkeys_off (virtual): 0x%.8X\n", nk->subkeys_off);
66	printf(" num_values: %d\n", nk->num_values);
67	printf(" values_off (virtual): 0x%.8X\n", nk->values_off);
68	printf(" sk_off (virtual): 0x%.8X\n", nk->sk_off);
69	printf("\n");
70	}
71
72
73	char* getQuotedData(int fd, uint32 offset, uint32 length)
74	{
75	uint8* buf;
76	char* quoted_buf;
77	uint32 len;
78
79	if((lseek(fd, offset, SEEK_SET)) == -1)
80	return NULL;
81
82	buf = (uint8*)malloc(length);
83	if(buf == NULL)
84	return NULL;
85
86	len = length;
87	if((regfi_read(fd, buf, &length) != 0) \|\| length != len)
88	{
89	free(buf);
90	return NULL;
91	}
92
93	quoted_buf = quote_buffer(buf, length, common_special_chars);
94	free(buf);
95
96	return quoted_buf;
97	}
98
99
100	void printKey(REGF_FILE* f, REGF_NK_REC* nk, const char* prefix)
101	{
102	char mtime[20];
103	time_t tmp_time[1];
104	struct tm* tmp_time_s = NULL;
105	char* quoted_name = NULL;
106	char* quoted_raw = "";
107
108	*tmp_time = nt_time_to_unix(&nk->mtime);
109	tmp_time_s = gmtime(tmp_time);
110	strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s);
111
112	quoted_name = quote_string(nk->keyname, key_special_chars);
113	if (quoted_name == NULL)
114	{
115	quoted_name = malloc(1*sizeof(char));
116	if(quoted_name == NULL)
117	bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
118	quoted_name[0] = '\0';
119
120	fprintf(stderr, "WARNING: NULL key name in NK record at offset %.8X.\n",
121	nk->offset);
122	}
123
124	if(print_parsedraw)
125	quoted_raw = getQuotedData(f->fd, nk->offset, nk->cell_size);
126
127	printf("%.8X,%.8X,KEY,%s,%s,%s,%d,,,,,,,,%s\n", nk->offset, nk->cell_size,
128	prefix, quoted_name, mtime, nk->num_values, quoted_raw);
129
130	if(print_parsedraw)
131	free(quoted_raw);
132	}
133
134
135	void printValue(REGF_FILE* f, const REGF_VK_REC* vk, const char* prefix)
136	{
137	char* quoted_value = NULL;
138	char* quoted_name = NULL;
139	char* quoted_raw = "";
140	char* conv_error = NULL;
141	const char* str_type = NULL;
142	uint32 size = vk->data_size;
143
144	/* Microsoft's documentation indicates that "available memory" is
145	* the limit on value sizes. Annoying. We limit it to 1M which
146	* should rarely be exceeded, unless the file is corrupt or
147	* malicious. For more info, see:
148	* http://msdn2.microsoft.com/en-us/library/ms724872.aspx
149	*/
150	/* XXX: Should probably do something different here for this tool.
151	* Also, It would be really nice if this message somehow included the
152	* name of the current value we're having trouble with, since
153	* stderr/stdout don't always sync nicely.
154	*/
155	if(size > VK_MAX_DATA_LENGTH)
156	{
157	fprintf(stderr, "WARNING: value data size %d larger than "
158	"%d, truncating...\n", size, VK_MAX_DATA_LENGTH);
159	size = VK_MAX_DATA_LENGTH;
160	}
161
162	quoted_name = quote_string(vk->valuename, key_special_chars);
163	if (quoted_name == NULL)
164	{ /* Value names are NULL when we're looking at the "(default)" value.
165	* Currently we just return a 0-length string to try an eliminate
166	* ambiguity with a literal "(default)" value. The data type of a line
167	* in the output allows one to differentiate between the parent key and
168	* this value.
169	*/
170	quoted_name = malloc(1*sizeof(char));
171	if(quoted_name == NULL)
172	bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
173	quoted_name[0] = '\0';
174	}
175
176	quoted_value = data_to_ascii(vk->data, size, vk->type, &conv_error);
177	if(quoted_value == NULL)
178	{
179	quoted_value = malloc(1*sizeof(char));
180	if(quoted_value == NULL)
181	bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
182	quoted_value[0] = '\0';
183
184	if(conv_error == NULL)
185	fprintf(stderr, "WARNING: Could not quote value for '%s/%s'. "
186	"Memory allocation failure likely.\n", prefix, quoted_name);
187	else if(print_verbose)
188	fprintf(stderr, "WARNING: Could not quote value for '%s/%s'. "
189	"Returned error: %s\n", prefix, quoted_name, conv_error);
190	}
191	/* XXX: should these always be printed? */
192	else if(conv_error != NULL && print_verbose)
193	fprintf(stderr, "VERBOSE: While quoting value for '%s/%s', "
194	"warning returned: %s\n", prefix, quoted_name, conv_error);
195
196
197	if(print_parsedraw)
198	quoted_raw = getQuotedData(f->fd, vk->offset, vk->cell_size);
199
200	str_type = regfi_type_val2str(vk->type);
201	if(str_type == NULL)
202	printf("%.8X,%.8X,VALUE,%s,%s,,,0x%.8X,%s,%d,,,,,%s\n",
203	vk->offset, vk->cell_size, prefix, quoted_name,
204	vk->type, quoted_value, vk->data_size, quoted_raw);
205	else
206	printf("%.8X,%.8X,VALUE,%s,%s,,,%s,%s,%d,,,,,%s\n",
207	vk->offset, vk->cell_size, prefix, quoted_name,
208	str_type, quoted_value, vk->data_size, quoted_raw);
209
210	if(print_parsedraw)
211	free(quoted_raw);
212	if(quoted_value != NULL)
213	free(quoted_value);
214	if(quoted_name != NULL)
215	free(quoted_name);
216	if(conv_error != NULL)
217	free(conv_error);
218	}
219
220
221	void printSK(REGF_FILE* f, REGF_SK_REC* sk)
222	{
223	char* quoted_raw = NULL;
224	char* empty_str = "";
225	char* owner = regfi_get_owner(sk->sec_desc);
226	char* group = regfi_get_group(sk->sec_desc);
227	char* sacl = regfi_get_sacl(sk->sec_desc);
228	char* dacl = regfi_get_dacl(sk->sec_desc);
229
230	if(print_parsedraw)
231	quoted_raw = getQuotedData(f->fd, sk->offset, sk->cell_size);
232
233	if(owner == NULL)
234	owner = empty_str;
235	if(group == NULL)
236	group = empty_str;
237	if(sacl == NULL)
238	sacl = empty_str;
239	if(dacl == NULL)
240	dacl = empty_str;
241
242	printf("%.8X,%.8X,SK,,,,,,,,%s,%s,%s,%s,%s\n", sk->offset, sk->cell_size,
243	owner, group, sacl, dacl, quoted_raw);
244
245	if(owner != empty_str)
246	free(owner);
247	if(group != empty_str)
248	free(group);
249	if(sacl != empty_str)
250	free(sacl);
251	if(dacl != empty_str)
252	free(dacl);
253
254	if(print_parsedraw)
255	free(quoted_raw);
256	}
257
258
259	int printCell(REGF_FILE* f, uint32 offset)
260	{
261	char* quoted_buf;
262	uint32 cell_length;
263	bool unalloc;
264
265	if(!regfi_parse_cell(f->fd, offset, NULL, 0, &cell_length, &unalloc))
266	return 1;
267
268	quoted_buf = getQuotedData(f->fd, offset, cell_length);
269	if(quoted_buf == NULL)
270	return 2;
271
272	printf("%.8X,%.8X,RAW,,,,,,,,,,,,%s\n", offset, cell_length, quoted_buf);
273
274	free(quoted_buf);
275	return 0;
276	}
277
278
279	/* This function returns a properly quoted parent path or partial parent
280	* path for a given key. Returns NULL on error, "" if no path was available.
281	* Paths returned must be free()d.
282	*/
283	/* XXX: This is not terribly efficient, as it may reparse many keys
284	* repeatedly. Should try to add caching. Also, piecing the path
285	* together is slow and redundant.
286	*/
287	char* getParentPath(REGF_FILE* f, REGF_NK_REC* nk)
288	{
289	void_stack* path_stack = void_stack_new(REGF_MAX_DEPTH);
290	REGF_HBIN* hbin;
291	REGF_NK_REC* cur_ancestor;
292	char* ret_val;
293	char* path_element;
294	char* tmp_str;
295	uint32 virt_offset, i, stack_size, ret_val_size, ret_val_left, element_size;
296	uint32 max_length;
297
298	virt_offset = nk->parent_off;
299	while(virt_offset != REGF_OFFSET_NONE)
300	{
301	/* TODO: Need to add checks for infinite loops and/or add depth limit */
302	hbin = regfi_lookup_hbin(f, virt_offset);
303	if(hbin == NULL)
304	virt_offset = REGF_OFFSET_NONE;
305	else
306	{
307	max_length = hbin->block_size + hbin->file_off
308	- (virt_offset+REGF_BLOCKSIZE);
309	cur_ancestor = regfi_parse_nk(f, virt_offset+REGF_BLOCKSIZE,
310	max_length, true);
311	if(cur_ancestor == NULL)
312	virt_offset = REGF_OFFSET_NONE;
313	else
314	{
315	if(cur_ancestor->key_type == NK_TYPE_ROOTKEY)
316	virt_offset = REGF_OFFSET_NONE;
317	else
318	virt_offset = cur_ancestor->parent_off;
319
320	path_element = quote_string(cur_ancestor->keyname, key_special_chars);
321	if(path_element == NULL \|\| !void_stack_push(path_stack, path_element))
322	{
323	free(cur_ancestor->keyname);
324	free(cur_ancestor);
325	void_stack_free_deep(path_stack);
326	return NULL;
327	}
328
329	regfi_key_free(cur_ancestor);
330	}
331	}
332	}
333
334	stack_size = void_stack_size(path_stack);
335	ret_val_size = 16*stack_size;
336	if(ret_val_size == 0)
337	ret_val_size = 1;
338	ret_val_left = ret_val_size;
339	ret_val = malloc(ret_val_size);
340	if(ret_val == NULL)
341	{
342	void_stack_free_deep(path_stack);
343	return NULL;
344	}
345	ret_val[0] = '\0';
346
347	for(i=0; i<stack_size; i++)
348	{
349	path_element = void_stack_pop(path_stack);
350	element_size = strlen(path_element);
351	if(ret_val_left < element_size+2)
352	{
353	ret_val_size += element_size+16;
354	ret_val_left += element_size+16;
355	tmp_str = (char*)realloc(ret_val, ret_val_size);
356	if(tmp_str == NULL)
357	{
358	free(ret_val);
359	void_stack_free_deep(path_stack);
360	return NULL;
361	}
362	ret_val = tmp_str;
363	}
364
365	ret_val_left -= snprintf(ret_val+ret_val_size-ret_val_left,ret_val_left, "/%s", path_element);
366	free(path_element);
367	}
368	void_stack_free(path_stack);
369
370	return ret_val;
371	}
372
373
374	/*
375	void dump_cell(int fd, uint32 offset)
376	{
377	uint8* buf;
378	uint32 length, j;
379	int32 cell_length;
380
381	if((lseek(fd, offset, SEEK_SET)) == -1)
382	exit(8);
383
384	length = 4;
385	regfi_read(fd, (void*)&cell_length, &length);
386	if(cell_length < 0)
387	cell_length *= -1;
388
389	buf = (uint8*)malloc(cell_length);
390	if(buf == NULL)
391	exit(9);
392	if((lseek(fd, offset, SEEK_SET)) == -1)
393	exit(8);
394
395	length = cell_length;
396	regfi_read(fd, buf, &length);
397	for(j=0; j < length; j++)
398	{
399	printf("%.2X", buf[j]);
400	if(j%4 == 3)
401	printf(" ");
402	}
403	printf("\n");
404	free(buf);
405	}
406	*/
407
408	static void usage(void)
409	{
410	fprintf(stderr, "Usage: reglookup-recover [options] <REGISTRY_FILE>\n");
411	fprintf(stderr, "Version: %s\n", REGLOOKUP_VERSION);
412	fprintf(stderr, "Options:\n");
413	fprintf(stderr, "\t-v\t sets verbose mode.\n");
414	fprintf(stderr, "\t-h\t enables header row. (default)\n");
415	fprintf(stderr, "\t-H\t disables header row.\n");
416	fprintf(stderr, "\t-l\t enables leftover(raw) cell output.\n");
417	fprintf(stderr, "\t-L\t disables leftover(raw) cell output. (default)\n");
418	fprintf(stderr, "\t-r\t enables raw cell output for parsed cells.\n");
419	fprintf(stderr, "\t-R\t disables raw cell output for parsed cells. (default)\n");
420	fprintf(stderr, "\n");
421	}
422
423
424	bool removeRange(range_list* rl, uint32 offset, uint32 length)
425	{
426	int32 rm_idx;
427	const range_list_element* cur_elem;
428
429	rm_idx = range_list_find(rl, offset);
430	if(rm_idx < 0)
431	{
432	fprintf(stderr, "DEBUG: removeRange: rm_idx < 0; (%d)\n", rm_idx);
433	return false;
434	}
435
436	cur_elem = range_list_get(rl, rm_idx);
437	if(cur_elem == NULL)
438	{
439	fprintf(stderr, "DEBUG: removeRange: cur_elem == NULL. rm_idx=%d\n", rm_idx);
440	return false;
441	}
442
443	if(offset > cur_elem->offset)
444	{
445	if(!range_list_split_element(rl, rm_idx, offset))
446	{
447	fprintf(stderr, "DEBUG: removeRange: first split failed\n");
448	return false;
449	}
450	rm_idx++;
451	cur_elem = range_list_get(rl, rm_idx);
452	if(cur_elem == NULL)
453	{
454	fprintf(stderr,
455	"DEBUG: removeRange: cur_elem == NULL after first split. rm_idx=%d\n",
456	rm_idx);
457	return false;
458	}
459	}
460
461	if(offset+length < cur_elem->offset+cur_elem->length)
462	{
463	if(!range_list_split_element(rl, rm_idx, offset+length))
464	{
465	fprintf(stderr, "DEBUG: removeRange: second split failed\n");
466	return false;
467	}
468	}
469
470	if(!range_list_remove(rl, rm_idx))
471	{
472	fprintf(stderr, "DEBUG: removeRange: remove failed\n");
473	return false;
474	}
475
476	return true;
477	}
478
479
480	/* NOTE: unalloc_keys should be an empty range_list. */
481	int extractKeys(REGF_FILE* f,
482	range_list* unalloc_cells,
483	range_list* unalloc_keys)
484	{
485	const range_list_element* cur_elem;
486	REGF_NK_REC* key;
487	uint32 i, j;
488
489	for(i=0; i < range_list_size(unalloc_cells); i++)
490	{
491	cur_elem = range_list_get(unalloc_cells, i);
492	for(j=0; cur_elem->length > REGFI_NK_MIN_LENGTH
493	&& j <= cur_elem->length-REGFI_NK_MIN_LENGTH; j+=8)
494	{
495	key = regfi_parse_nk(f, cur_elem->offset+j,
496	cur_elem->length-j, false);
497	if(key != NULL)
498	{
499	if(!range_list_add(unalloc_keys, key->offset,
500	key->cell_size, key))
501	{
502	fprintf(stderr, "ERROR: Couldn't add key to unalloc_keys.\n");
503	return 20;
504	}
505	j+=key->cell_size-8;
506	}
507	}
508	}
509
510	for(i=0; i<range_list_size(unalloc_keys); i++)
511	{
512	cur_elem = range_list_get(unalloc_keys, i);
513	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
514	return 30;
515	}
516
517	return 0;
518	}
519
520
521	int extractValueLists(REGF_FILE* f,
522	range_list* unalloc_cells,
523	range_list* unalloc_keys)
524	{
525	REGF_NK_REC* nk;
526	REGF_HBIN* hbin;
527	const range_list_element* cur_elem;
528	uint32 i, j, num_keys, off, values_length, max_length;
529
530	num_keys=range_list_size(unalloc_keys);
531	for(i=0; i<num_keys; i++)
532	{
533	cur_elem = range_list_get(unalloc_keys, i);
534	if(cur_elem == NULL)
535	return 10;
536	nk = cur_elem->data;
537
538	if(nk->num_values && (nk->values_off!=REGF_OFFSET_NONE))
539	{
540	hbin = regfi_lookup_hbin(f, nk->values_off);
541
542	if(hbin != NULL)
543	{
544	off = nk->values_off + REGF_BLOCKSIZE;
545	max_length = hbin->block_size + hbin->file_off - off;
546	/* TODO: This is kind of a hack. We parse all value-lists, VK records,
547	* and data records without regard for current allocation status.
548	* On the off chance that such a record correctly parsed but is
549	* actually a reallocated structure used by something else, we
550	* simply prune it after the fact. Would be faster to check this
551	* up front somehow.
552	*/
553	nk->values = regfi_load_valuelist(f, off, nk->num_values, max_length,
554	false);
555	values_length = (nk->num_values+1)*sizeof(uint32);
556	if(values_length != (values_length & 0xFFFFFFF8))
557	values_length = (values_length & 0xFFFFFFF8) + 8;
558
559	if(nk->values != NULL)
560	{
561	if(!range_list_has_range(unalloc_cells, off, values_length))
562	{ /* We've parsed a values-list which isn't in the unallocated list,
563	* so prune it.
564	*/
565	for(j=0; j<nk->num_values; j++)
566	{
567	if(nk->values[j] != NULL)
568	{
569	if(nk->values[j]->data != NULL)
570	free(nk->values[j]->data);
571	free(nk->values[j]);
572	}
573	}
574	free(nk->values);
575	nk->values = NULL;
576	}
577	else
578	{ /* Values-list was recovered. Remove from unalloc_cells and
579	* inspect values.
580	*/
581	if(!removeRange(unalloc_cells, off, values_length))
582	return 20;
583
584	for(j=0; j < nk->num_values; j++)
585	{
586	if(nk->values[j] != NULL)
587	{
588	if(!range_list_has_range(unalloc_cells, nk->values[j]->offset,
589	nk->values[j]->cell_size))
590	{ /* We've parsed a value which isn't in the unallocated list,
591	* so prune it.
592	*/
593	if(nk->values[j]->data != NULL)
594	free(nk->values[j]->data);
595	free(nk->values[j]);
596	nk->values[j] = NULL;
597	}
598	else
599	{
600	/* A VK record was recovered. Remove from unalloc_cells
601	* and inspect data.
602	*/
603	if(!removeRange(unalloc_cells, nk->values[j]->offset,
604	nk->values[j]->cell_size))
605	return 21;
606
607	/* Don't bother pruning or removing from unalloc_cells if
608	* there is no data, or it is stored in the offset.
609	*/
610	if(nk->values[j]->data != NULL && !nk->values[j]->data_in_offset)
611	{
612	off = nk->values[j]->data_off+REGF_BLOCKSIZE;
613	if(!range_list_has_range(unalloc_cells, off,
614	nk->values[j]->data_size))
615	{ /* We've parsed a data cell which isn't in the unallocated
616	* list, so prune it.
617	*/
618	free(nk->values[j]->data);
619	nk->values[j]->data = NULL;
620	}
621	else
622	{ /A data record was recovered. Remove from unalloc_cells./
623	if(!removeRange(unalloc_cells, off,
624	nk->values[j]->data_size))
625	return 22;
626	}
627	}
628	}
629	}
630	}
631	}
632	}
633	}
634	}
635	}
636
637	return 0;
638	}
639
640
641	/* NOTE: unalloc_values should be an empty range_list. */
642	int extractValues(REGF_FILE* f,
643	range_list* unalloc_cells,
644	range_list* unalloc_values)
645	{
646	const range_list_element* cur_elem;
647	REGF_VK_REC* vk;
648	uint32 i, j, off;
649
650	for(i=0; i < range_list_size(unalloc_cells); i++)
651	{
652	cur_elem = range_list_get(unalloc_cells, i);
653	for(j=0; j <= cur_elem->length; j+=8)
654	{
655	vk = regfi_parse_vk(f, cur_elem->offset+j,
656	cur_elem->length-j, false);
657	if(vk != NULL)
658	{
659	if(!range_list_add(unalloc_values, vk->offset,
660	vk->cell_size, vk))
661	{
662	fprintf(stderr, "ERROR: Couldn't add value to unalloc_values.\n");
663	return 20;
664	}
665	j+=vk->cell_size-8;
666	}
667	}
668	}
669
670	/* Remove value ranges from the unalloc_cells before we continue. */
671	for(i=0; i<range_list_size(unalloc_values); i++)
672	{
673	cur_elem = range_list_get(unalloc_values, i);
674	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
675	return 30;
676	}
677
678	/* Now see if the data associated with each value is intact */
679	for(i=0; i<range_list_size(unalloc_values); i++)
680	{
681	cur_elem = range_list_get(unalloc_values, i);
682	vk = (REGF_VK_REC*)cur_elem->data;
683	if(vk == NULL)
684	return 40;
685
686	if(vk->data != NULL && !vk->data_in_offset)
687	{
688	off = vk->data_off+REGF_BLOCKSIZE;
689	if(!range_list_has_range(unalloc_cells, off, vk->data_size))
690	{ /* We've parsed a data cell which isn't in the unallocated
691	* list, so prune it.
692	*/
693	free(vk->data);
694	vk->data = NULL;
695	}
696	else
697	{ /A data record was recovered. Remove from unalloc_cells./
698	if(!removeRange(unalloc_cells, off, vk->data_size))
699	return 50;
700	}
701	}
702	}
703
704	return 0;
705	}
706
707
708	int extractSKs(REGF_FILE* f,
709	range_list* unalloc_cells,
710	range_list* unalloc_sks)
711	{
712	const range_list_element* cur_elem;
713	REGF_SK_REC* sk;
714	uint32 i, j;
715
716	for(i=0; i < range_list_size(unalloc_cells); i++)
717	{
718	cur_elem = range_list_get(unalloc_cells, i);
719	for(j=0; j <= cur_elem->length; j+=8)
720	{
721	sk = regfi_parse_sk(f, cur_elem->offset+j,
722	cur_elem->length-j, false);
723	if(sk != NULL)
724	{
725	if(!range_list_add(unalloc_sks, sk->offset,
726	sk->cell_size, sk))
727	{
728	fprintf(stderr, "ERROR: Couldn't add sk to unalloc_sks.\n");
729	return 20;
730	}
731
732	if(removeRange(unalloc_cells, sk->offset, sk->cell_size))
733	{
734	/* TODO: This ugly hack is needed because unalloc_cells is changing
735	* underneath us when we find things. Need a better approach
736	* so we can parse things single-pass.
737	*/
738	i = 0;
739	break;
740	}
741	else
742	return 30;
743	}
744	}
745	}
746
747	return 0;
748	}
749
750
751	int main(int argc, char** argv)
752	{
753	REGF_FILE* f;
754	const range_list_element* cur_elem;
755	range_list* unalloc_cells;
756	range_list* unalloc_keys;
757	range_list* unalloc_values;
758	range_list* unalloc_sks;
759	char** parent_paths;
760	char* tmp_name;
761	char* tmp_path;
762	REGF_NK_REC* tmp_key;
763	REGF_VK_REC* tmp_value;
764	uint32 argi, arge, i, j, ret, num_unalloc_keys;
765	/* uint32 test_offset;*/
766
767	/* Process command line arguments */
768	if(argc < 2)
769	{
770	usage();
771	bailOut(EX_USAGE, "ERROR: Requires at least one argument.\n");
772	}
773
774	arge = argc-1;
775	for(argi = 1; argi < arge; argi++)
776	{
777	if (strcmp("-v", argv[argi]) == 0)
778	print_verbose = true;
779	else if (strcmp("-h", argv[argi]) == 0)
780	print_header = true;
781	else if (strcmp("-H", argv[argi]) == 0)
782	print_header = false;
783	else if (strcmp("-l", argv[argi]) == 0)
784	print_leftover = true;
785	else if (strcmp("-L", argv[argi]) == 0)
786	print_leftover = false;
787	else if (strcmp("-r", argv[argi]) == 0)
788	print_parsedraw = true;
789	else if (strcmp("-R", argv[argi]) == 0)
790	print_parsedraw = false;
791	else
792	{
793	usage();
794	fprintf(stderr, "ERROR: Unrecognized option: %s\n", argv[argi]);
795	bailOut(EX_USAGE, "");
796	}
797	}
798	/test_offset = strtol(argv[argi++], NULL, 16);/
799
800	if((registry_file = strdup(argv[argi])) == NULL)
801	bailOut(EX_OSERR, "ERROR: Memory allocation problem.\n");
802
803	f = regfi_open(registry_file);
804	if(f == NULL)
805	{
806	fprintf(stderr, "ERROR: Couldn't open registry file: %s\n", registry_file);
807	bailOut(EX_NOINPUT, "");
808	}
809
810	if(print_header)
811	printf("OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME,"
812	"NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN,"
813	"SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL\n");
814
815	unalloc_cells = regfi_parse_unalloc_cells(f);
816	if(unalloc_cells == NULL)
817	{
818	fprintf(stderr, "ERROR: Could not obtain list of unallocated cells.\n");
819	return 1;
820	}
821
822	/*XXX
823	for(i=0,k=0; i < range_list_size(unalloc_cells); i++)
824	{
825	cur_elem = range_list_get(unalloc_cells, i);
826	k+=cur_elem->length;
827	}
828	printf("UNALLOC=%d\n", k);
829	printf("UNALLOC_CELL_COUNT=%d\n", range_list_size(unalloc_cells));
830	XXX*/
831
832	unalloc_keys = range_list_new();
833	if(unalloc_keys == NULL)
834	return 10;
835
836	unalloc_values = range_list_new();
837	if(unalloc_values == NULL)
838	return 10;
839
840	unalloc_sks = range_list_new();
841	if(unalloc_sks == NULL)
842	return 10;
843
844	ret = extractKeys(f, unalloc_cells, unalloc_keys);
845	if(ret != 0)
846	{
847	fprintf(stderr, "ERROR: extractKeys() failed with %d.\n", ret);
848	return ret;
849	}
850
851	ret = extractValueLists(f, unalloc_cells, unalloc_keys);
852	if(ret != 0)
853	{
854	fprintf(stderr, "ERROR: extractValueLists() failed with %d.\n", ret);
855	return ret;
856	}
857
858	/* Carve any orphan values and associated data */
859	ret = extractValues(f, unalloc_cells, unalloc_values);
860	if(ret != 0)
861	{
862	fprintf(stderr, "ERROR: extractValues() failed with %d.\n", ret);
863	return ret;
864	}
865
866	/* Carve any SK records */
867	ret = extractSKs(f, unalloc_cells, unalloc_sks);
868	if(ret != 0)
869	{
870	fprintf(stderr, "ERROR: extractSKs() failed with %d.\n", ret);
871	return ret;
872	}
873
874	/* Now that we're done carving, associate recovered keys with parents,
875	* if at all possible.
876	*/
877	num_unalloc_keys = range_list_size(unalloc_keys);
878	parent_paths = (char*)malloc(sizeof(char)*num_unalloc_keys);
879	if(parent_paths == NULL)
880	return 10;
881
882	for(i=0; i < num_unalloc_keys; i++)
883	{
884	cur_elem = range_list_get(unalloc_keys, i);
885	tmp_key = (REGF_NK_REC*)cur_elem->data;
886
887	if(tmp_key == NULL)
888	return 20;
889
890	parent_paths[i] = getParentPath(f, tmp_key);
891	if(parent_paths[i] == NULL)
892	return 20;
893	}
894
895	/* Now start the output */
896
897	for(i=0; i < num_unalloc_keys; i++)
898	{
899	cur_elem = range_list_get(unalloc_keys, i);
900	tmp_key = (REGF_NK_REC*)cur_elem->data;
901
902	printKey(f, tmp_key, parent_paths[i]);
903	if(tmp_key->num_values > 0 && tmp_key->values != NULL)
904	{
905	tmp_name = quote_string(tmp_key->keyname, key_special_chars);
906	tmp_path = (char*)malloc(strlen(parent_paths[i])+strlen(tmp_name)+2);
907	if(tmp_path == NULL)
908	return 10;
909	sprintf(tmp_path, "%s/%s", parent_paths[i], tmp_name);
910	for(j=0; j < tmp_key->num_values; j++)
911	{
912	tmp_value = tmp_key->values[j];
913	if(tmp_value != NULL)
914	printValue(f, tmp_value, tmp_path);
915	}
916	free(tmp_path);
917	free(tmp_name);
918	free(parent_paths[i]);
919	}
920	}
921	free(parent_paths);
922
923	/* Print out orphaned values */
924	for(i=0; i < range_list_size(unalloc_values); i++)
925	{
926	cur_elem = range_list_get(unalloc_values, i);
927	tmp_value = (REGF_VK_REC*)cur_elem->data;
928
929	printValue(f, tmp_value, "");
930	}
931
932	/*XXX
933	for(i=0,j=0; i < range_list_size(unalloc_cells); i++)
934	{
935	cur_elem = range_list_get(unalloc_cells, i);
936	j+=cur_elem->length;
937	}
938	printf("PARSED_UNALLOC=%d\n", k-j);
939	XXX*/
940
941	if(print_leftover)
942	{
943	for(i=0; i < range_list_size(unalloc_cells); i++)
944	{
945	cur_elem = range_list_get(unalloc_cells, i);
946	printCell(f, cur_elem->offset);
947	}
948	}
949
950	/*
951	printf("Analyzing test_offset...\n");
952	if((tmp_key = regfi_parse_nk(f, test_offset, 4096, false)) != NULL)
953	regfi_print_nk(tmp_key);
954	else
955	dump_cell(f->fd, test_offset);
956	*/
957
958	return 0;
959	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: