Context Navigation

source: trunk/src/reglookup-recover.c @ 121

Last change on this file since 121 was 121, checked in by tim, 16 years ago
fixed minor path/type filter bug in reglookup misc code cleanups
Property svn:keywords set to `Id`
File size: 22.6 KB

Line
1	/*
2	* This program attempts to recover deleted data structures in a registry hive.
3	*
4	* Copyright (C) 2008 Timothy D. Morgan
5	*
6	* This program is free software; you can redistribute it and/or modify
7	* it under the terms of the GNU General Public License as published by
8	* the Free Software Foundation; version 3 of the License.
9	*
10	* This program is distributed in the hope that it will be useful,
11	* but WITHOUT ANY WARRANTY; without even the implied warranty of
12	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13	* GNU General Public License for more details.
14	*
15	* You should have received a copy of the GNU General Public License
16	* along with this program; if not, write to the Free Software
17	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
18	*
19	* $Id: reglookup-recover.c 121 2008-08-09 17:22:26Z tim $
20	*/
21
22	#include <stdio.h>
23	#include <stdlib.h>
24	#include <sysexits.h>
25
26	#include "../include/regfi.h"
27	#include "../include/range_list.h"
28	#include "../include/lru_cache.h"
29
30
31	/* Globals, influenced by command line parameters */
32	bool print_verbose = false;
33	bool print_security = false;
34	bool print_header = true;
35	bool print_leftover = false;
36	bool print_parsedraw = false;
37	char* registry_file = NULL;
38
39	#include "common.c"
40
41
42	char* getQuotedData(int fd, uint32 offset, uint32 length)
43	{
44	uint8* buf;
45	char* quoted_buf;
46	uint32 len;
47
48	if((lseek(fd, offset, SEEK_SET)) == -1)
49	return NULL;
50
51	buf = (uint8*)malloc(length);
52	if(buf == NULL)
53	return NULL;
54
55	len = length;
56	if((regfi_read(fd, buf, &length) != 0) \|\| length != len)
57	{
58	free(buf);
59	return NULL;
60	}
61
62	quoted_buf = quote_buffer(buf, length, common_special_chars);
63	free(buf);
64
65	return quoted_buf;
66	}
67
68
69	void printKey(REGF_FILE* f, REGF_NK_REC* nk, const char* prefix)
70	{
71	char mtime[20];
72	time_t tmp_time[1];
73	struct tm* tmp_time_s = NULL;
74	char* quoted_name = NULL;
75	char* quoted_raw = "";
76
77	*tmp_time = nt_time_to_unix(&nk->mtime);
78	tmp_time_s = gmtime(tmp_time);
79	strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s);
80
81	quoted_name = quote_string(nk->keyname, key_special_chars);
82	if (quoted_name == NULL)
83	{
84	quoted_name = malloc(1*sizeof(char));
85	if(quoted_name == NULL)
86	bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
87	quoted_name[0] = '\0';
88
89	fprintf(stderr, "WARNING: NULL key name in NK record at offset %.8X.\n",
90	nk->offset);
91	}
92
93	if(print_parsedraw)
94	quoted_raw = getQuotedData(f->fd, nk->offset, nk->cell_size);
95
96	printf("%.8X,%.8X,KEY,%s,%s,%s,%d,,,,,,,,%s\n", nk->offset, nk->cell_size,
97	prefix, quoted_name, mtime, nk->num_values, quoted_raw);
98
99	if(print_parsedraw)
100	free(quoted_raw);
101	}
102
103
104	void printValue(REGF_FILE* f, const REGF_VK_REC* vk, const char* prefix)
105	{
106	char* quoted_value = NULL;
107	char* quoted_name = NULL;
108	char* quoted_raw = "";
109	char* conv_error = NULL;
110	const char* str_type = NULL;
111	uint32 size = vk->data_size;
112
113	/* Microsoft's documentation indicates that "available memory" is
114	* the limit on value sizes. Annoying. We limit it to 1M which
115	* should rarely be exceeded, unless the file is corrupt or
116	* malicious. For more info, see:
117	* http://msdn2.microsoft.com/en-us/library/ms724872.aspx
118	*/
119	/* XXX: Should probably do something different here for this tool.
120	* Also, It would be really nice if this message somehow included the
121	* name of the current value we're having trouble with, since
122	* stderr/stdout don't always sync nicely.
123	*/
124	if(size > VK_MAX_DATA_LENGTH)
125	{
126	fprintf(stderr, "WARNING: value data size %d larger than "
127	"%d, truncating...\n", size, VK_MAX_DATA_LENGTH);
128	size = VK_MAX_DATA_LENGTH;
129	}
130
131	quoted_name = quote_string(vk->valuename, key_special_chars);
132	if (quoted_name == NULL)
133	{ /* Value names are NULL when we're looking at the "(default)" value.
134	* Currently we just return a 0-length string to try an eliminate
135	* ambiguity with a literal "(default)" value. The data type of a line
136	* in the output allows one to differentiate between the parent key and
137	* this value.
138	*/
139	quoted_name = malloc(1*sizeof(char));
140	if(quoted_name == NULL)
141	bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
142	quoted_name[0] = '\0';
143	}
144
145	quoted_value = data_to_ascii(vk->data, size, vk->type, &conv_error);
146	if(quoted_value == NULL)
147	{
148	quoted_value = malloc(1*sizeof(char));
149	if(quoted_value == NULL)
150	bailOut(EX_OSERR, "ERROR: Could not allocate sufficient memory.\n");
151	quoted_value[0] = '\0';
152
153	if(conv_error == NULL)
154	fprintf(stderr, "WARNING: Could not quote value for '%s/%s'. "
155	"Memory allocation failure likely.\n", prefix, quoted_name);
156	else if(print_verbose)
157	fprintf(stderr, "WARNING: Could not quote value for '%s/%s'. "
158	"Returned error: %s\n", prefix, quoted_name, conv_error);
159	}
160	/* XXX: should these always be printed? */
161	else if(conv_error != NULL && print_verbose)
162	fprintf(stderr, "VERBOSE: While quoting value for '%s/%s', "
163	"warning returned: %s\n", prefix, quoted_name, conv_error);
164
165
166	if(print_parsedraw)
167	quoted_raw = getQuotedData(f->fd, vk->offset, vk->cell_size);
168
169	str_type = regfi_type_val2str(vk->type);
170	if(str_type == NULL)
171	printf("%.8X,%.8X,VALUE,%s,%s,,,0x%.8X,%s,%d,,,,,%s\n",
172	vk->offset, vk->cell_size, prefix, quoted_name,
173	vk->type, quoted_value, vk->data_size, quoted_raw);
174	else
175	printf("%.8X,%.8X,VALUE,%s,%s,,,%s,%s,%d,,,,,%s\n",
176	vk->offset, vk->cell_size, prefix, quoted_name,
177	str_type, quoted_value, vk->data_size, quoted_raw);
178
179	if(print_parsedraw)
180	free(quoted_raw);
181	if(quoted_value != NULL)
182	free(quoted_value);
183	if(quoted_name != NULL)
184	free(quoted_name);
185	if(conv_error != NULL)
186	free(conv_error);
187	}
188
189
190	void printSK(REGF_FILE* f, REGF_SK_REC* sk)
191	{
192	char* quoted_raw = NULL;
193	char* empty_str = "";
194	char* owner = regfi_get_owner(sk->sec_desc);
195	char* group = regfi_get_group(sk->sec_desc);
196	char* sacl = regfi_get_sacl(sk->sec_desc);
197	char* dacl = regfi_get_dacl(sk->sec_desc);
198
199	if(print_parsedraw)
200	quoted_raw = getQuotedData(f->fd, sk->offset, sk->cell_size);
201
202	if(owner == NULL)
203	owner = empty_str;
204	if(group == NULL)
205	group = empty_str;
206	if(sacl == NULL)
207	sacl = empty_str;
208	if(dacl == NULL)
209	dacl = empty_str;
210
211	printf("%.8X,%.8X,SK,,,,,,,,%s,%s,%s,%s,%s\n", sk->offset, sk->cell_size,
212	owner, group, sacl, dacl, quoted_raw);
213
214	if(owner != empty_str)
215	free(owner);
216	if(group != empty_str)
217	free(group);
218	if(sacl != empty_str)
219	free(sacl);
220	if(dacl != empty_str)
221	free(dacl);
222
223	if(print_parsedraw)
224	free(quoted_raw);
225	}
226
227
228	int printCell(REGF_FILE* f, uint32 offset)
229	{
230	char* quoted_buf;
231	uint32 cell_length;
232	bool unalloc;
233
234	if(!regfi_parse_cell(f->fd, offset, NULL, 0, &cell_length, &unalloc))
235	return 1;
236
237	quoted_buf = getQuotedData(f->fd, offset, cell_length);
238	if(quoted_buf == NULL)
239	return 2;
240
241	printf("%.8X,%.8X,RAW,,,,,,,,,,,,%s\n", offset, cell_length, quoted_buf);
242
243	free(quoted_buf);
244	return 0;
245	}
246
247
248	/* This function returns a properly quoted parent path or partial parent
249	* path for a given key. Returns NULL on error, "" if no path was available.
250	* Paths returned must be free()d.
251	*/
252	/* XXX: This is not terribly efficient, as it may reparse many keys
253	* repeatedly. Should try to add caching. Also, piecing the path
254	* together is slow and redundant.
255	*/
256	char* getParentPath(REGF_FILE* f, REGF_NK_REC* nk)
257	{
258	void_stack* path_stack = void_stack_new(REGF_MAX_DEPTH);
259	REGF_HBIN* hbin;
260	REGF_NK_REC* cur_ancestor;
261	char* ret_val;
262	char* path_element;
263	char* tmp_str;
264	uint32 virt_offset, i, stack_size, ret_val_size, ret_val_left, element_size;
265	uint32 max_length;
266
267	/* The path_stack size limit should guarantee that we don't recurse forever. */
268	virt_offset = nk->parent_off;
269	while(virt_offset != REGF_OFFSET_NONE)
270	{
271	hbin = regfi_lookup_hbin(f, virt_offset);
272	if(hbin == NULL)
273	virt_offset = REGF_OFFSET_NONE;
274	else
275	{
276	max_length = hbin->block_size + hbin->file_off
277	- (virt_offset+REGF_BLOCKSIZE);
278	cur_ancestor = regfi_parse_nk(f, virt_offset+REGF_BLOCKSIZE,
279	max_length, true);
280	if(cur_ancestor == NULL)
281	virt_offset = REGF_OFFSET_NONE;
282	else
283	{
284	if(cur_ancestor->key_type == NK_TYPE_ROOTKEY)
285	virt_offset = REGF_OFFSET_NONE;
286	else
287	virt_offset = cur_ancestor->parent_off;
288
289	path_element = quote_string(cur_ancestor->keyname, key_special_chars);
290	if(path_element == NULL \|\| !void_stack_push(path_stack, path_element))
291	{
292	free(cur_ancestor->keyname);
293	free(cur_ancestor);
294	void_stack_free_deep(path_stack);
295	return NULL;
296	}
297
298	regfi_key_free(cur_ancestor);
299	}
300	}
301	}
302
303	stack_size = void_stack_size(path_stack);
304	ret_val_size = 16*stack_size;
305	if(ret_val_size == 0)
306	ret_val_size = 1;
307	ret_val_left = ret_val_size;
308	ret_val = malloc(ret_val_size);
309	if(ret_val == NULL)
310	{
311	void_stack_free_deep(path_stack);
312	return NULL;
313	}
314	ret_val[0] = '\0';
315
316	for(i=0; i<stack_size; i++)
317	{
318	path_element = void_stack_pop(path_stack);
319	element_size = strlen(path_element);
320	if(ret_val_left < element_size+2)
321	{
322	ret_val_size += element_size+16;
323	ret_val_left += element_size+16;
324	tmp_str = (char*)realloc(ret_val, ret_val_size);
325	if(tmp_str == NULL)
326	{
327	free(ret_val);
328	void_stack_free_deep(path_stack);
329	return NULL;
330	}
331	ret_val = tmp_str;
332	}
333
334	ret_val_left -= snprintf(ret_val+ret_val_size-ret_val_left,ret_val_left, "/%s", path_element);
335	free(path_element);
336	}
337	void_stack_free(path_stack);
338
339	return ret_val;
340	}
341
342
343	static void usage(void)
344	{
345	fprintf(stderr, "Usage: reglookup-recover [options] <REGISTRY_FILE>\n");
346	fprintf(stderr, "Version: %s\n", REGLOOKUP_VERSION);
347	fprintf(stderr, "Options:\n");
348	fprintf(stderr, "\t-v\t sets verbose mode.\n");
349	fprintf(stderr, "\t-h\t enables header row. (default)\n");
350	fprintf(stderr, "\t-H\t disables header row.\n");
351	fprintf(stderr, "\t-l\t enables leftover(raw) cell output.\n");
352	fprintf(stderr, "\t-L\t disables leftover(raw) cell output. (default)\n");
353	fprintf(stderr, "\t-r\t enables raw cell output for parsed cells.\n");
354	fprintf(stderr, "\t-R\t disables raw cell output for parsed cells. (default)\n");
355	fprintf(stderr, "\n");
356	}
357
358
359	bool removeRange(range_list* rl, uint32 offset, uint32 length)
360	{
361	int32 rm_idx;
362	const range_list_element* cur_elem;
363
364	rm_idx = range_list_find(rl, offset);
365	if(rm_idx < 0)
366	{
367	fprintf(stderr, "DEBUG: removeRange: rm_idx < 0; (%d)\n", rm_idx);
368	return false;
369	}
370
371	cur_elem = range_list_get(rl, rm_idx);
372	if(cur_elem == NULL)
373	{
374	fprintf(stderr, "DEBUG: removeRange: cur_elem == NULL. rm_idx=%d\n", rm_idx);
375	return false;
376	}
377
378	if(offset > cur_elem->offset)
379	{
380	if(!range_list_split_element(rl, rm_idx, offset))
381	{
382	fprintf(stderr, "DEBUG: removeRange: first split failed\n");
383	return false;
384	}
385	rm_idx++;
386	cur_elem = range_list_get(rl, rm_idx);
387	if(cur_elem == NULL)
388	{
389	fprintf(stderr,
390	"DEBUG: removeRange: cur_elem == NULL after first split. rm_idx=%d\n",
391	rm_idx);
392	return false;
393	}
394	}
395
396	if(offset+length < cur_elem->offset+cur_elem->length)
397	{
398	if(!range_list_split_element(rl, rm_idx, offset+length))
399	{
400	fprintf(stderr, "DEBUG: removeRange: second split failed\n");
401	return false;
402	}
403	}
404
405	if(!range_list_remove(rl, rm_idx))
406	{
407	fprintf(stderr, "DEBUG: removeRange: remove failed\n");
408	return false;
409	}
410
411	return true;
412	}
413
414
415	/* NOTE: unalloc_keys should be an empty range_list. */
416	int extractKeys(REGF_FILE* f,
417	range_list* unalloc_cells,
418	range_list* unalloc_keys)
419	{
420	const range_list_element* cur_elem;
421	REGF_NK_REC* key;
422	uint32 i, j;
423
424	for(i=0; i < range_list_size(unalloc_cells); i++)
425	{
426	cur_elem = range_list_get(unalloc_cells, i);
427	for(j=0; cur_elem->length > REGFI_NK_MIN_LENGTH
428	&& j <= cur_elem->length-REGFI_NK_MIN_LENGTH; j+=8)
429	{
430	key = regfi_parse_nk(f, cur_elem->offset+j,
431	cur_elem->length-j, false);
432	if(key != NULL)
433	{
434	if(!range_list_add(unalloc_keys, key->offset,
435	key->cell_size, key))
436	{
437	fprintf(stderr, "ERROR: Couldn't add key to unalloc_keys.\n");
438	return 20;
439	}
440	j+=key->cell_size-8;
441	}
442	}
443	}
444
445	for(i=0; i<range_list_size(unalloc_keys); i++)
446	{
447	cur_elem = range_list_get(unalloc_keys, i);
448	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
449	return 30;
450	}
451
452	return 0;
453	}
454
455
456	int extractValueLists(REGF_FILE* f,
457	range_list* unalloc_cells,
458	range_list* unalloc_keys)
459	{
460	REGF_NK_REC* nk;
461	REGF_HBIN* hbin;
462	const range_list_element* cur_elem;
463	uint32 i, j, num_keys, off, values_length, max_length;
464
465	num_keys=range_list_size(unalloc_keys);
466	for(i=0; i<num_keys; i++)
467	{
468	cur_elem = range_list_get(unalloc_keys, i);
469	if(cur_elem == NULL)
470	return 10;
471	nk = cur_elem->data;
472
473	if(nk->num_values && (nk->values_off!=REGF_OFFSET_NONE))
474	{
475	hbin = regfi_lookup_hbin(f, nk->values_off);
476
477	if(hbin != NULL)
478	{
479	off = nk->values_off + REGF_BLOCKSIZE;
480	max_length = hbin->block_size + hbin->file_off - off;
481	/* XXX: This is a hack. We parse all value-lists, VK records,
482	* and data records without regard for current allocation status.
483	* On the off chance that such a record correctly parsed but is
484	* actually a reallocated structure used by something else, we
485	* simply prune it after the fact. Would be faster to check this
486	* up front somehow.
487	*/
488	nk->values = regfi_load_valuelist(f, off, nk->num_values, max_length,
489	false);
490	values_length = (nk->num_values+1)*sizeof(uint32);
491	if(values_length != (values_length & 0xFFFFFFF8))
492	values_length = (values_length & 0xFFFFFFF8) + 8;
493
494	if(nk->values != NULL)
495	{
496	if(!range_list_has_range(unalloc_cells, off, values_length))
497	{ /* We've parsed a values-list which isn't in the unallocated list,
498	* so prune it.
499	*/
500	for(j=0; j<nk->num_values; j++)
501	{
502	if(nk->values[j] != NULL)
503	{
504	if(nk->values[j]->data != NULL)
505	free(nk->values[j]->data);
506	free(nk->values[j]);
507	}
508	}
509	free(nk->values);
510	nk->values = NULL;
511	}
512	else
513	{ /* Values-list was recovered. Remove from unalloc_cells and
514	* inspect values.
515	*/
516	if(!removeRange(unalloc_cells, off, values_length))
517	return 20;
518
519	for(j=0; j < nk->num_values; j++)
520	{
521	if(nk->values[j] != NULL)
522	{
523	if(!range_list_has_range(unalloc_cells, nk->values[j]->offset,
524	nk->values[j]->cell_size))
525	{ /* We've parsed a value which isn't in the unallocated list,
526	* so prune it.
527	*/
528	if(nk->values[j]->data != NULL)
529	free(nk->values[j]->data);
530	free(nk->values[j]);
531	nk->values[j] = NULL;
532	}
533	else
534	{
535	/* A VK record was recovered. Remove from unalloc_cells
536	* and inspect data.
537	*/
538	if(!removeRange(unalloc_cells, nk->values[j]->offset,
539	nk->values[j]->cell_size))
540	return 21;
541
542	/* Don't bother pruning or removing from unalloc_cells if
543	* there is no data, or it is stored in the offset.
544	*/
545	if(nk->values[j]->data != NULL && !nk->values[j]->data_in_offset)
546	{
547	off = nk->values[j]->data_off+REGF_BLOCKSIZE;
548	if(!range_list_has_range(unalloc_cells, off,
549	nk->values[j]->data_size))
550	{ /* We've parsed a data cell which isn't in the unallocated
551	* list, so prune it.
552	*/
553	free(nk->values[j]->data);
554	nk->values[j]->data = NULL;
555	}
556	else
557	{ /A data record was recovered. Remove from unalloc_cells./
558	if(!removeRange(unalloc_cells, off,
559	nk->values[j]->data_size))
560	return 22;
561	}
562	}
563	}
564	}
565	}
566	}
567	}
568	}
569	}
570	}
571
572	return 0;
573	}
574
575
576	/* NOTE: unalloc_values should be an empty range_list. */
577	int extractValues(REGF_FILE* f,
578	range_list* unalloc_cells,
579	range_list* unalloc_values)
580	{
581	const range_list_element* cur_elem;
582	REGF_VK_REC* vk;
583	uint32 i, j, off;
584
585	for(i=0; i < range_list_size(unalloc_cells); i++)
586	{
587	cur_elem = range_list_get(unalloc_cells, i);
588	for(j=0; j <= cur_elem->length; j+=8)
589	{
590	vk = regfi_parse_vk(f, cur_elem->offset+j,
591	cur_elem->length-j, false);
592	if(vk != NULL)
593	{
594	if(!range_list_add(unalloc_values, vk->offset,
595	vk->cell_size, vk))
596	{
597	fprintf(stderr, "ERROR: Couldn't add value to unalloc_values.\n");
598	return 20;
599	}
600	j+=vk->cell_size-8;
601	}
602	}
603	}
604
605	/* Remove value ranges from the unalloc_cells before we continue. */
606	for(i=0; i<range_list_size(unalloc_values); i++)
607	{
608	cur_elem = range_list_get(unalloc_values, i);
609	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
610	return 30;
611	}
612
613	/* Now see if the data associated with each value is intact */
614	for(i=0; i<range_list_size(unalloc_values); i++)
615	{
616	cur_elem = range_list_get(unalloc_values, i);
617	vk = (REGF_VK_REC*)cur_elem->data;
618	if(vk == NULL)
619	return 40;
620
621	if(vk->data != NULL && !vk->data_in_offset)
622	{
623	off = vk->data_off+REGF_BLOCKSIZE;
624	if(!range_list_has_range(unalloc_cells, off, vk->data_size))
625	{ /* We've parsed a data cell which isn't in the unallocated
626	* list, so prune it.
627	*/
628	free(vk->data);
629	vk->data = NULL;
630	}
631	else
632	{ /A data record was recovered. Remove from unalloc_cells./
633	if(!removeRange(unalloc_cells, off, vk->data_size))
634	return 50;
635	}
636	}
637	}
638
639	return 0;
640	}
641
642
643	/* NOTE: unalloc_sks should be an empty range_list. */
644	int extractSKs(REGF_FILE* f,
645	range_list* unalloc_cells,
646	range_list* unalloc_sks)
647	{
648	const range_list_element* cur_elem;
649	REGF_SK_REC* sk;
650	uint32 i, j;
651
652	for(i=0; i < range_list_size(unalloc_cells); i++)
653	{
654	cur_elem = range_list_get(unalloc_cells, i);
655	for(j=0; j <= cur_elem->length; j+=8)
656	{
657	sk = regfi_parse_sk(f, cur_elem->offset+j,
658	cur_elem->length-j, false);
659	if(sk != NULL)
660	{
661	if(!range_list_add(unalloc_sks, sk->offset,
662	sk->cell_size, sk))
663	{
664	fprintf(stderr, "ERROR: Couldn't add sk to unalloc_sks.\n");
665	return 20;
666	}
667	j+=sk->cell_size-8;
668	}
669	}
670	}
671
672	for(i=0; i<range_list_size(unalloc_sks); i++)
673	{
674	cur_elem = range_list_get(unalloc_sks, i);
675	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
676	return 30;
677	}
678
679	return 0;
680	}
681
682
683	int main(int argc, char** argv)
684	{
685	REGF_FILE* f;
686	const range_list_element* cur_elem;
687	range_list* unalloc_cells;
688	range_list* unalloc_keys;
689	range_list* unalloc_values;
690	range_list* unalloc_sks;
691	char** parent_paths;
692	char* tmp_name;
693	char* tmp_path;
694	REGF_NK_REC* tmp_key;
695	REGF_VK_REC* tmp_value;
696	uint32 argi, arge, i, j, ret, num_unalloc_keys;
697	/* uint32 test_offset;*/
698
699	/* Process command line arguments */
700	if(argc < 2)
701	{
702	usage();
703	bailOut(EX_USAGE, "ERROR: Requires at least one argument.\n");
704	}
705
706	arge = argc-1;
707	for(argi = 1; argi < arge; argi++)
708	{
709	if (strcmp("-v", argv[argi]) == 0)
710	print_verbose = true;
711	else if (strcmp("-h", argv[argi]) == 0)
712	print_header = true;
713	else if (strcmp("-H", argv[argi]) == 0)
714	print_header = false;
715	else if (strcmp("-l", argv[argi]) == 0)
716	print_leftover = true;
717	else if (strcmp("-L", argv[argi]) == 0)
718	print_leftover = false;
719	else if (strcmp("-r", argv[argi]) == 0)
720	print_parsedraw = true;
721	else if (strcmp("-R", argv[argi]) == 0)
722	print_parsedraw = false;
723	else
724	{
725	usage();
726	fprintf(stderr, "ERROR: Unrecognized option: %s\n", argv[argi]);
727	bailOut(EX_USAGE, "");
728	}
729	}
730	/test_offset = strtol(argv[argi++], NULL, 16);/
731
732	if((registry_file = strdup(argv[argi])) == NULL)
733	bailOut(EX_OSERR, "ERROR: Memory allocation problem.\n");
734
735	f = regfi_open(registry_file);
736	if(f == NULL)
737	{
738	fprintf(stderr, "ERROR: Couldn't open registry file: %s\n", registry_file);
739	bailOut(EX_NOINPUT, "");
740	}
741
742	if(print_header)
743	printf("OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME,"
744	"NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN,"
745	"SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL\n");
746
747	unalloc_cells = regfi_parse_unalloc_cells(f);
748	if(unalloc_cells == NULL)
749	{
750	fprintf(stderr, "ERROR: Could not obtain list of unallocated cells.\n");
751	return 1;
752	}
753
754	unalloc_keys = range_list_new();
755	if(unalloc_keys == NULL)
756	return 10;
757
758	unalloc_values = range_list_new();
759	if(unalloc_values == NULL)
760	return 10;
761
762	unalloc_sks = range_list_new();
763	if(unalloc_sks == NULL)
764	return 10;
765
766	ret = extractKeys(f, unalloc_cells, unalloc_keys);
767	if(ret != 0)
768	{
769	fprintf(stderr, "ERROR: extractKeys() failed with %d.\n", ret);
770	return ret;
771	}
772
773	ret = extractValueLists(f, unalloc_cells, unalloc_keys);
774	if(ret != 0)
775	{
776	fprintf(stderr, "ERROR: extractValueLists() failed with %d.\n", ret);
777	return ret;
778	}
779
780	/* Carve any orphan values and associated data */
781	ret = extractValues(f, unalloc_cells, unalloc_values);
782	if(ret != 0)
783	{
784	fprintf(stderr, "ERROR: extractValues() failed with %d.\n", ret);
785	return ret;
786	}
787
788	/* Carve any SK records */
789	ret = extractSKs(f, unalloc_cells, unalloc_sks);
790	if(ret != 0)
791	{
792	fprintf(stderr, "ERROR: extractSKs() failed with %d.\n", ret);
793	return ret;
794	}
795
796	/* Now that we're done carving, associate recovered keys with parents,
797	* if at all possible.
798	*/
799	num_unalloc_keys = range_list_size(unalloc_keys);
800	parent_paths = (char*)malloc(sizeof(char)*num_unalloc_keys);
801	if(parent_paths == NULL)
802	return 10;
803
804	for(i=0; i < num_unalloc_keys; i++)
805	{
806	cur_elem = range_list_get(unalloc_keys, i);
807	tmp_key = (REGF_NK_REC*)cur_elem->data;
808
809	if(tmp_key == NULL)
810	return 20;
811
812	parent_paths[i] = getParentPath(f, tmp_key);
813	if(parent_paths[i] == NULL)
814	return 20;
815	}
816
817	/* Now start the output */
818
819	for(i=0; i < num_unalloc_keys; i++)
820	{
821	cur_elem = range_list_get(unalloc_keys, i);
822	tmp_key = (REGF_NK_REC*)cur_elem->data;
823
824	printKey(f, tmp_key, parent_paths[i]);
825	if(tmp_key->num_values > 0 && tmp_key->values != NULL)
826	{
827	tmp_name = quote_string(tmp_key->keyname, key_special_chars);
828	tmp_path = (char*)malloc(strlen(parent_paths[i])+strlen(tmp_name)+2);
829	if(tmp_path == NULL)
830	return 10;
831	sprintf(tmp_path, "%s/%s", parent_paths[i], tmp_name);
832	for(j=0; j < tmp_key->num_values; j++)
833	{
834	tmp_value = tmp_key->values[j];
835	if(tmp_value != NULL)
836	printValue(f, tmp_value, tmp_path);
837	}
838	free(tmp_path);
839	free(tmp_name);
840	free(parent_paths[i]);
841	}
842	}
843	free(parent_paths);
844
845	/* Print out orphaned values */
846	for(i=0; i < range_list_size(unalloc_values); i++)
847	{
848	cur_elem = range_list_get(unalloc_values, i);
849	tmp_value = (REGF_VK_REC*)cur_elem->data;
850
851	printValue(f, tmp_value, "");
852	}
853
854	if(print_leftover)
855	{
856	for(i=0; i < range_list_size(unalloc_cells); i++)
857	{
858	cur_elem = range_list_get(unalloc_cells, i);
859	printCell(f, cur_elem->offset);
860	}
861	}
862
863	return 0;
864	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: