Context Navigation

source: trunk/src/reglookup-recover.c @ 148

Last change on this file since 148 was 148, checked in by tim, 15 years ago

integrated talloc into range_list

fixed some uninitialized structure values in the winsec library

Property svn:keywords set to Id

File size: 23.9 KB

Line
1	/*
2	* This program attempts to recover deleted data structures in a registry hive.
3	*
4	* Copyright (C) 2008-2009 Timothy D. Morgan
5	*
6	* This program is free software; you can redistribute it and/or modify
7	* it under the terms of the GNU General Public License as published by
8	* the Free Software Foundation; version 3 of the License.
9	*
10	* This program is distributed in the hope that it will be useful,
11	* but WITHOUT ANY WARRANTY; without even the implied warranty of
12	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13	* GNU General Public License for more details.
14	*
15	* You should have received a copy of the GNU General Public License
16	* along with this program; if not, write to the Free Software
17	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
18	*
19	* $Id: reglookup-recover.c 148 2009-02-22 23:22:59Z tim $
20	*/
21
22	#include <stdio.h>
23	#include <stdlib.h>
24
25	#include "talloc.h"
26	#include "regfi.h"
27	#include "range_list.h"
28	#include "lru_cache.h"
29
30
31	/* Globals, influenced by command line parameters */
32	bool print_verbose = false;
33	bool print_security = false;
34	bool print_header = true;
35	bool print_leftover = false;
36	bool print_parsedraw = false;
37	char* registry_file = NULL;
38
39	#include "common.c"
40
41
42	char* getQuotedData(int fd, uint32 offset, uint32 length)
43	{
44	uint8* buf;
45	char* quoted_buf;
46	uint32 len;
47
48	if((lseek(fd, offset, SEEK_SET)) == -1)
49	return NULL;
50
51	buf = (uint8*)malloc(length);
52	if(buf == NULL)
53	return NULL;
54
55	len = length;
56	if((regfi_read(fd, buf, &length) != 0) \|\| length != len)
57	{
58	free(buf);
59	return NULL;
60	}
61
62	quoted_buf = quote_buffer(buf, length, common_special_chars);
63	free(buf);
64
65	return quoted_buf;
66	}
67
68
69	void printKey(REGFI_FILE* f, REGFI_NK_REC* nk, const char* prefix)
70	{
71	char mtime[20];
72	time_t tmp_time[1];
73	struct tm* tmp_time_s = NULL;
74	char* quoted_name = NULL;
75	char* quoted_raw = "";
76
77	*tmp_time = nt_time_to_unix(&nk->mtime);
78	tmp_time_s = gmtime(tmp_time);
79	strftime(mtime, sizeof(mtime), "%Y-%m-%d %H:%M:%S", tmp_time_s);
80
81	quoted_name = quote_string(nk->keyname, key_special_chars);
82	if (quoted_name == NULL)
83	{
84	quoted_name = malloc(1*sizeof(char));
85	if(quoted_name == NULL)
86	bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n");
87	quoted_name[0] = '\0';
88
89	fprintf(stderr, "WARN: NULL key name in NK record at offset %.8X.\n",
90	nk->offset);
91	}
92
93	if(print_parsedraw)
94	quoted_raw = getQuotedData(f->fd, nk->offset, nk->cell_size);
95
96	printf("%.8X,%.8X,KEY,%s,%s,%s,%d,,,,,,,,%s\n", nk->offset, nk->cell_size,
97	prefix, quoted_name, mtime, nk->num_values, quoted_raw);
98
99	if(print_parsedraw)
100	free(quoted_raw);
101	free(quoted_name);
102	}
103
104
105	void printValue(REGFI_FILE* f, const REGFI_VK_REC* vk, const char* prefix)
106	{
107	char* quoted_value = NULL;
108	char* quoted_name = NULL;
109	char* quoted_raw = "";
110	char* conv_error = NULL;
111	const char* str_type = NULL;
112	uint32 size = vk->data_size;
113
114	/* Microsoft's documentation indicates that "available memory" is
115	* the limit on value sizes. Annoying. We limit it to 1M which
116	* should rarely be exceeded, unless the file is corrupt or
117	* malicious. For more info, see:
118	* http://msdn2.microsoft.com/en-us/library/ms724872.aspx
119	*/
120	/* XXX: Should probably do something different here for this tool.
121	* Also, It would be really nice if this message somehow included the
122	* name of the current value we're having trouble with, since
123	* stderr/stdout don't always sync nicely.
124	*/
125	if(size > REGFI_VK_MAX_DATA_LENGTH)
126	{
127	fprintf(stderr, "WARN: value data size %d larger than "
128	"%d, truncating...\n", size, REGFI_VK_MAX_DATA_LENGTH);
129	size = REGFI_VK_MAX_DATA_LENGTH;
130	}
131
132	quoted_name = quote_string(vk->valuename, key_special_chars);
133	if (quoted_name == NULL)
134	{ /* Value names are NULL when we're looking at the "(default)" value.
135	* Currently we just return a 0-length string to try an eliminate
136	* ambiguity with a literal "(default)" value. The data type of a line
137	* in the output allows one to differentiate between the parent key and
138	* this value.
139	*/
140	quoted_name = malloc(1*sizeof(char));
141	if(quoted_name == NULL)
142	bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n");
143	quoted_name[0] = '\0';
144	}
145
146	quoted_value = data_to_ascii(vk->data, size, vk->type, &conv_error);
147	if(quoted_value == NULL)
148	{
149	quoted_value = malloc(1*sizeof(char));
150	if(quoted_value == NULL)
151	bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Could not allocate sufficient memory.\n");
152	quoted_value[0] = '\0';
153
154	if(conv_error == NULL)
155	fprintf(stderr, "WARN: Could not quote value for '%s/%s'. "
156	"Memory allocation failure likely.\n", prefix, quoted_name);
157	else if(print_verbose)
158	fprintf(stderr, "WARN: Could not quote value for '%s/%s'. "
159	"Returned error: %s\n", prefix, quoted_name, conv_error);
160	}
161	/* XXX: should these always be printed? */
162	else if(conv_error != NULL && print_verbose)
163	fprintf(stderr, "INFO: While quoting value for '%s/%s', "
164	"warning returned: %s\n", prefix, quoted_name, conv_error);
165
166
167	if(print_parsedraw)
168	quoted_raw = getQuotedData(f->fd, vk->offset, vk->cell_size);
169
170	str_type = regfi_type_val2str(vk->type);
171	if(str_type == NULL)
172	printf("%.8X,%.8X,VALUE,%s,%s,,,0x%.8X,%s,%d,,,,,%s\n",
173	vk->offset, vk->cell_size, prefix, quoted_name,
174	vk->type, quoted_value, vk->data_size, quoted_raw);
175	else
176	printf("%.8X,%.8X,VALUE,%s,%s,,,%s,%s,%d,,,,,%s\n",
177	vk->offset, vk->cell_size, prefix, quoted_name,
178	str_type, quoted_value, vk->data_size, quoted_raw);
179
180	if(print_parsedraw)
181	free(quoted_raw);
182	if(quoted_value != NULL)
183	free(quoted_value);
184	if(quoted_name != NULL)
185	free(quoted_name);
186	if(conv_error != NULL)
187	free(conv_error);
188	}
189
190
191	void printSK(REGFI_FILE* f, REGFI_SK_REC* sk)
192	{
193	char* quoted_raw = NULL;
194	char* empty_str = "";
195	char* owner = regfi_get_owner(sk->sec_desc);
196	char* group = regfi_get_group(sk->sec_desc);
197	char* sacl = regfi_get_sacl(sk->sec_desc);
198	char* dacl = regfi_get_dacl(sk->sec_desc);
199
200	if(print_parsedraw)
201	quoted_raw = getQuotedData(f->fd, sk->offset, sk->cell_size);
202
203	if(owner == NULL)
204	owner = empty_str;
205	if(group == NULL)
206	group = empty_str;
207	if(sacl == NULL)
208	sacl = empty_str;
209	if(dacl == NULL)
210	dacl = empty_str;
211
212	printf("%.8X,%.8X,SK,,,,,,,,%s,%s,%s,%s,%s\n", sk->offset, sk->cell_size,
213	owner, group, sacl, dacl, quoted_raw);
214
215	if(owner != empty_str)
216	free(owner);
217	if(group != empty_str)
218	free(group);
219	if(sacl != empty_str)
220	free(sacl);
221	if(dacl != empty_str)
222	free(dacl);
223
224	if(print_parsedraw)
225	free(quoted_raw);
226	}
227
228
229	int printCell(REGFI_FILE* f, uint32 offset)
230	{
231	char* quoted_buf;
232	uint32 cell_length;
233	bool unalloc;
234
235	if(!regfi_parse_cell(f->fd, offset, NULL, 0, &cell_length, &unalloc))
236	return 1;
237
238	quoted_buf = getQuotedData(f->fd, offset, cell_length);
239	if(quoted_buf == NULL)
240	return 2;
241
242	printf("%.8X,%.8X,RAW,,,,,,,,,,,,%s\n", offset, cell_length, quoted_buf);
243
244	free(quoted_buf);
245	return 0;
246	}
247
248
249	/* This function returns a properly quoted parent path or partial parent
250	* path for a given key. Returns NULL on error, "" if no path was available.
251	* Paths returned must be free()d.
252	*/
253	/* XXX: This is not terribly efficient, as it may reparse many keys
254	* repeatedly. Should try to add caching. Also, piecing the path
255	* together is slow and redundant.
256	*/
257	char* getParentPath(REGFI_FILE* f, REGFI_NK_REC* nk)
258	{
259	void_stack* path_stack = void_stack_new(REGFI_MAX_DEPTH);
260	const REGFI_HBIN* hbin;
261	REGFI_NK_REC* cur_ancestor;
262	char* ret_val;
263	char* path_element;
264	char* tmp_str;
265	uint32 virt_offset, i, stack_size, ret_val_size, ret_val_left, element_size;
266	uint32 max_length;
267
268	/* The path_stack size limit should guarantee that we don't recurse forever. */
269	virt_offset = nk->parent_off;
270	while(virt_offset != REGFI_OFFSET_NONE)
271	{
272	hbin = regfi_lookup_hbin(f, virt_offset);
273	if(hbin == NULL)
274	virt_offset = REGFI_OFFSET_NONE;
275	else
276	{
277	max_length = hbin->block_size + hbin->file_off
278	- (virt_offset+REGFI_REGF_SIZE);
279	cur_ancestor = regfi_parse_nk(f, virt_offset+REGFI_REGF_SIZE,
280	max_length, true);
281	printMsgs(f);
282
283	if(cur_ancestor == NULL)
284	virt_offset = REGFI_OFFSET_NONE;
285	else
286	{
287	if((cur_ancestor->key_type == REGFI_NK_TYPE_ROOTKEY1)
288	\|\| (cur_ancestor->key_type == REGFI_NK_TYPE_ROOTKEY2))
289	virt_offset = REGFI_OFFSET_NONE;
290	else
291	virt_offset = cur_ancestor->parent_off;
292
293	path_element = quote_string(cur_ancestor->keyname, key_special_chars);
294	if(path_element == NULL \|\| !void_stack_push(path_stack, path_element))
295	{
296	free(cur_ancestor->keyname);
297	free(cur_ancestor);
298	void_stack_free_deep(path_stack);
299	return NULL;
300	}
301
302	regfi_key_free(cur_ancestor);
303	}
304	}
305	}
306
307	stack_size = void_stack_size(path_stack);
308	ret_val_size = 16*stack_size;
309	if(ret_val_size == 0)
310	ret_val_size = 1;
311	ret_val_left = ret_val_size;
312	ret_val = malloc(ret_val_size);
313	if(ret_val == NULL)
314	{
315	void_stack_free_deep(path_stack);
316	return NULL;
317	}
318	ret_val[0] = '\0';
319
320	for(i=0; i<stack_size; i++)
321	{
322	path_element = void_stack_pop(path_stack);
323	element_size = strlen(path_element);
324	if(ret_val_left < element_size+2)
325	{
326	ret_val_size += element_size+16;
327	ret_val_left += element_size+16;
328	tmp_str = (char*)realloc(ret_val, ret_val_size);
329	if(tmp_str == NULL)
330	{
331	free(ret_val);
332	void_stack_free_deep(path_stack);
333	return NULL;
334	}
335	ret_val = tmp_str;
336	}
337
338	ret_val_left -= snprintf(ret_val+ret_val_size-ret_val_left,ret_val_left, "/%s", path_element);
339	free(path_element);
340	}
341	void_stack_free(path_stack);
342
343	return ret_val;
344	}
345
346
347	static void usage(void)
348	{
349	fprintf(stderr, "Usage: reglookup-recover [options] <REGISTRY_FILE>\n");
350	fprintf(stderr, "Version: %s\n", REGLOOKUP_VERSION);
351	fprintf(stderr, "Options:\n");
352	fprintf(stderr, "\t-v\t sets verbose mode.\n");
353	fprintf(stderr, "\t-h\t enables header row. (default)\n");
354	fprintf(stderr, "\t-H\t disables header row.\n");
355	fprintf(stderr, "\t-l\t enables leftover(raw) cell output.\n");
356	fprintf(stderr, "\t-L\t disables leftover(raw) cell output. (default)\n");
357	fprintf(stderr, "\t-r\t enables raw cell output for parsed cells.\n");
358	fprintf(stderr, "\t-R\t disables raw cell output for parsed cells. (default)\n");
359	fprintf(stderr, "\n");
360	}
361
362
363	bool removeRange(range_list* rl, uint32 offset, uint32 length)
364	{
365	int32 rm_idx;
366	const range_list_element* cur_elem;
367
368	rm_idx = range_list_find(rl, offset);
369	if(rm_idx < 0)
370	{
371	fprintf(stderr, "DEBUG: removeRange: rm_idx < 0; (%d)\n", rm_idx);
372	return false;
373	}
374
375	cur_elem = range_list_get(rl, rm_idx);
376	if(cur_elem == NULL)
377	{
378	fprintf(stderr, "DEBUG: removeRange: cur_elem == NULL. rm_idx=%d\n", rm_idx);
379	return false;
380	}
381
382	if(offset > cur_elem->offset)
383	{
384	if(!range_list_split_element(rl, rm_idx, offset))
385	{
386	fprintf(stderr, "DEBUG: removeRange: first split failed\n");
387	return false;
388	}
389	rm_idx++;
390	cur_elem = range_list_get(rl, rm_idx);
391	if(cur_elem == NULL)
392	{
393	fprintf(stderr,
394	"DEBUG: removeRange: cur_elem == NULL after first split. rm_idx=%d\n",
395	rm_idx);
396	return false;
397	}
398	}
399
400	if(offset+length < cur_elem->offset+cur_elem->length)
401	{
402	if(!range_list_split_element(rl, rm_idx, offset+length))
403	{
404	fprintf(stderr, "DEBUG: removeRange: second split failed\n");
405	return false;
406	}
407	}
408
409	if(!range_list_remove(rl, rm_idx))
410	{
411	fprintf(stderr, "DEBUG: removeRange: remove failed\n");
412	return false;
413	}
414
415	return true;
416	}
417
418
419	int extractVKs(REGFI_FILE* f,
420	range_list* unalloc_cells,
421	range_list* unalloc_values)
422	{
423	const range_list_element* cur_elem;
424	REGFI_VK_REC* vk;
425	uint32 i, j;
426
427	for(i=0; i < range_list_size(unalloc_cells); i++)
428	{
429	printMsgs(f);
430	cur_elem = range_list_get(unalloc_cells, i);
431	for(j=0; j <= cur_elem->length; j+=8)
432	{
433	vk = regfi_parse_vk(f, cur_elem->offset+j,
434	cur_elem->length-j, false);
435	printMsgs(f);
436
437	if(vk != NULL)
438	{
439	if(!range_list_add(unalloc_values, vk->offset,
440	vk->cell_size, vk))
441	{
442	fprintf(stderr, "ERROR: Couldn't add value to unalloc_values.\n");
443	return 20;
444	}
445	j+=vk->cell_size-8;
446	}
447	}
448	}
449
450	/* Remove value ranges from the unalloc_cells before we continue. */
451	for(i=0; i<range_list_size(unalloc_values); i++)
452	{
453	cur_elem = range_list_get(unalloc_values, i);
454	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
455	return 30;
456	}
457
458	return 0;
459	}
460
461
462	int extractDataCells(REGFI_FILE* f,
463	range_list* unalloc_cells,
464	range_list* unalloc_values)
465	{
466	const range_list_element* cur_elem;
467	REGFI_VK_REC* vk;
468	const REGFI_HBIN* hbin;
469	uint32 i, off, data_offset, data_maxsize;
470
471	for(i=0; i<range_list_size(unalloc_values); i++)
472	{
473	cur_elem = range_list_get(unalloc_values, i);
474	vk = (REGFI_VK_REC*)cur_elem->data;
475	if(vk == NULL)
476	return 40;
477
478	if(vk->data_size == 0)
479	vk->data = NULL;
480	else
481	{
482	off = vk->data_off+REGFI_REGF_SIZE;
483
484	if(vk->data_in_offset)
485	{
486	vk->data = regfi_parse_data(f, vk->type, vk->data_off,
487	vk->data_size, 4,
488	vk->data_in_offset, false);
489	}
490	else if(range_list_has_range(unalloc_cells, off, vk->data_size))
491	{
492	hbin = regfi_lookup_hbin(f, vk->data_off);
493	if(hbin)
494	{
495	data_offset = vk->data_off+REGFI_REGF_SIZE;
496	data_maxsize = hbin->block_size + hbin->file_off - data_offset;
497	vk->data = regfi_parse_data(f, vk->type, data_offset,
498	vk->data_size, data_maxsize,
499	vk->data_in_offset, false);
500	if(vk->data != NULL)
501	{
502	/* XXX: This strict checking prevents partial recovery of data
503	* cells. Also, see code for regfi_parse_data and note that
504	* lengths indicated in VK records are sometimes just plain
505	* wrong. Need a feedback mechanism to be more fuzzy with
506	* data cell lengths and the ranges removed.
507	*/
508	/* A data record was recovered. Remove from unalloc_cells. */
509	if(!removeRange(unalloc_cells, off, vk->data_size))
510	return 50;
511	}
512	}
513	else
514	vk->data = NULL;
515	}
516	}
517	}
518
519	return 0;
520	}
521
522
523	/* NOTE: unalloc_keys should be an empty range_list. */
524	int extractKeys(REGFI_FILE* f,
525	range_list* unalloc_cells,
526	range_list* unalloc_keys)
527	{
528	const range_list_element* cur_elem;
529	REGFI_NK_REC* key;
530	uint32 i, j;
531
532	for(i=0; i < range_list_size(unalloc_cells); i++)
533	{
534	printMsgs(f);
535	cur_elem = range_list_get(unalloc_cells, i);
536	for(j=0; cur_elem->length > REGFI_NK_MIN_LENGTH
537	&& j <= cur_elem->length-REGFI_NK_MIN_LENGTH; j+=8)
538	{
539	key = regfi_parse_nk(f, cur_elem->offset+j,
540	cur_elem->length-j, false);
541	printMsgs(f);
542
543	if(key != NULL)
544	{
545	if(!range_list_add(unalloc_keys, key->offset,
546	key->cell_size, key))
547	{
548	fprintf(stderr, "ERROR: Couldn't add key to unalloc_keys.\n");
549	return 20;
550	}
551	j+=key->cell_size-8;
552	}
553	}
554	}
555
556	for(i=0; i<range_list_size(unalloc_keys); i++)
557	{
558	cur_elem = range_list_get(unalloc_keys, i);
559	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
560	return 30;
561	}
562
563	return 0;
564	}
565
566	int extractValueLists(REGFI_FILE* f,
567	range_list* unalloc_cells,
568	range_list* unalloc_keys,
569	range_list* unalloc_linked_values)
570	{
571	REGFI_NK_REC* nk;
572	REGFI_VK_REC* vk;
573	const REGFI_HBIN* hbin;
574	const range_list_element* cur_elem;
575	uint32 i, j, num_keys, off, values_length, max_length;
576
577	num_keys=range_list_size(unalloc_keys);
578	for(i=0; i<num_keys; i++)
579	{
580	cur_elem = range_list_get(unalloc_keys, i);
581	if(cur_elem == NULL)
582	return 10;
583	nk = cur_elem->data;
584
585	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
586	{
587	hbin = regfi_lookup_hbin(f, nk->values_off);
588
589	if(hbin != NULL)
590	{
591	off = nk->values_off + REGFI_REGF_SIZE;
592	max_length = hbin->block_size + hbin->file_off - off;
593	nk->values = regfi_load_valuelist(f, off, nk->num_values,
594	max_length, false);
595	if(nk->values != NULL && nk->values->elements != NULL)
596	{
597	/* Number of elements in the value list may be shorter than advertised
598	* by NK record due to cell truncation. We'll consider this valid and
599	* only throw out the whole value list if it bleeds into an already
600	* parsed structure.
601	*/
602	values_length = (nk->values->num_values+1)*sizeof(uint32);
603	if(values_length != (values_length & 0xFFFFFFF8))
604	values_length = (values_length & 0xFFFFFFF8) + 8;
605
606	if(!range_list_has_range(unalloc_cells, off, values_length))
607	{ /* We've parsed a values-list which isn't in the unallocated list,
608	* so prune it.
609	*/
610	free(nk->values->elements);
611	free(nk->values);
612	nk->values = NULL;
613	}
614	else
615	{ /* Values-list was recovered. Remove from unalloc_cells and
616	* inspect values.
617	*/
618	if(!removeRange(unalloc_cells, off, values_length))
619	return 20;
620
621	for(j=0; j < nk->values->num_values; j++)
622	{
623	/* Don't bother to restrict cell length here, since we'll
624	* check our unalloc_cells range_list later.
625	*/
626	vk = regfi_parse_vk(f, nk->values->elements[j]+REGFI_REGF_SIZE,
627	0x7FFFFFFF, false);
628	printMsgs(f);
629
630	if(vk != NULL)
631	{
632	if(range_list_has_range(unalloc_cells,
633	vk->offset, vk->cell_size))
634	{
635	if(!range_list_add(unalloc_linked_values, vk->offset,
636	vk->cell_size, vk))
637	{
638	free(vk);
639	return 30;
640	}
641
642	if(!removeRange(unalloc_cells, vk->offset, vk->cell_size))
643	return 40;
644	}
645	else
646	free(vk);
647	}
648	}
649	}
650	}
651	}
652	}
653	}
654
655	return 0;
656	}
657
658
659
660	/* NOTE: unalloc_sks should be an empty range_list. */
661	int extractSKs(REGFI_FILE* f,
662	range_list* unalloc_cells,
663	range_list* unalloc_sks)
664	{
665	const range_list_element* cur_elem;
666	REGFI_SK_REC* sk;
667	uint32 i, j;
668
669	for(i=0; i < range_list_size(unalloc_cells); i++)
670	{
671	printMsgs(f);
672	cur_elem = range_list_get(unalloc_cells, i);
673	for(j=0; j <= cur_elem->length; j+=8)
674	{
675	sk = regfi_parse_sk(f, cur_elem->offset+j,
676	cur_elem->length-j, false);
677	printMsgs(f);
678
679	if(sk != NULL)
680	{
681	if(!range_list_add(unalloc_sks, sk->offset,
682	sk->cell_size, sk))
683	{
684	fprintf(stderr, "ERROR: Couldn't add sk to unalloc_sks.\n");
685	return 20;
686	}
687	talloc_steal(unalloc_sks, sk);
688	j+=sk->cell_size-8;
689	}
690	}
691	}
692
693	for(i=0; i<range_list_size(unalloc_sks); i++)
694	{
695	cur_elem = range_list_get(unalloc_sks, i);
696	if(!removeRange(unalloc_cells, cur_elem->offset, cur_elem->length))
697	return 30;
698	}
699
700	return 0;
701	}
702
703
704	int main(int argc, char** argv)
705	{
706	REGFI_FILE* f;
707	const range_list_element* cur_elem;
708	range_list* unalloc_cells;
709	range_list* unalloc_keys;
710	range_list* unalloc_linked_values;
711	range_list* unalloc_values;
712	range_list* unalloc_sks;
713	char** parent_paths;
714	char* tmp_name;
715	char* tmp_path;
716	REGFI_NK_REC* tmp_key;
717	REGFI_VK_REC* tmp_value;
718	uint32 argi, arge, i, j, ret, num_unalloc_keys;
719
720	/* Process command line arguments */
721	if(argc < 2)
722	{
723	usage();
724	bailOut(REGLOOKUP_EXIT_USAGE, "ERROR: Requires at least one argument.\n");
725	}
726
727	arge = argc-1;
728	for(argi = 1; argi < arge; argi++)
729	{
730	if (strcmp("-v", argv[argi]) == 0)
731	print_verbose = true;
732	else if (strcmp("-h", argv[argi]) == 0)
733	print_header = true;
734	else if (strcmp("-H", argv[argi]) == 0)
735	print_header = false;
736	else if (strcmp("-l", argv[argi]) == 0)
737	print_leftover = true;
738	else if (strcmp("-L", argv[argi]) == 0)
739	print_leftover = false;
740	else if (strcmp("-r", argv[argi]) == 0)
741	print_parsedraw = true;
742	else if (strcmp("-R", argv[argi]) == 0)
743	print_parsedraw = false;
744	else
745	{
746	usage();
747	fprintf(stderr, "ERROR: Unrecognized option: %s\n", argv[argi]);
748	bailOut(REGLOOKUP_EXIT_USAGE, "");
749	}
750	}
751	/test_offset = strtol(argv[argi++], NULL, 16);/
752
753	if((registry_file = strdup(argv[argi])) == NULL)
754	bailOut(REGLOOKUP_EXIT_OSERR, "ERROR: Memory allocation problem.\n");
755
756	f = regfi_open(registry_file);
757	if(f == NULL)
758	{
759	fprintf(stderr, "ERROR: Couldn't open registry file: %s\n", registry_file);
760	bailOut(REGLOOKUP_EXIT_NOINPUT, "");
761	}
762	if(print_verbose)
763	regfi_set_message_mask(f, REGFI_MSG_ERROR\|REGFI_MSG_WARN\|REGFI_MSG_INFO);
764	else
765	regfi_set_message_mask(f, REGFI_MSG_ERROR);
766
767	if(print_header)
768	printf("OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME,"
769	"NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN,"
770	"SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL\n");
771
772	unalloc_cells = regfi_parse_unalloc_cells(f);
773	if(unalloc_cells == NULL)
774	{
775	fprintf(stderr, "ERROR: Could not obtain list of unallocated cells.\n");
776	return 1;
777	}
778
779	unalloc_keys = range_list_new();
780	if(unalloc_keys == NULL)
781	return 10;
782
783	unalloc_linked_values = range_list_new();
784	if(unalloc_linked_values == NULL)
785	return 10;
786
787	unalloc_values = range_list_new();
788	if(unalloc_values == NULL)
789	return 10;
790
791	unalloc_sks = range_list_new();
792	if(unalloc_sks == NULL)
793	return 10;
794
795	ret = extractKeys(f, unalloc_cells, unalloc_keys);
796	if(ret != 0)
797	{
798	fprintf(stderr, "ERROR: extractKeys() failed with %d.\n", ret);
799	return ret;
800	}
801
802	ret = extractValueLists(f, unalloc_cells, unalloc_keys,unalloc_linked_values);
803	if(ret != 0)
804	{
805	fprintf(stderr, "ERROR: extractValueLists() failed with %d.\n", ret);
806	return ret;
807	}
808
809	/* Carve any orphan values */
810	ret = extractVKs(f, unalloc_cells, unalloc_values);
811	if(ret != 0)
812	{
813	fprintf(stderr, "ERROR: extractVKs() failed with %d.\n", ret);
814	return ret;
815	}
816
817	/* Carve any data associated with VK records */
818	ret = extractDataCells(f, unalloc_cells, unalloc_linked_values);
819	if(ret != 0)
820	{
821	fprintf(stderr, "ERROR: extractDataCells() failed with %d.\n", ret);
822	return ret;
823	}
824	ret = extractDataCells(f, unalloc_cells, unalloc_values);
825	if(ret != 0)
826	{
827	fprintf(stderr, "ERROR: extractDataCells() failed with %d.\n", ret);
828	return ret;
829	}
830
831	/* Carve any SK records */
832	ret = extractSKs(f, unalloc_cells, unalloc_sks);
833	if(ret != 0)
834	{
835	fprintf(stderr, "ERROR: extractSKs() failed with %d.\n", ret);
836	return ret;
837	}
838
839	/* Now that we're done carving, associate recovered keys with parents,
840	* if at all possible.
841	*/
842	num_unalloc_keys = range_list_size(unalloc_keys);
843	parent_paths = (char*)malloc(sizeof(char)*num_unalloc_keys);
844	if(parent_paths == NULL)
845	return 10;
846
847	for(i=0; i < num_unalloc_keys; i++)
848	{
849	cur_elem = range_list_get(unalloc_keys, i);
850	tmp_key = (REGFI_NK_REC*)cur_elem->data;
851
852	if(tmp_key == NULL)
853	return 20;
854
855	parent_paths[i] = getParentPath(f, tmp_key);
856	if(parent_paths[i] == NULL)
857	return 20;
858	}
859
860	/* Now start the output */
861	for(i=0; i < num_unalloc_keys; i++)
862	{
863	cur_elem = range_list_get(unalloc_keys, i);
864	tmp_key = (REGFI_NK_REC*)cur_elem->data;
865
866	printKey(f, tmp_key, parent_paths[i]);
867	if(tmp_key->num_values > 0 && tmp_key->values != NULL)
868	{
869	tmp_name = quote_string(tmp_key->keyname, key_special_chars);
870	tmp_path = (char*)malloc(strlen(parent_paths[i])+strlen(tmp_name)+2);
871	if(tmp_path == NULL)
872	{
873	free(tmp_name);
874	return 10;
875	}
876
877	sprintf(tmp_path, "%s/%s", parent_paths[i], tmp_name);
878	for(j=0; j < tmp_key->values->num_values; j++)
879	{
880	tmp_value =
881	(REGFI_VK_REC*)range_list_find_data(unalloc_linked_values,
882	tmp_key->values->elements[j]
883	+ REGFI_REGF_SIZE);
884	if(tmp_value != NULL)
885	printValue(f, tmp_value, tmp_path);
886	}
887	free(tmp_path);
888	free(tmp_name);
889	free(parent_paths[i]);
890	}
891	}
892	free(parent_paths);
893
894	/* Print out orphaned values */
895	for(i=0; i < range_list_size(unalloc_values); i++)
896	{
897	cur_elem = range_list_get(unalloc_values, i);
898	tmp_value = (REGFI_VK_REC*)cur_elem->data;
899
900	printValue(f, tmp_value, "");
901	}
902
903	if(print_leftover)
904	{
905	for(i=0; i < range_list_size(unalloc_cells); i++)
906	{
907	cur_elem = range_list_get(unalloc_cells, i);
908	printCell(f, cur_elem->offset);
909	}
910	}
911
912	range_list_free(unalloc_cells);
913	range_list_free(unalloc_keys);
914	range_list_free(unalloc_linked_values);
915	range_list_free(unalloc_values);
916	range_list_free(unalloc_sks);
917
918	return 0;
919	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: